1 // SPDX-License-Identifier: GPL-2.0
2 /*
3 * cfg80211 MLME SAP interface
4 *
5 * Copyright (c) 2009, Jouni Malinen <j@w1.fi>
6 * Copyright (c) 2015 Intel Deutschland GmbH
7 * Copyright (C) 2019-2020, 2022 Intel Corporation
8 */
9
10 #include <linux/kernel.h>
11 #include <linux/module.h>
12 #include <linux/etherdevice.h>
13 #include <linux/netdevice.h>
14 #include <linux/nl80211.h>
15 #include <linux/slab.h>
16 #include <linux/wireless.h>
17 #include <net/cfg80211.h>
18 #include <net/iw_handler.h>
19 #include "core.h"
20 #include "nl80211.h"
21 #include "rdev-ops.h"
22
23
cfg80211_rx_assoc_resp(struct net_device * dev,struct cfg80211_rx_assoc_resp * data)24 void cfg80211_rx_assoc_resp(struct net_device *dev,
25 struct cfg80211_rx_assoc_resp *data)
26 {
27 struct wireless_dev *wdev = dev->ieee80211_ptr;
28 struct wiphy *wiphy = wdev->wiphy;
29 struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
30 struct ieee80211_mgmt *mgmt = (struct ieee80211_mgmt *)data->buf;
31 struct cfg80211_connect_resp_params cr = {
32 .timeout_reason = NL80211_TIMEOUT_UNSPECIFIED,
33 .req_ie = data->req_ies,
34 .req_ie_len = data->req_ies_len,
35 .resp_ie = mgmt->u.assoc_resp.variable,
36 .resp_ie_len = data->len -
37 offsetof(struct ieee80211_mgmt,
38 u.assoc_resp.variable),
39 .status = le16_to_cpu(mgmt->u.assoc_resp.status_code),
40 .ap_mld_addr = data->ap_mld_addr,
41 };
42 unsigned int link_id;
43
44 for (link_id = 0; link_id < ARRAY_SIZE(data->links); link_id++) {
45 cr.links[link_id].bss = data->links[link_id].bss;
46 if (!cr.links[link_id].bss)
47 continue;
48 cr.links[link_id].bssid = data->links[link_id].bss->bssid;
49 cr.links[link_id].addr = data->links[link_id].addr;
50 /* need to have local link addresses for MLO connections */
51 WARN_ON(cr.ap_mld_addr && !cr.links[link_id].addr);
52
53 if (cr.links[link_id].bss->channel->band == NL80211_BAND_S1GHZ) {
54 WARN_ON(link_id);
55 cr.resp_ie = (u8 *)&mgmt->u.s1g_assoc_resp.variable;
56 cr.resp_ie_len = data->len -
57 offsetof(struct ieee80211_mgmt,
58 u.s1g_assoc_resp.variable);
59 }
60
61 if (cr.ap_mld_addr)
62 cr.valid_links |= BIT(link_id);
63 }
64
65 trace_cfg80211_send_rx_assoc(dev, data);
66
67 /*
68 * This is a bit of a hack, we don't notify userspace of
69 * a (re-)association reply if we tried to send a reassoc
70 * and got a reject -- we only try again with an assoc
71 * frame instead of reassoc.
72 */
73 if (cfg80211_sme_rx_assoc_resp(wdev, cr.status)) {
74 for (link_id = 0; link_id < ARRAY_SIZE(data->links); link_id++) {
75 struct cfg80211_bss *bss = data->links[link_id].bss;
76
77 if (!bss)
78 continue;
79
80 cfg80211_unhold_bss(bss_from_pub(bss));
81 cfg80211_put_bss(wiphy, bss);
82 }
83 return;
84 }
85
86 nl80211_send_rx_assoc(rdev, dev, data);
87 /* update current_bss etc., consumes the bss reference */
88 __cfg80211_connect_result(dev, &cr, cr.status == WLAN_STATUS_SUCCESS);
89 }
90 EXPORT_SYMBOL(cfg80211_rx_assoc_resp);
91
cfg80211_process_auth(struct wireless_dev * wdev,const u8 * buf,size_t len)92 static void cfg80211_process_auth(struct wireless_dev *wdev,
93 const u8 *buf, size_t len)
94 {
95 struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
96
97 nl80211_send_rx_auth(rdev, wdev->netdev, buf, len, GFP_KERNEL);
98 cfg80211_sme_rx_auth(wdev, buf, len);
99 }
100
cfg80211_process_deauth(struct wireless_dev * wdev,const u8 * buf,size_t len,bool reconnect)101 static void cfg80211_process_deauth(struct wireless_dev *wdev,
102 const u8 *buf, size_t len,
103 bool reconnect)
104 {
105 struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
106 struct ieee80211_mgmt *mgmt = (struct ieee80211_mgmt *)buf;
107 const u8 *bssid = mgmt->bssid;
108 u16 reason_code = le16_to_cpu(mgmt->u.deauth.reason_code);
109 bool from_ap = !ether_addr_equal(mgmt->sa, wdev->netdev->dev_addr);
110
111 nl80211_send_deauth(rdev, wdev->netdev, buf, len, reconnect, GFP_KERNEL);
112
113 if (!wdev->connected || !ether_addr_equal(wdev->u.client.connected_addr, bssid))
114 return;
115
116 __cfg80211_disconnected(wdev->netdev, NULL, 0, reason_code, from_ap);
117 cfg80211_sme_deauth(wdev);
118 }
119
cfg80211_process_disassoc(struct wireless_dev * wdev,const u8 * buf,size_t len,bool reconnect)120 static void cfg80211_process_disassoc(struct wireless_dev *wdev,
121 const u8 *buf, size_t len,
122 bool reconnect)
123 {
124 struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
125 struct ieee80211_mgmt *mgmt = (struct ieee80211_mgmt *)buf;
126 const u8 *bssid = mgmt->bssid;
127 u16 reason_code = le16_to_cpu(mgmt->u.disassoc.reason_code);
