ros_rt_wmp: rx.c Source File

Go to the documentation of this file.
00001 /*
00002  * Copyright 2002-2005, Instant802 Networks, Inc.
00003  * Copyright 2005-2006, Devicescape Software, Inc.
00004  * Copyright 2006-2007  Jiri Benc <jbenc@suse.cz>
00005  * Copyright 2007-2010  Johannes Berg <johannes@sipsolutions.net>
00006  *
00007  * This program is free software; you can redistribute it and/or modify
00008  * it under the terms of the GNU General Public License version 2 as
00009  * published by the Free Software Foundation.
00010  */
00011 
00012 #include <linux/jiffies.h>
00013 #include <linux/slab.h>
00014 #include <linux/kernel.h>
00015 #include <linux/skbuff.h>
00016 #include <linux/netdevice.h>
00017 #include <linux/etherdevice.h>
00018 #include <linux/rcupdate.h>
00019 #include <linux/export.h>
00020 #include <net/mac80211.h>
00021 #include <net/ieee80211_radiotap.h>
00022 #include <asm/unaligned.h>
00023 
00024 #include "ieee80211_i.h"
00025 #include "driver-ops.h"
00026 #include "led.h"
00027 #include "mesh.h"
00028 #include "wep.h"
00029 #include "wpa.h"
00030 #include "tkip.h"
00031 #include "wme.h"
00032 #include "rate.h"
00033 #include "rt_wmp.h"
00034 
00035 /*
00036  * monitor mode reception
00037  *
00038  * This function cleans up the SKB, i.e. it removes all the stuff
00039  * only useful for monitoring.
00040  */
00041 static struct sk_buff *remove_monitor_info(struct ieee80211_local *local,
00042                                            struct sk_buff *skb)
00043 {
00044         if (local->hw.flags & IEEE80211_HW_RX_INCLUDES_FCS) {
00045                 if (likely(skb->len > FCS_LEN))
00046                         __pskb_trim(skb, skb->len - FCS_LEN);
00047                 else {
00048                         /* driver bug */
00049                         WARN_ON(1);
00050                         dev_kfree_skb(skb);
00051                         skb = NULL;
00052                 }
00053         }
00054 
00055         return skb;
00056 }
00057 
00058 static inline int should_drop_frame(struct sk_buff *skb,
00059                                     int present_fcs_len)
00060 {
00061         struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb);
00062         struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)skb->data;
00063 
00064         if (status->flag & (RX_FLAG_FAILED_FCS_CRC | RX_FLAG_FAILED_PLCP_CRC))
00065                 return 1;
00066         if (unlikely(skb->len < 16 + present_fcs_len))
00067                 return 1;
00068         if (ieee80211_is_ctl(hdr->frame_control) &&
00069             !ieee80211_is_pspoll(hdr->frame_control) &&
00070             !ieee80211_is_back_req(hdr->frame_control))
00071                 return 1;
00072         return 0;
00073 }
00074 
00075 static int
00076 ieee80211_rx_radiotap_len(struct ieee80211_local *local,
00077                           struct ieee80211_rx_status *status)
00078 {
00079         int len;
00080 
00081         /* always present fields */
00082         len = sizeof(struct ieee80211_radiotap_header) + 9;
00083 
00084         if (status->flag & RX_FLAG_MACTIME_MPDU)
00085                 len += 8;
00086         if (local->hw.flags & IEEE80211_HW_SIGNAL_DBM)
00087                 len += 1;
00088 
00089         if (len & 1) /* padding for RX_FLAGS if necessary */
00090                 len++;
00091 
00092         if (status->flag & RX_FLAG_HT) /* HT info */
00093                 len += 3;
00094 
00095         return len;
00096 }
00097 
00098 /*
00099  * ieee80211_add_rx_radiotap_header - add radiotap header
00100  *
00101  * add a radiotap header containing all the fields which the hardware provided.
00102  */
00103 static void
00104 ieee80211_add_rx_radiotap_header(struct ieee80211_local *local,
00105                                  struct sk_buff *skb,
00106                                  struct ieee80211_rate *rate,
00107                                  int rtap_len, bool has_fcs)
00108 {
00109         struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb);
00110         struct ieee80211_radiotap_header *rthdr;
00111         unsigned char *pos;
00112         u16 rx_flags = 0;
00113 
00114         rthdr = (struct ieee80211_radiotap_header *)skb_push(skb, rtap_len);
00115         memset(rthdr, 0, rtap_len);
00116 
00117         /* radiotap header, set always present flags */
00118         rthdr->it_present =
00119                 cpu_to_le32((1 << IEEE80211_RADIOTAP_FLAGS) |
00120                             (1 << IEEE80211_RADIOTAP_CHANNEL) |
00121                             (1 << IEEE80211_RADIOTAP_ANTENNA) |
00122                             (1 << IEEE80211_RADIOTAP_RX_FLAGS));
00123         rthdr->it_len = cpu_to_le16(rtap_len);
00124 
00125         pos = (unsigned char *)(rthdr+1);
00126 
00127         /* the order of the following fields is important */
00128 
00129         /* IEEE80211_RADIOTAP_TSFT */
00130         if (status->flag & RX_FLAG_MACTIME_MPDU) {
00131                 put_unaligned_le64(status->mactime, pos);
00132                 rthdr->it_present |=
00133                         cpu_to_le32(1 << IEEE80211_RADIOTAP_TSFT);
00134                 pos += 8;
00135         }
00136 
00137         /* IEEE80211_RADIOTAP_FLAGS */
00138         if (has_fcs && (local->hw.flags & IEEE80211_HW_RX_INCLUDES_FCS))
00139                 *pos |= IEEE80211_RADIOTAP_F_FCS;
00140         if (status->flag & (RX_FLAG_FAILED_FCS_CRC | RX_FLAG_FAILED_PLCP_CRC))
00141                 *pos |= IEEE80211_RADIOTAP_F_BADFCS;
00142         if (status->flag & RX_FLAG_SHORTPRE)
00143                 *pos |= IEEE80211_RADIOTAP_F_SHORTPRE;
00144         pos++;
00145 
00146         /* IEEE80211_RADIOTAP_RATE */
00147         if (!rate || status->flag & RX_FLAG_HT) {
00148                 /*
00149                  * Without rate information don't add it. If we have,
00150                  * MCS information is a separate field in radiotap,
00151                  * added below. The byte here is needed as padding
00152                  * for the channel though, so initialise it to 0.
00153                  */
00154                 *pos = 0;
00155         } else {
00156                 rthdr->it_present |= cpu_to_le32(1 << IEEE80211_RADIOTAP_RATE);
00157                 *pos = rate->bitrate / 5;
00158         }
00159         pos++;
00160 
00161         /* IEEE80211_RADIOTAP_CHANNEL */
00162         put_unaligned_le16(status->freq, pos);
00163         pos += 2;
00164         if (status->band == IEEE80211_BAND_5GHZ)
00165                 put_unaligned_le16(IEEE80211_CHAN_OFDM | IEEE80211_CHAN_5GHZ,
00166                                    pos);
00167         else if (status->flag & RX_FLAG_HT)
00168                 put_unaligned_le16(IEEE80211_CHAN_DYN | IEEE80211_CHAN_2GHZ,
00169                                    pos);
00170         else if (rate && rate->flags & IEEE80211_RATE_ERP_G)
00171                 put_unaligned_le16(IEEE80211_CHAN_OFDM | IEEE80211_CHAN_2GHZ,
00172                                    pos);
00173         else if (rate)
00174                 put_unaligned_le16(IEEE80211_CHAN_CCK | IEEE80211_CHAN_2GHZ,
00175                                    pos);
00176         else
00177                 put_unaligned_le16(IEEE80211_CHAN_2GHZ, pos);
00178         pos += 2;
00179 
00180         /* IEEE80211_RADIOTAP_DBM_ANTSIGNAL */
00181         if (local->hw.flags & IEEE80211_HW_SIGNAL_DBM &&
00182             !(status->flag & RX_FLAG_NO_SIGNAL_VAL)) {
00183                 *pos = status->signal;
00184                 rthdr->it_present |=
00185                         cpu_to_le32(1 << IEEE80211_RADIOTAP_DBM_ANTSIGNAL);
00186                 pos++;
00187         }
00188 
00189         /* IEEE80211_RADIOTAP_LOCK_QUALITY is missing */
00190 
00191         /* IEEE80211_RADIOTAP_ANTENNA */
00192         *pos = status->antenna;
00193         pos++;
00194 
00195         /* IEEE80211_RADIOTAP_DB_ANTNOISE is not used */
00196 
00197         /* IEEE80211_RADIOTAP_RX_FLAGS */
00198         /* ensure 2 byte alignment for the 2 byte field as required */
00199         if ((pos - (u8 *)rthdr) & 1)
00200                 pos++;
00201         if (status->flag & RX_FLAG_FAILED_PLCP_CRC)
00202                 rx_flags |= IEEE80211_RADIOTAP_F_RX_BADPLCP;
00203         put_unaligned_le16(rx_flags, pos);
00204         pos += 2;
00205 
00206         if (status->flag & RX_FLAG_HT) {
00207                 rthdr->it_present |= cpu_to_le32(1 << IEEE80211_RADIOTAP_MCS);
00208                 *pos++ = local->hw.radiotap_mcs_details;
00209                 *pos = 0;
00210                 if (status->flag & RX_FLAG_SHORT_GI)
00211                         *pos |= IEEE80211_RADIOTAP_MCS_SGI;
00212                 if (status->flag & RX_FLAG_40MHZ)
00213                         *pos |= IEEE80211_RADIOTAP_MCS_BW_40;
00214                 if (status->flag & RX_FLAG_HT_GF)
00215                         *pos |= IEEE80211_RADIOTAP_MCS_FMT_GF;
00216                 pos++;
00217                 *pos++ = status->rate_idx;
00218         }
00219 }
00220 
00221 /*
00222  * This function copies a received frame to all monitor interfaces and
00223  * returns a cleaned-up SKB that no longer includes the FCS nor the
00224  * radiotap header the driver might have added.
00225  */
00226 static struct sk_buff *
00227 ieee80211_rx_monitor(struct ieee80211_local *local, struct sk_buff *origskb,
00228                      struct ieee80211_rate *rate)
00229 {
00230         struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(origskb);
00231         struct ieee80211_sub_if_data *sdata;
00232         int needed_headroom;
00233         struct sk_buff *skb, *skb2;
00234         struct net_device *prev_dev = NULL;
00235         int present_fcs_len = 0;
00236 
00237         /*
00238          * First, we may need to make a copy of the skb because
00239          *  (1) we need to modify it for radiotap (if not present), and
00240          *  (2) the other RX handlers will modify the skb we got.
00241          *
00242          * We don't need to, of course, if we aren't going to return
00243          * the SKB because it has a bad FCS/PLCP checksum.
00244          */
00245 
00246         /* room for the radiotap header based on driver features */
00247         needed_headroom = ieee80211_rx_radiotap_len(local, status);
00248 
00249         if (local->hw.flags & IEEE80211_HW_RX_INCLUDES_FCS)
00250                 present_fcs_len = FCS_LEN;
00251 
00252         /* make sure hdr->frame_control is on the linear part */
00253         if (!pskb_may_pull(origskb, 2)) {
00254                 dev_kfree_skb(origskb);
00255                 return NULL;
00256         }
00257 
00258 
00259         /* DANILO */
00260         if (rt_wmp_is_active()){
00261                 struct sk_buff * skb3;
00262                 skb3 = skb_copy_expand(origskb, needed_headroom, 0, GFP_ATOMIC);
00263                 skb3 = remove_monitor_info(local, skb3);
00264                 ieee80211_add_rx_radiotap_header(local, skb3, rate, needed_headroom,1);
00265                 //skb3->dev = sdata->dev;
00266                 //printk(KERN_ERR "DEV:%p\n", prev_dev);
00267                 rt_wmp_netif_receive_skb(skb3,status->signal);
00268         }
00269         /* DANILO */
00270 
00271         if (!local->monitors) {
00272                 if (should_drop_frame(origskb, present_fcs_len)) {
00273                         dev_kfree_skb(origskb);
00274                         return NULL;
00275                 }
00276 
00277                 return remove_monitor_info(local, origskb);
00278         }
00279 
00280         if (should_drop_frame(origskb, present_fcs_len)) {
00281                 /* only need to expand headroom if necessary */
00282                 skb = origskb;
00283                 origskb = NULL;
00284 
00285                 /*
00286                  * This shouldn't trigger often because most devices have an
00287                  * RX header they pull before we get here, and that should
00288                  * be big enough for our radiotap information. We should
00289                  * probably export the length to drivers so that we can have
00290                  * them allocate enough headroom to start with.
00291                  */
00292                 if (skb_headroom(skb) < needed_headroom &&
00293                     pskb_expand_head(skb, needed_headroom, 0, GFP_ATOMIC)) {
00294                         dev_kfree_skb(skb);
00295                         return NULL;
00296                 }
00297         } else {
00298                 /*
00299                  * Need to make a copy and possibly remove radiotap header
00300                  * and FCS from the original.
00301                  */
00302                 skb = skb_copy_expand(origskb, needed_headroom, 0, GFP_ATOMIC);
00303 
00304                 origskb = remove_monitor_info(local, origskb);
00305 
00306                 if (!skb)
00307                         return origskb;
00308         }
00309 
00310         /* prepend radiotap information */
00311         ieee80211_add_rx_radiotap_header(local, skb, rate, needed_headroom,
00312                                          true);
00313 
00314         skb_reset_mac_header(skb);
00315         skb->ip_summed = CHECKSUM_UNNECESSARY;
00316         skb->pkt_type = PACKET_OTHERHOST;
00317         skb->protocol = htons(ETH_P_802_2);
00318 
00319         list_for_each_entry_rcu(sdata, &local->interfaces, list) {
00320                 if (sdata->vif.type != NL80211_IFTYPE_MONITOR)
00321                         continue;
00322 
00323                 if (sdata->u.mntr_flags & MONITOR_FLAG_COOK_FRAMES)
00324                         continue;
00325 
00326                 if (!ieee80211_sdata_running(sdata))
00327                         continue;
00328 
00329                 if (prev_dev) {
00330                         skb2 = skb_clone(skb, GFP_ATOMIC);
00331                         if (skb2) {
00332                                 skb2->dev = prev_dev;
00333                                 netif_receive_skb(skb2);
00334                         }
00335                 }
00336 
00337                 prev_dev = sdata->dev;
00338                 sdata->dev->stats.rx_packets++;
00339                 sdata->dev->stats.rx_bytes += skb->len;
00340         }
00341 
00342         if (prev_dev) {
00343                 skb->dev = prev_dev;
00344                 netif_receive_skb(skb);
00345         } else
00346                 dev_kfree_skb(skb);
00347 
00348         return origskb;
00349 }
00350 
00351 
00352 static void ieee80211_parse_qos(struct ieee80211_rx_data *rx)
00353 {
00354         struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)rx->skb->data;
00355         struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(rx->skb);
00356         int tid, seqno_idx, security_idx;
00357 
00358         /* does the frame have a qos control field? */
00359         if (ieee80211_is_data_qos(hdr->frame_control)) {
00360                 u8 *qc = ieee80211_get_qos_ctl(hdr);
00361                 /* frame has qos control */
00362                 tid = *qc & IEEE80211_QOS_CTL_TID_MASK;
00363                 if (*qc & IEEE80211_QOS_CTL_A_MSDU_PRESENT)
00364                         status->rx_flags |= IEEE80211_RX_AMSDU;
00365 
00366                 seqno_idx = tid;
00367                 security_idx = tid;
00368         } else {
00369                 /*
00370                  * IEEE 802.11-2007, 7.1.3.4.1 ("Sequence Number field"):
00371                  *
00372                  *      Sequence numbers for management frames, QoS data
00373                  *      frames with a broadcast/multicast address in the
00374                  *      Address 1 field, and all non-QoS data frames sent
00375                  *      by QoS STAs are assigned using an additional single
00376                  *      modulo-4096 counter, [...]
00377                  *
00378                  * We also use that counter for non-QoS STAs.
00379                  */
00380                 seqno_idx = NUM_RX_DATA_QUEUES;
00381                 security_idx = 0;
00382                 if (ieee80211_is_mgmt(hdr->frame_control))
00383                         security_idx = NUM_RX_DATA_QUEUES;
00384                 tid = 0;
00385         }
00386 
00387         rx->seqno_idx = seqno_idx;
00388         rx->security_idx = security_idx;
00389         /* Set skb->priority to 1d tag if highest order bit of TID is not set.
