1// SPDX-License-Identifier: GPL-2.0 2/* 3 * cfg80211 scan result handling 4 * 5 * Copyright 2008 Johannes Berg <johannes@sipsolutions.net> 6 * Copyright 2013-2014 Intel Mobile Communications GmbH 7 * Copyright 2016 Intel Deutschland GmbH 8 * Copyright (C) 2018-2024 Intel Corporation 9 */ 10#include <linux/kernel.h> 11#include <linux/slab.h> 12#include <linux/module.h> 13#include <linux/netdevice.h> 14#include <linux/wireless.h> 15#include <linux/nl80211.h> 16#include <linux/etherdevice.h> 17#include <linux/crc32.h> 18#include <linux/bitfield.h> 19#include <net/arp.h> 20#include <net/cfg80211.h> 21#include <net/cfg80211-wext.h> 22#include <net/iw_handler.h> 23#include <kunit/visibility.h> 24#include "core.h" 25#include "nl80211.h" 26#include "wext-compat.h" 27#include "rdev-ops.h" 28 29/** 30 * DOC: BSS tree/list structure 31 * 32 * At the top level, the BSS list is kept in both a list in each 33 * registered device (@bss_list) as well as an RB-tree for faster 34 * lookup. In the RB-tree, entries can be looked up using their 35 * channel, MESHID, MESHCONF (for MBSSes) or channel, BSSID, SSID 36 * for other BSSes. 37 * 38 * Due to the possibility of hidden SSIDs, there's a second level 39 * structure, the "hidden_list" and "hidden_beacon_bss" pointer. 40 * The hidden_list connects all BSSes belonging to a single AP 41 * that has a hidden SSID, and connects beacon and probe response 42 * entries. For a probe response entry for a hidden SSID, the 43 * hidden_beacon_bss pointer points to the BSS struct holding the 44 * beacon's information. 45 * 46 * Reference counting is done for all these references except for 47 * the hidden_list, so that a beacon BSS struct that is otherwise 48 * not referenced has one reference for being on the bss_list and 49 * one for each probe response entry that points to it using the 50 * hidden_beacon_bss pointer. When a BSS struct that has such a 51 * pointer is get/put, the refcount update is also propagated to 52 * the referenced struct, this ensure that it cannot get removed 53 * while somebody is using the probe response version. 54 * 55 * Note that the hidden_beacon_bss pointer never changes, due to 56 * the reference counting. Therefore, no locking is needed for 57 * it. 58 * 59 * Also note that the hidden_beacon_bss pointer is only relevant 60 * if the driver uses something other than the IEs, e.g. private 61 * data stored in the BSS struct, since the beacon IEs are 62 * also linked into the probe response struct. 63 */ 64 65/* 66 * Limit the number of BSS entries stored in mac80211. Each one is 67 * a bit over 4k at most, so this limits to roughly 4-5M of memory. 68 * If somebody wants to really attack this though, they'd likely 69 * use small beacons, and only one type of frame, limiting each of 70 * the entries to a much smaller size (in order to generate more 71 * entries in total, so overhead is bigger.) 72 */ 73static int bss_entries_limit = 1000; 74module_param(bss_entries_limit, int, 0644); 75MODULE_PARM_DESC(bss_entries_limit, 76 "limit to number of scan BSS entries (per wiphy, default 1000)"); 77 78#define IEEE80211_SCAN_RESULT_EXPIRE (30 * HZ) 79 80static void bss_free(struct cfg80211_internal_bss *bss) 81{ 82 struct cfg80211_bss_ies *ies; 83 84 if (WARN_ON(atomic_read(&bss->hold))) 85 return; 86 87 ies = (void *)rcu_access_pointer(bss->pub.beacon_ies); 88 if (ies && !bss->pub.hidden_beacon_bss) 89 kfree_rcu(ies, rcu_head); 90 ies = (void *)rcu_access_pointer(bss->pub.proberesp_ies); 91 if (ies) 92 kfree_rcu(ies, rcu_head); 93 94 /* 95 * This happens when the module is removed, it doesn't 96 * really matter any more save for completeness 97 */ 98 if (!list_empty(&bss->hidden_list)) 99 list_del(&bss->hidden_list); 100 101 kfree(bss); 102} 103 104static inline void bss_ref_get(struct cfg80211_registered_device *rdev, 105 struct cfg80211_internal_bss *bss) 106{ 107 lockdep_assert_held(&rdev->bss_lock); 108 109 bss->refcount++; 110 111 if (bss->pub.hidden_beacon_bss) 112 bss_from_pub(bss->pub.hidden_beacon_bss)->refcount++; 113 114 if (bss->pub.transmitted_bss) 115 bss_from_pub(bss->pub.transmitted_bss)->refcount++; 116} 117 118static inline void bss_ref_put(struct cfg80211_registered_device *rdev, 119 struct cfg80211_internal_bss *bss) 120{ 121 lockdep_assert_held(&rdev->bss_lock); 122 123 if (bss->pub.hidden_beacon_bss) { 124 struct cfg80211_internal_bss *hbss; 125 126 hbss = bss_from_pub(bss->pub.hidden_beacon_bss); 127 hbss->refcount--; 128 if (hbss->refcount == 0) 129 bss_free(hbss); 130 } 131 132 if (bss->pub.transmitted_bss) { 133 struct cfg80211_internal_bss *tbss; 134 135 tbss = bss_from_pub(bss->pub.transmitted_bss); 136 tbss->refcount--; 137 if (tbss->refcount == 0) 138 bss_free(tbss); 139 } 140 141 bss->refcount--; 142 if (bss->refcount == 0) 143 bss_free(bss); 144} 145 146static bool __cfg80211_unlink_bss(struct cfg80211_registered_device *rdev, 147 struct cfg80211_internal_bss *bss) 148{ 149 lockdep_assert_held(&rdev->bss_lock); 150 151 if (!list_empty(&bss->hidden_list)) { 152 /* 153 * don't remove the beacon entry if it has 154 * probe responses associated with it 155 */ 156 if (!bss->pub.hidden_beacon_bss) 157 return false; 158 /* 159 * if it's a probe response entry break its 160 * link to the other entries in the group 161 */ 162 list_del_init(&bss->hidden_list); 163 } 164 165 list_del_init(&bss->list); 166 list_del_init(&bss->pub.nontrans_list); 167 rb_erase(&bss->rbn, &rdev->bss_tree); 168 rdev->bss_entries--; 169 WARN_ONCE((rdev->bss_entries == 0) ^ list_empty(&rdev->bss_list), 170 "rdev bss entries[%d]/list[empty:%d] corruption\n", 171 rdev->bss_entries, list_empty(&rdev->bss_list)); 172 bss_ref_put(rdev, bss); 173 return true; 174} 175 176bool cfg80211_is_element_inherited(const struct element *elem, 177 const struct element *non_inherit_elem) 178{ 179 u8 id_len, ext_id_len, i, loop_len, id; 180 const u8 *list; 181 182 if (elem->id == WLAN_EID_MULTIPLE_BSSID) 183 return false; 184 185 if (elem->id == WLAN_EID_EXTENSION && elem->datalen > 1 && 186 elem->data[0] == WLAN_EID_EXT_EHT_MULTI_LINK) 187 return false; 188 189 if (!non_inherit_elem || non_inherit_elem->datalen < 2) 190 return true; 191 192 /* 193 * non inheritance element format is: 194 * ext ID (56) | IDs list len | list | extension IDs list len | list 195 * Both lists are optional. Both lengths are mandatory. 196 * This means valid length is: 197 * elem_len = 1 (extension ID) + 2 (list len fields) + list lengths 198 */ 199 id_len = non_inherit_elem->data[1]; 200 if (non_inherit_elem->datalen < 3 + id_len) 201 return true; 202 203 ext_id_len = non_inherit_elem->data[2 + id_len]; 204 if (non_inherit_elem->datalen < 3 + id_len + ext_id_len) 205 return true; 206 207 if (elem->id == WLAN_EID_EXTENSION) { 208 if (!ext_id_len) 209 return true; 210 loop_len = ext_id_len; 211 list = &non_inherit_elem->data[3 + id_len]; 212 id = elem->data[0]; 213 } else { 214 if (!id_len) 215 return true; 216 loop_len = id_len; 217 list = &non_inherit_elem->data[2]; 218 id = elem->id; 219 } 220 221 for (i = 0; i < loop_len; i++) { 222 if (list[i] == id) 223 return false; 224 } 225 226 return true; 227} 228EXPORT_SYMBOL(cfg80211_is_element_inherited); 229 230static size_t cfg80211_copy_elem_with_frags(const struct element *elem, 231 const u8 *ie, size_t ie_len, 232 u8 **pos, u8 *buf, size_t buf_len) 233{ 234 if (WARN_ON((u8 *)elem < ie || elem->data > ie + ie_len || 235 elem->data + elem->datalen > ie + ie_len)) 236 return 0; 237 238 if (elem->datalen + 2 > buf + buf_len - *pos) 239 return 0; 240 241 memcpy(*pos, elem, elem->datalen + 2); 242 *pos += elem->datalen + 2; 243 244 /* Finish if it is not fragmented */ 245 if (elem->datalen != 255) 246 return *pos - buf; 247 248 ie_len = ie + ie_len - elem->data - elem->datalen; 249 ie = (const u8 *)elem->data + elem->datalen; 250 251 for_each_element(elem, ie, ie_len) { 252 if (elem->id != WLAN_EID_FRAGMENT) 253 break; 254 255 if (elem->datalen + 2 > buf + buf_len - *pos) 256 return 0; 257 258 memcpy(*pos, elem, elem->datalen + 2); 259 *pos += elem->datalen + 2; 260 261 if (elem->datalen != 255) 262 break; 263 } 264 265 return *pos - buf; 266} 267 268VISIBLE_IF_CFG80211_KUNIT size_t 269cfg80211_gen_new_ie(const u8 *ie, size_t ielen, 270 const u8 *subie, size_t subie_len, 271 u8 *new_ie, size_t new_ie_len) 272{ 273 const struct element *non_inherit_elem, *parent, *sub; 274 u8 *pos = new_ie; 275 u8 id, ext_id; 276 unsigned int match_len; 277 278 non_inherit_elem = cfg80211_find_ext_elem(WLAN_EID_EXT_NON_INHERITANCE, 279 subie, subie_len); 280 281 /* We copy the elements one by one from the parent to the generated 282 * elements. 283 * If they are not inherited (included in subie or in the non 284 * inheritance element), then we copy all occurrences the first time 285 * we see this element type. 286 */ 287 for_each_element(parent, ie, ielen) { 288 if (parent->id == WLAN_EID_FRAGMENT) 289 continue; 290 291 if (parent->id == WLAN_EID_EXTENSION) { 292 if (parent->datalen < 1) 293 continue; 294 295 id = WLAN_EID_EXTENSION; 296 ext_id = parent->data[0]; 297 match_len = 1; 298 } else { 299 id = parent->id; 300 match_len = 0; 301 } 302 303 /* Find first occurrence in subie */ 304 sub = cfg80211_find_elem_match(id, subie, subie_len, 305 &ext_id, match_len, 0); 306 307 /* Copy from parent if not in subie and inherited */ 308 if (!sub && 309 cfg80211_is_element_inherited(parent, non_inherit_elem)) { 310 if (!cfg80211_copy_elem_with_frags(parent, 311 ie, ielen, 312 &pos, new_ie, 313 new_ie_len)) 314 return 0; 315 316 continue; 317 } 318 319 /* Already copied if an earlier element had the same type */ 320 if (cfg80211_find_elem_match(id, ie, (u8 *)parent - ie, 321 &ext_id, match_len, 0)) 322 continue; 323 324 /* Not inheriting, copy all similar elements from subie */ 325 while (sub) { 326 if (!cfg80211_copy_elem_with_frags(sub, 327 subie, subie_len, 328 &pos, new_ie, 329 new_ie_len)) 330 return 0; 331 332 sub = cfg80211_find_elem_match(id, 333 sub->data + sub->datalen, 334 subie_len + subie - 335 (sub->data + 336 sub->datalen), 337 &ext_id, match_len, 0); 338 } 339 } 340 341 /* The above misses elements that are included in subie but not in the 342 * parent, so do a pass over subie and append those. 343 * Skip the non-tx BSSID caps and non-inheritance element. 344 */ 345 for_each_element(sub, subie, subie_len) { 346 if (sub->id == WLAN_EID_NON_TX_BSSID_CAP) 347 continue; 348 349 if (sub->id == WLAN_EID_FRAGMENT) 350 continue; 351 352 if (sub->id == WLAN_EID_EXTENSION) { 353 if (sub->datalen < 1) 354 continue; 355 356 id = WLAN_EID_EXTENSION; 357 ext_id = sub->data[0]; 358 match_len = 1; 359 360 if (ext_id == WLAN_EID_EXT_NON_INHERITANCE) 361 continue; 362 } else { 363 id = sub->id; 364 match_len = 0; 365 } 366 367 /* Processed if one was included in the parent */ 368 if (cfg80211_find_elem_match(id, ie, ielen, 369 &ext_id, match_len, 0)) 370 continue; 371 372 if (!cfg80211_copy_elem_with_frags(sub, subie, subie_len, 373 &pos, new_ie, new_ie_len)) 374 return 0; 375 } 376 377 return pos - new_ie; 378} 379EXPORT_SYMBOL_IF_CFG80211_KUNIT(cfg80211_gen_new_ie); 380 381static bool is_bss(struct cfg80211_bss *a, const u8 *bssid, 382 const u8 *ssid, size_t ssid_len) 383{ 384 const struct cfg80211_bss_ies *ies; 385 const struct element *ssid_elem; 386 387 if (bssid && !ether_addr_equal(a->bssid, bssid)) 388 return false; 389 390 if (!ssid) 391 return true; 392 393 ies = rcu_access_pointer(a->ies); 394 if (!ies) 395 return false; 396 ssid_elem = cfg80211_find_elem(WLAN_EID_SSID, ies->data, ies->len); 397 if (!ssid_elem) 398 return false; 399 if (ssid_elem->datalen != ssid_len) 400 return false; 401 return memcmp(ssid_elem->data, ssid, ssid_len) == 0; 402} 403 404static int 405cfg80211_add_nontrans_list(struct cfg80211_bss *trans_bss, 406 struct cfg80211_bss *nontrans_bss) 407{ 408 const struct element *ssid_elem; 409 struct cfg80211_bss *bss = NULL; 410 411 rcu_read_lock(); 412 ssid_elem = ieee80211_bss_get_elem(nontrans_bss, WLAN_EID_SSID); 413 if (!ssid_elem) { 414 rcu_read_unlock(); 415 return -EINVAL; 416 } 417 418 /* check if nontrans_bss is in the list */ 419 list_for_each_entry(bss, &trans_bss->nontrans_list, nontrans_list) { 420 if (is_bss(bss, nontrans_bss->bssid, ssid_elem->data, 421 ssid_elem->datalen)) { 422 rcu_read_unlock(); 423 return 0; 424 } 425 } 426 427 rcu_read_unlock(); 428 429 /* 430 * This is a bit weird - it's not on the list, but already on another 431 * one! The only way that could happen is if there's some BSSID/SSID 432 * shared by multiple APs in their multi-BSSID profiles, potentially 433 * with hidden SSID mixed in ... ignore it. 434 */ 435 if (!list_empty(&nontrans_bss->nontrans_list)) 436 return -EINVAL; 437 438 /* add to the list */ 439 list_add_tail(&nontrans_bss->nontrans_list, &trans_bss->nontrans_list); 440 return 0; 441} 442 443static void __cfg80211_bss_expire(struct cfg80211_registered_device *rdev, 444 unsigned long expire_time) 445{ 446 struct cfg80211_internal_bss *bss, *tmp; 447 bool expired = false; 448 449 lockdep_assert_held(&rdev->bss_lock); 450 451 list_for_each_entry_safe(bss, tmp, &rdev->bss_list, list) { 452 if (atomic_read(&bss->hold)) 453 continue; 454 if (!time_after(expire_time, bss->ts)) 455 continue; 456 457 if (__cfg80211_unlink_bss(rdev, bss)) 458 expired = true; 459 } 460 461 if (expired) 462 rdev->bss_generation++; 463} 464 465static bool cfg80211_bss_expire_oldest(struct cfg80211_registered_device *rdev) 466{ 467 struct cfg80211_internal_bss *bss, *oldest = NULL; 468 bool ret; 469 470 lockdep_assert_held(&rdev->bss_lock); 471 472 list_for_each_entry(bss, &rdev->bss_list, list) { 473 if (atomic_read(&bss->hold)) 474 continue; 475 476 if (!list_empty(&bss->hidden_list) && 477 !bss->pub.hidden_beacon_bss) 478 continue; 479 480 if (oldest && time_before(oldest->ts, bss->ts)) 481 continue; 482 oldest = bss; 483 } 484 485 if (WARN_ON(!oldest)) 486 return false; 487 488 /* 489 * The callers make sure to increase rdev->bss_generation if anything 490 * gets removed (and a new entry added), so there's no need to also do 491 * it here. 492 */ 493 494 ret = __cfg80211_unlink_bss(rdev, oldest); 495 WARN_ON(!ret); 496 return ret; 497} 498 499static u8 cfg80211_parse_bss_param(u8 data, 500 struct cfg80211_colocated_ap *coloc_ap) 501{ 502 coloc_ap->oct_recommended = 503 u8_get_bits(data, IEEE80211_RNR_TBTT_PARAMS_OCT_RECOMMENDED); 504 coloc_ap->same_ssid = 505 u8_get_bits(data, IEEE80211_RNR_TBTT_PARAMS_SAME_SSID); 506 coloc_ap->multi_bss = 507 u8_get_bits(data, IEEE80211_RNR_TBTT_PARAMS_MULTI_BSSID); 508 coloc_ap->transmitted_bssid = 509 u8_get_bits(data, IEEE80211_RNR_TBTT_PARAMS_TRANSMITTED_BSSID); 510 coloc_ap->unsolicited_probe = 511 u8_get_bits(data, IEEE80211_RNR_TBTT_PARAMS_PROBE_ACTIVE); 512 coloc_ap->colocated_ess = 513 u8_get_bits(data, IEEE80211_RNR_TBTT_PARAMS_COLOC_ESS); 514 515 return u8_get_bits(data, IEEE80211_RNR_TBTT_PARAMS_COLOC_AP); 516} 517 518static int cfg80211_calc_short_ssid(const struct cfg80211_bss_ies *ies, 519 const struct element **elem, u32 *s_ssid) 520{ 521 522 *elem = cfg80211_find_elem(WLAN_EID_SSID, ies->data, ies->len); 523 if (!