net/mac80211: Use wiphy_<level>

[net-next-2.6.git] / net / mac80211 / rx.c

diff --git a/net/mac80211/rx.c b/net/mac80211/rx.c
index be9abc2e6348943753aab8daae864b561adce82f..e1844f7085debca9aff358a332260d634b160d51 100644 (file)
--- a/net/mac80211/rx.c
+++ b/net/mac80211/rx.c
@@ -293,7 +293,7 @@ ieee80211_rx_monitor(struct ieee80211_local *local, struct sk_buff *origskb,
                        skb2 = skb_clone(skb, GFP_ATOMIC);
                        if (skb2) {
                                skb2->dev = prev_dev;
-                               netif_rx(skb2);
+                               netif_receive_skb(skb2);
                        }
                }
 
@@ -304,7 +304,7 @@ ieee80211_rx_monitor(struct ieee80211_local *local, struct sk_buff *origskb,
 
        if (prev_dev) {
                skb->dev = prev_dev;
-               netif_rx(skb);
+               netif_receive_skb(skb);
        } else
                dev_kfree_skb(skb);
 
@@ -538,20 +538,12 @@ static void ieee80211_release_reorder_frame(struct ieee80211_hw *hw,
                                            int index,
                                            struct sk_buff_head *frames)
 {
-       struct ieee80211_supported_band *sband;
-       struct ieee80211_rate *rate = NULL;
        struct sk_buff *skb = tid_agg_rx->reorder_buf[index];
-       struct ieee80211_rx_status *status;
 
        if (!skb)
                goto no_frame;
 
-       status = IEEE80211_SKB_RXCB(skb);
-
-       /* release the reordered frames to stack */
-       sband = hw->wiphy->bands[status->band];
-       if (!(status->flag & RX_FLAG_HT))
-               rate = &sband->bitrates[status->rate_idx];
+       /* release the frame from the reorder ring buffer */
        tid_agg_rx->stored_mpdu_num--;
        tid_agg_rx->reorder_buf[index] = NULL;
        __skb_queue_tail(frames, skb);
@@ -580,9 +572,78 @@ static void ieee80211_release_reorder_frames(struct ieee80211_hw *hw,
  * frames that have not yet been received are assumed to be lost and the skb
  * can be released for processing. This may also release other skb's from the
  * reorder buffer if there are no additional gaps between the frames.
+ *
+ * Callers must hold tid_agg_rx->reorder_lock.
  */
 #define HT_RX_REORDER_BUF_TIMEOUT (HZ / 10)
 
+static void ieee80211_sta_reorder_release(struct ieee80211_hw *hw,
+                                         struct tid_ampdu_rx *tid_agg_rx,
+                                         struct sk_buff_head *frames)
+{
+       int index, j;
+
+       /* release the buffer until next missing frame */
+       index = seq_sub(tid_agg_rx->head_seq_num, tid_agg_rx->ssn) %
+                                               tid_agg_rx->buf_size;
+       if (!tid_agg_rx->reorder_buf[index] &&
+           tid_agg_rx->stored_mpdu_num > 1) {
+               /*
+                * No buffers ready to be released, but check whether any
+                * frames in the reorder buffer have timed out.
+                */
+               int skipped = 1;
+               for (j = (index + 1) % tid_agg_rx->buf_size; j != index;
+                    j = (j + 1) % tid_agg_rx->buf_size) {
+                       if (!tid_agg_rx->reorder_buf[j]) {
+                               skipped++;
+                               continue;
+                       }
+                       if (!time_after(jiffies, tid_agg_rx->reorder_time[j] +
+                                       HT_RX_REORDER_BUF_TIMEOUT))
+                               goto set_release_timer;
+
+#ifdef CONFIG_MAC80211_HT_DEBUG
+                       if (net_ratelimit())
+                               wiphy_debug(hw->wiphy,
+                                           "release an RX reorder frame due to timeout on earlier frames\n");
+#endif
+                       ieee80211_release_reorder_frame(hw, tid_agg_rx,
+                                                       j, frames);
+
+                       /*
+                        * Increment the head seq# also for the skipped slots.
+                        */
+                       tid_agg_rx->head_seq_num =
+                               (tid_agg_rx->head_seq_num + skipped) & SEQ_MASK;
+                       skipped = 0;
+               }
+       } else while (tid_agg_rx->reorder_buf[index]) {
+               ieee80211_release_reorder_frame(hw, tid_agg_rx, index, frames);
+               index = seq_sub(tid_agg_rx->head_seq_num, tid_agg_rx->ssn) %
+                                                       tid_agg_rx->buf_size;
+       }
+
+       if (tid_agg_rx->stored_mpdu_num) {
+               j = index = seq_sub(tid_agg_rx->head_seq_num,
+                                   tid_agg_rx->ssn) % tid_agg_rx->buf_size;
+
+               for (; j != (index - 1) % tid_agg_rx->buf_size;
+                    j = (j + 1) % tid_agg_rx->buf_size) {
+                       if (tid_agg_rx->reorder_buf[j])
+                               break;
+               }
+
+ set_release_timer:
+
+               mod_timer(&tid_agg_rx->reorder_timer,
+                         tid_agg_rx->reorder_time[j] +
+                         HT_RX_REORDER_BUF_TIMEOUT);
+       } else {
+               del_timer(&tid_agg_rx->reorder_timer);
+       }
+}
+
 /*
  * As this function belongs to the RX path it must be under
  * rcu_read_lock protection. It returns false if the frame
@@ -598,14 +659,16 @@ static bool ieee80211_sta_manage_reorder_buf(struct ieee80211_hw *hw,
        u16 mpdu_seq_num = (sc & IEEE80211_SCTL_SEQ) >> 4;
        u16 head_seq_num, buf_size;
        int index;
+       bool ret = true;
 
        buf_size = tid_agg_rx->buf_size;
        head_seq_num = tid_agg_rx->head_seq_num;
 
+       spin_lock(&tid_agg_rx->reorder_lock);
        /* frame with out of date sequence number */
        if (seq_less(mpdu_seq_num, head_seq_num)) {
                dev_kfree_skb(skb);
-               return true;
+               goto out;
        }
 
