rx.c revision f501dba4c4c5bda1b64c941997ab7ece1d503945
1/* 2 * Copyright 2002-2005, Instant802 Networks, Inc. 3 * Copyright 2005-2006, Devicescape Software, Inc. 4 * Copyright 2006-2007 Jiri Benc <jbenc@suse.cz> 5 * Copyright 2007 Johannes Berg <johannes@sipsolutions.net> 6 * 7 * This program is free software; you can redistribute it and/or modify 8 * it under the terms of the GNU General Public License version 2 as 9 * published by the Free Software Foundation. 10 */ 11 12#include <linux/jiffies.h> 13#include <linux/kernel.h> 14#include <linux/skbuff.h> 15#include <linux/netdevice.h> 16#include <linux/etherdevice.h> 17#include <linux/rcupdate.h> 18#include <net/mac80211.h> 19#include <net/ieee80211_radiotap.h> 20 21#include "ieee80211_i.h" 22#include "driver-ops.h" 23#include "led.h" 24#include "mesh.h" 25#include "wep.h" 26#include "wpa.h" 27#include "tkip.h" 28#include "wme.h" 29 30static u8 ieee80211_sta_manage_reorder_buf(struct ieee80211_hw *hw, 31 struct tid_ampdu_rx *tid_agg_rx, 32 struct sk_buff *skb, 33 u16 mpdu_seq_num, 34 int bar_req); 35/* 36 * monitor mode reception 37 * 38 * This function cleans up the SKB, i.e. it removes all the stuff 39 * only useful for monitoring. 40 */ 41static struct sk_buff *remove_monitor_info(struct ieee80211_local *local, 42 struct sk_buff *skb) 43{ 44 if (local->hw.flags & IEEE80211_HW_RX_INCLUDES_FCS) { 45 if (likely(skb->len > FCS_LEN)) 46 skb_trim(skb, skb->len - FCS_LEN); 47 else { 48 /* driver bug */ 49 WARN_ON(1); 50 dev_kfree_skb(skb); 51 skb = NULL; 52 } 53 } 54 55 return skb; 56} 57 58static inline int should_drop_frame(struct sk_buff *skb, 59 int present_fcs_len) 60{ 61 struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb); 62 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)skb->data; 63 64 if (status->flag & (RX_FLAG_FAILED_FCS_CRC | RX_FLAG_FAILED_PLCP_CRC)) 65 return 1; 66 if (unlikely(skb->len < 16 + present_fcs_len)) 67 return 1; 68 if (ieee80211_is_ctl(hdr->frame_control) && 69 !ieee80211_is_pspoll(hdr->frame_control) && 70 !ieee80211_is_back_req(hdr->frame_control)) 71 return 1; 72 return 0; 73} 74 75static int 76ieee80211_rx_radiotap_len(struct ieee80211_local *local, 77 struct ieee80211_rx_status *status) 78{ 79 int len; 80 81 /* always present fields */ 82 len = sizeof(struct ieee80211_radiotap_header) + 9; 83 84 if (status->flag & RX_FLAG_TSFT) 85 len += 8; 86 if (local->hw.flags & IEEE80211_HW_SIGNAL_DBM) 87 len += 1; 88 if (local->hw.flags & IEEE80211_HW_NOISE_DBM) 89 len += 1; 90 91 if (len & 1) /* padding for RX_FLAGS if necessary */ 92 len++; 93 94 return len; 95} 96 97/* 98 * ieee80211_add_rx_radiotap_header - add radiotap header 99 * 100 * add a radiotap header containing all the fields which the hardware provided. 101 */ 102static void 103ieee80211_add_rx_radiotap_header(struct ieee80211_local *local, 104 struct sk_buff *skb, 105 struct ieee80211_rate *rate, 106 int rtap_len) 107{ 108 struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb); 109 struct ieee80211_radiotap_header *rthdr; 110 unsigned char *pos; 111 u16 rx_flags = 0; 112 113 rthdr = (struct ieee80211_radiotap_header *)skb_push(skb, rtap_len); 114 memset(rthdr, 0, rtap_len); 115 116 /* radiotap header, set always present flags */ 117 rthdr->it_present = 118 cpu_to_le32((1 << IEEE80211_RADIOTAP_FLAGS) | 119 (1 << IEEE80211_RADIOTAP_CHANNEL) | 120 (1 << IEEE80211_RADIOTAP_ANTENNA) | 121 (1 << IEEE80211_RADIOTAP_RX_FLAGS)); 122 rthdr->it_len = cpu_to_le16(rtap_len); 123 124 pos = (unsigned char *)(rthdr+1); 125 126 /* the order of the following fields is important */ 127 128 /* IEEE80211_RADIOTAP_TSFT */ 129 if (status->flag & RX_FLAG_TSFT) { 130 put_unaligned_le64(status->mactime, pos); 131 rthdr->it_present |= 132 cpu_to_le32(1 << IEEE80211_RADIOTAP_TSFT); 133 pos += 8; 134 } 135 136 /* IEEE80211_RADIOTAP_FLAGS */ 137 if (local->hw.flags & IEEE80211_HW_RX_INCLUDES_FCS) 138 *pos |= IEEE80211_RADIOTAP_F_FCS; 139 if (status->flag & (RX_FLAG_FAILED_FCS_CRC | RX_FLAG_FAILED_PLCP_CRC)) 140 *pos |= IEEE80211_RADIOTAP_F_BADFCS; 141 if (status->flag & RX_FLAG_SHORTPRE) 142 *pos |= IEEE80211_RADIOTAP_F_SHORTPRE; 143 pos++; 144 145 /* IEEE80211_RADIOTAP_RATE */ 146 if (status->flag & RX_FLAG_HT) { 147 /* 148 * TODO: add following information into radiotap header once 149 * suitable fields are defined for it: 150 * - MCS index (status->rate_idx) 151 * - HT40 (status->flag & RX_FLAG_40MHZ) 152 * - short-GI (status->flag & RX_FLAG_SHORT_GI) 153 */ 154 *pos = 0; 155 } else { 156 rthdr->it_present |= cpu_to_le32(1 << IEEE80211_RADIOTAP_RATE); 157 *pos = rate->bitrate / 5; 158 } 159 pos++; 160 161 /* IEEE80211_RADIOTAP_CHANNEL */ 162 put_unaligned_le16(status->freq, pos); 163 pos += 2; 164 if (status->band == IEEE80211_BAND_5GHZ) 165 put_unaligned_le16(IEEE80211_CHAN_OFDM | IEEE80211_CHAN_5GHZ, 166 pos); 167 else if (rate->flags & IEEE80211_RATE_ERP_G) 168 put_unaligned_le16(IEEE80211_CHAN_OFDM | IEEE80211_CHAN_2GHZ, 169 pos); 170 else 171 put_unaligned_le16(IEEE80211_CHAN_CCK | IEEE80211_CHAN_2GHZ, 172 pos); 173 pos += 2; 174 175 /* IEEE80211_RADIOTAP_DBM_ANTSIGNAL */ 176 if (local->hw.flags & IEEE80211_HW_SIGNAL_DBM) { 177 *pos = status->signal; 178 rthdr->it_present |= 179 cpu_to_le32(1 << IEEE80211_RADIOTAP_DBM_ANTSIGNAL); 180 pos++; 181 } 182 183 /* IEEE80211_RADIOTAP_DBM_ANTNOISE */ 184 if (local->hw.flags & IEEE80211_HW_NOISE_DBM) { 185 *pos = status->noise; 186 rthdr->it_present |= 187 cpu_to_le32(1 << IEEE80211_RADIOTAP_DBM_ANTNOISE); 188 pos++; 189 } 190 191 /* IEEE80211_RADIOTAP_LOCK_QUALITY is missing */ 192 193 /* IEEE80211_RADIOTAP_ANTENNA */ 194 *pos = status->antenna; 195 pos++; 196 197 /* IEEE80211_RADIOTAP_DB_ANTNOISE is not used */ 198 199 /* IEEE80211_RADIOTAP_RX_FLAGS */ 200 /* ensure 2 byte alignment for the 2 byte field as required */ 201 if ((pos - (u8 *)rthdr) & 1) 202 pos++; 203 if (status->flag & RX_FLAG_FAILED_PLCP_CRC) 204 rx_flags |= IEEE80211_RADIOTAP_F_RX_BADPLCP; 205 put_unaligned_le16(rx_flags, pos); 206 pos += 2; 207} 208 209/* 210 * This function copies a received frame to all monitor interfaces and 211 * returns a cleaned-up SKB that no longer includes the FCS nor the 212 * radiotap header the driver might have added. 213 */ 214static struct sk_buff * 215ieee80211_rx_monitor(struct ieee80211_local *local, struct sk_buff *origskb, 216 struct ieee80211_rate *rate) 217{ 218 struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(origskb); 219 struct ieee80211_sub_if_data *sdata; 220 int needed_headroom = 0; 221 struct sk_buff *skb, *skb2; 222 struct net_device *prev_dev = NULL; 223 int present_fcs_len = 0; 224 225 /* 226 * First, we may need to make a copy of the skb because 227 * (1) we need to modify it for radiotap (if not present), and 228 * (2) the other RX handlers will modify the skb we got. 229 * 230 * We don't need to, of course, if we aren't going to return 231 * the SKB because it has a bad FCS/PLCP checksum. 232 */ 233 234 /* room for the radiotap header based on driver features */ 235 needed_headroom = ieee80211_rx_radiotap_len(local, status); 236 237 if (local->hw.flags & IEEE80211_HW_RX_INCLUDES_FCS) 238 present_fcs_len = FCS_LEN; 239 240 if (!local->monitors) { 241 if (should_drop_frame(origskb, present_fcs_len)) { 242 dev_kfree_skb(origskb); 243 return NULL; 244 } 245 246 return remove_monitor_info(local, origskb); 247 } 248 249 if (should_drop_frame(origskb, present_fcs_len)) { 250 /* only need to expand headroom if necessary */ 251 skb = origskb; 252 origskb = NULL; 253 254 /* 255 * This shouldn't trigger often because most devices have an 256 * RX header they pull before we get here, and that should 257 * be big enough for our radiotap information. We should 258 * probably export the length to drivers so that we can have 259 * them allocate enough headroom to start with. 260 */ 261 if (skb_headroom(skb) < needed_headroom && 262 pskb_expand_head(skb, needed_headroom, 0, GFP_ATOMIC)) { 263 dev_kfree_skb(skb); 264 return NULL; 265 } 266 } else { 267 /* 268 * Need to make a copy and possibly remove radiotap header 269 * and FCS from the original. 270 */ 271 skb = skb_copy_expand(origskb, needed_headroom, 0, GFP_ATOMIC); 272 273 origskb = remove_monitor_info(local, origskb); 274 275 if (!skb) 276 return origskb; 277 } 278 279 /* prepend radiotap information */ 280 ieee80211_add_rx_radiotap_header(local, skb, rate, needed_headroom); 281 282 skb_reset_mac_header(skb); 283 skb->ip_summed = CHECKSUM_UNNECESSARY; 284 skb->pkt_type = PACKET_OTHERHOST; 285 skb->protocol = htons(ETH_P_802_2); 286 287 list_for_each_entry_rcu(sdata, &local->interfaces, list) { 288 if (!netif_running(sdata->dev)) 289 continue; 290 291 if (sdata->vif.type != NL80211_IFTYPE_MONITOR) 292 continue; 293 294 if (sdata->u.mntr_flags & MONITOR_FLAG_COOK_FRAMES) 295 continue; 296 297 if (prev_dev) { 298 skb2 = skb_clone(skb, GFP_ATOMIC); 299 if (skb2) { 300 skb2->dev = prev_dev; 301 netif_rx(skb2); 302 } 303 } 304 305 prev_dev = sdata->dev; 306 sdata->dev->stats.rx_packets++; 307 sdata->dev->stats.rx_bytes += skb->len; 308 } 309 310 if (prev_dev) { 311 skb->dev = prev_dev; 312 netif_rx(skb); 313 } else 314 dev_kfree_skb(skb); 315 316 return origskb; 317} 318 319 320static void ieee80211_parse_qos(struct ieee80211_rx_data *rx) 321{ 322 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)rx->skb->data; 323 int tid; 324 325 /* does the frame have a qos control field? */ 326 if (ieee80211_is_data_qos(hdr->frame_control)) { 327 u8 *qc = ieee80211_get_qos_ctl(hdr); 328 /* frame has qos control */ 329 tid = *qc & IEEE80211_QOS_CTL_TID_MASK; 330 if (*qc & IEEE80211_QOS_CONTROL_A_MSDU_PRESENT) 331 rx->flags |= IEEE80211_RX_AMSDU; 332 else 333 rx->flags &= ~IEEE80211_RX_AMSDU; 334 } else { 335 /* 336 * IEEE 802.11-2007, 7.1.3.4.1 ("Sequence Number field"): 337 * 338 * Sequence numbers for management frames, QoS data 339 * frames with a broadcast/multicast address in the 340 * Address 1 field, and all non-QoS data frames sent 341 * by QoS STAs are assigned using an additional single 342 * modulo-4096 counter, [...] 