1 // SPDX-License-Identifier: GPL-2.0 2 /* 3 * cfg80211 MLME SAP interface 4 * 5 * Copyright (c) 2009, Jouni Malinen <j@w1.fi> 6 * Copyright (c) 2015 Intel Deutschland GmbH 7 * Copyright (C) 2019-2020, 2022 Intel Corporation 8 */ 9 10 #include <linux/kernel.h> 11 #include <linux/module.h> 12 #include <linux/etherdevice.h> 13 #include <linux/netdevice.h> 14 #include <linux/nl80211.h> 15 #include <linux/slab.h> 16 #include <linux/wireless.h> 17 #include <net/cfg80211.h> 18 #include <net/iw_handler.h> 19 #include "core.h" 20 #include "nl80211.h" 21 #include "rdev-ops.h" 22 23 24 void cfg80211_rx_assoc_resp(struct net_device *dev, 25 struct cfg80211_rx_assoc_resp *data) 26 { 27 struct wireless_dev *wdev = dev->ieee80211_ptr; 28 struct wiphy *wiphy = wdev->wiphy; 29 struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy); 30 struct ieee80211_mgmt *mgmt = (struct ieee80211_mgmt *)data->buf; 31 struct cfg80211_connect_resp_params cr = { 32 .timeout_reason = NL80211_TIMEOUT_UNSPECIFIED, 33 .req_ie = data->req_ies, 34 .req_ie_len = data->req_ies_len, 35 .resp_ie = mgmt->u.assoc_resp.variable, 36 .resp_ie_len = data->len - 37 offsetof(struct ieee80211_mgmt, 38 u.assoc_resp.variable), 39 .status = le16_to_cpu(mgmt->u.assoc_resp.status_code), 40 .ap_mld_addr = data->ap_mld_addr, 41 }; 42 unsigned int link_id; 43 44 for (link_id = 0; link_id < ARRAY_SIZE(data->links); link_id++) { 45 cr.links[link_id].status = data->links[link_id].status; 46 WARN_ON_ONCE(cr.links[link_id].status != WLAN_STATUS_SUCCESS && 47 (!cr.ap_mld_addr || !cr.links[link_id].bss)); 48 49 cr.links[link_id].bss = data->links[link_id].bss; 50 if (!cr.links[link_id].bss) 51 continue; 52 cr.links[link_id].bssid = data->links[link_id].bss->bssid; 53 cr.links[link_id].addr = data->links[link_id].addr; 54 /* need to have local link addresses for MLO connections */ 55 WARN_ON(cr.ap_mld_addr && !cr.links[link_id].addr); 56 57 BUG_ON(!cr.links[link_id].bss->channel); 58 59 if (cr.links[link_id].bss->channel->band == NL80211_BAND_S1GHZ) { 60 WARN_ON(link_id); 61 cr.resp_ie = (u8 *)&mgmt->u.s1g_assoc_resp.variable; 62 cr.resp_ie_len = data->len - 63 offsetof(struct ieee80211_mgmt, 64 u.s1g_assoc_resp.variable); 65 } 66 67 if (cr.ap_mld_addr) 68 cr.valid_links |= BIT(link_id); 69 } 70 71 trace_cfg80211_send_rx_assoc(dev, data); 72 73 /* 74 * This is a bit of a hack, we don't notify userspace of 75 * a (re-)association reply if we tried to send a reassoc 76 * and got a reject -- we only try again with an assoc 77 * frame instead of reassoc. 78 */ 79 if (cfg80211_sme_rx_assoc_resp(wdev, cr.status)) { 80 for (link_id = 0; link_id < ARRAY_SIZE(data->links); link_id++) { 81 struct cfg80211_bss *bss = data->links[link_id].bss; 82 83 if (!bss) 84 continue; 85 86 cfg80211_unhold_bss(bss_from_pub(bss)); 87 cfg80211_put_bss(wiphy, bss); 88 } 89 return; 90 } 91 92 nl80211_send_rx_assoc(rdev, dev, data); 93 /* update current_bss etc., consumes the bss reference */ 94 __cfg80211_connect_result(dev, &cr, cr.status == WLAN_STATUS_SUCCESS); 95 } 96 EXPORT_SYMBOL(cfg80211_rx_assoc_resp); 97 98 static void cfg80211_process_auth(struct wireless_dev *wdev, 99 const u8 *buf, size_t len) 100 { 101 struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy); 102 103 nl80211_send_rx_auth(rdev, wdev->netdev, buf, len, GFP_KERNEL); 104 cfg80211_sme_rx_auth(wdev, buf, len); 105 } 106 107 static void cfg80211_process_deauth(struct wireless_dev *wdev, 108 const u8 *buf, size_t len, 109 bool reconnect) 110 { 111 struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy); 112 struct ieee80211_mgmt *mgmt = (struct ieee80211_mgmt *)buf; 113 const u8 *bssid = mgmt->bssid; 114 u16 reason_code = le16_to_cpu(mgmt->u.deauth.reason_code); 115 bool from_ap = !ether_addr_equal(mgmt->sa, wdev->netdev->dev_addr); 116 117 nl80211_send_deauth(rdev, wdev->netdev, buf, len, reconnect, GFP_KERNEL); 118 119 if (!wdev->connected || !ether_addr_equal(wdev->u.client.connected_addr, bssid)) 120 return; 121 122 __cfg80211_disconnected(wdev->netdev, NULL, 0, reason_code, from_ap); 123 cfg80211_sme_deauth(wdev); 124 } 125 126 static void cfg80211_process_disassoc(struct wireless_dev *wdev, 127 const u8 *buf, size_t len, 128 bool reconnect) 