1 // SPDX-License-Identifier: GPL-2.0 2 /* 3 * cfg80211 MLME SAP interface 4 * 5 * Copyright (c) 2009, Jouni Malinen <j@w1.fi> 6 * Copyright (c) 2015 Intel Deutschland GmbH 7 * Copyright (C) 2019-2020, 2022 Intel Corporation 8 */ 9 10 #include <linux/kernel.h> 11 #include <linux/module.h> 12 #include <linux/etherdevice.h> 13 #include <linux/netdevice.h> 14 #include <linux/nl80211.h> 15 #include <linux/slab.h> 16 #include <linux/wireless.h> 17 #include <net/cfg80211.h> 18 #include <net/iw_handler.h> 19 #include "core.h" 20 #include "nl80211.h" 21 #include "rdev-ops.h" 22 23 24 void cfg80211_rx_assoc_resp(struct net_device *dev, 25 struct cfg80211_rx_assoc_resp *data) 26 { 27 struct wireless_dev *wdev = dev->ieee80211_ptr; 28 struct wiphy *wiphy = wdev->wiphy; 29 struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy); 30 struct ieee80211_mgmt *mgmt = (struct ieee80211_mgmt *)data->buf; 31 struct cfg80211_connect_resp_params cr = { 32 .timeout_reason = NL80211_TIMEOUT_UNSPECIFIED, 33 .req_ie = data->req_ies, 34 .req_ie_len = data->req_ies_len, 35 .resp_ie = mgmt->u.assoc_resp.variable, 36 .resp_ie_len = data->len - 37 offsetof(struct ieee80211_mgmt, 38 u.assoc_resp.variable), 39 .status = le16_to_cpu(mgmt->u.assoc_resp.status_code), 40 .ap_mld_addr = data->ap_mld_addr, 41 }; 42 unsigned int link_id; 43 44 for (link_id = 0; link_id < ARRAY_SIZE(data->links); link_id++) { 45 cr.links[link_id].bss = data->links[link_id].bss; 46 if (!cr.links[link_id].bss) 47 continue; 48 cr.links[link_id].bssid = data->links[link_id].bss->bssid; 49 cr.links[link_id].addr = data->links[link_id].addr; 50 /* need to have local link addresses for MLO connections */ 51 WARN_ON(cr.ap_mld_addr && !cr.links[link_id].addr); 52 53 BUG_ON(!cr.links[link_id].bss->channel); 54 55 if (cr.links[link_id].bss->channel->band == NL80211_BAND_S1GHZ) { 56 WARN_ON(link_id); 57 cr.resp_ie = (u8 *)&mgmt->u.s1g_assoc_resp.variable; 58 cr.resp_ie_len = data->len - 59 offsetof(struct ieee80211_mgmt, 60 u.s1g_assoc_resp.variable); 61 } 62 63 if (cr.ap_mld_addr) 64 cr.valid_links |= BIT(link_id); 65 } 66 67 trace_cfg80211_send_rx_assoc(dev, data); 68 69 /* 70 * This is a bit of a hack, we don't notify userspace of 71 * a (re-)association reply if we tried to send a reassoc 72 * and got a reject -- we only try again with an assoc 73 * frame instead of reassoc. 74 */ 75 if (cfg80211_sme_rx_assoc_resp(wdev, cr.status)) { 76 for (link_id = 0; link_id < ARRAY_SIZE(data->links); link_id++) { 77 struct cfg80211_bss *bss = data->links[link_id].bss; 78 79 if (!bss) 80 continue; 81 82 cfg80211_unhold_bss(bss_from_pub(bss)); 83 cfg80211_put_bss(wiphy, bss); 84 } 85 return; 86 } 87 88 nl80211_send_rx_assoc(rdev, dev, data); 89 /* update current_bss etc., consumes the bss reference */ 90 __cfg80211_connect_result(dev, &cr, cr.status == WLAN_STATUS_SUCCESS); 91 } 92 EXPORT_SYMBOL(cfg80211_rx_assoc_resp); 93 94 static void cfg80211_process_auth(struct wireless_dev *wdev, 95 const u8 *buf, size_t len) 96 { 97 struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy); 98 99 nl80211_send_rx_auth(rdev, wdev->netdev, buf, len, GFP_KERNEL); 100 cfg80211_sme_rx_auth(wdev, buf, len); 101 } 102 103 static void cfg80211_process_deauth(struct wireless_dev *wdev, 104 const u8 *buf, size_t len, 105 bool reconnect) 106 { 107 struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy); 108 struct ieee80211_mgmt *mgmt = (struct ieee80211_mgmt *)buf; 109 const u8 *bssid = mgmt->bssid; 110 u16 reason_code = le16_to_cpu(mgmt->u.deauth.reason_code); 111 bool from_ap = !ether_addr_equal(mgmt->sa, wdev->netdev->dev_addr); 112 113 nl80211_send_deauth(rdev, wdev->netdev, buf, len, reconnect, GFP_KERNEL); 114 115 if (!wdev->connected || !ether_addr_equal(wdev->u.client.connected_addr, bssid)) 116 return; 117 118 __cfg80211_disconnected(wdev->netdev, NULL, 0, reason_code, from_ap); 119 cfg80211_sme_deauth(wdev); 120 } 121 122 static void cfg80211_process_disassoc(struct wireless_dev *wdev, 123 const u8 *buf, size_t len, 124 bool reconnect) 125 { 126 struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy); 127 struct ieee80211_mgmt *mgmt = (struct ieee80211_mgmt *)buf; 128 const u8 *bssid = mgmt->bssid; 129 u16 reason_code = le16_to_cpu(mgmt->u.disassoc.reason_code); 130 bool from_ap = !ether_addr_equal(mgmt->sa, wdev->netdev->dev_addr); 131 132 nl80211_send_disassoc(rdev, wdev->netdev, buf, len, reconnect, 133 GFP_KERNEL); 134 135 if (WARN_ON(!wdev->connected || 136 !ether_addr_equal(wdev->u.client.connected_addr, bssid))) 137 return; 138 139 __cfg80211_disconnected(wdev->netdev, NULL, 0, reason_code, from_ap); 140 cfg80211_sme_disassoc(wdev); 141 } 142 143 void cfg80211_rx_mlme_mgmt(struct net_device *dev, const u8 *buf, size_t len) 144 { 145 struct wireless_dev *wdev = dev->ieee80211_ptr; 146 struct ieee80211_mgmt *mgmt = (void *)buf; 147 148 ASSERT_WDEV_LOCK(wdev); 149 150 trace_cfg80211_rx_mlme_mgmt(dev, buf, len); 151 152 if (WARN_ON(len < 2)) 153 return; 154 155 if (ieee80211_is_auth(mgmt->frame_control)) 156 cfg80211_process_auth(wdev, buf, len); 157 else if (ieee80211_is_deauth(mgmt->frame_control)) 158 cfg80211_process_deauth(wdev, buf, len, false); 159 else if (ieee80211_is_disassoc(mgmt->frame_control)) 160 cfg80211_process_disassoc(wdev, buf, len, false); 161 } 162 EXPORT_SYMBOL(cfg80211_rx_mlme_mgmt); 163 164 void cfg80211_auth_timeout(struct net_device *dev, const u8 *addr) 165 { 166 struct wireless_dev *wdev = dev->ieee80211_ptr; 167 struct wiphy *wiphy = wdev->wiphy; 168 struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy); 169 170 trace_cfg80211_send_auth_timeout(dev, addr); 171 172 nl80211_send_auth_timeout(rdev, dev, addr, GFP_KERNEL); 173 cfg80211_sme_auth_timeout(wdev); 174 } 175 EXPORT_SYMBOL(cfg80211_auth_timeout); 176 177 void cfg80211_assoc_failure(struct net_device *dev, 178 struct cfg80211_assoc_failure *data) 179 { 180 struct wireless_dev *wdev = dev->ieee80211_ptr; 181 struct wiphy *wiphy = wdev->wiphy; 182 struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy); 183 const u8 *addr = data->ap_mld_addr ?: data->bss[0]->bssid; 184 int i; 185 186 trace_cfg80211_send_assoc_failure(dev, data); 187 188 if (data->timeout) { 189 nl80211_send_assoc_timeout(rdev, dev, addr, GFP_KERNEL); 190 cfg80211_sme_assoc_timeout(wdev); 191 } else { 192 cfg80211_sme_abandon_assoc(wdev); 193 } 194 195 for (i = 0; i < ARRAY_SIZE(data->bss); i++) { 196 struct cfg80211_bss *bss = data->bss[i]; 197 198 if (!bss) 199 continue; 200 201 cfg80211_unhold_bss(bss_from_pub(bss)); 202 cfg80211_put_bss(wiphy, bss); 203 } 204 } 205 EXPORT_SYMBOL(cfg80211_assoc_failure); 206 207 void cfg80211_tx_mlme_mgmt(struct net_device *dev, const u8 *buf, size_t len, 208 bool reconnect) 209 { 210 struct wireless_dev *wdev = dev->ieee80211_ptr; 211 struct ieee80211_mgmt *mgmt = (void *)buf; 212 213 ASSERT_WDEV_LOCK(wdev); 214 215 trace_cfg80211_tx_mlme_mgmt(dev, buf, len, reconnect); 216 217 if (WARN_ON(len < 2)) 218 return; 219 220 if (ieee80211_is_deauth(mgmt->frame_control)) 221 cfg80211_process_deauth(wdev, buf, len, reconnect); 222 else 223 cfg80211_process_disassoc(wdev, buf, len, reconnect); 224 } 225 EXPORT_SYMBOL(cfg80211_tx_mlme_mgmt); 226 227 void cfg80211_michael_mic_failure(struct net_device *dev, const u8 *addr, 228 enum nl80211_key_type key_type, int key_id, 229 const u8 *tsc, gfp_t gfp) 230 { 231 struct wiphy *wiphy = dev->ieee80211_ptr->wiphy; 232 struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy); 233 #ifdef CONFIG_CFG80211_WEXT 234 union iwreq_data wrqu; 235 char *buf = kmalloc(128, gfp); 236 237 if (buf) { 238 sprintf(buf, "MLME-MICHAELMICFAILURE.indication(" 239 "keyid=%d %scast addr=%pM)", key_id, 240 key_type == NL80211_KEYTYPE_GROUP ? "broad" : "uni", 241 addr); 242 memset(&wrqu, 0, sizeof(wrqu)); 243 wrqu.data.length = strlen(buf); 244 wireless_send_event(dev, IWEVCUSTOM, &wrqu, buf); 245 kfree(buf); 246 } 247 #endif 248 249 trace_cfg80211_michael_mic_failure(dev, addr, key_type, key_id, tsc); 250 nl80211_michael_mic_failure(rdev, dev, addr, key_type, key_id, tsc, gfp); 251 } 252 EXPORT_SYMBOL(cfg80211_michael_mic_failure); 253 254 /* some MLME handling for userspace SME */ 255 int cfg80211_mlme_auth(struct cfg80211_registered_device *rdev, 256 struct net_device *dev, 257 struct cfg80211_auth_request *req) 258 { 259 struct wireless_dev *wdev = dev->ieee80211_ptr; 260 261 ASSERT_WDEV_LOCK(wdev); 262 263 if (!req->bss) 264 return -ENOENT; 265 266 if (req->link_id >= 0 && 267 !