1 // SPDX-License-Identifier: GPL-2.0 2 /* 3 * cfg80211 scan result handling 4 * 5 * Copyright 2008 Johannes Berg <johannes@sipsolutions.net> 6 * Copyright 2013-2014 Intel Mobile Communications GmbH 7 * Copyright 2016 Intel Deutschland GmbH 8 * Copyright (C) 2018-2019 Intel Corporation 9 */ 10 #include <linux/kernel.h> 11 #include <linux/slab.h> 12 #include <linux/module.h> 13 #include <linux/netdevice.h> 14 #include <linux/wireless.h> 15 #include <linux/nl80211.h> 16 #include <linux/etherdevice.h> 17 #include <net/arp.h> 18 #include <net/cfg80211.h> 19 #include <net/cfg80211-wext.h> 20 #include <net/iw_handler.h> 21 #include "core.h" 22 #include "nl80211.h" 23 #include "wext-compat.h" 24 #include "rdev-ops.h" 25 26 /** 27 * DOC: BSS tree/list structure 28 * 29 * At the top level, the BSS list is kept in both a list in each 30 * registered device (@bss_list) as well as an RB-tree for faster 31 * lookup. In the RB-tree, entries can be looked up using their 32 * channel, MESHID, MESHCONF (for MBSSes) or channel, BSSID, SSID 33 * for other BSSes. 34 * 35 * Due to the possibility of hidden SSIDs, there's a second level 36 * structure, the "hidden_list" and "hidden_beacon_bss" pointer. 37 * The hidden_list connects all BSSes belonging to a single AP 38 * that has a hidden SSID, and connects beacon and probe response 39 * entries. For a probe response entry for a hidden SSID, the 40 * hidden_beacon_bss pointer points to the BSS struct holding the 41 * beacon's information. 42 * 43 * Reference counting is done for all these references except for 44 * the hidden_list, so that a beacon BSS struct that is otherwise 45 * not referenced has one reference for being on the bss_list and 46 * one for each probe response entry that points to it using the 47 * hidden_beacon_bss pointer. When a BSS struct that has such a 48 * pointer is get/put, the refcount update is also propagated to 49 * the referenced struct, this ensure that it cannot get removed 50 * while somebody is using the probe response version. 51 * 52 * Note that the hidden_beacon_bss pointer never changes, due to 53 * the reference counting. Therefore, no locking is needed for 54 * it. 55 * 56 * Also note that the hidden_beacon_bss pointer is only relevant 57 * if the driver uses something other than the IEs, e.g. private 58 * data stored stored in the BSS struct, since the beacon IEs are 59 * also linked into the probe response struct. 60 */ 61 62 /* 63 * Limit the number of BSS entries stored in mac80211. Each one is 64 * a bit over 4k at most, so this limits to roughly 4-5M of memory. 65 * If somebody wants to really attack this though, they'd likely 66 * use small beacons, and only one type of frame, limiting each of 67 * the entries to a much smaller size (in order to generate more 68 * entries in total, so overhead is bigger.) 69 */ 70 static int bss_entries_limit = 1000; 71 module_param(bss_entries_limit, int, 0644); 72 MODULE_PARM_DESC(bss_entries_limit, 73 "limit to number of scan BSS entries (per wiphy, default 1000)"); 74 75 #define IEEE80211_SCAN_RESULT_EXPIRE (30 * HZ) 76 77 static void bss_free(struct cfg80211_internal_bss *bss) 78 { 79 struct cfg80211_bss_ies *ies; 80 81 if (WARN_ON(atomic_read(&bss->hold))) 82 return; 83 84 ies = (void *)rcu_access_pointer(bss->pub.beacon_ies); 85 if (ies && !bss->pub.hidden_beacon_bss) 86 kfree_rcu(ies, rcu_head); 87 ies = (void *)rcu_access_pointer(bss->pub.proberesp_ies); 88 if (ies) 89 kfree_rcu(ies, rcu_head); 90 91 /* 92 * This happens when the module is removed, it doesn't 93 * really matter any more save for completeness 94 */ 95 if (!list_empty(&bss->hidden_list)) 96 list_del(&bss->hidden_list); 97 98 kfree(bss); 99 } 100 101 static inline void bss_ref_get(struct cfg80211_registered_device *rdev, 102 struct cfg80211_internal_bss *bss) 103 { 104 lockdep_assert_held(&rdev->bss_lock); 105 106 bss->refcount++; 107 if (bss->pub.hidden_beacon_bss) { 108 bss = container_of(bss->pub.hidden_beacon_bss, 109 struct cfg80211_internal_bss, 110 pub); 111 bss->refcount++; 112 } 113 if (bss->pub.transmitted_bss) { 114 bss = container_of(bss->pub.transmitted_bss, 115 struct cfg80211_internal_bss, 116 pub); 117 bss->refcount++; 118 } 119 } 120 121 static inline void bss_ref_put(struct cfg80211_registered_device *rdev, 122 struct cfg80211_internal_bss *bss) 123 { 124 lockdep_assert_held(&rdev->bss_lock); 125 126 if (bss->pub.hidden_beacon_bss) { 127 struct cfg80211_internal_bss *hbss; 128 hbss = container_of(bss->pub.hidden_beacon_bss, 129 struct cfg80211_internal_bss, 130 pub); 131 hbss->refcount--; 132 if (hbss->refcount == 0) 133 bss_free(hbss); 134 } 135 136 if (bss->pub.transmitted_bss) { 137 struct cfg80211_internal_bss *tbss; 138 139 tbss = container_of(bss->pub.transmitted_bss, 140 struct cfg80211_internal_bss, 141 pub); 142 tbss->refcount--; 143 if (tbss->refcount == 0) 144 bss_free(tbss); 145 } 146 147 bss->refcount--; 148 if (bss->refcount == 0) 149 bss_free(bss); 150 } 151 152 static bool __cfg80211_unlink_bss(struct cfg80211_registered_device *rdev, 153 struct cfg80211_internal_bss *bss) 154 { 155 lockdep_assert_held(&rdev->bss_lock); 156 157 if (!list_empty(&bss->hidden_list)) { 158 /* 159 * don't remove the beacon entry if it has 160 * probe responses associated with it 161 */ 162 if (!bss->pub.hidden_beacon_bss) 163 return false; 164 /* 165 * if it's a probe response entry break its 166 * link to the other entries in the group 167 */ 168 list_del_init(&bss->hidden_list); 169 } 170 171 list_del_init(&bss->list); 172 list_del_init(&bss->pub.nontrans_list); 173 rb_erase(&bss->rbn, &rdev->bss_tree); 174 rdev->bss_entries--; 175 WARN_ONCE((rdev->bss_entries == 0) ^ list_empty(&rdev->bss_list), 176 "rdev bss entries[%d]/list[empty:%d] corruption\n", 177 rdev->bss_entries, list_empty(&rdev->bss_list)); 178 bss_ref_put(rdev, bss); 179 return true; 180 } 181 182 static size_t cfg80211_gen_new_ie(const u8 *ie, size_t ielen, 183 const u8 *subelement, size_t subie_len, 184 u8 *new_ie, gfp_t gfp) 185 { 186 u8 *pos, *tmp; 187 const u8 *tmp_old, *tmp_new; 188 u8 *sub_copy; 189 190 /* copy subelement as we need to change its content to 191 * mark an ie after it is processed. 192 */ 193 sub_copy = kmemdup(subelement, subie_len, gfp); 194 if (!sub_copy) 195 return 0; 196 197 pos = &new_ie[0]; 198 199 /* set new ssid */ 200 tmp_new = cfg80211_find_ie(WLAN_EID_SSID, sub_copy, subie_len); 201 if (tmp_new) { 202 memcpy(pos, tmp_new, tmp_new[1] + 2); 203 pos += (tmp_new[1] + 2); 204 } 205 206 /* go through IEs in ie (skip SSID) and subelement, 207 * merge them into new_ie 208 */ 209 tmp_old = cfg80211_find_ie(WLAN_EID_SSID, ie, ielen); 210 tmp_old = (tmp_old) ? tmp_old + tmp_old[1] + 2 : ie; 211 212 while (tmp_old + tmp_old[1] + 2 - ie <= ielen) { 213 if (tmp_old[0] == 0) { 214 tmp_old++; 215 continue; 216 } 217 218 if (tmp_old[0] == WLAN_EID_EXTENSION) 219 tmp = (u8 *)cfg80211_find_ext_ie(tmp_old[2], sub_copy, 220 subie_len); 221 else 222 tmp = (u8 *)cfg80211_find_ie(tmp_old[0], sub_copy, 223 subie_len); 224 225 if (!tmp) { 226 /* ie in old ie but not in subelement */ 227 if (tmp_old[0] != WLAN_EID_MULTIPLE_BSSID) { 228 memcpy(pos, tmp_old, tmp_old[1] + 2); 229 pos += tmp_old[1] + 2; 230 } 231 } else { 232 /* ie in transmitting ie also in subelement, 233 * copy from subelement and flag the ie in subelement 234 * as copied (by setting eid field to WLAN_EID_SSID, 235 * which is skipped anyway). 236 * For vendor ie, compare OUI + type + subType to 237 * determine if they are the same ie. 238 */ 239 if (tmp_old[0] == WLAN_EID_VENDOR_SPECIFIC) { 240 if (!memcmp(tmp_old + 2, tmp + 2, 5)) { 241 /* same vendor ie, copy from 242 * subelement 243 */ 244 memcpy(pos, tmp, tmp[1] + 2); 245 pos += tmp[1] + 2; 246 tmp[0] = WLAN_EID_SSID; 247 } else { 248 memcpy(pos, tmp_old, tmp_old[1] + 2); 249 pos += tmp_old[1] + 2; 250 } 251 } else { 252 /* copy ie from subelement into new ie */ 253 memcpy(pos, tmp, tmp[1] + 2); 254 pos += tmp[1] + 2; 255 tmp[0] = WLAN_EID_SSID; 256 } 257 } 258 259 if (tmp_old + tmp_old[1] + 2 - ie == ielen) 260 break; 261 262 tmp_old += tmp_old[1] + 2; 263 } 264 265 /* go through subelement again to check if there is any ie not 266 * copied to new ie, skip ssid, capability, bssid-index ie 267 */ 268 tmp_new = sub_copy; 269 while (tmp_new + tmp_new[1] + 2 - sub_copy <= subie_len) { 270 if (!