128 bool from_ap = !ether_addr_equal(mgmt->sa, wdev->netdev->dev_addr);
129
130 nl80211_send_disassoc(rdev, wdev->netdev, buf, len, reconnect,
131 GFP_KERNEL);
132
133 if (WARN_ON(!wdev->connected ||
134 !ether_addr_equal(wdev->u.client.connected_addr, bssid)))
135 return;
136
137 __cfg80211_disconnected(wdev->netdev, NULL, 0, reason_code, from_ap);
138 cfg80211_sme_disassoc(wdev);
139 }
140
cfg80211_rx_mlme_mgmt(struct net_device * dev,const u8 * buf,size_t len)141 void cfg80211_rx_mlme_mgmt(struct net_device *dev, const u8 *buf, size_t len)
142 {
143 struct wireless_dev *wdev = dev->ieee80211_ptr;
144 struct ieee80211_mgmt *mgmt = (void *)buf;
145
146 ASSERT_WDEV_LOCK(wdev);
147
148 trace_cfg80211_rx_mlme_mgmt(dev, buf, len);
149
150 if (WARN_ON(len < 2))
151 return;
152
153 if (ieee80211_is_auth(mgmt->frame_control))
154 cfg80211_process_auth(wdev, buf, len);
155 else if (ieee80211_is_deauth(mgmt->frame_control))
156 cfg80211_process_deauth(wdev, buf, len, false);
157 else if (ieee80211_is_disassoc(mgmt->frame_control))
158 cfg80211_process_disassoc(wdev, buf, len, false);
159 }
160 EXPORT_SYMBOL(cfg80211_rx_mlme_mgmt);
161
cfg80211_auth_timeout(struct net_device * dev,const u8 * addr)162 void cfg80211_auth_timeout(struct net_device *dev, const u8 *addr)
163 {
164 struct wireless_dev *wdev = dev->ieee80211_ptr;
165 struct wiphy *wiphy = wdev->wiphy;
166 struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
167
168 trace_cfg80211_send_auth_timeout(dev, addr);
169
170 nl80211_send_auth_timeout(rdev, dev, addr, GFP_KERNEL);
171 cfg80211_sme_auth_timeout(wdev);
172 }
173 EXPORT_SYMBOL(cfg80211_auth_timeout);
174
cfg80211_assoc_failure(struct net_device * dev,struct cfg80211_assoc_failure * data)175 void cfg80211_assoc_failure(struct net_device *dev,
176 struct cfg80211_assoc_failure *data)
177 {
178 struct wireless_dev *wdev = dev->ieee80211_ptr;
179 struct wiphy *wiphy = wdev->wiphy;
180 struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
181 const u8 *addr = data->ap_mld_addr ?: data->bss[0]->bssid;
182 int i;
183
184 trace_cfg80211_send_assoc_failure(dev, data);
185
186 if (data->timeout) {
187 nl80211_send_assoc_timeout(rdev, dev, addr, GFP_KERNEL);
188 cfg80211_sme_assoc_timeout(wdev);
189 } else {
190 cfg80211_sme_abandon_assoc(wdev);
191 }
192
193 for (i = 0; i < ARRAY_SIZE(data->bss); i++) {
194 struct cfg80211_bss *bss = data->bss[i];
195
196 if (!bss)
197 continue;
198
199 cfg80211_unhold_bss(bss_from_pub(bss));
200 cfg80211_put_bss(wiphy, bss);
201 }
202 }
203 EXPORT_SYMBOL(cfg80211_assoc_failure);
204
cfg80211_tx_mlme_mgmt(struct net_device * dev,const u8 * buf,size_t len,bool reconnect)205 void cfg80211_tx_mlme_mgmt(struct net_device *dev, const u8 *buf, size_t len,
206 bool reconnect)
207 {
208 struct wireless_dev *wdev = dev->ieee80211_ptr;
209 struct ieee80211_mgmt *mgmt = (void *)buf;
210
211 ASSERT_WDEV_LOCK(wdev);
212
213 trace_cfg80211_tx_mlme_mgmt(dev, buf, len, reconnect);
214
215 if (WARN_ON(len < 2))
216 return;
217
218 if (ieee80211_is_deauth(mgmt->frame_control))
219 cfg80211_process_deauth(wdev, buf, len, reconnect);
220 else
221 cfg80211_process_disassoc(wdev, buf, len, reconnect);
222 }
223 EXPORT_SYMBOL(cfg80211_tx_mlme_mgmt);
224
cfg80211_michael_mic_failure(struct net_device * dev,const u8 * addr,enum nl80211_key_type key_type,int key_id,const u8 * tsc,gfp_t gfp)225 void cfg80211_michael_mic_failure(struct net_device *dev, const u8 *addr,
226 enum nl80211_key_type key_type, int key_id,
227 const u8 *tsc, gfp_t gfp)
228 {
229 struct wiphy *wiphy = dev->ieee80211_ptr->wiphy;
230 struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
231 #ifdef CONFIG_CFG80211_WEXT
232 union iwreq_data wrqu;
233 char *buf = kmalloc(128, gfp);
234
235 if (buf) {
236 sprintf(buf, "MLME-MICHAELMICFAILURE.indication("
237 "keyid=%d %scast addr=%pM)", key_id,
238 key_type == NL80211_KEYTYPE_GROUP ? "broad" : "uni",
239 addr);
240 memset(&wrqu, 0, sizeof(wrqu));
241 wrqu.data.length = strlen(buf);
242 wireless_send_event(dev, IWEVCUSTOM, &wrqu, buf);
243 kfree(buf);
244 }
245 #endif
246
247 trace_cfg80211_michael_mic_failure(dev, addr, key_type, key_id, tsc);
248 nl80211_michael_mic_failure(rdev, dev, addr, key_type, key_id, tsc, gfp);
249 }
250 EXPORT_SYMBOL(cfg80211_michael_mic_failure);
251
252 /* some MLME handling for userspace SME */
cfg80211_mlme_auth(struct cfg80211_registered_device * rdev,struct net_device * dev,struct cfg80211_auth_request * req)253 int cfg80211_mlme_auth(struct cfg80211_registered_device *rdev,
254 struct net_device *dev,
255 struct cfg80211_auth_request *req)
