1 /* 2 * cfg80211 scan result handling 3 * 4 * Copyright 2008 Johannes Berg <johannes@sipsolutions.net> 5 * Copyright 2013-2014 Intel Mobile Communications GmbH 6 * Copyright 2016 Intel Deutschland GmbH 7 */ 8 #include <linux/kernel.h> 9 #include <linux/slab.h> 10 #include <linux/module.h> 11 #include <linux/netdevice.h> 12 #include <linux/wireless.h> 13 #include <linux/nl80211.h> 14 #include <linux/etherdevice.h> 15 #include <net/arp.h> 16 #include <net/cfg80211.h> 17 #include <net/cfg80211-wext.h> 18 #include <net/iw_handler.h> 19 #include "core.h" 20 #include "nl80211.h" 21 #include "wext-compat.h" 22 #include "rdev-ops.h" 23 24 /** 25 * DOC: BSS tree/list structure 26 * 27 * At the top level, the BSS list is kept in both a list in each 28 * registered device (@bss_list) as well as an RB-tree for faster 29 * lookup. In the RB-tree, entries can be looked up using their 30 * channel, MESHID, MESHCONF (for MBSSes) or channel, BSSID, SSID 31 * for other BSSes. 32 * 33 * Due to the possibility of hidden SSIDs, there's a second level 34 * structure, the "hidden_list" and "hidden_beacon_bss" pointer. 35 * The hidden_list connects all BSSes belonging to a single AP 36 * that has a hidden SSID, and connects beacon and probe response 37 * entries. For a probe response entry for a hidden SSID, the 38 * hidden_beacon_bss pointer points to the BSS struct holding the 39 * beacon's information. 40 * 41 * Reference counting is done for all these references except for 42 * the hidden_list, so that a beacon BSS struct that is otherwise 43 * not referenced has one reference for being on the bss_list and 44 * one for each probe response entry that points to it using the 45 * hidden_beacon_bss pointer. When a BSS struct that has such a 46 * pointer is get/put, the refcount update is also propagated to 47 * the referenced struct, this ensure that it cannot get removed 48 * while somebody is using the probe response version. 49 * 50 * Note that the hidden_beacon_bss pointer never changes, due to 51 * the reference counting. Therefore, no locking is needed for 52 * it. 53 * 54 * Also note that the hidden_beacon_bss pointer is only relevant 55 * if the driver uses something other than the IEs, e.g. private 56 * data stored stored in the BSS struct, since the beacon IEs are 57 * also linked into the probe response struct. 58 */ 59 60 /* 61 * Limit the number of BSS entries stored in mac80211. Each one is 62 * a bit over 4k at most, so this limits to roughly 4-5M of memory. 63 * If somebody wants to really attack this though, they'd likely 64 * use small beacons, and only one type of frame, limiting each of 65 * the entries to a much smaller size (in order to generate more 66 * entries in total, so overhead is bigger.) 67 */ 68 static int bss_entries_limit = 1000; 69 module_param(bss_entries_limit, int, 0644); 70 MODULE_PARM_DESC(bss_entries_limit, 71 "limit to number of scan BSS entries (per wiphy, default 1000)"); 72 73 #define IEEE80211_SCAN_RESULT_EXPIRE (30 * HZ) 74 75 static void bss_free(struct cfg80211_internal_bss *bss) 76 { 77 struct cfg80211_bss_ies *ies; 78 79 if (WARN_ON(atomic_read(&bss->hold))) 80 return; 81 82 ies = (void *)rcu_access_pointer(bss->pub.beacon_ies); 83 if (ies && !bss->pub.hidden_beacon_bss) 84 kfree_rcu(ies, rcu_head); 85 ies = (void *)rcu_access_pointer(bss->pub.proberesp_ies); 86 if (ies) 87 kfree_rcu(ies, rcu_head); 88 89 /* 90 * This happens when the module is removed, it doesn't 91 * really matter any more save for completeness 92 */ 93 if (!list_empty(&bss->hidden_list)) 94 list_del(&bss->hidden_list); 95 96 kfree(bss); 97 } 98 99 static inline void bss_ref_get(struct cfg80211_registered_device *rdev, 100 struct cfg80211_internal_bss *bss) 101 { 102 lockdep_assert_held(&rdev->bss_lock); 103 104 bss->refcount++; 105 if (bss->pub.hidden_beacon_bss) { 106 bss = container_of(bss->pub.hidden_beacon_bss, 107 struct cfg80211_internal_bss, 108 pub); 109 bss->refcount++; 110 } 111 } 112 113 static inline void bss_ref_put(struct cfg80211_registered_device *rdev, 114 struct cfg80211_internal_bss *bss) 115 { 116 lockdep_assert_held(&rdev->bss_lock); 117 118 if (bss->pub.hidden_beacon_bss) { 119 struct cfg80211_internal_bss *hbss; 120 hbss = container_of(bss->pub.hidden_beacon_bss, 121 struct cfg80211_internal_bss, 122 pub); 123 hbss->refcount--; 124 if (hbss->refcount == 0) 125 bss_free(hbss); 126 } 127 bss->refcount--; 128 if (bss->refcount == 0) 129 bss_free(bss); 130 } 131 132 static bool __cfg80211_unlink_bss(struct cfg80211_registered_device *rdev, 133 struct cfg80211_internal_bss *bss) 134 { 135 lockdep_assert_held(&rdev->bss_lock); 136 137 if (!list_empty(&bss->hidden_list)) { 138 /* 139 * don't remove the beacon entry if it has 140 * probe responses associated with it 141 */ 142 if (!bss->pub.hidden_beacon_bss) 143 return false; 144 /* 145 * if it's a probe response entry break its 146 * link to the other entries in the group 147 */ 148 list_del_init(&bss->hidden_list); 149 } 150 151 list_del_init(&bss->list); 152 rb_erase(&bss->rbn, &rdev->bss_tree); 153 rdev->bss_entries--; 154 WARN_ONCE((rdev->bss_entries == 0) ^ list_empty(&rdev->bss_list), 155 "rdev bss entries[%d]/list[empty:%d] corruption\n", 156 rdev->bss_entries, list_empty(&rdev->bss_list)); 157 bss_ref_put(rdev, bss); 158 return true; 159 } 160 161 static void __cfg80211_bss_expire(struct cfg80211_registered_device *rdev, 162 unsigned long expire_time) 163 { 164 struct cfg80211_internal_bss *bss, *tmp; 165 bool expired = false; 166 167 lockdep_assert_held(&rdev->bss_lock); 168 169 list_for_each_entry_safe(bss, tmp, &rdev->bss_list, list) { 170 if (atomic_read(&bss->hold)) 171 continue; 172 if (!time_after(expire_time, bss->ts)) 173 continue; 174 175 if (__cfg80211_unlink_bss(rdev, bss)) 176 expired = true; 177 } 178 179 if (expired) 180 rdev->bss_generation++; 181 } 182 183 static bool cfg80211_bss_expire_oldest(struct cfg80211_registered_device *rdev) 184 { 185 struct cfg80211_internal_bss *bss, *oldest = NULL; 186 bool ret; 187 188 lockdep_assert_held(&rdev->bss_lock); 189 190 list_for_each_entry(bss, &rdev->bss_list, list) { 191 if (atomic_read(&bss->hold)) 192 continue; 193 194 if (!list_empty(&bss->hidden_list) && 195 !bss->pub.hidden_beacon_bss) 196 continue; 197 