rx.c 102 KB
Newer Older
1 2 3 4
/*
 * Copyright 2002-2005, Instant802 Networks, Inc.
 * Copyright 2005-2006, Devicescape Software, Inc.
 * Copyright 2006-2007	Jiri Benc <jbenc@suse.cz>
5
 * Copyright 2007-2010	Johannes Berg <johannes@sipsolutions.net>
6
 * Copyright 2013-2014  Intel Mobile Communications GmbH
7 8 9 10 11 12
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License version 2 as
 * published by the Free Software Foundation.
 */

13
#include <linux/jiffies.h>
14
#include <linux/slab.h>
15 16 17 18
#include <linux/kernel.h>
#include <linux/skbuff.h>
#include <linux/netdevice.h>
#include <linux/etherdevice.h>
19
#include <linux/rcupdate.h>
20
#include <linux/export.h>
21 22
#include <net/mac80211.h>
#include <net/ieee80211_radiotap.h>
23
#include <asm/unaligned.h>
24 25

#include "ieee80211_i.h"
26
#include "driver-ops.h"
Johannes Berg's avatar
Johannes Berg committed
27
#include "led.h"
28
#include "mesh.h"
29 30 31 32
#include "wep.h"
#include "wpa.h"
#include "tkip.h"
#include "wme.h"
33
#include "rate.h"
34

35 36 37 38 39 40 41 42 43 44
static inline void ieee80211_rx_stats(struct net_device *dev, u32 len)
{
	struct pcpu_sw_netstats *tstats = this_cpu_ptr(dev->tstats);

	u64_stats_update_begin(&tstats->syncp);
	tstats->rx_packets++;
	tstats->rx_bytes += len;
	u64_stats_update_end(&tstats->syncp);
}

45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89
static u8 *ieee80211_get_bssid(struct ieee80211_hdr *hdr, size_t len,
			       enum nl80211_iftype type)
{
	__le16 fc = hdr->frame_control;

	if (ieee80211_is_data(fc)) {
		if (len < 24) /* drop incorrect hdr len (data) */
			return NULL;

		if (ieee80211_has_a4(fc))
			return NULL;
		if (ieee80211_has_tods(fc))
			return hdr->addr1;
		if (ieee80211_has_fromds(fc))
			return hdr->addr2;

		return hdr->addr3;
	}

	if (ieee80211_is_mgmt(fc)) {
		if (len < 24) /* drop incorrect hdr len (mgmt) */
			return NULL;
		return hdr->addr3;
	}

	if (ieee80211_is_ctl(fc)) {
		if (ieee80211_is_pspoll(fc))
			return hdr->addr1;

		if (ieee80211_is_back_req(fc)) {
			switch (type) {
			case NL80211_IFTYPE_STATION:
				return hdr->addr2;
			case NL80211_IFTYPE_AP:
			case NL80211_IFTYPE_AP_VLAN:
				return hdr->addr1;
			default:
				break; /* fall through to the return */
			}
		}
	}

	return NULL;
}

90 91 92 93 94 95 96
/*
 * monitor mode reception
 *
 * This function cleans up the SKB, i.e. it removes all the stuff
 * only useful for monitoring.
 */
static struct sk_buff *remove_monitor_info(struct ieee80211_local *local,
97 98
					   struct sk_buff *skb,
					   unsigned int rtap_vendor_space)
99
{
100
	if (ieee80211_hw_check(&local->hw, RX_INCLUDES_FCS)) {
101
		if (likely(skb->len > FCS_LEN))
Zhu Yi's avatar
Zhu Yi committed
102
			__pskb_trim(skb, skb->len - FCS_LEN);
103 104 105 106
		else {
			/* driver bug */
			WARN_ON(1);
			dev_kfree_skb(skb);
107
			return NULL;
108 109 110
		}
	}

111 112
	__pskb_pull(skb, rtap_vendor_space);

113 114 115
	return skb;
}

116 117
static inline bool should_drop_frame(struct sk_buff *skb, int present_fcs_len,
				     unsigned int rtap_vendor_space)
118
{
119
	struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb);
120 121 122
	struct ieee80211_hdr *hdr;

	hdr = (void *)(skb->data + rtap_vendor_space);
123

124
	if (status->flag & (RX_FLAG_FAILED_FCS_CRC |
125
			    RX_FLAG_FAILED_PLCP_CRC))
126 127
		return true;

128
	if (unlikely(skb->len < 16 + present_fcs_len + rtap_vendor_space))
129 130
		return true;

131 132 133
	if (ieee80211_is_ctl(hdr->frame_control) &&
	    !ieee80211_is_pspoll(hdr->frame_control) &&
	    !ieee80211_is_back_req(hdr->frame_control))
134 135 136
		return true;

	return false;
137 138
}

139
static int
140 141 142
ieee80211_rx_radiotap_hdrlen(struct ieee80211_local *local,
			     struct ieee80211_rx_status *status,
			     struct sk_buff *skb)
143 144 145 146
{
	int len;

	/* always present fields */
147
	len = sizeof(struct ieee80211_radiotap_header) + 8;
148

149 150 151
	/* allocate extra bitmaps */
	if (status->chains)
		len += 4 * hweight8(status->chains);
152 153 154

	if (ieee80211_have_rx_timestamp(status)) {
		len = ALIGN(len, 8);
155
		len += 8;
156
	}
157
	if (ieee80211_hw_check(&local->hw, SIGNAL_DBM))
158 159
		len += 1;

160 161 162 163
	/* antenna field, if we don't have per-chain info */
	if (!status->chains)
		len += 1;

