rx.c 89 KB
Newer Older
1 2 3 4
/*
 * Copyright 2002-2005, Instant802 Networks, Inc.
 * Copyright 2005-2006, Devicescape Software, Inc.
 * Copyright 2006-2007	Jiri Benc <jbenc@suse.cz>
5
 * Copyright 2007-2010	Johannes Berg <johannes@sipsolutions.net>
6 7 8 9 10 11
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License version 2 as
 * published by the Free Software Foundation.
 */

12
#include <linux/jiffies.h>
13
#include <linux/slab.h>
14 15 16 17
#include <linux/kernel.h>
#include <linux/skbuff.h>
#include <linux/netdevice.h>
#include <linux/etherdevice.h>
18
#include <linux/rcupdate.h>
19
#include <linux/export.h>
20 21
#include <net/mac80211.h>
#include <net/ieee80211_radiotap.h>
22
#include <asm/unaligned.h>
23 24

#include "ieee80211_i.h"
25
#include "driver-ops.h"
Johannes Berg's avatar
Johannes Berg committed
26
#include "led.h"
27
#include "mesh.h"
28 29 30 31
#include "wep.h"
#include "wpa.h"
#include "tkip.h"
#include "wme.h"
32
#include "rate.h"
33

34 35 36 37 38 39 40
/*
 * monitor mode reception
 *
 * This function cleans up the SKB, i.e. it removes all the stuff
 * only useful for monitoring.
 */
static struct sk_buff *remove_monitor_info(struct ieee80211_local *local,
41
					   struct sk_buff *skb)
42
{
43 44
	struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb);

45 46
	if (local->hw.flags & IEEE80211_HW_RX_INCLUDES_FCS) {
		if (likely(skb->len > FCS_LEN))
Zhu Yi's avatar
Zhu Yi committed
47
			__pskb_trim(skb, skb->len - FCS_LEN);
48 49 50 51 52 53 54 55
		else {
			/* driver bug */
			WARN_ON(1);
			dev_kfree_skb(skb);
			skb = NULL;
		}
	}

56 57 58
	if (status->vendor_radiotap_len)
		__pskb_pull(skb, status->vendor_radiotap_len);

59 60 61
	return skb;
}

62
static inline int should_drop_frame(struct sk_buff *skb, int present_fcs_len)
63
{
64
	struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb);
65 66 67
	struct ieee80211_hdr *hdr;

	hdr = (void *)(skb->data + status->vendor_radiotap_len);
68

69 70 71
	if (status->flag & (RX_FLAG_FAILED_FCS_CRC |
			    RX_FLAG_FAILED_PLCP_CRC |
			    RX_FLAG_AMPDU_IS_ZEROLEN))
72
		return 1;
73 74
	if (unlikely(skb->len < 16 + present_fcs_len +
				status->vendor_radiotap_len))
75
		return 1;
76 77 78
	if (ieee80211_is_ctl(hdr->frame_control) &&
	    !ieee80211_is_pspoll(hdr->frame_control) &&
	    !ieee80211_is_back_req(hdr->frame_control))
79 80 81 82
		return 1;
	return 0;
}

83
static int
84 85
ieee80211_rx_radiotap_space(struct ieee80211_local *local,
			    struct ieee80211_rx_status *status)
86 87 88 89 90 91
{
	int len;

	/* always present fields */
	len = sizeof(struct ieee80211_radiotap_header) + 9;

92 93 94 95 96 97
	/* allocate extra bitmap */
	if (status->vendor_radiotap_len)
		len += 4;

	if (ieee80211_have_rx_timestamp(status)) {
		len = ALIGN(len, 8);
98
		len += 8;
99
	}
Johannes Berg's avatar
Johannes Berg committed
100
	if (local->hw.flags & IEEE80211_HW_SIGNAL_DBM)
101 102
		len += 1;

103 104
	/* padding for RX_FLAGS if necessary */
	len = ALIGN(len, 2);
105

106 107 108
	if (status->flag & RX_FLAG_HT) /* HT info */
		len += 3;

109
	if (status->flag & RX_FLAG_AMPDU_DETAILS) {
110
		len = ALIGN(len, 4);
111 112 113
		len += 8;
	}

114 115 116 117 118 119 120 121 122 123 124 125
	if (status->vendor_radiotap_len) {
		if (WARN_ON_ONCE(status->vendor_radiotap_align == 0))
			status->vendor_radiotap_align = 1;
		/* align standard part of vendor namespace */
		len = ALIGN(len, 2);
		/* allocate standard part of vendor namespace */
		len += 6;
		/* align vendor-defined part */
		len = ALIGN(len, status->vendor_radiotap_align);
		/* vendor-defined part is already in skb */
	}

126 127 128
	return len;
}

129
/*
130 131 132 133 134 135 136 137
 * ieee80211_add_rx_radiotap_header - add radiotap header
 *
 * add a radiotap header containing all the fields which the hardware provided.
 */
static void
ieee80211_add_rx_radiotap_header(struct ieee80211_local *local,
				 struct sk_buff *skb,
				 struct ieee80211_rate *rate,
138
				 int rtap_len, bool has_fcs)
139
{
140
	struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb);
141 142
	struct ieee80211_radiotap_header *rthdr;
	unsigned char *pos;
143
	u16 rx_flags = 0;
144 145 146 147 148
	int mpdulen;

	mpdulen = skb->len;
	if (!(has_fcs && (local->hw.flags & IEEE80211_HW_RX_INCLUDES_FCS)))
		mpdulen += FCS_LEN;
149 150 151 152 153 154 155 156 157 158

	rthdr = (struct ieee80211_radiotap_header *)skb_push(skb, rtap_len);
	memset(rthdr, 0, rtap_len);