256 {
257 struct wireless_dev *wdev = dev->ieee80211_ptr;
258
259 ASSERT_WDEV_LOCK(wdev);
260
261 if (!req->bss)
262 return -ENOENT;
263
264 if (req->link_id >= 0 &&
265 !(wdev->wiphy->flags & WIPHY_FLAG_SUPPORTS_MLO))
266 return -EINVAL;
267
268 if (req->auth_type == NL80211_AUTHTYPE_SHARED_KEY) {
269 if (!req->key || !req->key_len ||
270 req->key_idx < 0 || req->key_idx > 3)
271 return -EINVAL;
272 }
273
274 if (wdev->connected &&
275 ether_addr_equal(req->bss->bssid, wdev->u.client.connected_addr))
276 return -EALREADY;
277
278 return rdev_auth(rdev, dev, req);
279 }
280
281 /* Do a logical ht_capa &= ht_capa_mask. */
cfg80211_oper_and_ht_capa(struct ieee80211_ht_cap * ht_capa,const struct ieee80211_ht_cap * ht_capa_mask)282 void cfg80211_oper_and_ht_capa(struct ieee80211_ht_cap *ht_capa,
283 const struct ieee80211_ht_cap *ht_capa_mask)
284 {
285 int i;
286 u8 *p1, *p2;
287 if (!ht_capa_mask) {
288 memset(ht_capa, 0, sizeof(*ht_capa));
289 return;
290 }
291
292 p1 = (u8*)(ht_capa);
293 p2 = (u8*)(ht_capa_mask);
294 for (i = 0; i < sizeof(*ht_capa); i++)
295 p1[i] &= p2[i];
296 }
297
298 /* Do a logical vht_capa &= vht_capa_mask. */
cfg80211_oper_and_vht_capa(struct ieee80211_vht_cap * vht_capa,const struct ieee80211_vht_cap * vht_capa_mask)299 void cfg80211_oper_and_vht_capa(struct ieee80211_vht_cap *vht_capa,
300 const struct ieee80211_vht_cap *vht_capa_mask)
301 {
302 int i;
303 u8 *p1, *p2;
304 if (!vht_capa_mask) {
305 memset(vht_capa, 0, sizeof(*vht_capa));
306 return;
307 }
308
309 p1 = (u8*)(vht_capa);
310 p2 = (u8*)(vht_capa_mask);
311 for (i = 0; i < sizeof(*vht_capa); i++)
312 p1[i] &= p2[i];
313 }
314
315 /* Note: caller must cfg80211_put_bss() regardless of result */
cfg80211_mlme_assoc(struct cfg80211_registered_device * rdev,struct net_device * dev,struct cfg80211_assoc_request * req)316 int cfg80211_mlme_assoc(struct cfg80211_registered_device *rdev,
317 struct net_device *dev,
318 struct cfg80211_assoc_request *req)
319 {
320 struct wireless_dev *wdev = dev->ieee80211_ptr;
321 int err, i, j;
322
323 ASSERT_WDEV_LOCK(wdev);
324
325 for (i = 1; i < ARRAY_SIZE(req->links); i++) {
326 if (!req->links[i].bss)
327 continue;
328 for (j = 0; j < i; j++) {
329 if (req->links[i].bss == req->links[j].bss)
330 return -EINVAL;
331 }
332 }
333
334 if (wdev->connected &&
335 (!req->prev_bssid ||
336 !ether_addr_equal(wdev->u.client.connected_addr, req->prev_bssid)))
337 return -EALREADY;
338
339 cfg80211_oper_and_ht_capa(&req->ht_capa_mask,
340 rdev->wiphy.ht_capa_mod_mask);
341 cfg80211_oper_and_vht_capa(&req->vht_capa_mask,
342 rdev->wiphy.vht_capa_mod_mask);
343
344 err = rdev_assoc(rdev, dev, req);
345 if (!err) {
346 int link_id;
347
348 if (req->bss) {
349 cfg80211_ref_bss(&rdev->wiphy, req->bss);
350 cfg80211_hold_bss(bss_from_pub(req->bss));
351 }
352
353 for (link_id = 0; link_id < ARRAY_SIZE(req->links); link_id++) {
354 if (!req->links[link_id].bss)
355 continue;
356 cfg80211_ref_bss(&rdev->wiphy, req->links[link_id].bss);
357 cfg80211_hold_bss(bss_from_pub(req->links[link_id].bss));
358 }
359 }
360 return err;
361 }
362
cfg80211_mlme_deauth(struct cfg80211_registered_device * rdev,struct net_device * dev,const u8 * bssid,const u8 * ie,int ie_len,u16 reason,bool local_state_change)363 int cfg80211_mlme_deauth(struct cfg80211_registered_device *rdev,
364 struct net_device *dev, const u8 *bssid,
365 const u8 *ie, int ie_len, u16 reason,
366 bool local_state_change)
367 {
368 struct wireless_dev *wdev = dev->ieee80211_ptr;
369 struct cfg80211_deauth_request req = {
370 .bssid = bssid,
371 .reason_code = reason,
372 .ie = ie,
373 .ie_len = ie_len,
374 .local_state_change = local_state_change,
375 };
376
377 ASSERT_WDEV_LOCK(wdev);
378
379 if (local_state_change &&
380 (!wdev->connected ||
381 !ether_addr_equal(wdev->u.client.connected_addr, bssid)))
382 return 0;
383
384 if (ether_addr_equal(wdev->disconnect_bssid, bssid) ||
385 (wdev->connected &&
386 ether_addr_equal(wdev->u.client.connected_addr, bssid)))
387 wdev->conn_owner_nlportid = 0;
388
389 return rdev_deauth(rdev, dev, &req);
390 }
391
cfg80211_mlme_disassoc(struct cfg80211_registered_device * rdev,struct net_device * dev,const u8 * ap_addr,const u8 * ie,int ie_len,u16 reason,bool local_state_change)392 int cfg80211_mlme_disassoc(struct cfg80211_registered_device *rdev,
393 struct net_device *dev, const u8 *ap_addr,
394 const u8 *ie, int ie_len, u16 reason,
395 bool local_state_change)
396 {
397 struct wireless_dev *wdev = dev->ieee80211_ptr;
398 struct cfg80211_disassoc_request req = {
399 .reason_code = reason,
