1 // SPDX-License-Identifier: GPL-2.0 2 /* 3 * cfg80211 scan result handling 4 * 5 * Copyright 2008 Johannes Berg <johannes@sipsolutions.net> 6 * Copyright 2013-2014 Intel Mobile Communications GmbH 7 * Copyright 2016 Intel Deutschland GmbH 8 * Copyright (C) 2018-2024 Intel Corporation 9 */ 10 #include <linux/kernel.h> 11 #include <linux/slab.h> 12 #include <linux/module.h> 13 #include <linux/netdevice.h> 14 #include <linux/wireless.h> 15 #include <linux/nl80211.h> 16 #include <linux/etherdevice.h> 17 #include <linux/crc32.h> 18 #include <linux/bitfield.h> 19 #include <net/arp.h> 20 #include <net/cfg80211.h> 21 #include <net/cfg80211-wext.h> 22 #include <net/iw_handler.h> 23 #include <kunit/visibility.h> 24 #include "core.h" 25 #include "nl80211.h" 26 #include "wext-compat.h" 27 #include "rdev-ops.h" 28 29 /** 30 * DOC: BSS tree/list structure 31 * 32 * At the top level, the BSS list is kept in both a list in each 33 * registered device (@bss_list) as well as an RB-tree for faster 34 * lookup. In the RB-tree, entries can be looked up using their 35 * channel, MESHID, MESHCONF (for MBSSes) or channel, BSSID, SSID 36 * for other BSSes. 37 * 38 * Due to the possibility of hidden SSIDs, there's a second level 39 * structure, the "hidden_list" and "hidden_beacon_bss" pointer. 40 * The hidden_list connects all BSSes belonging to a single AP 41 * that has a hidden SSID, and connects beacon and probe response 42 * entries. For a probe response entry for a hidden SSID, the 43 * hidden_beacon_bss pointer points to the BSS struct holding the 44 * beacon's information. 45 * 46 * Reference counting is done for all these references except for 47 * the hidden_list, so that a beacon BSS struct that is otherwise 48 * not referenced has one reference for being on the bss_list and 49 * one for each probe response entry that points to it using the 50 * hidden_beacon_bss pointer. When a BSS struct that has such a 51 * pointer is get/put, the refcount update is also propagated to 52 * the referenced struct, this ensure that it cannot get removed 53 * while somebody is using the probe response version. 54 * 55 * Note that the hidden_beacon_bss pointer never changes, due to 56 * the reference counting. Therefore, no locking is needed for 57 * it. 58 * 59 * Also note that the hidden_beacon_bss pointer is only relevant 60 * if the driver uses something other than the IEs, e.g. private 61 * data stored in the BSS struct, since the beacon IEs are 62 * also linked into the probe response struct. 63 */ 64 65 /* 66 * Limit the number of BSS entries stored in mac80211. Each one is 67 * a bit over 4k at most, so this limits to roughly 4-5M of memory. 68 * If somebody wants to really attack this though, they'd likely 69 * use small beacons, and only one type of frame, limiting each of 70 * the entries to a much smaller size (in order to generate more 71 * entries in total, so overhead is bigger.) 72 */ 73 static int bss_entries_limit = 1000; 74 module_param(bss_entries_limit, int, 0644); 75 MODULE_PARM_DESC(bss_entries_limit, 76 "limit to number of scan BSS entries (per wiphy, default 1000)"); 77 78 #define IEEE80211_SCAN_RESULT_EXPIRE (30 * HZ) 79 80 static void bss_free(struct cfg80211_internal_bss *bss) 81 { 82 struct cfg80211_bss_ies *ies; 83 84 if (WARN_ON(atomic_read(&bss->hold))) 85 return; 86 87 ies = (void *)rcu_access_pointer(bss->pub.beacon_ies); 88 if (ies && !bss->pub.hidden_beacon_bss) 89 kfree_rcu(ies, rcu_head); 90 ies = (void *)rcu_access_pointer(bss->pub.proberesp_ies); 91 if (ies) 92 kfree_rcu(ies, rcu_head); 93 94 /* 95 * This happens when the module is removed, it doesn't 96 * really matter any more save for completeness 97 */ 98 if (!list_empty(&bss->hidden_list)) 99 list_del(&bss->hidden_list); 100 101 kfree(bss); 102 } 103 104 static inline void bss_ref_get(struct cfg80211_registered_device *rdev, 105 struct cfg80211_internal_bss *bss) 106 { 107 lockdep_assert_held(&rdev->bss_lock); 108 109 bss->refcount++; 110 111 if (bss->pub.hidden_beacon_bss) 112 bss_from_pub(bss->pub.hidden_beacon_bss)->refcount++; 113 114 if (bss->pub.transmitted_bss) 115 bss_from_pub(bss->pub.transmitted_bss)->refcount++; 116 } 117 118 static inline void bss_ref_put(struct cfg80211_registered_device *rdev, 119 struct cfg80211_internal_bss *bss) 120 { 121 lockdep_assert_held(&rdev->bss_lock); 122 123 if (bss->pub.hidden_beacon_bss) { 124 struct cfg80211_internal_bss *hbss; 125 126 hbss = bss_from_pub(bss->pub.hidden_beacon_bss); 127 hbss->refcount--; 128 if (hbss->refcount == 0) 129 bss_free(hbss); 130 } 131 132 if (bss->pub.transmitted_bss) { 133 struct cfg80211_internal_bss *tbss; 134 135 tbss = bss_from_pub(bss->pub.transmitted_bss); 136 tbss->refcount--; 137 if (tbss->refcount == 0) 138 bss_free(tbss); 139 } 140 141 bss->refcount--; 142 if (bss->refcount == 0) 143 bss_free(bss); 144 } 145 146 static bool __cfg80211_unlink_bss(struct cfg80211_registered_device *rdev, 147 struct cfg80211_internal_bss *bss) 148 { 149 lockdep_assert_held(&rdev->bss_lock); 150 151 if (!list_empty(&bss->hidden_list)) { 152 /* 153 * don't remove the beacon entry if it has 154 * probe responses associated with it 155 */ 156 if (!bss->pub.hidden_beacon_bss) 157 return false; 158 /* 159 * if it's a probe response entry break its 160 * link to the other entries in the group 161 */ 162 list_del_init(&bss->hidden_list); 163 } 164 165 list_del_init(&bss->list); 166 list_del_init(&bss->pub.nontrans_list); 167 rb_erase(&bss->rbn, &rdev->bss_tree); 168 rdev->bss_entries--; 169 WARN_ONCE((rdev->bss_entries == 0) ^ list_empty(&rdev->bss_list), 170 "rdev bss entries[%d]/list[empty:%d] corruption\n", 171 rdev->bss_entries, list_empty(&rdev->bss_list)); 172 bss_ref_put(rdev, bss); 173 return true; 174 } 175 176 bool cfg80211_is_element_inherited(const struct element *elem, 177 const struct element *non_inherit_elem) 178 { 179 u8 id_len, ext_id_len, i, loop_len, id; 180 const u8 *list; 181 182 if (elem->id == WLAN_EID_MULTIPLE_BSSID) 183 return false; 184 185 if (elem->id == WLAN_EID_EXTENSION && elem->datalen > 1 && 186 elem->data[0] == WLAN_EID_EXT_EHT_MULTI_LINK) 187 return false; 188 189 if (!non_inherit_elem || non_inherit_elem->datalen < 2) 190 return true; 191 192 /* 193 * non inheritance element format is: 194 * ext ID (56) | IDs list len | list | extension IDs list len | list 195 * Both lists are optional. Both lengths are mandatory. 196 * This means valid length is: 197 * elem_len = 1 (extension ID) + 2 (list len fields) + list lengths 198 */ 199 id_len = non_inherit_elem->data[1]; 200 if (non_inherit_elem->datalen < 3 + id_len) 201 return true; 202 203 ext_id_len = non_inherit_elem->data[2 + id_len]; 204 if (non_inherit_elem->datalen < 3 + id_len + ext_id_len) 205 return true; 206 207 if (elem->id == WLAN_EID_EXTENSION) { 208 if (!ext_id_len) 209 return true; 210 loop_len = ext_id_len; 211 list = &non_inherit_elem->data[3 + id_len]; 212 id = elem->data[0]; 213 } else { 214 if (!id_len) 215 return true; 216 loop_len = id_len; 217 list = &non_inherit_elem->data[2]; 218 id = elem->id; 219 } 220 221 for (i = 0; i < loop_len; i++) { 222 if (list[i] == id) 223 return false; 224 } 225 226 return true; 227 } 228 EXPORT_SYMBOL(cfg80211_is_element_inherited); 229 230 static size_t cfg80211_copy_elem_with_frags(const struct element *elem, 231 const u8 *ie, size_t ie_len, 232 u8 **pos, u8 *buf, size_t buf_len) 233 { 234 if (WARN_ON((u8 *)elem < ie || elem->data > ie + ie_len || 235 elem->data + elem->datalen > ie + ie_len)) 236 return 0; 237 238 if (elem->datalen + 2 > buf + buf_len - *pos) 239 return 0; 240 241 memcpy(*pos, elem, elem->datalen + 2); 242 *pos += elem->datalen + 2; 243 244 /* Finish if it is not fragmented */ 245 if (elem->datalen != 255) 246 return *pos - buf; 247 248 ie_len = ie + ie_len - elem->data - elem->datalen; 249 ie = (const u8 *)elem->data + elem->datalen; 250 251 for_each_element(elem, ie, ie_len) { 252 if (elem->id != WLAN_EID_FRAGMENT) 253 break; 254 255 if (elem->datalen + 2 > buf + buf_len - *pos) 256 return 0; 257 258 memcpy(*pos, elem, elem->datalen + 2); 259 *pos += elem->datalen + 2; 260 261 if (elem->datalen != 255) 262 break; 263 } 264 265 return *pos - buf; 266 } 267 268 VISIBLE_IF_CFG80211_KUNIT size_t 269 cfg80211_gen_new_ie(const u8 *ie, size_t ielen, 270 const u8 *subie, size_t subie_len, 271 u8 *new_ie, size_t new_ie_len) 272 { 273 const struct element *non_inherit_elem, *parent, *sub; 274 u8 *pos = new_ie; 275 const u8 *mbssid_index_ie; 276 u8 id, ext_id, bssid_index = 255; 277 unsigned int match_len; 278 279 non_inherit_elem = cfg80211_find_ext_elem(WLAN_EID_EXT_NON_INHERITANCE, 280 subie, subie_len); 281 282 mbssid_index_ie = cfg80211_find_ie(WLAN_EID_MULTI_BSSID_IDX, subie, 283 subie_len); 284 if (mbssid_index_ie && mbssid_index_ie[1] > 0 && 285 mbssid_index_ie[2] > 0 && mbssid_index_ie[2] <= 46) 286 bssid_index = mbssid_index_ie[2]; 287 288 /* We copy the elements one by one from the parent to the generated 289 * elements. 290 * If they are not inherited (included in subie or in the non 291 * inheritance element), then we copy all occurrences the first time 292 * we see this element type. 293 */ 294 for_each_element(parent, ie, ielen) { 295 if (parent->id == WLAN_EID_FRAGMENT) 296 continue; 297 298 if (parent->id == WLAN_EID_EXTENSION) { 299 if (parent->datalen < 1) 300 continue; 301 302 id = WLAN_EID_EXTENSION; 303 ext_id = parent->data[0]; 304 match_len = 1; 305 } else { 306 id = parent->id; 307 match_len = 0; 308 } 309 310 /* Find first occurrence in subie */ 311 sub = cfg80211_find_elem_match(id, subie, subie_len, 312 &ext_id, match_len, 0); 313 314 /* Copy from parent if not in subie and inherited */ 315 if (!sub && 316 cfg80211_is_element_inherited(parent, non_inherit_elem)) { 317 if (!cfg80211_copy_elem_with_frags(parent, 318 ie, ielen, 319 &pos, new_ie, 320 new_ie_len)) 321 return 0; 322 323 continue; 324 } 325 326 /* For ML probe response, match the MLE in the frame body with 327 * MLD id being 'bssid_index' 328 */ 329 if (parent->id == WLAN_EID_EXTENSION && parent->datalen > 1 && 330 parent->data[0] == WLAN_EID_EXT_EHT_MULTI_LINK && 331 bssid_index == ieee80211_mle_get_mld_id(parent->data + 1)) { 332 if (!cfg80211_copy_elem_with_frags(parent, 333 ie, ielen, 334 &pos, new_ie, 335 new_ie_len)) 336 return 0; 337 338 /* Continue here to prevent processing the MLE in 339 * sub-element, which AP MLD should not carry 340 */ 341 continue; 342 } 343 344 /* Already copied if an earlier element had the same type */ 345 if (cfg80211_find_elem_match(id, ie, (u8 *)parent - ie, 346 &ext_id, match_len, 0)) 347 continue; 348 349 /* Not inheriting, copy all similar elements from subie */ 350 while (sub) { 351 if (!cfg80211_copy_elem_with_frags(sub, 352 subie, subie_len, 353 &pos, new_ie, 354 new_ie_len)) 355 return 0; 356 357 sub = cfg80211_find_elem_match(id, 358 sub->data + sub->datalen, 359 subie_len + subie - 360 (sub->data + 361 sub->datalen), 362 &ext_id, match_len, 0); 363 } 364 } 365 366 /* The above misses elements that are included in subie but not in the 367 * parent, so do a pass over subie and append those. 368 * Skip the non-tx BSSID caps and non-inheritance element. 369 */ 370 for_each_element(sub, subie, subie_len) { 371 if (sub->id == WLAN_EID_NON_TX_BSSID_CAP) 372 continue; 373 374 if (sub->id == WLAN_EID_FRAGMENT) 375 continue; 376 377 if (sub->id == WLAN_EID_EXTENSION) { 378 if (sub->datalen < 1) 379 continue; 380 381 id = WLAN_EID_EXTENSION; 382 ext_id = sub->data[0]; 383 match_len = 1; 384 385 if (ext_id == WLAN_EID_EXT_NON_INHERITANCE) 386 continue; 387 } else { 388 id = sub->id; 389 match_len = 0; 390 } 391 392 /* Processed if one was included in the parent */ 393 if (cfg80211_find_elem_match(id, ie, ielen, 394 &ext_id, match_len, 0)) 395 continue; 396 397 if (!cfg80211_copy_elem_with_frags(sub, subie, subie_len, 398 &pos, new_ie, new_ie_len)) 399 return 0; 400 } 401 402 return pos - new_ie; 403 } 404 EXPORT_SYMBOL_IF_CFG80211_KUNIT(cfg80211_gen_new_ie); 405 406 static bool is_bss(struct cfg80211_bss *a, const u8 *bssid, 407 const u8 *ssid, size_t ssid_len) 408 { 409 const struct cfg80211_bss_ies *ies; 410 const struct element *ssid_elem; 411 412 if (bssid && !ether_addr_equal(a->bssid, bssid)) 413 return false; 414 415 if (!ssid) 416 return true; 417 418 ies = rcu_access_pointer(a->ies); 419 if (!ies) 420 return false; 421 ssid_elem = cfg80211_find_elem(WLAN_EID_SSID, ies->data, ies->len); 422 if (!ssid_elem) 423 return false; 424 if (ssid_elem->datalen != ssid_len) 425 return false; 426 return memcmp(ssid_elem->data, ssid, ssid_len) == 0; 427 } 428 429 static int 430 cfg80211_add_nontrans_list(struct cfg80211_bss *trans_bss, 431 struct cfg80211_bss *nontrans_bss) 432 { 433 const struct element *ssid_elem; 434 struct cfg80211_bss *bss = NULL; 435 436 rcu_read_lock(); 437 ssid_elem = ieee80211_bss_get_elem(nontrans_bss, WLAN_EID_SSID); 438 if (!ssid_elem) { 439 rcu_read_unlock(); 440 return -EINVAL; 441 } 442 443 /* check if nontrans_bss is in the list */ 444 list_for_each_entry(bss, &trans_bss->nontrans_list, nontrans_list) { 445 if (is_bss(bss, nontrans_bss->bssid, ssid_elem->data, 446 ssid_elem->datalen)) { 447 rcu_read_unlock(); 448 return 0; 449 } 450 } 451 452 rcu_read_unlock(); 453 454 /* 455 * This is a bit weird - it's not on the list, but already on another 456 * one! The only way that could happen is if there's some BSSID/SSID 457 * shared by multiple APs in their multi-BSSID profiles, potentially 458 * with hidden SSID mixed in ... ignore it. 459 */ 460 if (!list_empty(&nontrans_bss->nontrans_list)) 461 return -EINVAL; 462 463 /* add to the list */ 464 list_add_tail(&nontrans_bss->nontrans_list, &trans_bss->nontrans_list); 465 return 0; 466 } 467 468 static void __cfg80211_bss_expire(struct cfg80211_registered_device *rdev, 469 unsigned long expire_time) 470 { 471 struct cfg80211_internal_bss *bss, *tmp; 472 bool expired = false; 473 474 lockdep_assert_held(&rdev->bss_lock); 475 476 list_for_each_entry_safe(bss, tmp, &rdev->bss_list, list) { 477 if (atomic_read(&bss->hold)) 478 continue; 479 if (!time_after(expire_time, bss->ts)) 480 continue; 481 482 if (__cfg80211_unlink_bss(rdev, bss)) 483 expired = true; 484 } 485 486 if (expired) 487 rdev->bss_generation++; 488 } 489 490 static bool cfg80211_bss_expire_oldest(struct cfg80211_registered_device *rdev) 491 { 492 struct cfg80211_internal_bss *bss, *oldest = NULL; 493 bool ret; 494 495 lockdep_assert_held(&rdev->bss_lock); 496 497 list_for_each_entry(bss, &rdev->bss_list, list) { 498 if (atomic_read(&bss->hold)) 499 continue; 500 501 if (!list_empty(&bss->hidden_list) && 502 !bss->pub.hidden_beacon_bss) 503 continue; 504 505 if (oldest && time_before(oldest->ts, bss->ts)) 506 continue; 507 oldest = bss; 508 } 509 510 if (WARN_ON(!oldest)) 511 return false; 512 513 /* 514 * The callers make sure to increase rdev->bss_generation if anything 515 * gets removed (and a new entry added), so there's no need to also do 516 * it here. 517 */ 518 519 ret = __cfg80211_unlink_bss(rdev, oldest); 520 WARN_ON(!ret); 521 return ret; 522 } 523 524 static u8 cfg80211_parse_bss_param(u8 data, 525 struct cfg80211_colocated_ap *coloc_ap) 526 { 527 coloc_ap->oct_recommended = 528 u8_get_bits(data, IEEE80211_RNR_TBTT_PARAMS_OCT_RECOMMENDED); 529 coloc_ap->same_ssid = 530 u8_get_bits(data, IEEE80211_RNR_TBTT_PARAMS_SAME_SSID); 531 coloc_ap->multi_bss = 532 u8_get_bits(data, IEEE80211_RNR_TBTT_PARAMS_MULTI_BSSID); 533 coloc_ap->transmitted_bssid = 534 u8_get_bits(data, IEEE80211_RNR_TBTT_PARAMS_TRANSMITTED_BSSID); 535 coloc_ap->unsolicited_probe = 536 u8_get_bits(data, IEEE80211_RNR_TBTT_PARAMS_PROBE_ACTIVE); 537 coloc_ap->colocated_ess = 538 u8_get_bits(data, IEEE80211_RNR_TBTT_PARAMS_COLOC_ESS); 539 540 return u8_get_bits(data, IEEE80211_RNR_TBTT_PARAMS_COLOC_AP); 541 } 542 543 static int cfg80211_calc_short_ssid(const struct cfg80211_bss_ies *ies, 544 const struct element **elem, u32 *s_ssid) 545 { 546 547 *elem = cfg80211_find_elem(WLAN_EID_SSID, ies->data, ies->len); 548 if (!