2 * Copyright 2002-2005, Instant802 Networks, Inc.
3 * Copyright 2005-2006, Devicescape Software, Inc.
4 * Copyright 2006-2007 Jiri Benc <jbenc@suse.cz>
5 * Copyright 2007-2010 Johannes Berg <johannes@sipsolutions.net>
6 * Copyright 2013-2014 Intel Mobile Communications GmbH
8 * This program is free software; you can redistribute it and/or modify
9 * it under the terms of the GNU General Public License version 2 as
10 * published by the Free Software Foundation.
13 #include <linux/jiffies.h>
14 #include <linux/slab.h>
15 #include <linux/kernel.h>
16 #include <linux/skbuff.h>
17 #include <linux/netdevice.h>
18 #include <linux/etherdevice.h>
19 #include <linux/rcupdate.h>
20 #include <linux/export.h>
21 #include <net/mac80211.h>
22 #include <net/ieee80211_radiotap.h>
23 #include <asm/unaligned.h>
25 #include "ieee80211_i.h"
26 #include "driver-ops.h"
36 * monitor mode reception
38 * This function cleans up the SKB, i.e. it removes all the stuff
39 * only useful for monitoring.
41 static struct sk_buff *remove_monitor_info(struct ieee80211_local *local,
44 if (local->hw.flags & IEEE80211_HW_RX_INCLUDES_FCS) {
45 if (likely(skb->len > FCS_LEN))
46 __pskb_trim(skb, skb->len - FCS_LEN);
58 static inline bool should_drop_frame(struct sk_buff *skb, int present_fcs_len)
60 struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb);
61 struct ieee80211_hdr *hdr = (void *)skb->data;
63 if (status->flag & (RX_FLAG_FAILED_FCS_CRC |
64 RX_FLAG_FAILED_PLCP_CRC |
65 RX_FLAG_AMPDU_IS_ZEROLEN))
68 if (unlikely(skb->len < 16 + present_fcs_len))
71 if (ieee80211_is_ctl(hdr->frame_control) &&
72 !ieee80211_is_pspoll(hdr->frame_control) &&
73 !ieee80211_is_back_req(hdr->frame_control))
80 ieee80211_rx_radiotap_space(struct ieee80211_local *local,
81 struct ieee80211_rx_status *status)
85 /* always present fields */
86 len = sizeof(struct ieee80211_radiotap_header) + 8;
88 /* allocate extra bitmaps */
90 len += 4 * hweight8(status->chains);
92 if (ieee80211_have_rx_timestamp(status)) {
96 if (local->hw.flags & IEEE80211_HW_SIGNAL_DBM)
99 /* antenna field, if we don't have per-chain info */
103 /* padding for RX_FLAGS if necessary */
106 if (status->flag & RX_FLAG_HT) /* HT info */
109 if (status->flag & RX_FLAG_AMPDU_DETAILS) {
114 if (status->flag & RX_FLAG_VHT) {
119 if (status->chains) {
120 /* antenna and antenna signal fields */
121 len += 2 * hweight8(status->chains);
128 * ieee80211_add_rx_radiotap_header - add radiotap header
130 * add a radiotap header containing all the fields which the hardware provided.
133 ieee80211_add_rx_radiotap_header(struct ieee80211_local *local,
135 struct ieee80211_rate *rate,
136 int rtap_len, bool has_fcs)
138 struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb);
139 struct ieee80211_radiotap_header *rthdr;
144 u16 channel_flags = 0;
146 unsigned long chains = status->chains;
149 if (!(has_fcs && (local->hw.flags & IEEE80211_HW_RX_INCLUDES_FCS)))
152 rthdr = (struct ieee80211_radiotap_header *)skb_push(skb, rtap_len);
153 memset(rthdr, 0, rtap_len);
154 it_present = &rthdr->it_present;
156 /* radiotap header, set always present flags */
157 rthdr->it_len = cpu_to_le16(rtap_len);
158 it_present_val = BIT(IEEE80211_RADIOTAP_FLAGS) |
159 BIT(IEEE80211_RADIOTAP_CHANNEL) |
160 BIT(IEEE80211_RADIOTAP_RX_FLAGS);
163 it_present_val |= BIT(IEEE80211_RADIOTAP_ANTENNA);
165 for_each_set_bit(chain, &chains, IEEE80211_MAX_CHAINS) {
167 BIT(IEEE80211_RADIOTAP_EXT) |
168 BIT(IEEE80211_RADIOTAP_RADIOTAP_NAMESPACE);
169 put_unaligned_le32(it_present_val, it_present);
171 it_present_val = BIT(IEEE80211_RADIOTAP_ANTENNA) |
172 BIT(IEEE80211_RADIOTAP_DBM_ANTSIGNAL);
175 put_unaligned_le32(it_present_val, it_present);
177 pos = (void *)(it_present + 1);
179 /* the order of the following fields is important */
181 /* IEEE80211_RADIOTAP_TSFT */
182 if (ieee80211_have_rx_timestamp(status)) {
184 while ((pos - (u8 *)rthdr) & 7)
187 ieee80211_calculate_rx_timestamp(local, status,
190 rthdr->it_present |= cpu_to_le32(1 << IEEE80211_RADIOTAP_TSFT);
194 /* IEEE80211_RADIOTAP_FLAGS */
195 if (has_fcs && (local->hw.flags & IEEE80211_HW_RX_INCLUDES_FCS))
196 *pos |= IEEE80211_RADIOTAP_F_FCS;
197 if (status->flag & (RX_FLAG_FAILED_FCS_CRC | RX_FLAG_FAILED_PLCP_CRC))
198 *pos |= IEEE80211_RADIOTAP_F_BADFCS;
199 if (status->flag & RX_FLAG_SHORTPRE)
200 *pos |= IEEE80211_RADIOTAP_F_SHORTPRE;
203 /* IEEE80211_RADIOTAP_RATE */
204 if (!rate || status->flag & (RX_FLAG_HT | RX_FLAG_VHT)) {
206 * Without rate information don't add it. If we have,
207 * MCS information is a separate field in radiotap,
208 * added below. The byte here is needed as padding
209 * for the channel though, so initialise it to 0.
214 rthdr->it_present |= cpu_to_le32(1 << IEEE80211_RADIOTAP_RATE);
215 if (status->flag & RX_FLAG_10MHZ)
217 else if (status->flag & RX_FLAG_5MHZ)
219 *pos = DIV_ROUND_UP(rate->bitrate, 5 * (1 << shift));
223 /* IEEE80211_RADIOTAP_CHANNEL */
224 put_unaligned_le16(status->freq, pos);
226 if (status->flag & RX_FLAG_10MHZ)
227 channel_flags |= IEEE80211_CHAN_HALF;
228 else if (status->flag & RX_FLAG_5MHZ)
229 channel_flags |= IEEE80211_CHAN_QUARTER;
231 if (status->band == IEEE80211_BAND_5GHZ)
232 channel_flags |= IEEE80211_CHAN_OFDM | IEEE80211_CHAN_5GHZ;
233 else if (status->flag & (RX_FLAG_HT | RX_FLAG_VHT))
234 channel_flags |= IEEE80211_CHAN_DYN | IEEE80211_CHAN_2GHZ;
235 else if (rate && rate->flags & IEEE80211_RATE_ERP_G)
236 channel_flags |= IEEE80211_CHAN_OFDM | IEEE80211_CHAN_2GHZ;
238 channel_flags |= IEEE80211_CHAN_OFDM | IEEE80211_CHAN_2GHZ;
240 channel_flags |= IEEE80211_CHAN_2GHZ;
241 put_unaligned_le16(channel_flags, pos);
244 /* IEEE80211_RADIOTAP_DBM_ANTSIGNAL */
245 if (local->hw.flags & IEEE80211_HW_SIGNAL_DBM &&
246 !(status->flag & RX_FLAG_NO_SIGNAL_VAL)) {
247 *pos = status->signal;
249 cpu_to_le32(1 << IEEE80211_RADIOTAP_DBM_ANTSIGNAL);
253 /* IEEE80211_RADIOTAP_LOCK_QUALITY is missing */
255 if (!status->chains) {
256 /* IEEE80211_RADIOTAP_ANTENNA */
257 *pos = status->antenna;
261 /* IEEE80211_RADIOTAP_DB_ANTNOISE is not used */
263 /* IEEE80211_RADIOTAP_RX_FLAGS */
264 /* ensure 2 byte alignment for the 2 byte field as required */
265 if ((pos - (u8 *)rthdr) & 1)
267 if (status->flag & RX_FLAG_FAILED_PLCP_CRC)
268 rx_flags |= IEEE80211_RADIOTAP_F_RX_BADPLCP;
269 put_unaligned_le16(rx_flags, pos);
272 if (status->flag & RX_FLAG_HT) {
275 rthdr->it_present |= cpu_to_le32(1 << IEEE80211_RADIOTAP_MCS);
276 *pos++ = local->hw.radiotap_mcs_details;
278 if (status->flag & RX_FLAG_SHORT_GI)
279 *pos |= IEEE80211_RADIOTAP_MCS_SGI;
280 if (status->flag & RX_FLAG_40MHZ)
281 *pos |= IEEE80211_RADIOTAP_MCS_BW_40;
282 if (status->flag & RX_FLAG_HT_GF)
283 *pos |= IEEE80211_RADIOTAP_MCS_FMT_GF;
284 if (status->flag & RX_FLAG_LDPC)
285 *pos |= IEEE80211_RADIOTAP_MCS_FEC_LDPC;
286 stbc = (status->flag & RX_FLAG_STBC_MASK) >> RX_FLAG_STBC_SHIFT;
287 *pos |= stbc << IEEE80211_RADIOTAP_MCS_STBC_SHIFT;
289 *pos++ = status->rate_idx;
292 if (status->flag & RX_FLAG_AMPDU_DETAILS) {
295 /* ensure 4 byte alignment */
296 while ((pos - (u8 *)rthdr) & 3)
299 cpu_to_le32(1 << IEEE80211_RADIOTAP_AMPDU_STATUS);
300 put_unaligned_le32(status->ampdu_reference, pos);
302 if (status->flag & RX_FLAG_AMPDU_REPORT_ZEROLEN)
303 flags |= IEEE80211_RADIOTAP_AMPDU_REPORT_ZEROLEN;
304 if (status->flag & RX_FLAG_AMPDU_IS_ZEROLEN)
305 flags |= IEEE80211_RADIOTAP_AMPDU_IS_ZEROLEN;
306 if (status->flag & RX_FLAG_AMPDU_LAST_KNOWN)
307 flags |= IEEE80211_RADIOTAP_AMPDU_LAST_KNOWN;
308 if (status->flag & RX_FLAG_AMPDU_IS_LAST)
309 flags |= IEEE80211_RADIOTAP_AMPDU_IS_LAST;
310 if (status->flag & RX_FLAG_AMPDU_DELIM_CRC_ERROR)
311 flags |= IEEE80211_RADIOTAP_AMPDU_DELIM_CRC_ERR;
312 if (status->flag & RX_FLAG_AMPDU_DELIM_CRC_KNOWN)
313 flags |= IEEE80211_RADIOTAP_AMPDU_DELIM_CRC_KNOWN;
314 put_unaligned_le16(flags, pos);
316 if (status->flag & RX_FLAG_AMPDU_DELIM_CRC_KNOWN)
317 *pos++ = status->ampdu_delimiter_crc;
323 if (status->flag & RX_FLAG_VHT) {
324 u16 known = local->hw.radiotap_vht_details;
326 rthdr->it_present |= cpu_to_le32(1 << IEEE80211_RADIOTAP_VHT);
327 /* known field - how to handle 80+80? */
328 if (status->vht_flag & RX_VHT_FLAG_80P80MHZ)
329 known &= ~IEEE80211_RADIOTAP_VHT_KNOWN_BANDWIDTH;
330 put_unaligned_le16(known, pos);
333 if (status->flag & RX_FLAG_SHORT_GI)
334 *pos |= IEEE80211_RADIOTAP_VHT_FLAG_SGI;
335 /* in VHT, STBC is binary */
336 if (status->flag & RX_FLAG_STBC_MASK)
337 *pos |= IEEE80211_RADIOTAP_VHT_FLAG_STBC;
338 if (status->vht_flag & RX_VHT_FLAG_BF)
339 *pos |= IEEE80211_RADIOTAP_VHT_FLAG_BEAMFORMED;
342 if (status->vht_flag & RX_VHT_FLAG_80MHZ)
344 else if (status->vht_flag & RX_VHT_FLAG_80P80MHZ)
345 *pos++ = 0; /* marked not known above */
346 else if (status->vht_flag & RX_VHT_FLAG_160MHZ)
348 else if (status->flag & RX_FLAG_40MHZ)
353 *pos = (status->rate_idx << 4) | status->vht_nss;
356 if (status->flag & RX_FLAG_LDPC)
357 *pos |= IEEE80211_RADIOTAP_CODING_LDPC_USER0;
365 for_each_set_bit(chain, &chains, IEEE80211_MAX_CHAINS) {
366 *pos++ = status->chain_signal[chain];
372 * This function copies a received frame to all monitor interfaces and
373 * returns a cleaned-up SKB that no longer includes the FCS nor the
374 * radiotap header the driver might have added.
376 static struct sk_buff *
377 ieee80211_rx_monitor(struct ieee80211_local *local, struct sk_buff *origskb,
378 struct ieee80211_rate *rate)
380 struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(origskb);
381 struct ieee80211_sub_if_data *sdata;
383 struct sk_buff *skb, *skb2;
384 struct net_device *prev_dev = NULL;
385 int present_fcs_len = 0;
388 * First, we may need to make a copy of the skb because
389 * (1) we need to modify it for radiotap (if not present), and
390 * (2) the other RX handlers will modify the skb we got.
392 * We don't need to, of course, if we aren't going to return
393 * the SKB because it has a bad FCS/PLCP checksum.
396 if (local->hw.flags & IEEE80211_HW_RX_INCLUDES_FCS)
397 present_fcs_len = FCS_LEN;
399 /* ensure hdr->frame_control is in skb head */
400 if (!pskb_may_pull(origskb, 2)) {
401 dev_kfree_skb(origskb);
405 if (!local->monitors) {
406 if (should_drop_frame(origskb, present_fcs_len)) {
407 dev_kfree_skb(origskb);
411 return remove_monitor_info(local, origskb);
414 /* room for the radiotap header based on driver features */
415 needed_headroom = ieee80211_rx_radiotap_space(local, status);
417 if (should_drop_frame(origskb, present_fcs_len)) {
418 /* only need to expand headroom if necessary */
423 * This shouldn't trigger often because most devices have an
424 * RX header they pull before we get here, and that should
425 * be big enough for our radiotap information. We should
426 * probably export the length to drivers so that we can have
427 * them allocate enough headroom to start with.
429 if (skb_headroom(skb) < needed_headroom &&
430 pskb_expand_head(skb, needed_headroom, 0, GFP_ATOMIC)) {
436 * Need to make a copy and possibly remove radiotap header
437 * and FCS from the original.
