1 // SPDX-License-Identifier: GPL-2.0 2 /* 3 * cfg80211 MLME SAP interface 4 * 5 * Copyright (c) 2009, Jouni Malinen <j@w1.fi> 6 * Copyright (c) 2015 Intel Deutschland GmbH 7 * Copyright (C) 2019-2020, 2022-2023 Intel Corporation 8 */ 9 10 #include <linux/kernel.h> 11 #include <linux/module.h> 12 #include <linux/etherdevice.h> 13 #include <linux/netdevice.h> 14 #include <linux/nl80211.h> 15 #include <linux/slab.h> 16 #include <linux/wireless.h> 17 #include <net/cfg80211.h> 18 #include <net/iw_handler.h> 19 #include "core.h" 20 #include "nl80211.h" 21 #include "rdev-ops.h" 22 23 24 void cfg80211_rx_assoc_resp(struct net_device *dev, 25 struct cfg80211_rx_assoc_resp *data) 26 { 27 struct wireless_dev *wdev = dev->ieee80211_ptr; 28 struct wiphy *wiphy = wdev->wiphy; 29 struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy); 30 struct ieee80211_mgmt *mgmt = (struct ieee80211_mgmt *)data->buf; 31 struct cfg80211_connect_resp_params cr = { 32 .timeout_reason = NL80211_TIMEOUT_UNSPECIFIED, 33 .req_ie = data->req_ies, 34 .req_ie_len = data->req_ies_len, 35 .resp_ie = mgmt->u.assoc_resp.variable, 36 .resp_ie_len = data->len - 37 offsetof(struct ieee80211_mgmt, 38 u.assoc_resp.variable), 39 .status = le16_to_cpu(mgmt->u.assoc_resp.status_code), 40 .ap_mld_addr = data->ap_mld_addr, 41 }; 42 unsigned int link_id; 43 44 for (link_id = 0; link_id < ARRAY_SIZE(data->links); link_id++) { 45 cr.links[link_id].status = data->links[link_id].status; 46 WARN_ON_ONCE(cr.links[link_id].status != WLAN_STATUS_SUCCESS && 47 (!cr.ap_mld_addr || !cr.links[link_id].bss)); 48 49 cr.links[link_id].bss = data->links[link_id].bss; 50 if (!cr.links[link_id].bss) 51 continue; 52 cr.links[link_id].bssid = data->links[link_id].bss->bssid; 53 cr.links[link_id].addr = data->links[link_id].addr; 54 /* need to have local link addresses for MLO connections */ 55 WARN_ON(cr.ap_mld_addr && !cr.links[link_id].addr); 56 57 BUG_ON(!cr.links[link_id].bss->channel); 58 59 if (cr.links[link_id].bss->channel->band == NL80211_BAND_S1GHZ) { 60 WARN_ON(link_id); 61 cr.resp_ie = (u8 *)&mgmt->u.s1g_assoc_resp.variable; 62 cr.resp_ie_len = data->len - 63 offsetof(struct ieee80211_mgmt, 64 u.s1g_assoc_resp.variable); 65 } 66 67 if (cr.ap_mld_addr) 68 cr.valid_links |= BIT(link_id); 69 } 70 71 trace_cfg80211_send_rx_assoc(dev, data); 72 73 /* 74 * This is a bit of a hack, we don't notify userspace of 75 * a (re-)association reply if we tried to send a reassoc 76 * and got a reject -- we only try again with an assoc 77 * frame instead of reassoc. 78 */ 79 if (cfg80211_sme_rx_assoc_resp(wdev, cr.status)) { 80 for (link_id = 0; link_id < ARRAY_SIZE(data->links); link_id++) { 81 struct cfg80211_bss *bss = data->links[link_id].bss; 82 83 if (!bss) 84 continue; 85 86 cfg80211_unhold_bss(bss_from_pub(bss)); 87 cfg80211_put_bss(wiphy, bss); 88 } 89 return; 90 } 91 92 nl80211_send_rx_assoc(rdev, dev, data); 93 /* update current_bss etc., consumes the bss reference */ 94 __cfg80211_connect_result(dev, &cr, cr.status == WLAN_STATUS_SUCCESS); 95 } 96 EXPORT_SYMBOL(cfg80211_rx_assoc_resp); 97 98 static void cfg80211_process_auth(struct wireless_dev *wdev, 99 const u8 *buf, size_t len) 100 { 101 struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy); 102 103 nl80211_send_rx_auth(rdev, wdev->netdev, buf, len, GFP_KERNEL); 104 cfg80211_sme_rx_auth(wdev, buf, len); 105 } 106 107 static void cfg80211_process_deauth(struct wireless_dev *wdev, 108 const u8 *buf, size_t len, 109 bool reconnect) 110 { 111 struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy); 112 struct ieee80211_mgmt *mgmt = (struct ieee80211_mgmt *)buf; 113 const u8 *bssid = mgmt->bssid; 114 u16 reason_code = le16_to_cpu(mgmt->u.deauth.reason_code); 115 bool from_ap = !ether_addr_equal(mgmt->sa, wdev->netdev->dev_addr); 116 117 nl80211_send_deauth(rdev, wdev->netdev, buf, len, reconnect, GFP_KERNEL); 118 119 if (!wdev->connected || !ether_addr_equal(wdev->u.client.connected_addr, bssid)) 120 return; 121 122 __cfg80211_disconnected(wdev->netdev, NULL, 0, reason_code, from_ap); 123 cfg80211_sme_deauth(wdev); 124 } 125 126 static void cfg80211_process_disassoc(struct wireless_dev *wdev, 127 const u8 *buf, size_t len, 128 bool reconnect) 129 { 130 struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy); 131 struct ieee80211_mgmt *mgmt = (struct ieee80211_mgmt *)buf; 132 