Linux-libre 3.16.85-gnu
[librecmc/linux-libre.git] / net / wireless / scan.c
1 /*
2  * cfg80211 scan result handling
3  *
4  * Copyright 2008 Johannes Berg <johannes@sipsolutions.net>
5  */
6 #include <linux/kernel.h>
7 #include <linux/slab.h>
8 #include <linux/module.h>
9 #include <linux/netdevice.h>
10 #include <linux/wireless.h>
11 #include <linux/nl80211.h>
12 #include <linux/etherdevice.h>
13 #include <net/arp.h>
14 #include <net/cfg80211.h>
15 #include <net/cfg80211-wext.h>
16 #include <net/iw_handler.h>
17 #include "core.h"
18 #include "nl80211.h"
19 #include "wext-compat.h"
20 #include "rdev-ops.h"
21
22 /**
23  * DOC: BSS tree/list structure
24  *
25  * At the top level, the BSS list is kept in both a list in each
26  * registered device (@bss_list) as well as an RB-tree for faster
27  * lookup. In the RB-tree, entries can be looked up using their
28  * channel, MESHID, MESHCONF (for MBSSes) or channel, BSSID, SSID
29  * for other BSSes.
30  *
31  * Due to the possibility of hidden SSIDs, there's a second level
32  * structure, the "hidden_list" and "hidden_beacon_bss" pointer.
33  * The hidden_list connects all BSSes belonging to a single AP
34  * that has a hidden SSID, and connects beacon and probe response
35  * entries. For a probe response entry for a hidden SSID, the
36  * hidden_beacon_bss pointer points to the BSS struct holding the
37  * beacon's information.
38  *
39  * Reference counting is done for all these references except for
40  * the hidden_list, so that a beacon BSS struct that is otherwise
41  * not referenced has one reference for being on the bss_list and
42  * one for each probe response entry that points to it using the
43  * hidden_beacon_bss pointer. When a BSS struct that has such a
44  * pointer is get/put, the refcount update is also propagated to
45  * the referenced struct, this ensure that it cannot get removed
46  * while somebody is using the probe response version.
47  *
48  * Note that the hidden_beacon_bss pointer never changes, due to
49  * the reference counting. Therefore, no locking is needed for
50  * it.
51  *
52  * Also note that the hidden_beacon_bss pointer is only relevant
53  * if the driver uses something other than the IEs, e.g. private
54  * data stored stored in the BSS struct, since the beacon IEs are
55  * also linked into the probe response struct.
56  */
57
58 /*
59  * Limit the number of BSS entries stored in mac80211. Each one is
60  * a bit over 4k at most, so this limits to roughly 4-5M of memory.
61  * If somebody wants to really attack this though, they'd likely
62  * use small beacons, and only one type of frame, limiting each of
63  * the entries to a much smaller size (in order to generate more
64  * entries in total, so overhead is bigger.)
65  */
66 static int bss_entries_limit = 1000;
67 module_param(bss_entries_limit, int, 0644);
68 MODULE_PARM_DESC(bss_entries_limit,
69                  "limit to number of scan BSS entries (per wiphy, default 1000)");
70
71 #define IEEE80211_SCAN_RESULT_EXPIRE    (30 * HZ)
72
73 static void bss_free(struct cfg80211_internal_bss *bss)
74 {
75         struct cfg80211_bss_ies *ies;
76
77         if (WARN_ON(atomic_read(&bss->hold)))
78                 return;
79
80         ies = (void *)rcu_access_pointer(bss->pub.beacon_ies);
81         if (ies && !bss->pub.hidden_beacon_bss)
82                 kfree_rcu(ies, rcu_head);
83         ies = (void *)rcu_access_pointer(bss->pub.proberesp_ies);
84         if (ies)
85                 kfree_rcu(ies, rcu_head);
86
87         /*
88          * This happens when the module is removed, it doesn't
89          * really matter any more save for completeness
90          */
91         if (!list_empty(&bss->hidden_list))
92                 list_del(&bss->hidden_list);
93
94         kfree(bss);
95 }
96
97 static inline void bss_ref_get(struct cfg80211_registered_device *rdev,
98                                struct cfg80211_internal_bss *bss)
99 {
100         lockdep_assert_held(&rdev->bss_lock);
101
102         bss->refcount++;
103         if (bss->pub.hidden_beacon_bss) {
104                 bss = container_of(bss->pub.hidden_beacon_bss,
105                                    struct cfg80211_internal_bss,
106                                    pub);
107                 bss->refcount++;
108         }
109 }
110
111 static inline void bss_ref_put(struct cfg80211_registered_device *rdev,
112                                struct cfg80211_internal_bss *bss)
113 {