	/* radiotap header, set always present flags */
	rthdr->it_present =
		cpu_to_le32((1 << IEEE80211_RADIOTAP_FLAGS) |
			    (1 << IEEE80211_RADIOTAP_CHANNEL) |
			    (1 << IEEE80211_RADIOTAP_ANTENNA) |
			    (1 << IEEE80211_RADIOTAP_RX_FLAGS));
159
	rthdr->it_len = cpu_to_le16(rtap_len + status->vendor_radiotap_len);
160

161
	pos = (unsigned char *)(rthdr + 1);
162

163 164 165 166 167 168 169 170
	if (status->vendor_radiotap_len) {
		rthdr->it_present |=
			cpu_to_le32(BIT(IEEE80211_RADIOTAP_VENDOR_NAMESPACE)) |
			cpu_to_le32(BIT(IEEE80211_RADIOTAP_EXT));
		put_unaligned_le32(status->vendor_radiotap_bitmap, pos);
		pos += 4;
	}

171 172 173
	/* the order of the following fields is important */

	/* IEEE80211_RADIOTAP_TSFT */
174
	if (ieee80211_have_rx_timestamp(status)) {
175 176 177
		/* padding */
		while ((pos - (u8 *)rthdr) & 7)
			*pos++ = 0;
178 179 180 181
		put_unaligned_le64(
			ieee80211_calculate_rx_timestamp(local, status,
							 mpdulen, 0),
			pos);
182
		rthdr->it_present |= cpu_to_le32(1 << IEEE80211_RADIOTAP_TSFT);
183 184 185 186
		pos += 8;
	}

	/* IEEE80211_RADIOTAP_FLAGS */
187
	if (has_fcs && (local->hw.flags & IEEE80211_HW_RX_INCLUDES_FCS))
188
		*pos |= IEEE80211_RADIOTAP_F_FCS;
Johannes Berg's avatar
Johannes Berg committed
189 190
	if (status->flag & (RX_FLAG_FAILED_FCS_CRC | RX_FLAG_FAILED_PLCP_CRC))
		*pos |= IEEE80211_RADIOTAP_F_BADFCS;
191 192
	if (status->flag & RX_FLAG_SHORTPRE)
		*pos |= IEEE80211_RADIOTAP_F_SHORTPRE;
193 194 195
	pos++;

	/* IEEE80211_RADIOTAP_RATE */
196
	if (!rate || status->flag & (RX_FLAG_HT | RX_FLAG_VHT)) {
197
		/*
198
		 * Without rate information don't add it. If we have,
199
		 * MCS information is a separate field in radiotap,
200 201
		 * added below. The byte here is needed as padding
		 * for the channel though, so initialise it to 0.
202 203
		 */
		*pos = 0;
204
	} else {
205
		rthdr->it_present |= cpu_to_le32(1 << IEEE80211_RADIOTAP_RATE);
206
		*pos = rate->bitrate / 5;
207
	}
208 209 210
	pos++;

	/* IEEE80211_RADIOTAP_CHANNEL */
211
	put_unaligned_le16(status->freq, pos);
212 213
	pos += 2;
	if (status->band == IEEE80211_BAND_5GHZ)
214 215
		put_unaligned_le16(IEEE80211_CHAN_OFDM | IEEE80211_CHAN_5GHZ,
				   pos);
216
	else if (status->flag & (RX_FLAG_HT | RX_FLAG_VHT))
217 218
		put_unaligned_le16(IEEE80211_CHAN_DYN | IEEE80211_CHAN_2GHZ,
				   pos);
219
	else if (rate && rate->flags & IEEE80211_RATE_ERP_G)
220 221
		put_unaligned_le16(IEEE80211_CHAN_OFDM | IEEE80211_CHAN_2GHZ,
				   pos);
222
	else if (rate)
223 224
		put_unaligned_le16(IEEE80211_CHAN_CCK | IEEE80211_CHAN_2GHZ,
				   pos);
225 226
	else
		put_unaligned_le16(IEEE80211_CHAN_2GHZ, pos);
227 228 229
	pos += 2;

	/* IEEE80211_RADIOTAP_DBM_ANTSIGNAL */
230 231
	if (local->hw.flags & IEEE80211_HW_SIGNAL_DBM &&
	    !(status->flag & RX_FLAG_NO_SIGNAL_VAL)) {
232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247
		*pos = status->signal;
		rthdr->it_present |=
			cpu_to_le32(1 << IEEE80211_RADIOTAP_DBM_ANTSIGNAL);
		pos++;
	}

	/* IEEE80211_RADIOTAP_LOCK_QUALITY is missing */

	/* IEEE80211_RADIOTAP_ANTENNA */
	*pos = status->antenna;
	pos++;

	/* IEEE80211_RADIOTAP_DB_ANTNOISE is not used */

	/* IEEE80211_RADIOTAP_RX_FLAGS */
	/* ensure 2 byte alignment for the 2 byte field as required */
248
	if ((pos - (u8 *)rthdr) & 1)
249
		*pos++ = 0;
Johannes Berg's avatar
Johannes Berg committed
250
	if (status->flag & RX_FLAG_FAILED_PLCP_CRC)
251 252
		rx_flags |= IEEE80211_RADIOTAP_F_RX_BADPLCP;
	put_unaligned_le16(rx_flags, pos);
253
	pos += 2;
254 255 256

	if (status->flag & RX_FLAG_HT) {
		rthdr->it_present |= cpu_to_le32(1 << IEEE80211_RADIOTAP_MCS);
257
		*pos++ = local->hw.radiotap_mcs_details;
258 259 260 261 262
		*pos = 0;
		if (status->flag & RX_FLAG_SHORT_GI)
			*pos |= IEEE80211_RADIOTAP_MCS_SGI;
		if (status->flag & RX_FLAG_40MHZ)
			*pos |= IEEE80211_RADIOTAP_MCS_BW_40;
263 264
		if (status->flag & RX_FLAG_HT_GF)
			*pos |= IEEE80211_RADIOTAP_MCS_FMT_GF;
265 266 267
		pos++;
		*pos++ = status->rate_idx;
	}
268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298

	if (status->flag & RX_FLAG_AMPDU_DETAILS) {
		u16 flags = 0;