const u8 *bssid = mgmt->bssid; 133 u16 reason_code = le16_to_cpu(mgmt->u.disassoc.reason_code); 134 bool from_ap = !ether_addr_equal(mgmt->sa, wdev->netdev->dev_addr); 135 136 nl80211_send_disassoc(rdev, wdev->netdev, buf, len, reconnect, 137 GFP_KERNEL); 138 139 if (WARN_ON(!wdev->connected || 140 !ether_addr_equal(wdev->u.client.connected_addr, bssid))) 141 return; 142 143 __cfg80211_disconnected(wdev->netdev, NULL, 0, reason_code, from_ap); 144 cfg80211_sme_disassoc(wdev); 145 } 146 147 void cfg80211_rx_mlme_mgmt(struct net_device *dev, const u8 *buf, size_t len) 148 { 149 struct wireless_dev *wdev = dev->ieee80211_ptr; 150 struct ieee80211_mgmt *mgmt = (void *)buf; 151 152 lockdep_assert_wiphy(wdev->wiphy); 153 154 trace_cfg80211_rx_mlme_mgmt(dev, buf, len); 155 156 if (WARN_ON(len < 2)) 157 return; 158 159 if (ieee80211_is_auth(mgmt->frame_control)) 160 cfg80211_process_auth(wdev, buf, len); 161 else if (ieee80211_is_deauth(mgmt->frame_control)) 162 cfg80211_process_deauth(wdev, buf, len, false); 163 else if (ieee80211_is_disassoc(mgmt->frame_control)) 164 cfg80211_process_disassoc(wdev, buf, len, false); 165 } 166 EXPORT_SYMBOL(cfg80211_rx_mlme_mgmt); 167 168 void cfg80211_auth_timeout(struct net_device *dev, const u8 *addr) 169 { 170 struct wireless_dev *wdev = dev->ieee80211_ptr; 171 struct wiphy *wiphy = wdev->wiphy; 172 struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy); 173 174 trace_cfg80211_send_auth_timeout(dev, addr); 175 176 nl80211_send_auth_timeout(rdev, dev, addr, GFP_KERNEL); 177 cfg80211_sme_auth_timeout(wdev); 178 } 179 EXPORT_SYMBOL(cfg80211_auth_timeout); 180 181 void cfg80211_assoc_failure(struct net_device *dev, 182 struct cfg80211_assoc_failure *data) 183 { 184 struct wireless_dev *wdev = dev->ieee80211_ptr; 185 struct wiphy *wiphy = wdev->wiphy; 186 struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy); 187 const u8 *addr = data->ap_mld_addr ?: data->bss[0]->bssid; 188 int i; 189 190 trace_cfg80211_send_assoc_failure(dev, data); 191 192 if (data->timeout) { 193 nl80211_send_assoc_timeout(rdev, dev, addr, GFP_KERNEL); 194 cfg80211_sme_assoc_timeout(wdev); 195 } else { 196 cfg80211_sme_abandon_assoc(wdev); 197 } 198 199 for (i = 0; i < ARRAY_SIZE(data->bss); i++) { 200 struct cfg80211_bss *bss = data->bss[i]; 201 202 if (!bss) 203 continue; 204 205 cfg80211_unhold_bss(bss_from_pub(bss)); 206 cfg80211_put_bss(wiphy, bss); 207 } 208 } 209 EXPORT_SYMBOL(cfg80211_assoc_failure); 210 211 void cfg80211_tx_mlme_mgmt(struct net_device *dev, const u8 *buf, size_t len, 212 bool reconnect) 213 { 214 struct wireless_dev *wdev = dev->ieee80211_ptr; 215 struct ieee80211_mgmt *mgmt = (void *)buf; 216 217 lockdep_assert_wiphy(wdev->wiphy); 218 219 trace_cfg80211_tx_mlme_mgmt(dev, buf, len, reconnect); 220 221 if (WARN_ON(len < 2)) 222 return; 223 224 if (ieee80211_is_deauth(mgmt->frame_control)) 225 cfg80211_process_deauth(wdev, buf, len, reconnect); 226 else 227 cfg80211_process_disassoc(wdev, buf, len, reconnect); 228 } 229 EXPORT_SYMBOL(cfg80211_tx_mlme_mgmt); 230 231 void cfg80211_michael_mic_failure(struct net_device *dev, const u8 *addr, 232 enum nl80211_key_type key_type, int key_id, 233 const u8 *tsc, gfp_t gfp) 234 { 235 struct wiphy *wiphy = dev->ieee80211_ptr->wiphy; 236 struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy); 237 #ifdef CONFIG_CFG80211_WEXT 238 union iwreq_data wrqu; 239 char *buf = kmalloc(128, gfp); 240 241 if (buf) { 242 sprintf(buf, "MLME-MICHAELMICFAILURE.indication(" 243 "keyid=%d %scast addr=%pM)", key_id, 244 key_type == NL80211_KEYTYPE_GROUP ? "broad" : "uni", 245 addr); 246 memset(&wrqu, 0, sizeof(wrqu)); 247 wrqu.data.length = strlen(buf); 248 wireless_send_event(dev, IWEVCUSTOM, &wrqu, buf); 249 kfree(buf); 250 } 251 #endif 252 253 trace_cfg80211_michael_mic_failure(dev, addr, key_type, key_id, tsc); 254 nl80211_michael_mic_failure(rdev, dev, addr, key_type, key_id, tsc, gfp); 255 } 256 EXPORT_SYMBOL(cfg80211_michael_mic_failure); 257 258 /* some MLME handling for userspace SME */ 259 int cfg80211_mlme_auth(struct cfg80211_registered_device *rdev, 260 struct net_device *dev, 261 struct cfg80211_auth_request *req) 262 { 263 struct wireless_dev *wdev = dev->ieee80211_ptr; 264 265 lockdep_assert_wiphy(wdev->wiphy); 266 267 if (!req->bss) 268 return -ENOENT; 269 270 if (req->link_id >= 0 && 271 !