343 * 344 * We also use that counter for non-QoS STAs. 345 */ 346 tid = NUM_RX_DATA_QUEUES - 1; 347 } 348 349 rx->queue = tid; 350 /* Set skb->priority to 1d tag if highest order bit of TID is not set. 351 * For now, set skb->priority to 0 for other cases. */ 352 rx->skb->priority = (tid > 7) ? 0 : tid; 353} 354 355/** 356 * DOC: Packet alignment 357 * 358 * Drivers always need to pass packets that are aligned to two-byte boundaries 359 * to the stack. 360 * 361 * Additionally, should, if possible, align the payload data in a way that 362 * guarantees that the contained IP header is aligned to a four-byte 363 * boundary. In the case of regular frames, this simply means aligning the 364 * payload to a four-byte boundary (because either the IP header is directly 365 * contained, or IV/RFC1042 headers that have a length divisible by four are 366 * in front of it). 367 * 368 * With A-MSDU frames, however, the payload data address must yield two modulo 369 * four because there are 14-byte 802.3 headers within the A-MSDU frames that 370 * push the IP header further back to a multiple of four again. Thankfully, the 371 * specs were sane enough this time around to require padding each A-MSDU 372 * subframe to a length that is a multiple of four. 373 * 374 * Padding like Atheros hardware adds which is inbetween the 802.11 header and 375 * the payload is not supported, the driver is required to move the 802.11 376 * header to be directly in front of the payload in that case. 377 */ 378static void ieee80211_verify_alignment(struct ieee80211_rx_data *rx) 379{ 380 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)rx->skb->data; 381 int hdrlen; 382 383#ifndef CONFIG_MAC80211_DEBUG_PACKET_ALIGNMENT 384 return; 385#endif 386 387 if (WARN_ONCE((unsigned long)rx->skb->data & 1, 388 "unaligned packet at 0x%p\n", rx->skb->data)) 389 return; 390 391 if (!ieee80211_is_data_present(hdr->frame_control)) 392 return; 393 394 hdrlen = ieee80211_hdrlen(hdr->frame_control); 395 if (rx->flags & IEEE80211_RX_AMSDU) 396 hdrlen += ETH_HLEN; 397 WARN_ONCE(((unsigned long)(rx->skb->data + hdrlen)) & 3, 398 "unaligned IP payload at 0x%p\n", rx->skb->data + hdrlen); 399} 400 401 402/* rx handlers */ 403 404static ieee80211_rx_result debug_noinline 405ieee80211_rx_h_passive_scan(struct ieee80211_rx_data *rx) 406{ 407 struct ieee80211_local *local = rx->local; 408 struct sk_buff *skb = rx->skb; 409 410 if (unlikely(test_bit(SCAN_HW_SCANNING, &local->scanning))) 411 return ieee80211_scan_rx(rx->sdata, skb); 412 413 if (unlikely(test_bit(SCAN_SW_SCANNING, &local->scanning) && 414 (rx->flags & IEEE80211_RX_IN_SCAN))) { 415 /* drop all the other packets during a software scan anyway */ 416 if (ieee80211_scan_rx(rx->sdata, skb) != RX_QUEUED) 417 dev_kfree_skb(skb); 418 return RX_QUEUED; 419 } 420 421 if (unlikely(rx->flags & IEEE80211_RX_IN_SCAN)) { 422 /* scanning finished during invoking of handlers */ 423 I802_DEBUG_INC(local->rx_handlers_drop_passive_scan); 424 return RX_DROP_UNUSABLE; 425 } 426 427 return RX_CONTINUE; 428} 429 430 431static int ieee80211_is_unicast_robust_mgmt_frame(struct sk_buff *skb) 432{ 433 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *) skb->data; 434 435 if (skb->len < 24 || is_multicast_ether_addr(hdr->addr1)) 436 return 0; 437 438 return ieee80211_is_robust_mgmt_frame(hdr); 439} 440 441 442static int ieee80211_is_multicast_robust_mgmt_frame(struct sk_buff *skb) 443{ 444 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *) skb->data; 445 446 if (skb->len < 24 || !is_multicast_ether_addr(hdr->addr1)) 447 return 0; 448 449 return ieee80211_is_robust_mgmt_frame(hdr); 450} 451 452 453/* Get the BIP key index from MMIE; return -1 if this is not a BIP frame */ 454static int ieee80211_get_mmie_keyidx(struct sk_buff *skb) 455{ 456 struct ieee80211_mgmt *hdr = (struct ieee80211_mgmt *) skb->data; 457 struct ieee80211_mmie *mmie; 458 459 if (skb->len < 24 + sizeof(*mmie) || 460 !is_multicast_ether_addr(hdr->da)) 461 return -1; 462 463 if (!ieee80211_is_robust_mgmt_frame((struct ieee80211_hdr *) hdr)) 464 return -1; /* not a robust management frame */ 465 466 mmie = (struct ieee80211_mmie *) 467 (skb->data + skb->len - sizeof(*mmie)); 468 if (mmie->element_id != WLAN_EID_MMIE || 469 mmie->length != sizeof(*mmie) - 2) 470 return -1; 471 472 return le16_to_cpu(mmie->key_id); 473} 474 475 476static ieee80211_rx_result 477ieee80211_rx_mesh_check(struct ieee80211_rx_data *rx) 478{ 479 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)rx->skb->data; 480 unsigned int hdrlen = ieee80211_hdrlen(hdr->frame_control); 481 char *dev_addr = rx->dev->dev_addr; 482 483 if (ieee80211_is_data(hdr->frame_control)) { 484 if (is_multicast_ether_addr(hdr->addr1)) { 485 if (ieee80211_has_tods(hdr->frame_control) || 486 !ieee80211_has_fromds(hdr->frame_control)) 487 return RX_DROP_MONITOR; 488 if (memcmp(hdr->addr3, dev_addr, ETH_ALEN) == 0) 489 return RX_DROP_MONITOR; 490 } else { 491 if (!ieee80211_has_a4(hdr->frame_control)) 492 return RX_DROP_MONITOR; 493 if (memcmp(hdr->addr4, dev_addr, ETH_ALEN) == 0) 494 return RX_DROP_MONITOR; 495 } 496 } 497 498 /* If there is not an established peer link and this is not a peer link 499 * establisment frame, beacon or probe, drop the frame. 500 */ 501 502 if (!rx->sta || sta_plink_state(rx->sta) != PLINK_ESTAB) { 503 struct ieee80211_mgmt *mgmt; 504 505 if (!ieee80211_is_mgmt(hdr->frame_control)) 506 return RX_DROP_MONITOR; 507 508 if (ieee80211_is_action(hdr->frame_control)) { 509 mgmt = (struct ieee80211_mgmt *)hdr; 510 if (mgmt->u.action.category != MESH_PLINK_CATEGORY) 511 return RX_DROP_MONITOR; 512 return RX_CONTINUE; 513 } 514 515 if (ieee80211_is_probe_req(hdr->frame_control) || 516 ieee80211_is_probe_resp(hdr->frame_control) || 517 ieee80211_is_beacon(hdr->frame_control)) 518 return RX_CONTINUE; 519 520 return RX_DROP_MONITOR; 521 522 } 523 524#define msh_h_get(h, l) ((struct ieee80211s_hdr *) ((u8 *)h + l)) 525 526 if (ieee80211_is_data(hdr->frame_control) && 527 is_multicast_ether_addr(hdr->addr1) && 528 mesh_rmc_check(hdr->addr3, msh_h_get(hdr, hdrlen), rx->sdata)) 529 return RX_DROP_MONITOR; 530#undef msh_h_get 531 532 return RX_CONTINUE; 533} 534 535 536static ieee80211_rx_result debug_noinline 537ieee80211_rx_h_check(struct ieee80211_rx_data *rx) 538{ 539 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)rx->skb->data; 540 541 /* Drop duplicate 802.11 retransmissions (IEEE 802.11 Chap. 9.2.9) */ 542 if (rx->sta && !is_multicast_ether_addr(hdr->addr1)) { 543 if (unlikely(ieee80211_has_retry(hdr->frame_control) && 544 rx->sta->last_seq_ctrl[rx->queue] == 545 hdr->seq_ctrl)) { 546 if (rx->flags & IEEE80211_RX_RA_MATCH) { 547 rx->local->dot11FrameDuplicateCount++; 548 rx->sta->num_duplicates++; 549 } 550 return RX_DROP_MONITOR; 551 } else 552 rx->sta->last_seq_ctrl[rx->queue] = hdr->seq_ctrl; 553 } 554 555 if (unlikely(rx->skb->len < 16)) { 556 I802_DEBUG_INC(rx->local->rx_handlers_drop_short); 557 return RX_DROP_MONITOR; 558 } 559 560 /* Drop disallowed frame classes based on STA auth/assoc state; 561 * IEEE 802.11, Chap 5.5. 562 * 563 * mac80211 filters only based on association state, i.e. it drops 564 * Class 3 frames from not associated stations. hostapd sends 565 * deauth/disassoc frames when needed. In addition, hostapd is 566 * responsible for filtering on both auth and assoc states. 567 */ 568 569 if (ieee80211_vif_is_mesh(&rx->sdata->vif)) 570 return ieee80211_rx_mesh_check(rx); 571 572 if (unlikely((ieee80211_is_data(hdr->frame_control) || 573 ieee80211_is_pspoll(hdr->frame_control)) && 574 rx->sdata->vif.type != NL80211_IFTYPE_ADHOC && 575 (!rx->sta || !test_sta_flags(rx->sta, WLAN_STA_ASSOC)))) { 576 if ((!ieee80211_has_fromds(hdr->frame_control) && 577 !ieee80211_has_tods(hdr->frame_control) && 578 ieee80211_is_data(hdr->frame_control)) || 579 !(rx->flags & IEEE80211_RX_RA_MATCH)) { 580 /* Drop IBSS frames and frames for other hosts 581 * silently. */ 582 return RX_DROP_MONITOR; 583 } 584 585 return RX_DROP_MONITOR; 586 } 587 588 return RX_CONTINUE; 589} 590 591 592static ieee80211_rx_result debug_noinline 593ieee80211_rx_h_decrypt(struct ieee80211_rx_data *rx) 594{ 595 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)rx->skb->data; 596 int keyidx; 597 int hdrlen; 598 ieee80211_rx_result result = RX_DROP_UNUSABLE; 599 struct ieee80211_key *stakey = NULL; 600 int mmie_keyidx = -1; 601 602 /* 603 * Key selection 101 604 * 605 * There are four types of keys: 606 * - GTK (group keys) 607 * - IGTK (group keys for management frames) 608 * - PTK (pairwise keys) 609 * - STK (station-to-station pairwise keys) 610 * 611 * When selecting a key, we have to distinguish between multicast 612 * (including broadcast) and unicast frames, the latter can only 613 * use PTKs and STKs while the former always use GTKs and IGTKs. 614 * Unless, of course, actual WEP keys ("pre-RSNA") are used, then 615 * unicast frames can also use key indices like GTKs. Hence, if we 616 * don't have a PTK/STK we check the key index for a WEP key. 617 * 618 * Note that in a regular BSS, multicast frames are sent by the 619 * AP only, associated stations unicast the frame to the AP first 620 * which then multicasts it on their behalf. 621 * 622 * There is also a slight problem in IBSS mode: GTKs are negotiated 623 * with each station, that is something we don't currently handle. 