1 // SPDX-License-Identifier: GPL-2.0 2 /* 3 * cfg80211 MLME SAP interface 4 * 5 * Copyright (c) 2009, Jouni Malinen <j@w1.fi> 6 * Copyright (c) 2015 Intel Deutschland GmbH 7 * Copyright (C) 2019-2020, 2022 Intel Corporation 8 */ 9 10 #include <linux/kernel.h> 11 #include <linux/module.h> 12 #include <linux/etherdevice.h> 13 #include <linux/netdevice.h> 14 #include <linux/nl80211.h> 15 #include <linux/slab.h> 16 #include <linux/wireless.h> 17 #include <net/cfg80211.h> 18 #include <net/iw_handler.h> 19 #include "core.h" 20 #include "nl80211.h" 21 #include "rdev-ops.h" 22 23 24 void cfg80211_rx_assoc_resp(struct net_device *dev, 25 struct cfg80211_rx_assoc_resp *data) 26 { 27 struct wireless_dev *wdev = dev->ieee80211_ptr; 28 struct wiphy *wiphy = wdev->wiphy; 29 struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy); 30 struct ieee80211_mgmt *mgmt = (struct ieee80211_mgmt *)data->buf; 31 struct cfg80211_connect_resp_params cr = { 32 .timeout_reason = NL80211_TIMEOUT_UNSPECIFIED, 33 .req_ie = data->req_ies, 34 .req_ie_len = data->req_ies_len, 35 .resp_ie = mgmt->u.assoc_resp.variable, 36 .resp_ie_len = data->len - 37 offsetof(struct ieee80211_mgmt, 38 u.assoc_resp.variable), 39 .status = le16_to_cpu(mgmt->u.assoc_resp.status_code), 40 .ap_mld_addr = data->ap_mld_addr, 41 }; 42 unsigned int link_id; 43 44 for (link_id = 0; link_id < ARRAY_SIZE(data->links); link_id++) { 45 cr.links[link_id].status = data->links[link_id].status; 46 WARN_ON_ONCE(cr.links[link_id].status != WLAN_STATUS_SUCCESS && 47 (!cr.ap_mld_addr || !cr.links[link_id].bss)); 48 49 cr.links[link_id].bss = data->links[link_id].bss; 50 if (!cr.links[link_id].bss) 51 continue; 52 cr.links[link_id].bssid = data->links[link_id].bss->bssid; 53 cr.links[link_id].addr = data->links[link_id].addr; 54 /* need to have local link addresses for MLO connections */ 55 WARN_ON(cr.ap_mld_addr && !cr.links[link_id].addr); 56 57 BUG_ON(!cr.links[link_id].bss->channel); 58 59 if (cr.links[link_id].bss->channel->band == NL80211_BAND_S1GHZ) { 60 WARN_ON(link_id); 61 cr.resp_ie = (u8 *)&mgmt->u.s1g_assoc_resp.variable; 62 cr.resp_ie_len = data->len - 63 offsetof(struct ieee80211_mgmt, 64 u.s1g_assoc_resp.variable); 65 } 66 67 if (cr.ap_mld_addr) 68 cr.valid_links |= BIT(link_id); 69 } 70 71 trace_cfg80211_send_rx_assoc(dev, data); 72 73 /* 74 * This is a bit of a hack, we don't notify userspace of 75 * a (re-)association reply if we tried to send a reassoc 76 * and got a reject -- we only try again with an assoc 77 * frame instead of reassoc. 78 */ 79 if (cfg80211_sme_rx_assoc_resp(wdev, cr.status)) { 80 for (link_id = 0; link_id < ARRAY_SIZE(data->links); link_id++) { 81 struct cfg80211_bss *bss = data->links[link_id].bss; 82 83 if (!bss) 84 continue; 85 86 cfg80211_unhold_bss(bss_from_pub(bss)); 87 cfg80211_put_bss(wiphy, bss); 88 } 89 return; 90 } 91 92 nl80211_send_rx_assoc(rdev, dev, data); 93 /* update current_bss etc., consumes the bss reference */ 94 __cfg80211_connect_result(dev, &cr, cr.status == WLAN_STATUS_SUCCESS); 95 } 96 EXPORT_SYMBOL(cfg80211_rx_assoc_resp); 97 98 static void cfg80211_process_auth(struct wireless_dev *wdev, 99 const u8 *buf, size_t len) 100 { 101 struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy); 102 103 nl80211_send_rx_auth(rdev, wdev->netdev, buf, len, GFP_KERNEL); 104 cfg80211_sme_rx_auth(wdev, buf, len); 105 } 106 107 static void cfg80211_process_deauth(struct wireless_dev *wdev, 108 const u8 *buf, size_t len, 109 bool reconnect) 110 { 111 struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy); 112 struct ieee80211_mgmt *mgmt = (struct ieee80211_mgmt *)buf; 113 const u8 *bssid = mgmt->bssid; 114 u16 reason_code = le16_to_cpu(mgmt->u.deauth.reason_code); 115 bool from_ap = !ether_addr_equal(mgmt->sa, wdev->netdev->dev_addr); 116 117 nl80211_send_deauth(rdev, wdev->netdev, buf, len, reconnect, GFP_KERNEL); 118 119 if (!wdev->connected || !ether_addr_equal(wdev->u.client.connected_addr, bssid)) 120 return; 121 122 __cfg80211_disconnected(wdev->netdev, NULL, 0, reason_code, from_ap); 123 cfg80211_sme_deauth(wdev); 124 } 125 126 static void cfg80211_process_disassoc(struct wireless_dev *wdev, 127 const u8 *buf, size_t len, 128 bool reconnect) 129 { 130 struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy); 131 struct ieee80211_mgmt *mgmt = (struct ieee80211_mgmt *)buf; 