400 .local_state_change = local_state_change,
401 .ie = ie,
402 .ie_len = ie_len,
403 .ap_addr = ap_addr,
404 };
405 int err;
406
407 ASSERT_WDEV_LOCK(wdev);
408
409 if (!wdev->connected)
410 return -ENOTCONN;
411
412 if (memcmp(wdev->u.client.connected_addr, ap_addr, ETH_ALEN))
413 return -ENOTCONN;
414
415 err = rdev_disassoc(rdev, dev, &req);
416 if (err)
417 return err;
418
419 /* driver should have reported the disassoc */
420 WARN_ON(wdev->connected);
421 return 0;
422 }
423
cfg80211_mlme_down(struct cfg80211_registered_device * rdev,struct net_device * dev)424 void cfg80211_mlme_down(struct cfg80211_registered_device *rdev,
425 struct net_device *dev)
426 {
427 struct wireless_dev *wdev = dev->ieee80211_ptr;
428 u8 bssid[ETH_ALEN];
429
430 ASSERT_WDEV_LOCK(wdev);
431
432 if (!rdev->ops->deauth)
433 return;
434
435 if (!wdev->connected)
436 return;
437
438 memcpy(bssid, wdev->u.client.connected_addr, ETH_ALEN);
439 cfg80211_mlme_deauth(rdev, dev, bssid, NULL, 0,
440 WLAN_REASON_DEAUTH_LEAVING, false);
441 }
442
443 struct cfg80211_mgmt_registration {
444 struct list_head list;
445 struct wireless_dev *wdev;
446
447 u32 nlportid;
448
449 int match_len;
450
451 __le16 frame_type;
452
453 bool multicast_rx;
454
455 u8 match[];
456 };
457
cfg80211_mgmt_registrations_update(struct wireless_dev * wdev)458 static void cfg80211_mgmt_registrations_update(struct wireless_dev *wdev)
459 {
460 struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
461 struct wireless_dev *tmp;
462 struct cfg80211_mgmt_registration *reg;
463 struct mgmt_frame_regs upd = {};
464
465 lockdep_assert_held(&rdev->wiphy.mtx);
466
467 spin_lock_bh(&rdev->mgmt_registrations_lock);
468 if (!wdev->mgmt_registrations_need_update) {
469 spin_unlock_bh(&rdev->mgmt_registrations_lock);
470 return;
471 }
472
473 rcu_read_lock();
474 list_for_each_entry_rcu(tmp, &rdev->wiphy.wdev_list, list) {
475 list_for_each_entry(reg, &tmp->mgmt_registrations, list) {
476 u32 mask = BIT(le16_to_cpu(reg->frame_type) >> 4);
477 u32 mcast_mask = 0;
478
479 if (reg->multicast_rx)
480 mcast_mask = mask;
481
482 upd.global_stypes |= mask;
483 upd.global_mcast_stypes |= mcast_mask;
484
485 if (tmp == wdev) {
486 upd.interface_stypes |= mask;
487 upd.interface_mcast_stypes |= mcast_mask;
488 }
489 }
490 }
491 rcu_read_unlock();
492
493 wdev->mgmt_registrations_need_update = 0;
494 spin_unlock_bh(&rdev->mgmt_registrations_lock);
495
496 rdev_update_mgmt_frame_registrations(rdev, wdev, &upd);
497 }
498
cfg80211_mgmt_registrations_update_wk(struct work_struct * wk)499 void cfg80211_mgmt_registrations_update_wk(struct work_struct *wk)
500 {
501 struct cfg80211_registered_device *rdev;
502 struct wireless_dev *wdev;
503
504 rdev = container_of(wk, struct cfg80211_registered_device,
505 mgmt_registrations_update_wk);
506
507 wiphy_lock(&rdev->wiphy);
508 list_for_each_entry(wdev, &rdev->wiphy.wdev_list, list)
509 cfg80211_mgmt_registrations_update(wdev);
510 wiphy_unlock(&rdev->wiphy);
511 }
512
cfg80211_mlme_register_mgmt(struct wireless_dev * wdev,u32 snd_portid,u16 frame_type,const u8 * match_data,int match_len,bool multicast_rx,struct netlink_ext_ack * extack)513 int cfg80211_mlme_register_mgmt(struct wireless_dev *wdev, u32 snd_portid,
514 u16 frame_type, const u8 *match_data,
515 int match_len, bool multicast_rx,
516 struct netlink_ext_ack *extack)
517 {
518 struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
519 struct cfg80211_mgmt_registration *reg, *nreg;
520 int err = 0;
521 u16 mgmt_type;
522 bool update_multicast = false;
523
524 if (!wdev->wiphy->mgmt_stypes)
525 return -EOPNOTSUPP;
526
527 if ((frame_type & IEEE80211_FCTL_FTYPE) != IEEE80211_FTYPE_MGMT) {
528 NL_SET_ERR_MSG(extack, "frame type not management");
529 return -EINVAL;
530 }
531
532 if (frame_type & ~(IEEE80211_FCTL_FTYPE | IEEE80211_FCTL_STYPE)) {
533 NL_SET_ERR_MSG(extack, "Invalid frame type");
534 return -EINVAL;
535 }
536
537 mgmt_type = (frame_type & IEEE80211_FCTL_STYPE) >> 4;
538 if (!(wdev->wiphy->mgmt_stypes[wdev->iftype].rx & BIT(mgmt_type))) {
539 NL_SET_ERR_MSG(extack,
540 "Registration to specific type not supported");
541 return -EINVAL;
542 }
543
544 /*
545 * To support Pre Association Security Negotiation (PASN), registration
546 * for authentication frames should be supported. However, as some
547 * versions of the user space daemons wrongly register to all types of
548 * authentication frames (which might result in unexpected behavior)
549 * allow such registration if the request is for a specific
550 * authentication algorithm number.
