1// SPDX-License-Identifier: GPL-2.0 2/* 3 * cfg80211 scan result handling 4 * 5 * Copyright 2008 Johannes Berg <johannes@sipsolutions.net> 6 * Copyright 2013-2014 Intel Mobile Communications GmbH 7 * Copyright 2016 Intel Deutschland GmbH 8 * Copyright (C) 2018-2023 Intel Corporation 9 */ 10#include <linux/kernel.h> 11#include <linux/slab.h> 12#include <linux/module.h> 13#include <linux/netdevice.h> 14#include <linux/wireless.h> 15#include <linux/nl80211.h> 16#include <linux/etherdevice.h> 17#include <linux/crc32.h> 18#include <linux/bitfield.h> 19#include <net/arp.h> 20#include <net/cfg80211.h> 21#include <net/cfg80211-wext.h> 22#include <net/iw_handler.h> 23#include "core.h" 24#include "nl80211.h" 25#include "wext-compat.h" 26#include "rdev-ops.h" 27 28/** 29 * DOC: BSS tree/list structure 30 * 31 * At the top level, the BSS list is kept in both a list in each 32 * registered device (@bss_list) as well as an RB-tree for faster 33 * lookup. In the RB-tree, entries can be looked up using their 34 * channel, MESHID, MESHCONF (for MBSSes) or channel, BSSID, SSID 35 * for other BSSes. 36 * 37 * Due to the possibility of hidden SSIDs, there's a second level 38 * structure, the "hidden_list" and "hidden_beacon_bss" pointer. 39 * The hidden_list connects all BSSes belonging to a single AP 40 * that has a hidden SSID, and connects beacon and probe response 41 * entries. For a probe response entry for a hidden SSID, the 42 * hidden_beacon_bss pointer points to the BSS struct holding the 43 * beacon's information. 44 * 45 * Reference counting is done for all these references except for 46 * the hidden_list, so that a beacon BSS struct that is otherwise 47 * not referenced has one reference for being on the bss_list and 48 * one for each probe response entry that points to it using the 49 * hidden_beacon_bss pointer. When a BSS struct that has such a 50 * pointer is get/put, the refcount update is also propagated to 51 * the referenced struct, this ensure that it cannot get removed 52 * while somebody is using the probe response version. 53 * 54 * Note that the hidden_beacon_bss pointer never changes, due to 55 * the reference counting. Therefore, no locking is needed for 56 * it. 57 * 58 * Also note that the hidden_beacon_bss pointer is only relevant 59 * if the driver uses something other than the IEs, e.g. private 60 * data stored in the BSS struct, since the beacon IEs are 61 * also linked into the probe response struct. 62 */ 63 64/* 65 * Limit the number of BSS entries stored in mac80211. Each one is 66 * a bit over 4k at most, so this limits to roughly 4-5M of memory. 67 * If somebody wants to really attack this though, they'd likely 68 * use small beacons, and only one type of frame, limiting each of 69 * the entries to a much smaller size (in order to generate more 70 * entries in total, so overhead is bigger.) 71 */ 72static int bss_entries_limit = 1000; 73module_param(bss_entries_limit, int, 0644); 74MODULE_PARM_DESC(bss_entries_limit, 75 "limit to number of scan BSS entries (per wiphy, default 1000)"); 76 77#define IEEE80211_SCAN_RESULT_EXPIRE (30 * HZ) 78 79/** 80 * struct cfg80211_colocated_ap - colocated AP information 81 * 82 * @list: linked list to all colocated aPS 83 * @bssid: BSSID of the reported AP 84 * @ssid: SSID of the reported AP 85 * @ssid_len: length of the ssid 86 * @center_freq: frequency the reported AP is on 87 * @unsolicited_probe: the reported AP is part of an ESS, where all the APs 88 * that operate in the same channel as the reported AP and that might be 89 * detected by a STA receiving this frame, are transmitting unsolicited 90 * Probe Response frames every 20 TUs 91 * @oct_recommended: OCT is recommended to exchange MMPDUs with the reported AP 92 * @same_ssid: the reported AP has the same SSID as the reporting AP 93 * @multi_bss: the reported AP is part of a multiple BSSID set 94 * @transmitted_bssid: the reported AP is the transmitting BSSID 95 * @colocated_ess: all the APs that share the same ESS as the reported AP are 96 * colocated and can be discovered via legacy bands. 97 * @short_ssid_valid: short_ssid is valid and can be used 98 * @short_ssid: the short SSID for this SSID 99 * @psd_20: The 20MHz PSD EIRP of the primary 20MHz channel for the reported AP 100 */ 101struct cfg80211_colocated_ap { 102 struct list_head list; 103 u8 bssid[ETH_ALEN]; 104 u8 ssid[IEEE80211_MAX_SSID_LEN]; 105 size_t ssid_len; 106 u32 short_ssid; 107 u32 center_freq; 108 u8 unsolicited_probe:1, 109 oct_recommended:1, 110 same_ssid:1, 111 multi_bss:1, 112 transmitted_bssid:1, 113 colocated_ess:1, 114 short_ssid_valid:1; 115 s8 psd_20; 116}; 117 118static void bss_free(struct cfg80211_internal_bss *bss) 119{ 120 struct cfg80211_bss_ies *ies; 121 122 if (WARN_ON(atomic_read(&bss->hold))) 123 return; 124 125 ies = (void *)rcu_access_pointer(bss->pub.beacon_ies); 126 if (ies && !bss->pub.hidden_beacon_bss) 127 kfree_rcu(ies, rcu_head); 128 ies = (void *)rcu_access_pointer(bss->pub.proberesp_ies); 129 if (ies) 130 kfree_rcu(ies, rcu_head); 131 132 /* 133 * This happens when the module is removed, it doesn't 134 * really matter any more save for completeness 135 */ 136 if (!list_empty(&bss->hidden_list)) 137 list_del(&bss->hidden_list); 138 139 kfree(bss); 140} 141 142static inline void bss_ref_get(struct cfg80211_registered_device *rdev, 143 struct cfg80211_internal_bss *bss) 144{ 145 lockdep_assert_held(&rdev->bss_lock); 146 147 bss->refcount++; 148 149 if (bss->pub.hidden_beacon_bss) 150 bss_from_pub(bss->pub.hidden_beacon_bss)->refcount++; 151 152 if (bss->pub.transmitted_bss) 153 bss_from_pub(bss->pub.transmitted_bss)->refcount++; 154} 155 156static inline void bss_ref_put(struct cfg80211_registered_device *rdev, 157 struct cfg80211_internal_bss *bss) 158{ 159 lockdep_assert_held(&rdev->bss_lock); 160 161 if (bss->pub.hidden_beacon_bss) { 162 struct cfg80211_internal_bss *hbss; 163 164 hbss = bss_from_pub(bss->pub.hidden_beacon_bss); 165 hbss->refcount--; 166 if (hbss->refcount == 0) 167 bss_free(hbss); 168 } 169 170 if (bss->pub.transmitted_bss) { 171 struct cfg80211_internal_bss *tbss; 172 173 tbss = bss_from_pub(bss->pub.transmitted_bss); 174 tbss->refcount--; 175 if (tbss->refcount == 0) 176 bss_free(tbss); 177 } 178 179 bss->refcount--; 180 if (bss->refcount == 0) 181 bss_free(bss); 182} 183 184static bool __cfg80211_unlink_bss(struct cfg80211_registered_device *rdev, 185 struct cfg80211_internal_bss *bss) 186{ 187 lockdep_assert_held(&rdev->bss_lock); 188 189 if (!list_empty(&bss->hidden_list)) { 190 /* 191 * don't remove the beacon entry if it has 192 * probe responses associated with it 193 */ 194 if (!bss->pub.hidden_beacon_bss) 195 return false; 196 /* 197 * if it's a probe response entry break its 198 * link to the other entries in the group 199 */ 200 list_del_init(&bss->hidden_list); 201 } 202 203 list_del_init(&bss->list); 204 list_del_init(&bss->pub.nontrans_list); 205 rb_erase(&bss->rbn, &rdev->bss_tree); 206 rdev->bss_entries--; 207 WARN_ONCE((rdev->bss_entries == 0) ^ list_empty(&rdev->bss_list), 208 "rdev bss entries[%d]/list[empty:%d] corruption\n", 209 rdev->bss_entries, list_empty(&rdev->bss_list)); 210 bss_ref_put(rdev, bss); 211 return true; 212} 213 214bool cfg80211_is_element_inherited(const struct element *elem, 215 const struct element *non_inherit_elem) 216{ 217 u8 id_len, ext_id_len, i, loop_len, id; 218 const u8 *list; 219 220 if (elem->id == WLAN_EID_MULTIPLE_BSSID) 221 return false; 222 223 if (elem->id == WLAN_EID_EXTENSION && elem->datalen > 1 && 224 elem->data[0] == WLAN_EID_EXT_EHT_MULTI_LINK) 225 return false; 226 227 if (!non_inherit_elem || non_inherit_elem->datalen < 2) 228 return true; 229 230 /* 231 * non inheritance element format is: 232 * ext ID (56) | IDs list len | list | extension IDs list len | list 233 * Both lists are optional. Both lengths are mandatory. 234 * This means valid length is: 235 * elem_len = 1 (extension ID) + 2 (list len fields) + list lengths 236 */ 237 id_len = non_inherit_elem->data[1]; 238 if (non_inherit_elem->datalen < 3 + id_len) 239 return true; 240 241 ext_id_len = non_inherit_elem->data[2 + id_len]; 242 if (non_inherit_elem->datalen < 3 + id_len + ext_id_len) 243 return true; 244 245 if (elem->id == WLAN_EID_EXTENSION) { 246 if (!ext_id_len) 247 return true; 248 loop_len = ext_id_len; 249 list = &non_inherit_elem->data[3 + id_len]; 250 id = elem->data[0]; 251 } else { 252 if (!id_len) 253 return true; 254 loop_len = id_len; 255 list = &non_inherit_elem->data[2]; 256 id = elem->id; 257 } 258 259 for (i = 0; i < loop_len; i++) { 260 if (list[i] == id) 261 return false; 262 } 263 264 return true; 265} 266EXPORT_SYMBOL(cfg80211_is_element_inherited); 267 268static size_t cfg80211_copy_elem_with_frags(const struct element *elem, 269 const u8 *ie, size_t ie_len, 270 u8 **pos, u8 *buf, size_t buf_len) 271{ 272 if (WARN_ON((u8 *)elem < ie || elem->data > ie + ie_len || 273 elem->data + elem->datalen > ie + ie_len)) 274 return 0; 275 276 if (elem->datalen + 2 > buf + buf_len - *pos) 277 return 0; 278 279 memcpy(*pos, elem, elem->datalen + 2); 280 *pos += elem->datalen + 2; 281 282 /* Finish if it is not fragmented */ 283 if (elem->datalen != 255) 284 return *pos - buf; 285 286 ie_len = ie + ie_len - elem->data - elem->datalen; 287 ie = (const u8 *)elem->data + elem->datalen; 288 289 for_each_element(elem, ie, ie_len) { 290 if (elem->id != WLAN_EID_FRAGMENT) 291 break; 292 293 if (elem->datalen + 2 > buf + buf_len - *pos) 294 return 0; 295 296 memcpy(*pos, elem, elem->datalen + 2); 297 *pos += elem->datalen + 2; 298 299 if (elem->datalen != 255) 300 break; 301 } 302 303 return *pos - buf; 304} 305 306static size_t cfg80211_gen_new_ie(const u8 *ie, size_t ielen, 307 const u8 *subie, size_t subie_len, 308 u8 *new_ie, size_t new_ie_len) 309{ 310 const struct element *non_inherit_elem, *parent, *sub; 311 u8 *pos = new_ie; 312 u8 id, ext_id; 313 unsigned int match_len; 314 315 non_inherit_elem = cfg80211_find_ext_elem(WLAN_EID_EXT_NON_INHERITANCE, 316 subie, subie_len); 317 318 /* We copy the elements one by one from the parent to the generated 319 * elements. 320 * If they are not inherited (included in subie or in the non 321 * inheritance element), then we copy all occurrences the first time 322 * we see this element type. 323 */ 324 for_each_element(parent, ie, ielen) { 325 if (parent->id == WLAN_EID_FRAGMENT) 326 continue; 327 328 if (parent->id == WLAN_EID_EXTENSION) { 329 if (parent->datalen < 1) 330 continue; 331 332 id = WLAN_EID_EXTENSION; 333 ext_id = parent->data[0]; 334 match_len = 1; 335 } else { 336 id = parent->id; 337 match_len = 0; 338 } 339 340 /* Find first occurrence in subie */ 341 sub = cfg80211_find_elem_match(id, subie, subie_len, 342 &ext_id, match_len, 0); 343 344 /* Copy from parent if not in subie and inherited */ 345 if (!sub && 346 cfg80211_is_element_inherited(parent, non_inherit_elem)) { 347 if (!cfg80211_copy_elem_with_frags(parent, 348 ie, ielen, 349 &pos, new_ie, 350 new_ie_len)) 351 return 0; 352 353 continue; 354 } 355 356 /* Already copied if an earlier element had the same type */ 357 if (cfg80211_find_elem_match(id, ie, (u8 *)parent - ie, 358 &ext_id, match_len, 0)) 359 continue; 360 361 /* Not inheriting, copy all similar elements from subie */ 362 while (sub) { 363 if (!cfg80211_copy_elem_with_frags(sub, 364 subie, subie_len, 365 &pos, new_ie, 366 new_ie_len)) 367 return 0; 368 369 sub = cfg80211_find_elem_match(id, 370 sub->data + sub->datalen, 371 subie_len + subie - 372 (sub->data + 373 sub->datalen), 374 &ext_id, match_len, 0); 375 } 376 } 377 378 /* The above misses elements that are included in subie but not in the 379 * parent, so do a pass over subie and append those. 380 * Skip the non-tx BSSID caps and non-inheritance element. 