132 const u8 *bssid = mgmt->bssid; 133 u16 reason_code = le16_to_cpu(mgmt->u.disassoc.reason_code); 134 bool from_ap = !ether_addr_equal(mgmt->sa, wdev->netdev->dev_addr); 135 136 nl80211_send_disassoc(rdev, wdev->netdev, buf, len, reconnect, 137 GFP_KERNEL); 138 139 if (WARN_ON(!wdev->connected || 140 !ether_addr_equal(wdev->u.client.connected_addr, bssid))) 141 return; 142 143 __cfg80211_disconnected(wdev->netdev, NULL, 0, reason_code, from_ap); 144 cfg80211_sme_disassoc(wdev); 145 } 146 147 void cfg80211_rx_mlme_mgmt(struct net_device *dev, const u8 *buf, size_t len) 148 { 149 struct wireless_dev *wdev = dev->ieee80211_ptr; 150 struct ieee80211_mgmt *mgmt = (void *)buf; 151 152 ASSERT_WDEV_LOCK(wdev); 153 154 trace_cfg80211_rx_mlme_mgmt(dev, buf, len); 155 156 if (WARN_ON(len < 2)) 157 return; 158 159 if (ieee80211_is_auth(mgmt->frame_control)) 160 cfg80211_process_auth(wdev, buf, len); 161 else if (ieee80211_is_deauth(mgmt->frame_control)) 162 cfg80211_process_deauth(wdev, buf, len, false); 163 else if (ieee80211_is_disassoc(mgmt->frame_control)) 164 cfg80211_process_disassoc(wdev, buf, len, false); 165 } 166 EXPORT_SYMBOL(cfg80211_rx_mlme_mgmt); 167 168 void cfg80211_auth_timeout(struct net_device *dev, const u8 *addr) 169 { 170 struct wireless_dev *wdev = dev->ieee80211_ptr; 171 struct wiphy *wiphy = wdev->wiphy; 172 struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy); 173 174 trace_cfg80211_send_auth_timeout(dev, addr); 175 176 nl80211_send_auth_timeout(rdev, dev, addr, GFP_KERNEL); 177 cfg80211_sme_auth_timeout(wdev); 178 } 179 EXPORT_SYMBOL(cfg80211_auth_timeout); 180 181 void cfg80211_assoc_failure(struct net_device *dev, 182 struct cfg80211_assoc_failure *data) 183 { 184 struct wireless_dev *wdev = dev->ieee80211_ptr; 185 struct wiphy *wiphy = wdev->wiphy; 186 struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy); 187 const u8 *addr = data->ap_mld_addr ?: data->bss[0]->bssid; 188 int i; 189 190 trace_cfg80211_send_assoc_failure(dev, data); 191 192 if (data->timeout) { 193 nl80211_send_assoc_timeout(rdev, dev, addr, GFP_KERNEL); 194 cfg80211_sme_assoc_timeout(wdev); 195 } else { 196 cfg80211_sme_abandon_assoc(wdev); 197 } 198 199 for (i = 0; i < ARRAY_SIZE(data->bss); i++) { 200 struct cfg80211_bss *bss = data->bss[i]; 201 202 if (!bss) 203 continue; 204 205 cfg80211_unhold_bss(bss_from_pub(bss)); 206 cfg80211_put_bss(wiphy, bss); 207 } 208 } 209 EXPORT_SYMBOL(cfg80211_assoc_failure); 210 211 void cfg80211_tx_mlme_mgmt(struct net_device *dev, const u8 *buf, size_t len, 212 bool reconnect) 213 { 214 struct wireless_dev *wdev = dev->ieee80211_ptr; 215 struct ieee80211_mgmt *mgmt = (void *)buf; 216 217 ASSERT_WDEV_LOCK(wdev); 218 219 trace_cfg80211_tx_mlme_mgmt(dev, buf, len, reconnect); 220 221 if (WARN_ON(len < 2)) 222 return; 223 224 if (ieee80211_is_deauth(mgmt->frame_control)) 225 cfg80211_process_deauth(wdev, buf, len, reconnect); 226 else 227 cfg80211_process_disassoc(wdev, buf, len, reconnect); 228 } 229 EXPORT_SYMBOL(cfg80211_tx_mlme_mgmt); 230 231 void cfg80211_michael_mic_failure(struct net_device *dev, const u8 *addr, 232 enum nl80211_key_type key_type, int key_id, 233 const u8 *tsc, gfp_t gfp) 234 { 235 struct wiphy *wiphy = dev->ieee80211_ptr->wiphy; 236 struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy); 237 #ifdef CONFIG_CFG80211_WEXT 238 union iwreq_data wrqu; 239 char *buf = kmalloc(128, gfp); 240 241 if (buf) { 242 sprintf(buf, "MLME-MICHAELMICFAILURE.indication(" 243 "keyid=%d %scast addr=%pM)", key_id, 244 key_type == NL80211_KEYTYPE_GROUP ? "broad" : "uni", 245 addr); 246 memset(&wrqu, 0, sizeof(wrqu)); 247 wrqu.data.length = strlen(buf); 248 wireless_send_event(dev, IWEVCUSTOM, &wrqu, buf); 249 kfree(buf); 250 } 251 #endif 252 253 trace_cfg80211_michael_mic_failure(dev, addr, key_type, key_id, tsc); 254 nl80211_michael_mic_failure(rdev, dev, addr, key_type, key_id, tsc, gfp); 255 } 256 EXPORT_SYMBOL(cfg80211_michael_mic_failure); 257 258 /* some MLME handling for userspace SME */ 259 int cfg80211_mlme_auth(struct cfg80211_registered_device *rdev, 260 struct net_device *dev, 261 struct cfg80211_auth_request *req) 262 { 263 struct wireless_dev *wdev = dev->ieee80211_ptr; 264 265 ASSERT_WDEV_LOCK(wdev); 266 267 if (!req->bss) 268 return -ENOENT; 269 270 if (req->link_id >= 0 && 271 !