mac80211: make master netdev handling sane
[linux-2.6] / net / mac80211 / rx.c
1 /*
2  * Copyright 2002-2005, Instant802 Networks, Inc.
3  * Copyright 2005-2006, Devicescape Software, Inc.
4  * Copyright 2006-2007  Jiri Benc <jbenc@suse.cz>
5  * Copyright 2007       Johannes Berg <johannes@sipsolutions.net>
6  *
7  * This program is free software; you can redistribute it and/or modify
8  * it under the terms of the GNU General Public License version 2 as
9  * published by the Free Software Foundation.
10  */
11
12 #include <linux/jiffies.h>
13 #include <linux/kernel.h>
14 #include <linux/skbuff.h>
15 #include <linux/netdevice.h>
16 #include <linux/etherdevice.h>
17 #include <linux/rcupdate.h>
18 #include <net/mac80211.h>
19 #include <net/ieee80211_radiotap.h>
20
21 #include "ieee80211_i.h"
22 #include "led.h"
23 #include "mesh.h"
24 #include "wep.h"
25 #include "wpa.h"
26 #include "tkip.h"
27 #include "wme.h"
28
29 u8 ieee80211_sta_manage_reorder_buf(struct ieee80211_hw *hw,
30                                 struct tid_ampdu_rx *tid_agg_rx,
31                                 struct sk_buff *skb, u16 mpdu_seq_num,
32                                 int bar_req);
33 /*
34  * monitor mode reception
35  *
36  * This function cleans up the SKB, i.e. it removes all the stuff
37  * only useful for monitoring.
38  */
39 static struct sk_buff *remove_monitor_info(struct ieee80211_local *local,
40                                            struct sk_buff *skb,
41                                            int rtap_len)
42 {
43         skb_pull(skb, rtap_len);
44
45         if (local->hw.flags & IEEE80211_HW_RX_INCLUDES_FCS) {
46                 if (likely(skb->len > FCS_LEN))
47                         skb_trim(skb, skb->len - FCS_LEN);
48                 else {
49                         /* driver bug */
50                         WARN_ON(1);
51                         dev_kfree_skb(skb);
52                         skb = NULL;
53                 }
54         }
55
56         return skb;
57 }
58
59 static inline int should_drop_frame(struct ieee80211_rx_status *status,
60                                     struct sk_buff *skb,
61                                     int present_fcs_len,
62                                     int radiotap_len)
63 {
64         struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)skb->data;
65
66         if (status->flag & (RX_FLAG_FAILED_FCS_CRC | RX_FLAG_FAILED_PLCP_CRC))
67                 return 1;
68         if (unlikely(skb->len < 16 + present_fcs_len + radiotap_len))
69                 return 1;
70         if (ieee80211_is_ctl(hdr->frame_control) &&
71             !ieee80211_is_pspoll(hdr->frame_control) &&
72             !ieee80211_is_back_req(hdr->frame_control))
73                 return 1;
74         return 0;
75 }
76
77 static int
78 ieee80211_rx_radiotap_len(struct ieee80211_local *local,
79                           struct ieee80211_rx_status *status)
80 {
81         int len;
82
83         /* always present fields */
84         len = sizeof(struct ieee80211_radiotap_header) + 9;
85
86         if (status->flag & RX_FLAG_TSFT)
87                 len += 8;
88         if (local->hw.flags & IEEE80211_HW_SIGNAL_DB ||
89             local->hw.flags & IEEE80211_HW_SIGNAL_DBM)
90                 len += 1;
91         if (local->hw.flags & IEEE80211_HW_NOISE_DBM)
92                 len += 1;
93
94         if (len & 1) /* padding for RX_FLAGS if necessary */
95                 len++;
96
97         /* make sure radiotap starts at a naturally aligned address */
98         if (len % 8)
99                 len = roundup(len, 8);
100
101         return len;
102 }
103
104 /**
105  * ieee80211_add_rx_radiotap_header - add radiotap header
106  *
107  * add a radiotap header containing all the fields which the hardware provided.
108  */
109 static void
110 ieee80211_add_rx_radiotap_header(struct ieee80211_local *local,
111                                  struct sk_buff *skb,
112                                  struct ieee80211_rx_status *status,
113                                  struct ieee80211_rate *rate,
114                                  int rtap_len)
115 {
116         struct ieee80211_radiotap_header *rthdr;
117         unsigned char *pos;
118
119         rthdr = (struct ieee80211_radiotap_header *)skb_push(skb, rtap_len);
120         memset(rthdr, 0, rtap_len);
121
122         /* radiotap header, set always present flags */
123         rthdr->it_present =
124                 cpu_to_le32((1 << IEEE80211_RADIOTAP_FLAGS) |
125                             (1 << IEEE80211_RADIOTAP_RATE) |
126                             (1 << IEEE80211_RADIOTAP_CHANNEL) |
127                             (1 << IEEE80211_RADIOTAP_ANTENNA) |
128                             (1 << IEEE80211_RADIOTAP_RX_FLAGS));
129         rthdr->it_len = cpu_to_le16(rtap_len);
130
131         pos = (unsigned char *)(rthdr+1);
132
133         /* the order of the following fields is important */
134
135         /* IEEE80211_RADIOTAP_TSFT */
136         if (status->flag & RX_FLAG_TSFT) {
137                 *(__le64 *)pos = cpu_to_le64(status->mactime);
138                 rthdr->it_present |=
139                         cpu_to_le32(1 << IEEE80211_RADIOTAP_TSFT);
140                 pos += 8;
141         }
142
143         /* IEEE80211_RADIOTAP_FLAGS */
144         if (local->hw.flags & IEEE80211_HW_RX_INCLUDES_FCS)
145                 *pos |= IEEE80211_RADIOTAP_F_FCS;
146         pos++;
147
148         /* IEEE80211_RADIOTAP_RATE */
149         *pos = rate->bitrate / 5;
150         pos++;
151
152         /* IEEE80211_RADIOTAP_CHANNEL */
153         *(__le16 *)pos = cpu_to_le16(status->freq);
154         pos += 2;
155         if (status->band == IEEE80211_BAND_5GHZ)
156                 *(__le16 *)pos = cpu_to_le16(IEEE80211_CHAN_OFDM |
157                                              IEEE80211_CHAN_5GHZ);
158         else
159                 *(__le16 *)pos = cpu_to_le16(IEEE80211_CHAN_DYN |
160                                              IEEE80211_CHAN_2GHZ);
161         pos += 2;
162
163         /* IEEE80211_RADIOTAP_DBM_ANTSIGNAL */
164         if (local->hw.flags & IEEE80211_HW_SIGNAL_DBM) {
165                 *pos = status->signal;
166                 rthdr->it_present |=
167                         cpu_to_le32(1 << IEEE80211_RADIOTAP_DBM_ANTSIGNAL);
168                 pos++;
169         }
170
171         /* IEEE80211_RADIOTAP_DBM_ANTNOISE */
172         if (local->hw.flags & IEEE80211_HW_NOISE_DBM) {
173                 *pos = status->noise;
174                 rthdr->it_present |=
175                         cpu_to_le32(1 << IEEE80211_RADIOTAP_DBM_ANTNOISE);
176                 pos++;
177         }
178
179         /* IEEE80211_RADIOTAP_LOCK_QUALITY is missing */
180
181         /* IEEE80211_RADIOTAP_ANTENNA */
182         *pos = status->antenna;
183         pos++;
184
185         /* IEEE80211_RADIOTAP_DB_ANTSIGNAL */
186         if (local->hw.flags & IEEE80211_HW_SIGNAL_DB) {
187                 *pos = status->signal;
188                 rthdr->it_present |=
189                         cpu_to_le32(1 << IEEE80211_RADIOTAP_DB_ANTSIGNAL);
190                 pos++;
191         }
192
193         /* IEEE80211_RADIOTAP_DB_ANTNOISE is not used */
194
195         /* IEEE80211_RADIOTAP_RX_FLAGS */
196         /* ensure 2 byte alignment for the 2 byte field as required */
197         if ((pos - (unsigned char *)rthdr) & 1)
198                 pos++;
199         /* FIXME: when radiotap gets a 'bad PLCP' flag use it here */
200         if (status->flag & (RX_FLAG_FAILED_FCS_CRC | RX_FLAG_FAILED_PLCP_CRC))
201                 *(__le16 *)pos |= cpu_to_le16(IEEE80211_RADIOTAP_F_RX_BADFCS);
202         pos += 2;
203 }
204
205 /*
206  * This function copies a received frame to all monitor interfaces and
207  * returns a cleaned-up SKB that no longer includes the FCS nor the
208  * radiotap header the driver might have added.
209  */
210 static struct sk_buff *
211 ieee80211_rx_monitor(struct ieee80211_local *local, struct sk_buff *origskb,
212                      struct ieee80211_rx_status *status,
213                      struct ieee80211_rate *rate)
214 {
215         struct ieee80211_sub_if_data *sdata;
216         int needed_headroom = 0;
217         struct sk_buff *skb, *skb2;
218         struct net_device *prev_dev = NULL;
219         int present_fcs_len = 0;
220         int rtap_len = 0;
221
222         /*
223          * First, we may need to make a copy of the skb because
224          *  (1) we need to modify it for radiotap (if not present), and
225          *  (2) the other RX handlers will modify the skb we got.
226          *
227          * We don't need to, of course, if we aren't going to return
228          * the SKB because it has a bad FCS/PLCP checksum.
229          */
230         if (status->flag & RX_FLAG_RADIOTAP)
231                 rtap_len = ieee80211_get_radiotap_len(origskb->data);
232         else
233                 /* room for the radiotap header based on driver features */
234                 needed_headroom = ieee80211_rx_radiotap_len(local, status);
235
236         if (local->hw.flags & IEEE80211_HW_RX_INCLUDES_FCS)
237                 present_fcs_len = FCS_LEN;
238
239         if (!local->monitors) {
240                 if (should_drop_frame(status, origskb, present_fcs_len,
241                                       rtap_len)) {
242                         dev_kfree_skb(origskb);
243                         return NULL;
244                 }
245
246                 return remove_monitor_info(local, origskb, rtap_len);
247         }
248
249         if (should_drop_frame(status, origskb, present_fcs_len, rtap_len)) {
250                 /* only need to expand headroom if necessary */
251                 skb = origskb;
252                 origskb = NULL;
253
254                 /*
255                  * This shouldn't trigger often because most devices have an
256                  * RX header they pull before we get here, and that should
257                  * be big enough for our radiotap information. We should
258                  * probably export the length to drivers so that we can have
259                  * them allocate enough headroom to start with.
260                  */
261                 if (skb_headroom(skb) < needed_headroom &&
262                     pskb_expand_head(skb, needed_headroom, 0, GFP_ATOMIC)) {
263                         dev_kfree_skb(skb);
264                         return NULL;
265                 }
266         } else {
267                 /*
268                  * Need to make a copy and possibly remove radiotap header
269                  * and FCS from the original.