439 skb = skb_copy_expand(origskb, needed_headroom, 0, GFP_ATOMIC);
441 origskb = remove_monitor_info(local, origskb);
447 /* prepend radiotap information */
448 ieee80211_add_rx_radiotap_header(local, skb, rate, needed_headroom,
451 skb_reset_mac_header(skb);
452 skb->ip_summed = CHECKSUM_UNNECESSARY;
453 skb->pkt_type = PACKET_OTHERHOST;
454 skb->protocol = htons(ETH_P_802_2);
456 list_for_each_entry_rcu(sdata, &local->interfaces, list) {
457 if (sdata->vif.type != NL80211_IFTYPE_MONITOR)
460 if (sdata->u.mntr_flags & MONITOR_FLAG_COOK_FRAMES)
463 if (!ieee80211_sdata_running(sdata))
467 skb2 = skb_clone(skb, GFP_ATOMIC);
469 skb2->dev = prev_dev;
470 netif_receive_skb(skb2);
474 prev_dev = sdata->dev;
475 sdata->dev->stats.rx_packets++;
476 sdata->dev->stats.rx_bytes += skb->len;
481 netif_receive_skb(skb);
488 static void ieee80211_parse_qos(struct ieee80211_rx_data *rx)
490 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)rx->skb->data;
491 struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(rx->skb);
492 int tid, seqno_idx, security_idx;
494 /* does the frame have a qos control field? */
495 if (ieee80211_is_data_qos(hdr->frame_control)) {
496 u8 *qc = ieee80211_get_qos_ctl(hdr);
497 /* frame has qos control */
498 tid = *qc & IEEE80211_QOS_CTL_TID_MASK;
499 if (*qc & IEEE80211_QOS_CTL_A_MSDU_PRESENT)
500 status->rx_flags |= IEEE80211_RX_AMSDU;
506 * IEEE 802.11-2007, 7.1.3.4.1 ("Sequence Number field"):
508 * Sequence numbers for management frames, QoS data
509 * frames with a broadcast/multicast address in the
510 * Address 1 field, and all non-QoS data frames sent
511 * by QoS STAs are assigned using an additional single
512 * modulo-4096 counter, [...]
514 * We also use that counter for non-QoS STAs.
516 seqno_idx = IEEE80211_NUM_TIDS;
518 if (ieee80211_is_mgmt(hdr->frame_control))
519 security_idx = IEEE80211_NUM_TIDS;
523 rx->seqno_idx = seqno_idx;
524 rx->security_idx = security_idx;
525 /* Set skb->priority to 1d tag if highest order bit of TID is not set.
526 * For now, set skb->priority to 0 for other cases. */
527 rx->skb->priority = (tid > 7) ? 0 : tid;
531 * DOC: Packet alignment
533 * Drivers always need to pass packets that are aligned to two-byte boundaries
536 * Additionally, should, if possible, align the payload data in a way that
537 * guarantees that the contained IP header is aligned to a four-byte
538 * boundary. In the case of regular frames, this simply means aligning the
539 * payload to a four-byte boundary (because either the IP header is directly
540 * contained, or IV/RFC1042 headers that have a length divisible by four are
541 * in front of it). If the payload data is not properly aligned and the
542 * architecture doesn't support efficient unaligned operations, mac80211
543 * will align the data.
545 * With A-MSDU frames, however, the payload data address must yield two modulo
546 * four because there are 14-byte 802.3 headers within the A-MSDU frames that
547 * push the IP header further back to a multiple of four again. Thankfully, the
548 * specs were sane enough this time around to require padding each A-MSDU
549 * subframe to a length that is a multiple of four.
551 * Padding like Atheros hardware adds which is between the 802.11 header and
552 * the payload is not supported, the driver is required to move the 802.11
553 * header to be directly in front of the payload in that case.
555 static void ieee80211_verify_alignment(struct ieee80211_rx_data *rx)
557 #ifdef CONFIG_MAC80211_VERBOSE_DEBUG
558 WARN_ONCE((unsigned long)rx->skb->data & 1,
559 "unaligned packet at 0x%p\n", rx->skb->data);
566 static int ieee80211_is_unicast_robust_mgmt_frame(struct sk_buff *skb)
568 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *) skb->data;
570 if (is_multicast_ether_addr(hdr->addr1))
573 return ieee80211_is_robust_mgmt_frame(skb);
577 static int ieee80211_is_multicast_robust_mgmt_frame(struct sk_buff *skb)
579 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *) skb->data;
581 if (!is_multicast_ether_addr(hdr->addr1))
584 return ieee80211_is_robust_mgmt_frame(skb);
588 /* Get the BIP key index from MMIE; return -1 if this is not a BIP frame */
589 static int ieee80211_get_mmie_keyidx(struct sk_buff *skb)
591 struct ieee80211_mgmt *hdr = (struct ieee80211_mgmt *) skb->data;
592 struct ieee80211_mmie *mmie;
594 if (skb->len < 24 + sizeof(*mmie) || !is_multicast_ether_addr(hdr->da))
597 if (!ieee80211_is_robust_mgmt_frame(skb))
598 return -1; /* not a robust management frame */
600 mmie = (struct ieee80211_mmie *)
601 (skb->data + skb->len - sizeof(*mmie));
602 if (mmie->element_id != WLAN_EID_MMIE ||
603 mmie->length != sizeof(*mmie) - 2)
606 return le16_to_cpu(mmie->key_id);
609 static int iwl80211_get_cs_keyid(const struct ieee80211_cipher_scheme *cs,
612 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)skb->data;
617 fc = hdr->frame_control;
618 hdrlen = ieee80211_hdrlen(fc);
620 if (skb->len < hdrlen + cs->hdr_len)
623 skb_copy_bits(skb, hdrlen + cs->key_idx_off, &keyid, 1);
624 keyid &= cs->key_idx_mask;
625 keyid >>= cs->key_idx_shift;
630 static ieee80211_rx_result ieee80211_rx_mesh_check(struct ieee80211_rx_data *rx)
632 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)rx->skb->data;
633 char *dev_addr = rx->sdata->vif.addr;
635 if (ieee80211_is_data(hdr->frame_control)) {
636 if (is_multicast_ether_addr(hdr->addr1)) {
637 if (ieee80211_has_tods(hdr->frame_control) ||
638 !ieee80211_has_fromds(hdr->frame_control))
639 return RX_DROP_MONITOR;
640 if (ether_addr_equal(hdr->addr3, dev_addr))
641 return RX_DROP_MONITOR;
643 if (!ieee80211_has_a4(hdr->frame_control))
644 return RX_DROP_MONITOR;
645 if (ether_addr_equal(hdr->addr4, dev_addr))
646 return RX_DROP_MONITOR;
650 /* If there is not an established peer link and this is not a peer link
651 * establisment frame, beacon or probe, drop the frame.
654 if (!rx->sta || sta_plink_state(rx->sta) != NL80211_PLINK_ESTAB) {
655 struct ieee80211_mgmt *mgmt;
657 if (!ieee80211_is_mgmt(hdr->frame_control))
658 return RX_DROP_MONITOR;
660 if (ieee80211_is_action(hdr->frame_control)) {
663 /* make sure category field is present */
664 if (rx->skb->len < IEEE80211_MIN_ACTION_SIZE)
665 return RX_DROP_MONITOR;
667 mgmt = (struct ieee80211_mgmt *)hdr;
668 category = mgmt->u.action.category;
669 if (category != WLAN_CATEGORY_MESH_ACTION &&
670 category != WLAN_CATEGORY_SELF_PROTECTED)
671 return RX_DROP_MONITOR;
675 if (ieee80211_is_probe_req(hdr->frame_control) ||
676 ieee80211_is_probe_resp(hdr->frame_control) ||
677 ieee80211_is_beacon(hdr->frame_control) ||
678 ieee80211_is_auth(hdr->frame_control))
681 return RX_DROP_MONITOR;
687 static void ieee80211_release_reorder_frame(struct ieee80211_sub_if_data *sdata,
688 struct tid_ampdu_rx *tid_agg_rx,
690 struct sk_buff_head *frames)
692 struct sk_buff_head *skb_list = &tid_agg_rx->reorder_buf[index];
694 struct ieee80211_rx_status *status;
696 lockdep_assert_held(&tid_agg_rx->reorder_lock);
698 if (skb_queue_empty(skb_list))
701 if (!ieee80211_rx_reorder_ready(skb_list)) {
702 __skb_queue_purge(skb_list);
706 /* release frames from the reorder ring buffer */
707 tid_agg_rx->stored_mpdu_num--;
708 while ((skb = __skb_dequeue(skb_list))) {
709 status = IEEE80211_SKB_RXCB(skb);
710 status->rx_flags |= IEEE80211_RX_DEFERRED_RELEASE;
711 __skb_queue_tail(frames, skb);
715 tid_agg_rx->head_seq_num = ieee80211_sn_inc(tid_agg_rx->head_seq_num);
718 static void ieee80211_release_reorder_frames(struct ieee80211_sub_if_data *sdata,
719 struct tid_ampdu_rx *tid_agg_rx,
721 struct sk_buff_head *frames)
725 lockdep_assert_held(&tid_agg_rx->reorder_lock);
727 while (ieee80211_sn_less(tid_agg_rx->head_seq_num, head_seq_num)) {
728 index = tid_agg_rx->head_seq_num % tid_agg_rx->buf_size;
729 ieee80211_release_reorder_frame(sdata, tid_agg_rx, index,
735 * Timeout (in jiffies) for skb's that are waiting in the RX reorder buffer. If
736 * the skb was added to the buffer longer than this time ago, the earlier
737 * frames that have not yet been received are assumed to be lost and the skb
738 * can be released for processing. This may also release other skb's from the
739 * reorder buffer if there are no additional gaps between the frames.
741 * Callers must hold tid_agg_rx->reorder_lock.
743 #define HT_RX_REORDER_BUF_TIMEOUT (HZ / 10)
745 static void ieee80211_sta_reorder_release(struct ieee80211_sub_if_data *sdata,
746 struct tid_ampdu_rx *tid_agg_rx,
747 struct sk_buff_head *frames)
751 lockdep_assert_held(&tid_agg_rx->reorder_lock);
753 /* release the buffer until next missing frame */
754 index = tid_agg_rx->head_seq_num % tid_agg_rx->buf_size;
755 if (!ieee80211_rx_reorder_ready(&tid_agg_rx->reorder_buf[index]) &&
756 tid_agg_rx->stored_mpdu_num) {
758 * No buffers ready to be released, but check whether any
759 * frames in the reorder buffer have timed out.
762 for (j = (index + 1) % tid_agg_rx->buf_size; j != index;
763 j = (j + 1) % tid_agg_rx->buf_size) {
764 if (!ieee80211_rx_reorder_ready(
765 &tid_agg_rx->reorder_buf[j])) {
770 !time_after(jiffies, tid_agg_rx->reorder_time[j] +
771 HT_RX_REORDER_BUF_TIMEOUT))
772 goto set_release_timer;
774 /* don't leave incomplete A-MSDUs around */
775 for (i = (index + 1) % tid_agg_rx->buf_size; i != j;
776 i = (i + 1) % tid_agg_rx->buf_size)
777 __skb_queue_purge(&tid_agg_rx->reorder_buf[i]);
779 ht_dbg_ratelimited(sdata,
780 "release an RX reorder frame due to timeout on earlier frames\n");
781 ieee80211_release_reorder_frame(sdata, tid_agg_rx, j,
785 * Increment the head seq# also for the skipped slots.
787 tid_agg_rx->head_seq_num =
788 (tid_agg_rx->head_seq_num +
789 skipped) & IEEE80211_SN_MASK;
792 } else while (ieee80211_rx_reorder_ready(
793 &tid_agg_rx->reorder_buf[index])) {
794 ieee80211_release_reorder_frame(sdata, tid_agg_rx, index,
796 index = tid_agg_rx->head_seq_num % tid_agg_rx->buf_size;
799 if (tid_agg_rx->stored_mpdu_num) {
800 j = index = tid_agg_rx->head_seq_num % tid_agg_rx->buf_size;
802 for (; j != (index - 1) % tid_agg_rx->buf_size;
803 j = (j + 1) % tid_agg_rx->buf_size) {
804 if (ieee80211_rx_reorder_ready(
805 &tid_agg_rx->reorder_buf[j]))
811 mod_timer(&tid_agg_rx->reorder_timer,
812 tid_agg_rx->reorder_time[j] + 1 +
813 HT_RX_REORDER_BUF_TIMEOUT);
815 del_timer(&tid_agg_rx->reorder_timer);
820 * As this function belongs to the RX path it must be under
821 * rcu_read_lock protection. It returns false if the frame
822 * can be processed immediately, true if it was consumed.
824 static bool ieee80211_sta_manage_reorder_buf(struct ieee80211_sub_if_data *sdata,
825 struct tid_ampdu_rx *tid_agg_rx,
827 struct sk_buff_head *frames)
829 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *) skb->data;
830 struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb);
831 u16 sc = le16_to_cpu(hdr->seq_ctrl);
832 u16 mpdu_seq_num = (sc & IEEE80211_SCTL_SEQ) >> 4;
833 u16 head_seq_num, buf_size;
837 spin_lock(&tid_agg_rx->reorder_lock);
840 * Offloaded BA sessions have no known starting sequence number so pick
841 * one from first Rxed frame for this tid after BA was started.
843 if (unlikely(tid_agg_rx->auto_seq)) {
844 tid_agg_rx->auto_seq = false;
845 tid_agg_rx->ssn = mpdu_seq_num;
846 tid_agg_rx->head_seq_num = mpdu_seq_num;
849 buf_size = tid_agg_rx->buf_size;
850 head_seq_num = tid_agg_rx->head_seq_num;
852 /* frame with out of date sequence number */
853 if (ieee80211_sn_less(mpdu_seq_num, head_seq_num)) {
859 * If frame the sequence number exceeds our buffering window
860 * size release some previous frames to make room for this one.
862 if (!ieee80211_sn_less(mpdu_seq_num, head_seq_num + buf_size)) {
863 head_seq_num = ieee80211_sn_inc(
864 ieee80211_sn_sub(mpdu_seq_num, buf_size));
865 /* release stored frames up to new head to stack */
866 ieee80211_release_reorder_frames(sdata, tid_agg_rx,
867 head_seq_num, frames);
870 /* Now the new frame is always in the range of the reordering buffer */
872 index = mpdu_seq_num % tid_agg_rx->buf_size;
874 /* check if we already stored this frame */
875 if (ieee80211_rx_reorder_ready(&tid_agg_rx->reorder_buf[index])) {
881 * If the current MPDU is in the right order and nothing else
882 * is stored we can process it directly, no need to buffer it.
883 * If it is first but there's something stored, we may be able
884 * to release frames after this one.
886 if (mpdu_seq_num == tid_agg_rx->head_seq_num &&
887 tid_agg_rx->stored_mpdu_num == 0) {
888 if (!(status->flag & RX_FLAG_AMSDU_MORE))
889 tid_agg_rx->head_seq_num =
890 ieee80211_sn_inc(tid_agg_rx->head_seq_num);
895 /* put the frame in the reordering buffer */
896 __skb_queue_tail(&tid_agg_rx->reorder_buf[index], skb);
897 if (!(status->flag & RX_FLAG_AMSDU_MORE)) {
898 tid_agg_rx->reorder_time[index] = jiffies;
899 tid_agg_rx->stored_mpdu_num++;
900 ieee80211_sta_reorder_release(sdata, tid_agg_rx, frames);
904 spin_unlock(&tid_agg_rx->reorder_lock);
909 * Reorder MPDUs from A-MPDUs, keeping them on a buffer. Returns
910 * true if the MPDU was buffered, false if it should be processed.
