1 // SPDX-License-Identifier: GPL-2.0
2 /*
3 * cfg80211 MLME SAP interface
4 *
5 * Copyright (c) 2009, Jouni Malinen <j@w1.fi>
6 * Copyright (c) 2015 Intel Deutschland GmbH
7 * Copyright (C) 2019-2020, 2022 Intel Corporation
8 */
9
10 #include <linux/kernel.h>
11 #include <linux/module.h>
12 #include <linux/etherdevice.h>
13 #include <linux/netdevice.h>
14 #include <linux/nl80211.h>
15 #include <linux/slab.h>
16 #include <linux/wireless.h>
17 #include <net/cfg80211.h>
18 #include <net/iw_handler.h>
19 #include "core.h"
20 #include "nl80211.h"
21 #include "rdev-ops.h"
22
23
cfg80211_rx_assoc_resp(struct net_device * dev,struct cfg80211_rx_assoc_resp * data)24 void cfg80211_rx_assoc_resp(struct net_device *dev,
25 struct cfg80211_rx_assoc_resp *data)
26 {
27 struct wireless_dev *wdev = dev->ieee80211_ptr;
28 struct wiphy *wiphy = wdev->wiphy;
29 struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
30 struct ieee80211_mgmt *mgmt = (struct ieee80211_mgmt *)data->buf;
31 struct cfg80211_connect_resp_params cr = {
32 .timeout_reason = NL80211_TIMEOUT_UNSPECIFIED,
33 .req_ie = data->req_ies,
34 .req_ie_len = data->req_ies_len,
35 .resp_ie = mgmt->u.assoc_resp.variable,
36 .resp_ie_len = data->len -
37 offsetof(struct ieee80211_mgmt,
38 u.assoc_resp.variable),
39 .status = le16_to_cpu(mgmt->u.assoc_resp.status_code),
40 .ap_mld_addr = data->ap_mld_addr,
41 };
42 unsigned int link_id;
43
44 for (link_id = 0; link_id < ARRAY_SIZE(data->links); link_id++) {
45 cr.links[link_id].status = data->links[link_id].status;
46 WARN_ON_ONCE(cr.links[link_id].status != WLAN_STATUS_SUCCESS &&
47 (!cr.ap_mld_addr || !cr.links[link_id].bss));
48
49 cr.links[link_id].bss = data->links[link_id].bss;
50 if (!cr.links[link_id].bss)
51 continue;
52 cr.links[link_id].bssid = data->links[link_id].bss->bssid;
53 cr.links[link_id].addr = data->links[link_id].addr;
54 /* need to have local link addresses for MLO connections */
55 WARN_ON(cr.ap_mld_addr && !cr.links[link_id].addr);
56
57 if (cr.links[link_id].bss->channel->band == NL80211_BAND_S1GHZ) {
58 WARN_ON(link_id);
59 cr.resp_ie = (u8 *)&mgmt->u.s1g_assoc_resp.variable;
60 cr.resp_ie_len = data->len -
61 offsetof(struct ieee80211_mgmt,
62 u.s1g_assoc_resp.variable);
63 }
64
65 if (cr.ap_mld_addr)
66 cr.valid_links |= BIT(link_id);
67 }
68
69 trace_cfg80211_send_rx_assoc(dev, data);
70
71 /*
72 * This is a bit of a hack, we don't notify userspace of
73 * a (re-)association reply if we tried to send a reassoc
74 * and got a reject -- we only try again with an assoc
75 * frame instead of reassoc.
76 */
77 if (cfg80211_sme_rx_assoc_resp(wdev, cr.status)) {
78 for (link_id = 0; link_id < ARRAY_SIZE(data->links); link_id++) {
79 struct cfg80211_bss *bss = data->links[link_id].bss;
80
81 if (!bss)
82 continue;
83
84 cfg80211_unhold_bss(bss_from_pub(bss));
85 cfg80211_put_bss(wiphy, bss);
86 }
87 return;
88 }
89
90 nl80211_send_rx_assoc(rdev, dev, data);
91 /* update current_bss etc., consumes the bss reference */
92 __cfg80211_connect_result(dev, &cr, cr.status == WLAN_STATUS_SUCCESS);
93 }
94 EXPORT_SYMBOL(cfg80211_rx_assoc_resp);
95
cfg80211_process_auth(struct wireless_dev * wdev,const u8 * buf,size_t len)96 static void cfg80211_process_auth(struct wireless_dev *wdev,
97 const u8 *buf, size_t len)
98 {
99 struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
100
101 nl80211_send_rx_auth(rdev, wdev->netdev, buf, len, GFP_KERNEL);
102 cfg80211_sme_rx_auth(wdev, buf, len);
103 }
104
cfg80211_process_deauth(struct wireless_dev * wdev,const u8 * buf,size_t len,bool reconnect)105 static void cfg80211_process_deauth(struct wireless_dev *wdev,
106 const u8 *buf, size_t len,
107 bool reconnect)
108 {
109 struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
110 struct ieee80211_mgmt *mgmt = (struct ieee80211_mgmt *)buf;
111 const u8 *bssid = mgmt->bssid;
112 u16 reason_code = le16_to_cpu(mgmt->u.deauth.reason_code);
113 bool from_ap = !ether_addr_equal(mgmt->sa, wdev->netdev->dev_addr);
114
115 nl80211_send_deauth(rdev, wdev->netdev, buf, len, reconnect, GFP_KERNEL);
116
117 if (!wdev->connected || !ether_addr_equal(wdev->u.client.connected_addr, bssid))
118 return;
119
120 __cfg80211_disconnected(wdev->netdev, NULL, 0, reason_code, from_ap);
121 cfg80211_sme_deauth(wdev);
122 }
123
cfg80211_process_disassoc(struct wireless_dev * wdev,const u8 * buf,size_t len,bool reconnect)124 static void cfg80211_process_disassoc(struct wireless_dev *wdev,
125 const u8 *buf, size_t len,
126 bool reconnect)
127 {
128 struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
129 struct ieee80211_mgmt *mgmt = (struct ieee80211_mgmt *)buf;
