rx.c 120 KB
Newer Older
1 2 3 4
/*
 * Copyright 2002-2005, Instant802 Networks, Inc.
 * Copyright 2005-2006, Devicescape Software, Inc.
 * Copyright 2006-2007	Jiri Benc <jbenc@suse.cz>
5
 * Copyright 2007-2010	Johannes Berg <johannes@sipsolutions.net>
6
 * Copyright 2013-2014  Intel Mobile Communications GmbH
7
 * Copyright(c) 2015 - 2017 Intel Deutschland GmbH
8 9 10 11 12 13
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License version 2 as
 * published by the Free Software Foundation.
 */

14
#include <linux/jiffies.h>
15
#include <linux/slab.h>
16 17 18 19
#include <linux/kernel.h>
#include <linux/skbuff.h>
#include <linux/netdevice.h>
#include <linux/etherdevice.h>
20
#include <linux/rcupdate.h>
21
#include <linux/export.h>
22
#include <linux/bitops.h>
23 24
#include <net/mac80211.h>
#include <net/ieee80211_radiotap.h>
25
#include <asm/unaligned.h>
26 27

#include "ieee80211_i.h"
28
#include "driver-ops.h"
Johannes Berg's avatar
Johannes Berg committed
29
#include "led.h"
30
#include "mesh.h"
31 32 33 34
#include "wep.h"
#include "wpa.h"
#include "tkip.h"
#include "wme.h"
35
#include "rate.h"
36

37 38 39 40 41 42 43 44 45 46
static inline void ieee80211_rx_stats(struct net_device *dev, u32 len)
{
	struct pcpu_sw_netstats *tstats = this_cpu_ptr(dev->tstats);

	u64_stats_update_begin(&tstats->syncp);
	tstats->rx_packets++;
	tstats->rx_bytes += len;
	u64_stats_update_end(&tstats->syncp);
}

47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91
static u8 *ieee80211_get_bssid(struct ieee80211_hdr *hdr, size_t len,
			       enum nl80211_iftype type)
{
	__le16 fc = hdr->frame_control;

	if (ieee80211_is_data(fc)) {
		if (len < 24) /* drop incorrect hdr len (data) */
			return NULL;

		if (ieee80211_has_a4(fc))
			return NULL;
		if (ieee80211_has_tods(fc))
			return hdr->addr1;
		if (ieee80211_has_fromds(fc))
			return hdr->addr2;

		return hdr->addr3;
	}

	if (ieee80211_is_mgmt(fc)) {
		if (len < 24) /* drop incorrect hdr len (mgmt) */
			return NULL;
		return hdr->addr3;
	}

	if (ieee80211_is_ctl(fc)) {
		if (ieee80211_is_pspoll(fc))
			return hdr->addr1;

		if (ieee80211_is_back_req(fc)) {
			switch (type) {
			case NL80211_IFTYPE_STATION:
				return hdr->addr2;
			case NL80211_IFTYPE_AP:
			case NL80211_IFTYPE_AP_VLAN:
				return hdr->addr1;
			default:
				break; /* fall through to the return */
			}
		}
	}

	return NULL;
}

92 93 94 95 96 97 98
/*
 * monitor mode reception
 *
 * This function cleans up the SKB, i.e. it removes all the stuff
 * only useful for monitoring.
 */
static struct sk_buff *remove_monitor_info(struct ieee80211_local *local,
99 100
					   struct sk_buff *skb,
					   unsigned int rtap_vendor_space)
101
{
102
	if (ieee80211_hw_check(&local->hw, RX_INCLUDES_FCS)) {
103
		if (likely(skb->len > FCS_LEN))
Zhu Yi's avatar
Zhu Yi committed
104
			__pskb_trim(skb, skb->len - FCS_LEN);
105 106 107 108
		else {
			/* driver bug */
			WARN_ON(1);
			dev_kfree_skb(skb);
109
			return NULL;
110 111 112
		}
	}

113 114
	__pskb_pull(skb, rtap_vendor_space);

115 116 117
	return skb;
}

118 119
static inline bool should_drop_frame(struct sk_buff *skb, int present_fcs_len,
				     unsigned int rtap_vendor_space)
120
{
121
	struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb);
122 123 124
	struct ieee80211_hdr *hdr;

	hdr = (void *)(skb->data + rtap_vendor_space);
125

126
	if (status->flag & (RX_FLAG_FAILED_FCS_CRC |
127 128
			    RX_FLAG_FAILED_PLCP_CRC |
			    RX_FLAG_ONLY_MONITOR))
129 130
		return true;

131
	if (unlikely(skb->len < 16 + present_fcs_len + rtap_vendor_space))
132 133
		return true;

134 135 136
	if (ieee80211_is_ctl(hdr->frame_control) &&
	    !ieee80211_is_pspoll(hdr->frame_control) &&
	    !ieee80211_is_back_req(hdr->frame_control))
137 138 139
		return true;

	return false;
140 141
}

142
static int
143 144 145
ieee80211_rx_radiotap_hdrlen(struct ieee80211_local *local,
			     struct ieee80211_rx_status *status,
			     struct sk_buff *skb)
146 147 148 149
{
	int len;

	/* always present fields */
150
	len = sizeof(struct ieee80211_radiotap_header) + 8;
151

152 153 154
	/* allocate extra bitmaps */
	if (status->chains)
		len += 4 * hweight8(status->chains);
155 156 157

	if (ieee80211_have_rx_timestamp(status)) {
		len = ALIGN(len, 8);
158
		len += 8;
159
	}
160
	if (ieee80211_hw_check(&local->hw, SIGNAL_DBM))
161 162
		len += 1;

163 164 165 166
	/* antenna field, if we don't have per-chain info */
	if (!status->chains)
		len += 1;

167 168
	/* padding for RX_FLAGS if necessary */
	len = ALIGN(len, 2);
169

170 171 172
	if (status->flag & RX_FLAG_HT) /* HT info */
		len += 3;

173
	if (status->flag & RX_FLAG_AMPDU_DETAILS) {
174
		len = ALIGN(len, 4);
175 176 177
		len += 8;
	}

178 179 180 181 182
	if (status->flag & RX_FLAG_VHT) {
		len = ALIGN(len, 2);
		len += 12;
	}

183 184 185 186 187
	if (local->hw.radiotap_timestamp.units_pos >= 0) {
		len = ALIGN(len, 8);
		len += 12;
	}

188 189 190 191 192
	if (status->chains) {
		/* antenna and antenna signal fields */
		len += 2 * hweight8(status->chains);
	}

