root/net/mac80211/rx.c

DEFINITIONS

1. ieee80211_rx_stats
2. ieee80211_get_bssid
3. remove_monitor_info
4. should_drop_frame
5. ieee80211_rx_radiotap_hdrlen
6. ieee80211_handle_mu_mimo_mon
7. ieee80211_add_rx_radiotap_header
8. ieee80211_make_monitor_skb
9. ieee80211_rx_monitor
10. ieee80211_parse_qos
11. ieee80211_verify_alignment
12. ieee80211_is_unicast_robust_mgmt_frame
13. ieee80211_is_multicast_robust_mgmt_frame
14. ieee80211_get_mmie_keyidx
15. ieee80211_get_keyid
16. ieee80211_rx_mesh_check
17. ieee80211_rx_reorder_ready
18. ieee80211_release_reorder_frame
19. ieee80211_release_reorder_frames
20. ieee80211_sta_reorder_release
21. ieee80211_sta_manage_reorder_buf
22. ieee80211_rx_reorder_ampdu
23. ieee80211_rx_h_check_dup
24. ieee80211_rx_h_check
25. ieee80211_rx_h_check_more_data
26. sta_ps_start
27. sta_ps_end
28. ieee80211_sta_ps_transition
29. ieee80211_sta_pspoll
30. ieee80211_sta_uapsd_trigger
31. ieee80211_rx_h_uapsd_and_pspoll
32. ieee80211_rx_h_sta_process
33. ieee80211_rx_h_decrypt
34. ieee80211_reassemble_add
35. ieee80211_reassemble_find
36. ieee80211_rx_h_defragment
37. ieee80211_802_1x_port_control
38. ieee80211_drop_unencrypted
39. ieee80211_drop_unencrypted_mgmt
40. __ieee80211_data_to_8023
41. ieee80211_frame_allowed
42. ieee80211_deliver_skb_to_local_stack
43. ieee80211_deliver_skb
44. __ieee80211_rx_h_amsdu
45. ieee80211_rx_h_amsdu
46. ieee80211_rx_h_mesh_fwding
47. ieee80211_rx_h_data
48. ieee80211_rx_h_ctrl
49. ieee80211_process_sa_query_req
50. ieee80211_rx_h_mgmt_check
51. ieee80211_rx_h_action
52. ieee80211_rx_h_userspace_mgmt
53. ieee80211_rx_h_action_return
54. ieee80211_rx_h_mgmt
55. ieee80211_rx_cooked_monitor
56. ieee80211_rx_handlers_result
57. ieee80211_rx_handlers
58. ieee80211_invoke_rx_handlers
59. ieee80211_release_reorder_timeout
60. ieee80211_mark_rx_ba_filtered_frames
61. ieee80211_accept_frame
62. ieee80211_check_fast_rx
63. ieee80211_clear_fast_rx
64. __ieee80211_check_fast_rx_iface
65. ieee80211_check_fast_rx_iface
66. ieee80211_invoke_fast_rx
67. ieee80211_prepare_and_rx_handle
68. __ieee80211_rx_handle_packet
69. ieee80211_rx_napi
70. ieee80211_rx_irqsafe

   1 // SPDX-License-Identifier: GPL-2.0-only
   2 /*
   3  * Copyright 2002-2005, Instant802 Networks, Inc.
   4  * Copyright 2005-2006, Devicescape Software, Inc.
   5  * Copyright 2006-2007  Jiri Benc <jbenc@suse.cz>
   6  * Copyright 2007-2010  Johannes Berg <johannes@sipsolutions.net>
   7  * Copyright 2013-2014  Intel Mobile Communications GmbH
   8  * Copyright(c) 2015 - 2017 Intel Deutschland GmbH
   9  * Copyright (C) 2018-2019 Intel Corporation
  10  */
  11 
  12 #include <linux/jiffies.h>
  13 #include <linux/slab.h>
  14 #include <linux/kernel.h>
  15 #include <linux/skbuff.h>
  16 #include <linux/netdevice.h>
  17 #include <linux/etherdevice.h>
  18 #include <linux/rcupdate.h>
  19 #include <linux/export.h>
  20 #include <linux/bitops.h>
  21 #include <net/mac80211.h>
  22 #include <net/ieee80211_radiotap.h>
  23 #include <asm/unaligned.h>
  24 
  25 #include "ieee80211_i.h"
  26 #include "driver-ops.h"
  27 #include "led.h"
  28 #include "mesh.h"
  29 #include "wep.h"
  30 #include "wpa.h"
  31 #include "tkip.h"
  32 #include "wme.h"
  33 #include "rate.h"
  34 
  35 static inline void ieee80211_rx_stats(struct net_device *dev, u32 len)
  36 {
  37         struct pcpu_sw_netstats *tstats = this_cpu_ptr(dev->tstats);
  38 
  39         u64_stats_update_begin(&tstats->syncp);
  40         tstats->rx_packets++;
  41         tstats->rx_bytes += len;
  42         u64_stats_update_end(&tstats->syncp);
  43 }
  44 
  45 static u8 *ieee80211_get_bssid(struct ieee80211_hdr *hdr, size_t len,
  46                                enum nl80211_iftype type)
  47 {
  48         __le16 fc = hdr->frame_control;
  49 
  50         if (ieee80211_is_data(fc)) {
  51                 if (len < 24) /* drop incorrect hdr len (data) */
  52                         return NULL;
  53 
  54                 if (ieee80211_has_a4(fc))
  55                         return NULL;
  56                 if (ieee80211_has_tods(fc))
  57                         return hdr->addr1;
  58                 if (ieee80211_has_fromds(fc))
  59                         return hdr->addr2;
  60 
  61                 return hdr->addr3;
  62         }
  63 
  64         if (ieee80211_is_mgmt(fc)) {
  65                 if (len < 24) /* drop incorrect hdr len (mgmt) */
  66                         return NULL;
  67                 return hdr->addr3;
  68         }
  69 
  70         if (ieee80211_is_ctl(fc)) {
  71                 if (ieee80211_is_pspoll(fc))
  72                         return hdr->addr1;
  73 
  74                 if (ieee80211_is_back_req(fc)) {
  75                         switch (type) {
  76                         case NL80211_IFTYPE_STATION:
  77                                 return hdr->addr2;
  78                         case NL80211_IFTYPE_AP:
  79                         case NL80211_IFTYPE_AP_VLAN:
  80                                 return hdr->addr1;
  81                         default:
  82                                 break; /* fall through to the return */
  83                         }
  84                 }
  85         }
  86 
  87         return NULL;
  88 }
  89 
  90 /*
  91  * monitor mode reception
  92  *
  93  * This function cleans up the SKB, i.e. it removes all the stuff
  94  * only useful for monitoring.
  95  */
  96 static void remove_monitor_info(struct sk_buff *skb,
  97                                 unsigned int present_fcs_len,
  98                                 unsigned int rtap_space)
  99 {
 100         if (present_fcs_len)
 101                 __pskb_trim(skb, skb->len - present_fcs_len);
 102         __pskb_pull(skb, rtap_space);
 103 }
 104 
 105 static inline bool should_drop_frame(struct sk_buff *skb, int present_fcs_len,
 106                                      unsigned int rtap_space)
 107 {
 108         struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb);
 109         struct ieee80211_hdr *hdr;
 110 
 111         hdr = (void *)(skb->data + rtap_space);
 112 
 113         if (status->flag & (RX_FLAG_FAILED_FCS_CRC |
 114                             RX_FLAG_FAILED_PLCP_CRC |
 115                             RX_FLAG_ONLY_MONITOR |
 116                             RX_FLAG_NO_PSDU))
 117                 return true;
 118 
 119         if (unlikely(skb->len < 16 + present_fcs_len + rtap_space))
 120                 return true;
 121 
 122         if (ieee80211_is_ctl(hdr->frame_control) &&
 123             !ieee80211_is_pspoll(hdr->frame_control) &&
 124             !ieee80211_is_back_req(hdr->frame_control))
 125                 return true;
 126 
 127         return false;
 128 }
 129 
 130 static int
 131 ieee80211_rx_radiotap_hdrlen(struct ieee80211_local *local,
 132                              struct ieee80211_rx_status *status,
 133                              struct sk_buff *skb)
 134 {
 135         int len;
 136 
 137         /* always present fields */
 138         len = sizeof(struct ieee80211_radiotap_header) + 8;
 139 
 140         /* allocate extra bitmaps */
 141         if (status->chains)
 142                 len += 4 * hweight8(status->chains);
 143         /* vendor presence bitmap */
 144         if (status->flag & RX_FLAG_RADIOTAP_VENDOR_DATA)
 145                 len += 4;
 146 
 147         if (ieee80211_have_rx_timestamp(status)) {
 148                 len = ALIGN(len, 8);
 149                 len += 8;
 150         }
 151         if (ieee80211_hw_check(&local->hw, SIGNAL_DBM))
 152                 len += 1;
 153 
 154         /* antenna field, if we don't have per-chain info */
 155         if (!status->chains)
 156                 len += 1;
 157 
 158         /* padding for RX_FLAGS if necessary */
 159         len = ALIGN(len, 2);
 160 
 161         if (status->encoding == RX_ENC_HT) /* HT info */
 162                 len += 3;
 163 
 164         if (status->flag & RX_FLAG_AMPDU_DETAILS) {
 165                 len = ALIGN(len, 4);
 166                 len += 8;
 167         }
 168 
 169         if (status->encoding == RX_ENC_VHT) {
 170                 len = ALIGN(len, 2);
 171                 len += 12;
 172         }
 173 
 174         if (local->hw.radiotap_timestamp.units_pos >= 0) {
 175                 len = ALIGN(len, 8);
 176                 len += 12;
 177         }
 178 
 179         if (status->encoding == RX_ENC_HE &&
 180             status->flag & RX_FLAG_RADIOTAP_HE) {
 181                 len = ALIGN(len, 2);
 182                 len += 12;
 183                 BUILD_BUG_ON(sizeof(struct ieee80211_radiotap_he) != 12);
 184         }
 185 
 186         if (status->encoding == RX_ENC_HE &&
 187             status->flag & RX_FLAG_RADIOTAP_HE_MU) {
 188                 len = ALIGN(len, 2);
 189                 len += 12;
 190                 BUILD_BUG_ON(sizeof(struct ieee80211_radiotap_he_mu) != 12);
 191         }
 192 
 193         if (status->flag & RX_FLAG_NO_PSDU)
 194                 len += 1;
 195 
 196         if (status->flag & RX_FLAG_RADIOTAP_LSIG) {
 197                 len = ALIGN(len, 2);
 198                 len += 4;
 199                 BUILD_BUG_ON(sizeof(struct ieee80211_radiotap_lsig) != 4);
 200         }
 201 
 202         if (status->chains) {
 203                 /* antenna and antenna signal fields */
 204                 len += 2 * hweight8(status->chains);
 205         }
 206 
 207         if (status->flag & RX_FLAG_RADIOTAP_VENDOR_DATA) {
 208                 struct ieee80211_vendor_radiotap *rtap;
 209                 int vendor_data_offset = 0;
 210 
 211                 /*
 212                  * The position to look at depends on the existence (or non-
 213                  * existence) of other elements, so take that into account...
 214                  */
 215                 if (status->flag & RX_FLAG_RADIOTAP_HE)
 216                         vendor_data_offset +=
 217                                 sizeof(struct ieee80211_radiotap_he);
 218                 if (status->flag & RX_FLAG_RADIOTAP_HE_MU)
 219                         vendor_data_offset +=
 220                                 sizeof(struct ieee80211_radiotap_he_mu);
 221                 if (status->flag & RX_FLAG_RADIOTAP_LSIG)
 222                         vendor_data_offset +=
 223                                 sizeof(struct ieee80211_radiotap_lsig);
 224 
 225                 rtap = (void *)&skb->data[vendor_data_offset];
 226 
 227                 /* alignment for fixed 6-byte vendor data header */
 228                 len = ALIGN(len, 2);
 229                 /* vendor data header */
 230                 len += 6;
 231                 if (WARN_ON(rtap->align == 0))
 232                         rtap->align = 1;
 233                 len = ALIGN(len, rtap->align);
 234                 len += rtap->len + rtap->pad;
 235         }
 236 
 237         return len;
 238 }
 239 
 240 static void ieee80211_handle_mu_mimo_mon(struct ieee80211_sub_if_data *sdata,
 241                                          struct sk_buff *skb,
 242                                          int rtap_space)
 243 {
 244         struct {
 245                 struct ieee80211_hdr_3addr hdr;
 246                 u8 category;
 247                 u8 action_code;
 248         } __packed __aligned(2) action;
 249 
 250         if (!sdata)
 251                 return;
 252 
 253         BUILD_BUG_ON(sizeof(action) != IEEE80211_MIN_ACTION_SIZE + 1);
 254 
 255         if (skb->len < rtap_space + sizeof(action) +
 256                        VHT_MUMIMO_GROUPS_DATA_LEN)
 257                 return;
 258 
 259         if (!is_valid_ether_addr(sdata->u.mntr.mu_follow_addr))
 260                 return;
 261 
 262         skb_copy_bits(skb, rtap_space, &action, sizeof(action));
 263 
 264         if (!ieee80211_is_action(action.hdr.frame_control))
 265                 return;
 266 
 267         if (action.category != WLAN_CATEGORY_VHT)
 268                 return;
 269 
 270         if (action.action_code != WLAN_VHT_ACTION_GROUPID_MGMT)
 271                 return;
 272 
 273         if (!ether_addr_equal(action.hdr.addr1, sdata->u.mntr.mu_follow_addr))
 274                 return;
 275 
 276         skb = skb_copy(skb, GFP_ATOMIC);
 277         if (!skb)
 278                 return;
 279 
 280         skb_queue_tail(&sdata->skb_queue, skb);
 281         ieee80211_queue_work(&sdata->local->hw, &sdata->work);
 282 }
 283 
 284 /*
 285  * ieee80211_add_rx_radiotap_header - add radiotap header
 286  *
 287  * add a radiotap header containing all the fields which the hardware provided.
 288  */
 289 static void
 290 ieee80211_add_rx_radiotap_header(struct ieee80211_local *local,
 291                                  struct sk_buff *skb,
 292                                  struct ieee80211_rate *rate,
 293                                  int rtap_len, bool has_fcs)
 294 {
 295         struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb);
 296         struct ieee80211_radiotap_header *rthdr;
 297         unsigned char *pos;
 298         __le32 *it_present;
 299         u32 it_present_val;
 300         u16 rx_flags = 0;
 301         u16 channel_flags = 0;
 302         int mpdulen, chain;
 303         unsigned long chains = status->chains;
 304         struct ieee80211_vendor_radiotap rtap = {};
 305         struct ieee80211_radiotap_he he = {};
 306         struct ieee80211_radiotap_he_mu he_mu = {};
 307         struct ieee80211_radiotap_lsig lsig = {};
 308 
 309         if (status->flag & RX_FLAG_RADIOTAP_HE) {
 310                 he = *(struct ieee80211_radiotap_he *)skb->data;
 311                 skb_pull(skb, sizeof(he));
 312                 WARN_ON_ONCE(status->encoding != RX_ENC_HE);
 313         }
 314 
 315         if (status->flag & RX_FLAG_RADIOTAP_HE_MU) {
 316                 he_mu = *(struct ieee80211_radiotap_he_mu *)skb->data;
 317                 skb_pull(skb, sizeof(he_mu));
 318         }
 319 
 320         if (status->flag & RX_FLAG_RADIOTAP_LSIG) {
 321                 lsig = *(struct ieee80211_radiotap_lsig *)skb->data;
 322                 skb_pull(skb, sizeof(lsig));
 323         }
 324 
 325         if (status->flag & RX_FLAG_RADIOTAP_VENDOR_DATA) {
 326                 rtap = *(struct ieee80211_vendor_radiotap *)skb->data;
 327                 /* rtap.len and rtap.pad are undone immediately */
 328                 skb_pull(skb, sizeof(rtap) + rtap.len + rtap.pad);
 329         }
 330 
 331         mpdulen = skb->len;
 332         if (!(has_fcs && ieee80211_hw_check(&local->hw, RX_INCLUDES_FCS)))
 333                 mpdulen += FCS_LEN;
 334 
 335         rthdr = skb_push(skb, rtap_len);
 336         memset(rthdr, 0, rtap_len - rtap.len - rtap.pad);
 337         it_present = &rthdr->it_present;
 338 
 339         /* radiotap header, set always present flags */
 340         rthdr->it_len = cpu_to_le16(rtap_len);
 341         it_present_val = BIT(IEEE80211_RADIOTAP_FLAGS) |
 342                          BIT(IEEE80211_RADIOTAP_CHANNEL) |
 343                          BIT(IEEE80211_RADIOTAP_RX_FLAGS);
 344 
 345         if (!status->chains)
 346                 it_present_val |= BIT(IEEE80211_RADIOTAP_ANTENNA);
 347 
 348         for_each_set_bit(chain, &chains, IEEE80211_MAX_CHAINS) {
 349                 it_present_val |=
 350                         BIT(IEEE80211_RADIOTAP_EXT) |
 351                         BIT(IEEE80211_RADIOTAP_RADIOTAP_NAMESPACE);
 352                 put_unaligned_le32(it_present_val, it_present);
 353                 it_present++;
 354                 it_present_val = BIT(IEEE80211_RADIOTAP_ANTENNA) |
 355                                  BIT(IEEE80211_RADIOTAP_DBM_ANTSIGNAL);
 356         }
 357 
 358         if (status->flag & RX_FLAG_RADIOTAP_VENDOR_DATA) {
 359                 it_present_val |= BIT(IEEE80211_RADIOTAP_VENDOR_NAMESPACE) |
 360                                   BIT(IEEE80211_RADIOTAP_EXT);
 361                 put_unaligned_le32(it_present_val, it_present);
 362                 it_present++;
 363                 it_present_val = rtap.present;
 364         }
 365 
 366         put_unaligned_le32(it_present_val, it_present);
 367 
 368         pos = (void *)(it_present + 1);
 369 
 370         /* the order of the following fields is important */
 371 
 372         /* IEEE80211_RADIOTAP_TSFT */
 373         if (ieee80211_have_rx_timestamp(status)) {
 374                 /* padding */
 375                 while ((pos - (u8 *)rthdr) & 7)
 376                         *pos++ = 0;
 377                 put_unaligned_le64(
 378                         ieee80211_calculate_rx_timestamp(local, status,
 379                                                          mpdulen, 0),
 380                         pos);
 381                 rthdr->it_present |= cpu_to_le32(1 << IEEE80211_RADIOTAP_TSFT);
 382                 pos += 8;
 383         }
 384 
 385         /* IEEE80211_RADIOTAP_FLAGS */
 386         if (has_fcs && ieee80211_hw_check(&local->hw, RX_INCLUDES_FCS))
 387                 *pos |= IEEE80211_RADIOTAP_F_FCS;
 388         if (status->flag & (RX_FLAG_FAILED_FCS_CRC | RX_FLAG_FAILED_PLCP_CRC))
 389                 *pos |= IEEE80211_RADIOTAP_F_BADFCS;
 390         if (status->enc_flags & RX_ENC_FLAG_SHORTPRE)
 391                 *pos |= IEEE80211_RADIOTAP_F_SHORTPRE;
 392         pos++;
 393 
 394         /* IEEE80211_RADIOTAP_RATE */
 395         if (!rate || status->encoding != RX_ENC_LEGACY) {
 396                 /*
 397                  * Without rate information don't add it. If we have,
 398                  * MCS information is a separate field in radiotap,
 399                  * added below. The byte here is needed as padding
 400                  * for the channel though, so initialise it to 0.
