aboutsummaryrefslogtreecommitdiffstats
path: root/net/mac80211/rx.c
diff options
context:
space:
mode:
Diffstat (limited to 'net/mac80211/rx.c')
-rw-r--r--net/mac80211/rx.c696
1 files changed, 408 insertions, 288 deletions
diff --git a/net/mac80211/rx.c b/net/mac80211/rx.c
index 82a30c1bf3ab..28624282c5f3 100644
--- a/net/mac80211/rx.c
+++ b/net/mac80211/rx.c
@@ -2,7 +2,7 @@
2 * Copyright 2002-2005, Instant802 Networks, Inc. 2 * Copyright 2002-2005, Instant802 Networks, Inc.
3 * Copyright 2005-2006, Devicescape Software, Inc. 3 * Copyright 2005-2006, Devicescape Software, Inc.
4 * Copyright 2006-2007 Jiri Benc <jbenc@suse.cz> 4 * Copyright 2006-2007 Jiri Benc <jbenc@suse.cz>
5 * Copyright 2007 Johannes Berg <johannes@sipsolutions.net> 5 * Copyright 2007-2010 Johannes Berg <johannes@sipsolutions.net>
6 * 6 *
7 * This program is free software; you can redistribute it and/or modify 7 * This program is free software; you can redistribute it and/or modify
8 * it under the terms of the GNU General Public License version 2 as 8 * it under the terms of the GNU General Public License version 2 as
@@ -10,6 +10,7 @@
10 */ 10 */
11 11
12#include <linux/jiffies.h> 12#include <linux/jiffies.h>
13#include <linux/slab.h>
13#include <linux/kernel.h> 14#include <linux/kernel.h>
14#include <linux/skbuff.h> 15#include <linux/skbuff.h>
15#include <linux/netdevice.h> 16#include <linux/netdevice.h>
@@ -38,7 +39,7 @@ static struct sk_buff *remove_monitor_info(struct ieee80211_local *local,
38{ 39{
39 if (local->hw.flags & IEEE80211_HW_RX_INCLUDES_FCS) { 40 if (local->hw.flags & IEEE80211_HW_RX_INCLUDES_FCS) {
40 if (likely(skb->len > FCS_LEN)) 41 if (likely(skb->len > FCS_LEN))
41 skb_trim(skb, skb->len - FCS_LEN); 42 __pskb_trim(skb, skb->len - FCS_LEN);
42 else { 43 else {
43 /* driver bug */ 44 /* driver bug */
44 WARN_ON(1); 45 WARN_ON(1);
@@ -80,8 +81,6 @@ ieee80211_rx_radiotap_len(struct ieee80211_local *local,
80 len += 8; 81 len += 8;
81 if (local->hw.flags & IEEE80211_HW_SIGNAL_DBM) 82 if (local->hw.flags & IEEE80211_HW_SIGNAL_DBM)
82 len += 1; 83 len += 1;
83 if (local->hw.flags & IEEE80211_HW_NOISE_DBM)
84 len += 1;
85 84
86 if (len & 1) /* padding for RX_FLAGS if necessary */ 85 if (len & 1) /* padding for RX_FLAGS if necessary */
87 len++; 86 len++;
@@ -178,14 +177,6 @@ ieee80211_add_rx_radiotap_header(struct ieee80211_local *local,
178 pos++; 177 pos++;
179 } 178 }
180 179
181 /* IEEE80211_RADIOTAP_DBM_ANTNOISE */
182 if (local->hw.flags & IEEE80211_HW_NOISE_DBM) {
183 *pos = status->noise;
184 rthdr->it_present |=
185 cpu_to_le32(1 << IEEE80211_RADIOTAP_DBM_ANTNOISE);
186 pos++;
187 }
188
189 /* IEEE80211_RADIOTAP_LOCK_QUALITY is missing */ 180 /* IEEE80211_RADIOTAP_LOCK_QUALITY is missing */
190 181
191 /* IEEE80211_RADIOTAP_ANTENNA */ 182 /* IEEE80211_RADIOTAP_ANTENNA */
@@ -235,6 +226,12 @@ ieee80211_rx_monitor(struct ieee80211_local *local, struct sk_buff *origskb,
235 if (local->hw.flags & IEEE80211_HW_RX_INCLUDES_FCS) 226 if (local->hw.flags & IEEE80211_HW_RX_INCLUDES_FCS)
236 present_fcs_len = FCS_LEN; 227 present_fcs_len = FCS_LEN;
237 228
229 /* make sure hdr->frame_control is on the linear part */
230 if (!pskb_may_pull(origskb, 2)) {
231 dev_kfree_skb(origskb);
232 return NULL;
233 }
234
238 if (!local->monitors) { 235 if (!local->monitors) {
239 if (should_drop_frame(origskb, present_fcs_len)) { 236 if (should_drop_frame(origskb, present_fcs_len)) {
240 dev_kfree_skb(origskb); 237 dev_kfree_skb(origskb);
@@ -283,20 +280,20 @@ ieee80211_rx_monitor(struct ieee80211_local *local, struct sk_buff *origskb,
283 skb->protocol = htons(ETH_P_802_2); 280 skb->protocol = htons(ETH_P_802_2);
284 281
285 list_for_each_entry_rcu(sdata, &local->interfaces, list) { 282 list_for_each_entry_rcu(sdata, &local->interfaces, list) {
286 if (!netif_running(sdata->dev))
287 continue;
288
289 if (sdata->vif.type != NL80211_IFTYPE_MONITOR) 283 if (sdata->vif.type != NL80211_IFTYPE_MONITOR)
290 continue; 284 continue;
291 285
292 if (sdata->u.mntr_flags & MONITOR_FLAG_COOK_FRAMES) 286 if (sdata->u.mntr_flags & MONITOR_FLAG_COOK_FRAMES)
293 continue; 287 continue;
294 288
289 if (!ieee80211_sdata_running(sdata))
290 continue;
291
295 if (prev_dev) { 292 if (prev_dev) {
296 skb2 = skb_clone(skb, GFP_ATOMIC); 293 skb2 = skb_clone(skb, GFP_ATOMIC);
297 if (skb2) { 294 if (skb2) {
298 skb2->dev = prev_dev; 295 skb2->dev = prev_dev;
299 netif_rx(skb2); 296 netif_receive_skb(skb2);
300 } 297 }
301 } 298 }
302 299
@@ -307,7 +304,7 @@ ieee80211_rx_monitor(struct ieee80211_local *local, struct sk_buff *origskb,
307 304
308 if (prev_dev) { 305 if (prev_dev) {
309 skb->dev = prev_dev; 306 skb->dev = prev_dev;
310 netif_rx(skb); 307 netif_receive_skb(skb);
311 } else 308 } else
312 dev_kfree_skb(skb); 309 dev_kfree_skb(skb);
313 310
@@ -361,7 +358,9 @@ static void ieee80211_parse_qos(struct ieee80211_rx_data *rx)
361 * boundary. In the case of regular frames, this simply means aligning the 358 * boundary. In the case of regular frames, this simply means aligning the
362 * payload to a four-byte boundary (because either the IP header is directly 359 * payload to a four-byte boundary (because either the IP header is directly
363 * contained, or IV/RFC1042 headers that have a length divisible by four are 360 * contained, or IV/RFC1042 headers that have a length divisible by four are
364 * in front of it). 361 * in front of it). If the payload data is not properly aligned and the
362 * architecture doesn't support efficient unaligned operations, mac80211
363 * will align the data.
365 * 364 *
366 * With A-MSDU frames, however, the payload data address must yield two modulo 365 * With A-MSDU frames, however, the payload data address must yield two modulo
367 * four because there are 14-byte 802.3 headers within the A-MSDU frames that 366 * four because there are 14-byte 802.3 headers within the A-MSDU frames that
@@ -375,25 +374,10 @@ static void ieee80211_parse_qos(struct ieee80211_rx_data *rx)
375 */ 374 */
376static void ieee80211_verify_alignment(struct ieee80211_rx_data *rx) 375static void ieee80211_verify_alignment(struct ieee80211_rx_data *rx)
377{ 376{
378 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)rx->skb->data; 377#ifdef CONFIG_MAC80211_VERBOSE_DEBUG
379 int hdrlen; 378 WARN_ONCE((unsigned long)rx->skb->data & 1,
380 379 "unaligned packet at 0x%p\n", rx->skb->data);
381#ifndef CONFIG_MAC80211_DEBUG_PACKET_ALIGNMENT
382 return;
383#endif 380#endif
384
385 if (WARN_ONCE((unsigned long)rx->skb->data & 1,
386 "unaligned packet at 0x%p\n", rx->skb->data))
387 return;
388
389 if (!ieee80211_is_data_present(hdr->frame_control))
390 return;
391
392 hdrlen = ieee80211_hdrlen(hdr->frame_control);
393 if (rx->flags & IEEE80211_RX_AMSDU)
394 hdrlen += ETH_HLEN;
395 WARN_ONCE(((unsigned long)(rx->skb->data + hdrlen)) & 3,
396 "unaligned IP payload at 0x%p\n", rx->skb->data + hdrlen);
397} 381}
398 382
399 383
@@ -476,7 +460,7 @@ ieee80211_rx_mesh_check(struct ieee80211_rx_data *rx)
476{ 460{
477 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)rx->skb->data; 461 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)rx->skb->data;
478 unsigned int hdrlen = ieee80211_hdrlen(hdr->frame_control); 462 unsigned int hdrlen = ieee80211_hdrlen(hdr->frame_control);
479 char *dev_addr = rx->sdata->dev->dev_addr; 463 char *dev_addr = rx->sdata->vif.addr;
480 464
481 if (ieee80211_is_data(hdr->frame_control)) { 465 if (ieee80211_is_data(hdr->frame_control)) {
482 if (is_multicast_ether_addr(hdr->addr1)) { 466 if (is_multicast_ether_addr(hdr->addr1)) {
@@ -505,7 +489,7 @@ ieee80211_rx_mesh_check(struct ieee80211_rx_data *rx)
505 489
506 if (ieee80211_is_action(hdr->frame_control)) { 490 if (ieee80211_is_action(hdr->frame_control)) {
507 mgmt = (struct ieee80211_mgmt *)hdr; 491 mgmt = (struct ieee80211_mgmt *)hdr;
508 if (mgmt->u.action.category != MESH_PLINK_CATEGORY) 492 if (mgmt->u.action.category != WLAN_CATEGORY_MESH_PLINK)
509 return RX_DROP_MONITOR; 493 return RX_DROP_MONITOR;
510 return RX_CONTINUE; 494 return RX_CONTINUE;
511 } 495 }
@@ -735,11 +719,10 @@ static void ieee80211_rx_reorder_ampdu(struct ieee80211_rx_data *rx,
735 719
736 tid = *ieee80211_get_qos_ctl(hdr) & IEEE80211_QOS_CTL_TID_MASK; 720 tid = *ieee80211_get_qos_ctl(hdr) & IEEE80211_QOS_CTL_TID_MASK;
737 721
738 if (sta->ampdu_mlme.tid_state_rx[tid] != HT_AGG_STATE_OPERATIONAL) 722 tid_agg_rx = rcu_dereference(sta->ampdu_mlme.tid_rx[tid]);
723 if (!tid_agg_rx)
739 goto dont_reorder; 724 goto dont_reorder;
740 725
741 tid_agg_rx = sta->ampdu_mlme.tid_rx[tid];
742
743 /* qos null data frames are excluded */ 726 /* qos null data frames are excluded */
744 if (unlikely(hdr->frame_control & cpu_to_le16(IEEE80211_STYPE_NULLFUNC))) 727 if (unlikely(hdr->frame_control & cpu_to_le16(IEEE80211_STYPE_NULLFUNC)))
745 goto dont_reorder; 728 goto dont_reorder;
@@ -754,12 +737,19 @@ static void ieee80211_rx_reorder_ampdu(struct ieee80211_rx_data *rx,
754 /* if this mpdu is fragmented - terminate rx aggregation session */ 737 /* if this mpdu is fragmented - terminate rx aggregation session */
755 sc = le16_to_cpu(hdr->seq_ctrl); 738 sc = le16_to_cpu(hdr->seq_ctrl);
756 if (sc & IEEE80211_SCTL_FRAG) { 739 if (sc & IEEE80211_SCTL_FRAG) {
757 ieee80211_sta_stop_rx_ba_session(sta->sdata, sta->sta.addr, 740 skb->pkt_type = IEEE80211_SDATA_QUEUE_TYPE_FRAME;
758 tid, 0, WLAN_REASON_QSTA_REQUIRE_SETUP); 741 skb_queue_tail(&rx->sdata->skb_queue, skb);
759 dev_kfree_skb(skb); 742 ieee80211_queue_work(&local->hw, &rx->sdata->work);
760 return; 743 return;
761 } 744 }
762 745
746 /*
747 * No locking needed -- we will only ever process one
748 * RX packet at a time, and thus own tid_agg_rx. All
749 * other code manipulating it needs to (and does) make
750 * sure that we cannot get to it any more before doing
751 * anything with it.