193 194 195 196 197 198 199 200 201 202 203 204 205 206 207
	if (status->flag & RX_FLAG_RADIOTAP_VENDOR_DATA) {
		struct ieee80211_vendor_radiotap *rtap = (void *)skb->data;

		/* vendor presence bitmap */
		len += 4;
		/* alignment for fixed 6-byte vendor data header */
		len = ALIGN(len, 2);
		/* vendor data header */
		len += 6;
		if (WARN_ON(rtap->align == 0))
			rtap->align = 1;
		len = ALIGN(len, rtap->align);
		len += rtap->len + rtap->pad;
	}

208 209 210
	return len;
}

211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255
static void ieee80211_handle_mu_mimo_mon(struct ieee80211_sub_if_data *sdata,
					 struct sk_buff *skb,
					 int rtap_vendor_space)
{
	struct {
		struct ieee80211_hdr_3addr hdr;
		u8 category;
		u8 action_code;
	} __packed action;

	if (!sdata)
		return;

	BUILD_BUG_ON(sizeof(action) != IEEE80211_MIN_ACTION_SIZE + 1);

	if (skb->len < rtap_vendor_space + sizeof(action) +
		       VHT_MUMIMO_GROUPS_DATA_LEN)
		return;

	if (!is_valid_ether_addr(sdata->u.mntr.mu_follow_addr))
		return;

	skb_copy_bits(skb, rtap_vendor_space, &action, sizeof(action));

	if (!ieee80211_is_action(action.hdr.frame_control))
		return;

	if (action.category != WLAN_CATEGORY_VHT)
		return;

	if (action.action_code != WLAN_VHT_ACTION_GROUPID_MGMT)
		return;

	if (!ether_addr_equal(action.hdr.addr1, sdata->u.mntr.mu_follow_addr))
		return;

	skb = skb_copy(skb, GFP_ATOMIC);
	if (!skb)
		return;

	skb->pkt_type = IEEE80211_SDATA_QUEUE_TYPE_FRAME;
	skb_queue_tail(&sdata->skb_queue, skb);
	ieee80211_queue_work(&sdata->local->hw, &sdata->work);
}

256
/*
257 258 259 260 261 262 263 264
 * ieee80211_add_rx_radiotap_header - add radiotap header
 *
 * add a radiotap header containing all the fields which the hardware provided.
 */
static void
ieee80211_add_rx_radiotap_header(struct ieee80211_local *local,
				 struct sk_buff *skb,
				 struct ieee80211_rate *rate,
265
				 int rtap_len, bool has_fcs)
266
{
267
	struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb);
268 269
	struct ieee80211_radiotap_header *rthdr;
	unsigned char *pos;
270 271
	__le32 *it_present;
	u32 it_present_val;
272
	u16 rx_flags = 0;
273
	u16 channel_flags = 0;
274 275
	int mpdulen, chain;
	unsigned long chains = status->chains;
276 277 278 279 280 281 282
	struct ieee80211_vendor_radiotap rtap = {};

	if (status->flag & RX_FLAG_RADIOTAP_VENDOR_DATA) {
		rtap = *(struct ieee80211_vendor_radiotap *)skb->data;
		/* rtap.len and rtap.pad are undone immediately */
		skb_pull(skb, sizeof(rtap) + rtap.len + rtap.pad);
	}
283 284

	mpdulen = skb->len;
285
	if (!(has_fcs && ieee80211_hw_check(&local->hw, RX_INCLUDES_FCS)))
286
		mpdulen += FCS_LEN;
287 288

	rthdr = (struct ieee80211_radiotap_header *)skb_push(skb, rtap_len);
289
	memset(rthdr, 0, rtap_len - rtap.len - rtap.pad);
290
	it_present = &rthdr->it_present;
291 292

	/* radiotap header, set always present flags */
293
	rthdr->it_len = cpu_to_le16(rtap_len);
294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309
	it_present_val = BIT(IEEE80211_RADIOTAP_FLAGS) |
			 BIT(IEEE80211_RADIOTAP_CHANNEL) |
			 BIT(IEEE80211_RADIOTAP_RX_FLAGS);

	if (!status->chains)
		it_present_val |= BIT(IEEE80211_RADIOTAP_ANTENNA);

	for_each_set_bit(chain, &chains, IEEE80211_MAX_CHAINS) {
		it_present_val |=
			BIT(IEEE80211_RADIOTAP_EXT) |
			BIT(IEEE80211_RADIOTAP_RADIOTAP_NAMESPACE);
		put_unaligned_le32(it_present_val, it_present);
		it_present++;
		it_present_val = BIT(IEEE80211_RADIOTAP_ANTENNA) |
				 BIT(IEEE80211_RADIOTAP_DBM_ANTSIGNAL);
	}
310

311 312 313 314 315 316 317 318
	if (status->flag & RX_FLAG_RADIOTAP_VENDOR_DATA) {
		it_present_val |= BIT(IEEE80211_RADIOTAP_VENDOR_NAMESPACE) |
				  BIT(IEEE80211_RADIOTAP_EXT);
		put_unaligned_le32(it_present_val, it_present);
		it_present++;
		it_present_val = rtap.present;
	}

319 320 321 322
	put_unaligned_le32(it_present_val, it_present);

	pos = (void *)(it_present + 1);

323 324 325
	/* the order of the following fields is important */

	/* IEEE80211_RADIOTAP_TSFT */
326
	if (ieee80211_have_rx_timestamp(status)) {
327 328 329
		/* padding */
		while ((pos - (u8 *)rthdr) & 7)
			*pos++ = 0;
330 331 332 333
		put_unaligned_le64(
			ieee80211_calculate_rx_timestamp(local, status,
							 mpdulen, 0),
			pos);
334
		rthdr->it_present |= cpu_to_le32(1 << IEEE80211_RADIOTAP_TSFT);
335 336 337 338
		pos += 8;
	}

	/* IEEE80211_RADIOTAP_FLAGS */
339
	if (has_fcs && ieee80211_hw_check(&local->hw, RX_INCLUDES_FCS))
340
		*pos |= IEEE80211_RADIOTAP_F_FCS;
Johannes Berg's avatar
Johannes Berg committed
341 342
	if (status->flag & (RX_FLAG_FAILED_FCS_CRC | RX_FLAG_FAILED_PLCP_CRC))
		*pos |= IEEE80211_RADIOTAP_F_BADFCS;
343 344
	if (status->flag & RX_FLAG_SHORTPRE)
		*pos |= IEEE80211_RADIOTAP_F_SHORTPRE;
345 346 347
	pos++;