 401                  */
 402                 *pos = 0;
 403         } else {
 404                 int shift = 0;
 405                 rthdr->it_present |= cpu_to_le32(1 << IEEE80211_RADIOTAP_RATE);
 406                 if (status->bw == RATE_INFO_BW_10)
 407                         shift = 1;
 408                 else if (status->bw == RATE_INFO_BW_5)
 409                         shift = 2;
 410                 *pos = DIV_ROUND_UP(rate->bitrate, 5 * (1 << shift));
 411         }
 412         pos++;
 413 
 414         /* IEEE80211_RADIOTAP_CHANNEL */
 415         put_unaligned_le16(status->freq, pos);
 416         pos += 2;
 417         if (status->bw == RATE_INFO_BW_10)
 418                 channel_flags |= IEEE80211_CHAN_HALF;
 419         else if (status->bw == RATE_INFO_BW_5)
 420                 channel_flags |= IEEE80211_CHAN_QUARTER;
 421 
 422         if (status->band == NL80211_BAND_5GHZ)
 423                 channel_flags |= IEEE80211_CHAN_OFDM | IEEE80211_CHAN_5GHZ;
 424         else if (status->encoding != RX_ENC_LEGACY)
 425                 channel_flags |= IEEE80211_CHAN_DYN | IEEE80211_CHAN_2GHZ;
 426         else if (rate && rate->flags & IEEE80211_RATE_ERP_G)
 427                 channel_flags |= IEEE80211_CHAN_OFDM | IEEE80211_CHAN_2GHZ;
 428         else if (rate)
 429                 channel_flags |= IEEE80211_CHAN_CCK | IEEE80211_CHAN_2GHZ;
 430         else
 431                 channel_flags |= IEEE80211_CHAN_2GHZ;
 432         put_unaligned_le16(channel_flags, pos);
 433         pos += 2;
 434 
 435         /* IEEE80211_RADIOTAP_DBM_ANTSIGNAL */
 436         if (ieee80211_hw_check(&local->hw, SIGNAL_DBM) &&
 437             !(status->flag & RX_FLAG_NO_SIGNAL_VAL)) {
 438                 *pos = status->signal;
 439                 rthdr->it_present |=
 440                         cpu_to_le32(1 << IEEE80211_RADIOTAP_DBM_ANTSIGNAL);
 441                 pos++;
 442         }
 443 
 444         /* IEEE80211_RADIOTAP_LOCK_QUALITY is missing */
 445 
 446         if (!status->chains) {
 447                 /* IEEE80211_RADIOTAP_ANTENNA */
 448                 *pos = status->antenna;
 449                 pos++;
 450         }
 451 
 452         /* IEEE80211_RADIOTAP_DB_ANTNOISE is not used */
 453 
 454         /* IEEE80211_RADIOTAP_RX_FLAGS */
 455         /* ensure 2 byte alignment for the 2 byte field as required */
 456         if ((pos - (u8 *)rthdr) & 1)
 457                 *pos++ = 0;
 458         if (status->flag & RX_FLAG_FAILED_PLCP_CRC)
 459                 rx_flags |= IEEE80211_RADIOTAP_F_RX_BADPLCP;
 460         put_unaligned_le16(rx_flags, pos);
 461         pos += 2;
 462 
 463         if (status->encoding == RX_ENC_HT) {
 464                 unsigned int stbc;
 465 
 466                 rthdr->it_present |= cpu_to_le32(1 << IEEE80211_RADIOTAP_MCS);
 467                 *pos++ = local->hw.radiotap_mcs_details;
 468                 *pos = 0;
 469                 if (status->enc_flags & RX_ENC_FLAG_SHORT_GI)
 470                         *pos |= IEEE80211_RADIOTAP_MCS_SGI;
 471                 if (status->bw == RATE_INFO_BW_40)
 472                         *pos |= IEEE80211_RADIOTAP_MCS_BW_40;
 473                 if (status->enc_flags & RX_ENC_FLAG_HT_GF)
 474                         *pos |= IEEE80211_RADIOTAP_MCS_FMT_GF;
 475                 if (status->enc_flags & RX_ENC_FLAG_LDPC)
 476                         *pos |= IEEE80211_RADIOTAP_MCS_FEC_LDPC;
 477                 stbc = (status->enc_flags & RX_ENC_FLAG_STBC_MASK) >> RX_ENC_FLAG_STBC_SHIFT;
 478                 *pos |= stbc << IEEE80211_RADIOTAP_MCS_STBC_SHIFT;
 479                 pos++;
 480                 *pos++ = status->rate_idx;
 481         }
 482 
 483         if (status->flag & RX_FLAG_AMPDU_DETAILS) {
 484                 u16 flags = 0;
 485 
 486                 /* ensure 4 byte alignment */
 487                 while ((pos - (u8 *)rthdr) & 3)
 488                         pos++;
 489                 rthdr->it_present |=
 490                         cpu_to_le32(1 << IEEE80211_RADIOTAP_AMPDU_STATUS);
 491                 put_unaligned_le32(status->ampdu_reference, pos);
 492                 pos += 4;
 493                 if (status->flag & RX_FLAG_AMPDU_LAST_KNOWN)
 494                         flags |= IEEE80211_RADIOTAP_AMPDU_LAST_KNOWN;
 495                 if (status->flag & RX_FLAG_AMPDU_IS_LAST)
 496                         flags |= IEEE80211_RADIOTAP_AMPDU_IS_LAST;
 497                 if (status->flag & RX_FLAG_AMPDU_DELIM_CRC_ERROR)
 498                         flags |= IEEE80211_RADIOTAP_AMPDU_DELIM_CRC_ERR;
 499                 if (status->flag & RX_FLAG_AMPDU_DELIM_CRC_KNOWN)
 500                         flags |= IEEE80211_RADIOTAP_AMPDU_DELIM_CRC_KNOWN;
 501                 if (status->flag & RX_FLAG_AMPDU_EOF_BIT_KNOWN)
 502                         flags |= IEEE80211_RADIOTAP_AMPDU_EOF_KNOWN;
 503                 if (status->flag & RX_FLAG_AMPDU_EOF_BIT)
 504                         flags |= IEEE80211_RADIOTAP_AMPDU_EOF;
 505                 put_unaligned_le16(flags, pos);
 506                 pos += 2;
 507                 if (status->flag & RX_FLAG_AMPDU_DELIM_CRC_KNOWN)
 508                         *pos++ = status->ampdu_delimiter_crc;
 509                 else
 510                         *pos++ = 0;
 511                 *pos++ = 0;
 512         }
 513 
 514         if (status->encoding == RX_ENC_VHT) {
 515                 u16 known = local->hw.radiotap_vht_details;
 516 
 517                 rthdr->it_present |= cpu_to_le32(1 << IEEE80211_RADIOTAP_VHT);
 518                 put_unaligned_le16(known, pos);
 519                 pos += 2;
 520                 /* flags */
 521                 if (status->enc_flags & RX_ENC_FLAG_SHORT_GI)
 522                         *pos |= IEEE80211_RADIOTAP_VHT_FLAG_SGI;
 523                 /* in VHT, STBC is binary */
 524                 if (status->enc_flags & RX_ENC_FLAG_STBC_MASK)
 525                         *pos |= IEEE80211_RADIOTAP_VHT_FLAG_STBC;
 526                 if (status->enc_flags & RX_ENC_FLAG_BF)
 527                         *pos |= IEEE80211_RADIOTAP_VHT_FLAG_BEAMFORMED;
 528                 pos++;
 529                 /* bandwidth */
 530                 switch (status->bw) {
 531                 case RATE_INFO_BW_80:
 532                         *pos++ = 4;
 533                         break;
 534                 case RATE_INFO_BW_160:
 535                         *pos++ = 11;
 536                         break;
 537                 case RATE_INFO_BW_40:
 538                         *pos++ = 1;
 539                         break;
 540                 default:
 541                         *pos++ = 0;
 542                 }
 543                 /* MCS/NSS */
 544                 *pos = (status->rate_idx << 4) | status->nss;
 545                 pos += 4;
 546                 /* coding field */
 547                 if (status->enc_flags & RX_ENC_FLAG_LDPC)
 548                         *pos |= IEEE80211_RADIOTAP_CODING_LDPC_USER0;
 549                 pos++;
 550                 /* group ID */
 551                 pos++;
 552                 /* partial_aid */
 553                 pos += 2;
 554         }
 555 
 556         if (local->hw.radiotap_timestamp.units_pos >= 0) {
 557                 u16 accuracy = 0;
 558                 u8 flags = IEEE80211_RADIOTAP_TIMESTAMP_FLAG_32BIT;
 559 
 560                 rthdr->it_present |=
 561                         cpu_to_le32(1 << IEEE80211_RADIOTAP_TIMESTAMP);
 562 
 563                 /* ensure 8 byte alignment */
 564                 while ((pos - (u8 *)rthdr) & 7)
 565                         pos++;
 566 
 567                 put_unaligned_le64(status->device_timestamp, pos);
 568                 pos += sizeof(u64);
 569 
 570                 if (local->hw.radiotap_timestamp.accuracy >= 0) {
 571                         accuracy = local->hw.radiotap_timestamp.accuracy;
 572                         flags |= IEEE80211_RADIOTAP_TIMESTAMP_FLAG_ACCURACY;
 573                 }
 574                 put_unaligned_le16(accuracy, pos);
 575                 pos += sizeof(u16);
 576 
 577                 *pos++ = local->hw.radiotap_timestamp.units_pos;
 578                 *pos++ = flags;
 579         }
 580 
 581         if (status->encoding == RX_ENC_HE &&
 582             status->flag & RX_FLAG_RADIOTAP_HE) {
 583 #define HE_PREP(f, val) le16_encode_bits(val, IEEE80211_RADIOTAP_HE_##f)
 584 
 585                 if (status->enc_flags & RX_ENC_FLAG_STBC_MASK) {
 586                         he.data6 |= HE_PREP(DATA6_NSTS,
 587                                             FIELD_GET(RX_ENC_FLAG_STBC_MASK,
 588                                                       status->enc_flags));
 589                         he.data3 |= HE_PREP(DATA3_STBC, 1);
 590                 } else {
 591                         he.data6 |= HE_PREP(DATA6_NSTS, status->nss);
 592                 }
 593 
 594 #define CHECK_GI(s) \
 595         BUILD_BUG_ON(IEEE80211_RADIOTAP_HE_DATA5_GI_##s != \
 596                      (int)NL80211_RATE_INFO_HE_GI_##s)
 597 
 598                 CHECK_GI(0_8);
 599                 CHECK_GI(1_6);
 600                 CHECK_GI(3_2);
 601 
 602                 he.data3 |= HE_PREP(DATA3_DATA_MCS, status->rate_idx);
 603                 he.data3 |= HE_PREP(DATA3_DATA_DCM, status->he_dcm);
 604                 he.data3 |= HE_PREP(DATA3_CODING,
 605                                     !!(status->enc_flags & RX_ENC_FLAG_LDPC));
 606 
 607                 he.data5 |= HE_PREP(DATA5_GI, status->he_gi);
 608 
 609                 switch (status->bw) {
 610                 case RATE_INFO_BW_20:
 611                         he.data5 |= HE_PREP(DATA5_DATA_BW_RU_ALLOC,
 612                                             IEEE80211_RADIOTAP_HE_DATA5_DATA_BW_RU_ALLOC_20MHZ);
 613                         break;
 614                 case RATE_INFO_BW_40:
 615                         he.data5 |= HE_PREP(DATA5_DATA_BW_RU_ALLOC,
 616                                             IEEE80211_RADIOTAP_HE_DATA5_DATA_BW_RU_ALLOC_40MHZ);
 617                         break;
 618                 case RATE_INFO_BW_80:
 619                         he.data5 |= HE_PREP(DATA5_DATA_BW_RU_ALLOC,
 620                                             IEEE80211_RADIOTAP_HE_DATA5_DATA_BW_RU_ALLOC_80MHZ);
 621                         break;
 622                 case RATE_INFO_BW_160:
 623                         he.data5 |= HE_PREP(DATA5_DATA_BW_RU_ALLOC,
 624                                             IEEE80211_RADIOTAP_HE_DATA5_DATA_BW_RU_ALLOC_160MHZ);
 625                         break;
 626                 case RATE_INFO_BW_HE_RU:
 627 #define CHECK_RU_ALLOC(s) \
 628         BUILD_BUG_ON(IEEE80211_RADIOTAP_HE_DATA5_DATA_BW_RU_ALLOC_##s##T != \
 629                      NL80211_RATE_INFO_HE_RU_ALLOC_##s + 4)
 630 
 631                         CHECK_RU_ALLOC(26);
 632                         CHECK_RU_ALLOC(52);
 633                         CHECK_RU_ALLOC(106);
 634                         CHECK_RU_ALLOC(242);
 635                         CHECK_RU_ALLOC(484);
 636                         CHECK_RU_ALLOC(996);
 637                         CHECK_RU_ALLOC(2x996);
 638 
 639                         he.data5 |= HE_PREP(DATA5_DATA_BW_RU_ALLOC,
 640                                             status->he_ru + 4);
 641                         break;
 642                 default:
 643                         WARN_ONCE(1, "Invalid SU BW %d\n", status->bw);
 644                 }
 645 
 646                 /* ensure 2 byte alignment */
 647                 while ((pos - (u8 *)rthdr) & 1)
 648                         pos++;
 649                 rthdr->it_present |= cpu_to_le32(1 << IEEE80211_RADIOTAP_HE);
 650                 memcpy(pos, &he, sizeof(he));
 651                 pos += sizeof(he);
 652         }
 653 
 654         if (status->encoding == RX_ENC_HE &&
 655             status->flag & RX_FLAG_RADIOTAP_HE_MU) {
 656                 /* ensure 2 byte alignment */
 657                 while ((pos - (u8 *)rthdr) & 1)
 658                         pos++;
 659                 rthdr->it_present |= cpu_to_le32(1 << IEEE80211_RADIOTAP_HE_MU);
 660                 memcpy(pos, &he_mu, sizeof(he_mu));
 661                 pos += sizeof(he_mu);
 662         }
 663 
 664         if (status->flag & RX_FLAG_NO_PSDU) {
 665                 rthdr->it_present |=
 666                         cpu_to_le32(1 << IEEE80211_RADIOTAP_ZERO_LEN_PSDU);
 667                 *pos++ = status->zero_length_psdu_type;
 668         }
 669 
 670         if (status->flag & RX_FLAG_RADIOTAP_LSIG) {
 671                 /* ensure 2 byte alignment */
 672                 while ((pos - (u8 *)rthdr) & 1)
 673                         pos++;
 674                 rthdr->it_present |= cpu_to_le32(1 << IEEE80211_RADIOTAP_LSIG);
 675                 memcpy(pos, &lsig, sizeof(lsig));
 676                 pos += sizeof(lsig);
 677         }
 678 
 679         for_each_set_bit(chain, &chains, IEEE80211_MAX_CHAINS) {
 680                 *pos++ = status->chain_signal[chain];
 681                 *pos++ = chain;
 682         }
 683 
 684         if (status->flag & RX_FLAG_RADIOTAP_VENDOR_DATA) {
 685                 /* ensure 2 byte alignment for the vendor field as required */
 686                 if ((pos - (u8 *)rthdr) & 1)
 687                         *pos++ = 0;
 688                 *pos++ = rtap.oui[0];
 689                 *pos++ = rtap.oui[1];
 690                 *pos++ = rtap.oui[2];
 691                 *pos++ = rtap.subns;
 692                 put_unaligned_le16(rtap.len, pos);
 693                 pos += 2;
 694                 /* align the actual payload as requested */
 695                 while ((pos - (u8 *)rthdr) & (rtap.align - 1))
 696                         *pos++ = 0;
 697                 /* data (and possible padding) already follows */
 698         }
 699 }
 700 
 701 static struct sk_buff *
 702 ieee80211_make_monitor_skb(struct ieee80211_local *local,
 703                            struct sk_buff **origskb,
 704                            struct ieee80211_rate *rate,
 705                            int rtap_space, bool use_origskb)
 706 {
 707         struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(*origskb);
 708         int rt_hdrlen, needed_headroom;
 709         struct sk_buff *skb;
 710 
 711         /* room for the radiotap header based on driver features */
 712         rt_hdrlen = ieee80211_rx_radiotap_hdrlen(local, status, *origskb);
 713         needed_headroom = rt_hdrlen - rtap_space;
 714 
 715         if (use_origskb) {
 716                 /* only need to expand headroom if necessary */
 717                 skb = *origskb;
 718                 *origskb = NULL;
 719 
 720                 /*
 721                  * This shouldn't trigger often because most devices have an
 722                  * RX header they pull before we get here, and that should
 723                  * be big enough for our radiotap information. We should
 724                  * probably export the length to drivers so that we can have
 725                  * them allocate enough headroom to start with.
 726                  */
 727                 if (skb_headroom(skb) < needed_headroom &&
 728                     pskb_expand_head(skb, needed_headroom, 0, GFP_ATOMIC)) {
 729                         dev_kfree_skb(skb);
 730                         return NULL;
 731                 }
 732         } else {
 733                 /*
 734                  * Need to make a copy and possibly remove radiotap header
 735                  * and FCS from the original.
 736                  */
 737                 skb = skb_copy_expand(*origskb, needed_headroom, 0, GFP_ATOMIC);
 738 
 739                 if (!skb)
 740                         return NULL;
 741         }
 742 
 743         /* prepend radiotap information */
 744         ieee80211_add_rx_radiotap_header(local, skb, rate, rt_hdrlen, true);
 745 
 746         skb_reset_mac_header(skb);
 747         skb->ip_summed = CHECKSUM_UNNECESSARY;
 748         skb->pkt_type = PACKET_OTHERHOST;
 749         skb->protocol = htons(ETH_P_802_2);
 750 
 751         return skb;
 752 }
 753 
 754 /*
 755  * This function copies a received frame to all monitor interfaces and
 756  * returns a cleaned-up SKB that no longer includes the FCS nor the
 757  * radiotap header the driver might have added.
 758  */
 759 static struct sk_buff *
 760 ieee80211_rx_monitor(struct ieee80211_local *local, struct sk_buff *origskb,
 761                      struct ieee80211_rate *rate)
 762 {
 763         struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(origskb);
 764         struct ieee80211_sub_if_data *sdata;
 765         struct sk_buff *monskb = NULL;
 766         int present_fcs_len = 0;
 767         unsigned int rtap_space = 0;
 768         struct ieee80211_sub_if_data *monitor_sdata =
 769                 rcu_dereference(local->monitor_sdata);
 770         bool only_monitor = false;
 771         unsigned int min_head_len;
 772 
 773         if (status->flag & RX_FLAG_RADIOTAP_HE)
 774                 rtap_space += sizeof(struct ieee80211_radiotap_he);
 775 
 776         if (status->flag & RX_FLAG_RADIOTAP_HE_MU)
 777                 rtap_space += sizeof(struct ieee80211_radiotap_he_mu);
 778 
 779         if (status->flag & RX_FLAG_RADIOTAP_LSIG)
 780                 rtap_space += sizeof(struct ieee80211_radiotap_lsig);
 781 
 782         if (unlikely(status->flag & RX_FLAG_RADIOTAP_VENDOR_DATA)) {
 783                 struct ieee80211_vendor_radiotap *rtap =
 784                         (void *)(origskb->data + rtap_space);
 785 
 786                 rtap_space += sizeof(*rtap) + rtap->len + rtap->pad;
 787         }
 788 
 789         min_head_len = rtap_space;
 790 
 791         /*
 792          * First, we may need to make a copy of the skb because
 793          *  (1) we need to modify it for radiotap (if not present), and
 794          *  (2) the other RX handlers will modify the skb we got.
 795          *
 796          * We don't need to, of course, if we aren't going to return
 797          * the SKB because it has a bad FCS/PLCP checksum.
 798          */
 799 
 800         if (!(status->flag & RX_FLAG_NO_PSDU)) {
 801                 if (ieee80211_hw_check(&local->hw, RX_INCLUDES_FCS)) {
 802                         if (unlikely(origskb->len <= FCS_LEN + rtap_space)) {
 803                                 /* driver bug */
 804                                 WARN_ON(1);
 805                                 dev_kfree_skb(origskb);
 806                                 return NULL;
 807                         }
 808                         present_fcs_len = FCS_LEN;
 809                 }
 810 
 811                 /* also consider the hdr->frame_control */
 812                 min_head_len += 2;
 813         }
 814 
 815         /* ensure that the expected data elements are in skb head */
 816         if (!pskb_may_pull(origskb, min_head_len)) {
 817                 dev_kfree_skb(origskb);
 818                 return NULL;
 819         }
 820 
 821         only_monitor = should_drop_frame(origskb, present_fcs_len, rtap_space);
 822 
 823         if (!local->monitors || (status->flag & RX_FLAG_SKIP_MONITOR)) {
 824                 if (only_monitor) {
 825                         dev_kfree_skb(origskb);
 826                         return NULL;
 827                 }
 828 
 829                 remove_monitor_info(origskb, present_fcs_len, rtap_space);
 830                 return origskb;
 831         }
 832 
 833         ieee80211_handle_mu_mimo_mon(monitor_sdata, origskb, rtap_space);
 834 
 835         list_for_each_entry_rcu(sdata, &local->mon_list, u.mntr.list) {
 836                 bool last_monitor = list_is_last(&sdata->u.mntr.list,
 837                                                  &local->mon_list);
 838 
 839                 if (!monskb)
 840                         monskb = ieee80211_make_monitor_skb(local, &origskb,
 841                                                             rate, rtap_space,
 842                                                             only_monitor &&
 843                                                             last_monitor);
 844 
 845                 if (monskb) {
 846                         struct sk_buff *skb;
 847 
 848                         if (last_monitor) {
 849                                 skb = monskb;
 850                                 monskb = NULL;
 851                         } else {
 852                                 skb = skb_clone(monskb, GFP_ATOMIC);
 853                         }
 854 
 855                         if (skb) {
 856                                 skb->dev = sdata->dev;
 857                                 ieee80211_rx_stats(skb->dev, skb->len);
 858                                 netif_receive_skb(skb);
 859                         }
 860                 }
 861 
 862                 if (last_monitor)
 863                         break;
 864         }
 865 
 866         /* this happens if last_monitor was erroneously false */
 867         dev_kfree_skb(monskb);
 868 
 869         /* ditto */
 870         if (!origskb)
 871                 return NULL;
 872 
 873         remove_monitor_info(origskb, present_fcs_len, rtap_space);
 874         return origskb;
 875 }
 876 
 877 static void ieee80211_parse_qos(struct ieee80211_rx_data *rx)
 878 {
 879         struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)rx->skb->data;
 880         struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(rx->skb);
 881         int tid, seqno_idx, security_idx;
 882 
 883         /* does the frame have a qos control field? */
 884         if (ieee80211_is_data_qos(hdr->frame_control)) {
 885                 u8 *qc = ieee80211_get_qos_ctl(hdr);
 886                 /* frame has qos control */
 887                 tid = *qc & IEEE80211_QOS_CTL_TID_MASK;
 888                 if (*qc & IEEE80211_QOS_CTL_A_MSDU_PRESENT)
 889                         status->rx_flags |= IEEE80211_RX_AMSDU;
 890 
 891                 seqno_idx = tid;
 892                 security_idx = tid;
 893         } else {
 894                 /*
 895                  * IEEE 802.11-2007, 7.1.3.4.1 ("Sequence Number field"):
 896                  *
 897                  *      Sequence numbers for management frames, QoS data
 898                  *      frames with a broadcast/multicast address in the
 899                  *      Address 1 field, and all non-QoS data frames sent
 900                  *      by QoS STAs are assigned using an additional single
 901                  *      modulo-4096 counter, [...]
 902                  *
 903                  * We also use that counter for non-QoS STAs.
 904                  */
 905                 seqno_idx = IEEE80211_NUM_TIDS;
 906                 security_idx = 0;
 907                 if (ieee80211_is_mgmt(hdr->frame_control))
 908                         security_idx = IEEE80211_NUM_TIDS;
 909                 tid = 0;
 910         }
 911 
 912         rx->seqno_idx = seqno_idx;
 913         rx->security_idx = security_idx;
 914         /* Set skb->priority to 1d tag if highest order bit of TID is not set.
 915          * For now, set skb->priority to 0 for other cases. */
 916         rx->skb->priority = (tid > 7) ? 0 : tid;
 917 }
 918 
 919 /**
 920  * DOC: Packet alignment
 921  *
 922  * Drivers always need to pass packets that are aligned to two-byte boundaries
 923  * to the stack.
 924  *
 925  * Additionally, should, if possible, align the payload data in a way that
 926  * guarantees that the contained IP header is aligned to a four-byte
 927  * boundary. In the case of regular frames, this simply means aligning the
 928  * payload to a four-byte boundary (because either the IP header is directly
 929  * contained, or IV/RFC1042 headers that have a length divisible by four are
 930  * in front of it).  If the payload data is not properly aligned and the
 931  * architecture doesn't support efficient unaligned operations, mac80211
 932  * will align the data.
 933  *
 934  * With A-MSDU frames, however, the payload data address must yield two modulo
 935  * four because there are 14-byte 802.3 headers within the A-MSDU frames that
 936  * push the IP header further back to a multiple of four again. Thankfully, the
 937  * specs were sane enough this time around to require padding each A-MSDU
 938  * subframe to a length that is a multiple of four.
 939  *
 940  * Padding like Atheros hardware adds which is between the 802.11 header and
 941  * the payload is not supported, the driver is required to move the 802.11
 942  * header to be directly in front of the payload in that case.
 943  */
 944 static void ieee80211_verify_alignment(struct ieee80211_rx_data *rx)
 945 {
 946 #ifdef CONFIG_MAC80211_VERBOSE_DEBUG
 947         WARN_ON_ONCE((unsigned long)rx->skb->data & 1);
 948 #endif
 949 }
 950 
 951 
 952 /* rx handlers */
 953 
 954 static int ieee80211_is_unicast_robust_mgmt_frame(struct sk_buff *skb)
 955 {
 956         struct ieee80211_hdr *hdr = (struct ieee80211_hdr *) skb->data;
 957 
 958         if (is_multicast_ether_addr(hdr->addr1))
 959                 return 0;
 960 
 961         return ieee80211_is_robust_mgmt_frame(skb);
 962 }
 963 
 964 
 965 static int ieee80211_is_multicast_robust_mgmt_frame(struct sk_buff *skb)
 966 {
 967         struct ieee80211_hdr *hdr = (struct ieee80211_hdr *) skb->data;
 968 
 969         if (!is_multicast_ether_addr(hdr->addr1))
 970                 return 0;
 971 
 972         return ieee80211_is_robust_mgmt_frame(skb);
 973 }
 974 
 975 
 976 /* Get the BIP key index from MMIE; return -1 if this is not a BIP frame */
 977 static int ieee80211_get_mmie_keyidx(struct sk_buff *skb)
 978 {
 979         struct ieee80211_mgmt *hdr = (struct ieee80211_mgmt *) skb->data;
 980         struct ieee80211_mmie *mmie;
 981         struct ieee80211_mmie_16 *mmie16;
 982 
 983         if (skb->len < 24 + sizeof(*mmie) || !is_multicast_ether_addr(hdr->da))
 984                 return -1;
 985 
 986         if (!ieee80211_is_robust_mgmt_frame(skb))
 987                 return -1; /* not a robust management frame */
 988 
 989         mmie = (struct ieee80211_mmie *)
 990                 (skb->data + skb->len - sizeof(*mmie));
 991         if (mmie->element_id == WLAN_EID_MMIE &&
 992             mmie->length == sizeof(*mmie) - 2)
 993                 return le16_to_cpu(mmie->key_id);
 994 
 995         mmie16 = (struct ieee80211_mmie_16 *)
 996                 (skb->data + skb->len - sizeof(*mmie16));
 997         if (skb->len >= 24 + sizeof(*mmie16) &&
 998             mmie16->element_id == WLAN_EID_MMIE &&
 999             mmie16->length == sizeof(*mmie16) - 2)
1000                 return le16_to_cpu(mmie16->key_id);
1001 
1002         return -1;
1003 }
1004 
1005 static int ieee80211_get_keyid(struct sk_buff *skb,
1006                                const struct ieee80211_cipher_scheme *cs)
1007 {
1008         struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)skb->data;
1009         __le16 fc;
1010         int hdrlen;
1011         int minlen;
1012         u8 key_idx_off;
1013         u8 key_idx_shift;
1014         u8 keyid;
1015 
1016         fc = hdr->frame_control;
1017         hdrlen = ieee80211_hdrlen(fc);
1018 
1019         if (cs) {
1020                 minlen = hdrlen + cs->hdr_len;
1021                 key_idx_off = hdrlen + cs->key_idx_off;
1022                 key_idx_shift = cs->key_idx_shift;
1023         } else {
1024                 /* WEP, TKIP, CCMP and GCMP */
1025                 minlen = hdrlen + IEEE80211_WEP_IV_LEN;
1026                 key_idx_off = hdrlen + 3;
1027                 key_idx_shift = 6;
1028         }
1029 
1030         if (unlikely(skb->len < minlen))
1031                 return -EINVAL;
1032 
1033         skb_copy_bits(skb, key_idx_off, &keyid, 1);
1034 
1035         if (cs)
1036                 keyid &= cs->key_idx_mask;
1037         keyid >>= key_idx_shift;
1038 
1039         /* cs could use more than the usual two bits for the keyid */
1040         if (unlikely(keyid >= NUM_DEFAULT_KEYS))
1041                 return -EINVAL;
1042 
1043         return keyid;
1044 }
1045 
1046 static ieee80211_rx_result ieee80211_rx_mesh_check(struct ieee80211_rx_data *rx)
1047 {
1048         struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)rx->skb->data;
1049         char *dev_addr = rx->sdata->vif.addr;
1050 
1051         if (ieee80211_is_data(hdr->frame_control)) {
1052                 if (is_multicast_ether_addr(hdr->addr1)) {
1053                         if (ieee80211_has_tods(hdr->frame_control) ||
1054                             !ieee80211_has_fromds(hdr->frame_control))
1055                                 return RX_DROP_MONITOR;
1056                         if (ether_addr_equal(hdr->addr3, dev_addr))
1057                                 return RX_DROP_MONITOR;
1058                 } else {
1059                         if (!ieee80211_has_a4(hdr->frame_control))
1060                                 return RX_DROP_MONITOR;
1061                         if (ether_addr_equal(hdr->addr4, dev_addr))
1062                                 return RX_DROP_MONITOR;
1063                 }
1064         }
1065 
1066         /* If there is not an established peer link and this is not a peer link
1067          * establisment frame, beacon or probe, drop the frame.