624 * The spec seems to expect that one negotiates the same key with 625 * every station but there's no such requirement; VLANs could be 626 * possible. 627 */ 628 629 /* 630 * No point in finding a key and decrypting if the frame is neither 631 * addressed to us nor a multicast frame. 632 */ 633 if (!(rx->flags & IEEE80211_RX_RA_MATCH)) 634 return RX_CONTINUE; 635 636 if (rx->sta) 637 stakey = rcu_dereference(rx->sta->key); 638 639 if (!ieee80211_has_protected(hdr->frame_control)) 640 mmie_keyidx = ieee80211_get_mmie_keyidx(rx->skb); 641 642 if (!is_multicast_ether_addr(hdr->addr1) && stakey) { 643 rx->key = stakey; 644 /* Skip decryption if the frame is not protected. */ 645 if (!ieee80211_has_protected(hdr->frame_control)) 646 return RX_CONTINUE; 647 } else if (mmie_keyidx >= 0) { 648 /* Broadcast/multicast robust management frame / BIP */ 649 if ((rx->status->flag & RX_FLAG_DECRYPTED) && 650 (rx->status->flag & RX_FLAG_IV_STRIPPED)) 651 return RX_CONTINUE; 652 653 if (mmie_keyidx < NUM_DEFAULT_KEYS || 654 mmie_keyidx >= NUM_DEFAULT_KEYS + NUM_DEFAULT_MGMT_KEYS) 655 return RX_DROP_MONITOR; /* unexpected BIP keyidx */ 656 rx->key = rcu_dereference(rx->sdata->keys[mmie_keyidx]); 657 } else if (!ieee80211_has_protected(hdr->frame_control)) { 658 /* 659 * The frame was not protected, so skip decryption. However, we 660 * need to set rx->key if there is a key that could have been 661 * used so that the frame may be dropped if encryption would 662 * have been expected. 663 */ 664 struct ieee80211_key *key = NULL; 665 if (ieee80211_is_mgmt(hdr->frame_control) && 666 is_multicast_ether_addr(hdr->addr1) && 667 (key = rcu_dereference(rx->sdata->default_mgmt_key))) 668 rx->key = key; 669 else if ((key = rcu_dereference(rx->sdata->default_key))) 670 rx->key = key; 671 return RX_CONTINUE; 672 } else { 673 /* 674 * The device doesn't give us the IV so we won't be 675 * able to look up the key. That's ok though, we 676 * don't need to decrypt the frame, we just won't 677 * be able to keep statistics accurate. 678 * Except for key threshold notifications, should 679 * we somehow allow the driver to tell us which key 680 * the hardware used if this flag is set? 681 */ 682 if ((rx->status->flag & RX_FLAG_DECRYPTED) && 683 (rx->status->flag & RX_FLAG_IV_STRIPPED)) 684 return RX_CONTINUE; 685 686 hdrlen = ieee80211_hdrlen(hdr->frame_control); 687 688 if (rx->skb->len < 8 + hdrlen) 689 return RX_DROP_UNUSABLE; /* TODO: count this? */ 690 691 /* 692 * no need to call ieee80211_wep_get_keyidx, 693 * it verifies a bunch of things we've done already 694 */ 695 keyidx = rx->skb->data[hdrlen + 3] >> 6; 696 697 rx->key = rcu_dereference(rx->sdata->keys[keyidx]); 698 699 /* 700 * RSNA-protected unicast frames should always be sent with 701 * pairwise or station-to-station keys, but for WEP we allow 702 * using a key index as well. 703 */ 704 if (rx->key && rx->key->conf.alg != ALG_WEP && 705 !is_multicast_ether_addr(hdr->addr1)) 706 rx->key = NULL; 707 } 708 709 if (rx->key) { 710 rx->key->tx_rx_count++; 711 /* TODO: add threshold stuff again */ 712 } else { 713 return RX_DROP_MONITOR; 714 } 715 716 /* Check for weak IVs if possible */ 717 if (rx->sta && rx->key->conf.alg == ALG_WEP && 718 ieee80211_is_data(hdr->frame_control) && 719 (!(rx->status->flag & RX_FLAG_IV_STRIPPED) || 720 !(rx->status->flag & RX_FLAG_DECRYPTED)) && 721 ieee80211_wep_is_weak_iv(rx->skb, rx->key)) 722 rx->sta->wep_weak_iv_count++; 723 724 switch (rx->key->conf.alg) { 725 case ALG_WEP: 726 result = ieee80211_crypto_wep_decrypt(rx); 727 break; 728 case ALG_TKIP: 729 result = ieee80211_crypto_tkip_decrypt(rx); 730 break; 731 case ALG_CCMP: 732 result = ieee80211_crypto_ccmp_decrypt(rx); 733 break; 734 case ALG_AES_CMAC: 735 result = ieee80211_crypto_aes_cmac_decrypt(rx); 736 break; 737 } 738 739 /* either the frame has been decrypted or will be dropped */ 740 rx->status->flag |= RX_FLAG_DECRYPTED; 741 742 return result; 743} 744 745static ieee80211_rx_result debug_noinline 746ieee80211_rx_h_check_more_data(struct ieee80211_rx_data *rx) 747{ 748 struct ieee80211_local *local; 749 struct ieee80211_hdr *hdr; 750 struct sk_buff *skb; 751 752 local = rx->local; 753 skb = rx->skb; 754 hdr = (struct ieee80211_hdr *) skb->data; 755 756 if (!local->pspolling) 757 return RX_CONTINUE; 758 759 if (!ieee80211_has_fromds(hdr->frame_control)) 760 /* this is not from AP */ 761 return RX_CONTINUE; 762 763 if (!ieee80211_is_data(hdr->frame_control)) 764 return RX_CONTINUE; 765 766 if (!ieee80211_has_moredata(hdr->frame_control)) { 767 /* AP has no more frames buffered for us */ 768 local->pspolling = false; 769 return RX_CONTINUE; 770 } 771 772 /* more data bit is set, let's request a new frame from the AP */ 773 ieee80211_send_pspoll(local, rx->sdata); 774 775 return RX_CONTINUE; 776} 777 778static void ap_sta_ps_start(struct sta_info *sta) 779{ 780 struct ieee80211_sub_if_data *sdata = sta->sdata; 781 struct ieee80211_local *local = sdata->local; 782 783 atomic_inc(&sdata->bss->num_sta_ps); 784 set_sta_flags(sta, WLAN_STA_PS_STA); 785 drv_sta_notify(local, &sdata->vif, STA_NOTIFY_SLEEP, &sta->sta); 786#ifdef CONFIG_MAC80211_VERBOSE_PS_DEBUG 787 printk(KERN_DEBUG "%s: STA %pM aid %d enters power save mode\n", 788 sdata->dev->name, sta->sta.addr, sta->sta.aid); 789#endif /* CONFIG_MAC80211_VERBOSE_PS_DEBUG */ 790} 791 792static void ap_sta_ps_end(struct sta_info *sta) 793{ 794 struct ieee80211_sub_if_data *sdata = sta->sdata; 795 796 atomic_dec(&sdata->bss->num_sta_ps); 797 798 clear_sta_flags(sta, WLAN_STA_PS_STA); 799 800#ifdef CONFIG_MAC80211_VERBOSE_PS_DEBUG 801 printk(KERN_DEBUG "%s: STA %pM aid %d exits power save mode\n", 802 sdata->dev->name, sta->sta.addr, sta->sta.aid); 803#endif /* CONFIG_MAC80211_VERBOSE_PS_DEBUG */ 804 805 if (test_sta_flags(sta, WLAN_STA_PS_DRIVER)) { 806#ifdef CONFIG_MAC80211_VERBOSE_PS_DEBUG 807 printk(KERN_DEBUG "%s: STA %pM aid %d driver-ps-blocked\n", 808 sdata->dev->name, sta->sta.addr, sta->sta.aid); 809#endif /* CONFIG_MAC80211_VERBOSE_PS_DEBUG */ 810 return; 811 } 812 813 ieee80211_sta_ps_deliver_wakeup(sta); 814} 815 816static ieee80211_rx_result debug_noinline 817ieee80211_rx_h_sta_process(struct ieee80211_rx_data *rx) 818{ 819 struct sta_info *sta = rx->sta; 820 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)rx->skb->data; 821 822 if (!sta) 823 return RX_CONTINUE; 824 825 /* 826 * Update last_rx only for IBSS packets which are for the current 827 * BSSID to avoid keeping the current IBSS network alive in cases 828 * where other STAs start using different BSSID. 829 */ 830 if (rx->sdata->vif.type == NL80211_IFTYPE_ADHOC) { 831 u8 *bssid = ieee80211_get_bssid(hdr, rx->skb->len, 832 NL80211_IFTYPE_ADHOC); 833 if (compare_ether_addr(bssid, rx->sdata->u.ibss.bssid) == 0) 834 sta->last_rx = jiffies; 835 } else if (!is_multicast_ether_addr(hdr->addr1)) { 836 /* 837 * Mesh beacons will update last_rx when if they are found to 838 * match the current local configuration when processed. 839 */ 840 sta->last_rx = jiffies; 841 } 842 843 if (!(rx->flags & IEEE80211_RX_RA_MATCH)) 844 return RX_CONTINUE; 845 846 if (rx->sdata->vif.type == NL80211_IFTYPE_STATION) 847 ieee80211_sta_rx_notify(rx->sdata, hdr); 848 849 sta->rx_fragments++; 850 sta->rx_bytes += rx->skb->len; 851 sta->last_signal = rx->status->signal; 852 sta->last_noise = rx->status->noise; 853 854 /* 855 * Change STA power saving mode only at the end of a frame 856 * exchange sequence. 857 */ 858 if (!ieee80211_has_morefrags(hdr->frame_control) && 859 (rx->sdata->vif.type == NL80211_IFTYPE_AP || 860 rx->sdata->vif.type == NL80211_IFTYPE_AP_VLAN)) { 861 if (test_sta_flags(sta, WLAN_STA_PS_STA)) { 862 /* 863 * Ignore doze->wake transitions that are 864 * indicated by non-data frames, the standard 865 * is unclear here, but for example going to 866 * PS mode and then scanning would cause a 867 * doze->wake transition for the probe request, 868 * and that is clearly undesirable. 869 */ 870 if (ieee80211_is_data(hdr->frame_control) && 871 !ieee80211_has_pm(hdr->frame_control)) 872 ap_sta_ps_end(sta); 873 } else { 874 if (ieee80211_has_pm(hdr->frame_control)) 875 ap_sta_ps_start(sta); 876 } 877 } 878 879 /* 880 * Drop (qos-)data::nullfunc frames silently, since they 881 * are used only to control station power saving mode. 882 */ 883 if (ieee80211_is_nullfunc(hdr->frame_control) || 884 ieee80211_is_qos_nullfunc(hdr->frame_control)) { 885 I802_DEBUG_INC(rx->local->rx_handlers_drop_nullfunc); 886 /* 887 * Update counter and free packet here to avoid 888 * counting this as a dropped packed. 