(wdev->wiphy->flags & WIPHY_FLAG_SUPPORTS_MLO)) 272 return -EINVAL; 273 274 if (req->auth_type == NL80211_AUTHTYPE_SHARED_KEY) { 275 if (!req->key || !req->key_len || 276 req->key_idx < 0 || req->key_idx > 3) 277 return -EINVAL; 278 } 279 280 if (wdev->connected && 281 ether_addr_equal(req->bss->bssid, wdev->u.client.connected_addr)) 282 return -EALREADY; 283 284 if (ether_addr_equal(req->bss->bssid, dev->dev_addr) || 285 (req->link_id >= 0 && 286 ether_addr_equal(req->ap_mld_addr, dev->dev_addr))) 287 return -EINVAL; 288 289 return rdev_auth(rdev, dev, req); 290 } 291 292 /* Do a logical ht_capa &= ht_capa_mask. */ 293 void cfg80211_oper_and_ht_capa(struct ieee80211_ht_cap *ht_capa, 294 const struct ieee80211_ht_cap *ht_capa_mask) 295 { 296 int i; 297 u8 *p1, *p2; 298 if (!ht_capa_mask) { 299 memset(ht_capa, 0, sizeof(*ht_capa)); 300 return; 301 } 302 303 p1 = (u8*)(ht_capa); 304 p2 = (u8*)(ht_capa_mask); 305 for (i = 0; i < sizeof(*ht_capa); i++) 306 p1[i] &= p2[i]; 307 } 308 309 /* Do a logical vht_capa &= vht_capa_mask. */ 310 void cfg80211_oper_and_vht_capa(struct ieee80211_vht_cap *vht_capa, 311 const struct ieee80211_vht_cap *vht_capa_mask) 312 { 313 int i; 314 u8 *p1, *p2; 315 if (!vht_capa_mask) { 316 memset(vht_capa, 0, sizeof(*vht_capa)); 317 return; 318 } 319 320 p1 = (u8*)(vht_capa); 321 p2 = (u8*)(vht_capa_mask); 322 for (i = 0; i < sizeof(*vht_capa); i++) 323 p1[i] &= p2[i]; 324 } 325 326 /* Note: caller must cfg80211_put_bss() regardless of result */ 327 int cfg80211_mlme_assoc(struct cfg80211_registered_device *rdev, 328 struct net_device *dev, 329 struct cfg80211_assoc_request *req) 330 { 331 struct wireless_dev *wdev = dev->ieee80211_ptr; 332 int err, i, j; 333 334 lockdep_assert_wiphy(wdev->wiphy); 335 336 for (i = 1; i < ARRAY_SIZE(req->links); i++) { 337 if (!req->links[i].bss) 338 continue; 339 for (j = 0; j < i; j++) { 340 if (req->links[i].bss == req->links[j].bss) 341 return -EINVAL; 342 } 343 344 if (ether_addr_equal(req->links[i].bss->bssid, dev->dev_addr)) 345 return -EINVAL; 346 } 347 348 if (wdev->connected && 349 (!req->prev_bssid || 350 !ether_addr_equal(wdev->u.client.connected_addr, req->prev_bssid))) 351 return -EALREADY; 352 353 if ((req->bss && ether_addr_equal(req->bss->bssid, dev->dev_addr)) || 354 (req->link_id >= 0 && 355 ether_addr_equal(req->ap_mld_addr, dev->dev_addr))) 356 return -EINVAL; 357 358 cfg80211_oper_and_ht_capa(&req->ht_capa_mask, 359 rdev->wiphy.ht_capa_mod_mask); 360 cfg80211_oper_and_vht_capa(&req->vht_capa_mask, 361 rdev->wiphy.vht_capa_mod_mask); 362 363 err = rdev_assoc(rdev, dev, req); 364 if (!err) { 365 int link_id; 366 367 if (req->bss) { 368 cfg80211_ref_bss(&rdev->wiphy, req->bss); 369 cfg80211_hold_bss(bss_from_pub(req->bss)); 370 } 371 372 for (link_id = 0; link_id < ARRAY_SIZE(req->links); link_id++) { 373 if (!req->links[link_id].bss) 374 continue; 375 cfg80211_ref_bss(&rdev->wiphy, req->links[link_id].bss); 376 cfg80211_hold_bss(bss_from_pub(req->links[link_id].bss)); 377 } 378 } 379 return err; 380 } 381 382 int cfg80211_mlme_deauth(struct cfg80211_registered_device *rdev, 383 struct net_device *dev, const u8 *bssid, 384 const u8 *ie, int ie_len, u16 reason, 385 bool local_state_change) 386 { 387 struct wireless_dev *wdev = dev->ieee80211_ptr; 388 struct cfg80211_deauth_request req = { 389 .bssid = bssid, 390 .reason_code = reason, 391 .ie = ie, 392 .ie_len = ie_len, 393 .local_state_change = local_state_change, 394 }; 395 396 lockdep_assert_wiphy(wdev->wiphy); 397 398 if (local_state_change && 399 (!wdev->connected || 400 !ether_addr_equal(wdev->u.client.connected_addr, bssid))) 401 return 0; 402 403 if (ether_addr_equal(wdev->disconnect_bssid, bssid) || 404 (wdev->connected && 405 ether_addr_equal(wdev->u.client.connected_addr, bssid))) 406 wdev->conn_owner_nlportid = 0; 407 408 return rdev_deauth(rdev, dev, &req); 409 } 410 411 int cfg80211_mlme_disassoc(struct cfg80211_registered_device *rdev, 412 struct net_device *dev, const u8 *ap_addr, 413 const u8 *ie, int ie_len, u16 reason, 414 bool local_state_change) 415 { 416 struct wireless_dev *wdev = dev->ieee80211_ptr; 417 struct cfg80211_disassoc_request req = { 418 .reason_code = reason, 419 .local_state_change = local_state_change, 420 .ie = ie, 421 .ie_len = ie_len, 422 .ap_addr = ap_addr, 423 }; 424 int err; 425 426 lockdep_assert_wiphy(wdev->wiphy); 427 428 