[MAC80211]: ignore key index on pairwise key (WEP only)

[linux-2.6] / net / mac80211 / rx.c
diff --git a/net/mac80211/rx.c b/net/mac80211/rx.c

index b46ba7c6745353f62ce6e588319e9069dd9b4d36..28b8b6af4c42cca3c92082551d28ed588b3f8664 100644 (file)
--- a/net/mac80211/rx.c
+++ b/net/mac80211/rx.c
@@ -13,7 +13,7 @@
  #include <linux/skbuff.h>
  #include <linux/netdevice.h>
  #include <linux/etherdevice.h>
-#include <net/iw_handler.h>
+#include <linux/rcupdate.h>
  #include <net/mac80211.h>
  #include <net/ieee80211_radiotap.h>
  
@@ -28,6 +28,8 @@
  /* pre-rx handlers
   *
   * these don't have dev/sdata fields in the rx data
+ * The sta value should also not be used because it may
+ * be NULL even though a STA (in IBSS mode) will be added.
   */
  
  static ieee80211_txrx_result
@@ -50,12 +52,11 @@ ieee80211_rx_h_parse_qos(struct ieee80211_txrx_data *rx)
                         tid = 0; /* 802.1d - Best Effort */
                 }
         }
-#ifdef CONFIG_MAC80211_DEBUG_COUNTERS
+
         I802_DEBUG_INC(rx->local->wme_rx_queue[tid]);
-       if (rx->sta) {
+       /* only a debug counter, sta might not be assigned properly yet */
+       if (rx->sta)
                 I802_DEBUG_INC(rx->sta->wme_rx_queue[tid]);
-       }
-#endif /* CONFIG_MAC80211_DEBUG_COUNTERS */
  
         rx->u.rx.queue = tid;
         /* Set skb->priority to 1d tag if highest order bit of TID is not set.
@@ -93,8 +94,6 @@ ieee80211_rx_h_load_stats(struct ieee80211_txrx_data *rx)
          * 1 usec = 1/8 * (1080 / 10) = 13.5 */
  
         if (mode->mode == MODE_IEEE80211A ||
-           mode->mode == MODE_ATHEROS_TURBO ||
-           mode->mode == MODE_ATHEROS_TURBOG ||
             (mode->mode == MODE_IEEE80211G &&
              rate->flags & IEEE80211_RATE_ERP))
                 hdrtime = CHAN_UTIL_HDR_SHORT;
@@ -110,8 +109,6 @@ ieee80211_rx_h_load_stats(struct ieee80211_txrx_data *rx)
         /* Divide channel_use by 8 to avoid wrapping around the counter */
         load >>= CHAN_UTIL_SHIFT;
         local->channel_use_raw += load;
-       if (rx->sta)
-               rx->sta->channel_use_raw += load;
         rx->u.rx.load = load;
  
         return TXRX_CONTINUE;
@@ -129,6 +126,8 @@ ieee80211_rx_handler ieee80211_rx_pre_handlers[] =
  static ieee80211_txrx_result
  ieee80211_rx_h_if_stats(struct ieee80211_txrx_data *rx)
  {
+       if (rx->sta)
+               rx->sta->channel_use_raw += rx->u.rx.load;
         rx->sdata->channel_use_raw += rx->u.rx.load;
         return TXRX_CONTINUE;
  }
@@ -221,7 +220,7 @@ ieee80211_rx_h_passive_scan(struct ieee80211_txrx_data *rx)
                 return TXRX_QUEUED;
         }
  
-       if (unlikely(rx->u.rx.in_scan)) {
+       if (unlikely(rx->flags & IEEE80211_TXRXD_RXIN_SCAN)) {
                 /* scanning finished during invoking of handlers */
                 I802_DEBUG_INC(local->rx_handlers_drop_passive_scan);
                 return TXRX_DROP;
@@ -234,7 +233,6 @@ static ieee80211_txrx_result
  ieee80211_rx_h_check(struct ieee80211_txrx_data *rx)
  {
         struct ieee80211_hdr *hdr;
-       int always_sta_key;
         hdr = (struct ieee80211_hdr *) rx->skb->data;
  
         /* Drop duplicate 802.11 retransmissions (IEEE 802.11 Chap. 9.2.9) */
@@ -242,7 +240,7 @@ ieee80211_rx_h_check(struct ieee80211_txrx_data *rx)
                 if (unlikely(rx->fc & IEEE80211_FCTL_RETRY &&
                              rx->sta->last_seq_ctrl[rx->u.rx.queue] ==
                              hdr->seq_ctrl)) {
-                       if (rx->u.rx.ra_match) {
+                       if (rx->flags & IEEE80211_TXRXD_RXRA_MATCH) {
                                 rx->local->dot11FrameDuplicateCount++;
                                 rx->sta->num_duplicates++;
                         }
@@ -260,7 +258,7 @@ ieee80211_rx_h_check(struct ieee80211_txrx_data *rx)
                 return TXRX_DROP;
         }
  
-       if (!rx->u.rx.ra_match)
+       if (!(rx->flags & IEEE80211_TXRXD_RXRA_MATCH))
                 rx->skb->pkt_type = PACKET_OTHERHOST;
         else if (compare_ether_addr(rx->dev->dev_addr, hdr->addr1) == 0)
                 rx->skb->pkt_type = PACKET_HOST;
@@ -288,7 +286,7 @@ ieee80211_rx_h_check(struct ieee80211_txrx_data *rx)
                 if ((!(rx->fc & IEEE80211_FCTL_FROMDS) &&
                      !(rx->fc & IEEE80211_FCTL_TODS) &&
                      (rx->fc & IEEE80211_FCTL_FTYPE) == IEEE80211_FTYPE_DATA)
-                   || !rx->u.rx.ra_match) {
+                   || !(rx->flags & IEEE80211_TXRXD_RXRA_MATCH)) {
                         /* Drop IBSS frames and frames for other hosts
                          * silently. */
                         return TXRX_DROP;
@@ -302,48 +300,97 @@ ieee80211_rx_h_check(struct ieee80211_txrx_data *rx)
                 return TXRX_QUEUED;
         }
  