381 */ 382 for_each_element(sub, subie, subie_len) { 383 if (sub->id == WLAN_EID_NON_TX_BSSID_CAP) 384 continue; 385 386 if (sub->id == WLAN_EID_FRAGMENT) 387 continue; 388 389 if (sub->id == WLAN_EID_EXTENSION) { 390 if (sub->datalen < 1) 391 continue; 392 393 id = WLAN_EID_EXTENSION; 394 ext_id = sub->data[0]; 395 match_len = 1; 396 397 if (ext_id == WLAN_EID_EXT_NON_INHERITANCE) 398 continue; 399 } else { 400 id = sub->id; 401 match_len = 0; 402 } 403 404 /* Processed if one was included in the parent */ 405 if (cfg80211_find_elem_match(id, ie, ielen, 406 &ext_id, match_len, 0)) 407 continue; 408 409 if (!cfg80211_copy_elem_with_frags(sub, subie, subie_len, 410 &pos, new_ie, new_ie_len)) 411 return 0; 412 } 413 414 return pos - new_ie; 415} 416 417static bool is_bss(struct cfg80211_bss *a, const u8 *bssid, 418 const u8 *ssid, size_t ssid_len) 419{ 420 const struct cfg80211_bss_ies *ies; 421 const struct element *ssid_elem; 422 423 if (bssid && !ether_addr_equal(a->bssid, bssid)) 424 return false; 425 426 if (!ssid) 427 return true; 428 429 ies = rcu_access_pointer(a->ies); 430 if (!ies) 431 return false; 432 ssid_elem = cfg80211_find_elem(WLAN_EID_SSID, ies->data, ies->len); 433 if (!ssid_elem) 434 return false; 435 if (ssid_elem->datalen != ssid_len) 436 return false; 437 return memcmp(ssid_elem->data, ssid, ssid_len) == 0; 438} 439 440static int 441cfg80211_add_nontrans_list(struct cfg80211_bss *trans_bss, 442 struct cfg80211_bss *nontrans_bss) 443{ 444 const struct element *ssid_elem; 445 struct cfg80211_bss *bss = NULL; 446 447 rcu_read_lock(); 448 ssid_elem = ieee80211_bss_get_elem(nontrans_bss, WLAN_EID_SSID); 449 if (!ssid_elem) { 450 rcu_read_unlock(); 451 return -EINVAL; 452 } 453 454 /* check if nontrans_bss is in the list */ 455 list_for_each_entry(bss, &trans_bss->nontrans_list, nontrans_list) { 456 if (is_bss(bss, nontrans_bss->bssid, ssid_elem->data, 457 ssid_elem->datalen)) { 458 rcu_read_unlock(); 459 return 0; 460 } 461 } 462 463 rcu_read_unlock(); 464 465 /* 466 * This is a bit weird - it's not on the list, but already on another 467 * one! The only way that could happen is if there's some BSSID/SSID 468 * shared by multiple APs in their multi-BSSID profiles, potentially 469 * with hidden SSID mixed in ... ignore it. 470 */ 471 if (!list_empty(&nontrans_bss->nontrans_list)) 472 return -EINVAL; 473 474 /* add to the list */ 475 list_add_tail(&nontrans_bss->nontrans_list, &trans_bss->nontrans_list); 476 return 0; 477} 478 479static void __cfg80211_bss_expire(struct cfg80211_registered_device *rdev, 480 unsigned long expire_time) 481{ 482 struct cfg80211_internal_bss *bss, *tmp; 483 bool expired = false; 484 485 lockdep_assert_held(&rdev->bss_lock); 486 487 list_for_each_entry_safe(bss, tmp, &rdev->bss_list, list) { 488 if (atomic_read(&bss->hold)) 489 continue; 490 if (!time_after(expire_time, bss->ts)) 491 continue; 492 493 if (__cfg80211_unlink_bss(rdev, bss)) 494 expired = true; 495 } 496 497 if (expired) 498 rdev->bss_generation++; 499} 500 501static bool cfg80211_bss_expire_oldest(struct cfg80211_registered_device *rdev) 502{ 503 struct cfg80211_internal_bss *bss, *oldest = NULL; 504 bool ret; 505 506 lockdep_assert_held(&rdev->bss_lock); 507 508 list_for_each_entry(bss, &rdev->bss_list, list) { 509 if (atomic_read(&bss->hold)) 510 continue; 511 512 if (!list_empty(&bss->hidden_list) && 513 !bss->pub.hidden_beacon_bss) 514 continue; 515 516 if (oldest && time_before(oldest->ts, bss->ts)) 517 continue; 518 oldest = bss; 519 } 520 521 if (WARN_ON(!oldest)) 522 return false; 523 524 /* 525 * The callers make sure to increase rdev->bss_generation if anything 526 * gets removed (and a new entry added), so there's no need to also do 527 * it here. 528 */ 529 530 ret = __cfg80211_unlink_bss(rdev, oldest); 531 WARN_ON(!ret); 532 return ret; 533} 534 535static u8 cfg80211_parse_bss_param(u8 data, 536 struct cfg80211_colocated_ap *coloc_ap) 537{ 538 coloc_ap->oct_recommended = 539 u8_get_bits(data, IEEE80211_RNR_TBTT_PARAMS_OCT_RECOMMENDED); 540 coloc_ap->same_ssid = 541 u8_get_bits(data, IEEE80211_RNR_TBTT_PARAMS_SAME_SSID); 542 coloc_ap->multi_bss = 543 u8_get_bits(data, IEEE80211_RNR_TBTT_PARAMS_MULTI_BSSID); 544 coloc_ap->transmitted_bssid = 545 u8_get_bits(data, IEEE80211_RNR_TBTT_PARAMS_TRANSMITTED_BSSID); 546 coloc_ap->unsolicited_probe = 547 u8_get_bits(data, IEEE80211_RNR_TBTT_PARAMS_PROBE_ACTIVE); 548 coloc_ap->colocated_ess = 549 u8_get_bits(data, IEEE80211_RNR_TBTT_PARAMS_COLOC_ESS); 550 551 return u8_get_bits(data, IEEE80211_RNR_TBTT_PARAMS_COLOC_AP); 552} 553 554static int cfg80211_calc_short_ssid(const struct cfg80211_bss_ies *ies, 555 const struct element **elem, u32 *s_ssid) 556{ 557 558 *elem = cfg80211_find_elem(WLAN_EID_SSID, ies->data, ies->len); 559 if (!*elem || (*elem)->datalen > IEEE80211_MAX_SSID_LEN) 560 return -EINVAL; 561 562 *s_ssid = ~crc32_le(~0, (*elem)->data, (*elem)->datalen); 563 return 0; 564} 565 566static void cfg80211_free_coloc_ap_list(struct list_head *coloc_ap_list) 567{ 568 struct cfg80211_colocated_ap *ap, *tmp_ap; 569 570 list_for_each_entry_safe(ap, tmp_ap, coloc_ap_list, list) { 571 list_del(&ap->list); 572 kfree(ap); 573 } 574} 575 576static int cfg80211_parse_ap_info(struct cfg80211_colocated_ap *entry, 577 const u8 *pos, u8 length, 578 const struct element *ssid_elem, 579 u32 s_ssid_tmp) 580{ 581 u8 bss_params; 582 583 entry->psd_20 = IEEE80211_RNR_TBTT_PARAMS_PSD_RESERVED; 584 585 /* The length is already verified by the caller to contain bss_params */ 586 if (length > sizeof(struct ieee80211_tbtt_info_7_8_9)) { 587 struct ieee80211_tbtt_info_ge_11 *tbtt_info = (void *)pos; 588 589 memcpy(entry->bssid, tbtt_info->bssid, ETH_ALEN); 590 entry->short_ssid = le32_to_cpu(tbtt_info->short_ssid); 591 entry->short_ssid_valid = true; 592 593 bss_params = tbtt_info->bss_params; 594 595 /* Ignore disabled links */ 596 if (length >= offsetofend(typeof(*tbtt_info), mld_params)) { 597 if (le16_get_bits(tbtt_info->mld_params.params, 598 IEEE80211_RNR_MLD_PARAMS_DISABLED_LINK)) 599 return -EINVAL; 600 } 601 602 if (length >= offsetofend(struct ieee80211_tbtt_info_ge_11, 603 psd_20)) 604 entry->psd_20 = tbtt_info->psd_20; 605 } else { 606 struct ieee80211_tbtt_info_7_8_9 *tbtt_info = (void *)pos; 607 608 memcpy(entry->bssid, tbtt_info->bssid, ETH_ALEN); 609 610 bss_params = tbtt_info->bss_params; 611 612 if (length == offsetofend(struct ieee80211_tbtt_info_7_8_9, 613 psd_20)) 614 entry->psd_20 = tbtt_info->psd_20; 615 } 616 617 /* ignore entries with invalid BSSID */ 618 if (!is_valid_ether_addr(entry->bssid)) 619 return -EINVAL; 620 621 /* skip non colocated APs */ 622 if (!cfg80211_parse_bss_param(bss_params, entry)) 623 return -EINVAL; 624 625 /* no information about the short ssid. Consider the entry valid 626 * for now. It would later be dropped in case there are explicit 627 * SSIDs that need to be matched 628 */ 629 if (!entry->same_ssid && !entry->short_ssid_valid) 630 return 0; 631 632 if (entry->same_ssid) { 633 entry->short_ssid = s_ssid_tmp; 634 entry->short_ssid_valid = true; 635 636 /* 637 * This is safe because we validate datalen in 638 * cfg80211_parse_colocated_ap(), before calling this 639 * function. 640 */ 641 memcpy(&entry->ssid, &ssid_elem->data, ssid_elem->datalen); 642 entry->ssid_len = ssid_elem->datalen; 643 } 644 645 return 0; 646} 647 648static int cfg80211_parse_colocated_ap(const struct cfg80211_bss_ies *ies, 649 struct list_head *list) 650{ 651 struct ieee80211_neighbor_ap_info *ap_info; 652 const struct element *elem, *ssid_elem; 653 const u8 *pos, *end; 654 u32 s_ssid_tmp; 655 int n_coloc = 0, ret; 656 LIST_HEAD(ap_list); 657 658 ret = cfg80211_calc_short_ssid(ies, &ssid_elem, &s_ssid_tmp); 659 if (ret) 660 return 0; 661 662 for_each_element_id(elem, WLAN_EID_REDUCED_NEIGHBOR_REPORT, 663 ies->data, ies->len) { 664 pos = elem->data; 665 end = elem->data + elem->datalen; 666 667 /* RNR IE may contain more than one NEIGHBOR_AP_INFO */ 668 while (pos + sizeof(*ap_info) <= end) { 669 enum nl80211_band band; 670 int freq; 671 u8 length, i, count; 672 673 ap_info = (void *)pos; 674 count = u8_get_bits(ap_info->tbtt_info_hdr, 675 IEEE80211_AP_INFO_TBTT_HDR_COUNT) + 1; 676 length = ap_info->tbtt_info_len; 677 678 pos += sizeof(*ap_info); 679 680 if (!ieee80211_operating_class_to_band(ap_info->op_class, 681 &band)) 682 break; 683 684 freq = ieee80211_channel_to_frequency(ap_info->channel, 685 band); 686 687 if (end - pos < count * length) 688 break; 689 690 if (u8_get_bits(ap_info->tbtt_info_hdr, 691 IEEE80211_AP_INFO_TBTT_HDR_TYPE) != 692 IEEE80211_TBTT_INFO_TYPE_TBTT) { 693 pos += count * length; 694 continue; 695 } 696 697 /* TBTT info must include bss param + BSSID + 698 * (short SSID or same_ssid bit to be set). 699 * ignore other options, and move to the 700 * next AP info 701 */ 702 if (band != NL80211_BAND_6GHZ || 703 !(length == offsetofend(struct ieee80211_tbtt_info_7_8_9, 704 bss_params) || 705 length == sizeof(struct ieee80211_tbtt_info_7_8_9) || 706 length >= offsetofend(struct ieee80211_tbtt_info_ge_11, 707 bss_params))) { 708 pos += count * length; 709 continue; 710 } 711 712 for (i = 0; i < count; i++) { 713 struct cfg80211_colocated_ap *entry; 714 715 entry = kzalloc(sizeof(*entry) + IEEE80211_MAX_SSID_LEN, 716 GFP_ATOMIC); 717 718 if (!entry) 719 goto error; 720 721 entry->center_freq = freq; 722 723 if (!cfg80211_parse_ap_info(entry, pos, length, 724 ssid_elem, 725 s_ssid_tmp)) { 726 n_coloc++; 727 list_add_tail(&entry->list, &ap_list); 728 } else { 729 kfree(entry); 730 } 731 732 pos += length; 733 } 734 } 735 736error: 737 if (pos != end) { 738 cfg80211_free_coloc_ap_list(&ap_list); 739 return 0; 740 } 741 } 742 743 list_splice_tail(&ap_list, list); 744 return n_coloc; 745} 746 747static void cfg80211_scan_req_add_chan(struct cfg80211_scan_request *request, 748 struct ieee80211_channel *chan, 749 bool add_to_6ghz) 750{ 751 int i; 752 u32 n_channels = request->n_channels; 753 struct cfg80211_scan_6ghz_params *params = 754 &request->scan_6ghz_params[request->n_6ghz_params]; 755 756 for (i = 0; i < n_channels; i++) { 757 if (request->channels[i] == chan) { 758 if (add_to_6ghz) 759 params->channel_idx = i; 760 return; 761 } 762 } 763 764 request->channels[n_channels] = chan; 765 if (add_to_6ghz) 766 request->scan_6ghz_params[request->n_6ghz_params].channel_idx = 767 n_channels; 768 769 request->n_channels++; 770} 771 772static bool cfg80211_find_ssid_match(struct cfg80211_colocated_ap *ap, 773 struct cfg80211_scan_request *request) 774{ 775 int i; 776 u32 s_ssid; 777 778 for (i = 0; i < request->n_ssids; i++) { 779 /* wildcard ssid in the scan request */ 780 if (!request->ssids[i].ssid_len) { 781 if (ap->multi_bss && !ap->transmitted_bssid) 782 continue; 783 784 return true; 785 } 786 787 if (ap->ssid_len && 788 ap->ssid_len == request->ssids[i].ssid_len) { 789 if (!memcmp(request->ssids[i].ssid, ap->ssid, 790 ap->ssid_len)) 791 return true; 792 } else if (ap->short_ssid_valid) { 793 s_ssid = ~crc32_le(~0, request->ssids[i].ssid, 794 request->ssids[i].ssid_len); 795 796 if (ap->short_ssid == s_ssid) 797 return true; 798 } 799 } 800 801 return false; 802} 803 804static int cfg80211_scan_6ghz(struct cfg80211_registered_device *rdev) 805{ 806 u8 i; 807 struct cfg80211_colocated_ap *ap; 808 int n_channels, count = 0, err; 809 struct cfg80211_scan_request *request, *rdev_req = rdev->scan_req; 810 LIST_HEAD(coloc_ap_list); 811 bool need_scan_psc = true; 812 const struct ieee80211_sband_iftype_data *iftd; 813 814 rdev_req->scan_6ghz = true; 815 816 if (!rdev->wiphy.bands[NL80211_BAND_6GHZ]) 817 return -EOPNOTSUPP; 818 819 iftd = ieee80211_get_sband_iftype_data(rdev->wiphy.bands[NL80211_BAND_6GHZ], 820 rdev_req->wdev->iftype); 821 if (!iftd || !iftd->he_cap.has_he) 822 return -EOPNOTSUPP; 823 824 n_channels = rdev->wiphy.bands[NL80211_BAND_6GHZ]->n_channels; 825 826 if (rdev_req->flags & NL80211_SCAN_FLAG_COLOCATED_6GHZ) { 827 struct cfg80211_internal_bss *intbss; 828 829 spin_lock_bh(&rdev->bss_lock); 830 list_for_each_entry(intbss, &rdev->bss_list, list) { 831 struct cfg80211_bss *res = &intbss->pub; 832 const struct cfg80211_bss_ies *ies; 833 834 ies = rcu_access_pointer(res->ies); 835 count += cfg80211_parse_colocated_ap(ies, 836 &coloc_ap_list); 837 } 838 spin_unlock_bh(&rdev->bss_lock); 839 } 840 841 request = kzalloc(struct_size(request, channels, n_channels) + 842 sizeof(*request->scan_6ghz_params) * count + 843 sizeof(*request->ssids) * rdev_req->n_ssids, 844 GFP_KERNEL); 845 if (!request) { 846 cfg80211_free_coloc_ap_list(&coloc_ap_list); 847 return -ENOMEM; 848 } 849 850 *request = *rdev_req; 851 request->n_channels = 0; 852 request->scan_6ghz_params = 853 (void *)&request->channels[n_channels]; 854 855 /* 856 * PSC channels should not be scanned in case of direct scan with 1 SSID 857 * and at least one of the reported co-located APs with same SSID 858 * indicating that all APs in the same ESS are co-located 859 */ 860 if (count && request->n_ssids == 1 && request->ssids[0].ssid_len) { 861 list_for_each_entry(ap, &coloc_ap_list, list) { 862 if (ap->colocated_ess && 863 cfg80211_find_ssid_match(ap, request)) { 864 need_scan_psc = false; 865 break; 866 } 867 } 868 } 869 870 /* 871 * add to the scan request the channels that need to be scanned 872 * regardless of the collocated APs (PSC channels or all channels 873 * in case that NL80211_SCAN_FLAG_COLOCATED_6GHZ is not set) 874 */ 875 for (i = 0; i < rdev_req->n_channels; i++) { 876 if (rdev_req->channels[i]->band == NL80211_BAND_6GHZ && 877 ((need_scan_psc && 878 cfg80211_channel_is_psc(rdev_req->channels[i])) || 879 !(rdev_req->flags & NL80211_SCAN_FLAG_COLOCATED_6GHZ))) { 880 cfg80211_scan_req_add_chan(request, 881 rdev_req->channels[i], 882 false); 883 } 884 } 885 886 if (!(rdev_req->flags & NL80211_SCAN_FLAG_COLOCATED_6GHZ)) 887 goto skip; 888 889 list_for_each_entry(ap, &coloc_ap_list, list) { 890 bool found = false; 891 struct cfg80211_scan_6ghz_params *scan_6ghz_params = 892 &request->scan_6ghz_params[request->n_6ghz_params]; 893 struct ieee80211_channel *chan = 894 ieee80211_get_channel(&rdev->wiphy, ap->center_freq); 895 896 if (!chan || chan->flags & IEEE80211_CHAN_DISABLED) 897 continue; 898 899 for (i = 0; i < rdev_req->n_channels; i++) { 900 if (rdev_req->channels[i] == chan) 901 found = true; 902 } 903 904 if (!found) 905 continue; 906 907 if (request->n_ssids > 0 && 908 !cfg80211_find_ssid_match(ap, request)) 909 continue; 910 911 if (!is_broadcast_ether_addr(request->bssid) && 912 !ether_addr_equal(request->bssid, ap->bssid)) 913 continue; 914 915 if (!request->n_ssids && ap->multi_bss && !ap->transmitted_bssid) 916 continue; 917 918 cfg80211_scan_req_add_chan(request, chan, true); 919 memcpy(scan_6ghz_params->bssid, ap->bssid, ETH_ALEN); 920 scan_6ghz_params->short_ssid = ap->short_ssid; 921 scan_6ghz_params->short_ssid_valid = ap->short_ssid_valid; 922 scan_6ghz_params->unsolicited_probe = ap->unsolicited_probe; 923 scan_6ghz_params->psd_20 = ap->psd_20; 924 925 /* 926 * If a PSC channel is added to the scan and 'need_scan_psc' is 927 * set to false, then all the APs that the scan logic is 928 * interested with on the channel are collocated and thus there 929 * is no need to perform the initial PSC channel listen. 