*elem || (*elem)->datalen > IEEE80211_MAX_SSID_LEN) 549 return -EINVAL; 550 551 *s_ssid = ~crc32_le(~0, (*elem)->data, (*elem)->datalen); 552 return 0; 553 } 554 555 VISIBLE_IF_CFG80211_KUNIT void 556 cfg80211_free_coloc_ap_list(struct list_head *coloc_ap_list) 557 { 558 struct cfg80211_colocated_ap *ap, *tmp_ap; 559 560 list_for_each_entry_safe(ap, tmp_ap, coloc_ap_list, list) { 561 list_del(&ap->list); 562 kfree(ap); 563 } 564 } 565 EXPORT_SYMBOL_IF_CFG80211_KUNIT(cfg80211_free_coloc_ap_list); 566 567 static int cfg80211_parse_ap_info(struct cfg80211_colocated_ap *entry, 568 const u8 *pos, u8 length, 569 const struct element *ssid_elem, 570 u32 s_ssid_tmp) 571 { 572 u8 bss_params; 573 574 entry->psd_20 = IEEE80211_RNR_TBTT_PARAMS_PSD_RESERVED; 575 576 /* The length is already verified by the caller to contain bss_params */ 577 if (length > sizeof(struct ieee80211_tbtt_info_7_8_9)) { 578 struct ieee80211_tbtt_info_ge_11 *tbtt_info = (void *)pos; 579 580 memcpy(entry->bssid, tbtt_info->bssid, ETH_ALEN); 581 entry->short_ssid = le32_to_cpu(tbtt_info->short_ssid); 582 entry->short_ssid_valid = true; 583 584 bss_params = tbtt_info->bss_params; 585 586 /* Ignore disabled links */ 587 if (length >= offsetofend(typeof(*tbtt_info), mld_params)) { 588 if (le16_get_bits(tbtt_info->mld_params.params, 589 IEEE80211_RNR_MLD_PARAMS_DISABLED_LINK)) 590 return -EINVAL; 591 } 592 593 if (length >= offsetofend(struct ieee80211_tbtt_info_ge_11, 594 psd_20)) 595 entry->psd_20 = tbtt_info->psd_20; 596 } else { 597 struct ieee80211_tbtt_info_7_8_9 *tbtt_info = (void *)pos; 598 599 memcpy(entry->bssid, tbtt_info->bssid, ETH_ALEN); 600 601 bss_params = tbtt_info->bss_params; 602 603 if (length == offsetofend(struct ieee80211_tbtt_info_7_8_9, 604 psd_20)) 605 entry->psd_20 = tbtt_info->psd_20; 606 } 607 608 /* ignore entries with invalid BSSID */ 609 if (!is_valid_ether_addr(entry->bssid)) 610 return -EINVAL; 611 612 /* skip non colocated APs */ 613 if (!cfg80211_parse_bss_param(bss_params, entry)) 614 return -EINVAL; 615 616 /* no information about the short ssid. Consider the entry valid 617 * for now. It would later be dropped in case there are explicit 618 * SSIDs that need to be matched 619 */ 620 if (!entry->same_ssid && !entry->short_ssid_valid) 621 return 0; 622 623 if (entry->same_ssid) { 624 entry->short_ssid = s_ssid_tmp; 625 entry->short_ssid_valid = true; 626 627 /* 628 * This is safe because we validate datalen in 629 * cfg80211_parse_colocated_ap(), before calling this 630 * function. 631 */ 632 memcpy(&entry->ssid, &ssid_elem->data, ssid_elem->datalen); 633 entry->ssid_len = ssid_elem->datalen; 634 } 635 636 return 0; 637 } 638 639 bool cfg80211_iter_rnr(const u8 *elems, size_t elems_len, 640 enum cfg80211_rnr_iter_ret 641 (*iter)(void *data, u8 type, 642 const struct ieee80211_neighbor_ap_info *info, 643 const u8 *tbtt_info, u8 tbtt_info_len), 644 void *iter_data) 645 { 646 const struct element *rnr; 647 const u8 *pos, *end; 648 649 for_each_element_id(rnr, WLAN_EID_REDUCED_NEIGHBOR_REPORT, 650 elems, elems_len) { 651 const struct ieee80211_neighbor_ap_info *info; 652 653 pos = rnr->data; 654 end = rnr->data + rnr->datalen; 655 656 /* RNR IE may contain more than one NEIGHBOR_AP_INFO */ 657 while (sizeof(*info) <= end - pos) { 658 u8 length, i, count; 659 u8 type; 660 661 info = (void *)pos; 662 count = u8_get_bits(info->tbtt_info_hdr, 663 IEEE80211_AP_INFO_TBTT_HDR_COUNT) + 664 1; 665 length = info->tbtt_info_len; 666 667 pos += sizeof(*info); 668 669 if (count * length > end - pos) 670 return false; 671 672 type = u8_get_bits(info->tbtt_info_hdr, 673 IEEE80211_AP_INFO_TBTT_HDR_TYPE); 674 675 for (i = 0; i < count; i++) { 676 switch (iter(iter_data, type, info, 677 pos, length)) { 678 case RNR_ITER_CONTINUE: 679 break; 680 case RNR_ITER_BREAK: 681 return true; 682 case RNR_ITER_ERROR: 683 return false; 684 } 685 686 pos += length; 687 } 688 } 689 690 if (pos != end) 691 return false; 692 } 693 694 return true; 695 } 696 EXPORT_SYMBOL_GPL(cfg80211_iter_rnr); 697 698 struct colocated_ap_data { 699 const struct element *ssid_elem; 700 struct list_head ap_list; 701 u32 s_ssid_tmp; 702 int n_coloc; 703 }; 704 705 static enum cfg80211_rnr_iter_ret 706 cfg80211_parse_colocated_ap_iter(void *_data, u8 type, 707 const struct ieee80211_neighbor_ap_info *info, 708 const u8 *tbtt_info, u8 tbtt_info_len) 709 { 710 struct colocated_ap_data *data = _data; 711 struct cfg80211_colocated_ap *entry; 712 enum nl80211_band band; 713 714 if (type != IEEE80211_TBTT_INFO_TYPE_TBTT) 715 return RNR_ITER_CONTINUE; 716 717 if (!ieee80211_operating_class_to_band(info->op_class, &band)) 718 return RNR_ITER_CONTINUE; 719 720 /* TBTT info must include bss param + BSSID + (short SSID or 721 * same_ssid bit to be set). Ignore other options, and move to 722 * the next AP info 723 */ 724 if (band != NL80211_BAND_6GHZ || 725 !(tbtt_info_len == offsetofend(struct ieee80211_tbtt_info_7_8_9, 726 bss_params) || 727 tbtt_info_len == sizeof(struct ieee80211_tbtt_info_7_8_9) || 728 tbtt_info_len >= offsetofend(struct ieee80211_tbtt_info_ge_11, 729 bss_params))) 730 return RNR_ITER_CONTINUE; 731 732 entry = kzalloc(sizeof(*entry), GFP_ATOMIC); 733 if (!entry) 734 return RNR_ITER_ERROR; 735 736 entry->center_freq = 737 ieee80211_channel_to_frequency(info->channel, band); 738 739 if (!cfg80211_parse_ap_info(entry, tbtt_info, tbtt_info_len, 740 data->ssid_elem, data->s_ssid_tmp)) { 741 struct cfg80211_colocated_ap *tmp; 742 743 /* Don't add duplicate BSSIDs on the same channel. */ 744 list_for_each_entry(tmp, &data->ap_list, list) { 745 if (ether_addr_equal(tmp->bssid, entry->bssid) && 746 tmp->center_freq == entry->center_freq) { 747 kfree(entry); 748 return RNR_ITER_CONTINUE; 749 } 750 } 751 752 data->n_coloc++; 753 list_add_tail(&entry->list, &data->ap_list); 754 } else { 755 kfree(entry); 756 } 757 758 return RNR_ITER_CONTINUE; 759 } 760 761 VISIBLE_IF_CFG80211_KUNIT int 762 cfg80211_parse_colocated_ap(const struct cfg80211_bss_ies *ies, 763 struct list_head *list) 764 { 765 struct colocated_ap_data data = {}; 766 int ret; 767 768 INIT_LIST_HEAD(&data.ap_list); 769 770 ret = cfg80211_calc_short_ssid(ies, &data.ssid_elem, &data.s_ssid_tmp); 771 if (ret) 772 return 0; 773 774 if (!cfg80211_iter_rnr(ies->data, ies->len, 775 cfg80211_parse_colocated_ap_iter, &data)) { 776 cfg80211_free_coloc_ap_list(&data.ap_list); 777 return 0; 778 } 779 780 list_splice_tail(&data.ap_list, list); 781 return data.n_coloc; 782 } 783 EXPORT_SYMBOL_IF_CFG80211_KUNIT(cfg80211_parse_colocated_ap); 784 785 static void cfg80211_scan_req_add_chan(struct cfg80211_scan_request *request, 786 struct ieee80211_channel *chan, 787 bool add_to_6ghz) 788 { 789 int i; 790 u32 n_channels = request->n_channels; 791 struct cfg80211_scan_6ghz_params *params = 792 &request->scan_6ghz_params[request->n_6ghz_params]; 793 794 for (i = 0; i < n_channels; i++) { 795 if (request->channels[i] == chan) { 796 if (add_to_6ghz) 797 params->channel_idx = i; 798 return; 799 } 800 } 801 802 request->n_channels++; 803 request->channels[n_channels] = chan; 804 if (add_to_6ghz) 805 request->scan_6ghz_params[request->n_6ghz_params].channel_idx = 806 n_channels; 807 } 808 809 static bool cfg80211_find_ssid_match(struct cfg80211_colocated_ap *ap, 810 struct cfg80211_scan_request *request) 811 { 812 int i; 813 u32 s_ssid; 814 815 for (i = 0; i < request->n_ssids; i++) { 816 /* wildcard ssid in the scan request */ 817 if (!request->ssids[i].ssid_len) { 818 if (ap->multi_bss && !ap->transmitted_bssid) 819 continue; 820 821 return true; 822 } 823 824 if (ap->ssid_len && 825 ap->ssid_len == request->ssids[i].ssid_len) { 826 if (!memcmp(request->ssids[i].ssid, ap->ssid, 827 ap->ssid_len)) 828 return true; 829 } else if (ap->short_ssid_valid) { 830 s_ssid = ~crc32_le(~0, request->ssids[i].ssid, 831 request->ssids[i].ssid_len); 832 833 if (ap->short_ssid == s_ssid) 834 return true; 835 } 836 } 837 838 return false; 839 } 840 841 static int cfg80211_scan_6ghz(struct cfg80211_registered_device *rdev) 842 { 843 u8 i; 844 struct cfg80211_colocated_ap *ap; 845 int n_channels, count = 0, err; 846 struct cfg80211_scan_request *request, *rdev_req = rdev->scan_req; 847 LIST_HEAD(coloc_ap_list); 848 bool need_scan_psc = true; 849 const struct ieee80211_sband_iftype_data *iftd; 850 size_t size, offs_ssids, offs_6ghz_params, offs_ies; 851 852 rdev_req->scan_6ghz = true; 853 854 if (!rdev->wiphy.bands[NL80211_BAND_6GHZ]) 855 return -EOPNOTSUPP; 856 857 iftd = ieee80211_get_sband_iftype_data(rdev->wiphy.bands[NL80211_BAND_6GHZ], 858 rdev_req->wdev->iftype); 859 if (!iftd || !iftd->he_cap.has_he) 860 return -EOPNOTSUPP; 861 862 n_channels = rdev->wiphy.bands[NL80211_BAND_6GHZ]->n_channels; 863 864 if (rdev_req->flags & NL80211_SCAN_FLAG_COLOCATED_6GHZ) { 865 struct cfg80211_internal_bss *intbss; 866 867 spin_lock_bh(&rdev->bss_lock); 868 list_for_each_entry(intbss, &rdev->bss_list, list) { 869 struct cfg80211_bss *res = &intbss->pub; 870 const struct cfg80211_bss_ies *ies; 871 const struct element *ssid_elem; 872 struct cfg80211_colocated_ap *entry; 873 u32 s_ssid_tmp; 874 int ret; 875 876 ies = rcu_access_pointer(res->ies); 877 count += cfg80211_parse_colocated_ap(ies, 878 &coloc_ap_list); 879 880 /* In case the scan request specified a specific BSSID 881 * and the BSS is found and operating on 6GHz band then 882 * add this AP to the collocated APs list. 883 * This is relevant for ML probe requests when the lower 884 * band APs have not been discovered. 885 */ 886 if (is_broadcast_ether_addr(rdev_req->bssid) || 887 !ether_addr_equal(rdev_req->bssid, res->bssid) || 888 res->channel->band != NL80211_BAND_6GHZ) 889 continue; 890 891 ret = cfg80211_calc_short_ssid(ies, &ssid_elem, 892 &s_ssid_tmp); 893 if (ret) 894 continue; 895 896 entry = kzalloc(sizeof(*entry), GFP_ATOMIC); 897 if (!entry) 898 continue; 899 900 memcpy(entry->bssid, res->bssid, ETH_ALEN); 901 entry->short_ssid = s_ssid_tmp; 902 memcpy(entry->ssid, ssid_elem->data, 903 ssid_elem->datalen); 904 entry->ssid_len = ssid_elem->datalen; 905 entry->short_ssid_valid = true; 906 entry->center_freq = res->channel->center_freq; 907 908 list_add_tail(&entry->list, &coloc_ap_list); 909 count++; 910 } 911 spin_unlock_bh(&rdev->bss_lock); 912 } 913 914 size = struct_size(request, channels, n_channels); 915 offs_ssids = size; 916 size += sizeof(*request->ssids) * rdev_req->n_ssids; 917 offs_6ghz_params = size; 918 size += sizeof(*request->scan_6ghz_params) * count; 919 offs_ies = size; 920 size += rdev_req->ie_len; 921 922 request = kzalloc(size, GFP_KERNEL); 923 if (!request) { 924 cfg80211_free_coloc_ap_list(&coloc_ap_list); 925 return -ENOMEM; 926 } 927 928 *request = *rdev_req; 929 request->n_channels = 0; 930 request->n_6ghz_params = 0; 931 if (rdev_req->n_ssids) { 932 /* 933 * Add the ssids from the parent scan request to the new 934 * scan request, so the driver would be able to use them 935 * in its probe requests to discover hidden APs on PSC 936 * channels. 937 */ 938 request->ssids = (void *)request + offs_ssids; 939 memcpy(request->ssids, rdev_req->ssids, 940 sizeof(*request->ssids) * request->n_ssids); 941 } 942 request->scan_6ghz_params = (void *)request + offs_6ghz_params; 943 944 if (rdev_req->ie_len) { 945 void *ie = (void *)request + offs_ies; 946 947 memcpy(ie, rdev_req->ie, rdev_req->ie_len); 948 request->ie = ie; 949 } 950 951 /* 952 * PSC channels should not be scanned in case of direct scan with 1 SSID 953 * and at least one of the reported co-located APs with same SSID 954 * indicating that all APs in the same ESS are co-located 955 */ 956 if (count && request->n_ssids == 1 && request->ssids[0].ssid_len) { 957 list_for_each_entry(ap, &coloc_ap_list, list) { 958 if (ap->colocated_ess && 959 cfg80211_find_ssid_match(ap, request)) { 960 need_scan_psc = false; 961 break; 962 } 963 } 964 } 965 966 /* 967 * add to the scan request the channels that need to be scanned 968 * regardless of the collocated APs (PSC channels or all channels 969 * in case that NL80211_SCAN_FLAG_COLOCATED_6GHZ is not set) 970 */ 971 for (i = 0; i < rdev_req->n_channels; i++) { 972 if (rdev_req->channels[i]->band == NL80211_BAND_6GHZ && 973 ((need_scan_psc && 974 cfg80211_channel_is_psc(rdev_req->channels[i])) || 975 !(rdev_req->flags & NL80211_SCAN_FLAG_COLOCATED_6GHZ))) { 976 cfg80211_scan_req_add_chan(request, 977 rdev_req->channels[i], 978 false); 979 } 980 } 981 982 if (!(rdev_req->flags & NL80211_SCAN_FLAG_COLOCATED_6GHZ)) 983 goto skip; 984 985 list_for_each_entry(ap, &coloc_ap_list, list) { 986 bool found = false; 987 struct cfg80211_scan_6ghz_params *scan_6ghz_params = 988 &request->scan_6ghz_params[request->n_6ghz_params]; 989 struct ieee80211_channel *chan = 990 ieee80211_get_channel(&rdev->wiphy, ap->center_freq); 991 992 if (!chan || chan->flags & IEEE80211_CHAN_DISABLED || 993 !cfg80211_wdev_channel_allowed(rdev_req->wdev, chan)) 994 continue; 995 996 for (i = 0; i < rdev_req->n_channels; i++) { 997 if (rdev_req->channels[i] == chan) 998 found = true; 999 } 1000 1001 if (!found) 1002 continue; 1003 1004 if (request->n_ssids > 0 && 1005 !cfg80211_find_ssid_match(ap, request)) 1006 continue; 1007 1008 if (!is_broadcast_ether_addr(request->bssid) && 1009 !ether_addr_equal(request->bssid, ap->bssid)) 1010 continue; 1011 1012 if (!request->n_ssids && ap->multi_bss && !ap->transmitted_bssid) 1013 continue; 1014 1015 cfg80211_scan_req_add_chan(request, chan, true); 1016 memcpy(scan_6ghz_params->bssid, ap->bssid, ETH_ALEN); 1017 scan_6ghz_params->short_ssid = ap->short_ssid; 1018 scan_6ghz_params->short_ssid_valid = ap->short_ssid_valid; 1019 scan_6ghz_params->unsolicited_probe = ap->unsolicited_probe; 1020 scan_6ghz_params->psd_20 = ap->psd_20; 1021 1022 /* 1023 * If a PSC channel is added to the scan and 'need_scan_psc' is 1024 * set to false, then all the APs that the scan logic is 1025 * interested with on the channel are collocated and thus there 1026 * is no need to perform the initial PSC channel listen. 