130 const u8 *bssid = mgmt->bssid;
131 u16 reason_code = le16_to_cpu(mgmt->u.disassoc.reason_code);
132 bool from_ap = !ether_addr_equal(mgmt->sa, wdev->netdev->dev_addr);
133
134 nl80211_send_disassoc(rdev, wdev->netdev, buf, len, reconnect,
135 GFP_KERNEL);
136
137 if (WARN_ON(!wdev->connected ||
138 !ether_addr_equal(wdev->u.client.connected_addr, bssid)))
139 return;
140
141 __cfg80211_disconnected(wdev->netdev, NULL, 0, reason_code, from_ap);
142 cfg80211_sme_disassoc(wdev);
143 }
144
cfg80211_rx_mlme_mgmt(struct net_device * dev,const u8 * buf,size_t len)145 void cfg80211_rx_mlme_mgmt(struct net_device *dev, const u8 *buf, size_t len)
146 {
147 struct wireless_dev *wdev = dev->ieee80211_ptr;
148 struct ieee80211_mgmt *mgmt = (void *)buf;
149
150 ASSERT_WDEV_LOCK(wdev);
151
152 trace_cfg80211_rx_mlme_mgmt(dev, buf, len);
153
154 if (WARN_ON(len < 2))
155 return;
156
157 if (ieee80211_is_auth(mgmt->frame_control))
158 cfg80211_process_auth(wdev, buf, len);
159 else if (ieee80211_is_deauth(mgmt->frame_control))
160 cfg80211_process_deauth(wdev, buf, len, false);
161 else if (ieee80211_is_disassoc(mgmt->frame_control))
162 cfg80211_process_disassoc(wdev, buf, len, false);
163 }
164 EXPORT_SYMBOL(cfg80211_rx_mlme_mgmt);
165
cfg80211_auth_timeout(struct net_device * dev,const u8 * addr)166 void cfg80211_auth_timeout(struct net_device *dev, const u8 *addr)
167 {
168 struct wireless_dev *wdev = dev->ieee80211_ptr;
169 struct wiphy *wiphy = wdev->wiphy;
170 struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
171
172 trace_cfg80211_send_auth_timeout(dev, addr);
173
174 nl80211_send_auth_timeout(rdev, dev, addr, GFP_KERNEL);
175 cfg80211_sme_auth_timeout(wdev);
176 }
177 EXPORT_SYMBOL(cfg80211_auth_timeout);
178
cfg80211_assoc_failure(struct net_device * dev,struct cfg80211_assoc_failure * data)179 void cfg80211_assoc_failure(struct net_device *dev,
180 struct cfg80211_assoc_failure *data)
181 {
182 struct wireless_dev *wdev = dev->ieee80211_ptr;
183 struct wiphy *wiphy = wdev->wiphy;
184 struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
185 const u8 *addr = data->ap_mld_addr ?: data->bss[0]->bssid;
186 int i;
187
188 trace_cfg80211_send_assoc_failure(dev, data);
189
190 if (data->timeout) {
191 nl80211_send_assoc_timeout(rdev, dev, addr, GFP_KERNEL);
192 cfg80211_sme_assoc_timeout(wdev);
193 } else {
194 cfg80211_sme_abandon_assoc(wdev);
195 }
196
197 for (i = 0; i < ARRAY_SIZE(data->bss); i++) {
198 struct cfg80211_bss *bss = data->bss[i];
199
200 if (!bss)
201 continue;
202
203 cfg80211_unhold_bss(bss_from_pub(bss));
204 cfg80211_put_bss(wiphy, bss);
205 }
206 }
207 EXPORT_SYMBOL(cfg80211_assoc_failure);
208
cfg80211_tx_mlme_mgmt(struct net_device * dev,const u8 * buf,size_t len,bool reconnect)209 void cfg80211_tx_mlme_mgmt(struct net_device *dev, const u8 *buf, size_t len,
210 bool reconnect)
211 {
212 struct wireless_dev *wdev = dev->ieee80211_ptr;
213 struct ieee80211_mgmt *mgmt = (void *)buf;
214
215 ASSERT_WDEV_LOCK(wdev);
216
217 trace_cfg80211_tx_mlme_mgmt(dev, buf, len, reconnect);
218
219 if (WARN_ON(len < 2))
220 return;
221
222 if (ieee80211_is_deauth(mgmt->frame_control))
223 cfg80211_process_deauth(wdev, buf, len, reconnect);
224 else
225 cfg80211_process_disassoc(wdev, buf, len, reconnect);
226 }
227 EXPORT_SYMBOL(cfg80211_tx_mlme_mgmt);
228
cfg80211_michael_mic_failure(struct net_device * dev,const u8 * addr,enum nl80211_key_type key_type,int key_id,const u8 * tsc,gfp_t gfp)229 void cfg80211_michael_mic_failure(struct net_device *dev, const u8 *addr,
230 enum nl80211_key_type key_type, int key_id,
231 const u8 *tsc, gfp_t gfp)
232 {
233 struct wiphy *wiphy = dev->ieee80211_ptr->wiphy;
234 struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
235 #ifdef CONFIG_CFG80211_WEXT
236 union iwreq_data wrqu;
237 char *buf = kmalloc(128, gfp);
238
239 if (buf) {
240 sprintf(buf, "MLME-MICHAELMICFAILURE.indication("
241 "keyid=%d %scast addr=%pM)", key_id,
242 key_type == NL80211_KEYTYPE_GROUP ? "broad" : "uni",
243 addr);
244 memset(&wrqu, 0, sizeof(wrqu));
245 wrqu.data.length = strlen(buf);
246 wireless_send_event(dev, IWEVCUSTOM, &wrqu, buf);
247 kfree(buf);
248 }
249 #endif
250
251 trace_cfg80211_michael_mic_failure(dev, addr, key_type, key_id, tsc);
252 nl80211_michael_mic_failure(rdev, dev, addr, key_type, key_id, tsc, gfp);
253 }
254 EXPORT_SYMBOL(cfg80211_michael_mic_failure);
255
256 /* some MLME handling for userspace SME */
cfg80211_mlme_auth(struct cfg80211_registered_device * rdev,struct net_device * dev,struct cfg80211_auth_request * req)257 int cfg80211_mlme_auth(struct cfg80211_registered_device *rdev,
