
  1. // SPDX-License-Identifier: GPL-2.0
  2. /*
  3. * cfg80211 scan result handling
  4. *
  5. * Copyright 2008 Johannes Berg <johannes@sipsolutions.net>
  6. * Copyright 2013-2014 Intel Mobile Communications GmbH
  7. * Copyright 2016 Intel Deutschland GmbH
  8. * Copyright (C) 2018-2025 Intel Corporation
  9. */
  10. #include <linux/kernel.h>
  11. #include <linux/slab.h>
  12. #include <linux/module.h>
  13. #include <linux/netdevice.h>
  14. #include <linux/wireless.h>
  15. #include <linux/nl80211.h>
  16. #include <linux/etherdevice.h>
  17. #include <linux/crc32.h>
  18. #include <linux/bitfield.h>
  19. #include <net/arp.h>
  20. #include <net/cfg80211.h>
  21. #include <net/cfg80211-wext.h>
  22. #include <net/iw_handler.h>
  23. #include <kunit/visibility.h>
  24. #include "core.h"
  25. #include "nl80211.h"
  26. #include "wext-compat.h"
  27. #include "rdev-ops.h"
  28. /**
  29. * DOC: BSS tree/list structure
  30. *
  31. * At the top level, the BSS list is kept in both a list in each
  32. * registered device (@bss_list) as well as an RB-tree for faster
  33. * lookup. In the RB-tree, entries can be looked up using their
  34. * channel, MESHID, MESHCONF (for MBSSes) or channel, BSSID, SSID
  35. * for other BSSes.
  36. *
  37. * Due to the possibility of hidden SSIDs, there's a second level
  38. * structure, the "hidden_list" and "hidden_beacon_bss" pointer.
  39. * The hidden_list connects all BSSes belonging to a single AP
  40. * that has a hidden SSID, and connects beacon and probe response
  41. * entries. For a probe response entry for a hidden SSID, the
  42. * hidden_beacon_bss pointer points to the BSS struct holding the
  43. * beacon's information.
  44. *
  45. * Reference counting is done for all these references except for
  46. * the hidden_list, so that a beacon BSS struct that is otherwise
  47. * not referenced has one reference for being on the bss_list and
  48. * one for each probe response entry that points to it using the
  49. * hidden_beacon_bss pointer. When a BSS struct that has such a
  50. * pointer is get/put, the refcount update is also propagated to
  51. * the referenced struct, this ensures that it cannot get removed
  52. * while somebody is using the probe response version.
  53. *
  54. * Note that the hidden_beacon_bss pointer never changes, due to
  55. * the reference counting. Therefore, no locking is needed for
  56. * it.
  57. *
  58. * Also note that the hidden_beacon_bss pointer is only relevant
  59. * if the driver uses something other than the IEs, e.g. private
  60. * data stored in the BSS struct, since the beacon IEs are
  61. * also linked into the probe response struct.
  62. */
  63. /*
  64. * Limit the number of BSS entries stored in mac80211. Each one is
  65. * a bit over 4k at most, so this limits to roughly 4-5M of memory.
  66. * If somebody wants to really attack this though, they'd likely
  67. * use small beacons, and only one type of frame, limiting each of
  68. * the entries to a much smaller size (in order to generate more
  69. * entries in total, so overhead is bigger.)
  70. */
/* Per-wiphy cap on stored scan results; tunable at runtime via the 0644 param */
static int bss_entries_limit = 1000;
module_param(bss_entries_limit, int, 0644);
MODULE_PARM_DESC(bss_entries_limit,
		 "limit to number of scan BSS entries (per wiphy, default 1000)");

/*
 * Age threshold for scan results: 30 seconds, expressed in jiffies.
 * NOTE(review): the user of this constant is outside this view; presumably
 * it is the expire_time handed to __cfg80211_bss_expire() — confirm.
 */
#define IEEE80211_SCAN_RESULT_EXPIRE	(30 * HZ)
/*
 * Release a BSS entry whose last reference is gone.
 *
 * Beacon IEs are not freed here when hidden_beacon_bss is set: in that
 * case they belong to the beacon entry the pointer refers to (see the
 * DOC comment above). Probe response IEs are always owned by this entry.
 * Both are RCU-published, so they go through kfree_rcu().
 */
static void bss_free(struct cfg80211_internal_bss *bss)
{
	struct cfg80211_bss_ies *beacon_ies, *proberesp_ies;

	/* an entry somebody still holds must never be freed */
	if (WARN_ON(atomic_read(&bss->hold)))
		return;

	beacon_ies = (void *)rcu_access_pointer(bss->pub.beacon_ies);
	proberesp_ies = (void *)rcu_access_pointer(bss->pub.proberesp_ies);

	if (beacon_ies && !bss->pub.hidden_beacon_bss)
		kfree_rcu(beacon_ies, rcu_head);

	if (proberesp_ies)
		kfree_rcu(proberesp_ies, rcu_head);

	/*
	 * Only non-empty when the module is being removed; unlink for
	 * completeness rather than out of necessity.
	 */
	if (!list_empty(&bss->hidden_list))
		list_del(&bss->hidden_list);

	kfree(bss);
}
/*
 * Take a reference on @bss, propagating it to the beacon entry
 * (hidden_beacon_bss) and transmitting entry (transmitted_bss) it refers
 * to, so neither can go away while this entry is in use.
 * Must be called with rdev->bss_lock held.
 */
static inline void bss_ref_get(struct cfg80211_registered_device *rdev,
			       struct cfg80211_internal_bss *bss)
{
	struct cfg80211_bss *hidden, *trans;

	lockdep_assert_held(&rdev->bss_lock);

	hidden = bss->pub.hidden_beacon_bss;
	trans = bss->pub.transmitted_bss;

	bss->refcount++;

	if (hidden)
		bss_from_pub(hidden)->refcount++;

	if (trans)
		bss_from_pub(trans)->refcount++;
}
/* Drop one reference from @bss and free it once the count hits zero */
static void bss_ref_put_one(struct cfg80211_internal_bss *bss)
{
	bss->refcount--;
	if (!bss->refcount)
		bss_free(bss);
}

/*
 * Drop a reference on @bss. The drop is mirrored on the beacon entry
 * (hidden_beacon_bss) and the transmitting entry (transmitted_bss) first,
 * in that order, and @bss itself is released last; whichever reaches
 * zero is freed. Must be called with rdev->bss_lock held.
 */
static inline void bss_ref_put(struct cfg80211_registered_device *rdev,
			       struct cfg80211_internal_bss *bss)
{
	lockdep_assert_held(&rdev->bss_lock);

	if (bss->pub.hidden_beacon_bss)
		bss_ref_put_one(bss_from_pub(bss->pub.hidden_beacon_bss));

	if (bss->pub.transmitted_bss)
		bss_ref_put_one(bss_from_pub(bss->pub.transmitted_bss));

	bss_ref_put_one(bss);
}
/*
 * Remove @bss from the rdev's list and RB-tree and drop the reference the
 * list held. Must be called with rdev->bss_lock held.
 *
 * Returns false, leaving the entry in place, when @bss is a hidden-SSID
 * beacon entry that probe response entries still point to; their
 * hidden_beacon_bss references keep it alive and the last bss_ref_put()
 * frees it. Returns true otherwise.
 */
static bool __cfg80211_unlink_bss(struct cfg80211_registered_device *rdev,
				  struct cfg80211_internal_bss *bss)
{
	bool in_hidden_group;

	lockdep_assert_held(&rdev->bss_lock);

	in_hidden_group = !list_empty(&bss->hidden_list);

	/* beacon entry with probe responses attached: keep it */
	if (in_hidden_group && !bss->pub.hidden_beacon_bss)
		return false;

	/* probe response entry: detach it from its group first */
	if (in_hidden_group)
		list_del_init(&bss->hidden_list);

	list_del_init(&bss->list);
	list_del_init(&bss->pub.nontrans_list);
	rb_erase(&bss->rbn, &rdev->bss_tree);
	rdev->bss_entries--;

	/* the counter and the list must agree on whether anything is left */
	WARN_ONCE((rdev->bss_entries == 0) ^ list_empty(&rdev->bss_list),
		  "rdev bss entries[%d]/list[empty:%d] corruption\n",
		  rdev->bss_entries, list_empty(&rdev->bss_list));

	bss_ref_put(rdev, bss);

	return true;
}
/**
 * cfg80211_is_element_inherited - check whether an element is inherited
 * @elem: the element of the transmitting BSS to check
 * @non_inherit_elem: the profile's non-inheritance element, or %NULL
 *
 * The Multiple BSSID element and the EHT Multi-Link element are never
 * inherited. Anything else is inherited unless its ID (or, for extension
 * elements, its extension ID) is listed in a well-formed non-inheritance
 * element; a missing or malformed non-inheritance element inherits all.
 *
 * Return: %true if the element is inherited, %false otherwise.
 */
bool cfg80211_is_element_inherited(const struct element *elem,
				   const struct element *non_inherit_elem)
{
	const u8 *list;
	u8 id_len, ext_id_len, list_len, id;

	/* never inherited, regardless of the non-inheritance element */
	if (elem->id == WLAN_EID_MULTIPLE_BSSID)
		return false;
	if (elem->id == WLAN_EID_EXTENSION && elem->datalen > 1 &&
	    elem->data[0] == WLAN_EID_EXT_EHT_MULTI_LINK)
		return false;

	/* no usable non-inheritance element: everything is inherited */
	if (!non_inherit_elem || non_inherit_elem->datalen < 2)
		return true;

	/*
	 * Layout of the non-inheritance element:
	 *   ext ID (56) | ID list len | ID list | ext ID list len | ext ID list
	 * Both length fields are mandatory, both lists may be empty, so a
	 * valid datalen is 1 + 2 + id_len + ext_id_len. Anything shorter is
	 * treated as "inherit".
	 */
	id_len = non_inherit_elem->data[1];
	if (non_inherit_elem->datalen < 3 + id_len)
		return true;

	ext_id_len = non_inherit_elem->data[2 + id_len];
	if (non_inherit_elem->datalen < 3 + id_len + ext_id_len)
		return true;

	/* pick the list that covers this element's ID space */
	if (elem->id == WLAN_EID_EXTENSION) {
		if (!ext_id_len)
			return true;
		list_len = ext_id_len;
		list = &non_inherit_elem->data[3 + id_len];
		id = elem->data[0];
	} else {
		if (!id_len)
			return true;
		list_len = id_len;
		list = &non_inherit_elem->data[2];
		id = elem->id;
	}

	/* listed means explicitly not inherited */
	return !memchr(list, id, list_len);
}
EXPORT_SYMBOL(cfg80211_is_element_inherited);
/*
 * Append @elem, header included, at *@pos without writing past
 * @buf + @buf_len. Advances *@pos on success; returns false when the
 * element does not fit.
 */
static bool cfg80211_copy_one_elem(const struct element *elem, u8 **pos,
				   u8 *buf, size_t buf_len)
{
	if (elem->datalen + 2 > buf + buf_len - *pos)
		return false;

	memcpy(*pos, elem, elem->datalen + 2);
	*pos += elem->datalen + 2;

	return true;
}

/*
 * Copy @elem, together with any fragment elements that directly follow it
 * inside @ie, to @buf starting at *@pos.
 *
 * Returns the number of bytes used in @buf so far (*@pos - @buf), or 0 if
 * @elem does not lie within @ie or the output buffer ran out of room.
 */
static size_t cfg80211_copy_elem_with_frags(const struct element *elem,
					    const u8 *ie, size_t ie_len,
					    u8 **pos, u8 *buf, size_t buf_len)
{
	const struct element *frag;
	const u8 *rest;
	size_t rest_len;

	/* refuse elements that are not entirely inside @ie */
	if (WARN_ON((u8 *)elem < ie || elem->data > ie + ie_len ||
		    elem->data + elem->datalen > ie + ie_len))
		return 0;

	if (!cfg80211_copy_one_elem(elem, pos, buf, buf_len))
		return 0;

	/* only a full-length (255) element can carry fragments */
	if (elem->datalen != 255)
		return *pos - buf;

	/* scan the remainder of @ie, starting right after @elem */
	rest = (const u8 *)elem->data + elem->datalen;
	rest_len = ie + ie_len - rest;

	for_each_element(frag, rest, rest_len) {
		if (frag->id != WLAN_EID_FRAGMENT)
			break;

		if (!cfg80211_copy_one_elem(frag, pos, buf, buf_len))
			return 0;

		/* a short fragment ends the chain */
		if (frag->datalen != 255)
			break;
	}

	return *pos - buf;
}
/**
 * cfg80211_gen_new_ie - merge a sub-profile's elements with its parent's
 * @ie: elements of the parent (transmitting) BSS
 * @ielen: length of @ie
 * @subie: sub-profile elements (e.g. a nontransmitted BSSID profile)
 * @subie_len: length of @subie
 * @new_ie: output buffer for the generated element set
 * @new_ie_len: size of @new_ie
 *
 * Walks the parent elements in order: a parent element that has no
 * counterpart in @subie and is inherited per cfg80211_is_element_inherited()
 * is copied as is; an EHT Multi-Link element whose MLD ID equals the
 * sub-profile's BSSID index is copied from the parent; otherwise all
 * same-type elements from @subie replace it. A second pass appends the
 * @subie elements that have no parent counterpart, skipping the non-tx
 * BSSID capability and non-inheritance elements. Each copy goes through
 * cfg80211_copy_elem_with_frags(), which carries fragments along and
 * bounds-checks against @new_ie_len.
 *
 * Return: number of bytes written to @new_ie, or 0 if the output did not
 * fit or a source element was malformed.
 */
VISIBLE_IF_CFG80211_KUNIT size_t
cfg80211_gen_new_ie(const u8 *ie, size_t ielen,
		    const u8 *subie, size_t subie_len,
		    u8 *new_ie, size_t new_ie_len)
{
	const struct element *non_inherit_elem, *parent, *sub;
	u8 *pos = new_ie;
	const u8 *mbssid_index_ie;
	u8 id, ext_id, bssid_index = 255;
	unsigned int match_len;

	non_inherit_elem = cfg80211_find_ext_elem(WLAN_EID_EXT_NON_INHERITANCE,
						  subie, subie_len);

	/*
	 * BSSID index from the sub-profile, if present and in 1..46;
	 * 255 means "none" and can never match an MLD ID below.
	 */
	mbssid_index_ie = cfg80211_find_ie(WLAN_EID_MULTI_BSSID_IDX, subie,
					   subie_len);
	if (mbssid_index_ie && mbssid_index_ie[1] > 0 &&
	    mbssid_index_ie[2] > 0 && mbssid_index_ie[2] <= 46)
		bssid_index = mbssid_index_ie[2];

	/* We copy the elements one by one from the parent to the generated
	 * elements.
	 * If they are not inherited (included in subie or in the non
	 * inheritance element), then we copy all occurrences the first time
	 * we see this element type.
	 */
	for_each_element(parent, ie, ielen) {
		/* fragments are copied along with their owner, never alone */
		if (parent->id == WLAN_EID_FRAGMENT)
			continue;

		if (parent->id == WLAN_EID_EXTENSION) {
			if (parent->datalen < 1)
				continue;

			id = WLAN_EID_EXTENSION;
			ext_id = parent->data[0];
			match_len = 1;
		} else {
			id = parent->id;
			match_len = 0;
		}

		/* Find first occurrence in subie */
		sub = cfg80211_find_elem_match(id, subie, subie_len,
					       &ext_id, match_len, 0);

		/* Copy from parent if not in subie and inherited */
		if (!sub &&
		    cfg80211_is_element_inherited(parent, non_inherit_elem)) {
			if (!cfg80211_copy_elem_with_frags(parent,
							   ie, ielen,
							   &pos, new_ie,
							   new_ie_len))
				return 0;

			continue;
		}

		/* For ML probe response, match the MLE in the frame body with
		 * MLD id being 'bssid_index'
		 */
		if (parent->id == WLAN_EID_EXTENSION && parent->datalen > 1 &&
		    parent->data[0] == WLAN_EID_EXT_EHT_MULTI_LINK &&
		    bssid_index == ieee80211_mle_get_mld_id(parent->data + 1)) {
			if (!cfg80211_copy_elem_with_frags(parent,
							   ie, ielen,
							   &pos, new_ie,
							   new_ie_len))
				return 0;

			/* Continue here to prevent processing the MLE in
			 * sub-element, which AP MLD should not carry
			 */
			continue;
		}

		/* Already copied if an earlier element had the same type
		 * (search only the part of @ie before this element)
		 */
		if (cfg80211_find_elem_match(id, ie, (u8 *)parent - ie,
					     &ext_id, match_len, 0))
			continue;

		/* Not inheriting, copy all similar elements from subie */
		while (sub) {
			if (!cfg80211_copy_elem_with_frags(sub,
							   subie, subie_len,
							   &pos, new_ie,
							   new_ie_len))
				return 0;

			/* next same-type element after the one just copied */
			sub = cfg80211_find_elem_match(id,
						       sub->data + sub->datalen,
						       subie_len + subie -
						       (sub->data +
							sub->datalen),
						       &ext_id, match_len, 0);
		}
	}

	/* The above misses elements that are included in subie but not in the
	 * parent, so do a pass over subie and append those.
	 * Skip the non-tx BSSID caps and non-inheritance element.
	 */
	for_each_element(sub, subie, subie_len) {
		if (sub->id == WLAN_EID_NON_TX_BSSID_CAP)
			continue;

		if (sub->id == WLAN_EID_FRAGMENT)
			continue;

		if (sub->id == WLAN_EID_EXTENSION) {
			if (sub->datalen < 1)
				continue;

			id = WLAN_EID_EXTENSION;
			ext_id = sub->data[0];
			match_len = 1;

			if (ext_id == WLAN_EID_EXT_NON_INHERITANCE)
				continue;
		} else {
			id = sub->id;
			match_len = 0;
		}

		/* Processed if one was included in the parent */
		if (cfg80211_find_elem_match(id, ie, ielen,
					     &ext_id, match_len, 0))
			continue;

		if (!cfg80211_copy_elem_with_frags(sub, subie, subie_len,
						   &pos, new_ie, new_ie_len))
			return 0;
	}

	return pos - new_ie;
}
EXPORT_SYMBOL_IF_CFG80211_KUNIT(cfg80211_gen_new_ie);
/*
 * Match BSS @a against an optional @bssid and an optional SSID.
 *
 * A NULL @bssid matches any BSSID, a NULL @ssid matches any SSID. With a
 * non-NULL @ssid, @a must have IEs with an SSID element of exactly
 * @ssid_len bytes equal to @ssid. a->ies is read with rcu_access_pointer();
 * the caller in this file holds the RCU read lock while calling this.
 */
static bool is_bss(struct cfg80211_bss *a, const u8 *bssid,
		   const u8 *ssid, size_t ssid_len)
{
	const struct cfg80211_bss_ies *ies;
	const struct element *ssid_elem = NULL;

	if (bssid && !ether_addr_equal(a->bssid, bssid))
		return false;

	/* no SSID requested: the BSSID check above is all there is */
	if (!ssid)
		return true;

	ies = rcu_access_pointer(a->ies);
	if (ies)
		ssid_elem = cfg80211_find_elem(WLAN_EID_SSID, ies->data,
					       ies->len);

	return ssid_elem && ssid_elem->datalen == ssid_len &&
	       memcmp(ssid_elem->data, ssid, ssid_len) == 0;
}
/*
 * Link @nontrans_bss into the nontransmitted-BSS list of @trans_bss.
 *
 * Returns 0 when it is already on that list or was added now, and -EINVAL
 * when @nontrans_bss carries no SSID element or already sits on some other
 * transmitting BSS's list.
 */
static int
cfg80211_add_nontrans_list(struct cfg80211_bss *trans_bss,
			   struct cfg80211_bss *nontrans_bss)
{
	const struct element *ssid_elem;
	struct cfg80211_bss *bss = NULL;
	int ret = 0;

	rcu_read_lock();

	ssid_elem = ieee80211_bss_get_elem(nontrans_bss, WLAN_EID_SSID);
	if (!ssid_elem) {
		ret = -EINVAL;
		goto out_unlock;
	}

	/* already listed under this transmitting BSS: nothing to do */
	list_for_each_entry(bss, &trans_bss->nontrans_list, nontrans_list) {
		if (is_bss(bss, nontrans_bss->bssid, ssid_elem->data,
			   ssid_elem->datalen))
			goto out_unlock;
	}

	rcu_read_unlock();

	/*
	 * This is a bit weird - it's not on the list, but already on another
	 * one! The only way that could happen is if there's some BSSID/SSID
	 * shared by multiple APs in their multi-BSSID profiles, potentially
	 * with hidden SSID mixed in ... ignore it.
	 */
	if (!list_empty(&nontrans_bss->nontrans_list))
		return -EINVAL;

	list_add_tail(&nontrans_bss->nontrans_list, &trans_bss->nontrans_list);

	return 0;

out_unlock:
	rcu_read_unlock();
	return ret;
}
/*
 * Unlink every BSS entry that is not held and whose timestamp is older
 * than @expire_time; bump bss_generation if anything was actually removed.
 * Must be called with rdev->bss_lock held.
 */
static void __cfg80211_bss_expire(struct cfg80211_registered_device *rdev,
				  unsigned long expire_time)
{
	struct cfg80211_internal_bss *bss, *tmp;
	bool removed_any = false;

	lockdep_assert_held(&rdev->bss_lock);

	list_for_each_entry_safe(bss, tmp, &rdev->bss_list, list) {
		/* entries in use, or still fresh enough, stay */
		if (atomic_read(&bss->hold) ||
		    !time_after(expire_time, bss->ts))
			continue;

		/* may decline to remove a beacon entry with probe responses */
		removed_any |= __cfg80211_unlink_bss(rdev, bss);
	}

	if (removed_any)
		rdev->bss_generation++;
}
/*
 * Evict the oldest BSS entry that may be removed: one that is not held and
 * is not a hidden-SSID beacon entry still pointed to by probe responses.
 * Must be called with rdev->bss_lock held.
 *
 * Returns true if an entry was unlinked; the caller takes care of bumping
 * rdev->bss_generation.
 */
static bool cfg80211_bss_expire_oldest(struct cfg80211_registered_device *rdev)
{
	struct cfg80211_internal_bss *bss, *oldest = NULL;
	bool unlinked;

	lockdep_assert_held(&rdev->bss_lock);

	list_for_each_entry(bss, &rdev->bss_list, list) {
		if (atomic_read(&bss->hold))
			continue;

		/* beacon entry with probe responses attached: not removable */
		if (!list_empty(&bss->hidden_list) &&
		    !bss->pub.hidden_beacon_bss)
			continue;

		/* keep the current candidate only if it is strictly older */
		if (!oldest || !time_before(oldest->ts, bss->ts))
			oldest = bss;
	}

	/* every entry held or pinned: nothing can be evicted */
	if (WARN_ON(!oldest))
		return false;

	/*
	 * The callers make sure to increase rdev->bss_generation if anything
	 * gets removed (and a new entry added), so there's no need to also do
	 * it here.
	 */
	unlinked = __cfg80211_unlink_bss(rdev, oldest);
	WARN_ON(!unlinked);

	return unlinked;
}
/*
 * Decode the TBTT information "BSS parameters" octet into @coloc_ap.
 *
 * Returns the co-located AP bit so the caller can drop entries that are
 * not co-located APs.
 */
static u8 cfg80211_parse_bss_param(u8 data,
				   struct cfg80211_colocated_ap *coloc_ap)
{
	u8 coloc_ap_bit = u8_get_bits(data, IEEE80211_RNR_TBTT_PARAMS_COLOC_AP);

	coloc_ap->colocated_ess =
		u8_get_bits(data, IEEE80211_RNR_TBTT_PARAMS_COLOC_ESS);
	coloc_ap->unsolicited_probe =
		u8_get_bits(data, IEEE80211_RNR_TBTT_PARAMS_PROBE_ACTIVE);
	coloc_ap->transmitted_bssid =
		u8_get_bits(data, IEEE80211_RNR_TBTT_PARAMS_TRANSMITTED_BSSID);
	coloc_ap->multi_bss =
		u8_get_bits(data, IEEE80211_RNR_TBTT_PARAMS_MULTI_BSSID);
	coloc_ap->same_ssid =
		u8_get_bits(data, IEEE80211_RNR_TBTT_PARAMS_SAME_SSID);
	coloc_ap->oct_recommended =
		u8_get_bits(data, IEEE80211_RNR_TBTT_PARAMS_OCT_RECOMMENDED);

	return coloc_ap_bit;
}
/*
 * Find the SSID element in @ies and compute the short SSID (CRC-32 over
 * the SSID bytes) into @s_ssid.
 *
 * *@elem is always set, to NULL when absent. Returns -EINVAL if the
 * element is missing or longer than IEEE80211_MAX_SSID_LEN, 0 otherwise.
 */
static int cfg80211_calc_short_ssid(const struct cfg80211_bss_ies *ies,
				    const struct element **elem, u32 *s_ssid)
{
	const struct element *ssid;

	ssid = cfg80211_find_elem(WLAN_EID_SSID, ies->data, ies->len);
	*elem = ssid;

	if (!ssid)
		return -EINVAL;
	if (ssid->datalen > IEEE80211_MAX_SSID_LEN)
		return -EINVAL;

	/* crc32_le() with the usual pre- and post-inversion */
	*s_ssid = ~crc32_le(~0, ssid->data, ssid->datalen);

	return 0;
}
/*
 * cfg80211_free_coloc_ap_list - unlink and free every co-located AP entry
 * @coloc_ap_list: list of struct cfg80211_colocated_ap; empty on return
 */
VISIBLE_IF_CFG80211_KUNIT void
cfg80211_free_coloc_ap_list(struct list_head *coloc_ap_list)
{
	while (!list_empty(coloc_ap_list)) {
		struct cfg80211_colocated_ap *entry =
			list_first_entry(coloc_ap_list,
					 struct cfg80211_colocated_ap, list);

		list_del(&entry->list);
		kfree(entry);
	}
}
EXPORT_SYMBOL_IF_CFG80211_KUNIT(cfg80211_free_coloc_ap_list);
/*
 * cfg80211_parse_tbtt_ge_11 - decode a TBTT info field with a short SSID
 * @entry: entry to fill (bssid, short_ssid, psd_20)
 * @pos: start of the TBTT information field
 * @length: its length; the caller guarantees it covers bss_params
 *
 * Return: the BSS parameters byte (0..255), or -EINVAL when the MLD
 * parameters are present and mark the link as disabled.
 */
static int cfg80211_parse_tbtt_ge_11(struct cfg80211_colocated_ap *entry,
				     const u8 *pos, u8 length)
{
	const struct ieee80211_tbtt_info_ge_11 *tbtt = (const void *)pos;

	memcpy(entry->bssid, tbtt->bssid, ETH_ALEN);
	entry->short_ssid = le32_to_cpu(tbtt->short_ssid);
	entry->short_ssid_valid = true;

	/* disabled MLD links are not scan targets */
	if (length >= offsetofend(typeof(*tbtt), mld_params) &&
	    le16_get_bits(tbtt->mld_params.params,
			  IEEE80211_RNR_MLD_PARAMS_DISABLED_LINK))
		return -EINVAL;

	if (length >= offsetofend(typeof(*tbtt), psd_20))
		entry->psd_20 = tbtt->psd_20;

	return tbtt->bss_params;
}

/*
 * cfg80211_parse_tbtt_7_8_9 - decode a TBTT info field without a short SSID
 * @entry: entry to fill (bssid, psd_20)
 * @pos: start of the TBTT information field
 * @length: its length; the caller guarantees it covers bss_params
 *
 * Return: the BSS parameters byte (0..255).
 */
static int cfg80211_parse_tbtt_7_8_9(struct cfg80211_colocated_ap *entry,
				     const u8 *pos, u8 length)
{
	const struct ieee80211_tbtt_info_7_8_9 *tbtt = (const void *)pos;

	memcpy(entry->bssid, tbtt->bssid, ETH_ALEN);

	/* psd_20 is only present in the longest of the three short layouts */
	if (length == offsetofend(typeof(*tbtt), psd_20))
		entry->psd_20 = tbtt->psd_20;

	return tbtt->bss_params;
}

/*
 * cfg80211_parse_ap_info - fill a co-located AP entry from a TBTT info field
 * @entry: zeroed entry to fill
 * @pos: start of the TBTT information field
 * @length: its length, already checked by the caller to cover bss_params
 * @ssid_elem: SSID element of the reporting BSS, datalen already bounded by
 *	cfg80211_calc_short_ssid() to IEEE80211_MAX_SSID_LEN
 * @s_ssid_tmp: short SSID of @ssid_elem
 *
 * Layout is chosen by length: anything longer than the 7/8/9-byte format is
 * treated as the "11 or more" format carrying a short SSID.  Entries with an
 * invalid BSSID, a disabled MLD link or a clear co-located AP bit are
 * rejected.  When the same-SSID bit is set, the reporting BSS's SSID and
 * short SSID are copied into the entry; an entry with neither a short SSID
 * nor the same-SSID bit is kept for now and may be dropped later when
 * explicit SSIDs have to be matched.
 *
 * Return: 0 if the entry is usable, -EINVAL if it should be discarded.
 */
static int cfg80211_parse_ap_info(struct cfg80211_colocated_ap *entry,
				  const u8 *pos, u8 length,
				  const struct element *ssid_elem,
				  u32 s_ssid_tmp)
{
	int bss_params;

	entry->psd_20 = IEEE80211_RNR_TBTT_PARAMS_PSD_RESERVED;

	if (length > sizeof(struct ieee80211_tbtt_info_7_8_9))
		bss_params = cfg80211_parse_tbtt_ge_11(entry, pos, length);
	else
		bss_params = cfg80211_parse_tbtt_7_8_9(entry, pos, length);

	if (bss_params < 0)
		return bss_params;

	/* ignore entries with an invalid BSSID */
	if (!is_valid_ether_addr(entry->bssid))
		return -EINVAL;

	/* skip APs that are not co-located */
	if (!cfg80211_parse_bss_param(bss_params, entry))
		return -EINVAL;

	if (entry->same_ssid) {
		entry->short_ssid = s_ssid_tmp;
		entry->short_ssid_valid = true;
		/* safe: datalen was bounded in cfg80211_calc_short_ssid() */
		memcpy(&entry->ssid, &ssid_elem->data, ssid_elem->datalen);
		entry->ssid_len = ssid_elem->datalen;
	}

	return 0;
}
/*
 * cfg80211_iter_rnr - walk every TBTT information field in the RNR elements
 * @elems: information elements to scan
 * @elems_len: their length
 * @iter: callback invoked per TBTT information field with its type, the
 *	enclosing Neighbor AP Info header, and the field's start and length
 * @iter_data: opaque pointer passed to @iter
 *
 * Every Reduced Neighbor Report element may hold several Neighbor AP Info
 * fields, each followed by (count + 1) TBTT information fields of the length
 * given in the header.  Bounds are checked against the element before any
 * TBTT field is handed to @iter; a header that does not fit, TBTT fields that
 * overrun the element, or trailing bytes that are not a full header all make
 * the element malformed.  A zero-length TBTT field is still visited count+1
 * times without advancing.
 *
 * Return: false if the callback returned RNR_ITER_ERROR or an element was
 * malformed; true otherwise, including when the callback asked to stop.
 */
bool cfg80211_iter_rnr(const u8 *elems, size_t elems_len,
		       enum cfg80211_rnr_iter_ret
		       (*iter)(void *data, u8 type,
			       const struct ieee80211_neighbor_ap_info *info,
			       const u8 *tbtt_info, u8 tbtt_info_len),
		       void *iter_data)
{
	const struct element *rnr;

	for_each_element_id(rnr, WLAN_EID_REDUCED_NEIGHBOR_REPORT,
			    elems, elems_len) {
		const u8 *cur = rnr->data;
		const u8 *end = rnr->data + rnr->datalen;

		while ((size_t)(end - cur) >=
		       sizeof(struct ieee80211_neighbor_ap_info)) {
			const struct ieee80211_neighbor_ap_info *info =
				(const void *)cur;
			u8 n_tbtt = u8_get_bits(info->tbtt_info_hdr,
						IEEE80211_AP_INFO_TBTT_HDR_COUNT) + 1;
			u8 tbtt_len = info->tbtt_info_len;
			u8 tbtt_type = u8_get_bits(info->tbtt_info_hdr,
						   IEEE80211_AP_INFO_TBTT_HDR_TYPE);
			u8 k;

			cur += sizeof(*info);

			/* all TBTT fields of this AP info must lie inside the element */
			if (n_tbtt * tbtt_len > end - cur)
				return false;

			for (k = 0; k < n_tbtt; k++, cur += tbtt_len) {
				enum cfg80211_rnr_iter_ret r =
					iter(iter_data, tbtt_type, info,
					     cur, tbtt_len);

				if (r == RNR_ITER_BREAK)
					return true;
				if (r == RNR_ITER_ERROR)
					return false;
			}
		}

		/* leftover bytes that are not a full AP info header */
		if (cur != end)
			return false;
	}

	return true;
}
EXPORT_SYMBOL_GPL(cfg80211_iter_rnr);
/*
 * Accumulator threaded through cfg80211_iter_rnr() while the RNR elements of
 * one BSS are parsed into co-located AP entries.
 */
struct colocated_ap_data {
	/* SSID element of the reporting BSS; its datalen was bounded to
	 * IEEE80211_MAX_SSID_LEN by cfg80211_calc_short_ssid() */
	const struct element *ssid_elem;
	/* entries collected so far, spliced onto the caller's list on success */
	struct list_head ap_list;
	/* short SSID of @ssid_elem, inherited by entries with the same-SSID bit */
	u32 s_ssid_tmp;
	/* number of entries on @ap_list */
	int n_coloc;
};
/*
 * cfg80211_tbtt_info_len_ok - is this TBTT info length one we can parse?
 * @tbtt_info_len: length from the Neighbor AP Info header
 *
 * Accepted lengths are those carrying BSS params and a BSSID, plus the long
 * format that also carries a short SSID.  Anything else is ignored.
 */
static bool cfg80211_tbtt_info_len_ok(u8 tbtt_info_len)
{
	return tbtt_info_len == offsetofend(struct ieee80211_tbtt_info_7_8_9,
					    bss_params) ||
	       tbtt_info_len == sizeof(struct ieee80211_tbtt_info_7_8_9) ||
	       tbtt_info_len >= offsetofend(struct ieee80211_tbtt_info_ge_11,
					    bss_params);
}

/*
 * cfg80211_coloc_ap_listed - is an equal BSSID on the same frequency listed?
 * @ap_list: the list being built
 * @entry: candidate entry
 */
static bool cfg80211_coloc_ap_listed(struct list_head *ap_list,
				     struct cfg80211_colocated_ap *entry)
{
	struct cfg80211_colocated_ap *cur;

	list_for_each_entry(cur, ap_list, list) {
		if (cur->center_freq == entry->center_freq &&
		    ether_addr_equal(cur->bssid, entry->bssid))
			return true;
	}

	return false;
}

/*
 * cfg80211_parse_colocated_ap_iter - cfg80211_iter_rnr() callback
 * @_data: struct colocated_ap_data being filled
 * @type: TBTT info type from the AP info header
 * @info: the Neighbor AP Info header
 * @tbtt_info: start of the TBTT information field
 * @tbtt_info_len: its length
 *
 * Only 6 GHz TBTT entries with a parseable length are considered.  Each one
 * is parsed into a freshly allocated entry (GFP_ATOMIC, as the caller may
 * hold rdev->bss_lock) and appended unless it is rejected or duplicates a
 * listed BSSID on the same frequency.
 *
 * Return: RNR_ITER_ERROR on allocation failure, RNR_ITER_CONTINUE otherwise.
 */
static enum cfg80211_rnr_iter_ret
cfg80211_parse_colocated_ap_iter(void *_data, u8 type,
				 const struct ieee80211_neighbor_ap_info *info,
				 const u8 *tbtt_info, u8 tbtt_info_len)
{
	struct colocated_ap_data *data = _data;
	struct cfg80211_colocated_ap *entry;
	enum nl80211_band band;

	if (type != IEEE80211_TBTT_INFO_TYPE_TBTT)
		return RNR_ITER_CONTINUE;

	if (!ieee80211_operating_class_to_band(info->op_class, &band) ||
	    band != NL80211_BAND_6GHZ ||
	    !cfg80211_tbtt_info_len_ok(tbtt_info_len))
		return RNR_ITER_CONTINUE;

	entry = kzalloc_obj(*entry, GFP_ATOMIC);
	if (!entry)
		return RNR_ITER_ERROR;

	entry->center_freq =
		ieee80211_channel_to_frequency(info->channel, band);

	if (cfg80211_parse_ap_info(entry, tbtt_info, tbtt_info_len,
				   data->ssid_elem, data->s_ssid_tmp) ||
	    cfg80211_coloc_ap_listed(&data->ap_list, entry)) {
		kfree(entry);
		return RNR_ITER_CONTINUE;
	}

	list_add_tail(&entry->list, &data->ap_list);
	data->n_coloc++;
	return RNR_ITER_CONTINUE;
}
/*
 * cfg80211_parse_colocated_ap - collect co-located 6 GHz APs from a BSS's IEs
 * @ies: information elements of the reporting BSS
 * @list: list the new struct cfg80211_colocated_ap entries are appended to
 *
 * Nothing is collected when the reporting BSS has no usable SSID element,
 * when an RNR element is malformed, or when allocation fails; in the latter
 * two cases partially collected entries are freed rather than reported.
 *
 * Return: number of entries appended to @list (0 on any failure).
 */
VISIBLE_IF_CFG80211_KUNIT int
cfg80211_parse_colocated_ap(const struct cfg80211_bss_ies *ies,
			    struct list_head *list)
{
	struct colocated_ap_data data = {
		.ap_list = LIST_HEAD_INIT(data.ap_list),
	};

	if (cfg80211_calc_short_ssid(ies, &data.ssid_elem, &data.s_ssid_tmp))
		return 0;

	if (!cfg80211_iter_rnr(ies->data, ies->len,
			       cfg80211_parse_colocated_ap_iter, &data)) {
		cfg80211_free_coloc_ap_list(&data.ap_list);
		return 0;
	}

	list_splice_tail(&data.ap_list, list);
	return data.n_coloc;
}
EXPORT_SYMBOL_IF_CFG80211_KUNIT(cfg80211_parse_colocated_ap);
/*
 * cfg80211_scan_req_add_chan - add a channel to a scan request once
 * @request: request being built; channels[] must have room for one more
 *	entry when @chan is new (the caller sizes it)
 * @chan: channel to add
 * @add_to_6ghz: if set, point the pending scan_6ghz_params entry
 *	(index n_6ghz_params, not yet counted) at the channel's index
 *
 * A channel already present is not added again; only the 6 GHz params
 * index is updated in that case.
 */
static void cfg80211_scan_req_add_chan(struct cfg80211_scan_request *request,
				       struct ieee80211_channel *chan,
				       bool add_to_6ghz)
{
	u32 idx, slot = request->n_channels;
	struct cfg80211_scan_6ghz_params *params =
		&request->scan_6ghz_params[request->n_6ghz_params];

	for (idx = 0; idx < slot; idx++) {
		if (request->channels[idx] != chan)
			continue;
		if (add_to_6ghz)
			params->channel_idx = idx;
		return;
	}

	request->channels[slot] = chan;
	request->n_channels = slot + 1;
	if (add_to_6ghz)
		params->channel_idx = slot;
}
/*
 * cfg80211_find_ssid_match - does any requested SSID select this AP?
 * @ap: co-located AP entry (ssid/ssid_len when known, else short_ssid)
 * @request: scan request whose ssids[] are checked in order
 *
 * A wildcard (zero-length) SSID matches every AP except a non-transmitted
 * member of a multiple-BSSID set.  A known SSID of equal length is compared
 * byte-wise; otherwise, if the entry carries a short SSID, it is compared
 * against the CRC32 of the requested SSID.
 *
 * Return: true on the first match, false if no requested SSID matches.
 */
static bool cfg80211_find_ssid_match(struct cfg80211_colocated_ap *ap,
				     struct cfg80211_scan_request *request)
{
	int n;

	for (n = 0; n < request->n_ssids; n++) {
		const struct cfg80211_ssid *want = &request->ssids[n];

		if (!want->ssid_len) {
			if (!ap->multi_bss || ap->transmitted_bssid)
				return true;
			continue;
		}

		if (ap->ssid_len && ap->ssid_len == want->ssid_len) {
			if (!memcmp(want->ssid, ap->ssid, ap->ssid_len))
				return true;
			continue;
		}

		if (ap->short_ssid_valid &&
		    ap->short_ssid == ~crc32_le(~0, want->ssid, want->ssid_len))
			return true;
	}

	return false;
}
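/*
 * cfg80211_scan_6ghz - build and issue the 6 GHz part of a split scan
 * @rdev: the registered device
 * @first_part: true when no non-6 GHz part ran before this one
 *
 * Derives an internal request for the 6 GHz band from rdev->scan_req.  With
 * NL80211_SCAN_FLAG_COLOCATED_6GHZ set, the RNR elements of every known BSS
 * are parsed into a list of co-located APs (a BSS matching a specific
 * requested BSSID on 6 GHz is added as well), and only channels hosting such
 * an AP are scanned, each with a scan_6ghz_params entry; PSC channels are
 * added too unless a single requested SSID is already known to be entirely
 * co-located.  Without the flag, all requested 6 GHz channels are scanned.
 *
 * The co-located list is built under rdev->bss_lock, so its entries are
 * allocated GFP_ATOMIC; the request itself is one GFP_KERNEL allocation
 * holding the channels, a copy of the SSIDs, up to @count 6 GHz param
 * entries and a copy of the IEs.
 *
 * Return: 0 once the request is handed to the driver; -EOPNOTSUPP when the
 * device has no 6 GHz band or no HE capability for this interface type;
 * -ENOMEM on allocation failure; -EINVAL if nothing is left to scan; or the
 * driver's error (the previous internal request is then restored).
 */
static int cfg80211_scan_6ghz(struct cfg80211_registered_device *rdev,
			      bool first_part)
{
	/*
	 * u32, not u8: both loops below run up to req.n_channels, which is a
	 * u32, and an 8-bit index would wrap and never terminate if a request
	 * ever carried more than 255 channels.
	 */
	u32 i;
	struct cfg80211_colocated_ap *ap;
	int n_channels, count = 0, err;
	struct cfg80211_scan_request_int *request, *rdev_req = rdev->scan_req;
	LIST_HEAD(coloc_ap_list);
	bool need_scan_psc = true;
	const struct ieee80211_sband_iftype_data *iftd;
	size_t size, offs_ssids, offs_6ghz_params, offs_ies;

	rdev_req->req.scan_6ghz = true;
	rdev_req->req.first_part = first_part;

	if (!rdev->wiphy.bands[NL80211_BAND_6GHZ])
		return -EOPNOTSUPP;

	iftd = ieee80211_get_sband_iftype_data(rdev->wiphy.bands[NL80211_BAND_6GHZ],
					       rdev_req->req.wdev->iftype);
	if (!iftd || !iftd->he_cap.has_he)
		return -EOPNOTSUPP;

	/* upper bound for channels[]: every channel of the 6 GHz band */
	n_channels = rdev->wiphy.bands[NL80211_BAND_6GHZ]->n_channels;

	if (rdev_req->req.flags & NL80211_SCAN_FLAG_COLOCATED_6GHZ) {
		struct cfg80211_internal_bss *intbss;

		spin_lock_bh(&rdev->bss_lock);
		list_for_each_entry(intbss, &rdev->bss_list, list) {
			struct cfg80211_bss *res = &intbss->pub;
			const struct cfg80211_bss_ies *ies;
			const struct element *ssid_elem;
			struct cfg80211_colocated_ap *entry;
			u32 s_ssid_tmp;
			int ret;

			ies = rcu_access_pointer(res->ies);
			count += cfg80211_parse_colocated_ap(ies,
							     &coloc_ap_list);

			/*
			 * If the scan request names a specific BSSID and that
			 * BSS is known and operates on 6 GHz, add it to the
			 * co-located list as well. This matters for ML probe
			 * requests when the lower-band APs have not been
			 * discovered.
			 */
			if (is_broadcast_ether_addr(rdev_req->req.bssid) ||
			    !ether_addr_equal(rdev_req->req.bssid, res->bssid) ||
			    res->channel->band != NL80211_BAND_6GHZ)
				continue;

			ret = cfg80211_calc_short_ssid(ies, &ssid_elem,
						       &s_ssid_tmp);
			if (ret)
				continue;

			entry = kzalloc_obj(*entry, GFP_ATOMIC);
			if (!entry)
				continue;

			memcpy(entry->bssid, res->bssid, ETH_ALEN);
			entry->short_ssid = s_ssid_tmp;
			/* datalen bounded by cfg80211_calc_short_ssid() above */
			memcpy(entry->ssid, ssid_elem->data,
			       ssid_elem->datalen);
			entry->ssid_len = ssid_elem->datalen;
			entry->short_ssid_valid = true;
			entry->center_freq = res->channel->center_freq;

			list_add_tail(&entry->list, &coloc_ap_list);
			count++;
		}
		spin_unlock_bh(&rdev->bss_lock);
	}

	/* one allocation: channels[], then SSIDs, 6 GHz params and IEs */
	size = struct_size(request, req.channels, n_channels);
	offs_ssids = size;
	size += sizeof(*request->req.ssids) * rdev_req->req.n_ssids;
	offs_6ghz_params = size;
	size += sizeof(*request->req.scan_6ghz_params) * count;
	offs_ies = size;
	size += rdev_req->req.ie_len;

	request = kzalloc(size, GFP_KERNEL);
	if (!request) {
		cfg80211_free_coloc_ap_list(&coloc_ap_list);
		return -ENOMEM;
	}

	*request = *rdev_req;
	request->req.n_channels = 0;
	request->req.n_6ghz_params = 0;

	if (rdev_req->req.n_ssids) {
		/*
		 * Carry the parent request's SSIDs over so the driver can
		 * use them in probe requests to discover hidden APs on PSC
		 * channels.
		 */
		request->req.ssids = (void *)request + offs_ssids;
		memcpy(request->req.ssids, rdev_req->req.ssids,
		       sizeof(*request->req.ssids) * request->req.n_ssids);
	}

	request->req.scan_6ghz_params = (void *)request + offs_6ghz_params;

	if (rdev_req->req.ie_len) {
		void *ie = (void *)request + offs_ies;

		memcpy(ie, rdev_req->req.ie, rdev_req->req.ie_len);
		request->req.ie = ie;
	}

	/*
	 * PSC channels need not be scanned for a direct scan with a single
	 * SSID when a reported co-located AP with that SSID indicates that
	 * all APs of the ESS are co-located.
	 */
	if (count &&
	    request->req.n_ssids == 1 &&
	    request->req.ssids[0].ssid_len) {
		list_for_each_entry(ap, &coloc_ap_list, list) {
			if (ap->colocated_ess &&
			    cfg80211_find_ssid_match(ap, &request->req)) {
				need_scan_psc = false;
				break;
			}
		}
	}

	/*
	 * Channels scanned regardless of the co-located list: PSC channels
	 * when still needed, or every requested 6 GHz channel when
	 * NL80211_SCAN_FLAG_COLOCATED_6GHZ is not set.
	 */
	for (i = 0; i < rdev_req->req.n_channels; i++) {
		if (rdev_req->req.channels[i]->band == NL80211_BAND_6GHZ &&
		    ((need_scan_psc &&
		      cfg80211_channel_is_psc(rdev_req->req.channels[i])) ||
		     !(rdev_req->req.flags & NL80211_SCAN_FLAG_COLOCATED_6GHZ))) {
			cfg80211_scan_req_add_chan(&request->req,
						   rdev_req->req.channels[i],
						   false);
		}
	}

	if (!(rdev_req->req.flags & NL80211_SCAN_FLAG_COLOCATED_6GHZ))
		goto skip;

	list_for_each_entry(ap, &coloc_ap_list, list) {
		bool found = false;
		struct cfg80211_scan_6ghz_params *scan_6ghz_params =
			&request->req.scan_6ghz_params[request->req.n_6ghz_params];
		struct ieee80211_channel *chan =
			ieee80211_get_channel(&rdev->wiphy, ap->center_freq);

		if (!chan || chan->flags & IEEE80211_CHAN_DISABLED ||
		    !cfg80211_wdev_channel_allowed(rdev_req->req.wdev, chan))
			continue;

		/* only channels the user actually asked for */
		for (i = 0; i < rdev_req->req.n_channels; i++) {
			if (rdev_req->req.channels[i] == chan) {
				found = true;
				break;
			}
		}

		if (!found)
			continue;

		if (request->req.n_ssids > 0 &&
		    !cfg80211_find_ssid_match(ap, &request->req))
			continue;

		if (!is_broadcast_ether_addr(request->req.bssid) &&
		    !ether_addr_equal(request->req.bssid, ap->bssid))
			continue;

		/* no SSIDs given: skip non-transmitted multi-BSSID members */
		if (!request->req.n_ssids && ap->multi_bss &&
		    !ap->transmitted_bssid)
			continue;

		cfg80211_scan_req_add_chan(&request->req, chan, true);
		memcpy(scan_6ghz_params->bssid, ap->bssid, ETH_ALEN);
		scan_6ghz_params->short_ssid = ap->short_ssid;
		scan_6ghz_params->short_ssid_valid = ap->short_ssid_valid;
		scan_6ghz_params->unsolicited_probe = ap->unsolicited_probe;
		scan_6ghz_params->psd_20 = ap->psd_20;

		/*
		 * When a PSC channel is added while need_scan_psc is false,
		 * every AP of interest on that channel is co-located, so the
		 * initial listen on the PSC channel can be skipped.
		 */
		if (cfg80211_channel_is_psc(chan) && !need_scan_psc)
			scan_6ghz_params->psc_no_listen = true;

		request->req.n_6ghz_params++;
	}

skip:
	cfg80211_free_coloc_ap_list(&coloc_ap_list);

	if (request->req.n_channels) {
		struct cfg80211_scan_request_int *old = rdev->int_scan_req;

		rdev->int_scan_req = request;

		/*
		 * When this follows a non-6 GHz part, keep that part's scan
		 * start info on the new internal request.
		 */
		if (!first_part && !WARN_ON(!old))
			rdev->int_scan_req->info = old->info;

		err = rdev_scan(rdev, request);
		if (err) {
			rdev->int_scan_req = old;
			kfree(request);
		} else {
			kfree(old);
		}

		return err;
	}

	kfree(request);
	return -EINVAL;
}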
/*
 * cfg80211_scan - start the scan described by rdev->scan_req
 * @rdev: the registered device
 *
 * Drivers without WIPHY_FLAG_SPLIT_SCAN_6GHZ get the request unchanged.
 * Otherwise the request is split by band: a request with only 6 GHz channels
 * goes straight to cfg80211_scan_6ghz(), while any other request is first
 * run with its non-6 GHz channels only (as rdev->int_scan_req, a copy of the
 * user request with a filtered channel list); the 6 GHz part is started from
 * ___cfg80211_scan_done() when that first part completes.
 *
 * Return: the driver's result, or -ENOMEM if the partial request could not
 * be allocated.
 */
int cfg80211_scan(struct cfg80211_registered_device *rdev)
{
	struct cfg80211_scan_request_int *rdev_req = rdev->scan_req;
	struct cfg80211_scan_request_int *legacy;
	u32 n_legacy = 0, dst, src;

	if (!(rdev->wiphy.flags & WIPHY_FLAG_SPLIT_SCAN_6GHZ)) {
		rdev_req->req.first_part = true;
		return rdev_scan(rdev, rdev_req);
	}

	for (src = 0; src < rdev_req->req.n_channels; src++) {
		if (rdev_req->req.channels[src]->band != NL80211_BAND_6GHZ)
			n_legacy++;
	}

	if (!n_legacy)
		return cfg80211_scan_6ghz(rdev, true);

	legacy = kzalloc_flex(*legacy, req.channels, n_legacy);
	if (!legacy)
		return -ENOMEM;

	*legacy = *rdev_req;
	legacy->req.n_channels = n_legacy;

	dst = 0;
	for (src = 0; src < rdev_req->req.n_channels; src++) {
		struct ieee80211_channel *chan = rdev_req->req.channels[src];

		if (chan->band != NL80211_BAND_6GHZ)
			legacy->req.channels[dst++] = chan;
	}

	rdev_req->req.scan_6ghz = false;
	rdev_req->req.first_part = true;
	rdev->int_scan_req = legacy;
	return rdev_scan(rdev, legacy);
}
/*
 * ___cfg80211_scan_done - finish a scan and notify userspace
 * @rdev: the registered device
 * @send_message: true to send the nl80211 scan-done message now, false to
 *	park it in rdev->scan_msg for a later call to deliver
 *
 * Must be called with the wiphy mutex held.  If a parked message exists it is
 * sent and nothing else happens.  For drivers splitting scans by band, the
 * completion of a non-6 GHz part first tries to start the 6 GHz part; the
 * scan only finishes here when that is not needed or fails.  Finishing means:
 * SME is told, BSS entries from before the scan are flushed when
 * NL80211_SCAN_FLAG_FLUSH was set and the scan was not aborted, the WEXT
 * event goes out, the netdev reference taken for the scan is dropped, and
 * both the user and internal requests are freed.
 */
void ___cfg80211_scan_done(struct cfg80211_registered_device *rdev,
			   bool send_message)
{
	struct cfg80211_scan_request_int *request, *rdev_req;
	struct wireless_dev *wdev;
	struct sk_buff *msg;
#ifdef CONFIG_CFG80211_WEXT
	union iwreq_data wrqu;
#endif

	lockdep_assert_held(&rdev->wiphy.mtx);

	/* a previously parked message: just deliver it */
	if (rdev->scan_msg) {
		nl80211_send_scan_msg(rdev, rdev->scan_msg);
		rdev->scan_msg = NULL;
		return;
	}

	rdev_req = rdev->scan_req;
	if (!rdev_req)
		return;

	wdev = rdev_req->req.wdev;
	/* the internal (split) request carries the result info when present */
	request = rdev->int_scan_req ? rdev->int_scan_req : rdev_req;

	/*
	 * First part of a split scan done: hand off to the 6 GHz part.
	 * cfg80211_scan_6ghz() marks scan_6ghz on rdev_req, so this runs
	 * at most once per scan; on its failure the scan finishes here.
	 */
	if (wdev_running(wdev) &&
	    (rdev->wiphy.flags & WIPHY_FLAG_SPLIT_SCAN_6GHZ) &&
	    !rdev_req->req.scan_6ghz && !request->info.aborted &&
	    !cfg80211_scan_6ghz(rdev, false))
		return;

	/*
	 * This must be before sending the other events!
	 * Otherwise, wpa_supplicant gets completely confused with
	 * wext events.
	 */
	if (wdev->netdev)
		cfg80211_sme_scan_done(wdev->netdev);

	if (!request->info.aborted &&
	    request->req.flags & NL80211_SCAN_FLAG_FLUSH) {
		/* flush entries from previous scans */
		spin_lock_bh(&rdev->bss_lock);
		__cfg80211_bss_expire(rdev, request->req.scan_start);
		spin_unlock_bh(&rdev->bss_lock);
	}

	msg = nl80211_build_scan_msg(rdev, wdev, request->info.aborted);

#ifdef CONFIG_CFG80211_WEXT
	if (wdev->netdev && !request->info.aborted) {
		memset(&wrqu, 0, sizeof(wrqu));

		wireless_send_event(wdev->netdev, SIOCGIWSCAN, &wrqu, NULL);
	}
#endif

	dev_put(wdev->netdev);

	kfree(rdev->int_scan_req);
	rdev->int_scan_req = NULL;

	kfree(rdev->scan_req);
	rdev->scan_req = NULL;

	if (!send_message)
		rdev->scan_msg = msg;
	else
		nl80211_send_scan_msg(rdev, msg);
}
/*
 * __cfg80211_scan_done - wiphy work callback completing a scan
 * @wiphy: the wiphy whose scan_done_wk fired
 * @wk: the work item (unused)
 *
 * Runs with the wiphy mutex held (wiphy work) and always sends the
 * scan-done message immediately.
 */
void __cfg80211_scan_done(struct wiphy *wiphy, struct wiphy_work *wk)
{
	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);

	___cfg80211_scan_done(rdev, true);
}
/*
 * cfg80211_scan_done - driver notification that a scan request finished
 * @request: the request the driver was given
 * @info: completion info (aborted flag, scan start TSF and its BSSID)
 *
 * Records @info on the internal request and queues the scan-done work.  For
 * the 6 GHz part of a split scan, the start TSF and TSF BSSID of the first
 * part are kept when the first part recorded a non-zero scan_start_tsf.
 */
void cfg80211_scan_done(struct cfg80211_scan_request *request,
			struct cfg80211_scan_info *info)
{
	struct cfg80211_scan_request_int *intreq =
		container_of(request, struct cfg80211_scan_request_int, req);
	struct cfg80211_registered_device *rdev = wiphy_to_rdev(request->wiphy);
	struct cfg80211_scan_info prev = intreq->info;
	bool keep_first_part_tsf;

	trace_cfg80211_scan_done(intreq, info);
	WARN_ON(intreq != rdev->scan_req && intreq != rdev->int_scan_req);

	intreq->info = *info;

	keep_first_part_tsf = request->scan_6ghz && prev.scan_start_tsf;
	if (keep_first_part_tsf) {
		intreq->info.scan_start_tsf = prev.scan_start_tsf;
		memcpy(intreq->info.tsf_bssid, prev.tsf_bssid,
		       sizeof(prev.tsf_bssid));
	}

	intreq->notified = true;
	wiphy_work_queue(request->wiphy, &rdev->scan_done_wk);
}
EXPORT_SYMBOL(cfg80211_scan_done);
/*
 * cfg80211_add_sched_scan_req - publish a scheduled scan request
 * @rdev: the registered device
 * @req: request to add to rdev->sched_scan_req_list (RCU-safe insert)
 *
 * Caller must hold the wiphy mutex.
 */
void cfg80211_add_sched_scan_req(struct cfg80211_registered_device *rdev,
				 struct cfg80211_sched_scan_request *req)
{
	struct list_head *head = &rdev->sched_scan_req_list;

	lockdep_assert_held(&rdev->wiphy.mtx);
	list_add_rcu(&req->list, head);
}
/*
 * cfg80211_del_sched_scan_req - unpublish and free a scheduled scan request
 * @rdev: the registered device
 * @req: request to remove; freed after a grace period so RCU readers of
 *	the list are safe
 *
 * Caller must hold the wiphy mutex.
 */
static void cfg80211_del_sched_scan_req(struct cfg80211_registered_device *rdev,
					struct cfg80211_sched_scan_request *req)
{
	lockdep_assert_held(&rdev->wiphy.mtx);

	list_del_rcu(&req->list);
	kfree_rcu(req, rcu_head);
}
/*
 * cfg80211_find_sched_scan_req - look up a scheduled scan request by id
 * @rdev: the registered device
 * @reqid: id to find (zero is used for the legacy single request)
 *
 * Callers must either be in an RCU read-side section or hold the wiphy mutex.
 *
 * Return: the matching request, or NULL.
 */
static struct cfg80211_sched_scan_request *
cfg80211_find_sched_scan_req(struct cfg80211_registered_device *rdev, u64 reqid)
{
	struct cfg80211_sched_scan_request *req, *found = NULL;

	list_for_each_entry_rcu(req, &rdev->sched_scan_req_list, list,
				lockdep_is_held(&rdev->wiphy.mtx)) {
		if (req->reqid != reqid)
			continue;
		found = req;
		break;
	}

	return found;
}
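/*
 * Determines if a scheduled scan request can be handled. When a legacy
 * scheduled scan is running no other scheduled scan is allowed regardless
 * whether the request is for legacy or multi-support scan. When a multi-support
 * scheduled scan is running a request for legacy scan is not allowed. In this
 * case a request for multi-support scan can be handled if resources are
 * available, ie. struct wiphy::max_sched_scan_reqs limit is not yet reached.
 *
 * @rdev: the registered device
 * @want_multi: true if the new request is a multi-support request
 *
 * Return: 0 if the request may proceed, -EINPROGRESS if a conflicting scan
 * is running, -ENOSPC if the per-wiphy request limit is reached.
 */
int cfg80211_sched_scan_req_possible(struct cfg80211_registered_device *rdev,
				     bool want_multi)
{
	struct cfg80211_sched_scan_request *pos;
	int i = 0;

	list_for_each_entry(pos, &rdev->sched_scan_req_list, list) {
		/* request id zero means legacy in progress */
		if (!i && !pos->reqid)
			return -EINPROGRESS;
		i++;
	}

	if (i) {
		/* no legacy allowed when multi request(s) are active */
		if (!want_multi)
			return -EINPROGRESS;
		/*
		 * resource limit reached; ">=" rather than "==" so that a
		 * list already over the limit (which should not happen) is
		 * refused instead of accepting one more request
		 */
		if (i >= rdev->wiphy.max_sched_scan_reqs)
			return -ENOSPC;
	}

	return 0;
}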
/*
 * cfg80211_sched_scan_results_wk - deliver pending scheduled scan results
 * @work: rdev->sched_scan_res_wk
 *
 * Under the wiphy lock, every request flagged by
 * cfg80211_sched_scan_results() has its flag cleared and a
 * NL80211_CMD_SCHED_SCAN_RESULTS event sent; requests with
 * NL80211_SCAN_FLAG_FLUSH first expire BSS entries older than their
 * scan_start and restart that timestamp.
 */
void cfg80211_sched_scan_results_wk(struct work_struct *work)
{
	struct cfg80211_registered_device *rdev =
		container_of(work, struct cfg80211_registered_device,
			     sched_scan_res_wk);
	struct cfg80211_sched_scan_request *req, *next;

	guard(wiphy)(&rdev->wiphy);

	list_for_each_entry_safe(req, next, &rdev->sched_scan_req_list, list) {
		if (!req->report_results)
			continue;
		req->report_results = false;

		if (req->flags & NL80211_SCAN_FLAG_FLUSH) {
			/* drop entries that predate this scan round */
			spin_lock_bh(&rdev->bss_lock);
			__cfg80211_bss_expire(rdev, req->scan_start);
			spin_unlock_bh(&rdev->bss_lock);
			req->scan_start = jiffies;
		}

		nl80211_send_sched_scan(req, NL80211_CMD_SCHED_SCAN_RESULTS);
	}
}
/*
 * cfg80211_sched_scan_results - driver notification of scheduled scan results
 * @wiphy: the wiphy
 * @reqid: id of the scheduled scan request that produced results
 *
 * Marks the request (looked up under RCU) for reporting and queues the
 * results work; an unknown id, e.g. a scan that was already stopped, is
 * silently ignored.
 */
void cfg80211_sched_scan_results(struct wiphy *wiphy, u64 reqid)
{
	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
	struct cfg80211_sched_scan_request *req;

	trace_cfg80211_sched_scan_results(wiphy, reqid);

	rcu_read_lock();
	req = cfg80211_find_sched_scan_req(rdev, reqid);
	if (!req) {
		rcu_read_unlock();
		return;
	}

	req->report_results = true;
	queue_work(cfg80211_wq, &rdev->sched_scan_res_wk);
	rcu_read_unlock();
}
EXPORT_SYMBOL(cfg80211_sched_scan_results);
/*
 * cfg80211_sched_scan_stopped_locked - driver reports a scheduled scan stopped
 * @wiphy: the wiphy
 * @reqid: id of the stopped request
 *
 * Caller must hold the wiphy mutex.  The stop is driver-initiated, so the
 * driver is not asked to stop again; userspace is notified and the request
 * is removed.
 */
void cfg80211_sched_scan_stopped_locked(struct wiphy *wiphy, u64 reqid)
{
	struct cfg80211_registered_device *rdev;

	lockdep_assert_held(&wiphy->mtx);

	rdev = wiphy_to_rdev(wiphy);
	trace_cfg80211_sched_scan_stopped(wiphy, reqid);
	__cfg80211_stop_sched_scan(rdev, reqid, true);
}
EXPORT_SYMBOL(cfg80211_sched_scan_stopped_locked);
/*
 * cfg80211_sched_scan_stopped - unlocked variant of
 *	cfg80211_sched_scan_stopped_locked()
 * @wiphy: the wiphy
 * @reqid: id of the stopped request
 *
 * Takes the wiphy lock for the duration of the call.
 */
void cfg80211_sched_scan_stopped(struct wiphy *wiphy, u64 reqid)
{
	guard(wiphy)(wiphy);

	cfg80211_sched_scan_stopped_locked(wiphy, reqid);
}
EXPORT_SYMBOL(cfg80211_sched_scan_stopped);
/*
 * cfg80211_stop_sched_scan_req - stop one scheduled scan request
 * @rdev: the registered device
 * @req: the request to stop
 * @driver_initiated: true if the driver already stopped it (no driver call
 *	is made then), false to ask the driver to stop it first
 *
 * Caller must hold the wiphy mutex.  On success userspace gets a
 * NL80211_CMD_SCHED_SCAN_STOPPED event and the request is removed and freed.
 *
 * Return: 0, or the driver's error (in which case nothing is removed).
 */
int cfg80211_stop_sched_scan_req(struct cfg80211_registered_device *rdev,
				 struct cfg80211_sched_scan_request *req,
				 bool driver_initiated)
{
	int err = 0;

	lockdep_assert_held(&rdev->wiphy.mtx);

	if (!driver_initiated)
		err = rdev_sched_scan_stop(rdev, req->dev, req->reqid);
	if (err)
		return err;

	nl80211_send_sched_scan(req, NL80211_CMD_SCHED_SCAN_STOPPED);
	cfg80211_del_sched_scan_req(rdev, req);
	return 0;
}
/*
 * __cfg80211_stop_sched_scan - stop a scheduled scan by request id
 * @rdev: the registered device
 * @reqid: id of the request
 * @driver_initiated: passed through to cfg80211_stop_sched_scan_req()
 *
 * Caller must hold the wiphy mutex.
 *
 * Return: -ENOENT if no such request exists, otherwise the result of
 * cfg80211_stop_sched_scan_req().
 */
int __cfg80211_stop_sched_scan(struct cfg80211_registered_device *rdev,
			       u64 reqid, bool driver_initiated)
{
	struct cfg80211_sched_scan_request *req;

	lockdep_assert_held(&rdev->wiphy.mtx);

	req = cfg80211_find_sched_scan_req(rdev, reqid);
	if (!req)
		return -ENOENT;

	return cfg80211_stop_sched_scan_req(rdev, req, driver_initiated);
}
/*
 * cfg80211_bss_age - make every BSS entry look @age_secs older
 * @rdev: the registered device
 * @age_secs: seconds to subtract from each entry's timestamp
 *
 * Takes rdev->bss_lock; entries are not expired here, only aged, so a later
 * expiry pass (or the expiry check in __cfg80211_get_bss()) sees them as
 * older.
 */
void cfg80211_bss_age(struct cfg80211_registered_device *rdev,
		      unsigned long age_secs)
{
	unsigned long delta = secs_to_jiffies(age_secs);
	struct cfg80211_internal_bss *entry;

	spin_lock_bh(&rdev->bss_lock);
	list_for_each_entry(entry, &rdev->bss_list, list)
		entry->ts -= delta;
	spin_unlock_bh(&rdev->bss_lock);
}
/*
 * cfg80211_bss_expire - expire BSS entries older than the default lifetime
 * @rdev: the registered device
 *
 * Locking is the caller's responsibility (__cfg80211_bss_expire() asserts
 * what it needs); compare cfg80211_bss_flush(), which takes bss_lock itself.
 */
void cfg80211_bss_expire(struct cfg80211_registered_device *rdev)
{
	unsigned long cutoff = jiffies - IEEE80211_SCAN_RESULT_EXPIRE;

	__cfg80211_bss_expire(rdev, cutoff);
}
/*
 * cfg80211_bss_flush - expire every expirable BSS entry right now
 * @wiphy: the wiphy
 *
 * Uses the current jiffies as the cutoff so all entries qualify; takes
 * rdev->bss_lock itself.
 */
void cfg80211_bss_flush(struct wiphy *wiphy)
{
	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
	unsigned long now = jiffies;

	spin_lock_bh(&rdev->bss_lock);
	__cfg80211_bss_expire(rdev, now);
	spin_unlock_bh(&rdev->bss_lock);
}
EXPORT_SYMBOL(cfg80211_bss_flush);
/*
 * cfg80211_find_elem_match - find an element by id with matching payload bytes
 * @eid: element id to look for
 * @ies: information elements to search
 * @len: their length
 * @match: bytes that must appear in the element's data
 * @match_len: number of bytes in @match
 * @match_offset: offset within the element's data where @match must appear
 *
 * Elements shorter than @match_offset + @match_len are skipped, so the
 * memcmp() never reads past the element.  The sum is computed in unsigned
 * int; callers pass small constants.
 *
 * Return: the first matching element, or NULL.
 */
const struct element *
cfg80211_find_elem_match(u8 eid, const u8 *ies, unsigned int len,
			 const u8 *match, unsigned int match_len,
			 unsigned int match_offset)
{
	const struct element *cand;
	unsigned int need = match_offset + match_len;

	for_each_element_id(cand, eid, ies, len) {
		if (cand->datalen < need)
			continue;
		if (memcmp(cand->data + match_offset, match, match_len) == 0)
			return cand;
	}

	return NULL;
}
EXPORT_SYMBOL(cfg80211_find_elem_match);
/*
 * cfg80211_find_vendor_elem - find a vendor-specific element by OUI and type
 * @oui: 24-bit OUI
 * @oui_type: OUI type byte, or negative to match on the OUI alone
 * @ies: information elements to search
 * @len: their length
 *
 * Return: the first matching vendor element that holds at least the 3-byte
 * OUI plus a type byte, or NULL (also for an @oui_type above 0xff, which is
 * a caller bug and WARNed).
 */
const struct element *cfg80211_find_vendor_elem(unsigned int oui, int oui_type,
						const u8 *ies,
						unsigned int len)
{
	const struct element *found;
	u8 pattern[4];
	int pattern_len;

	if (WARN_ON(oui_type > 0xff))
		return NULL;

	pattern[0] = oui >> 16;
	pattern[1] = oui >> 8;
	pattern[2] = oui;
	pattern[3] = oui_type;
	pattern_len = oui_type < 0 ? 3 : sizeof(pattern);

	found = cfg80211_find_elem_match(WLAN_EID_VENDOR_SPECIFIC, ies, len,
					 pattern, pattern_len, 0);
	if (!found || found->datalen < 4)
		return NULL;

	return found;
}
EXPORT_SYMBOL(cfg80211_find_vendor_elem);
/**
 * enum bss_compare_mode - BSS compare mode
 * @BSS_CMP_REGULAR: regular compare mode (for insertion and normal find):
 *	SSID elements compare by length, then by contents
 * @BSS_CMP_HIDE_ZLEN: find hidden SSID with zero-length mode: the BSS being
 *	looked up is assumed to have an empty SSID, so an existing entry
 *	matches only if its SSID element is empty too
 * @BSS_CMP_HIDE_NUL: find hidden SSID with NUL-ed out mode: same length, and
 *	the existing entry's SSID must be all zero bytes
 *
 * Selects how cmp_bss() treats the SSID element once channel, mesh
 * information and BSSID have compared equal.
 */
enum bss_compare_mode {
	BSS_CMP_REGULAR,
	BSS_CMP_HIDE_ZLEN,
	BSS_CMP_HIDE_NUL,
};
/*
 * cmp_bss - ordering function for BSS entries
 * @a: the BSS being looked up or inserted
 * @b: the BSS already present
 * @mode: how the SSID element is compared, see enum bss_compare_mode
 *
 * Compares, in order: channel (by center frequency in kHz, i.e. including
 * freq_offset); when WLAN_CAPABILITY_IS_STA_BSS() holds for both and both
 * carry Mesh ID and Mesh Configuration elements, those two elements; the
 * BSSID; and finally the SSID element according to @mode.  A BSS without IEs
 * sorts before one with IEs when it is @a and after when it is @b.  Note that
 * when both have a Mesh ID but not both a Mesh Configuration, the Mesh ID
 * result is discarded and the comparison continues with the BSSID.
 *
 * Return: negative, zero or positive like memcmp(); zero means "same BSS"
 * under @mode.
 */
static int cmp_bss(struct cfg80211_bss *a,
		   struct cfg80211_bss *b,
		   enum bss_compare_mode mode)
{
	const struct cfg80211_bss_ies *a_ies, *b_ies;
	const u8 *ie1 = NULL;
	const u8 *ie2 = NULL;
	int i, r;

	if (a->channel != b->channel)
		return (b->channel->center_freq * 1000 + b->channel->freq_offset) -
		       (a->channel->center_freq * 1000 + a->channel->freq_offset);

	/* entries without IEs sort as "less" on the a side, "more" on b */
	a_ies = rcu_access_pointer(a->ies);
	if (!a_ies)
		return -1;
	b_ies = rcu_access_pointer(b->ies);
	if (!b_ies)
		return 1;

	if (WLAN_CAPABILITY_IS_STA_BSS(a->capability))
		ie1 = cfg80211_find_ie(WLAN_EID_MESH_ID,
				       a_ies->data, a_ies->len);
	if (WLAN_CAPABILITY_IS_STA_BSS(b->capability))
		ie2 = cfg80211_find_ie(WLAN_EID_MESH_ID,
				       b_ies->data, b_ies->len);
	if (ie1 && ie2) {
		int mesh_id_cmp;

		/* ie[1] is the element length, ie + 2 its data */
		if (ie1[1] == ie2[1])
			mesh_id_cmp = memcmp(ie1 + 2, ie2 + 2, ie1[1]);
		else
			mesh_id_cmp = ie2[1] - ie1[1];

		ie1 = cfg80211_find_ie(WLAN_EID_MESH_CONFIG,
				       a_ies->data, a_ies->len);
		ie2 = cfg80211_find_ie(WLAN_EID_MESH_CONFIG,
				       b_ies->data, b_ies->len);
		if (ie1 && ie2) {
			/* Mesh ID decides first, Mesh Config breaks ties */
			if (mesh_id_cmp)
				return mesh_id_cmp;
			if (ie1[1] != ie2[1])
				return ie2[1] - ie1[1];
			return memcmp(ie1 + 2, ie2 + 2, ie1[1]);
		}
	}

	r = memcmp(a->bssid, b->bssid, sizeof(a->bssid));
	if (r)
		return r;

	ie1 = cfg80211_find_ie(WLAN_EID_SSID, a_ies->data, a_ies->len);
	ie2 = cfg80211_find_ie(WLAN_EID_SSID, b_ies->data, b_ies->len);

	if (!ie1 && !ie2)
		return 0;

	/*
	 * Note that with "hide_ssid", the function returns a match if
	 * the already-present BSS ("b") is a hidden SSID beacon for
	 * the new BSS ("a").
	 */

	/* sort missing IE before (left of) present IE */
	if (!ie1)
		return -1;
	if (!ie2)
		return 1;

	switch (mode) {
	case BSS_CMP_HIDE_ZLEN:
		/*
		 * In ZLEN mode we assume the BSS entry we're
		 * looking for has a zero-length SSID. So if
		 * the one we're looking at right now has that,
		 * return 0. Otherwise, return the difference
		 * in length, but since we're looking for the
		 * 0-length it's really equivalent to returning
		 * the length of the one we're looking at.
		 *
		 * No content comparison is needed as we assume
		 * the content length is zero.
		 */
		return ie2[1];
	case BSS_CMP_REGULAR:
	default:
		/* sort by length first, then by contents */
		if (ie1[1] != ie2[1])
			return ie2[1] - ie1[1];
		return memcmp(ie1 + 2, ie2 + 2, ie1[1]);
	case BSS_CMP_HIDE_NUL:
		if (ie1[1] != ie2[1])
			return ie2[1] - ie1[1];
		/* this is equivalent to memcmp(zeroes, ie2 + 2, len) */
		for (i = 0; i < ie2[1]; i++)
			if (ie2[i + 2])
				return -1;
		return 0;
	}
}
/*
 * cfg80211_bss_type_match - does a BSS's capability field fit a BSS type?
 * @capability: capability field of the BSS
 * @band: band the BSS is on; 60 GHz uses the DMG type bits instead of
 *	the ESS/IBSS bits
 * @bss_type: requested type; IEEE80211_BSS_TYPE_ANY matches everything
 *
 * Return: true if the masked capability bits equal the value expected for
 * @bss_type on @band; false for a type the band cannot express.
 */
static bool cfg80211_bss_type_match(u16 capability,
				    enum nl80211_band band,
				    enum ieee80211_bss_type bss_type)
{
	u16 mask, want;

	if (bss_type == IEEE80211_BSS_TYPE_ANY)
		return true;

	if (band == NL80211_BAND_60GHZ) {
		mask = WLAN_CAPABILITY_DMG_TYPE_MASK;
		switch (bss_type) {
		case IEEE80211_BSS_TYPE_ESS:
			want = WLAN_CAPABILITY_DMG_TYPE_AP;
			break;
		case IEEE80211_BSS_TYPE_PBSS:
			want = WLAN_CAPABILITY_DMG_TYPE_PBSS;
			break;
		case IEEE80211_BSS_TYPE_IBSS:
			want = WLAN_CAPABILITY_DMG_TYPE_IBSS;
			break;
		default:
			return false;
		}
		return (capability & mask) == want;
	}

	mask = WLAN_CAPABILITY_ESS | WLAN_CAPABILITY_IBSS;
	switch (bss_type) {
	case IEEE80211_BSS_TYPE_ESS:
		want = WLAN_CAPABILITY_ESS;
		break;
	case IEEE80211_BSS_TYPE_IBSS:
		want = WLAN_CAPABILITY_IBSS;
		break;
	case IEEE80211_BSS_TYPE_MBSS:
		/* mesh: neither ESS nor IBSS set */
		want = 0;
		break;
	default:
		return false;
	}
	return (capability & mask) == want;
}
/* Returned bss is reference counted and must be cleaned up appropriately. */
/*
 * __cfg80211_get_bss - look up a BSS entry matching the given constraints
 * @wiphy: the wiphy whose BSS list is searched
 * @channel: required channel, or NULL for any channel
 * @bssid: BSSID to match (see is_bss())
 * @ssid: SSID to match (see is_bss())
 * @ssid_len: length of @ssid
 * @bss_type: required BSS type, see cfg80211_bss_type_match()
 * @privacy: IEEE80211_PRIVACY_ON / _OFF to require that capability bit set
 *	or clear; any other value does not filter on it
 * @use_for: every bit set here must also be set in the entry's use_for
 *
 * Walks rdev->bss_list under bss_lock and returns the first entry that
 * passes all filters, excluding entries with an invalid BSSID and expired
 * entries that nobody holds.  The returned entry carries a reference taken
 * with bss_ref_get().
 */
struct cfg80211_bss *__cfg80211_get_bss(struct wiphy *wiphy,
					struct ieee80211_channel *channel,
					const u8 *bssid,
					const u8 *ssid, size_t ssid_len,
					enum ieee80211_bss_type bss_type,
					enum ieee80211_privacy privacy,
					u32 use_for)
{
	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
	struct cfg80211_internal_bss *cur, *match = NULL;
	unsigned long now = jiffies;

	trace_cfg80211_get_bss(wiphy, channel, bssid, ssid, ssid_len, bss_type,
			       privacy);

	spin_lock_bh(&rdev->bss_lock);

	list_for_each_entry(cur, &rdev->bss_list, list) {
		bool has_privacy;

		if (!cfg80211_bss_type_match(cur->pub.capability,
					     cur->pub.channel->band, bss_type))
			continue;

		has_privacy = !!(cur->pub.capability & WLAN_CAPABILITY_PRIVACY);
		if (privacy == IEEE80211_PRIVACY_ON && !has_privacy)
			continue;
		if (privacy == IEEE80211_PRIVACY_OFF && has_privacy)
			continue;

		if (channel && cur->pub.channel != channel)
			continue;
		if (!is_valid_ether_addr(cur->pub.bssid))
			continue;
		if ((cur->pub.use_for & use_for) != use_for)
			continue;
		/* Don't get expired BSS structs, unless someone holds them */
		if (time_after(now, cur->ts + IEEE80211_SCAN_RESULT_EXPIRE) &&
		    !atomic_read(&cur->hold))
			continue;
		if (!is_bss(&cur->pub, bssid, ssid, ssid_len))
			continue;

		match = cur;
		bss_ref_get(rdev, match);
		break;
	}

	spin_unlock_bh(&rdev->bss_lock);

	if (!match)
		return NULL;

	trace_cfg80211_return_bss(&match->pub);
	return &match->pub;
}
EXPORT_SYMBOL(__cfg80211_get_bss);
/*
 * rb_insert_bss - link a BSS entry into rdev's red-black tree
 * @rdev: registered device owning the tree
 * @bss: entry to insert, keyed by cmp_bss(..., BSS_CMP_REGULAR)
 *
 * Returns true on success.  Returns false (after WARN_ON) when an entry with
 * an equal key is already present; the entry is then left unlinked.
 */
static bool rb_insert_bss(struct cfg80211_registered_device *rdev,
			  struct cfg80211_internal_bss *bss)
{
	struct rb_node **link = &rdev->bss_tree.rb_node;
	struct rb_node *parent = NULL;

	while (*link) {
		struct cfg80211_internal_bss *cur;
		int order;

		parent = *link;
		cur = rb_entry(parent, struct cfg80211_internal_bss, rbn);
		order = cmp_bss(&bss->pub, &cur->pub, BSS_CMP_REGULAR);

		/* an equal key should have been handled as an update */
		if (WARN_ON(!order)) {
			/* will sort of leak this BSS */
			return false;
		}

		link = order < 0 ? &parent->rb_left : &parent->rb_right;
	}

	rb_link_node(&bss->rbn, parent, link);
	rb_insert_color(&bss->rbn, &rdev->bss_tree);
	return true;
}
/*
 * rb_find_bss - search rdev's tree for an entry comparing equal to @res
 * @rdev: registered device owning the tree
 * @res: the key entry (typically the caller's temporary)
 * @mode: comparison mode handed to cmp_bss()
 *
 * Returns the matching entry or NULL; no reference is taken.
 */
static struct cfg80211_internal_bss *
rb_find_bss(struct cfg80211_registered_device *rdev,
	    struct cfg80211_internal_bss *res,
	    enum bss_compare_mode mode)
{
	struct rb_node *node = rdev->bss_tree.rb_node;

	while (node) {
		struct cfg80211_internal_bss *cur =
			rb_entry(node, struct cfg80211_internal_bss, rbn);
		int order = cmp_bss(&res->pub, &cur->pub, mode);

		if (!order)
			return cur;

		node = order < 0 ? node->rb_left : node->rb_right;
	}

	return NULL;
}
/*
 * cfg80211_insert_bss - add a new entry to the tree, the list and the count
 * @rdev: registered device; bss_lock must be held
 * @bss: entry to add
 *
 * If the tree insertion is refused (duplicate key) the entry is not added
 * to the list either, so bss_entries stays in step with the tree.
 */
static void cfg80211_insert_bss(struct cfg80211_registered_device *rdev,
				struct cfg80211_internal_bss *bss)
{
	lockdep_assert_held(&rdev->bss_lock);

	if (rb_insert_bss(rdev, bss)) {
		list_add_tail(&bss->list, &rdev->bss_list);
		rdev->bss_entries++;
	}
}
/*
 * cfg80211_rehash_bss - re-key an entry whose sort key changed
 * @rdev: registered device; bss_lock must be held
 * @bss: entry to remove and re-insert into the tree
 *
 * If the re-insert fails (an entry with the new key already exists), the
 * entry is unlinked from every list it is on and no longer counted, so the
 * list and tree stay consistent.  bss_generation is bumped either way.
 */
static void cfg80211_rehash_bss(struct cfg80211_registered_device *rdev,
				struct cfg80211_internal_bss *bss)
{
	lockdep_assert_held(&rdev->bss_lock);

	rb_erase(&bss->rbn, &rdev->bss_tree);
	if (rb_insert_bss(rdev, bss))
		goto done;

	/* duplicate key: drop the entry from all bookkeeping */
	list_del(&bss->list);
	if (!list_empty(&bss->hidden_list))
		list_del_init(&bss->hidden_list);
	if (!list_empty(&bss->pub.nontrans_list))
		list_del_init(&bss->pub.nontrans_list);
	rdev->bss_entries--;

done:
	rdev->bss_generation++;
}
/*
 * cfg80211_combine_bsses - group existing probe-response entries under a
 *	new hidden-SSID beacon entry
 * @rdev: registered device; called with bss_lock held (see
 *	cfg80211_bss_update() / cfg80211_inform_single_bss_data())
 * @new: newly allocated beacon entry that is not yet in the tree or list
 *
 * Does nothing unless @new's beacon IEs contain an SSID element whose bytes
 * are all zero (a hidden SSID).  Every entry on rdev->bss_list with the same
 * BSSID and channel that has no beacon IEs of its own and an SSID of the same
 * length (any length if @new's SSID is empty) is linked onto
 * @new->hidden_list, pointed at @new via hidden_beacon_bss, given @new's
 * beacon IEs, and its reference count is folded into @new's.
 *
 * Returns false only when @new has no beacon IEs (WARN_ON); true otherwise,
 * including when nothing was combined.
 */
static bool cfg80211_combine_bsses(struct cfg80211_registered_device *rdev,
				   struct cfg80211_internal_bss *new)
{
	const struct cfg80211_bss_ies *ies;
	struct cfg80211_internal_bss *bss;
	const u8 *ie;
	int i, ssidlen;
	u8 fold = 0;
	u32 n_entries = 0;

	ies = rcu_access_pointer(new->pub.beacon_ies);
	if (WARN_ON(!ies))
		return false;

	ie = cfg80211_find_ie(WLAN_EID_SSID, ies->data, ies->len);
	if (!ie) {
		/* nothing to do */
		return true;
	}

	/* OR all SSID bytes together: any non-zero byte means it is visible */
	ssidlen = ie[1];
	for (i = 0; i < ssidlen; i++)
		fold |= ie[2 + i];

	if (fold) {
		/* not a hidden SSID */
		return true;
	}

	/* This is the bad part ... */

	list_for_each_entry(bss, &rdev->bss_list, list) {
		/*
		 * we're iterating all the entries anyway, so take the
		 * opportunity to validate the list length accounting
		 */
		n_entries++;

		if (!ether_addr_equal(bss->pub.bssid, new->pub.bssid))
			continue;
		if (bss->pub.channel != new->pub.channel)
			continue;
		/* entries that already carry beacon IEs are not hidden members */
		if (rcu_access_pointer(bss->pub.beacon_ies))
			continue;
		ies = rcu_access_pointer(bss->pub.ies);
		if (!ies)
			continue;
		ie = cfg80211_find_ie(WLAN_EID_SSID, ies->data, ies->len);
		if (!ie)
			continue;
		/* a zero-length hidden SSID matches any probe-response SSID length */
		if (ssidlen && ie[1] != ssidlen)
			continue;
		if (WARN_ON_ONCE(bss->pub.hidden_beacon_bss))
			continue;
		if (WARN_ON_ONCE(!list_empty(&bss->hidden_list)))
			list_del(&bss->hidden_list);
		/* combine them */
		list_add(&bss->hidden_list, &new->hidden_list);
		bss->pub.hidden_beacon_bss = &new->pub;
		/* the member's references now keep @new alive as well */
		new->refcount += bss->refcount;
		rcu_assign_pointer(bss->pub.beacon_ies,
				   new->pub.beacon_ies);
	}

	WARN_ONCE(n_entries != rdev->bss_entries,
		  "rdev bss entries[%d]/list[len:%d] corruption\n",
		  rdev->bss_entries, n_entries);

	return true;
}
/*
 * cfg80211_update_hidden_bsses - propagate new beacon IEs to group members
 * @known: the beacon entry heading a hidden-SSID group
 * @new_ies: the beacon IEs that @known now carries
 * @old_ies: the beacon IEs every member is expected to still point at
 *
 * Each member on @known->hidden_list is switched to @new_ies and gets
 * @known's timestamps copied over.
 */
static void cfg80211_update_hidden_bsses(struct cfg80211_internal_bss *known,
					 const struct cfg80211_bss_ies *new_ies,
					 const struct cfg80211_bss_ies *old_ies)
{
	struct cfg80211_internal_bss *member;

	/* Assign beacon IEs to all sub entries */
	list_for_each_entry(member, &known->hidden_list, hidden_list) {
		/* a member pointing elsewhere indicates broken group bookkeeping */
		WARN_ON(rcu_access_pointer(member->pub.beacon_ies) != old_ies);

		rcu_assign_pointer(member->pub.beacon_ies, new_ies);
		member->ts = known->ts;
		member->pub.ts_boottime = known->pub.ts_boottime;
	}
}
/*
 * cfg80211_check_stuck_ecsa - detect a probe response that keeps announcing
 *	a channel switch to the channel the BSS is already on
 * @rdev: registered device; bss_lock must be held (used for the RCU derefs)
 * @known: the entry whose probe-response IEs were just replaced
 * @old: the probe-response IEs that were just replaced
 *
 * Sets @known->pub.proberesp_ecsa_stuck when the new and old probe responses
 * are at least a second apart, both carry an identical Extended Channel
 * Switch Announcement element with a non-zero mode targeting the current
 * channel, and the beacon (if any) carries no such element.
 */
static void cfg80211_check_stuck_ecsa(struct cfg80211_registered_device *rdev,
				      struct cfg80211_internal_bss *known,
				      const struct cfg80211_bss_ies *old)
{
	const struct ieee80211_ext_chansw_ie *ecsa;
	const struct element *elem_new, *elem_old;
	const struct cfg80211_bss_ies *new, *bcn;

	/* already flagged: nothing more to learn */
	if (known->pub.proberesp_ecsa_stuck)
		return;

	new = rcu_dereference_protected(known->pub.proberesp_ies,
					lockdep_is_held(&rdev->bss_lock));
	if (WARN_ON(!new) || new->tsf - old->tsf < USEC_PER_SEC)
		return;

	elem_old = cfg80211_find_elem(WLAN_EID_EXT_CHANSWITCH_ANN,
				      old->data, old->len);
	if (!elem_old)
		return;

	elem_new = cfg80211_find_elem(WLAN_EID_EXT_CHANSWITCH_ANN,
				      new->data, new->len);
	if (!elem_new)
		return;

	/* a beacon that also announces the switch means it is genuine */
	bcn = rcu_dereference_protected(known->pub.beacon_ies,
					lockdep_is_held(&rdev->bss_lock));
	if (bcn &&
	    cfg80211_find_elem(WLAN_EID_EXT_CHANSWITCH_ANN,
			       bcn->data, bcn->len))
		return;

	/* both announcements must be well-formed and byte-identical */
	if (elem_new->datalen != elem_old->datalen ||
	    elem_new->datalen < sizeof(struct ieee80211_ext_chansw_ie) ||
	    memcmp(elem_new->data, elem_old->data, elem_new->datalen))
		return;

	ecsa = (const void *)elem_new->data;
	if (!ecsa->mode)
		return;

	if (ecsa->new_ch_num ==
	    ieee80211_frequency_to_channel(known->pub.channel->center_freq))
		known->pub.proberesp_ecsa_stuck = 1;
}
/*
 * cfg80211_update_known_bss - merge a freshly received BSS into an existing
 *	entry
 * @rdev: registered device; bss_lock must be held (asserted)
 * @known: the entry already present in rdev's tree and list
 * @new: the caller's temporary built from the received frame
 * @signal_valid: false when the frame was heard on an adjacent channel; the
 *	signal strength is then left untouched
 *
 * @new's probe-response and/or beacon IE buffers are moved into @known (the
 * buffers they replace are released with kfree_rcu) and the scalar fields
 * are copied over.
 *
 * Returns false when the beacon update is refused because @known is a
 * probe-response member of a hidden-SSID group (see the comment in the
 * body); @new's beacon IEs are freed here in that case unless @new already
 * references a hidden beacon BSS, and __cfg80211_bss_update() then returns
 * NULL to its caller.
 */
static bool
cfg80211_update_known_bss(struct cfg80211_registered_device *rdev,
			  struct cfg80211_internal_bss *known,
			  struct cfg80211_internal_bss *new,
			  bool signal_valid)
{
	lockdep_assert_held(&rdev->bss_lock);

	/* Update time stamps */
	known->ts = new->ts;
	known->pub.ts_boottime = new->pub.ts_boottime;

	/* Update IEs */
	if (rcu_access_pointer(new->pub.proberesp_ies)) {
		const struct cfg80211_bss_ies *old;

		old = rcu_access_pointer(known->pub.proberesp_ies);

		rcu_assign_pointer(known->pub.proberesp_ies,
				   new->pub.proberesp_ies);
		/* Override possible earlier Beacon frame IEs */
		rcu_assign_pointer(known->pub.ies,
				   new->pub.proberesp_ies);
		if (old) {
			/* compare against the previous response before it goes away */
			cfg80211_check_stuck_ecsa(rdev, known, old);
			kfree_rcu((struct cfg80211_bss_ies *)old, rcu_head);
		}
	}

	if (rcu_access_pointer(new->pub.beacon_ies)) {
		const struct cfg80211_bss_ies *old;

		if (known->pub.hidden_beacon_bss &&
		    !list_empty(&known->hidden_list)) {
			const struct cfg80211_bss_ies *f;

			/* The known BSS struct is one of the probe
			 * response members of a group, but we're
			 * receiving a beacon (beacon_ies in the new
			 * bss is used). This can only mean that the
			 * AP changed its beacon from not having an
			 * SSID to showing it, which is confusing so
			 * drop this information.
			 */

			f = rcu_access_pointer(new->pub.beacon_ies);
			/* the IEs are only ours to free if they are not shared */
			if (!new->pub.hidden_beacon_bss)
				kfree_rcu((struct cfg80211_bss_ies *)f, rcu_head);
			return false;
		}

		old = rcu_access_pointer(known->pub.beacon_ies);

		rcu_assign_pointer(known->pub.beacon_ies, new->pub.beacon_ies);

		/* Override IEs if they were from a beacon before */
		if (old == rcu_access_pointer(known->pub.ies))
			rcu_assign_pointer(known->pub.ies, new->pub.beacon_ies);

		/* group members must be switched before the old IEs are freed */
		cfg80211_update_hidden_bsses(known,
					     rcu_access_pointer(new->pub.beacon_ies),
					     old);

		if (old)
			kfree_rcu((struct cfg80211_bss_ies *)old, rcu_head);
	}

	known->pub.beacon_interval = new->pub.beacon_interval;

	/* don't update the signal if beacon was heard on
	 * adjacent channel.
	 */
	if (signal_valid)
		known->pub.signal = new->pub.signal;
	known->pub.capability = new->pub.capability;
	known->parent_tsf = new->parent_tsf;
	known->pub.chains = new->pub.chains;
	memcpy(known->pub.chain_signal, new->pub.chain_signal,
	       IEEE80211_MAX_CHAINS);
	ether_addr_copy(known->parent_bssid, new->parent_bssid);
	known->pub.max_bssid_indicator = new->pub.max_bssid_indicator;
	known->pub.bssid_index = new->pub.bssid_index;
	known->pub.use_for = new->pub.use_for;
	known->pub.cannot_use_reasons = new->pub.cannot_use_reasons;
	known->bss_source = new->bss_source;

	return true;
}
/* Returned bss is reference counted and must be cleaned up appropriately. */
/*
 * __cfg80211_bss_update - insert a new BSS entry or update an existing one
 * @rdev: registered device; bss_lock must be held by the caller
 * @tmp: caller-built temporary (normally on the stack, see the comment in
 *	the body).  Its beacon_ies/proberesp_ies are consumed: they end up in
 *	the stored entry, or are released with kfree_rcu on the early-failure
 *	paths (free_ies label)
 * @signal_valid: forwarded to cfg80211_update_known_bss()
 * @ts: timestamp (jiffies) recorded on the entry
 *
 * Returns the stored entry with one reference taken for the caller, or NULL
 * when nothing was stored: missing channel or IEs, allocation failure, a
 * refused update of a hidden-SSID group member, or the bss_entries_limit
 * being reached with no entry old enough to expire.
 */
static struct cfg80211_internal_bss *
__cfg80211_bss_update(struct cfg80211_registered_device *rdev,
		      struct cfg80211_internal_bss *tmp,
		      bool signal_valid, unsigned long ts)
{
	struct cfg80211_internal_bss *found = NULL;
	struct cfg80211_bss_ies *ies;

	if (WARN_ON(!tmp->pub.channel))
		goto free_ies;

	tmp->ts = ts;

	if (WARN_ON(!rcu_access_pointer(tmp->pub.ies)))
		goto free_ies;

	found = rb_find_bss(rdev, tmp, BSS_CMP_REGULAR);

	if (found) {
		if (!cfg80211_update_known_bss(rdev, found, tmp, signal_valid))
			return NULL;
	} else {
		struct cfg80211_internal_bss *new;
		struct cfg80211_internal_bss *hidden;

		/*
		 * create a copy -- the "res" variable that is passed in
		 * is allocated on the stack since it's not needed in the
		 * more common case of an update
		 */
		new = kzalloc(sizeof(*new) + rdev->wiphy.bss_priv_size,
			      GFP_ATOMIC);
		if (!new)
			goto free_ies;
		memcpy(new, tmp, sizeof(*new));
		new->refcount = 1;
		INIT_LIST_HEAD(&new->hidden_list);
		INIT_LIST_HEAD(&new->pub.nontrans_list);
		/* we'll set this later if it was non-NULL */
		new->pub.transmitted_bss = NULL;

		if (rcu_access_pointer(tmp->pub.proberesp_ies)) {
			/*
			 * A probe response: look for a hidden-SSID beacon entry
			 * (zero-length SSID first, then all-NUL SSID) to join.
			 */
			hidden = rb_find_bss(rdev, tmp, BSS_CMP_HIDE_ZLEN);
			if (!hidden)
				hidden = rb_find_bss(rdev, tmp,
						     BSS_CMP_HIDE_NUL);
			if (hidden) {
				new->pub.hidden_beacon_bss = &hidden->pub;
				list_add(&new->hidden_list,
					 &hidden->hidden_list);
				hidden->refcount++;
				/* share the group's beacon IEs, drop our own copy */
				ies = (void *)rcu_access_pointer(new->pub.beacon_ies);
				rcu_assign_pointer(new->pub.beacon_ies,
						   hidden->pub.beacon_ies);
				if (ies)
					kfree_rcu(ies, rcu_head);
			}
		} else {
			/*
			 * Ok so we found a beacon, and don't have an entry. If
			 * it's a beacon with hidden SSID, we might be in for an
			 * expensive search for any probe responses that should
			 * be grouped with this beacon for updates ...
			 */
			if (!cfg80211_combine_bsses(rdev, new)) {
				bss_ref_put(rdev, new);
				return NULL;
			}
		}

		/* make room if the table is full; give up if nothing can expire */
		if (rdev->bss_entries >= bss_entries_limit &&
		    !cfg80211_bss_expire_oldest(rdev)) {
			bss_ref_put(rdev, new);
			return NULL;
		}

		/* This must be before the call to bss_ref_get */
		if (tmp->pub.transmitted_bss) {
			new->pub.transmitted_bss = tmp->pub.transmitted_bss;
			bss_ref_get(rdev, bss_from_pub(tmp->pub.transmitted_bss));
		}

		cfg80211_insert_bss(rdev, new);
		found = new;
	}

	rdev->bss_generation++;
	bss_ref_get(rdev, found);

	return found;

free_ies:
	ies = (void *)rcu_access_pointer(tmp->pub.beacon_ies);
	if (ies)
		kfree_rcu(ies, rcu_head);
	ies = (void *)rcu_access_pointer(tmp->pub.proberesp_ies);
	if (ies)
		kfree_rcu(ies, rcu_head);

	return NULL;
}
/*
 * cfg80211_bss_update - locked wrapper around __cfg80211_bss_update()
 * @rdev: registered device
 * @tmp: caller-built temporary, consumed as described for the inner function
 * @signal_valid: forwarded unchanged
 * @ts: forwarded unchanged
 *
 * Returns the referenced entry, or NULL when nothing was stored.
 */
struct cfg80211_internal_bss *
cfg80211_bss_update(struct cfg80211_registered_device *rdev,
		    struct cfg80211_internal_bss *tmp,
		    bool signal_valid, unsigned long ts)
{
	struct cfg80211_internal_bss *result;

	spin_lock_bh(&rdev->bss_lock);
	result = __cfg80211_bss_update(rdev, tmp, signal_valid, ts);
	spin_unlock_bh(&rdev->bss_lock);

	return result;
}
/*
 * cfg80211_get_ies_channel_number - extract the operating channel number
 *	from a frame's elements
 * @ie: element buffer
 * @ielen: length of @ie
 * @band: band the frame was received on; selects which element is consulted
 *	(HE Operation on 6 GHz, S1G Operation on S1G, DS Parameter Set then
 *	HT Operation elsewhere)
 *
 * Returns the channel number, or -1 when no usable element is present.
 */
int cfg80211_get_ies_channel_number(const u8 *ie, size_t ielen,
				    enum nl80211_band band)
{
	const struct element *elem;

	switch (band) {
	case NL80211_BAND_6GHZ: {
		const struct ieee80211_he_6ghz_oper *oper_6ghz;
		struct ieee80211_he_operation *he_oper;

		elem = cfg80211_find_ext_elem(WLAN_EID_EXT_HE_OPERATION, ie,
					      ielen);
		/*
		 * NOTE(review): cfg80211_get_6ghz_power_type() checks the same
		 * element against sizeof(*he_oper) + 1 (the leading byte is the
		 * element ID extension); this check has no + 1 -- confirm that
		 * ieee80211_he_oper_size() accounts for it.
		 */
		if (!elem || elem->datalen < sizeof(*he_oper) ||
		    elem->datalen < ieee80211_he_oper_size(&elem->data[1]))
			break;

		he_oper = (void *)&elem->data[1];
		oper_6ghz = ieee80211_he_6ghz_oper(he_oper);
		return oper_6ghz ? oper_6ghz->primary : -1;
	}
	case NL80211_BAND_S1GHZ:
		elem = cfg80211_find_elem(WLAN_EID_S1G_OPERATION, ie, ielen);
		if (elem &&
		    elem->datalen >= sizeof(struct ieee80211_s1g_oper_ie)) {
			const struct ieee80211_s1g_oper_ie *s1gop =
				(const void *)elem->data;

			return s1gop->oper_ch;
		}
		break;
	default:
		elem = cfg80211_find_elem(WLAN_EID_DS_PARAMS, ie, ielen);
		if (elem && elem->datalen == 1)
			return elem->data[0];

		elem = cfg80211_find_elem(WLAN_EID_HT_OPERATION, ie, ielen);
		if (elem &&
		    elem->datalen >= sizeof(struct ieee80211_ht_operation)) {
			const struct ieee80211_ht_operation *htop =
				(const void *)elem->data;

			return htop->primary_chan;
		}
		break;
	}

	return -1;
}
EXPORT_SYMBOL(cfg80211_get_ies_channel_number);
/*
 * Update RX channel information based on the available frame payload
 * information. This is mainly for the 2.4 GHz band where frames can be received
 * from neighboring channels and the Beacon frames use the DSSS Parameter Set
 * element to indicate the current (transmitting) channel, but this might also
 * be needed on other bands if RX frequency does not match with the actual
 * operating channel of a BSS, or if the AP reports a different primary channel.
 *
 * Returns @channel when the payload carries no (or the same) channel, the
 * channel named by the payload when the wiphy knows it and it is enabled,
 * and NULL when the BSS must be dropped: an unknown payload channel on
 * 2.4 or 6 GHz, or a payload channel that is disabled.
 */
static struct ieee80211_channel *
cfg80211_get_bss_channel(struct wiphy *wiphy, const u8 *ie, size_t ielen,
			 struct ieee80211_channel *channel)
{
	struct ieee80211_channel *payload_chan;
	int chan_num;
	u32 freq_khz;

	chan_num = cfg80211_get_ies_channel_number(ie, ielen, channel->band);
	if (chan_num < 0) {
		/* No channel information in frame payload */
		return channel;
	}

	freq_khz = ieee80211_channel_to_freq_khz(chan_num, channel->band);
	/* payload agrees with the RX channel: nothing to correct */
	if (freq_khz == ieee80211_channel_to_khz(channel))
		return channel;

	payload_chan = ieee80211_get_channel_khz(wiphy, freq_khz);
	if (!payload_chan) {
		/*
		 * Better not allow unexpected channels when that could
		 * be going beyond the 1-11 range (e.g., discovering
		 * BSS on channel 12 when radio is configured for
		 * channel 11) or beyond the 6 GHz channel range.
		 * On other bands an unknown payload channel is ignored.
		 */
		bool strict = channel->band == NL80211_BAND_2GHZ ||
			      channel->band == NL80211_BAND_6GHZ;

		return strict ? NULL : channel;
	}

	/* prefer the payload channel over the driver-reported RX channel */
	if (payload_chan->flags & IEEE80211_CHAN_DISABLED)
		return NULL;

	return payload_chan;
}
/*
 * Everything cfg80211_inform_single_bss_data() needs to describe one BSS.
 * For BSS_SOURCE_MBSSID and BSS_SOURCE_STA_PROFILE entries the timestamp and
 * the MBSSID fields come from @source_bss rather than from a received frame.
 */
struct cfg80211_inform_single_bss_data {
	struct cfg80211_inform_bss *drv_data;	/* driver-reported RX metadata */

	enum cfg80211_bss_frame_type ftype;	/* beacon / probe resp / unknown */
	struct ieee80211_channel *channel;	/* NULL: derived from drv_data->chan
						 * and the payload channel number */
	u8 bssid[ETH_ALEN];
	u64 tsf;
	u16 capability;
	u16 beacon_interval;
	const u8 *ie;
	size_t ielen;

	enum bss_source_type bss_source;
	/* Set if reporting bss_source != BSS_SOURCE_DIRECT */
	struct cfg80211_bss *source_bss;
	u8 max_bssid_indicator;	/* MBSSID: MaxBSSID Indicator of the element */
	u8 bssid_index;		/* MBSSID: Multiple BSSID-Index of the profile */

	u8 use_for;
	u64 cannot_use_reasons;	/* NL80211_BSS_CANNOT_USE_* bits */
};
/*
 * cfg80211_get_6ghz_power_type - read the AP regulatory power type from the
 *	HE Operation element's 6 GHz Operation Information
 * @elems: element buffer
 * @elems_len: length of @elems
 * @client_flags: channel flags handed to cfg80211_6ghz_power_type()
 *
 * Returns IEEE80211_REG_UNSET_AP when the element is missing, too short, or
 * carries no 6 GHz operation information.
 */
enum ieee80211_ap_reg_power
cfg80211_get_6ghz_power_type(const u8 *elems, size_t elems_len,
			     u32 client_flags)
{
	const struct ieee80211_he_6ghz_oper *oper_6ghz;
	struct ieee80211_he_operation *he_oper;
	const struct element *he_elem;

	he_elem = cfg80211_find_ext_elem(WLAN_EID_EXT_HE_OPERATION,
					 elems, elems_len);
	if (!he_elem)
		return IEEE80211_REG_UNSET_AP;

	/* data[0] is the element ID extension, the operation starts at data[1] */
	if (he_elem->datalen < sizeof(*he_oper) + 1)
		return IEEE80211_REG_UNSET_AP;
	if (he_elem->datalen < ieee80211_he_oper_size(he_elem->data + 1))
		return IEEE80211_REG_UNSET_AP;

	he_oper = (void *)&he_elem->data[1];
	oper_6ghz = ieee80211_he_6ghz_oper(he_oper);
	if (!oper_6ghz)
		return IEEE80211_REG_UNSET_AP;

	return cfg80211_6ghz_power_type(oper_6ghz->control, client_flags);
}
/*
 * cfg80211_6ghz_power_type_valid - may a client use an AP of this power type?
 * @elems: element buffer of the AP's frame
 * @elems_len: length of @elems
 * @flags: channel flags; the NO_6GHZ_*_CLIENT bits veto SP and VLP APs
 *
 * LPI APs are always acceptable; SP and VLP APs only when the channel does
 * not forbid the corresponding client operation; anything else (including
 * an unset power type) is rejected.
 */
static bool cfg80211_6ghz_power_type_valid(const u8 *elems, size_t elems_len,
					   const u32 flags)
{
	enum ieee80211_ap_reg_power power_type =
		cfg80211_get_6ghz_power_type(elems, elems_len, flags);

	if (power_type == IEEE80211_REG_LPI_AP)
		return true;
	if (power_type == IEEE80211_REG_SP_AP)
		return !(flags & IEEE80211_CHAN_NO_6GHZ_AFC_CLIENT);
	if (power_type == IEEE80211_REG_VLP_AP)
		return !(flags & IEEE80211_CHAN_NO_6GHZ_VLP_CLIENT);

	return false;
}
/* Returned bss is reference counted and must be cleaned up appropriately. */
/*
 * cfg80211_inform_single_bss_data - turn one described BSS into a stored entry
 * @wiphy: the reporting wiphy
 * @data: description of the BSS; for MBSSID entries the use_for /
 *	cannot_use_reasons fields may be rewritten here on a 6 GHz power-type
 *	mismatch
 * @gfp: allocation flags for the IE copy and regulatory hint
 *
 * Builds a stack temporary, copies the elements into a freshly allocated
 * cfg80211_bss_ies (attached as beacon or probe-response IEs according to
 * @data->ftype) and hands it to __cfg80211_bss_update() under bss_lock.
 * Nontransmitted (MBSSID) entries are additionally linked to their
 * transmitting BSS; if that fails the entry is unlinked again.
 *
 * Returns the referenced public BSS, or NULL when the input is rejected
 * (WARN_ON checks, no usable channel) or the entry could not be stored.
 */
static struct cfg80211_bss *
cfg80211_inform_single_bss_data(struct wiphy *wiphy,
				struct cfg80211_inform_single_bss_data *data,
				gfp_t gfp)
{
	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
	struct cfg80211_inform_bss *drv_data = data->drv_data;
	struct cfg80211_bss_ies *ies;
	struct ieee80211_channel *channel;
	struct cfg80211_internal_bss tmp = {}, *res;
	int bss_type;
	bool signal_valid;
	unsigned long ts;

	if (WARN_ON(!wiphy))
		return NULL;

	/* unspecified signal type means a percentage, which must be 0..100 */
	if (WARN_ON(wiphy->signal_type == CFG80211_SIGNAL_TYPE_UNSPEC &&
		    (drv_data->signal < 0 || drv_data->signal > 100)))
		return NULL;

	if (WARN_ON(data->bss_source != BSS_SOURCE_DIRECT && !data->source_bss))
		return NULL;

	channel = data->channel;
	if (!channel)
		channel = cfg80211_get_bss_channel(wiphy, data->ie, data->ielen,
						   drv_data->chan);
	if (!channel)
		return NULL;

	/* keep the entry but mark it unusable if its power type is not allowed */
	if (channel->band == NL80211_BAND_6GHZ &&
	    !cfg80211_6ghz_power_type_valid(data->ie, data->ielen,
					    channel->flags)) {
		data->use_for = 0;
		data->cannot_use_reasons =
			NL80211_BSS_CANNOT_USE_6GHZ_PWR_MISMATCH;
	}

	memcpy(tmp.pub.bssid, data->bssid, ETH_ALEN);
	tmp.pub.channel = channel;
	/* a per-STA profile carries no measured signal of its own */
	if (data->bss_source != BSS_SOURCE_STA_PROFILE)
		tmp.pub.signal = drv_data->signal;
	else
		tmp.pub.signal = 0;
	tmp.pub.beacon_interval = data->beacon_interval;
	tmp.pub.capability = data->capability;
	tmp.pub.ts_boottime = drv_data->boottime_ns;
	tmp.parent_tsf = drv_data->parent_tsf;
	ether_addr_copy(tmp.parent_bssid, drv_data->parent_bssid);
	tmp.pub.chains = drv_data->chains;
	memcpy(tmp.pub.chain_signal, drv_data->chain_signal,
	       IEEE80211_MAX_CHAINS);
	tmp.pub.use_for = data->use_for;
	tmp.pub.cannot_use_reasons = data->cannot_use_reasons;
	tmp.bss_source = data->bss_source;

	switch (data->bss_source) {
	case BSS_SOURCE_MBSSID:
		tmp.pub.transmitted_bss = data->source_bss;
		fallthrough;
	case BSS_SOURCE_STA_PROFILE:
		/* derived entries inherit the source entry's timestamp */
		ts = bss_from_pub(data->source_bss)->ts;
		tmp.pub.bssid_index = data->bssid_index;
		tmp.pub.max_bssid_indicator = data->max_bssid_indicator;
		break;
	case BSS_SOURCE_DIRECT:
		ts = jiffies;

		/* only AP-like BSSes count as evidence for regulatory hints */
		if (channel->band == NL80211_BAND_60GHZ) {
			bss_type = data->capability &
				   WLAN_CAPABILITY_DMG_TYPE_MASK;
			if (bss_type == WLAN_CAPABILITY_DMG_TYPE_AP ||
			    bss_type == WLAN_CAPABILITY_DMG_TYPE_PBSS)
				regulatory_hint_found_beacon(wiphy, channel,
							     gfp);
		} else {
			if (data->capability & WLAN_CAPABILITY_ESS)
				regulatory_hint_found_beacon(wiphy, channel,
							     gfp);
		}

		break;
	}

	/*
	 * If we do not know here whether the IEs are from a Beacon or Probe
	 * Response frame, we need to pick one of the options and only use it
	 * with the driver that does not provide the full Beacon/Probe Response
	 * frame. Use Beacon frame pointer to avoid indicating that this should
	 * override the IEs pointer should we have received an earlier
	 * indication of Probe Response data.
	 */
	ies = kzalloc(sizeof(*ies) + data->ielen, gfp);
	if (!ies)
		return NULL;
	ies->len = data->ielen;
	ies->tsf = data->tsf;
	ies->from_beacon = false;
	memcpy(ies->data, data->ie, data->ielen);

	switch (data->ftype) {
	case CFG80211_BSS_FTYPE_BEACON:
	case CFG80211_BSS_FTYPE_S1G_BEACON:
		ies->from_beacon = true;
		fallthrough;
	case CFG80211_BSS_FTYPE_UNKNOWN:
		rcu_assign_pointer(tmp.pub.beacon_ies, ies);
		break;
	case CFG80211_BSS_FTYPE_PRESP:
		rcu_assign_pointer(tmp.pub.proberesp_ies, ies);
		break;
	}
	rcu_assign_pointer(tmp.pub.ies, ies);

	/* the signal is only trusted when heard on the channel we settled on */
	signal_valid = drv_data->chan == channel;
	spin_lock_bh(&rdev->bss_lock);
	res = __cfg80211_bss_update(rdev, &tmp, signal_valid, ts);
	if (!res)
		goto drop;

	rdev_inform_bss(rdev, &res->pub, ies, drv_data->drv_data);

	if (data->bss_source == BSS_SOURCE_MBSSID) {
		/* this is a nontransmitting bss, we need to add it to
		 * transmitting bss' list if it is not there
		 */
		if (cfg80211_add_nontrans_list(data->source_bss, &res->pub)) {
			if (__cfg80211_unlink_bss(rdev, res)) {
				rdev->bss_generation++;
				res = NULL;
			}
		}

		if (!res)
			goto drop;
	}

	spin_unlock_bh(&rdev->bss_lock);

	trace_cfg80211_return_bss(&res->pub);
	/* __cfg80211_bss_update gives us a referenced result */
	return &res->pub;

drop:
	spin_unlock_bh(&rdev->bss_lock);
	return NULL;
}
/*
 * cfg80211_get_profile_continuation - find the Multiple BSSID element that
 *	continues a nontransmitted BSSID profile
 * @ie: the full element buffer
 * @ielen: length of @ie
 * @mbssid_elem: the Multiple BSSID element holding @sub_elem
 * @sub_elem: the profile subelement that may be continued
 *
 * A profile continues only if @sub_elem is the last subelement of
 * @mbssid_elem and the next Multiple BSSID element's first subelement is a
 * well-formed profile subelement that does not start a new profile (i.e.
 * does not begin with a Nontransmitted BSSID Capability element).
 *
 * Returns that next Multiple BSSID element, or NULL when the profile is
 * complete or the continuation is malformed.
 */
static const struct element
*cfg80211_get_profile_continuation(const u8 *ie, size_t ielen,
				   const struct element *mbssid_elem,
				   const struct element *sub_elem)
{
	const u8 *cur_end = mbssid_elem->data + mbssid_elem->datalen;
	const u8 *sub_end = sub_elem->data + sub_elem->datalen;
	const struct element *next_mbssid, *first_sub;

	next_mbssid = cfg80211_find_elem(WLAN_EID_MULTIPLE_BSSID,
					 cur_end,
					 ielen - (cur_end - ie));
	if (!next_mbssid)
		return NULL;

	/* not the last subelement of the current element: profile is complete */
	if (sub_end < cur_end - 1)
		return NULL;

	/* For any length error, just return NULL */
	if (next_mbssid->datalen < 4)
		return NULL;

	first_sub = (const void *)&next_mbssid->data[1];
	if (first_sub->data + first_sub->datalen >
	    next_mbssid->data + next_mbssid->datalen)
		return NULL;

	if (first_sub->id != 0 || first_sub->datalen < 2)
		return NULL;

	/* a profile subelement starting with the capability element is a new profile */
	if (first_sub->data[0] == WLAN_EID_NON_TX_BSSID_CAP)
		return NULL;

	return next_mbssid;
}
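/**
 * cfg80211_merge_profile - assemble a nontransmitted BSSID profile that may
 *	be split across consecutive Multiple BSSID elements
 * @ie: the full element buffer
 * @ielen: length of @ie
 * @mbssid_elem: the Multiple BSSID element holding @sub_elem
 * @sub_elem: the first subelement of the profile
 * @merged_ie: output buffer for the concatenated profile data
 * @max_copy_len: size of @merged_ie
 *
 * Copies @sub_elem's data and then every continuation subelement reported by
 * cfg80211_get_profile_continuation(), following the chain from one Multiple
 * BSSID element to the next.  Stops at the first continuation that would not
 * fit into @merged_ie.
 *
 * Returns the number of bytes written to @merged_ie, or 0 when even the
 * first subelement does not fit.
 */
size_t cfg80211_merge_profile(const u8 *ie, size_t ielen,
			      const struct element *mbssid_elem,
			      const struct element *sub_elem,
			      u8 *merged_ie, size_t max_copy_len)
{
	size_t copied_len = sub_elem->datalen;
	const struct element *next_mbssid;

	if (sub_elem->datalen > max_copy_len)
		return 0;

	memcpy(merged_ie, sub_elem->data, sub_elem->datalen);

	while ((next_mbssid = cfg80211_get_profile_continuation(ie, ielen,
								mbssid_elem,
								sub_elem))) {
		const struct element *next_sub = (void *)&next_mbssid->data[1];

		if (copied_len + next_sub->datalen > max_copy_len)
			break;
		memcpy(merged_ie + copied_len, next_sub->data,
		       next_sub->datalen);
		copied_len += next_sub->datalen;

		/*
		 * Advance to the continuation just consumed so the next lookup
		 * starts from it.  Without this the lookup keeps returning the
		 * same continuation and its data is appended repeatedly until
		 * the buffer limit stops the loop.
		 */
		mbssid_elem = next_mbssid;
		sub_elem = next_sub;
	}

	return copied_len;
}
EXPORT_SYMBOL(cfg80211_merge_profile);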
/*
 * cfg80211_parse_mbssid_data - report every nontransmitted BSS described by
 *	the Multiple BSSID elements of a transmitting BSS's frame
 * @wiphy: the reporting wiphy (must support MBSSID, see below)
 * @tx_data: the transmitting BSS's frame description; its drv_data, ftype,
 *	tsf, beacon interval, use_for and cannot_use_reasons are inherited
 *	by every nontransmitted entry
 * @source_bss: the already stored transmitting BSS the entries hang off
 * @gfp: allocation flags
 *
 * Two scratch buffers are allocated: @profile (sized like the frame) for the
 * merged profile subelement and @new_ie (IEEE80211_MAX_DATA_LEN) for the
 * generated element set.  Each valid profile is validated (leading
 * Nontransmitted BSSID Capability element, usable Multiple BSSID-Index),
 * turned into its own BSSID and element set, and reported through
 * cfg80211_inform_single_bss_data(); the returned reference is dropped right
 * away.  The first report that fails stops processing of the remaining
 * subelements of that Multiple BSSID element.
 */
static void
cfg80211_parse_mbssid_data(struct wiphy *wiphy,
			   struct cfg80211_inform_single_bss_data *tx_data,
			   struct cfg80211_bss *source_bss,
			   gfp_t gfp)
{
	struct cfg80211_inform_single_bss_data data = {
		.drv_data = tx_data->drv_data,
		.ftype = tx_data->ftype,
		.tsf = tx_data->tsf,
		.beacon_interval = tx_data->beacon_interval,
		.source_bss = source_bss,
		.bss_source = BSS_SOURCE_MBSSID,
		.use_for = tx_data->use_for,
		.cannot_use_reasons = tx_data->cannot_use_reasons,
	};
	const u8 *mbssid_index_ie;
	const struct element *elem, *sub;
	u8 *new_ie, *profile;
	u64 seen_indices = 0;
	struct cfg80211_bss *bss;

	if (!source_bss)
		return;
	if (!cfg80211_find_elem(WLAN_EID_MULTIPLE_BSSID,
				tx_data->ie, tx_data->ielen))
		return;
	if (!wiphy->support_mbssid)
		return;
	/* some drivers only handle MBSSID from HE-capable APs */
	if (wiphy->support_only_he_mbssid &&
	    !cfg80211_find_ext_elem(WLAN_EID_EXT_HE_CAPABILITY,
				    tx_data->ie, tx_data->ielen))
		return;

	new_ie = kmalloc(IEEE80211_MAX_DATA_LEN, gfp);
	if (!new_ie)
		return;

	/* a merged profile can never exceed the frame it was cut from */
	profile = kmalloc(tx_data->ielen, gfp);
	if (!profile)
		goto out;

	for_each_element_id(elem, WLAN_EID_MULTIPLE_BSSID,
			    tx_data->ie, tx_data->ielen) {
		if (elem->datalen < 4)
			continue;
		/* data[0] is the MaxBSSID Indicator; only 1..8 is accepted */
		if (elem->data[0] < 1 || (int)elem->data[0] > 8)
			continue;
		for_each_element(sub, elem->data + 1, elem->datalen - 1) {
			u8 profile_len;

			if (sub->id != 0 || sub->datalen < 4) {
				/* not a valid BSS profile */
				continue;
			}

			if (sub->data[0] != WLAN_EID_NON_TX_BSSID_CAP ||
			    sub->data[1] != 2) {
				/* The first element within the Nontransmitted
				 * BSSID Profile is not the Nontransmitted
				 * BSSID Capability element.
				 */
				continue;
			}

			memset(profile, 0, tx_data->ielen);
			profile_len = cfg80211_merge_profile(tx_data->ie,
							     tx_data->ielen,
							     elem,
							     sub,
							     profile,
							     tx_data->ielen);

			/* found a Nontransmitted BSSID Profile */
			mbssid_index_ie = cfg80211_find_ie
				(WLAN_EID_MULTI_BSSID_IDX,
				 profile, profile_len);
			/*
			 * the index must be non-zero, within the fixed cap of
			 * 46 and below 2^MaxBSSID-Indicator
			 */
			if (!mbssid_index_ie || mbssid_index_ie[1] < 1 ||
			    mbssid_index_ie[2] == 0 ||
			    mbssid_index_ie[2] > 46 ||
			    mbssid_index_ie[2] >= (1 << elem->data[0])) {
				/* No valid Multiple BSSID-Index element */
				continue;
			}

			if (seen_indices & BIT_ULL(mbssid_index_ie[2]))
				/* We don't support legacy split of a profile */
				net_dbg_ratelimited("Partial info for BSSID index %d\n",
						    mbssid_index_ie[2]);

			seen_indices |= BIT_ULL(mbssid_index_ie[2]);

			data.bssid_index = mbssid_index_ie[2];
			data.max_bssid_indicator = elem->data[0];

			/* the nontransmitted BSSID is derived, not carried in the frame */
			cfg80211_gen_new_bssid(tx_data->bssid,
					       data.max_bssid_indicator,
					       data.bssid_index,
					       data.bssid);

			memset(new_ie, 0, IEEE80211_MAX_DATA_LEN);
			data.ie = new_ie;
			data.ielen = cfg80211_gen_new_ie(tx_data->ie,
							 tx_data->ielen,
							 profile,
							 profile_len,
							 new_ie,
							 IEEE80211_MAX_DATA_LEN);
			if (!data.ielen)
				continue;

			/* capability field of the Nontransmitted BSSID Capability element */
			data.capability = get_unaligned_le16(profile + 2);

			bss = cfg80211_inform_single_bss_data(wiphy, &data, gfp);
			if (!bss)
				break;
			cfg80211_put_bss(wiphy, bss);
		}
	}

out:
	kfree(new_ie);
	kfree(profile);
}
/**
 * cfg80211_defragment_element - reassemble a possibly fragmented element
 * @elem: the leading element; it is not bounds-checked here and must lie
 *	within @ies
 * @ies: element buffer in which the fragments are searched
 * @ieslen: length of @ies
 * @data: output buffer, or NULL to only compute the reassembled length
 * @data_len: size of @data (ignored when @data is NULL)
 * @frag_id: element ID that marks a fragment of @elem
 *
 * Copies @elem's payload (without the ID extension byte for
 * WLAN_EID_EXTENSION) and then, if @elem is full-size (255 bytes), appends
 * each directly following element with ID @frag_id until a fragment shorter
 * than 255 bytes ends the chain.  Every fragment header and payload is
 * checked against the end of @ies before it is read.
 *
 * memmove() is used because the destination may overlap @ies (the comments
 * below note that @elem may be invalid after the copy), so the next fragment
 * pointer is computed before each copy.
 *
 * NOTE(review): for a WLAN_EID_EXTENSION element with datalen 0 the
 * computed length is -1, which the size comparison treats as huge;
 * presumably callers only pass elements with datalen >= 1 -- confirm.
 *
 * Returns the number of bytes written (or that would be written), -EINVAL
 * for a NULL @elem, or -ENOSPC when @data is too small.
 */
ssize_t cfg80211_defragment_element(const struct element *elem, const u8 *ies,
				    size_t ieslen, u8 *data, size_t data_len,
				    u8 frag_id)
{
	const struct element *next;
	ssize_t copied;
	u8 elem_datalen;

	if (!elem)
		return -EINVAL;

	/* elem might be invalid after the memmove */
	next = (void *)(elem->data + elem->datalen);
	elem_datalen = elem->datalen;

	if (elem->id == WLAN_EID_EXTENSION) {
		/* skip the element ID extension byte */
		copied = elem->datalen - 1;

		if (data) {
			if (copied > data_len)
				return -ENOSPC;

			memmove(data, elem->data + 1, copied);
		}
	} else {
		copied = elem->datalen;

		if (data) {
			if (copied > data_len)
				return -ENOSPC;

			memmove(data, elem->data, copied);
		}
	}

	/* Fragmented elements must have 255 bytes */
	if (elem_datalen < 255)
		return copied;

	/* the header and the payload of each fragment must fit inside @ies */
	for (elem = next;
	     elem->data < ies + ieslen &&
	     elem->data + elem->datalen <= ies + ieslen;
	     elem = next) {
		/* elem might be invalid after the memmove */
		next = (void *)(elem->data + elem->datalen);

		if (elem->id != frag_id)
			break;

		elem_datalen = elem->datalen;

		if (data) {
			if (copied + elem_datalen > data_len)
				return -ENOSPC;

			memmove(data + copied, elem->data, elem_datalen);
		}

		copied += elem_datalen;

		/* Only the last fragment may be short */
		if (elem_datalen != 255)
			break;
	}

	return copied;
}
EXPORT_SYMBOL(cfg80211_defragment_element);
/*
 * struct cfg80211_mle - a defragmented Multi-Link element together with the
 * location of its per-STA profile sub-elements, built by cfg80211_defrag_mle()
 * @mle: the ML element body (points into @data)
 * @sta_prof: per-STA profile sub-element bodies in element order, pointing
 *	into @data; entries after the last profile stay NULL (the buffer is
 *	zero-allocated), which is what the users' loops stop on
 * @sta_prof_len: length of each @sta_prof entry, after defragmentation
 * @data: storage holding the defragmented element
 */
struct cfg80211_mle {
	struct ieee80211_multi_link_elem *mle;
	struct ieee80211_mle_per_sta_profile
		*sta_prof[IEEE80211_MLD_MAX_NUM_LINKS];
	ssize_t sta_prof_len[IEEE80211_MLD_MAX_NUM_LINKS];

	u8 data[];
};
/*
 * cfg80211_defrag_mle - copy a Multi-Link element into a private buffer,
 * defragment it, then find and defragment its per-STA profile sub-elements
 * @mle: the (first fragment of the) Multi-Link extension element
 * @ie: the element buffer @mle lives in; following fragment elements are
 *	looked up there
 * @ielen: length of @ie
 * @gfp: allocation flags
 *
 * Returns a kzalloc'ed struct cfg80211_mle which the caller frees with
 * kfree(), or NULL when @mle is NULL or fails ieee80211_mle_size_ok(), when
 * allocation fails, when the sub-element area is not a clean element
 * sequence, or when a per-STA profile cannot be defragmented.
 */
static struct cfg80211_mle *
cfg80211_defrag_mle(const struct element *mle, const u8 *ie, size_t ielen,
		    gfp_t gfp)
{
	const struct element *elem;
	struct cfg80211_mle *res;
	size_t buf_len;
	ssize_t mle_len;
	u8 common_size, idx;

	/* mle->data[0] is the extension ID, the ML element body follows it */
	if (!mle || !ieee80211_mle_size_ok(mle->data + 1, mle->datalen - 1))
		return NULL;

	/* Required length for first defragmentation */
	buf_len = mle->datalen - 1;
	/*
	 * Add every Fragment element directly following; this is only an
	 * upper bound, cfg80211_defragment_element() decides how many of
	 * them actually belong to the ML element.
	 */
	for_each_element(elem, mle->data + mle->datalen,
			 ie + ielen - mle->data - mle->datalen) {
		if (elem->id != WLAN_EID_FRAGMENT)
			break;
		buf_len += elem->datalen;
	}

	res = kzalloc_flex(*res, data, buf_len, gfp);
	if (!res)
		return NULL;

	mle_len = cfg80211_defragment_element(mle, ie, ielen,
					      res->data, buf_len,
					      WLAN_EID_FRAGMENT);
	if (mle_len < 0)
		goto error;

	res->mle = (void *)res->data;

	/* Find the sub-element area in the buffer */
	common_size = ieee80211_mle_common_size((u8 *)res->mle);
	/*
	 * NOTE(review): ielen is size_t, so this relies on common_size (taken
	 * from the element's own Common Info length octet) never exceeding
	 * mle_len; presumably ieee80211_mle_size_ok() above guarantees that
	 * the advertised common length fits in the element -- confirm.
	 */
	ie = res->data + common_size;
	ielen = mle_len - common_size;

	idx = 0;
	for_each_element_id(elem, IEEE80211_MLE_SUBELEM_PER_STA_PROFILE,
			    ie, ielen) {
		res->sta_prof[idx] = (void *)elem->data;
		res->sta_prof_len[idx] = elem->datalen;

		idx++;
		if (idx >= IEEE80211_MLD_MAX_NUM_LINKS)
			break;
	}
	/*
	 * Rejects a malformed sub-element sequence. If the loop above
	 * stopped at the link limit, elem does not point at the end of the
	 * area, so this presumably fails then as well (an element with more
	 * profiles than links is dropped entirely) -- confirm this is
	 * intended.
	 */
	if (!for_each_element_completed(elem, ie, ielen))
		goto error;

	/* Defragment sta_info in-place */
	for (idx = 0; idx < IEEE80211_MLD_MAX_NUM_LINKS && res->sta_prof[idx];
	     idx++) {
		if (res->sta_prof_len[idx] < 255)
			continue;

		/* back up from the profile data to its sub-element header */
		elem = (void *)res->sta_prof[idx] - 2;

		/*
		 * Bound the fragment walk: with buf_len measured from elem,
		 * it ends right at the next profile's header when there is
		 * one, else at the end of the sub-element area.
		 */
		if (idx + 1 < ARRAY_SIZE(res->sta_prof) &&
		    res->sta_prof[idx + 1])
			buf_len = (u8 *)res->sta_prof[idx + 1] -
				  (u8 *)res->sta_prof[idx];
		else
			buf_len = ielen + ie - (u8 *)elem;

		/* data overlaps ies here; the helper copies with memmove() */
		res->sta_prof_len[idx] =
			cfg80211_defragment_element(elem,
						    (u8 *)elem, buf_len,
						    (u8 *)res->sta_prof[idx],
						    buf_len,
						    IEEE80211_MLE_SUBELEM_FRAGMENT);
		if (res->sta_prof_len[idx] < 0)
			goto error;
	}

	return res;

error:
	kfree(res);
	return NULL;
}
/*
 * struct tbtt_info_iter_data - state for cfg802121_mld_ap_rnr_iter()
 * @ap_info: Neighbor AP Info the matching TBTT entry was found in (output)
 * @param_ch_count: BSS Parameters Change Count from the MLD parameters of
 *	the matching entry (output)
 * @use_for: NL80211_BSS_USE_FOR_* derived from the entry type; the caller
 *	zero-initialises it and treats 0 as "no match" (output)
 * @mld_id: MLD ID to look for (input)
 * @link_id: link ID to look for (input)
 * @non_tx: the matching entry describes a non-transmitted MBSSID BSS (output)
 */
struct tbtt_info_iter_data {
	const struct ieee80211_neighbor_ap_info *ap_info;
	u8 param_ch_count;
	u32 use_for;
	u8 mld_id, link_id;
	bool non_tx;
};
/*
 * cfg802121_mld_ap_rnr_iter - cfg80211_iter_rnr() callback that looks for
 * the TBTT entry of one MLD link
 * @_data: struct tbtt_info_iter_data carrying the mld_id/link_id to match;
 *	its remaining fields are filled in on a match
 * @type: TBTT information field type (IEEE80211_TBTT_INFO_TYPE_*)
 * @info: the Neighbor AP Info this entry belongs to
 * @tbtt_info: the TBTT information field
 * @tbtt_info_len: length of @tbtt_info
 *
 * Entries of another type, or too short to carry MLD parameters, are
 * skipped. Returns RNR_ITER_BREAK once the matching entry has been
 * recorded, RNR_ITER_CONTINUE otherwise.
 */
static enum cfg80211_rnr_iter_ret
cfg802121_mld_ap_rnr_iter(void *_data, u8 type,
			  const struct ieee80211_neighbor_ap_info *info,
			  const u8 *tbtt_info, u8 tbtt_info_len)
{
	struct tbtt_info_iter_data *data = _data;
	const struct ieee80211_rnr_mld_params *mld_params;
	bool non_tx = false;
	u32 use_for;
	u8 link_id;

	if (type == IEEE80211_TBTT_INFO_TYPE_TBTT) {
		const struct ieee80211_tbtt_info_ge_11 *ge11 =
			(const void *)tbtt_info;
		u8 mbssid_flags;

		if (tbtt_info_len <
		    offsetofend(struct ieee80211_tbtt_info_ge_11, mld_params))
			return RNR_ITER_CONTINUE;

		/* an MBSSID set member that is not the transmitting BSS */
		mbssid_flags = ge11->bss_params &
			       (IEEE80211_RNR_TBTT_PARAMS_MULTI_BSSID |
				IEEE80211_RNR_TBTT_PARAMS_TRANSMITTED_BSSID);
		non_tx = mbssid_flags == IEEE80211_RNR_TBTT_PARAMS_MULTI_BSSID;

		mld_params = &ge11->mld_params;
		use_for = NL80211_BSS_USE_FOR_ALL;
	} else if (type == IEEE80211_TBTT_INFO_TYPE_MLD) {
		if (tbtt_info_len < sizeof(struct ieee80211_rnr_mld_params))
			return RNR_ITER_CONTINUE;

		mld_params = (const void *)tbtt_info;
		use_for = NL80211_BSS_USE_FOR_MLD_LINK;
	} else {
		return RNR_ITER_CONTINUE;
	}

	/* both the MLD ID and the link ID have to match */
	if (mld_params->mld_id != data->mld_id)
		return RNR_ITER_CONTINUE;

	link_id = le16_get_bits(mld_params->params,
				IEEE80211_RNR_MLD_PARAMS_LINK_ID);
	if (link_id != data->link_id)
		return RNR_ITER_CONTINUE;

	data->ap_info = info;
	data->param_ch_count =
		le16_get_bits(mld_params->params,
			      IEEE80211_RNR_MLD_PARAMS_BSS_CHANGE_COUNT);
	data->non_tx = non_tx;
	data->use_for = use_for;

	return RNR_ITER_BREAK;
}
/*
 * cfg80211_rnr_info_for_mld_ap - find the RNR TBTT entry for an MLD link
 * @ie: element buffer holding the RNR element(s)
 * @ielen: length of @ie
 * @mld_id: MLD ID of the link to look up
 * @link_id: link ID to look up
 * @ap_info: set to the Neighbor AP Info of the matching entry (output)
 * @param_ch_count: set to the entry's BSS Parameters Change Count (output)
 * @non_tx: set if the entry is a non-transmitted MBSSID BSS (output)
 *
 * Returns the NL80211_BSS_USE_FOR_* value derived from the entry type, or 0
 * when no entry matched (the outputs are then zero/NULL as well).
 */
static u8
cfg80211_rnr_info_for_mld_ap(const u8 *ie, size_t ielen, u8 mld_id, u8 link_id,
			     const struct ieee80211_neighbor_ap_info **ap_info,
			     u8 *param_ch_count, bool *non_tx)
{
	struct tbtt_info_iter_data iter;

	memset(&iter, 0, sizeof(iter));
	iter.mld_id = mld_id;
	iter.link_id = link_id;

	cfg80211_iter_rnr(ie, ielen, cfg802121_mld_ap_rnr_iter, &iter);

	*ap_info = iter.ap_info;
	*param_ch_count = iter.param_ch_count;
	*non_tx = iter.non_tx;

	return iter.use_for;
}
/*
 * cfg80211_gen_reporter_rnr - build a one-entry Reduced Neighbor Report
 * element describing the reporting BSS itself
 * @source_bss: the BSS whose frame carried the ML element
 * @is_mbssid: the reporting AP is part of an MBSSID set (the entry is then
 *	flagged as the transmitted BSSID of that set)
 * @same_mld: the reporting AP belongs to the MLD the entry is generated for
 * @link_id: link ID of the reporting AP within its MLD
 * @bss_change_count: BSS Parameters Change Count to put into the MLD params
 * @gfp: allocation flags
 *
 * The entry only exists so that ML lookups can find the reporting AP from
 * BSS entries generated out of its per-STA profiles. Returns a kzalloc'ed
 * element the caller frees with kfree(), or NULL when @same_mld is false, no
 * operating class could be determined, the short SSID could not be
 * computed, or the allocation failed.
 */
static struct element *
cfg80211_gen_reporter_rnr(struct cfg80211_bss *source_bss, bool is_mbssid,
			  bool same_mld, u8 link_id, u8 bss_change_count,
			  gfp_t gfp)
{
	const struct cfg80211_bss_ies *ies;
	struct ieee80211_neighbor_ap_info ap_info;
	struct ieee80211_tbtt_info_ge_11 tbtt_info;
	u32 short_ssid;
	const struct element *elem;
	struct element *res;

	/*
	 * We only generate the RNR to permit ML lookups. For that we do not
	 * need an entry for the corresponding transmitting BSS, lets just skip
	 * it even though it would be easy to add.
	 */
	if (!same_mld)
		return NULL;

	/* We could use tx_data->ies if we change cfg80211_calc_short_ssid */
	rcu_read_lock();
	/*
	 * NOTE(review): ies is dereferenced below without a NULL check;
	 * presumably a BSS entry that was just informed always has its IEs
	 * set -- confirm.
	 */
	ies = rcu_dereference(source_bss->ies);

	/*
	 * A single TBTT entry in the ieee80211_tbtt_info_ge_11 layout, cut
	 * off after the MLD parameters; that is the length advertised and
	 * copied below.
	 */
	ap_info.tbtt_info_len = offsetofend(typeof(tbtt_info), mld_params);
	ap_info.tbtt_info_hdr =
		u8_encode_bits(IEEE80211_TBTT_INFO_TYPE_TBTT,
			       IEEE80211_AP_INFO_TBTT_HDR_TYPE) |
		u8_encode_bits(0, IEEE80211_AP_INFO_TBTT_HDR_COUNT);
	ap_info.channel = ieee80211_frequency_to_channel(source_bss->channel->center_freq);

	/* operating class */
	elem = cfg80211_find_elem(WLAN_EID_SUPPORTED_REGULATORY_CLASSES,
				  ies->data, ies->len);
	if (elem && elem->datalen >= 1) {
		ap_info.op_class = elem->data[0];
	} else {
		struct cfg80211_chan_def chandef;

		/* The AP is not providing us with anything to work with. So
		 * make up a somewhat reasonable operating class, but don't
		 * bother with it too much as no one will ever use the
		 * information.
		 */
		cfg80211_chandef_create(&chandef, source_bss->channel,
					NL80211_CHAN_NO_HT);

		if (!ieee80211_chandef_to_operating_class(&chandef,
							  &ap_info.op_class))
			goto out_unlock;
	}

	/* Just set TBTT offset and PSD 20 to invalid/unknown */
	tbtt_info.tbtt_offset = 255;
	tbtt_info.psd_20 = IEEE80211_RNR_TBTT_PARAMS_PSD_RESERVED;

	memcpy(tbtt_info.bssid, source_bss->bssid, ETH_ALEN);
	if (cfg80211_calc_short_ssid(ies, &elem, &short_ssid))
		goto out_unlock;

	/* ies is not used past this point; the allocation below may sleep
	 * depending on @gfp, so leave the RCU read side first.
	 */
	rcu_read_unlock();

	tbtt_info.short_ssid = cpu_to_le32(short_ssid);

	tbtt_info.bss_params = IEEE80211_RNR_TBTT_PARAMS_SAME_SSID;

	if (is_mbssid) {
		tbtt_info.bss_params |= IEEE80211_RNR_TBTT_PARAMS_MULTI_BSSID;
		tbtt_info.bss_params |= IEEE80211_RNR_TBTT_PARAMS_TRANSMITTED_BSSID;
	}

	/* the reporting AP always has MLD ID 0 */
	tbtt_info.mld_params.mld_id = 0;
	tbtt_info.mld_params.params =
		le16_encode_bits(link_id, IEEE80211_RNR_MLD_PARAMS_LINK_ID) |
		le16_encode_bits(bss_change_count,
				 IEEE80211_RNR_MLD_PARAMS_BSS_CHANGE_COUNT);

	res = kzalloc_flex(*res, data, sizeof(ap_info) + ap_info.tbtt_info_len,
			   gfp);
	if (!res)
		return NULL;

	/* Copy the data */
	res->id = WLAN_EID_REDUCED_NEIGHBOR_REPORT;
	res->datalen = sizeof(ap_info) + ap_info.tbtt_info_len;
	memcpy(res->data, &ap_info, sizeof(ap_info));
	memcpy(res->data + sizeof(ap_info), &tbtt_info, ap_info.tbtt_info_len);

	return res;

out_unlock:
	rcu_read_unlock();
	return NULL;
}
/*
 * cfg80211_parse_ml_elem_sta_data - create BSS entries for the other links of
 * an MLD from the per-STA profiles in a Basic Multi-Link element
 * @wiphy: the wiphy the frame was received on
 * @tx_data: the data the reporting (transmitting) BSS was informed with
 * @source_bss: the BSS entry created for the reporting BSS
 * @elem: the Multi-Link extension element (first fragment)
 * @gfp: allocation flags
 *
 * Every complete per-STA profile that carries a beacon interval, TSF offset
 * and MAC address, and whose link can be located in the RNR of the frame, is
 * turned into a BSS entry: the profile is merged with the reporting BSS's
 * elements, the Basic ML element (with the link's own link ID and change
 * count) is appended, and -- for entries usable for normal connections --
 * a generated RNR entry for the reporting AP. Links already known from a
 * direct or MBSSID source are left alone.
 */
static void
cfg80211_parse_ml_elem_sta_data(struct wiphy *wiphy,
				struct cfg80211_inform_single_bss_data *tx_data,
				struct cfg80211_bss *source_bss,
				const struct element *elem,
				gfp_t gfp)
{
	struct cfg80211_inform_single_bss_data data = {
		.drv_data = tx_data->drv_data,
		.ftype = tx_data->ftype,
		.source_bss = source_bss,
		.bss_source = BSS_SOURCE_STA_PROFILE,
	};
	struct element *reporter_rnr = NULL;
	struct ieee80211_multi_link_elem *ml_elem;
	struct cfg80211_mle *mle;
	const struct element *ssid_elem;
	const u8 *ssid = NULL;
	size_t ssid_len = 0;
	u16 control;
	u8 ml_common_len;
	u8 *new_ie = NULL;
	struct cfg80211_bss *bss;
	u8 mld_id, reporter_link_id, bss_change_count;
	u16 seen_links = 0;
	u8 i;

	/* elem->data[0] is the extension ID, the ML element body follows it */
	if (!ieee80211_mle_type_ok(elem->data + 1,
				   IEEE80211_ML_CONTROL_TYPE_BASIC,
				   elem->datalen - 1))
		return;

	ml_elem = (void *)(elem->data + 1);
	control = le16_to_cpu(ml_elem->control);
	/*
	 * Common Info length octet, taken from the original (not yet
	 * defragmented) element; it sizes the copy of the ML element made
	 * for each generated entry further down.
	 */
	ml_common_len = ml_elem->variable[0];

	/* Must be present when transmitted by an AP (in a probe response) */
	if (!(control & IEEE80211_MLC_BASIC_PRES_BSS_PARAM_CH_CNT) ||
	    !(control & IEEE80211_MLC_BASIC_PRES_LINK_ID) ||
	    !(control & IEEE80211_MLC_BASIC_PRES_MLD_CAPA_OP))
		return;

	reporter_link_id = ieee80211_mle_get_link_id(elem->data + 1);
	bss_change_count = ieee80211_mle_get_bss_param_ch_cnt(elem->data + 1);

	/*
	 * The MLD ID of the reporting AP is always zero. It is set if the AP
	 * is part of an MBSSID set and will be non-zero for ML Elements
	 * relating to a nontransmitted BSS (matching the Multi-BSSID Index,
	 * Draft P802.11be_D3.2, 35.3.4.2)
	 */
	mld_id = ieee80211_mle_get_mld_id(elem->data + 1);

	/* Fully defrag the ML element for sta information/profile iteration */
	mle = cfg80211_defrag_mle(elem, tx_data->ie, tx_data->ielen, gfp);
	if (!mle)
		return;

	/* No point in doing anything if there is no per-STA profile */
	if (!mle->sta_prof[0])
		goto out;

	/* scratch buffer for the generated elements of each link */
	new_ie = kmalloc(IEEE80211_MAX_DATA_LEN, gfp);
	if (!new_ie)
		goto out;

	/*
	 * Only generated when the reporting AP's MLD ID is zero, i.e. it is
	 * the same MLD; a NULL result is tolerated below.
	 */
	reporter_rnr = cfg80211_gen_reporter_rnr(source_bss,
						 u16_get_bits(control,
							      IEEE80211_MLC_BASIC_PRES_MLD_ID),
						 mld_id == 0, reporter_link_id,
						 bss_change_count,
						 gfp);

	/* the reporting BSS's SSID is used to look up existing entries */
	ssid_elem = cfg80211_find_elem(WLAN_EID_SSID, tx_data->ie,
				       tx_data->ielen);
	if (ssid_elem) {
		ssid = ssid_elem->data;
		ssid_len = ssid_elem->datalen;
	}

	for (i = 0; i < ARRAY_SIZE(mle->sta_prof) && mle->sta_prof[i]; i++) {
		const struct ieee80211_neighbor_ap_info *ap_info;
		enum nl80211_band band;
		u32 freq;
		const u8 *profile;
		ssize_t profile_len;
		u8 param_ch_count;
		u8 link_id, use_for;
		bool non_tx;

		if (!ieee80211_mle_basic_sta_prof_size_ok((u8 *)mle->sta_prof[i],
							  mle->sta_prof_len[i]))
			continue;

		control = le16_to_cpu(mle->sta_prof[i]->control);

		if (!(control & IEEE80211_MLE_STA_CONTROL_COMPLETE_PROFILE))
			continue;

		link_id = u16_get_bits(control,
				       IEEE80211_MLE_STA_CONTROL_LINK_ID);
		/* a repeated link ID aborts the whole loop, not just this one */
		if (seen_links & BIT(link_id))
			break;
		seen_links |= BIT(link_id);

		/* the fixed STA Info fields read below must all be present */
		if (!(control & IEEE80211_MLE_STA_CONTROL_BEACON_INT_PRESENT) ||
		    !(control & IEEE80211_MLE_STA_CONTROL_TSF_OFFS_PRESENT) ||
		    !(control & IEEE80211_MLE_STA_CONTROL_STA_MAC_ADDR_PRESENT))
			continue;

		memcpy(data.bssid, mle->sta_prof[i]->variable, ETH_ALEN);
		data.beacon_interval =
			get_unaligned_le16(mle->sta_prof[i]->variable + 6);
		/* the profile carries a TSF offset relative to the reporter */
		data.tsf = tx_data->tsf +
			   get_unaligned_le64(mle->sta_prof[i]->variable + 8);

		/* sta_info_len counts itself */
		profile = mle->sta_prof[i]->variable +
			  mle->sta_prof[i]->sta_info_len - 1;
		profile_len = (u8 *)mle->sta_prof[i] + mle->sta_prof_len[i] -
			      profile;

		/* at least the capability field has to be there */
		if (profile_len < 2)
			continue;

		data.capability = get_unaligned_le16(profile);
		profile += 2;
		profile_len -= 2;

		/* Find in RNR to look up channel information */
		use_for = cfg80211_rnr_info_for_mld_ap(tx_data->ie,
						       tx_data->ielen,
						       mld_id, link_id,
						       &ap_info,
						       &param_ch_count,
						       &non_tx);
		/* use_for == 0 means no matching RNR entry (ap_info is NULL) */
		if (!use_for)
			continue;

		/*
		 * As of 802.11be_D5.0, the specification does not give us any
		 * way of discovering both the MaxBSSID and the Multiple-BSSID
		 * Index. It does seem like the Multiple-BSSID Index element
		 * may be provided, but section 9.4.2.45 explicitly forbids
		 * including a Multiple-BSSID Element (in this case without any
		 * subelements).
		 * Without both pieces of information we cannot calculate the
		 * reference BSSID, so simply ignore the BSS.
		 */
		if (non_tx)
			continue;

		/* We could sanity check the BSSID is included */

		if (!ieee80211_operating_class_to_band(ap_info->op_class,
						       &band))
			continue;
		freq = ieee80211_channel_to_freq_khz(ap_info->channel, band);
		data.channel = ieee80211_get_channel_khz(wiphy, freq);

		/* Skip if RNR element specifies an unsupported channel */
		if (!data.channel)
			continue;

		/* Skip if BSS entry generated from MBSSID or DIRECT source
		 * frame data available already.
		 */
		bss = cfg80211_get_bss(wiphy, data.channel, data.bssid, ssid,
				       ssid_len, IEEE80211_BSS_TYPE_ANY,
				       IEEE80211_PRIVACY_ANY);
		if (bss) {
			struct cfg80211_internal_bss *ibss = bss_from_pub(bss);

			if (data.capability == bss->capability &&
			    ibss->bss_source != BSS_SOURCE_STA_PROFILE) {
				cfg80211_put_bss(wiphy, bss);
				continue;
			}
			cfg80211_put_bss(wiphy, bss);
		}

		/*
		 * An NSTR non-primary link is still recorded, but marked
		 * unusable unless the driver supports such links.
		 */
		if (use_for == NL80211_BSS_USE_FOR_MLD_LINK &&
		    !(wiphy->flags & WIPHY_FLAG_SUPPORTS_NSTR_NONPRIMARY)) {
			use_for = 0;
			data.cannot_use_reasons =
				NL80211_BSS_CANNOT_USE_NSTR_NONPRIMARY;
		}
		data.use_for = use_for;

		/* Generate new elements */
		memset(new_ie, 0, IEEE80211_MAX_DATA_LEN);
		data.ie = new_ie;
		data.ielen = cfg80211_gen_new_ie(tx_data->ie, tx_data->ielen,
						 profile, profile_len,
						 new_ie,
						 IEEE80211_MAX_DATA_LEN);
		if (!data.ielen)
			continue;

		/* The generated elements do not contain:
		 *  - Basic ML element
		 *  - A TBTT entry in the RNR for the transmitting AP
		 *
		 * This information is needed both internally and in userspace
		 * as such, we should append it here.
		 */
		if (data.ielen + 3 + sizeof(*ml_elem) + ml_common_len >
		    IEEE80211_MAX_DATA_LEN)
			continue;

		/* Copy the Basic Multi-Link element including the common
		 * information, and then fix up the link ID and BSS param
		 * change count.
		 * Note that the ML element length has been verified and we
		 * also checked that it contains the link ID.
		 *
		 * NOTE(review): the element length octet written here is a
		 * u8 and wraps if ml_common_len > 252; presumably the
		 * ieee80211_mle_type_ok() check above bounds ml_common_len by
		 * the element's datalen so this cannot happen -- confirm,
		 * since the memcpy also reads that many octets from ml_elem.
		 */
		new_ie[data.ielen++] = WLAN_EID_EXTENSION;
		new_ie[data.ielen++] = 1 + sizeof(*ml_elem) + ml_common_len;
		new_ie[data.ielen++] = WLAN_EID_EXT_EHT_MULTI_LINK;
		memcpy(new_ie + data.ielen, ml_elem,
		       sizeof(*ml_elem) + ml_common_len);

		new_ie[data.ielen + sizeof(*ml_elem) + 1 + ETH_ALEN] = link_id;
		new_ie[data.ielen + sizeof(*ml_elem) + 1 + ETH_ALEN + 1] =
			param_ch_count;

		data.ielen += sizeof(*ml_elem) + ml_common_len;

		/* the reporter's RNR entry only matters for normal use */
		if (reporter_rnr && (use_for & NL80211_BSS_USE_FOR_NORMAL)) {
			if (data.ielen + sizeof(struct element) +
			    reporter_rnr->datalen > IEEE80211_MAX_DATA_LEN)
				continue;

			memcpy(new_ie + data.ielen, reporter_rnr,
			       sizeof(struct element) + reporter_rnr->datalen);
			data.ielen += sizeof(struct element) +
				      reporter_rnr->datalen;
		}

		bss = cfg80211_inform_single_bss_data(wiphy, &data, gfp);
		if (!bss)
			break;
		cfg80211_put_bss(wiphy, bss);
	}

out:
	kfree(reporter_rnr);
	kfree(new_ie);
	kfree(mle);
}
/*
 * cfg80211_parse_ml_sta_data - derive BSS entries for MLD links from all
 * Multi-Link elements of a probe response
 * @wiphy: the wiphy the frame was received on
 * @tx_data: the data the reporting BSS was informed with
 * @source_bss: the BSS entry of the reporting BSS, NULL if none was created
 * @gfp: allocation flags
 *
 * Nothing is done without a source entry or for frames other than probe
 * responses.
 */
static void cfg80211_parse_ml_sta_data(struct wiphy *wiphy,
				       struct cfg80211_inform_single_bss_data *tx_data,
				       struct cfg80211_bss *source_bss,
				       gfp_t gfp)
{
	const struct element *ml_elem;

	if (!source_bss || tx_data->ftype != CFG80211_BSS_FTYPE_PRESP)
		return;

	for_each_element_extid(ml_elem, WLAN_EID_EXT_EHT_MULTI_LINK,
			       tx_data->ie, tx_data->ielen) {
		cfg80211_parse_ml_elem_sta_data(wiphy, tx_data, source_bss,
						ml_elem, gfp);
	}
}
/*
 * cfg80211_inform_bss_data - inform cfg80211 of a found BSS given its parts
 * @wiphy: the wiphy reporting the BSS
 * @data: driver-supplied metadata (use restrictions, cannot-use reasons, ...)
 * @ftype: which frame type the information came from
 * @bssid: the BSSID of the BSS
 * @tsf: the TSF sent by the peer in the frame
 * @capability: the capability field sent by the peer
 * @beacon_interval: the beacon interval announced by the peer
 * @ie: the element buffer of the frame
 * @ielen: length of @ie
 * @gfp: allocation flags
 *
 * Stores the transmitting BSS and, except for S1G beacons, also creates the
 * entries derived from its MBSSID and Multi-Link information. Returns the
 * transmitting BSS's entry (callers in this file release it with
 * cfg80211_put_bss()), or NULL if it could not be stored.
 */
struct cfg80211_bss *
cfg80211_inform_bss_data(struct wiphy *wiphy,
			 struct cfg80211_inform_bss *data,
			 enum cfg80211_bss_frame_type ftype,
			 const u8 *bssid, u64 tsf, u16 capability,
			 u16 beacon_interval, const u8 *ie, size_t ielen,
			 gfp_t gfp)
{
	struct cfg80211_inform_single_bss_data tx;
	struct cfg80211_bss *res;

	memset(&tx, 0, sizeof(tx));
	tx.drv_data = data;
	tx.ftype = ftype;
	tx.tsf = tsf;
	tx.capability = capability;
	tx.beacon_interval = beacon_interval;
	tx.ie = ie;
	tx.ielen = ielen;
	tx.cannot_use_reasons = data->cannot_use_reasons;
	/* the driver may restrict what the BSS can be used for */
	tx.use_for = NL80211_BSS_USE_FOR_ALL;
	if (data->restrict_use)
		tx.use_for = data->use_for;
	memcpy(tx.bssid, bssid, ETH_ALEN);

	res = cfg80211_inform_single_bss_data(wiphy, &tx, gfp);
	if (!res)
		return NULL;

	/* don't do any further MBSSID/ML handling for S1G */
	if (ftype != CFG80211_BSS_FTYPE_S1G_BEACON) {
		cfg80211_parse_mbssid_data(wiphy, &tx, res, gfp);
		cfg80211_parse_ml_sta_data(wiphy, &tx, res, gfp);
	}

	return res;
}
  2691. EXPORT_SYMBOL(cfg80211_inform_bss_data);
/*
 * cfg80211_inform_bss_frame_data - inform cfg80211 of a received beacon or
 * probe response frame
 * @wiphy: the wiphy the frame was received on
 * @data: driver-supplied metadata about the frame
 * @mgmt: the received frame; a struct ieee80211_ext for S1G beacons
 * @len: length of @mgmt in octets
 * @gfp: allocation flags
 *
 * Splits the frame into the fields cfg80211_inform_bss_data() takes and
 * forwards to it. Returns what cfg80211_inform_bss_data() returns, or NULL
 * when @mgmt or @wiphy is missing, when the frame is shorter than its fixed
 * header (both WARN_ON), or when an S1G beacon lacks a usable S1G Beacon
 * Compatibility element.
 */
struct cfg80211_bss *
cfg80211_inform_bss_frame_data(struct wiphy *wiphy,
			       struct cfg80211_inform_bss *data,
			       struct ieee80211_mgmt *mgmt, size_t len,
			       gfp_t gfp)
{
	size_t min_hdr_len;
	struct ieee80211_ext *ext = NULL;
	enum cfg80211_bss_frame_type ftype;
	u16 beacon_interval;
	const u8 *bssid;
	u16 capability;
	const u8 *ie;
	size_t ielen;
	u64 tsf;
	size_t s1g_optional_len;

	if (WARN_ON(!mgmt))
		return NULL;

	if (WARN_ON(!wiphy))
		return NULL;

	/* the probe response layout is used for (non-S1G) beacons below too */
	BUILD_BUG_ON(offsetof(struct ieee80211_mgmt, u.probe_resp.variable) !=
		     offsetof(struct ieee80211_mgmt, u.beacon.variable));

	trace_cfg80211_inform_bss_frame(wiphy, data, mgmt, len);

	if (ieee80211_is_s1g_beacon(mgmt->frame_control)) {
		ext = (void *) mgmt;
		/* S1G beacons carry optional fixed fields before the elements */
		s1g_optional_len =
			ieee80211_s1g_optional_len(ext->frame_control);
		min_hdr_len =
			offsetof(struct ieee80211_ext, u.s1g_beacon.variable) +
			s1g_optional_len;
	} else {
		/* same for beacons */
		min_hdr_len = offsetof(struct ieee80211_mgmt,
				       u.probe_resp.variable);
	}

	if (WARN_ON(len < min_hdr_len))
		return NULL;

	ielen = len - min_hdr_len;
	ie = mgmt->u.probe_resp.variable;
	if (ext) {
		const struct ieee80211_s1g_bcn_compat_ie *compat;
		const struct element *elem;

		ie = ext->u.s1g_beacon.variable + s1g_optional_len;
		/* for S1G, capability and beacon interval live in an element */
		elem = cfg80211_find_elem(WLAN_EID_S1G_BCN_COMPAT, ie, ielen);
		if (!elem)
			return NULL;
		if (elem->datalen < sizeof(*compat))
			return NULL;
		compat = (void *)elem->data;
		bssid = ext->u.s1g_beacon.sa;
		capability = le16_to_cpu(compat->compat_info);
		beacon_interval = le16_to_cpu(compat->beacon_int);
	} else {
		bssid = mgmt->bssid;
		beacon_interval = le16_to_cpu(mgmt->u.probe_resp.beacon_int);
		capability = le16_to_cpu(mgmt->u.probe_resp.capab_info);
	}

	/*
	 * NOTE(review): read through the probe_resp layout for every frame
	 * type, including S1G beacons whose min_hdr_len above is computed
	 * from struct ieee80211_ext instead -- confirm that len always covers
	 * this 8-octet field for S1G and that it is the intended TSF source.
	 */
	tsf = le64_to_cpu(mgmt->u.probe_resp.timestamp);

	if (ieee80211_is_probe_resp(mgmt->frame_control))
		ftype = CFG80211_BSS_FTYPE_PRESP;
	else if (ext)
		ftype = CFG80211_BSS_FTYPE_S1G_BEACON;
	else
		ftype = CFG80211_BSS_FTYPE_BEACON;

	return cfg80211_inform_bss_data(wiphy, data, ftype,
					bssid, tsf, capability,
					beacon_interval, ie, ielen,
					gfp);
}
  2761. EXPORT_SYMBOL(cfg80211_inform_bss_frame_data);
/*
 * cfg80211_ref_bss - take a reference on a BSS entry
 * @wiphy: the wiphy the entry belongs to
 * @pub: the entry, NULL is ignored
 *
 * The reference count is manipulated under the rdev's bss_lock.
 */
void cfg80211_ref_bss(struct wiphy *wiphy, struct cfg80211_bss *pub)
{
	struct cfg80211_registered_device *rdev;
	struct cfg80211_internal_bss *bss;

	if (!pub)
		return;

	rdev = wiphy_to_rdev(wiphy);
	bss = bss_from_pub(pub);

	spin_lock_bh(&rdev->bss_lock);
	bss_ref_get(rdev, bss);
	spin_unlock_bh(&rdev->bss_lock);
}
  2771. EXPORT_SYMBOL(cfg80211_ref_bss);
/*
 * cfg80211_put_bss - drop a reference on a BSS entry
 * @wiphy: the wiphy the entry belongs to
 * @pub: the entry, NULL is ignored
 *
 * Counterpart of cfg80211_ref_bss(); the reference count is manipulated
 * under the rdev's bss_lock.
 */
void cfg80211_put_bss(struct wiphy *wiphy, struct cfg80211_bss *pub)
{
	struct cfg80211_registered_device *rdev;
	struct cfg80211_internal_bss *bss;

	if (!pub)
		return;

	rdev = wiphy_to_rdev(wiphy);
	bss = bss_from_pub(pub);

	spin_lock_bh(&rdev->bss_lock);
	bss_ref_put(rdev, bss);
	spin_unlock_bh(&rdev->bss_lock);
}
  2781. EXPORT_SYMBOL(cfg80211_put_bss);
/*
 * cfg80211_unlink_bss - remove a BSS entry from the scan list
 * @wiphy: the wiphy the entry belongs to
 * @pub: the entry to unlink (WARN_ON on NULL)
 *
 * An entry that is no longer on the list is left alone. Otherwise its
 * nontransmitted BSS entries are unlinked first, then the entry itself,
 * bumping the scan result generation for each one actually removed.
 */
void cfg80211_unlink_bss(struct wiphy *wiphy, struct cfg80211_bss *pub)
{
	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
	struct cfg80211_internal_bss *bss;
	struct cfg80211_bss *nontrans, *next;

	if (WARN_ON(!pub))
		return;

	bss = bss_from_pub(pub);

	spin_lock_bh(&rdev->bss_lock);
	if (!list_empty(&bss->list)) {
		list_for_each_entry_safe(nontrans, next,
					 &pub->nontrans_list,
					 nontrans_list) {
			if (__cfg80211_unlink_bss(rdev, bss_from_pub(nontrans)))
				rdev->bss_generation++;
		}

		if (__cfg80211_unlink_bss(rdev, bss))
			rdev->bss_generation++;
	}
	spin_unlock_bh(&rdev->bss_lock);
}
  2805. EXPORT_SYMBOL(cfg80211_unlink_bss);
/*
 * cfg80211_bss_iter - call a function for each BSS entry, optionally
 * restricted to a channel definition
 * @wiphy: the wiphy whose entries to iterate
 * @chandef: only visit entries whose channel is within this chandef;
 *	NULL visits every entry
 * @iter: callback invoked for each visited entry
 * @iter_data: opaque argument passed to @iter
 *
 * The list is walked with the rdev's bss_lock held, so @iter runs in BH
 * disabled context and must not sleep or take that lock.
 */
void cfg80211_bss_iter(struct wiphy *wiphy,
		       struct cfg80211_chan_def *chandef,
		       void (*iter)(struct wiphy *wiphy,
				    struct cfg80211_bss *bss,
				    void *data),
		       void *iter_data)
{
	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
	struct cfg80211_internal_bss *entry;

	spin_lock_bh(&rdev->bss_lock);
	list_for_each_entry(entry, &rdev->bss_list, list) {
		if (chandef &&
		    !cfg80211_is_sub_chan(chandef, entry->pub.channel, false))
			continue;

		iter(wiphy, &entry->pub, iter_data);
	}
	spin_unlock_bh(&rdev->bss_lock);
}
  2823. EXPORT_SYMBOL(cfg80211_bss_iter);
/*
 * cfg80211_update_assoc_bss_entry - move the associated BSS entry to a new
 * channel after a channel switch
 * @wdev: the client wdev
 * @link_id: link whose current BSS switched channel
 * @chan: the new channel
 *
 * wdev->links[link_id].client.current_bss is dereferenced without a check
 * here; presumably every caller guarantees it is set -- TODO confirm. When
 * an entry for the same BSS already exists on the new channel, its data is
 * merged into the current entry and that duplicate is unlinked, so the
 * current entry is the one that survives.
 */
void cfg80211_update_assoc_bss_entry(struct wireless_dev *wdev,
				     unsigned int link_id,
				     struct ieee80211_channel *chan)
{
	struct wiphy *wiphy = wdev->wiphy;
	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
	struct cfg80211_internal_bss *cbss = wdev->links[link_id].client.current_bss;
	struct cfg80211_internal_bss *new = NULL;
	struct cfg80211_internal_bss *bss;
	struct cfg80211_bss *nontrans_bss;
	struct cfg80211_bss *tmp;

	spin_lock_bh(&rdev->bss_lock);

	/*
	 * Some APs use CSA also for bandwidth changes, i.e., without actually
	 * changing the control channel, so no need to update in such a case.
	 */
	if (cbss->pub.channel == chan)
		goto done;

	/* use transmitting bss */
	if (cbss->pub.transmitted_bss)
		cbss = bss_from_pub(cbss->pub.transmitted_bss);

	cbss->pub.channel = chan;

	/* look for an entry that already describes this BSS on the new channel */
	list_for_each_entry(bss, &rdev->bss_list, list) {
		if (!cfg80211_bss_type_match(bss->pub.capability,
					     bss->pub.channel->band,
					     wdev->conn_bss_type))
			continue;

		if (bss == cbss)
			continue;

		if (!cmp_bss(&bss->pub, &cbss->pub, BSS_CMP_REGULAR)) {
			new = bss;
			break;
		}
	}

	if (new) {
		/* to save time, update IEs for transmitting bss only */
		cfg80211_update_known_bss(rdev, cbss, new, false);
		/*
		 * Presumably the IE buffers were handed over to cbss by the
		 * call above and are cleared here so unlinking new does not
		 * free them -- confirm against cfg80211_update_known_bss().
		 */
		new->pub.proberesp_ies = NULL;
		new->pub.beacon_ies = NULL;

		/* drop the duplicate's nontransmitted entries and then itself */
		list_for_each_entry_safe(nontrans_bss, tmp,
					 &new->pub.nontrans_list,
					 nontrans_list) {
			bss = bss_from_pub(nontrans_bss);
			if (__cfg80211_unlink_bss(rdev, bss))
				rdev->bss_generation++;
		}

		WARN_ON(atomic_read(&new->hold));
		if (!WARN_ON(!__cfg80211_unlink_bss(rdev, new)))
			rdev->bss_generation++;
	}

	/* the channel changed, so the entry and its nontransmitted BSSes rehash */
	cfg80211_rehash_bss(rdev, cbss);

	list_for_each_entry_safe(nontrans_bss, tmp,
				 &cbss->pub.nontrans_list,
				 nontrans_list) {
		bss = bss_from_pub(nontrans_bss);
		bss->pub.channel = chan;
		cfg80211_rehash_bss(rdev, bss);
	}

done:
	spin_unlock_bh(&rdev->bss_lock);
}
  2885. #ifdef CONFIG_CFG80211_WEXT
/*
 * cfg80211_get_dev_from_ifindex - look up the rdev behind a netdev ifindex
 * @net: network namespace of the interface
 * @ifindex: interface index
 *
 * Returns the registered device of the wireless interface, or
 * ERR_PTR(-ENODEV) when there is no such interface or it is not a wireless
 * one. No reference is kept on the returned rdev (the netdev reference is
 * dropped before returning); callers rely on holding RTNL, which is
 * asserted here.
 */
static struct cfg80211_registered_device *
cfg80211_get_dev_from_ifindex(struct net *net, int ifindex)
{
	struct cfg80211_registered_device *rdev = ERR_PTR(-ENODEV);
	struct net_device *dev;

	ASSERT_RTNL();

	dev = dev_get_by_index(net, ifindex);
	if (!dev)
		return rdev;

	if (dev->ieee80211_ptr)
		rdev = wiphy_to_rdev(dev->ieee80211_ptr->wiphy);

	dev_put(dev);

	return rdev;
}
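/*
 * cfg80211_wext_siwscan - SIOCSIWSCAN handler: start a scan from wireless
 * extensions
 * @dev: the netdev to scan on
 * @info: WEXT request info (unused)
 * @wrqu: request data; @wrqu->data.length and @wrqu->data.flags describe the
 *	optional struct iw_scan_req in @extra
 * @extra: the struct iw_scan_req from userspace; only used when
 *	@wrqu->data.length is exactly sizeof(struct iw_scan_req)
 *
 * Translates the userspace channel list and ESSID into a cfg80211 scan
 * request and hands it to the driver. Returns 0 on success, -ENETDOWN if
 * the interface is down, -ENODEV if it is not a wireless interface, -EBUSY
 * if a scan is already pending, -EINVAL for an invalid request (too many
 * channels, no usable channel, ESSID too long), -ENOMEM on allocation
 * failure, or the driver's error.
 */
int cfg80211_wext_siwscan(struct net_device *dev,
			  struct iw_request_info *info,
			  union iwreq_data *wrqu, char *extra)
{
	struct cfg80211_registered_device *rdev;
	struct wiphy *wiphy;
	struct iw_scan_req *wreq = NULL;
	struct cfg80211_scan_request_int *creq;
	int i, err, n_channels = 0;
	enum nl80211_band band;

	if (!netif_running(dev))
		return -ENETDOWN;

	if (wrqu->data.length == sizeof(struct iw_scan_req))
		wreq = (struct iw_scan_req *)extra;

	rdev = cfg80211_get_dev_from_ifindex(dev_net(dev), dev->ifindex);

	if (IS_ERR(rdev))
		return PTR_ERR(rdev);

	/*
	 * Checked before the wiphy lock is taken below; WEXT callers are
	 * presumably serialised by RTNL (asserted in
	 * cfg80211_get_dev_from_ifindex()).
	 */
	if (rdev->scan_req || rdev->scan_msg)
		return -EBUSY;

	wiphy = &rdev->wiphy;

	/* Determine number of channels, needed to allocate creq */
	if (wreq && wreq->num_channels) {
		/* Passed from userspace so should be checked */
		if (unlikely(wreq->num_channels > IW_MAX_FREQUENCIES))
			return -EINVAL;
		n_channels = wreq->num_channels;
	} else {
		n_channels = ieee80211_get_num_supported_channels(wiphy);
	}

	/* room for the channel pointers plus the single SSID that follows */
	creq = kzalloc(struct_size(creq, req.channels, n_channels) +
		       sizeof(struct cfg80211_ssid),
		       GFP_ATOMIC);
	if (!creq)
		return -ENOMEM;

	creq->req.wiphy = wiphy;
	creq->req.wdev = dev->ieee80211_ptr;
	/* SSIDs come after channels */
	creq->req.ssids = (void *)creq +
			  struct_size(creq, req.channels, n_channels);
	creq->req.n_channels = n_channels;
	creq->req.n_ssids = 1;
	creq->req.scan_start = jiffies;

	/* translate "Scan on frequencies" request */
	i = 0;
	for (band = 0; band < NUM_NL80211_BANDS; band++) {
		int j;

		if (!wiphy->bands[band])
			continue;

		for (j = 0; j < wiphy->bands[band]->n_channels; j++) {
			struct ieee80211_channel *chan;

			/* ignore disabled channels */
			chan = &wiphy->bands[band]->channels[j];
			if (chan->flags & IEEE80211_CHAN_DISABLED ||
			    !cfg80211_wdev_channel_allowed(creq->req.wdev, chan))
				continue;

			/* If we have a wireless request structure and the
			 * wireless request specifies frequencies, then search
			 * for the matching hardware channel.
			 */
			if (wreq && wreq->num_channels) {
				int k;
				int wiphy_freq = wiphy->bands[band]->channels[j].center_freq;

				for (k = 0; k < wreq->num_channels; k++) {
					struct iw_freq *freq =
						&wreq->channel_list[k];
					int wext_freq =
						cfg80211_wext_freq(freq);

					if (wext_freq == wiphy_freq)
						goto wext_freq_found;
				}
				goto wext_freq_not_found;
			}

		wext_freq_found:
			creq->req.channels[i] =
				&wiphy->bands[band]->channels[j];
			i++;
		wext_freq_not_found: ;
		}
	}
	/* No channels found? */
	if (!i) {
		err = -EINVAL;
		goto out;
	}

	/* Set real number of channels specified in creq->req.channels[] */
	creq->req.n_channels = i;

	/* translate "Scan for SSID" request */
	if (wreq) {
		if (wrqu->data.flags & IW_SCAN_THIS_ESSID) {
			/*
			 * Userspace-controlled length: bound it before the
			 * memcpy, and release creq on this error path
			 * instead of returning with it still allocated.
			 */
			if (wreq->essid_len > IEEE80211_MAX_SSID_LEN) {
				err = -EINVAL;
				goto out;
			}
			memcpy(creq->req.ssids[0].ssid, wreq->essid,
			       wreq->essid_len);
			creq->req.ssids[0].ssid_len = wreq->essid_len;
		}
		/* a passive scan sends no probe requests, so no SSIDs */
		if (wreq->scan_type == IW_SCAN_TYPE_PASSIVE) {
			creq->req.ssids = NULL;
			creq->req.n_ssids = 0;
		}
	}

	/* all supported rates of every supported band */
	for (i = 0; i < NUM_NL80211_BANDS; i++)
		if (wiphy->bands[i])
			creq->req.rates[i] =
				(1 << wiphy->bands[i]->n_bitrates) - 1;

	eth_broadcast_addr(creq->req.bssid);

	scoped_guard(wiphy, &rdev->wiphy) {
		rdev->scan_req = creq;
		err = rdev_scan(rdev, creq);
		if (err) {
			rdev->scan_req = NULL;
			/* creq will be freed below */
		} else {
			nl80211_send_scan_start(rdev, dev->ieee80211_ptr);
			/* creq now owned by driver */
			creq = NULL;
			dev_hold(dev);
		}
	}

 out:
	kfree(creq);
	return err;
}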
/*
 * Emit one IWEVGENIE event carrying the IE bytes [frag, frag + frag_len).
 *
 * The event struct is zeroed in full before use so that no stale stack
 * bytes can reach the user buffer through the stream helper.  Returns the
 * advanced write position or an ERR_PTR from iwe_stream_add_point_check().
 */
static char *ieee80211_scan_add_ie_frag(struct iw_request_info *info,
					const u8 *frag, size_t frag_len,
					char *current_ev, char *end_buf)
{
	struct iw_event iwe;

	memset(&iwe, 0, sizeof(iwe));
	iwe.cmd = IWEVGENIE;
	iwe.u.data.length = frag_len;
	return iwe_stream_add_point_check(info, current_ev, end_buf, &iwe,
					  (void *)frag);
}

/*
 * ieee80211_scan_add_ies - append a BSS's raw IEs to a WEXT event stream
 * @info: wireless request info (stream format/version)
 * @ies: IE buffer of the BSS; may be NULL, in which case nothing is added
 * @current_ev: current write position in the user event buffer
 * @end_buf: one past the end of that buffer
 *
 * Userspace receives the IEs as IWEVGENIE events of at most
 * IW_GENERIC_IE_MAX octets, so the buffer is split at IE boundaries
 * whenever the remainder does not fit into a single event.
 *
 * Return: new write position, or an ERR_PTR when the buffer is exhausted
 * (callers check with IS_ERR()).
 */
static char *ieee80211_scan_add_ies(struct iw_request_info *info,
				    const struct cfg80211_bss_ies *ies,
				    char *current_ev, char *end_buf)
{
	const u8 *frag, *limit;

	if (!ies)
		return current_ev;

	frag = ies->data;
	limit = frag + ies->len;

	while (limit - frag > IW_GENERIC_IE_MAX) {
		/* Start with the first IE, then grow by whole IEs under the cap. */
		const u8 *cut = frag + 2 + frag[1];

		while (cut + 2 + cut[1] - frag < IW_GENERIC_IE_MAX)
			cut += 2 + cut[1];

		current_ev = ieee80211_scan_add_ie_frag(info, frag, cut - frag,
							current_ev, end_buf);
		if (IS_ERR(current_ev))
			return current_ev;
		frag = cut;
	}

	/* Whatever is left fits into one event. */
	if (limit > frag)
		current_ev = ieee80211_scan_add_ie_frag(info, frag, limit - frag,
							current_ev, end_buf);

	return current_ev;
}
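/*
 * ieee80211_bss - render one scan result as a stream of WEXT events
 * @wiphy: the registered wiphy, consulted for its signal type
 * @info: wireless request info (stream format/version)
 * @bss: BSS entry to describe (ieee80211_scan_results() calls this with
 *	rdev->bss_lock held)
 * @current_ev: current write position in the user event buffer
 * @end_buf: one past the end of that buffer
 *
 * Emits, in order: BSSID, channel and frequency, signal quality (when the
 * wiphy reports a signal at all), the privacy flag, SSID / mesh ID, the
 * decoded mesh configuration, supported rates, operating mode, TSF, the
 * age of the entry and finally the raw IEs.
 *
 * Every string event is formatted with scnprintf() into a fixed stack
 * buffer so a longer label or format can never overrun it.
 *
 * Return: new write position, or an ERR_PTR (for example -E2BIG when the
 * buffer is full) which callers must check with IS_ERR().
 */
static char *
ieee80211_bss(struct wiphy *wiphy, struct iw_request_info *info,
	      struct cfg80211_internal_bss *bss, char *current_ev,
	      char *end_buf)
{
	/*
	 * One label per octet of struct ieee80211_meshconf_ie, in the order
	 * they appear in the IE; each octet becomes its own IWEVCUSTOM event.
	 */
	static const char * const meshconf_labels[] = {
		"Mesh Network Path Selection Protocol ID",
		"Path Selection Metric ID",
		"Congestion Control Mode ID",
		"Synchronization ID",
		"Authentication ID",
		"Formation Info",
		"Capabilities",
	};
	const struct cfg80211_bss_ies *ies;
	struct iw_event iwe;
	const u8 *ie, *cfg;
	char buf[50];
	char *p, *tmp;
	int rem, i, sig;
	bool ismesh = false;

	BUILD_BUG_ON(ARRAY_SIZE(meshconf_labels) !=
		     sizeof(struct ieee80211_meshconf_ie));

	/*
	 * iwe is zeroed in full before every event so that no stale stack
	 * bytes can reach the user buffer through the stream helpers.
	 */

	/* BSSID */
	memset(&iwe, 0, sizeof(iwe));
	iwe.cmd = SIOCGIWAP;
	iwe.u.ap_addr.sa_family = ARPHRD_ETHER;
	memcpy(iwe.u.ap_addr.sa_data, bss->pub.bssid, ETH_ALEN);
	current_ev = iwe_stream_add_event_check(info, current_ev, end_buf, &iwe,
						IW_EV_ADDR_LEN);
	if (IS_ERR(current_ev))
		return current_ev;

	/* Channel number (exponent 0) ... */
	memset(&iwe, 0, sizeof(iwe));
	iwe.cmd = SIOCGIWFREQ;
	iwe.u.freq.m = ieee80211_frequency_to_channel(bss->pub.channel->center_freq);
	iwe.u.freq.e = 0;
	current_ev = iwe_stream_add_event_check(info, current_ev, end_buf, &iwe,
						IW_EV_FREQ_LEN);
	if (IS_ERR(current_ev))
		return current_ev;

	/* ... and the same channel as a frequency in MHz (m * 10^6). */
	memset(&iwe, 0, sizeof(iwe));
	iwe.cmd = SIOCGIWFREQ;
	iwe.u.freq.m = bss->pub.channel->center_freq;
	iwe.u.freq.e = 6;
	current_ev = iwe_stream_add_event_check(info, current_ev, end_buf, &iwe,
						IW_EV_FREQ_LEN);
	if (IS_ERR(current_ev))
		return current_ev;

	/* Signal quality, only when the driver reports a signal at all. */
	if (wiphy->signal_type != CFG80211_SIGNAL_TYPE_NONE) {
		memset(&iwe, 0, sizeof(iwe));
		iwe.cmd = IWEVQUAL;
		iwe.u.qual.updated = IW_QUAL_LEVEL_UPDATED |
				     IW_QUAL_NOISE_INVALID |
				     IW_QUAL_QUAL_UPDATED;

		switch (wiphy->signal_type) {
		case CFG80211_SIGNAL_TYPE_MBM:
			/* mBm -> dBm for the reported level ... */
			sig = bss->pub.signal / 100;
			iwe.u.qual.level = sig;
			iwe.u.qual.updated |= IW_QUAL_DBM;
			/* ... then clamp to [-110, -40] for a 0 .. 70 quality */
			if (sig < -110)		/* rather bad */
				sig = -110;
			else if (sig > -40)	/* perfect */
				sig = -40;
			iwe.u.qual.qual = sig + 110;
			break;
		case CFG80211_SIGNAL_TYPE_UNSPEC:
			iwe.u.qual.level = bss->pub.signal;
			/* will give range 0 .. 100 */
			iwe.u.qual.qual = bss->pub.signal;
			break;
		default:
			/* not reached: NONE was excluded above */
			break;
		}

		current_ev = iwe_stream_add_event_check(info, current_ev,
							end_buf, &iwe,
							IW_EV_QUAL_LEN);
		if (IS_ERR(current_ev))
			return current_ev;
	}

	/* Privacy capability -> encryption on/off; the key is never reported. */
	memset(&iwe, 0, sizeof(iwe));
	iwe.cmd = SIOCGIWENCODE;
	if (bss->pub.capability & WLAN_CAPABILITY_PRIVACY)
		iwe.u.data.flags = IW_ENCODE_ENABLED | IW_ENCODE_NOKEY;
	else
		iwe.u.data.flags = IW_ENCODE_DISABLED;
	iwe.u.data.length = 0;
	current_ev = iwe_stream_add_point_check(info, current_ev, end_buf,
						&iwe, "");
	if (IS_ERR(current_ev))
		return current_ev;

	rcu_read_lock();
	ies = rcu_dereference(bss->pub.ies);
	/*
	 * NOTE(review): ies is dereferenced without a NULL check here, whereas
	 * ieee80211_scan_add_ies() guards against NULL; confirm that a BSS on
	 * rdev->bss_list always carries an IE buffer.
	 */
	rem = ies->len;
	ie = ies->data;

	/* Walk the IEs; stop at the first whose length overruns the buffer. */
	while (rem >= 2) {
		/* invalid data */
		if (ie[1] > rem - 2)
			break;

		switch (ie[0]) {
		case WLAN_EID_SSID:
		case WLAN_EID_MESH_ID:
			/* Both are reported to userspace as the ESSID. */
			memset(&iwe, 0, sizeof(iwe));
			iwe.cmd = SIOCGIWESSID;
			iwe.u.data.length = ie[1];
			iwe.u.data.flags = 1;
			current_ev = iwe_stream_add_point_check(info,
								current_ev,
								end_buf, &iwe,
								(u8 *)ie + 2);
			if (IS_ERR(current_ev))
				goto unlock;
			break;
		case WLAN_EID_MESH_CONFIG:
			ismesh = true;
			/* Only the fixed-size form is decoded; other sizes are skipped. */
			if (ie[1] != sizeof(struct ieee80211_meshconf_ie))
				break;
			cfg = ie + 2;
			memset(&iwe, 0, sizeof(iwe));
			iwe.cmd = IWEVCUSTOM;
			/* One "<label>: 0xNN" custom event per configuration octet. */
			for (i = 0; i < ARRAY_SIZE(meshconf_labels); i++) {
				iwe.u.data.length = scnprintf(buf, sizeof(buf),
							      "%s: 0x%02X",
							      meshconf_labels[i],
							      cfg[i]);
				current_ev = iwe_stream_add_point_check(info,
									current_ev,
									end_buf,
									&iwe, buf);
				if (IS_ERR(current_ev))
					goto unlock;
			}
			break;
		case WLAN_EID_SUPP_RATES:
		case WLAN_EID_EXT_SUPP_RATES:
			/* display all supported rates in readable format */
			p = current_ev + iwe_stream_lcp_len(info);
			memset(&iwe, 0, sizeof(iwe));
			iwe.cmd = SIOCGIWRATE;
			/* Those two flags are ignored... */
			iwe.u.bitrate.fixed = iwe.u.bitrate.disabled = 0;

			for (i = 0; i < ie[1]; i++) {
				/* Low 7 bits are the rate in 500 kbit/s units. */
				iwe.u.bitrate.value =
					((ie[i + 2] & 0x7f) * 500000);
				tmp = p;
				p = iwe_stream_add_value(info, current_ev, p,
							 end_buf, &iwe,
							 IW_EV_PARAM_LEN);
				/* No progress means the value did not fit. */
				if (p == tmp) {
					current_ev = ERR_PTR(-E2BIG);
					goto unlock;
				}
			}
			current_ev = p;
			break;
		default:
			/* Other IEs are delivered raw by ieee80211_scan_add_ies(). */
			break;
		}

		rem -= ie[1] + 2;
		ie += ie[1] + 2;
	}

	/* Operating mode: mesh takes precedence over ESS over IBSS. */
	if (bss->pub.capability & (WLAN_CAPABILITY_ESS | WLAN_CAPABILITY_IBSS) ||
	    ismesh) {
		memset(&iwe, 0, sizeof(iwe));
		iwe.cmd = SIOCGIWMODE;
		if (ismesh)
			iwe.u.mode = IW_MODE_MESH;
		else if (bss->pub.capability & WLAN_CAPABILITY_ESS)
			iwe.u.mode = IW_MODE_MASTER;
		else
			iwe.u.mode = IW_MODE_ADHOC;
		current_ev = iwe_stream_add_event_check(info, current_ev,
							end_buf, &iwe,
							IW_EV_UINT_LEN);
		if (IS_ERR(current_ev))
			goto unlock;
	}

	/* TSF as a custom event. */
	memset(&iwe, 0, sizeof(iwe));
	iwe.cmd = IWEVCUSTOM;
	iwe.u.data.length = scnprintf(buf, sizeof(buf), "tsf=%016llx",
				      (unsigned long long)(ies->tsf));
	current_ev = iwe_stream_add_point_check(info, current_ev, end_buf,
						&iwe, buf);
	if (IS_ERR(current_ev))
		goto unlock;

	/* Age of the entry as a custom event. */
	memset(&iwe, 0, sizeof(iwe));
	iwe.cmd = IWEVCUSTOM;
	iwe.u.data.length = scnprintf(buf, sizeof(buf), " Last beacon: %ums ago",
				      elapsed_jiffies_msecs(bss->ts));
	current_ev = iwe_stream_add_point_check(info, current_ev,
						end_buf, &iwe, buf);
	if (IS_ERR(current_ev))
		goto unlock;

	/* Finally the raw IEs, fragmented as needed. */
	current_ev = ieee80211_scan_add_ies(info, ies, current_ev, end_buf);

 unlock:
	rcu_read_unlock();
	return current_ev;
}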
/*
 * ieee80211_scan_results - fill a WEXT scan result buffer
 * @rdev: registered device whose BSS list is reported
 * @info: wireless request info (stream format/version)
 * @buf: user event buffer to fill
 * @len: size of @buf in bytes
 *
 * Walks rdev->bss_list under rdev->bss_lock and appends every entry with
 * ieee80211_bss().  The walk stops as soon as fewer than IW_EV_ADDR_LEN
 * bytes remain, since no entry can be started without room for its
 * leading BSSID event.
 *
 * Return: number of bytes written to @buf, or a negative errno (-E2BIG
 * when @buf cannot hold every entry).
 */
static int ieee80211_scan_results(struct cfg80211_registered_device *rdev,
				  struct iw_request_info *info,
				  char *buf, size_t len)
{
	char *const end_buf = buf + len;
	char *pos = buf;
	struct cfg80211_internal_bss *entry;
	int ret = 0;

	spin_lock_bh(&rdev->bss_lock);
	/* Let cfg80211 age out old entries before the list is reported. */
	cfg80211_bss_expire(rdev);

	list_for_each_entry(entry, &rdev->bss_list, list) {
		if (end_buf - pos <= IW_EV_ADDR_LEN) {
			ret = -E2BIG;
			break;
		}

		pos = ieee80211_bss(&rdev->wiphy, info, entry, pos, end_buf);
		if (IS_ERR(pos)) {
			ret = PTR_ERR(pos);
			break;
		}
	}
	spin_unlock_bh(&rdev->bss_lock);

	return ret ? ret : pos - buf;
}
/*
 * cfg80211_wext_giwscan - SIOCGIWSCAN handler: copy out scan results
 * @dev: the network device being queried
 * @info: wireless request info (stream format/version)
 * @wrqu: request data; wrqu->data.length is the buffer size on entry and
 *	the number of bytes written on success (0 on any failure)
 * @extra: the user event buffer
 *
 * Return: 0 on success, -ENETDOWN if @dev is not running, -EAGAIN while
 * a scan request or scan message is still pending on the rdev, or the
 * negative errno from ieee80211_scan_results().
 */
int cfg80211_wext_giwscan(struct net_device *dev,
			  struct iw_request_info *info,
			  union iwreq_data *wrqu, char *extra)
{
	struct iw_point *data = &wrqu->data;
	struct cfg80211_registered_device *rdev;
	int written;

	if (!netif_running(dev))
		return -ENETDOWN;

	rdev = cfg80211_get_dev_from_ifindex(dev_net(dev), dev->ifindex);
	if (IS_ERR(rdev))
		return PTR_ERR(rdev);

	/*
	 * NOTE(review): scan_req/scan_msg are read without the wiphy lock
	 * that the scan-start path takes; presumably the WEXT ioctl path
	 * is serialised elsewhere — confirm.
	 */
	if (rdev->scan_req || rdev->scan_msg)
		return -EAGAIN;

	written = ieee80211_scan_results(rdev, info, extra, data->length);
	if (written < 0) {
		data->length = 0;
		return written;
	}

	data->length = written;
	return 0;
}
  3360. #endif