1068          */
1069 
1070         if (!rx->sta || sta_plink_state(rx->sta) != NL80211_PLINK_ESTAB) {
1071                 struct ieee80211_mgmt *mgmt;
1072 
1073                 if (!ieee80211_is_mgmt(hdr->frame_control))
1074                         return RX_DROP_MONITOR;
1075 
1076                 if (ieee80211_is_action(hdr->frame_control)) {
1077                         u8 category;
1078 
1079                         /* make sure category field is present */
1080                         if (rx->skb->len < IEEE80211_MIN_ACTION_SIZE)
1081                                 return RX_DROP_MONITOR;
1082 
1083                         mgmt = (struct ieee80211_mgmt *)hdr;
1084                         category = mgmt->u.action.category;
1085                         if (category != WLAN_CATEGORY_MESH_ACTION &&
1086                             category != WLAN_CATEGORY_SELF_PROTECTED)
1087                                 return RX_DROP_MONITOR;
1088                         return RX_CONTINUE;
1089                 }
1090 
1091                 if (ieee80211_is_probe_req(hdr->frame_control) ||
1092                     ieee80211_is_probe_resp(hdr->frame_control) ||
1093                     ieee80211_is_beacon(hdr->frame_control) ||
1094                     ieee80211_is_auth(hdr->frame_control))
1095                         return RX_CONTINUE;
1096 
1097                 return RX_DROP_MONITOR;
1098         }
1099 
1100         return RX_CONTINUE;
1101 }
1102 
1103 static inline bool ieee80211_rx_reorder_ready(struct tid_ampdu_rx *tid_agg_rx,
1104                                               int index)
1105 {
1106         struct sk_buff_head *frames = &tid_agg_rx->reorder_buf[index];
1107         struct sk_buff *tail = skb_peek_tail(frames);
1108         struct ieee80211_rx_status *status;
1109 
1110         if (tid_agg_rx->reorder_buf_filtered & BIT_ULL(index))
1111                 return true;
1112 
1113         if (!tail)
1114                 return false;
1115 
1116         status = IEEE80211_SKB_RXCB(tail);
1117         if (status->flag & RX_FLAG_AMSDU_MORE)
1118                 return false;
1119 
1120         return true;
1121 }
1122 
1123 static void ieee80211_release_reorder_frame(struct ieee80211_sub_if_data *sdata,
1124                                             struct tid_ampdu_rx *tid_agg_rx,
1125                                             int index,
1126                                             struct sk_buff_head *frames)
1127 {
1128         struct sk_buff_head *skb_list = &tid_agg_rx->reorder_buf[index];
1129         struct sk_buff *skb;
1130         struct ieee80211_rx_status *status;
1131 
1132         lockdep_assert_held(&tid_agg_rx->reorder_lock);
1133 
1134         if (skb_queue_empty(skb_list))
1135                 goto no_frame;
1136 
1137         if (!ieee80211_rx_reorder_ready(tid_agg_rx, index)) {
1138                 __skb_queue_purge(skb_list);
1139                 goto no_frame;
1140         }
1141 
1142         /* release frames from the reorder ring buffer */
1143         tid_agg_rx->stored_mpdu_num--;
1144         while ((skb = __skb_dequeue(skb_list))) {
1145                 status = IEEE80211_SKB_RXCB(skb);
1146                 status->rx_flags |= IEEE80211_RX_DEFERRED_RELEASE;
1147                 __skb_queue_tail(frames, skb);
1148         }
1149 
1150 no_frame:
1151         tid_agg_rx->reorder_buf_filtered &= ~BIT_ULL(index);
1152         tid_agg_rx->head_seq_num = ieee80211_sn_inc(tid_agg_rx->head_seq_num);
1153 }
1154 
1155 static void ieee80211_release_reorder_frames(struct ieee80211_sub_if_data *sdata,
1156                                              struct tid_ampdu_rx *tid_agg_rx,
1157                                              u16 head_seq_num,
1158                                              struct sk_buff_head *frames)
1159 {
1160         int index;
1161 
1162         lockdep_assert_held(&tid_agg_rx->reorder_lock);
1163 
1164         while (ieee80211_sn_less(tid_agg_rx->head_seq_num, head_seq_num)) {
1165                 index = tid_agg_rx->head_seq_num % tid_agg_rx->buf_size;
1166                 ieee80211_release_reorder_frame(sdata, tid_agg_rx, index,
1167                                                 frames);
1168         }
1169 }
1170 
1171 /*
1172  * Timeout (in jiffies) for skb's that are waiting in the RX reorder buffer. If
1173  * the skb was added to the buffer longer than this time ago, the earlier
1174  * frames that have not yet been received are assumed to be lost and the skb
1175  * can be released for processing. This may also release other skb's from the
1176  * reorder buffer if there are no additional gaps between the frames.
1177  *
1178  * Callers must hold tid_agg_rx->reorder_lock.
1179  */
1180 #define HT_RX_REORDER_BUF_TIMEOUT (HZ / 10)
1181 
1182 static void ieee80211_sta_reorder_release(struct ieee80211_sub_if_data *sdata,
1183                                           struct tid_ampdu_rx *tid_agg_rx,
1184                                           struct sk_buff_head *frames)
1185 {
1186         int index, i, j;
1187 
1188         lockdep_assert_held(&tid_agg_rx->reorder_lock);
1189 
1190         /* release the buffer until next missing frame */
1191         index = tid_agg_rx->head_seq_num % tid_agg_rx->buf_size;
1192         if (!ieee80211_rx_reorder_ready(tid_agg_rx, index) &&
1193             tid_agg_rx->stored_mpdu_num) {
1194                 /*
1195                  * No buffers ready to be released, but check whether any
1196                  * frames in the reorder buffer have timed out.
1197                  */
1198                 int skipped = 1;
1199                 for (j = (index + 1) % tid_agg_rx->buf_size; j != index;
1200                      j = (j + 1) % tid_agg_rx->buf_size) {
1201                         if (!ieee80211_rx_reorder_ready(tid_agg_rx, j)) {
1202                                 skipped++;
1203                                 continue;
1204                         }
1205                         if (skipped &&
1206                             !time_after(jiffies, tid_agg_rx->reorder_time[j] +
1207                                         HT_RX_REORDER_BUF_TIMEOUT))
1208                                 goto set_release_timer;
1209 
1210                         /* don't leave incomplete A-MSDUs around */
1211                         for (i = (index + 1) % tid_agg_rx->buf_size; i != j;
1212                              i = (i + 1) % tid_agg_rx->buf_size)
1213                                 __skb_queue_purge(&tid_agg_rx->reorder_buf[i]);
1214 
1215                         ht_dbg_ratelimited(sdata,
1216                                            "release an RX reorder frame due to timeout on earlier frames\n");
1217                         ieee80211_release_reorder_frame(sdata, tid_agg_rx, j,
1218                                                         frames);
1219 
1220                         /*
1221                          * Increment the head seq# also for the skipped slots.
1222                          */
1223                         tid_agg_rx->head_seq_num =
1224                                 (tid_agg_rx->head_seq_num +
1225                                  skipped) & IEEE80211_SN_MASK;
1226                         skipped = 0;
1227                 }
1228         } else while (ieee80211_rx_reorder_ready(tid_agg_rx, index)) {
1229                 ieee80211_release_reorder_frame(sdata, tid_agg_rx, index,
1230                                                 frames);
1231                 index = tid_agg_rx->head_seq_num % tid_agg_rx->buf_size;
1232         }
1233 
1234         if (tid_agg_rx->stored_mpdu_num) {
1235                 j = index = tid_agg_rx->head_seq_num % tid_agg_rx->buf_size;
1236 
1237                 for (; j != (index - 1) % tid_agg_rx->buf_size;
1238                      j = (j + 1) % tid_agg_rx->buf_size) {
1239                         if (ieee80211_rx_reorder_ready(tid_agg_rx, j))
1240                                 break;
1241                 }
1242 
1243  set_release_timer:
1244 
1245                 if (!tid_agg_rx->removed)
1246                         mod_timer(&tid_agg_rx->reorder_timer,
1247                                   tid_agg_rx->reorder_time[j] + 1 +
1248                                   HT_RX_REORDER_BUF_TIMEOUT);
1249         } else {
1250                 del_timer(&tid_agg_rx->reorder_timer);
1251         }
1252 }
1253 
1254 /*
1255  * As this function belongs to the RX path it must be under
1256  * rcu_read_lock protection. It returns false if the frame
1257  * can be processed immediately, true if it was consumed.
1258  */
1259 static bool ieee80211_sta_manage_reorder_buf(struct ieee80211_sub_if_data *sdata,
1260                                              struct tid_ampdu_rx *tid_agg_rx,
1261                                              struct sk_buff *skb,
1262                                              struct sk_buff_head *frames)
1263 {
1264         struct ieee80211_hdr *hdr = (struct ieee80211_hdr *) skb->data;
1265         struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb);
1266         u16 sc = le16_to_cpu(hdr->seq_ctrl);
1267         u16 mpdu_seq_num = (sc & IEEE80211_SCTL_SEQ) >> 4;
1268         u16 head_seq_num, buf_size;
1269         int index;
1270         bool ret = true;
1271 
1272         spin_lock(&tid_agg_rx->reorder_lock);
1273 
1274         /*
1275          * Offloaded BA sessions have no known starting sequence number so pick
1276          * one from first Rxed frame for this tid after BA was started.
1277          */
1278         if (unlikely(tid_agg_rx->auto_seq)) {
1279                 tid_agg_rx->auto_seq = false;
1280                 tid_agg_rx->ssn = mpdu_seq_num;
1281                 tid_agg_rx->head_seq_num = mpdu_seq_num;
1282         }
1283 
1284         buf_size = tid_agg_rx->buf_size;
1285         head_seq_num = tid_agg_rx->head_seq_num;
1286 
1287         /*
1288          * If the current MPDU's SN is smaller than the SSN, it shouldn't
1289          * be reordered.
1290          */
1291         if (unlikely(!tid_agg_rx->started)) {
1292                 if (ieee80211_sn_less(mpdu_seq_num, head_seq_num)) {
1293                         ret = false;
1294                         goto out;
1295                 }
1296                 tid_agg_rx->started = true;
1297         }
1298 
1299         /* frame with out of date sequence number */
1300         if (ieee80211_sn_less(mpdu_seq_num, head_seq_num)) {
1301                 dev_kfree_skb(skb);
1302                 goto out;
1303         }
1304 
1305         /*
1306          * If frame the sequence number exceeds our buffering window
1307          * size release some previous frames to make room for this one.
1308          */
1309         if (!ieee80211_sn_less(mpdu_seq_num, head_seq_num + buf_size)) {
1310                 head_seq_num = ieee80211_sn_inc(
1311                                 ieee80211_sn_sub(mpdu_seq_num, buf_size));
1312                 /* release stored frames up to new head to stack */
1313                 ieee80211_release_reorder_frames(sdata, tid_agg_rx,
1314                                                  head_seq_num, frames);
1315         }
1316 
1317         /* Now the new frame is always in the range of the reordering buffer */
1318 
1319         index = mpdu_seq_num % tid_agg_rx->buf_size;
1320 
1321         /* check if we already stored this frame */
1322         if (ieee80211_rx_reorder_ready(tid_agg_rx, index)) {
1323                 dev_kfree_skb(skb);
1324                 goto out;
1325         }
1326 
1327         /*
1328          * If the current MPDU is in the right order and nothing else
1329          * is stored we can process it directly, no need to buffer it.
1330          * If it is first but there's something stored, we may be able
1331          * to release frames after this one.
1332          */
1333         if (mpdu_seq_num == tid_agg_rx->head_seq_num &&
1334             tid_agg_rx->stored_mpdu_num == 0) {
1335                 if (!(status->flag & RX_FLAG_AMSDU_MORE))
1336                         tid_agg_rx->head_seq_num =
1337                                 ieee80211_sn_inc(tid_agg_rx->head_seq_num);
1338                 ret = false;
1339                 goto out;
1340         }
1341 
1342         /* put the frame in the reordering buffer */
1343         __skb_queue_tail(&tid_agg_rx->reorder_buf[index], skb);
1344         if (!(status->flag & RX_FLAG_AMSDU_MORE)) {
1345                 tid_agg_rx->reorder_time[index] = jiffies;
1346                 tid_agg_rx->stored_mpdu_num++;
1347                 ieee80211_sta_reorder_release(sdata, tid_agg_rx, frames);
1348         }
1349 
1350  out:
1351         spin_unlock(&tid_agg_rx->reorder_lock);
1352         return ret;
1353 }
1354 
1355 /*
1356  * Reorder MPDUs from A-MPDUs, keeping them on a buffer. Returns
1357  * true if the MPDU was buffered, false if it should be processed.
1358  */
1359 static void ieee80211_rx_reorder_ampdu(struct ieee80211_rx_data *rx,
1360                                        struct sk_buff_head *frames)
1361 {
1362         struct sk_buff *skb = rx->skb;
1363         struct ieee80211_local *local = rx->local;
1364         struct ieee80211_hdr *hdr = (struct ieee80211_hdr *) skb->data;
1365         struct sta_info *sta = rx->sta;
1366         struct tid_ampdu_rx *tid_agg_rx;
1367         u16 sc;
1368         u8 tid, ack_policy;
1369 
1370         if (!ieee80211_is_data_qos(hdr->frame_control) ||
1371             is_multicast_ether_addr(hdr->addr1))
1372                 goto dont_reorder;
1373 
1374         /*
1375          * filter the QoS data rx stream according to
1376          * STA/TID and check if this STA/TID is on aggregation
1377          */
1378 
1379         if (!sta)
1380                 goto dont_reorder;
1381 
1382         ack_policy = *ieee80211_get_qos_ctl(hdr) &
1383                      IEEE80211_QOS_CTL_ACK_POLICY_MASK;
1384         tid = ieee80211_get_tid(hdr);
1385 
1386         tid_agg_rx = rcu_dereference(sta->ampdu_mlme.tid_rx[tid]);
1387         if (!tid_agg_rx) {
1388                 if (ack_policy == IEEE80211_QOS_CTL_ACK_POLICY_BLOCKACK &&
1389                     !test_bit(tid, rx->sta->ampdu_mlme.agg_session_valid) &&
1390                     !test_and_set_bit(tid, rx->sta->ampdu_mlme.unexpected_agg))
1391                         ieee80211_send_delba(rx->sdata, rx->sta->sta.addr, tid,
1392                                              WLAN_BACK_RECIPIENT,
1393                                              WLAN_REASON_QSTA_REQUIRE_SETUP);
1394                 goto dont_reorder;
1395         }
1396 
1397         /* qos null data frames are excluded */
1398         if (unlikely(hdr->frame_control & cpu_to_le16(IEEE80211_STYPE_NULLFUNC)))
1399                 goto dont_reorder;
1400 
1401         /* not part of a BA session */
1402         if (ack_policy != IEEE80211_QOS_CTL_ACK_POLICY_BLOCKACK &&
1403             ack_policy != IEEE80211_QOS_CTL_ACK_POLICY_NORMAL)
1404                 goto dont_reorder;
1405 
1406         /* new, potentially un-ordered, ampdu frame - process it */
1407 
1408         /* reset session timer */
1409         if (tid_agg_rx->timeout)
1410                 tid_agg_rx->last_rx = jiffies;
1411 
1412         /* if this mpdu is fragmented - terminate rx aggregation session */
1413         sc = le16_to_cpu(hdr->seq_ctrl);
1414         if (sc & IEEE80211_SCTL_FRAG) {
1415                 skb_queue_tail(&rx->sdata->skb_queue, skb);
1416                 ieee80211_queue_work(&local->hw, &rx->sdata->work);
1417                 return;
1418         }
1419 
1420         /*
1421          * No locking needed -- we will only ever process one
1422          * RX packet at a time, and thus own tid_agg_rx. All
1423          * other code manipulating it needs to (and does) make
1424          * sure that we cannot get to it any more before doing
1425          * anything with it.
1426          */
1427         if (ieee80211_sta_manage_reorder_buf(rx->sdata, tid_agg_rx, skb,
1428                                              frames))
1429                 return;
1430 
1431  dont_reorder:
1432         __skb_queue_tail(frames, skb);
1433 }
1434 
1435 static ieee80211_rx_result debug_noinline
1436 ieee80211_rx_h_check_dup(struct ieee80211_rx_data *rx)
1437 {
1438         struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)rx->skb->data;
1439         struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(rx->skb);
1440 
1441         if (status->flag & RX_FLAG_DUP_VALIDATED)
1442                 return RX_CONTINUE;
1443 
1444         /*
1445          * Drop duplicate 802.11 retransmissions
1446          * (IEEE 802.11-2012: 9.3.2.10 "Duplicate detection and recovery")
1447          */
1448 
1449         if (rx->skb->len < 24)
1450                 return RX_CONTINUE;
1451 
1452         if (ieee80211_is_ctl(hdr->frame_control) ||
1453             ieee80211_is_any_nullfunc(hdr->frame_control) ||
1454             is_multicast_ether_addr(hdr->addr1))
1455                 return RX_CONTINUE;
1456 
1457         if (!rx->sta)
1458                 return RX_CONTINUE;
1459 
1460         if (unlikely(ieee80211_has_retry(hdr->frame_control) &&
1461                      rx->sta->last_seq_ctrl[rx->seqno_idx] == hdr->seq_ctrl)) {
1462                 I802_DEBUG_INC(rx->local->dot11FrameDuplicateCount);
1463                 rx->sta->rx_stats.num_duplicates++;
1464                 return RX_DROP_UNUSABLE;
1465         } else if (!(status->flag & RX_FLAG_AMSDU_MORE)) {
1466                 rx->sta->last_seq_ctrl[rx->seqno_idx] = hdr->seq_ctrl;
1467         }
1468 
1469         return RX_CONTINUE;
1470 }
1471 
1472 static ieee80211_rx_result debug_noinline
1473 ieee80211_rx_h_check(struct ieee80211_rx_data *rx)
1474 {
1475         struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)rx->skb->data;
1476 
1477         /* Drop disallowed frame classes based on STA auth/assoc state;
1478          * IEEE 802.11, Chap 5.5.
1479          *
1480          * mac80211 filters only based on association state, i.e. it drops
1481          * Class 3 frames from not associated stations. hostapd sends
1482          * deauth/disassoc frames when needed. In addition, hostapd is
1483          * responsible for filtering on both auth and assoc states.
1484          */
1485 
1486         if (ieee80211_vif_is_mesh(&rx->sdata->vif))
1487                 return ieee80211_rx_mesh_check(rx);
1488 
1489         if (unlikely((ieee80211_is_data(hdr->frame_control) ||
1490                       ieee80211_is_pspoll(hdr->frame_control)) &&
1491                      rx->sdata->vif.type != NL80211_IFTYPE_ADHOC &&
1492                      rx->sdata->vif.type != NL80211_IFTYPE_WDS &&
1493                      rx->sdata->vif.type != NL80211_IFTYPE_OCB &&
1494                      (!rx->sta || !test_sta_flag(rx->sta, WLAN_STA_ASSOC)))) {
1495                 /*
1496                  * accept port control frames from the AP even when it's not
1497                  * yet marked ASSOC to prevent a race where we don't set the
1498                  * assoc bit quickly enough before it sends the first frame
1499                  */
1500                 if (rx->sta && rx->sdata->vif.type == NL80211_IFTYPE_STATION &&
1501                     ieee80211_is_data_present(hdr->frame_control)) {
1502                         unsigned int hdrlen;
1503                         __be16 ethertype;
1504 
1505                         hdrlen = ieee80211_hdrlen(hdr->frame_control);
1506 
1507                         if (rx->skb->len < hdrlen + 8)
1508                                 return RX_DROP_MONITOR;
1509 
1510                         skb_copy_bits(rx->skb, hdrlen + 6, &ethertype, 2);
1511                         if (ethertype == rx->sdata->control_port_protocol)
1512                                 return RX_CONTINUE;
1513                 }
1514 
1515                 if (rx->sdata->vif.type == NL80211_IFTYPE_AP &&
1516                     cfg80211_rx_spurious_frame(rx->sdata->dev,
1517                                                hdr->addr2,
1518                                                GFP_ATOMIC))
1519                         return RX_DROP_UNUSABLE;
1520 
1521                 return RX_DROP_MONITOR;
1522         }
1523 
1524         return RX_CONTINUE;
1525 }
1526 
1527 
1528 static ieee80211_rx_result debug_noinline
1529 ieee80211_rx_h_check_more_data(struct ieee80211_rx_data *rx)
1530 {
1531         struct ieee80211_local *local;
1532         struct ieee80211_hdr *hdr;
1533         struct sk_buff *skb;
1534 
1535         local = rx->local;
1536         skb = rx->skb;
1537         hdr = (struct ieee80211_hdr *) skb->data;
1538 
1539         if (!local->pspolling)
1540                 return RX_CONTINUE;
1541 
1542         if (!ieee80211_has_fromds(hdr->frame_control))
1543                 /* this is not from AP */
1544                 return RX_CONTINUE;
1545 
1546         if (!ieee80211_is_data(hdr->frame_control))
1547                 return RX_CONTINUE;
1548 
1549         if (!ieee80211_has_moredata(hdr->frame_control)) {
1550                 /* AP has no more frames buffered for us */
1551                 local->pspolling = false;
1552                 return RX_CONTINUE;
1553         }
1554 
1555         /* more data bit is set, let's request a new frame from the AP */
1556         ieee80211_send_pspoll(local, rx->sdata);
1557 
1558         return RX_CONTINUE;
1559 }
1560 
1561 static void sta_ps_start(struct sta_info *sta)
1562 {
1563         struct ieee80211_sub_if_data *sdata = sta->sdata;
1564         struct ieee80211_local *local = sdata->local;
1565         struct ps_data *ps;
1566         int tid;
1567 
1568         if (sta->sdata->vif.type == NL80211_IFTYPE_AP ||
1569             sta->sdata->vif.type == NL80211_IFTYPE_AP_VLAN)
1570                 ps = &sdata->bss->ps;
1571         else
1572                 return;
1573 
1574         atomic_inc(&ps->num_sta_ps);
1575         set_sta_flag(sta, WLAN_STA_PS_STA);
1576         if (!ieee80211_hw_check(&local->hw, AP_LINK_PS))
1577                 drv_sta_notify(local, sdata, STA_NOTIFY_SLEEP, &sta->sta);
1578         ps_dbg(sdata, "STA %pM aid %d enters power save mode\n",
1579                sta->sta.addr, sta->sta.aid);
1580 
1581         ieee80211_clear_fast_xmit(sta);
1582 
1583         if (!sta->sta.txq[0])
1584                 return;
1585 
1586         for (tid = 0; tid < IEEE80211_NUM_TIDS; tid++) {
1587                 struct ieee80211_txq *txq = sta->sta.txq[tid];
1588                 struct txq_info *txqi = to_txq_info(txq);
1589 
1590                 spin_lock(&local->active_txq_lock[txq->ac]);
1591                 if (!list_empty(&txqi->schedule_order))
1592                         list_del_init(&txqi->schedule_order);
1593                 spin_unlock(&local->active_txq_lock[txq->ac]);
1594 
1595                 if (txq_has_queue(txq))
1596                         set_bit(tid, &sta->txq_buffered_tids);
1597                 else
1598                         clear_bit(tid, &sta->txq_buffered_tids);
1599         }
1600 }
1601 
1602 static void sta_ps_end(struct sta_info *sta)
1603 {
1604         ps_dbg(sta->sdata, "STA %pM aid %d exits power save mode\n",
1605                sta->sta.addr, sta->sta.aid);
1606 
1607         if (test_sta_flag(sta, WLAN_STA_PS_DRIVER)) {
1608                 /*
1609                  * Clear the flag only if the other one is still set
1610                  * so that the TX path won't start TX'ing new frames
1611                  * directly ... In the case that the driver flag isn't
1612                  * set ieee80211_sta_ps_deliver_wakeup() will clear it.
1613                  */
1614                 clear_sta_flag(sta, WLAN_STA_PS_STA);
1615                 ps_dbg(sta->sdata, "STA %pM aid %d driver-ps-blocked\n",
1616                        sta->sta.addr, sta->sta.aid);
1617                 return;
1618         }
1619 
1620         set_sta_flag(sta, WLAN_STA_PS_DELIVER);
1621         clear_sta_flag(sta, WLAN_STA_PS_STA);
1622         ieee80211_sta_ps_deliver_wakeup(sta);
1623 }
1624 
1625 int ieee80211_sta_ps_transition(struct ieee80211_sta *pubsta, bool start)
1626 {
1627         struct sta_info *sta = container_of(pubsta, struct sta_info, sta);
1628         bool in_ps;
1629 
1630         WARN_ON(!ieee80211_hw_check(&sta->local->hw, AP_LINK_PS));
1631 
1632         /* Don't let the same PS state be set twice */
1633         in_ps = test_sta_flag(sta, WLAN_STA_PS_STA);
1634         if ((start && in_ps) || (!start && !in_ps))
1635                 return -EINVAL;
1636 
1637         if (start)
1638                 sta_ps_start(sta);
1639         else
1640                 sta_ps_end(sta);
1641 
1642         return 0;
1643 }
1644 EXPORT_SYMBOL(ieee80211_sta_ps_transition);
1645 
1646 void ieee80211_sta_pspoll(struct ieee80211_sta *pubsta)
1647 {
1648         struct sta_info *sta = container_of(pubsta, struct sta_info, sta);
1649 
1650         if (test_sta_flag(sta, WLAN_STA_SP))
1651                 return;
1652 
1653         if (!test_sta_flag(sta, WLAN_STA_PS_DRIVER))
1654                 ieee80211_sta_ps_deliver_poll_response(sta);
1655         else
1656                 set_sta_flag(sta, WLAN_STA_PSPOLL);
1657 }
1658 EXPORT_SYMBOL(ieee80211_sta_pspoll);
1659 
1660 void ieee80211_sta_uapsd_trigger(struct ieee80211_sta *pubsta, u8 tid)
1661 {
1662         struct sta_info *sta = container_of(pubsta, struct sta_info, sta);
1663         int ac = ieee80211_ac_from_tid(tid);
1664 
1665         /*
1666          * If this AC is not trigger-enabled do nothing unless the
1667          * driver is calling us after it already checked.
1668          *
1669          * NB: This could/should check a separate bitmap of trigger-
1670          * enabled queues, but for now we only implement uAPSD w/o
1671          * TSPEC changes to the ACs, so they're always the same.
1672          */
1673         if (!(sta->sta.uapsd_queues & ieee80211_ac_to_qos_mask[ac]) &&
1674             tid != IEEE80211_NUM_TIDS)
1675                 return;
1676 
1677         /* if we are in a service period, do nothing */
1678         if (test_sta_flag(sta, WLAN_STA_SP))
1679                 return;
1680 
1681         if (!test_sta_flag(sta, WLAN_STA_PS_DRIVER))
1682                 ieee80211_sta_ps_deliver_uapsd(sta);
1683         else
1684                 set_sta_flag(sta, WLAN_STA_UAPSD);
1685 }
1686 EXPORT_SYMBOL(ieee80211_sta_uapsd_trigger);
1687 
1688 static ieee80211_rx_result debug_noinline
1689 ieee80211_rx_h_uapsd_and_pspoll(struct ieee80211_rx_data *rx)
1690 {
1691         struct ieee80211_sub_if_data *sdata = rx->sdata;
1692         struct ieee80211_hdr *hdr = (void *)rx->skb->data;
1693         struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(rx->skb);
1694 
1695         if (!rx->sta)
1696                 return RX_CONTINUE;
1697 
1698         if (sdata->vif.type != NL80211_IFTYPE_AP &&
1699             sdata->vif.type != NL80211_IFTYPE_AP_VLAN)
1700                 return RX_CONTINUE;
1701 
1702         /*
1703          * The device handles station powersave, so don't do anything about
1704          * uAPSD and PS-Poll frames (the latter shouldn't even come up from
1705          * it to mac80211 since they're handled.)