		/* ensure 4 byte alignment */
		while ((pos - (u8 *)rthdr) & 3)
			pos++;
		rthdr->it_present |=
			cpu_to_le32(1 << IEEE80211_RADIOTAP_AMPDU_STATUS);
		put_unaligned_le32(status->ampdu_reference, pos);
		pos += 4;
		if (status->flag & RX_FLAG_AMPDU_REPORT_ZEROLEN)
			flags |= IEEE80211_RADIOTAP_AMPDU_REPORT_ZEROLEN;
		if (status->flag & RX_FLAG_AMPDU_IS_ZEROLEN)
			flags |= IEEE80211_RADIOTAP_AMPDU_IS_ZEROLEN;
		if (status->flag & RX_FLAG_AMPDU_LAST_KNOWN)
			flags |= IEEE80211_RADIOTAP_AMPDU_LAST_KNOWN;
		if (status->flag & RX_FLAG_AMPDU_IS_LAST)
			flags |= IEEE80211_RADIOTAP_AMPDU_IS_LAST;
		if (status->flag & RX_FLAG_AMPDU_DELIM_CRC_ERROR)
			flags |= IEEE80211_RADIOTAP_AMPDU_DELIM_CRC_ERR;
		if (status->flag & RX_FLAG_AMPDU_DELIM_CRC_KNOWN)
			flags |= IEEE80211_RADIOTAP_AMPDU_DELIM_CRC_KNOWN;
		put_unaligned_le16(flags, pos);
		pos += 2;
		if (status->flag & RX_FLAG_AMPDU_DELIM_CRC_KNOWN)
			*pos++ = status->ampdu_delimiter_crc;
		else
			*pos++ = 0;
		*pos++ = 0;
	}
299 300 301 302 303 304 305 306 307 308 309 310 311 312 313

	if (status->vendor_radiotap_len) {
		/* ensure 2 byte alignment for the vendor field as required */
		if ((pos - (u8 *)rthdr) & 1)
			*pos++ = 0;
		*pos++ = status->vendor_radiotap_oui[0];
		*pos++ = status->vendor_radiotap_oui[1];
		*pos++ = status->vendor_radiotap_oui[2];
		*pos++ = status->vendor_radiotap_subns;
		put_unaligned_le16(status->vendor_radiotap_len, pos);
		pos += 2;
		/* align the actual payload as requested */
		while ((pos - (u8 *)rthdr) & (status->vendor_radiotap_align - 1))
			*pos++ = 0;
	}
314 315
}

316 317 318 319 320 321 322
/*
 * This function copies a received frame to all monitor interfaces and
 * returns a cleaned-up SKB that no longer includes the FCS nor the
 * radiotap header the driver might have added.
 */
static struct sk_buff *
ieee80211_rx_monitor(struct ieee80211_local *local, struct sk_buff *origskb,
323
		     struct ieee80211_rate *rate)
324
{
325
	struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(origskb);
326
	struct ieee80211_sub_if_data *sdata;
327
	int needed_headroom;
328 329 330 331 332 333 334 335 336 337 338 339
	struct sk_buff *skb, *skb2;
	struct net_device *prev_dev = NULL;
	int present_fcs_len = 0;

	/*
	 * First, we may need to make a copy of the skb because
	 *  (1) we need to modify it for radiotap (if not present), and
	 *  (2) the other RX handlers will modify the skb we got.
	 *
	 * We don't need to, of course, if we aren't going to return
	 * the SKB because it has a bad FCS/PLCP checksum.
	 */
340 341

	/* room for the radiotap header based on driver features */
342
	needed_headroom = ieee80211_rx_radiotap_space(local, status);
343 344 345 346

	if (local->hw.flags & IEEE80211_HW_RX_INCLUDES_FCS)
		present_fcs_len = FCS_LEN;

347 348
	/* ensure hdr->frame_control and vendor radiotap data are in skb head */
	if (!pskb_may_pull(origskb, 2 + status->vendor_radiotap_len)) {
Zhu Yi's avatar
Zhu Yi committed
349 350 351 352
		dev_kfree_skb(origskb);
		return NULL;
	}

353
	if (!local->monitors) {
354
		if (should_drop_frame(origskb, present_fcs_len)) {
355 356 357 358
			dev_kfree_skb(origskb);
			return NULL;
		}

359
		return remove_monitor_info(local, origskb);
360 361
	}

362
	if (should_drop_frame(origskb, present_fcs_len)) {
363 364 365 366 367 368 369 370 371 372 373 374
		/* only need to expand headroom if necessary */
		skb = origskb;
		origskb = NULL;

		/*
		 * This shouldn't trigger often because most devices have an
		 * RX header they pull before we get here, and that should
		 * be big enough for our radiotap information. We should
		 * probably export the length to drivers so that we can have
		 * them allocate enough headroom to start with.
		 */
		if (skb_headroom(skb) < needed_headroom &&
375
		    pskb_expand_head(skb, needed_headroom, 0, GFP_ATOMIC)) {
376 377 378 379 380 381 382 383 384 385
			dev_kfree_skb(skb);
			return NULL;
		}
	} else {
		/*
		 * Need to make a copy and possibly remove radiotap header
		 * and FCS from the original.
		 */
		skb = skb_copy_expand(origskb, needed_headroom, 0, GFP_ATOMIC);