270                  */
271                 skb = skb_copy_expand(origskb, needed_headroom, 0, GFP_ATOMIC);
272
273                 origskb = remove_monitor_info(local, origskb, rtap_len);
274
275                 if (!skb)
276                         return origskb;
277         }
278
279         /* if necessary, prepend radiotap information */
280         if (!(status->flag & RX_FLAG_RADIOTAP))
281                 ieee80211_add_rx_radiotap_header(local, skb, status, rate,
282                                                  needed_headroom);
283
284         skb_reset_mac_header(skb);
285         skb->ip_summed = CHECKSUM_UNNECESSARY;
286         skb->pkt_type = PACKET_OTHERHOST;
287         skb->protocol = htons(ETH_P_802_2);
288
289         list_for_each_entry_rcu(sdata, &local->interfaces, list) {
290                 if (!netif_running(sdata->dev))
291                         continue;
292
293                 if (sdata->vif.type != IEEE80211_IF_TYPE_MNTR)
294                         continue;
295
296                 if (sdata->u.mntr_flags & MONITOR_FLAG_COOK_FRAMES)
297                         continue;
298
299                 if (prev_dev) {
300                         skb2 = skb_clone(skb, GFP_ATOMIC);
301                         if (skb2) {
302                                 skb2->dev = prev_dev;
303                                 netif_rx(skb2);
304                         }
305                 }
306
307                 prev_dev = sdata->dev;
308                 sdata->dev->stats.rx_packets++;
309                 sdata->dev->stats.rx_bytes += skb->len;
310         }
311
312         if (prev_dev) {
313                 skb->dev = prev_dev;
314                 netif_rx(skb);
315         } else
316                 dev_kfree_skb(skb);
317
318         return origskb;
319 }
320
321
322 static void ieee80211_parse_qos(struct ieee80211_rx_data *rx)
323 {
324         struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)rx->skb->data;
325         int tid;
326
327         /* does the frame have a qos control field? */
328         if (ieee80211_is_data_qos(hdr->frame_control)) {
329                 u8 *qc = ieee80211_get_qos_ctl(hdr);
330                 /* frame has qos control */
331                 tid = *qc & IEEE80211_QOS_CTL_TID_MASK;
332                 if (*qc & IEEE80211_QOS_CONTROL_A_MSDU_PRESENT)
333                         rx->flags |= IEEE80211_RX_AMSDU;
334                 else
335                         rx->flags &= ~IEEE80211_RX_AMSDU;
336         } else {
337                 if (unlikely(ieee80211_is_mgmt(hdr->frame_control))) {
338                         /* Separate TID for management frames */
339                         tid = NUM_RX_DATA_QUEUES - 1;
340                 } else {
341                         /* no qos control present */
342                         tid = 0; /* 802.1d - Best Effort */
343                 }
344         }
345
346         rx->queue = tid;
347         /* Set skb->priority to 1d tag if highest order bit of TID is not set.
348          * For now, set skb->priority to 0 for other cases. */
349         rx->skb->priority = (tid > 7) ? 0 : tid;
350 }
351
352 static void ieee80211_verify_ip_alignment(struct ieee80211_rx_data *rx)
353 {
354 #ifdef CONFIG_MAC80211_DEBUG_PACKET_ALIGNMENT
355         struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)rx->skb->data;
356         int hdrlen;
357
358         if (!ieee80211_is_data_present(hdr->frame_control))
359                 return;
360
361         /*
362          * Drivers are required to align the payload data in a way that
363          * guarantees that the contained IP header is aligned to a four-
364          * byte boundary. In the case of regular frames, this simply means
365          * aligning the payload to a four-byte boundary (because either
366          * the IP header is directly contained, or IV/RFC1042 headers that
367          * have a length divisible by four are in front of it.
368          *
369          * With A-MSDU frames, however, the payload data address must
370          * yield two modulo four because there are 14-byte 802.3 headers
371          * within the A-MSDU frames that push the IP header further back
372          * to a multiple of four again. Thankfully, the specs were sane
373          * enough this time around to require padding each A-MSDU subframe
374          * to a length that is a multiple of four.
375          *
376          * Padding like atheros hardware adds which is inbetween the 802.11
377          * header and the payload is not supported, the driver is required
378          * to move the 802.11 header further back in that case.
379          */
380         hdrlen = ieee80211_hdrlen(hdr->frame_control);
381         if (rx->flags & IEEE80211_RX_AMSDU)
382                 hdrlen += ETH_HLEN;
383         WARN_ON_ONCE(((unsigned long)(rx->skb->data + hdrlen)) & 3);
384 #endif
385 }
386
387
388 /* rx handlers */
389
390 static ieee80211_rx_result debug_noinline
391 ieee80211_rx_h_passive_scan(struct ieee80211_rx_data *rx)
392 {
393         struct ieee80211_local *local = rx->local;
394         struct sk_buff *skb = rx->skb;
395
396         if (unlikely(local->sta_hw_scanning))
397                 return ieee80211_sta_rx_scan(rx->dev, skb, rx->status);
398
399         if (unlikely(local->sta_sw_scanning)) {
400                 /* drop all the other packets during a software scan anyway */
401                 if (ieee80211_sta_rx_scan(rx->dev, skb, rx->status)
402                     != RX_QUEUED)
403                         dev_kfree_skb(skb);
404                 return RX_QUEUED;
405         }
406
407         if (unlikely(rx->flags & IEEE80211_RX_IN_SCAN)) {
408                 /* scanning finished during invoking of handlers */
409                 I802_DEBUG_INC(local->rx_handlers_drop_passive_scan);
410                 return RX_DROP_UNUSABLE;
411         }
412
413         return RX_CONTINUE;
414 }
415
416 static ieee80211_rx_result
417 ieee80211_rx_mesh_check(struct ieee80211_rx_data *rx)
418 {
419         struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)rx->skb->data;
420         unsigned int hdrlen = ieee80211_hdrlen(hdr->frame_control);
421
422         if (ieee80211_is_data(hdr->frame_control)) {
423                 if (!ieee80211_has_a4(hdr->frame_control))
424                         return RX_DROP_MONITOR;
425                 if (memcmp(hdr->addr4, rx->dev->dev_addr, ETH_ALEN) == 0)
426                         return RX_DROP_MONITOR;
427         }
428
429         /* If there is not an established peer link and this is not a peer link
430          * establisment frame, beacon or probe, drop the frame.
431          */
432
433         if (!rx->sta || sta_plink_state(rx->sta) != PLINK_ESTAB) {
434                 struct ieee80211_mgmt *mgmt;
435
436                 if (!ieee80211_is_mgmt(hdr->frame_control))
437                         return RX_DROP_MONITOR;
438
439                 if (ieee80211_is_action(hdr->frame_control)) {
440                         mgmt = (struct ieee80211_mgmt *)hdr;
441                         if (mgmt->u.action.category != PLINK_CATEGORY)
442                                 return RX_DROP_MONITOR;
443                         return RX_CONTINUE;
444                 }
445
446                 if (ieee80211_is_probe_req(hdr->frame_control) ||
447                     ieee80211_is_probe_resp(hdr->frame_control) ||
448                     ieee80211_is_beacon(hdr->frame_control))
449                         return RX_CONTINUE;
450
451                 return RX_DROP_MONITOR;
452
453         }
454
455 #define msh_h_get(h, l) ((struct ieee80211s_hdr *) ((u8 *)h + l))
456
457         if (ieee80211_is_data(hdr->frame_control) &&
458             is_multicast_ether_addr(hdr->addr1) &&
459             mesh_rmc_check(hdr->addr4, msh_h_get(hdr, hdrlen), rx->dev))
460                 return RX_DROP_MONITOR;
461 #undef msh_h_get
462
463         return RX_CONTINUE;
464 }
465
466
467 static ieee80211_rx_result debug_noinline
468 ieee80211_rx_h_check(struct ieee80211_rx_data *rx)
469 {
470         struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)rx->skb->data;
471
472         /* Drop duplicate 802.11 retransmissions (IEEE 802.11 Chap. 9.2.9) */
473         if (rx->sta && !is_multicast_ether_addr(hdr->addr1)) {
474                 if (unlikely(ieee80211_has_retry(hdr->frame_control) &&
475                              rx->sta->last_seq_ctrl[rx->queue] ==
476                              hdr->seq_ctrl)) {
477                         if (rx->flags & IEEE80211_RX_RA_MATCH) {
478                                 rx->local->dot11FrameDuplicateCount++;
479                                 rx->sta->num_duplicates++;
480                         }
481                         return RX_DROP_MONITOR;
482                 } else
483                         rx->sta->last_seq_ctrl[rx->queue] = hdr->seq_ctrl;
484         }
485
486         if (unlikely(rx->skb->len < 16)) {
487                 I802_DEBUG_INC(rx->local->rx_handlers_drop_short);
488                 return RX_DROP_MONITOR;
489         }
490
491         /* Drop disallowed frame classes based on STA auth/assoc state;
492          * IEEE 802.11, Chap 5.5.
493          *
494          * 80211.o does filtering only based on association state, i.e., it
495          * drops Class 3 frames from not associated stations. hostapd sends
496          * deauth/disassoc frames when needed. In addition, hostapd is
497          * responsible for filtering on both auth and assoc states.
498          */
499
500         if (ieee80211_vif_is_mesh(&rx->sdata->vif))
501                 return ieee80211_rx_mesh_check(rx);
502
503         if (unlikely((ieee80211_is_data(hdr->frame_control) ||
504                       ieee80211_is_pspoll(hdr->frame_control)) &&
505                      rx->sdata->vif.type != IEEE80211_IF_TYPE_IBSS &&
506                      (!rx->sta || !test_sta_flags(rx->sta, WLAN_STA_ASSOC)))) {
507                 if ((!ieee80211_has_fromds(hdr->frame_control) &&
508                      !ieee80211_has_tods(hdr->frame_control) &&
509                      ieee80211_is_data(hdr->frame_control)) ||
510                     !(rx->flags & IEEE80211_RX_RA_MATCH)) {
511                         /* Drop IBSS frames and frames for other hosts
512                          * silently. */
513                         return RX_DROP_MONITOR;
514                 }
515
516                 return RX_DROP_MONITOR;
517         }
518
519         return RX_CONTINUE;
520 }
521
522
523 static ieee80211_rx_result debug_noinline
524 ieee80211_rx_h_decrypt(struct ieee80211_rx_data *rx)
525 {
526         struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)rx->skb->data;
527         int keyidx;
528         int hdrlen;
529         ieee80211_rx_result result = RX_DROP_UNUSABLE;
530         struct ieee80211_key *stakey = NULL;
531
532         /*
533          * Key selection 101
534          *
535          * There are three types of keys:
536          *  - GTK (group keys)
537          *  - PTK (pairwise keys)
538          *  - STK (station-to-station pairwise keys)
539          *
540          * When selecting a key, we have to distinguish between multicast
541          * (including broadcast) and unicast frames, the latter can only
542          * use PTKs and STKs while the former always use GTKs. Unless, of
543          * course, actual WEP keys ("pre-RSNA") are used, then unicast
544          * frames can also use key indizes like GTKs. Hence, if we don't
545          * have a PTK/STK we check the key index for a WEP key.
546          *
547          * Note that in a regular BSS, multicast frames are sent by the
548          * AP only, associated stations unicast the frame to the AP first
549          * which then multicasts it on their behalf.
550          *
551          * There is also a slight problem in IBSS mode: GTKs are negotiated
552          * with each station, that is something we don't currently handle.
553          * The spec seems to expect that one negotiates the same key with
554          * every station but there's no such requirement; VLANs could be
555          * possible.
556          */
557
558         if (!ieee80211_has_protected(hdr->frame_control))
559                 return RX_CONTINUE;
560
561         /*
562          * No point in finding a key and decrypting if the frame is neither
563          * addressed to us nor a multicast frame.
