1 // SPDX-License-Identifier: GPL-2.0 2 /* 3 * cfg80211 scan result handling 4 * 5 * Copyright 2008 Johannes Berg <johannes@sipsolutions.net> 6 * Copyright 2013-2014 Intel Mobile Communications GmbH 7 * Copyright 2016 Intel Deutschland GmbH 8 * Copyright (C) 2018-2024 Intel Corporation 9 */ 10 #include <linux/kernel.h> 11 #include <linux/slab.h> 12 #include <linux/module.h> 13 #include <linux/netdevice.h> 14 #include <linux/wireless.h> 15 #include <linux/nl80211.h> 16 #include <linux/etherdevice.h> 17 #include <linux/crc32.h> 18 #include <linux/bitfield.h> 19 #include <net/arp.h> 20 #include <net/cfg80211.h> 21 #include <net/cfg80211-wext.h> 22 #include <net/iw_handler.h> 23 #include <kunit/visibility.h> 24 #include "core.h" 25 #include "nl80211.h" 26 #include "wext-compat.h" 27 #include "rdev-ops.h" 28 29 /** 30 * DOC: BSS tree/list structure 31 * 32 * At the top level, the BSS list is kept in both a list in each 33 * registered device (@bss_list) as well as an RB-tree for faster 34 * lookup. In the RB-tree, entries can be looked up using their 35 * channel, MESHID, MESHCONF (for MBSSes) or channel, BSSID, SSID 36 * for other BSSes. 37 * 38 * Due to the possibility of hidden SSIDs, there's a second level 39 * structure, the "hidden_list" and "hidden_beacon_bss" pointer. 40 * The hidden_list connects all BSSes belonging to a single AP 41 * that has a hidden SSID, and connects beacon and probe response 42 * entries. For a probe response entry for a hidden SSID, the 43 * hidden_beacon_bss pointer points to the BSS struct holding the 44 * beacon's information. 45 * 46 * Reference counting is done for all these references except for 47 * the hidden_list, so that a beacon BSS struct that is otherwise 48 * not referenced has one reference for being on the bss_list and 49 * one for each probe response entry that points to it using the 50 * hidden_beacon_bss pointer. When a BSS struct that has such a 51 * pointer is get/put, the refcount update is also propagated to 52 * the referenced struct, this ensure that it cannot get removed 53 * while somebody is using the probe response version. 54 * 55 * Note that the hidden_beacon_bss pointer never changes, due to 56 * the reference counting. Therefore, no locking is needed for 57 * it. 58 * 59 * Also note that the hidden_beacon_bss pointer is only relevant 60 * if the driver uses something other than the IEs, e.g. private 61 * data stored in the BSS struct, since the beacon IEs are 62 * also linked into the probe response struct. 63 */ 64 65 /* 66 * Limit the number of BSS entries stored in mac80211. Each one is 67 * a bit over 4k at most, so this limits to roughly 4-5M of memory. 68 * If somebody wants to really attack this though, they'd likely 69 * use small beacons, and only one type of frame, limiting each of 70 * the entries to a much smaller size (in order to generate more 71 * entries in total, so overhead is bigger.) 72 */ 73 static int bss_entries_limit = 1000; 74 module_param(bss_entries_limit, int, 0644); 75 MODULE_PARM_DESC(bss_entries_limit, 76 "limit to number of scan BSS entries (per wiphy, default 1000)"); 77 78 #define IEEE80211_SCAN_RESULT_EXPIRE (30 * HZ) 79 80 static void bss_free(struct cfg80211_internal_bss *bss) 81 { 82 struct cfg80211_bss_ies *ies; 83 84 if (WARN_ON(atomic_read(&bss->hold))) 85 return; 86 87 ies = (void *)rcu_access_pointer(bss->pub.beacon_ies); 88 if (ies && !bss->pub.hidden_beacon_bss) 89 kfree_rcu(ies, rcu_head); 90 ies = (void *)rcu_access_pointer(bss->pub.proberesp_ies); 91 if (ies) 92 kfree_rcu(ies, rcu_head); 93 94 /* 95 * This happens when the module is removed, it doesn't 96 * really matter any more save for completeness 97 */ 98 if (!list_empty(&bss->hidden_list)) 99 list_del(&bss->hidden_list); 100 101 kfree(bss); 102 } 103 104 static inline void bss_ref_get(struct cfg80211_registered_device *rdev, 105 struct cfg80211_internal_bss *bss) 106 { 107 lockdep_assert_held(&rdev->bss_lock); 108 109 bss->refcount++; 110 111 if (bss->pub.hidden_beacon_bss) 112 bss_from_pub(bss->pub.hidden_beacon_bss)->refcount++; 113 114 if (bss->pub.transmitted_bss) 115 bss_from_pub(bss->pub.transmitted_bss)->refcount++; 116 } 117 118 static inline void bss_ref_put(struct cfg80211_registered_device *rdev, 119 struct cfg80211_internal_bss *bss) 120 { 121 lockdep_assert_held(&rdev->bss_lock); 122 123 if (bss->pub.hidden_beacon_bss) { 124 struct cfg80211_internal_bss *hbss; 125 126 hbss = bss_from_pub(bss->pub.hidden_beacon_bss); 127 hbss->refcount--; 128 if (hbss->refcount == 0) 129 bss_free(hbss); 130 } 131 132 if (bss->pub.transmitted_bss) { 133 struct cfg80211_internal_bss *tbss; 134 135 tbss = bss_from_pub(bss->pub.transmitted_bss); 136 tbss->refcount--; 137 if (tbss->refcount == 0) 138 bss_free(tbss); 139 } 140 141 bss->refcount--; 142 if (bss->refcount == 0) 143 bss_free(bss); 144 } 145 146 static bool __cfg80211_unlink_bss(struct cfg80211_registered_device *rdev, 147 struct cfg80211_internal_bss *bss) 148 { 149 lockdep_assert_held(&rdev->bss_lock); 150 151 if (!list_empty(&bss->hidden_list)) { 152 /* 153 * don't remove the beacon entry if it has 154 * probe responses associated with it 155 */ 156 if (!bss->pub.hidden_beacon_bss) 157 return false; 158 /* 159 * if it's a probe response entry break its 160 * link to the other entries in the group 161 */ 162 list_del_init(&bss->hidden_list); 163 } 164 165 list_del_init(&bss->list); 166 list_del_init(&bss->pub.nontrans_list); 167 rb_erase(&bss->rbn, &rdev->bss_tree); 168 rdev->bss_entries--; 169 WARN_ONCE((rdev->bss_entries == 0) ^ list_empty(&rdev->bss_list), 170 "rdev bss entries[%d]/list[empty:%d] corruption\n", 171 rdev->bss_entries, list_empty(&rdev->bss_list)); 172 bss_ref_put(rdev, bss); 173 return true; 174 } 175 176 bool cfg80211_is_element_inherited(const struct element *elem, 177 const struct element *non_inherit_elem) 178 { 179 u8 id_len, ext_id_len, i, loop_len, id; 180 const u8 *list; 181 182 if (elem->id == WLAN_EID_MULTIPLE_BSSID) 183 return false; 184 185 if (elem->id == WLAN_EID_EXTENSION && elem->datalen > 1 && 186 elem->data[0] == WLAN_EID_EXT_EHT_MULTI_LINK) 187 return false; 188 189 if (!non_inherit_elem || non_inherit_elem->datalen < 2) 190 return true; 191 192 /* 193 * non inheritance element format is: 194 * ext ID (56) | IDs list len | list | extension IDs list len | list 195 * Both lists are optional. Both lengths are mandatory. 196 * This means valid length is: 197 * elem_len = 1 (extension ID) + 2 (list len fields) + list lengths 198 */ 199 id_len = non_inherit_elem->data[1]; 200 if (non_inherit_elem->datalen < 3 + id_len) 201 return true; 202 203 ext_id_len = non_inherit_elem->data[2 + id_len]; 204 if (non_inherit_elem->datalen < 3 + id_len + ext_id_len) 205 return true; 206 207 if (elem->id == WLAN_EID_EXTENSION) { 208 if (!ext_id_len) 209 return true; 210 loop_len = ext_id_len; 211 list = &non_inherit_elem->data[3 + id_len]; 212 id = elem->data[0]; 213 } else { 214 if (!id_len) 215 return true; 216 loop_len = id_len; 217 list = &non_inherit_elem->data[2]; 218 id = elem->id; 219 } 220 221 for (i = 0; i < loop_len; i++) { 222 if (list[i] == id) 223 return false; 224 } 225 226 return true; 227 } 228 EXPORT_SYMBOL(cfg80211_is_element_inherited); 229 230 static size_t cfg80211_copy_elem_with_frags(const struct element *elem, 231 const u8 *ie, size_t ie_len, 232 u8 **pos, u8 *buf, size_t buf_len) 233 { 234 if (WARN_ON((u8 *)elem < ie || elem->data > ie + ie_len || 235 elem->data + elem->datalen > ie + ie_len)) 236 return 0; 237 238 if (elem->datalen + 2 > buf + buf_len - *pos) 239 return 0; 240 241 memcpy(*pos, elem, elem->datalen + 2); 242 *pos += elem->datalen + 2; 243 244 /* Finish if it is not fragmented */ 245 if (elem->datalen != 255) 246 return *pos - buf; 247 248 ie_len = ie + ie_len - elem->data - elem->datalen; 249 ie = (const u8 *)elem->data + elem->datalen; 250 251 for_each_element(elem, ie, ie_len) { 252 if (elem->id != WLAN_EID_FRAGMENT) 253 break; 254 255 if (elem->datalen + 2 > buf + buf_len - *pos) 256 return 0; 257 258 memcpy(*pos, elem, elem->datalen + 2); 259 *pos += elem->datalen + 2; 260 261 if (elem->datalen != 255) 262 break; 263 } 264 265 return *pos - buf; 266 } 267 268 VISIBLE_IF_CFG80211_KUNIT size_t 269 cfg80211_gen_new_ie(const u8 *ie, size_t ielen, 270 const u8 *subie, size_t subie_len, 271 u8 *new_ie, size_t new_ie_len) 272 { 273 const struct element *non_inherit_elem, *parent, *sub; 274 u8 *pos = new_ie; 275 u8 id, ext_id; 276 unsigned int match_len; 277 278 non_inherit_elem = cfg80211_find_ext_elem(WLAN_EID_EXT_NON_INHERITANCE, 279 subie, subie_len); 280 281 /* We copy the elements one by one from the parent to the generated 282 * elements. 283 * If they are not inherited (included in subie or in the non 284 * inheritance element), then we copy all occurrences the first time 285 * we see this element type. 286 */ 287 for_each_element(parent, ie, ielen) { 288 if (parent->id == WLAN_EID_FRAGMENT) 289 continue; 290 291 if (parent->id == WLAN_EID_EXTENSION) { 292 if (parent->datalen < 1) 293 continue; 294 295 id = WLAN_EID_EXTENSION; 296 ext_id = parent->data[0]; 297 match_len = 1; 298 } else { 299 id = parent->id; 300 match_len = 0; 301 } 302 303 /* Find first occurrence in subie */ 304 sub = cfg80211_find_elem_match(id, subie, subie_len, 305 &ext_id, match_len, 0); 306 307 /* Copy from parent if not in subie and inherited */ 308 if (!sub && 309 cfg80211_is_element_inherited(parent, non_inherit_elem)) { 310 if (!cfg80211_copy_elem_with_frags(parent, 311 ie, ielen, 312 &pos, new_ie, 313 new_ie_len)) 314 return 0; 315 316 continue; 317 } 318 319 /* Already copied if an earlier element had the same type */ 320 if (cfg80211_find_elem_match(id, ie, (u8 *)parent - ie, 321 &ext_id, match_len, 0)) 322 continue; 323 324 /* Not inheriting, copy all similar elements from subie */ 325 while (sub) { 326 if (!cfg80211_copy_elem_with_frags(sub, 327 subie, subie_len, 328 &pos, new_ie, 329 new_ie_len)) 330 return 0; 331 332 sub = cfg80211_find_elem_match(id, 333 sub->data + sub->datalen, 334 subie_len + subie - 335 (sub->data + 336 sub->datalen), 337 &ext_id, match_len, 0); 338 } 339 } 340 341 /* The above misses elements that are included in subie but not in the 342 * parent, so do a pass over subie and append those. 343 * Skip the non-tx BSSID caps and non-inheritance element. 344 */ 345 for_each_element(sub, subie, subie_len) { 346 if (sub->id == WLAN_EID_NON_TX_BSSID_CAP) 347 continue; 348 349 if (sub->id == WLAN_EID_FRAGMENT) 350 continue; 351 352 if (sub->id == WLAN_EID_EXTENSION) { 353 if (sub->datalen < 1) 354 continue; 355 356 id = WLAN_EID_EXTENSION; 357 ext_id = sub->data[0]; 358 match_len = 1; 359 360 if (ext_id == WLAN_EID_EXT_NON_INHERITANCE) 361 continue; 362 } else { 363 id = sub->id; 364 match_len = 0; 365 } 366 367 /* Processed if one was included in the parent */ 368 if (cfg80211_find_elem_match(id, ie, ielen, 369 &ext_id, match_len, 0)) 370 continue; 371 372 if (!cfg80211_copy_elem_with_frags(sub, subie, subie_len, 373 &pos, new_ie, new_ie_len)) 374 return 0; 375 } 376 377 return pos - new_ie; 378 } 379 EXPORT_SYMBOL_IF_CFG80211_KUNIT(cfg80211_gen_new_ie); 380 381 static bool is_bss(struct cfg80211_bss *a, const u8 *bssid, 382 const u8 *ssid, size_t ssid_len) 383 { 384 const struct cfg80211_bss_ies *ies; 385 const struct element *ssid_elem; 386 387 if (bssid && !ether_addr_equal(a->bssid, bssid)) 388 return false; 389 390 if (!ssid) 391 return true; 392 393 ies = rcu_access_pointer(a->ies); 394 if (!ies) 395 return false; 396 ssid_elem = cfg80211_find_elem(WLAN_EID_SSID, ies->data, ies->len); 397 if (!ssid_elem) 398 return false; 399 if (ssid_elem->datalen != ssid_len) 400 return false; 401 return memcmp(ssid_elem->data, ssid, ssid_len) == 0; 402 } 403 404 static int 405 cfg80211_add_nontrans_list(struct cfg80211_bss *trans_bss, 406 struct cfg80211_bss *nontrans_bss) 407 { 408 const struct element *ssid_elem; 409 struct cfg80211_bss *bss = NULL; 410 411 rcu_read_lock(); 412 ssid_elem = ieee80211_bss_get_elem(nontrans_bss, WLAN_EID_SSID); 413 if (!ssid_elem) { 414 rcu_read_unlock(); 415 return -EINVAL; 416 } 417 418 /* check if nontrans_bss is in the list */ 419 list_for_each_entry(bss, &trans_bss->nontrans_list, nontrans_list) { 420 if (is_bss(bss, nontrans_bss->bssid, ssid_elem->data, 421 ssid_elem->datalen)) { 422 rcu_read_unlock(); 423 return 0; 424 } 425 } 426 427 rcu_read_unlock(); 428 429 /* 430 * This is a bit weird - it's not on the list, but already on another 431 * one! The only way that could happen is if there's some BSSID/SSID 432 * shared by multiple APs in their multi-BSSID profiles, potentially 433 * with hidden SSID mixed in ... ignore it. 434 */ 435 if (!list_empty(&nontrans_bss->nontrans_list)) 436 return -EINVAL; 437 438 /* add to the list */ 439 list_add_tail(&nontrans_bss->nontrans_list, &trans_bss->nontrans_list); 440 return 0; 441 } 442 443 static void __cfg80211_bss_expire(struct cfg80211_registered_device *rdev, 444 unsigned long expire_time) 445 { 446 struct cfg80211_internal_bss *bss, *tmp; 447 bool expired = false; 448 449 lockdep_assert_held(&rdev->bss_lock); 450 451 list_for_each_entry_safe(bss, tmp, &rdev->bss_list, list) { 452 if (atomic_read(&bss->hold)) 453 continue; 454 if (!time_after(expire_time, bss->ts)) 455 continue; 456 457 if (__cfg80211_unlink_bss(rdev, bss)) 458 expired = true; 459 } 460 461 if (expired) 462 rdev->bss_generation++; 463 } 464 465 static bool cfg80211_bss_expire_oldest(struct cfg80211_registered_device *rdev) 466 { 467 struct cfg80211_internal_bss *bss, *oldest = NULL; 468 bool ret; 469 470 lockdep_assert_held(&rdev->bss_lock); 471 472 list_for_each_entry(bss, &rdev->bss_list, list) { 473 if (atomic_read(&bss->hold)) 474 continue; 475 476 if (!list_empty(&bss->hidden_list) && 477 !bss->pub.hidden_beacon_bss) 478 continue; 479 480 if (oldest && time_before(oldest->ts, bss->ts)) 481 continue; 482 oldest = bss; 483 } 484 485 if (WARN_ON(!oldest)) 486 return false; 487 488 /* 489 * The callers make sure to increase rdev->bss_generation if anything 490 * gets removed (and a new entry added), so there's no need to also do 491 * it here. 492 */ 493 494 ret = __cfg80211_unlink_bss(rdev, oldest); 495 WARN_ON(!ret); 496 return ret; 497 } 498 499 static u8 cfg80211_parse_bss_param(u8 data, 500 struct cfg80211_colocated_ap *coloc_ap) 501 { 502 coloc_ap->oct_recommended = 503 u8_get_bits(data, IEEE80211_RNR_TBTT_PARAMS_OCT_RECOMMENDED); 504 coloc_ap->same_ssid = 505 u8_get_bits(data, IEEE80211_RNR_TBTT_PARAMS_SAME_SSID); 506 coloc_ap->multi_bss = 507 u8_get_bits(data, IEEE80211_RNR_TBTT_PARAMS_MULTI_BSSID); 508 coloc_ap->transmitted_bssid = 509 u8_get_bits(data, IEEE80211_RNR_TBTT_PARAMS_TRANSMITTED_BSSID); 510 coloc_ap->unsolicited_probe = 511 u8_get_bits(data, IEEE80211_RNR_TBTT_PARAMS_PROBE_ACTIVE); 512 coloc_ap->colocated_ess = 513 u8_get_bits(data, IEEE80211_RNR_TBTT_PARAMS_COLOC_ESS); 514 515 return u8_get_bits(data, IEEE80211_RNR_TBTT_PARAMS_COLOC_AP); 516 } 517 518 static int cfg80211_calc_short_ssid(const struct cfg80211_bss_ies *ies, 519 const struct element **elem, u32 *s_ssid) 520 { 521 522 *elem = cfg80211_find_elem(WLAN_EID_SSID, ies->data, ies->len); 523 if (!