rx.c 102 KB
Newer Older
1 2 3 4
/*
 * Copyright 2002-2005, Instant802 Networks, Inc.
 * Copyright 2005-2006, Devicescape Software, Inc.
 * Copyright 2006-2007	Jiri Benc <jbenc@suse.cz>
5
 * Copyright 2007-2010	Johannes Berg <johannes@sipsolutions.net>
6
 * Copyright 2013-2014  Intel Mobile Communications GmbH
7 8 9 10 11 12
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License version 2 as
 * published by the Free Software Foundation.
 */

13
#include <linux/jiffies.h>
14
#include <linux/slab.h>
15 16 17 18
#include <linux/kernel.h>
#include <linux/skbuff.h>
#include <linux/netdevice.h>
#include <linux/etherdevice.h>
19
#include <linux/rcupdate.h>
20
#include <linux/export.h>
21 22
#include <net/mac80211.h>
#include <net/ieee80211_radiotap.h>
23
#include <asm/unaligned.h>
24 25

#include "ieee80211_i.h"
26
#include "driver-ops.h"
Johannes Berg's avatar
Johannes Berg committed
27
#include "led.h"
28
#include "mesh.h"
29 30 31 32
#include "wep.h"
#include "wpa.h"
#include "tkip.h"
#include "wme.h"
33
#include "rate.h"
34

35 36 37 38 39 40 41 42 43 44
static inline void ieee80211_rx_stats(struct net_device *dev, u32 len)
{
	struct pcpu_sw_netstats *tstats = this_cpu_ptr(dev->tstats);

	u64_stats_update_begin(&tstats->syncp);
	tstats->rx_packets++;
	tstats->rx_bytes += len;
	u64_stats_update_end(&tstats->syncp);
}

45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89
static u8 *ieee80211_get_bssid(struct ieee80211_hdr *hdr, size_t len,
			       enum nl80211_iftype type)
{
	__le16 fc = hdr->frame_control;

	if (ieee80211_is_data(fc)) {
		if (len < 24) /* drop incorrect hdr len (data) */
			return NULL;

		if (ieee80211_has_a4(fc))
			return NULL;
		if (ieee80211_has_tods(fc))
			return hdr->addr1;
		if (ieee80211_has_fromds(fc))
			return hdr->addr2;

		return hdr->addr3;
	}

	if (ieee80211_is_mgmt(fc)) {
		if (len < 24) /* drop incorrect hdr len (mgmt) */
			return NULL;
		return hdr->addr3;
	}

	if (ieee80211_is_ctl(fc)) {
		if (ieee80211_is_pspoll(fc))
			return hdr->addr1;

		if (ieee80211_is_back_req(fc)) {
			switch (type) {
			case NL80211_IFTYPE_STATION:
				return hdr->addr2;
			case NL80211_IFTYPE_AP:
			case NL80211_IFTYPE_AP_VLAN:
				return hdr->addr1;
			default:
				break; /* fall through to the return */
			}
		}
	}

	return NULL;
}

90 91 92 93 94 95 96
/*
 * monitor mode reception
 *
 * This function cleans up the SKB, i.e. it removes all the stuff
 * only useful for monitoring.
 */
static struct sk_buff *remove_monitor_info(struct ieee80211_local *local,
97 98
					   struct sk_buff *skb,
					   unsigned int rtap_vendor_space)
99
{
100
	if (ieee80211_hw_check(&local->hw, RX_INCLUDES_FCS)) {
101
		if (likely(skb->len > FCS_LEN))
Zhu Yi's avatar
Zhu Yi committed
102
			__pskb_trim(skb, skb->len - FCS_LEN);
103 104 105 106
		else {
			/* driver bug */
			WARN_ON(1);
			dev_kfree_skb(skb);
107
			return NULL;
108 109 110
		}
	}

111 112
	__pskb_pull(skb, rtap_vendor_space);

113 114 115
	return skb;
}

116 117
static inline bool should_drop_frame(struct sk_buff *skb, int present_fcs_len,
				     unsigned int rtap_vendor_space)
118
{
119
	struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb);
120 121 122
	struct ieee80211_hdr *hdr;

	hdr = (void *)(skb->data + rtap_vendor_space);
123

124
	if (status->flag & (RX_FLAG_FAILED_FCS_CRC |
125 126
			    RX_FLAG_FAILED_PLCP_CRC |
			    RX_FLAG_ONLY_MONITOR))
127 128
		return true;

129
	if (unlikely(skb->len < 16 + present_fcs_len + rtap_vendor_space))
130 131
		return true;

132 133 134
	if (ieee80211_is_ctl(hdr->frame_control) &&
	    !ieee80211_is_pspoll(hdr->frame_control) &&
	    !ieee80211_is_back_req(hdr->frame_control))
135 136 137
		return true;

	return false;
138 139
}

140
static int
141 142 143
ieee80211_rx_radiotap_hdrlen(struct ieee80211_local *local,
			     struct ieee80211_rx_status *status,
			     struct sk_buff *skb)
144 145 146 147
{
	int len;

	/* always present fields */
148
	len = sizeof(struct ieee80211_radiotap_header) + 8;
149

150 151 152
	/* allocate extra bitmaps */
	if (status->chains)
		len += 4 * hweight8(status->chains);
153 154 155

	if (ieee80211_have_rx_timestamp(status)) {
		len = ALIGN(len, 8);
156
		len += 8;
157
	}
158
	if (ieee80211_hw_check(&local->hw, SIGNAL_DBM))
159 160
		len += 1;

161 162 163 164
	/* antenna field, if we don't have per-chain info */
	if (!status->chains)
		len += 1;