164 165
	/* padding for RX_FLAGS if necessary */
	len = ALIGN(len, 2);
166

167 168 169
	if (status->flag & RX_FLAG_HT) /* HT info */
		len += 3;

170
	if (status->flag & RX_FLAG_AMPDU_DETAILS) {
171
		len = ALIGN(len, 4);
172 173 174
		len += 8;
	}

175 176 177 178 179
	if (status->flag & RX_FLAG_VHT) {
		len = ALIGN(len, 2);
		len += 12;
	}

180 181 182 183 184
	if (status->chains) {
		/* antenna and antenna signal fields */
		len += 2 * hweight8(status->chains);
	}

185 186 187 188 189 190 191 192 193 194 195 196 197 198 199
	if (status->flag & RX_FLAG_RADIOTAP_VENDOR_DATA) {
		struct ieee80211_vendor_radiotap *rtap = (void *)skb->data;

		/* vendor presence bitmap */
		len += 4;
		/* alignment for fixed 6-byte vendor data header */
		len = ALIGN(len, 2);
		/* vendor data header */
		len += 6;
		if (WARN_ON(rtap->align == 0))
			rtap->align = 1;
		len = ALIGN(len, rtap->align);
		len += rtap->len + rtap->pad;
	}

200 201 202
	return len;
}

203
/*
204 205 206 207 208 209 210 211
 * ieee80211_add_rx_radiotap_header - add radiotap header
 *
 * add a radiotap header containing all the fields which the hardware provided.
 */
static void
ieee80211_add_rx_radiotap_header(struct ieee80211_local *local,
				 struct sk_buff *skb,
				 struct ieee80211_rate *rate,
212
				 int rtap_len, bool has_fcs)
213
{
214
	struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb);
215 216
	struct ieee80211_radiotap_header *rthdr;
	unsigned char *pos;
217 218
	__le32 *it_present;
	u32 it_present_val;
219
	u16 rx_flags = 0;
220
	u16 channel_flags = 0;
221 222
	int mpdulen, chain;
	unsigned long chains = status->chains;
223 224 225 226 227 228 229
	struct ieee80211_vendor_radiotap rtap = {};

	if (status->flag & RX_FLAG_RADIOTAP_VENDOR_DATA) {
		rtap = *(struct ieee80211_vendor_radiotap *)skb->data;
		/* rtap.len and rtap.pad are undone immediately */
		skb_pull(skb, sizeof(rtap) + rtap.len + rtap.pad);
	}
230 231

	mpdulen = skb->len;
232
	if (!(has_fcs && ieee80211_hw_check(&local->hw, RX_INCLUDES_FCS)))
233
		mpdulen += FCS_LEN;
234 235

	rthdr = (struct ieee80211_radiotap_header *)skb_push(skb, rtap_len);
236
	memset(rthdr, 0, rtap_len - rtap.len - rtap.pad);
237
	it_present = &rthdr->it_present;
238 239

	/* radiotap header, set always present flags */
240
	rthdr->it_len = cpu_to_le16(rtap_len);
241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256
	it_present_val = BIT(IEEE80211_RADIOTAP_FLAGS) |
			 BIT(IEEE80211_RADIOTAP_CHANNEL) |
			 BIT(IEEE80211_RADIOTAP_RX_FLAGS);

	if (!status->chains)
		it_present_val |= BIT(IEEE80211_RADIOTAP_ANTENNA);

	for_each_set_bit(chain, &chains, IEEE80211_MAX_CHAINS) {
		it_present_val |=
			BIT(IEEE80211_RADIOTAP_EXT) |
			BIT(IEEE80211_RADIOTAP_RADIOTAP_NAMESPACE);
		put_unaligned_le32(it_present_val, it_present);
		it_present++;
		it_present_val = BIT(IEEE80211_RADIOTAP_ANTENNA) |
				 BIT(IEEE80211_RADIOTAP_DBM_ANTSIGNAL);
	}
257

258 259 260 261 262 263 264 265
	if (status->flag & RX_FLAG_RADIOTAP_VENDOR_DATA) {
		it_present_val |= BIT(IEEE80211_RADIOTAP_VENDOR_NAMESPACE) |
				  BIT(IEEE80211_RADIOTAP_EXT);
		put_unaligned_le32(it_present_val, it_present);
		it_present++;
		it_present_val = rtap.present;
	}

266 267 268 269
	put_unaligned_le32(it_present_val, it_present);

	pos = (void *)(it_present + 1);

270 271 272
	/* the order of the following fields is important */

	/* IEEE80211_RADIOTAP_TSFT */
273
	if (ieee80211_have_rx_timestamp(status)) {
274 275 276
		/* padding */
		while ((pos - (u8 *)rthdr) & 7)
			*pos++ = 0;
277 278 279 280
		put_unaligned_le64(
			ieee80211_calculate_rx_timestamp(local, status,
							 mpdulen, 0),
			pos);
281
		rthdr->it_present |= cpu_to_le32(1 << IEEE80211_RADIOTAP_TSFT);
282 283 284 285
		pos += 8;
	}

	/* IEEE80211_RADIOTAP_FLAGS */
286
	if (has_fcs && ieee80211_hw_check(&local->hw, RX_INCLUDES_FCS))
287
		*pos |= IEEE80211_RADIOTAP_F_FCS;
Johannes Berg's avatar
Johannes Berg committed
288 289
	if (status->flag & (RX_FLAG_FAILED_FCS_CRC | RX_FLAG_FAILED_PLCP_CRC))
		*pos |= IEEE80211_RADIOTAP_F_BADFCS;
290 291
	if (status->flag & RX_FLAG_SHORTPRE)
		*pos |= IEEE80211_RADIOTAP_F_SHORTPRE;
292 293 294
	pos++;