930 */ 931 if (cfg80211_channel_is_psc(chan) && !need_scan_psc) 932 scan_6ghz_params->psc_no_listen = true; 933 934 request->n_6ghz_params++; 935 } 936 937skip: 938 cfg80211_free_coloc_ap_list(&coloc_ap_list); 939 940 if (request->n_channels) { 941 struct cfg80211_scan_request *old = rdev->int_scan_req; 942 rdev->int_scan_req = request; 943 944 /* 945 * Add the ssids from the parent scan request to the new scan 946 * request, so the driver would be able to use them in its 947 * probe requests to discover hidden APs on PSC channels. 948 */ 949 request->ssids = (void *)&request->channels[request->n_channels]; 950 request->n_ssids = rdev_req->n_ssids; 951 memcpy(request->ssids, rdev_req->ssids, sizeof(*request->ssids) * 952 request->n_ssids); 953 954 /* 955 * If this scan follows a previous scan, save the scan start 956 * info from the first part of the scan 957 */ 958 if (old) 959 rdev->int_scan_req->info = old->info; 960 961 err = rdev_scan(rdev, request); 962 if (err) { 963 rdev->int_scan_req = old; 964 kfree(request); 965 } else { 966 kfree(old); 967 } 968 969 return err; 970 } 971 972 kfree(request); 973 return -EINVAL; 974} 975 976int cfg80211_scan(struct cfg80211_registered_device *rdev) 977{ 978 struct cfg80211_scan_request *request; 979 struct cfg80211_scan_request *rdev_req = rdev->scan_req; 980 u32 n_channels = 0, idx, i; 981 982 if (!(rdev->wiphy.flags & WIPHY_FLAG_SPLIT_SCAN_6GHZ)) 983 return rdev_scan(rdev, rdev_req); 984 985 for (i = 0; i < rdev_req->n_channels; i++) { 986 if (rdev_req->channels[i]->band != NL80211_BAND_6GHZ) 987 n_channels++; 988 } 989 990 if (!n_channels) 991 return cfg80211_scan_6ghz(rdev); 992 993 request = kzalloc(struct_size(request, channels, n_channels), 994 GFP_KERNEL); 995 if (!request) 996 return -ENOMEM; 997 998 *request = *rdev_req; 999 request->n_channels = n_channels; 1000 1001 for (i = idx = 0; i < rdev_req->n_channels; i++) { 1002 if (rdev_req->channels[i]->band != NL80211_BAND_6GHZ) 1003 request->channels[idx++] = rdev_req->channels[i]; 1004 } 1005 1006 rdev_req->scan_6ghz = false; 1007 rdev->int_scan_req = request; 1008 return rdev_scan(rdev, request); 1009} 1010 1011void ___cfg80211_scan_done(struct cfg80211_registered_device *rdev, 1012 bool send_message) 1013{ 1014 struct cfg80211_scan_request *request, *rdev_req; 1015 struct wireless_dev *wdev; 1016 struct sk_buff *msg; 1017#ifdef CONFIG_CFG80211_WEXT 1018 union iwreq_data wrqu; 1019#endif 1020 1021 lockdep_assert_held(&rdev->wiphy.mtx); 1022 1023 if (rdev->scan_msg) { 1024 nl80211_send_scan_msg(rdev, rdev->scan_msg); 1025 rdev->scan_msg = NULL; 1026 return; 1027 } 1028 1029 rdev_req = rdev->scan_req; 1030 if (!rdev_req) 1031 return; 1032 1033 wdev = rdev_req->wdev; 1034 request = rdev->int_scan_req ? rdev->int_scan_req : rdev_req; 1035 1036 if (wdev_running(wdev) && 1037 (rdev->wiphy.flags & WIPHY_FLAG_SPLIT_SCAN_6GHZ) && 1038 !rdev_req->scan_6ghz && !request->info.aborted && 1039 !cfg80211_scan_6ghz(rdev)) 1040 return; 1041 1042 /* 1043 * This must be before sending the other events! 1044 * Otherwise, wpa_supplicant gets completely confused with 1045 * wext events. 1046 */ 1047 if (wdev->netdev) 1048 cfg80211_sme_scan_done(wdev->netdev); 1049 1050 if (!request->info.aborted && 1051 request->flags & NL80211_SCAN_FLAG_FLUSH) { 1052 /* flush entries from previous scans */ 1053 spin_lock_bh(&rdev->bss_lock); 1054 __cfg80211_bss_expire(rdev, request->scan_start); 1055 spin_unlock_bh(&rdev->bss_lock); 1056 } 1057 1058 msg = nl80211_build_scan_msg(rdev, wdev, request->info.aborted); 1059 1060#ifdef CONFIG_CFG80211_WEXT 1061 if (wdev->netdev && !request->info.aborted) { 1062 memset(&wrqu, 0, sizeof(wrqu)); 1063 1064 wireless_send_event(wdev->netdev, SIOCGIWSCAN, &wrqu, NULL); 1065 } 1066#endif 1067 1068 dev_put(wdev->netdev); 1069 1070 kfree(rdev->int_scan_req); 1071 rdev->int_scan_req = NULL; 1072 1073 kfree(rdev->scan_req); 1074 rdev->scan_req = NULL; 1075 1076 if (!send_message) 1077 rdev->scan_msg = msg; 1078 else 1079 nl80211_send_scan_msg(rdev, msg); 1080} 1081 1082void __cfg80211_scan_done(struct wiphy *wiphy, struct wiphy_work *wk) 1083{ 1084 ___cfg80211_scan_done(wiphy_to_rdev(wiphy), true); 1085} 1086 1087void cfg80211_scan_done(struct cfg80211_scan_request *request, 1088 struct cfg80211_scan_info *info) 1089{ 1090 struct cfg80211_scan_info old_info = request->info; 1091 1092 trace_cfg80211_scan_done(request, info); 1093 WARN_ON(request != wiphy_to_rdev(request->wiphy)->scan_req && 1094 request != wiphy_to_rdev(request->wiphy)->int_scan_req); 1095 1096 request->info = *info; 1097 1098 /* 1099 * In case the scan is split, the scan_start_tsf and tsf_bssid should 1100 * be of the first part. In such a case old_info.scan_start_tsf should 1101 * be non zero. 1102 */ 1103 if (request->scan_6ghz && old_info.scan_start_tsf) { 1104 request->info.scan_start_tsf = old_info.scan_start_tsf; 1105 memcpy(request->info.tsf_bssid, old_info.tsf_bssid, 1106 sizeof(request->info.tsf_bssid)); 1107 } 1108 1109 request->notified = true; 1110 wiphy_work_queue(request->wiphy, 1111 &wiphy_to_rdev(request->wiphy)->scan_done_wk); 1112} 1113EXPORT_SYMBOL(cfg80211_scan_done); 1114 1115void cfg80211_add_sched_scan_req(struct cfg80211_registered_device *rdev, 1116 struct cfg80211_sched_scan_request *req) 1117{ 1118 lockdep_assert_held(&rdev->wiphy.mtx); 1119 1120 list_add_rcu(&req->list, &rdev->sched_scan_req_list); 1121} 1122 1123static void cfg80211_del_sched_scan_req(struct cfg80211_registered_device *rdev, 1124 struct cfg80211_sched_scan_request *req) 1125{ 1126 lockdep_assert_held(&rdev->wiphy.mtx); 1127 1128 list_del_rcu(&req->list); 1129 kfree_rcu(req, rcu_head); 1130} 1131 1132static struct cfg80211_sched_scan_request * 1133cfg80211_find_sched_scan_req(struct cfg80211_registered_device *rdev, u64 reqid) 1134{ 1135 struct cfg80211_sched_scan_request *pos; 1136 1137 list_for_each_entry_rcu(pos, &rdev->sched_scan_req_list, list, 1138 lockdep_is_held(&rdev->wiphy.mtx)) { 1139 if (pos->reqid == reqid) 1140 return pos; 1141 } 1142 return NULL; 1143} 1144 1145/* 1146 * Determines if a scheduled scan request can be handled. When a legacy 1147 * scheduled scan is running no other scheduled scan is allowed regardless 1148 * whether the request is for legacy or multi-support scan. When a multi-support 1149 * scheduled scan is running a request for legacy scan is not allowed. In this 1150 * case a request for multi-support scan can be handled if resources are 1151 * available, ie. struct wiphy::max_sched_scan_reqs limit is not yet reached. 1152 */ 1153int cfg80211_sched_scan_req_possible(struct cfg80211_registered_device *rdev, 1154 bool want_multi) 1155{ 1156 struct cfg80211_sched_scan_request *pos; 1157 int i = 0; 1158 1159 list_for_each_entry(pos, &rdev->sched_scan_req_list, list) { 1160 /* request id zero means legacy in progress */ 1161 if (!i && !pos->reqid) 1162 return -EINPROGRESS; 1163 i++; 1164 } 1165 1166 if (i) { 1167 /* no legacy allowed when multi request(s) are active */ 1168 if (!want_multi) 1169 return -EINPROGRESS; 1170 1171 /* resource limit reached */ 1172 if (i == rdev->wiphy.max_sched_scan_reqs) 1173 return -ENOSPC; 1174 } 1175 return 0; 1176} 1177 1178void cfg80211_sched_scan_results_wk(struct work_struct *work) 1179{ 1180 struct cfg80211_registered_device *rdev; 1181 struct cfg80211_sched_scan_request *req, *tmp; 1182 1183 rdev = container_of(work, struct cfg80211_registered_device, 1184 sched_scan_res_wk); 1185 1186 wiphy_lock(&rdev->wiphy); 1187 list_for_each_entry_safe(req, tmp, &rdev->sched_scan_req_list, list) { 1188 if (req->report_results) { 1189 req->report_results = false; 1190 if (req->flags & NL80211_SCAN_FLAG_FLUSH) { 1191 /* flush entries from previous scans */ 1192 spin_lock_bh(&rdev->bss_lock); 1193 __cfg80211_bss_expire(rdev, req->scan_start); 1194 spin_unlock_bh(&rdev->bss_lock); 1195 req->scan_start = jiffies; 1196 } 1197 nl80211_send_sched_scan(req, 1198 NL80211_CMD_SCHED_SCAN_RESULTS); 1199 } 1200 } 1201 wiphy_unlock(&rdev->wiphy); 1202} 1203 1204void cfg80211_sched_scan_results(struct wiphy *wiphy, u64 reqid) 1205{ 1206 struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy); 1207 struct cfg80211_sched_scan_request *request; 1208 1209 trace_cfg80211_sched_scan_results(wiphy, reqid); 1210 /* ignore if we're not scanning */ 1211 1212 rcu_read_lock(); 1213 request = cfg80211_find_sched_scan_req(rdev, reqid); 1214 if (request) { 1215 request->report_results = true; 1216 queue_work(cfg80211_wq, &rdev->sched_scan_res_wk); 1217 } 1218 rcu_read_unlock(); 1219} 1220EXPORT_SYMBOL(cfg80211_sched_scan_results); 1221 1222void cfg80211_sched_scan_stopped_locked(struct wiphy *wiphy, u64 reqid) 1223{ 1224 struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy); 1225 1226 lockdep_assert_held(&wiphy->mtx); 1227 1228 trace_cfg80211_sched_scan_stopped(wiphy, reqid); 1229 1230 __cfg80211_stop_sched_scan(rdev, reqid, true); 1231} 1232EXPORT_SYMBOL(cfg80211_sched_scan_stopped_locked); 1233 1234void cfg80211_sched_scan_stopped(struct wiphy *wiphy, u64 reqid) 1235{ 1236 wiphy_lock(wiphy); 1237 cfg80211_sched_scan_stopped_locked(wiphy, reqid); 1238 wiphy_unlock(wiphy); 1239} 1240EXPORT_SYMBOL(cfg80211_sched_scan_stopped); 1241 1242int cfg80211_stop_sched_scan_req(struct cfg80211_registered_device *rdev, 1243 struct cfg80211_sched_scan_request *req, 1244 bool driver_initiated) 1245{ 1246 lockdep_assert_held(&rdev->wiphy.mtx); 1247 1248 if (!driver_initiated) { 1249 int err = rdev_sched_scan_stop(rdev, req->dev, req->reqid); 1250 if (err) 1251 return err; 1252 } 1253 1254 nl80211_send_sched_scan(req, NL80211_CMD_SCHED_SCAN_STOPPED); 1255 1256 cfg80211_del_sched_scan_req(rdev, req); 1257 1258 return 0; 1259} 1260 1261int __cfg80211_stop_sched_scan(struct cfg80211_registered_device *rdev, 1262 u64 reqid, bool driver_initiated) 1263{ 1264 struct cfg80211_sched_scan_request *sched_scan_req; 1265 1266 lockdep_assert_held(&rdev->wiphy.mtx); 1267 1268 sched_scan_req = cfg80211_find_sched_scan_req(rdev, reqid); 1269 if (!sched_scan_req) 1270 return -ENOENT; 1271 1272 return cfg80211_stop_sched_scan_req(rdev, sched_scan_req, 1273 driver_initiated); 1274} 1275 1276void cfg80211_bss_age(struct cfg80211_registered_device *rdev, 1277 unsigned long age_secs) 1278{ 1279 struct cfg80211_internal_bss *bss; 1280 unsigned long age_jiffies = msecs_to_jiffies(age_secs * MSEC_PER_SEC); 1281 1282 spin_lock_bh(&rdev->bss_lock); 1283 list_for_each_entry(bss, &rdev->bss_list, list) 1284 bss->ts -= age_jiffies; 1285 spin_unlock_bh(&rdev->bss_lock); 1286} 1287 1288void cfg80211_bss_expire(struct cfg80211_registered_device *rdev) 1289{ 1290 __cfg80211_bss_expire(rdev, jiffies - IEEE80211_SCAN_RESULT_EXPIRE); 1291} 1292 1293void cfg80211_bss_flush(struct wiphy *wiphy) 1294{ 1295 struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy); 1296 1297 spin_lock_bh(&rdev->bss_lock); 1298 __cfg80211_bss_expire(rdev, jiffies); 1299 spin_unlock_bh(&rdev->bss_lock); 1300} 1301EXPORT_SYMBOL(cfg80211_bss_flush); 1302 1303const struct element * 1304cfg80211_find_elem_match(u8 eid, const u8 *ies, unsigned int len, 1305 const u8 *match, unsigned int match_len, 1306 unsigned int match_offset) 1307{ 1308 const struct element *elem; 1309 1310 for_each_element_id(elem, eid, ies, len) { 1311 if (elem->datalen >= match_offset + match_len && 1312 !memcmp(elem->data + match_offset, match, match_len)) 1313 return elem; 1314 } 1315 1316 return NULL; 1317} 1318EXPORT_SYMBOL(cfg80211_find_elem_match); 1319 1320const struct element *cfg80211_find_vendor_elem(unsigned int oui, int oui_type, 1321 const u8 *ies, 1322 unsigned int len) 1323{ 1324 const struct element *elem; 1325 u8 match[] = { oui >> 16, oui >> 8, oui, oui_type }; 1326 int match_len = (oui_type < 0) ? 