1 // SPDX-License-Identifier: GPL-2.0 2 /* 3 * cfg80211 MLME SAP interface 4 * 5 * Copyright (c) 2009, Jouni Malinen <j@w1.fi> 6 * Copyright (c) 2015 Intel Deutschland GmbH 7 * Copyright (C) 2019-2020, 2022 Intel Corporation 8 */ 9 10 #include <linux/kernel.h> 11 #include <linux/module.h> 12 #include <linux/etherdevice.h> 13 #include <linux/netdevice.h> 14 #include <linux/nl80211.h> 15 #include <linux/slab.h> 16 #include <linux/wireless.h> 17 #include <net/cfg80211.h> 18 #include <net/iw_handler.h> 19 #include "core.h" 20 #include "nl80211.h" 21 #include "rdev-ops.h" 22 23 24 void cfg80211_rx_assoc_resp(struct net_device *dev, 25 struct cfg80211_rx_assoc_resp *data) 26 { 27 struct wireless_dev *wdev = dev->ieee80211_ptr; 28 struct wiphy *wiphy = wdev->wiphy; 29 struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy); 30 struct ieee80211_mgmt *mgmt = (struct ieee80211_mgmt *)data->buf; 31 struct cfg80211_connect_resp_params cr = { 32 .timeout_reason = NL80211_TIMEOUT_UNSPECIFIED, 33 .req_ie = data->req_ies, 34 .req_ie_len = data->req_ies_len, 35 .resp_ie = mgmt->u.assoc_resp.variable, 36 .resp_ie_len = data->len - 37 offsetof(struct ieee80211_mgmt, 38 u.assoc_resp.variable), 39 .status = le16_to_cpu(mgmt->u.assoc_resp.status_code), 40 .ap_mld_addr = data->ap_mld_addr, 41 }; 42 unsigned int link_id; 43 44 for (link_id = 0; link_id < ARRAY_SIZE(data->links); link_id++) { 45 cr.links[link_id].status = data->links[link_id].status; 46 WARN_ON_ONCE(cr.links[link_id].status != WLAN_STATUS_SUCCESS && 47 (!cr.ap_mld_addr || !cr.links[link_id].bss)); 48 49 cr.links[link_id].bss = data->links[link_id].bss; 50 if (!cr.links[link_id].bss) 51 continue; 52 cr.links[link_id].bssid = data->links[link_id].bss->bssid; 53 cr.links[link_id].addr = data->links[link_id].addr; 54 /* need to have local link addresses for MLO connections */ 55 WARN_ON(cr.ap_mld_addr && !cr.links[link_id].addr); 56 57 BUG_ON(!cr.links[link_id].bss->channel); 58 59 if (cr.links[link_id].bss->channel->band == NL80211_BAND_S1GHZ) { 60 WARN_ON(link_id); 61 cr.resp_ie = (u8 *)&mgmt->u.s1g_assoc_resp.variable; 62 cr.resp_ie_len = data->len - 63 offsetof(struct ieee80211_mgmt, 64 u.s1g_assoc_resp.variable); 65 } 66 67 if (cr.ap_mld_addr) 68 cr.valid_links |= BIT(link_id); 69 } 70 71 trace_cfg80211_send_rx_assoc(dev, data); 72 73 /* 74 * This is a bit of a hack, we don't notify userspace of 75 * a (re-)association reply if we tried to send a reassoc 76 * and got a reject -- we only try again with an assoc 77 * frame instead of reassoc. 78 */ 79 if (cfg80211_sme_rx_assoc_resp(wdev, cr.status)) { 80 for (link_id = 0; link_id < ARRAY_SIZE(data->links); link_id++) { 81 struct cfg80211_bss *bss = data->links[link_id].bss; 82 83 if (!bss) 84 continue; 85 86 cfg80211_unhold_bss(bss_from_pub(bss)); 87 cfg80211_put_bss(wiphy, bss); 88 } 89 return; 90 } 91 92 nl80211_send_rx_assoc(rdev, dev, data); 93 /* update current_bss etc., consumes the bss reference */ 94 __cfg80211_connect_result(dev, &cr, cr.status == WLAN_STATUS_SUCCESS); 95 } 96 EXPORT_SYMBOL(cfg80211_rx_assoc_resp); 97 98 static void cfg80211_process_auth(struct wireless_dev *wdev, 99 const u8 *buf, size_t len) 100 { 101 struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy); 102 103 nl80211_send_rx_auth(rdev, wdev->netdev, buf, len, GFP_KERNEL); 104 cfg80211_sme_rx_auth(wdev, buf, len); 105 } 106 107 static void cfg80211_process_deauth(struct wireless_dev *wdev, 108 const u8 *buf, size_t len, 109 bool reconnect) 110 { 111 struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy); 112 struct ieee80211_mgmt *mgmt = (struct ieee80211_mgmt *)buf; 113 const u8 *bssid = mgmt->bssid; 114 u16 reason_code = le16_to_cpu(mgmt->u.deauth.reason_code); 115 bool from_ap = !ether_addr_equal(mgmt->sa, wdev->netdev->dev_addr); 116 117 nl80211_send_deauth(rdev, wdev->netdev, buf, len, reconnect, GFP_KERNEL); 118 119 if (!wdev->connected || !ether_addr_equal(wdev->u.client.connected_addr, bssid)) 120 return; 121 122 __cfg80211_disconnected(wdev->netdev, NULL, 0, reason_code, from_ap); 123 cfg80211_sme_deauth(wdev); 124 } 125 126 static void cfg80211_process_disassoc(struct wireless_dev *wdev, 127 const u8 *buf, size_t len, 128 bool reconnect) 129 { 130 struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy); 131 struct ieee80211_mgmt *mgmt = (struct ieee80211_mgmt *)buf; 132 const u8 *bssid = mgmt->bssid; 133 u16 reason_code = le16_to_cpu(mgmt->u.disassoc.reason_code); 134 bool from_ap = !ether_addr_equal(mgmt->sa, wdev->netdev->dev_addr); 135 136 nl80211_send_disassoc(rdev, wdev->netdev, buf, len, reconnect, 137 GFP_KERNEL); 138 139 if (WARN_ON(!wdev->connected || 140 !ether_addr_equal(wdev->u.client.connected_addr, bssid))) 141 return; 142 143 __cfg80211_disconnected(wdev->netdev, NULL, 0, reason_code, from_ap); 144 cfg80211_sme_disassoc(wdev); 145 } 146 147 void cfg80211_rx_mlme_mgmt(struct net_device *dev, const u8 *buf, size_t len) 148 { 149 struct wireless_dev *wdev = dev->ieee80211_ptr; 150 struct ieee80211_mgmt *mgmt = (void *)buf; 151 152 ASSERT_WDEV_LOCK(wdev); 153 154 trace_cfg80211_rx_mlme_mgmt(dev, buf, len); 155 156 if (WARN_ON(len < 2)) 157 return; 158 159 if (ieee80211_is_auth(mgmt->frame_control)) 160 cfg80211_process_auth(wdev, buf, len); 161 else if (ieee80211_is_deauth(mgmt->frame_control)) 162 cfg80211_process_deauth(wdev, buf, len, false); 163 else if (ieee80211_is_disassoc(mgmt->frame_control)) 164 cfg80211_process_disassoc(wdev, buf, len, false); 165 } 166 EXPORT_SYMBOL(cfg80211_rx_mlme_mgmt); 167 168 void cfg80211_auth_timeout(struct net_device *dev, const u8 *addr) 169 { 170 struct wireless_dev *wdev = dev->ieee80211_ptr; 171 struct wiphy *wiphy = wdev->wiphy; 172 struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy); 173 174 trace_cfg80211_send_auth_timeout(dev, addr); 175 176 nl80211_send_auth_timeout(rdev, dev, addr, GFP_KERNEL); 177 cfg80211_sme_auth_timeout(wdev); 178 } 179 EXPORT_SYMBOL(cfg80211_auth_timeout); 180 181 void cfg80211_assoc_failure(struct net_device *dev, 182 struct cfg80211_assoc_failure *data) 183 { 184 struct wireless_dev *wdev = dev->ieee80211_ptr; 185 struct wiphy *wiphy = wdev->wiphy; 186 struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy); 187 const u8 *addr = data->ap_mld_addr ?: data->bss[0]->bssid; 188 int i; 189 190 trace_cfg80211_send_assoc_failure(dev, data); 191 192 if (data->timeout) { 193 nl80211_send_assoc_timeout(rdev, dev, addr, GFP_KERNEL); 194 cfg80211_sme_assoc_timeout(wdev); 195 } else { 196 cfg80211_sme_abandon_assoc(wdev); 197 } 198 199 for (i = 0; i < ARRAY_SIZE(data->bss); i++) { 200 struct cfg80211_bss *bss = data->bss[i]; 201 202 if (!bss) 203 continue; 204 205 cfg80211_unhold_bss(bss_from_pub(bss)); 206 cfg80211_put_bss(wiphy, bss); 207 } 208 } 209 EXPORT_SYMBOL(cfg80211_assoc_failure); 210 211 void cfg80211_tx_mlme_mgmt(struct net_device *dev, const u8 *buf, size_t len, 212 bool reconnect) 213 { 214 struct wireless_dev *wdev = dev->ieee80211_ptr; 215 struct ieee80211_mgmt *mgmt = (void *)buf; 216 217 ASSERT_WDEV_LOCK(wdev); 218 219 trace_cfg80211_tx_mlme_mgmt(dev, buf, len, reconnect); 220 221 if (WARN_ON(len < 2)) 222 return; 223 224 if (ieee80211_is_deauth(mgmt->frame_control)) 225 cfg80211_process_deauth(wdev, buf, len, reconnect); 226 else 227 cfg80211_process_disassoc(wdev, buf, len, reconnect); 228 } 229 EXPORT_SYMBOL(cfg80211_tx_mlme_mgmt); 230 231 void cfg80211_michael_mic_failure(struct net_device *dev, const u8 *addr, 232 enum nl80211_key_type key_type, int key_id, 233 const u8 *tsc, gfp_t gfp) 234 { 235 struct wiphy *wiphy = dev->ieee80211_ptr->wiphy; 236 struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy); 237 #ifdef CONFIG_CFG80211_WEXT 238 union iwreq_data wrqu; 239 char *buf = kmalloc(128, gfp); 240 241 if (buf) { 242 sprintf(buf, "MLME-MICHAELMICFAILURE.indication(" 243 "keyid=%d %scast addr=%pM)", key_id, 244 key_type == NL80211_KEYTYPE_GROUP ? "broad" : "uni", 245 addr); 246 memset(&wrqu, 0, sizeof(wrqu)); 247 wrqu.data.length = strlen(buf); 248 wireless_send_event(dev, IWEVCUSTOM, &wrqu, buf); 249 kfree(buf); 250 } 251 #endif 252 253 trace_cfg80211_michael_mic_failure(dev, addr, key_type, key_id, tsc); 254 nl80211_michael_mic_failure(rdev, dev, addr, key_type, key_id, tsc, gfp); 255 } 256 EXPORT_SYMBOL(cfg80211_michael_mic_failure); 257 258 /* some MLME handling for userspace SME */ 259 int cfg80211_mlme_auth(struct cfg80211_registered_device *rdev, 260 struct net_device *dev, 261 struct cfg80211_auth_request *req) 262 { 263 struct wireless_dev *wdev = dev->ieee80211_ptr; 264 265 ASSERT_WDEV_LOCK(wdev); 266 267 if (!req->bss) 268 return -ENOENT; 269 270 if (req->link_id >= 0 && 271 !