        /*
@@ -626,7 +689,7 @@ static bool ieee80211_sta_manage_reorder_buf(struct ieee80211_hw *hw,
        /* check if we already stored this frame */
        if (tid_agg_rx->reorder_buf[index]) {
                dev_kfree_skb(skb);
-               return true;
+               goto out;
        }
 
        /*
@@ -636,58 +699,19 @@ static bool ieee80211_sta_manage_reorder_buf(struct ieee80211_hw *hw,
        if (mpdu_seq_num == tid_agg_rx->head_seq_num &&
            tid_agg_rx->stored_mpdu_num == 0) {
                tid_agg_rx->head_seq_num = seq_inc(tid_agg_rx->head_seq_num);
-               return false;
+               ret = false;
+               goto out;
        }
 
        /* put the frame in the reordering buffer */
        tid_agg_rx->reorder_buf[index] = skb;
        tid_agg_rx->reorder_time[index] = jiffies;
        tid_agg_rx->stored_mpdu_num++;
-       /* release the buffer until next missing frame */
-       index = seq_sub(tid_agg_rx->head_seq_num, tid_agg_rx->ssn) %
-                                               tid_agg_rx->buf_size;
-       if (!tid_agg_rx->reorder_buf[index] &&
-           tid_agg_rx->stored_mpdu_num > 1) {
-               /*
-                * No buffers ready to be released, but check whether any
-                * frames in the reorder buffer have timed out.
-                */
-               int j;
-               int skipped = 1;
-               for (j = (index + 1) % tid_agg_rx->buf_size; j != index;
-                    j = (j + 1) % tid_agg_rx->buf_size) {
-                       if (!tid_agg_rx->reorder_buf[j]) {
-                               skipped++;
-                               continue;
-                       }
-                       if (!time_after(jiffies, tid_agg_rx->reorder_time[j] +
-                                       HT_RX_REORDER_BUF_TIMEOUT))
-                               break;
+       ieee80211_sta_reorder_release(hw, tid_agg_rx, frames);
 
-#ifdef CONFIG_MAC80211_HT_DEBUG
-                       if (net_ratelimit())
-                               printk(KERN_DEBUG "%s: release an RX reorder "
-                                      "frame due to timeout on earlier "
-                                      "frames\n",
-                                      wiphy_name(hw->wiphy));
-#endif
-                       ieee80211_release_reorder_frame(hw, tid_agg_rx,
-                                                       j, frames);
-
-                       /*
-                        * Increment the head seq# also for the skipped slots.
-                        */
-                       tid_agg_rx->head_seq_num =
-                               (tid_agg_rx->head_seq_num + skipped) & SEQ_MASK;
-                       skipped = 0;
-               }
-       } else while (tid_agg_rx->reorder_buf[index]) {
-               ieee80211_release_reorder_frame(hw, tid_agg_rx, index, frames);
-               index = seq_sub(tid_agg_rx->head_seq_num, tid_agg_rx->ssn) %
-                                                       tid_agg_rx->buf_size;
-       }
-
-       return true;
+ out:
+       spin_unlock(&tid_agg_rx->reorder_lock);
+       return ret;
 }
 
 /*
@@ -719,16 +743,13 @@ static void ieee80211_rx_reorder_ampdu(struct ieee80211_rx_data *rx,
 
        tid = *ieee80211_get_qos_ctl(hdr) & IEEE80211_QOS_CTL_TID_MASK;
 
-       spin_lock(&sta->lock);
-
-       if (!sta->ampdu_mlme.tid_active_rx[tid])
-               goto dont_reorder_unlock;
-
-       tid_agg_rx = sta->ampdu_mlme.tid_rx[tid];
+       tid_agg_rx = rcu_dereference(sta->ampdu_mlme.tid_rx[tid]);
+       if (!tid_agg_rx)
+               goto dont_reorder;
 
        /* qos null data frames are excluded */
        if (unlikely(hdr->frame_control & cpu_to_le16(IEEE80211_STYPE_NULLFUNC)))
-               goto dont_reorder_unlock;
+               goto dont_reorder;
 
        /* new, potentially un-ordered, ampdu frame - process it */
 
@@ -740,20 +761,22 @@ static void ieee80211_rx_reorder_ampdu(struct ieee80211_rx_data *rx,
        /* if this mpdu is fragmented - terminate rx aggregation session */
        sc = le16_to_cpu(hdr->seq_ctrl);
        if (sc & IEEE80211_SCTL_FRAG) {
-               spin_unlock(&sta->lock);
-               __ieee80211_stop_rx_ba_session(sta, tid, WLAN_BACK_RECIPIENT,
-                                              WLAN_REASON_QSTA_REQUIRE_SETUP);
-               dev_kfree_skb(skb);
+               skb->pkt_type = IEEE80211_SDATA_QUEUE_TYPE_FRAME;
+               skb_queue_tail(&rx->sdata->skb_queue, skb);
+               ieee80211_queue_work(&local->hw, &rx->sdata->work);
                return;
        }
 
-       if (ieee80211_sta_manage_reorder_buf(hw, tid_agg_rx, skb, frames)) {
-               spin_unlock(&sta->lock);
+       /*
+        * No locking needed -- we will only ever process one
+        * RX packet at a time, and thus own tid_agg_rx. All
+        * other code manipulating it needs to (and does) make
+        * sure that we cannot get to it any more before doing
+        * anything with it.
+        */
+       if (ieee80211_sta_manage_reorder_buf(hw, tid_agg_rx, skb, frames))
                return;
-       }
 
- dont_reorder_unlock:
-       spin_unlock(&sta->lock);
  dont_reorder:
        __skb_queue_tail(frames, skb);
 }
@@ -825,6 +848,7 @@ ieee80211_rx_h_decrypt(struct ieee80211_rx_data *rx)
        ieee80211_rx_result result = RX_DROP_UNUSABLE;
        struct ieee80211_key *stakey = NULL;
        int mmie_keyidx = -1;
+       __le16 fc;
 