*elem || (*elem)->datalen > IEEE80211_MAX_SSID_LEN) 524 return -EINVAL; 525 526 *s_ssid = ~crc32_le(~0, (*elem)->data, (*elem)->datalen); 527 return 0; 528} 529 530VISIBLE_IF_CFG80211_KUNIT void 531cfg80211_free_coloc_ap_list(struct list_head *coloc_ap_list) 532{ 533 struct cfg80211_colocated_ap *ap, *tmp_ap; 534 535 list_for_each_entry_safe(ap, tmp_ap, coloc_ap_list, list) { 536 list_del(&ap->list); 537 kfree(ap); 538 } 539} 540EXPORT_SYMBOL_IF_CFG80211_KUNIT(cfg80211_free_coloc_ap_list); 541 542static int cfg80211_parse_ap_info(struct cfg80211_colocated_ap *entry, 543 const u8 *pos, u8 length, 544 const struct element *ssid_elem, 545 u32 s_ssid_tmp) 546{ 547 u8 bss_params; 548 549 entry->psd_20 = IEEE80211_RNR_TBTT_PARAMS_PSD_RESERVED; 550 551 /* The length is already verified by the caller to contain bss_params */ 552 if (length > sizeof(struct ieee80211_tbtt_info_7_8_9)) { 553 struct ieee80211_tbtt_info_ge_11 *tbtt_info = (void *)pos; 554 555 memcpy(entry->bssid, tbtt_info->bssid, ETH_ALEN); 556 entry->short_ssid = le32_to_cpu(tbtt_info->short_ssid); 557 entry->short_ssid_valid = true; 558 559 bss_params = tbtt_info->bss_params; 560 561 /* Ignore disabled links */ 562 if (length >= offsetofend(typeof(*tbtt_info), mld_params)) { 563 if (le16_get_bits(tbtt_info->mld_params.params, 564 IEEE80211_RNR_MLD_PARAMS_DISABLED_LINK)) 565 return -EINVAL; 566 } 567 568 if (length >= offsetofend(struct ieee80211_tbtt_info_ge_11, 569 psd_20)) 570 entry->psd_20 = tbtt_info->psd_20; 571 } else { 572 struct ieee80211_tbtt_info_7_8_9 *tbtt_info = (void *)pos; 573 574 memcpy(entry->bssid, tbtt_info->bssid, ETH_ALEN); 575 576 bss_params = tbtt_info->bss_params; 577 578 if (length == offsetofend(struct ieee80211_tbtt_info_7_8_9, 579 psd_20)) 580 entry->psd_20 = tbtt_info->psd_20; 581 } 582 583 /* ignore entries with invalid BSSID */ 584 if (!is_valid_ether_addr(entry->bssid)) 585 return -EINVAL; 586 587 /* skip non colocated APs */ 588 if (!cfg80211_parse_bss_param(bss_params, entry)) 589 return -EINVAL; 590 591 /* no information about the short ssid. Consider the entry valid 592 * for now. It would later be dropped in case there are explicit 593 * SSIDs that need to be matched 594 */ 595 if (!entry->same_ssid && !entry->short_ssid_valid) 596 return 0; 597 598 if (entry->same_ssid) { 599 entry->short_ssid = s_ssid_tmp; 600 entry->short_ssid_valid = true; 601 602 /* 603 * This is safe because we validate datalen in 604 * cfg80211_parse_colocated_ap(), before calling this 605 * function. 606 */ 607 memcpy(&entry->ssid, &ssid_elem->data, ssid_elem->datalen); 608 entry->ssid_len = ssid_elem->datalen; 609 } 610 611 return 0; 612} 613 614bool cfg80211_iter_rnr(const u8 *elems, size_t elems_len, 615 enum cfg80211_rnr_iter_ret 616 (*iter)(void *data, u8 type, 617 const struct ieee80211_neighbor_ap_info *info, 618 const u8 *tbtt_info, u8 tbtt_info_len), 619 void *iter_data) 620{ 621 const struct element *rnr; 622 const u8 *pos, *end; 623 624 for_each_element_id(rnr, WLAN_EID_REDUCED_NEIGHBOR_REPORT, 625 elems, elems_len) { 626 const struct ieee80211_neighbor_ap_info *info; 627 628 pos = rnr->data; 629 end = rnr->data + rnr->datalen; 630 631 /* RNR IE may contain more than one NEIGHBOR_AP_INFO */ 632 while (sizeof(*info) <= end - pos) { 633 u8 length, i, count; 634 u8 type; 635 636 info = (void *)pos; 637 count = u8_get_bits(info->tbtt_info_hdr, 638 IEEE80211_AP_INFO_TBTT_HDR_COUNT) + 639 1; 640 length = info->tbtt_info_len; 641 642 pos += sizeof(*info); 643 644 if (count * length > end - pos) 645 return false; 646 647 type = u8_get_bits(info->tbtt_info_hdr, 648 IEEE80211_AP_INFO_TBTT_HDR_TYPE); 649 650 for (i = 0; i < count; i++) { 651 switch (iter(iter_data, type, info, 652 pos, length)) { 653 case RNR_ITER_CONTINUE: 654 break; 655 case RNR_ITER_BREAK: 656 return true; 657 case RNR_ITER_ERROR: 658 return false; 659 } 660 661 pos += length; 662 } 663 } 664 665 if (pos != end) 666 return false; 667 } 668 669 return true; 670} 671EXPORT_SYMBOL_GPL(cfg80211_iter_rnr); 672 673struct colocated_ap_data { 674 const struct element *ssid_elem; 675 struct list_head ap_list; 676 u32 s_ssid_tmp; 677 int n_coloc; 678}; 679 680static enum cfg80211_rnr_iter_ret 681cfg80211_parse_colocated_ap_iter(void *_data, u8 type, 682 const struct ieee80211_neighbor_ap_info *info, 683 const u8 *tbtt_info, u8 tbtt_info_len) 684{ 685 struct colocated_ap_data *data = _data; 686 struct cfg80211_colocated_ap *entry; 687 enum nl80211_band band; 688 689 if (type != IEEE80211_TBTT_INFO_TYPE_TBTT) 690 return RNR_ITER_CONTINUE; 691 692 if (!ieee80211_operating_class_to_band(info->op_class, &band)) 693 return RNR_ITER_CONTINUE; 694 695 /* TBTT info must include bss param + BSSID + (short SSID or 696 * same_ssid bit to be set). Ignore other options, and move to 697 * the next AP info 698 */ 699 if (band != NL80211_BAND_6GHZ || 700 !(tbtt_info_len == offsetofend(struct ieee80211_tbtt_info_7_8_9, 701 bss_params) || 702 tbtt_info_len == sizeof(struct ieee80211_tbtt_info_7_8_9) || 703 tbtt_info_len >= offsetofend(struct ieee80211_tbtt_info_ge_11, 704 bss_params))) 705 return RNR_ITER_CONTINUE; 706 707 entry = kzalloc(sizeof(*entry) + IEEE80211_MAX_SSID_LEN, GFP_ATOMIC); 708 if (!entry) 709 return RNR_ITER_ERROR; 710 711 entry->center_freq = 712 ieee80211_channel_to_frequency(info->channel, band); 713 714 if (!cfg80211_parse_ap_info(entry, tbtt_info, tbtt_info_len, 715 data->ssid_elem, data->s_ssid_tmp)) { 716 data->n_coloc++; 717 list_add_tail(&entry->list, &data->ap_list); 718 } else { 719 kfree(entry); 720 } 721 722 return RNR_ITER_CONTINUE; 723} 724 725VISIBLE_IF_CFG80211_KUNIT int 726cfg80211_parse_colocated_ap(const struct cfg80211_bss_ies *ies, 727 struct list_head *list) 728{ 729 struct colocated_ap_data data = {}; 730 int ret; 731 732 INIT_LIST_HEAD(&data.ap_list); 733 734 ret = cfg80211_calc_short_ssid(ies, &data.ssid_elem, &data.s_ssid_tmp); 735 if (ret) 736 return 0; 737 738 if (!cfg80211_iter_rnr(ies->data, ies->len, 739 cfg80211_parse_colocated_ap_iter, &data)) { 740 cfg80211_free_coloc_ap_list(&data.ap_list); 741 return 0; 742 } 743 744 list_splice_tail(&data.ap_list, list); 745 return data.n_coloc; 746} 747EXPORT_SYMBOL_IF_CFG80211_KUNIT(cfg80211_parse_colocated_ap); 748 749static void cfg80211_scan_req_add_chan(struct cfg80211_scan_request *request, 750 struct ieee80211_channel *chan, 751 bool add_to_6ghz) 752{ 753 int i; 754 u32 n_channels = request->n_channels; 755 struct cfg80211_scan_6ghz_params *params = 756 &request->scan_6ghz_params[request->n_6ghz_params]; 757 758 for (i = 0; i < n_channels; i++) { 759 if (request->channels[i] == chan) { 760 if (add_to_6ghz) 761 params->channel_idx = i; 762 return; 763 } 764 } 765 766 request->channels[n_channels] = chan; 767 if (add_to_6ghz) 768 request->scan_6ghz_params[request->n_6ghz_params].channel_idx = 769 n_channels; 770 771 request->n_channels++; 772} 773 774static bool cfg80211_find_ssid_match(struct cfg80211_colocated_ap *ap, 775 struct cfg80211_scan_request *request) 776{ 777 int i; 778 u32 s_ssid; 779 780 for (i = 0; i < request->n_ssids; i++) { 781 /* wildcard ssid in the scan request */ 782 if (!request->ssids[i].ssid_len) { 783 if (ap->multi_bss && !ap->transmitted_bssid) 784 continue; 785 786 return true; 787 } 788 789 if (ap->ssid_len && 790 ap->ssid_len == request->ssids[i].ssid_len) { 791 if (!memcmp(request->ssids[i].ssid, ap->ssid, 792 ap->ssid_len)) 793 return true; 794 } else if (ap->short_ssid_valid) { 795 s_ssid = ~crc32_le(~0, request->ssids[i].ssid, 796 request->ssids[i].ssid_len); 797 798 if (ap->short_ssid == s_ssid) 799 return true; 800 } 801 } 802 803 return false; 804} 805 806static int cfg80211_scan_6ghz(struct cfg80211_registered_device *rdev) 807{ 808 u8 i; 809 struct cfg80211_colocated_ap *ap; 810 int n_channels, count = 0, err; 811 struct cfg80211_scan_request *request, *rdev_req = rdev->scan_req; 812 LIST_HEAD(coloc_ap_list); 813 bool need_scan_psc = true; 814 const struct ieee80211_sband_iftype_data *iftd; 815 816 rdev_req->scan_6ghz = true; 817 818 if (!rdev->wiphy.bands[NL80211_BAND_6GHZ]) 819 return -EOPNOTSUPP; 820 821 iftd = ieee80211_get_sband_iftype_data(rdev->wiphy.bands[NL80211_BAND_6GHZ], 822 rdev_req->wdev->iftype); 823 if (!iftd || !iftd->he_cap.has_he) 824 return -EOPNOTSUPP; 825 826 n_channels = rdev->wiphy.bands[NL80211_BAND_6GHZ]->n_channels; 827 828 if (rdev_req->flags & NL80211_SCAN_FLAG_COLOCATED_6GHZ) { 829 struct cfg80211_internal_bss *intbss; 830 831 spin_lock_bh(&rdev->bss_lock); 832 list_for_each_entry(intbss, &rdev->bss_list, list) { 833 struct cfg80211_bss *res = &intbss->pub; 834 const struct cfg80211_bss_ies *ies; 835 const struct element *ssid_elem; 836 struct cfg80211_colocated_ap *entry; 837 u32 s_ssid_tmp; 838 int ret; 839 840 ies = rcu_access_pointer(res->ies); 841 count += cfg80211_parse_colocated_ap(ies, 842 &coloc_ap_list); 843 844 /* In case the scan request specified a specific BSSID 845 * and the BSS is found and operating on 6GHz band then 846 * add this AP to the collocated APs list. 847 * This is relevant for ML probe requests when the lower 848 * band APs have not been discovered. 849 */ 850 if (is_broadcast_ether_addr(rdev_req->bssid) || 851 !ether_addr_equal(rdev_req->bssid, res->bssid) || 852 res->channel->band != NL80211_BAND_6GHZ) 853 continue; 854 855 ret = cfg80211_calc_short_ssid(ies, &ssid_elem, 856 &s_ssid_tmp); 857 if (ret) 858 continue; 859 860 entry = kzalloc(sizeof(*entry) + IEEE80211_MAX_SSID_LEN, 861 GFP_ATOMIC); 862 863 if (!entry) 864 continue; 865 866 memcpy(entry->bssid, res->bssid, ETH_ALEN); 867 entry->short_ssid = s_ssid_tmp; 868 memcpy(entry->ssid, ssid_elem->data, 869 ssid_elem->datalen); 870 entry->ssid_len = ssid_elem->datalen; 871 entry->short_ssid_valid = true; 872 entry->center_freq = res->channel->center_freq; 873 874 list_add_tail(&entry->list, &coloc_ap_list); 875 count++; 876 } 877 spin_unlock_bh(&rdev->bss_lock); 878 } 879 880 request = kzalloc(struct_size(request, channels, n_channels) + 881 sizeof(*request->scan_6ghz_params) * count + 882 sizeof(*request->ssids) * rdev_req->n_ssids, 883 GFP_KERNEL); 884 if (!request) { 885 cfg80211_free_coloc_ap_list(&coloc_ap_list); 886 return -ENOMEM; 887 } 888 889 *request = *rdev_req; 890 request->n_channels = 0; 891 request->scan_6ghz_params = 892 (void *)&request->channels[n_channels]; 893 894 /* 895 * PSC channels should not be scanned in case of direct scan with 1 SSID 896 * and at least one of the reported co-located APs with same SSID 897 * indicating that all APs in the same ESS are co-located 898 */ 899 if (count && request->n_ssids == 1 && request->ssids[0].ssid_len) { 900 list_for_each_entry(ap, &coloc_ap_list, list) { 901 if (ap->colocated_ess && 902 cfg80211_find_ssid_match(ap, request)) { 903 need_scan_psc = false; 904 break; 905 } 906 } 907 } 908 909 /* 910 * add to the scan request the channels that need to be scanned 911 * regardless of the collocated APs (PSC channels or all channels 912 * in case that NL80211_SCAN_FLAG_COLOCATED_6GHZ is not set) 913 */ 914 for (i = 0; i < rdev_req->n_channels; i++) { 915 if (rdev_req->channels[i]->band == NL80211_BAND_6GHZ && 916 ((need_scan_psc && 917 cfg80211_channel_is_psc(rdev_req->channels[i])) || 918 !(rdev_req->flags & NL80211_SCAN_FLAG_COLOCATED_6GHZ))) { 919 cfg80211_scan_req_add_chan(request, 920 rdev_req->channels[i], 921 false); 922 } 923 } 924 925 if (!(rdev_req->flags & NL80211_SCAN_FLAG_COLOCATED_6GHZ)) 926 goto skip; 927 928 list_for_each_entry(ap, &coloc_ap_list, list) { 929 bool found = false; 930 struct cfg80211_scan_6ghz_params *scan_6ghz_params = 931 &request->scan_6ghz_params[request->n_6ghz_params]; 932 struct ieee80211_channel *chan = 933 ieee80211_get_channel(&rdev->wiphy, ap->center_freq); 934 935 if (!chan || chan->flags & IEEE80211_CHAN_DISABLED) 936 continue; 937 938 for (i = 0; i < rdev_req->n_channels; i++) { 939 if (rdev_req->channels[i] == chan) 940 found = true; 941 } 942 943 if (!found) 944 continue; 945 946 if (request->n_ssids > 0 && 947 !cfg80211_find_ssid_match(ap, request)) 948 continue; 949 950 if (!is_broadcast_ether_addr(request->bssid) && 951 !ether_addr_equal(request->bssid, ap->bssid)) 952 continue; 953 954 if (!request->n_ssids && ap->multi_bss && !ap->transmitted_bssid) 955 continue; 956 957 cfg80211_scan_req_add_chan(request, chan, true); 958 memcpy(scan_6ghz_params->bssid, ap->bssid, ETH_ALEN); 959 scan_6ghz_params->short_ssid = ap->short_ssid; 960 scan_6ghz_params->short_ssid_valid = ap->short_ssid_valid; 961 scan_6ghz_params->unsolicited_probe = ap->unsolicited_probe; 962 scan_6ghz_params->psd_20 = ap->psd_20; 963 964 /* 965 * If a PSC channel is added to the scan and 'need_scan_psc' is 966 * set to false, then all the APs that the scan logic is 967 * interested with on the channel are collocated and thus there 968 * is no need to perform the initial PSC channel listen. 