(wdev->wiphy->flags & WIPHY_FLAG_SUPPORTS_MLO)) 272 return -EINVAL; 273 274 if (req->auth_type == NL80211_AUTHTYPE_SHARED_KEY) { 275 if (!req->key || !req->key_len || 276 req->key_idx < 0 || req->key_idx > 3) 277 return -EINVAL; 278 } 279 280 if (wdev->connected && 281 ether_addr_equal(req->bss->bssid, wdev->u.client.connected_addr)) 282 return -EALREADY; 283 284 if (ether_addr_equal(req->bss->bssid, dev->dev_addr) || 285 (req->link_id >= 0 && 286 ether_addr_equal(req->ap_mld_addr, dev->dev_addr))) 287 return -EINVAL; 288 289 return rdev_auth(rdev, dev, req); 290 } 291 292 /* Do a logical ht_capa &= ht_capa_mask. */ 293 void cfg80211_oper_and_ht_capa(struct ieee80211_ht_cap *ht_capa, 294 const struct ieee80211_ht_cap *ht_capa_mask) 295 { 296 int i; 297 u8 *p1, *p2; 298 if (!ht_capa_mask) { 299 memset(ht_capa, 0, sizeof(*ht_capa)); 300 return; 301 } 302 303 p1 = (u8*)(ht_capa); 304 p2 = (u8*)(ht_capa_mask); 305 for (i = 0; i < sizeof(*ht_capa); i++) 306 p1[i] &= p2[i]; 307 } 308 309 /* Do a logical vht_capa &= vht_capa_mask. */ 310 void cfg80211_oper_and_vht_capa(struct ieee80211_vht_cap *vht_capa, 311 const struct ieee80211_vht_cap *vht_capa_mask) 312 { 313 int i; 314 u8 *p1, *p2; 315 if (!vht_capa_mask) { 316 memset(vht_capa, 0, sizeof(*vht_capa)); 317 return; 318 } 319 320 p1 = (u8*)(vht_capa); 321 p2 = (u8*)(vht_capa_mask); 322 for (i = 0; i < sizeof(*vht_capa); i++) 323 p1[i] &= p2[i]; 324 } 325 326 /* Note: caller must cfg80211_put_bss() regardless of result */ 327 int cfg80211_mlme_assoc(struct cfg80211_registered_device *rdev, 328 struct net_device *dev, 329 struct cfg80211_assoc_request *req) 330 { 331 struct wireless_dev *wdev = dev->ieee80211_ptr; 332 int err, i, j; 333 334 ASSERT_WDEV_LOCK(wdev); 335 336 for (i = 1; i < ARRAY_SIZE(req->links); i++) { 337 if (!req->links[i].bss) 338 continue; 339 for (j = 0; j < i; j++) { 340 if (req->links[i].bss == req->links[j].bss) 341 return -EINVAL; 342 } 343 344 if (ether_addr_equal(req->links[i].bss->bssid, dev->dev_addr)) 345 return -EINVAL; 346 } 347 348 if (wdev->connected && 349 (!req->prev_bssid || 350 !ether_addr_equal(wdev->u.client.connected_addr, req->prev_bssid))) 351 return -EALREADY; 352 353 if ((req->bss && ether_addr_equal(req->bss->bssid, dev->dev_addr)) || 354 (req->link_id >= 0 && 355 ether_addr_equal(req->ap_mld_addr, dev->dev_addr))) 356 return -EINVAL; 357 358 cfg80211_oper_and_ht_capa(&req->ht_capa_mask, 359 rdev->wiphy.ht_capa_mod_mask); 360 cfg80211_oper_and_vht_capa(&req->vht_capa_mask, 361 rdev->wiphy.vht_capa_mod_mask); 362 363 err = rdev_assoc(rdev, dev, req); 364 if (!err) { 365 int link_id; 366 367 if (req->bss) { 368 cfg80211_ref_bss(&rdev->wiphy, req->bss); 369 cfg80211_hold_bss(bss_from_pub(req->bss)); 370 } 371 372 for (link_id = 0; link_id < ARRAY_SIZE(req->links); link_id++) { 373 if (!req->links[link_id].bss) 374 continue; 375 cfg80211_ref_bss(&rdev->wiphy, req->links[link_id].bss); 376 cfg80211_hold_bss(bss_from_pub(req->links[link_id].bss)); 377 } 378 } 379 return err; 380 } 381 382 int cfg80211_mlme_deauth(struct cfg80211_registered_device *rdev, 383 struct net_device *dev, const u8 *bssid, 384 const u8 *ie, int ie_len, u16 reason, 385 bool local_state_change) 386 { 387 struct wireless_dev *wdev = dev->ieee80211_ptr; 388 struct cfg80211_deauth_request req = { 389 .bssid = bssid, 390 .reason_code = reason, 391 .ie = ie, 392 .ie_len = ie_len, 393 .local_state_change = local_state_change, 394 }; 395 396 ASSERT_WDEV_LOCK(wdev); 397 398 if (local_state_change && 399 (!wdev->connected || 400 !ether_addr_equal(wdev->u.client.connected_addr, bssid))) 401 return 0; 402 403 if (ether_addr_equal(wdev->disconnect_bssid, bssid) || 404 (wdev->connected && 405 ether_addr_equal(wdev->u.client.connected_addr, bssid))) 406 wdev->conn_owner_nlportid = 0; 407 408 return rdev_deauth(rdev, dev, &req); 409 } 410 411 int cfg80211_mlme_disassoc(struct cfg80211_registered_device *rdev, 412 struct net_device *dev, const u8 *ap_addr, 413 const u8 *ie, int ie_len, u16 reason, 414 bool local_state_change) 415 { 416 struct wireless_dev *wdev = dev->ieee80211_ptr; 417 struct cfg80211_disassoc_request req = { 418 .reason_code = reason, 419 .local_state_change = local_state_change, 420 .ie = ie, 421 .ie_len = ie_len, 422 .ap_addr = ap_addr, 423 }; 424 int err; 425 426 ASSERT_WDEV_LOCK(wdev); 427 428 if (!wdev->connected) 429 return -ENOTCONN; 