258 struct net_device *dev,
259 struct cfg80211_auth_request *req)
260 {
261 struct wireless_dev *wdev = dev->ieee80211_ptr;
262
263 ASSERT_WDEV_LOCK(wdev);
264
265 if (!req->bss)
266 return -ENOENT;
267
268 if (req->link_id >= 0 &&
269 !(wdev->wiphy->flags & WIPHY_FLAG_SUPPORTS_MLO))
270 return -EINVAL;
271
272 if (req->auth_type == NL80211_AUTHTYPE_SHARED_KEY) {
273 if (!req->key || !req->key_len ||
274 req->key_idx < 0 || req->key_idx > 3)
275 return -EINVAL;
276 }
277
278 if (wdev->connected &&
279 ether_addr_equal(req->bss->bssid, wdev->u.client.connected_addr))
280 return -EALREADY;
281
282 return rdev_auth(rdev, dev, req);
283 }
284
285 /* Do a logical ht_capa &= ht_capa_mask. */
cfg80211_oper_and_ht_capa(struct ieee80211_ht_cap * ht_capa,const struct ieee80211_ht_cap * ht_capa_mask)286 void cfg80211_oper_and_ht_capa(struct ieee80211_ht_cap *ht_capa,
287 const struct ieee80211_ht_cap *ht_capa_mask)
288 {
289 int i;
290 u8 *p1, *p2;
291 if (!ht_capa_mask) {
292 memset(ht_capa, 0, sizeof(*ht_capa));
293 return;
294 }
295
296 p1 = (u8*)(ht_capa);
297 p2 = (u8*)(ht_capa_mask);
298 for (i = 0; i < sizeof(*ht_capa); i++)
299 p1[i] &= p2[i];
300 }
301
302 /* Do a logical vht_capa &= vht_capa_mask. */
cfg80211_oper_and_vht_capa(struct ieee80211_vht_cap * vht_capa,const struct ieee80211_vht_cap * vht_capa_mask)303 void cfg80211_oper_and_vht_capa(struct ieee80211_vht_cap *vht_capa,
304 const struct ieee80211_vht_cap *vht_capa_mask)
305 {
306 int i;
307 u8 *p1, *p2;
308 if (!vht_capa_mask) {
309 memset(vht_capa, 0, sizeof(*vht_capa));
310 return;
311 }
312
313 p1 = (u8*)(vht_capa);
314 p2 = (u8*)(vht_capa_mask);
315 for (i = 0; i < sizeof(*vht_capa); i++)
316 p1[i] &= p2[i];
317 }
318
319 /* Note: caller must cfg80211_put_bss() regardless of result */
cfg80211_mlme_assoc(struct cfg80211_registered_device * rdev,struct net_device * dev,struct cfg80211_assoc_request * req)320 int cfg80211_mlme_assoc(struct cfg80211_registered_device *rdev,
321 struct net_device *dev,
322 struct cfg80211_assoc_request *req)
323 {
324 struct wireless_dev *wdev = dev->ieee80211_ptr;
325 int err, i, j;
326
327 ASSERT_WDEV_LOCK(wdev);
328
329 for (i = 1; i < ARRAY_SIZE(req->links); i++) {
330 if (!req->links[i].bss)
331 continue;
332 for (j = 0; j < i; j++) {
333 if (req->links[i].bss == req->links[j].bss)
334 return -EINVAL;
335 }
336 }
337
338 if (wdev->connected &&
339 (!req->prev_bssid ||
340 !ether_addr_equal(wdev->u.client.connected_addr, req->prev_bssid)))
341 return -EALREADY;
342
343 cfg80211_oper_and_ht_capa(&req->ht_capa_mask,
344 rdev->wiphy.ht_capa_mod_mask);
345 cfg80211_oper_and_vht_capa(&req->vht_capa_mask,
346 rdev->wiphy.vht_capa_mod_mask);
347
348 err = rdev_assoc(rdev, dev, req);
349 if (!err) {
350 int link_id;
351
352 if (req->bss) {
353 cfg80211_ref_bss(&rdev->wiphy, req->bss);
354 cfg80211_hold_bss(bss_from_pub(req->bss));
355 }
356
357 for (link_id = 0; link_id < ARRAY_SIZE(req->links); link_id++) {
358 if (!req->links[link_id].bss)
359 continue;
360 cfg80211_ref_bss(&rdev->wiphy, req->links[link_id].bss);
361 cfg80211_hold_bss(bss_from_pub(req->links[link_id].bss));
362 }
363 }
364 return err;
365 }
366
cfg80211_mlme_deauth(struct cfg80211_registered_device * rdev,struct net_device * dev,const u8 * bssid,const u8 * ie,int ie_len,u16 reason,bool local_state_change)367 int cfg80211_mlme_deauth(struct cfg80211_registered_device *rdev,
368 struct net_device *dev, const u8 *bssid,
369 const u8 *ie, int ie_len, u16 reason,
370 bool local_state_change)
371 {
372 struct wireless_dev *wdev = dev->ieee80211_ptr;
373 struct cfg80211_deauth_request req = {
374 .bssid = bssid,
375 .reason_code = reason,
376 .ie = ie,
377 .ie_len = ie_len,
378 .local_state_change = local_state_change,
379 };
380
381 ASSERT_WDEV_LOCK(wdev);
382
383 if (local_state_change &&
384 (!wdev->connected ||
385 !ether_addr_equal(wdev->u.client.connected_addr, bssid)))
386 return 0;
387
388 if (ether_addr_equal(wdev->disconnect_bssid, bssid) ||
389 (wdev->connected &&
390 ether_addr_equal(wdev->u.client.connected_addr, bssid)))
391 wdev->conn_owner_nlportid = 0;
392
393 return rdev_deauth(rdev, dev, &req);
394 }
395
cfg80211_mlme_disassoc(struct cfg80211_registered_device * rdev,struct net_device * dev,const u8 * ap_addr,const u8 * ie,int ie_len,u16 reason,bool local_state_change)396 int cfg80211_mlme_disassoc(struct cfg80211_registered_device *rdev,
397 struct net_device *dev, const u8 *ap_addr,
398 const u8 *ie, int ie_len, u16 reason,
399 bool local_state_change)
400 {
401 struct wireless_dev *wdev = dev->ieee80211_ptr;
