rx.c source code [Linux/net/mac80211/rx.c]

1	// SPDX-License-Identifier: GPL-2.0-only
2	/*
3	* Copyright 2002-2005, Instant802 Networks, Inc.
4	* Copyright 2005-2006, Devicescape Software, Inc.
5	* Copyright 2006-2007 Jiri Benc <jbenc@suse.cz>
6	* Copyright 2007-2010 Johannes Berg <johannes@sipsolutions.net>
7	* Copyright 2013-2014 Intel Mobile Communications GmbH
8	* Copyright(c) 2015 - 2017 Intel Deutschland GmbH
9	* Copyright (C) 2018-2025 Intel Corporation
10	*/
11
12	#include <linux/jiffies.h>
13	#include <linux/slab.h>
14	#include <linux/kernel.h>
15	#include <linux/skbuff.h>
16	#include <linux/netdevice.h>
17	#include <linux/etherdevice.h>
18	#include <linux/rcupdate.h>
19	#include <linux/export.h>
20	#include <linux/kcov.h>
21	#include <linux/bitops.h>
22	#include <kunit/visibility.h>
23	#include <net/mac80211.h>
24	#include <net/ieee80211_radiotap.h>
25	#include <linux/unaligned.h>
26
27	#include "ieee80211_i.h"
28	#include "driver-ops.h"
29	#include "led.h"
30	#include "mesh.h"
31	#include "wep.h"
32	#include "wpa.h"
33	#include "tkip.h"
34	#include "wme.h"
35	#include "rate.h"
36
37	/*
38	* monitor mode reception
39	*
40	* This function cleans up the SKB, i.e. it removes all the stuff
41	* only useful for monitoring.
42	*/
43	static struct sk_buff ieee80211_clean_skb(struct* sk_buff *skb,
44	unsigned int present_fcs_len,
45	unsigned int rtap_space)
46	{
47	struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb);
48	struct ieee80211_hdr *hdr;
49	unsigned int hdrlen;
50	__le16 fc;
51
52	if (present_fcs_len)
53	__pskb_trim(skb, len: skb->len - present_fcs_len);
54	pskb_pull(skb, len: rtap_space);
55
56	/ After pulling radiotap header, clear all flags that indicate*
57	* info in skb->data.
58	*/
59	status->flag &= ~(RX_FLAG_RADIOTAP_TLV_AT_END \|
60	RX_FLAG_RADIOTAP_LSIG \|
61	RX_FLAG_RADIOTAP_HE_MU \|
62	RX_FLAG_RADIOTAP_HE);
63
64	hdr = (void *)skb->data;
65	fc = hdr->frame_control;
66
67	/*
68	* Remove the HT-Control field (if present) on management
69	* frames after we've sent the frame to monitoring. We
70	* (currently) don't need it, and don't properly parse
71	* frames with it present, due to the assumption of a
72	* fixed management header length.
73	*/
74	if (likely(!ieee80211_is_mgmt(fc) \|\| !ieee80211_has_order(fc)))
75	return skb;
76
77	hdrlen = ieee80211_hdrlen(fc);
78	hdr->frame_control &= ~cpu_to_le16(IEEE80211_FCTL_ORDER);
79
80	if (!pskb_may_pull(skb, len: hdrlen)) {
81	dev_kfree_skb(skb);
82	return NULL;
83	}
84
85	memmove(dest: skb->data + IEEE80211_HT_CTL_LEN, src: skb->data,
86	count: hdrlen - IEEE80211_HT_CTL_LEN);
87	pskb_pull(skb, IEEE80211_HT_CTL_LEN);
88
89	return skb;
90	}
91
92	static inline bool should_drop_frame(struct sk_buff skb, int* present_fcs_len,
93	unsigned int rtap_space)
94	{
95	struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb);
96	struct ieee80211_hdr *hdr;
97
98	hdr = (void *)(skb->data + rtap_space);
99
100	if (status->flag & (RX_FLAG_FAILED_FCS_CRC \|
101	RX_FLAG_FAILED_PLCP_CRC \|
102	RX_FLAG_ONLY_MONITOR \|
103	RX_FLAG_NO_PSDU))
104	return true;
105
106	if (unlikely(skb->len < `16` + present_fcs_len + rtap_space))
107	return true;
108
109	if (ieee80211_is_ctl(fc: hdr->frame_control) &&
110	!ieee80211_is_pspoll(fc: hdr->frame_control) &&
111	!ieee80211_is_back_req(fc: hdr->frame_control))
112	return true;
113
114	return false;
115	}
116
117	static int
118	ieee80211_rx_radiotap_hdrlen(struct ieee80211_local *local,
119	struct ieee80211_rx_status *status,
120	struct sk_buff *skb)
121	{
122	int len;
123
124	/ always present fields /
125	len = sizeof(struct ieee80211_radiotap_header) + `8`;
126
127	/ allocate extra bitmaps /
128	if (status->chains)
129	len += `4` * hweight8(status->chains);
130
131	if (ieee80211_have_rx_timestamp(status)) {
132	len = ALIGN(len, `8`);
133	len += `8`;
134	}
135	if (ieee80211_hw_check(&local->hw, SIGNAL_DBM))
136	len += `1`;
137
138	/ antenna field, if we don't have per-chain info /
139	if (!status->chains)
140	len += `1`;
141
142	/ padding for RX_FLAGS if necessary /
143	len = ALIGN(len, `2`);
144
145	if (status->encoding == RX_ENC_HT) / HT info /
146	len += `3`;
147
148	if (status->flag & RX_FLAG_AMPDU_DETAILS) {
149	len = ALIGN(len, `4`);
150	len += `8`;
151	}
152
153	if (status->encoding == RX_ENC_VHT) {
154	len = ALIGN(len, `2`);
155	len += `12`;
156	}
157
158	if (local->hw.radiotap_timestamp.units_pos >= `0`) {
159	len = ALIGN(len, `8`);
160	len += `12`;
161	}
162
163	if (status->encoding == RX_ENC_HE &&
164	status->flag & RX_FLAG_RADIOTAP_HE) {
165	len = ALIGN(len, `2`);
166	len += `12`;
167	BUILD_BUG_ON(sizeof(struct ieee80211_radiotap_he) != `12`);
168	}
169
170	if (status->encoding == RX_ENC_HE &&
171	status->flag & RX_FLAG_RADIOTAP_HE_MU) {
172	len = ALIGN(len, `2`);
173	len += `12`;
174	BUILD_BUG_ON(sizeof(struct ieee80211_radiotap_he_mu) != `12`);
175	}
176
177	if (status->flag & RX_FLAG_NO_PSDU)
178	len += `1`;
179
180	if (status->flag & RX_FLAG_RADIOTAP_LSIG) {
181	len = ALIGN(len, `2`);
182	len += `4`;
183	BUILD_BUG_ON(sizeof(struct ieee80211_radiotap_lsig) != `4`);
184	}
185
186	if (status->chains) {
187	/ antenna and antenna signal fields /
188	len += `2` * hweight8(status->chains);
189	}
190
191	if (status->flag & RX_FLAG_RADIOTAP_TLV_AT_END) {
192	int tlv_offset = `0`;
193
194	/*
195	* The position to look at depends on the existence (or non-
196	* existence) of other elements, so take that into account...
197	*/
198	if (status->flag & RX_FLAG_RADIOTAP_HE)
199	tlv_offset +=
200	sizeof(struct ieee80211_radiotap_he);
201	if (status->flag & RX_FLAG_RADIOTAP_HE_MU)
202	tlv_offset +=
203	sizeof(struct ieee80211_radiotap_he_mu);
204	if (status->flag & RX_FLAG_RADIOTAP_LSIG)
205	tlv_offset +=
206	sizeof(struct ieee80211_radiotap_lsig);
207
208	/ ensure 4 byte alignment for TLV /
209	len = ALIGN(len, `4`);
210
211	/ TLVs until the mac header /
212	len += skb_mac_header(skb) - &skb->data[tlv_offset];
213	}
214
215	return len;
216	}
217
218	static void __ieee80211_queue_skb_to_iface(struct ieee80211_sub_if_data *sdata,
219	int link_id,
220	struct sta_info *sta,
221	struct sk_buff *skb)
222	{
223	struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb);
224
225	if (link_id >= `0`) {
226	status->link_valid = `1`;
227	status->link_id = link_id;
228	} else {
229	status->link_valid = `0`;
230	}
231
232	skb_queue_tail(list: &sdata->skb_queue, newsk: skb);
233	wiphy_work_queue(wiphy: sdata->local->hw.wiphy, work: &sdata->work);
234	if (sta) {
235	struct link_sta_info *link_sta_info;
236
237	if (link_id >= `0`) {
238	link_sta_info = rcu_dereference(sta->link[link_id]);
239	if (!link_sta_info)
240	return;
241	} else {
242	link_sta_info = &sta->deflink;
243	}
244
245	link_sta_info->rx_stats.packets++;
246	}
247	}
248
249	static void ieee80211_queue_skb_to_iface(struct ieee80211_sub_if_data *sdata,
250	int link_id,
251	struct sta_info *sta,
252	struct sk_buff *skb)
253	{
254	skb->protocol = `0`;
255	__ieee80211_queue_skb_to_iface(sdata, link_id, sta, skb);
256	}
257
258	static void ieee80211_handle_mu_mimo_mon(struct ieee80211_sub_if_data *sdata,
259	struct sk_buff *skb,
260	int rtap_space)
261	{
262	struct {
263	struct ieee80211_hdr_3addr hdr;
264	u8 category;
265	u8 action_code;
266	} __packed __aligned(`2`) action;
267
268	if (!sdata)
269	return;
270
271	BUILD_BUG_ON(sizeof(action) != IEEE80211_MIN_ACTION_SIZE + `1`);
272
273	if (skb->len < rtap_space + sizeof(action) +
274	VHT_MUMIMO_GROUPS_DATA_LEN)
275	return;
276
277	if (!is_valid_ether_addr(addr: sdata->u.mntr.mu_follow_addr))
278	return;
279
280	skb_copy_bits(skb, offset: rtap_space, to: &action, len: sizeof(action));
281
282	if (!ieee80211_is_action(fc: action.hdr.frame_control))
283	return;
284
285	if (action.category != WLAN_CATEGORY_VHT)
286	return;
287
288	if (action.action_code != WLAN_VHT_ACTION_GROUPID_MGMT)
289	return;
290
291	if (!ether_addr_equal(addr1: action.hdr.addr1, addr2: sdata->u.mntr.mu_follow_addr))
292	return;
293
294	skb = skb_copy(skb, GFP_ATOMIC);
295	if (!skb)
296	return;
297
298	ieee80211_queue_skb_to_iface(sdata, link_id: -`1`, NULL, skb);
299	}
300
301	/*
302	* ieee80211_add_rx_radiotap_header - add radiotap header
303	*
304	* add a radiotap header containing all the fields which the hardware provided.
305	*/
306	static void
307	ieee80211_add_rx_radiotap_header(struct ieee80211_local *local,
308	struct sk_buff *skb,
309	struct ieee80211_rate *rate,
310	int rtap_len, bool has_fcs)
311	{
312	struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb);
313	struct ieee80211_radiotap_header *rthdr;
314	unsigned char *pos;
315	__le32 *it_present;
316	u32 it_present_val;
317	u16 rx_flags = `0`;
318	u16 channel_flags = `0`;
319	u32 tlvs_len = `0`;
320	int mpdulen, chain;
321	unsigned long chains = status->chains;
322	struct ieee80211_radiotap_he he = {};
323	struct ieee80211_radiotap_he_mu he_mu = {};
324	struct ieee80211_radiotap_lsig lsig = {};
325
326	if (status->flag & RX_FLAG_RADIOTAP_HE) {
327	he = (struct* ieee80211_radiotap_he *)skb->data;
328	skb_pull(skb, len: sizeof(he));
329	WARN_ON_ONCE(status->encoding != RX_ENC_HE);
330	}
331
332	if (status->flag & RX_FLAG_RADIOTAP_HE_MU) {
333	he_mu = (struct* ieee80211_radiotap_he_mu *)skb->data;
334	skb_pull(skb, len: sizeof(he_mu));
335	}
336
337	if (status->flag & RX_FLAG_RADIOTAP_LSIG) {
338	lsig = (struct* ieee80211_radiotap_lsig *)skb->data;
339	skb_pull(skb, len: sizeof(lsig));
340	}
341
342	if (status->flag & RX_FLAG_RADIOTAP_TLV_AT_END) {
343	/ data is pointer at tlv all other info was pulled off /
344	tlvs_len = skb_mac_header(skb) - skb->data;
345	}
346
347	mpdulen = skb->len;
348	if (!(has_fcs && ieee80211_hw_check(&local->hw, RX_INCLUDES_FCS)))
349	mpdulen += FCS_LEN;
350
351	rthdr = skb_push(skb, len: rtap_len - tlvs_len);
352	memset(s: rthdr, c: `0`, n: rtap_len - tlvs_len);
353	it_present = &rthdr->it_present;
354
355	/ radiotap header, set always present flags /
356	rthdr->it_len = cpu_to_le16(rtap_len);
357	it_present_val = BIT(IEEE80211_RADIOTAP_FLAGS) \|
358	BIT(IEEE80211_RADIOTAP_CHANNEL) \|
359	BIT(IEEE80211_RADIOTAP_RX_FLAGS);
360
361	if (!status->chains)
362	it_present_val \|= BIT(IEEE80211_RADIOTAP_ANTENNA);
363
364	for_each_set_bit(chain, &chains, IEEE80211_MAX_CHAINS) {
365	it_present_val \|=
366	BIT(IEEE80211_RADIOTAP_EXT) \|
367	BIT(IEEE80211_RADIOTAP_RADIOTAP_NAMESPACE);
368	put_unaligned_le32(val: it_present_val, p: it_present);
369	it_present++;
370	it_present_val = BIT(IEEE80211_RADIOTAP_ANTENNA) \|
371	BIT(IEEE80211_RADIOTAP_DBM_ANTSIGNAL);
372	}
373
374	if (status->flag & RX_FLAG_RADIOTAP_TLV_AT_END)
375	it_present_val \|= BIT(IEEE80211_RADIOTAP_TLV);
376
377	put_unaligned_le32(val: it_present_val, p: it_present);
378
379	/ This references through an offset into it_optional[] rather*
380	* than via it_present otherwise later uses of pos will cause
381	* the compiler to think we have walked past the end of the
382	* struct member.
383	*/
384	pos = (void *)&rthdr->it_optional[it_present + `1` - rthdr->it_optional];
385
386	/ the order of the following fields is important /
387
388	/ IEEE80211_RADIOTAP_TSFT /
389	if (ieee80211_have_rx_timestamp(status)) {
390	/ padding /
391	while ((pos - (u8 *)rthdr) & `7`)
392	*pos++ = `0`;
393	put_unaligned_le64(
394	val: ieee80211_calculate_rx_timestamp(local, status,
395	mpdu_len: mpdulen, mpdu_offset: `0`),
396	p: pos);
397	rthdr->it_present \|= cpu_to_le32(BIT(IEEE80211_RADIOTAP_TSFT));
398	pos += `8`;
399	}
400
401	/ IEEE80211_RADIOTAP_FLAGS /
402	if (has_fcs && ieee80211_hw_check(&local->hw, RX_INCLUDES_FCS))
403	*pos \|= IEEE80211_RADIOTAP_F_FCS;
404	if (status->flag & (RX_FLAG_FAILED_FCS_CRC \| RX_FLAG_FAILED_PLCP_CRC))
405	*pos \|= IEEE80211_RADIOTAP_F_BADFCS;
406	if (status->enc_flags & RX_ENC_FLAG_SHORTPRE)
407	*pos \|= IEEE80211_RADIOTAP_F_SHORTPRE;
408	pos++;
409
410	/ IEEE80211_RADIOTAP_RATE /
411	if (!rate \|\| status->encoding != RX_ENC_LEGACY) {
412	/*
413	* Without rate information don't add it. If we have,
414	* MCS information is a separate field in radiotap,
415	* added below. The byte here is needed as padding
416	* for the channel though, so initialise it to 0.
417	*/
418	*pos = `0`;
419	} else {
420	int shift = `0`;
421	rthdr->it_present \|= cpu_to_le32(BIT(IEEE80211_RADIOTAP_RATE));
422	if (status->bw == RATE_INFO_BW_10)
423	shift = `1`;
424	else if (status->bw == RATE_INFO_BW_5)
425	shift = `2`;
426	pos = DIV_ROUND_UP(rate->bitrate, `5` (`1` << shift));
427	}
428	pos++;
429
430	/ IEEE80211_RADIOTAP_CHANNEL /
431	/ TODO: frequency offset in KHz /
432	put_unaligned_le16(val: status->freq, p: pos);
433	pos += `2`;
434	if (status->bw == RATE_INFO_BW_10)
435	channel_flags \|= IEEE80211_CHAN_HALF;
436	else if (status->bw == RATE_INFO_BW_5)
437	channel_flags \|= IEEE80211_CHAN_QUARTER;
438
439	if (status->band == NL80211_BAND_5GHZ \|\|
440	status->band == NL80211_BAND_6GHZ)
441	channel_flags \|= IEEE80211_CHAN_OFDM \| IEEE80211_CHAN_5GHZ;
442	else if (status->encoding != RX_ENC_LEGACY)
443	channel_flags \|= IEEE80211_CHAN_DYN \| IEEE80211_CHAN_2GHZ;
444	else if (rate && rate->flags & IEEE80211_RATE_ERP_G)
445	channel_flags \|= IEEE80211_CHAN_OFDM \| IEEE80211_CHAN_2GHZ;
446	else if (rate)
447	channel_flags \|= IEEE80211_CHAN_CCK \| IEEE80211_CHAN_2GHZ;
448	else
449	channel_flags \|= IEEE80211_CHAN_2GHZ;
450	put_unaligned_le16(val: channel_flags, p: pos);
451	pos += `2`;
452
453	/ IEEE80211_RADIOTAP_DBM_ANTSIGNAL /
454	if (ieee80211_hw_check(&local->hw, SIGNAL_DBM) &&
455	!(status->flag & RX_FLAG_NO_SIGNAL_VAL)) {
456	*pos = status->signal;
457	rthdr->it_present \|=
458	cpu_to_le32(BIT(IEEE80211_RADIOTAP_DBM_ANTSIGNAL));
459	pos++;
460	}
461
462	/ IEEE80211_RADIOTAP_LOCK_QUALITY is missing /
463
464	if (!status->chains) {
465	/ IEEE80211_RADIOTAP_ANTENNA /
466	*pos = status->antenna;
467	pos++;
468	}
469
470	/ IEEE80211_RADIOTAP_DB_ANTNOISE is not used /
471
472	/ IEEE80211_RADIOTAP_RX_FLAGS /
473	/ ensure 2 byte alignment for the 2 byte field as required /
474	if ((pos - (u8 *)rthdr) & `1`)
475	*pos++ = `0`;
476	if (status->flag & RX_FLAG_FAILED_PLCP_CRC)
477	rx_flags \|= IEEE80211_RADIOTAP_F_RX_BADPLCP;
478	put_unaligned_le16(val: rx_flags, p: pos);
479	pos += `2`;
480
481	if (status->encoding == RX_ENC_HT) {
482	unsigned int stbc;
483
484	rthdr->it_present \|= cpu_to_le32(BIT(IEEE80211_RADIOTAP_MCS));
485	*pos = local->hw.radiotap_mcs_details;
486	if (status->enc_flags & RX_ENC_FLAG_HT_GF)
487	*pos \|= IEEE80211_RADIOTAP_MCS_HAVE_FMT;
488	if (status->enc_flags & RX_ENC_FLAG_LDPC)
489	*pos \|= IEEE80211_RADIOTAP_MCS_HAVE_FEC;
490	pos++;
491	*pos = `0`;
492	if (status->enc_flags & RX_ENC_FLAG_SHORT_GI)
493	*pos \|= IEEE80211_RADIOTAP_MCS_SGI;
494	if (status->bw == RATE_INFO_BW_40)
495	*pos \|= IEEE80211_RADIOTAP_MCS_BW_40;
496	if (status->enc_flags & RX_ENC_FLAG_HT_GF)
497	*pos \|= IEEE80211_RADIOTAP_MCS_FMT_GF;
498	if (status->enc_flags & RX_ENC_FLAG_LDPC)
499	*pos \|= IEEE80211_RADIOTAP_MCS_FEC_LDPC;
500	stbc = (status->enc_flags & RX_ENC_FLAG_STBC_MASK) >> RX_ENC_FLAG_STBC_SHIFT;
501	*pos \|= stbc << IEEE80211_RADIOTAP_MCS_STBC_SHIFT;
502	pos++;
503	*pos++ = status->rate_idx;
504	}
505
506	if (status->flag & RX_FLAG_AMPDU_DETAILS) {
507	u16 flags = `0`;
508
509	/ ensure 4 byte alignment /
510	while ((pos - (u8 *)rthdr) & `3`)
511	pos++;
512	rthdr->it_present \|=
513	cpu_to_le32(BIT(IEEE80211_RADIOTAP_AMPDU_STATUS));
514	put_unaligned_le32(val: status->ampdu_reference, p: pos);
515	pos += `4`;
516	if (status->flag & RX_FLAG_AMPDU_LAST_KNOWN)
517	flags \|= IEEE80211_RADIOTAP_AMPDU_LAST_KNOWN;
518	if (status->flag & RX_FLAG_AMPDU_IS_LAST)
519	flags \|= IEEE80211_RADIOTAP_AMPDU_IS_LAST;
520	if (status->flag & RX_FLAG_AMPDU_DELIM_CRC_ERROR)
521	flags \|= IEEE80211_RADIOTAP_AMPDU_DELIM_CRC_ERR;
522	if (status->flag & RX_FLAG_AMPDU_EOF_BIT_KNOWN)
523	flags \|= IEEE80211_RADIOTAP_AMPDU_EOF_KNOWN;
524	if (status->flag & RX_FLAG_AMPDU_EOF_BIT)
525	flags \|= IEEE80211_RADIOTAP_AMPDU_EOF;
526	put_unaligned_le16(val: flags, p: pos);
527	pos += `2`;
528	*pos++ = `0`;
529	*pos++ = `0`;
530	}
531
532	if (status->encoding == RX_ENC_VHT) {
533	u16 known = local->hw.radiotap_vht_details;
534
535	rthdr->it_present \|= cpu_to_le32(BIT(IEEE80211_RADIOTAP_VHT));
536	put_unaligned_le16(val: known, p: pos);
537	pos += `2`;
538	/ flags /
539	if (status->enc_flags & RX_ENC_FLAG_SHORT_GI)
540	*pos \|= IEEE80211_RADIOTAP_VHT_FLAG_SGI;
541	/ in VHT, STBC is binary /
542	if (status->enc_flags & RX_ENC_FLAG_STBC_MASK)
543	*pos \|= IEEE80211_RADIOTAP_VHT_FLAG_STBC;
544	if (status->enc_flags & RX_ENC_FLAG_BF)
545	*pos \|= IEEE80211_RADIOTAP_VHT_FLAG_BEAMFORMED;
546	pos++;
547	/ bandwidth /
548	switch (status->bw) {
549	case RATE_INFO_BW_80:
550	*pos++ = `4`;
551	break;
552	case RATE_INFO_BW_160:
553	*pos++ = `11`;
554	break;
555	case RATE_INFO_BW_40:
556	*pos++ = `1`;
557	break;
558	default:
559	*pos++ = `0`;
560	}
561	/ MCS/NSS /
562	*pos = (status->rate_idx << `4`) \| status->nss;
563	pos += `4`;
564	/ coding field /
565	if (status->enc_flags & RX_ENC_FLAG_LDPC)
566	*pos \|= IEEE80211_RADIOTAP_CODING_LDPC_USER0;
567	pos++;
568	/ group ID /
569	pos++;
570	/ partial_aid /
571	pos += `2`;
572	}
573
574	if (local->hw.radiotap_timestamp.units_pos >= `0`) {
575	u16 accuracy = `0`;
576	u8 flags;
577	u64 ts;
578
579	rthdr->it_present \|=
580	cpu_to_le32(BIT(IEEE80211_RADIOTAP_TIMESTAMP));
581
582	/ ensure 8 byte alignment /
583	while ((pos - (u8 *)rthdr) & `7`)
584	pos++;
585
586	if (status->flag & RX_FLAG_MACTIME_IS_RTAP_TS64) {
587	flags = IEEE80211_RADIOTAP_TIMESTAMP_FLAG_64BIT;
588	ts = status->mactime;
589	} else {
590	flags = IEEE80211_RADIOTAP_TIMESTAMP_FLAG_32BIT;
591	ts = status->device_timestamp;
592	}
593
594	put_unaligned_le64(val: ts, p: pos);
595	pos += sizeof(u64);
596
597	if (local->hw.radiotap_timestamp.accuracy >= `0`) {
598	accuracy = local->hw.radiotap_timestamp.accuracy;
599	flags \|= IEEE80211_RADIOTAP_TIMESTAMP_FLAG_ACCURACY;
600	}
601	put_unaligned_le16(val: accuracy, p: pos);
602	pos += sizeof(u16);
603
604	*pos++ = local->hw.radiotap_timestamp.units_pos;
605	*pos++ = flags;
606	}
607
608	if (status->encoding == RX_ENC_HE &&
609	status->flag & RX_FLAG_RADIOTAP_HE) {
610	#define HE_PREP(f, val) le16_encode_bits(val, IEEE80211_RADIOTAP_HE_##f)
611
612	if (status->enc_flags & RX_ENC_FLAG_STBC_MASK) {
613	he.data6 \|= HE_PREP(DATA6_NSTS,
614	FIELD_GET(RX_ENC_FLAG_STBC_MASK,
615	status->enc_flags));
616	he.data3 \|= HE_PREP(DATA3_STBC, `1`);
617	} else {
618	he.data6 \|= HE_PREP(DATA6_NSTS, status->nss);
619	}
620
621	#define CHECK_GI(s) \
622	BUILD_BUG_ON(IEEE80211_RADIOTAP_HE_DATA5_GI_##s != \
623	(int)NL80211_RATE_INFO_HE_GI_##s)
624
625	CHECK_GI(`0_8`);
626	CHECK_GI(`1_6`);
627	CHECK_GI(`3_2`);
628
629	he.data3 \|= HE_PREP(DATA3_DATA_MCS, status->rate_idx);
630	he.data3 \|= HE_PREP(DATA3_DATA_DCM, status->he_dcm);
631	he.data3 \|= HE_PREP(DATA3_CODING,
632	!!(status->enc_flags & RX_ENC_FLAG_LDPC));
633
634	he.data5 \|= HE_PREP(DATA5_GI, status->he_gi);
635
636	switch (status->bw) {
637	case RATE_INFO_BW_20:
638	he.data5 \|= HE_PREP(DATA5_DATA_BW_RU_ALLOC,
639	IEEE80211_RADIOTAP_HE_DATA5_DATA_BW_RU_ALLOC_20MHZ);
640	break;
641	case RATE_INFO_BW_40:
642	he.data5 \|= HE_PREP(DATA5_DATA_BW_RU_ALLOC,
643	IEEE80211_RADIOTAP_HE_DATA5_DATA_BW_RU_ALLOC_40MHZ);
644	break;
645	case RATE_INFO_BW_80:
646	he.data5 \|= HE_PREP(DATA5_DATA_BW_RU_ALLOC,
647	IEEE80211_RADIOTAP_HE_DATA5_DATA_BW_RU_ALLOC_80MHZ);
648	break;
649	case RATE_INFO_BW_160:
650	he.data5 \|= HE_PREP(DATA5_DATA_BW_RU_ALLOC,
651	IEEE80211_RADIOTAP_HE_DATA5_DATA_BW_RU_ALLOC_160MHZ);
652	break;
653	case RATE_INFO_BW_HE_RU:
654	#define CHECK_RU_ALLOC(s) \
655	BUILD_BUG_ON(IEEE80211_RADIOTAP_HE_DATA5_DATA_BW_RU_ALLOC_##s##T != \
656	NL80211_RATE_INFO_HE_RU_ALLOC_##s + 4)
657
658	CHECK_RU_ALLOC(`26`);
659	CHECK_RU_ALLOC(`52`);
660	CHECK_RU_ALLOC(`106`);
661	CHECK_RU_ALLOC(`242`);
662	CHECK_RU_ALLOC(`484`);
663	CHECK_RU_ALLOC(`996`);
664	CHECK_RU_ALLOC(`2x996`);
665
666	he.data5 \|= HE_PREP(DATA5_DATA_BW_RU_ALLOC,
667	status->he_ru + `4`);
668	break;
669	default:
670	WARN_ONCE(`1`, "Invalid SU BW %d\n", status->bw);
671	}
672
673	/ ensure 2 byte alignment /
674	while ((pos - (u8 *)rthdr) & `1`)
675	pos++;
676	rthdr->it_present \|= cpu_to_le32(BIT(IEEE80211_RADIOTAP_HE));
677	memcpy(to: pos, from: &he, len: sizeof(he));
678	pos += sizeof(he);
679	}
680
681	if (status->encoding == RX_ENC_HE &&
682	status->flag & RX_FLAG_RADIOTAP_HE_MU) {
683	/ ensure 2 byte alignment /
684	while ((pos - (u8 *)rthdr) & `1`)
685	pos++;
686	rthdr->it_present \|= cpu_to_le32(BIT(IEEE80211_RADIOTAP_HE_MU));
687	memcpy(to: pos, from: &he_mu, len: sizeof(he_mu));
688	pos += sizeof(he_mu);
689	}
690
691	if (status->flag & RX_FLAG_NO_PSDU) {
692	rthdr->it_present \|=
693	cpu_to_le32(BIT(IEEE80211_RADIOTAP_ZERO_LEN_PSDU));
694	*pos++ = status->zero_length_psdu_type;
695	}
696
697	if (status->flag & RX_FLAG_RADIOTAP_LSIG) {
698	/ ensure 2 byte alignment /
699	while ((pos - (u8 *)rthdr) & `1`)
700	pos++;
701	rthdr->it_present \|= cpu_to_le32(BIT(IEEE80211_RADIOTAP_LSIG));
702	memcpy(to: pos, from: &lsig, len: sizeof(lsig));
703	pos += sizeof(lsig);
704	}
705
706	for_each_set_bit(chain, &chains, IEEE80211_MAX_CHAINS) {
707	*pos++ = status->chain_signal[chain];
708	*pos++ = chain;
709	}
710	}
711
712	static struct sk_buff *
713	ieee80211_make_monitor_skb(struct ieee80211_local *local,
714	struct sk_buff **origskb,
715	struct ieee80211_rate *rate,
716	int rtap_space, bool use_origskb)
717	{
718	struct ieee80211_rx_status status = IEEE80211_SKB_RXCB(skb: origskb);
719	int rt_hdrlen, needed_headroom;
720	struct sk_buff *skb;
721
722	/ room for the radiotap header based on driver features /
723	rt_hdrlen = ieee80211_rx_radiotap_hdrlen(local, status, skb: *origskb);
724	needed_headroom = rt_hdrlen - rtap_space;
725
726	if (use_origskb) {
727	/ only need to expand headroom if necessary /
728	skb = *origskb;
729	*origskb = NULL;
730
731	/*
732	* This shouldn't trigger often because most devices have an
733	* RX header they pull before we get here, and that should
734	* be big enough for our radiotap information. We should
735	* probably export the length to drivers so that we can have
736	* them allocate enough headroom to start with.