00390          * For now, set skb->priority to 0 for other cases. */
00391         rx->skb->priority = (tid > 7) ? 0 : tid;
00392 }
00393 
00419 static void ieee80211_verify_alignment(struct ieee80211_rx_data *rx)
00420 {
00421 #ifdef CONFIG_MAC80211_VERBOSE_DEBUG
00422         WARN_ONCE((unsigned long)rx->skb->data & 1,
00423                   "unaligned packet at 0x%p\n", rx->skb->data);
00424 #endif
00425 }
00426 
00427 
00428 /* rx handlers */
00429 
00430 static ieee80211_rx_result debug_noinline
00431 ieee80211_rx_h_passive_scan(struct ieee80211_rx_data *rx)
00432 {
00433         struct ieee80211_local *local = rx->local;
00434         struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(rx->skb);
00435         struct sk_buff *skb = rx->skb;
00436 
00437         if (likely(!(status->rx_flags & IEEE80211_RX_IN_SCAN) &&
00438                    !local->sched_scanning))
00439                 return RX_CONTINUE;
00440 
00441         if (test_bit(SCAN_HW_SCANNING, &local->scanning) ||
00442             test_bit(SCAN_SW_SCANNING, &local->scanning) ||
00443             test_bit(SCAN_ONCHANNEL_SCANNING, &local->scanning) ||
00444             local->sched_scanning)
00445                 return ieee80211_scan_rx(rx->sdata, skb);
00446 
00447         /* scanning finished during invoking of handlers */
00448         I802_DEBUG_INC(local->rx_handlers_drop_passive_scan);
00449         return RX_DROP_UNUSABLE;
00450 }
00451 
00452 
00453 static int ieee80211_is_unicast_robust_mgmt_frame(struct sk_buff *skb)
00454 {
00455         struct ieee80211_hdr *hdr = (struct ieee80211_hdr *) skb->data;
00456 
00457         if (skb->len < 24 || is_multicast_ether_addr(hdr->addr1))
00458                 return 0;
00459 
00460         return ieee80211_is_robust_mgmt_frame(hdr);
00461 }
00462 
00463 
00464 static int ieee80211_is_multicast_robust_mgmt_frame(struct sk_buff *skb)
00465 {
00466         struct ieee80211_hdr *hdr = (struct ieee80211_hdr *) skb->data;
00467 
00468         if (skb->len < 24 || !is_multicast_ether_addr(hdr->addr1))
00469                 return 0;
00470 
00471         return ieee80211_is_robust_mgmt_frame(hdr);
00472 }
00473 
00474 
00475 /* Get the BIP key index from MMIE; return -1 if this is not a BIP frame */
00476 static int ieee80211_get_mmie_keyidx(struct sk_buff *skb)
00477 {
00478         struct ieee80211_mgmt *hdr = (struct ieee80211_mgmt *) skb->data;
00479         struct ieee80211_mmie *mmie;
00480 
00481         if (skb->len < 24 + sizeof(*mmie) ||
00482             !is_multicast_ether_addr(hdr->da))
00483                 return -1;
00484 
00485         if (!ieee80211_is_robust_mgmt_frame((struct ieee80211_hdr *) hdr))
00486                 return -1; /* not a robust management frame */
00487 
00488         mmie = (struct ieee80211_mmie *)
00489                 (skb->data + skb->len - sizeof(*mmie));
00490         if (mmie->element_id != WLAN_EID_MMIE ||
00491             mmie->length != sizeof(*mmie) - 2)
00492                 return -1;
00493 
00494         return le16_to_cpu(mmie->key_id);
00495 }
00496 
00497 
00498 static ieee80211_rx_result
00499 ieee80211_rx_mesh_check(struct ieee80211_rx_data *rx)
00500 {
00501         struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)rx->skb->data;
00502         char *dev_addr = rx->sdata->vif.addr;
00503 
00504         if (ieee80211_is_data(hdr->frame_control)) {
00505                 if (is_multicast_ether_addr(hdr->addr1)) {
00506                         if (ieee80211_has_tods(hdr->frame_control) ||
00507                                 !ieee80211_has_fromds(hdr->frame_control))
00508                                 return RX_DROP_MONITOR;
00509                         if (ether_addr_equal(hdr->addr3, dev_addr))
00510                                 return RX_DROP_MONITOR;
00511                 } else {
00512                         if (!ieee80211_has_a4(hdr->frame_control))
00513                                 return RX_DROP_MONITOR;
00514                         if (ether_addr_equal(hdr->addr4, dev_addr))
00515                                 return RX_DROP_MONITOR;
00516                 }
00517         }
00518 
00519         /* If there is not an established peer link and this is not a peer link
00520          * establisment frame, beacon or probe, drop the frame.
00521          */
00522 
00523         if (!rx->sta || sta_plink_state(rx->sta) != NL80211_PLINK_ESTAB) {
00524                 struct ieee80211_mgmt *mgmt;
00525 
00526                 if (!ieee80211_is_mgmt(hdr->frame_control))
00527                         return RX_DROP_MONITOR;
00528 
00529                 if (ieee80211_is_action(hdr->frame_control)) {
00530                         u8 category;
00531                         mgmt = (struct ieee80211_mgmt *)hdr;
00532                         category = mgmt->u.action.category;
00533                         if (category != WLAN_CATEGORY_MESH_ACTION &&
00534                                 category != WLAN_CATEGORY_SELF_PROTECTED)
00535                                 return RX_DROP_MONITOR;
00536                         return RX_CONTINUE;
00537                 }
00538 
00539                 if (ieee80211_is_probe_req(hdr->frame_control) ||
00540                     ieee80211_is_probe_resp(hdr->frame_control) ||
00541                     ieee80211_is_beacon(hdr->frame_control) ||
00542                     ieee80211_is_auth(hdr->frame_control))
00543                         return RX_CONTINUE;
00544 
00545                 return RX_DROP_MONITOR;
00546 
00547         }
00548 
00549         return RX_CONTINUE;
00550 }
00551 
00552 #define SEQ_MODULO 0x1000
00553 #define SEQ_MASK   0xfff
00554 
00555 static inline int seq_less(u16 sq1, u16 sq2)
00556 {
00557         return ((sq1 - sq2) & SEQ_MASK) > (SEQ_MODULO >> 1);
00558 }
00559 
00560 static inline u16 seq_inc(u16 sq)
00561 {
00562         return (sq + 1) & SEQ_MASK;
00563 }
00564 
00565 static inline u16 seq_sub(u16 sq1, u16 sq2)
00566 {
00567         return (sq1 - sq2) & SEQ_MASK;
00568 }
00569 
00570 
00571 static void ieee80211_release_reorder_frame(struct ieee80211_hw *hw,
00572                                             struct tid_ampdu_rx *tid_agg_rx,
00573                                             int index)
00574 {
00575         struct ieee80211_local *local = hw_to_local(hw);
00576         struct sk_buff *skb = tid_agg_rx->reorder_buf[index];
00577         struct ieee80211_rx_status *status;
00578 
00579         lockdep_assert_held(&tid_agg_rx->reorder_lock);
00580 
00581         if (!skb)
00582                 goto no_frame;
00583 
00584         /* release the frame from the reorder ring buffer */
00585         tid_agg_rx->stored_mpdu_num--;
00586         tid_agg_rx->reorder_buf[index] = NULL;
00587         status = IEEE80211_SKB_RXCB(skb);
00588         status->rx_flags |= IEEE80211_RX_DEFERRED_RELEASE;
00589         skb_queue_tail(&local->rx_skb_queue, skb);
00590 
00591 no_frame:
00592         tid_agg_rx->head_seq_num = seq_inc(tid_agg_rx->head_seq_num);
00593 }
00594 
00595 static void ieee80211_release_reorder_frames(struct ieee80211_hw *hw,
00596                                              struct tid_ampdu_rx *tid_agg_rx,
00597                                              u16 head_seq_num)
00598 {
00599         int index;
00600 
00601         lockdep_assert_held(&tid_agg_rx->reorder_lock);
00602 
00603         while (seq_less(tid_agg_rx->head_seq_num, head_seq_num)) {
00604                 index = seq_sub(tid_agg_rx->head_seq_num, tid_agg_rx->ssn) %
00605                                                         tid_agg_rx->buf_size;
00606                 ieee80211_release_reorder_frame(hw, tid_agg_rx, index);
00607         }
00608 }
00609 
00610 /*
00611  * Timeout (in jiffies) for skb's that are waiting in the RX reorder buffer. If
00612  * the skb was added to the buffer longer than this time ago, the earlier
00613  * frames that have not yet been received are assumed to be lost and the skb
00614  * can be released for processing. This may also release other skb's from the
00615  * reorder buffer if there are no additional gaps between the frames.
00616  *
00617  * Callers must hold tid_agg_rx->reorder_lock.
00618  */
00619 #define HT_RX_REORDER_BUF_TIMEOUT (HZ / 10)
00620 
00621 static void ieee80211_sta_reorder_release(struct ieee80211_hw *hw,
00622                                           struct tid_ampdu_rx *tid_agg_rx)
00623 {
00624         int index, j;
00625 
00626         lockdep_assert_held(&tid_agg_rx->reorder_lock);
00627 
00628         /* release the buffer until next missing frame */
00629         index = seq_sub(tid_agg_rx->head_seq_num, tid_agg_rx->ssn) %
00630                                                 tid_agg_rx->buf_size;
00631         if (!tid_agg_rx->reorder_buf[index] &&
00632             tid_agg_rx->stored_mpdu_num) {
00633                 /*
00634                  * No buffers ready to be released, but check whether any
00635                  * frames in the reorder buffer have timed out.
00636                  */
00637                 int skipped = 1;
00638                 for (j = (index + 1) % tid_agg_rx->buf_size; j != index;
00639                      j = (j + 1) % tid_agg_rx->buf_size) {
00640                         if (!tid_agg_rx->reorder_buf[j]) {
00641                                 skipped++;
00642                                 continue;
00643                         }
00644                         if (skipped &&
00645                             !time_after(jiffies, tid_agg_rx->reorder_time[j] +
00646                                         HT_RX_REORDER_BUF_TIMEOUT))
00647                                 goto set_release_timer;
00648 
00649 #ifdef CONFIG_MAC80211_HT_DEBUG
00650                         if (net_ratelimit())
00651                                 wiphy_debug(hw->wiphy,
00652                                             "release an RX reorder frame due to timeout on earlier frames\n");
00653 #endif
00654                         ieee80211_release_reorder_frame(hw, tid_agg_rx, j);
00655 
00656                         /*
00657                          * Increment the head seq# also for the skipped slots.
00658                          */
00659                         tid_agg_rx->head_seq_num =
00660                                 (tid_agg_rx->head_seq_num + skipped) & SEQ_MASK;
00661                         skipped = 0;
00662                 }
00663         } else while (tid_agg_rx->reorder_buf[index]) {
00664                 ieee80211_release_reorder_frame(hw, tid_agg_rx, index);
00665                 index = seq_sub(tid_agg_rx->head_seq_num, tid_agg_rx->ssn) %
00666                                                         tid_agg_rx->buf_size;
00667         }
00668 
00669         if (tid_agg_rx->stored_mpdu_num) {
00670                 j = index = seq_sub(tid_agg_rx->head_seq_num,
00671                                     tid_agg_rx->ssn) % tid_agg_rx->buf_size;
00672 
00673                 for (; j != (index - 1) % tid_agg_rx->buf_size;
00674                      j = (j + 1) % tid_agg_rx->buf_size) {
00675                         if (tid_agg_rx->reorder_buf[j])
00676                                 break;
00677                 }
00678 
00679  set_release_timer:
00680 
00681                 mod_timer(&tid_agg_rx->reorder_timer,
00682                           tid_agg_rx->reorder_time[j] + 1 +
00683                           HT_RX_REORDER_BUF_TIMEOUT);
00684         } else {
00685                 del_timer(&tid_agg_rx->reorder_timer);
00686         }
00687 }
00688 
00689 /*
00690  * As this function belongs to the RX path it must be under
00691  * rcu_read_lock protection. It returns false if the frame
00692  * can be processed immediately, true if it was consumed.
00693  */
00694 static bool ieee80211_sta_manage_reorder_buf(struct ieee80211_hw *hw,
00695                                              struct tid_ampdu_rx *tid_agg_rx,
00696                                              struct sk_buff *skb)
00697 {
00698         struct ieee80211_hdr *hdr = (struct ieee80211_hdr *) skb->data;
00699         u16 sc = le16_to_cpu(hdr->seq_ctrl);
00700         u16 mpdu_seq_num = (sc & IEEE80211_SCTL_SEQ) >> 4;
00701         u16 head_seq_num, buf_size;
00702         int index;
00703         bool ret = true;
00704 
00705         spin_lock(&tid_agg_rx->reorder_lock);
00706 
00707         buf_size = tid_agg_rx->buf_size;
00708         head_seq_num = tid_agg_rx->head_seq_num;
00709 
00710         /* frame with out of date sequence number */
00711         if (seq_less(mpdu_seq_num, head_seq_num)) {
00712                 dev_kfree_skb(skb);
00713                 goto out;
00714         }
00715 
00716         /*
00717          * If frame the sequence number exceeds our buffering window
00718          * size release some previous frames to make room for this one.
00719          */
00720         if (!seq_less(mpdu_seq_num, head_seq_num + buf_size)) {
00721                 head_seq_num = seq_inc(seq_sub(mpdu_seq_num, buf_size));
00722                 /* release stored frames up to new head to stack */
00723                 ieee80211_release_reorder_frames(hw, tid_agg_rx, head_seq_num);
00724         }
00725 
00726         /* Now the new frame is always in the range of the reordering buffer */
00727 
00728         index = seq_sub(mpdu_seq_num, tid_agg_rx->ssn) % tid_agg_rx->buf_size;
00729 
00730         /* check if we already stored this frame */
00731         if (tid_agg_rx->reorder_buf[index]) {
00732                 dev_kfree_skb(skb);
00733                 goto out;
00734         }
00735 
00736         /*
00737          * If the current MPDU is in the right order and nothing else
00738          * is stored we can process it directly, no need to buffer it.
00739          * If it is first but there's something stored, we may be able
00740          * to release frames after this one.
00741          */
00742         if (mpdu_seq_num == tid_agg_rx->head_seq_num &&
00743             tid_agg_rx->stored_mpdu_num == 0) {
00744                 tid_agg_rx->head_seq_num = seq_inc(tid_agg_rx->head_seq_num);
00745                 ret = false;
00746                 goto out;
00747         }
00748 
00749         /* put the frame in the reordering buffer */
00750         tid_agg_rx->reorder_buf[index] = skb;
00751         tid_agg_rx->reorder_time[index] = jiffies;
00752         tid_agg_rx->stored_mpdu_num++;
00753         ieee80211_sta_reorder_release(hw, tid_agg_rx);
00754 
00755  out:
00756         spin_unlock(&tid_agg_rx->reorder_lock);
00757         return ret;
00758 }
00759 
00760 /*
00761  * Reorder MPDUs from A-MPDUs, keeping them on a buffer. Returns
00762  * true if the MPDU was buffered, false if it should be processed.
00763  */
00764 static void ieee80211_rx_reorder_ampdu(struct ieee80211_rx_data *rx)
00765 {
00766         struct sk_buff *skb = rx->skb;
00767         struct ieee80211_local *local = rx->local;
00768         struct ieee80211_hw *hw = &local->hw;
00769         struct ieee80211_hdr *hdr = (struct ieee80211_hdr *) skb->data;
00770         struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb);
00771         struct sta_info *sta = rx->sta;
00772         struct tid_ampdu_rx *tid_agg_rx;
00773         u16 sc;
00774         u8 tid, ack_policy;
00775 
00776         if (!ieee80211_is_data_qos(hdr->frame_control))
00777                 goto dont_reorder;
00778 
00779         /*
00780          * filter the QoS data rx stream according to
00781          * STA/TID and check if this STA/TID is on aggregation
00782          */
00783 
00784         if (!sta)
00785                 goto dont_reorder;
00786 
00787         ack_policy = *ieee80211_get_qos_ctl(hdr) &
00788                      IEEE80211_QOS_CTL_ACK_POLICY_MASK;
00789         tid = *ieee80211_get_qos_ctl(hdr) & IEEE80211_QOS_CTL_TID_MASK;
00790 
00791         tid_agg_rx = rcu_dereference(sta->ampdu_mlme.tid_rx[tid]);
00792         if (!tid_agg_rx)
00793                 goto dont_reorder;
00794 
00795         /* qos null data frames are excluded */
00796         if (unlikely(hdr->frame_control & cpu_to_le16(IEEE80211_STYPE_NULLFUNC)))
00797                 goto dont_reorder;
00798 
00799         /* not part of a BA session */
00800         if (ack_policy != IEEE80211_QOS_CTL_ACK_POLICY_BLOCKACK &&
00801             ack_policy != IEEE80211_QOS_CTL_ACK_POLICY_NORMAL)
00802                 goto dont_reorder;
00803 
00804         /* not actually part of this BA session */
00805         if (!(status->rx_flags & IEEE80211_RX_RA_MATCH))
00806                 goto dont_reorder;
00807 
00808         /* new, potentially un-ordered, ampdu frame - process it */
00809 
00810         /* reset session timer */
00811         if (tid_agg_rx->timeout)
00812                 tid_agg_rx->last_rx = jiffies;
00813 
00814         /* if this mpdu is fragmented - terminate rx aggregation session */
00815         sc = le16_to_cpu(hdr->seq_ctrl);
00816         if (sc & IEEE80211_SCTL_FRAG) {
00817                 skb->pkt_type = IEEE80211_SDATA_QUEUE_TYPE_FRAME;
00818                 skb_queue_tail(&rx->sdata->skb_queue, skb);
00819                 ieee80211_queue_work(&local->hw, &rx->sdata->work);
00820                 return;
00821         }
00822 
00823         /*
00824          * No locking needed -- we will only ever process one
00825          * RX packet at a time, and thus own tid_agg_rx. All
00826          * other code manipulating it needs to (and does) make
00827          * sure that we cannot get to it any more before doing
00828          * anything with it.