402 struct cfg80211_disassoc_request req = {
403 .reason_code = reason,
404 .local_state_change = local_state_change,
405 .ie = ie,
406 .ie_len = ie_len,
407 .ap_addr = ap_addr,
408 };
409 int err;
410
411 ASSERT_WDEV_LOCK(wdev);
412
413 if (!wdev->connected)
414 return -ENOTCONN;
415
416 if (memcmp(wdev->u.client.connected_addr, ap_addr, ETH_ALEN))
417 return -ENOTCONN;
418
419 err = rdev_disassoc(rdev, dev, &req);
420 if (err)
421 return err;
422
423 /* driver should have reported the disassoc */
424 WARN_ON(wdev->connected);
425 return 0;
426 }
427
cfg80211_mlme_down(struct cfg80211_registered_device * rdev,struct net_device * dev)428 void cfg80211_mlme_down(struct cfg80211_registered_device *rdev,
429 struct net_device *dev)
430 {
431 struct wireless_dev *wdev = dev->ieee80211_ptr;
432 u8 bssid[ETH_ALEN];
433
434 ASSERT_WDEV_LOCK(wdev);
435
436 if (!rdev->ops->deauth)
437 return;
438
439 if (!wdev->connected)
440 return;
441
442 memcpy(bssid, wdev->u.client.connected_addr, ETH_ALEN);
443 cfg80211_mlme_deauth(rdev, dev, bssid, NULL, 0,
444 WLAN_REASON_DEAUTH_LEAVING, false);
445 }
446
447 struct cfg80211_mgmt_registration {
448 struct list_head list;
449 struct wireless_dev *wdev;
450
451 u32 nlportid;
452
453 int match_len;
454
455 __le16 frame_type;
456
457 bool multicast_rx;
458
459 u8 match[];
460 };
461
cfg80211_mgmt_registrations_update(struct wireless_dev * wdev)462 static void cfg80211_mgmt_registrations_update(struct wireless_dev *wdev)
463 {
464 struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
465 struct wireless_dev *tmp;
466 struct cfg80211_mgmt_registration *reg;
467 struct mgmt_frame_regs upd = {};
468
469 lockdep_assert_held(&rdev->wiphy.mtx);
470
471 spin_lock_bh(&rdev->mgmt_registrations_lock);
472 if (!wdev->mgmt_registrations_need_update) {
473 spin_unlock_bh(&rdev->mgmt_registrations_lock);
474 return;
475 }
476
477 rcu_read_lock();
478 list_for_each_entry_rcu(tmp, &rdev->wiphy.wdev_list, list) {
479 list_for_each_entry(reg, &tmp->mgmt_registrations, list) {
480 u32 mask = BIT(le16_to_cpu(reg->frame_type) >> 4);
481 u32 mcast_mask = 0;
482
483 if (reg->multicast_rx)
484 mcast_mask = mask;
485
486 upd.global_stypes |= mask;
487 upd.global_mcast_stypes |= mcast_mask;
488
489 if (tmp == wdev) {
490 upd.interface_stypes |= mask;
491 upd.interface_mcast_stypes |= mcast_mask;
492 }
493 }
494 }
495 rcu_read_unlock();
496
497 wdev->mgmt_registrations_need_update = 0;
498 spin_unlock_bh(&rdev->mgmt_registrations_lock);
499
500 rdev_update_mgmt_frame_registrations(rdev, wdev, &upd);
501 }
502
cfg80211_mgmt_registrations_update_wk(struct work_struct * wk)503 void cfg80211_mgmt_registrations_update_wk(struct work_struct *wk)
504 {
505 struct cfg80211_registered_device *rdev;
506 struct wireless_dev *wdev;
507
508 rdev = container_of(wk, struct cfg80211_registered_device,
509 mgmt_registrations_update_wk);
510
511 wiphy_lock(&rdev->wiphy);
512 list_for_each_entry(wdev, &rdev->wiphy.wdev_list, list)
513 cfg80211_mgmt_registrations_update(wdev);
514 wiphy_unlock(&rdev->wiphy);
515 }
516
cfg80211_mlme_register_mgmt(struct wireless_dev * wdev,u32 snd_portid,u16 frame_type,const u8 * match_data,int match_len,bool multicast_rx,struct netlink_ext_ack * extack)517 int cfg80211_mlme_register_mgmt(struct wireless_dev *wdev, u32 snd_portid,
518 u16 frame_type, const u8 *match_data,
519 int match_len, bool multicast_rx,
520 struct netlink_ext_ack *extack)
521 {
522 struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
523 struct cfg80211_mgmt_registration *reg, *nreg;
524 int err = 0;
525 u16 mgmt_type;
526 bool update_multicast = false;
527
528 if (!wdev->wiphy->mgmt_stypes)
529 return -EOPNOTSUPP;
530
531 if ((frame_type & IEEE80211_FCTL_FTYPE) != IEEE80211_FTYPE_MGMT) {
532 NL_SET_ERR_MSG(extack, "frame type not management");
533 return -EINVAL;
534 }
535
536 if (frame_type & ~(IEEE80211_FCTL_FTYPE | IEEE80211_FCTL_STYPE)) {
537 NL_SET_ERR_MSG(extack, "Invalid frame type");
538 return -EINVAL;
539 }
540
541 mgmt_type = (frame_type & IEEE80211_FCTL_STYPE) >> 4;
542 if (!(wdev->wiphy->mgmt_stypes[wdev->iftype].rx & BIT(mgmt_type))) {
543 NL_SET_ERR_MSG(extack,
544 "Registration to specific type not supported");
545 return -EINVAL;
546 }
547
548 /*
549 * To support Pre Association Security Negotiation (PASN), registration
550 * for authentication frames should be supported. However, as some
551 * versions of the user space daemons wrongly register to all types of
552 * authentication frames (which might result in unexpected behavior)
553 * allow such registration if the request is for a specific
554 * authentication algorithm number.