if (!wdev->connected) 429 return -ENOTCONN; 430 431 if (memcmp(wdev->u.client.connected_addr, ap_addr, ETH_ALEN)) 432 return -ENOTCONN; 433 434 err = rdev_disassoc(rdev, dev, &req); 435 if (err) 436 return err; 437 438 /* driver should have reported the disassoc */ 439 WARN_ON(wdev->connected); 440 return 0; 441 } 442 443 void cfg80211_mlme_down(struct cfg80211_registered_device *rdev, 444 struct net_device *dev) 445 { 446 struct wireless_dev *wdev = dev->ieee80211_ptr; 447 u8 bssid[ETH_ALEN]; 448 449 lockdep_assert_wiphy(wdev->wiphy); 450 451 if (!rdev->ops->deauth) 452 return; 453 454 if (!wdev->connected) 455 return; 456 457 memcpy(bssid, wdev->u.client.connected_addr, ETH_ALEN); 458 cfg80211_mlme_deauth(rdev, dev, bssid, NULL, 0, 459 WLAN_REASON_DEAUTH_LEAVING, false); 460 } 461 462 struct cfg80211_mgmt_registration { 463 struct list_head list; 464 struct wireless_dev *wdev; 465 466 u32 nlportid; 467 468 int match_len; 469 470 __le16 frame_type; 471 472 bool multicast_rx; 473 474 u8 match[]; 475 }; 476 477 static void cfg80211_mgmt_registrations_update(struct wireless_dev *wdev) 478 { 479 struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy); 480 struct wireless_dev *tmp; 481 struct cfg80211_mgmt_registration *reg; 482 struct mgmt_frame_regs upd = {}; 483 484 lockdep_assert_held(&rdev->wiphy.mtx); 485 486 spin_lock_bh(&rdev->mgmt_registrations_lock); 487 if (!wdev->mgmt_registrations_need_update) { 488 spin_unlock_bh(&rdev->mgmt_registrations_lock); 489 return; 490 } 491 492 rcu_read_lock(); 493 list_for_each_entry_rcu(tmp, &rdev->wiphy.wdev_list, list) { 494 list_for_each_entry(reg, &tmp->mgmt_registrations, list) { 495 u32 mask = BIT(le16_to_cpu(reg->frame_type) >> 4); 496 u32 mcast_mask = 0; 497 498 if (reg->multicast_rx) 499 mcast_mask = mask; 500 501 upd.global_stypes |= mask; 502 upd.global_mcast_stypes |= mcast_mask; 503 504 if (tmp == wdev) { 505 upd.interface_stypes |= mask; 506 upd.interface_mcast_stypes |= mcast_mask; 507 } 508 } 509 } 510 rcu_read_unlock(); 511 512 wdev->mgmt_registrations_need_update = 0; 513 spin_unlock_bh(&rdev->mgmt_registrations_lock); 514 515 rdev_update_mgmt_frame_registrations(rdev, wdev, &upd); 516 } 517 518 void cfg80211_mgmt_registrations_update_wk(struct work_struct *wk) 519 { 520 struct cfg80211_registered_device *rdev; 521 struct wireless_dev *wdev; 522 523 rdev = container_of(wk, struct cfg80211_registered_device, 524 mgmt_registrations_update_wk); 525 526 wiphy_lock(&rdev->wiphy); 527 list_for_each_entry(wdev, &rdev->wiphy.wdev_list, list) 528 cfg80211_mgmt_registrations_update(wdev); 529 wiphy_unlock(&rdev->wiphy); 530 } 531 532 int cfg80211_mlme_register_mgmt(struct wireless_dev *wdev, u32 snd_portid, 533 u16 frame_type, const u8 *match_data, 534 int match_len, bool multicast_rx, 535 struct netlink_ext_ack *extack) 536 { 537 struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy); 538 struct cfg80211_mgmt_registration *reg, *nreg; 539 int err = 0; 540 u16 mgmt_type; 541 bool update_multicast = false; 542 543 if (!wdev->wiphy->mgmt_stypes) 544 return -EOPNOTSUPP; 545 546 if ((frame_type & IEEE80211_FCTL_FTYPE) != IEEE80211_FTYPE_MGMT) { 547 NL_SET_ERR_MSG(extack, "frame type not management"); 548 return -EINVAL; 549 } 550 551 if (frame_type & ~(IEEE80211_FCTL_FTYPE | IEEE80211_FCTL_STYPE)) { 552 NL_SET_ERR_MSG(extack, "Invalid frame type"); 553 return -EINVAL; 554 } 555 556 mgmt_type = (frame_type & IEEE80211_FCTL_STYPE) >> 4; 557 if (!(wdev->wiphy->mgmt_stypes[wdev->iftype].rx & BIT(mgmt_type))) { 558 NL_SET_ERR_MSG(extack, 559 "Registration to specific type not supported"); 560 return -EINVAL; 561 } 562 563 /* 564 * To support Pre Association Security Negotiation (PASN), registration 565 * for authentication frames should be supported. However, as some 566 * versions of the user space daemons wrongly register to all types of 567 * authentication frames (which might result in unexpected behavior) 568 * allow such registration if the request is for a specific 569 * authentication algorithm number. 570 */ 571 if (wdev->iftype == NL80211_IFTYPE_STATION && 572 (frame_type & IEEE80211_FCTL_STYPE) == IEEE80211_STYPE_AUTH && 573 !