165 166
	/* padding for RX_FLAGS if necessary */
	len = ALIGN(len, 2);
167

168 169 170
	if (status->flag & RX_FLAG_HT) /* HT info */
		len += 3;

171
	if (status->flag & RX_FLAG_AMPDU_DETAILS) {
172
		len = ALIGN(len, 4);
173 174 175
		len += 8;
	}

176 177 178 179 180
	if (status->flag & RX_FLAG_VHT) {
		len = ALIGN(len, 2);
		len += 12;
	}

181 182 183 184 185
	if (status->chains) {
		/* antenna and antenna signal fields */
		len += 2 * hweight8(status->chains);
	}

186 187 188 189 190 191 192 193 194 195 196 197 198 199 200
	if (status->flag & RX_FLAG_RADIOTAP_VENDOR_DATA) {
		struct ieee80211_vendor_radiotap *rtap = (void *)skb->data;

		/* vendor presence bitmap */
		len += 4;
		/* alignment for fixed 6-byte vendor data header */
		len = ALIGN(len, 2);
		/* vendor data header */
		len += 6;
		if (WARN_ON(rtap->align == 0))
			rtap->align = 1;
		len = ALIGN(len, rtap->align);
		len += rtap->len + rtap->pad;
	}

201 202 203
	return len;
}

204
/*
205 206 207 208 209 210 211 212
 * ieee80211_add_rx_radiotap_header - add radiotap header
 *
 * add a radiotap header containing all the fields which the hardware provided.
 */
static void
ieee80211_add_rx_radiotap_header(struct ieee80211_local *local,
				 struct sk_buff *skb,
				 struct ieee80211_rate *rate,
213
				 int rtap_len, bool has_fcs)
214
{
215
	struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb);
216 217
	struct ieee80211_radiotap_header *rthdr;
	unsigned char *pos;
218 219
	__le32 *it_present;
	u32 it_present_val;
220
	u16 rx_flags = 0;
221
	u16 channel_flags = 0;
222 223
	int mpdulen, chain;
	unsigned long chains = status->chains;
224 225 226 227 228 229 230
	struct ieee80211_vendor_radiotap rtap = {};

	if (status->flag & RX_FLAG_RADIOTAP_VENDOR_DATA) {
		rtap = *(struct ieee80211_vendor_radiotap *)skb->data;
		/* rtap.len and rtap.pad are undone immediately */
		skb_pull(skb, sizeof(rtap) + rtap.len + rtap.pad);
	}
231 232

	mpdulen = skb->len;
233
	if (!(has_fcs && ieee80211_hw_check(&local->hw, RX_INCLUDES_FCS)))
234
		mpdulen += FCS_LEN;
235 236

	rthdr = (struct ieee80211_radiotap_header *)skb_push(skb, rtap_len);
237
	memset(rthdr, 0, rtap_len - rtap.len - rtap.pad);
238
	it_present = &rthdr->it_present;
239 240

	/* radiotap header, set always present flags */
241
	rthdr->it_len = cpu_to_le16(rtap_len);
242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257
	it_present_val = BIT(IEEE80211_RADIOTAP_FLAGS) |
			 BIT(IEEE80211_RADIOTAP_CHANNEL) |
			 BIT(IEEE80211_RADIOTAP_RX_FLAGS);

	if (!status->chains)
		it_present_val |= BIT(IEEE80211_RADIOTAP_ANTENNA);

	for_each_set_bit(chain, &chains, IEEE80211_MAX_CHAINS) {
		it_present_val |=
			BIT(IEEE80211_RADIOTAP_EXT) |
			BIT(IEEE80211_RADIOTAP_RADIOTAP_NAMESPACE);
		put_unaligned_le32(it_present_val, it_present);
		it_present++;
		it_present_val = BIT(IEEE80211_RADIOTAP_ANTENNA) |
				 BIT(IEEE80211_RADIOTAP_DBM_ANTSIGNAL);
	}
258

259 260 261 262 263 264 265 266
	if (status->flag & RX_FLAG_RADIOTAP_VENDOR_DATA) {
		it_present_val |= BIT(IEEE80211_RADIOTAP_VENDOR_NAMESPACE) |
				  BIT(IEEE80211_RADIOTAP_EXT);
		put_unaligned_le32(it_present_val, it_present);
		it_present++;
		it_present_val = rtap.present;
	}

267 268 269 270
	put_unaligned_le32(it_present_val, it_present);

	pos = (void *)(it_present + 1);

271 272 273
	/* the order of the following fields is important */

	/* IEEE80211_RADIOTAP_TSFT */
274
	if (ieee80211_have_rx_timestamp(status)) {
275 276 277
		/* padding */
		while ((pos - (u8 *)rthdr) & 7)
			*pos++ = 0;
278 279 280 281
		put_unaligned_le64(
			ieee80211_calculate_rx_timestamp(local, status,
							 mpdulen, 0),
			pos);
282
		rthdr->it_present |= cpu_to_le32(1 << IEEE80211_RADIOTAP_TSFT);
283 284 285 286
		pos += 8;
	}

	/* IEEE80211_RADIOTAP_FLAGS */
287
	if (has_fcs && ieee80211_hw_check(&local->hw, RX_INCLUDES_FCS))
288
		*pos |= IEEE80211_RADIOTAP_F_FCS;
Johannes Berg's avatar
Johannes Berg committed
289 290
	if (status->flag & (RX_FLAG_FAILED_FCS_CRC | RX_FLAG_FAILED_PLCP_CRC))
		*pos |= IEEE80211_RADIOTAP_F_BADFCS;
291 292
	if (status->flag & RX_FLAG_SHORTPRE)
		*pos |= IEEE80211_RADIOTAP_F_SHORTPRE;
293 294 295
	pos++;