752 */
763 if (ieee80211_sta_manage_reorder_buf(hw, tid_agg_rx, skb, frames)) 753 if (ieee80211_sta_manage_reorder_buf(hw, tid_agg_rx, skb, frames))
764 return; 754 return;
765 755
@@ -834,6 +824,7 @@ ieee80211_rx_h_decrypt(struct ieee80211_rx_data *rx)
834 ieee80211_rx_result result = RX_DROP_UNUSABLE; 824 ieee80211_rx_result result = RX_DROP_UNUSABLE;
835 struct ieee80211_key *stakey = NULL; 825 struct ieee80211_key *stakey = NULL;
836 int mmie_keyidx = -1; 826 int mmie_keyidx = -1;
827 __le16 fc;
837 828
838 /* 829 /*
839 * Key selection 101 830 * Key selection 101
@@ -875,13 +866,15 @@ ieee80211_rx_h_decrypt(struct ieee80211_rx_data *rx)
875 if (rx->sta) 866 if (rx->sta)
876 stakey = rcu_dereference(rx->sta->key); 867 stakey = rcu_dereference(rx->sta->key);
877 868
878 if (!ieee80211_has_protected(hdr->frame_control)) 869 fc = hdr->frame_control;
870
871 if (!ieee80211_has_protected(fc))
879 mmie_keyidx = ieee80211_get_mmie_keyidx(rx->skb); 872 mmie_keyidx = ieee80211_get_mmie_keyidx(rx->skb);
880 873
881 if (!is_multicast_ether_addr(hdr->addr1) && stakey) { 874 if (!is_multicast_ether_addr(hdr->addr1) && stakey) {
882 rx->key = stakey; 875 rx->key = stakey;
883 /* Skip decryption if the frame is not protected. */ 876 /* Skip decryption if the frame is not protected. */
884 if (!ieee80211_has_protected(hdr->frame_control)) 877 if (!ieee80211_has_protected(fc))
885 return RX_CONTINUE; 878 return RX_CONTINUE;
886 } else if (mmie_keyidx >= 0) { 879 } else if (mmie_keyidx >= 0) {
887 /* Broadcast/multicast robust management frame / BIP */ 880 /* Broadcast/multicast robust management frame / BIP */
@@ -893,7 +886,7 @@ ieee80211_rx_h_decrypt(struct ieee80211_rx_data *rx)
893 mmie_keyidx >= NUM_DEFAULT_KEYS + NUM_DEFAULT_MGMT_KEYS) 886 mmie_keyidx >= NUM_DEFAULT_KEYS + NUM_DEFAULT_MGMT_KEYS)
894 return RX_DROP_MONITOR; /* unexpected BIP keyidx */ 887 return RX_DROP_MONITOR; /* unexpected BIP keyidx */
895 rx->key = rcu_dereference(rx->sdata->keys[mmie_keyidx]); 888 rx->key = rcu_dereference(rx->sdata->keys[mmie_keyidx]);
896 } else if (!ieee80211_has_protected(hdr->frame_control)) { 889 } else if (!ieee80211_has_protected(fc)) {
897 /* 890 /*
898 * The frame was not protected, so skip decryption. However, we 891 * The frame was not protected, so skip decryption. However, we
899 * need to set rx->key if there is a key that could have been 892 * need to set rx->key if there is a key that could have been
@@ -901,7 +894,7 @@ ieee80211_rx_h_decrypt(struct ieee80211_rx_data *rx)
901 * have been expected. 894 * have been expected.
902 */ 895 */
903 struct ieee80211_key *key = NULL; 896 struct ieee80211_key *key = NULL;
904 if (ieee80211_is_mgmt(hdr->frame_control) && 897 if (ieee80211_is_mgmt(fc) &&
905 is_multicast_ether_addr(hdr->addr1) && 898 is_multicast_ether_addr(hdr->addr1) &&
906 (key = rcu_dereference(rx->sdata->default_mgmt_key))) 899 (key = rcu_dereference(rx->sdata->default_mgmt_key)))
907 rx->key = key; 900 rx->key = key;
@@ -909,6 +902,7 @@ ieee80211_rx_h_decrypt(struct ieee80211_rx_data *rx)
909 rx->key = key; 902 rx->key = key;
910 return RX_CONTINUE; 903 return RX_CONTINUE;
911 } else { 904 } else {
905 u8 keyid;
912 /* 906 /*
913 * The device doesn't give us the IV so we won't be 907 * The device doesn't give us the IV so we won't be
914 * able to look up the key. That's ok though, we 908 * able to look up the key. That's ok though, we
@@ -922,7 +916,7 @@ ieee80211_rx_h_decrypt(struct ieee80211_rx_data *rx)
922 (status->flag & RX_FLAG_IV_STRIPPED)) 916 (status->flag & RX_FLAG_IV_STRIPPED))
923 return RX_CONTINUE; 917 return RX_CONTINUE;
924 918
925 hdrlen = ieee80211_hdrlen(hdr->frame_control); 919 hdrlen = ieee80211_hdrlen(fc);
926 920
927 if (rx->skb->len < 8 + hdrlen) 921 if (rx->skb->len < 8 + hdrlen)
928 return RX_DROP_UNUSABLE; /* TODO: count this? */ 922 return RX_DROP_UNUSABLE; /* TODO: count this? */
@@ -931,7 +925,8 @@ ieee80211_rx_h_decrypt(struct ieee80211_rx_data *rx)
931 * no need to call ieee80211_wep_get_keyidx, 925 * no need to call ieee80211_wep_get_keyidx,
932 * it verifies a bunch of things we've done already 926 * it verifies a bunch of things we've done already
933 */ 927 */
934 keyidx = rx->skb->data[hdrlen + 3] >> 6; 928 skb_copy_bits(rx->skb, hdrlen + 3, &keyid, 1);
929 keyidx = keyid >> 6;
935 930
936 rx->key = rcu_dereference(rx->sdata->keys[keyidx]); 931 rx->key = rcu_dereference(rx->sdata->keys[keyidx]);
937 932
@@ -952,16 +947,19 @@ ieee80211_rx_h_decrypt(struct ieee80211_rx_data *rx)
952 return RX_DROP_MONITOR; 947 return RX_DROP_MONITOR;
953 } 948 }
954 949
955 /* Check for weak IVs if possible */ 950 if (skb_linearize(rx->skb))
956 if (rx->sta && rx->key->conf.alg == ALG_WEP && 951 return RX_DROP_UNUSABLE;
957 ieee80211_is_data(hdr->frame_control) && 952 /* the hdr variable is invalid now! */
958 (!(status->flag & RX_FLAG_IV_STRIPPED) ||
959 !(status->flag & RX_FLAG_DECRYPTED)) &&
960 ieee80211_wep_is_weak_iv(rx->skb, rx->key))
961 rx->sta->wep_weak_iv_count++;
962 953
963 switch (rx->key->conf.alg) { 954 switch (rx->key->conf.alg) {
964 case ALG_WEP: 955 case ALG_WEP:
956 /* Check for weak IVs if possible */
957 if (rx->sta && ieee80211_is_data(fc) &&
958 (!(status->flag & RX_FLAG_IV_STRIPPED) ||
959 !(status->flag & RX_FLAG_DECRYPTED)) &&
960 ieee80211_wep_is_weak_iv(rx->skb, rx->key))
961 rx->sta->wep_weak_iv_count++;
962
965 result = ieee80211_crypto_wep_decrypt(rx); 963 result = ieee80211_crypto_wep_decrypt(rx);
966 break; 964 break;
967 case ALG_TKIP: 965 case ALG_TKIP:
@@ -1021,10 +1019,10 @@ static void ap_sta_ps_start(struct sta_info *sta)
1021 1019
1022 atomic_inc(&sdata->bss->num_sta_ps); 1020 atomic_inc(&sdata->bss->num_sta_ps);
1023 set_sta_flags(sta, WLAN_STA_PS_STA); 1021 set_sta_flags(sta, WLAN_STA_PS_STA);
1024 drv_sta_notify(local, &sdata->vif, STA_NOTIFY_SLEEP, &sta->sta); 1022 drv_sta_notify(local, sdata, STA_NOTIFY_SLEEP, &sta->sta);
1025#ifdef CONFIG_MAC80211_VERBOSE_PS_DEBUG 1023#ifdef CONFIG_MAC80211_VERBOSE_PS_DEBUG
1026 printk(KERN_DEBUG "%s: STA %pM aid %d enters power save mode\n", 1024 printk(KERN_DEBUG "%s: STA %pM aid %d enters power save mode\n",
1027 sdata->dev->name, sta->sta.addr, sta->sta.aid); 1025 sdata->name, sta->sta.addr, sta->sta.aid);
1028#endif /* CONFIG_MAC80211_VERBOSE_PS_DEBUG */ 1026#endif /* CONFIG_MAC80211_VERBOSE_PS_DEBUG */
1029} 1027}
1030 1028
@@ -1038,13 +1036,13 @@ static void ap_sta_ps_end(struct sta_info *sta)