(match_data && match_len >= 2)) { 574 NL_SET_ERR_MSG(extack, 575 "Authentication algorithm number required"); 576 return -EINVAL; 577 } 578 579 nreg = kzalloc(sizeof(*reg) + match_len, GFP_KERNEL); 580 if (!nreg) 581 return -ENOMEM; 582 583 spin_lock_bh(&rdev->mgmt_registrations_lock); 584 585 list_for_each_entry(reg, &wdev->mgmt_registrations, list) { 586 int mlen = min(match_len, reg->match_len); 587 588 if (frame_type != le16_to_cpu(reg->frame_type)) 589 continue; 590 591 if (memcmp(reg->match, match_data, mlen) == 0) { 592 if (reg->multicast_rx != multicast_rx) { 593 update_multicast = true; 594 reg->multicast_rx = multicast_rx; 595 break; 596 } 597 NL_SET_ERR_MSG(extack, "Match already configured"); 598 err = -EALREADY; 599 break; 600 } 601 } 602 603 if (err) 604 goto out; 605 606 if (update_multicast) { 607 kfree(nreg); 608 } else { 609 memcpy(nreg->match, match_data, match_len); 610 nreg->match_len = match_len; 611 nreg->nlportid = snd_portid; 612 nreg->frame_type = cpu_to_le16(frame_type); 613 nreg->wdev = wdev; 614 nreg->multicast_rx = multicast_rx; 615 list_add(&nreg->list, &wdev->mgmt_registrations); 616 } 617 wdev->mgmt_registrations_need_update = 1; 618 spin_unlock_bh(&rdev->mgmt_registrations_lock); 619 620 cfg80211_mgmt_registrations_update(wdev); 621 622 return 0; 623 624 out: 625 kfree(nreg); 626 spin_unlock_bh(&rdev->mgmt_registrations_lock); 627 628 return err; 629 } 630 631 void cfg80211_mlme_unregister_socket(struct wireless_dev *wdev, u32 nlportid) 632 { 633 struct wiphy *wiphy = wdev->wiphy; 634 struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy); 635 struct cfg80211_mgmt_registration *reg, *tmp; 636 637 spin_lock_bh(&rdev->mgmt_registrations_lock); 638 639 list_for_each_entry_safe(reg, tmp, &wdev->mgmt_registrations, list) { 640 if (reg->nlportid != nlportid) 641 continue; 642 643 list_del(®->list); 644 kfree(reg); 645 646 wdev->mgmt_registrations_need_update = 1; 647 schedule_work(&rdev->mgmt_registrations_update_wk); 648 } 649 650 spin_unlock_bh(&rdev->mgmt_registrations_lock); 651 652 if (nlportid && rdev->crit_proto_nlportid == nlportid) { 653 rdev->crit_proto_nlportid = 0; 654 rdev_crit_proto_stop(rdev, wdev); 655 } 656 657 if (nlportid == wdev->ap_unexpected_nlportid) 658 wdev->ap_unexpected_nlportid = 0; 659 } 660 661 void cfg80211_mlme_purge_registrations(struct wireless_dev *wdev) 662 { 663 struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy); 664 struct cfg80211_mgmt_registration *reg, *tmp; 665 666 spin_lock_bh(&rdev->mgmt_registrations_lock); 667 list_for_each_entry_safe(reg, tmp, &wdev->mgmt_registrations, list) { 668 list_del(®->list); 669 kfree(reg); 670 } 671 wdev->mgmt_registrations_need_update = 1; 672 spin_unlock_bh(&rdev->mgmt_registrations_lock); 673 674 cfg80211_mgmt_registrations_update(wdev); 675 } 676 677 static bool cfg80211_allowed_address(struct wireless_dev *wdev, const u8 *addr) 678 { 679 int i; 680 681 for_each_valid_link(wdev, i) { 682 if (ether_addr_equal(addr, wdev->links[i].addr)) 683 return true; 684 } 685 686 return ether_addr_equal(addr, wdev_address(wdev)); 687 } 688 689 static bool cfg80211_allowed_random_address(struct wireless_dev *wdev, 690 const struct ieee80211_mgmt *mgmt) 691 { 692 if (ieee80211_is_auth(mgmt->frame_control) || 693 ieee80211_is_deauth(mgmt->frame_control)) { 694 /* Allow random TA to be used with authentication and 695 * deauthentication frames if the driver has indicated support. 696 */ 697 if (wiphy_ext_feature_isset( 698 wdev->wiphy, 699 NL80211_EXT_FEATURE_AUTH_AND_DEAUTH_RANDOM_TA)) 700 return true; 701 } else if (ieee80211_is_action(mgmt->frame_control) && 702 mgmt->u.action.category == WLAN_CATEGORY_PUBLIC) { 703 /* Allow random TA to be used with Public Action frames if the 704 * driver has indicated support. 705 */ 706 if (!wdev->connected && 707 wiphy_ext_feature_isset( 708 wdev->wiphy, 709 NL80211_EXT_FEATURE_MGMT_TX_RANDOM_TA)) 710 return true; 711 712 if (wdev->connected && 713 wiphy_ext_feature_isset( 714 wdev->wiphy, 715 NL80211_EXT_FEATURE_MGMT_TX_RANDOM_TA_CONNECTED)) 716 return true; 717 } 718 719 return false; 720 } 721 722 int cfg80211_mlme_mgmt_tx(struct cfg80211_registered_device *rdev, 723 struct wireless_dev *wdev, 724 struct cfg80211_mgmt_tx_params *params, u64 *cookie) 725 { 726 const struct ieee80211_mgmt *mgmt; 727 u16 stype; 728 729 lockdep_assert_wiphy(&rdev->wiphy); 730 731 if (!wdev->wiphy->mgmt_stypes) 732 return -EOPNOTSUPP; 733 734 if (!rdev->ops->mgmt_tx) 735 return -EOPNOTSUPP; 736 737 if (params->len < 24 + 1) 738 return -EINVAL; 739 740 mgmt = (const struct ieee80211_mgmt *)params->buf; 741 742 if (!ieee80211_is_mgmt(mgmt->frame_control)) 743 return -EINVAL; 744 745 stype = le16_to_cpu(mgmt->frame_control) & IEEE80211_FCTL_STYPE; 746 if (!