rx.c 82.1 KB
Newer Older
1
2
3
4
/*
 * Copyright 2002-2005, Instant802 Networks, Inc.
 * Copyright 2005-2006, Devicescape Software, Inc.
 * Copyright 2006-2007	Jiri Benc <jbenc@suse.cz>
5
 * Copyright 2007-2010	Johannes Berg <johannes@sipsolutions.net>
6
7
8
9
10
11
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License version 2 as
 * published by the Free Software Foundation.
 */

12
#include <linux/jiffies.h>
13
#include <linux/slab.h>
14
15
16
17
#include <linux/kernel.h>
#include <linux/skbuff.h>
#include <linux/netdevice.h>
#include <linux/etherdevice.h>
18
#include <linux/rcupdate.h>
19
20
21
22
#include <net/mac80211.h>
#include <net/ieee80211_radiotap.h>

#include "ieee80211_i.h"
23
#include "driver-ops.h"
Johannes Berg's avatar
Johannes Berg committed
24
#include "led.h"
25
#include "mesh.h"
26
27
28
29
30
#include "wep.h"
#include "wpa.h"
#include "tkip.h"
#include "wme.h"

31
32
33
34
35
36
37
/*
 * monitor mode reception
 *
 * This function cleans up the SKB, i.e. it removes all the stuff
 * only useful for monitoring.
 */
static struct sk_buff *remove_monitor_info(struct ieee80211_local *local,
38
					   struct sk_buff *skb)
39
40
41
{
	if (local->hw.flags & IEEE80211_HW_RX_INCLUDES_FCS) {
		if (likely(skb->len > FCS_LEN))
Zhu Yi's avatar
Zhu Yi committed
42
			__pskb_trim(skb, skb->len - FCS_LEN);
43
44
45
46
47
48
49
50
51
52
53
		else {
			/* driver bug */
			WARN_ON(1);
			dev_kfree_skb(skb);
			skb = NULL;
		}
	}

	return skb;
}

54
static inline int should_drop_frame(struct sk_buff *skb,
55
				    int present_fcs_len)
56
{
57
	struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb);
58
	struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)skb->data;
59
60
61

	if (status->flag & (RX_FLAG_FAILED_FCS_CRC | RX_FLAG_FAILED_PLCP_CRC))
		return 1;
62
	if (unlikely(skb->len < 16 + present_fcs_len))
63
		return 1;
64
65
66
	if (ieee80211_is_ctl(hdr->frame_control) &&
	    !ieee80211_is_pspoll(hdr->frame_control) &&
	    !ieee80211_is_back_req(hdr->frame_control))
67
68
69
70
		return 1;
	return 0;
}

71
72
73
74
75
76
77
78
79
static int
ieee80211_rx_radiotap_len(struct ieee80211_local *local,
			  struct ieee80211_rx_status *status)
{
	int len;

	/* always present fields */
	len = sizeof(struct ieee80211_radiotap_header) + 9;

Johannes Berg's avatar
Johannes Berg committed
80
	if (status->flag & RX_FLAG_MACTIME_MPDU)
81
		len += 8;
Johannes Berg's avatar
Johannes Berg committed
82
	if (local->hw.flags & IEEE80211_HW_SIGNAL_DBM)
83
84
85
86
87
		len += 1;

	if (len & 1) /* padding for RX_FLAGS if necessary */
		len++;

88
89
90
	if (status->flag & RX_FLAG_HT) /* HT info */
		len += 3;

91
92
93
	return len;
}

94
/*
95
96
97
98
99
100
101
102
103
104
 * ieee80211_add_rx_radiotap_header - add radiotap header
 *
 * add a radiotap header containing all the fields which the hardware provided.
 */
static void
ieee80211_add_rx_radiotap_header(struct ieee80211_local *local,
				 struct sk_buff *skb,
				 struct ieee80211_rate *rate,
				 int rtap_len)
{
105
	struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb);
106
107
	struct ieee80211_radiotap_header *rthdr;
	unsigned char *pos;
108
	u16 rx_flags = 0;
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125

	rthdr = (struct ieee80211_radiotap_header *)skb_push(skb, rtap_len);
	memset(rthdr, 0, rtap_len);

	/* radiotap header, set always present flags */
	rthdr->it_present =
		cpu_to_le32((1 << IEEE80211_RADIOTAP_FLAGS) |
			    (1 << IEEE80211_RADIOTAP_CHANNEL) |
			    (1 << IEEE80211_RADIOTAP_ANTENNA) |
			    (1 << IEEE80211_RADIOTAP_RX_FLAGS));
	rthdr->it_len = cpu_to_le16(rtap_len);

	pos = (unsigned char *)(rthdr+1);

	/* the order of the following fields is important */

	/* IEEE80211_RADIOTAP_TSFT */
Johannes Berg's avatar
Johannes Berg committed
126
	if (status->flag & RX_FLAG_MACTIME_MPDU) {
127
		put_unaligned_le64(status->mactime, pos);
128
129
130
131
132
133
134
135
		rthdr->it_present |=
			cpu_to_le32(1 << IEEE80211_RADIOTAP_TSFT);
		pos += 8;
	}