737	*/
738	if (skb_headroom(skb) < needed_headroom &&
739	pskb_expand_head(skb, nhead: needed_headroom, ntail: `0`, GFP_ATOMIC)) {
740	dev_kfree_skb(skb);
741	return NULL;
742	}
743	} else {
744	/*
745	* Need to make a copy and possibly remove radiotap header
746	* and FCS from the original.
747	*/
748	skb = skb_copy_expand(skb: *origskb, newheadroom: needed_headroom + NET_SKB_PAD,
749	newtailroom: `0`, GFP_ATOMIC);
750
751	if (!skb)
752	return NULL;
753	}
754
755	/ prepend radiotap information /
756	ieee80211_add_rx_radiotap_header(local, skb, rate, rtap_len: rt_hdrlen, has_fcs: true);
757
758	skb_reset_mac_header(skb);
759	skb->ip_summed = CHECKSUM_UNNECESSARY;
760	skb->pkt_type = PACKET_OTHERHOST;
761	skb->protocol = htons(ETH_P_802_2);
762
763	return skb;
764	}
765
766	/*
767	* This function copies a received frame to all monitor interfaces and
768	* returns a cleaned-up SKB that no longer includes the FCS nor the
769	* radiotap header the driver might have added.
770	*/
771	static struct sk_buff *
772	ieee80211_rx_monitor(struct ieee80211_local local, struct* sk_buff *origskb,
773	struct ieee80211_rate *rate)
774	{
775	struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb: origskb);
776	struct ieee80211_sub_if_data sdata, prev_sdata = NULL;
777	struct sk_buff skb, monskb = NULL;
778	int present_fcs_len = `0`;
779	unsigned int rtap_space = `0`;
780	struct ieee80211_sub_if_data *monitor_sdata =
781	rcu_dereference(local->monitor_sdata);
782	bool only_monitor = false;
783	unsigned int min_head_len;
784
785	if (WARN_ON_ONCE(status->flag & RX_FLAG_RADIOTAP_TLV_AT_END &&
786	!skb_mac_header_was_set(origskb))) {
787	/ with this skb no way to know where frame payload starts /
788	dev_kfree_skb(origskb);
789	return NULL;
790	}
791
792	if (status->flag & RX_FLAG_RADIOTAP_HE)
793	rtap_space += sizeof(struct ieee80211_radiotap_he);
794
795	if (status->flag & RX_FLAG_RADIOTAP_HE_MU)
796	rtap_space += sizeof(struct ieee80211_radiotap_he_mu);
797
798	if (status->flag & RX_FLAG_RADIOTAP_LSIG)
799	rtap_space += sizeof(struct ieee80211_radiotap_lsig);
800
801	if (status->flag & RX_FLAG_RADIOTAP_TLV_AT_END)
802	rtap_space += skb_mac_header(skb: origskb) - &origskb->data[rtap_space];
803
804	min_head_len = rtap_space;
805
806	/*
807	* First, we may need to make a copy of the skb because
808	* (1) we need to modify it for radiotap (if not present), and
809	* (2) the other RX handlers will modify the skb we got.
810	*
811	* We don't need to, of course, if we aren't going to return
812	* the SKB because it has a bad FCS/PLCP checksum.
813	*/
814
815	if (!(status->flag & RX_FLAG_NO_PSDU)) {
816	if (ieee80211_hw_check(&local->hw, RX_INCLUDES_FCS)) {
817	if (unlikely(origskb->len <= FCS_LEN + rtap_space)) {
818	/ driver bug /
819	WARN_ON(`1`);
820	dev_kfree_skb(origskb);
821	return NULL;
822	}
823	present_fcs_len = FCS_LEN;
824	}
825
826	/ also consider the hdr->frame_control /
827	min_head_len += `2`;
828	}
829
830	/ ensure that the expected data elements are in skb head /
831	if (!pskb_may_pull(skb: origskb, len: min_head_len)) {
832	dev_kfree_skb(origskb);
833	return NULL;
834	}
835
836	only_monitor = should_drop_frame(skb: origskb, present_fcs_len, rtap_space);
837
838	if (!local->monitors \|\| (status->flag & RX_FLAG_SKIP_MONITOR)) {
839	if (only_monitor) {
840	dev_kfree_skb(origskb);
841	return NULL;
842	}
843
844	return ieee80211_clean_skb(skb: origskb, present_fcs_len,
845	rtap_space);
846	}
847
848	ieee80211_handle_mu_mimo_mon(sdata: monitor_sdata, skb: origskb, rtap_space);
849
850	list_for_each_entry_rcu(sdata, &local->mon_list, u.mntr.list) {
851	struct cfg80211_chan_def *chandef;
852
853	chandef = &sdata->vif.bss_conf.chanreq.oper;
854	if (chandef->chan &&
855	chandef->chan->center_freq != status->freq)
856	continue;
857
858	if (!prev_sdata) {
859	prev_sdata = sdata;
860	continue;
861	}
862
863	if (ieee80211_hw_check(&local->hw, NO_VIRTUAL_MONITOR))
864	ieee80211_handle_mu_mimo_mon(sdata, skb: origskb, rtap_space);
865
866	if (!monskb)
867	monskb = ieee80211_make_monitor_skb(local, origskb: &origskb,
868	rate, rtap_space,
869	use_origskb: false);
870	if (!monskb)
871	continue;
872
873	skb = skb_clone(skb: monskb, GFP_ATOMIC);
874	if (!skb)
875	continue;
876
877	skb->dev = prev_sdata->dev;
878	dev_sw_netstats_rx_add(dev: skb->dev, len: skb->len);
879	netif_receive_skb(skb);
880	prev_sdata = sdata;
881	}
882
883	if (prev_sdata) {
884	if (monskb)
885	skb = monskb;
886	else
887	skb = ieee80211_make_monitor_skb(local, origskb: &origskb,
888	rate, rtap_space,
889	use_origskb: only_monitor);
890	if (skb) {
891	skb->dev = prev_sdata->dev;
892	dev_sw_netstats_rx_add(dev: skb->dev, len: skb->len);
893	netif_receive_skb(skb);
894	}
895	}
896
897	if (!origskb)
898	return NULL;
899
900	return ieee80211_clean_skb(skb: origskb, present_fcs_len, rtap_space);
901	}
902
903	static void ieee80211_parse_qos(struct ieee80211_rx_data *rx)
904	{
905	struct ieee80211_hdr hdr = (struct* ieee80211_hdr *)rx->skb->data;
906	struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb: rx->skb);
907	int tid, seqno_idx, security_idx;
908
909	/ does the frame have a qos control field? /
910	if (ieee80211_is_data_qos(fc: hdr->frame_control)) {
911	u8 *qc = ieee80211_get_qos_ctl(hdr);
912	/ frame has qos control /
913	tid = *qc & IEEE80211_QOS_CTL_TID_MASK;
914	if (*qc & IEEE80211_QOS_CTL_A_MSDU_PRESENT)
915	status->rx_flags \|= IEEE80211_RX_AMSDU;
916
917	seqno_idx = tid;
918	security_idx = tid;
919	} else {
920	/*
921	* IEEE 802.11-2007, 7.1.3.4.1 ("Sequence Number field"):
922	*
923	* Sequence numbers for management frames, QoS data
924	* frames with a broadcast/multicast address in the
925	* Address 1 field, and all non-QoS data frames sent
926	* by QoS STAs are assigned using an additional single
927	* modulo-4096 counter, [...]
928	*
929	* We also use that counter for non-QoS STAs.
930	*/
931	seqno_idx = IEEE80211_NUM_TIDS;
932	security_idx = `0`;
933	if (ieee80211_is_mgmt(fc: hdr->frame_control))
934	security_idx = IEEE80211_NUM_TIDS;
935	tid = `0`;
936	}
937
938	rx->seqno_idx = seqno_idx;
939	rx->security_idx = security_idx;
940	/ Set skb->priority to 1d tag if highest order bit of TID is not set.*
941	* For now, set skb->priority to 0 for other cases. */
942	rx->skb->priority = (tid > `7`) ? `0` : tid;
943	}
944
945	/**
946	* DOC: Packet alignment
947	*
948	* Drivers always need to pass packets that are aligned to two-byte boundaries
949	* to the stack.
950	*
951	* Additionally, they should, if possible, align the payload data in a way that
952	* guarantees that the contained IP header is aligned to a four-byte
953	* boundary. In the case of regular frames, this simply means aligning the
954	* payload to a four-byte boundary (because either the IP header is directly
955	* contained, or IV/RFC1042 headers that have a length divisible by four are
956	* in front of it). If the payload data is not properly aligned and the
957	* architecture doesn't support efficient unaligned operations, mac80211
958	* will align the data.
959	*
960	* With A-MSDU frames, however, the payload data address must yield two modulo
961	* four because there are 14-byte 802.3 headers within the A-MSDU frames that
962	* push the IP header further back to a multiple of four again. Thankfully, the
963	* specs were sane enough this time around to require padding each A-MSDU
964	* subframe to a length that is a multiple of four.
965	*
966	* Padding like Atheros hardware adds which is between the 802.11 header and
967	* the payload is not supported; the driver is required to move the 802.11
968	* header to be directly in front of the payload in that case.
969	*/
970	static void ieee80211_verify_alignment(struct ieee80211_rx_data *rx)
971	{
972	#ifdef CONFIG_MAC80211_VERBOSE_DEBUG
973	WARN_ON_ONCE((unsigned long)rx->skb->data & `1`);
974	#endif
975	}
976
977
978	/ rx handlers /
979
980	static int ieee80211_is_unicast_robust_mgmt_frame(struct sk_buff *skb)
981	{
982	struct ieee80211_hdr hdr = (struct* ieee80211_hdr *) skb->data;
983
984	if (is_multicast_ether_addr(addr: hdr->addr1))
985	return `0`;
986
987	return ieee80211_is_robust_mgmt_frame(skb);
988	}
989
990
991	static int ieee80211_is_multicast_robust_mgmt_frame(struct sk_buff *skb)
992	{
993	struct ieee80211_hdr hdr = (struct* ieee80211_hdr *) skb->data;
994
995	if (!is_multicast_ether_addr(addr: hdr->addr1))
996	return `0`;
997
998	return ieee80211_is_robust_mgmt_frame(skb);
999	}
1000
1001
1002	/ Get the BIP key index from MMIE; return -1 if this is not a BIP frame /
1003	static int ieee80211_get_mmie_keyidx(struct sk_buff *skb)
1004	{
1005	struct ieee80211_mgmt hdr = (struct* ieee80211_mgmt *) skb->data;
1006	struct ieee80211_mmie *mmie;
1007	struct ieee80211_mmie_16 *mmie16;
1008
1009	if (skb->len < `24` + sizeof(*mmie) \|\| !is_multicast_ether_addr(addr: hdr->da))
1010	return -`1`;
1011
1012	if (!ieee80211_is_robust_mgmt_frame(skb) &&
1013	!ieee80211_is_beacon(fc: hdr->frame_control))
1014	return -`1`; / not a robust management frame /
1015
1016	mmie = (struct ieee80211_mmie *)
1017	(skb->data + skb->len - sizeof(*mmie));
1018	if (mmie->element_id == WLAN_EID_MMIE &&
1019	mmie->length == sizeof(*mmie) - `2`)
1020	return le16_to_cpu(mmie->key_id);
1021
1022	mmie16 = (struct ieee80211_mmie_16 *)
1023	(skb->data + skb->len - sizeof(*mmie16));
1024	if (skb->len >= `24` + sizeof(*mmie16) &&
1025	mmie16->element_id == WLAN_EID_MMIE &&
1026	mmie16->length == sizeof(*mmie16) - `2`)
1027	return le16_to_cpu(mmie16->key_id);
1028
1029	return -`1`;
1030	}
1031
1032	static int ieee80211_get_keyid(struct sk_buff *skb)
1033	{
1034	struct ieee80211_hdr hdr = (struct* ieee80211_hdr *)skb->data;
1035	__le16 fc = hdr->frame_control;
1036	int hdrlen = ieee80211_hdrlen(fc);
1037	u8 keyid;
1038
1039	/ WEP, TKIP, CCMP and GCMP /
1040	if (unlikely(skb->len < hdrlen + IEEE80211_WEP_IV_LEN))
1041	return -EINVAL;
1042
1043	skb_copy_bits(skb, offset: hdrlen + `3`, to: &keyid, len: `1`);
1044
1045	keyid >>= `6`;
1046
1047	return keyid;
1048	}
1049
1050	static ieee80211_rx_result ieee80211_rx_mesh_check(struct ieee80211_rx_data *rx)
1051	{
1052	struct ieee80211_hdr hdr = (struct* ieee80211_hdr *)rx->skb->data;
1053	char *dev_addr = rx->sdata->vif.addr;
1054
1055	if (ieee80211_is_data(fc: hdr->frame_control)) {
1056	if (is_multicast_ether_addr(addr: hdr->addr1)) {
1057	if (ieee80211_has_tods(fc: hdr->frame_control) \|\|
1058	!ieee80211_has_fromds(fc: hdr->frame_control))
1059	return RX_DROP;
1060	if (ether_addr_equal(addr1: hdr->addr3, addr2: dev_addr))
1061	return RX_DROP;
1062	} else {
1063	if (!ieee80211_has_a4(fc: hdr->frame_control))
1064	return RX_DROP;
1065	if (ether_addr_equal(addr1: hdr->addr4, addr2: dev_addr))
1066	return RX_DROP;
1067	}
1068	}
1069
1070	/ If there is not an established peer link and this is not a peer link*
1071	* establisment frame, beacon or probe, drop the frame.
1072	*/
1073
1074	if (!rx->sta \|\| sta_plink_state(sta: rx->sta) != NL80211_PLINK_ESTAB) {
1075	struct ieee80211_mgmt *mgmt;
1076
1077	if (!ieee80211_is_mgmt(fc: hdr->frame_control))
1078	return RX_DROP;
1079
1080	if (ieee80211_is_action(fc: hdr->frame_control)) {
1081	u8 category;
1082
1083	/ make sure category field is present /
1084	if (rx->skb->len < IEEE80211_MIN_ACTION_SIZE)
1085	return RX_DROP;
1086
1087	mgmt = (struct ieee80211_mgmt *)hdr;
1088	category = mgmt->u.action.category;
1089	if (category != WLAN_CATEGORY_MESH_ACTION &&
1090	category != WLAN_CATEGORY_SELF_PROTECTED)
1091	return RX_DROP;
1092	return RX_CONTINUE;
1093	}
1094
1095	if (ieee80211_is_probe_req(fc: hdr->frame_control) \|\|
1096	ieee80211_is_probe_resp(fc: hdr->frame_control) \|\|
1097	ieee80211_is_beacon(fc: hdr->frame_control) \|\|
1098	ieee80211_is_auth(fc: hdr->frame_control))
1099	return RX_CONTINUE;
1100
1101	return RX_DROP;
1102	}
1103
1104	return RX_CONTINUE;
1105	}
1106
1107	static inline bool ieee80211_rx_reorder_ready(struct tid_ampdu_rx *tid_agg_rx,
1108	int index)
1109	{
1110	struct sk_buff_head *frames = &tid_agg_rx->reorder_buf[index];
1111	struct sk_buff *tail = skb_peek_tail(list_: frames);
1112	struct ieee80211_rx_status *status;
1113
1114	if (tid_agg_rx->reorder_buf_filtered &&
1115	tid_agg_rx->reorder_buf_filtered & BIT_ULL(index))
1116	return true;
1117
1118	if (!tail)
1119	return false;
1120
1121	status = IEEE80211_SKB_RXCB(skb: tail);
1122	if (status->flag & RX_FLAG_AMSDU_MORE)
1123	return false;
1124
1125	return true;
1126	}
1127
1128	static void ieee80211_release_reorder_frame(struct ieee80211_sub_if_data *sdata,
1129	struct tid_ampdu_rx *tid_agg_rx,
1130	int index,
1131	struct sk_buff_head *frames)
1132	{
1133	struct sk_buff_head *skb_list = &tid_agg_rx->reorder_buf[index];
1134	struct sk_buff *skb;
1135	struct ieee80211_rx_status *status;
1136
1137	lockdep_assert_held(&tid_agg_rx->reorder_lock);
1138
1139	if (skb_queue_empty(list: skb_list))
1140	goto no_frame;
1141
1142	if (!ieee80211_rx_reorder_ready(tid_agg_rx, index)) {
1143	__skb_queue_purge(list: skb_list);
1144	goto no_frame;
1145	}
1146
1147	/ release frames from the reorder ring buffer /
1148	tid_agg_rx->stored_mpdu_num--;
1149	while ((skb = __skb_dequeue(list: skb_list))) {
1150	status = IEEE80211_SKB_RXCB(skb);
1151	status->rx_flags \|= IEEE80211_RX_DEFERRED_RELEASE;
1152	__skb_queue_tail(list: frames, newsk: skb);
1153	}
1154
1155	no_frame:
1156	if (tid_agg_rx->reorder_buf_filtered)
1157	tid_agg_rx->reorder_buf_filtered &= ~BIT_ULL(index);
1158	tid_agg_rx->head_seq_num = ieee80211_sn_inc(sn: tid_agg_rx->head_seq_num);
1159	}
1160
1161	static void ieee80211_release_reorder_frames(struct ieee80211_sub_if_data *sdata,
1162	struct tid_ampdu_rx *tid_agg_rx,
1163	u16 head_seq_num,
1164	struct sk_buff_head *frames)
1165	{
1166	int index;
1167
1168	lockdep_assert_held(&tid_agg_rx->reorder_lock);
1169
1170	while (ieee80211_sn_less(sn1: tid_agg_rx->head_seq_num, sn2: head_seq_num)) {
1171	index = tid_agg_rx->head_seq_num % tid_agg_rx->buf_size;
1172	ieee80211_release_reorder_frame(sdata, tid_agg_rx, index,
1173	frames);
1174	}
1175	}
1176
1177	/*
1178	* Timeout (in jiffies) for skb's that are waiting in the RX reorder buffer. If
1179	* the skb was added to the buffer longer than this time ago, the earlier
1180	* frames that have not yet been received are assumed to be lost and the skb
1181	* can be released for processing. This may also release other skb's from the
1182	* reorder buffer if there are no additional gaps between the frames.
1183	*
1184	* Callers must hold tid_agg_rx->reorder_lock.
1185	*/
1186	#define HT_RX_REORDER_BUF_TIMEOUT (HZ / 10)
1187
1188	static void ieee80211_sta_reorder_release(struct ieee80211_sub_if_data *sdata,
1189	struct tid_ampdu_rx *tid_agg_rx,
1190	struct sk_buff_head *frames)
1191	{
1192	int index, i, j;
1193
1194	lockdep_assert_held(&tid_agg_rx->reorder_lock);
1195
1196	/ release the buffer until next missing frame /
1197	index = tid_agg_rx->head_seq_num % tid_agg_rx->buf_size;
1198	if (!ieee80211_rx_reorder_ready(tid_agg_rx, index) &&
1199	tid_agg_rx->stored_mpdu_num) {
1200	/*
1201	* No buffers ready to be released, but check whether any
1202	* frames in the reorder buffer have timed out.
1203	*/
1204	int skipped = `1`;
1205	for (j = (index + `1`) % tid_agg_rx->buf_size; j != index;
1206	j = (j + `1`) % tid_agg_rx->buf_size) {
1207	if (!ieee80211_rx_reorder_ready(tid_agg_rx, index: j)) {
1208	skipped++;
1209	continue;
1210	}
1211	if (skipped &&
1212	!time_after(jiffies, tid_agg_rx->reorder_time[j] +
1213	HT_RX_REORDER_BUF_TIMEOUT))
1214	goto set_release_timer;
1215
1216	/ don't leave incomplete A-MSDUs around /
1217	for (i = (index + `1`) % tid_agg_rx->buf_size; i != j;
1218	i = (i + `1`) % tid_agg_rx->buf_size)
1219	__skb_queue_purge(list: &tid_agg_rx->reorder_buf[i]);
1220
1221	ht_dbg_ratelimited(sdata,
1222	"release an RX reorder frame due to timeout on earlier frames\n");
1223	ieee80211_release_reorder_frame(sdata, tid_agg_rx, index: j,
1224	frames);
1225
1226	/*
1227	* Increment the head seq# also for the skipped slots.
1228	*/
1229	tid_agg_rx->head_seq_num =
1230	(tid_agg_rx->head_seq_num +
1231	skipped) & IEEE80211_SN_MASK;
1232	skipped = `0`;
1233	}
1234	} else while (ieee80211_rx_reorder_ready(tid_agg_rx, index)) {
1235	ieee80211_release_reorder_frame(sdata, tid_agg_rx, index,
1236	frames);
1237	index = tid_agg_rx->head_seq_num % tid_agg_rx->buf_size;
1238	}
1239
1240	if (tid_agg_rx->stored_mpdu_num) {
1241	j = index = tid_agg_rx->head_seq_num % tid_agg_rx->buf_size;
1242
1243	for (; j != (index - `1`) % tid_agg_rx->buf_size;
1244	j = (j + `1`) % tid_agg_rx->buf_size) {
1245	if (ieee80211_rx_reorder_ready(tid_agg_rx, index: j))
1246	break;
1247	}
1248
1249	set_release_timer:
1250
1251	if (!tid_agg_rx->removed)
1252	mod_timer(timer: &tid_agg_rx->reorder_timer,
1253	expires: tid_agg_rx->reorder_time[j] + `1` +
1254	HT_RX_REORDER_BUF_TIMEOUT);
1255	} else {
1256	timer_delete(timer: &tid_agg_rx->reorder_timer);
1257	}
1258	}
1259
1260	/*
1261	* As this function belongs to the RX path it must be under
1262	* rcu_read_lock protection. It returns false if the frame
1263	* can be processed immediately, true if it was consumed.
1264	*/
1265	static bool ieee80211_sta_manage_reorder_buf(struct ieee80211_sub_if_data *sdata,
1266	struct tid_ampdu_rx *tid_agg_rx,
1267	struct sk_buff *skb,
1268	struct sk_buff_head *frames)
1269	{
1270	struct ieee80211_hdr hdr = (struct* ieee80211_hdr *) skb->data;
1271	struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb);
1272	u16 mpdu_seq_num = ieee80211_get_sn(hdr);
1273	u16 head_seq_num, buf_size;
1274	int index;
1275	bool ret = true;
1276
1277	spin_lock(lock: &tid_agg_rx->reorder_lock);
1278
1279	/*
1280	* Offloaded BA sessions have no known starting sequence number so pick
1281	* one from first Rxed frame for this tid after BA was started.
1282	*/
1283	if (unlikely(tid_agg_rx->auto_seq)) {
1284	tid_agg_rx->auto_seq = false;
1285	tid_agg_rx->ssn = mpdu_seq_num;
1286	tid_agg_rx->head_seq_num = mpdu_seq_num;
1287	}
1288
1289	buf_size = tid_agg_rx->buf_size;
1290	head_seq_num = tid_agg_rx->head_seq_num;
1291
1292	/*
1293	* If the current MPDU's SN is smaller than the SSN, it shouldn't
1294	* be reordered.
1295	*/
1296	if (unlikely(!tid_agg_rx->started)) {
1297	if (ieee80211_sn_less(sn1: mpdu_seq_num, sn2: head_seq_num)) {
1298	ret = false;
1299	goto out;
1300	}
1301	tid_agg_rx->started = true;
1302	}
1303
1304	/ frame with out of date sequence number /
1305	if (ieee80211_sn_less(sn1: mpdu_seq_num, sn2: head_seq_num)) {
1306	dev_kfree_skb(skb);
1307	goto out;
1308	}
1309
1310	/*
1311	* If frame the sequence number exceeds our buffering window
1312	* size release some previous frames to make room for this one.
1313	*/
1314	if (!ieee80211_sn_less(sn1: mpdu_seq_num, sn2: head_seq_num + buf_size)) {
1315	head_seq_num = ieee80211_sn_inc(
1316	sn: ieee80211_sn_sub(sn1: mpdu_seq_num, sn2: buf_size));
1317	/ release stored frames up to new head to stack /
1318	ieee80211_release_reorder_frames(sdata, tid_agg_rx,
1319	head_seq_num, frames);
1320	}
1321
1322	/ Now the new frame is always in the range of the reordering buffer /
1323
1324	index = mpdu_seq_num % tid_agg_rx->buf_size;
1325
1326	/ check if we already stored this frame /
1327	if (ieee80211_rx_reorder_ready(tid_agg_rx, index)) {
1328	dev_kfree_skb(skb);
1329	goto out;
1330	}
1331
1332	/*
1333	* If the current MPDU is in the right order and nothing else
1334	* is stored we can process it directly, no need to buffer it.
1335	* If it is first but there's something stored, we may be able
1336	* to release frames after this one.
1337	*/
1338	if (mpdu_seq_num == tid_agg_rx->head_seq_num &&
1339	tid_agg_rx->stored_mpdu_num == `0`) {
1340	if (!(status->flag & RX_FLAG_AMSDU_MORE))
1341	tid_agg_rx->head_seq_num =
1342	ieee80211_sn_inc(sn: tid_agg_rx->head_seq_num);
1343	ret = false;
1344	goto out;
1345	}
1346
1347	/ put the frame in the reordering buffer /
1348	__skb_queue_tail(list: &tid_agg_rx->reorder_buf[index], newsk: skb);
1349	if (!(status->flag & RX_FLAG_AMSDU_MORE)) {
1350	tid_agg_rx->reorder_time[index] = jiffies;
1351	tid_agg_rx->stored_mpdu_num++;
1352	ieee80211_sta_reorder_release(sdata, tid_agg_rx, frames);
1353	}
1354
1355	out:
1356	spin_unlock(lock: &tid_agg_rx->reorder_lock);
1357	return ret;
1358	}
1359
1360	/*
1361	* Reorder MPDUs from A-MPDUs, keeping them on a buffer. Returns
1362	* true if the MPDU was buffered, false if it should be processed.
1363	*/
1364	static void ieee80211_rx_reorder_ampdu(struct ieee80211_rx_data *rx,
1365	struct sk_buff_head *frames)
1366	{
1367	struct sk_buff *skb = rx->skb;
1368	struct ieee80211_hdr hdr = (struct* ieee80211_hdr *) skb->data;
1369	struct sta_info *sta = rx->sta;
1370	struct tid_ampdu_rx *tid_agg_rx;
1371	u16 sc;
1372	u8 tid, ack_policy;
1373
1374	if (!ieee80211_is_data_qos(fc: hdr->frame_control) \|\|
1375	is_multicast_ether_addr(addr: hdr->addr1))
1376	goto dont_reorder;
1377
1378	/*
1379	* filter the QoS data rx stream according to
1380	* STA/TID and check if this STA/TID is on aggregation
1381	*/
1382
1383	if (!sta)
1384	goto dont_reorder;
1385
1386	ack_policy = *ieee80211_get_qos_ctl(hdr) &
1387	IEEE80211_QOS_CTL_ACK_POLICY_MASK;
1388	tid = ieee80211_get_tid(hdr);
1389
1390	tid_agg_rx = rcu_dereference(sta->ampdu_mlme.tid_rx[tid]);
1391	if (!tid_agg_rx) {
1392	if (ack_policy == IEEE80211_QOS_CTL_ACK_POLICY_BLOCKACK &&
1393	!test_bit(tid, rx->sta->ampdu_mlme.agg_session_valid) &&
1394	!test_and_set_bit(nr: tid, addr: rx->sta->ampdu_mlme.unexpected_agg))
1395	ieee80211_send_delba(sdata: rx->sdata, da: rx->sta->sta.addr, tid,
1396	initiator: WLAN_BACK_RECIPIENT,
1397	reason_code: WLAN_REASON_QSTA_REQUIRE_SETUP);
1398	goto dont_reorder;
1399	}
1400
1401	/ qos null data frames are excluded /
1402	if (unlikely(hdr->frame_control & cpu_to_le16(IEEE80211_STYPE_NULLFUNC)))
1403	goto dont_reorder;
1404
1405	/ not part of a BA session /
1406	if (ack_policy == IEEE80211_QOS_CTL_ACK_POLICY_NOACK)
1407	goto dont_reorder;
1408
1409	/ new, potentially un-ordered, ampdu frame - process it /
1410
1411	/ reset session timer /
1412	if (tid_agg_rx->timeout)
1413	tid_agg_rx->last_rx = jiffies;
1414
1415	/ if this mpdu is fragmented - terminate rx aggregation session /
1416	sc = le16_to_cpu(hdr->seq_ctrl);
1417	if (sc & IEEE80211_SCTL_FRAG) {
1418	ieee80211_queue_skb_to_iface(sdata: rx->sdata, link_id: rx->link_id, NULL, skb);
1419	return;
1420	}
1421
1422	/*
1423	* No locking needed -- we will only ever process one
1424	* RX packet at a time, and thus own tid_agg_rx. All
1425	* other code manipulating it needs to (and does) make
1426	* sure that we cannot get to it any more before doing
1427	* anything with it.