(wdev->wiphy->flags & WIPHY_FLAG_SUPPORTS_MLO)) 268 return -EINVAL; 269 270 if (req->auth_type == NL80211_AUTHTYPE_SHARED_KEY) { 271 if (!req->key || !req->key_len || 272 req->key_idx < 0 || req->key_idx > 3) 273 return -EINVAL; 274 } 275 276 if (wdev->connected && 277 ether_addr_equal(req->bss->bssid, wdev->u.client.connected_addr)) 278 return -EALREADY; 279 280 return rdev_auth(rdev, dev, req); 281 } 282 283 /* Do a logical ht_capa &= ht_capa_mask. */ 284 void cfg80211_oper_and_ht_capa(struct ieee80211_ht_cap *ht_capa, 285 const struct ieee80211_ht_cap *ht_capa_mask) 286 { 287 int i; 288 u8 *p1, *p2; 289 if (!ht_capa_mask) { 290 memset(ht_capa, 0, sizeof(*ht_capa)); 291 return; 292 } 293 294 p1 = (u8*)(ht_capa); 295 p2 = (u8*)(ht_capa_mask); 296 for (i = 0; i < sizeof(*ht_capa); i++) 297 p1[i] &= p2[i]; 298 } 299 300 /* Do a logical vht_capa &= vht_capa_mask. */ 301 void cfg80211_oper_and_vht_capa(struct ieee80211_vht_cap *vht_capa, 302 const struct ieee80211_vht_cap *vht_capa_mask) 303 { 304 int i; 305 u8 *p1, *p2; 306 if (!vht_capa_mask) { 307 memset(vht_capa, 0, sizeof(*vht_capa)); 308 return; 309 } 310 311 p1 = (u8*)(vht_capa); 312 p2 = (u8*)(vht_capa_mask); 313 for (i = 0; i < sizeof(*vht_capa); i++) 314 p1[i] &= p2[i]; 315 } 316 317 /* Note: caller must cfg80211_put_bss() regardless of result */ 318 int cfg80211_mlme_assoc(struct cfg80211_registered_device *rdev, 319 struct net_device *dev, 320 struct cfg80211_assoc_request *req) 321 { 322 struct wireless_dev *wdev = dev->ieee80211_ptr; 323 int err, i, j; 324 325 ASSERT_WDEV_LOCK(wdev); 326 327 for (i = 1; i < ARRAY_SIZE(req->links); i++) { 328 if (!req->links[i].bss) 329 continue; 330 for (j = 0; j < i; j++) { 331 if (req->links[i].bss == req->links[j].bss) 332 return -EINVAL; 333 } 334 } 335 336 if (wdev->connected && 337 (!req->prev_bssid || 338 !ether_addr_equal(wdev->u.client.connected_addr, req->prev_bssid))) 339 return -EALREADY; 340 341 cfg80211_oper_and_ht_capa(&req->ht_capa_mask, 342 rdev->wiphy.ht_capa_mod_mask); 343 cfg80211_oper_and_vht_capa(&req->vht_capa_mask, 344 rdev->wiphy.vht_capa_mod_mask); 345 346 err = rdev_assoc(rdev, dev, req); 347 if (!err) { 348 int link_id; 349 350 if (req->bss) { 351 cfg80211_ref_bss(&rdev->wiphy, req->bss); 352 cfg80211_hold_bss(bss_from_pub(req->bss)); 353 } 354 355 for (link_id = 0; link_id < ARRAY_SIZE(req->links); link_id++) { 356 if (!req->links[link_id].bss) 357 continue; 358 cfg80211_ref_bss(&rdev->wiphy, req->links[link_id].bss); 359 cfg80211_hold_bss(bss_from_pub(req->links[link_id].bss)); 360 } 361 } 362 return err; 363 } 364 365 int cfg80211_mlme_deauth(struct cfg80211_registered_device *rdev, 366 struct net_device *dev, const u8 *bssid, 367 const u8 *ie, int ie_len, u16 reason, 368 bool local_state_change) 369 { 370 struct wireless_dev *wdev = dev->ieee80211_ptr; 371 struct cfg80211_deauth_request req = { 372 .bssid = bssid, 373 .reason_code = reason, 374 .ie = ie, 375 .ie_len = ie_len, 376 .local_state_change = local_state_change, 377 }; 378 379 ASSERT_WDEV_LOCK(wdev); 380 381 if (local_state_change && 382 (!wdev->connected || 383 !ether_addr_equal(wdev->u.client.connected_addr, bssid))) 384 return 0; 385 386 if (ether_addr_equal(wdev->disconnect_bssid, bssid) || 387 (wdev->connected && 388 ether_addr_equal(wdev->u.client.connected_addr, bssid))) 389 wdev->conn_owner_nlportid = 0; 390 391 return rdev_deauth(rdev, dev, &req); 392 } 393 394 int cfg80211_mlme_disassoc(struct cfg80211_registered_device *rdev, 395 struct net_device *dev, const u8 *ap_addr, 396 const u8 *ie, int ie_len, u16 reason, 397 bool local_state_change) 398 { 399 struct wireless_dev *wdev = dev->ieee80211_ptr; 400 struct cfg80211_disassoc_request req = { 401 .reason_code = reason, 402 .local_state_change = local_state_change, 403 .ie = ie, 404 .ie_len = ie_len, 405 .ap_addr = ap_addr, 406 }; 407 int err; 408 409 ASSERT_WDEV_LOCK(wdev); 410 411 if (!wdev->connected) 412 return -ENOTCONN; 413 414 if (memcmp(wdev->u.client.connected_addr, ap_addr, ETH_ALEN)) 415 return -ENOTCONN; 416 417 err = rdev_disassoc(rdev, dev, &req); 418 if (err) 