00829          */
00830         if (ieee80211_sta_manage_reorder_buf(hw, tid_agg_rx, skb))
00831                 return;
00832 
00833  dont_reorder:
00834         skb_queue_tail(&local->rx_skb_queue, skb);
00835 }
00836 
00837 static ieee80211_rx_result debug_noinline
00838 ieee80211_rx_h_check(struct ieee80211_rx_data *rx)
00839 {
00840         struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)rx->skb->data;
00841         struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(rx->skb);
00842 
00843         /* Drop duplicate 802.11 retransmissions (IEEE 802.11 Chap. 9.2.9) */
00844         if (rx->sta && !is_multicast_ether_addr(hdr->addr1)) {
00845                 if (unlikely(ieee80211_has_retry(hdr->frame_control) &&
00846                              rx->sta->last_seq_ctrl[rx->seqno_idx] ==
00847                              hdr->seq_ctrl)) {
00848                         if (status->rx_flags & IEEE80211_RX_RA_MATCH) {
00849                                 rx->local->dot11FrameDuplicateCount++;
00850                                 rx->sta->num_duplicates++;
00851                         }
00852                         return RX_DROP_UNUSABLE;
00853                 } else
00854                         rx->sta->last_seq_ctrl[rx->seqno_idx] = hdr->seq_ctrl;
00855         }
00856 
00857         if (unlikely(rx->skb->len < 16)) {
00858                 I802_DEBUG_INC(rx->local->rx_handlers_drop_short);
00859                 return RX_DROP_MONITOR;
00860         }
00861 
00862         /* Drop disallowed frame classes based on STA auth/assoc state;
00863          * IEEE 802.11, Chap 5.5.
00864          *
00865          * mac80211 filters only based on association state, i.e. it drops
00866          * Class 3 frames from not associated stations. hostapd sends
00867          * deauth/disassoc frames when needed. In addition, hostapd is
00868          * responsible for filtering on both auth and assoc states.
00869          */
00870 
00871         if (ieee80211_vif_is_mesh(&rx->sdata->vif))
00872                 return ieee80211_rx_mesh_check(rx);
00873 
00874         if (unlikely((ieee80211_is_data(hdr->frame_control) ||
00875                       ieee80211_is_pspoll(hdr->frame_control)) &&
00876                      rx->sdata->vif.type != NL80211_IFTYPE_ADHOC &&
00877                      rx->sdata->vif.type != NL80211_IFTYPE_WDS &&
00878                      (!rx->sta || !test_sta_flag(rx->sta, WLAN_STA_ASSOC)))) {
00879                 /*
00880                  * accept port control frames from the AP even when it's not
00881                  * yet marked ASSOC to prevent a race where we don't set the
00882                  * assoc bit quickly enough before it sends the first frame
00883                  */
00884                 if (rx->sta && rx->sdata->vif.type == NL80211_IFTYPE_STATION &&
00885                     ieee80211_is_data_present(hdr->frame_control)) {
00886                         u16 ethertype;
00887                         u8 *payload;
00888 
00889                         payload = rx->skb->data +
00890                                 ieee80211_hdrlen(hdr->frame_control);
00891                         ethertype = (payload[6] << 8) | payload[7];
00892                         if (cpu_to_be16(ethertype) ==
00893                             rx->sdata->control_port_protocol)
00894                                 return RX_CONTINUE;
00895                 }
00896 
00897                 if (rx->sdata->vif.type == NL80211_IFTYPE_AP &&
00898                     cfg80211_rx_spurious_frame(rx->sdata->dev,
00899                                                hdr->addr2,
00900                                                GFP_ATOMIC))
00901                         return RX_DROP_UNUSABLE;
00902 
00903                 return RX_DROP_MONITOR;
00904         }
00905 
00906         return RX_CONTINUE;
00907 }
00908 
00909 
00910 static ieee80211_rx_result debug_noinline
00911 ieee80211_rx_h_decrypt(struct ieee80211_rx_data *rx)
00912 {
00913         struct sk_buff *skb = rx->skb;
00914         struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb);
00915         struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)skb->data;
00916         int keyidx;
00917         int hdrlen;
00918         ieee80211_rx_result result = RX_DROP_UNUSABLE;
00919         struct ieee80211_key *sta_ptk = NULL;
00920         int mmie_keyidx = -1;
00921         __le16 fc;
00922 
00923         /*
00924          * Key selection 101
00925          *
00926          * There are four types of keys:
00927          *  - GTK (group keys)
00928          *  - IGTK (group keys for management frames)
00929          *  - PTK (pairwise keys)
00930          *  - STK (station-to-station pairwise keys)
00931          *
00932          * When selecting a key, we have to distinguish between multicast
00933          * (including broadcast) and unicast frames, the latter can only
00934          * use PTKs and STKs while the former always use GTKs and IGTKs.
00935          * Unless, of course, actual WEP keys ("pre-RSNA") are used, then
00936          * unicast frames can also use key indices like GTKs. Hence, if we
00937          * don't have a PTK/STK we check the key index for a WEP key.
00938          *
00939          * Note that in a regular BSS, multicast frames are sent by the
00940          * AP only, associated stations unicast the frame to the AP first
00941          * which then multicasts it on their behalf.
00942          *
00943          * There is also a slight problem in IBSS mode: GTKs are negotiated
00944          * with each station, that is something we don't currently handle.
00945          * The spec seems to expect that one negotiates the same key with
00946          * every station but there's no such requirement; VLANs could be
00947          * possible.
00948          */
00949 
00950         /*
00951          * No point in finding a key and decrypting if the frame is neither
00952          * addressed to us nor a multicast frame.
00953          */
00954         if (!(status->rx_flags & IEEE80211_RX_RA_MATCH))
00955                 return RX_CONTINUE;
00956 
00957         /* start without a key */
00958         rx->key = NULL;
00959 
00960         if (rx->sta)
00961                 sta_ptk = rcu_dereference(rx->sta->ptk);
00962 
00963         fc = hdr->frame_control;
00964 
00965         if (!ieee80211_has_protected(fc))
00966                 mmie_keyidx = ieee80211_get_mmie_keyidx(rx->skb);
00967 
00968         if (!is_multicast_ether_addr(hdr->addr1) && sta_ptk) {
00969                 rx->key = sta_ptk;
00970                 if ((status->flag & RX_FLAG_DECRYPTED) &&
00971                     (status->flag & RX_FLAG_IV_STRIPPED))
00972                         return RX_CONTINUE;
00973                 /* Skip decryption if the frame is not protected. */
00974                 if (!ieee80211_has_protected(fc))
00975                         return RX_CONTINUE;
00976         } else if (mmie_keyidx >= 0) {
00977                 /* Broadcast/multicast robust management frame / BIP */
00978                 if ((status->flag & RX_FLAG_DECRYPTED) &&
00979                     (status->flag & RX_FLAG_IV_STRIPPED))
00980                         return RX_CONTINUE;
00981 
00982                 if (mmie_keyidx < NUM_DEFAULT_KEYS ||
00983                     mmie_keyidx >= NUM_DEFAULT_KEYS + NUM_DEFAULT_MGMT_KEYS)
00984                         return RX_DROP_MONITOR; /* unexpected BIP keyidx */
00985                 if (rx->sta)
00986                         rx->key = rcu_dereference(rx->sta->gtk[mmie_keyidx]);
00987                 if (!rx->key)
00988                         rx->key = rcu_dereference(rx->sdata->keys[mmie_keyidx]);
00989         } else if (!ieee80211_has_protected(fc)) {
00990                 /*
00991                  * The frame was not protected, so skip decryption. However, we
00992                  * need to set rx->key if there is a key that could have been
00993                  * used so that the frame may be dropped if encryption would
00994                  * have been expected.
00995                  */
00996                 struct ieee80211_key *key = NULL;
00997                 struct ieee80211_sub_if_data *sdata = rx->sdata;
00998                 int i;
00999 
01000                 if (ieee80211_is_mgmt(fc) &&
01001                     is_multicast_ether_addr(hdr->addr1) &&
01002                     (key = rcu_dereference(rx->sdata->default_mgmt_key)))
01003                         rx->key = key;
01004                 else {
01005                         if (rx->sta) {
01006                                 for (i = 0; i < NUM_DEFAULT_KEYS; i++) {
01007                                         key = rcu_dereference(rx->sta->gtk[i]);
01008                                         if (key)
01009                                                 break;
01010                                 }
01011                         }
01012                         if (!key) {
01013                                 for (i = 0; i < NUM_DEFAULT_KEYS; i++) {
01014                                         key = rcu_dereference(sdata->keys[i]);
01015                                         if (key)
01016                                                 break;
01017                                 }
01018                         }
01019                         if (key)
01020                                 rx->key = key;
01021                 }
01022                 return RX_CONTINUE;
01023         } else {
01024                 u8 keyid;
01025                 /*
01026                  * The device doesn't give us the IV so we won't be
01027                  * able to look up the key. That's ok though, we
01028                  * don't need to decrypt the frame, we just won't
01029                  * be able to keep statistics accurate.
01030                  * Except for key threshold notifications, should
01031                  * we somehow allow the driver to tell us which key
01032                  * the hardware used if this flag is set?
01033                  */
01034                 if ((status->flag & RX_FLAG_DECRYPTED) &&
01035                     (status->flag & RX_FLAG_IV_STRIPPED))
01036                         return RX_CONTINUE;
01037 
01038                 hdrlen = ieee80211_hdrlen(fc);
01039 
01040                 if (rx->skb->len < 8 + hdrlen)
01041                         return RX_DROP_UNUSABLE; /* TODO: count this? */
01042 
01043                 /*
01044                  * no need to call ieee80211_wep_get_keyidx,
01045                  * it verifies a bunch of things we've done already
01046                  */
01047                 skb_copy_bits(rx->skb, hdrlen + 3, &keyid, 1);
01048                 keyidx = keyid >> 6;
01049 
01050                 /* check per-station GTK first, if multicast packet */
01051                 if (is_multicast_ether_addr(hdr->addr1) && rx->sta)
01052                         rx->key = rcu_dereference(rx->sta->gtk[keyidx]);
01053 
01054                 /* if not found, try default key */
01055                 if (!rx->key) {
01056                         rx->key = rcu_dereference(rx->sdata->keys[keyidx]);
01057 
01058                         /*
01059                          * RSNA-protected unicast frames should always be
01060                          * sent with pairwise or station-to-station keys,
01061                          * but for WEP we allow using a key index as well.
01062                          */
01063                         if (rx->key &&
01064                             rx->key->conf.cipher != WLAN_CIPHER_SUITE_WEP40 &&
01065                             rx->key->conf.cipher != WLAN_CIPHER_SUITE_WEP104 &&
01066                             !is_multicast_ether_addr(hdr->addr1))
01067                                 rx->key = NULL;
01068                 }
01069         }
01070 
01071         if (rx->key) {
01072                 if (unlikely(rx->key->flags & KEY_FLAG_TAINTED))
01073                         return RX_DROP_MONITOR;
01074 
01075                 rx->key->tx_rx_count++;
01076                 /* TODO: add threshold stuff again */
01077         } else {
01078                 return RX_DROP_MONITOR;
01079         }
01080 
01081         switch (rx->key->conf.cipher) {
01082         case WLAN_CIPHER_SUITE_WEP40:
01083         case WLAN_CIPHER_SUITE_WEP104:
01084                 result = ieee80211_crypto_wep_decrypt(rx);
01085                 break;
01086         case WLAN_CIPHER_SUITE_TKIP:
01087                 result = ieee80211_crypto_tkip_decrypt(rx);
01088                 break;
01089         case WLAN_CIPHER_SUITE_CCMP:
01090                 result = ieee80211_crypto_ccmp_decrypt(rx);
01091                 break;
01092         case WLAN_CIPHER_SUITE_AES_CMAC:
01093                 result = ieee80211_crypto_aes_cmac_decrypt(rx);
01094                 break;
01095         default:
01096                 /*
01097                  * We can reach here only with HW-only algorithms
01098                  * but why didn't it decrypt the frame?!
01099                  */
01100                 return RX_DROP_UNUSABLE;
01101         }
01102 
01103         /* the hdr variable is invalid after the decrypt handlers */
01104 
01105         /* either the frame has been decrypted or will be dropped */
01106         status->flag |= RX_FLAG_DECRYPTED;
01107 
01108         return result;
01109 }
01110 
01111 static ieee80211_rx_result debug_noinline
01112 ieee80211_rx_h_check_more_data(struct ieee80211_rx_data *rx)
01113 {
01114         struct ieee80211_local *local;
01115         struct ieee80211_hdr *hdr;
01116         struct sk_buff *skb;
01117 
01118         local = rx->local;
01119         skb = rx->skb;
01120         hdr = (struct ieee80211_hdr *) skb->data;
01121 
01122         if (!local->pspolling)
01123                 return RX_CONTINUE;
01124 
01125         if (!ieee80211_has_fromds(hdr->frame_control))
01126                 /* this is not from AP */
01127                 return RX_CONTINUE;
01128 
01129         if (!ieee80211_is_data(hdr->frame_control))
01130                 return RX_CONTINUE;
01131 
01132         if (!ieee80211_has_moredata(hdr->frame_control)) {
01133                 /* AP has no more frames buffered for us */
01134                 local->pspolling = false;
01135                 return RX_CONTINUE;
01136         }
01137 
01138         /* more data bit is set, let's request a new frame from the AP */
01139         ieee80211_send_pspoll(local, rx->sdata);
01140 
01141         return RX_CONTINUE;
01142 }
01143 
01144 static void ap_sta_ps_start(struct sta_info *sta)
01145 {
01146         struct ieee80211_sub_if_data *sdata = sta->sdata;
01147         struct ieee80211_local *local = sdata->local;
01148 
01149         atomic_inc(&sdata->bss->num_sta_ps);
01150         set_sta_flag(sta, WLAN_STA_PS_STA);
01151         if (!(local->hw.flags & IEEE80211_HW_AP_LINK_PS))
01152                 drv_sta_notify(local, sdata, STA_NOTIFY_SLEEP, &sta->sta);
01153 #ifdef CONFIG_MAC80211_VERBOSE_PS_DEBUG
01154         printk(KERN_DEBUG "%s: STA %pM aid %d enters power save mode\n",
01155                sdata->name, sta->sta.addr, sta->sta.aid);
01156 #endif /* CONFIG_MAC80211_VERBOSE_PS_DEBUG */
01157 }
01158 
01159 static void ap_sta_ps_end(struct sta_info *sta)
01160 {
01161 #ifdef CONFIG_MAC80211_VERBOSE_PS_DEBUG
01162         printk(KERN_DEBUG "%s: STA %pM aid %d exits power save mode\n",
01163                sta->sdata->name, sta->sta.addr, sta->sta.aid);
01164 #endif /* CONFIG_MAC80211_VERBOSE_PS_DEBUG */
01165 
01166         if (test_sta_flag(sta, WLAN_STA_PS_DRIVER)) {
01167 #ifdef CONFIG_MAC80211_VERBOSE_PS_DEBUG
01168                 printk(KERN_DEBUG "%s: STA %pM aid %d driver-ps-blocked\n",
01169                        sta->sdata->name, sta->sta.addr, sta->sta.aid);
01170 #endif /* CONFIG_MAC80211_VERBOSE_PS_DEBUG */
01171                 return;
01172         }
01173 
01174         ieee80211_sta_ps_deliver_wakeup(sta);
01175 }
01176 
01177 int ieee80211_sta_ps_transition(struct ieee80211_sta *sta, bool start)
01178 {
01179         struct sta_info *sta_inf = container_of(sta, struct sta_info, sta);
01180         bool in_ps;
01181 
01182         WARN_ON(!(sta_inf->local->hw.flags & IEEE80211_HW_AP_LINK_PS));
01183 
01184         /* Don't let the same PS state be set twice */
01185         in_ps = test_sta_flag(sta_inf, WLAN_STA_PS_STA);
01186         if ((start && in_ps) || (!start && !in_ps))
01187                 return -EINVAL;
01188 
01189         if (start)
01190                 ap_sta_ps_start(sta_inf);
01191         else
01192                 ap_sta_ps_end(sta_inf);
01193 
01194         return 0;
01195 }
01196 EXPORT_SYMBOL(ieee80211_sta_ps_transition);
01197 
01198 static ieee80211_rx_result debug_noinline
01199 ieee80211_rx_h_uapsd_and_pspoll(struct ieee80211_rx_data *rx)
01200 {
01201         struct ieee80211_sub_if_data *sdata = rx->sdata;
01202         struct ieee80211_hdr *hdr = (void *)rx->skb->data;
01203         struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(rx->skb);
01204         int tid, ac;
01205 
01206         if (!rx->sta || !(status->rx_flags & IEEE80211_RX_RA_MATCH))
01207                 return RX_CONTINUE;
01208 
01209         if (sdata->vif.type != NL80211_IFTYPE_AP &&
01210             sdata->vif.type != NL80211_IFTYPE_AP_VLAN)
01211                 return RX_CONTINUE;
01212 
01213         /*
01214          * The device handles station powersave, so don't do anything about
01215          * uAPSD and PS-Poll frames (the latter shouldn't even come up from
01216          * it to mac80211 since they're handled.)
