2 * cfg80211 scan result handling
4 * Copyright 2008 Johannes Berg <johannes@sipsolutions.net>
6 #include <linux/kernel.h>
7 #include <linux/slab.h>
8 #include <linux/module.h>
9 #include <linux/netdevice.h>
10 #include <linux/wireless.h>
11 #include <linux/nl80211.h>
12 #include <linux/etherdevice.h>
14 #include <net/cfg80211.h>
15 #include <net/cfg80211-wext.h>
16 #include <net/iw_handler.h>
19 #include "wext-compat.h"
23 * DOC: BSS tree/list structure
25 * At the top level, the BSS list is kept in both a list in each
26 * registered device (@bss_list) as well as an RB-tree for faster
27 * lookup. In the RB-tree, entries can be looked up using their
28 * channel, MESHID, MESHCONF (for MBSSes) or channel, BSSID, SSID
31 * Due to the possibility of hidden SSIDs, there's a second level
32 * structure, the "hidden_list" and "hidden_beacon_bss" pointer.
33 * The hidden_list connects all BSSes belonging to a single AP
34 * that has a hidden SSID, and connects beacon and probe response
35 * entries. For a probe response entry for a hidden SSID, the
36 * hidden_beacon_bss pointer points to the BSS struct holding the
37 * beacon's information.
39 * Reference counting is done for all these references except for
40 * the hidden_list, so that a beacon BSS struct that is otherwise
41 * not referenced has one reference for being on the bss_list and
42 * one for each probe response entry that points to it using the
43 * hidden_beacon_bss pointer. When a BSS struct that has such a
44 * pointer is get/put, the refcount update is also propagated to
45 * the referenced struct, this ensure that it cannot get removed
46 * while somebody is using the probe response version.
48 * Note that the hidden_beacon_bss pointer never changes, due to
49 * the reference counting. Therefore, no locking is needed for
52 * Also note that the hidden_beacon_bss pointer is only relevant
53 * if the driver uses something other than the IEs, e.g. private
54 * data stored stored in the BSS struct, since the beacon IEs are
55 * also linked into the probe response struct.
59 * Limit the number of BSS entries stored in mac80211. Each one is
60 * a bit over 4k at most, so this limits to roughly 4-5M of memory.
61 * If somebody wants to really attack this though, they'd likely
62 * use small beacons, and only one type of frame, limiting each of
63 * the entries to a much smaller size (in order to generate more
64 * entries in total, so overhead is bigger.)
66 static int bss_entries_limit = 1000;
67 module_param(bss_entries_limit, int, 0644);
68 MODULE_PARM_DESC(bss_entries_limit,
69 "limit to number of scan BSS entries (per wiphy, default 1000)");
71 #define IEEE80211_SCAN_RESULT_EXPIRE (30 * HZ)
73 static void bss_free(struct cfg80211_internal_bss *bss)
75 struct cfg80211_bss_ies *ies;
77 if (WARN_ON(atomic_read(&bss->hold)))
80 ies = (void *)rcu_access_pointer(bss->pub.beacon_ies);
81 if (ies && !bss->pub.hidden_beacon_bss)
82 kfree_rcu(ies, rcu_head);
83 ies = (void *)rcu_access_pointer(bss->pub.proberesp_ies);
85 kfree_rcu(ies, rcu_head);
88 * This happens when the module is removed, it doesn't
89 * really matter any more save for completeness
91 if (!list_empty(&bss->hidden_list))
92 list_del(&bss->hidden_list);
97 static inline void bss_ref_get(struct cfg80211_registered_device *rdev,
98 struct cfg80211_internal_bss *bss)
100 lockdep_assert_held(&rdev->bss_lock);
103 if (bss->pub.hidden_beacon_bss) {
104 bss = container_of(bss->pub.hidden_beacon_bss,
105 struct cfg80211_internal_bss,
111 static inline void bss_ref_put(struct cfg80211_registered_device *rdev,
112 struct cfg80211_internal_bss *bss)
114 lockdep_assert_held(&rdev->bss_lock);
116 if (bss->pub.hidden_beacon_bss) {
117 struct cfg80211_internal_bss *hbss;
118 hbss = container_of(bss->pub.hidden_beacon_bss,
119 struct cfg80211_internal_bss,
122 if (hbss->refcount == 0)
126 if (bss->refcount == 0)
130 static bool __cfg80211_unlink_bss(struct cfg80211_registered_device *rdev,
131 struct cfg80211_internal_bss *bss)
133 lockdep_assert_held(&rdev->bss_lock);
135 if (!list_empty(&bss->hidden_list)) {
137 * don't remove the beacon entry if it has
138 * probe responses associated with it
140 if (!bss->pub.hidden_beacon_bss)
143 * if it's a probe response entry break its
144 * link to the other entries in the group
146 list_del_init(&bss->hidden_list);
149 list_del_init(&bss->list);
150 rb_erase(&bss->rbn, &rdev->bss_tree);
152 WARN_ONCE((rdev->bss_entries == 0) ^ list_empty(&rdev->bss_list),
153 "rdev bss entries[%d]/list[empty:%d] corruption\n",
154 rdev->bss_entries, list_empty(&rdev->bss_list));
155 bss_ref_put(rdev, bss);
159 static void __cfg80211_bss_expire(struct cfg80211_registered_device *rdev,
160 unsigned long expire_time)
162 struct cfg80211_internal_bss *bss, *tmp;
163 bool expired = false;
165 lockdep_assert_held(&rdev->bss_lock);
167 list_for_each_entry_safe(bss, tmp, &rdev->bss_list, list) {
168 if (atomic_read(&bss->hold))
170 if (!time_after(expire_time, bss->ts))
173 if (__cfg80211_unlink_bss(rdev, bss))
178 rdev->bss_generation++;
181 static bool cfg80211_bss_expire_oldest(struct cfg80211_registered_device *rdev)
183 struct cfg80211_internal_bss *bss, *oldest = NULL;
186 lockdep_assert_held(&rdev->bss_lock);
188 list_for_each_entry(bss, &rdev->bss_list, list) {
189 if (atomic_read(&bss->hold))
192 if (!list_empty(&bss->hidden_list) &&
193 !bss->pub.hidden_beacon_bss)
196 if (oldest && time_before(oldest->ts, bss->ts))
201 if (WARN_ON(!oldest))
205 * The callers make sure to increase rdev->bss_generation if anything
206 * gets removed (and a new entry added), so there's no need to also do
210 ret = __cfg80211_unlink_bss(rdev, oldest);
215 void ___cfg80211_scan_done(struct cfg80211_registered_device *rdev,
218 struct cfg80211_scan_request *request;
219 struct wireless_dev *wdev;
221 #ifdef CONFIG_CFG80211_WEXT
222 union iwreq_data wrqu;
227 if (rdev->scan_msg) {
228 nl80211_send_scan_result(rdev, rdev->scan_msg);
229 rdev->scan_msg = NULL;
233 request = rdev->scan_req;
237 wdev = request->wdev;
240 * This must be before sending the other events!