198 if (oldest && time_before(oldest->ts, bss->ts)) 199 continue; 200 oldest = bss; 201 } 202 203 if (WARN_ON(!oldest)) 204 return false; 205 206 /* 207 * The callers make sure to increase rdev->bss_generation if anything 208 * gets removed (and a new entry added), so there's no need to also do 209 * it here. 210 */ 211 212 ret = __cfg80211_unlink_bss(rdev, oldest); 213 WARN_ON(!ret); 214 return ret; 215 } 216 217 void ___cfg80211_scan_done(struct cfg80211_registered_device *rdev, 218 bool send_message) 219 { 220 struct cfg80211_scan_request *request; 221 struct wireless_dev *wdev; 222 struct sk_buff *msg; 223 #ifdef CONFIG_CFG80211_WEXT 224 union iwreq_data wrqu; 225 #endif 226 227 ASSERT_RTNL(); 228 229 if (rdev->scan_msg) { 230 nl80211_send_scan_result(rdev, rdev->scan_msg); 231 rdev->scan_msg = NULL; 232 return; 233 } 234 235 request = rdev->scan_req; 236 if (!request) 237 return; 238 239 wdev = request->wdev; 240 241 /* 242 * This must be before sending the other events! 243 * Otherwise, wpa_supplicant gets completely confused with 244 * wext events. 245 */ 246 if (wdev->netdev) 247 cfg80211_sme_scan_done(wdev->netdev); 248 249 if (!request->info.aborted && 250 request->flags & NL80211_SCAN_FLAG_FLUSH) { 251 /* flush entries from previous scans */ 252 spin_lock_bh(&rdev->bss_lock); 253 __cfg80211_bss_expire(rdev, request->scan_start); 254 spin_unlock_bh(&rdev->bss_lock); 255 } 256 257 msg = nl80211_build_scan_msg(rdev, wdev, request->info.aborted); 258 259 #ifdef CONFIG_CFG80211_WEXT 260 if (wdev->netdev && !request->info.aborted) { 261 memset(&wrqu, 0, sizeof(wrqu)); 262 263 wireless_send_event(wdev->netdev, SIOCGIWSCAN, &wrqu, NULL); 264 } 265 #endif 266 267 if (wdev->netdev) 268 dev_put(wdev->netdev); 269 270 rdev->scan_req = NULL; 271 kfree(request); 272 273 if (!send_message) 274 rdev->scan_msg = msg; 275 else 276 nl80211_send_scan_result(rdev, msg); 277 } 278 279 void __cfg80211_scan_done(struct work_struct *wk) 280 { 281 struct cfg80211_registered_device *rdev; 282 283 rdev = container_of(wk, struct cfg80211_registered_device, 284 scan_done_wk); 285 286 rtnl_lock(); 287 ___cfg80211_scan_done(rdev, true); 288 rtnl_unlock(); 289 } 290 291 void cfg80211_scan_done(struct cfg80211_scan_request *request, 292 struct cfg80211_scan_info *info) 293 { 294 trace_cfg80211_scan_done(request, info); 295 WARN_ON(request != wiphy_to_rdev(request->wiphy)->scan_req); 296 297 request->info = *info; 298 request->notified = true; 299 queue_work(cfg80211_wq, &wiphy_to_rdev(request->wiphy)->scan_done_wk); 300 } 301 EXPORT_SYMBOL(cfg80211_scan_done); 302 303 void __cfg80211_sched_scan_results(struct work_struct *wk) 304 { 305 struct cfg80211_registered_device *rdev; 306 struct cfg80211_sched_scan_request *request; 307 308 rdev = container_of(wk, struct cfg80211_registered_device, 309 sched_scan_results_wk); 310 311 rtnl_lock(); 312 313 request = rtnl_dereference(rdev->sched_scan_req); 314 315 /* we don't have sched_scan_req anymore if the scan is stopping */ 316 if (request) { 317 if (request->flags & NL80211_SCAN_FLAG_FLUSH) { 318 /* flush entries from previous scans */ 319 spin_lock_bh(&rdev->bss_lock); 320 __cfg80211_bss_expire(rdev, request->scan_start); 321 spin_unlock_bh(&rdev->bss_lock); 322 request->scan_start = jiffies; 323 } 324 nl80211_send_sched_scan_results(rdev, request->dev); 325 } 326 327 rtnl_unlock(); 328 } 329 330 void cfg80211_sched_scan_results(struct wiphy *wiphy) 331 { 332 trace_cfg80211_sched_scan_results(wiphy); 333 /* ignore if we're not scanning */ 334 335 if (rcu_access_pointer(wiphy_to_rdev(wiphy)->sched_scan_req)) 336 queue_work(cfg80211_wq, 337 &wiphy_to_rdev(wiphy)->sched_scan_results_wk); 338 } 339 EXPORT_SYMBOL(cfg80211_sched_scan_results); 340 341 void cfg80211_sched_scan_stopped_rtnl(struct wiphy *wiphy) 342 { 343 struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy); 344 345 ASSERT_RTNL(); 346 347 trace_cfg80211_sched_scan_stopped(wiphy); 348 349 __cfg80211_stop_sched_scan(rdev, true); 350 } 351 EXPORT_SYMBOL(cfg80211_sched_scan_stopped_rtnl); 352 353 void cfg80211_sched_scan_stopped(struct wiphy *wiphy) 354 { 355 rtnl_lock(); 356 cfg80211_sched_scan_stopped_rtnl(wiphy); 357 rtnl_unlock(); 358 } 359 EXPORT_SYMBOL(cfg80211_sched_scan_stopped); 360 361 int __cfg80211_stop_sched_scan(struct cfg80211_registered_device *rdev, 362 bool driver_initiated) 363 { 364 struct cfg80211_sched_scan_request *sched_scan_req; 365 struct net_device *dev; 366 367 ASSERT_RTNL(); 368 369 if (!rdev->sched_scan_req) 370 return -ENOENT; 371 372 sched_scan_req = rtnl_dereference(rdev->sched_scan_req); 373 dev = sched_scan_req->dev; 374 375 if (!driver_initiated) { 376 int err = rdev_sched_scan_stop(rdev, dev); 377 if (err) 378 return err; 379 } 380 381 nl80211_send_sched_scan(rdev, dev, NL80211_CMD_SCHED_SCAN_STOPPED); 382 383 RCU_INIT_POINTER(rdev->sched_scan_req, NULL); 384 kfree_rcu(sched_scan_req, rcu_head); 385 386 return 0; 387 } 388 389 void cfg80211_bss_age(struct cfg80211_registered_device *rdev, 390 unsigned long age_secs) 391 { 392 struct cfg80211_internal_bss *bss; 393 unsigned long age_jiffies = msecs_to_jiffies(age_secs * MSEC_PER_SEC); 394 395 spin_lock_bh(&rdev->bss_lock); 396 list_for_each_entry(bss, &rdev->bss_list, list) 397 bss->ts -= age_jiffies; 398 spin_unlock_bh(&rdev->bss_lock); 399 } 400 401 void cfg80211_bss_expire(struct cfg80211_registered_device *rdev) 402 { 403 __cfg80211_bss_expire(rdev, jiffies - IEEE80211_SCAN_RESULT_EXPIRE); 404 } 405 406 const u8 *cfg80211_find_ie_match(u8 eid, const u8 *ies, int len, 407 const u8 *match, int match_len, 408 int match_offset) 409 { 410 /* match_offset can't be smaller than 2, unless match_len is 411 * zero, in which case match_offset must be zero as well. 412 */ 413 if (WARN_ON((match_len && match_offset < 2) || 414 (!match_len && match_offset))) 415 return NULL; 416 417 while (len >= 2 && len >= ies[1] + 2) { 418 if ((ies[0] == eid) && 419 (ies[1] + 2 >= match_offset + match_len) && 420 !memcmp(ies + match_offset, match, match_len)) 421 return ies; 422 423 len -= ies[1] + 2; 424 ies += ies[1] + 2; 425 } 426 427 return NULL; 428 } 429 EXPORT_SYMBOL(cfg80211_find_ie_match); 430 431 const u8 *cfg80211_find_vendor_ie(unsigned int oui, int oui_type, 432 const u8 *ies, int len) 433 { 434 const u8 *ie; 435 u8 match[] = { oui >> 16, oui >> 8, oui, oui_type }; 436 int match_len = (oui_type < 0) ? 