(tmp_new[0] == WLAN_EID_NON_TX_BSSID_CAP || 271 tmp_new[0] == WLAN_EID_SSID || 272 tmp_new[0] == WLAN_EID_MULTI_BSSID_IDX)) { 273 memcpy(pos, tmp_new, tmp_new[1] + 2); 274 pos += tmp_new[1] + 2; 275 } 276 if (tmp_new + tmp_new[1] + 2 - sub_copy == subie_len) 277 break; 278 tmp_new += tmp_new[1] + 2; 279 } 280 281 kfree(sub_copy); 282 return pos - new_ie; 283 } 284 285 static bool is_bss(struct cfg80211_bss *a, const u8 *bssid, 286 const u8 *ssid, size_t ssid_len) 287 { 288 const struct cfg80211_bss_ies *ies; 289 const u8 *ssidie; 290 291 if (bssid && !ether_addr_equal(a->bssid, bssid)) 292 return false; 293 294 if (!ssid) 295 return true; 296 297 ies = rcu_access_pointer(a->ies); 298 if (!ies) 299 return false; 300 ssidie = cfg80211_find_ie(WLAN_EID_SSID, ies->data, ies->len); 301 if (!ssidie) 302 return false; 303 if (ssidie[1] != ssid_len) 304 return false; 305 return memcmp(ssidie + 2, ssid, ssid_len) == 0; 306 } 307 308 static int 309 cfg80211_add_nontrans_list(struct cfg80211_bss *trans_bss, 310 struct cfg80211_bss *nontrans_bss) 311 { 312 const u8 *ssid; 313 size_t ssid_len; 314 struct cfg80211_bss *bss = NULL; 315 316 rcu_read_lock(); 317 ssid = ieee80211_bss_get_ie(nontrans_bss, WLAN_EID_SSID); 318 if (!ssid) { 319 rcu_read_unlock(); 320 return -EINVAL; 321 } 322 ssid_len = ssid[1]; 323 ssid = ssid + 2; 324 rcu_read_unlock(); 325 326 /* check if nontrans_bss is in the list */ 327 list_for_each_entry(bss, &trans_bss->nontrans_list, nontrans_list) { 328 if (is_bss(bss, nontrans_bss->bssid, ssid, ssid_len)) 329 return 0; 330 } 331 332 /* add to the list */ 333 list_add_tail(&nontrans_bss->nontrans_list, &trans_bss->nontrans_list); 334 return 0; 335 } 336 337 static void __cfg80211_bss_expire(struct cfg80211_registered_device *rdev, 338 unsigned long expire_time) 339 { 340 struct cfg80211_internal_bss *bss, *tmp; 341 bool expired = false; 342 343 lockdep_assert_held(&rdev->bss_lock); 344 345 list_for_each_entry_safe(bss, tmp, &rdev->bss_list, list) { 346 if (atomic_read(&bss->hold)) 347 continue; 348 if (!time_after(expire_time, bss->ts)) 349 continue; 350 351 if (__cfg80211_unlink_bss(rdev, bss)) 352 expired = true; 353 } 354 355 if (expired) 356 rdev->bss_generation++; 357 } 358 359 static bool cfg80211_bss_expire_oldest(struct cfg80211_registered_device *rdev) 360 { 361 struct cfg80211_internal_bss *bss, *oldest = NULL; 362 bool ret; 363 364 lockdep_assert_held(&rdev->bss_lock); 365 366 list_for_each_entry(bss, &rdev->bss_list, list) { 367 if (atomic_read(&bss->hold)) 368 continue; 369 370 if (!list_empty(&bss->hidden_list) && 371 !bss->pub.hidden_beacon_bss) 372 continue; 373 374 if (oldest && time_before(oldest->ts, bss->ts)) 375 continue; 376 oldest = bss; 377 } 378 379 if (WARN_ON(!oldest)) 380 return false; 381 382 /* 383 * The callers make sure to increase rdev->bss_generation if anything 384 * gets removed (and a new entry added), so there's no need to also do 385 * it here. 386 */ 387 388 ret = __cfg80211_unlink_bss(rdev, oldest); 389 WARN_ON(!ret); 390 return ret; 391 } 392 393 void ___cfg80211_scan_done(struct cfg80211_registered_device *rdev, 394 bool send_message) 395 { 396 struct cfg80211_scan_request *request; 397 struct wireless_dev *wdev; 398 struct sk_buff *msg; 399 #ifdef CONFIG_CFG80211_WEXT 400 union iwreq_data wrqu; 401 #endif 402 403 ASSERT_RTNL(); 404 405 if (rdev->scan_msg) { 406 nl80211_send_scan_msg(rdev, rdev->scan_msg); 407 rdev->scan_msg = NULL; 408 return; 409 } 410 411 request = rdev->scan_req; 412 if (!request) 413 return; 414 415 wdev = request->wdev; 416 417 /* 418 * This must be before sending the other events! 419 * Otherwise, wpa_supplicant gets completely confused with 420 * wext events. 421 */ 422 if (wdev->netdev) 423 cfg80211_sme_scan_done(wdev->netdev); 424 425 if (!request->info.aborted && 426 request->flags & NL80211_SCAN_FLAG_FLUSH) { 427 /* flush entries from previous scans */ 428 spin_lock_bh(&rdev->bss_lock); 429 __cfg80211_bss_expire(rdev, request->scan_start); 430 spin_unlock_bh(&rdev->bss_lock); 431 } 432 433 msg = nl80211_build_scan_msg(rdev, wdev, request->info.aborted); 434 435 #ifdef CONFIG_CFG80211_WEXT 436 if (wdev->netdev && !request->info.aborted) { 437 memset(&wrqu, 0, sizeof(wrqu)); 438 439 wireless_send_event(wdev->netdev, SIOCGIWSCAN, &wrqu, NULL); 440 } 441 #endif 442 443 if (wdev->netdev) 444 dev_put(wdev->netdev); 445 446 rdev->scan_req = NULL; 447 kfree(request); 448 449 if (!send_message) 450 rdev->scan_msg = msg; 451 else 452 nl80211_send_scan_msg(rdev, msg); 453 } 454 455 void __cfg80211_scan_done(struct work_struct *wk) 456 { 457 struct cfg80211_registered_device *rdev; 458 459 rdev = container_of(wk, struct cfg80211_registered_device, 460 scan_done_wk); 461 462 rtnl_lock(); 463 ___cfg80211_scan_done(rdev, true); 464 rtnl_unlock(); 465 } 466 467 void cfg80211_scan_done(struct cfg80211_scan_request *request, 468 struct cfg80211_scan_info *info) 469 { 470 trace_cfg80211_scan_done(request, info); 471 WARN_ON(request != wiphy_to_rdev(request->wiphy)->scan_req); 472 473 request->info = *info; 474 request->notified = true; 475 queue_work(cfg80211_wq, &wiphy_to_rdev(request->wiphy)->scan_done_wk); 476 } 477 EXPORT_SYMBOL(cfg80211_scan_done); 478 479 void cfg80211_add_sched_scan_req(struct cfg80211_registered_device *rdev, 480 struct cfg80211_sched_scan_request *req) 481 { 482 ASSERT_RTNL(); 483 484 list_add_rcu(&req->list, &rdev->sched_scan_req_list); 485 } 486 487 static void cfg80211_del_sched_scan_req(struct cfg80211_registered_device *rdev, 488 struct cfg80211_sched_scan_request *req) 489 { 490 ASSERT_RTNL(); 491 492 list_del_rcu(&req->list); 493 kfree_rcu(req, rcu_head); 494 } 495 496 static struct cfg80211_sched_scan_request * 497 cfg80211_find_sched_scan_req(struct cfg80211_registered_device *rdev, u64 reqid) 498 { 499 struct cfg80211_sched_scan_request *pos; 500 501 WARN_ON_ONCE(!rcu_read_lock_held() && !lockdep_rtnl_is_held()); 502 503 list_for_each_entry_rcu(pos, &rdev->sched_scan_req_list, list) { 504 if (pos->reqid == reqid) 505 return pos; 506 } 507 return NULL; 508 } 509 510 /* 511 * Determines if a scheduled scan request can be handled. When a legacy 512 * scheduled scan is running no other scheduled scan is allowed regardless 513 * whether the request is for legacy or multi-support scan. When a multi-support 514 * scheduled scan is running a request for legacy scan is not allowed. In this 515 * case a request for multi-support scan can be handled if resources are 516 * available, ie. struct wiphy::max_sched_scan_reqs limit is not yet reached. 517 */ 518 int cfg80211_sched_scan_req_possible(struct cfg80211_registered_device *rdev, 519 bool want_multi) 520 { 521 struct cfg80211_sched_scan_request *pos; 522 int i = 0; 523 524 list_for_each_entry(pos, &rdev->sched_scan_req_list, list) { 525 /* request id zero means legacy in progress */ 526 if (!i && !pos->reqid) 527 return -EINPROGRESS; 528 i++; 529 } 530 531 if (i) { 532 /* no legacy allowed when multi request(s) are active */ 533 if (!want_multi) 534 return -EINPROGRESS; 535 536 /* resource limit reached */ 537 if (i == rdev->wiphy.max_sched_scan_reqs) 538 return -ENOSPC; 539 } 540 return 0; 541 } 542 543 void cfg80211_sched_scan_results_wk(struct work_struct *work) 544 { 545 struct cfg80211_registered_device *rdev; 546 struct cfg80211_sched_scan_request *req, *tmp; 547 548 rdev = container_of(work, struct cfg80211_registered_device, 549 sched_scan_res_wk); 550 551 rtnl_lock(); 552 list_for_each_entry_safe(req, tmp, &rdev->sched_scan_req_list, list) { 553 if (req->report_results) { 554 req->report_results = false; 555 if (req->flags & NL80211_SCAN_FLAG_FLUSH) { 556 /* flush entries from previous scans */ 557 spin_lock_bh(&rdev->bss_lock); 558 __cfg80211_bss_expire(rdev, req->scan_start); 559 spin_unlock_bh(&rdev->bss_lock); 560 req->scan_start = jiffies; 561 } 562 nl80211_send_sched_scan(req, 563 NL80211_CMD_SCHED_SCAN_RESULTS); 564 } 565 } 566 rtnl_unlock(); 567 } 568 569 void cfg80211_sched_scan_results(struct wiphy *wiphy, u64 reqid) 570 { 571 struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy); 572 struct cfg80211_sched_scan_request *request; 573 574 trace_cfg80211_sched_scan_results(wiphy, reqid); 575 /* ignore if we're not scanning */ 576 577 rcu_read_lock(); 578 request = cfg80211_find_sched_scan_req(rdev, reqid); 579 if (request) { 580 request->report_results = true; 581 queue_work(cfg80211_wq, &rdev->sched_scan_res_wk); 582 } 583 rcu_read_unlock(); 584 } 585 EXPORT_SYMBOL(cfg80211_sched_scan_results); 586 587 void cfg80211_sched_scan_stopped_rtnl(struct wiphy *wiphy, u64 reqid) 588 { 589 struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy); 590 591 ASSERT_RTNL(); 592 593 trace_cfg80211_sched_scan_stopped(wiphy, reqid); 594 595 __cfg80211_stop_sched_scan(rdev, reqid, true); 596 } 597 EXPORT_SYMBOL(cfg80211_sched_scan_stopped_rtnl); 598 599 void cfg80211_sched_scan_stopped(struct wiphy *wiphy, u64 reqid) 600 { 601 rtnl_lock(); 602 cfg80211_sched_scan_stopped_rtnl(wiphy, reqid); 603 rtnl_unlock(); 604 } 605 EXPORT_SYMBOL(cfg80211_sched_scan_stopped); 606 607 int cfg80211_stop_sched_scan_req(struct cfg80211_registered_device *rdev, 608 struct cfg80211_sched_scan_request *req, 609 bool driver_initiated) 610 { 611 ASSERT_RTNL(); 612 613 if (!driver_initiated) { 614 int err = rdev_sched_scan_stop(rdev, req->dev, req->reqid); 615 if (err) 616 return err; 617 } 618 619 nl80211_send_sched_scan(req, NL80211_CMD_SCHED_SCAN_STOPPED); 620 621 cfg80211_del_sched_scan_req(rdev, req); 622 623 return 0; 624 } 625 626 int __cfg80211_stop_sched_scan(struct cfg80211_registered_device *rdev, 627 u64 reqid, bool driver_initiated) 628 { 629 struct cfg80211_sched_scan_request *sched_scan_req; 630 631 ASSERT_RTNL(); 632 633 sched_scan_req = cfg80211_find_sched_scan_req(rdev, reqid); 634 if (!sched_scan_req) 635 return -ENOENT; 636 637 return cfg80211_stop_sched_scan_req(rdev, sched_scan_req, 638 driver_initiated); 639 } 640 641 void cfg80211_bss_age(struct cfg80211_registered_device *rdev, 642 unsigned long age_secs) 643 { 644 struct cfg80211_internal_bss *bss; 645 unsigned long age_jiffies = msecs_to_jiffies(age_secs * MSEC_PER_SEC); 646 647 spin_lock_bh(&rdev->bss_lock); 648 list_for_each_entry(bss, &rdev->bss_list, list) 649 bss->ts -= age_jiffies; 650 spin_unlock_bh(&rdev->bss_lock); 651 } 652 653 void cfg80211_bss_expire(struct cfg80211_registered_device *rdev) 654 { 655 __cfg80211_bss_expire(rdev, jiffies - IEEE80211_SCAN_RESULT_EXPIRE); 656 } 657 658 const struct element * 659 cfg80211_find_elem_match(u8 eid, const u8 *ies, unsigned int len, 660 const u8 *match, unsigned int match_len, 661 unsigned int match_offset) 662 { 663 const struct element *elem; 664 665 for_each_element_id(elem, eid, ies, len) { 666 if (elem->datalen >= match_offset + match_len && 667 !memcmp(elem->data + match_offset, match, match_len)) 668 return elem; 669 } 670 671 return NULL; 672 } 673 EXPORT_SYMBOL(cfg80211_find_elem_match); 674 675 const struct element *cfg80211_find_vendor_elem(unsigned int oui, int oui_type, 676 const u8 *ies, 677 unsigned int len) 678 { 679 const struct element *elem; 680 u8 match[] = { oui >> 16, oui >> 8, oui, oui_type }; 681 int match_len = (oui_type < 0) ? 3 : sizeof(match); 682 683 if (WARN_ON(oui_type > 0xff)) 684 return NULL; 685 686 elem = cfg80211_find_elem_match(WLAN_EID_VENDOR_SPECIFIC, ies, len, 687 match, match_len, 0); 688 689 if (!elem || elem->datalen < 4) 690 return NULL; 691 692 return elem; 693 } 694 EXPORT_SYMBOL(cfg80211_find_vendor_elem); 695 696 /** 697 * enum bss_compare_mode - BSS compare mode 698 * @BSS_CMP_REGULAR: regular compare mode (for insertion and normal find) 699 * @BSS_CMP_HIDE_ZLEN: find hidden SSID with zero-length mode 700 * @BSS_CMP_HIDE_NUL: find hidden SSID with NUL-ed out mode 701 */ 702 enum bss_compare_mode { 703 BSS_CMP_REGULAR, 704 BSS_CMP_HIDE_ZLEN, 705 BSS_CMP_HIDE_NUL, 706 }; 707 708 static int cmp_bss(struct cfg80211_bss *a, 709 struct cfg80211_bss *b, 710 enum bss_compare_mode mode) 711 { 712 const struct cfg80211_bss_ies *a_ies, *b_ies; 713 const u8 *ie1 = NULL; 714 const u8 *ie2 = NULL; 715 int i, r; 716 717 if (a->channel != b->channel) 718 return b->channel->center_freq - a->channel->center_freq; 719 720 a_ies = rcu_access_pointer(a->ies); 721 if (!a_ies) 722 return -1; 723 b_ies = rcu_access_pointer(b->ies); 724 if (!b_ies) 725 return 1; 726 727 if (WLAN_CAPABILITY_IS_STA_BSS(a->capability)) 728 ie1 = cfg80211_find_ie(WLAN_EID_MESH_ID, 729 a_ies->data, a_ies->len); 730 if (WLAN_CAPABILITY_IS_STA_BSS(b->capability)) 731 ie2 = cfg80211_find_ie(WLAN_EID_MESH_ID, 732 b_ies->data, b_ies->len); 733 if (ie1 && ie2) { 734 int mesh_id_cmp; 735 736 if (ie1[1] == ie2[1]) 737 mesh_id_cmp = memcmp(ie1 + 2, ie2 + 2, ie1[1]); 738 else 739 mesh_id_cmp = ie2[1] - ie1[1]; 740 741 ie1 = cfg80211_find_ie(WLAN_EID_MESH_CONFIG, 742 a_ies->data, a_ies->len); 743 ie2 = cfg80211_find_ie(WLAN_EID_MESH_CONFIG, 744 b_ies->data, b_ies->len); 745 if (ie1 && ie2) { 746 if (mesh_id_cmp) 747 return mesh_id_cmp; 748 if (ie1[1] != ie2[1]) 749 return ie2[1] - ie1[1]; 750 return memcmp(ie1 + 2, ie2 + 2, ie1[1]); 751 } 752 } 753 754 r = memcmp(a->bssid, b->bssid, sizeof(a->bssid)); 755 if (r) 756 return r; 757 758 ie1 = cfg80211_find_ie(WLAN_EID_SSID, a_ies->data, a_ies->len); 759 ie2 = cfg80211_find_ie(WLAN_EID_SSID, b_ies->data, b_ies->len); 760 761 if (!ie1 && !ie2) 762 return 0; 763 764 /* 765 * Note that with "hide_ssid", the function returns a match if 766 * the already-present BSS ("b") is a hidden SSID beacon for 767 * the new BSS ("a"). 768 */ 769 770 /* sort missing IE before (left of) present IE */ 771 if (!ie1) 772 return -1; 773 if (!ie2) 774 return 1; 775 776 switch (mode) { 777 case BSS_CMP_HIDE_ZLEN: 778 /* 779 * In ZLEN mode we assume the BSS entry we're 780 * looking for has a zero-length SSID. So if 781 * the one we're looking at right now has that, 782 * return 0. Otherwise, return the difference 783 * in length, but since we're looking for the 784 * 0-length it's really equivalent to returning 785 * the length of the one we're looking at. 786 * 787 * No content comparison is needed as we assume 788 * the content length is zero. 789 */ 790 return ie2[1]; 791 case BSS_CMP_REGULAR: 792 default: 793 /* sort by length first, then by contents */ 794 if (ie1[1] != ie2[1]) 795 return ie2[1] - ie1[1]; 796 return memcmp(ie1 + 2, ie2 + 2, ie1[1]); 797 case BSS_CMP_HIDE_NUL: 798 if (ie1[1] != ie2[1]) 799 return ie2[1] - ie1[1]; 800 /* this is equivalent to memcmp(zeroes, ie2 + 2, len) */ 801 for (i = 0; i < ie2[1]; i++) 802 if (ie2[i + 2]) 803 return -1; 804 return 0; 805 } 806 } 807 808 static bool cfg80211_bss_type_match(u16 capability, 809 enum nl80211_band band, 810 enum ieee80211_bss_type bss_type) 811 { 812 bool ret = true; 813 u16 mask, val; 814 815 if (bss_type == IEEE80211_BSS_TYPE_ANY) 816 return ret; 817 818 if (band == NL80211_BAND_60GHZ) { 819 mask = WLAN_CAPABILITY_DMG_TYPE_MASK; 820 switch (bss_type) { 821 case IEEE80211_BSS_TYPE_ESS: 822 val = WLAN_CAPABILITY_DMG_TYPE_AP; 823 break; 824 case IEEE80211_BSS_TYPE_PBSS: 825 val = WLAN_CAPABILITY_DMG_TYPE_PBSS; 826 break; 827 case IEEE80211_BSS_TYPE_IBSS: 828 val = WLAN_CAPABILITY_DMG_TYPE_IBSS; 829 break; 830 default: 831 return false; 832 } 833 } else { 834 mask = WLAN_CAPABILITY_ESS | WLAN_CAPABILITY_IBSS; 835 switch (bss_type) { 836 case IEEE80211_BSS_TYPE_ESS: 837 val = WLAN_CAPABILITY_ESS; 838 break; 839 case IEEE80211_BSS_TYPE_IBSS: 840 val = WLAN_CAPABILITY_IBSS; 841 break; 842 case IEEE80211_BSS_TYPE_MBSS: 843 val = 0; 844 break; 845 default: 846 return false; 847 } 848 } 849 850 ret = ((capability & mask) == val); 851 return ret; 852 } 853 854 /* Returned bss is reference counted and must be cleaned up appropriately. */ 855 struct cfg80211_bss *cfg80211_get_bss(struct wiphy *wiphy, 856 struct ieee80211_channel *channel, 857 const u8 *bssid, 858 const u8 *ssid, size_t ssid_len, 859 enum ieee80211_bss_type bss_type, 860 enum ieee80211_privacy privacy) 861 { 862 struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy); 863 struct cfg80211_internal_bss *bss, *res = NULL; 864 unsigned long now = jiffies; 865 int bss_privacy; 866 867 trace_cfg80211_get_bss(wiphy, channel, bssid, ssid, ssid_len, bss_type, 868 privacy); 869 870 spin_lock_bh(&rdev->bss_lock); 871 872 list_for_each_entry(bss, &rdev->bss_list, list) { 873 if (!cfg80211_bss_type_match(bss->pub.capability, 874 bss->pub.channel->band, bss_type)) 875 continue; 876 877 bss_privacy = (bss->pub.capability & WLAN_CAPABILITY_PRIVACY); 878 if ((privacy == IEEE80211_PRIVACY_ON && !bss_privacy) || 879 (privacy == IEEE80211_PRIVACY_OFF && bss_privacy)) 880 continue; 881 if (channel && bss->pub.channel != channel) 882 continue; 883 if (!is_valid_ether_addr(bss->pub.bssid)) 884 continue; 885 /* Don't get expired BSS structs */ 886 if (time_after(now, bss->ts + IEEE80211_SCAN_RESULT_EXPIRE) && 887 !atomic_read(&bss->hold)) 888 continue; 889 if (is_bss(&bss->pub, bssid, ssid, ssid_len)) { 890 res = bss; 891 bss_ref_get(rdev, res); 892 break; 893 } 894 } 895 896 spin_unlock_bh(&rdev->bss_lock); 897 if (!res) 898 return NULL; 899 trace_cfg80211_return_bss(&res->pub); 900 return &res->pub; 901 } 902 EXPORT_SYMBOL(cfg80211_get_bss); 903 904 static void rb_insert_bss(struct cfg80211_registered_device *rdev, 905 struct cfg80211_internal_bss *bss) 906 { 907 struct rb_node **p = &rdev->bss_tree.rb_node; 908 struct rb_node *parent = NULL; 909 struct cfg80211_internal_bss *tbss; 910 int cmp; 911 912 while (*p) { 913 parent = *p; 914 tbss = rb_entry(parent, struct cfg80211_internal_bss, rbn); 915 916 cmp = cmp_bss(&bss->pub, &tbss->pub, BSS_CMP_REGULAR); 917 918 if (WARN_ON(!cmp)) { 919 /* will sort of leak this BSS */ 920 return; 921 } 922 923 if (cmp < 0) 924 p = &(*p)->rb_left; 925 else 926 p = &(*p)->rb_right; 927 } 928 929 rb_link_node(&bss->rbn, parent, p); 930 rb_insert_color(&bss->rbn, &rdev->bss_tree); 931 } 932 933 static struct cfg80211_internal_bss * 934 rb_find_bss(struct cfg80211_registered_device *rdev, 935 struct cfg80211_internal_bss *res, 936 enum bss_compare_mode mode) 937 { 938 struct rb_node *n = rdev->bss_tree.rb_node; 939 struct cfg80211_internal_bss *bss; 940 int r; 941 942 while (n) { 943 bss = rb_entry(n, struct cfg80211_internal_bss, rbn); 944 r = cmp_bss(&res->pub, &bss->pub, mode); 945 946 if (r == 0) 947 return bss; 948 else if (r < 0) 949 n = n->rb_left; 950 else 951 n = n->rb_right; 952 } 953 954 return NULL; 955 } 956 957 static bool cfg80211_combine_bsses(struct cfg80211_registered_device *rdev, 958 struct cfg80211_internal_bss *new) 959 { 960 const struct cfg80211_bss_ies *ies; 961 struct cfg80211_internal_bss *bss; 962 const u8 *ie; 963 int i, ssidlen; 964 u8 fold = 0; 965 u32 n_entries = 0; 966 967 ies = rcu_access_pointer(new->pub.beacon_ies); 968 if (WARN_ON(!ies)) 969 return false; 970 971 ie = cfg80211_find_ie(WLAN_EID_SSID, ies->data, ies->len); 972 if (!ie) { 973 /* nothing to do */ 974 return true; 975 } 976 977 ssidlen = ie[1]; 978 for (i = 0; i < ssidlen; i++) 979 fold |= ie[2 + i]; 980 981 if (fold) { 982 /* not a hidden SSID */ 983 return true; 984 } 985 986 /* This is the bad part ... */ 987 988 list_for_each_entry(bss, &rdev->bss_list, list) { 989 /* 990 * we're iterating all the entries anyway, so take the 991 * opportunity to validate the list length accounting 992 */ 993 n_entries++; 994 995 if (!ether_addr_equal(bss->pub.bssid, new->pub.bssid)) 996 continue; 997 if (bss->pub.channel != new->pub.channel) 998 continue; 999 if (bss->pub.scan_width != new->pub.scan_width) 1000 continue; 1001 if (rcu_access_pointer(bss->pub.beacon_ies)) 1002 continue; 1003 ies = rcu_access_pointer(bss->pub.ies); 1004 if (!ies) 1005 continue; 1006 ie = cfg80211_find_ie(WLAN_EID_SSID, ies->data, ies->len); 1007 if (!ie) 1008 continue; 1009 if (ssidlen && ie[1] != ssidlen) 1010 continue; 1011 if (WARN_ON_ONCE(bss->pub.hidden_beacon_bss)) 1012 continue; 1013 if (WARN_ON_ONCE(!list_empty(&bss->hidden_list))) 1014 list_del(&bss->hidden_list); 1015 /* combine them */ 1016 list_add(&bss->hidden_list, &new->hidden_list); 1017 bss->pub.hidden_beacon_bss = &new->pub; 1018 new->refcount += bss->refcount; 1019 rcu_assign_pointer(bss->pub.beacon_ies, 1020 new->pub.beacon_ies); 1021 } 1022 1023 WARN_ONCE(n_entries != rdev->bss_entries, 1024 "rdev bss entries[%d]/list[len:%d] corruption\n", 1025 rdev->bss_entries, n_entries); 1026 1027 return true; 1028 } 1029 1030 struct cfg80211_non_tx_bss { 1031 struct cfg80211_bss *tx_bss; 1032 u8 max_bssid_indicator; 1033 u8 bssid_index; 1034 }; 1035 1036 /* Returned bss is reference counted and must be cleaned up appropriately. */ 1037 static struct cfg80211_internal_bss * 1038 cfg80211_bss_update(struct cfg80211_registered_device *rdev, 1039 struct cfg80211_internal_bss *tmp, 1040 bool signal_valid) 1041 { 1042 struct cfg80211_internal_bss *found = NULL; 1043 1044 if (WARN_ON(!tmp->pub.channel)) 1045 return NULL; 1046 1047 tmp->ts = jiffies; 1048 1049 spin_lock_bh(&rdev->bss_lock); 1050 1051 if (WARN_ON(!rcu_access_pointer(tmp->pub.ies))) { 1052 spin_unlock_bh(&rdev->bss_lock); 1053 return NULL; 1054 } 1055 1056 found = rb_find_bss(rdev, tmp, BSS_CMP_REGULAR); 1057 1058 if (found) { 1059 /* Update IEs */ 1060 if (rcu_access_pointer(tmp->pub.proberesp_ies)) { 1061 const struct cfg80211_bss_ies *old; 1062 1063 old = rcu_access_pointer(found->pub.proberesp_ies); 1064 1065 rcu_assign_pointer(found->pub.proberesp_ies, 1066 tmp->pub.proberesp_ies); 1067 /* Override possible earlier Beacon frame IEs */ 1068 rcu_assign_pointer(found->pub.ies, 1069 tmp->pub.proberesp_ies); 1070 if (old) 1071 kfree_rcu((struct cfg80211_bss_ies *)old, 1072 rcu_head); 1073 } else if (rcu_access_pointer(tmp->pub.beacon_ies)) { 1074 const struct cfg80211_bss_ies *old; 1075 struct cfg80211_internal_bss *bss; 1076 1077 if (found->pub.hidden_beacon_bss && 1078 !list_empty(&found->hidden_list)) { 1079 const struct cfg80211_bss_ies *f; 1080 1081 /* 1082 * The found BSS struct is one of the probe 1083 * response members of a group, but we're 1084 * receiving a beacon (beacon_ies in the tmp 1085 * bss is used). This can only mean that the 1086 * AP changed its beacon from not having an 1087 * SSID to showing it, which is confusing so 1088 * drop this information. 1089 */ 1090 1091 f = rcu_access_pointer(tmp->pub.beacon_ies); 1092 kfree_rcu((struct cfg80211_bss_ies *)f, 1093 rcu_head); 1094 goto drop; 1095 } 1096 1097 old = rcu_access_pointer(found->pub.beacon_ies); 1098 1099 rcu_assign_pointer(found->pub.beacon_ies, 1100 tmp->pub.beacon_ies); 1101 1102 /* Override IEs if they were from a beacon before */ 1103 if (old == rcu_access_pointer(found->pub.ies)) 1104 rcu_assign_pointer(found->pub.ies, 1105 tmp->pub.beacon_ies); 1106 1107 /* Assign beacon IEs to all sub entries */ 1108 list_for_each_entry(bss, &found->hidden_list, 1109 hidden_list) { 1110 const struct cfg80211_bss_ies *ies; 1111 1112 ies = rcu_access_pointer(bss->pub.beacon_ies); 1113 WARN_ON(ies != old); 1114 1115 rcu_assign_pointer(bss->pub.beacon_ies, 1116 tmp->pub.beacon_ies); 1117 } 1118 1119 if (old) 1120 kfree_rcu((struct cfg80211_bss_ies *)old, 1121 rcu_head); 1122 } 1123 1124 found->pub.beacon_interval = tmp->pub.beacon_interval; 1125 /* 1126 * don't update the signal if beacon was heard on 1127 * adjacent channel. 1128 */ 1129 if (signal_valid) 1130 found->pub.signal = tmp->pub.signal; 1131 found->pub.capability = tmp->pub.capability; 1132 found->ts = tmp->ts; 1133 found->ts_boottime = tmp->ts_boottime; 1134 found->parent_tsf = tmp->parent_tsf; 1135 found->pub.chains = tmp->pub.chains; 1136 memcpy(found->pub.chain_signal, tmp->pub.chain_signal, 1137 IEEE80211_MAX_CHAINS); 1138 ether_addr_copy(found->parent_bssid, tmp->parent_bssid); 1139 found->pub.max_bssid_indicator = tmp->pub.max_bssid_indicator; 1140 found->pub.bssid_index = tmp->pub.bssid_index; 1141 } else { 1142 struct cfg80211_internal_bss *new; 1143 struct cfg80211_internal_bss *hidden; 1144 struct cfg80211_bss_ies *ies; 1145 1146 /* 1147 * create a copy -- the "res" variable that is passed in 1148 * is allocated on the stack since it's not needed in the 1149 * more common case of an update 1150 */ 1151 new = kzalloc(sizeof(*new) + rdev->wiphy.bss_priv_size, 1152 GFP_ATOMIC); 1153 if (!new) { 1154 ies = (void *)rcu_dereference(tmp->pub.beacon_ies); 1155 if (ies) 1156 kfree_rcu(ies, rcu_head); 1157 ies = (void *)rcu_dereference(tmp->pub.proberesp_ies); 1158 if (ies) 1159 kfree_rcu(ies, rcu_head); 1160 goto drop; 1161 } 1162 memcpy(new, tmp, sizeof(*new)); 1163 new->refcount = 1; 1164 INIT_LIST_HEAD(&new->hidden_list); 1165 INIT_LIST_HEAD(&new->pub.nontrans_list); 1166 1167 if (rcu_access_pointer(tmp->pub.proberesp_ies)) { 1168 hidden = rb_find_bss(rdev, tmp, BSS_CMP_HIDE_ZLEN); 1169 if (!hidden) 1170 hidden = rb_find_bss(rdev, tmp, 1171 BSS_CMP_HIDE_NUL); 1172 if (hidden) { 1173 new->pub.hidden_beacon_bss = &hidden->pub; 1174 list_add(&new->hidden_list, 1175 &hidden->hidden_list); 1176 hidden->refcount++; 1177 rcu_assign_pointer(new->pub.beacon_ies, 1178 hidden->pub.beacon_ies); 1179 } 1180 } else { 1181 /* 1182 * Ok so we found a beacon, and don't have an entry. If 1183 * it's a beacon with hidden SSID, we might be in for an 1184 * expensive search for any probe responses that should 1185 * be grouped with this beacon for updates ... 