	/* IEEE80211_RADIOTAP_FLAGS */
	if (local->hw.flags & IEEE80211_HW_RX_INCLUDES_FCS)
		*pos |= IEEE80211_RADIOTAP_F_FCS;
Johannes Berg's avatar
Johannes Berg committed
136
137
	if (status->flag & (RX_FLAG_FAILED_FCS_CRC | RX_FLAG_FAILED_PLCP_CRC))
		*pos |= IEEE80211_RADIOTAP_F_BADFCS;
138
139
	if (status->flag & RX_FLAG_SHORTPRE)
		*pos |= IEEE80211_RADIOTAP_F_SHORTPRE;
140
141
142
	pos++;

	/* IEEE80211_RADIOTAP_RATE */
143
144
	if (status->flag & RX_FLAG_HT) {
		/*
145
		 * MCS information is a separate field in radiotap,
146
147
		 * added below. The byte here is needed as padding
		 * for the channel though, so initialise it to 0.
148
149
		 */
		*pos = 0;
150
	} else {
151
		rthdr->it_present |= cpu_to_le32(1 << IEEE80211_RADIOTAP_RATE);
152
		*pos = rate->bitrate / 5;
153
	}
154
155
156
	pos++;

	/* IEEE80211_RADIOTAP_CHANNEL */
157
	put_unaligned_le16(status->freq, pos);
158
159
	pos += 2;
	if (status->band == IEEE80211_BAND_5GHZ)
160
161
		put_unaligned_le16(IEEE80211_CHAN_OFDM | IEEE80211_CHAN_5GHZ,
				   pos);
162
163
164
	else if (status->flag & RX_FLAG_HT)
		put_unaligned_le16(IEEE80211_CHAN_DYN | IEEE80211_CHAN_2GHZ,
				   pos);
165
	else if (rate->flags & IEEE80211_RATE_ERP_G)
166
167
		put_unaligned_le16(IEEE80211_CHAN_OFDM | IEEE80211_CHAN_2GHZ,
				   pos);
168
	else
169
170
		put_unaligned_le16(IEEE80211_CHAN_CCK | IEEE80211_CHAN_2GHZ,
				   pos);
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
	pos += 2;

	/* IEEE80211_RADIOTAP_DBM_ANTSIGNAL */
	if (local->hw.flags & IEEE80211_HW_SIGNAL_DBM) {
		*pos = status->signal;
		rthdr->it_present |=
			cpu_to_le32(1 << IEEE80211_RADIOTAP_DBM_ANTSIGNAL);
		pos++;
	}

	/* IEEE80211_RADIOTAP_LOCK_QUALITY is missing */

	/* IEEE80211_RADIOTAP_ANTENNA */
	*pos = status->antenna;
	pos++;

	/* IEEE80211_RADIOTAP_DB_ANTNOISE is not used */

	/* IEEE80211_RADIOTAP_RX_FLAGS */
	/* ensure 2 byte alignment for the 2 byte field as required */
191
	if ((pos - (u8 *)rthdr) & 1)
192
		pos++;
Johannes Berg's avatar
Johannes Berg committed
193
	if (status->flag & RX_FLAG_FAILED_PLCP_CRC)
194
195
		rx_flags |= IEEE80211_RADIOTAP_F_RX_BADPLCP;
	put_unaligned_le16(rx_flags, pos);
196
	pos += 2;
197
198
199
200
201
202
203
204
205
206
207
208
209
210

	if (status->flag & RX_FLAG_HT) {
		rthdr->it_present |= cpu_to_le32(1 << IEEE80211_RADIOTAP_MCS);
		*pos++ = IEEE80211_RADIOTAP_MCS_HAVE_MCS |
			 IEEE80211_RADIOTAP_MCS_HAVE_GI |
			 IEEE80211_RADIOTAP_MCS_HAVE_BW;
		*pos = 0;
		if (status->flag & RX_FLAG_SHORT_GI)
			*pos |= IEEE80211_RADIOTAP_MCS_SGI;
		if (status->flag & RX_FLAG_40MHZ)
			*pos |= IEEE80211_RADIOTAP_MCS_BW_40;
		pos++;
		*pos++ = status->rate_idx;
	}
211
212
}

213
214
215
216
217
218
219
/*
 * This function copies a received frame to all monitor interfaces and
 * returns a cleaned-up SKB that no longer includes the FCS nor the
 * radiotap header the driver might have added.
 */
static struct sk_buff *
ieee80211_rx_monitor(struct ieee80211_local *local, struct sk_buff *origskb,
220
		     struct ieee80211_rate *rate)
221
{
222
	struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(origskb);
223
224
225
226
227
228
229
230
231
232
233
234
235
236
	struct ieee80211_sub_if_data *sdata;
	int needed_headroom = 0;
	struct sk_buff *skb, *skb2;
	struct net_device *prev_dev = NULL;
	int present_fcs_len = 0;

	/*
	 * First, we may need to make a copy of the skb because
	 *  (1) we need to modify it for radiotap (if not present), and
	 *  (2) the other RX handlers will modify the skb we got.
	 *
	 * We don't need to, of course, if we aren't going to return
	 * the SKB because it has a bad FCS/PLCP checksum.
	 */
237
238
239

	/* room for the radiotap header based on driver features */
	needed_headroom = ieee80211_rx_radiotap_len(local, status);
240
241
242
243

	if (local->hw.flags & IEEE80211_HW_RX_INCLUDES_FCS)
		present_fcs_len = FCS_LEN;

Zhu Yi's avatar
Zhu Yi committed
244
245
246
247
248
249
	/* make sure hdr->frame_control is on the linear part */
	if (!pskb_may_pull(origskb, 2)) {
		dev_kfree_skb(origskb);
		return NULL;
	}