1038 1036
1039#ifdef CONFIG_MAC80211_VERBOSE_PS_DEBUG 1037#ifdef CONFIG_MAC80211_VERBOSE_PS_DEBUG
1040 printk(KERN_DEBUG "%s: STA %pM aid %d exits power save mode\n", 1038 printk(KERN_DEBUG "%s: STA %pM aid %d exits power save mode\n",
1041 sdata->dev->name, sta->sta.addr, sta->sta.aid); 1039 sdata->name, sta->sta.addr, sta->sta.aid);
1042#endif /* CONFIG_MAC80211_VERBOSE_PS_DEBUG */ 1040#endif /* CONFIG_MAC80211_VERBOSE_PS_DEBUG */
1043 1041
1044 if (test_sta_flags(sta, WLAN_STA_PS_DRIVER)) { 1042 if (test_sta_flags(sta, WLAN_STA_PS_DRIVER)) {
1045#ifdef CONFIG_MAC80211_VERBOSE_PS_DEBUG 1043#ifdef CONFIG_MAC80211_VERBOSE_PS_DEBUG
1046 printk(KERN_DEBUG "%s: STA %pM aid %d driver-ps-blocked\n", 1044 printk(KERN_DEBUG "%s: STA %pM aid %d driver-ps-blocked\n",
1047 sdata->dev->name, sta->sta.addr, sta->sta.aid); 1045 sdata->name, sta->sta.addr, sta->sta.aid);
1048#endif /* CONFIG_MAC80211_VERBOSE_PS_DEBUG */ 1046#endif /* CONFIG_MAC80211_VERBOSE_PS_DEBUG */
1049 return; 1047 return;
1050 } 1048 }
@@ -1090,7 +1088,6 @@ ieee80211_rx_h_sta_process(struct ieee80211_rx_data *rx)
1090 sta->rx_fragments++; 1088 sta->rx_fragments++;
1091 sta->rx_bytes += rx->skb->len; 1089 sta->rx_bytes += rx->skb->len;
1092 sta->last_signal = status->signal; 1090 sta->last_signal = status->signal;
1093 sta->last_noise = status->noise;
1094 1091
1095 /* 1092 /*
1096 * Change STA power saving mode only at the end of a frame 1093 * Change STA power saving mode only at the end of a frame
@@ -1124,6 +1121,18 @@ ieee80211_rx_h_sta_process(struct ieee80211_rx_data *rx)
1124 if (ieee80211_is_nullfunc(hdr->frame_control) || 1121 if (ieee80211_is_nullfunc(hdr->frame_control) ||
1125 ieee80211_is_qos_nullfunc(hdr->frame_control)) { 1122 ieee80211_is_qos_nullfunc(hdr->frame_control)) {
1126 I802_DEBUG_INC(rx->local->rx_handlers_drop_nullfunc); 1123 I802_DEBUG_INC(rx->local->rx_handlers_drop_nullfunc);
1124
1125 /*
1126 * If we receive a 4-addr nullfunc frame from a STA
1127 * that was not moved to a 4-addr STA vlan yet, drop
1128 * the frame to the monitor interface, to make sure
1129 * that hostapd sees it
1130 */
1131 if (ieee80211_has_a4(hdr->frame_control) &&
1132 (rx->sdata->vif.type == NL80211_IFTYPE_AP ||
1133 (rx->sdata->vif.type == NL80211_IFTYPE_AP_VLAN &&
1134 !rx->sdata->u.vlan.sta)))
1135 return RX_DROP_MONITOR;
1127 /* 1136 /*
1128 * Update counter and free packet here to avoid 1137 * Update counter and free packet here to avoid
1129 * counting this as a dropped packed. 1138 * counting this as a dropped packed.
@@ -1156,7 +1165,7 @@ ieee80211_reassemble_add(struct ieee80211_sub_if_data *sdata,
1156 printk(KERN_DEBUG "%s: RX reassembly removed oldest " 1165 printk(KERN_DEBUG "%s: RX reassembly removed oldest "
1157 "fragment entry (idx=%d age=%lu seq=%d last_frag=%d " 1166 "fragment entry (idx=%d age=%lu seq=%d last_frag=%d "
1158 "addr1=%pM addr2=%pM\n", 1167 "addr1=%pM addr2=%pM\n",
1159 sdata->dev->name, idx, 1168 sdata->name, idx,
1160 jiffies - entry->first_frag_time, entry->seq, 1169 jiffies - entry->first_frag_time, entry->seq,
1161 entry->last_frag, hdr->addr1, hdr->addr2); 1170 entry->last_frag, hdr->addr1, hdr->addr2);
1162#endif 1171#endif
@@ -1241,6 +1250,15 @@ ieee80211_rx_h_defragment(struct ieee80211_rx_data *rx)
1241 } 1250 }
1242 I802_DEBUG_INC(rx->local->rx_handlers_fragments); 1251 I802_DEBUG_INC(rx->local->rx_handlers_fragments);
1243 1252
1253 if (skb_linearize(rx->skb))
1254 return RX_DROP_UNUSABLE;
1255
1256 /*
1257 * skb_linearize() might change the skb->data and
1258 * previously cached variables (in this case, hdr) need to
1259 * be refreshed with the new data.
1260 */
1261 hdr = (struct ieee80211_hdr *)rx->skb->data;
1244 seq = (sc & IEEE80211_SCTL_SEQ) >> 4; 1262 seq = (sc & IEEE80211_SCTL_SEQ) >> 4;
1245 1263
1246 if (frag == 0) { 1264 if (frag == 0) {
@@ -1249,11 +1267,13 @@ ieee80211_rx_h_defragment(struct ieee80211_rx_data *rx)
1249 rx->queue, &(rx->skb)); 1267 rx->queue, &(rx->skb));
1250 if (rx->key && rx->key->conf.alg == ALG_CCMP && 1268 if (rx->key && rx->key->conf.alg == ALG_CCMP &&
1251 ieee80211_has_protected(fc)) { 1269 ieee80211_has_protected(fc)) {
1270 int queue = ieee80211_is_mgmt(fc) ?
1271 NUM_RX_DATA_QUEUES : rx->queue;
1252 /* Store CCMP PN so that we can verify that the next 1272 /* Store CCMP PN so that we can verify that the next
1253 * fragment has a sequential PN value. */ 1273 * fragment has a sequential PN value. */
1254 entry->ccmp = 1; 1274 entry->ccmp = 1;
1255 memcpy(entry->last_pn, 1275 memcpy(entry->last_pn,
1256 rx->key->u.ccmp.rx_pn[rx->queue], 1276 rx->key->u.ccmp.rx_pn[queue],
1257 CCMP_PN_LEN); 1277 CCMP_PN_LEN);
1258 } 1278 }
1259 return RX_QUEUED; 1279 return RX_QUEUED;
@@ -1273,6 +1293,7 @@ ieee80211_rx_h_defragment(struct ieee80211_rx_data *rx)
1273 if (entry->ccmp) { 1293 if (entry->ccmp) {
1274 int i; 1294 int i;
1275 u8 pn[CCMP_PN_LEN], *rpn; 1295 u8 pn[CCMP_PN_LEN], *rpn;
1296 int queue;
1276 if (!rx->key || rx->key->conf.alg != ALG_CCMP) 1297 if (!rx->key || rx->key->conf.alg != ALG_CCMP)
1277 return RX_DROP_UNUSABLE; 1298 return RX_DROP_UNUSABLE;
1278 memcpy(pn, entry->last_pn, CCMP_PN_LEN); 1299 memcpy(pn, entry->last_pn, CCMP_PN_LEN);
@@ -1281,7 +1302,9 @@ ieee80211_rx_h_defragment(struct ieee80211_rx_data *rx)
1281 if (pn[i]) 1302 if (pn[i])
1282 break; 1303 break;
1283 } 1304 }
1284 rpn = rx->key->u.ccmp.rx_pn[rx->queue]; 1305 queue = ieee80211_is_mgmt(fc) ?
1306 NUM_RX_DATA_QUEUES : rx->queue;
1307 rpn = rx->key->u.ccmp.rx_pn[queue];
1285 if (memcmp(pn, rpn, CCMP_PN_LEN)) 1308 if (memcmp(pn, rpn, CCMP_PN_LEN))
1286 return RX_DROP_UNUSABLE; 1309 return RX_DROP_UNUSABLE;
1287 memcpy(entry->last_pn, pn, CCMP_PN_LEN); 1310 memcpy(entry->last_pn, pn, CCMP_PN_LEN);
@@ -1398,14 +1421,32 @@ ieee80211_drop_unencrypted(struct ieee80211_rx_data *rx, __le16 fc)
1398 ieee80211_is_data(fc) && 1421 ieee80211_is_data(fc) &&
1399 (rx->key || rx->sdata->drop_unencrypted))) 1422 (rx->key || rx->sdata->drop_unencrypted)))
1400 return -EACCES; 1423 return -EACCES;
1424
1425 return 0;
1426}
1427
1428static int
1429ieee80211_drop_unencrypted_mgmt(struct ieee80211_rx_data *rx)
1430{
1431 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)rx->skb->data;
1432 struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(rx->skb);
1433 __le16 fc = hdr->frame_control;
1434
1435 /*
1436 * Pass through unencrypted frames if the hardware has
1437 * decrypted them already.