889 */ 890 sta->rx_packets++; 891 dev_kfree_skb(rx->skb); 892 return RX_QUEUED; 893 } 894 895 return RX_CONTINUE; 896} /* ieee80211_rx_h_sta_process */ 897 898static inline struct ieee80211_fragment_entry * 899ieee80211_reassemble_add(struct ieee80211_sub_if_data *sdata, 900 unsigned int frag, unsigned int seq, int rx_queue, 901 struct sk_buff **skb) 902{ 903 struct ieee80211_fragment_entry *entry; 904 int idx; 905 906 idx = sdata->fragment_next; 907 entry = &sdata->fragments[sdata->fragment_next++]; 908 if (sdata->fragment_next >= IEEE80211_FRAGMENT_MAX) 909 sdata->fragment_next = 0; 910 911 if (!skb_queue_empty(&entry->skb_list)) { 912#ifdef CONFIG_MAC80211_VERBOSE_DEBUG 913 struct ieee80211_hdr *hdr = 914 (struct ieee80211_hdr *) entry->skb_list.next->data; 915 printk(KERN_DEBUG "%s: RX reassembly removed oldest " 916 "fragment entry (idx=%d age=%lu seq=%d last_frag=%d " 917 "addr1=%pM addr2=%pM\n", 918 sdata->dev->name, idx, 919 jiffies - entry->first_frag_time, entry->seq, 920 entry->last_frag, hdr->addr1, hdr->addr2); 921#endif 922 __skb_queue_purge(&entry->skb_list); 923 } 924 925 __skb_queue_tail(&entry->skb_list, *skb); /* no need for locking */ 926 *skb = NULL; 927 entry->first_frag_time = jiffies; 928 entry->seq = seq; 929 entry->rx_queue = rx_queue; 930 entry->last_frag = frag; 931 entry->ccmp = 0; 932 entry->extra_len = 0; 933 934 return entry; 935} 936 937static inline struct ieee80211_fragment_entry * 938ieee80211_reassemble_find(struct ieee80211_sub_if_data *sdata, 939 unsigned int frag, unsigned int seq, 940 int rx_queue, struct ieee80211_hdr *hdr) 941{ 942 struct ieee80211_fragment_entry *entry; 943 int i, idx; 944 945 idx = sdata->fragment_next; 946 for (i = 0; i < IEEE80211_FRAGMENT_MAX; i++) { 947 struct ieee80211_hdr *f_hdr; 948 949 idx--; 950 if (idx < 0) 951 idx = IEEE80211_FRAGMENT_MAX - 1; 952 953 entry = &sdata->fragments[idx]; 954 if (skb_queue_empty(&entry->skb_list) || entry->seq != seq || 955 entry->rx_queue != rx_queue || 956 entry->last_frag + 1 != frag) 957 continue; 958 959 f_hdr = (struct ieee80211_hdr *)entry->skb_list.next->data; 960 961 /* 962 * Check ftype and addresses are equal, else check next fragment 963 */ 964 if (((hdr->frame_control ^ f_hdr->frame_control) & 965 cpu_to_le16(IEEE80211_FCTL_FTYPE)) || 966 compare_ether_addr(hdr->addr1, f_hdr->addr1) != 0 || 967 compare_ether_addr(hdr->addr2, f_hdr->addr2) != 0) 968 continue; 969 970 if (time_after(jiffies, entry->first_frag_time + 2 * HZ)) { 971 __skb_queue_purge(&entry->skb_list); 972 continue; 973 } 974 return entry; 975 } 976 977 return NULL; 978} 979 980static ieee80211_rx_result debug_noinline 981ieee80211_rx_h_defragment(struct ieee80211_rx_data *rx) 982{ 983 struct ieee80211_hdr *hdr; 984 u16 sc; 985 __le16 fc; 986 unsigned int frag, seq; 987 struct ieee80211_fragment_entry *entry; 988 struct sk_buff *skb; 989 990 hdr = (struct ieee80211_hdr *)rx->skb->data; 991 fc = hdr->frame_control; 992 sc = le16_to_cpu(hdr->seq_ctrl); 993 frag = sc & IEEE80211_SCTL_FRAG; 994 995 if (likely((!ieee80211_has_morefrags(fc) && frag == 0) || 996 (rx->skb)->len < 24 || 997 is_multicast_ether_addr(hdr->addr1))) { 998 /* not fragmented */ 999 goto out; 1000 } 1001 I802_DEBUG_INC(rx->local->rx_handlers_fragments); 1002 1003 seq = (sc & IEEE80211_SCTL_SEQ) >> 4; 1004 1005 if (frag == 0) { 1006 /* This is the first fragment of a new frame. */ 1007 entry = ieee80211_reassemble_add(rx->sdata, frag, seq, 1008 rx->queue, &(rx->skb)); 1009 if (rx->key && rx->key->conf.alg == ALG_CCMP && 1010 ieee80211_has_protected(fc)) { 1011 /* Store CCMP PN so that we can verify that the next 1012 * fragment has a sequential PN value. */ 1013 entry->ccmp = 1; 1014 memcpy(entry->last_pn, 1015 rx->key->u.ccmp.rx_pn[rx->queue], 1016 CCMP_PN_LEN); 1017 } 1018 return RX_QUEUED; 1019 } 1020 1021 /* This is a fragment for a frame that should already be pending in 1022 * fragment cache. Add this fragment to the end of the pending entry. 1023 */ 1024 entry = ieee80211_reassemble_find(rx->sdata, frag, seq, rx->queue, hdr); 1025 if (!entry) { 1026 I802_DEBUG_INC(rx->local->rx_handlers_drop_defrag); 1027 return RX_DROP_MONITOR; 1028 } 1029 1030 /* Verify that MPDUs within one MSDU have sequential PN values. 1031 * (IEEE 802.11i, 8.3.3.4.5) */ 1032 if (entry->ccmp) { 1033 int i; 1034 u8 pn[CCMP_PN_LEN], *rpn; 1035 if (!rx->key || rx->key->conf.alg != ALG_CCMP) 1036 return RX_DROP_UNUSABLE; 1037 memcpy(pn, entry->last_pn, CCMP_PN_LEN); 1038 for (i = CCMP_PN_LEN - 1; i >= 0; i--) { 1039 pn[i]++; 1040 if (pn[i]) 1041 break; 1042 } 1043 rpn = rx->key->u.ccmp.rx_pn[rx->queue]; 1044 if (memcmp(pn, rpn, CCMP_PN_LEN)) 1045 return RX_DROP_UNUSABLE; 1046 memcpy(entry->last_pn, pn, CCMP_PN_LEN); 1047 } 1048 1049 skb_pull(rx->skb, ieee80211_hdrlen(fc)); 1050 __skb_queue_tail(&entry->skb_list, rx->skb); 1051 entry->last_frag = frag; 1052 entry->extra_len += rx->skb->len; 1053 if (ieee80211_has_morefrags(fc)) { 1054 rx->skb = NULL; 1055 return RX_QUEUED; 1056 } 1057 1058 rx->skb = __skb_dequeue(&entry->skb_list); 1059 if (skb_tailroom(rx->skb) < entry->extra_len) { 1060 I802_DEBUG_INC(rx->local->rx_expand_skb_head2); 1061 if (unlikely(pskb_expand_head(rx->skb, 0, entry->extra_len, 1062 GFP_ATOMIC))) { 1063 I802_DEBUG_INC(rx->local->rx_handlers_drop_defrag); 1064 __skb_queue_purge(&entry->skb_list); 1065 return RX_DROP_UNUSABLE; 1066 } 1067 } 1068 while ((skb = __skb_dequeue(&entry->skb_list))) { 1069 memcpy(skb_put(rx->skb, skb->len), skb->data, skb->len); 1070 dev_kfree_skb(skb); 1071 } 1072 1073 /* Complete frame has been reassembled - process it now */ 1074 rx->flags |= IEEE80211_RX_FRAGMENTED; 1075 1076 out: 1077 if (rx->sta) 1078 rx->sta->rx_packets++; 1079 if (is_multicast_ether_addr(hdr->addr1)) 1080 rx->local->dot11MulticastReceivedFrameCount++; 1081 else 1082 ieee80211_led_rx(rx->local); 1083 return RX_CONTINUE; 1084} 1085 1086static ieee80211_rx_result debug_noinline 1087ieee80211_rx_h_ps_poll(struct ieee80211_rx_data *rx) 1088{ 1089 struct ieee80211_sub_if_data *sdata = rx->sdata; 1090 __le16 fc = ((struct ieee80211_hdr *)rx->skb->data)->frame_control; 1091 1092 if (likely(!rx->sta || !ieee80211_is_pspoll(fc) || 1093 !(rx->flags & IEEE80211_RX_RA_MATCH))) 1094 return RX_CONTINUE; 1095 1096 if ((sdata->vif.type != NL80211_IFTYPE_AP) && 1097 (sdata->vif.type != NL80211_IFTYPE_AP_VLAN)) 1098 return RX_DROP_UNUSABLE; 1099 1100 if (!test_sta_flags(rx->sta, WLAN_STA_PS_DRIVER)) 1101 ieee80211_sta_ps_deliver_poll_response(rx->sta); 1102 else 1103 set_sta_flags(rx->sta, WLAN_STA_PSPOLL); 1104 1105 /* Free PS Poll skb here instead of returning RX_DROP that would 1106 * count as an dropped frame. */ 1107 dev_kfree_skb(rx->skb); 1108 1109 return RX_QUEUED; 1110} 1111 1112static ieee80211_rx_result debug_noinline 1113ieee80211_rx_h_remove_qos_control(struct ieee80211_rx_data *rx) 1114{ 1115 u8 *data = rx->skb->data; 1116 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)data; 1117 1118 if (!ieee80211_is_data_qos(hdr->frame_control)) 1119 return RX_CONTINUE; 1120 1121 /* remove the qos control field, update frame type and meta-data */ 1122 memmove(data + IEEE80211_QOS_CTL_LEN, data, 1123 ieee80211_hdrlen(hdr->frame_control) - IEEE80211_QOS_CTL_LEN); 1124 hdr = (struct ieee80211_hdr *)skb_pull(rx->skb, IEEE80211_QOS_CTL_LEN); 1125 /* change frame type to non QOS */ 1126 hdr->frame_control &= ~cpu_to_le16(IEEE80211_STYPE_QOS_DATA); 1127 1128 return RX_CONTINUE; 1129} 1130 1131static int 1132ieee80211_802_1x_port_control(struct ieee80211_rx_data *rx) 1133{ 1134 if (unlikely(!rx->sta || 1135 !test_sta_flags(rx->sta, WLAN_STA_AUTHORIZED))) 1136 return -EACCES; 1137 1138 return 0; 1139} 1140 1141static int 1142ieee80211_drop_unencrypted(struct ieee80211_rx_data *rx, __le16 fc) 1143{ 1144 /* 1145 * Pass through unencrypted frames if the hardware has 1146 * decrypted them already. 1147 */ 1148 if (rx->status->flag & RX_FLAG_DECRYPTED) 1149 return 0; 1150 1151 /* Drop unencrypted frames if key is set. */ 1152 if (unlikely(!ieee80211_has_protected(fc) && 1153 !ieee80211_is_nullfunc(fc) && 1154 ieee80211_is_data(fc) && 1155 (rx->key || rx->sdata->drop_unencrypted))) 1156 return -EACCES; 1157 if (rx->sta && test_sta_flags(rx->sta, WLAN_STA_MFP)) { 1158 if (unlikely(ieee80211_is_unicast_robust_mgmt_frame(rx->skb) && 1159 rx->key)) 1160 return -EACCES; 1161 /* BIP does not use Protected field, so need to check MMIE */ 1162 if (unlikely(ieee80211_is_multicast_robust_mgmt_frame(rx->skb) 1163 && ieee80211_get_mmie_keyidx(rx->skb) < 0 && 1164 rx->key)) 1165 return -EACCES; 1166 /* 1167 * When using MFP, Action frames are not allowed prior to 1168 * having configured keys. 1169 */ 1170 if (unlikely(ieee80211_is_action(fc) && !rx->key && 1171 ieee80211_is_robust_mgmt_frame( 1172 (struct ieee80211_hdr *) rx->skb->data))) 1173 return -EACCES; 1174 } 1175 1176 return 0; 1177} 1178 1179static int 1180__ieee80211_data_to_8023(struct ieee80211_rx_data *rx) 1181{ 1182 struct net_device *dev = rx->dev; 1183 struct ieee80211_sub_if_data *sdata = IEEE80211_DEV_TO_SUB_IF(dev); 1184 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)rx->skb->data; 1185 1186 if (sdata->vif.type == NL80211_IFTYPE_AP_VLAN && !sdata->use_4addr && 1187 ieee80211_has_a4(hdr->frame_control)) 1188 return -1; 1189 if (sdata->use_4addr && is_multicast_ether_addr(hdr->addr1)) 1190 return -1; 1191 1192 return ieee80211_data_to_8023(rx->skb, dev->dev_addr, sdata->vif.type); 1193} 1194 1195/* 1196 * requires that rx->skb is a frame with ethernet header 1197 */ 1198static bool ieee80211_frame_allowed(struct ieee80211_rx_data *rx, __le16 fc) 1199{ 1200 static const u8 pae_group_addr[ETH_ALEN] __aligned(2) 1201 = { 0x01, 0x80, 0xC2, 0x00, 0x00, 0x03 }; 1202 struct ethhdr *ehdr = (struct ethhdr *) rx->skb->data; 1203 1204 /* 1205 * Allow EAPOL frames to us/the PAE group address regardless 1206 * of whether the frame was encrypted or not. 1207 */ 1208 if (ehdr->h_proto == htons(ETH_P_PAE) && 1209 (compare_ether_addr(ehdr->h_dest, rx->dev->dev_addr) == 0 || 1210 compare_ether_addr(ehdr->h_dest, pae_group_addr) == 0)) 1211 return true; 1212 1213 if (ieee80211_802_1x_port_control(rx) || 1214 ieee80211_drop_unencrypted(rx, fc)) 1215 return false; 1216 1217 return true; 1218} 1219 1220/* 1221 * requires that rx->skb is a frame with ethernet header 1222 */ 1223static void 1224ieee80211_deliver_skb(struct ieee80211_rx_data *rx) 1225{ 1226 struct net_device *dev = rx->dev; 1227 struct ieee80211_local *local = rx->local; 1228 struct sk_buff *skb, *xmit_skb; 1229 struct ieee80211_sub_if_data *sdata = IEEE80211_DEV_TO_SUB_IF(dev); 1230 struct ethhdr *ehdr = (struct ethhdr *) rx->skb->data; 1231 struct sta_info *dsta; 1232 1233 skb = rx->skb; 1234 xmit_skb = NULL; 1235 1236 if ((sdata->vif.type == NL80211_IFTYPE_AP || 1237 sdata->vif.type == NL80211_IFTYPE_AP_VLAN) && 1238 !