*elem || (*elem)->datalen > IEEE80211_MAX_SSID_LEN) 524 return -EINVAL; 525 526 *s_ssid = ~crc32_le(~0, (*elem)->data, (*elem)->datalen); 527 return 0; 528 } 529 530 VISIBLE_IF_CFG80211_KUNIT void 531 cfg80211_free_coloc_ap_list(struct list_head *coloc_ap_list) 532 { 533 struct cfg80211_colocated_ap *ap, *tmp_ap; 534 535 list_for_each_entry_safe(ap, tmp_ap, coloc_ap_list, list) { 536 list_del(&ap->list); 537 kfree(ap); 538 } 539 } 540 EXPORT_SYMBOL_IF_CFG80211_KUNIT(cfg80211_free_coloc_ap_list); 541 542 static int cfg80211_parse_ap_info(struct cfg80211_colocated_ap *entry, 543 const u8 *pos, u8 length, 544 const struct element *ssid_elem, 545 u32 s_ssid_tmp) 546 { 547 u8 bss_params; 548 549 entry->psd_20 = IEEE80211_RNR_TBTT_PARAMS_PSD_RESERVED; 550 551 /* The length is already verified by the caller to contain bss_params */ 552 if (length > sizeof(struct ieee80211_tbtt_info_7_8_9)) { 553 struct ieee80211_tbtt_info_ge_11 *tbtt_info = (void *)pos; 554 555 memcpy(entry->bssid, tbtt_info->bssid, ETH_ALEN); 556 entry->short_ssid = le32_to_cpu(tbtt_info->short_ssid); 557 entry->short_ssid_valid = true; 558 559 bss_params = tbtt_info->bss_params; 560 561 /* Ignore disabled links */ 562 if (length >= offsetofend(typeof(*tbtt_info), mld_params)) { 563 if (le16_get_bits(tbtt_info->mld_params.params, 564 IEEE80211_RNR_MLD_PARAMS_DISABLED_LINK)) 565 return -EINVAL; 566 } 567 568 if (length >= offsetofend(struct ieee80211_tbtt_info_ge_11, 569 psd_20)) 570 entry->psd_20 = tbtt_info->psd_20; 571 } else { 572 struct ieee80211_tbtt_info_7_8_9 *tbtt_info = (void *)pos; 573 574 memcpy(entry->bssid, tbtt_info->bssid, ETH_ALEN); 575 576 bss_params = tbtt_info->bss_params; 577 578 if (length == offsetofend(struct ieee80211_tbtt_info_7_8_9, 579 psd_20)) 580 entry->psd_20 = tbtt_info->psd_20; 581 } 582 583 /* ignore entries with invalid BSSID */ 584 if (!is_valid_ether_addr(entry->bssid)) 585 return -EINVAL; 586 587 /* skip non colocated APs */ 588 if (!cfg80211_parse_bss_param(bss_params, entry)) 589 return -EINVAL; 590 591 /* no information about the short ssid. Consider the entry valid 592 * for now. It would later be dropped in case there are explicit 593 * SSIDs that need to be matched 594 */ 595 if (!entry->same_ssid && !entry->short_ssid_valid) 596 return 0; 597 598 if (entry->same_ssid) { 599 entry->short_ssid = s_ssid_tmp; 600 entry->short_ssid_valid = true; 601 602 /* 603 * This is safe because we validate datalen in 604 * cfg80211_parse_colocated_ap(), before calling this 605 * function. 606 */ 607 memcpy(&entry->ssid, &ssid_elem->data, ssid_elem->datalen); 608 entry->ssid_len = ssid_elem->datalen; 609 } 610 611 return 0; 612 } 613 614 bool cfg80211_iter_rnr(const u8 *elems, size_t elems_len, 615 enum cfg80211_rnr_iter_ret 616 (*iter)(void *data, u8 type, 617 const struct ieee80211_neighbor_ap_info *info, 618 const u8 *tbtt_info, u8 tbtt_info_len), 619 void *iter_data) 620 { 621 const struct element *rnr; 622 const u8 *pos, *end; 623 624 for_each_element_id(rnr, WLAN_EID_REDUCED_NEIGHBOR_REPORT, 625 elems, elems_len) { 626 const struct ieee80211_neighbor_ap_info *info; 627 628 pos = rnr->data; 629 end = rnr->data + rnr->datalen; 630 631 /* RNR IE may contain more than one NEIGHBOR_AP_INFO */ 632 while (sizeof(*info) <= end - pos) { 633 u8 length, i, count; 634 u8 type; 635 636 info = (void *)pos; 637 count = u8_get_bits(info->tbtt_info_hdr, 638 IEEE80211_AP_INFO_TBTT_HDR_COUNT) + 639 1; 640 length = info->tbtt_info_len; 641 642 pos += sizeof(*info); 643 644 if (count * length > end - pos) 645 return false; 646 647 type = u8_get_bits(info->tbtt_info_hdr, 648 IEEE80211_AP_INFO_TBTT_HDR_TYPE); 649 650 for (i = 0; i < count; i++) { 651 switch (iter(iter_data, type, info, 652 pos, length)) { 653 case RNR_ITER_CONTINUE: 654 break; 655 case RNR_ITER_BREAK: 656 return true; 657 case RNR_ITER_ERROR: 658 return false; 659 } 660 661 pos += length; 662 } 663 } 664 665 if (pos != end) 666 return false; 667 } 668 669 return true; 670 } 671 EXPORT_SYMBOL_GPL(cfg80211_iter_rnr); 672 673 struct colocated_ap_data { 674 const struct element *ssid_elem; 675 struct list_head ap_list; 676 u32 s_ssid_tmp; 677 int n_coloc; 678 }; 679 680 static enum cfg80211_rnr_iter_ret 681 cfg80211_parse_colocated_ap_iter(void *_data, u8 type, 682 const struct ieee80211_neighbor_ap_info *info, 683 const u8 *tbtt_info, u8 tbtt_info_len) 684 { 685 struct colocated_ap_data *data = _data; 686 struct cfg80211_colocated_ap *entry; 687 enum nl80211_band band; 688 689 if (type != IEEE80211_TBTT_INFO_TYPE_TBTT) 690 return RNR_ITER_CONTINUE; 691 692 if (!ieee80211_operating_class_to_band(info->op_class, &band)) 693 return RNR_ITER_CONTINUE; 694 695 /* TBTT info must include bss param + BSSID + (short SSID or 696 * same_ssid bit to be set). Ignore other options, and move to 697 * the next AP info 698 */ 699 if (band != NL80211_BAND_6GHZ || 700 !(tbtt_info_len == offsetofend(struct ieee80211_tbtt_info_7_8_9, 701 bss_params) || 702 tbtt_info_len == sizeof(struct ieee80211_tbtt_info_7_8_9) || 703 tbtt_info_len >= offsetofend(struct ieee80211_tbtt_info_ge_11, 704 bss_params))) 705 return RNR_ITER_CONTINUE; 706 707 entry = kzalloc(sizeof(*entry) + IEEE80211_MAX_SSID_LEN, GFP_ATOMIC); 708 if (!entry) 709 return RNR_ITER_ERROR; 710 711 entry->center_freq = 712 ieee80211_channel_to_frequency(info->channel, band); 713 714 if (!cfg80211_parse_ap_info(entry, tbtt_info, tbtt_info_len, 715 data->ssid_elem, data->s_ssid_tmp)) { 716 data->n_coloc++; 717 list_add_tail(&entry->list, &data->ap_list); 718 } else { 719 kfree(entry); 720 } 721 722 return RNR_ITER_CONTINUE; 723 } 724 725 VISIBLE_IF_CFG80211_KUNIT int 726 cfg80211_parse_colocated_ap(const struct cfg80211_bss_ies *ies, 727 struct list_head *list) 728 { 729 struct colocated_ap_data data = {}; 730 int ret; 731 732 INIT_LIST_HEAD(&data.ap_list); 733 734 ret = cfg80211_calc_short_ssid(ies, &data.ssid_elem, &data.s_ssid_tmp); 735 if (ret) 736 return 0; 737 738 if (!cfg80211_iter_rnr(ies->data, ies->len, 739 cfg80211_parse_colocated_ap_iter, &data)) { 740 cfg80211_free_coloc_ap_list(&data.ap_list); 741 return 0; 742 } 743 744 list_splice_tail(&data.ap_list, list); 745 return data.n_coloc; 746 } 747 EXPORT_SYMBOL_IF_CFG80211_KUNIT(cfg80211_parse_colocated_ap); 748 749 static void cfg80211_scan_req_add_chan(struct cfg80211_scan_request *request, 750 struct ieee80211_channel *chan, 751 bool add_to_6ghz) 752 { 753 int i; 754 u32 n_channels = request->n_channels; 755 struct cfg80211_scan_6ghz_params *params = 756 &request->scan_6ghz_params[request->n_6ghz_params]; 757 758 for (i = 0; i < n_channels; i++) { 759 if (request->channels[i] == chan) { 760 if (add_to_6ghz) 761 params->channel_idx = i; 762 return; 763 } 764 } 765 766 request->channels[n_channels] = chan; 767 if (add_to_6ghz) 768 request->scan_6ghz_params[request->n_6ghz_params].channel_idx = 769 n_channels; 770 771 request->n_channels++; 772 } 773 774 static bool cfg80211_find_ssid_match(struct cfg80211_colocated_ap *ap, 775 struct cfg80211_scan_request *request) 776 { 777 int i; 778 u32 s_ssid; 779 780 for (i = 0; i < request->n_ssids; i++) { 781 /* wildcard ssid in the scan request */ 782 if (!request->ssids[i].ssid_len) { 783 if (ap->multi_bss && !ap->transmitted_bssid) 784 continue; 785 786 return true; 787 } 788 789 if (ap->ssid_len && 790 ap->ssid_len == request->ssids[i].ssid_len) { 791 if (!memcmp(request->ssids[i].ssid, ap->ssid, 792 ap->ssid_len)) 793 return true; 794 } else if (ap->short_ssid_valid) { 795 s_ssid = ~crc32_le(~0, request->ssids[i].ssid, 796 request->ssids[i].ssid_len); 797 798 if (ap->short_ssid == s_ssid) 799 return true; 800 } 801 } 802 803 return false; 804 } 805 806 static int cfg80211_scan_6ghz(struct cfg80211_registered_device *rdev) 807 { 808 u8 i; 809 struct cfg80211_colocated_ap *ap; 810 int n_channels, count = 0, err; 811 struct cfg80211_scan_request *request, *rdev_req = rdev->scan_req; 812 LIST_HEAD(coloc_ap_list); 813 bool need_scan_psc = true; 814 const struct ieee80211_sband_iftype_data *iftd; 815 size_t size, offs_ssids, offs_6ghz_params, offs_ies; 816 817 rdev_req->scan_6ghz = true; 818 819 if (!rdev->wiphy.bands[NL80211_BAND_6GHZ]) 820 return -EOPNOTSUPP; 821 822 iftd = ieee80211_get_sband_iftype_data(rdev->wiphy.bands[NL80211_BAND_6GHZ], 823 rdev_req->wdev->iftype); 824 if (!iftd || !iftd->he_cap.has_he) 825 return -EOPNOTSUPP; 826 827 n_channels = rdev->wiphy.bands[NL80211_BAND_6GHZ]->n_channels; 828 829 if (rdev_req->flags & NL80211_SCAN_FLAG_COLOCATED_6GHZ) { 830 struct cfg80211_internal_bss *intbss; 831 832 spin_lock_bh(&rdev->bss_lock); 833 list_for_each_entry(intbss, &rdev->bss_list, list) { 834 struct cfg80211_bss *res = &intbss->pub; 835 const struct cfg80211_bss_ies *ies; 836 const struct element *ssid_elem; 837 struct cfg80211_colocated_ap *entry; 838 u32 s_ssid_tmp; 839 int ret; 840 841 ies = rcu_access_pointer(res->ies); 842 count += cfg80211_parse_colocated_ap(ies, 843 &coloc_ap_list); 844 845 /* In case the scan request specified a specific BSSID 846 * and the BSS is found and operating on 6GHz band then 847 * add this AP to the collocated APs list. 848 * This is relevant for ML probe requests when the lower 849 * band APs have not been discovered. 850 */ 851 if (is_broadcast_ether_addr(rdev_req->bssid) || 852 !ether_addr_equal(rdev_req->bssid, res->bssid) || 853 res->channel->band != NL80211_BAND_6GHZ) 854 continue; 855 856 ret = cfg80211_calc_short_ssid(ies, &ssid_elem, 857 &s_ssid_tmp); 858 if (ret) 859 continue; 860 861 entry = kzalloc(sizeof(*entry) + IEEE80211_MAX_SSID_LEN, 862 GFP_ATOMIC); 863 864 if (!entry) 865 continue; 866 867 memcpy(entry->bssid, res->bssid, ETH_ALEN); 868 entry->short_ssid = s_ssid_tmp; 869 memcpy(entry->ssid, ssid_elem->data, 870 ssid_elem->datalen); 871 entry->ssid_len = ssid_elem->datalen; 872 entry->short_ssid_valid = true; 873 entry->center_freq = res->channel->center_freq; 874 875 list_add_tail(&entry->list, &coloc_ap_list); 876 count++; 877 } 878 spin_unlock_bh(&rdev->bss_lock); 879 } 880 881 size = struct_size(request, channels, n_channels); 882 offs_ssids = size; 883 size += sizeof(*request->ssids) * rdev_req->n_ssids; 884 offs_6ghz_params = size; 885 size += sizeof(*request->scan_6ghz_params) * count; 886 offs_ies = size; 887 size += rdev_req->ie_len; 888 889 request = kzalloc(size, GFP_KERNEL); 890 if (!request) { 891 cfg80211_free_coloc_ap_list(&coloc_ap_list); 892 return -ENOMEM; 893 } 894 895 *request = *rdev_req; 896 request->n_channels = 0; 897 request->n_6ghz_params = 0; 898 if (rdev_req->n_ssids) { 899 /* 900 * Add the ssids from the parent scan request to the new 901 * scan request, so the driver would be able to use them 902 * in its probe requests to discover hidden APs on PSC 903 * channels. 904 */ 905 request->ssids = (void *)request + offs_ssids; 906 memcpy(request->ssids, rdev_req->ssids, 907 sizeof(*request->ssids) * request->n_ssids); 908 } 909 request->scan_6ghz_params = (void *)request + offs_6ghz_params; 910 911 if (rdev_req->ie_len) { 912 void *ie = (void *)request + offs_ies; 913 914 memcpy(ie, rdev_req->ie, rdev_req->ie_len); 915 request->ie = ie; 916 } 917 918 /* 919 * PSC channels should not be scanned in case of direct scan with 1 SSID 920 * and at least one of the reported co-located APs with same SSID 921 * indicating that all APs in the same ESS are co-located 922 */ 923 if (count && request->n_ssids == 1 && request->ssids[0].ssid_len) { 924 list_for_each_entry(ap, &coloc_ap_list, list) { 925 if (ap->colocated_ess && 926 cfg80211_find_ssid_match(ap, request)) { 927 need_scan_psc = false; 928 break; 929 } 930 } 931 } 932 933 /* 934 * add to the scan request the channels that need to be scanned 935 * regardless of the collocated APs (PSC channels or all channels 936 * in case that NL80211_SCAN_FLAG_COLOCATED_6GHZ is not set) 937 */ 938 for (i = 0; i < rdev_req->n_channels; i++) { 939 if (rdev_req->channels[i]->band == NL80211_BAND_6GHZ && 940 ((need_scan_psc && 941 cfg80211_channel_is_psc(rdev_req->channels[i])) || 942 !(rdev_req->flags & NL80211_SCAN_FLAG_COLOCATED_6GHZ))) { 943 cfg80211_scan_req_add_chan(request, 944 rdev_req->channels[i], 945 false); 946 } 947 } 948 949 if (!(rdev_req->flags & NL80211_SCAN_FLAG_COLOCATED_6GHZ)) 950 goto skip; 951 952 list_for_each_entry(ap, &coloc_ap_list, list) { 953 bool found = false; 954 struct cfg80211_scan_6ghz_params *scan_6ghz_params = 955 &request->scan_6ghz_params[request->n_6ghz_params]; 956 struct ieee80211_channel *chan = 957 ieee80211_get_channel(&rdev->wiphy, ap->center_freq); 958 959 if (!chan || chan->flags & IEEE80211_CHAN_DISABLED || 960 !cfg80211_wdev_channel_allowed(rdev_req->wdev, chan)) 961 continue; 962 963 for (i = 0; i < rdev_req->n_channels; i++) { 964 if (rdev_req->channels[i] == chan) 965 found = true; 966 } 967 968 if (!found) 969 continue; 970 971 if (request->n_ssids > 0 && 972 !cfg80211_find_ssid_match(ap, request)) 973 continue; 974 975 if (!is_broadcast_ether_addr(request->bssid) && 976 !ether_addr_equal(request->bssid, ap->bssid)) 977 continue; 978 979 if (!request->n_ssids && ap->multi_bss && !ap->transmitted_bssid) 980 continue; 981 982 cfg80211_scan_req_add_chan(request, chan, true); 983 memcpy(scan_6ghz_params->bssid, ap->bssid, ETH_ALEN); 984 scan_6ghz_params->short_ssid = ap->short_ssid; 985 scan_6ghz_params->short_ssid_valid = ap->short_ssid_valid; 986 scan_6ghz_params->unsolicited_probe = ap->unsolicited_probe; 987 scan_6ghz_params->psd_20 = ap->psd_20; 988 989 /* 990 * If a PSC channel is added to the scan and 'need_scan_psc' is 991 * set to false, then all the APs that the scan logic is 992 * interested with on the channel are collocated and thus there 993 * is no need to perform the initial PSC channel listen. 