1428	*/
1429	if (ieee80211_sta_manage_reorder_buf(sdata: rx->sdata, tid_agg_rx, skb,
1430	frames))
1431	return;
1432
1433	dont_reorder:
1434	__skb_queue_tail(list: frames, newsk: skb);
1435	}
1436
1437	static ieee80211_rx_result debug_noinline
1438	ieee80211_rx_h_check_dup(struct ieee80211_rx_data *rx)
1439	{
1440	struct ieee80211_hdr hdr = (struct* ieee80211_hdr *)rx->skb->data;
1441	struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb: rx->skb);
1442
1443	if (status->flag & RX_FLAG_DUP_VALIDATED)
1444	return RX_CONTINUE;
1445
1446	/*
1447	* Drop duplicate 802.11 retransmissions
1448	* (IEEE 802.11-2012: 9.3.2.10 "Duplicate detection and recovery")
1449	*/
1450
1451	if (rx->skb->len < `24`)
1452	return RX_CONTINUE;
1453
1454	if (ieee80211_is_ctl(fc: hdr->frame_control) \|\|
1455	ieee80211_is_any_nullfunc(fc: hdr->frame_control))
1456	return RX_CONTINUE;
1457
1458	if (!rx->sta)
1459	return RX_CONTINUE;
1460
1461	if (unlikely(is_multicast_ether_addr(hdr->addr1))) {
1462	struct ieee80211_sub_if_data *sdata = rx->sdata;
1463	u16 sn = ieee80211_get_sn(hdr);
1464
1465	if (!ieee80211_is_data_present(fc: hdr->frame_control))
1466	return RX_CONTINUE;
1467
1468	if (!ieee80211_vif_is_mld(vif: &sdata->vif) \|\|
1469	sdata->vif.type != NL80211_IFTYPE_STATION)
1470	return RX_CONTINUE;
1471
1472	if (sdata->u.mgd.mcast_seq_last != IEEE80211_SN_MODULO &&
1473	ieee80211_sn_less_eq(sn1: sn, sn2: sdata->u.mgd.mcast_seq_last))
1474	return RX_DROP_U_DUP;
1475
1476	sdata->u.mgd.mcast_seq_last = sn;
1477	return RX_CONTINUE;
1478	}
1479
1480	if (unlikely(ieee80211_has_retry(hdr->frame_control) &&
1481	rx->sta->last_seq_ctrl[rx->seqno_idx] == hdr->seq_ctrl)) {
1482	I802_DEBUG_INC(rx->local->dot11FrameDuplicateCount);
1483	rx->link_sta->rx_stats.num_duplicates++;
1484	return RX_DROP_U_DUP;
1485	} else if (!(status->flag & RX_FLAG_AMSDU_MORE)) {
1486	rx->sta->last_seq_ctrl[rx->seqno_idx] = hdr->seq_ctrl;
1487	}
1488
1489	return RX_CONTINUE;
1490	}
1491
1492	static ieee80211_rx_result debug_noinline
1493	ieee80211_rx_h_check(struct ieee80211_rx_data *rx)
1494	{
1495	struct ieee80211_hdr hdr = (struct* ieee80211_hdr *)rx->skb->data;
1496
1497	/ Drop disallowed frame classes based on STA auth/assoc state;*
1498	* IEEE 802.11, Chap 5.5.
1499	*
1500	* mac80211 filters only based on association state, i.e. it drops
1501	* Class 3 frames from not associated stations. hostapd sends
1502	* deauth/disassoc frames when needed. In addition, hostapd is
1503	* responsible for filtering on both auth and assoc states.
1504	*/
1505
1506	if (ieee80211_vif_is_mesh(vif: &rx->sdata->vif))
1507	return ieee80211_rx_mesh_check(rx);
1508
1509	if (unlikely((ieee80211_is_data(hdr->frame_control) \|\|
1510	ieee80211_is_pspoll(hdr->frame_control)) &&
1511	rx->sdata->vif.type != NL80211_IFTYPE_ADHOC &&
1512	rx->sdata->vif.type != NL80211_IFTYPE_OCB &&
1513	(!rx->sta \|\| !test_sta_flag(rx->sta, WLAN_STA_ASSOC)))) {
1514	/*
1515	* accept port control frames from the AP even when it's not
1516	* yet marked ASSOC to prevent a race where we don't set the
1517	* assoc bit quickly enough before it sends the first frame
1518	*/
1519	if (rx->sta && rx->sdata->vif.type == NL80211_IFTYPE_STATION &&
1520	ieee80211_is_data_present(fc: hdr->frame_control)) {
1521	unsigned int hdrlen;
1522	__be16 ethertype;
1523
1524	hdrlen = ieee80211_hdrlen(fc: hdr->frame_control);
1525
1526	if (rx->skb->len < hdrlen + `8`)
1527	return RX_DROP;
1528
1529	skb_copy_bits(skb: rx->skb, offset: hdrlen + `6`, to: &ethertype, len: `2`);
1530	if (ethertype == rx->sdata->control_port_protocol)
1531	return RX_CONTINUE;
1532	}
1533
1534	if (rx->sdata->vif.type == NL80211_IFTYPE_AP &&
1535	cfg80211_rx_spurious_frame(dev: rx->sdata->dev, addr: hdr->addr2,
1536	link_id: rx->link_id, GFP_ATOMIC))
1537	return RX_DROP_U_SPURIOUS;
1538
1539	return RX_DROP;
1540	}
1541
1542	return RX_CONTINUE;
1543	}
1544
1545
1546	static ieee80211_rx_result debug_noinline
1547	ieee80211_rx_h_check_more_data(struct ieee80211_rx_data *rx)
1548	{
1549	struct ieee80211_local *local;
1550	struct ieee80211_hdr *hdr;
1551	struct sk_buff *skb;
1552
1553	local = rx->local;
1554	skb = rx->skb;
1555	hdr = (struct ieee80211_hdr *) skb->data;
1556
1557	if (!local->pspolling)
1558	return RX_CONTINUE;
1559
1560	if (!ieee80211_has_fromds(fc: hdr->frame_control))
1561	/ this is not from AP /
1562	return RX_CONTINUE;
1563
1564	if (!ieee80211_is_data(fc: hdr->frame_control))
1565	return RX_CONTINUE;
1566
1567	if (!ieee80211_has_moredata(fc: hdr->frame_control)) {
1568	/ AP has no more frames buffered for us /
1569	local->pspolling = false;
1570	return RX_CONTINUE;
1571	}
1572
1573	/ more data bit is set, let's request a new frame from the AP /
1574	ieee80211_send_pspoll(local, sdata: rx->sdata);
1575
1576	return RX_CONTINUE;
1577	}
1578
1579	static void sta_ps_start(struct sta_info *sta)
1580	{
1581	struct ieee80211_sub_if_data *sdata = sta->sdata;
1582	struct ieee80211_local *local = sdata->local;
1583	struct ps_data *ps;
1584	int tid;
1585
1586	if (sta->sdata->vif.type == NL80211_IFTYPE_AP \|\|
1587	sta->sdata->vif.type == NL80211_IFTYPE_AP_VLAN)
1588	ps = &sdata->bss->ps;
1589	else
1590	return;
1591
1592	atomic_inc(v: &ps->num_sta_ps);
1593	set_sta_flag(sta, flag: WLAN_STA_PS_STA);
1594	if (!ieee80211_hw_check(&local->hw, AP_LINK_PS))
1595	drv_sta_notify(local, sdata, cmd: STA_NOTIFY_SLEEP, sta: &sta->sta);
1596	ps_dbg(sdata, "STA %pM aid %d enters power save mode\n",
1597	sta->sta.addr, sta->sta.aid);
1598
1599	ieee80211_clear_fast_xmit(sta);
1600
1601	for (tid = `0`; tid < IEEE80211_NUM_TIDS; tid++) {
1602	struct ieee80211_txq *txq = sta->sta.txq[tid];
1603	struct txq_info *txqi = to_txq_info(txq);
1604
1605	spin_lock(lock: &local->active_txq_lock[txq->ac]);
1606	if (!list_empty(head: &txqi->schedule_order))
1607	list_del_init(entry: &txqi->schedule_order);
1608	spin_unlock(lock: &local->active_txq_lock[txq->ac]);
1609
1610	if (txq_has_queue(txq))
1611	set_bit(nr: tid, addr: &sta->txq_buffered_tids);
1612	else
1613	clear_bit(nr: tid, addr: &sta->txq_buffered_tids);
1614	}
1615	}
1616
1617	static void sta_ps_end(struct sta_info *sta)
1618	{
1619	ps_dbg(sta->sdata, "STA %pM aid %d exits power save mode\n",
1620	sta->sta.addr, sta->sta.aid);
1621
1622	if (test_sta_flag(sta, flag: WLAN_STA_PS_DRIVER)) {
1623	/*
1624	* Clear the flag only if the other one is still set
1625	* so that the TX path won't start TX'ing new frames
1626	* directly ... In the case that the driver flag isn't
1627	* set ieee80211_sta_ps_deliver_wakeup() will clear it.
1628	*/
1629	clear_sta_flag(sta, flag: WLAN_STA_PS_STA);
1630	ps_dbg(sta->sdata, "STA %pM aid %d driver-ps-blocked\n",
1631	sta->sta.addr, sta->sta.aid);
1632	return;
1633	}
1634
1635	set_sta_flag(sta, flag: WLAN_STA_PS_DELIVER);
1636	clear_sta_flag(sta, flag: WLAN_STA_PS_STA);
1637	ieee80211_sta_ps_deliver_wakeup(sta);
1638	}
1639
1640	int ieee80211_sta_ps_transition(struct ieee80211_sta *pubsta, bool start)
1641	{
1642	struct sta_info sta = container_of(pubsta, struct* sta_info, sta);
1643	bool in_ps;
1644
1645	WARN_ON(!ieee80211_hw_check(&sta->local->hw, AP_LINK_PS));
1646
1647	/ Don't let the same PS state be set twice /
1648	in_ps = test_sta_flag(sta, flag: WLAN_STA_PS_STA);
1649	if ((start && in_ps) \|\| (!start && !in_ps))
1650	return -EINVAL;
1651
1652	if (start)
1653	sta_ps_start(sta);
1654	else
1655	sta_ps_end(sta);
1656
1657	return `0`;
1658	}
1659	EXPORT_SYMBOL(ieee80211_sta_ps_transition);
1660
1661	void ieee80211_sta_pspoll(struct ieee80211_sta *pubsta)
1662	{
1663	struct sta_info sta = container_of(pubsta, struct* sta_info, sta);
1664
1665	if (test_sta_flag(sta, flag: WLAN_STA_SP))
1666	return;
1667
1668	if (!test_sta_flag(sta, flag: WLAN_STA_PS_DRIVER))
1669	ieee80211_sta_ps_deliver_poll_response(sta);
1670	else
1671	set_sta_flag(sta, flag: WLAN_STA_PSPOLL);
1672	}
1673	EXPORT_SYMBOL(ieee80211_sta_pspoll);
1674
1675	void ieee80211_sta_uapsd_trigger(struct ieee80211_sta *pubsta, u8 tid)
1676	{
1677	struct sta_info sta = container_of(pubsta, struct* sta_info, sta);
1678	int ac = ieee80211_ac_from_tid(tid);
1679
1680	/*
1681	* If this AC is not trigger-enabled do nothing unless the
1682	* driver is calling us after it already checked.
1683	*
1684	* NB: This could/should check a separate bitmap of trigger-
1685	* enabled queues, but for now we only implement uAPSD w/o
1686	* TSPEC changes to the ACs, so they're always the same.
1687	*/
1688	if (!(sta->sta.uapsd_queues & ieee80211_ac_to_qos_mask[ac]) &&
1689	tid != IEEE80211_NUM_TIDS)
1690	return;
1691
1692	/ if we are in a service period, do nothing /
1693	if (test_sta_flag(sta, flag: WLAN_STA_SP))
1694	return;
1695
1696	if (!test_sta_flag(sta, flag: WLAN_STA_PS_DRIVER))
1697	ieee80211_sta_ps_deliver_uapsd(sta);
1698	else
1699	set_sta_flag(sta, flag: WLAN_STA_UAPSD);
1700	}
1701	EXPORT_SYMBOL(ieee80211_sta_uapsd_trigger);
1702
1703	static ieee80211_rx_result debug_noinline
1704	ieee80211_rx_h_uapsd_and_pspoll(struct ieee80211_rx_data *rx)
1705	{
1706	struct ieee80211_sub_if_data *sdata = rx->sdata;
1707	struct ieee80211_hdr hdr = (void* *)rx->skb->data;
1708	struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb: rx->skb);
1709
1710	if (!rx->sta)
1711	return RX_CONTINUE;
1712
1713	if (sdata->vif.type != NL80211_IFTYPE_AP &&
1714	sdata->vif.type != NL80211_IFTYPE_AP_VLAN)
1715	return RX_CONTINUE;
1716
1717	/*
1718	* The device handles station powersave, so don't do anything about
1719	* uAPSD and PS-Poll frames (the latter shouldn't even come up from
1720	* it to mac80211 since they're handled.)
1721	*/
1722	if (ieee80211_hw_check(&sdata->local->hw, AP_LINK_PS))
1723	return RX_CONTINUE;
1724
1725	/*
1726	* Don't do anything if the station isn't already asleep. In
1727	* the uAPSD case, the station will probably be marked asleep,
1728	* in the PS-Poll case the station must be confused ...
1729	*/
1730	if (!test_sta_flag(sta: rx->sta, flag: WLAN_STA_PS_STA))
1731	return RX_CONTINUE;
1732
1733	if (unlikely(ieee80211_is_pspoll(hdr->frame_control))) {
1734	ieee80211_sta_pspoll(&rx->sta->sta);
1735
1736	/ Free PS Poll skb here instead of returning RX_DROP that would*
1737	* count as an dropped frame. */
1738	dev_kfree_skb(rx->skb);
1739
1740	return RX_QUEUED;
1741	} else if (!ieee80211_has_morefrags(fc: hdr->frame_control) &&
1742	!(status->rx_flags & IEEE80211_RX_DEFERRED_RELEASE) &&
1743	ieee80211_has_pm(fc: hdr->frame_control) &&
1744	(ieee80211_is_data_qos(fc: hdr->frame_control) \|\|
1745	ieee80211_is_qos_nullfunc(fc: hdr->frame_control))) {
1746	u8 tid = ieee80211_get_tid(hdr);
1747
1748	ieee80211_sta_uapsd_trigger(&rx->sta->sta, tid);
1749	}
1750
1751	return RX_CONTINUE;
1752	}
1753
1754	static ieee80211_rx_result debug_noinline
1755	ieee80211_rx_h_sta_process(struct ieee80211_rx_data *rx)
1756	{
1757	struct sta_info *sta = rx->sta;
1758	struct link_sta_info *link_sta = rx->link_sta;
1759	struct sk_buff *skb = rx->skb;
1760	struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb);
1761	struct ieee80211_hdr hdr = (struct* ieee80211_hdr *)skb->data;
1762	int i;
1763
1764	if (!sta \|\| !link_sta)
1765	return RX_CONTINUE;
1766
1767	/*
1768	* Update last_rx only for IBSS packets which are for the current
1769	* BSSID and for station already AUTHORIZED to avoid keeping the
1770	* current IBSS network alive in cases where other STAs start
1771	* using different BSSID. This will also give the station another
1772	* chance to restart the authentication/authorization in case
1773	* something went wrong the first time.
1774	*/
1775	if (rx->sdata->vif.type == NL80211_IFTYPE_ADHOC) {
1776	u8 *bssid = ieee80211_get_bssid(hdr, len: rx->skb->len,
1777	type: NL80211_IFTYPE_ADHOC);
1778	if (ether_addr_equal(addr1: bssid, addr2: rx->sdata->u.ibss.bssid) &&
1779	test_sta_flag(sta, flag: WLAN_STA_AUTHORIZED)) {
1780	link_sta->rx_stats.last_rx = jiffies;
1781	if (ieee80211_is_data_present(fc: hdr->frame_control) &&
1782	!is_multicast_ether_addr(addr: hdr->addr1))
1783	link_sta->rx_stats.last_rate =
1784	sta_stats_encode_rate(s: status);
1785	}
1786	} else if (rx->sdata->vif.type == NL80211_IFTYPE_OCB) {
1787	link_sta->rx_stats.last_rx = jiffies;
1788	} else if (!ieee80211_is_s1g_beacon(fc: hdr->frame_control) &&
1789	!is_multicast_ether_addr(addr: hdr->addr1)) {
1790	/*
1791	* Mesh beacons will update last_rx when if they are found to
1792	* match the current local configuration when processed.
1793	*/
1794	link_sta->rx_stats.last_rx = jiffies;
1795	if (ieee80211_is_data_present(fc: hdr->frame_control))
1796	link_sta->rx_stats.last_rate = sta_stats_encode_rate(s: status);
1797	}
1798
1799	link_sta->rx_stats.fragments++;
1800
1801	u64_stats_update_begin(syncp: &link_sta->rx_stats.syncp);
1802	link_sta->rx_stats.bytes += rx->skb->len;
1803	u64_stats_update_end(syncp: &link_sta->rx_stats.syncp);
1804
1805	if (!(status->flag & RX_FLAG_NO_SIGNAL_VAL)) {
1806	link_sta->rx_stats.last_signal = status->signal;
1807	ewma_signal_add(e: &link_sta->rx_stats_avg.signal,
1808	val: -status->signal);
1809	}
1810
1811	if (status->chains) {
1812	link_sta->rx_stats.chains = status->chains;
1813	for (i = `0`; i < ARRAY_SIZE(status->chain_signal); i++) {
1814	int signal = status->chain_signal[i];
1815
1816	if (!(status->chains & BIT(i)))
1817	continue;
1818
1819	link_sta->rx_stats.chain_signal_last[i] = signal;
1820	ewma_signal_add(e: &link_sta->rx_stats_avg.chain_signal[i],
1821	val: -signal);
1822	}
1823	}
1824
1825	if (ieee80211_is_s1g_beacon(fc: hdr->frame_control))
1826	return RX_CONTINUE;
1827
1828	/*
1829	* Change STA power saving mode only at the end of a frame
1830	* exchange sequence, and only for a data or management
1831	* frame as specified in IEEE 802.11-2016 11.2.3.2
1832	*/
1833	if (!ieee80211_hw_check(&sta->local->hw, AP_LINK_PS) &&
1834	!ieee80211_has_morefrags(fc: hdr->frame_control) &&
1835	!is_multicast_ether_addr(addr: hdr->addr1) &&
1836	(ieee80211_is_mgmt(fc: hdr->frame_control) \|\|
1837	ieee80211_is_data(fc: hdr->frame_control)) &&
1838	!(status->rx_flags & IEEE80211_RX_DEFERRED_RELEASE) &&
1839	(rx->sdata->vif.type == NL80211_IFTYPE_AP \|\|
1840	rx->sdata->vif.type == NL80211_IFTYPE_AP_VLAN)) {
1841	if (test_sta_flag(sta, flag: WLAN_STA_PS_STA)) {
1842	if (!ieee80211_has_pm(fc: hdr->frame_control))
1843	sta_ps_end(sta);
1844	} else {
1845	if (ieee80211_has_pm(fc: hdr->frame_control))
1846	sta_ps_start(sta);
1847	}
1848	}
1849
1850	/ mesh power save support /
1851	if (ieee80211_vif_is_mesh(vif: &rx->sdata->vif))
1852	ieee80211_mps_rx_h_sta_process(sta, hdr);
1853
1854	/*
1855	* Drop (qos-)data::nullfunc frames silently, since they
1856	* are used only to control station power saving mode.
1857	*/
1858	if (ieee80211_is_any_nullfunc(fc: hdr->frame_control)) {
1859	I802_DEBUG_INC(rx->local->rx_handlers_drop_nullfunc);
1860
1861	/*
1862	* If we receive a 4-addr nullfunc frame from a STA
1863	* that was not moved to a 4-addr STA vlan yet send
1864	* the event to userspace and for older hostapd drop
1865	* the frame to the monitor interface.
1866	*/
1867	if (ieee80211_has_a4(fc: hdr->frame_control) &&
1868	(rx->sdata->vif.type == NL80211_IFTYPE_AP \|\|
1869	(rx->sdata->vif.type == NL80211_IFTYPE_AP_VLAN &&
1870	!rx->sdata->u.vlan.sta))) {
1871	if (!test_and_set_sta_flag(sta, flag: WLAN_STA_4ADDR_EVENT))
1872	cfg80211_rx_unexpected_4addr_frame(
1873	dev: rx->sdata->dev, addr: sta->sta.addr,
1874	link_id: rx->link_id, GFP_ATOMIC);
1875	return RX_DROP_U_UNEXPECTED_4ADDR_FRAME;
1876	}
1877	/*
1878	* Update counter and free packet here to avoid
1879	* counting this as a dropped packed.
1880	*/
1881	link_sta->rx_stats.packets++;
1882	dev_kfree_skb(rx->skb);
1883	return RX_QUEUED;
1884	}
1885
1886	return RX_CONTINUE;
1887	} / ieee80211_rx_h_sta_process /
1888
1889	static struct ieee80211_key *
1890	ieee80211_rx_get_bigtk(struct ieee80211_rx_data rx, int* idx)
1891	{
1892	struct ieee80211_key *key = NULL;
1893	int idx2;
1894
1895	/ Make sure key gets set if either BIGTK key index is set so that*
1896	* ieee80211_drop_unencrypted_mgmt() can properly drop both unprotected
1897	* Beacon frames and Beacon frames that claim to use another BIGTK key
1898	* index (i.e., a key that we do not have).
1899	*/
1900
1901	if (idx < `0`) {
1902	idx = NUM_DEFAULT_KEYS + NUM_DEFAULT_MGMT_KEYS;
1903	idx2 = idx + `1`;
1904	} else {
1905	if (idx == NUM_DEFAULT_KEYS + NUM_DEFAULT_MGMT_KEYS)
1906	idx2 = idx + `1`;
1907	else
1908	idx2 = idx - `1`;
1909	}
1910
1911	if (rx->link_sta)
1912	key = rcu_dereference(rx->link_sta->gtk[idx]);
1913	if (!key)
1914	key = rcu_dereference(rx->link->gtk[idx]);
1915	if (!key && rx->link_sta)
1916	key = rcu_dereference(rx->link_sta->gtk[idx2]);
1917	if (!key)
1918	key = rcu_dereference(rx->link->gtk[idx2]);
1919
1920	return key;
1921	}
1922
1923	static ieee80211_rx_result debug_noinline
1924	ieee80211_rx_h_decrypt(struct ieee80211_rx_data *rx)
1925	{
1926	struct sk_buff *skb = rx->skb;
1927	struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb);
1928	struct ieee80211_hdr hdr = (struct* ieee80211_hdr *)skb->data;
1929	int keyidx;
1930	ieee80211_rx_result result = RX_DROP_U_DECRYPT_FAIL;
1931	struct ieee80211_key *sta_ptk = NULL;
1932	struct ieee80211_key *ptk_idx = NULL;
1933	int mmie_keyidx = -`1`;
1934	__le16 fc;
1935
1936	if (ieee80211_is_ext(fc: hdr->frame_control))
1937	return RX_CONTINUE;
1938
1939	/*
1940	* Key selection 101
1941	*
1942	* There are five types of keys:
1943	* - GTK (group keys)
1944	* - IGTK (group keys for management frames)
1945	* - BIGTK (group keys for Beacon frames)
1946	* - PTK (pairwise keys)
1947	* - STK (station-to-station pairwise keys)
1948	*
1949	* When selecting a key, we have to distinguish between multicast
1950	* (including broadcast) and unicast frames, the latter can only
1951	* use PTKs and STKs while the former always use GTKs, IGTKs, and
1952	* BIGTKs. Unless, of course, actual WEP keys ("pre-RSNA") are used,
1953	* then unicast frames can also use key indices like GTKs. Hence, if we
1954	* don't have a PTK/STK we check the key index for a WEP key.
1955	*
1956	* Note that in a regular BSS, multicast frames are sent by the
1957	* AP only, associated stations unicast the frame to the AP first
1958	* which then multicasts it on their behalf.
1959	*
1960	* There is also a slight problem in IBSS mode: GTKs are negotiated
1961	* with each station, that is something we don't currently handle.
1962	* The spec seems to expect that one negotiates the same key with
1963	* every station but there's no such requirement; VLANs could be
1964	* possible.
1965	*/
1966
1967	/ start without a key /
1968	rx->key = NULL;
1969	fc = hdr->frame_control;
1970
1971	if (rx->sta) {
1972	int keyid = rx->sta->ptk_idx;
1973	sta_ptk = rcu_dereference(rx->sta->ptk[keyid]);
1974
1975	if (ieee80211_has_protected(fc) &&
1976	!(status->flag & RX_FLAG_IV_STRIPPED)) {
1977	keyid = ieee80211_get_keyid(skb: rx->skb);
1978
1979	if (unlikely(keyid < `0`))
1980	return RX_DROP_U_NO_KEY_ID;
1981
1982	ptk_idx = rcu_dereference(rx->sta->ptk[keyid]);
1983	}
1984	}
1985
1986	if (!ieee80211_has_protected(fc))
1987	mmie_keyidx = ieee80211_get_mmie_keyidx(skb: rx->skb);
1988
1989	if (!is_multicast_ether_addr(addr: hdr->addr1) && sta_ptk) {
1990	rx->key = ptk_idx ? ptk_idx : sta_ptk;
1991	if ((status->flag & RX_FLAG_DECRYPTED) &&
1992	(status->flag & RX_FLAG_IV_STRIPPED))
1993	return RX_CONTINUE;
1994	/ Skip decryption if the frame is not protected. /
1995	if (!ieee80211_has_protected(fc))
1996	return RX_CONTINUE;
1997	} else if (mmie_keyidx >= `0` && ieee80211_is_beacon(fc)) {
1998	/ Broadcast/multicast robust management frame / BIP /
1999	if ((status->flag & RX_FLAG_DECRYPTED) &&
2000	(status->flag & RX_FLAG_IV_STRIPPED))
2001	return RX_CONTINUE;
2002
2003	if (mmie_keyidx < NUM_DEFAULT_KEYS + NUM_DEFAULT_MGMT_KEYS \|\|
2004	mmie_keyidx >= NUM_DEFAULT_KEYS + NUM_DEFAULT_MGMT_KEYS +
2005	NUM_DEFAULT_BEACON_KEYS) {
2006	if (rx->sdata->dev)
2007	cfg80211_rx_unprot_mlme_mgmt(dev: rx->sdata->dev,
2008	buf: skb->data,
2009	len: skb->len);
2010	return RX_DROP_U_BAD_BCN_KEYIDX;
2011	}
2012
2013	rx->key = ieee80211_rx_get_bigtk(rx, idx: mmie_keyidx);
2014	if (!rx->key)
2015	return RX_CONTINUE; / Beacon protection not in use /
2016	} else if (mmie_keyidx >= `0`) {
2017	/ Broadcast/multicast robust management frame / BIP /
2018	if ((status->flag & RX_FLAG_DECRYPTED) &&
2019	(status->flag & RX_FLAG_IV_STRIPPED))
2020	return RX_CONTINUE;
2021
2022	if (mmie_keyidx < NUM_DEFAULT_KEYS \|\|
2023	mmie_keyidx >= NUM_DEFAULT_KEYS + NUM_DEFAULT_MGMT_KEYS)
2024	return RX_DROP_U_BAD_MGMT_KEYIDX; / unexpected BIP keyidx /
2025	if (rx->link_sta) {
2026	if (ieee80211_is_group_privacy_action(skb) &&
2027	test_sta_flag(sta: rx->sta, flag: WLAN_STA_MFP))
2028	return RX_DROP;
2029
2030	rx->key = rcu_dereference(rx->link_sta->gtk[mmie_keyidx]);
2031	}
2032	if (!rx->key)
2033	rx->key = rcu_dereference(rx->link->gtk[mmie_keyidx]);
2034	} else if (!ieee80211_has_protected(fc)) {
2035	/*
2036	* The frame was not protected, so skip decryption. However, we
2037	* need to set rx->key if there is a key that could have been
2038	* used so that the frame may be dropped if encryption would
2039	* have been expected.