551 */
552 if (wdev->iftype == NL80211_IFTYPE_STATION &&
553 (frame_type & IEEE80211_FCTL_STYPE) == IEEE80211_STYPE_AUTH &&
554 !(match_data && match_len >= 2)) {
555 NL_SET_ERR_MSG(extack,
556 "Authentication algorithm number required");
557 return -EINVAL;
558 }
559
560 nreg = kzalloc(sizeof(*reg) + match_len, GFP_KERNEL);
561 if (!nreg)
562 return -ENOMEM;
563
564 spin_lock_bh(&rdev->mgmt_registrations_lock);
565
566 list_for_each_entry(reg, &wdev->mgmt_registrations, list) {
567 int mlen = min(match_len, reg->match_len);
568
569 if (frame_type != le16_to_cpu(reg->frame_type))
570 continue;
571
572 if (memcmp(reg->match, match_data, mlen) == 0) {
573 if (reg->multicast_rx != multicast_rx) {
574 update_multicast = true;
575 reg->multicast_rx = multicast_rx;
576 break;
577 }
578 NL_SET_ERR_MSG(extack, "Match already configured");
579 err = -EALREADY;
580 break;
581 }
582 }
583
584 if (err)
585 goto out;
586
587 if (update_multicast) {
588 kfree(nreg);
589 } else {
590 memcpy(nreg->match, match_data, match_len);
591 nreg->match_len = match_len;
592 nreg->nlportid = snd_portid;
593 nreg->frame_type = cpu_to_le16(frame_type);
594 nreg->wdev = wdev;
595 nreg->multicast_rx = multicast_rx;
596 list_add(&nreg->list, &wdev->mgmt_registrations);
597 }
598 wdev->mgmt_registrations_need_update = 1;
599 spin_unlock_bh(&rdev->mgmt_registrations_lock);
600
601 cfg80211_mgmt_registrations_update(wdev);
602
603 return 0;
604
605 out:
606 kfree(nreg);
607 spin_unlock_bh(&rdev->mgmt_registrations_lock);
608
609 return err;
610 }
611
cfg80211_mlme_unregister_socket(struct wireless_dev * wdev,u32 nlportid)612 void cfg80211_mlme_unregister_socket(struct wireless_dev *wdev, u32 nlportid)
613 {
614 struct wiphy *wiphy = wdev->wiphy;
615 struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
616 struct cfg80211_mgmt_registration *reg, *tmp;
617
618 spin_lock_bh(&rdev->mgmt_registrations_lock);
619
620 list_for_each_entry_safe(reg, tmp, &wdev->mgmt_registrations, list) {
621 if (reg->nlportid != nlportid)
622 continue;
623
624 list_del(®->list);
625 kfree(reg);
626
627 wdev->mgmt_registrations_need_update = 1;
628 schedule_work(&rdev->mgmt_registrations_update_wk);
629 }
630
631 spin_unlock_bh(&rdev->mgmt_registrations_lock);
632
633 if (nlportid && rdev->crit_proto_nlportid == nlportid) {
634 rdev->crit_proto_nlportid = 0;
635 rdev_crit_proto_stop(rdev, wdev);
636 }
637
638 if (nlportid == wdev->ap_unexpected_nlportid)
639 wdev->ap_unexpected_nlportid = 0;
640 }
641
cfg80211_mlme_purge_registrations(struct wireless_dev * wdev)642 void cfg80211_mlme_purge_registrations(struct wireless_dev *wdev)
643 {
644 struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
645 struct cfg80211_mgmt_registration *reg, *tmp;
646
647 spin_lock_bh(&rdev->mgmt_registrations_lock);
648 list_for_each_entry_safe(reg, tmp, &wdev->mgmt_registrations, list) {
649 list_del(®->list);
650 kfree(reg);
651 }
652 wdev->mgmt_registrations_need_update = 1;
653 spin_unlock_bh(&rdev->mgmt_registrations_lock);
654
655 cfg80211_mgmt_registrations_update(wdev);
656 }
657
cfg80211_allowed_address(struct wireless_dev * wdev,const u8 * addr)658 static bool cfg80211_allowed_address(struct wireless_dev *wdev, const u8 *addr)
659 {
660 int i;
661
662 for_each_valid_link(wdev, i) {
663 if (ether_addr_equal(addr, wdev->links[i].addr))
664 return true;
665 }
666
667 return ether_addr_equal(addr, wdev_address(wdev));
668 }
669
cfg80211_mlme_mgmt_tx(struct cfg80211_registered_device * rdev,struct wireless_dev * wdev,struct cfg80211_mgmt_tx_params * params,u64 * cookie)670 int cfg80211_mlme_mgmt_tx(struct cfg80211_registered_device *rdev,
671 struct wireless_dev *wdev,
672 struct cfg80211_mgmt_tx_params *params, u64 *cookie)
673 {
674 const struct ieee80211_mgmt *mgmt;
675 u16 stype;
676
677 if (!wdev->wiphy->mgmt_stypes)
678 return -EOPNOTSUPP;
679
680 if (!rdev->ops->mgmt_tx)
681 return -EOPNOTSUPP;
682
683 if (params->len < 24 + 1)
684 return -EINVAL;
685
686 mgmt = (const struct ieee80211_mgmt *)params->buf;
687
688 if (!ieee80211_is_mgmt(mgmt->frame_control))
689 return -EINVAL;
690
691 stype = le16_to_cpu(mgmt->frame_control) & IEEE80211_FCTL_STYPE;
692 if (!(wdev->wiphy->mgmt_stypes[wdev->iftype].tx & BIT(stype >> 4)))
693 return -EINVAL;
694
695 if (ieee80211_is_action(mgmt->frame_control) &&
696 mgmt->u.action.category != WLAN_CATEGORY_PUBLIC) {
697 int err = 0;
698
699 wdev_lock(wdev);
700
701 switch (wdev->iftype) {
702 case NL80211_IFTYPE_ADHOC:
703 /*
704 * check for IBSS DA must be done by driver as
705 * cfg80211 doesn't track the stations
706 */
707 if (!wdev->u.ibss.current_bss ||
708 !ether_addr_equal(wdev->u.ibss.current_bss->pub.bssid,