	/* IEEE80211_RADIOTAP_RATE */
295
	if (!rate || status->flag & (RX_FLAG_HT | RX_FLAG_VHT)) {
296
		/*
297
		 * Without rate information don't add it. If we have,
298
		 * MCS information is a separate field in radiotap,
299 300
		 * added below. The byte here is needed as padding
		 * for the channel though, so initialise it to 0.
301 302
		 */
		*pos = 0;
303
	} else {
304
		int shift = 0;
305
		rthdr->it_present |= cpu_to_le32(1 << IEEE80211_RADIOTAP_RATE);
306 307 308 309 310
		if (status->flag & RX_FLAG_10MHZ)
			shift = 1;
		else if (status->flag & RX_FLAG_5MHZ)
			shift = 2;
		*pos = DIV_ROUND_UP(rate->bitrate, 5 * (1 << shift));
311
	}
312 313 314
	pos++;

	/* IEEE80211_RADIOTAP_CHANNEL */
315
	put_unaligned_le16(status->freq, pos);
316
	pos += 2;
317 318 319 320 321
	if (status->flag & RX_FLAG_10MHZ)
		channel_flags |= IEEE80211_CHAN_HALF;
	else if (status->flag & RX_FLAG_5MHZ)
		channel_flags |= IEEE80211_CHAN_QUARTER;

322
	if (status->band == IEEE80211_BAND_5GHZ)
323
		channel_flags |= IEEE80211_CHAN_OFDM | IEEE80211_CHAN_5GHZ;
324
	else if (status->flag & (RX_FLAG_HT | RX_FLAG_VHT))
325
		channel_flags |= IEEE80211_CHAN_DYN | IEEE80211_CHAN_2GHZ;
326
	else if (rate && rate->flags & IEEE80211_RATE_ERP_G)
327
		channel_flags |= IEEE80211_CHAN_OFDM | IEEE80211_CHAN_2GHZ;
328
	else if (rate)
329
		channel_flags |= IEEE80211_CHAN_CCK | IEEE80211_CHAN_2GHZ;
330
	else
331 332
		channel_flags |= IEEE80211_CHAN_2GHZ;
	put_unaligned_le16(channel_flags, pos);
333 334 335
	pos += 2;

	/* IEEE80211_RADIOTAP_DBM_ANTSIGNAL */
336
	if (ieee80211_hw_check(&local->hw, SIGNAL_DBM) &&
337
	    !(status->flag & RX_FLAG_NO_SIGNAL_VAL)) {
338 339 340 341 342 343 344 345
		*pos = status->signal;
		rthdr->it_present |=
			cpu_to_le32(1 << IEEE80211_RADIOTAP_DBM_ANTSIGNAL);
		pos++;
	}

	/* IEEE80211_RADIOTAP_LOCK_QUALITY is missing */

346 347 348 349 350
	if (!status->chains) {
		/* IEEE80211_RADIOTAP_ANTENNA */
		*pos = status->antenna;
		pos++;
	}
351 352 353 354 355

	/* IEEE80211_RADIOTAP_DB_ANTNOISE is not used */

	/* IEEE80211_RADIOTAP_RX_FLAGS */
	/* ensure 2 byte alignment for the 2 byte field as required */
356
	if ((pos - (u8 *)rthdr) & 1)
357
		*pos++ = 0;
Johannes Berg's avatar
Johannes Berg committed
358
	if (status->flag & RX_FLAG_FAILED_PLCP_CRC)
359 360
		rx_flags |= IEEE80211_RADIOTAP_F_RX_BADPLCP;
	put_unaligned_le16(rx_flags, pos);
361
	pos += 2;
362 363

	if (status->flag & RX_FLAG_HT) {
364 365
		unsigned int stbc;

366
		rthdr->it_present |= cpu_to_le32(1 << IEEE80211_RADIOTAP_MCS);
367
		*pos++ = local->hw.radiotap_mcs_details;
368 369 370 371 372
		*pos = 0;
		if (status->flag & RX_FLAG_SHORT_GI)
			*pos |= IEEE80211_RADIOTAP_MCS_SGI;
		if (status->flag & RX_FLAG_40MHZ)
			*pos |= IEEE80211_RADIOTAP_MCS_BW_40;
373 374
		if (status->flag & RX_FLAG_HT_GF)
			*pos |= IEEE80211_RADIOTAP_MCS_FMT_GF;
375 376
		if (status->flag & RX_FLAG_LDPC)
			*pos |= IEEE80211_RADIOTAP_MCS_FEC_LDPC;
377 378
		stbc = (status->flag & RX_FLAG_STBC_MASK) >> RX_FLAG_STBC_SHIFT;
		*pos |= stbc << IEEE80211_RADIOTAP_MCS_STBC_SHIFT;
379 380 381
		pos++;
		*pos++ = status->rate_idx;
	}
382 383 384 385 386 387 388 389 390 391 392 393 394 395 396 397 398 399 400 401 402 403 404 405 406 407 408

	if (status->flag & RX_FLAG_AMPDU_DETAILS) {
		u16 flags = 0;