1027 */ 1028 if (cfg80211_channel_is_psc(chan) && !need_scan_psc) 1029 scan_6ghz_params->psc_no_listen = true; 1030 1031 request->n_6ghz_params++; 1032 } 1033 1034 skip: 1035 cfg80211_free_coloc_ap_list(&coloc_ap_list); 1036 1037 if (request->n_channels) { 1038 struct cfg80211_scan_request *old = rdev->int_scan_req; 1039 1040 rdev->int_scan_req = request; 1041 1042 /* 1043 * If this scan follows a previous scan, save the scan start 1044 * info from the first part of the scan 1045 */ 1046 if (old) 1047 rdev->int_scan_req->info = old->info; 1048 1049 err = rdev_scan(rdev, request); 1050 if (err) { 1051 rdev->int_scan_req = old; 1052 kfree(request); 1053 } else { 1054 kfree(old); 1055 } 1056 1057 return err; 1058 } 1059 1060 kfree(request); 1061 return -EINVAL; 1062 } 1063 1064 int cfg80211_scan(struct cfg80211_registered_device *rdev) 1065 { 1066 struct cfg80211_scan_request *request; 1067 struct cfg80211_scan_request *rdev_req = rdev->scan_req; 1068 u32 n_channels = 0, idx, i; 1069 1070 if (!(rdev->wiphy.flags & WIPHY_FLAG_SPLIT_SCAN_6GHZ)) 1071 return rdev_scan(rdev, rdev_req); 1072 1073 for (i = 0; i < rdev_req->n_channels; i++) { 1074 if (rdev_req->channels[i]->band != NL80211_BAND_6GHZ) 1075 n_channels++; 1076 } 1077 1078 if (!n_channels) 1079 return cfg80211_scan_6ghz(rdev); 1080 1081 request = kzalloc(struct_size(request, channels, n_channels), 1082 GFP_KERNEL); 1083 if (!request) 1084 return -ENOMEM; 1085 1086 *request = *rdev_req; 1087 request->n_channels = n_channels; 1088 1089 for (i = idx = 0; i < rdev_req->n_channels; i++) { 1090 if (rdev_req->channels[i]->band != NL80211_BAND_6GHZ) 1091 request->channels[idx++] = rdev_req->channels[i]; 1092 } 1093 1094 rdev_req->scan_6ghz = false; 1095 rdev->int_scan_req = request; 1096 return rdev_scan(rdev, request); 1097 } 1098 1099 void ___cfg80211_scan_done(struct cfg80211_registered_device *rdev, 1100 bool send_message) 1101 { 1102 struct cfg80211_scan_request *request, *rdev_req; 1103 struct wireless_dev *wdev; 1104 struct sk_buff *msg; 1105 #ifdef CONFIG_CFG80211_WEXT 1106 union iwreq_data wrqu; 1107 #endif 1108 1109 lockdep_assert_held(&rdev->wiphy.mtx); 1110 1111 if (rdev->scan_msg) { 1112 nl80211_send_scan_msg(rdev, rdev->scan_msg); 1113 rdev->scan_msg = NULL; 1114 return; 1115 } 1116 1117 rdev_req = rdev->scan_req; 1118 if (!rdev_req) 1119 return; 1120 1121 wdev = rdev_req->wdev; 1122 request = rdev->int_scan_req ? rdev->int_scan_req : rdev_req; 1123 1124 if (wdev_running(wdev) && 1125 (rdev->wiphy.flags & WIPHY_FLAG_SPLIT_SCAN_6GHZ) && 1126 !rdev_req->scan_6ghz && !request->info.aborted && 1127 !cfg80211_scan_6ghz(rdev)) 1128 return; 1129 1130 /* 1131 * This must be before sending the other events! 1132 * Otherwise, wpa_supplicant gets completely confused with 1133 * wext events. 1134 */ 1135 if (wdev->netdev) 1136 cfg80211_sme_scan_done(wdev->netdev); 1137 1138 if (!request->info.aborted && 1139 request->flags & NL80211_SCAN_FLAG_FLUSH) { 1140 /* flush entries from previous scans */ 1141 spin_lock_bh(&rdev->bss_lock); 1142 __cfg80211_bss_expire(rdev, request->scan_start); 1143 spin_unlock_bh(&rdev->bss_lock); 1144 } 1145 1146 msg = nl80211_build_scan_msg(rdev, wdev, request->info.aborted); 1147 1148 #ifdef CONFIG_CFG80211_WEXT 1149 if (wdev->netdev && !request->info.aborted) { 1150 memset(&wrqu, 0, sizeof(wrqu)); 1151 1152 wireless_send_event(wdev->netdev, SIOCGIWSCAN, &wrqu, NULL); 1153 } 1154 #endif 1155 1156 dev_put(wdev->netdev); 1157 1158 kfree(rdev->int_scan_req); 1159 rdev->int_scan_req = NULL; 1160 1161 kfree(rdev->scan_req); 1162 rdev->scan_req = NULL; 1163 1164 if (!send_message) 1165 rdev->scan_msg = msg; 1166 else 1167 nl80211_send_scan_msg(rdev, msg); 1168 } 1169 1170 void __cfg80211_scan_done(struct wiphy *wiphy, struct wiphy_work *wk) 1171 { 1172 ___cfg80211_scan_done(wiphy_to_rdev(wiphy), true); 1173 } 1174 1175 void cfg80211_scan_done(struct cfg80211_scan_request *request, 1176 struct cfg80211_scan_info *info) 1177 { 1178 struct cfg80211_scan_info old_info = request->info; 1179 1180 trace_cfg80211_scan_done(request, info); 1181 WARN_ON(request != wiphy_to_rdev(request->wiphy)->scan_req && 1182 request != wiphy_to_rdev(request->wiphy)->int_scan_req); 1183 1184 request->info = *info; 1185 1186 /* 1187 * In case the scan is split, the scan_start_tsf and tsf_bssid should 1188 * be of the first part. In such a case old_info.scan_start_tsf should 1189 * be non zero. 1190 */ 1191 if (request->scan_6ghz && old_info.scan_start_tsf) { 1192 request->info.scan_start_tsf = old_info.scan_start_tsf; 1193 memcpy(request->info.tsf_bssid, old_info.tsf_bssid, 1194 sizeof(request->info.tsf_bssid)); 1195 } 1196 1197 request->notified = true; 1198 wiphy_work_queue(request->wiphy, 1199 &wiphy_to_rdev(request->wiphy)->scan_done_wk); 1200 } 1201 EXPORT_SYMBOL(cfg80211_scan_done); 1202 1203 void cfg80211_add_sched_scan_req(struct cfg80211_registered_device *rdev, 1204 struct cfg80211_sched_scan_request *req) 1205 { 1206 lockdep_assert_held(&rdev->wiphy.mtx); 1207 1208 list_add_rcu(&req->list, &rdev->sched_scan_req_list); 1209 } 1210 1211 static void cfg80211_del_sched_scan_req(struct cfg80211_registered_device *rdev, 1212 struct cfg80211_sched_scan_request *req) 1213 { 1214 lockdep_assert_held(&rdev->wiphy.mtx); 1215 1216 list_del_rcu(&req->list); 1217 kfree_rcu(req, rcu_head); 1218 } 1219 1220 static struct cfg80211_sched_scan_request * 1221 cfg80211_find_sched_scan_req(struct cfg80211_registered_device *rdev, u64 reqid) 1222 { 1223 struct cfg80211_sched_scan_request *pos; 1224 1225 list_for_each_entry_rcu(pos, &rdev->sched_scan_req_list, list, 1226 lockdep_is_held(&rdev->wiphy.mtx)) { 1227 if (pos->reqid == reqid) 1228 return pos; 1229 } 1230 return NULL; 1231 } 1232 1233 /* 1234 * Determines if a scheduled scan request can be handled. When a legacy 1235 * scheduled scan is running no other scheduled scan is allowed regardless 1236 * whether the request is for legacy or multi-support scan. When a multi-support 1237 * scheduled scan is running a request for legacy scan is not allowed. In this 1238 * case a request for multi-support scan can be handled if resources are 1239 * available, ie. struct wiphy::max_sched_scan_reqs limit is not yet reached. 1240 */ 1241 int cfg80211_sched_scan_req_possible(struct cfg80211_registered_device *rdev, 1242 bool want_multi) 1243 { 1244 struct cfg80211_sched_scan_request *pos; 1245 int i = 0; 1246 1247 list_for_each_entry(pos, &rdev->sched_scan_req_list, list) { 1248 /* request id zero means legacy in progress */ 1249 if (!i && !pos->reqid) 1250 return -EINPROGRESS; 1251 i++; 1252 } 1253 1254 if (i) { 1255 /* no legacy allowed when multi request(s) are active */ 1256 if (!want_multi) 1257 return -EINPROGRESS; 1258 1259 /* resource limit reached */ 1260 if (i == rdev->wiphy.max_sched_scan_reqs) 1261 return -ENOSPC; 1262 } 1263 return 0; 1264 } 1265 1266 void cfg80211_sched_scan_results_wk(struct work_struct *work) 1267 { 1268 struct cfg80211_registered_device *rdev; 1269 struct cfg80211_sched_scan_request *req, *tmp; 1270 1271 rdev = container_of(work, struct cfg80211_registered_device, 1272 sched_scan_res_wk); 1273 1274 guard(wiphy)(&rdev->wiphy); 1275 1276 list_for_each_entry_safe(req, tmp, &rdev->sched_scan_req_list, list) { 1277 if (req->report_results) { 1278 req->report_results = false; 1279 if (req->flags & NL80211_SCAN_FLAG_FLUSH) { 1280 /* flush entries from previous scans */ 1281 spin_lock_bh(&rdev->bss_lock); 1282 __cfg80211_bss_expire(rdev, req->scan_start); 1283 spin_unlock_bh(&rdev->bss_lock); 1284 req->scan_start = jiffies; 1285 } 1286 nl80211_send_sched_scan(req, 1287 NL80211_CMD_SCHED_SCAN_RESULTS); 1288 } 1289 } 1290 } 1291 1292 void cfg80211_sched_scan_results(struct wiphy *wiphy, u64 reqid) 1293 { 1294 struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy); 1295 struct cfg80211_sched_scan_request *request; 1296 1297 trace_cfg80211_sched_scan_results(wiphy, reqid); 1298 /* ignore if we're not scanning */ 1299 1300 rcu_read_lock(); 1301 request = cfg80211_find_sched_scan_req(rdev, reqid); 1302 if (request) { 1303 request->report_results = true; 1304 queue_work(cfg80211_wq, &rdev->sched_scan_res_wk); 1305 } 1306 rcu_read_unlock(); 1307 } 1308 EXPORT_SYMBOL(cfg80211_sched_scan_results); 1309 1310 void cfg80211_sched_scan_stopped_locked(struct wiphy *wiphy, u64 reqid) 1311 { 1312 struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy); 1313 1314 lockdep_assert_held(&wiphy->mtx); 1315 1316 trace_cfg80211_sched_scan_stopped(wiphy, reqid); 1317 1318 __cfg80211_stop_sched_scan(rdev, reqid, true); 1319 } 1320 EXPORT_SYMBOL(cfg80211_sched_scan_stopped_locked); 1321 1322 void cfg80211_sched_scan_stopped(struct wiphy *wiphy, u64 reqid) 1323 { 1324 guard(wiphy)(wiphy); 1325 1326 cfg80211_sched_scan_stopped_locked(wiphy, reqid); 1327 } 1328 EXPORT_SYMBOL(cfg80211_sched_scan_stopped); 1329 1330 int cfg80211_stop_sched_scan_req(struct cfg80211_registered_device *rdev, 1331 struct cfg80211_sched_scan_request *req, 1332 bool driver_initiated) 1333 { 1334 lockdep_assert_held(&rdev->wiphy.mtx); 1335 1336 if (!driver_initiated) { 1337 int err = rdev_sched_scan_stop(rdev, req->dev, req->reqid); 1338 if (err) 1339 return err; 1340 } 1341 1342 nl80211_send_sched_scan(req, NL80211_CMD_SCHED_SCAN_STOPPED); 1343 1344 cfg80211_del_sched_scan_req(rdev, req); 1345 1346 return 0; 1347 } 1348 1349 int __cfg80211_stop_sched_scan(struct cfg80211_registered_device *rdev, 1350 u64 reqid, bool driver_initiated) 1351 { 1352 struct cfg80211_sched_scan_request *sched_scan_req; 1353 1354 lockdep_assert_held(&rdev->wiphy.mtx); 1355 1356 sched_scan_req = cfg80211_find_sched_scan_req(rdev, reqid); 1357 if (!sched_scan_req) 1358 return -ENOENT; 1359 1360 return cfg80211_stop_sched_scan_req(rdev, sched_scan_req, 1361 driver_initiated); 1362 } 1363 1364 void cfg80211_bss_age(struct cfg80211_registered_device *rdev, 1365 unsigned long age_secs) 1366 { 1367 struct cfg80211_internal_bss *bss; 1368 unsigned long age_jiffies = msecs_to_jiffies(age_secs * MSEC_PER_SEC); 1369 1370 spin_lock_bh(&rdev->bss_lock); 1371 list_for_each_entry(bss, &rdev->bss_list, list) 1372 bss->ts -= age_jiffies; 1373 spin_unlock_bh(&rdev->bss_lock); 1374 } 1375 1376 void cfg80211_bss_expire(struct cfg80211_registered_device *rdev) 1377 { 1378 __cfg80211_bss_expire(rdev, jiffies - IEEE80211_SCAN_RESULT_EXPIRE); 1379 } 1380 1381 void cfg80211_bss_flush(struct wiphy *wiphy) 1382 { 1383 struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy); 1384 1385 spin_lock_bh(&rdev->bss_lock); 1386 __cfg80211_bss_expire(rdev, jiffies); 1387 spin_unlock_bh(&rdev->bss_lock); 1388 } 1389 EXPORT_SYMBOL(cfg80211_bss_flush); 1390 1391 const struct element * 1392 cfg80211_find_elem_match(u8 eid, const u8 *ies, unsigned int len, 1393 const u8 *match, unsigned int match_len, 1394 unsigned int match_offset) 1395 { 1396 const struct element *elem; 1397 1398 for_each_element_id(elem, eid, ies, len) { 1399 if (elem->datalen >= match_offset + match_len && 1400 !memcmp(elem->data + match_offset, match, match_len)) 1401 return elem; 1402 } 1403 1404 return NULL; 1405 } 1406 EXPORT_SYMBOL(cfg80211_find_elem_match); 1407 1408 const struct element *cfg80211_find_vendor_elem(unsigned int oui, int oui_type, 1409 const u8 *ies, 1410 unsigned int len) 1411 { 1412 const struct element *elem; 1413 u8 match[] = { oui >> 16, oui >> 8, oui, oui_type }; 1414 int match_len = (oui_type < 0) ? 3 : sizeof(match); 1415 1416 if (WARN_ON(oui_type > 0xff)) 1417 return NULL; 1418 1419 elem = cfg80211_find_elem_match(WLAN_EID_VENDOR_SPECIFIC, ies, len, 1420 match, match_len, 0); 1421 1422 if (!elem || elem->datalen < 4) 1423 return NULL; 1424 1425 return elem; 1426 } 1427 EXPORT_SYMBOL(cfg80211_find_vendor_elem); 1428 1429 /** 1430 * enum bss_compare_mode - BSS compare mode 1431 * @BSS_CMP_REGULAR: regular compare mode (for insertion and normal find) 1432 * @BSS_CMP_HIDE_ZLEN: find hidden SSID with zero-length mode 1433 * @BSS_CMP_HIDE_NUL: find hidden SSID with NUL-ed out mode 1434 */ 1435 enum bss_compare_mode { 1436 BSS_CMP_REGULAR, 1437 BSS_CMP_HIDE_ZLEN, 1438 BSS_CMP_HIDE_NUL, 1439 }; 1440 1441 static int cmp_bss(struct cfg80211_bss *a, 1442 struct cfg80211_bss *b, 1443 enum bss_compare_mode mode) 1444 { 1445 const struct cfg80211_bss_ies *a_ies, *b_ies; 1446 const u8 *ie1 = NULL; 1447 const u8 *ie2 = NULL; 1448 int i, r; 1449 1450 if (a->channel != b->channel) 1451 return (b->channel->center_freq * 1000 + b->channel->freq_offset) - 1452 (a->channel->center_freq * 1000 + a->channel->freq_offset); 1453 1454 a_ies = rcu_access_pointer(a->ies); 1455 if (!a_ies) 1456 return -1; 1457 b_ies = rcu_access_pointer(b->ies); 1458 if (!b_ies) 1459 return 1; 1460 1461 if (WLAN_CAPABILITY_IS_STA_BSS(a->capability)) 1462 ie1 = cfg80211_find_ie(WLAN_EID_MESH_ID, 1463 a_ies->data, a_ies->len); 1464 if (WLAN_CAPABILITY_IS_STA_BSS(b->capability)) 1465 ie2 = cfg80211_find_ie(WLAN_EID_MESH_ID, 1466 b_ies->data, b_ies->len); 1467 if (ie1 && ie2) { 1468 int mesh_id_cmp; 1469 1470 if (ie1[1] == ie2[1]) 1471 mesh_id_cmp = memcmp(ie1 + 2, ie2 + 2, ie1[1]); 1472 else 1473 mesh_id_cmp = ie2[1] - ie1[1]; 1474 1475 ie1 = cfg80211_find_ie(WLAN_EID_MESH_CONFIG, 1476 a_ies->data, a_ies->len); 1477 ie2 = cfg80211_find_ie(WLAN_EID_MESH_CONFIG, 1478 b_ies->data, b_ies->len); 1479 if (ie1 && ie2) { 1480 if (mesh_id_cmp) 1481 return mesh_id_cmp; 1482 if (ie1[1] != ie2[1]) 1483 return ie2[1] - ie1[1]; 1484 return memcmp(ie1 + 2, ie2 + 2, ie1[1]); 1485 } 1486 } 1487 1488 r = memcmp(a->bssid, b->bssid, sizeof(a->bssid)); 1489 if (r) 1490 return r; 1491 1492 ie1 = cfg80211_find_ie(WLAN_EID_SSID, a_ies->data, a_ies->len); 1493 ie2 = cfg80211_find_ie(WLAN_EID_SSID, b_ies->data, b_ies->len); 1494 1495 if (!ie1 && !ie2) 1496 return 0; 1497 1498 /* 1499 * Note that with "hide_ssid", the function returns a match if 1500 * the already-present BSS ("b") is a hidden SSID beacon for 1501 * the new BSS ("a"). 