3 : sizeof(match); 1327 1328 if (WARN_ON(oui_type > 0xff)) 1329 return NULL; 1330 1331 elem = cfg80211_find_elem_match(WLAN_EID_VENDOR_SPECIFIC, ies, len, 1332 match, match_len, 0); 1333 1334 if (!elem || elem->datalen < 4) 1335 return NULL; 1336 1337 return elem; 1338} 1339EXPORT_SYMBOL(cfg80211_find_vendor_elem); 1340 1341/** 1342 * enum bss_compare_mode - BSS compare mode 1343 * @BSS_CMP_REGULAR: regular compare mode (for insertion and normal find) 1344 * @BSS_CMP_HIDE_ZLEN: find hidden SSID with zero-length mode 1345 * @BSS_CMP_HIDE_NUL: find hidden SSID with NUL-ed out mode 1346 */ 1347enum bss_compare_mode { 1348 BSS_CMP_REGULAR, 1349 BSS_CMP_HIDE_ZLEN, 1350 BSS_CMP_HIDE_NUL, 1351}; 1352 1353static int cmp_bss(struct cfg80211_bss *a, 1354 struct cfg80211_bss *b, 1355 enum bss_compare_mode mode) 1356{ 1357 const struct cfg80211_bss_ies *a_ies, *b_ies; 1358 const u8 *ie1 = NULL; 1359 const u8 *ie2 = NULL; 1360 int i, r; 1361 1362 if (a->channel != b->channel) 1363 return (b->channel->center_freq * 1000 + b->channel->freq_offset) - 1364 (a->channel->center_freq * 1000 + a->channel->freq_offset); 1365 1366 a_ies = rcu_access_pointer(a->ies); 1367 if (!a_ies) 1368 return -1; 1369 b_ies = rcu_access_pointer(b->ies); 1370 if (!b_ies) 1371 return 1; 1372 1373 if (WLAN_CAPABILITY_IS_STA_BSS(a->capability)) 1374 ie1 = cfg80211_find_ie(WLAN_EID_MESH_ID, 1375 a_ies->data, a_ies->len); 1376 if (WLAN_CAPABILITY_IS_STA_BSS(b->capability)) 1377 ie2 = cfg80211_find_ie(WLAN_EID_MESH_ID, 1378 b_ies->data, b_ies->len); 1379 if (ie1 && ie2) { 1380 int mesh_id_cmp; 1381 1382 if (ie1[1] == ie2[1]) 1383 mesh_id_cmp = memcmp(ie1 + 2, ie2 + 2, ie1[1]); 1384 else 1385 mesh_id_cmp = ie2[1] - ie1[1]; 1386 1387 ie1 = cfg80211_find_ie(WLAN_EID_MESH_CONFIG, 1388 a_ies->data, a_ies->len); 1389 ie2 = cfg80211_find_ie(WLAN_EID_MESH_CONFIG, 1390 b_ies->data, b_ies->len); 1391 if (ie1 && ie2) { 1392 if (mesh_id_cmp) 1393 return mesh_id_cmp; 1394 if (ie1[1] != ie2[1]) 1395 return ie2[1] - ie1[1]; 1396 return memcmp(ie1 + 2, ie2 + 2, ie1[1]); 1397 } 1398 } 1399 1400 r = memcmp(a->bssid, b->bssid, sizeof(a->bssid)); 1401 if (r) 1402 return r; 1403 1404 ie1 = cfg80211_find_ie(WLAN_EID_SSID, a_ies->data, a_ies->len); 1405 ie2 = cfg80211_find_ie(WLAN_EID_SSID, b_ies->data, b_ies->len); 1406 1407 if (!ie1 && !ie2) 1408 return 0; 1409 1410 /* 1411 * Note that with "hide_ssid", the function returns a match if 1412 * the already-present BSS ("b") is a hidden SSID beacon for 1413 * the new BSS ("a"). 1414 */ 1415 1416 /* sort missing IE before (left of) present IE */ 1417 if (!ie1) 1418 return -1; 1419 if (!ie2) 1420 return 1; 1421 1422 switch (mode) { 1423 case BSS_CMP_HIDE_ZLEN: 1424 /* 1425 * In ZLEN mode we assume the BSS entry we're 1426 * looking for has a zero-length SSID. So if 1427 * the one we're looking at right now has that, 1428 * return 0. Otherwise, return the difference 1429 * in length, but since we're looking for the 1430 * 0-length it's really equivalent to returning 1431 * the length of the one we're looking at. 1432 * 1433 * No content comparison is needed as we assume 1434 * the content length is zero. 1435 */ 1436 return ie2[1]; 1437 case BSS_CMP_REGULAR: 1438 default: 1439 /* sort by length first, then by contents */ 1440 if (ie1[1] != ie2[1]) 1441 return ie2[1] - ie1[1]; 1442 return memcmp(ie1 + 2, ie2 + 2, ie1[1]); 1443 case BSS_CMP_HIDE_NUL: 1444 if (ie1[1] != ie2[1]) 1445 return ie2[1] - ie1[1]; 1446 /* this is equivalent to memcmp(zeroes, ie2 + 2, len) */ 1447 for (i = 0; i < ie2[1]; i++) 1448 if (ie2[i + 2]) 1449 return -1; 1450 return 0; 1451 } 1452} 1453 1454static bool cfg80211_bss_type_match(u16 capability, 1455 enum nl80211_band band, 1456 enum ieee80211_bss_type bss_type) 1457{ 1458 bool ret = true; 1459 u16 mask, val; 1460 1461 if (bss_type == IEEE80211_BSS_TYPE_ANY) 1462 return ret; 1463 1464 if (band == NL80211_BAND_60GHZ) { 1465 mask = WLAN_CAPABILITY_DMG_TYPE_MASK; 1466 switch (bss_type) { 1467 case IEEE80211_BSS_TYPE_ESS: 1468 val = WLAN_CAPABILITY_DMG_TYPE_AP; 1469 break; 1470 case IEEE80211_BSS_TYPE_PBSS: 1471 val = WLAN_CAPABILITY_DMG_TYPE_PBSS; 1472 break; 1473 case IEEE80211_BSS_TYPE_IBSS: 1474 val = WLAN_CAPABILITY_DMG_TYPE_IBSS; 1475 break; 1476 default: 1477 return false; 1478 } 1479 } else { 1480 mask = WLAN_CAPABILITY_ESS | WLAN_CAPABILITY_IBSS; 1481 switch (bss_type) { 1482 case IEEE80211_BSS_TYPE_ESS: 1483 val = WLAN_CAPABILITY_ESS; 1484 break; 1485 case IEEE80211_BSS_TYPE_IBSS: 1486 val = WLAN_CAPABILITY_IBSS; 1487 break; 1488 case IEEE80211_BSS_TYPE_MBSS: 1489 val = 0; 1490 break; 1491 default: 1492 return false; 1493 } 1494 } 1495 1496 ret = ((capability & mask) == val); 1497 return ret; 1498} 1499 1500/* Returned bss is reference counted and must be cleaned up appropriately. */ 1501struct cfg80211_bss *cfg80211_get_bss(struct wiphy *wiphy, 1502 struct ieee80211_channel *channel, 1503 const u8 *bssid, 1504 const u8 *ssid, size_t ssid_len, 1505 enum ieee80211_bss_type bss_type, 1506 enum ieee80211_privacy privacy) 1507{ 1508 struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy); 1509 struct cfg80211_internal_bss *bss, *res = NULL; 1510 unsigned long now = jiffies; 1511 int bss_privacy; 1512 1513 trace_cfg80211_get_bss(wiphy, channel, bssid, ssid, ssid_len, bss_type, 1514 privacy); 1515 1516 spin_lock_bh(&rdev->bss_lock); 1517 1518 list_for_each_entry(bss, &rdev->bss_list, list) { 1519 if (!cfg80211_bss_type_match(bss->pub.capability, 1520 bss->pub.channel->band, bss_type)) 1521 continue; 1522 1523 bss_privacy = (bss->pub.capability & WLAN_CAPABILITY_PRIVACY); 1524 if ((privacy == IEEE80211_PRIVACY_ON && !bss_privacy) || 1525 (privacy == IEEE80211_PRIVACY_OFF && bss_privacy)) 1526 continue; 1527 if (channel && bss->pub.channel != channel) 1528 continue; 1529 if (!is_valid_ether_addr(bss->pub.bssid)) 1530 continue; 1531 /* Don't get expired BSS structs */ 1532 if (time_after(now, bss->ts + IEEE80211_SCAN_RESULT_EXPIRE) && 1533 !atomic_read(&bss->hold)) 1534 continue; 1535 if (is_bss(&bss->pub, bssid, ssid, ssid_len)) { 1536 res = bss; 1537 bss_ref_get(rdev, res); 1538 break; 1539 } 1540 } 1541 1542 spin_unlock_bh(&rdev->bss_lock); 1543 if (!res) 1544 return NULL; 1545 trace_cfg80211_return_bss(&res->pub); 1546 return &res->pub; 1547} 1548EXPORT_SYMBOL(cfg80211_get_bss); 1549 1550static void rb_insert_bss(struct cfg80211_registered_device *rdev, 1551 struct cfg80211_internal_bss *bss) 1552{ 1553 struct rb_node **p = &rdev->bss_tree.rb_node; 1554 struct rb_node *parent = NULL; 1555 struct cfg80211_internal_bss *tbss; 1556 int cmp; 1557 1558 while (*p) { 1559 parent = *p; 1560 tbss = rb_entry(parent, struct cfg80211_internal_bss, rbn); 1561 1562 cmp = cmp_bss(&bss->pub, &tbss->pub, BSS_CMP_REGULAR); 1563 1564 if (WARN_ON(!cmp)) { 1565 /* will sort of leak this BSS */ 1566 return; 1567 } 1568 1569 if (cmp < 0) 1570 p = &(*p)->rb_left; 1571 else 1572 p = &(*p)->rb_right; 1573 } 1574 1575 rb_link_node(&bss->rbn, parent, p); 1576 rb_insert_color(&bss->rbn, &rdev->bss_tree); 1577} 1578 1579static struct cfg80211_internal_bss * 1580rb_find_bss(struct cfg80211_registered_device *rdev, 1581 struct cfg80211_internal_bss *res, 1582 enum bss_compare_mode mode) 1583{ 1584 struct rb_node *n = rdev->bss_tree.rb_node; 1585 struct cfg80211_internal_bss *bss; 1586 int r; 1587 1588 while (n) { 1589 bss = rb_entry(n, struct cfg80211_internal_bss, rbn); 1590 r = cmp_bss(&res->pub, &bss->pub, mode); 1591 1592 if (r == 0) 1593 return bss; 1594 else if (r < 0) 1595 n = n->rb_left; 1596 else 1597 n = n->rb_right; 1598 } 1599 1600 return NULL; 1601} 1602 1603static bool cfg80211_combine_bsses(struct cfg80211_registered_device *rdev, 1604 struct cfg80211_internal_bss *new) 1605{ 1606 const struct cfg80211_bss_ies *ies; 1607 struct cfg80211_internal_bss *bss; 1608 const u8 *ie; 1609 int i, ssidlen; 1610 u8 fold = 0; 1611 u32 n_entries = 0; 1612 1613 ies = rcu_access_pointer(new->pub.beacon_ies); 1614 if (WARN_ON(!ies)) 1615 return false; 1616 1617 ie = cfg80211_find_ie(WLAN_EID_SSID, ies->data, ies->len); 1618 if (!ie) { 1619 /* nothing to do */ 1620 return true; 1621 } 1622 1623 ssidlen = ie[1]; 1624 for (i = 0; i < ssidlen; i++) 1625 fold |= ie[2 + i]; 1626 1627 if (fold) { 1628 /* not a hidden SSID */ 1629 return true; 1630 } 1631 1632 /* This is the bad part ... */ 1633 1634 list_for_each_entry(bss, &rdev->bss_list, list) { 1635 /* 1636 * we're iterating all the entries anyway, so take the 1637 * opportunity to validate the list length accounting 1638 */ 1639 n_entries++; 1640 1641 if (!ether_addr_equal(bss->pub.bssid, new->pub.bssid)) 1642 continue; 1643 if (bss->pub.channel != new->pub.channel) 1644 continue; 1645 if (bss->pub.scan_width != new->pub.scan_width) 1646 continue; 1647 if (rcu_access_pointer(bss->pub.beacon_ies)) 1648 continue; 1649 ies = rcu_access_pointer(bss->pub.ies); 1650 if (!ies) 1651 continue; 1652 ie = cfg80211_find_ie(WLAN_EID_SSID, ies->data, ies->len); 1653 if (!ie) 1654 continue; 1655 if (ssidlen && ie[1] != ssidlen) 1656 continue; 1657 if (WARN_ON_ONCE(bss->pub.hidden_beacon_bss)) 1658 continue; 1659 if (WARN_ON_ONCE(!list_empty(&bss->hidden_list))) 1660 list_del(&bss->hidden_list); 1661 /* combine them */ 1662 list_add(&bss->hidden_list, &new->hidden_list); 1663 bss->pub.hidden_beacon_bss = &new->pub; 1664 new->refcount += bss->refcount; 1665 rcu_assign_pointer(bss->pub.beacon_ies, 1666 new->pub.beacon_ies); 1667 } 1668 1669 WARN_ONCE(n_entries != rdev->bss_entries, 1670 "rdev bss entries[%d]/list[len:%d] corruption\n", 1671 rdev->bss_entries, n_entries); 1672 1673 return true; 1674} 1675 1676static void cfg80211_update_hidden_bsses(struct cfg80211_internal_bss *known, 1677 const struct cfg80211_bss_ies *new_ies, 1678 const struct cfg80211_bss_ies *old_ies) 1679{ 1680 struct cfg80211_internal_bss *bss; 1681 1682 /* Assign beacon IEs to all sub entries */ 1683 list_for_each_entry(bss, &known->hidden_list, hidden_list) { 1684 const struct cfg80211_bss_ies *ies; 1685 1686 ies = rcu_access_pointer(bss->pub.beacon_ies); 1687 WARN_ON(ies != old_ies); 1688 1689 rcu_assign_pointer(bss->pub.beacon_ies, new_ies); 1690 } 1691} 1692 1693static bool 1694cfg80211_update_known_bss(struct cfg80211_registered_device *rdev, 1695 struct cfg80211_internal_bss *known, 1696 struct cfg80211_internal_bss *new, 1697 bool signal_valid) 1698{ 1699 lockdep_assert_held(&rdev->bss_lock); 1700 1701 /* Update IEs */ 1702 if (rcu_access_pointer(new->pub.proberesp_ies)) { 1703 const struct cfg80211_bss_ies *old; 1704 1705 old = rcu_access_pointer(known->pub.proberesp_ies); 1706 1707 rcu_assign_pointer(known->pub.proberesp_ies, 1708 new->pub.proberesp_ies); 1709 /* Override possible earlier Beacon frame IEs */ 1710 rcu_assign_pointer(known->pub.ies, 1711 new->pub.proberesp_ies); 1712 if (old) 1713 kfree_rcu((struct cfg80211_bss_ies *)old, rcu_head); 1714 } else if (rcu_access_pointer(new->pub.beacon_ies)) { 1715 const struct cfg80211_bss_ies *old; 1716 1717 if (known->pub.hidden_beacon_bss && 1718 !list_empty(&known->hidden_list)) { 1719 const struct cfg80211_bss_ies *f; 1720 1721 /* The known BSS struct is one of the probe 1722 * response members of a group, but we're 1723 * receiving a beacon (beacon_ies in the new 1724 * bss is used). This can only mean that the 1725 * AP changed its beacon from not having an 1726 * SSID to showing it, which is confusing so 1727 * drop this information. 1728 */ 1729 1730 f = rcu_access_pointer(new->pub.beacon_ies); 1731 kfree_rcu((struct cfg80211_bss_ies *)f, rcu_head); 1732 return false; 1733 } 1734 1735 old = rcu_access_pointer(known->pub.beacon_ies); 1736 1737 rcu_assign_pointer(known->pub.beacon_ies, new->pub.beacon_ies); 1738 1739 /* Override IEs if they were from a beacon before */ 1740 if (old == rcu_access_pointer(known->pub.ies)) 1741 rcu_assign_pointer(known->pub.ies, new->pub.beacon_ies); 1742 1743 cfg80211_update_hidden_bsses(known, 1744 rcu_access_pointer(new->pub.beacon_ies), 1745 old); 1746 1747 if (old) 1748 kfree_rcu((struct cfg80211_bss_ies *)old, rcu_head); 1749 } 1750 1751 known->pub.beacon_interval = new->pub.beacon_interval; 1752 1753 /* don't update the signal if beacon was heard on 1754 * adjacent channel. 1755 */ 1756 if (signal_valid) 1757 known->pub.signal = new->pub.signal; 1758 known->pub.capability = new->pub.capability; 1759 known->ts = new->ts; 1760 known->ts_boottime = new->ts_boottime; 1761 known->parent_tsf = new->parent_tsf; 1762 known->pub.chains = new->pub.chains; 1763 memcpy(known->pub.chain_signal, new->pub.chain_signal, 1764 IEEE80211_MAX_CHAINS); 1765 ether_addr_copy(known->parent_bssid, new->parent_bssid); 1766 known->pub.max_bssid_indicator = new->pub.max_bssid_indicator; 1767 known->pub.bssid_index = new->pub.bssid_index; 1768 1769 return true; 1770} 1771 1772/* Returned bss is reference counted and must be cleaned up appropriately. */ 1773static struct cfg80211_internal_bss * 1774__cfg80211_bss_update(struct cfg80211_registered_device *rdev, 1775 struct cfg80211_internal_bss *tmp, 1776 bool signal_valid, unsigned long ts) 1777{ 1778 struct cfg80211_internal_bss *found = NULL; 1779 1780 if (WARN_ON(!tmp->pub.channel)) 1781 return NULL; 1782 1783 tmp->ts = ts; 1784 1785 if (WARN_ON(!rcu_access_pointer(tmp->pub.ies))) { 1786 return NULL; 1787 } 1788 1789 found = rb_find_bss(rdev, tmp, BSS_CMP_REGULAR); 1790 1791 if (found) { 1792 if (!cfg80211_update_known_bss(rdev, found, tmp, signal_valid)) 1793 return NULL; 1794 } else { 1795 struct cfg80211_internal_bss *new; 1796 struct cfg80211_internal_bss *hidden; 1797 struct cfg80211_bss_ies *ies; 1798 1799 /* 1800 * create a copy -- the "res" variable that is passed in 1801 * is allocated on the stack since it's not needed in the 1802 * more common case of an update 1803 */ 1804 new = kzalloc(sizeof(*new) + rdev->wiphy.bss_priv_size, 1805 GFP_ATOMIC); 1806 if (!new) { 1807 ies = (void *)rcu_dereference(tmp->pub.beacon_ies); 1808 if (ies) 1809 kfree_rcu(ies, rcu_head); 1810 ies = (void *)rcu_dereference(tmp->pub.proberesp_ies); 1811 if (ies) 1812 kfree_rcu(ies, rcu_head); 1813 return NULL; 1814 } 1815 memcpy(new, tmp, sizeof(*new)); 1816 new->refcount = 1; 1817 INIT_LIST_HEAD(&new->hidden_list); 1818 INIT_LIST_HEAD(&new->pub.nontrans_list); 1819 /* we'll set this later if it was non-NULL */ 1820 new->pub.transmitted_bss = NULL; 1821 1822 if (rcu_access_pointer(tmp->pub.proberesp_ies)) { 1823 hidden = rb_find_bss(rdev, tmp, BSS_CMP_HIDE_ZLEN); 1824 if (!hidden) 1825 hidden = rb_find_bss(rdev, tmp, 1826 BSS_CMP_HIDE_NUL); 1827 if (hidden) { 1828 new->pub.hidden_beacon_bss = &hidden->pub; 1829 list_add(&new->hidden_list, 1830 &hidden->hidden_list); 1831 hidden->refcount++; 1832 1833 ies = (void *)rcu_access_pointer(new->pub.beacon_ies); 1834 rcu_assign_pointer(new->pub.beacon_ies, 1835 hidden->pub.beacon_ies); 1836 if (ies) 1837 kfree_rcu(ies, rcu_head); 1838 } 1839 } else { 1840 /* 1841 * Ok so we found a beacon, and don't have an entry. If 1842 * it's a beacon with hidden SSID, we might be in for an 1843 * expensive search for any probe responses that should 1844 * be grouped with this beacon for updates ... 