(sdata->flags & IEEE80211_SDATA_DONT_BRIDGE_PACKETS) && 1239 (rx->flags & IEEE80211_RX_RA_MATCH) && !rx->sdata->use_4addr) { 1240 if (is_multicast_ether_addr(ehdr->h_dest)) { 1241 /* 1242 * send multicast frames both to higher layers in 1243 * local net stack and back to the wireless medium 1244 */ 1245 xmit_skb = skb_copy(skb, GFP_ATOMIC); 1246 if (!xmit_skb && net_ratelimit()) 1247 printk(KERN_DEBUG "%s: failed to clone " 1248 "multicast frame\n", dev->name); 1249 } else { 1250 dsta = sta_info_get(local, skb->data); 1251 if (dsta && dsta->sdata->dev == dev) { 1252 /* 1253 * The destination station is associated to 1254 * this AP (in this VLAN), so send the frame 1255 * directly to it and do not pass it to local 1256 * net stack. 1257 */ 1258 xmit_skb = skb; 1259 skb = NULL; 1260 } 1261 } 1262 } 1263 1264 if (skb) { 1265 int align __maybe_unused; 1266 1267#if defined(CONFIG_MAC80211_DEBUG_PACKET_ALIGNMENT) || !defined(CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS) 1268 /* 1269 * 'align' will only take the values 0 or 2 here 1270 * since all frames are required to be aligned 1271 * to 2-byte boundaries when being passed to 1272 * mac80211. That also explains the __skb_push() 1273 * below. 1274 */ 1275 align = ((unsigned long)(skb->data + sizeof(struct ethhdr))) & 3; 1276 if (align) { 1277 if (WARN_ON(skb_headroom(skb) < 3)) { 1278 dev_kfree_skb(skb); 1279 skb = NULL; 1280 } else { 1281 u8 *data = skb->data; 1282 size_t len = skb_headlen(skb); 1283 skb->data -= align; 1284 memmove(skb->data, data, len); 1285 skb_set_tail_pointer(skb, len); 1286 } 1287 } 1288#endif 1289 1290 if (skb) { 1291 /* deliver to local stack */ 1292 skb->protocol = eth_type_trans(skb, dev); 1293 memset(skb->cb, 0, sizeof(skb->cb)); 1294 netif_rx(skb); 1295 } 1296 } 1297 1298 if (xmit_skb) { 1299 /* send to wireless media */ 1300 xmit_skb->protocol = htons(ETH_P_802_3); 1301 skb_reset_network_header(xmit_skb); 1302 skb_reset_mac_header(xmit_skb); 1303 dev_queue_xmit(xmit_skb); 1304 } 1305} 1306 1307static ieee80211_rx_result debug_noinline 1308ieee80211_rx_h_amsdu(struct ieee80211_rx_data *rx) 1309{ 1310 struct net_device *dev = rx->dev; 1311 struct ieee80211_local *local = rx->local; 1312 u16 ethertype; 1313 u8 *payload; 1314 struct sk_buff *skb = rx->skb, *frame = NULL; 1315 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)skb->data; 1316 __le16 fc = hdr->frame_control; 1317 const struct ethhdr *eth; 1318 int remaining, err; 1319 u8 dst[ETH_ALEN]; 1320 u8 src[ETH_ALEN]; 1321 1322 if (unlikely(!ieee80211_is_data(fc))) 1323 return RX_CONTINUE; 1324 1325 if (unlikely(!ieee80211_is_data_present(fc))) 1326 return RX_DROP_MONITOR; 1327 1328 if (!(rx->flags & IEEE80211_RX_AMSDU)) 1329 return RX_CONTINUE; 1330 1331 err = __ieee80211_data_to_8023(rx); 1332 if (unlikely(err)) 1333 return RX_DROP_UNUSABLE; 1334 1335 skb->dev = dev; 1336 1337 dev->stats.rx_packets++; 1338 dev->stats.rx_bytes += skb->len; 1339 1340 /* skip the wrapping header */ 1341 eth = (struct ethhdr *) skb_pull(skb, sizeof(struct ethhdr)); 1342 if (!eth) 1343 return RX_DROP_UNUSABLE; 1344 1345 while (skb != frame) { 1346 u8 padding; 1347 __be16 len = eth->h_proto; 1348 unsigned int subframe_len = sizeof(struct ethhdr) + ntohs(len); 1349 1350 remaining = skb->len; 1351 memcpy(dst, eth->h_dest, ETH_ALEN); 1352 memcpy(src, eth->h_source, ETH_ALEN); 1353 1354 padding = ((4 - subframe_len) & 0x3); 1355 /* the last MSDU has no padding */ 1356 if (subframe_len > remaining) 1357 return RX_DROP_UNUSABLE; 1358 1359 skb_pull(skb, sizeof(struct ethhdr)); 1360 /* if last subframe reuse skb */ 1361 if (remaining <= subframe_len + padding) 1362 frame = skb; 1363 else { 1364 /* 1365 * Allocate and reserve two bytes more for payload 1366 * alignment since sizeof(struct ethhdr) is 14. 1367 */ 1368 frame = dev_alloc_skb( 1369 ALIGN(local->hw.extra_tx_headroom, 4) + 1370 subframe_len + 2); 1371 1372 if (frame == NULL) 1373 return RX_DROP_UNUSABLE; 1374 1375 skb_reserve(frame, 1376 ALIGN(local->hw.extra_tx_headroom, 4) + 1377 sizeof(struct ethhdr) + 2); 1378 memcpy(skb_put(frame, ntohs(len)), skb->data, 1379 ntohs(len)); 1380 1381 eth = (struct ethhdr *) skb_pull(skb, ntohs(len) + 1382 padding); 1383 if (!eth) { 1384 dev_kfree_skb(frame); 1385 return RX_DROP_UNUSABLE; 1386 } 1387 } 1388 1389 skb_reset_network_header(frame); 1390 frame->dev = dev; 1391 frame->priority = skb->priority; 1392 rx->skb = frame; 1393 1394 payload = frame->data; 1395 ethertype = (payload[6] << 8) | payload[7]; 1396 1397 if (likely((compare_ether_addr(payload, rfc1042_header) == 0 && 1398 ethertype != ETH_P_AARP && ethertype != ETH_P_IPX) || 1399 compare_ether_addr(payload, 1400 bridge_tunnel_header) == 0)) { 1401 /* remove RFC1042 or Bridge-Tunnel 1402 * encapsulation and replace EtherType */ 1403 skb_pull(frame, 6); 1404 memcpy(skb_push(frame, ETH_ALEN), src, ETH_ALEN); 1405 memcpy(skb_push(frame, ETH_ALEN), dst, ETH_ALEN); 1406 } else { 1407 memcpy(skb_push(frame, sizeof(__be16)), 1408 &len, sizeof(__be16)); 1409 memcpy(skb_push(frame, ETH_ALEN), src, ETH_ALEN); 1410 memcpy(skb_push(frame, ETH_ALEN), dst, ETH_ALEN); 1411 } 1412 1413 if (!ieee80211_frame_allowed(rx, fc)) { 1414 if (skb == frame) /* last frame */ 1415 return RX_DROP_UNUSABLE; 1416 dev_kfree_skb(frame); 1417 continue; 1418 } 1419 1420 ieee80211_deliver_skb(rx); 1421 } 1422 1423 return RX_QUEUED; 1424} 1425 1426#ifdef CONFIG_MAC80211_MESH 1427static ieee80211_rx_result 1428ieee80211_rx_h_mesh_fwding(struct ieee80211_rx_data *rx) 1429{ 1430 struct ieee80211_hdr *hdr; 1431 struct ieee80211s_hdr *mesh_hdr; 1432 unsigned int hdrlen; 1433 struct sk_buff *skb = rx->skb, *fwd_skb; 1434 struct ieee80211_local *local = rx->local; 1435 struct ieee80211_sub_if_data *sdata; 1436 1437 hdr = (struct ieee80211_hdr *) skb->data; 1438 hdrlen = ieee80211_hdrlen(hdr->frame_control); 1439 mesh_hdr = (struct ieee80211s_hdr *) (skb->data + hdrlen); 1440 sdata = IEEE80211_DEV_TO_SUB_IF(rx->dev); 1441 1442 if (!ieee80211_is_data(hdr->frame_control)) 1443 return RX_CONTINUE; 1444 1445 if (!mesh_hdr->ttl) 1446 /* illegal frame */ 1447 return RX_DROP_MONITOR; 1448 1449 if (mesh_hdr->flags & MESH_FLAGS_AE) { 1450 struct mesh_path *mppath; 1451 char *proxied_addr; 1452 char *mpp_addr; 1453 1454 if (is_multicast_ether_addr(hdr->addr1)) { 1455 mpp_addr = hdr->addr3; 1456 proxied_addr = mesh_hdr->eaddr1; 1457 } else { 1458 mpp_addr = hdr->addr4; 1459 proxied_addr = mesh_hdr->eaddr2; 1460 } 1461 1462 rcu_read_lock(); 1463 mppath = mpp_path_lookup(proxied_addr, sdata); 1464 if (!mppath) { 1465 mpp_path_add(proxied_addr, mpp_addr, sdata); 1466 } else { 1467 spin_lock_bh(&mppath->state_lock); 1468 mppath->exp_time = jiffies; 1469 if (compare_ether_addr(mppath->mpp, mpp_addr) != 0) 1470 memcpy(mppath->mpp, mpp_addr, ETH_ALEN); 1471 spin_unlock_bh(&mppath->state_lock); 1472 } 1473 rcu_read_unlock(); 1474 } 1475 1476 /* Frame has reached destination. Don't forward */ 1477 if (!is_multicast_ether_addr(hdr->addr1) && 1478 compare_ether_addr(rx->dev->dev_addr, hdr->addr3) == 0) 1479 return RX_CONTINUE; 1480 1481 mesh_hdr->ttl--; 1482 1483 if (rx->flags & IEEE80211_RX_RA_MATCH) { 1484 if (!mesh_hdr->ttl) 1485 IEEE80211_IFSTA_MESH_CTR_INC(&rx->sdata->u.mesh, 1486 dropped_frames_ttl); 1487 else { 1488 struct ieee80211_hdr *fwd_hdr; 1489 struct ieee80211_tx_info *info; 1490 1491 fwd_skb = skb_copy(skb, GFP_ATOMIC); 1492 1493 if (!fwd_skb && net_ratelimit()) 1494 printk(KERN_DEBUG "%s: failed to clone mesh frame\n", 1495 rx->dev->name); 1496 1497 fwd_hdr = (struct ieee80211_hdr *) fwd_skb->data; 1498 memcpy(fwd_hdr->addr2, rx->dev->dev_addr, ETH_ALEN); 1499 info = IEEE80211_SKB_CB(fwd_skb); 1500 memset(info, 0, sizeof(*info)); 1501 info->flags |= IEEE80211_TX_INTFL_NEED_TXPROCESSING; 1502 info->control.vif = &rx->sdata->vif; 1503 ieee80211_select_queue(local, fwd_skb); 1504 if (is_multicast_ether_addr(fwd_hdr->addr1)) 1505 IEEE80211_IFSTA_MESH_CTR_INC(&sdata->u.mesh, 1506 fwded_mcast); 1507 else { 1508 int err; 1509 /* 1510 * Save TA to addr1 to send TA a path error if a 1511 * suitable next hop is not found 1512 */ 1513 memcpy(fwd_hdr->addr1, fwd_hdr->addr2, 1514 ETH_ALEN); 1515 err = mesh_nexthop_lookup(fwd_skb, sdata); 1516 /* Failed to immediately resolve next hop: 1517 * fwded frame was dropped or will be added 1518 * later to the pending skb queue. */ 1519 if (err) 1520 return RX_DROP_MONITOR; 1521 1522 IEEE80211_IFSTA_MESH_CTR_INC(&sdata->u.mesh, 1523 fwded_unicast); 1524 } 1525 IEEE80211_IFSTA_MESH_CTR_INC(&sdata->u.mesh, 1526 fwded_frames); 1527 ieee80211_add_pending_skb(local, fwd_skb); 1528 } 1529 } 1530 1531 if (is_multicast_ether_addr(hdr->addr1) || 1532 rx->dev->flags & IFF_PROMISC) 1533 return RX_CONTINUE; 1534 else 1535 return RX_DROP_MONITOR; 1536} 1537#endif 1538 1539static ieee80211_rx_result debug_noinline 1540ieee80211_rx_h_data(struct ieee80211_rx_data *rx) 1541{ 1542 struct net_device *dev = rx->dev; 1543 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)rx->skb->data; 1544 struct ieee80211_sub_if_data *sdata = IEEE80211_DEV_TO_SUB_IF(dev); 1545 __le16 fc = hdr->frame_control; 1546 int err; 1547 1548 if (unlikely(!ieee80211_is_data(hdr->frame_control))) 1549 return RX_CONTINUE; 1550 1551 if (unlikely(!ieee80211_is_data_present(hdr->frame_control))) 1552 return RX_DROP_MONITOR; 1553 1554 /* 1555 * Allow the cooked monitor interface of an AP to see 4-addr frames so 1556 * that a 4-addr station can be detected and moved into a separate VLAN 1557 */ 1558 if (ieee80211_has_a4(hdr->frame_control) && 1559 sdata->vif.type == NL80211_IFTYPE_AP) 1560 return RX_DROP_MONITOR; 1561 1562 err = __ieee80211_data_to_8023(rx); 1563 if (unlikely(err)) 1564 return RX_DROP_UNUSABLE; 1565 1566 if (!ieee80211_frame_allowed(rx, fc)) 1567 return RX_DROP_MONITOR; 1568 1569 rx->skb->dev = dev; 1570 1571 dev->stats.rx_packets++; 1572 dev->stats.rx_bytes += rx->skb->len; 1573 