969 */ 970 if (cfg80211_channel_is_psc(chan) && !need_scan_psc) 971 scan_6ghz_params->psc_no_listen = true; 972 973 request->n_6ghz_params++; 974 } 975 976skip: 977 cfg80211_free_coloc_ap_list(&coloc_ap_list); 978 979 if (request->n_channels) { 980 struct cfg80211_scan_request *old = rdev->int_scan_req; 981 rdev->int_scan_req = request; 982 983 /* 984 * Add the ssids from the parent scan request to the new scan 985 * request, so the driver would be able to use them in its 986 * probe requests to discover hidden APs on PSC channels. 987 */ 988 request->ssids = (void *)&request->channels[request->n_channels]; 989 request->n_ssids = rdev_req->n_ssids; 990 memcpy(request->ssids, rdev_req->ssids, sizeof(*request->ssids) * 991 request->n_ssids); 992 993 /* 994 * If this scan follows a previous scan, save the scan start 995 * info from the first part of the scan 996 */ 997 if (old) 998 rdev->int_scan_req->info = old->info; 999 1000 err = rdev_scan(rdev, request); 1001 if (err) { 1002 rdev->int_scan_req = old; 1003 kfree(request); 1004 } else { 1005 kfree(old); 1006 } 1007 1008 return err; 1009 } 1010 1011 kfree(request); 1012 return -EINVAL; 1013} 1014 1015int cfg80211_scan(struct cfg80211_registered_device *rdev) 1016{ 1017 struct cfg80211_scan_request *request; 1018 struct cfg80211_scan_request *rdev_req = rdev->scan_req; 1019 u32 n_channels = 0, idx, i; 1020 1021 if (!(rdev->wiphy.flags & WIPHY_FLAG_SPLIT_SCAN_6GHZ)) 1022 return rdev_scan(rdev, rdev_req); 1023 1024 for (i = 0; i < rdev_req->n_channels; i++) { 1025 if (rdev_req->channels[i]->band != NL80211_BAND_6GHZ) 1026 n_channels++; 1027 } 1028 1029 if (!n_channels) 1030 return cfg80211_scan_6ghz(rdev); 1031 1032 request = kzalloc(struct_size(request, channels, n_channels), 1033 GFP_KERNEL); 1034 if (!request) 1035 return -ENOMEM; 1036 1037 *request = *rdev_req; 1038 request->n_channels = n_channels; 1039 1040 for (i = idx = 0; i < rdev_req->n_channels; i++) { 1041 if (rdev_req->channels[i]->band != NL80211_BAND_6GHZ) 1042 request->channels[idx++] = rdev_req->channels[i]; 1043 } 1044 1045 rdev_req->scan_6ghz = false; 1046 rdev->int_scan_req = request; 1047 return rdev_scan(rdev, request); 1048} 1049 1050void ___cfg80211_scan_done(struct cfg80211_registered_device *rdev, 1051 bool send_message) 1052{ 1053 struct cfg80211_scan_request *request, *rdev_req; 1054 struct wireless_dev *wdev; 1055 struct sk_buff *msg; 1056#ifdef CONFIG_CFG80211_WEXT 1057 union iwreq_data wrqu; 1058#endif 1059 1060 lockdep_assert_held(&rdev->wiphy.mtx); 1061 1062 if (rdev->scan_msg) { 1063 nl80211_send_scan_msg(rdev, rdev->scan_msg); 1064 rdev->scan_msg = NULL; 1065 return; 1066 } 1067 1068 rdev_req = rdev->scan_req; 1069 if (!rdev_req) 1070 return; 1071 1072 wdev = rdev_req->wdev; 1073 request = rdev->int_scan_req ? rdev->int_scan_req : rdev_req; 1074 1075 if (wdev_running(wdev) && 1076 (rdev->wiphy.flags & WIPHY_FLAG_SPLIT_SCAN_6GHZ) && 1077 !rdev_req->scan_6ghz && !request->info.aborted && 1078 !cfg80211_scan_6ghz(rdev)) 1079 return; 1080 1081 /* 1082 * This must be before sending the other events! 1083 * Otherwise, wpa_supplicant gets completely confused with 1084 * wext events. 1085 */ 1086 if (wdev->netdev) 1087 cfg80211_sme_scan_done(wdev->netdev); 1088 1089 if (!request->info.aborted && 1090 request->flags & NL80211_SCAN_FLAG_FLUSH) { 1091 /* flush entries from previous scans */ 1092 spin_lock_bh(&rdev->bss_lock); 1093 __cfg80211_bss_expire(rdev, request->scan_start); 1094 spin_unlock_bh(&rdev->bss_lock); 1095 } 1096 1097 msg = nl80211_build_scan_msg(rdev, wdev, request->info.aborted); 1098 1099#ifdef CONFIG_CFG80211_WEXT 1100 if (wdev->netdev && !request->info.aborted) { 1101 memset(&wrqu, 0, sizeof(wrqu)); 1102 1103 wireless_send_event(wdev->netdev, SIOCGIWSCAN, &wrqu, NULL); 1104 } 1105#endif 1106 1107 dev_put(wdev->netdev); 1108 1109 kfree(rdev->int_scan_req); 1110 rdev->int_scan_req = NULL; 1111 1112 kfree(rdev->scan_req); 1113 rdev->scan_req = NULL; 1114 1115 if (!send_message) 1116 rdev->scan_msg = msg; 1117 else 1118 nl80211_send_scan_msg(rdev, msg); 1119} 1120 1121void __cfg80211_scan_done(struct wiphy *wiphy, struct wiphy_work *wk) 1122{ 1123 ___cfg80211_scan_done(wiphy_to_rdev(wiphy), true); 1124} 1125 1126void cfg80211_scan_done(struct cfg80211_scan_request *request, 1127 struct cfg80211_scan_info *info) 1128{ 1129 struct cfg80211_scan_info old_info = request->info; 1130 1131 trace_cfg80211_scan_done(request, info); 1132 WARN_ON(request != wiphy_to_rdev(request->wiphy)->scan_req && 1133 request != wiphy_to_rdev(request->wiphy)->int_scan_req); 1134 1135 request->info = *info; 1136 1137 /* 1138 * In case the scan is split, the scan_start_tsf and tsf_bssid should 1139 * be of the first part. In such a case old_info.scan_start_tsf should 1140 * be non zero. 1141 */ 1142 if (request->scan_6ghz && old_info.scan_start_tsf) { 1143 request->info.scan_start_tsf = old_info.scan_start_tsf; 1144 memcpy(request->info.tsf_bssid, old_info.tsf_bssid, 1145 sizeof(request->info.tsf_bssid)); 1146 } 1147 1148 request->notified = true; 1149 wiphy_work_queue(request->wiphy, 1150 &wiphy_to_rdev(request->wiphy)->scan_done_wk); 1151} 1152EXPORT_SYMBOL(cfg80211_scan_done); 1153 1154void cfg80211_add_sched_scan_req(struct cfg80211_registered_device *rdev, 1155 struct cfg80211_sched_scan_request *req) 1156{ 1157 lockdep_assert_held(&rdev->wiphy.mtx); 1158 1159 list_add_rcu(&req->list, &rdev->sched_scan_req_list); 1160} 1161 1162static void cfg80211_del_sched_scan_req(struct cfg80211_registered_device *rdev, 1163 struct cfg80211_sched_scan_request *req) 1164{ 1165 lockdep_assert_held(&rdev->wiphy.mtx); 1166 1167 list_del_rcu(&req->list); 1168 kfree_rcu(req, rcu_head); 1169} 1170 1171static struct cfg80211_sched_scan_request * 1172cfg80211_find_sched_scan_req(struct cfg80211_registered_device *rdev, u64 reqid) 1173{ 1174 struct cfg80211_sched_scan_request *pos; 1175 1176 list_for_each_entry_rcu(pos, &rdev->sched_scan_req_list, list, 1177 lockdep_is_held(&rdev->wiphy.mtx)) { 1178 if (pos->reqid == reqid) 1179 return pos; 1180 } 1181 return NULL; 1182} 1183 1184/* 1185 * Determines if a scheduled scan request can be handled. When a legacy 1186 * scheduled scan is running no other scheduled scan is allowed regardless 1187 * whether the request is for legacy or multi-support scan. When a multi-support 1188 * scheduled scan is running a request for legacy scan is not allowed. In this 1189 * case a request for multi-support scan can be handled if resources are 1190 * available, ie. struct wiphy::max_sched_scan_reqs limit is not yet reached. 1191 */ 1192int cfg80211_sched_scan_req_possible(struct cfg80211_registered_device *rdev, 1193 bool want_multi) 1194{ 1195 struct cfg80211_sched_scan_request *pos; 1196 int i = 0; 1197 1198 list_for_each_entry(pos, &rdev->sched_scan_req_list, list) { 1199 /* request id zero means legacy in progress */ 1200 if (!i && !pos->reqid) 1201 return -EINPROGRESS; 1202 i++; 1203 } 1204 1205 if (i) { 1206 /* no legacy allowed when multi request(s) are active */ 1207 if (!want_multi) 1208 return -EINPROGRESS; 1209 1210 /* resource limit reached */ 1211 if (i == rdev->wiphy.max_sched_scan_reqs) 1212 return -ENOSPC; 1213 } 1214 return 0; 1215} 1216 1217void cfg80211_sched_scan_results_wk(struct work_struct *work) 1218{ 1219 struct cfg80211_registered_device *rdev; 1220 struct cfg80211_sched_scan_request *req, *tmp; 1221 1222 rdev = container_of(work, struct cfg80211_registered_device, 1223 sched_scan_res_wk); 1224 1225 wiphy_lock(&rdev->wiphy); 1226 list_for_each_entry_safe(req, tmp, &rdev->sched_scan_req_list, list) { 1227 if (req->report_results) { 1228 req->report_results = false; 1229 if (req->flags & NL80211_SCAN_FLAG_FLUSH) { 1230 /* flush entries from previous scans */ 1231 spin_lock_bh(&rdev->bss_lock); 1232 __cfg80211_bss_expire(rdev, req->scan_start); 1233 spin_unlock_bh(&rdev->bss_lock); 1234 req->scan_start = jiffies; 1235 } 1236 nl80211_send_sched_scan(req, 1237 NL80211_CMD_SCHED_SCAN_RESULTS); 1238 } 1239 } 1240 wiphy_unlock(&rdev->wiphy); 1241} 1242 1243void cfg80211_sched_scan_results(struct wiphy *wiphy, u64 reqid) 1244{ 1245 struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy); 1246 struct cfg80211_sched_scan_request *request; 1247 1248 trace_cfg80211_sched_scan_results(wiphy, reqid); 1249 /* ignore if we're not scanning */ 1250 1251 rcu_read_lock(); 1252 request = cfg80211_find_sched_scan_req(rdev, reqid); 1253 if (request) { 1254 request->report_results = true; 1255 queue_work(cfg80211_wq, &rdev->sched_scan_res_wk); 1256 } 1257 rcu_read_unlock(); 1258} 1259EXPORT_SYMBOL(cfg80211_sched_scan_results); 1260 1261void cfg80211_sched_scan_stopped_locked(struct wiphy *wiphy, u64 reqid) 1262{ 1263 struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy); 1264 1265 lockdep_assert_held(&wiphy->mtx); 1266 1267 trace_cfg80211_sched_scan_stopped(wiphy, reqid); 1268 1269 __cfg80211_stop_sched_scan(rdev, reqid, true); 1270} 1271EXPORT_SYMBOL(cfg80211_sched_scan_stopped_locked); 1272 1273void cfg80211_sched_scan_stopped(struct wiphy *wiphy, u64 reqid) 1274{ 1275 wiphy_lock(wiphy); 1276 cfg80211_sched_scan_stopped_locked(wiphy, reqid); 1277 wiphy_unlock(wiphy); 1278} 1279EXPORT_SYMBOL(cfg80211_sched_scan_stopped); 1280 1281int cfg80211_stop_sched_scan_req(struct cfg80211_registered_device *rdev, 1282 struct cfg80211_sched_scan_request *req, 1283 bool driver_initiated) 1284{ 1285 lockdep_assert_held(&rdev->wiphy.mtx); 1286 1287 if (!driver_initiated) { 1288 int err = rdev_sched_scan_stop(rdev, req->dev, req->reqid); 1289 if (err) 1290 return err; 1291 } 1292 1293 nl80211_send_sched_scan(req, NL80211_CMD_SCHED_SCAN_STOPPED); 1294 1295 cfg80211_del_sched_scan_req(rdev, req); 1296 1297 return 0; 1298} 1299 1300int __cfg80211_stop_sched_scan(struct cfg80211_registered_device *rdev, 1301 u64 reqid, bool driver_initiated) 1302{ 1303 struct cfg80211_sched_scan_request *sched_scan_req; 1304 1305 lockdep_assert_held(&rdev->wiphy.mtx); 1306 1307 sched_scan_req = cfg80211_find_sched_scan_req(rdev, reqid); 1308 if (!sched_scan_req) 1309 return -ENOENT; 1310 1311 return cfg80211_stop_sched_scan_req(rdev, sched_scan_req, 1312 driver_initiated); 1313} 1314 1315void cfg80211_bss_age(struct cfg80211_registered_device *rdev, 1316 unsigned long age_secs) 1317{ 1318 struct cfg80211_internal_bss *bss; 1319 unsigned long age_jiffies = msecs_to_jiffies(age_secs * MSEC_PER_SEC); 1320 1321 spin_lock_bh(&rdev->bss_lock); 1322 list_for_each_entry(bss, &rdev->bss_list, list) 1323 bss->ts -= age_jiffies; 1324 spin_unlock_bh(&rdev->bss_lock); 1325} 1326 1327void cfg80211_bss_expire(struct cfg80211_registered_device *rdev) 1328{ 1329 __cfg80211_bss_expire(rdev, jiffies - IEEE80211_SCAN_RESULT_EXPIRE); 1330} 1331 1332void cfg80211_bss_flush(struct wiphy *wiphy) 1333{ 1334 struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy); 1335 1336 spin_lock_bh(&rdev->bss_lock); 1337 __cfg80211_bss_expire(rdev, jiffies); 1338 spin_unlock_bh(&rdev->bss_lock); 1339} 1340EXPORT_SYMBOL(cfg80211_bss_flush); 1341 1342const struct element * 1343cfg80211_find_elem_match(u8 eid, const u8 *ies, unsigned int len, 1344 const u8 *match, unsigned int match_len, 1345 unsigned int match_offset) 1346{ 1347 const struct element *elem; 1348 1349 for_each_element_id(elem, eid, ies, len) { 1350 if (elem->datalen >= match_offset + match_len && 1351 !memcmp(elem->data + match_offset, match, match_len)) 1352 return elem; 1353 } 1354 1355 return NULL; 1356} 1357EXPORT_SYMBOL(cfg80211_find_elem_match); 1358 1359const struct element *cfg80211_find_vendor_elem(unsigned int oui, int oui_type, 1360 const u8 *ies, 1361 unsigned int len) 1362{ 1363 const struct element *elem; 1364 u8 match[] = { oui >> 16, oui >> 8, oui, oui_type }; 1365 int match_len = (oui_type < 0) ? 3 : sizeof(match); 1366 1367 if (WARN_ON(oui_type > 0xff)) 1368 return NULL; 1369 1370 elem = cfg80211_find_elem_match(WLAN_EID_VENDOR_SPECIFIC, ies, len, 1371 match, match_len, 0); 1372 1373 if (!elem || elem->datalen < 4) 1374 return NULL; 1375 1376 return elem; 1377} 1378EXPORT_SYMBOL(cfg80211_find_vendor_elem); 1379 1380/** 1381 * enum bss_compare_mode - BSS compare mode 1382 * @BSS_CMP_REGULAR: regular compare mode (for insertion and normal find) 1383 * @BSS_CMP_HIDE_ZLEN: find hidden SSID with zero-length mode 1384 * @BSS_CMP_HIDE_NUL: find hidden SSID with NUL-ed out mode 1385 */ 1386enum bss_compare_mode { 1387 BSS_CMP_REGULAR, 1388 BSS_CMP_HIDE_ZLEN, 1389 BSS_CMP_HIDE_NUL, 1390}; 1391 1392static int cmp_bss(struct cfg80211_bss *a, 1393 struct cfg80211_bss *b, 1394 enum bss_compare_mode mode) 1395{ 1396 const struct cfg80211_bss_ies *a_ies, *b_ies; 1397 const u8 *ie1 = NULL; 1398 const u8 *ie2 = NULL; 1399 int i, r; 1400 1401 if (a->channel != b->channel) 1402 return (b->channel->center_freq * 1000 + b->channel->freq_offset) - 1403 (a->channel->center_freq * 1000 + a->channel->freq_offset); 1404 1405 a_ies = rcu_access_pointer(a->ies); 1406 if (!a_ies) 1407 return -1; 1408 b_ies = rcu_access_pointer(b->ies); 1409 if (!b_ies) 1410 return 1; 1411 1412 if (WLAN_CAPABILITY_IS_STA_BSS(a->capability)) 1413 ie1 = cfg80211_find_ie(WLAN_EID_MESH_ID, 1414 a_ies->data, a_ies->len); 1415 if (WLAN_CAPABILITY_IS_STA_BSS(b->capability)) 1416 ie2 = cfg80211_find_ie(WLAN_EID_MESH_ID, 1417 b_ies->data, b_ies->len); 1418 if (ie1 && ie2) { 1419 int mesh_id_cmp; 1420 1421 if (ie1[1] == ie2[1]) 1422 mesh_id_cmp = memcmp(ie1 + 2, ie2 + 2, ie1[1]); 1423 else 1424 mesh_id_cmp = ie2[1] - ie1[1]; 1425 1426 ie1 = cfg80211_find_ie(WLAN_EID_MESH_CONFIG, 1427 a_ies->data, a_ies->len); 1428 ie2 = cfg80211_find_ie(WLAN_EID_MESH_CONFIG, 1429 b_ies->data, b_ies->len); 1430 if (ie1 && ie2) { 1431 if (mesh_id_cmp) 1432 return mesh_id_cmp; 1433 if (ie1[1] != ie2[1]) 1434 return ie2[1] - ie1[1]; 1435 return memcmp(ie1 + 2, ie2 + 2, ie1[1]); 1436 } 1437 } 1438 1439 r = memcmp(a->bssid, b->bssid, sizeof(a->bssid)); 1440 if (r) 1441 return r; 1442 1443 ie1 = cfg80211_find_ie(WLAN_EID_SSID, a_ies->data, a_ies->len); 1444 ie2 = cfg80211_find_ie(WLAN_EID_SSID, b_ies->data, b_ies->len); 1445 1446 if (!ie1 && !ie2) 1447 return 0; 1448 1449 /* 1450 * Note that with "hide_ssid", the function returns a match if 1451 * the already-present BSS ("b") is a hidden SSID beacon for 1452 * the new BSS ("a"). 