        /*
         * Key selection 101
@@ -866,13 +890,18 @@ ieee80211_rx_h_decrypt(struct ieee80211_rx_data *rx)
        if (rx->sta)
                stakey = rcu_dereference(rx->sta->key);
 
-       if (!ieee80211_has_protected(hdr->frame_control))
+       fc = hdr->frame_control;
+
+       if (!ieee80211_has_protected(fc))
                mmie_keyidx = ieee80211_get_mmie_keyidx(rx->skb);
 
        if (!is_multicast_ether_addr(hdr->addr1) && stakey) {
                rx->key = stakey;
+               if ((status->flag & RX_FLAG_DECRYPTED) &&
+                   (status->flag & RX_FLAG_IV_STRIPPED))
+                       return RX_CONTINUE;
                /* Skip decryption if the frame is not protected. */
-               if (!ieee80211_has_protected(hdr->frame_control))
+               if (!ieee80211_has_protected(fc))
                        return RX_CONTINUE;
        } else if (mmie_keyidx >= 0) {
                /* Broadcast/multicast robust management frame / BIP */
@@ -884,7 +913,7 @@ ieee80211_rx_h_decrypt(struct ieee80211_rx_data *rx)
                    mmie_keyidx >= NUM_DEFAULT_KEYS + NUM_DEFAULT_MGMT_KEYS)
                        return RX_DROP_MONITOR; /* unexpected BIP keyidx */
                rx->key = rcu_dereference(rx->sdata->keys[mmie_keyidx]);
-       } else if (!ieee80211_has_protected(hdr->frame_control)) {
+       } else if (!ieee80211_has_protected(fc)) {
                /*
                 * The frame was not protected, so skip decryption. However, we
                 * need to set rx->key if there is a key that could have been
@@ -892,7 +921,7 @@ ieee80211_rx_h_decrypt(struct ieee80211_rx_data *rx)
                 * have been expected.
                 */
                struct ieee80211_key *key = NULL;
-               if (ieee80211_is_mgmt(hdr->frame_control) &&
+               if (ieee80211_is_mgmt(fc) &&
                    is_multicast_ether_addr(hdr->addr1) &&
                    (key = rcu_dereference(rx->sdata->default_mgmt_key)))
                        rx->key = key;
@@ -914,7 +943,7 @@ ieee80211_rx_h_decrypt(struct ieee80211_rx_data *rx)
                    (status->flag & RX_FLAG_IV_STRIPPED))
                        return RX_CONTINUE;
 
-               hdrlen = ieee80211_hdrlen(hdr->frame_control);
+               hdrlen = ieee80211_hdrlen(fc);
 
                if (rx->skb->len < 8 + hdrlen)
                        return RX_DROP_UNUSABLE; /* TODO: count this? */
@@ -933,7 +962,8 @@ ieee80211_rx_h_decrypt(struct ieee80211_rx_data *rx)
                 * pairwise or station-to-station keys, but for WEP we allow
                 * using a key index as well.
                 */
-               if (rx->key && rx->key->conf.alg != ALG_WEP &&
+               if (rx->key && rx->key->conf.cipher != WLAN_CIPHER_SUITE_WEP40 &&
+                   rx->key->conf.cipher != WLAN_CIPHER_SUITE_WEP104 &&
                    !is_multicast_ether_addr(hdr->addr1))
                        rx->key = NULL;
        }
@@ -947,28 +977,27 @@ ieee80211_rx_h_decrypt(struct ieee80211_rx_data *rx)
 
        if (skb_linearize(rx->skb))
                return RX_DROP_UNUSABLE;
+       /* the hdr variable is invalid now! */
+
+       switch (rx->key->conf.cipher) {
+       case WLAN_CIPHER_SUITE_WEP40:
+       case WLAN_CIPHER_SUITE_WEP104:
+               /* Check for weak IVs if possible */
+               if (rx->sta && ieee80211_is_data(fc) &&
+                   (!(status->flag & RX_FLAG_IV_STRIPPED) ||
+                    !(status->flag & RX_FLAG_DECRYPTED)) &&
+                   ieee80211_wep_is_weak_iv(rx->skb, rx->key))
+                       rx->sta->wep_weak_iv_count++;
 