	/* IEEE80211_RADIOTAP_RATE */
296
	if (!rate || status->flag & (RX_FLAG_HT | RX_FLAG_VHT)) {
297
		/*
298
		 * Without rate information don't add it. If we have,
299
		 * MCS information is a separate field in radiotap,
300 301
		 * added below. The byte here is needed as padding
		 * for the channel though, so initialise it to 0.
302 303
		 */
		*pos = 0;
304
	} else {
305
		int shift = 0;
306
		rthdr->it_present |= cpu_to_le32(1 << IEEE80211_RADIOTAP_RATE);
307 308 309 310 311
		if (status->flag & RX_FLAG_10MHZ)
			shift = 1;
		else if (status->flag & RX_FLAG_5MHZ)
			shift = 2;
		*pos = DIV_ROUND_UP(rate->bitrate, 5 * (1 << shift));
312
	}
313 314 315
	pos++;

	/* IEEE80211_RADIOTAP_CHANNEL */
316
	put_unaligned_le16(status->freq, pos);
317
	pos += 2;
318 319 320 321 322
	if (status->flag & RX_FLAG_10MHZ)
		channel_flags |= IEEE80211_CHAN_HALF;
	else if (status->flag & RX_FLAG_5MHZ)
		channel_flags |= IEEE80211_CHAN_QUARTER;

323
	if (status->band == IEEE80211_BAND_5GHZ)
324
		channel_flags |= IEEE80211_CHAN_OFDM | IEEE80211_CHAN_5GHZ;
325
	else if (status->flag & (RX_FLAG_HT | RX_FLAG_VHT))
326
		channel_flags |= IEEE80211_CHAN_DYN | IEEE80211_CHAN_2GHZ;
327
	else if (rate && rate->flags & IEEE80211_RATE_ERP_G)
328
		channel_flags |= IEEE80211_CHAN_OFDM | IEEE80211_CHAN_2GHZ;
329
	else if (rate)
330
		channel_flags |= IEEE80211_CHAN_CCK | IEEE80211_CHAN_2GHZ;
331
	else
332 333
		channel_flags |= IEEE80211_CHAN_2GHZ;
	put_unaligned_le16(channel_flags, pos);
334 335 336
	pos += 2;

	/* IEEE80211_RADIOTAP_DBM_ANTSIGNAL */
337
	if (ieee80211_hw_check(&local->hw, SIGNAL_DBM) &&
338
	    !(status->flag & RX_FLAG_NO_SIGNAL_VAL)) {
339 340 341 342 343 344 345 346
		*pos = status->signal;
		rthdr->it_present |=
			cpu_to_le32(1 << IEEE80211_RADIOTAP_DBM_ANTSIGNAL);
		pos++;
	}

	/* IEEE80211_RADIOTAP_LOCK_QUALITY is missing */

347 348 349 350 351
	if (!status->chains) {
		/* IEEE80211_RADIOTAP_ANTENNA */
		*pos = status->antenna;
		pos++;
	}
352 353 354 355 356

	/* IEEE80211_RADIOTAP_DB_ANTNOISE is not used */

	/* IEEE80211_RADIOTAP_RX_FLAGS */
	/* ensure 2 byte alignment for the 2 byte field as required */
357
	if ((pos - (u8 *)rthdr) & 1)
358
		*pos++ = 0;
Johannes Berg's avatar
Johannes Berg committed
359
	if (status->flag & RX_FLAG_FAILED_PLCP_CRC)
360 361
		rx_flags |= IEEE80211_RADIOTAP_F_RX_BADPLCP;
	put_unaligned_le16(rx_flags, pos);
362
	pos += 2;
363 364

	if (status->flag & RX_FLAG_HT) {
365 366
		unsigned int stbc;

367
		rthdr->it_present |= cpu_to_le32(1 << IEEE80211_RADIOTAP_MCS);
368
		*pos++ = local->hw.radiotap_mcs_details;
369 370 371 372 373
		*pos = 0;
		if (status->flag & RX_FLAG_SHORT_GI)
			*pos |= IEEE80211_RADIOTAP_MCS_SGI;
		if (status->flag & RX_FLAG_40MHZ)
			*pos |= IEEE80211_RADIOTAP_MCS_BW_40;
374 375
		if (status->flag & RX_FLAG_HT_GF)
			*pos |= IEEE80211_RADIOTAP_MCS_FMT_GF;
376 377
		if (status->flag & RX_FLAG_LDPC)
			*pos |= IEEE80211_RADIOTAP_MCS_FEC_LDPC;
378 379
		stbc = (status->flag & RX_FLAG_STBC_MASK) >> RX_FLAG_STBC_SHIFT;
		*pos |= stbc << IEEE80211_RADIOTAP_MCS_STBC_SHIFT;
380 381 382
		pos++;
		*pos++ = status->rate_idx;
	}
383 384 385 386 387 388 389 390 391 392 393 394 395 396 397 398 399 400 401 402 403 404 405 406 407 408 409

	if (status->flag & RX_FLAG_AMPDU_DETAILS) {
		u16 flags = 0;