1186 */ 1187 if (!cfg80211_combine_bsses(rdev, new)) { 1188 kfree(new); 1189 goto drop; 1190 } 1191 } 1192 1193 if (rdev->bss_entries >= bss_entries_limit && 1194 !cfg80211_bss_expire_oldest(rdev)) { 1195 kfree(new); 1196 goto drop; 1197 } 1198 1199 /* This must be before the call to bss_ref_get */ 1200 if (tmp->pub.transmitted_bss) { 1201 struct cfg80211_internal_bss *pbss = 1202 container_of(tmp->pub.transmitted_bss, 1203 struct cfg80211_internal_bss, 1204 pub); 1205 1206 new->pub.transmitted_bss = tmp->pub.transmitted_bss; 1207 bss_ref_get(rdev, pbss); 1208 } 1209 1210 list_add_tail(&new->list, &rdev->bss_list); 1211 rdev->bss_entries++; 1212 rb_insert_bss(rdev, new); 1213 found = new; 1214 } 1215 1216 rdev->bss_generation++; 1217 bss_ref_get(rdev, found); 1218 spin_unlock_bh(&rdev->bss_lock); 1219 1220 return found; 1221 drop: 1222 spin_unlock_bh(&rdev->bss_lock); 1223 return NULL; 1224 } 1225 1226 /* 1227 * Update RX channel information based on the available frame payload 1228 * information. This is mainly for the 2.4 GHz band where frames can be received 1229 * from neighboring channels and the Beacon frames use the DSSS Parameter Set 1230 * element to indicate the current (transmitting) channel, but this might also 1231 * be needed on other bands if RX frequency does not match with the actual 1232 * operating channel of a BSS. 1233 */ 1234 static struct ieee80211_channel * 1235 cfg80211_get_bss_channel(struct wiphy *wiphy, const u8 *ie, size_t ielen, 1236 struct ieee80211_channel *channel, 1237 enum nl80211_bss_scan_width scan_width) 1238 { 1239 const u8 *tmp; 1240 u32 freq; 1241 int channel_number = -1; 1242 struct ieee80211_channel *alt_channel; 1243 1244 tmp = cfg80211_find_ie(WLAN_EID_DS_PARAMS, ie, ielen); 1245 if (tmp && tmp[1] == 1) { 1246 channel_number = tmp[2]; 1247 } else { 1248 tmp = cfg80211_find_ie(WLAN_EID_HT_OPERATION, ie, ielen); 1249 if (tmp && tmp[1] >= sizeof(struct ieee80211_ht_operation)) { 1250 struct ieee80211_ht_operation *htop = (void *)(tmp + 2); 1251 1252 channel_number = htop->primary_chan; 1253 } 1254 } 1255 1256 if (channel_number < 0) { 1257 /* No channel information in frame payload */ 1258 return channel; 1259 } 1260 1261 freq = ieee80211_channel_to_frequency(channel_number, channel->band); 1262 alt_channel = ieee80211_get_channel(wiphy, freq); 1263 if (!alt_channel) { 1264 if (channel->band == NL80211_BAND_2GHZ) { 1265 /* 1266 * Better not allow unexpected channels when that could 1267 * be going beyond the 1-11 range (e.g., discovering 1268 * BSS on channel 12 when radio is configured for 1269 * channel 11. 1270 */ 1271 return NULL; 1272 } 1273 1274 /* No match for the payload channel number - ignore it */ 1275 return channel; 1276 } 1277 1278 if (scan_width == NL80211_BSS_CHAN_WIDTH_10 || 1279 scan_width == NL80211_BSS_CHAN_WIDTH_5) { 1280 /* 1281 * Ignore channel number in 5 and 10 MHz channels where there 1282 * may not be an n:1 or 1:n mapping between frequencies and 1283 * channel numbers. 1284 */ 1285 return channel; 1286 } 1287 1288 /* 1289 * Use the channel determined through the payload channel number 1290 * instead of the RX channel reported by the driver. 1291 */ 1292 if (alt_channel->flags & IEEE80211_CHAN_DISABLED) 1293 return NULL; 1294 return alt_channel; 1295 } 1296 1297 /* Returned bss is reference counted and must be cleaned up appropriately. */ 1298 static struct cfg80211_bss * 1299 cfg80211_inform_single_bss_data(struct wiphy *wiphy, 1300 struct cfg80211_inform_bss *data, 1301 enum cfg80211_bss_frame_type ftype, 1302 const u8 *bssid, u64 tsf, u16 capability, 1303 u16 beacon_interval, const u8 *ie, size_t ielen, 1304 struct cfg80211_non_tx_bss *non_tx_data, 1305 gfp_t gfp) 1306 { 1307 struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy); 1308 struct cfg80211_bss_ies *ies; 1309 struct ieee80211_channel *channel; 1310 struct cfg80211_internal_bss tmp = {}, *res; 1311 int bss_type; 1312 bool signal_valid; 1313 1314 if (WARN_ON(!wiphy)) 1315 return NULL; 1316 1317 if (WARN_ON(wiphy->signal_type == CFG80211_SIGNAL_TYPE_UNSPEC && 1318 (data->signal < 0 || data->signal > 100))) 1319 return NULL; 1320 1321 channel = cfg80211_get_bss_channel(wiphy, ie, ielen, data->chan, 1322 data->scan_width); 1323 if (!channel) 1324 return NULL; 1325 1326 memcpy(tmp.pub.bssid, bssid, ETH_ALEN); 1327 tmp.pub.channel = channel; 1328 tmp.pub.scan_width = data->scan_width; 1329 tmp.pub.signal = data->signal; 1330 tmp.pub.beacon_interval = beacon_interval; 1331 tmp.pub.capability = capability; 1332 tmp.ts_boottime = data->boottime_ns; 1333 if (non_tx_data) { 1334 tmp.pub.transmitted_bss = non_tx_data->tx_bss; 1335 tmp.pub.bssid_index = non_tx_data->bssid_index; 1336 tmp.pub.max_bssid_indicator = non_tx_data->max_bssid_indicator; 1337 } 1338 1339 /* 1340 * If we do not know here whether the IEs are from a Beacon or Probe 1341 * Response frame, we need to pick one of the options and only use it 1342 * with the driver that does not provide the full Beacon/Probe Response 1343 * frame. Use Beacon frame pointer to avoid indicating that this should 1344 * override the IEs pointer should we have received an earlier 1345 * indication of Probe Response data. 1346 */ 1347 ies = kzalloc(sizeof(*ies) + ielen, gfp); 1348 if (!ies) 1349 return NULL; 1350 ies->len = ielen; 1351 ies->tsf = tsf; 1352 ies->from_beacon = false; 1353 memcpy(ies->data, ie, ielen); 1354 1355 switch (ftype) { 1356 case CFG80211_BSS_FTYPE_BEACON: 1357 ies->from_beacon = true; 1358 /* fall through */ 1359 case CFG80211_BSS_FTYPE_UNKNOWN: 1360 rcu_assign_pointer(tmp.pub.beacon_ies, ies); 1361 break; 1362 case CFG80211_BSS_FTYPE_PRESP: 1363 rcu_assign_pointer(tmp.pub.proberesp_ies, ies); 1364 break; 1365 } 1366 rcu_assign_pointer(tmp.pub.ies, ies); 1367 1368 signal_valid = abs(data->chan->center_freq - channel->center_freq) <= 1369 wiphy->max_adj_channel_rssi_comp; 1370 res = cfg80211_bss_update(wiphy_to_rdev(wiphy), &tmp, signal_valid); 1371 if (!res) 1372 return NULL; 1373 1374 if (channel->band == NL80211_BAND_60GHZ) { 1375 bss_type = res->pub.capability & WLAN_CAPABILITY_DMG_TYPE_MASK; 1376 if (bss_type == WLAN_CAPABILITY_DMG_TYPE_AP || 1377 bss_type == WLAN_CAPABILITY_DMG_TYPE_PBSS) 1378 regulatory_hint_found_beacon(wiphy, channel, gfp); 1379 } else { 1380 if (res->pub.capability & WLAN_CAPABILITY_ESS) 1381 regulatory_hint_found_beacon(wiphy, channel, gfp); 1382 } 1383 1384 if (non_tx_data && non_tx_data->tx_bss) { 1385 /* this is a nontransmitting bss, we need to add it to 1386 * transmitting bss' list if it is not there 1387 */ 1388 if (cfg80211_add_nontrans_list(non_tx_data->tx_bss, 1389 &res->pub)) { 1390 if (__cfg80211_unlink_bss(rdev, res)) 1391 rdev->bss_generation++; 1392 } 1393 } 1394 1395 trace_cfg80211_return_bss(&res->pub); 1396 /* cfg80211_bss_update gives us a referenced result */ 1397 return &res->pub; 1398 } 1399 1400 static void cfg80211_parse_mbssid_data(struct wiphy *wiphy, 1401 struct cfg80211_inform_bss *data, 1402 enum cfg80211_bss_frame_type ftype, 1403 const u8 *bssid, u64 tsf, 1404 u16 beacon_interval, const u8 *ie, 1405 size_t ielen, 1406 struct cfg80211_non_tx_bss *non_tx_data, 1407 gfp_t gfp) 1408 { 1409 const u8 *mbssid_index_ie; 1410 const struct element *elem, *sub; 1411 size_t new_ie_len; 1412 u8 new_bssid[ETH_ALEN]; 1413 u8 *new_ie; 1414 u16 capability; 1415 struct cfg80211_bss *bss; 1416 1417 if (!non_tx_data) 1418 return; 1419 if (!cfg80211_find_ie(WLAN_EID_MULTIPLE_BSSID, ie, ielen)) 1420 return; 1421 if (!wiphy->support_mbssid) 1422 return; 1423 if (wiphy->support_only_he_mbssid && 1424 !cfg80211_find_ext_ie(WLAN_EID_EXT_HE_CAPABILITY, ie, ielen)) 1425 return; 1426 1427 new_ie = kmalloc(IEEE80211_MAX_DATA_LEN, gfp); 1428 if (!new_ie) 1429 return; 1430 1431 for_each_element_id(elem, WLAN_EID_MULTIPLE_BSSID, ie, ielen) { 1432 if (elem->datalen < 4) 1433 continue; 1434 for_each_element(sub, elem->data + 1, elem->datalen - 1) { 1435 if (sub->id != 0 || sub->datalen < 4) { 1436 /* not a valid BSS profile */ 1437 continue; 1438 } 1439 1440 if (sub->data[0] != WLAN_EID_NON_TX_BSSID_CAP || 1441 sub->data[1] != 2) { 1442 /* The first element within the Nontransmitted 1443 * BSSID Profile is not the Nontransmitted 1444 * BSSID Capability element. 