912 static void ieee80211_rx_reorder_ampdu(struct ieee80211_rx_data *rx,
913 struct sk_buff_head *frames)
915 struct sk_buff *skb = rx->skb;
916 struct ieee80211_local *local = rx->local;
917 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *) skb->data;
918 struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb);
919 struct sta_info *sta = rx->sta;
920 struct tid_ampdu_rx *tid_agg_rx;
924 if (!ieee80211_is_data_qos(hdr->frame_control) ||
925 is_multicast_ether_addr(hdr->addr1))
929 * filter the QoS data rx stream according to
930 * STA/TID and check if this STA/TID is on aggregation
936 ack_policy = *ieee80211_get_qos_ctl(hdr) &
937 IEEE80211_QOS_CTL_ACK_POLICY_MASK;
938 tid = *ieee80211_get_qos_ctl(hdr) & IEEE80211_QOS_CTL_TID_MASK;
940 tid_agg_rx = rcu_dereference(sta->ampdu_mlme.tid_rx[tid]);
944 /* qos null data frames are excluded */
945 if (unlikely(hdr->frame_control & cpu_to_le16(IEEE80211_STYPE_NULLFUNC)))
948 /* not part of a BA session */
949 if (ack_policy != IEEE80211_QOS_CTL_ACK_POLICY_BLOCKACK &&
950 ack_policy != IEEE80211_QOS_CTL_ACK_POLICY_NORMAL)
953 /* not actually part of this BA session */
954 if (!(status->rx_flags & IEEE80211_RX_RA_MATCH))
957 /* new, potentially un-ordered, ampdu frame - process it */
959 /* reset session timer */
960 if (tid_agg_rx->timeout)
961 tid_agg_rx->last_rx = jiffies;
963 /* if this mpdu is fragmented - terminate rx aggregation session */
964 sc = le16_to_cpu(hdr->seq_ctrl);
965 if (sc & IEEE80211_SCTL_FRAG) {
966 skb->pkt_type = IEEE80211_SDATA_QUEUE_TYPE_FRAME;
967 skb_queue_tail(&rx->sdata->skb_queue, skb);
968 ieee80211_queue_work(&local->hw, &rx->sdata->work);
973 * No locking needed -- we will only ever process one
974 * RX packet at a time, and thus own tid_agg_rx. All
975 * other code manipulating it needs to (and does) make
976 * sure that we cannot get to it any more before doing
979 if (ieee80211_sta_manage_reorder_buf(rx->sdata, tid_agg_rx, skb,
984 __skb_queue_tail(frames, skb);
987 static ieee80211_rx_result debug_noinline
988 ieee80211_rx_h_check(struct ieee80211_rx_data *rx)
990 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)rx->skb->data;
991 struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(rx->skb);
994 * Drop duplicate 802.11 retransmissions
995 * (IEEE 802.11-2012: 9.3.2.10 "Duplicate detection and recovery")
997 if (rx->skb->len >= 24 && rx->sta &&
998 !ieee80211_is_ctl(hdr->frame_control) &&
999 !ieee80211_is_qos_nullfunc(hdr->frame_control) &&
1000 !is_multicast_ether_addr(hdr->addr1)) {
1001 if (unlikely(ieee80211_has_retry(hdr->frame_control) &&
1002 rx->sta->last_seq_ctrl[rx->seqno_idx] ==
1004 if (status->rx_flags & IEEE80211_RX_RA_MATCH) {
1005 rx->local->dot11FrameDuplicateCount++;
1006 rx->sta->num_duplicates++;
1008 return RX_DROP_UNUSABLE;
1009 } else if (!(status->flag & RX_FLAG_AMSDU_MORE)) {
1010 rx->sta->last_seq_ctrl[rx->seqno_idx] = hdr->seq_ctrl;
1014 if (unlikely(rx->skb->len < 16)) {
1015 I802_DEBUG_INC(rx->local->rx_handlers_drop_short);
1016 return RX_DROP_MONITOR;
1019 /* Drop disallowed frame classes based on STA auth/assoc state;
1020 * IEEE 802.11, Chap 5.5.
1022 * mac80211 filters only based on association state, i.e. it drops
1023 * Class 3 frames from not associated stations. hostapd sends
1024 * deauth/disassoc frames when needed. In addition, hostapd is
1025 * responsible for filtering on both auth and assoc states.
1028 if (ieee80211_vif_is_mesh(&rx->sdata->vif))
1029 return ieee80211_rx_mesh_check(rx);
1031 if (unlikely((ieee80211_is_data(hdr->frame_control) ||
1032 ieee80211_is_pspoll(hdr->frame_control)) &&
1033 rx->sdata->vif.type != NL80211_IFTYPE_ADHOC &&
1034 rx->sdata->vif.type != NL80211_IFTYPE_WDS &&
1035 rx->sdata->vif.type != NL80211_IFTYPE_OCB &&
1036 (!rx->sta || !test_sta_flag(rx->sta, WLAN_STA_ASSOC)))) {
1038 * accept port control frames from the AP even when it's not
1039 * yet marked ASSOC to prevent a race where we don't set the
1040 * assoc bit quickly enough before it sends the first frame
1042 if (rx->sta && rx->sdata->vif.type == NL80211_IFTYPE_STATION &&
1043 ieee80211_is_data_present(hdr->frame_control)) {
1044 unsigned int hdrlen;
1047 hdrlen = ieee80211_hdrlen(hdr->frame_control);
1049 if (rx->skb->len < hdrlen + 8)
1050 return RX_DROP_MONITOR;
1052 skb_copy_bits(rx->skb, hdrlen + 6, ðertype, 2);
1053 if (ethertype == rx->sdata->control_port_protocol)
1057 if (rx->sdata->vif.type == NL80211_IFTYPE_AP &&
1058 cfg80211_rx_spurious_frame(rx->sdata->dev,
1061 return RX_DROP_UNUSABLE;
1063 return RX_DROP_MONITOR;
1070 static ieee80211_rx_result debug_noinline
1071 ieee80211_rx_h_check_more_data(struct ieee80211_rx_data *rx)
1073 struct ieee80211_local *local;
1074 struct ieee80211_hdr *hdr;
1075 struct sk_buff *skb;
1079 hdr = (struct ieee80211_hdr *) skb->data;
1081 if (!local->pspolling)
1084 if (!ieee80211_has_fromds(hdr->frame_control))
1085 /* this is not from AP */
1088 if (!ieee80211_is_data(hdr->frame_control))
1091 if (!ieee80211_has_moredata(hdr->frame_control)) {
1092 /* AP has no more frames buffered for us */
1093 local->pspolling = false;
1097 /* more data bit is set, let's request a new frame from the AP */
1098 ieee80211_send_pspoll(local, rx->sdata);
1103 static void sta_ps_start(struct sta_info *sta)
1105 struct ieee80211_sub_if_data *sdata = sta->sdata;
1106 struct ieee80211_local *local = sdata->local;
1109 if (sta->sdata->vif.type == NL80211_IFTYPE_AP ||
1110 sta->sdata->vif.type == NL80211_IFTYPE_AP_VLAN)
1111 ps = &sdata->bss->ps;
1115 atomic_inc(&ps->num_sta_ps);
1116 set_sta_flag(sta, WLAN_STA_PS_STA);
1117 if (!(local->hw.flags & IEEE80211_HW_AP_LINK_PS))
1118 drv_sta_notify(local, sdata, STA_NOTIFY_SLEEP, &sta->sta);
1119 ps_dbg(sdata, "STA %pM aid %d enters power save mode\n",
1120 sta->sta.addr, sta->sta.aid);
1123 static void sta_ps_end(struct sta_info *sta)
1125 ps_dbg(sta->sdata, "STA %pM aid %d exits power save mode\n",
1126 sta->sta.addr, sta->sta.aid);
1128 if (test_sta_flag(sta, WLAN_STA_PS_DRIVER)) {
1130 * Clear the flag only if the other one is still set
1131 * so that the TX path won't start TX'ing new frames
1132 * directly ... In the case that the driver flag isn't
1133 * set ieee80211_sta_ps_deliver_wakeup() will clear it.
1135 clear_sta_flag(sta, WLAN_STA_PS_STA);
1136 ps_dbg(sta->sdata, "STA %pM aid %d driver-ps-blocked\n",
1137 sta->sta.addr, sta->sta.aid);
1141 set_sta_flag(sta, WLAN_STA_PS_DELIVER);
1142 clear_sta_flag(sta, WLAN_STA_PS_STA);
1143 ieee80211_sta_ps_deliver_wakeup(sta);
1146 int ieee80211_sta_ps_transition(struct ieee80211_sta *sta, bool start)
1148 struct sta_info *sta_inf = container_of(sta, struct sta_info, sta);
1151 WARN_ON(!(sta_inf->local->hw.flags & IEEE80211_HW_AP_LINK_PS));
1153 /* Don't let the same PS state be set twice */
1154 in_ps = test_sta_flag(sta_inf, WLAN_STA_PS_STA);
1155 if ((start && in_ps) || (!start && !in_ps))
1159 sta_ps_start(sta_inf);
1161 sta_ps_end(sta_inf);
1165 EXPORT_SYMBOL(ieee80211_sta_ps_transition);
1167 static ieee80211_rx_result debug_noinline
1168 ieee80211_rx_h_uapsd_and_pspoll(struct ieee80211_rx_data *rx)
1170 struct ieee80211_sub_if_data *sdata = rx->sdata;
1171 struct ieee80211_hdr *hdr = (void *)rx->skb->data;
1172 struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(rx->skb);
1175 if (!rx->sta || !(status->rx_flags & IEEE80211_RX_RA_MATCH))
1178 if (sdata->vif.type != NL80211_IFTYPE_AP &&
1179 sdata->vif.type != NL80211_IFTYPE_AP_VLAN)
1183 * The device handles station powersave, so don't do anything about
1184 * uAPSD and PS-Poll frames (the latter shouldn't even come up from
1185 * it to mac80211 since they're handled.)
1187 if (sdata->local->hw.flags & IEEE80211_HW_AP_LINK_PS)
1191 * Don't do anything if the station isn't already asleep. In
1192 * the uAPSD case, the station will probably be marked asleep,
1193 * in the PS-Poll case the station must be confused ...
1195 if (!test_sta_flag(rx->sta, WLAN_STA_PS_STA))
1198 if (unlikely(ieee80211_is_pspoll(hdr->frame_control))) {
1199 if (!test_sta_flag(rx->sta, WLAN_STA_SP)) {
1200 if (!test_sta_flag(rx->sta, WLAN_STA_PS_DRIVER))
1201 ieee80211_sta_ps_deliver_poll_response(rx->sta);
1203 set_sta_flag(rx->sta, WLAN_STA_PSPOLL);
1206 /* Free PS Poll skb here instead of returning RX_DROP that would
1207 * count as an dropped frame. */
1208 dev_kfree_skb(rx->skb);
1211 } else if (!ieee80211_has_morefrags(hdr->frame_control) &&
1212 !(status->rx_flags & IEEE80211_RX_DEFERRED_RELEASE) &&
1213 ieee80211_has_pm(hdr->frame_control) &&
1214 (ieee80211_is_data_qos(hdr->frame_control) ||
1215 ieee80211_is_qos_nullfunc(hdr->frame_control))) {
1216 tid = *ieee80211_get_qos_ctl(hdr) & IEEE80211_QOS_CTL_TID_MASK;
1217 ac = ieee802_1d_to_ac[tid & 7];
1220 * If this AC is not trigger-enabled do nothing.
1222 * NB: This could/should check a separate bitmap of trigger-
1223 * enabled queues, but for now we only implement uAPSD w/o
1224 * TSPEC changes to the ACs, so they're always the same.
1226 if (!(rx->sta->sta.uapsd_queues & BIT(ac)))
1229 /* if we are in a service period, do nothing */
1230 if (test_sta_flag(rx->sta, WLAN_STA_SP))
1233 if (!test_sta_flag(rx->sta, WLAN_STA_PS_DRIVER))
1234 ieee80211_sta_ps_deliver_uapsd(rx->sta);
1236 set_sta_flag(rx->sta, WLAN_STA_UAPSD);
1242 static ieee80211_rx_result debug_noinline
1243 ieee80211_rx_h_sta_process(struct ieee80211_rx_data *rx)
1245 struct sta_info *sta = rx->sta;
1246 struct sk_buff *skb = rx->skb;
1247 struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb);
1248 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)skb->data;
1255 * Update last_rx only for IBSS packets which are for the current
1256 * BSSID and for station already AUTHORIZED to avoid keeping the
1257 * current IBSS network alive in cases where other STAs start
1258 * using different BSSID. This will also give the station another
1259 * chance to restart the authentication/authorization in case
1260 * something went wrong the first time.
1262 if (rx->sdata->vif.type == NL80211_IFTYPE_ADHOC) {
1263 u8 *bssid = ieee80211_get_bssid(hdr, rx->skb->len,
1264 NL80211_IFTYPE_ADHOC);
1265 if (ether_addr_equal(bssid, rx->sdata->u.ibss.bssid) &&
1266 test_sta_flag(sta, WLAN_STA_AUTHORIZED)) {
1267 sta->last_rx = jiffies;
1268 if (ieee80211_is_data(hdr->frame_control) &&
1269 !is_multicast_ether_addr(hdr->addr1)) {
1270 sta->last_rx_rate_idx = status->rate_idx;
1271 sta->last_rx_rate_flag = status->flag;
1272 sta->last_rx_rate_vht_flag = status->vht_flag;
1273 sta->last_rx_rate_vht_nss = status->vht_nss;
1276 } else if (rx->sdata->vif.type == NL80211_IFTYPE_OCB) {
1277 u8 *bssid = ieee80211_get_bssid(hdr, rx->skb->len,
1278 NL80211_IFTYPE_OCB);
1279 /* OCB uses wild-card BSSID */
1280 if (is_broadcast_ether_addr(bssid))
1281 sta->last_rx = jiffies;
1282 } else if (!is_multicast_ether_addr(hdr->addr1)) {
1284 * Mesh beacons will update last_rx when if they are found to
1285 * match the current local configuration when processed.
1287 sta->last_rx = jiffies;
1288 if (ieee80211_is_data(hdr->frame_control)) {
1289 sta->last_rx_rate_idx = status->rate_idx;
1290 sta->last_rx_rate_flag = status->flag;
1291 sta->last_rx_rate_vht_flag = status->vht_flag;
1292 sta->last_rx_rate_vht_nss = status->vht_nss;
1296 if (!(status->rx_flags & IEEE80211_RX_RA_MATCH))
1299 if (rx->sdata->vif.type == NL80211_IFTYPE_STATION)
1300 ieee80211_sta_rx_notify(rx->sdata, hdr);
1302 sta->rx_fragments++;
1303 sta->rx_bytes += rx->skb->len;
1304 if (!(status->flag & RX_FLAG_NO_SIGNAL_VAL)) {
1305 sta->last_signal = status->signal;
1306 ewma_add(&sta->avg_signal, -status->signal);
1309 if (status->chains) {
1310 sta->chains = status->chains;
1311 for (i = 0; i < ARRAY_SIZE(status->chain_signal); i++) {
1312 int signal = status->chain_signal[i];
1314 if (!(status->chains & BIT(i)))
1317 sta->chain_signal_last[i] = signal;
1318 ewma_add(&sta->chain_signal_avg[i], -signal);
1323 * Change STA power saving mode only at the end of a frame
1324 * exchange sequence.