430 431 if (memcmp(wdev->u.client.connected_addr, ap_addr, ETH_ALEN)) 432 return -ENOTCONN; 433 434 err = rdev_disassoc(rdev, dev, &req); 435 if (err) 436 return err; 437 438 /* driver should have reported the disassoc */ 439 WARN_ON(wdev->connected); 440 return 0; 441 } 442 443 void cfg80211_mlme_down(struct cfg80211_registered_device *rdev, 444 struct net_device *dev) 445 { 446 struct wireless_dev *wdev = dev->ieee80211_ptr; 447 u8 bssid[ETH_ALEN]; 448 449 ASSERT_WDEV_LOCK(wdev); 450 451 if (!rdev->ops->deauth) 452 return; 453 454 if (!wdev->connected) 455 return; 456 457 memcpy(bssid, wdev->u.client.connected_addr, ETH_ALEN); 458 cfg80211_mlme_deauth(rdev, dev, bssid, NULL, 0, 459 WLAN_REASON_DEAUTH_LEAVING, false); 460 } 461 462 struct cfg80211_mgmt_registration { 463 struct list_head list; 464 struct wireless_dev *wdev; 465 466 u32 nlportid; 467 468 int match_len; 469 470 __le16 frame_type; 471 472 bool multicast_rx; 473 474 u8 match[]; 475 }; 476 477 static void cfg80211_mgmt_registrations_update(struct wireless_dev *wdev) 478 { 479 struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy); 480 struct wireless_dev *tmp; 481 struct cfg80211_mgmt_registration *reg; 482 struct mgmt_frame_regs upd = {}; 483 484 lockdep_assert_held(&rdev->wiphy.mtx); 485 486 spin_lock_bh(&rdev->mgmt_registrations_lock); 487 if (!wdev->mgmt_registrations_need_update) { 488 spin_unlock_bh(&rdev->mgmt_registrations_lock); 489 return; 490 } 491 492 rcu_read_lock(); 493 list_for_each_entry_rcu(tmp, &rdev->wiphy.wdev_list, list) { 494 list_for_each_entry(reg, &tmp->mgmt_registrations, list) { 495 u32 mask = BIT(le16_to_cpu(reg->frame_type) >> 4); 496 u32 mcast_mask = 0; 497 498 if (reg->multicast_rx) 499 mcast_mask = mask; 500 501 upd.global_stypes |= mask; 502 upd.global_mcast_stypes |= mcast_mask; 503 504 if (tmp == wdev) { 505 upd.interface_stypes |= mask; 506 upd.interface_mcast_stypes |= mcast_mask; 507 } 508 } 509 } 510 rcu_read_unlock(); 511 512 wdev->mgmt_registrations_need_update = 0; 513 spin_unlock_bh(&rdev->mgmt_registrations_lock); 514 515 rdev_update_mgmt_frame_registrations(rdev, wdev, &upd); 516 } 517 518 void cfg80211_mgmt_registrations_update_wk(struct work_struct *wk) 519 { 520 struct cfg80211_registered_device *rdev; 521 struct wireless_dev *wdev; 522 523 rdev = container_of(wk, struct cfg80211_registered_device, 524 mgmt_registrations_update_wk); 525 526 wiphy_lock(&rdev->wiphy); 527 list_for_each_entry(wdev, &rdev->wiphy.wdev_list, list) 528 cfg80211_mgmt_registrations_update(wdev); 529 wiphy_unlock(&rdev->wiphy); 530 } 531 532 int cfg80211_mlme_register_mgmt(struct wireless_dev *wdev, u32 snd_portid, 533 u16 frame_type, const u8 *match_data, 534 int match_len, bool multicast_rx, 535 struct netlink_ext_ack *extack) 536 { 537 struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy); 538 struct cfg80211_mgmt_registration *reg, *nreg; 539 int err = 0; 540 u16 mgmt_type; 541 bool update_multicast = false; 542 543 if (!wdev->wiphy->mgmt_stypes) 544 return -EOPNOTSUPP; 545 546 if ((frame_type & IEEE80211_FCTL_FTYPE) != IEEE80211_FTYPE_MGMT) { 547 NL_SET_ERR_MSG(extack, "frame type not management"); 548 return -EINVAL; 549 } 550 551 if (frame_type & ~(IEEE80211_FCTL_FTYPE | IEEE80211_FCTL_STYPE)) { 552 NL_SET_ERR_MSG(extack, "Invalid frame type"); 553 return -EINVAL; 554 } 555 556 mgmt_type = (frame_type & IEEE80211_FCTL_STYPE) >> 4; 557 if (!(wdev->wiphy->mgmt_stypes[wdev->iftype].rx & BIT(mgmt_type))) { 558 NL_SET_ERR_MSG(extack, 559 "Registration to specific type not supported"); 560 return -EINVAL; 561 } 562 563 /* 564 * To support Pre Association Security Negotiation (PASN), registration 565 * for authentication frames should be supported. However, as some 566 * versions of the user space daemons wrongly register to all types of 567 * authentication frames (which might result in unexpected behavior) 568 * allow such registration if the request is for a specific 569 * authentication algorithm number. 570 */ 571 if (wdev->iftype == NL80211_IFTYPE_STATION && 572 (frame_type & IEEE80211_FCTL_STYPE) == IEEE80211_STYPE_AUTH && 573 !