564          */
565         if (!(rx->flags & IEEE80211_RX_RA_MATCH))
566                 return RX_CONTINUE;
567
568         if (rx->sta)
569                 stakey = rcu_dereference(rx->sta->key);
570
571         if (!is_multicast_ether_addr(hdr->addr1) && stakey) {
572                 rx->key = stakey;
573         } else {
574                 /*
575                  * The device doesn't give us the IV so we won't be
576                  * able to look up the key. That's ok though, we
577                  * don't need to decrypt the frame, we just won't
578                  * be able to keep statistics accurate.
579                  * Except for key threshold notifications, should
580                  * we somehow allow the driver to tell us which key
581                  * the hardware used if this flag is set?
582                  */
583                 if ((rx->status->flag & RX_FLAG_DECRYPTED) &&
584                     (rx->status->flag & RX_FLAG_IV_STRIPPED))
585                         return RX_CONTINUE;
586
587                 hdrlen = ieee80211_hdrlen(hdr->frame_control);
588
589                 if (rx->skb->len < 8 + hdrlen)
590                         return RX_DROP_UNUSABLE; /* TODO: count this? */
591
592                 /*
593                  * no need to call ieee80211_wep_get_keyidx,
594                  * it verifies a bunch of things we've done already
595                  */
596                 keyidx = rx->skb->data[hdrlen + 3] >> 6;
597
598                 rx->key = rcu_dereference(rx->sdata->keys[keyidx]);
599
600                 /*
601                  * RSNA-protected unicast frames should always be sent with
602                  * pairwise or station-to-station keys, but for WEP we allow
603                  * using a key index as well.
604                  */
605                 if (rx->key && rx->key->conf.alg != ALG_WEP &&
606                     !is_multicast_ether_addr(hdr->addr1))
607                         rx->key = NULL;
608         }
609
610         if (rx->key) {
611                 rx->key->tx_rx_count++;
612                 /* TODO: add threshold stuff again */
613         } else {
614                 return RX_DROP_MONITOR;
615         }
616
617         /* Check for weak IVs if possible */
618         if (rx->sta && rx->key->conf.alg == ALG_WEP &&
619             ieee80211_is_data(hdr->frame_control) &&
620             (!(rx->status->flag & RX_FLAG_IV_STRIPPED) ||
621              !(rx->status->flag & RX_FLAG_DECRYPTED)) &&
622             ieee80211_wep_is_weak_iv(rx->skb, rx->key))
623                 rx->sta->wep_weak_iv_count++;
624
625         switch (rx->key->conf.alg) {
626         case ALG_WEP:
627                 result = ieee80211_crypto_wep_decrypt(rx);
628                 break;
629         case ALG_TKIP:
630                 result = ieee80211_crypto_tkip_decrypt(rx);
631                 break;
632         case ALG_CCMP:
633                 result = ieee80211_crypto_ccmp_decrypt(rx);
634                 break;
635         }
636
637         /* either the frame has been decrypted or will be dropped */
638         rx->status->flag |= RX_FLAG_DECRYPTED;
639
640         return result;
641 }
642
643 static void ap_sta_ps_start(struct net_device *dev, struct sta_info *sta)
644 {
645         struct ieee80211_sub_if_data *sdata;
646         DECLARE_MAC_BUF(mac);
647
648         sdata = sta->sdata;
649
650         atomic_inc(&sdata->bss->num_sta_ps);
651         set_and_clear_sta_flags(sta, WLAN_STA_PS, WLAN_STA_PSPOLL);
652 #ifdef CONFIG_MAC80211_VERBOSE_PS_DEBUG
653         printk(KERN_DEBUG "%s: STA %s aid %d enters power save mode\n",
654                dev->name, print_mac(mac, sta->addr), sta->aid);
655 #endif /* CONFIG_MAC80211_VERBOSE_PS_DEBUG */
656 }
657
658 static int ap_sta_ps_end(struct net_device *dev, struct sta_info *sta)
659 {
660         struct ieee80211_local *local = wdev_priv(dev->ieee80211_ptr);
661         struct sk_buff *skb;
662         int sent = 0;
663         struct ieee80211_sub_if_data *sdata;
664         struct ieee80211_tx_info *info;
665         DECLARE_MAC_BUF(mac);
666
667         sdata = sta->sdata;
668
669         atomic_dec(&sdata->bss->num_sta_ps);
670
671         clear_sta_flags(sta, WLAN_STA_PS | WLAN_STA_PSPOLL);
672
673         if (!skb_queue_empty(&sta->ps_tx_buf))
674                 sta_info_clear_tim_bit(sta);
675
676 #ifdef CONFIG_MAC80211_VERBOSE_PS_DEBUG
677         printk(KERN_DEBUG "%s: STA %s aid %d exits power save mode\n",
678                dev->name, print_mac(mac, sta->addr), sta->aid);
679 #endif /* CONFIG_MAC80211_VERBOSE_PS_DEBUG */
680
681         /* Send all buffered frames to the station */
682         while ((skb = skb_dequeue(&sta->tx_filtered)) != NULL) {
683                 info = IEEE80211_SKB_CB(skb);
684                 sent++;
685                 info->flags |= IEEE80211_TX_CTL_REQUEUE;
686                 dev_queue_xmit(skb);
687         }
688         while ((skb = skb_dequeue(&sta->ps_tx_buf)) != NULL) {
689                 info = IEEE80211_SKB_CB(skb);
690                 local->total_ps_buffered--;
691                 sent++;
692 #ifdef CONFIG_MAC80211_VERBOSE_PS_DEBUG
693                 printk(KERN_DEBUG "%s: STA %s aid %d send PS frame "
694                        "since STA not sleeping anymore\n", dev->name,
695                        print_mac(mac, sta->addr), sta->aid);
696 #endif /* CONFIG_MAC80211_VERBOSE_PS_DEBUG */
697                 info->flags |= IEEE80211_TX_CTL_REQUEUE;
698                 dev_queue_xmit(skb);
699         }
700
701         return sent;
702 }
703
704 static ieee80211_rx_result debug_noinline
705 ieee80211_rx_h_sta_process(struct ieee80211_rx_data *rx)
706 {
707         struct sta_info *sta = rx->sta;
708         struct net_device *dev = rx->dev;
709         struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)rx->skb->data;
710
711         if (!sta)
712                 return RX_CONTINUE;
713
714         /* Update last_rx only for IBSS packets which are for the current
715          * BSSID to avoid keeping the current IBSS network alive in cases where
716          * other STAs are using different BSSID. */
717         if (rx->sdata->vif.type == IEEE80211_IF_TYPE_IBSS) {
718                 u8 *bssid = ieee80211_get_bssid(hdr, rx->skb->len,
719                                                 IEEE80211_IF_TYPE_IBSS);
720                 if (compare_ether_addr(bssid, rx->sdata->u.sta.bssid) == 0)
721                         sta->last_rx = jiffies;
722         } else
723         if (!is_multicast_ether_addr(hdr->addr1) ||
724             rx->sdata->vif.type == IEEE80211_IF_TYPE_STA) {
725                 /* Update last_rx only for unicast frames in order to prevent
726                  * the Probe Request frames (the only broadcast frames from a
727                  * STA in infrastructure mode) from keeping a connection alive.
728                  * Mesh beacons will update last_rx when if they are found to
729                  * match the current local configuration when processed.
730                  */
731                 sta->last_rx = jiffies;
732         }
733
734         if (!(rx->flags & IEEE80211_RX_RA_MATCH))
735                 return RX_CONTINUE;
736
737         sta->rx_fragments++;
738         sta->rx_bytes += rx->skb->len;
739         sta->last_signal = rx->status->signal;
740         sta->last_qual = rx->status->qual;
741         sta->last_noise = rx->status->noise;
742
743         if (!ieee80211_has_morefrags(hdr->frame_control) &&
744             (rx->sdata->vif.type == IEEE80211_IF_TYPE_AP ||
745              rx->sdata->vif.type == IEEE80211_IF_TYPE_VLAN)) {
746                 /* Change STA power saving mode only in the end of a frame
747                  * exchange sequence */
748                 if (test_sta_flags(sta, WLAN_STA_PS) &&
749                     !ieee80211_has_pm(hdr->frame_control))
750                         rx->sent_ps_buffered += ap_sta_ps_end(dev, sta);
751                 else if (!test_sta_flags(sta, WLAN_STA_PS) &&
752                          ieee80211_has_pm(hdr->frame_control))
753                         ap_sta_ps_start(dev, sta);
754         }
755
756         /* Drop data::nullfunc frames silently, since they are used only to
757          * control station power saving mode. */
758         if (ieee80211_is_nullfunc(hdr->frame_control)) {
759                 I802_DEBUG_INC(rx->local->rx_handlers_drop_nullfunc);
760                 /* Update counter and free packet here to avoid counting this
761                  * as a dropped packed. */
762                 sta->rx_packets++;
763                 dev_kfree_skb(rx->skb);
764                 return RX_QUEUED;
765         }
766
767         return RX_CONTINUE;
768 } /* ieee80211_rx_h_sta_process */
769
770 static inline struct ieee80211_fragment_entry *
771 ieee80211_reassemble_add(struct ieee80211_sub_if_data *sdata,
772                          unsigned int frag, unsigned int seq, int rx_queue,
773                          struct sk_buff **skb)
774 {
775         struct ieee80211_fragment_entry *entry;
776         int idx;
777
778         idx = sdata->fragment_next;
779         entry = &sdata->fragments[sdata->fragment_next++];
780         if (sdata->fragment_next >= IEEE80211_FRAGMENT_MAX)
781                 sdata->fragment_next = 0;
782
783         if (!skb_queue_empty(&entry->skb_list)) {
784 #ifdef CONFIG_MAC80211_VERBOSE_DEBUG
785                 struct ieee80211_hdr *hdr =
786                         (struct ieee80211_hdr *) entry->skb_list.next->data;
787                 DECLARE_MAC_BUF(mac);
788                 DECLARE_MAC_BUF(mac2);
789                 printk(KERN_DEBUG "%s: RX reassembly removed oldest "
790                        "fragment entry (idx=%d age=%lu seq=%d last_frag=%d "
791                        "addr1=%s addr2=%s\n",
792                        sdata->dev->name, idx,
793                        jiffies - entry->first_frag_time, entry->seq,
794                        entry->last_frag, print_mac(mac, hdr->addr1),
795                        print_mac(mac2, hdr->addr2));
796 #endif
797                 __skb_queue_purge(&entry->skb_list);
798         }
799
800         __skb_queue_tail(&entry->skb_list, *skb); /* no need for locking */
801         *skb = NULL;
802         entry->first_frag_time = jiffies;
803         entry->seq = seq;
804         entry->rx_queue = rx_queue;
805         entry->last_frag = frag;
806         entry->ccmp = 0;
807         entry->extra_len = 0;
808
809         return entry;
810 }
811
812 static inline struct ieee80211_fragment_entry *
813 ieee80211_reassemble_find(struct ieee80211_sub_if_data *sdata,
814                           u16 fc, unsigned int frag, unsigned int seq,
815                           int rx_queue, struct ieee80211_hdr *hdr)
816 {
817         struct ieee80211_fragment_entry *entry;
818         int i, idx;
819
820         idx = sdata->fragment_next;
821         for (i = 0; i < IEEE80211_FRAGMENT_MAX; i++) {
822                 struct ieee80211_hdr *f_hdr;
823                 u16 f_fc;
824
825                 idx--;
826                 if (idx < 0)
827                         idx = IEEE80211_FRAGMENT_MAX - 1;
828
829                 entry = &sdata->fragments[idx];
830                 if (skb_queue_empty(&entry->skb_list) || entry->seq != seq ||
831                     entry->rx_queue != rx_queue ||
832                     entry->last_frag + 1 != frag)
833                         continue;
834
835                 f_hdr = (struct ieee80211_hdr *) entry->skb_list.next->data;
836                 f_fc = le16_to_cpu(f_hdr->frame_control);
837
838                 if ((fc & IEEE80211_FCTL_FTYPE) != (f_fc & IEEE80211_FCTL_FTYPE) ||
839                     compare_ether_addr(hdr->addr1, f_hdr->addr1) != 0 ||
840                     compare_ether_addr(hdr->addr2, f_hdr->addr2) != 0)
841                         continue;
842
843                 if (time_after(jiffies, entry->first_frag_time + 2 * HZ)) {
844                         __skb_queue_purge(&entry->skb_list);
845                         continue;
846                 }
847                 return entry;
848         }
849
850         return NULL;
851 }
852
853 static ieee80211_rx_result debug_noinline
854 ieee80211_rx_h_defragment(struct ieee80211_rx_data *rx)
855 {
856         struct ieee80211_hdr *hdr;
857         u16 sc;
858         unsigned int frag, seq;
859         struct ieee80211_fragment_entry *entry;
860         struct sk_buff *skb;
861         DECLARE_MAC_BUF(mac);
862
863         hdr = (struct ieee80211_hdr *) rx->skb->data;
864         sc = le16_to_cpu(hdr->seq_ctrl);
865         frag = sc & IEEE80211_SCTL_FRAG;
866
867         if (likely((!(rx->fc & IEEE80211_FCTL_MOREFRAGS) && frag == 0) ||
868                    (rx->skb)->len < 24 ||
869                    is_multicast_ether_addr(hdr->addr1))) {
870                 /* not fragmented */
871                 goto out;
872         }
873         I802_DEBUG_INC(rx->local->rx_handlers_fragments);
874
875         seq = (sc & IEEE80211_SCTL_SEQ) >> 4;
876
877         if (frag == 0) {
878                 /* This is the first fragment of a new frame. */
879                 entry = ieee80211_reassemble_add(rx->sdata, frag, seq,
880                                                  rx->queue, &(rx->skb));
881                 if (rx->key && rx->key->conf.alg == ALG_CCMP &&
882                     (rx->fc & IEEE80211_FCTL_PROTECTED)) {
883                         /* Store CCMP PN so that we can verify that the next
884                          * fragment has a sequential PN value. */
885                         entry->ccmp = 1;
886                         memcpy(entry->last_pn,
887                                rx->key->u.ccmp.rx_pn[rx->queue],
888                                CCMP_PN_LEN);
889                 }
890                 return RX_QUEUED;
891         }
892
893         /* This is a fragment for a frame that should already be pending in
894          * fragment cache. Add this fragment to the end of the pending entry.