01217          */
01218         if (sdata->local->hw.flags & IEEE80211_HW_AP_LINK_PS)
01219                 return RX_CONTINUE;
01220 
01221         /*
01222          * Don't do anything if the station isn't already asleep. In
01223          * the uAPSD case, the station will probably be marked asleep,
01224          * in the PS-Poll case the station must be confused ...
01225          */
01226         if (!test_sta_flag(rx->sta, WLAN_STA_PS_STA))
01227                 return RX_CONTINUE;
01228 
01229         if (unlikely(ieee80211_is_pspoll(hdr->frame_control))) {
01230                 if (!test_sta_flag(rx->sta, WLAN_STA_SP)) {
01231                         if (!test_sta_flag(rx->sta, WLAN_STA_PS_DRIVER))
01232                                 ieee80211_sta_ps_deliver_poll_response(rx->sta);
01233                         else
01234                                 set_sta_flag(rx->sta, WLAN_STA_PSPOLL);
01235                 }
01236 
01237                 /* Free PS Poll skb here instead of returning RX_DROP that would
01238                  * count as an dropped frame. */
01239                 dev_kfree_skb(rx->skb);
01240 
01241                 return RX_QUEUED;
01242         } else if (!ieee80211_has_morefrags(hdr->frame_control) &&
01243                    !(status->rx_flags & IEEE80211_RX_DEFERRED_RELEASE) &&
01244                    ieee80211_has_pm(hdr->frame_control) &&
01245                    (ieee80211_is_data_qos(hdr->frame_control) ||
01246                     ieee80211_is_qos_nullfunc(hdr->frame_control))) {
01247                 tid = *ieee80211_get_qos_ctl(hdr) & IEEE80211_QOS_CTL_TID_MASK;
01248                 ac = ieee802_1d_to_ac[tid & 7];
01249 
01250                 /*
01251                  * If this AC is not trigger-enabled do nothing.
01252                  *
01253                  * NB: This could/should check a separate bitmap of trigger-
01254                  * enabled queues, but for now we only implement uAPSD w/o
01255                  * TSPEC changes to the ACs, so they're always the same.
01256                  */
01257                 if (!(rx->sta->sta.uapsd_queues & BIT(ac)))
01258                         return RX_CONTINUE;
01259 
01260                 /* if we are in a service period, do nothing */
01261                 if (test_sta_flag(rx->sta, WLAN_STA_SP))
01262                         return RX_CONTINUE;
01263 
01264                 if (!test_sta_flag(rx->sta, WLAN_STA_PS_DRIVER))
01265                         ieee80211_sta_ps_deliver_uapsd(rx->sta);
01266                 else
01267                         set_sta_flag(rx->sta, WLAN_STA_UAPSD);
01268         }
01269 
01270         return RX_CONTINUE;
01271 }
01272 
01273 static ieee80211_rx_result debug_noinline
01274 ieee80211_rx_h_sta_process(struct ieee80211_rx_data *rx)
01275 {
01276         struct sta_info *sta = rx->sta;
01277         struct sk_buff *skb = rx->skb;
01278         struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb);
01279         struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)skb->data;
01280 
01281         if (!sta)
01282                 return RX_CONTINUE;
01283 
01284         /*
01285          * Update last_rx only for IBSS packets which are for the current
01286          * BSSID to avoid keeping the current IBSS network alive in cases
01287          * where other STAs start using different BSSID.
01288          */
01289         if (rx->sdata->vif.type == NL80211_IFTYPE_ADHOC) {
01290                 u8 *bssid = ieee80211_get_bssid(hdr, rx->skb->len,
01291                                                 NL80211_IFTYPE_ADHOC);
01292                 if (ether_addr_equal(bssid, rx->sdata->u.ibss.bssid)) {
01293                         sta->last_rx = jiffies;
01294                         if (ieee80211_is_data(hdr->frame_control)) {
01295                                 sta->last_rx_rate_idx = status->rate_idx;
01296                                 sta->last_rx_rate_flag = status->flag;
01297                         }
01298                 }
01299         } else if (!is_multicast_ether_addr(hdr->addr1)) {
01300                 /*
01301                  * Mesh beacons will update last_rx when if they are found to
01302                  * match the current local configuration when processed.
01303                  */
01304                 sta->last_rx = jiffies;
01305                 if (ieee80211_is_data(hdr->frame_control)) {
01306                         sta->last_rx_rate_idx = status->rate_idx;
01307                         sta->last_rx_rate_flag = status->flag;
01308                 }
01309         }
01310 
01311         if (!(status->rx_flags & IEEE80211_RX_RA_MATCH))
01312                 return RX_CONTINUE;
01313 
01314         if (rx->sdata->vif.type == NL80211_IFTYPE_STATION)
01315                 ieee80211_sta_rx_notify(rx->sdata, hdr);
01316 
01317         sta->rx_fragments++;
01318         sta->rx_bytes += rx->skb->len;
01319         if (!(status->flag & RX_FLAG_NO_SIGNAL_VAL)) {
01320                 sta->last_signal = status->signal;
01321                 ewma_add(&sta->avg_signal, -status->signal);
01322         }
01323 
01324         /*
01325          * Change STA power saving mode only at the end of a frame
01326          * exchange sequence.
01327          */
01328         if (!(sta->local->hw.flags & IEEE80211_HW_AP_LINK_PS) &&
01329             !ieee80211_has_morefrags(hdr->frame_control) &&
01330             !(status->rx_flags & IEEE80211_RX_DEFERRED_RELEASE) &&
01331             (rx->sdata->vif.type == NL80211_IFTYPE_AP ||
01332              rx->sdata->vif.type == NL80211_IFTYPE_AP_VLAN)) {
01333                 if (test_sta_flag(sta, WLAN_STA_PS_STA)) {
01334                         /*
01335                          * Ignore doze->wake transitions that are
01336                          * indicated by non-data frames, the standard
01337                          * is unclear here, but for example going to
01338                          * PS mode and then scanning would cause a
01339                          * doze->wake transition for the probe request,
01340                          * and that is clearly undesirable.
01341                          */
01342                         if (ieee80211_is_data(hdr->frame_control) &&
01343                             !ieee80211_has_pm(hdr->frame_control))
01344                                 ap_sta_ps_end(sta);
01345                 } else {
01346                         if (ieee80211_has_pm(hdr->frame_control))
01347                                 ap_sta_ps_start(sta);
01348                 }
01349         }
01350 
01351         /*
01352          * Drop (qos-)data::nullfunc frames silently, since they
01353          * are used only to control station power saving mode.
01354          */
01355         if (ieee80211_is_nullfunc(hdr->frame_control) ||
01356             ieee80211_is_qos_nullfunc(hdr->frame_control)) {
01357                 I802_DEBUG_INC(rx->local->rx_handlers_drop_nullfunc);
01358 
01359                 /*
01360                  * If we receive a 4-addr nullfunc frame from a STA
01361                  * that was not moved to a 4-addr STA vlan yet send
01362                  * the event to userspace and for older hostapd drop
01363                  * the frame to the monitor interface.
01364                  */
01365                 if (ieee80211_has_a4(hdr->frame_control) &&
01366                     (rx->sdata->vif.type == NL80211_IFTYPE_AP ||
01367                      (rx->sdata->vif.type == NL80211_IFTYPE_AP_VLAN &&
01368                       !rx->sdata->u.vlan.sta))) {
01369                         if (!test_and_set_sta_flag(sta, WLAN_STA_4ADDR_EVENT))
01370                                 cfg80211_rx_unexpected_4addr_frame(
01371                                         rx->sdata->dev, sta->sta.addr,
01372                                         GFP_ATOMIC);
01373                         return RX_DROP_MONITOR;
01374                 }
01375                 /*
01376                  * Update counter and free packet here to avoid
01377                  * counting this as a dropped packed.
01378                  */
01379                 sta->rx_packets++;
01380                 dev_kfree_skb(rx->skb);
01381                 return RX_QUEUED;
01382         }
01383 
01384         return RX_CONTINUE;
01385 } /* ieee80211_rx_h_sta_process */
01386 
01387 static inline struct ieee80211_fragment_entry *
01388 ieee80211_reassemble_add(struct ieee80211_sub_if_data *sdata,
01389                          unsigned int frag, unsigned int seq, int rx_queue,
01390                          struct sk_buff **skb)
01391 {
01392         struct ieee80211_fragment_entry *entry;
01393         int idx;
01394 
01395         idx = sdata->fragment_next;
01396         entry = &sdata->fragments[sdata->fragment_next++];
01397         if (sdata->fragment_next >= IEEE80211_FRAGMENT_MAX)
01398                 sdata->fragment_next = 0;
01399 
01400         if (!skb_queue_empty(&entry->skb_list)) {
01401 #ifdef CONFIG_MAC80211_VERBOSE_DEBUG
01402                 struct ieee80211_hdr *hdr =
01403                         (struct ieee80211_hdr *) entry->skb_list.next->data;
01404                 printk(KERN_DEBUG "%s: RX reassembly removed oldest "
01405                        "fragment entry (idx=%d age=%lu seq=%d last_frag=%d "
01406                        "addr1=%pM addr2=%pM\n",
01407                        sdata->name, idx,
01408                        jiffies - entry->first_frag_time, entry->seq,
01409                        entry->last_frag, hdr->addr1, hdr->addr2);
01410 #endif
01411                 __skb_queue_purge(&entry->skb_list);
01412         }
01413 
01414         __skb_queue_tail(&entry->skb_list, *skb); /* no need for locking */
01415         *skb = NULL;
01416         entry->first_frag_time = jiffies;
01417         entry->seq = seq;
01418         entry->rx_queue = rx_queue;
01419         entry->last_frag = frag;
01420         entry->ccmp = 0;
01421         entry->extra_len = 0;
01422 
01423         return entry;
01424 }
01425 
01426 static inline struct ieee80211_fragment_entry *
01427 ieee80211_reassemble_find(struct ieee80211_sub_if_data *sdata,
01428                           unsigned int frag, unsigned int seq,
01429                           int rx_queue, struct ieee80211_hdr *hdr)
01430 {
01431         struct ieee80211_fragment_entry *entry;
01432         int i, idx;
01433 
01434         idx = sdata->fragment_next;
01435         for (i = 0; i < IEEE80211_FRAGMENT_MAX; i++) {
01436                 struct ieee80211_hdr *f_hdr;
01437 
01438                 idx--;
01439                 if (idx < 0)
01440                         idx = IEEE80211_FRAGMENT_MAX - 1;
01441 
01442                 entry = &sdata->fragments[idx];
01443                 if (skb_queue_empty(&entry->skb_list) || entry->seq != seq ||
01444                     entry->rx_queue != rx_queue ||
01445                     entry->last_frag + 1 != frag)
01446                         continue;
01447 
01448                 f_hdr = (struct ieee80211_hdr *)entry->skb_list.next->data;
01449 
01450                 /*
01451                  * Check ftype and addresses are equal, else check next fragment
01452                  */
01453                 if (((hdr->frame_control ^ f_hdr->frame_control) &
01454                      cpu_to_le16(IEEE80211_FCTL_FTYPE)) ||
01455                     !ether_addr_equal(hdr->addr1, f_hdr->addr1) ||
01456                     !ether_addr_equal(hdr->addr2, f_hdr->addr2))
01457                         continue;
01458 
01459                 if (time_after(jiffies, entry->first_frag_time + 2 * HZ)) {
01460                         __skb_queue_purge(&entry->skb_list);
01461                         continue;
01462                 }
01463                 return entry;
01464         }
01465 
01466         return NULL;
01467 }
01468 
01469 static ieee80211_rx_result debug_noinline
01470 ieee80211_rx_h_defragment(struct ieee80211_rx_data *rx)
01471 {
01472         struct ieee80211_hdr *hdr;
01473         u16 sc;
01474         __le16 fc;
01475         unsigned int frag, seq;
01476         struct ieee80211_fragment_entry *entry;
01477         struct sk_buff *skb;
01478         struct ieee80211_rx_status *status;
01479 
01480         hdr = (struct ieee80211_hdr *)rx->skb->data;
01481         fc = hdr->frame_control;
01482         sc = le16_to_cpu(hdr->seq_ctrl);
01483         frag = sc & IEEE80211_SCTL_FRAG;
01484 
01485         if (likely((!ieee80211_has_morefrags(fc) && frag == 0) ||
01486                    (rx->skb)->len < 24 ||
01487                    is_multicast_ether_addr(hdr->addr1))) {
01488                 /* not fragmented */
01489                 goto out;
01490         }
01491         I802_DEBUG_INC(rx->local->rx_handlers_fragments);
01492 
01493         if (skb_linearize(rx->skb))
01494                 return RX_DROP_UNUSABLE;
01495 
01496         /*
01497          *  skb_linearize() might change the skb->data and
01498          *  previously cached variables (in this case, hdr) need to
01499          *  be refreshed with the new data.
01500          */
01501         hdr = (struct ieee80211_hdr *)rx->skb->data;
01502         seq = (sc & IEEE80211_SCTL_SEQ) >> 4;
01503 
01504         if (frag == 0) {
01505                 /* This is the first fragment of a new frame. */
01506                 entry = ieee80211_reassemble_add(rx->sdata, frag, seq,
01507                                                  rx->seqno_idx, &(rx->skb));
01508                 if (rx->key && rx->key->conf.cipher == WLAN_CIPHER_SUITE_CCMP &&
01509                     ieee80211_has_protected(fc)) {
01510                         int queue = rx->security_idx;
01511                         /* Store CCMP PN so that we can verify that the next
01512                          * fragment has a sequential PN value. */
01513                         entry->ccmp = 1;
01514                         memcpy(entry->last_pn,
01515                                rx->key->u.ccmp.rx_pn[queue],
01516                                CCMP_PN_LEN);
01517                 }
01518                 return RX_QUEUED;
01519         }
01520 
01521         /* This is a fragment for a frame that should already be pending in
01522          * fragment cache. Add this fragment to the end of the pending entry.
01523          */
01524         entry = ieee80211_reassemble_find(rx->sdata, frag, seq,
01525                                           rx->seqno_idx, hdr);
01526         if (!entry) {
01527                 I802_DEBUG_INC(rx->local->rx_handlers_drop_defrag);
01528                 return RX_DROP_MONITOR;
01529         }
01530 
01531         /* Verify that MPDUs within one MSDU have sequential PN values.