129 { 130 struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy); 131 struct ieee80211_mgmt *mgmt = (struct ieee80211_mgmt *)buf; 132 const u8 *bssid = mgmt->bssid; 133 u16 reason_code = le16_to_cpu(mgmt->u.disassoc.reason_code); 134 bool from_ap = !ether_addr_equal(mgmt->sa, wdev->netdev->dev_addr); 135 136 nl80211_send_disassoc(rdev, wdev->netdev, buf, len, reconnect, 137 GFP_KERNEL); 138 139 if (WARN_ON(!wdev->connected || 140 !ether_addr_equal(wdev->u.client.connected_addr, bssid))) 141 return; 142 143 __cfg80211_disconnected(wdev->netdev, NULL, 0, reason_code, from_ap); 144 cfg80211_sme_disassoc(wdev); 145 } 146 147 void cfg80211_rx_mlme_mgmt(struct net_device *dev, const u8 *buf, size_t len) 148 { 149 struct wireless_dev *wdev = dev->ieee80211_ptr; 150 struct ieee80211_mgmt *mgmt = (void *)buf; 151 152 ASSERT_WDEV_LOCK(wdev); 153 154 trace_cfg80211_rx_mlme_mgmt(dev, buf, len); 155 156 if (WARN_ON(len < 2)) 157 return; 158 159 if (ieee80211_is_auth(mgmt->frame_control)) 160 cfg80211_process_auth(wdev, buf, len); 161 else if (ieee80211_is_deauth(mgmt->frame_control)) 162 cfg80211_process_deauth(wdev, buf, len, false); 163 else if (ieee80211_is_disassoc(mgmt->frame_control)) 164 cfg80211_process_disassoc(wdev, buf, len, false); 165 } 166 EXPORT_SYMBOL(cfg80211_rx_mlme_mgmt); 167 168 void cfg80211_auth_timeout(struct net_device *dev, const u8 *addr) 169 { 170 struct wireless_dev *wdev = dev->ieee80211_ptr; 171 struct wiphy *wiphy = wdev->wiphy; 172 struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy); 173 174 trace_cfg80211_send_auth_timeout(dev, addr); 175 176 nl80211_send_auth_timeout(rdev, dev, addr, GFP_KERNEL); 177 cfg80211_sme_auth_timeout(wdev); 178 } 179 EXPORT_SYMBOL(cfg80211_auth_timeout); 180 181 void cfg80211_assoc_failure(struct net_device *dev, 182 struct cfg80211_assoc_failure *data) 183 { 184 struct wireless_dev *wdev = dev->ieee80211_ptr; 185 struct wiphy *wiphy = wdev->wiphy; 186 struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy); 187 const u8 *addr = data->ap_mld_addr ?: data->bss[0]->bssid; 188 int i; 189 190 trace_cfg80211_send_assoc_failure(dev, data); 191 192 if (data->timeout) { 193 nl80211_send_assoc_timeout(rdev, dev, addr, GFP_KERNEL); 194 cfg80211_sme_assoc_timeout(wdev); 195 } else { 196 cfg80211_sme_abandon_assoc(wdev); 197 } 198 199 for (i = 0; i < ARRAY_SIZE(data->bss); i++) { 200 struct cfg80211_bss *bss = data->bss[i]; 201 202 if (!bss) 203 continue; 204 205 cfg80211_unhold_bss(bss_from_pub(bss)); 206 cfg80211_put_bss(wiphy, bss); 207 } 208 } 209 EXPORT_SYMBOL(cfg80211_assoc_failure); 210 211 void cfg80211_tx_mlme_mgmt(struct net_device *dev, const u8 *buf, size_t len, 212 bool reconnect) 213 { 214 struct wireless_dev *wdev = dev->ieee80211_ptr; 215 struct ieee80211_mgmt *mgmt = (void *)buf; 216 217 ASSERT_WDEV_LOCK(wdev); 218 219 trace_cfg80211_tx_mlme_mgmt(dev, buf, len, reconnect); 220 221 if (WARN_ON(len < 2)) 222 return; 223 224 if (ieee80211_is_deauth(mgmt->frame_control)) 225 cfg80211_process_deauth(wdev, buf, len, reconnect); 226 else 227 cfg80211_process_disassoc(wdev, buf, len, reconnect); 228 } 229 EXPORT_SYMBOL(cfg80211_tx_mlme_mgmt); 230 231 void cfg80211_michael_mic_failure(struct net_device *dev, const u8 *addr, 232 enum nl80211_key_type key_type, int key_id, 233 const u8 *tsc, gfp_t gfp) 234 { 235 struct wiphy *wiphy = dev->ieee80211_ptr->wiphy; 236 struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy); 237 #ifdef CONFIG_CFG80211_WEXT 238 union iwreq_data wrqu; 239 char *buf = kmalloc(128, gfp); 240 241 if (buf) { 242 sprintf(buf, "MLME-MICHAELMICFAILURE.indication(" 243 "keyid=%d %scast addr=%pM)", key_id, 244 key_type == NL80211_KEYTYPE_GROUP ? "broad" : "uni", 245 addr); 246 memset(&wrqu, 0, sizeof(wrqu)); 247 wrqu.data.length = strlen(buf); 248 wireless_send_event(dev, IWEVCUSTOM, &wrqu, buf); 249 kfree(buf); 250 } 251 #endif 252 253 trace_cfg80211_michael_mic_failure(dev, addr, key_type, key_id, tsc); 254 nl80211_michael_mic_failure(rdev, dev, addr, key_type, key_id, tsc, gfp); 255 } 256 EXPORT_SYMBOL(cfg80211_michael_mic_failure); 257 258 /* some MLME handling for userspace SME */ 259 int cfg80211_mlme_auth(struct cfg80211_registered_device *rdev, 260 struct net_device *dev, 261 struct cfg80211_auth_request *req) 262 { 263 struct wireless_dev *wdev = dev->ieee80211_ptr; 264 265 ASSERT_WDEV_LOCK(wdev); 266 267 if (!req->bss) 268 return -ENOENT; 269 270 if (req->link_id >= 0 && 271 !