994 */ 995 if (cfg80211_channel_is_psc(chan) && !need_scan_psc) 996 scan_6ghz_params->psc_no_listen = true; 997 998 request->n_6ghz_params++; 999 } 1000 1001 skip: 1002 cfg80211_free_coloc_ap_list(&coloc_ap_list); 1003 1004 if (request->n_channels) { 1005 struct cfg80211_scan_request *old = rdev->int_scan_req; 1006 1007 rdev->int_scan_req = request; 1008 1009 /* 1010 * If this scan follows a previous scan, save the scan start 1011 * info from the first part of the scan 1012 */ 1013 if (old) 1014 rdev->int_scan_req->info = old->info; 1015 1016 err = rdev_scan(rdev, request); 1017 if (err) { 1018 rdev->int_scan_req = old; 1019 kfree(request); 1020 } else { 1021 kfree(old); 1022 } 1023 1024 return err; 1025 } 1026 1027 kfree(request); 1028 return -EINVAL; 1029 } 1030 1031 int cfg80211_scan(struct cfg80211_registered_device *rdev) 1032 { 1033 struct cfg80211_scan_request *request; 1034 struct cfg80211_scan_request *rdev_req = rdev->scan_req; 1035 u32 n_channels = 0, idx, i; 1036 1037 if (!(rdev->wiphy.flags & WIPHY_FLAG_SPLIT_SCAN_6GHZ)) 1038 return rdev_scan(rdev, rdev_req); 1039 1040 for (i = 0; i < rdev_req->n_channels; i++) { 1041 if (rdev_req->channels[i]->band != NL80211_BAND_6GHZ) 1042 n_channels++; 1043 } 1044 1045 if (!n_channels) 1046 return cfg80211_scan_6ghz(rdev); 1047 1048 request = kzalloc(struct_size(request, channels, n_channels), 1049 GFP_KERNEL); 1050 if (!request) 1051 return -ENOMEM; 1052 1053 *request = *rdev_req; 1054 request->n_channels = n_channels; 1055 1056 for (i = idx = 0; i < rdev_req->n_channels; i++) { 1057 if (rdev_req->channels[i]->band != NL80211_BAND_6GHZ) 1058 request->channels[idx++] = rdev_req->channels[i]; 1059 } 1060 1061 rdev_req->scan_6ghz = false; 1062 rdev->int_scan_req = request; 1063 return rdev_scan(rdev, request); 1064 } 1065 1066 void ___cfg80211_scan_done(struct cfg80211_registered_device *rdev, 1067 bool send_message) 1068 { 1069 struct cfg80211_scan_request *request, *rdev_req; 1070 struct wireless_dev *wdev; 1071 struct sk_buff *msg; 1072 #ifdef CONFIG_CFG80211_WEXT 1073 union iwreq_data wrqu; 1074 #endif 1075 1076 lockdep_assert_held(&rdev->wiphy.mtx); 1077 1078 if (rdev->scan_msg) { 1079 nl80211_send_scan_msg(rdev, rdev->scan_msg); 1080 rdev->scan_msg = NULL; 1081 return; 1082 } 1083 1084 rdev_req = rdev->scan_req; 1085 if (!rdev_req) 1086 return; 1087 1088 wdev = rdev_req->wdev; 1089 request = rdev->int_scan_req ? rdev->int_scan_req : rdev_req; 1090 1091 if (wdev_running(wdev) && 1092 (rdev->wiphy.flags & WIPHY_FLAG_SPLIT_SCAN_6GHZ) && 1093 !rdev_req->scan_6ghz && !request->info.aborted && 1094 !cfg80211_scan_6ghz(rdev)) 1095 return; 1096 1097 /* 1098 * This must be before sending the other events! 1099 * Otherwise, wpa_supplicant gets completely confused with 1100 * wext events. 1101 */ 1102 if (wdev->netdev) 1103 cfg80211_sme_scan_done(wdev->netdev); 1104 1105 if (!request->info.aborted && 1106 request->flags & NL80211_SCAN_FLAG_FLUSH) { 1107 /* flush entries from previous scans */ 1108 spin_lock_bh(&rdev->bss_lock); 1109 __cfg80211_bss_expire(rdev, request->scan_start); 1110 spin_unlock_bh(&rdev->bss_lock); 1111 } 1112 1113 msg = nl80211_build_scan_msg(rdev, wdev, request->info.aborted); 1114 1115 #ifdef CONFIG_CFG80211_WEXT 1116 if (wdev->netdev && !request->info.aborted) { 1117 memset(&wrqu, 0, sizeof(wrqu)); 1118 1119 wireless_send_event(wdev->netdev, SIOCGIWSCAN, &wrqu, NULL); 1120 } 1121 #endif 1122 1123 dev_put(wdev->netdev); 1124 1125 kfree(rdev->int_scan_req); 1126 rdev->int_scan_req = NULL; 1127 1128 kfree(rdev->scan_req); 1129 rdev->scan_req = NULL; 1130 1131 if (!send_message) 1132 rdev->scan_msg = msg; 1133 else 1134 nl80211_send_scan_msg(rdev, msg); 1135 } 1136 1137 void __cfg80211_scan_done(struct wiphy *wiphy, struct wiphy_work *wk) 1138 { 1139 ___cfg80211_scan_done(wiphy_to_rdev(wiphy), true); 1140 } 1141 1142 void cfg80211_scan_done(struct cfg80211_scan_request *request, 1143 struct cfg80211_scan_info *info) 1144 { 1145 struct cfg80211_scan_info old_info = request->info; 1146 1147 trace_cfg80211_scan_done(request, info); 1148 WARN_ON(request != wiphy_to_rdev(request->wiphy)->scan_req && 1149 request != wiphy_to_rdev(request->wiphy)->int_scan_req); 1150 1151 request->info = *info; 1152 1153 /* 1154 * In case the scan is split, the scan_start_tsf and tsf_bssid should 1155 * be of the first part. In such a case old_info.scan_start_tsf should 1156 * be non zero. 1157 */ 1158 if (request->scan_6ghz && old_info.scan_start_tsf) { 1159 request->info.scan_start_tsf = old_info.scan_start_tsf; 1160 memcpy(request->info.tsf_bssid, old_info.tsf_bssid, 1161 sizeof(request->info.tsf_bssid)); 1162 } 1163 1164 request->notified = true; 1165 wiphy_work_queue(request->wiphy, 1166 &wiphy_to_rdev(request->wiphy)->scan_done_wk); 1167 } 1168 EXPORT_SYMBOL(cfg80211_scan_done); 1169 1170 void cfg80211_add_sched_scan_req(struct cfg80211_registered_device *rdev, 1171 struct cfg80211_sched_scan_request *req) 1172 { 1173 lockdep_assert_held(&rdev->wiphy.mtx); 1174 1175 list_add_rcu(&req->list, &rdev->sched_scan_req_list); 1176 } 1177 1178 static void cfg80211_del_sched_scan_req(struct cfg80211_registered_device *rdev, 1179 struct cfg80211_sched_scan_request *req) 1180 { 1181 lockdep_assert_held(&rdev->wiphy.mtx); 1182 1183 list_del_rcu(&req->list); 1184 kfree_rcu(req, rcu_head); 1185 } 1186 1187 static struct cfg80211_sched_scan_request * 1188 cfg80211_find_sched_scan_req(struct cfg80211_registered_device *rdev, u64 reqid) 1189 { 1190 struct cfg80211_sched_scan_request *pos; 1191 1192 list_for_each_entry_rcu(pos, &rdev->sched_scan_req_list, list, 1193 lockdep_is_held(&rdev->wiphy.mtx)) { 1194 if (pos->reqid == reqid) 1195 return pos; 1196 } 1197 return NULL; 1198 } 1199 1200 /* 1201 * Determines if a scheduled scan request can be handled. When a legacy 1202 * scheduled scan is running no other scheduled scan is allowed regardless 1203 * whether the request is for legacy or multi-support scan. When a multi-support 1204 * scheduled scan is running a request for legacy scan is not allowed. In this 1205 * case a request for multi-support scan can be handled if resources are 1206 * available, ie. struct wiphy::max_sched_scan_reqs limit is not yet reached. 1207 */ 1208 int cfg80211_sched_scan_req_possible(struct cfg80211_registered_device *rdev, 1209 bool want_multi) 1210 { 1211 struct cfg80211_sched_scan_request *pos; 1212 int i = 0; 1213 1214 list_for_each_entry(pos, &rdev->sched_scan_req_list, list) { 1215 /* request id zero means legacy in progress */ 1216 if (!i && !pos->reqid) 1217 return -EINPROGRESS; 1218 i++; 1219 } 1220 1221 if (i) { 1222 /* no legacy allowed when multi request(s) are active */ 1223 if (!want_multi) 1224 return -EINPROGRESS; 1225 1226 /* resource limit reached */ 1227 if (i == rdev->wiphy.max_sched_scan_reqs) 1228 return -ENOSPC; 1229 } 1230 return 0; 1231 } 1232 1233 void cfg80211_sched_scan_results_wk(struct work_struct *work) 1234 { 1235 struct cfg80211_registered_device *rdev; 1236 struct cfg80211_sched_scan_request *req, *tmp; 1237 1238 rdev = container_of(work, struct cfg80211_registered_device, 1239 sched_scan_res_wk); 1240 1241 wiphy_lock(&rdev->wiphy); 1242 list_for_each_entry_safe(req, tmp, &rdev->sched_scan_req_list, list) { 1243 if (req->report_results) { 1244 req->report_results = false; 1245 if (req->flags & NL80211_SCAN_FLAG_FLUSH) { 1246 /* flush entries from previous scans */ 1247 spin_lock_bh(&rdev->bss_lock); 1248 __cfg80211_bss_expire(rdev, req->scan_start); 1249 spin_unlock_bh(&rdev->bss_lock); 1250 req->scan_start = jiffies; 1251 } 1252 nl80211_send_sched_scan(req, 1253 NL80211_CMD_SCHED_SCAN_RESULTS); 1254 } 1255 } 1256 wiphy_unlock(&rdev->wiphy); 1257 } 1258 1259 void cfg80211_sched_scan_results(struct wiphy *wiphy, u64 reqid) 1260 { 1261 struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy); 1262 struct cfg80211_sched_scan_request *request; 1263 1264 trace_cfg80211_sched_scan_results(wiphy, reqid); 1265 /* ignore if we're not scanning */ 1266 1267 rcu_read_lock(); 1268 request = cfg80211_find_sched_scan_req(rdev, reqid); 1269 if (request) { 1270 request->report_results = true; 1271 queue_work(cfg80211_wq, &rdev->sched_scan_res_wk); 1272 } 1273 rcu_read_unlock(); 1274 } 1275 EXPORT_SYMBOL(cfg80211_sched_scan_results); 1276 1277 void cfg80211_sched_scan_stopped_locked(struct wiphy *wiphy, u64 reqid) 1278 { 1279 struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy); 1280 1281 lockdep_assert_held(&wiphy->mtx); 1282 1283 trace_cfg80211_sched_scan_stopped(wiphy, reqid); 1284 1285 __cfg80211_stop_sched_scan(rdev, reqid, true); 1286 } 1287 EXPORT_SYMBOL(cfg80211_sched_scan_stopped_locked); 1288 1289 void cfg80211_sched_scan_stopped(struct wiphy *wiphy, u64 reqid) 1290 { 1291 wiphy_lock(wiphy); 1292 cfg80211_sched_scan_stopped_locked(wiphy, reqid); 1293 wiphy_unlock(wiphy); 1294 } 1295 EXPORT_SYMBOL(cfg80211_sched_scan_stopped); 1296 1297 int cfg80211_stop_sched_scan_req(struct cfg80211_registered_device *rdev, 1298 struct cfg80211_sched_scan_request *req, 1299 bool driver_initiated) 1300 { 1301 lockdep_assert_held(&rdev->wiphy.mtx); 1302 1303 if (!driver_initiated) { 1304 int err = rdev_sched_scan_stop(rdev, req->dev, req->reqid); 1305 if (err) 1306 return err; 1307 } 1308 1309 nl80211_send_sched_scan(req, NL80211_CMD_SCHED_SCAN_STOPPED); 1310 1311 cfg80211_del_sched_scan_req(rdev, req); 1312 1313 return 0; 1314 } 1315 1316 int __cfg80211_stop_sched_scan(struct cfg80211_registered_device *rdev, 1317 u64 reqid, bool driver_initiated) 1318 { 1319 struct cfg80211_sched_scan_request *sched_scan_req; 1320 1321 lockdep_assert_held(&rdev->wiphy.mtx); 1322 1323 sched_scan_req = cfg80211_find_sched_scan_req(rdev, reqid); 1324 if (!sched_scan_req) 1325 return -ENOENT; 1326 1327 return cfg80211_stop_sched_scan_req(rdev, sched_scan_req, 1328 driver_initiated); 1329 } 1330 1331 void cfg80211_bss_age(struct cfg80211_registered_device *rdev, 1332 unsigned long age_secs) 1333 { 1334 struct cfg80211_internal_bss *bss; 1335 unsigned long age_jiffies = msecs_to_jiffies(age_secs * MSEC_PER_SEC); 1336 1337 spin_lock_bh(&rdev->bss_lock); 1338 list_for_each_entry(bss, &rdev->bss_list, list) 1339 bss->ts -= age_jiffies; 1340 spin_unlock_bh(&rdev->bss_lock); 1341 } 1342 1343 void cfg80211_bss_expire(struct cfg80211_registered_device *rdev) 1344 { 1345 __cfg80211_bss_expire(rdev, jiffies - IEEE80211_SCAN_RESULT_EXPIRE); 1346 } 1347 1348 void cfg80211_bss_flush(struct wiphy *wiphy) 1349 { 1350 struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy); 1351 1352 spin_lock_bh(&rdev->bss_lock); 1353 __cfg80211_bss_expire(rdev, jiffies); 1354 spin_unlock_bh(&rdev->bss_lock); 1355 } 1356 EXPORT_SYMBOL(cfg80211_bss_flush); 1357 1358 const struct element * 1359 cfg80211_find_elem_match(u8 eid, const u8 *ies, unsigned int len, 1360 const u8 *match, unsigned int match_len, 1361 unsigned int match_offset) 1362 { 1363 const struct element *elem; 1364 1365 for_each_element_id(elem, eid, ies, len) { 1366 if (elem->datalen >= match_offset + match_len && 1367 !memcmp(elem->data + match_offset, match, match_len)) 1368 return elem; 1369 } 1370 1371 return NULL; 1372 } 1373 EXPORT_SYMBOL(cfg80211_find_elem_match); 1374 1375 const struct element *cfg80211_find_vendor_elem(unsigned int oui, int oui_type, 1376 const u8 *ies, 1377 unsigned int len) 1378 { 1379 const struct element *elem; 1380 u8 match[] = { oui >> 16, oui >> 8, oui, oui_type }; 1381 int match_len = (oui_type < 0) ? 3 : sizeof(match); 1382 1383 if (WARN_ON(oui_type > 0xff)) 1384 return NULL; 1385 1386 elem = cfg80211_find_elem_match(WLAN_EID_VENDOR_SPECIFIC, ies, len, 1387 match, match_len, 0); 1388 1389 if (!elem || elem->datalen < 4) 1390 return NULL; 1391 1392 return elem; 1393 } 1394 EXPORT_SYMBOL(cfg80211_find_vendor_elem); 1395 1396 /** 1397 * enum bss_compare_mode - BSS compare mode 1398 * @BSS_CMP_REGULAR: regular compare mode (for insertion and normal find) 1399 * @BSS_CMP_HIDE_ZLEN: find hidden SSID with zero-length mode 1400 * @BSS_CMP_HIDE_NUL: find hidden SSID with NUL-ed out mode 1401 */ 1402 enum bss_compare_mode { 1403 BSS_CMP_REGULAR, 1404 BSS_CMP_HIDE_ZLEN, 1405 BSS_CMP_HIDE_NUL, 1406 }; 1407 1408 static int cmp_bss(struct cfg80211_bss *a, 1409 struct cfg80211_bss *b, 1410 enum bss_compare_mode mode) 1411 { 1412 const struct cfg80211_bss_ies *a_ies, *b_ies; 1413 const u8 *ie1 = NULL; 1414 const u8 *ie2 = NULL; 1415 int i, r; 1416 1417 if (a->channel != b->channel) 1418 return (b->channel->center_freq * 1000 + b->channel->freq_offset) - 1419 (a->channel->center_freq * 1000 + a->channel->freq_offset); 1420 1421 a_ies = rcu_access_pointer(a->ies); 1422 if (!a_ies) 1423 return -1; 1424 b_ies = rcu_access_pointer(b->ies); 1425 if (!b_ies) 1426 return 1; 1427 1428 if (WLAN_CAPABILITY_IS_STA_BSS(a->capability)) 1429 ie1 = cfg80211_find_ie(WLAN_EID_MESH_ID, 1430 a_ies->data, a_ies->len); 1431 if (WLAN_CAPABILITY_IS_STA_BSS(b->capability)) 1432 ie2 = cfg80211_find_ie(WLAN_EID_MESH_ID, 1433 b_ies->data, b_ies->len); 1434 if (ie1 && ie2) { 1435 int mesh_id_cmp; 1436 1437 if (ie1[1] == ie2[1]) 1438 mesh_id_cmp = memcmp(ie1 + 2, ie2 + 2, ie1[1]); 1439 else 1440 mesh_id_cmp = ie2[1] - ie1[1]; 1441 1442 ie1 = cfg80211_find_ie(WLAN_EID_MESH_CONFIG, 1443 a_ies->data, a_ies->len); 1444 ie2 = cfg80211_find_ie(WLAN_EID_MESH_CONFIG, 1445 b_ies->data, b_ies->len); 1446 if (ie1 && ie2) { 1447 if (mesh_id_cmp) 1448 return mesh_id_cmp; 1449 if (ie1[1] != ie2[1]) 1450 return ie2[1] - ie1[1]; 1451 return memcmp(ie1 + 2, ie2 + 2, ie1[1]); 1452 } 1453 } 1454 1455 r = memcmp(a->bssid, b->bssid, sizeof(a->bssid)); 1456 if (r) 1457 return r; 1458 1459 ie1 = cfg80211_find_ie(WLAN_EID_SSID, a_ies->data, a_ies->len); 1460 ie2 = cfg80211_find_ie(WLAN_EID_SSID, b_ies->data, b_ies->len); 1461 1462 if (!ie1 && !ie2) 1463 return 0; 1464 1465 /* 1466 * Note that with "hide_ssid", the function returns a match if 1467 * the already-present BSS ("b") is a hidden SSID beacon for 1468 * the new BSS ("a"). 