		/* ensure 4 byte alignment */
		while ((pos - (u8 *)rthdr) & 3)
			pos++;
		rthdr->it_present |=
			cpu_to_le32(1 << IEEE80211_RADIOTAP_AMPDU_STATUS);
		put_unaligned_le32(status->ampdu_reference, pos);
		pos += 4;
		if (status->flag & RX_FLAG_AMPDU_LAST_KNOWN)
			flags |= IEEE80211_RADIOTAP_AMPDU_LAST_KNOWN;
		if (status->flag & RX_FLAG_AMPDU_IS_LAST)
			flags |= IEEE80211_RADIOTAP_AMPDU_IS_LAST;
		if (status->flag & RX_FLAG_AMPDU_DELIM_CRC_ERROR)
			flags |= IEEE80211_RADIOTAP_AMPDU_DELIM_CRC_ERR;
		if (status->flag & RX_FLAG_AMPDU_DELIM_CRC_KNOWN)
			flags |= IEEE80211_RADIOTAP_AMPDU_DELIM_CRC_KNOWN;
		put_unaligned_le16(flags, pos);
		pos += 2;
		if (status->flag & RX_FLAG_AMPDU_DELIM_CRC_KNOWN)
			*pos++ = status->ampdu_delimiter_crc;
		else
			*pos++ = 0;
		*pos++ = 0;
	}
410

411 412 413 414 415 416 417 418 419
	if (status->flag & RX_FLAG_VHT) {
		u16 known = local->hw.radiotap_vht_details;

		rthdr->it_present |= cpu_to_le32(1 << IEEE80211_RADIOTAP_VHT);
		put_unaligned_le16(known, pos);
		pos += 2;
		/* flags */
		if (status->flag & RX_FLAG_SHORT_GI)
			*pos |= IEEE80211_RADIOTAP_VHT_FLAG_SGI;
420 421 422
		/* in VHT, STBC is binary */
		if (status->flag & RX_FLAG_STBC_MASK)
			*pos |= IEEE80211_RADIOTAP_VHT_FLAG_STBC;
423 424
		if (status->vht_flag & RX_VHT_FLAG_BF)
			*pos |= IEEE80211_RADIOTAP_VHT_FLAG_BEAMFORMED;
425 426
		pos++;
		/* bandwidth */
427
		if (status->vht_flag & RX_VHT_FLAG_80MHZ)
428
			*pos++ = 4;
429
		else if (status->vht_flag & RX_VHT_FLAG_160MHZ)
430 431 432 433 434 435 436 437 438
			*pos++ = 11;
		else if (status->flag & RX_FLAG_40MHZ)
			*pos++ = 1;
		else /* 20 MHz */
			*pos++ = 0;
		/* MCS/NSS */
		*pos = (status->rate_idx << 4) | status->vht_nss;
		pos += 4;
		/* coding field */
439 440
		if (status->flag & RX_FLAG_LDPC)
			*pos |= IEEE80211_RADIOTAP_CODING_LDPC_USER0;
441 442 443 444 445 446 447
		pos++;
		/* group ID */
		pos++;
		/* partial_aid */
		pos += 2;
	}

448 449 450 451
	for_each_set_bit(chain, &chains, IEEE80211_MAX_CHAINS) {
		*pos++ = status->chain_signal[chain];
		*pos++ = chain;
	}
452 453 454 455 456 457 458 459 460 461 462 463 464 465 466 467

	if (status->flag & RX_FLAG_RADIOTAP_VENDOR_DATA) {
		/* ensure 2 byte alignment for the vendor field as required */
		if ((pos - (u8 *)rthdr) & 1)
			*pos++ = 0;
		*pos++ = rtap.oui[0];
		*pos++ = rtap.oui[1];
		*pos++ = rtap.oui[2];
		*pos++ = rtap.subns;
		put_unaligned_le16(rtap.len, pos);
		pos += 2;
		/* align the actual payload as requested */
		while ((pos - (u8 *)rthdr) & (rtap.align - 1))
			*pos++ = 0;
		/* data (and possible padding) already follows */
	}
468 469
}

470 471 472 473 474 475 476
/*
 * This function copies a received frame to all monitor interfaces and
 * returns a cleaned-up SKB that no longer includes the FCS nor the
 * radiotap header the driver might have added.
 */
static struct sk_buff *
ieee80211_rx_monitor(struct ieee80211_local *local, struct sk_buff *origskb,
477
		     struct ieee80211_rate *rate)
478
{
479
	struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(origskb);
480
	struct ieee80211_sub_if_data *sdata;
481
	int rt_hdrlen, needed_headroom;
482 483 484
	struct sk_buff *skb, *skb2;
	struct net_device *prev_dev = NULL;
	int present_fcs_len = 0;
485 486 487 488 489 490 491
	unsigned int rtap_vendor_space = 0;

	if (unlikely(status->flag & RX_FLAG_RADIOTAP_VENDOR_DATA)) {
		struct ieee80211_vendor_radiotap *rtap = (void *)origskb->data;

		rtap_vendor_space = sizeof(*rtap) + rtap->len + rtap->pad;
	}
492 493 494 495 496 497 498 499 500

	/*
	 * First, we may need to make a copy of the skb because
	 *  (1) we need to modify it for radiotap (if not present), and
	 *  (2) the other RX handlers will modify the skb we got.
	 *
	 * We don't need to, of course, if we aren't going to return
	 * the SKB because it has a bad FCS/PLCP checksum.
	 */
501

502
	if (ieee80211_hw_check(&local->hw, RX_INCLUDES_FCS))
503 504
		present_fcs_len = FCS_LEN;

505 506
	/* ensure hdr->frame_control and vendor radiotap data are in skb head */
	if (!pskb_may_pull(origskb, 2 + rtap_vendor_space)) {
Zhu Yi's avatar
Zhu Yi committed
507 508 509 510
		dev_kfree_skb(origskb);
		return NULL;
	}