(match_data && match_len >= 2)) { 574 NL_SET_ERR_MSG(extack, 575 "Authentication algorithm number required"); 576 return -EINVAL; 577 } 578 579 nreg = kzalloc(sizeof(*reg) + match_len, GFP_KERNEL); 580 if (!nreg) 581 return -ENOMEM; 582 583 spin_lock_bh(&rdev->mgmt_registrations_lock); 584 585 list_for_each_entry(reg, &wdev->mgmt_registrations, list) { 586 int mlen = min(match_len, reg->match_len); 587 588 if (frame_type != le16_to_cpu(reg->frame_type)) 589 continue; 590 591 if (memcmp(reg->match, match_data, mlen) == 0) { 592 if (reg->multicast_rx != multicast_rx) { 593 update_multicast = true; 594 reg->multicast_rx = multicast_rx; 595 break; 596 } 597 NL_SET_ERR_MSG(extack, "Match already configured"); 598 err = -EALREADY; 599 break; 600 } 601 } 602 603 if (err) 604 goto out; 605 606 if (update_multicast) { 607 kfree(nreg); 608 } else { 609 memcpy(nreg->match, match_data, match_len); 610 nreg->match_len = match_len; 611 nreg->nlportid = snd_portid; 612 nreg->frame_type = cpu_to_le16(frame_type); 613 nreg->wdev = wdev; 614 nreg->multicast_rx = multicast_rx; 615 list_add(&nreg->list, &wdev->mgmt_registrations); 616 } 617 wdev->mgmt_registrations_need_update = 1; 618 spin_unlock_bh(&rdev->mgmt_registrations_lock); 619 620 cfg80211_mgmt_registrations_update(wdev); 621 622 return 0; 623 624 out: 625 kfree(nreg); 626 spin_unlock_bh(&rdev->mgmt_registrations_lock); 627 628 return err; 629 } 630 631 void cfg80211_mlme_unregister_socket(struct wireless_dev *wdev, u32 nlportid) 632 { 633 struct wiphy *wiphy = wdev->wiphy; 634 struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy); 635 struct cfg80211_mgmt_registration *reg, *tmp; 636 637 spin_lock_bh(&rdev->mgmt_registrations_lock); 638 639 list_for_each_entry_safe(reg, tmp, &wdev->mgmt_registrations, list) { 640 if (reg->nlportid != nlportid) 641 continue; 642 643 list_del(®->list); 644 kfree(reg); 645 646 wdev->mgmt_registrations_need_update = 1; 647 schedule_work(&rdev->mgmt_registrations_update_wk); 648 } 649 650 spin_unlock_bh(&rdev->mgmt_registrations_lock); 651 652 if (nlportid && rdev->crit_proto_nlportid == nlportid) { 653 rdev->crit_proto_nlportid = 0; 654 rdev_crit_proto_stop(rdev, wdev); 655 } 656 657 if (nlportid == wdev->ap_unexpected_nlportid) 658 wdev->ap_unexpected_nlportid = 0; 659 } 660 661 void cfg80211_mlme_purge_registrations(struct wireless_dev *wdev) 662 { 663 struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy); 664 struct cfg80211_mgmt_registration *reg, *tmp; 665 666 spin_lock_bh(&rdev->mgmt_registrations_lock); 667 list_for_each_entry_safe(reg, tmp, &wdev->mgmt_registrations, list) { 668 list_del(®->list); 669 kfree(reg); 670 } 671 wdev->mgmt_registrations_need_update = 1; 672 spin_unlock_bh(&rdev->mgmt_registrations_lock); 673 674 cfg80211_mgmt_registrations_update(wdev); 675 } 676 677 static bool cfg80211_allowed_address(struct wireless_dev *wdev, const u8 *addr) 678 { 679 int i; 680 681 for_each_valid_link(wdev, i) { 682 if (ether_addr_equal(addr, wdev->links[i].addr)) 683 return true; 684 } 685 686 return ether_addr_equal(addr, wdev_address(wdev)); 687 } 688 689 static bool cfg80211_allowed_random_address(struct wireless_dev *wdev, 690 const struct ieee80211_mgmt *mgmt) 691 { 692 if (ieee80211_is_auth(mgmt->frame_control) || 693 ieee80211_is_deauth(mgmt->frame_control)) { 694 /* Allow random TA to be used with authentication and 695 * deauthentication frames if the driver has indicated support. 696 */ 697 if (wiphy_ext_feature_isset( 698 wdev->wiphy, 699 NL80211_EXT_FEATURE_AUTH_AND_DEAUTH_RANDOM_TA)) 700 return true; 701 } else if (ieee80211_is_action(mgmt->frame_control) && 702 mgmt->u.action.category == WLAN_CATEGORY_PUBLIC) { 703 /* Allow random TA to be used with Public Action frames if the 704 * driver has indicated support. 705 */ 706 if (!wdev->connected && 707 wiphy_ext_feature_isset( 708 wdev->wiphy, 709 NL80211_EXT_FEATURE_MGMT_TX_RANDOM_TA)) 710 return true; 711 712 if (wdev->connected && 713 wiphy_ext_feature_isset( 714 wdev->wiphy, 715 NL80211_EXT_FEATURE_MGMT_TX_RANDOM_TA_CONNECTED)) 716 return true; 717 } 718 719 return false; 720 } 721 722 int cfg80211_mlme_mgmt_tx(struct cfg80211_registered_device *rdev, 723 struct wireless_dev *wdev, 724 struct cfg80211_mgmt_tx_params *params, u64 *cookie) 725 { 726 const struct ieee80211_mgmt *mgmt; 727 u16 stype; 728 729 if (!wdev->wiphy->mgmt_stypes) 730 return -EOPNOTSUPP; 731 732 if (!rdev->ops->mgmt_tx) 733 return -EOPNOTSUPP; 734 735 if (params->len < 24 + 1) 736 return -EINVAL; 737 738 mgmt = (const struct ieee80211_mgmt *)params->buf; 739 740 if (!ieee80211_is_mgmt(mgmt->frame_control)) 741 return -EINVAL; 742 743 stype = le16_to_cpu(mgmt->frame_control) & IEEE80211_FCTL_STYPE; 744 if (!