250
	if (!local->monitors) {
251
		if (should_drop_frame(origskb, present_fcs_len)) {
252
253
254
255
			dev_kfree_skb(origskb);
			return NULL;
		}

256
		return remove_monitor_info(local, origskb);
257
258
	}

259
	if (should_drop_frame(origskb, present_fcs_len)) {
260
261
262
263
264
265
266
267
268
269
270
271
		/* only need to expand headroom if necessary */
		skb = origskb;
		origskb = NULL;

		/*
		 * This shouldn't trigger often because most devices have an
		 * RX header they pull before we get here, and that should
		 * be big enough for our radiotap information. We should
		 * probably export the length to drivers so that we can have
		 * them allocate enough headroom to start with.
		 */
		if (skb_headroom(skb) < needed_headroom &&
272
		    pskb_expand_head(skb, needed_headroom, 0, GFP_ATOMIC)) {
273
274
275
276
277
278
279
280
281
282
			dev_kfree_skb(skb);
			return NULL;
		}
	} else {
		/*
		 * Need to make a copy and possibly remove radiotap header
		 * and FCS from the original.
		 */
		skb = skb_copy_expand(origskb, needed_headroom, 0, GFP_ATOMIC);

283
		origskb = remove_monitor_info(local, origskb);
284
285
286
287
288

		if (!skb)
			return origskb;
	}

289
290
	/* prepend radiotap information */
	ieee80211_add_rx_radiotap_header(local, skb, rate, needed_headroom);
291

292
	skb_reset_mac_header(skb);
293
294
295
296
297
	skb->ip_summed = CHECKSUM_UNNECESSARY;
	skb->pkt_type = PACKET_OTHERHOST;
	skb->protocol = htons(ETH_P_802_2);

	list_for_each_entry_rcu(sdata, &local->interfaces, list) {
298
		if (sdata->vif.type != NL80211_IFTYPE_MONITOR)
299
300
			continue;

301
302
303
		if (sdata->u.mntr_flags & MONITOR_FLAG_COOK_FRAMES)
			continue;

304
		if (!ieee80211_sdata_running(sdata))
305
306
			continue;

307
308
309
310
		if (prev_dev) {
			skb2 = skb_clone(skb, GFP_ATOMIC);
			if (skb2) {
				skb2->dev = prev_dev;
311
				netif_receive_skb(skb2);
312
313
314
315
316
317
318
319
320
321
			}
		}

		prev_dev = sdata->dev;
		sdata->dev->stats.rx_packets++;
		sdata->dev->stats.rx_bytes += skb->len;
	}

	if (prev_dev) {
		skb->dev = prev_dev;
322
		netif_receive_skb(skb);
323
324
325
326
327
328
329
	} else
		dev_kfree_skb(skb);

	return origskb;
}


330
static void ieee80211_parse_qos(struct ieee80211_rx_data *rx)
331
{
332
	struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)rx->skb->data;
333
	struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(rx->skb);
334
	int tid, seqno_idx, security_idx;
335
336

	/* does the frame have a qos control field? */
337
338
	if (ieee80211_is_data_qos(hdr->frame_control)) {
		u8 *qc = ieee80211_get_qos_ctl(hdr);
339
		/* frame has qos control */
340
		tid = *qc & IEEE80211_QOS_CTL_TID_MASK;
341
		if (*qc & IEEE80211_QOS_CTL_A_MSDU_PRESENT)
342
			status->rx_flags |= IEEE80211_RX_AMSDU;
343
344
345

		seqno_idx = tid;
		security_idx = tid;
346
	} else {
347
348
349
350
351
352
353
354
355
356
357
		/*
		 * IEEE 802.11-2007, 7.1.3.4.1 ("Sequence Number field"):
		 *
		 *	Sequence numbers for management frames, QoS data
		 *	frames with a broadcast/multicast address in the
		 *	Address 1 field, and all non-QoS data frames sent
		 *	by QoS STAs are assigned using an additional single
		 *	modulo-4096 counter, [...]
		 *
		 * We also use that counter for non-QoS STAs.
		 */
358
359
360
361
362
		seqno_idx = NUM_RX_DATA_QUEUES;
		security_idx = 0;
		if (ieee80211_is_mgmt(hdr->frame_control))
			security_idx = NUM_RX_DATA_QUEUES;
		tid = 0;
363
	}
364

365
366
	rx->seqno_idx = seqno_idx;
	rx->security_idx = security_idx;
367
368
369
	/* Set skb->priority to 1d tag if highest order bit of TID is not set.
	 * For now, set skb->priority to 0 for other cases. */
	rx->skb->priority = (tid > 7) ? 0 : tid;
370
}
371