(wdev->wiphy->flags & WIPHY_FLAG_SUPPORTS_MLO)) 272 return -EINVAL; 273 274 if (req->auth_type == NL80211_AUTHTYPE_SHARED_KEY) { 275 if (!req->key || !req->key_len || 276 req->key_idx < 0 || req->key_idx > 3) 277 return -EINVAL; 278 } 279 280 if (wdev->connected && 281 ether_addr_equal(req->bss->bssid, wdev->u.client.connected_addr)) 282 return -EALREADY; 283 284 return rdev_auth(rdev, dev, req); 285 } 286 287 /* Do a logical ht_capa &= ht_capa_mask. */ 288 void cfg80211_oper_and_ht_capa(struct ieee80211_ht_cap *ht_capa, 289 const struct ieee80211_ht_cap *ht_capa_mask) 290 { 291 int i; 292 u8 *p1, *p2; 293 if (!ht_capa_mask) { 294 memset(ht_capa, 0, sizeof(*ht_capa)); 295 return; 296 } 297 298 p1 = (u8*)(ht_capa); 299 p2 = (u8*)(ht_capa_mask); 300 for (i = 0; i < sizeof(*ht_capa); i++) 301 p1[i] &= p2[i]; 302 } 303 304 /* Do a logical vht_capa &= vht_capa_mask. */ 305 void cfg80211_oper_and_vht_capa(struct ieee80211_vht_cap *vht_capa, 306 const struct ieee80211_vht_cap *vht_capa_mask) 307 { 308 int i; 309 u8 *p1, *p2; 310 if (!vht_capa_mask) { 311 memset(vht_capa, 0, sizeof(*vht_capa)); 312 return; 313 } 314 315 p1 = (u8*)(vht_capa); 316 p2 = (u8*)(vht_capa_mask); 317 for (i = 0; i < sizeof(*vht_capa); i++) 318 p1[i] &= p2[i]; 319 } 320 321 /* Note: caller must cfg80211_put_bss() regardless of result */ 322 int cfg80211_mlme_assoc(struct cfg80211_registered_device *rdev, 323 struct net_device *dev, 324 struct cfg80211_assoc_request *req) 325 { 326 struct wireless_dev *wdev = dev->ieee80211_ptr; 327 int err, i, j; 328 329 ASSERT_WDEV_LOCK(wdev); 330 331 for (i = 1; i < ARRAY_SIZE(req->links); i++) { 332 if (!req->links[i].bss) 333 continue; 334 for (j = 0; j < i; j++) { 335 if (req->links[i].bss == req->links[j].bss) 336 return -EINVAL; 337 } 338 } 339 340 if (wdev->connected && 341 (!req->prev_bssid || 342 !ether_addr_equal(wdev->u.client.connected_addr, req->prev_bssid))) 343 return -EALREADY; 344 345 cfg80211_oper_and_ht_capa(&req->ht_capa_mask, 346 rdev->wiphy.ht_capa_mod_mask); 347 cfg80211_oper_and_vht_capa(&req->vht_capa_mask, 348 rdev->wiphy.vht_capa_mod_mask); 349 350 err = rdev_assoc(rdev, dev, req); 351 if (!err) { 352 int link_id; 353 354 if (req->bss) { 355 cfg80211_ref_bss(&rdev->wiphy, req->bss); 356 cfg80211_hold_bss(bss_from_pub(req->bss)); 357 } 358 359 for (link_id = 0; link_id < ARRAY_SIZE(req->links); link_id++) { 360 if (!req->links[link_id].bss) 361 continue; 362 cfg80211_ref_bss(&rdev->wiphy, req->links[link_id].bss); 363 cfg80211_hold_bss(bss_from_pub(req->links[link_id].bss)); 364 } 365 } 366 return err; 367 } 368 369 int cfg80211_mlme_deauth(struct cfg80211_registered_device *rdev, 370 struct net_device *dev, const u8 *bssid, 371 const u8 *ie, int ie_len, u16 reason, 372 bool local_state_change) 373 { 374 struct wireless_dev *wdev = dev->ieee80211_ptr; 375 struct cfg80211_deauth_request req = { 376 .bssid = bssid, 377 .reason_code = reason, 378 .ie = ie, 379 .ie_len = ie_len, 380 .local_state_change = local_state_change, 381 }; 382 383 ASSERT_WDEV_LOCK(wdev); 384 385 if (local_state_change && 386 (!wdev->connected || 387 !ether_addr_equal(wdev->u.client.connected_addr, bssid))) 388 return 0; 389 390 if (ether_addr_equal(wdev->disconnect_bssid, bssid) || 391 (wdev->connected && 392 ether_addr_equal(wdev->u.client.connected_addr, bssid))) 393 wdev->conn_owner_nlportid = 0; 394 395 return rdev_deauth(rdev, dev, &req); 396 } 397 398 int cfg80211_mlme_disassoc(struct cfg80211_registered_device *rdev, 399 struct net_device *dev, const u8 *ap_addr, 400 const u8 *ie, int ie_len, u16 reason, 401 bool local_state_change) 402 { 403 struct wireless_dev *wdev = dev->ieee80211_ptr; 404 struct cfg80211_disassoc_request req = { 405 .reason_code = reason, 406 .local_state_change = local_state_change, 407 .ie = ie, 408 .ie_len = ie_len, 409 .ap_addr = ap_addr, 410 }; 411 int err; 412 413 ASSERT_WDEV_LOCK(wdev); 414 415 if (!wdev->connected) 416 return -ENOTCONN; 417 418 if (memcmp(wdev->u.client.connected_addr, ap_addr, ETH_ALEN)) 419 return -ENOTCONN; 420 421 err = rdev_disassoc(rdev, dev, &req); 422 if (err) 423 return err; 424 425 /* driver should have reported the disassoc */ 426 WARN_ON(wdev->connected); 427 return 0; 428 } 429 430 void cfg80211_mlme_down(struct cfg80211_registered_device *rdev, 431 struct net_device *dev) 432 { 433 struct wireless_dev *wdev = dev->ieee80211_ptr; 434 u8 bssid[ETH_ALEN]; 435 436 ASSERT_WDEV_LOCK(wdev); 437 438 if (!rdev->ops->deauth) 439 return; 440 441 if (!wdev->connected) 442 return; 443 444 memcpy(bssid, wdev->u.client.connected_addr, ETH_ALEN); 445 cfg80211_mlme_deauth(rdev, dev, bssid, NULL, 0, 446 WLAN_REASON_DEAUTH_LEAVING, false); 447 } 448 449 struct cfg80211_mgmt_registration { 450 struct list_head list; 451 struct wireless_dev *wdev; 452 453 u32 nlportid; 454 455 int match_len; 456 457 __le16 frame_type; 458 459 bool multicast_rx; 460 461 u8 match[]; 462 }; 463 464 static void cfg80211_mgmt_registrations_update(struct wireless_dev *wdev) 465 { 466 struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy); 467 struct wireless_dev *tmp; 468 struct cfg80211_mgmt_registration *reg; 469 struct mgmt_frame_regs upd = {}; 470 471 lockdep_assert_held(&rdev->wiphy.mtx); 472 473 spin_lock_bh(&rdev->mgmt_registrations_lock); 474 if (!wdev->mgmt_registrations_need_update) { 475 spin_unlock_bh(&rdev->mgmt_registrations_lock); 476 return; 477 } 478 479 rcu_read_lock(); 480 list_for_each_entry_rcu(tmp, &rdev->wiphy.wdev_list, list) { 481 list_for_each_entry(reg, &tmp->mgmt_registrations, list) { 482 u32 mask = BIT(le16_to_cpu(reg->frame_type) >> 4); 483 u32 mcast_mask = 0; 484 485 if (reg->multicast_rx) 486 mcast_mask = mask; 487 488 upd.global_stypes |= mask; 489 upd.global_mcast_stypes |= mcast_mask; 490 491 if (tmp == wdev) { 492 upd.interface_stypes |= mask; 493 upd.interface_mcast_stypes |= mcast_mask; 494 } 495 } 496 } 497 rcu_read_unlock(); 498 499 wdev->mgmt_registrations_need_update = 0; 500 spin_unlock_bh(&rdev->mgmt_registrations_lock); 501 502 rdev_update_mgmt_frame_registrations(rdev, wdev, &upd); 503 } 504 505 void cfg80211_mgmt_registrations_update_wk(struct work_struct *wk) 506 { 507 struct cfg80211_registered_device *rdev; 508 struct wireless_dev *wdev; 509 510 rdev = container_of(wk, struct cfg80211_registered_device, 511 mgmt_registrations_update_wk); 512 513 wiphy_lock(&rdev->wiphy); 514 list_for_each_entry(wdev, &rdev->wiphy.wdev_list, list) 515 cfg80211_mgmt_registrations_update(wdev); 516 wiphy_unlock(&rdev->wiphy); 517 } 518 519 int cfg80211_mlme_register_mgmt(struct wireless_dev *wdev, u32 snd_portid, 520 u16 frame_type, const u8 *match_data, 521 int match_len, bool multicast_rx, 522 struct netlink_ext_ack *extack) 523 { 524 struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy); 525 struct cfg80211_mgmt_registration *reg, *nreg; 526 int err = 0; 527 u16 mgmt_type; 528 bool update_multicast = false; 529 530 if (!wdev->wiphy->mgmt_stypes) 531 return -EOPNOTSUPP; 532 533 if ((frame_type & IEEE80211_FCTL_FTYPE) != IEEE80211_FTYPE_MGMT) { 534 NL_SET_ERR_MSG(extack, "frame type not management"); 535 return -EINVAL; 536 } 537 538 if (frame_type & ~(IEEE80211_FCTL_FTYPE | IEEE80211_FCTL_STYPE)) { 539 NL_SET_ERR_MSG(extack, "Invalid frame type"); 540 return -EINVAL; 541 } 542 543 mgmt_type = (frame_type & IEEE80211_FCTL_STYPE) >> 4; 544 if (!(wdev->wiphy->mgmt_stypes[wdev->iftype].rx & BIT(mgmt_type))) { 545 NL_SET_ERR_MSG(extack, 546 "Registration to specific type not supported"); 547 return -EINVAL; 548 } 549 550 /* 551 * To support Pre Association Security Negotiation (PASN), registration 552 * for authentication frames should be supported. However, as some 553 * versions of the user space daemons wrongly register to all types of 554 * authentication frames (which might result in unexpected behavior) 555 * allow such registration if the request is for a specific 556 * authentication algorithm number. 557 */ 558 if (wdev->iftype == NL80211_IFTYPE_STATION && 559 (frame_type & IEEE80211_FCTL_STYPE) == IEEE80211_STYPE_AUTH && 560 !