386
		origskb = remove_monitor_info(local, origskb);
387 388 389 390 391

		if (!skb)
			return origskb;
	}

392
	/* prepend radiotap information */
393 394
	ieee80211_add_rx_radiotap_header(local, skb, rate, needed_headroom,
					 true);
395

396
	skb_reset_mac_header(skb);
397 398 399 400 401
	skb->ip_summed = CHECKSUM_UNNECESSARY;
	skb->pkt_type = PACKET_OTHERHOST;
	skb->protocol = htons(ETH_P_802_2);

	list_for_each_entry_rcu(sdata, &local->interfaces, list) {
402
		if (sdata->vif.type != NL80211_IFTYPE_MONITOR)
403 404
			continue;

405 406 407
		if (sdata->u.mntr_flags & MONITOR_FLAG_COOK_FRAMES)
			continue;

408
		if (!ieee80211_sdata_running(sdata))
409 410
			continue;

411 412 413 414
		if (prev_dev) {
			skb2 = skb_clone(skb, GFP_ATOMIC);
			if (skb2) {
				skb2->dev = prev_dev;
415
				netif_receive_skb(skb2);
416 417 418 419 420 421 422 423 424 425
			}
		}

		prev_dev = sdata->dev;
		sdata->dev->stats.rx_packets++;
		sdata->dev->stats.rx_bytes += skb->len;
	}

	if (prev_dev) {
		skb->dev = prev_dev;
426
		netif_receive_skb(skb);
427 428 429 430 431 432
	} else
		dev_kfree_skb(skb);

	return origskb;
}

433
static void ieee80211_parse_qos(struct ieee80211_rx_data *rx)
434
{
435
	struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)rx->skb->data;
436
	struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(rx->skb);
437
	int tid, seqno_idx, security_idx;
438 439

	/* does the frame have a qos control field? */
440 441
	if (ieee80211_is_data_qos(hdr->frame_control)) {
		u8 *qc = ieee80211_get_qos_ctl(hdr);
442
		/* frame has qos control */
443
		tid = *qc & IEEE80211_QOS_CTL_TID_MASK;
444
		if (*qc & IEEE80211_QOS_CTL_A_MSDU_PRESENT)
445
			status->rx_flags |= IEEE80211_RX_AMSDU;
446 447 448

		seqno_idx = tid;
		security_idx = tid;
449
	} else {
450 451 452 453 454 455 456 457 458 459 460
		/*
		 * IEEE 802.11-2007, 7.1.3.4.1 ("Sequence Number field"):
		 *
		 *	Sequence numbers for management frames, QoS data
		 *	frames with a broadcast/multicast address in the
		 *	Address 1 field, and all non-QoS data frames sent
		 *	by QoS STAs are assigned using an additional single
		 *	modulo-4096 counter, [...]
		 *
		 * We also use that counter for non-QoS STAs.
		 */
461
		seqno_idx = IEEE80211_NUM_TIDS;
462 463
		security_idx = 0;
		if (ieee80211_is_mgmt(hdr->frame_control))
464
			security_idx = IEEE80211_NUM_TIDS;
465
		tid = 0;
466
	}
467

468 469
	rx->seqno_idx = seqno_idx;
	rx->security_idx = security_idx;
470 471 472
	/* Set skb->priority to 1d tag if highest order bit of TID is not set.
	 * For now, set skb->priority to 0 for other cases. */
	rx->skb->priority = (tid > 7) ? 0 : tid;
473
}
474

475 476 477 478 479 480 481 482 483 484 485
/**
 * DOC: Packet alignment
 *
 * Drivers always need to pass packets that are aligned to two-byte boundaries
 * to the stack.
 *
 * Additionally, should, if possible, align the payload data in a way that
 * guarantees that the contained IP header is aligned to a four-byte
 * boundary. In the case of regular frames, this simply means aligning the
 * payload to a four-byte boundary (because either the IP header is directly
 * contained, or IV/RFC1042 headers that have a length divisible by four are
486 487 488
 * in front of it).  If the payload data is not properly aligned and the
 * architecture doesn't support efficient unaligned operations, mac80211
 * will align the data.
489 490 491 492 493 494 495
 *
 * With A-MSDU frames, however, the payload data address must yield two modulo
 * four because there are 14-byte 802.3 headers within the A-MSDU frames that
 * push the IP header further back to a multiple of four again. Thankfully, the
 * specs were sane enough this time around to require padding each A-MSDU
 * subframe to a length that is a multiple of four.
 *
Lucas De Marchi's avatar
Lucas De Marchi committed
496
 * Padding like Atheros hardware adds which is between the 802.11 header and
497 498 499 500
 * the payload is not supported, the driver is required to move the 802.11
 * header to be directly in front of the payload in that case.
 */
static void ieee80211_verify_alignment(struct ieee80211_rx_data *rx)
501
{
502 503 504
#ifdef CONFIG_MAC80211_VERBOSE_DEBUG
	WARN_ONCE((unsigned long)rx->skb->data & 1,
		  "unaligned packet at 0x%p\n", rx->skb->data);
505
#endif
506 507
}