114         lockdep_assert_held(&rdev->bss_lock);
115
116         if (bss->pub.hidden_beacon_bss) {
117                 struct cfg80211_internal_bss *hbss;
118                 hbss = container_of(bss->pub.hidden_beacon_bss,
119                                     struct cfg80211_internal_bss,
120                                     pub);
121                 hbss->refcount--;
122                 if (hbss->refcount == 0)
123                         bss_free(hbss);
124         }
125         bss->refcount--;
126         if (bss->refcount == 0)
127                 bss_free(bss);
128 }
129
130 static bool __cfg80211_unlink_bss(struct cfg80211_registered_device *rdev,
131                                   struct cfg80211_internal_bss *bss)
132 {
133         lockdep_assert_held(&rdev->bss_lock);
134
135         if (!list_empty(&bss->hidden_list)) {
136                 /*
137                  * don't remove the beacon entry if it has
138                  * probe responses associated with it
139                  */
140                 if (!bss->pub.hidden_beacon_bss)
141                         return false;
142                 /*
143                  * if it's a probe response entry break its
144                  * link to the other entries in the group
145                  */
146                 list_del_init(&bss->hidden_list);
147         }
148
149         list_del_init(&bss->list);
150         rb_erase(&bss->rbn, &rdev->bss_tree);
151         rdev->bss_entries--;
152         WARN_ONCE((rdev->bss_entries == 0) ^ list_empty(&rdev->bss_list),
153                   "rdev bss entries[%d]/list[empty:%d] corruption\n",
154                   rdev->bss_entries, list_empty(&rdev->bss_list));
155         bss_ref_put(rdev, bss);
156         return true;
157 }
158
159 static void __cfg80211_bss_expire(struct cfg80211_registered_device *rdev,
160                                   unsigned long expire_time)
161 {
162         struct cfg80211_internal_bss *bss, *tmp;
163         bool expired = false;
164
165         lockdep_assert_held(&rdev->bss_lock);
166
167         list_for_each_entry_safe(bss, tmp, &rdev->bss_list, list) {
168                 if (atomic_read(&bss->hold))
169                         continue;
170                 if (!time_after(expire_time, bss->ts))
171                         continue;
172
173                 if (__cfg80211_unlink_bss(rdev, bss))
174                         expired = true;
175         }
176
177         if (expired)
178                 rdev->bss_generation++;
179 }
180
181 static bool cfg80211_bss_expire_oldest(struct cfg80211_registered_device *rdev)
182 {
183         struct cfg80211_internal_bss *bss, *oldest = NULL;
184         bool ret;
185
186         lockdep_assert_held(&rdev->bss_lock);
187
188         list_for_each_entry(bss, &rdev->bss_list, list) {
189                 if (atomic_read(&bss->hold))
190                         continue;
191
192                 if (!list_empty(&bss->hidden_list) &&
193                     !bss->pub.hidden_beacon_bss)
194                         continue;
195
196                 if (oldest && time_before(oldest->ts, bss->ts))
197                         continue;
198                 oldest = bss;
199         }
200
201         if (WARN_ON(!oldest))
202                 return false;
203
204         /*
205          * The callers make sure to increase rdev->bss_generation if anything
206          * gets removed (and a new entry added), so there's no need to also do
207          * it here.
208          */
209
210         ret = __cfg80211_unlink_bss(rdev, oldest);
211         WARN_ON(!ret);
212         return ret;
213 }
214
215 void ___cfg80211_scan_done(struct cfg80211_registered_device *rdev,
216                            bool send_message)
217 {
218         struct cfg80211_scan_request *request;
219         struct wireless_dev *wdev;
220         struct sk_buff *msg;
221 #ifdef CONFIG_CFG80211_WEXT
222         union iwreq_data wrqu;
223 #endif
224
225         ASSERT_RTNL();
226
227         if (rdev->scan_msg) {
228                 nl80211_send_scan_result(rdev, rdev->scan_msg);
229                 rdev->scan_msg = NULL;
230                 return;
231         }
232
233         request = rdev->scan_req;
234         if (!request)
235                 return;
236
237         wdev = request->wdev;
238
239         /*
240          * This must be before sending the other events!
241          * Otherwise, wpa_supplicant gets completely confused with
242          * wext events.