1438 */
1439 if (status->flag & RX_FLAG_DECRYPTED)
1440 return 0;
1441
1401 if (rx->sta && test_sta_flags(rx->sta, WLAN_STA_MFP)) { 1442 if (rx->sta && test_sta_flags(rx->sta, WLAN_STA_MFP)) {
1402 if (unlikely(ieee80211_is_unicast_robust_mgmt_frame(rx->skb) && 1443 if (unlikely(!ieee80211_has_protected(fc) &&
1444 ieee80211_is_unicast_robust_mgmt_frame(rx->skb) &&
1403 rx->key)) 1445 rx->key))
1404 return -EACCES; 1446 return -EACCES;
1405 /* BIP does not use Protected field, so need to check MMIE */ 1447 /* BIP does not use Protected field, so need to check MMIE */
1406 if (unlikely(ieee80211_is_multicast_robust_mgmt_frame(rx->skb) && 1448 if (unlikely(ieee80211_is_multicast_robust_mgmt_frame(rx->skb) &&
1407 ieee80211_get_mmie_keyidx(rx->skb) < 0 && 1449 ieee80211_get_mmie_keyidx(rx->skb) < 0))
1408 rx->key))
1409 return -EACCES; 1450 return -EACCES;
1410 /* 1451 /*
1411 * When using MFP, Action frames are not allowed prior to 1452 * When using MFP, Action frames are not allowed prior to
@@ -1424,7 +1465,6 @@ static int
1424__ieee80211_data_to_8023(struct ieee80211_rx_data *rx) 1465__ieee80211_data_to_8023(struct ieee80211_rx_data *rx)
1425{ 1466{
1426 struct ieee80211_sub_if_data *sdata = rx->sdata; 1467 struct ieee80211_sub_if_data *sdata = rx->sdata;
1427 struct net_device *dev = sdata->dev;
1428 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)rx->skb->data; 1468 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)rx->skb->data;
1429 1469
1430 if (ieee80211_has_a4(hdr->frame_control) && 1470 if (ieee80211_has_a4(hdr->frame_control) &&
@@ -1436,7 +1476,7 @@ __ieee80211_data_to_8023(struct ieee80211_rx_data *rx)
1436 (sdata->vif.type == NL80211_IFTYPE_STATION && sdata->u.mgd.use_4addr))) 1476 (sdata->vif.type == NL80211_IFTYPE_STATION && sdata->u.mgd.use_4addr)))
1437 return -1; 1477 return -1;
1438 1478
1439 return ieee80211_data_to_8023(rx->skb, dev->dev_addr, sdata->vif.type); 1479 return ieee80211_data_to_8023(rx->skb, sdata->vif.addr, sdata->vif.type);
1440} 1480}
1441 1481
1442/* 1482/*
@@ -1453,7 +1493,7 @@ static bool ieee80211_frame_allowed(struct ieee80211_rx_data *rx, __le16 fc)
1453 * of whether the frame was encrypted or not. 1493 * of whether the frame was encrypted or not.
1454 */ 1494 */
1455 if (ehdr->h_proto == htons(ETH_P_PAE) && 1495 if (ehdr->h_proto == htons(ETH_P_PAE) &&
1456 (compare_ether_addr(ehdr->h_dest, rx->sdata->dev->dev_addr) == 0 || 1496 (compare_ether_addr(ehdr->h_dest, rx->sdata->vif.addr) == 0 ||
1457 compare_ether_addr(ehdr->h_dest, pae_group_addr) == 0)) 1497 compare_ether_addr(ehdr->h_dest, pae_group_addr) == 0))
1458 return true; 1498 return true;
1459 1499
@@ -1472,7 +1512,6 @@ ieee80211_deliver_skb(struct ieee80211_rx_data *rx)
1472{ 1512{
1473 struct ieee80211_sub_if_data *sdata = rx->sdata; 1513 struct ieee80211_sub_if_data *sdata = rx->sdata;
1474 struct net_device *dev = sdata->dev; 1514 struct net_device *dev = sdata->dev;
1475 struct ieee80211_local *local = rx->local;
1476 struct sk_buff *skb, *xmit_skb; 1515 struct sk_buff *skb, *xmit_skb;
1477 struct ethhdr *ehdr = (struct ethhdr *) rx->skb->data; 1516 struct ethhdr *ehdr = (struct ethhdr *) rx->skb->data;
1478 struct sta_info *dsta; 1517 struct sta_info *dsta;
@@ -1495,8 +1534,8 @@ ieee80211_deliver_skb(struct ieee80211_rx_data *rx)
1495 printk(KERN_DEBUG "%s: failed to clone " 1534 printk(KERN_DEBUG "%s: failed to clone "
1496 "multicast frame\n", dev->name); 1535 "multicast frame\n", dev->name);
1497 } else { 1536 } else {
1498 dsta = sta_info_get(local, skb->data); 1537 dsta = sta_info_get(sdata, skb->data);
1499 if (dsta && dsta->sdata->dev == dev) { 1538 if (dsta) {
1500 /* 1539 /*
1501 * The destination station is associated to 1540 * The destination station is associated to
1502 * this AP (in this VLAN), so send the frame 1541 * this AP (in this VLAN), so send the frame
@@ -1512,7 +1551,7 @@ ieee80211_deliver_skb(struct ieee80211_rx_data *rx)
1512 if (skb) { 1551 if (skb) {
1513 int align __maybe_unused; 1552 int align __maybe_unused;
1514 1553
1515#if defined(CONFIG_MAC80211_DEBUG_PACKET_ALIGNMENT) || !defined(CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS) 1554#ifndef CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS
1516 /* 1555 /*
1517 * 'align' will only take the values 0 or 2 here 1556 * 'align' will only take the values 0 or 2 here
1518 * since all frames are required to be aligned 1557 * since all frames are required to be aligned
@@ -1539,7 +1578,7 @@ ieee80211_deliver_skb(struct ieee80211_rx_data *rx)
1539 /* deliver to local stack */ 1578 /* deliver to local stack */
1540 skb->protocol = eth_type_trans(skb, dev); 1579 skb->protocol = eth_type_trans(skb, dev);
1541 memset(skb->cb, 0, sizeof(skb->cb)); 1580 memset(skb->cb, 0, sizeof(skb->cb));
1542 netif_rx(skb); 1581 netif_receive_skb(skb);
1543 } 1582 }
1544 } 1583 }
1545 1584
@@ -1556,16 +1595,10 @@ static ieee80211_rx_result debug_noinline
1556ieee80211_rx_h_amsdu(struct ieee80211_rx_data *rx) 1595ieee80211_rx_h_amsdu(struct ieee80211_rx_data *rx)
1557{ 1596{
1558 struct net_device *dev = rx->sdata->dev; 1597 struct net_device *dev = rx->sdata->dev;
1559 struct ieee80211_local *local = rx->local; 1598 struct sk_buff *skb = rx->skb;
1560 u16 ethertype;
1561 u8 *payload;
1562 struct sk_buff *skb = rx->skb, *frame = NULL;
1563 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)skb->data; 1599 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)skb->data;
1564 __le16 fc = hdr->frame_control; 1600 __le16 fc = hdr->frame_control;
1565 const struct ethhdr *eth; 1601 struct sk_buff_head frame_list;
1566 int remaining, err;
1567 u8 dst[ETH_ALEN];
1568 u8 src[ETH_ALEN];
1569 1602
1570 if (unlikely(!ieee80211_is_data(fc))) 1603 if (unlikely(!ieee80211_is_data(fc)))
1571 return RX_CONTINUE; 1604 return RX_CONTINUE;
@@ -1576,94 +1609,37 @@ ieee80211_rx_h_amsdu(struct ieee80211_rx_data *rx)
1576 if (!(rx->flags & IEEE80211_RX_AMSDU)) 1609 if (!(rx->flags & IEEE80211_RX_AMSDU))
1577 return RX_CONTINUE; 1610 return RX_CONTINUE;
1578 1611
1579 err = __ieee80211_data_to_8023(rx); 1612 if (ieee80211_has_a4(hdr->frame_control) &&
1580 if (unlikely(err)) 1613 rx->sdata->vif.type == NL80211_IFTYPE_AP_VLAN &&
1614 !rx->sdata->u.vlan.sta)
1581 return RX_DROP_UNUSABLE; 1615 return RX_DROP_UNUSABLE;
1582 1616
1583 skb->dev = dev; 1617 if (is_multicast_ether_addr(hdr->addr1) &&
1584 1618 ((rx->sdata->vif.type == NL80211_IFTYPE_AP_VLAN &&
1585 dev->stats.rx_packets++; 1619 rx->sdata->u.vlan.sta) ||
1586 dev->stats.rx_bytes += skb->len; 1620 (rx->sdata->vif.type == NL80211_IFTYPE_STATION &&
1587 1621 rx->sdata->u.mgd.use_4addr)))
1588 /* skip the wrapping header */
1589 eth = (struct ethhdr *) skb_pull(skb, sizeof(struct ethhdr));
1590 if (!eth)
1591 return RX_DROP_UNUSABLE; 1622 return RX_DROP_UNUSABLE;
1592 1623
1593 while (skb != frame) { 1624 skb->dev = dev;
1594 u8 padding; 1625 __skb_queue_head_init(&frame_list);
1595 __be16 len = eth->h_proto;
1596 unsigned int subframe_len = sizeof(struct ethhdr) + ntohs(len);
1597
1598 remaining = skb->len;
1599 memcpy(dst, eth->h_dest, ETH_ALEN);
1600 memcpy(src, eth->h_source, ETH_ALEN);
1601 1626
1602 padding = ((4 - subframe_len) & 0x3); 1627 if (skb_linearize(skb))
1603 /* the last MSDU has no padding */ 1628 return RX_DROP_UNUSABLE;
1604 if (subframe_len > remaining)
1605 return RX_DROP_UNUSABLE;
1606 1629
1607 skb_pull(skb, sizeof(struct ethhdr)); 1630 ieee80211_amsdu_to_8023s(skb, &frame_list, dev->dev_addr,
1608 /* if last subframe reuse skb */ 1631 rx->sdata->vif.type,
1609 if (remaining <= subframe_len + padding) 1632 rx->local->hw.extra_tx_headroom);
1610 frame = skb;
1611 else {
1612 /*
1613 * Allocate and reserve two bytes more for payload
1614 * alignment since sizeof(struct ethhdr) is 14.