241 * Otherwise, wpa_supplicant gets completely confused with
245 cfg80211_sme_scan_done(wdev->netdev);
247 if (!request->aborted &&
248 request->flags & NL80211_SCAN_FLAG_FLUSH) {
249 /* flush entries from previous scans */
250 spin_lock_bh(&rdev->bss_lock);
251 __cfg80211_bss_expire(rdev, request->scan_start);
252 spin_unlock_bh(&rdev->bss_lock);
255 msg = nl80211_build_scan_msg(rdev, wdev, request->aborted);
257 #ifdef CONFIG_CFG80211_WEXT
258 if (wdev->netdev && !request->aborted) {
259 memset(&wrqu, 0, sizeof(wrqu));
261 wireless_send_event(wdev->netdev, SIOCGIWSCAN, &wrqu, NULL);
266 dev_put(wdev->netdev);
268 rdev->scan_req = NULL;
272 rdev->scan_msg = msg;
274 nl80211_send_scan_result(rdev, msg);
277 void __cfg80211_scan_done(struct work_struct *wk)
279 struct cfg80211_registered_device *rdev;
281 rdev = container_of(wk, struct cfg80211_registered_device,
285 ___cfg80211_scan_done(rdev, true);
289 void cfg80211_scan_done(struct cfg80211_scan_request *request, bool aborted)
291 trace_cfg80211_scan_done(request, aborted);
292 WARN_ON(request != wiphy_to_rdev(request->wiphy)->scan_req);
294 request->aborted = aborted;
295 request->notified = true;
296 queue_work(cfg80211_wq, &wiphy_to_rdev(request->wiphy)->scan_done_wk);
298 EXPORT_SYMBOL(cfg80211_scan_done);
300 void __cfg80211_sched_scan_results(struct work_struct *wk)
302 struct cfg80211_registered_device *rdev;
303 struct cfg80211_sched_scan_request *request;
305 rdev = container_of(wk, struct cfg80211_registered_device,
306 sched_scan_results_wk);
310 request = rdev->sched_scan_req;
312 /* we don't have sched_scan_req anymore if the scan is stopping */
314 if (request->flags & NL80211_SCAN_FLAG_FLUSH) {
315 /* flush entries from previous scans */
316 spin_lock_bh(&rdev->bss_lock);
317 __cfg80211_bss_expire(rdev, request->scan_start);
318 spin_unlock_bh(&rdev->bss_lock);
319 request->scan_start =
320 jiffies + msecs_to_jiffies(request->interval);
322 nl80211_send_sched_scan_results(rdev, request->dev);
328 void cfg80211_sched_scan_results(struct wiphy *wiphy)
330 trace_cfg80211_sched_scan_results(wiphy);
331 /* ignore if we're not scanning */
332 if (wiphy_to_rdev(wiphy)->sched_scan_req)
333 queue_work(cfg80211_wq,
334 &wiphy_to_rdev(wiphy)->sched_scan_results_wk);
336 EXPORT_SYMBOL(cfg80211_sched_scan_results);
338 void cfg80211_sched_scan_stopped_rtnl(struct wiphy *wiphy)
340 struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
344 trace_cfg80211_sched_scan_stopped(wiphy);
346 __cfg80211_stop_sched_scan(rdev, true);
348 EXPORT_SYMBOL(cfg80211_sched_scan_stopped_rtnl);
350 void cfg80211_sched_scan_stopped(struct wiphy *wiphy)
353 cfg80211_sched_scan_stopped_rtnl(wiphy);
356 EXPORT_SYMBOL(cfg80211_sched_scan_stopped);
358 int __cfg80211_stop_sched_scan(struct cfg80211_registered_device *rdev,
359 bool driver_initiated)
361 struct net_device *dev;
365 if (!rdev->sched_scan_req)
368 dev = rdev->sched_scan_req->dev;
370 if (!driver_initiated) {
371 int err = rdev_sched_scan_stop(rdev, dev);
376 nl80211_send_sched_scan(rdev, dev, NL80211_CMD_SCHED_SCAN_STOPPED);
378 kfree(rdev->sched_scan_req);
379 rdev->sched_scan_req = NULL;
384 void cfg80211_bss_age(struct cfg80211_registered_device *rdev,
385 unsigned long age_secs)
387 struct cfg80211_internal_bss *bss;
388 unsigned long age_jiffies = msecs_to_jiffies(age_secs * MSEC_PER_SEC);
390 spin_lock_bh(&rdev->bss_lock);
391 list_for_each_entry(bss, &rdev->bss_list, list)
392 bss->ts -= age_jiffies;
393 spin_unlock_bh(&rdev->bss_lock);
396 void cfg80211_bss_expire(struct cfg80211_registered_device *rdev)
398 __cfg80211_bss_expire(rdev, jiffies - IEEE80211_SCAN_RESULT_EXPIRE);
401 const u8 *cfg80211_find_ie(u8 eid, const u8 *ies, int len)
403 while (len > 2 && ies[0] != eid) {
409 if (len < 2 + ies[1])
413 EXPORT_SYMBOL(cfg80211_find_ie);
415 const u8 *cfg80211_find_vendor_ie(unsigned int oui, u8 oui_type,
416 const u8 *ies, int len)
418 struct ieee80211_vendor_ie *ie;
419 const u8 *pos = ies, *end = ies + len;
423 pos = cfg80211_find_ie(WLAN_EID_VENDOR_SPECIFIC, pos,
428 ie = (struct ieee80211_vendor_ie *)pos;
430 /* make sure we can access ie->len */
431 BUILD_BUG_ON(offsetof(struct ieee80211_vendor_ie, len) != 1);
433 if (ie->len < sizeof(*ie))
436 ie_oui = ie->oui[0] << 16 | ie->oui[1] << 8 | ie->oui[2];
437 if (ie_oui == oui && ie->oui_type == oui_type)
444 EXPORT_SYMBOL(cfg80211_find_vendor_ie);
446 static bool is_bss(struct cfg80211_bss *a, const u8 *bssid,
447 const u8 *ssid, size_t ssid_len)
449 const struct cfg80211_bss_ies *ies;
452 if (bssid && !ether_addr_equal(a->bssid, bssid))
458 ies = rcu_access_pointer(a->ies);
461 ssidie = cfg80211_find_ie(WLAN_EID_SSID, ies->data, ies->len);