372
373
374
375
376
377
378
379
380
381
382
/**
 * DOC: Packet alignment
 *
 * Drivers always need to pass packets that are aligned to two-byte boundaries
 * to the stack.
 *
 * Additionally, should, if possible, align the payload data in a way that
 * guarantees that the contained IP header is aligned to a four-byte
 * boundary. In the case of regular frames, this simply means aligning the
 * payload to a four-byte boundary (because either the IP header is directly
 * contained, or IV/RFC1042 headers that have a length divisible by four are
383
384
385
 * in front of it).  If the payload data is not properly aligned and the
 * architecture doesn't support efficient unaligned operations, mac80211
 * will align the data.
386
387
388
389
390
391
392
 *
 * With A-MSDU frames, however, the payload data address must yield two modulo
 * four because there are 14-byte 802.3 headers within the A-MSDU frames that
 * push the IP header further back to a multiple of four again. Thankfully, the
 * specs were sane enough this time around to require padding each A-MSDU
 * subframe to a length that is a multiple of four.
 *
Lucas De Marchi's avatar
Lucas De Marchi committed
393
 * Padding like Atheros hardware adds which is between the 802.11 header and
394
395
396
397
 * the payload is not supported, the driver is required to move the 802.11
 * header to be directly in front of the payload in that case.
 */
static void ieee80211_verify_alignment(struct ieee80211_rx_data *rx)
398
{
399
400
401
#ifdef CONFIG_MAC80211_VERBOSE_DEBUG
	WARN_ONCE((unsigned long)rx->skb->data & 1,
		  "unaligned packet at 0x%p\n", rx->skb->data);
402
#endif
403
404
}

405

406
407
/* rx handlers */

408
static ieee80211_rx_result debug_noinline
409
ieee80211_rx_h_passive_scan(struct ieee80211_rx_data *rx)
410
411
{
	struct ieee80211_local *local = rx->local;
412
	struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(rx->skb);
413
414
	struct sk_buff *skb = rx->skb;

415
416
	if (likely(!(status->rx_flags & IEEE80211_RX_IN_SCAN) &&
		   !local->sched_scanning))
417
418
		return RX_CONTINUE;

419
	if (test_bit(SCAN_HW_SCANNING, &local->scanning) ||
420
421
	    test_bit(SCAN_SW_SCANNING, &local->scanning) ||
	    local->sched_scanning)
422
		return ieee80211_scan_rx(rx->sdata, skb);
Zhu Yi's avatar
Zhu Yi committed
423

424
425
426
	/* scanning finished during invoking of handlers */
	I802_DEBUG_INC(local->rx_handlers_drop_passive_scan);
	return RX_DROP_UNUSABLE;
427
428
}

429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474

static int ieee80211_is_unicast_robust_mgmt_frame(struct sk_buff *skb)
{
	struct ieee80211_hdr *hdr = (struct ieee80211_hdr *) skb->data;

	if (skb->len < 24 || is_multicast_ether_addr(hdr->addr1))
		return 0;

	return ieee80211_is_robust_mgmt_frame(hdr);
}


static int ieee80211_is_multicast_robust_mgmt_frame(struct sk_buff *skb)
{
	struct ieee80211_hdr *hdr = (struct ieee80211_hdr *) skb->data;

	if (skb->len < 24 || !is_multicast_ether_addr(hdr->addr1))
		return 0;

	return ieee80211_is_robust_mgmt_frame(hdr);
}


/* Get the BIP key index from MMIE; return -1 if this is not a BIP frame */
static int ieee80211_get_mmie_keyidx(struct sk_buff *skb)
{
	struct ieee80211_mgmt *hdr = (struct ieee80211_mgmt *) skb->data;
	struct ieee80211_mmie *mmie;

	if (skb->len < 24 + sizeof(*mmie) ||
	    !is_multicast_ether_addr(hdr->da))
		return -1;

	if (!ieee80211_is_robust_mgmt_frame((struct ieee80211_hdr *) hdr))
		return -1; /* not a robust management frame */

	mmie = (struct ieee80211_mmie *)
		(skb->data + skb->len - sizeof(*mmie));
	if (mmie->element_id != WLAN_EID_MMIE ||
	    mmie->length != sizeof(*mmie) - 2)
		return -1;

	return le16_to_cpu(mmie->key_id);
}


475
static ieee80211_rx_result
476
ieee80211_rx_mesh_check(struct ieee80211_rx_data *rx)
477
{
478
479
	struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)rx->skb->data;
	unsigned int hdrlen = ieee80211_hdrlen(hdr->frame_control);
480
	char *dev_addr = rx->sdata->vif.addr;
481

482
	if (ieee80211_is_data(hdr->frame_control)) {
483
484
485
486
487
488
489
490
491
492
493
494
		if (is_multicast_ether_addr(hdr->addr1)) {
			if (ieee80211_has_tods(hdr->frame_control) ||
				!ieee80211_has_fromds(hdr->frame_control))
				return RX_DROP_MONITOR;
			if (memcmp(hdr->addr3, dev_addr, ETH_ALEN) == 0)
				return RX_DROP_MONITOR;
		} else {
			if (!ieee80211_has_a4(hdr->frame_control))
				return RX_DROP_MONITOR;
			if (memcmp(hdr->addr4, dev_addr, ETH_ALEN) == 0)
				return RX_DROP_MONITOR;
		}
495
496
497
498
499
500
	}

	/* If there is not an established peer link and this is not a peer link
	 * establisment frame, beacon or probe, drop the frame.
	 */

501
	if (!rx->sta || sta_plink_state(rx->sta) != NL80211_PLINK_ESTAB) {
502
		struct ieee80211_mgmt *mgmt;
503

504
		if (!ieee80211_is_mgmt(hdr->frame_control))
505
506
			return RX_DROP_MONITOR;

507
		if (ieee80211_is_action(hdr->frame_control)) {
508
			u8 category;
509
			mgmt = (struct ieee80211_mgmt *)hdr;
510
511
512
			category = mgmt->u.action.category;
			if (category != WLAN_CATEGORY_MESH_ACTION &&
				category != WLAN_CATEGORY_SELF_PROTECTED)
513
514
515
516
				return RX_DROP_MONITOR;
			return RX_CONTINUE;
		}