	/* IEEE80211_RADIOTAP_RATE */
348
	if (!rate || status->flag & (RX_FLAG_HT | RX_FLAG_VHT)) {
349
		/*
350
		 * Without rate information don't add it. If we have,
351
		 * MCS information is a separate field in radiotap,
352 353
		 * added below. The byte here is needed as padding
		 * for the channel though, so initialise it to 0.
354 355
		 */
		*pos = 0;
356
	} else {
357
		int shift = 0;
358
		rthdr->it_present |= cpu_to_le32(1 << IEEE80211_RADIOTAP_RATE);
359 360 361 362 363
		if (status->flag & RX_FLAG_10MHZ)
			shift = 1;
		else if (status->flag & RX_FLAG_5MHZ)
			shift = 2;
		*pos = DIV_ROUND_UP(rate->bitrate, 5 * (1 << shift));
364
	}
365 366 367
	pos++;

	/* IEEE80211_RADIOTAP_CHANNEL */
368
	put_unaligned_le16(status->freq, pos);
369
	pos += 2;
370 371 372 373 374
	if (status->flag & RX_FLAG_10MHZ)
		channel_flags |= IEEE80211_CHAN_HALF;
	else if (status->flag & RX_FLAG_5MHZ)
		channel_flags |= IEEE80211_CHAN_QUARTER;

375
	if (status->band == NL80211_BAND_5GHZ)
376
		channel_flags |= IEEE80211_CHAN_OFDM | IEEE80211_CHAN_5GHZ;
377
	else if (status->flag & (RX_FLAG_HT | RX_FLAG_VHT))
378
		channel_flags |= IEEE80211_CHAN_DYN | IEEE80211_CHAN_2GHZ;
379
	else if (rate && rate->flags & IEEE80211_RATE_ERP_G)
380
		channel_flags |= IEEE80211_CHAN_OFDM | IEEE80211_CHAN_2GHZ;
381
	else if (rate)
382
		channel_flags |= IEEE80211_CHAN_CCK | IEEE80211_CHAN_2GHZ;
383
	else
384 385
		channel_flags |= IEEE80211_CHAN_2GHZ;
	put_unaligned_le16(channel_flags, pos);
386 387 388
	pos += 2;

	/* IEEE80211_RADIOTAP_DBM_ANTSIGNAL */
389
	if (ieee80211_hw_check(&local->hw, SIGNAL_DBM) &&
390
	    !(status->flag & RX_FLAG_NO_SIGNAL_VAL)) {
391 392 393 394 395 396 397 398
		*pos = status->signal;
		rthdr->it_present |=
			cpu_to_le32(1 << IEEE80211_RADIOTAP_DBM_ANTSIGNAL);
		pos++;
	}

	/* IEEE80211_RADIOTAP_LOCK_QUALITY is missing */

399 400 401 402 403
	if (!status->chains) {
		/* IEEE80211_RADIOTAP_ANTENNA */
		*pos = status->antenna;
		pos++;
	}
404 405 406 407 408

	/* IEEE80211_RADIOTAP_DB_ANTNOISE is not used */

	/* IEEE80211_RADIOTAP_RX_FLAGS */
	/* ensure 2 byte alignment for the 2 byte field as required */
409
	if ((pos - (u8 *)rthdr) & 1)
410
		*pos++ = 0;
Johannes Berg's avatar
Johannes Berg committed
411
	if (status->flag & RX_FLAG_FAILED_PLCP_CRC)
412 413
		rx_flags |= IEEE80211_RADIOTAP_F_RX_BADPLCP;
	put_unaligned_le16(rx_flags, pos);
414
	pos += 2;
415 416

	if (status->flag & RX_FLAG_HT) {
417 418
		unsigned int stbc;

419
		rthdr->it_present |= cpu_to_le32(1 << IEEE80211_RADIOTAP_MCS);
420
		*pos++ = local->hw.radiotap_mcs_details;
421 422 423 424 425
		*pos = 0;
		if (status->flag & RX_FLAG_SHORT_GI)
			*pos |= IEEE80211_RADIOTAP_MCS_SGI;
		if (status->flag & RX_FLAG_40MHZ)
			*pos |= IEEE80211_RADIOTAP_MCS_BW_40;
426 427
		if (status->flag & RX_FLAG_HT_GF)
			*pos |= IEEE80211_RADIOTAP_MCS_FMT_GF;
428 429
		if (status->flag & RX_FLAG_LDPC)
			*pos |= IEEE80211_RADIOTAP_MCS_FEC_LDPC;
430 431
		stbc = (status->flag & RX_FLAG_STBC_MASK) >> RX_FLAG_STBC_SHIFT;
		*pos |= stbc << IEEE80211_RADIOTAP_MCS_STBC_SHIFT;
432 433 434
		pos++;
		*pos++ = status->rate_idx;
	}
435 436 437 438 439 440 441 442 443 444 445 446 447 448 449 450 451 452 453 454 455 456 457 458 459 460 461

	if (status->flag & RX_FLAG_AMPDU_DETAILS) {
		u16 flags = 0;

		/* ensure 4 byte alignment */
		while ((pos - (u8 *)rthdr) & 3)
			pos++;
		rthdr->it_present |=
			cpu_to_le32(1 << IEEE80211_RADIOTAP_AMPDU_STATUS);
		put_unaligned_le32(status->ampdu_reference, pos);
		pos += 4;
		if (status->flag & RX_FLAG_AMPDU_LAST_KNOWN)
			flags |= IEEE80211_RADIOTAP_AMPDU_LAST_KNOWN;
		if (status->flag & RX_FLAG_AMPDU_IS_LAST)
			flags |= IEEE80211_RADIOTAP_AMPDU_IS_LAST;
		if (status->flag & RX_FLAG_AMPDU_DELIM_CRC_ERROR)
			flags |= IEEE80211_RADIOTAP_AMPDU_DELIM_CRC_ERR;
		if (status->flag & RX_FLAG_AMPDU_DELIM_CRC_KNOWN)
			flags |= IEEE80211_RADIOTAP_AMPDU_DELIM_CRC_KNOWN;
		put_unaligned_le16(flags, pos);
		pos += 2;
		if (status->flag & RX_FLAG_AMPDU_DELIM_CRC_KNOWN)
			*pos++ = status->ampdu_delimiter_crc;
		else
			*pos++ = 0;
		*pos++ = 0;
	}
462