1469 */ 1470 1471 /* sort missing IE before (left of) present IE */ 1472 if (!ie1) 1473 return -1; 1474 if (!ie2) 1475 return 1; 1476 1477 switch (mode) { 1478 case BSS_CMP_HIDE_ZLEN: 1479 /* 1480 * In ZLEN mode we assume the BSS entry we're 1481 * looking for has a zero-length SSID. So if 1482 * the one we're looking at right now has that, 1483 * return 0. Otherwise, return the difference 1484 * in length, but since we're looking for the 1485 * 0-length it's really equivalent to returning 1486 * the length of the one we're looking at. 1487 * 1488 * No content comparison is needed as we assume 1489 * the content length is zero. 1490 */ 1491 return ie2[1]; 1492 case BSS_CMP_REGULAR: 1493 default: 1494 /* sort by length first, then by contents */ 1495 if (ie1[1] != ie2[1]) 1496 return ie2[1] - ie1[1]; 1497 return memcmp(ie1 + 2, ie2 + 2, ie1[1]); 1498 case BSS_CMP_HIDE_NUL: 1499 if (ie1[1] != ie2[1]) 1500 return ie2[1] - ie1[1]; 1501 /* this is equivalent to memcmp(zeroes, ie2 + 2, len) */ 1502 for (i = 0; i < ie2[1]; i++) 1503 if (ie2[i + 2]) 1504 return -1; 1505 return 0; 1506 } 1507 } 1508 1509 static bool cfg80211_bss_type_match(u16 capability, 1510 enum nl80211_band band, 1511 enum ieee80211_bss_type bss_type) 1512 { 1513 bool ret = true; 1514 u16 mask, val; 1515 1516 if (bss_type == IEEE80211_BSS_TYPE_ANY) 1517 return ret; 1518 1519 if (band == NL80211_BAND_60GHZ) { 1520 mask = WLAN_CAPABILITY_DMG_TYPE_MASK; 1521 switch (bss_type) { 1522 case IEEE80211_BSS_TYPE_ESS: 1523 val = WLAN_CAPABILITY_DMG_TYPE_AP; 1524 break; 1525 case IEEE80211_BSS_TYPE_PBSS: 1526 val = WLAN_CAPABILITY_DMG_TYPE_PBSS; 1527 break; 1528 case IEEE80211_BSS_TYPE_IBSS: 1529 val = WLAN_CAPABILITY_DMG_TYPE_IBSS; 1530 break; 1531 default: 1532 return false; 1533 } 1534 } else { 1535 mask = WLAN_CAPABILITY_ESS | WLAN_CAPABILITY_IBSS; 1536 switch (bss_type) { 1537 case IEEE80211_BSS_TYPE_ESS: 1538 val = WLAN_CAPABILITY_ESS; 1539 break; 1540 case IEEE80211_BSS_TYPE_IBSS: 1541 val = WLAN_CAPABILITY_IBSS; 1542 break; 1543 case IEEE80211_BSS_TYPE_MBSS: 1544 val = 0; 1545 break; 1546 default: 1547 return false; 1548 } 1549 } 1550 1551 ret = ((capability & mask) == val); 1552 return ret; 1553 } 1554 1555 /* Returned bss is reference counted and must be cleaned up appropriately. */ 1556 struct cfg80211_bss *__cfg80211_get_bss(struct wiphy *wiphy, 1557 struct ieee80211_channel *channel, 1558 const u8 *bssid, 1559 const u8 *ssid, size_t ssid_len, 1560 enum ieee80211_bss_type bss_type, 1561 enum ieee80211_privacy privacy, 1562 u32 use_for) 1563 { 1564 struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy); 1565 struct cfg80211_internal_bss *bss, *res = NULL; 1566 unsigned long now = jiffies; 1567 int bss_privacy; 1568 1569 trace_cfg80211_get_bss(wiphy, channel, bssid, ssid, ssid_len, bss_type, 1570 privacy); 1571 1572 spin_lock_bh(&rdev->bss_lock); 1573 1574 list_for_each_entry(bss, &rdev->bss_list, list) { 1575 if (!cfg80211_bss_type_match(bss->pub.capability, 1576 bss->pub.channel->band, bss_type)) 1577 continue; 1578 1579 bss_privacy = (bss->pub.capability & WLAN_CAPABILITY_PRIVACY); 1580 if ((privacy == IEEE80211_PRIVACY_ON && !bss_privacy) || 1581 (privacy == IEEE80211_PRIVACY_OFF && bss_privacy)) 1582 continue; 1583 if (channel && bss->pub.channel != channel) 1584 continue; 1585 if (!is_valid_ether_addr(bss->pub.bssid)) 1586 continue; 1587 if ((bss->pub.use_for & use_for) != use_for) 1588 continue; 1589 /* Don't get expired BSS structs */ 1590 if (time_after(now, bss->ts + IEEE80211_SCAN_RESULT_EXPIRE) && 1591 !atomic_read(&bss->hold)) 1592 continue; 1593 if (is_bss(&bss->pub, bssid, ssid, ssid_len)) { 1594 res = bss; 1595 bss_ref_get(rdev, res); 1596 break; 1597 } 1598 } 1599 1600 spin_unlock_bh(&rdev->bss_lock); 1601 if (!res) 1602 return NULL; 1603 trace_cfg80211_return_bss(&res->pub); 1604 return &res->pub; 1605 } 1606 EXPORT_SYMBOL(__cfg80211_get_bss); 1607 1608 static bool rb_insert_bss(struct cfg80211_registered_device *rdev, 1609 struct cfg80211_internal_bss *bss) 1610 { 1611 struct rb_node **p = &rdev->bss_tree.rb_node; 1612 struct rb_node *parent = NULL; 1613 struct cfg80211_internal_bss *tbss; 1614 int cmp; 1615 1616 while (*p) { 1617 parent = *p; 1618 tbss = rb_entry(parent, struct cfg80211_internal_bss, rbn); 1619 1620 cmp = cmp_bss(&bss->pub, &tbss->pub, BSS_CMP_REGULAR); 1621 1622 if (WARN_ON(!cmp)) { 1623 /* will sort of leak this BSS */ 1624 return false; 1625 } 1626 1627 if (cmp < 0) 1628 p = &(*p)->rb_left; 1629 else 1630 p = &(*p)->rb_right; 1631 } 1632 1633 rb_link_node(&bss->rbn, parent, p); 1634 rb_insert_color(&bss->rbn, &rdev->bss_tree); 1635 return true; 1636 } 1637 1638 static struct cfg80211_internal_bss * 1639 rb_find_bss(struct cfg80211_registered_device *rdev, 1640 struct cfg80211_internal_bss *res, 1641 enum bss_compare_mode mode) 1642 { 1643 struct rb_node *n = rdev->bss_tree.rb_node; 1644 struct cfg80211_internal_bss *bss; 1645 int r; 1646 1647 while (n) { 1648 bss = rb_entry(n, struct cfg80211_internal_bss, rbn); 1649 r = cmp_bss(&res->pub, &bss->pub, mode); 1650 1651 if (r == 0) 1652 return bss; 1653 else if (r < 0) 1654 n = n->rb_left; 1655 else 1656 n = n->rb_right; 1657 } 1658 1659 return NULL; 1660 } 1661 1662 static void cfg80211_insert_bss(struct cfg80211_registered_device *rdev, 1663 struct cfg80211_internal_bss *bss) 1664 { 1665 lockdep_assert_held(&rdev->bss_lock); 1666 1667 if (!rb_insert_bss(rdev, bss)) 1668 return; 1669 list_add_tail(&bss->list, &rdev->bss_list); 1670 rdev->bss_entries++; 1671 } 1672 1673 static void cfg80211_rehash_bss(struct cfg80211_registered_device *rdev, 1674 struct cfg80211_internal_bss *bss) 1675 { 1676 lockdep_assert_held(&rdev->bss_lock); 1677 1678 rb_erase(&bss->rbn, &rdev->bss_tree); 1679 if (!rb_insert_bss(rdev, bss)) { 1680 list_del(&bss->list); 1681 if (!list_empty(&bss->hidden_list)) 1682 list_del_init(&bss->hidden_list); 1683 if (!list_empty(&bss->pub.nontrans_list)) 1684 list_del_init(&bss->pub.nontrans_list); 1685 rdev->bss_entries--; 1686 } 1687 rdev->bss_generation++; 1688 } 1689 1690 static bool cfg80211_combine_bsses(struct cfg80211_registered_device *rdev, 1691 struct cfg80211_internal_bss *new) 1692 { 1693 const struct cfg80211_bss_ies *ies; 1694 struct cfg80211_internal_bss *bss; 1695 const u8 *ie; 1696 int i, ssidlen; 1697 u8 fold = 0; 1698 u32 n_entries = 0; 1699 1700 ies = rcu_access_pointer(new->pub.beacon_ies); 1701 if (WARN_ON(!ies)) 1702 return false; 1703 1704 ie = cfg80211_find_ie(WLAN_EID_SSID, ies->data, ies->len); 1705 if (!ie) { 1706 /* nothing to do */ 1707 return true; 1708 } 1709 1710 ssidlen = ie[1]; 1711 for (i = 0; i < ssidlen; i++) 1712 fold |= ie[2 + i]; 1713 1714 if (fold) { 1715 /* not a hidden SSID */ 1716 return true; 1717 } 1718 1719 /* This is the bad part ... */ 1720 1721 list_for_each_entry(bss, &rdev->bss_list, list) { 1722 /* 1723 * we're iterating all the entries anyway, so take the 1724 * opportunity to validate the list length accounting 1725 */ 1726 n_entries++; 1727 1728 if (!ether_addr_equal(bss->pub.bssid, new->pub.bssid)) 1729 continue; 1730 if (bss->pub.channel != new->pub.channel) 1731 continue; 1732 if (rcu_access_pointer(bss->pub.beacon_ies)) 1733 continue; 1734 ies = rcu_access_pointer(bss->pub.ies); 1735 if (!ies) 1736 continue; 1737 ie = cfg80211_find_ie(WLAN_EID_SSID, ies->data, ies->len); 1738 if (!ie) 1739 continue; 1740 if (ssidlen && ie[1] != ssidlen) 1741 continue; 1742 if (WARN_ON_ONCE(bss->pub.hidden_beacon_bss)) 1743 continue; 1744 if (WARN_ON_ONCE(!list_empty(&bss->hidden_list))) 1745 list_del(&bss->hidden_list); 1746 /* combine them */ 1747 list_add(&bss->hidden_list, &new->hidden_list); 1748 bss->pub.hidden_beacon_bss = &new->pub; 1749 new->refcount += bss->refcount; 1750 rcu_assign_pointer(bss->pub.beacon_ies, 1751 new->pub.beacon_ies); 1752 } 1753 1754 WARN_ONCE(n_entries != rdev->bss_entries, 1755 "rdev bss entries[%d]/list[len:%d] corruption\n", 1756 rdev->bss_entries, n_entries); 1757 1758 return true; 1759 } 1760 1761 static void cfg80211_update_hidden_bsses(struct cfg80211_internal_bss *known, 1762 const struct cfg80211_bss_ies *new_ies, 1763 const struct cfg80211_bss_ies *old_ies) 1764 { 1765 struct cfg80211_internal_bss *bss; 1766 1767 /* Assign beacon IEs to all sub entries */ 1768 list_for_each_entry(bss, &known->hidden_list, hidden_list) { 1769 const struct cfg80211_bss_ies *ies; 1770 1771 ies = rcu_access_pointer(bss->pub.beacon_ies); 1772 WARN_ON(ies != old_ies); 1773 1774 rcu_assign_pointer(bss->pub.beacon_ies, new_ies); 1775 } 1776 } 1777 1778 static void cfg80211_check_stuck_ecsa(struct cfg80211_registered_device *rdev, 1779 struct cfg80211_internal_bss *known, 1780 const struct cfg80211_bss_ies *old) 1781 { 1782 const struct ieee80211_ext_chansw_ie *ecsa; 1783 const struct element *elem_new, *elem_old; 1784 const struct cfg80211_bss_ies *new, *bcn; 1785 1786 if (known->pub.proberesp_ecsa_stuck) 1787 return; 1788 1789 new = rcu_dereference_protected(known->pub.proberesp_ies, 1790 lockdep_is_held(&rdev->bss_lock)); 1791 if (WARN_ON(!new)) 1792 return; 1793 1794 if (new->tsf - old->tsf < USEC_PER_SEC) 1795 return; 1796 1797 elem_old = cfg80211_find_elem(WLAN_EID_EXT_CHANSWITCH_ANN, 1798 old->data, old->len); 1799 if (!elem_old) 1800 return; 1801 1802 elem_new = cfg80211_find_elem(WLAN_EID_EXT_CHANSWITCH_ANN, 1803 new->data, new->len); 1804 if (!elem_new) 1805 return; 1806 1807 bcn = rcu_dereference_protected(known->pub.beacon_ies, 1808 lockdep_is_held(&rdev->bss_lock)); 1809 if (bcn && 1810 cfg80211_find_elem(WLAN_EID_EXT_CHANSWITCH_ANN, 1811 bcn->data, bcn->len)) 1812 return; 1813 1814 if (elem_new->datalen != elem_old->datalen) 1815 return; 1816 if (elem_new->datalen < sizeof(struct ieee80211_ext_chansw_ie)) 1817 return; 1818 if (memcmp(elem_new->data, elem_old->data, elem_new->datalen)) 1819 return; 1820 1821 ecsa = (void *)elem_new->data; 1822 1823 if (!ecsa->mode) 1824 return; 1825 1826 if (ecsa->new_ch_num != 1827 ieee80211_frequency_to_channel(known->pub.channel->center_freq)) 1828 return; 1829 1830 known->pub.proberesp_ecsa_stuck = 1; 1831 } 1832 1833 static bool 1834 cfg80211_update_known_bss(struct cfg80211_registered_device *rdev, 1835 struct cfg80211_internal_bss *known, 1836 struct cfg80211_internal_bss *new, 1837 bool signal_valid) 1838 { 1839 lockdep_assert_held(&rdev->bss_lock); 1840 1841 /* Update IEs */ 1842 if (rcu_access_pointer(new->pub.proberesp_ies)) { 1843 const struct cfg80211_bss_ies *old; 1844 1845 old = rcu_access_pointer(known->pub.proberesp_ies); 1846 1847 rcu_assign_pointer(known->pub.proberesp_ies, 1848 new->pub.proberesp_ies); 1849 /* Override possible earlier Beacon frame IEs */ 1850 rcu_assign_pointer(known->pub.ies, 1851 new->pub.proberesp_ies); 1852 if (old) { 1853 cfg80211_check_stuck_ecsa(rdev, known, old); 1854 kfree_rcu((struct cfg80211_bss_ies *)old, rcu_head); 1855 } 1856 } 1857 1858 if (rcu_access_pointer(new->pub.beacon_ies)) { 1859 const struct cfg80211_bss_ies *old; 1860 1861 if (known->pub.hidden_beacon_bss && 1862 !list_empty(&known->hidden_list)) { 1863 const struct cfg80211_bss_ies *f; 1864 1865 /* The known BSS struct is one of the probe 1866 * response members of a group, but we're 1867 * receiving a beacon (beacon_ies in the new 1868 * bss is used). This can only mean that the 1869 * AP changed its beacon from not having an 1870 * SSID to showing it, which is confusing so 1871 * drop this information. 1872 */ 1873 1874 f = rcu_access_pointer(new->pub.beacon_ies); 1875 kfree_rcu((struct cfg80211_bss_ies *)f, rcu_head); 1876 return false; 1877 } 1878 1879 old = rcu_access_pointer(known->pub.beacon_ies); 1880 1881 rcu_assign_pointer(known->pub.beacon_ies, new->pub.beacon_ies); 1882 1883 /* Override IEs if they were from a beacon before */ 1884 if (old == rcu_access_pointer(known->pub.ies)) 1885 rcu_assign_pointer(known->pub.ies, new->pub.beacon_ies); 1886 1887 cfg80211_update_hidden_bsses(known, 1888 rcu_access_pointer(new->pub.beacon_ies), 1889 old); 1890 1891 if (old) 1892 kfree_rcu((struct cfg80211_bss_ies *)old, rcu_head); 1893 } 1894 1895 known->pub.beacon_interval = new->pub.beacon_interval; 1896 1897 /* don't update the signal if beacon was heard on 1898 * adjacent channel. 1899 */ 1900 if (signal_valid) 1901 known->pub.signal = new->pub.signal; 1902 known->pub.capability = new->pub.capability; 1903 known->ts = new->ts; 1904 known->ts_boottime = new->ts_boottime; 1905 known->parent_tsf = new->parent_tsf; 1906 known->pub.chains = new->pub.chains; 1907 memcpy(known->pub.chain_signal, new->pub.chain_signal, 1908 IEEE80211_MAX_CHAINS); 1909 ether_addr_copy(known->parent_bssid, new->parent_bssid); 1910 known->pub.max_bssid_indicator = new->pub.max_bssid_indicator; 1911 known->pub.bssid_index = new->pub.bssid_index; 1912 known->pub.use_for &= new->pub.use_for; 1913 known->pub.cannot_use_reasons = new->pub.cannot_use_reasons; 1914 known->bss_source = new->bss_source; 1915 1916 return true; 1917 } 1918 1919 /* Returned bss is reference counted and must be cleaned up appropriately. */ 1920 static struct cfg80211_internal_bss * 1921 __cfg80211_bss_update(struct cfg80211_registered_device *rdev, 1922 struct cfg80211_internal_bss *tmp, 1923 bool signal_valid, unsigned long ts) 1924 { 1925 struct cfg80211_internal_bss *found = NULL; 1926 struct cfg80211_bss_ies *ies; 1927 1928 if (WARN_ON(!tmp->pub.channel)) 1929 goto free_ies; 1930 1931 tmp->ts = ts; 1932 1933 if (WARN_ON(!rcu_access_pointer(tmp->pub.ies))) 1934 goto free_ies; 1935 1936 found = rb_find_bss(rdev, tmp, BSS_CMP_REGULAR); 1937 1938 if (found) { 1939 if (!cfg80211_update_known_bss(rdev, found, tmp, signal_valid)) 1940 return NULL; 1941 } else { 1942 struct cfg80211_internal_bss *new; 1943 struct cfg80211_internal_bss *hidden; 1944 1945 /* 1946 * create a copy -- the "res" variable that is passed in 1947 * is allocated on the stack since it's not needed in the 1948 * more common case of an update 1949 */ 1950 new = kzalloc(sizeof(*new) + rdev->wiphy.bss_priv_size, 1951 GFP_ATOMIC); 1952 if (!new) 1953 goto free_ies; 1954 memcpy(new, tmp, sizeof(*new)); 1955 new->refcount = 1; 1956 INIT_LIST_HEAD(&new->hidden_list); 1957 INIT_LIST_HEAD(&new->pub.nontrans_list); 1958 /* we'll set this later if it was non-NULL */ 1959 new->pub.transmitted_bss = NULL; 1960 1961 if (rcu_access_pointer(tmp->pub.proberesp_ies)) { 1962 hidden = rb_find_bss(rdev, tmp, BSS_CMP_HIDE_ZLEN); 1963 if (!hidden) 1964 hidden = rb_find_bss(rdev, tmp, 1965 BSS_CMP_HIDE_NUL); 1966 if (hidden) { 1967 new->pub.hidden_beacon_bss = &hidden->pub; 1968 list_add(&new->hidden_list, 1969 &hidden->hidden_list); 1970 hidden->refcount++; 1971 1972 ies = (void *)rcu_access_pointer(new->pub.beacon_ies); 1973 rcu_assign_pointer(new->pub.beacon_ies, 1974 hidden->pub.beacon_ies); 1975 if (ies) 1976 kfree_rcu(ies, rcu_head); 1977 } 1978 } else { 1979 /* 1980 * Ok so we found a beacon, and don't have an entry. If 1981 * it's a beacon with hidden SSID, we might be in for an 1982 * expensive search for any probe responses that should 1983 * be grouped with this beacon for updates ... 