517
518
		if (ieee80211_is_probe_req(hdr->frame_control) ||
		    ieee80211_is_probe_resp(hdr->frame_control) ||
519
520
		    ieee80211_is_beacon(hdr->frame_control) ||
		    ieee80211_is_auth(hdr->frame_control))
521
522
523
524
525
526
527
528
529
530
			return RX_CONTINUE;

		return RX_DROP_MONITOR;

	}

#define msh_h_get(h, l) ((struct ieee80211s_hdr *) ((u8 *)h + l))

	if (ieee80211_is_data(hdr->frame_control) &&
	    is_multicast_ether_addr(hdr->addr1) &&
531
	    mesh_rmc_check(hdr->addr3, msh_h_get(hdr, hdrlen), rx->sdata))
532
		return RX_DROP_MONITOR;
Johannes Berg's avatar
Johannes Berg committed
533
#undef msh_h_get
534

Johannes Berg's avatar
Johannes Berg committed
535
536
	return RX_CONTINUE;
}
537

538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
#define SEQ_MODULO 0x1000
#define SEQ_MASK   0xfff

static inline int seq_less(u16 sq1, u16 sq2)
{
	return ((sq1 - sq2) & SEQ_MASK) > (SEQ_MODULO >> 1);
}

static inline u16 seq_inc(u16 sq)
{
	return (sq + 1) & SEQ_MASK;
}

static inline u16 seq_sub(u16 sq1, u16 sq2)
{
	return (sq1 - sq2) & SEQ_MASK;
}


static void ieee80211_release_reorder_frame(struct ieee80211_hw *hw,
					    struct tid_ampdu_rx *tid_agg_rx,
559
					    int index)
560
{
561
	struct ieee80211_local *local = hw_to_local(hw);
562
	struct sk_buff *skb = tid_agg_rx->reorder_buf[index];
563
	struct ieee80211_rx_status *status;
564

565
566
	lockdep_assert_held(&tid_agg_rx->reorder_lock);

567
568
569
	if (!skb)
		goto no_frame;

570
	/* release the frame from the reorder ring buffer */
571
572
	tid_agg_rx->stored_mpdu_num--;
	tid_agg_rx->reorder_buf[index] = NULL;
573
574
	status = IEEE80211_SKB_RXCB(skb);
	status->rx_flags |= IEEE80211_RX_DEFERRED_RELEASE;
575
	skb_queue_tail(&local->rx_skb_queue, skb);
576
577
578
579
580
581
582

no_frame:
	tid_agg_rx->head_seq_num = seq_inc(tid_agg_rx->head_seq_num);
}

static void ieee80211_release_reorder_frames(struct ieee80211_hw *hw,
					     struct tid_ampdu_rx *tid_agg_rx,
583
					     u16 head_seq_num)
584
585
586
{
	int index;

587
588
	lockdep_assert_held(&tid_agg_rx->reorder_lock);

589
590
591
	while (seq_less(tid_agg_rx->head_seq_num, head_seq_num)) {
		index = seq_sub(tid_agg_rx->head_seq_num, tid_agg_rx->ssn) %
							tid_agg_rx->buf_size;
592
		ieee80211_release_reorder_frame(hw, tid_agg_rx, index);
593
594
595
596
597
598
599
600
601
	}
}

/*
 * Timeout (in jiffies) for skb's that are waiting in the RX reorder buffer. If
 * the skb was added to the buffer longer than this time ago, the earlier
 * frames that have not yet been received are assumed to be lost and the skb
 * can be released for processing. This may also release other skb's from the
 * reorder buffer if there are no additional gaps between the frames.
602
603
 *
 * Callers must hold tid_agg_rx->reorder_lock.
604
605
606
 */
#define HT_RX_REORDER_BUF_TIMEOUT (HZ / 10)

607
static void ieee80211_sta_reorder_release(struct ieee80211_hw *hw,
608
					  struct tid_ampdu_rx *tid_agg_rx)
609
{
610
	int index, j;
611

612
613
	lockdep_assert_held(&tid_agg_rx->reorder_lock);

614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
	/* release the buffer until next missing frame */
	index = seq_sub(tid_agg_rx->head_seq_num, tid_agg_rx->ssn) %
						tid_agg_rx->buf_size;
	if (!tid_agg_rx->reorder_buf[index] &&
	    tid_agg_rx->stored_mpdu_num > 1) {
		/*
		 * No buffers ready to be released, but check whether any
		 * frames in the reorder buffer have timed out.
		 */
		int skipped = 1;
		for (j = (index + 1) % tid_agg_rx->buf_size; j != index;
		     j = (j + 1) % tid_agg_rx->buf_size) {
			if (!tid_agg_rx->reorder_buf[j]) {
				skipped++;
				continue;
			}
630
631
			if (skipped &&
			    !time_after(jiffies, tid_agg_rx->reorder_time[j] +
632
					HT_RX_REORDER_BUF_TIMEOUT))
633
				goto set_release_timer;
634
635
636

#ifdef CONFIG_MAC80211_HT_DEBUG
			if (net_ratelimit())
Joe Perches's avatar
Joe Perches committed
637
638
				wiphy_debug(hw->wiphy,
					    "release an RX reorder frame due to timeout on earlier frames\n");
639
#endif
640
			ieee80211_release_reorder_frame(hw, tid_agg_rx, j);
641
642
643
644
645
646
647
648
649