1453 */ 1454 1455 /* sort missing IE before (left of) present IE */ 1456 if (!ie1) 1457 return -1; 1458 if (!ie2) 1459 return 1; 1460 1461 switch (mode) { 1462 case BSS_CMP_HIDE_ZLEN: 1463 /* 1464 * In ZLEN mode we assume the BSS entry we're 1465 * looking for has a zero-length SSID. So if 1466 * the one we're looking at right now has that, 1467 * return 0. Otherwise, return the difference 1468 * in length, but since we're looking for the 1469 * 0-length it's really equivalent to returning 1470 * the length of the one we're looking at. 1471 * 1472 * No content comparison is needed as we assume 1473 * the content length is zero. 1474 */ 1475 return ie2[1]; 1476 case BSS_CMP_REGULAR: 1477 default: 1478 /* sort by length first, then by contents */ 1479 if (ie1[1] != ie2[1]) 1480 return ie2[1] - ie1[1]; 1481 return memcmp(ie1 + 2, ie2 + 2, ie1[1]); 1482 case BSS_CMP_HIDE_NUL: 1483 if (ie1[1] != ie2[1]) 1484 return ie2[1] - ie1[1]; 1485 /* this is equivalent to memcmp(zeroes, ie2 + 2, len) */ 1486 for (i = 0; i < ie2[1]; i++) 1487 if (ie2[i + 2]) 1488 return -1; 1489 return 0; 1490 } 1491} 1492 1493static bool cfg80211_bss_type_match(u16 capability, 1494 enum nl80211_band band, 1495 enum ieee80211_bss_type bss_type) 1496{ 1497 bool ret = true; 1498 u16 mask, val; 1499 1500 if (bss_type == IEEE80211_BSS_TYPE_ANY) 1501 return ret; 1502 1503 if (band == NL80211_BAND_60GHZ) { 1504 mask = WLAN_CAPABILITY_DMG_TYPE_MASK; 1505 switch (bss_type) { 1506 case IEEE80211_BSS_TYPE_ESS: 1507 val = WLAN_CAPABILITY_DMG_TYPE_AP; 1508 break; 1509 case IEEE80211_BSS_TYPE_PBSS: 1510 val = WLAN_CAPABILITY_DMG_TYPE_PBSS; 1511 break; 1512 case IEEE80211_BSS_TYPE_IBSS: 1513 val = WLAN_CAPABILITY_DMG_TYPE_IBSS; 1514 break; 1515 default: 1516 return false; 1517 } 1518 } else { 1519 mask = WLAN_CAPABILITY_ESS | WLAN_CAPABILITY_IBSS; 1520 switch (bss_type) { 1521 case IEEE80211_BSS_TYPE_ESS: 1522 val = WLAN_CAPABILITY_ESS; 1523 break; 1524 case IEEE80211_BSS_TYPE_IBSS: 1525 val = WLAN_CAPABILITY_IBSS; 1526 break; 1527 case IEEE80211_BSS_TYPE_MBSS: 1528 val = 0; 1529 break; 1530 default: 1531 return false; 1532 } 1533 } 1534 1535 ret = ((capability & mask) == val); 1536 return ret; 1537} 1538 1539/* Returned bss is reference counted and must be cleaned up appropriately. */ 1540struct cfg80211_bss *__cfg80211_get_bss(struct wiphy *wiphy, 1541 struct ieee80211_channel *channel, 1542 const u8 *bssid, 1543 const u8 *ssid, size_t ssid_len, 1544 enum ieee80211_bss_type bss_type, 1545 enum ieee80211_privacy privacy, 1546 u32 use_for) 1547{ 1548 struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy); 1549 struct cfg80211_internal_bss *bss, *res = NULL; 1550 unsigned long now = jiffies; 1551 int bss_privacy; 1552 1553 trace_cfg80211_get_bss(wiphy, channel, bssid, ssid, ssid_len, bss_type, 1554 privacy); 1555 1556 spin_lock_bh(&rdev->bss_lock); 1557 1558 list_for_each_entry(bss, &rdev->bss_list, list) { 1559 if (!cfg80211_bss_type_match(bss->pub.capability, 1560 bss->pub.channel->band, bss_type)) 1561 continue; 1562 1563 bss_privacy = (bss->pub.capability & WLAN_CAPABILITY_PRIVACY); 1564 if ((privacy == IEEE80211_PRIVACY_ON && !bss_privacy) || 1565 (privacy == IEEE80211_PRIVACY_OFF && bss_privacy)) 1566 continue; 1567 if (channel && bss->pub.channel != channel) 1568 continue; 1569 if (!is_valid_ether_addr(bss->pub.bssid)) 1570 continue; 1571 if ((bss->pub.use_for & use_for) != use_for) 1572 continue; 1573 /* Don't get expired BSS structs */ 1574 if (time_after(now, bss->ts + IEEE80211_SCAN_RESULT_EXPIRE) && 1575 !atomic_read(&bss->hold)) 1576 continue; 1577 if (is_bss(&bss->pub, bssid, ssid, ssid_len)) { 1578 res = bss; 1579 bss_ref_get(rdev, res); 1580 break; 1581 } 1582 } 1583 1584 spin_unlock_bh(&rdev->bss_lock); 1585 if (!res) 1586 return NULL; 1587 trace_cfg80211_return_bss(&res->pub); 1588 return &res->pub; 1589} 1590EXPORT_SYMBOL(__cfg80211_get_bss); 1591 1592static void rb_insert_bss(struct cfg80211_registered_device *rdev, 1593 struct cfg80211_internal_bss *bss) 1594{ 1595 struct rb_node **p = &rdev->bss_tree.rb_node; 1596 struct rb_node *parent = NULL; 1597 struct cfg80211_internal_bss *tbss; 1598 int cmp; 1599 1600 while (*p) { 1601 parent = *p; 1602 tbss = rb_entry(parent, struct cfg80211_internal_bss, rbn); 1603 1604 cmp = cmp_bss(&bss->pub, &tbss->pub, BSS_CMP_REGULAR); 1605 1606 if (WARN_ON(!cmp)) { 1607 /* will sort of leak this BSS */ 1608 return; 1609 } 1610 1611 if (cmp < 0) 1612 p = &(*p)->rb_left; 1613 else 1614 p = &(*p)->rb_right; 1615 } 1616 1617 rb_link_node(&bss->rbn, parent, p); 1618 rb_insert_color(&bss->rbn, &rdev->bss_tree); 1619} 1620 1621static struct cfg80211_internal_bss * 1622rb_find_bss(struct cfg80211_registered_device *rdev, 1623 struct cfg80211_internal_bss *res, 1624 enum bss_compare_mode mode) 1625{ 1626 struct rb_node *n = rdev->bss_tree.rb_node; 1627 struct cfg80211_internal_bss *bss; 1628 int r; 1629 1630 while (n) { 1631 bss = rb_entry(n, struct cfg80211_internal_bss, rbn); 1632 r = cmp_bss(&res->pub, &bss->pub, mode); 1633 1634 if (r == 0) 1635 return bss; 1636 else if (r < 0) 1637 n = n->rb_left; 1638 else 1639 n = n->rb_right; 1640 } 1641 1642 return NULL; 1643} 1644 1645static bool cfg80211_combine_bsses(struct cfg80211_registered_device *rdev, 1646 struct cfg80211_internal_bss *new) 1647{ 1648 const struct cfg80211_bss_ies *ies; 1649 struct cfg80211_internal_bss *bss; 1650 const u8 *ie; 1651 int i, ssidlen; 1652 u8 fold = 0; 1653 u32 n_entries = 0; 1654 1655 ies = rcu_access_pointer(new->pub.beacon_ies); 1656 if (WARN_ON(!ies)) 1657 return false; 1658 1659 ie = cfg80211_find_ie(WLAN_EID_SSID, ies->data, ies->len); 1660 if (!ie) { 1661 /* nothing to do */ 1662 return true; 1663 } 1664 1665 ssidlen = ie[1]; 1666 for (i = 0; i < ssidlen; i++) 1667 fold |= ie[2 + i]; 1668 1669 if (fold) { 1670 /* not a hidden SSID */ 1671 return true; 1672 } 1673 1674 /* This is the bad part ... */ 1675 1676 list_for_each_entry(bss, &rdev->bss_list, list) { 1677 /* 1678 * we're iterating all the entries anyway, so take the 1679 * opportunity to validate the list length accounting 1680 */ 1681 n_entries++; 1682 1683 if (!ether_addr_equal(bss->pub.bssid, new->pub.bssid)) 1684 continue; 1685 if (bss->pub.channel != new->pub.channel) 1686 continue; 1687 if (rcu_access_pointer(bss->pub.beacon_ies)) 1688 continue; 1689 ies = rcu_access_pointer(bss->pub.ies); 1690 if (!ies) 1691 continue; 1692 ie = cfg80211_find_ie(WLAN_EID_SSID, ies->data, ies->len); 1693 if (!ie) 1694 continue; 1695 if (ssidlen && ie[1] != ssidlen) 1696 continue; 1697 if (WARN_ON_ONCE(bss->pub.hidden_beacon_bss)) 1698 continue; 1699 if (WARN_ON_ONCE(!list_empty(&bss->hidden_list))) 1700 list_del(&bss->hidden_list); 1701 /* combine them */ 1702 list_add(&bss->hidden_list, &new->hidden_list); 1703 bss->pub.hidden_beacon_bss = &new->pub; 1704 new->refcount += bss->refcount; 1705 rcu_assign_pointer(bss->pub.beacon_ies, 1706 new->pub.beacon_ies); 1707 } 1708 1709 WARN_ONCE(n_entries != rdev->bss_entries, 1710 "rdev bss entries[%d]/list[len:%d] corruption\n", 1711 rdev->bss_entries, n_entries); 1712 1713 return true; 1714} 1715 1716static void cfg80211_update_hidden_bsses(struct cfg80211_internal_bss *known, 1717 const struct cfg80211_bss_ies *new_ies, 1718 const struct cfg80211_bss_ies *old_ies) 1719{ 1720 struct cfg80211_internal_bss *bss; 1721 1722 /* Assign beacon IEs to all sub entries */ 1723 list_for_each_entry(bss, &known->hidden_list, hidden_list) { 1724 const struct cfg80211_bss_ies *ies; 1725 1726 ies = rcu_access_pointer(bss->pub.beacon_ies); 1727 WARN_ON(ies != old_ies); 1728 1729 rcu_assign_pointer(bss->pub.beacon_ies, new_ies); 1730 } 1731} 1732 1733static void cfg80211_check_stuck_ecsa(struct cfg80211_registered_device *rdev, 1734 struct cfg80211_internal_bss *known, 1735 const struct cfg80211_bss_ies *old) 1736{ 1737 const struct ieee80211_ext_chansw_ie *ecsa; 1738 const struct element *elem_new, *elem_old; 1739 const struct cfg80211_bss_ies *new, *bcn; 1740 1741 if (known->pub.proberesp_ecsa_stuck) 1742 return; 1743 1744 new = rcu_dereference_protected(known->pub.proberesp_ies, 1745 lockdep_is_held(&rdev->bss_lock)); 1746 if (WARN_ON(!new)) 1747 return; 1748 1749 if (new->tsf - old->tsf < USEC_PER_SEC) 1750 return; 1751 1752 elem_old = cfg80211_find_elem(WLAN_EID_EXT_CHANSWITCH_ANN, 1753 old->data, old->len); 1754 if (!elem_old) 1755 return; 1756 1757 elem_new = cfg80211_find_elem(WLAN_EID_EXT_CHANSWITCH_ANN, 1758 new->data, new->len); 1759 if (!elem_new) 1760 return; 1761 1762 bcn = rcu_dereference_protected(known->pub.beacon_ies, 1763 lockdep_is_held(&rdev->bss_lock)); 1764 if (bcn && 1765 cfg80211_find_elem(WLAN_EID_EXT_CHANSWITCH_ANN, 1766 bcn->data, bcn->len)) 1767 return; 1768 1769 if (elem_new->datalen != elem_old->datalen) 1770 return; 1771 if (elem_new->datalen < sizeof(struct ieee80211_ext_chansw_ie)) 1772 return; 1773 if (memcmp(elem_new->data, elem_old->data, elem_new->datalen)) 1774 return; 1775 1776 ecsa = (void *)elem_new->data; 1777 1778 if (!ecsa->mode) 1779 return; 1780 1781 if (ecsa->new_ch_num != 1782 ieee80211_frequency_to_channel(known->pub.channel->center_freq)) 1783 return; 1784 1785 known->pub.proberesp_ecsa_stuck = 1; 1786} 1787 1788static bool 1789cfg80211_update_known_bss(struct cfg80211_registered_device *rdev, 1790 struct cfg80211_internal_bss *known, 1791 struct cfg80211_internal_bss *new, 1792 bool signal_valid) 1793{ 1794 lockdep_assert_held(&rdev->bss_lock); 1795 1796 /* Update IEs */ 1797 if (rcu_access_pointer(new->pub.proberesp_ies)) { 1798 const struct cfg80211_bss_ies *old; 1799 1800 old = rcu_access_pointer(known->pub.proberesp_ies); 1801 1802 rcu_assign_pointer(known->pub.proberesp_ies, 1803 new->pub.proberesp_ies); 1804 /* Override possible earlier Beacon frame IEs */ 1805 rcu_assign_pointer(known->pub.ies, 1806 new->pub.proberesp_ies); 1807 if (old) { 1808 cfg80211_check_stuck_ecsa(rdev, known, old); 1809 kfree_rcu((struct cfg80211_bss_ies *)old, rcu_head); 1810 } 1811 } 1812 1813 if (rcu_access_pointer(new->pub.beacon_ies)) { 1814 const struct cfg80211_bss_ies *old; 1815 1816 if (known->pub.hidden_beacon_bss && 1817 !list_empty(&known->hidden_list)) { 1818 const struct cfg80211_bss_ies *f; 1819 1820 /* The known BSS struct is one of the probe 1821 * response members of a group, but we're 1822 * receiving a beacon (beacon_ies in the new 1823 * bss is used). This can only mean that the 1824 * AP changed its beacon from not having an 1825 * SSID to showing it, which is confusing so 1826 * drop this information. 1827 */ 1828 1829 f = rcu_access_pointer(new->pub.beacon_ies); 1830 kfree_rcu((struct cfg80211_bss_ies *)f, rcu_head); 1831 return false; 1832 } 1833 1834 old = rcu_access_pointer(known->pub.beacon_ies); 1835 1836 rcu_assign_pointer(known->pub.beacon_ies, new->pub.beacon_ies); 1837 1838 /* Override IEs if they were from a beacon before */ 1839 if (old == rcu_access_pointer(known->pub.ies)) 1840 rcu_assign_pointer(known->pub.ies, new->pub.beacon_ies); 1841 1842 cfg80211_update_hidden_bsses(known, 1843 rcu_access_pointer(new->pub.beacon_ies), 1844 old); 1845 1846 if (old) 1847 kfree_rcu((struct cfg80211_bss_ies *)old, rcu_head); 1848 } 1849 1850 known->pub.beacon_interval = new->pub.beacon_interval; 1851 1852 /* don't update the signal if beacon was heard on 1853 * adjacent channel. 1854 */ 1855 if (signal_valid) 1856 known->pub.signal = new->pub.signal; 1857 known->pub.capability = new->pub.capability; 1858 known->ts = new->ts; 1859 known->ts_boottime = new->ts_boottime; 1860 known->parent_tsf = new->parent_tsf; 1861 known->pub.chains = new->pub.chains; 1862 memcpy(known->pub.chain_signal, new->pub.chain_signal, 1863 IEEE80211_MAX_CHAINS); 1864 ether_addr_copy(known->parent_bssid, new->parent_bssid); 1865 known->pub.max_bssid_indicator = new->pub.max_bssid_indicator; 1866 known->pub.bssid_index = new->pub.bssid_index; 1867 known->pub.use_for &= new->pub.use_for; 1868 known->pub.cannot_use_reasons = new->pub.cannot_use_reasons; 1869 1870 return true; 1871} 1872 1873/* Returned bss is reference counted and must be cleaned up appropriately. */ 1874static struct cfg80211_internal_bss * 1875__cfg80211_bss_update(struct cfg80211_registered_device *rdev, 1876 struct cfg80211_internal_bss *tmp, 1877 bool signal_valid, unsigned long ts) 1878{ 1879 struct cfg80211_internal_bss *found = NULL; 1880 struct cfg80211_bss_ies *ies; 1881 1882 if (WARN_ON(!tmp->pub.channel)) 1883 goto free_ies; 1884 1885 tmp->ts = ts; 1886 1887 if (WARN_ON(!rcu_access_pointer(tmp->pub.ies))) 1888 goto free_ies; 1889 1890 found = rb_find_bss(rdev, tmp, BSS_CMP_REGULAR); 1891 1892 if (found) { 1893 if (!cfg80211_update_known_bss(rdev, found, tmp, signal_valid)) 1894 return NULL; 1895 } else { 1896 struct cfg80211_internal_bss *new; 1897 struct cfg80211_internal_bss *hidden; 1898 1899 /* 1900 * create a copy -- the "res" variable that is passed in 1901 * is allocated on the stack since it's not needed in the 1902 * more common case of an update 1903 */ 1904 new = kzalloc(sizeof(*new) + rdev->wiphy.bss_priv_size, 1905 GFP_ATOMIC); 1906 if (!new) 1907 goto free_ies; 1908 memcpy(new, tmp, sizeof(*new)); 1909 new->refcount = 1; 1910 INIT_LIST_HEAD(&new->hidden_list); 1911 INIT_LIST_HEAD(&new->pub.nontrans_list); 1912 /* we'll set this later if it was non-NULL */ 1913 new->pub.transmitted_bss = NULL; 1914 1915 if (rcu_access_pointer(tmp->pub.proberesp_ies)) { 1916 hidden = rb_find_bss(rdev, tmp, BSS_CMP_HIDE_ZLEN); 1917 if (!hidden) 1918 hidden = rb_find_bss(rdev, tmp, 1919 BSS_CMP_HIDE_NUL); 1920 if (hidden) { 1921 new->pub.hidden_beacon_bss = &hidden->pub; 1922 list_add(&new->hidden_list, 1923 &hidden->hidden_list); 1924 hidden->refcount++; 1925 1926 ies = (void *)rcu_access_pointer(new->pub.beacon_ies); 1927 rcu_assign_pointer(new->pub.beacon_ies, 1928 hidden->pub.beacon_ies); 1929 if (ies) 1930 kfree_rcu(ies, rcu_head); 1931 } 1932 } else { 1933 /* 1934 * Ok so we found a beacon, and don't have an entry. If 1935 * it's a beacon with hidden SSID, we might be in for an 1936 * expensive search for any probe responses that should 1937 * be grouped with this beacon for updates ... 