01532          * (IEEE 802.11i, 8.3.3.4.5) */
01533         if (entry->ccmp) {
01534                 int i;
01535                 u8 pn[CCMP_PN_LEN], *rpn;
01536                 int queue;
01537                 if (!rx->key || rx->key->conf.cipher != WLAN_CIPHER_SUITE_CCMP)
01538                         return RX_DROP_UNUSABLE;
01539                 memcpy(pn, entry->last_pn, CCMP_PN_LEN);
01540                 for (i = CCMP_PN_LEN - 1; i >= 0; i--) {
01541                         pn[i]++;
01542                         if (pn[i])
01543                                 break;
01544                 }
01545                 queue = rx->security_idx;
01546                 rpn = rx->key->u.ccmp.rx_pn[queue];
01547                 if (memcmp(pn, rpn, CCMP_PN_LEN))
01548                         return RX_DROP_UNUSABLE;
01549                 memcpy(entry->last_pn, pn, CCMP_PN_LEN);
01550         }
01551 
01552         skb_pull(rx->skb, ieee80211_hdrlen(fc));
01553         __skb_queue_tail(&entry->skb_list, rx->skb);
01554         entry->last_frag = frag;
01555         entry->extra_len += rx->skb->len;
01556         if (ieee80211_has_morefrags(fc)) {
01557                 rx->skb = NULL;
01558                 return RX_QUEUED;
01559         }
01560 
01561         rx->skb = __skb_dequeue(&entry->skb_list);
01562         if (skb_tailroom(rx->skb) < entry->extra_len) {
01563                 I802_DEBUG_INC(rx->local->rx_expand_skb_head2);
01564                 if (unlikely(pskb_expand_head(rx->skb, 0, entry->extra_len,
01565                                               GFP_ATOMIC))) {
01566                         I802_DEBUG_INC(rx->local->rx_handlers_drop_defrag);
01567                         __skb_queue_purge(&entry->skb_list);
01568                         return RX_DROP_UNUSABLE;
01569                 }
01570         }
01571         while ((skb = __skb_dequeue(&entry->skb_list))) {
01572                 memcpy(skb_put(rx->skb, skb->len), skb->data, skb->len);
01573                 dev_kfree_skb(skb);
01574         }
01575 
01576         /* Complete frame has been reassembled - process it now */
01577         status = IEEE80211_SKB_RXCB(rx->skb);
01578         status->rx_flags |= IEEE80211_RX_FRAGMENTED;
01579 
01580  out:
01581         if (rx->sta)
01582                 rx->sta->rx_packets++;
01583         if (is_multicast_ether_addr(hdr->addr1))
01584                 rx->local->dot11MulticastReceivedFrameCount++;
01585         else
01586                 ieee80211_led_rx(rx->local);
01587         return RX_CONTINUE;
01588 }
01589 
01590 static int
01591 ieee80211_802_1x_port_control(struct ieee80211_rx_data *rx)
01592 {
01593         if (unlikely(!rx->sta ||
01594             !test_sta_flag(rx->sta, WLAN_STA_AUTHORIZED)))
01595                 return -EACCES;
01596 
01597         return 0;
01598 }
01599 
01600 static int
01601 ieee80211_drop_unencrypted(struct ieee80211_rx_data *rx, __le16 fc)
01602 {
01603         struct sk_buff *skb = rx->skb;
01604         struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb);
01605 
01606         /*
01607          * Pass through unencrypted frames if the hardware has
01608          * decrypted them already.
01609          */
01610         if (status->flag & RX_FLAG_DECRYPTED)
01611                 return 0;
01612 
01613         /* Drop unencrypted frames if key is set. */
01614         if (unlikely(!ieee80211_has_protected(fc) &&
01615                      !ieee80211_is_nullfunc(fc) &&
01616                      ieee80211_is_data(fc) &&
01617                      (rx->key || rx->sdata->drop_unencrypted)))
01618                 return -EACCES;
01619 
01620         return 0;
01621 }
01622 
01623 static int
01624 ieee80211_drop_unencrypted_mgmt(struct ieee80211_rx_data *rx)
01625 {
01626         struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)rx->skb->data;
01627         struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(rx->skb);
01628         __le16 fc = hdr->frame_control;
01629 
01630         /*
01631          * Pass through unencrypted frames if the hardware has
01632          * decrypted them already.
01633          */
01634         if (status->flag & RX_FLAG_DECRYPTED)
01635                 return 0;
01636 
01637         if (rx->sta && test_sta_flag(rx->sta, WLAN_STA_MFP)) {
01638                 if (unlikely(!ieee80211_has_protected(fc) &&
01639                              ieee80211_is_unicast_robust_mgmt_frame(rx->skb) &&
01640                              rx->key)) {
01641                         if (ieee80211_is_deauth(fc))
01642                                 cfg80211_send_unprot_deauth(rx->sdata->dev,
01643                                                             rx->skb->data,
01644                                                             rx->skb->len);
01645                         else if (ieee80211_is_disassoc(fc))
01646                                 cfg80211_send_unprot_disassoc(rx->sdata->dev,
01647                                                               rx->skb->data,
01648                                                               rx->skb->len);
01649                         return -EACCES;
01650                 }
01651                 /* BIP does not use Protected field, so need to check MMIE */
01652                 if (unlikely(ieee80211_is_multicast_robust_mgmt_frame(rx->skb) &&
01653                              ieee80211_get_mmie_keyidx(rx->skb) < 0)) {
01654                         if (ieee80211_is_deauth(fc))
01655                                 cfg80211_send_unprot_deauth(rx->sdata->dev,
01656                                                             rx->skb->data,
01657                                                             rx->skb->len);
01658                         else if (ieee80211_is_disassoc(fc))
01659                                 cfg80211_send_unprot_disassoc(rx->sdata->dev,
01660                                                               rx->skb->data,
01661                                                               rx->skb->len);
01662                         return -EACCES;
01663                 }
01664                 /*
01665                  * When using MFP, Action frames are not allowed prior to
01666                  * having configured keys.
01667                  */
01668                 if (unlikely(ieee80211_is_action(fc) && !rx->key &&
01669                              ieee80211_is_robust_mgmt_frame(
01670                                      (struct ieee80211_hdr *) rx->skb->data)))
01671                         return -EACCES;
01672         }
01673 
01674         return 0;
01675 }
01676 
01677 static int
01678 __ieee80211_data_to_8023(struct ieee80211_rx_data *rx, bool *port_control)
01679 {
01680         struct ieee80211_sub_if_data *sdata = rx->sdata;
01681         struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)rx->skb->data;
01682         bool check_port_control = false;
01683         struct ethhdr *ehdr;
01684         int ret;
01685 
01686         *port_control = false;
01687         if (ieee80211_has_a4(hdr->frame_control) &&
01688             sdata->vif.type == NL80211_IFTYPE_AP_VLAN && !sdata->u.vlan.sta)
01689                 return -1;
01690 
01691         if (sdata->vif.type == NL80211_IFTYPE_STATION &&
01692             !!sdata->u.mgd.use_4addr != !!ieee80211_has_a4(hdr->frame_control)) {
01693 
01694                 if (!sdata->u.mgd.use_4addr)
01695                         return -1;
01696                 else
01697                         check_port_control = true;
01698         }
01699 
01700         if (is_multicast_ether_addr(hdr->addr1) &&
01701             sdata->vif.type == NL80211_IFTYPE_AP_VLAN && sdata->u.vlan.sta)
01702                 return -1;
01703 
01704         ret = ieee80211_data_to_8023(rx->skb, sdata->vif.addr, sdata->vif.type);
01705         if (ret < 0)
01706                 return ret;
01707 
01708         ehdr = (struct ethhdr *) rx->skb->data;
01709         if (ehdr->h_proto == rx->sdata->control_port_protocol)
01710                 *port_control = true;
01711         else if (check_port_control)
01712                 return -1;
01713 
01714         return 0;
01715 }
01716 
01717 /*
01718  * requires that rx->skb is a frame with ethernet header
01719  */
01720 static bool ieee80211_frame_allowed(struct ieee80211_rx_data *rx, __le16 fc)
01721 {
01722         static const u8 pae_group_addr[ETH_ALEN] __aligned(2)
01723                 = { 0x01, 0x80, 0xC2, 0x00, 0x00, 0x03 };
01724         struct ethhdr *ehdr = (struct ethhdr *) rx->skb->data;
01725 
01726         /*
01727          * Allow EAPOL frames to us/the PAE group address regardless
01728          * of whether the frame was encrypted or not.
01729          */
01730         if (ehdr->h_proto == rx->sdata->control_port_protocol &&
01731             (ether_addr_equal(ehdr->h_dest, rx->sdata->vif.addr) ||
01732              ether_addr_equal(ehdr->h_dest, pae_group_addr)))
01733                 return true;
01734 
01735         if (ieee80211_802_1x_port_control(rx) ||
01736             ieee80211_drop_unencrypted(rx, fc))
01737                 return false;
01738 
01739         return true;
01740 }
01741 
01742 /*
01743  * requires that rx->skb is a frame with ethernet header
01744  */
01745 static void
01746 ieee80211_deliver_skb(struct ieee80211_rx_data *rx)
01747 {
01748         struct ieee80211_sub_if_data *sdata = rx->sdata;
01749         struct net_device *dev = sdata->dev;
01750         struct sk_buff *skb, *xmit_skb;
01751         struct ethhdr *ehdr = (struct ethhdr *) rx->skb->data;
01752         struct sta_info *dsta;
01753         struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(rx->skb);
01754 
01755         skb = rx->skb;
01756         xmit_skb = NULL;
01757 
01758         if ((sdata->vif.type == NL80211_IFTYPE_AP ||
01759              sdata->vif.type == NL80211_IFTYPE_AP_VLAN) &&
01760             !(sdata->flags & IEEE80211_SDATA_DONT_BRIDGE_PACKETS) &&
01761             (status->rx_flags & IEEE80211_RX_RA_MATCH) &&
01762             (sdata->vif.type != NL80211_IFTYPE_AP_VLAN || !sdata->u.vlan.sta)) {
01763                 if (is_multicast_ether_addr(ehdr->h_dest)) {
01764                         /*
01765                          * send multicast frames both to higher layers in
01766                          * local net stack and back to the wireless medium
01767                          */
01768                         xmit_skb = skb_copy(skb, GFP_ATOMIC);
01769                         if (!xmit_skb)
01770                                 net_dbg_ratelimited("%s: failed to clone multicast frame\n",
01771                                                     dev->name);
01772                 } else {
01773                         dsta = sta_info_get(sdata, skb->data);
01774                         if (dsta) {
01775                                 /*
01776                                  * The destination station is associated to
01777                                  * this AP (in this VLAN), so send the frame
01778                                  * directly to it and do not pass it to local
01779                                  * net stack.
01780                                  */
01781                                 xmit_skb = skb;
01782                                 skb = NULL;
01783                         }
01784                 }
01785         }
01786 
01787         if (skb) {
01788                 int align __maybe_unused;
01789 
01790 #ifndef CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS
01791                 /*
01792                  * 'align' will only take the values 0 or 2 here
01793                  * since all frames are required to be aligned
01794                  * to 2-byte boundaries when being passed to
01795                  * mac80211. That also explains the __skb_push()
01796                  * below.
01797                  */
01798                 align = ((unsigned long)(skb->data + sizeof(struct ethhdr))) & 3;
01799                 if (align) {
01800                         if (WARN_ON(skb_headroom(skb) < 3)) {
01801                                 dev_kfree_skb(skb);
01802                                 skb = NULL;
01803                         } else {
01804                                 u8 *data = skb->data;
01805                                 size_t len = skb_headlen(skb);
01806                                 skb->data -= align;
01807                                 memmove(skb->data, data, len);
01808                                 skb_set_tail_pointer(skb, len);
01809                         }
01810                 }
01811 #endif
01812 
01813                 if (skb) {
01814                         /* deliver to local stack */
01815                         skb->protocol = eth_type_trans(skb, dev);
01816                         memset(skb->cb, 0, sizeof(skb->cb));
01817                         netif_receive_skb(skb);
01818                 }
01819         }
01820 
01821         if (xmit_skb) {
01822                 /*
01823                  * Send to wireless media and increase priority by 256 to
01824                  * keep the received priority instead of reclassifying
01825                  * the frame (see cfg80211_classify8021d).
01826                  */
01827                 xmit_skb->priority += 256;
01828                 xmit_skb->protocol = htons(ETH_P_802_3);
01829                 skb_reset_network_header(xmit_skb);
01830                 skb_reset_mac_header(xmit_skb);
01831                 dev_queue_xmit(xmit_skb);
01832         }
01833 }
01834 
01835 static ieee80211_rx_result debug_noinline
01836 ieee80211_rx_h_amsdu(struct ieee80211_rx_data *rx)
01837 {
01838         struct net_device *dev = rx->sdata->dev;
01839         struct sk_buff *skb = rx->skb;
01840         struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)skb->data;
01841         __le16 fc = hdr->frame_control;
01842         struct sk_buff_head frame_list;
01843         struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(rx->skb);
01844 
01845         if (unlikely(!ieee80211_is_data(fc)))
01846                 return RX_CONTINUE;
01847 
01848         if (unlikely(!ieee80211_is_data_present(fc)))
01849                 return RX_DROP_MONITOR;
01850 
01851         if (!(status->rx_flags & IEEE80211_RX_AMSDU))
01852                 return RX_CONTINUE;
01853 
01854         if (ieee80211_has_a4(hdr->frame_control) &&
01855             rx->sdata->vif.type == NL80211_IFTYPE_AP_VLAN &&
01856             !rx->sdata->u.vlan.sta)
01857                 return RX_DROP_UNUSABLE;
01858 
01859         if (is_multicast_ether_addr(hdr->addr1) &&
01860             ((rx->sdata->vif.type == NL80211_IFTYPE_AP_VLAN &&
01861               rx->sdata->u.vlan.sta) ||
01862              (rx->sdata->vif.type == NL80211_IFTYPE_STATION &&
01863               rx->sdata->u.mgd.use_4addr)))
01864                 return RX_DROP_UNUSABLE;
01865 
01866         skb->dev = dev;
01867         __skb_queue_head_init(&frame_list);
01868 
01869         if (skb_linearize(skb))
01870                 return RX_DROP_UNUSABLE;
01871 
01872         ieee80211_amsdu_to_8023s(skb, &frame_list, dev->dev_addr,
01873                                  rx->sdata->vif.type,
01874                                  rx->local->hw.extra_tx_headroom, true);
01875 
01876         while (!skb_queue_empty(&frame_list)) {
01877                 rx->skb = __skb_dequeue(&frame_list);
01878 
01879                 if (!ieee80211_frame_allowed(rx, fc)) {
01880                         dev_kfree_skb(rx->skb);
01881                         continue;
01882                 }
01883                 dev->stats.rx_packets++;
01884                 dev->stats.rx_bytes += rx->skb->len;
01885 
01886                 ieee80211_deliver_skb(rx);
01887         }
01888 
01889         return RX_QUEUED;
01890 }
01891 
01892 #ifdef CONFIG_MAC80211_MESH
01893 static ieee80211_rx_result
01894 ieee80211_rx_h_mesh_fwding(struct ieee80211_rx_data *rx)
01895 {
01896         struct ieee80211_hdr *fwd_hdr, *hdr;
01897         struct ieee80211_tx_info *info;
01898         struct ieee80211s_hdr *mesh_hdr;
01899         struct sk_buff *skb = rx->skb, *fwd_skb;
01900         struct ieee80211_local *local = rx->local;
01901         struct ieee80211_sub_if_data *sdata = rx->sdata;
01902         struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb);
01903         struct ieee80211_if_mesh *ifmsh = &sdata->u.mesh;
01904         __le16 reason = cpu_to_le16(WLAN_REASON_MESH_PATH_NOFORWARD);
01905         u16 q, hdrlen;
01906 
01907         hdr = (struct ieee80211_hdr *) skb->data;
01908         hdrlen = ieee80211_hdrlen(hdr->frame_control);
01909         mesh_hdr = (struct ieee80211s_hdr *) (skb->data + hdrlen);
01910 
01911         /* frame is in RMC, don't forward */
01912         if (ieee80211_is_data(hdr->frame_control) &&
01913             is_multicast_ether_addr(hdr->addr1) &&
01914             mesh_rmc_check(hdr->addr3, mesh_hdr, rx->sdata))
01915                 return RX_DROP_MONITOR;
01916 
01917         if (!ieee80211_is_data(hdr->frame_control))
01918                 return RX_CONTINUE;
01919 
01920         if (!mesh_hdr->ttl)
01921                 return RX_DROP_MONITOR;
01922 
01923         if (mesh_hdr->flags & MESH_FLAGS_AE) {
01924                 struct mesh_path *mppath;
01925                 char *proxied_addr;
01926                 char *mpp_addr;
01927 
01928                 if (is_multicast_ether_addr(hdr->addr1)) {
01929                         mpp_addr = hdr->addr3;
01930                         proxied_addr = mesh_hdr->eaddr1;
01931                 } else {
01932                         mpp_addr = hdr->addr4;
01933                         proxied_addr = mesh_hdr->eaddr2;
01934                 }
01935 
01936                 rcu_read_lock();
01937                 mppath = mpp_path_lookup(proxied_addr, sdata);
01938                 if (!mppath) {
01939                         mpp_path_add(proxied_addr, mpp_addr, sdata);
01940                 } else {
01941                         spin_lock_bh(&mppath->state_lock);
01942                         if (!ether_addr_equal(mppath->mpp, mpp_addr))
01943                                 memcpy(mppath->mpp, mpp_addr, ETH_ALEN);
01944                         spin_unlock_bh(&mppath->state_lock);
01945                 }
01946                 rcu_read_unlock();
01947         }
01948 
01949         /* Frame has reached destination.  Don't forward */
01950         if (!is_multicast_ether_addr(hdr->addr1) &&
01951             ether_addr_equal(sdata->vif.addr, hdr->addr3))
01952                 return RX_CONTINUE;
01953 
01954         q = ieee80211_select_queue_80211(local, skb, hdr);
01955         if (ieee80211_queue_stopped(&local->hw, q)) {
01956                 IEEE80211_IFSTA_MESH_CTR_INC(ifmsh, dropped_frames_congestion);
01957                 return RX_DROP_MONITOR;
01958         }
01959         skb_set_queue_mapping(skb, q);
01960 
01961         if (!(status->rx_flags & IEEE80211_RX_RA_MATCH))
01962                 goto out;
01963 
01964         if (!--mesh_hdr->ttl) {
01965                 IEEE80211_IFSTA_MESH_CTR_INC(ifmsh, dropped_frames_ttl);
01966                 return RX_DROP_MONITOR;
01967         }
01968 
01969         if (!ifmsh->mshcfg.dot11MeshForwarding)
01970                 goto out;
01971 
01972         fwd_skb = skb_copy(skb, GFP_ATOMIC);
01973         if (!fwd_skb) {
01974                 net_dbg_ratelimited("%s: failed to clone mesh frame\n",
01975                                     sdata->name);
01976                 goto out;
01977         }
01978 
01979         fwd_hdr =  (struct ieee80211_hdr *) fwd_skb->data;
01980         info = IEEE80211_SKB_CB(fwd_skb);
01981         memset(info, 0, sizeof(*info));
01982         info->flags |= IEEE80211_TX_INTFL_NEED_TXPROCESSING;
01983         info->control.vif = &rx->sdata->vif;
01984         info->control.jiffies = jiffies;
01985         if (is_multicast_ether_addr(fwd_hdr->addr1)) {
01986                 IEEE80211_IFSTA_MESH_CTR_INC(ifmsh, fwded_mcast);
01987                 memcpy(fwd_hdr->addr2, sdata->vif.addr, ETH_ALEN);
01988         } else if (!mesh_nexthop_lookup(fwd_skb, sdata)) {
01989                 IEEE80211_IFSTA_MESH_CTR_INC(ifmsh, fwded_unicast);
01990         } else {
01991                 /* unable to resolve next hop */
01992                 mesh_path_error_tx(ifmsh->mshcfg.element_ttl, fwd_hdr->addr3,
01993                                     0, reason, fwd_hdr->addr2, sdata);
01994                 IEEE80211_IFSTA_MESH_CTR_INC(ifmsh, dropped_frames_no_route);
01995                 kfree_skb(fwd_skb);
01996                 return RX_DROP_MONITOR;
01997         }
01998 
01999         IEEE80211_IFSTA_MESH_CTR_INC(ifmsh, fwded_frames);
02000         ieee80211_add_pending_skb(local, fwd_skb);
02001  out:
02002         if (is_multicast_ether_addr(hdr->addr1) ||
02003             sdata->dev->flags & IFF_PROMISC)
02004                 return RX_CONTINUE;
02005         else
02006                 return RX_DROP_MONITOR;
02007 }
02008 #endif
02009 
02010 static ieee80211_rx_result debug_noinline
02011 ieee80211_rx_h_data(struct ieee80211_rx_data *rx)
02012 {
02013         struct ieee80211_sub_if_data *sdata = rx->sdata;
02014         struct ieee80211_local *local = rx->local;
02015         struct net_device *dev = sdata->dev;
02016         struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)rx->skb->data;
02017         __le16 fc = hdr->frame_control;
02018         bool port_control;
02019         int err;
02020 
02021         if (unlikely(!ieee80211_is_data(hdr->frame_control)))
02022                 return RX_CONTINUE;
02023 
02024         if (unlikely(!ieee80211_is_data_present(hdr->frame_control)))
02025                 return RX_DROP_MONITOR;
02026 
02027         /*
02028          * Send unexpected-4addr-frame event to hostapd. For older versions,
02029          * also drop the frame to cooked monitor interfaces.