-       if (rx->sdata->type == IEEE80211_IF_TYPE_STA)
-               always_sta_key = 0;
-       else
-               always_sta_key = 1;
+       return TXRX_CONTINUE;
+}
+
+
+static ieee80211_txrx_result
+ieee80211_rx_h_load_key(struct ieee80211_txrx_data *rx)
+{
+       struct ieee80211_hdr *hdr = (struct ieee80211_hdr *) rx->skb->data;
+       int keyidx;
+       int hdrlen;
+       struct ieee80211_key *stakey = NULL;
+
+       /*
+        * Key selection 101
+        *
+        * There are three types of keys:
+        *  - GTK (group keys)
+        *  - PTK (pairwise keys)
+        *  - STK (station-to-station pairwise keys)
+        *
+        * When selecting a key, we have to distinguish between multicast
+        * (including broadcast) and unicast frames, the latter can only
+        * use PTKs and STKs while the former always use GTKs. Unless, of
+        * course, actual WEP keys ("pre-RSNA") are used, then unicast
+        * frames can also use key indizes like GTKs. Hence, if we don't
+        * have a PTK/STK we check the key index for a WEP key.
+        *
+        * Note that in a regular BSS, multicast frames are sent by the
+        * AP only, associated stations unicast the frame to the AP first
+        * which then multicasts it on their behalf.
+        *
+        * There is also a slight problem in IBSS mode: GTKs are negotiated
+        * with each station, that is something we don't currently handle.
+        * The spec seems to expect that one negotiates the same key with
+        * every station but there's no such requirement; VLANs could be
+        * possible.
+        */
+
+       if (!(rx->fc & IEEE80211_FCTL_PROTECTED))
+               return TXRX_CONTINUE;
+
+       /*
+        * No point in finding a key if the frame is neither
+        * addressed to us nor a multicast frame.
+        */
+       if (!(rx->flags & IEEE80211_TXRXD_RXRA_MATCH))
+               return TXRX_CONTINUE;
+
+       if (rx->sta)
+               stakey = rcu_dereference(rx->sta->key);
  
-       if (rx->sta && rx->sta->key && always_sta_key) {
-               rx->key = rx->sta->key;
+       if (!is_multicast_ether_addr(hdr->addr1) && stakey) {
+               rx->key = stakey;
         } else {
-               if (rx->sta && rx->sta->key)
-                       rx->key = rx->sta->key;
-               else
-                       rx->key = rx->sdata->default_key;
-
-               if ((rx->local->hw.flags & IEEE80211_HW_WEP_INCLUDE_IV) &&
-                   rx->fc & IEEE80211_FCTL_PROTECTED) {
-                       int keyidx = ieee80211_wep_get_keyidx(rx->skb);
-
-                       if (keyidx >= 0 && keyidx < NUM_DEFAULT_KEYS &&
-                           (!rx->sta || !rx->sta->key || keyidx > 0))
-                               rx->key = rx->sdata->keys[keyidx];
-
-                       if (!rx->key) {
-                               if (!rx->u.rx.ra_match)
-                                       return TXRX_DROP;
-                               printk(KERN_DEBUG "%s: RX WEP frame with "
-                                      "unknown keyidx %d (A1=" MAC_FMT " A2="
-                                      MAC_FMT " A3=" MAC_FMT ")\n",
-                                      rx->dev->name, keyidx,
-                                      MAC_ARG(hdr->addr1),
-                                      MAC_ARG(hdr->addr2),
-                                      MAC_ARG(hdr->addr3));
-                               if (!rx->local->apdev)
-                                       return TXRX_DROP;
-                               ieee80211_rx_mgmt(
-                                       rx->local, rx->skb, rx->u.rx.status,
-                                       ieee80211_msg_wep_frame_unknown_key);
-                               return TXRX_QUEUED;
-                       }
-               }
+               /*
+                * The device doesn't give us the IV so we won't be
+                * able to look up the key. That's ok though, we
+                * don't need to decrypt the frame, we just won't
+                * be able to keep statistics accurate.
+                * Except for key threshold notifications, should
+                * we somehow allow the driver to tell us which key
+                * the hardware used if this flag is set?
+                */
+               if ((rx->u.rx.status->flag & RX_FLAG_DECRYPTED) &&
+                   (rx->u.rx.status->flag & RX_FLAG_IV_STRIPPED))
+                       return TXRX_CONTINUE;
+
+               hdrlen = ieee80211_get_hdrlen(rx->fc);
+
+               if (rx->skb->len < 8 + hdrlen)
+                       return TXRX_DROP; /* TODO: count this? */
+
+               /*
+                * no need to call ieee80211_wep_get_keyidx,
+                * it verifies a bunch of things we've done already
+                */
+               keyidx = rx->skb->data[hdrlen + 3] >> 6;
+
+               rx->key = rcu_dereference(rx->sdata->keys[keyidx]);
+
+               /*
+                * RSNA-protected unicast frames should always be sent with
+                * pairwise or station-to-station keys, but for WEP we allow
+                * using a key index as well.
+                */
+               if (rx->key && rx->key->conf.alg != ALG_WEP &&
+                   !is_multicast_ether_addr(hdr->addr1))
+                       rx->key = NULL;
         }
  