		/* ensure 4 byte alignment */
		while ((pos - (u8 *)rthdr) & 3)
			pos++;
		rthdr->it_present |=
			cpu_to_le32(1 << IEEE80211_RADIOTAP_AMPDU_STATUS);
		put_unaligned_le32(status->ampdu_reference, pos);
		pos += 4;
		if (status->flag & RX_FLAG_AMPDU_LAST_KNOWN)
			flags |= IEEE80211_RADIOTAP_AMPDU_LAST_KNOWN;
		if (status->flag & RX_FLAG_AMPDU_IS_LAST)
			flags |= IEEE80211_RADIOTAP_AMPDU_IS_LAST;
		if (status->flag & RX_FLAG_AMPDU_DELIM_CRC_ERROR)
			flags |= IEEE80211_RADIOTAP_AMPDU_DELIM_CRC_ERR;
		if (status->flag & RX_FLAG_AMPDU_DELIM_CRC_KNOWN)
			flags |= IEEE80211_RADIOTAP_AMPDU_DELIM_CRC_KNOWN;
		put_unaligned_le16(flags, pos);
		pos += 2;
		if (status->flag & RX_FLAG_AMPDU_DELIM_CRC_KNOWN)
			*pos++ = status->ampdu_delimiter_crc;
		else
			*pos++ = 0;
		*pos++ = 0;
	}
409

410 411 412 413 414 415 416 417 418
	if (status->flag & RX_FLAG_VHT) {
		u16 known = local->hw.radiotap_vht_details;

		rthdr->it_present |= cpu_to_le32(1 << IEEE80211_RADIOTAP_VHT);
		put_unaligned_le16(known, pos);
		pos += 2;
		/* flags */
		if (status->flag & RX_FLAG_SHORT_GI)
			*pos |= IEEE80211_RADIOTAP_VHT_FLAG_SGI;
419 420 421
		/* in VHT, STBC is binary */
		if (status->flag & RX_FLAG_STBC_MASK)
			*pos |= IEEE80211_RADIOTAP_VHT_FLAG_STBC;
422 423
		if (status->vht_flag & RX_VHT_FLAG_BF)
			*pos |= IEEE80211_RADIOTAP_VHT_FLAG_BEAMFORMED;
424 425
		pos++;
		/* bandwidth */
426
		if (status->vht_flag & RX_VHT_FLAG_80MHZ)
427
			*pos++ = 4;
428
		else if (status->vht_flag & RX_VHT_FLAG_160MHZ)
429 430 431 432 433 434 435 436 437
			*pos++ = 11;
		else if (status->flag & RX_FLAG_40MHZ)
			*pos++ = 1;
		else /* 20 MHz */
			*pos++ = 0;
		/* MCS/NSS */
		*pos = (status->rate_idx << 4) | status->vht_nss;
		pos += 4;
		/* coding field */
438 439
		if (status->flag & RX_FLAG_LDPC)
			*pos |= IEEE80211_RADIOTAP_CODING_LDPC_USER0;
440 441 442 443 444 445 446
		pos++;
		/* group ID */
		pos++;
		/* partial_aid */
		pos += 2;
	}

447 448 449 450
	for_each_set_bit(chain, &chains, IEEE80211_MAX_CHAINS) {
		*pos++ = status->chain_signal[chain];
		*pos++ = chain;
	}
451 452 453 454 455 456 457 458 459 460 461 462 463 464 465 466

	if (status->flag & RX_FLAG_RADIOTAP_VENDOR_DATA) {
		/* ensure 2 byte alignment for the vendor field as required */
		if ((pos - (u8 *)rthdr) & 1)
			*pos++ = 0;
		*pos++ = rtap.oui[0];
		*pos++ = rtap.oui[1];
		*pos++ = rtap.oui[2];
		*pos++ = rtap.subns;
		put_unaligned_le16(rtap.len, pos);
		pos += 2;
		/* align the actual payload as requested */
		while ((pos - (u8 *)rthdr) & (rtap.align - 1))
			*pos++ = 0;
		/* data (and possible padding) already follows */
	}
467 468
}

469 470 471 472 473 474 475
/*
 * This function copies a received frame to all monitor interfaces and
 * returns a cleaned-up SKB that no longer includes the FCS nor the
 * radiotap header the driver might have added.
 */
static struct sk_buff *
ieee80211_rx_monitor(struct ieee80211_local *local, struct sk_buff *origskb,
476
		     struct ieee80211_rate *rate)
477
{
478
	struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(origskb);
479
	struct ieee80211_sub_if_data *sdata;
480
	int rt_hdrlen, needed_headroom;
481 482 483
	struct sk_buff *skb, *skb2;
	struct net_device *prev_dev = NULL;
	int present_fcs_len = 0;
484 485 486 487 488 489 490
	unsigned int rtap_vendor_space = 0;

	if (unlikely(status->flag & RX_FLAG_RADIOTAP_VENDOR_DATA)) {
		struct ieee80211_vendor_radiotap *rtap = (void *)origskb->data;

		rtap_vendor_space = sizeof(*rtap) + rtap->len + rtap->pad;
	}
491 492 493 494 495 496 497 498 499

	/*
	 * First, we may need to make a copy of the skb because
	 *  (1) we need to modify it for radiotap (if not present), and
	 *  (2) the other RX handlers will modify the skb we got.
	 *
	 * We don't need to, of course, if we aren't going to return
	 * the SKB because it has a bad FCS/PLCP checksum.
	 */
500

501
	if (ieee80211_hw_check(&local->hw, RX_INCLUDES_FCS))
502 503
		present_fcs_len = FCS_LEN;

504 505
	/* ensure hdr->frame_control and vendor radiotap data are in skb head */
	if (!pskb_may_pull(origskb, 2 + rtap_vendor_space)) {
Zhu Yi's avatar
Zhu Yi committed
506 507 508 509
		dev_kfree_skb(origskb);
		return NULL;
	}

510
	if (!local->monitors) {
511 512
		if (should_drop_frame(origskb, present_fcs_len,
				      rtap_vendor_space)) {
513 514 515 516
			dev_kfree_skb(origskb);
			return NULL;
		}