463 464 465 466 467 468 469 470 471
	if (status->flag & RX_FLAG_VHT) {
		u16 known = local->hw.radiotap_vht_details;

		rthdr->it_present |= cpu_to_le32(1 << IEEE80211_RADIOTAP_VHT);
		put_unaligned_le16(known, pos);
		pos += 2;
		/* flags */
		if (status->flag & RX_FLAG_SHORT_GI)
			*pos |= IEEE80211_RADIOTAP_VHT_FLAG_SGI;
472 473 474
		/* in VHT, STBC is binary */
		if (status->flag & RX_FLAG_STBC_MASK)
			*pos |= IEEE80211_RADIOTAP_VHT_FLAG_STBC;
475 476
		if (status->vht_flag & RX_VHT_FLAG_BF)
			*pos |= IEEE80211_RADIOTAP_VHT_FLAG_BEAMFORMED;
477 478
		pos++;
		/* bandwidth */
479
		if (status->vht_flag & RX_VHT_FLAG_80MHZ)
480
			*pos++ = 4;
481
		else if (status->vht_flag & RX_VHT_FLAG_160MHZ)
482 483 484 485 486 487 488 489 490
			*pos++ = 11;
		else if (status->flag & RX_FLAG_40MHZ)
			*pos++ = 1;
		else /* 20 MHz */
			*pos++ = 0;
		/* MCS/NSS */
		*pos = (status->rate_idx << 4) | status->vht_nss;
		pos += 4;
		/* coding field */
491 492
		if (status->flag & RX_FLAG_LDPC)
			*pos |= IEEE80211_RADIOTAP_CODING_LDPC_USER0;
493 494 495 496 497 498 499
		pos++;
		/* group ID */
		pos++;
		/* partial_aid */
		pos += 2;
	}

500 501 502 503 504 505 506 507 508 509 510 511 512 513 514 515 516 517 518 519 520 521 522 523 524
	if (local->hw.radiotap_timestamp.units_pos >= 0) {
		u16 accuracy = 0;
		u8 flags = IEEE80211_RADIOTAP_TIMESTAMP_FLAG_32BIT;

		rthdr->it_present |=
			cpu_to_le32(1 << IEEE80211_RADIOTAP_TIMESTAMP);

		/* ensure 8 byte alignment */
		while ((pos - (u8 *)rthdr) & 7)
			pos++;

		put_unaligned_le64(status->device_timestamp, pos);
		pos += sizeof(u64);

		if (local->hw.radiotap_timestamp.accuracy >= 0) {
			accuracy = local->hw.radiotap_timestamp.accuracy;
			flags |= IEEE80211_RADIOTAP_TIMESTAMP_FLAG_ACCURACY;
		}
		put_unaligned_le16(accuracy, pos);
		pos += sizeof(u16);

		*pos++ = local->hw.radiotap_timestamp.units_pos;
		*pos++ = flags;
	}

525 526 527 528
	for_each_set_bit(chain, &chains, IEEE80211_MAX_CHAINS) {
		*pos++ = status->chain_signal[chain];
		*pos++ = chain;
	}
529 530 531 532 533 534 535 536 537 538 539 540 541 542 543 544

	if (status->flag & RX_FLAG_RADIOTAP_VENDOR_DATA) {
		/* ensure 2 byte alignment for the vendor field as required */
		if ((pos - (u8 *)rthdr) & 1)
			*pos++ = 0;
		*pos++ = rtap.oui[0];
		*pos++ = rtap.oui[1];
		*pos++ = rtap.oui[2];
		*pos++ = rtap.subns;
		put_unaligned_le16(rtap.len, pos);
		pos += 2;
		/* align the actual payload as requested */
		while ((pos - (u8 *)rthdr) & (rtap.align - 1))
			*pos++ = 0;
		/* data (and possible padding) already follows */
	}
545 546
}

547 548 549 550 551 552 553
/*
 * This function copies a received frame to all monitor interfaces and
 * returns a cleaned-up SKB that no longer includes the FCS nor the
 * radiotap header the driver might have added.
 */
static struct sk_buff *
ieee80211_rx_monitor(struct ieee80211_local *local, struct sk_buff *origskb,
554
		     struct ieee80211_rate *rate)
555
{
556
	struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(origskb);
557
	struct ieee80211_sub_if_data *sdata;
558
	int rt_hdrlen, needed_headroom;
559 560 561
	struct sk_buff *skb, *skb2;
	struct net_device *prev_dev = NULL;
	int present_fcs_len = 0;
562
	unsigned int rtap_vendor_space = 0;
563 564
	struct ieee80211_sub_if_data *monitor_sdata =
		rcu_dereference(local->monitor_sdata);
565 566 567 568 569 570

	if (unlikely(status->flag & RX_FLAG_RADIOTAP_VENDOR_DATA)) {
		struct ieee80211_vendor_radiotap *rtap = (void *)origskb->data;

		rtap_vendor_space = sizeof(*rtap) + rtap->len + rtap->pad;
	}
571 572 573 574 575 576 577 578 579

	/*
	 * First, we may need to make a copy of the skb because
	 *  (1) we need to modify it for radiotap (if not present), and
	 *  (2) the other RX handlers will modify the skb we got.
	 *
	 * We don't need to, of course, if we aren't going to return
	 * the SKB because it has a bad FCS/PLCP checksum.
	 */
580

581
	if (ieee80211_hw_check(&local->hw, RX_INCLUDES_FCS))
582 583
		present_fcs_len = FCS_LEN;

584 585
	/* ensure hdr->frame_control and vendor radiotap data are in skb head */
	if (!pskb_may_pull(origskb, 2 + rtap_vendor_space)) {
Zhu Yi's avatar
Zhu Yi committed
586 587 588 589
		dev_kfree_skb(origskb);
		return NULL;
	}

590
	if (!local->monitors || (status->flag & RX_FLAG_SKIP_MONITOR)) {
591 592
		if (should_drop_frame(origskb, present_fcs_len,
				      rtap_vendor_space)) {
593 594 595 596
			dev_kfree_skb(origskb);
			return NULL;
		}

597
		return remove_monitor_info(local, origskb, rtap_vendor_space);
598 599
	}

600 601
	ieee80211_handle_mu_mimo_mon(monitor_sdata, origskb, rtap_vendor_space);

602
	/* room for the radiotap header based on driver features */
603 604
	rt_hdrlen = ieee80211_rx_radiotap_hdrlen(local, status, origskb);
	needed_headroom = rt_hdrlen - rtap_vendor_space;
605