1615 */
1616 frame = dev_alloc_skb(
1617 ALIGN(local->hw.extra_tx_headroom, 4) +
1618 subframe_len + 2);
1619
1620 if (frame == NULL)
1621 return RX_DROP_UNUSABLE;
1622
1623 skb_reserve(frame,
1624 ALIGN(local->hw.extra_tx_headroom, 4) +
1625 sizeof(struct ethhdr) + 2);
1626 memcpy(skb_put(frame, ntohs(len)), skb->data,
1627 ntohs(len));
1628
1629 eth = (struct ethhdr *) skb_pull(skb, ntohs(len) +
1630 padding);
1631 if (!eth) {
1632 dev_kfree_skb(frame);
1633 return RX_DROP_UNUSABLE;
1634 }
1635 }
1636 1633
1637 skb_reset_network_header(frame); 1634 while (!skb_queue_empty(&frame_list)) {
1638 frame->dev = dev; 1635 rx->skb = __skb_dequeue(&frame_list);
1639 frame->priority = skb->priority;
1640 rx->skb = frame;
1641
1642 payload = frame->data;
1643 ethertype = (payload[6] << 8) | payload[7];
1644
1645 if (likely((compare_ether_addr(payload, rfc1042_header) == 0 &&
1646 ethertype != ETH_P_AARP && ethertype != ETH_P_IPX) ||
1647 compare_ether_addr(payload,
1648 bridge_tunnel_header) == 0)) {
1649 /* remove RFC1042 or Bridge-Tunnel
1650 * encapsulation and replace EtherType */
1651 skb_pull(frame, 6);
1652 memcpy(skb_push(frame, ETH_ALEN), src, ETH_ALEN);
1653 memcpy(skb_push(frame, ETH_ALEN), dst, ETH_ALEN);
1654 } else {
1655 memcpy(skb_push(frame, sizeof(__be16)),
1656 &len, sizeof(__be16));
1657 memcpy(skb_push(frame, ETH_ALEN), src, ETH_ALEN);
1658 memcpy(skb_push(frame, ETH_ALEN), dst, ETH_ALEN);
1659 }
1660 1636
1661 if (!ieee80211_frame_allowed(rx, fc)) { 1637 if (!ieee80211_frame_allowed(rx, fc)) {
1662 if (skb == frame) /* last frame */ 1638 dev_kfree_skb(rx->skb);
1663 return RX_DROP_UNUSABLE;
1664 dev_kfree_skb(frame);
1665 continue; 1639 continue;
1666 } 1640 }
1641 dev->stats.rx_packets++;
1642 dev->stats.rx_bytes += rx->skb->len;
1667 1643
1668 ieee80211_deliver_skb(rx); 1644 ieee80211_deliver_skb(rx);
1669 } 1645 }
@@ -1721,7 +1697,7 @@ ieee80211_rx_h_mesh_fwding(struct ieee80211_rx_data *rx)
1721 1697
1722 /* Frame has reached destination. Don't forward */ 1698 /* Frame has reached destination. Don't forward */
1723 if (!is_multicast_ether_addr(hdr->addr1) && 1699 if (!is_multicast_ether_addr(hdr->addr1) &&
1724 compare_ether_addr(sdata->dev->dev_addr, hdr->addr3) == 0) 1700 compare_ether_addr(sdata->vif.addr, hdr->addr3) == 0)
1725 return RX_CONTINUE; 1701 return RX_CONTINUE;
1726 1702
1727 mesh_hdr->ttl--; 1703 mesh_hdr->ttl--;
@@ -1738,10 +1714,10 @@ ieee80211_rx_h_mesh_fwding(struct ieee80211_rx_data *rx)
1738 1714
1739 if (!fwd_skb && net_ratelimit()) 1715 if (!fwd_skb && net_ratelimit())
1740 printk(KERN_DEBUG "%s: failed to clone mesh frame\n", 1716 printk(KERN_DEBUG "%s: failed to clone mesh frame\n",
1741 sdata->dev->name); 1717 sdata->name);
1742 1718
1743 fwd_hdr = (struct ieee80211_hdr *) fwd_skb->data; 1719 fwd_hdr = (struct ieee80211_hdr *) fwd_skb->data;
1744 memcpy(fwd_hdr->addr2, sdata->dev->dev_addr, ETH_ALEN); 1720 memcpy(fwd_hdr->addr2, sdata->vif.addr, ETH_ALEN);
1745 info = IEEE80211_SKB_CB(fwd_skb); 1721 info = IEEE80211_SKB_CB(fwd_skb);
1746 memset(info, 0, sizeof(*info)); 1722 memset(info, 0, sizeof(*info));
1747 info->flags |= IEEE80211_TX_INTFL_NEED_TXPROCESSING; 1723 info->flags |= IEEE80211_TX_INTFL_NEED_TXPROCESSING;
@@ -1788,6 +1764,7 @@ static ieee80211_rx_result debug_noinline
1788ieee80211_rx_h_data(struct ieee80211_rx_data *rx) 1764ieee80211_rx_h_data(struct ieee80211_rx_data *rx)
1789{ 1765{
1790 struct ieee80211_sub_if_data *sdata = rx->sdata; 1766 struct ieee80211_sub_if_data *sdata = rx->sdata;
1767 struct ieee80211_local *local = rx->local;
1791 struct net_device *dev = sdata->dev; 1768 struct net_device *dev = sdata->dev;
1792 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)rx->skb->data; 1769 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)rx->skb->data;
1793 __le16 fc = hdr->frame_control; 1770 __le16 fc = hdr->frame_control;
@@ -1819,6 +1796,13 @@ ieee80211_rx_h_data(struct ieee80211_rx_data *rx)
1819 dev->stats.rx_packets++; 1796 dev->stats.rx_packets++;
1820 dev->stats.rx_bytes += rx->skb->len; 1797 dev->stats.rx_bytes += rx->skb->len;
1821 1798
1799 if (ieee80211_is_data(hdr->frame_control) &&
1800 !is_multicast_ether_addr(hdr->addr1) &&
1801 local->hw.conf.dynamic_ps_timeout > 0 && local->ps_sdata) {
1802 mod_timer(&local->dynamic_ps_timer, jiffies +
1803 msecs_to_jiffies(local->hw.conf.dynamic_ps_timeout));
1804 }
1805
1822 ieee80211_deliver_skb(rx); 1806 ieee80211_deliver_skb(rx);
1823 1807
1824 return RX_QUEUED; 1808 return RX_QUEUED;
@@ -1839,15 +1823,24 @@ ieee80211_rx_h_ctrl(struct ieee80211_rx_data *rx, struct sk_buff_head *frames)
1839 return RX_CONTINUE; 1823 return RX_CONTINUE;
1840 1824
1841 if (ieee80211_is_back_req(bar->frame_control)) { 1825 if (ieee80211_is_back_req(bar->frame_control)) {
1826 struct {
1827 __le16 control, start_seq_num;
1828 } __packed bar_data;
1829
1842 if (!rx->sta) 1830 if (!rx->sta)
1843 return RX_DROP_MONITOR; 1831 return RX_DROP_MONITOR;
1844 tid = le16_to_cpu(bar->control) >> 12; 1832
1845 if (rx->sta->ampdu_mlme.tid_state_rx[tid] 1833 if (skb_copy_bits(skb, offsetof(struct ieee80211_bar, control),
1846 != HT_AGG_STATE_OPERATIONAL) 1834 &bar_data, sizeof(bar_data)))
1847 return RX_DROP_MONITOR; 1835 return RX_DROP_MONITOR;
1848 tid_agg_rx = rx->sta->ampdu_mlme.tid_rx[tid];
1849 1836
1850 start_seq_num = le16_to_cpu(bar->start_seq_num) >> 4; 1837 tid = le16_to_cpu(bar_data.control) >> 12;
1838
1839 tid_agg_rx = rcu_dereference(rx->sta->ampdu_mlme.tid_rx[tid]);
1840 if (!tid_agg_rx)
1841 return RX_DROP_MONITOR;
1842
1843 start_seq_num = le16_to_cpu(bar_data.start_seq_num) >> 4;
1851 1844
1852 /* reset session timer */ 1845 /* reset session timer */
1853 if (tid_agg_rx->timeout) 1846 if (tid_agg_rx->timeout)
@@ -1861,7 +1854,12 @@ ieee80211_rx_h_ctrl(struct ieee80211_rx_data *rx, struct sk_buff_head *frames)
1861 return RX_QUEUED; 1854 return RX_QUEUED;
1862 } 1855 }
1863 1856
1864 return RX_CONTINUE; 1857 /*
1858 * After this point, we only want management frames,
1859 * so we can drop all remaining control frames to
1860 * cooked monitor interfaces.