-       hdr = (struct ieee80211_hdr *)rx->skb->data;
-
-       /* Check for weak IVs if possible */
-       if (rx->sta && rx->key->conf.alg == ALG_WEP &&
-           ieee80211_is_data(hdr->frame_control) &&
-           (!(status->flag & RX_FLAG_IV_STRIPPED) ||
-            !(status->flag & RX_FLAG_DECRYPTED)) &&
-           ieee80211_wep_is_weak_iv(rx->skb, rx->key))
-               rx->sta->wep_weak_iv_count++;
-
-       switch (rx->key->conf.alg) {
-       case ALG_WEP:
                result = ieee80211_crypto_wep_decrypt(rx);
                break;
-       case ALG_TKIP:
+       case WLAN_CIPHER_SUITE_TKIP:
                result = ieee80211_crypto_tkip_decrypt(rx);
                break;
-       case ALG_CCMP:
+       case WLAN_CIPHER_SUITE_CCMP:
                result = ieee80211_crypto_ccmp_decrypt(rx);
                break;
-       case ALG_AES_CMAC:
+       case WLAN_CIPHER_SUITE_AES_CMAC:
                result = ieee80211_crypto_aes_cmac_decrypt(rx);
                break;
        }
@@ -1265,13 +1294,15 @@ ieee80211_rx_h_defragment(struct ieee80211_rx_data *rx)
                /* This is the first fragment of a new frame. */
                entry = ieee80211_reassemble_add(rx->sdata, frag, seq,
                                                 rx->queue, &(rx->skb));
-               if (rx->key && rx->key->conf.alg == ALG_CCMP &&
+               if (rx->key && rx->key->conf.cipher == WLAN_CIPHER_SUITE_CCMP &&
                    ieee80211_has_protected(fc)) {
+                       int queue = ieee80211_is_mgmt(fc) ?
+                               NUM_RX_DATA_QUEUES : rx->queue;
                        /* Store CCMP PN so that we can verify that the next
                         * fragment has a sequential PN value. */
                        entry->ccmp = 1;
                        memcpy(entry->last_pn,
-                              rx->key->u.ccmp.rx_pn[rx->queue],
+                              rx->key->u.ccmp.rx_pn[queue],
                               CCMP_PN_LEN);
                }
                return RX_QUEUED;
@@ -1291,7 +1322,8 @@ ieee80211_rx_h_defragment(struct ieee80211_rx_data *rx)
        if (entry->ccmp) {
                int i;
                u8 pn[CCMP_PN_LEN], *rpn;
-               if (!rx->key || rx->key->conf.alg != ALG_CCMP)
+               int queue;
+               if (!rx->key || rx->key->conf.cipher != WLAN_CIPHER_SUITE_CCMP)
                        return RX_DROP_UNUSABLE;
                memcpy(pn, entry->last_pn, CCMP_PN_LEN);
                for (i = CCMP_PN_LEN - 1; i >= 0; i--) {
@@ -1299,7 +1331,9 @@ ieee80211_rx_h_defragment(struct ieee80211_rx_data *rx)
                        if (pn[i])
                                break;
                }
-               rpn = rx->key->u.ccmp.rx_pn[rx->queue];
+               queue = ieee80211_is_mgmt(fc) ?
+                       NUM_RX_DATA_QUEUES : rx->queue;
+               rpn = rx->key->u.ccmp.rx_pn[queue];
                if (memcmp(pn, rpn, CCMP_PN_LEN))
                        return RX_DROP_UNUSABLE;
                memcpy(entry->last_pn, pn, CCMP_PN_LEN);
@@ -1573,7 +1607,7 @@ ieee80211_deliver_skb(struct ieee80211_rx_data *rx)
                        /* deliver to local stack */
                        skb->protocol = eth_type_trans(skb, dev);
                        memset(skb->cb, 0, sizeof(skb->cb));
-                       netif_rx(skb);
+                       netif_receive_skb(skb);
                }
        }
 
@@ -1829,13 +1863,11 @@ ieee80211_rx_h_ctrl(struct ieee80211_rx_data *rx, struct sk_buff_head *frames)
                                  &bar_data, sizeof(bar_data)))
                        return RX_DROP_MONITOR;
 
-               spin_lock(&rx->sta->lock);
                tid = le16_to_cpu(bar_data.control) >> 12;
-               if (!rx->sta->ampdu_mlme.tid_active_rx[tid]) {
-                       spin_unlock(&rx->sta->lock);
+
+               tid_agg_rx = rcu_dereference(rx->sta->ampdu_mlme.tid_rx[tid]);
+               if (!tid_agg_rx)
                        return RX_DROP_MONITOR;
-               }
-               tid_agg_rx = rx->sta->ampdu_mlme.tid_rx[tid];
 
                start_seq_num = le16_to_cpu(bar_data.start_seq_num) >> 4;
 
@@ -1848,11 +1880,15 @@ ieee80211_rx_h_ctrl(struct ieee80211_rx_data *rx, struct sk_buff_head *frames)
                ieee80211_release_reorder_frames(hw, tid_agg_rx, start_seq_num,
                                                 frames);
                kfree_skb(skb);
-               spin_unlock(&rx->sta->lock);
                return RX_QUEUED;
        }
 
-       return RX_CONTINUE;
+       /*
+        * After this point, we only want management frames,
+        * so we can drop all remaining control frames to
+        * cooked monitor interfaces.
+        */
+       return RX_DROP_MONITOR;
 }
 
 static void ieee80211_process_sa_query_req(struct ieee80211_sub_if_data *sdata,
@@ -1901,14 +1937,37 @@ static void ieee80211_process_sa_query_req(struct ieee80211_sub_if_data *sdata,
        ieee80211_tx_skb(sdata, skb);
 }
 
+static ieee80211_rx_result debug_noinline
+ieee80211_rx_h_mgmt_check(struct ieee80211_rx_data *rx)
+{
+       struct ieee80211_mgmt *mgmt = (struct ieee80211_mgmt *) rx->skb->data;
+
+       /*
+        * From here on, look only at management frames.
+        * Data and control frames are already handled,
+        * and unknown (reserved) frames are useless.
+        */
+       if (rx->skb->len < 24)
+               return RX_DROP_MONITOR;
+
+       if (!ieee80211_is_mgmt(mgmt->frame_control))
+               return RX_DROP_MONITOR;
+
+       if (!(rx->flags & IEEE80211_RX_RA_MATCH))
+               return RX_DROP_MONITOR;
+
+       if (ieee80211_drop_unencrypted_mgmt(rx))
+               return RX_DROP_UNUSABLE;
+
+       return RX_CONTINUE;
+}
+
 static ieee80211_rx_result debug_noinline
 ieee80211_rx_h_action(struct ieee80211_rx_data *rx)
 {
        struct ieee80211_local *local = rx->local;
        struct ieee80211_sub_if_data *sdata = rx->sdata;
        struct ieee80211_mgmt *mgmt = (struct ieee80211_mgmt *) rx->skb->data;
-       struct sk_buff *nskb;
-       struct ieee80211_rx_status *status;
        int len = rx->skb->len;
 
        if (!ieee80211_is_action(mgmt->frame_control))
@@ -1924,9 +1983,6 @@ ieee80211_rx_h_action(struct ieee80211_rx_data *rx)
        if (!(rx->flags & IEEE80211_RX_RA_MATCH))
                return RX_DROP_UNUSABLE;
 
-       if (ieee80211_drop_unencrypted_mgmt(rx))
-               return RX_DROP_UNUSABLE;
-
        switch (mgmt->u.action.category) {
        case WLAN_CATEGORY_BACK:
                /*
@@ -1944,30 +2000,27 @@ ieee80211_rx_h_action(struct ieee80211_rx_data *rx)
                if (len < IEEE80211_MIN_ACTION_SIZE + 1)
                        break;
 