3 : sizeof(match); 437 438 if (WARN_ON(oui_type > 0xff)) 439 return NULL; 440 441 ie = cfg80211_find_ie_match(WLAN_EID_VENDOR_SPECIFIC, ies, len, 442 match, match_len, 2); 443 444 if (ie && (ie[1] < 4)) 445 return NULL; 446 447 return ie; 448 } 449 EXPORT_SYMBOL(cfg80211_find_vendor_ie); 450 451 static bool is_bss(struct cfg80211_bss *a, const u8 *bssid, 452 const u8 *ssid, size_t ssid_len) 453 { 454 const struct cfg80211_bss_ies *ies; 455 const u8 *ssidie; 456 457 if (bssid && !ether_addr_equal(a->bssid, bssid)) 458 return false; 459 460 if (!ssid) 461 return true; 462 463 ies = rcu_access_pointer(a->ies); 464 if (!ies) 465 return false; 466 ssidie = cfg80211_find_ie(WLAN_EID_SSID, ies->data, ies->len); 467 if (!ssidie) 468 return false; 469 if (ssidie[1] != ssid_len) 470 return false; 471 return memcmp(ssidie + 2, ssid, ssid_len) == 0; 472 } 473 474 /** 475 * enum bss_compare_mode - BSS compare mode 476 * @BSS_CMP_REGULAR: regular compare mode (for insertion and normal find) 477 * @BSS_CMP_HIDE_ZLEN: find hidden SSID with zero-length mode 478 * @BSS_CMP_HIDE_NUL: find hidden SSID with NUL-ed out mode 479 */ 480 enum bss_compare_mode { 481 BSS_CMP_REGULAR, 482 BSS_CMP_HIDE_ZLEN, 483 BSS_CMP_HIDE_NUL, 484 }; 485 486 static int cmp_bss(struct cfg80211_bss *a, 487 struct cfg80211_bss *b, 488 enum bss_compare_mode mode) 489 { 490 const struct cfg80211_bss_ies *a_ies, *b_ies; 491 const u8 *ie1 = NULL; 492 const u8 *ie2 = NULL; 493 int i, r; 494 495 if (a->channel != b->channel) 496 return b->channel->center_freq - a->channel->center_freq; 497 498 a_ies = rcu_access_pointer(a->ies); 499 if (!a_ies) 500 return -1; 501 b_ies = rcu_access_pointer(b->ies); 502 if (!b_ies) 503 return 1; 504 505 if (WLAN_CAPABILITY_IS_STA_BSS(a->capability)) 506 ie1 = cfg80211_find_ie(WLAN_EID_MESH_ID, 507 a_ies->data, a_ies->len); 508 if (WLAN_CAPABILITY_IS_STA_BSS(b->capability)) 509 ie2 = cfg80211_find_ie(WLAN_EID_MESH_ID, 510 b_ies->data, b_ies->len); 511 if (ie1 && ie2) { 512 int mesh_id_cmp; 513 514 if (ie1[1] == ie2[1]) 515 mesh_id_cmp = memcmp(ie1 + 2, ie2 + 2, ie1[1]); 516 else 517 mesh_id_cmp = ie2[1] - ie1[1]; 518 519 ie1 = cfg80211_find_ie(WLAN_EID_MESH_CONFIG, 520 a_ies->data, a_ies->len); 521 ie2 = cfg80211_find_ie(WLAN_EID_MESH_CONFIG, 522 b_ies->data, b_ies->len); 523 if (ie1 && ie2) { 524 if (mesh_id_cmp) 525 return mesh_id_cmp; 526 if (ie1[1] != ie2[1]) 527 return ie2[1] - ie1[1]; 528 return memcmp(ie1 + 2, ie2 + 2, ie1[1]); 529 } 530 } 531 532 r = memcmp(a->bssid, b->bssid, sizeof(a->bssid)); 533 if (r) 534 return r; 535 536 ie1 = cfg80211_find_ie(WLAN_EID_SSID, a_ies->data, a_ies->len); 537 ie2 = cfg80211_find_ie(WLAN_EID_SSID, b_ies->data, b_ies->len); 538 539 if (!ie1 && !ie2) 540 return 0; 541 542 /* 543 * Note that with "hide_ssid", the function returns a match if 544 * the already-present BSS ("b") is a hidden SSID beacon for 545 * the new BSS ("a"). 546 */ 547 548 /* sort missing IE before (left of) present IE */ 549 if (!ie1) 550 return -1; 551 if (!ie2) 552 return 1; 553 554 switch (mode) { 555 case BSS_CMP_HIDE_ZLEN: 556 /* 557 * In ZLEN mode we assume the BSS entry we're 558 * looking for has a zero-length SSID. So if 559 * the one we're looking at right now has that, 560 * return 0. Otherwise, return the difference 561 * in length, but since we're looking for the 562 * 0-length it's really equivalent to returning 563 * the length of the one we're looking at. 564 * 565 * No content comparison is needed as we assume 566 * the content length is zero. 567 */ 568 return ie2[1]; 569 case BSS_CMP_REGULAR: 570 default: 571 /* sort by length first, then by contents */ 572 if (ie1[1] != ie2[1]) 573 return ie2[1] - ie1[1]; 574 return memcmp(ie1 + 2, ie2 + 2, ie1[1]); 575 case BSS_CMP_HIDE_NUL: 576 if (ie1[1] != ie2[1]) 577 return ie2[1] - ie1[1]; 578 /* this is equivalent to memcmp(zeroes, ie2 + 2, len) */ 579 for (i = 0; i < ie2[1]; i++) 580 if (ie2[i + 2]) 581 return -1; 582 return 0; 583 } 584 } 585 586 static bool cfg80211_bss_type_match(u16 capability, 587 enum nl80211_band band, 588 enum ieee80211_bss_type bss_type) 589 { 590 bool ret = true; 591 u16 mask, val; 592 593 if (bss_type == IEEE80211_BSS_TYPE_ANY) 594 return ret; 595 596 if (band == NL80211_BAND_60GHZ) { 597 mask = WLAN_CAPABILITY_DMG_TYPE_MASK; 598 switch (bss_type) { 599 case IEEE80211_BSS_TYPE_ESS: 600 val = WLAN_CAPABILITY_DMG_TYPE_AP; 601 break; 602 case IEEE80211_BSS_TYPE_PBSS: 603 val = WLAN_CAPABILITY_DMG_TYPE_PBSS; 604 break; 605 case IEEE80211_BSS_TYPE_IBSS: 606 val = WLAN_CAPABILITY_DMG_TYPE_IBSS; 607 break; 608 default: 609 return false; 610 } 611 } else { 612 mask = WLAN_CAPABILITY_ESS | WLAN_CAPABILITY_IBSS; 613 switch (bss_type) { 614 case IEEE80211_BSS_TYPE_ESS: 615 val = WLAN_CAPABILITY_ESS; 616 break; 617 case IEEE80211_BSS_TYPE_IBSS: 618 val = WLAN_CAPABILITY_IBSS; 619 break; 620 case IEEE80211_BSS_TYPE_MBSS: 621 val = 0; 622 break; 623 default: 624 return false; 625 } 626 } 627 628 ret = ((capability & mask) == val); 629 return ret; 630 } 631 632 /* Returned bss is reference counted and must be cleaned up appropriately. */ 633 struct cfg80211_bss *cfg80211_get_bss(struct wiphy *wiphy, 634 struct ieee80211_channel *channel, 635 const u8 *bssid, 636 const u8 *ssid, size_t ssid_len, 637 enum ieee80211_bss_type bss_type, 638 enum ieee80211_privacy privacy) 639 { 640 struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy); 641 struct cfg80211_internal_bss *bss, *res = NULL; 642 unsigned long now = jiffies; 643 int bss_privacy; 644 645 trace_cfg80211_get_bss(wiphy, channel, bssid, ssid, ssid_len, bss_type, 646 privacy); 647 648 spin_lock_bh(&rdev->bss_lock); 649 650 list_for_each_entry(bss, &rdev->bss_list, list) { 651 if (!cfg80211_bss_type_match(bss->pub.capability, 652 bss->pub.channel->band, bss_type)) 653 continue; 654 655 bss_privacy = (bss->pub.capability & WLAN_CAPABILITY_PRIVACY); 656 if ((privacy == IEEE80211_PRIVACY_ON && !bss_privacy) || 657 (privacy == IEEE80211_PRIVACY_OFF && bss_privacy)) 658 continue; 659 if (channel && bss->pub.channel != channel) 660 continue; 661 if (!is_valid_ether_addr(bss->pub.bssid)) 662 continue; 663 /* Don't get expired BSS structs */ 664 if (time_after(now, bss->ts + IEEE80211_SCAN_RESULT_EXPIRE) && 665 !atomic_read(&bss->hold)) 666 continue; 667 if (is_bss(&bss->pub, bssid, ssid, ssid_len)) { 668 res = bss; 669 bss_ref_get(rdev, res); 670 break; 671 } 672 } 673 674 spin_unlock_bh(&rdev->bss_lock); 675 if (!res) 676 return NULL; 677 trace_cfg80211_return_bss(&res->pub); 678 return &res->pub; 679 } 680 EXPORT_SYMBOL(cfg80211_get_bss); 681 682 static void rb_insert_bss(struct cfg80211_registered_device *rdev, 683 struct cfg80211_internal_bss *bss) 684 { 685 struct rb_node **p = &rdev->bss_tree.rb_node; 686 struct rb_node *parent = NULL; 687 struct cfg80211_internal_bss *tbss; 688 int cmp; 689 690 while (*p) { 691 parent = *p; 692 tbss = rb_entry(parent, struct cfg80211_internal_bss, rbn); 693 694 cmp = cmp_bss(&bss->pub, &tbss->pub, BSS_CMP_REGULAR); 695 696 if (WARN_ON(!cmp)) { 697 /* will sort of leak this BSS */ 698 return; 699 } 700 701 if (cmp < 0) 702 p = &(*p)->rb_left; 703 else 704 p = &(*p)->rb_right; 705 } 706 707 rb_link_node(&bss->rbn, parent, p); 708 rb_insert_color(&bss->rbn, &rdev->bss_tree); 709 } 710 711 static struct cfg80211_internal_bss * 712 rb_find_bss(struct cfg80211_registered_device *rdev, 713 struct cfg80211_internal_bss *res, 714 enum bss_compare_mode mode) 715 { 716 struct rb_node *n = rdev->bss_tree.rb_node; 717 struct cfg80211_internal_bss *bss; 718 int r; 719 720 while (n) { 721 bss = rb_entry(n, struct cfg80211_internal_bss, rbn); 722 r = cmp_bss(&res->pub, &bss->pub, mode); 723 724 if (r == 0) 725 return bss; 726 else if (r < 0) 727 n = n->rb_left; 728 else 729 n = n->rb_right; 730 } 731 732 return NULL; 733 } 734 735 static bool cfg80211_combine_bsses(struct cfg80211_registered_device *rdev, 736 struct cfg80211_internal_bss *new) 737 { 738 const struct cfg80211_bss_ies *ies; 739 struct cfg80211_internal_bss *bss; 740 const u8 *ie; 741 int i, ssidlen; 742 u8 fold = 0; 743 u32 n_entries = 0; 744 745 ies = rcu_access_pointer(new->pub.beacon_ies); 746 if (WARN_ON(!ies)) 747 return false; 748 749 ie = cfg80211_find_ie(WLAN_EID_SSID, ies->data, ies->len); 750 if (!ie) { 751 /* nothing to do */ 752 return true; 753 } 754 755 ssidlen = ie[1]; 756 for (i = 0; i < ssidlen; i++) 757 fold |= ie[2 + i]; 758 759 if (fold) { 760 /* not a hidden SSID */ 761 return true; 762 } 763 764 /* This is the bad part ... */ 765 766 list_for_each_entry(bss, &rdev->bss_list, list) { 767 /* 768 * we're iterating all the entries anyway, so take the 769 * opportunity to validate the list length accounting 770 */ 771 n_entries++; 772 773 if (!ether_addr_equal(bss->pub.bssid, new->pub.bssid)) 774 continue; 775 if (bss->pub.channel != new->pub.channel) 776 continue; 777 if (bss->pub.scan_width != new->pub.scan_width) 778 continue; 779 if (rcu_access_pointer(bss->pub.beacon_ies)) 780 continue; 781 ies = rcu_access_pointer(bss->pub.ies); 782 if (!ies) 783 continue; 784 ie = cfg80211_find_ie(WLAN_EID_SSID, ies->data, ies->len); 785 if (!ie) 786 continue; 787 if (ssidlen && ie[1] != ssidlen) 788 continue; 789 if (WARN_ON_ONCE(bss->pub.hidden_beacon_bss)) 790 continue; 791 if (WARN_ON_ONCE(!list_empty(&bss->hidden_list))) 792 list_del(&bss->hidden_list); 793 /* combine them */ 794 list_add(&bss->hidden_list, &new->hidden_list); 795 bss->pub.hidden_beacon_bss = &new->pub; 796 new->refcount += bss->refcount; 797 rcu_assign_pointer(bss->pub.beacon_ies, 798 new->pub.beacon_ies); 799 } 800 801 WARN_ONCE(n_entries != rdev->bss_entries, 802 "rdev bss entries[%d]/list[len:%d] corruption\n", 803 rdev->bss_entries, n_entries); 804 805 return true; 806 } 807 808 /* Returned bss is reference counted and must be cleaned up appropriately. */ 809 static struct cfg80211_internal_bss * 810 cfg80211_bss_update(struct cfg80211_registered_device *rdev, 811 struct cfg80211_internal_bss *tmp, 812 bool signal_valid) 813 { 814 struct cfg80211_internal_bss *found = NULL; 815 816 if (WARN_ON(!tmp->pub.channel)) 817 return NULL; 818 819 tmp->ts = jiffies; 820 821 spin_lock_bh(&rdev->bss_lock); 822 823 if (WARN_ON(!rcu_access_pointer(tmp->pub.ies))) { 824 spin_unlock_bh(&rdev->bss_lock); 825 return NULL; 826 } 827 828 found = rb_find_bss(rdev, tmp, BSS_CMP_REGULAR); 829 830 if (found) { 831 /* Update IEs */ 832 if (rcu_access_pointer(tmp->pub.proberesp_ies)) { 833 const struct cfg80211_bss_ies *old; 834 835 old = rcu_access_pointer(found->pub.proberesp_ies); 836 837 rcu_assign_pointer(found->pub.proberesp_ies, 838 tmp->pub.proberesp_ies); 839 /* Override possible earlier Beacon frame IEs */ 840 rcu_assign_pointer(found->pub.ies, 841 tmp->pub.proberesp_ies); 842 if (old) 843 kfree_rcu((struct cfg80211_bss_ies *)old, 844 rcu_head); 845 } else if (rcu_access_pointer(tmp->pub.beacon_ies)) { 846 const struct cfg80211_bss_ies *old; 847 struct cfg80211_internal_bss *bss; 848 849 if (found->pub.hidden_beacon_bss && 850 !list_empty(&found->hidden_list)) { 851 const struct cfg80211_bss_ies *f; 852 853 /* 854 * The found BSS struct is one of the probe 855 * response members of a group, but we're 856 * receiving a beacon (beacon_ies in the tmp 857 * bss is used). This can only mean that the 858 * AP changed its beacon from not having an 859 * SSID to showing it, which is confusing so 860 * drop this information. 861 */ 862 863 f = rcu_access_pointer(tmp->pub.beacon_ies); 864 kfree_rcu((struct cfg80211_bss_ies *)f, 865 rcu_head); 866 goto drop; 867 } 868 869 old = rcu_access_pointer(found->pub.beacon_ies); 870 871 rcu_assign_pointer(found->pub.beacon_ies, 872 tmp->pub.beacon_ies); 873 874 /* Override IEs if they were from a beacon before */ 875 if (old == rcu_access_pointer(found->pub.ies)) 876 rcu_assign_pointer(found->pub.ies, 877 tmp->pub.beacon_ies); 878 879 /* Assign beacon IEs to all sub entries */ 880 list_for_each_entry(bss, &found->hidden_list, 881 hidden_list) { 882 const struct cfg80211_bss_ies *ies; 883 884 ies = rcu_access_pointer(bss->pub.beacon_ies); 885 WARN_ON(ies != old); 886 887 rcu_assign_pointer(bss->pub.beacon_ies, 888 tmp->pub.beacon_ies); 889 } 890 891 if (old) 892 kfree_rcu((struct cfg80211_bss_ies *)old, 893 rcu_head); 894 } 895 896 found->pub.beacon_interval = tmp->pub.beacon_interval; 897 /* 898 * don't update the signal if beacon was heard on 899 * adjacent channel. 