1861 */
1862 return RX_DROP_MONITOR;
1865} 1863}
1866 1864
1867static void ieee80211_process_sa_query_req(struct ieee80211_sub_if_data *sdata, 1865static void ieee80211_process_sa_query_req(struct ieee80211_sub_if_data *sdata,
@@ -1872,7 +1870,7 @@ static void ieee80211_process_sa_query_req(struct ieee80211_sub_if_data *sdata,
1872 struct sk_buff *skb; 1870 struct sk_buff *skb;
1873 struct ieee80211_mgmt *resp; 1871 struct ieee80211_mgmt *resp;
1874 1872
1875 if (compare_ether_addr(mgmt->da, sdata->dev->dev_addr) != 0) { 1873 if (compare_ether_addr(mgmt->da, sdata->vif.addr) != 0) {
1876 /* Not to own unicast address */ 1874 /* Not to own unicast address */
1877 return; 1875 return;
1878 } 1876 }
@@ -1896,7 +1894,7 @@ static void ieee80211_process_sa_query_req(struct ieee80211_sub_if_data *sdata,
1896 resp = (struct ieee80211_mgmt *) skb_put(skb, 24); 1894 resp = (struct ieee80211_mgmt *) skb_put(skb, 24);
1897 memset(resp, 0, 24); 1895 memset(resp, 0, 24);
1898 memcpy(resp->da, mgmt->sa, ETH_ALEN); 1896 memcpy(resp->da, mgmt->sa, ETH_ALEN);
1899 memcpy(resp->sa, sdata->dev->dev_addr, ETH_ALEN); 1897 memcpy(resp->sa, sdata->vif.addr, ETH_ALEN);
1900 memcpy(resp->bssid, sdata->u.mgd.bssid, ETH_ALEN); 1898 memcpy(resp->bssid, sdata->u.mgd.bssid, ETH_ALEN);
1901 resp->frame_control = cpu_to_le16(IEEE80211_FTYPE_MGMT | 1899 resp->frame_control = cpu_to_le16(IEEE80211_FTYPE_MGMT |
1902 IEEE80211_STYPE_ACTION); 1900 IEEE80211_STYPE_ACTION);
@@ -1916,23 +1914,25 @@ ieee80211_rx_h_action(struct ieee80211_rx_data *rx)
1916 struct ieee80211_local *local = rx->local; 1914 struct ieee80211_local *local = rx->local;
1917 struct ieee80211_sub_if_data *sdata = rx->sdata; 1915 struct ieee80211_sub_if_data *sdata = rx->sdata;
1918 struct ieee80211_mgmt *mgmt = (struct ieee80211_mgmt *) rx->skb->data; 1916 struct ieee80211_mgmt *mgmt = (struct ieee80211_mgmt *) rx->skb->data;
1917 struct sk_buff *nskb;
1918 struct ieee80211_rx_status *status;
1919 int len = rx->skb->len; 1919 int len = rx->skb->len;
1920 1920
1921 if (!ieee80211_is_action(mgmt->frame_control)) 1921 if (!ieee80211_is_action(mgmt->frame_control))
1922 return RX_CONTINUE; 1922 return RX_CONTINUE;
1923 1923
1924 if (!rx->sta) 1924 /* drop too small frames */
1925 return RX_DROP_MONITOR; 1925 if (len < IEEE80211_MIN_ACTION_SIZE)
1926 return RX_DROP_UNUSABLE;
1926 1927
1927 if (!(rx->flags & IEEE80211_RX_RA_MATCH)) 1928 if (!rx->sta && mgmt->u.action.category != WLAN_CATEGORY_PUBLIC)
1928 return RX_DROP_MONITOR; 1929 return RX_DROP_UNUSABLE;
1929 1930
1930 if (ieee80211_drop_unencrypted(rx, mgmt->frame_control)) 1931 if (!(rx->flags & IEEE80211_RX_RA_MATCH))
1931 return RX_DROP_MONITOR; 1932 return RX_DROP_UNUSABLE;
1932 1933
1933 /* all categories we currently handle have action_code */ 1934 if (ieee80211_drop_unencrypted_mgmt(rx))
1934 if (len < IEEE80211_MIN_ACTION_SIZE + 1) 1935 return RX_DROP_UNUSABLE;
1935 return RX_DROP_MONITOR;
1936 1936
1937 switch (mgmt->u.action.category) { 1937 switch (mgmt->u.action.category) {
1938 case WLAN_CATEGORY_BACK: 1938 case WLAN_CATEGORY_BACK:
@@ -1945,110 +1945,200 @@ ieee80211_rx_h_action(struct ieee80211_rx_data *rx)
1945 if (sdata->vif.type != NL80211_IFTYPE_STATION && 1945 if (sdata->vif.type != NL80211_IFTYPE_STATION &&
1946 sdata->vif.type != NL80211_IFTYPE_AP_VLAN && 1946 sdata->vif.type != NL80211_IFTYPE_AP_VLAN &&
1947 sdata->vif.type != NL80211_IFTYPE_AP) 1947 sdata->vif.type != NL80211_IFTYPE_AP)
1948 return RX_DROP_MONITOR; 1948 break;
1949
1950 /* verify action_code is present */
1951 if (len < IEEE80211_MIN_ACTION_SIZE + 1)
1952 break;
1949 1953
1950 switch (mgmt->u.action.u.addba_req.action_code) { 1954 switch (mgmt->u.action.u.addba_req.action_code) {
1951 case WLAN_ACTION_ADDBA_REQ: 1955 case WLAN_ACTION_ADDBA_REQ:
1952 if (len < (IEEE80211_MIN_ACTION_SIZE + 1956 if (len < (IEEE80211_MIN_ACTION_SIZE +
1953 sizeof(mgmt->u.action.u.addba_req))) 1957 sizeof(mgmt->u.action.u.addba_req)))
1954 return RX_DROP_MONITOR; 1958 goto invalid;
1955 ieee80211_process_addba_request(local, rx->sta, mgmt, len);
1956 break; 1959 break;
1957 case WLAN_ACTION_ADDBA_RESP: 1960 case WLAN_ACTION_ADDBA_RESP:
1958 if (len < (IEEE80211_MIN_ACTION_SIZE + 1961 if (len < (IEEE80211_MIN_ACTION_SIZE +
1959 sizeof(mgmt->u.action.u.addba_resp))) 1962 sizeof(mgmt->u.action.u.addba_resp)))
1960 return RX_DROP_MONITOR; 1963 goto invalid;
1961 ieee80211_process_addba_resp(local, rx->sta, mgmt, len);
1962 break; 1964 break;
1963 case WLAN_ACTION_DELBA: 1965 case WLAN_ACTION_DELBA:
1964 if (len < (IEEE80211_MIN_ACTION_SIZE + 1966 if (len < (IEEE80211_MIN_ACTION_SIZE +
1965 sizeof(mgmt->u.action.u.delba))) 1967 sizeof(mgmt->u.action.u.delba)))
1966 return RX_DROP_MONITOR; 1968 goto invalid;
1967 ieee80211_process_delba(sdata, rx->sta, mgmt, len);
1968 break; 1969 break;
1970 default:
1971 goto invalid;
1969 } 1972 }
1970 break; 1973
1974 goto queue;
1971 case WLAN_CATEGORY_SPECTRUM_MGMT: 1975 case WLAN_CATEGORY_SPECTRUM_MGMT:
1972 if (local->hw.conf.channel->band != IEEE80211_BAND_5GHZ) 1976 if (local->hw.conf.channel->band != IEEE80211_BAND_5GHZ)
1973 return RX_DROP_MONITOR; 1977 break;
1974 1978
1975 if (sdata->vif.type != NL80211_IFTYPE_STATION) 1979 if (sdata->vif.type != NL80211_IFTYPE_STATION)
1976 return RX_DROP_MONITOR; 1980 break;
1981
1982 /* verify action_code is present */
1983 if (len < IEEE80211_MIN_ACTION_SIZE + 1)
1984 break;
1977 1985
1978 switch (mgmt->u.action.u.measurement.action_code) { 1986 switch (mgmt->u.action.u.measurement.action_code) {
1979 case WLAN_ACTION_SPCT_MSR_REQ: 1987 case WLAN_ACTION_SPCT_MSR_REQ:
1980 if (len < (IEEE80211_MIN_ACTION_SIZE + 1988 if (len < (IEEE80211_MIN_ACTION_SIZE +
1981 sizeof(mgmt->u.action.u.measurement))) 1989 sizeof(mgmt->u.action.u.measurement)))
1982 return RX_DROP_MONITOR; 1990 break;
1983 ieee80211_process_measurement_req(sdata, mgmt, len); 1991 ieee80211_process_measurement_req(sdata, mgmt, len);
1984 break; 1992 goto handled;
1985 case WLAN_ACTION_SPCT_CHL_SWITCH: 1993 case WLAN_ACTION_SPCT_CHL_SWITCH:
1986 if (len < (IEEE80211_MIN_ACTION_SIZE + 1994 if (len < (IEEE80211_MIN_ACTION_SIZE +
1987 sizeof(mgmt->u.action.u.chan_switch))) 1995 sizeof(mgmt->u.action.u.chan_switch)))
1988 return RX_DROP_MONITOR; 1996 break;
1989 1997
1990 if (sdata->vif.type != NL80211_IFTYPE_STATION) 1998 if (sdata->vif.type != NL80211_IFTYPE_STATION)
1991 return RX_DROP_MONITOR; 1999 break;
1992 2000
1993 if (memcmp(mgmt->bssid, sdata->u.mgd.bssid, ETH_ALEN)) 2001 if (memcmp(mgmt->bssid, sdata->u.mgd.bssid, ETH_ALEN))
1994 return RX_DROP_MONITOR; 2002 break;
1995 2003
1996 return ieee80211_sta_rx_mgmt(sdata, rx->skb); 2004 goto queue;
1997 } 2005 }
1998 break; 2006 break;
1999 case WLAN_CATEGORY_SA_QUERY: 2007 case WLAN_CATEGORY_SA_QUERY:
2000 if (len < (IEEE80211_MIN_ACTION_SIZE + 2008 if (len < (IEEE80211_MIN_ACTION_SIZE +
2001 sizeof(mgmt->u.action.u.sa_query))) 2009 sizeof(mgmt->u.action.u.sa_query)))
2002 return RX_DROP_MONITOR; 2010 break;
2011
2003 switch (mgmt->u.action.u.sa_query.action) { 2012 switch (mgmt->u.action.u.sa_query.action) {
2004 case WLAN_ACTION_SA_QUERY_REQUEST: 2013 case WLAN_ACTION_SA_QUERY_REQUEST:
2005 if (sdata->vif.type != NL80211_IFTYPE_STATION) 2014 if (sdata->vif.type != NL80211_IFTYPE_STATION)
2006 return RX_DROP_MONITOR; 2015 break;
2007 ieee80211_process_sa_query_req(sdata, mgmt, len); 2016 ieee80211_process_sa_query_req(sdata, mgmt, len);
2008 break; 2017 goto handled;
2009 case WLAN_ACTION_SA_QUERY_RESPONSE:
2010 /*
2011 * SA Query response is currently only used in AP mode
2012 * and it is processed in user space.
2013 */
2014 return RX_CONTINUE;
2015 } 2018 }
2016 break; 2019 break;
2017 default: 2020 case WLAN_CATEGORY_MESH_PLINK:
2018 /* do not process rejected action frames */ 2021 case WLAN_CATEGORY_MESH_PATH_SEL:
2019 if (mgmt->u.action.category & 0x80) 2022 if (!ieee80211_vif_is_mesh(&sdata->vif))
2020 return RX_DROP_MONITOR; 2023 break;
2024 goto queue;
2025 }
2021 2026
2022 return RX_CONTINUE; 2027 invalid:
2028 /*
2029 * For AP mode, hostapd is responsible for handling any action
2030 * frames that we didn't handle, including returning unknown
2031 * ones. For all other modes we will return them to the sender,
2032 * setting the 0x80 bit in the action category, as required by
2033 * 802.11-2007 7.3.1.11.
2034 */
2035 if (sdata->vif.type == NL80211_IFTYPE_AP ||
2036 sdata->vif.type == NL80211_IFTYPE_AP_VLAN)
2037 return RX_DROP_MONITOR;
2038
2039 /*
2040 * Getting here means the kernel doesn't know how to handle
2041 * it, but maybe userspace does ... include returned frames
2042 * so userspace can register for those to know whether ones
2043 * it transmitted were processed or returned.