1984 */ 1985 if (!cfg80211_combine_bsses(rdev, new)) { 1986 bss_ref_put(rdev, new); 1987 return NULL; 1988 } 1989 } 1990 1991 if (rdev->bss_entries >= bss_entries_limit && 1992 !cfg80211_bss_expire_oldest(rdev)) { 1993 bss_ref_put(rdev, new); 1994 return NULL; 1995 } 1996 1997 /* This must be before the call to bss_ref_get */ 1998 if (tmp->pub.transmitted_bss) { 1999 new->pub.transmitted_bss = tmp->pub.transmitted_bss; 2000 bss_ref_get(rdev, bss_from_pub(tmp->pub.transmitted_bss)); 2001 } 2002 2003 cfg80211_insert_bss(rdev, new); 2004 found = new; 2005 } 2006 2007 rdev->bss_generation++; 2008 bss_ref_get(rdev, found); 2009 2010 return found; 2011 2012 free_ies: 2013 ies = (void *)rcu_access_pointer(tmp->pub.beacon_ies); 2014 if (ies) 2015 kfree_rcu(ies, rcu_head); 2016 ies = (void *)rcu_access_pointer(tmp->pub.proberesp_ies); 2017 if (ies) 2018 kfree_rcu(ies, rcu_head); 2019 2020 return NULL; 2021 } 2022 2023 struct cfg80211_internal_bss * 2024 cfg80211_bss_update(struct cfg80211_registered_device *rdev, 2025 struct cfg80211_internal_bss *tmp, 2026 bool signal_valid, unsigned long ts) 2027 { 2028 struct cfg80211_internal_bss *res; 2029 2030 spin_lock_bh(&rdev->bss_lock); 2031 res = __cfg80211_bss_update(rdev, tmp, signal_valid, ts); 2032 spin_unlock_bh(&rdev->bss_lock); 2033 2034 return res; 2035 } 2036 2037 int cfg80211_get_ies_channel_number(const u8 *ie, size_t ielen, 2038 enum nl80211_band band) 2039 { 2040 const struct element *tmp; 2041 2042 if (band == NL80211_BAND_6GHZ) { 2043 struct ieee80211_he_operation *he_oper; 2044 2045 tmp = cfg80211_find_ext_elem(WLAN_EID_EXT_HE_OPERATION, ie, 2046 ielen); 2047 if (tmp && tmp->datalen >= sizeof(*he_oper) && 2048 tmp->datalen >= ieee80211_he_oper_size(&tmp->data[1])) { 2049 const struct ieee80211_he_6ghz_oper *he_6ghz_oper; 2050 2051 he_oper = (void *)&tmp->data[1]; 2052 2053 he_6ghz_oper = ieee80211_he_6ghz_oper(he_oper); 2054 if (!he_6ghz_oper) 2055 return -1; 2056 2057 return he_6ghz_oper->primary; 2058 } 2059 } else if (band == NL80211_BAND_S1GHZ) { 2060 tmp = cfg80211_find_elem(WLAN_EID_S1G_OPERATION, ie, ielen); 2061 if (tmp && tmp->datalen >= sizeof(struct ieee80211_s1g_oper_ie)) { 2062 struct ieee80211_s1g_oper_ie *s1gop = (void *)tmp->data; 2063 2064 return s1gop->oper_ch; 2065 } 2066 } else { 2067 tmp = cfg80211_find_elem(WLAN_EID_DS_PARAMS, ie, ielen); 2068 if (tmp && tmp->datalen == 1) 2069 return tmp->data[0]; 2070 2071 tmp = cfg80211_find_elem(WLAN_EID_HT_OPERATION, ie, ielen); 2072 if (tmp && 2073 tmp->datalen >= sizeof(struct ieee80211_ht_operation)) { 2074 struct ieee80211_ht_operation *htop = (void *)tmp->data; 2075 2076 return htop->primary_chan; 2077 } 2078 } 2079 2080 return -1; 2081 } 2082 EXPORT_SYMBOL(cfg80211_get_ies_channel_number); 2083 2084 /* 2085 * Update RX channel information based on the available frame payload 2086 * information. This is mainly for the 2.4 GHz band where frames can be received 2087 * from neighboring channels and the Beacon frames use the DSSS Parameter Set 2088 * element to indicate the current (transmitting) channel, but this might also 2089 * be needed on other bands if RX frequency does not match with the actual 2090 * operating channel of a BSS, or if the AP reports a different primary channel. 2091 */ 2092 static struct ieee80211_channel * 2093 cfg80211_get_bss_channel(struct wiphy *wiphy, const u8 *ie, size_t ielen, 2094 struct ieee80211_channel *channel) 2095 { 2096 u32 freq; 2097 int channel_number; 2098 struct ieee80211_channel *alt_channel; 2099 2100 channel_number = cfg80211_get_ies_channel_number(ie, ielen, 2101 channel->band); 2102 2103 if (channel_number < 0) { 2104 /* No channel information in frame payload */ 2105 return channel; 2106 } 2107 2108 freq = ieee80211_channel_to_freq_khz(channel_number, channel->band); 2109 2110 /* 2111 * Frame info (beacon/prob res) is the same as received channel, 2112 * no need for further processing. 2113 */ 2114 if (freq == ieee80211_channel_to_khz(channel)) 2115 return channel; 2116 2117 alt_channel = ieee80211_get_channel_khz(wiphy, freq); 2118 if (!alt_channel) { 2119 if (channel->band == NL80211_BAND_2GHZ || 2120 channel->band == NL80211_BAND_6GHZ) { 2121 /* 2122 * Better not allow unexpected channels when that could 2123 * be going beyond the 1-11 range (e.g., discovering 2124 * BSS on channel 12 when radio is configured for 2125 * channel 11) or beyond the 6 GHz channel range. 2126 */ 2127 return NULL; 2128 } 2129 2130 /* No match for the payload channel number - ignore it */ 2131 return channel; 2132 } 2133 2134 /* 2135 * Use the channel determined through the payload channel number 2136 * instead of the RX channel reported by the driver. 2137 */ 2138 if (alt_channel->flags & IEEE80211_CHAN_DISABLED) 2139 return NULL; 2140 return alt_channel; 2141 } 2142 2143 struct cfg80211_inform_single_bss_data { 2144 struct cfg80211_inform_bss *drv_data; 2145 enum cfg80211_bss_frame_type ftype; 2146 struct ieee80211_channel *channel; 2147 u8 bssid[ETH_ALEN]; 2148 u64 tsf; 2149 u16 capability; 2150 u16 beacon_interval; 2151 const u8 *ie; 2152 size_t ielen; 2153 2154 enum bss_source_type bss_source; 2155 /* Set if reporting bss_source != BSS_SOURCE_DIRECT */ 2156 struct cfg80211_bss *source_bss; 2157 u8 max_bssid_indicator; 2158 u8 bssid_index; 2159 2160 u8 use_for; 2161 u64 cannot_use_reasons; 2162 }; 2163 2164 enum ieee80211_ap_reg_power 2165 cfg80211_get_6ghz_power_type(const u8 *elems, size_t elems_len) 2166 { 2167 const struct ieee80211_he_6ghz_oper *he_6ghz_oper; 2168 struct ieee80211_he_operation *he_oper; 2169 const struct element *tmp; 2170 2171 tmp = cfg80211_find_ext_elem(WLAN_EID_EXT_HE_OPERATION, 2172 elems, elems_len); 2173 if (!tmp || tmp->datalen < sizeof(*he_oper) + 1 || 2174 tmp->datalen < ieee80211_he_oper_size(tmp->data + 1)) 2175 return IEEE80211_REG_UNSET_AP; 2176 2177 he_oper = (void *)&tmp->data[1]; 2178 he_6ghz_oper = ieee80211_he_6ghz_oper(he_oper); 2179 2180 if (!he_6ghz_oper) 2181 return IEEE80211_REG_UNSET_AP; 2182 2183 switch (u8_get_bits(he_6ghz_oper->control, 2184 IEEE80211_HE_6GHZ_OPER_CTRL_REG_INFO)) { 2185 case IEEE80211_6GHZ_CTRL_REG_LPI_AP: 2186 case IEEE80211_6GHZ_CTRL_REG_INDOOR_LPI_AP: 2187 return IEEE80211_REG_LPI_AP; 2188 case IEEE80211_6GHZ_CTRL_REG_SP_AP: 2189 case IEEE80211_6GHZ_CTRL_REG_INDOOR_SP_AP: 2190 return IEEE80211_REG_SP_AP; 2191 case IEEE80211_6GHZ_CTRL_REG_VLP_AP: 2192 return IEEE80211_REG_VLP_AP; 2193 default: 2194 return IEEE80211_REG_UNSET_AP; 2195 } 2196 } 2197 2198 static bool cfg80211_6ghz_power_type_valid(const u8 *elems, size_t elems_len, 2199 const u32 flags) 2200 { 2201 switch (cfg80211_get_6ghz_power_type(elems, elems_len)) { 2202 case IEEE80211_REG_LPI_AP: 2203 return true; 2204 case IEEE80211_REG_SP_AP: 2205 return !(flags & IEEE80211_CHAN_NO_6GHZ_AFC_CLIENT); 2206 case IEEE80211_REG_VLP_AP: 2207 return !(flags & IEEE80211_CHAN_NO_6GHZ_VLP_CLIENT); 2208 default: 2209 return false; 2210 } 2211 } 2212 2213 /* Returned bss is reference counted and must be cleaned up appropriately. */ 2214 static struct cfg80211_bss * 2215 cfg80211_inform_single_bss_data(struct wiphy *wiphy, 2216 struct cfg80211_inform_single_bss_data *data, 2217 gfp_t gfp) 2218 { 2219 struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy); 2220 struct cfg80211_inform_bss *drv_data = data->drv_data; 2221 struct cfg80211_bss_ies *ies; 2222 struct ieee80211_channel *channel; 2223 struct cfg80211_internal_bss tmp = {}, *res; 2224 int bss_type; 2225 bool signal_valid; 2226 unsigned long ts; 2227 2228 if (WARN_ON(!wiphy)) 2229 return NULL; 2230 2231 if (WARN_ON(wiphy->signal_type == CFG80211_SIGNAL_TYPE_UNSPEC && 2232 (drv_data->signal < 0 || drv_data->signal > 100))) 2233 return NULL; 2234 2235 if (WARN_ON(data->bss_source != BSS_SOURCE_DIRECT && !data->source_bss)) 2236 return NULL; 2237 2238 channel = data->channel; 2239 if (!channel) 2240 channel = cfg80211_get_bss_channel(wiphy, data->ie, data->ielen, 2241 drv_data->chan); 2242 if (!channel) 2243 return NULL; 2244 2245 if (channel->band == NL80211_BAND_6GHZ && 2246 !cfg80211_6ghz_power_type_valid(data->ie, data->ielen, 2247 channel->flags)) { 2248 data->use_for = 0; 2249 data->cannot_use_reasons = 2250 NL80211_BSS_CANNOT_USE_6GHZ_PWR_MISMATCH; 2251 } 2252 2253 memcpy(tmp.pub.bssid, data->bssid, ETH_ALEN); 2254 tmp.pub.channel = channel; 2255 if (data->bss_source != BSS_SOURCE_STA_PROFILE) 2256 tmp.pub.signal = drv_data->signal; 2257 else 2258 tmp.pub.signal = 0; 2259 tmp.pub.beacon_interval = data->beacon_interval; 2260 tmp.pub.capability = data->capability; 2261 tmp.ts_boottime = drv_data->boottime_ns; 2262 tmp.parent_tsf = drv_data->parent_tsf; 2263 ether_addr_copy(tmp.parent_bssid, drv_data->parent_bssid); 2264 tmp.pub.chains = drv_data->chains; 2265 memcpy(tmp.pub.chain_signal, drv_data->chain_signal, 2266 IEEE80211_MAX_CHAINS); 2267 tmp.pub.use_for = data->use_for; 2268 tmp.pub.cannot_use_reasons = data->cannot_use_reasons; 2269 tmp.bss_source = data->bss_source; 2270 2271 switch (data->bss_source) { 2272 case BSS_SOURCE_MBSSID: 2273 tmp.pub.transmitted_bss = data->source_bss; 2274 fallthrough; 2275 case BSS_SOURCE_STA_PROFILE: 2276 ts = bss_from_pub(data->source_bss)->ts; 2277 tmp.pub.bssid_index = data->bssid_index; 2278 tmp.pub.max_bssid_indicator = data->max_bssid_indicator; 2279 break; 2280 case BSS_SOURCE_DIRECT: 2281 ts = jiffies; 2282 2283 if (channel->band == NL80211_BAND_60GHZ) { 2284 bss_type = data->capability & 2285 WLAN_CAPABILITY_DMG_TYPE_MASK; 2286 if (bss_type == WLAN_CAPABILITY_DMG_TYPE_AP || 2287 bss_type == WLAN_CAPABILITY_DMG_TYPE_PBSS) 2288 regulatory_hint_found_beacon(wiphy, channel, 2289 gfp); 2290 } else { 2291 if (data->capability & WLAN_CAPABILITY_ESS) 2292 regulatory_hint_found_beacon(wiphy, channel, 2293 gfp); 2294 } 2295 break; 2296 } 2297 2298 /* 2299 * If we do not know here whether the IEs are from a Beacon or Probe 2300 * Response frame, we need to pick one of the options and only use it 2301 * with the driver that does not provide the full Beacon/Probe Response 2302 * frame. Use Beacon frame pointer to avoid indicating that this should 2303 * override the IEs pointer should we have received an earlier 2304 * indication of Probe Response data. 2305 */ 2306 ies = kzalloc(sizeof(*ies) + data->ielen, gfp); 2307 if (!ies) 2308 return NULL; 2309 ies->len = data->ielen; 2310 ies->tsf = data->tsf; 2311 ies->from_beacon = false; 2312 memcpy(ies->data, data->ie, data->ielen); 2313 2314 switch (data->ftype) { 2315 case CFG80211_BSS_FTYPE_BEACON: 2316 case CFG80211_BSS_FTYPE_S1G_BEACON: 2317 ies->from_beacon = true; 2318 fallthrough; 2319 case CFG80211_BSS_FTYPE_UNKNOWN: 2320 rcu_assign_pointer(tmp.pub.beacon_ies, ies); 2321 break; 2322 case CFG80211_BSS_FTYPE_PRESP: 2323 rcu_assign_pointer(tmp.pub.proberesp_ies, ies); 2324 break; 2325 } 2326 rcu_assign_pointer(tmp.pub.ies, ies); 2327 2328 signal_valid = drv_data->chan == channel; 2329 spin_lock_bh(&rdev->bss_lock); 2330 res = __cfg80211_bss_update(rdev, &tmp, signal_valid, ts); 2331 if (!res) 2332 goto drop; 2333 2334 rdev_inform_bss(rdev, &res->pub, ies, drv_data->drv_data); 2335 2336 if (data->bss_source == BSS_SOURCE_MBSSID) { 2337 /* this is a nontransmitting bss, we need to add it to 2338 * transmitting bss' list if it is not there 2339 */ 2340 if (cfg80211_add_nontrans_list(data->source_bss, &res->pub)) { 2341 if (__cfg80211_unlink_bss(rdev, res)) { 2342 rdev->bss_generation++; 2343 res = NULL; 2344 } 2345 } 2346 2347 if (!res) 2348 goto drop; 2349 } 2350 spin_unlock_bh(&rdev->bss_lock); 2351 2352 trace_cfg80211_return_bss(&res->pub); 2353 /* __cfg80211_bss_update gives us a referenced result */ 2354 return &res->pub; 2355 2356 drop: 2357 spin_unlock_bh(&rdev->bss_lock); 2358 return NULL; 2359 } 2360 2361 static const struct element 2362 *cfg80211_get_profile_continuation(const u8 *ie, size_t ielen, 2363 const struct element *mbssid_elem, 2364 const struct element *sub_elem) 2365 { 2366 const u8 *mbssid_end = mbssid_elem->data + mbssid_elem->datalen; 2367 const struct element *next_mbssid; 2368 const struct element *next_sub; 2369 2370 next_mbssid = cfg80211_find_elem(WLAN_EID_MULTIPLE_BSSID, 2371 mbssid_end, 2372 ielen - (mbssid_end - ie)); 2373 2374 /* 2375 * If it is not the last subelement in current MBSSID IE or there isn't 2376 * a next MBSSID IE - profile is complete. 2377 */ 2378 if ((sub_elem->data + sub_elem->datalen < mbssid_end - 1) || 2379 !next_mbssid) 2380 return NULL; 2381 2382 /* For any length error, just return NULL */ 2383 2384 if (next_mbssid->datalen < 4) 2385 return NULL; 2386 2387 next_sub = (void *)&next_mbssid->data[1]; 2388 2389 if (next_mbssid->data + next_mbssid->datalen < 2390 next_sub->data + next_sub->datalen) 2391 return NULL; 2392 2393 if (next_sub->id != 0 || next_sub->datalen < 2) 2394 return NULL; 2395 2396 /* 2397 * Check if the first element in the next sub element is a start 2398 * of a new profile 2399 */ 2400 return next_sub->data[0] == WLAN_EID_NON_TX_BSSID_CAP ? 2401 NULL : next_mbssid; 2402 } 2403 2404 size_t cfg80211_merge_profile(const u8 *ie, size_t ielen, 2405 const struct element *mbssid_elem, 2406 const struct element *sub_elem, 2407 u8 *merged_ie, size_t max_copy_len) 2408 { 2409 size_t copied_len = sub_elem->datalen; 2410 const struct element *next_mbssid; 2411 2412 if (sub_elem->datalen > max_copy_len) 2413 return 0; 2414 2415 memcpy(merged_ie, sub_elem->data, sub_elem->datalen); 2416 2417 while ((next_mbssid = cfg80211_get_profile_continuation(ie, ielen, 2418 mbssid_elem, 2419 sub_elem))) { 2420 const struct element *next_sub = (void *)&next_mbssid->data[1]; 2421 2422 if (copied_len + next_sub->datalen > max_copy_len) 2423 break; 2424 memcpy(merged_ie + copied_len, next_sub->data, 2425 next_sub->datalen); 2426 copied_len += next_sub->datalen; 2427 } 2428 2429 return copied_len; 2430 } 2431 EXPORT_SYMBOL(cfg80211_merge_profile); 2432 2433 static void 2434 cfg80211_parse_mbssid_data(struct wiphy *wiphy, 2435 struct cfg80211_inform_single_bss_data *tx_data, 2436 struct cfg80211_bss *source_bss, 2437 gfp_t gfp) 2438 { 2439 struct cfg80211_inform_single_bss_data data = { 2440 .drv_data = tx_data->drv_data, 2441 .ftype = tx_data->ftype, 2442 .tsf = tx_data->tsf, 2443 .beacon_interval = tx_data->beacon_interval, 2444 .source_bss = source_bss, 2445 .bss_source = BSS_SOURCE_MBSSID, 2446 .use_for = tx_data->use_for, 2447 .cannot_use_reasons = tx_data->cannot_use_reasons, 2448 }; 2449 const u8 *mbssid_index_ie; 2450 const struct element *elem, *sub; 2451 u8 *new_ie, *profile; 2452 u64 seen_indices = 0; 2453 struct cfg80211_bss *bss; 2454 2455 if (!source_bss) 2456 return; 2457 if (!cfg80211_find_elem(WLAN_EID_MULTIPLE_BSSID, 2458 tx_data->ie, tx_data->ielen)) 2459 return; 2460 if (!wiphy->support_mbssid) 2461 return; 2462 if (wiphy->support_only_he_mbssid && 2463 !cfg80211_find_ext_elem(WLAN_EID_EXT_HE_CAPABILITY, 2464 tx_data->ie, tx_data->ielen)) 2465 return; 2466 2467 new_ie = kmalloc(IEEE80211_MAX_DATA_LEN, gfp); 2468 if (!new_ie) 2469 return; 2470 2471 profile = kmalloc(tx_data->ielen, gfp); 2472 if (!profile) 2473 goto out; 2474 2475 for_each_element_id(elem, WLAN_EID_MULTIPLE_BSSID, 2476 tx_data->ie, tx_data->ielen) { 2477 if (elem->datalen < 4) 2478 continue; 2479 if (elem->data[0] < 1 || (int)elem->data[0] > 8) 2480 continue; 2481 for_each_element(sub, elem->data + 1, elem->datalen - 1) { 2482 u8 profile_len; 2483 2484 if (sub->id != 0 || sub->datalen < 4) { 2485 /* not a valid BSS profile */ 2486 continue; 2487 } 2488 2489 if (sub->data[0] != WLAN_EID_NON_TX_BSSID_CAP || 2490 sub->data[1] != 2) { 2491 /* The first element within the Nontransmitted 2492 * BSSID Profile is not the Nontransmitted 2493 * BSSID Capability element. 