02030          */
02031         if (ieee80211_has_a4(hdr->frame_control) &&
02032             sdata->vif.type == NL80211_IFTYPE_AP) {
02033                 if (rx->sta &&
02034                     !test_and_set_sta_flag(rx->sta, WLAN_STA_4ADDR_EVENT))
02035                         cfg80211_rx_unexpected_4addr_frame(
02036                                 rx->sdata->dev, rx->sta->sta.addr, GFP_ATOMIC);
02037                 return RX_DROP_MONITOR;
02038         }
02039 
02040         err = __ieee80211_data_to_8023(rx, &port_control);
02041         if (unlikely(err))
02042                 return RX_DROP_UNUSABLE;
02043 
02044         if (!ieee80211_frame_allowed(rx, fc))
02045                 return RX_DROP_MONITOR;
02046 
02047         if (rx->sdata->vif.type == NL80211_IFTYPE_AP_VLAN &&
02048             unlikely(port_control) && sdata->bss) {
02049                 sdata = container_of(sdata->bss, struct ieee80211_sub_if_data,
02050                                      u.ap);
02051                 dev = sdata->dev;
02052                 rx->sdata = sdata;
02053         }
02054 
02055         rx->skb->dev = dev;
02056 
02057         dev->stats.rx_packets++;
02058         dev->stats.rx_bytes += rx->skb->len;
02059 
02060         if (local->ps_sdata && local->hw.conf.dynamic_ps_timeout > 0 &&
02061             !is_multicast_ether_addr(
02062                     ((struct ethhdr *)rx->skb->data)->h_dest) &&
02063             (!local->scanning &&
02064              !test_bit(SDATA_STATE_OFFCHANNEL, &sdata->state))) {
02065                         mod_timer(&local->dynamic_ps_timer, jiffies +
02066                          msecs_to_jiffies(local->hw.conf.dynamic_ps_timeout));
02067         }
02068 
02069         ieee80211_deliver_skb(rx);
02070 
02071         return RX_QUEUED;
02072 }
02073 
02074 static ieee80211_rx_result debug_noinline
02075 ieee80211_rx_h_ctrl(struct ieee80211_rx_data *rx)
02076 {
02077         struct ieee80211_local *local = rx->local;
02078         struct ieee80211_hw *hw = &local->hw;
02079         struct sk_buff *skb = rx->skb;
02080         struct ieee80211_bar *bar = (struct ieee80211_bar *)skb->data;
02081         struct tid_ampdu_rx *tid_agg_rx;
02082         u16 start_seq_num;
02083         u16 tid;
02084 
02085         if (likely(!ieee80211_is_ctl(bar->frame_control)))
02086                 return RX_CONTINUE;
02087 
02088         if (ieee80211_is_back_req(bar->frame_control)) {
02089                 struct {
02090                         __le16 control, start_seq_num;
02091                 } __packed bar_data;
02092 
02093                 if (!rx->sta)
02094                         return RX_DROP_MONITOR;
02095 
02096                 if (skb_copy_bits(skb, offsetof(struct ieee80211_bar, control),
02097                                   &bar_data, sizeof(bar_data)))
02098                         return RX_DROP_MONITOR;
02099 
02100                 tid = le16_to_cpu(bar_data.control) >> 12;
02101 
02102                 tid_agg_rx = rcu_dereference(rx->sta->ampdu_mlme.tid_rx[tid]);
02103                 if (!tid_agg_rx)
02104                         return RX_DROP_MONITOR;
02105 
02106                 start_seq_num = le16_to_cpu(bar_data.start_seq_num) >> 4;
02107 
02108                 /* reset session timer */
02109                 if (tid_agg_rx->timeout)
02110                         mod_timer(&tid_agg_rx->session_timer,
02111                                   TU_TO_EXP_TIME(tid_agg_rx->timeout));
02112 
02113                 spin_lock(&tid_agg_rx->reorder_lock);
02114                 /* release stored frames up to start of BAR */
02115                 ieee80211_release_reorder_frames(hw, tid_agg_rx, start_seq_num);
02116                 spin_unlock(&tid_agg_rx->reorder_lock);
02117 
02118                 kfree_skb(skb);
02119                 return RX_QUEUED;
02120         }
02121 
02122         /*
02123          * After this point, we only want management frames,
02124          * so we can drop all remaining control frames to
02125          * cooked monitor interfaces.
02126          */
02127         return RX_DROP_MONITOR;
02128 }
02129 
02130 static void ieee80211_process_sa_query_req(struct ieee80211_sub_if_data *sdata,
02131                                            struct ieee80211_mgmt *mgmt,
02132                                            size_t len)
02133 {
02134         struct ieee80211_local *local = sdata->local;
02135         struct sk_buff *skb;
02136         struct ieee80211_mgmt *resp;
02137 
02138         if (!ether_addr_equal(mgmt->da, sdata->vif.addr)) {
02139                 /* Not to own unicast address */
02140                 return;
02141         }
02142 
02143         if (!ether_addr_equal(mgmt->sa, sdata->u.mgd.bssid) ||
02144             !ether_addr_equal(mgmt->bssid, sdata->u.mgd.bssid)) {
02145                 /* Not from the current AP or not associated yet. */
02146                 return;
02147         }
02148 
02149         if (len < 24 + 1 + sizeof(resp->u.action.u.sa_query)) {
02150                 /* Too short SA Query request frame */
02151                 return;
02152         }
02153 
02154         skb = dev_alloc_skb(sizeof(*resp) + local->hw.extra_tx_headroom);
02155         if (skb == NULL)
02156                 return;
02157 
02158         skb_reserve(skb, local->hw.extra_tx_headroom);
02159         resp = (struct ieee80211_mgmt *) skb_put(skb, 24);
02160         memset(resp, 0, 24);
02161         memcpy(resp->da, mgmt->sa, ETH_ALEN);
02162         memcpy(resp->sa, sdata->vif.addr, ETH_ALEN);
02163         memcpy(resp->bssid, sdata->u.mgd.bssid, ETH_ALEN);
02164         resp->frame_control = cpu_to_le16(IEEE80211_FTYPE_MGMT |
02165                                           IEEE80211_STYPE_ACTION);
02166         skb_put(skb, 1 + sizeof(resp->u.action.u.sa_query));
02167         resp->u.action.category = WLAN_CATEGORY_SA_QUERY;
02168         resp->u.action.u.sa_query.action = WLAN_ACTION_SA_QUERY_RESPONSE;
02169         memcpy(resp->u.action.u.sa_query.trans_id,
02170                mgmt->u.action.u.sa_query.trans_id,
02171                WLAN_SA_QUERY_TR_ID_LEN);
02172 
02173         ieee80211_tx_skb(sdata, skb);
02174 }
02175 
02176 static ieee80211_rx_result debug_noinline
02177 ieee80211_rx_h_mgmt_check(struct ieee80211_rx_data *rx)
02178 {
02179         struct ieee80211_mgmt *mgmt = (struct ieee80211_mgmt *) rx->skb->data;
02180         struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(rx->skb);
02181 
02182         /*
02183          * From here on, look only at management frames.
02184          * Data and control frames are already handled,
02185          * and unknown (reserved) frames are useless.
02186          */
02187         if (rx->skb->len < 24)
02188                 return RX_DROP_MONITOR;
02189 
02190         if (!ieee80211_is_mgmt(mgmt->frame_control))
02191                 return RX_DROP_MONITOR;
02192 
02193         if (rx->sdata->vif.type == NL80211_IFTYPE_AP &&
02194             ieee80211_is_beacon(mgmt->frame_control) &&
02195             !(rx->flags & IEEE80211_RX_BEACON_REPORTED)) {
02196                 int sig = 0;
02197 
02198                 if (rx->local->hw.flags & IEEE80211_HW_SIGNAL_DBM)
02199                         sig = status->signal;
02200 
02201                 cfg80211_report_obss_beacon(rx->local->hw.wiphy,
02202                                             rx->skb->data, rx->skb->len,
02203                                             status->freq, sig, GFP_ATOMIC);
02204                 rx->flags |= IEEE80211_RX_BEACON_REPORTED;
02205         }
02206 
02207         if (!(status->rx_flags & IEEE80211_RX_RA_MATCH))
02208                 return RX_DROP_MONITOR;
02209 
02210         if (ieee80211_drop_unencrypted_mgmt(rx))
02211                 return RX_DROP_UNUSABLE;
02212 
02213         return RX_CONTINUE;
02214 }
02215 
02216 static ieee80211_rx_result debug_noinline
02217 ieee80211_rx_h_action(struct ieee80211_rx_data *rx)
02218 {
02219         struct ieee80211_local *local = rx->local;
02220         struct ieee80211_sub_if_data *sdata = rx->sdata;
02221         struct ieee80211_mgmt *mgmt = (struct ieee80211_mgmt *) rx->skb->data;
02222         struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(rx->skb);
02223         int len = rx->skb->len;
02224 
02225         if (!ieee80211_is_action(mgmt->frame_control))
02226                 return RX_CONTINUE;
02227 
02228         /* drop too small frames */
02229         if (len < IEEE80211_MIN_ACTION_SIZE)
02230                 return RX_DROP_UNUSABLE;
02231 
02232         if (!rx->sta && mgmt->u.action.category != WLAN_CATEGORY_PUBLIC)
02233                 return RX_DROP_UNUSABLE;
02234 
02235         if (!(status->rx_flags & IEEE80211_RX_RA_MATCH))
02236                 return RX_DROP_UNUSABLE;
02237 
02238         switch (mgmt->u.action.category) {
02239         case WLAN_CATEGORY_HT:
02240                 /* reject HT action frames from stations not supporting HT */
02241                 if (!rx->sta->sta.ht_cap.ht_supported)
02242                         goto invalid;
02243 
02244                 if (sdata->vif.type != NL80211_IFTYPE_STATION &&
02245                     sdata->vif.type != NL80211_IFTYPE_MESH_POINT &&
02246                     sdata->vif.type != NL80211_IFTYPE_AP_VLAN &&
02247                     sdata->vif.type != NL80211_IFTYPE_AP &&
02248                     sdata->vif.type != NL80211_IFTYPE_ADHOC)
02249                         break;
02250 
02251                 /* verify action & smps_control are present */
02252                 if (len < IEEE80211_MIN_ACTION_SIZE + 2)
02253                         goto invalid;
02254 
02255                 switch (mgmt->u.action.u.ht_smps.action) {
02256                 case WLAN_HT_ACTION_SMPS: {
02257                         struct ieee80211_supported_band *sband;
02258                         u8 smps;
02259 
02260                         /* convert to HT capability */
02261                         switch (mgmt->u.action.u.ht_smps.smps_control) {
02262                         case WLAN_HT_SMPS_CONTROL_DISABLED:
02263                                 smps = WLAN_HT_CAP_SM_PS_DISABLED;
02264                                 break;
02265                         case WLAN_HT_SMPS_CONTROL_STATIC:
02266                                 smps = WLAN_HT_CAP_SM_PS_STATIC;
02267                                 break;
02268                         case WLAN_HT_SMPS_CONTROL_DYNAMIC:
02269                                 smps = WLAN_HT_CAP_SM_PS_DYNAMIC;
02270                                 break;
02271                         default:
02272                                 goto invalid;
02273                         }
02274                         smps <<= IEEE80211_HT_CAP_SM_PS_SHIFT;
02275 
02276                         /* if no change do nothing */
02277                         if ((rx->sta->sta.ht_cap.cap &
02278                                         IEEE80211_HT_CAP_SM_PS) == smps)
02279                                 goto handled;
02280 
02281                         rx->sta->sta.ht_cap.cap &= ~IEEE80211_HT_CAP_SM_PS;
02282                         rx->sta->sta.ht_cap.cap |= smps;
02283 
02284                         sband = rx->local->hw.wiphy->bands[status->band];
02285 
02286                         rate_control_rate_update(local, sband, rx->sta,
02287                                                  IEEE80211_RC_SMPS_CHANGED);
02288                         goto handled;
02289                 }
02290                 default:
02291                         goto invalid;
02292                 }
02293 
02294                 break;
02295         case WLAN_CATEGORY_BACK:
02296                 if (sdata->vif.type != NL80211_IFTYPE_STATION &&
02297                     sdata->vif.type != NL80211_IFTYPE_MESH_POINT &&
02298                     sdata->vif.type != NL80211_IFTYPE_AP_VLAN &&
02299                     sdata->vif.type != NL80211_IFTYPE_AP &&
02300                     sdata->vif.type != NL80211_IFTYPE_ADHOC)
02301                         break;
02302 
02303                 /* verify action_code is present */
02304                 if (len < IEEE80211_MIN_ACTION_SIZE + 1)
02305                         break;
02306 
02307                 switch (mgmt->u.action.u.addba_req.action_code) {
02308                 case WLAN_ACTION_ADDBA_REQ:
02309                         if (len < (IEEE80211_MIN_ACTION_SIZE +
02310                                    sizeof(mgmt->u.action.u.addba_req)))
02311                                 goto invalid;
02312                         break;
02313                 case WLAN_ACTION_ADDBA_RESP:
02314                         if (len < (IEEE80211_MIN_ACTION_SIZE +
02315                                    sizeof(mgmt->u.action.u.addba_resp)))
02316                                 goto invalid;
02317                         break;
02318                 case WLAN_ACTION_DELBA:
02319                         if (len < (IEEE80211_MIN_ACTION_SIZE +
02320                                    sizeof(mgmt->u.action.u.delba)))
02321                                 goto invalid;
02322                         break;
02323                 default:
02324                         goto invalid;
02325                 }
02326 
02327                 goto queue;
02328         case WLAN_CATEGORY_SPECTRUM_MGMT:
02329                 if (local->hw.conf.channel->band != IEEE80211_BAND_5GHZ)
02330                         break;
02331 
02332                 if (sdata->vif.type != NL80211_IFTYPE_STATION)
02333                         break;
02334 
02335                 /* verify action_code is present */
02336                 if (len < IEEE80211_MIN_ACTION_SIZE + 1)
02337                         break;
02338 
02339                 switch (mgmt->u.action.u.measurement.action_code) {
02340                 case WLAN_ACTION_SPCT_MSR_REQ:
02341                         if (len < (IEEE80211_MIN_ACTION_SIZE +
02342                                    sizeof(mgmt->u.action.u.measurement)))
02343                                 break;
02344                         ieee80211_process_measurement_req(sdata, mgmt, len);
02345                         goto handled;
02346                 case WLAN_ACTION_SPCT_CHL_SWITCH:
02347                         if (len < (IEEE80211_MIN_ACTION_SIZE +
02348                                    sizeof(mgmt->u.action.u.chan_switch)))
02349                                 break;
02350 
02351                         if (sdata->vif.type != NL80211_IFTYPE_STATION)
02352                                 break;
02353 
02354                         if (!ether_addr_equal(mgmt->bssid, sdata->u.mgd.bssid))
02355                                 break;
02356 
02357                         goto queue;
02358                 }
02359                 break;
02360         case WLAN_CATEGORY_SA_QUERY:
02361                 if (len < (IEEE80211_MIN_ACTION_SIZE +
02362                            sizeof(mgmt->u.action.u.sa_query)))
02363                         break;
02364 
02365                 switch (mgmt->u.action.u.sa_query.action) {
02366                 case WLAN_ACTION_SA_QUERY_REQUEST:
02367                         if (sdata->vif.type != NL80211_IFTYPE_STATION)
02368                                 break;
02369                         ieee80211_process_sa_query_req(sdata, mgmt, len);
02370                         goto handled;
02371                 }
02372                 break;
02373         case WLAN_CATEGORY_SELF_PROTECTED:
02374                 switch (mgmt->u.action.u.self_prot.action_code) {