900 */ 901 if (signal_valid) 902 found->pub.signal = tmp->pub.signal; 903 found->pub.capability = tmp->pub.capability; 904 found->ts = tmp->ts; 905 found->ts_boottime = tmp->ts_boottime; 906 found->parent_tsf = tmp->parent_tsf; 907 ether_addr_copy(found->parent_bssid, tmp->parent_bssid); 908 } else { 909 struct cfg80211_internal_bss *new; 910 struct cfg80211_internal_bss *hidden; 911 struct cfg80211_bss_ies *ies; 912 913 /* 914 * create a copy -- the "res" variable that is passed in 915 * is allocated on the stack since it's not needed in the 916 * more common case of an update 917 */ 918 new = kzalloc(sizeof(*new) + rdev->wiphy.bss_priv_size, 919 GFP_ATOMIC); 920 if (!new) { 921 ies = (void *)rcu_dereference(tmp->pub.beacon_ies); 922 if (ies) 923 kfree_rcu(ies, rcu_head); 924 ies = (void *)rcu_dereference(tmp->pub.proberesp_ies); 925 if (ies) 926 kfree_rcu(ies, rcu_head); 927 goto drop; 928 } 929 memcpy(new, tmp, sizeof(*new)); 930 new->refcount = 1; 931 INIT_LIST_HEAD(&new->hidden_list); 932 933 if (rcu_access_pointer(tmp->pub.proberesp_ies)) { 934 hidden = rb_find_bss(rdev, tmp, BSS_CMP_HIDE_ZLEN); 935 if (!hidden) 936 hidden = rb_find_bss(rdev, tmp, 937 BSS_CMP_HIDE_NUL); 938 if (hidden) { 939 new->pub.hidden_beacon_bss = &hidden->pub; 940 list_add(&new->hidden_list, 941 &hidden->hidden_list); 942 hidden->refcount++; 943 rcu_assign_pointer(new->pub.beacon_ies, 944 hidden->pub.beacon_ies); 945 } 946 } else { 947 /* 948 * Ok so we found a beacon, and don't have an entry. If 949 * it's a beacon with hidden SSID, we might be in for an 950 * expensive search for any probe responses that should 951 * be grouped with this beacon for updates ... 952 */ 953 if (!cfg80211_combine_bsses(rdev, new)) { 954 kfree(new); 955 goto drop; 956 } 957 } 958 959 if (rdev->bss_entries >= bss_entries_limit && 960 !cfg80211_bss_expire_oldest(rdev)) { 961 kfree(new); 962 goto drop; 963 } 964 965 list_add_tail(&new->list, &rdev->bss_list); 966 rdev->bss_entries++; 967 rb_insert_bss(rdev, new); 968 found = new; 969 } 970 971 rdev->bss_generation++; 972 bss_ref_get(rdev, found); 973 spin_unlock_bh(&rdev->bss_lock); 974 975 return found; 976 drop: 977 spin_unlock_bh(&rdev->bss_lock); 978 return NULL; 979 } 980 981 static struct ieee80211_channel * 982 cfg80211_get_bss_channel(struct wiphy *wiphy, const u8 *ie, size_t ielen, 983 struct ieee80211_channel *channel) 984 { 985 const u8 *tmp; 986 u32 freq; 987 int channel_number = -1; 988 989 tmp = cfg80211_find_ie(WLAN_EID_DS_PARAMS, ie, ielen); 990 if (tmp && tmp[1] == 1) { 991 channel_number = tmp[2]; 992 } else { 993 tmp = cfg80211_find_ie(WLAN_EID_HT_OPERATION, ie, ielen); 994 if (tmp && tmp[1] >= sizeof(struct ieee80211_ht_operation)) { 995 struct ieee80211_ht_operation *htop = (void *)(tmp + 2); 996 997 channel_number = htop->primary_chan; 998 } 999 } 1000 1001 if (channel_number < 0) 1002 return channel; 1003 1004 freq = ieee80211_channel_to_frequency(channel_number, channel->band); 1005 channel = ieee80211_get_channel(wiphy, freq); 1006 if (!channel) 1007 return NULL; 1008 if (channel->flags & IEEE80211_CHAN_DISABLED) 1009 return NULL; 1010 return channel; 1011 } 1012 1013 /* Returned bss is reference counted and must be cleaned up appropriately. */ 1014 struct cfg80211_bss * 1015 cfg80211_inform_bss_data(struct wiphy *wiphy, 1016 struct cfg80211_inform_bss *data, 1017 enum cfg80211_bss_frame_type ftype, 1018 const u8 *bssid, u64 tsf, u16 capability, 1019 u16 beacon_interval, const u8 *ie, size_t ielen, 1020 gfp_t gfp) 1021 { 1022 struct cfg80211_bss_ies *ies; 1023 struct ieee80211_channel *channel; 1024 struct cfg80211_internal_bss tmp = {}, *res; 1025 int bss_type; 1026 bool signal_valid; 1027 1028 if (WARN_ON(!wiphy)) 1029 return NULL; 1030 1031 if (WARN_ON(wiphy->signal_type == CFG80211_SIGNAL_TYPE_UNSPEC && 1032 (data->signal < 0 || data->signal > 100))) 1033 return NULL; 1034 1035 channel = cfg80211_get_bss_channel(wiphy, ie, ielen, data->chan); 1036 if (!channel) 1037 return NULL; 1038 1039 memcpy(tmp.pub.bssid, bssid, ETH_ALEN); 1040 tmp.pub.channel = channel; 1041 tmp.pub.scan_width = data->scan_width; 1042 tmp.pub.signal = data->signal; 1043 tmp.pub.beacon_interval = beacon_interval; 1044 tmp.pub.capability = capability; 1045 tmp.ts_boottime = data->boottime_ns; 1046 1047 /* 1048 * If we do not know here whether the IEs are from a Beacon or Probe 1049 * Response frame, we need to pick one of the options and only use it 1050 * with the driver that does not provide the full Beacon/Probe Response 1051 * frame. Use Beacon frame pointer to avoid indicating that this should 1052 * override the IEs pointer should we have received an earlier 1053 * indication of Probe Response data. 1054 */ 1055 ies = kzalloc(sizeof(*ies) + ielen, gfp); 1056 if (!ies) 1057 return NULL; 1058 ies->len = ielen; 1059 ies->tsf = tsf; 1060 ies->from_beacon = false; 1061 memcpy(ies->data, ie, ielen); 1062 1063 switch (ftype) { 1064 case CFG80211_BSS_FTYPE_BEACON: 1065 ies->from_beacon = true; 1066 /* fall through to assign */ 1067 case CFG80211_BSS_FTYPE_UNKNOWN: 1068 rcu_assign_pointer(tmp.pub.beacon_ies, ies); 1069 break; 1070 case CFG80211_BSS_FTYPE_PRESP: 1071 rcu_assign_pointer(tmp.pub.proberesp_ies, ies); 1072 break; 1073 } 1074 rcu_assign_pointer(tmp.pub.ies, ies); 1075 1076 signal_valid = abs(data->chan->center_freq - channel->center_freq) <= 1077 wiphy->max_adj_channel_rssi_comp; 1078 res = cfg80211_bss_update(wiphy_to_rdev(wiphy), &tmp, signal_valid); 1079 if (!res) 1080 return NULL; 1081 1082 if (channel->band == NL80211_BAND_60GHZ) { 1083 bss_type = res->pub.capability & WLAN_CAPABILITY_DMG_TYPE_MASK; 1084 if (bss_type == WLAN_CAPABILITY_DMG_TYPE_AP || 1085 bss_type == WLAN_CAPABILITY_DMG_TYPE_PBSS) 1086 regulatory_hint_found_beacon(wiphy, channel, gfp); 1087 } else { 1088 if (res->pub.capability & WLAN_CAPABILITY_ESS) 1089 regulatory_hint_found_beacon(wiphy, channel, gfp); 1090 } 1091 1092 trace_cfg80211_return_bss(&res->pub); 1093 /* cfg80211_bss_update gives us a referenced result */ 1094 return &res->pub; 1095 } 1096 EXPORT_SYMBOL(cfg80211_inform_bss_data); 1097 1098 /* cfg80211_inform_bss_width_frame helper */ 1099 struct cfg80211_bss * 1100 cfg80211_inform_bss_frame_data(struct wiphy *wiphy, 1101 