1845 */ 1846 if (!cfg80211_combine_bsses(rdev, new)) { 1847 bss_ref_put(rdev, new); 1848 return NULL; 1849 } 1850 } 1851 1852 if (rdev->bss_entries >= bss_entries_limit && 1853 !cfg80211_bss_expire_oldest(rdev)) { 1854 bss_ref_put(rdev, new); 1855 return NULL; 1856 } 1857 1858 /* This must be before the call to bss_ref_get */ 1859 if (tmp->pub.transmitted_bss) { 1860 new->pub.transmitted_bss = tmp->pub.transmitted_bss; 1861 bss_ref_get(rdev, bss_from_pub(tmp->pub.transmitted_bss)); 1862 } 1863 1864 list_add_tail(&new->list, &rdev->bss_list); 1865 rdev->bss_entries++; 1866 rb_insert_bss(rdev, new); 1867 found = new; 1868 } 1869 1870 rdev->bss_generation++; 1871 bss_ref_get(rdev, found); 1872 1873 return found; 1874} 1875 1876struct cfg80211_internal_bss * 1877cfg80211_bss_update(struct cfg80211_registered_device *rdev, 1878 struct cfg80211_internal_bss *tmp, 1879 bool signal_valid, unsigned long ts) 1880{ 1881 struct cfg80211_internal_bss *res; 1882 1883 spin_lock_bh(&rdev->bss_lock); 1884 res = __cfg80211_bss_update(rdev, tmp, signal_valid, ts); 1885 spin_unlock_bh(&rdev->bss_lock); 1886 1887 return res; 1888} 1889 1890int cfg80211_get_ies_channel_number(const u8 *ie, size_t ielen, 1891 enum nl80211_band band) 1892{ 1893 const struct element *tmp; 1894 1895 if (band == NL80211_BAND_6GHZ) { 1896 struct ieee80211_he_operation *he_oper; 1897 1898 tmp = cfg80211_find_ext_elem(WLAN_EID_EXT_HE_OPERATION, ie, 1899 ielen); 1900 if (tmp && tmp->datalen >= sizeof(*he_oper) && 1901 tmp->datalen >= ieee80211_he_oper_size(&tmp->data[1])) { 1902 const struct ieee80211_he_6ghz_oper *he_6ghz_oper; 1903 1904 he_oper = (void *)&tmp->data[1]; 1905 1906 he_6ghz_oper = ieee80211_he_6ghz_oper(he_oper); 1907 if (!he_6ghz_oper) 1908 return -1; 1909 1910 return he_6ghz_oper->primary; 1911 } 1912 } else if (band == NL80211_BAND_S1GHZ) { 1913 tmp = cfg80211_find_elem(WLAN_EID_S1G_OPERATION, ie, ielen); 1914 if (tmp && tmp->datalen >= sizeof(struct ieee80211_s1g_oper_ie)) { 1915 struct ieee80211_s1g_oper_ie *s1gop = (void *)tmp->data; 1916 1917 return s1gop->oper_ch; 1918 } 1919 } else { 1920 tmp = cfg80211_find_elem(WLAN_EID_DS_PARAMS, ie, ielen); 1921 if (tmp && tmp->datalen == 1) 1922 return tmp->data[0]; 1923 1924 tmp = cfg80211_find_elem(WLAN_EID_HT_OPERATION, ie, ielen); 1925 if (tmp && 1926 tmp->datalen >= sizeof(struct ieee80211_ht_operation)) { 1927 struct ieee80211_ht_operation *htop = (void *)tmp->data; 1928 1929 return htop->primary_chan; 1930 } 1931 } 1932 1933 return -1; 1934} 1935EXPORT_SYMBOL(cfg80211_get_ies_channel_number); 1936 1937/* 1938 * Update RX channel information based on the available frame payload 1939 * information. This is mainly for the 2.4 GHz band where frames can be received 1940 * from neighboring channels and the Beacon frames use the DSSS Parameter Set 1941 * element to indicate the current (transmitting) channel, but this might also 1942 * be needed on other bands if RX frequency does not match with the actual 1943 * operating channel of a BSS, or if the AP reports a different primary channel. 1944 */ 1945static struct ieee80211_channel * 1946cfg80211_get_bss_channel(struct wiphy *wiphy, const u8 *ie, size_t ielen, 1947 struct ieee80211_channel *channel, 1948 enum nl80211_bss_scan_width scan_width) 1949{ 1950 u32 freq; 1951 int channel_number; 1952 struct ieee80211_channel *alt_channel; 1953 1954 channel_number = cfg80211_get_ies_channel_number(ie, ielen, 1955 channel->band); 1956 1957 if (channel_number < 0) { 1958 /* No channel information in frame payload */ 1959 return channel; 1960 } 1961 1962 freq = ieee80211_channel_to_freq_khz(channel_number, channel->band); 1963 1964 /* 1965 * Frame info (beacon/prob res) is the same as received channel, 1966 * no need for further processing. 1967 */ 1968 if (freq == ieee80211_channel_to_khz(channel)) 1969 return channel; 1970 1971 alt_channel = ieee80211_get_channel_khz(wiphy, freq); 1972 if (!alt_channel) { 1973 if (channel->band == NL80211_BAND_2GHZ || 1974 channel->band == NL80211_BAND_6GHZ) { 1975 /* 1976 * Better not allow unexpected channels when that could 1977 * be going beyond the 1-11 range (e.g., discovering 1978 * BSS on channel 12 when radio is configured for 1979 * channel 11) or beyond the 6 GHz channel range. 1980 */ 1981 return NULL; 1982 } 1983 1984 /* No match for the payload channel number - ignore it */ 1985 return channel; 1986 } 1987 1988 if (scan_width == NL80211_BSS_CHAN_WIDTH_10 || 1989 scan_width == NL80211_BSS_CHAN_WIDTH_5) { 1990 /* 1991 * Ignore channel number in 5 and 10 MHz channels where there 1992 * may not be an n:1 or 1:n mapping between frequencies and 1993 * channel numbers. 1994 */ 1995 return channel; 1996 } 1997 1998 /* 1999 * Use the channel determined through the payload channel number 2000 * instead of the RX channel reported by the driver. 2001 */ 2002 if (alt_channel->flags & IEEE80211_CHAN_DISABLED) 2003 return NULL; 2004 return alt_channel; 2005} 2006 2007struct cfg80211_inform_single_bss_data { 2008 struct cfg80211_inform_bss *drv_data; 2009 enum cfg80211_bss_frame_type ftype; 2010 struct ieee80211_channel *channel; 2011 u8 bssid[ETH_ALEN]; 2012 u64 tsf; 2013 u16 capability; 2014 u16 beacon_interval; 2015 const u8 *ie; 2016 size_t ielen; 2017 2018 enum { 2019 BSS_SOURCE_DIRECT = 0, 2020 BSS_SOURCE_MBSSID, 2021 BSS_SOURCE_STA_PROFILE, 2022 } bss_source; 2023 /* Set if reporting bss_source != BSS_SOURCE_DIRECT */ 2024 struct cfg80211_bss *source_bss; 2025 u8 max_bssid_indicator; 2026 u8 bssid_index; 2027}; 2028 2029/* Returned bss is reference counted and must be cleaned up appropriately. */ 2030static struct cfg80211_bss * 2031cfg80211_inform_single_bss_data(struct wiphy *wiphy, 2032 struct cfg80211_inform_single_bss_data *data, 2033 gfp_t gfp) 2034{ 2035 struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy); 2036 struct cfg80211_inform_bss *drv_data = data->drv_data; 2037 struct cfg80211_bss_ies *ies; 2038 struct ieee80211_channel *channel; 2039 struct cfg80211_internal_bss tmp = {}, *res; 2040 int bss_type; 2041 bool signal_valid; 2042 unsigned long ts; 2043 2044 if (WARN_ON(!wiphy)) 2045 return NULL; 2046 2047 if (WARN_ON(wiphy->signal_type == CFG80211_SIGNAL_TYPE_UNSPEC && 2048 (drv_data->signal < 0 || drv_data->signal > 100))) 2049 return NULL; 2050 2051 if (WARN_ON(data->bss_source != BSS_SOURCE_DIRECT && !data->source_bss)) 2052 return NULL; 2053 2054 channel = data->channel; 2055 if (!channel) 2056 channel = cfg80211_get_bss_channel(wiphy, data->ie, data->ielen, 2057 drv_data->chan, 2058 drv_data->scan_width); 2059 if (!channel) 2060 return NULL; 2061 2062 memcpy(tmp.pub.bssid, data->bssid, ETH_ALEN); 2063 tmp.pub.channel = channel; 2064 tmp.pub.scan_width = drv_data->scan_width; 2065 if (data->bss_source != BSS_SOURCE_STA_PROFILE) 2066 tmp.pub.signal = drv_data->signal; 2067 else 2068 tmp.pub.signal = 0; 2069 tmp.pub.beacon_interval = data->beacon_interval; 2070 tmp.pub.capability = data->capability; 2071 tmp.ts_boottime = drv_data->boottime_ns; 2072 tmp.parent_tsf = drv_data->parent_tsf; 2073 ether_addr_copy(tmp.parent_bssid, drv_data->parent_bssid); 2074 2075 if (data->bss_source != BSS_SOURCE_DIRECT) { 2076 tmp.pub.transmitted_bss = data->source_bss; 2077 ts = bss_from_pub(data->source_bss)->ts; 2078 tmp.pub.bssid_index = data->bssid_index; 2079 tmp.pub.max_bssid_indicator = data->max_bssid_indicator; 2080 } else { 2081 ts = jiffies; 2082 2083 if (channel->band == NL80211_BAND_60GHZ) { 2084 bss_type = data->capability & 2085 WLAN_CAPABILITY_DMG_TYPE_MASK; 2086 if (bss_type == WLAN_CAPABILITY_DMG_TYPE_AP || 2087 bss_type == WLAN_CAPABILITY_DMG_TYPE_PBSS) 2088 regulatory_hint_found_beacon(wiphy, channel, 2089 gfp); 2090 } else { 2091 if (data->capability & WLAN_CAPABILITY_ESS) 2092 regulatory_hint_found_beacon(wiphy, channel, 2093 gfp); 2094 } 2095 } 2096 2097 /* 2098 * If we do not know here whether the IEs are from a Beacon or Probe 2099 * Response frame, we need to pick one of the options and only use it 2100 * with the driver that does not provide the full Beacon/Probe Response 2101 * frame. Use Beacon frame pointer to avoid indicating that this should 2102 * override the IEs pointer should we have received an earlier 2103 * indication of Probe Response data. 2104 */ 2105 ies = kzalloc(sizeof(*ies) + data->ielen, gfp); 2106 if (!ies) 2107 return NULL; 2108 ies->len = data->ielen; 2109 ies->tsf = data->tsf; 2110 ies->from_beacon = false; 2111 memcpy(ies->data, data->ie, data->ielen); 2112 2113 switch (data->ftype) { 2114 case CFG80211_BSS_FTYPE_BEACON: 2115 ies->from_beacon = true; 2116 fallthrough; 2117 case CFG80211_BSS_FTYPE_UNKNOWN: 2118 rcu_assign_pointer(tmp.pub.beacon_ies, ies); 2119 break; 2120 case CFG80211_BSS_FTYPE_PRESP: 2121 rcu_assign_pointer(tmp.pub.proberesp_ies, ies); 2122 break; 2123 } 2124 rcu_assign_pointer(tmp.pub.ies, ies); 2125 2126 signal_valid = drv_data->chan == channel; 2127 spin_lock_bh(&rdev->bss_lock); 2128 res = __cfg80211_bss_update(rdev, &tmp, signal_valid, ts); 2129 if (!res) 2130 goto drop; 2131 2132 rdev_inform_bss(rdev, &res->pub, ies, drv_data->drv_data); 2133 2134 if (data->bss_source == BSS_SOURCE_MBSSID) { 2135 /* this is a nontransmitting bss, we need to add it to 2136 * transmitting bss' list if it is not there 2137 */ 2138 if (cfg80211_add_nontrans_list(data->source_bss, &res->pub)) { 2139 if (__cfg80211_unlink_bss(rdev, res)) { 2140 rdev->bss_generation++; 2141 res = NULL; 2142 } 2143 } 2144 2145 if (!res) 2146 goto drop; 2147 } 2148 spin_unlock_bh(&rdev->bss_lock); 2149 2150 trace_cfg80211_return_bss(&res->pub); 2151 /* __cfg80211_bss_update gives us a referenced result */ 2152 return &res->pub; 2153 2154drop: 2155 spin_unlock_bh(&rdev->bss_lock); 2156 return NULL; 2157} 2158 2159static const struct element 2160*cfg80211_get_profile_continuation(const u8 *ie, size_t ielen, 2161 const struct element *mbssid_elem, 2162 const struct element *sub_elem) 2163{ 2164 const u8 *mbssid_end = mbssid_elem->data + mbssid_elem->datalen; 2165 const struct element *next_mbssid; 2166 const struct element *next_sub; 2167 2168 next_mbssid = cfg80211_find_elem(WLAN_EID_MULTIPLE_BSSID, 2169 mbssid_end, 2170 ielen - (mbssid_end - ie)); 2171 2172 /* 2173 * If it is not the last subelement in current MBSSID IE or there isn't 2174 * a next MBSSID IE - profile is complete. 2175 */ 2176 if ((sub_elem->data + sub_elem->datalen < mbssid_end - 1) || 2177 !next_mbssid) 2178 return NULL; 2179 2180 /* For any length error, just return NULL */ 2181 2182 if (next_mbssid->datalen < 4) 2183 return NULL; 2184 2185 next_sub = (void *)&next_mbssid->data[1]; 2186 2187 if (next_mbssid->data + next_mbssid->datalen < 2188 next_sub->data + next_sub->datalen) 2189 return NULL; 2190 2191 if (next_sub->id != 0 || next_sub->datalen < 2) 2192 return NULL; 2193 2194 /* 2195 * Check if the first element in the next sub element is a start 2196 * of a new profile 2197 */ 2198 return next_sub->data[0] == WLAN_EID_NON_TX_BSSID_CAP ? 2199 NULL : next_mbssid; 2200} 2201 2202size_t cfg80211_merge_profile(const u8 *ie, size_t ielen, 2203 const struct element *mbssid_elem, 2204 const struct element *sub_elem, 2205 u8 *merged_ie, size_t max_copy_len) 2206{ 2207 size_t copied_len = sub_elem->datalen; 2208 const struct element *next_mbssid; 2209 2210 if (sub_elem->datalen > max_copy_len) 2211 return 0; 2212 2213 memcpy(merged_ie, sub_elem->data, sub_elem->datalen); 2214 2215 while ((next_mbssid = cfg80211_get_profile_continuation(ie, ielen, 2216 mbssid_elem, 2217 sub_elem))) { 2218 const struct element *next_sub = (void *)&next_mbssid->data[1]; 2219 2220 if (copied_len + next_sub->datalen > max_copy_len) 2221 break; 2222 memcpy(merged_ie + copied_len, next_sub->data, 2223 next_sub->datalen); 2224 copied_len += next_sub->datalen; 2225 } 2226 2227 return copied_len; 2228} 2229EXPORT_SYMBOL(cfg80211_merge_profile); 2230 2231static void 2232cfg80211_parse_mbssid_data(struct wiphy *wiphy, 2233 struct cfg80211_inform_single_bss_data *tx_data, 2234 struct cfg80211_bss *source_bss, 2235 gfp_t gfp) 2236{ 2237 struct cfg80211_inform_single_bss_data data = { 2238 .drv_data = tx_data->drv_data, 2239 .ftype = tx_data->ftype, 2240 .tsf = tx_data->tsf, 2241 .beacon_interval = tx_data->beacon_interval, 2242 .source_bss = source_bss, 2243 .bss_source = BSS_SOURCE_MBSSID, 2244 }; 2245 const u8 *mbssid_index_ie; 2246 const struct element *elem, *sub; 2247 u8 *new_ie, *profile; 2248 u64 seen_indices = 0; 2249 struct cfg80211_bss *bss; 2250 2251 if (!source_bss) 2252 return; 2253 if (!cfg80211_find_elem(WLAN_EID_MULTIPLE_BSSID, 2254 tx_data->ie, tx_data->ielen)) 2255 return; 2256 if (!wiphy->support_mbssid) 2257 return; 2258 if (wiphy->support_only_he_mbssid && 2259 !cfg80211_find_ext_elem(WLAN_EID_EXT_HE_CAPABILITY, 2260 tx_data->ie, tx_data->ielen)) 2261 return; 2262 2263 new_ie = kmalloc(IEEE80211_MAX_DATA_LEN, gfp); 2264 if (!new_ie) 2265 return; 2266 2267 profile = kmalloc(tx_data->ielen, gfp); 2268 if (!profile) 2269 goto out; 2270 2271 for_each_element_id(elem, WLAN_EID_MULTIPLE_BSSID, 2272 tx_data->ie, tx_data->ielen) { 2273 if (elem->datalen < 4) 2274 continue; 2275 if (elem->data[0] < 1 || (int)elem->data[0] > 8) 2276 continue; 2277 for_each_element(sub, elem->data + 1, elem->datalen - 1) { 2278 u8 profile_len; 2279 2280 if (sub->id != 0 || sub->datalen < 4) { 2281 /* not a valid BSS profile */ 2282 continue; 2283 } 2284 2285 if (sub->data[0] != WLAN_EID_NON_TX_BSSID_CAP || 2286 sub->data[1] != 2) { 2287 /* The first element within the Nontransmitted 2288 * BSSID Profile is not the Nontransmitted 2289 * BSSID Capability element. 