(wdev->wiphy->flags & WIPHY_FLAG_SUPPORTS_MLO)) 272 return -EINVAL; 273 274 if (req->auth_type == NL80211_AUTHTYPE_SHARED_KEY) { 275 if (!req->key || !req->key_len || 276 req->key_idx < 0 || req->key_idx > 3) 277 return -EINVAL; 278 } 279 280 if (wdev->connected && 281 ether_addr_equal(req->bss->bssid, wdev->u.client.connected_addr)) 282 return -EALREADY; 283 284 return rdev_auth(rdev, dev, req); 285 } 286 287 /* Do a logical ht_capa &= ht_capa_mask. */ 288 void cfg80211_oper_and_ht_capa(struct ieee80211_ht_cap *ht_capa, 289 const struct ieee80211_ht_cap *ht_capa_mask) 290 { 291 int i; 292 u8 *p1, *p2; 293 if (!ht_capa_mask) { 294 memset(ht_capa, 0, sizeof(*ht_capa)); 295 return; 296 } 297 298 p1 = (u8*)(ht_capa); 299 p2 = (u8*)(ht_capa_mask); 300 for (i = 0; i < sizeof(*ht_capa); i++) 301 p1[i] &= p2[i]; 302 } 303 304 /* Do a logical vht_capa &= vht_capa_mask. */ 305 void cfg80211_oper_and_vht_capa(struct ieee80211_vht_cap *vht_capa, 306 const struct ieee80211_vht_cap *vht_capa_mask) 307 { 308 int i; 309 u8 *p1, *p2; 310 if (!vht_capa_mask) { 311 memset(vht_capa, 0, sizeof(*vht_capa)); 312 return; 313 } 314 315 p1 = (u8*)(vht_capa); 316 p2 = (u8*)(vht_capa_mask); 317 for (i = 0; i < sizeof(*vht_capa); i++) 318 p1[i] &= p2[i]; 319 } 320 321 /* Note: caller must cfg80211_put_bss() regardless of result */ 322 int cfg80211_mlme_assoc(struct cfg80211_registered_device *rdev, 323 struct net_device *dev, 324 struct cfg80211_assoc_request *req) 325 { 326 struct wireless_dev *wdev = dev->ieee80211_ptr; 327 int err, i, j; 328 329 ASSERT_WDEV_LOCK(wdev); 330 331 for (i = 1; i < ARRAY_SIZE(req->links); i++) { 332 if (!req->links[i].bss) 333 continue; 334 for (j = 0; j < i; j++) { 335 if (req->links[i].bss == req->links[j].bss) 336 return -EINVAL; 337 } 338 } 339 340 if (wdev->connected && 341 (!req->prev_bssid || 342 !ether_addr_equal(wdev->u.client.connected_addr, req->prev_bssid))) 343 return -EALREADY; 344 345 cfg80211_oper_and_ht_capa(&req->ht_capa_mask, 346 rdev->wiphy.ht_capa_mod_mask); 347 cfg80211_oper_and_vht_capa(&req->vht_capa_mask, 348 rdev->wiphy.vht_capa_mod_mask); 349 350 err = rdev_assoc(rdev, dev, req); 351 if (!err) { 352 int link_id; 353 354 if (req->bss) { 355 cfg80211_ref_bss(&rdev->wiphy, req->bss); 356 cfg80211_hold_bss(bss_from_pub(req->bss)); 357 } 358 359 for (link_id = 0; link_id < ARRAY_SIZE(req->links); link_id++) { 360 if (!req->links[link_id].bss) 361 continue; 362 cfg80211_ref_bss(&rdev->wiphy, req->links[link_id].bss); 363 cfg80211_hold_bss(bss_from_pub(req->links[link_id].bss)); 364 } 365 } 366 return err; 367 } 368 369 int cfg80211_mlme_deauth(struct cfg80211_registered_device *rdev, 370 struct net_device *dev, const u8 *bssid, 371 const u8 *ie, int ie_len, u16 reason, 372 bool local_state_change) 373 { 374 struct wireless_dev *wdev = dev->ieee80211_ptr; 375 struct cfg80211_deauth_request req = { 376 .bssid = bssid, 377 .reason_code = reason, 378 .ie = ie, 379 .ie_len = ie_len, 380 .local_state_change = local_state_change, 381 }; 382 383 ASSERT_WDEV_LOCK(wdev); 384 385 if (local_state_change && 386 (!wdev->connected || 387 !ether_addr_equal(wdev->u.client.connected_addr, bssid))) 388 return 0; 389 390 if (ether_addr_equal(wdev->disconnect_bssid, bssid) || 391 (wdev->connected && 392 ether_addr_equal(wdev->u.client.connected_addr, bssid))) 393 wdev->conn_owner_nlportid = 0; 394 395 return rdev_deauth(rdev, dev, &req); 396 } 397 398 int cfg80211_mlme_disassoc(struct cfg80211_registered_device *rdev, 399 struct net_device *dev, const u8 *ap_addr, 400 const u8 *ie, int ie_len, u16 reason, 401 bool local_state_change) 402 { 403 struct wireless_dev *wdev = dev->ieee80211_ptr; 404 struct cfg80211_disassoc_request req = { 405 .reason_code = reason, 406 .local_state_change = local_state_change, 407 .ie = ie, 408 .ie_len = ie_len, 409 .ap_addr = ap_addr, 410 }; 411 int err; 412 413 ASSERT_WDEV_LOCK(wdev); 414 415 if (!wdev->connected) 416 return -ENOTCONN; 417 418 if (memcmp(wdev->u.client.connected_addr, ap_addr, ETH_ALEN)) 419 