-               if (sdata->vif.type == NL80211_IFTYPE_STATION)
-                       return ieee80211_sta_rx_mgmt(sdata, rx->skb);
-
                switch (mgmt->u.action.u.addba_req.action_code) {
                case WLAN_ACTION_ADDBA_REQ:
                        if (len < (IEEE80211_MIN_ACTION_SIZE +
                                   sizeof(mgmt->u.action.u.addba_req)))
-                               return RX_DROP_MONITOR;
-                       ieee80211_process_addba_request(local, rx->sta, mgmt, len);
-                       goto handled;
+                               goto invalid;
+                       break;
                case WLAN_ACTION_ADDBA_RESP:
                        if (len < (IEEE80211_MIN_ACTION_SIZE +
                                   sizeof(mgmt->u.action.u.addba_resp)))
-                               break;
-                       ieee80211_process_addba_resp(local, rx->sta, mgmt, len);
-                       goto handled;
+                               goto invalid;
+                       break;
                case WLAN_ACTION_DELBA:
                        if (len < (IEEE80211_MIN_ACTION_SIZE +
                                   sizeof(mgmt->u.action.u.delba)))
-                               break;
-                       ieee80211_process_delba(sdata, rx->sta, mgmt, len);
-                       goto handled;
+                               goto invalid;
+                       break;
+               default:
+                       goto invalid;
                }
-               break;
+
+               goto queue;
        case WLAN_CATEGORY_SPECTRUM_MGMT:
                if (local->hw.conf.channel->band != IEEE80211_BAND_5GHZ)
                        break;
@@ -1997,7 +2050,7 @@ ieee80211_rx_h_action(struct ieee80211_rx_data *rx)
                        if (memcmp(mgmt->bssid, sdata->u.mgd.bssid, ETH_ALEN))
                                break;
 
-                       return ieee80211_sta_rx_mgmt(sdata, rx->skb);
+                       goto queue;
                }
                break;
        case WLAN_CATEGORY_SA_QUERY:
@@ -2015,21 +2068,41 @@ ieee80211_rx_h_action(struct ieee80211_rx_data *rx)
                break;
        case WLAN_CATEGORY_MESH_PLINK:
        case WLAN_CATEGORY_MESH_PATH_SEL:
-               if (ieee80211_vif_is_mesh(&sdata->vif))
-                       return ieee80211_mesh_rx_mgmt(sdata, rx->skb);
-               break;
+               if (!ieee80211_vif_is_mesh(&sdata->vif))
+                       break;
+               goto queue;
        }
 
-       /*
-        * For AP mode, hostapd is responsible for handling any action
-        * frames that we didn't handle, including returning unknown
-        * ones. For all other modes we will return them to the sender,
-        * setting the 0x80 bit in the action category, as required by
-        * 802.11-2007 7.3.1.11.
-        */
-       if (sdata->vif.type == NL80211_IFTYPE_AP ||
-           sdata->vif.type == NL80211_IFTYPE_AP_VLAN)
-               return RX_DROP_MONITOR;
+       return RX_CONTINUE;
+
+ invalid:
+       rx->flags |= IEEE80211_MALFORMED_ACTION_FRM;
+       /* will return in the next handlers */
+       return RX_CONTINUE;
+
+ handled:
+       if (rx->sta)
+               rx->sta->rx_packets++;
+       dev_kfree_skb(rx->skb);
+       return RX_QUEUED;
+
+ queue:
+       rx->skb->pkt_type = IEEE80211_SDATA_QUEUE_TYPE_FRAME;
+       skb_queue_tail(&sdata->skb_queue, rx->skb);
+       ieee80211_queue_work(&local->hw, &sdata->work);
+       if (rx->sta)
+               rx->sta->rx_packets++;
+       return RX_QUEUED;
+}
+
+static ieee80211_rx_result debug_noinline
+ieee80211_rx_h_userspace_mgmt(struct ieee80211_rx_data *rx)
+{
+       struct ieee80211_rx_status *status;
+
+       /* skip known-bad action frames and return them in the next handler */
+       if (rx->flags & IEEE80211_MALFORMED_ACTION_FRM)
+               return RX_CONTINUE;
 
        /*
         * Getting here means the kernel doesn't know how to handle
@@ -2039,11 +2112,44 @@ ieee80211_rx_h_action(struct ieee80211_rx_data *rx)
         */
        status = IEEE80211_SKB_RXCB(rx->skb);
 
-       if (sdata->vif.type == NL80211_IFTYPE_STATION &&
-           cfg80211_rx_action(rx->sdata->dev, status->freq,
-                              rx->skb->data, rx->skb->len,
-                              GFP_ATOMIC))
-               goto handled;
+       if (cfg80211_rx_mgmt(rx->sdata->dev, status->freq,
+                            rx->skb->data, rx->skb->len,
+                            GFP_ATOMIC)) {
+               if (rx->sta)
+                       rx->sta->rx_packets++;
+               dev_kfree_skb(rx->skb);
+               return RX_QUEUED;
+       }
+
+
+       return RX_CONTINUE;
+}
+
+static ieee80211_rx_result debug_noinline
+ieee80211_rx_h_action_return(struct ieee80211_rx_data *rx)
+{
+       struct ieee80211_local *local = rx->local;
+       struct ieee80211_mgmt *mgmt = (struct ieee80211_mgmt *) rx->skb->data;
+       struct sk_buff *nskb;
+       struct ieee80211_sub_if_data *sdata = rx->sdata;
+
+       if (!ieee80211_is_action(mgmt->frame_control))
+               return RX_CONTINUE;
+
+       /*
+        * For AP mode, hostapd is responsible for handling any action
+        * frames that we didn't handle, including returning unknown
+        * ones. For all other modes we will return them to the sender,
+        * setting the 0x80 bit in the action category, as required by
+        * 802.11-2007 7.3.1.11.
+        * Newer versions of hostapd shall also use the management frame
+        * registration mechanisms, but older ones still use cooked
+        * monitor interfaces so push all frames there.
+        */
+       if (!(rx->flags & IEEE80211_MALFORMED_ACTION_FRM) &&
+           (sdata->vif.type == NL80211_IFTYPE_AP ||
+            sdata->vif.type == NL80211_IFTYPE_AP_VLAN))
+               return RX_DROP_MONITOR;
 