(wdev->wiphy->mgmt_stypes[wdev->iftype].tx & BIT(stype >> 4))) 745 return -EINVAL; 746 747 if (ieee80211_is_action(mgmt->frame_control) && 748 mgmt->u.action.category != WLAN_CATEGORY_PUBLIC) { 749 int err = 0; 750 751 wdev_lock(wdev); 752 753 switch (wdev->iftype) { 754 case NL80211_IFTYPE_ADHOC: 755 /* 756 * check for IBSS DA must be done by driver as 757 * cfg80211 doesn't track the stations 758 */ 759 if (!wdev->u.ibss.current_bss || 760 !ether_addr_equal(wdev->u.ibss.current_bss->pub.bssid, 761 mgmt->bssid)) { 762 err = -ENOTCONN; 763 break; 764 } 765 break; 766 case NL80211_IFTYPE_STATION: 767 case NL80211_IFTYPE_P2P_CLIENT: 768 if (!wdev->connected) { 769 err = -ENOTCONN; 770 break; 771 } 772 773 /* FIXME: MLD may address this differently */ 774 775 if (!ether_addr_equal(wdev->u.client.connected_addr, 776 mgmt->bssid)) { 777 err = -ENOTCONN; 778 break; 779 } 780 781 /* for station, check that DA is the AP */ 782 if (!ether_addr_equal(wdev->u.client.connected_addr, 783 mgmt->da)) { 784 err = -ENOTCONN; 785 break; 786 } 787 break; 788 case NL80211_IFTYPE_AP: 789 case NL80211_IFTYPE_P2P_GO: 790 case NL80211_IFTYPE_AP_VLAN: 791 if (!ether_addr_equal(mgmt->bssid, wdev_address(wdev)) && 792 (params->link_id < 0 || 793 !ether_addr_equal(mgmt->bssid, 794 wdev->links[params->link_id].addr))) 795 err = -EINVAL; 796 break; 797 case NL80211_IFTYPE_MESH_POINT: 798 if (!ether_addr_equal(mgmt->sa, mgmt->bssid)) { 799 err = -EINVAL; 800 break; 801 } 802 /* 803 * check for mesh DA must be done by driver as 804 * cfg80211 doesn't track the stations 805 */ 806 break; 807 case NL80211_IFTYPE_P2P_DEVICE: 808 /* 809 * fall through, P2P device only supports 810 * public action frames 811 */ 812 case NL80211_IFTYPE_NAN: 813 default: 814 err = -EOPNOTSUPP; 815 break; 816 } 817 wdev_unlock(wdev); 818 819 if (err) 820 return err; 821 } 822 823 if (!cfg80211_allowed_address(wdev, mgmt->sa) && 824 !cfg80211_allowed_random_address(wdev, mgmt)) 825 return -EINVAL; 826 827 /* Transmit the management frame as requested by user space */ 828 return rdev_mgmt_tx(rdev, wdev, params, cookie); 829 } 830 831 bool cfg80211_rx_mgmt_ext(struct wireless_dev *wdev, 832 struct cfg80211_rx_info *info) 833 { 834 struct wiphy *wiphy = wdev->wiphy; 835 struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy); 836 struct cfg80211_mgmt_registration *reg; 837 const struct ieee80211_txrx_stypes *stypes = 838 &wiphy->mgmt_stypes[wdev->iftype]; 839 struct ieee80211_mgmt *mgmt = (void *)info->buf; 840 const u8 *data; 841 int data_len; 842 bool result = false; 843 __le16 ftype = mgmt->frame_control & 844 cpu_to_le16(IEEE80211_FCTL_FTYPE | IEEE80211_FCTL_STYPE); 845 u16 stype; 846 847 trace_cfg80211_rx_mgmt(wdev, info); 848 stype = (le16_to_cpu(mgmt->frame_control) & IEEE80211_FCTL_STYPE) >> 4; 849 850 if (!(stypes->rx & BIT(stype))) { 851 trace_cfg80211_return_bool(false); 852 return false; 853 } 854 855 data = info->buf + ieee80211_hdrlen(mgmt->frame_control); 856 data_len = info->len - ieee80211_hdrlen(mgmt->frame_control); 857 858 spin_lock_bh(&rdev->mgmt_registrations_lock); 859 860 list_for_each_entry(reg, &wdev->mgmt_registrations, list) { 861 if (reg->frame_type != ftype) 862 continue; 863 864 if (reg->match_len > data_len) 865 continue; 866 867 if (memcmp(reg->match, data, reg->match_len)) 868 continue; 869 870 /* found match! */ 871 872 /* Indicate the received Action frame to user space */ 873 if (nl80211_send_mgmt(rdev, wdev, reg->nlportid, info, 874 GFP_ATOMIC)) 875 continue; 876 877 result = true; 878 break; 879 } 880 881 spin_unlock_bh(&rdev->mgmt_registrations_lock); 882 883 trace_cfg80211_return_bool(result); 884 return result; 885 } 886 EXPORT_SYMBOL(cfg80211_rx_mgmt_ext); 887 888 void cfg80211_sched_dfs_chan_update(struct cfg80211_registered_device *rdev) 889 { 890 cancel_delayed_work(&rdev->dfs_update_channels_wk); 891 queue_delayed_work(cfg80211_wq, &rdev->dfs_update_channels_wk, 0); 892 } 893 894 void cfg80211_dfs_channels_update_work(struct work_struct *work) 895 { 896 struct delayed_work *delayed_work = to_delayed_work(work); 897 struct cfg80211_registered_device *rdev; 898 struct cfg80211_chan_def chandef; 899 struct ieee80211_supported_band *sband; 900 struct ieee80211_channel *c; 901 struct wiphy *wiphy; 902 bool check_again = false; 903 unsigned long timeout, next_time = 0; 904 unsigned long time_dfs_update; 905 enum nl80211_radar_event radar_event; 906 int bandid, i; 907 908 rdev = container_of(delayed_work, struct cfg80211_registered_device, 909 dfs_update_channels_wk); 910 wiphy = &rdev->wiphy; 911 912 rtnl_lock(); 913 for (bandid = 0; bandid < NUM_NL80211_BANDS; bandid++) { 914 sband = wiphy->bands[bandid]; 915 if (!sband) 916 continue; 917 918 for (i = 0; i < sband->n_channels; i++) { 919 c = &sband->channels[i]; 920 921 if (!