2040	*/
2041	struct ieee80211_key *key = NULL;
2042	int i;
2043
2044	if (ieee80211_is_beacon(fc)) {
2045	key = ieee80211_rx_get_bigtk(rx, idx: -`1`);
2046	} else if (ieee80211_is_mgmt(fc) &&
2047	is_multicast_ether_addr(addr: hdr->addr1)) {
2048	key = rcu_dereference(rx->link->default_mgmt_key);
2049	} else {
2050	if (rx->link_sta) {
2051	for (i = `0`; i < NUM_DEFAULT_KEYS; i++) {
2052	key = rcu_dereference(rx->link_sta->gtk[i]);
2053	if (key)
2054	break;
2055	}
2056	}
2057	if (!key) {
2058	for (i = `0`; i < NUM_DEFAULT_KEYS; i++) {
2059	key = rcu_dereference(rx->link->gtk[i]);
2060	if (key)
2061	break;
2062	}
2063	}
2064	}
2065	if (key)
2066	rx->key = key;
2067	return RX_CONTINUE;
2068	} else {
2069	/*
2070	* The device doesn't give us the IV so we won't be
2071	* able to look up the key. That's ok though, we
2072	* don't need to decrypt the frame, we just won't
2073	* be able to keep statistics accurate.
2074	* Except for key threshold notifications, should
2075	* we somehow allow the driver to tell us which key
2076	* the hardware used if this flag is set?
2077	*/
2078	if ((status->flag & RX_FLAG_DECRYPTED) &&
2079	(status->flag & RX_FLAG_IV_STRIPPED))
2080	return RX_CONTINUE;
2081
2082	keyidx = ieee80211_get_keyid(skb: rx->skb);
2083
2084	if (unlikely(keyidx < `0`))
2085	return RX_DROP_U_NO_KEY_ID;
2086
2087	/ check per-station GTK first, if multicast packet /
2088	if (is_multicast_ether_addr(addr: hdr->addr1) && rx->link_sta)
2089	rx->key = rcu_dereference(rx->link_sta->gtk[keyidx]);
2090
2091	/ if not found, try default key /
2092	if (!rx->key) {
2093	if (is_multicast_ether_addr(addr: hdr->addr1))
2094	rx->key = rcu_dereference(rx->link->gtk[keyidx]);
2095	if (!rx->key)
2096	rx->key = rcu_dereference(rx->sdata->keys[keyidx]);
2097
2098	/*
2099	* RSNA-protected unicast frames should always be
2100	* sent with pairwise or station-to-station keys,
2101	* but for WEP we allow using a key index as well.
2102	*/
2103	if (rx->key &&
2104	rx->key->conf.cipher != WLAN_CIPHER_SUITE_WEP40 &&
2105	rx->key->conf.cipher != WLAN_CIPHER_SUITE_WEP104 &&
2106	!is_multicast_ether_addr(addr: hdr->addr1))
2107	rx->key = NULL;
2108	}
2109	}
2110
2111	if (rx->key) {
2112	if (unlikely(rx->key->flags & KEY_FLAG_TAINTED))
2113	return RX_DROP;
2114
2115	/ TODO: add threshold stuff again /
2116	} else {
2117	return RX_DROP;
2118	}
2119
2120	switch (rx->key->conf.cipher) {
2121	case WLAN_CIPHER_SUITE_WEP40:
2122	case WLAN_CIPHER_SUITE_WEP104:
2123	result = ieee80211_crypto_wep_decrypt(rx);
2124	break;
2125	case WLAN_CIPHER_SUITE_TKIP:
2126	result = ieee80211_crypto_tkip_decrypt(rx);
2127	break;
2128	case WLAN_CIPHER_SUITE_CCMP:
2129	result = ieee80211_crypto_ccmp_decrypt(
2130	rx, IEEE80211_CCMP_MIC_LEN);
2131	break;
2132	case WLAN_CIPHER_SUITE_CCMP_256:
2133	result = ieee80211_crypto_ccmp_decrypt(
2134	rx, IEEE80211_CCMP_256_MIC_LEN);
2135	break;
2136	case WLAN_CIPHER_SUITE_AES_CMAC:
2137	result = ieee80211_crypto_aes_cmac_decrypt(rx);
2138	break;
2139	case WLAN_CIPHER_SUITE_BIP_CMAC_256:
2140	result = ieee80211_crypto_aes_cmac_256_decrypt(rx);
2141	break;
2142	case WLAN_CIPHER_SUITE_BIP_GMAC_128:
2143	case WLAN_CIPHER_SUITE_BIP_GMAC_256:
2144	result = ieee80211_crypto_aes_gmac_decrypt(rx);
2145	break;
2146	case WLAN_CIPHER_SUITE_GCMP:
2147	case WLAN_CIPHER_SUITE_GCMP_256:
2148	result = ieee80211_crypto_gcmp_decrypt(rx);
2149	break;
2150	default:
2151	result = RX_DROP_U_BAD_CIPHER;
2152	}
2153
2154	/ the hdr variable is invalid after the decrypt handlers /
2155
2156	/ either the frame has been decrypted or will be dropped /
2157	status->flag \|= RX_FLAG_DECRYPTED;
2158
2159	if (unlikely(ieee80211_is_beacon(fc) && RX_RES_IS_UNUSABLE(result) &&
2160	rx->sdata->dev))
2161	cfg80211_rx_unprot_mlme_mgmt(dev: rx->sdata->dev,
2162	buf: skb->data, len: skb->len);
2163
2164	return result;
2165	}
2166
2167	void ieee80211_init_frag_cache(struct ieee80211_fragment_cache *cache)
2168	{
2169	int i;
2170
2171	for (i = `0`; i < ARRAY_SIZE(cache->entries); i++)
2172	skb_queue_head_init(list: &cache->entries[i].skb_list);
2173	}
2174
2175	void ieee80211_destroy_frag_cache(struct ieee80211_fragment_cache *cache)
2176	{
2177	int i;
2178
2179	for (i = `0`; i < ARRAY_SIZE(cache->entries); i++)
2180	__skb_queue_purge(list: &cache->entries[i].skb_list);
2181	}
2182
2183	static inline struct ieee80211_fragment_entry *
2184	ieee80211_reassemble_add(struct ieee80211_fragment_cache *cache,
2185	unsigned int frag, unsigned int seq, int rx_queue,
2186	struct sk_buff **skb)
2187	{
2188	struct ieee80211_fragment_entry *entry;
2189
2190	entry = &cache->entries[cache->next++];
2191	if (cache->next >= IEEE80211_FRAGMENT_MAX)
2192	cache->next = `0`;
2193
2194	__skb_queue_purge(list: &entry->skb_list);
2195
2196	__skb_queue_tail(list: &entry->skb_list, newsk: skb); /* no need for locking /
2197	*skb = NULL;
2198	entry->first_frag_time = jiffies;
2199	entry->seq = seq;
2200	entry->rx_queue = rx_queue;
2201	entry->last_frag = frag;
2202	entry->check_sequential_pn = false;
2203	entry->extra_len = `0`;
2204
2205	return entry;
2206	}
2207
2208	static inline struct ieee80211_fragment_entry *
2209	ieee80211_reassemble_find(struct ieee80211_fragment_cache *cache,
2210	unsigned int frag, unsigned int seq,
2211	int rx_queue, struct ieee80211_hdr *hdr)
2212	{
2213	struct ieee80211_fragment_entry *entry;
2214	int i, idx;
2215
2216	idx = cache->next;
2217	for (i = `0`; i < IEEE80211_FRAGMENT_MAX; i++) {
2218	struct ieee80211_hdr *f_hdr;
2219	struct sk_buff *f_skb;
2220
2221	idx--;
2222	if (idx < `0`)
2223	idx = IEEE80211_FRAGMENT_MAX - `1`;
2224
2225	entry = &cache->entries[idx];
2226	if (skb_queue_empty(list: &entry->skb_list) \|\| entry->seq != seq \|\|
2227	entry->rx_queue != rx_queue \|\|
2228	entry->last_frag + `1` != frag)
2229	continue;
2230
2231	f_skb = __skb_peek(list_: &entry->skb_list);
2232	f_hdr = (struct ieee80211_hdr *) f_skb->data;
2233
2234	/*
2235	* Check ftype and addresses are equal, else check next fragment
2236	*/
2237	if (((hdr->frame_control ^ f_hdr->frame_control) &
2238	cpu_to_le16(IEEE80211_FCTL_FTYPE)) \|\|
2239	!ether_addr_equal(addr1: hdr->addr1, addr2: f_hdr->addr1) \|\|
2240	!ether_addr_equal(addr1: hdr->addr2, addr2: f_hdr->addr2))
2241	continue;
2242
2243	if (time_after(jiffies, entry->first_frag_time + `2` * HZ)) {
2244	__skb_queue_purge(list: &entry->skb_list);
2245	continue;
2246	}
2247	return entry;
2248	}
2249
2250	return NULL;
2251	}
2252
2253	static bool requires_sequential_pn(struct ieee80211_rx_data *rx, __le16 fc)
2254	{
2255	return rx->key &&
2256	(rx->key->conf.cipher == WLAN_CIPHER_SUITE_CCMP \|\|
2257	rx->key->conf.cipher == WLAN_CIPHER_SUITE_CCMP_256 \|\|
2258	rx->key->conf.cipher == WLAN_CIPHER_SUITE_GCMP \|\|
2259	rx->key->conf.cipher == WLAN_CIPHER_SUITE_GCMP_256) &&
2260	ieee80211_has_protected(fc);
2261	}
2262
2263	static ieee80211_rx_result debug_noinline
2264	ieee80211_rx_h_defragment(struct ieee80211_rx_data *rx)
2265	{
2266	struct ieee80211_fragment_cache *cache = &rx->sdata->frags;
2267	struct ieee80211_hdr *hdr;
2268	u16 sc;
2269	__le16 fc;
2270	unsigned int frag, seq;
2271	struct ieee80211_fragment_entry *entry;
2272	struct sk_buff *skb;
2273	struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb: rx->skb);
2274
2275	hdr = (struct ieee80211_hdr *)rx->skb->data;
2276	fc = hdr->frame_control;
2277
2278	if (ieee80211_is_ctl(fc) \|\| ieee80211_is_ext(fc))
2279	return RX_CONTINUE;
2280
2281	sc = le16_to_cpu(hdr->seq_ctrl);
2282	frag = sc & IEEE80211_SCTL_FRAG;
2283
2284	if (rx->sta)
2285	cache = &rx->sta->frags;
2286
2287	if (likely(!ieee80211_has_morefrags(fc) && frag == `0`))
2288	goto out;
2289
2290	if (is_multicast_ether_addr(addr: hdr->addr1))
2291	return RX_DROP;
2292
2293	I802_DEBUG_INC(rx->local->rx_handlers_fragments);
2294
2295	if (skb_linearize(skb: rx->skb))
2296	return RX_DROP_U_OOM;
2297
2298	/*
2299	* skb_linearize() might change the skb->data and
2300	* previously cached variables (in this case, hdr) need to
2301	* be refreshed with the new data.
2302	*/
2303	hdr = (struct ieee80211_hdr *)rx->skb->data;
2304	seq = (sc & IEEE80211_SCTL_SEQ) >> `4`;
2305
2306	if (frag == `0`) {
2307	/ This is the first fragment of a new frame. /
2308	entry = ieee80211_reassemble_add(cache, frag, seq,
2309	rx_queue: rx->seqno_idx, skb: &(rx->skb));
2310	if (requires_sequential_pn(rx, fc)) {
2311	int queue = rx->security_idx;
2312
2313	/ Store CCMP/GCMP PN so that we can verify that the*
2314	* next fragment has a sequential PN value.
2315	*/
2316	entry->check_sequential_pn = true;
2317	entry->is_protected = true;
2318	entry->key_color = rx->key->color;
2319	memcpy(to: entry->last_pn,
2320	from: rx->key->u.ccmp.rx_pn[queue],
2321	IEEE80211_CCMP_PN_LEN);
2322	BUILD_BUG_ON(offsetof(struct ieee80211_key,
2323	u.ccmp.rx_pn) !=
2324	offsetof(struct ieee80211_key,
2325	u.gcmp.rx_pn));
2326	BUILD_BUG_ON(sizeof(rx->key->u.ccmp.rx_pn[queue]) !=
2327	sizeof(rx->key->u.gcmp.rx_pn[queue]));
2328	BUILD_BUG_ON(IEEE80211_CCMP_PN_LEN !=
2329	IEEE80211_GCMP_PN_LEN);
2330	} else if (rx->key &&
2331	(ieee80211_has_protected(fc) \|\|
2332	(status->flag & RX_FLAG_DECRYPTED))) {
2333	entry->is_protected = true;
2334	entry->key_color = rx->key->color;
2335	}
2336	return RX_QUEUED;
2337	}
2338
2339	/ This is a fragment for a frame that should already be pending in*
2340	* fragment cache. Add this fragment to the end of the pending entry.
2341	*/
2342	entry = ieee80211_reassemble_find(cache, frag, seq,
2343	rx_queue: rx->seqno_idx, hdr);
2344	if (!entry) {
2345	I802_DEBUG_INC(rx->local->rx_handlers_drop_defrag);
2346	return RX_DROP;
2347	}
2348
2349	/ "The receiver shall discard MSDUs and MMPDUs whose constituent*
2350	* MPDU PN values are not incrementing in steps of 1."
2351	* see IEEE P802.11-REVmc/D5.0, 12.5.3.4.4, item d (for CCMP)
2352	* and IEEE P802.11-REVmc/D5.0, 12.5.5.4.4, item d (for GCMP)
2353	*/
2354	if (entry->check_sequential_pn) {
2355	int i;
2356	u8 pn[IEEE80211_CCMP_PN_LEN], *rpn;
2357
2358	if (!requires_sequential_pn(rx, fc))
2359	return RX_DROP_U_NONSEQ_PN;
2360
2361	/ Prevent mixed key and fragment cache attacks /
2362	if (entry->key_color != rx->key->color)
2363	return RX_DROP_U_BAD_KEY_COLOR;
2364
2365	memcpy(to: pn, from: entry->last_pn, IEEE80211_CCMP_PN_LEN);
2366	for (i = IEEE80211_CCMP_PN_LEN - `1`; i >= `0`; i--) {
2367	pn[i]++;
2368	if (pn[i])
2369	break;
2370	}
2371
2372	rpn = rx->ccm_gcm.pn;
2373	if (memcmp(pn, rpn, IEEE80211_CCMP_PN_LEN))
2374	return RX_DROP_U_REPLAY;
2375	memcpy(to: entry->last_pn, from: pn, IEEE80211_CCMP_PN_LEN);
2376	} else if (entry->is_protected &&
2377	(!rx->key \|\|
2378	(!ieee80211_has_protected(fc) &&
2379	!(status->flag & RX_FLAG_DECRYPTED)) \|\|
2380	rx->key->color != entry->key_color)) {
2381	/ Drop this as a mixed key or fragment cache attack, even*
2382	* if for TKIP Michael MIC should protect us, and WEP is a
2383	* lost cause anyway.
2384	*/
2385	return RX_DROP_U_EXPECT_DEFRAG_PROT;
2386	} else if (entry->is_protected && rx->key &&
2387	entry->key_color != rx->key->color &&
2388	(status->flag & RX_FLAG_DECRYPTED)) {
2389	return RX_DROP_U_BAD_KEY_COLOR;
2390	}
2391
2392	skb_pull(skb: rx->skb, len: ieee80211_hdrlen(fc));
2393	__skb_queue_tail(list: &entry->skb_list, newsk: rx->skb);
2394	entry->last_frag = frag;
2395	entry->extra_len += rx->skb->len;
2396	if (ieee80211_has_morefrags(fc)) {
2397	rx->skb = NULL;
2398	return RX_QUEUED;
2399	}
2400
2401	rx->skb = __skb_dequeue(list: &entry->skb_list);
2402	if (skb_tailroom(skb: rx->skb) < entry->extra_len) {
2403	I802_DEBUG_INC(rx->local->rx_expand_skb_head_defrag);
2404	if (unlikely(pskb_expand_head(rx->skb, `0`, entry->extra_len,
2405	GFP_ATOMIC))) {
2406	I802_DEBUG_INC(rx->local->rx_handlers_drop_defrag);
2407	__skb_queue_purge(list: &entry->skb_list);
2408	return RX_DROP_U_OOM;
2409	}
2410	}
2411	while ((skb = __skb_dequeue(list: &entry->skb_list))) {
2412	skb_put_data(skb: rx->skb, data: skb->data, len: skb->len);
2413	dev_kfree_skb(skb);
2414	}
2415
2416	out:
2417	ieee80211_led_rx(local: rx->local);
2418	if (rx->sta)
2419	rx->link_sta->rx_stats.packets++;
2420	return RX_CONTINUE;
2421	}
2422
2423	static int ieee80211_802_1x_port_control(struct ieee80211_rx_data *rx)
2424	{
2425	if (unlikely(!rx->sta \|\| !test_sta_flag(rx->sta, WLAN_STA_AUTHORIZED)))
2426	return -EACCES;
2427
2428	return `0`;
2429	}
2430
2431	static int ieee80211_drop_unencrypted(struct ieee80211_rx_data *rx, __le16 fc)
2432	{
2433	struct sk_buff *skb = rx->skb;
2434	struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb);
2435
2436	/*
2437	* Pass through unencrypted frames if the hardware has
2438	* decrypted them already.
2439	*/
2440	if (status->flag & RX_FLAG_DECRYPTED)
2441	return `0`;
2442
2443	/ Drop unencrypted frames if key is set. /
2444	if (unlikely(!ieee80211_has_protected(fc) &&
2445	!ieee80211_is_any_nullfunc(fc) &&
2446	ieee80211_is_data(fc) && rx->key))
2447	return -EACCES;
2448
2449	return `0`;
2450	}
2451
2452	VISIBLE_IF_MAC80211_KUNIT ieee80211_rx_result
2453	ieee80211_drop_unencrypted_mgmt(struct ieee80211_rx_data *rx)
2454	{
2455	struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb: rx->skb);
2456	struct ieee80211_mgmt mgmt = (void* *)rx->skb->data;
2457	__le16 fc = mgmt->frame_control;
2458
2459	/*
2460	* Pass through unencrypted frames if the hardware has
2461	* decrypted them already.
2462	*/
2463	if (status->flag & RX_FLAG_DECRYPTED)
2464	return RX_CONTINUE;
2465
2466	/ drop unicast protected dual (that wasn't protected) /
2467	if (ieee80211_is_action(fc) &&
2468	mgmt->u.action.category == WLAN_CATEGORY_PROTECTED_DUAL_OF_ACTION)
2469	return RX_DROP_U_UNPROT_DUAL;
2470
2471	if (rx->sta && test_sta_flag(sta: rx->sta, flag: WLAN_STA_MFP)) {
2472	if (unlikely(!ieee80211_has_protected(fc) &&
2473	ieee80211_is_unicast_robust_mgmt_frame(rx->skb))) {
2474	if (ieee80211_is_deauth(fc) \|\|
2475	ieee80211_is_disassoc(fc)) {
2476	/*
2477	* Permit unprotected deauth/disassoc frames
2478	* during 4-way-HS (key is installed after HS).
2479	*/
2480	if (!rx->key)
2481	return RX_CONTINUE;
2482
2483	cfg80211_rx_unprot_mlme_mgmt(dev: rx->sdata->dev,
2484	buf: rx->skb->data,
2485	len: rx->skb->len);
2486	}
2487	return RX_DROP_U_UNPROT_UCAST_MGMT;
2488	}
2489	/ BIP does not use Protected field, so need to check MMIE /
2490	if (unlikely(ieee80211_is_multicast_robust_mgmt_frame(rx->skb) &&
2491	ieee80211_get_mmie_keyidx(rx->skb) < `0`)) {
2492	if (ieee80211_is_deauth(fc) \|\|
2493	ieee80211_is_disassoc(fc))
2494	cfg80211_rx_unprot_mlme_mgmt(dev: rx->sdata->dev,
2495	buf: rx->skb->data,
2496	len: rx->skb->len);
2497	return RX_DROP_U_UNPROT_MCAST_MGMT;
2498	}
2499	if (unlikely(ieee80211_is_beacon(fc) && rx->key &&
2500	ieee80211_get_mmie_keyidx(rx->skb) < `0`)) {
2501	cfg80211_rx_unprot_mlme_mgmt(dev: rx->sdata->dev,
2502	buf: rx->skb->data,
2503	len: rx->skb->len);
2504	return RX_DROP_U_UNPROT_BEACON;
2505	}
2506	/*
2507	* When using MFP, Action frames are not allowed prior to
2508	* having configured keys.
2509	*/
2510	if (unlikely(ieee80211_is_action(fc) && !rx->key &&
2511	ieee80211_is_robust_mgmt_frame(rx->skb)))
2512	return RX_DROP_U_UNPROT_ACTION;
2513
2514	/ drop unicast public action frames when using MPF /
2515	if (is_unicast_ether_addr(addr: mgmt->da) &&
2516	ieee80211_is_protected_dual_of_public_action(skb: rx->skb))
2517	return RX_DROP_U_UNPROT_UNICAST_PUB_ACTION;
2518	}
2519
2520	/*
2521	* Drop robust action frames before assoc regardless of MFP state,
2522	* after assoc we also have decided on MFP or not.
2523	*/
2524	if (ieee80211_is_action(fc) &&
2525	ieee80211_is_robust_mgmt_frame(skb: rx->skb) &&
2526	(!rx->sta \|\| !test_sta_flag(sta: rx->sta, flag: WLAN_STA_ASSOC)))
2527	return RX_DROP_U_UNPROT_ROBUST_ACTION;
2528
2529	return RX_CONTINUE;
2530	}
2531	EXPORT_SYMBOL_IF_MAC80211_KUNIT(ieee80211_drop_unencrypted_mgmt);
2532
2533	static ieee80211_rx_result
2534	__ieee80211_data_to_8023(struct ieee80211_rx_data rx, bool port_control)
2535	{
2536	struct ieee80211_sub_if_data *sdata = rx->sdata;
2537	struct ieee80211_hdr hdr = (struct* ieee80211_hdr *)rx->skb->data;
2538	bool check_port_control = false;
2539	struct ethhdr *ehdr;
2540	int ret;
2541
2542	*port_control = false;
2543	if (ieee80211_has_a4(fc: hdr->frame_control) &&
2544	sdata->vif.type == NL80211_IFTYPE_AP_VLAN && !sdata->u.vlan.sta)
2545	return RX_DROP_U_UNEXPECTED_VLAN_4ADDR;
2546
2547	if (sdata->vif.type == NL80211_IFTYPE_STATION &&
2548	!!sdata->u.mgd.use_4addr != !!ieee80211_has_a4(fc: hdr->frame_control)) {
2549	if (!sdata->u.mgd.use_4addr)
2550	return RX_DROP_U_UNEXPECTED_STA_4ADDR;
2551	else if (!ether_addr_equal(addr1: hdr->addr1, addr2: sdata->vif.addr))
2552	check_port_control = true;
2553	}
2554
2555	if (is_multicast_ether_addr(addr: hdr->addr1) &&
2556	sdata->vif.type == NL80211_IFTYPE_AP_VLAN && sdata->u.vlan.sta)
2557	return RX_DROP_U_UNEXPECTED_VLAN_MCAST;
2558
2559	ret = ieee80211_data_to_8023(skb: rx->skb, addr: sdata->vif.addr, iftype: sdata->vif.type);
2560	if (ret < `0`)
2561	return RX_DROP_U_INVALID_8023;
2562
2563	ehdr = (struct ethhdr *) rx->skb->data;
2564	if (ehdr->h_proto == rx->sdata->control_port_protocol)
2565	*port_control = true;
2566	else if (check_port_control)
2567	return RX_DROP_U_NOT_PORT_CONTROL;
2568
2569	return RX_CONTINUE;
2570	}
2571
2572	bool ieee80211_is_our_addr(struct ieee80211_sub_if_data *sdata,
2573	const u8 addr, int* *out_link_id)
2574	{
2575	unsigned int link_id;
2576
2577	/ non-MLO, or MLD address replaced by hardware /
2578	if (ether_addr_equal(addr1: sdata->vif.addr, addr2: addr))
2579	return true;
2580
2581	if (!ieee80211_vif_is_mld(vif: &sdata->vif))
2582	return false;
2583
2584	for (link_id = `0`; link_id < ARRAY_SIZE(sdata->vif.link_conf); link_id++) {
2585	struct ieee80211_bss_conf *conf;
2586
2587	conf = rcu_dereference(sdata->vif.link_conf[link_id]);
2588
2589	if (!conf)
2590	continue;
2591	if (ether_addr_equal(addr1: conf->addr, addr2: addr)) {
2592	if (out_link_id)
2593	*out_link_id = link_id;
2594	return true;
2595	}
2596	}
2597
2598	return false;
2599	}
2600
2601	/*
2602	* requires that rx->skb is a frame with ethernet header
2603	*/
2604	static bool ieee80211_frame_allowed(struct ieee80211_rx_data *rx, __le16 fc)
2605	{
2606	static const u8 pae_group_addr[ETH_ALEN] __aligned(`2`)
2607	= { `0x01`, `0x80`, `0xC2`, `0x00`, `0x00`, `0x03` };
2608	struct ethhdr ehdr = (struct* ethhdr *) rx->skb->data;
2609
2610	/*
2611	* Allow EAPOL frames to us/the PAE group address regardless of
2612	* whether the frame was encrypted or not, and always disallow
2613	* all other destination addresses for them.
2614	*/
2615	if (unlikely(ehdr->h_proto == rx->sdata->control_port_protocol))
2616	return ieee80211_is_our_addr(sdata: rx->sdata, addr: ehdr->h_dest, NULL) \|\|
2617	ether_addr_equal(addr1: ehdr->h_dest, addr2: pae_group_addr);
2618
2619	if (ieee80211_802_1x_port_control(rx) \|\|
2620	ieee80211_drop_unencrypted(rx, fc))
2621	return false;
2622
2623	return true;
2624	}
2625
2626	static void ieee80211_deliver_skb_to_local_stack(struct sk_buff *skb,
2627	struct ieee80211_rx_data *rx)
2628	{
2629	struct ieee80211_sub_if_data *sdata = rx->sdata;
2630	struct net_device *dev = sdata->dev;
2631
2632	if (unlikely((skb->protocol == sdata->control_port_protocol \|\|
2633	(skb->protocol == cpu_to_be16(ETH_P_PREAUTH) &&
2634	!sdata->control_port_no_preauth)) &&
2635	sdata->control_port_over_nl80211)) {
2636	struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb);
2637	bool noencrypt = !(status->flag & RX_FLAG_DECRYPTED);
2638
2639	cfg80211_rx_control_port(dev, skb, unencrypted: noencrypt, link_id: rx->link_id);
2640	dev_kfree_skb(skb);
2641	} else {
2642	struct ethhdr ehdr = (void* *)skb_mac_header(skb);
2643
2644	memset(s: skb->cb, c: `0`, n: sizeof(skb->cb));
2645
2646	/*
2647	* 802.1X over 802.11 requires that the authenticator address
2648	* be used for EAPOL frames. However, 802.1X allows the use of
2649	* the PAE group address instead. If the interface is part of
2650	* a bridge and we pass the frame with the PAE group address,
2651	* then the bridge will forward it to the network (even if the
2652	* client was not associated yet), which isn't supposed to
2653	* happen.
2654	* To avoid that, rewrite the destination address to our own
2655	* address, so that the authenticator (e.g. hostapd) will see
2656	* the frame, but bridge won't forward it anywhere else. Note
2657	* that due to earlier filtering, the only other address can
2658	* be the PAE group address, unless the hardware allowed them
2659	* through in 802.3 offloaded mode.
2660	*/
2661	if (unlikely(skb->protocol == sdata->control_port_protocol &&
2662	!ether_addr_equal(ehdr->h_dest, sdata->vif.addr)))
2663	ether_addr_copy(dst: ehdr->h_dest, src: sdata->vif.addr);
2664
2665	/ deliver to local stack /
2666	if (rx->list)
2667	list_add_tail(new: &skb->list, head: rx->list);
2668	else
2669	netif_receive_skb(skb);
2670	}
2671	}
2672
2673	/*
2674	* requires that rx->skb is a frame with ethernet header
2675	*/
2676	static void
2677	ieee80211_deliver_skb(struct ieee80211_rx_data *rx)
2678	{
2679	struct ieee80211_sub_if_data *sdata = rx->sdata;
2680	struct net_device *dev = sdata->dev;
2681	struct sk_buff skb, xmit_skb;
2682	struct ethhdr ehdr = (struct* ethhdr *) rx->skb->data;
2683	struct sta_info *dsta;
2684
2685	skb = rx->skb;
2686	xmit_skb = NULL;
2687
2688	dev_sw_netstats_rx_add(dev, len: skb->len);
2689
2690	if (rx->sta) {
2691	/ The seqno index has the same property as needed*
2692	* for the rx_msdu field, i.e. it is IEEE80211_NUM_TIDS
2693	* for non-QoS-data frames. Here we know it's a data
2694	* frame, so count MSDUs.