(wdev->wiphy->mgmt_stypes[wdev->iftype].tx & BIT(stype >> 4))) 747 return -EINVAL; 748 749 if (ieee80211_is_action(mgmt->frame_control) && 750 mgmt->u.action.category != WLAN_CATEGORY_PUBLIC) { 751 int err = 0; 752 753 switch (wdev->iftype) { 754 case NL80211_IFTYPE_ADHOC: 755 /* 756 * check for IBSS DA must be done by driver as 757 * cfg80211 doesn't track the stations 758 */ 759 if (!wdev->u.ibss.current_bss || 760 !ether_addr_equal(wdev->u.ibss.current_bss->pub.bssid, 761 mgmt->bssid)) { 762 err = -ENOTCONN; 763 break; 764 } 765 break; 766 case NL80211_IFTYPE_STATION: 767 case NL80211_IFTYPE_P2P_CLIENT: 768 if (!wdev->connected) { 769 err = -ENOTCONN; 770 break; 771 } 772 773 /* FIXME: MLD may address this differently */ 774 775 if (!ether_addr_equal(wdev->u.client.connected_addr, 776 mgmt->bssid)) { 777 err = -ENOTCONN; 778 break; 779 } 780 781 /* for station, check that DA is the AP */ 782 if (!ether_addr_equal(wdev->u.client.connected_addr, 783 mgmt->da)) { 784 err = -ENOTCONN; 785 break; 786 } 787 break; 788 case NL80211_IFTYPE_AP: 789 case NL80211_IFTYPE_P2P_GO: 790 case NL80211_IFTYPE_AP_VLAN: 791 if (!ether_addr_equal(mgmt->bssid, wdev_address(wdev)) && 792 (params->link_id < 0 || 793 !ether_addr_equal(mgmt->bssid, 794 wdev->links[params->link_id].addr))) 795 err = -EINVAL; 796 break; 797 case NL80211_IFTYPE_MESH_POINT: 798 if (!ether_addr_equal(mgmt->sa, mgmt->bssid)) { 799 err = -EINVAL; 800 break; 801 } 802 /* 803 * check for mesh DA must be done by driver as 804 * cfg80211 doesn't track the stations 805 */ 806 break; 807 case NL80211_IFTYPE_P2P_DEVICE: 808 /* 809 * fall through, P2P device only supports 810 * public action frames 811 */ 812 case NL80211_IFTYPE_NAN: 813 default: 814 err = -EOPNOTSUPP; 815 break; 816 } 817 818 if (err) 819 return err; 820 } 821 822 if (!cfg80211_allowed_address(wdev, mgmt->sa) && 823 !cfg80211_allowed_random_address(wdev, mgmt)) 824 return -EINVAL; 825 826 /* Transmit the management frame as requested by user space */ 827 return rdev_mgmt_tx(rdev, wdev, params, cookie); 828 } 829 830 bool cfg80211_rx_mgmt_ext(struct wireless_dev *wdev, 831 struct cfg80211_rx_info *info) 832 { 833 struct wiphy *wiphy = wdev->wiphy; 834 struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy); 835 struct cfg80211_mgmt_registration *reg; 836 const struct ieee80211_txrx_stypes *stypes = 837 &wiphy->mgmt_stypes[wdev->iftype]; 838 struct ieee80211_mgmt *mgmt = (void *)info->buf; 839 const u8 *data; 840 int data_len; 841 bool result = false; 842 __le16 ftype = mgmt->frame_control & 843 cpu_to_le16(IEEE80211_FCTL_FTYPE | IEEE80211_FCTL_STYPE); 844 u16 stype; 845 846 trace_cfg80211_rx_mgmt(wdev, info); 847 stype = (le16_to_cpu(mgmt->frame_control) & IEEE80211_FCTL_STYPE) >> 4; 848 849 if (!(stypes->rx & BIT(stype))) { 850 trace_cfg80211_return_bool(false); 851 return false; 852 } 853 854 data = info->buf + ieee80211_hdrlen(mgmt->frame_control); 855 data_len = info->len - ieee80211_hdrlen(mgmt->frame_control); 856 857 spin_lock_bh(&rdev->mgmt_registrations_lock); 858 859 list_for_each_entry(reg, &wdev->mgmt_registrations, list) { 860 if (reg->frame_type != ftype) 861 continue; 862 863 if (reg->match_len > data_len) 864 continue; 865 866 if (memcmp(reg->match, data, reg->match_len)) 867 continue; 868 869 /* found match! */ 870 871 /* Indicate the received Action frame to user space */ 872 if (nl80211_send_mgmt(rdev, wdev, reg->nlportid, info, 873 GFP_ATOMIC)) 874 continue; 875 876 result = true; 877 break; 878 } 879 880 spin_unlock_bh(&rdev->mgmt_registrations_lock); 881 882 trace_cfg80211_return_bool(result); 883 return result; 884 } 885 EXPORT_SYMBOL(cfg80211_rx_mgmt_ext); 886 887 void cfg80211_sched_dfs_chan_update(struct cfg80211_registered_device *rdev) 888 { 889 cancel_delayed_work(&rdev->dfs_update_channels_wk); 890 queue_delayed_work(cfg80211_wq, &rdev->dfs_update_channels_wk, 0); 891 } 892 893 void cfg80211_dfs_channels_update_work(struct work_struct *work) 894 { 895 struct delayed_work *delayed_work = to_delayed_work(work); 896 struct cfg80211_registered_device *rdev; 897 struct cfg80211_chan_def chandef; 898 struct ieee80211_supported_band *sband; 899 struct ieee80211_channel *c; 900 struct wiphy *wiphy; 901 bool check_again = false; 902 unsigned long timeout, next_time = 0; 903 unsigned long time_dfs_update; 904 enum nl80211_radar_event radar_event; 905 int bandid, i; 906 907 rdev = container_of(delayed_work, struct cfg80211_registered_device, 908 dfs_update_channels_wk); 909 wiphy = &rdev->wiphy; 910 911 rtnl_lock(); 912 for (bandid = 0; bandid < NUM_NL80211_BANDS; bandid++) { 913 sband = wiphy->bands[bandid]; 914 if (!sband) 915 continue; 916 917 for (i = 0; i < sband->n_channels; i++) { 918 c = &sband->channels[i]; 919 920 if (!