1574 ieee80211_deliver_skb(rx); 1575 1576 return RX_QUEUED; 1577} 1578 1579static ieee80211_rx_result debug_noinline 1580ieee80211_rx_h_ctrl(struct ieee80211_rx_data *rx) 1581{ 1582 struct ieee80211_local *local = rx->local; 1583 struct ieee80211_hw *hw = &local->hw; 1584 struct sk_buff *skb = rx->skb; 1585 struct ieee80211_bar *bar = (struct ieee80211_bar *)skb->data; 1586 struct tid_ampdu_rx *tid_agg_rx; 1587 u16 start_seq_num; 1588 u16 tid; 1589 1590 if (likely(!ieee80211_is_ctl(bar->frame_control))) 1591 return RX_CONTINUE; 1592 1593 if (ieee80211_is_back_req(bar->frame_control)) { 1594 if (!rx->sta) 1595 return RX_CONTINUE; 1596 tid = le16_to_cpu(bar->control) >> 12; 1597 if (rx->sta->ampdu_mlme.tid_state_rx[tid] 1598 != HT_AGG_STATE_OPERATIONAL) 1599 return RX_CONTINUE; 1600 tid_agg_rx = rx->sta->ampdu_mlme.tid_rx[tid]; 1601 1602 start_seq_num = le16_to_cpu(bar->start_seq_num) >> 4; 1603 1604 /* reset session timer */ 1605 if (tid_agg_rx->timeout) 1606 mod_timer(&tid_agg_rx->session_timer, 1607 TU_TO_EXP_TIME(tid_agg_rx->timeout)); 1608 1609 /* manage reordering buffer according to requested */ 1610 /* sequence number */ 1611 rcu_read_lock(); 1612 ieee80211_sta_manage_reorder_buf(hw, tid_agg_rx, NULL, 1613 start_seq_num, 1); 1614 rcu_read_unlock(); 1615 return RX_DROP_UNUSABLE; 1616 } 1617 1618 return RX_CONTINUE; 1619} 1620 1621static void ieee80211_process_sa_query_req(struct ieee80211_sub_if_data *sdata, 1622 struct ieee80211_mgmt *mgmt, 1623 size_t len) 1624{ 1625 struct ieee80211_local *local = sdata->local; 1626 struct sk_buff *skb; 1627 struct ieee80211_mgmt *resp; 1628 1629 if (compare_ether_addr(mgmt->da, sdata->dev->dev_addr) != 0) { 1630 /* Not to own unicast address */ 1631 return; 1632 } 1633 1634 if (compare_ether_addr(mgmt->sa, sdata->u.mgd.bssid) != 0 || 1635 compare_ether_addr(mgmt->bssid, sdata->u.mgd.bssid) != 0) { 1636 /* Not from the current AP or not associated yet. */ 1637 return; 1638 } 1639 1640 if (len < 24 + 1 + sizeof(resp->u.action.u.sa_query)) { 1641 /* Too short SA Query request frame */ 1642 return; 1643 } 1644 1645 skb = dev_alloc_skb(sizeof(*resp) + local->hw.extra_tx_headroom); 1646 if (skb == NULL) 1647 return; 1648 1649 skb_reserve(skb, local->hw.extra_tx_headroom); 1650 resp = (struct ieee80211_mgmt *) skb_put(skb, 24); 1651 memset(resp, 0, 24); 1652 memcpy(resp->da, mgmt->sa, ETH_ALEN); 1653 memcpy(resp->sa, sdata->dev->dev_addr, ETH_ALEN); 1654 memcpy(resp->bssid, sdata->u.mgd.bssid, ETH_ALEN); 1655 resp->frame_control = cpu_to_le16(IEEE80211_FTYPE_MGMT | 1656 IEEE80211_STYPE_ACTION); 1657 skb_put(skb, 1 + sizeof(resp->u.action.u.sa_query)); 1658 resp->u.action.category = WLAN_CATEGORY_SA_QUERY; 1659 resp->u.action.u.sa_query.action = WLAN_ACTION_SA_QUERY_RESPONSE; 1660 memcpy(resp->u.action.u.sa_query.trans_id, 1661 mgmt->u.action.u.sa_query.trans_id, 1662 WLAN_SA_QUERY_TR_ID_LEN); 1663 1664 ieee80211_tx_skb(sdata, skb, 1); 1665} 1666 1667static ieee80211_rx_result debug_noinline 1668ieee80211_rx_h_action(struct ieee80211_rx_data *rx) 1669{ 1670 struct ieee80211_local *local = rx->local; 1671 struct ieee80211_sub_if_data *sdata = IEEE80211_DEV_TO_SUB_IF(rx->dev); 1672 struct ieee80211_mgmt *mgmt = (struct ieee80211_mgmt *) rx->skb->data; 1673 int len = rx->skb->len; 1674 1675 if (!ieee80211_is_action(mgmt->frame_control)) 1676 return RX_CONTINUE; 1677 1678 if (!rx->sta) 1679 return RX_DROP_MONITOR; 1680 1681 if (!(rx->flags & IEEE80211_RX_RA_MATCH)) 1682 return RX_DROP_MONITOR; 1683 1684 if (ieee80211_drop_unencrypted(rx, mgmt->frame_control)) 1685 return RX_DROP_MONITOR; 1686 1687 /* all categories we currently handle have action_code */ 1688 if (len < IEEE80211_MIN_ACTION_SIZE + 1) 1689 return RX_DROP_MONITOR; 1690 1691 switch (mgmt->u.action.category) { 1692 case WLAN_CATEGORY_BACK: 1693 /* 1694 * The aggregation code is not prepared to handle 1695 * anything but STA/AP due to the BSSID handling; 1696 * IBSS could work in the code but isn't supported 1697 * by drivers or the standard. 1698 */ 1699 if (sdata->vif.type != NL80211_IFTYPE_STATION && 1700 sdata->vif.type != NL80211_IFTYPE_AP_VLAN && 1701 sdata->vif.type != NL80211_IFTYPE_AP) 1702 return RX_DROP_MONITOR; 1703 1704 switch (mgmt->u.action.u.addba_req.action_code) { 1705 case WLAN_ACTION_ADDBA_REQ: 1706 if (len < (IEEE80211_MIN_ACTION_SIZE + 1707 sizeof(mgmt->u.action.u.addba_req))) 1708 return RX_DROP_MONITOR; 1709 ieee80211_process_addba_request(local, rx->sta, mgmt, len); 1710 break; 1711 case WLAN_ACTION_ADDBA_RESP: 1712 if (len < (IEEE80211_MIN_ACTION_SIZE + 1713 sizeof(mgmt->u.action.u.addba_resp))) 1714 return RX_DROP_MONITOR; 1715 ieee80211_process_addba_resp(local, rx->sta, mgmt, len); 1716 break; 1717 case WLAN_ACTION_DELBA: 1718 if (len < (IEEE80211_MIN_ACTION_SIZE + 1719 sizeof(mgmt->u.action.u.delba))) 1720 return RX_DROP_MONITOR; 1721 ieee80211_process_delba(sdata, rx->sta, mgmt, len); 1722 break; 1723 } 1724 break; 1725 case WLAN_CATEGORY_SPECTRUM_MGMT: 1726 if (local->hw.conf.channel->band != IEEE80211_BAND_5GHZ) 1727 return RX_DROP_MONITOR; 1728 1729 if (sdata->vif.type != NL80211_IFTYPE_STATION) 1730 return RX_DROP_MONITOR; 1731 1732 switch (mgmt->u.action.u.measurement.action_code) { 1733 case WLAN_ACTION_SPCT_MSR_REQ: 1734 if (len < (IEEE80211_MIN_ACTION_SIZE + 1735 sizeof(mgmt->u.action.u.measurement))) 1736 return RX_DROP_MONITOR; 1737 ieee80211_process_measurement_req(sdata, mgmt, len); 1738 break; 1739 case WLAN_ACTION_SPCT_CHL_SWITCH: 1740 if (len < (IEEE80211_MIN_ACTION_SIZE + 1741 sizeof(mgmt->u.action.u.chan_switch))) 1742 return RX_DROP_MONITOR; 1743 1744 if (sdata->vif.type != NL80211_IFTYPE_STATION) 1745 return RX_DROP_MONITOR; 1746 1747 if (memcmp(mgmt->bssid, sdata->u.mgd.bssid, ETH_ALEN)) 1748 return RX_DROP_MONITOR; 1749 1750 return ieee80211_sta_rx_mgmt(sdata, rx->skb); 1751 } 1752 break; 1753 case WLAN_CATEGORY_SA_QUERY: 1754 if (len < (IEEE80211_MIN_ACTION_SIZE + 1755 sizeof(mgmt->u.action.u.sa_query))) 1756 return RX_DROP_MONITOR; 1757 switch (mgmt->u.action.u.sa_query.action) { 1758 case WLAN_ACTION_SA_QUERY_REQUEST: 1759 if (sdata->vif.type != NL80211_IFTYPE_STATION) 1760 return RX_DROP_MONITOR; 1761 ieee80211_process_sa_query_req(sdata, mgmt, len); 1762 break; 1763 case WLAN_ACTION_SA_QUERY_RESPONSE: 1764 /* 1765 * SA Query response is currently only used in AP mode 1766 * and it is processed in user space. 1767 */ 1768 return RX_CONTINUE; 1769 } 1770 break; 1771 default: 1772 return RX_CONTINUE; 1773 } 1774 1775 rx->sta->rx_packets++; 1776 dev_kfree_skb(rx->skb); 1777 return RX_QUEUED; 1778} 1779 1780static ieee80211_rx_result debug_noinline 1781ieee80211_rx_h_mgmt(struct ieee80211_rx_data *rx) 1782{ 1783 struct ieee80211_sub_if_data *sdata = IEEE80211_DEV_TO_SUB_IF(rx->dev); 1784 struct ieee80211_mgmt *mgmt = (struct ieee80211_mgmt *) rx->skb->data; 1785 1786 if (!(rx->flags & IEEE80211_RX_RA_MATCH)) 1787 return RX_DROP_MONITOR; 1788 1789 if (ieee80211_drop_unencrypted(rx, mgmt->frame_control)) 1790 return RX_DROP_MONITOR; 1791 1792 if (ieee80211_vif_is_mesh(&sdata->vif)) 1793 return ieee80211_mesh_rx_mgmt(sdata, rx->skb); 1794 1795 if (sdata->vif.type == NL80211_IFTYPE_ADHOC) 1796 return ieee80211_ibss_rx_mgmt(sdata, rx->skb); 1797 1798 if (sdata->vif.type == NL80211_IFTYPE_STATION) 1799 return ieee80211_sta_rx_mgmt(sdata, rx->skb); 1800 1801 return RX_DROP_MONITOR; 1802} 1803 1804static void ieee80211_rx_michael_mic_report(struct ieee80211_hdr *hdr, 1805 struct ieee80211_rx_data *rx) 1806{ 1807 int keyidx; 1808 unsigned int hdrlen; 1809 1810 hdrlen = ieee80211_hdrlen(hdr->frame_control); 1811 if (rx->skb->len >= hdrlen + 4) 1812 keyidx = rx->skb->data[hdrlen + 3] >> 6; 1813 else 1814 keyidx = -1; 1815 1816 if (!rx->sta) { 1817 /* 1818 * Some hardware seem to generate incorrect Michael MIC 1819 * reports; ignore them to avoid triggering countermeasures. 1820 */ 1821 goto ignore; 1822 } 1823 1824 if (!ieee80211_has_protected(hdr->frame_control)) 1825 goto ignore; 1826 1827 if (rx->sdata->vif.type == NL80211_IFTYPE_AP && keyidx) { 1828 /* 1829 * APs with pairwise keys should never receive Michael MIC 1830 * errors for non-zero keyidx because these are reserved for 1831 * group keys and only the AP is sending real multicast 1832 * frames in the BSS. 1833 */ 1834 goto ignore; 1835 } 1836 1837 if (!ieee80211_is_data(hdr->frame_control) && 1838 !ieee80211_is_auth(hdr->frame_control)) 1839 goto ignore; 1840 1841 mac80211_ev_michael_mic_failure(rx->sdata, keyidx, hdr, NULL, 1842 GFP_ATOMIC); 1843 ignore: 1844 dev_kfree_skb(rx->skb); 1845 rx->skb = NULL; 1846} 1847 1848/* TODO: use IEEE80211_RX_FRAGMENTED */ 1849static void ieee80211_rx_cooked_monitor(struct ieee80211_rx_data *rx) 1850{ 1851 struct ieee80211_sub_if_data *sdata; 1852 struct ieee80211_local *local = rx->local; 1853 struct ieee80211_rtap_hdr { 1854 struct ieee80211_radiotap_header hdr; 1855 u8 flags; 1856 u8 rate; 1857 __le16 chan_freq; 1858 __le16 chan_flags; 1859 } __attribute__ ((packed)) *rthdr; 1860 struct sk_buff *skb = rx->skb, *skb2; 1861 struct net_device *prev_dev = NULL; 1862 struct ieee80211_rx_status *status = rx->status; 1863 1864 if (rx->flags & IEEE80211_RX_CMNTR_REPORTED) 1865 goto out_free_skb; 1866 1867 if (skb_headroom(skb) < sizeof(*rthdr) && 1868 pskb_expand_head(skb, sizeof(*rthdr), 0, GFP_ATOMIC)) 1869 goto out_free_skb; 1870 1871 rthdr = (void *)skb_push(skb, sizeof(*rthdr)); 1872 memset(rthdr, 0, sizeof(*rthdr)); 1873 rthdr->hdr.it_len = cpu_to_le16(sizeof(*rthdr)); 1874 rthdr->hdr.it_present = 1875 cpu_to_le32((1 << IEEE80211_RADIOTAP_FLAGS) | 1876 (1 << IEEE80211_RADIOTAP_RATE) | 1877 (1 << IEEE80211_RADIOTAP_CHANNEL)); 1878 1879 rthdr->rate = rx->rate->bitrate / 5; 1880 rthdr->chan_freq = cpu_to_le16(status->freq); 1881 1882 if (status->band == IEEE80211_BAND_5GHZ) 1883 rthdr->chan_flags = cpu_to_le16(IEEE80211_CHAN_OFDM | 1884 IEEE80211_CHAN_5GHZ); 1885 else 1886 rthdr->chan_flags = cpu_to_le16(IEEE80211_CHAN_DYN | 1887 IEEE80211_CHAN_2GHZ); 1888 1889 skb_set_mac_header(skb, 0); 1890 skb->ip_summed = CHECKSUM_UNNECESSARY; 1891 skb->pkt_type = PACKET_OTHERHOST; 1892 skb->protocol = htons(ETH_P_802_2); 1893 1894 list_for_each_entry_rcu(sdata, &local->interfaces, list) { 1895 if (!netif_running(sdata->dev)) 1896 continue; 1897 1898 if (sdata->vif.type != NL80211_IFTYPE_MONITOR || 1899 !