508

509 510
/* rx handlers */

511 512 513 514 515 516 517 518 519 520 521 522 523 524 525 526 527 528 529 530 531 532 533 534 535 536 537 538
static int ieee80211_is_unicast_robust_mgmt_frame(struct sk_buff *skb)
{
	struct ieee80211_hdr *hdr = (struct ieee80211_hdr *) skb->data;

	if (skb->len < 24 || is_multicast_ether_addr(hdr->addr1))
		return 0;

	return ieee80211_is_robust_mgmt_frame(hdr);
}


static int ieee80211_is_multicast_robust_mgmt_frame(struct sk_buff *skb)
{
	struct ieee80211_hdr *hdr = (struct ieee80211_hdr *) skb->data;

	if (skb->len < 24 || !is_multicast_ether_addr(hdr->addr1))
		return 0;

	return ieee80211_is_robust_mgmt_frame(hdr);
}


/* Get the BIP key index from MMIE; return -1 if this is not a BIP frame */
static int ieee80211_get_mmie_keyidx(struct sk_buff *skb)
{
	struct ieee80211_mgmt *hdr = (struct ieee80211_mgmt *) skb->data;
	struct ieee80211_mmie *mmie;

539
	if (skb->len < 24 + sizeof(*mmie) || !is_multicast_ether_addr(hdr->da))
540 541 542 543 544 545 546 547 548 549 550 551 552 553
		return -1;

	if (!ieee80211_is_robust_mgmt_frame((struct ieee80211_hdr *) hdr))
		return -1; /* not a robust management frame */

	mmie = (struct ieee80211_mmie *)
		(skb->data + skb->len - sizeof(*mmie));
	if (mmie->element_id != WLAN_EID_MMIE ||
	    mmie->length != sizeof(*mmie) - 2)
		return -1;

	return le16_to_cpu(mmie->key_id);
}

554
static ieee80211_rx_result ieee80211_rx_mesh_check(struct ieee80211_rx_data *rx)
555
{
556
	struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)rx->skb->data;
557
	char *dev_addr = rx->sdata->vif.addr;
558

559
	if (ieee80211_is_data(hdr->frame_control)) {
560 561
		if (is_multicast_ether_addr(hdr->addr1)) {
			if (ieee80211_has_tods(hdr->frame_control) ||
562
			    !ieee80211_has_fromds(hdr->frame_control))
563
				return RX_DROP_MONITOR;
564
			if (ether_addr_equal(hdr->addr3, dev_addr))
565 566 567 568
				return RX_DROP_MONITOR;
		} else {
			if (!ieee80211_has_a4(hdr->frame_control))
				return RX_DROP_MONITOR;
569
			if (ether_addr_equal(hdr->addr4, dev_addr))
570 571
				return RX_DROP_MONITOR;
		}
572 573 574 575 576 577
	}

	/* If there is not an established peer link and this is not a peer link
	 * establisment frame, beacon or probe, drop the frame.
	 */

578
	if (!rx->sta || sta_plink_state(rx->sta) != NL80211_PLINK_ESTAB) {
579
		struct ieee80211_mgmt *mgmt;
580

581
		if (!ieee80211_is_mgmt(hdr->frame_control))
582 583
			return RX_DROP_MONITOR;

584
		if (ieee80211_is_action(hdr->frame_control)) {
585
			u8 category;
586 587 588 589 590

			/* make sure category field is present */
			if (rx->skb->len < IEEE80211_MIN_ACTION_SIZE)
				return RX_DROP_MONITOR;

591
			mgmt = (struct ieee80211_mgmt *)hdr;
592 593
			category = mgmt->u.action.category;
			if (category != WLAN_CATEGORY_MESH_ACTION &&
594
			    category != WLAN_CATEGORY_SELF_PROTECTED)
595 596 597 598
				return RX_DROP_MONITOR;
			return RX_CONTINUE;
		}

599 600
		if (ieee80211_is_probe_req(hdr->frame_control) ||
		    ieee80211_is_probe_resp(hdr->frame_control) ||
601 602
		    ieee80211_is_beacon(hdr->frame_control) ||
		    ieee80211_is_auth(hdr->frame_control))
603 604 605 606 607
			return RX_CONTINUE;

		return RX_DROP_MONITOR;
	}

Johannes Berg's avatar
Johannes Berg committed
608 609
	return RX_CONTINUE;
}
610

611 612 613 614 615 616 617 618 619 620 621 622 623 624 625 626 627 628
#define SEQ_MODULO 0x1000
#define SEQ_MASK   0xfff

static inline int seq_less(u16 sq1, u16 sq2)
{
	return ((sq1 - sq2) & SEQ_MASK) > (SEQ_MODULO >> 1);
}

static inline u16 seq_inc(u16 sq)
{
	return (sq + 1) & SEQ_MASK;
}

static inline u16 seq_sub(u16 sq1, u16 sq2)
{
	return (sq1 - sq2) & SEQ_MASK;
}

629
static void ieee80211_release_reorder_frame(struct ieee80211_sub_if_data *sdata,
630
					    struct tid_ampdu_rx *tid_agg_rx,
631
					    int index)
632
{
633
	struct ieee80211_local *local = sdata->local;
634
	struct sk_buff *skb = tid_agg_rx->reorder_buf[index];
635
	struct ieee80211_rx_status *status;
636

637 638
	lockdep_assert_held(&tid_agg_rx->reorder_lock);

639 640 641
	if (!skb)
		goto no_frame;

642
	/* release the frame from the reorder ring buffer */
643 644
	tid_agg_rx->stored_mpdu_num--;
	tid_agg_rx->reorder_buf[index] = NULL;
645 646
	status = IEEE80211_SKB_RXCB(skb);
	status->rx_flags |= IEEE80211_RX_DEFERRED_RELEASE;
647
	skb_queue_tail(&local->rx_skb_queue, skb);
648 649 650 651 652

no_frame:
	tid_agg_rx->head_seq_num = seq_inc(tid_agg_rx->head_seq_num);
}

653
static void ieee80211_release_reorder_frames(struct ieee80211_sub_if_data *sdata,
654
					     struct tid_ampdu_rx *tid_agg_rx,
655
					     u16 head_seq_num)
656 657 658
{
	int index;