struct cfg80211_inform_bss *data, 1102 struct ieee80211_mgmt *mgmt, size_t len, 1103 gfp_t gfp) 1104 1105 { 1106 struct cfg80211_internal_bss tmp = {}, *res; 1107 struct cfg80211_bss_ies *ies; 1108 struct ieee80211_channel *channel; 1109 bool signal_valid; 1110 size_t ielen = len - offsetof(struct ieee80211_mgmt, 1111 u.probe_resp.variable); 1112 int bss_type; 1113 1114 BUILD_BUG_ON(offsetof(struct ieee80211_mgmt, u.probe_resp.variable) != 1115 offsetof(struct ieee80211_mgmt, u.beacon.variable)); 1116 1117 trace_cfg80211_inform_bss_frame(wiphy, data, mgmt, len); 1118 1119 if (WARN_ON(!mgmt)) 1120 return NULL; 1121 1122 if (WARN_ON(!wiphy)) 1123 return NULL; 1124 1125 if (WARN_ON(wiphy->signal_type == CFG80211_SIGNAL_TYPE_UNSPEC && 1126 (data->signal < 0 || data->signal > 100))) 1127 return NULL; 1128 1129 if (WARN_ON(len < offsetof(struct ieee80211_mgmt, u.probe_resp.variable))) 1130 return NULL; 1131 1132 channel = cfg80211_get_bss_channel(wiphy, mgmt->u.beacon.variable, 1133 ielen, data->chan); 1134 if (!channel) 1135 return NULL; 1136 1137 ies = kzalloc(sizeof(*ies) + ielen, gfp); 1138 if (!ies) 1139 return NULL; 1140 ies->len = ielen; 1141 ies->tsf = le64_to_cpu(mgmt->u.probe_resp.timestamp); 1142 ies->from_beacon = ieee80211_is_beacon(mgmt->frame_control); 1143 memcpy(ies->data, mgmt->u.probe_resp.variable, ielen); 1144 1145 if (ieee80211_is_probe_resp(mgmt->frame_control)) 1146 rcu_assign_pointer(tmp.pub.proberesp_ies, ies); 1147 else 1148 rcu_assign_pointer(tmp.pub.beacon_ies, ies); 1149 rcu_assign_pointer(tmp.pub.ies, ies); 1150 1151 memcpy(tmp.pub.bssid, mgmt->bssid, ETH_ALEN); 1152 tmp.pub.channel = channel; 1153 tmp.pub.scan_width = data->scan_width; 1154 tmp.pub.signal = data->signal; 1155 tmp.pub.beacon_interval = le16_to_cpu(mgmt->u.probe_resp.beacon_int); 1156 tmp.pub.capability = le16_to_cpu(mgmt->u.probe_resp.capab_info); 1157 tmp.ts_boottime = data->boottime_ns; 1158 tmp.parent_tsf = data->parent_tsf; 1159 ether_addr_copy(tmp.parent_bssid, data->parent_bssid); 1160 1161 signal_valid = abs(data->chan->center_freq - channel->center_freq) <= 1162 wiphy->max_adj_channel_rssi_comp; 1163 res = cfg80211_bss_update(wiphy_to_rdev(wiphy), &tmp, signal_valid); 1164 if (!res) 1165 return NULL; 1166 1167 if (channel->band == NL80211_BAND_60GHZ) { 1168 bss_type = res->pub.capability & WLAN_CAPABILITY_DMG_TYPE_MASK; 1169 if (bss_type == WLAN_CAPABILITY_DMG_TYPE_AP || 1170 bss_type == WLAN_CAPABILITY_DMG_TYPE_PBSS) 1171 regulatory_hint_found_beacon(wiphy, channel, gfp); 1172 } else { 1173 if (res->pub.capability & WLAN_CAPABILITY_ESS) 1174 regulatory_hint_found_beacon(wiphy, channel, gfp); 1175 } 1176 1177 trace_cfg80211_return_bss(&res->pub); 1178 /* cfg80211_bss_update gives us a referenced result */ 1179 return &res->pub; 1180 } 1181 EXPORT_SYMBOL(cfg80211_inform_bss_frame_data); 1182 1183 void cfg80211_ref_bss(struct wiphy *wiphy, struct cfg80211_bss *pub) 1184 { 1185 struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy); 1186 struct cfg80211_internal_bss *bss; 1187 1188 if (!pub) 1189 return; 1190 1191 bss = container_of(pub, struct cfg80211_internal_bss, pub); 1192 1193 spin_lock_bh(&rdev->bss_lock); 1194 bss_ref_get(rdev, bss); 1195 spin_unlock_bh(&rdev->bss_lock); 1196 } 1197 EXPORT_SYMBOL(cfg80211_ref_bss); 1198 1199 void cfg80211_put_bss(struct wiphy *wiphy, struct cfg80211_bss *pub) 1200 { 1201 struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy); 1202 struct cfg80211_internal_bss *bss; 1203 1204 if (!pub) 1205 return; 1206 1207 bss = container_of(pub, struct cfg80211_internal_bss, pub); 1208 1209 spin_lock_bh(&rdev->bss_lock); 1210 bss_ref_put(rdev, bss); 1211 spin_unlock_bh(&rdev->bss_lock); 1212 } 1213 EXPORT_SYMBOL(cfg80211_put_bss); 1214 1215 void cfg80211_unlink_bss(struct wiphy *wiphy, struct cfg80211_bss *pub) 1216 { 1217 struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy); 1218 struct cfg80211_internal_bss *bss; 1219 1220 if (WARN_ON(!pub)) 1221 return; 1222 1223 bss = container_of(pub, struct cfg80211_internal_bss, pub); 1224 1225 spin_lock_bh(&rdev->bss_lock); 1226 if (!list_empty(&bss->list)) { 1227 if (__cfg80211_unlink_bss(rdev, bss)) 1228 rdev->bss_generation++; 1229 } 1230 spin_unlock_bh(&rdev->bss_lock); 1231 } 1232 EXPORT_SYMBOL(cfg80211_unlink_bss); 1233 1234 #ifdef CONFIG_CFG80211_WEXT 1235 static struct cfg80211_registered_device * 1236 cfg80211_get_dev_from_ifindex(struct net *net, int ifindex) 1237 { 1238 struct cfg80211_registered_device *rdev; 1239 struct net_device *dev; 1240 1241 ASSERT_RTNL(); 1242 1243 dev = dev_get_by_index(net, ifindex); 1244 if (!dev) 1245 return ERR_PTR(-ENODEV); 1246 if (dev->ieee80211_ptr) 1247 rdev = wiphy_to_rdev(dev->ieee80211_ptr->wiphy); 1248 else 1249 rdev = ERR_PTR(-ENODEV); 1250 dev_put(dev); 1251 return rdev; 1252 } 1253 1254 int cfg80211_wext_siwscan(struct net_device *dev, 1255 struct iw_request_info *info, 1256 union iwreq_data *wrqu, char *extra) 1257 { 1258 struct cfg80211_registered_device *rdev; 1259 struct wiphy *wiphy; 1260 struct iw_scan_req *wreq = NULL; 1261 struct cfg80211_scan_request *creq = NULL; 1262 int i, err, n_channels = 0; 1263 enum nl80211_band band; 1264 1265 if (!netif_running(dev)) 1266 return -ENETDOWN; 1267 1268 if (wrqu->data.length == sizeof(struct iw_scan_req)) 1269 wreq = (struct iw_scan_req *)extra; 1270 1271 rdev = cfg80211_get_dev_from_ifindex(dev_net(dev), dev->ifindex); 1272 1273 if (IS_ERR(rdev)) 1274 return PTR_ERR(rdev); 1275 1276 if (rdev->scan_req || rdev->scan_msg) { 1277 err = -EBUSY; 1278 goto out; 1279 } 1280 1281 wiphy = &rdev->wiphy; 1282 1283 /* Determine number of channels, needed to allocate creq */ 1284 if (wreq && wreq->num_channels) 1285 n_channels = wreq->num_channels; 1286 else 1287 n_channels = ieee80211_get_num_supported_channels(wiphy); 1288 1289 creq = kzalloc(sizeof(*creq) + sizeof(struct cfg80211_ssid) + 1290 n_channels * sizeof(void *), 1291 GFP_ATOMIC); 1292 if (!creq) { 1293 err = -ENOMEM; 1294 goto out; 1295 } 1296 1297 creq->wiphy = wiphy; 1298 creq->wdev = dev->ieee80211_ptr; 1299 /* SSIDs come after channels */ 1300 creq->ssids = (void *)&creq->channels[n_channels]; 1301 creq->n_channels = n_channels; 1302 creq->n_ssids = 1; 1303 creq->scan_start = jiffies; 1304 1305 /* translate "Scan on frequencies" request */ 1306 i = 0; 1307 for (band = 0; band < NUM_NL80211_BANDS; band++) { 1308 int j; 1309 1310 if (!wiphy->bands[band]) 1311 continue; 1312 1313 for (j = 0; j < wiphy->bands[band]->n_channels; j++) { 1314 /* ignore disabled channels */ 1315 if (wiphy->bands[band]->channels[j].flags & 1316 IEEE80211_CHAN_DISABLED) 1317 continue; 1318 1319 /* If we have a wireless request structure and the 1320 * wireless request specifies frequencies, then search 1321 * for the matching hardware channel. 