-       if (rx->fc & IEEE80211_FCTL_PROTECTED && rx->key && rx->u.rx.ra_match) {
+       if (rx->key) {
                 rx->key->tx_rx_count++;
                 if (unlikely(rx->local->key_tx_rx_threshold &&
                              rx->key->tx_rx_count >
@@ -398,7 +445,7 @@ static int ap_sta_ps_end(struct net_device *dev, struct sta_info *sta)
         while ((skb = skb_dequeue(&sta->tx_filtered)) != NULL) {
                 pkt_data = (struct ieee80211_tx_packet_data *) skb->cb;
                 sent++;
-               pkt_data->requeue = 1;
+               pkt_data->flags |= IEEE80211_TXPD_REQUEUE;
                 dev_queue_xmit(skb);
         }
         while ((skb = skb_dequeue(&sta->ps_tx_buf)) != NULL) {
@@ -410,7 +457,7 @@ static int ap_sta_ps_end(struct net_device *dev, struct sta_info *sta)
                        "since STA not sleeping anymore\n", dev->name,
                        MAC_ARG(sta->addr), sta->aid);
  #endif /* CONFIG_MAC80211_VERBOSE_PS_DEBUG */
-               pkt_data->requeue = 1;
+               pkt_data->flags |= IEEE80211_TXPD_REQUEUE;
                 dev_queue_xmit(skb);
         }
  
@@ -444,17 +491,14 @@ ieee80211_rx_h_sta_process(struct ieee80211_txrx_data *rx)
                 sta->last_rx = jiffies;
         }
  
-       if (!rx->u.rx.ra_match)
+       if (!(rx->flags & IEEE80211_TXRXD_RXRA_MATCH))
                 return TXRX_CONTINUE;
  
         sta->rx_fragments++;
         sta->rx_bytes += rx->skb->len;
-       sta->last_rssi = (sta->last_rssi * 15 +
-                         rx->u.rx.status->ssi) / 16;
-       sta->last_signal = (sta->last_signal * 15 +
-                           rx->u.rx.status->signal) / 16;
-       sta->last_noise = (sta->last_noise * 15 +
-                          rx->u.rx.status->noise) / 16;
+       sta->last_rssi = rx->u.rx.status->ssi;
+       sta->last_signal = rx->u.rx.status->signal;
+       sta->last_noise = rx->u.rx.status->noise;
  
         if (!(rx->fc & IEEE80211_FCTL_MOREFRAGS)) {
                 /* Change STA power saving mode only in the end of a frame
@@ -486,17 +530,15 @@ ieee80211_rx_h_wep_weak_iv_detection(struct ieee80211_txrx_data *rx)
  {
         if (!rx->sta || !(rx->fc & IEEE80211_FCTL_PROTECTED) ||
             (rx->fc & IEEE80211_FCTL_FTYPE) != IEEE80211_FTYPE_DATA ||
-           !rx->key || rx->key->alg != ALG_WEP || !rx->u.rx.ra_match)
+           !rx->key || rx->key->conf.alg != ALG_WEP ||
+           !(rx->flags & IEEE80211_TXRXD_RXRA_MATCH))
                 return TXRX_CONTINUE;
  
         /* Check for weak IVs, if hwaccel did not remove IV from the frame */
-       if ((rx->local->hw.flags & IEEE80211_HW_WEP_INCLUDE_IV) ||
-           rx->key->force_sw_encrypt) {
-               u8 *iv = ieee80211_wep_is_weak_iv(rx->skb, rx->key);
-               if (iv) {
+       if (!(rx->u.rx.status->flag & RX_FLAG_IV_STRIPPED) ||
+           !(rx->u.rx.status->flag & RX_FLAG_DECRYPTED))
+               if (ieee80211_wep_is_weak_iv(rx->skb, rx->key))
                         rx->sta->wep_weak_iv_count++;
-               }
-       }
  
         return TXRX_CONTINUE;
  }
@@ -504,11 +546,7 @@ ieee80211_rx_h_wep_weak_iv_detection(struct ieee80211_txrx_data *rx)
  static ieee80211_txrx_result
  ieee80211_rx_h_wep_decrypt(struct ieee80211_txrx_data *rx)
  {
-       /* If the device handles decryption totally, skip this test */
-       if (rx->local->hw.flags & IEEE80211_HW_DEVICE_HIDES_WEP)
-               return TXRX_CONTINUE;
-
-       if ((rx->key && rx->key->alg != ALG_WEP) ||
+       if ((rx->key && rx->key->conf.alg != ALG_WEP) ||
             !(rx->fc & IEEE80211_FCTL_PROTECTED) ||
             ((rx->fc & IEEE80211_FCTL_FTYPE) != IEEE80211_FTYPE_DATA &&
              ((rx->fc & IEEE80211_FCTL_FTYPE) != IEEE80211_FTYPE_MGMT ||
@@ -516,19 +554,20 @@ ieee80211_rx_h_wep_decrypt(struct ieee80211_txrx_data *rx)
                 return TXRX_CONTINUE;
  
         if (!rx->key) {
-               printk(KERN_DEBUG "%s: RX WEP frame, but no key set\n",
-                      rx->dev->name);
+               if (net_ratelimit())
+                       printk(KERN_DEBUG "%s: RX WEP frame, but no key set\n",
+                              rx->dev->name);
                 return TXRX_DROP;
         }
  