895          */
896         entry = ieee80211_reassemble_find(rx->sdata, rx->fc, frag, seq,
897                                           rx->queue, hdr);
898         if (!entry) {
899                 I802_DEBUG_INC(rx->local->rx_handlers_drop_defrag);
900                 return RX_DROP_MONITOR;
901         }
902
903         /* Verify that MPDUs within one MSDU have sequential PN values.
904          * (IEEE 802.11i, 8.3.3.4.5) */
905         if (entry->ccmp) {
906                 int i;
907                 u8 pn[CCMP_PN_LEN], *rpn;
908                 if (!rx->key || rx->key->conf.alg != ALG_CCMP)
909                         return RX_DROP_UNUSABLE;
910                 memcpy(pn, entry->last_pn, CCMP_PN_LEN);
911                 for (i = CCMP_PN_LEN - 1; i >= 0; i--) {
912                         pn[i]++;
913                         if (pn[i])
914                                 break;
915                 }
916                 rpn = rx->key->u.ccmp.rx_pn[rx->queue];
917                 if (memcmp(pn, rpn, CCMP_PN_LEN))
918                         return RX_DROP_UNUSABLE;
919                 memcpy(entry->last_pn, pn, CCMP_PN_LEN);
920         }
921
922         skb_pull(rx->skb, ieee80211_get_hdrlen(rx->fc));
923         __skb_queue_tail(&entry->skb_list, rx->skb);
924         entry->last_frag = frag;
925         entry->extra_len += rx->skb->len;
926         if (rx->fc & IEEE80211_FCTL_MOREFRAGS) {
927                 rx->skb = NULL;
928                 return RX_QUEUED;
929         }
930
931         rx->skb = __skb_dequeue(&entry->skb_list);
932         if (skb_tailroom(rx->skb) < entry->extra_len) {
933                 I802_DEBUG_INC(rx->local->rx_expand_skb_head2);
934                 if (unlikely(pskb_expand_head(rx->skb, 0, entry->extra_len,
935                                               GFP_ATOMIC))) {
936                         I802_DEBUG_INC(rx->local->rx_handlers_drop_defrag);
937                         __skb_queue_purge(&entry->skb_list);
938                         return RX_DROP_UNUSABLE;
939                 }
940         }
941         while ((skb = __skb_dequeue(&entry->skb_list))) {
942                 memcpy(skb_put(rx->skb, skb->len), skb->data, skb->len);
943                 dev_kfree_skb(skb);
944         }
945
946         /* Complete frame has been reassembled - process it now */
947         rx->flags |= IEEE80211_RX_FRAGMENTED;
948
949  out:
950         if (rx->sta)
951                 rx->sta->rx_packets++;
952         if (is_multicast_ether_addr(hdr->addr1))
953                 rx->local->dot11MulticastReceivedFrameCount++;
954         else
955                 ieee80211_led_rx(rx->local);
956         return RX_CONTINUE;
957 }
958
959 static ieee80211_rx_result debug_noinline
960 ieee80211_rx_h_ps_poll(struct ieee80211_rx_data *rx)
961 {
962         struct ieee80211_sub_if_data *sdata = IEEE80211_DEV_TO_SUB_IF(rx->dev);
963         struct sk_buff *skb;
964         int no_pending_pkts;
965         DECLARE_MAC_BUF(mac);
966
967         if (likely(!rx->sta ||
968                    (rx->fc & IEEE80211_FCTL_FTYPE) != IEEE80211_FTYPE_CTL ||
969                    (rx->fc & IEEE80211_FCTL_STYPE) != IEEE80211_STYPE_PSPOLL ||
970                    !(rx->flags & IEEE80211_RX_RA_MATCH)))
971                 return RX_CONTINUE;
972
973         if ((sdata->vif.type != IEEE80211_IF_TYPE_AP) &&
974             (sdata->vif.type != IEEE80211_IF_TYPE_VLAN))
975                 return RX_DROP_UNUSABLE;
976
977         skb = skb_dequeue(&rx->sta->tx_filtered);
978         if (!skb) {
979                 skb = skb_dequeue(&rx->sta->ps_tx_buf);
980                 if (skb)
981                         rx->local->total_ps_buffered--;
982         }
983         no_pending_pkts = skb_queue_empty(&rx->sta->tx_filtered) &&
984                 skb_queue_empty(&rx->sta->ps_tx_buf);
985
986         if (skb) {
987                 struct ieee80211_hdr *hdr =
988                         (struct ieee80211_hdr *) skb->data;
989
990                 /*
991                  * Tell TX path to send one frame even though the STA may
992                  * still remain is PS mode after this frame exchange.
993                  */
994                 set_sta_flags(rx->sta, WLAN_STA_PSPOLL);
995
996 #ifdef CONFIG_MAC80211_VERBOSE_PS_DEBUG
997                 printk(KERN_DEBUG "STA %s aid %d: PS Poll (entries after %d)\n",
998                        print_mac(mac, rx->sta->addr), rx->sta->aid,
999                        skb_queue_len(&rx->sta->ps_tx_buf));
1000 #endif /* CONFIG_MAC80211_VERBOSE_PS_DEBUG */
1001
1002                 /* Use MoreData flag to indicate whether there are more
1003                  * buffered frames for this STA */
1004                 if (no_pending_pkts)
1005                         hdr->frame_control &= cpu_to_le16(~IEEE80211_FCTL_MOREDATA);
1006                 else
1007                         hdr->frame_control |= cpu_to_le16(IEEE80211_FCTL_MOREDATA);
1008
1009                 dev_queue_xmit(skb);
1010
1011                 if (no_pending_pkts)
1012                         sta_info_clear_tim_bit(rx->sta);
1013 #ifdef CONFIG_MAC80211_VERBOSE_PS_DEBUG
1014         } else if (!rx->sent_ps_buffered) {
1015                 /*
1016                  * FIXME: This can be the result of a race condition between
1017                  *        us expiring a frame and the station polling for it.
1018                  *        Should we send it a null-func frame indicating we
1019                  *        have nothing buffered for it?
1020                  */
1021                 printk(KERN_DEBUG "%s: STA %s sent PS Poll even "
1022                        "though there are no buffered frames for it\n",
1023                        rx->dev->name, print_mac(mac, rx->sta->addr));
1024 #endif /* CONFIG_MAC80211_VERBOSE_PS_DEBUG */
1025         }
1026
1027         /* Free PS Poll skb here instead of returning RX_DROP that would
1028          * count as an dropped frame. */
1029         dev_kfree_skb(rx->skb);
1030
1031         return RX_QUEUED;
1032 }
1033
1034 static ieee80211_rx_result debug_noinline
1035 ieee80211_rx_h_remove_qos_control(struct ieee80211_rx_data *rx)
1036 {
1037         u8 *data = rx->skb->data;
1038         struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)data;
1039
1040         if (!ieee80211_is_data_qos(hdr->frame_control))
1041                 return RX_CONTINUE;
1042
1043         /* remove the qos control field, update frame type and meta-data */
1044         memmove(data + IEEE80211_QOS_CTL_LEN, data,
1045                 ieee80211_hdrlen(hdr->frame_control) - IEEE80211_QOS_CTL_LEN);
1046         hdr = (struct ieee80211_hdr *)skb_pull(rx->skb, IEEE80211_QOS_CTL_LEN);
1047         /* change frame type to non QOS */
1048         rx->fc &= ~IEEE80211_STYPE_QOS_DATA;
1049         hdr->frame_control &= ~cpu_to_le16(IEEE80211_STYPE_QOS_DATA);
1050
1051         return RX_CONTINUE;
1052 }
1053
1054 static int
1055 ieee80211_802_1x_port_control(struct ieee80211_rx_data *rx)
1056 {
1057         if (unlikely(!rx->sta ||
1058             !test_sta_flags(rx->sta, WLAN_STA_AUTHORIZED)))
1059                 return -EACCES;
1060
1061         return 0;
1062 }
1063
1064 static int
1065 ieee80211_drop_unencrypted(struct ieee80211_rx_data *rx)
1066 {
1067         /*
1068          * Pass through unencrypted frames if the hardware has
1069          * decrypted them already.