(c->flags & IEEE80211_CHAN_RADAR)) 921 continue; 922 923 if (c->dfs_state != NL80211_DFS_UNAVAILABLE && 924 c->dfs_state != NL80211_DFS_AVAILABLE) 925 continue; 926 927 if (c->dfs_state == NL80211_DFS_UNAVAILABLE) { 928 time_dfs_update = IEEE80211_DFS_MIN_NOP_TIME_MS; 929 radar_event = NL80211_RADAR_NOP_FINISHED; 930 } else { 931 if (regulatory_pre_cac_allowed(wiphy) || 932 cfg80211_any_wiphy_oper_chan(wiphy, c)) 933 continue; 934 935 time_dfs_update = REG_PRE_CAC_EXPIRY_GRACE_MS; 936 radar_event = NL80211_RADAR_PRE_CAC_EXPIRED; 937 } 938 939 timeout = c->dfs_state_entered + 940 msecs_to_jiffies(time_dfs_update); 941 942 if (time_after_eq(jiffies, timeout)) { 943 c->dfs_state = NL80211_DFS_USABLE; 944 c->dfs_state_entered = jiffies; 945 946 cfg80211_chandef_create(&chandef, c, 947 NL80211_CHAN_NO_HT); 948 949 nl80211_radar_notify(rdev, &chandef, 950 radar_event, NULL, 951 GFP_ATOMIC); 952 953 regulatory_propagate_dfs_state(wiphy, &chandef, 954 c->dfs_state, 955 radar_event); 956 continue; 957 } 958 959 if (!check_again) 960 next_time = timeout - jiffies; 961 else 962 next_time = min(next_time, timeout - jiffies); 963 check_again = true; 964 } 965 } 966 rtnl_unlock(); 967 968 /* reschedule if there are other channels waiting to be cleared again */ 969 if (check_again) 970 queue_delayed_work(cfg80211_wq, &rdev->dfs_update_channels_wk, 971 next_time); 972 } 973 974 975 void __cfg80211_radar_event(struct wiphy *wiphy, 976 struct cfg80211_chan_def *chandef, 977 bool offchan, gfp_t gfp) 978 { 979 struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy); 980 981 trace_cfg80211_radar_event(wiphy, chandef, offchan); 982 983 /* only set the chandef supplied channel to unavailable, in 984 * case the radar is detected on only one of multiple channels 985 * spanned by the chandef. 986 */ 987 cfg80211_set_dfs_state(wiphy, chandef, NL80211_DFS_UNAVAILABLE); 988 989 if (offchan) 990 queue_work(cfg80211_wq, &rdev->background_cac_abort_wk); 991 992 cfg80211_sched_dfs_chan_update(rdev); 993 994 nl80211_radar_notify(rdev, chandef, NL80211_RADAR_DETECTED, NULL, gfp); 995 996 memcpy(&rdev->radar_chandef, chandef, sizeof(struct cfg80211_chan_def)); 997 queue_work(cfg80211_wq, &rdev->propagate_radar_detect_wk); 998 } 999 EXPORT_SYMBOL(__cfg80211_radar_event); 1000 1001 void cfg80211_cac_event(struct net_device *netdev, 1002 const struct cfg80211_chan_def *chandef, 1003 enum nl80211_radar_event event, gfp_t gfp) 1004 { 1005 struct wireless_dev *wdev = netdev->ieee80211_ptr; 1006 struct wiphy *wiphy = wdev->wiphy; 1007 struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy); 1008 unsigned long timeout; 1009 1010 /* not yet supported */ 1011 if (wdev->valid_links) 1012 return; 1013 1014 trace_cfg80211_cac_event(netdev, event); 1015 1016 if (WARN_ON(!wdev->cac_started && event != NL80211_RADAR_CAC_STARTED)) 1017 return; 1018 1019 switch (event) { 1020 case NL80211_RADAR_CAC_FINISHED: 1021 timeout = wdev->cac_start_time + 1022 msecs_to_jiffies(wdev->cac_time_ms); 1023 WARN_ON(!time_after_eq(jiffies, timeout)); 1024 cfg80211_set_dfs_state(wiphy, chandef, NL80211_DFS_AVAILABLE); 1025 memcpy(&rdev->cac_done_chandef, chandef, 1026 sizeof(struct cfg80211_chan_def)); 1027 queue_work(cfg80211_wq, &rdev->propagate_cac_done_wk); 1028 cfg80211_sched_dfs_chan_update(rdev); 1029 fallthrough; 1030 case NL80211_RADAR_CAC_ABORTED: 1031 wdev->cac_started = false; 1032 break; 1033 case NL80211_RADAR_CAC_STARTED: 1034 wdev->cac_started = true; 1035 break; 1036 default: 1037 WARN_ON(1); 1038 return; 1039 } 1040 1041 nl80211_radar_notify(rdev, chandef, event, netdev, gfp); 1042 } 1043 EXPORT_SYMBOL(cfg80211_cac_event); 1044 1045 static void 1046 __cfg80211_background_cac_event(struct cfg80211_registered_device *rdev, 