511
	if (!local->monitors || (status->flag & RX_FLAG_SKIP_MONITOR)) {
512 513
		if (should_drop_frame(origskb, present_fcs_len,
				      rtap_vendor_space)) {
514 515 516 517
			dev_kfree_skb(origskb);
			return NULL;
		}

518
		return remove_monitor_info(local, origskb, rtap_vendor_space);
519 520
	}

521
	/* room for the radiotap header based on driver features */
522 523
	rt_hdrlen = ieee80211_rx_radiotap_hdrlen(local, status, origskb);
	needed_headroom = rt_hdrlen - rtap_vendor_space;
524

525
	if (should_drop_frame(origskb, present_fcs_len, rtap_vendor_space)) {
526 527 528 529 530 531 532 533 534 535 536 537
		/* only need to expand headroom if necessary */
		skb = origskb;
		origskb = NULL;

		/*
		 * This shouldn't trigger often because most devices have an
		 * RX header they pull before we get here, and that should
		 * be big enough for our radiotap information. We should
		 * probably export the length to drivers so that we can have
		 * them allocate enough headroom to start with.
		 */
		if (skb_headroom(skb) < needed_headroom &&
538
		    pskb_expand_head(skb, needed_headroom, 0, GFP_ATOMIC)) {
539 540 541 542 543 544 545 546 547 548
			dev_kfree_skb(skb);
			return NULL;
		}
	} else {
		/*
		 * Need to make a copy and possibly remove radiotap header
		 * and FCS from the original.
		 */
		skb = skb_copy_expand(origskb, needed_headroom, 0, GFP_ATOMIC);

549 550
		origskb = remove_monitor_info(local, origskb,
					      rtap_vendor_space);
551 552 553 554 555

		if (!skb)
			return origskb;
	}

556
	/* prepend radiotap information */
557
	ieee80211_add_rx_radiotap_header(local, skb, rate, rt_hdrlen, true);
558

559
	skb_reset_mac_header(skb);
560 561 562 563 564
	skb->ip_summed = CHECKSUM_UNNECESSARY;
	skb->pkt_type = PACKET_OTHERHOST;
	skb->protocol = htons(ETH_P_802_2);

	list_for_each_entry_rcu(sdata, &local->interfaces, list) {
565
		if (sdata->vif.type != NL80211_IFTYPE_MONITOR)
566 567
			continue;

568 569 570
		if (sdata->u.mntr_flags & MONITOR_FLAG_COOK_FRAMES)
			continue;

571
		if (!ieee80211_sdata_running(sdata))
572 573
			continue;

574 575 576 577
		if (prev_dev) {
			skb2 = skb_clone(skb, GFP_ATOMIC);
			if (skb2) {
				skb2->dev = prev_dev;
578
				netif_receive_skb(skb2);
579 580 581 582
			}
		}

		prev_dev = sdata->dev;
583
		ieee80211_rx_stats(sdata->dev, skb->len);
584 585 586 587
	}

	if (prev_dev) {
		skb->dev = prev_dev;
588
		netif_receive_skb(skb);
589 590 591 592 593 594
	} else
		dev_kfree_skb(skb);

	return origskb;
}

595
static void ieee80211_parse_qos(struct ieee80211_rx_data *rx)
596
{
597
	struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)rx->skb->data;
598
	struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(rx->skb);
599
	int tid, seqno_idx, security_idx;
600 601

	/* does the frame have a qos control field? */
602 603
	if (ieee80211_is_data_qos(hdr->frame_control)) {
		u8 *qc = ieee80211_get_qos_ctl(hdr);
604
		/* frame has qos control */
605
		tid = *qc & IEEE80211_QOS_CTL_TID_MASK;
606
		if (*qc & IEEE80211_QOS_CTL_A_MSDU_PRESENT)
607
			status->rx_flags |= IEEE80211_RX_AMSDU;
608 609 610

		seqno_idx = tid;
		security_idx = tid;
611
	} else {
612 613 614 615 616 617 618 619 620 621 622
		/*
		 * IEEE 802.11-2007, 7.1.3.4.1 ("Sequence Number field"):
		 *
		 *	Sequence numbers for management frames, QoS data
		 *	frames with a broadcast/multicast address in the
		 *	Address 1 field, and all non-QoS data frames sent
		 *	by QoS STAs are assigned using an additional single
		 *	modulo-4096 counter, [...]
		 *
		 * We also use that counter for non-QoS STAs.
		 */
623
		seqno_idx = IEEE80211_NUM_TIDS;
624 625
		security_idx = 0;
		if (ieee80211_is_mgmt(hdr->frame_control))
626
			security_idx = IEEE80211_NUM_TIDS;
627
		tid = 0;
628
	}
629

630 631
	rx->seqno_idx = seqno_idx;
	rx->security_idx = security_idx;
632 633 634
	/* Set skb->priority to 1d tag if highest order bit of TID is not set.
	 * For now, set skb->priority to 0 for other cases. */
	rx->skb->priority = (tid > 7) ? 0 : tid;
635
}
636