2494 */ 2495 continue; 2496 } 2497 2498 memset(profile, 0, tx_data->ielen); 2499 profile_len = cfg80211_merge_profile(tx_data->ie, 2500 tx_data->ielen, 2501 elem, 2502 sub, 2503 profile, 2504 tx_data->ielen); 2505 2506 /* found a Nontransmitted BSSID Profile */ 2507 mbssid_index_ie = cfg80211_find_ie 2508 (WLAN_EID_MULTI_BSSID_IDX, 2509 profile, profile_len); 2510 if (!mbssid_index_ie || mbssid_index_ie[1] < 1 || 2511 mbssid_index_ie[2] == 0 || 2512 mbssid_index_ie[2] > 46 || 2513 mbssid_index_ie[2] >= (1 << elem->data[0])) { 2514 /* No valid Multiple BSSID-Index element */ 2515 continue; 2516 } 2517 2518 if (seen_indices & BIT_ULL(mbssid_index_ie[2])) 2519 /* We don't support legacy split of a profile */ 2520 net_dbg_ratelimited("Partial info for BSSID index %d\n", 2521 mbssid_index_ie[2]); 2522 2523 seen_indices |= BIT_ULL(mbssid_index_ie[2]); 2524 2525 data.bssid_index = mbssid_index_ie[2]; 2526 data.max_bssid_indicator = elem->data[0]; 2527 2528 cfg80211_gen_new_bssid(tx_data->bssid, 2529 data.max_bssid_indicator, 2530 data.bssid_index, 2531 data.bssid); 2532 2533 memset(new_ie, 0, IEEE80211_MAX_DATA_LEN); 2534 data.ie = new_ie; 2535 data.ielen = cfg80211_gen_new_ie(tx_data->ie, 2536 tx_data->ielen, 2537 profile, 2538 profile_len, 2539 new_ie, 2540 IEEE80211_MAX_DATA_LEN); 2541 if (!data.ielen) 2542 continue; 2543 2544 data.capability = get_unaligned_le16(profile + 2); 2545 bss = cfg80211_inform_single_bss_data(wiphy, &data, gfp); 2546 if (!bss) 2547 break; 2548 cfg80211_put_bss(wiphy, bss); 2549 } 2550 } 2551 2552 out: 2553 kfree(new_ie); 2554 kfree(profile); 2555 } 2556 2557 ssize_t cfg80211_defragment_element(const struct element *elem, const u8 *ies, 2558 size_t ieslen, u8 *data, size_t data_len, 2559 u8 frag_id) 2560 { 2561 const struct element *next; 2562 ssize_t copied; 2563 u8 elem_datalen; 2564 2565 if (!elem) 2566 return -EINVAL; 2567 2568 /* elem might be invalid after the memmove */ 2569 next = (void *)(elem->data + elem->datalen); 2570 elem_datalen = elem->datalen; 2571 2572 if (elem->id == WLAN_EID_EXTENSION) { 2573 copied = elem->datalen - 1; 2574 2575 if (data) { 2576 if (copied > data_len) 2577 return -ENOSPC; 2578 2579 memmove(data, elem->data + 1, copied); 2580 } 2581 } else { 2582 copied = elem->datalen; 2583 2584 if (data) { 2585 if (copied > data_len) 2586 return -ENOSPC; 2587 2588 memmove(data, elem->data, copied); 2589 } 2590 } 2591 2592 /* Fragmented elements must have 255 bytes */ 2593 if (elem_datalen < 255) 2594 return copied; 2595 2596 for (elem = next; 2597 elem->data < ies + ieslen && 2598 elem->data + elem->datalen <= ies + ieslen; 2599 elem = next) { 2600 /* elem might be invalid after the memmove */ 2601 next = (void *)(elem->data + elem->datalen); 2602 2603 if (elem->id != frag_id) 2604 break; 2605 2606 elem_datalen = elem->datalen; 2607 2608 if (data) { 2609 if (copied + elem_datalen > data_len) 2610 return -ENOSPC; 2611 2612 memmove(data + copied, elem->data, elem_datalen); 2613 } 2614 2615 copied += elem_datalen; 2616 2617 /* Only the last fragment may be short */ 2618 if (elem_datalen != 255) 2619 break; 2620 } 2621 2622 return copied; 2623 } 2624 EXPORT_SYMBOL(cfg80211_defragment_element); 2625 2626 struct cfg80211_mle { 2627 struct ieee80211_multi_link_elem *mle; 2628 struct ieee80211_mle_per_sta_profile 2629 *sta_prof[IEEE80211_MLD_MAX_NUM_LINKS]; 2630 ssize_t sta_prof_len[IEEE80211_MLD_MAX_NUM_LINKS]; 2631 2632 u8 data[]; 2633 }; 2634 2635 static struct cfg80211_mle * 2636 cfg80211_defrag_mle(const struct element *mle, const u8 *ie, size_t ielen, 2637 gfp_t gfp) 2638 { 2639 const struct element *elem; 2640 struct cfg80211_mle *res; 2641 size_t buf_len; 2642 ssize_t mle_len; 2643 u8 common_size, idx; 2644 2645 if (!mle || !ieee80211_mle_size_ok(mle->data + 1, mle->datalen - 1)) 2646 return NULL; 2647 2648 /* Required length for first defragmentation */ 2649 buf_len = mle->datalen - 1; 2650 for_each_element(elem, mle->data + mle->datalen, 2651 ielen - sizeof(*mle) + mle->datalen) { 2652 if (elem->id != WLAN_EID_FRAGMENT) 2653 break; 2654 2655 buf_len += elem->datalen; 2656 } 2657 2658 res = kzalloc(struct_size(res, data, buf_len), gfp); 2659 if (!res) 2660 return NULL; 2661 2662 mle_len = cfg80211_defragment_element(mle, ie, ielen, 2663 res->data, buf_len, 2664 WLAN_EID_FRAGMENT); 2665 if (mle_len < 0) 2666 goto error; 2667 2668 res->mle = (void *)res->data; 2669 2670 /* Find the sub-element area in the buffer */ 2671 common_size = ieee80211_mle_common_size((u8 *)res->mle); 2672 ie = res->data + common_size; 2673 ielen = mle_len - common_size; 2674 2675 idx = 0; 2676 for_each_element_id(elem, IEEE80211_MLE_SUBELEM_PER_STA_PROFILE, 2677 ie, ielen) { 2678 res->sta_prof[idx] = (void *)elem->data; 2679 res->sta_prof_len[idx] = elem->datalen; 2680 2681 idx++; 2682 if (idx >= IEEE80211_MLD_MAX_NUM_LINKS) 2683 break; 2684 } 2685 if (!for_each_element_completed(elem, ie, ielen)) 2686 goto error; 2687 2688 /* Defragment sta_info in-place */ 2689 for (idx = 0; idx < IEEE80211_MLD_MAX_NUM_LINKS && res->sta_prof[idx]; 2690 idx++) { 2691 if (res->sta_prof_len[idx] < 255) 2692 continue; 2693 2694 elem = (void *)res->sta_prof[idx] - 2; 2695 2696 if (idx + 1 < ARRAY_SIZE(res->sta_prof) && 2697 res->sta_prof[idx + 1]) 2698 buf_len = (u8 *)res->sta_prof[idx + 1] - 2699 (u8 *)res->sta_prof[idx]; 2700 else 2701 buf_len = ielen + ie - (u8 *)elem; 2702 2703 res->sta_prof_len[idx] = 2704 cfg80211_defragment_element(elem, 2705 (u8 *)elem, buf_len, 2706 (u8 *)res->sta_prof[idx], 2707 buf_len, 2708 IEEE80211_MLE_SUBELEM_FRAGMENT); 2709 if (res->sta_prof_len[idx] < 0) 2710 goto error; 2711 } 2712 2713 return res; 2714 2715 error: 2716 kfree(res); 2717 return NULL; 2718 } 2719 2720 struct tbtt_info_iter_data { 2721 const struct ieee80211_neighbor_ap_info *ap_info; 2722 u8 param_ch_count; 2723 u32 use_for; 2724 u8 mld_id, link_id; 2725 bool non_tx; 2726 }; 2727 2728 static enum cfg80211_rnr_iter_ret 2729 cfg802121_mld_ap_rnr_iter(void *_data, u8 type, 2730 const struct ieee80211_neighbor_ap_info *info, 2731 const u8 *tbtt_info, u8 tbtt_info_len) 2732 { 2733 const struct ieee80211_rnr_mld_params *mld_params; 2734 struct tbtt_info_iter_data *data = _data; 2735 u8 link_id; 2736 bool non_tx = false; 2737 2738 if (type == IEEE80211_TBTT_INFO_TYPE_TBTT && 2739 tbtt_info_len >= offsetofend(struct ieee80211_tbtt_info_ge_11, 2740 mld_params)) { 2741 const struct ieee80211_tbtt_info_ge_11 *tbtt_info_ge_11 = 2742 (void *)tbtt_info; 2743 2744 non_tx = (tbtt_info_ge_11->bss_params & 2745 (IEEE80211_RNR_TBTT_PARAMS_MULTI_BSSID | 2746 IEEE80211_RNR_TBTT_PARAMS_TRANSMITTED_BSSID)) == 2747 IEEE80211_RNR_TBTT_PARAMS_MULTI_BSSID; 2748 mld_params = &tbtt_info_ge_11->mld_params; 2749 } else if (type == IEEE80211_TBTT_INFO_TYPE_MLD && 2750 tbtt_info_len >= sizeof(struct ieee80211_rnr_mld_params)) 2751 mld_params = (void *)tbtt_info; 2752 else 2753 return RNR_ITER_CONTINUE; 2754 2755 link_id = le16_get_bits(mld_params->params, 2756 IEEE80211_RNR_MLD_PARAMS_LINK_ID); 2757 2758 if (data->mld_id != mld_params->mld_id) 2759 return RNR_ITER_CONTINUE; 2760 2761 if (data->link_id != link_id) 2762 return RNR_ITER_CONTINUE; 2763 2764 data->ap_info = info; 2765 data->param_ch_count = 2766 le16_get_bits(mld_params->params, 2767 IEEE80211_RNR_MLD_PARAMS_BSS_CHANGE_COUNT); 2768 data->non_tx = non_tx; 2769 2770 if (type == IEEE80211_TBTT_INFO_TYPE_TBTT) 2771 data->use_for = NL80211_BSS_USE_FOR_ALL; 2772 else 2773 data->use_for = NL80211_BSS_USE_FOR_MLD_LINK; 2774 return RNR_ITER_BREAK; 2775 } 2776 2777 static u8 2778 cfg80211_rnr_info_for_mld_ap(const u8 *ie, size_t ielen, u8 mld_id, u8 link_id, 2779 const struct ieee80211_neighbor_ap_info **ap_info, 2780 u8 *param_ch_count, bool *non_tx) 2781 { 2782 struct tbtt_info_iter_data data = { 2783 .mld_id = mld_id, 2784 .link_id = link_id, 2785 }; 2786 2787 cfg80211_iter_rnr(ie, ielen, cfg802121_mld_ap_rnr_iter, &data); 2788 2789 *ap_info = data.ap_info; 2790 *param_ch_count = data.param_ch_count; 2791 *non_tx = data.non_tx; 2792 2793 return data.use_for; 2794 } 2795 2796 static struct element * 2797 cfg80211_gen_reporter_rnr(struct cfg80211_bss *source_bss, bool is_mbssid, 2798 bool same_mld, u8 link_id, u8 bss_change_count, 2799 gfp_t gfp) 2800 { 2801 const struct cfg80211_bss_ies *ies; 2802 struct ieee80211_neighbor_ap_info ap_info; 2803 struct ieee80211_tbtt_info_ge_11 tbtt_info; 2804 u32 short_ssid; 2805 const struct element *elem; 2806 struct element *res; 2807 2808 /* 2809 * We only generate the RNR to permit ML lookups. For that we do not 2810 * need an entry for the corresponding transmitting BSS, lets just skip 2811 * it even though it would be easy to add. 2812 */ 2813 if (!same_mld) 2814 return NULL; 2815 2816 /* We could use tx_data->ies if we change cfg80211_calc_short_ssid */ 2817 rcu_read_lock(); 2818 ies = rcu_dereference(source_bss->ies); 2819 2820 ap_info.tbtt_info_len = offsetofend(typeof(tbtt_info), mld_params); 2821 ap_info.tbtt_info_hdr = 2822 u8_encode_bits(IEEE80211_TBTT_INFO_TYPE_TBTT, 2823 IEEE80211_AP_INFO_TBTT_HDR_TYPE) | 2824 u8_encode_bits(0, IEEE80211_AP_INFO_TBTT_HDR_COUNT); 2825 2826 ap_info.channel = ieee80211_frequency_to_channel(source_bss->channel->center_freq); 2827 2828 /* operating class */ 2829 elem = cfg80211_find_elem(WLAN_EID_SUPPORTED_REGULATORY_CLASSES, 2830 ies->data, ies->len); 2831 if (elem && elem->datalen >= 1) { 2832 ap_info.op_class = elem->data[0]; 2833 } else { 2834 struct cfg80211_chan_def chandef; 2835 2836 /* The AP is not providing us with anything to work with. So 2837 * make up a somewhat reasonable operating class, but don't 2838 * bother with it too much as no one will ever use the 2839 * information. 2840 */ 2841 cfg80211_chandef_create(&chandef, source_bss->channel, 2842 NL80211_CHAN_NO_HT); 2843 2844 if (!ieee80211_chandef_to_operating_class(&chandef, 2845 &ap_info.op_class)) 2846 goto out_unlock; 2847 } 2848 2849 /* Just set TBTT offset and PSD 20 to invalid/unknown */ 2850 tbtt_info.tbtt_offset = 255; 2851 tbtt_info.psd_20 = IEEE80211_RNR_TBTT_PARAMS_PSD_RESERVED; 2852 2853 memcpy(tbtt_info.bssid, source_bss->bssid, ETH_ALEN); 2854 if (cfg80211_calc_short_ssid(ies, &elem, &short_ssid)) 2855 goto out_unlock; 2856 2857 rcu_read_unlock(); 2858 2859 tbtt_info.short_ssid = cpu_to_le32(short_ssid); 2860 2861 tbtt_info.bss_params = IEEE80211_RNR_TBTT_PARAMS_SAME_SSID; 2862 2863 if (is_mbssid) { 2864 tbtt_info.bss_params |= IEEE80211_RNR_TBTT_PARAMS_MULTI_BSSID; 2865 tbtt_info.bss_params |= IEEE80211_RNR_TBTT_PARAMS_TRANSMITTED_BSSID; 2866 } 2867 2868 tbtt_info.mld_params.mld_id = 0; 2869 tbtt_info.mld_params.params = 2870 le16_encode_bits(link_id, IEEE80211_RNR_MLD_PARAMS_LINK_ID) | 2871 le16_encode_bits(bss_change_count, 2872 IEEE80211_RNR_MLD_PARAMS_BSS_CHANGE_COUNT); 2873 2874 res = kzalloc(struct_size(res, data, 2875 sizeof(ap_info) + ap_info.tbtt_info_len), 2876 gfp); 2877 if (!res) 2878 return NULL; 2879 2880 /* Copy the data */ 2881 res->id = WLAN_EID_REDUCED_NEIGHBOR_REPORT; 2882 res->datalen = sizeof(ap_info) + ap_info.tbtt_info_len; 2883 memcpy(res->data, &ap_info, sizeof(ap_info)); 2884 memcpy(res->data + sizeof(ap_info), &tbtt_info, ap_info.tbtt_info_len); 2885 2886 return res; 2887 2888 out_unlock: 2889 rcu_read_unlock(); 2890 return NULL; 2891 } 2892 2893 static void 2894 cfg80211_parse_ml_elem_sta_data(struct wiphy *wiphy, 2895 struct cfg80211_inform_single_bss_data *tx_data, 2896 struct cfg80211_bss *source_bss, 2897 const struct element *elem, 2898 gfp_t gfp) 2899 { 2900 struct cfg80211_inform_single_bss_data data = { 2901 .drv_data = tx_data->drv_data, 2902 .ftype = tx_data->ftype, 2903 .source_bss = source_bss, 2904 .bss_source = BSS_SOURCE_STA_PROFILE, 2905 }; 2906 struct element *reporter_rnr = NULL; 2907 struct ieee80211_multi_link_elem *ml_elem; 2908 struct cfg80211_mle *mle; 2909 const struct element *ssid_elem; 2910 const u8 *ssid = NULL; 2911 size_t ssid_len = 0; 2912 u16 control; 2913 u8 ml_common_len; 2914 u8 *new_ie = NULL; 2915 struct cfg80211_bss *bss; 2916 u8 mld_id, reporter_link_id, bss_change_count; 2917 u16 seen_links = 0; 2918 u8 i; 2919 2920 if (!ieee80211_mle_type_ok(elem->data + 1, 2921 IEEE80211_ML_CONTROL_TYPE_BASIC, 2922 elem->datalen - 1)) 2923 return; 2924 2925 ml_elem = (void *)(elem->data + 1); 2926 control = le16_to_cpu(ml_elem->control); 2927 ml_common_len = ml_elem->variable[0]; 2928 2929 /* Must be present when transmitted by an AP (in a probe response) */ 2930 if (!(control & IEEE80211_MLC_BASIC_PRES_BSS_PARAM_CH_CNT) || 2931 !(control & IEEE80211_MLC_BASIC_PRES_LINK_ID) || 2932 !(control & IEEE80211_MLC_BASIC_PRES_MLD_CAPA_OP)) 2933 return; 2934 2935 reporter_link_id = ieee80211_mle_get_link_id(elem->data + 1); 2936 bss_change_count = ieee80211_mle_get_bss_param_ch_cnt(elem->data + 1); 2937 2938 /* 2939 * The MLD ID of the reporting AP is always zero. It is set if the AP 2940 * is part of an MBSSID set and will be non-zero for ML Elements 2941 * relating to a nontransmitted BSS (matching the Multi-BSSID Index, 2942 * Draft P802.11be_D3.2, 35.3.4.2) 2943 */ 2944 mld_id = ieee80211_mle_get_mld_id(elem->data + 1); 2945 2946 /* Fully defrag the ML element for sta information/profile iteration */ 2947 mle = cfg80211_defrag_mle(elem, tx_data->ie, tx_data->ielen, gfp); 2948 if (!mle) 2949 return; 2950 2951 /* No point in doing anything if there is no per-STA profile */ 2952 if (!mle->sta_prof[0]) 2953 goto out; 2954 2955 new_ie = kmalloc(IEEE80211_MAX_DATA_LEN, gfp); 2956 if (!new_ie) 2957 goto out; 2958 2959 reporter_rnr = cfg80211_gen_reporter_rnr(source_bss, 2960 u16_get_bits(control, 2961 IEEE80211_MLC_BASIC_PRES_MLD_ID), 2962 mld_id == 0, reporter_link_id, 2963 bss_change_count, 2964 gfp); 2965 2966 ssid_elem = cfg80211_find_elem(WLAN_EID_SSID, tx_data->ie, 2967 tx_data->ielen); 2968 if (ssid_elem) { 2969 ssid = ssid_elem->data; 2970 ssid_len = ssid_elem->datalen; 2971 } 2972 2973 for (i = 0; i < ARRAY_SIZE(mle->sta_prof) && mle->sta_prof[i]; i++) { 2974 const struct ieee80211_neighbor_ap_info *ap_info; 2975 enum nl80211_band band; 2976 u32 freq; 2977 const u8 *profile; 2978 ssize_t profile_len; 2979 u8 param_ch_count; 2980 u8 link_id, use_for; 2981 bool non_tx; 2982 2983 if (!ieee80211_mle_basic_sta_prof_size_ok((u8 *)mle->sta_prof[i], 2984 mle->sta_prof_len[i])) 2985 continue; 2986 2987 control = le16_to_cpu(mle->sta_prof[i]->control); 2988 2989 if (!