1326 if (!(sta->local->hw.flags & IEEE80211_HW_AP_LINK_PS) &&
1327 !ieee80211_has_morefrags(hdr->frame_control) &&
1328 !(status->rx_flags & IEEE80211_RX_DEFERRED_RELEASE) &&
1329 (rx->sdata->vif.type == NL80211_IFTYPE_AP ||
1330 rx->sdata->vif.type == NL80211_IFTYPE_AP_VLAN) &&
1331 /* PM bit is only checked in frames where it isn't reserved,
1332 * in AP mode it's reserved in non-bufferable management frames
1333 * (cf. IEEE 802.11-2012 8.2.4.1.7 Power Management field)
1335 (!ieee80211_is_mgmt(hdr->frame_control) ||
1336 ieee80211_is_bufferable_mmpdu(hdr->frame_control))) {
1337 if (test_sta_flag(sta, WLAN_STA_PS_STA)) {
1338 if (!ieee80211_has_pm(hdr->frame_control))
1341 if (ieee80211_has_pm(hdr->frame_control))
1346 /* mesh power save support */
1347 if (ieee80211_vif_is_mesh(&rx->sdata->vif))
1348 ieee80211_mps_rx_h_sta_process(sta, hdr);
1351 * Drop (qos-)data::nullfunc frames silently, since they
1352 * are used only to control station power saving mode.
1354 if (ieee80211_is_nullfunc(hdr->frame_control) ||
1355 ieee80211_is_qos_nullfunc(hdr->frame_control)) {
1356 I802_DEBUG_INC(rx->local->rx_handlers_drop_nullfunc);
1359 * If we receive a 4-addr nullfunc frame from a STA
1360 * that was not moved to a 4-addr STA vlan yet send
1361 * the event to userspace and for older hostapd drop
1362 * the frame to the monitor interface.
1364 if (ieee80211_has_a4(hdr->frame_control) &&
1365 (rx->sdata->vif.type == NL80211_IFTYPE_AP ||
1366 (rx->sdata->vif.type == NL80211_IFTYPE_AP_VLAN &&
1367 !rx->sdata->u.vlan.sta))) {
1368 if (!test_and_set_sta_flag(sta, WLAN_STA_4ADDR_EVENT))
1369 cfg80211_rx_unexpected_4addr_frame(
1370 rx->sdata->dev, sta->sta.addr,
1372 return RX_DROP_MONITOR;
1375 * Update counter and free packet here to avoid
1376 * counting this as a dropped packed.
1379 dev_kfree_skb(rx->skb);
1384 } /* ieee80211_rx_h_sta_process */
1386 static ieee80211_rx_result debug_noinline
1387 ieee80211_rx_h_decrypt(struct ieee80211_rx_data *rx)
1389 struct sk_buff *skb = rx->skb;
1390 struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb);
1391 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)skb->data;
1394 ieee80211_rx_result result = RX_DROP_UNUSABLE;
1395 struct ieee80211_key *sta_ptk = NULL;
1396 int mmie_keyidx = -1;
1398 const struct ieee80211_cipher_scheme *cs = NULL;
1403 * There are four types of keys:
1404 * - GTK (group keys)
1405 * - IGTK (group keys for management frames)
1406 * - PTK (pairwise keys)
1407 * - STK (station-to-station pairwise keys)
1409 * When selecting a key, we have to distinguish between multicast
1410 * (including broadcast) and unicast frames, the latter can only
1411 * use PTKs and STKs while the former always use GTKs and IGTKs.
1412 * Unless, of course, actual WEP keys ("pre-RSNA") are used, then
1413 * unicast frames can also use key indices like GTKs. Hence, if we
1414 * don't have a PTK/STK we check the key index for a WEP key.
1416 * Note that in a regular BSS, multicast frames are sent by the
1417 * AP only, associated stations unicast the frame to the AP first
1418 * which then multicasts it on their behalf.
1420 * There is also a slight problem in IBSS mode: GTKs are negotiated
1421 * with each station, that is something we don't currently handle.
1422 * The spec seems to expect that one negotiates the same key with
1423 * every station but there's no such requirement; VLANs could be
1428 * No point in finding a key and decrypting if the frame is neither
1429 * addressed to us nor a multicast frame.
1431 if (!(status->rx_flags & IEEE80211_RX_RA_MATCH))
1434 /* start without a key */
1436 fc = hdr->frame_control;
1439 int keyid = rx->sta->ptk_idx;
1441 if (ieee80211_has_protected(fc) && rx->sta->cipher_scheme) {
1442 cs = rx->sta->cipher_scheme;
1443 keyid = iwl80211_get_cs_keyid(cs, rx->skb);
1444 if (unlikely(keyid < 0))
1445 return RX_DROP_UNUSABLE;
1447 sta_ptk = rcu_dereference(rx->sta->ptk[keyid]);
1450 if (!ieee80211_has_protected(fc))
1451 mmie_keyidx = ieee80211_get_mmie_keyidx(rx->skb);
1453 if (!is_multicast_ether_addr(hdr->addr1) && sta_ptk) {
1455 if ((status->flag & RX_FLAG_DECRYPTED) &&
1456 (status->flag & RX_FLAG_IV_STRIPPED))
1458 /* Skip decryption if the frame is not protected. */
1459 if (!ieee80211_has_protected(fc))
1461 } else if (mmie_keyidx >= 0) {
1462 /* Broadcast/multicast robust management frame / BIP */
1463 if ((status->flag & RX_FLAG_DECRYPTED) &&
1464 (status->flag & RX_FLAG_IV_STRIPPED))
1467 if (mmie_keyidx < NUM_DEFAULT_KEYS ||
1468 mmie_keyidx >= NUM_DEFAULT_KEYS + NUM_DEFAULT_MGMT_KEYS)
1469 return RX_DROP_MONITOR; /* unexpected BIP keyidx */
1471 rx->key = rcu_dereference(rx->sta->gtk[mmie_keyidx]);
1473 rx->key = rcu_dereference(rx->sdata->keys[mmie_keyidx]);
1474 } else if (!ieee80211_has_protected(fc)) {
1476 * The frame was not protected, so skip decryption. However, we
1477 * need to set rx->key if there is a key that could have been
1478 * used so that the frame may be dropped if encryption would
1479 * have been expected.
1481 struct ieee80211_key *key = NULL;
1482 struct ieee80211_sub_if_data *sdata = rx->sdata;
1485 if (ieee80211_is_mgmt(fc) &&
1486 is_multicast_ether_addr(hdr->addr1) &&
1487 (key = rcu_dereference(rx->sdata->default_mgmt_key)))
1491 for (i = 0; i < NUM_DEFAULT_KEYS; i++) {
1492 key = rcu_dereference(rx->sta->gtk[i]);
1498 for (i = 0; i < NUM_DEFAULT_KEYS; i++) {
1499 key = rcu_dereference(sdata->keys[i]);
1512 * The device doesn't give us the IV so we won't be
1513 * able to look up the key. That's ok though, we
1514 * don't need to decrypt the frame, we just won't
1515 * be able to keep statistics accurate.
1516 * Except for key threshold notifications, should
1517 * we somehow allow the driver to tell us which key
1518 * the hardware used if this flag is set?
1520 if ((status->flag & RX_FLAG_DECRYPTED) &&
1521 (status->flag & RX_FLAG_IV_STRIPPED))
1524 hdrlen = ieee80211_hdrlen(fc);
1527 keyidx = iwl80211_get_cs_keyid(cs, rx->skb);
1529 if (unlikely(keyidx < 0))
1530 return RX_DROP_UNUSABLE;
1532 if (rx->skb->len < 8 + hdrlen)
1533 return RX_DROP_UNUSABLE; /* TODO: count this? */
1535 * no need to call ieee80211_wep_get_keyidx,
1536 * it verifies a bunch of things we've done already
1538 skb_copy_bits(rx->skb, hdrlen + 3, &keyid, 1);
1539 keyidx = keyid >> 6;
1542 /* check per-station GTK first, if multicast packet */
1543 if (is_multicast_ether_addr(hdr->addr1) && rx->sta)
1544 rx->key = rcu_dereference(rx->sta->gtk[keyidx]);
1546 /* if not found, try default key */
1548 rx->key = rcu_dereference(rx->sdata->keys[keyidx]);
1551 * RSNA-protected unicast frames should always be
1552 * sent with pairwise or station-to-station keys,
1553 * but for WEP we allow using a key index as well.
1556 rx->key->conf.cipher != WLAN_CIPHER_SUITE_WEP40 &&
1557 rx->key->conf.cipher != WLAN_CIPHER_SUITE_WEP104 &&
1558 !is_multicast_ether_addr(hdr->addr1))
1564 if (unlikely(rx->key->flags & KEY_FLAG_TAINTED))
1565 return RX_DROP_MONITOR;
1567 rx->key->tx_rx_count++;
1568 /* TODO: add threshold stuff again */
1570 return RX_DROP_MONITOR;
1573 switch (rx->key->conf.cipher) {
1574 case WLAN_CIPHER_SUITE_WEP40:
1575 case WLAN_CIPHER_SUITE_WEP104:
1576 result = ieee80211_crypto_wep_decrypt(rx);
1578 case WLAN_CIPHER_SUITE_TKIP:
1579 result = ieee80211_crypto_tkip_decrypt(rx);
1581 case WLAN_CIPHER_SUITE_CCMP:
1582 result = ieee80211_crypto_ccmp_decrypt(rx);
1584 case WLAN_CIPHER_SUITE_AES_CMAC:
1585 result = ieee80211_crypto_aes_cmac_decrypt(rx);
1588 result = ieee80211_crypto_hw_decrypt(rx);
1591 /* the hdr variable is invalid after the decrypt handlers */
1593 /* either the frame has been decrypted or will be dropped */
1594 status->flag |= RX_FLAG_DECRYPTED;
1599 static inline struct ieee80211_fragment_entry *
1600 ieee80211_reassemble_add(struct ieee80211_sub_if_data *sdata,
1601 unsigned int frag, unsigned int seq, int rx_queue,
1602 struct sk_buff **skb)
1604 struct ieee80211_fragment_entry *entry;
1606 entry = &sdata->fragments[sdata->fragment_next++];
1607 if (sdata->fragment_next >= IEEE80211_FRAGMENT_MAX)
1608 sdata->fragment_next = 0;
1610 if (!skb_queue_empty(&entry->skb_list))
1611 __skb_queue_purge(&entry->skb_list);
1613 __skb_queue_tail(&entry->skb_list, *skb); /* no need for locking */
1615 entry->first_frag_time = jiffies;
1617 entry->rx_queue = rx_queue;
1618 entry->last_frag = frag;
1620 entry->extra_len = 0;
1625 static inline struct ieee80211_fragment_entry *
1626 ieee80211_reassemble_find(struct ieee80211_sub_if_data *sdata,
1627 unsigned int frag, unsigned int seq,
1628 int rx_queue, struct ieee80211_hdr *hdr)
1630 struct ieee80211_fragment_entry *entry;
1633 idx = sdata->fragment_next;
1634 for (i = 0; i < IEEE80211_FRAGMENT_MAX; i++) {
1635 struct ieee80211_hdr *f_hdr;
1639 idx = IEEE80211_FRAGMENT_MAX - 1;
1641 entry = &sdata->fragments[idx];
1642 if (skb_queue_empty(&entry->skb_list) || entry->seq != seq ||
1643 entry->rx_queue != rx_queue ||
1644 entry->last_frag + 1 != frag)
1647 f_hdr = (struct ieee80211_hdr *)entry->skb_list.next->data;
1650 * Check ftype and addresses are equal, else check next fragment
1652 if (((hdr->frame_control ^ f_hdr->frame_control) &
1653 cpu_to_le16(IEEE80211_FCTL_FTYPE)) ||
1654 !ether_addr_equal(hdr->addr1, f_hdr->addr1) ||
1655 !ether_addr_equal(hdr->addr2, f_hdr->addr2))
1658 if (time_after(jiffies, entry->first_frag_time + 2 * HZ)) {
1659 __skb_queue_purge(&entry->skb_list);
1668 static ieee80211_rx_result debug_noinline
1669 ieee80211_rx_h_defragment(struct ieee80211_rx_data *rx)
1671 struct ieee80211_hdr *hdr;
1674 unsigned int frag, seq;
1675 struct ieee80211_fragment_entry *entry;
1676 struct sk_buff *skb;
1677 struct ieee80211_rx_status *status;
1679 hdr = (struct ieee80211_hdr *)rx->skb->data;
1680 fc = hdr->frame_control;
1682 if (ieee80211_is_ctl(fc))
1685 sc = le16_to_cpu(hdr->seq_ctrl);
1686 frag = sc & IEEE80211_SCTL_FRAG;
1688 if (likely(!ieee80211_has_morefrags(fc) && frag == 0))
1691 if (is_multicast_ether_addr(hdr->addr1)) {
1692 rx->local->dot11MulticastReceivedFrameCount++;
1696 I802_DEBUG_INC(rx->local->rx_handlers_fragments);
1698 if (skb_linearize(rx->skb))
1699 return RX_DROP_UNUSABLE;
1702 * skb_linearize() might change the skb->data and
1703 * previously cached variables (in this case, hdr) need to
1704 * be refreshed with the new data.
1706 hdr = (struct ieee80211_hdr *)rx->skb->data;
1707 seq = (sc & IEEE80211_SCTL_SEQ) >> 4;
1710 /* This is the first fragment of a new frame. */
1711 entry = ieee80211_reassemble_add(rx->sdata, frag, seq,
1712 rx->seqno_idx, &(rx->skb));
1713 if (rx->key && rx->key->conf.cipher == WLAN_CIPHER_SUITE_CCMP &&
1714 ieee80211_has_protected(fc)) {
1715 int queue = rx->security_idx;
1716 /* Store CCMP PN so that we can verify that the next
1717 * fragment has a sequential PN value. */
1719 memcpy(entry->last_pn,
1720 rx->key->u.ccmp.rx_pn[queue],
1721 IEEE80211_CCMP_PN_LEN);
1726 /* This is a fragment for a frame that should already be pending in
1727 * fragment cache. Add this fragment to the end of the pending entry.
1729 entry = ieee80211_reassemble_find(rx->sdata, frag, seq,
1730 rx->seqno_idx, hdr);
1732 I802_DEBUG_INC(rx->local->rx_handlers_drop_defrag);
1733 return RX_DROP_MONITOR;
1736 /* Verify that MPDUs within one MSDU have sequential PN values.