2695	*/
2696	u64_stats_update_begin(syncp: &rx->link_sta->rx_stats.syncp);
2697	rx->link_sta->rx_stats.msdu[rx->seqno_idx]++;
2698	u64_stats_update_end(syncp: &rx->link_sta->rx_stats.syncp);
2699	}
2700
2701	if ((sdata->vif.type == NL80211_IFTYPE_AP \|\|
2702	sdata->vif.type == NL80211_IFTYPE_AP_VLAN) &&
2703	!(sdata->flags & IEEE80211_SDATA_DONT_BRIDGE_PACKETS) &&
2704	ehdr->h_proto != rx->sdata->control_port_protocol &&
2705	(sdata->vif.type != NL80211_IFTYPE_AP_VLAN \|\| !sdata->u.vlan.sta)) {
2706	if (is_multicast_ether_addr(addr: ehdr->h_dest) &&
2707	ieee80211_vif_get_num_mcast_if(sdata) != `0`) {
2708	/*
2709	* send multicast frames both to higher layers in
2710	* local net stack and back to the wireless medium
2711	*/
2712	xmit_skb = skb_copy(skb, GFP_ATOMIC);
2713	if (!xmit_skb)
2714	net_info_ratelimited("%s: failed to clone multicast frame\n",
2715	dev->name);
2716	} else if (!is_multicast_ether_addr(addr: ehdr->h_dest) &&
2717	!ether_addr_equal(addr1: ehdr->h_dest, addr2: ehdr->h_source)) {
2718	dsta = sta_info_get(sdata, addr: ehdr->h_dest);
2719	if (dsta) {
2720	/*
2721	* The destination station is associated to
2722	* this AP (in this VLAN), so send the frame
2723	* directly to it and do not pass it to local
2724	* net stack.
2725	*/
2726	xmit_skb = skb;
2727	skb = NULL;
2728	}
2729	}
2730	}
2731
2732	#ifndef CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS
2733	if (skb) {
2734	/ 'align' will only take the values 0 or 2 here since all*
2735	* frames are required to be aligned to 2-byte boundaries
2736	* when being passed to mac80211; the code here works just
2737	* as well if that isn't true, but mac80211 assumes it can
2738	* access fields as 2-byte aligned (e.g. for ether_addr_equal)
2739	*/
2740	int align;
2741
2742	align = (unsigned long)(skb->data + sizeof(struct ethhdr)) & `3`;
2743	if (align) {
2744	if (WARN_ON(skb_headroom(skb) < `3`)) {
2745	dev_kfree_skb(skb);
2746	skb = NULL;
2747	} else {
2748	u8 *data = skb->data;
2749	size_t len = skb_headlen(skb);
2750	skb->data -= align;
2751	memmove(skb->data, data, len);
2752	skb_set_tail_pointer(skb, len);
2753	}
2754	}
2755	}
2756	#endif
2757
2758	if (skb) {
2759	skb->protocol = eth_type_trans(skb, dev);
2760	ieee80211_deliver_skb_to_local_stack(skb, rx);
2761	}
2762
2763	if (xmit_skb) {
2764	/*
2765	* Send to wireless media and increase priority by 256 to
2766	* keep the received priority instead of reclassifying
2767	* the frame (see cfg80211_classify8021d).
2768	*/
2769	xmit_skb->priority += `256`;
2770	xmit_skb->protocol = htons(ETH_P_802_3);
2771	skb_reset_network_header(skb: xmit_skb);
2772	skb_reset_mac_header(skb: xmit_skb);
2773	dev_queue_xmit(skb: xmit_skb);
2774	}
2775	}
2776
2777	#ifdef CONFIG_MAC80211_MESH
2778	static bool
2779	ieee80211_rx_mesh_fast_forward(struct ieee80211_sub_if_data *sdata,
2780	struct sk_buff skb, int* hdrlen)
2781	{
2782	struct ieee80211_if_mesh *ifmsh = &sdata->u.mesh;
2783	struct ieee80211_mesh_fast_tx_key key = {
2784	.type = MESH_FAST_TX_TYPE_FORWARDED
2785	};
2786	struct ieee80211_mesh_fast_tx *entry;
2787	struct ieee80211s_hdr *mesh_hdr;
2788	struct tid_ampdu_tx *tid_tx;
2789	struct sta_info *sta;
2790	struct ethhdr eth;
2791	u8 tid;
2792
2793	mesh_hdr = (struct ieee80211s_hdr )(skb->data + sizeof*(eth));
2794	if ((mesh_hdr->flags & MESH_FLAGS_AE) == MESH_FLAGS_AE_A5_A6)
2795	ether_addr_copy(key.addr, mesh_hdr->eaddr1);
2796	else if (!(mesh_hdr->flags & MESH_FLAGS_AE))
2797	ether_addr_copy(key.addr, skb->data);
2798	else
2799	return false;
2800
2801	entry = mesh_fast_tx_get(sdata, &key);
2802	if (!entry)
2803	return false;
2804
2805	sta = rcu_dereference(entry->mpath->next_hop);
2806	if (!sta)
2807	return false;
2808
2809	if (skb_linearize(skb))
2810	return false;
2811
2812	tid = skb->priority & IEEE80211_QOS_CTL_TAG1D_MASK;
2813	tid_tx = rcu_dereference(sta->ampdu_mlme.tid_tx[tid]);
2814	if (tid_tx) {
2815	if (!test_bit(HT_AGG_STATE_OPERATIONAL, &tid_tx->state))
2816	return false;
2817
2818	if (tid_tx->timeout)
2819	tid_tx->last_tx = jiffies;
2820	}
2821
2822	ieee80211_aggr_check(sdata, sta, skb);
2823
2824	if (ieee80211_get_8023_tunnel_proto(skb->data + hdrlen,
2825	&skb->protocol))
2826	hdrlen += ETH_ALEN;
2827	else
2828	skb->protocol = htons(skb->len - hdrlen);
2829	skb_set_network_header(skb, hdrlen + `2`);
2830
2831	skb->dev = sdata->dev;
2832	memcpy(&eth, skb->data, ETH_HLEN - `2`);
2833	skb_pull(skb, `2`);
2834	__ieee80211_xmit_fast(sdata, sta, &entry->fast_tx, skb, tid_tx,
2835	eth.h_dest, eth.h_source);
2836	IEEE80211_IFSTA_MESH_CTR_INC(ifmsh, fwded_unicast);
2837	IEEE80211_IFSTA_MESH_CTR_INC(ifmsh, fwded_frames);
2838
2839	return true;
2840	}
2841	#endif
2842
2843	static ieee80211_rx_result
2844	ieee80211_rx_mesh_data(struct ieee80211_sub_if_data sdata, struct* sta_info *sta,
2845	struct sk_buff *skb)
2846	{
2847	#ifdef CONFIG_MAC80211_MESH
2848	struct ieee80211_if_mesh *ifmsh = &sdata->u.mesh;
2849	struct ieee80211_local *local = sdata->local;
2850	uint16_t fc = IEEE80211_FTYPE_DATA \| IEEE80211_STYPE_QOS_DATA;
2851	struct ieee80211_hdr hdr = {
2852	.frame_control = cpu_to_le16(fc)
2853	};
2854	struct ieee80211_hdr *fwd_hdr;
2855	struct ieee80211s_hdr *mesh_hdr;
2856	struct ieee80211_tx_info *info;
2857	struct sk_buff *fwd_skb;
2858	struct ethhdr *eth;
2859	bool multicast;
2860	int tailroom = `0`;
2861	int hdrlen, mesh_hdrlen;
2862	u8 *qos;
2863
2864	if (!ieee80211_vif_is_mesh(&sdata->vif))
2865	return RX_CONTINUE;
2866
2867	if (!pskb_may_pull(skb, sizeof(*eth) + `6`))
2868	return RX_DROP;
2869
2870	mesh_hdr = (struct ieee80211s_hdr )(skb->data + sizeof(eth));
2871	mesh_hdrlen = ieee80211_get_mesh_hdrlen(mesh_hdr);
2872
2873	if (!pskb_may_pull(skb, sizeof(*eth) + mesh_hdrlen))
2874	return RX_DROP;
2875
2876	eth = (struct ethhdr *)skb->data;
2877	multicast = is_multicast_ether_addr(eth->h_dest);
2878
2879	mesh_hdr = (struct ieee80211s_hdr *)(eth + `1`);
2880	if (!mesh_hdr->ttl)
2881	return RX_DROP;
2882
2883	/ frame is in RMC, don't forward /
2884	if (is_multicast_ether_addr(eth->h_dest) &&
2885	mesh_rmc_check(sdata, eth->h_source, mesh_hdr))
2886	return RX_DROP;
2887
2888	/ forward packet /
2889	if (sdata->crypto_tx_tailroom_needed_cnt)
2890	tailroom = IEEE80211_ENCRYPT_TAILROOM;
2891
2892	if (mesh_hdr->flags & MESH_FLAGS_AE) {
2893	struct mesh_path *mppath;
2894	char *proxied_addr;
2895	bool update = false;
2896
2897	if (multicast)
2898	proxied_addr = mesh_hdr->eaddr1;
2899	else if ((mesh_hdr->flags & MESH_FLAGS_AE) == MESH_FLAGS_AE_A5_A6)
2900	/ has_a4 already checked in ieee80211_rx_mesh_check /
2901	proxied_addr = mesh_hdr->eaddr2;
2902	else
2903	return RX_DROP;
2904
2905	rcu_read_lock();
2906	mppath = mpp_path_lookup(sdata, proxied_addr);
2907	if (!mppath) {
2908	mpp_path_add(sdata, proxied_addr, eth->h_source);
2909	} else {
2910	spin_lock_bh(&mppath->state_lock);
2911	if (!ether_addr_equal(mppath->mpp, eth->h_source)) {
2912	memcpy(mppath->mpp, eth->h_source, ETH_ALEN);
2913	update = true;
2914	}
2915	mppath->exp_time = jiffies;
2916	spin_unlock_bh(&mppath->state_lock);
2917	}
2918
2919	/ flush fast xmit cache if the address path changed /
2920	if (update)
2921	mesh_fast_tx_flush_addr(sdata, proxied_addr);
2922
2923	rcu_read_unlock();
2924	}
2925
2926	/ Frame has reached destination. Don't forward /
2927	if (ether_addr_equal(sdata->vif.addr, eth->h_dest))
2928	goto rx_accept;
2929
2930	if (!--mesh_hdr->ttl) {
2931	if (multicast)
2932	goto rx_accept;
2933
2934	IEEE80211_IFSTA_MESH_CTR_INC(ifmsh, dropped_frames_ttl);
2935	return RX_DROP;
2936	}
2937
2938	if (!ifmsh->mshcfg.dot11MeshForwarding) {
2939	if (is_multicast_ether_addr(eth->h_dest))
2940	goto rx_accept;
2941
2942	return RX_DROP;
2943	}
2944
2945	skb_set_queue_mapping(skb, ieee802_1d_to_ac[skb->priority]);
2946
2947	if (!multicast &&
2948	ieee80211_rx_mesh_fast_forward(sdata, skb, mesh_hdrlen))
2949	return RX_QUEUED;
2950
2951	ieee80211_fill_mesh_addresses(&hdr, &hdr.frame_control,
2952	eth->h_dest, eth->h_source);
2953	hdrlen = ieee80211_hdrlen(hdr.frame_control);
2954	if (multicast) {
2955	int extra_head = sizeof(struct ieee80211_hdr) - sizeof(*eth);
2956
2957	fwd_skb = skb_copy_expand(skb, local->tx_headroom + extra_head +
2958	IEEE80211_ENCRYPT_HEADROOM,
2959	tailroom, GFP_ATOMIC);
2960	if (!fwd_skb)
2961	goto rx_accept;
2962	} else {
2963	fwd_skb = skb;
2964	skb = NULL;
2965
2966	if (skb_cow_head(fwd_skb, hdrlen - sizeof(struct ethhdr)))
2967	return RX_DROP_U_OOM;
2968
2969	if (skb_linearize(fwd_skb))
2970	return RX_DROP_U_OOM;
2971	}
2972
2973	fwd_hdr = skb_push(fwd_skb, hdrlen - sizeof(struct ethhdr));
2974	memcpy(fwd_hdr, &hdr, hdrlen - `2`);
2975	qos = ieee80211_get_qos_ctl(fwd_hdr);
2976	qos[`0`] = qos[`1`] = `0`;
2977
2978	skb_reset_mac_header(fwd_skb);
2979	hdrlen += mesh_hdrlen;
2980	if (ieee80211_get_8023_tunnel_proto(fwd_skb->data + hdrlen,
2981	&fwd_skb->protocol))
2982	hdrlen += ETH_ALEN;
2983	else
2984	fwd_skb->protocol = htons(fwd_skb->len - hdrlen);
2985	skb_set_network_header(fwd_skb, hdrlen + `2`);
2986
2987	info = IEEE80211_SKB_CB(fwd_skb);
2988	memset(info, `0`, sizeof(*info));
2989	info->control.flags \|= IEEE80211_TX_INTCFL_NEED_TXPROCESSING;
2990	info->control.vif = &sdata->vif;
2991	info->control.jiffies = jiffies;
2992	fwd_skb->dev = sdata->dev;
2993	if (multicast) {
2994	IEEE80211_IFSTA_MESH_CTR_INC(ifmsh, fwded_mcast);
2995	memcpy(fwd_hdr->addr2, sdata->vif.addr, ETH_ALEN);
2996	/ update power mode indication when forwarding /
2997	ieee80211_mps_set_frame_flags(sdata, NULL, fwd_hdr);
2998	} else if (!mesh_nexthop_lookup(sdata, fwd_skb)) {
2999	/ mesh power mode flags updated in mesh_nexthop_lookup /
3000	IEEE80211_IFSTA_MESH_CTR_INC(ifmsh, fwded_unicast);
3001	} else {
3002	/ unable to resolve next hop /
3003	if (sta)
3004	mesh_path_error_tx(sdata, ifmsh->mshcfg.element_ttl,
3005	hdr.addr3, `0`,
3006	WLAN_REASON_MESH_PATH_NOFORWARD,
3007	sta->sta.addr);
3008	IEEE80211_IFSTA_MESH_CTR_INC(ifmsh, dropped_frames_no_route);
3009	kfree_skb(fwd_skb);
3010	goto rx_accept;
3011	}
3012
3013	IEEE80211_IFSTA_MESH_CTR_INC(ifmsh, fwded_frames);
3014	ieee80211_set_qos_hdr(sdata, fwd_skb);
3015	ieee80211_add_pending_skb(local, fwd_skb);
3016
3017	rx_accept:
3018	if (!skb)
3019	return RX_QUEUED;
3020
3021	ieee80211_strip_8023_mesh_hdr(skb);
3022	#endif
3023
3024	return RX_CONTINUE;
3025	}
3026
3027	static ieee80211_rx_result debug_noinline
3028	__ieee80211_rx_h_amsdu(struct ieee80211_rx_data *rx, u8 data_offset)
3029	{
3030	struct net_device *dev = rx->sdata->dev;
3031	struct sk_buff *skb = rx->skb;
3032	struct ieee80211_hdr hdr = (struct* ieee80211_hdr *)skb->data;
3033	__le16 fc = hdr->frame_control;
3034	struct sk_buff_head frame_list;
3035	struct ethhdr ethhdr;
3036	const u8 check_da = ethhdr.h_dest, check_sa = ethhdr.h_source;
3037
3038	if (unlikely(ieee80211_has_a4(hdr->frame_control))) {
3039	check_da = NULL;
3040	check_sa = NULL;
3041	} else switch (rx->sdata->vif.type) {
3042	case NL80211_IFTYPE_AP:
3043	case NL80211_IFTYPE_AP_VLAN:
3044	check_da = NULL;
3045	break;
3046	case NL80211_IFTYPE_STATION:
3047	if (!test_sta_flag(sta: rx->sta, flag: WLAN_STA_TDLS_PEER))
3048	check_sa = NULL;
3049	break;
3050	case NL80211_IFTYPE_MESH_POINT:
3051	check_sa = NULL;
3052	check_da = NULL;
3053	break;
3054	default:
3055	break;
3056	}
3057
3058	skb->dev = dev;
3059	__skb_queue_head_init(list: &frame_list);
3060
3061	if (ieee80211_data_to_8023_exthdr(skb, ehdr: &ethhdr,
3062	addr: rx->sdata->vif.addr,
3063	iftype: rx->sdata->vif.type,
3064	data_offset, is_amsdu: true))
3065	return RX_DROP_U_BAD_AMSDU;
3066
3067	if (rx->sta->amsdu_mesh_control < `0`) {
3068	s8 valid = -`1`;
3069	int i;
3070
3071	for (i = `0`; i <= `2`; i++) {
3072	if (!ieee80211_is_valid_amsdu(skb, mesh_hdr: i))
3073	continue;
3074
3075	if (valid >= `0`) {
3076	/ ambiguous /
3077	valid = -`1`;
3078	break;
3079	}
3080
3081	valid = i;
3082	}
3083
3084	rx->sta->amsdu_mesh_control = valid;
3085	}
3086
3087	ieee80211_amsdu_to_8023s(skb, list: &frame_list, addr: dev->dev_addr,
3088	iftype: rx->sdata->vif.type,
3089	extra_headroom: rx->local->hw.extra_tx_headroom,
3090	check_da, check_sa,
3091	mesh_control: rx->sta->amsdu_mesh_control);
3092
3093	while (!skb_queue_empty(list: &frame_list)) {
3094	rx->skb = __skb_dequeue(list: &frame_list);
3095
3096	switch (ieee80211_rx_mesh_data(sdata: rx->sdata, sta: rx->sta, skb: rx->skb)) {
3097	case RX_QUEUED:
3098	break;
3099	case RX_CONTINUE:
3100	if (ieee80211_frame_allowed(rx, fc)) {
3101	ieee80211_deliver_skb(rx);
3102	break;
3103	}
3104	fallthrough;
3105	default:
3106	dev_kfree_skb(rx->skb);
3107	}
3108	}
3109
3110	return RX_QUEUED;
3111	}
3112
3113	static ieee80211_rx_result debug_noinline
3114	ieee80211_rx_h_amsdu(struct ieee80211_rx_data *rx)
3115	{
3116	struct sk_buff *skb = rx->skb;
3117	struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb);
3118	struct ieee80211_hdr hdr = (struct* ieee80211_hdr *)skb->data;
3119	__le16 fc = hdr->frame_control;
3120
3121	if (!(status->rx_flags & IEEE80211_RX_AMSDU))
3122	return RX_CONTINUE;
3123
3124	if (unlikely(!ieee80211_is_data(fc)))
3125	return RX_CONTINUE;
3126
3127	if (unlikely(!ieee80211_is_data_present(fc)))
3128	return RX_DROP;
3129
3130	if (unlikely(ieee80211_has_a4(hdr->frame_control))) {
3131	switch (rx->sdata->vif.type) {
3132	case NL80211_IFTYPE_AP_VLAN:
3133	if (!rx->sdata->u.vlan.sta)
3134	return RX_DROP_U_BAD_4ADDR;
3135	break;
3136	case NL80211_IFTYPE_STATION:
3137	if (!rx->sdata->u.mgd.use_4addr)
3138	return RX_DROP_U_BAD_4ADDR;
3139	break;
3140	case NL80211_IFTYPE_MESH_POINT:
3141	break;
3142	default:
3143	return RX_DROP_U_BAD_4ADDR;
3144	}
3145	}
3146
3147	if (is_multicast_ether_addr(addr: hdr->addr1) \|\| !rx->sta)
3148	return RX_DROP_U_BAD_AMSDU;
3149
3150	if (rx->key) {
3151	/*
3152	* We should not receive A-MSDUs on pre-HT connections,
3153	* and HT connections cannot use old ciphers. Thus drop
3154	* them, as in those cases we couldn't even have SPP
3155	* A-MSDUs or such.
3156	*/
3157	switch (rx->key->conf.cipher) {
3158	case WLAN_CIPHER_SUITE_WEP40:
3159	case WLAN_CIPHER_SUITE_WEP104:
3160	case WLAN_CIPHER_SUITE_TKIP:
3161	return RX_DROP_U_BAD_AMSDU_CIPHER;
3162	default:
3163	break;
3164	}
3165	}
3166
3167	return __ieee80211_rx_h_amsdu(rx, data_offset: `0`);
3168	}
3169
3170	static ieee80211_rx_result debug_noinline
3171	ieee80211_rx_h_data(struct ieee80211_rx_data *rx)
3172	{
3173	struct ieee80211_sub_if_data *sdata = rx->sdata;
3174	struct ieee80211_local *local = rx->local;
3175	struct net_device *dev = sdata->dev;
3176	struct ieee80211_hdr hdr = (struct* ieee80211_hdr *)rx->skb->data;
3177	__le16 fc = hdr->frame_control;
3178	ieee80211_rx_result res;
3179	bool port_control;
3180
3181	if (unlikely(!ieee80211_is_data(hdr->frame_control)))
3182	return RX_CONTINUE;
3183
3184	if (unlikely(!ieee80211_is_data_present(hdr->frame_control)))
3185	return RX_DROP;
3186
3187	/ Send unexpected-4addr-frame event to hostapd /
3188	if (ieee80211_has_a4(fc: hdr->frame_control) &&
3189	sdata->vif.type == NL80211_IFTYPE_AP) {
3190	if (rx->sta &&
3191	!test_and_set_sta_flag(sta: rx->sta, flag: WLAN_STA_4ADDR_EVENT))
3192	cfg80211_rx_unexpected_4addr_frame(
3193	dev: rx->sdata->dev, addr: rx->sta->sta.addr, link_id: rx->link_id,
3194	GFP_ATOMIC);
3195	return RX_DROP;
3196	}
3197
3198	res = __ieee80211_data_to_8023(rx, port_control: &port_control);
3199	if (unlikely(res != RX_CONTINUE))
3200	return res;
3201
3202	res = ieee80211_rx_mesh_data(sdata: rx->sdata, sta: rx->sta, skb: rx->skb);
3203	if (res != RX_CONTINUE)
3204	return res;
3205
3206	if (!ieee80211_frame_allowed(rx, fc))
3207	return RX_DROP;
3208
3209	/ directly handle TDLS channel switch requests/responses /
3210	if (unlikely(((struct ethhdr *)rx->skb->data)->h_proto ==
3211	cpu_to_be16(ETH_P_TDLS))) {
3212	struct ieee80211_tdls_data tf = (void* *)rx->skb->data;
3213
3214	if (pskb_may_pull(skb: rx->skb,
3215	offsetof(struct ieee80211_tdls_data, u)) &&
3216	tf->payload_type == WLAN_TDLS_SNAP_RFTYPE &&
3217	tf->category == WLAN_CATEGORY_TDLS &&
3218	(tf->action_code == WLAN_TDLS_CHANNEL_SWITCH_REQUEST \|\|
3219	tf->action_code == WLAN_TDLS_CHANNEL_SWITCH_RESPONSE)) {
3220	rx->skb->protocol = cpu_to_be16(ETH_P_TDLS);
3221	__ieee80211_queue_skb_to_iface(sdata, link_id: rx->link_id,
3222	sta: rx->sta, skb: rx->skb);
3223	return RX_QUEUED;
3224	}
3225	}
3226
3227	if (rx->sdata->vif.type == NL80211_IFTYPE_AP_VLAN &&
3228	unlikely(port_control) && sdata->bss) {
3229	sdata = container_of(sdata->bss, struct ieee80211_sub_if_data,
3230	u.ap);
3231	dev = sdata->dev;
3232	rx->sdata = sdata;
3233	}
3234
3235	rx->skb->dev = dev;
3236
3237	if (!ieee80211_hw_check(&local->hw, SUPPORTS_DYNAMIC_PS) &&
3238	local->ps_sdata && local->hw.conf.dynamic_ps_timeout > `0` &&
3239	!is_multicast_ether_addr(
3240	addr: ((struct ethhdr *)rx->skb->data)->h_dest) &&
3241	(!local->scanning &&
3242	!test_bit(SDATA_STATE_OFFCHANNEL, &sdata->state)))
3243	mod_timer(timer: &local->dynamic_ps_timer, expires: jiffies +
3244	msecs_to_jiffies(m: local->hw.conf.dynamic_ps_timeout));
3245
3246	ieee80211_deliver_skb(rx);
3247
3248	return RX_QUEUED;
3249	}
3250
3251	static ieee80211_rx_result debug_noinline
3252	ieee80211_rx_h_ctrl(struct ieee80211_rx_data rx, struct* sk_buff_head *frames)
3253	{
3254	struct sk_buff *skb = rx->skb;
3255	struct ieee80211_bar bar = (struct* ieee80211_bar *)skb->data;
3256	struct tid_ampdu_rx *tid_agg_rx;
3257	u16 start_seq_num;
3258	u16 tid;
3259
3260	if (likely(!ieee80211_is_ctl(bar->frame_control)))
3261	return RX_CONTINUE;
3262
3263	if (ieee80211_is_back_req(fc: bar->frame_control)) {
3264	struct {
3265	__le16 control, start_seq_num;
3266	} __packed bar_data;
3267	struct ieee80211_event event = {
3268	.type = BAR_RX_EVENT,
3269	};
3270
3271	if (!rx->sta)
3272	return RX_DROP;
3273
3274	if (skb_copy_bits(skb, offsetof(struct ieee80211_bar, control),
3275	to: &bar_data, len: sizeof(bar_data)))
3276	return RX_DROP;
3277
3278	tid = le16_to_cpu(bar_data.control) >> `12`;
3279
3280	if (!test_bit(tid, rx->sta->ampdu_mlme.agg_session_valid) &&
3281	!test_and_set_bit(nr: tid, addr: rx->sta->ampdu_mlme.unexpected_agg))
3282	ieee80211_send_delba(sdata: rx->sdata, da: rx->sta->sta.addr, tid,
3283	initiator: WLAN_BACK_RECIPIENT,
3284	reason_code: WLAN_REASON_QSTA_REQUIRE_SETUP);
3285
3286	tid_agg_rx = rcu_dereference(rx->sta->ampdu_mlme.tid_rx[tid]);
3287	if (!tid_agg_rx)
3288	return RX_DROP;
3289
3290	start_seq_num = le16_to_cpu(bar_data.start_seq_num) >> `4`;
3291	event.u.ba.tid = tid;
3292	event.u.ba.ssn = start_seq_num;
3293	event.u.ba.sta = &rx->sta->sta;
3294
3295	/ reset session timer /
3296	if (tid_agg_rx->timeout)
3297	mod_timer(timer: &tid_agg_rx->session_timer,
3298	TU_TO_EXP_TIME(tid_agg_rx->timeout));
3299
3300	spin_lock(lock: &tid_agg_rx->reorder_lock);
3301	/ release stored frames up to start of BAR /
3302	ieee80211_release_reorder_frames(sdata: rx->sdata, tid_agg_rx,
3303	head_seq_num: start_seq_num, frames);
3304	spin_unlock(lock: &tid_agg_rx->reorder_lock);
3305
3306	drv_event_callback(local: rx->local, sdata: rx->sdata, event: &event);
3307
3308	kfree_skb(skb);
3309	return RX_QUEUED;
3310	}
3311
3312	return RX_DROP;
3313	}
3314
3315	static void ieee80211_process_sa_query_req(struct ieee80211_sub_if_data *sdata,
3316	struct ieee80211_mgmt *mgmt,
3317	size_t len)
3318	{
3319	struct ieee80211_local *local = sdata->local;
3320	struct sk_buff *skb;
3321	struct ieee80211_mgmt *resp;
3322
3323	if (!ether_addr_equal(addr1: mgmt->da, addr2: sdata->vif.addr)) {
3324	/ Not to own unicast address /
3325	return;
3326	}
3327
3328	if (!ether_addr_equal(addr1: mgmt->sa, addr2: sdata->vif.cfg.ap_addr) \|\|
3329	!ether_addr_equal(addr1: mgmt->bssid, addr2: sdata->vif.cfg.ap_addr)) {
3330	/ Not from the current AP or not associated yet. /
3331	return;
3332	}
3333
3334	if (len < `24` + `1` + sizeof(resp->u.action.u.sa_query)) {
3335	/ Too short SA Query request frame /
3336	return;
3337	}
3338
3339	skb = dev_alloc_skb(length: sizeof(*resp) + local->hw.extra_tx_headroom);
3340	if (skb == NULL)
3341	return;
3342
3343	skb_reserve(skb, len: local->hw.extra_tx_headroom);
3344	resp = skb_put_zero(skb, len: `24`);
3345	memcpy(to: resp->da, from: sdata->vif.cfg.ap_addr, ETH_ALEN);
3346	memcpy(to: resp->sa, from: sdata->vif.addr, ETH_ALEN);
3347	memcpy(to: resp->bssid, from: sdata->vif.cfg.ap_addr, ETH_ALEN);
3348	resp->frame_control = cpu_to_le16(IEEE80211_FTYPE_MGMT \|
3349	IEEE80211_STYPE_ACTION);
3350	skb_put(skb, len: `1` + sizeof(resp->u.action.u.sa_query));
3351	resp->u.action.category = WLAN_CATEGORY_SA_QUERY;
3352	resp->u.action.u.sa_query.action = WLAN_ACTION_SA_QUERY_RESPONSE;
3353	memcpy(to: resp->u.action.u.sa_query.trans_id,
3354	from: mgmt->u.action.u.sa_query.trans_id,
3355	WLAN_SA_QUERY_TR_ID_LEN);
3356
3357	ieee80211_tx_skb(sdata, skb);
3358	}
3359
3360	static void
3361	ieee80211_rx_check_bss_color_collision(struct ieee80211_rx_data *rx)
3362	{
3363	struct ieee80211_mgmt mgmt = (void* *)rx->skb->data;
3364	struct ieee80211_bss_conf *bss_conf;
3365	const struct element *ie;
3366	size_t baselen;
3367
3368	if (!wiphy_ext_feature_isset(wiphy: rx->local->hw.wiphy,
3369	ftidx: NL80211_EXT_FEATURE_BSS_COLOR))
3370	return;
3371
3372	if (ieee80211_hw_check(&rx->local->hw, DETECTS_COLOR_COLLISION))
3373	return;
3374
3375	bss_conf = rx->link->conf;
3376	if (bss_conf->csa_active \|\| bss_conf->color_change_active \|\|
3377	!bss_conf->he_bss_color.enabled)
3378	return;
3379
3380	baselen = mgmt->u.beacon.variable - rx->skb->data;
3381	if (baselen > rx->skb->len)
3382	return;
3383
3384	ie = cfg80211_find_ext_elem(ext_eid: WLAN_EID_EXT_HE_OPERATION,
3385	ies: mgmt->u.beacon.variable,
3386	len: rx->skb->len - baselen);
3387	if (ie && ie->datalen >= sizeof(struct ieee80211_he_operation) &&
3388	ie->datalen >= ieee80211_he_oper_size(he_oper_ie: ie->data + `1`)) {
3389	const struct ieee80211_he_operation *he_oper;
3390	u8 color;
3391
3392	he_oper = (void *)(ie->data + `1`);
3393	if (le32_get_bits(v: he_oper->he_oper_params,
3394	IEEE80211_HE_OPERATION_BSS_COLOR_DISABLED))
3395	return;
3396
3397	color = le32_get_bits(v: he_oper->he_oper_params,
3398	IEEE80211_HE_OPERATION_BSS_COLOR_MASK);
3399	if (color == bss_conf->he_bss_color.color)
3400	ieee80211_obss_color_collision_notify(vif: &rx->sdata->vif,
3401	BIT_ULL(color),
3402	link_id: bss_conf->link_id);
3403	}
3404	}
3405
3406	static ieee80211_rx_result debug_noinline
3407	ieee80211_rx_h_mgmt_check(struct ieee80211_rx_data *rx)
3408	{
3409	struct ieee80211_mgmt mgmt = (struct* ieee80211_mgmt *) rx->skb->data;
3410	struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb: rx->skb);
3411
3412	if (ieee80211_is_s1g_beacon(fc: mgmt->frame_control))
3413	return RX_CONTINUE;
3414
3415	/*
3416	* From here on, look only at management frames.