1445 */ 1446 continue; 1447 } 1448 1449 /* found a Nontransmitted BSSID Profile */ 1450 mbssid_index_ie = cfg80211_find_ie 1451 (WLAN_EID_MULTI_BSSID_IDX, 1452 sub->data, sub->datalen); 1453 if (!mbssid_index_ie || mbssid_index_ie[1] < 1 || 1454 mbssid_index_ie[2] == 0) { 1455 /* No valid Multiple BSSID-Index element */ 1456 continue; 1457 } 1458 1459 non_tx_data->bssid_index = mbssid_index_ie[2]; 1460 non_tx_data->max_bssid_indicator = elem->data[0]; 1461 1462 cfg80211_gen_new_bssid(bssid, 1463 non_tx_data->max_bssid_indicator, 1464 non_tx_data->bssid_index, 1465 new_bssid); 1466 memset(new_ie, 0, IEEE80211_MAX_DATA_LEN); 1467 new_ie_len = cfg80211_gen_new_ie(ie, ielen, sub->data, 1468 sub->datalen, new_ie, 1469 gfp); 1470 if (!new_ie_len) 1471 continue; 1472 1473 capability = get_unaligned_le16(sub->data + 2); 1474 bss = cfg80211_inform_single_bss_data(wiphy, data, 1475 ftype, 1476 new_bssid, tsf, 1477 capability, 1478 beacon_interval, 1479 new_ie, 1480 new_ie_len, 1481 non_tx_data, 1482 gfp); 1483 if (!bss) 1484 break; 1485 cfg80211_put_bss(wiphy, bss); 1486 } 1487 } 1488 1489 kfree(new_ie); 1490 } 1491 1492 struct cfg80211_bss * 1493 cfg80211_inform_bss_data(struct wiphy *wiphy, 1494 struct cfg80211_inform_bss *data, 1495 enum cfg80211_bss_frame_type ftype, 1496 const u8 *bssid, u64 tsf, u16 capability, 1497 u16 beacon_interval, const u8 *ie, size_t ielen, 1498 gfp_t gfp) 1499 { 1500 struct cfg80211_bss *res; 1501 struct cfg80211_non_tx_bss non_tx_data; 1502 1503 res = cfg80211_inform_single_bss_data(wiphy, data, ftype, bssid, tsf, 1504 capability, beacon_interval, ie, 1505 ielen, NULL, gfp); 1506 non_tx_data.tx_bss = res; 1507 cfg80211_parse_mbssid_data(wiphy, data, ftype, bssid, tsf, 1508 beacon_interval, ie, ielen, &non_tx_data, 1509 gfp); 1510 return res; 1511 } 1512 EXPORT_SYMBOL(cfg80211_inform_bss_data); 1513 1514 static void 1515 cfg80211_parse_mbssid_frame_data(struct wiphy *wiphy, 1516 struct cfg80211_inform_bss *data, 1517 struct ieee80211_mgmt *mgmt, size_t len, 1518 struct cfg80211_non_tx_bss *non_tx_data, 1519 gfp_t gfp) 1520 { 1521 enum cfg80211_bss_frame_type ftype; 1522 const u8 *ie = mgmt->u.probe_resp.variable; 1523 size_t ielen = len - offsetof(struct ieee80211_mgmt, 1524 u.probe_resp.variable); 1525 1526 ftype = ieee80211_is_beacon(mgmt->frame_control) ? 1527 CFG80211_BSS_FTYPE_BEACON : CFG80211_BSS_FTYPE_PRESP; 1528 1529 cfg80211_parse_mbssid_data(wiphy, data, ftype, mgmt->bssid, 1530 le64_to_cpu(mgmt->u.probe_resp.timestamp), 1531 le16_to_cpu(mgmt->u.probe_resp.beacon_int), 1532 ie, ielen, non_tx_data, gfp); 1533 } 1534 1535 static void 1536 cfg80211_update_notlisted_nontrans(struct wiphy *wiphy, 1537 struct cfg80211_bss *nontrans_bss, 1538 struct ieee80211_mgmt *mgmt, size_t len, 1539 gfp_t gfp) 1540 { 1541 u8 *ie, *new_ie, *pos; 1542 const u8 *nontrans_ssid, *trans_ssid, *mbssid; 1543 size_t ielen = len - offsetof(struct ieee80211_mgmt, 1544 u.probe_resp.variable); 1545 size_t new_ie_len; 1546 struct cfg80211_bss_ies *new_ies; 1547 const struct cfg80211_bss_ies *old; 1548 u8 cpy_len; 1549 1550 ie = mgmt->u.probe_resp.variable; 1551 1552 new_ie_len = ielen; 1553 trans_ssid = cfg80211_find_ie(WLAN_EID_SSID, ie, ielen); 1554 if (!trans_ssid) 1555 return; 1556 new_ie_len -= trans_ssid[1]; 1557 mbssid = cfg80211_find_ie(WLAN_EID_MULTIPLE_BSSID, ie, ielen); 1558 if (!mbssid) 1559 return; 1560 new_ie_len -= mbssid[1]; 1561 rcu_read_lock(); 1562 nontrans_ssid = ieee80211_bss_get_ie(nontrans_bss, WLAN_EID_SSID); 1563 if (!nontrans_ssid) { 1564 rcu_read_unlock(); 1565 return; 1566 } 1567 new_ie_len += nontrans_ssid[1]; 1568 rcu_read_unlock(); 1569 1570 /* generate new ie for nontrans BSS 1571 * 1. replace SSID with nontrans BSS' SSID 1572 * 2. skip MBSSID IE 1573 */ 1574 new_ie = kzalloc(new_ie_len, gfp); 1575 if (!new_ie) 1576 return; 1577 new_ies = kzalloc(sizeof(*new_ies) + new_ie_len, gfp); 1578 if (!new_ies) 1579 goto out_free; 1580 1581 pos = new_ie; 1582 1583 /* copy the nontransmitted SSID */ 1584 cpy_len = nontrans_ssid[1] + 2; 1585 memcpy(pos, nontrans_ssid, cpy_len); 1586 pos += cpy_len; 1587 /* copy the IEs between SSID and MBSSID */ 1588 cpy_len = trans_ssid[1] + 2; 1589 memcpy(pos, (trans_ssid + cpy_len), (mbssid - (trans_ssid + cpy_len))); 1590 pos += (mbssid - (trans_ssid + cpy_len)); 1591 /* copy the IEs after MBSSID */ 1592 cpy_len = mbssid[1] + 2; 1593 memcpy(pos, mbssid + cpy_len, ((ie + ielen) - (mbssid + cpy_len))); 1594 1595 /* update ie */ 1596 new_ies->len = new_ie_len; 1597 new_ies->tsf = le64_to_cpu(mgmt->u.probe_resp.timestamp); 1598 new_ies->from_beacon = ieee80211_is_beacon(mgmt->frame_control); 1599 memcpy(new_ies->data, new_ie, new_ie_len); 1600 if (ieee80211_is_probe_resp(mgmt->frame_control)) { 1601 old = rcu_access_pointer(nontrans_bss->proberesp_ies); 1602 rcu_assign_pointer(nontrans_bss->proberesp_ies, new_ies); 1603 rcu_assign_pointer(nontrans_bss->ies, new_ies); 1604 if (old) 1605 kfree_rcu((struct cfg80211_bss_ies *)old, rcu_head); 1606 } else { 1607 old = rcu_access_pointer(nontrans_bss->beacon_ies); 1608 rcu_assign_pointer(nontrans_bss->beacon_ies, new_ies); 1609 rcu_assign_pointer(nontrans_bss->ies, new_ies); 1610 if (old) 1611 kfree_rcu((struct cfg80211_bss_ies *)old, rcu_head); 1612 } 1613 1614 out_free: 1615 kfree(new_ie); 1616 } 1617 1618 /* cfg80211_inform_bss_width_frame helper */ 1619 static struct cfg80211_bss * 1620 cfg80211_inform_single_bss_frame_data(struct wiphy *wiphy, 1621 struct cfg80211_inform_bss *data, 1622 struct ieee80211_mgmt *mgmt, size_t len, 1623 struct cfg80211_non_tx_bss *non_tx_data, 1624 gfp_t gfp) 1625 { 1626 struct cfg80211_internal_bss tmp = {}, *res; 1627 struct cfg80211_bss_ies *ies; 1628 struct ieee80211_channel *channel; 1629 bool signal_valid; 1630 size_t ielen = len - offsetof(struct ieee80211_mgmt, 1631 u.probe_resp.variable); 1632 int bss_type; 1633 1634 BUILD_BUG_ON(offsetof(struct ieee80211_mgmt, u.probe_resp.variable) != 1635 offsetof(struct ieee80211_mgmt, u.beacon.variable)); 1636 1637 trace_cfg80211_inform_bss_frame(wiphy, data, mgmt, len); 1638 1639 if (WARN_ON(!mgmt)) 1640 return NULL; 1641 1642 if (WARN_ON(!wiphy)) 1643 return NULL; 1644 1645 if (WARN_ON(wiphy->signal_type == CFG80211_SIGNAL_TYPE_UNSPEC && 1646 (data->signal < 0 || data->signal > 100))) 1647 return NULL; 1648 1649 if (WARN_ON(len < offsetof(struct ieee80211_mgmt, u.probe_resp.variable))) 1650 return NULL; 1651 1652 channel = cfg80211_get_bss_channel(wiphy, mgmt->u.beacon.variable, 1653 ielen, data->chan, data->scan_width); 1654 if (!channel) 1655 return NULL; 1656 1657 ies = kzalloc(sizeof(*ies) + ielen, gfp); 1658 if (!ies) 1659 return NULL; 1660 ies->len = ielen; 1661 ies->tsf = le64_to_cpu(mgmt->u.probe_resp.timestamp); 1662 ies->from_beacon = ieee80211_is_beacon(mgmt->frame_control); 1663 memcpy(ies->data, mgmt->u.probe_resp.variable, ielen); 1664 1665 if (ieee80211_is_probe_resp(mgmt->frame_control)) 1666 rcu_assign_pointer(tmp.pub.proberesp_ies, ies); 1667 else 1668 rcu_assign_pointer(tmp.pub.beacon_ies, ies); 1669 rcu_assign_pointer(tmp.pub.ies, ies); 1670 1671 memcpy(tmp.pub.bssid, mgmt->bssid, ETH_ALEN); 1672 tmp.pub.channel = channel; 1673 tmp.pub.scan_width = data->scan_width; 1674 tmp.pub.signal = data->signal; 1675 tmp.pub.beacon_interval = le16_to_cpu(mgmt->u.probe_resp.beacon_int); 1676 tmp.pub.capability = le16_to_cpu(mgmt->u.probe_resp.capab_info); 1677 tmp.ts_boottime = data->boottime_ns; 1678 tmp.parent_tsf = data->parent_tsf; 1679 tmp.pub.chains = data->chains; 1680 memcpy(tmp.pub.chain_signal, data->chain_signal, IEEE80211_MAX_CHAINS); 1681 ether_addr_copy(tmp.parent_bssid, data->parent_bssid); 1682 if (non_tx_data) { 1683 tmp.pub.transmitted_bss = non_tx_data->tx_bss; 1684 tmp.pub.bssid_index = non_tx_data->bssid_index; 1685 tmp.pub.max_bssid_indicator = non_tx_data->max_bssid_indicator; 1686 } 1687 1688 signal_valid = abs(data->chan->center_freq - channel->center_freq) <= 1689 wiphy->max_adj_channel_rssi_comp; 1690 res = cfg80211_bss_update(wiphy_to_rdev(wiphy), &tmp, signal_valid); 1691 if (!res) 1692 return NULL; 1693 1694 if (channel->band == NL80211_BAND_60GHZ) { 1695 bss_type = res->pub.capability & WLAN_CAPABILITY_DMG_TYPE_MASK; 1696 if (bss_type == WLAN_CAPABILITY_DMG_TYPE_AP || 1697 bss_type == WLAN_CAPABILITY_DMG_TYPE_PBSS) 1698 regulatory_hint_found_beacon(wiphy, channel, gfp); 1699 } else { 1700 if (res->pub.capability & WLAN_CAPABILITY_ESS) 1701 regulatory_hint_found_beacon(wiphy, channel, gfp); 1702 } 1703 1704 trace_cfg80211_return_bss(&res->pub); 1705 /* cfg80211_bss_update gives us a referenced result */ 1706 return &res->pub; 1707 } 1708 1709 struct cfg80211_bss * 1710 cfg80211_inform_bss_frame_data(struct wiphy *wiphy, 1711 struct cfg80211_inform_bss *data, 1712 struct ieee80211_mgmt *mgmt, size_t len, 1713 gfp_t gfp) 1714 { 1715 struct cfg80211_bss *res, *tmp_bss; 1716 const u8 *ie = mgmt->u.probe_resp.variable; 1717 const struct cfg80211_bss_ies *ies1, *ies2; 1718 size_t ielen = len - offsetof(struct ieee80211_mgmt, 1719 u.probe_resp.variable); 1720 struct cfg80211_non_tx_bss non_tx_data; 1721 1722 res = cfg80211_inform_single_bss_frame_data(wiphy, data, mgmt, 1723 len, NULL, gfp); 1724 if (!res || !wiphy->support_mbssid || 1725 !cfg80211_find_ie(WLAN_EID_MULTIPLE_BSSID, ie, ielen)) 1726 return res; 1727 if (wiphy->support_only_he_mbssid && 1728 !cfg80211_find_ext_ie(WLAN_EID_EXT_HE_CAPABILITY, ie, ielen)) 