606
	if (should_drop_frame(origskb, present_fcs_len, rtap_vendor_space)) {
607 608 609 610 611 612 613 614 615 616 617 618
		/* only need to expand headroom if necessary */
		skb = origskb;
		origskb = NULL;

		/*
		 * This shouldn't trigger often because most devices have an
		 * RX header they pull before we get here, and that should
		 * be big enough for our radiotap information. We should
		 * probably export the length to drivers so that we can have
		 * them allocate enough headroom to start with.
		 */
		if (skb_headroom(skb) < needed_headroom &&
619
		    pskb_expand_head(skb, needed_headroom, 0, GFP_ATOMIC)) {
620 621 622 623 624 625 626 627 628 629
			dev_kfree_skb(skb);
			return NULL;
		}
	} else {
		/*
		 * Need to make a copy and possibly remove radiotap header
		 * and FCS from the original.
		 */
		skb = skb_copy_expand(origskb, needed_headroom, 0, GFP_ATOMIC);

630 631
		origskb = remove_monitor_info(local, origskb,
					      rtap_vendor_space);
632 633 634 635 636

		if (!skb)
			return origskb;
	}

637
	/* prepend radiotap information */
638
	ieee80211_add_rx_radiotap_header(local, skb, rate, rt_hdrlen, true);
639

640
	skb_reset_mac_header(skb);
641 642 643 644 645
	skb->ip_summed = CHECKSUM_UNNECESSARY;
	skb->pkt_type = PACKET_OTHERHOST;
	skb->protocol = htons(ETH_P_802_2);

	list_for_each_entry_rcu(sdata, &local->interfaces, list) {
646
		if (sdata->vif.type != NL80211_IFTYPE_MONITOR)
647 648
			continue;

649
		if (sdata->u.mntr.flags & MONITOR_FLAG_COOK_FRAMES)
650 651
			continue;

652
		if (!ieee80211_sdata_running(sdata))
653 654
			continue;

655 656 657 658
		if (prev_dev) {
			skb2 = skb_clone(skb, GFP_ATOMIC);
			if (skb2) {
				skb2->dev = prev_dev;
659
				netif_receive_skb(skb2);
660 661 662 663
			}
		}

		prev_dev = sdata->dev;
664
		ieee80211_rx_stats(sdata->dev, skb->len);
665 666 667 668
	}

	if (prev_dev) {
		skb->dev = prev_dev;
669
		netif_receive_skb(skb);
670 671 672 673 674 675
	} else
		dev_kfree_skb(skb);

	return origskb;
}

676
static void ieee80211_parse_qos(struct ieee80211_rx_data *rx)
677
{
678
	struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)rx->skb->data;
679
	struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(rx->skb);
680
	int tid, seqno_idx, security_idx;
681 682

	/* does the frame have a qos control field? */
683 684
	if (ieee80211_is_data_qos(hdr->frame_control)) {
		u8 *qc = ieee80211_get_qos_ctl(hdr);
685
		/* frame has qos control */
686
		tid = *qc & IEEE80211_QOS_CTL_TID_MASK;
687
		if (*qc & IEEE80211_QOS_CTL_A_MSDU_PRESENT)
688
			status->rx_flags |= IEEE80211_RX_AMSDU;
689 690 691

		seqno_idx = tid;
		security_idx = tid;
692
	} else {
693 694 695 696 697 698 699 700 701 702 703
		/*
		 * IEEE 802.11-2007, 7.1.3.4.1 ("Sequence Number field"):
		 *
		 *	Sequence numbers for management frames, QoS data
		 *	frames with a broadcast/multicast address in the
		 *	Address 1 field, and all non-QoS data frames sent
		 *	by QoS STAs are assigned using an additional single
		 *	modulo-4096 counter, [...]
		 *
		 * We also use that counter for non-QoS STAs.
		 */
704
		seqno_idx = IEEE80211_NUM_TIDS;
705 706
		security_idx = 0;
		if (ieee80211_is_mgmt(hdr->frame_control))
707
			security_idx = IEEE80211_NUM_TIDS;
708
		tid = 0;
709
	}
710

711 712
	rx->seqno_idx = seqno_idx;
	rx->security_idx = security_idx;
713 714 715
	/* Set skb->priority to 1d tag if highest order bit of TID is not set.
	 * For now, set skb->priority to 0 for other cases. */
	rx->skb->priority = (tid > 7) ? 0 : tid;
716
}
717

718 719 720 721 722 723 724 725 726 727 728
/**
 * DOC: Packet alignment
 *
 * Drivers always need to pass packets that are aligned to two-byte boundaries
 * to the stack.
 *
 * Additionally, should, if possible, align the payload data in a way that
 * guarantees that the contained IP header is aligned to a four-byte
 * boundary. In the case of regular frames, this simply means aligning the
 * payload to a four-byte boundary (because either the IP header is directly
 * contained, or IV/RFC1042 headers that have a length divisible by four are
729 730 731
 * in front of it).  If the payload data is not properly aligned and the
 * architecture doesn't support efficient unaligned operations, mac80211
 * will align the data.
732 733 734 735 736 737 738
 *
 * With A-MSDU frames, however, the payload data address must yield two modulo
 * four because there are 14-byte 802.3 headers within the A-MSDU frames that
 * push the IP header further back to a multiple of four again. Thankfully, the
 * specs were sane enough this time around to require padding each A-MSDU
 * subframe to a length that is a multiple of four.
 *
Lucas De Marchi's avatar
Lucas De Marchi committed
739
 * Padding like Atheros hardware adds which is between the 802.11 header and
740 741 742 743
 * the payload is not supported, the driver is required to move the 802.11
 * header to be directly in front of the payload in that case.
 */
static void ieee80211_verify_alignment(struct ieee80211_rx_data *rx)
744
{
745
#ifdef CONFIG_MAC80211_VERBOSE_DEBUG
746
	WARN_ON_ONCE((unsigned long)rx->skb->data & 1);
747
#endif
748 749
}

750

751 752
/* rx handlers */

753 754 755 756
static int ieee80211_is_unicast_robust_mgmt_frame(struct sk_buff *skb)
{
	struct ieee80211_hdr *hdr = (struct ieee80211_hdr *) skb->data;

757
	if (is_multicast_ether_addr(hdr->addr1))
758 759
		return 0;

760
	return ieee80211_is_robust_mgmt_frame(skb);
761 762 763 764 765 766 767
}


static int ieee80211_is_multicast_robust_mgmt_frame(struct sk_buff *skb)
{
	struct ieee80211_hdr *hdr = (struct ieee80211_hdr *) skb->data;