3417	* Data and control frames are already handled,
3418	* and unknown (reserved) frames are useless.
3419	*/
3420	if (rx->skb->len < `24`)
3421	return RX_DROP;
3422
3423	if (!ieee80211_is_mgmt(fc: mgmt->frame_control))
3424	return RX_DROP;
3425
3426	/ drop too small action frames /
3427	if (ieee80211_is_action(fc: mgmt->frame_control) &&
3428	rx->skb->len < IEEE80211_MIN_ACTION_SIZE)
3429	return RX_DROP_U_RUNT_ACTION;
3430
3431	if (rx->sdata->vif.type == NL80211_IFTYPE_AP &&
3432	ieee80211_is_beacon(fc: mgmt->frame_control) &&
3433	!(rx->flags & IEEE80211_RX_BEACON_REPORTED)) {
3434	int sig = `0`;
3435
3436	/ sw bss color collision detection /
3437	ieee80211_rx_check_bss_color_collision(rx);
3438
3439	if (ieee80211_hw_check(&rx->local->hw, SIGNAL_DBM) &&
3440	!(status->flag & RX_FLAG_NO_SIGNAL_VAL))
3441	sig = status->signal;
3442
3443	cfg80211_report_obss_beacon_khz(wiphy: rx->local->hw.wiphy,
3444	frame: rx->skb->data, len: rx->skb->len,
3445	freq: ieee80211_rx_status_to_khz(rx_status: status),
3446	sig_dbm: sig);
3447	rx->flags \|= IEEE80211_RX_BEACON_REPORTED;
3448	}
3449
3450	return ieee80211_drop_unencrypted_mgmt(rx);
3451	}
3452
3453	static bool
3454	ieee80211_process_rx_twt_action(struct ieee80211_rx_data *rx)
3455	{
3456	struct ieee80211_mgmt mgmt = (struct* ieee80211_mgmt *)rx->skb->data;
3457	struct ieee80211_sub_if_data *sdata = rx->sdata;
3458
3459	/ TWT actions are only supported in AP for the moment /
3460	if (sdata->vif.type != NL80211_IFTYPE_AP)
3461	return false;
3462
3463	if (!rx->local->ops->add_twt_setup)
3464	return false;
3465
3466	if (!sdata->vif.bss_conf.twt_responder)
3467	return false;
3468
3469	if (!rx->sta)
3470	return false;
3471
3472	switch (mgmt->u.action.u.s1g.action_code) {
3473	case WLAN_S1G_TWT_SETUP: {
3474	struct ieee80211_twt_setup *twt;
3475
3476	if (rx->skb->len < IEEE80211_MIN_ACTION_SIZE +
3477	`1` + / action code /
3478	sizeof(struct ieee80211_twt_setup) +
3479	`2` / TWT req_type agrt /)
3480	break;
3481
3482	twt = (void *)mgmt->u.action.u.s1g.variable;
3483	if (twt->element_id != WLAN_EID_S1G_TWT)
3484	break;
3485
3486	if (rx->skb->len < IEEE80211_MIN_ACTION_SIZE +
3487	`4` + / action code + token + tlv /
3488	twt->length)
3489	break;
3490
3491	return true; / queue the frame /
3492	}
3493	case WLAN_S1G_TWT_TEARDOWN:
3494	if (rx->skb->len < IEEE80211_MIN_ACTION_SIZE + `2`)
3495	break;
3496
3497	return true; / queue the frame /
3498	default:
3499	break;
3500	}
3501
3502	return false;
3503	}
3504
3505	static ieee80211_rx_result debug_noinline
3506	ieee80211_rx_h_action(struct ieee80211_rx_data *rx)
3507	{
3508	struct ieee80211_local *local = rx->local;
3509	struct ieee80211_sub_if_data *sdata = rx->sdata;
3510	struct ieee80211_mgmt mgmt = (struct* ieee80211_mgmt *) rx->skb->data;
3511	struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb: rx->skb);
3512	int len = rx->skb->len;
3513
3514	if (!ieee80211_is_action(fc: mgmt->frame_control))
3515	return RX_CONTINUE;
3516
3517	if (!rx->sta && mgmt->u.action.category != WLAN_CATEGORY_PUBLIC &&
3518	mgmt->u.action.category != WLAN_CATEGORY_SELF_PROTECTED &&
3519	mgmt->u.action.category != WLAN_CATEGORY_SPECTRUM_MGMT)
3520	return RX_DROP_U_ACTION_UNKNOWN_SRC;
3521
3522	switch (mgmt->u.action.category) {
3523	case WLAN_CATEGORY_HT:
3524	/ reject HT action frames from stations not supporting HT /
3525	if (!rx->link_sta->pub->ht_cap.ht_supported)
3526	goto invalid;
3527
3528	if (sdata->vif.type != NL80211_IFTYPE_STATION &&
3529	sdata->vif.type != NL80211_IFTYPE_MESH_POINT &&
3530	sdata->vif.type != NL80211_IFTYPE_AP_VLAN &&
3531	sdata->vif.type != NL80211_IFTYPE_AP &&
3532	sdata->vif.type != NL80211_IFTYPE_ADHOC)
3533	break;
3534
3535	/ verify action & smps_control/chanwidth are present /
3536	if (len < IEEE80211_MIN_ACTION_SIZE + `2`)
3537	goto invalid;
3538
3539	switch (mgmt->u.action.u.ht_smps.action) {
3540	case WLAN_HT_ACTION_SMPS: {
3541	struct ieee80211_supported_band *sband;
3542	enum ieee80211_smps_mode smps_mode;
3543	struct sta_opmode_info sta_opmode = {};
3544
3545	if (sdata->vif.type != NL80211_IFTYPE_AP &&
3546	sdata->vif.type != NL80211_IFTYPE_AP_VLAN)
3547	goto handled;
3548
3549	/ convert to HT capability /
3550	switch (mgmt->u.action.u.ht_smps.smps_control) {
3551	case WLAN_HT_SMPS_CONTROL_DISABLED:
3552	smps_mode = IEEE80211_SMPS_OFF;
3553	break;
3554	case WLAN_HT_SMPS_CONTROL_STATIC:
3555	smps_mode = IEEE80211_SMPS_STATIC;
3556	break;
3557	case WLAN_HT_SMPS_CONTROL_DYNAMIC:
3558	smps_mode = IEEE80211_SMPS_DYNAMIC;
3559	break;
3560	default:
3561	goto invalid;
3562	}
3563
3564	/ if no change do nothing /
3565	if (rx->link_sta->pub->smps_mode == smps_mode)
3566	goto handled;
3567	rx->link_sta->pub->smps_mode = smps_mode;
3568	sta_opmode.smps_mode =
3569	ieee80211_smps_mode_to_smps_mode(smps: smps_mode);
3570	sta_opmode.changed = STA_OPMODE_SMPS_MODE_CHANGED;
3571
3572	sband = rx->local->hw.wiphy->bands[status->band];
3573
3574	rate_control_rate_update(local, sband, link_sta: rx->link_sta,
3575	changed: IEEE80211_RC_SMPS_CHANGED);
3576	cfg80211_sta_opmode_change_notify(dev: sdata->dev,
3577	mac: rx->sta->addr,
3578	sta_opmode: &sta_opmode,
3579	GFP_ATOMIC);
3580	goto handled;
3581	}
3582	case WLAN_HT_ACTION_NOTIFY_CHANWIDTH: {
3583	u8 chanwidth = mgmt->u.action.u.ht_notify_cw.chanwidth;
3584
3585	if (chanwidth != IEEE80211_HT_CHANWIDTH_20MHZ &&
3586	chanwidth != IEEE80211_HT_CHANWIDTH_ANY)
3587	goto invalid;
3588
3589	/ If it doesn't support 40 MHz it can't change ... /
3590	if (!(rx->link_sta->pub->ht_cap.cap &
3591	IEEE80211_HT_CAP_SUP_WIDTH_20_40))
3592	goto handled;
3593
3594	goto queue;
3595	}
3596	default:
3597	goto invalid;
3598	}
3599
3600	break;
3601	case WLAN_CATEGORY_PUBLIC:
3602	case WLAN_CATEGORY_PROTECTED_DUAL_OF_ACTION:
3603	if (len < IEEE80211_MIN_ACTION_SIZE + `1`)
3604	goto invalid;
3605	if (sdata->vif.type != NL80211_IFTYPE_STATION)
3606	break;
3607	if (!rx->sta)
3608	break;
3609	if (!ether_addr_equal(addr1: mgmt->bssid, addr2: sdata->deflink.u.mgd.bssid))
3610	break;
3611	if (mgmt->u.action.u.ext_chan_switch.action_code !=
3612	WLAN_PUB_ACTION_EXT_CHANSW_ANN)
3613	break;
3614	if (len < offsetof(struct ieee80211_mgmt,
3615	u.action.u.ext_chan_switch.variable))
3616	goto invalid;
3617	goto queue;
3618	case WLAN_CATEGORY_VHT:
3619	if (sdata->vif.type != NL80211_IFTYPE_STATION &&
3620	sdata->vif.type != NL80211_IFTYPE_MESH_POINT &&
3621	sdata->vif.type != NL80211_IFTYPE_AP_VLAN &&
3622	sdata->vif.type != NL80211_IFTYPE_AP &&
3623	sdata->vif.type != NL80211_IFTYPE_ADHOC)
3624	break;
3625
3626	/ verify action code is present /
3627	if (len < IEEE80211_MIN_ACTION_SIZE + `1`)
3628	goto invalid;
3629
3630	switch (mgmt->u.action.u.vht_opmode_notif.action_code) {
3631	case WLAN_VHT_ACTION_OPMODE_NOTIF: {
3632	/ verify opmode is present /
3633	if (len < IEEE80211_MIN_ACTION_SIZE + `2`)
3634	goto invalid;
3635	goto queue;
3636	}
3637	case WLAN_VHT_ACTION_GROUPID_MGMT: {
3638	if (len < IEEE80211_MIN_ACTION_SIZE + `25`)
3639	goto invalid;
3640	goto queue;
3641	}
3642	default:
3643	break;
3644	}
3645	break;
3646	case WLAN_CATEGORY_BACK:
3647	if (sdata->vif.type != NL80211_IFTYPE_STATION &&
3648	sdata->vif.type != NL80211_IFTYPE_MESH_POINT &&
3649	sdata->vif.type != NL80211_IFTYPE_AP_VLAN &&
3650	sdata->vif.type != NL80211_IFTYPE_AP &&
3651	sdata->vif.type != NL80211_IFTYPE_ADHOC)
3652	break;
3653
3654	/ verify action_code is present /
3655	if (len < IEEE80211_MIN_ACTION_SIZE + `1`)
3656	break;
3657
3658	switch (mgmt->u.action.u.addba_req.action_code) {
3659	case WLAN_ACTION_ADDBA_REQ:
3660	if (len < (IEEE80211_MIN_ACTION_SIZE +
3661	sizeof(mgmt->u.action.u.addba_req)))
3662	goto invalid;
3663	break;
3664	case WLAN_ACTION_ADDBA_RESP:
3665	if (len < (IEEE80211_MIN_ACTION_SIZE +
3666	sizeof(mgmt->u.action.u.addba_resp)))
3667	goto invalid;
3668	break;
3669	case WLAN_ACTION_DELBA:
3670	if (len < (IEEE80211_MIN_ACTION_SIZE +
3671	sizeof(mgmt->u.action.u.delba)))
3672	goto invalid;
3673	break;
3674	default:
3675	goto invalid;
3676	}
3677
3678	goto queue;
3679	case WLAN_CATEGORY_SPECTRUM_MGMT:
3680	/ verify action_code is present /
3681	if (len < IEEE80211_MIN_ACTION_SIZE + `1`)
3682	break;
3683
3684	switch (mgmt->u.action.u.measurement.action_code) {
3685	case WLAN_ACTION_SPCT_MSR_REQ:
3686	if (status->band != NL80211_BAND_5GHZ)
3687	break;
3688
3689	if (len < (IEEE80211_MIN_ACTION_SIZE +
3690	sizeof(mgmt->u.action.u.measurement)))
3691	break;
3692
3693	if (sdata->vif.type != NL80211_IFTYPE_STATION)
3694	break;
3695
3696	ieee80211_process_measurement_req(sdata, mgmt, len);
3697	goto handled;
3698	case WLAN_ACTION_SPCT_CHL_SWITCH: {
3699	u8 *bssid;
3700	if (len < (IEEE80211_MIN_ACTION_SIZE +
3701	sizeof(mgmt->u.action.u.chan_switch)))
3702	break;
3703
3704	if (sdata->vif.type != NL80211_IFTYPE_STATION &&
3705	sdata->vif.type != NL80211_IFTYPE_ADHOC &&
3706	sdata->vif.type != NL80211_IFTYPE_MESH_POINT)
3707	break;
3708
3709	if (sdata->vif.type == NL80211_IFTYPE_STATION)
3710	bssid = sdata->deflink.u.mgd.bssid;
3711	else if (sdata->vif.type == NL80211_IFTYPE_ADHOC)
3712	bssid = sdata->u.ibss.bssid;
3713	else if (sdata->vif.type == NL80211_IFTYPE_MESH_POINT)
3714	bssid = mgmt->sa;
3715	else
3716	break;
3717
3718	if (!ether_addr_equal(addr1: mgmt->bssid, addr2: bssid))
3719	break;
3720
3721	goto queue;
3722	}
3723	}
3724	break;
3725	case WLAN_CATEGORY_SELF_PROTECTED:
3726	if (len < (IEEE80211_MIN_ACTION_SIZE +
3727	sizeof(mgmt->u.action.u.self_prot.action_code)))
3728	break;
3729
3730	switch (mgmt->u.action.u.self_prot.action_code) {
3731	case WLAN_SP_MESH_PEERING_OPEN:
3732	case WLAN_SP_MESH_PEERING_CLOSE:
3733	case WLAN_SP_MESH_PEERING_CONFIRM:
3734	if (!ieee80211_vif_is_mesh(vif: &sdata->vif))
3735	goto invalid;
3736	if (sdata->u.mesh.user_mpm)
3737	/ userspace handles this frame /
3738	break;
3739	goto queue;
3740	case WLAN_SP_MGK_INFORM:
3741	case WLAN_SP_MGK_ACK:
3742	if (!ieee80211_vif_is_mesh(vif: &sdata->vif))
3743	goto invalid;
3744	break;
3745	}
3746	break;
3747	case WLAN_CATEGORY_MESH_ACTION:
3748	if (len < (IEEE80211_MIN_ACTION_SIZE +
3749	sizeof(mgmt->u.action.u.mesh_action.action_code)))
3750	break;
3751
3752	if (!ieee80211_vif_is_mesh(vif: &sdata->vif))
3753	break;
3754	if (mesh_action_is_path_sel(mgmt) &&
3755	!mesh_path_sel_is_hwmp(sdata))
3756	break;
3757	goto queue;
3758	case WLAN_CATEGORY_S1G:
3759	if (len < offsetofend(typeof(*mgmt),
3760	u.action.u.s1g.action_code))
3761	break;
3762
3763	switch (mgmt->u.action.u.s1g.action_code) {
3764	case WLAN_S1G_TWT_SETUP:
3765	case WLAN_S1G_TWT_TEARDOWN:
3766	if (ieee80211_process_rx_twt_action(rx))
3767	goto queue;
3768	break;
3769	default:
3770	break;
3771	}
3772	break;
3773	case WLAN_CATEGORY_PROTECTED_EHT:
3774	if (len < offsetofend(typeof(*mgmt),
3775	u.action.u.ttlm_req.action_code))
3776	break;
3777
3778	switch (mgmt->u.action.u.ttlm_req.action_code) {
3779	case WLAN_PROTECTED_EHT_ACTION_TTLM_REQ:
3780	if (sdata->vif.type != NL80211_IFTYPE_STATION)
3781	break;
3782
3783	if (len < offsetofend(typeof(*mgmt),
3784	u.action.u.ttlm_req))
3785	goto invalid;
3786	goto queue;
3787	case WLAN_PROTECTED_EHT_ACTION_TTLM_RES:
3788	if (sdata->vif.type != NL80211_IFTYPE_STATION)
3789	break;
3790
3791	if (len < offsetofend(typeof(*mgmt),
3792	u.action.u.ttlm_res))
3793	goto invalid;
3794	goto queue;
3795	case WLAN_PROTECTED_EHT_ACTION_TTLM_TEARDOWN:
3796	if (sdata->vif.type != NL80211_IFTYPE_STATION)
3797	break;
3798
3799	if (len < offsetofend(typeof(*mgmt),
3800	u.action.u.ttlm_tear_down))
3801	goto invalid;
3802	goto queue;
3803	case WLAN_PROTECTED_EHT_ACTION_LINK_RECONFIG_RESP:
3804	if (sdata->vif.type != NL80211_IFTYPE_STATION)
3805	break;
3806
3807	/ The reconfiguration response action frame must*
3808	* least one 'Status Duple' entry (3 octets)
3809	*/
3810	if (len <
3811	offsetofend(typeof(*mgmt),
3812	u.action.u.ml_reconf_resp) + `3`)
3813	goto invalid;
3814	goto queue;
3815	case WLAN_PROTECTED_EHT_ACTION_EPCS_ENABLE_RESP:
3816	if (sdata->vif.type != NL80211_IFTYPE_STATION)
3817	break;
3818
3819	if (len < offsetofend(typeof(*mgmt),
3820	u.action.u.epcs) +
3821	IEEE80211_EPCS_ENA_RESP_BODY_LEN)
3822	goto invalid;
3823	goto queue;
3824	case WLAN_PROTECTED_EHT_ACTION_EPCS_ENABLE_TEARDOWN:
3825	if (sdata->vif.type != NL80211_IFTYPE_STATION)
3826	break;
3827
3828	if (len < offsetofend(typeof(*mgmt),
3829	u.action.u.epcs))
3830	goto invalid;
3831	goto queue;
3832	default:
3833	break;
3834	}
3835	break;
3836	}
3837
3838	return RX_CONTINUE;
3839
3840	invalid:
3841	status->rx_flags \|= IEEE80211_RX_MALFORMED_ACTION_FRM;
3842	/ will return in the next handlers /
3843	return RX_CONTINUE;
3844
3845	handled:
3846	if (rx->sta)
3847	rx->link_sta->rx_stats.packets++;
3848	dev_kfree_skb(rx->skb);
3849	return RX_QUEUED;
3850
3851	queue:
3852	ieee80211_queue_skb_to_iface(sdata, link_id: rx->link_id, sta: rx->sta, skb: rx->skb);
3853	return RX_QUEUED;
3854	}
3855
3856	static ieee80211_rx_result debug_noinline
3857	ieee80211_rx_h_userspace_mgmt(struct ieee80211_rx_data *rx)
3858	{
3859	struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb: rx->skb);
3860	struct cfg80211_rx_info info = {
3861	.freq = ieee80211_rx_status_to_khz(rx_status: status),
3862	.buf = rx->skb->data,
3863	.len = rx->skb->len,
3864	.link_id = rx->link_id,
3865	.have_link_id = rx->link_id >= `0`,
3866	};
3867
3868	/ skip known-bad action frames and return them in the next handler /
3869	if (status->rx_flags & IEEE80211_RX_MALFORMED_ACTION_FRM)
3870	return RX_CONTINUE;
3871
3872	/*
3873	* Getting here means the kernel doesn't know how to handle
3874	* it, but maybe userspace does ... include returned frames
3875	* so userspace can register for those to know whether ones
3876	* it transmitted were processed or returned.
3877	*/
3878
3879	if (ieee80211_hw_check(&rx->local->hw, SIGNAL_DBM) &&
3880	!(status->flag & RX_FLAG_NO_SIGNAL_VAL))
3881	info.sig_dbm = status->signal;
3882
3883	if (ieee80211_is_timing_measurement(skb: rx->skb) \|\|
3884	ieee80211_is_ftm(skb: rx->skb)) {
3885	info.rx_tstamp = ktime_to_ns(kt: skb_hwtstamps(skb: rx->skb)->hwtstamp);
3886	info.ack_tstamp = ktime_to_ns(kt: status->ack_tx_hwtstamp);
3887	}
3888
3889	if (cfg80211_rx_mgmt_ext(wdev: &rx->sdata->wdev, info: &info)) {
3890	if (rx->sta)
3891	rx->link_sta->rx_stats.packets++;
3892	dev_kfree_skb(rx->skb);
3893	return RX_QUEUED;
3894	}
3895
3896	return RX_CONTINUE;
3897	}
3898
3899	static ieee80211_rx_result debug_noinline
3900	ieee80211_rx_h_action_post_userspace(struct ieee80211_rx_data *rx)
3901	{
3902	struct ieee80211_sub_if_data *sdata = rx->sdata;
3903	struct ieee80211_mgmt mgmt = (struct* ieee80211_mgmt *) rx->skb->data;
3904	int len = rx->skb->len;
3905
3906	if (!ieee80211_is_action(fc: mgmt->frame_control))
3907	return RX_CONTINUE;
3908
3909	switch (mgmt->u.action.category) {
3910	case WLAN_CATEGORY_SA_QUERY:
3911	if (len < (IEEE80211_MIN_ACTION_SIZE +
3912	sizeof(mgmt->u.action.u.sa_query)))
3913	break;
3914
3915	switch (mgmt->u.action.u.sa_query.action) {
3916	case WLAN_ACTION_SA_QUERY_REQUEST:
3917	if (sdata->vif.type != NL80211_IFTYPE_STATION)
3918	break;
3919	ieee80211_process_sa_query_req(sdata, mgmt, len);
3920	goto handled;
3921	}
3922	break;
3923	}
3924
3925	return RX_CONTINUE;
3926
3927	handled:
3928	if (rx->sta)
3929	rx->link_sta->rx_stats.packets++;
3930	dev_kfree_skb(rx->skb);
3931	return RX_QUEUED;
3932	}
3933
3934	static ieee80211_rx_result debug_noinline
3935	ieee80211_rx_h_action_return(struct ieee80211_rx_data *rx)
3936	{
3937	struct ieee80211_local *local = rx->local;
3938	struct ieee80211_mgmt mgmt = (struct* ieee80211_mgmt *) rx->skb->data;
3939	struct sk_buff *nskb;
3940	struct ieee80211_sub_if_data *sdata = rx->sdata;
3941	struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb: rx->skb);
3942
3943	if (!ieee80211_is_action(fc: mgmt->frame_control))
3944	return RX_CONTINUE;
3945
3946	/*
3947	* For AP mode, hostapd is responsible for handling any action
3948	* frames that we didn't handle, including returning unknown
3949	* ones. For all other modes we will return them to the sender,
3950	* setting the 0x80 bit in the action category, as required by
3951	* 802.11-2012 9.24.4.
3952	* Newer versions of hostapd use the management frame registration
3953	* mechanisms and old cooked monitor interface is no longer supported.
3954	*/
3955	if (!(status->rx_flags & IEEE80211_RX_MALFORMED_ACTION_FRM) &&
3956	(sdata->vif.type == NL80211_IFTYPE_AP \|\|
3957	sdata->vif.type == NL80211_IFTYPE_AP_VLAN))
3958	return RX_DROP;
3959
3960	if (is_multicast_ether_addr(addr: mgmt->da))
3961	return RX_DROP;
3962
3963	/ do not return rejected action frames /
3964	if (mgmt->u.action.category & `0x80`)
3965	return RX_DROP_U_REJECTED_ACTION_RESPONSE;
3966
3967	nskb = skb_copy_expand(skb: rx->skb, newheadroom: local->hw.extra_tx_headroom, newtailroom: `0`,
3968	GFP_ATOMIC);
3969	if (nskb) {
3970	struct ieee80211_mgmt nmgmt = (void* *)nskb->data;
3971
3972	nmgmt->u.action.category \|= `0x80`;
3973	memcpy(to: nmgmt->da, from: nmgmt->sa, ETH_ALEN);
3974	memcpy(to: nmgmt->sa, from: rx->sdata->vif.addr, ETH_ALEN);
3975
3976	memset(s: nskb->cb, c: `0`, n: sizeof(nskb->cb));
3977
3978	if (rx->sdata->vif.type == NL80211_IFTYPE_P2P_DEVICE) {
3979	struct ieee80211_tx_info *info = IEEE80211_SKB_CB(skb: nskb);
3980
3981	info->flags = IEEE80211_TX_CTL_TX_OFFCHAN \|
3982	IEEE80211_TX_INTFL_OFFCHAN_TX_OK \|
3983	IEEE80211_TX_CTL_NO_CCK_RATE;
3984	if (ieee80211_hw_check(&local->hw, QUEUE_CONTROL))
3985	info->hw_queue =
3986	local->hw.offchannel_tx_hw_queue;
3987	}
3988
3989	__ieee80211_tx_skb_tid_band(sdata: rx->sdata, skb: nskb, tid: `7`, link_id: -`1`,
3990	band: status->band);
3991	}
3992
3993	return RX_DROP_U_UNKNOWN_ACTION_REJECTED;
3994	}
3995
3996	static ieee80211_rx_result debug_noinline
3997	ieee80211_rx_h_ext(struct ieee80211_rx_data *rx)
3998	{
3999	struct ieee80211_sub_if_data *sdata = rx->sdata;
4000	struct ieee80211_hdr hdr = (void* *)rx->skb->data;
4001
4002	if (!ieee80211_is_ext(fc: hdr->frame_control))
4003	return RX_CONTINUE;
4004
4005	if (sdata->vif.type != NL80211_IFTYPE_STATION)
4006	return RX_DROP;
4007
4008	/ for now only beacons are ext, so queue them /
4009	ieee80211_queue_skb_to_iface(sdata, link_id: rx->link_id, sta: rx->sta, skb: rx->skb);
4010
4011	return RX_QUEUED;
4012	}
4013
4014	static ieee80211_rx_result debug_noinline
4015	ieee80211_rx_h_mgmt(struct ieee80211_rx_data *rx)
4016	{
4017	struct ieee80211_sub_if_data *sdata = rx->sdata;
4018	struct ieee80211_mgmt mgmt = (void* *)rx->skb->data;
4019	__le16 stype;
4020
4021	stype = mgmt->frame_control & cpu_to_le16(IEEE80211_FCTL_STYPE);
4022
4023	if (!ieee80211_vif_is_mesh(vif: &sdata->vif) &&
4024	sdata->vif.type != NL80211_IFTYPE_ADHOC &&
4025	sdata->vif.type != NL80211_IFTYPE_OCB &&
4026	sdata->vif.type != NL80211_IFTYPE_STATION)
4027	return RX_DROP;
4028
4029	switch (stype) {
4030	case cpu_to_le16(IEEE80211_STYPE_AUTH):
4031	case cpu_to_le16(IEEE80211_STYPE_BEACON):
4032	case cpu_to_le16(IEEE80211_STYPE_PROBE_RESP):
4033	/ process for all: mesh, mlme, ibss /
4034	break;
4035	case cpu_to_le16(IEEE80211_STYPE_DEAUTH):
4036	if (is_multicast_ether_addr(addr: mgmt->da) &&
4037	!is_broadcast_ether_addr(addr: mgmt->da))
4038	return RX_DROP;
4039
4040	/ process only for station/IBSS /
4041	if (sdata->vif.type != NL80211_IFTYPE_STATION &&
4042	sdata->vif.type != NL80211_IFTYPE_ADHOC)
4043	return RX_DROP;
4044	break;
4045	case cpu_to_le16(IEEE80211_STYPE_ASSOC_RESP):
4046	case cpu_to_le16(IEEE80211_STYPE_REASSOC_RESP):
4047	case cpu_to_le16(IEEE80211_STYPE_DISASSOC):
4048	if (is_multicast_ether_addr(addr: mgmt->da) &&
4049	!is_broadcast_ether_addr(addr: mgmt->da))
4050	return RX_DROP;
4051
4052	/ process only for station /
4053	if (sdata->vif.type != NL80211_IFTYPE_STATION)
4054	return RX_DROP;
4055	break;
4056	case cpu_to_le16(IEEE80211_STYPE_PROBE_REQ):
4057	/ process only for ibss and mesh /
4058	if (sdata->vif.type != NL80211_IFTYPE_ADHOC &&
4059	sdata->vif.type != NL80211_IFTYPE_MESH_POINT)
4060	return RX_DROP;
4061	break;
4062	default:
4063	return RX_DROP;
4064	}
4065
4066	ieee80211_queue_skb_to_iface(sdata, link_id: rx->link_id, sta: rx->sta, skb: rx->skb);
4067
4068	return RX_QUEUED;
4069	}
4070
4071	static void ieee80211_rx_handlers_result(struct ieee80211_rx_data *rx,
4072	ieee80211_rx_result res)
4073	{
4074	if (res == RX_QUEUED) {
4075	I802_DEBUG_INC(rx->sdata->local->rx_handlers_queued);
4076	return;
4077	}
4078
4079	if (res != RX_CONTINUE) {
4080	I802_DEBUG_INC(rx->sdata->local->rx_handlers_drop);
4081	if (rx->sta)
4082	rx->link_sta->rx_stats.dropped++;
4083	}
4084
4085	kfree_skb_reason(skb: rx->skb, reason: (__force u32)res);
4086	}
4087
4088	static void ieee80211_rx_handlers(struct ieee80211_rx_data *rx,
4089	struct sk_buff_head *frames)
4090	{
4091	ieee80211_rx_result res = RX_DROP;
4092	struct sk_buff *skb;
4093
4094	#define CALL_RXH(rxh) \
4095	do { \
4096	res = rxh(rx); \
4097	if (res != RX_CONTINUE) \
4098	goto rxh_next; \
4099	} while (0)
4100
4101	/ Lock here to avoid hitting all of the data used in the RX*
4102	* path (e.g. key data, station data, ...) concurrently when
4103	* a frame is released from the reorder buffer due to timeout
4104	* from the timer, potentially concurrently with RX from the
4105	* driver.