2290 */ 2291 continue; 2292 } 2293 2294 memset(profile, 0, tx_data->ielen); 2295 profile_len = cfg80211_merge_profile(tx_data->ie, 2296 tx_data->ielen, 2297 elem, 2298 sub, 2299 profile, 2300 tx_data->ielen); 2301 2302 /* found a Nontransmitted BSSID Profile */ 2303 mbssid_index_ie = cfg80211_find_ie 2304 (WLAN_EID_MULTI_BSSID_IDX, 2305 profile, profile_len); 2306 if (!mbssid_index_ie || mbssid_index_ie[1] < 1 || 2307 mbssid_index_ie[2] == 0 || 2308 mbssid_index_ie[2] > 46) { 2309 /* No valid Multiple BSSID-Index element */ 2310 continue; 2311 } 2312 2313 if (seen_indices & BIT_ULL(mbssid_index_ie[2])) 2314 /* We don't support legacy split of a profile */ 2315 net_dbg_ratelimited("Partial info for BSSID index %d\n", 2316 mbssid_index_ie[2]); 2317 2318 seen_indices |= BIT_ULL(mbssid_index_ie[2]); 2319 2320 data.bssid_index = mbssid_index_ie[2]; 2321 data.max_bssid_indicator = elem->data[0]; 2322 2323 cfg80211_gen_new_bssid(tx_data->bssid, 2324 data.max_bssid_indicator, 2325 data.bssid_index, 2326 data.bssid); 2327 2328 memset(new_ie, 0, IEEE80211_MAX_DATA_LEN); 2329 data.ie = new_ie; 2330 data.ielen = cfg80211_gen_new_ie(tx_data->ie, 2331 tx_data->ielen, 2332 profile, 2333 profile_len, 2334 new_ie, 2335 IEEE80211_MAX_DATA_LEN); 2336 if (!data.ielen) 2337 continue; 2338 2339 data.capability = get_unaligned_le16(profile + 2); 2340 bss = cfg80211_inform_single_bss_data(wiphy, &data, gfp); 2341 if (!bss) 2342 break; 2343 cfg80211_put_bss(wiphy, bss); 2344 } 2345 } 2346 2347out: 2348 kfree(new_ie); 2349 kfree(profile); 2350} 2351 2352ssize_t cfg80211_defragment_element(const struct element *elem, const u8 *ies, 2353 size_t ieslen, u8 *data, size_t data_len, 2354 u8 frag_id) 2355{ 2356 const struct element *next; 2357 ssize_t copied; 2358 u8 elem_datalen; 2359 2360 if (!elem) 2361 return -EINVAL; 2362 2363 /* elem might be invalid after the memmove */ 2364 next = (void *)(elem->data + elem->datalen); 2365 elem_datalen = elem->datalen; 2366 2367 if (elem->id == WLAN_EID_EXTENSION) { 2368 copied = elem->datalen - 1; 2369 if (copied > data_len) 2370 return -ENOSPC; 2371 2372 memmove(data, elem->data + 1, copied); 2373 } else { 2374 copied = elem->datalen; 2375 if (copied > data_len) 2376 return -ENOSPC; 2377 2378 memmove(data, elem->data, copied); 2379 } 2380 2381 /* Fragmented elements must have 255 bytes */ 2382 if (elem_datalen < 255) 2383 return copied; 2384 2385 for (elem = next; 2386 elem->data < ies + ieslen && 2387 elem->data + elem->datalen <= ies + ieslen; 2388 elem = next) { 2389 /* elem might be invalid after the memmove */ 2390 next = (void *)(elem->data + elem->datalen); 2391 2392 if (elem->id != frag_id) 2393 break; 2394 2395 elem_datalen = elem->datalen; 2396 2397 if (copied + elem_datalen > data_len) 2398 return -ENOSPC; 2399 2400 memmove(data + copied, elem->data, elem_datalen); 2401 copied += elem_datalen; 2402 2403 /* Only the last fragment may be short */ 2404 if (elem_datalen != 255) 2405 break; 2406 } 2407 2408 return copied; 2409} 2410EXPORT_SYMBOL(cfg80211_defragment_element); 2411 2412struct cfg80211_mle { 2413 struct ieee80211_multi_link_elem *mle; 2414 struct ieee80211_mle_per_sta_profile 2415 *sta_prof[IEEE80211_MLD_MAX_NUM_LINKS]; 2416 ssize_t sta_prof_len[IEEE80211_MLD_MAX_NUM_LINKS]; 2417 2418 u8 data[]; 2419}; 2420 2421static struct cfg80211_mle * 2422cfg80211_defrag_mle(const struct element *mle, const u8 *ie, size_t ielen, 2423 gfp_t gfp) 2424{ 2425 const struct element *elem; 2426 struct cfg80211_mle *res; 2427 size_t buf_len; 2428 ssize_t mle_len; 2429 u8 common_size, idx; 2430 2431 if (!mle || !ieee80211_mle_size_ok(mle->data + 1, mle->datalen - 1)) 2432 return NULL; 2433 2434 /* Required length for first defragmentation */ 2435 buf_len = mle->datalen - 1; 2436 for_each_element(elem, mle->data + mle->datalen, 2437 ielen - sizeof(*mle) + mle->datalen) { 2438 if (elem->id != WLAN_EID_FRAGMENT) 2439 break; 2440 2441 buf_len += elem->datalen; 2442 } 2443 2444 res = kzalloc(struct_size(res, data, buf_len), gfp); 2445 if (!res) 2446 return NULL; 2447 2448 mle_len = cfg80211_defragment_element(mle, ie, ielen, 2449 res->data, buf_len, 2450 WLAN_EID_FRAGMENT); 2451 if (mle_len < 0) 2452 goto error; 2453 2454 res->mle = (void *)res->data; 2455 2456 /* Find the sub-element area in the buffer */ 2457 common_size = ieee80211_mle_common_size((u8 *)res->mle); 2458 ie = res->data + common_size; 2459 ielen = mle_len - common_size; 2460 2461 idx = 0; 2462 for_each_element_id(elem, IEEE80211_MLE_SUBELEM_PER_STA_PROFILE, 2463 ie, ielen) { 2464 res->sta_prof[idx] = (void *)elem->data; 2465 res->sta_prof_len[idx] = elem->datalen; 2466 2467 idx++; 2468 if (idx >= IEEE80211_MLD_MAX_NUM_LINKS) 2469 break; 2470 } 2471 if (!for_each_element_completed(elem, ie, ielen)) 2472 goto error; 2473 2474 /* Defragment sta_info in-place */ 2475 for (idx = 0; idx < IEEE80211_MLD_MAX_NUM_LINKS && res->sta_prof[idx]; 2476 idx++) { 2477 if (res->sta_prof_len[idx] < 255) 2478 continue; 2479 2480 elem = (void *)res->sta_prof[idx] - 2; 2481 2482 if (idx + 1 < ARRAY_SIZE(res->sta_prof) && 2483 res->sta_prof[idx + 1]) 2484 buf_len = (u8 *)res->sta_prof[idx + 1] - 2485 (u8 *)res->sta_prof[idx]; 2486 else 2487 buf_len = ielen + ie - (u8 *)elem; 2488 2489 res->sta_prof_len[idx] = 2490 cfg80211_defragment_element(elem, 2491 (u8 *)elem, buf_len, 2492 (u8 *)res->sta_prof[idx], 2493 buf_len, 2494 IEEE80211_MLE_SUBELEM_FRAGMENT); 2495 if (res->sta_prof_len[idx] < 0) 2496 goto error; 2497 } 2498 2499 return res; 2500 2501error: 2502 kfree(res); 2503 return NULL; 2504} 2505 2506static bool 2507cfg80211_tbtt_info_for_mld_ap(const u8 *ie, size_t ielen, u8 mld_id, u8 link_id, 2508 const struct ieee80211_neighbor_ap_info **ap_info, 2509 const u8 **tbtt_info) 2510{ 2511 const struct ieee80211_neighbor_ap_info *info; 2512 const struct element *rnr; 2513 const u8 *pos, *end; 2514 2515 for_each_element_id(rnr, WLAN_EID_REDUCED_NEIGHBOR_REPORT, ie, ielen) { 2516 pos = rnr->data; 2517 end = rnr->data + rnr->datalen; 2518 2519 /* RNR IE may contain more than one NEIGHBOR_AP_INFO */ 2520 while (sizeof(*info) <= end - pos) { 2521 const struct ieee80211_rnr_mld_params *mld_params; 2522 u16 params; 2523 u8 length, i, count, mld_params_offset; 2524 u8 type, lid; 2525 2526 info = (void *)pos; 2527 count = u8_get_bits(info->tbtt_info_hdr, 2528 IEEE80211_AP_INFO_TBTT_HDR_COUNT) + 1; 2529 length = info->tbtt_info_len; 2530 2531 pos += sizeof(*info); 2532 2533 if (count * length > end - pos) 2534 return false; 2535 2536 type = u8_get_bits(info->tbtt_info_hdr, 2537 IEEE80211_AP_INFO_TBTT_HDR_TYPE); 2538 2539 /* Only accept full TBTT information. NSTR mobile APs 2540 * use the shortened version, but we ignore them here. 2541 */ 2542 if (type == IEEE80211_TBTT_INFO_TYPE_TBTT && 2543 length >= 2544 offsetofend(struct ieee80211_tbtt_info_ge_11, 2545 mld_params)) { 2546 mld_params_offset = 2547 offsetof(struct ieee80211_tbtt_info_ge_11, mld_params); 2548 } else { 2549 pos += count * length; 2550 continue; 2551 } 2552 2553 for (i = 0; i < count; i++) { 2554 mld_params = (void *)pos + mld_params_offset; 2555 params = le16_to_cpu(mld_params->params); 2556 2557 lid = u16_get_bits(params, 2558 IEEE80211_RNR_MLD_PARAMS_LINK_ID); 2559 2560 if (mld_id == mld_params->mld_id && 2561 link_id == lid) { 2562 *ap_info = info; 2563 *tbtt_info = pos; 2564 2565 return true; 2566 } 2567 2568 pos += length; 2569 } 2570 } 2571 } 2572 2573 return false; 2574} 2575 2576static void 2577cfg80211_parse_ml_elem_sta_data(struct wiphy *wiphy, 2578 struct cfg80211_inform_single_bss_data *tx_data, 2579 struct cfg80211_bss *source_bss, 2580 const struct element *elem, 2581 gfp_t gfp) 2582{ 2583 struct cfg80211_inform_single_bss_data data = { 2584 .drv_data = tx_data->drv_data, 2585 .ftype = tx_data->ftype, 2586 .source_bss = source_bss, 2587 .bss_source = BSS_SOURCE_STA_PROFILE, 2588 }; 2589 struct ieee80211_multi_link_elem *ml_elem; 2590 struct cfg80211_mle *mle; 2591 u16 control; 2592 u8 *new_ie; 2593 struct cfg80211_bss *bss; 2594 int mld_id; 2595 u16 seen_links = 0; 2596 const u8 *pos; 2597 u8 i; 2598 2599 if (!ieee80211_mle_size_ok(elem->data + 1, elem->datalen - 1)) 2600 return; 2601 2602 ml_elem = (void *)elem->data + 1; 2603 control = le16_to_cpu(ml_elem->control); 2604 if (u16_get_bits(control, IEEE80211_ML_CONTROL_TYPE) != 2605 IEEE80211_ML_CONTROL_TYPE_BASIC) 2606 return; 2607 2608 /* Must be present when transmitted by an AP (in a probe response) */ 2609 if (!(control & IEEE80211_MLC_BASIC_PRES_BSS_PARAM_CH_CNT) || 2610 !(control & IEEE80211_MLC_BASIC_PRES_LINK_ID) || 2611 !(control & IEEE80211_MLC_BASIC_PRES_MLD_CAPA_OP)) 2612 return; 2613 2614 /* length + MLD MAC address + link ID info + BSS Params Change Count */ 2615 pos = ml_elem->variable + 1 + 6 + 1 + 1; 2616 2617 if (u16_get_bits(control, IEEE80211_MLC_BASIC_PRES_MED_SYNC_DELAY)) 2618 pos += 2; 2619 if (u16_get_bits(control, IEEE80211_MLC_BASIC_PRES_EML_CAPA)) 2620 pos += 2; 2621 2622 /* MLD capabilities and operations */ 2623 pos += 2; 2624 2625 /* 2626 * The MLD ID of the reporting AP is always zero. It is set if the AP 2627 * is part of an MBSSID set and will be non-zero for ML Elements 2628 * relating to a nontransmitted BSS (matching the Multi-BSSID Index, 2629 * Draft P802.11be_D3.2, 35.3.4.2) 2630 */ 2631 if (u16_get_bits(control, IEEE80211_MLC_BASIC_PRES_MLD_ID)) { 2632 mld_id = *pos; 2633 pos += 1; 2634 } else { 2635 mld_id = 0; 2636 } 2637 2638 /* Extended MLD capabilities and operations */ 2639 pos += 2; 2640 2641 /* Fully defrag the ML element for sta information/profile iteration */ 2642 mle = cfg80211_defrag_mle(elem, tx_data->ie, tx_data->ielen, gfp); 2643 if (!mle) 2644 return; 2645 2646 new_ie = kmalloc(IEEE80211_MAX_DATA_LEN, gfp); 2647 if (!new_ie) 2648 goto out; 2649 2650 for (i = 0; i < ARRAY_SIZE(mle->sta_prof) && mle->sta_prof[i]; i++) { 2651 const struct ieee80211_neighbor_ap_info *ap_info; 2652 enum nl80211_band band; 2653 u32 freq; 2654 const u8 *profile; 2655 const u8 *tbtt_info; 2656 ssize_t profile_len; 2657 u8 link_id; 2658 2659 if (!ieee80211_mle_basic_sta_prof_size_ok((u8 *)mle->sta_prof[i], 2660 mle->sta_prof_len[i])) 2661 continue; 2662 2663 control = le16_to_cpu(mle->sta_prof[i]->control); 2664 2665 if (!(control & IEEE80211_MLE_STA_CONTROL_COMPLETE_PROFILE)) 2666 continue; 2667 2668 link_id = u16_get_bits(control, 2669 IEEE80211_MLE_STA_CONTROL_LINK_ID); 2670 if (seen_links & BIT(link_id)) 2671 break; 2672 seen_links |= BIT(link_id); 2673 2674 if (!(control & IEEE80211_MLE_STA_CONTROL_BEACON_INT_PRESENT) || 2675 !(control & IEEE80211_MLE_STA_CONTROL_TSF_OFFS_PRESENT) || 2676 !