1729 return res; 1730 1731 non_tx_data.tx_bss = res; 1732 /* process each non-transmitting bss */ 1733 cfg80211_parse_mbssid_frame_data(wiphy, data, mgmt, len, 1734 &non_tx_data, gfp); 1735 1736 /* check if the res has other nontransmitting bss which is not 1737 * in MBSSID IE 1738 */ 1739 ies1 = rcu_access_pointer(res->ies); 1740 1741 /* go through nontrans_list, if the timestamp of the BSS is 1742 * earlier than the timestamp of the transmitting BSS then 1743 * update it 1744 */ 1745 list_for_each_entry(tmp_bss, &res->nontrans_list, 1746 nontrans_list) { 1747 ies2 = rcu_access_pointer(tmp_bss->ies); 1748 if (ies2->tsf < ies1->tsf) 1749 cfg80211_update_notlisted_nontrans(wiphy, tmp_bss, 1750 mgmt, len, gfp); 1751 } 1752 1753 return res; 1754 } 1755 EXPORT_SYMBOL(cfg80211_inform_bss_frame_data); 1756 1757 void cfg80211_ref_bss(struct wiphy *wiphy, struct cfg80211_bss *pub) 1758 { 1759 struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy); 1760 struct cfg80211_internal_bss *bss; 1761 1762 if (!pub) 1763 return; 1764 1765 bss = container_of(pub, struct cfg80211_internal_bss, pub); 1766 1767 spin_lock_bh(&rdev->bss_lock); 1768 bss_ref_get(rdev, bss); 1769 spin_unlock_bh(&rdev->bss_lock); 1770 } 1771 EXPORT_SYMBOL(cfg80211_ref_bss); 1772 1773 void cfg80211_put_bss(struct wiphy *wiphy, struct cfg80211_bss *pub) 1774 { 1775 struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy); 1776 struct cfg80211_internal_bss *bss; 1777 1778 if (!pub) 1779 return; 1780 1781 bss = container_of(pub, struct cfg80211_internal_bss, pub); 1782 1783 spin_lock_bh(&rdev->bss_lock); 1784 bss_ref_put(rdev, bss); 1785 spin_unlock_bh(&rdev->bss_lock); 1786 } 1787 EXPORT_SYMBOL(cfg80211_put_bss); 1788 1789 void cfg80211_unlink_bss(struct wiphy *wiphy, struct cfg80211_bss *pub) 1790 { 1791 struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy); 1792 struct cfg80211_internal_bss *bss, *tmp1; 1793 struct cfg80211_bss *nontrans_bss, *tmp; 1794 1795 if (WARN_ON(!pub)) 1796 return; 1797 1798 bss = container_of(pub, struct cfg80211_internal_bss, pub); 1799 1800 spin_lock_bh(&rdev->bss_lock); 1801 if (list_empty(&bss->list)) 1802 goto out; 1803 1804 list_for_each_entry_safe(nontrans_bss, tmp, 1805 &pub->nontrans_list, 1806 nontrans_list) { 1807 tmp1 = container_of(nontrans_bss, 1808 struct cfg80211_internal_bss, pub); 1809 if (__cfg80211_unlink_bss(rdev, tmp1)) 1810 rdev->bss_generation++; 1811 } 1812 1813 if (__cfg80211_unlink_bss(rdev, bss)) 1814 rdev->bss_generation++; 1815 out: 1816 spin_unlock_bh(&rdev->bss_lock); 1817 } 1818 EXPORT_SYMBOL(cfg80211_unlink_bss); 1819 1820 #ifdef CONFIG_CFG80211_WEXT 1821 static struct cfg80211_registered_device * 1822 cfg80211_get_dev_from_ifindex(struct net *net, int ifindex) 1823 { 1824 struct cfg80211_registered_device *rdev; 1825 struct net_device *dev; 1826 1827 ASSERT_RTNL(); 1828 1829 dev = dev_get_by_index(net, ifindex); 1830 if (!dev) 1831 return ERR_PTR(-ENODEV); 1832 if (dev->ieee80211_ptr) 1833 rdev = wiphy_to_rdev(dev->ieee80211_ptr->wiphy); 1834 else 1835 rdev = ERR_PTR(-ENODEV); 1836 dev_put(dev); 1837 return rdev; 1838 } 1839 1840 int cfg80211_wext_siwscan(struct net_device *dev, 1841 struct iw_request_info *info, 1842 union iwreq_data *wrqu, char *extra) 1843 { 1844 struct cfg80211_registered_device *rdev; 1845 struct wiphy *wiphy; 1846 struct iw_scan_req *wreq = NULL; 1847 struct cfg80211_scan_request *creq = NULL; 1848 int i, err, n_channels = 0; 1849 enum nl80211_band band; 1850 1851 if (!netif_running(dev)) 1852 return -ENETDOWN; 1853 1854 if (wrqu->data.length == sizeof(struct iw_scan_req)) 1855 wreq = (struct iw_scan_req *)extra; 1856 1857 rdev = cfg80211_get_dev_from_ifindex(dev_net(dev), dev->ifindex); 1858 1859 if (IS_ERR(rdev)) 1860 return PTR_ERR(rdev); 1861 1862 if (rdev->scan_req || rdev->scan_msg) { 1863 err = -EBUSY; 1864 goto out; 1865 } 1866 1867 wiphy = &rdev->wiphy; 1868 1869 /* Determine number of channels, needed to allocate creq */ 1870 if (wreq && wreq->num_channels) 1871 n_channels = wreq->num_channels; 1872 else 1873 n_channels = ieee80211_get_num_supported_channels(wiphy); 1874 1875 creq = kzalloc(sizeof(*creq) + sizeof(struct cfg80211_ssid) + 1876 n_channels * sizeof(void *), 1877 GFP_ATOMIC); 1878 if (!creq) { 1879 err = -ENOMEM; 1880 goto out; 1881 } 1882 1883 creq->wiphy = wiphy; 1884 creq->wdev = dev->ieee80211_ptr; 1885 /* SSIDs come after channels */ 1886 creq->ssids = (void *)&creq->channels[n_channels]; 1887 creq->n_channels = n_channels; 1888 creq->n_ssids = 1; 1889 creq->scan_start = jiffies; 1890 1891 /* translate "Scan on frequencies" request */ 1892 i = 0; 1893 for (band = 0; band < NUM_NL80211_BANDS; band++) { 1894 int j; 1895 1896 if (!wiphy->bands[band]) 1897 continue; 1898 1899 for (j = 0; j < wiphy->bands[band]->n_channels; j++) { 1900 /* ignore disabled channels */ 1901 if (wiphy->bands[band]->channels[j].flags & 1902 IEEE80211_CHAN_DISABLED) 1903 continue; 1904 1905 /* If we have a wireless request structure and the 1906 * wireless request specifies frequencies, then search 1907 * for the matching hardware channel. 1908 */ 1909 if (wreq && wreq->num_channels) { 1910 int k; 1911 int wiphy_freq = wiphy->bands[band]->channels[j].center_freq; 1912 for (k = 0; k < wreq->num_channels; k++) { 1913 struct iw_freq *freq = 1914 &wreq->channel_list[k]; 1915 int wext_freq = 1916 cfg80211_wext_freq(freq); 1917 1918 if (wext_freq == wiphy_freq) 1919 goto wext_freq_found; 1920 } 1921 goto wext_freq_not_found; 1922 } 1923 1924 wext_freq_found: 1925 creq->channels[i] = &wiphy->bands[band]->channels[j]; 1926 i++; 1927 wext_freq_not_found: ; 1928 } 1929 } 1930 /* No channels found? */ 1931 if (!i) { 1932 err = -EINVAL; 1933 goto out; 1934 } 1935 1936 /* Set real number of channels specified in creq->channels[] */ 1937 creq->n_channels = i; 1938 1939 /* translate "Scan for SSID" request */ 1940 if (wreq) { 1941 if (wrqu->data.flags & IW_SCAN_THIS_ESSID) { 1942 if (wreq->essid_len > IEEE80211_MAX_SSID_LEN) { 1943 err = -EINVAL; 1944 goto out; 1945 } 1946 memcpy(creq->ssids[0].ssid, wreq->essid, wreq->essid_len); 1947 creq->ssids[0].ssid_len = wreq->essid_len; 1948 } 1949 if (wreq->scan_type == IW_SCAN_TYPE_PASSIVE) 1950 creq->n_ssids = 0; 1951 } 1952 1953 for (i = 0; i < NUM_NL80211_BANDS; i++) 1954 if (wiphy->bands[i]) 1955 creq->rates[i] = (1 << wiphy->bands[i]->n_bitrates) - 1; 1956 1957 eth_broadcast_addr(creq->bssid); 1958 1959 rdev->scan_req = creq; 1960 err = rdev_scan(rdev, creq); 1961 if (err) { 1962 rdev->scan_req = NULL; 1963 /* creq will be freed below */ 1964 } else { 1965 nl80211_send_scan_start(rdev, dev->ieee80211_ptr); 1966 /* creq now owned by driver */ 1967 creq = NULL; 1968 dev_hold(dev); 1969 } 1970 out: 1971 kfree(creq); 1972 return err; 1973 } 1974 EXPORT_WEXT_HANDLER(cfg80211_wext_siwscan); 1975 1976 static char *ieee80211_scan_add_ies(struct iw_request_info *info, 1977 const struct cfg80211_bss_ies *ies, 1978 char *current_ev, char *end_buf) 1979 { 1980 const u8 *pos, *end, *next; 1981 struct iw_event iwe; 1982 1983 if (!ies) 1984 return current_ev; 1985 1986 /* 1987 * If needed, fragment the IEs buffer (at IE boundaries) into short 1988 * enough fragments to fit into IW_GENERIC_IE_MAX octet messages. 1989 */ 1990 pos = ies->data; 1991 end = pos + ies->len; 1992 1993 while (end - pos > IW_GENERIC_IE_MAX) { 1994 next = pos + 2 + pos[1]; 1995 while (next + 2 + next[1] - pos < IW_GENERIC_IE_MAX) 1996 next = next + 2 + next[1]; 1997 1998 memset(&iwe, 0, sizeof(iwe)); 1999 iwe.cmd = IWEVGENIE; 2000 iwe.u.data.length = next - pos; 2001 current_ev = iwe_stream_add_point_check(info, current_ev, 2002 end_buf, &iwe, 2003 (void *)pos); 2004 if (IS_ERR(current_ev)) 2005 return current_ev; 2006 pos = next; 2007 } 2008 2009 if (end > pos) { 2010 memset(&iwe, 0, sizeof(iwe)); 2011 iwe.cmd = IWEVGENIE; 2012 iwe.u.data.length = end - pos; 2013 current_ev = iwe_stream_add_point_check(info, current_ev, 2014 end_buf, &iwe, 2015 (void *)pos); 2016 if (IS_ERR(current_ev)) 2017 return current_ev; 2018 } 2019 2020 return current_ev; 2021 } 2022 2023 static char * 2024 ieee80211_bss(struct wiphy *wiphy, struct iw_request_info *info, 2025 struct cfg80211_internal_bss *bss, char *current_ev, 2026 char *end_buf) 2027 { 2028 const struct cfg80211_bss_ies *ies; 2029 struct iw_event iwe; 2030 const u8 *ie; 2031 u8 buf[50]; 2032 u8 *cfg, *p, *tmp; 2033 int rem, i, sig; 2034 bool ismesh = false; 2035 2036 memset(&iwe, 0, sizeof(iwe)); 2037 iwe.cmd = SIOCGIWAP; 2038 iwe.u.ap_addr.sa_family = ARPHRD_ETHER; 2039 