2044 */
2045 status = IEEE80211_SKB_RXCB(rx->skb);
2046
2047 if (cfg80211_rx_action(rx->sdata->dev, status->freq,
2048 rx->skb->data, rx->skb->len,
2049 GFP_ATOMIC))
2050 goto handled;
2051
2052 /* do not return rejected action frames */
2053 if (mgmt->u.action.category & 0x80)
2054 return RX_DROP_UNUSABLE;
2055
2056 nskb = skb_copy_expand(rx->skb, local->hw.extra_tx_headroom, 0,
2057 GFP_ATOMIC);
2058 if (nskb) {
2059 struct ieee80211_mgmt *nmgmt = (void *)nskb->data;
2060
2061 nmgmt->u.action.category |= 0x80;
2062 memcpy(nmgmt->da, nmgmt->sa, ETH_ALEN);
2063 memcpy(nmgmt->sa, rx->sdata->vif.addr, ETH_ALEN);
2064
2065 memset(nskb->cb, 0, sizeof(nskb->cb));
2066
2067 ieee80211_tx_skb(rx->sdata, nskb);
2023 } 2068 }
2024 2069
2025 rx->sta->rx_packets++; 2070 handled:
2071 if (rx->sta)
2072 rx->sta->rx_packets++;
2026 dev_kfree_skb(rx->skb); 2073 dev_kfree_skb(rx->skb);
2027 return RX_QUEUED; 2074 return RX_QUEUED;
2075
2076 queue:
2077 rx->skb->pkt_type = IEEE80211_SDATA_QUEUE_TYPE_FRAME;
2078 skb_queue_tail(&sdata->skb_queue, rx->skb);
2079 ieee80211_queue_work(&local->hw, &sdata->work);
2080 if (rx->sta)
2081 rx->sta->rx_packets++;
2082 return RX_QUEUED;
2028} 2083}
2029 2084
2030static ieee80211_rx_result debug_noinline 2085static ieee80211_rx_result debug_noinline
2031ieee80211_rx_h_mgmt(struct ieee80211_rx_data *rx) 2086ieee80211_rx_h_mgmt(struct ieee80211_rx_data *rx)
2032{ 2087{
2033 struct ieee80211_sub_if_data *sdata = rx->sdata; 2088 struct ieee80211_sub_if_data *sdata = rx->sdata;
2034 struct ieee80211_mgmt *mgmt = (struct ieee80211_mgmt *) rx->skb->data; 2089 ieee80211_rx_result rxs;
2090 struct ieee80211_mgmt *mgmt = (void *)rx->skb->data;
2091 __le16 stype;
2035 2092
2036 if (!(rx->flags & IEEE80211_RX_RA_MATCH)) 2093 if (!(rx->flags & IEEE80211_RX_RA_MATCH))
2037 return RX_DROP_MONITOR; 2094 return RX_DROP_MONITOR;
2038 2095
2039 if (ieee80211_drop_unencrypted(rx, mgmt->frame_control)) 2096 if (rx->skb->len < 24)
2040 return RX_DROP_MONITOR; 2097 return RX_DROP_MONITOR;
2041 2098
2042 if (ieee80211_vif_is_mesh(&sdata->vif)) 2099 if (ieee80211_drop_unencrypted_mgmt(rx))
2043 return ieee80211_mesh_rx_mgmt(sdata, rx->skb); 2100 return RX_DROP_UNUSABLE;
2044 2101
2045 if (sdata->vif.type == NL80211_IFTYPE_ADHOC) 2102 rxs = ieee80211_work_rx_mgmt(rx->sdata, rx->skb);
2046 return ieee80211_ibss_rx_mgmt(sdata, rx->skb); 2103 if (rxs != RX_CONTINUE)
2104 return rxs;
2047 2105
2048 if (sdata->vif.type == NL80211_IFTYPE_STATION) 2106 stype = mgmt->frame_control & cpu_to_le16(IEEE80211_FCTL_STYPE);
2049 return ieee80211_sta_rx_mgmt(sdata, rx->skb);
2050 2107
2051 return RX_DROP_MONITOR; 2108 if (!ieee80211_vif_is_mesh(&sdata->vif) &&
2109 sdata->vif.type != NL80211_IFTYPE_ADHOC &&
2110 sdata->vif.type != NL80211_IFTYPE_STATION)
2111 return RX_DROP_MONITOR;
2112
2113 switch (stype) {
2114 case cpu_to_le16(IEEE80211_STYPE_BEACON):
2115 case cpu_to_le16(IEEE80211_STYPE_PROBE_RESP):
2116 /* process for all: mesh, mlme, ibss */
2117 break;
2118 case cpu_to_le16(IEEE80211_STYPE_DEAUTH):
2119 case cpu_to_le16(IEEE80211_STYPE_DISASSOC):
2120 /* process only for station */
2121 if (sdata->vif.type != NL80211_IFTYPE_STATION)
2122 return RX_DROP_MONITOR;
2123 break;
2124 case cpu_to_le16(IEEE80211_STYPE_PROBE_REQ):
2125 case cpu_to_le16(IEEE80211_STYPE_AUTH):
2126 /* process only for ibss */
2127 if (sdata->vif.type != NL80211_IFTYPE_ADHOC)
2128 return RX_DROP_MONITOR;
2129 break;
2130 default:
2131 return RX_DROP_MONITOR;
2132 }
2133
2134 /* queue up frame and kick off work to process it */
2135 rx->skb->pkt_type = IEEE80211_SDATA_QUEUE_TYPE_FRAME;
2136 skb_queue_tail(&sdata->skb_queue, rx->skb);
2137 ieee80211_queue_work(&rx->local->hw, &sdata->work);
2138 if (rx->sta)
2139 rx->sta->rx_packets++;
2140
2141 return RX_QUEUED;
2052} 2142}
2053 2143
2054static void ieee80211_rx_michael_mic_report(struct ieee80211_hdr *hdr, 2144static void ieee80211_rx_michael_mic_report(struct ieee80211_hdr *hdr,
@@ -2104,14 +2194,11 @@ static void ieee80211_rx_cooked_monitor(struct ieee80211_rx_data *rx,
2104 u8 rate_or_pad; 2194 u8 rate_or_pad;
2105 __le16 chan_freq; 2195 __le16 chan_freq;
2106 __le16 chan_flags; 2196 __le16 chan_flags;
2107 } __attribute__ ((packed)) *rthdr; 2197 } __packed *rthdr;
2108 struct sk_buff *skb = rx->skb, *skb2; 2198 struct sk_buff *skb = rx->skb, *skb2;
2109 struct net_device *prev_dev = NULL; 2199 struct net_device *prev_dev = NULL;
2110 struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb); 2200 struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb);
2111 2201
2112 if (status->flag & RX_FLAG_INTERNAL_CMTR)
2113 goto out_free_skb;
2114
2115 if (skb_headroom(skb) < sizeof(*rthdr) && 2202 if (skb_headroom(skb) < sizeof(*rthdr) &&
2116 pskb_expand_head(skb, sizeof(*rthdr), 0, GFP_ATOMIC)) 2203 pskb_expand_head(skb, sizeof(*rthdr), 0, GFP_ATOMIC))
2117 goto out_free_skb; 2204 goto out_free_skb;
@@ -2143,7 +2230,7 @@ static void ieee80211_rx_cooked_monitor(struct ieee80211_rx_data *rx,
2143 skb->protocol = htons(ETH_P_802_2); 2230 skb->protocol = htons(ETH_P_802_2);
2144 2231
2145 list_for_each_entry_rcu(sdata, &local->interfaces, list) { 2232 list_for_each_entry_rcu(sdata, &local->interfaces, list) {
2146 if (!netif_running(sdata->dev)) 2233 if (!ieee80211_sdata_running(sdata))
2147 continue; 2234 continue;
2148 2235
2149 if (sdata->vif.type != NL80211_IFTYPE_MONITOR || 2236 if (sdata->vif.type != NL80211_IFTYPE_MONITOR ||
@@ -2154,7 +2241,7 @@ static void ieee80211_rx_cooked_monitor(struct ieee80211_rx_data *rx,
2154 skb2 = skb_clone(skb, GFP_ATOMIC); 2241 skb2 = skb_clone(skb, GFP_ATOMIC);
2155 if (skb2) { 2242 if (skb2) {
2156 skb2->dev = prev_dev; 2243 skb2->dev = prev_dev;
2157 netif_rx(skb2); 2244 netif_receive_skb(skb2);
2158 } 2245 }
2159 } 2246 }
2160 2247
@@ -2165,12 +2252,11 @@ static void ieee80211_rx_cooked_monitor(struct ieee80211_rx_data *rx,
2165 2252
2166 if (prev_dev) { 2253 if (prev_dev) {
2167 skb->dev = prev_dev; 2254 skb->dev = prev_dev;
2168 netif_rx(skb); 2255 netif_receive_skb(skb);
2169 skb = NULL; 2256 skb = NULL;
2170 } else 2257 } else
2171 goto out_free_skb; 2258 goto out_free_skb;
2172 2259
2173 status->flag |= RX_FLAG_INTERNAL_CMTR;
2174 return; 2260 return;
2175 2261
2176 out_free_skb: 2262 out_free_skb:
@@ -2280,7 +2366,7 @@ static int prepare_for_handlers(struct ieee80211_sub_if_data *sdata,
2280 if (!bssid && !sdata->u.mgd.use_4addr) 2366 if (!bssid && !sdata->u.mgd.use_4addr)
2281 return 0; 2367 return 0;
2282 if (!multicast && 2368 if (!multicast &&
2283 compare_ether_addr(sdata->dev->dev_addr, hdr->addr1) != 0) { 2369 compare_ether_addr(sdata->vif.addr, hdr->addr1) != 0) {
2284 if (!(sdata->dev->flags & IFF_PROMISC)) 2370 if (!(sdata->dev->flags & IFF_PROMISC))
2285 return 0; 2371 return 0;
2286 rx->flags &= ~IEEE80211_RX_RA_MATCH; 2372 rx->flags &= ~IEEE80211_RX_RA_MATCH;
@@ -2297,7 +2383,7 @@ static int prepare_for_handlers(struct ieee80211_sub_if_data *sdata,
2297 return 0; 2383 return 0;
2298 rx->flags &= ~IEEE80211_RX_RA_MATCH; 2384 rx->flags &= ~IEEE80211_RX_RA_MATCH;
2299 } else if (!multicast && 2385 } else if (!multicast &&
2300 compare_ether_addr(sdata->dev->dev_addr, 2386 compare_ether_addr(sdata->vif.addr,
2301 hdr->addr1) != 0) { 2387 hdr->addr1) != 0) {
2302 if (!(sdata->dev->flags & IFF_PROMISC)) 2388 if (!(sdata->dev->flags & IFF_PROMISC))
2303 return 0; 2389 return 0;
@@ -2308,13 +2394,13 @@ static int prepare_for_handlers(struct ieee80211_sub_if_data *sdata,