768
	if (!is_multicast_ether_addr(hdr->addr1))
769 770
		return 0;

771
	return ieee80211_is_robust_mgmt_frame(skb);
772 773 774 775 776 777 778 779
}


/* Get the BIP key index from MMIE; return -1 if this is not a BIP frame */
static int ieee80211_get_mmie_keyidx(struct sk_buff *skb)
{
	struct ieee80211_mgmt *hdr = (struct ieee80211_mgmt *) skb->data;
	struct ieee80211_mmie *mmie;
780
	struct ieee80211_mmie_16 *mmie16;
781

782
	if (skb->len < 24 + sizeof(*mmie) || !is_multicast_ether_addr(hdr->da))
783 784
		return -1;

785
	if (!ieee80211_is_robust_mgmt_frame(skb))
786 787 788 789
		return -1; /* not a robust management frame */

	mmie = (struct ieee80211_mmie *)
		(skb->data + skb->len - sizeof(*mmie));
790 791 792 793 794 795 796 797 798 799 800 801
	if (mmie->element_id == WLAN_EID_MMIE &&
	    mmie->length == sizeof(*mmie) - 2)
		return le16_to_cpu(mmie->key_id);

	mmie16 = (struct ieee80211_mmie_16 *)
		(skb->data + skb->len - sizeof(*mmie16));
	if (skb->len >= 24 + sizeof(*mmie16) &&
	    mmie16->element_id == WLAN_EID_MMIE &&
	    mmie16->length == sizeof(*mmie16) - 2)
		return le16_to_cpu(mmie16->key_id);

	return -1;
802 803
}

804 805
static int ieee80211_get_cs_keyid(const struct ieee80211_cipher_scheme *cs,
				  struct sk_buff *skb)
806 807 808 809 810 811 812 813 814 815 816 817 818 819 820 821 822 823 824
{
	struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)skb->data;
	__le16 fc;
	int hdrlen;
	u8 keyid;

	fc = hdr->frame_control;
	hdrlen = ieee80211_hdrlen(fc);

	if (skb->len < hdrlen + cs->hdr_len)
		return -EINVAL;

	skb_copy_bits(skb, hdrlen + cs->key_idx_off, &keyid, 1);
	keyid &= cs->key_idx_mask;
	keyid >>= cs->key_idx_shift;

	return keyid;
}

825
static ieee80211_rx_result ieee80211_rx_mesh_check(struct ieee80211_rx_data *rx)
826
{
827
	struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)rx->skb->data;
828
	char *dev_addr = rx->sdata->vif.addr;
829

830
	if (ieee80211_is_data(hdr->frame_control)) {
831 832
		if (is_multicast_ether_addr(hdr->addr1)) {
			if (ieee80211_has_tods(hdr->frame_control) ||
833
			    !ieee80211_has_fromds(hdr->frame_control))
834
				return RX_DROP_MONITOR;
835
			if (ether_addr_equal(hdr->addr3, dev_addr))
836 837 838 839
				return RX_DROP_MONITOR;
		} else {
			if (!ieee80211_has_a4(hdr->frame_control))
				return RX_DROP_MONITOR;
840
			if (ether_addr_equal(hdr->addr4, dev_addr))
841 842
				return RX_DROP_MONITOR;
		}
843 844 845 846 847 848
	}

	/* If there is not an established peer link and this is not a peer link
	 * establisment frame, beacon or probe, drop the frame.
	 */

849
	if (!rx->sta || sta_plink_state(rx->sta) != NL80211_PLINK_ESTAB) {
850
		struct ieee80211_mgmt *mgmt;
851

852
		if (!ieee80211_is_mgmt(hdr->frame_control))
853 854
			return RX_DROP_MONITOR;

855
		if (ieee80211_is_action(hdr->frame_control)) {
856
			u8 category;
857 858 859 860 861

			/* make sure category field is present */
			if (rx->skb->len < IEEE80211_MIN_ACTION_SIZE)
				return RX_DROP_MONITOR;

862
			mgmt = (struct ieee80211_mgmt *)hdr;
863 864
			category = mgmt->u.action.category;
			if (category != WLAN_CATEGORY_MESH_ACTION &&
865
			    category != WLAN_CATEGORY_SELF_PROTECTED)
866 867 868 869
				return RX_DROP_MONITOR;
			return RX_CONTINUE;
		}

870 871
		if (ieee80211_is_probe_req(hdr->frame_control) ||
		    ieee80211_is_probe_resp(hdr->frame_control) ||
872 873
		    ieee80211_is_beacon(hdr->frame_control) ||
		    ieee80211_is_auth(hdr->frame_control))
874 875 876 877 878
			return RX_CONTINUE;

		return RX_DROP_MONITOR;
	}

Johannes Berg's avatar
Johannes Berg committed
879 880
	return RX_CONTINUE;
}
881

882 883 884 885 886 887 888
static inline bool ieee80211_rx_reorder_ready(struct tid_ampdu_rx *tid_agg_rx,
					      int index)
{
	struct sk_buff_head *frames = &tid_agg_rx->reorder_buf[index];
	struct sk_buff *tail = skb_peek_tail(frames);
	struct ieee80211_rx_status *status;

889 890 891
	if (tid_agg_rx->reorder_buf_filtered & BIT_ULL(index))
		return true;

892 893 894 895 896 897 898 899 900 901
	if (!tail)
		return false;

	status = IEEE80211_SKB_RXCB(tail);
	if (status->flag & RX_FLAG_AMSDU_MORE)
		return false;

	return true;
}

902
static void ieee80211_release_reorder_frame(struct ieee80211_sub_if_data *sdata,
903
					    struct tid_ampdu_rx *tid_agg_rx,
904 905
					    int index,
					    struct sk_buff_head *frames)
906
{
907 908
	struct sk_buff_head *skb_list = &tid_agg_rx->reorder_buf[index];
	struct sk_buff *skb;
909
	struct ieee80211_rx_status *status;
910

911 912
	lockdep_assert_held(&tid_agg_rx->reorder_lock);

913
	if (skb_queue_empty(skb_list))
914 915
		goto no_frame;

916
	if (!ieee80211_rx_reorder_ready(tid_agg_rx, index)) {
917 918 919 920 921
		__skb_queue_purge(skb_list);
		goto no_frame;
	}