return -ENOTCONN; 420 421 err = rdev_disassoc(rdev, dev, &req); 422 if (err) 423 return err; 424 425 /* driver should have reported the disassoc */ 426 WARN_ON(wdev->connected); 427 return 0; 428 } 429 430 void cfg80211_mlme_down(struct cfg80211_registered_device *rdev, 431 struct net_device *dev) 432 { 433 struct wireless_dev *wdev = dev->ieee80211_ptr; 434 u8 bssid[ETH_ALEN]; 435 436 ASSERT_WDEV_LOCK(wdev); 437 438 if (!rdev->ops->deauth) 439 return; 440 441 if (!wdev->connected) 442 return; 443 444 memcpy(bssid, wdev->u.client.connected_addr, ETH_ALEN); 445 cfg80211_mlme_deauth(rdev, dev, bssid, NULL, 0, 446 WLAN_REASON_DEAUTH_LEAVING, false); 447 } 448 449 struct cfg80211_mgmt_registration { 450 struct list_head list; 451 struct wireless_dev *wdev; 452 453 u32 nlportid; 454 455 int match_len; 456 457 __le16 frame_type; 458 459 bool multicast_rx; 460 461 u8 match[]; 462 }; 463 464 static void cfg80211_mgmt_registrations_update(struct wireless_dev *wdev) 465 { 466 struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy); 467 struct wireless_dev *tmp; 468 struct cfg80211_mgmt_registration *reg; 469 struct mgmt_frame_regs upd = {}; 470 471 lockdep_assert_held(&rdev->wiphy.mtx); 472 473 spin_lock_bh(&rdev->mgmt_registrations_lock); 474 if (!wdev->mgmt_registrations_need_update) { 475 spin_unlock_bh(&rdev->mgmt_registrations_lock); 476 return; 477 } 478 479 rcu_read_lock(); 480 list_for_each_entry_rcu(tmp, &rdev->wiphy.wdev_list, list) { 481 list_for_each_entry(reg, &tmp->mgmt_registrations, list) { 482 u32 mask = BIT(le16_to_cpu(reg->frame_type) >> 4); 483 u32 mcast_mask = 0; 484 485 if (reg->multicast_rx) 486 mcast_mask = mask; 487 488 upd.global_stypes |= mask; 489 upd.global_mcast_stypes |= mcast_mask; 490 491 if (tmp == wdev) { 492 upd.interface_stypes |= mask; 493 upd.interface_mcast_stypes |= mcast_mask; 494 } 495 } 496 } 497 rcu_read_unlock(); 498 499 wdev->mgmt_registrations_need_update = 0; 500 spin_unlock_bh(&rdev->mgmt_registrations_lock); 501 502 rdev_update_mgmt_frame_registrations(rdev, wdev, &upd); 503 } 504 505 void cfg80211_mgmt_registrations_update_wk(struct work_struct *wk) 506 { 507 struct cfg80211_registered_device *rdev; 508 struct wireless_dev *wdev; 509 510 rdev = container_of(wk, struct cfg80211_registered_device, 511 mgmt_registrations_update_wk); 512 513 wiphy_lock(&rdev->wiphy); 514 list_for_each_entry(wdev, &rdev->wiphy.wdev_list, list) 515 cfg80211_mgmt_registrations_update(wdev); 516 wiphy_unlock(&rdev->wiphy); 517 } 518 519 int cfg80211_mlme_register_mgmt(struct wireless_dev *wdev, u32 snd_portid, 520 u16 frame_type, const u8 *match_data, 521 int match_len, bool multicast_rx, 522 struct netlink_ext_ack *extack) 523 { 524 struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy); 525 struct cfg80211_mgmt_registration *reg, *nreg; 526 int err = 0; 527 u16 mgmt_type; 528 bool update_multicast = false; 529 530 if (!wdev->wiphy->mgmt_stypes) 531 return -EOPNOTSUPP; 532 533 if ((frame_type & IEEE80211_FCTL_FTYPE) != IEEE80211_FTYPE_MGMT) { 534 NL_SET_ERR_MSG(extack, "frame type not management"); 535 return -EINVAL; 536 } 537 538 if (frame_type & ~(IEEE80211_FCTL_FTYPE | IEEE80211_FCTL_STYPE)) { 539 NL_SET_ERR_MSG(extack, "Invalid frame type"); 540 return -EINVAL; 541 } 542 543 mgmt_type = (frame_type & IEEE80211_FCTL_STYPE) >> 4; 544 if (!(wdev->wiphy->mgmt_stypes[wdev->iftype].rx & BIT(mgmt_type))) { 545 NL_SET_ERR_MSG(extack, 546 "Registration to specific type not supported"); 547 return -EINVAL; 548 } 549 550 /* 551 * To support Pre Association Security Negotiation (PASN), registration 552 * for authentication frames should be supported. However, as some 553 * versions of the user space daemons wrongly register to all types of 554 * authentication frames (which might result in unexpected behavior) 555 * allow such registration if the request is for a specific 556 * authentication algorithm number. 557 */ 558 if (wdev->iftype == NL80211_IFTYPE_STATION && 559 (frame_type & IEEE80211_FCTL_STYPE) == IEEE80211_STYPE_AUTH && 560 !