(c->flags & IEEE80211_CHAN_RADAR)) 922 continue; 923 924 if (c->dfs_state != NL80211_DFS_UNAVAILABLE && 925 c->dfs_state != NL80211_DFS_AVAILABLE) 926 continue; 927 928 if (c->dfs_state == NL80211_DFS_UNAVAILABLE) { 929 time_dfs_update = IEEE80211_DFS_MIN_NOP_TIME_MS; 930 radar_event = NL80211_RADAR_NOP_FINISHED; 931 } else { 932 if (regulatory_pre_cac_allowed(wiphy) || 933 cfg80211_any_wiphy_oper_chan(wiphy, c)) 934 continue; 935 936 time_dfs_update = REG_PRE_CAC_EXPIRY_GRACE_MS; 937 radar_event = NL80211_RADAR_PRE_CAC_EXPIRED; 938 } 939 940 timeout = c->dfs_state_entered + 941 msecs_to_jiffies(time_dfs_update); 942 943 if (time_after_eq(jiffies, timeout)) { 944 c->dfs_state = NL80211_DFS_USABLE; 945 c->dfs_state_entered = jiffies; 946 947 cfg80211_chandef_create(&chandef, c, 948 NL80211_CHAN_NO_HT); 949 950 nl80211_radar_notify(rdev, &chandef, 951 radar_event, NULL, 952 GFP_ATOMIC); 953 954 regulatory_propagate_dfs_state(wiphy, &chandef, 955 c->dfs_state, 956 radar_event); 957 continue; 958 } 959 960 if (!check_again) 961 next_time = timeout - jiffies; 962 else 963 next_time = min(next_time, timeout - jiffies); 964 check_again = true; 965 } 966 } 967 rtnl_unlock(); 968 969 /* reschedule if there are other channels waiting to be cleared again */ 970 if (check_again) 971 queue_delayed_work(cfg80211_wq, &rdev->dfs_update_channels_wk, 972 next_time); 973 } 974 975 976 void __cfg80211_radar_event(struct wiphy *wiphy, 977 struct cfg80211_chan_def *chandef, 978 bool offchan, gfp_t gfp) 979 { 980 struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy); 981 982 trace_cfg80211_radar_event(wiphy, chandef, offchan); 983 984 /* only set the chandef supplied channel to unavailable, in 985 * case the radar is detected on only one of multiple channels 986 * spanned by the chandef. 987 */ 988 cfg80211_set_dfs_state(wiphy, chandef, NL80211_DFS_UNAVAILABLE); 989 990 if (offchan) 991 queue_work(cfg80211_wq, &rdev->background_cac_abort_wk); 992 993 cfg80211_sched_dfs_chan_update(rdev); 994 995 nl80211_radar_notify(rdev, chandef, NL80211_RADAR_DETECTED, NULL, gfp); 996 997 memcpy(&rdev->radar_chandef, chandef, sizeof(struct cfg80211_chan_def)); 998 queue_work(cfg80211_wq, &rdev->propagate_radar_detect_wk); 999 } 1000 EXPORT_SYMBOL(__cfg80211_radar_event); 1001 1002 void cfg80211_cac_event(struct net_device *netdev, 1003 const struct cfg80211_chan_def *chandef, 1004 enum nl80211_radar_event event, gfp_t gfp) 1005 { 1006 struct wireless_dev *wdev = netdev->ieee80211_ptr; 1007 struct wiphy *wiphy = wdev->wiphy; 1008 struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy); 1009 unsigned long timeout; 1010 1011 /* not yet supported */ 1012 if (wdev->valid_links) 1013 return; 1014 1015 trace_cfg80211_cac_event(netdev, event); 1016 1017 if (WARN_ON(!wdev->cac_started && event != NL80211_RADAR_CAC_STARTED)) 1018 return; 1019 1020 switch (event) { 1021 case NL80211_RADAR_CAC_FINISHED: 1022 timeout = wdev->cac_start_time + 1023 msecs_to_jiffies(wdev->cac_time_ms); 1024 WARN_ON(!time_after_eq(jiffies, timeout)); 1025 cfg80211_set_dfs_state(wiphy, chandef, NL80211_DFS_AVAILABLE); 1026 memcpy(&rdev->cac_done_chandef, chandef, 1027 sizeof(struct cfg80211_chan_def)); 1028 queue_work(cfg80211_wq, &rdev->propagate_cac_done_wk); 1029 cfg80211_sched_dfs_chan_update(rdev); 1030 fallthrough; 1031 case NL80211_RADAR_CAC_ABORTED: 1032 wdev->cac_started = false; 1033 break; 1034 case NL80211_RADAR_CAC_STARTED: 1035 wdev->cac_started = true; 1036 break; 1037 default: 1038 WARN_ON(1); 1039 return; 1040 } 1041 1042 nl80211_radar_notify(rdev, chandef, event, netdev, gfp); 1043 } 1044 EXPORT_SYMBOL(cfg80211_cac_event); 1045 1046 static void 1047 __cfg80211_background_cac_event(struct cfg80211_registered_device *rdev, 1048 