2308 rate_idx = 0; /* TODO: HT rates */ 2394 rate_idx = 0; /* TODO: HT rates */
2309 else 2395 else
2310 rate_idx = status->rate_idx; 2396 rate_idx = status->rate_idx;
2311 rx->sta = ieee80211_ibss_add_sta(sdata, bssid, hdr->addr2, 2397 rx->sta = ieee80211_ibss_add_sta(sdata, bssid,
2312 BIT(rate_idx)); 2398 hdr->addr2, BIT(rate_idx), GFP_ATOMIC);
2313 } 2399 }
2314 break; 2400 break;
2315 case NL80211_IFTYPE_MESH_POINT: 2401 case NL80211_IFTYPE_MESH_POINT:
2316 if (!multicast && 2402 if (!multicast &&
2317 compare_ether_addr(sdata->dev->dev_addr, 2403 compare_ether_addr(sdata->vif.addr,
2318 hdr->addr1) != 0) { 2404 hdr->addr1) != 0) {
2319 if (!(sdata->dev->flags & IFF_PROMISC)) 2405 if (!(sdata->dev->flags & IFF_PROMISC))
2320 return 0; 2406 return 0;
@@ -2325,11 +2411,11 @@ static int prepare_for_handlers(struct ieee80211_sub_if_data *sdata,
2325 case NL80211_IFTYPE_AP_VLAN: 2411 case NL80211_IFTYPE_AP_VLAN:
2326 case NL80211_IFTYPE_AP: 2412 case NL80211_IFTYPE_AP:
2327 if (!bssid) { 2413 if (!bssid) {
2328 if (compare_ether_addr(sdata->dev->dev_addr, 2414 if (compare_ether_addr(sdata->vif.addr,
2329 hdr->addr1)) 2415 hdr->addr1))
2330 return 0; 2416 return 0;
2331 } else if (!ieee80211_bssid_match(bssid, 2417 } else if (!ieee80211_bssid_match(bssid,
2332 sdata->dev->dev_addr)) { 2418 sdata->vif.addr)) {
2333 if (!(rx->flags & IEEE80211_RX_IN_SCAN)) 2419 if (!(rx->flags & IEEE80211_RX_IN_SCAN))
2334 return 0; 2420 return 0;
2335 rx->flags &= ~IEEE80211_RX_RA_MATCH; 2421 rx->flags &= ~IEEE80211_RX_RA_MATCH;
@@ -2364,88 +2450,122 @@ static void __ieee80211_rx_handle_packet(struct ieee80211_hw *hw,
2364 struct ieee80211_local *local = hw_to_local(hw); 2450 struct ieee80211_local *local = hw_to_local(hw);
2365 struct ieee80211_sub_if_data *sdata; 2451 struct ieee80211_sub_if_data *sdata;
2366 struct ieee80211_hdr *hdr; 2452 struct ieee80211_hdr *hdr;
2453 __le16 fc;
2367 struct ieee80211_rx_data rx; 2454 struct ieee80211_rx_data rx;
2368 int prepares; 2455 int prepares;
2369 struct ieee80211_sub_if_data *prev = NULL; 2456 struct ieee80211_sub_if_data *prev = NULL;
2370 struct sk_buff *skb_new; 2457 struct sk_buff *skb_new;
2458 struct sta_info *sta, *tmp;
2459 bool found_sta = false;
2460 int err = 0;
2371 2461
2372 hdr = (struct ieee80211_hdr *)skb->data; 2462 fc = ((struct ieee80211_hdr *)skb->data)->frame_control;
2373 memset(&rx, 0, sizeof(rx)); 2463 memset(&rx, 0, sizeof(rx));
2374 rx.skb = skb; 2464 rx.skb = skb;
2375 rx.local = local; 2465 rx.local = local;
2376 2466
2377 if (ieee80211_is_data(hdr->frame_control) || ieee80211_is_mgmt(hdr->frame_control)) 2467 if (ieee80211_is_data(fc) || ieee80211_is_mgmt(fc))
2378 local->dot11ReceivedFragmentCount++; 2468 local->dot11ReceivedFragmentCount++;
2379 2469
2380 if (unlikely(test_bit(SCAN_HW_SCANNING, &local->scanning) || 2470 if (unlikely(test_bit(SCAN_HW_SCANNING, &local->scanning) ||
2381 test_bit(SCAN_OFF_CHANNEL, &local->scanning))) 2471 test_bit(SCAN_OFF_CHANNEL, &local->scanning)))
2382 rx.flags |= IEEE80211_RX_IN_SCAN; 2472 rx.flags |= IEEE80211_RX_IN_SCAN;
2383 2473
2474 if (ieee80211_is_mgmt(fc))
2475 err = skb_linearize(skb);
2476 else
2477 err = !pskb_may_pull(skb, ieee80211_hdrlen(fc));
2478
2479 if (err) {
2480 dev_kfree_skb(skb);
2481 return;
2482 }
2483
2484 hdr = (struct ieee80211_hdr *)skb->data;
2384 ieee80211_parse_qos(&rx); 2485 ieee80211_parse_qos(&rx);
2385 ieee80211_verify_alignment(&rx); 2486 ieee80211_verify_alignment(&rx);
2386 2487
2387 rx.sta = sta_info_get(local, hdr->addr2); 2488 if (ieee80211_is_data(fc)) {
2388 if (rx.sta) 2489 for_each_sta_info(local, hdr->addr2, sta, tmp) {
2389 rx.sdata = rx.sta->sdata; 2490 rx.sta = sta;
2390 2491 found_sta = true;
2391 if (rx.sdata && ieee80211_is_data(hdr->frame_control)) { 2492 rx.sdata = sta->sdata;
2392 rx.flags |= IEEE80211_RX_RA_MATCH; 2493
2393 prepares = prepare_for_handlers(rx.sdata, &rx, hdr); 2494 rx.flags |= IEEE80211_RX_RA_MATCH;
2394 if (prepares) { 2495 prepares = prepare_for_handlers(rx.sdata, &rx, hdr);
2395 if (status->flag & RX_FLAG_MMIC_ERROR) { 2496 if (prepares) {
2396 if (rx.flags & IEEE80211_RX_RA_MATCH) 2497 if (status->flag & RX_FLAG_MMIC_ERROR) {
2397 ieee80211_rx_michael_mic_report(hdr, &rx); 2498 if (rx.flags & IEEE80211_RX_RA_MATCH)
2398 } else 2499 ieee80211_rx_michael_mic_report(hdr, &rx);
2399 prev = rx.sdata; 2500 } else
2501 prev = rx.sdata;
2502 }
2400 } 2503 }
2401 } else list_for_each_entry_rcu(sdata, &local->interfaces, list) { 2504 }
2402 if (!netif_running(sdata->dev)) 2505 if (!found_sta) {
2403 continue; 2506 list_for_each_entry_rcu(sdata, &local->interfaces, list) {
2507 if (!ieee80211_sdata_running(sdata))
2508 continue;
2404 2509
2405 if (sdata->vif.type == NL80211_IFTYPE_MONITOR || 2510 if (sdata->vif.type == NL80211_IFTYPE_MONITOR ||
2406 sdata->vif.type == NL80211_IFTYPE_AP_VLAN) 2511 sdata->vif.type == NL80211_IFTYPE_AP_VLAN)
2407 continue; 2512 continue;
2408 2513
2409 rx.flags |= IEEE80211_RX_RA_MATCH; 2514 /*
2410 prepares = prepare_for_handlers(sdata, &rx, hdr); 2515 * frame is destined for this interface, but if it's
2516 * not also for the previous one we handle that after
2517 * the loop to avoid copying the SKB once too much
2518 */
2411 2519
2412 if (!prepares) 2520 if (!prev) {
2413 continue; 2521 prev = sdata;
2522 continue;
2523 }
2414 2524
2415 if (status->flag & RX_FLAG_MMIC_ERROR) { 2525 rx.sta = sta_info_get_bss(prev, hdr->addr2);
2416 rx.sdata = sdata;
2417 if (rx.flags & IEEE80211_RX_RA_MATCH)
2418 ieee80211_rx_michael_mic_report(hdr, &rx);
2419 continue;
2420 }
2421 2526
2422 /* 2527 rx.flags |= IEEE80211_RX_RA_MATCH;
2423 * frame is destined for this interface, but if it's not 2528 prepares = prepare_for_handlers(prev, &rx, hdr);
2424 * also for the previous one we handle that after the 2529
2425 * loop to avoid copying the SKB once too much 2530 if (!prepares)
2426 */ 2531 goto next;
2427 2532
2428 if (!prev) { 2533 if (status->flag & RX_FLAG_MMIC_ERROR) {
2534 rx.sdata = prev;
2535 if (rx.flags & IEEE80211_RX_RA_MATCH)
2536 ieee80211_rx_michael_mic_report(hdr,
2537 &rx);
2538 goto next;
2539 }
2540
2541 /*
2542 * frame was destined for the previous interface
2543 * so invoke RX handlers for it
2544 */
2545
2546 skb_new = skb_copy(skb, GFP_ATOMIC);
2547 if (!skb_new) {
2548 if (net_ratelimit())
2549 printk(KERN_DEBUG "%s: failed to copy "
2550 "multicast frame for %s\n",
2551 wiphy_name(local->hw.wiphy),
2552 prev->name);
2553 goto next;
2554 }
2555 ieee80211_invoke_rx_handlers(prev, &rx, skb_new, rate);
2556next:
2429 prev = sdata; 2557 prev = sdata;
2430 continue;
2431 } 2558 }
2432 2559
2433 /* 2560 if (prev) {
2434 * frame was destined for the previous interface 2561 rx.sta = sta_info_get_bss(prev, hdr->addr2);
2435 * so invoke RX handlers for it
2436 */
2437 2562
2438 skb_new = skb_copy(skb, GFP_ATOMIC); 2563 rx.flags |= IEEE80211_RX_RA_MATCH;
2439 if (!skb_new) { 2564 prepares = prepare_for_handlers(prev, &rx, hdr);
2440 if (net_ratelimit()) 2565
2441 printk(KERN_DEBUG "%s: failed to copy " 2566 if (!prepares)
2442 "multicast frame for %s\n", 2567 prev = NULL;
2443 wiphy_name(local->hw.wiphy),
2444 prev->dev->name);
2445 continue;
2446 } 2568 }
2447 ieee80211_invoke_rx_handlers(prev, &rx, skb_new, rate);
2448 prev = sdata;
2449 } 2569 }
2450 if (prev) 2570 if (prev)
2451 ieee80211_invoke_rx_handlers(prev, &rx, skb, rate); 2571 ieee80211_invoke_rx_handlers(prev, &rx, skb, rate);
generated by cgit v1.2.2 (git 2.25.0) at 2025-12-12 01:21:33 -0500