1070          */
1071         if (rx->status->flag & RX_FLAG_DECRYPTED)
1072                 return 0;
1073
1074         /* Drop unencrypted frames if key is set. */
1075         if (unlikely(!(rx->fc & IEEE80211_FCTL_PROTECTED) &&
1076                      (rx->fc & IEEE80211_FCTL_FTYPE) == IEEE80211_FTYPE_DATA &&
1077                      (rx->fc & IEEE80211_FCTL_STYPE) != IEEE80211_STYPE_NULLFUNC &&
1078                      (rx->key || rx->sdata->drop_unencrypted)))
1079                 return -EACCES;
1080
1081         return 0;
1082 }
1083
1084 static int
1085 ieee80211_data_to_8023(struct ieee80211_rx_data *rx)
1086 {
1087         struct net_device *dev = rx->dev;
1088         struct ieee80211_hdr *hdr = (struct ieee80211_hdr *) rx->skb->data;
1089         u16 fc, hdrlen, ethertype;
1090         u8 *payload;
1091         u8 dst[ETH_ALEN];
1092         u8 src[ETH_ALEN] __aligned(2);
1093         struct sk_buff *skb = rx->skb;
1094         struct ieee80211_sub_if_data *sdata = IEEE80211_DEV_TO_SUB_IF(dev);
1095         DECLARE_MAC_BUF(mac);
1096         DECLARE_MAC_BUF(mac2);
1097         DECLARE_MAC_BUF(mac3);
1098         DECLARE_MAC_BUF(mac4);
1099
1100         fc = rx->fc;
1101
1102         if (unlikely(!WLAN_FC_DATA_PRESENT(fc)))
1103                 return -1;
1104
1105         hdrlen = ieee80211_get_hdrlen(fc);
1106
1107         if (ieee80211_vif_is_mesh(&sdata->vif)) {
1108                 int meshhdrlen = ieee80211_get_mesh_hdrlen(
1109                                 (struct ieee80211s_hdr *) (skb->data + hdrlen));
1110                 /* Copy on cb:
1111                  *  - mesh header: to be used for mesh forwarding
1112                  * decision. It will also be used as mesh header template at
1113                  * tx.c:ieee80211_subif_start_xmit() if interface
1114                  * type is mesh and skb->pkt_type == PACKET_OTHERHOST
1115                  *  - ta: to be used if a RERR needs to be sent.
1116                  */
1117                 memcpy(skb->cb, skb->data + hdrlen, meshhdrlen);
1118                 memcpy(MESH_PREQ(skb), hdr->addr2, ETH_ALEN);
1119                 hdrlen += meshhdrlen;
1120         }
1121
1122         /* convert IEEE 802.11 header + possible LLC headers into Ethernet
1123          * header
1124          * IEEE 802.11 address fields:
1125          * ToDS FromDS Addr1 Addr2 Addr3 Addr4
1126          *   0     0   DA    SA    BSSID n/a
1127          *   0     1   DA    BSSID SA    n/a
1128          *   1     0   BSSID SA    DA    n/a
1129          *   1     1   RA    TA    DA    SA
1130          */
1131
1132         switch (fc & (IEEE80211_FCTL_TODS | IEEE80211_FCTL_FROMDS)) {
1133         case IEEE80211_FCTL_TODS:
1134                 /* BSSID SA DA */
1135                 memcpy(dst, hdr->addr3, ETH_ALEN);
1136                 memcpy(src, hdr->addr2, ETH_ALEN);
1137
1138                 if (unlikely(sdata->vif.type != IEEE80211_IF_TYPE_AP &&
1139                              sdata->vif.type != IEEE80211_IF_TYPE_VLAN))
1140                         return -1;
1141                 break;
1142         case (IEEE80211_FCTL_TODS | IEEE80211_FCTL_FROMDS):
1143                 /* RA TA DA SA */
1144                 memcpy(dst, hdr->addr3, ETH_ALEN);
1145                 memcpy(src, hdr->addr4, ETH_ALEN);
1146
1147                  if (unlikely(sdata->vif.type != IEEE80211_IF_TYPE_WDS &&
1148                              sdata->vif.type != IEEE80211_IF_TYPE_MESH_POINT))
1149                         return -1;
1150                 break;
1151         case IEEE80211_FCTL_FROMDS:
1152                 /* DA BSSID SA */
1153                 memcpy(dst, hdr->addr1, ETH_ALEN);
1154                 memcpy(src, hdr->addr3, ETH_ALEN);
1155
1156                 if (sdata->vif.type != IEEE80211_IF_TYPE_STA ||
1157                     (is_multicast_ether_addr(dst) &&
1158                      !compare_ether_addr(src, dev->dev_addr)))
1159                         return -1;
1160                 break;
1161         case 0:
1162                 /* DA SA BSSID */
1163                 memcpy(dst, hdr->addr1, ETH_ALEN);
1164                 memcpy(src, hdr->addr2, ETH_ALEN);
1165
1166                 if (sdata->vif.type != IEEE80211_IF_TYPE_IBSS)
1167                         return -1;
1168                 break;
1169         }
1170
1171         if (unlikely(skb->len - hdrlen < 8))
1172                 return -1;
1173
1174         payload = skb->data + hdrlen;
1175         ethertype = (payload[6] << 8) | payload[7];
1176
1177         if (likely((compare_ether_addr(payload, rfc1042_header) == 0 &&
1178                     ethertype != ETH_P_AARP && ethertype != ETH_P_IPX) ||
1179                    compare_ether_addr(payload, bridge_tunnel_header) == 0)) {
1180                 /* remove RFC1042 or Bridge-Tunnel encapsulation and
1181                  * replace EtherType */
1182                 skb_pull(skb, hdrlen + 6);
1183                 memcpy(skb_push(skb, ETH_ALEN), src, ETH_ALEN);
1184                 memcpy(skb_push(skb, ETH_ALEN), dst, ETH_ALEN);
1185         } else {
1186                 struct ethhdr *ehdr;
1187                 __be16 len;
1188
1189                 skb_pull(skb, hdrlen);
1190                 len = htons(skb->len);
1191                 ehdr = (struct ethhdr *) skb_push(skb, sizeof(struct ethhdr));
1192                 memcpy(ehdr->h_dest, dst, ETH_ALEN);
1193                 memcpy(ehdr->h_source, src, ETH_ALEN);
1194                 ehdr->h_proto = len;
1195         }
1196         return 0;
1197 }
1198
1199 /*
1200  * requires that rx->skb is a frame with ethernet header
1201  */
1202 static bool ieee80211_frame_allowed(struct ieee80211_rx_data *rx)
1203 {
1204         static const u8 pae_group_addr[ETH_ALEN] __aligned(2)
1205                 = { 0x01, 0x80, 0xC2, 0x00, 0x00, 0x03 };
1206         struct ethhdr *ehdr = (struct ethhdr *) rx->skb->data;
1207
1208         /*
1209          * Allow EAPOL frames to us/the PAE group address regardless
1210          * of whether the frame was encrypted or not.
1211          */
1212         if (ehdr->h_proto == htons(ETH_P_PAE) &&
1213             (compare_ether_addr(ehdr->h_dest, rx->dev->dev_addr) == 0 ||
1214              compare_ether_addr(ehdr->h_dest, pae_group_addr) == 0))
1215                 return true;
1216
1217         if (ieee80211_802_1x_port_control(rx) ||
1218             ieee80211_drop_unencrypted(rx))
1219                 return false;
1220
1221         return true;
1222 }
1223
1224 /*
1225  * requires that rx->skb is a frame with ethernet header
1226  */
1227 static void
1228 ieee80211_deliver_skb(struct ieee80211_rx_data *rx)
1229 {
1230         struct net_device *dev = rx->dev;
1231         struct ieee80211_local *local = rx->local;
1232         struct sk_buff *skb, *xmit_skb;
1233         struct ieee80211_sub_if_data *sdata = IEEE80211_DEV_TO_SUB_IF(dev);
1234         struct ethhdr *ehdr = (struct ethhdr *) rx->skb->data;
1235         struct sta_info *dsta;
1236
1237         skb = rx->skb;
1238         xmit_skb = NULL;
1239
1240         if (local->bridge_packets && (sdata->vif.type == IEEE80211_IF_TYPE_AP ||
1241                                       sdata->vif.type == IEEE80211_IF_TYPE_VLAN) &&
1242             (rx->flags & IEEE80211_RX_RA_MATCH)) {
1243                 if (is_multicast_ether_addr(ehdr->h_dest)) {
1244                         /*
1245                          * send multicast frames both to higher layers in
1246                          * local net stack and back to the wireless medium
1247                          */
1248                         xmit_skb = skb_copy(skb, GFP_ATOMIC);
1249                         if (!xmit_skb && net_ratelimit())
1250                                 printk(KERN_DEBUG "%s: failed to clone "
1251                                        "multicast frame\n", dev->name);
1252                 } else {
1253                         dsta = sta_info_get(local, skb->data);
1254                         if (dsta && dsta->sdata->dev == dev) {
1255                                 /*
1256                                  * The destination station is associated to
1257                                  * this AP (in this VLAN), so send the frame
1258                                  * directly to it and do not pass it to local
1259                                  * net stack.