1737 * (IEEE 802.11i, 8.3.3.4.5) */
1740 u8 pn[IEEE80211_CCMP_PN_LEN], *rpn;
1742 if (!rx->key || rx->key->conf.cipher != WLAN_CIPHER_SUITE_CCMP)
1743 return RX_DROP_UNUSABLE;
1744 memcpy(pn, entry->last_pn, IEEE80211_CCMP_PN_LEN);
1745 for (i = IEEE80211_CCMP_PN_LEN - 1; i >= 0; i--) {
1750 queue = rx->security_idx;
1751 rpn = rx->key->u.ccmp.rx_pn[queue];
1752 if (memcmp(pn, rpn, IEEE80211_CCMP_PN_LEN))
1753 return RX_DROP_UNUSABLE;
1754 memcpy(entry->last_pn, pn, IEEE80211_CCMP_PN_LEN);
1757 skb_pull(rx->skb, ieee80211_hdrlen(fc));
1758 __skb_queue_tail(&entry->skb_list, rx->skb);
1759 entry->last_frag = frag;
1760 entry->extra_len += rx->skb->len;
1761 if (ieee80211_has_morefrags(fc)) {
1766 rx->skb = __skb_dequeue(&entry->skb_list);
1767 if (skb_tailroom(rx->skb) < entry->extra_len) {
1768 I802_DEBUG_INC(rx->local->rx_expand_skb_head2);
1769 if (unlikely(pskb_expand_head(rx->skb, 0, entry->extra_len,
1771 I802_DEBUG_INC(rx->local->rx_handlers_drop_defrag);
1772 __skb_queue_purge(&entry->skb_list);
1773 return RX_DROP_UNUSABLE;
1776 while ((skb = __skb_dequeue(&entry->skb_list))) {
1777 memcpy(skb_put(rx->skb, skb->len), skb->data, skb->len);
1781 /* Complete frame has been reassembled - process it now */
1782 status = IEEE80211_SKB_RXCB(rx->skb);
1783 status->rx_flags |= IEEE80211_RX_FRAGMENTED;
1787 rx->sta->rx_packets++;
1788 ieee80211_led_rx(rx->local);
1792 static int ieee80211_802_1x_port_control(struct ieee80211_rx_data *rx)
1794 if (unlikely(!rx->sta || !test_sta_flag(rx->sta, WLAN_STA_AUTHORIZED)))
1800 static int ieee80211_drop_unencrypted(struct ieee80211_rx_data *rx, __le16 fc)
1802 struct sk_buff *skb = rx->skb;
1803 struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb);
1806 * Pass through unencrypted frames if the hardware has
1807 * decrypted them already.
1809 if (status->flag & RX_FLAG_DECRYPTED)
1812 /* Drop unencrypted frames if key is set. */
1813 if (unlikely(!ieee80211_has_protected(fc) &&
1814 !ieee80211_is_nullfunc(fc) &&
1815 ieee80211_is_data(fc) &&
1816 (rx->key || rx->sdata->drop_unencrypted)))
1822 static int ieee80211_drop_unencrypted_mgmt(struct ieee80211_rx_data *rx)
1824 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)rx->skb->data;
1825 struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(rx->skb);
1826 __le16 fc = hdr->frame_control;
1829 * Pass through unencrypted frames if the hardware has
1830 * decrypted them already.
1832 if (status->flag & RX_FLAG_DECRYPTED)
1835 if (rx->sta && test_sta_flag(rx->sta, WLAN_STA_MFP)) {
1836 if (unlikely(!ieee80211_has_protected(fc) &&
1837 ieee80211_is_unicast_robust_mgmt_frame(rx->skb) &&
1839 if (ieee80211_is_deauth(fc) ||
1840 ieee80211_is_disassoc(fc))
1841 cfg80211_rx_unprot_mlme_mgmt(rx->sdata->dev,
1846 /* BIP does not use Protected field, so need to check MMIE */
1847 if (unlikely(ieee80211_is_multicast_robust_mgmt_frame(rx->skb) &&
1848 ieee80211_get_mmie_keyidx(rx->skb) < 0)) {
1849 if (ieee80211_is_deauth(fc) ||
1850 ieee80211_is_disassoc(fc))
1851 cfg80211_rx_unprot_mlme_mgmt(rx->sdata->dev,
1857 * When using MFP, Action frames are not allowed prior to
1858 * having configured keys.
1860 if (unlikely(ieee80211_is_action(fc) && !rx->key &&
1861 ieee80211_is_robust_mgmt_frame(rx->skb)))
1869 __ieee80211_data_to_8023(struct ieee80211_rx_data *rx, bool *port_control)
1871 struct ieee80211_sub_if_data *sdata = rx->sdata;
1872 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)rx->skb->data;
1873 bool check_port_control = false;
1874 struct ethhdr *ehdr;
1877 *port_control = false;
1878 if (ieee80211_has_a4(hdr->frame_control) &&
1879 sdata->vif.type == NL80211_IFTYPE_AP_VLAN && !sdata->u.vlan.sta)
1882 if (sdata->vif.type == NL80211_IFTYPE_STATION &&
1883 !!sdata->u.mgd.use_4addr != !!ieee80211_has_a4(hdr->frame_control)) {
1885 if (!sdata->u.mgd.use_4addr)
1888 check_port_control = true;
1891 if (is_multicast_ether_addr(hdr->addr1) &&
1892 sdata->vif.type == NL80211_IFTYPE_AP_VLAN && sdata->u.vlan.sta)
1895 ret = ieee80211_data_to_8023(rx->skb, sdata->vif.addr, sdata->vif.type);
1899 ehdr = (struct ethhdr *) rx->skb->data;
1900 if (ehdr->h_proto == rx->sdata->control_port_protocol)
1901 *port_control = true;
1902 else if (check_port_control)
1909 * requires that rx->skb is a frame with ethernet header
1911 static bool ieee80211_frame_allowed(struct ieee80211_rx_data *rx, __le16 fc)
1913 static const u8 pae_group_addr[ETH_ALEN] __aligned(2)
1914 = { 0x01, 0x80, 0xC2, 0x00, 0x00, 0x03 };
1915 struct ethhdr *ehdr = (struct ethhdr *) rx->skb->data;
1918 * Allow EAPOL frames to us/the PAE group address regardless
1919 * of whether the frame was encrypted or not.
1921 if (ehdr->h_proto == rx->sdata->control_port_protocol &&
1922 (ether_addr_equal(ehdr->h_dest, rx->sdata->vif.addr) ||
1923 ether_addr_equal(ehdr->h_dest, pae_group_addr)))
1926 if (ieee80211_802_1x_port_control(rx) ||
1927 ieee80211_drop_unencrypted(rx, fc))
1934 * requires that rx->skb is a frame with ethernet header
1937 ieee80211_deliver_skb(struct ieee80211_rx_data *rx)
1939 struct ieee80211_sub_if_data *sdata = rx->sdata;
1940 struct net_device *dev = sdata->dev;
1941 struct sk_buff *skb, *xmit_skb;
1942 struct ethhdr *ehdr = (struct ethhdr *) rx->skb->data;
1943 struct sta_info *dsta;
1944 struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(rx->skb);
1949 if ((sdata->vif.type == NL80211_IFTYPE_AP ||
1950 sdata->vif.type == NL80211_IFTYPE_AP_VLAN) &&
1951 !(sdata->flags & IEEE80211_SDATA_DONT_BRIDGE_PACKETS) &&
1952 (status->rx_flags & IEEE80211_RX_RA_MATCH) &&
1953 (sdata->vif.type != NL80211_IFTYPE_AP_VLAN || !sdata->u.vlan.sta)) {
1954 if (is_multicast_ether_addr(ehdr->h_dest)) {
1956 * send multicast frames both to higher layers in
1957 * local net stack and back to the wireless medium
1959 xmit_skb = skb_copy(skb, GFP_ATOMIC);
1961 net_info_ratelimited("%s: failed to clone multicast frame\n",
1964 dsta = sta_info_get(sdata, skb->data);
1967 * The destination station is associated to
1968 * this AP (in this VLAN), so send the frame
1969 * directly to it and do not pass it to local
1978 #ifndef CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS
1980 /* 'align' will only take the values 0 or 2 here since all
1981 * frames are required to be aligned to 2-byte boundaries
1982 * when being passed to mac80211; the code here works just
1983 * as well if that isn't true, but mac80211 assumes it can
1984 * access fields as 2-byte aligned (e.g. for ether_addr_equal)
1988 align = (unsigned long)(skb->data + sizeof(struct ethhdr)) & 3;
1990 if (WARN_ON(skb_headroom(skb) < 3)) {
1994 u8 *data = skb->data;
1995 size_t len = skb_headlen(skb);
1997 memmove(skb->data, data, len);
1998 skb_set_tail_pointer(skb, len);
2005 /* deliver to local stack */
2006 skb->protocol = eth_type_trans(skb, dev);
2007 memset(skb->cb, 0, sizeof(skb->cb));
2008 if (rx->local->napi)
2009 napi_gro_receive(rx->local->napi, skb);
2011 netif_receive_skb(skb);
2016 * Send to wireless media and increase priority by 256 to
2017 * keep the received priority instead of reclassifying
2018 * the frame (see cfg80211_classify8021d).
2020 xmit_skb->priority += 256;
2021 xmit_skb->protocol = htons(ETH_P_802_3);
2022 skb_reset_network_header(xmit_skb);
2023 skb_reset_mac_header(xmit_skb);
2024 dev_queue_xmit(xmit_skb);
2028 static ieee80211_rx_result debug_noinline
2029 ieee80211_rx_h_amsdu(struct ieee80211_rx_data *rx)
2031 struct net_device *dev = rx->sdata->dev;
2032 struct sk_buff *skb = rx->skb;
2033 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)skb->data;
2034 __le16 fc = hdr->frame_control;
2035 struct sk_buff_head frame_list;
2036 struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(rx->skb);
2038 if (unlikely(!ieee80211_is_data(fc)))
2041 if (unlikely(!ieee80211_is_data_present(fc)))
2042 return RX_DROP_MONITOR;
2044 if (!(status->rx_flags & IEEE80211_RX_AMSDU))
2047 if (ieee80211_has_a4(hdr->frame_control) &&
2048 rx->sdata->vif.type == NL80211_IFTYPE_AP_VLAN &&
2049 !rx->sdata->u.vlan.sta)
2050 return RX_DROP_UNUSABLE;
2052 if (is_multicast_ether_addr(hdr->addr1) &&
2053 ((rx->sdata->vif.type == NL80211_IFTYPE_AP_VLAN &&
2054 rx->sdata->u.vlan.sta) ||
2055 (rx->sdata->vif.type == NL80211_IFTYPE_STATION &&
2056 rx->sdata->u.mgd.use_4addr)))
2057 return RX_DROP_UNUSABLE;
2060 __skb_queue_head_init(&frame_list);
2062 if (skb_linearize(skb))
2063 return RX_DROP_UNUSABLE;
2065 ieee80211_amsdu_to_8023s(skb, &frame_list, dev->dev_addr,
2066 rx->sdata->vif.type,
2067 rx->local->hw.extra_tx_headroom, true);
2069 while (!skb_queue_empty(&frame_list)) {
2070 rx->skb = __skb_dequeue(&frame_list);
2072 if (!ieee80211_frame_allowed(rx, fc)) {
2073 dev_kfree_skb(rx->skb);
2076 dev->stats.rx_packets++;
2077 dev->stats.rx_bytes += rx->skb->len;
2079 ieee80211_deliver_skb(rx);
2085 #ifdef CONFIG_MAC80211_MESH
2086 static ieee80211_rx_result
2087 ieee80211_rx_h_mesh_fwding(struct ieee80211_rx_data *rx)
2089 struct ieee80211_hdr *fwd_hdr, *hdr;
2090 struct ieee80211_tx_info *info;
2091 struct ieee80211s_hdr *mesh_hdr;
2092 struct sk_buff *skb = rx->skb, *fwd_skb;
2093 struct ieee80211_local *local = rx->local;
2094 struct ieee80211_sub_if_data *sdata = rx->sdata;
2095 struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb);
2096 struct ieee80211_if_mesh *ifmsh = &sdata->u.mesh;
2099 hdr = (struct ieee80211_hdr *) skb->data;
2100 hdrlen = ieee80211_hdrlen(hdr->frame_control);
2102 /* make sure fixed part of mesh header is there, also checks skb len */
2103 if (!pskb_may_pull(rx->skb, hdrlen + 6))
2104 return RX_DROP_MONITOR;
2106 mesh_hdr = (struct ieee80211s_hdr *) (skb->data + hdrlen);
2108 /* make sure full mesh header is there, also checks skb len */
2109 if (!pskb_may_pull(rx->skb,
2110 hdrlen + ieee80211_get_mesh_hdrlen(mesh_hdr)))
2111 return RX_DROP_MONITOR;
2113 /* reload pointers */
2114 hdr = (struct ieee80211_hdr *) skb->data;
2115 mesh_hdr = (struct ieee80211s_hdr *) (skb->data + hdrlen);
2117 /* frame is in RMC, don't forward */
2118 if (ieee80211_is_data(hdr->frame_control) &&
2119 is_multicast_ether_addr(hdr->addr1) &&
2120 mesh_rmc_check(rx->sdata, hdr->addr3, mesh_hdr))
2121 return RX_DROP_MONITOR;
2123 if (!ieee80211_is_data(hdr->frame_control) ||
2124 !(status->rx_flags & IEEE80211_RX_RA_MATCH))
2128 return RX_DROP_MONITOR;
2130 if (mesh_hdr->flags & MESH_FLAGS_AE) {
2131 struct mesh_path *mppath;
2135 if (is_multicast_ether_addr(hdr->addr1)) {
2136 mpp_addr = hdr->addr3;
2137 proxied_addr = mesh_hdr->eaddr1;
2138 } else if (mesh_hdr->flags & MESH_FLAGS_AE_A5_A6) {
2139 /* has_a4 already checked in ieee80211_rx_mesh_check */
2140 mpp_addr = hdr->addr4;
2141 proxied_addr = mesh_hdr->eaddr2;
2143 return RX_DROP_MONITOR;
2147 mppath = mpp_path_lookup(sdata, proxied_addr);
2149 mpp_path_add(sdata, proxied_addr, mpp_addr);
2151 spin_lock_bh(&mppath->state_lock);
2152 if (!ether_addr_equal(mppath->mpp, mpp_addr))
2153 memcpy(mppath->mpp, mpp_addr, ETH_ALEN);
2154 spin_unlock_bh(&mppath->state_lock);
2159 /* Frame has reached destination. Don't forward */
2160 if (!is_multicast_ether_addr(hdr->addr1) &&
2161 ether_addr_equal(sdata->vif.addr, hdr->addr3))
2164 q = ieee80211_select_queue_80211(sdata, skb, hdr);
2165 if (ieee80211_queue_stopped(&local->hw, q)) {
2166 IEEE80211_IFSTA_MESH_CTR_INC(ifmsh, dropped_frames_congestion);
2167 return RX_DROP_MONITOR;
2169 skb_set_queue_mapping(skb, q);
2171 if (!--mesh_hdr->ttl) {
2172 IEEE80211_IFSTA_MESH_CTR_INC(ifmsh, dropped_frames_ttl);
2176 if (!ifmsh->mshcfg.dot11MeshForwarding)
2179 fwd_skb = skb_copy(skb, GFP_ATOMIC);
2181 net_info_ratelimited("%s: failed to clone mesh frame\n",
2186 fwd_hdr = (struct ieee80211_hdr *) fwd_skb->data;
2187 fwd_hdr->frame_control &= ~cpu_to_le16(IEEE80211_FCTL_RETRY);
2188 info = IEEE80211_SKB_CB(fwd_skb);
2189 memset(info, 0, sizeof(*info));
2190 info->flags |= IEEE80211_TX_INTFL_NEED_TXPROCESSING;
2191 info->control.vif = &rx->sdata->vif;
2192 info->control.jiffies = jiffies;
2193 if (is_multicast_ether_addr(fwd_hdr->addr1)) {
2194 IEEE80211_IFSTA_MESH_CTR_INC(ifmsh, fwded_mcast);
2195 memcpy(fwd_hdr->addr2, sdata->vif.addr, ETH_ALEN);
2196 /* update power mode indication when forwarding */
2197 ieee80211_mps_set_frame_flags(sdata, NULL, fwd_hdr);
2198 } else if (!mesh_nexthop_lookup(sdata, fwd_skb)) {
2199 /* mesh power mode flags updated in mesh_nexthop_lookup */
2200 IEEE80211_IFSTA_MESH_CTR_INC(ifmsh, fwded_unicast);
2202 /* unable to resolve next hop */
2203 mesh_path_error_tx(sdata, ifmsh->mshcfg.element_ttl,
2205 WLAN_REASON_MESH_PATH_NOFORWARD,
2207 IEEE80211_IFSTA_MESH_CTR_INC(ifmsh, dropped_frames_no_route);
2209 return RX_DROP_MONITOR;
2212 IEEE80211_IFSTA_MESH_CTR_INC(ifmsh, fwded_frames);
2213 ieee80211_add_pending_skb(local, fwd_skb);
2215 if (is_multicast_ether_addr(hdr->addr1) ||
2216 sdata->dev->flags & IFF_PROMISC)
2219 return RX_DROP_MONITOR;
2223 static ieee80211_rx_result debug_noinline
2224 ieee80211_rx_h_data(struct ieee80211_rx_data *rx)
2226 struct ieee80211_sub_if_data *sdata = rx->sdata;
2227 struct ieee80211_local *local = rx->local;
2228 struct net_device *dev = sdata->dev;
2229 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)rx->skb->data;
2230 __le16 fc = hdr->frame_control;
2234 if (unlikely(!ieee80211_is_data(hdr->frame_control)))
2237 if (unlikely(!ieee80211_is_data_present(hdr->frame_control)))
2238 return RX_DROP_MONITOR;
2241 * Send unexpected-4addr-frame event to hostapd. For older versions,
2242 * also drop the frame to cooked monitor interfaces.