243          */
244         if (wdev->netdev)
245                 cfg80211_sme_scan_done(wdev->netdev);
246
247         if (!request->aborted &&
248             request->flags & NL80211_SCAN_FLAG_FLUSH) {
249                 /* flush entries from previous scans */
250                 spin_lock_bh(&rdev->bss_lock);
251                 __cfg80211_bss_expire(rdev, request->scan_start);
252                 spin_unlock_bh(&rdev->bss_lock);
253         }
254
255         msg = nl80211_build_scan_msg(rdev, wdev, request->aborted);
256
257 #ifdef CONFIG_CFG80211_WEXT
258         if (wdev->netdev && !request->aborted) {
259                 memset(&wrqu, 0, sizeof(wrqu));
260
261                 wireless_send_event(wdev->netdev, SIOCGIWSCAN, &wrqu, NULL);
262         }
263 #endif
264
265         if (wdev->netdev)
266                 dev_put(wdev->netdev);
267
268         rdev->scan_req = NULL;
269         kfree(request);
270
271         if (!send_message)
272                 rdev->scan_msg = msg;
273         else
274                 nl80211_send_scan_result(rdev, msg);
275 }
276
277 void __cfg80211_scan_done(struct work_struct *wk)
278 {
279         struct cfg80211_registered_device *rdev;
280
281         rdev = container_of(wk, struct cfg80211_registered_device,
282                             scan_done_wk);
283
284         rtnl_lock();
285         ___cfg80211_scan_done(rdev, true);
286         rtnl_unlock();
287 }
288
289 void cfg80211_scan_done(struct cfg80211_scan_request *request, bool aborted)
290 {
291         trace_cfg80211_scan_done(request, aborted);
292         WARN_ON(request != wiphy_to_rdev(request->wiphy)->scan_req);
293
294         request->aborted = aborted;
295         request->notified = true;
296         queue_work(cfg80211_wq, &wiphy_to_rdev(request->wiphy)->scan_done_wk);
297 }
298 EXPORT_SYMBOL(cfg80211_scan_done);
299
300 void __cfg80211_sched_scan_results(struct work_struct *wk)
301 {
302         struct cfg80211_registered_device *rdev;
303         struct cfg80211_sched_scan_request *request;
304
305         rdev = container_of(wk, struct cfg80211_registered_device,
306                             sched_scan_results_wk);
307
308         rtnl_lock();
309
310         request = rdev->sched_scan_req;
311
312         /* we don't have sched_scan_req anymore if the scan is stopping */
313         if (request) {
314                 if (request->flags & NL80211_SCAN_FLAG_FLUSH) {
315                         /* flush entries from previous scans */
316                         spin_lock_bh(&rdev->bss_lock);
317                         __cfg80211_bss_expire(rdev, request->scan_start);
318                         spin_unlock_bh(&rdev->bss_lock);
319                         request->scan_start =
320                                 jiffies + msecs_to_jiffies(request->interval);
321                 }
322                 nl80211_send_sched_scan_results(rdev, request->dev);
323         }
324
325         rtnl_unlock();
326 }
327
328 void cfg80211_sched_scan_results(struct wiphy *wiphy)
329 {
330         trace_cfg80211_sched_scan_results(wiphy);
331         /* ignore if we're not scanning */
332         if (wiphy_to_rdev(wiphy)->sched_scan_req)
333                 queue_work(cfg80211_wq,
334                            &wiphy_to_rdev(wiphy)->sched_scan_results_wk);
335 }
336 EXPORT_SYMBOL(cfg80211_sched_scan_results);
337
338 void cfg80211_sched_scan_stopped_rtnl(struct wiphy *wiphy)
339 {
340         struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
341
342         ASSERT_RTNL();
343
344         trace_cfg80211_sched_scan_stopped(wiphy);
345
346         __cfg80211_stop_sched_scan(rdev, true);
347 }
348 EXPORT_SYMBOL(cfg80211_sched_scan_stopped_rtnl);
349
350 void cfg80211_sched_scan_stopped(struct wiphy *wiphy)
351 {
352         rtnl_lock();
353         cfg80211_sched_scan_stopped_rtnl(wiphy);
354         rtnl_unlock();
355 }
356 EXPORT_SYMBOL(cfg80211_sched_scan_stopped);
357
358 int __cfg80211_stop_sched_scan(struct cfg80211_registered_device *rdev,
359                                bool driver_initiated)
360 {
361         struct net_device *dev;
362
363         ASSERT_RTNL();
364
365         if (!rdev->sched_scan_req)
366                 return -ENOENT;
367
368         dev = rdev->sched_scan_req->dev;
369
370         if (!driver_initiated) {
371                 int err = rdev_sched_scan_stop(rdev, dev);
372                 if (err)