464 if (ssidie[1] != ssid_len)
466 return memcmp(ssidie + 2, ssid, ssid_len) == 0;
470 * enum bss_compare_mode - BSS compare mode
471 * @BSS_CMP_REGULAR: regular compare mode (for insertion and normal find)
472 * @BSS_CMP_HIDE_ZLEN: find hidden SSID with zero-length mode
473 * @BSS_CMP_HIDE_NUL: find hidden SSID with NUL-ed out mode
475 enum bss_compare_mode {
481 static int cmp_bss(struct cfg80211_bss *a,
482 struct cfg80211_bss *b,
483 enum bss_compare_mode mode)
485 const struct cfg80211_bss_ies *a_ies, *b_ies;
486 const u8 *ie1 = NULL;
487 const u8 *ie2 = NULL;
490 if (a->channel != b->channel)
491 return b->channel->center_freq - a->channel->center_freq;
493 a_ies = rcu_access_pointer(a->ies);
496 b_ies = rcu_access_pointer(b->ies);
500 if (WLAN_CAPABILITY_IS_STA_BSS(a->capability))
501 ie1 = cfg80211_find_ie(WLAN_EID_MESH_ID,
502 a_ies->data, a_ies->len);
503 if (WLAN_CAPABILITY_IS_STA_BSS(b->capability))
504 ie2 = cfg80211_find_ie(WLAN_EID_MESH_ID,
505 b_ies->data, b_ies->len);
509 if (ie1[1] == ie2[1])
510 mesh_id_cmp = memcmp(ie1 + 2, ie2 + 2, ie1[1]);
512 mesh_id_cmp = ie2[1] - ie1[1];
514 ie1 = cfg80211_find_ie(WLAN_EID_MESH_CONFIG,
515 a_ies->data, a_ies->len);
516 ie2 = cfg80211_find_ie(WLAN_EID_MESH_CONFIG,
517 b_ies->data, b_ies->len);
521 if (ie1[1] != ie2[1])
522 return ie2[1] - ie1[1];
523 return memcmp(ie1 + 2, ie2 + 2, ie1[1]);
527 r = memcmp(a->bssid, b->bssid, sizeof(a->bssid));
531 ie1 = cfg80211_find_ie(WLAN_EID_SSID, a_ies->data, a_ies->len);
532 ie2 = cfg80211_find_ie(WLAN_EID_SSID, b_ies->data, b_ies->len);
538 * Note that with "hide_ssid", the function returns a match if
539 * the already-present BSS ("b") is a hidden SSID beacon for
543 /* sort missing IE before (left of) present IE */
550 case BSS_CMP_HIDE_ZLEN:
552 * In ZLEN mode we assume the BSS entry we're
553 * looking for has a zero-length SSID. So if
554 * the one we're looking at right now has that,
555 * return 0. Otherwise, return the difference
556 * in length, but since we're looking for the
557 * 0-length it's really equivalent to returning
558 * the length of the one we're looking at.
560 * No content comparison is needed as we assume
561 * the content length is zero.
564 case BSS_CMP_REGULAR:
566 /* sort by length first, then by contents */
567 if (ie1[1] != ie2[1])
568 return ie2[1] - ie1[1];
569 return memcmp(ie1 + 2, ie2 + 2, ie1[1]);
570 case BSS_CMP_HIDE_NUL:
571 if (ie1[1] != ie2[1])
572 return ie2[1] - ie1[1];
573 /* this is equivalent to memcmp(zeroes, ie2 + 2, len) */
574 for (i = 0; i < ie2[1]; i++)
581 /* Returned bss is reference counted and must be cleaned up appropriately. */
582 struct cfg80211_bss *cfg80211_get_bss(struct wiphy *wiphy,
583 struct ieee80211_channel *channel,
585 const u8 *ssid, size_t ssid_len,
586 u16 capa_mask, u16 capa_val)
588 struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
589 struct cfg80211_internal_bss *bss, *res = NULL;
590 unsigned long now = jiffies;
592 trace_cfg80211_get_bss(wiphy, channel, bssid, ssid, ssid_len, capa_mask,
595 spin_lock_bh(&rdev->bss_lock);
597 list_for_each_entry(bss, &rdev->bss_list, list) {
598 if ((bss->pub.capability & capa_mask) != capa_val)
600 if (channel && bss->pub.channel != channel)
602 if (!is_valid_ether_addr(bss->pub.bssid))
604 /* Don't get expired BSS structs */
605 if (time_after(now, bss->ts + IEEE80211_SCAN_RESULT_EXPIRE) &&
606 !atomic_read(&bss->hold))
608 if (is_bss(&bss->pub, bssid, ssid, ssid_len)) {
610 bss_ref_get(rdev, res);
615 spin_unlock_bh(&rdev->bss_lock);
618 trace_cfg80211_return_bss(&res->pub);
621 EXPORT_SYMBOL(cfg80211_get_bss);
623 static void rb_insert_bss(struct cfg80211_registered_device *rdev,
624 struct cfg80211_internal_bss *bss)
626 struct rb_node **p = &rdev->bss_tree.rb_node;
627 struct rb_node *parent = NULL;
628 struct cfg80211_internal_bss *tbss;
633 tbss = rb_entry(parent, struct cfg80211_internal_bss, rbn);
635 cmp = cmp_bss(&bss->pub, &tbss->pub, BSS_CMP_REGULAR);
638 /* will sort of leak this BSS */
648 rb_link_node(&bss->rbn, parent, p);
649 rb_insert_color(&bss->rbn, &rdev->bss_tree);
652 static struct cfg80211_internal_bss *
653 rb_find_bss(struct cfg80211_registered_device *rdev,
654 struct cfg80211_internal_bss *res,
655 enum bss_compare_mode mode)
657 struct rb_node *n = rdev->bss_tree.rb_node;
658 struct cfg80211_internal_bss *bss;
662 bss = rb_entry(n, struct cfg80211_internal_bss, rbn);
663 r = cmp_bss(&res->pub, &bss->pub, mode);
676 static bool cfg80211_combine_bsses(struct cfg80211_registered_device *rdev,
677 struct cfg80211_internal_bss *new)
679 const struct cfg80211_bss_ies *ies;
680 struct cfg80211_internal_bss *bss;