-       if (!(rx->u.rx.status->flag & RX_FLAG_DECRYPTED) ||
-           rx->key->force_sw_encrypt) {
+       if (!(rx->u.rx.status->flag & RX_FLAG_DECRYPTED)) {
                 if (ieee80211_wep_decrypt(rx->local, rx->skb, rx->key)) {
-                       printk(KERN_DEBUG "%s: RX WEP frame, decrypt "
-                              "failed\n", rx->dev->name);
+                       if (net_ratelimit())
+                               printk(KERN_DEBUG "%s: RX WEP frame, decrypt "
+                                      "failed\n", rx->dev->name);
                         return TXRX_DROP;
                 }
-       } else if (rx->local->hw.flags & IEEE80211_HW_WEP_INCLUDE_IV) {
+       } else if (!(rx->u.rx.status->flag & RX_FLAG_IV_STRIPPED)) {
                 ieee80211_wep_remove_iv(rx->local, rx->skb, rx->key);
                 /* remove ICV */
                 skb_trim(rx->skb, rx->skb->len - 4);
@@ -645,7 +684,7 @@ ieee80211_rx_h_defragment(struct ieee80211_txrx_data *rx)
                 /* This is the first fragment of a new frame. */
                 entry = ieee80211_reassemble_add(rx->sdata, frag, seq,
                                                  rx->u.rx.queue, &(rx->skb));
-               if (rx->key && rx->key->alg == ALG_CCMP &&
+               if (rx->key && rx->key->conf.alg == ALG_CCMP &&
                     (rx->fc & IEEE80211_FCTL_PROTECTED)) {
                         /* Store CCMP PN so that we can verify that the next
                          * fragment has a sequential PN value. */
@@ -672,7 +711,7 @@ ieee80211_rx_h_defragment(struct ieee80211_txrx_data *rx)
         if (entry->ccmp) {
                 int i;
                 u8 pn[CCMP_PN_LEN], *rpn;
-               if (!rx->key || rx->key->alg != ALG_CCMP)
+               if (!rx->key || rx->key->conf.alg != ALG_CCMP)
                         return TXRX_DROP;
                 memcpy(pn, entry->last_pn, CCMP_PN_LEN);
                 for (i = CCMP_PN_LEN - 1; i >= 0; i--) {
@@ -682,12 +721,15 @@ ieee80211_rx_h_defragment(struct ieee80211_txrx_data *rx)
                 }
                 rpn = rx->key->u.ccmp.rx_pn[rx->u.rx.queue];
                 if (memcmp(pn, rpn, CCMP_PN_LEN) != 0) {
-                       printk(KERN_DEBUG "%s: defrag: CCMP PN not sequential"
-                              " A2=" MAC_FMT " PN=%02x%02x%02x%02x%02x%02x "
-                              "(expected %02x%02x%02x%02x%02x%02x)\n",
-                              rx->dev->name, MAC_ARG(hdr->addr2),
-                              rpn[0], rpn[1], rpn[2], rpn[3], rpn[4], rpn[5],
-                              pn[0], pn[1], pn[2], pn[3], pn[4], pn[5]);
+                       if (net_ratelimit())
+                               printk(KERN_DEBUG "%s: defrag: CCMP PN not "
+                                      "sequential A2=" MAC_FMT
+                                      " PN=%02x%02x%02x%02x%02x%02x "
+                                      "(expected %02x%02x%02x%02x%02x%02x)\n",
+                                      rx->dev->name, MAC_ARG(hdr->addr2),
+                                      rpn[0], rpn[1], rpn[2], rpn[3], rpn[4],
+                                      rpn[5], pn[0], pn[1], pn[2], pn[3],
+                                      pn[4], pn[5]);
                         return TXRX_DROP;
                 }
                 memcpy(entry->last_pn, pn, CCMP_PN_LEN);
@@ -718,7 +760,7 @@ ieee80211_rx_h_defragment(struct ieee80211_txrx_data *rx)
         }
  
         /* Complete frame has been reassembled - process it now */
-       rx->fragmented = 1;
+       rx->flags |= IEEE80211_TXRXD_FRAGMENTED;
  
   out:
         if (rx->sta)
@@ -739,7 +781,7 @@ ieee80211_rx_h_ps_poll(struct ieee80211_txrx_data *rx)
         if (likely(!rx->sta ||
                    (rx->fc & IEEE80211_FCTL_FTYPE) != IEEE80211_FTYPE_CTL ||
                    (rx->fc & IEEE80211_FCTL_STYPE) != IEEE80211_STYPE_PSPOLL ||
-                  !rx->u.rx.ra_match))
+                  !(rx->flags & IEEE80211_TXRXD_RXRA_MATCH)))
                 return TXRX_CONTINUE;
  
         skb = skb_dequeue(&rx->sta->tx_filtered);
@@ -823,7 +865,8 @@ static ieee80211_txrx_result
  ieee80211_rx_h_802_1x_pae(struct ieee80211_txrx_data *rx)
  {
         if (rx->sdata->eapol && ieee80211_is_eapol(rx->skb) &&
-           rx->sdata->type != IEEE80211_IF_TYPE_STA && rx->u.rx.ra_match) {
+           rx->sdata->type != IEEE80211_IF_TYPE_STA &&
+           (rx->flags & IEEE80211_TXRXD_RXRA_MATCH)) {
                 /* Pass both encrypted and unencrypted EAPOL frames to user
                  * space for processing. */
                 if (!rx->local->apdev)
@@ -854,8 +897,11 @@ ieee80211_rx_h_802_1x_pae(struct ieee80211_txrx_data *rx)
  static ieee80211_txrx_result
  ieee80211_rx_h_drop_unencrypted(struct ieee80211_txrx_data *rx)
  {
-       /*  If the device handles decryption totally, skip this test */
-       if (rx->local->hw.flags & IEEE80211_HW_DEVICE_HIDES_WEP)
+       /*
+        * Pass through unencrypted frames if the hardware has
+        * decrypted them already.
+        */
+       if (rx->u.rx.status->flag & RX_FLAG_DECRYPTED)
                 return TXRX_CONTINUE;
  