709 mgmt->bssid)) {
710 err = -ENOTCONN;
711 break;
712 }
713 break;
714 case NL80211_IFTYPE_STATION:
715 case NL80211_IFTYPE_P2P_CLIENT:
716 if (!wdev->connected) {
717 err = -ENOTCONN;
718 break;
719 }
720
721 /* FIXME: MLD may address this differently */
722
723 if (!ether_addr_equal(wdev->u.client.connected_addr,
724 mgmt->bssid)) {
725 err = -ENOTCONN;
726 break;
727 }
728
729 /* for station, check that DA is the AP */
730 if (!ether_addr_equal(wdev->u.client.connected_addr,
731 mgmt->da)) {
732 err = -ENOTCONN;
733 break;
734 }
735 break;
736 case NL80211_IFTYPE_AP:
737 case NL80211_IFTYPE_P2P_GO:
738 case NL80211_IFTYPE_AP_VLAN:
739 if (!ether_addr_equal(mgmt->bssid, wdev_address(wdev)) &&
740 (params->link_id < 0 ||
741 !ether_addr_equal(mgmt->bssid,
742 wdev->links[params->link_id].addr)))
743 err = -EINVAL;
744 break;
745 case NL80211_IFTYPE_MESH_POINT:
746 if (!ether_addr_equal(mgmt->sa, mgmt->bssid)) {
747 err = -EINVAL;
748 break;
749 }
750 /*
751 * check for mesh DA must be done by driver as
752 * cfg80211 doesn't track the stations
753 */
754 break;
755 case NL80211_IFTYPE_P2P_DEVICE:
756 /*
757 * fall through, P2P device only supports
758 * public action frames
759 */
760 case NL80211_IFTYPE_NAN:
761 default:
762 err = -EOPNOTSUPP;
763 break;
764 }
765 wdev_unlock(wdev);
766
767 if (err)
768 return err;
769 }
770
771 if (!cfg80211_allowed_address(wdev, mgmt->sa)) {
772 /* Allow random TA to be used with Public Action frames if the
773 * driver has indicated support for this. Otherwise, only allow
774 * the local address to be used.
775 */
776 if (!ieee80211_is_action(mgmt->frame_control) ||
777 mgmt->u.action.category != WLAN_CATEGORY_PUBLIC)
778 return -EINVAL;
779 if (!wdev->connected &&
780 !wiphy_ext_feature_isset(
781 &rdev->wiphy,
782 NL80211_EXT_FEATURE_MGMT_TX_RANDOM_TA))
783 return -EINVAL;
784 if (wdev->connected &&
785 !wiphy_ext_feature_isset(
786 &rdev->wiphy,
787 NL80211_EXT_FEATURE_MGMT_TX_RANDOM_TA_CONNECTED))
788 return -EINVAL;
789 }
790
791 /* Transmit the management frame as requested by user space */
792 return rdev_mgmt_tx(rdev, wdev, params, cookie);
793 }
794
cfg80211_rx_mgmt_ext(struct wireless_dev * wdev,struct cfg80211_rx_info * info)795 bool cfg80211_rx_mgmt_ext(struct wireless_dev *wdev,
796 struct cfg80211_rx_info *info)
797 {
798 struct wiphy *wiphy = wdev->wiphy;
799 struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
800 struct cfg80211_mgmt_registration *reg;
801 const struct ieee80211_txrx_stypes *stypes =
802 &wiphy->mgmt_stypes[wdev->iftype];
803 struct ieee80211_mgmt *mgmt = (void *)info->buf;
804 const u8 *data;
805 int data_len;
806 bool result = false;
807 __le16 ftype = mgmt->frame_control &
808 cpu_to_le16(IEEE80211_FCTL_FTYPE | IEEE80211_FCTL_STYPE);
809 u16 stype;
810
811 trace_cfg80211_rx_mgmt(wdev, info);
812 stype = (le16_to_cpu(mgmt->frame_control) & IEEE80211_FCTL_STYPE) >> 4;
813
814 if (!(stypes->rx & BIT(stype))) {
815 trace_cfg80211_return_bool(false);
816 return false;
817 }
818
819 data = info->buf + ieee80211_hdrlen(mgmt->frame_control);
820 data_len = info->len - ieee80211_hdrlen(mgmt->frame_control);
821
822 spin_lock_bh(&rdev->mgmt_registrations_lock);
823
824 list_for_each_entry(reg, &wdev->mgmt_registrations, list) {
825 if (reg->frame_type != ftype)
826 continue;
827
828 if (reg->match_len > data_len)
829 continue;
830
831 if (memcmp(reg->match, data, reg->match_len))
832 continue;
833
834 /* found match! */
835
836 /* Indicate the received Action frame to user space */
837 if (nl80211_send_mgmt(rdev, wdev, reg->nlportid, info,
838 GFP_ATOMIC))
839 continue;
840
841 result = true;
842 break;
843 }
844
845 spin_unlock_bh(&rdev->mgmt_registrations_lock);
846
847 trace_cfg80211_return_bool(result);
848 return result;
849 }
850 EXPORT_SYMBOL(cfg80211_rx_mgmt_ext);
851
cfg80211_sched_dfs_chan_update(struct cfg80211_registered_device * rdev)852 void cfg80211_sched_dfs_chan_update(struct cfg80211_registered_device *rdev)
853 {
854 cancel_delayed_work(&rdev->dfs_update_channels_wk);
855 queue_delayed_work(cfg80211_wq, &rdev->dfs_update_channels_wk, 0);
856 }
857
cfg80211_dfs_channels_update_work(struct work_struct * work)858 void cfg80211_dfs_channels_update_work(struct work_struct *work)
859 {
860 struct delayed_work *delayed_work = to_delayed_work(work);
861 struct cfg80211_registered_device *rdev;
862 struct cfg80211_chan_def chandef;
863 struct ieee80211_supported_band *sband;
864 struct ieee80211_channel *c;
865 struct wiphy *wiphy;
866 bool check_again = false;
867 unsigned long timeout, next_time = 0;
868 unsigned long time_dfs_update;
869 enum nl80211_radar_event radar_event;
870 int bandid, i;
871