struct wireless_dev *wdev, 1049 const struct cfg80211_chan_def *chandef, 1050 enum nl80211_radar_event event) 1051 { 1052 struct wiphy *wiphy = &rdev->wiphy; 1053 struct net_device *netdev; 1054 1055 lockdep_assert_wiphy(&rdev->wiphy); 1056 1057 if (!cfg80211_chandef_valid(chandef)) 1058 return; 1059 1060 if (!rdev->background_radar_wdev) 1061 return; 1062 1063 switch (event) { 1064 case NL80211_RADAR_CAC_FINISHED: 1065 cfg80211_set_dfs_state(wiphy, chandef, NL80211_DFS_AVAILABLE); 1066 memcpy(&rdev->cac_done_chandef, chandef, sizeof(*chandef)); 1067 queue_work(cfg80211_wq, &rdev->propagate_cac_done_wk); 1068 cfg80211_sched_dfs_chan_update(rdev); 1069 wdev = rdev->background_radar_wdev; 1070 break; 1071 case NL80211_RADAR_CAC_ABORTED: 1072 if (!cancel_delayed_work(&rdev->background_cac_done_wk)) 1073 return; 1074 wdev = rdev->background_radar_wdev; 1075 break; 1076 case NL80211_RADAR_CAC_STARTED: 1077 break; 1078 default: 1079 return; 1080 } 1081 1082 netdev = wdev ? wdev->netdev : NULL; 1083 nl80211_radar_notify(rdev, chandef, event, netdev, GFP_KERNEL); 1084 } 1085 1086 static void 1087 cfg80211_background_cac_event(struct cfg80211_registered_device *rdev, 1088 const struct cfg80211_chan_def *chandef, 1089 enum nl80211_radar_event event) 1090 { 1091 wiphy_lock(&rdev->wiphy); 1092 __cfg80211_background_cac_event(rdev, rdev->background_radar_wdev, 1093 chandef, event); 1094 wiphy_unlock(&rdev->wiphy); 1095 } 1096 1097 void cfg80211_background_cac_done_wk(struct work_struct *work) 1098 { 1099 struct delayed_work *delayed_work = to_delayed_work(work); 1100 struct cfg80211_registered_device *rdev; 1101 1102 rdev = container_of(delayed_work, struct cfg80211_registered_device, 1103 background_cac_done_wk); 1104 cfg80211_background_cac_event(rdev, &rdev->background_radar_chandef, 1105 NL80211_RADAR_CAC_FINISHED); 1106 } 1107 1108 void cfg80211_background_cac_abort_wk(struct work_struct *work) 1109 { 1110 struct cfg80211_registered_device *rdev; 1111 1112 rdev = container_of(work, struct cfg80211_registered_device, 1113 background_cac_abort_wk); 1114 cfg80211_background_cac_event(rdev, &rdev->background_radar_chandef, 1115 NL80211_RADAR_CAC_ABORTED); 1116 } 1117 1118 void cfg80211_background_cac_abort(struct wiphy *wiphy) 1119 { 1120 struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy); 1121 1122 queue_work(cfg80211_wq, &rdev->background_cac_abort_wk); 1123 } 1124 EXPORT_SYMBOL(cfg80211_background_cac_abort); 1125 1126 int 1127 cfg80211_start_background_radar_detection(struct cfg80211_registered_device *rdev, 1128 struct wireless_dev *wdev, 1129 struct cfg80211_chan_def *chandef) 1130 { 1131 unsigned int cac_time_ms; 1132 int err; 1133 1134 lockdep_assert_wiphy(&rdev->wiphy); 1135 1136 if (!wiphy_ext_feature_isset(&rdev->wiphy, 1137 NL80211_EXT_FEATURE_RADAR_BACKGROUND)) 1138 return -EOPNOTSUPP; 1139 1140 /* Offchannel chain already locked by another wdev */ 1141 if (rdev->background_radar_wdev && rdev->background_radar_wdev != wdev) 1142 return -EBUSY; 1143 1144 /* CAC already in progress on the offchannel chain */ 1145 if (rdev->background_radar_wdev == wdev && 1146 delayed_work_pending(&rdev->background_cac_done_wk)) 1147 return -EBUSY; 1148 1149 err = rdev_set_radar_background(rdev, chandef); 1150 if (err) 1151 return err; 1152 1153 cac_time_ms = cfg80211_chandef_dfs_cac_time(&rdev->wiphy, chandef); 1154 if (!cac_time_ms) 1155 cac_time_ms = IEEE80211_DFS_MIN_CAC_TIME_MS; 1156 1157 rdev->background_radar_chandef = *chandef; 1158 rdev->background_radar_wdev = wdev; /* Get offchain ownership */ 1159 1160 __cfg80211_background_cac_event(rdev, wdev, chandef, 1161 NL80211_RADAR_CAC_STARTED); 1162 queue_delayed_work(cfg80211_wq, &rdev->background_cac_done_wk, 1163 msecs_to_jiffies(cac_time_ms)); 1164 1165 return 0; 1166 } 1167 1168 void cfg80211_stop_background_radar_detection(struct wireless_dev *wdev) 1169 { 1170 struct wiphy *wiphy = wdev->wiphy; 1171 struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy); 1172 1173 lockdep_assert_wiphy(wiphy); 1174 1175 if (wdev != rdev->background_radar_wdev) 1176 return; 1177 1178 rdev_set_radar_background(rdev, NULL); 1179 rdev->background_radar_wdev = NULL; /* Release offchain ownership */ 1180 1181 __cfg80211_background_cac_event(rdev, wdev, 1182 &rdev->background_radar_chandef, 1183 NL80211_RADAR_CAC_ABORTED); 1184 } 1185