659 660
	lockdep_assert_held(&tid_agg_rx->reorder_lock);

661 662 663
	while (seq_less(tid_agg_rx->head_seq_num, head_seq_num)) {
		index = seq_sub(tid_agg_rx->head_seq_num, tid_agg_rx->ssn) %
							tid_agg_rx->buf_size;
664
		ieee80211_release_reorder_frame(sdata, tid_agg_rx, index);
665 666 667 668 669 670 671 672 673
	}
}

/*
 * Timeout (in jiffies) for skb's that are waiting in the RX reorder buffer. If
 * the skb was added to the buffer longer than this time ago, the earlier
 * frames that have not yet been received are assumed to be lost and the skb
 * can be released for processing. This may also release other skb's from the
 * reorder buffer if there are no additional gaps between the frames.
674 675
 *
 * Callers must hold tid_agg_rx->reorder_lock.
676 677 678
 */
#define HT_RX_REORDER_BUF_TIMEOUT (HZ / 10)

679
static void ieee80211_sta_reorder_release(struct ieee80211_sub_if_data *sdata,
680
					  struct tid_ampdu_rx *tid_agg_rx)
681
{
682
	int index, j;
683

684 685
	lockdep_assert_held(&tid_agg_rx->reorder_lock);

686 687 688 689
	/* release the buffer until next missing frame */
	index = seq_sub(tid_agg_rx->head_seq_num, tid_agg_rx->ssn) %
						tid_agg_rx->buf_size;
	if (!tid_agg_rx->reorder_buf[index] &&
690
	    tid_agg_rx->stored_mpdu_num) {
691 692 693 694 695 696 697 698 699 700 701
		/*
		 * No buffers ready to be released, but check whether any
		 * frames in the reorder buffer have timed out.
		 */
		int skipped = 1;
		for (j = (index + 1) % tid_agg_rx->buf_size; j != index;
		     j = (j + 1) % tid_agg_rx->buf_size) {
			if (!tid_agg_rx->reorder_buf[j]) {
				skipped++;
				continue;
			}
702 703
			if (skipped &&
			    !time_after(jiffies, tid_agg_rx->reorder_time[j] +
704
					HT_RX_REORDER_BUF_TIMEOUT))
705
				goto set_release_timer;
706

Johannes Berg's avatar
Johannes Berg committed
707 708
			ht_dbg_ratelimited(sdata,
					   "release an RX reorder frame due to timeout on earlier frames\n");
709
			ieee80211_release_reorder_frame(sdata, tid_agg_rx, j);
710 711 712 713 714 715 716 717 718

			/*
			 * Increment the head seq# also for the skipped slots.
			 */
			tid_agg_rx->head_seq_num =
				(tid_agg_rx->head_seq_num + skipped) & SEQ_MASK;
			skipped = 0;
		}
	} else while (tid_agg_rx->reorder_buf[index]) {
719
		ieee80211_release_reorder_frame(sdata, tid_agg_rx, index);
720 721 722
		index =	seq_sub(tid_agg_rx->head_seq_num, tid_agg_rx->ssn) %
							tid_agg_rx->buf_size;
	}
723 724 725 726 727 728 729 730 731 732 733 734 735 736

	if (tid_agg_rx->stored_mpdu_num) {
		j = index = seq_sub(tid_agg_rx->head_seq_num,
				    tid_agg_rx->ssn) % tid_agg_rx->buf_size;

		for (; j != (index - 1) % tid_agg_rx->buf_size;
		     j = (j + 1) % tid_agg_rx->buf_size) {
			if (tid_agg_rx->reorder_buf[j])
				break;
		}

 set_release_timer:

		mod_timer(&tid_agg_rx->reorder_timer,
737
			  tid_agg_rx->reorder_time[j] + 1 +
738 739 740 741
			  HT_RX_REORDER_BUF_TIMEOUT);
	} else {
		del_timer(&tid_agg_rx->reorder_timer);
	}
742 743
}

744 745 746 747 748
/*
 * As this function belongs to the RX path it must be under
 * rcu_read_lock protection. It returns false if the frame
 * can be processed immediately, true if it was consumed.
 */
749
static bool ieee80211_sta_manage_reorder_buf(struct ieee80211_sub_if_data *sdata,
750
					     struct tid_ampdu_rx *tid_agg_rx,
751
					     struct sk_buff *skb)
752 753 754 755 756 757
{
	struct ieee80211_hdr *hdr = (struct ieee80211_hdr *) skb->data;
	u16 sc = le16_to_cpu(hdr->seq_ctrl);
	u16 mpdu_seq_num = (sc & IEEE80211_SCTL_SEQ) >> 4;
	u16 head_seq_num, buf_size;
	int index;
758
	bool ret = true;
759

760 761
	spin_lock(&tid_agg_rx->reorder_lock);

762 763 764 765 766 767
	buf_size = tid_agg_rx->buf_size;
	head_seq_num = tid_agg_rx->head_seq_num;

	/* frame with out of date sequence number */
	if (seq_less(mpdu_seq_num, head_seq_num)) {
		dev_kfree_skb(skb);
768
		goto out;
769 770 771 772 773 774 775 776 777
	}

	/*
	 * If frame the sequence number exceeds our buffering window
	 * size release some previous frames to make room for this one.
	 */
	if (!seq_less(mpdu_seq_num, head_seq_num + buf_size)) {
		head_seq_num = seq_inc(seq_sub(mpdu_seq_num, buf_size));
		/* release stored frames up to new head to stack */
778 779
		ieee80211_release_reorder_frames(sdata, tid_agg_rx,
						 head_seq_num);
780 781 782 783 784 785 786 787 788
	}