872 rdev = container_of(delayed_work, struct cfg80211_registered_device,
873 dfs_update_channels_wk);
874 wiphy = &rdev->wiphy;
875
876 rtnl_lock();
877 for (bandid = 0; bandid < NUM_NL80211_BANDS; bandid++) {
878 sband = wiphy->bands[bandid];
879 if (!sband)
880 continue;
881
882 for (i = 0; i < sband->n_channels; i++) {
883 c = &sband->channels[i];
884
885 if (!(c->flags & IEEE80211_CHAN_RADAR))
886 continue;
887
888 if (c->dfs_state != NL80211_DFS_UNAVAILABLE &&
889 c->dfs_state != NL80211_DFS_AVAILABLE)
890 continue;
891
892 if (c->dfs_state == NL80211_DFS_UNAVAILABLE) {
893 time_dfs_update = IEEE80211_DFS_MIN_NOP_TIME_MS;
894 radar_event = NL80211_RADAR_NOP_FINISHED;
895 } else {
896 if (regulatory_pre_cac_allowed(wiphy) ||
897 cfg80211_any_wiphy_oper_chan(wiphy, c))
898 continue;
899
900 time_dfs_update = REG_PRE_CAC_EXPIRY_GRACE_MS;
901 radar_event = NL80211_RADAR_PRE_CAC_EXPIRED;
902 }
903
904 timeout = c->dfs_state_entered +
905 msecs_to_jiffies(time_dfs_update);
906
907 if (time_after_eq(jiffies, timeout)) {
908 c->dfs_state = NL80211_DFS_USABLE;
909 c->dfs_state_entered = jiffies;
910
911 cfg80211_chandef_create(&chandef, c,
912 NL80211_CHAN_NO_HT);
913
914 nl80211_radar_notify(rdev, &chandef,
915 radar_event, NULL,
916 GFP_ATOMIC);
917
918 regulatory_propagate_dfs_state(wiphy, &chandef,
919 c->dfs_state,
920 radar_event);
921 continue;
922 }
923
924 if (!check_again)
925 next_time = timeout - jiffies;
926 else
927 next_time = min(next_time, timeout - jiffies);
928 check_again = true;
929 }
930 }
931 rtnl_unlock();
932
933 /* reschedule if there are other channels waiting to be cleared again */
934 if (check_again)
935 queue_delayed_work(cfg80211_wq, &rdev->dfs_update_channels_wk,
936 next_time);
937 }
938
939
__cfg80211_radar_event(struct wiphy * wiphy,struct cfg80211_chan_def * chandef,bool offchan,gfp_t gfp)940 void __cfg80211_radar_event(struct wiphy *wiphy,
941 struct cfg80211_chan_def *chandef,
942 bool offchan, gfp_t gfp)
943 {
944 struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
945
946 trace_cfg80211_radar_event(wiphy, chandef, offchan);
947
948 /* only set the chandef supplied channel to unavailable, in
949 * case the radar is detected on only one of multiple channels
950 * spanned by the chandef.
951 */
952 cfg80211_set_dfs_state(wiphy, chandef, NL80211_DFS_UNAVAILABLE);
953
954 if (offchan)
955 queue_work(cfg80211_wq, &rdev->background_cac_abort_wk);
956
957 cfg80211_sched_dfs_chan_update(rdev);
958
959 nl80211_radar_notify(rdev, chandef, NL80211_RADAR_DETECTED, NULL, gfp);
960
961 memcpy(&rdev->radar_chandef, chandef, sizeof(struct cfg80211_chan_def));
962 queue_work(cfg80211_wq, &rdev->propagate_radar_detect_wk);
963 }
964 EXPORT_SYMBOL(__cfg80211_radar_event);
965
cfg80211_cac_event(struct net_device * netdev,const struct cfg80211_chan_def * chandef,enum nl80211_radar_event event,gfp_t gfp)966 void cfg80211_cac_event(struct net_device *netdev,
967 const struct cfg80211_chan_def *chandef,
968 enum nl80211_radar_event event, gfp_t gfp)
969 {
970 struct wireless_dev *wdev = netdev->ieee80211_ptr;
971 struct wiphy *wiphy = wdev->wiphy;
972 struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
973 unsigned long timeout;
974
975 /* not yet supported */
976 if (wdev->valid_links)
977 return;
978
979 trace_cfg80211_cac_event(netdev, event);
980
981 if (WARN_ON(!wdev->cac_started && event != NL80211_RADAR_CAC_STARTED))
982 return;
983
984 switch (event) {
985 case NL80211_RADAR_CAC_FINISHED:
986 timeout = wdev->cac_start_time +
987 msecs_to_jiffies(wdev->cac_time_ms);
988 WARN_ON(!time_after_eq(jiffies, timeout));
989 cfg80211_set_dfs_state(wiphy, chandef, NL80211_DFS_AVAILABLE);
990 memcpy(&rdev->cac_done_chandef, chandef,
991 sizeof(struct cfg80211_chan_def));
992 queue_work(cfg80211_wq, &rdev->propagate_cac_done_wk);
993 cfg80211_sched_dfs_chan_update(rdev);
994 fallthrough;
995 case NL80211_RADAR_CAC_ABORTED:
996 wdev->cac_started = false;
997 break;
998 case NL80211_RADAR_CAC_STARTED:
999 wdev->cac_started = true;
1000 break;
1001 default:
1002 WARN_ON(1);
1003 return;
1004 }
1005
1006 nl80211_radar_notify(rdev, chandef, event, netdev, gfp);
1007 }
1008 EXPORT_SYMBOL(cfg80211_cac_event);
1009
1010 static void
__cfg80211_background_cac_event(struct cfg80211_registered_device * rdev,struct wireless_dev * wdev,const struct cfg80211_chan_def * chandef,enum nl80211_radar_event event)1011 __cfg80211_background_cac_event(struct cfg80211_registered_device *rdev,
1012 struct wireless_dev *wdev,
1013 const struct cfg80211_chan_def *chandef,
1014 enum nl80211_radar_event event)
1015 {
1016 struct wiphy *wiphy = &rdev->wiphy;
1017 struct net_device *netdev;
1018