(control & IEEE80211_MLE_STA_CONTROL_STA_MAC_ADDR_PRESENT)) 2677 continue; 2678 2679 memcpy(data.bssid, mle->sta_prof[i]->variable, ETH_ALEN); 2680 data.beacon_interval = 2681 get_unaligned_le16(mle->sta_prof[i]->variable + 6); 2682 data.tsf = tx_data->tsf + 2683 get_unaligned_le64(mle->sta_prof[i]->variable + 8); 2684 2685 /* sta_info_len counts itself */ 2686 profile = mle->sta_prof[i]->variable + 2687 mle->sta_prof[i]->sta_info_len - 1; 2688 profile_len = (u8 *)mle->sta_prof[i] + mle->sta_prof_len[i] - 2689 profile; 2690 2691 if (profile_len < 2) 2692 continue; 2693 2694 data.capability = get_unaligned_le16(profile); 2695 profile += 2; 2696 profile_len -= 2; 2697 2698 /* Find in RNR to look up channel information */ 2699 if (!cfg80211_tbtt_info_for_mld_ap(tx_data->ie, tx_data->ielen, 2700 mld_id, link_id, 2701 &ap_info, &tbtt_info)) 2702 continue; 2703 2704 /* We could sanity check the BSSID is included */ 2705 2706 if (!ieee80211_operating_class_to_band(ap_info->op_class, 2707 &band)) 2708 continue; 2709 2710 freq = ieee80211_channel_to_freq_khz(ap_info->channel, band); 2711 data.channel = ieee80211_get_channel_khz(wiphy, freq); 2712 2713 /* Generate new elements */ 2714 memset(new_ie, 0, IEEE80211_MAX_DATA_LEN); 2715 data.ie = new_ie; 2716 data.ielen = cfg80211_gen_new_ie(tx_data->ie, tx_data->ielen, 2717 profile, profile_len, 2718 new_ie, 2719 IEEE80211_MAX_DATA_LEN); 2720 if (!data.ielen) 2721 continue; 2722 2723 bss = cfg80211_inform_single_bss_data(wiphy, &data, gfp); 2724 if (!bss) 2725 break; 2726 cfg80211_put_bss(wiphy, bss); 2727 } 2728 2729out: 2730 kfree(new_ie); 2731 kfree(mle); 2732} 2733 2734static void cfg80211_parse_ml_sta_data(struct wiphy *wiphy, 2735 struct cfg80211_inform_single_bss_data *tx_data, 2736 struct cfg80211_bss *source_bss, 2737 gfp_t gfp) 2738{ 2739 const struct element *elem; 2740 2741 if (!source_bss) 2742 return; 2743 2744 if (tx_data->ftype != CFG80211_BSS_FTYPE_PRESP) 2745 return; 2746 2747 for_each_element_extid(elem, WLAN_EID_EXT_EHT_MULTI_LINK, 2748 tx_data->ie, tx_data->ielen) 2749 cfg80211_parse_ml_elem_sta_data(wiphy, tx_data, source_bss, 2750 elem, gfp); 2751} 2752 2753struct cfg80211_bss * 2754cfg80211_inform_bss_data(struct wiphy *wiphy, 2755 struct cfg80211_inform_bss *data, 2756 enum cfg80211_bss_frame_type ftype, 2757 const u8 *bssid, u64 tsf, u16 capability, 2758 u16 beacon_interval, const u8 *ie, size_t ielen, 2759 gfp_t gfp) 2760{ 2761 struct cfg80211_inform_single_bss_data inform_data = { 2762 .drv_data = data, 2763 .ftype = ftype, 2764 .tsf = tsf, 2765 .capability = capability, 2766 .beacon_interval = beacon_interval, 2767 .ie = ie, 2768 .ielen = ielen, 2769 }; 2770 struct cfg80211_bss *res; 2771 2772 memcpy(inform_data.bssid, bssid, ETH_ALEN); 2773 2774 res = cfg80211_inform_single_bss_data(wiphy, &inform_data, gfp); 2775 if (!res) 2776 return NULL; 2777 2778 cfg80211_parse_mbssid_data(wiphy, &inform_data, res, gfp); 2779 2780 cfg80211_parse_ml_sta_data(wiphy, &inform_data, res, gfp); 2781 2782 return res; 2783} 2784EXPORT_SYMBOL(cfg80211_inform_bss_data); 2785 2786/* cfg80211_inform_bss_width_frame helper */ 2787static struct cfg80211_bss * 2788cfg80211_inform_single_bss_frame_data(struct wiphy *wiphy, 2789 struct cfg80211_inform_bss *data, 2790 struct ieee80211_mgmt *mgmt, size_t len, 2791 gfp_t gfp) 2792{ 2793 struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy); 2794 struct cfg80211_internal_bss tmp = {}, *res; 2795 struct cfg80211_bss_ies *ies; 2796 struct ieee80211_channel *channel; 2797 bool signal_valid; 2798 struct ieee80211_ext *ext = NULL; 2799 u8 *bssid, *variable; 2800 u16 capability, beacon_int; 2801 size_t ielen, min_hdr_len = offsetof(struct ieee80211_mgmt, 2802 u.probe_resp.variable); 2803 int bss_type; 2804 2805 BUILD_BUG_ON(offsetof(struct ieee80211_mgmt, u.probe_resp.variable) != 2806 offsetof(struct ieee80211_mgmt, u.beacon.variable)); 2807 2808 trace_cfg80211_inform_bss_frame(wiphy, data, mgmt, len); 2809 2810 if (WARN_ON(!mgmt)) 2811 return NULL; 2812 2813 if (WARN_ON(!wiphy)) 2814 return NULL; 2815 2816 if (WARN_ON(wiphy->signal_type == CFG80211_SIGNAL_TYPE_UNSPEC && 2817 (data->signal < 0 || data->signal > 100))) 2818 return NULL; 2819 2820 if (ieee80211_is_s1g_beacon(mgmt->frame_control)) { 2821 ext = (void *) mgmt; 2822 min_hdr_len = offsetof(struct ieee80211_ext, u.s1g_beacon); 2823 if (ieee80211_is_s1g_short_beacon(mgmt->frame_control)) 2824 min_hdr_len = offsetof(struct ieee80211_ext, 2825 u.s1g_short_beacon.variable); 2826 } 2827 2828 if (WARN_ON(len < min_hdr_len)) 2829 return NULL; 2830 2831 ielen = len - min_hdr_len; 2832 variable = mgmt->u.probe_resp.variable; 2833 if (ext) { 2834 if (ieee80211_is_s1g_short_beacon(mgmt->frame_control)) 2835 variable = ext->u.s1g_short_beacon.variable; 2836 else 2837 variable = ext->u.s1g_beacon.variable; 2838 } 2839 2840 channel = cfg80211_get_bss_channel(wiphy, variable, 2841 ielen, data->chan, data->scan_width); 2842 if (!channel) 2843 return NULL; 2844 2845 if (ext) { 2846 const struct ieee80211_s1g_bcn_compat_ie *compat; 2847 const struct element *elem; 2848 2849 elem = cfg80211_find_elem(WLAN_EID_S1G_BCN_COMPAT, 2850 variable, ielen); 2851 if (!elem) 2852 return NULL; 2853 if (elem->datalen < sizeof(*compat)) 2854 return NULL; 2855 compat = (void *)elem->data; 2856 bssid = ext->u.s1g_beacon.sa; 2857 capability = le16_to_cpu(compat->compat_info); 2858 beacon_int = le16_to_cpu(compat->beacon_int); 2859 } else { 2860 bssid = mgmt->bssid; 2861 beacon_int = le16_to_cpu(mgmt->u.probe_resp.beacon_int); 2862 capability = le16_to_cpu(mgmt->u.probe_resp.capab_info); 2863 } 2864 2865 if (channel->band == NL80211_BAND_60GHZ) { 2866 bss_type = capability & WLAN_CAPABILITY_DMG_TYPE_MASK; 2867 if (bss_type == WLAN_CAPABILITY_DMG_TYPE_AP || 2868 bss_type == WLAN_CAPABILITY_DMG_TYPE_PBSS) 2869 regulatory_hint_found_beacon(wiphy, channel, gfp); 2870 } else { 2871 if (capability & WLAN_CAPABILITY_ESS) 2872 regulatory_hint_found_beacon(wiphy, channel, gfp); 2873 } 2874 2875 ies = kzalloc(sizeof(*ies) + ielen, gfp); 2876 if (!ies) 2877 return NULL; 2878 ies->len = ielen; 2879 ies->tsf = le64_to_cpu(mgmt->u.probe_resp.timestamp); 2880 ies->from_beacon = ieee80211_is_beacon(mgmt->frame_control) || 2881 ieee80211_is_s1g_beacon(mgmt->frame_control); 2882 memcpy(ies->data, variable, ielen); 2883 2884 if (ieee80211_is_probe_resp(mgmt->frame_control)) 2885 rcu_assign_pointer(tmp.pub.proberesp_ies, ies); 2886 else 2887 rcu_assign_pointer(tmp.pub.beacon_ies, ies); 2888 rcu_assign_pointer(tmp.pub.ies, ies); 2889 2890 memcpy(tmp.pub.bssid, bssid, ETH_ALEN); 2891 tmp.pub.beacon_interval = beacon_int; 2892 tmp.pub.capability = capability; 2893 tmp.pub.channel = channel; 2894 tmp.pub.scan_width = data->scan_width; 2895 tmp.pub.signal = data->signal; 2896 tmp.ts_boottime = data->boottime_ns; 2897 tmp.parent_tsf = data->parent_tsf; 2898 tmp.pub.chains = data->chains; 2899 memcpy(tmp.pub.chain_signal, data->chain_signal, IEEE80211_MAX_CHAINS); 2900 ether_addr_copy(tmp.parent_bssid, data->parent_bssid); 2901 2902 signal_valid = data->chan == channel; 2903 spin_lock_bh(&rdev->bss_lock); 2904 res = __cfg80211_bss_update(rdev, &tmp, signal_valid, jiffies); 2905 if (!res) 2906 goto drop; 2907 2908 rdev_inform_bss(rdev, &res->pub, ies, data->drv_data); 2909 2910 spin_unlock_bh(&rdev->bss_lock); 2911 2912 trace_cfg80211_return_bss(&res->pub); 2913 /* __cfg80211_bss_update gives us a referenced result */ 2914 return &res->pub; 2915 2916drop: 2917 spin_unlock_bh(&rdev->bss_lock); 2918 return NULL; 2919} 2920 2921struct cfg80211_bss * 2922cfg80211_inform_bss_frame_data(struct wiphy *wiphy, 2923 struct cfg80211_inform_bss *data, 2924 struct ieee80211_mgmt *mgmt, size_t len, 2925 gfp_t gfp) 2926{ 2927 struct cfg80211_inform_single_bss_data inform_data = { 2928 .drv_data = data, 2929 .ie = mgmt->u.probe_resp.variable, 2930 .ielen = len - offsetof(struct ieee80211_mgmt, 2931 u.probe_resp.variable), 2932 }; 2933 struct cfg80211_bss *res; 2934 2935 res = cfg80211_inform_single_bss_frame_data(wiphy, data, mgmt, 2936 len, gfp); 2937 if (!res) 2938 return NULL; 2939 2940 /* don't do any further MBSSID/ML handling for S1G */ 2941 if (ieee80211_is_s1g_beacon(mgmt->frame_control)) 2942 return res; 2943 2944 inform_data.ftype = ieee80211_is_beacon(mgmt->frame_control) ? 2945 CFG80211_BSS_FTYPE_BEACON : CFG80211_BSS_FTYPE_PRESP; 2946 memcpy(inform_data.bssid, mgmt->bssid, ETH_ALEN); 2947 inform_data.tsf = le64_to_cpu(mgmt->u.probe_resp.timestamp); 2948 inform_data.beacon_interval = 2949 le16_to_cpu(mgmt->u.probe_resp.beacon_int); 2950 2951 /* process each non-transmitting bss */ 2952 cfg80211_parse_mbssid_data(wiphy, &inform_data, res, gfp); 2953 2954 cfg80211_parse_ml_sta_data(wiphy, &inform_data, res, gfp); 2955 2956 return res; 2957} 2958EXPORT_SYMBOL(cfg80211_inform_bss_frame_data); 2959 2960void cfg80211_ref_bss(struct wiphy *wiphy, struct cfg80211_bss *pub) 2961{ 2962 struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy); 2963 2964 if (!pub) 2965 return; 2966 2967 spin_lock_bh(&rdev->bss_lock); 2968 bss_ref_get(rdev, bss_from_pub(pub)); 2969 spin_unlock_bh(&rdev->bss_lock); 2970} 2971EXPORT_SYMBOL(cfg80211_ref_bss); 2972 2973void cfg80211_put_bss(struct wiphy *wiphy, struct cfg80211_bss *pub) 2974{ 2975 struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy); 2976 2977 if (!pub) 2978 return; 2979 2980 spin_lock_bh(&rdev->bss_lock); 2981 bss_ref_put(rdev, bss_from_pub(pub)); 2982 spin_unlock_bh(&rdev->bss_lock); 2983} 2984EXPORT_SYMBOL(cfg80211_put_bss); 2985 2986void cfg80211_unlink_bss(struct wiphy *wiphy, struct cfg80211_bss *pub) 2987{ 2988 struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy); 2989 struct cfg80211_internal_bss *bss, *tmp1; 2990 struct cfg80211_bss *nontrans_bss, *tmp; 2991 2992 if (WARN_ON(!pub)) 2993 return; 2994 2995 bss = bss_from_pub(pub); 2996 2997 spin_lock_bh(&rdev->bss_lock); 2998 if (list_empty(&bss->list)) 2999 goto out; 3000 3001 list_for_each_entry_safe(nontrans_bss, tmp, 3002 &pub->nontrans_list, 3003 nontrans_list) { 3004 tmp1 = bss_from_pub(nontrans_bss); 3005 if (__cfg80211_unlink_bss(rdev, tmp1)) 3006 rdev->bss_generation++; 3007 } 3008 3009 if (__cfg80211_unlink_bss(rdev, bss)) 3010 rdev->bss_generation++; 3011out: 3012 spin_unlock_bh(&rdev->bss_lock); 3013} 3014EXPORT_SYMBOL(cfg80211_unlink_bss); 3015 3016void cfg80211_bss_iter(struct wiphy *wiphy, 3017 struct cfg80211_chan_def *chandef, 3018 void (*iter)(struct wiphy *wiphy, 3019 struct cfg80211_bss *bss, 3020 void *data), 3021 void *iter_data) 3022{ 3023 struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy); 3024 struct cfg80211_internal_bss *bss; 3025 3026 spin_lock_bh(&rdev->bss_lock); 3027 3028 list_for_each_entry(bss, &rdev->bss_list, list) { 3029 if (!chandef || cfg80211_is_sub_chan(chandef, bss->pub.channel, 3030 false)) 3031 iter(wiphy, &bss->pub, iter_data); 3032 } 3033 3034 spin_unlock_bh(&rdev->bss_lock); 3035} 3036EXPORT_SYMBOL(cfg80211_bss_iter); 3037 3038void cfg80211_update_assoc_bss_entry(struct wireless_dev *wdev, 3039 unsigned int link_id, 3040 struct ieee80211_channel *chan) 3041{ 3042 struct wiphy *wiphy = wdev->wiphy; 3043 struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy); 3044 struct cfg80211_internal_bss *cbss = wdev->links[link_id].client.current_bss; 3045 struct cfg80211_internal_bss *new = NULL; 3046 struct cfg80211_internal_bss *bss; 3047 struct cfg80211_bss *nontrans_bss; 3048 struct cfg80211_bss *tmp; 3049 3050 spin_lock_bh(&rdev->bss_lock); 3051 3052 /* 3053 * Some APs use CSA also for bandwidth changes, i.e., without actually 3054 * changing the control channel, so no need to update in such a case. 3055 */ 3056 if (cbss->pub.channel == chan) 3057 goto done; 3058 3059 /* use transmitting bss */ 3060 if (cbss->pub.transmitted_bss) 3061 cbss = bss_from_pub(cbss->pub.transmitted_bss); 3062 3063 cbss->pub.channel = chan; 3064 3065 list_for_each_entry(bss, &rdev->bss_list, list) { 3066 if (!cfg80211_bss_type_match(bss->pub.capability, 3067 bss->pub.channel->band, 3068 wdev->conn_bss_type)) 3069 continue; 3070 3071 if (bss == cbss) 3072 continue; 3073 3074 if (!cmp_bss(&bss->pub, &cbss->pub, BSS_CMP_REGULAR)) { 3075 new = bss; 3076 break; 3077 } 3078 } 3079 3080 if (new) { 3081 /* to save time, update IEs for transmitting bss only */ 3082 if (cfg80211_update_known_bss(rdev, cbss, new, false)) { 3083 new->pub.proberesp_ies = NULL; 3084 new->pub.beacon_ies = NULL; 3085 } 3086 3087 list_for_each_entry_safe(nontrans_bss, tmp, 3088 &new->pub.nontrans_list, 3089 nontrans_list) { 3090 bss = bss_from_pub(nontrans_bss); 3091 if (__cfg80211_unlink_bss(rdev, bss)) 3092 rdev->bss_generation++; 3093 } 3094 3095 WARN_ON(atomic_read(&new->hold)); 3096 if (!WARN_ON(!__cfg80211_unlink_bss(rdev, new))) 3097 rdev->bss_generation++; 3098 } 3099 3100 rb_erase(&cbss->rbn, &rdev->bss_tree); 3101 rb_insert_bss(rdev, cbss); 3102 rdev->bss_generation++; 3103 3104 list_for_each_entry_safe(nontrans_bss, tmp, 3105 &cbss->pub.nontrans_list, 3106 nontrans_list) { 3107 bss = bss_from_pub(nontrans_bss); 3108 bss->pub.channel = chan; 3109 rb_erase(&bss->rbn, &rdev->bss_tree); 3110 rb_insert_bss(rdev, bss); 3111 rdev->bss_generation++; 3112 } 3113 3114done: 3115 spin_unlock_bh(&rdev->bss_lock); 3116} 3117 3118#ifdef CONFIG_CFG80211_WEXT 3119static struct cfg80211_registered_device * 3120cfg80211_get_dev_from_ifindex(struct net *net, int ifindex) 3121{ 3122 struct cfg80211_registered_device *rdev; 3123 struct net_device *dev; 3124 3125 ASSERT_RTNL(); 3126 3127 dev = dev_get_by_index(net, ifindex); 3128 if (!dev) 3129 return ERR_PTR(-ENODEV); 3130 if (dev->ieee80211_ptr) 3131 rdev = wiphy_to_rdev(dev->ieee80211_ptr->wiphy); 3132 else 3133 rdev = ERR_PTR(-ENODEV); 3134 dev_put(dev); 3135 return rdev; 3136} 3137 3138int cfg80211_wext_siwscan(struct net_device *dev, 3139 struct iw_request_info *info, 3140 union iwreq_data *wrqu, char *extra) 3141{ 3142 struct cfg80211_registered_device *rdev; 3143 struct wiphy *wiphy; 3144 struct iw_scan_req *wreq = NULL; 3145 struct cfg80211_scan_request *creq; 3146 int i, err, n_channels = 0; 3147 enum nl80211_band band; 3148 3149 if (!netif_running(dev)) 3150 return -ENETDOWN; 3151 3152 if (wrqu->data.length == sizeof(struct iw_scan_req)) 3153 wreq = (struct iw_scan_req *)extra; 3154 3155 rdev = cfg80211_get_dev_from_ifindex(dev_net(dev), dev->ifindex); 3156 3157 if (IS_ERR(rdev)) 3158 return PTR_ERR(rdev); 3159 3160 if (rdev->scan_req || rdev->scan_msg) 3161 return -EBUSY; 3162 3163 wiphy = &rdev->wiphy; 3164 3165 /* Determine number of channels, needed to allocate creq */ 3166 if (wreq && wreq->num_channels) 3167 n_channels = wreq->num_channels; 3168 else 3169 n_channels = ieee80211_get_num_supported_channels(wiphy); 3170 3171 creq = kzalloc(sizeof(*creq) + sizeof(struct cfg80211_ssid) + 3172 n_channels * sizeof(void *), 3173 GFP_ATOMIC); 3174 if (!creq) 3175 return -ENOMEM; 3176 3177 creq->wiphy = wiphy; 3178 creq->wdev = dev->ieee80211_ptr; 3179 /* SSIDs come after channels */ 3180 creq->ssids = (void *)&creq->channels[n_channels]; 3181 creq->n_channels = n_channels; 3182 creq->n_ssids = 1; 3183 creq->scan_start = jiffies; 3184 3185 /* translate "Scan on frequencies" request */ 3186 i = 0; 3187 for (band = 0; band < NUM_NL80211_BANDS; band++) { 3188 int j; 3189 3190 if (!wiphy->bands[band]) 3191 continue; 3192 3193 for (j = 0; j < wiphy->bands[band]->n_channels; j++) { 3194 /* ignore disabled channels */ 3195 if (wiphy->bands[band]->channels[j].flags & 3196 IEEE80211_CHAN_DISABLED) 3197 continue; 3198 3199 /* If we have a wireless request structure and the 3200 * wireless request specifies frequencies, then search 3201 * for the matching hardware channel. 