	/* Now the new frame is always in the range of the reordering buffer */

	index = seq_sub(mpdu_seq_num, tid_agg_rx->ssn) % tid_agg_rx->buf_size;

	/* check if we already stored this frame */
	if (tid_agg_rx->reorder_buf[index]) {
		dev_kfree_skb(skb);
789
		goto out;
790 791 792 793 794
	}

	/*
	 * If the current MPDU is in the right order and nothing else
	 * is stored we can process it directly, no need to buffer it.
795 796
	 * If it is first but there's something stored, we may be able
	 * to release frames after this one.
797 798 799 800
	 */
	if (mpdu_seq_num == tid_agg_rx->head_seq_num &&
	    tid_agg_rx->stored_mpdu_num == 0) {
		tid_agg_rx->head_seq_num = seq_inc(tid_agg_rx->head_seq_num);
801 802
		ret = false;
		goto out;
803 804 805 806 807 808
	}

	/* put the frame in the reordering buffer */
	tid_agg_rx->reorder_buf[index] = skb;
	tid_agg_rx->reorder_time[index] = jiffies;
	tid_agg_rx->stored_mpdu_num++;
809
	ieee80211_sta_reorder_release(sdata, tid_agg_rx);
810

811 812 813
 out:
	spin_unlock(&tid_agg_rx->reorder_lock);
	return ret;
814 815 816 817 818 819
}

/*
 * Reorder MPDUs from A-MPDUs, keeping them on a buffer. Returns
 * true if the MPDU was buffered, false if it should be processed.
 */
820
static void ieee80211_rx_reorder_ampdu(struct ieee80211_rx_data *rx)
821
{
822 823
	struct sk_buff *skb = rx->skb;
	struct ieee80211_local *local = rx->local;
824
	struct ieee80211_hdr *hdr = (struct ieee80211_hdr *) skb->data;
825
	struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb);
826
	struct sta_info *sta = rx->sta;
827 828
	struct tid_ampdu_rx *tid_agg_rx;
	u16 sc;
829
	u8 tid, ack_policy;
830 831

	if (!ieee80211_is_data_qos(hdr->frame_control))
832
		goto dont_reorder;
833 834 835 836 837 838 839

	/*
	 * filter the QoS data rx stream according to
	 * STA/TID and check if this STA/TID is on aggregation
	 */

	if (!sta)
840
		goto dont_reorder;
841

842 843
	ack_policy = *ieee80211_get_qos_ctl(hdr) &
		     IEEE80211_QOS_CTL_ACK_POLICY_MASK;
844 845
	tid = *ieee80211_get_qos_ctl(hdr) & IEEE80211_QOS_CTL_TID_MASK;

846 847 848
	tid_agg_rx = rcu_dereference(sta->ampdu_mlme.tid_rx[tid]);
	if (!tid_agg_rx)
		goto dont_reorder;
849 850 851

	/* qos null data frames are excluded */
	if (unlikely(hdr->frame_control & cpu_to_le16(IEEE80211_STYPE_NULLFUNC)))
852
		goto dont_reorder;
853

854 855 856 857 858
	/* not part of a BA session */
	if (ack_policy != IEEE80211_QOS_CTL_ACK_POLICY_BLOCKACK &&
	    ack_policy != IEEE80211_QOS_CTL_ACK_POLICY_NORMAL)
		goto dont_reorder;

859 860 861 862
	/* not actually part of this BA session */
	if (!(status->rx_flags & IEEE80211_RX_RA_MATCH))
		goto dont_reorder;

863 864 865 866
	/* new, potentially un-ordered, ampdu frame - process it */

	/* reset session timer */
	if (tid_agg_rx->timeout)
867
		tid_agg_rx->last_rx = jiffies;
868 869 870 871

	/* if this mpdu is fragmented - terminate rx aggregation session */
	sc = le16_to_cpu(hdr->seq_ctrl);
	if (sc & IEEE80211_SCTL_FRAG) {
872
		skb->pkt_type = IEEE80211_SDATA_QUEUE_TYPE_FRAME;
873 874
		skb_queue_tail(&rx->sdata->skb_queue, skb);
		ieee80211_queue_work(&local->hw, &rx->sdata->work);
875
		return;
876 877
	}

878 879 880 881 882 883 884
	/*
	 * No locking needed -- we will only ever process one
	 * RX packet at a time, and thus own tid_agg_rx. All
	 * other code manipulating it needs to (and does) make
	 * sure that we cannot get to it any more before doing
	 * anything with it.
	 */
885
	if (ieee80211_sta_manage_reorder_buf(rx->sdata, tid_agg_rx, skb))
886 887 888
		return;

 dont_reorder:
889
	skb_queue_tail(&local->rx_skb_queue, skb);
890
}
891

892
static ieee80211_rx_result debug_noinline
893
ieee80211_rx_h_check(struct ieee80211_rx_data *rx)
894
{
895
	struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)rx->skb->data;
896
	struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(rx->skb);
897 898 899

	/* Drop duplicate 802.11 retransmissions (IEEE 802.11 Chap. 9.2.9) */
	if (rx->sta && !is_multicast_ether_addr(hdr->addr1)) {
900
		if (unlikely(ieee80211_has_retry(hdr->frame_control) &&
901
			     rx->sta->last_seq_ctrl[rx->seqno_idx] ==
902
			     hdr->seq_ctrl)) {
903
			if (status->rx_flags & IEEE80211_RX_RA_MATCH) {
904 905 906
				rx->local->dot11FrameDuplicateCount++;
				rx->sta->num_duplicates++;
			}
907
			return RX_DROP_UNUSABLE;
908
		} else
909
			rx->sta->last_seq_ctrl[rx->seqno_idx] = hdr->seq_ctrl;
910 911 912 913
	}

	if (unlikely(rx->skb->len < 16)) {
		I802_DEBUG_INC(rx->local->rx_handlers_drop_short);
Johannes Berg's avatar
Johannes Berg committed
914
		return RX_DROP_MONITOR;
915 916 917 918 919
	}