        /* do not return rejected action frames */
        if (mgmt->u.action.category & 0x80)
@@ -2052,20 +2158,16 @@ ieee80211_rx_h_action(struct ieee80211_rx_data *rx)
        nskb = skb_copy_expand(rx->skb, local->hw.extra_tx_headroom, 0,
                               GFP_ATOMIC);
        if (nskb) {
-               struct ieee80211_mgmt *mgmt = (void *)nskb->data;
+               struct ieee80211_mgmt *nmgmt = (void *)nskb->data;
 
-               mgmt->u.action.category |= 0x80;
-               memcpy(mgmt->da, mgmt->sa, ETH_ALEN);
-               memcpy(mgmt->sa, rx->sdata->vif.addr, ETH_ALEN);
+               nmgmt->u.action.category |= 0x80;
+               memcpy(nmgmt->da, nmgmt->sa, ETH_ALEN);
+               memcpy(nmgmt->sa, rx->sdata->vif.addr, ETH_ALEN);
 
                memset(nskb->cb, 0, sizeof(nskb->cb));
 
                ieee80211_tx_skb(rx->sdata, nskb);
        }
-
- handled:
-       if (rx->sta)
-               rx->sta->rx_packets++;
        dev_kfree_skb(rx->skb);
        return RX_QUEUED;
 }
@@ -2075,27 +2177,49 @@ ieee80211_rx_h_mgmt(struct ieee80211_rx_data *rx)
 {
        struct ieee80211_sub_if_data *sdata = rx->sdata;
        ieee80211_rx_result rxs;
-
-       if (!(rx->flags & IEEE80211_RX_RA_MATCH))
-               return RX_DROP_MONITOR;
-
-       if (ieee80211_drop_unencrypted_mgmt(rx))
-               return RX_DROP_UNUSABLE;
+       struct ieee80211_mgmt *mgmt = (void *)rx->skb->data;
+       __le16 stype;
 
        rxs = ieee80211_work_rx_mgmt(rx->sdata, rx->skb);
        if (rxs != RX_CONTINUE)
                return rxs;
 
-       if (ieee80211_vif_is_mesh(&sdata->vif))
-               return ieee80211_mesh_rx_mgmt(sdata, rx->skb);
+       stype = mgmt->frame_control & cpu_to_le16(IEEE80211_FCTL_STYPE);
 
-       if (sdata->vif.type == NL80211_IFTYPE_ADHOC)
-               return ieee80211_ibss_rx_mgmt(sdata, rx->skb);
+       if (!ieee80211_vif_is_mesh(&sdata->vif) &&
+           sdata->vif.type != NL80211_IFTYPE_ADHOC &&
+           sdata->vif.type != NL80211_IFTYPE_STATION)
+               return RX_DROP_MONITOR;
+
+       switch (stype) {
+       case cpu_to_le16(IEEE80211_STYPE_BEACON):
+       case cpu_to_le16(IEEE80211_STYPE_PROBE_RESP):
+               /* process for all: mesh, mlme, ibss */
+               break;
+       case cpu_to_le16(IEEE80211_STYPE_DEAUTH):
+       case cpu_to_le16(IEEE80211_STYPE_DISASSOC):
+               /* process only for station */
+               if (sdata->vif.type != NL80211_IFTYPE_STATION)
+                       return RX_DROP_MONITOR;
+               break;
+       case cpu_to_le16(IEEE80211_STYPE_PROBE_REQ):
+       case cpu_to_le16(IEEE80211_STYPE_AUTH):
+               /* process only for ibss */
+               if (sdata->vif.type != NL80211_IFTYPE_ADHOC)
+                       return RX_DROP_MONITOR;
+               break;
+       default:
+               return RX_DROP_MONITOR;
+       }
 
-       if (sdata->vif.type == NL80211_IFTYPE_STATION)
-               return ieee80211_sta_rx_mgmt(sdata, rx->skb);
+       /* queue up frame and kick off work to process it */
+       rx->skb->pkt_type = IEEE80211_SDATA_QUEUE_TYPE_FRAME;
+       skb_queue_tail(&sdata->skb_queue, rx->skb);
+       ieee80211_queue_work(&rx->local->hw, &sdata->work);
+       if (rx->sta)
+               rx->sta->rx_packets++;
 
-       return RX_DROP_MONITOR;
+       return RX_QUEUED;
 }
 
 static void ieee80211_rx_michael_mic_report(struct ieee80211_hdr *hdr,
@@ -2151,7 +2275,7 @@ static void ieee80211_rx_cooked_monitor(struct ieee80211_rx_data *rx,
                u8 rate_or_pad;
                __le16 chan_freq;
                __le16 chan_flags;
-       } __attribute__ ((packed)) *rthdr;
+       } __packed *rthdr;
        struct sk_buff *skb = rx->skb, *skb2;
        struct net_device *prev_dev = NULL;
        struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb);
@@ -2201,7 +2325,7 @@ static void ieee80211_rx_cooked_monitor(struct ieee80211_rx_data *rx,
                        skb2 = skb_clone(skb, GFP_ATOMIC);
                        if (skb2) {
                                skb2->dev = prev_dev;
-                               netif_rx(skb2);
+                               netif_receive_skb(skb2);
                        }
                }
 
@@ -2212,7 +2336,7 @@ static void ieee80211_rx_cooked_monitor(struct ieee80211_rx_data *rx,
 
        if (prev_dev) {
                skb->dev = prev_dev;
-               netif_rx(skb);
+               netif_receive_skb(skb);
                skb = NULL;
        } else
                goto out_free_skb;
@@ -2224,19 +2348,46 @@ static void ieee80211_rx_cooked_monitor(struct ieee80211_rx_data *rx,
        dev_kfree_skb(skb);
 }
 