686 ies = rcu_access_pointer(new->pub.beacon_ies);
690 ie = cfg80211_find_ie(WLAN_EID_SSID, ies->data, ies->len);
697 for (i = 0; i < ssidlen; i++)
701 /* not a hidden SSID */
705 /* This is the bad part ... */
707 list_for_each_entry(bss, &rdev->bss_list, list) {
709 * we're iterating all the entries anyway, so take the
710 * opportunity to validate the list length accounting
714 if (!ether_addr_equal(bss->pub.bssid, new->pub.bssid))
716 if (bss->pub.channel != new->pub.channel)
718 if (bss->pub.scan_width != new->pub.scan_width)
720 if (rcu_access_pointer(bss->pub.beacon_ies))
722 ies = rcu_access_pointer(bss->pub.ies);
725 ie = cfg80211_find_ie(WLAN_EID_SSID, ies->data, ies->len);
728 if (ssidlen && ie[1] != ssidlen)
730 if (WARN_ON_ONCE(bss->pub.hidden_beacon_bss))
732 if (WARN_ON_ONCE(!list_empty(&bss->hidden_list)))
733 list_del(&bss->hidden_list);
735 list_add(&bss->hidden_list, &new->hidden_list);
736 bss->pub.hidden_beacon_bss = &new->pub;
737 new->refcount += bss->refcount;
738 rcu_assign_pointer(bss->pub.beacon_ies,
739 new->pub.beacon_ies);
742 WARN_ONCE(n_entries != rdev->bss_entries,
743 "rdev bss entries[%d]/list[len:%d] corruption\n",
744 rdev->bss_entries, n_entries);
749 /* Returned bss is reference counted and must be cleaned up appropriately. */
750 static struct cfg80211_internal_bss *
751 cfg80211_bss_update(struct cfg80211_registered_device *rdev,
752 struct cfg80211_internal_bss *tmp,
755 struct cfg80211_internal_bss *found = NULL;
757 if (WARN_ON(!tmp->pub.channel))
762 spin_lock_bh(&rdev->bss_lock);
764 if (WARN_ON(!rcu_access_pointer(tmp->pub.ies))) {
765 spin_unlock_bh(&rdev->bss_lock);
769 found = rb_find_bss(rdev, tmp, BSS_CMP_REGULAR);
773 if (rcu_access_pointer(tmp->pub.proberesp_ies)) {
774 const struct cfg80211_bss_ies *old;
776 old = rcu_access_pointer(found->pub.proberesp_ies);
778 rcu_assign_pointer(found->pub.proberesp_ies,
779 tmp->pub.proberesp_ies);
780 /* Override possible earlier Beacon frame IEs */
781 rcu_assign_pointer(found->pub.ies,
782 tmp->pub.proberesp_ies);
784 kfree_rcu((struct cfg80211_bss_ies *)old,
786 } else if (rcu_access_pointer(tmp->pub.beacon_ies)) {
787 const struct cfg80211_bss_ies *old;
788 struct cfg80211_internal_bss *bss;
790 if (found->pub.hidden_beacon_bss &&
791 !list_empty(&found->hidden_list)) {
792 const struct cfg80211_bss_ies *f;
795 * The found BSS struct is one of the probe
796 * response members of a group, but we're
797 * receiving a beacon (beacon_ies in the tmp
798 * bss is used). This can only mean that the
799 * AP changed its beacon from not having an
800 * SSID to showing it, which is confusing so
801 * drop this information.
804 f = rcu_access_pointer(tmp->pub.beacon_ies);
805 kfree_rcu((struct cfg80211_bss_ies *)f,
810 old = rcu_access_pointer(found->pub.beacon_ies);
812 rcu_assign_pointer(found->pub.beacon_ies,
813 tmp->pub.beacon_ies);
815 /* Override IEs if they were from a beacon before */
816 if (old == rcu_access_pointer(found->pub.ies))
817 rcu_assign_pointer(found->pub.ies,
818 tmp->pub.beacon_ies);
820 /* Assign beacon IEs to all sub entries */
821 list_for_each_entry(bss, &found->hidden_list,
823 const struct cfg80211_bss_ies *ies;
825 ies = rcu_access_pointer(bss->pub.beacon_ies);
828 rcu_assign_pointer(bss->pub.beacon_ies,
829 tmp->pub.beacon_ies);
833 kfree_rcu((struct cfg80211_bss_ies *)old,
837 found->pub.beacon_interval = tmp->pub.beacon_interval;
839 * don't update the signal if beacon was heard on
843 found->pub.signal = tmp->pub.signal;
844 found->pub.capability = tmp->pub.capability;
847 struct cfg80211_internal_bss *new;
848 struct cfg80211_internal_bss *hidden;
849 struct cfg80211_bss_ies *ies;
852 * create a copy -- the "res" variable that is passed in
853 * is allocated on the stack since it's not needed in the
854 * more common case of an update
856 new = kzalloc(sizeof(*new) + rdev->wiphy.bss_priv_size,
859 ies = (void *)rcu_dereference(tmp->pub.beacon_ies);
861 kfree_rcu(ies, rcu_head);
862 ies = (void *)rcu_dereference(tmp->pub.proberesp_ies);
864 kfree_rcu(ies, rcu_head);
867 memcpy(new, tmp, sizeof(*new));
869 INIT_LIST_HEAD(&new->hidden_list);
871 if (rcu_access_pointer(tmp->pub.proberesp_ies)) {
872 hidden = rb_find_bss(rdev, tmp, BSS_CMP_HIDE_ZLEN);
874 hidden = rb_find_bss(rdev, tmp,
877 new->pub.hidden_beacon_bss = &hidden->pub;
878 list_add(&new->hidden_list,
879 &hidden->hidden_list);
881 rcu_assign_pointer(new->pub.beacon_ies,
882 hidden->pub.beacon_ies);
886 * Ok so we found a beacon, and don't have an entry. If
887 * it's a beacon with hidden SSID, we might be in for an
888 * expensive search for any probe responses that should
889 * be grouped with this beacon for updates ...