(control & IEEE80211_MLE_STA_CONTROL_COMPLETE_PROFILE)) 2990 continue; 2991 2992 link_id = u16_get_bits(control, 2993 IEEE80211_MLE_STA_CONTROL_LINK_ID); 2994 if (seen_links & BIT(link_id)) 2995 break; 2996 seen_links |= BIT(link_id); 2997 2998 if (!(control & IEEE80211_MLE_STA_CONTROL_BEACON_INT_PRESENT) || 2999 !(control & IEEE80211_MLE_STA_CONTROL_TSF_OFFS_PRESENT) || 3000 !(control & IEEE80211_MLE_STA_CONTROL_STA_MAC_ADDR_PRESENT)) 3001 continue; 3002 3003 memcpy(data.bssid, mle->sta_prof[i]->variable, ETH_ALEN); 3004 data.beacon_interval = 3005 get_unaligned_le16(mle->sta_prof[i]->variable + 6); 3006 data.tsf = tx_data->tsf + 3007 get_unaligned_le64(mle->sta_prof[i]->variable + 8); 3008 3009 /* sta_info_len counts itself */ 3010 profile = mle->sta_prof[i]->variable + 3011 mle->sta_prof[i]->sta_info_len - 1; 3012 profile_len = (u8 *)mle->sta_prof[i] + mle->sta_prof_len[i] - 3013 profile; 3014 3015 if (profile_len < 2) 3016 continue; 3017 3018 data.capability = get_unaligned_le16(profile); 3019 profile += 2; 3020 profile_len -= 2; 3021 3022 /* Find in RNR to look up channel information */ 3023 use_for = cfg80211_rnr_info_for_mld_ap(tx_data->ie, 3024 tx_data->ielen, 3025 mld_id, link_id, 3026 &ap_info, 3027 ¶m_ch_count, 3028 &non_tx); 3029 if (!use_for) 3030 continue; 3031 3032 /* 3033 * As of 802.11be_D5.0, the specification does not give us any 3034 * way of discovering both the MaxBSSID and the Multiple-BSSID 3035 * Index. It does seem like the Multiple-BSSID Index element 3036 * may be provided, but section 9.4.2.45 explicitly forbids 3037 * including a Multiple-BSSID Element (in this case without any 3038 * subelements). 3039 * Without both pieces of information we cannot calculate the 3040 * reference BSSID, so simply ignore the BSS. 3041 */ 3042 if (non_tx) 3043 continue; 3044 3045 /* We could sanity check the BSSID is included */ 3046 3047 if (!ieee80211_operating_class_to_band(ap_info->op_class, 3048 &band)) 3049 continue; 3050 3051 freq = ieee80211_channel_to_freq_khz(ap_info->channel, band); 3052 data.channel = ieee80211_get_channel_khz(wiphy, freq); 3053 3054 /* Skip if RNR element specifies an unsupported channel */ 3055 if (!data.channel) 3056 continue; 3057 3058 /* Skip if BSS entry generated from MBSSID or DIRECT source 3059 * frame data available already. 3060 */ 3061 bss = cfg80211_get_bss(wiphy, data.channel, data.bssid, ssid, 3062 ssid_len, IEEE80211_BSS_TYPE_ANY, 3063 IEEE80211_PRIVACY_ANY); 3064 if (bss) { 3065 struct cfg80211_internal_bss *ibss = bss_from_pub(bss); 3066 3067 if (data.capability == bss->capability && 3068 ibss->bss_source != BSS_SOURCE_STA_PROFILE) { 3069 cfg80211_put_bss(wiphy, bss); 3070 continue; 3071 } 3072 cfg80211_put_bss(wiphy, bss); 3073 } 3074 3075 if (use_for == NL80211_BSS_USE_FOR_MLD_LINK && 3076 !(wiphy->flags & WIPHY_FLAG_SUPPORTS_NSTR_NONPRIMARY)) { 3077 use_for = 0; 3078 data.cannot_use_reasons = 3079 NL80211_BSS_CANNOT_USE_NSTR_NONPRIMARY; 3080 } 3081 data.use_for = use_for; 3082 3083 /* Generate new elements */ 3084 memset(new_ie, 0, IEEE80211_MAX_DATA_LEN); 3085 data.ie = new_ie; 3086 data.ielen = cfg80211_gen_new_ie(tx_data->ie, tx_data->ielen, 3087 profile, profile_len, 3088 new_ie, 3089 IEEE80211_MAX_DATA_LEN); 3090 if (!data.ielen) 3091 continue; 3092 3093 /* The generated elements do not contain: 3094 * - Basic ML element 3095 * - A TBTT entry in the RNR for the transmitting AP 3096 * 3097 * This information is needed both internally and in userspace 3098 * as such, we should append it here. 3099 */ 3100 if (data.ielen + 3 + sizeof(*ml_elem) + ml_common_len > 3101 IEEE80211_MAX_DATA_LEN) 3102 continue; 3103 3104 /* Copy the Basic Multi-Link element including the common 3105 * information, and then fix up the link ID and BSS param 3106 * change count. 3107 * Note that the ML element length has been verified and we 3108 * also checked that it contains the link ID. 3109 */ 3110 new_ie[data.ielen++] = WLAN_EID_EXTENSION; 3111 new_ie[data.ielen++] = 1 + sizeof(*ml_elem) + ml_common_len; 3112 new_ie[data.ielen++] = WLAN_EID_EXT_EHT_MULTI_LINK; 3113 memcpy(new_ie + data.ielen, ml_elem, 3114 sizeof(*ml_elem) + ml_common_len); 3115 3116 new_ie[data.ielen + sizeof(*ml_elem) + 1 + ETH_ALEN] = link_id; 3117 new_ie[data.ielen + sizeof(*ml_elem) + 1 + ETH_ALEN + 1] = 3118 param_ch_count; 3119 3120 data.ielen += sizeof(*ml_elem) + ml_common_len; 3121 3122 if (reporter_rnr && (use_for & NL80211_BSS_USE_FOR_NORMAL)) { 3123 if (data.ielen + sizeof(struct element) + 3124 reporter_rnr->datalen > IEEE80211_MAX_DATA_LEN) 3125 continue; 3126 3127 memcpy(new_ie + data.ielen, reporter_rnr, 3128 sizeof(struct element) + reporter_rnr->datalen); 3129 data.ielen += sizeof(struct element) + 3130 reporter_rnr->datalen; 3131 } 3132 3133 bss = cfg80211_inform_single_bss_data(wiphy, &data, gfp); 3134 if (!bss) 3135 break; 3136 cfg80211_put_bss(wiphy, bss); 3137 } 3138 3139 out: 3140 kfree(reporter_rnr); 3141 kfree(new_ie); 3142 kfree(mle); 3143 } 3144 3145 static void cfg80211_parse_ml_sta_data(struct wiphy *wiphy, 3146 struct cfg80211_inform_single_bss_data *tx_data, 3147 struct cfg80211_bss *source_bss, 3148 gfp_t gfp) 3149 { 3150 const struct element *elem; 3151 3152 if (!source_bss) 3153 return; 3154 3155 if (tx_data->ftype != CFG80211_BSS_FTYPE_PRESP) 3156 return; 3157 3158 for_each_element_extid(elem, WLAN_EID_EXT_EHT_MULTI_LINK, 3159 tx_data->ie, tx_data->ielen) 3160 cfg80211_parse_ml_elem_sta_data(wiphy, tx_data, source_bss, 3161 elem, gfp); 3162 } 3163 3164 struct cfg80211_bss * 3165 cfg80211_inform_bss_data(struct wiphy *wiphy, 3166 struct cfg80211_inform_bss *data, 3167 enum cfg80211_bss_frame_type ftype, 3168 const u8 *bssid, u64 tsf, u16 capability, 3169 u16 beacon_interval, const u8 *ie, size_t ielen, 3170 gfp_t gfp) 3171 { 3172 struct cfg80211_inform_single_bss_data inform_data = { 3173 .drv_data = data, 3174 .ftype = ftype, 3175 .tsf = tsf, 3176 .capability = capability, 3177 .beacon_interval = beacon_interval, 3178 .ie = ie, 3179 .ielen = ielen, 3180 .use_for = data->restrict_use ? 3181 data->use_for : 3182 NL80211_BSS_USE_FOR_ALL, 3183 .cannot_use_reasons = data->cannot_use_reasons, 3184 }; 3185 struct cfg80211_bss *res; 3186 3187 memcpy(inform_data.bssid, bssid, ETH_ALEN); 3188 3189 res = cfg80211_inform_single_bss_data(wiphy, &inform_data, gfp); 3190 if (!res) 3191 return NULL; 3192 3193 /* don't do any further MBSSID/ML handling for S1G */ 3194 if (ftype == CFG80211_BSS_FTYPE_S1G_BEACON) 3195 return res; 3196 3197 cfg80211_parse_mbssid_data(wiphy, &inform_data, res, gfp); 3198 3199 cfg80211_parse_ml_sta_data(wiphy, &inform_data, res, gfp); 3200 3201 return res; 3202 } 3203 EXPORT_SYMBOL(cfg80211_inform_bss_data); 3204 3205 struct cfg80211_bss * 3206 cfg80211_inform_bss_frame_data(struct wiphy *wiphy, 3207 struct cfg80211_inform_bss *data, 3208 struct ieee80211_mgmt *mgmt, size_t len, 3209 gfp_t gfp) 3210 { 3211 size_t min_hdr_len; 3212 struct ieee80211_ext *ext = NULL; 3213 enum cfg80211_bss_frame_type ftype; 3214 u16 beacon_interval; 3215 const u8 *bssid; 3216 u16 capability; 3217 const u8 *ie; 3218 size_t ielen; 3219 u64 tsf; 3220 3221 if (WARN_ON(!mgmt)) 3222 return NULL; 3223 3224 if (WARN_ON(!wiphy)) 3225 return NULL; 3226 3227 BUILD_BUG_ON(offsetof(struct ieee80211_mgmt, u.probe_resp.variable) != 3228 offsetof(struct ieee80211_mgmt, u.beacon.variable)); 3229 3230 trace_cfg80211_inform_bss_frame(wiphy, data, mgmt, len); 3231 3232 if (ieee80211_is_s1g_beacon(mgmt->frame_control)) { 3233 ext = (void *) mgmt; 3234 if (ieee80211_is_s1g_short_beacon(mgmt->frame_control)) 3235 min_hdr_len = offsetof(struct ieee80211_ext, 3236 u.s1g_short_beacon.variable); 3237 else 3238 min_hdr_len = offsetof(struct ieee80211_ext, 3239 u.s1g_beacon.variable); 3240 } else { 3241 /* same for beacons */ 3242 min_hdr_len = offsetof(struct ieee80211_mgmt, 3243 u.probe_resp.variable); 3244 } 3245 3246 if (WARN_ON(len < min_hdr_len)) 3247 return NULL; 3248 3249 ielen = len - min_hdr_len; 3250 ie = mgmt->u.probe_resp.variable; 3251 if (ext) { 3252 const struct ieee80211_s1g_bcn_compat_ie *compat; 3253 const struct element *elem; 3254 3255 if (ieee80211_is_s1g_short_beacon(mgmt->frame_control)) 3256 ie = ext->u.s1g_short_beacon.variable; 3257 else 3258 ie = ext->u.s1g_beacon.variable; 3259 3260 elem = cfg80211_find_elem(WLAN_EID_S1G_BCN_COMPAT, ie, ielen); 3261 if (!elem) 3262 return NULL; 3263 if (elem->datalen < sizeof(*compat)) 3264 return NULL; 3265 compat = (void *)elem->data; 3266 bssid = ext->u.s1g_beacon.sa; 3267 capability = le16_to_cpu(compat->compat_info); 3268 beacon_interval = le16_to_cpu(compat->beacon_int); 3269 } else { 3270 bssid = mgmt->bssid; 3271 beacon_interval = le16_to_cpu(mgmt->u.probe_resp.beacon_int); 3272 capability = le16_to_cpu(mgmt->u.probe_resp.capab_info); 3273 } 3274 3275 tsf = le64_to_cpu(mgmt->u.probe_resp.timestamp); 3276 3277 if (ieee80211_is_probe_resp(mgmt->frame_control)) 3278 ftype = CFG80211_BSS_FTYPE_PRESP; 3279 else if (ext) 3280 ftype = CFG80211_BSS_FTYPE_S1G_BEACON; 3281 else 3282 ftype = CFG80211_BSS_FTYPE_BEACON; 3283 3284 return cfg80211_inform_bss_data(wiphy, data, ftype, 3285 bssid, tsf, capability, 3286 beacon_interval, ie, ielen, 3287 gfp); 3288 } 3289 EXPORT_SYMBOL(cfg80211_inform_bss_frame_data); 3290 3291 void cfg80211_ref_bss(struct wiphy *wiphy, struct cfg80211_bss *pub) 3292 { 3293 struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy); 3294 3295 if (!pub) 3296 return; 3297 3298 spin_lock_bh(&rdev->bss_lock); 3299 bss_ref_get(rdev, bss_from_pub(pub)); 3300 spin_unlock_bh(&rdev->bss_lock); 3301 } 3302 EXPORT_SYMBOL(cfg80211_ref_bss); 3303 3304 void cfg80211_put_bss(struct wiphy *wiphy, struct cfg80211_bss *pub) 3305 { 3306 struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy); 3307 3308 if (!pub) 3309 return; 3310 3311 spin_lock_bh(&rdev->bss_lock); 3312 bss_ref_put(rdev, bss_from_pub(pub)); 3313 spin_unlock_bh(&rdev->bss_lock); 3314 } 3315 EXPORT_SYMBOL(cfg80211_put_bss); 3316 3317 void cfg80211_unlink_bss(struct wiphy *wiphy, struct cfg80211_bss *pub) 3318 { 3319 struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy); 3320 struct cfg80211_internal_bss *bss, *tmp1; 3321 struct cfg80211_bss *nontrans_bss, *tmp; 3322 3323 if (WARN_ON(!pub)) 3324 return; 3325 3326 bss = bss_from_pub(pub); 3327 3328 spin_lock_bh(&rdev->bss_lock); 3329 if (list_empty(&bss->list)) 3330 goto out; 3331 3332 list_for_each_entry_safe(nontrans_bss, tmp, 3333 &pub->nontrans_list, 3334 nontrans_list) { 3335 tmp1 = bss_from_pub(nontrans_bss); 3336 if (__cfg80211_unlink_bss(rdev, tmp1)) 3337 rdev->bss_generation++; 3338 } 3339 3340 if (__cfg80211_unlink_bss(rdev, bss)) 3341 rdev->bss_generation++; 3342 out: 3343 spin_unlock_bh(&rdev->bss_lock); 3344 } 3345 EXPORT_SYMBOL(cfg80211_unlink_bss); 3346 3347 void cfg80211_bss_iter(struct wiphy *wiphy, 3348 struct cfg80211_chan_def *chandef, 3349 void (*iter)(struct wiphy *wiphy, 3350 struct cfg80211_bss *bss, 3351 void *data), 3352 void *iter_data) 3353 { 3354 struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy); 3355 struct cfg80211_internal_bss *bss; 3356 3357 spin_lock_bh(&rdev->bss_lock); 3358 3359 list_for_each_entry(bss, &rdev->bss_list, list) { 3360 if (!chandef || cfg80211_is_sub_chan(chandef, bss->pub.channel, 3361 false)) 3362 iter(wiphy, &bss->pub, iter_data); 3363 } 3364 3365 spin_unlock_bh(&rdev->bss_lock); 3366 } 3367 EXPORT_SYMBOL(cfg80211_bss_iter); 3368 3369 void cfg80211_update_assoc_bss_entry(struct wireless_dev *wdev, 3370 unsigned int link_id, 3371 struct ieee80211_channel *chan) 3372 { 3373 struct wiphy *wiphy = wdev->wiphy; 3374 struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy); 3375 struct cfg80211_internal_bss *cbss = wdev->links[link_id].client.current_bss; 3376 struct cfg80211_internal_bss *new = NULL; 3377 struct cfg80211_internal_bss *bss; 3378 struct cfg80211_bss *nontrans_bss; 3379 struct cfg80211_bss *tmp; 3380 3381 spin_lock_bh(&rdev->bss_lock); 3382 3383 /* 3384 * Some APs use CSA also for bandwidth changes, i.e., without actually 3385 * changing the control channel, so no need to update in such a case. 3386 */ 3387 if (cbss->pub.channel == chan) 3388 goto done; 3389 3390 /* use transmitting bss */ 3391 if (cbss->pub.transmitted_bss) 3392 cbss = bss_from_pub(cbss->pub.transmitted_bss); 3393 3394 cbss->pub.channel = chan; 3395 3396 list_for_each_entry(bss, &rdev->bss_list, list) { 3397 if (!cfg80211_bss_type_match(bss->pub.capability, 3398 bss->pub.channel->band, 3399 wdev->conn_bss_type)) 3400 continue; 3401 3402 if (bss == cbss) 3403 continue; 3404 3405 if (!cmp_bss(&bss->pub, &cbss->pub, BSS_CMP_REGULAR)) { 3406 new = bss; 3407 break; 3408 } 3409 } 3410 3411 if (new) { 3412 /* to save time, update IEs for transmitting bss only */ 3413 cfg80211_update_known_bss(rdev, cbss, new, false); 3414 new->pub.proberesp_ies = NULL; 3415 new->pub.beacon_ies = NULL; 3416 3417 list_for_each_entry_safe(nontrans_bss, tmp, 3418 &new->pub.nontrans_list, 3419 nontrans_list) { 3420 bss = bss_from_pub(nontrans_bss); 3421 if (__cfg80211_unlink_bss(rdev, bss)) 3422 rdev->bss_generation++; 3423 } 3424 3425 WARN_ON(atomic_read(&new->hold)); 3426 if (!WARN_ON(!