1938 */ 1939 if (!cfg80211_combine_bsses(rdev, new)) { 1940 bss_ref_put(rdev, new); 1941 return NULL; 1942 } 1943 } 1944 1945 if (rdev->bss_entries >= bss_entries_limit && 1946 !cfg80211_bss_expire_oldest(rdev)) { 1947 bss_ref_put(rdev, new); 1948 return NULL; 1949 } 1950 1951 /* This must be before the call to bss_ref_get */ 1952 if (tmp->pub.transmitted_bss) { 1953 new->pub.transmitted_bss = tmp->pub.transmitted_bss; 1954 bss_ref_get(rdev, bss_from_pub(tmp->pub.transmitted_bss)); 1955 } 1956 1957 list_add_tail(&new->list, &rdev->bss_list); 1958 rdev->bss_entries++; 1959 rb_insert_bss(rdev, new); 1960 found = new; 1961 } 1962 1963 rdev->bss_generation++; 1964 bss_ref_get(rdev, found); 1965 1966 return found; 1967 1968free_ies: 1969 ies = (void *)rcu_dereference(tmp->pub.beacon_ies); 1970 if (ies) 1971 kfree_rcu(ies, rcu_head); 1972 ies = (void *)rcu_dereference(tmp->pub.proberesp_ies); 1973 if (ies) 1974 kfree_rcu(ies, rcu_head); 1975 1976 return NULL; 1977} 1978 1979struct cfg80211_internal_bss * 1980cfg80211_bss_update(struct cfg80211_registered_device *rdev, 1981 struct cfg80211_internal_bss *tmp, 1982 bool signal_valid, unsigned long ts) 1983{ 1984 struct cfg80211_internal_bss *res; 1985 1986 spin_lock_bh(&rdev->bss_lock); 1987 res = __cfg80211_bss_update(rdev, tmp, signal_valid, ts); 1988 spin_unlock_bh(&rdev->bss_lock); 1989 1990 return res; 1991} 1992 1993int cfg80211_get_ies_channel_number(const u8 *ie, size_t ielen, 1994 enum nl80211_band band) 1995{ 1996 const struct element *tmp; 1997 1998 if (band == NL80211_BAND_6GHZ) { 1999 struct ieee80211_he_operation *he_oper; 2000 2001 tmp = cfg80211_find_ext_elem(WLAN_EID_EXT_HE_OPERATION, ie, 2002 ielen); 2003 if (tmp && tmp->datalen >= sizeof(*he_oper) && 2004 tmp->datalen >= ieee80211_he_oper_size(&tmp->data[1])) { 2005 const struct ieee80211_he_6ghz_oper *he_6ghz_oper; 2006 2007 he_oper = (void *)&tmp->data[1]; 2008 2009 he_6ghz_oper = ieee80211_he_6ghz_oper(he_oper); 2010 if (!he_6ghz_oper) 2011 return -1; 2012 2013 return he_6ghz_oper->primary; 2014 } 2015 } else if (band == NL80211_BAND_S1GHZ) { 2016 tmp = cfg80211_find_elem(WLAN_EID_S1G_OPERATION, ie, ielen); 2017 if (tmp && tmp->datalen >= sizeof(struct ieee80211_s1g_oper_ie)) { 2018 struct ieee80211_s1g_oper_ie *s1gop = (void *)tmp->data; 2019 2020 return s1gop->oper_ch; 2021 } 2022 } else { 2023 tmp = cfg80211_find_elem(WLAN_EID_DS_PARAMS, ie, ielen); 2024 if (tmp && tmp->datalen == 1) 2025 return tmp->data[0]; 2026 2027 tmp = cfg80211_find_elem(WLAN_EID_HT_OPERATION, ie, ielen); 2028 if (tmp && 2029 tmp->datalen >= sizeof(struct ieee80211_ht_operation)) { 2030 struct ieee80211_ht_operation *htop = (void *)tmp->data; 2031 2032 return htop->primary_chan; 2033 } 2034 } 2035 2036 return -1; 2037} 2038EXPORT_SYMBOL(cfg80211_get_ies_channel_number); 2039 2040/* 2041 * Update RX channel information based on the available frame payload 2042 * information. This is mainly for the 2.4 GHz band where frames can be received 2043 * from neighboring channels and the Beacon frames use the DSSS Parameter Set 2044 * element to indicate the current (transmitting) channel, but this might also 2045 * be needed on other bands if RX frequency does not match with the actual 2046 * operating channel of a BSS, or if the AP reports a different primary channel. 2047 */ 2048static struct ieee80211_channel * 2049cfg80211_get_bss_channel(struct wiphy *wiphy, const u8 *ie, size_t ielen, 2050 struct ieee80211_channel *channel) 2051{ 2052 u32 freq; 2053 int channel_number; 2054 struct ieee80211_channel *alt_channel; 2055 2056 channel_number = cfg80211_get_ies_channel_number(ie, ielen, 2057 channel->band); 2058 2059 if (channel_number < 0) { 2060 /* No channel information in frame payload */ 2061 return channel; 2062 } 2063 2064 freq = ieee80211_channel_to_freq_khz(channel_number, channel->band); 2065 2066 /* 2067 * Frame info (beacon/prob res) is the same as received channel, 2068 * no need for further processing. 2069 */ 2070 if (freq == ieee80211_channel_to_khz(channel)) 2071 return channel; 2072 2073 alt_channel = ieee80211_get_channel_khz(wiphy, freq); 2074 if (!alt_channel) { 2075 if (channel->band == NL80211_BAND_2GHZ || 2076 channel->band == NL80211_BAND_6GHZ) { 2077 /* 2078 * Better not allow unexpected channels when that could 2079 * be going beyond the 1-11 range (e.g., discovering 2080 * BSS on channel 12 when radio is configured for 2081 * channel 11) or beyond the 6 GHz channel range. 2082 */ 2083 return NULL; 2084 } 2085 2086 /* No match for the payload channel number - ignore it */ 2087 return channel; 2088 } 2089 2090 /* 2091 * Use the channel determined through the payload channel number 2092 * instead of the RX channel reported by the driver. 2093 */ 2094 if (alt_channel->flags & IEEE80211_CHAN_DISABLED) 2095 return NULL; 2096 return alt_channel; 2097} 2098 2099struct cfg80211_inform_single_bss_data { 2100 struct cfg80211_inform_bss *drv_data; 2101 enum cfg80211_bss_frame_type ftype; 2102 struct ieee80211_channel *channel; 2103 u8 bssid[ETH_ALEN]; 2104 u64 tsf; 2105 u16 capability; 2106 u16 beacon_interval; 2107 const u8 *ie; 2108 size_t ielen; 2109 2110 enum { 2111 BSS_SOURCE_DIRECT = 0, 2112 BSS_SOURCE_MBSSID, 2113 BSS_SOURCE_STA_PROFILE, 2114 } bss_source; 2115 /* Set if reporting bss_source != BSS_SOURCE_DIRECT */ 2116 struct cfg80211_bss *source_bss; 2117 u8 max_bssid_indicator; 2118 u8 bssid_index; 2119 2120 u8 use_for; 2121 u64 cannot_use_reasons; 2122}; 2123 2124static bool cfg80211_6ghz_power_type_valid(const u8 *ie, size_t ielen, 2125 const u32 flags) 2126{ 2127 const struct element *tmp; 2128 struct ieee80211_he_operation *he_oper; 2129 2130 tmp = cfg80211_find_ext_elem(WLAN_EID_EXT_HE_OPERATION, ie, ielen); 2131 if (tmp && tmp->datalen >= sizeof(*he_oper) + 1) { 2132 const struct ieee80211_he_6ghz_oper *he_6ghz_oper; 2133 2134 he_oper = (void *)&tmp->data[1]; 2135 he_6ghz_oper = ieee80211_he_6ghz_oper(he_oper); 2136 2137 if (!he_6ghz_oper) 2138 return false; 2139 2140 switch (u8_get_bits(he_6ghz_oper->control, 2141 IEEE80211_HE_6GHZ_OPER_CTRL_REG_INFO)) { 2142 case IEEE80211_6GHZ_CTRL_REG_LPI_AP: 2143 return true; 2144 case IEEE80211_6GHZ_CTRL_REG_SP_AP: 2145 return !(flags & IEEE80211_CHAN_NO_6GHZ_AFC_CLIENT); 2146 case IEEE80211_6GHZ_CTRL_REG_VLP_AP: 2147 return !(flags & IEEE80211_CHAN_NO_6GHZ_VLP_CLIENT); 2148 } 2149 } 2150 return false; 2151} 2152 2153/* Returned bss is reference counted and must be cleaned up appropriately. */ 2154static struct cfg80211_bss * 2155cfg80211_inform_single_bss_data(struct wiphy *wiphy, 2156 struct cfg80211_inform_single_bss_data *data, 2157 gfp_t gfp) 2158{ 2159 struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy); 2160 struct cfg80211_inform_bss *drv_data = data->drv_data; 2161 struct cfg80211_bss_ies *ies; 2162 struct ieee80211_channel *channel; 2163 struct cfg80211_internal_bss tmp = {}, *res; 2164 int bss_type; 2165 bool signal_valid; 2166 unsigned long ts; 2167 2168 if (WARN_ON(!wiphy)) 2169 return NULL; 2170 2171 if (WARN_ON(wiphy->signal_type == CFG80211_SIGNAL_TYPE_UNSPEC && 2172 (drv_data->signal < 0 || drv_data->signal > 100))) 2173 return NULL; 2174 2175 if (WARN_ON(data->bss_source != BSS_SOURCE_DIRECT && !data->source_bss)) 2176 return NULL; 2177 2178 channel = data->channel; 2179 if (!channel) 2180 channel = cfg80211_get_bss_channel(wiphy, data->ie, data->ielen, 2181 drv_data->chan); 2182 if (!channel) 2183 return NULL; 2184 2185 if (channel->band == NL80211_BAND_6GHZ && 2186 !cfg80211_6ghz_power_type_valid(data->ie, data->ielen, 2187 channel->flags)) { 2188 data->use_for = 0; 2189 data->cannot_use_reasons = 2190 NL80211_BSS_CANNOT_USE_6GHZ_PWR_MISMATCH; 2191 } 2192 2193 memcpy(tmp.pub.bssid, data->bssid, ETH_ALEN); 2194 tmp.pub.channel = channel; 2195 if (data->bss_source != BSS_SOURCE_STA_PROFILE) 2196 tmp.pub.signal = drv_data->signal; 2197 else 2198 tmp.pub.signal = 0; 2199 tmp.pub.beacon_interval = data->beacon_interval; 2200 tmp.pub.capability = data->capability; 2201 tmp.ts_boottime = drv_data->boottime_ns; 2202 tmp.parent_tsf = drv_data->parent_tsf; 2203 ether_addr_copy(tmp.parent_bssid, drv_data->parent_bssid); 2204 tmp.pub.chains = drv_data->chains; 2205 memcpy(tmp.pub.chain_signal, drv_data->chain_signal, 2206 IEEE80211_MAX_CHAINS); 2207 tmp.pub.use_for = data->use_for; 2208 tmp.pub.cannot_use_reasons = data->cannot_use_reasons; 2209 2210 if (data->bss_source != BSS_SOURCE_DIRECT) { 2211 tmp.pub.transmitted_bss = data->source_bss; 2212 ts = bss_from_pub(data->source_bss)->ts; 2213 tmp.pub.bssid_index = data->bssid_index; 2214 tmp.pub.max_bssid_indicator = data->max_bssid_indicator; 2215 } else { 2216 ts = jiffies; 2217 2218 if (channel->band == NL80211_BAND_60GHZ) { 2219 bss_type = data->capability & 2220 WLAN_CAPABILITY_DMG_TYPE_MASK; 2221 if (bss_type == WLAN_CAPABILITY_DMG_TYPE_AP || 2222 bss_type == WLAN_CAPABILITY_DMG_TYPE_PBSS) 2223 regulatory_hint_found_beacon(wiphy, channel, 2224 gfp); 2225 } else { 2226 if (data->capability & WLAN_CAPABILITY_ESS) 2227 regulatory_hint_found_beacon(wiphy, channel, 2228 gfp); 2229 } 2230 } 2231 2232 /* 2233 * If we do not know here whether the IEs are from a Beacon or Probe 2234 * Response frame, we need to pick one of the options and only use it 2235 * with the driver that does not provide the full Beacon/Probe Response 2236 * frame. Use Beacon frame pointer to avoid indicating that this should 2237 * override the IEs pointer should we have received an earlier 2238 * indication of Probe Response data. 2239 */ 2240 ies = kzalloc(sizeof(*ies) + data->ielen, gfp); 2241 if (!ies) 2242 return NULL; 2243 ies->len = data->ielen; 2244 ies->tsf = data->tsf; 2245 ies->from_beacon = false; 2246 memcpy(ies->data, data->ie, data->ielen); 2247 2248 switch (data->ftype) { 2249 case CFG80211_BSS_FTYPE_BEACON: 2250 case CFG80211_BSS_FTYPE_S1G_BEACON: 2251 ies->from_beacon = true; 2252 fallthrough; 2253 case CFG80211_BSS_FTYPE_UNKNOWN: 2254 rcu_assign_pointer(tmp.pub.beacon_ies, ies); 2255 break; 2256 case CFG80211_BSS_FTYPE_PRESP: 2257 rcu_assign_pointer(tmp.pub.proberesp_ies, ies); 2258 break; 2259 } 2260 rcu_assign_pointer(tmp.pub.ies, ies); 2261 2262 signal_valid = drv_data->chan == channel; 2263 spin_lock_bh(&rdev->bss_lock); 2264 res = __cfg80211_bss_update(rdev, &tmp, signal_valid, ts); 2265 if (!res) 2266 goto drop; 2267 2268 rdev_inform_bss(rdev, &res->pub, ies, drv_data->drv_data); 2269 2270 if (data->bss_source == BSS_SOURCE_MBSSID) { 2271 /* this is a nontransmitting bss, we need to add it to 2272 * transmitting bss' list if it is not there 2273 */ 2274 if (cfg80211_add_nontrans_list(data->source_bss, &res->pub)) { 2275 if (__cfg80211_unlink_bss(rdev, res)) { 2276 rdev->bss_generation++; 2277 res = NULL; 2278 } 2279 } 2280 2281 if (!res) 2282 goto drop; 2283 } 2284 spin_unlock_bh(&rdev->bss_lock); 2285 2286 trace_cfg80211_return_bss(&res->pub); 2287 /* __cfg80211_bss_update gives us a referenced result */ 2288 return &res->pub; 2289 2290drop: 2291 spin_unlock_bh(&rdev->bss_lock); 2292 return NULL; 2293} 2294 2295static const struct element 2296*cfg80211_get_profile_continuation(const u8 *ie, size_t ielen, 2297 const struct element *mbssid_elem, 2298 const struct element *sub_elem) 2299{ 2300 const u8 *mbssid_end = mbssid_elem->data + mbssid_elem->datalen; 2301 const struct element *next_mbssid; 2302 const struct element *next_sub; 2303 2304 next_mbssid = cfg80211_find_elem(WLAN_EID_MULTIPLE_BSSID, 2305 mbssid_end, 2306 ielen - (mbssid_end - ie)); 2307 2308 /* 2309 * If it is not the last subelement in current MBSSID IE or there isn't 2310 * a next MBSSID IE - profile is complete. 2311 */ 2312 if ((sub_elem->data + sub_elem->datalen < mbssid_end - 1) || 2313 !next_mbssid) 2314 return NULL; 2315 2316 /* For any length error, just return NULL */ 2317 2318 if (next_mbssid->datalen < 4) 2319 return NULL; 2320 2321 next_sub = (void *)&next_mbssid->data[1]; 2322 2323 if (next_mbssid->data + next_mbssid->datalen < 2324 next_sub->data + next_sub->datalen) 2325 return NULL; 2326 2327 if (next_sub->id != 0 || next_sub->datalen < 2) 2328 return NULL; 2329 2330 /* 2331 * Check if the first element in the next sub element is a start 2332 * of a new profile 2333 */ 2334 return next_sub->data[0] == WLAN_EID_NON_TX_BSSID_CAP ? 