891 if (!cfg80211_combine_bsses(rdev, new)) {
897 if (rdev->bss_entries >= bss_entries_limit &&
898 !cfg80211_bss_expire_oldest(rdev)) {
903 list_add_tail(&new->list, &rdev->bss_list);
905 rb_insert_bss(rdev, new);
909 rdev->bss_generation++;
910 bss_ref_get(rdev, found);
911 spin_unlock_bh(&rdev->bss_lock);
915 spin_unlock_bh(&rdev->bss_lock);
919 static struct ieee80211_channel *
920 cfg80211_get_bss_channel(struct wiphy *wiphy, const u8 *ie, size_t ielen,
921 struct ieee80211_channel *channel)
925 int channel_number = -1;
927 tmp = cfg80211_find_ie(WLAN_EID_DS_PARAMS, ie, ielen);
928 if (tmp && tmp[1] == 1) {
929 channel_number = tmp[2];
931 tmp = cfg80211_find_ie(WLAN_EID_HT_OPERATION, ie, ielen);
932 if (tmp && tmp[1] >= sizeof(struct ieee80211_ht_operation)) {
933 struct ieee80211_ht_operation *htop = (void *)(tmp + 2);
935 channel_number = htop->primary_chan;
939 if (channel_number < 0)
942 freq = ieee80211_channel_to_frequency(channel_number, channel->band);
943 channel = ieee80211_get_channel(wiphy, freq);
946 if (channel->flags & IEEE80211_CHAN_DISABLED)
951 /* Returned bss is reference counted and must be cleaned up appropriately. */
953 cfg80211_inform_bss_width(struct wiphy *wiphy,
954 struct ieee80211_channel *rx_channel,
955 enum nl80211_bss_scan_width scan_width,
956 const u8 *bssid, u64 tsf, u16 capability,
957 u16 beacon_interval, const u8 *ie, size_t ielen,
958 s32 signal, gfp_t gfp)
960 struct cfg80211_bss_ies *ies;
961 struct ieee80211_channel *channel;
962 struct cfg80211_internal_bss tmp = {}, *res;
968 if (WARN_ON(wiphy->signal_type == CFG80211_SIGNAL_TYPE_UNSPEC &&
969 (signal < 0 || signal > 100)))
972 channel = cfg80211_get_bss_channel(wiphy, ie, ielen, rx_channel);
976 memcpy(tmp.pub.bssid, bssid, ETH_ALEN);
977 tmp.pub.channel = channel;
978 tmp.pub.scan_width = scan_width;
979 tmp.pub.signal = signal;
980 tmp.pub.beacon_interval = beacon_interval;
981 tmp.pub.capability = capability;
983 * Since we do not know here whether the IEs are from a Beacon or Probe
984 * Response frame, we need to pick one of the options and only use it
985 * with the driver that does not provide the full Beacon/Probe Response
986 * frame. Use Beacon frame pointer to avoid indicating that this should
987 * override the IEs pointer should we have received an earlier
988 * indication of Probe Response data.
990 ies = kmalloc(sizeof(*ies) + ielen, gfp);
995 memcpy(ies->data, ie, ielen);
997 rcu_assign_pointer(tmp.pub.beacon_ies, ies);
998 rcu_assign_pointer(tmp.pub.ies, ies);
1000 signal_valid = abs(rx_channel->center_freq - channel->center_freq) <=
1001 wiphy->max_adj_channel_rssi_comp;
1002 res = cfg80211_bss_update(wiphy_to_rdev(wiphy), &tmp, signal_valid);
1006 if (res->pub.capability & WLAN_CAPABILITY_ESS)
1007 regulatory_hint_found_beacon(wiphy, channel, gfp);
1009 trace_cfg80211_return_bss(&res->pub);
1010 /* cfg80211_bss_update gives us a referenced result */
1013 EXPORT_SYMBOL(cfg80211_inform_bss_width);
1015 /* Returned bss is reference counted and must be cleaned up appropriately. */
1016 struct cfg80211_bss *
1017 cfg80211_inform_bss_width_frame(struct wiphy *wiphy,
1018 struct ieee80211_channel *rx_channel,
1019 enum nl80211_bss_scan_width scan_width,
1020 struct ieee80211_mgmt *mgmt, size_t len,
1021 s32 signal, gfp_t gfp)
1023 struct cfg80211_internal_bss tmp = {}, *res;
1024 struct cfg80211_bss_ies *ies;
1025 struct ieee80211_channel *channel;
1027 size_t ielen = len - offsetof(struct ieee80211_mgmt,
1028 u.probe_resp.variable);
1030 BUILD_BUG_ON(offsetof(struct ieee80211_mgmt, u.probe_resp.variable) !=
1031 offsetof(struct ieee80211_mgmt, u.beacon.variable));
1033 trace_cfg80211_inform_bss_width_frame(wiphy, rx_channel, scan_width, mgmt,
1039 if (WARN_ON(!wiphy))
1042 if (WARN_ON(wiphy->signal_type == CFG80211_SIGNAL_TYPE_UNSPEC &&
1043 (signal < 0 || signal > 100)))
1046 if (WARN_ON(len < offsetof(struct ieee80211_mgmt, u.probe_resp.variable)))
1049 channel = cfg80211_get_bss_channel(wiphy, mgmt->u.beacon.variable,
1054 ies = kmalloc(sizeof(*ies) + ielen, gfp);
1058 ies->tsf = le64_to_cpu(mgmt->u.probe_resp.timestamp);
1059 memcpy(ies->data, mgmt->u.probe_resp.variable, ielen);
1061 if (ieee80211_is_probe_resp(mgmt->frame_control))