637 638 639 640 641 642 643 644 645 646 647
/**
 * DOC: Packet alignment
 *
 * Drivers always need to pass packets that are aligned to two-byte boundaries
 * to the stack.
 *
 * Additionally, should, if possible, align the payload data in a way that
 * guarantees that the contained IP header is aligned to a four-byte
 * boundary. In the case of regular frames, this simply means aligning the
 * payload to a four-byte boundary (because either the IP header is directly
 * contained, or IV/RFC1042 headers that have a length divisible by four are
648 649 650
 * in front of it).  If the payload data is not properly aligned and the
 * architecture doesn't support efficient unaligned operations, mac80211
 * will align the data.
651 652 653 654 655 656 657
 *
 * With A-MSDU frames, however, the payload data address must yield two modulo
 * four because there are 14-byte 802.3 headers within the A-MSDU frames that
 * push the IP header further back to a multiple of four again. Thankfully, the
 * specs were sane enough this time around to require padding each A-MSDU
 * subframe to a length that is a multiple of four.
 *
Lucas De Marchi's avatar
Lucas De Marchi committed
658
 * Padding like Atheros hardware adds which is between the 802.11 header and
659 660 661 662
 * the payload is not supported, the driver is required to move the 802.11
 * header to be directly in front of the payload in that case.
 */
static void ieee80211_verify_alignment(struct ieee80211_rx_data *rx)
663
{
664
#ifdef CONFIG_MAC80211_VERBOSE_DEBUG
665
	WARN_ON_ONCE((unsigned long)rx->skb->data & 1);
666
#endif
667 668
}

669

670 671
/* rx handlers */

672 673 674 675
static int ieee80211_is_unicast_robust_mgmt_frame(struct sk_buff *skb)
{
	struct ieee80211_hdr *hdr = (struct ieee80211_hdr *) skb->data;

676
	if (is_multicast_ether_addr(hdr->addr1))
677 678
		return 0;

679
	return ieee80211_is_robust_mgmt_frame(skb);
680 681 682 683 684 685 686
}


static int ieee80211_is_multicast_robust_mgmt_frame(struct sk_buff *skb)
{
	struct ieee80211_hdr *hdr = (struct ieee80211_hdr *) skb->data;

687
	if (!is_multicast_ether_addr(hdr->addr1))
688 689
		return 0;

690
	return ieee80211_is_robust_mgmt_frame(skb);
691 692 693 694 695 696 697 698
}


/* Get the BIP key index from MMIE; return -1 if this is not a BIP frame */
static int ieee80211_get_mmie_keyidx(struct sk_buff *skb)
{
	struct ieee80211_mgmt *hdr = (struct ieee80211_mgmt *) skb->data;
	struct ieee80211_mmie *mmie;
699
	struct ieee80211_mmie_16 *mmie16;
700

701
	if (skb->len < 24 + sizeof(*mmie) || !is_multicast_ether_addr(hdr->da))
702 703
		return -1;

704
	if (!ieee80211_is_robust_mgmt_frame(skb))
705 706 707 708
		return -1; /* not a robust management frame */

	mmie = (struct ieee80211_mmie *)
		(skb->data + skb->len - sizeof(*mmie));
709 710 711 712 713 714 715 716 717 718 719 720
	if (mmie->element_id == WLAN_EID_MMIE &&
	    mmie->length == sizeof(*mmie) - 2)
		return le16_to_cpu(mmie->key_id);

	mmie16 = (struct ieee80211_mmie_16 *)
		(skb->data + skb->len - sizeof(*mmie16));
	if (skb->len >= 24 + sizeof(*mmie16) &&
	    mmie16->element_id == WLAN_EID_MMIE &&
	    mmie16->length == sizeof(*mmie16) - 2)
		return le16_to_cpu(mmie16->key_id);

	return -1;
721 722
}

723 724 725 726 727 728 729 730 731 732 733 734 735 736 737 738 739 740 741 742 743
static int iwl80211_get_cs_keyid(const struct ieee80211_cipher_scheme *cs,
				 struct sk_buff *skb)
{
	struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)skb->data;
	__le16 fc;
	int hdrlen;
	u8 keyid;

	fc = hdr->frame_control;
	hdrlen = ieee80211_hdrlen(fc);

	if (skb->len < hdrlen + cs->hdr_len)
		return -EINVAL;

	skb_copy_bits(skb, hdrlen + cs->key_idx_off, &keyid, 1);
	keyid &= cs->key_idx_mask;
	keyid >>= cs->key_idx_shift;

	return keyid;
}

744
static ieee80211_rx_result ieee80211_rx_mesh_check(struct ieee80211_rx_data *rx)
745
{
746
	struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)rx->skb->data;
747
	char *dev_addr = rx->sdata->vif.addr;
748

749
	if (ieee80211_is_data(hdr->frame_control)) {
750 751
		if (is_multicast_ether_addr(hdr->addr1)) {
			if (ieee80211_has_tods(hdr->frame_control) ||
752
			    !ieee80211_has_fromds(hdr->frame_control))
753
				return RX_DROP_MONITOR;
754
			if (ether_addr_equal(hdr->addr3, dev_addr))
755 756 757 758
				return RX_DROP_MONITOR;
		} else {
			if (!ieee80211_has_a4(hdr->frame_control))
				return RX_DROP_MONITOR;
759
			if (ether_addr_equal(hdr->addr4, dev_addr))
760 761
				return RX_DROP_MONITOR;
		}
762 763 764 765 766 767
	}

	/* If there is not an established peer link and this is not a peer link
	 * establisment frame, beacon or probe, drop the frame.
	 */

768
	if (!rx->sta || sta_plink_state(rx->sta) != NL80211_PLINK_ESTAB) {
769
		struct ieee80211_mgmt *mgmt;
770

771
		if (!ieee80211_is_mgmt(hdr->frame_control))
772 773
			return RX_DROP_MONITOR;

774
		if (ieee80211_is_action(hdr->frame_control)) {
775
			u8 category;
776 777 778 779 780

			/* make sure category field is present */
			if (rx->skb->len < IEEE80211_MIN_ACTION_SIZE)
				return RX_DROP_MONITOR;