1260                                  */
1261                                 xmit_skb = skb;
1262                                 skb = NULL;
1263                         }
1264                 }
1265         }
1266
1267         /* Mesh forwarding */
1268         if (ieee80211_vif_is_mesh(&sdata->vif)) {
1269                 u8 *mesh_ttl = &((struct ieee80211s_hdr *)skb->cb)->ttl;
1270                 (*mesh_ttl)--;
1271
1272                 if (is_multicast_ether_addr(skb->data)) {
1273                         if (*mesh_ttl > 0) {
1274                                 xmit_skb = skb_copy(skb, GFP_ATOMIC);
1275                                 if (xmit_skb)
1276                                         xmit_skb->pkt_type = PACKET_OTHERHOST;
1277                                 else if (net_ratelimit())
1278                                         printk(KERN_DEBUG "%s: failed to clone "
1279                                                "multicast frame\n", dev->name);
1280                         } else
1281                                 IEEE80211_IFSTA_MESH_CTR_INC(&sdata->u.sta,
1282                                                              dropped_frames_ttl);
1283                 } else if (skb->pkt_type != PACKET_OTHERHOST &&
1284                         compare_ether_addr(dev->dev_addr, skb->data) != 0) {
1285                         if (*mesh_ttl == 0) {
1286                                 IEEE80211_IFSTA_MESH_CTR_INC(&sdata->u.sta,
1287                                                              dropped_frames_ttl);
1288                                 dev_kfree_skb(skb);
1289                                 skb = NULL;
1290                         } else {
1291                                 xmit_skb = skb;
1292                                 xmit_skb->pkt_type = PACKET_OTHERHOST;
1293                                 if (!(dev->flags & IFF_PROMISC))
1294                                         skb  = NULL;
1295                         }
1296                 }
1297         }
1298
1299         if (skb) {
1300                 /* deliver to local stack */
1301                 skb->protocol = eth_type_trans(skb, dev);
1302                 memset(skb->cb, 0, sizeof(skb->cb));
1303                 netif_rx(skb);
1304         }
1305
1306         if (xmit_skb) {
1307                 /* send to wireless media */
1308                 xmit_skb->protocol = htons(ETH_P_802_3);
1309                 skb_reset_network_header(xmit_skb);
1310                 skb_reset_mac_header(xmit_skb);
1311                 dev_queue_xmit(xmit_skb);
1312         }
1313 }
1314
1315 static ieee80211_rx_result debug_noinline
1316 ieee80211_rx_h_amsdu(struct ieee80211_rx_data *rx)
1317 {
1318         struct net_device *dev = rx->dev;
1319         struct ieee80211_local *local = rx->local;
1320         u16 fc, ethertype;
1321         u8 *payload;
1322         struct sk_buff *skb = rx->skb, *frame = NULL;
1323         const struct ethhdr *eth;
1324         int remaining, err;
1325         u8 dst[ETH_ALEN];
1326         u8 src[ETH_ALEN];
1327         DECLARE_MAC_BUF(mac);
1328
1329         fc = rx->fc;
1330         if (unlikely((fc & IEEE80211_FCTL_FTYPE) != IEEE80211_FTYPE_DATA))
1331                 return RX_CONTINUE;
1332
1333         if (unlikely(!WLAN_FC_DATA_PRESENT(fc)))
1334                 return RX_DROP_MONITOR;
1335
1336         if (!(rx->flags & IEEE80211_RX_AMSDU))
1337                 return RX_CONTINUE;
1338
1339         err = ieee80211_data_to_8023(rx);
1340         if (unlikely(err))
1341                 return RX_DROP_UNUSABLE;
1342
1343         skb->dev = dev;
1344
1345         dev->stats.rx_packets++;
1346         dev->stats.rx_bytes += skb->len;
1347
1348         /* skip the wrapping header */
1349         eth = (struct ethhdr *) skb_pull(skb, sizeof(struct ethhdr));
1350         if (!eth)
1351                 return RX_DROP_UNUSABLE;
1352
1353         while (skb != frame) {
1354                 u8 padding;
1355                 __be16 len = eth->h_proto;
1356                 unsigned int subframe_len = sizeof(struct ethhdr) + ntohs(len);
1357
1358                 remaining = skb->len;
1359                 memcpy(dst, eth->h_dest, ETH_ALEN);
1360                 memcpy(src, eth->h_source, ETH_ALEN);
1361
1362                 padding = ((4 - subframe_len) & 0x3);
1363                 /* the last MSDU has no padding */
1364                 if (subframe_len > remaining)
1365                         return RX_DROP_UNUSABLE;
1366
1367                 skb_pull(skb, sizeof(struct ethhdr));
1368                 /* if last subframe reuse skb */
1369                 if (remaining <= subframe_len + padding)
1370                         frame = skb;
1371                 else {
1372                         frame = dev_alloc_skb(local->hw.extra_tx_headroom +
1373                                               subframe_len);
1374
1375                         if (frame == NULL)
1376                                 return RX_DROP_UNUSABLE;
1377
1378                         skb_reserve(frame, local->hw.extra_tx_headroom +
1379                                     sizeof(struct ethhdr));
1380                         memcpy(skb_put(frame, ntohs(len)), skb->data,
1381                                 ntohs(len));
1382
1383                         eth = (struct ethhdr *) skb_pull(skb, ntohs(len) +
1384                                                         padding);
1385                         if (!eth) {
1386                                 dev_kfree_skb(frame);
1387                                 return RX_DROP_UNUSABLE;
1388                         }
1389                 }
1390
1391                 skb_reset_network_header(frame);
1392                 frame->dev = dev;
1393                 frame->priority = skb->priority;
1394                 rx->skb = frame;
1395
1396                 payload = frame->data;
1397                 ethertype = (payload[6] << 8) | payload[7];
1398
1399                 if (likely((compare_ether_addr(payload, rfc1042_header) == 0 &&
1400                             ethertype != ETH_P_AARP && ethertype != ETH_P_IPX) ||
1401                            compare_ether_addr(payload,
1402                                               bridge_tunnel_header) == 0)) {
1403                         /* remove RFC1042 or Bridge-Tunnel
1404                          * encapsulation and replace EtherType */
1405                         skb_pull(frame, 6);
1406                         memcpy(skb_push(frame, ETH_ALEN), src, ETH_ALEN);
1407                         memcpy(skb_push(frame, ETH_ALEN), dst, ETH_ALEN);
1408                 } else {
1409                         memcpy(skb_push(frame, sizeof(__be16)),
1410                                &len, sizeof(__be16));
1411                         memcpy(skb_push(frame, ETH_ALEN), src, ETH_ALEN);
1412                         memcpy(skb_push(frame, ETH_ALEN), dst, ETH_ALEN);
1413                 }
1414
1415                 if (!ieee80211_frame_allowed(rx)) {
1416                         if (skb == frame) /* last frame */
1417                                 return RX_DROP_UNUSABLE;
1418                         dev_kfree_skb(frame);
1419                         continue;
1420                 }
1421
1422                 ieee80211_deliver_skb(rx);
1423         }
1424
1425         return RX_QUEUED;
1426 }
1427
1428 static ieee80211_rx_result debug_noinline
1429 ieee80211_rx_h_data(struct ieee80211_rx_data *rx)
1430 {
1431         struct net_device *dev = rx->dev;
1432         u16 fc;
1433         int err;
1434
1435         fc = rx->fc;
1436         if (unlikely((fc & IEEE80211_FCTL_FTYPE) != IEEE80211_FTYPE_DATA))
1437                 return RX_CONTINUE;
1438
1439         if (unlikely(!WLAN_FC_DATA_PRESENT(fc)))
1440                 return RX_DROP_MONITOR;
1441
1442         err = ieee80211_data_to_8023(rx);
1443         if (unlikely(err))
1444                 return RX_DROP_UNUSABLE;
1445
1446         if (!ieee80211_frame_allowed(rx))
1447                 return RX_DROP_MONITOR;
1448
1449         rx->skb->dev = dev;
1450
1451         dev->stats.rx_packets++;
1452         dev->stats.rx_bytes += rx->skb->len;
1453
1454         ieee80211_deliver_skb(rx);
1455
1456         return RX_QUEUED;
1457 }
1458
1459 static ieee80211_rx_result debug_noinline
1460 ieee80211_rx_h_ctrl(struct ieee80211_rx_data *rx)
1461 {
1462         struct ieee80211_local *local = rx->local;
1463         struct ieee80211_hw *hw = &local->hw;
1464         struct sk_buff *skb = rx->skb;
1465         struct ieee80211_bar *bar = (struct ieee80211_bar *)skb->data;
1466         struct tid_ampdu_rx *tid_agg_rx;
1467         u16 start_seq_num;
1468         u16 tid;
1469
1470         if (likely(!ieee80211_is_ctl(bar->frame_control)))
1471                 return RX_CONTINUE;
1472
1473         if (ieee80211_is_back_req(bar->frame_control)) {
1474                 if (!rx->sta)
1475                         return RX_CONTINUE;
1476                 tid = le16_to_cpu(bar->control) >> 12;
1477                 if (rx->sta->ampdu_mlme.tid_state_rx[tid]
1478                                         != HT_AGG_STATE_OPERATIONAL)
1479                         return RX_CONTINUE;
1480                 tid_agg_rx = rx->sta->ampdu_mlme.tid_rx[tid];
1481
1482                 start_seq_num = le16_to_cpu(bar->start_seq_num) >> 4;
1483
1484                 /* reset session timer */
1485                 if (tid_agg_rx->timeout) {
1486                         unsigned long expires =
1487                                 jiffies + (tid_agg_rx->timeout / 1000) * HZ;
1488                         mod_timer(&tid_agg_rx->session_timer, expires);
1489                 }
1490
1491                 /* manage reordering buffer according to requested */
1492                 /* sequence number */
1493                 rcu_read_lock();
1494                 ieee80211_sta_manage_reorder_buf(hw, tid_agg_rx, NULL,
1495                                                  start_seq_num, 1);
1496                 rcu_read_unlock();
1497                 return RX_DROP_UNUSABLE;
1498         }
1499
1500         return RX_CONTINUE;
1501 }
1502
1503 static ieee80211_rx_result debug_noinline
1504 ieee80211_rx_h_mgmt(struct ieee80211_rx_data *rx)
1505 {
1506         struct ieee80211_sub_if_data *sdata;
1507
1508         if (!(rx->flags & IEEE80211_RX_RA_MATCH))
1509                 return RX_DROP_MONITOR;
1510
1511         sdata = IEEE80211_DEV_TO_SUB_IF(rx->dev);
1512         if ((sdata->vif.type == IEEE80211_IF_TYPE_STA ||
1513              sdata->vif.type == IEEE80211_IF_TYPE_IBSS ||
1514              sdata->vif.type == IEEE80211_IF_TYPE_MESH_POINT) &&
1515             !(sdata->flags & IEEE80211_SDATA_USERSPACE_MLME))
1516                 ieee80211_sta_rx_mgmt(rx->dev, rx->skb, rx->status);
1517         else
1518                 return RX_DROP_MONITOR;
1519
1520         return RX_QUEUED;
1521 }
1522
1523 static void ieee80211_rx_michael_mic_report(struct net_device *dev,
1524                                             struct ieee80211_hdr *hdr,
1525                                             struct ieee80211_rx_data *rx)
1526 {
1527         int keyidx;
1528         unsigned int hdrlen;
1529         DECLARE_MAC_BUF(mac);
1530         DECLARE_MAC_BUF(mac2);
1531
1532         hdrlen = ieee80211_hdrlen(hdr->frame_control);
1533         if (rx->skb->len >= hdrlen + 4)
1534                 keyidx = rx->skb->data[hdrlen + 3] >> 6;
1535         else
1536                 keyidx = -1;
1537
1538         if (!rx->sta) {
1539                 /*
1540                  * Some hardware seem to generate incorrect Michael MIC
1541                  * reports; ignore them to avoid triggering countermeasures.
1542                  */
1543                 goto ignore;
1544         }
1545
1546         if (!ieee80211_has_protected(hdr->frame_control))
1547                 goto ignore;
1548
1549         if (rx->sdata->vif.type == IEEE80211_IF_TYPE_AP && keyidx) {
1550                 /*
1551                  * APs with pairwise keys should never receive Michael MIC
1552                  * errors for non-zero keyidx because these are reserved for
1553                  * group keys and only the AP is sending real multicast
1554                  * frames in the BSS.