         /* Drop unencrypted frames if key is set. */
@@ -865,8 +911,9 @@ ieee80211_rx_h_drop_unencrypted(struct ieee80211_txrx_data *rx)
                      (rx->key || rx->sdata->drop_unencrypted) &&
                      (rx->sdata->eapol == 0 ||
                       !ieee80211_is_eapol(rx->skb)))) {
-               printk(KERN_DEBUG "%s: RX non-WEP frame, but expected "
-                      "encryption\n", rx->dev->name);
+               if (net_ratelimit())
+                       printk(KERN_DEBUG "%s: RX non-WEP frame, but expected "
+                              "encryption\n", rx->dev->name);
                 return TXRX_DROP;
         }
         return TXRX_CONTINUE;
@@ -912,10 +959,15 @@ ieee80211_rx_h_data(struct ieee80211_txrx_data *rx)
  
                 if (unlikely(sdata->type != IEEE80211_IF_TYPE_AP &&
                              sdata->type != IEEE80211_IF_TYPE_VLAN)) {
-                       printk(KERN_DEBUG "%s: dropped ToDS frame (BSSID="
-                              MAC_FMT " SA=" MAC_FMT " DA=" MAC_FMT ")\n",
-                              dev->name, MAC_ARG(hdr->addr1),
-                              MAC_ARG(hdr->addr2), MAC_ARG(hdr->addr3));
+                       if (net_ratelimit())
+                               printk(KERN_DEBUG "%s: dropped ToDS frame "
+                                      "(BSSID=" MAC_FMT
+                                      " SA=" MAC_FMT
+                                      " DA=" MAC_FMT ")\n",
+                                      dev->name,
+                                      MAC_ARG(hdr->addr1),
+                                      MAC_ARG(hdr->addr2),
+                                      MAC_ARG(hdr->addr3));
                         return TXRX_DROP;
                 }
                 break;
@@ -925,12 +977,16 @@ ieee80211_rx_h_data(struct ieee80211_txrx_data *rx)
                 memcpy(src, hdr->addr4, ETH_ALEN);
  
                 if (unlikely(sdata->type != IEEE80211_IF_TYPE_WDS)) {
-                       printk(KERN_DEBUG "%s: dropped FromDS&ToDS frame (RA="
-                              MAC_FMT " TA=" MAC_FMT " DA=" MAC_FMT " SA="
-                              MAC_FMT ")\n",
-                              rx->dev->name, MAC_ARG(hdr->addr1),
-                              MAC_ARG(hdr->addr2), MAC_ARG(hdr->addr3),
-                              MAC_ARG(hdr->addr4));
+                       if (net_ratelimit())
+                               printk(KERN_DEBUG "%s: dropped FromDS&ToDS "
+                                      "frame (RA=" MAC_FMT
+                                      " TA=" MAC_FMT " DA=" MAC_FMT
+                                      " SA=" MAC_FMT ")\n",
+                                      rx->dev->name,
+                                      MAC_ARG(hdr->addr1),
+                                      MAC_ARG(hdr->addr2),
+                                      MAC_ARG(hdr->addr3),
+                                      MAC_ARG(hdr->addr4));
                         return TXRX_DROP;
                 }
                 break;
@@ -939,9 +995,10 @@ ieee80211_rx_h_data(struct ieee80211_txrx_data *rx)
                 memcpy(dst, hdr->addr1, ETH_ALEN);
                 memcpy(src, hdr->addr3, ETH_ALEN);
  
-               if (sdata->type != IEEE80211_IF_TYPE_STA) {
+               if (sdata->type != IEEE80211_IF_TYPE_STA ||
+                   (is_multicast_ether_addr(dst) &&
+                    !compare_ether_addr(src, dev->dev_addr)))
                         return TXRX_DROP;
-               }
                 break;
         case 0:
                 /* DA SA BSSID */
@@ -1000,20 +1057,22 @@ ieee80211_rx_h_data(struct ieee80211_txrx_data *rx)
         sdata->stats.rx_bytes += skb->len;
  
         if (local->bridge_packets && (sdata->type == IEEE80211_IF_TYPE_AP
-           || sdata->type == IEEE80211_IF_TYPE_VLAN) && rx->u.rx.ra_match) {
+           || sdata->type == IEEE80211_IF_TYPE_VLAN) &&
+           (rx->flags & IEEE80211_TXRXD_RXRA_MATCH)) {
                 if (is_multicast_ether_addr(skb->data)) {
                         /* send multicast frames both to higher layers in
                          * local net stack and back to the wireless media */
                         skb2 = skb_copy(skb, GFP_ATOMIC);
-                       if (!skb2)
+                       if (!skb2 && net_ratelimit())
                                 printk(KERN_DEBUG "%s: failed to clone "
                                        "multicast frame\n", dev->name);
                 } else {
                         struct sta_info *dsta;
                         dsta = sta_info_get(local, skb->data);
                         if (dsta && !dsta->dev) {
-                               printk(KERN_DEBUG "Station with null dev "
-                                      "structure!\n");
+                               if (net_ratelimit())
+                                       printk(KERN_DEBUG "Station with null "
+                                              "dev structure!\n");
                         } else if (dsta && dsta->dev == dev) {
                                 /* Destination station is associated to this
                                  * AP, so send the frame directly to it and
@@ -1050,7 +1109,7 @@ ieee80211_rx_h_mgmt(struct ieee80211_txrx_data *rx)
  {
         struct ieee80211_sub_if_data *sdata;
  
-       if (!rx->u.rx.ra_match)
+       if (!(rx->flags & IEEE80211_TXRXD_RXRA_MATCH))
                 return TXRX_DROP;
  
         sdata = IEEE80211_DEV_TO_SUB_IF(rx->dev);
@@ -1125,78 +1184,60 @@ static void ieee80211_rx_michael_mic_report(struct net_device *dev,
  