2335 NULL : next_mbssid; 2336} 2337 2338size_t cfg80211_merge_profile(const u8 *ie, size_t ielen, 2339 const struct element *mbssid_elem, 2340 const struct element *sub_elem, 2341 u8 *merged_ie, size_t max_copy_len) 2342{ 2343 size_t copied_len = sub_elem->datalen; 2344 const struct element *next_mbssid; 2345 2346 if (sub_elem->datalen > max_copy_len) 2347 return 0; 2348 2349 memcpy(merged_ie, sub_elem->data, sub_elem->datalen); 2350 2351 while ((next_mbssid = cfg80211_get_profile_continuation(ie, ielen, 2352 mbssid_elem, 2353 sub_elem))) { 2354 const struct element *next_sub = (void *)&next_mbssid->data[1]; 2355 2356 if (copied_len + next_sub->datalen > max_copy_len) 2357 break; 2358 memcpy(merged_ie + copied_len, next_sub->data, 2359 next_sub->datalen); 2360 copied_len += next_sub->datalen; 2361 } 2362 2363 return copied_len; 2364} 2365EXPORT_SYMBOL(cfg80211_merge_profile); 2366 2367static void 2368cfg80211_parse_mbssid_data(struct wiphy *wiphy, 2369 struct cfg80211_inform_single_bss_data *tx_data, 2370 struct cfg80211_bss *source_bss, 2371 gfp_t gfp) 2372{ 2373 struct cfg80211_inform_single_bss_data data = { 2374 .drv_data = tx_data->drv_data, 2375 .ftype = tx_data->ftype, 2376 .tsf = tx_data->tsf, 2377 .beacon_interval = tx_data->beacon_interval, 2378 .source_bss = source_bss, 2379 .bss_source = BSS_SOURCE_MBSSID, 2380 .use_for = tx_data->use_for, 2381 .cannot_use_reasons = tx_data->cannot_use_reasons, 2382 }; 2383 const u8 *mbssid_index_ie; 2384 const struct element *elem, *sub; 2385 u8 *new_ie, *profile; 2386 u64 seen_indices = 0; 2387 struct cfg80211_bss *bss; 2388 2389 if (!source_bss) 2390 return; 2391 if (!cfg80211_find_elem(WLAN_EID_MULTIPLE_BSSID, 2392 tx_data->ie, tx_data->ielen)) 2393 return; 2394 if (!wiphy->support_mbssid) 2395 return; 2396 if (wiphy->support_only_he_mbssid && 2397 !cfg80211_find_ext_elem(WLAN_EID_EXT_HE_CAPABILITY, 2398 tx_data->ie, tx_data->ielen)) 2399 return; 2400 2401 new_ie = kmalloc(IEEE80211_MAX_DATA_LEN, gfp); 2402 if (!new_ie) 2403 return; 2404 2405 profile = kmalloc(tx_data->ielen, gfp); 2406 if (!profile) 2407 goto out; 2408 2409 for_each_element_id(elem, WLAN_EID_MULTIPLE_BSSID, 2410 tx_data->ie, tx_data->ielen) { 2411 if (elem->datalen < 4) 2412 continue; 2413 if (elem->data[0] < 1 || (int)elem->data[0] > 8) 2414 continue; 2415 for_each_element(sub, elem->data + 1, elem->datalen - 1) { 2416 u8 profile_len; 2417 2418 if (sub->id != 0 || sub->datalen < 4) { 2419 /* not a valid BSS profile */ 2420 continue; 2421 } 2422 2423 if (sub->data[0] != WLAN_EID_NON_TX_BSSID_CAP || 2424 sub->data[1] != 2) { 2425 /* The first element within the Nontransmitted 2426 * BSSID Profile is not the Nontransmitted 2427 * BSSID Capability element. 2428 */ 2429 continue; 2430 } 2431 2432 memset(profile, 0, tx_data->ielen); 2433 profile_len = cfg80211_merge_profile(tx_data->ie, 2434 tx_data->ielen, 2435 elem, 2436 sub, 2437 profile, 2438 tx_data->ielen); 2439 2440 /* found a Nontransmitted BSSID Profile */ 2441 mbssid_index_ie = cfg80211_find_ie 2442 (WLAN_EID_MULTI_BSSID_IDX, 2443 profile, profile_len); 2444 if (!mbssid_index_ie || mbssid_index_ie[1] < 1 || 2445 mbssid_index_ie[2] == 0 || 2446 mbssid_index_ie[2] > 46) { 2447 /* No valid Multiple BSSID-Index element */ 2448 continue; 2449 } 2450 2451 if (seen_indices & BIT_ULL(mbssid_index_ie[2])) 2452 /* We don't support legacy split of a profile */ 2453 net_dbg_ratelimited("Partial info for BSSID index %d\n", 2454 mbssid_index_ie[2]); 2455 2456 seen_indices |= BIT_ULL(mbssid_index_ie[2]); 2457 2458 data.bssid_index = mbssid_index_ie[2]; 2459 data.max_bssid_indicator = elem->data[0]; 2460 2461 cfg80211_gen_new_bssid(tx_data->bssid, 2462 data.max_bssid_indicator, 2463 data.bssid_index, 2464 data.bssid); 2465 2466 memset(new_ie, 0, IEEE80211_MAX_DATA_LEN); 2467 data.ie = new_ie; 2468 data.ielen = cfg80211_gen_new_ie(tx_data->ie, 2469 tx_data->ielen, 2470 profile, 2471 profile_len, 2472 new_ie, 2473 IEEE80211_MAX_DATA_LEN); 2474 if (!data.ielen) 2475 continue; 2476 2477 data.capability = get_unaligned_le16(profile + 2); 2478 bss = cfg80211_inform_single_bss_data(wiphy, &data, gfp); 2479 if (!bss) 2480 break; 2481 cfg80211_put_bss(wiphy, bss); 2482 } 2483 } 2484 2485out: 2486 kfree(new_ie); 2487 kfree(profile); 2488} 2489 2490ssize_t cfg80211_defragment_element(const struct element *elem, const u8 *ies, 2491 size_t ieslen, u8 *data, size_t data_len, 2492 u8 frag_id) 2493{ 2494 const struct element *next; 2495 ssize_t copied; 2496 u8 elem_datalen; 2497 2498 if (!elem) 2499 return -EINVAL; 2500 2501 /* elem might be invalid after the memmove */ 2502 next = (void *)(elem->data + elem->datalen); 2503 elem_datalen = elem->datalen; 2504 2505 if (elem->id == WLAN_EID_EXTENSION) { 2506 copied = elem->datalen - 1; 2507 2508 if (data) { 2509 if (copied > data_len) 2510 return -ENOSPC; 2511 2512 memmove(data, elem->data + 1, copied); 2513 } 2514 } else { 2515 copied = elem->datalen; 2516 2517 if (data) { 2518 if (copied > data_len) 2519 return -ENOSPC; 2520 2521 memmove(data, elem->data, copied); 2522 } 2523 } 2524 2525 /* Fragmented elements must have 255 bytes */ 2526 if (elem_datalen < 255) 2527 return copied; 2528 2529 for (elem = next; 2530 elem->data < ies + ieslen && 2531 elem->data + elem->datalen <= ies + ieslen; 2532 elem = next) { 2533 /* elem might be invalid after the memmove */ 2534 next = (void *)(elem->data + elem->datalen); 2535 2536 if (elem->id != frag_id) 2537 break; 2538 2539 elem_datalen = elem->datalen; 2540 2541 if (data) { 2542 if (copied + elem_datalen > data_len) 2543 return -ENOSPC; 2544 2545 memmove(data + copied, elem->data, elem_datalen); 2546 } 2547 2548 copied += elem_datalen; 2549 2550 /* Only the last fragment may be short */ 2551 if (elem_datalen != 255) 2552 break; 2553 } 2554 2555 return copied; 2556} 2557EXPORT_SYMBOL(cfg80211_defragment_element); 2558 2559struct cfg80211_mle { 2560 struct ieee80211_multi_link_elem *mle; 2561 struct ieee80211_mle_per_sta_profile 2562 *sta_prof[IEEE80211_MLD_MAX_NUM_LINKS]; 2563 ssize_t sta_prof_len[IEEE80211_MLD_MAX_NUM_LINKS]; 2564 2565 u8 data[]; 2566}; 2567 2568static struct cfg80211_mle * 2569cfg80211_defrag_mle(const struct element *mle, const u8 *ie, size_t ielen, 2570 gfp_t gfp) 2571{ 2572 const struct element *elem; 2573 struct cfg80211_mle *res; 2574 size_t buf_len; 2575 ssize_t mle_len; 2576 u8 common_size, idx; 2577 2578 if (!mle || !ieee80211_mle_size_ok(mle->data + 1, mle->datalen - 1)) 2579 return NULL; 2580 2581 /* Required length for first defragmentation */ 2582 buf_len = mle->datalen - 1; 2583 for_each_element(elem, mle->data + mle->datalen, 2584 ielen - sizeof(*mle) + mle->datalen) { 2585 if (elem->id != WLAN_EID_FRAGMENT) 2586 break; 2587 2588 buf_len += elem->datalen; 2589 } 2590 2591 res = kzalloc(struct_size(res, data, buf_len), gfp); 2592 if (!res) 2593 return NULL; 2594 2595 mle_len = cfg80211_defragment_element(mle, ie, ielen, 2596 res->data, buf_len, 2597 WLAN_EID_FRAGMENT); 2598 if (mle_len < 0) 2599 goto error; 2600 2601 res->mle = (void *)res->data; 2602 2603 /* Find the sub-element area in the buffer */ 2604 common_size = ieee80211_mle_common_size((u8 *)res->mle); 2605 ie = res->data + common_size; 2606 ielen = mle_len - common_size; 2607 2608 idx = 0; 2609 for_each_element_id(elem, IEEE80211_MLE_SUBELEM_PER_STA_PROFILE, 2610 ie, ielen) { 2611 res->sta_prof[idx] = (void *)elem->data; 2612 res->sta_prof_len[idx] = elem->datalen; 2613 2614 idx++; 2615 if (idx >= IEEE80211_MLD_MAX_NUM_LINKS) 2616 break; 2617 } 2618 if (!for_each_element_completed(elem, ie, ielen)) 2619 goto error; 2620 2621 /* Defragment sta_info in-place */ 2622 for (idx = 0; idx < IEEE80211_MLD_MAX_NUM_LINKS && res->sta_prof[idx]; 2623 idx++) { 2624 if (res->sta_prof_len[idx] < 255) 2625 continue; 2626 2627 elem = (void *)res->sta_prof[idx] - 2; 2628 2629 if (idx + 1 < ARRAY_SIZE(res->sta_prof) && 2630 res->sta_prof[idx + 1]) 2631 buf_len = (u8 *)res->sta_prof[idx + 1] - 2632 (u8 *)res->sta_prof[idx]; 2633 else 2634 buf_len = ielen + ie - (u8 *)elem; 2635 2636 res->sta_prof_len[idx] = 2637 cfg80211_defragment_element(elem, 2638 (u8 *)elem, buf_len, 2639 (u8 *)res->sta_prof[idx], 2640 buf_len, 2641 IEEE80211_MLE_SUBELEM_FRAGMENT); 2642 if (res->sta_prof_len[idx] < 0) 2643 goto error; 2644 } 2645 2646 return res; 2647 2648error: 2649 kfree(res); 2650 return NULL; 2651} 2652 2653struct tbtt_info_iter_data { 2654 const struct ieee80211_neighbor_ap_info *ap_info; 2655 u8 param_ch_count; 2656 u32 use_for; 2657 u8 mld_id, link_id; 2658}; 2659 2660static enum cfg80211_rnr_iter_ret 2661cfg802121_mld_ap_rnr_iter(void *_data, u8 type, 2662 const struct ieee80211_neighbor_ap_info *info, 2663 const u8 *tbtt_info, u8 tbtt_info_len) 2664{ 2665 const struct ieee80211_rnr_mld_params *mld_params; 2666 struct tbtt_info_iter_data *data = _data; 2667 u8 link_id; 2668 2669 if (type == IEEE80211_TBTT_INFO_TYPE_TBTT && 2670 tbtt_info_len >= offsetofend(struct ieee80211_tbtt_info_ge_11, 2671 mld_params)) 2672 mld_params = (void *)(tbtt_info + 2673 offsetof(struct ieee80211_tbtt_info_ge_11, 2674 mld_params)); 2675 else if (type == IEEE80211_TBTT_INFO_TYPE_MLD && 2676 tbtt_info_len >= sizeof(struct ieee80211_rnr_mld_params)) 2677 mld_params = (void *)tbtt_info; 2678 else 2679 return RNR_ITER_CONTINUE; 2680 2681 link_id = le16_get_bits(mld_params->params, 2682 IEEE80211_RNR_MLD_PARAMS_LINK_ID); 2683 2684 if (data->mld_id != mld_params->mld_id) 2685 return RNR_ITER_CONTINUE; 2686 2687 if (data->link_id != link_id) 2688 return RNR_ITER_CONTINUE; 2689 2690 data->ap_info = info; 2691 data->param_ch_count = 2692 le16_get_bits(mld_params->params, 2693 IEEE80211_RNR_MLD_PARAMS_BSS_CHANGE_COUNT); 2694 2695 if (type == IEEE80211_TBTT_INFO_TYPE_TBTT) 2696 data->use_for = NL80211_BSS_USE_FOR_ALL; 2697 else 2698 data->use_for = NL80211_BSS_USE_FOR_MLD_LINK; 2699 return RNR_ITER_BREAK; 2700} 2701 2702static u8 2703cfg80211_rnr_info_for_mld_ap(const u8 *ie, size_t ielen, u8 mld_id, u8 link_id, 2704 const struct ieee80211_neighbor_ap_info **ap_info, 2705 u8 *param_ch_count) 2706{ 2707 struct tbtt_info_iter_data data = { 2708 .mld_id = mld_id, 2709 .link_id = link_id, 2710 }; 2711 2712 cfg80211_iter_rnr(ie, ielen, cfg802121_mld_ap_rnr_iter, &data); 2713 2714 *ap_info = data.ap_info; 2715 *param_ch_count = data.param_ch_count; 2716 2717 return data.use_for; 2718} 2719 2720static struct element * 2721cfg80211_gen_reporter_rnr(struct cfg80211_bss *source_bss, bool is_mbssid, 2722 bool same_mld, u8 link_id, u8 bss_change_count, 2723 gfp_t gfp) 2724{ 2725 const struct cfg80211_bss_ies *ies; 2726 struct ieee80211_neighbor_ap_info ap_info; 2727 struct ieee80211_tbtt_info_ge_11 tbtt_info; 2728 u32 short_ssid; 2729 const struct element *elem; 2730 struct element *res; 2731 2732 /* 2733 * We only generate the RNR to permit ML lookups. For that we do not 2734 * need an entry for the corresponding transmitting BSS, lets just skip 2735 * it even though it would be easy to add. 2736 */ 2737 if (!same_mld) 2738 return NULL; 2739 2740 /* We could use tx_data->ies if we change cfg80211_calc_short_ssid */ 2741 rcu_read_lock(); 2742 ies = rcu_dereference(source_bss->ies); 2743 2744 ap_info.tbtt_info_len = offsetofend(typeof(tbtt_info), mld_params); 2745 ap_info.tbtt_info_hdr = 2746 u8_encode_bits(IEEE80211_TBTT_INFO_TYPE_TBTT, 2747 IEEE80211_AP_INFO_TBTT_HDR_TYPE) | 2748 u8_encode_bits(0, IEEE80211_AP_INFO_TBTT_HDR_COUNT); 2749 2750 ap_info.channel = ieee80211_frequency_to_channel(source_bss->channel->center_freq); 2751 2752 /* operating class */ 2753 elem = cfg80211_find_elem(WLAN_EID_SUPPORTED_REGULATORY_CLASSES, 2754 ies->data, ies->len); 2755 if (elem && elem->datalen >= 1) { 2756 ap_info.op_class = elem->data[0]; 2757 } else { 2758 struct cfg80211_chan_def chandef; 2759 2760 /* The AP is not providing us with anything to work with. So 2761 * make up a somewhat reasonable operating class, but don't 2762 * bother with it too much as no one will ever use the 2763 * information. 2764 */ 2765 cfg80211_chandef_create(&chandef, source_bss->channel, 2766 NL80211_CHAN_NO_HT); 2767 2768 if (!ieee80211_chandef_to_operating_class(&chandef, 2769 &ap_info.op_class)) 2770 goto out_unlock; 2771 } 2772 2773 /* Just set TBTT offset and PSD 20 to invalid/unknown */ 2774 tbtt_info.tbtt_offset = 255; 2775 tbtt_info.psd_20 = IEEE80211_RNR_TBTT_PARAMS_PSD_RESERVED; 2776 2777 memcpy(tbtt_info.bssid, source_bss->bssid, ETH_ALEN); 2778 if (cfg80211_calc_short_ssid(ies, &elem, &short_ssid)) 2779 goto out_unlock; 2780 2781 rcu_read_unlock(); 2782 2783 tbtt_info.short_ssid = cpu_to_le32(short_ssid); 2784 2785 tbtt_info.bss_params = IEEE80211_RNR_TBTT_PARAMS_SAME_SSID; 2786 2787 if (is_mbssid) { 2788 tbtt_info.bss_params |= IEEE80211_RNR_TBTT_PARAMS_MULTI_BSSID; 2789 tbtt_info.bss_params |= IEEE80211_RNR_TBTT_PARAMS_TRANSMITTED_BSSID; 2790 } 2791 2792 tbtt_info.mld_params.mld_id = 0; 2793 tbtt_info.mld_params.params = 2794 le16_encode_bits(link_id, IEEE80211_RNR_MLD_PARAMS_LINK_ID) | 2795 le16_encode_bits(bss_change_count, 2796 IEEE80211_RNR_MLD_PARAMS_BSS_CHANGE_COUNT); 2797 2798 res = kzalloc(struct_size(res, data, 2799 sizeof(ap_info) + ap_info.tbtt_info_len), 2800 gfp); 2801 if (!res) 2802 return NULL; 2803 2804 /* Copy the data */ 2805 res->id = WLAN_EID_REDUCED_NEIGHBOR_REPORT; 2806 res->datalen = sizeof(ap_info) + ap_info.tbtt_info_len; 2807 memcpy(res->data, &ap_info, sizeof(ap_info)); 2808 memcpy(res->data + sizeof(ap_info), &tbtt_info, ap_info.tbtt_info_len); 2809 2810 return res; 2811 2812out_unlock: 2813 rcu_read_unlock(); 2814 return NULL; 2815} 2816 2817static void 2818cfg80211_parse_ml_elem_sta_data(struct wiphy *wiphy, 2819 struct cfg80211_inform_single_bss_data *tx_data, 2820 struct cfg80211_bss *source_bss, 2821 const struct element *elem, 2822 gfp_t gfp) 2823{ 2824 struct cfg80211_inform_single_bss_data data = { 2825 .drv_data = tx_data->drv_data, 2826 .ftype = tx_data->ftype, 2827 .source_bss = source_bss, 2828 .bss_source = BSS_SOURCE_STA_PROFILE, 2829 }; 2830 struct element *reporter_rnr = NULL; 2831 struct ieee80211_multi_link_elem *ml_elem; 2832 struct cfg80211_mle *mle; 2833 u16 control; 2834 u8 ml_common_len; 2835 u8 *new_ie = NULL; 2836 struct cfg80211_bss *bss; 2837 u8 mld_id, reporter_link_id, bss_change_count; 2838 u16 seen_links = 0; 2839 u8 i; 2840 2841 if (!ieee80211_mle_type_ok(elem->data + 1, 2842 IEEE80211_ML_CONTROL_TYPE_BASIC, 2843 elem->datalen - 1)) 2844 return; 2845 2846 ml_elem = (void *)(elem->data + 1); 2847 control = le16_to_cpu(ml_elem->control); 2848 ml_common_len = ml_elem->variable[0]; 2849 2850 /* Must be present when transmitted by an AP (in a probe response) */ 2851 if (!(control & IEEE80211_MLC_BASIC_PRES_BSS_PARAM_CH_CNT) || 2852 !(control & IEEE80211_MLC_BASIC_PRES_LINK_ID) || 2853 !