373                         return err;
374         }
375
376         nl80211_send_sched_scan(rdev, dev, NL80211_CMD_SCHED_SCAN_STOPPED);
377
378         kfree(rdev->sched_scan_req);
379         rdev->sched_scan_req = NULL;
380
381         return 0;
382 }
383
384 void cfg80211_bss_age(struct cfg80211_registered_device *rdev,
385                       unsigned long age_secs)
386 {
387         struct cfg80211_internal_bss *bss;
388         unsigned long age_jiffies = msecs_to_jiffies(age_secs * MSEC_PER_SEC);
389
390         spin_lock_bh(&rdev->bss_lock);
391         list_for_each_entry(bss, &rdev->bss_list, list)
392                 bss->ts -= age_jiffies;
393         spin_unlock_bh(&rdev->bss_lock);
394 }
395
396 void cfg80211_bss_expire(struct cfg80211_registered_device *rdev)
397 {
398         __cfg80211_bss_expire(rdev, jiffies - IEEE80211_SCAN_RESULT_EXPIRE);
399 }
400
401 const u8 *cfg80211_find_ie(u8 eid, const u8 *ies, int len)
402 {
403         while (len > 2 && ies[0] != eid) {
404                 len -= ies[1] + 2;
405                 ies += ies[1] + 2;
406         }
407         if (len < 2)
408                 return NULL;
409         if (len < 2 + ies[1])
410                 return NULL;
411         return ies;
412 }
413 EXPORT_SYMBOL(cfg80211_find_ie);
414
415 const u8 *cfg80211_find_vendor_ie(unsigned int oui, u8 oui_type,
416                                   const u8 *ies, int len)
417 {
418         struct ieee80211_vendor_ie *ie;
419         const u8 *pos = ies, *end = ies + len;
420         int ie_oui;
421
422         while (pos < end) {
423                 pos = cfg80211_find_ie(WLAN_EID_VENDOR_SPECIFIC, pos,
424                                        end - pos);
425                 if (!pos)
426                         return NULL;
427
428                 ie = (struct ieee80211_vendor_ie *)pos;
429
430                 /* make sure we can access ie->len */
431                 BUILD_BUG_ON(offsetof(struct ieee80211_vendor_ie, len) != 1);
432
433                 if (ie->len < sizeof(*ie))
434                         goto cont;
435
436                 ie_oui = ie->oui[0] << 16 | ie->oui[1] << 8 | ie->oui[2];
437                 if (ie_oui == oui && ie->oui_type == oui_type)
438                         return pos;
439 cont:
440                 pos += 2 + ie->len;
441         }
442         return NULL;
443 }
444 EXPORT_SYMBOL(cfg80211_find_vendor_ie);
445
446 static bool is_bss(struct cfg80211_bss *a, const u8 *bssid,
447                    const u8 *ssid, size_t ssid_len)
448 {
449         const struct cfg80211_bss_ies *ies;
450         const u8 *ssidie;
451
452         if (bssid && !ether_addr_equal(a->bssid, bssid))
453                 return false;
454
455         if (!ssid)
456                 return true;
457
458         ies = rcu_access_pointer(a->ies);
459         if (!ies)
460                 return false;
461         ssidie = cfg80211_find_ie(WLAN_EID_SSID, ies->data, ies->len);
462         if (!ssidie)
463                 return false;
464         if (ssidie[1] != ssid_len)
465                 return false;
466         return memcmp(ssidie + 2, ssid, ssid_len) == 0;
467 }
468
469 /**
470  * enum bss_compare_mode - BSS compare mode
471  * @BSS_CMP_REGULAR: regular compare mode (for insertion and normal find)
472  * @BSS_CMP_HIDE_ZLEN: find hidden SSID with zero-length mode
473  * @BSS_CMP_HIDE_NUL: find hidden SSID with NUL-ed out mode
474  */
475 enum bss_compare_mode {
476         BSS_CMP_REGULAR,
477         BSS_CMP_HIDE_ZLEN,
478         BSS_CMP_HIDE_NUL,
479 };
480
481 static int cmp_bss(struct cfg80211_bss *a,
482                    struct cfg80211_bss *b,
483                    enum bss_compare_mode mode)
484 {
485         const struct cfg80211_bss_ies *a_ies, *b_ies;
486         const u8 *ie1 = NULL;
487         const u8 *ie2 = NULL;
488         int i, r;
489
490         if (a->channel != b->channel)
491                 return b->channel->center_freq - a->channel->center_freq;
492
493         a_ies = rcu_access_pointer(a->ies);
494         if (!a_ies)
495                 return -1;
496         b_ies = rcu_access_pointer(b->ies);
497         if (!b_ies)
498                 return 1;
499
500         if (WLAN_CAPABILITY_IS_STA_BSS(a->capability))
501                 ie1 = cfg80211_find_ie(WLAN_EID_MESH_ID,
502                                        a_ies->data, a_ies->len);