+static void ieee80211_rx_handlers_result(struct ieee80211_rx_data *rx,
+                                        ieee80211_rx_result res)
+{
+       switch (res) {
+       case RX_DROP_MONITOR:
+               I802_DEBUG_INC(rx->sdata->local->rx_handlers_drop);
+               if (rx->sta)
+                       rx->sta->rx_dropped++;
+               /* fall through */
+       case RX_CONTINUE: {
+               struct ieee80211_rate *rate = NULL;
+               struct ieee80211_supported_band *sband;
+               struct ieee80211_rx_status *status;
+
+               status = IEEE80211_SKB_RXCB((rx->skb));
+
+               sband = rx->local->hw.wiphy->bands[status->band];
+               if (!(status->flag & RX_FLAG_HT))
+                       rate = &sband->bitrates[status->rate_idx];
+
+               ieee80211_rx_cooked_monitor(rx, rate);
+               break;
+               }
+       case RX_DROP_UNUSABLE:
+               I802_DEBUG_INC(rx->sdata->local->rx_handlers_drop);
+               if (rx->sta)
+                       rx->sta->rx_dropped++;
+               dev_kfree_skb(rx->skb);
+               break;
+       case RX_QUEUED:
+               I802_DEBUG_INC(rx->sdata->local->rx_handlers_queued);
+               break;
+       }
+}
 
-static void ieee80211_invoke_rx_handlers(struct ieee80211_sub_if_data *sdata,
-                                        struct ieee80211_rx_data *rx,
-                                        struct sk_buff *skb,
-                                        struct ieee80211_rate *rate)
+static void ieee80211_rx_handlers(struct ieee80211_rx_data *rx,
+                                 struct sk_buff_head *frames)
 {
-       struct sk_buff_head reorder_release;
        ieee80211_rx_result res = RX_DROP_MONITOR;
-
-       __skb_queue_head_init(&reorder_release);
-
-       rx->skb = skb;
-       rx->sdata = sdata;
+       struct sk_buff *skb;
 
 #define CALL_RXH(rxh)                  \
        do {                            \
@@ -2245,17 +2396,7 @@ static void ieee80211_invoke_rx_handlers(struct ieee80211_sub_if_data *sdata,
                        goto rxh_next;  \
        } while (0);
 
-       /*
-        * NB: the rxh_next label works even if we jump
-        *     to it from here because then the list will
-        *     be empty, which is a trivial check
-        */
-       CALL_RXH(ieee80211_rx_h_passive_scan)
-       CALL_RXH(ieee80211_rx_h_check)
-
-       ieee80211_rx_reorder_ampdu(rx, &reorder_release);
-
-       while ((skb = __skb_dequeue(&reorder_release))) {
+       while ((skb = __skb_dequeue(frames))) {
                /*
                 * all the other fields are valid across frames
                 * that belong to an aMPDU since they are on the
@@ -2273,42 +2414,91 @@ static void ieee80211_invoke_rx_handlers(struct ieee80211_sub_if_data *sdata,
                CALL_RXH(ieee80211_rx_h_remove_qos_control)
                CALL_RXH(ieee80211_rx_h_amsdu)
 #ifdef CONFIG_MAC80211_MESH
-               if (ieee80211_vif_is_mesh(&sdata->vif))
+               if (ieee80211_vif_is_mesh(&rx->sdata->vif))
                        CALL_RXH(ieee80211_rx_h_mesh_fwding);
 #endif
                CALL_RXH(ieee80211_rx_h_data)
 
                /* special treatment -- needs the queue */
-               res = ieee80211_rx_h_ctrl(rx, &reorder_release);
+               res = ieee80211_rx_h_ctrl(rx, frames);
                if (res != RX_CONTINUE)
                        goto rxh_next;
 
+               CALL_RXH(ieee80211_rx_h_mgmt_check)
                CALL_RXH(ieee80211_rx_h_action)
+               CALL_RXH(ieee80211_rx_h_userspace_mgmt)
+               CALL_RXH(ieee80211_rx_h_action_return)
                CALL_RXH(ieee80211_rx_h_mgmt)
 
+ rxh_next:
+               ieee80211_rx_handlers_result(rx, res);
+
 #undef CALL_RXH
+       }
+}
+
+static void ieee80211_invoke_rx_handlers(struct ieee80211_sub_if_data *sdata,
+                                        struct ieee80211_rx_data *rx,
+                                        struct sk_buff *skb)
+{
+       struct sk_buff_head reorder_release;
+       ieee80211_rx_result res = RX_DROP_MONITOR;
+
+       __skb_queue_head_init(&reorder_release);
+
+       rx->skb = skb;
+       rx->sdata = sdata;
+
+#define CALL_RXH(rxh)                  \
+       do {                            \
+               res = rxh(rx);          \
+               if (res != RX_CONTINUE) \
+                       goto rxh_next;  \
+       } while (0);
+
+       CALL_RXH(ieee80211_rx_h_passive_scan)
+       CALL_RXH(ieee80211_rx_h_check)
+
+       ieee80211_rx_reorder_ampdu(rx, &reorder_release);
+
+       ieee80211_rx_handlers(rx, &reorder_release);
+       return;
 