555 */
556 if (wdev->iftype == NL80211_IFTYPE_STATION &&
557 (frame_type & IEEE80211_FCTL_STYPE) == IEEE80211_STYPE_AUTH &&
558 !(match_data && match_len >= 2)) {
559 NL_SET_ERR_MSG(extack,
560 "Authentication algorithm number required");
561 return -EINVAL;
562 }
563
564 nreg = kzalloc(sizeof(*reg) + match_len, GFP_KERNEL);
565 if (!nreg)
566 return -ENOMEM;
567
568 spin_lock_bh(&rdev->mgmt_registrations_lock);
569
570 list_for_each_entry(reg, &wdev->mgmt_registrations, list) {
571 int mlen = min(match_len, reg->match_len);
572
573 if (frame_type != le16_to_cpu(reg->frame_type))
574 continue;
575
576 if (memcmp(reg->match, match_data, mlen) == 0) {
577 if (reg->multicast_rx != multicast_rx) {
578 update_multicast = true;
579 reg->multicast_rx = multicast_rx;
580 break;
581 }
582 NL_SET_ERR_MSG(extack, "Match already configured");
583 err = -EALREADY;
584 break;
585 }
586 }
587
588 if (err)
589 goto out;
590
591 if (update_multicast) {
592 kfree(nreg);
593 } else {
594 memcpy(nreg->match, match_data, match_len);
595 nreg->match_len = match_len;
596 nreg->nlportid = snd_portid;
597 nreg->frame_type = cpu_to_le16(frame_type);
598 nreg->wdev = wdev;
599 nreg->multicast_rx = multicast_rx;
600 list_add(&nreg->list, &wdev->mgmt_registrations);
601 }
602 wdev->mgmt_registrations_need_update = 1;
603 spin_unlock_bh(&rdev->mgmt_registrations_lock);
604
605 cfg80211_mgmt_registrations_update(wdev);
606
607 return 0;
608
609 out:
610 kfree(nreg);
611 spin_unlock_bh(&rdev->mgmt_registrations_lock);
612
613 return err;
614 }
615
cfg80211_mlme_unregister_socket(struct wireless_dev * wdev,u32 nlportid)616 void cfg80211_mlme_unregister_socket(struct wireless_dev *wdev, u32 nlportid)
617 {
618 struct wiphy *wiphy = wdev->wiphy;
619 struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
620 struct cfg80211_mgmt_registration *reg, *tmp;
621
622 spin_lock_bh(&rdev->mgmt_registrations_lock);
623
624 list_for_each_entry_safe(reg, tmp, &wdev->mgmt_registrations, list) {
625 if (reg->nlportid != nlportid)
626 continue;
627
628 list_del(®->list);
629 kfree(reg);
630
631 wdev->mgmt_registrations_need_update = 1;
632 schedule_work(&rdev->mgmt_registrations_update_wk);
633 }
634
635 spin_unlock_bh(&rdev->mgmt_registrations_lock);
636
637 if (nlportid && rdev->crit_proto_nlportid == nlportid) {
638 rdev->crit_proto_nlportid = 0;
639 rdev_crit_proto_stop(rdev, wdev);
640 }
641
642 if (nlportid == wdev->ap_unexpected_nlportid)
643 wdev->ap_unexpected_nlportid = 0;
644 }
645
cfg80211_mlme_purge_registrations(struct wireless_dev * wdev)646 void cfg80211_mlme_purge_registrations(struct wireless_dev *wdev)
647 {
648 struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
649 struct cfg80211_mgmt_registration *reg, *tmp;
650
651 spin_lock_bh(&rdev->mgmt_registrations_lock);
652 list_for_each_entry_safe(reg, tmp, &wdev->mgmt_registrations, list) {
653 list_del(®->list);
654 kfree(reg);
655 }
656 wdev->mgmt_registrations_need_update = 1;
657 spin_unlock_bh(&rdev->mgmt_registrations_lock);
658
659 cfg80211_mgmt_registrations_update(wdev);
660 }
661
cfg80211_allowed_address(struct wireless_dev * wdev,const u8 * addr)662 static bool cfg80211_allowed_address(struct wireless_dev *wdev, const u8 *addr)
663 {
664 int i;
665
666 for_each_valid_link(wdev, i) {
667 if (ether_addr_equal(addr, wdev->links[i].addr))
668 return true;
669 }
670
671 return ether_addr_equal(addr, wdev_address(wdev));
672 }
673
cfg80211_mlme_mgmt_tx(struct cfg80211_registered_device * rdev,struct wireless_dev * wdev,struct cfg80211_mgmt_tx_params * params,u64 * cookie)674 int cfg80211_mlme_mgmt_tx(struct cfg80211_registered_device *rdev,
675 struct wireless_dev *wdev,
676 struct cfg80211_mgmt_tx_params *params, u64 *cookie)
677 {
678 const struct ieee80211_mgmt *mgmt;
679 u16 stype;
680
681 if (!wdev->wiphy->mgmt_stypes)
682 return -EOPNOTSUPP;
683
684 if (!rdev->ops->mgmt_tx)
685 return -EOPNOTSUPP;
686
687 if (params->len < 24 + 1)
688 return -EINVAL;
689
690 mgmt = (const struct ieee80211_mgmt *)params->buf;
691
692 if (!ieee80211_is_mgmt(mgmt->frame_control))
693 return -EINVAL;
694
695 stype = le16_to_cpu(mgmt->frame_control) & IEEE80211_FCTL_STYPE;
696 if (!(wdev->wiphy->mgmt_stypes[wdev->iftype].tx & BIT(stype >> 4)))
697 return -EINVAL;
698
699 if (ieee80211_is_action(mgmt->frame_control) &&
700 mgmt->u.action.category != WLAN_CATEGORY_PUBLIC) {
701 int err = 0;
702
703 wdev_lock(wdev);
704
705 switch (wdev->iftype) {
706 case NL80211_IFTYPE_ADHOC:
707 /*
708 * check for IBSS DA must be done by driver as
709 * cfg80211 doesn't track the stations
710 */
711 if (!wdev->u.ibss.current_bss ||
712 !ether_addr_equal(wdev->u.ibss.current_bss->pub.bssid,