(match_data && match_len >= 2)) { 561 NL_SET_ERR_MSG(extack, 562 "Authentication algorithm number required"); 563 return -EINVAL; 564 } 565 566 nreg = kzalloc(sizeof(*reg) + match_len, GFP_KERNEL); 567 if (!nreg) 568 return -ENOMEM; 569 570 spin_lock_bh(&rdev->mgmt_registrations_lock); 571 572 list_for_each_entry(reg, &wdev->mgmt_registrations, list) { 573 int mlen = min(match_len, reg->match_len); 574 575 if (frame_type != le16_to_cpu(reg->frame_type)) 576 continue; 577 578 if (memcmp(reg->match, match_data, mlen) == 0) { 579 if (reg->multicast_rx != multicast_rx) { 580 update_multicast = true; 581 reg->multicast_rx = multicast_rx; 582 break; 583 } 584 NL_SET_ERR_MSG(extack, "Match already configured"); 585 err = -EALREADY; 586 break; 587 } 588 } 589 590 if (err) 591 goto out; 592 593 if (update_multicast) { 594 kfree(nreg); 595 } else { 596 memcpy(nreg->match, match_data, match_len); 597 nreg->match_len = match_len; 598 nreg->nlportid = snd_portid; 599 nreg->frame_type = cpu_to_le16(frame_type); 600 nreg->wdev = wdev; 601 nreg->multicast_rx = multicast_rx; 602 list_add(&nreg->list, &wdev->mgmt_registrations); 603 } 604 wdev->mgmt_registrations_need_update = 1; 605 spin_unlock_bh(&rdev->mgmt_registrations_lock); 606 607 cfg80211_mgmt_registrations_update(wdev); 608 609 return 0; 610 611 out: 612 kfree(nreg); 613 spin_unlock_bh(&rdev->mgmt_registrations_lock); 614 615 return err; 616 } 617 618 void cfg80211_mlme_unregister_socket(struct wireless_dev *wdev, u32 nlportid) 619 { 620 struct wiphy *wiphy = wdev->wiphy; 621 struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy); 622 struct cfg80211_mgmt_registration *reg, *tmp; 623 624 spin_lock_bh(&rdev->mgmt_registrations_lock); 625 626 list_for_each_entry_safe(reg, tmp, &wdev->mgmt_registrations, list) { 627 if (reg->nlportid != nlportid) 628 continue; 629 630 list_del(®->list); 631 kfree(reg); 632 633 wdev->mgmt_registrations_need_update = 1; 634 schedule_work(&rdev->mgmt_registrations_update_wk); 635 } 636 637 spin_unlock_bh(&rdev->mgmt_registrations_lock); 638 639 if (nlportid && rdev->crit_proto_nlportid == nlportid) { 640 rdev->crit_proto_nlportid = 0; 641 rdev_crit_proto_stop(rdev, wdev); 642 } 643 644 if (nlportid == wdev->ap_unexpected_nlportid) 645 wdev->ap_unexpected_nlportid = 0; 646 } 647 648 void cfg80211_mlme_purge_registrations(struct wireless_dev *wdev) 649 { 650 struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy); 651 struct cfg80211_mgmt_registration *reg, *tmp; 652 653 spin_lock_bh(&rdev->mgmt_registrations_lock); 654 list_for_each_entry_safe(reg, tmp, &wdev->mgmt_registrations, list) { 655 list_del(®->list); 656 kfree(reg); 657 } 658 wdev->mgmt_registrations_need_update = 1; 659 spin_unlock_bh(&rdev->mgmt_registrations_lock); 660 661 cfg80211_mgmt_registrations_update(wdev); 662 } 663 664 static bool cfg80211_allowed_address(struct wireless_dev *wdev, const u8 *addr) 665 { 666 int i; 667 668 for_each_valid_link(wdev, i) { 669 if (ether_addr_equal(addr, wdev->links[i].addr)) 670 return true; 671 } 672 673 return ether_addr_equal(addr, wdev_address(wdev)); 674 } 675 676 int cfg80211_mlme_mgmt_tx(struct cfg80211_registered_device *rdev, 677 struct wireless_dev *wdev, 678 struct cfg80211_mgmt_tx_params *params, u64 *cookie) 679 { 680 const struct ieee80211_mgmt *mgmt; 681 u16 stype; 682 683 if (!wdev->wiphy->mgmt_stypes) 684 return -EOPNOTSUPP; 685 686 if (!rdev->ops->mgmt_tx) 687 return -EOPNOTSUPP; 688 689 if (params->len < 24 + 1) 690 return -EINVAL; 691 692 mgmt = (const struct ieee80211_mgmt *)params->buf; 693 694 if (!ieee80211_is_mgmt(mgmt->frame_control)) 695 return -EINVAL; 696 697 stype = le16_to_cpu(mgmt->frame_control) & IEEE80211_FCTL_STYPE; 698 if (!(wdev->wiphy->mgmt_stypes[wdev->iftype].tx & BIT(stype >> 4))) 699 return -EINVAL; 700 701 if (ieee80211_is_action(mgmt->frame_control) && 702 mgmt->u.action.category != WLAN_CATEGORY_PUBLIC) { 703 int err = 0; 704 705 wdev_lock(wdev); 706 707 switch (wdev->iftype) { 708 case NL80211_IFTYPE_ADHOC: 709 /* 710 * check for IBSS DA must be done by driver as 711 * cfg80211 doesn't track the stations 712 */ 713 if (!wdev->u.ibss.current_bss || 714 !ether_addr_equal(wdev->u.ibss.current_bss->pub.bssid, 715 mgmt->bssid)) { 716 err = -ENOTCONN; 717 break; 718 } 719 break; 720 case NL80211_IFTYPE_STATION: 721 case NL80211_IFTYPE_P2P_CLIENT: 722 if (!wdev->connected) { 723 err = -ENOTCONN; 724 break; 725 } 726 727 /* FIXME: MLD may address this differently */ 728 729 if (!ether_addr_equal(wdev->u.client.connected_addr, 730 mgmt->bssid)) { 731 err = -ENOTCONN; 732 break; 733 } 734 735 /* for station, check that DA is the AP */ 736 if (!ether_addr_equal(wdev->u.client.connected_addr, 737 mgmt->da)) { 738 err = -ENOTCONN; 739 break; 740 } 741 break; 742 case NL80211_IFTYPE_AP: 743 case NL80211_IFTYPE_P2P_GO: 744 case NL80211_IFTYPE_AP_VLAN: 745 if (!ether_addr_equal(mgmt->bssid, wdev_address(wdev))) 746 err = -EINVAL; 747 break; 748 case NL80211_IFTYPE_MESH_POINT: 749 if (!ether_addr_equal(mgmt->sa, mgmt->bssid)) { 750 err = -EINVAL; 751 break; 752 } 753 /* 754 * check for mesh DA must be done by driver as 755 * cfg80211 doesn't track the stations 756 */ 757 break; 758 case NL80211_IFTYPE_P2P_DEVICE: 759 /* 760 * fall through, P2P device only supports 761 * public action frames 762 */ 763 case NL80211_IFTYPE_NAN: 764 default: 765 err = -EOPNOTSUPP; 766 break; 767 } 768 wdev_unlock(wdev); 769 770 if (err) 771 return err; 772 } 773 774 if (!cfg80211_allowed_address(wdev, mgmt->sa)) { 775 /* Allow random TA to be used with Public Action frames if the 776 * driver has indicated support for this. Otherwise, only allow 777 * the local address to be used. 778 */ 779 if (!ieee80211_is_action(mgmt->frame_control) || 780 mgmt->u.action.category != WLAN_CATEGORY_PUBLIC) 781 return -EINVAL; 782 if (!wdev->connected && 783 !wiphy_ext_feature_isset( 784 &rdev->wiphy, 785 NL80211_EXT_FEATURE_MGMT_TX_RANDOM_TA)) 786 return -EINVAL; 787 if (wdev->connected && 788 !wiphy_ext_feature_isset( 789 &rdev->wiphy, 790 NL80211_EXT_FEATURE_MGMT_TX_RANDOM_TA_CONNECTED)) 791 return -EINVAL; 792 } 793 794 /* Transmit the management frame as requested by user space */ 795 return rdev_mgmt_tx(rdev, wdev, params, cookie); 796 } 797 798 bool cfg80211_rx_mgmt_ext(struct wireless_dev *wdev, 799 struct cfg80211_rx_info *info) 800 { 801 struct wiphy *wiphy = wdev->wiphy; 802 struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy); 803 struct cfg80211_mgmt_registration *reg; 804 const struct ieee80211_txrx_stypes *stypes = 805 &wiphy->mgmt_stypes[wdev->iftype]; 806 struct ieee80211_mgmt *mgmt = (void *)info->buf; 807 const u8 *data; 808 int data_len; 809 bool result = false; 810 __le16 ftype = mgmt->frame_control & 811 cpu_to_le16(IEEE80211_FCTL_FTYPE | IEEE80211_FCTL_STYPE); 812 u16 stype; 813 814 trace_cfg80211_rx_mgmt(wdev, info); 815 stype = (le16_to_cpu(mgmt->frame_control) & IEEE80211_FCTL_STYPE) >> 4; 816 817 if (!(stypes->rx & BIT(stype))) { 818 trace_cfg80211_return_bool(false); 819 return false; 820 } 821 822 data = info->buf + ieee80211_hdrlen(mgmt->frame_control); 823 data_len = info->len - ieee80211_hdrlen(mgmt->frame_control); 824 825 spin_lock_bh(&rdev->mgmt_registrations_lock); 826 827 list_for_each_entry(reg, &wdev->mgmt_registrations, list) { 828 if (reg->frame_type != ftype) 829 continue; 830 831 if (reg->match_len > data_len) 832 continue; 833 834 if (memcmp(reg->match, data, reg->match_len)) 835 continue; 836 837 /* found match! */ 838 839 /* Indicate the received Action frame to user space */ 840 if (nl80211_send_mgmt(rdev, wdev, reg->nlportid, info, 841 GFP_ATOMIC)) 842 continue; 843 844 result = true; 845 break; 846 } 847 848 spin_unlock_bh(&rdev->mgmt_registrations_lock); 849 850 trace_cfg80211_return_bool(result); 851 return result; 852 } 853 EXPORT_SYMBOL(cfg80211_rx_mgmt_ext); 854 855 void cfg80211_sched_dfs_chan_update(struct cfg80211_registered_device *rdev) 856 { 857 cancel_delayed_work(&rdev->dfs_update_channels_wk); 858 queue_delayed_work(cfg80211_wq, &rdev->dfs_update_channels_wk, 0); 859 } 860 861 void cfg80211_dfs_channels_update_work(struct work_struct *work) 862 { 863 struct delayed_work *delayed_work = to_delayed_work(work); 864 struct cfg80211_registered_device *rdev; 865 struct cfg80211_chan_def chandef; 866 struct ieee80211_supported_band *sband; 867 struct ieee80211_channel *c; 868 struct wiphy *wiphy; 869 bool check_again = false; 870 unsigned long timeout, next_time = 0; 871 unsigned long time_dfs_update; 872 enum nl80211_radar_event radar_event; 873 int bandid, i; 874 875 rdev = container_of(delayed_work, struct cfg80211_registered_device, 876 dfs_update_channels_wk); 877 wiphy = &rdev->wiphy; 878 879 rtnl_lock(); 880 for (bandid = 0; bandid < NUM_NL80211_BANDS; bandid++) { 881 sband = wiphy->bands[bandid]; 882 if (!sband) 883 continue; 884 885 for (i = 0; i < sband->n_channels; i++) { 886 c = &sband->channels[i]; 887 888 if (!