2244 if (ieee80211_has_a4(hdr->frame_control) &&
2245 sdata->vif.type == NL80211_IFTYPE_AP) {
2247 !test_and_set_sta_flag(rx->sta, WLAN_STA_4ADDR_EVENT))
2248 cfg80211_rx_unexpected_4addr_frame(
2249 rx->sdata->dev, rx->sta->sta.addr, GFP_ATOMIC);
2250 return RX_DROP_MONITOR;
2253 err = __ieee80211_data_to_8023(rx, &port_control);
2255 return RX_DROP_UNUSABLE;
2257 if (!ieee80211_frame_allowed(rx, fc))
2258 return RX_DROP_MONITOR;
2260 if (rx->sdata->vif.type == NL80211_IFTYPE_AP_VLAN &&
2261 unlikely(port_control) && sdata->bss) {
2262 sdata = container_of(sdata->bss, struct ieee80211_sub_if_data,
2270 dev->stats.rx_packets++;
2271 dev->stats.rx_bytes += rx->skb->len;
2273 if (local->ps_sdata && local->hw.conf.dynamic_ps_timeout > 0 &&
2274 !is_multicast_ether_addr(
2275 ((struct ethhdr *)rx->skb->data)->h_dest) &&
2276 (!local->scanning &&
2277 !test_bit(SDATA_STATE_OFFCHANNEL, &sdata->state))) {
2278 mod_timer(&local->dynamic_ps_timer, jiffies +
2279 msecs_to_jiffies(local->hw.conf.dynamic_ps_timeout));
2282 ieee80211_deliver_skb(rx);
2287 static ieee80211_rx_result debug_noinline
2288 ieee80211_rx_h_ctrl(struct ieee80211_rx_data *rx, struct sk_buff_head *frames)
2290 struct sk_buff *skb = rx->skb;
2291 struct ieee80211_bar *bar = (struct ieee80211_bar *)skb->data;
2292 struct tid_ampdu_rx *tid_agg_rx;
2296 if (likely(!ieee80211_is_ctl(bar->frame_control)))
2299 if (ieee80211_is_back_req(bar->frame_control)) {
2301 __le16 control, start_seq_num;
2302 } __packed bar_data;
2305 return RX_DROP_MONITOR;
2307 if (skb_copy_bits(skb, offsetof(struct ieee80211_bar, control),
2308 &bar_data, sizeof(bar_data)))
2309 return RX_DROP_MONITOR;
2311 tid = le16_to_cpu(bar_data.control) >> 12;
2313 tid_agg_rx = rcu_dereference(rx->sta->ampdu_mlme.tid_rx[tid]);
2315 return RX_DROP_MONITOR;
2317 start_seq_num = le16_to_cpu(bar_data.start_seq_num) >> 4;
2319 /* reset session timer */
2320 if (tid_agg_rx->timeout)
2321 mod_timer(&tid_agg_rx->session_timer,
2322 TU_TO_EXP_TIME(tid_agg_rx->timeout));
2324 spin_lock(&tid_agg_rx->reorder_lock);
2325 /* release stored frames up to start of BAR */
2326 ieee80211_release_reorder_frames(rx->sdata, tid_agg_rx,
2327 start_seq_num, frames);
2328 spin_unlock(&tid_agg_rx->reorder_lock);
2335 * After this point, we only want management frames,
2336 * so we can drop all remaining control frames to
2337 * cooked monitor interfaces.
2339 return RX_DROP_MONITOR;
2342 static void ieee80211_process_sa_query_req(struct ieee80211_sub_if_data *sdata,
2343 struct ieee80211_mgmt *mgmt,
2346 struct ieee80211_local *local = sdata->local;
2347 struct sk_buff *skb;
2348 struct ieee80211_mgmt *resp;
2350 if (!ether_addr_equal(mgmt->da, sdata->vif.addr)) {
2351 /* Not to own unicast address */
2355 if (!ether_addr_equal(mgmt->sa, sdata->u.mgd.bssid) ||
2356 !ether_addr_equal(mgmt->bssid, sdata->u.mgd.bssid)) {
2357 /* Not from the current AP or not associated yet. */
2361 if (len < 24 + 1 + sizeof(resp->u.action.u.sa_query)) {
2362 /* Too short SA Query request frame */
2366 skb = dev_alloc_skb(sizeof(*resp) + local->hw.extra_tx_headroom);
2370 skb_reserve(skb, local->hw.extra_tx_headroom);
2371 resp = (struct ieee80211_mgmt *) skb_put(skb, 24);
2372 memset(resp, 0, 24);
2373 memcpy(resp->da, mgmt->sa, ETH_ALEN);
2374 memcpy(resp->sa, sdata->vif.addr, ETH_ALEN);
2375 memcpy(resp->bssid, sdata->u.mgd.bssid, ETH_ALEN);
2376 resp->frame_control = cpu_to_le16(IEEE80211_FTYPE_MGMT |
2377 IEEE80211_STYPE_ACTION);
2378 skb_put(skb, 1 + sizeof(resp->u.action.u.sa_query));
2379 resp->u.action.category = WLAN_CATEGORY_SA_QUERY;
2380 resp->u.action.u.sa_query.action = WLAN_ACTION_SA_QUERY_RESPONSE;
2381 memcpy(resp->u.action.u.sa_query.trans_id,
2382 mgmt->u.action.u.sa_query.trans_id,
2383 WLAN_SA_QUERY_TR_ID_LEN);
2385 ieee80211_tx_skb(sdata, skb);
2388 static ieee80211_rx_result debug_noinline
2389 ieee80211_rx_h_mgmt_check(struct ieee80211_rx_data *rx)
2391 struct ieee80211_mgmt *mgmt = (struct ieee80211_mgmt *) rx->skb->data;
2392 struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(rx->skb);
2395 * From here on, look only at management frames.
2396 * Data and control frames are already handled,
2397 * and unknown (reserved) frames are useless.
2399 if (rx->skb->len < 24)
2400 return RX_DROP_MONITOR;
2402 if (!ieee80211_is_mgmt(mgmt->frame_control))
2403 return RX_DROP_MONITOR;
2405 if (rx->sdata->vif.type == NL80211_IFTYPE_AP &&
2406 ieee80211_is_beacon(mgmt->frame_control) &&
2407 !(rx->flags & IEEE80211_RX_BEACON_REPORTED)) {
2410 if (rx->local->hw.flags & IEEE80211_HW_SIGNAL_DBM)
2411 sig = status->signal;
2413 cfg80211_report_obss_beacon(rx->local->hw.wiphy,
2414 rx->skb->data, rx->skb->len,
2416 rx->flags |= IEEE80211_RX_BEACON_REPORTED;
2419 if (!(status->rx_flags & IEEE80211_RX_RA_MATCH))
2420 return RX_DROP_MONITOR;
2422 if (ieee80211_drop_unencrypted_mgmt(rx))
2423 return RX_DROP_UNUSABLE;
2428 static ieee80211_rx_result debug_noinline
2429 ieee80211_rx_h_action(struct ieee80211_rx_data *rx)
2431 struct ieee80211_local *local = rx->local;
2432 struct ieee80211_sub_if_data *sdata = rx->sdata;
2433 struct ieee80211_mgmt *mgmt = (struct ieee80211_mgmt *) rx->skb->data;
2434 struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(rx->skb);
2435 int len = rx->skb->len;
2437 if (!ieee80211_is_action(mgmt->frame_control))
2440 /* drop too small frames */
2441 if (len < IEEE80211_MIN_ACTION_SIZE)
2442 return RX_DROP_UNUSABLE;
2444 if (!rx->sta && mgmt->u.action.category != WLAN_CATEGORY_PUBLIC &&
2445 mgmt->u.action.category != WLAN_CATEGORY_SELF_PROTECTED &&
2446 mgmt->u.action.category != WLAN_CATEGORY_SPECTRUM_MGMT)
2447 return RX_DROP_UNUSABLE;
2449 if (!(status->rx_flags & IEEE80211_RX_RA_MATCH))
2450 return RX_DROP_UNUSABLE;
2452 switch (mgmt->u.action.category) {
2453 case WLAN_CATEGORY_HT:
2454 /* reject HT action frames from stations not supporting HT */
2455 if (!rx->sta->sta.ht_cap.ht_supported)
2458 if (sdata->vif.type != NL80211_IFTYPE_STATION &&
2459 sdata->vif.type != NL80211_IFTYPE_MESH_POINT &&
2460 sdata->vif.type != NL80211_IFTYPE_AP_VLAN &&
2461 sdata->vif.type != NL80211_IFTYPE_AP &&
2462 sdata->vif.type != NL80211_IFTYPE_ADHOC)
2465 /* verify action & smps_control/chanwidth are present */
2466 if (len < IEEE80211_MIN_ACTION_SIZE + 2)
2469 switch (mgmt->u.action.u.ht_smps.action) {
2470 case WLAN_HT_ACTION_SMPS: {
2471 struct ieee80211_supported_band *sband;
2472 enum ieee80211_smps_mode smps_mode;
2474 /* convert to HT capability */
2475 switch (mgmt->u.action.u.ht_smps.smps_control) {
2476 case WLAN_HT_SMPS_CONTROL_DISABLED:
2477 smps_mode = IEEE80211_SMPS_OFF;
2479 case WLAN_HT_SMPS_CONTROL_STATIC:
2480 smps_mode = IEEE80211_SMPS_STATIC;
2482 case WLAN_HT_SMPS_CONTROL_DYNAMIC:
2483 smps_mode = IEEE80211_SMPS_DYNAMIC;
2489 /* if no change do nothing */
2490 if (rx->sta->sta.smps_mode == smps_mode)
2492 rx->sta->sta.smps_mode = smps_mode;
2494 sband = rx->local->hw.wiphy->bands[status->band];
2496 rate_control_rate_update(local, sband, rx->sta,
2497 IEEE80211_RC_SMPS_CHANGED);
2500 case WLAN_HT_ACTION_NOTIFY_CHANWIDTH: {
2501 struct ieee80211_supported_band *sband;
2502 u8 chanwidth = mgmt->u.action.u.ht_notify_cw.chanwidth;
2503 enum ieee80211_sta_rx_bandwidth new_bw;
2505 /* If it doesn't support 40 MHz it can't change ... */
2506 if (!(rx->sta->sta.ht_cap.cap &
2507 IEEE80211_HT_CAP_SUP_WIDTH_20_40))
2510 if (chanwidth == IEEE80211_HT_CHANWIDTH_20MHZ)
2511 new_bw = IEEE80211_STA_RX_BW_20;
2513 new_bw = ieee80211_sta_cur_vht_bw(rx->sta);
2515 if (rx->sta->sta.bandwidth == new_bw)
2518 sband = rx->local->hw.wiphy->bands[status->band];
2520 rate_control_rate_update(local, sband, rx->sta,
2521 IEEE80211_RC_BW_CHANGED);
2529 case WLAN_CATEGORY_PUBLIC:
2530 if (len < IEEE80211_MIN_ACTION_SIZE + 1)
2532 if (sdata->vif.type != NL80211_IFTYPE_STATION)
2536 if (!ether_addr_equal(mgmt->bssid, sdata->u.mgd.bssid))
2538 if (mgmt->u.action.u.ext_chan_switch.action_code !=
2539 WLAN_PUB_ACTION_EXT_CHANSW_ANN)
2541 if (len < offsetof(struct ieee80211_mgmt,
2542 u.action.u.ext_chan_switch.variable))
2545 case WLAN_CATEGORY_VHT:
2546 if (sdata->vif.type != NL80211_IFTYPE_STATION &&
2547 sdata->vif.type != NL80211_IFTYPE_MESH_POINT &&
2548 sdata->vif.type != NL80211_IFTYPE_AP_VLAN &&
2549 sdata->vif.type != NL80211_IFTYPE_AP &&
2550 sdata->vif.type != NL80211_IFTYPE_ADHOC)
2553 /* verify action code is present */
2554 if (len < IEEE80211_MIN_ACTION_SIZE + 1)
2557 switch (mgmt->u.action.u.vht_opmode_notif.action_code) {
2558 case WLAN_VHT_ACTION_OPMODE_NOTIF: {
2561 /* verify opmode is present */
2562 if (len < IEEE80211_MIN_ACTION_SIZE + 2)
2565 opmode = mgmt->u.action.u.vht_opmode_notif.operating_mode;
2567 ieee80211_vht_handle_opmode(rx->sdata, rx->sta,
2568 opmode, status->band,
2576 case WLAN_CATEGORY_BACK:
2577 if (sdata->vif.type != NL80211_IFTYPE_STATION &&
2578 sdata->vif.type != NL80211_IFTYPE_MESH_POINT &&
2579 sdata->vif.type != NL80211_IFTYPE_AP_VLAN &&
2580 sdata->vif.type != NL80211_IFTYPE_AP &&
2581 sdata->vif.type != NL80211_IFTYPE_ADHOC)
2584 /* verify action_code is present */
2585 if (len < IEEE80211_MIN_ACTION_SIZE + 1)
2588 switch (mgmt->u.action.u.addba_req.action_code) {
2589 case WLAN_ACTION_ADDBA_REQ:
2590 if (len < (IEEE80211_MIN_ACTION_SIZE +
2591 sizeof(mgmt->u.action.u.addba_req)))
2594 case WLAN_ACTION_ADDBA_RESP:
2595 if (len < (IEEE80211_MIN_ACTION_SIZE +
2596 sizeof(mgmt->u.action.u.addba_resp)))
2599 case WLAN_ACTION_DELBA:
2600 if (len < (IEEE80211_MIN_ACTION_SIZE +
2601 sizeof(mgmt->u.action.u.delba)))
2609 case WLAN_CATEGORY_SPECTRUM_MGMT:
2610 /* verify action_code is present */
2611 if (len < IEEE80211_MIN_ACTION_SIZE + 1)
2614 switch (mgmt->u.action.u.measurement.action_code) {
2615 case WLAN_ACTION_SPCT_MSR_REQ:
2616 if (status->band != IEEE80211_BAND_5GHZ)
2619 if (len < (IEEE80211_MIN_ACTION_SIZE +
2620 sizeof(mgmt->u.action.u.measurement)))
2623 if (sdata->vif.type != NL80211_IFTYPE_STATION)
2626 ieee80211_process_measurement_req(sdata, mgmt, len);
2628 case WLAN_ACTION_SPCT_CHL_SWITCH: {
2630 if (len < (IEEE80211_MIN_ACTION_SIZE +
2631 sizeof(mgmt->u.action.u.chan_switch)))
2634 if (sdata->vif.type != NL80211_IFTYPE_STATION &&
2635 sdata->vif.type != NL80211_IFTYPE_ADHOC &&
2636 sdata->vif.type != NL80211_IFTYPE_MESH_POINT)
2639 if (sdata->vif.type == NL80211_IFTYPE_STATION)
2640 bssid = sdata->u.mgd.bssid;
2641 else if (sdata->vif.type == NL80211_IFTYPE_ADHOC)
2642 bssid = sdata->u.ibss.bssid;
2643 else if (sdata->vif.type == NL80211_IFTYPE_MESH_POINT)