1502 */ 1503 1504 /* sort missing IE before (left of) present IE */ 1505 if (!ie1) 1506 return -1; 1507 if (!ie2) 1508 return 1; 1509 1510 switch (mode) { 1511 case BSS_CMP_HIDE_ZLEN: 1512 /* 1513 * In ZLEN mode we assume the BSS entry we're 1514 * looking for has a zero-length SSID. So if 1515 * the one we're looking at right now has that, 1516 * return 0. Otherwise, return the difference 1517 * in length, but since we're looking for the 1518 * 0-length it's really equivalent to returning 1519 * the length of the one we're looking at. 1520 * 1521 * No content comparison is needed as we assume 1522 * the content length is zero. 1523 */ 1524 return ie2[1]; 1525 case BSS_CMP_REGULAR: 1526 default: 1527 /* sort by length first, then by contents */ 1528 if (ie1[1] != ie2[1]) 1529 return ie2[1] - ie1[1]; 1530 return memcmp(ie1 + 2, ie2 + 2, ie1[1]); 1531 case BSS_CMP_HIDE_NUL: 1532 if (ie1[1] != ie2[1]) 1533 return ie2[1] - ie1[1]; 1534 /* this is equivalent to memcmp(zeroes, ie2 + 2, len) */ 1535 for (i = 0; i < ie2[1]; i++) 1536 if (ie2[i + 2]) 1537 return -1; 1538 return 0; 1539 } 1540 } 1541 1542 static bool cfg80211_bss_type_match(u16 capability, 1543 enum nl80211_band band, 1544 enum ieee80211_bss_type bss_type) 1545 { 1546 bool ret = true; 1547 u16 mask, val; 1548 1549 if (bss_type == IEEE80211_BSS_TYPE_ANY) 1550 return ret; 1551 1552 if (band == NL80211_BAND_60GHZ) { 1553 mask = WLAN_CAPABILITY_DMG_TYPE_MASK; 1554 switch (bss_type) { 1555 case IEEE80211_BSS_TYPE_ESS: 1556 val = WLAN_CAPABILITY_DMG_TYPE_AP; 1557 break; 1558 case IEEE80211_BSS_TYPE_PBSS: 1559 val = WLAN_CAPABILITY_DMG_TYPE_PBSS; 1560 break; 1561 case IEEE80211_BSS_TYPE_IBSS: 1562 val = WLAN_CAPABILITY_DMG_TYPE_IBSS; 1563 break; 1564 default: 1565 return false; 1566 } 1567 } else { 1568 mask = WLAN_CAPABILITY_ESS | WLAN_CAPABILITY_IBSS; 1569 switch (bss_type) { 1570 case IEEE80211_BSS_TYPE_ESS: 1571 val = WLAN_CAPABILITY_ESS; 1572 break; 1573 case IEEE80211_BSS_TYPE_IBSS: 1574 val = WLAN_CAPABILITY_IBSS; 1575 break; 1576 case IEEE80211_BSS_TYPE_MBSS: 1577 val = 0; 1578 break; 1579 default: 1580 return false; 1581 } 1582 } 1583 1584 ret = ((capability & mask) == val); 1585 return ret; 1586 } 1587 1588 /* Returned bss is reference counted and must be cleaned up appropriately. */ 1589 struct cfg80211_bss *__cfg80211_get_bss(struct wiphy *wiphy, 1590 struct ieee80211_channel *channel, 1591 const u8 *bssid, 1592 const u8 *ssid, size_t ssid_len, 1593 enum ieee80211_bss_type bss_type, 1594 enum ieee80211_privacy privacy, 1595 u32 use_for) 1596 { 1597 struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy); 1598 struct cfg80211_internal_bss *bss, *res = NULL; 1599 unsigned long now = jiffies; 1600 int bss_privacy; 1601 1602 trace_cfg80211_get_bss(wiphy, channel, bssid, ssid, ssid_len, bss_type, 1603 privacy); 1604 1605 spin_lock_bh(&rdev->bss_lock); 1606 1607 list_for_each_entry(bss, &rdev->bss_list, list) { 1608 if (!cfg80211_bss_type_match(bss->pub.capability, 1609 bss->pub.channel->band, bss_type)) 1610 continue; 1611 1612 bss_privacy = (bss->pub.capability & WLAN_CAPABILITY_PRIVACY); 1613 if ((privacy == IEEE80211_PRIVACY_ON && !bss_privacy) || 1614 (privacy == IEEE80211_PRIVACY_OFF && bss_privacy)) 1615 continue; 1616 if (channel && bss->pub.channel != channel) 1617 continue; 1618 if (!is_valid_ether_addr(bss->pub.bssid)) 1619 continue; 1620 if ((bss->pub.use_for & use_for) != use_for) 1621 continue; 1622 /* Don't get expired BSS structs */ 1623 if (time_after(now, bss->ts + IEEE80211_SCAN_RESULT_EXPIRE) && 1624 !atomic_read(&bss->hold)) 1625 continue; 1626 if (is_bss(&bss->pub, bssid, ssid, ssid_len)) { 1627 res = bss; 1628 bss_ref_get(rdev, res); 1629 break; 1630 } 1631 } 1632 1633 spin_unlock_bh(&rdev->bss_lock); 1634 if (!res) 1635 return NULL; 1636 trace_cfg80211_return_bss(&res->pub); 1637 return &res->pub; 1638 } 1639 EXPORT_SYMBOL(__cfg80211_get_bss); 1640 1641 static bool rb_insert_bss(struct cfg80211_registered_device *rdev, 1642 struct cfg80211_internal_bss *bss) 1643 { 1644 struct rb_node **p = &rdev->bss_tree.rb_node; 1645 struct rb_node *parent = NULL; 1646 struct cfg80211_internal_bss *tbss; 1647 int cmp; 1648 1649 while (*p) { 1650 parent = *p; 1651 tbss = rb_entry(parent, struct cfg80211_internal_bss, rbn); 1652 1653 cmp = cmp_bss(&bss->pub, &tbss->pub, BSS_CMP_REGULAR); 1654 1655 if (WARN_ON(!cmp)) { 1656 /* will sort of leak this BSS */ 1657 return false; 1658 } 1659 1660 if (cmp < 0) 1661 p = &(*p)->rb_left; 1662 else 1663 p = &(*p)->rb_right; 1664 } 1665 1666 rb_link_node(&bss->rbn, parent, p); 1667 rb_insert_color(&bss->rbn, &rdev->bss_tree); 1668 return true; 1669 } 1670 1671 static struct cfg80211_internal_bss * 1672 rb_find_bss(struct cfg80211_registered_device *rdev, 1673 struct cfg80211_internal_bss *res, 1674 enum bss_compare_mode mode) 1675 { 1676 struct rb_node *n = rdev->bss_tree.rb_node; 1677 struct cfg80211_internal_bss *bss; 1678 int r; 1679 1680 while (n) { 1681 bss = rb_entry(n, struct cfg80211_internal_bss, rbn); 1682 r = cmp_bss(&res->pub, &bss->pub, mode); 1683 1684 if (r == 0) 1685 return bss; 1686 else if (r < 0) 1687 n = n->rb_left; 1688 else 1689 n = n->rb_right; 1690 } 1691 1692 return NULL; 1693 } 1694 1695 static void cfg80211_insert_bss(struct cfg80211_registered_device *rdev, 1696 struct cfg80211_internal_bss *bss) 1697 { 1698 lockdep_assert_held(&rdev->bss_lock); 1699 1700 if (!rb_insert_bss(rdev, bss)) 1701 return; 1702 list_add_tail(&bss->list, &rdev->bss_list); 1703 rdev->bss_entries++; 1704 } 1705 1706 static void cfg80211_rehash_bss(struct cfg80211_registered_device *rdev, 1707 struct cfg80211_internal_bss *bss) 1708 { 1709 lockdep_assert_held(&rdev->bss_lock); 1710 1711 rb_erase(&bss->rbn, &rdev->bss_tree); 1712 if (!rb_insert_bss(rdev, bss)) { 1713 list_del(&bss->list); 1714 if (!list_empty(&bss->hidden_list)) 1715 list_del_init(&bss->hidden_list); 1716 if (!list_empty(&bss->pub.nontrans_list)) 1717 list_del_init(&bss->pub.nontrans_list); 1718 rdev->bss_entries--; 1719 } 1720 rdev->bss_generation++; 1721 } 1722 1723 static bool cfg80211_combine_bsses(struct cfg80211_registered_device *rdev, 1724 struct cfg80211_internal_bss *new) 1725 { 1726 const struct cfg80211_bss_ies *ies; 1727 struct cfg80211_internal_bss *bss; 1728 const u8 *ie; 1729 int i, ssidlen; 1730 u8 fold = 0; 1731 u32 n_entries = 0; 1732 1733 ies = rcu_access_pointer(new->pub.beacon_ies); 1734 if (WARN_ON(!ies)) 1735 return false; 1736 1737 ie = cfg80211_find_ie(WLAN_EID_SSID, ies->data, ies->len); 1738 if (!ie) { 1739 /* nothing to do */ 1740 return true; 1741 } 1742 1743 ssidlen = ie[1]; 1744 for (i = 0; i < ssidlen; i++) 1745 fold |= ie[2 + i]; 1746 1747 if (fold) { 1748 /* not a hidden SSID */ 1749 return true; 1750 } 1751 1752 /* This is the bad part ... */ 1753 1754 list_for_each_entry(bss, &rdev->bss_list, list) { 1755 /* 1756 * we're iterating all the entries anyway, so take the 1757 * opportunity to validate the list length accounting 1758 */ 1759 n_entries++; 1760 1761 if (!ether_addr_equal(bss->pub.bssid, new->pub.bssid)) 1762 continue; 1763 if (bss->pub.channel != new->pub.channel) 1764 continue; 1765 if (rcu_access_pointer(bss->pub.beacon_ies)) 1766 continue; 1767 ies = rcu_access_pointer(bss->pub.ies); 1768 if (!ies) 1769 continue; 1770 ie = cfg80211_find_ie(WLAN_EID_SSID, ies->data, ies->len); 1771 if (!ie) 1772 continue; 1773 if (ssidlen && ie[1] != ssidlen) 1774 continue; 1775 if (WARN_ON_ONCE(bss->pub.hidden_beacon_bss)) 1776 continue; 1777 if (WARN_ON_ONCE(!list_empty(&bss->hidden_list))) 1778 list_del(&bss->hidden_list); 1779 /* combine them */ 1780 list_add(&bss->hidden_list, &new->hidden_list); 1781 bss->pub.hidden_beacon_bss = &new->pub; 1782 new->refcount += bss->refcount; 1783 rcu_assign_pointer(bss->pub.beacon_ies, 1784 new->pub.beacon_ies); 1785 } 1786 1787 WARN_ONCE(n_entries != rdev->bss_entries, 1788 "rdev bss entries[%d]/list[len:%d] corruption\n", 1789 rdev->bss_entries, n_entries); 1790 1791 return true; 1792 } 1793 1794 static void cfg80211_update_hidden_bsses(struct cfg80211_internal_bss *known, 1795 const struct cfg80211_bss_ies *new_ies, 1796 const struct cfg80211_bss_ies *old_ies) 1797 { 1798 struct cfg80211_internal_bss *bss; 1799 1800 /* Assign beacon IEs to all sub entries */ 1801 list_for_each_entry(bss, &known->hidden_list, hidden_list) { 1802 const struct cfg80211_bss_ies *ies; 1803 1804 ies = rcu_access_pointer(bss->pub.beacon_ies); 1805 WARN_ON(ies != old_ies); 1806 1807 rcu_assign_pointer(bss->pub.beacon_ies, new_ies); 1808 } 1809 } 1810 1811 static void cfg80211_check_stuck_ecsa(struct cfg80211_registered_device *rdev, 1812 struct cfg80211_internal_bss *known, 1813 const struct cfg80211_bss_ies *old) 1814 { 1815 const struct ieee80211_ext_chansw_ie *ecsa; 1816 const struct element *elem_new, *elem_old; 1817 const struct cfg80211_bss_ies *new, *bcn; 1818 1819 if (known->pub.proberesp_ecsa_stuck) 1820 return; 1821 1822 new = rcu_dereference_protected(known->pub.proberesp_ies, 1823 lockdep_is_held(&rdev->bss_lock)); 1824 if (WARN_ON(!new)) 1825 return; 1826 1827 if (new->tsf - old->tsf < USEC_PER_SEC) 1828 return; 1829 1830 elem_old = cfg80211_find_elem(WLAN_EID_EXT_CHANSWITCH_ANN, 1831 old->data, old->len); 1832 if (!elem_old) 1833 return; 1834 1835 elem_new = cfg80211_find_elem(WLAN_EID_EXT_CHANSWITCH_ANN, 1836 new->data, new->len); 1837 if (!elem_new) 1838 return; 1839 1840 bcn = rcu_dereference_protected(known->pub.beacon_ies, 1841 lockdep_is_held(&rdev->bss_lock)); 1842 if (bcn && 1843 cfg80211_find_elem(WLAN_EID_EXT_CHANSWITCH_ANN, 1844 bcn->data, bcn->len)) 1845 return; 1846 1847 if (elem_new->datalen != elem_old->datalen) 1848 return; 1849 if (elem_new->datalen < sizeof(struct ieee80211_ext_chansw_ie)) 1850 return; 1851 if (memcmp(elem_new->data, elem_old->data, elem_new->datalen)) 1852 return; 1853 1854 ecsa = (void *)elem_new->data; 1855 1856 if (!ecsa->mode) 1857 return; 1858 1859 if (ecsa->new_ch_num != 1860 ieee80211_frequency_to_channel(known->pub.channel->center_freq)) 1861 return; 1862 1863 known->pub.proberesp_ecsa_stuck = 1; 1864 } 1865 1866 static bool 1867 cfg80211_update_known_bss(struct cfg80211_registered_device *rdev, 1868 struct cfg80211_internal_bss *known, 1869 struct cfg80211_internal_bss *new, 1870 bool signal_valid) 1871 { 1872 lockdep_assert_held(&rdev->bss_lock); 1873 1874 /* Update IEs */ 1875 if (rcu_access_pointer(new->pub.proberesp_ies)) { 1876 const struct cfg80211_bss_ies *old; 1877 1878 old = rcu_access_pointer(known->pub.proberesp_ies); 1879 1880 rcu_assign_pointer(known->pub.proberesp_ies, 1881 new->pub.proberesp_ies); 1882 /* Override possible earlier Beacon frame IEs */ 1883 rcu_assign_pointer(known->pub.ies, 1884 new->pub.proberesp_ies); 1885 if (old) { 1886 cfg80211_check_stuck_ecsa(rdev, known, old); 1887 kfree_rcu((struct cfg80211_bss_ies *)old, rcu_head); 1888 } 1889 } 1890 1891 if (rcu_access_pointer(new->pub.beacon_ies)) { 1892 const struct cfg80211_bss_ies *old; 1893 1894 if (known->pub.hidden_beacon_bss && 1895 !list_empty(&known->hidden_list)) { 1896 const struct cfg80211_bss_ies *f; 1897 1898 /* The known BSS struct is one of the probe 1899 * response members of a group, but we're 1900 * receiving a beacon (beacon_ies in the new 1901 * bss is used). This can only mean that the 1902 * AP changed its beacon from not having an 1903 * SSID to showing it, which is confusing so 1904 * drop this information. 1905 */ 1906 1907 f = rcu_access_pointer(new->pub.beacon_ies); 1908 kfree_rcu((struct cfg80211_bss_ies *)f, rcu_head); 1909 return false; 1910 } 1911 1912 old = rcu_access_pointer(known->pub.beacon_ies); 1913 1914 rcu_assign_pointer(known->pub.beacon_ies, new->pub.beacon_ies); 1915 1916 /* Override IEs if they were from a beacon before */ 1917 if (old == rcu_access_pointer(known->pub.ies)) 1918 rcu_assign_pointer(known->pub.ies, new->pub.beacon_ies); 1919 1920 cfg80211_update_hidden_bsses(known, 1921 rcu_access_pointer(new->pub.beacon_ies), 1922 old); 1923 1924 if (old) 1925 kfree_rcu((struct cfg80211_bss_ies *)old, rcu_head); 1926 } 1927 1928 known->pub.beacon_interval = new->pub.beacon_interval; 1929 1930 /* don't update the signal if beacon was heard on 1931 * adjacent channel. 1932 */ 1933 if (signal_valid) 1934 known->pub.signal = new->pub.signal; 1935 known->pub.capability = new->pub.capability; 1936 known->ts = new->ts; 1937 known->ts_boottime = new->ts_boottime; 1938 known->parent_tsf = new->parent_tsf; 1939 known->pub.chains = new->pub.chains; 1940 memcpy(known->pub.chain_signal, new->pub.chain_signal, 1941 IEEE80211_MAX_CHAINS); 1942 ether_addr_copy(known->parent_bssid, new->parent_bssid); 1943 known->pub.max_bssid_indicator = new->pub.max_bssid_indicator; 1944 known->pub.bssid_index = new->pub.bssid_index; 1945 known->pub.use_for &= new->pub.use_for; 1946 known->pub.cannot_use_reasons = new->pub.cannot_use_reasons; 1947 known->bss_source = new->bss_source; 1948 1949 return true; 1950 } 1951 1952 /* Returned bss is reference counted and must be cleaned up appropriately. */ 1953 static struct cfg80211_internal_bss * 1954 __cfg80211_bss_update(struct cfg80211_registered_device *rdev, 1955 struct cfg80211_internal_bss *tmp, 1956 bool signal_valid, unsigned long ts) 1957 { 1958 struct cfg80211_internal_bss *found = NULL; 1959 struct cfg80211_bss_ies *ies; 1960 1961 if (WARN_ON(!tmp->pub.channel)) 1962 goto free_ies; 1963 1964 tmp->ts = ts; 1965 1966 if (WARN_ON(!rcu_access_pointer(tmp->pub.ies))) 1967 goto free_ies; 1968 1969 found = rb_find_bss(rdev, tmp, BSS_CMP_REGULAR); 1970 1971 if (found) { 1972 if (!cfg80211_update_known_bss(rdev, found, tmp, signal_valid)) 1973 return NULL; 1974 } else { 1975 struct cfg80211_internal_bss *new; 1976 struct cfg80211_internal_bss *hidden; 1977 1978 /* 1979 * create a copy -- the "res" variable that is passed in 1980 * is allocated on the stack since it's not needed in the 1981 * more common case of an update 1982 */ 1983 new = kzalloc(sizeof(*new) + rdev->wiphy.bss_priv_size, 1984 GFP_ATOMIC); 1985 if (!new) 1986 goto free_ies; 1987 memcpy(new, tmp, sizeof(*new)); 1988 new->refcount = 1; 1989 INIT_LIST_HEAD(&new->hidden_list); 1990 INIT_LIST_HEAD(&new->pub.nontrans_list); 1991 /* we'll set this later if it was non-NULL */ 1992 new->pub.transmitted_bss = NULL; 1993 1994 if (rcu_access_pointer(tmp->pub.proberesp_ies)) { 1995 hidden = rb_find_bss(rdev, tmp, BSS_CMP_HIDE_ZLEN); 1996 if (!hidden) 1997 hidden = rb_find_bss(rdev, tmp, 1998 BSS_CMP_HIDE_NUL); 1999 if (hidden) { 2000 new->pub.hidden_beacon_bss = &hidden->pub; 2001 list_add(&new->hidden_list, 2002 &hidden->hidden_list); 2003 hidden->refcount++; 2004 2005 ies = (void *)rcu_access_pointer(new->pub.beacon_ies); 2006 rcu_assign_pointer(new->pub.beacon_ies, 2007 hidden->pub.beacon_ies); 2008 if (ies) 2009 kfree_rcu(ies, rcu_head); 2010 } 2011 } else { 2012 /* 2013 * Ok so we found a beacon, and don't have an entry. If 2014 * it's a beacon with hidden SSID, we might be in for an 2015 * expensive search for any probe responses that should 2016 * be grouped with this beacon for updates ... 