	/* Drop disallowed frame classes based on STA auth/assoc state;
	 * IEEE 802.11, Chap 5.5.
	 *
920 921
	 * mac80211 filters only based on association state, i.e. it drops
	 * Class 3 frames from not associated stations. hostapd sends
922 923 924
	 * deauth/disassoc frames when needed. In addition, hostapd is
	 * responsible for filtering on both auth and assoc states.
	 */
925

Johannes Berg's avatar
Johannes Berg committed
926
	if (ieee80211_vif_is_mesh(&rx->sdata->vif))
927 928
		return ieee80211_rx_mesh_check(rx);

929 930
	if (unlikely((ieee80211_is_data(hdr->frame_control) ||
		      ieee80211_is_pspoll(hdr->frame_control)) &&
931
		     rx->sdata->vif.type != NL80211_IFTYPE_ADHOC &&
Bill Jordan's avatar
Bill Jordan committed
932
		     rx->sdata->vif.type != NL80211_IFTYPE_WDS &&
933
		     (!rx->sta || !test_sta_flag(rx->sta, WLAN_STA_ASSOC)))) {
934 935 936 937 938 939
		/*
		 * accept port control frames from the AP even when it's not
		 * yet marked ASSOC to prevent a race where we don't set the
		 * assoc bit quickly enough before it sends the first frame
		 */
		if (rx->sta && rx->sdata->vif.type == NL80211_IFTYPE_STATION &&
940
		    ieee80211_is_data_present(hdr->frame_control)) {
941 942 943 944 945 946 947 948 949 950
			unsigned int hdrlen;
			__be16 ethertype;

			hdrlen = ieee80211_hdrlen(hdr->frame_control);

			if (rx->skb->len < hdrlen + 8)
				return RX_DROP_MONITOR;

			skb_copy_bits(rx->skb, hdrlen + 6, &ethertype, 2);
			if (ethertype == rx->sdata->control_port_protocol)
951 952
				return RX_CONTINUE;
		}
953 954 955 956 957 958 959

		if (rx->sdata->vif.type == NL80211_IFTYPE_AP &&
		    cfg80211_rx_spurious_frame(rx->sdata->dev,
					       hdr->addr2,
					       GFP_ATOMIC))
			return RX_DROP_UNUSABLE;

Johannes Berg's avatar
Johannes Berg committed
960
		return RX_DROP_MONITOR;
961
	}
962

963
	return RX_CONTINUE;
964 965 966
}


967
static ieee80211_rx_result debug_noinline
968
ieee80211_rx_h_decrypt(struct ieee80211_rx_data *rx)
969
{
Johannes Berg's avatar
Johannes Berg committed
970 971 972
	struct sk_buff *skb = rx->skb;
	struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb);
	struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)skb->data;
973 974
	int keyidx;
	int hdrlen;
Johannes Berg's avatar
Johannes Berg committed
975
	ieee80211_rx_result result = RX_DROP_UNUSABLE;
976
	struct ieee80211_key *sta_ptk = NULL;
977
	int mmie_keyidx = -1;
978
	__le16 fc;
979

980 981 982
	/*
	 * Key selection 101
	 *
983
	 * There are four types of keys:
984
	 *  - GTK (group keys)
985
	 *  - IGTK (group keys for management frames)
986 987 988 989 990
	 *  - PTK (pairwise keys)
	 *  - STK (station-to-station pairwise keys)
	 *
	 * When selecting a key, we have to distinguish between multicast
	 * (including broadcast) and unicast frames, the latter can only
991 992 993 994
	 * use PTKs and STKs while the former always use GTKs and IGTKs.
	 * Unless, of course, actual WEP keys ("pre-RSNA") are used, then
	 * unicast frames can also use key indices like GTKs. Hence, if we
	 * don't have a PTK/STK we check the key index for a WEP key.
995
	 *
996 997 998 999
	 * Note that in a regular BSS, multicast frames are sent by the
	 * AP only, associated stations unicast the frame to the AP first
	 * which then multicasts it on their behalf.
	 *
1000 1001
	 * There is also a slight problem in IBSS mode: GTKs are negotiated
	 * with each station, that is something we don't currently handle.
1002 1003 1004
	 * The spec seems to expect that one negotiates the same key with
	 * every station but there's no such requirement; VLANs could be
	 * possible.
1005 1006 1007
	 */

	/*
1008
	 * No point in finding a key and decrypting if the frame is neither
1009 1010
	 * addressed to us nor a multicast frame.
	 */
1011
	if (!(status->rx_flags & IEEE80211_RX_RA_MATCH))
1012
		return RX_CONTINUE;
1013

1014 1015 1016
	/* start without a key */
	rx->key = NULL;

1017
	if (rx->sta)
1018
		sta_ptk = rcu_dereference(rx->sta->ptk);
1019

1020 1021 1022
	fc = hdr->frame_control;

	if (!ieee80211_has_protected(fc))
1023 1024
		mmie_keyidx = ieee80211_get_mmie_keyidx(rx->skb);

1025 1026
	if (!is_multicast_ether_addr(hdr->addr1) && sta_ptk) {
		rx->key = sta_ptk;
1027 1028 1029
		if ((status->flag & RX_FLAG_DECRYPTED) &&
		    (status->flag & RX_FLAG_IV_STRIPPED))
			return RX_CONTINUE;
1030
		/* Skip decryption if the frame is not protected. */
1031
		if (!ieee80211_has_protected(fc))