1322 */ 1323 if (wreq && wreq->num_channels) { 1324 int k; 1325 int wiphy_freq = wiphy->bands[band]->channels[j].center_freq; 1326 for (k = 0; k < wreq->num_channels; k++) { 1327 struct iw_freq *freq = 1328 &wreq->channel_list[k]; 1329 int wext_freq = 1330 cfg80211_wext_freq(freq); 1331 1332 if (wext_freq == wiphy_freq) 1333 goto wext_freq_found; 1334 } 1335 goto wext_freq_not_found; 1336 } 1337 1338 wext_freq_found: 1339 creq->channels[i] = &wiphy->bands[band]->channels[j]; 1340 i++; 1341 wext_freq_not_found: ; 1342 } 1343 } 1344 /* No channels found? */ 1345 if (!i) { 1346 err = -EINVAL; 1347 goto out; 1348 } 1349 1350 /* Set real number of channels specified in creq->channels[] */ 1351 creq->n_channels = i; 1352 1353 /* translate "Scan for SSID" request */ 1354 if (wreq) { 1355 if (wrqu->data.flags & IW_SCAN_THIS_ESSID) { 1356 if (wreq->essid_len > IEEE80211_MAX_SSID_LEN) { 1357 err = -EINVAL; 1358 goto out; 1359 } 1360 memcpy(creq->ssids[0].ssid, wreq->essid, wreq->essid_len); 1361 creq->ssids[0].ssid_len = wreq->essid_len; 1362 } 1363 if (wreq->scan_type == IW_SCAN_TYPE_PASSIVE) 1364 creq->n_ssids = 0; 1365 } 1366 1367 for (i = 0; i < NUM_NL80211_BANDS; i++) 1368 if (wiphy->bands[i]) 1369 creq->rates[i] = (1 << wiphy->bands[i]->n_bitrates) - 1; 1370 1371 eth_broadcast_addr(creq->bssid); 1372 1373 rdev->scan_req = creq; 1374 err = rdev_scan(rdev, creq); 1375 if (err) { 1376 rdev->scan_req = NULL; 1377 /* creq will be freed below */ 1378 } else { 1379 nl80211_send_scan_start(rdev, dev->ieee80211_ptr); 1380 /* creq now owned by driver */ 1381 creq = NULL; 1382 dev_hold(dev); 1383 } 1384 out: 1385 kfree(creq); 1386 return err; 1387 } 1388 EXPORT_WEXT_HANDLER(cfg80211_wext_siwscan); 1389 1390 static char *ieee80211_scan_add_ies(struct iw_request_info *info, 1391 const struct cfg80211_bss_ies *ies, 1392 char *current_ev, char *end_buf) 1393 { 1394 const u8 *pos, *end, *next; 1395 struct iw_event iwe; 1396 1397 if (!ies) 1398 return current_ev; 1399 1400 /* 1401 * If needed, fragment the IEs buffer (at IE boundaries) into short 1402 * enough fragments to fit into IW_GENERIC_IE_MAX octet messages. 1403 */ 1404 pos = ies->data; 1405 end = pos + ies->len; 1406 1407 while (end - pos > IW_GENERIC_IE_MAX) { 1408 next = pos + 2 + pos[1]; 1409 while (next + 2 + next[1] - pos < IW_GENERIC_IE_MAX) 1410 next = next + 2 + next[1]; 1411 1412 memset(&iwe, 0, sizeof(iwe)); 1413 iwe.cmd = IWEVGENIE; 1414 iwe.u.data.length = next - pos; 1415 current_ev = iwe_stream_add_point_check(info, current_ev, 1416 end_buf, &iwe, 1417 (void *)pos); 1418 if (IS_ERR(current_ev)) 1419 return current_ev; 1420 pos = next; 1421 } 1422 1423 if (end > pos) { 1424 memset(&iwe, 0, sizeof(iwe)); 1425 iwe.cmd = IWEVGENIE; 1426 iwe.u.data.length = end - pos; 1427 current_ev = iwe_stream_add_point_check(info, current_ev, 1428 end_buf, &iwe, 1429 (void *)pos); 1430 if (IS_ERR(current_ev)) 1431 return current_ev; 1432 } 1433 1434 return current_ev; 1435 } 1436 1437 static char * 1438 ieee80211_bss(struct wiphy *wiphy, struct iw_request_info *info, 1439 struct cfg80211_internal_bss *bss, char *current_ev, 1440 char *end_buf) 1441 { 1442 const struct cfg80211_bss_ies *ies; 1443 struct iw_event iwe; 1444 const u8 *ie; 1445 u8 buf[50]; 1446 u8 *cfg, *p, *tmp; 1447 int rem, i, sig; 1448 bool ismesh = false; 1449 1450 memset(&iwe, 0, sizeof(iwe)); 1451 iwe.cmd = SIOCGIWAP; 1452 iwe.u.ap_addr.sa_family = ARPHRD_ETHER; 1453 memcpy(iwe.u.ap_addr.sa_data, bss->pub.bssid, ETH_ALEN); 1454 current_ev = iwe_stream_add_event_check(info, current_ev, end_buf, &iwe, 1455 IW_EV_ADDR_LEN); 1456 if (IS_ERR(current_ev)) 1457 return current_ev; 1458 1459 memset(&iwe, 0, sizeof(iwe)); 1460 iwe.cmd = SIOCGIWFREQ; 1461 iwe.u.freq.m = ieee80211_frequency_to_channel(bss->pub.channel->center_freq); 1462 iwe.u.freq.e = 0; 1463 current_ev = iwe_stream_add_event_check(info, current_ev, end_buf, &iwe, 1464 IW_EV_FREQ_LEN); 1465 if (IS_ERR(current_ev)) 1466 return current_ev; 1467 1468 memset(&iwe, 0, sizeof(iwe)); 1469 iwe.cmd = SIOCGIWFREQ; 1470 iwe.u.freq.m = bss->pub.channel->center_freq; 1471 iwe.u.freq.e = 6; 1472 current_ev = iwe_stream_add_event_check(info, current_ev, end_buf, &iwe, 1473 IW_EV_FREQ_LEN); 1474 if (IS_ERR(current_ev)) 1475 return current_ev; 1476 1477 if (wiphy->signal_type != CFG80211_SIGNAL_TYPE_NONE) { 1478 memset(&iwe, 0, sizeof(iwe)); 1479 iwe.cmd = IWEVQUAL; 1480 iwe.u.qual.updated = IW_QUAL_LEVEL_UPDATED | 1481 IW_QUAL_NOISE_INVALID | 1482 IW_QUAL_QUAL_UPDATED; 1483 switch (wiphy->signal_type) { 1484 case CFG80211_SIGNAL_TYPE_MBM: 1485 sig = bss->pub.signal / 100; 1486 iwe.u.qual.level = sig; 1487 iwe.u.qual.updated |= IW_QUAL_DBM; 1488 if (sig < -110) /* rather bad */ 1489 sig = -110; 1490 else if (sig > -40) /* perfect */ 1491 sig = -40; 1492 /* will give a range of 0 .. 70 */ 1493 iwe.u.qual.qual = sig + 110; 1494 break; 1495 case CFG80211_SIGNAL_TYPE_UNSPEC: 1496 iwe.u.qual.level = bss->pub.signal; 1497 /* will give range 0 .. 