(sdata->u.mntr_flags & MONITOR_FLAG_COOK_FRAMES)) 1900 continue; 1901 1902 if (prev_dev) { 1903 skb2 = skb_clone(skb, GFP_ATOMIC); 1904 if (skb2) { 1905 skb2->dev = prev_dev; 1906 netif_rx(skb2); 1907 } 1908 } 1909 1910 prev_dev = sdata->dev; 1911 sdata->dev->stats.rx_packets++; 1912 sdata->dev->stats.rx_bytes += skb->len; 1913 } 1914 1915 if (prev_dev) { 1916 skb->dev = prev_dev; 1917 netif_rx(skb); 1918 skb = NULL; 1919 } else 1920 goto out_free_skb; 1921 1922 rx->flags |= IEEE80211_RX_CMNTR_REPORTED; 1923 return; 1924 1925 out_free_skb: 1926 dev_kfree_skb(skb); 1927} 1928 1929 1930static void ieee80211_invoke_rx_handlers(struct ieee80211_sub_if_data *sdata, 1931 struct ieee80211_rx_data *rx, 1932 struct sk_buff *skb) 1933{ 1934 ieee80211_rx_result res = RX_DROP_MONITOR; 1935 1936 rx->skb = skb; 1937 rx->sdata = sdata; 1938 rx->dev = sdata->dev; 1939 1940#define CALL_RXH(rxh) \ 1941 do { \ 1942 res = rxh(rx); \ 1943 if (res != RX_CONTINUE) \ 1944 goto rxh_done; \ 1945 } while (0); 1946 1947 CALL_RXH(ieee80211_rx_h_passive_scan) 1948 CALL_RXH(ieee80211_rx_h_check) 1949 CALL_RXH(ieee80211_rx_h_decrypt) 1950 CALL_RXH(ieee80211_rx_h_check_more_data) 1951 CALL_RXH(ieee80211_rx_h_sta_process) 1952 CALL_RXH(ieee80211_rx_h_defragment) 1953 CALL_RXH(ieee80211_rx_h_ps_poll) 1954 CALL_RXH(ieee80211_rx_h_michael_mic_verify) 1955 /* must be after MMIC verify so header is counted in MPDU mic */ 1956 CALL_RXH(ieee80211_rx_h_remove_qos_control) 1957 CALL_RXH(ieee80211_rx_h_amsdu) 1958#ifdef CONFIG_MAC80211_MESH 1959 if (ieee80211_vif_is_mesh(&sdata->vif)) 1960 CALL_RXH(ieee80211_rx_h_mesh_fwding); 1961#endif 1962 CALL_RXH(ieee80211_rx_h_data) 1963 CALL_RXH(ieee80211_rx_h_ctrl) 1964 CALL_RXH(ieee80211_rx_h_action) 1965 CALL_RXH(ieee80211_rx_h_mgmt) 1966 1967#undef CALL_RXH 1968 1969 rxh_done: 1970 switch (res) { 1971 case RX_DROP_MONITOR: 1972 I802_DEBUG_INC(sdata->local->rx_handlers_drop); 1973 if (rx->sta) 1974 rx->sta->rx_dropped++; 1975 /* fall through */ 1976 case RX_CONTINUE: 1977 ieee80211_rx_cooked_monitor(rx); 1978 break; 1979 case RX_DROP_UNUSABLE: 1980 I802_DEBUG_INC(sdata->local->rx_handlers_drop); 1981 if (rx->sta) 1982 rx->sta->rx_dropped++; 1983 dev_kfree_skb(rx->skb); 1984 break; 1985 case RX_QUEUED: 1986 I802_DEBUG_INC(sdata->local->rx_handlers_queued); 1987 break; 1988 } 1989} 1990 1991/* main receive path */ 1992 1993static int prepare_for_handlers(struct ieee80211_sub_if_data *sdata, 1994 struct ieee80211_rx_data *rx, 1995 struct ieee80211_hdr *hdr) 1996{ 1997 u8 *bssid = ieee80211_get_bssid(hdr, rx->skb->len, sdata->vif.type); 1998 int multicast = is_multicast_ether_addr(hdr->addr1); 1999 2000 switch (sdata->vif.type) { 2001 case NL80211_IFTYPE_STATION: 2002 if (!bssid && !sdata->use_4addr) 2003 return 0; 2004 if (!multicast && 2005 compare_ether_addr(sdata->dev->dev_addr, hdr->addr1) != 0) { 2006 if (!(sdata->dev->flags & IFF_PROMISC)) 2007 return 0; 2008 rx->flags &= ~IEEE80211_RX_RA_MATCH; 2009 } 2010 break; 2011 case NL80211_IFTYPE_ADHOC: 2012 if (!bssid) 2013 return 0; 2014 if (ieee80211_is_beacon(hdr->frame_control)) { 2015 return 1; 2016 } 2017 else if (!ieee80211_bssid_match(bssid, sdata->u.ibss.bssid)) { 2018 if (!(rx->flags & IEEE80211_RX_IN_SCAN)) 2019 return 0; 2020 rx->flags &= ~IEEE80211_RX_RA_MATCH; 2021 } else if (!multicast && 2022 compare_ether_addr(sdata->dev->dev_addr, 2023 hdr->addr1) != 0) { 2024 if (!(sdata->dev->flags & IFF_PROMISC)) 2025 return 0; 2026 rx->flags &= ~IEEE80211_RX_RA_MATCH; 2027 } else if (!rx->sta) { 2028 int rate_idx; 2029 if (rx->status->flag & RX_FLAG_HT) 2030 rate_idx = 0; /* TODO: HT rates */ 2031 else 2032 rate_idx = rx->status->rate_idx; 2033 rx->sta = ieee80211_ibss_add_sta(sdata, bssid, hdr->addr2, 2034 BIT(rate_idx)); 2035 } 2036 break; 2037 case NL80211_IFTYPE_MESH_POINT: 2038 if (!multicast && 2039 compare_ether_addr(sdata->dev->dev_addr, 2040 hdr->addr1) != 0) { 2041 if (!(sdata->dev->flags & IFF_PROMISC)) 2042 return 0; 2043 2044 rx->flags &= ~IEEE80211_RX_RA_MATCH; 2045 } 2046 break; 2047 case NL80211_IFTYPE_AP_VLAN: 2048 case NL80211_IFTYPE_AP: 2049 if (!bssid) { 2050 if (compare_ether_addr(sdata->dev->dev_addr, 2051 hdr->addr1)) 2052 return 0; 2053 } else if (!ieee80211_bssid_match(bssid, 2054 sdata->dev->dev_addr)) { 2055 if (!(rx->flags & IEEE80211_RX_IN_SCAN)) 2056 return 0; 2057 rx->flags &= ~IEEE80211_RX_RA_MATCH; 2058 } 2059 break; 2060 case NL80211_IFTYPE_WDS: 2061 if (bssid || !ieee80211_is_data(hdr->frame_control)) 2062 return 0; 2063 if (compare_ether_addr(sdata->u.wds.remote_addr, hdr->addr2)) 2064 return 0; 2065 break; 2066 case NL80211_IFTYPE_MONITOR: 2067 /* take everything */ 2068 break; 2069 case NL80211_IFTYPE_UNSPECIFIED: 2070 case __NL80211_IFTYPE_AFTER_LAST: 2071 /* should never get here */ 2072 WARN_ON(1); 2073 break; 2074 } 2075 2076 return 1; 2077} 2078 2079/* 2080 * This is the actual Rx frames handler. as it blongs to Rx path it must 2081 * be called with rcu_read_lock protection. 2082 */ 2083static void __ieee80211_rx_handle_packet(struct ieee80211_hw *hw, 2084 struct sk_buff *skb, 2085 struct ieee80211_rate *rate) 2086{ 2087 struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb); 2088 struct ieee80211_local *local = hw_to_local(hw); 2089 struct ieee80211_sub_if_data *sdata; 2090 struct ieee80211_hdr *hdr; 2091 struct ieee80211_rx_data rx; 2092 int prepares; 2093 struct ieee80211_sub_if_data *prev = NULL; 2094 struct sk_buff *skb_new; 2095 2096 hdr = (struct ieee80211_hdr *)skb->data; 2097 memset(&rx, 0, sizeof(rx)); 2098 rx.skb = skb; 2099 rx.local = local; 2100 2101 rx.status = status; 2102 rx.rate = rate; 2103 2104 if (ieee80211_is_data(hdr->frame_control) || ieee80211_is_mgmt(hdr->frame_control)) 2105 local->dot11ReceivedFragmentCount++; 2106 2107 rx.sta = sta_info_get(local, hdr->addr2); 2108 if (rx.sta) { 2109 rx.sdata = rx.sta->sdata; 2110 rx.dev = rx.sta->sdata->dev; 2111 } 2112 2113 if ((status->flag & RX_FLAG_MMIC_ERROR)) { 2114 ieee80211_rx_michael_mic_report(hdr, &rx); 2115 return; 2116 } 2117 2118 if (unlikely(test_bit(SCAN_HW_SCANNING, &local->scanning) || 2119 test_bit(SCAN_OFF_CHANNEL, &local->scanning))) 2120 rx.flags |= IEEE80211_RX_IN_SCAN; 2121 2122 ieee80211_parse_qos(&rx); 2123 ieee80211_verify_alignment(&rx); 2124 2125 skb = rx.skb; 2126 2127 if (rx.sdata && ieee80211_is_data(hdr->frame_control)) { 2128 rx.flags |= IEEE80211_RX_RA_MATCH; 2129 prepares = prepare_for_handlers(rx.sdata, &rx, hdr); 2130 if (prepares) 2131 prev = rx.sdata; 2132 } else list_for_each_entry_rcu(sdata, &local->interfaces, list) { 2133 if (!netif_running(sdata->dev)) 2134 continue; 2135 2136 if (sdata->vif.type == NL80211_IFTYPE_MONITOR || 2137 sdata->vif.type == NL80211_IFTYPE_AP_VLAN) 2138 continue; 2139 2140 rx.flags |= IEEE80211_RX_RA_MATCH; 2141 prepares = prepare_for_handlers(sdata, &rx, hdr); 2142 2143 if (!prepares) 2144 continue; 2145 2146 /* 2147 * frame is destined for this interface, but if it's not 2148 * also for the previous one we handle that after the 2149 * loop to avoid copying the SKB once too much 2150 */ 2151 2152 if (!prev) { 2153 prev = sdata; 2154 continue; 2155 } 2156 2157 /* 2158 * frame was destined for the previous interface 2159 * so invoke RX handlers for it 2160 */ 2161 2162 skb_new = skb_copy(skb, GFP_ATOMIC); 2163 if (!skb_new) { 2164 if (net_ratelimit()) 2165 printk(KERN_DEBUG "%s: failed to copy " 2166 "multicast frame for %s\n", 2167 wiphy_name(local->hw.wiphy), 2168 prev->dev->name); 2169 continue; 2170 } 2171 ieee80211_invoke_rx_handlers(prev, &rx, skb_new); 2172 prev = sdata; 2173 } 2174 if (prev) 2175 ieee80211_invoke_rx_handlers(prev, &rx, skb); 2176 else 2177 dev_kfree_skb(skb); 2178} 2179 2180#define SEQ_MODULO 0x1000 2181#define SEQ_MASK 0xfff 2182 2183static inline int seq_less(u16 sq1, u16 sq2) 2184{ 2185 return ((sq1 - sq2) & SEQ_MASK) > (SEQ_MODULO >> 1); 2186} 2187 2188static inline u16 seq_inc(u16 sq) 2189{ 2190 return (sq + 1) & SEQ_MASK; 2191} 2192 2193static inline u16 seq_sub(u16 sq1, u16 sq2) 2194{ 2195 return (sq1 - sq2) & SEQ_MASK; 2196} 2197 2198 2199static void ieee80211_release_reorder_frame(struct ieee80211_hw *hw, 2200 struct tid_ampdu_rx *tid_agg_rx, 2201 int index) 2202{ 2203 struct ieee80211_supported_band *sband; 2204 struct ieee80211_rate *rate; 2205 struct sk_buff *skb = tid_agg_rx->reorder_buf[index]; 2206 struct ieee80211_rx_status *status; 2207 2208 if (!skb) 2209 goto no_frame; 2210 2211 status = IEEE80211_SKB_RXCB(skb); 2212 2213 /* release the reordered frames to stack */ 2214 sband = hw->wiphy->bands[status->band]; 2215 if (status->flag & RX_FLAG_HT) 2216 rate = sband->bitrates; /* TODO: HT rates */ 2217 else 2218 rate = &sband->bitrates[status->rate_idx]; 2219 __ieee80211_rx_handle_packet(hw, skb, rate); 2220 tid_agg_rx->stored_mpdu_num--; 2221 tid_agg_rx->reorder_buf[index] = NULL; 2222 2223no_frame: 2224 tid_agg_rx->head_seq_num = seq_inc(tid_agg_rx->head_seq_num); 2225} 2226 2227 2228/* 2229 * Timeout (in jiffies) for skb's that are waiting in the RX reorder buffer. If 2230 * the skb was added to the buffer longer than this time ago, the earlier 2231 * frames that have not yet been received are assumed to be lost and the skb 2232 * can be released for processing. This may also release other skb's from the 2233 * reorder buffer if there are no additional gaps between the frames. 