2017 */ 2018 if (!cfg80211_combine_bsses(rdev, new)) { 2019 bss_ref_put(rdev, new); 2020 return NULL; 2021 } 2022 } 2023 2024 if (rdev->bss_entries >= bss_entries_limit && 2025 !cfg80211_bss_expire_oldest(rdev)) { 2026 bss_ref_put(rdev, new); 2027 return NULL; 2028 } 2029 2030 /* This must be before the call to bss_ref_get */ 2031 if (tmp->pub.transmitted_bss) { 2032 new->pub.transmitted_bss = tmp->pub.transmitted_bss; 2033 bss_ref_get(rdev, bss_from_pub(tmp->pub.transmitted_bss)); 2034 } 2035 2036 cfg80211_insert_bss(rdev, new); 2037 found = new; 2038 } 2039 2040 rdev->bss_generation++; 2041 bss_ref_get(rdev, found); 2042 2043 return found; 2044 2045 free_ies: 2046 ies = (void *)rcu_access_pointer(tmp->pub.beacon_ies); 2047 if (ies) 2048 kfree_rcu(ies, rcu_head); 2049 ies = (void *)rcu_access_pointer(tmp->pub.proberesp_ies); 2050 if (ies) 2051 kfree_rcu(ies, rcu_head); 2052 2053 return NULL; 2054 } 2055 2056 struct cfg80211_internal_bss * 2057 cfg80211_bss_update(struct cfg80211_registered_device *rdev, 2058 struct cfg80211_internal_bss *tmp, 2059 bool signal_valid, unsigned long ts) 2060 { 2061 struct cfg80211_internal_bss *res; 2062 2063 spin_lock_bh(&rdev->bss_lock); 2064 res = __cfg80211_bss_update(rdev, tmp, signal_valid, ts); 2065 spin_unlock_bh(&rdev->bss_lock); 2066 2067 return res; 2068 } 2069 2070 int cfg80211_get_ies_channel_number(const u8 *ie, size_t ielen, 2071 enum nl80211_band band) 2072 { 2073 const struct element *tmp; 2074 2075 if (band == NL80211_BAND_6GHZ) { 2076 struct ieee80211_he_operation *he_oper; 2077 2078 tmp = cfg80211_find_ext_elem(WLAN_EID_EXT_HE_OPERATION, ie, 2079 ielen); 2080 if (tmp && tmp->datalen >= sizeof(*he_oper) && 2081 tmp->datalen >= ieee80211_he_oper_size(&tmp->data[1])) { 2082 const struct ieee80211_he_6ghz_oper *he_6ghz_oper; 2083 2084 he_oper = (void *)&tmp->data[1]; 2085 2086 he_6ghz_oper = ieee80211_he_6ghz_oper(he_oper); 2087 if (!he_6ghz_oper) 2088 return -1; 2089 2090 return he_6ghz_oper->primary; 2091 } 2092 } else if (band == NL80211_BAND_S1GHZ) { 2093 tmp = cfg80211_find_elem(WLAN_EID_S1G_OPERATION, ie, ielen); 2094 if (tmp && tmp->datalen >= sizeof(struct ieee80211_s1g_oper_ie)) { 2095 struct ieee80211_s1g_oper_ie *s1gop = (void *)tmp->data; 2096 2097 return s1gop->oper_ch; 2098 } 2099 } else { 2100 tmp = cfg80211_find_elem(WLAN_EID_DS_PARAMS, ie, ielen); 2101 if (tmp && tmp->datalen == 1) 2102 return tmp->data[0]; 2103 2104 tmp = cfg80211_find_elem(WLAN_EID_HT_OPERATION, ie, ielen); 2105 if (tmp && 2106 tmp->datalen >= sizeof(struct ieee80211_ht_operation)) { 2107 struct ieee80211_ht_operation *htop = (void *)tmp->data; 2108 2109 return htop->primary_chan; 2110 } 2111 } 2112 2113 return -1; 2114 } 2115 EXPORT_SYMBOL(cfg80211_get_ies_channel_number); 2116 2117 /* 2118 * Update RX channel information based on the available frame payload 2119 * information. This is mainly for the 2.4 GHz band where frames can be received 2120 * from neighboring channels and the Beacon frames use the DSSS Parameter Set 2121 * element to indicate the current (transmitting) channel, but this might also 2122 * be needed on other bands if RX frequency does not match with the actual 2123 * operating channel of a BSS, or if the AP reports a different primary channel. 2124 */ 2125 static struct ieee80211_channel * 2126 cfg80211_get_bss_channel(struct wiphy *wiphy, const u8 *ie, size_t ielen, 2127 struct ieee80211_channel *channel) 2128 { 2129 u32 freq; 2130 int channel_number; 2131 struct ieee80211_channel *alt_channel; 2132 2133 channel_number = cfg80211_get_ies_channel_number(ie, ielen, 2134 channel->band); 2135 2136 if (channel_number < 0) { 2137 /* No channel information in frame payload */ 2138 return channel; 2139 } 2140 2141 freq = ieee80211_channel_to_freq_khz(channel_number, channel->band); 2142 2143 /* 2144 * Frame info (beacon/prob res) is the same as received channel, 2145 * no need for further processing. 2146 */ 2147 if (freq == ieee80211_channel_to_khz(channel)) 2148 return channel; 2149 2150 alt_channel = ieee80211_get_channel_khz(wiphy, freq); 2151 if (!alt_channel) { 2152 if (channel->band == NL80211_BAND_2GHZ || 2153 channel->band == NL80211_BAND_6GHZ) { 2154 /* 2155 * Better not allow unexpected channels when that could 2156 * be going beyond the 1-11 range (e.g., discovering 2157 * BSS on channel 12 when radio is configured for 2158 * channel 11) or beyond the 6 GHz channel range. 2159 */ 2160 return NULL; 2161 } 2162 2163 /* No match for the payload channel number - ignore it */ 2164 return channel; 2165 } 2166 2167 /* 2168 * Use the channel determined through the payload channel number 2169 * instead of the RX channel reported by the driver. 2170 */ 2171 if (alt_channel->flags & IEEE80211_CHAN_DISABLED) 2172 return NULL; 2173 return alt_channel; 2174 } 2175 2176 struct cfg80211_inform_single_bss_data { 2177 struct cfg80211_inform_bss *drv_data; 2178 enum cfg80211_bss_frame_type ftype; 2179 struct ieee80211_channel *channel; 2180 u8 bssid[ETH_ALEN]; 2181 u64 tsf; 2182 u16 capability; 2183 u16 beacon_interval; 2184 const u8 *ie; 2185 size_t ielen; 2186 2187 enum bss_source_type bss_source; 2188 /* Set if reporting bss_source != BSS_SOURCE_DIRECT */ 2189 struct cfg80211_bss *source_bss; 2190 u8 max_bssid_indicator; 2191 u8 bssid_index; 2192 2193 u8 use_for; 2194 u64 cannot_use_reasons; 2195 }; 2196 2197 enum ieee80211_ap_reg_power 2198 cfg80211_get_6ghz_power_type(const u8 *elems, size_t elems_len) 2199 { 2200 const struct ieee80211_he_6ghz_oper *he_6ghz_oper; 2201 struct ieee80211_he_operation *he_oper; 2202 const struct element *tmp; 2203 2204 tmp = cfg80211_find_ext_elem(WLAN_EID_EXT_HE_OPERATION, 2205 elems, elems_len); 2206 if (!tmp || tmp->datalen < sizeof(*he_oper) + 1 || 2207 tmp->datalen < ieee80211_he_oper_size(tmp->data + 1)) 2208 return IEEE80211_REG_UNSET_AP; 2209 2210 he_oper = (void *)&tmp->data[1]; 2211 he_6ghz_oper = ieee80211_he_6ghz_oper(he_oper); 2212 2213 if (!he_6ghz_oper) 2214 return IEEE80211_REG_UNSET_AP; 2215 2216 switch (u8_get_bits(he_6ghz_oper->control, 2217 IEEE80211_HE_6GHZ_OPER_CTRL_REG_INFO)) { 2218 case IEEE80211_6GHZ_CTRL_REG_LPI_AP: 2219 case IEEE80211_6GHZ_CTRL_REG_INDOOR_LPI_AP: 2220 return IEEE80211_REG_LPI_AP; 2221 case IEEE80211_6GHZ_CTRL_REG_SP_AP: 2222 case IEEE80211_6GHZ_CTRL_REG_INDOOR_SP_AP: 2223 return IEEE80211_REG_SP_AP; 2224 case IEEE80211_6GHZ_CTRL_REG_VLP_AP: 2225 return IEEE80211_REG_VLP_AP; 2226 default: 2227 return IEEE80211_REG_UNSET_AP; 2228 } 2229 } 2230 2231 static bool cfg80211_6ghz_power_type_valid(const u8 *elems, size_t elems_len, 2232 const u32 flags) 2233 { 2234 switch (cfg80211_get_6ghz_power_type(elems, elems_len)) { 2235 case IEEE80211_REG_LPI_AP: 2236 return true; 2237 case IEEE80211_REG_SP_AP: 2238 return !(flags & IEEE80211_CHAN_NO_6GHZ_AFC_CLIENT); 2239 case IEEE80211_REG_VLP_AP: 2240 return !(flags & IEEE80211_CHAN_NO_6GHZ_VLP_CLIENT); 2241 default: 2242 return false; 2243 } 2244 } 2245 2246 /* Returned bss is reference counted and must be cleaned up appropriately. */ 2247 static struct cfg80211_bss * 2248 cfg80211_inform_single_bss_data(struct wiphy *wiphy, 2249 struct cfg80211_inform_single_bss_data *data, 2250 gfp_t gfp) 2251 { 2252 struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy); 2253 struct cfg80211_inform_bss *drv_data = data->drv_data; 2254 struct cfg80211_bss_ies *ies; 2255 struct ieee80211_channel *channel; 2256 struct cfg80211_internal_bss tmp = {}, *res; 2257 int bss_type; 2258 bool signal_valid; 2259 unsigned long ts; 2260 2261 if (WARN_ON(!wiphy)) 2262 return NULL; 2263 2264 if (WARN_ON(wiphy->signal_type == CFG80211_SIGNAL_TYPE_UNSPEC && 2265 (drv_data->signal < 0 || drv_data->signal > 100))) 2266 return NULL; 2267 2268 if (WARN_ON(data->bss_source != BSS_SOURCE_DIRECT && !data->source_bss)) 2269 return NULL; 2270 2271 channel = data->channel; 2272 if (!channel) 2273 channel = cfg80211_get_bss_channel(wiphy, data->ie, data->ielen, 2274 drv_data->chan); 2275 if (!channel) 2276 return NULL; 2277 2278 if (channel->band == NL80211_BAND_6GHZ && 2279 !cfg80211_6ghz_power_type_valid(data->ie, data->ielen, 2280 channel->flags)) { 2281 data->use_for = 0; 2282 data->cannot_use_reasons = 2283 NL80211_BSS_CANNOT_USE_6GHZ_PWR_MISMATCH; 2284 } 2285 2286 memcpy(tmp.pub.bssid, data->bssid, ETH_ALEN); 2287 tmp.pub.channel = channel; 2288 if (data->bss_source != BSS_SOURCE_STA_PROFILE) 2289 tmp.pub.signal = drv_data->signal; 2290 else 2291 tmp.pub.signal = 0; 2292 tmp.pub.beacon_interval = data->beacon_interval; 2293 tmp.pub.capability = data->capability; 2294 tmp.ts_boottime = drv_data->boottime_ns; 2295 tmp.parent_tsf = drv_data->parent_tsf; 2296 ether_addr_copy(tmp.parent_bssid, drv_data->parent_bssid); 2297 tmp.pub.chains = drv_data->chains; 2298 memcpy(tmp.pub.chain_signal, drv_data->chain_signal, 2299 IEEE80211_MAX_CHAINS); 2300 tmp.pub.use_for = data->use_for; 2301 tmp.pub.cannot_use_reasons = data->cannot_use_reasons; 2302 tmp.bss_source = data->bss_source; 2303 2304 switch (data->bss_source) { 2305 case BSS_SOURCE_MBSSID: 2306 tmp.pub.transmitted_bss = data->source_bss; 2307 fallthrough; 2308 case BSS_SOURCE_STA_PROFILE: 2309 ts = bss_from_pub(data->source_bss)->ts; 2310 tmp.pub.bssid_index = data->bssid_index; 2311 tmp.pub.max_bssid_indicator = data->max_bssid_indicator; 2312 break; 2313 case BSS_SOURCE_DIRECT: 2314 ts = jiffies; 2315 2316 if (channel->band == NL80211_BAND_60GHZ) { 2317 bss_type = data->capability & 2318 WLAN_CAPABILITY_DMG_TYPE_MASK; 2319 if (bss_type == WLAN_CAPABILITY_DMG_TYPE_AP || 2320 bss_type == WLAN_CAPABILITY_DMG_TYPE_PBSS) 2321 regulatory_hint_found_beacon(wiphy, channel, 2322 gfp); 2323 } else { 2324 if (data->capability & WLAN_CAPABILITY_ESS) 2325 regulatory_hint_found_beacon(wiphy, channel, 2326 gfp); 2327 } 2328 break; 2329 } 2330 2331 /* 2332 * If we do not know here whether the IEs are from a Beacon or Probe 2333 * Response frame, we need to pick one of the options and only use it 2334 * with the driver that does not provide the full Beacon/Probe Response 2335 * frame. Use Beacon frame pointer to avoid indicating that this should 2336 * override the IEs pointer should we have received an earlier 2337 * indication of Probe Response data. 2338 */ 2339 ies = kzalloc(sizeof(*ies) + data->ielen, gfp); 2340 if (!ies) 2341 return NULL; 2342 ies->len = data->ielen; 2343 ies->tsf = data->tsf; 2344 ies->from_beacon = false; 2345 memcpy(ies->data, data->ie, data->ielen); 2346 2347 switch (data->ftype) { 2348 case CFG80211_BSS_FTYPE_BEACON: 2349 case CFG80211_BSS_FTYPE_S1G_BEACON: 2350 ies->from_beacon = true; 2351 fallthrough; 2352 case CFG80211_BSS_FTYPE_UNKNOWN: 2353 rcu_assign_pointer(tmp.pub.beacon_ies, ies); 2354 break; 2355 case CFG80211_BSS_FTYPE_PRESP: 2356 rcu_assign_pointer(tmp.pub.proberesp_ies, ies); 2357 break; 2358 } 2359 rcu_assign_pointer(tmp.pub.ies, ies); 2360 2361 signal_valid = drv_data->chan == channel; 2362 spin_lock_bh(&rdev->bss_lock); 2363 res = __cfg80211_bss_update(rdev, &tmp, signal_valid, ts); 2364 if (!res) 2365 goto drop; 2366 2367 rdev_inform_bss(rdev, &res->pub, ies, drv_data->drv_data); 2368 2369 if (data->bss_source == BSS_SOURCE_MBSSID) { 2370 /* this is a nontransmitting bss, we need to add it to 2371 * transmitting bss' list if it is not there 2372 */ 2373 if (cfg80211_add_nontrans_list(data->source_bss, &res->pub)) { 2374 if (__cfg80211_unlink_bss(rdev, res)) { 2375 rdev->bss_generation++; 2376 res = NULL; 2377 } 2378 } 2379 2380 if (!res) 2381 goto drop; 2382 } 2383 spin_unlock_bh(&rdev->bss_lock); 2384 2385 trace_cfg80211_return_bss(&res->pub); 2386 /* __cfg80211_bss_update gives us a referenced result */ 2387 return &res->pub; 2388 2389 drop: 2390 spin_unlock_bh(&rdev->bss_lock); 2391 return NULL; 2392 } 2393 2394 static const struct element 2395 *cfg80211_get_profile_continuation(const u8 *ie, size_t ielen, 2396 const struct element *mbssid_elem, 2397 const struct element *sub_elem) 2398 { 2399 const u8 *mbssid_end = mbssid_elem->data + mbssid_elem->datalen; 2400 const struct element *next_mbssid; 2401 const struct element *next_sub; 2402 2403 next_mbssid = cfg80211_find_elem(WLAN_EID_MULTIPLE_BSSID, 2404 mbssid_end, 2405 ielen - (mbssid_end - ie)); 2406 2407 /* 2408 * If it is not the last subelement in current MBSSID IE or there isn't 2409 * a next MBSSID IE - profile is complete. 2410 */ 2411 if ((sub_elem->data + sub_elem->datalen < mbssid_end - 1) || 2412 !next_mbssid) 2413 return NULL; 2414 2415 /* For any length error, just return NULL */ 2416 2417 if (next_mbssid->datalen < 4) 2418 return NULL; 2419 2420 next_sub = (void *)&next_mbssid->data[1]; 2421 2422 if (next_mbssid->data + next_mbssid->datalen < 2423 next_sub->data + next_sub->datalen) 2424 return NULL; 2425 2426 if (next_sub->id != 0 || next_sub->datalen < 2) 2427 return NULL; 2428 2429 /* 2430 * Check if the first element in the next sub element is a start 2431 * of a new profile 2432 */ 2433 return next_sub->data[0] == WLAN_EID_NON_TX_BSSID_CAP ? 