713 mgmt->bssid)) {
714 err = -ENOTCONN;
715 break;
716 }
717 break;
718 case NL80211_IFTYPE_STATION:
719 case NL80211_IFTYPE_P2P_CLIENT:
720 if (!wdev->connected) {
721 err = -ENOTCONN;
722 break;
723 }
724
725 /* FIXME: MLD may address this differently */
726
727 if (!ether_addr_equal(wdev->u.client.connected_addr,
728 mgmt->bssid)) {
729 err = -ENOTCONN;
730 break;
731 }
732
733 /* for station, check that DA is the AP */
734 if (!ether_addr_equal(wdev->u.client.connected_addr,
735 mgmt->da)) {
736 err = -ENOTCONN;
737 break;
738 }
739 break;
740 case NL80211_IFTYPE_AP:
741 case NL80211_IFTYPE_P2P_GO:
742 case NL80211_IFTYPE_AP_VLAN:
743 if (!ether_addr_equal(mgmt->bssid, wdev_address(wdev)) &&
744 (params->link_id < 0 ||
745 !ether_addr_equal(mgmt->bssid,
746 wdev->links[params->link_id].addr)))
747 err = -EINVAL;
748 break;
749 case NL80211_IFTYPE_MESH_POINT:
750 if (!ether_addr_equal(mgmt->sa, mgmt->bssid)) {
751 err = -EINVAL;
752 break;
753 }
754 /*
755 * check for mesh DA must be done by driver as
756 * cfg80211 doesn't track the stations
757 */
758 break;
759 case NL80211_IFTYPE_P2P_DEVICE:
760 /*
761 * fall through, P2P device only supports
762 * public action frames
763 */
764 case NL80211_IFTYPE_NAN:
765 default:
766 err = -EOPNOTSUPP;
767 break;
768 }
769 wdev_unlock(wdev);
770
771 if (err)
772 return err;
773 }
774
775 if (!cfg80211_allowed_address(wdev, mgmt->sa)) {
776 /* Allow random TA to be used with Public Action frames if the
777 * driver has indicated support for this. Otherwise, only allow
778 * the local address to be used.
779 */
780 if (!ieee80211_is_action(mgmt->frame_control) ||
781 mgmt->u.action.category != WLAN_CATEGORY_PUBLIC)
782 return -EINVAL;
783 if (!wdev->connected &&
784 !wiphy_ext_feature_isset(
785 &rdev->wiphy,
786 NL80211_EXT_FEATURE_MGMT_TX_RANDOM_TA))
787 return -EINVAL;
788 if (wdev->connected &&
789 !wiphy_ext_feature_isset(
790 &rdev->wiphy,
791 NL80211_EXT_FEATURE_MGMT_TX_RANDOM_TA_CONNECTED))
792 return -EINVAL;
793 }
794
795 /* Transmit the management frame as requested by user space */
796 return rdev_mgmt_tx(rdev, wdev, params, cookie);
797 }
798
cfg80211_rx_mgmt_ext(struct wireless_dev * wdev,struct cfg80211_rx_info * info)799 bool cfg80211_rx_mgmt_ext(struct wireless_dev *wdev,
800 struct cfg80211_rx_info *info)
801 {
802 struct wiphy *wiphy = wdev->wiphy;
803 struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
804 struct cfg80211_mgmt_registration *reg;
805 const struct ieee80211_txrx_stypes *stypes =
806 &wiphy->mgmt_stypes[wdev->iftype];
807 struct ieee80211_mgmt *mgmt = (void *)info->buf;
808 const u8 *data;
809 int data_len;
810 bool result = false;
811 __le16 ftype = mgmt->frame_control &
812 cpu_to_le16(IEEE80211_FCTL_FTYPE | IEEE80211_FCTL_STYPE);
813 u16 stype;
814
815 trace_cfg80211_rx_mgmt(wdev, info);
816 stype = (le16_to_cpu(mgmt->frame_control) & IEEE80211_FCTL_STYPE) >> 4;
817
818 if (!(stypes->rx & BIT(stype))) {
819 trace_cfg80211_return_bool(false);
820 return false;
821 }
822
823 data = info->buf + ieee80211_hdrlen(mgmt->frame_control);
824 data_len = info->len - ieee80211_hdrlen(mgmt->frame_control);
825
826 spin_lock_bh(&rdev->mgmt_registrations_lock);
827
828 list_for_each_entry(reg, &wdev->mgmt_registrations, list) {
829 if (reg->frame_type != ftype)
830 continue;
831
832 if (reg->match_len > data_len)
833 continue;
834
835 if (memcmp(reg->match, data, reg->match_len))
836 continue;
837
838 /* found match! */
839
840 /* Indicate the received Action frame to user space */
841 if (nl80211_send_mgmt(rdev, wdev, reg->nlportid, info,
842 GFP_ATOMIC))
843 continue;
844
845 result = true;
846 break;
847 }
848
849 spin_unlock_bh(&rdev->mgmt_registrations_lock);
850
851 trace_cfg80211_return_bool(result);
852 return result;
853 }
854 EXPORT_SYMBOL(cfg80211_rx_mgmt_ext);
855
cfg80211_sched_dfs_chan_update(struct cfg80211_registered_device * rdev)856 void cfg80211_sched_dfs_chan_update(struct cfg80211_registered_device *rdev)
857 {
858 cancel_delayed_work(&rdev->dfs_update_channels_wk);
859 queue_delayed_work(cfg80211_wq, &rdev->dfs_update_channels_wk, 0);
860 }
861
cfg80211_dfs_channels_update_work(struct work_struct * work)862 void cfg80211_dfs_channels_update_work(struct work_struct *work)
863 {
864 struct delayed_work *delayed_work = to_delayed_work(work);
865 struct cfg80211_registered_device *rdev;
866 struct cfg80211_chan_def chandef;
867 struct ieee80211_supported_band *sband;
868 struct ieee80211_channel *c;
869 struct wiphy *wiphy;
870 bool check_again = false;
871 unsigned long timeout, next_time = 0;
872 unsigned long time_dfs_update;
873 enum nl80211_radar_event radar_event;
874 int bandid, i;
875