781
			mgmt = (struct ieee80211_mgmt *)hdr;
782 783
			category = mgmt->u.action.category;
			if (category != WLAN_CATEGORY_MESH_ACTION &&
784
			    category != WLAN_CATEGORY_SELF_PROTECTED)
785 786 787 788
				return RX_DROP_MONITOR;
			return RX_CONTINUE;
		}

789 790
		if (ieee80211_is_probe_req(hdr->frame_control) ||
		    ieee80211_is_probe_resp(hdr->frame_control) ||
791 792
		    ieee80211_is_beacon(hdr->frame_control) ||
		    ieee80211_is_auth(hdr->frame_control))
793 794 795 796 797
			return RX_CONTINUE;

		return RX_DROP_MONITOR;
	}

Johannes Berg's avatar
Johannes Berg committed
798 799
	return RX_CONTINUE;
}
800

801
static void ieee80211_release_reorder_frame(struct ieee80211_sub_if_data *sdata,
802
					    struct tid_ampdu_rx *tid_agg_rx,
803 804
					    int index,
					    struct sk_buff_head *frames)
805
{
806 807
	struct sk_buff_head *skb_list = &tid_agg_rx->reorder_buf[index];
	struct sk_buff *skb;
808
	struct ieee80211_rx_status *status;
809

810 811
	lockdep_assert_held(&tid_agg_rx->reorder_lock);

812
	if (skb_queue_empty(skb_list))
813 814
		goto no_frame;

815 816 817 818 819 820
	if (!ieee80211_rx_reorder_ready(skb_list)) {
		__skb_queue_purge(skb_list);
		goto no_frame;
	}

	/* release frames from the reorder ring buffer */
821
	tid_agg_rx->stored_mpdu_num--;
822 823 824 825 826
	while ((skb = __skb_dequeue(skb_list))) {
		status = IEEE80211_SKB_RXCB(skb);
		status->rx_flags |= IEEE80211_RX_DEFERRED_RELEASE;
		__skb_queue_tail(frames, skb);
	}
827 828

no_frame:
829
	tid_agg_rx->head_seq_num = ieee80211_sn_inc(tid_agg_rx->head_seq_num);
830 831
}

832
static void ieee80211_release_reorder_frames(struct ieee80211_sub_if_data *sdata,
833
					     struct tid_ampdu_rx *tid_agg_rx,
834 835
					     u16 head_seq_num,
					     struct sk_buff_head *frames)
836 837 838
{
	int index;

839 840
	lockdep_assert_held(&tid_agg_rx->reorder_lock);

841
	while (ieee80211_sn_less(tid_agg_rx->head_seq_num, head_seq_num)) {
842
		index = tid_agg_rx->head_seq_num % tid_agg_rx->buf_size;
843 844
		ieee80211_release_reorder_frame(sdata, tid_agg_rx, index,
						frames);
845 846 847 848 849 850 851 852 853
	}
}

/*
 * Timeout (in jiffies) for skb's that are waiting in the RX reorder buffer. If
 * the skb was added to the buffer longer than this time ago, the earlier
 * frames that have not yet been received are assumed to be lost and the skb
 * can be released for processing. This may also release other skb's from the
 * reorder buffer if there are no additional gaps between the frames.
854 855
 *
 * Callers must hold tid_agg_rx->reorder_lock.
856 857 858
 */
#define HT_RX_REORDER_BUF_TIMEOUT (HZ / 10)

859
static void ieee80211_sta_reorder_release(struct ieee80211_sub_if_data *sdata,
860 861
					  struct tid_ampdu_rx *tid_agg_rx,
					  struct sk_buff_head *frames)
862
{
863
	int index, i, j;
864

865 866
	lockdep_assert_held(&tid_agg_rx->reorder_lock);

867
	/* release the buffer until next missing frame */
868
	index = tid_agg_rx->head_seq_num % tid_agg_rx->buf_size;
869
	if (!ieee80211_rx_reorder_ready(&tid_agg_rx->reorder_buf[index]) &&
870
	    tid_agg_rx->stored_mpdu_num) {
871 872 873 874 875 876 877
		/*
		 * No buffers ready to be released, but check whether any
		 * frames in the reorder buffer have timed out.
		 */
		int skipped = 1;
		for (j = (index + 1) % tid_agg_rx->buf_size; j != index;
		     j = (j + 1) % tid_agg_rx->buf_size) {
878 879
			if (!ieee80211_rx_reorder_ready(
					&tid_agg_rx->reorder_buf[j])) {
880 881 882
				skipped++;
				continue;
			}
883 884
			if (skipped &&
			    !time_after(jiffies, tid_agg_rx->reorder_time[j] +
885
					HT_RX_REORDER_BUF_TIMEOUT))
886
				goto set_release_timer;
887

888 889 890 891 892
			/* don't leave incomplete A-MSDUs around */
			for (i = (index + 1) % tid_agg_rx->buf_size; i != j;
			     i = (i + 1) % tid_agg_rx->buf_size)
				__skb_queue_purge(&tid_agg_rx->reorder_buf[i]);

Johannes Berg's avatar
Johannes Berg committed
893 894
			ht_dbg_ratelimited(sdata,
					   "release an RX reorder frame due to timeout on earlier frames\n");
895 896
			ieee80211_release_reorder_frame(sdata, tid_agg_rx, j,
							frames);
897 898 899 900 901