1062 rcu_assign_pointer(tmp.pub.proberesp_ies, ies);
1064 rcu_assign_pointer(tmp.pub.beacon_ies, ies);
1065 rcu_assign_pointer(tmp.pub.ies, ies);
1067 memcpy(tmp.pub.bssid, mgmt->bssid, ETH_ALEN);
1068 tmp.pub.channel = channel;
1069 tmp.pub.scan_width = scan_width;
1070 tmp.pub.signal = signal;
1071 tmp.pub.beacon_interval = le16_to_cpu(mgmt->u.probe_resp.beacon_int);
1072 tmp.pub.capability = le16_to_cpu(mgmt->u.probe_resp.capab_info);
1074 signal_valid = abs(rx_channel->center_freq - channel->center_freq) <=
1075 wiphy->max_adj_channel_rssi_comp;
1076 res = cfg80211_bss_update(wiphy_to_rdev(wiphy), &tmp, signal_valid);
1080 if (res->pub.capability & WLAN_CAPABILITY_ESS)
1081 regulatory_hint_found_beacon(wiphy, channel, gfp);
1083 trace_cfg80211_return_bss(&res->pub);
1084 /* cfg80211_bss_update gives us a referenced result */
1087 EXPORT_SYMBOL(cfg80211_inform_bss_width_frame);
1089 void cfg80211_ref_bss(struct wiphy *wiphy, struct cfg80211_bss *pub)
1091 struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
1092 struct cfg80211_internal_bss *bss;
1097 bss = container_of(pub, struct cfg80211_internal_bss, pub);
1099 spin_lock_bh(&rdev->bss_lock);
1100 bss_ref_get(rdev, bss);
1101 spin_unlock_bh(&rdev->bss_lock);
1103 EXPORT_SYMBOL(cfg80211_ref_bss);
1105 void cfg80211_put_bss(struct wiphy *wiphy, struct cfg80211_bss *pub)
1107 struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
1108 struct cfg80211_internal_bss *bss;
1113 bss = container_of(pub, struct cfg80211_internal_bss, pub);
1115 spin_lock_bh(&rdev->bss_lock);
1116 bss_ref_put(rdev, bss);
1117 spin_unlock_bh(&rdev->bss_lock);
1119 EXPORT_SYMBOL(cfg80211_put_bss);
1121 void cfg80211_unlink_bss(struct wiphy *wiphy, struct cfg80211_bss *pub)
1123 struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
1124 struct cfg80211_internal_bss *bss;
1129 bss = container_of(pub, struct cfg80211_internal_bss, pub);
1131 spin_lock_bh(&rdev->bss_lock);
1132 if (!list_empty(&bss->list)) {
1133 if (__cfg80211_unlink_bss(rdev, bss))
1134 rdev->bss_generation++;
1136 spin_unlock_bh(&rdev->bss_lock);
1138 EXPORT_SYMBOL(cfg80211_unlink_bss);
1140 #ifdef CONFIG_CFG80211_WEXT
1141 static struct cfg80211_registered_device *
1142 cfg80211_get_dev_from_ifindex(struct net *net, int ifindex)
1144 struct cfg80211_registered_device *rdev;
1145 struct net_device *dev;
1149 dev = dev_get_by_index(net, ifindex);
1151 return ERR_PTR(-ENODEV);
1152 if (dev->ieee80211_ptr)
1153 rdev = wiphy_to_rdev(dev->ieee80211_ptr->wiphy);
1155 rdev = ERR_PTR(-ENODEV);
1160 int cfg80211_wext_siwscan(struct net_device *dev,
1161 struct iw_request_info *info,
1162 union iwreq_data *wrqu, char *extra)
1164 struct cfg80211_registered_device *rdev;
1165 struct wiphy *wiphy;
1166 struct iw_scan_req *wreq = NULL;
1167 struct cfg80211_scan_request *creq = NULL;
1168 int i, err, n_channels = 0;
1169 enum ieee80211_band band;
1171 if (!netif_running(dev))
1174 if (wrqu->data.length == sizeof(struct iw_scan_req))
1175 wreq = (struct iw_scan_req *)extra;
1177 rdev = cfg80211_get_dev_from_ifindex(dev_net(dev), dev->ifindex);
1180 return PTR_ERR(rdev);
1182 if (rdev->scan_req || rdev->scan_msg) {
1187 wiphy = &rdev->wiphy;
1189 /* Determine number of channels, needed to allocate creq */
1190 if (wreq && wreq->num_channels)
1191 n_channels = wreq->num_channels;
1193 n_channels = ieee80211_get_num_supported_channels(wiphy);
1195 creq = kzalloc(sizeof(*creq) + sizeof(struct cfg80211_ssid) +
1196 n_channels * sizeof(void *),
1203 creq->wiphy = wiphy;
1204 creq->wdev = dev->ieee80211_ptr;
1205 /* SSIDs come after channels */
1206 creq->ssids = (void *)&creq->channels[n_channels];
1207 creq->n_channels = n_channels;
1209 creq->scan_start = jiffies;
1211 /* translate "Scan on frequencies" request */
1213 for (band = 0; band < IEEE80211_NUM_BANDS; band++) {
1216 if (!wiphy->bands[band])
1219 for (j = 0; j < wiphy->bands[band]->n_channels; j++) {
1220 /* ignore disabled channels */
1221 if (wiphy->bands[band]->channels[j].flags &
1222 IEEE80211_CHAN_DISABLED)
1225 /* If we have a wireless request structure and the
1226 * wireless request specifies frequencies, then search
1227 * for the matching hardware channel.