1019 lockdep_assert_wiphy(&rdev->wiphy);
1020
1021 if (!cfg80211_chandef_valid(chandef))
1022 return;
1023
1024 if (!rdev->background_radar_wdev)
1025 return;
1026
1027 switch (event) {
1028 case NL80211_RADAR_CAC_FINISHED:
1029 cfg80211_set_dfs_state(wiphy, chandef, NL80211_DFS_AVAILABLE);
1030 memcpy(&rdev->cac_done_chandef, chandef, sizeof(*chandef));
1031 queue_work(cfg80211_wq, &rdev->propagate_cac_done_wk);
1032 cfg80211_sched_dfs_chan_update(rdev);
1033 wdev = rdev->background_radar_wdev;
1034 break;
1035 case NL80211_RADAR_CAC_ABORTED:
1036 if (!cancel_delayed_work(&rdev->background_cac_done_wk))
1037 return;
1038 wdev = rdev->background_radar_wdev;
1039 break;
1040 case NL80211_RADAR_CAC_STARTED:
1041 break;
1042 default:
1043 return;
1044 }
1045
1046 netdev = wdev ? wdev->netdev : NULL;
1047 nl80211_radar_notify(rdev, chandef, event, netdev, GFP_KERNEL);
1048 }
1049
1050 static void
cfg80211_background_cac_event(struct cfg80211_registered_device * rdev,const struct cfg80211_chan_def * chandef,enum nl80211_radar_event event)1051 cfg80211_background_cac_event(struct cfg80211_registered_device *rdev,
1052 const struct cfg80211_chan_def *chandef,
1053 enum nl80211_radar_event event)
1054 {
1055 wiphy_lock(&rdev->wiphy);
1056 __cfg80211_background_cac_event(rdev, rdev->background_radar_wdev,
1057 chandef, event);
1058 wiphy_unlock(&rdev->wiphy);
1059 }
1060
cfg80211_background_cac_done_wk(struct work_struct * work)1061 void cfg80211_background_cac_done_wk(struct work_struct *work)
1062 {
1063 struct delayed_work *delayed_work = to_delayed_work(work);
1064 struct cfg80211_registered_device *rdev;
1065
1066 rdev = container_of(delayed_work, struct cfg80211_registered_device,
1067 background_cac_done_wk);
1068 cfg80211_background_cac_event(rdev, &rdev->background_radar_chandef,
1069 NL80211_RADAR_CAC_FINISHED);
1070 }
1071
cfg80211_background_cac_abort_wk(struct work_struct * work)1072 void cfg80211_background_cac_abort_wk(struct work_struct *work)
1073 {
1074 struct cfg80211_registered_device *rdev;
1075
1076 rdev = container_of(work, struct cfg80211_registered_device,
1077 background_cac_abort_wk);
1078 cfg80211_background_cac_event(rdev, &rdev->background_radar_chandef,
1079 NL80211_RADAR_CAC_ABORTED);
1080 }
1081
cfg80211_background_cac_abort(struct wiphy * wiphy)1082 void cfg80211_background_cac_abort(struct wiphy *wiphy)
1083 {
1084 struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
1085
1086 queue_work(cfg80211_wq, &rdev->background_cac_abort_wk);
1087 }
1088 EXPORT_SYMBOL(cfg80211_background_cac_abort);
1089
1090 int
cfg80211_start_background_radar_detection(struct cfg80211_registered_device * rdev,struct wireless_dev * wdev,struct cfg80211_chan_def * chandef)1091 cfg80211_start_background_radar_detection(struct cfg80211_registered_device *rdev,
1092 struct wireless_dev *wdev,
1093 struct cfg80211_chan_def *chandef)
1094 {
1095 unsigned int cac_time_ms;
1096 int err;
1097
1098 lockdep_assert_wiphy(&rdev->wiphy);
1099
1100 if (!wiphy_ext_feature_isset(&rdev->wiphy,
1101 NL80211_EXT_FEATURE_RADAR_BACKGROUND))
1102 return -EOPNOTSUPP;
1103
1104 /* Offchannel chain already locked by another wdev */
1105 if (rdev->background_radar_wdev && rdev->background_radar_wdev != wdev)
1106 return -EBUSY;
1107
1108 /* CAC already in progress on the offchannel chain */
1109 if (rdev->background_radar_wdev == wdev &&
1110 delayed_work_pending(&rdev->background_cac_done_wk))
1111 return -EBUSY;
1112
1113 err = rdev_set_radar_background(rdev, chandef);
1114 if (err)
1115 return err;
1116
1117 cac_time_ms = cfg80211_chandef_dfs_cac_time(&rdev->wiphy, chandef);
1118 if (!cac_time_ms)
1119 cac_time_ms = IEEE80211_DFS_MIN_CAC_TIME_MS;
1120
1121 rdev->background_radar_chandef = *chandef;
1122 rdev->background_radar_wdev = wdev; /* Get offchain ownership */
1123
1124 __cfg80211_background_cac_event(rdev, wdev, chandef,
1125 NL80211_RADAR_CAC_STARTED);
1126 queue_delayed_work(cfg80211_wq, &rdev->background_cac_done_wk,
1127 msecs_to_jiffies(cac_time_ms));
1128
1129 return 0;
1130 }
1131
cfg80211_stop_background_radar_detection(struct wireless_dev * wdev)1132 void cfg80211_stop_background_radar_detection(struct wireless_dev *wdev)
1133 {
1134 struct wiphy *wiphy = wdev->wiphy;
1135 struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
1136
1137 lockdep_assert_wiphy(wiphy);
1138
1139 if (wdev != rdev->background_radar_wdev)
1140 return;
1141
1142 rdev_set_radar_background(rdev, NULL);
1143 rdev->background_radar_wdev = NULL; /* Release offchain ownership */
1144
1145 __cfg80211_background_cac_event(rdev, wdev,
1146 &rdev->background_radar_chandef,
1147 NL80211_RADAR_CAC_ABORTED);
1148 }
1149