02375                 case WLAN_SP_MESH_PEERING_OPEN:
02376                 case WLAN_SP_MESH_PEERING_CLOSE:
02377                 case WLAN_SP_MESH_PEERING_CONFIRM:
02378                         if (!ieee80211_vif_is_mesh(&sdata->vif))
02379                                 goto invalid;
02380                         if (sdata->u.mesh.security != IEEE80211_MESH_SEC_NONE)
02381                                 /* userspace handles this frame */
02382                                 break;
02383                         goto queue;
02384                 case WLAN_SP_MGK_INFORM:
02385                 case WLAN_SP_MGK_ACK:
02386                         if (!ieee80211_vif_is_mesh(&sdata->vif))
02387                                 goto invalid;
02388                         break;
02389                 }
02390                 break;
02391         case WLAN_CATEGORY_MESH_ACTION:
02392                 if (!ieee80211_vif_is_mesh(&sdata->vif))
02393                         break;
02394                 if (mesh_action_is_path_sel(mgmt) &&
02395                   (!mesh_path_sel_is_hwmp(sdata)))
02396                         break;
02397                 goto queue;
02398         }
02399 
02400         return RX_CONTINUE;
02401 
02402  invalid:
02403         status->rx_flags |= IEEE80211_RX_MALFORMED_ACTION_FRM;
02404         /* will return in the next handlers */
02405         return RX_CONTINUE;
02406 
02407  handled:
02408         if (rx->sta)
02409                 rx->sta->rx_packets++;
02410         dev_kfree_skb(rx->skb);
02411         return RX_QUEUED;
02412 
02413  queue:
02414         rx->skb->pkt_type = IEEE80211_SDATA_QUEUE_TYPE_FRAME;
02415         skb_queue_tail(&sdata->skb_queue, rx->skb);
02416         ieee80211_queue_work(&local->hw, &sdata->work);
02417         if (rx->sta)
02418                 rx->sta->rx_packets++;
02419         return RX_QUEUED;
02420 }
02421 
02422 static ieee80211_rx_result debug_noinline
02423 ieee80211_rx_h_userspace_mgmt(struct ieee80211_rx_data *rx)
02424 {
02425         struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(rx->skb);
02426         int sig = 0;
02427 
02428         /* skip known-bad action frames and return them in the next handler */
02429         if (status->rx_flags & IEEE80211_RX_MALFORMED_ACTION_FRM)
02430                 return RX_CONTINUE;
02431 
02432         /*
02433          * Getting here means the kernel doesn't know how to handle
02434          * it, but maybe userspace does ... include returned frames
02435          * so userspace can register for those to know whether ones
02436          * it transmitted were processed or returned.
02437          */
02438 
02439         if (rx->local->hw.flags & IEEE80211_HW_SIGNAL_DBM)
02440                 sig = status->signal;
02441 
02442         if (cfg80211_rx_mgmt(rx->sdata->dev, status->freq, sig,
02443                              rx->skb->data, rx->skb->len,
02444                              GFP_ATOMIC)) {
02445                 if (rx->sta)
02446                         rx->sta->rx_packets++;
02447                 dev_kfree_skb(rx->skb);
02448                 return RX_QUEUED;
02449         }
02450 
02451 
02452         return RX_CONTINUE;
02453 }
02454 
02455 static ieee80211_rx_result debug_noinline
02456 ieee80211_rx_h_action_return(struct ieee80211_rx_data *rx)
02457 {
02458         struct ieee80211_local *local = rx->local;
02459         struct ieee80211_mgmt *mgmt = (struct ieee80211_mgmt *) rx->skb->data;
02460         struct sk_buff *nskb;
02461         struct ieee80211_sub_if_data *sdata = rx->sdata;
02462         struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(rx->skb);
02463 
02464         if (!ieee80211_is_action(mgmt->frame_control))
02465                 return RX_CONTINUE;
02466 
02467         /*
02468          * For AP mode, hostapd is responsible for handling any action
02469          * frames that we didn't handle, including returning unknown
02470          * ones. For all other modes we will return them to the sender,
02471          * setting the 0x80 bit in the action category, as required by
02472          * 802.11-2012 9.24.4.
02473          * Newer versions of hostapd shall also use the management frame
02474          * registration mechanisms, but older ones still use cooked
02475          * monitor interfaces so push all frames there.
02476          */
02477         if (!(status->rx_flags & IEEE80211_RX_MALFORMED_ACTION_FRM) &&
02478             (sdata->vif.type == NL80211_IFTYPE_AP ||
02479              sdata->vif.type == NL80211_IFTYPE_AP_VLAN))
02480                 return RX_DROP_MONITOR;
02481 
02482         if (is_multicast_ether_addr(mgmt->da))
02483                 return RX_DROP_MONITOR;
02484 
02485         /* do not return rejected action frames */
02486         if (mgmt->u.action.category & 0x80)
02487                 return RX_DROP_UNUSABLE;
02488 
02489         nskb = skb_copy_expand(rx->skb, local->hw.extra_tx_headroom, 0,
02490                                GFP_ATOMIC);
02491         if (nskb) {
02492                 struct ieee80211_mgmt *nmgmt = (void *)nskb->data;
02493 
02494                 nmgmt->u.action.category |= 0x80;
02495                 memcpy(nmgmt->da, nmgmt->sa, ETH_ALEN);
02496                 memcpy(nmgmt->sa, rx->sdata->vif.addr, ETH_ALEN);
02497 
02498                 memset(nskb->cb, 0, sizeof(nskb->cb));
02499 
02500                 ieee80211_tx_skb(rx->sdata, nskb);
02501         }
02502         dev_kfree_skb(rx->skb);
02503         return RX_QUEUED;
02504 }
02505 
02506 static ieee80211_rx_result debug_noinline
02507 ieee80211_rx_h_mgmt(struct ieee80211_rx_data *rx)
02508 {
02509         struct ieee80211_sub_if_data *sdata = rx->sdata;
02510         struct ieee80211_mgmt *mgmt = (void *)rx->skb->data;
02511         __le16 stype;
02512 
02513         stype = mgmt->frame_control & cpu_to_le16(IEEE80211_FCTL_STYPE);
02514 
02515         if (!ieee80211_vif_is_mesh(&sdata->vif) &&
02516             sdata->vif.type != NL80211_IFTYPE_ADHOC &&
02517             sdata->vif.type != NL80211_IFTYPE_STATION)
02518                 return RX_DROP_MONITOR;
02519 
02520         switch (stype) {
02521         case cpu_to_le16(IEEE80211_STYPE_AUTH):
02522         case cpu_to_le16(IEEE80211_STYPE_BEACON):
02523         case cpu_to_le16(IEEE80211_STYPE_PROBE_RESP):
02524                 /* process for all: mesh, mlme, ibss */
02525                 break;
02526         case cpu_to_le16(IEEE80211_STYPE_ASSOC_RESP):
02527         case cpu_to_le16(IEEE80211_STYPE_REASSOC_RESP):
02528         case cpu_to_le16(IEEE80211_STYPE_DEAUTH):
02529         case cpu_to_le16(IEEE80211_STYPE_DISASSOC):
02530                 if (is_multicast_ether_addr(mgmt->da) &&
02531                     !is_broadcast_ether_addr(mgmt->da))
02532                         return RX_DROP_MONITOR;
02533 
02534                 /* process only for station */
02535                 if (sdata->vif.type != NL80211_IFTYPE_STATION)
02536                         return RX_DROP_MONITOR;
02537                 break;
02538         case cpu_to_le16(IEEE80211_STYPE_PROBE_REQ):
02539                 /* process only for ibss */
02540                 if (sdata->vif.type != NL80211_IFTYPE_ADHOC)
02541                         return RX_DROP_MONITOR;
02542                 break;
02543         default:
02544                 return RX_DROP_MONITOR;
02545         }
02546 
02547         /* queue up frame and kick off work to process it */
02548         rx->skb->pkt_type = IEEE80211_SDATA_QUEUE_TYPE_FRAME;
02549         skb_queue_tail(&sdata->skb_queue, rx->skb);
02550         ieee80211_queue_work(&rx->local->hw, &sdata->work);
02551         if (rx->sta)
02552                 rx->sta->rx_packets++;
02553 
02554         return RX_QUEUED;
02555 }
02556 
02557 /* TODO: use IEEE80211_RX_FRAGMENTED */
02558 static void ieee80211_rx_cooked_monitor(struct ieee80211_rx_data *rx,
02559                                         struct ieee80211_rate *rate)
02560 {
02561         struct ieee80211_sub_if_data *sdata;
02562         struct ieee80211_local *local = rx->local;
02563         struct sk_buff *skb = rx->skb, *skb2;
02564         struct net_device *prev_dev = NULL;
02565         struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb);
02566         int needed_headroom;
02567 
02568         /*
02569          * If cooked monitor has been processed already, then
02570          * don't do it again. If not, set the flag.
02571          */
02572         if (rx->flags & IEEE80211_RX_CMNTR)
02573                 goto out_free_skb;
02574         rx->flags |= IEEE80211_RX_CMNTR;
02575 
02576         /* If there are no cooked monitor interfaces, just free the SKB */
02577         if (!local->cooked_mntrs)
02578                 goto out_free_skb;
02579 
02580         /* room for the radiotap header based on driver features */
02581         needed_headroom = ieee80211_rx_radiotap_len(local, status);
02582 
02583         if (skb_headroom(skb) < needed_headroom &&
02584             pskb_expand_head(skb, needed_headroom, 0, GFP_ATOMIC))
02585                 goto out_free_skb;
02586 
02587         /* prepend radiotap information */
02588         ieee80211_add_rx_radiotap_header(local, skb, rate, needed_headroom,
02589                                          false);
02590 
02591         skb_set_mac_header(skb, 0);
02592         skb->ip_summed = CHECKSUM_UNNECESSARY;
02593         skb->pkt_type = PACKET_OTHERHOST;
02594         skb->protocol = htons(ETH_P_802_2);
02595 
02596         list_for_each_entry_rcu(sdata, &local->interfaces, list) {
02597                 if (!ieee80211_sdata_running(sdata))
02598                         continue;
02599 
02600                 if (sdata->vif.type != NL80211_IFTYPE_MONITOR ||
02601                     !(sdata->u.mntr_flags & MONITOR_FLAG_COOK_FRAMES))
02602                         continue;
02603 
02604                 if (prev_dev) {
02605                         skb2 = skb_clone(skb, GFP_ATOMIC);
02606                         if (skb2) {
02607                                 skb2->dev = prev_dev;
02608                                 netif_receive_skb(skb2);
02609                         }
02610                 }
02611 
02612                 prev_dev = sdata->dev;
02613                 sdata->dev->stats.rx_packets++;
02614                 sdata->dev->stats.rx_bytes += skb->len;
02615         }
02616 
02617         if (prev_dev) {
02618                 skb->dev = prev_dev;
02619                 netif_receive_skb(skb);
02620                 return;
02621         }
02622 
02623  out_free_skb:
02624         dev_kfree_skb(skb);
02625 }
02626 
02627 static void ieee80211_rx_handlers_result(struct ieee80211_rx_data *rx,
02628                                          ieee80211_rx_result res)
02629 {
02630         switch (res) {
02631         case RX_DROP_MONITOR:
02632                 I802_DEBUG_INC(rx->sdata->local->rx_handlers_drop);
02633                 if (rx->sta)
02634                         rx->sta->rx_dropped++;
02635                 /* fall through */
02636         case RX_CONTINUE: {
02637                 struct ieee80211_rate *rate = NULL;
02638                 struct ieee80211_supported_band *sband;
02639                 struct ieee80211_rx_status *status;
02640 
02641                 status = IEEE80211_SKB_RXCB((rx->skb));
02642 
02643                 sband = rx->local->hw.wiphy->bands[status->band];
02644                 if (!(status->flag & RX_FLAG_HT))
02645                         rate = &sband->bitrates[status->rate_idx];
02646 
02647                 ieee80211_rx_cooked_monitor(rx, rate);
02648                 break;
02649                 }
02650         case RX_DROP_UNUSABLE:
02651                 I802_DEBUG_INC(rx->sdata->local->rx_handlers_drop);
02652                 if (rx->sta)
02653                         rx->sta->rx_dropped++;
02654                 dev_kfree_skb(rx->skb);
02655                 break;
02656         case RX_QUEUED:
02657                 I802_DEBUG_INC(rx->sdata->local->rx_handlers_queued);
02658                 break;
02659         }
02660 }
02661 
02662 static void ieee80211_rx_handlers(struct ieee80211_rx_data *rx)
02663 {
02664         ieee80211_rx_result res = RX_DROP_MONITOR;
02665         struct sk_buff *skb;
02666 
02667 #define CALL_RXH(rxh)                   \
02668         do {                            \
02669                 res = rxh(rx);          \
02670                 if (res != RX_CONTINUE) \
02671                         goto rxh_next;  \
02672         } while (0);
02673 
02674         spin_lock(&rx->local->rx_skb_queue.lock);
02675         if (rx->local->running_rx_handler)
02676                 goto unlock;
02677 
02678         rx->local->running_rx_handler = true;
02679 
02680         while ((skb = __skb_dequeue(&rx->local->rx_skb_queue))) {
02681                 spin_unlock(&rx->local->rx_skb_queue.lock);
02682 
02683                 /*
02684                  * all the other fields are valid across frames
02685                  * that belong to an aMPDU since they are on the
02686                  * same TID from the same station
02687                  */
02688                 rx->skb = skb;
02689 
02690                 CALL_RXH(ieee80211_rx_h_decrypt)
02691                 CALL_RXH(ieee80211_rx_h_check_more_data)
02692                 CALL_RXH(ieee80211_rx_h_uapsd_and_pspoll)
02693                 CALL_RXH(ieee80211_rx_h_sta_process)
02694                 CALL_RXH(ieee80211_rx_h_defragment)
02695                 CALL_RXH(ieee80211_rx_h_michael_mic_verify)
02696                 /* must be after MMIC verify so header is counted in MPDU mic */
02697 #ifdef CONFIG_MAC80211_MESH
02698                 if (ieee80211_vif_is_mesh(&rx->sdata->vif))
02699                         CALL_RXH(ieee80211_rx_h_mesh_fwding);
02700 #endif
02701                 CALL_RXH(ieee80211_rx_h_amsdu)
02702                 CALL_RXH(ieee80211_rx_h_data)
02703                 CALL_RXH(ieee80211_rx_h_ctrl);
02704                 CALL_RXH(ieee80211_rx_h_mgmt_check)
02705                 CALL_RXH(ieee80211_rx_h_action)
02706                 CALL_RXH(ieee80211_rx_h_userspace_mgmt)
02707                 CALL_RXH(ieee80211_rx_h_action_return)
02708                 CALL_RXH(ieee80211_rx_h_mgmt)
02709 
02710  rxh_next:
02711                 ieee80211_rx_handlers_result(rx, res);
02712                 spin_lock(&rx->local->rx_skb_queue.lock);
02713 #undef CALL_RXH
02714         }
02715 
02716         rx->local->running_rx_handler = false;
02717 
02718  unlock:
02719         spin_unlock(&rx->local->rx_skb_queue.lock);
02720 }
02721 
02722 static void ieee80211_invoke_rx_handlers(struct ieee80211_rx_data *rx)
02723 {
02724         ieee80211_rx_result res = RX_DROP_MONITOR;
02725 
02726 #define CALL_RXH(rxh)                   \
02727         do {                            \
02728                 res = rxh(rx);          \
02729                 if (res != RX_CONTINUE) \
02730                         goto rxh_next;  \
02731         } while (0);
02732 
02733         CALL_RXH(ieee80211_rx_h_passive_scan)
02734         CALL_RXH(ieee80211_rx_h_check)
02735 
02736         ieee80211_rx_reorder_ampdu(rx);
02737 
02738         ieee80211_rx_handlers(rx);
02739         return;
02740 
02741  rxh_next:
02742         ieee80211_rx_handlers_result(rx, res);
02743 
02744 #undef CALL_RXH
02745 }
02746 
02747 /*
02748  * This function makes calls into the RX path, therefore
02749  * it has to be invoked under RCU read lock.