517
		return remove_monitor_info(local, origskb, rtap_vendor_space);
518 519
	}

520
	/* room for the radiotap header based on driver features */
521 522
	rt_hdrlen = ieee80211_rx_radiotap_hdrlen(local, status, origskb);
	needed_headroom = rt_hdrlen - rtap_vendor_space;
523

524
	if (should_drop_frame(origskb, present_fcs_len, rtap_vendor_space)) {
525 526 527 528 529 530 531 532 533 534 535 536
		/* only need to expand headroom if necessary */
		skb = origskb;
		origskb = NULL;

		/*
		 * This shouldn't trigger often because most devices have an
		 * RX header they pull before we get here, and that should
		 * be big enough for our radiotap information. We should
		 * probably export the length to drivers so that we can have
		 * them allocate enough headroom to start with.
		 */
		if (skb_headroom(skb) < needed_headroom &&
537
		    pskb_expand_head(skb, needed_headroom, 0, GFP_ATOMIC)) {
538 539 540 541 542 543 544 545 546 547
			dev_kfree_skb(skb);
			return NULL;
		}
	} else {
		/*
		 * Need to make a copy and possibly remove radiotap header
		 * and FCS from the original.
		 */
		skb = skb_copy_expand(origskb, needed_headroom, 0, GFP_ATOMIC);

548 549
		origskb = remove_monitor_info(local, origskb,
					      rtap_vendor_space);
550 551 552 553 554

		if (!skb)
			return origskb;
	}

555
	/* prepend radiotap information */
556
	ieee80211_add_rx_radiotap_header(local, skb, rate, rt_hdrlen, true);
557

558
	skb_reset_mac_header(skb);
559 560 561 562 563
	skb->ip_summed = CHECKSUM_UNNECESSARY;
	skb->pkt_type = PACKET_OTHERHOST;
	skb->protocol = htons(ETH_P_802_2);

	list_for_each_entry_rcu(sdata, &local->interfaces, list) {
564
		if (sdata->vif.type != NL80211_IFTYPE_MONITOR)
565 566
			continue;

567 568 569
		if (sdata->u.mntr_flags & MONITOR_FLAG_COOK_FRAMES)
			continue;

570
		if (!ieee80211_sdata_running(sdata))
571 572
			continue;

573 574 575 576
		if (prev_dev) {
			skb2 = skb_clone(skb, GFP_ATOMIC);
			if (skb2) {
				skb2->dev = prev_dev;
577
				netif_receive_skb(skb2);
578 579 580 581
			}
		}

		prev_dev = sdata->dev;
582
		ieee80211_rx_stats(sdata->dev, skb->len);
583 584 585 586
	}

	if (prev_dev) {
		skb->dev = prev_dev;
587
		netif_receive_skb(skb);
588 589 590 591 592 593
	} else
		dev_kfree_skb(skb);

	return origskb;
}

594
static void ieee80211_parse_qos(struct ieee80211_rx_data *rx)
595
{
596
	struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)rx->skb->data;
597
	struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(rx->skb);
598
	int tid, seqno_idx, security_idx;
599 600

	/* does the frame have a qos control field? */
601 602
	if (ieee80211_is_data_qos(hdr->frame_control)) {
		u8 *qc = ieee80211_get_qos_ctl(hdr);
603
		/* frame has qos control */
604
		tid = *qc & IEEE80211_QOS_CTL_TID_MASK;
605
		if (*qc & IEEE80211_QOS_CTL_A_MSDU_PRESENT)
606
			status->rx_flags |= IEEE80211_RX_AMSDU;
607 608 609

		seqno_idx = tid;
		security_idx = tid;
610
	} else {
611 612 613 614 615 616 617 618 619 620 621
		/*
		 * IEEE 802.11-2007, 7.1.3.4.1 ("Sequence Number field"):
		 *
		 *	Sequence numbers for management frames, QoS data
		 *	frames with a broadcast/multicast address in the
		 *	Address 1 field, and all non-QoS data frames sent
		 *	by QoS STAs are assigned using an additional single
		 *	modulo-4096 counter, [...]
		 *
		 * We also use that counter for non-QoS STAs.
		 */
622
		seqno_idx = IEEE80211_NUM_TIDS;
623 624
		security_idx = 0;
		if (ieee80211_is_mgmt(hdr->frame_control))
625
			security_idx = IEEE80211_NUM_TIDS;
626
		tid = 0;
627
	}
628

629 630
	rx->seqno_idx = seqno_idx;
	rx->security_idx = security_idx;
631 632 633
	/* Set skb->priority to 1d tag if highest order bit of TID is not set.
	 * For now, set skb->priority to 0 for other cases. */
	rx->skb->priority = (tid > 7) ? 0 : tid;
634
}
635

636 637 638 639 640 641 642 643 644 645 646
/**
 * DOC: Packet alignment
 *
 * Drivers always need to pass packets that are aligned to two-byte boundaries
 * to the stack.
 *
 * Additionally, should, if possible, align the payload data in a way that
 * guarantees that the contained IP header is aligned to a four-byte
 * boundary. In the case of regular frames, this simply means aligning the
 * payload to a four-byte boundary (because either the IP header is directly
 * contained, or IV/RFC1042 headers that have a length divisible by four are
647 648 649
 * in front of it).  If the payload data is not properly aligned and the
 * architecture doesn't support efficient unaligned operations, mac80211
 * will align the data.
650 651 652 653 654 655 656
 *
 * With A-MSDU frames, however, the payload data address must yield two modulo
 * four because there are 14-byte 802.3 headers within the A-MSDU frames that
 * push the IP header further back to a multiple of four again. Thankfully, the
 * specs were sane enough this time around to require padding each A-MSDU
 * subframe to a length that is a multiple of four.
 *
Lucas De Marchi's avatar
Lucas De Marchi committed
657
 * Padding like Atheros hardware adds which is between the 802.11 header and
658 659 660 661
 * the payload is not supported, the driver is required to move the 802.11
 * header to be directly in front of the payload in that case.
 */
static void ieee80211_verify_alignment(struct ieee80211_rx_data *rx)
662
{
663
#ifdef CONFIG_MAC80211_VERBOSE_DEBUG
664
	WARN_ON_ONCE((unsigned long)rx->skb->data & 1);
665
#endif
666 667
}