			/*
			 * Increment the head seq# also for the skipped slots.
			 */
			tid_agg_rx->head_seq_num =
				(tid_agg_rx->head_seq_num + skipped) & SEQ_MASK;
			skipped = 0;
		}
	} else while (tid_agg_rx->reorder_buf[index]) {
650
		ieee80211_release_reorder_frame(hw, tid_agg_rx, index);
651
652
653
		index =	seq_sub(tid_agg_rx->head_seq_num, tid_agg_rx->ssn) %
							tid_agg_rx->buf_size;
	}
654
655
656
657
658
659
660
661
662
663
664
665
666
667

	if (tid_agg_rx->stored_mpdu_num) {
		j = index = seq_sub(tid_agg_rx->head_seq_num,
				    tid_agg_rx->ssn) % tid_agg_rx->buf_size;

		for (; j != (index - 1) % tid_agg_rx->buf_size;
		     j = (j + 1) % tid_agg_rx->buf_size) {
			if (tid_agg_rx->reorder_buf[j])
				break;
		}

 set_release_timer:

		mod_timer(&tid_agg_rx->reorder_timer,
668
			  tid_agg_rx->reorder_time[j] + 1 +
669
670
671
672
			  HT_RX_REORDER_BUF_TIMEOUT);
	} else {
		del_timer(&tid_agg_rx->reorder_timer);
	}
673
674
}

675
676
677
678
679
680
681
/*
 * As this function belongs to the RX path it must be under
 * rcu_read_lock protection. It returns false if the frame
 * can be processed immediately, true if it was consumed.
 */
static bool ieee80211_sta_manage_reorder_buf(struct ieee80211_hw *hw,
					     struct tid_ampdu_rx *tid_agg_rx,
682
					     struct sk_buff *skb)
683
684
685
686
687
688
{
	struct ieee80211_hdr *hdr = (struct ieee80211_hdr *) skb->data;
	u16 sc = le16_to_cpu(hdr->seq_ctrl);
	u16 mpdu_seq_num = (sc & IEEE80211_SCTL_SEQ) >> 4;
	u16 head_seq_num, buf_size;
	int index;
689
	bool ret = true;
690

691
692
	spin_lock(&tid_agg_rx->reorder_lock);

693
694
695
696
697
698
	buf_size = tid_agg_rx->buf_size;
	head_seq_num = tid_agg_rx->head_seq_num;

	/* frame with out of date sequence number */
	if (seq_less(mpdu_seq_num, head_seq_num)) {
		dev_kfree_skb(skb);
699
		goto out;
700
701
702
703
704
705
706
707
708
	}

	/*
	 * If frame the sequence number exceeds our buffering window
	 * size release some previous frames to make room for this one.
	 */
	if (!seq_less(mpdu_seq_num, head_seq_num + buf_size)) {
		head_seq_num = seq_inc(seq_sub(mpdu_seq_num, buf_size));
		/* release stored frames up to new head to stack */
709
		ieee80211_release_reorder_frames(hw, tid_agg_rx, head_seq_num);
710
711
712
713
714
715
716
717
718
	}

	/* Now the new frame is always in the range of the reordering buffer */

	index = seq_sub(mpdu_seq_num, tid_agg_rx->ssn) % tid_agg_rx->buf_size;

	/* check if we already stored this frame */
	if (tid_agg_rx->reorder_buf[index]) {
		dev_kfree_skb(skb);
719
		goto out;
720
721
722
723
724
	}

	/*
	 * If the current MPDU is in the right order and nothing else
	 * is stored we can process it directly, no need to buffer it.
725
726
	 * If it is first but there's something stored, we may be able
	 * to release frames after this one.
727
728
729
730
	 */
	if (mpdu_seq_num == tid_agg_rx->head_seq_num &&
	    tid_agg_rx->stored_mpdu_num == 0) {
		tid_agg_rx->head_seq_num = seq_inc(tid_agg_rx->head_seq_num);
731
732
		ret = false;
		goto out;
733
734
735
736
737
738
	}

	/* put the frame in the reordering buffer */
	tid_agg_rx->reorder_buf[index] = skb;
	tid_agg_rx->reorder_time[index] = jiffies;
	tid_agg_rx->stored_mpdu_num++;
739
	ieee80211_sta_reorder_release(hw, tid_agg_rx);
740

741
742
743
 out:
	spin_unlock(&tid_agg_rx->reorder_lock);
	return ret;
744
745
746
747
748
749
}

/*
 * Reorder MPDUs from A-MPDUs, keeping them on a buffer. Returns
 * true if the MPDU was buffered, false if it should be processed.
 */
750
static void ieee80211_rx_reorder_ampdu(struct ieee80211_rx_data *rx)
751
{
752
753
	struct sk_buff *skb = rx->skb;
	struct ieee80211_local *local = rx->local;
754
755
	struct ieee80211_hw *hw = &local->hw;
	struct ieee80211_hdr *hdr = (struct ieee80211_hdr *) skb->data;
756
	struct sta_info *sta = rx->sta;
757
758
759
760
761
	struct tid_ampdu_rx *tid_agg_rx;
	u16 sc;
	int tid;

	if (!ieee80211_is_data_qos(hdr->frame_control))
762
		goto dont_reorder;
763
764
765
766
767
768
769