4106	*/
4107	spin_lock_bh(lock: &rx->local->rx_path_lock);
4108
4109	while ((skb = __skb_dequeue(list: frames))) {
4110	/*
4111	* all the other fields are valid across frames
4112	* that belong to an aMPDU since they are on the
4113	* same TID from the same station
4114	*/
4115	rx->skb = skb;
4116
4117	if (WARN_ON_ONCE(!rx->link))
4118	goto rxh_next;
4119
4120	CALL_RXH(ieee80211_rx_h_check_more_data);
4121	CALL_RXH(ieee80211_rx_h_uapsd_and_pspoll);
4122	CALL_RXH(ieee80211_rx_h_sta_process);
4123	CALL_RXH(ieee80211_rx_h_decrypt);
4124	CALL_RXH(ieee80211_rx_h_defragment);
4125	CALL_RXH(ieee80211_rx_h_michael_mic_verify);
4126	/ must be after MMIC verify so header is counted in MPDU mic /
4127	CALL_RXH(ieee80211_rx_h_amsdu);
4128	CALL_RXH(ieee80211_rx_h_data);
4129
4130	/ special treatment -- needs the queue /
4131	res = ieee80211_rx_h_ctrl(rx, frames);
4132	if (res != RX_CONTINUE)
4133	goto rxh_next;
4134
4135	CALL_RXH(ieee80211_rx_h_mgmt_check);
4136	CALL_RXH(ieee80211_rx_h_action);
4137	CALL_RXH(ieee80211_rx_h_userspace_mgmt);
4138	CALL_RXH(ieee80211_rx_h_action_post_userspace);
4139	CALL_RXH(ieee80211_rx_h_action_return);
4140	CALL_RXH(ieee80211_rx_h_ext);
4141	CALL_RXH(ieee80211_rx_h_mgmt);
4142
4143	rxh_next:
4144	ieee80211_rx_handlers_result(rx, res);
4145
4146	#undef CALL_RXH
4147	}
4148
4149	spin_unlock_bh(lock: &rx->local->rx_path_lock);
4150	}
4151
4152	static void ieee80211_invoke_rx_handlers(struct ieee80211_rx_data *rx)
4153	{
4154	struct sk_buff_head reorder_release;
4155	ieee80211_rx_result res = RX_DROP;
4156
4157	__skb_queue_head_init(list: &reorder_release);
4158
4159	#define CALL_RXH(rxh) \
4160	do { \
4161	res = rxh(rx); \
4162	if (res != RX_CONTINUE) \
4163	goto rxh_next; \
4164	} while (0)
4165
4166	CALL_RXH(ieee80211_rx_h_check_dup);
4167	CALL_RXH(ieee80211_rx_h_check);
4168
4169	ieee80211_rx_reorder_ampdu(rx, frames: &reorder_release);
4170
4171	ieee80211_rx_handlers(rx, frames: &reorder_release);
4172	return;
4173
4174	rxh_next:
4175	ieee80211_rx_handlers_result(rx, res);
4176
4177	#undef CALL_RXH
4178	}
4179
4180	static bool
4181	ieee80211_rx_is_valid_sta_link_id(struct ieee80211_sta *sta, u8 link_id)
4182	{
4183	return !!(sta->valid_links & BIT(link_id));
4184	}
4185
4186	static bool ieee80211_rx_data_set_link(struct ieee80211_rx_data *rx,
4187	u8 link_id)
4188	{
4189	rx->link_id = link_id;
4190	rx->link = rcu_dereference(rx->sdata->link[link_id]);
4191
4192	if (!rx->sta)
4193	return rx->link;
4194
4195	if (!ieee80211_rx_is_valid_sta_link_id(sta: &rx->sta->sta, link_id))
4196	return false;
4197
4198	rx->link_sta = rcu_dereference(rx->sta->link[link_id]);
4199
4200	return rx->link && rx->link_sta;
4201	}
4202
4203	static bool ieee80211_rx_data_set_sta(struct ieee80211_rx_data *rx,
4204	struct sta_info sta, int* link_id)
4205	{
4206	rx->link_id = link_id;
4207	rx->sta = sta;
4208
4209	if (sta) {
4210	rx->local = sta->sdata->local;
4211	if (!rx->sdata)
4212	rx->sdata = sta->sdata;
4213	rx->link_sta = &sta->deflink;
4214	} else {
4215	rx->link_sta = NULL;
4216	}
4217
4218	if (link_id < `0`) {
4219	if (ieee80211_vif_is_mld(vif: &rx->sdata->vif) &&
4220	sta && !sta->sta.valid_links)
4221	rx->link =
4222	rcu_dereference(rx->sdata->link[sta->deflink.link_id]);
4223	else
4224	rx->link = &rx->sdata->deflink;
4225	} else if (!ieee80211_rx_data_set_link(rx, link_id)) {
4226	return false;
4227	}
4228
4229	return true;
4230	}
4231
4232	/*
4233	* This function makes calls into the RX path, therefore
4234	* it has to be invoked under RCU read lock.
4235	*/
4236	void ieee80211_release_reorder_timeout(struct sta_info sta, int* tid)
4237	{
4238	struct sk_buff_head frames;
4239	struct ieee80211_rx_data rx = {
4240	/ This is OK -- must be QoS data frame /
4241	.security_idx = tid,
4242	.seqno_idx = tid,
4243	};
4244	struct tid_ampdu_rx *tid_agg_rx;
4245	int link_id = -`1`;
4246
4247	/ FIXME: statistics won't be right with this /
4248	if (sta->sta.valid_links)
4249	link_id = ffs(sta->sta.valid_links) - `1`;
4250
4251	if (!ieee80211_rx_data_set_sta(rx: &rx, sta, link_id))
4252	return;
4253
4254	tid_agg_rx = rcu_dereference(sta->ampdu_mlme.tid_rx[tid]);
4255	if (!tid_agg_rx)
4256	return;
4257
4258	__skb_queue_head_init(list: &frames);
4259
4260	spin_lock(lock: &tid_agg_rx->reorder_lock);
4261	ieee80211_sta_reorder_release(sdata: sta->sdata, tid_agg_rx, frames: &frames);
4262	spin_unlock(lock: &tid_agg_rx->reorder_lock);
4263
4264	if (!skb_queue_empty(list: &frames)) {
4265	struct ieee80211_event event = {
4266	.type = BA_FRAME_TIMEOUT,
4267	.u.ba.tid = tid,
4268	.u.ba.sta = &sta->sta,
4269	};
4270	drv_event_callback(local: rx.local, sdata: rx.sdata, event: &event);
4271	}
4272
4273	ieee80211_rx_handlers(rx: &rx, frames: &frames);
4274	}
4275
4276	void ieee80211_mark_rx_ba_filtered_frames(struct ieee80211_sta *pubsta, u8 tid,
4277	u16 ssn, u64 filtered,
4278	u16 received_mpdus)
4279	{
4280	struct ieee80211_local *local;
4281	struct sta_info *sta;
4282	struct tid_ampdu_rx *tid_agg_rx;
4283	struct sk_buff_head frames;
4284	struct ieee80211_rx_data rx = {
4285	/ This is OK -- must be QoS data frame /
4286	.security_idx = tid,
4287	.seqno_idx = tid,
4288	};
4289	int i, diff;
4290
4291	if (WARN_ON(!pubsta \|\| tid >= IEEE80211_NUM_TIDS))
4292	return;
4293
4294	__skb_queue_head_init(list: &frames);
4295
4296	sta = container_of(pubsta, struct sta_info, sta);
4297
4298	local = sta->sdata->local;
4299	WARN_ONCE(local->hw.max_rx_aggregation_subframes > `64`,
4300	"RX BA marker can't support max_rx_aggregation_subframes %u > 64\n",
4301	local->hw.max_rx_aggregation_subframes);
4302
4303	if (!ieee80211_rx_data_set_sta(rx: &rx, sta, link_id: -`1`))
4304	return;
4305
4306	rcu_read_lock();
4307	tid_agg_rx = rcu_dereference(sta->ampdu_mlme.tid_rx[tid]);
4308	if (!tid_agg_rx)
4309	goto out;
4310
4311	spin_lock_bh(lock: &tid_agg_rx->reorder_lock);
4312
4313	if (received_mpdus >= IEEE80211_SN_MODULO >> `1`) {
4314	int release;
4315
4316	/ release all frames in the reorder buffer /
4317	release = (tid_agg_rx->head_seq_num + tid_agg_rx->buf_size) %
4318	IEEE80211_SN_MODULO;
4319	ieee80211_release_reorder_frames(sdata: sta->sdata, tid_agg_rx,
4320	head_seq_num: release, frames: &frames);
4321	/ update ssn to match received ssn /
4322	tid_agg_rx->head_seq_num = ssn;
4323	} else {
4324	ieee80211_release_reorder_frames(sdata: sta->sdata, tid_agg_rx, head_seq_num: ssn,
4325	frames: &frames);
4326	}
4327
4328	/ handle the case that received ssn is behind the mac ssn.*
4329	* it can be tid_agg_rx->buf_size behind and still be valid */
4330	diff = (tid_agg_rx->head_seq_num - ssn) & IEEE80211_SN_MASK;
4331	if (diff >= tid_agg_rx->buf_size) {
4332	tid_agg_rx->reorder_buf_filtered = `0`;
4333	goto release;
4334	}
4335	filtered = filtered >> diff;
4336	ssn += diff;
4337
4338	/ update bitmap /
4339	for (i = `0`; i < tid_agg_rx->buf_size; i++) {
4340	int index = (ssn + i) % tid_agg_rx->buf_size;
4341
4342	tid_agg_rx->reorder_buf_filtered &= ~BIT_ULL(index);
4343	if (filtered & BIT_ULL(i))
4344	tid_agg_rx->reorder_buf_filtered \|= BIT_ULL(index);
4345	}
4346
4347	/ now process also frames that the filter marking released /
4348	ieee80211_sta_reorder_release(sdata: sta->sdata, tid_agg_rx, frames: &frames);
4349
4350	release:
4351	spin_unlock_bh(lock: &tid_agg_rx->reorder_lock);
4352
4353	ieee80211_rx_handlers(rx: &rx, frames: &frames);
4354
4355	out:
4356	rcu_read_unlock();
4357	}
4358	EXPORT_SYMBOL(ieee80211_mark_rx_ba_filtered_frames);
4359
4360	/ main receive path /
4361
4362	static inline int ieee80211_bssid_match(const u8 raddr, const* u8 *addr)
4363	{
4364	return ether_addr_equal(addr1: raddr, addr2: addr) \|\|
4365	is_broadcast_ether_addr(addr: raddr);
4366	}
4367
4368	static bool ieee80211_accept_frame(struct ieee80211_rx_data *rx)
4369	{
4370	struct ieee80211_sub_if_data *sdata = rx->sdata;
4371	struct sk_buff *skb = rx->skb;
4372	struct ieee80211_hdr hdr = (void* *)skb->data;
4373	struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb);
4374	u8 *bssid = ieee80211_get_bssid(hdr, len: skb->len, type: sdata->vif.type);
4375	bool multicast = is_multicast_ether_addr(addr: hdr->addr1) \|\|
4376	ieee80211_is_s1g_beacon(fc: hdr->frame_control);
4377
4378	switch (sdata->vif.type) {
4379	case NL80211_IFTYPE_STATION:
4380	if (!bssid && !sdata->u.mgd.use_4addr)
4381	return false;
4382	if (ieee80211_is_first_frag(seq_ctrl: hdr->seq_ctrl) &&
4383	ieee80211_is_robust_mgmt_frame(skb) && !rx->sta)
4384	return false;
4385	if (multicast)
4386	return true;
4387	return ieee80211_is_our_addr(sdata, addr: hdr->addr1, out_link_id: &rx->link_id);
4388	case NL80211_IFTYPE_ADHOC:
4389	if (!bssid)
4390	return false;
4391	if (ether_addr_equal(addr1: sdata->vif.addr, addr2: hdr->addr2) \|\|
4392	ether_addr_equal(addr1: sdata->u.ibss.bssid, addr2: hdr->addr2) \|\|
4393	!is_valid_ether_addr(addr: hdr->addr2))
4394	return false;
4395	if (ieee80211_is_beacon(fc: hdr->frame_control))
4396	return true;
4397	if (!ieee80211_bssid_match(raddr: bssid, addr: sdata->u.ibss.bssid))
4398	return false;
4399	if (!multicast &&
4400	!ether_addr_equal(addr1: sdata->vif.addr, addr2: hdr->addr1))
4401	return false;
4402	if (!rx->sta) {
4403	int rate_idx;
4404	if (status->encoding != RX_ENC_LEGACY)
4405	rate_idx = `0`; / TODO: HT/VHT rates /
4406	else
4407	rate_idx = status->rate_idx;
4408	ieee80211_ibss_rx_no_sta(sdata, bssid, addr: hdr->addr2,
4409	BIT(rate_idx));
4410	}
4411	return true;
4412	case NL80211_IFTYPE_OCB:
4413	if (!bssid)
4414	return false;
4415	if (!ieee80211_is_data_present(fc: hdr->frame_control))
4416	return false;
4417	if (!is_broadcast_ether_addr(addr: bssid))
4418	return false;
4419	if (!multicast &&
4420	!ether_addr_equal(addr1: sdata->dev->dev_addr, addr2: hdr->addr1))
4421	return false;
4422	/ reject invalid/our STA address /
4423	if (!is_valid_ether_addr(addr: hdr->addr2) \|\|
4424	ether_addr_equal(addr1: sdata->dev->dev_addr, addr2: hdr->addr2))
4425	return false;
4426	if (!rx->sta) {
4427	int rate_idx;
4428	if (status->encoding != RX_ENC_LEGACY)
4429	rate_idx = `0`; / TODO: HT rates /
4430	else
4431	rate_idx = status->rate_idx;
4432	ieee80211_ocb_rx_no_sta(sdata, bssid, addr: hdr->addr2,
4433	BIT(rate_idx));
4434	}
4435	return true;
4436	case NL80211_IFTYPE_MESH_POINT:
4437	if (ether_addr_equal(addr1: sdata->vif.addr, addr2: hdr->addr2))
4438	return false;
4439	if (multicast)
4440	return true;
4441	return ether_addr_equal(addr1: sdata->vif.addr, addr2: hdr->addr1);
4442	case NL80211_IFTYPE_AP_VLAN:
4443	case NL80211_IFTYPE_AP:
4444	if (!bssid)
4445	return ieee80211_is_our_addr(sdata, addr: hdr->addr1,
4446	out_link_id: &rx->link_id);
4447
4448	if (!is_broadcast_ether_addr(addr: bssid) &&
4449	!ieee80211_is_our_addr(sdata, addr: bssid, NULL)) {
4450	/*
4451	* Accept public action frames even when the
4452	* BSSID doesn't match, this is used for P2P
4453	* and location updates. Note that mac80211
4454	* itself never looks at these frames.
4455	*/
4456	if (!multicast &&
4457	!ieee80211_is_our_addr(sdata, addr: hdr->addr1,
4458	out_link_id: &rx->link_id))
4459	return false;
4460	if (ieee80211_is_public_action(hdr, len: skb->len))
4461	return true;
4462	return ieee80211_is_beacon(fc: hdr->frame_control);
4463	}
4464
4465	if (!ieee80211_has_tods(fc: hdr->frame_control)) {
4466	/ ignore data frames to TDLS-peers /
4467	if (ieee80211_is_data(fc: hdr->frame_control))
4468	return false;
4469	/ ignore action frames to TDLS-peers /
4470	if (ieee80211_is_action(fc: hdr->frame_control) &&
4471	!is_broadcast_ether_addr(addr: bssid) &&
4472	!ether_addr_equal(addr1: bssid, addr2: hdr->addr1))
4473	return false;
4474	}
4475
4476	/*
4477	* 802.11-2016 Table 9-26 says that for data frames, A1 must be
4478	* the BSSID - we've checked that already but may have accepted
4479	* the wildcard (ff:ff:ff:ff:ff:ff).
4480	*
4481	* It also says:
4482	* The BSSID of the Data frame is determined as follows:
4483	* a) If the STA is contained within an AP or is associated
4484	* with an AP, the BSSID is the address currently in use
4485	* by the STA contained in the AP.
4486	*
4487	* So we should not accept data frames with an address that's
4488	* multicast.
4489	*
4490	* Accepting it also opens a security problem because stations
4491	* could encrypt it with the GTK and inject traffic that way.
4492	*/
4493	if (ieee80211_is_data(fc: hdr->frame_control) && multicast)
4494	return false;
4495
4496	return true;
4497	case NL80211_IFTYPE_P2P_DEVICE:
4498	return ieee80211_is_public_action(hdr, len: skb->len) \|\|
4499	ieee80211_is_probe_req(fc: hdr->frame_control) \|\|
4500	ieee80211_is_probe_resp(fc: hdr->frame_control) \|\|
4501	ieee80211_is_beacon(fc: hdr->frame_control) \|\|
4502	(ieee80211_is_auth(fc: hdr->frame_control) &&
4503	ether_addr_equal(addr1: sdata->vif.addr, addr2: hdr->addr1));
4504	case NL80211_IFTYPE_NAN:
4505	/ Accept only frames that are addressed to the NAN cluster*
4506	* (based on the Cluster ID). From these frames, accept only
4507	* action frames or authentication frames that are addressed to
4508	* the local NAN interface.
4509	*/
4510	return memcmp(sdata->wdev.u.nan.cluster_id,
4511	hdr->addr3, ETH_ALEN) == `0` &&
4512	(ieee80211_is_public_action(hdr, len: skb->len) \|\|
4513	(ieee80211_is_auth(fc: hdr->frame_control) &&
4514	ether_addr_equal(addr1: sdata->vif.addr, addr2: hdr->addr1)));
4515	default:
4516	break;
4517	}
4518
4519	WARN_ON_ONCE(`1`);
4520	return false;
4521	}
4522
4523	void ieee80211_check_fast_rx(struct sta_info *sta)
4524	{
4525	struct ieee80211_sub_if_data *sdata = sta->sdata;
4526	struct ieee80211_local *local = sdata->local;
4527	struct ieee80211_key *key;
4528	struct ieee80211_fast_rx fastrx = {
4529	.dev = sdata->dev,
4530	.vif_type = sdata->vif.type,
4531	.control_port_protocol = sdata->control_port_protocol,
4532	}, old, new = NULL;
4533	u32 offload_flags;
4534	bool set_offload = false;
4535	bool assign = false;
4536	bool offload;
4537
4538	/ use sparse to check that we don't return without updating /
4539	__acquire(check_fast_rx);
4540
4541	BUILD_BUG_ON(sizeof(fastrx.rfc1042_hdr) != sizeof(rfc1042_header));
4542	BUILD_BUG_ON(sizeof(fastrx.rfc1042_hdr) != ETH_ALEN);
4543	ether_addr_copy(dst: fastrx.rfc1042_hdr, src: rfc1042_header);
4544	ether_addr_copy(dst: fastrx.vif_addr, src: sdata->vif.addr);
4545
4546	fastrx.uses_rss = ieee80211_hw_check(&local->hw, USES_RSS);
4547
4548	/ fast-rx doesn't do reordering /
4549	if (ieee80211_hw_check(&local->hw, AMPDU_AGGREGATION) &&
4550	!ieee80211_hw_check(&local->hw, SUPPORTS_REORDERING_BUFFER))
4551	goto clear;
4552
4553	switch (sdata->vif.type) {
4554	case NL80211_IFTYPE_STATION:
4555	if (sta->sta.tdls) {
4556	fastrx.da_offs = offsetof(struct ieee80211_hdr, addr1);
4557	fastrx.sa_offs = offsetof(struct ieee80211_hdr, addr2);
4558	fastrx.expected_ds_bits = `0`;
4559	} else {
4560	fastrx.da_offs = offsetof(struct ieee80211_hdr, addr1);
4561	fastrx.sa_offs = offsetof(struct ieee80211_hdr, addr3);
4562	fastrx.expected_ds_bits =
4563	cpu_to_le16(IEEE80211_FCTL_FROMDS);
4564	}
4565
4566	if (sdata->u.mgd.use_4addr && !sta->sta.tdls) {
4567	fastrx.expected_ds_bits \|=
4568	cpu_to_le16(IEEE80211_FCTL_TODS);
4569	fastrx.da_offs = offsetof(struct ieee80211_hdr, addr3);
4570	fastrx.sa_offs = offsetof(struct ieee80211_hdr, addr4);
4571	}
4572
4573	if (!sdata->u.mgd.powersave)
4574	break;
4575
4576	/ software powersave is a huge mess, avoid all of it /
4577	if (ieee80211_hw_check(&local->hw, PS_NULLFUNC_STACK))
4578	goto clear;
4579	if (ieee80211_hw_check(&local->hw, SUPPORTS_PS) &&
4580	!ieee80211_hw_check(&local->hw, SUPPORTS_DYNAMIC_PS))
4581	goto clear;
4582	break;
4583	case NL80211_IFTYPE_AP_VLAN:
4584	case NL80211_IFTYPE_AP:
4585	/ parallel-rx requires this, at least with calls to*
4586	* ieee80211_sta_ps_transition()
4587	*/
4588	if (!ieee80211_hw_check(&local->hw, AP_LINK_PS))
4589	goto clear;
4590	fastrx.da_offs = offsetof(struct ieee80211_hdr, addr3);
4591	fastrx.sa_offs = offsetof(struct ieee80211_hdr, addr2);
4592	fastrx.expected_ds_bits = cpu_to_le16(IEEE80211_FCTL_TODS);
4593
4594	fastrx.internal_forward =
4595	!(sdata->flags & IEEE80211_SDATA_DONT_BRIDGE_PACKETS) &&
4596	(sdata->vif.type != NL80211_IFTYPE_AP_VLAN \|\|
4597	!sdata->u.vlan.sta);
4598
4599	if (sdata->vif.type == NL80211_IFTYPE_AP_VLAN &&
4600	sdata->u.vlan.sta) {
4601	fastrx.expected_ds_bits \|=
4602	cpu_to_le16(IEEE80211_FCTL_FROMDS);
4603	fastrx.sa_offs = offsetof(struct ieee80211_hdr, addr4);
4604	fastrx.internal_forward = `0`;
4605	}
4606
4607	break;
4608	case NL80211_IFTYPE_MESH_POINT:
4609	fastrx.expected_ds_bits = cpu_to_le16(IEEE80211_FCTL_FROMDS \|
4610	IEEE80211_FCTL_TODS);
4611	fastrx.da_offs = offsetof(struct ieee80211_hdr, addr3);
4612	fastrx.sa_offs = offsetof(struct ieee80211_hdr, addr4);
4613	break;
4614	default:
4615	goto clear;
4616	}
4617
4618	if (!test_sta_flag(sta, flag: WLAN_STA_AUTHORIZED))
4619	goto clear;
4620
4621	rcu_read_lock();
4622	key = rcu_dereference(sta->ptk[sta->ptk_idx]);
4623	if (!key)
4624	key = rcu_dereference(sdata->default_unicast_key);
4625	if (key) {
4626	switch (key->conf.cipher) {
4627	case WLAN_CIPHER_SUITE_TKIP:
4628	/ we don't want to deal with MMIC in fast-rx /
4629	goto clear_rcu;
4630	case WLAN_CIPHER_SUITE_CCMP:
4631	case WLAN_CIPHER_SUITE_CCMP_256:
4632	case WLAN_CIPHER_SUITE_GCMP:
4633	case WLAN_CIPHER_SUITE_GCMP_256:
4634	break;
4635	default:
4636	/ We also don't want to deal with*
4637	* WEP or cipher scheme.
4638	*/
4639	goto clear_rcu;
4640	}
4641
4642	fastrx.key = true;
4643	fastrx.icv_len = key->conf.icv_len;
4644	}
4645
4646	assign = true;
4647	clear_rcu:
4648	rcu_read_unlock();
4649	clear:
4650	__release(check_fast_rx);
4651
4652	if (assign)
4653	new = kmemdup(&fastrx, sizeof(fastrx), GFP_KERNEL);
4654
4655	offload_flags = get_bss_sdata(sdata)->vif.offload_flags;
4656	offload = offload_flags & IEEE80211_OFFLOAD_DECAP_ENABLED;
4657
4658	if (assign && offload)
4659	set_offload = !test_and_set_sta_flag(sta, flag: WLAN_STA_DECAP_OFFLOAD);
4660	else
4661	set_offload = test_and_clear_sta_flag(sta, flag: WLAN_STA_DECAP_OFFLOAD);
4662
4663	if (set_offload)
4664	drv_sta_set_decap_offload(local, sdata, sta: &sta->sta, enabled: assign);
4665
4666	spin_lock_bh(lock: &sta->lock);
4667	old = rcu_dereference_protected(sta->fast_rx, true);
4668	rcu_assign_pointer(sta->fast_rx, new);
4669	spin_unlock_bh(lock: &sta->lock);
4670
4671	if (old)
4672	kfree_rcu(old, rcu_head);
4673	}
4674
4675	void ieee80211_clear_fast_rx(struct sta_info *sta)
4676	{
4677	struct ieee80211_fast_rx *old;
4678
4679	spin_lock_bh(lock: &sta->lock);
4680	old = rcu_dereference_protected(sta->fast_rx, true);
4681	RCU_INIT_POINTER(sta->fast_rx, NULL);
4682	spin_unlock_bh(lock: &sta->lock);
4683
4684	if (old)
4685	kfree_rcu(old, rcu_head);
4686	}
4687
4688	void __ieee80211_check_fast_rx_iface(struct ieee80211_sub_if_data *sdata)
4689	{
4690	struct ieee80211_local *local = sdata->local;
4691	struct sta_info *sta;
4692
4693	lockdep_assert_wiphy(local->hw.wiphy);
4694
4695	list_for_each_entry(sta, &local->sta_list, list) {
4696	if (sdata != sta->sdata &&
4697	(!sta->sdata->bss \|\| sta->sdata->bss != sdata->bss))
4698	continue;
4699	ieee80211_check_fast_rx(sta);
4700	}
4701	}
4702
4703	void ieee80211_check_fast_rx_iface(struct ieee80211_sub_if_data *sdata)
4704	{
4705	struct ieee80211_local *local = sdata->local;
4706
4707	lockdep_assert_wiphy(local->hw.wiphy);
4708
4709	__ieee80211_check_fast_rx_iface(sdata);
4710	}
4711
4712	static void ieee80211_rx_8023(struct ieee80211_rx_data *rx,
4713	struct ieee80211_fast_rx *fast_rx,
4714	int orig_len)
4715	{
4716	struct ieee80211_sta_rx_stats *stats;
4717	struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb: rx->skb);
4718	struct sta_info *sta = rx->sta;
4719	struct link_sta_info *link_sta;
4720	struct sk_buff *skb = rx->skb;
4721	void *sa = skb->data + ETH_ALEN;
4722	void *da = skb->data;
4723
4724	if (rx->link_id >= `0`) {
4725	link_sta = rcu_dereference(sta->link[rx->link_id]);
4726	if (WARN_ON_ONCE(!link_sta)) {
4727	dev_kfree_skb(rx->skb);
4728	return;
4729	}
4730	} else {
4731	link_sta = &sta->deflink;
4732	}
4733
4734	stats = &link_sta->rx_stats;
4735	if (fast_rx->uses_rss)
4736	stats = this_cpu_ptr(link_sta->pcpu_rx_stats);
4737
4738	/ statistics part of ieee80211_rx_h_sta_process() /
4739	if (!(status->flag & RX_FLAG_NO_SIGNAL_VAL)) {
4740	stats->last_signal = status->signal;
4741	if (!fast_rx->uses_rss)
4742	ewma_signal_add(e: &link_sta->rx_stats_avg.signal,
4743	val: -status->signal);
4744	}
4745
4746	if (status->chains) {
4747	int i;
4748
4749	stats->chains = status->chains;
4750	for (i = `0`; i < ARRAY_SIZE(status->chain_signal); i++) {
4751	int signal = status->chain_signal[i];
4752
4753	if (!(status->chains & BIT(i)))
4754	continue;
4755
4756	stats->chain_signal_last[i] = signal;
4757	if (!fast_rx->uses_rss)
4758	ewma_signal_add(e: &link_sta->rx_stats_avg.chain_signal[i],
4759	val: -signal);
4760	}
4761	}
4762	/ end of statistics /
4763
4764	stats->last_rx = jiffies;
4765	stats->last_rate = sta_stats_encode_rate(s: status);
4766
4767	stats->fragments++;
4768	stats->packets++;
4769
4770	skb->dev = fast_rx->dev;
4771
4772	dev_sw_netstats_rx_add(dev: fast_rx->dev, len: skb->len);
4773
4774	/ The seqno index has the same property as needed*
4775	* for the rx_msdu field, i.e. it is IEEE80211_NUM_TIDS
4776	* for non-QoS-data frames. Here we know it's a data
4777	* frame, so count MSDUs.