__cfg80211_unlink_bss(rdev, new))) 3427 rdev->bss_generation++; 3428 } 3429 cfg80211_rehash_bss(rdev, cbss); 3430 3431 list_for_each_entry_safe(nontrans_bss, tmp, 3432 &cbss->pub.nontrans_list, 3433 nontrans_list) { 3434 bss = bss_from_pub(nontrans_bss); 3435 bss->pub.channel = chan; 3436 cfg80211_rehash_bss(rdev, bss); 3437 } 3438 3439 done: 3440 spin_unlock_bh(&rdev->bss_lock); 3441 } 3442 3443 #ifdef CONFIG_CFG80211_WEXT 3444 static struct cfg80211_registered_device * 3445 cfg80211_get_dev_from_ifindex(struct net *net, int ifindex) 3446 { 3447 struct cfg80211_registered_device *rdev; 3448 struct net_device *dev; 3449 3450 ASSERT_RTNL(); 3451 3452 dev = dev_get_by_index(net, ifindex); 3453 if (!dev) 3454 return ERR_PTR(-ENODEV); 3455 if (dev->ieee80211_ptr) 3456 rdev = wiphy_to_rdev(dev->ieee80211_ptr->wiphy); 3457 else 3458 rdev = ERR_PTR(-ENODEV); 3459 dev_put(dev); 3460 return rdev; 3461 } 3462 3463 int cfg80211_wext_siwscan(struct net_device *dev, 3464 struct iw_request_info *info, 3465 union iwreq_data *wrqu, char *extra) 3466 { 3467 struct cfg80211_registered_device *rdev; 3468 struct wiphy *wiphy; 3469 struct iw_scan_req *wreq = NULL; 3470 struct cfg80211_scan_request *creq; 3471 int i, err, n_channels = 0; 3472 enum nl80211_band band; 3473 3474 if (!netif_running(dev)) 3475 return -ENETDOWN; 3476 3477 if (wrqu->data.length == sizeof(struct iw_scan_req)) 3478 wreq = (struct iw_scan_req *)extra; 3479 3480 rdev = cfg80211_get_dev_from_ifindex(dev_net(dev), dev->ifindex); 3481 3482 if (IS_ERR(rdev)) 3483 return PTR_ERR(rdev); 3484 3485 if (rdev->scan_req || rdev->scan_msg) 3486 return -EBUSY; 3487 3488 wiphy = &rdev->wiphy; 3489 3490 /* Determine number of channels, needed to allocate creq */ 3491 if (wreq && wreq->num_channels) { 3492 /* Passed from userspace so should be checked */ 3493 if (unlikely(wreq->num_channels > IW_MAX_FREQUENCIES)) 3494 return -EINVAL; 3495 n_channels = wreq->num_channels; 3496 } else { 3497 n_channels = ieee80211_get_num_supported_channels(wiphy); 3498 } 3499 3500 creq = kzalloc(struct_size(creq, channels, n_channels) + 3501 sizeof(struct cfg80211_ssid), 3502 GFP_ATOMIC); 3503 if (!creq) 3504 return -ENOMEM; 3505 3506 creq->wiphy = wiphy; 3507 creq->wdev = dev->ieee80211_ptr; 3508 /* SSIDs come after channels */ 3509 creq->ssids = (void *)creq + struct_size(creq, channels, n_channels); 3510 creq->n_channels = n_channels; 3511 creq->n_ssids = 1; 3512 creq->scan_start = jiffies; 3513 3514 /* translate "Scan on frequencies" request */ 3515 i = 0; 3516 for (band = 0; band < NUM_NL80211_BANDS; band++) { 3517 int j; 3518 3519 if (!wiphy->bands[band]) 3520 continue; 3521 3522 for (j = 0; j < wiphy->bands[band]->n_channels; j++) { 3523 struct ieee80211_channel *chan; 3524 3525 /* ignore disabled channels */ 3526 chan = &wiphy->bands[band]->channels[j]; 3527 if (chan->flags & IEEE80211_CHAN_DISABLED || 3528 !cfg80211_wdev_channel_allowed(creq->wdev, chan)) 3529 continue; 3530 3531 /* If we have a wireless request structure and the 3532 * wireless request specifies frequencies, then search 3533 * for the matching hardware channel. 3534 */ 3535 if (wreq && wreq->num_channels) { 3536 int k; 3537 int wiphy_freq = wiphy->bands[band]->channels[j].center_freq; 3538 for (k = 0; k < wreq->num_channels; k++) { 3539 struct iw_freq *freq = 3540 &wreq->channel_list[k]; 3541 int wext_freq = 3542 cfg80211_wext_freq(freq); 3543 3544 if (wext_freq == wiphy_freq) 3545 goto wext_freq_found; 3546 } 3547 goto wext_freq_not_found; 3548 } 3549 3550 wext_freq_found: 3551 creq->channels[i] = &wiphy->bands[band]->channels[j]; 3552 i++; 3553 wext_freq_not_found: ; 3554 } 3555 } 3556 /* No channels found? */ 3557 if (!i) { 3558 err = -EINVAL; 3559 goto out; 3560 } 3561 3562 /* Set real number of channels specified in creq->channels[] */ 3563 creq->n_channels = i; 3564 3565 /* translate "Scan for SSID" request */ 3566 if (wreq) { 3567 if (wrqu->data.flags & IW_SCAN_THIS_ESSID) { 3568 if (wreq->essid_len > IEEE80211_MAX_SSID_LEN) { 3569 err = -EINVAL; 3570 goto out; 3571 } 3572 memcpy(creq->ssids[0].ssid, wreq->essid, wreq->essid_len); 3573 creq->ssids[0].ssid_len = wreq->essid_len; 3574 } 3575 if (wreq->scan_type == IW_SCAN_TYPE_PASSIVE) { 3576 creq->ssids = NULL; 3577 creq->n_ssids = 0; 3578 } 3579 } 3580 3581 for (i = 0; i < NUM_NL80211_BANDS; i++) 3582 if (wiphy->bands[i]) 3583 creq->rates[i] = (1 << wiphy->bands[i]->n_bitrates) - 1; 3584 3585 eth_broadcast_addr(creq->bssid); 3586 3587 wiphy_lock(&rdev->wiphy); 3588 3589 rdev->scan_req = creq; 3590 err = rdev_scan(rdev, creq); 3591 if (err) { 3592 rdev->scan_req = NULL; 3593 /* creq will be freed below */ 3594 } else { 3595 nl80211_send_scan_start(rdev, dev->ieee80211_ptr); 3596 /* creq now owned by driver */ 3597 creq = NULL; 3598 dev_hold(dev); 3599 } 3600 wiphy_unlock(&rdev->wiphy); 3601 out: 3602 kfree(creq); 3603 return err; 3604 } 3605 3606 static char *ieee80211_scan_add_ies(struct iw_request_info *info, 3607 const struct cfg80211_bss_ies *ies, 3608 char *current_ev, char *end_buf) 3609 { 3610 const u8 *pos, *end, *next; 3611 struct iw_event iwe; 3612 3613 if (!ies) 3614 return current_ev; 3615 3616 /* 3617 * If needed, fragment the IEs buffer (at IE boundaries) into short 3618 * enough fragments to fit into IW_GENERIC_IE_MAX octet messages. 3619 */ 3620 pos = ies->data; 3621 end = pos + ies->len; 3622 3623 while (end - pos > IW_GENERIC_IE_MAX) { 3624 next = pos + 2 + pos[1]; 3625 while (next + 2 + next[1] - pos < IW_GENERIC_IE_MAX) 3626 next = next + 2 + next[1]; 3627 3628 memset(&iwe, 0, sizeof(iwe)); 3629 iwe.cmd = IWEVGENIE; 3630 iwe.u.data.length = next - pos; 3631 current_ev = iwe_stream_add_point_check(info, current_ev, 3632 end_buf, &iwe, 3633 (void *)pos); 3634 if (IS_ERR(current_ev)) 3635 return current_ev; 3636 pos = next; 3637 } 3638 3639 if (end > pos) { 3640 memset(&iwe, 0, sizeof(iwe)); 3641 iwe.cmd = IWEVGENIE; 3642 iwe.u.data.length = end - pos; 3643 current_ev = iwe_stream_add_point_check(info, current_ev, 3644 end_buf, &iwe, 3645 (void *)pos); 3646 if (IS_ERR(current_ev)) 3647 return current_ev; 3648 } 3649 3650 return current_ev; 3651 } 3652 3653 static char * 3654 ieee80211_bss(struct wiphy *wiphy, struct iw_request_info *info, 3655 struct cfg80211_internal_bss *bss, char *current_ev, 3656 char *end_buf) 3657 { 3658 const struct cfg80211_bss_ies *ies; 3659 struct iw_event iwe; 3660 const u8 *ie; 3661 u8 buf[50]; 3662 u8 *cfg, *p, *tmp; 3663 int rem, i, sig; 3664 bool ismesh = false; 3665 3666 memset(&iwe, 0, sizeof(iwe)); 3667 iwe.cmd = SIOCGIWAP; 3668 iwe.u.ap_addr.sa_family = ARPHRD_ETHER; 3669 memcpy(iwe.u.ap_addr.sa_data, bss->pub.bssid, ETH_ALEN); 3670 current_ev = iwe_stream_add_event_check(info, current_ev, end_buf, &iwe, 3671 IW_EV_ADDR_LEN); 3672 if (IS_ERR(current_ev)) 3673 return current_ev; 3674 3675 memset(&iwe, 0, sizeof(iwe)); 3676 iwe.cmd = SIOCGIWFREQ; 3677 iwe.u.freq.m = ieee80211_frequency_to_channel(bss->pub.channel->center_freq); 3678 iwe.u.freq.e = 0; 3679 current_ev = iwe_stream_add_event_check(info, current_ev, end_buf, &iwe, 3680 IW_EV_FREQ_LEN); 3681 if (IS_ERR(current_ev)) 3682 return current_ev; 3683 3684 memset(&iwe, 0, sizeof(iwe)); 3685 iwe.cmd = SIOCGIWFREQ; 3686 iwe.u.freq.m = bss->pub.channel->center_freq; 3687 iwe.u.freq.e = 6; 3688 current_ev = iwe_stream_add_event_check(info, current_ev, end_buf, &iwe, 3689 IW_EV_FREQ_LEN); 3690 if (IS_ERR(current_ev)) 3691 return current_ev; 3692 3693 if (wiphy->signal_type != CFG80211_SIGNAL_TYPE_NONE) { 3694 memset(&iwe, 0, sizeof(iwe)); 3695 iwe.cmd = IWEVQUAL; 3696 iwe.u.qual.updated = IW_QUAL_LEVEL_UPDATED | 3697 IW_QUAL_NOISE_INVALID | 3698 IW_QUAL_QUAL_UPDATED; 3699 switch (wiphy->signal_type) { 3700 case CFG80211_SIGNAL_TYPE_MBM: 3701 sig = bss->pub.signal / 100; 3702 iwe.u.qual.level = sig; 3703 iwe.u.qual.updated |= IW_QUAL_DBM; 3704 if (sig < -110) /* rather bad */ 3705 sig = -110; 3706 else if (sig > -40) /* perfect */ 3707 sig = -40; 3708 /* will give a range of 0 .. 70 */ 3709 iwe.u.qual.qual = sig + 110; 3710 break; 3711 case CFG80211_SIGNAL_TYPE_UNSPEC: 3712 iwe.u.qual.level = bss->pub.signal; 3713 /* will give range 0 .. 100 */ 3714 iwe.u.qual.qual = bss->pub.signal; 3715 break; 3716 default: 3717 /* not reached */ 3718 break; 3719 } 3720 current_ev = iwe_stream_add_event_check(info, current_ev, 3721 end_buf, &iwe, 3722 IW_EV_QUAL_LEN); 3723 if (IS_ERR(current_ev)) 3724 return current_ev; 3725 } 3726 3727 memset(&iwe, 0, sizeof(iwe)); 3728 iwe.cmd = SIOCGIWENCODE; 3729 if (bss->pub.capability & WLAN_CAPABILITY_PRIVACY) 3730 iwe.u.data.flags = IW_ENCODE_ENABLED | IW_ENCODE_NOKEY; 3731 else 3732 iwe.u.data.flags = IW_ENCODE_DISABLED; 3733 iwe.u.data.length = 0; 3734 current_ev = iwe_stream_add_point_check(info, current_ev, end_buf, 3735 &iwe, ""); 3736 if (IS_ERR(current_ev)) 3737 return current_ev; 3738 3739 rcu_read_lock(); 3740 ies = rcu_dereference(bss->pub.ies); 3741 rem = ies->len; 3742 ie = ies->data; 3743 3744 while (rem >= 2) { 3745 /* invalid data */ 3746 if (ie[1] > rem - 2) 3747 break; 3748 3749 switch (ie[0]) { 3750 case WLAN_EID_SSID: 3751 memset(&iwe, 0, sizeof(iwe)); 3752 iwe.cmd = SIOCGIWESSID; 3753 iwe.u.data.length = ie[1]; 3754 iwe.u.data.flags = 1; 3755 current_ev = iwe_stream_add_point_check(info, 3756 current_ev, 3757 end_buf, &iwe, 3758 (u8 *)ie + 2); 3759 if (IS_ERR(current_ev)) 3760 goto unlock; 3761 break; 3762 case WLAN_EID_MESH_ID: 3763 memset(&iwe, 0, sizeof(iwe)); 3764 iwe.cmd = SIOCGIWESSID; 3765 iwe.u.data.length = ie[1]; 3766 iwe.u.data.flags = 1; 3767 current_ev = iwe_stream_add_point_check(info, 3768 current_ev, 3769 end_buf, &iwe, 3770 (u8 *)ie + 2); 3771 if (IS_ERR(current_ev)) 3772 goto unlock; 3773 break; 3774 case WLAN_EID_MESH_CONFIG: 3775 ismesh = true; 3776 if (ie[1] != sizeof(struct ieee80211_meshconf_ie)) 3777 break; 3778 cfg = (u8 *)ie + 2; 3779 memset(&iwe, 0, sizeof(iwe)); 3780 iwe.cmd = IWEVCUSTOM; 3781 iwe.u.data.length = sprintf(buf, 3782 "Mesh Network Path Selection Protocol ID: 0x%02X", 3783 cfg[0]); 3784 current_ev = iwe_stream_add_point_check(info, 3785 current_ev, 3786 end_buf, 3787 &iwe, buf); 3788 if (IS_ERR(current_ev)) 3789 goto unlock; 3790 iwe.u.data.length = sprintf(buf, 3791 "Path Selection Metric ID: 0x%02X", 3792 cfg[1]); 3793 current_ev = iwe_stream_add_point_check(info, 3794 current_ev, 3795 end_buf, 3796 &iwe, buf); 3797 if (IS_ERR(current_ev)) 3798 goto unlock; 3799 iwe.u.data.length = sprintf(buf, 3800 "Congestion Control Mode ID: 0x%02X", 3801 cfg[2]); 3802 current_ev = iwe_stream_add_point_check(info, 3803 current_ev, 3804 end_buf, 3805 &iwe, buf); 3806 if (IS_ERR(current_ev)) 3807 goto unlock; 3808 iwe.u.data.length = sprintf(buf, 3809 "Synchronization ID: 0x%02X", 3810 cfg[3]); 3811 current_ev = iwe_stream_add_point_check(info, 3812 current_ev, 3813 end_buf, 3814 &iwe, buf); 3815 if (IS_ERR(current_ev)) 3816 goto unlock; 3817 iwe.u.data.length = sprintf(buf, 3818 "Authentication ID: 0x%02X", 3819 cfg[4]); 3820 current_ev = iwe_stream_add_point_check(info, 3821 current_ev, 3822 end_buf, 3823 &iwe, buf); 3824 if (IS_ERR(current_ev)) 3825 goto unlock; 3826 iwe.u.data.length = sprintf(buf, 3827 "Formation Info: 0x%02X", 3828 cfg[5]); 3829 current_ev = iwe_stream_add_point_check(info, 3830 current_ev, 3831 end_buf, 3832 &iwe, buf); 3833 if (IS_ERR(current_ev)) 3834 goto unlock; 3835 iwe.u.data.length = sprintf(buf, 3836 "Capabilities: 0x%02X", 3837 cfg[6]); 3838 current_ev = iwe_stream_add_point_check(info, 3839 current_ev, 3840 end_buf, 3841 &iwe, buf); 3842 if (IS_ERR(current_ev)) 3843 goto unlock; 3844 break; 3845 case WLAN_EID_SUPP_RATES: 3846 case WLAN_EID_EXT_SUPP_RATES: 3847 /* display all supported rates in readable format */ 3848 p = current_ev + iwe_stream_lcp_len(info); 3849 3850 memset(&iwe, 0, sizeof(iwe)); 3851 iwe.cmd = SIOCGIWRATE; 3852 /* Those two flags are ignored... */ 3853 iwe.u.bitrate.fixed = iwe.u.bitrate.disabled = 0; 3854 3855 for (i = 0; i < ie[1]; i++) { 3856 iwe.u.bitrate.value = 3857 ((ie[i + 2] & 0x7f) * 500000); 3858 tmp = p; 3859 p = iwe_stream_add_value(info, current_ev, p, 3860 end_buf, &iwe, 3861 IW_EV_PARAM_LEN); 3862 if (p == tmp) { 3863 current_ev = ERR_PTR(-E2BIG); 3864 goto unlock; 3865 } 3866 } 3867 current_ev = p; 3868 break; 3869 } 3870 rem -= ie[1] + 2; 3871 ie += ie[1] + 2; 3872 } 3873 3874 if (bss->pub.capability & (WLAN_CAPABILITY_ESS | WLAN_CAPABILITY_IBSS) || 3875 ismesh) { 3876 memset(&iwe, 0, sizeof(iwe)); 3877 iwe.cmd = SIOCGIWMODE; 3878 if (ismesh) 3879 iwe.u.mode = IW_MODE_MESH; 3880 else if (bss->pub.capability & WLAN_CAPABILITY_ESS) 3881 iwe.u.mode = IW_MODE_MASTER; 3882 else 3883 iwe.u.mode = IW_MODE_ADHOC; 3884 current_ev = iwe_stream_add_event_check(info, current_ev, 3885 end_buf, &iwe, 3886 IW_EV_UINT_LEN); 3887 if (IS_ERR(current_ev)) 3888 goto unlock; 3889 } 3890 3891 memset(&iwe, 0, sizeof(iwe)); 3892 iwe.cmd = IWEVCUSTOM; 3893 iwe.u.data.length = sprintf(buf, "tsf=%016llx", 3894 (unsigned long long)(ies->tsf)); 3895 current_ev = iwe_stream_add_point_check(info, current_ev, end_buf, 3896 &iwe, buf); 3897 if (IS_ERR(current_ev)) 3898 goto unlock; 3899 memset(&iwe, 0, sizeof(iwe)); 3900 iwe.cmd = IWEVCUSTOM; 3901 iwe.u.data.length = sprintf(buf, " Last beacon: %ums ago", 3902 elapsed_jiffies_msecs(bss->ts)); 3903 current_ev = iwe_stream_add_point_check(info, current_ev, 3904 end_buf, &iwe, buf); 3905 if (IS_ERR(current_ev)) 3906 goto unlock; 3907 3908 current_ev = ieee80211_scan_add_ies(info, ies, current_ev, end_buf); 3909 3910 unlock: 3911 rcu_read_unlock(); 3912 return current_ev; 3913 } 3914 3915 3916 static int ieee80211_scan_results(struct cfg80211_registered_device *rdev, 3917 struct iw_request_info *info, 3918 char *buf, size_t len) 3919 { 3920 char *current_ev = buf; 3921 char *end_buf = buf + len; 3922 struct cfg80211_internal_bss *bss; 3923 int err = 0; 3924 3925 spin_lock_bh(&rdev->bss_lock); 3926 cfg80211_bss_expire(rdev); 3927 3928 list_for_each_entry(bss, &rdev->bss_list, list) { 3929 if (buf + len - current_ev <= IW_EV_ADDR_LEN) { 3930 err = -E2BIG; 3931 break; 3932 } 3933 current_ev = ieee80211_bss(&rdev->wiphy, info, bss, 3934 current_ev, end_buf); 3935 if (IS_ERR(current_ev)) { 3936 err = PTR_ERR(current_ev); 3937 break; 3938 } 3939 } 3940 spin_unlock_bh(&rdev->bss_lock); 3941 3942 if (err) 3943 return err; 3944 return current_ev - buf; 3945 } 3946 3947 3948 int cfg80211_wext_giwscan(struct net_device *dev, 3949 struct iw_request_info *info, 3950 union iwreq_data *wrqu, char *extra) 3951 { 3952 struct iw_point *data = &wrqu->data; 3953 struct cfg80211_registered_device *rdev; 3954 int res; 3955 3956 if (!netif_running(dev)) 3957 return -ENETDOWN; 3958 3959 rdev = cfg80211_get_dev_from_ifindex(dev_net(dev), dev->ifindex); 3960 3961 if (IS_ERR(rdev)) 3962 return PTR_ERR(rdev); 3963 3964 if (rdev->scan_req || rdev->scan_msg) 3965 return -EAGAIN; 3966 3967 res = ieee80211_scan_results(rdev, info, extra, data->length); 3968 data->length = 0; 3969 if (res >= 0) { 3970 data->length = res; 3971 res = 0; 3972 } 3973 3974 return res; 3975 } 3976 #endif 3977