	/*
	 * filter the QoS data rx stream according to
	 * STA/TID and check if this STA/TID is on aggregation
	 */

	if (!sta)
770
		goto dont_reorder;
771
772
773

	tid = *ieee80211_get_qos_ctl(hdr) & IEEE80211_QOS_CTL_TID_MASK;

774
775
776
	tid_agg_rx = rcu_dereference(sta->ampdu_mlme.tid_rx[tid]);
	if (!tid_agg_rx)
		goto dont_reorder;
777
778
779

	/* qos null data frames are excluded */
	if (unlikely(hdr->frame_control & cpu_to_le16(IEEE80211_STYPE_NULLFUNC)))
780
		goto dont_reorder;
781
782
783
784
785
786
787
788
789
790
791

	/* new, potentially un-ordered, ampdu frame - process it */

	/* reset session timer */
	if (tid_agg_rx->timeout)
		mod_timer(&tid_agg_rx->session_timer,
			  TU_TO_EXP_TIME(tid_agg_rx->timeout));

	/* if this mpdu is fragmented - terminate rx aggregation session */
	sc = le16_to_cpu(hdr->seq_ctrl);
	if (sc & IEEE80211_SCTL_FRAG) {
792
		skb->pkt_type = IEEE80211_SDATA_QUEUE_TYPE_FRAME;
793
794
		skb_queue_tail(&rx->sdata->skb_queue, skb);
		ieee80211_queue_work(&local->hw, &rx->sdata->work);
795
		return;
796
797
	}

798
799
800
801
802
803
804
	/*
	 * No locking needed -- we will only ever process one
	 * RX packet at a time, and thus own tid_agg_rx. All
	 * other code manipulating it needs to (and does) make
	 * sure that we cannot get to it any more before doing
	 * anything with it.
	 */
805
	if (ieee80211_sta_manage_reorder_buf(hw, tid_agg_rx, skb))
806
807
808
		return;

 dont_reorder:
809
	skb_queue_tail(&local->rx_skb_queue, skb);
810
}
811

812
static ieee80211_rx_result debug_noinline
813
ieee80211_rx_h_check(struct ieee80211_rx_data *rx)
814
{
815
	struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)rx->skb->data;
816
	struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(rx->skb);
817
818
819

	/* Drop duplicate 802.11 retransmissions (IEEE 802.11 Chap. 9.2.9) */
	if (rx->sta && !is_multicast_ether_addr(hdr->addr1)) {
820
		if (unlikely(ieee80211_has_retry(hdr->frame_control) &&
821
			     rx->sta->last_seq_ctrl[rx->seqno_idx] ==
822
			     hdr->seq_ctrl)) {
823
			if (status->rx_flags & IEEE80211_RX_RA_MATCH) {
824
825
826
				rx->local->dot11FrameDuplicateCount++;
				rx->sta->num_duplicates++;
			}
827
			return RX_DROP_UNUSABLE;
828
		} else
829
			rx->sta->last_seq_ctrl[rx->seqno_idx] = hdr->seq_ctrl;
830
831
832
833
	}

	if (unlikely(rx->skb->len < 16)) {
		I802_DEBUG_INC(rx->local->rx_handlers_drop_short);
Johannes Berg's avatar
Johannes Berg committed
834
		return RX_DROP_MONITOR;
835
836
837
838
839
	}

	/* Drop disallowed frame classes based on STA auth/assoc state;
	 * IEEE 802.11, Chap 5.5.
	 *
840
841
	 * mac80211 filters only based on association state, i.e. it drops
	 * Class 3 frames from not associated stations. hostapd sends
842
843
844
	 * deauth/disassoc frames when needed. In addition, hostapd is
	 * responsible for filtering on both auth and assoc states.
	 */
845

Johannes Berg's avatar
Johannes Berg committed
846
	if (ieee80211_vif_is_mesh(&rx->sdata->vif))
847
848
		return ieee80211_rx_mesh_check(rx);

849
850
	if (unlikely((ieee80211_is_data(hdr->frame_control) ||
		      ieee80211_is_pspoll(hdr->frame_control)) &&
851
		     rx->sdata->vif.type != NL80211_IFTYPE_ADHOC &&
Bill Jordan's avatar
Bill Jordan committed
852
		     rx->sdata->vif.type != NL80211_IFTYPE_WDS &&
853
854
855
856
857
858
859
860
861
862
863
864
865
		     (!rx->sta || !test_sta_flags(rx->sta, WLAN_STA_ASSOC)))) {
		if (rx->sta && rx->sta->dummy &&
		    ieee80211_is_data_present(hdr->frame_control)) {
			u16 ethertype;
			u8 *payload;

			payload = rx->skb->data +
				ieee80211_hdrlen(hdr->frame_control);
			ethertype = (payload[6] << 8) | payload[7];
			if (cpu_to_be16(ethertype) ==
			    rx->sdata->control_port_protocol)
				return RX_CONTINUE;
		}
Johannes Berg's avatar
Johannes Berg committed
866
		return RX_DROP_MONITOR;
867
	}
868

869
	return RX_CONTINUE;
870
871
872
}


873
static ieee80211_rx_result debug_noinline
874
ieee80211_rx_h_decrypt(struct ieee80211_rx_data *rx)
875
{
Johannes Berg's avatar
Johannes Berg committed
876
877
878
	struct sk_buff *skb = rx->skb;
	struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb);
	struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)skb->data;
879
880
	int keyidx;
	int hdrlen;
Johannes Berg's avatar
Johannes Berg committed
881
	ieee80211_rx_result result = RX_DROP_UNUSABLE;
882
	struct ieee80211_key *sta_ptk = NULL;
883
	int mmie_keyidx = -1;
884
	__le16 fc;
885