1555                  */
1556                 goto ignore;
1557         }
1558
1559         if (!ieee80211_is_data(hdr->frame_control) &&
1560             !ieee80211_is_auth(hdr->frame_control))
1561                 goto ignore;
1562
1563         mac80211_ev_michael_mic_failure(rx->dev, keyidx, hdr);
1564  ignore:
1565         dev_kfree_skb(rx->skb);
1566         rx->skb = NULL;
1567 }
1568
1569 /* TODO: use IEEE80211_RX_FRAGMENTED */
1570 static void ieee80211_rx_cooked_monitor(struct ieee80211_rx_data *rx)
1571 {
1572         struct ieee80211_sub_if_data *sdata;
1573         struct ieee80211_local *local = rx->local;
1574         struct ieee80211_rtap_hdr {
1575                 struct ieee80211_radiotap_header hdr;
1576                 u8 flags;
1577                 u8 rate;
1578                 __le16 chan_freq;
1579                 __le16 chan_flags;
1580         } __attribute__ ((packed)) *rthdr;
1581         struct sk_buff *skb = rx->skb, *skb2;
1582         struct net_device *prev_dev = NULL;
1583         struct ieee80211_rx_status *status = rx->status;
1584
1585         if (rx->flags & IEEE80211_RX_CMNTR_REPORTED)
1586                 goto out_free_skb;
1587
1588         if (skb_headroom(skb) < sizeof(*rthdr) &&
1589             pskb_expand_head(skb, sizeof(*rthdr), 0, GFP_ATOMIC))
1590                 goto out_free_skb;
1591
1592         rthdr = (void *)skb_push(skb, sizeof(*rthdr));
1593         memset(rthdr, 0, sizeof(*rthdr));
1594         rthdr->hdr.it_len = cpu_to_le16(sizeof(*rthdr));
1595         rthdr->hdr.it_present =
1596                 cpu_to_le32((1 << IEEE80211_RADIOTAP_FLAGS) |
1597                             (1 << IEEE80211_RADIOTAP_RATE) |
1598                             (1 << IEEE80211_RADIOTAP_CHANNEL));
1599
1600         rthdr->rate = rx->rate->bitrate / 5;
1601         rthdr->chan_freq = cpu_to_le16(status->freq);
1602
1603         if (status->band == IEEE80211_BAND_5GHZ)
1604                 rthdr->chan_flags = cpu_to_le16(IEEE80211_CHAN_OFDM |
1605                                                 IEEE80211_CHAN_5GHZ);
1606         else
1607                 rthdr->chan_flags = cpu_to_le16(IEEE80211_CHAN_DYN |
1608                                                 IEEE80211_CHAN_2GHZ);
1609
1610         skb_set_mac_header(skb, 0);
1611         skb->ip_summed = CHECKSUM_UNNECESSARY;
1612         skb->pkt_type = PACKET_OTHERHOST;
1613         skb->protocol = htons(ETH_P_802_2);
1614
1615         list_for_each_entry_rcu(sdata, &local->interfaces, list) {
1616                 if (!netif_running(sdata->dev))
1617                         continue;
1618
1619                 if (sdata->vif.type != IEEE80211_IF_TYPE_MNTR ||
1620                     !(sdata->u.mntr_flags & MONITOR_FLAG_COOK_FRAMES))
1621                         continue;
1622
1623                 if (prev_dev) {
1624                         skb2 = skb_clone(skb, GFP_ATOMIC);
1625                         if (skb2) {
1626                                 skb2->dev = prev_dev;
1627                                 netif_rx(skb2);
1628                         }
1629                 }
1630
1631                 prev_dev = sdata->dev;
1632                 sdata->dev->stats.rx_packets++;
1633                 sdata->dev->stats.rx_bytes += skb->len;
1634         }
1635
1636         if (prev_dev) {
1637                 skb->dev = prev_dev;
1638                 netif_rx(skb);
1639                 skb = NULL;
1640         } else
1641                 goto out_free_skb;
1642
1643         rx->flags |= IEEE80211_RX_CMNTR_REPORTED;
1644         return;
1645
1646  out_free_skb:
1647         dev_kfree_skb(skb);
1648 }
1649
1650
1651 static void ieee80211_invoke_rx_handlers(struct ieee80211_sub_if_data *sdata,
1652                                          struct ieee80211_rx_data *rx,
1653                                          struct sk_buff *skb)
1654 {
1655         ieee80211_rx_result res = RX_DROP_MONITOR;
1656
1657         rx->skb = skb;
1658         rx->sdata = sdata;
1659         rx->dev = sdata->dev;
1660
1661 #define CALL_RXH(rxh)           \
1662         res = rxh(rx);          \
1663         if (res != RX_CONTINUE) \
1664                 goto rxh_done;
1665
1666         CALL_RXH(ieee80211_rx_h_passive_scan)
1667         CALL_RXH(ieee80211_rx_h_check)
1668         CALL_RXH(ieee80211_rx_h_decrypt)
1669         CALL_RXH(ieee80211_rx_h_sta_process)
1670         CALL_RXH(ieee80211_rx_h_defragment)
1671         CALL_RXH(ieee80211_rx_h_ps_poll)
1672         CALL_RXH(ieee80211_rx_h_michael_mic_verify)
1673         /* must be after MMIC verify so header is counted in MPDU mic */
1674         CALL_RXH(ieee80211_rx_h_remove_qos_control)
1675         CALL_RXH(ieee80211_rx_h_amsdu)
1676         CALL_RXH(ieee80211_rx_h_data)
1677         CALL_RXH(ieee80211_rx_h_ctrl)
1678         CALL_RXH(ieee80211_rx_h_mgmt)
1679
1680 #undef CALL_RXH
1681
1682  rxh_done:
1683         switch (res) {
1684         case RX_DROP_MONITOR:
1685                 I802_DEBUG_INC(sdata->local->rx_handlers_drop);
1686                 if (rx->sta)
1687                         rx->sta->rx_dropped++;
1688                 /* fall through */
1689         case RX_CONTINUE:
1690                 ieee80211_rx_cooked_monitor(rx);
1691                 break;
1692         case RX_DROP_UNUSABLE:
1693                 I802_DEBUG_INC(sdata->local->rx_handlers_drop);
1694                 if (rx->sta)
1695                         rx->sta->rx_dropped++;
1696                 dev_kfree_skb(rx->skb);
1697                 break;
1698         case RX_QUEUED:
1699                 I802_DEBUG_INC(sdata->local->rx_handlers_queued);
1700                 break;
1701         }
1702 }
1703
1704 /* main receive path */
1705
1706 static int prepare_for_handlers(struct ieee80211_sub_if_data *sdata,
1707                                 u8 *bssid, struct ieee80211_rx_data *rx,
1708                                 struct ieee80211_hdr *hdr)
1709 {
1710         int multicast = is_multicast_ether_addr(hdr->addr1);
1711
1712         switch (sdata->vif.type) {
1713         case IEEE80211_IF_TYPE_STA:
1714                 if (!bssid)
1715                         return 0;
1716                 if (!ieee80211_bssid_match(bssid, sdata->u.sta.bssid)) {
1717                         if (!(rx->flags & IEEE80211_RX_IN_SCAN))
1718                                 return 0;
1719                         rx->flags &= ~IEEE80211_RX_RA_MATCH;
1720                 } else if (!multicast &&
1721                            compare_ether_addr(sdata->dev->dev_addr,
1722                                               hdr->addr1) != 0) {
1723                         if (!(sdata->dev->flags & IFF_PROMISC))
1724                                 return 0;
1725                         rx->flags &= ~IEEE80211_RX_RA_MATCH;
1726                 }
1727                 break;
1728         case IEEE80211_IF_TYPE_IBSS:
1729                 if (!bssid)
1730                         return 0;
1731                 if (ieee80211_is_beacon(hdr->frame_control)) {
1732                         if (!rx->sta)
1733                                 rx->sta = ieee80211_ibss_add_sta(sdata->dev,
1734                                                 rx->skb, bssid, hdr->addr2,
1735                                                 BIT(rx->status->rate_idx));
1736                         return 1;
1737                 }
1738                 else if (!ieee80211_bssid_match(bssid, sdata->u.sta.bssid)) {
1739                         if (!(rx->flags & IEEE80211_RX_IN_SCAN))
1740                                 return 0;
1741                         rx->flags &= ~IEEE80211_RX_RA_MATCH;
1742                 } else if (!multicast &&
1743                            compare_ether_addr(sdata->dev->dev_addr,
1744                                               hdr->addr1) != 0) {
1745                         if (!(sdata->dev->flags & IFF_PROMISC))
1746                                 return 0;
1747                         rx->flags &= ~IEEE80211_RX_RA_MATCH;
1748                 } else if (!rx->sta)
1749                         rx->sta = ieee80211_ibss_add_sta(sdata->dev, rx->skb,
1750                                                 bssid, hdr->addr2,
1751                                                 BIT(rx->status->rate_idx));
1752                 break;
1753         case IEEE80211_IF_TYPE_MESH_POINT:
1754                 if (!multicast &&
1755                     compare_ether_addr(sdata->dev->dev_addr,
1756                                        hdr->addr1) != 0) {
1757                         if (!(sdata->dev->flags & IFF_PROMISC))
1758                                 return 0;
1759
1760                         rx->flags &= ~IEEE80211_RX_RA_MATCH;
1761                 }
1762                 break;
1763         case IEEE80211_IF_TYPE_VLAN:
1764         case IEEE80211_IF_TYPE_AP:
1765                 if (!bssid) {
1766                         if (compare_ether_addr(sdata->dev->dev_addr,
1767                                                hdr->addr1))
1768                                 return 0;
1769                 } else if (!ieee80211_bssid_match(bssid,
1770                                         sdata->dev->dev_addr)) {
1771                         if (!(rx->flags & IEEE80211_RX_IN_SCAN))
1772                                 return 0;
1773                         rx->flags &= ~IEEE80211_RX_RA_MATCH;
1774                 }
1775                 break;
1776         case IEEE80211_IF_TYPE_WDS:
1777                 if (bssid || !ieee80211_is_data(hdr->frame_control))
1778                         return 0;
1779                 if (compare_ether_addr(sdata->u.wds.remote_addr, hdr->addr2))
1780                         return 0;
1781                 break;
1782         case IEEE80211_IF_TYPE_MNTR:
1783                 /* take everything */
1784                 break;
1785         case IEEE80211_IF_TYPE_INVALID:
1786                 /* should never get here */
1787                 WARN_ON(1);
1788                 break;
1789         }
1790
1791         return 1;
1792 }
1793
1794 /*
1795  * This is the actual Rx frames handler. as it blongs to Rx path it must
1796  * be called with rcu_read_lock protection.
1797  */
1798 static void __ieee80211_rx_handle_packet(struct ieee80211_hw *hw,
1799                                          struct sk_buff *skb,
1800                                          struct ieee80211_rx_status *status,
1801                                          struct ieee80211_rate *rate)
1802 {
1803         struct ieee80211_local *local = hw_to_local(hw);
1804         struct ieee80211_sub_if_data *sdata;
1805         struct ieee80211_hdr *hdr;
1806         struct ieee80211_rx_data rx;
1807         u16 type;
1808         int prepares;
1809         struct ieee80211_sub_if_data *prev = NULL;
1810         struct sk_buff *skb_new;
1811         u8 *bssid;
1812
1813         hdr = (struct ieee80211_hdr *) skb->data;
1814         memset(&rx, 0, sizeof(rx));
1815         rx.skb = skb;
1816         rx.local = local;
1817
1818         rx.status = status;
1819         rx.rate = rate;
1820         rx.fc = le16_to_cpu(hdr->frame_control);
1821         type = rx.fc & IEEE80211_FCTL_FTYPE;
1822
1823         if (type == IEEE80211_FTYPE_DATA || type == IEEE80211_FTYPE_MGMT)
1824                 local->dot11ReceivedFragmentCount++;
1825
1826         rx.sta = sta_info_get(local, hdr->addr2);
1827         if (rx.sta) {
1828                 rx.sdata = rx.sta->sdata;
1829                 rx.dev = rx.sta->sdata->dev;
1830         }
1831
1832         if ((status->flag & RX_FLAG_MMIC_ERROR)) {
1833                 ieee80211_rx_michael_mic_report(local->mdev, hdr, &rx);
1834                 return;
1835         }
1836
1837         if (unlikely(local->sta_sw_scanning || local->sta_hw_scanning))
1838                 rx.flags |= IEEE80211_RX_IN_SCAN;
1839
1840         ieee80211_parse_qos(&rx);
1841         ieee80211_verify_ip_alignment(&rx);
1842
1843         skb = rx.skb;
1844
1845         list_for_each_entry_rcu(sdata, &local->interfaces, list) {
1846                 if (!netif_running(sdata->dev))
1847                         continue;
1848
1849                 if (sdata->vif.type == IEEE80211_IF_TYPE_MNTR)
1850                         continue;
1851
1852                 bssid = ieee80211_get_bssid(hdr, skb->len, sdata->vif.type);
1853                 rx.flags |= IEEE80211_RX_RA_MATCH;
1854                 prepares = prepare_for_handlers(sdata, bssid, &rx, hdr);
1855
1856                 if (!prepares)
1857                         continue;
1858
1859                 /*
1860                  * frame is destined for this interface, but if it's not
1861                  * also for the previous one we handle that after the
1862                  * loop to avoid copying the SKB once too much
1863                  */
1864
1865                 if (!prev) {
1866                         prev = sdata;
1867                         continue;
1868                 }
1869
1870                 /*
1871                  * frame was destined for the previous interface
1872                  * so invoke RX handlers for it
1873                  */
1874
1875                 skb_new = skb_copy(skb, GFP_ATOMIC);
1876                 if (!skb_new) {
1877                         if (net_ratelimit())
1878                                 printk(KERN_DEBUG "%s: failed to copy "
1879                                        "multicast frame for %s\n",
1880                                        wiphy_name(local->hw.wiphy),
1881                                        prev->dev->name);
1882                         continue;
1883                 }
1884                 rx.fc = le16_to_cpu(hdr->frame_control);
1885                 ieee80211_invoke_rx_handlers(prev, &rx, skb_new);
1886                 prev = sdata;
1887         }
1888         if (prev) {
1889                 rx.fc = le16_to_cpu(hdr->frame_control);
1890                 ieee80211_invoke_rx_handlers(prev, &rx, skb);
1891         } else
1892                 dev_kfree_skb(skb);
1893 }
1894
1895 #define SEQ_MODULO 0x1000
1896 #define SEQ_MASK   0xfff
1897
1898 static inline int seq_less(u16 sq1, u16 sq2)
1899 {
1900         return (((sq1 - sq2) & SEQ_MASK) > (SEQ_MODULO >> 1));
1901 }
1902
1903 static inline u16 seq_inc(u16 sq)
1904 {
1905         return ((sq + 1) & SEQ_MASK);
1906 }
1907
1908 static inline u16 seq_sub(u16 sq1, u16 sq2)
1909 {
1910         return ((sq1 - sq2) & SEQ_MASK);
1911 }
1912
1913
1914 /*
1915  * As it function blongs to Rx path it must be called with
1916  * the proper rcu_read_lock protection for its flow.