668

669 670
/* rx handlers */

671 672 673 674
static int ieee80211_is_unicast_robust_mgmt_frame(struct sk_buff *skb)
{
	struct ieee80211_hdr *hdr = (struct ieee80211_hdr *) skb->data;

675
	if (is_multicast_ether_addr(hdr->addr1))
676 677
		return 0;

678
	return ieee80211_is_robust_mgmt_frame(skb);
679 680 681 682 683 684 685
}


static int ieee80211_is_multicast_robust_mgmt_frame(struct sk_buff *skb)
{
	struct ieee80211_hdr *hdr = (struct ieee80211_hdr *) skb->data;

686
	if (!is_multicast_ether_addr(hdr->addr1))
687 688
		return 0;

689
	return ieee80211_is_robust_mgmt_frame(skb);
690 691 692 693 694 695 696 697
}


/* Get the BIP key index from MMIE; return -1 if this is not a BIP frame */
static int ieee80211_get_mmie_keyidx(struct sk_buff *skb)
{
	struct ieee80211_mgmt *hdr = (struct ieee80211_mgmt *) skb->data;
	struct ieee80211_mmie *mmie;
698
	struct ieee80211_mmie_16 *mmie16;
699

700
	if (skb->len < 24 + sizeof(*mmie) || !is_multicast_ether_addr(hdr->da))
701 702
		return -1;

703
	if (!ieee80211_is_robust_mgmt_frame(skb))
704 705 706 707
		return -1; /* not a robust management frame */

	mmie = (struct ieee80211_mmie *)
		(skb->data + skb->len - sizeof(*mmie));
708 709 710 711 712 713 714 715 716 717 718 719
	if (mmie->element_id == WLAN_EID_MMIE &&
	    mmie->length == sizeof(*mmie) - 2)
		return le16_to_cpu(mmie->key_id);

	mmie16 = (struct ieee80211_mmie_16 *)
		(skb->data + skb->len - sizeof(*mmie16));
	if (skb->len >= 24 + sizeof(*mmie16) &&
	    mmie16->element_id == WLAN_EID_MMIE &&
	    mmie16->length == sizeof(*mmie16) - 2)
		return le16_to_cpu(mmie16->key_id);

	return -1;
720 721
}

722 723 724 725 726 727 728 729 730 731 732 733 734 735 736 737 738 739 740 741 742
static int iwl80211_get_cs_keyid(const struct ieee80211_cipher_scheme *cs,
				 struct sk_buff *skb)
{
	struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)skb->data;
	__le16 fc;
	int hdrlen;
	u8 keyid;

	fc = hdr->frame_control;
	hdrlen = ieee80211_hdrlen(fc);

	if (skb->len < hdrlen + cs->hdr_len)
		return -EINVAL;

	skb_copy_bits(skb, hdrlen + cs->key_idx_off, &keyid, 1);
	keyid &= cs->key_idx_mask;
	keyid >>= cs->key_idx_shift;

	return keyid;
}

743
static ieee80211_rx_result ieee80211_rx_mesh_check(struct ieee80211_rx_data *rx)
744
{
745
	struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)rx->skb->data;
746
	char *dev_addr = rx->sdata->vif.addr;
747

748
	if (ieee80211_is_data(hdr->frame_control)) {
749 750
		if (is_multicast_ether_addr(hdr->addr1)) {
			if (ieee80211_has_tods(hdr->frame_control) ||
751
			    !ieee80211_has_fromds(hdr->frame_control))
752
				return RX_DROP_MONITOR;
753
			if (ether_addr_equal(hdr->addr3, dev_addr))
754 755 756 757
				return RX_DROP_MONITOR;
		} else {
			if (!ieee80211_has_a4(hdr->frame_control))
				return RX_DROP_MONITOR;
758
			if (ether_addr_equal(hdr->addr4, dev_addr))
759 760
				return RX_DROP_MONITOR;
		}
761 762 763 764 765 766
	}

	/* If there is not an established peer link and this is not a peer link
	 * establisment frame, beacon or probe, drop the frame.
	 */

767
	if (!rx->sta || sta_plink_state(rx->sta) != NL80211_PLINK_ESTAB) {
768
		struct ieee80211_mgmt *mgmt;
769

770
		if (!ieee80211_is_mgmt(hdr->frame_control))
771 772
			return RX_DROP_MONITOR;

773
		if (ieee80211_is_action(hdr->frame_control)) {
774
			u8 category;
775 776 777 778 779

			/* make sure category field is present */
			if (rx->skb->len < IEEE80211_MIN_ACTION_SIZE)
				return RX_DROP_MONITOR;

780
			mgmt = (struct ieee80211_mgmt *)hdr;
781 782
			category = mgmt->u.action.category;
			if (category != WLAN_CATEGORY_MESH_ACTION &&
783
			    category != WLAN_CATEGORY_SELF_PROTECTED)
784 785 786 787
				return RX_DROP_MONITOR;
			return RX_CONTINUE;
		}