886
887
888
	/*
	 * Key selection 101
	 *
889
	 * There are four types of keys:
890
	 *  - GTK (group keys)
891
	 *  - IGTK (group keys for management frames)
892
893
894
895
896
	 *  - PTK (pairwise keys)
	 *  - STK (station-to-station pairwise keys)
	 *
	 * When selecting a key, we have to distinguish between multicast
	 * (including broadcast) and unicast frames, the latter can only
897
898
899
900
	 * use PTKs and STKs while the former always use GTKs and IGTKs.
	 * Unless, of course, actual WEP keys ("pre-RSNA") are used, then
	 * unicast frames can also use key indices like GTKs. Hence, if we
	 * don't have a PTK/STK we check the key index for a WEP key.
901
	 *
902
903
904
905
	 * Note that in a regular BSS, multicast frames are sent by the
	 * AP only, associated stations unicast the frame to the AP first
	 * which then multicasts it on their behalf.
	 *
906
907
	 * There is also a slight problem in IBSS mode: GTKs are negotiated
	 * with each station, that is something we don't currently handle.
908
909
910
	 * The spec seems to expect that one negotiates the same key with
	 * every station but there's no such requirement; VLANs could be
	 * possible.
911
912
913
	 */

	/*
914
	 * No point in finding a key and decrypting if the frame is neither
915
916
	 * addressed to us nor a multicast frame.
	 */
917
	if (!(status->rx_flags & IEEE80211_RX_RA_MATCH))
918
		return RX_CONTINUE;
919

920
921
922
	/* start without a key */
	rx->key = NULL;

923
	if (rx->sta)
924
		sta_ptk = rcu_dereference(rx->sta->ptk);
925

926
927
928
	fc = hdr->frame_control;

	if (!ieee80211_has_protected(fc))
929
930
		mmie_keyidx = ieee80211_get_mmie_keyidx(rx->skb);

931
932
	if (!is_multicast_ether_addr(hdr->addr1) && sta_ptk) {
		rx->key = sta_ptk;
933
934
935
		if ((status->flag & RX_FLAG_DECRYPTED) &&
		    (status->flag & RX_FLAG_IV_STRIPPED))
			return RX_CONTINUE;
936
		/* Skip decryption if the frame is not protected. */
937
		if (!ieee80211_has_protected(fc))
938
			return RX_CONTINUE;
939
940
	} else if (mmie_keyidx >= 0) {
		/* Broadcast/multicast robust management frame / BIP */
Johannes Berg's avatar
Johannes Berg committed
941
942
		if ((status->flag & RX_FLAG_DECRYPTED) &&
		    (status->flag & RX_FLAG_IV_STRIPPED))
943
944
945
946
947
			return RX_CONTINUE;

		if (mmie_keyidx < NUM_DEFAULT_KEYS ||
		    mmie_keyidx >= NUM_DEFAULT_KEYS + NUM_DEFAULT_MGMT_KEYS)
			return RX_DROP_MONITOR; /* unexpected BIP keyidx */
948
949
950
951
		if (rx->sta)
			rx->key = rcu_dereference(rx->sta->gtk[mmie_keyidx]);
		if (!rx->key)
			rx->key = rcu_dereference(rx->sdata->keys[mmie_keyidx]);
952
	} else if (!ieee80211_has_protected(fc)) {
953
954
955
956
957
958
959
		/*
		 * The frame was not protected, so skip decryption. However, we
		 * need to set rx->key if there is a key that could have been
		 * used so that the frame may be dropped if encryption would
		 * have been expected.
		 */
		struct ieee80211_key *key = NULL;
960
961
962
		struct ieee80211_sub_if_data *sdata = rx->sdata;
		int i;

963
		if (ieee80211_is_mgmt(fc) &&
964
965
966
		    is_multicast_ether_addr(hdr->addr1) &&
		    (key = rcu_dereference(rx->sdata->default_mgmt_key)))
			rx->key = key;
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
		else {
			if (rx->sta) {
				for (i = 0; i < NUM_DEFAULT_KEYS; i++) {
					key = rcu_dereference(rx->sta->gtk[i]);
					if (key)
						break;
				}
			}
			if (!key) {
				for (i = 0; i < NUM_DEFAULT_KEYS; i++) {
					key = rcu_dereference(sdata->keys[i]);
					if (key)
						break;
				}
			}
			if (key)
				rx->key = key;
		}
985
		return RX_CONTINUE;
986
	} else {
987
		u8 keyid;
988
989
990
991
992
993
994
995
996
		/*
		 * The device doesn't give us the IV so we won't be
		 * able to look up the key. That's ok though, we
		 * don't need to decrypt the frame, we just won't
		 * be able to keep statistics accurate.
		 * Except for key threshold notifications, should
		 * we somehow allow the driver to tell us which key
		 * the hardware used if this flag is set?
		 */
Johannes Berg's avatar
Johannes Berg committed
997
998
		if ((status->flag & RX_FLAG_DECRYPTED) &&
		    (status->flag & RX_FLAG_IV_STRIPPED))
999
			return RX_CONTINUE;
1000

For faster browsing, not all history is shown. View entire blame