2434 NULL : next_mbssid; 2435 } 2436 2437 size_t cfg80211_merge_profile(const u8 *ie, size_t ielen, 2438 const struct element *mbssid_elem, 2439 const struct element *sub_elem, 2440 u8 *merged_ie, size_t max_copy_len) 2441 { 2442 size_t copied_len = sub_elem->datalen; 2443 const struct element *next_mbssid; 2444 2445 if (sub_elem->datalen > max_copy_len) 2446 return 0; 2447 2448 memcpy(merged_ie, sub_elem->data, sub_elem->datalen); 2449 2450 while ((next_mbssid = cfg80211_get_profile_continuation(ie, ielen, 2451 mbssid_elem, 2452 sub_elem))) { 2453 const struct element *next_sub = (void *)&next_mbssid->data[1]; 2454 2455 if (copied_len + next_sub->datalen > max_copy_len) 2456 break; 2457 memcpy(merged_ie + copied_len, next_sub->data, 2458 next_sub->datalen); 2459 copied_len += next_sub->datalen; 2460 } 2461 2462 return copied_len; 2463 } 2464 EXPORT_SYMBOL(cfg80211_merge_profile); 2465 2466 static void 2467 cfg80211_parse_mbssid_data(struct wiphy *wiphy, 2468 struct cfg80211_inform_single_bss_data *tx_data, 2469 struct cfg80211_bss *source_bss, 2470 gfp_t gfp) 2471 { 2472 struct cfg80211_inform_single_bss_data data = { 2473 .drv_data = tx_data->drv_data, 2474 .ftype = tx_data->ftype, 2475 .tsf = tx_data->tsf, 2476 .beacon_interval = tx_data->beacon_interval, 2477 .source_bss = source_bss, 2478 .bss_source = BSS_SOURCE_MBSSID, 2479 .use_for = tx_data->use_for, 2480 .cannot_use_reasons = tx_data->cannot_use_reasons, 2481 }; 2482 const u8 *mbssid_index_ie; 2483 const struct element *elem, *sub; 2484 u8 *new_ie, *profile; 2485 u64 seen_indices = 0; 2486 struct cfg80211_bss *bss; 2487 2488 if (!source_bss) 2489 return; 2490 if (!cfg80211_find_elem(WLAN_EID_MULTIPLE_BSSID, 2491 tx_data->ie, tx_data->ielen)) 2492 return; 2493 if (!wiphy->support_mbssid) 2494 return; 2495 if (wiphy->support_only_he_mbssid && 2496 !cfg80211_find_ext_elem(WLAN_EID_EXT_HE_CAPABILITY, 2497 tx_data->ie, tx_data->ielen)) 2498 return; 2499 2500 new_ie = kmalloc(IEEE80211_MAX_DATA_LEN, gfp); 2501 if (!new_ie) 2502 return; 2503 2504 profile = kmalloc(tx_data->ielen, gfp); 2505 if (!profile) 2506 goto out; 2507 2508 for_each_element_id(elem, WLAN_EID_MULTIPLE_BSSID, 2509 tx_data->ie, tx_data->ielen) { 2510 if (elem->datalen < 4) 2511 continue; 2512 if (elem->data[0] < 1 || (int)elem->data[0] > 8) 2513 continue; 2514 for_each_element(sub, elem->data + 1, elem->datalen - 1) { 2515 u8 profile_len; 2516 2517 if (sub->id != 0 || sub->datalen < 4) { 2518 /* not a valid BSS profile */ 2519 continue; 2520 } 2521 2522 if (sub->data[0] != WLAN_EID_NON_TX_BSSID_CAP || 2523 sub->data[1] != 2) { 2524 /* The first element within the Nontransmitted 2525 * BSSID Profile is not the Nontransmitted 2526 * BSSID Capability element. 2527 */ 2528 continue; 2529 } 2530 2531 memset(profile, 0, tx_data->ielen); 2532 profile_len = cfg80211_merge_profile(tx_data->ie, 2533 tx_data->ielen, 2534 elem, 2535 sub, 2536 profile, 2537 tx_data->ielen); 2538 2539 /* found a Nontransmitted BSSID Profile */ 2540 mbssid_index_ie = cfg80211_find_ie 2541 (WLAN_EID_MULTI_BSSID_IDX, 2542 profile, profile_len); 2543 if (!mbssid_index_ie || mbssid_index_ie[1] < 1 || 2544 mbssid_index_ie[2] == 0 || 2545 mbssid_index_ie[2] > 46 || 2546 mbssid_index_ie[2] >= (1 << elem->data[0])) { 2547 /* No valid Multiple BSSID-Index element */ 2548 continue; 2549 } 2550 2551 if (seen_indices & BIT_ULL(mbssid_index_ie[2])) 2552 /* We don't support legacy split of a profile */ 2553 net_dbg_ratelimited("Partial info for BSSID index %d\n", 2554 mbssid_index_ie[2]); 2555 2556 seen_indices |= BIT_ULL(mbssid_index_ie[2]); 2557 2558 data.bssid_index = mbssid_index_ie[2]; 2559 data.max_bssid_indicator = elem->data[0]; 2560 2561 cfg80211_gen_new_bssid(tx_data->bssid, 2562 data.max_bssid_indicator, 2563 data.bssid_index, 2564 data.bssid); 2565 2566 memset(new_ie, 0, IEEE80211_MAX_DATA_LEN); 2567 data.ie = new_ie; 2568 data.ielen = cfg80211_gen_new_ie(tx_data->ie, 2569 tx_data->ielen, 2570 profile, 2571 profile_len, 2572 new_ie, 2573 IEEE80211_MAX_DATA_LEN); 2574 if (!data.ielen) 2575 continue; 2576 2577 data.capability = get_unaligned_le16(profile + 2); 2578 bss = cfg80211_inform_single_bss_data(wiphy, &data, gfp); 2579 if (!bss) 2580 break; 2581 cfg80211_put_bss(wiphy, bss); 2582 } 2583 } 2584 2585 out: 2586 kfree(new_ie); 2587 kfree(profile); 2588 } 2589 2590 ssize_t cfg80211_defragment_element(const struct element *elem, const u8 *ies, 2591 size_t ieslen, u8 *data, size_t data_len, 2592 u8 frag_id) 2593 { 2594 const struct element *next; 2595 ssize_t copied; 2596 u8 elem_datalen; 2597 2598 if (!elem) 2599 return -EINVAL; 2600 2601 /* elem might be invalid after the memmove */ 2602 next = (void *)(elem->data + elem->datalen); 2603 elem_datalen = elem->datalen; 2604 2605 if (elem->id == WLAN_EID_EXTENSION) { 2606 copied = elem->datalen - 1; 2607 2608 if (data) { 2609 if (copied > data_len) 2610 return -ENOSPC; 2611 2612 memmove(data, elem->data + 1, copied); 2613 } 2614 } else { 2615 copied = elem->datalen; 2616 2617 if (data) { 2618 if (copied > data_len) 2619 return -ENOSPC; 2620 2621 memmove(data, elem->data, copied); 2622 } 2623 } 2624 2625 /* Fragmented elements must have 255 bytes */ 2626 if (elem_datalen < 255) 2627 return copied; 2628 2629 for (elem = next; 2630 elem->data < ies + ieslen && 2631 elem->data + elem->datalen <= ies + ieslen; 2632 elem = next) { 2633 /* elem might be invalid after the memmove */ 2634 next = (void *)(elem->data + elem->datalen); 2635 2636 if (elem->id != frag_id) 2637 break; 2638 2639 elem_datalen = elem->datalen; 2640 2641 if (data) { 2642 if (copied + elem_datalen > data_len) 2643 return -ENOSPC; 2644 2645 memmove(data + copied, elem->data, elem_datalen); 2646 } 2647 2648 copied += elem_datalen; 2649 2650 /* Only the last fragment may be short */ 2651 if (elem_datalen != 255) 2652 break; 2653 } 2654 2655 return copied; 2656 } 2657 EXPORT_SYMBOL(cfg80211_defragment_element); 2658 2659 struct cfg80211_mle { 2660 struct ieee80211_multi_link_elem *mle; 2661 struct ieee80211_mle_per_sta_profile 2662 *sta_prof[IEEE80211_MLD_MAX_NUM_LINKS]; 2663 ssize_t sta_prof_len[IEEE80211_MLD_MAX_NUM_LINKS]; 2664 2665 u8 data[]; 2666 }; 2667 2668 static struct cfg80211_mle * 2669 cfg80211_defrag_mle(const struct element *mle, const u8 *ie, size_t ielen, 2670 gfp_t gfp) 2671 { 2672 const struct element *elem; 2673 struct cfg80211_mle *res; 2674 size_t buf_len; 2675 ssize_t mle_len; 2676 u8 common_size, idx; 2677 2678 if (!mle || !ieee80211_mle_size_ok(mle->data + 1, mle->datalen - 1)) 2679 return NULL; 2680 2681 /* Required length for first defragmentation */ 2682 buf_len = mle->datalen - 1; 2683 for_each_element(elem, mle->data + mle->datalen, 2684 ielen - sizeof(*mle) + mle->datalen) { 2685 if (elem->id != WLAN_EID_FRAGMENT) 2686 break; 2687 2688 buf_len += elem->datalen; 2689 } 2690 2691 res = kzalloc(struct_size(res, data, buf_len), gfp); 2692 if (!res) 2693 return NULL; 2694 2695 mle_len = cfg80211_defragment_element(mle, ie, ielen, 2696 res->data, buf_len, 2697 WLAN_EID_FRAGMENT); 2698 if (mle_len < 0) 2699 goto error; 2700 2701 res->mle = (void *)res->data; 2702 2703 /* Find the sub-element area in the buffer */ 2704 common_size = ieee80211_mle_common_size((u8 *)res->mle); 2705 ie = res->data + common_size; 2706 ielen = mle_len - common_size; 2707 2708 idx = 0; 2709 for_each_element_id(elem, IEEE80211_MLE_SUBELEM_PER_STA_PROFILE, 2710 ie, ielen) { 2711 res->sta_prof[idx] = (void *)elem->data; 2712 res->sta_prof_len[idx] = elem->datalen; 2713 2714 idx++; 2715 if (idx >= IEEE80211_MLD_MAX_NUM_LINKS) 2716 break; 2717 } 2718 if (!for_each_element_completed(elem, ie, ielen)) 2719 goto error; 2720 2721 /* Defragment sta_info in-place */ 2722 for (idx = 0; idx < IEEE80211_MLD_MAX_NUM_LINKS && res->sta_prof[idx]; 2723 idx++) { 2724 if (res->sta_prof_len[idx] < 255) 2725 continue; 2726 2727 elem = (void *)res->sta_prof[idx] - 2; 2728 2729 if (idx + 1 < ARRAY_SIZE(res->sta_prof) && 2730 res->sta_prof[idx + 1]) 2731 buf_len = (u8 *)res->sta_prof[idx + 1] - 2732 (u8 *)res->sta_prof[idx]; 2733 else 2734 buf_len = ielen + ie - (u8 *)elem; 2735 2736 res->sta_prof_len[idx] = 2737 cfg80211_defragment_element(elem, 2738 (u8 *)elem, buf_len, 2739 (u8 *)res->sta_prof[idx], 2740 buf_len, 2741 IEEE80211_MLE_SUBELEM_FRAGMENT); 2742 if (res->sta_prof_len[idx] < 0) 2743 goto error; 2744 } 2745 2746 return res; 2747 2748 error: 2749 kfree(res); 2750 return NULL; 2751 } 2752 2753 struct tbtt_info_iter_data { 2754 const struct ieee80211_neighbor_ap_info *ap_info; 2755 u8 param_ch_count; 2756 u32 use_for; 2757 u8 mld_id, link_id; 2758 bool non_tx; 2759 }; 2760 2761 static enum cfg80211_rnr_iter_ret 2762 cfg802121_mld_ap_rnr_iter(void *_data, u8 type, 2763 const struct ieee80211_neighbor_ap_info *info, 2764 const u8 *tbtt_info, u8 tbtt_info_len) 2765 { 2766 const struct ieee80211_rnr_mld_params *mld_params; 2767 struct tbtt_info_iter_data *data = _data; 2768 u8 link_id; 2769 bool non_tx = false; 2770 2771 if (type == IEEE80211_TBTT_INFO_TYPE_TBTT && 2772 tbtt_info_len >= offsetofend(struct ieee80211_tbtt_info_ge_11, 2773 mld_params)) { 2774 const struct ieee80211_tbtt_info_ge_11 *tbtt_info_ge_11 = 2775 (void *)tbtt_info; 2776 2777 non_tx = (tbtt_info_ge_11->bss_params & 2778 (IEEE80211_RNR_TBTT_PARAMS_MULTI_BSSID | 2779 IEEE80211_RNR_TBTT_PARAMS_TRANSMITTED_BSSID)) == 2780 IEEE80211_RNR_TBTT_PARAMS_MULTI_BSSID; 2781 mld_params = &tbtt_info_ge_11->mld_params; 2782 } else if (type == IEEE80211_TBTT_INFO_TYPE_MLD && 2783 tbtt_info_len >= sizeof(struct ieee80211_rnr_mld_params)) 2784 mld_params = (void *)tbtt_info; 2785 else 2786 return RNR_ITER_CONTINUE; 2787 2788 link_id = le16_get_bits(mld_params->params, 2789 IEEE80211_RNR_MLD_PARAMS_LINK_ID); 2790 2791 if (data->mld_id != mld_params->mld_id) 2792 return RNR_ITER_CONTINUE; 2793 2794 if (data->link_id != link_id) 2795 return RNR_ITER_CONTINUE; 2796 2797 data->ap_info = info; 2798 data->param_ch_count = 2799 le16_get_bits(mld_params->params, 2800 IEEE80211_RNR_MLD_PARAMS_BSS_CHANGE_COUNT); 2801 data->non_tx = non_tx; 2802 2803 if (type == IEEE80211_TBTT_INFO_TYPE_TBTT) 2804 data->use_for = NL80211_BSS_USE_FOR_ALL; 2805 else 2806 data->use_for = NL80211_BSS_USE_FOR_MLD_LINK; 2807 return RNR_ITER_BREAK; 2808 } 2809 2810 static u8 2811 cfg80211_rnr_info_for_mld_ap(const u8 *ie, size_t ielen, u8 mld_id, u8 link_id, 2812 const struct ieee80211_neighbor_ap_info **ap_info, 2813 u8 *param_ch_count, bool *non_tx) 2814 { 2815 struct tbtt_info_iter_data data = { 2816 .mld_id = mld_id, 2817 .link_id = link_id, 2818 }; 2819 2820 cfg80211_iter_rnr(ie, ielen, cfg802121_mld_ap_rnr_iter, &data); 2821 2822 *ap_info = data.ap_info; 2823 *param_ch_count = data.param_ch_count; 2824 *non_tx = data.non_tx; 2825 2826 return data.use_for; 2827 } 2828 2829 static struct element * 2830 cfg80211_gen_reporter_rnr(struct cfg80211_bss *source_bss, bool is_mbssid, 2831 bool same_mld, u8 link_id, u8 bss_change_count, 2832 gfp_t gfp) 2833 { 2834 const struct cfg80211_bss_ies *ies; 2835 struct ieee80211_neighbor_ap_info ap_info; 2836 struct ieee80211_tbtt_info_ge_11 tbtt_info; 2837 u32 short_ssid; 2838 const struct element *elem; 2839 struct element *res; 2840 2841 /* 2842 * We only generate the RNR to permit ML lookups. For that we do not 2843 * need an entry for the corresponding transmitting BSS, lets just skip 2844 * it even though it would be easy to add. 2845 */ 2846 if (!same_mld) 2847 return NULL; 2848 2849 /* We could use tx_data->ies if we change cfg80211_calc_short_ssid */ 2850 rcu_read_lock(); 2851 ies = rcu_dereference(source_bss->ies); 2852 2853 ap_info.tbtt_info_len = offsetofend(typeof(tbtt_info), mld_params); 2854 ap_info.tbtt_info_hdr = 2855 u8_encode_bits(IEEE80211_TBTT_INFO_TYPE_TBTT, 2856 IEEE80211_AP_INFO_TBTT_HDR_TYPE) | 2857 u8_encode_bits(0, IEEE80211_AP_INFO_TBTT_HDR_COUNT); 2858 2859 ap_info.channel = ieee80211_frequency_to_channel(source_bss->channel->center_freq); 2860 2861 /* operating class */ 2862 elem = cfg80211_find_elem(WLAN_EID_SUPPORTED_REGULATORY_CLASSES, 2863 ies->data, ies->len); 2864 if (elem && elem->datalen >= 1) { 2865 ap_info.op_class = elem->data[0]; 2866 } else { 2867 struct cfg80211_chan_def chandef; 2868 2869 /* The AP is not providing us with anything to work with. So 2870 * make up a somewhat reasonable operating class, but don't 2871 * bother with it too much as no one will ever use the 2872 * information. 2873 */ 2874 cfg80211_chandef_create(&chandef, source_bss->channel, 2875 NL80211_CHAN_NO_HT); 2876 2877 if (!ieee80211_chandef_to_operating_class(&chandef, 2878 &ap_info.op_class)) 2879 goto out_unlock; 2880 } 2881 2882 /* Just set TBTT offset and PSD 20 to invalid/unknown */ 2883 tbtt_info.tbtt_offset = 255; 2884 tbtt_info.psd_20 = IEEE80211_RNR_TBTT_PARAMS_PSD_RESERVED; 2885 2886 memcpy(tbtt_info.bssid, source_bss->bssid, ETH_ALEN); 2887 if (cfg80211_calc_short_ssid(ies, &elem, &short_ssid)) 2888 goto out_unlock; 2889 2890 rcu_read_unlock(); 2891 2892 tbtt_info.short_ssid = cpu_to_le32(short_ssid); 2893 2894 tbtt_info.bss_params = IEEE80211_RNR_TBTT_PARAMS_SAME_SSID; 2895 2896 if (is_mbssid) { 2897 tbtt_info.bss_params |= IEEE80211_RNR_TBTT_PARAMS_MULTI_BSSID; 2898 tbtt_info.bss_params |= IEEE80211_RNR_TBTT_PARAMS_TRANSMITTED_BSSID; 2899 } 2900 2901 tbtt_info.mld_params.mld_id = 0; 2902 tbtt_info.mld_params.params = 2903 le16_encode_bits(link_id, IEEE80211_RNR_MLD_PARAMS_LINK_ID) | 2904 le16_encode_bits(bss_change_count, 2905 IEEE80211_RNR_MLD_PARAMS_BSS_CHANGE_COUNT); 2906 2907 res = kzalloc(struct_size(res, data, 2908 sizeof(ap_info) + ap_info.tbtt_info_len), 2909 gfp); 2910 if (!res) 2911 return NULL; 2912 2913 /* Copy the data */ 2914 res->id = WLAN_EID_REDUCED_NEIGHBOR_REPORT; 2915 res->datalen = sizeof(ap_info) + ap_info.tbtt_info_len; 2916 memcpy(res->data, &ap_info, sizeof(ap_info)); 2917 memcpy(res->data + sizeof(ap_info), &tbtt_info, ap_info.tbtt_info_len); 2918 2919 return res; 2920 2921 out_unlock: 2922 rcu_read_unlock(); 2923 return NULL; 2924 } 2925 2926 static void 2927 cfg80211_parse_ml_elem_sta_data(struct wiphy *wiphy, 2928 struct cfg80211_inform_single_bss_data *tx_data, 2929 struct cfg80211_bss *source_bss, 2930 const struct element *elem, 2931 gfp_t gfp) 2932 { 2933 struct cfg80211_inform_single_bss_data data = { 2934 .drv_data = tx_data->drv_data, 2935 .ftype = tx_data->ftype, 2936 .source_bss = source_bss, 2937 .bss_source = BSS_SOURCE_STA_PROFILE, 2938 }; 2939 struct element *reporter_rnr = NULL; 2940 struct ieee80211_multi_link_elem *ml_elem; 2941 struct cfg80211_mle *mle; 2942 const struct element *ssid_elem; 2943 const u8 *ssid = NULL; 2944 size_t ssid_len = 0; 2945 u16 control; 2946 u8 ml_common_len; 2947 u8 *new_ie = NULL; 2948 struct cfg80211_bss *bss; 2949 u8 mld_id, reporter_link_id, bss_change_count; 2950 u16 seen_links = 0; 2951 u8 i; 2952 2953 if (!ieee80211_mle_type_ok(elem->data + 1, 2954 IEEE80211_ML_CONTROL_TYPE_BASIC, 2955 elem->datalen - 1)) 2956 return; 2957 2958 ml_elem = (void *)(elem->data + 1); 2959 control = le16_to_cpu(ml_elem->control); 2960 ml_common_len = ml_elem->variable[0]; 2961 2962 /* Must be present when transmitted by an AP (in a probe response) */ 2963 if (!(control & IEEE80211_MLC_BASIC_PRES_BSS_PARAM_CH_CNT) || 2964 !(control & IEEE80211_MLC_BASIC_PRES_LINK_ID) || 2965 !