419 return err; 420 421 /* driver should have reported the disassoc */ 422 WARN_ON(wdev->connected); 423 return 0; 424 } 425 426 void cfg80211_mlme_down(struct cfg80211_registered_device *rdev, 427 struct net_device *dev) 428 { 429 struct wireless_dev *wdev = dev->ieee80211_ptr; 430 u8 bssid[ETH_ALEN]; 431 432 ASSERT_WDEV_LOCK(wdev); 433 434 if (!rdev->ops->deauth) 435 return; 436 437 if (!wdev->connected) 438 return; 439 440 memcpy(bssid, wdev->u.client.connected_addr, ETH_ALEN); 441 cfg80211_mlme_deauth(rdev, dev, bssid, NULL, 0, 442 WLAN_REASON_DEAUTH_LEAVING, false); 443 } 444 445 struct cfg80211_mgmt_registration { 446 struct list_head list; 447 struct wireless_dev *wdev; 448 449 u32 nlportid; 450 451 int match_len; 452 453 __le16 frame_type; 454 455 bool multicast_rx; 456 457 u8 match[]; 458 }; 459 460 static void cfg80211_mgmt_registrations_update(struct wireless_dev *wdev) 461 { 462 struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy); 463 struct wireless_dev *tmp; 464 struct cfg80211_mgmt_registration *reg; 465 struct mgmt_frame_regs upd = {}; 466 467 lockdep_assert_held(&rdev->wiphy.mtx); 468 469 spin_lock_bh(&rdev->mgmt_registrations_lock); 470 if (!wdev->mgmt_registrations_need_update) { 471 spin_unlock_bh(&rdev->mgmt_registrations_lock); 472 return; 473 } 474 475 rcu_read_lock(); 476 list_for_each_entry_rcu(tmp, &rdev->wiphy.wdev_list, list) { 477 list_for_each_entry(reg, &tmp->mgmt_registrations, list) { 478 u32 mask = BIT(le16_to_cpu(reg->frame_type) >> 4); 479 u32 mcast_mask = 0; 480 481 if (reg->multicast_rx) 482 mcast_mask = mask; 483 484 upd.global_stypes |= mask; 485 upd.global_mcast_stypes |= mcast_mask; 486 487 if (tmp == wdev) { 488 upd.interface_stypes |= mask; 489 upd.interface_mcast_stypes |= mcast_mask; 490 } 491 } 492 } 493 rcu_read_unlock(); 494 495 wdev->mgmt_registrations_need_update = 0; 496 spin_unlock_bh(&rdev->mgmt_registrations_lock); 497 498 rdev_update_mgmt_frame_registrations(rdev, wdev, &upd); 499 } 500 501 void cfg80211_mgmt_registrations_update_wk(struct work_struct *wk) 502 { 503 struct cfg80211_registered_device *rdev; 504 struct wireless_dev *wdev; 505 506 rdev = container_of(wk, struct cfg80211_registered_device, 507 mgmt_registrations_update_wk); 508 509 wiphy_lock(&rdev->wiphy); 510 list_for_each_entry(wdev, &rdev->wiphy.wdev_list, list) 511 cfg80211_mgmt_registrations_update(wdev); 512 wiphy_unlock(&rdev->wiphy); 513 } 514 515 int cfg80211_mlme_register_mgmt(struct wireless_dev *wdev, u32 snd_portid, 516 u16 frame_type, const u8 *match_data, 517 int match_len, bool multicast_rx, 518 struct netlink_ext_ack *extack) 519 { 520 struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy); 521 struct cfg80211_mgmt_registration *reg, *nreg; 522 int err = 0; 523 u16 mgmt_type; 524 bool update_multicast = false; 525 526 if (!wdev->wiphy->mgmt_stypes) 527 return -EOPNOTSUPP; 528 529 if ((frame_type & IEEE80211_FCTL_FTYPE) != IEEE80211_FTYPE_MGMT) { 530 NL_SET_ERR_MSG(extack, "frame type not management"); 531 return -EINVAL; 532 } 533 534 if (frame_type & ~(IEEE80211_FCTL_FTYPE | IEEE80211_FCTL_STYPE)) { 535 NL_SET_ERR_MSG(extack, "Invalid frame type"); 536 return -EINVAL; 537 } 538 539 mgmt_type = (frame_type & IEEE80211_FCTL_STYPE) >> 4; 540 if (!(wdev->wiphy->mgmt_stypes[wdev->iftype].rx & BIT(mgmt_type))) { 541 NL_SET_ERR_MSG(extack, 542 "Registration to specific type not supported"); 543 return -EINVAL; 544 } 545 546 /* 547 * To support Pre Association Security Negotiation (PASN), registration 548 * for authentication frames should be supported. However, as some 549 * versions of the user space daemons wrongly register to all types of 550 * authentication frames (which might result in unexpected behavior) 551 * allow such registration if the request is for a specific 552 * authentication algorithm number. 553 */ 554 if (wdev->iftype == NL80211_IFTYPE_STATION && 555 (frame_type & IEEE80211_FCTL_STYPE) == IEEE80211_STYPE_AUTH && 556 !