memcpy(iwe.u.ap_addr.sa_data, bss->pub.bssid, ETH_ALEN); 2040 current_ev = iwe_stream_add_event_check(info, current_ev, end_buf, &iwe, 2041 IW_EV_ADDR_LEN); 2042 if (IS_ERR(current_ev)) 2043 return current_ev; 2044 2045 memset(&iwe, 0, sizeof(iwe)); 2046 iwe.cmd = SIOCGIWFREQ; 2047 iwe.u.freq.m = ieee80211_frequency_to_channel(bss->pub.channel->center_freq); 2048 iwe.u.freq.e = 0; 2049 current_ev = iwe_stream_add_event_check(info, current_ev, end_buf, &iwe, 2050 IW_EV_FREQ_LEN); 2051 if (IS_ERR(current_ev)) 2052 return current_ev; 2053 2054 memset(&iwe, 0, sizeof(iwe)); 2055 iwe.cmd = SIOCGIWFREQ; 2056 iwe.u.freq.m = bss->pub.channel->center_freq; 2057 iwe.u.freq.e = 6; 2058 current_ev = iwe_stream_add_event_check(info, current_ev, end_buf, &iwe, 2059 IW_EV_FREQ_LEN); 2060 if (IS_ERR(current_ev)) 2061 return current_ev; 2062 2063 if (wiphy->signal_type != CFG80211_SIGNAL_TYPE_NONE) { 2064 memset(&iwe, 0, sizeof(iwe)); 2065 iwe.cmd = IWEVQUAL; 2066 iwe.u.qual.updated = IW_QUAL_LEVEL_UPDATED | 2067 IW_QUAL_NOISE_INVALID | 2068 IW_QUAL_QUAL_UPDATED; 2069 switch (wiphy->signal_type) { 2070 case CFG80211_SIGNAL_TYPE_MBM: 2071 sig = bss->pub.signal / 100; 2072 iwe.u.qual.level = sig; 2073 iwe.u.qual.updated |= IW_QUAL_DBM; 2074 if (sig < -110) /* rather bad */ 2075 sig = -110; 2076 else if (sig > -40) /* perfect */ 2077 sig = -40; 2078 /* will give a range of 0 .. 70 */ 2079 iwe.u.qual.qual = sig + 110; 2080 break; 2081 case CFG80211_SIGNAL_TYPE_UNSPEC: 2082 iwe.u.qual.level = bss->pub.signal; 2083 /* will give range 0 .. 100 */ 2084 iwe.u.qual.qual = bss->pub.signal; 2085 break; 2086 default: 2087 /* not reached */ 2088 break; 2089 } 2090 current_ev = iwe_stream_add_event_check(info, current_ev, 2091 end_buf, &iwe, 2092 IW_EV_QUAL_LEN); 2093 if (IS_ERR(current_ev)) 2094 return current_ev; 2095 } 2096 2097 memset(&iwe, 0, sizeof(iwe)); 2098 iwe.cmd = SIOCGIWENCODE; 2099 if (bss->pub.capability & WLAN_CAPABILITY_PRIVACY) 2100 iwe.u.data.flags = IW_ENCODE_ENABLED | IW_ENCODE_NOKEY; 2101 else 2102 iwe.u.data.flags = IW_ENCODE_DISABLED; 2103 iwe.u.data.length = 0; 2104 current_ev = iwe_stream_add_point_check(info, current_ev, end_buf, 2105 &iwe, ""); 2106 if (IS_ERR(current_ev)) 2107 return current_ev; 2108 2109 rcu_read_lock(); 2110 ies = rcu_dereference(bss->pub.ies); 2111 rem = ies->len; 2112 ie = ies->data; 2113 2114 while (rem >= 2) { 2115 /* invalid data */ 2116 if (ie[1] > rem - 2) 2117 break; 2118 2119 switch (ie[0]) { 2120 case WLAN_EID_SSID: 2121 memset(&iwe, 0, sizeof(iwe)); 2122 iwe.cmd = SIOCGIWESSID; 2123 iwe.u.data.length = ie[1]; 2124 iwe.u.data.flags = 1; 2125 current_ev = iwe_stream_add_point_check(info, 2126 current_ev, 2127 end_buf, &iwe, 2128 (u8 *)ie + 2); 2129 if (IS_ERR(current_ev)) 2130 goto unlock; 2131 break; 2132 case WLAN_EID_MESH_ID: 2133 memset(&iwe, 0, sizeof(iwe)); 2134 iwe.cmd = SIOCGIWESSID; 2135 iwe.u.data.length = ie[1]; 2136 iwe.u.data.flags = 1; 2137 current_ev = iwe_stream_add_point_check(info, 2138 current_ev, 2139 end_buf, &iwe, 2140 (u8 *)ie + 2); 2141 if (IS_ERR(current_ev)) 2142 goto unlock; 2143 break; 2144 case WLAN_EID_MESH_CONFIG: 2145 ismesh = true; 2146 if (ie[1] != sizeof(struct ieee80211_meshconf_ie)) 2147 break; 2148 cfg = (u8 *)ie + 2; 2149 memset(&iwe, 0, sizeof(iwe)); 2150 iwe.cmd = IWEVCUSTOM; 2151 sprintf(buf, "Mesh Network Path Selection Protocol ID: " 2152 "0x%02X", cfg[0]); 2153 iwe.u.data.length = strlen(buf); 2154 current_ev = iwe_stream_add_point_check(info, 2155 current_ev, 2156 end_buf, 2157 &iwe, buf); 2158 if (IS_ERR(current_ev)) 2159 goto unlock; 2160 sprintf(buf, "Path Selection Metric ID: 0x%02X", 2161 cfg[1]); 2162 iwe.u.data.length = strlen(buf); 2163 current_ev = iwe_stream_add_point_check(info, 2164 current_ev, 2165 end_buf, 2166 &iwe, buf); 2167 if (IS_ERR(current_ev)) 2168 goto unlock; 2169 sprintf(buf, "Congestion Control Mode ID: 0x%02X", 2170 cfg[2]); 2171 iwe.u.data.length = strlen(buf); 2172 current_ev = iwe_stream_add_point_check(info, 2173 current_ev, 2174 end_buf, 2175 &iwe, buf); 2176 if (IS_ERR(current_ev)) 2177 goto unlock; 2178 sprintf(buf, "Synchronization ID: 0x%02X", cfg[3]); 2179 iwe.u.data.length = strlen(buf); 2180 current_ev = iwe_stream_add_point_check(info, 2181 current_ev, 2182 end_buf, 2183 &iwe, buf); 2184 if (IS_ERR(current_ev)) 2185 goto unlock; 2186 sprintf(buf, "Authentication ID: 0x%02X", cfg[4]); 2187 iwe.u.data.length = strlen(buf); 2188 current_ev = iwe_stream_add_point_check(info, 2189 current_ev, 2190 end_buf, 2191 &iwe, buf); 2192 if (IS_ERR(current_ev)) 2193 goto unlock; 2194 sprintf(buf, "Formation Info: 0x%02X", cfg[5]); 2195 iwe.u.data.length = strlen(buf); 2196 current_ev = iwe_stream_add_point_check(info, 2197 current_ev, 2198 end_buf, 2199 &iwe, buf); 2200 if (IS_ERR(current_ev)) 2201 goto unlock; 2202 sprintf(buf, "Capabilities: 0x%02X", cfg[6]); 2203 iwe.u.data.length = strlen(buf); 2204 current_ev = iwe_stream_add_point_check(info, 2205 current_ev, 2206 end_buf, 2207 &iwe, buf); 2208 if (IS_ERR(current_ev)) 2209 goto unlock; 2210 break; 2211 case WLAN_EID_SUPP_RATES: 2212 case WLAN_EID_EXT_SUPP_RATES: 2213 /* display all supported rates in readable format */ 2214 p = current_ev + iwe_stream_lcp_len(info); 2215 2216 memset(&iwe, 0, sizeof(iwe)); 2217 iwe.cmd = SIOCGIWRATE; 2218 /* Those two flags are ignored... */ 2219 iwe.u.bitrate.fixed = iwe.u.bitrate.disabled = 0; 2220 2221 for (i = 0; i < ie[1]; i++) { 2222 iwe.u.bitrate.value = 2223 ((ie[i + 2] & 0x7f) * 500000); 2224 tmp = p; 2225 p = iwe_stream_add_value(info, current_ev, p, 2226 end_buf, &iwe, 2227 IW_EV_PARAM_LEN); 2228 if (p == tmp) { 2229 current_ev = ERR_PTR(-E2BIG); 2230 goto unlock; 2231 } 2232 } 2233 current_ev = p; 2234 break; 2235 } 2236 rem -= ie[1] + 2; 2237 ie += ie[1] + 2; 2238 } 2239 2240 if (bss->pub.capability & (WLAN_CAPABILITY_ESS | WLAN_CAPABILITY_IBSS) || 2241 ismesh) { 2242 memset(&iwe, 0, sizeof(iwe)); 2243 iwe.cmd = SIOCGIWMODE; 2244 if (ismesh) 2245 iwe.u.mode = IW_MODE_MESH; 2246 else if (bss->pub.capability & WLAN_CAPABILITY_ESS) 2247 iwe.u.mode = IW_MODE_MASTER; 2248 else 2249 iwe.u.mode = IW_MODE_ADHOC; 2250 current_ev = iwe_stream_add_event_check(info, current_ev, 2251 end_buf, &iwe, 2252 IW_EV_UINT_LEN); 2253 if (IS_ERR(current_ev)) 2254 goto unlock; 2255 } 2256 2257 memset(&iwe, 0, sizeof(iwe)); 2258 iwe.cmd = IWEVCUSTOM; 2259 sprintf(buf, "tsf=%016llx", (unsigned long long)(ies->tsf)); 2260 iwe.u.data.length = strlen(buf); 2261 current_ev = iwe_stream_add_point_check(info, current_ev, end_buf, 2262 &iwe, buf); 2263 if (IS_ERR(current_ev)) 2264 goto unlock; 2265 memset(&iwe, 0, sizeof(iwe)); 2266 iwe.cmd = IWEVCUSTOM; 2267 sprintf(buf, " Last beacon: %ums ago", 2268 elapsed_jiffies_msecs(bss->ts)); 2269 iwe.u.data.length = strlen(buf); 2270 current_ev = iwe_stream_add_point_check(info, current_ev, 2271 end_buf, &iwe, buf); 2272 if (IS_ERR(current_ev)) 2273 goto unlock; 2274 2275 current_ev = ieee80211_scan_add_ies(info, ies, current_ev, end_buf); 2276 2277 unlock: 2278 rcu_read_unlock(); 2279 return current_ev; 2280 } 2281 2282 2283 static int ieee80211_scan_results(struct cfg80211_registered_device *rdev, 2284 struct iw_request_info *info, 2285 char *buf, size_t len) 2286 { 2287 char *current_ev = buf; 2288 char *end_buf = buf + len; 2289 struct cfg80211_internal_bss *bss; 2290 int err = 0; 2291 2292 spin_lock_bh(&rdev->bss_lock); 2293 cfg80211_bss_expire(rdev); 2294 2295 list_for_each_entry(bss, &rdev->bss_list, list) { 2296 if (buf + len - current_ev <= IW_EV_ADDR_LEN) { 2297 err = -E2BIG; 2298 break; 2299 } 2300 current_ev = ieee80211_bss(&rdev->wiphy, info, bss, 2301 current_ev, end_buf); 2302 if (IS_ERR(current_ev)) { 2303 err = PTR_ERR(current_ev); 2304 break; 2305 } 2306 } 2307 spin_unlock_bh(&rdev->bss_lock); 2308 2309 if (err) 2310 return err; 2311 return current_ev - buf; 2312 } 2313 2314 2315 int cfg80211_wext_giwscan(struct net_device *dev, 2316 struct iw_request_info *info, 2317 struct iw_point *data, char *extra) 2318 { 2319 struct cfg80211_registered_device *rdev; 2320 int res; 2321 2322 if (!netif_running(dev)) 2323 return -ENETDOWN; 2324 2325 rdev = cfg80211_get_dev_from_ifindex(dev_net(dev), dev->ifindex); 2326 2327 if (IS_ERR(rdev)) 2328 return PTR_ERR(rdev); 2329 2330 if (rdev->scan_req || rdev->scan_msg) 2331 return -EAGAIN; 2332 2333 res = ieee80211_scan_results(rdev, info, extra, data->length); 2334 data->length = 0; 2335 if (res >= 0) { 2336 data->length = res; 2337 res = 0; 2338 } 2339 2340 return res; 2341 } 2342 EXPORT_WEXT_HANDLER(cfg80211_wext_giwscan); 2343 #endif 2344