100 */ 1498 iwe.u.qual.qual = bss->pub.signal; 1499 break; 1500 default: 1501 /* not reached */ 1502 break; 1503 } 1504 current_ev = iwe_stream_add_event_check(info, current_ev, 1505 end_buf, &iwe, 1506 IW_EV_QUAL_LEN); 1507 if (IS_ERR(current_ev)) 1508 return current_ev; 1509 } 1510 1511 memset(&iwe, 0, sizeof(iwe)); 1512 iwe.cmd = SIOCGIWENCODE; 1513 if (bss->pub.capability & WLAN_CAPABILITY_PRIVACY) 1514 iwe.u.data.flags = IW_ENCODE_ENABLED | IW_ENCODE_NOKEY; 1515 else 1516 iwe.u.data.flags = IW_ENCODE_DISABLED; 1517 iwe.u.data.length = 0; 1518 current_ev = iwe_stream_add_point_check(info, current_ev, end_buf, 1519 &iwe, ""); 1520 if (IS_ERR(current_ev)) 1521 return current_ev; 1522 1523 rcu_read_lock(); 1524 ies = rcu_dereference(bss->pub.ies); 1525 rem = ies->len; 1526 ie = ies->data; 1527 1528 while (rem >= 2) { 1529 /* invalid data */ 1530 if (ie[1] > rem - 2) 1531 break; 1532 1533 switch (ie[0]) { 1534 case WLAN_EID_SSID: 1535 memset(&iwe, 0, sizeof(iwe)); 1536 iwe.cmd = SIOCGIWESSID; 1537 iwe.u.data.length = ie[1]; 1538 iwe.u.data.flags = 1; 1539 current_ev = iwe_stream_add_point_check(info, 1540 current_ev, 1541 end_buf, &iwe, 1542 (u8 *)ie + 2); 1543 if (IS_ERR(current_ev)) 1544 goto unlock; 1545 break; 1546 case WLAN_EID_MESH_ID: 1547 memset(&iwe, 0, sizeof(iwe)); 1548 iwe.cmd = SIOCGIWESSID; 1549 iwe.u.data.length = ie[1]; 1550 iwe.u.data.flags = 1; 1551 current_ev = iwe_stream_add_point_check(info, 1552 current_ev, 1553 end_buf, &iwe, 1554 (u8 *)ie + 2); 1555 if (IS_ERR(current_ev)) 1556 goto unlock; 1557 break; 1558 case WLAN_EID_MESH_CONFIG: 1559 ismesh = true; 1560 if (ie[1] != sizeof(struct ieee80211_meshconf_ie)) 1561 break; 1562 cfg = (u8 *)ie + 2; 1563 memset(&iwe, 0, sizeof(iwe)); 1564 iwe.cmd = IWEVCUSTOM; 1565 sprintf(buf, "Mesh Network Path Selection Protocol ID: " 1566 "0x%02X", cfg[0]); 1567 iwe.u.data.length = strlen(buf); 1568 current_ev = iwe_stream_add_point_check(info, 1569 current_ev, 1570 end_buf, 1571 &iwe, buf); 1572 if (IS_ERR(current_ev)) 1573 goto unlock; 1574 sprintf(buf, "Path Selection Metric ID: 0x%02X", 1575 cfg[1]); 1576 iwe.u.data.length = strlen(buf); 1577 current_ev = iwe_stream_add_point_check(info, 1578 current_ev, 1579 end_buf, 1580 &iwe, buf); 1581 if (IS_ERR(current_ev)) 1582 goto unlock; 1583 sprintf(buf, "Congestion Control Mode ID: 0x%02X", 1584 cfg[2]); 1585 iwe.u.data.length = strlen(buf); 1586 current_ev = iwe_stream_add_point_check(info, 1587 current_ev, 1588 end_buf, 1589 &iwe, buf); 1590 if (IS_ERR(current_ev)) 1591 goto unlock; 1592 sprintf(buf, "Synchronization ID: 0x%02X", cfg[3]); 1593 iwe.u.data.length = strlen(buf); 1594 current_ev = iwe_stream_add_point_check(info, 1595 current_ev, 1596 end_buf, 1597 &iwe, buf); 1598 if (IS_ERR(current_ev)) 1599 goto unlock; 1600 sprintf(buf, "Authentication ID: 0x%02X", cfg[4]); 1601 iwe.u.data.length = strlen(buf); 1602 current_ev = iwe_stream_add_point_check(info, 1603 current_ev, 1604 end_buf, 1605 &iwe, buf); 1606 if (IS_ERR(current_ev)) 1607 goto unlock; 1608 sprintf(buf, "Formation Info: 0x%02X", cfg[5]); 1609 iwe.u.data.length = strlen(buf); 1610 current_ev = iwe_stream_add_point_check(info, 1611 current_ev, 1612 end_buf, 1613 &iwe, buf); 1614 if (IS_ERR(current_ev)) 1615 goto unlock; 1616 sprintf(buf, "Capabilities: 0x%02X", cfg[6]); 1617 iwe.u.data.length = strlen(buf); 1618 current_ev = iwe_stream_add_point_check(info, 1619 current_ev, 1620 end_buf, 1621 &iwe, buf); 1622 if (IS_ERR(current_ev)) 1623 goto unlock; 1624 break; 1625 case WLAN_EID_SUPP_RATES: 1626 case WLAN_EID_EXT_SUPP_RATES: 1627 /* display all supported rates in readable format */ 1628 p = current_ev + iwe_stream_lcp_len(info); 1629 1630 memset(&iwe, 0, sizeof(iwe)); 1631 iwe.cmd = SIOCGIWRATE; 1632 /* Those two flags are ignored... */ 1633 iwe.u.bitrate.fixed = iwe.u.bitrate.disabled = 0; 1634 1635 for (i = 0; i < ie[1]; i++) { 1636 iwe.u.bitrate.value = 1637 ((ie[i + 2] & 0x7f) * 500000); 1638 tmp = p; 1639 p = iwe_stream_add_value(info, current_ev, p, 1640 end_buf, &iwe, 1641 IW_EV_PARAM_LEN); 1642 if (p == tmp) { 1643 current_ev = ERR_PTR(-E2BIG); 1644 goto unlock; 1645 } 1646 } 1647 current_ev = p; 1648 break; 1649 } 1650 rem -= ie[1] + 2; 1651 ie += ie[1] + 2; 1652 } 1653 1654 if (bss->pub.capability & (WLAN_CAPABILITY_ESS | WLAN_CAPABILITY_IBSS) || 1655 ismesh) { 1656 memset(&iwe, 0, sizeof(iwe)); 1657 iwe.cmd = SIOCGIWMODE; 1658 if (ismesh) 1659 iwe.u.mode = IW_MODE_MESH; 1660 else if (bss->pub.capability & WLAN_CAPABILITY_ESS) 1661 iwe.u.mode = IW_MODE_MASTER; 1662 else 1663 iwe.u.mode = IW_MODE_ADHOC; 1664 current_ev = iwe_stream_add_event_check(info, current_ev, 1665 end_buf, &iwe, 1666 IW_EV_UINT_LEN); 1667 if (IS_ERR(current_ev)) 1668 goto unlock; 1669 } 1670 1671 memset(&iwe, 0, sizeof(iwe)); 1672 iwe.cmd = IWEVCUSTOM; 1673 sprintf(buf, "tsf=%016llx", (unsigned long long)(ies->tsf)); 1674 iwe.u.data.length = strlen(buf); 1675 current_ev = iwe_stream_add_point_check(info, current_ev, end_buf, 1676 &iwe, buf); 1677 if (IS_ERR(current_ev)) 1678 goto unlock; 1679 memset(&iwe, 0, sizeof(iwe)); 1680 iwe.cmd = IWEVCUSTOM; 1681 sprintf(buf, " Last beacon: %ums ago", 1682 elapsed_jiffies_msecs(bss->ts)); 1683 iwe.u.data.length = strlen(buf); 1684 current_ev = iwe_stream_add_point_check(info, current_ev, 1685 end_buf, &iwe, buf); 1686 if (IS_ERR(current_ev)) 1687 goto unlock; 1688 1689 current_ev = ieee80211_scan_add_ies(info, ies, current_ev, end_buf); 1690 1691 unlock: 1692 rcu_read_unlock(); 1693 return current_ev; 1694 } 1695 1696 1697 static int ieee80211_scan_results(struct cfg80211_registered_device *rdev, 1698 struct iw_request_info *info, 1699 char *buf, size_t len) 1700 { 1701 char *current_ev = buf; 1702 char *end_buf = buf + len; 1703 struct cfg80211_internal_bss *bss; 1704 int err = 0; 1705 1706 spin_lock_bh(&rdev->bss_lock); 1707 cfg80211_bss_expire(rdev); 1708 1709 list_for_each_entry(bss, &rdev->bss_list, list) { 1710 if (buf + len - current_ev <= IW_EV_ADDR_LEN) { 1711 err = -E2BIG; 1712 break; 1713 } 1714 current_ev = ieee80211_bss(&rdev->wiphy, info, bss, 1715 current_ev, end_buf); 1716 if (IS_ERR(current_ev)) { 1717 err = PTR_ERR(current_ev); 1718 break; 1719 } 1720 } 1721 spin_unlock_bh(&rdev->bss_lock); 1722 1723 if (err) 1724 return err; 1725 return current_ev - buf; 1726 } 1727 1728 1729 int cfg80211_wext_giwscan(struct net_device *dev, 1730 struct iw_request_info *info, 1731 struct iw_point *data, char *extra) 1732 { 1733 struct cfg80211_registered_device *rdev; 1734 int res; 1735 1736 if (!netif_running(dev)) 1737 return -ENETDOWN; 1738 1739 rdev = cfg80211_get_dev_from_ifindex(dev_net(dev), dev->ifindex); 1740 1741 if (IS_ERR(rdev)) 1742 return PTR_ERR(rdev); 1743 1744 if (rdev->scan_req || rdev->scan_msg) 1745 return -EAGAIN; 1746 1747 res = ieee80211_scan_results(rdev, info, extra, data->length); 1748 data->length = 0; 1749 if (res >= 0) { 1750 data->length = res; 1751 res = 0; 1752 } 1753 1754 return res; 1755 } 1756 EXPORT_WEXT_HANDLER(cfg80211_wext_giwscan); 1757 #endif 1758