4778	*/
4779	u64_stats_update_begin(syncp: &stats->syncp);
4780	stats->msdu[rx->seqno_idx]++;
4781	stats->bytes += orig_len;
4782	u64_stats_update_end(syncp: &stats->syncp);
4783
4784	if (fast_rx->internal_forward) {
4785	struct sk_buff *xmit_skb = NULL;
4786	if (is_multicast_ether_addr(addr: da)) {
4787	xmit_skb = skb_copy(skb, GFP_ATOMIC);
4788	} else if (!ether_addr_equal(addr1: da, addr2: sa) &&
4789	sta_info_get(sdata: rx->sdata, addr: da)) {
4790	xmit_skb = skb;
4791	skb = NULL;
4792	}
4793
4794	if (xmit_skb) {
4795	/*
4796	* Send to wireless media and increase priority by 256
4797	* to keep the received priority instead of
4798	* reclassifying the frame (see cfg80211_classify8021d).
4799	*/
4800	xmit_skb->priority += `256`;
4801	xmit_skb->protocol = htons(ETH_P_802_3);
4802	skb_reset_network_header(skb: xmit_skb);
4803	skb_reset_mac_header(skb: xmit_skb);
4804	dev_queue_xmit(skb: xmit_skb);
4805	}
4806
4807	if (!skb)
4808	return;
4809	}
4810
4811	/ deliver to local stack /
4812	skb->protocol = eth_type_trans(skb, dev: fast_rx->dev);
4813	ieee80211_deliver_skb_to_local_stack(skb, rx);
4814	}
4815
4816	static bool ieee80211_invoke_fast_rx(struct ieee80211_rx_data *rx,
4817	struct ieee80211_fast_rx *fast_rx)
4818	{
4819	struct sk_buff *skb = rx->skb;
4820	struct ieee80211_hdr hdr = (void* *)skb->data;
4821	struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb);
4822	static ieee80211_rx_result res;
4823	int orig_len = skb->len;
4824	int hdrlen = ieee80211_hdrlen(fc: hdr->frame_control);
4825	int snap_offs = hdrlen;
4826	struct {
4827	u8 snap[sizeof(rfc1042_header)];
4828	__be16 proto;
4829	} *payload __aligned(`2`);
4830	struct {
4831	u8 da[ETH_ALEN];
4832	u8 sa[ETH_ALEN];
4833	} addrs __aligned(`2`);
4834	struct ieee80211_sta_rx_stats *stats;
4835
4836	/ for parallel-rx, we need to have DUP_VALIDATED, otherwise we write*
4837	* to a common data structure; drivers can implement that per queue
4838	* but we don't have that information in mac80211
4839	*/
4840	if (!(status->flag & RX_FLAG_DUP_VALIDATED))
4841	return false;
4842
4843	#define FAST_RX_CRYPT_FLAGS (RX_FLAG_PN_VALIDATED \| RX_FLAG_DECRYPTED)
4844
4845	/ If using encryption, we also need to have:*
4846	* - PN_VALIDATED: similar, but the implementation is tricky
4847	* - DECRYPTED: necessary for PN_VALIDATED
4848	*/
4849	if (fast_rx->key &&
4850	(status->flag & FAST_RX_CRYPT_FLAGS) != FAST_RX_CRYPT_FLAGS)
4851	return false;
4852
4853	if (unlikely(!ieee80211_is_data_present(hdr->frame_control)))
4854	return false;
4855
4856	if (unlikely(ieee80211_is_frag(hdr)))
4857	return false;
4858
4859	/ Since our interface address cannot be multicast, this*
4860	* implicitly also rejects multicast frames without the
4861	* explicit check.
4862	*
4863	* We shouldn't get any data frames not addressed to us
4864	* (AP mode will accept multicast management frames), but
4865	* punting here will make it go through the full checks in
4866	* ieee80211_accept_frame().
4867	*/
4868	if (!ether_addr_equal(addr1: fast_rx->vif_addr, addr2: hdr->addr1))
4869	return false;
4870
4871	if ((hdr->frame_control & cpu_to_le16(IEEE80211_FCTL_FROMDS \|
4872	IEEE80211_FCTL_TODS)) !=
4873	fast_rx->expected_ds_bits)
4874	return false;
4875
4876	/ assign the key to drop unencrypted frames (later)*
4877	* and strip the IV/MIC if necessary
4878	*/
4879	if (fast_rx->key && !(status->flag & RX_FLAG_IV_STRIPPED)) {
4880	/ GCMP header length is the same /
4881	snap_offs += IEEE80211_CCMP_HDR_LEN;
4882	}
4883
4884	if (!ieee80211_vif_is_mesh(vif: &rx->sdata->vif) &&
4885	!(status->rx_flags & IEEE80211_RX_AMSDU)) {
4886	if (!pskb_may_pull(skb, len: snap_offs + sizeof(*payload)))
4887	return false;
4888
4889	payload = (void *)(skb->data + snap_offs);
4890
4891	if (!ether_addr_equal(addr1: payload->snap, addr2: fast_rx->rfc1042_hdr))
4892	return false;
4893
4894	/ Don't handle these here since they require special code.*
4895	* Accept AARP and IPX even though they should come with a
4896	* bridge-tunnel header - but if we get them this way then
4897	* there's little point in discarding them.
4898	*/
4899	if (unlikely(payload->proto == cpu_to_be16(ETH_P_TDLS) \|\|
4900	payload->proto == fast_rx->control_port_protocol))
4901	return false;
4902	}
4903
4904	/ after this point, don't punt to the slowpath! /
4905
4906	if (rx->key && !(status->flag & RX_FLAG_MIC_STRIPPED) &&
4907	pskb_trim(skb, len: skb->len - fast_rx->icv_len))
4908	goto drop;
4909
4910	if (rx->key && !ieee80211_has_protected(fc: hdr->frame_control))
4911	goto drop;
4912
4913	if (status->rx_flags & IEEE80211_RX_AMSDU) {
4914	if (__ieee80211_rx_h_amsdu(rx, data_offset: snap_offs - hdrlen) !=
4915	RX_QUEUED)
4916	goto drop;
4917
4918	return true;
4919	}
4920
4921	/ do the header conversion - first grab the addresses /
4922	ether_addr_copy(dst: addrs.da, src: skb->data + fast_rx->da_offs);
4923	ether_addr_copy(dst: addrs.sa, src: skb->data + fast_rx->sa_offs);
4924	if (ieee80211_vif_is_mesh(vif: &rx->sdata->vif)) {
4925	skb_pull(skb, len: snap_offs - `2`);
4926	put_unaligned_be16(val: skb->len - `2`, p: skb->data);
4927	} else {
4928	skb_postpull_rcsum(skb, start: skb->data + snap_offs,
4929	len: sizeof(rfc1042_header) + `2`);
4930
4931	/ remove the SNAP but leave the ethertype /
4932	skb_pull(skb, len: snap_offs + sizeof(rfc1042_header));
4933	}
4934	/ push the addresses in front /
4935	memcpy(to: skb_push(skb, len: sizeof(addrs)), from: &addrs, len: sizeof(addrs));
4936
4937	res = ieee80211_rx_mesh_data(sdata: rx->sdata, sta: rx->sta, skb: rx->skb);
4938	switch (res) {
4939	case RX_QUEUED:
4940	return true;
4941	case RX_CONTINUE:
4942	break;
4943	default:
4944	goto drop;
4945	}
4946
4947	ieee80211_rx_8023(rx, fast_rx, orig_len);
4948
4949	return true;
4950	drop:
4951	dev_kfree_skb(skb);
4952
4953	if (fast_rx->uses_rss)
4954	stats = this_cpu_ptr(rx->link_sta->pcpu_rx_stats);
4955	else
4956	stats = &rx->link_sta->rx_stats;
4957
4958	stats->dropped++;
4959	return true;
4960	}
4961
4962	/*
4963	* This function returns whether or not the SKB
4964	* was destined for RX processing or not, which,
4965	* if consume is true, is equivalent to whether
4966	* or not the skb was consumed.
4967	*/
4968	static bool ieee80211_prepare_and_rx_handle(struct ieee80211_rx_data *rx,
4969	struct sk_buff *skb, bool consume)
4970	{
4971	struct ieee80211_local *local = rx->local;
4972	struct ieee80211_sub_if_data *sdata = rx->sdata;
4973	struct ieee80211_hdr hdr = (void* *)skb->data;
4974	struct link_sta_info *link_sta = rx->link_sta;
4975	struct ieee80211_link_data *link = rx->link;
4976
4977	rx->skb = skb;
4978
4979	/ See if we can do fast-rx; if we have to copy we already lost,*
4980	* so punt in that case. We should never have to deliver a data
4981	* frame to multiple interfaces anyway.
4982	*
4983	* We skip the ieee80211_accept_frame() call and do the necessary
4984	* checking inside ieee80211_invoke_fast_rx().
4985	*/
4986	if (consume && rx->sta) {
4987	struct ieee80211_fast_rx *fast_rx;
4988
4989	fast_rx = rcu_dereference(rx->sta->fast_rx);
4990	if (fast_rx && ieee80211_invoke_fast_rx(rx, fast_rx))
4991	return true;
4992	}
4993
4994	if (!ieee80211_accept_frame(rx))
4995	return false;
4996
4997	if (!consume) {
4998	struct skb_shared_hwtstamps *shwt;
4999
5000	rx->skb = skb_copy(skb, GFP_ATOMIC);
5001	if (!rx->skb) {
5002	if (net_ratelimit())
5003	wiphy_debug(local->hw.wiphy,
5004	"failed to copy skb for %s\n",
5005	sdata->name);
5006	return true;
5007	}
5008
5009	/ skb_copy() does not copy the hw timestamps, so copy it*
5010	* explicitly
5011	*/
5012	shwt = skb_hwtstamps(skb: rx->skb);
5013	shwt->hwtstamp = skb_hwtstamps(skb)->hwtstamp;
5014
5015	/ Update the hdr pointer to the new skb for translation below /
5016	hdr = (struct ieee80211_hdr *)rx->skb->data;
5017	}
5018
5019	if (unlikely(rx->sta && rx->sta->sta.mlo) &&
5020	is_unicast_ether_addr(addr: hdr->addr1) &&
5021	!ieee80211_is_probe_resp(fc: hdr->frame_control) &&
5022	!ieee80211_is_beacon(fc: hdr->frame_control)) {
5023	/ translate to MLD addresses /
5024	if (ether_addr_equal(addr1: link->conf->addr, addr2: hdr->addr1))
5025	ether_addr_copy(dst: hdr->addr1, src: rx->sdata->vif.addr);
5026	if (ether_addr_equal(addr1: link_sta->addr, addr2: hdr->addr2))
5027	ether_addr_copy(dst: hdr->addr2, src: rx->sta->addr);
5028	/ translate A3 only if it's the BSSID /
5029	if (!ieee80211_has_tods(fc: hdr->frame_control) &&
5030	!ieee80211_has_fromds(fc: hdr->frame_control)) {
5031	if (ether_addr_equal(addr1: link_sta->addr, addr2: hdr->addr3))
5032	ether_addr_copy(dst: hdr->addr3, src: rx->sta->addr);
5033	else if (ether_addr_equal(addr1: link->conf->addr, addr2: hdr->addr3))
5034	ether_addr_copy(dst: hdr->addr3, src: rx->sdata->vif.addr);
5035	}
5036	/ not needed for A4 since it can only carry the SA /
5037	}
5038
5039	ieee80211_invoke_rx_handlers(rx);
5040	return true;
5041	}
5042
5043	static void __ieee80211_rx_handle_8023(struct ieee80211_hw *hw,
5044	struct ieee80211_sta *pubsta,
5045	struct sk_buff *skb,
5046	struct list_head *list)
5047	{
5048	struct ieee80211_local *local = hw_to_local(hw);
5049	struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb);
5050	struct ieee80211_fast_rx *fast_rx;
5051	struct ieee80211_rx_data rx;
5052	struct sta_info *sta;
5053	int link_id = -`1`;
5054
5055	memset(s: &rx, c: `0`, n: sizeof(rx));
5056	rx.skb = skb;
5057	rx.local = local;
5058	rx.list = list;
5059	rx.link_id = -`1`;
5060
5061	I802_DEBUG_INC(local->dot11ReceivedFragmentCount);
5062
5063	/ drop frame if too short for header /
5064	if (skb->len < sizeof(struct ethhdr))
5065	goto drop;
5066
5067	if (!pubsta)
5068	goto drop;
5069
5070	if (status->link_valid)
5071	link_id = status->link_id;
5072
5073	/*
5074	* TODO: Should the frame be dropped if the right link_id is not
5075	* available? Or may be it is fine in the current form to proceed with
5076	* the frame processing because with frame being in 802.3 format,
5077	* link_id is used only for stats purpose and updating the stats on
5078	* the deflink is fine?
5079	*/
5080	sta = container_of(pubsta, struct sta_info, sta);
5081	if (!ieee80211_rx_data_set_sta(rx: &rx, sta, link_id))
5082	goto drop;
5083
5084	fast_rx = rcu_dereference(rx.sta->fast_rx);
5085	if (!fast_rx)
5086	goto drop;
5087
5088	ieee80211_rx_8023(rx: &rx, fast_rx, orig_len: skb->len);
5089	return;
5090
5091	drop:
5092	dev_kfree_skb(skb);
5093	}
5094
5095	static bool ieee80211_rx_for_interface(struct ieee80211_rx_data *rx,
5096	struct sk_buff *skb, bool consume)
5097	{
5098	struct link_sta_info *link_sta;
5099	struct ieee80211_hdr hdr = (void* *)skb->data;
5100	struct sta_info *sta;
5101	int link_id = -`1`;
5102
5103	/*
5104	* Look up link station first, in case there's a
5105	* chance that they might have a link address that
5106	* is identical to the MLD address, that way we'll
5107	* have the link information if needed.
5108	*/
5109	link_sta = link_sta_info_get_bss(sdata: rx->sdata, addr: hdr->addr2);
5110	if (link_sta) {
5111	sta = link_sta->sta;
5112	link_id = link_sta->link_id;
5113	} else {
5114	struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb);
5115
5116	sta = sta_info_get_bss(sdata: rx->sdata, addr: hdr->addr2);
5117	if (status->link_valid) {
5118	link_id = status->link_id;
5119	} else if (ieee80211_vif_is_mld(vif: &rx->sdata->vif) &&
5120	status->freq) {
5121	struct ieee80211_link_data *link;
5122	struct ieee80211_chanctx_conf *conf;
5123
5124	for_each_link_data_rcu(rx->sdata, link) {
5125	conf = rcu_dereference(link->conf->chanctx_conf);
5126	if (!conf \|\| !conf->def.chan)
5127	continue;
5128
5129	if (status->freq == conf->def.chan->center_freq) {
5130	link_id = link->link_id;
5131	break;
5132	}
5133	}
5134	}
5135	}
5136
5137	if (!ieee80211_rx_data_set_sta(rx, sta, link_id))
5138	return false;
5139
5140	return ieee80211_prepare_and_rx_handle(rx, skb, consume);
5141	}
5142
5143	/*
5144	* This is the actual Rx frames handler. as it belongs to Rx path it must
5145	* be called with rcu_read_lock protection.
5146	*/
5147	static void __ieee80211_rx_handle_packet(struct ieee80211_hw *hw,
5148	struct ieee80211_sta *pubsta,
5149	struct sk_buff *skb,
5150	struct list_head *list)
5151	{
5152	struct ieee80211_local *local = hw_to_local(hw);
5153	struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb);
5154	struct ieee80211_sub_if_data *sdata;
5155	struct ieee80211_hdr *hdr;
5156	__le16 fc;
5157	struct ieee80211_rx_data rx;
5158	struct ieee80211_sub_if_data *prev;
5159	struct rhlist_head *tmp;
5160	int err = `0`;
5161
5162	fc = ((struct ieee80211_hdr *)skb->data)->frame_control;
5163	memset(s: &rx, c: `0`, n: sizeof(rx));
5164	rx.skb = skb;
5165	rx.local = local;
5166	rx.list = list;
5167	rx.link_id = -`1`;
5168
5169	if (ieee80211_is_data(fc) \|\| ieee80211_is_mgmt(fc))
5170	I802_DEBUG_INC(local->dot11ReceivedFragmentCount);
5171
5172	if (ieee80211_is_mgmt(fc)) {
5173	/ drop frame if too short for header /
5174	if (skb->len < ieee80211_hdrlen(fc))
5175	err = -ENOBUFS;
5176	else
5177	err = skb_linearize(skb);
5178	} else {
5179	err = !pskb_may_pull(skb, len: ieee80211_hdrlen(fc));
5180	}
5181
5182	if (err) {
5183	dev_kfree_skb(skb);
5184	return;
5185	}
5186
5187	hdr = (struct ieee80211_hdr *)skb->data;
5188	ieee80211_parse_qos(rx: &rx);
5189	ieee80211_verify_alignment(rx: &rx);
5190
5191	if (unlikely(ieee80211_is_probe_resp(hdr->frame_control) \|\|
5192	ieee80211_is_beacon(hdr->frame_control) \|\|
5193	ieee80211_is_s1g_beacon(hdr->frame_control)))
5194	ieee80211_scan_rx(local, skb);
5195
5196	if (ieee80211_is_data(fc)) {
5197	struct sta_info sta, prev_sta;
5198	int link_id = -`1`;
5199
5200	if (status->link_valid)
5201	link_id = status->link_id;
5202
5203	if (pubsta) {
5204	sta = container_of(pubsta, struct sta_info, sta);
5205	if (!ieee80211_rx_data_set_sta(rx: &rx, sta, link_id))
5206	goto out;
5207
5208	/*
5209	* In MLO connection, fetch the link_id using addr2
5210	* when the driver does not pass link_id in status.
5211	* When the address translation is already performed by
5212	* driver/hw, the valid link_id must be passed in
5213	* status.
5214	*/
5215
5216	if (!status->link_valid && pubsta->mlo) {
5217	struct link_sta_info *link_sta;
5218
5219	link_sta = link_sta_info_get_bss(sdata: rx.sdata,
5220	addr: hdr->addr2);
5221	if (!link_sta)
5222	goto out;
5223
5224	ieee80211_rx_data_set_link(rx: &rx, link_id: link_sta->link_id);
5225	}
5226
5227	if (ieee80211_prepare_and_rx_handle(rx: &rx, skb, consume: true))
5228	return;
5229	goto out;
5230	}
5231
5232	prev_sta = NULL;
5233
5234	for_each_sta_info(local, hdr->addr2, sta, tmp) {
5235	if (!prev_sta) {
5236	prev_sta = sta;
5237	continue;
5238	}
5239
5240	rx.sdata = prev_sta->sdata;
5241	if (!status->link_valid && prev_sta->sta.mlo) {
5242	struct link_sta_info *link_sta;
5243
5244	link_sta = link_sta_info_get_bss(sdata: rx.sdata,
5245	addr: hdr->addr2);
5246	if (!link_sta)
5247	continue;
5248
5249	link_id = link_sta->link_id;
5250	}
5251
5252	if (!ieee80211_rx_data_set_sta(rx: &rx, sta: prev_sta, link_id))
5253	goto out;
5254
5255	ieee80211_prepare_and_rx_handle(rx: &rx, skb, consume: false);
5256
5257	prev_sta = sta;
5258	}
5259
5260	if (prev_sta) {
5261	rx.sdata = prev_sta->sdata;
5262	if (!status->link_valid && prev_sta->sta.mlo) {
5263	struct link_sta_info *link_sta;
5264
5265	link_sta = link_sta_info_get_bss(sdata: rx.sdata,
5266	addr: hdr->addr2);
5267	if (!link_sta)
5268	goto out;
5269
5270	link_id = link_sta->link_id;
5271	}
5272
5273	if (!ieee80211_rx_data_set_sta(rx: &rx, sta: prev_sta, link_id))
5274	goto out;
5275
5276	if (ieee80211_prepare_and_rx_handle(rx: &rx, skb, consume: true))
5277	return;
5278	goto out;
5279	}
5280	}
5281
5282	prev = NULL;
5283
5284	list_for_each_entry_rcu(sdata, &local->interfaces, list) {
5285	if (!ieee80211_sdata_running(sdata))
5286	continue;
5287
5288	if (sdata->vif.type == NL80211_IFTYPE_MONITOR \|\|
5289	sdata->vif.type == NL80211_IFTYPE_AP_VLAN)
5290	continue;
5291
5292	/*
5293	* frame is destined for this interface, but if it's
5294	* not also for the previous one we handle that after
5295	* the loop to avoid copying the SKB once too much
5296	*/
5297
5298	if (!prev) {
5299	prev = sdata;
5300	continue;
5301	}
5302
5303	rx.sdata = prev;
5304	ieee80211_rx_for_interface(rx: &rx, skb, consume: false);
5305
5306	prev = sdata;
5307	}
5308
5309	if (prev) {
5310	rx.sdata = prev;
5311
5312	if (ieee80211_rx_for_interface(rx: &rx, skb, consume: true))
5313	return;
5314	}
5315
5316	out:
5317	dev_kfree_skb(skb);
5318	}
5319
5320	/*
5321	* This is the receive path handler. It is called by a low level driver when an
5322	* 802.11 MPDU is received from the hardware.
5323	*/
5324	void ieee80211_rx_list(struct ieee80211_hw hw, struct* ieee80211_sta *pubsta,
5325	struct sk_buff skb, struct* list_head *list)
5326	{
5327	struct ieee80211_local *local = hw_to_local(hw);
5328	struct ieee80211_rate *rate = NULL;
5329	struct ieee80211_supported_band *sband;
5330	struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb);
5331	struct ieee80211_hdr hdr = (struct* ieee80211_hdr *)skb->data;
5332
5333	WARN_ON_ONCE(softirq_count() == `0`);
5334
5335	if (WARN_ON(status->band >= NUM_NL80211_BANDS))
5336	goto drop;
5337
5338	sband = local->hw.wiphy->bands[status->band];
5339	if (WARN_ON(!sband))
5340	goto drop;
5341
5342	/*
5343	* If we're suspending, it is possible although not too likely
5344	* that we'd be receiving frames after having already partially
5345	* quiesced the stack. We can't process such frames then since
5346	* that might, for example, cause stations to be added or other
5347	* driver callbacks be invoked.
5348	*/
5349	if (unlikely(local->quiescing \|\| local->suspended))
5350	goto drop;
5351
5352	/ We might be during a HW reconfig, prevent Rx for the same reason /
5353	if (unlikely(local->in_reconfig))
5354	goto drop;
5355
5356	/*
5357	* The same happens when we're not even started,
5358	* but that's worth a warning.
5359	*/
5360	if (WARN_ON(!local->started))
5361	goto drop;
5362
5363	if (likely(!(status->flag & RX_FLAG_FAILED_PLCP_CRC))) {
5364	/*
5365	* Validate the rate, unless a PLCP error means that
5366	* we probably can't have a valid rate here anyway.
5367	*/
5368
5369	switch (status->encoding) {
5370	case RX_ENC_HT:
5371	/*
5372	* rate_idx is MCS index, which can be [0-76]
5373	* as documented on:
5374	*
5375	* https://wireless.wiki.kernel.org/en/developers/Documentation/ieee80211/802.11n
5376	*
5377	* Anything else would be some sort of driver or
5378	* hardware error. The driver should catch hardware
5379	* errors.
5380	*/
5381	if (WARN(status->rate_idx > `76`,
5382	"Rate marked as an HT rate but passed "
5383	"status->rate_idx is not "
5384	"an MCS index [0-76]: %d (0x%02x)\n",
5385	status->rate_idx,
5386	status->rate_idx))
5387	goto drop;
5388	break;
5389	case RX_ENC_VHT:
5390	if (WARN_ONCE(status->rate_idx > `11` \|\|
5391	!status->nss \|\|
5392	status->nss > `8`,
5393	"Rate marked as a VHT rate but data is invalid: MCS: %d, NSS: %d\n",
5394	status->rate_idx, status->nss))
5395	goto drop;
5396	break;
5397	case RX_ENC_HE:
5398	if (WARN_ONCE(status->rate_idx > `11` \|\|
5399	!status->nss \|\|
5400	status->nss > `8`,
5401	"Rate marked as an HE rate but data is invalid: MCS: %d, NSS: %d\n",
5402	status->rate_idx, status->nss))
5403	goto drop;
5404	break;
5405	case RX_ENC_EHT:
5406	if (WARN_ONCE(status->rate_idx > `15` \|\|
5407	!status->nss \|\|
5408	status->nss > `8` \|\|
5409	status->eht.gi > NL80211_RATE_INFO_EHT_GI_3_2,
5410	"Rate marked as an EHT rate but data is invalid: MCS:%d, NSS:%d, GI:%d\n",
5411	status->rate_idx, status->nss, status->eht.gi))
5412	goto drop;
5413	break;
5414	default:
5415	WARN_ON_ONCE(`1`);
5416	fallthrough;
5417	case RX_ENC_LEGACY:
5418	if (WARN_ON(status->rate_idx >= sband->n_bitrates))
5419	goto drop;
5420	rate = &sband->bitrates[status->rate_idx];
5421	}
5422	}
5423
5424	if (WARN_ON_ONCE(status->link_id >= IEEE80211_LINK_UNSPECIFIED))
5425	goto drop;
5426
5427	status->rx_flags = `0`;
5428
5429	kcov_remote_start_common(id: skb_get_kcov_handle(skb));
5430
5431	/*
5432	* Frames with failed FCS/PLCP checksum are not returned,
5433	* all other frames are returned without radiotap header
5434	* if it was previously present.
5435	* Also, frames with less than 16 bytes are dropped.
5436	*/
5437	if (!(status->flag & RX_FLAG_8023))
5438	skb = ieee80211_rx_monitor(local, origskb: skb, rate);
5439	if (skb) {
5440	if ((status->flag & RX_FLAG_8023) \|\|
5441	ieee80211_is_data_present(fc: hdr->frame_control))
5442	ieee80211_tpt_led_trig_rx(local, bytes: skb->len);
5443
5444	if (status->flag & RX_FLAG_8023)
5445	__ieee80211_rx_handle_8023(hw, pubsta, skb, list);
5446	else
5447	__ieee80211_rx_handle_packet(hw, pubsta, skb, list);
5448	}
5449
5450	kcov_remote_stop();
5451	return;
5452	drop:
5453	kfree_skb(skb);
5454	}
5455	EXPORT_SYMBOL(ieee80211_rx_list);
5456
5457	void ieee80211_rx_napi(struct ieee80211_hw hw, struct* ieee80211_sta *pubsta,
5458	struct sk_buff skb, struct* napi_struct *napi)
5459	{
5460	struct sk_buff *tmp;
5461	LIST_HEAD(list);
5462
5463
5464	/*
5465	* key references and virtual interfaces are protected using RCU
5466	* and this requires that we are in a read-side RCU section during
5467	* receive processing
5468	*/
5469	rcu_read_lock();
5470	ieee80211_rx_list(hw, pubsta, skb, &list);
5471	rcu_read_unlock();
5472
5473	if (!napi) {
5474	netif_receive_skb_list(head: &list);
5475	return;
5476	}
5477
5478	list_for_each_entry_safe(skb, tmp, &list, list) {
5479	skb_list_del_init(skb);
5480	napi_gro_receive(napi, skb);
5481	}
5482	}
5483	EXPORT_SYMBOL(ieee80211_rx_napi);
5484
5485	/ This is a version of the rx handler that can be called from hard irq*
5486	* context. Post the skb on the queue and schedule the tasklet */
5487	void ieee80211_rx_irqsafe(struct ieee80211_hw hw, struct* sk_buff *skb)
5488	{
5489	struct ieee80211_local *local = hw_to_local(hw);
5490
5491	BUILD_BUG_ON(sizeof(struct ieee80211_rx_status) > sizeof(skb->cb));
5492
5493	skb->pkt_type = IEEE80211_RX_MSG;
5494	skb_queue_tail(list: &local->skb_queue, newsk: skb);
5495	tasklet_schedule(t: &local->tasklet);
5496	}
5497	EXPORT_SYMBOL(ieee80211_rx_irqsafe);
5498

Browse the source code of Linux/net/mac80211/rx.c