(match_data && match_len >= 2)) { 557 NL_SET_ERR_MSG(extack, 558 "Authentication algorithm number required"); 559 return -EINVAL; 560 } 561 562 nreg = kzalloc(sizeof(*reg) + match_len, GFP_KERNEL); 563 if (!nreg) 564 return -ENOMEM; 565 566 spin_lock_bh(&rdev->mgmt_registrations_lock); 567 568 list_for_each_entry(reg, &wdev->mgmt_registrations, list) { 569 int mlen = min(match_len, reg->match_len); 570 571 if (frame_type != le16_to_cpu(reg->frame_type)) 572 continue; 573 574 if (memcmp(reg->match, match_data, mlen) == 0) { 575 if (reg->multicast_rx != multicast_rx) { 576 update_multicast = true; 577 reg->multicast_rx = multicast_rx; 578 break; 579 } 580 NL_SET_ERR_MSG(extack, "Match already configured"); 581 err = -EALREADY; 582 break; 583 } 584 } 585 586 if (err) 587 goto out; 588 589 if (update_multicast) { 590 kfree(nreg); 591 } else { 592 memcpy(nreg->match, match_data, match_len); 593 nreg->match_len = match_len; 594 nreg->nlportid = snd_portid; 595 nreg->frame_type = cpu_to_le16(frame_type); 596 nreg->wdev = wdev; 597 nreg->multicast_rx = multicast_rx; 598 list_add(&nreg->list, &wdev->mgmt_registrations); 599 } 600 wdev->mgmt_registrations_need_update = 1; 601 spin_unlock_bh(&rdev->mgmt_registrations_lock); 602 603 cfg80211_mgmt_registrations_update(wdev); 604 605 return 0; 606 607 out: 608 kfree(nreg); 609 spin_unlock_bh(&rdev->mgmt_registrations_lock); 610 611 return err; 612 } 613 614 void cfg80211_mlme_unregister_socket(struct wireless_dev *wdev, u32 nlportid) 615 { 616 struct wiphy *wiphy = wdev->wiphy; 617 struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy); 618 struct cfg80211_mgmt_registration *reg, *tmp; 619 620 spin_lock_bh(&rdev->mgmt_registrations_lock); 621 622 list_for_each_entry_safe(reg, tmp, &wdev->mgmt_registrations, list) { 623 if (reg->nlportid != nlportid) 624 continue; 625 626 list_del(®->list); 627 kfree(reg); 628 629 wdev->mgmt_registrations_need_update = 1; 630 schedule_work(&rdev->mgmt_registrations_update_wk); 631 } 632 633 spin_unlock_bh(&rdev->mgmt_registrations_lock); 634 635 if (nlportid && rdev->crit_proto_nlportid == nlportid) { 636 rdev->crit_proto_nlportid = 0; 637 rdev_crit_proto_stop(rdev, wdev); 638 } 639 640 if (nlportid == wdev->ap_unexpected_nlportid) 641 wdev->ap_unexpected_nlportid = 0; 642 } 643 644 void cfg80211_mlme_purge_registrations(struct wireless_dev *wdev) 645 { 646 struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy); 647 struct cfg80211_mgmt_registration *reg, *tmp; 648 649 spin_lock_bh(&rdev->mgmt_registrations_lock); 650 list_for_each_entry_safe(reg, tmp, &wdev->mgmt_registrations, list) { 651 list_del(®->list); 652 kfree(reg); 653 } 654 wdev->mgmt_registrations_need_update = 1; 655 spin_unlock_bh(&rdev->mgmt_registrations_lock); 656 657 cfg80211_mgmt_registrations_update(wdev); 658 } 659 660 static bool cfg80211_allowed_address(struct wireless_dev *wdev, const u8 *addr) 661 { 662 int i; 663 664 for_each_valid_link(wdev, i) { 665 if (ether_addr_equal(addr, wdev->links[i].addr)) 666 return true; 667 } 668 669 return ether_addr_equal(addr, wdev_address(wdev)); 670 } 671 672 int cfg80211_mlme_mgmt_tx(struct cfg80211_registered_device *rdev, 673 struct wireless_dev *wdev, 674 struct cfg80211_mgmt_tx_params *params, u64 *cookie) 675 { 676 const struct ieee80211_mgmt *mgmt; 677 u16 stype; 678 679 if (!wdev->wiphy->mgmt_stypes) 680 return -EOPNOTSUPP; 681 682 if (!rdev->ops->mgmt_tx) 683 return -EOPNOTSUPP; 684 685 if (params->len < 24 + 1) 686 return -EINVAL; 687 688 mgmt = (const struct ieee80211_mgmt *)params->buf; 689 690 if (!ieee80211_is_mgmt(mgmt->frame_control)) 691 return -EINVAL; 692 693 stype = le16_to_cpu(mgmt->frame_control) & IEEE80211_FCTL_STYPE; 694 if (!(wdev->wiphy->mgmt_stypes[wdev->iftype].tx & BIT(stype >> 4))) 695 return -EINVAL; 696 697 if (ieee80211_is_action(mgmt->frame_control) && 698 mgmt->u.action.category != WLAN_CATEGORY_PUBLIC) { 699 int err = 0; 700 701 wdev_lock(wdev); 702 703 switch (wdev->iftype) { 704 case NL80211_IFTYPE_ADHOC: 705 /* 706 * check for IBSS DA must be done by driver as 707 * cfg80211 doesn't track the stations 708 */ 709 if (!wdev->u.ibss.current_bss || 710 !ether_addr_equal(wdev->u.ibss.current_bss->pub.bssid, 711 mgmt->bssid)) { 712 err = -ENOTCONN; 713 break; 714 } 715 break; 716 case NL80211_IFTYPE_STATION: 717 case NL80211_IFTYPE_P2P_CLIENT: 718 if (!wdev->connected) { 719 err = -ENOTCONN; 720 break; 721 } 722 723 /* FIXME: MLD may address this differently */ 724 725 if (!ether_addr_equal(wdev->u.client.connected_addr, 726 mgmt->bssid)) { 727 err = -ENOTCONN; 728 break; 729 } 730 731 /* for station, check that DA is the AP */ 732 if (!ether_addr_equal(wdev->u.client.connected_addr, 733 mgmt->da)) { 734 err = -ENOTCONN; 735 break; 736 } 737 break; 738 case NL80211_IFTYPE_AP: 739 case NL80211_IFTYPE_P2P_GO: 740 case NL80211_IFTYPE_AP_VLAN: 741 if (!ether_addr_equal(mgmt->bssid, wdev_address(wdev))) 742 err = -EINVAL; 743 break; 744 case NL80211_IFTYPE_MESH_POINT: 745 if (!ether_addr_equal(mgmt->sa, mgmt->bssid)) { 746 err = -EINVAL; 747 break; 748 } 749 /* 750 * check for mesh DA must be done by driver as 751 * cfg80211 doesn't track the stations 752 */ 753 break; 754 case NL80211_IFTYPE_P2P_DEVICE: 755 /* 756 * fall through, P2P device only supports 757 * public action frames 758 */ 759 case NL80211_IFTYPE_NAN: 760 default: 761 err = -EOPNOTSUPP; 762 break; 763 } 764 wdev_unlock(wdev); 765 766 if (err) 767 return err; 768 } 769 770 if (!cfg80211_allowed_address(wdev, mgmt->sa)) { 771 /* Allow random TA to be used with Public Action frames if the 772 * driver has indicated support for this. Otherwise, only allow 773 * the local address to be used. 774 */ 775 if (!ieee80211_is_action(mgmt->frame_control) || 776 mgmt->u.action.category != WLAN_CATEGORY_PUBLIC) 777 return -EINVAL; 778 if (!wdev->connected && 779 !wiphy_ext_feature_isset( 780 &rdev->wiphy, 781 NL80211_EXT_FEATURE_MGMT_TX_RANDOM_TA)) 782 return -EINVAL; 783 if (wdev->connected && 784 !wiphy_ext_feature_isset( 785 &rdev->wiphy, 786 NL80211_EXT_FEATURE_MGMT_TX_RANDOM_TA_CONNECTED)) 787 return -EINVAL; 788 } 789 790 /* Transmit the management frame as requested by user space */ 791 return rdev_mgmt_tx(rdev, wdev, params, cookie); 792 } 793 794 bool cfg80211_rx_mgmt_ext(struct wireless_dev *wdev, 795 struct cfg80211_rx_info *info) 796 { 797 struct wiphy *wiphy = wdev->wiphy; 798 struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy); 799 struct cfg80211_mgmt_registration *reg; 800 const struct ieee80211_txrx_stypes *stypes = 801 &wiphy->mgmt_stypes[wdev->iftype]; 802 struct ieee80211_mgmt *mgmt = (void *)info->buf; 803 const u8 *data; 804 int data_len; 805 bool result = false; 806 __le16 ftype = mgmt->frame_control & 807 cpu_to_le16(IEEE80211_FCTL_FTYPE | IEEE80211_FCTL_STYPE); 808 u16 stype; 809 810 trace_cfg80211_rx_mgmt(wdev, info); 811 stype = (le16_to_cpu(mgmt->frame_control) & IEEE80211_FCTL_STYPE) >> 4; 812 813 if (!(stypes->rx & BIT(stype))) { 814 trace_cfg80211_return_bool(false); 815 return false; 816 } 817 818 data = info->buf + ieee80211_hdrlen(mgmt->frame_control); 819 data_len = info->len - ieee80211_hdrlen(mgmt->frame_control); 820 821 spin_lock_bh(&rdev->mgmt_registrations_lock); 822 823 list_for_each_entry(reg, &wdev->mgmt_registrations, list) { 824 if (reg->frame_type != ftype) 825 continue; 826 827 if (reg->match_len > data_len) 828 continue; 829 830 if (memcmp(reg->match, data, reg->match_len)) 831 continue; 832 833 /* found match! */ 834 835 /* Indicate the received Action frame to user space */ 836 if (nl80211_send_mgmt(rdev, wdev, reg->nlportid, info, 837 GFP_ATOMIC)) 838 continue; 839 840 result = true; 841 break; 842 } 843 844 spin_unlock_bh(&rdev->mgmt_registrations_lock); 845 846 trace_cfg80211_return_bool(result); 847 return result; 848 } 849 EXPORT_SYMBOL(cfg80211_rx_mgmt_ext); 850 851 void cfg80211_sched_dfs_chan_update(struct cfg80211_registered_device *rdev) 852 { 853 cancel_delayed_work(&rdev->dfs_update_channels_wk); 854 queue_delayed_work(cfg80211_wq, &rdev->dfs_update_channels_wk, 0); 855 } 856 857 void cfg80211_dfs_channels_update_work(struct work_struct *work) 858 { 859 struct delayed_work *delayed_work = to_delayed_work(work); 860 struct cfg80211_registered_device *rdev; 861 struct cfg80211_chan_def chandef; 862 struct ieee80211_supported_band *sband; 863 struct ieee80211_channel *c; 864 struct wiphy *wiphy; 865 bool check_again = false; 866 unsigned long timeout, next_time = 0; 867 unsigned long time_dfs_update; 868 enum nl80211_radar_event radar_event; 869 int bandid, i; 870 871 rdev = container_of(delayed_work, struct cfg80211_registered_device, 872 dfs_update_channels_wk); 873 wiphy = &rdev->wiphy; 874 875 rtnl_lock(); 876 for (bandid = 0; bandid < NUM_NL80211_BANDS; bandid++) { 877 sband = wiphy->bands[bandid]; 878 if (!sband) 879 continue; 880 881 for (i = 0; i < sband->n_channels; i++) { 882 c = &sband->channels[i]; 883 884 if (!