(c->flags & IEEE80211_CHAN_RADAR)) 889 continue; 890 891 if (c->dfs_state != NL80211_DFS_UNAVAILABLE && 892 c->dfs_state != NL80211_DFS_AVAILABLE) 893 continue; 894 895 if (c->dfs_state == NL80211_DFS_UNAVAILABLE) { 896 time_dfs_update = IEEE80211_DFS_MIN_NOP_TIME_MS; 897 radar_event = NL80211_RADAR_NOP_FINISHED; 898 } else { 899 if (regulatory_pre_cac_allowed(wiphy) || 900 cfg80211_any_wiphy_oper_chan(wiphy, c)) 901 continue; 902 903 time_dfs_update = REG_PRE_CAC_EXPIRY_GRACE_MS; 904 radar_event = NL80211_RADAR_PRE_CAC_EXPIRED; 905 } 906 907 timeout = c->dfs_state_entered + 908 msecs_to_jiffies(time_dfs_update); 909 910 if (time_after_eq(jiffies, timeout)) { 911 c->dfs_state = NL80211_DFS_USABLE; 912 c->dfs_state_entered = jiffies; 913 914 cfg80211_chandef_create(&chandef, c, 915 NL80211_CHAN_NO_HT); 916 917 nl80211_radar_notify(rdev, &chandef, 918 radar_event, NULL, 919 GFP_ATOMIC); 920 921 regulatory_propagate_dfs_state(wiphy, &chandef, 922 c->dfs_state, 923 radar_event); 924 continue; 925 } 926 927 if (!check_again) 928 next_time = timeout - jiffies; 929 else 930 next_time = min(next_time, timeout - jiffies); 931 check_again = true; 932 } 933 } 934 rtnl_unlock(); 935 936 /* reschedule if there are other channels waiting to be cleared again */ 937 if (check_again) 938 queue_delayed_work(cfg80211_wq, &rdev->dfs_update_channels_wk, 939 next_time); 940 } 941 942 943 void __cfg80211_radar_event(struct wiphy *wiphy, 944 struct cfg80211_chan_def *chandef, 945 bool offchan, gfp_t gfp) 946 { 947 struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy); 948 949 trace_cfg80211_radar_event(wiphy, chandef, offchan); 950 951 /* only set the chandef supplied channel to unavailable, in 952 * case the radar is detected on only one of multiple channels 953 * spanned by the chandef. 954 */ 955 cfg80211_set_dfs_state(wiphy, chandef, NL80211_DFS_UNAVAILABLE); 956 957 if (offchan) 958 queue_work(cfg80211_wq, &rdev->background_cac_abort_wk); 959 960 cfg80211_sched_dfs_chan_update(rdev); 961 962 nl80211_radar_notify(rdev, chandef, NL80211_RADAR_DETECTED, NULL, gfp); 963 964 memcpy(&rdev->radar_chandef, chandef, sizeof(struct cfg80211_chan_def)); 965 queue_work(cfg80211_wq, &rdev->propagate_radar_detect_wk); 966 } 967 EXPORT_SYMBOL(__cfg80211_radar_event); 968 969 void cfg80211_cac_event(struct net_device *netdev, 970 const struct cfg80211_chan_def *chandef, 971 enum nl80211_radar_event event, gfp_t gfp) 972 { 973 struct wireless_dev *wdev = netdev->ieee80211_ptr; 974 struct wiphy *wiphy = wdev->wiphy; 975 struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy); 976 unsigned long timeout; 977 978 /* not yet supported */ 979 if (wdev->valid_links) 980 return; 981 982 trace_cfg80211_cac_event(netdev, event); 983 984 if (WARN_ON(!wdev->cac_started && event != NL80211_RADAR_CAC_STARTED)) 985 return; 986 987 switch (event) { 988 case NL80211_RADAR_CAC_FINISHED: 989 timeout = wdev->cac_start_time + 990 msecs_to_jiffies(wdev->cac_time_ms); 991 WARN_ON(!time_after_eq(jiffies, timeout)); 992 cfg80211_set_dfs_state(wiphy, chandef, NL80211_DFS_AVAILABLE); 993 memcpy(&rdev->cac_done_chandef, chandef, 994 sizeof(struct cfg80211_chan_def)); 995 queue_work(cfg80211_wq, &rdev->propagate_cac_done_wk); 996 cfg80211_sched_dfs_chan_update(rdev); 997 fallthrough; 998 case NL80211_RADAR_CAC_ABORTED: 999 wdev->cac_started = false; 1000 break; 1001 case NL80211_RADAR_CAC_STARTED: 1002 wdev->cac_started = true; 1003 break; 1004 default: 1005 WARN_ON(1); 1006 return; 1007 } 1008 1009 nl80211_radar_notify(rdev, chandef, event, netdev, gfp); 1010 } 1011 EXPORT_SYMBOL(cfg80211_cac_event); 1012 1013 static void 1014 __cfg80211_background_cac_event(struct cfg80211_registered_device *rdev, 1015 struct wireless_dev *wdev, 1016 const struct cfg80211_chan_def *chandef, 1017 enum nl80211_radar_event event) 1018 { 1019 struct wiphy *wiphy = &rdev->wiphy; 1020 struct net_device *netdev; 1021 1022 lockdep_assert_wiphy(&rdev->wiphy); 1023 1024 if (!cfg80211_chandef_valid(chandef)) 1025 return; 1026 1027 if (!rdev->background_radar_wdev) 1028 return; 1029 1030 switch (event) { 1031 case NL80211_RADAR_CAC_FINISHED: 1032 cfg80211_set_dfs_state(wiphy, chandef, NL80211_DFS_AVAILABLE); 1033 memcpy(&rdev->cac_done_chandef, chandef, sizeof(*chandef)); 1034 queue_work(cfg80211_wq, &rdev->propagate_cac_done_wk); 1035 cfg80211_sched_dfs_chan_update(rdev); 1036 wdev = rdev->background_radar_wdev; 1037 break; 1038 case NL80211_RADAR_CAC_ABORTED: 1039 if (!cancel_delayed_work(&rdev->background_cac_done_wk)) 1040 return; 1041 wdev = rdev->background_radar_wdev; 1042 break; 1043 case NL80211_RADAR_CAC_STARTED: 1044 break; 1045 default: 1046 return; 1047 } 1048 1049 netdev = wdev ? wdev->netdev : NULL; 1050 nl80211_radar_notify(rdev, chandef, event, netdev, GFP_KERNEL); 1051 } 1052 1053 static void 1054 cfg80211_background_cac_event(struct cfg80211_registered_device *rdev, 1055 const struct cfg80211_chan_def *chandef, 1056 enum nl80211_radar_event event) 1057 { 1058 wiphy_lock(&rdev->wiphy); 1059 __cfg80211_background_cac_event(rdev, rdev->background_radar_wdev, 1060 chandef, event); 1061 wiphy_unlock(&rdev->wiphy); 1062 } 1063 1064 void cfg80211_background_cac_done_wk(struct work_struct *work) 1065 { 1066 struct delayed_work *delayed_work = to_delayed_work(work); 1067 struct cfg80211_registered_device *rdev; 1068 1069 rdev = container_of(delayed_work, struct cfg80211_registered_device, 1070 background_cac_done_wk); 1071 cfg80211_background_cac_event(rdev, &rdev->background_radar_chandef, 1072 NL80211_RADAR_CAC_FINISHED); 1073 } 1074 1075 void cfg80211_background_cac_abort_wk(struct work_struct *work) 1076 { 1077 struct cfg80211_registered_device *rdev; 1078 1079 rdev = container_of(work, struct cfg80211_registered_device, 1080 background_cac_abort_wk); 1081 cfg80211_background_cac_event(rdev, &rdev->background_radar_chandef, 1082 NL80211_RADAR_CAC_ABORTED); 1083 } 1084 1085 void cfg80211_background_cac_abort(struct wiphy *wiphy) 1086 { 1087 struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy); 1088 1089 queue_work(cfg80211_wq, &rdev->background_cac_abort_wk); 1090 } 1091 EXPORT_SYMBOL(cfg80211_background_cac_abort); 1092 1093 int 1094 cfg80211_start_background_radar_detection(struct cfg80211_registered_device *rdev, 1095 struct wireless_dev *wdev, 1096 struct cfg80211_chan_def *chandef) 1097 { 1098 unsigned int cac_time_ms; 1099 int err; 1100 1101 lockdep_assert_wiphy(&rdev->wiphy); 1102 1103 if (!wiphy_ext_feature_isset(&rdev->wiphy, 1104 NL80211_EXT_FEATURE_RADAR_BACKGROUND)) 1105 return -EOPNOTSUPP; 1106 1107 /* Offchannel chain already locked by another wdev */ 1108 if (rdev->background_radar_wdev && rdev->background_radar_wdev != wdev) 1109 return -EBUSY; 1110 1111 /* CAC already in progress on the offchannel chain */ 1112 if (rdev->background_radar_wdev == wdev && 1113 delayed_work_pending(&rdev->background_cac_done_wk)) 1114 return -EBUSY; 1115 1116 err = rdev_set_radar_background(rdev, chandef); 1117 if (err) 1118 return err; 1119 1120 cac_time_ms = cfg80211_chandef_dfs_cac_time(&rdev->wiphy, chandef); 1121 if (!cac_time_ms) 1122 cac_time_ms = IEEE80211_DFS_MIN_CAC_TIME_MS; 1123 1124 rdev->background_radar_chandef = *chandef; 1125 rdev->background_radar_wdev = wdev; /* Get offchain ownership */ 1126 1127 __cfg80211_background_cac_event(rdev, wdev, chandef, 1128 NL80211_RADAR_CAC_STARTED); 1129 queue_delayed_work(cfg80211_wq, &rdev->background_cac_done_wk, 1130 msecs_to_jiffies(cac_time_ms)); 1131 1132 return 0; 1133 } 1134 1135 void cfg80211_stop_background_radar_detection(struct wireless_dev *wdev) 1136 { 1137 struct wiphy *wiphy = wdev->wiphy; 1138 struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy); 1139 1140 lockdep_assert_wiphy(wiphy); 1141 1142 if (wdev != rdev->background_radar_wdev) 1143 return; 1144 1145 rdev_set_radar_background(rdev, NULL); 1146 rdev->background_radar_wdev = NULL; /* Release offchain ownership */ 1147 1148 __cfg80211_background_cac_event(rdev, wdev, 1149 &rdev->background_radar_chandef, 1150 NL80211_RADAR_CAC_ABORTED); 1151 } 1152