         /* TODO: verify that this is not triggered by fragmented
          * frames (hw does not verify MIC for them). */
-       printk(KERN_DEBUG "%s: TKIP hwaccel reported Michael MIC "
-              "failure from " MAC_FMT " to " MAC_FMT " keyidx=%d\n",
-              dev->name, MAC_ARG(hdr->addr2), MAC_ARG(hdr->addr1), keyidx);
+       if (net_ratelimit())
+               printk(KERN_DEBUG "%s: TKIP hwaccel reported Michael MIC "
+                      "failure from " MAC_FMT " to " MAC_FMT " keyidx=%d\n",
+                      dev->name, MAC_ARG(hdr->addr2), MAC_ARG(hdr->addr1),
+                      keyidx);
  
         if (!sta) {
                 /* Some hardware versions seem to generate incorrect
                  * Michael MIC reports; ignore them to avoid triggering
                  * countermeasures. */
-               printk(KERN_DEBUG "%s: ignored spurious Michael MIC "
-                      "error for unknown address " MAC_FMT "\n",
-                      dev->name, MAC_ARG(hdr->addr2));
+               if (net_ratelimit())
+                       printk(KERN_DEBUG "%s: ignored spurious Michael MIC "
+                              "error for unknown address " MAC_FMT "\n",
+                              dev->name, MAC_ARG(hdr->addr2));
                 goto ignore;
         }
  
         if (!(rx->fc & IEEE80211_FCTL_PROTECTED)) {
-               printk(KERN_DEBUG "%s: ignored spurious Michael MIC "
-                      "error for a frame with no ISWEP flag (src "
-                      MAC_FMT ")\n", dev->name, MAC_ARG(hdr->addr2));
+               if (net_ratelimit())
+                       printk(KERN_DEBUG "%s: ignored spurious Michael MIC "
+                              "error for a frame with no ISWEP flag (src "
+                              MAC_FMT ")\n", dev->name, MAC_ARG(hdr->addr2));
                 goto ignore;
         }
  
-       if ((rx->local->hw.flags & IEEE80211_HW_WEP_INCLUDE_IV) &&
-           rx->sdata->type == IEEE80211_IF_TYPE_AP) {
-               keyidx = ieee80211_wep_get_keyidx(rx->skb);
+       if (rx->sdata->type == IEEE80211_IF_TYPE_AP && keyidx) {
                 /* AP with Pairwise keys support should never receive Michael
                  * MIC errors for non-zero keyidx because these are reserved
                  * for group keys and only the AP is sending real multicast
                  * frames in BSS. */
-               if (keyidx) {
+               if (net_ratelimit())
                         printk(KERN_DEBUG "%s: ignored Michael MIC error for "
-                              "a frame with non-zero keyidx (%d) (src " MAC_FMT
-                              ")\n", dev->name, keyidx, MAC_ARG(hdr->addr2));
-                       goto ignore;
-               }
+                              "a frame with non-zero keyidx (%d)"
+                              " (src " MAC_FMT ")\n", dev->name, keyidx,
+                              MAC_ARG(hdr->addr2));
+               goto ignore;
         }
  
         if ((rx->fc & IEEE80211_FCTL_FTYPE) != IEEE80211_FTYPE_DATA &&
             ((rx->fc & IEEE80211_FCTL_FTYPE) != IEEE80211_FTYPE_MGMT ||
              (rx->fc & IEEE80211_FCTL_STYPE) != IEEE80211_STYPE_AUTH)) {
-               printk(KERN_DEBUG "%s: ignored spurious Michael MIC "
-                      "error for a frame that cannot be encrypted "
-                      "(fc=0x%04x) (src " MAC_FMT ")\n",
-                      dev->name, rx->fc, MAC_ARG(hdr->addr2));
+               if (net_ratelimit())
+                       printk(KERN_DEBUG "%s: ignored spurious Michael MIC "
+                              "error for a frame that cannot be encrypted "
+                              "(fc=0x%04x) (src " MAC_FMT ")\n",
+                              dev->name, rx->fc, MAC_ARG(hdr->addr2));
                 goto ignore;
         }
  
-       do {
-               union iwreq_data wrqu;
-               char *buf = kmalloc(128, GFP_ATOMIC);
-               if (!buf)
-                       break;
-
-               /* TODO: needed parameters: count, key type, TSC */
-               sprintf(buf, "MLME-MICHAELMICFAILURE.indication("
-                       "keyid=%d %scast addr=" MAC_FMT ")",
-                       keyidx, hdr->addr1[0] & 0x01 ? "broad" : "uni",
-                       MAC_ARG(hdr->addr2));
-               memset(&wrqu, 0, sizeof(wrqu));
-               wrqu.data.length = strlen(buf);
-               wireless_send_event(rx->dev, IWEVCUSTOM, &wrqu, buf);
-               kfree(buf);
-       } while (0);
-
         /* TODO: consider verifying the MIC error report with software
          * implementation if we get too many spurious reports from the
          * hardware. */
-       if (!rx->local->apdev)
-               goto ignore;
-       ieee80211_rx_mgmt(rx->local, rx->skb, rx->u.rx.status,
-                         ieee80211_msg_michael_mic_failure);
-       return;
  
+       mac80211_ev_michael_mic_failure(rx->dev, keyidx, hdr);
   ignore:
         dev_kfree_skb(rx->skb);
         rx->skb = NULL;
@@ -1208,6 +1249,7 @@ ieee80211_rx_handler ieee80211_rx_handlers[] =
         ieee80211_rx_h_monitor,
         ieee80211_rx_h_passive_scan,
         ieee80211_rx_h_check,
+       ieee80211_rx_h_load_key,
         ieee80211_rx_h_sta_process,
         ieee80211_rx_h_ccmp_decrypt,
         ieee80211_rx_h_tkip_decrypt,
@@ -1230,6 +1272,74 @@ ieee80211_rx_handler ieee80211_rx_handlers[] =
  