876 rdev = container_of(delayed_work, struct cfg80211_registered_device,
877 dfs_update_channels_wk);
878 wiphy = &rdev->wiphy;
879
880 rtnl_lock();
881 for (bandid = 0; bandid < NUM_NL80211_BANDS; bandid++) {
882 sband = wiphy->bands[bandid];
883 if (!sband)
884 continue;
885
886 for (i = 0; i < sband->n_channels; i++) {
887 c = &sband->channels[i];
888
889 if (!(c->flags & IEEE80211_CHAN_RADAR))
890 continue;
891
892 if (c->dfs_state != NL80211_DFS_UNAVAILABLE &&
893 c->dfs_state != NL80211_DFS_AVAILABLE)
894 continue;
895
896 if (c->dfs_state == NL80211_DFS_UNAVAILABLE) {
897 time_dfs_update = IEEE80211_DFS_MIN_NOP_TIME_MS;
898 radar_event = NL80211_RADAR_NOP_FINISHED;
899 } else {
900 if (regulatory_pre_cac_allowed(wiphy) ||
901 cfg80211_any_wiphy_oper_chan(wiphy, c))
902 continue;
903
904 time_dfs_update = REG_PRE_CAC_EXPIRY_GRACE_MS;
905 radar_event = NL80211_RADAR_PRE_CAC_EXPIRED;
906 }
907
908 timeout = c->dfs_state_entered +
909 msecs_to_jiffies(time_dfs_update);
910
911 if (time_after_eq(jiffies, timeout)) {
912 c->dfs_state = NL80211_DFS_USABLE;
913 c->dfs_state_entered = jiffies;
914
915 cfg80211_chandef_create(&chandef, c,
916 NL80211_CHAN_NO_HT);
917
918 nl80211_radar_notify(rdev, &chandef,
919 radar_event, NULL,
920 GFP_ATOMIC);
921
922 regulatory_propagate_dfs_state(wiphy, &chandef,
923 c->dfs_state,
924 radar_event);
925 continue;
926 }
927
928 if (!check_again)
929 next_time = timeout - jiffies;
930 else
931 next_time = min(next_time, timeout - jiffies);
932 check_again = true;
933 }
934 }
935 rtnl_unlock();
936
937 /* reschedule if there are other channels waiting to be cleared again */
938 if (check_again)
939 queue_delayed_work(cfg80211_wq, &rdev->dfs_update_channels_wk,
940 next_time);
941 }
942
943
__cfg80211_radar_event(struct wiphy * wiphy,struct cfg80211_chan_def * chandef,bool offchan,gfp_t gfp)944 void __cfg80211_radar_event(struct wiphy *wiphy,
945 struct cfg80211_chan_def *chandef,
946 bool offchan, gfp_t gfp)
947 {
948 struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
949
950 trace_cfg80211_radar_event(wiphy, chandef, offchan);
951
952 /* only set the chandef supplied channel to unavailable, in
953 * case the radar is detected on only one of multiple channels
954 * spanned by the chandef.
955 */
956 cfg80211_set_dfs_state(wiphy, chandef, NL80211_DFS_UNAVAILABLE);
957
958 if (offchan)
959 queue_work(cfg80211_wq, &rdev->background_cac_abort_wk);
960
961 cfg80211_sched_dfs_chan_update(rdev);
962
963 nl80211_radar_notify(rdev, chandef, NL80211_RADAR_DETECTED, NULL, gfp);
964
965 memcpy(&rdev->radar_chandef, chandef, sizeof(struct cfg80211_chan_def));
966 queue_work(cfg80211_wq, &rdev->propagate_radar_detect_wk);
967 }
968 EXPORT_SYMBOL(__cfg80211_radar_event);
969
cfg80211_cac_event(struct net_device * netdev,const struct cfg80211_chan_def * chandef,enum nl80211_radar_event event,gfp_t gfp)970 void cfg80211_cac_event(struct net_device *netdev,
971 const struct cfg80211_chan_def *chandef,
972 enum nl80211_radar_event event, gfp_t gfp)
973 {
974 struct wireless_dev *wdev = netdev->ieee80211_ptr;
975 struct wiphy *wiphy = wdev->wiphy;
976 struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
977 unsigned long timeout;
978
979 /* not yet supported */
980 if (wdev->valid_links)
981 return;
982
983 trace_cfg80211_cac_event(netdev, event);
984
985 if (WARN_ON(!wdev->cac_started && event != NL80211_RADAR_CAC_STARTED))
986 return;
987
988 switch (event) {
989 case NL80211_RADAR_CAC_FINISHED:
990 timeout = wdev->cac_start_time +
991 msecs_to_jiffies(wdev->cac_time_ms);
992 WARN_ON(!time_after_eq(jiffies, timeout));
993 cfg80211_set_dfs_state(wiphy, chandef, NL80211_DFS_AVAILABLE);
994 memcpy(&rdev->cac_done_chandef, chandef,
995 sizeof(struct cfg80211_chan_def));
996 queue_work(cfg80211_wq, &rdev->propagate_cac_done_wk);
997 cfg80211_sched_dfs_chan_update(rdev);
998 fallthrough;
999 case NL80211_RADAR_CAC_ABORTED:
1000 wdev->cac_started = false;
1001 break;
1002 case NL80211_RADAR_CAC_STARTED:
1003 wdev->cac_started = true;
1004 break;
1005 default:
1006 WARN_ON(1);
1007 return;
1008 }
1009
1010 nl80211_radar_notify(rdev, chandef, event, netdev, gfp);
1011 }
1012 EXPORT_SYMBOL(cfg80211_cac_event);
1013
1014 static void
__cfg80211_background_cac_event(struct cfg80211_registered_device * rdev,struct wireless_dev * wdev,const struct cfg80211_chan_def * chandef,enum nl80211_radar_event event)1015 __cfg80211_background_cac_event(struct cfg80211_registered_device *rdev,
1016 struct wireless_dev *wdev,
1017 const struct cfg80211_chan_def *chandef,
1018 enum nl80211_radar_event event)
1019 {
1020 struct wiphy *wiphy = &rdev->wiphy;
1021 struct net_device *netdev;