	/* release frames from the reorder ring buffer */
922
	tid_agg_rx->stored_mpdu_num--;
923 924 925 926 927
	while ((skb = __skb_dequeue(skb_list))) {
		status = IEEE80211_SKB_RXCB(skb);
		status->rx_flags |= IEEE80211_RX_DEFERRED_RELEASE;
		__skb_queue_tail(frames, skb);
	}
928 929

no_frame:
930
	tid_agg_rx->reorder_buf_filtered &= ~BIT_ULL(index);
931
	tid_agg_rx->head_seq_num = ieee80211_sn_inc(tid_agg_rx->head_seq_num);
932 933
}

934
static void ieee80211_release_reorder_frames(struct ieee80211_sub_if_data *sdata,
935
					     struct tid_ampdu_rx *tid_agg_rx,
936 937
					     u16 head_seq_num,
					     struct sk_buff_head *frames)
938 939 940
{
	int index;

941 942
	lockdep_assert_held(&tid_agg_rx->reorder_lock);

943
	while (ieee80211_sn_less(tid_agg_rx->head_seq_num, head_seq_num)) {
944
		index = tid_agg_rx->head_seq_num % tid_agg_rx->buf_size;
945 946
		ieee80211_release_reorder_frame(sdata, tid_agg_rx, index,
						frames);
947 948 949 950 951 952 953 954 955
	}
}

/*
 * Timeout (in jiffies) for skb's that are waiting in the RX reorder buffer. If
 * the skb was added to the buffer longer than this time ago, the earlier
 * frames that have not yet been received are assumed to be lost and the skb
 * can be released for processing. This may also release other skb's from the
 * reorder buffer if there are no additional gaps between the frames.
956 957
 *
 * Callers must hold tid_agg_rx->reorder_lock.
958 959 960
 */
#define HT_RX_REORDER_BUF_TIMEOUT (HZ / 10)

961
static void ieee80211_sta_reorder_release(struct ieee80211_sub_if_data *sdata,
962 963
					  struct tid_ampdu_rx *tid_agg_rx,
					  struct sk_buff_head *frames)
964
{
965
	int index, i, j;
966

967 968
	lockdep_assert_held(&tid_agg_rx->reorder_lock);

969
	/* release the buffer until next missing frame */
970
	index = tid_agg_rx->head_seq_num % tid_agg_rx->buf_size;
971
	if (!ieee80211_rx_reorder_ready(tid_agg_rx, index) &&
972
	    tid_agg_rx->stored_mpdu_num) {
973 974 975 976 977 978 979
		/*
		 * No buffers ready to be released, but check whether any
		 * frames in the reorder buffer have timed out.
		 */
		int skipped = 1;
		for (j = (index + 1) % tid_agg_rx->buf_size; j != index;
		     j = (j + 1) % tid_agg_rx->buf_size) {
980
			if (!ieee80211_rx_reorder_ready(tid_agg_rx, j)) {
981 982 983
				skipped++;
				continue;
			}
984 985
			if (skipped &&
			    !time_after(jiffies, tid_agg_rx->reorder_time[j] +
986
					HT_RX_REORDER_BUF_TIMEOUT))
987
				goto set_release_timer;
988

989 990 991 992 993
			/* don't leave incomplete A-MSDUs around */
			for (i = (index + 1) % tid_agg_rx->buf_size; i != j;
			     i = (i + 1) % tid_agg_rx->buf_size)
				__skb_queue_purge(&tid_agg_rx->reorder_buf[i]);

Johannes Berg's avatar
Johannes Berg committed
994 995
			ht_dbg_ratelimited(sdata,
					   "release an RX reorder frame due to timeout on earlier frames\n");
996 997
			ieee80211_release_reorder_frame(sdata, tid_agg_rx, j,
							frames);
998 999 1000 1001 1002

			/*
			 * Increment the head seq# also for the skipped slots.
			 */
			tid_agg_rx->head_seq_num =
1003 1004
				(tid_agg_rx->head_seq_num +
				 skipped) & IEEE80211_SN_MASK;
1005 1006
			skipped = 0;
		}
1007
	} else while (ieee80211_rx_reorder_ready(tid_agg_rx, index)) {
1008 1009
		ieee80211_release_reorder_frame(sdata, tid_agg_rx, index,
						frames);
1010
		index =	tid_agg_rx->head_seq_num % tid_agg_rx->buf_size;
1011
	}
1012 1013

	if (tid_agg_rx->stored_mpdu_num) {
1014
		j = index = tid_agg_rx->head_seq_num % tid_agg_rx->buf_size;
1015 1016 1017

		for (; j != (index - 1) % tid_agg_rx->buf_size;
		     j = (j + 1) % tid_agg_rx->buf_size) {
1018
			if (ieee80211_rx_reorder_ready(tid_agg_rx, j))
1019 1020 1021 1022 1023
				break;
		}

 set_release_timer:

1024 1025 1026 1027
		if (!tid_agg_rx->removed)
			mod_timer(&tid_agg_rx->reorder_timer,
				  tid_agg_rx->reorder_time[j] + 1 +
				  HT_RX_REORDER_BUF_TIMEOUT);
1028 1029 1030
	} else {
		del_timer(&tid_agg_rx->reorder_timer);
	}
1031 1032
}

1033 1034 1035 1036 1037
/*
 * As this function belongs to the RX path it must be under
 * rcu_read_lock protection. It returns false if the frame
 * can be processed immediately, true if it was consumed.
 */
1038
static bool ieee80211_sta_manage_reorder_buf(struct ieee80211_sub_if_data *sdata,
1039
					     struct tid_ampdu_rx *tid_agg_rx,
1040 1041
					     struct sk_buff *skb,
					     struct sk_buff_head *frames)
1042 1043
{
	struct ieee80211_hdr *hdr = (struct ieee80211_hdr *) skb->data;
1044
	struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb);
1045 1046 1047 1048
	u16 sc = le16_to_cpu(hdr->seq_ctrl);
	u16 mpdu_seq_num = (sc & IEEE80211_SCTL_SEQ) >> 4;
	u16 head_seq_num, buf_size;
	int index;
1049
	bool ret = true;
1050

1051 1052
	spin_lock(&tid_agg_rx->reorder_lock);

1053 1054 1055 1056 1057 1058 1059 1060 1061 1062
	/*
	 * Offloaded BA sessions have no known starting sequence number so pick
	 * one from first Rxed frame for this tid after BA was started.
	 */
	if (unlikely(tid_agg_rx->auto_seq)) {
		tid_agg_rx->auto_seq = false;
		tid_agg_rx->ssn = mpdu_seq_num;
		tid_agg_rx->head_seq_num = mpdu_seq_num;
	}