(c->flags & IEEE80211_CHAN_RADAR)) 885 continue; 886 887 if (c->dfs_state != NL80211_DFS_UNAVAILABLE && 888 c->dfs_state != NL80211_DFS_AVAILABLE) 889 continue; 890 891 if (c->dfs_state == NL80211_DFS_UNAVAILABLE) { 892 time_dfs_update = IEEE80211_DFS_MIN_NOP_TIME_MS; 893 radar_event = NL80211_RADAR_NOP_FINISHED; 894 } else { 895 if (regulatory_pre_cac_allowed(wiphy) || 896 cfg80211_any_wiphy_oper_chan(wiphy, c)) 897 continue; 898 899 time_dfs_update = REG_PRE_CAC_EXPIRY_GRACE_MS; 900 radar_event = NL80211_RADAR_PRE_CAC_EXPIRED; 901 } 902 903 timeout = c->dfs_state_entered + 904 msecs_to_jiffies(time_dfs_update); 905 906 if (time_after_eq(jiffies, timeout)) { 907 c->dfs_state = NL80211_DFS_USABLE; 908 c->dfs_state_entered = jiffies; 909 910 cfg80211_chandef_create(&chandef, c, 911 NL80211_CHAN_NO_HT); 912 913 nl80211_radar_notify(rdev, &chandef, 914 radar_event, NULL, 915 GFP_ATOMIC); 916 917 regulatory_propagate_dfs_state(wiphy, &chandef, 918 c->dfs_state, 919 radar_event); 920 continue; 921 } 922 923 if (!check_again) 924 next_time = timeout - jiffies; 925 else 926 next_time = min(next_time, timeout - jiffies); 927 check_again = true; 928 } 929 } 930 rtnl_unlock(); 931 932 /* reschedule if there are other channels waiting to be cleared again */ 933 if (check_again) 934 queue_delayed_work(cfg80211_wq, &rdev->dfs_update_channels_wk, 935 next_time); 936 } 937 938 939 void __cfg80211_radar_event(struct wiphy *wiphy, 940 struct cfg80211_chan_def *chandef, 941 bool offchan, gfp_t gfp) 942 { 943 struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy); 944 945 trace_cfg80211_radar_event(wiphy, chandef, offchan); 946 947 /* only set the chandef supplied channel to unavailable, in 948 * case the radar is detected on only one of multiple channels 949 * spanned by the chandef. 950 */ 951 cfg80211_set_dfs_state(wiphy, chandef, NL80211_DFS_UNAVAILABLE); 952 953 if (offchan) 954 queue_work(cfg80211_wq, &rdev->background_cac_abort_wk); 955 956 cfg80211_sched_dfs_chan_update(rdev); 957 958 nl80211_radar_notify(rdev, chandef, NL80211_RADAR_DETECTED, NULL, gfp); 959 960 memcpy(&rdev->radar_chandef, chandef, sizeof(struct cfg80211_chan_def)); 961 queue_work(cfg80211_wq, &rdev->propagate_radar_detect_wk); 962 } 963 EXPORT_SYMBOL(__cfg80211_radar_event); 964 965 void cfg80211_cac_event(struct net_device *netdev, 966 const struct cfg80211_chan_def *chandef, 967 enum nl80211_radar_event event, gfp_t gfp) 968 { 969 struct wireless_dev *wdev = netdev->ieee80211_ptr; 970 struct wiphy *wiphy = wdev->wiphy; 971 struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy); 972 unsigned long timeout; 973 974 /* not yet supported */ 975 if (wdev->valid_links) 976 return; 977 978 trace_cfg80211_cac_event(netdev, event); 979 980 if (WARN_ON(!wdev->cac_started && event != NL80211_RADAR_CAC_STARTED)) 981 return; 982 983 switch (event) { 984 case NL80211_RADAR_CAC_FINISHED: 985 timeout = wdev->cac_start_time + 986 msecs_to_jiffies(wdev->cac_time_ms); 987 WARN_ON(!time_after_eq(jiffies, timeout)); 988 cfg80211_set_dfs_state(wiphy, chandef, NL80211_DFS_AVAILABLE); 989 memcpy(&rdev->cac_done_chandef, chandef, 990 sizeof(struct cfg80211_chan_def)); 991 queue_work(cfg80211_wq, &rdev->propagate_cac_done_wk); 992 cfg80211_sched_dfs_chan_update(rdev); 993 fallthrough; 994 case NL80211_RADAR_CAC_ABORTED: 995 wdev->cac_started = false; 996 break; 997 case NL80211_RADAR_CAC_STARTED: 998 wdev->cac_started = true; 999 break; 1000 default: 1001 WARN_ON(1); 1002 return; 1003 } 1004 1005 nl80211_radar_notify(rdev, chandef, event, netdev, gfp); 1006 } 1007 EXPORT_SYMBOL(cfg80211_cac_event); 1008 1009 static void 1010 __cfg80211_background_cac_event(struct cfg80211_registered_device *rdev, 1011 struct wireless_dev *wdev, 1012 const struct cfg80211_chan_def *chandef, 1013 enum nl80211_radar_event event) 1014 { 1015 struct wiphy *wiphy = &rdev->wiphy; 