  /* main receive path */
  
+static int prepare_for_handlers(struct ieee80211_sub_if_data *sdata,
+                               u8 *bssid, struct ieee80211_txrx_data *rx,
+                               struct ieee80211_hdr *hdr)
+{
+       int multicast = is_multicast_ether_addr(hdr->addr1);
+
+       switch (sdata->type) {
+       case IEEE80211_IF_TYPE_STA:
+               if (!bssid)
+                       return 0;
+               if (!ieee80211_bssid_match(bssid, sdata->u.sta.bssid)) {
+                       if (!(rx->flags & IEEE80211_TXRXD_RXIN_SCAN))
+                               return 0;
+                       rx->flags &= ~IEEE80211_TXRXD_RXRA_MATCH;
+               } else if (!multicast &&
+                          compare_ether_addr(sdata->dev->dev_addr,
+                                             hdr->addr1) != 0) {
+                       if (!(sdata->flags & IEEE80211_SDATA_PROMISC))
+                               return 0;
+                       rx->flags &= ~IEEE80211_TXRXD_RXRA_MATCH;
+               }
+               break;
+       case IEEE80211_IF_TYPE_IBSS:
+               if (!bssid)
+                       return 0;
+               if (!ieee80211_bssid_match(bssid, sdata->u.sta.bssid)) {
+                       if (!(rx->flags & IEEE80211_TXRXD_RXIN_SCAN))
+                               return 0;
+                       rx->flags &= ~IEEE80211_TXRXD_RXRA_MATCH;
+               } else if (!multicast &&
+                          compare_ether_addr(sdata->dev->dev_addr,
+                                             hdr->addr1) != 0) {
+                       if (!(sdata->flags & IEEE80211_SDATA_PROMISC))
+                               return 0;
+                       rx->flags &= ~IEEE80211_TXRXD_RXRA_MATCH;
+               } else if (!rx->sta)
+                       rx->sta = ieee80211_ibss_add_sta(sdata->dev, rx->skb,
+                                                        bssid, hdr->addr2);
+               break;
+       case IEEE80211_IF_TYPE_AP:
+               if (!bssid) {
+                       if (compare_ether_addr(sdata->dev->dev_addr,
+                                              hdr->addr1))
+                               return 0;
+               } else if (!ieee80211_bssid_match(bssid,
+                                       sdata->dev->dev_addr)) {
+                       if (!(rx->flags & IEEE80211_TXRXD_RXIN_SCAN))
+                               return 0;
+                       rx->flags &= ~IEEE80211_TXRXD_RXRA_MATCH;
+               }
+               if (sdata->dev == sdata->local->mdev &&
+                   !(rx->flags & IEEE80211_TXRXD_RXIN_SCAN))
+                       /* do not receive anything via
+                        * master device when not scanning */
+                       return 0;
+               break;
+       case IEEE80211_IF_TYPE_WDS:
+               if (bssid ||
+                   (rx->fc & IEEE80211_FCTL_FTYPE) != IEEE80211_FTYPE_DATA)
+                       return 0;
+               if (compare_ether_addr(sdata->u.wds.remote_addr, hdr->addr2))
+                       return 0;
+               break;
+       }
+
+       return 1;
+}
+
  /*
   * This is the receive path handler. It is called by a low level driver when an
   * 802.11 MPDU is received from the hardware.
@@ -1243,8 +1353,7 @@ void __ieee80211_rx(struct ieee80211_hw *hw, struct sk_buff *skb,
         struct ieee80211_hdr *hdr;
         struct ieee80211_txrx_data rx;
         u16 type;
-       int multicast;
-       int radiotap_len = 0;
+       int radiotap_len = 0, prepres;
         struct ieee80211_sub_if_data *prev = NULL;
         struct sk_buff *skb_new;
         u8 *bssid;
@@ -1254,6 +1363,12 @@ void __ieee80211_rx(struct ieee80211_hw *hw, struct sk_buff *skb,
                 skb_pull(skb, radiotap_len);
         }
  
+       /*
+        * key references are protected using RCU and this requires that
+        * we are in a read-site RCU section during receive processing
+        */
+       rcu_read_lock();
+
         hdr = (struct ieee80211_hdr *) skb->data;
         memset(&rx, 0, sizeof(rx));
         rx.skb = skb;
@@ -1264,25 +1379,23 @@ void __ieee80211_rx(struct ieee80211_hw *hw, struct sk_buff *skb,
         type = rx.fc & IEEE80211_FCTL_FTYPE;
         if (type == IEEE80211_FTYPE_DATA || type == IEEE80211_FTYPE_MGMT)
                 local->dot11ReceivedFragmentCount++;
-       multicast = is_multicast_ether_addr(hdr->addr1);
  
-       if (skb->len >= 16)
+       if (skb->len >= 16) {
                 sta = rx.sta = sta_info_get(local, hdr->addr2);
-       else
+               if (sta) {
+                       rx.dev = rx.sta->dev;
+                       rx.sdata = IEEE80211_DEV_TO_SUB_IF(rx.dev);
+               }
+       } else
                 sta = rx.sta = NULL;
  