1063 1064
	buf_size = tid_agg_rx->buf_size;
	head_seq_num = tid_agg_rx->head_seq_num;
1065 1066 1067 1068 1069 1070 1071 1072 1073 1074 1075 1076

	/*
	 * If the current MPDU's SN is smaller than the SSN, it shouldn't
	 * be reordered.
	 */
	if (unlikely(!tid_agg_rx->started)) {
		if (ieee80211_sn_less(mpdu_seq_num, head_seq_num)) {
			ret = false;
			goto out;
		}
		tid_agg_rx->started = true;
	}
1077 1078

	/* frame with out of date sequence number */
1079
	if (ieee80211_sn_less(mpdu_seq_num, head_seq_num)) {
1080
		dev_kfree_skb(skb);
1081
		goto out;
1082 1083 1084 1085 1086 1087
	}

	/*
	 * If frame the sequence number exceeds our buffering window
	 * size release some previous frames to make room for this one.
	 */
1088 1089 1090
	if (!ieee80211_sn_less(mpdu_seq_num, head_seq_num + buf_size)) {
		head_seq_num = ieee80211_sn_inc(
				ieee80211_sn_sub(mpdu_seq_num, buf_size));
1091
		/* release stored frames up to new head to stack */
1092
		ieee80211_release_reorder_frames(sdata, tid_agg_rx,
1093
						 head_seq_num, frames);
1094 1095 1096 1097
	}

	/* Now the new frame is always in the range of the reordering buffer */

1098
	index = mpdu_seq_num % tid_agg_rx->buf_size;
1099 1100

	/* check if we already stored this frame */
1101
	if (ieee80211_rx_reorder_ready(tid_agg_rx, index)) {
1102
		dev_kfree_skb(skb);
1103
		goto out;
1104 1105 1106 1107 1108
	}

	/*
	 * If the current MPDU is in the right order and nothing else
	 * is stored we can process it directly, no need to buffer it.
1109 1110
	 * If it is first but there's something stored, we may be able
	 * to release frames after this one.
1111 1112 1113
	 */
	if (mpdu_seq_num == tid_agg_rx->head_seq_num &&
	    tid_agg_rx->stored_mpdu_num == 0) {
1114 1115 1116
		if (!(status->flag & RX_FLAG_AMSDU_MORE))
			tid_agg_rx->head_seq_num =
				ieee80211_sn_inc(tid_agg_rx->head_seq_num);
1117 1118
		ret = false;
		goto out;
1119 1120 1121
	}

	/* put the frame in the reordering buffer */
1122 1123 1124 1125 1126 1127
	__skb_queue_tail(&tid_agg_rx->reorder_buf[index], skb);
	if (!(status->flag & RX_FLAG_AMSDU_MORE)) {
		tid_agg_rx->reorder_time[index] = jiffies;
		tid_agg_rx->stored_mpdu_num++;
		ieee80211_sta_reorder_release(sdata, tid_agg_rx, frames);
	}
1128

1129 1130 1131
 out:
	spin_unlock(&tid_agg_rx->reorder_lock);
	return ret;
1132 1133 1134 1135 1136 1137
}

/*
 * Reorder MPDUs from A-MPDUs, keeping them on a buffer. Returns
 * true if the MPDU was buffered, false if it should be processed.
 */
1138 1139
static void ieee80211_rx_reorder_ampdu(struct ieee80211_rx_data *rx,
				       struct sk_buff_head *frames)
1140
{
1141 1142
	struct sk_buff *skb = rx->skb;
	struct ieee80211_local *local = rx->local;
1143
	struct ieee80211_hdr *hdr = (struct ieee80211_hdr *) skb->data;
1144
	struct sta_info *sta = rx->sta;
1145 1146
	struct tid_ampdu_rx *tid_agg_rx;
	u16 sc;
1147
	u8 tid, ack_policy;
1148

1149 1150
	if (!ieee80211_is_data_qos(hdr->frame_control) ||
	    is_multicast_ether_addr(hdr->addr1))
1151
		goto dont_reorder;
1152 1153 1154 1155 1156 1157 1158

	/*
	 * filter the QoS data rx stream according to
	 * STA/TID and check if this STA/TID is on aggregation
	 */

	if (!sta)
1159
		goto dont_reorder;
1160

1161 1162
	ack_policy = *ieee80211_get_qos_ctl(hdr) &
		     IEEE80211_QOS_CTL_ACK_POLICY_MASK;
1163 1164
	tid = *ieee80211_get_qos_ctl(hdr) & IEEE80211_QOS_CTL_TID_MASK;

1165
	tid_agg_rx = rcu_dereference(sta->ampdu_mlme.tid_rx[tid]);
1166 1167 1168 1169 1170 1171 1172
	if (!tid_agg_rx) {
		if (ack_policy == IEEE80211_QOS_CTL_ACK_POLICY_BLOCKACK &&
		    !test_bit(tid, rx->sta->ampdu_mlme.agg_session_valid) &&
		    !test_and_set_bit(tid, rx->sta->ampdu_mlme.unexpected_agg))
			ieee80211_send_delba(rx->sdata, rx->sta->sta.addr, tid,
					     WLAN_BACK_RECIPIENT,
					     WLAN_REASON_QSTA_REQUIRE_SETUP);
1173
		goto dont_reorder;
1174
	}
1175 1176 1177

	/* qos null data frames are excluded */
	if (unlikely(hdr->frame_control & cpu_to_le16(IEEE80211_STYPE_NULLFUNC)))
1178
		goto dont_reorder;
1179

1180 1181 1182 1183 1184
	/* not part of a BA session */
	if (ack_policy != IEEE80211_QOS_CTL_ACK_POLICY_BLOCKACK &&
	    ack_policy != IEEE80211_QOS_CTL_ACK_POLICY_NORMAL)
		goto dont_reorder;

1185 1186 1187 1188
	/* new, potentially un-ordered, ampdu frame - process it */

	/* reset session timer */
	if (tid_agg_rx->timeout)
1189
		tid_agg_rx->last_rx = jiffies;
1190 1191 1192 1193

	/* if this mpdu is fragmented - terminate rx aggregation session */
	sc = le16_to_cpu(hdr->seq_ctrl);
	if (sc & IEEE80211_SCTL_FRAG) {
1194
		skb->pkt_type = IEEE80211_SDATA_QUEUE_TYPE_FRAME;
1195 1196
		skb_queue_tail(&rx->sdata->skb_queue, skb);
		ieee80211_queue_work(&local->hw, &rx->sdata->work);
1197
		return;