(control & IEEE80211_MLC_BASIC_PRES_MLD_CAPA_OP)) 2966 return; 2967 2968 reporter_link_id = ieee80211_mle_get_link_id(elem->data + 1); 2969 bss_change_count = ieee80211_mle_get_bss_param_ch_cnt(elem->data + 1); 2970 2971 /* 2972 * The MLD ID of the reporting AP is always zero. It is set if the AP 2973 * is part of an MBSSID set and will be non-zero for ML Elements 2974 * relating to a nontransmitted BSS (matching the Multi-BSSID Index, 2975 * Draft P802.11be_D3.2, 35.3.4.2) 2976 */ 2977 mld_id = ieee80211_mle_get_mld_id(elem->data + 1); 2978 2979 /* Fully defrag the ML element for sta information/profile iteration */ 2980 mle = cfg80211_defrag_mle(elem, tx_data->ie, tx_data->ielen, gfp); 2981 if (!mle) 2982 return; 2983 2984 /* No point in doing anything if there is no per-STA profile */ 2985 if (!mle->sta_prof[0]) 2986 goto out; 2987 2988 new_ie = kmalloc(IEEE80211_MAX_DATA_LEN, gfp); 2989 if (!new_ie) 2990 goto out; 2991 2992 reporter_rnr = cfg80211_gen_reporter_rnr(source_bss, 2993 u16_get_bits(control, 2994 IEEE80211_MLC_BASIC_PRES_MLD_ID), 2995 mld_id == 0, reporter_link_id, 2996 bss_change_count, 2997 gfp); 2998 2999 ssid_elem = cfg80211_find_elem(WLAN_EID_SSID, tx_data->ie, 3000 tx_data->ielen); 3001 if (ssid_elem) { 3002 ssid = ssid_elem->data; 3003 ssid_len = ssid_elem->datalen; 3004 } 3005 3006 for (i = 0; i < ARRAY_SIZE(mle->sta_prof) && mle->sta_prof[i]; i++) { 3007 const struct ieee80211_neighbor_ap_info *ap_info; 3008 enum nl80211_band band; 3009 u32 freq; 3010 const u8 *profile; 3011 ssize_t profile_len; 3012 u8 param_ch_count; 3013 u8 link_id, use_for; 3014 bool non_tx; 3015 3016 if (!ieee80211_mle_basic_sta_prof_size_ok((u8 *)mle->sta_prof[i], 3017 mle->sta_prof_len[i])) 3018 continue; 3019 3020 control = le16_to_cpu(mle->sta_prof[i]->control); 3021 3022 if (!(control & IEEE80211_MLE_STA_CONTROL_COMPLETE_PROFILE)) 3023 continue; 3024 3025 link_id = u16_get_bits(control, 3026 IEEE80211_MLE_STA_CONTROL_LINK_ID); 3027 if (seen_links & BIT(link_id)) 3028 break; 3029 seen_links |= BIT(link_id); 3030 3031 if (!(control & IEEE80211_MLE_STA_CONTROL_BEACON_INT_PRESENT) || 3032 !(control & IEEE80211_MLE_STA_CONTROL_TSF_OFFS_PRESENT) || 3033 !(control & IEEE80211_MLE_STA_CONTROL_STA_MAC_ADDR_PRESENT)) 3034 continue; 3035 3036 memcpy(data.bssid, mle->sta_prof[i]->variable, ETH_ALEN); 3037 data.beacon_interval = 3038 get_unaligned_le16(mle->sta_prof[i]->variable + 6); 3039 data.tsf = tx_data->tsf + 3040 get_unaligned_le64(mle->sta_prof[i]->variable + 8); 3041 3042 /* sta_info_len counts itself */ 3043 profile = mle->sta_prof[i]->variable + 3044 mle->sta_prof[i]->sta_info_len - 1; 3045 profile_len = (u8 *)mle->sta_prof[i] + mle->sta_prof_len[i] - 3046 profile; 3047 3048 if (profile_len < 2) 3049 continue; 3050 3051 data.capability = get_unaligned_le16(profile); 3052 profile += 2; 3053 profile_len -= 2; 3054 3055 /* Find in RNR to look up channel information */ 3056 use_for = cfg80211_rnr_info_for_mld_ap(tx_data->ie, 3057 tx_data->ielen, 3058 mld_id, link_id, 3059 &ap_info, 3060 ¶m_ch_count, 3061 &non_tx); 3062 if (!use_for) 3063 continue; 3064 3065 /* 3066 * As of 802.11be_D5.0, the specification does not give us any 3067 * way of discovering both the MaxBSSID and the Multiple-BSSID 3068 * Index. It does seem like the Multiple-BSSID Index element 3069 * may be provided, but section 9.4.2.45 explicitly forbids 3070 * including a Multiple-BSSID Element (in this case without any 3071 * subelements). 3072 * Without both pieces of information we cannot calculate the 3073 * reference BSSID, so simply ignore the BSS. 3074 */ 3075 if (non_tx) 3076 continue; 3077 3078 /* We could sanity check the BSSID is included */ 3079 3080 if (!ieee80211_operating_class_to_band(ap_info->op_class, 3081 &band)) 3082 continue; 3083 3084 freq = ieee80211_channel_to_freq_khz(ap_info->channel, band); 3085 data.channel = ieee80211_get_channel_khz(wiphy, freq); 3086 3087 /* Skip if RNR element specifies an unsupported channel */ 3088 if (!data.channel) 3089 continue; 3090 3091 /* Skip if BSS entry generated from MBSSID or DIRECT source 3092 * frame data available already. 3093 */ 3094 bss = cfg80211_get_bss(wiphy, data.channel, data.bssid, ssid, 3095 ssid_len, IEEE80211_BSS_TYPE_ANY, 3096 IEEE80211_PRIVACY_ANY); 3097 if (bss) { 3098 struct cfg80211_internal_bss *ibss = bss_from_pub(bss); 3099 3100 if (data.capability == bss->capability && 3101 ibss->bss_source != BSS_SOURCE_STA_PROFILE) { 3102 cfg80211_put_bss(wiphy, bss); 3103 continue; 3104 } 3105 cfg80211_put_bss(wiphy, bss); 3106 } 3107 3108 if (use_for == NL80211_BSS_USE_FOR_MLD_LINK && 3109 !(wiphy->flags & WIPHY_FLAG_SUPPORTS_NSTR_NONPRIMARY)) { 3110 use_for = 0; 3111 data.cannot_use_reasons = 3112 NL80211_BSS_CANNOT_USE_NSTR_NONPRIMARY; 3113 } 3114 data.use_for = use_for; 3115 3116 /* Generate new elements */ 3117 memset(new_ie, 0, IEEE80211_MAX_DATA_LEN); 3118 data.ie = new_ie; 3119 data.ielen = cfg80211_gen_new_ie(tx_data->ie, tx_data->ielen, 3120 profile, profile_len, 3121 new_ie, 3122 IEEE80211_MAX_DATA_LEN); 3123 if (!data.ielen) 3124 continue; 3125 3126 /* The generated elements do not contain: 3127 * - Basic ML element 3128 * - A TBTT entry in the RNR for the transmitting AP 3129 * 3130 * This information is needed both internally and in userspace 3131 * as such, we should append it here. 3132 */ 3133 if (data.ielen + 3 + sizeof(*ml_elem) + ml_common_len > 3134 IEEE80211_MAX_DATA_LEN) 3135 continue; 3136 3137 /* Copy the Basic Multi-Link element including the common 3138 * information, and then fix up the link ID and BSS param 3139 * change count. 3140 * Note that the ML element length has been verified and we 3141 * also checked that it contains the link ID. 3142 */ 3143 new_ie[data.ielen++] = WLAN_EID_EXTENSION; 3144 new_ie[data.ielen++] = 1 + sizeof(*ml_elem) + ml_common_len; 3145 new_ie[data.ielen++] = WLAN_EID_EXT_EHT_MULTI_LINK; 3146 memcpy(new_ie + data.ielen, ml_elem, 3147 sizeof(*ml_elem) + ml_common_len); 3148 3149 new_ie[data.ielen + sizeof(*ml_elem) + 1 + ETH_ALEN] = link_id; 3150 new_ie[data.ielen + sizeof(*ml_elem) + 1 + ETH_ALEN + 1] = 3151 param_ch_count; 3152 3153 data.ielen += sizeof(*ml_elem) + ml_common_len; 3154 3155 if (reporter_rnr && (use_for & NL80211_BSS_USE_FOR_NORMAL)) { 3156 if (data.ielen + sizeof(struct element) + 3157 reporter_rnr->datalen > IEEE80211_MAX_DATA_LEN) 3158 continue; 3159 3160 memcpy(new_ie + data.ielen, reporter_rnr, 3161 sizeof(struct element) + reporter_rnr->datalen); 3162 data.ielen += sizeof(struct element) + 3163 reporter_rnr->datalen; 3164 } 3165 3166 bss = cfg80211_inform_single_bss_data(wiphy, &data, gfp); 3167 if (!bss) 3168 break; 3169 cfg80211_put_bss(wiphy, bss); 3170 } 3171 3172 out: 3173 kfree(reporter_rnr); 3174 kfree(new_ie); 3175 kfree(mle); 3176 } 3177 3178 static void cfg80211_parse_ml_sta_data(struct wiphy *wiphy, 3179 struct cfg80211_inform_single_bss_data *tx_data, 3180 struct cfg80211_bss *source_bss, 3181 gfp_t gfp) 3182 { 3183 const struct element *elem; 3184 3185 if (!source_bss) 3186 return; 3187 3188 if (tx_data->ftype != CFG80211_BSS_FTYPE_PRESP) 3189 return; 3190 3191 for_each_element_extid(elem, WLAN_EID_EXT_EHT_MULTI_LINK, 3192 tx_data->ie, tx_data->ielen) 3193 cfg80211_parse_ml_elem_sta_data(wiphy, tx_data, source_bss, 3194 elem, gfp); 3195 } 3196 3197 struct cfg80211_bss * 3198 cfg80211_inform_bss_data(struct wiphy *wiphy, 3199 struct cfg80211_inform_bss *data, 3200 enum cfg80211_bss_frame_type ftype, 3201 const u8 *bssid, u64 tsf, u16 capability, 3202 u16 beacon_interval, const u8 *ie, size_t ielen, 3203 gfp_t gfp) 3204 { 3205 struct cfg80211_inform_single_bss_data inform_data = { 3206 .drv_data = data, 3207 .ftype = ftype, 3208 .tsf = tsf, 3209 .capability = capability, 3210 .beacon_interval = beacon_interval, 3211 .ie = ie, 3212 .ielen = ielen, 3213 .use_for = data->restrict_use ? 3214 data->use_for : 3215 NL80211_BSS_USE_FOR_ALL, 3216 .cannot_use_reasons = data->cannot_use_reasons, 3217 }; 3218 struct cfg80211_bss *res; 3219 3220 memcpy(inform_data.bssid, bssid, ETH_ALEN); 3221 3222 res = cfg80211_inform_single_bss_data(wiphy, &inform_data, gfp); 3223 if (!res) 3224 return NULL; 3225 3226 /* don't do any further MBSSID/ML handling for S1G */ 3227 if (ftype == CFG80211_BSS_FTYPE_S1G_BEACON) 3228 return res; 3229 3230 cfg80211_parse_mbssid_data(wiphy, &inform_data, res, gfp); 3231 3232 cfg80211_parse_ml_sta_data(wiphy, &inform_data, res, gfp); 3233 3234 return res; 3235 } 3236 EXPORT_SYMBOL(cfg80211_inform_bss_data); 3237 3238 struct cfg80211_bss * 3239 cfg80211_inform_bss_frame_data(struct wiphy *wiphy, 3240 struct cfg80211_inform_bss *data, 3241 struct ieee80211_mgmt *mgmt, size_t len, 3242 gfp_t gfp) 3243 { 3244 size_t min_hdr_len; 3245 struct ieee80211_ext *ext = NULL; 3246 enum cfg80211_bss_frame_type ftype; 3247 u16 beacon_interval; 3248 const u8 *bssid; 3249 u16 capability; 3250 const u8 *ie; 3251 size_t ielen; 3252 u64 tsf; 3253 3254 if (WARN_ON(!mgmt)) 3255 return NULL; 3256 3257 if (WARN_ON(!wiphy)) 3258 return NULL; 3259 3260 BUILD_BUG_ON(offsetof(struct ieee80211_mgmt, u.probe_resp.variable) != 3261 offsetof(struct ieee80211_mgmt, u.beacon.variable)); 3262 3263 trace_cfg80211_inform_bss_frame(wiphy, data, mgmt, len); 3264 3265 if (ieee80211_is_s1g_beacon(mgmt->frame_control)) { 3266 ext = (void *) mgmt; 3267 if (ieee80211_is_s1g_short_beacon(mgmt->frame_control)) 3268 min_hdr_len = offsetof(struct ieee80211_ext, 3269 u.s1g_short_beacon.variable); 3270 else 3271 min_hdr_len = offsetof(struct ieee80211_ext, 3272 u.s1g_beacon.variable); 3273 } else { 3274 /* same for beacons */ 3275 min_hdr_len = offsetof(struct ieee80211_mgmt, 3276 u.probe_resp.variable); 3277 } 3278 3279 if (WARN_ON(len < min_hdr_len)) 3280 return NULL; 3281 3282 ielen = len - min_hdr_len; 3283 ie = mgmt->u.probe_resp.variable; 3284 if (ext) { 3285 const struct ieee80211_s1g_bcn_compat_ie *compat; 3286 const struct element *elem; 3287 3288 if (ieee80211_is_s1g_short_beacon(mgmt->frame_control)) 3289 ie = ext->u.s1g_short_beacon.variable; 3290 else 3291 ie = ext->u.s1g_beacon.variable; 3292 3293 elem = cfg80211_find_elem(WLAN_EID_S1G_BCN_COMPAT, ie, ielen); 3294 if (!elem) 3295 return NULL; 3296 if (elem->datalen < sizeof(*compat)) 3297 return NULL; 3298 compat = (void *)elem->data; 3299 bssid = ext->u.s1g_beacon.sa; 3300 capability = le16_to_cpu(compat->compat_info); 3301 beacon_interval = le16_to_cpu(compat->beacon_int); 3302 } else { 3303 bssid = mgmt->bssid; 3304 beacon_interval = le16_to_cpu(mgmt->u.probe_resp.beacon_int); 3305 capability = le16_to_cpu(mgmt->u.probe_resp.capab_info); 3306 } 3307 3308 tsf = le64_to_cpu(mgmt->u.probe_resp.timestamp); 3309 3310 if (ieee80211_is_probe_resp(mgmt->frame_control)) 3311 ftype = CFG80211_BSS_FTYPE_PRESP; 3312 else if (ext) 3313 ftype = CFG80211_BSS_FTYPE_S1G_BEACON; 3314 else 3315 ftype = CFG80211_BSS_FTYPE_BEACON; 3316 3317 return cfg80211_inform_bss_data(wiphy, data, ftype, 3318 bssid, tsf, capability, 3319 beacon_interval, ie, ielen, 3320 gfp); 3321 } 3322 EXPORT_SYMBOL(cfg80211_inform_bss_frame_data); 3323 3324 void cfg80211_ref_bss(struct wiphy *wiphy, struct cfg80211_bss *pub) 3325 { 3326 struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy); 3327 3328 if (!pub) 3329 return; 3330 3331 spin_lock_bh(&rdev->bss_lock); 3332 bss_ref_get(rdev, bss_from_pub(pub)); 3333 spin_unlock_bh(&rdev->bss_lock); 3334 } 3335 EXPORT_SYMBOL(cfg80211_ref_bss); 3336 3337 void cfg80211_put_bss(struct wiphy *wiphy, struct cfg80211_bss *pub) 3338 { 3339 struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy); 3340 3341 if (!pub) 3342 return; 3343 3344 spin_lock_bh(&rdev->bss_lock); 3345 bss_ref_put(rdev, bss_from_pub(pub)); 3346 spin_unlock_bh(&rdev->bss_lock); 3347 } 3348 EXPORT_SYMBOL(cfg80211_put_bss); 3349 3350 void cfg80211_unlink_bss(struct wiphy *wiphy, struct cfg80211_bss *pub) 3351 { 3352 struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy); 3353 struct cfg80211_internal_bss *bss, *tmp1; 3354 struct cfg80211_bss *nontrans_bss, *tmp; 3355 3356 if (WARN_ON(!pub)) 3357 return; 3358 3359 bss = bss_from_pub(pub); 3360 3361 spin_lock_bh(&rdev->bss_lock); 3362 if (list_empty(&bss->list)) 3363 goto out; 3364 3365 list_for_each_entry_safe(nontrans_bss, tmp, 3366 &pub->nontrans_list, 3367 nontrans_list) { 3368 tmp1 = bss_from_pub(nontrans_bss); 3369 if (__cfg80211_unlink_bss(rdev, tmp1)) 3370 rdev->bss_generation++; 3371 } 3372 3373 if (__cfg80211_unlink_bss(rdev, bss)) 3374 rdev->bss_generation++; 3375 out: 3376 spin_unlock_bh(&rdev->bss_lock); 3377 } 3378 EXPORT_SYMBOL(cfg80211_unlink_bss); 3379 3380 void cfg80211_bss_iter(struct wiphy *wiphy, 3381 struct cfg80211_chan_def *chandef, 3382 void (*iter)(struct wiphy *wiphy, 3383 struct cfg80211_bss *bss, 3384 void *data), 3385 void *iter_data) 3386 { 3387 struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy); 3388 struct cfg80211_internal_bss *bss; 3389 3390 spin_lock_bh(&rdev->bss_lock); 3391 3392 list_for_each_entry(bss, &rdev->bss_list, list) { 3393 if (!chandef || cfg80211_is_sub_chan(chandef, bss->pub.channel, 3394 false)) 3395 iter(wiphy, &bss->pub, iter_data); 3396 } 3397 3398 spin_unlock_bh(&rdev->bss_lock); 3399 } 3400 EXPORT_SYMBOL(cfg80211_bss_iter); 3401 3402 void cfg80211_update_assoc_bss_entry(struct wireless_dev *wdev, 3403 unsigned int link_id, 3404 struct ieee80211_channel *chan) 3405 { 3406 struct wiphy *wiphy = wdev->wiphy; 3407 struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy); 3408 struct cfg80211_internal_bss *cbss = wdev->links[link_id].client.current_bss; 3409 struct cfg80211_internal_bss *new = NULL; 3410 struct cfg80211_internal_bss *bss; 3411 struct cfg80211_bss *nontrans_bss; 3412 struct cfg80211_bss *tmp; 3413 3414 spin_lock_bh(&rdev->bss_lock); 3415 3416 /* 3417 * Some APs use CSA also for bandwidth changes, i.e., without actually 3418 * changing the control channel, so no need to update in such a case. 3419 */ 3420 if (cbss->pub.channel == chan) 3421 goto done; 3422 3423 /* use transmitting bss */ 3424 if (cbss->pub.transmitted_bss) 3425 cbss = bss_from_pub(cbss->pub.transmitted_bss); 3426 3427 cbss->pub.channel = chan; 3428 3429 list_for_each_entry(bss, &rdev->bss_list, list) { 3430 if (!cfg80211_bss_type_match(bss->pub.capability, 3431 bss->pub.channel->band, 3432 wdev->conn_bss_type)) 3433 continue; 3434 3435 if (bss == cbss) 3436 continue; 3437 3438 if (!cmp_bss(&bss->pub, &cbss->pub, BSS_CMP_REGULAR)) { 3439 new = bss; 3440 break; 3441 } 3442 } 3443 3444 if (new) { 3445 /* to save time, update IEs for transmitting bss only */ 3446 cfg80211_update_known_bss(rdev, cbss, new, false); 3447 new->pub.proberesp_ies = NULL; 3448 new->pub.beacon_ies = NULL; 3449 3450 list_for_each_entry_safe(nontrans_bss, tmp, 3451 &new->pub.nontrans_list, 3452 nontrans_list) { 3453 bss = bss_from_pub(nontrans_bss); 3454 if (__cfg80211_unlink_bss(rdev, bss)) 3455 rdev->bss_generation++; 3456 } 3457 3458 WARN_ON(atomic_read(&new->hold)); 3459 if (!WARN_ON(!