3202 */ 3203 if (wreq && wreq->num_channels) { 3204 int k; 3205 int wiphy_freq = wiphy->bands[band]->channels[j].center_freq; 3206 for (k = 0; k < wreq->num_channels; k++) { 3207 struct iw_freq *freq = 3208 &wreq->channel_list[k]; 3209 int wext_freq = 3210 cfg80211_wext_freq(freq); 3211 3212 if (wext_freq == wiphy_freq) 3213 goto wext_freq_found; 3214 } 3215 goto wext_freq_not_found; 3216 } 3217 3218 wext_freq_found: 3219 creq->channels[i] = &wiphy->bands[band]->channels[j]; 3220 i++; 3221 wext_freq_not_found: ; 3222 } 3223 } 3224 /* No channels found? */ 3225 if (!i) { 3226 err = -EINVAL; 3227 goto out; 3228 } 3229 3230 /* Set real number of channels specified in creq->channels[] */ 3231 creq->n_channels = i; 3232 3233 /* translate "Scan for SSID" request */ 3234 if (wreq) { 3235 if (wrqu->data.flags & IW_SCAN_THIS_ESSID) { 3236 if (wreq->essid_len > IEEE80211_MAX_SSID_LEN) { 3237 err = -EINVAL; 3238 goto out; 3239 } 3240 memcpy(creq->ssids[0].ssid, wreq->essid, wreq->essid_len); 3241 creq->ssids[0].ssid_len = wreq->essid_len; 3242 } 3243 if (wreq->scan_type == IW_SCAN_TYPE_PASSIVE) 3244 creq->n_ssids = 0; 3245 } 3246 3247 for (i = 0; i < NUM_NL80211_BANDS; i++) 3248 if (wiphy->bands[i]) 3249 creq->rates[i] = (1 << wiphy->bands[i]->n_bitrates) - 1; 3250 3251 eth_broadcast_addr(creq->bssid); 3252 3253 wiphy_lock(&rdev->wiphy); 3254 3255 rdev->scan_req = creq; 3256 err = rdev_scan(rdev, creq); 3257 if (err) { 3258 rdev->scan_req = NULL; 3259 /* creq will be freed below */ 3260 } else { 3261 nl80211_send_scan_start(rdev, dev->ieee80211_ptr); 3262 /* creq now owned by driver */ 3263 creq = NULL; 3264 dev_hold(dev); 3265 } 3266 wiphy_unlock(&rdev->wiphy); 3267 out: 3268 kfree(creq); 3269 return err; 3270} 3271EXPORT_WEXT_HANDLER(cfg80211_wext_siwscan); 3272 3273static char *ieee80211_scan_add_ies(struct iw_request_info *info, 3274 const struct cfg80211_bss_ies *ies, 3275 char *current_ev, char *end_buf) 3276{ 3277 const u8 *pos, *end, *next; 3278 struct iw_event iwe; 3279 3280 if (!ies) 3281 return current_ev; 3282 3283 /* 3284 * If needed, fragment the IEs buffer (at IE boundaries) into short 3285 * enough fragments to fit into IW_GENERIC_IE_MAX octet messages. 3286 */ 3287 pos = ies->data; 3288 end = pos + ies->len; 3289 3290 while (end - pos > IW_GENERIC_IE_MAX) { 3291 next = pos + 2 + pos[1]; 3292 while (next + 2 + next[1] - pos < IW_GENERIC_IE_MAX) 3293 next = next + 2 + next[1]; 3294 3295 memset(&iwe, 0, sizeof(iwe)); 3296 iwe.cmd = IWEVGENIE; 3297 iwe.u.data.length = next - pos; 3298 current_ev = iwe_stream_add_point_check(info, current_ev, 3299 end_buf, &iwe, 3300 (void *)pos); 3301 if (IS_ERR(current_ev)) 3302 return current_ev; 3303 pos = next; 3304 } 3305 3306 if (end > pos) { 3307 memset(&iwe, 0, sizeof(iwe)); 3308 iwe.cmd = IWEVGENIE; 3309 iwe.u.data.length = end - pos; 3310 current_ev = iwe_stream_add_point_check(info, current_ev, 3311 end_buf, &iwe, 3312 (void *)pos); 3313 if (IS_ERR(current_ev)) 3314 return current_ev; 3315 } 3316 3317 return current_ev; 3318} 3319 3320static char * 3321ieee80211_bss(struct wiphy *wiphy, struct iw_request_info *info, 3322 struct cfg80211_internal_bss *bss, char *current_ev, 3323 char *end_buf) 3324{ 3325 const struct cfg80211_bss_ies *ies; 3326 struct iw_event iwe; 3327 const u8 *ie; 3328 u8 buf[50]; 3329 u8 *cfg, *p, *tmp; 3330 int rem, i, sig; 3331 bool ismesh = false; 3332 3333 memset(&iwe, 0, sizeof(iwe)); 3334 iwe.cmd = SIOCGIWAP; 3335 iwe.u.ap_addr.sa_family = ARPHRD_ETHER; 3336 memcpy(iwe.u.ap_addr.sa_data, bss->pub.bssid, ETH_ALEN); 3337 current_ev = iwe_stream_add_event_check(info, current_ev, end_buf, &iwe, 3338 IW_EV_ADDR_LEN); 3339 if (IS_ERR(current_ev)) 3340 return current_ev; 3341 3342 memset(&iwe, 0, sizeof(iwe)); 3343 iwe.cmd = SIOCGIWFREQ; 3344 iwe.u.freq.m = ieee80211_frequency_to_channel(bss->pub.channel->center_freq); 3345 iwe.u.freq.e = 0; 3346 current_ev = iwe_stream_add_event_check(info, current_ev, end_buf, &iwe, 3347 IW_EV_FREQ_LEN); 3348 if (IS_ERR(current_ev)) 3349 return current_ev; 3350 3351 memset(&iwe, 0, sizeof(iwe)); 3352 iwe.cmd = SIOCGIWFREQ; 3353 iwe.u.freq.m = bss->pub.channel->center_freq; 3354 iwe.u.freq.e = 6; 3355 current_ev = iwe_stream_add_event_check(info, current_ev, end_buf, &iwe, 3356 IW_EV_FREQ_LEN); 3357 if (IS_ERR(current_ev)) 3358 return current_ev; 3359 3360 if (wiphy->signal_type != CFG80211_SIGNAL_TYPE_NONE) { 3361 memset(&iwe, 0, sizeof(iwe)); 3362 iwe.cmd = IWEVQUAL; 3363 iwe.u.qual.updated = IW_QUAL_LEVEL_UPDATED | 3364 IW_QUAL_NOISE_INVALID | 3365 IW_QUAL_QUAL_UPDATED; 3366 switch (wiphy->signal_type) { 3367 case CFG80211_SIGNAL_TYPE_MBM: 3368 sig = bss->pub.signal / 100; 3369 iwe.u.qual.level = sig; 3370 iwe.u.qual.updated |= IW_QUAL_DBM; 3371 if (sig < -110) /* rather bad */ 3372 sig = -110; 3373 else if (sig > -40) /* perfect */ 3374 sig = -40; 3375 /* will give a range of 0 .. 70 */ 3376 iwe.u.qual.qual = sig + 110; 3377 break; 3378 case CFG80211_SIGNAL_TYPE_UNSPEC: 3379 iwe.u.qual.level = bss->pub.signal; 3380 /* will give range 0 .. 100 */ 3381 iwe.u.qual.qual = bss->pub.signal; 3382 break; 3383 default: 3384 /* not reached */ 3385 break; 3386 } 3387 current_ev = iwe_stream_add_event_check(info, current_ev, 3388 end_buf, &iwe, 3389 IW_EV_QUAL_LEN); 3390 if (IS_ERR(current_ev)) 3391 return current_ev; 3392 } 3393 3394 memset(&iwe, 0, sizeof(iwe)); 3395 iwe.cmd = SIOCGIWENCODE; 3396 if (bss->pub.capability & WLAN_CAPABILITY_PRIVACY) 3397 iwe.u.data.flags = IW_ENCODE_ENABLED | IW_ENCODE_NOKEY; 3398 else 3399 iwe.u.data.flags = IW_ENCODE_DISABLED; 3400 iwe.u.data.length = 0; 3401 current_ev = iwe_stream_add_point_check(info, current_ev, end_buf, 3402 &iwe, ""); 3403 if (IS_ERR(current_ev)) 3404 return current_ev; 3405 3406 rcu_read_lock(); 3407 ies = rcu_dereference(bss->pub.ies); 3408 rem = ies->len; 3409 ie = ies->data; 3410 3411 while (rem >= 2) { 3412 /* invalid data */ 3413 if (ie[1] > rem - 2) 3414 break; 3415 3416 switch (ie[0]) { 3417 case WLAN_EID_SSID: 3418 memset(&iwe, 0, sizeof(iwe)); 3419 iwe.cmd = SIOCGIWESSID; 3420 iwe.u.data.length = ie[1]; 3421 iwe.u.data.flags = 1; 3422 current_ev = iwe_stream_add_point_check(info, 3423 current_ev, 3424 end_buf, &iwe, 3425 (u8 *)ie + 2); 3426 if (IS_ERR(current_ev)) 3427 goto unlock; 3428 break; 3429 case WLAN_EID_MESH_ID: 3430 memset(&iwe, 0, sizeof(iwe)); 3431 iwe.cmd = SIOCGIWESSID; 3432 iwe.u.data.length = ie[1]; 3433 iwe.u.data.flags = 1; 3434 current_ev = iwe_stream_add_point_check(info, 3435 current_ev, 3436 end_buf, &iwe, 3437 (u8 *)ie + 2); 3438 if (IS_ERR(current_ev)) 3439 goto unlock; 3440 break; 3441 case WLAN_EID_MESH_CONFIG: 3442 ismesh = true; 3443 if (ie[1] != sizeof(struct ieee80211_meshconf_ie)) 3444 break; 3445 cfg = (u8 *)ie + 2; 3446 memset(&iwe, 0, sizeof(iwe)); 3447 iwe.cmd = IWEVCUSTOM; 3448 sprintf(buf, "Mesh Network Path Selection Protocol ID: " 3449 "0x%02X", cfg[0]); 3450 iwe.u.data.length = strlen(buf); 3451 current_ev = iwe_stream_add_point_check(info, 3452 current_ev, 3453 end_buf, 3454 &iwe, buf); 3455 if (IS_ERR(current_ev)) 3456 goto unlock; 3457 sprintf(buf, "Path Selection Metric ID: 0x%02X", 3458 cfg[1]); 3459 iwe.u.data.length = strlen(buf); 3460 current_ev = iwe_stream_add_point_check(info, 3461 current_ev, 3462 end_buf, 3463 &iwe, buf); 3464 if (IS_ERR(current_ev)) 3465 goto unlock; 3466 sprintf(buf, "Congestion Control Mode ID: 0x%02X", 3467 cfg[2]); 3468 iwe.u.data.length = strlen(buf); 3469 current_ev = iwe_stream_add_point_check(info, 3470 current_ev, 3471 end_buf, 3472 &iwe, buf); 3473 if (IS_ERR(current_ev)) 3474 goto unlock; 3475 sprintf(buf, "Synchronization ID: 0x%02X", cfg[3]); 3476 iwe.u.data.length = strlen(buf); 3477 current_ev = iwe_stream_add_point_check(info, 3478 current_ev, 3479 end_buf, 3480 &iwe, buf); 3481 if (IS_ERR(current_ev)) 3482 goto unlock; 3483 sprintf(buf, "Authentication ID: 0x%02X", cfg[4]); 3484 iwe.u.data.length = strlen(buf); 3485 current_ev = iwe_stream_add_point_check(info, 3486 current_ev, 3487 end_buf, 3488 &iwe, buf); 3489 if (IS_ERR(current_ev)) 3490 goto unlock; 3491 sprintf(buf, "Formation Info: 0x%02X", cfg[5]); 3492 iwe.u.data.length = strlen(buf); 3493 current_ev = iwe_stream_add_point_check(info, 3494 current_ev, 3495 end_buf, 3496 &iwe, buf); 3497 if (IS_ERR(current_ev)) 3498 goto unlock; 3499 sprintf(buf, "Capabilities: 0x%02X", cfg[6]); 3500 iwe.u.data.length = strlen(buf); 3501 current_ev = iwe_stream_add_point_check(info, 3502 current_ev, 3503 end_buf, 3504 &iwe, buf); 3505 if (IS_ERR(current_ev)) 3506 goto unlock; 3507 break; 3508 case WLAN_EID_SUPP_RATES: 3509 case WLAN_EID_EXT_SUPP_RATES: 3510 /* display all supported rates in readable format */ 3511 p = current_ev + iwe_stream_lcp_len(info); 3512 3513 memset(&iwe, 0, sizeof(iwe)); 3514 iwe.cmd = SIOCGIWRATE; 3515 /* Those two flags are ignored... */ 3516 iwe.u.bitrate.fixed = iwe.u.bitrate.disabled = 0; 3517 3518 for (i = 0; i < ie[1]; i++) { 3519 iwe.u.bitrate.value = 3520 ((ie[i + 2] & 0x7f) * 500000); 3521 tmp = p; 3522 p = iwe_stream_add_value(info, current_ev, p, 3523 end_buf, &iwe, 3524 IW_EV_PARAM_LEN); 3525 if (p == tmp) { 3526 current_ev = ERR_PTR(-E2BIG); 3527 goto unlock; 3528 } 3529 } 3530 current_ev = p; 3531 break; 3532 } 3533 rem -= ie[1] + 2; 3534 ie += ie[1] + 2; 3535 } 3536 3537 if (bss->pub.capability & (WLAN_CAPABILITY_ESS | WLAN_CAPABILITY_IBSS) || 3538 ismesh) { 3539 memset(&iwe, 0, sizeof(iwe)); 3540 iwe.cmd = SIOCGIWMODE; 3541 if (ismesh) 3542 iwe.u.mode = IW_MODE_MESH; 3543 else if (bss->pub.capability & WLAN_CAPABILITY_ESS) 3544 iwe.u.mode = IW_MODE_MASTER; 3545 else 3546 iwe.u.mode = IW_MODE_ADHOC; 3547 current_ev = iwe_stream_add_event_check(info, current_ev, 3548 end_buf, &iwe, 3549 IW_EV_UINT_LEN); 3550 if (IS_ERR(current_ev)) 3551 goto unlock; 3552 } 3553 3554 memset(&iwe, 0, sizeof(iwe)); 3555 iwe.cmd = IWEVCUSTOM; 3556 sprintf(buf, "tsf=%016llx", (unsigned long long)(ies->tsf)); 3557 iwe.u.data.length = strlen(buf); 3558 current_ev = iwe_stream_add_point_check(info, current_ev, end_buf, 3559 &iwe, buf); 3560 if (IS_ERR(current_ev)) 3561 goto unlock; 3562 memset(&iwe, 0, sizeof(iwe)); 3563 iwe.cmd = IWEVCUSTOM; 3564 sprintf(buf, " Last beacon: %ums ago", 3565 elapsed_jiffies_msecs(bss->ts)); 3566 iwe.u.data.length = strlen(buf); 3567 current_ev = iwe_stream_add_point_check(info, current_ev, 3568 end_buf, &iwe, buf); 3569 if (IS_ERR(current_ev)) 3570 goto unlock; 3571 3572 current_ev = ieee80211_scan_add_ies(info, ies, current_ev, end_buf); 3573 3574 unlock: 3575 rcu_read_unlock(); 3576 return current_ev; 3577} 3578 3579 3580static int ieee80211_scan_results(struct cfg80211_registered_device *rdev, 3581 struct iw_request_info *info, 3582 char *buf, size_t len) 3583{ 3584 char *current_ev = buf; 3585 char *end_buf = buf + len; 3586 struct cfg80211_internal_bss *bss; 3587 int err = 0; 3588 3589 spin_lock_bh(&rdev->bss_lock); 3590 cfg80211_bss_expire(rdev); 3591 3592 list_for_each_entry(bss, &rdev->bss_list, list) { 3593 if (buf + len - current_ev <= IW_EV_ADDR_LEN) { 3594 err = -E2BIG; 3595 break; 3596 } 3597 current_ev = ieee80211_bss(&rdev->wiphy, info, bss, 3598 current_ev, end_buf); 3599 if (IS_ERR(current_ev)) { 3600 err = PTR_ERR(current_ev); 3601 break; 3602 } 3603 } 3604 spin_unlock_bh(&rdev->bss_lock); 3605 3606 if (err) 3607 return err; 3608 return current_ev - buf; 3609} 3610 3611 3612int cfg80211_wext_giwscan(struct net_device *dev, 3613 struct iw_request_info *info, 3614 union iwreq_data *wrqu, char *extra) 3615{ 3616 struct iw_point *data = &wrqu->data; 3617 struct cfg80211_registered_device *rdev; 3618 int res; 3619 3620 if (!netif_running(dev)) 3621 return -ENETDOWN; 3622 3623 rdev = cfg80211_get_dev_from_ifindex(dev_net(dev), dev->ifindex); 3624 3625 if (IS_ERR(rdev)) 3626 return PTR_ERR(rdev); 3627 3628 if (rdev->scan_req || rdev->scan_msg) 3629 return -EAGAIN; 3630 3631 res = ieee80211_scan_results(rdev, info, extra, data->length); 3632 data->length = 0; 3633 if (res >= 0) { 3634 data->length = res; 3635 res = 0; 3636 } 3637 3638 return res; 3639} 3640EXPORT_WEXT_HANDLER(cfg80211_wext_giwscan); 3641#endif 3642