1917  */
1918 u8 ieee80211_sta_manage_reorder_buf(struct ieee80211_hw *hw,
1919                                 struct tid_ampdu_rx *tid_agg_rx,
1920                                 struct sk_buff *skb, u16 mpdu_seq_num,
1921                                 int bar_req)
1922 {
1923         struct ieee80211_local *local = hw_to_local(hw);
1924         struct ieee80211_rx_status status;
1925         u16 head_seq_num, buf_size;
1926         int index;
1927         struct ieee80211_supported_band *sband;
1928         struct ieee80211_rate *rate;
1929
1930         buf_size = tid_agg_rx->buf_size;
1931         head_seq_num = tid_agg_rx->head_seq_num;
1932
1933         /* frame with out of date sequence number */
1934         if (seq_less(mpdu_seq_num, head_seq_num)) {
1935                 dev_kfree_skb(skb);
1936                 return 1;
1937         }
1938
1939         /* if frame sequence number exceeds our buffering window size or
1940          * block Ack Request arrived - release stored frames */
1941         if ((!seq_less(mpdu_seq_num, head_seq_num + buf_size)) || (bar_req)) {
1942                 /* new head to the ordering buffer */
1943                 if (bar_req)
1944                         head_seq_num = mpdu_seq_num;
1945                 else
1946                         head_seq_num =
1947                                 seq_inc(seq_sub(mpdu_seq_num, buf_size));
1948                 /* release stored frames up to new head to stack */
1949                 while (seq_less(tid_agg_rx->head_seq_num, head_seq_num)) {
1950                         index = seq_sub(tid_agg_rx->head_seq_num,
1951                                 tid_agg_rx->ssn)
1952                                 % tid_agg_rx->buf_size;
1953
1954                         if (tid_agg_rx->reorder_buf[index]) {
1955                                 /* release the reordered frames to stack */
1956                                 memcpy(&status,
1957                                         tid_agg_rx->reorder_buf[index]->cb,
1958                                         sizeof(status));
1959                                 sband = local->hw.wiphy->bands[status.band];
1960                                 rate = &sband->bitrates[status.rate_idx];
1961                                 __ieee80211_rx_handle_packet(hw,
1962                                         tid_agg_rx->reorder_buf[index],
1963                                         &status, rate);
1964                                 tid_agg_rx->stored_mpdu_num--;
1965                                 tid_agg_rx->reorder_buf[index] = NULL;
1966                         }
1967                         tid_agg_rx->head_seq_num =
1968                                 seq_inc(tid_agg_rx->head_seq_num);
1969                 }
1970                 if (bar_req)
1971                         return 1;
1972         }
1973
1974         /* now the new frame is always in the range of the reordering */
1975         /* buffer window */
1976         index = seq_sub(mpdu_seq_num, tid_agg_rx->ssn)
1977                                 % tid_agg_rx->buf_size;
1978         /* check if we already stored this frame */
1979         if (tid_agg_rx->reorder_buf[index]) {
1980                 dev_kfree_skb(skb);
1981                 return 1;
1982         }
1983
1984         /* if arrived mpdu is in the right order and nothing else stored */
1985         /* release it immediately */
1986         if (mpdu_seq_num == tid_agg_rx->head_seq_num &&
1987                         tid_agg_rx->stored_mpdu_num == 0) {
1988                 tid_agg_rx->head_seq_num =
1989                         seq_inc(tid_agg_rx->head_seq_num);
1990                 return 0;
1991         }
1992
1993         /* put the frame in the reordering buffer */
1994         tid_agg_rx->reorder_buf[index] = skb;
1995         tid_agg_rx->stored_mpdu_num++;
1996         /* release the buffer until next missing frame */
1997         index = seq_sub(tid_agg_rx->head_seq_num, tid_agg_rx->ssn)
1998                                                 % tid_agg_rx->buf_size;
1999         while (tid_agg_rx->reorder_buf[index]) {
2000                 /* release the reordered frame back to stack */
2001                 memcpy(&status, tid_agg_rx->reorder_buf[index]->cb,
2002                         sizeof(status));
2003                 sband = local->hw.wiphy->bands[status.band];
2004                 rate = &sband->bitrates[status.rate_idx];
2005                 __ieee80211_rx_handle_packet(hw, tid_agg_rx->reorder_buf[index],
2006                                              &status, rate);
2007                 tid_agg_rx->stored_mpdu_num--;
2008                 tid_agg_rx->reorder_buf[index] = NULL;
2009                 tid_agg_rx->head_seq_num = seq_inc(tid_agg_rx->head_seq_num);
2010                 index = seq_sub(tid_agg_rx->head_seq_num,
2011                         tid_agg_rx->ssn) % tid_agg_rx->buf_size;
2012         }
2013         return 1;
2014 }
2015
2016 static u8 ieee80211_rx_reorder_ampdu(struct ieee80211_local *local,
2017                                      struct sk_buff *skb)
2018 {
2019         struct ieee80211_hw *hw = &local->hw;
2020         struct ieee80211_hdr *hdr = (struct ieee80211_hdr *) skb->data;
2021         struct sta_info *sta;
2022         struct tid_ampdu_rx *tid_agg_rx;
2023         u16 sc;
2024         u16 mpdu_seq_num;
2025         u8 ret = 0;
2026         int tid;
2027
2028         sta = sta_info_get(local, hdr->addr2);
2029         if (!sta)
2030                 return ret;
2031
2032         /* filter the QoS data rx stream according to
2033          * STA/TID and check if this STA/TID is on aggregation */
2034         if (!ieee80211_is_data_qos(hdr->frame_control))
2035                 goto end_reorder;
2036
2037         tid = *ieee80211_get_qos_ctl(hdr) & IEEE80211_QOS_CTL_TID_MASK;
2038
2039         if (sta->ampdu_mlme.tid_state_rx[tid] != HT_AGG_STATE_OPERATIONAL)
2040                 goto end_reorder;
2041
2042         tid_agg_rx = sta->ampdu_mlme.tid_rx[tid];
2043
2044         /* null data frames are excluded */
2045         if (unlikely(ieee80211_is_nullfunc(hdr->frame_control)))
2046                 goto end_reorder;
2047
2048         /* new un-ordered ampdu frame - process it */
2049
2050         /* reset session timer */
2051         if (tid_agg_rx->timeout) {
2052                 unsigned long expires =
2053                         jiffies + (tid_agg_rx->timeout / 1000) * HZ;
2054                 mod_timer(&tid_agg_rx->session_timer, expires);
2055         }
2056
2057         /* if this mpdu is fragmented - terminate rx aggregation session */
2058         sc = le16_to_cpu(hdr->seq_ctrl);
2059         if (sc & IEEE80211_SCTL_FRAG) {
2060                 ieee80211_sta_stop_rx_ba_session(sta->sdata->dev, sta->addr,
2061                         tid, 0, WLAN_REASON_QSTA_REQUIRE_SETUP);
2062                 ret = 1;
2063                 goto end_reorder;
2064         }
2065
2066         /* according to mpdu sequence number deal with reordering buffer */
2067         mpdu_seq_num = (sc & IEEE80211_SCTL_SEQ) >> 4;
2068         ret = ieee80211_sta_manage_reorder_buf(hw, tid_agg_rx, skb,
2069                                                 mpdu_seq_num, 0);
2070  end_reorder:
2071         return ret;
2072 }
2073
2074 /*
2075  * This is the receive path handler. It is called by a low level driver when an
2076  * 802.11 MPDU is received from the hardware.
2077  */
2078 void __ieee80211_rx(struct ieee80211_hw *hw, struct sk_buff *skb,
2079                     struct ieee80211_rx_status *status)
2080 {
2081         struct ieee80211_local *local = hw_to_local(hw);
2082         struct ieee80211_rate *rate = NULL;
2083         struct ieee80211_supported_band *sband;
2084
2085         if (status->band < 0 ||
2086             status->band >= IEEE80211_NUM_BANDS) {
2087                 WARN_ON(1);
2088                 return;
2089         }
2090
2091         sband = local->hw.wiphy->bands[status->band];
2092
2093         if (!sband ||
2094             status->rate_idx < 0 ||
2095             status->rate_idx >= sband->n_bitrates) {
2096                 WARN_ON(1);
2097                 return;
2098         }
2099
2100         rate = &sband->bitrates[status->rate_idx];
2101
2102         /*
2103          * key references and virtual interfaces are protected using RCU
2104          * and this requires that we are in a read-side RCU section during
2105          * receive processing
2106          */
2107         rcu_read_lock();
2108
2109         /*
2110          * Frames with failed FCS/PLCP checksum are not returned,
2111          * all other frames are returned without radiotap header
2112          * if it was previously present.
2113          * Also, frames with less than 16 bytes are dropped.
2114          */
2115         skb = ieee80211_rx_monitor(local, skb, status, rate);
2116         if (!skb) {
2117                 rcu_read_unlock();
2118                 return;
2119         }
2120
2121         if (!ieee80211_rx_reorder_ampdu(local, skb))
2122                 __ieee80211_rx_handle_packet(hw, skb, status, rate);
2123
2124         rcu_read_unlock();
2125 }
2126 EXPORT_SYMBOL(__ieee80211_rx);
2127
2128 /* This is a version of the rx handler that can be called from hard irq
2129  * context. Post the skb on the queue and schedule the tasklet */
2130 void ieee80211_rx_irqsafe(struct ieee80211_hw *hw, struct sk_buff *skb,
2131                           struct ieee80211_rx_status *status)
2132 {
2133         struct ieee80211_local *local = hw_to_local(hw);
2134
2135         BUILD_BUG_ON(sizeof(struct ieee80211_rx_status) > sizeof(skb->cb));
2136
2137         skb->dev = local->mdev;
2138         /* copy status into skb->cb for use by tasklet */
2139         memcpy(skb->cb, status, sizeof(*status));
2140         skb->pkt_type = IEEE80211_RX_MSG;
2141         skb_queue_tail(&local->skb_queue, skb);
2142         tasklet_schedule(&local->tasklet);
2143 }
2144 EXPORT_SYMBOL(ieee80211_rx_irqsafe);