1706          */
1707         if (ieee80211_hw_check(&sdata->local->hw, AP_LINK_PS))
1708                 return RX_CONTINUE;
1709 
1710         /*
1711          * Don't do anything if the station isn't already asleep. In
1712          * the uAPSD case, the station will probably be marked asleep,
1713          * in the PS-Poll case the station must be confused ...
1714          */
1715         if (!test_sta_flag(rx->sta, WLAN_STA_PS_STA))
1716                 return RX_CONTINUE;
1717 
1718         if (unlikely(ieee80211_is_pspoll(hdr->frame_control))) {
1719                 ieee80211_sta_pspoll(&rx->sta->sta);
1720 
1721                 /* Free PS Poll skb here instead of returning RX_DROP that would
1722                  * count as an dropped frame. */
1723                 dev_kfree_skb(rx->skb);
1724 
1725                 return RX_QUEUED;
1726         } else if (!ieee80211_has_morefrags(hdr->frame_control) &&
1727                    !(status->rx_flags & IEEE80211_RX_DEFERRED_RELEASE) &&
1728                    ieee80211_has_pm(hdr->frame_control) &&
1729                    (ieee80211_is_data_qos(hdr->frame_control) ||
1730                     ieee80211_is_qos_nullfunc(hdr->frame_control))) {
1731                 u8 tid = ieee80211_get_tid(hdr);
1732 
1733                 ieee80211_sta_uapsd_trigger(&rx->sta->sta, tid);
1734         }
1735 
1736         return RX_CONTINUE;
1737 }
1738 
1739 static ieee80211_rx_result debug_noinline
1740 ieee80211_rx_h_sta_process(struct ieee80211_rx_data *rx)
1741 {
1742         struct sta_info *sta = rx->sta;
1743         struct sk_buff *skb = rx->skb;
1744         struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb);
1745         struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)skb->data;
1746         int i;
1747 
1748         if (!sta)
1749                 return RX_CONTINUE;
1750 
1751         /*
1752          * Update last_rx only for IBSS packets which are for the current
1753          * BSSID and for station already AUTHORIZED to avoid keeping the
1754          * current IBSS network alive in cases where other STAs start
1755          * using different BSSID. This will also give the station another
1756          * chance to restart the authentication/authorization in case
1757          * something went wrong the first time.
1758          */
1759         if (rx->sdata->vif.type == NL80211_IFTYPE_ADHOC) {
1760                 u8 *bssid = ieee80211_get_bssid(hdr, rx->skb->len,
1761                                                 NL80211_IFTYPE_ADHOC);
1762                 if (ether_addr_equal(bssid, rx->sdata->u.ibss.bssid) &&
1763                     test_sta_flag(sta, WLAN_STA_AUTHORIZED)) {
1764                         sta->rx_stats.last_rx = jiffies;
1765                         if (ieee80211_is_data(hdr->frame_control) &&
1766                             !is_multicast_ether_addr(hdr->addr1))
1767                                 sta->rx_stats.last_rate =
1768                                         sta_stats_encode_rate(status);
1769                 }
1770         } else if (rx->sdata->vif.type == NL80211_IFTYPE_OCB) {
1771                 sta->rx_stats.last_rx = jiffies;
1772         } else if (!is_multicast_ether_addr(hdr->addr1)) {
1773                 /*
1774                  * Mesh beacons will update last_rx when if they are found to
1775                  * match the current local configuration when processed.
1776                  */
1777                 sta->rx_stats.last_rx = jiffies;
1778                 if (ieee80211_is_data(hdr->frame_control))
1779                         sta->rx_stats.last_rate = sta_stats_encode_rate(status);
1780         }
1781 
1782         if (rx->sdata->vif.type == NL80211_IFTYPE_STATION)
1783                 ieee80211_sta_rx_notify(rx->sdata, hdr);
1784 
1785         sta->rx_stats.fragments++;
1786 
1787         u64_stats_update_begin(&rx->sta->rx_stats.syncp);
1788         sta->rx_stats.bytes += rx->skb->len;
1789         u64_stats_update_end(&rx->sta->rx_stats.syncp);
1790 
1791         if (!(status->flag & RX_FLAG_NO_SIGNAL_VAL)) {
1792                 sta->rx_stats.last_signal = status->signal;
1793                 ewma_signal_add(&sta->rx_stats_avg.signal, -status->signal);
1794         }
1795 
1796         if (status->chains) {
1797                 sta->rx_stats.chains = status->chains;
1798                 for (i = 0; i < ARRAY_SIZE(status->chain_signal); i++) {
1799                         int signal = status->chain_signal[i];
1800 
1801                         if (!(status->chains & BIT(i)))
1802                                 continue;
1803 
1804                         sta->rx_stats.chain_signal_last[i] = signal;
1805                         ewma_signal_add(&sta->rx_stats_avg.chain_signal[i],
1806                                         -signal);
1807                 }
1808         }
1809 
1810         /*
1811          * Change STA power saving mode only at the end of a frame
1812          * exchange sequence, and only for a data or management
1813          * frame as specified in IEEE 802.11-2016 11.2.3.2
1814          */
1815         if (!ieee80211_hw_check(&sta->local->hw, AP_LINK_PS) &&
1816             !ieee80211_has_morefrags(hdr->frame_control) &&
1817             !is_multicast_ether_addr(hdr->addr1) &&
1818             (ieee80211_is_mgmt(hdr->frame_control) ||
1819              ieee80211_is_data(hdr->frame_control)) &&
1820             !(status->rx_flags & IEEE80211_RX_DEFERRED_RELEASE) &&
1821             (rx->sdata->vif.type == NL80211_IFTYPE_AP ||
1822              rx->sdata->vif.type == NL80211_IFTYPE_AP_VLAN)) {
1823                 if (test_sta_flag(sta, WLAN_STA_PS_STA)) {
1824                         if (!ieee80211_has_pm(hdr->frame_control))
1825                                 sta_ps_end(sta);
1826                 } else {
1827                         if (ieee80211_has_pm(hdr->frame_control))
1828                                 sta_ps_start(sta);
1829                 }
1830         }
1831 
1832         /* mesh power save support */
1833         if (ieee80211_vif_is_mesh(&rx->sdata->vif))
1834                 ieee80211_mps_rx_h_sta_process(sta, hdr);
1835 
1836         /*
1837          * Drop (qos-)data::nullfunc frames silently, since they
1838          * are used only to control station power saving mode.
1839          */
1840         if (ieee80211_is_any_nullfunc(hdr->frame_control)) {
1841                 I802_DEBUG_INC(rx->local->rx_handlers_drop_nullfunc);
1842 
1843                 /*
1844                  * If we receive a 4-addr nullfunc frame from a STA
1845                  * that was not moved to a 4-addr STA vlan yet send
1846                  * the event to userspace and for older hostapd drop
1847                  * the frame to the monitor interface.
1848                  */
1849                 if (ieee80211_has_a4(hdr->frame_control) &&
1850                     (rx->sdata->vif.type == NL80211_IFTYPE_AP ||
1851                      (rx->sdata->vif.type == NL80211_IFTYPE_AP_VLAN &&
1852                       !rx->sdata->u.vlan.sta))) {
1853                         if (!test_and_set_sta_flag(sta, WLAN_STA_4ADDR_EVENT))
1854                                 cfg80211_rx_unexpected_4addr_frame(
1855                                         rx->sdata->dev, sta->sta.addr,
1856                                         GFP_ATOMIC);
1857                         return RX_DROP_MONITOR;
1858                 }
1859                 /*
1860                  * Update counter and free packet here to avoid
1861                  * counting this as a dropped packed.
1862                  */
1863                 sta->rx_stats.packets++;
1864                 dev_kfree_skb(rx->skb);
1865                 return RX_QUEUED;
1866         }
1867 
1868         return RX_CONTINUE;
1869 } /* ieee80211_rx_h_sta_process */
1870 
1871 static ieee80211_rx_result debug_noinline
1872 ieee80211_rx_h_decrypt(struct ieee80211_rx_data *rx)
1873 {
1874         struct sk_buff *skb = rx->skb;
1875         struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb);
1876         struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)skb->data;
1877         int keyidx;
1878         ieee80211_rx_result result = RX_DROP_UNUSABLE;
1879         struct ieee80211_key *sta_ptk = NULL;
1880         struct ieee80211_key *ptk_idx = NULL;
1881         int mmie_keyidx = -1;
1882         __le16 fc;
1883         const struct ieee80211_cipher_scheme *cs = NULL;
1884 
1885         /*
1886          * Key selection 101
1887          *
1888          * There are four types of keys:
1889          *  - GTK (group keys)
1890          *  - IGTK (group keys for management frames)
1891          *  - PTK (pairwise keys)
1892          *  - STK (station-to-station pairwise keys)
1893          *
1894          * When selecting a key, we have to distinguish between multicast
1895          * (including broadcast) and unicast frames, the latter can only
1896          * use PTKs and STKs while the former always use GTKs and IGTKs.
1897          * Unless, of course, actual WEP keys ("pre-RSNA") are used, then
1898          * unicast frames can also use key indices like GTKs. Hence, if we
1899          * don't have a PTK/STK we check the key index for a WEP key.
1900          *
1901          * Note that in a regular BSS, multicast frames are sent by the
1902          * AP only, associated stations unicast the frame to the AP first
1903          * which then multicasts it on their behalf.
1904          *
1905          * There is also a slight problem in IBSS mode: GTKs are negotiated
1906          * with each station, that is something we don't currently handle.
1907          * The spec seems to expect that one negotiates the same key with
1908          * every station but there's no such requirement; VLANs could be
1909          * possible.
1910          */
1911 
1912         /* start without a key */
1913         rx->key = NULL;
1914         fc = hdr->frame_control;
1915 
1916         if (rx->sta) {
1917                 int keyid = rx->sta->ptk_idx;
1918                 sta_ptk = rcu_dereference(rx->sta->ptk[keyid]);
1919 
1920                 if (ieee80211_has_protected(fc)) {
1921                         cs = rx->sta->cipher_scheme;
1922                         keyid = ieee80211_get_keyid(rx->skb, cs);
1923 
1924                         if (unlikely(keyid < 0))
1925                                 return RX_DROP_UNUSABLE;
1926 
1927                         ptk_idx = rcu_dereference(rx->sta->ptk[keyid]);
1928                 }
1929         }
1930 
1931         if (!ieee80211_has_protected(fc))
1932                 mmie_keyidx = ieee80211_get_mmie_keyidx(rx->skb);
1933 
1934         if (!is_multicast_ether_addr(hdr->addr1) && sta_ptk) {
1935                 rx->key = ptk_idx ? ptk_idx : sta_ptk;
1936                 if ((status->flag & RX_FLAG_DECRYPTED) &&
1937                     (status->flag & RX_FLAG_IV_STRIPPED))
1938                         return RX_CONTINUE;
1939                 /* Skip decryption if the frame is not protected. */
1940                 if (!ieee80211_has_protected(fc))
1941                         return RX_CONTINUE;
1942         } else if (mmie_keyidx >= 0) {
1943                 /* Broadcast/multicast robust management frame / BIP */
1944                 if ((status->flag & RX_FLAG_DECRYPTED) &&
1945                     (status->flag & RX_FLAG_IV_STRIPPED))
1946                         return RX_CONTINUE;
1947 
1948                 if (mmie_keyidx < NUM_DEFAULT_KEYS ||
1949                     mmie_keyidx >= NUM_DEFAULT_KEYS + NUM_DEFAULT_MGMT_KEYS)
1950                         return RX_DROP_MONITOR; /* unexpected BIP keyidx */
1951                 if (rx->sta) {
1952                         if (ieee80211_is_group_privacy_action(skb) &&
1953                             test_sta_flag(rx->sta, WLAN_STA_MFP))
1954                                 return RX_DROP_MONITOR;
1955 
1956                         rx->key = rcu_dereference(rx->sta->gtk[mmie_keyidx]);
1957                 }
1958                 if (!rx->key)
1959                         rx->key = rcu_dereference(rx->sdata->keys[mmie_keyidx]);
1960         } else if (!ieee80211_has_protected(fc)) {
1961                 /*
1962                  * The frame was not protected, so skip decryption. However, we
1963                  * need to set rx->key if there is a key that could have been
1964                  * used so that the frame may be dropped if encryption would
1965                  * have been expected.
1966                  */
1967                 struct ieee80211_key *key = NULL;
1968                 struct ieee80211_sub_if_data *sdata = rx->sdata;
1969                 int i;
1970 
1971                 if (ieee80211_is_mgmt(fc) &&
1972                     is_multicast_ether_addr(hdr->addr1) &&
1973                     (key = rcu_dereference(rx->sdata->default_mgmt_key)))
1974                         rx->key = key;
1975                 else {
1976                         if (rx->sta) {
1977                                 for (i = 0; i < NUM_DEFAULT_KEYS; i++) {
1978                                         key = rcu_dereference(rx->sta->gtk[i]);
1979                                         if (key)
1980                                                 break;
1981                                 }
1982                         }
1983                         if (!key) {
1984                                 for (i = 0; i < NUM_DEFAULT_KEYS; i++) {
1985                                         key = rcu_dereference(sdata->keys[i]);
1986                                         if (key)
1987                                                 break;
1988                                 }
1989                         }
1990                         if (key)
1991                                 rx->key = key;
1992                 }
1993                 return RX_CONTINUE;
1994         } else {
1995                 /*
1996                  * The device doesn't give us the IV so we won't be
1997                  * able to look up the key. That's ok though, we
1998                  * don't need to decrypt the frame, we just won't
1999                  * be able to keep statistics accurate.
2000                  * Except for key threshold notifications, should
2001                  * we somehow allow the driver to tell us which key
2002                  * the hardware used if this flag is set?
2003                  */
2004                 if ((status->flag & RX_FLAG_DECRYPTED) &&
2005                     (status->flag & RX_FLAG_IV_STRIPPED))
2006                         return RX_CONTINUE;
2007 
2008                 keyidx = ieee80211_get_keyid(rx->skb, cs);
2009 
2010                 if (unlikely(keyidx < 0))
2011                         return RX_DROP_UNUSABLE;
2012 
2013                 /* check per-station GTK first, if multicast packet */
2014                 if (is_multicast_ether_addr(hdr->addr1) && rx->sta)
2015                         rx->key = rcu_dereference(rx->sta->gtk[keyidx]);
2016 
2017                 /* if not found, try default key */
2018                 if (!rx->key) {
2019                         rx->key = rcu_dereference(rx->sdata->keys[keyidx]);
2020 
2021                         /*
2022                          * RSNA-protected unicast frames should always be
2023                          * sent with pairwise or station-to-station keys,
2024                          * but for WEP we allow using a key index as well.
2025                          */
2026                         if (rx->key &&
2027                             rx->key->conf.cipher != WLAN_CIPHER_SUITE_WEP40 &&
2028                             rx->key->conf.cipher != WLAN_CIPHER_SUITE_WEP104 &&
2029                             !is_multicast_ether_addr(hdr->addr1))
2030                                 rx->key = NULL;
2031                 }
2032         }
2033 
2034         if (rx->key) {
2035                 if (unlikely(rx->key->flags & KEY_FLAG_TAINTED))
2036                         return RX_DROP_MONITOR;
2037 
2038                 /* TODO: add threshold stuff again */
2039         } else {
2040                 return RX_DROP_MONITOR;
2041         }
2042 
2043         switch (rx->key->conf.cipher) {
2044         case WLAN_CIPHER_SUITE_WEP40:
2045         case WLAN_CIPHER_SUITE_WEP104:
2046                 result = ieee80211_crypto_wep_decrypt(rx);
2047                 break;
2048         case WLAN_CIPHER_SUITE_TKIP:
2049                 result = ieee80211_crypto_tkip_decrypt(rx);
2050                 break;
2051         case WLAN_CIPHER_SUITE_CCMP:
2052                 result = ieee80211_crypto_ccmp_decrypt(
2053                         rx, IEEE80211_CCMP_MIC_LEN);
2054                 break;
2055         case WLAN_CIPHER_SUITE_CCMP_256:
2056                 result = ieee80211_crypto_ccmp_decrypt(
2057                         rx, IEEE80211_CCMP_256_MIC_LEN);
2058                 break;
2059         case WLAN_CIPHER_SUITE_AES_CMAC:
2060                 result = ieee80211_crypto_aes_cmac_decrypt(rx);
2061                 break;
2062         case WLAN_CIPHER_SUITE_BIP_CMAC_256:
2063                 result = ieee80211_crypto_aes_cmac_256_decrypt(rx);
2064                 break;
2065         case WLAN_CIPHER_SUITE_BIP_GMAC_128:
2066         case WLAN_CIPHER_SUITE_BIP_GMAC_256:
2067                 result = ieee80211_crypto_aes_gmac_decrypt(rx);
2068                 break;
2069         case WLAN_CIPHER_SUITE_GCMP:
2070         case WLAN_CIPHER_SUITE_GCMP_256:
2071                 result = ieee80211_crypto_gcmp_decrypt(rx);
2072                 break;
2073         default:
2074                 result = ieee80211_crypto_hw_decrypt(rx);
2075         }
2076 
2077         /* the hdr variable is invalid after the decrypt handlers */
2078 
2079         /* either the frame has been decrypted or will be dropped */
2080         status->flag |= RX_FLAG_DECRYPTED;
2081 
2082         return result;
2083 }
2084 
2085 static inline struct ieee80211_fragment_entry *
2086 ieee80211_reassemble_add(struct ieee80211_sub_if_data *sdata,
2087                          unsigned int frag, unsigned int seq, int rx_queue,
2088                          struct sk_buff **skb)
2089 {
2090         struct ieee80211_fragment_entry *entry;
2091 
2092         entry = &sdata->fragments[sdata->fragment_next++];
2093         if (sdata->fragment_next >= IEEE80211_FRAGMENT_MAX)
2094                 sdata->fragment_next = 0;
2095 
2096         if (!skb_queue_empty(&entry->skb_list))
2097                 __skb_queue_purge(&entry->skb_list);
2098 
2099         __skb_queue_tail(&entry->skb_list, *skb); /* no need for locking */
2100         *skb = NULL;
2101         entry->first_frag_time = jiffies;
2102         entry->seq = seq;
2103         entry->rx_queue = rx_queue;
2104         entry->last_frag = frag;
2105         entry->check_sequential_pn = false;
2106         entry->extra_len = 0;
2107 
2108         return entry;
2109 }
2110 
2111 static inline struct ieee80211_fragment_entry *
2112 ieee80211_reassemble_find(struct ieee80211_sub_if_data *sdata,
2113                           unsigned int frag, unsigned int seq,
2114                           int rx_queue, struct ieee80211_hdr *hdr)
2115 {
2116         struct ieee80211_fragment_entry *entry;
2117         int i, idx;
2118 
2119         idx = sdata->fragment_next;
2120         for (i = 0; i < IEEE80211_FRAGMENT_MAX; i++) {
2121                 struct ieee80211_hdr *f_hdr;
2122                 struct sk_buff *f_skb;
2123 
2124                 idx--;
2125                 if (idx < 0)
2126                         idx = IEEE80211_FRAGMENT_MAX - 1;
2127 
2128                 entry = &sdata->fragments[idx];
2129                 if (skb_queue_empty(&entry->skb_list) || entry->seq != seq ||
2130                     entry->rx_queue != rx_queue ||
2131                     entry->last_frag + 1 != frag)
2132                         continue;
2133 
2134                 f_skb = __skb_peek(&entry->skb_list);
2135                 f_hdr = (struct ieee80211_hdr *) f_skb->data;
2136 
2137                 /*
2138                  * Check ftype and addresses are equal, else check next fragment
2139                  */
2140                 if (((hdr->frame_control ^ f_hdr->frame_control) &
2141                      cpu_to_le16(IEEE80211_FCTL_FTYPE)) ||
2142                     !ether_addr_equal(hdr->addr1, f_hdr->addr1) ||
2143                     !ether_addr_equal(hdr->addr2, f_hdr->addr2))
2144                         continue;
2145 
2146                 if (time_after(jiffies, entry->first_frag_time + 2 * HZ)) {
2147                         __skb_queue_purge(&entry->skb_list);
2148                         continue;
2149                 }
2150                 return entry;
2151         }
2152 
2153         return NULL;
2154 }
2155 
2156 static ieee80211_rx_result debug_noinline
2157 ieee80211_rx_h_defragment(struct ieee80211_rx_data *rx)
2158 {
2159         struct ieee80211_hdr *hdr;
2160         u16 sc;
2161         __le16 fc;
2162         unsigned int frag, seq;
2163         struct ieee80211_fragment_entry *entry;
2164         struct sk_buff *skb;
2165 
2166         hdr = (struct ieee80211_hdr *)rx->skb->data;
2167         fc = hdr->frame_control;
2168 
2169         if (ieee80211_is_ctl(fc))
2170                 return RX_CONTINUE;
2171 
2172         sc = le16_to_cpu(hdr->seq_ctrl);
2173         frag = sc & IEEE80211_SCTL_FRAG;
2174 
2175         if (is_multicast_ether_addr(hdr->addr1)) {
2176                 I802_DEBUG_INC(rx->local->dot11MulticastReceivedFrameCount);
2177                 goto out_no_led;
2178         }
2179 
2180         if (likely(!ieee80211_has_morefrags(fc) && frag == 0))
2181                 goto out;
2182 
2183         I802_DEBUG_INC(rx->local->rx_handlers_fragments);
2184 
2185         if (skb_linearize(rx->skb))
2186                 return RX_DROP_UNUSABLE;
2187 
2188         /*
2189          *  skb_linearize() might change the skb->data and
2190          *  previously cached variables (in this case, hdr) need to
2191          *  be refreshed with the new data.
2192          */
2193         hdr = (struct ieee80211_hdr *)rx->skb->data;
2194         seq = (sc & IEEE80211_SCTL_SEQ) >> 4;
2195 
2196         if (frag == 0) {
2197                 /* This is the first fragment of a new frame. */
2198                 entry = ieee80211_reassemble_add(rx->sdata, frag, seq,
2199                                                  rx->seqno_idx, &(rx->skb));
2200                 if (rx->key &&
2201                     (rx->key->conf.cipher == WLAN_CIPHER_SUITE_CCMP ||
2202                      rx->key->conf.cipher == WLAN_CIPHER_SUITE_CCMP_256 ||
2203                      rx->key->conf.cipher == WLAN_CIPHER_SUITE_GCMP ||
2204                      rx->key->conf.cipher == WLAN_CIPHER_SUITE_GCMP_256) &&
2205                     ieee80211_has_protected(fc)) {
2206                         int queue = rx->security_idx;
2207 
2208                         /* Store CCMP/GCMP PN so that we can verify that the
2209                          * next fragment has a sequential PN value.
2210                          */
2211                         entry->check_sequential_pn = true;
2212                         memcpy(entry->last_pn,
2213                                rx->key->u.ccmp.rx_pn[queue],
2214                                IEEE80211_CCMP_PN_LEN);
2215                         BUILD_BUG_ON(offsetof(struct ieee80211_key,
2216                                               u.ccmp.rx_pn) !=
2217                                      offsetof(struct ieee80211_key,
2218                                               u.gcmp.rx_pn));
2219                         BUILD_BUG_ON(sizeof(rx->key->u.ccmp.rx_pn[queue]) !=
2220                                      sizeof(rx->key->u.gcmp.rx_pn[queue]));
2221                         BUILD_BUG_ON(IEEE80211_CCMP_PN_LEN !=
2222                                      IEEE80211_GCMP_PN_LEN);
2223                 }
2224                 return RX_QUEUED;
2225         }
2226 
2227         /* This is a fragment for a frame that should already be pending in
2228          * fragment cache. Add this fragment to the end of the pending entry.
2229          */
2230         entry = ieee80211_reassemble_find(rx->sdata, frag, seq,
2231                                           rx->seqno_idx, hdr);
2232         if (!entry) {
2233                 I802_DEBUG_INC(rx->local->rx_handlers_drop_defrag);
2234                 return RX_DROP_MONITOR;
2235         }
2236 
2237         /* "The receiver shall discard MSDUs and MMPDUs whose constituent
2238          *  MPDU PN values are not incrementing in steps of 1."