503         if (WLAN_CAPABILITY_IS_STA_BSS(b->capability))
504                 ie2 = cfg80211_find_ie(WLAN_EID_MESH_ID,
505                                        b_ies->data, b_ies->len);
506         if (ie1 && ie2) {
507                 int mesh_id_cmp;
508
509                 if (ie1[1] == ie2[1])
510                         mesh_id_cmp = memcmp(ie1 + 2, ie2 + 2, ie1[1]);
511                 else
512                         mesh_id_cmp = ie2[1] - ie1[1];
513
514                 ie1 = cfg80211_find_ie(WLAN_EID_MESH_CONFIG,
515                                        a_ies->data, a_ies->len);
516                 ie2 = cfg80211_find_ie(WLAN_EID_MESH_CONFIG,
517                                        b_ies->data, b_ies->len);
518                 if (ie1 && ie2) {
519                         if (mesh_id_cmp)
520                                 return mesh_id_cmp;
521                         if (ie1[1] != ie2[1])
522                                 return ie2[1] - ie1[1];
523                         return memcmp(ie1 + 2, ie2 + 2, ie1[1]);
524                 }
525         }
526
527         r = memcmp(a->bssid, b->bssid, sizeof(a->bssid));
528         if (r)
529                 return r;
530
531         ie1 = cfg80211_find_ie(WLAN_EID_SSID, a_ies->data, a_ies->len);
532         ie2 = cfg80211_find_ie(WLAN_EID_SSID, b_ies->data, b_ies->len);
533
534         if (!ie1 && !ie2)
535                 return 0;
536
537         /*
538          * Note that with "hide_ssid", the function returns a match if
539          * the already-present BSS ("b") is a hidden SSID beacon for
540          * the new BSS ("a").
541          */
542
543         /* sort missing IE before (left of) present IE */
544         if (!ie1)
545                 return -1;
546         if (!ie2)
547                 return 1;
548
549         switch (mode) {
550         case BSS_CMP_HIDE_ZLEN:
551                 /*
552                  * In ZLEN mode we assume the BSS entry we're
553                  * looking for has a zero-length SSID. So if
554                  * the one we're looking at right now has that,
555                  * return 0. Otherwise, return the difference
556                  * in length, but since we're looking for the
557                  * 0-length it's really equivalent to returning
558                  * the length of the one we're looking at.
559                  *
560                  * No content comparison is needed as we assume
561                  * the content length is zero.
562                  */
563                 return ie2[1];
564         case BSS_CMP_REGULAR:
565         default:
566                 /* sort by length first, then by contents */
567                 if (ie1[1] != ie2[1])
568                         return ie2[1] - ie1[1];
569                 return memcmp(ie1 + 2, ie2 + 2, ie1[1]);
570         case BSS_CMP_HIDE_NUL:
571                 if (ie1[1] != ie2[1])
572                         return ie2[1] - ie1[1];
573                 /* this is equivalent to memcmp(zeroes, ie2 + 2, len) */
574                 for (i = 0; i < ie2[1]; i++)
575                         if (ie2[i + 2])
576                                 return -1;
577                 return 0;
578         }
579 }
580
581 /* Returned bss is reference counted and must be cleaned up appropriately. */
582 struct cfg80211_bss *cfg80211_get_bss(struct wiphy *wiphy,
583                                       struct ieee80211_channel *channel,
584                                       const u8 *bssid,
585                                       const u8 *ssid, size_t ssid_len,
586                                       u16 capa_mask, u16 capa_val)
587 {
588         struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
589         struct cfg80211_internal_bss *bss, *res = NULL;
590         unsigned long now = jiffies;
591
592         trace_cfg80211_get_bss(wiphy, channel, bssid, ssid, ssid_len, capa_mask,
593                                capa_val);
594
595         spin_lock_bh(&rdev->bss_lock);
596
597         list_for_each_entry(bss, &rdev->bss_list, list) {
598                 if ((bss->pub.capability & capa_mask) != capa_val)
599                         continue;
600                 if (channel && bss->pub.channel != channel)
601                         continue;
602                 if (!is_valid_ether_addr(bss->pub.bssid))
603                         continue;