			/*
			 * Increment the head seq# also for the skipped slots.
			 */
			tid_agg_rx->head_seq_num =
902 903
				(tid_agg_rx->head_seq_num +
				 skipped) & IEEE80211_SN_MASK;
904 905
			skipped = 0;
		}
906 907
	} else while (ieee80211_rx_reorder_ready(
				&tid_agg_rx->reorder_buf[index])) {
908 909
		ieee80211_release_reorder_frame(sdata, tid_agg_rx, index,
						frames);
910
		index =	tid_agg_rx->head_seq_num % tid_agg_rx->buf_size;
911
	}
912 913

	if (tid_agg_rx->stored_mpdu_num) {
914
		j = index = tid_agg_rx->head_seq_num % tid_agg_rx->buf_size;
915 916 917

		for (; j != (index - 1) % tid_agg_rx->buf_size;
		     j = (j + 1) % tid_agg_rx->buf_size) {
918 919
			if (ieee80211_rx_reorder_ready(
					&tid_agg_rx->reorder_buf[j]))
920 921 922 923 924
				break;
		}

 set_release_timer:

925 926 927 928
		if (!tid_agg_rx->removed)
			mod_timer(&tid_agg_rx->reorder_timer,
				  tid_agg_rx->reorder_time[j] + 1 +
				  HT_RX_REORDER_BUF_TIMEOUT);
929 930 931
	} else {
		del_timer(&tid_agg_rx->reorder_timer);
	}
932 933
}

934 935 936 937 938
/*
 * As this function belongs to the RX path it must be under
 * rcu_read_lock protection. It returns false if the frame
 * can be processed immediately, true if it was consumed.
 */
939
static bool ieee80211_sta_manage_reorder_buf(struct ieee80211_sub_if_data *sdata,
940
					     struct tid_ampdu_rx *tid_agg_rx,
941 942
					     struct sk_buff *skb,
					     struct sk_buff_head *frames)
943 944
{
	struct ieee80211_hdr *hdr = (struct ieee80211_hdr *) skb->data;
945
	struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb);
946 947 948 949
	u16 sc = le16_to_cpu(hdr->seq_ctrl);
	u16 mpdu_seq_num = (sc & IEEE80211_SCTL_SEQ) >> 4;
	u16 head_seq_num, buf_size;
	int index;
950
	bool ret = true;
951

952 953
	spin_lock(&tid_agg_rx->reorder_lock);

954 955 956 957 958 959 960 961 962 963
	/*
	 * Offloaded BA sessions have no known starting sequence number so pick
	 * one from first Rxed frame for this tid after BA was started.
	 */
	if (unlikely(tid_agg_rx->auto_seq)) {
		tid_agg_rx->auto_seq = false;
		tid_agg_rx->ssn = mpdu_seq_num;
		tid_agg_rx->head_seq_num = mpdu_seq_num;
	}

964 965 966 967
	buf_size = tid_agg_rx->buf_size;
	head_seq_num = tid_agg_rx->head_seq_num;

	/* frame with out of date sequence number */
968
	if (ieee80211_sn_less(mpdu_seq_num, head_seq_num)) {
969
		dev_kfree_skb(skb);
970
		goto out;
971 972 973 974 975 976
	}

	/*
	 * If frame the sequence number exceeds our buffering window
	 * size release some previous frames to make room for this one.
	 */
977 978 979
	if (!ieee80211_sn_less(mpdu_seq_num, head_seq_num + buf_size)) {
		head_seq_num = ieee80211_sn_inc(
				ieee80211_sn_sub(mpdu_seq_num, buf_size));
980
		/* release stored frames up to new head to stack */
981
		ieee80211_release_reorder_frames(sdata, tid_agg_rx,
982
						 head_seq_num, frames);
983 984 985 986
	}

	/* Now the new frame is always in the range of the reordering buffer */

987
	index = mpdu_seq_num % tid_agg_rx->buf_size;
988 989

	/* check if we already stored this frame */
990
	if (ieee80211_rx_reorder_ready(&tid_agg_rx->reorder_buf[index])) {
991
		dev_kfree_skb(skb);
992
		goto out;
993 994 995 996 997
	}

	/*
	 * If the current MPDU is in the right order and nothing else
	 * is stored we can process it directly, no need to buffer it.
998 999
	 * If it is first but there's something stored, we may be able
	 * to release frames after this one.
1000 1001 1002
	 */
	if (mpdu_seq_num == tid_agg_rx->head_seq_num &&
	    tid_agg_rx->stored_mpdu_num == 0) {
1003 1004 1005
		if (!(status->flag & RX_FLAG_AMSDU_MORE))
			tid_agg_rx->head_seq_num =
				ieee80211_sn_inc(tid_agg_rx->head_seq_num);
1006 1007
		ret = false;
		goto out;
1008 1009 1010
	}

	/* put the frame in the reordering buffer */
1011 1012 1013 1014 1015 1016
	__skb_queue_tail(&tid_agg_rx->reorder_buf[index], skb);
	if (!(status->flag & RX_FLAG_AMSDU_MORE)) {
		tid_agg_rx->reorder_time[index] = jiffies;
		tid_agg_rx->stored_mpdu_num++;
		ieee80211_sta_reorder_release(sdata, tid_agg_rx, frames);
	}
1017

1018 1019 1020
 out:
	spin_unlock(&tid_agg_rx->reorder_lock);
	return ret;
1021 1022 1023 1024 1025 1026
}

/*
 * Reorder MPDUs from A-MPDUs, keeping them on a buffer. Returns
 * true if the MPDU was buffered, false if it should be processed.
 */
1027 1028
static void ieee80211_rx_reorder_ampdu(struct ieee80211_rx_data *rx,
				       struct sk_buff_head *frames)
1029
{
1030 1031
	struct sk_buff *skb = rx->skb;
	struct ieee80211_local *local = rx->local;
1032
	struct ieee80211_hdr *hdr = (struct ieee80211_hdr *) skb->data;
1033
	struct sta_info *sta = rx->sta;
1034 1035