788 789
		if (ieee80211_is_probe_req(hdr->frame_control) ||
		    ieee80211_is_probe_resp(hdr->frame_control) ||
790 791
		    ieee80211_is_beacon(hdr->frame_control) ||
		    ieee80211_is_auth(hdr->frame_control))
792 793 794 795 796
			return RX_CONTINUE;

		return RX_DROP_MONITOR;
	}

Johannes Berg's avatar
Johannes Berg committed
797 798
	return RX_CONTINUE;
}
799

800
static void ieee80211_release_reorder_frame(struct ieee80211_sub_if_data *sdata,
801
					    struct tid_ampdu_rx *tid_agg_rx,
802 803
					    int index,
					    struct sk_buff_head *frames)
804
{
805 806
	struct sk_buff_head *skb_list = &tid_agg_rx->reorder_buf[index];
	struct sk_buff *skb;
807
	struct ieee80211_rx_status *status;
808

809 810
	lockdep_assert_held(&tid_agg_rx->reorder_lock);

811
	if (skb_queue_empty(skb_list))
812 813
		goto no_frame;

814 815 816 817 818 819
	if (!ieee80211_rx_reorder_ready(skb_list)) {
		__skb_queue_purge(skb_list);
		goto no_frame;
	}

	/* release frames from the reorder ring buffer */
820
	tid_agg_rx->stored_mpdu_num--;
821 822 823 824 825
	while ((skb = __skb_dequeue(skb_list))) {
		status = IEEE80211_SKB_RXCB(skb);
		status->rx_flags |= IEEE80211_RX_DEFERRED_RELEASE;
		__skb_queue_tail(frames, skb);
	}
826 827

no_frame:
828
	tid_agg_rx->head_seq_num = ieee80211_sn_inc(tid_agg_rx->head_seq_num);
829 830
}

831
static void ieee80211_release_reorder_frames(struct ieee80211_sub_if_data *sdata,
832
					     struct tid_ampdu_rx *tid_agg_rx,
833 834
					     u16 head_seq_num,
					     struct sk_buff_head *frames)
835 836 837
{
	int index;

838 839
	lockdep_assert_held(&tid_agg_rx->reorder_lock);

840
	while (ieee80211_sn_less(tid_agg_rx->head_seq_num, head_seq_num)) {
841
		index = tid_agg_rx->head_seq_num % tid_agg_rx->buf_size;
842 843
		ieee80211_release_reorder_frame(sdata, tid_agg_rx, index,
						frames);
844 845 846 847 848 849 850 851 852
	}
}

/*
 * Timeout (in jiffies) for skb's that are waiting in the RX reorder buffer. If
 * the skb was added to the buffer longer than this time ago, the earlier
 * frames that have not yet been received are assumed to be lost and the skb
 * can be released for processing. This may also release other skb's from the
 * reorder buffer if there are no additional gaps between the frames.
853 854
 *
 * Callers must hold tid_agg_rx->reorder_lock.
855 856 857
 */
#define HT_RX_REORDER_BUF_TIMEOUT (HZ / 10)

858
static void ieee80211_sta_reorder_release(struct ieee80211_sub_if_data *sdata,
859 860
					  struct tid_ampdu_rx *tid_agg_rx,
					  struct sk_buff_head *frames)
861
{
862
	int index, i, j;
863

864 865
	lockdep_assert_held(&tid_agg_rx->reorder_lock);

866
	/* release the buffer until next missing frame */
867
	index = tid_agg_rx->head_seq_num % tid_agg_rx->buf_size;
868
	if (!ieee80211_rx_reorder_ready(&tid_agg_rx->reorder_buf[index]) &&
869
	    tid_agg_rx->stored_mpdu_num) {
870 871 872 873 874 875 876
		/*
		 * No buffers ready to be released, but check whether any
		 * frames in the reorder buffer have timed out.
		 */
		int skipped = 1;
		for (j = (index + 1) % tid_agg_rx->buf_size; j != index;
		     j = (j + 1) % tid_agg_rx->buf_size) {
877 878
			if (!ieee80211_rx_reorder_ready(
					&tid_agg_rx->reorder_buf[j])) {
879 880 881
				skipped++;
				continue;
			}
882 883
			if (skipped &&
			    !time_after(jiffies, tid_agg_rx->reorder_time[j] +
884
					HT_RX_REORDER_BUF_TIMEOUT))
885
				goto set_release_timer;
886

887 888 889 890 891
			/* don't leave incomplete A-MSDUs around */
			for (i = (index + 1) % tid_agg_rx->buf_size; i != j;
			     i = (i + 1) % tid_agg_rx->buf_size)
				__skb_queue_purge(&tid_agg_rx->reorder_buf[i]);

Johannes Berg's avatar
Johannes Berg committed
892 893
			ht_dbg_ratelimited(sdata,
					   "release an RX reorder frame due to timeout on earlier frames\n");
894 895
			ieee80211_release_reorder_frame(sdata, tid_agg_rx, j,
							frames);
896 897 898 899 900