(match_data && match_len >= 2)) { 561 NL_SET_ERR_MSG(extack, 562 "Authentication algorithm number required"); 563 return -EINVAL; 564 } 565 566 nreg = kzalloc(sizeof(*reg) + match_len, GFP_KERNEL); 567 if (!nreg) 568 return -ENOMEM; 569 570 spin_lock_bh(&rdev->mgmt_registrations_lock); 571 572 list_for_each_entry(reg, &wdev->mgmt_registrations, list) { 573 int mlen = min(match_len, reg->match_len); 574 575 if (frame_type != le16_to_cpu(reg->frame_type)) 576 continue; 577 578 if (memcmp(reg->match, match_data, mlen) == 0) { 579 if (reg->multicast_rx != multicast_rx) { 580 update_multicast = true; 581 reg->multicast_rx = multicast_rx; 582 break; 583 } 584 NL_SET_ERR_MSG(extack, "Match already configured"); 585 err = -EALREADY; 586 break; 587 } 588 } 589 590 if (err) 591 goto out; 592 593 if (update_multicast) { 594 kfree(nreg); 595 } else { 596 memcpy(nreg->match, match_data, match_len); 597 nreg->match_len = match_len; 598 nreg->nlportid = snd_portid; 599 nreg->frame_type = cpu_to_le16(frame_type); 600 nreg->wdev = wdev; 601 nreg->multicast_rx = multicast_rx; 602 list_add(&nreg->list, &wdev->mgmt_registrations); 603 } 604 wdev->mgmt_registrations_need_update = 1; 605 spin_unlock_bh(&rdev->mgmt_registrations_lock); 606 607 cfg80211_mgmt_registrations_update(wdev); 608 609 return 0; 610 611 out: 612 kfree(nreg); 613 spin_unlock_bh(&rdev->mgmt_registrations_lock); 614 615 return err; 616 } 617 618 void cfg80211_mlme_unregister_socket(struct wireless_dev *wdev, u32 nlportid) 619 { 620 struct wiphy *wiphy = wdev->wiphy; 621 struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy); 622 struct cfg80211_mgmt_registration *reg, *tmp; 623 624 spin_lock_bh(&rdev->mgmt_registrations_lock); 625 626 list_for_each_entry_safe(reg, tmp, &wdev->mgmt_registrations, list) { 627 if (reg->nlportid != nlportid) 628 continue; 629 630 list_del(®->list); 631 kfree(reg); 632 633 wdev->mgmt_registrations_need_update = 1; 634 schedule_work(&rdev->mgmt_registrations_update_wk); 635 } 636 637 spin_unlock_bh(&rdev->mgmt_registrations_lock); 638 639 if (nlportid && rdev->crit_proto_nlportid == nlportid) { 640 rdev->crit_proto_nlportid = 0; 641 rdev_crit_proto_stop(rdev, wdev); 642 } 643 644 if (nlportid == wdev->ap_unexpected_nlportid) 645 wdev->ap_unexpected_nlportid = 0; 646 } 647 648 void cfg80211_mlme_purge_registrations(struct wireless_dev *wdev) 649 { 650 struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy); 651 struct cfg80211_mgmt_registration *reg, *tmp; 652 653 spin_lock_bh(&rdev->mgmt_registrations_lock); 654 list_for_each_entry_safe(reg, tmp, &wdev->mgmt_registrations, list) { 655 list_del(®->list); 656 kfree(reg); 657 } 658 wdev->mgmt_registrations_need_update = 1; 659 spin_unlock_bh(&rdev->mgmt_registrations_lock); 660 661 cfg80211_mgmt_registrations_update(wdev); 662 } 663 664 static bool cfg80211_allowed_address(struct wireless_dev *wdev, const u8 *addr) 665 { 666 int i; 667 668 for_each_valid_link(wdev, i) { 669 if (ether_addr_equal(addr, wdev->links[i].addr)) 670 return true; 671 } 672 673 return ether_addr_equal(addr, wdev_address(wdev)); 674 } 675 676 int cfg80211_mlme_mgmt_tx(struct cfg80211_registered_device *rdev, 677 struct wireless_dev *wdev, 678 struct cfg80211_mgmt_tx_params *params, u64 *cookie) 679 { 680 const struct ieee80211_mgmt *mgmt; 681 u16 stype; 682 683 if (!wdev->wiphy->mgmt_stypes) 684 return -EOPNOTSUPP; 685 686 if (!rdev->ops->mgmt_tx) 687 return -EOPNOTSUPP; 688 689 if (params->len < 24 + 1) 690 return -EINVAL; 691 692 mgmt = (const struct ieee80211_mgmt *)params->buf; 693 694 if (!ieee80211_is_mgmt(mgmt->frame_control)) 695 return -EINVAL; 696 697 stype = le16_to_cpu(mgmt->frame_control) & IEEE80211_FCTL_STYPE; 698 if (!(wdev->wiphy->mgmt_stypes[wdev->iftype].tx & BIT(stype >> 4))) 699 return -EINVAL; 700 701 if (ieee80211_is_action(mgmt->frame_control) && 702 mgmt->u.action.category != WLAN_CATEGORY_PUBLIC) { 703 int err = 0; 704 705 wdev_lock(wdev); 706 707 switch (wdev->iftype) { 708 case NL80211_IFTYPE_ADHOC: 709 /* 710 * check for IBSS DA must be done by driver as 711 * cfg80211 doesn't track the stations 712 */ 713 if (!wdev->u.ibss.current_bss || 714 !ether_addr_equal(wdev->u.ibss.current_bss->pub.bssid, 715 mgmt->bssid)) { 716 err = -ENOTCONN; 717 break; 718 } 719 break; 720 case NL80211_IFTYPE_STATION: 721 case NL80211_IFTYPE_P2P_CLIENT: 722 if (!wdev->connected) { 723 err = -ENOTCONN; 724 break; 725 } 726 727 /* FIXME: MLD may address this differently */ 728 729 if (!ether_addr_equal(wdev->u.client.connected_addr, 730 mgmt->bssid)) { 731 err = -ENOTCONN; 732 break; 733 } 734 735 /* for station, check that DA is the AP */ 736 if (!ether_addr_equal(wdev->u.client.connected_addr, 737 mgmt->da)) { 738 err = -ENOTCONN; 739 break; 740 } 741 break; 742 case NL80211_IFTYPE_AP: 743 case NL80211_IFTYPE_P2P_GO: 744 case NL80211_IFTYPE_AP_VLAN: 745 if (!ether_addr_equal(mgmt->bssid, wdev_address(wdev)) && 746 (params->link_id < 0 || 747 !ether_addr_equal(mgmt->bssid, 748 wdev->links[params->link_id].addr))) 749 err = -EINVAL; 750 break; 751 case NL80211_IFTYPE_MESH_POINT: 752 if (!ether_addr_equal(mgmt->sa, mgmt->bssid)) { 753 err = -EINVAL; 754 break; 755 } 756 /* 757 * check for mesh DA must be done by driver as 758 * cfg80211 doesn't track the stations 759 */ 760 break; 761 case NL80211_IFTYPE_P2P_DEVICE: 762 /* 763 * fall through, P2P device only supports 764 * public action frames 765 */ 766 case NL80211_IFTYPE_NAN: 767 default: 768 err = -EOPNOTSUPP; 769 break; 770 } 771 wdev_unlock(wdev); 772 773 if (err) 774 return err; 775 } 776 777 if (!cfg80211_allowed_address(wdev, mgmt->sa)) { 778 /* Allow random TA to be used with Public Action frames if the 779 * driver has indicated support for this. Otherwise, only allow 780 * the local address to be used. 781 */ 782 if (!ieee80211_is_action(mgmt->frame_control) || 783 mgmt->u.action.category != WLAN_CATEGORY_PUBLIC) 784 return -EINVAL; 785 if (!wdev->connected && 786 !wiphy_ext_feature_isset( 787 &rdev->wiphy, 788 NL80211_EXT_FEATURE_MGMT_TX_RANDOM_TA)) 789 return -EINVAL; 790 if (wdev->connected && 791 !wiphy_ext_feature_isset( 792 &rdev->wiphy, 793 NL80211_EXT_FEATURE_MGMT_TX_RANDOM_TA_CONNECTED)) 794 return -EINVAL; 795 } 796 797 /* Transmit the management frame as requested by user space */ 798 return rdev_mgmt_tx(rdev, wdev, params, cookie); 799 } 800 801 bool cfg80211_rx_mgmt_ext(struct wireless_dev *wdev, 802 struct cfg80211_rx_info *info) 803 { 804 struct wiphy *wiphy = wdev->wiphy; 805 struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy); 806 struct cfg80211_mgmt_registration *reg; 807 const struct ieee80211_txrx_stypes *stypes = 808 &wiphy->mgmt_stypes[wdev->iftype]; 809 struct ieee80211_mgmt *mgmt = (void *)info->buf; 810 const u8 *data; 811 int data_len; 812 bool result = false; 813 __le16 ftype = mgmt->frame_control & 814 cpu_to_le16(IEEE80211_FCTL_FTYPE | IEEE80211_FCTL_STYPE); 815 u16 stype; 816 817 trace_cfg80211_rx_mgmt(wdev, info); 818 stype = (le16_to_cpu(mgmt->frame_control) & IEEE80211_FCTL_STYPE) >> 4; 819 820 if (!(stypes->rx & BIT(stype))) { 821 trace_cfg80211_return_bool(false); 822 return false; 823 } 824 825 data = info->buf + ieee80211_hdrlen(mgmt->frame_control); 826 data_len = info->len - ieee80211_hdrlen(mgmt->frame_control); 827 828 spin_lock_bh(&rdev->mgmt_registrations_lock); 829 830 list_for_each_entry(reg, &wdev->mgmt_registrations, list) { 831 if (reg->frame_type != ftype) 832 continue; 833 834 if (reg->match_len > data_len) 835 continue; 836 837 if (memcmp(reg->match, data, reg->match_len)) 838 continue; 839 840 /* found match! */ 841 842 /* Indicate the received Action frame to user space */ 843 if (nl80211_send_mgmt(rdev, wdev, reg->nlportid, info, 844 GFP_ATOMIC)) 845 continue; 846 847 result = true; 848 break; 849 } 850 851 spin_unlock_bh(&rdev->mgmt_registrations_lock); 852 853 trace_cfg80211_return_bool(result); 854 return result; 855 } 856 EXPORT_SYMBOL(cfg80211_rx_mgmt_ext); 857 858 void cfg80211_sched_dfs_chan_update(struct cfg80211_registered_device *rdev) 859 { 860 cancel_delayed_work(&rdev->dfs_update_channels_wk); 861 queue_delayed_work(cfg80211_wq, &rdev->dfs_update_channels_wk, 0); 862 } 863 864 void cfg80211_dfs_channels_update_work(struct work_struct *work) 865 { 866 struct delayed_work *delayed_work = to_delayed_work(work); 867 struct cfg80211_registered_device *rdev; 868 struct cfg80211_chan_def chandef; 869 struct ieee80211_supported_band *sband; 870 struct ieee80211_channel *c; 871 struct wiphy *wiphy; 872 bool check_again = false; 873 unsigned long timeout, next_time = 0; 874 unsigned long time_dfs_update; 875 enum nl80211_radar_event radar_event; 876 int bandid, i; 877 878 rdev = container_of(delayed_work, struct cfg80211_registered_device, 879 dfs_update_channels_wk); 880 wiphy = &rdev->wiphy; 881 882 rtnl_lock(); 883 for (bandid = 0; bandid < NUM_NL80211_BANDS; bandid++) { 884 sband = wiphy->bands[bandid]; 885 if (!sband) 886 continue; 887 888 for (i = 0; i < sband->n_channels; i++) { 889 c = &sband->channels[i]; 890 891 if (!