__cfg80211_unlink_bss(rdev, new))) 3460 rdev->bss_generation++; 3461 } 3462 cfg80211_rehash_bss(rdev, cbss); 3463 3464 list_for_each_entry_safe(nontrans_bss, tmp, 3465 &cbss->pub.nontrans_list, 3466 nontrans_list) { 3467 bss = bss_from_pub(nontrans_bss); 3468 bss->pub.channel = chan; 3469 cfg80211_rehash_bss(rdev, bss); 3470 } 3471 3472 done: 3473 spin_unlock_bh(&rdev->bss_lock); 3474 } 3475 3476 #ifdef CONFIG_CFG80211_WEXT 3477 static struct cfg80211_registered_device * 3478 cfg80211_get_dev_from_ifindex(struct net *net, int ifindex) 3479 { 3480 struct cfg80211_registered_device *rdev; 3481 struct net_device *dev; 3482 3483 ASSERT_RTNL(); 3484 3485 dev = dev_get_by_index(net, ifindex); 3486 if (!dev) 3487 return ERR_PTR(-ENODEV); 3488 if (dev->ieee80211_ptr) 3489 rdev = wiphy_to_rdev(dev->ieee80211_ptr->wiphy); 3490 else 3491 rdev = ERR_PTR(-ENODEV); 3492 dev_put(dev); 3493 return rdev; 3494 } 3495 3496 int cfg80211_wext_siwscan(struct net_device *dev, 3497 struct iw_request_info *info, 3498 union iwreq_data *wrqu, char *extra) 3499 { 3500 struct cfg80211_registered_device *rdev; 3501 struct wiphy *wiphy; 3502 struct iw_scan_req *wreq = NULL; 3503 struct cfg80211_scan_request *creq; 3504 int i, err, n_channels = 0; 3505 enum nl80211_band band; 3506 3507 if (!netif_running(dev)) 3508 return -ENETDOWN; 3509 3510 if (wrqu->data.length == sizeof(struct iw_scan_req)) 3511 wreq = (struct iw_scan_req *)extra; 3512 3513 rdev = cfg80211_get_dev_from_ifindex(dev_net(dev), dev->ifindex); 3514 3515 if (IS_ERR(rdev)) 3516 return PTR_ERR(rdev); 3517 3518 if (rdev->scan_req || rdev->scan_msg) 3519 return -EBUSY; 3520 3521 wiphy = &rdev->wiphy; 3522 3523 /* Determine number of channels, needed to allocate creq */ 3524 if (wreq && wreq->num_channels) { 3525 /* Passed from userspace so should be checked */ 3526 if (unlikely(wreq->num_channels > IW_MAX_FREQUENCIES)) 3527 return -EINVAL; 3528 n_channels = wreq->num_channels; 3529 } else { 3530 n_channels = ieee80211_get_num_supported_channels(wiphy); 3531 } 3532 3533 creq = kzalloc(struct_size(creq, channels, n_channels) + 3534 sizeof(struct cfg80211_ssid), 3535 GFP_ATOMIC); 3536 if (!creq) 3537 return -ENOMEM; 3538 3539 creq->wiphy = wiphy; 3540 creq->wdev = dev->ieee80211_ptr; 3541 /* SSIDs come after channels */ 3542 creq->ssids = (void *)creq + struct_size(creq, channels, n_channels); 3543 creq->n_channels = n_channels; 3544 creq->n_ssids = 1; 3545 creq->scan_start = jiffies; 3546 3547 /* translate "Scan on frequencies" request */ 3548 i = 0; 3549 for (band = 0; band < NUM_NL80211_BANDS; band++) { 3550 int j; 3551 3552 if (!wiphy->bands[band]) 3553 continue; 3554 3555 for (j = 0; j < wiphy->bands[band]->n_channels; j++) { 3556 struct ieee80211_channel *chan; 3557 3558 /* ignore disabled channels */ 3559 chan = &wiphy->bands[band]->channels[j]; 3560 if (chan->flags & IEEE80211_CHAN_DISABLED || 3561 !cfg80211_wdev_channel_allowed(creq->wdev, chan)) 3562 continue; 3563 3564 /* If we have a wireless request structure and the 3565 * wireless request specifies frequencies, then search 3566 * for the matching hardware channel. 3567 */ 3568 if (wreq && wreq->num_channels) { 3569 int k; 3570 int wiphy_freq = wiphy->bands[band]->channels[j].center_freq; 3571 for (k = 0; k < wreq->num_channels; k++) { 3572 struct iw_freq *freq = 3573 &wreq->channel_list[k]; 3574 int wext_freq = 3575 cfg80211_wext_freq(freq); 3576 3577 if (wext_freq == wiphy_freq) 3578 goto wext_freq_found; 3579 } 3580 goto wext_freq_not_found; 3581 } 3582 3583 wext_freq_found: 3584 creq->channels[i] = &wiphy->bands[band]->channels[j]; 3585 i++; 3586 wext_freq_not_found: ; 3587 } 3588 } 3589 /* No channels found? */ 3590 if (!i) { 3591 err = -EINVAL; 3592 goto out; 3593 } 3594 3595 /* Set real number of channels specified in creq->channels[] */ 3596 creq->n_channels = i; 3597 3598 /* translate "Scan for SSID" request */ 3599 if (wreq) { 3600 if (wrqu->data.flags & IW_SCAN_THIS_ESSID) { 3601 if (wreq->essid_len > IEEE80211_MAX_SSID_LEN) 3602 return -EINVAL; 3603 memcpy(creq->ssids[0].ssid, wreq->essid, wreq->essid_len); 3604 creq->ssids[0].ssid_len = wreq->essid_len; 3605 } 3606 if (wreq->scan_type == IW_SCAN_TYPE_PASSIVE) { 3607 creq->ssids = NULL; 3608 creq->n_ssids = 0; 3609 } 3610 } 3611 3612 for (i = 0; i < NUM_NL80211_BANDS; i++) 3613 if (wiphy->bands[i]) 3614 creq->rates[i] = (1 << wiphy->bands[i]->n_bitrates) - 1; 3615 3616 eth_broadcast_addr(creq->bssid); 3617 3618 scoped_guard(wiphy, &rdev->wiphy) { 3619 rdev->scan_req = creq; 3620 err = rdev_scan(rdev, creq); 3621 if (err) { 3622 rdev->scan_req = NULL; 3623 /* creq will be freed below */ 3624 } else { 3625 nl80211_send_scan_start(rdev, dev->ieee80211_ptr); 3626 /* creq now owned by driver */ 3627 creq = NULL; 3628 dev_hold(dev); 3629 } 3630 } 3631 3632 out: 3633 kfree(creq); 3634 return err; 3635 } 3636 3637 static char *ieee80211_scan_add_ies(struct iw_request_info *info, 3638 const struct cfg80211_bss_ies *ies, 3639 char *current_ev, char *end_buf) 3640 { 3641 const u8 *pos, *end, *next; 3642 struct iw_event iwe; 3643 3644 if (!ies) 3645 return current_ev; 3646 3647 /* 3648 * If needed, fragment the IEs buffer (at IE boundaries) into short 3649 * enough fragments to fit into IW_GENERIC_IE_MAX octet messages. 3650 */ 3651 pos = ies->data; 3652 end = pos + ies->len; 3653 3654 while (end - pos > IW_GENERIC_IE_MAX) { 3655 next = pos + 2 + pos[1]; 3656 while (next + 2 + next[1] - pos < IW_GENERIC_IE_MAX) 3657 next = next + 2 + next[1]; 3658 3659 memset(&iwe, 0, sizeof(iwe)); 3660 iwe.cmd = IWEVGENIE; 3661 iwe.u.data.length = next - pos; 3662 current_ev = iwe_stream_add_point_check(info, current_ev, 3663 end_buf, &iwe, 3664 (void *)pos); 3665 if (IS_ERR(current_ev)) 3666 return current_ev; 3667 pos = next; 3668 } 3669 3670 if (end > pos) { 3671 memset(&iwe, 0, sizeof(iwe)); 3672 iwe.cmd = IWEVGENIE; 3673 iwe.u.data.length = end - pos; 3674 current_ev = iwe_stream_add_point_check(info, current_ev, 3675 end_buf, &iwe, 3676 (void *)pos); 3677 if (IS_ERR(current_ev)) 3678 return current_ev; 3679 } 3680 3681 return current_ev; 3682 } 3683 3684 static char * 3685 ieee80211_bss(struct wiphy *wiphy, struct iw_request_info *info, 3686 struct cfg80211_internal_bss *bss, char *current_ev, 3687 char *end_buf) 3688 { 3689 const struct cfg80211_bss_ies *ies; 3690 struct iw_event iwe; 3691 const u8 *ie; 3692 u8 buf[50]; 3693 u8 *cfg, *p, *tmp; 3694 int rem, i, sig; 3695 bool ismesh = false; 3696 3697 memset(&iwe, 0, sizeof(iwe)); 3698 iwe.cmd = SIOCGIWAP; 3699 iwe.u.ap_addr.sa_family = ARPHRD_ETHER; 3700 memcpy(iwe.u.ap_addr.sa_data, bss->pub.bssid, ETH_ALEN); 3701 current_ev = iwe_stream_add_event_check(info, current_ev, end_buf, &iwe, 3702 IW_EV_ADDR_LEN); 3703 if (IS_ERR(current_ev)) 3704 return current_ev; 3705 3706 memset(&iwe, 0, sizeof(iwe)); 3707 iwe.cmd = SIOCGIWFREQ; 3708 iwe.u.freq.m = ieee80211_frequency_to_channel(bss->pub.channel->center_freq); 3709 iwe.u.freq.e = 0; 3710 current_ev = iwe_stream_add_event_check(info, current_ev, end_buf, &iwe, 3711 IW_EV_FREQ_LEN); 3712 if (IS_ERR(current_ev)) 3713 return current_ev; 3714 3715 memset(&iwe, 0, sizeof(iwe)); 3716 iwe.cmd = SIOCGIWFREQ; 3717 iwe.u.freq.m = bss->pub.channel->center_freq; 3718 iwe.u.freq.e = 6; 3719 current_ev = iwe_stream_add_event_check(info, current_ev, end_buf, &iwe, 3720 IW_EV_FREQ_LEN); 3721 if (IS_ERR(current_ev)) 3722 return current_ev; 3723 3724 if (wiphy->signal_type != CFG80211_SIGNAL_TYPE_NONE) { 3725 memset(&iwe, 0, sizeof(iwe)); 3726 iwe.cmd = IWEVQUAL; 3727 iwe.u.qual.updated = IW_QUAL_LEVEL_UPDATED | 3728 IW_QUAL_NOISE_INVALID | 3729 IW_QUAL_QUAL_UPDATED; 3730 switch (wiphy->signal_type) { 3731 case CFG80211_SIGNAL_TYPE_MBM: 3732 sig = bss->pub.signal / 100; 3733 iwe.u.qual.level = sig; 3734 iwe.u.qual.updated |= IW_QUAL_DBM; 3735 if (sig < -110) /* rather bad */ 3736 sig = -110; 3737 else if (sig > -40) /* perfect */ 3738 sig = -40; 3739 /* will give a range of 0 .. 70 */ 3740 iwe.u.qual.qual = sig + 110; 3741 break; 3742 case CFG80211_SIGNAL_TYPE_UNSPEC: 3743 iwe.u.qual.level = bss->pub.signal; 3744 /* will give range 0 .. 100 */ 3745 iwe.u.qual.qual = bss->pub.signal; 3746 break; 3747 default: 3748 /* not reached */ 3749 break; 3750 } 3751 current_ev = iwe_stream_add_event_check(info, current_ev, 3752 end_buf, &iwe, 3753 IW_EV_QUAL_LEN); 3754 if (IS_ERR(current_ev)) 3755 return current_ev; 3756 } 3757 3758 memset(&iwe, 0, sizeof(iwe)); 3759 iwe.cmd = SIOCGIWENCODE; 3760 if (bss->pub.capability & WLAN_CAPABILITY_PRIVACY) 3761 iwe.u.data.flags = IW_ENCODE_ENABLED | IW_ENCODE_NOKEY; 3762 else 3763 iwe.u.data.flags = IW_ENCODE_DISABLED; 3764 iwe.u.data.length = 0; 3765 current_ev = iwe_stream_add_point_check(info, current_ev, end_buf, 3766 &iwe, ""); 3767 if (IS_ERR(current_ev)) 3768 return current_ev; 3769 3770 rcu_read_lock(); 3771 ies = rcu_dereference(bss->pub.ies); 3772 rem = ies->len; 3773 ie = ies->data; 3774 3775 while (rem >= 2) { 3776 /* invalid data */ 3777 if (ie[1] > rem - 2) 3778 break; 3779 3780 switch (ie[0]) { 3781 case WLAN_EID_SSID: 3782 memset(&iwe, 0, sizeof(iwe)); 3783 iwe.cmd = SIOCGIWESSID; 3784 iwe.u.data.length = ie[1]; 3785 iwe.u.data.flags = 1; 3786 current_ev = iwe_stream_add_point_check(info, 3787 current_ev, 3788 end_buf, &iwe, 3789 (u8 *)ie + 2); 3790 if (IS_ERR(current_ev)) 3791 goto unlock; 3792 break; 3793 case WLAN_EID_MESH_ID: 3794 memset(&iwe, 0, sizeof(iwe)); 3795 iwe.cmd = SIOCGIWESSID; 3796 iwe.u.data.length = ie[1]; 3797 iwe.u.data.flags = 1; 3798 current_ev = iwe_stream_add_point_check(info, 3799 current_ev, 3800 end_buf, &iwe, 3801 (u8 *)ie + 2); 3802 if (IS_ERR(current_ev)) 3803 goto unlock; 3804 break; 3805 case WLAN_EID_MESH_CONFIG: 3806 ismesh = true; 3807 if (ie[1] != sizeof(struct ieee80211_meshconf_ie)) 3808 break; 3809 cfg = (u8 *)ie + 2; 3810 memset(&iwe, 0, sizeof(iwe)); 3811 iwe.cmd = IWEVCUSTOM; 3812 iwe.u.data.length = sprintf(buf, 3813 "Mesh Network Path Selection Protocol ID: 0x%02X", 3814 cfg[0]); 3815 current_ev = iwe_stream_add_point_check(info, 3816 current_ev, 3817 end_buf, 3818 &iwe, buf); 3819 if (IS_ERR(current_ev)) 3820 goto unlock; 3821 iwe.u.data.length = sprintf(buf, 3822 "Path Selection Metric ID: 0x%02X", 3823 cfg[1]); 3824 current_ev = iwe_stream_add_point_check(info, 3825 current_ev, 3826 end_buf, 3827 &iwe, buf); 3828 if (IS_ERR(current_ev)) 3829 goto unlock; 3830 iwe.u.data.length = sprintf(buf, 3831 "Congestion Control Mode ID: 0x%02X", 3832 cfg[2]); 3833 current_ev = iwe_stream_add_point_check(info, 3834 current_ev, 3835 end_buf, 3836 &iwe, buf); 3837 if (IS_ERR(current_ev)) 3838 goto unlock; 3839 iwe.u.data.length = sprintf(buf, 3840 "Synchronization ID: 0x%02X", 3841 cfg[3]); 3842 current_ev = iwe_stream_add_point_check(info, 3843 current_ev, 3844 end_buf, 3845 &iwe, buf); 3846 if (IS_ERR(current_ev)) 3847 goto unlock; 3848 iwe.u.data.length = sprintf(buf, 3849 "Authentication ID: 0x%02X", 3850 cfg[4]); 3851 current_ev = iwe_stream_add_point_check(info, 3852 current_ev, 3853 end_buf, 3854 &iwe, buf); 3855 if (IS_ERR(current_ev)) 3856 goto unlock; 3857 iwe.u.data.length = sprintf(buf, 3858 "Formation Info: 0x%02X", 3859 cfg[5]); 3860 current_ev = iwe_stream_add_point_check(info, 3861 current_ev, 3862 end_buf, 3863 &iwe, buf); 3864 if (IS_ERR(current_ev)) 3865 goto unlock; 3866 iwe.u.data.length = sprintf(buf, 3867 "Capabilities: 0x%02X", 3868 cfg[6]); 3869 current_ev = iwe_stream_add_point_check(info, 3870 current_ev, 3871 end_buf, 3872 &iwe, buf); 3873 if (IS_ERR(current_ev)) 3874 goto unlock; 3875 break; 3876 case WLAN_EID_SUPP_RATES: 3877 case WLAN_EID_EXT_SUPP_RATES: 3878 /* display all supported rates in readable format */ 3879 p = current_ev + iwe_stream_lcp_len(info); 3880 3881 memset(&iwe, 0, sizeof(iwe)); 3882 iwe.cmd = SIOCGIWRATE; 3883 /* Those two flags are ignored... */ 3884 iwe.u.bitrate.fixed = iwe.u.bitrate.disabled = 0; 3885 3886 for (i = 0; i < ie[1]; i++) { 3887 iwe.u.bitrate.value = 3888 ((ie[i + 2] & 0x7f) * 500000); 3889 tmp = p; 3890 p = iwe_stream_add_value(info, current_ev, p, 3891 end_buf, &iwe, 3892 IW_EV_PARAM_LEN); 3893 if (p == tmp) { 3894 current_ev = ERR_PTR(-E2BIG); 3895 goto unlock; 3896 } 3897 } 3898 current_ev = p; 3899 break; 3900 } 3901 rem -= ie[1] + 2; 3902 ie += ie[1] + 2; 3903 } 3904 3905 if (bss->pub.capability & (WLAN_CAPABILITY_ESS | WLAN_CAPABILITY_IBSS) || 3906 ismesh) { 3907 memset(&iwe, 0, sizeof(iwe)); 3908 iwe.cmd = SIOCGIWMODE; 3909 if (ismesh) 3910 iwe.u.mode = IW_MODE_MESH; 3911 else if (bss->pub.capability & WLAN_CAPABILITY_ESS) 3912 iwe.u.mode = IW_MODE_MASTER; 3913 else 3914 iwe.u.mode = IW_MODE_ADHOC; 3915 current_ev = iwe_stream_add_event_check(info, current_ev, 3916 end_buf, &iwe, 3917 IW_EV_UINT_LEN); 3918 if (IS_ERR(current_ev)) 3919 goto unlock; 3920 } 3921 3922 memset(&iwe, 0, sizeof(iwe)); 3923 iwe.cmd = IWEVCUSTOM; 3924 iwe.u.data.length = sprintf(buf, "tsf=%016llx", 3925 (unsigned long long)(ies->tsf)); 3926 current_ev = iwe_stream_add_point_check(info, current_ev, end_buf, 3927 &iwe, buf); 3928 if (IS_ERR(current_ev)) 3929 goto unlock; 3930 memset(&iwe, 0, sizeof(iwe)); 3931 iwe.cmd = IWEVCUSTOM; 3932 iwe.u.data.length = sprintf(buf, " Last beacon: %ums ago", 3933 elapsed_jiffies_msecs(bss->ts)); 3934 current_ev = iwe_stream_add_point_check(info, current_ev, 3935 end_buf, &iwe, buf); 3936 if (IS_ERR(current_ev)) 3937 goto unlock; 3938 3939 current_ev = ieee80211_scan_add_ies(info, ies, current_ev, end_buf); 3940 3941 unlock: 3942 rcu_read_unlock(); 3943 return current_ev; 3944 } 3945 3946 3947 static int ieee80211_scan_results(struct cfg80211_registered_device *rdev, 3948 struct iw_request_info *info, 3949 char *buf, size_t len) 3950 { 3951 char *current_ev = buf; 3952 char *end_buf = buf + len; 3953 struct cfg80211_internal_bss *bss; 3954 int err = 0; 3955 3956 spin_lock_bh(&rdev->bss_lock); 3957 cfg80211_bss_expire(rdev); 3958 3959 list_for_each_entry(bss, &rdev->bss_list, list) { 3960 if (buf + len - current_ev <= IW_EV_ADDR_LEN) { 3961 err = -E2BIG; 3962 break; 3963 } 3964 current_ev = ieee80211_bss(&rdev->wiphy, info, bss, 3965 current_ev, end_buf); 3966 if (IS_ERR(current_ev)) { 3967 err = PTR_ERR(current_ev); 3968 break; 3969 } 3970 } 3971 spin_unlock_bh(&rdev->bss_lock); 3972 3973 if (err) 3974 return err; 3975 return current_ev - buf; 3976 } 3977 3978 3979 int cfg80211_wext_giwscan(struct net_device *dev, 3980 struct iw_request_info *info, 3981 union iwreq_data *wrqu, char *extra) 3982 { 3983 struct iw_point *data = &wrqu->data; 3984 struct cfg80211_registered_device *rdev; 3985 int res; 3986 3987 if (!netif_running(dev)) 3988 return -ENETDOWN; 3989 3990 rdev = cfg80211_get_dev_from_ifindex(dev_net(dev), dev->ifindex); 3991 3992 if (IS_ERR(rdev)) 3993 return PTR_ERR(rdev); 3994 3995 if (rdev->scan_req || rdev->scan_msg) 3996 return -EAGAIN; 3997 3998 res = ieee80211_scan_results(rdev, info, extra, data->length); 3999 data->length = 0; 4000 if (res >= 0) { 4001 data->length = res; 4002 res = 0; 4003 } 4004 4005 return res; 4006 } 4007 #endif 4008