1229 if (wreq && wreq->num_channels) {
1231 int wiphy_freq = wiphy->bands[band]->channels[j].center_freq;
1232 for (k = 0; k < wreq->num_channels; k++) {
1233 struct iw_freq *freq =
1234 &wreq->channel_list[k];
1236 cfg80211_wext_freq(freq);
1238 if (wext_freq == wiphy_freq)
1239 goto wext_freq_found;
1241 goto wext_freq_not_found;
1245 creq->channels[i] = &wiphy->bands[band]->channels[j];
1247 wext_freq_not_found: ;
1250 /* No channels found? */
1256 /* Set real number of channels specified in creq->channels[] */
1257 creq->n_channels = i;
1259 /* translate "Scan for SSID" request */
1261 if (wrqu->data.flags & IW_SCAN_THIS_ESSID) {
1262 if (wreq->essid_len > IEEE80211_MAX_SSID_LEN) {
1266 memcpy(creq->ssids[0].ssid, wreq->essid, wreq->essid_len);
1267 creq->ssids[0].ssid_len = wreq->essid_len;
1269 if (wreq->scan_type == IW_SCAN_TYPE_PASSIVE)
1273 for (i = 0; i < IEEE80211_NUM_BANDS; i++)
1274 if (wiphy->bands[i])
1275 creq->rates[i] = (1 << wiphy->bands[i]->n_bitrates) - 1;
1277 rdev->scan_req = creq;
1278 err = rdev_scan(rdev, creq);
1280 rdev->scan_req = NULL;
1281 /* creq will be freed below */
1283 nl80211_send_scan_start(rdev, dev->ieee80211_ptr);
1284 /* creq now owned by driver */
1292 EXPORT_SYMBOL_GPL(cfg80211_wext_siwscan);
1294 static void ieee80211_scan_add_ies(struct iw_request_info *info,
1295 const struct cfg80211_bss_ies *ies,
1296 char **current_ev, char *end_buf)
1298 const u8 *pos, *end, *next;
1299 struct iw_event iwe;
1305 * If needed, fragment the IEs buffer (at IE boundaries) into short
1306 * enough fragments to fit into IW_GENERIC_IE_MAX octet messages.
1309 end = pos + ies->len;
1311 while (end - pos > IW_GENERIC_IE_MAX) {
1312 next = pos + 2 + pos[1];
1313 while (next + 2 + next[1] - pos < IW_GENERIC_IE_MAX)
1314 next = next + 2 + next[1];
1316 memset(&iwe, 0, sizeof(iwe));
1317 iwe.cmd = IWEVGENIE;
1318 iwe.u.data.length = next - pos;
1319 *current_ev = iwe_stream_add_point(info, *current_ev,
1327 memset(&iwe, 0, sizeof(iwe));
1328 iwe.cmd = IWEVGENIE;
1329 iwe.u.data.length = end - pos;
1330 *current_ev = iwe_stream_add_point(info, *current_ev,
1337 ieee80211_bss(struct wiphy *wiphy, struct iw_request_info *info,
1338 struct cfg80211_internal_bss *bss, char *current_ev,
1341 const struct cfg80211_bss_ies *ies;
1342 struct iw_event iwe;
1346 bool ismesh = false;
1348 memset(&iwe, 0, sizeof(iwe));
1349 iwe.cmd = SIOCGIWAP;
1350 iwe.u.ap_addr.sa_family = ARPHRD_ETHER;
1351 memcpy(iwe.u.ap_addr.sa_data, bss->pub.bssid, ETH_ALEN);
1352 current_ev = iwe_stream_add_event(info, current_ev, end_buf, &iwe,
1355 memset(&iwe, 0, sizeof(iwe));
1356 iwe.cmd = SIOCGIWFREQ;
1357 iwe.u.freq.m = ieee80211_frequency_to_channel(bss->pub.channel->center_freq);
1359 current_ev = iwe_stream_add_event(info, current_ev, end_buf, &iwe,
1362 memset(&iwe, 0, sizeof(iwe));
1363 iwe.cmd = SIOCGIWFREQ;
1364 iwe.u.freq.m = bss->pub.channel->center_freq;
1366 current_ev = iwe_stream_add_event(info, current_ev, end_buf, &iwe,
1369 if (wiphy->signal_type != CFG80211_SIGNAL_TYPE_NONE) {
1370 memset(&iwe, 0, sizeof(iwe));
1372 iwe.u.qual.updated = IW_QUAL_LEVEL_UPDATED |
1373 IW_QUAL_NOISE_INVALID |
1374 IW_QUAL_QUAL_UPDATED;
1375 switch (wiphy->signal_type) {
1376 case CFG80211_SIGNAL_TYPE_MBM:
1377 sig = bss->pub.signal / 100;
1378 iwe.u.qual.level = sig;
1379 iwe.u.qual.updated |= IW_QUAL_DBM;
1380 if (sig < -110) /* rather bad */
1382 else if (sig > -40) /* perfect */
1384 /* will give a range of 0 .. 70 */
1385 iwe.u.qual.qual = sig + 110;
1387 case CFG80211_SIGNAL_TYPE_UNSPEC:
1388 iwe.u.qual.level = bss->pub.signal;
1389 /* will give range 0 .. 100 */
1390 iwe.u.qual.qual = bss->pub.signal;
1396 current_ev = iwe_stream_add_event(info, current_ev, end_buf,
1397 &iwe, IW_EV_QUAL_LEN);
1400 memset(&iwe, 0, sizeof(iwe));
1401 iwe.cmd = SIOCGIWENCODE;
1402 if (bss->pub.capability & WLAN_CAPABILITY_PRIVACY)
1403 iwe.u.data.flags = IW_ENCODE_ENABLED | IW_ENCODE_NOKEY;
1405 iwe.u.data.flags = IW_ENCODE_DISABLED;
1406 iwe.u.data.length = 0;
1407 current_ev = iwe_stream_add_point(info, current_ev, end_buf,
1411 ies = rcu_dereference(bss->pub.ies);
1417 if (ie[1] > rem - 2)
1422 memset(&iwe, 0, sizeof(iwe));
1423 iwe.cmd = SIOCGIWESSID;