(c->flags & IEEE80211_CHAN_RADAR)) 892 continue; 893 894 if (c->dfs_state != NL80211_DFS_UNAVAILABLE && 895 c->dfs_state != NL80211_DFS_AVAILABLE) 896 continue; 897 898 if (c->dfs_state == NL80211_DFS_UNAVAILABLE) { 899 time_dfs_update = IEEE80211_DFS_MIN_NOP_TIME_MS; 900 radar_event = NL80211_RADAR_NOP_FINISHED; 901 } else { 902 if (regulatory_pre_cac_allowed(wiphy) || 903 cfg80211_any_wiphy_oper_chan(wiphy, c)) 904 continue; 905 906 time_dfs_update = REG_PRE_CAC_EXPIRY_GRACE_MS; 907 radar_event = NL80211_RADAR_PRE_CAC_EXPIRED; 908 } 909 910 timeout = c->dfs_state_entered + 911 msecs_to_jiffies(time_dfs_update); 912 913 if (time_after_eq(jiffies, timeout)) { 914 c->dfs_state = NL80211_DFS_USABLE; 915 c->dfs_state_entered = jiffies; 916 917 cfg80211_chandef_create(&chandef, c, 918 NL80211_CHAN_NO_HT); 919 920 nl80211_radar_notify(rdev, &chandef, 921 radar_event, NULL, 922 GFP_ATOMIC); 923 924 regulatory_propagate_dfs_state(wiphy, &chandef, 925 c->dfs_state, 926 radar_event); 927 continue; 928 } 929 930 if (!check_again) 931 next_time = timeout - jiffies; 932 else 933 next_time = min(next_time, timeout - jiffies); 934 check_again = true; 935 } 936 } 937 rtnl_unlock(); 938 939 /* reschedule if there are other channels waiting to be cleared again */ 940 if (check_again) 941 queue_delayed_work(cfg80211_wq, &rdev->dfs_update_channels_wk, 942 next_time); 943 } 944 945 946 void __cfg80211_radar_event(struct wiphy *wiphy, 947 struct cfg80211_chan_def *chandef, 948 bool offchan, gfp_t gfp) 949 { 950 struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy); 951 952 trace_cfg80211_radar_event(wiphy, chandef, offchan); 953 954 /* only set the chandef supplied channel to unavailable, in 955 * case the radar is detected on only one of multiple channels 956 * spanned by the chandef. 957 */ 958 cfg80211_set_dfs_state(wiphy, chandef, NL80211_DFS_UNAVAILABLE); 959 960 if (offchan) 961 queue_work(cfg80211_wq, &rdev->background_cac_abort_wk); 962 963 cfg80211_sched_dfs_chan_update(rdev); 964 965 nl80211_radar_notify(rdev, chandef, NL80211_RADAR_DETECTED, NULL, gfp); 966 967 memcpy(&rdev->radar_chandef, chandef, sizeof(struct cfg80211_chan_def)); 968 queue_work(cfg80211_wq, &rdev->propagate_radar_detect_wk); 969 } 970 EXPORT_SYMBOL(__cfg80211_radar_event); 971 972 void cfg80211_cac_event(struct net_device *netdev, 973 const struct cfg80211_chan_def *chandef, 974 enum nl80211_radar_event event, gfp_t gfp) 975 { 976 struct wireless_dev *wdev = netdev->ieee80211_ptr; 977 struct wiphy *wiphy = wdev->wiphy; 978 struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy); 979 unsigned long timeout; 980 981 /* not yet supported */ 982 if (wdev->valid_links) 983 return; 984 985 trace_cfg80211_cac_event(netdev, event); 986 987 if (WARN_ON(!wdev->cac_started && event != NL80211_RADAR_CAC_STARTED)) 988 return; 989 990 switch (event) { 991 case NL80211_RADAR_CAC_FINISHED: 992 timeout = wdev->cac_start_time + 993 msecs_to_jiffies(wdev->cac_time_ms); 994 WARN_ON(!time_after_eq(jiffies, timeout)); 995 cfg80211_set_dfs_state(wiphy, chandef, NL80211_DFS_AVAILABLE); 996 memcpy(&rdev->cac_done_chandef, chandef, 997 sizeof(struct cfg80211_chan_def)); 998 queue_work(cfg80211_wq, &rdev->propagate_cac_done_wk); 999 cfg80211_sched_dfs_chan_update(rdev); 1000 fallthrough; 1001 case NL80211_RADAR_CAC_ABORTED: 1002 wdev->cac_started = false; 1003 break; 1004 case NL80211_RADAR_CAC_STARTED: 1005 wdev->cac_started = true; 1006 break; 1007 default: 1008 WARN_ON(1); 1009 return; 1010 } 1011 1012 nl80211_radar_notify(rdev, chandef, event, netdev, gfp); 1013 } 1014 EXPORT_SYMBOL(cfg80211_cac_event); 1015 1016 static void 1017 __cfg80211_background_cac_event(struct cfg80211_registered_device *rdev, 1018 struct wireless_dev *wdev, 1019 const struct cfg80211_chan_def *chandef, 1020 enum nl80211_radar_event event) 1021 { 1022 