2239          * see IEEE P802.11-REVmc/D5.0, 12.5.3.4.4, item d (for CCMP)
2240          * and IEEE P802.11-REVmc/D5.0, 12.5.5.4.4, item d (for GCMP)
2241          */
2242         if (entry->check_sequential_pn) {
2243                 int i;
2244                 u8 pn[IEEE80211_CCMP_PN_LEN], *rpn;
2245                 int queue;
2246 
2247                 if (!rx->key ||
2248                     (rx->key->conf.cipher != WLAN_CIPHER_SUITE_CCMP &&
2249                      rx->key->conf.cipher != WLAN_CIPHER_SUITE_CCMP_256 &&
2250                      rx->key->conf.cipher != WLAN_CIPHER_SUITE_GCMP &&
2251                      rx->key->conf.cipher != WLAN_CIPHER_SUITE_GCMP_256))
2252                         return RX_DROP_UNUSABLE;
2253                 memcpy(pn, entry->last_pn, IEEE80211_CCMP_PN_LEN);
2254                 for (i = IEEE80211_CCMP_PN_LEN - 1; i >= 0; i--) {
2255                         pn[i]++;
2256                         if (pn[i])
2257                                 break;
2258                 }
2259                 queue = rx->security_idx;
2260                 rpn = rx->key->u.ccmp.rx_pn[queue];
2261                 if (memcmp(pn, rpn, IEEE80211_CCMP_PN_LEN))
2262                         return RX_DROP_UNUSABLE;
2263                 memcpy(entry->last_pn, pn, IEEE80211_CCMP_PN_LEN);
2264         }
2265 
2266         skb_pull(rx->skb, ieee80211_hdrlen(fc));
2267         __skb_queue_tail(&entry->skb_list, rx->skb);
2268         entry->last_frag = frag;
2269         entry->extra_len += rx->skb->len;
2270         if (ieee80211_has_morefrags(fc)) {
2271                 rx->skb = NULL;
2272                 return RX_QUEUED;
2273         }
2274 
2275         rx->skb = __skb_dequeue(&entry->skb_list);
2276         if (skb_tailroom(rx->skb) < entry->extra_len) {
2277                 I802_DEBUG_INC(rx->local->rx_expand_skb_head_defrag);
2278                 if (unlikely(pskb_expand_head(rx->skb, 0, entry->extra_len,
2279                                               GFP_ATOMIC))) {
2280                         I802_DEBUG_INC(rx->local->rx_handlers_drop_defrag);
2281                         __skb_queue_purge(&entry->skb_list);
2282                         return RX_DROP_UNUSABLE;
2283                 }
2284         }
2285         while ((skb = __skb_dequeue(&entry->skb_list))) {
2286                 skb_put_data(rx->skb, skb->data, skb->len);
2287                 dev_kfree_skb(skb);
2288         }
2289 
2290  out:
2291         ieee80211_led_rx(rx->local);
2292  out_no_led:
2293         if (rx->sta)
2294                 rx->sta->rx_stats.packets++;
2295         return RX_CONTINUE;
2296 }
2297 
2298 static int ieee80211_802_1x_port_control(struct ieee80211_rx_data *rx)
2299 {
2300         if (unlikely(!rx->sta || !test_sta_flag(rx->sta, WLAN_STA_AUTHORIZED)))
2301                 return -EACCES;
2302 
2303         return 0;
2304 }
2305 
2306 static int ieee80211_drop_unencrypted(struct ieee80211_rx_data *rx, __le16 fc)
2307 {
2308         struct sk_buff *skb = rx->skb;
2309         struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb);
2310 
2311         /*
2312          * Pass through unencrypted frames if the hardware has
2313          * decrypted them already.
2314          */
2315         if (status->flag & RX_FLAG_DECRYPTED)
2316                 return 0;
2317 
2318         /* Drop unencrypted frames if key is set. */
2319         if (unlikely(!ieee80211_has_protected(fc) &&
2320                      !ieee80211_is_any_nullfunc(fc) &&
2321                      ieee80211_is_data(fc) && rx->key))
2322                 return -EACCES;
2323 
2324         return 0;
2325 }
2326 
2327 static int ieee80211_drop_unencrypted_mgmt(struct ieee80211_rx_data *rx)
2328 {
2329         struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)rx->skb->data;
2330         struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(rx->skb);
2331         __le16 fc = hdr->frame_control;
2332 
2333         /*
2334          * Pass through unencrypted frames if the hardware has
2335          * decrypted them already.
2336          */
2337         if (status->flag & RX_FLAG_DECRYPTED)
2338                 return 0;
2339 
2340         if (rx->sta && test_sta_flag(rx->sta, WLAN_STA_MFP)) {
2341                 if (unlikely(!ieee80211_has_protected(fc) &&
2342                              ieee80211_is_unicast_robust_mgmt_frame(rx->skb) &&
2343                              rx->key)) {
2344                         if (ieee80211_is_deauth(fc) ||
2345                             ieee80211_is_disassoc(fc))
2346                                 cfg80211_rx_unprot_mlme_mgmt(rx->sdata->dev,
2347                                                              rx->skb->data,
2348                                                              rx->skb->len);
2349                         return -EACCES;
2350                 }
2351                 /* BIP does not use Protected field, so need to check MMIE */
2352                 if (unlikely(ieee80211_is_multicast_robust_mgmt_frame(rx->skb) &&
2353                              ieee80211_get_mmie_keyidx(rx->skb) < 0)) {
2354                         if (ieee80211_is_deauth(fc) ||
2355                             ieee80211_is_disassoc(fc))
2356                                 cfg80211_rx_unprot_mlme_mgmt(rx->sdata->dev,
2357                                                              rx->skb->data,
2358                                                              rx->skb->len);
2359                         return -EACCES;
2360                 }
2361                 /*
2362                  * When using MFP, Action frames are not allowed prior to
2363                  * having configured keys.
2364                  */
2365                 if (unlikely(ieee80211_is_action(fc) && !rx->key &&
2366                              ieee80211_is_robust_mgmt_frame(rx->skb)))
2367                         return -EACCES;
2368         }
2369 
2370         return 0;
2371 }
2372 
2373 static int
2374 __ieee80211_data_to_8023(struct ieee80211_rx_data *rx, bool *port_control)
2375 {
2376         struct ieee80211_sub_if_data *sdata = rx->sdata;
2377         struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)rx->skb->data;
2378         bool check_port_control = false;
2379         struct ethhdr *ehdr;
2380         int ret;
2381 
2382         *port_control = false;
2383         if (ieee80211_has_a4(hdr->frame_control) &&
2384             sdata->vif.type == NL80211_IFTYPE_AP_VLAN && !sdata->u.vlan.sta)
2385                 return -1;
2386 
2387         if (sdata->vif.type == NL80211_IFTYPE_STATION &&
2388             !!sdata->u.mgd.use_4addr != !!ieee80211_has_a4(hdr->frame_control)) {
2389 
2390                 if (!sdata->u.mgd.use_4addr)
2391                         return -1;
2392                 else if (!ether_addr_equal(hdr->addr1, sdata->vif.addr))
2393                         check_port_control = true;
2394         }
2395 
2396         if (is_multicast_ether_addr(hdr->addr1) &&
2397             sdata->vif.type == NL80211_IFTYPE_AP_VLAN && sdata->u.vlan.sta)
2398                 return -1;
2399 
2400         ret = ieee80211_data_to_8023(rx->skb, sdata->vif.addr, sdata->vif.type);
2401         if (ret < 0)
2402                 return ret;
2403 
2404         ehdr = (struct ethhdr *) rx->skb->data;
2405         if (ehdr->h_proto == rx->sdata->control_port_protocol)
2406                 *port_control = true;
2407         else if (check_port_control)
2408                 return -1;
2409 
2410         return 0;
2411 }
2412 
2413 /*
2414  * requires that rx->skb is a frame with ethernet header
2415  */
2416 static bool ieee80211_frame_allowed(struct ieee80211_rx_data *rx, __le16 fc)
2417 {
2418         static const u8 pae_group_addr[ETH_ALEN] __aligned(2)
2419                 = { 0x01, 0x80, 0xC2, 0x00, 0x00, 0x03 };
2420         struct ethhdr *ehdr = (struct ethhdr *) rx->skb->data;
2421 
2422         /*
2423          * Allow EAPOL frames to us/the PAE group address regardless
2424          * of whether the frame was encrypted or not.
2425          */
2426         if (ehdr->h_proto == rx->sdata->control_port_protocol &&
2427             (ether_addr_equal(ehdr->h_dest, rx->sdata->vif.addr) ||
2428              ether_addr_equal(ehdr->h_dest, pae_group_addr)))
2429                 return true;
2430 
2431         if (ieee80211_802_1x_port_control(rx) ||
2432             ieee80211_drop_unencrypted(rx, fc))
2433                 return false;
2434 
2435         return true;
2436 }
2437 
2438 static void ieee80211_deliver_skb_to_local_stack(struct sk_buff *skb,
2439                                                  struct ieee80211_rx_data *rx)
2440 {
2441         struct ieee80211_sub_if_data *sdata = rx->sdata;
2442         struct net_device *dev = sdata->dev;
2443 
2444         if (unlikely((skb->protocol == sdata->control_port_protocol ||
2445                       skb->protocol == cpu_to_be16(ETH_P_PREAUTH)) &&
2446                      sdata->control_port_over_nl80211)) {
2447                 struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb);
2448                 bool noencrypt = !(status->flag & RX_FLAG_DECRYPTED);
2449 
2450                 cfg80211_rx_control_port(dev, skb, noencrypt);
2451                 dev_kfree_skb(skb);
2452         } else {
2453                 memset(skb->cb, 0, sizeof(skb->cb));
2454 
2455                 /* deliver to local stack */
2456                 if (rx->napi)
2457                         napi_gro_receive(rx->napi, skb);
2458                 else
2459                         netif_receive_skb(skb);
2460         }
2461 }
2462 
2463 /*
2464  * requires that rx->skb is a frame with ethernet header
2465  */
2466 static void
2467 ieee80211_deliver_skb(struct ieee80211_rx_data *rx)
2468 {
2469         struct ieee80211_sub_if_data *sdata = rx->sdata;
2470         struct net_device *dev = sdata->dev;
2471         struct sk_buff *skb, *xmit_skb;
2472         struct ethhdr *ehdr = (struct ethhdr *) rx->skb->data;
2473         struct sta_info *dsta;
2474 
2475         skb = rx->skb;
2476         xmit_skb = NULL;
2477 
2478         ieee80211_rx_stats(dev, skb->len);
2479 
2480         if (rx->sta) {
2481                 /* The seqno index has the same property as needed
2482                  * for the rx_msdu field, i.e. it is IEEE80211_NUM_TIDS
2483                  * for non-QoS-data frames. Here we know it's a data
2484                  * frame, so count MSDUs.
2485                  */
2486                 u64_stats_update_begin(&rx->sta->rx_stats.syncp);
2487                 rx->sta->rx_stats.msdu[rx->seqno_idx]++;
2488                 u64_stats_update_end(&rx->sta->rx_stats.syncp);
2489         }
2490 
2491         if ((sdata->vif.type == NL80211_IFTYPE_AP ||
2492              sdata->vif.type == NL80211_IFTYPE_AP_VLAN) &&
2493             !(sdata->flags & IEEE80211_SDATA_DONT_BRIDGE_PACKETS) &&
2494             (sdata->vif.type != NL80211_IFTYPE_AP_VLAN || !sdata->u.vlan.sta)) {
2495                 if (is_multicast_ether_addr(ehdr->h_dest) &&
2496                     ieee80211_vif_get_num_mcast_if(sdata) != 0) {
2497                         /*
2498                          * send multicast frames both to higher layers in
2499                          * local net stack and back to the wireless medium
2500                          */
2501                         xmit_skb = skb_copy(skb, GFP_ATOMIC);
2502                         if (!xmit_skb)
2503                                 net_info_ratelimited("%s: failed to clone multicast frame\n",
2504                                                     dev->name);
2505                 } else if (!is_multicast_ether_addr(ehdr->h_dest) &&
2506                            !ether_addr_equal(ehdr->h_dest, ehdr->h_source)) {
2507                         dsta = sta_info_get(sdata, ehdr->h_dest);
2508                         if (dsta) {
2509                                 /*
2510                                  * The destination station is associated to
2511                                  * this AP (in this VLAN), so send the frame
2512                                  * directly to it and do not pass it to local
2513                                  * net stack.
2514                                  */
2515                                 xmit_skb = skb;
2516                                 skb = NULL;
2517                         }
2518                 }
2519         }
2520 
2521 #ifndef CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS
2522         if (skb) {
2523                 /* 'align' will only take the values 0 or 2 here since all
2524                  * frames are required to be aligned to 2-byte boundaries
2525                  * when being passed to mac80211; the code here works just
2526                  * as well if that isn't true, but mac80211 assumes it can
2527                  * access fields as 2-byte aligned (e.g. for ether_addr_equal)
2528                  */
2529                 int align;
2530 
2531                 align = (unsigned long)(skb->data + sizeof(struct ethhdr)) & 3;
2532                 if (align) {
2533                         if (WARN_ON(skb_headroom(skb) < 3)) {
2534                                 dev_kfree_skb(skb);
2535                                 skb = NULL;
2536                         } else {
2537                                 u8 *data = skb->data;
2538                                 size_t len = skb_headlen(skb);
2539                                 skb->data -= align;
2540                                 memmove(skb->data, data, len);
2541                                 skb_set_tail_pointer(skb, len);
2542                         }
2543                 }
2544         }
2545 #endif
2546 
2547         if (skb) {
2548                 skb->protocol = eth_type_trans(skb, dev);
2549                 ieee80211_deliver_skb_to_local_stack(skb, rx);
2550         }
2551 
2552         if (xmit_skb) {
2553                 /*
2554                  * Send to wireless media and increase priority by 256 to
2555                  * keep the received priority instead of reclassifying
2556                  * the frame (see cfg80211_classify8021d).
2557                  */
2558                 xmit_skb->priority += 256;
2559                 xmit_skb->protocol = htons(ETH_P_802_3);
2560                 skb_reset_network_header(xmit_skb);
2561                 skb_reset_mac_header(xmit_skb);
2562                 dev_queue_xmit(xmit_skb);
2563         }
2564 }
2565 
2566 static ieee80211_rx_result debug_noinline
2567 __ieee80211_rx_h_amsdu(struct ieee80211_rx_data *rx, u8 data_offset)
2568 {
2569         struct net_device *dev = rx->sdata->dev;
2570         struct sk_buff *skb = rx->skb;
2571         struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)skb->data;
2572         __le16 fc = hdr->frame_control;
2573         struct sk_buff_head frame_list;
2574         struct ethhdr ethhdr;
2575         const u8 *check_da = ethhdr.h_dest, *check_sa = ethhdr.h_source;
2576 
2577         if (unlikely(ieee80211_has_a4(hdr->frame_control))) {
2578                 check_da = NULL;
2579                 check_sa = NULL;
2580         } else switch (rx->sdata->vif.type) {
2581                 case NL80211_IFTYPE_AP:
2582                 case NL80211_IFTYPE_AP_VLAN:
2583                         check_da = NULL;
2584                         break;
2585                 case NL80211_IFTYPE_STATION:
2586                         if (!rx->sta ||
2587                             !test_sta_flag(rx->sta, WLAN_STA_TDLS_PEER))
2588                                 check_sa = NULL;
2589                         break;
2590                 case NL80211_IFTYPE_MESH_POINT:
2591                         check_sa = NULL;
2592                         break;
2593                 default:
2594                         break;
2595         }
2596 
2597         skb->dev = dev;
2598         __skb_queue_head_init(&frame_list);
2599 
2600         if (ieee80211_data_to_8023_exthdr(skb, &ethhdr,
2601                                           rx->sdata->vif.addr,
2602                                           rx->sdata->vif.type,
2603                                           data_offset))
2604                 return RX_DROP_UNUSABLE;
2605 
2606         ieee80211_amsdu_to_8023s(skb, &frame_list, dev->dev_addr,
2607                                  rx->sdata->vif.type,
2608                                  rx->local->hw.extra_tx_headroom,
2609                                  check_da, check_sa);
2610 
2611         while (!skb_queue_empty(&frame_list)) {
2612                 rx->skb = __skb_dequeue(&frame_list);
2613 
2614                 if (!ieee80211_frame_allowed(rx, fc)) {
2615                         dev_kfree_skb(rx->skb);
2616                         continue;
2617                 }
2618 
2619                 ieee80211_deliver_skb(rx);
2620         }
2621 
2622         return RX_QUEUED;
2623 }
2624 
2625 static ieee80211_rx_result debug_noinline
2626 ieee80211_rx_h_amsdu(struct ieee80211_rx_data *rx)
2627 {
2628         struct sk_buff *skb = rx->skb;
2629         struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb);
2630         struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)skb->data;
2631         __le16 fc = hdr->frame_control;
2632 
2633         if (!(status->rx_flags & IEEE80211_RX_AMSDU))
2634                 return RX_CONTINUE;
2635 
2636         if (unlikely(!ieee80211_is_data(fc)))
2637                 return RX_CONTINUE;
2638 
2639         if (unlikely(!ieee80211_is_data_present(fc)))
2640                 return RX_DROP_MONITOR;
2641 
2642         if (unlikely(ieee80211_has_a4(hdr->frame_control))) {
2643                 switch (rx->sdata->vif.type) {
2644                 case NL80211_IFTYPE_AP_VLAN:
2645                         if (!rx->sdata->u.vlan.sta)
2646                                 return RX_DROP_UNUSABLE;
2647                         break;
2648                 case NL80211_IFTYPE_STATION:
2649                         if (!rx->sdata->u.mgd.use_4addr)
2650                                 return RX_DROP_UNUSABLE;
2651                         break;
2652                 default:
2653                         return RX_DROP_UNUSABLE;
2654                 }
2655         }
2656 
2657         if (is_multicast_ether_addr(hdr->addr1))
2658                 return RX_DROP_UNUSABLE;
2659 
2660         return __ieee80211_rx_h_amsdu(rx, 0);
2661 }
2662 
2663 #ifdef CONFIG_MAC80211_MESH
2664 static ieee80211_rx_result
2665 ieee80211_rx_h_mesh_fwding(struct ieee80211_rx_data *rx)
2666 {
2667         struct ieee80211_hdr *fwd_hdr, *hdr;
2668         struct ieee80211_tx_info *info;
2669         struct ieee80211s_hdr *mesh_hdr;
2670         struct sk_buff *skb = rx->skb, *fwd_skb;
2671         struct ieee80211_local *local = rx->local;
2672         struct ieee80211_sub_if_data *sdata = rx->sdata;
2673         struct ieee80211_if_mesh *ifmsh = &sdata->u.mesh;
2674         u16 ac, q, hdrlen;
2675         int tailroom = 0;
2676 
2677         hdr = (struct ieee80211_hdr *) skb->data;
2678         hdrlen = ieee80211_hdrlen(hdr->frame_control);
2679 
2680         /* make sure fixed part of mesh header is there, also checks skb len */
2681         if (!pskb_may_pull(rx->skb, hdrlen + 6))
2682                 return RX_DROP_MONITOR;
2683 
2684         mesh_hdr = (struct ieee80211s_hdr *) (skb->data + hdrlen);
2685 
2686         /* make sure full mesh header is there, also checks skb len */
2687         if (!pskb_may_pull(rx->skb,
2688                            hdrlen + ieee80211_get_mesh_hdrlen(mesh_hdr)))
2689                 return RX_DROP_MONITOR;
2690 
2691         /* reload pointers */
2692         hdr = (struct ieee80211_hdr *) skb->data;
2693         mesh_hdr = (struct ieee80211s_hdr *) (skb->data + hdrlen);
2694 
2695         if (ieee80211_drop_unencrypted(rx, hdr->frame_control))
2696                 return RX_DROP_MONITOR;
2697 
2698         /* frame is in RMC, don't forward */
2699         if (ieee80211_is_data(hdr->frame_control) &&
2700             is_multicast_ether_addr(hdr->addr1) &&
2701             mesh_rmc_check(rx->sdata, hdr->addr3, mesh_hdr))
2702                 return RX_DROP_MONITOR;
2703 
2704         if (!ieee80211_is_data(hdr->frame_control))
2705                 return RX_CONTINUE;
2706 
2707         if (!mesh_hdr->ttl)
2708                 return RX_DROP_MONITOR;
2709 
2710         if (mesh_hdr->flags & MESH_FLAGS_AE) {
2711                 struct mesh_path *mppath;
2712                 char *proxied_addr;
2713                 char *mpp_addr;
2714 
2715                 if (is_multicast_ether_addr(hdr->addr1)) {
2716                         mpp_addr = hdr->addr3;
2717                         proxied_addr = mesh_hdr->eaddr1;
2718                 } else if ((mesh_hdr->flags & MESH_FLAGS_AE) ==
2719                             MESH_FLAGS_AE_A5_A6) {
2720                         /* has_a4 already checked in ieee80211_rx_mesh_check */
2721                         mpp_addr = hdr->addr4;
2722                         proxied_addr = mesh_hdr->eaddr2;
2723                 } else {
2724                         return RX_DROP_MONITOR;
2725                 }
2726 
2727                 rcu_read_lock();
2728                 mppath = mpp_path_lookup(sdata, proxied_addr);
2729                 if (!mppath) {
2730                         mpp_path_add(sdata, proxied_addr, mpp_addr);
2731                 } else {
2732                         spin_lock_bh(&mppath->state_lock);
2733                         if (!ether_addr_equal(mppath->mpp, mpp_addr))
2734                                 memcpy(mppath->mpp, mpp_addr, ETH_ALEN);
2735                         mppath->exp_time = jiffies;
2736                         spin_unlock_bh(&mppath->state_lock);
2737                 }
2738                 rcu_read_unlock();
2739         }
2740 
2741         /* Frame has reached destination.  Don't forward */
2742         if (!is_multicast_ether_addr(hdr->addr1) &&
2743             ether_addr_equal(sdata->vif.addr, hdr->addr3))
2744                 return RX_CONTINUE;
2745 
2746         ac = ieee80211_select_queue_80211(sdata, skb, hdr);
2747         q = sdata->vif.hw_queue[ac];
2748         if (ieee80211_queue_stopped(&local->hw, q)) {
2749                 IEEE80211_IFSTA_MESH_CTR_INC(ifmsh, dropped_frames_congestion);
2750                 return RX_DROP_MONITOR;
2751         }
2752         skb_set_queue_mapping(skb, q);
2753 
2754         if (!--mesh_hdr->ttl) {
2755                 if (!is_multicast_ether_addr(hdr->addr1))
2756                         IEEE80211_IFSTA_MESH_CTR_INC(ifmsh,
2757                                                      dropped_frames_ttl);
2758                 goto out;
2759         }
2760 
2761         if (!ifmsh->mshcfg.dot11MeshForwarding)
2762                 goto out;
2763 
2764         if (sdata->crypto_tx_tailroom_needed_cnt)
2765                 tailroom = IEEE80211_ENCRYPT_TAILROOM;
2766 
2767         fwd_skb = skb_copy_expand(skb, local->tx_headroom +
2768                                        sdata->encrypt_headroom,
2769                                   tailroom, GFP_ATOMIC);
2770         if (!fwd_skb)
2771                 goto out;
2772 
2773         fwd_hdr =  (struct ieee80211_hdr *) fwd_skb->data;
2774         fwd_hdr->frame_control &= ~cpu_to_le16(IEEE80211_FCTL_RETRY);
2775         info = IEEE80211_SKB_CB(fwd_skb);
2776         memset(info, 0, sizeof(*info));
2777         info->flags |= IEEE80211_TX_INTFL_NEED_TXPROCESSING;
2778         info->control.vif = &rx->sdata->vif;
2779         info->control.jiffies = jiffies;
2780         if (is_multicast_ether_addr(fwd_hdr->addr1)) {
2781                 IEEE80211_IFSTA_MESH_CTR_INC(ifmsh, fwded_mcast);
2782                 memcpy(fwd_hdr->addr2, sdata->vif.addr, ETH_ALEN);
2783                 /* update power mode indication when forwarding */
2784                 ieee80211_mps_set_frame_flags(sdata, NULL, fwd_hdr);
2785         } else if (!mesh_nexthop_lookup(sdata, fwd_skb)) {
2786                 /* mesh power mode flags updated in mesh_nexthop_lookup */
2787                 IEEE80211_IFSTA_MESH_CTR_INC(ifmsh, fwded_unicast);
2788         } else {
2789                 /* unable to resolve next hop */
2790                 mesh_path_error_tx(sdata, ifmsh->mshcfg.element_ttl,
2791                                    fwd_hdr->addr3, 0,
2792                                    WLAN_REASON_MESH_PATH_NOFORWARD,
2793                                    fwd_hdr->addr2);
2794                 IEEE80211_IFSTA_MESH_CTR_INC(ifmsh, dropped_frames_no_route);
2795                 kfree_skb(fwd_skb);
2796                 return RX_DROP_MONITOR;
2797         }
2798 
2799         IEEE80211_IFSTA_MESH_CTR_INC(ifmsh, fwded_frames);
2800         ieee80211_add_pending_skb(local, fwd_skb);
2801  out:
2802         if (is_multicast_ether_addr(hdr->addr1))
2803                 return RX_CONTINUE;
2804         return RX_DROP_MONITOR;
2805 }
2806 #endif
2807 
2808 static ieee80211_rx_result debug_noinline
2809 ieee80211_rx_h_data(struct ieee80211_rx_data *rx)
2810 {
2811         struct ieee80211_sub_if_data *sdata = rx->sdata;
2812         struct ieee80211_local *local = rx->local;
2813         struct net_device *dev = sdata->dev;
2814         struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)rx->skb->data;
2815         __le16 fc = hdr->frame_control;
2816         bool port_control;
2817         int err;
2818 
2819         if (unlikely(!ieee80211_is_data(hdr->frame_control)))
2820                 return RX_CONTINUE;
2821 
2822         if (unlikely(!ieee80211_is_data_present(hdr->frame_control)))
2823                 return RX_DROP_MONITOR;
2824 
2825         /*
2826          * Send unexpected-4addr-frame event to hostapd. For older versions,
2827          * also drop the frame to cooked monitor interfaces.