2648 if (!ether_addr_equal(mgmt->bssid, bssid))
2655 case WLAN_CATEGORY_SA_QUERY:
2656 if (len < (IEEE80211_MIN_ACTION_SIZE +
2657 sizeof(mgmt->u.action.u.sa_query)))
2660 switch (mgmt->u.action.u.sa_query.action) {
2661 case WLAN_ACTION_SA_QUERY_REQUEST:
2662 if (sdata->vif.type != NL80211_IFTYPE_STATION)
2664 ieee80211_process_sa_query_req(sdata, mgmt, len);
2668 case WLAN_CATEGORY_SELF_PROTECTED:
2669 if (len < (IEEE80211_MIN_ACTION_SIZE +
2670 sizeof(mgmt->u.action.u.self_prot.action_code)))
2673 switch (mgmt->u.action.u.self_prot.action_code) {
2674 case WLAN_SP_MESH_PEERING_OPEN:
2675 case WLAN_SP_MESH_PEERING_CLOSE:
2676 case WLAN_SP_MESH_PEERING_CONFIRM:
2677 if (!ieee80211_vif_is_mesh(&sdata->vif))
2679 if (sdata->u.mesh.user_mpm)
2680 /* userspace handles this frame */
2683 case WLAN_SP_MGK_INFORM:
2684 case WLAN_SP_MGK_ACK:
2685 if (!ieee80211_vif_is_mesh(&sdata->vif))
2690 case WLAN_CATEGORY_MESH_ACTION:
2691 if (len < (IEEE80211_MIN_ACTION_SIZE +
2692 sizeof(mgmt->u.action.u.mesh_action.action_code)))
2695 if (!ieee80211_vif_is_mesh(&sdata->vif))
2697 if (mesh_action_is_path_sel(mgmt) &&
2698 !mesh_path_sel_is_hwmp(sdata))
2706 status->rx_flags |= IEEE80211_RX_MALFORMED_ACTION_FRM;
2707 /* will return in the next handlers */
2712 rx->sta->rx_packets++;
2713 dev_kfree_skb(rx->skb);
2717 rx->skb->pkt_type = IEEE80211_SDATA_QUEUE_TYPE_FRAME;
2718 skb_queue_tail(&sdata->skb_queue, rx->skb);
2719 ieee80211_queue_work(&local->hw, &sdata->work);
2721 rx->sta->rx_packets++;
2725 static ieee80211_rx_result debug_noinline
2726 ieee80211_rx_h_userspace_mgmt(struct ieee80211_rx_data *rx)
2728 struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(rx->skb);
2731 /* skip known-bad action frames and return them in the next handler */
2732 if (status->rx_flags & IEEE80211_RX_MALFORMED_ACTION_FRM)
2736 * Getting here means the kernel doesn't know how to handle
2737 * it, but maybe userspace does ... include returned frames
2738 * so userspace can register for those to know whether ones
2739 * it transmitted were processed or returned.
2742 if (rx->local->hw.flags & IEEE80211_HW_SIGNAL_DBM)
2743 sig = status->signal;
2745 if (cfg80211_rx_mgmt(&rx->sdata->wdev, status->freq, sig,
2746 rx->skb->data, rx->skb->len, 0)) {
2748 rx->sta->rx_packets++;
2749 dev_kfree_skb(rx->skb);
2756 static ieee80211_rx_result debug_noinline
2757 ieee80211_rx_h_action_return(struct ieee80211_rx_data *rx)
2759 struct ieee80211_local *local = rx->local;
2760 struct ieee80211_mgmt *mgmt = (struct ieee80211_mgmt *) rx->skb->data;
2761 struct sk_buff *nskb;
2762 struct ieee80211_sub_if_data *sdata = rx->sdata;
2763 struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(rx->skb);
2765 if (!ieee80211_is_action(mgmt->frame_control))
2769 * For AP mode, hostapd is responsible for handling any action
2770 * frames that we didn't handle, including returning unknown
2771 * ones. For all other modes we will return them to the sender,
2772 * setting the 0x80 bit in the action category, as required by
2773 * 802.11-2012 9.24.4.
2774 * Newer versions of hostapd shall also use the management frame
2775 * registration mechanisms, but older ones still use cooked
2776 * monitor interfaces so push all frames there.
2778 if (!(status->rx_flags & IEEE80211_RX_MALFORMED_ACTION_FRM) &&
2779 (sdata->vif.type == NL80211_IFTYPE_AP ||
2780 sdata->vif.type == NL80211_IFTYPE_AP_VLAN))
2781 return RX_DROP_MONITOR;
2783 if (is_multicast_ether_addr(mgmt->da))
2784 return RX_DROP_MONITOR;
2786 /* do not return rejected action frames */
2787 if (mgmt->u.action.category & 0x80)
2788 return RX_DROP_UNUSABLE;
2790 nskb = skb_copy_expand(rx->skb, local->hw.extra_tx_headroom, 0,
2793 struct ieee80211_mgmt *nmgmt = (void *)nskb->data;
2795 nmgmt->u.action.category |= 0x80;
2796 memcpy(nmgmt->da, nmgmt->sa, ETH_ALEN);
2797 memcpy(nmgmt->sa, rx->sdata->vif.addr, ETH_ALEN);
2799 memset(nskb->cb, 0, sizeof(nskb->cb));
2801 if (rx->sdata->vif.type == NL80211_IFTYPE_P2P_DEVICE) {
2802 struct ieee80211_tx_info *info = IEEE80211_SKB_CB(nskb);
2804 info->flags = IEEE80211_TX_CTL_TX_OFFCHAN |
2805 IEEE80211_TX_INTFL_OFFCHAN_TX_OK |
2806 IEEE80211_TX_CTL_NO_CCK_RATE;
2807 if (local->hw.flags & IEEE80211_HW_QUEUE_CONTROL)
2809 local->hw.offchannel_tx_hw_queue;
2812 __ieee80211_tx_skb_tid_band(rx->sdata, nskb, 7,
2815 dev_kfree_skb(rx->skb);
2819 static ieee80211_rx_result debug_noinline
2820 ieee80211_rx_h_mgmt(struct ieee80211_rx_data *rx)
2822 struct ieee80211_sub_if_data *sdata = rx->sdata;
2823 struct ieee80211_mgmt *mgmt = (void *)rx->skb->data;
2826 stype = mgmt->frame_control & cpu_to_le16(IEEE80211_FCTL_STYPE);
2828 if (!ieee80211_vif_is_mesh(&sdata->vif) &&
2829 sdata->vif.type != NL80211_IFTYPE_ADHOC &&
2830 sdata->vif.type != NL80211_IFTYPE_OCB &&
2831 sdata->vif.type != NL80211_IFTYPE_STATION)
2832 return RX_DROP_MONITOR;
2835 case cpu_to_le16(IEEE80211_STYPE_AUTH):
2836 case cpu_to_le16(IEEE80211_STYPE_BEACON):
2837 case cpu_to_le16(IEEE80211_STYPE_PROBE_RESP):
2838 /* process for all: mesh, mlme, ibss */
2840 case cpu_to_le16(IEEE80211_STYPE_ASSOC_RESP):
2841 case cpu_to_le16(IEEE80211_STYPE_REASSOC_RESP):
2842 case cpu_to_le16(IEEE80211_STYPE_DEAUTH):
2843 case cpu_to_le16(IEEE80211_STYPE_DISASSOC):
2844 if (is_multicast_ether_addr(mgmt->da) &&
2845 !is_broadcast_ether_addr(mgmt->da))
2846 return RX_DROP_MONITOR;
2848 /* process only for station */
2849 if (sdata->vif.type != NL80211_IFTYPE_STATION)
2850 return RX_DROP_MONITOR;
2852 case cpu_to_le16(IEEE80211_STYPE_PROBE_REQ):
2853 /* process only for ibss and mesh */
2854 if (sdata->vif.type != NL80211_IFTYPE_ADHOC &&
2855 sdata->vif.type != NL80211_IFTYPE_MESH_POINT)
2856 return RX_DROP_MONITOR;
2859 return RX_DROP_MONITOR;
2862 /* queue up frame and kick off work to process it */
2863 rx->skb->pkt_type = IEEE80211_SDATA_QUEUE_TYPE_FRAME;
2864 skb_queue_tail(&sdata->skb_queue, rx->skb);
2865 ieee80211_queue_work(&rx->local->hw, &sdata->work);
2867 rx->sta->rx_packets++;
2872 /* TODO: use IEEE80211_RX_FRAGMENTED */
2873 static void ieee80211_rx_cooked_monitor(struct ieee80211_rx_data *rx,
2874 struct ieee80211_rate *rate)
2876 struct ieee80211_sub_if_data *sdata;
2877 struct ieee80211_local *local = rx->local;
2878 struct sk_buff *skb = rx->skb, *skb2;
2879 struct net_device *prev_dev = NULL;
2880 struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb);
2881 int needed_headroom;
2884 * If cooked monitor has been processed already, then
2885 * don't do it again. If not, set the flag.
2887 if (rx->flags & IEEE80211_RX_CMNTR)
2889 rx->flags |= IEEE80211_RX_CMNTR;
2891 /* If there are no cooked monitor interfaces, just free the SKB */
2892 if (!local->cooked_mntrs)
2895 /* room for the radiotap header based on driver features */
2896 needed_headroom = ieee80211_rx_radiotap_space(local, status);
2898 if (skb_headroom(skb) < needed_headroom &&
2899 pskb_expand_head(skb, needed_headroom, 0, GFP_ATOMIC))
2902 /* prepend radiotap information */
2903 ieee80211_add_rx_radiotap_header(local, skb, rate, needed_headroom,
2906 skb_set_mac_header(skb, 0);
2907 skb->ip_summed = CHECKSUM_UNNECESSARY;
2908 skb->pkt_type = PACKET_OTHERHOST;
2909 skb->protocol = htons(ETH_P_802_2);
2911 list_for_each_entry_rcu(sdata, &local->interfaces, list) {
2912 if (!ieee80211_sdata_running(sdata))
2915 if (sdata->vif.type != NL80211_IFTYPE_MONITOR ||
2916 !(sdata->u.mntr_flags & MONITOR_FLAG_COOK_FRAMES))
2920 skb2 = skb_clone(skb, GFP_ATOMIC);
2922 skb2->dev = prev_dev;
2923 netif_receive_skb(skb2);
2927 prev_dev = sdata->dev;
2928 sdata->dev->stats.rx_packets++;
2929 sdata->dev->stats.rx_bytes += skb->len;
2933 skb->dev = prev_dev;
2934 netif_receive_skb(skb);
2942 static void ieee80211_rx_handlers_result(struct ieee80211_rx_data *rx,
2943 ieee80211_rx_result res)
2946 case RX_DROP_MONITOR:
2947 I802_DEBUG_INC(rx->sdata->local->rx_handlers_drop);
2949 rx->sta->rx_dropped++;
2952 struct ieee80211_rate *rate = NULL;
2953 struct ieee80211_supported_band *sband;
2954 struct ieee80211_rx_status *status;
2956 status = IEEE80211_SKB_RXCB((rx->skb));
2958 sband = rx->local->hw.wiphy->bands[status->band];
2959 if (!(status->flag & RX_FLAG_HT) &&
2960 !(status->flag & RX_FLAG_VHT))
2961 rate = &sband->bitrates[status->rate_idx];
2963 ieee80211_rx_cooked_monitor(rx, rate);
2966 case RX_DROP_UNUSABLE:
2967 I802_DEBUG_INC(rx->sdata->local->rx_handlers_drop);
2969 rx->sta->rx_dropped++;
2970 dev_kfree_skb(rx->skb);
2973 I802_DEBUG_INC(rx->sdata->local->rx_handlers_queued);
2978 static void ieee80211_rx_handlers(struct ieee80211_rx_data *rx,
2979 struct sk_buff_head *frames)
2981 ieee80211_rx_result res = RX_DROP_MONITOR;
2982 struct sk_buff *skb;
2984 #define CALL_RXH(rxh) \
2987 if (res != RX_CONTINUE) \
2991 spin_lock_bh(&rx->local->rx_path_lock);
2993 while ((skb = __skb_dequeue(frames))) {
2995 * all the other fields are valid across frames
2996 * that belong to an aMPDU since they are on the
2997 * same TID from the same station
3001 CALL_RXH(ieee80211_rx_h_check_more_data)
3002 CALL_RXH(ieee80211_rx_h_uapsd_and_pspoll)
3003 CALL_RXH(ieee80211_rx_h_sta_process)
3004 CALL_RXH(ieee80211_rx_h_decrypt)
3005 CALL_RXH(ieee80211_rx_h_defragment)
3006 CALL_RXH(ieee80211_rx_h_michael_mic_verify)
3007 /* must be after MMIC verify so header is counted in MPDU mic */
3008 #ifdef CONFIG_MAC80211_MESH
3009 if (ieee80211_vif_is_mesh(&rx->sdata->vif))
3010 CALL_RXH(ieee80211_rx_h_mesh_fwding);
3012 CALL_RXH(ieee80211_rx_h_amsdu)
3013 CALL_RXH(ieee80211_rx_h_data)
3015 /* special treatment -- needs the queue */
3016 res = ieee80211_rx_h_ctrl(rx, frames);
3017 if (res != RX_CONTINUE)
3020 CALL_RXH(ieee80211_rx_h_mgmt_check)
3021 CALL_RXH(ieee80211_rx_h_action)
3022 CALL_RXH(ieee80211_rx_h_userspace_mgmt)
3023 CALL_RXH(ieee80211_rx_h_action_return)
3024 CALL_RXH(ieee80211_rx_h_mgmt)
3027 ieee80211_rx_handlers_result(rx, res);
3032 spin_unlock_bh(&rx->local->rx_path_lock);
3035 static void ieee80211_invoke_rx_handlers(struct ieee80211_rx_data *rx)
3037 struct sk_buff_head reorder_release;
3038 ieee80211_rx_result res = RX_DROP_MONITOR;
3040 __skb_queue_head_init(&reorder_release);
3042 #define CALL_RXH(rxh) \
3045 if (res != RX_CONTINUE) \
3049 CALL_RXH(ieee80211_rx_h_check)
3051 ieee80211_rx_reorder_ampdu(rx, &reorder_release);
3053 ieee80211_rx_handlers(rx, &reorder_release);
3057 ieee80211_rx_handlers_result(rx, res);
3063 * This function makes calls into the RX path, therefore
3064 * it has to be invoked under RCU read lock.