02750  */
02751 void ieee80211_release_reorder_timeout(struct sta_info *sta, int tid)
02752 {
02753         struct ieee80211_rx_data rx = {
02754                 .sta = sta,
02755                 .sdata = sta->sdata,
02756                 .local = sta->local,
02757                 /* This is OK -- must be QoS data frame */
02758                 .security_idx = tid,
02759                 .seqno_idx = tid,
02760                 .flags = 0,
02761         };
02762         struct tid_ampdu_rx *tid_agg_rx;
02763 
02764         tid_agg_rx = rcu_dereference(sta->ampdu_mlme.tid_rx[tid]);
02765         if (!tid_agg_rx)
02766                 return;
02767 
02768         spin_lock(&tid_agg_rx->reorder_lock);
02769         ieee80211_sta_reorder_release(&sta->local->hw, tid_agg_rx);
02770         spin_unlock(&tid_agg_rx->reorder_lock);
02771 
02772         ieee80211_rx_handlers(&rx);
02773 }
02774 
02775 /* main receive path */
02776 
02777 static int prepare_for_handlers(struct ieee80211_rx_data *rx,
02778                                 struct ieee80211_hdr *hdr)
02779 {
02780         struct ieee80211_sub_if_data *sdata = rx->sdata;
02781         struct sk_buff *skb = rx->skb;
02782         struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb);
02783         u8 *bssid = ieee80211_get_bssid(hdr, skb->len, sdata->vif.type);
02784         int multicast = is_multicast_ether_addr(hdr->addr1);
02785 
02786         switch (sdata->vif.type) {
02787         case NL80211_IFTYPE_STATION:
02788                 if (!bssid && !sdata->u.mgd.use_4addr)
02789                         return 0;
02790                 if (!multicast &&
02791                     !ether_addr_equal(sdata->vif.addr, hdr->addr1)) {
02792                         if (!(sdata->dev->flags & IFF_PROMISC) ||
02793                             sdata->u.mgd.use_4addr)
02794                                 return 0;
02795                         status->rx_flags &= ~IEEE80211_RX_RA_MATCH;
02796                 }
02797                 break;
02798         case NL80211_IFTYPE_ADHOC:
02799                 if (!bssid)
02800                         return 0;
02801                 if (ieee80211_is_beacon(hdr->frame_control)) {
02802                         return 1;
02803                 }
02804                 else if (!ieee80211_bssid_match(bssid, sdata->u.ibss.bssid)) {
02805                         if (!(status->rx_flags & IEEE80211_RX_IN_SCAN))
02806                                 return 0;
02807                         status->rx_flags &= ~IEEE80211_RX_RA_MATCH;
02808                 } else if (!multicast &&
02809                            !ether_addr_equal(sdata->vif.addr, hdr->addr1)) {
02810                         if (!(sdata->dev->flags & IFF_PROMISC))
02811                                 return 0;
02812                         status->rx_flags &= ~IEEE80211_RX_RA_MATCH;
02813                 } else if (!rx->sta) {
02814                         int rate_idx;
02815                         if (status->flag & RX_FLAG_HT)
02816                                 rate_idx = 0; /* TODO: HT rates */
02817                         else
02818                                 rate_idx = status->rate_idx;
02819                         ieee80211_ibss_rx_no_sta(sdata, bssid, hdr->addr2,
02820                                                  BIT(rate_idx));
02821                 }
02822                 break;
02823         case NL80211_IFTYPE_MESH_POINT:
02824                 if (!multicast &&
02825                     !ether_addr_equal(sdata->vif.addr, hdr->addr1)) {
02826                         if (!(sdata->dev->flags & IFF_PROMISC))
02827                                 return 0;
02828 
02829                         status->rx_flags &= ~IEEE80211_RX_RA_MATCH;
02830                 }
02831                 break;
02832         case NL80211_IFTYPE_AP_VLAN:
02833         case NL80211_IFTYPE_AP:
02834                 if (!bssid) {
02835                         if (!ether_addr_equal(sdata->vif.addr, hdr->addr1))
02836                                 return 0;
02837                 } else if (!ieee80211_bssid_match(bssid,
02838                                         sdata->vif.addr)) {
02839                         /*
02840                          * Accept public action frames even when the
02841                          * BSSID doesn't match, this is used for P2P
02842                          * and location updates. Note that mac80211
02843                          * itself never looks at these frames.
02844                          */
02845                         if (!(status->rx_flags & IEEE80211_RX_IN_SCAN) &&
02846                             ieee80211_is_public_action(hdr, skb->len))
02847                                 return 1;
02848                         if (!(status->rx_flags & IEEE80211_RX_IN_SCAN) &&
02849                             !ieee80211_is_beacon(hdr->frame_control))
02850                                 return 0;
02851                         status->rx_flags &= ~IEEE80211_RX_RA_MATCH;
02852                 }
02853                 break;
02854         case NL80211_IFTYPE_WDS:
02855                 if (bssid || !ieee80211_is_data(hdr->frame_control))
02856                         return 0;
02857                 if (!ether_addr_equal(sdata->u.wds.remote_addr, hdr->addr2))
02858                         return 0;
02859                 break;
02860         default:
02861                 /* should never get here */
02862                 WARN_ON(1);
02863                 break;
02864         }
02865 
02866         return 1;
02867 }
02868 
02869 /*
02870  * This function returns whether or not the SKB
02871  * was destined for RX processing or not, which,
02872  * if consume is true, is equivalent to whether
02873  * or not the skb was consumed.
02874  */
02875 static bool ieee80211_prepare_and_rx_handle(struct ieee80211_rx_data *rx,
02876                                             struct sk_buff *skb, bool consume)
02877 {
02878         struct ieee80211_local *local = rx->local;
02879         struct ieee80211_sub_if_data *sdata = rx->sdata;
02880         struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb);
02881         struct ieee80211_hdr *hdr = (void *)skb->data;
02882         int prepares;
02883 
02884         rx->skb = skb;
02885         status->rx_flags |= IEEE80211_RX_RA_MATCH;
02886         prepares = prepare_for_handlers(rx, hdr);
02887 
02888         if (!prepares)
02889                 return false;
02890 
02891         if (!consume) {
02892                 skb = skb_copy(skb, GFP_ATOMIC);
02893                 if (!skb) {
02894                         if (net_ratelimit())
02895                                 wiphy_debug(local->hw.wiphy,
02896                                         "failed to copy skb for %s\n",
02897                                         sdata->name);
02898                         return true;
02899                 }
02900 
02901                 rx->skb = skb;
02902         }
02903 
02904         ieee80211_invoke_rx_handlers(rx);
02905         return true;
02906 }
02907 
02908 /*
02909  * This is the actual Rx frames handler. as it blongs to Rx path it must
02910  * be called with rcu_read_lock protection.
02911  */
02912 static void __ieee80211_rx_handle_packet(struct ieee80211_hw *hw,
02913                                          struct sk_buff *skb)
02914 {
02915         struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb);
02916         struct ieee80211_local *local = hw_to_local(hw);
02917         struct ieee80211_sub_if_data *sdata;
02918         struct ieee80211_hdr *hdr;
02919         __le16 fc;
02920         struct ieee80211_rx_data rx;
02921         struct ieee80211_sub_if_data *prev;
02922         struct sta_info *sta, *tmp, *prev_sta;
02923         int err = 0;
02924 
02925         fc = ((struct ieee80211_hdr *)skb->data)->frame_control;
02926         memset(&rx, 0, sizeof(rx));
02927         rx.skb = skb;
02928         rx.local = local;
02929 
02930         if (ieee80211_is_data(fc) || ieee80211_is_mgmt(fc))
02931                 local->dot11ReceivedFragmentCount++;
02932 
02933         if (unlikely(test_bit(SCAN_HW_SCANNING, &local->scanning) ||
02934                      test_bit(SCAN_ONCHANNEL_SCANNING, &local->scanning) ||
02935                      test_bit(SCAN_SW_SCANNING, &local->scanning)))
02936                 status->rx_flags |= IEEE80211_RX_IN_SCAN;
02937 
02938         if (ieee80211_is_mgmt(fc))
02939                 err = skb_linearize(skb);
02940         else
02941                 err = !pskb_may_pull(skb, ieee80211_hdrlen(fc));
02942 
02943         if (err) {
02944                 dev_kfree_skb(skb);
02945                 return;
02946         }
02947 
02948         hdr = (struct ieee80211_hdr *)skb->data;
02949         ieee80211_parse_qos(&rx);
02950         ieee80211_verify_alignment(&rx);
02951 
02952         if (ieee80211_is_data(fc)) {
02953                 prev_sta = NULL;
02954 
02955                 for_each_sta_info(local, hdr->addr2, sta, tmp) {
02956                         if (!prev_sta) {
02957                                 prev_sta = sta;
02958                                 continue;
02959                         }
02960 
02961                         rx.sta = prev_sta;
02962                         rx.sdata = prev_sta->sdata;
02963                         ieee80211_prepare_and_rx_handle(&rx, skb, false);
02964 
02965                         prev_sta = sta;
02966                 }
02967 
02968                 if (prev_sta) {
02969                         rx.sta = prev_sta;
02970                         rx.sdata = prev_sta->sdata;
02971 
02972                         if (ieee80211_prepare_and_rx_handle(&rx, skb, true))
02973                                 return;
02974                         goto out;
02975                 }
02976         }
02977 
02978         prev = NULL;
02979 
02980         list_for_each_entry_rcu(sdata, &local->interfaces, list) {
02981                 if (!ieee80211_sdata_running(sdata))
02982                         continue;
02983 
02984                 if (sdata->vif.type == NL80211_IFTYPE_MONITOR ||
02985                     sdata->vif.type == NL80211_IFTYPE_AP_VLAN)
02986                         continue;
02987 
02988                 /*
02989                  * frame is destined for this interface, but if it's
02990                  * not also for the previous one we handle that after
02991                  * the loop to avoid copying the SKB once too much
02992                  */
02993 
02994                 if (!prev) {
02995                         prev = sdata;
02996                         continue;
02997                 }
02998 
02999                 rx.sta = sta_info_get_bss(prev, hdr->addr2);
03000                 rx.sdata = prev;
03001                 ieee80211_prepare_and_rx_handle(&rx, skb, false);
03002 
03003                 prev = sdata;
03004         }
03005 
03006         if (prev) {
03007                 rx.sta = sta_info_get_bss(prev, hdr->addr2);
03008                 rx.sdata = prev;
03009 
03010                 if (ieee80211_prepare_and_rx_handle(&rx, skb, true))
03011                         return;
03012         }
03013 
03014  out:
03015         dev_kfree_skb(skb);
03016 }
03017 
03018 /*
03019  * This is the receive path handler. It is called by a low level driver when an
03020  * 802.11 MPDU is received from the hardware.
03021  */
03022 void ieee80211_rx(struct ieee80211_hw *hw, struct sk_buff *skb)
03023 {
03024         struct ieee80211_local *local = hw_to_local(hw);
03025         struct ieee80211_rate *rate = NULL;
03026         struct ieee80211_supported_band *sband;
03027         struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb);
03028 
03029         WARN_ON_ONCE(softirq_count() == 0);
03030 
03031         if (WARN_ON(status->band < 0 ||
03032                     status->band >= IEEE80211_NUM_BANDS))
03033                 goto drop;
03034 
03035         sband = local->hw.wiphy->bands[status->band];
03036         if (WARN_ON(!sband))
03037                 goto drop;
03038 
03039         /*
03040          * If we're suspending, it is possible although not too likely
03041          * that we'd be receiving frames after having already partially
03042          * quiesced the stack. We can't process such frames then since
03043          * that might, for example, cause stations to be added or other
03044          * driver callbacks be invoked.
03045          */
03046         if (unlikely(local->quiescing || local->suspended))
03047                 goto drop;
03048 
03049         /*
03050          * The same happens when we're not even started,
03051          * but that's worth a warning.
03052          */
03053         if (WARN_ON(!local->started))
03054                 goto drop;
03055 
03056         if (likely(!(status->flag & RX_FLAG_FAILED_PLCP_CRC))) {
03057                 /*
03058                  * Validate the rate, unless a PLCP error means that
03059                  * we probably can't have a valid rate here anyway.
03060                  */
03061 
03062                 if (status->flag & RX_FLAG_HT) {
03063                         /*
03064                          * rate_idx is MCS index, which can be [0-76]
03065                          * as documented on:
03066                          *
03067                          * http://wireless.kernel.org/en/developers/Documentation/ieee80211/802.11n
03068                          *
03069                          * Anything else would be some sort of driver or
03070                          * hardware error. The driver should catch hardware
03071                          * errors.
03072                          */
03073                         if (WARN((status->rate_idx < 0 ||
03074                                  status->rate_idx > 76),
03075                                  "Rate marked as an HT rate but passed "
03076                                  "status->rate_idx is not "
03077                                  "an MCS index [0-76]: %d (0x%02x)\n",
03078                                  status->rate_idx,
03079                                  status->rate_idx))
03080                                 goto drop;
03081                 } else {
03082                         if (WARN_ON(status->rate_idx < 0 ||
03083                                     status->rate_idx >= sband->n_bitrates))
03084                                 goto drop;
03085                         rate = &sband->bitrates[status->rate_idx];
03086                 }
03087         }
03088 
03089         status->rx_flags = 0;
03090 
03091         /*
03092          * key references and virtual interfaces are protected using RCU
03093          * and this requires that we are in a read-side RCU section during
03094          * receive processing
03095          */
03096         rcu_read_lock();
03097 
03098         /*
03099          * Frames with failed FCS/PLCP checksum are not returned,
03100          * all other frames are returned without radiotap header
03101          * if it was previously present.
03102          * Also, frames with less than 16 bytes are dropped.
03103          */
03104         skb = ieee80211_rx_monitor(local, skb, rate);
03105         if (!skb) {
03106                 rcu_read_unlock();
03107                 return;
03108         }
03109 
03110         ieee80211_tpt_led_trig_rx(local,
03111                         ((struct ieee80211_hdr *)skb->data)->frame_control,
03112                         skb->len);
03113         __ieee80211_rx_handle_packet(hw, skb);
03114 
03115         rcu_read_unlock();
03116 
03117         return;
03118  drop:
03119         kfree_skb(skb);
03120 }
03121 EXPORT_SYMBOL(ieee80211_rx);
03122 
03123 /* This is a version of the rx handler that can be called from hard irq
03124  * context. Post the skb on the queue and schedule the tasklet */
03125 void ieee80211_rx_irqsafe(struct ieee80211_hw *hw, struct sk_buff *skb)
03126 {
03127         struct ieee80211_local *local = hw_to_local(hw);
03128 
03129         BUILD_BUG_ON(sizeof(struct ieee80211_rx_status) > sizeof(skb->cb));
03130 
03131         skb->pkt_type = IEEE80211_RX_MSG;
03132         skb_queue_tail(&local->skb_queue, skb);
03133         tasklet_schedule(&local->tasklet);
03134 }
03135 EXPORT_SYMBOL(ieee80211_rx_irqsafe);