-       if (sta) {
-               rx.dev = sta->dev;
-               rx.sdata = IEEE80211_DEV_TO_SUB_IF(rx.dev);
-       }
-
         if ((status->flag & RX_FLAG_MMIC_ERROR)) {
                 ieee80211_rx_michael_mic_report(local->mdev, hdr, sta, &rx);
                 goto end;
         }
  
         if (unlikely(local->sta_scanning))
-               rx.u.rx.in_scan = 1;
+               rx.flags |= IEEE80211_TXRXD_RXIN_SCAN;
  
         if (__ieee80211_invoke_rx_handlers(local, local->rx_pre_handlers, &rx,
                                            sta) != TXRX_CONTINUE)
@@ -1290,12 +1403,13 @@ void __ieee80211_rx(struct ieee80211_hw *hw, struct sk_buff *skb,
         skb = rx.skb;
  
         skb_push(skb, radiotap_len);
-       if (sta && !sta->assoc_ap && !(sta->flags & WLAN_STA_WDS) &&
-           !local->iff_promiscs && !multicast) {
-               rx.u.rx.ra_match = 1;
+       if (sta && !(sta->flags & (WLAN_STA_WDS | WLAN_STA_ASSOC_AP)) &&
+           !local->iff_promiscs && !is_multicast_ether_addr(hdr->addr1)) {
+               rx.flags |= IEEE80211_TXRXD_RXRA_MATCH;
                 ieee80211_invoke_rx_handlers(local, local->rx_handlers, &rx,
-                                            sta);
+                                            rx.sta);
                 sta_info_put(sta);
+               rcu_read_unlock();
                 return;
         }
  
@@ -1303,85 +1417,47 @@ void __ieee80211_rx(struct ieee80211_hw *hw, struct sk_buff *skb,
  
         read_lock(&local->sub_if_lock);
         list_for_each_entry(sdata, &local->sub_if_list, list) {
-               rx.u.rx.ra_match = 1;
-               switch (sdata->type) {
-               case IEEE80211_IF_TYPE_STA:
-                       if (!bssid)
-                               continue;
-                       if (!ieee80211_bssid_match(bssid,
-                                                  sdata->u.sta.bssid)) {
-                               if (!rx.u.rx.in_scan)
-                                       continue;
-                               rx.u.rx.ra_match = 0;
-                       } else if (!multicast &&
-                                  compare_ether_addr(sdata->dev->dev_addr,
-                                                     hdr->addr1) != 0) {
-                               if (!sdata->promisc)
-                                       continue;
-                               rx.u.rx.ra_match = 0;
-                       }
-                       break;
-               case IEEE80211_IF_TYPE_IBSS:
-                       if (!bssid)
-                               continue;
-                       if (!ieee80211_bssid_match(bssid,
-                                               sdata->u.sta.bssid)) {
-                               if (!rx.u.rx.in_scan)
-                                       continue;
-                               rx.u.rx.ra_match = 0;
-                       } else if (!multicast &&
-                                  compare_ether_addr(sdata->dev->dev_addr,
-                                                     hdr->addr1) != 0) {
-                               if (!sdata->promisc)
-                                       continue;
-                               rx.u.rx.ra_match = 0;
-                       } else if (!sta)
-                               sta = rx.sta =
-                                       ieee80211_ibss_add_sta(sdata->dev,
-                                                              skb, bssid,
-                                                              hdr->addr2);
-                       break;
-               case IEEE80211_IF_TYPE_AP:
-                       if (!bssid) {
-                               if (compare_ether_addr(sdata->dev->dev_addr,
-                                                      hdr->addr1))
-                                       continue;
-                       } else if (!ieee80211_bssid_match(bssid,
-                                               sdata->dev->dev_addr)) {
-                               if (!rx.u.rx.in_scan)
-                                       continue;
-                               rx.u.rx.ra_match = 0;
-                       }
-                       if (sdata->dev == local->mdev && !rx.u.rx.in_scan)
-                               /* do not receive anything via
-                                * master device when not scanning */
-                               continue;
-                       break;
-               case IEEE80211_IF_TYPE_WDS:
-                       if (bssid ||
-                           (rx.fc & IEEE80211_FCTL_FTYPE) != IEEE80211_FTYPE_DATA)
-                               continue;
-                       if (compare_ether_addr(sdata->u.wds.remote_addr,
-                                              hdr->addr2))
-                               continue;
-                       break;
+               rx.flags |= IEEE80211_TXRXD_RXRA_MATCH;
+
+               if (!netif_running(sdata->dev))
+                       continue;
+
+               prepres = prepare_for_handlers(sdata, bssid, &rx, hdr);
+               /* prepare_for_handlers can change sta */
+               sta = rx.sta;
+
+               if (!prepres)
+                       continue;
+
+               /*
+                * frame is destined for this interface, but if it's not
+                * also for the previous one we handle that after the
+                * loop to avoid copying the SKB once too much
+                */
+
+               if (!prev) {
+                       prev = sdata;
+                       continue;
                 }
  
-               if (prev) {
-                       skb_new = skb_copy(skb, GFP_ATOMIC);
-                       if (!skb_new) {
-                               if (net_ratelimit())
-                                       printk(KERN_DEBUG "%s: failed to copy "
-                                              "multicast frame for %s",
-                                              local->mdev->name, prev->dev->name);
-                               continue;
-                       }
-                       rx.skb = skb_new;
-                       rx.dev = prev->dev;
-                       rx.sdata = prev;
-                       ieee80211_invoke_rx_handlers(local, local->rx_handlers,
-                                                    &rx, sta);
+               /*
+                * frame was destined for the previous interface
+                * so invoke RX handlers for it
+                */
+
+               skb_new = skb_copy(skb, GFP_ATOMIC);
+               if (!skb_new) {
+                       if (net_ratelimit())
+                               printk(KERN_DEBUG "%s: failed to copy "
+                                      "multicast frame for %s",
+                                      local->mdev->name, prev->dev->name);
+                       continue;
                 }
+               rx.skb = skb_new;
+               rx.dev = prev->dev;
+               rx.sdata = prev;
+               ieee80211_invoke_rx_handlers(local, local->rx_handlers,
+                                            &rx, sta);
                 prev = sdata;
         }
         if (prev) {
@@ -1395,6 +1471,8 @@ void __ieee80211_rx(struct ieee80211_hw *hw, struct sk_buff *skb,
         read_unlock(&local->sub_if_lock);
  
   end:
+       rcu_read_unlock();
+
         if (sta)
                 sta_info_put(sta);
  }