3066 void ieee80211_release_reorder_timeout(struct sta_info *sta, int tid)
3068 struct sk_buff_head frames;
3069 struct ieee80211_rx_data rx = {
3071 .sdata = sta->sdata,
3072 .local = sta->local,
3073 /* This is OK -- must be QoS data frame */
3074 .security_idx = tid,
3078 struct tid_ampdu_rx *tid_agg_rx;
3080 tid_agg_rx = rcu_dereference(sta->ampdu_mlme.tid_rx[tid]);
3084 __skb_queue_head_init(&frames);
3086 spin_lock(&tid_agg_rx->reorder_lock);
3087 ieee80211_sta_reorder_release(sta->sdata, tid_agg_rx, &frames);
3088 spin_unlock(&tid_agg_rx->reorder_lock);
3090 ieee80211_rx_handlers(&rx, &frames);
3093 /* main receive path */
3095 static bool prepare_for_handlers(struct ieee80211_rx_data *rx,
3096 struct ieee80211_hdr *hdr)
3098 struct ieee80211_sub_if_data *sdata = rx->sdata;
3099 struct sk_buff *skb = rx->skb;
3100 struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb);
3101 u8 *bssid = ieee80211_get_bssid(hdr, skb->len, sdata->vif.type);
3102 int multicast = is_multicast_ether_addr(hdr->addr1);
3104 switch (sdata->vif.type) {
3105 case NL80211_IFTYPE_STATION:
3106 if (!bssid && !sdata->u.mgd.use_4addr)
3109 !ether_addr_equal(sdata->vif.addr, hdr->addr1)) {
3110 if (!(sdata->dev->flags & IFF_PROMISC) ||
3111 sdata->u.mgd.use_4addr)
3113 status->rx_flags &= ~IEEE80211_RX_RA_MATCH;
3116 case NL80211_IFTYPE_ADHOC:
3119 if (ether_addr_equal(sdata->vif.addr, hdr->addr2) ||
3120 ether_addr_equal(sdata->u.ibss.bssid, hdr->addr2))
3122 if (ieee80211_is_beacon(hdr->frame_control)) {
3124 } else if (!ieee80211_bssid_match(bssid, sdata->u.ibss.bssid)) {
3126 } else if (!multicast &&
3127 !ether_addr_equal(sdata->vif.addr, hdr->addr1)) {
3128 if (!(sdata->dev->flags & IFF_PROMISC))
3130 status->rx_flags &= ~IEEE80211_RX_RA_MATCH;
3131 } else if (!rx->sta) {
3133 if (status->flag & (RX_FLAG_HT | RX_FLAG_VHT))
3134 rate_idx = 0; /* TODO: HT/VHT rates */
3136 rate_idx = status->rate_idx;
3137 ieee80211_ibss_rx_no_sta(sdata, bssid, hdr->addr2,
3141 case NL80211_IFTYPE_OCB:
3144 if (ieee80211_is_beacon(hdr->frame_control)) {
3146 } else if (!is_broadcast_ether_addr(bssid)) {
3147 ocb_dbg(sdata, "BSSID mismatch in OCB mode!\n");
3149 } else if (!multicast &&
3150 !ether_addr_equal(sdata->dev->dev_addr,
3152 /* if we are in promisc mode we also accept
3153 * packets not destined for us
3155 if (!(sdata->dev->flags & IFF_PROMISC))
3157 rx->flags &= ~IEEE80211_RX_RA_MATCH;
3158 } else if (!rx->sta) {
3160 if (status->flag & RX_FLAG_HT)
3161 rate_idx = 0; /* TODO: HT rates */
3163 rate_idx = status->rate_idx;
3164 ieee80211_ocb_rx_no_sta(sdata, bssid, hdr->addr2,
3168 case NL80211_IFTYPE_MESH_POINT:
3170 !ether_addr_equal(sdata->vif.addr, hdr->addr1)) {
3171 if (!(sdata->dev->flags & IFF_PROMISC))
3174 status->rx_flags &= ~IEEE80211_RX_RA_MATCH;
3177 case NL80211_IFTYPE_AP_VLAN:
3178 case NL80211_IFTYPE_AP:
3180 if (!ether_addr_equal(sdata->vif.addr, hdr->addr1))
3182 } else if (!ieee80211_bssid_match(bssid, sdata->vif.addr)) {
3184 * Accept public action frames even when the
3185 * BSSID doesn't match, this is used for P2P
3186 * and location updates. Note that mac80211
3187 * itself never looks at these frames.
3190 !ether_addr_equal(sdata->vif.addr, hdr->addr1))
3192 if (ieee80211_is_public_action(hdr, skb->len))
3194 if (!ieee80211_is_beacon(hdr->frame_control))
3196 status->rx_flags &= ~IEEE80211_RX_RA_MATCH;
3197 } else if (!ieee80211_has_tods(hdr->frame_control)) {
3198 /* ignore data frames to TDLS-peers */
3199 if (ieee80211_is_data(hdr->frame_control))
3201 /* ignore action frames to TDLS-peers */
3202 if (ieee80211_is_action(hdr->frame_control) &&
3203 !ether_addr_equal(bssid, hdr->addr1))
3207 case NL80211_IFTYPE_WDS:
3208 if (bssid || !ieee80211_is_data(hdr->frame_control))
3210 if (!ether_addr_equal(sdata->u.wds.remote_addr, hdr->addr2))
3213 case NL80211_IFTYPE_P2P_DEVICE:
3214 if (!ieee80211_is_public_action(hdr, skb->len) &&
3215 !ieee80211_is_probe_req(hdr->frame_control) &&
3216 !ieee80211_is_probe_resp(hdr->frame_control) &&
3217 !ieee80211_is_beacon(hdr->frame_control))
3219 if (!ether_addr_equal(sdata->vif.addr, hdr->addr1) &&
3221 status->rx_flags &= ~IEEE80211_RX_RA_MATCH;
3224 /* should never get here */
3233 * This function returns whether or not the SKB
3234 * was destined for RX processing or not, which,
3235 * if consume is true, is equivalent to whether
3236 * or not the skb was consumed.
3238 static bool ieee80211_prepare_and_rx_handle(struct ieee80211_rx_data *rx,
3239 struct sk_buff *skb, bool consume)
3241 struct ieee80211_local *local = rx->local;
3242 struct ieee80211_sub_if_data *sdata = rx->sdata;
3243 struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb);
3244 struct ieee80211_hdr *hdr = (void *)skb->data;
3247 status->rx_flags |= IEEE80211_RX_RA_MATCH;
3249 if (!prepare_for_handlers(rx, hdr))
3253 skb = skb_copy(skb, GFP_ATOMIC);
3255 if (net_ratelimit())
3256 wiphy_debug(local->hw.wiphy,
3257 "failed to copy skb for %s\n",
3265 ieee80211_invoke_rx_handlers(rx);
3270 * This is the actual Rx frames handler. as it belongs to Rx path it must
3271 * be called with rcu_read_lock protection.
3273 static void __ieee80211_rx_handle_packet(struct ieee80211_hw *hw,
3274 struct sk_buff *skb)
3276 struct ieee80211_local *local = hw_to_local(hw);
3277 struct ieee80211_sub_if_data *sdata;
3278 struct ieee80211_hdr *hdr;
3280 struct ieee80211_rx_data rx;
3281 struct ieee80211_sub_if_data *prev;
3282 struct sta_info *sta, *tmp, *prev_sta;
3285 fc = ((struct ieee80211_hdr *)skb->data)->frame_control;
3286 memset(&rx, 0, sizeof(rx));
3290 if (ieee80211_is_data(fc) || ieee80211_is_mgmt(fc))
3291 local->dot11ReceivedFragmentCount++;
3293 if (ieee80211_is_mgmt(fc)) {
3294 /* drop frame if too short for header */
3295 if (skb->len < ieee80211_hdrlen(fc))
3298 err = skb_linearize(skb);
3300 err = !pskb_may_pull(skb, ieee80211_hdrlen(fc));
3308 hdr = (struct ieee80211_hdr *)skb->data;
3309 ieee80211_parse_qos(&rx);
3310 ieee80211_verify_alignment(&rx);
3312 if (unlikely(ieee80211_is_probe_resp(hdr->frame_control) ||
3313 ieee80211_is_beacon(hdr->frame_control)))
3314 ieee80211_scan_rx(local, skb);
3316 if (ieee80211_is_data(fc)) {
3319 for_each_sta_info(local, hdr->addr2, sta, tmp) {
3326 rx.sdata = prev_sta->sdata;
3327 ieee80211_prepare_and_rx_handle(&rx, skb, false);
3334 rx.sdata = prev_sta->sdata;
3336 if (ieee80211_prepare_and_rx_handle(&rx, skb, true))
3344 list_for_each_entry_rcu(sdata, &local->interfaces, list) {
3345 if (!ieee80211_sdata_running(sdata))
3348 if (sdata->vif.type == NL80211_IFTYPE_MONITOR ||
3349 sdata->vif.type == NL80211_IFTYPE_AP_VLAN)
3353 * frame is destined for this interface, but if it's
3354 * not also for the previous one we handle that after
3355 * the loop to avoid copying the SKB once too much
3363 rx.sta = sta_info_get_bss(prev, hdr->addr2);
3365 ieee80211_prepare_and_rx_handle(&rx, skb, false);
3371 rx.sta = sta_info_get_bss(prev, hdr->addr2);
3374 if (ieee80211_prepare_and_rx_handle(&rx, skb, true))
3383 * This is the receive path handler. It is called by a low level driver when an
3384 * 802.11 MPDU is received from the hardware.
3386 void ieee80211_rx(struct ieee80211_hw *hw, struct sk_buff *skb)
3388 struct ieee80211_local *local = hw_to_local(hw);
3389 struct ieee80211_rate *rate = NULL;
3390 struct ieee80211_supported_band *sband;
3391 struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb);
3393 WARN_ON_ONCE(softirq_count() == 0);
3395 if (WARN_ON(status->band >= IEEE80211_NUM_BANDS))
3398 sband = local->hw.wiphy->bands[status->band];
3399 if (WARN_ON(!sband))
3403 * If we're suspending, it is possible although not too likely
3404 * that we'd be receiving frames after having already partially
3405 * quiesced the stack. We can't process such frames then since
3406 * that might, for example, cause stations to be added or other
3407 * driver callbacks be invoked.
3409 if (unlikely(local->quiescing || local->suspended))
3412 /* We might be during a HW reconfig, prevent Rx for the same reason */
3413 if (unlikely(local->in_reconfig))
3417 * The same happens when we're not even started,
3418 * but that's worth a warning.
3420 if (WARN_ON(!local->started))
3423 if (likely(!(status->flag & RX_FLAG_FAILED_PLCP_CRC))) {
3425 * Validate the rate, unless a PLCP error means that
3426 * we probably can't have a valid rate here anyway.
3429 if (status->flag & RX_FLAG_HT) {
3431 * rate_idx is MCS index, which can be [0-76]
3434 * http://wireless.kernel.org/en/developers/Documentation/ieee80211/802.11n
3436 * Anything else would be some sort of driver or
3437 * hardware error. The driver should catch hardware
3440 if (WARN(status->rate_idx > 76,
3441 "Rate marked as an HT rate but passed "
3442 "status->rate_idx is not "
3443 "an MCS index [0-76]: %d (0x%02x)\n",
3447 } else if (status->flag & RX_FLAG_VHT) {
3448 if (WARN_ONCE(status->rate_idx > 9 ||
3450 status->vht_nss > 8,
3451 "Rate marked as a VHT rate but data is invalid: MCS: %d, NSS: %d\n",
3452 status->rate_idx, status->vht_nss))
3455 if (WARN_ON(status->rate_idx >= sband->n_bitrates))
3457 rate = &sband->bitrates[status->rate_idx];
3461 status->rx_flags = 0;
3464 * key references and virtual interfaces are protected using RCU
3465 * and this requires that we are in a read-side RCU section during
3466 * receive processing
3471 * Frames with failed FCS/PLCP checksum are not returned,
3472 * all other frames are returned without radiotap header
3473 * if it was previously present.
3474 * Also, frames with less than 16 bytes are dropped.
3476 skb = ieee80211_rx_monitor(local, skb, rate);
3482 ieee80211_tpt_led_trig_rx(local,
3483 ((struct ieee80211_hdr *)skb->data)->frame_control,
3485 __ieee80211_rx_handle_packet(hw, skb);
3493 EXPORT_SYMBOL(ieee80211_rx);
3495 /* This is a version of the rx handler that can be called from hard irq
3496 * context. Post the skb on the queue and schedule the tasklet */
3497 void ieee80211_rx_irqsafe(struct ieee80211_hw *hw, struct sk_buff *skb)
3499 struct ieee80211_local *local = hw_to_local(hw);
3501 BUILD_BUG_ON(sizeof(struct ieee80211_rx_status) > sizeof(skb->cb));
3503 skb->pkt_type = IEEE80211_RX_MSG;
3504 skb_queue_tail(&local->skb_queue, skb);
3505 tasklet_schedule(&local->tasklet);
3507 EXPORT_SYMBOL(ieee80211_rx_irqsafe);
projects / cascardo / linux.git / blob