(control & IEEE80211_MLC_BASIC_PRES_MLD_CAPA_OP)) 2854 return; 2855 2856 reporter_link_id = ieee80211_mle_get_link_id(elem->data + 1); 2857 bss_change_count = ieee80211_mle_get_bss_param_ch_cnt(elem->data + 1); 2858 2859 /* 2860 * The MLD ID of the reporting AP is always zero. It is set if the AP 2861 * is part of an MBSSID set and will be non-zero for ML Elements 2862 * relating to a nontransmitted BSS (matching the Multi-BSSID Index, 2863 * Draft P802.11be_D3.2, 35.3.4.2) 2864 */ 2865 mld_id = ieee80211_mle_get_mld_id(elem->data + 1); 2866 2867 /* Fully defrag the ML element for sta information/profile iteration */ 2868 mle = cfg80211_defrag_mle(elem, tx_data->ie, tx_data->ielen, gfp); 2869 if (!mle) 2870 return; 2871 2872 /* No point in doing anything if there is no per-STA profile */ 2873 if (!mle->sta_prof[0]) 2874 goto out; 2875 2876 new_ie = kmalloc(IEEE80211_MAX_DATA_LEN, gfp); 2877 if (!new_ie) 2878 goto out; 2879 2880 reporter_rnr = cfg80211_gen_reporter_rnr(source_bss, 2881 u16_get_bits(control, 2882 IEEE80211_MLC_BASIC_PRES_MLD_ID), 2883 mld_id == 0, reporter_link_id, 2884 bss_change_count, 2885 gfp); 2886 2887 for (i = 0; i < ARRAY_SIZE(mle->sta_prof) && mle->sta_prof[i]; i++) { 2888 const struct ieee80211_neighbor_ap_info *ap_info; 2889 enum nl80211_band band; 2890 u32 freq; 2891 const u8 *profile; 2892 ssize_t profile_len; 2893 u8 param_ch_count; 2894 u8 link_id, use_for; 2895 2896 if (!ieee80211_mle_basic_sta_prof_size_ok((u8 *)mle->sta_prof[i], 2897 mle->sta_prof_len[i])) 2898 continue; 2899 2900 control = le16_to_cpu(mle->sta_prof[i]->control); 2901 2902 if (!(control & IEEE80211_MLE_STA_CONTROL_COMPLETE_PROFILE)) 2903 continue; 2904 2905 link_id = u16_get_bits(control, 2906 IEEE80211_MLE_STA_CONTROL_LINK_ID); 2907 if (seen_links & BIT(link_id)) 2908 break; 2909 seen_links |= BIT(link_id); 2910 2911 if (!(control & IEEE80211_MLE_STA_CONTROL_BEACON_INT_PRESENT) || 2912 !(control & IEEE80211_MLE_STA_CONTROL_TSF_OFFS_PRESENT) || 2913 !(control & IEEE80211_MLE_STA_CONTROL_STA_MAC_ADDR_PRESENT)) 2914 continue; 2915 2916 memcpy(data.bssid, mle->sta_prof[i]->variable, ETH_ALEN); 2917 data.beacon_interval = 2918 get_unaligned_le16(mle->sta_prof[i]->variable + 6); 2919 data.tsf = tx_data->tsf + 2920 get_unaligned_le64(mle->sta_prof[i]->variable + 8); 2921 2922 /* sta_info_len counts itself */ 2923 profile = mle->sta_prof[i]->variable + 2924 mle->sta_prof[i]->sta_info_len - 1; 2925 profile_len = (u8 *)mle->sta_prof[i] + mle->sta_prof_len[i] - 2926 profile; 2927 2928 if (profile_len < 2) 2929 continue; 2930 2931 data.capability = get_unaligned_le16(profile); 2932 profile += 2; 2933 profile_len -= 2; 2934 2935 /* Find in RNR to look up channel information */ 2936 use_for = cfg80211_rnr_info_for_mld_ap(tx_data->ie, 2937 tx_data->ielen, 2938 mld_id, link_id, 2939 &ap_info, 2940 ¶m_ch_count); 2941 if (!use_for) 2942 continue; 2943 2944 /* We could sanity check the BSSID is included */ 2945 2946 if (!ieee80211_operating_class_to_band(ap_info->op_class, 2947 &band)) 2948 continue; 2949 2950 freq = ieee80211_channel_to_freq_khz(ap_info->channel, band); 2951 data.channel = ieee80211_get_channel_khz(wiphy, freq); 2952 2953 if (use_for == NL80211_BSS_USE_FOR_MLD_LINK && 2954 !(wiphy->flags & WIPHY_FLAG_SUPPORTS_NSTR_NONPRIMARY)) { 2955 use_for = 0; 2956 data.cannot_use_reasons = 2957 NL80211_BSS_CANNOT_USE_NSTR_NONPRIMARY; 2958 } 2959 data.use_for = use_for; 2960 2961 /* Generate new elements */ 2962 memset(new_ie, 0, IEEE80211_MAX_DATA_LEN); 2963 data.ie = new_ie; 2964 data.ielen = cfg80211_gen_new_ie(tx_data->ie, tx_data->ielen, 2965 profile, profile_len, 2966 new_ie, 2967 IEEE80211_MAX_DATA_LEN); 2968 if (!data.ielen) 2969 continue; 2970 2971 /* The generated elements do not contain: 2972 * - Basic ML element 2973 * - A TBTT entry in the RNR for the transmitting AP 2974 * 2975 * This information is needed both internally and in userspace 2976 * as such, we should append it here. 2977 */ 2978 if (data.ielen + 3 + sizeof(*ml_elem) + ml_common_len > 2979 IEEE80211_MAX_DATA_LEN) 2980 continue; 2981 2982 /* Copy the Basic Multi-Link element including the common 2983 * information, and then fix up the link ID and BSS param 2984 * change count. 2985 * Note that the ML element length has been verified and we 2986 * also checked that it contains the link ID. 2987 */ 2988 new_ie[data.ielen++] = WLAN_EID_EXTENSION; 2989 new_ie[data.ielen++] = 1 + sizeof(*ml_elem) + ml_common_len; 2990 new_ie[data.ielen++] = WLAN_EID_EXT_EHT_MULTI_LINK; 2991 memcpy(new_ie + data.ielen, ml_elem, 2992 sizeof(*ml_elem) + ml_common_len); 2993 2994 new_ie[data.ielen + sizeof(*ml_elem) + 1 + ETH_ALEN] = link_id; 2995 new_ie[data.ielen + sizeof(*ml_elem) + 1 + ETH_ALEN + 1] = 2996 param_ch_count; 2997 2998 data.ielen += sizeof(*ml_elem) + ml_common_len; 2999 3000 if (reporter_rnr && (use_for & NL80211_BSS_USE_FOR_NORMAL)) { 3001 if (data.ielen + sizeof(struct element) + 3002 reporter_rnr->datalen > IEEE80211_MAX_DATA_LEN) 3003 continue; 3004 3005 memcpy(new_ie + data.ielen, reporter_rnr, 3006 sizeof(struct element) + reporter_rnr->datalen); 3007 data.ielen += sizeof(struct element) + 3008 reporter_rnr->datalen; 3009 } 3010 3011 bss = cfg80211_inform_single_bss_data(wiphy, &data, gfp); 3012 if (!bss) 3013 break; 3014 cfg80211_put_bss(wiphy, bss); 3015 } 3016 3017out: 3018 kfree(reporter_rnr); 3019 kfree(new_ie); 3020 kfree(mle); 3021} 3022 3023static void cfg80211_parse_ml_sta_data(struct wiphy *wiphy, 3024 struct cfg80211_inform_single_bss_data *tx_data, 3025 struct cfg80211_bss *source_bss, 3026 gfp_t gfp) 3027{ 3028 const struct element *elem; 3029 3030 if (!source_bss) 3031 return; 3032 3033 if (tx_data->ftype != CFG80211_BSS_FTYPE_PRESP) 3034 return; 3035 3036 for_each_element_extid(elem, WLAN_EID_EXT_EHT_MULTI_LINK, 3037 tx_data->ie, tx_data->ielen) 3038 cfg80211_parse_ml_elem_sta_data(wiphy, tx_data, source_bss, 3039 elem, gfp); 3040} 3041 3042struct cfg80211_bss * 3043cfg80211_inform_bss_data(struct wiphy *wiphy, 3044 struct cfg80211_inform_bss *data, 3045 enum cfg80211_bss_frame_type ftype, 3046 const u8 *bssid, u64 tsf, u16 capability, 3047 u16 beacon_interval, const u8 *ie, size_t ielen, 3048 gfp_t gfp) 3049{ 3050 struct cfg80211_inform_single_bss_data inform_data = { 3051 .drv_data = data, 3052 .ftype = ftype, 3053 .tsf = tsf, 3054 .capability = capability, 3055 .beacon_interval = beacon_interval, 3056 .ie = ie, 3057 .ielen = ielen, 3058 .use_for = data->restrict_use ? 3059 data->use_for : 3060 NL80211_BSS_USE_FOR_ALL, 3061 .cannot_use_reasons = data->cannot_use_reasons, 3062 }; 3063 struct cfg80211_bss *res; 3064 3065 memcpy(inform_data.bssid, bssid, ETH_ALEN); 3066 3067 res = cfg80211_inform_single_bss_data(wiphy, &inform_data, gfp); 3068 if (!res) 3069 return NULL; 3070 3071 /* don't do any further MBSSID/ML handling for S1G */ 3072 if (ftype == CFG80211_BSS_FTYPE_S1G_BEACON) 3073 return res; 3074 3075 cfg80211_parse_mbssid_data(wiphy, &inform_data, res, gfp); 3076 3077 cfg80211_parse_ml_sta_data(wiphy, &inform_data, res, gfp); 3078 3079 return res; 3080} 3081EXPORT_SYMBOL(cfg80211_inform_bss_data); 3082 3083struct cfg80211_bss * 3084cfg80211_inform_bss_frame_data(struct wiphy *wiphy, 3085 struct cfg80211_inform_bss *data, 3086 struct ieee80211_mgmt *mgmt, size_t len, 3087 gfp_t gfp) 3088{ 3089 size_t min_hdr_len = offsetof(struct ieee80211_mgmt, 3090 u.probe_resp.variable); 3091 struct ieee80211_ext *ext = NULL; 3092 enum cfg80211_bss_frame_type ftype; 3093 u16 beacon_interval; 3094 const u8 *bssid; 3095 u16 capability; 3096 const u8 *ie; 3097 size_t ielen; 3098 u64 tsf; 3099 3100 if (WARN_ON(!mgmt)) 3101 return NULL; 3102 3103 if (WARN_ON(!wiphy)) 3104 return NULL; 3105 3106 BUILD_BUG_ON(offsetof(struct ieee80211_mgmt, u.probe_resp.variable) != 3107 offsetof(struct ieee80211_mgmt, u.beacon.variable)); 3108 3109 trace_cfg80211_inform_bss_frame(wiphy, data, mgmt, len); 3110 3111 if (ieee80211_is_s1g_beacon(mgmt->frame_control)) { 3112 ext = (void *) mgmt; 3113 min_hdr_len = offsetof(struct ieee80211_ext, u.s1g_beacon); 3114 if (ieee80211_is_s1g_short_beacon(mgmt->frame_control)) 3115 min_hdr_len = offsetof(struct ieee80211_ext, 3116 u.s1g_short_beacon.variable); 3117 } 3118 3119 if (WARN_ON(len < min_hdr_len)) 3120 return NULL; 3121 3122 ielen = len - min_hdr_len; 3123 ie = mgmt->u.probe_resp.variable; 3124 if (ext) { 3125 const struct ieee80211_s1g_bcn_compat_ie *compat; 3126 const struct element *elem; 3127 3128 if (ieee80211_is_s1g_short_beacon(mgmt->frame_control)) 3129 ie = ext->u.s1g_short_beacon.variable; 3130 else 3131 ie = ext->u.s1g_beacon.variable; 3132 3133 elem = cfg80211_find_elem(WLAN_EID_S1G_BCN_COMPAT, ie, ielen); 3134 if (!elem) 3135 return NULL; 3136 if (elem->datalen < sizeof(*compat)) 3137 return NULL; 3138 compat = (void *)elem->data; 3139 bssid = ext->u.s1g_beacon.sa; 3140 capability = le16_to_cpu(compat->compat_info); 3141 beacon_interval = le16_to_cpu(compat->beacon_int); 3142 } else { 3143 bssid = mgmt->bssid; 3144 beacon_interval = le16_to_cpu(mgmt->u.probe_resp.beacon_int); 3145 capability = le16_to_cpu(mgmt->u.probe_resp.capab_info); 3146 } 3147 3148 tsf = le64_to_cpu(mgmt->u.probe_resp.timestamp); 3149 3150 if (ieee80211_is_probe_resp(mgmt->frame_control)) 3151 ftype = CFG80211_BSS_FTYPE_PRESP; 3152 else if (ext) 3153 ftype = CFG80211_BSS_FTYPE_S1G_BEACON; 3154 else 3155 ftype = CFG80211_BSS_FTYPE_BEACON; 3156 3157 return cfg80211_inform_bss_data(wiphy, data, ftype, 3158 bssid, tsf, capability, 3159 beacon_interval, ie, ielen, 3160 gfp); 3161} 3162EXPORT_SYMBOL(cfg80211_inform_bss_frame_data); 3163 3164void cfg80211_ref_bss(struct wiphy *wiphy, struct cfg80211_bss *pub) 3165{ 3166 struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy); 3167 3168 if (!pub) 3169 return; 3170 3171 spin_lock_bh(&rdev->bss_lock); 3172 bss_ref_get(rdev, bss_from_pub(pub)); 3173 spin_unlock_bh(&rdev->bss_lock); 3174} 3175EXPORT_SYMBOL(cfg80211_ref_bss); 3176 3177void cfg80211_put_bss(struct wiphy *wiphy, struct cfg80211_bss *pub) 3178{ 3179 struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy); 3180 3181 if (!pub) 3182 return; 3183 3184 spin_lock_bh(&rdev->bss_lock); 3185 bss_ref_put(rdev, bss_from_pub(pub)); 3186 spin_unlock_bh(&rdev->bss_lock); 3187} 3188EXPORT_SYMBOL(cfg80211_put_bss); 3189 3190void cfg80211_unlink_bss(struct wiphy *wiphy, struct cfg80211_bss *pub) 3191{ 3192 struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy); 3193 struct cfg80211_internal_bss *bss, *tmp1; 3194 struct cfg80211_bss *nontrans_bss, *tmp; 3195 3196 if (WARN_ON(!pub)) 3197 return; 3198 3199 bss = bss_from_pub(pub); 3200 3201 spin_lock_bh(&rdev->bss_lock); 3202 if (list_empty(&bss->list)) 3203 goto out; 3204 3205 list_for_each_entry_safe(nontrans_bss, tmp, 3206 &pub->nontrans_list, 3207 nontrans_list) { 3208 tmp1 = bss_from_pub(nontrans_bss); 3209 if (__cfg80211_unlink_bss(rdev, tmp1)) 3210 rdev->bss_generation++; 3211 } 3212 3213 if (__cfg80211_unlink_bss(rdev, bss)) 3214 rdev->bss_generation++; 3215out: 3216 spin_unlock_bh(&rdev->bss_lock); 3217} 3218EXPORT_SYMBOL(cfg80211_unlink_bss); 3219 3220void cfg80211_bss_iter(struct wiphy *wiphy, 3221 struct cfg80211_chan_def *chandef, 3222 void (*iter)(struct wiphy *wiphy, 3223 struct cfg80211_bss *bss, 3224 void *data), 3225 void *iter_data) 3226{ 3227 struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy); 3228 struct cfg80211_internal_bss *bss; 3229 3230 spin_lock_bh(&rdev->bss_lock); 3231 3232 list_for_each_entry(bss, &rdev->bss_list, list) { 3233 if (!chandef || cfg80211_is_sub_chan(chandef, bss->pub.channel, 3234 false)) 3235 iter(wiphy, &bss->pub, iter_data); 3236 } 3237 3238 spin_unlock_bh(&rdev->bss_lock); 3239} 3240EXPORT_SYMBOL(cfg80211_bss_iter); 3241 3242void cfg80211_update_assoc_bss_entry(struct wireless_dev *wdev, 3243 unsigned int link_id, 3244 struct ieee80211_channel *chan) 3245{ 3246 struct wiphy *wiphy = wdev->wiphy; 3247 struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy); 3248 struct cfg80211_internal_bss *cbss = wdev->links[link_id].client.current_bss; 3249 struct cfg80211_internal_bss *new = NULL; 3250 struct cfg80211_internal_bss *bss; 3251 struct cfg80211_bss *nontrans_bss; 3252 struct cfg80211_bss *tmp; 3253 3254 spin_lock_bh(&rdev->bss_lock); 3255 3256 /* 3257 * Some APs use CSA also for bandwidth changes, i.e., without actually 3258 * changing the control channel, so no need to update in such a case. 3259 */ 3260 if (cbss->pub.channel == chan) 3261 goto done; 3262 3263 /* use transmitting bss */ 3264 if (cbss->pub.transmitted_bss) 3265 cbss = bss_from_pub(cbss->pub.transmitted_bss); 3266 3267 cbss->pub.channel = chan; 3268 3269 list_for_each_entry(bss, &rdev->bss_list, list) { 3270 if (!cfg80211_bss_type_match(bss->pub.capability, 3271 bss->pub.channel->band, 3272 wdev->conn_bss_type)) 3273 continue; 3274 3275 if (bss == cbss) 3276 continue; 3277 3278 if (!cmp_bss(&bss->pub, &cbss->pub, BSS_CMP_REGULAR)) { 3279 new = bss; 3280 break; 3281 } 3282 } 3283 3284 if (new) { 3285 /* to save time, update IEs for transmitting bss only */ 3286 cfg80211_update_known_bss(rdev, cbss, new, false); 3287 new->pub.proberesp_ies = NULL; 3288 new->pub.beacon_ies = NULL; 3289 3290 list_for_each_entry_safe(nontrans_bss, tmp, 3291 &new->pub.nontrans_list, 3292 nontrans_list) { 3293 bss = bss_from_pub(nontrans_bss); 3294 if (__cfg80211_unlink_bss(rdev, bss)) 3295 rdev->bss_generation++; 3296 } 3297 3298 WARN_ON(atomic_read(&new->hold)); 3299 if (!WARN_ON(!