2234 */ 2235#define HT_RX_REORDER_BUF_TIMEOUT (HZ / 10) 2236 2237/* 2238 * As it function blongs to Rx path it must be called with 2239 * the proper rcu_read_lock protection for its flow. 2240 */ 2241static u8 ieee80211_sta_manage_reorder_buf(struct ieee80211_hw *hw, 2242 struct tid_ampdu_rx *tid_agg_rx, 2243 struct sk_buff *skb, 2244 u16 mpdu_seq_num, 2245 int bar_req) 2246{ 2247 u16 head_seq_num, buf_size; 2248 int index; 2249 2250 buf_size = tid_agg_rx->buf_size; 2251 head_seq_num = tid_agg_rx->head_seq_num; 2252 2253 /* frame with out of date sequence number */ 2254 if (seq_less(mpdu_seq_num, head_seq_num)) { 2255 dev_kfree_skb(skb); 2256 return 1; 2257 } 2258 2259 /* if frame sequence number exceeds our buffering window size or 2260 * block Ack Request arrived - release stored frames */ 2261 if ((!seq_less(mpdu_seq_num, head_seq_num + buf_size)) || (bar_req)) { 2262 /* new head to the ordering buffer */ 2263 if (bar_req) 2264 head_seq_num = mpdu_seq_num; 2265 else 2266 head_seq_num = 2267 seq_inc(seq_sub(mpdu_seq_num, buf_size)); 2268 /* release stored frames up to new head to stack */ 2269 while (seq_less(tid_agg_rx->head_seq_num, head_seq_num)) { 2270 index = seq_sub(tid_agg_rx->head_seq_num, 2271 tid_agg_rx->ssn) 2272 % tid_agg_rx->buf_size; 2273 ieee80211_release_reorder_frame(hw, tid_agg_rx, 2274 index); 2275 } 2276 if (bar_req) 2277 return 1; 2278 } 2279 2280 /* now the new frame is always in the range of the reordering */ 2281 /* buffer window */ 2282 index = seq_sub(mpdu_seq_num, tid_agg_rx->ssn) 2283 % tid_agg_rx->buf_size; 2284 /* check if we already stored this frame */ 2285 if (tid_agg_rx->reorder_buf[index]) { 2286 dev_kfree_skb(skb); 2287 return 1; 2288 } 2289 2290 /* if arrived mpdu is in the right order and nothing else stored */ 2291 /* release it immediately */ 2292 if (mpdu_seq_num == tid_agg_rx->head_seq_num && 2293 tid_agg_rx->stored_mpdu_num == 0) { 2294 tid_agg_rx->head_seq_num = 2295 seq_inc(tid_agg_rx->head_seq_num); 2296 return 0; 2297 } 2298 2299 /* put the frame in the reordering buffer */ 2300 tid_agg_rx->reorder_buf[index] = skb; 2301 tid_agg_rx->reorder_time[index] = jiffies; 2302 tid_agg_rx->stored_mpdu_num++; 2303 /* release the buffer until next missing frame */ 2304 index = seq_sub(tid_agg_rx->head_seq_num, tid_agg_rx->ssn) 2305 % tid_agg_rx->buf_size; 2306 if (!tid_agg_rx->reorder_buf[index] && 2307 tid_agg_rx->stored_mpdu_num > 1) { 2308 /* 2309 * No buffers ready to be released, but check whether any 2310 * frames in the reorder buffer have timed out. 2311 */ 2312 int j; 2313 int skipped = 1; 2314 for (j = (index + 1) % tid_agg_rx->buf_size; j != index; 2315 j = (j + 1) % tid_agg_rx->buf_size) { 2316 if (tid_agg_rx->reorder_buf[j] == NULL) { 2317 skipped++; 2318 continue; 2319 } 2320 if (!time_after(jiffies, tid_agg_rx->reorder_time[j] + 2321 HZ / 10)) 2322 break; 2323 2324#ifdef CONFIG_MAC80211_HT_DEBUG 2325 if (net_ratelimit()) 2326 printk(KERN_DEBUG "%s: release an RX reorder " 2327 "frame due to timeout on earlier " 2328 "frames\n", 2329 wiphy_name(hw->wiphy)); 2330#endif 2331 ieee80211_release_reorder_frame(hw, tid_agg_rx, j); 2332 2333 /* 2334 * Increment the head seq# also for the skipped slots. 2335 */ 2336 tid_agg_rx->head_seq_num = 2337 (tid_agg_rx->head_seq_num + skipped) & 2338 SEQ_MASK; 2339 skipped = 0; 2340 } 2341 } else while (tid_agg_rx->reorder_buf[index]) { 2342 ieee80211_release_reorder_frame(hw, tid_agg_rx, index); 2343 index = seq_sub(tid_agg_rx->head_seq_num, 2344 tid_agg_rx->ssn) % tid_agg_rx->buf_size; 2345 } 2346 return 1; 2347} 2348 2349static u8 ieee80211_rx_reorder_ampdu(struct ieee80211_local *local, 2350 struct sk_buff *skb) 2351{ 2352 struct ieee80211_hw *hw = &local->hw; 2353 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *) skb->data; 2354 struct sta_info *sta; 2355 struct tid_ampdu_rx *tid_agg_rx; 2356 u16 sc; 2357 u16 mpdu_seq_num; 2358 u8 ret = 0; 2359 int tid; 2360 2361 sta = sta_info_get(local, hdr->addr2); 2362 if (!sta) 2363 return ret; 2364 2365 /* filter the QoS data rx stream according to 2366 * STA/TID and check if this STA/TID is on aggregation */ 2367 if (!ieee80211_is_data_qos(hdr->frame_control)) 2368 goto end_reorder; 2369 2370 tid = *ieee80211_get_qos_ctl(hdr) & IEEE80211_QOS_CTL_TID_MASK; 2371 2372 if (sta->ampdu_mlme.tid_state_rx[tid] != HT_AGG_STATE_OPERATIONAL) 2373 goto end_reorder; 2374 2375 tid_agg_rx = sta->ampdu_mlme.tid_rx[tid]; 2376 2377 /* qos null data frames are excluded */ 2378 if (unlikely(hdr->frame_control & cpu_to_le16(IEEE80211_STYPE_NULLFUNC))) 2379 goto end_reorder; 2380 2381 /* new un-ordered ampdu frame - process it */ 2382 2383 /* reset session timer */ 2384 if (tid_agg_rx->timeout) 2385 mod_timer(&tid_agg_rx->session_timer, 2386 TU_TO_EXP_TIME(tid_agg_rx->timeout)); 2387 2388 /* if this mpdu is fragmented - terminate rx aggregation session */ 2389 sc = le16_to_cpu(hdr->seq_ctrl); 2390 if (sc & IEEE80211_SCTL_FRAG) { 2391 ieee80211_sta_stop_rx_ba_session(sta->sdata, sta->sta.addr, 2392 tid, 0, WLAN_REASON_QSTA_REQUIRE_SETUP); 2393 ret = 1; 2394 goto end_reorder; 2395 } 2396 2397 /* according to mpdu sequence number deal with reordering buffer */ 2398 mpdu_seq_num = (sc & IEEE80211_SCTL_SEQ) >> 4; 2399 ret = ieee80211_sta_manage_reorder_buf(hw, tid_agg_rx, skb, 2400 mpdu_seq_num, 0); 2401 end_reorder: 2402 return ret; 2403} 2404 2405/* 2406 * This is the receive path handler. It is called by a low level driver when an 2407 * 802.11 MPDU is received from the hardware. 2408 */ 2409void ieee80211_rx(struct ieee80211_hw *hw, struct sk_buff *skb) 2410{ 2411 struct ieee80211_local *local = hw_to_local(hw); 2412 struct ieee80211_rate *rate = NULL; 2413 struct ieee80211_supported_band *sband; 2414 struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb); 2415 2416 WARN_ON_ONCE(softirq_count() == 0); 2417 2418 if (WARN_ON(status->band < 0 || 2419 status->band >= IEEE80211_NUM_BANDS)) 2420 goto drop; 2421 2422 sband = local->hw.wiphy->bands[status->band]; 2423 if (WARN_ON(!sband)) 2424 goto drop; 2425 2426 /* 2427 * If we're suspending, it is possible although not too likely 2428 * that we'd be receiving frames after having already partially 2429 * quiesced the stack. We can't process such frames then since 2430 * that might, for example, cause stations to be added or other 2431 * driver callbacks be invoked. 2432 */ 2433 if (unlikely(local->quiescing || local->suspended)) 2434 goto drop; 2435 2436 /* 2437 * The same happens when we're not even started, 2438 * but that's worth a warning. 2439 */ 2440 if (WARN_ON(!local->started)) 2441 goto drop; 2442 2443 if (status->flag & RX_FLAG_HT) { 2444 /* 2445 * rate_idx is MCS index, which can be [0-76] as documented on: 2446 * 2447 * http://wireless.kernel.org/en/developers/Documentation/ieee80211/802.11n 2448 * 2449 * Anything else would be some sort of driver or hardware error. 2450 * The driver should catch hardware errors. 2451 */ 2452 if (WARN((status->rate_idx < 0 || 2453 status->rate_idx > 76), 2454 "Rate marked as an HT rate but passed " 2455 "status->rate_idx is not " 2456 "an MCS index [0-76]: %d (0x%02x)\n", 2457 status->rate_idx, 2458 status->rate_idx)) 2459 goto drop; 2460 /* HT rates are not in the table - use the highest legacy rate 2461 * for now since other parts of mac80211 may not yet be fully 2462 * MCS aware. */ 2463 rate = &sband->bitrates[sband->n_bitrates - 1]; 2464 } else { 2465 if (WARN_ON(status->rate_idx < 0 || 2466 status->rate_idx >= sband->n_bitrates)) 2467 goto drop; 2468 rate = &sband->bitrates[status->rate_idx]; 2469 } 2470 2471 /* 2472 * key references and virtual interfaces are protected using RCU 2473 * and this requires that we are in a read-side RCU section during 2474 * receive processing 2475 */ 2476 rcu_read_lock(); 2477 2478 /* 2479 * Frames with failed FCS/PLCP checksum are not returned, 2480 * all other frames are returned without radiotap header 2481 * if it was previously present. 2482 * Also, frames with less than 16 bytes are dropped. 2483 */ 2484 skb = ieee80211_rx_monitor(local, skb, rate); 2485 if (!skb) { 2486 rcu_read_unlock(); 2487 return; 2488 } 2489 2490 /* 2491 * In theory, the block ack reordering should happen after duplicate 2492 * removal (ieee80211_rx_h_check(), which is an RX handler). As such, 2493 * the call to ieee80211_rx_reorder_ampdu() should really be moved to 2494 * happen as a new RX handler between ieee80211_rx_h_check and 2495 * ieee80211_rx_h_decrypt. This cleanup may eventually happen, but for 2496 * the time being, the call can be here since RX reorder buf processing 2497 * will implicitly skip duplicates. We could, in theory at least, 2498 * process frames that ieee80211_rx_h_passive_scan would drop (e.g., 2499 * frames from other than operational channel), but that should not 2500 * happen in normal networks. 2501 */ 2502 if (!ieee80211_rx_reorder_ampdu(local, skb)) 2503 __ieee80211_rx_handle_packet(hw, skb, rate); 2504 2505 rcu_read_unlock(); 2506 2507 return; 2508 drop: 2509 kfree_skb(skb); 2510} 2511EXPORT_SYMBOL(ieee80211_rx); 2512 2513/* This is a version of the rx handler that can be called from hard irq 2514 * context. Post the skb on the queue and schedule the tasklet */ 2515void ieee80211_rx_irqsafe(struct ieee80211_hw *hw, struct sk_buff *skb) 2516{ 2517 struct ieee80211_local *local = hw_to_local(hw); 2518 2519 BUILD_BUG_ON(sizeof(struct ieee80211_rx_status) > sizeof(skb->cb)); 2520 2521 skb->pkt_type = IEEE80211_RX_MSG; 2522 skb_queue_tail(&local->skb_queue, skb); 2523 tasklet_schedule(&local->tasklet); 2524} 2525EXPORT_SYMBOL(ieee80211_rx_irqsafe); 2526