2828          */
2829         if (ieee80211_has_a4(hdr->frame_control) &&
2830             sdata->vif.type == NL80211_IFTYPE_AP) {
2831                 if (rx->sta &&
2832                     !test_and_set_sta_flag(rx->sta, WLAN_STA_4ADDR_EVENT))
2833                         cfg80211_rx_unexpected_4addr_frame(
2834                                 rx->sdata->dev, rx->sta->sta.addr, GFP_ATOMIC);
2835                 return RX_DROP_MONITOR;
2836         }
2837 
2838         err = __ieee80211_data_to_8023(rx, &port_control);
2839         if (unlikely(err))
2840                 return RX_DROP_UNUSABLE;
2841 
2842         if (!ieee80211_frame_allowed(rx, fc))
2843                 return RX_DROP_MONITOR;
2844 
2845         /* directly handle TDLS channel switch requests/responses */
2846         if (unlikely(((struct ethhdr *)rx->skb->data)->h_proto ==
2847                                                 cpu_to_be16(ETH_P_TDLS))) {
2848                 struct ieee80211_tdls_data *tf = (void *)rx->skb->data;
2849 
2850                 if (pskb_may_pull(rx->skb,
2851                                   offsetof(struct ieee80211_tdls_data, u)) &&
2852                     tf->payload_type == WLAN_TDLS_SNAP_RFTYPE &&
2853                     tf->category == WLAN_CATEGORY_TDLS &&
2854                     (tf->action_code == WLAN_TDLS_CHANNEL_SWITCH_REQUEST ||
2855                      tf->action_code == WLAN_TDLS_CHANNEL_SWITCH_RESPONSE)) {
2856                         skb_queue_tail(&local->skb_queue_tdls_chsw, rx->skb);
2857                         schedule_work(&local->tdls_chsw_work);
2858                         if (rx->sta)
2859                                 rx->sta->rx_stats.packets++;
2860 
2861                         return RX_QUEUED;
2862                 }
2863         }
2864 
2865         if (rx->sdata->vif.type == NL80211_IFTYPE_AP_VLAN &&
2866             unlikely(port_control) && sdata->bss) {
2867                 sdata = container_of(sdata->bss, struct ieee80211_sub_if_data,
2868                                      u.ap);
2869                 dev = sdata->dev;
2870                 rx->sdata = sdata;
2871         }
2872 
2873         rx->skb->dev = dev;
2874 
2875         if (!ieee80211_hw_check(&local->hw, SUPPORTS_DYNAMIC_PS) &&
2876             local->ps_sdata && local->hw.conf.dynamic_ps_timeout > 0 &&
2877             !is_multicast_ether_addr(
2878                     ((struct ethhdr *)rx->skb->data)->h_dest) &&
2879             (!local->scanning &&
2880              !test_bit(SDATA_STATE_OFFCHANNEL, &sdata->state)))
2881                 mod_timer(&local->dynamic_ps_timer, jiffies +
2882                           msecs_to_jiffies(local->hw.conf.dynamic_ps_timeout));
2883 
2884         ieee80211_deliver_skb(rx);
2885 
2886         return RX_QUEUED;
2887 }
2888 
2889 static ieee80211_rx_result debug_noinline
2890 ieee80211_rx_h_ctrl(struct ieee80211_rx_data *rx, struct sk_buff_head *frames)
2891 {
2892         struct sk_buff *skb = rx->skb;
2893         struct ieee80211_bar *bar = (struct ieee80211_bar *)skb->data;
2894         struct tid_ampdu_rx *tid_agg_rx;
2895         u16 start_seq_num;
2896         u16 tid;
2897 
2898         if (likely(!ieee80211_is_ctl(bar->frame_control)))
2899                 return RX_CONTINUE;
2900 
2901         if (ieee80211_is_back_req(bar->frame_control)) {
2902                 struct {
2903                         __le16 control, start_seq_num;
2904                 } __packed bar_data;
2905                 struct ieee80211_event event = {
2906                         .type = BAR_RX_EVENT,
2907                 };
2908 
2909                 if (!rx->sta)
2910                         return RX_DROP_MONITOR;
2911 
2912                 if (skb_copy_bits(skb, offsetof(struct ieee80211_bar, control),
2913                                   &bar_data, sizeof(bar_data)))
2914                         return RX_DROP_MONITOR;
2915 
2916                 tid = le16_to_cpu(bar_data.control) >> 12;
2917 
2918                 if (!test_bit(tid, rx->sta->ampdu_mlme.agg_session_valid) &&
2919                     !test_and_set_bit(tid, rx->sta->ampdu_mlme.unexpected_agg))
2920                         ieee80211_send_delba(rx->sdata, rx->sta->sta.addr, tid,
2921                                              WLAN_BACK_RECIPIENT,
2922                                              WLAN_REASON_QSTA_REQUIRE_SETUP);
2923 
2924                 tid_agg_rx = rcu_dereference(rx->sta->ampdu_mlme.tid_rx[tid]);
2925                 if (!tid_agg_rx)
2926                         return RX_DROP_MONITOR;
2927 
2928                 start_seq_num = le16_to_cpu(bar_data.start_seq_num) >> 4;
2929                 event.u.ba.tid = tid;
2930                 event.u.ba.ssn = start_seq_num;
2931                 event.u.ba.sta = &rx->sta->sta;
2932 
2933                 /* reset session timer */
2934                 if (tid_agg_rx->timeout)
2935                         mod_timer(&tid_agg_rx->session_timer,
2936                                   TU_TO_EXP_TIME(tid_agg_rx->timeout));
2937 
2938                 spin_lock(&tid_agg_rx->reorder_lock);
2939                 /* release stored frames up to start of BAR */
2940                 ieee80211_release_reorder_frames(rx->sdata, tid_agg_rx,
2941                                                  start_seq_num, frames);
2942                 spin_unlock(&tid_agg_rx->reorder_lock);
2943 
2944                 drv_event_callback(rx->local, rx->sdata, &event);
2945 
2946                 kfree_skb(skb);
2947                 return RX_QUEUED;
2948         }
2949 
2950         /*
2951          * After this point, we only want management frames,
2952          * so we can drop all remaining control frames to
2953          * cooked monitor interfaces.
2954          */
2955         return RX_DROP_MONITOR;
2956 }
2957 
2958 static void ieee80211_process_sa_query_req(struct ieee80211_sub_if_data *sdata,
2959                                            struct ieee80211_mgmt *mgmt,
2960                                            size_t len)
2961 {
2962         struct ieee80211_local *local = sdata->local;
2963         struct sk_buff *skb;
2964         struct ieee80211_mgmt *resp;
2965 
2966         if (!ether_addr_equal(mgmt->da, sdata->vif.addr)) {
2967                 /* Not to own unicast address */
2968                 return;
2969         }
2970 
2971         if (!ether_addr_equal(mgmt->sa, sdata->u.mgd.bssid) ||
2972             !ether_addr_equal(mgmt->bssid, sdata->u.mgd.bssid)) {
2973                 /* Not from the current AP or not associated yet. */
2974                 return;
2975         }
2976 
2977         if (len < 24 + 1 + sizeof(resp->u.action.u.sa_query)) {
2978                 /* Too short SA Query request frame */
2979                 return;
2980         }
2981 
2982         skb = dev_alloc_skb(sizeof(*resp) + local->hw.extra_tx_headroom);
2983         if (skb == NULL)
2984                 return;
2985 
2986         skb_reserve(skb, local->hw.extra_tx_headroom);
2987         resp = skb_put_zero(skb, 24);
2988         memcpy(resp->da, mgmt->sa, ETH_ALEN);
2989         memcpy(resp->sa, sdata->vif.addr, ETH_ALEN);
2990         memcpy(resp->bssid, sdata->u.mgd.bssid, ETH_ALEN);
2991         resp->frame_control = cpu_to_le16(IEEE80211_FTYPE_MGMT |
2992                                           IEEE80211_STYPE_ACTION);
2993         skb_put(skb, 1 + sizeof(resp->u.action.u.sa_query));
2994         resp->u.action.category = WLAN_CATEGORY_SA_QUERY;
2995         resp->u.action.u.sa_query.action = WLAN_ACTION_SA_QUERY_RESPONSE;
2996         memcpy(resp->u.action.u.sa_query.trans_id,
2997                mgmt->u.action.u.sa_query.trans_id,
2998                WLAN_SA_QUERY_TR_ID_LEN);
2999 
3000         ieee80211_tx_skb(sdata, skb);
3001 }
3002 
3003 static ieee80211_rx_result debug_noinline
3004 ieee80211_rx_h_mgmt_check(struct ieee80211_rx_data *rx)
3005 {
3006         struct ieee80211_mgmt *mgmt = (struct ieee80211_mgmt *) rx->skb->data;
3007         struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(rx->skb);
3008 
3009         /*
3010          * From here on, look only at management frames.
3011          * Data and control frames are already handled,
3012          * and unknown (reserved) frames are useless.
3013          */
3014         if (rx->skb->len < 24)
3015                 return RX_DROP_MONITOR;
3016 
3017         if (!ieee80211_is_mgmt(mgmt->frame_control))
3018                 return RX_DROP_MONITOR;
3019 
3020         if (rx->sdata->vif.type == NL80211_IFTYPE_AP &&
3021             ieee80211_is_beacon(mgmt->frame_control) &&
3022             !(rx->flags & IEEE80211_RX_BEACON_REPORTED)) {
3023                 int sig = 0;
3024 
3025                 if (ieee80211_hw_check(&rx->local->hw, SIGNAL_DBM) &&
3026                     !(status->flag & RX_FLAG_NO_SIGNAL_VAL))
3027                         sig = status->signal;
3028 
3029                 cfg80211_report_obss_beacon(rx->local->hw.wiphy,
3030                                             rx->skb->data, rx->skb->len,
3031                                             status->freq, sig);
3032                 rx->flags |= IEEE80211_RX_BEACON_REPORTED;
3033         }
3034 
3035         if (ieee80211_drop_unencrypted_mgmt(rx))
3036                 return RX_DROP_UNUSABLE;
3037 
3038         return RX_CONTINUE;
3039 }
3040 
3041 static ieee80211_rx_result debug_noinline
3042 ieee80211_rx_h_action(struct ieee80211_rx_data *rx)
3043 {
3044         struct ieee80211_local *local = rx->local;
3045         struct ieee80211_sub_if_data *sdata = rx->sdata;
3046         struct ieee80211_mgmt *mgmt = (struct ieee80211_mgmt *) rx->skb->data;
3047         struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(rx->skb);
3048         int len = rx->skb->len;
3049 
3050         if (!ieee80211_is_action(mgmt->frame_control))
3051                 return RX_CONTINUE;
3052 
3053         /* drop too small frames */
3054         if (len < IEEE80211_MIN_ACTION_SIZE)
3055                 return RX_DROP_UNUSABLE;
3056 
3057         if (!rx->sta && mgmt->u.action.category != WLAN_CATEGORY_PUBLIC &&
3058             mgmt->u.action.category != WLAN_CATEGORY_SELF_PROTECTED &&
3059             mgmt->u.action.category != WLAN_CATEGORY_SPECTRUM_MGMT)
3060                 return RX_DROP_UNUSABLE;
3061 
3062         switch (mgmt->u.action.category) {
3063         case WLAN_CATEGORY_HT:
3064                 /* reject HT action frames from stations not supporting HT */
3065                 if (!rx->sta->sta.ht_cap.ht_supported)
3066                         goto invalid;
3067 
3068                 if (sdata->vif.type != NL80211_IFTYPE_STATION &&
3069                     sdata->vif.type != NL80211_IFTYPE_MESH_POINT &&
3070                     sdata->vif.type != NL80211_IFTYPE_AP_VLAN &&
3071                     sdata->vif.type != NL80211_IFTYPE_AP &&
3072                     sdata->vif.type != NL80211_IFTYPE_ADHOC)
3073                         break;
3074 
3075                 /* verify action & smps_control/chanwidth are present */
3076                 if (len < IEEE80211_MIN_ACTION_SIZE + 2)
3077                         goto invalid;
3078 
3079                 switch (mgmt->u.action.u.ht_smps.action) {
3080                 case WLAN_HT_ACTION_SMPS: {
3081                         struct ieee80211_supported_band *sband;
3082                         enum ieee80211_smps_mode smps_mode;
3083                         struct sta_opmode_info sta_opmode = {};
3084 
3085                         /* convert to HT capability */
3086                         switch (mgmt->u.action.u.ht_smps.smps_control) {
3087                         case WLAN_HT_SMPS_CONTROL_DISABLED:
3088                                 smps_mode = IEEE80211_SMPS_OFF;
3089                                 break;
3090                         case WLAN_HT_SMPS_CONTROL_STATIC:
3091                                 smps_mode = IEEE80211_SMPS_STATIC;
3092                                 break;
3093                         case WLAN_HT_SMPS_CONTROL_DYNAMIC:
3094                                 smps_mode = IEEE80211_SMPS_DYNAMIC;
3095                                 break;
3096                         default:
3097                                 goto invalid;
3098                         }
3099 
3100                         /* if no change do nothing */
3101                         if (rx->sta->sta.smps_mode == smps_mode)
3102                                 goto handled;
3103                         rx->sta->sta.smps_mode = smps_mode;
3104                         sta_opmode.smps_mode =
3105                                 ieee80211_smps_mode_to_smps_mode(smps_mode);
3106                         sta_opmode.changed = STA_OPMODE_SMPS_MODE_CHANGED;
3107 
3108                         sband = rx->local->hw.wiphy->bands[status->band];
3109 
3110                         rate_control_rate_update(local, sband, rx->sta,
3111                                                  IEEE80211_RC_SMPS_CHANGED);
3112                         cfg80211_sta_opmode_change_notify(sdata->dev,
3113                                                           rx->sta->addr,
3114                                                           &sta_opmode,
3115                                                           GFP_ATOMIC);
3116                         goto handled;
3117                 }
3118                 case WLAN_HT_ACTION_NOTIFY_CHANWIDTH: {
3119                         struct ieee80211_supported_band *sband;
3120                         u8 chanwidth = mgmt->u.action.u.ht_notify_cw.chanwidth;
3121                         enum ieee80211_sta_rx_bandwidth max_bw, new_bw;
3122                         struct sta_opmode_info sta_opmode = {};
3123 
3124                         /* If it doesn't support 40 MHz it can't change ... */
3125                         if (!(rx->sta->sta.ht_cap.cap &
3126                                         IEEE80211_HT_CAP_SUP_WIDTH_20_40))
3127                                 goto handled;
3128 
3129                         if (chanwidth == IEEE80211_HT_CHANWIDTH_20MHZ)
3130                                 max_bw = IEEE80211_STA_RX_BW_20;
3131                         else
3132                                 max_bw = ieee80211_sta_cap_rx_bw(rx->sta);
3133 
3134                         /* set cur_max_bandwidth and recalc sta bw */
3135                         rx->sta->cur_max_bandwidth = max_bw;
3136                         new_bw = ieee80211_sta_cur_vht_bw(rx->sta);
3137 
3138                         if (rx->sta->sta.bandwidth == new_bw)
3139                                 goto handled;
3140 
3141                         rx->sta->sta.bandwidth = new_bw;
3142                         sband = rx->local->hw.wiphy->bands[status->band];
3143                         sta_opmode.bw =
3144                                 ieee80211_sta_rx_bw_to_chan_width(rx->sta);
3145                         sta_opmode.changed = STA_OPMODE_MAX_BW_CHANGED;
3146 
3147                         rate_control_rate_update(local, sband, rx->sta,
3148                                                  IEEE80211_RC_BW_CHANGED);
3149                         cfg80211_sta_opmode_change_notify(sdata->dev,
3150                                                           rx->sta->addr,
3151                                                           &sta_opmode,
3152                                                           GFP_ATOMIC);
3153                         goto handled;
3154                 }
3155                 default:
3156                         goto invalid;
3157                 }
3158 
3159                 break;
3160         case WLAN_CATEGORY_PUBLIC:
3161                 if (len < IEEE80211_MIN_ACTION_SIZE + 1)
3162                         goto invalid;
3163                 if (sdata->vif.type != NL80211_IFTYPE_STATION)
3164                         break;
3165                 if (!rx->sta)
3166                         break;
3167                 if (!ether_addr_equal(mgmt->bssid, sdata->u.mgd.bssid))
3168                         break;
3169                 if (mgmt->u.action.u.ext_chan_switch.action_code !=
3170                                 WLAN_PUB_ACTION_EXT_CHANSW_ANN)
3171                         break;
3172                 if (len < offsetof(struct ieee80211_mgmt,
3173                                    u.action.u.ext_chan_switch.variable))
3174                         goto invalid;
3175                 goto queue;
3176         case WLAN_CATEGORY_VHT:
3177                 if (sdata->vif.type != NL80211_IFTYPE_STATION &&
3178                     sdata->vif.type != NL80211_IFTYPE_MESH_POINT &&
3179                     sdata->vif.type != NL80211_IFTYPE_AP_VLAN &&
3180                     sdata->vif.type != NL80211_IFTYPE_AP &&
3181                     sdata->vif.type != NL80211_IFTYPE_ADHOC)
3182                         break;
3183 
3184                 /* verify action code is present */
3185                 if (len < IEEE80211_MIN_ACTION_SIZE + 1)
3186                         goto invalid;
3187 
3188                 switch (mgmt->u.action.u.vht_opmode_notif.action_code) {
3189                 case WLAN_VHT_ACTION_OPMODE_NOTIF: {
3190                         /* verify opmode is present */
3191                         if (len < IEEE80211_MIN_ACTION_SIZE + 2)
3192                                 goto invalid;
3193                         goto queue;
3194                 }
3195                 case WLAN_VHT_ACTION_GROUPID_MGMT: {
3196                         if (len < IEEE80211_MIN_ACTION_SIZE + 25)
3197                                 goto invalid;
3198                         goto queue;
3199                 }
3200                 default:
3201                         break;
3202                 }
3203                 break;
3204         case WLAN_CATEGORY_BACK:
3205                 if (sdata->vif.type != NL80211_IFTYPE_STATION &&
3206                     sdata->vif.type != NL80211_IFTYPE_MESH_POINT &&
3207                     sdata->vif.type != NL80211_IFTYPE_AP_VLAN &&
3208                     sdata->vif.type != NL80211_IFTYPE_AP &&
3209                     sdata->vif.type != NL80211_IFTYPE_ADHOC)
3210                         break;
3211 
3212                 /* verify action_code is present */
3213                 if (len < IEEE80211_MIN_ACTION_SIZE + 1)
3214                         break;
3215 
3216                 switch (mgmt->u.action.u.addba_req.action_code) {
3217                 case WLAN_ACTION_ADDBA_REQ:
3218                         if (len < (IEEE80211_MIN_ACTION_SIZE +
3219                                    sizeof(mgmt->u.action.u.addba_req)))
3220                                 goto invalid;
3221                         break;
3222                 case WLAN_ACTION_ADDBA_RESP:
3223                         if (len < (IEEE80211_MIN_ACTION_SIZE +
3224                                    sizeof(mgmt->u.action.u.addba_resp)))
3225                                 goto invalid;
3226                         break;
3227                 case WLAN_ACTION_DELBA:
3228                         if (len < (IEEE80211_MIN_ACTION_SIZE +
3229                                    sizeof(mgmt->u.action.u.delba)))
3230                                 goto invalid;
3231                         break;
3232                 default:
3233                         goto invalid;
3234                 }
3235 
3236                 goto queue;
3237         case WLAN_CATEGORY_SPECTRUM_MGMT:
3238                 /* verify action_code is present */
3239                 if (len < IEEE80211_MIN_ACTION_SIZE + 1)
3240                         break;
3241 
3242                 switch (mgmt->u.action.u.measurement.action_code) {
3243                 case WLAN_ACTION_SPCT_MSR_REQ:
3244                         if (status->band != NL80211_BAND_5GHZ)
3245                                 break;
3246 
3247                         if (len < (IEEE80211_MIN_ACTION_SIZE +
3248                                    sizeof(mgmt->u.action.u.measurement)))
3249                                 break;
3250 
3251                         if (sdata->vif.type != NL80211_IFTYPE_STATION)
3252                                 break;
3253 
3254                         ieee80211_process_measurement_req(sdata, mgmt, len);
3255                         goto handled;
3256                 case WLAN_ACTION_SPCT_CHL_SWITCH: {
3257                         u8 *bssid;
3258                         if (len < (IEEE80211_MIN_ACTION_SIZE +
3259                                    sizeof(mgmt->u.action.u.chan_switch)))
3260                                 break;
3261 
3262                         if (sdata->vif.type != NL80211_IFTYPE_STATION &&
3263                             sdata->vif.type != NL80211_IFTYPE_ADHOC &&
3264                             sdata->vif.type != NL80211_IFTYPE_MESH_POINT)
3265                                 break;
3266 
3267                         if (sdata->vif.type == NL80211_IFTYPE_STATION)
3268                                 bssid = sdata->u.mgd.bssid;
3269                         else if (sdata->vif.type == NL80211_IFTYPE_ADHOC)
3270                                 bssid = sdata->u.ibss.bssid;
3271                         else if (sdata->vif.type == NL80211_IFTYPE_MESH_POINT)
3272                                 bssid = mgmt->sa;
3273                         else
3274                                 break;
3275 
3276                         if (!ether_addr_equal(mgmt->bssid, bssid))
3277                                 break;
3278 
3279                         goto queue;
3280                         }
3281                 }
3282                 break;
3283         case WLAN_CATEGORY_SA_QUERY:
3284                 if (len < (IEEE80211_MIN_ACTION_SIZE +
3285                            sizeof(mgmt->u.action.u.sa_query)))
3286                         break;
3287 
3288                 switch (mgmt->u.action.u.sa_query.action) {
3289                 case WLAN_ACTION_SA_QUERY_REQUEST:
3290                         if (sdata->vif.type != NL80211_IFTYPE_STATION)
3291                                 break;
3292                         ieee80211_process_sa_query_req(sdata, mgmt, len);
3293                         goto handled;
3294                 }
3295                 break;
3296         case WLAN_CATEGORY_SELF_PROTECTED:
3297                 if (len < (IEEE80211_MIN_ACTION_SIZE +
3298                            sizeof(mgmt->u.action.u.self_prot.action_code)))
3299                         break;
3300 
3301                 switch (mgmt->u.action.u.self_prot.action_code) {
3302                 case WLAN_SP_MESH_PEERING_OPEN:
3303                 case WLAN_SP_MESH_PEERING_CLOSE:
3304                 case WLAN_SP_MESH_PEERING_CONFIRM:
3305                         if (!ieee80211_vif_is_mesh(&sdata->vif))
3306                                 goto invalid;
3307                         if (sdata->u.mesh.user_mpm)
3308                                 /* userspace handles this frame */
3309                                 break;
3310                         goto queue;
3311                 case WLAN_SP_MGK_INFORM:
3312                 case WLAN_SP_MGK_ACK:
3313                         if (!ieee80211_vif_is_mesh(&sdata->vif))
3314                                 goto invalid;
3315                         break;
3316                 }
3317                 break;
3318         case WLAN_CATEGORY_MESH_ACTION:
3319                 if (len < (IEEE80211_MIN_ACTION_SIZE +
3320                            sizeof(mgmt->u.action.u.mesh_action.action_code)))
3321                         break;
3322 
3323                 if (!ieee80211_vif_is_mesh(&sdata->vif))
3324                         break;
3325                 if (mesh_action_is_path_sel(mgmt) &&
3326                     !mesh_path_sel_is_hwmp(sdata))
3327                         break;
3328                 goto queue;
3329         }
3330 
3331         return RX_CONTINUE;
3332 
3333  invalid:
3334         status->rx_flags |= IEEE80211_RX_MALFORMED_ACTION_FRM;
3335         /* will return in the next handlers */
3336         return RX_CONTINUE;
3337 
3338  handled:
3339         if (rx->sta)
3340                 rx->sta->rx_stats.packets++;
3341         dev_kfree_skb(rx->skb);
3342         return RX_QUEUED;
3343 
3344  queue:
3345         skb_queue_tail(&sdata->skb_queue, rx->skb);
3346         ieee80211_queue_work(&local->hw, &sdata->work);
3347         if (rx->sta)
3348                 rx->sta->rx_stats.packets++;
3349         return RX_QUEUED;
3350 }
3351 
3352 static ieee80211_rx_result debug_noinline
3353 ieee80211_rx_h_userspace_mgmt(struct ieee80211_rx_data *rx)
3354 {
3355         struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(rx->skb);
3356         int sig = 0;
3357 
3358         /* skip known-bad action frames and return them in the next handler */
3359         if (status->rx_flags & IEEE80211_RX_MALFORMED_ACTION_FRM)
3360                 return RX_CONTINUE;
3361 
3362         /*
3363          * Getting here means the kernel doesn't know how to handle
3364          * it, but maybe userspace does ... include returned frames
3365          * so userspace can register for those to know whether ones
3366          * it transmitted were processed or returned.
3367          */
3368 
3369         if (ieee80211_hw_check(&rx->local->hw, SIGNAL_DBM) &&
3370             !(status->flag & RX_FLAG_NO_SIGNAL_VAL))
3371                 sig = status->signal;
3372 
3373         if (cfg80211_rx_mgmt(&rx->sdata->wdev, status->freq, sig,
3374                              rx->skb->data, rx->skb->len, 0)) {
3375                 if (rx->sta)
3376                         rx->sta->rx_stats.packets++;
3377                 dev_kfree_skb(rx->skb);
3378                 return RX_QUEUED;
3379         }
3380 
3381         return RX_CONTINUE;
3382 }
3383 
3384 static ieee80211_rx_result debug_noinline
3385 ieee80211_rx_h_action_return(struct ieee80211_rx_data *rx)
3386 {
3387         struct ieee80211_local *local = rx->local;
3388         struct ieee80211_mgmt *mgmt = (struct ieee80211_mgmt *) rx->skb->data;
3389         struct sk_buff *nskb;
3390         struct ieee80211_sub_if_data *sdata = rx->sdata;
3391         struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(rx->skb);
3392 
3393         if (!ieee80211_is_action(mgmt->frame_control))
3394                 return RX_CONTINUE;
3395 
3396         /*
3397          * For AP mode, hostapd is responsible for handling any action
3398          * frames that we didn't handle, including returning unknown
3399          * ones. For all other modes we will return them to the sender,
3400          * setting the 0x80 bit in the action category, as required by
3401          * 802.11-2012 9.24.4.
3402          * Newer versions of hostapd shall also use the management frame
3403          * registration mechanisms, but older ones still use cooked
3404          * monitor interfaces so push all frames there.