1016 struct net_device *netdev; 1017 1018 lockdep_assert_wiphy(&rdev->wiphy); 1019 1020 if (!cfg80211_chandef_valid(chandef)) 1021 return; 1022 1023 if (!rdev->background_radar_wdev) 1024 return; 1025 1026 switch (event) { 1027 case NL80211_RADAR_CAC_FINISHED: 1028 cfg80211_set_dfs_state(wiphy, chandef, NL80211_DFS_AVAILABLE); 1029 memcpy(&rdev->cac_done_chandef, chandef, sizeof(*chandef)); 1030 queue_work(cfg80211_wq, &rdev->propagate_cac_done_wk); 1031 cfg80211_sched_dfs_chan_update(rdev); 1032 wdev = rdev->background_radar_wdev; 1033 break; 1034 case NL80211_RADAR_CAC_ABORTED: 1035 if (!cancel_delayed_work(&rdev->background_cac_done_wk)) 1036 return; 1037 wdev = rdev->background_radar_wdev; 1038 break; 1039 case NL80211_RADAR_CAC_STARTED: 1040 break; 1041 default: 1042 return; 1043 } 1044 1045 netdev = wdev ? wdev->netdev : NULL; 1046 nl80211_radar_notify(rdev, chandef, event, netdev, GFP_KERNEL); 1047 } 1048 1049 static void 1050 cfg80211_background_cac_event(struct cfg80211_registered_device *rdev, 1051 const struct cfg80211_chan_def *chandef, 1052 enum nl80211_radar_event event) 1053 { 1054 wiphy_lock(&rdev->wiphy); 1055 __cfg80211_background_cac_event(rdev, rdev->background_radar_wdev, 1056 chandef, event); 1057 wiphy_unlock(&rdev->wiphy); 1058 } 1059 1060 void cfg80211_background_cac_done_wk(struct work_struct *work) 1061 { 1062 struct delayed_work *delayed_work = to_delayed_work(work); 1063 struct cfg80211_registered_device *rdev; 1064 1065 rdev = container_of(delayed_work, struct cfg80211_registered_device, 1066 background_cac_done_wk); 1067 cfg80211_background_cac_event(rdev, &rdev->background_radar_chandef, 1068 NL80211_RADAR_CAC_FINISHED); 1069 } 1070 1071 void cfg80211_background_cac_abort_wk(struct work_struct *work) 1072 { 1073 struct cfg80211_registered_device *rdev; 1074 1075 rdev = container_of(work, struct cfg80211_registered_device, 1076 background_cac_abort_wk); 1077 cfg80211_background_cac_event(rdev, &rdev->background_radar_chandef, 1078 NL80211_RADAR_CAC_ABORTED); 1079 } 1080 1081 void cfg80211_background_cac_abort(struct wiphy *wiphy) 1082 { 1083 struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy); 1084 1085 queue_work(cfg80211_wq, &rdev->background_cac_abort_wk); 1086 } 1087 EXPORT_SYMBOL(cfg80211_background_cac_abort); 1088 1089 int 1090 cfg80211_start_background_radar_detection(struct cfg80211_registered_device *rdev, 1091 struct wireless_dev *wdev, 1092 struct cfg80211_chan_def *chandef) 1093 { 1094 unsigned int cac_time_ms; 1095 int err; 1096 1097 lockdep_assert_wiphy(&rdev->wiphy); 1098 1099 if (!wiphy_ext_feature_isset(&rdev->wiphy, 1100 NL80211_EXT_FEATURE_RADAR_BACKGROUND)) 1101 return -EOPNOTSUPP; 1102 1103 /* Offchannel chain already locked by another wdev */ 1104 if (rdev->background_radar_wdev && rdev->background_radar_wdev != wdev) 1105 return -EBUSY; 1106 1107 /* CAC already in progress on the offchannel chain */ 1108 if (rdev->background_radar_wdev == wdev && 1109 delayed_work_pending(&rdev->background_cac_done_wk)) 1110 return -EBUSY; 1111 1112 err = rdev_set_radar_background(rdev, chandef); 1113 if (err) 1114 return err; 1115 1116 cac_time_ms = cfg80211_chandef_dfs_cac_time(&rdev->wiphy, chandef); 1117 if (!cac_time_ms) 1118 cac_time_ms = IEEE80211_DFS_MIN_CAC_TIME_MS; 1119 1120 rdev->background_radar_chandef = *chandef; 1121 rdev->background_radar_wdev = wdev; /* Get offchain ownership */ 1122 1123 __cfg80211_background_cac_event(rdev, wdev, chandef, 1124 NL80211_RADAR_CAC_STARTED); 1125 queue_delayed_work(cfg80211_wq, &rdev->background_cac_done_wk, 1126 msecs_to_jiffies(cac_time_ms)); 1127 1128 return 0; 1129 } 1130 1131 void cfg80211_stop_background_radar_detection(struct wireless_dev *wdev) 1132 { 1133 struct wiphy *wiphy = wdev->wiphy; 1134 struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy); 1135 1136 lockdep_assert_wiphy(wiphy); 1137 1138 if (wdev != rdev->background_radar_wdev) 1139 return; 1140 1141 rdev_set_radar_background(rdev, NULL); 1142 rdev->background_radar_wdev = NULL; /* Release offchain ownership */ 1143 1144 __cfg80211_background_cac_event(rdev, wdev, 1145 &rdev->background_radar_chandef, 1146 NL80211_RADAR_CAC_ABORTED); 1147 } 1148