			/*
			 * Increment the head seq# also for the skipped slots.
			 */
			tid_agg_rx->head_seq_num =
901 902
				(tid_agg_rx->head_seq_num +
				 skipped) & IEEE80211_SN_MASK;
903 904
			skipped = 0;
		}
905 906
	} else while (ieee80211_rx_reorder_ready(
				&tid_agg_rx->reorder_buf[index])) {
907 908
		ieee80211_release_reorder_frame(sdata, tid_agg_rx, index,
						frames);
909
		index =	tid_agg_rx->head_seq_num % tid_agg_rx->buf_size;
910
	}
911 912

	if (tid_agg_rx->stored_mpdu_num) {
913
		j = index = tid_agg_rx->head_seq_num % tid_agg_rx->buf_size;
914 915 916

		for (; j != (index - 1) % tid_agg_rx->buf_size;
		     j = (j + 1) % tid_agg_rx->buf_size) {
917 918
			if (ieee80211_rx_reorder_ready(
					&tid_agg_rx->reorder_buf[j]))
919 920 921 922 923
				break;
		}

 set_release_timer:

924 925 926 927
		if (!tid_agg_rx->removed)
			mod_timer(&tid_agg_rx->reorder_timer,
				  tid_agg_rx->reorder_time[j] + 1 +
				  HT_RX_REORDER_BUF_TIMEOUT);
928 929 930
	} else {
		del_timer(&tid_agg_rx->reorder_timer);
	}
931 932
}

933 934 935 936 937
/*
 * As this function belongs to the RX path it must be under
 * rcu_read_lock protection. It returns false if the frame
 * can be processed immediately, true if it was consumed.
 */
938
static bool ieee80211_sta_manage_reorder_buf(struct ieee80211_sub_if_data *sdata,
939
					     struct tid_ampdu_rx *tid_agg_rx,
940 941
					     struct sk_buff *skb,
					     struct sk_buff_head *frames)
942 943
{
	struct ieee80211_hdr *hdr = (struct ieee80211_hdr *) skb->data;
944
	struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb);
945 946 947 948
	u16 sc = le16_to_cpu(hdr->seq_ctrl);
	u16 mpdu_seq_num = (sc & IEEE80211_SCTL_SEQ) >> 4;
	u16 head_seq_num, buf_size;
	int index;
949
	bool ret = true;
950

951 952
	spin_lock(&tid_agg_rx->reorder_lock);

953 954 955 956 957 958 959 960 961 962
	/*
	 * Offloaded BA sessions have no known starting sequence number so pick
	 * one from first Rxed frame for this tid after BA was started.
	 */
	if (unlikely(tid_agg_rx->auto_seq)) {
		tid_agg_rx->auto_seq = false;
		tid_agg_rx->ssn = mpdu_seq_num;
		tid_agg_rx->head_seq_num = mpdu_seq_num;
	}

963 964 965 966
	buf_size = tid_agg_rx->buf_size;
	head_seq_num = tid_agg_rx->head_seq_num;

	/* frame with out of date sequence number */
967
	if (ieee80211_sn_less(mpdu_seq_num, head_seq_num)) {
968
		dev_kfree_skb(skb);
969
		goto out;
970 971 972 973 974 975
	}

	/*
	 * If frame the sequence number exceeds our buffering window
	 * size release some previous frames to make room for this one.
	 */
976 977 978
	if (!ieee80211_sn_less(mpdu_seq_num, head_seq_num + buf_size)) {
		head_seq_num = ieee80211_sn_inc(
				ieee80211_sn_sub(mpdu_seq_num, buf_size));
979
		/* release stored frames up to new head to stack */
980
		ieee80211_release_reorder_frames(sdata, tid_agg_rx,
981
						 head_seq_num, frames);
982 983 984 985
	}

	/* Now the new frame is always in the range of the reordering buffer */

986
	index = mpdu_seq_num % tid_agg_rx->buf_size;
987 988

	/* check if we already stored this frame */
989
	if (ieee80211_rx_reorder_ready(&tid_agg_rx->reorder_buf[index])) {
990
		dev_kfree_skb(skb);
991
		goto out;
992 993 994 995 996
	}

	/*
	 * If the current MPDU is in the right order and nothing else
	 * is stored we can process it directly, no need to buffer it.
997 998
	 * If it is first but there's something stored, we may be able
	 * to release frames after this one.
999 1000 1001
	 */
	if (mpdu_seq_num == tid_agg_rx->head_seq_num &&
	    tid_agg_rx->stored_mpdu_num == 0) {
1002 1003 1004
		if (!(status->flag & RX_FLAG_AMSDU_MORE))
			tid_agg_rx->head_seq_num =
				ieee80211_sn_inc(tid_agg_rx->head_seq_num);
1005 1006
		ret = false;
		goto out;
1007 1008 1009
	}

	/* put the frame in the reordering buffer */
1010 1011 1012 1013 1014 1015
	__skb_queue_tail(&tid_agg_rx->reorder_buf[index], skb);
	if (!(status->flag & RX_FLAG_AMSDU_MORE)) {
		tid_agg_rx->reorder_time[index] = jiffies;
		tid_agg_rx->stored_mpdu_num++;
		ieee80211_sta_reorder_release(sdata, tid_agg_rx, frames);
	}
1016

1017 1018 1019
 out:
	spin_unlock(&tid_agg_rx->reorder_lock);
	return ret;
1020 1021 1022 1023 1024 1025
}

/*
 * Reorder MPDUs from A-MPDUs, keeping them on a buffer. Returns
 * true if the MPDU was buffered, false if it should be processed.
 */
1026 1027
static void ieee80211_rx_reorder_ampdu(struct ieee80211_rx_data *rx,
				       struct sk_buff_head *frames)
1028
{
1029 1030
	struct sk_buff *skb = rx->skb;
	struct ieee80211_local *local = rx->local;
1031
	struct ieee80211_hdr *hdr = (struct ieee80211_hdr *) skb->data;
1032
	struct sta_info *sta = rx->sta;
1033 1034
	struct tid_ampdu_rx *tid_agg_rx;
	u16 sc;