3405          */
3406         if (!(status->rx_flags & IEEE80211_RX_MALFORMED_ACTION_FRM) &&
3407             (sdata->vif.type == NL80211_IFTYPE_AP ||
3408              sdata->vif.type == NL80211_IFTYPE_AP_VLAN))
3409                 return RX_DROP_MONITOR;
3410 
3411         if (is_multicast_ether_addr(mgmt->da))
3412                 return RX_DROP_MONITOR;
3413 
3414         /* do not return rejected action frames */
3415         if (mgmt->u.action.category & 0x80)
3416                 return RX_DROP_UNUSABLE;
3417 
3418         nskb = skb_copy_expand(rx->skb, local->hw.extra_tx_headroom, 0,
3419                                GFP_ATOMIC);
3420         if (nskb) {
3421                 struct ieee80211_mgmt *nmgmt = (void *)nskb->data;
3422 
3423                 nmgmt->u.action.category |= 0x80;
3424                 memcpy(nmgmt->da, nmgmt->sa, ETH_ALEN);
3425                 memcpy(nmgmt->sa, rx->sdata->vif.addr, ETH_ALEN);
3426 
3427                 memset(nskb->cb, 0, sizeof(nskb->cb));
3428 
3429                 if (rx->sdata->vif.type == NL80211_IFTYPE_P2P_DEVICE) {
3430                         struct ieee80211_tx_info *info = IEEE80211_SKB_CB(nskb);
3431 
3432                         info->flags = IEEE80211_TX_CTL_TX_OFFCHAN |
3433                                       IEEE80211_TX_INTFL_OFFCHAN_TX_OK |
3434                                       IEEE80211_TX_CTL_NO_CCK_RATE;
3435                         if (ieee80211_hw_check(&local->hw, QUEUE_CONTROL))
3436                                 info->hw_queue =
3437                                         local->hw.offchannel_tx_hw_queue;
3438                 }
3439 
3440                 __ieee80211_tx_skb_tid_band(rx->sdata, nskb, 7,
3441                                             status->band, 0);
3442         }
3443         dev_kfree_skb(rx->skb);
3444         return RX_QUEUED;
3445 }
3446 
3447 static ieee80211_rx_result debug_noinline
3448 ieee80211_rx_h_mgmt(struct ieee80211_rx_data *rx)
3449 {
3450         struct ieee80211_sub_if_data *sdata = rx->sdata;
3451         struct ieee80211_mgmt *mgmt = (void *)rx->skb->data;
3452         __le16 stype;
3453 
3454         stype = mgmt->frame_control & cpu_to_le16(IEEE80211_FCTL_STYPE);
3455 
3456         if (!ieee80211_vif_is_mesh(&sdata->vif) &&
3457             sdata->vif.type != NL80211_IFTYPE_ADHOC &&
3458             sdata->vif.type != NL80211_IFTYPE_OCB &&
3459             sdata->vif.type != NL80211_IFTYPE_STATION)
3460                 return RX_DROP_MONITOR;
3461 
3462         switch (stype) {
3463         case cpu_to_le16(IEEE80211_STYPE_AUTH):
3464         case cpu_to_le16(IEEE80211_STYPE_BEACON):
3465         case cpu_to_le16(IEEE80211_STYPE_PROBE_RESP):
3466                 /* process for all: mesh, mlme, ibss */
3467                 break;
3468         case cpu_to_le16(IEEE80211_STYPE_DEAUTH):
3469                 if (is_multicast_ether_addr(mgmt->da) &&
3470                     !is_broadcast_ether_addr(mgmt->da))
3471                         return RX_DROP_MONITOR;
3472 
3473                 /* process only for station/IBSS */
3474                 if (sdata->vif.type != NL80211_IFTYPE_STATION &&
3475                     sdata->vif.type != NL80211_IFTYPE_ADHOC)
3476                         return RX_DROP_MONITOR;
3477                 break;
3478         case cpu_to_le16(IEEE80211_STYPE_ASSOC_RESP):
3479         case cpu_to_le16(IEEE80211_STYPE_REASSOC_RESP):
3480         case cpu_to_le16(IEEE80211_STYPE_DISASSOC):
3481                 if (is_multicast_ether_addr(mgmt->da) &&
3482                     !is_broadcast_ether_addr(mgmt->da))
3483                         return RX_DROP_MONITOR;
3484 
3485                 /* process only for station */
3486                 if (sdata->vif.type != NL80211_IFTYPE_STATION)
3487                         return RX_DROP_MONITOR;
3488                 break;
3489         case cpu_to_le16(IEEE80211_STYPE_PROBE_REQ):
3490                 /* process only for ibss and mesh */
3491                 if (sdata->vif.type != NL80211_IFTYPE_ADHOC &&
3492                     sdata->vif.type != NL80211_IFTYPE_MESH_POINT)
3493                         return RX_DROP_MONITOR;
3494                 break;
3495         default:
3496                 return RX_DROP_MONITOR;
3497         }
3498 
3499         /* queue up frame and kick off work to process it */
3500         skb_queue_tail(&sdata->skb_queue, rx->skb);
3501         ieee80211_queue_work(&rx->local->hw, &sdata->work);
3502         if (rx->sta)
3503                 rx->sta->rx_stats.packets++;
3504 
3505         return RX_QUEUED;
3506 }
3507 
3508 static void ieee80211_rx_cooked_monitor(struct ieee80211_rx_data *rx,
3509                                         struct ieee80211_rate *rate)
3510 {
3511         struct ieee80211_sub_if_data *sdata;
3512         struct ieee80211_local *local = rx->local;
3513         struct sk_buff *skb = rx->skb, *skb2;
3514         struct net_device *prev_dev = NULL;
3515         struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb);
3516         int needed_headroom;
3517 
3518         /*
3519          * If cooked monitor has been processed already, then
3520          * don't do it again. If not, set the flag.
3521          */
3522         if (rx->flags & IEEE80211_RX_CMNTR)
3523                 goto out_free_skb;
3524         rx->flags |= IEEE80211_RX_CMNTR;
3525 
3526         /* If there are no cooked monitor interfaces, just free the SKB */
3527         if (!local->cooked_mntrs)
3528                 goto out_free_skb;
3529 
3530         /* vendor data is long removed here */
3531         status->flag &= ~RX_FLAG_RADIOTAP_VENDOR_DATA;
3532         /* room for the radiotap header based on driver features */
3533         needed_headroom = ieee80211_rx_radiotap_hdrlen(local, status, skb);
3534 
3535         if (skb_headroom(skb) < needed_headroom &&
3536             pskb_expand_head(skb, needed_headroom, 0, GFP_ATOMIC))
3537                 goto out_free_skb;
3538 
3539         /* prepend radiotap information */
3540         ieee80211_add_rx_radiotap_header(local, skb, rate, needed_headroom,
3541                                          false);
3542 
3543         skb_reset_mac_header(skb);
3544         skb->ip_summed = CHECKSUM_UNNECESSARY;
3545         skb->pkt_type = PACKET_OTHERHOST;
3546         skb->protocol = htons(ETH_P_802_2);
3547 
3548         list_for_each_entry_rcu(sdata, &local->interfaces, list) {
3549                 if (!ieee80211_sdata_running(sdata))
3550                         continue;
3551 
3552                 if (sdata->vif.type != NL80211_IFTYPE_MONITOR ||
3553                     !(sdata->u.mntr.flags & MONITOR_FLAG_COOK_FRAMES))
3554                         continue;
3555 
3556                 if (prev_dev) {
3557                         skb2 = skb_clone(skb, GFP_ATOMIC);
3558                         if (skb2) {
3559                                 skb2->dev = prev_dev;
3560                                 netif_receive_skb(skb2);
3561                         }
3562                 }
3563 
3564                 prev_dev = sdata->dev;
3565                 ieee80211_rx_stats(sdata->dev, skb->len);
3566         }
3567 
3568         if (prev_dev) {
3569                 skb->dev = prev_dev;
3570                 netif_receive_skb(skb);
3571                 return;
3572         }
3573 
3574  out_free_skb:
3575         dev_kfree_skb(skb);
3576 }
3577 
3578 static void ieee80211_rx_handlers_result(struct ieee80211_rx_data *rx,
3579                                          ieee80211_rx_result res)
3580 {
3581         switch (res) {
3582         case RX_DROP_MONITOR:
3583                 I802_DEBUG_INC(rx->sdata->local->rx_handlers_drop);
3584                 if (rx->sta)
3585                         rx->sta->rx_stats.dropped++;
3586                 /* fall through */
3587         case RX_CONTINUE: {
3588                 struct ieee80211_rate *rate = NULL;
3589                 struct ieee80211_supported_band *sband;
3590                 struct ieee80211_rx_status *status;
3591 
3592                 status = IEEE80211_SKB_RXCB((rx->skb));
3593 
3594                 sband = rx->local->hw.wiphy->bands[status->band];
3595                 if (status->encoding == RX_ENC_LEGACY)
3596                         rate = &sband->bitrates[status->rate_idx];
3597 
3598                 ieee80211_rx_cooked_monitor(rx, rate);
3599                 break;
3600                 }
3601         case RX_DROP_UNUSABLE:
3602                 I802_DEBUG_INC(rx->sdata->local->rx_handlers_drop);
3603                 if (rx->sta)
3604                         rx->sta->rx_stats.dropped++;
3605                 dev_kfree_skb(rx->skb);
3606                 break;
3607         case RX_QUEUED:
3608                 I802_DEBUG_INC(rx->sdata->local->rx_handlers_queued);
3609                 break;
3610         }
3611 }
3612 
3613 static void ieee80211_rx_handlers(struct ieee80211_rx_data *rx,
3614                                   struct sk_buff_head *frames)
3615 {
3616         ieee80211_rx_result res = RX_DROP_MONITOR;
3617         struct sk_buff *skb;
3618 
3619 #define CALL_RXH(rxh)                   \
3620         do {                            \
3621                 res = rxh(rx);          \
3622                 if (res != RX_CONTINUE) \
3623                         goto rxh_next;  \
3624         } while (0)
3625 
3626         /* Lock here to avoid hitting all of the data used in the RX
3627          * path (e.g. key data, station data, ...) concurrently when
3628          * a frame is released from the reorder buffer due to timeout
3629          * from the timer, potentially concurrently with RX from the
3630          * driver.
3631          */
3632         spin_lock_bh(&rx->local->rx_path_lock);
3633 
3634         while ((skb = __skb_dequeue(frames))) {
3635                 /*
3636                  * all the other fields are valid across frames
3637                  * that belong to an aMPDU since they are on the
3638                  * same TID from the same station
3639                  */
3640                 rx->skb = skb;
3641 
3642                 CALL_RXH(ieee80211_rx_h_check_more_data);
3643                 CALL_RXH(ieee80211_rx_h_uapsd_and_pspoll);
3644                 CALL_RXH(ieee80211_rx_h_sta_process);
3645                 CALL_RXH(ieee80211_rx_h_decrypt);
3646                 CALL_RXH(ieee80211_rx_h_defragment);
3647                 CALL_RXH(ieee80211_rx_h_michael_mic_verify);
3648                 /* must be after MMIC verify so header is counted in MPDU mic */
3649 #ifdef CONFIG_MAC80211_MESH
3650                 if (ieee80211_vif_is_mesh(&rx->sdata->vif))
3651                         CALL_RXH(ieee80211_rx_h_mesh_fwding);
3652 #endif
3653                 CALL_RXH(ieee80211_rx_h_amsdu);
3654                 CALL_RXH(ieee80211_rx_h_data);
3655 
3656                 /* special treatment -- needs the queue */
3657                 res = ieee80211_rx_h_ctrl(rx, frames);
3658                 if (res != RX_CONTINUE)
3659                         goto rxh_next;
3660 
3661                 CALL_RXH(ieee80211_rx_h_mgmt_check);
3662                 CALL_RXH(ieee80211_rx_h_action);
3663                 CALL_RXH(ieee80211_rx_h_userspace_mgmt);
3664                 CALL_RXH(ieee80211_rx_h_action_return);
3665                 CALL_RXH(ieee80211_rx_h_mgmt);
3666 
3667  rxh_next:
3668                 ieee80211_rx_handlers_result(rx, res);
3669 
3670 #undef CALL_RXH
3671         }
3672 
3673         spin_unlock_bh(&rx->local->rx_path_lock);
3674 }
3675 
3676 static void ieee80211_invoke_rx_handlers(struct ieee80211_rx_data *rx)
3677 {
3678         struct sk_buff_head reorder_release;
3679         ieee80211_rx_result res = RX_DROP_MONITOR;
3680 
3681         __skb_queue_head_init(&reorder_release);
3682 
3683 #define CALL_RXH(rxh)                   \
3684         do {                            \
3685                 res = rxh(rx);          \
3686                 if (res != RX_CONTINUE) \
3687                         goto rxh_next;  \
3688         } while (0)
3689 
3690         CALL_RXH(ieee80211_rx_h_check_dup);
3691         CALL_RXH(ieee80211_rx_h_check);
3692 
3693         ieee80211_rx_reorder_ampdu(rx, &reorder_release);
3694 
3695         ieee80211_rx_handlers(rx, &reorder_release);
3696         return;
3697 
3698  rxh_next:
3699         ieee80211_rx_handlers_result(rx, res);
3700 
3701 #undef CALL_RXH
3702 }
3703 
3704 /*
3705  * This function makes calls into the RX path, therefore
3706  * it has to be invoked under RCU read lock.
3707  */
3708 void ieee80211_release_reorder_timeout(struct sta_info *sta, int tid)
3709 {
3710         struct sk_buff_head frames;
3711         struct ieee80211_rx_data rx = {
3712                 .sta = sta,
3713                 .sdata = sta->sdata,
3714                 .local = sta->local,
3715                 /* This is OK -- must be QoS data frame */
3716                 .security_idx = tid,
3717                 .seqno_idx = tid,
3718                 .napi = NULL, /* must be NULL to not have races */
3719         };
3720         struct tid_ampdu_rx *tid_agg_rx;
3721 
3722         tid_agg_rx = rcu_dereference(sta->ampdu_mlme.tid_rx[tid]);
3723         if (!tid_agg_rx)
3724                 return;
3725 
3726         __skb_queue_head_init(&frames);
3727 
3728         spin_lock(&tid_agg_rx->reorder_lock);
3729         ieee80211_sta_reorder_release(sta->sdata, tid_agg_rx, &frames);
3730         spin_unlock(&tid_agg_rx->reorder_lock);
3731 
3732         if (!skb_queue_empty(&frames)) {
3733                 struct ieee80211_event event = {
3734                         .type = BA_FRAME_TIMEOUT,
3735                         .u.ba.tid = tid,
3736                         .u.ba.sta = &sta->sta,
3737                 };
3738                 drv_event_callback(rx.local, rx.sdata, &event);
3739         }
3740 
3741         ieee80211_rx_handlers(&rx, &frames);
3742 }
3743 
3744 void ieee80211_mark_rx_ba_filtered_frames(struct ieee80211_sta *pubsta, u8 tid,
3745                                           u16 ssn, u64 filtered,
3746                                           u16 received_mpdus)
3747 {
3748         struct sta_info *sta;
3749         struct tid_ampdu_rx *tid_agg_rx;
3750         struct sk_buff_head frames;
3751         struct ieee80211_rx_data rx = {
3752                 /* This is OK -- must be QoS data frame */
3753                 .security_idx = tid,
3754                 .seqno_idx = tid,
3755         };
3756         int i, diff;
3757 
3758         if (WARN_ON(!pubsta || tid >= IEEE80211_NUM_TIDS))
3759                 return;
3760 
3761         __skb_queue_head_init(&frames);
3762 
3763         sta = container_of(pubsta, struct sta_info, sta);
3764 
3765         rx.sta = sta;
3766         rx.sdata = sta->sdata;
3767         rx.local = sta->local;
3768 
3769         rcu_read_lock();
3770         tid_agg_rx = rcu_dereference(sta->ampdu_mlme.tid_rx[tid]);
3771         if (!tid_agg_rx)
3772                 goto out;
3773 
3774         spin_lock_bh(&tid_agg_rx->reorder_lock);
3775 
3776         if (received_mpdus >= IEEE80211_SN_MODULO >> 1) {
3777                 int release;
3778 
3779                 /* release all frames in the reorder buffer */
3780                 release = (tid_agg_rx->head_seq_num + tid_agg_rx->buf_size) %
3781                            IEEE80211_SN_MODULO;
3782                 ieee80211_release_reorder_frames(sta->sdata, tid_agg_rx,
3783                                                  release, &frames);
3784                 /* update ssn to match received ssn */
3785                 tid_agg_rx->head_seq_num = ssn;
3786         } else {
3787                 ieee80211_release_reorder_frames(sta->sdata, tid_agg_rx, ssn,
3788                                                  &frames);
3789         }
3790 
3791         /* handle the case that received ssn is behind the mac ssn.
3792          * it can be tid_agg_rx->buf_size behind and still be valid */
3793         diff = (tid_agg_rx->head_seq_num - ssn) & IEEE80211_SN_MASK;
3794         if (diff >= tid_agg_rx->buf_size) {
3795                 tid_agg_rx->reorder_buf_filtered = 0;
3796                 goto release;
3797         }
3798         filtered = filtered >> diff;
3799         ssn += diff;
3800 
3801         /* update bitmap */
3802         for (i = 0; i < tid_agg_rx->buf_size; i++) {
3803                 int index = (ssn + i) % tid_agg_rx->buf_size;
3804 
3805                 tid_agg_rx->reorder_buf_filtered &= ~BIT_ULL(index);
3806                 if (filtered & BIT_ULL(i))
3807                         tid_agg_rx->reorder_buf_filtered |= BIT_ULL(index);
3808         }
3809 
3810         /* now process also frames that the filter marking released */
3811         ieee80211_sta_reorder_release(sta->sdata, tid_agg_rx, &frames);
3812 
3813 release:
3814         spin_unlock_bh(&tid_agg_rx->reorder_lock);
3815 
3816         ieee80211_rx_handlers(&rx, &frames);
3817 
3818  out:
3819         rcu_read_unlock();
3820 }
3821 EXPORT_SYMBOL(ieee80211_mark_rx_ba_filtered_frames);
3822 
3823 /* main receive path */
3824 
3825 static bool ieee80211_accept_frame(struct ieee80211_rx_data *rx)
3826 {
3827         struct ieee80211_sub_if_data *sdata = rx->sdata;
3828         struct sk_buff *skb = rx->skb;
3829         struct ieee80211_hdr *hdr = (void *)skb->data;
3830         struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb);
3831         u8 *bssid = ieee80211_get_bssid(hdr, skb->len, sdata->vif.type);
3832         bool multicast = is_multicast_ether_addr(hdr->addr1);
3833 
3834         switch (sdata->vif.type) {
3835         case NL80211_IFTYPE_STATION:
3836                 if (!bssid && !sdata->u.mgd.use_4addr)
3837                         return false;
3838                 if (ieee80211_is_robust_mgmt_frame(skb) && !rx->sta)
3839                         return false;
3840                 if (multicast)
3841                         return true;
3842                 return ether_addr_equal(sdata->vif.addr, hdr->addr1);
3843         case NL80211_IFTYPE_ADHOC:
3844                 if (!bssid)
3845                         return false;
3846                 if (ether_addr_equal(sdata->vif.addr, hdr->addr2) ||
3847                     ether_addr_equal(sdata->u.ibss.bssid, hdr->addr2))
3848                         return false;
3849                 if (ieee80211_is_beacon(hdr->frame_control))
3850                         return true;
3851                 if (!ieee80211_bssid_match(bssid, sdata->u.ibss.bssid))
3852                         return false;
3853                 if (!multicast &&
3854                     !ether_addr_equal(sdata->vif.addr, hdr->addr1))
3855                         return false;
3856                 if (!rx->sta) {
3857                         int rate_idx;
3858                         if (status->encoding != RX_ENC_LEGACY)
3859                                 rate_idx = 0; /* TODO: HT/VHT rates */
3860                         else
3861                                 rate_idx = status->rate_idx;
3862                         ieee80211_ibss_rx_no_sta(sdata, bssid, hdr->addr2,
3863                                                  BIT(rate_idx));
3864                 }
3865                 return true;
3866         case NL80211_IFTYPE_OCB:
3867                 if (!bssid)
3868                         return false;
3869                 if (!ieee80211_is_data_present(hdr->frame_control))
3870                         return false;
3871                 if (!is_broadcast_ether_addr(bssid))
3872                         return false;
3873                 if (!multicast &&
3874                     !ether_addr_equal(sdata->dev->dev_addr, hdr->addr1))
3875                         return false;
3876                 if (!rx->sta) {
3877                         int rate_idx;
3878                         if (status->encoding != RX_ENC_LEGACY)
3879                                 rate_idx = 0; /* TODO: HT rates */
3880                         else
3881                                 rate_idx = status->rate_idx;
3882                         ieee80211_ocb_rx_no_sta(sdata, bssid, hdr->addr2,
3883                                                 BIT(rate_idx));
3884                 }
3885                 return true;
3886         case NL80211_IFTYPE_MESH_POINT:
3887                 if (ether_addr_equal(sdata->vif.addr, hdr->addr2))
3888                         return false;
3889                 if (multicast)
3890                         return true;
3891                 return ether_addr_equal(sdata->vif.addr, hdr->addr1);
3892         case NL80211_IFTYPE_AP_VLAN:
3893         case NL80211_IFTYPE_AP:
3894                 if (!bssid)
3895                         return ether_addr_equal(sdata->vif.addr, hdr->addr1);
3896 
3897                 if (!ieee80211_bssid_match(bssid, sdata->vif.addr)) {
3898                         /*
3899                          * Accept public action frames even when the
3900                          * BSSID doesn't match, this is used for P2P
3901                          * and location updates. Note that mac80211
3902                          * itself never looks at these frames.
3903                          */
3904                         if (!multicast &&
3905                             !ether_addr_equal(sdata->vif.addr, hdr->addr1))
3906                                 return false;
3907                         if (ieee80211_is_public_action(hdr, skb->len))
3908                                 return true;
3909                         return ieee80211_is_beacon(hdr->frame_control);
3910                 }
3911 
3912                 if (!ieee80211_has_tods(hdr->frame_control)) {
3913                         /* ignore data frames to TDLS-peers */
3914                         if (ieee80211_is_data(hdr->frame_control))
3915                                 return false;
3916                         /* ignore action frames to TDLS-peers */
3917                         if (ieee80211_is_action(hdr->frame_control) &&
3918                             !is_broadcast_ether_addr(bssid) &&
3919                             !ether_addr_equal(bssid, hdr->addr1))
3920                                 return false;
3921                 }
3922 
3923                 /*
3924                  * 802.11-2016 Table 9-26 says that for data frames, A1 must be
3925                  * the BSSID - we've checked that already but may have accepted
3926                  * the wildcard (ff:ff:ff:ff:ff:ff).
3927                  *
3928                  * It also says:
3929                  *      The BSSID of the Data frame is determined as follows:
3930                  *      a) If the STA is contained within an AP or is associated
3931                  *         with an AP, the BSSID is the address currently in use
3932                  *         by the STA contained in the AP.
3933                  *
3934                  * So we should not accept data frames with an address that's
3935                  * multicast.
3936                  *
3937                  * Accepting it also opens a security problem because stations
3938                  * could encrypt it with the GTK and inject traffic that way.