__cfg80211_unlink_bss(rdev, new))) 3300 rdev->bss_generation++; 3301 } 3302 3303 rb_erase(&cbss->rbn, &rdev->bss_tree); 3304 rb_insert_bss(rdev, cbss); 3305 rdev->bss_generation++; 3306 3307 list_for_each_entry_safe(nontrans_bss, tmp, 3308 &cbss->pub.nontrans_list, 3309 nontrans_list) { 3310 bss = bss_from_pub(nontrans_bss); 3311 bss->pub.channel = chan; 3312 rb_erase(&bss->rbn, &rdev->bss_tree); 3313 rb_insert_bss(rdev, bss); 3314 rdev->bss_generation++; 3315 } 3316 3317done: 3318 spin_unlock_bh(&rdev->bss_lock); 3319} 3320 3321#ifdef CONFIG_CFG80211_WEXT 3322static struct cfg80211_registered_device * 3323cfg80211_get_dev_from_ifindex(struct net *net, int ifindex) 3324{ 3325 struct cfg80211_registered_device *rdev; 3326 struct net_device *dev; 3327 3328 ASSERT_RTNL(); 3329 3330 dev = dev_get_by_index(net, ifindex); 3331 if (!dev) 3332 return ERR_PTR(-ENODEV); 3333 if (dev->ieee80211_ptr) 3334 rdev = wiphy_to_rdev(dev->ieee80211_ptr->wiphy); 3335 else 3336 rdev = ERR_PTR(-ENODEV); 3337 dev_put(dev); 3338 return rdev; 3339} 3340 3341int cfg80211_wext_siwscan(struct net_device *dev, 3342 struct iw_request_info *info, 3343 union iwreq_data *wrqu, char *extra) 3344{ 3345 struct cfg80211_registered_device *rdev; 3346 struct wiphy *wiphy; 3347 struct iw_scan_req *wreq = NULL; 3348 struct cfg80211_scan_request *creq; 3349 int i, err, n_channels = 0; 3350 enum nl80211_band band; 3351 3352 if (!netif_running(dev)) 3353 return -ENETDOWN; 3354 3355 if (wrqu->data.length == sizeof(struct iw_scan_req)) 3356 wreq = (struct iw_scan_req *)extra; 3357 3358 rdev = cfg80211_get_dev_from_ifindex(dev_net(dev), dev->ifindex); 3359 3360 if (IS_ERR(rdev)) 3361 return PTR_ERR(rdev); 3362 3363 if (rdev->scan_req || rdev->scan_msg) 3364 return -EBUSY; 3365 3366 wiphy = &rdev->wiphy; 3367 3368 /* Determine number of channels, needed to allocate creq */ 3369 if (wreq && wreq->num_channels) 3370 n_channels = wreq->num_channels; 3371 else 3372 n_channels = ieee80211_get_num_supported_channels(wiphy); 3373 3374 creq = kzalloc(sizeof(*creq) + sizeof(struct cfg80211_ssid) + 3375 n_channels * sizeof(void *), 3376 GFP_ATOMIC); 3377 if (!creq) 3378 return -ENOMEM; 3379 3380 creq->wiphy = wiphy; 3381 creq->wdev = dev->ieee80211_ptr; 3382 /* SSIDs come after channels */ 3383 creq->ssids = (void *)&creq->channels[n_channels]; 3384 creq->n_channels = n_channels; 3385 creq->n_ssids = 1; 3386 creq->scan_start = jiffies; 3387 3388 /* translate "Scan on frequencies" request */ 3389 i = 0; 3390 for (band = 0; band < NUM_NL80211_BANDS; band++) { 3391 int j; 3392 3393 if (!wiphy->bands[band]) 3394 continue; 3395 3396 for (j = 0; j < wiphy->bands[band]->n_channels; j++) { 3397 /* ignore disabled channels */ 3398 if (wiphy->bands[band]->channels[j].flags & 3399 IEEE80211_CHAN_DISABLED) 3400 continue; 3401 3402 /* If we have a wireless request structure and the 3403 * wireless request specifies frequencies, then search 3404 * for the matching hardware channel. 3405 */ 3406 if (wreq && wreq->num_channels) { 3407 int k; 3408 int wiphy_freq = wiphy->bands[band]->channels[j].center_freq; 3409 for (k = 0; k < wreq->num_channels; k++) { 3410 struct iw_freq *freq = 3411 &wreq->channel_list[k]; 3412 int wext_freq = 3413 cfg80211_wext_freq(freq); 3414 3415 if (wext_freq == wiphy_freq) 3416 goto wext_freq_found; 3417 } 3418 goto wext_freq_not_found; 3419 } 3420 3421 wext_freq_found: 3422 creq->channels[i] = &wiphy->bands[band]->channels[j]; 3423 i++; 3424 wext_freq_not_found: ; 3425 } 3426 } 3427 /* No channels found? */ 3428 if (!i) { 3429 err = -EINVAL; 3430 goto out; 3431 } 3432 3433 /* Set real number of channels specified in creq->channels[] */ 3434 creq->n_channels = i; 3435 3436 /* translate "Scan for SSID" request */ 3437 if (wreq) { 3438 if (wrqu->data.flags & IW_SCAN_THIS_ESSID) { 3439 if (wreq->essid_len > IEEE80211_MAX_SSID_LEN) { 3440 err = -EINVAL; 3441 goto out; 3442 } 3443 memcpy(creq->ssids[0].ssid, wreq->essid, wreq->essid_len); 3444 creq->ssids[0].ssid_len = wreq->essid_len; 3445 } 3446 if (wreq->scan_type == IW_SCAN_TYPE_PASSIVE) 3447 creq->n_ssids = 0; 3448 } 3449 3450 for (i = 0; i < NUM_NL80211_BANDS; i++) 3451 if (wiphy->bands[i]) 3452 creq->rates[i] = (1 << wiphy->bands[i]->n_bitrates) - 1; 3453 3454 eth_broadcast_addr(creq->bssid); 3455 3456 wiphy_lock(&rdev->wiphy); 3457 3458 rdev->scan_req = creq; 3459 err = rdev_scan(rdev, creq); 3460 if (err) { 3461 rdev->scan_req = NULL; 3462 /* creq will be freed below */ 3463 } else { 3464 nl80211_send_scan_start(rdev, dev->ieee80211_ptr); 3465 /* creq now owned by driver */ 3466 creq = NULL; 3467 dev_hold(dev); 3468 } 3469 wiphy_unlock(&rdev->wiphy); 3470 out: 3471 kfree(creq); 3472 return err; 3473} 3474EXPORT_WEXT_HANDLER(cfg80211_wext_siwscan); 3475 3476static char *ieee80211_scan_add_ies(struct iw_request_info *info, 3477 const struct cfg80211_bss_ies *ies, 3478 char *current_ev, char *end_buf) 3479{ 3480 const u8 *pos, *end, *next; 3481 struct iw_event iwe; 3482 3483 if (!ies) 3484 return current_ev; 3485 3486 /* 3487 * If needed, fragment the IEs buffer (at IE boundaries) into short 3488 * enough fragments to fit into IW_GENERIC_IE_MAX octet messages. 3489 */ 3490 pos = ies->data; 3491 end = pos + ies->len; 3492 3493 while (end - pos > IW_GENERIC_IE_MAX) { 3494 next = pos + 2 + pos[1]; 3495 while (next + 2 + next[1] - pos < IW_GENERIC_IE_MAX) 3496 next = next + 2 + next[1]; 3497 3498 memset(&iwe, 0, sizeof(iwe)); 3499 iwe.cmd = IWEVGENIE; 3500 iwe.u.data.length = next - pos; 3501 current_ev = iwe_stream_add_point_check(info, current_ev, 3502 end_buf, &iwe, 3503 (void *)pos); 3504 if (IS_ERR(current_ev)) 3505 return current_ev; 3506 pos = next; 3507 } 3508 3509 if (end > pos) { 3510 memset(&iwe, 0, sizeof(iwe)); 3511 iwe.cmd = IWEVGENIE; 3512 iwe.u.data.length = end - pos; 3513 current_ev = iwe_stream_add_point_check(info, current_ev, 3514 end_buf, &iwe, 3515 (void *)pos); 3516 if (IS_ERR(current_ev)) 3517 return current_ev; 3518 } 3519 3520 return current_ev; 3521} 3522 3523static char * 3524ieee80211_bss(struct wiphy *wiphy, struct iw_request_info *info, 3525 struct cfg80211_internal_bss *bss, char *current_ev, 3526 char *end_buf) 3527{ 3528 const struct cfg80211_bss_ies *ies; 3529 struct iw_event iwe; 3530 const u8 *ie; 3531 u8 buf[50]; 3532 u8 *cfg, *p, *tmp; 3533 int rem, i, sig; 3534 bool ismesh = false; 3535 3536 memset(&iwe, 0, sizeof(iwe)); 3537 iwe.cmd = SIOCGIWAP; 3538 iwe.u.ap_addr.sa_family = ARPHRD_ETHER; 3539 memcpy(iwe.u.ap_addr.sa_data, bss->pub.bssid, ETH_ALEN); 3540 current_ev = iwe_stream_add_event_check(info, current_ev, end_buf, &iwe, 3541 IW_EV_ADDR_LEN); 3542 if (IS_ERR(current_ev)) 3543 return current_ev; 3544 3545 memset(&iwe, 0, sizeof(iwe)); 3546 iwe.cmd = SIOCGIWFREQ; 3547 iwe.u.freq.m = ieee80211_frequency_to_channel(bss->pub.channel->center_freq); 3548 iwe.u.freq.e = 0; 3549 current_ev = iwe_stream_add_event_check(info, current_ev, end_buf, &iwe, 3550 IW_EV_FREQ_LEN); 3551 if (IS_ERR(current_ev)) 3552 return current_ev; 3553 3554 memset(&iwe, 0, sizeof(iwe)); 3555 iwe.cmd = SIOCGIWFREQ; 3556 iwe.u.freq.m = bss->pub.channel->center_freq; 3557 iwe.u.freq.e = 6; 3558 current_ev = iwe_stream_add_event_check(info, current_ev, end_buf, &iwe, 3559 IW_EV_FREQ_LEN); 3560 if (IS_ERR(current_ev)) 3561 return current_ev; 3562 3563 if (wiphy->signal_type != CFG80211_SIGNAL_TYPE_NONE) { 3564 memset(&iwe, 0, sizeof(iwe)); 3565 iwe.cmd = IWEVQUAL; 3566 iwe.u.qual.updated = IW_QUAL_LEVEL_UPDATED | 3567 IW_QUAL_NOISE_INVALID | 3568 IW_QUAL_QUAL_UPDATED; 3569 switch (wiphy->signal_type) { 3570 case CFG80211_SIGNAL_TYPE_MBM: 3571 sig = bss->pub.signal / 100; 3572 iwe.u.qual.level = sig; 3573 iwe.u.qual.updated |= IW_QUAL_DBM; 3574 if (sig < -110) /* rather bad */ 3575 sig = -110; 3576 else if (sig > -40) /* perfect */ 3577 sig = -40; 3578 /* will give a range of 0 .. 70 */ 3579 iwe.u.qual.qual = sig + 110; 3580 break; 3581 case CFG80211_SIGNAL_TYPE_UNSPEC: 3582 iwe.u.qual.level = bss->pub.signal; 3583 /* will give range 0 .. 100 */ 3584 iwe.u.qual.qual = bss->pub.signal; 3585 break; 3586 default: 3587 /* not reached */ 3588 break; 3589 } 3590 current_ev = iwe_stream_add_event_check(info, current_ev, 3591 end_buf, &iwe, 3592 IW_EV_QUAL_LEN); 3593 if (IS_ERR(current_ev)) 3594 return current_ev; 3595 } 3596 3597 memset(&iwe, 0, sizeof(iwe)); 3598 iwe.cmd = SIOCGIWENCODE; 3599 if (bss->pub.capability & WLAN_CAPABILITY_PRIVACY) 3600 iwe.u.data.flags = IW_ENCODE_ENABLED | IW_ENCODE_NOKEY; 3601 else 3602 iwe.u.data.flags = IW_ENCODE_DISABLED; 3603 iwe.u.data.length = 0; 3604 current_ev = iwe_stream_add_point_check(info, current_ev, end_buf, 3605 &iwe, ""); 3606 if (IS_ERR(current_ev)) 3607 return current_ev; 3608 3609 rcu_read_lock(); 3610 ies = rcu_dereference(bss->pub.ies); 3611 rem = ies->len; 3612 ie = ies->data; 3613 3614 while (rem >= 2) { 3615 /* invalid data */ 3616 if (ie[1] > rem - 2) 3617 break; 3618 3619 switch (ie[0]) { 3620 case WLAN_EID_SSID: 3621 memset(&iwe, 0, sizeof(iwe)); 3622 iwe.cmd = SIOCGIWESSID; 3623 iwe.u.data.length = ie[1]; 3624 iwe.u.data.flags = 1; 3625 current_ev = iwe_stream_add_point_check(info, 3626 current_ev, 3627 end_buf, &iwe, 3628 (u8 *)ie + 2); 3629 if (IS_ERR(current_ev)) 3630 goto unlock; 3631 break; 3632 case WLAN_EID_MESH_ID: 3633 memset(&iwe, 0, sizeof(iwe)); 3634 iwe.cmd = SIOCGIWESSID; 3635 iwe.u.data.length = ie[1]; 3636 iwe.u.data.flags = 1; 3637 current_ev = iwe_stream_add_point_check(info, 3638 current_ev, 3639 end_buf, &iwe, 3640 (u8 *)ie + 2); 3641 if (IS_ERR(current_ev)) 3642 goto unlock; 3643 break; 3644 case WLAN_EID_MESH_CONFIG: 3645 ismesh = true; 3646 if (ie[1] != sizeof(struct ieee80211_meshconf_ie)) 3647 break; 3648 cfg = (u8 *)ie + 2; 3649 memset(&iwe, 0, sizeof(iwe)); 3650 iwe.cmd = IWEVCUSTOM; 3651 iwe.u.data.length = sprintf(buf, 3652 "Mesh Network Path Selection Protocol ID: 0x%02X", 3653 cfg[0]); 3654 current_ev = iwe_stream_add_point_check(info, 3655 current_ev, 3656 end_buf, 3657 &iwe, buf); 3658 if (IS_ERR(current_ev)) 3659 goto unlock; 3660 iwe.u.data.length = sprintf(buf, 3661 "Path Selection Metric ID: 0x%02X", 3662 cfg[1]); 3663 current_ev = iwe_stream_add_point_check(info, 3664 current_ev, 3665 end_buf, 3666 &iwe, buf); 3667 if (IS_ERR(current_ev)) 3668 goto unlock; 3669 iwe.u.data.length = sprintf(buf, 3670 "Congestion Control Mode ID: 0x%02X", 3671 cfg[2]); 3672 current_ev = iwe_stream_add_point_check(info, 3673 current_ev, 3674 end_buf, 3675 &iwe, buf); 3676 if (IS_ERR(current_ev)) 3677 goto unlock; 3678 iwe.u.data.length = sprintf(buf, 3679 "Synchronization ID: 0x%02X", 3680 cfg[3]); 3681 current_ev = iwe_stream_add_point_check(info, 3682 current_ev, 3683 end_buf, 3684 &iwe, buf); 3685 if (IS_ERR(current_ev)) 3686 goto unlock; 3687 iwe.u.data.length = sprintf(buf, 3688 "Authentication ID: 0x%02X", 3689 cfg[4]); 3690 current_ev = iwe_stream_add_point_check(info, 3691 current_ev, 3692 end_buf, 3693 &iwe, buf); 3694 if (IS_ERR(current_ev)) 3695 goto unlock; 3696 iwe.u.data.length = sprintf(buf, 3697 "Formation Info: 0x%02X", 3698 cfg[5]); 3699 current_ev = iwe_stream_add_point_check(info, 3700 current_ev, 3701 end_buf, 3702 &iwe, buf); 3703 if (IS_ERR(current_ev)) 3704 goto unlock; 3705 iwe.u.data.length = sprintf(buf, 3706 "Capabilities: 0x%02X", 3707 cfg[6]); 3708 current_ev = iwe_stream_add_point_check(info, 3709 current_ev, 3710 end_buf, 3711 &iwe, buf); 3712 if (IS_ERR(current_ev)) 3713 goto unlock; 3714 break; 3715 case WLAN_EID_SUPP_RATES: 3716 case WLAN_EID_EXT_SUPP_RATES: 3717 /* display all supported rates in readable format */ 3718 p = current_ev + iwe_stream_lcp_len(info); 3719 3720 memset(&iwe, 0, sizeof(iwe)); 3721 iwe.cmd = SIOCGIWRATE; 3722 /* Those two flags are ignored... */ 3723 iwe.u.bitrate.fixed = iwe.u.bitrate.disabled = 0; 3724 3725 for (i = 0; i < ie[1]; i++) { 3726 iwe.u.bitrate.value = 3727 ((ie[i + 2] & 0x7f) * 500000); 3728 tmp = p; 3729 p = iwe_stream_add_value(info, current_ev, p, 3730 end_buf, &iwe, 3731 IW_EV_PARAM_LEN); 3732 if (p == tmp) { 3733 current_ev = ERR_PTR(-E2BIG); 3734 goto unlock; 3735 } 3736 } 3737 current_ev = p; 3738 break; 3739 } 3740 rem -= ie[1] + 2; 3741 ie += ie[1] + 2; 3742 } 3743 3744 if (bss->pub.capability & (WLAN_CAPABILITY_ESS | WLAN_CAPABILITY_IBSS) || 3745 ismesh) { 3746 memset(&iwe, 0, sizeof(iwe)); 3747 iwe.cmd = SIOCGIWMODE; 3748 if (ismesh) 3749 iwe.u.mode = IW_MODE_MESH; 3750 else if (bss->pub.capability & WLAN_CAPABILITY_ESS) 3751 iwe.u.mode = IW_MODE_MASTER; 3752 else 3753 iwe.u.mode = IW_MODE_ADHOC; 3754 current_ev = iwe_stream_add_event_check(info, current_ev, 3755 end_buf, &iwe, 3756 IW_EV_UINT_LEN); 3757 if (IS_ERR(current_ev)) 3758 goto unlock; 3759 } 3760 3761 memset(&iwe, 0, sizeof(iwe)); 3762 iwe.cmd = IWEVCUSTOM; 3763 iwe.u.data.length = sprintf(buf, "tsf=%016llx", 3764 (unsigned long long)(ies->tsf)); 3765 current_ev = iwe_stream_add_point_check(info, current_ev, end_buf, 3766 &iwe, buf); 3767 if (IS_ERR(current_ev)) 3768 goto unlock; 3769 memset(&iwe, 0, sizeof(iwe)); 3770 iwe.cmd = IWEVCUSTOM; 3771 iwe.u.data.length = sprintf(buf, " Last beacon: %ums ago", 3772 elapsed_jiffies_msecs(bss->ts)); 3773 current_ev = iwe_stream_add_point_check(info, current_ev, 3774 end_buf, &iwe, buf); 3775 if (IS_ERR(current_ev)) 3776 goto unlock; 3777 3778 current_ev = ieee80211_scan_add_ies(info, ies, current_ev, end_buf); 3779 3780 unlock: 3781 rcu_read_unlock(); 3782 return current_ev; 3783} 3784 3785 3786static int ieee80211_scan_results(struct cfg80211_registered_device *rdev, 3787 struct iw_request_info *info, 3788 char *buf, size_t len) 3789{ 3790 char *current_ev = buf; 3791 char *end_buf = buf + len; 3792 struct cfg80211_internal_bss *bss; 3793 int err = 0; 3794 3795 spin_lock_bh(&rdev->bss_lock); 3796 cfg80211_bss_expire(rdev); 3797 3798 list_for_each_entry(bss, &rdev->bss_list, list) { 3799 if (buf + len - current_ev <= IW_EV_ADDR_LEN) { 3800 err = -E2BIG; 3801 break; 3802 } 3803 current_ev = ieee80211_bss(&rdev->wiphy, info, bss, 3804 current_ev, end_buf); 3805 if (IS_ERR(current_ev)) { 3806 err = PTR_ERR(current_ev); 3807 break; 3808 } 3809 } 3810 spin_unlock_bh(&rdev->bss_lock); 3811 3812 if (err) 3813 return err; 3814 return current_ev - buf; 3815} 3816 3817 3818int cfg80211_wext_giwscan(struct net_device *dev, 3819 struct iw_request_info *info, 3820 union iwreq_data *wrqu, char *extra) 3821{ 3822 struct iw_point *data = &wrqu->data; 3823 struct cfg80211_registered_device *rdev; 3824 int res; 3825 3826 if (!netif_running(dev)) 3827 return -ENETDOWN; 3828 3829 rdev = cfg80211_get_dev_from_ifindex(dev_net(dev), dev->ifindex); 3830 3831 if (IS_ERR(rdev)) 3832 return PTR_ERR(rdev); 3833 3834 if (rdev->scan_req || rdev->scan_msg) 3835 return -EAGAIN; 3836 3837 res = ieee80211_scan_results(rdev, info, extra, data->length); 3838 data->length = 0; 3839 if (res >= 0) { 3840 data->length = res; 3841 res = 0; 3842 } 3843 3844 return res; 3845} 3846EXPORT_WEXT_HANDLER(cfg80211_wext_giwscan); 3847#endif 3848