1424 iwe.u.data.length = ie[1];
1425 iwe.u.data.flags = 1;
1426 current_ev = iwe_stream_add_point(info, current_ev, end_buf,
1427 &iwe, (u8 *)ie + 2);
1429 case WLAN_EID_MESH_ID:
1430 memset(&iwe, 0, sizeof(iwe));
1431 iwe.cmd = SIOCGIWESSID;
1432 iwe.u.data.length = ie[1];
1433 iwe.u.data.flags = 1;
1434 current_ev = iwe_stream_add_point(info, current_ev, end_buf,
1435 &iwe, (u8 *)ie + 2);
1437 case WLAN_EID_MESH_CONFIG:
1439 if (ie[1] != sizeof(struct ieee80211_meshconf_ie))
1441 buf = kmalloc(50, GFP_ATOMIC);
1445 memset(&iwe, 0, sizeof(iwe));
1446 iwe.cmd = IWEVCUSTOM;
1447 sprintf(buf, "Mesh Network Path Selection Protocol ID: "
1449 iwe.u.data.length = strlen(buf);
1450 current_ev = iwe_stream_add_point(info, current_ev,
1453 sprintf(buf, "Path Selection Metric ID: 0x%02X",
1455 iwe.u.data.length = strlen(buf);
1456 current_ev = iwe_stream_add_point(info, current_ev,
1459 sprintf(buf, "Congestion Control Mode ID: 0x%02X",
1461 iwe.u.data.length = strlen(buf);
1462 current_ev = iwe_stream_add_point(info, current_ev,
1465 sprintf(buf, "Synchronization ID: 0x%02X", cfg[3]);
1466 iwe.u.data.length = strlen(buf);
1467 current_ev = iwe_stream_add_point(info, current_ev,
1470 sprintf(buf, "Authentication ID: 0x%02X", cfg[4]);
1471 iwe.u.data.length = strlen(buf);
1472 current_ev = iwe_stream_add_point(info, current_ev,
1475 sprintf(buf, "Formation Info: 0x%02X", cfg[5]);
1476 iwe.u.data.length = strlen(buf);
1477 current_ev = iwe_stream_add_point(info, current_ev,
1480 sprintf(buf, "Capabilities: 0x%02X", cfg[6]);
1481 iwe.u.data.length = strlen(buf);
1482 current_ev = iwe_stream_add_point(info, current_ev,
1487 case WLAN_EID_SUPP_RATES:
1488 case WLAN_EID_EXT_SUPP_RATES:
1489 /* display all supported rates in readable format */
1490 p = current_ev + iwe_stream_lcp_len(info);
1492 memset(&iwe, 0, sizeof(iwe));
1493 iwe.cmd = SIOCGIWRATE;
1494 /* Those two flags are ignored... */
1495 iwe.u.bitrate.fixed = iwe.u.bitrate.disabled = 0;
1497 for (i = 0; i < ie[1]; i++) {
1498 iwe.u.bitrate.value =
1499 ((ie[i + 2] & 0x7f) * 500000);
1500 p = iwe_stream_add_value(info, current_ev, p,
1501 end_buf, &iwe, IW_EV_PARAM_LEN);
1510 if (bss->pub.capability & (WLAN_CAPABILITY_ESS | WLAN_CAPABILITY_IBSS) ||
1512 memset(&iwe, 0, sizeof(iwe));
1513 iwe.cmd = SIOCGIWMODE;
1515 iwe.u.mode = IW_MODE_MESH;
1516 else if (bss->pub.capability & WLAN_CAPABILITY_ESS)
1517 iwe.u.mode = IW_MODE_MASTER;
1519 iwe.u.mode = IW_MODE_ADHOC;
1520 current_ev = iwe_stream_add_event(info, current_ev, end_buf,
1521 &iwe, IW_EV_UINT_LEN);
1524 buf = kmalloc(31, GFP_ATOMIC);
1526 memset(&iwe, 0, sizeof(iwe));
1527 iwe.cmd = IWEVCUSTOM;
1528 sprintf(buf, "tsf=%016llx", (unsigned long long)(ies->tsf));
1529 iwe.u.data.length = strlen(buf);
1530 current_ev = iwe_stream_add_point(info, current_ev, end_buf,
1532 memset(&iwe, 0, sizeof(iwe));
1533 iwe.cmd = IWEVCUSTOM;
1534 sprintf(buf, " Last beacon: %ums ago",
1535 elapsed_jiffies_msecs(bss->ts));
1536 iwe.u.data.length = strlen(buf);
1537 current_ev = iwe_stream_add_point(info, current_ev,
1538 end_buf, &iwe, buf);
1542 ieee80211_scan_add_ies(info, ies, ¤t_ev, end_buf);
1549 static int ieee80211_scan_results(struct cfg80211_registered_device *rdev,
1550 struct iw_request_info *info,
1551 char *buf, size_t len)
1553 char *current_ev = buf;
1554 char *end_buf = buf + len;
1555 struct cfg80211_internal_bss *bss;
1557 spin_lock_bh(&rdev->bss_lock);
1558 cfg80211_bss_expire(rdev);
1560 list_for_each_entry(bss, &rdev->bss_list, list) {
1561 if (buf + len - current_ev <= IW_EV_ADDR_LEN) {
1562 spin_unlock_bh(&rdev->bss_lock);
1565 current_ev = ieee80211_bss(&rdev->wiphy, info, bss,
1566 current_ev, end_buf);
1568 spin_unlock_bh(&rdev->bss_lock);
1569 return current_ev - buf;
1573 int cfg80211_wext_giwscan(struct net_device *dev,
1574 struct iw_request_info *info,
1575 struct iw_point *data, char *extra)
1577 struct cfg80211_registered_device *rdev;
1580 if (!netif_running(dev))
1583 rdev = cfg80211_get_dev_from_ifindex(dev_net(dev), dev->ifindex);
1586 return PTR_ERR(rdev);
1588 if (rdev->scan_req || rdev->scan_msg)
1591 res = ieee80211_scan_results(rdev, info, extra, data->length);
1600 EXPORT_SYMBOL_GPL(cfg80211_wext_giwscan);