3939                  */
3940                 if (ieee80211_is_data(hdr->frame_control) && multicast)
3941                         return false;
3942 
3943                 return true;
3944         case NL80211_IFTYPE_WDS:
3945                 if (bssid || !ieee80211_is_data(hdr->frame_control))
3946                         return false;
3947                 return ether_addr_equal(sdata->u.wds.remote_addr, hdr->addr2);
3948         case NL80211_IFTYPE_P2P_DEVICE:
3949                 return ieee80211_is_public_action(hdr, skb->len) ||
3950                        ieee80211_is_probe_req(hdr->frame_control) ||
3951                        ieee80211_is_probe_resp(hdr->frame_control) ||
3952                        ieee80211_is_beacon(hdr->frame_control);
3953         case NL80211_IFTYPE_NAN:
3954                 /* Currently no frames on NAN interface are allowed */
3955                 return false;
3956         default:
3957                 break;
3958         }
3959 
3960         WARN_ON_ONCE(1);
3961         return false;
3962 }
3963 
3964 void ieee80211_check_fast_rx(struct sta_info *sta)
3965 {
3966         struct ieee80211_sub_if_data *sdata = sta->sdata;
3967         struct ieee80211_local *local = sdata->local;
3968         struct ieee80211_key *key;
3969         struct ieee80211_fast_rx fastrx = {
3970                 .dev = sdata->dev,
3971                 .vif_type = sdata->vif.type,
3972                 .control_port_protocol = sdata->control_port_protocol,
3973         }, *old, *new = NULL;
3974         bool assign = false;
3975 
3976         /* use sparse to check that we don't return without updating */
3977         __acquire(check_fast_rx);
3978 
3979         BUILD_BUG_ON(sizeof(fastrx.rfc1042_hdr) != sizeof(rfc1042_header));
3980         BUILD_BUG_ON(sizeof(fastrx.rfc1042_hdr) != ETH_ALEN);
3981         ether_addr_copy(fastrx.rfc1042_hdr, rfc1042_header);
3982         ether_addr_copy(fastrx.vif_addr, sdata->vif.addr);
3983 
3984         fastrx.uses_rss = ieee80211_hw_check(&local->hw, USES_RSS);
3985 
3986         /* fast-rx doesn't do reordering */
3987         if (ieee80211_hw_check(&local->hw, AMPDU_AGGREGATION) &&
3988             !ieee80211_hw_check(&local->hw, SUPPORTS_REORDERING_BUFFER))
3989                 goto clear;
3990 
3991         switch (sdata->vif.type) {
3992         case NL80211_IFTYPE_STATION:
3993                 if (sta->sta.tdls) {
3994                         fastrx.da_offs = offsetof(struct ieee80211_hdr, addr1);
3995                         fastrx.sa_offs = offsetof(struct ieee80211_hdr, addr2);
3996                         fastrx.expected_ds_bits = 0;
3997                 } else {
3998                         fastrx.sta_notify = sdata->u.mgd.probe_send_count > 0;
3999                         fastrx.da_offs = offsetof(struct ieee80211_hdr, addr1);
4000                         fastrx.sa_offs = offsetof(struct ieee80211_hdr, addr3);
4001                         fastrx.expected_ds_bits =
4002                                 cpu_to_le16(IEEE80211_FCTL_FROMDS);
4003                 }
4004 
4005                 if (sdata->u.mgd.use_4addr && !sta->sta.tdls) {
4006                         fastrx.expected_ds_bits |=
4007                                 cpu_to_le16(IEEE80211_FCTL_TODS);
4008                         fastrx.da_offs = offsetof(struct ieee80211_hdr, addr3);
4009                         fastrx.sa_offs = offsetof(struct ieee80211_hdr, addr4);
4010                 }
4011 
4012                 if (!sdata->u.mgd.powersave)
4013                         break;
4014 
4015                 /* software powersave is a huge mess, avoid all of it */
4016                 if (ieee80211_hw_check(&local->hw, PS_NULLFUNC_STACK))
4017                         goto clear;
4018                 if (ieee80211_hw_check(&local->hw, SUPPORTS_PS) &&
4019                     !ieee80211_hw_check(&local->hw, SUPPORTS_DYNAMIC_PS))
4020                         goto clear;
4021                 break;
4022         case NL80211_IFTYPE_AP_VLAN:
4023         case NL80211_IFTYPE_AP:
4024                 /* parallel-rx requires this, at least with calls to
4025                  * ieee80211_sta_ps_transition()
4026                  */
4027                 if (!ieee80211_hw_check(&local->hw, AP_LINK_PS))
4028                         goto clear;
4029                 fastrx.da_offs = offsetof(struct ieee80211_hdr, addr3);
4030                 fastrx.sa_offs = offsetof(struct ieee80211_hdr, addr2);
4031                 fastrx.expected_ds_bits = cpu_to_le16(IEEE80211_FCTL_TODS);
4032 
4033                 fastrx.internal_forward =
4034                         !(sdata->flags & IEEE80211_SDATA_DONT_BRIDGE_PACKETS) &&
4035                         (sdata->vif.type != NL80211_IFTYPE_AP_VLAN ||
4036                          !sdata->u.vlan.sta);
4037 
4038                 if (sdata->vif.type == NL80211_IFTYPE_AP_VLAN &&
4039                     sdata->u.vlan.sta) {
4040                         fastrx.expected_ds_bits |=
4041                                 cpu_to_le16(IEEE80211_FCTL_FROMDS);
4042                         fastrx.sa_offs = offsetof(struct ieee80211_hdr, addr4);
4043                         fastrx.internal_forward = 0;
4044                 }
4045 
4046                 break;
4047         default:
4048                 goto clear;
4049         }
4050 
4051         if (!test_sta_flag(sta, WLAN_STA_AUTHORIZED))
4052                 goto clear;
4053 
4054         rcu_read_lock();
4055         key = rcu_dereference(sta->ptk[sta->ptk_idx]);
4056         if (key) {
4057                 switch (key->conf.cipher) {
4058                 case WLAN_CIPHER_SUITE_TKIP:
4059                         /* we don't want to deal with MMIC in fast-rx */
4060                         goto clear_rcu;
4061                 case WLAN_CIPHER_SUITE_CCMP:
4062                 case WLAN_CIPHER_SUITE_CCMP_256:
4063                 case WLAN_CIPHER_SUITE_GCMP:
4064                 case WLAN_CIPHER_SUITE_GCMP_256:
4065                         break;
4066                 default:
4067                         /* We also don't want to deal with
4068                          * WEP or cipher scheme.
4069                          */
4070                         goto clear_rcu;
4071                 }
4072 
4073                 fastrx.key = true;
4074                 fastrx.icv_len = key->conf.icv_len;
4075         }
4076 
4077         assign = true;
4078  clear_rcu:
4079         rcu_read_unlock();
4080  clear:
4081         __release(check_fast_rx);
4082 
4083         if (assign)
4084                 new = kmemdup(&fastrx, sizeof(fastrx), GFP_KERNEL);
4085 
4086         spin_lock_bh(&sta->lock);
4087         old = rcu_dereference_protected(sta->fast_rx, true);
4088         rcu_assign_pointer(sta->fast_rx, new);
4089         spin_unlock_bh(&sta->lock);
4090 
4091         if (old)
4092                 kfree_rcu(old, rcu_head);
4093 }
4094 
4095 void ieee80211_clear_fast_rx(struct sta_info *sta)
4096 {
4097         struct ieee80211_fast_rx *old;
4098 
4099         spin_lock_bh(&sta->lock);
4100         old = rcu_dereference_protected(sta->fast_rx, true);
4101         RCU_INIT_POINTER(sta->fast_rx, NULL);
4102         spin_unlock_bh(&sta->lock);
4103 
4104         if (old)
4105                 kfree_rcu(old, rcu_head);
4106 }
4107 
4108 void __ieee80211_check_fast_rx_iface(struct ieee80211_sub_if_data *sdata)
4109 {
4110         struct ieee80211_local *local = sdata->local;
4111         struct sta_info *sta;
4112 
4113         lockdep_assert_held(&local->sta_mtx);
4114 
4115         list_for_each_entry(sta, &local->sta_list, list) {
4116                 if (sdata != sta->sdata &&
4117                     (!sta->sdata->bss || sta->sdata->bss != sdata->bss))
4118                         continue;
4119                 ieee80211_check_fast_rx(sta);
4120         }
4121 }
4122 
4123 void ieee80211_check_fast_rx_iface(struct ieee80211_sub_if_data *sdata)
4124 {
4125         struct ieee80211_local *local = sdata->local;
4126 
4127         mutex_lock(&local->sta_mtx);
4128         __ieee80211_check_fast_rx_iface(sdata);
4129         mutex_unlock(&local->sta_mtx);
4130 }
4131 
4132 static bool ieee80211_invoke_fast_rx(struct ieee80211_rx_data *rx,
4133                                      struct ieee80211_fast_rx *fast_rx)
4134 {
4135         struct sk_buff *skb = rx->skb;
4136         struct ieee80211_hdr *hdr = (void *)skb->data;
4137         struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb);
4138         struct sta_info *sta = rx->sta;
4139         int orig_len = skb->len;
4140         int hdrlen = ieee80211_hdrlen(hdr->frame_control);
4141         int snap_offs = hdrlen;
4142         struct {
4143                 u8 snap[sizeof(rfc1042_header)];
4144                 __be16 proto;
4145         } *payload __aligned(2);
4146         struct {
4147                 u8 da[ETH_ALEN];
4148                 u8 sa[ETH_ALEN];
4149         } addrs __aligned(2);
4150         struct ieee80211_sta_rx_stats *stats = &sta->rx_stats;
4151 
4152         if (fast_rx->uses_rss)
4153                 stats = this_cpu_ptr(sta->pcpu_rx_stats);
4154 
4155         /* for parallel-rx, we need to have DUP_VALIDATED, otherwise we write
4156          * to a common data structure; drivers can implement that per queue
4157          * but we don't have that information in mac80211
4158          */
4159         if (!(status->flag & RX_FLAG_DUP_VALIDATED))
4160                 return false;
4161 
4162 #define FAST_RX_CRYPT_FLAGS     (RX_FLAG_PN_VALIDATED | RX_FLAG_DECRYPTED)
4163 
4164         /* If using encryption, we also need to have:
4165          *  - PN_VALIDATED: similar, but the implementation is tricky
4166          *  - DECRYPTED: necessary for PN_VALIDATED
4167          */
4168         if (fast_rx->key &&
4169             (status->flag & FAST_RX_CRYPT_FLAGS) != FAST_RX_CRYPT_FLAGS)
4170                 return false;
4171 
4172         if (unlikely(!ieee80211_is_data_present(hdr->frame_control)))
4173                 return false;
4174 
4175         if (unlikely(ieee80211_is_frag(hdr)))
4176                 return false;
4177 
4178         /* Since our interface address cannot be multicast, this
4179          * implicitly also rejects multicast frames without the
4180          * explicit check.
4181          *
4182          * We shouldn't get any *data* frames not addressed to us
4183          * (AP mode will accept multicast *management* frames), but
4184          * punting here will make it go through the full checks in
4185          * ieee80211_accept_frame().
4186          */
4187         if (!ether_addr_equal(fast_rx->vif_addr, hdr->addr1))
4188                 return false;
4189 
4190         if ((hdr->frame_control & cpu_to_le16(IEEE80211_FCTL_FROMDS |
4191                                               IEEE80211_FCTL_TODS)) !=
4192             fast_rx->expected_ds_bits)
4193                 return false;
4194 
4195         /* assign the key to drop unencrypted frames (later)
4196          * and strip the IV/MIC if necessary
4197          */
4198         if (fast_rx->key && !(status->flag & RX_FLAG_IV_STRIPPED)) {
4199                 /* GCMP header length is the same */
4200                 snap_offs += IEEE80211_CCMP_HDR_LEN;
4201         }
4202 
4203         if (!(status->rx_flags & IEEE80211_RX_AMSDU)) {
4204                 if (!pskb_may_pull(skb, snap_offs + sizeof(*payload)))
4205                         goto drop;
4206 
4207                 payload = (void *)(skb->data + snap_offs);
4208 
4209                 if (!ether_addr_equal(payload->snap, fast_rx->rfc1042_hdr))
4210                         return false;
4211 
4212                 /* Don't handle these here since they require special code.
4213                  * Accept AARP and IPX even though they should come with a
4214                  * bridge-tunnel header - but if we get them this way then
4215                  * there's little point in discarding them.
4216                  */
4217                 if (unlikely(payload->proto == cpu_to_be16(ETH_P_TDLS) ||
4218                              payload->proto == fast_rx->control_port_protocol))
4219                         return false;
4220         }
4221 
4222         /* after this point, don't punt to the slowpath! */
4223 
4224         if (rx->key && !(status->flag & RX_FLAG_MIC_STRIPPED) &&
4225             pskb_trim(skb, skb->len - fast_rx->icv_len))
4226                 goto drop;
4227 
4228         if (unlikely(fast_rx->sta_notify)) {
4229                 ieee80211_sta_rx_notify(rx->sdata, hdr);
4230                 fast_rx->sta_notify = false;
4231         }
4232 
4233         /* statistics part of ieee80211_rx_h_sta_process() */
4234         if (!(status->flag & RX_FLAG_NO_SIGNAL_VAL)) {
4235                 stats->last_signal = status->signal;
4236                 if (!fast_rx->uses_rss)
4237                         ewma_signal_add(&sta->rx_stats_avg.signal,
4238                                         -status->signal);
4239         }
4240 
4241         if (status->chains) {
4242                 int i;
4243 
4244                 stats->chains = status->chains;
4245                 for (i = 0; i < ARRAY_SIZE(status->chain_signal); i++) {
4246                         int signal = status->chain_signal[i];
4247 
4248                         if (!(status->chains & BIT(i)))
4249                                 continue;
4250 
4251                         stats->chain_signal_last[i] = signal;
4252                         if (!fast_rx->uses_rss)
4253                                 ewma_signal_add(&sta->rx_stats_avg.chain_signal[i],
4254                                                 -signal);
4255                 }
4256         }
4257         /* end of statistics */
4258 
4259         if (rx->key && !ieee80211_has_protected(hdr->frame_control))
4260                 goto drop;
4261 
4262         if (status->rx_flags & IEEE80211_RX_AMSDU) {
4263                 if (__ieee80211_rx_h_amsdu(rx, snap_offs - hdrlen) !=
4264                     RX_QUEUED)
4265                         goto drop;
4266 
4267                 return true;
4268         }
4269 
4270         stats->last_rx = jiffies;
4271         stats->last_rate = sta_stats_encode_rate(status);
4272 
4273         stats->fragments++;
4274         stats->packets++;
4275 
4276         /* do the header conversion - first grab the addresses */
4277         ether_addr_copy(addrs.da, skb->data + fast_rx->da_offs);
4278         ether_addr_copy(addrs.sa, skb->data + fast_rx->sa_offs);
4279         /* remove the SNAP but leave the ethertype */
4280         skb_pull(skb, snap_offs + sizeof(rfc1042_header));
4281         /* push the addresses in front */
4282         memcpy(skb_push(skb, sizeof(addrs)), &addrs, sizeof(addrs));
4283 
4284         skb->dev = fast_rx->dev;
4285 
4286         ieee80211_rx_stats(fast_rx->dev, skb->len);
4287 
4288         /* The seqno index has the same property as needed
4289          * for the rx_msdu field, i.e. it is IEEE80211_NUM_TIDS
4290          * for non-QoS-data frames. Here we know it's a data
4291          * frame, so count MSDUs.
4292          */
4293         u64_stats_update_begin(&stats->syncp);
4294         stats->msdu[rx->seqno_idx]++;
4295         stats->bytes += orig_len;
4296         u64_stats_update_end(&stats->syncp);
4297 
4298         if (fast_rx->internal_forward) {
4299                 struct sk_buff *xmit_skb = NULL;
4300                 if (is_multicast_ether_addr(addrs.da)) {
4301                         xmit_skb = skb_copy(skb, GFP_ATOMIC);
4302                 } else if (!ether_addr_equal(addrs.da, addrs.sa) &&
4303                            sta_info_get(rx->sdata, addrs.da)) {
4304                         xmit_skb = skb;
4305                         skb = NULL;
4306                 }
4307 
4308                 if (xmit_skb) {
4309                         /*
4310                          * Send to wireless media and increase priority by 256
4311                          * to keep the received priority instead of
4312                          * reclassifying the frame (see cfg80211_classify8021d).
4313                          */
4314                         xmit_skb->priority += 256;
4315                         xmit_skb->protocol = htons(ETH_P_802_3);
4316                         skb_reset_network_header(xmit_skb);
4317                         skb_reset_mac_header(xmit_skb);
4318                         dev_queue_xmit(xmit_skb);
4319                 }
4320 
4321                 if (!skb)
4322                         return true;
4323         }
4324 
4325         /* deliver to local stack */
4326         skb->protocol = eth_type_trans(skb, fast_rx->dev);
4327         memset(skb->cb, 0, sizeof(skb->cb));
4328         if (rx->napi)
4329                 napi_gro_receive(rx->napi, skb);
4330         else
4331                 netif_receive_skb(skb);
4332 
4333         return true;
4334  drop:
4335         dev_kfree_skb(skb);
4336         stats->dropped++;
4337         return true;
4338 }
4339 
4340 /*
4341  * This function returns whether or not the SKB
4342  * was destined for RX processing or not, which,
4343  * if consume is true, is equivalent to whether
4344  * or not the skb was consumed.
4345  */
4346 static bool ieee80211_prepare_and_rx_handle(struct ieee80211_rx_data *rx,
4347                                             struct sk_buff *skb, bool consume)
4348 {
4349         struct ieee80211_local *local = rx->local;
4350         struct ieee80211_sub_if_data *sdata = rx->sdata;
4351 
4352         rx->skb = skb;
4353 
4354         /* See if we can do fast-rx; if we have to copy we already lost,
4355          * so punt in that case. We should never have to deliver a data
4356          * frame to multiple interfaces anyway.
4357          *
4358          * We skip the ieee80211_accept_frame() call and do the necessary
4359          * checking inside ieee80211_invoke_fast_rx().
4360          */
4361         if (consume && rx->sta) {
4362                 struct ieee80211_fast_rx *fast_rx;
4363 
4364                 fast_rx = rcu_dereference(rx->sta->fast_rx);
4365                 if (fast_rx && ieee80211_invoke_fast_rx(rx, fast_rx))
4366                         return true;
4367         }
4368 
4369         if (!ieee80211_accept_frame(rx))
4370                 return false;
4371 
4372         if (!consume) {
4373                 skb = skb_copy(skb, GFP_ATOMIC);
4374                 if (!skb) {
4375                         if (net_ratelimit())
4376                                 wiphy_debug(local->hw.wiphy,
4377                                         "failed to copy skb for %s\n",
4378                                         sdata->name);
4379                         return true;
4380                 }
4381 
4382                 rx->skb = skb;
4383         }
4384 
4385         ieee80211_invoke_rx_handlers(rx);
4386         return true;
4387 }
4388 
4389 /*
4390  * This is the actual Rx frames handler. as it belongs to Rx path it must
4391  * be called with rcu_read_lock protection.
4392  */
4393 static void __ieee80211_rx_handle_packet(struct ieee80211_hw *hw,
4394                                          struct ieee80211_sta *pubsta,
4395                                          struct sk_buff *skb,
4396                                          struct napi_struct *napi)
4397 {
4398         struct ieee80211_local *local = hw_to_local(hw);
4399         struct ieee80211_sub_if_data *sdata;
4400         struct ieee80211_hdr *hdr;
4401         __le16 fc;
4402         struct ieee80211_rx_data rx;
4403         struct ieee80211_sub_if_data *prev;
4404         struct rhlist_head *tmp;
4405         int err = 0;
4406 
4407         fc = ((struct ieee80211_hdr *)skb->data)->frame_control;
4408         memset(&rx, 0, sizeof(rx));
4409         rx.skb = skb;
4410         rx.local = local;
4411         rx.napi = napi;
4412 
4413         if (ieee80211_is_data(fc) || ieee80211_is_mgmt(fc))
4414                 I802_DEBUG_INC(local->dot11ReceivedFragmentCount);
4415 
4416         if (ieee80211_is_mgmt(fc)) {
4417                 /* drop frame if too short for header */
4418                 if (skb->len < ieee80211_hdrlen(fc))
4419                         err = -ENOBUFS;
4420                 else
4421                         err = skb_linearize(skb);
4422         } else {
4423                 err = !pskb_may_pull(skb, ieee80211_hdrlen(fc));
4424         }
4425 
4426         if (err) {
4427                 dev_kfree_skb(skb);
4428                 return;
4429         }
4430 
4431         hdr = (struct ieee80211_hdr *)skb->data;
4432         ieee80211_parse_qos(&rx);
4433         ieee80211_verify_alignment(&rx);
4434 
4435         if (unlikely(ieee80211_is_probe_resp(hdr->frame_control) ||
4436                      ieee80211_is_beacon(hdr->frame_control)))
4437                 ieee80211_scan_rx(local, skb);
4438 
4439         if (ieee80211_is_data(fc)) {
4440                 struct sta_info *sta, *prev_sta;
4441 
4442                 if (pubsta) {
4443                         rx.sta = container_of(pubsta, struct sta_info, sta);
4444                         rx.sdata = rx.sta->sdata;
4445                         if (ieee80211_prepare_and_rx_handle(&rx, skb, true))
4446                                 return;
4447                         goto out;
4448                 }
4449 
4450                 prev_sta = NULL;
4451 
4452                 for_each_sta_info(local, hdr->addr2, sta, tmp) {
4453                         if (!prev_sta) {
4454                                 prev_sta = sta;
4455                                 continue;
4456                         }
4457 
4458                         rx.sta = prev_sta;
4459                         rx.sdata = prev_sta->sdata;
4460                         ieee80211_prepare_and_rx_handle(&rx, skb, false);
4461 
4462                         prev_sta = sta;
4463                 }
4464 
4465                 if (prev_sta) {
4466                         rx.sta = prev_sta;
4467                         rx.sdata = prev_sta->sdata;
4468 
4469                         if (ieee80211_prepare_and_rx_handle(&rx, skb, true))
4470                                 return;
4471                         goto out;
4472                 }
4473         }
4474 
4475         prev = NULL;
4476 
4477         list_for_each_entry_rcu(sdata, &local->interfaces, list) {
4478                 if (!ieee80211_sdata_running(sdata))
4479                         continue;
4480 
4481                 if (sdata->vif.type == NL80211_IFTYPE_MONITOR ||
4482                     sdata->vif.type == NL80211_IFTYPE_AP_VLAN)
4483                         continue;
4484 
4485                 /*
4486                  * frame is destined for this interface, but if it's
4487                  * not also for the previous one we handle that after
4488                  * the loop to avoid copying the SKB once too much
4489                  */
4490 
4491                 if (!prev) {
4492                         prev = sdata;
4493                         continue;
4494                 }
4495 
4496                 rx.sta = sta_info_get_bss(prev, hdr->addr2);
4497                 rx.sdata = prev;
4498                 ieee80211_prepare_and_rx_handle(&rx, skb, false);
4499 
4500                 prev = sdata;
4501         }
4502 
4503         if (prev) {
4504                 rx.sta = sta_info_get_bss(prev, hdr->addr2);
4505                 rx.sdata = prev;
4506 
4507                 if (ieee80211_prepare_and_rx_handle(&rx, skb, true))
4508                         return;
4509         }
4510 
4511  out:
4512         dev_kfree_skb(skb);
4513 }
4514 
4515 /*
4516  * This is the receive path handler. It is called by a low level driver when an
4517  * 802.11 MPDU is received from the hardware.
4518  */
4519 void ieee80211_rx_napi(struct ieee80211_hw *hw, struct ieee80211_sta *pubsta,
4520                        struct sk_buff *skb, struct napi_struct *napi)
4521 {
4522         struct ieee80211_local *local = hw_to_local(hw);
4523         struct ieee80211_rate *rate = NULL;
4524         struct ieee80211_supported_band *sband;
4525         struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb);
4526 
4527         WARN_ON_ONCE(softirq_count() == 0);
4528 
4529         if (WARN_ON(status->band >= NUM_NL80211_BANDS))
4530                 goto drop;
4531 
4532         sband = local->hw.wiphy->bands[status->band];
4533         if (WARN_ON(!sband))
4534                 goto drop;
4535 
4536         /*
4537          * If we're suspending, it is possible although not too likely
4538          * that we'd be receiving frames after having already partially
4539          * quiesced the stack. We can't process such frames then since
4540          * that might, for example, cause stations to be added or other
4541          * driver callbacks be invoked.
4542          */
4543         if (unlikely(local->quiescing || local->suspended))
4544                 goto drop;
4545 
4546         /* We might be during a HW reconfig, prevent Rx for the same reason */
4547         if (unlikely(local->in_reconfig))
4548                 goto drop;
4549 
4550         /*
4551          * The same happens when we're not even started,
4552          * but that's worth a warning.
4553          */
4554         if (WARN_ON(!local->started))
4555                 goto drop;
4556 
4557         if (likely(!(status->flag & RX_FLAG_FAILED_PLCP_CRC))) {
4558                 /*
4559                  * Validate the rate, unless a PLCP error means that
4560                  * we probably can't have a valid rate here anyway.
4561                  */
4562 
4563                 switch (status->encoding) {
4564                 case RX_ENC_HT:
4565                         /*
4566                          * rate_idx is MCS index, which can be [0-76]
4567                          * as documented on:
4568                          *
4569                          * http://wireless.kernel.org/en/developers/Documentation/ieee80211/802.11n
4570                          *
4571                          * Anything else would be some sort of driver or
4572                          * hardware error. The driver should catch hardware
4573                          * errors.
4574                          */
4575                         if (WARN(status->rate_idx > 76,
4576                                  "Rate marked as an HT rate but passed "
4577                                  "status->rate_idx is not "
4578                                  "an MCS index [0-76]: %d (0x%02x)\n",
4579                                  status->rate_idx,
4580                                  status->rate_idx))
4581                                 goto drop;
4582                         break;
4583                 case RX_ENC_VHT:
4584                         if (WARN_ONCE(status->rate_idx > 9 ||
4585                                       !status->nss ||
4586                                       status->nss > 8,
4587                                       "Rate marked as a VHT rate but data is invalid: MCS: %d, NSS: %d\n",
4588                                       status->rate_idx, status->nss))
4589                                 goto drop;
4590                         break;
4591                 case RX_ENC_HE:
4592                         if (WARN_ONCE(status->rate_idx > 11 ||
4593                                       !status->nss ||
4594                                       status->nss > 8,
4595                                       "Rate marked as an HE rate but data is invalid: MCS: %d, NSS: %d\n",
4596                                       status->rate_idx, status->nss))
4597                                 goto drop;
4598                         break;
4599                 default:
4600                         WARN_ON_ONCE(1);
4601                         /* fall through */
4602                 case RX_ENC_LEGACY:
4603                         if (WARN_ON(status->rate_idx >= sband->n_bitrates))
4604                                 goto drop;
4605                         rate = &sband->bitrates[status->rate_idx];
4606                 }
4607         }
4608 
4609         status->rx_flags = 0;
4610 
4611         /*
4612          * key references and virtual interfaces are protected using RCU
4613          * and this requires that we are in a read-side RCU section during
4614          * receive processing
4615          */
4616         rcu_read_lock();
4617 
4618         /*
4619          * Frames with failed FCS/PLCP checksum are not returned,
4620          * all other frames are returned without radiotap header
4621          * if it was previously present.
4622          * Also, frames with less than 16 bytes are dropped.
4623          */
4624         skb = ieee80211_rx_monitor(local, skb, rate);
4625         if (!skb) {
4626                 rcu_read_unlock();
4627                 return;
4628         }
4629 
4630         ieee80211_tpt_led_trig_rx(local,
4631                         ((struct ieee80211_hdr *)skb->data)->frame_control,
4632                         skb->len);
4633 
4634         __ieee80211_rx_handle_packet(hw, pubsta, skb, napi);
4635 
4636         rcu_read_unlock();
4637 
4638         return;
4639  drop:
4640         kfree_skb(skb);
4641 }
4642 EXPORT_SYMBOL(ieee80211_rx_napi);
4643 
4644 /* This is a version of the rx handler that can be called from hard irq
4645  * context. Post the skb on the queue and schedule the tasklet */
4646 void ieee80211_rx_irqsafe(struct ieee80211_hw *hw, struct sk_buff *skb)
4647 {
4648         struct ieee80211_local *local = hw_to_local(hw);
4649 
4650         BUILD_BUG_ON(sizeof(struct ieee80211_rx_status) > sizeof(skb->cb));
4651 
4652         skb->pkt_type = IEEE80211_RX_MSG;
4653         skb_queue_tail(&local->skb_queue, skb);
4654         tasklet_schedule(&local->tasklet);
4655 }
4656 EXPORT_SYMBOL(ieee80211_rx_irqsafe);