1022
1023 lockdep_assert_wiphy(&rdev->wiphy);
1024
1025 if (!cfg80211_chandef_valid(chandef))
1026 return;
1027
1028 if (!rdev->background_radar_wdev)
1029 return;
1030
1031 switch (event) {
1032 case NL80211_RADAR_CAC_FINISHED:
1033 cfg80211_set_dfs_state(wiphy, chandef, NL80211_DFS_AVAILABLE);
1034 memcpy(&rdev->cac_done_chandef, chandef, sizeof(*chandef));
1035 queue_work(cfg80211_wq, &rdev->propagate_cac_done_wk);
1036 cfg80211_sched_dfs_chan_update(rdev);
1037 wdev = rdev->background_radar_wdev;
1038 break;
1039 case NL80211_RADAR_CAC_ABORTED:
1040 if (!cancel_delayed_work(&rdev->background_cac_done_wk))
1041 return;
1042 wdev = rdev->background_radar_wdev;
1043 break;
1044 case NL80211_RADAR_CAC_STARTED:
1045 break;
1046 default:
1047 return;
1048 }
1049
1050 netdev = wdev ? wdev->netdev : NULL;
1051 nl80211_radar_notify(rdev, chandef, event, netdev, GFP_KERNEL);
1052 }
1053
1054 static void
cfg80211_background_cac_event(struct cfg80211_registered_device * rdev,const struct cfg80211_chan_def * chandef,enum nl80211_radar_event event)1055 cfg80211_background_cac_event(struct cfg80211_registered_device *rdev,
1056 const struct cfg80211_chan_def *chandef,
1057 enum nl80211_radar_event event)
1058 {
1059 wiphy_lock(&rdev->wiphy);
1060 __cfg80211_background_cac_event(rdev, rdev->background_radar_wdev,
1061 chandef, event);
1062 wiphy_unlock(&rdev->wiphy);
1063 }
1064
cfg80211_background_cac_done_wk(struct work_struct * work)1065 void cfg80211_background_cac_done_wk(struct work_struct *work)
1066 {
1067 struct delayed_work *delayed_work = to_delayed_work(work);
1068 struct cfg80211_registered_device *rdev;
1069
1070 rdev = container_of(delayed_work, struct cfg80211_registered_device,
1071 background_cac_done_wk);
1072 cfg80211_background_cac_event(rdev, &rdev->background_radar_chandef,
1073 NL80211_RADAR_CAC_FINISHED);
1074 }
1075
cfg80211_background_cac_abort_wk(struct work_struct * work)1076 void cfg80211_background_cac_abort_wk(struct work_struct *work)
1077 {
1078 struct cfg80211_registered_device *rdev;
1079
1080 rdev = container_of(work, struct cfg80211_registered_device,
1081 background_cac_abort_wk);
1082 cfg80211_background_cac_event(rdev, &rdev->background_radar_chandef,
1083 NL80211_RADAR_CAC_ABORTED);
1084 }
1085
cfg80211_background_cac_abort(struct wiphy * wiphy)1086 void cfg80211_background_cac_abort(struct wiphy *wiphy)
1087 {
1088 struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
1089
1090 queue_work(cfg80211_wq, &rdev->background_cac_abort_wk);
1091 }
1092 EXPORT_SYMBOL(cfg80211_background_cac_abort);
1093
1094 int
cfg80211_start_background_radar_detection(struct cfg80211_registered_device * rdev,struct wireless_dev * wdev,struct cfg80211_chan_def * chandef)1095 cfg80211_start_background_radar_detection(struct cfg80211_registered_device *rdev,
1096 struct wireless_dev *wdev,
1097 struct cfg80211_chan_def *chandef)
1098 {
1099 unsigned int cac_time_ms;
1100 int err;
1101
1102 lockdep_assert_wiphy(&rdev->wiphy);
1103
1104 if (!wiphy_ext_feature_isset(&rdev->wiphy,
1105 NL80211_EXT_FEATURE_RADAR_BACKGROUND))
1106 return -EOPNOTSUPP;
1107
1108 /* Offchannel chain already locked by another wdev */
1109 if (rdev->background_radar_wdev && rdev->background_radar_wdev != wdev)
1110 return -EBUSY;
1111
1112 /* CAC already in progress on the offchannel chain */
1113 if (rdev->background_radar_wdev == wdev &&
1114 delayed_work_pending(&rdev->background_cac_done_wk))
1115 return -EBUSY;
1116
1117 err = rdev_set_radar_background(rdev, chandef);
1118 if (err)
1119 return err;
1120
1121 cac_time_ms = cfg80211_chandef_dfs_cac_time(&rdev->wiphy, chandef);
1122 if (!cac_time_ms)
1123 cac_time_ms = IEEE80211_DFS_MIN_CAC_TIME_MS;
1124
1125 rdev->background_radar_chandef = *chandef;
1126 rdev->background_radar_wdev = wdev; /* Get offchain ownership */
1127
1128 __cfg80211_background_cac_event(rdev, wdev, chandef,
1129 NL80211_RADAR_CAC_STARTED);
1130 queue_delayed_work(cfg80211_wq, &rdev->background_cac_done_wk,
1131 msecs_to_jiffies(cac_time_ms));
1132
1133 return 0;
1134 }
1135
cfg80211_stop_background_radar_detection(struct wireless_dev * wdev)1136 void cfg80211_stop_background_radar_detection(struct wireless_dev *wdev)
1137 {
1138 struct wiphy *wiphy = wdev->wiphy;
1139 struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
1140
1141 lockdep_assert_wiphy(wiphy);
1142
1143 if (wdev != rdev->background_radar_wdev)
1144 return;
1145
1146 rdev_set_radar_background(rdev, NULL);
1147 rdev->background_radar_wdev = NULL; /* Release offchain ownership */
1148
1149 __cfg80211_background_cac_event(rdev, wdev,
1150 &rdev->background_radar_chandef,
1151 NL80211_RADAR_CAC_ABORTED);
1152 }
1153