struct wiphy *wiphy = &rdev->wiphy; 1023 struct net_device *netdev; 1024 1025 lockdep_assert_wiphy(&rdev->wiphy); 1026 1027 if (!cfg80211_chandef_valid(chandef)) 1028 return; 1029 1030 if (!rdev->background_radar_wdev) 1031 return; 1032 1033 switch (event) { 1034 case NL80211_RADAR_CAC_FINISHED: 1035 cfg80211_set_dfs_state(wiphy, chandef, NL80211_DFS_AVAILABLE); 1036 memcpy(&rdev->cac_done_chandef, chandef, sizeof(*chandef)); 1037 queue_work(cfg80211_wq, &rdev->propagate_cac_done_wk); 1038 cfg80211_sched_dfs_chan_update(rdev); 1039 wdev = rdev->background_radar_wdev; 1040 break; 1041 case NL80211_RADAR_CAC_ABORTED: 1042 if (!cancel_delayed_work(&rdev->background_cac_done_wk)) 1043 return; 1044 wdev = rdev->background_radar_wdev; 1045 break; 1046 case NL80211_RADAR_CAC_STARTED: 1047 break; 1048 default: 1049 return; 1050 } 1051 1052 netdev = wdev ? wdev->netdev : NULL; 1053 nl80211_radar_notify(rdev, chandef, event, netdev, GFP_KERNEL); 1054 } 1055 1056 static void 1057 cfg80211_background_cac_event(struct cfg80211_registered_device *rdev, 1058 const struct cfg80211_chan_def *chandef, 1059 enum nl80211_radar_event event) 1060 { 1061 wiphy_lock(&rdev->wiphy); 1062 __cfg80211_background_cac_event(rdev, rdev->background_radar_wdev, 1063 chandef, event); 1064 wiphy_unlock(&rdev->wiphy); 1065 } 1066 1067 void cfg80211_background_cac_done_wk(struct work_struct *work) 1068 { 1069 struct delayed_work *delayed_work = to_delayed_work(work); 1070 struct cfg80211_registered_device *rdev; 1071 1072 rdev = container_of(delayed_work, struct cfg80211_registered_device, 1073 background_cac_done_wk); 1074 cfg80211_background_cac_event(rdev, &rdev->background_radar_chandef, 1075 NL80211_RADAR_CAC_FINISHED); 1076 } 1077 1078 void cfg80211_background_cac_abort_wk(struct work_struct *work) 1079 { 1080 struct cfg80211_registered_device *rdev; 1081 1082 rdev = container_of(work, struct cfg80211_registered_device, 1083 background_cac_abort_wk); 1084 cfg80211_background_cac_event(rdev, &rdev->background_radar_chandef, 1085 NL80211_RADAR_CAC_ABORTED); 1086 } 1087 1088 void cfg80211_background_cac_abort(struct wiphy *wiphy) 1089 { 1090 struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy); 1091 1092 queue_work(cfg80211_wq, &rdev->background_cac_abort_wk); 1093 } 1094 EXPORT_SYMBOL(cfg80211_background_cac_abort); 1095 1096 int 1097 cfg80211_start_background_radar_detection(struct cfg80211_registered_device *rdev, 1098 struct wireless_dev *wdev, 1099 struct cfg80211_chan_def *chandef) 1100 { 1101 unsigned int cac_time_ms; 1102 int err; 1103 1104 lockdep_assert_wiphy(&rdev->wiphy); 1105 1106 if (!wiphy_ext_feature_isset(&rdev->wiphy, 1107 NL80211_EXT_FEATURE_RADAR_BACKGROUND)) 1108 return -EOPNOTSUPP; 1109 1110 /* Offchannel chain already locked by another wdev */ 1111 if (rdev->background_radar_wdev && rdev->background_radar_wdev != wdev) 1112 return -EBUSY; 1113 1114 /* CAC already in progress on the offchannel chain */ 1115 if (rdev->background_radar_wdev == wdev && 1116 delayed_work_pending(&rdev->background_cac_done_wk)) 1117 return -EBUSY; 1118 1119 err = rdev_set_radar_background(rdev, chandef); 1120 if (err) 1121 return err; 1122 1123 cac_time_ms = cfg80211_chandef_dfs_cac_time(&rdev->wiphy, chandef); 1124 if (!cac_time_ms) 1125 cac_time_ms = IEEE80211_DFS_MIN_CAC_TIME_MS; 1126 1127 rdev->background_radar_chandef = *chandef; 1128 rdev->background_radar_wdev = wdev; /* Get offchain ownership */ 1129 1130 __cfg80211_background_cac_event(rdev, wdev, chandef, 1131 NL80211_RADAR_CAC_STARTED); 1132 queue_delayed_work(cfg80211_wq, &rdev->background_cac_done_wk, 1133 msecs_to_jiffies(cac_time_ms)); 1134 1135 return 0; 1136 } 1137 1138 void cfg80211_stop_background_radar_detection(struct wireless_dev *wdev) 1139 { 1140 struct wiphy *wiphy = wdev->wiphy; 1141 struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy); 1142 1143 lockdep_assert_wiphy(wiphy); 1144 1145 if (wdev != rdev->background_radar_wdev) 1146 return; 1147 1148 rdev_set_radar_background(rdev, NULL); 1149 rdev->background_radar_wdev = NULL; /* Release offchain ownership */ 1150 1151 __cfg80211_background_cac_event(rdev, wdev, 1152 &rdev->background_radar_chandef, 1153 NL80211_RADAR_CAC_ABORTED); 1154 } 1155