  rxh_next:
-               switch (res) {
-               case RX_DROP_MONITOR:
-                       I802_DEBUG_INC(sdata->local->rx_handlers_drop);
-                       if (rx->sta)
-                               rx->sta->rx_dropped++;
-                       /* fall through */
-               case RX_CONTINUE:
-                       ieee80211_rx_cooked_monitor(rx, rate);
-                       break;
-               case RX_DROP_UNUSABLE:
-                       I802_DEBUG_INC(sdata->local->rx_handlers_drop);
-                       if (rx->sta)
-                               rx->sta->rx_dropped++;
-                       dev_kfree_skb(rx->skb);
-                       break;
-               case RX_QUEUED:
-                       I802_DEBUG_INC(sdata->local->rx_handlers_queued);
-                       break;
-               }
-       }
+       ieee80211_rx_handlers_result(rx, res);
+
+#undef CALL_RXH
+}
+
+/*
+ * This function makes calls into the RX path. Therefore the
+ * caller must hold the sta_info->lock and everything has to
+ * be under rcu_read_lock protection as well.
+ */
+void ieee80211_release_reorder_timeout(struct sta_info *sta, int tid)
+{
+       struct sk_buff_head frames;
+       struct ieee80211_rx_data rx = { };
+
+       __skb_queue_head_init(&frames);
+
+       /* construct rx struct */
+       rx.sta = sta;
+       rx.sdata = sta->sdata;
+       rx.local = sta->local;
+       rx.queue = tid;
+       rx.flags |= IEEE80211_RX_RA_MATCH;
+
+       if (unlikely(test_bit(SCAN_HW_SCANNING, &sta->local->scanning) ||
+                    test_bit(SCAN_OFF_CHANNEL, &sta->local->scanning)))
+               rx.flags |= IEEE80211_RX_IN_SCAN;
+
+       spin_lock(&sta->ampdu_mlme.tid_rx[tid]->reorder_lock);
+       ieee80211_sta_reorder_release(&sta->local->hw,
+               sta->ampdu_mlme.tid_rx[tid], &frames);
+       spin_unlock(&sta->ampdu_mlme.tid_rx[tid]->reorder_lock);
+
+       ieee80211_rx_handlers(&rx, &frames);
 }
 
 /* main receive path */
@@ -2390,7 +2580,7 @@ static int prepare_for_handlers(struct ieee80211_sub_if_data *sdata,
                break;
        case NL80211_IFTYPE_MONITOR:
        case NL80211_IFTYPE_UNSPECIFIED:
-       case __NL80211_IFTYPE_AFTER_LAST:
+       case NUM_NL80211_IFTYPES:
                /* should never get here */
                WARN_ON(1);
                break;
@@ -2404,8 +2594,7 @@ static int prepare_for_handlers(struct ieee80211_sub_if_data *sdata,
  * be called with rcu_read_lock protection.
  */
 static void __ieee80211_rx_handle_packet(struct ieee80211_hw *hw,
-                                        struct sk_buff *skb,
-                                        struct ieee80211_rate *rate)
+                                        struct sk_buff *skb)
 {
        struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb);
        struct ieee80211_local *local = hw_to_local(hw);
@@ -2507,13 +2696,12 @@ static void __ieee80211_rx_handle_packet(struct ieee80211_hw *hw,
                        skb_new = skb_copy(skb, GFP_ATOMIC);
                        if (!skb_new) {
                                if (net_ratelimit())
-                                       printk(KERN_DEBUG "%s: failed to copy "
-                                              "multicast frame for %s\n",
-                                              wiphy_name(local->hw.wiphy),
-                                              prev->name);
+                                       wiphy_debug(local->hw.wiphy,
+                                                   "failed to copy multicast frame for %s\n",
+                                                   prev->name);
                                goto next;
                        }
-                       ieee80211_invoke_rx_handlers(prev, &rx, skb_new, rate);
+                       ieee80211_invoke_rx_handlers(prev, &rx, skb_new);
 next:
                        prev = sdata;
                }
@@ -2529,7 +2717,7 @@ next:
                }
        }
        if (prev)
-               ieee80211_invoke_rx_handlers(prev, &rx, skb, rate);
+               ieee80211_invoke_rx_handlers(prev, &rx, skb);
        else
                dev_kfree_skb(skb);
 }
@@ -2572,28 +2760,37 @@ void ieee80211_rx(struct ieee80211_hw *hw, struct sk_buff *skb)
        if (WARN_ON(!local->started))
                goto drop;
 
-       if (status->flag & RX_FLAG_HT) {
+       if (likely(!(status->flag & RX_FLAG_FAILED_PLCP_CRC))) {
                /*
-                * rate_idx is MCS index, which can be [0-76] as documented on:
-                *
-                * http://wireless.kernel.org/en/developers/Documentation/ieee80211/802.11n
-                *
-                * Anything else would be some sort of driver or hardware error.
-                * The driver should catch hardware errors.
+                * Validate the rate, unless a PLCP error means that
+                * we probably can't have a valid rate here anyway.
                 */
-               if (WARN((status->rate_idx < 0 ||
-                        status->rate_idx > 76),
-                        "Rate marked as an HT rate but passed "
-                        "status->rate_idx is not "
-                        "an MCS index [0-76]: %d (0x%02x)\n",
-                        status->rate_idx,
-                        status->rate_idx))
-                       goto drop;
-       } else {
-               if (WARN_ON(status->rate_idx < 0 ||
-                           status->rate_idx >= sband->n_bitrates))
-                       goto drop;
-               rate = &sband->bitrates[status->rate_idx];
+
+               if (status->flag & RX_FLAG_HT) {
+                       /*
+                        * rate_idx is MCS index, which can be [0-76]
+                        * as documented on:
+                        *
+                        * http://wireless.kernel.org/en/developers/Documentation/ieee80211/802.11n
+                        *
+                        * Anything else would be some sort of driver or
+                        * hardware error. The driver should catch hardware
+                        * errors.
+                        */
+                       if (WARN((status->rate_idx < 0 ||
+                                status->rate_idx > 76),
+                                "Rate marked as an HT rate but passed "
+                                "status->rate_idx is not "
+                                "an MCS index [0-76]: %d (0x%02x)\n",
+                                status->rate_idx,
+                                status->rate_idx))
+                               goto drop;
+               } else {
+                       if (WARN_ON(status->rate_idx < 0 ||
+                                   status->rate_idx >= sband->n_bitrates))
+                               goto drop;
+                       rate = &sband->bitrates[status->rate_idx];
+               }
        }
 
        /*
@@ -2615,7 +2812,7 @@ void ieee80211_rx(struct ieee80211_hw *hw, struct sk_buff *skb)
                return;
        }
 
-       __ieee80211_rx_handle_packet(hw, skb, rate);
+       __ieee80211_rx_handle_packet(hw, skb);
 
        rcu_read_unlock();