1047 struct wireless_dev *wdev, 1048 const struct cfg80211_chan_def *chandef, 1049 enum nl80211_radar_event event) 1050 { 1051 struct wiphy *wiphy = &rdev->wiphy; 1052 struct net_device *netdev; 1053 1054 lockdep_assert_wiphy(&rdev->wiphy); 1055 1056 if (!cfg80211_chandef_valid(chandef)) 1057 return; 1058 1059 if (!rdev->background_radar_wdev) 1060 return; 1061 1062 switch (event) { 1063 case NL80211_RADAR_CAC_FINISHED: 1064 cfg80211_set_dfs_state(wiphy, chandef, NL80211_DFS_AVAILABLE); 1065 memcpy(&rdev->cac_done_chandef, chandef, sizeof(*chandef)); 1066 queue_work(cfg80211_wq, &rdev->propagate_cac_done_wk); 1067 cfg80211_sched_dfs_chan_update(rdev); 1068 wdev = rdev->background_radar_wdev; 1069 break; 1070 case NL80211_RADAR_CAC_ABORTED: 1071 if (!cancel_delayed_work(&rdev->background_cac_done_wk)) 1072 return; 1073 wdev = rdev->background_radar_wdev; 1074 break; 1075 case NL80211_RADAR_CAC_STARTED: 1076 break; 1077 default: 1078 return; 1079 } 1080 1081 netdev = wdev ? wdev->netdev : NULL; 1082 nl80211_radar_notify(rdev, chandef, event, netdev, GFP_KERNEL); 1083 } 1084 1085 static void 1086 cfg80211_background_cac_event(struct cfg80211_registered_device *rdev, 1087 const struct cfg80211_chan_def *chandef, 1088 enum nl80211_radar_event event) 1089 { 1090 wiphy_lock(&rdev->wiphy); 1091 __cfg80211_background_cac_event(rdev, rdev->background_radar_wdev, 1092 chandef, event); 1093 wiphy_unlock(&rdev->wiphy); 1094 } 1095 1096 void cfg80211_background_cac_done_wk(struct work_struct *work) 1097 { 1098 struct delayed_work *delayed_work = to_delayed_work(work); 1099 struct cfg80211_registered_device *rdev; 1100 1101 rdev = container_of(delayed_work, struct cfg80211_registered_device, 1102 background_cac_done_wk); 1103 cfg80211_background_cac_event(rdev, &rdev->background_radar_chandef, 1104 NL80211_RADAR_CAC_FINISHED); 1105 } 1106 1107 void cfg80211_background_cac_abort_wk(struct work_struct *work) 1108 { 1109 struct cfg80211_registered_device *rdev; 1110 1111 rdev = container_of(work, struct cfg80211_registered_device, 1112 background_cac_abort_wk); 1113 cfg80211_background_cac_event(rdev, &rdev->background_radar_chandef, 1114 NL80211_RADAR_CAC_ABORTED); 1115 } 1116 1117 void cfg80211_background_cac_abort(struct wiphy *wiphy) 1118 { 1119 struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy); 1120 1121 queue_work(cfg80211_wq, &rdev->background_cac_abort_wk); 1122 } 1123 EXPORT_SYMBOL(cfg80211_background_cac_abort); 1124 1125 int 1126 cfg80211_start_background_radar_detection(struct cfg80211_registered_device *rdev, 1127 struct wireless_dev *wdev, 1128 struct cfg80211_chan_def *chandef) 1129 { 1130 unsigned int cac_time_ms; 1131 int err; 1132 1133 lockdep_assert_wiphy(&rdev->wiphy); 1134 1135 if (!wiphy_ext_feature_isset(&rdev->wiphy, 1136 NL80211_EXT_FEATURE_RADAR_BACKGROUND)) 1137 return -EOPNOTSUPP; 1138 1139 /* Offchannel chain already locked by another wdev */ 1140 if (rdev->background_radar_wdev && rdev->background_radar_wdev != wdev) 1141 return -EBUSY; 1142 1143 /* CAC already in progress on the offchannel chain */ 1144 if (rdev->background_radar_wdev == wdev && 1145 delayed_work_pending(&rdev->background_cac_done_wk)) 1146 return -EBUSY; 1147 1148 err = rdev_set_radar_background(rdev, chandef); 1149 if (err) 1150 return err; 1151 1152 cac_time_ms = cfg80211_chandef_dfs_cac_time(&rdev->wiphy, chandef); 1153 if (!cac_time_ms) 1154 cac_time_ms = IEEE80211_DFS_MIN_CAC_TIME_MS; 1155 1156 rdev->background_radar_chandef = *chandef; 1157 rdev->background_radar_wdev = wdev; /* Get offchain ownership */ 1158 1159 __cfg80211_background_cac_event(rdev, wdev, chandef, 1160 NL80211_RADAR_CAC_STARTED); 1161 queue_delayed_work(cfg80211_wq, &rdev->background_cac_done_wk, 1162 msecs_to_jiffies(cac_time_ms)); 1163 1164 return 0; 1165 } 1166 1167 void cfg80211_stop_background_radar_detection(struct wireless_dev *wdev) 1168 { 1169 struct wiphy *wiphy = wdev->wiphy; 1170 struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy); 1171 1172 lockdep_assert_wiphy(wiphy); 1173 1174 if (wdev != rdev->background_radar_wdev) 1175 return; 1176 1177 rdev_set_radar_background(rdev, NULL); 1178 rdev->background_radar_wdev = NULL; /* Release offchain ownership */ 1179 1180 __cfg80211_background_cac_event(rdev, wdev, 1181 &rdev->background_radar_chandef, 1182 NL80211_RADAR_CAC_ABORTED); 1183 } 1184