604                 /* Don't get expired BSS structs */
605                 if (time_after(now, bss->ts + IEEE80211_SCAN_RESULT_EXPIRE) &&
606                     !atomic_read(&bss->hold))
607                         continue;
608                 if (is_bss(&bss->pub, bssid, ssid, ssid_len)) {
609                         res = bss;
610                         bss_ref_get(rdev, res);
611                         break;
612                 }
613         }
614
615         spin_unlock_bh(&rdev->bss_lock);
616         if (!res)
617                 return NULL;
618         trace_cfg80211_return_bss(&res->pub);
619         return &res->pub;
620 }
621 EXPORT_SYMBOL(cfg80211_get_bss);
622
623 static void rb_insert_bss(struct cfg80211_registered_device *rdev,
624                           struct cfg80211_internal_bss *bss)
625 {
626         struct rb_node **p = &rdev->bss_tree.rb_node;
627         struct rb_node *parent = NULL;
628         struct cfg80211_internal_bss *tbss;
629         int cmp;
630
631         while (*p) {
632                 parent = *p;
633                 tbss = rb_entry(parent, struct cfg80211_internal_bss, rbn);
634
635                 cmp = cmp_bss(&bss->pub, &tbss->pub, BSS_CMP_REGULAR);
636
637                 if (WARN_ON(!cmp)) {
638                         /* will sort of leak this BSS */
639                         return;
640                 }
641
642                 if (cmp < 0)
643                         p = &(*p)->rb_left;
644                 else
645                         p = &(*p)->rb_right;
646         }
647
648         rb_link_node(&bss->rbn, parent, p);
649         rb_insert_color(&bss->rbn, &rdev->bss_tree);
650 }
651
652 static struct cfg80211_internal_bss *
653 rb_find_bss(struct cfg80211_registered_device *rdev,
654             struct cfg80211_internal_bss *res,
655             enum bss_compare_mode mode)
656 {
657         struct rb_node *n = rdev->bss_tree.rb_node;
658         struct cfg80211_internal_bss *bss;
659         int r;
660
661         while (n) {
662                 bss = rb_entry(n, struct cfg80211_internal_bss, rbn);
663                 r = cmp_bss(&res->pub, &bss->pub, mode);
664
665                 if (r == 0)
666                         return bss;
667                 else if (r < 0)
668                         n = n->rb_left;
669                 else
670                         n = n->rb_right;
671         }
672
673         return NULL;
674 }
675
676 static bool cfg80211_combine_bsses(struct cfg80211_registered_device *rdev,
677                                    struct cfg80211_internal_bss *new)
678 {
679         const struct cfg80211_bss_ies *ies;
680         struct cfg80211_internal_bss *bss;
681         const u8 *ie;
682         int i, ssidlen;
683         u8 fold = 0;
684         u32 n_entries = 0;
685
686         ies = rcu_access_pointer(new->pub.beacon_ies);
687         if (WARN_ON(!ies))
688                 return false;
689
690         ie = cfg80211_find_ie(WLAN_EID_SSID, ies->data, ies->len);
691         if (!ie) {
692                 /* nothing to do */
693                 return true;
694         }
695
696         ssidlen = ie[1];
697         for (i = 0; i < ssidlen; i++)
698                 fold |= ie[2 + i];
699
700         if (fold) {
701                 /* not a hidden SSID */
702                 return true;
703         }
704
705         /* This is the bad part ... */
706
707         list_for_each_entry(bss, &rdev->bss_list, list) {
708                 /*
709                  * we're iterating all the entries anyway, so take the
710                  * opportunity to validate the list length accounting
711                  */
712                 n_entries++;
713
714                 if (!ether_addr_equal(bss->pub.bssid, new->pub.bssid))
715                         continue;
716                 if (bss->pub.channel != new->pub.channel)
717                         continue;
718                 if (bss->pub.scan_width != new->pub.scan_width)
719                         continue;
720                 if (rcu_access_pointer(bss->pub.beacon_ies))
721                         continue;
722                 ies = rcu_access_pointer(bss->pub.ies);
723                 if (!ies)
724                         continue;
725                 ie = cfg80211_find_ie(WLAN_EID_SSID, ies->data, ies->len);
726                 if (!ie)
727                         continue;
728                 if (ssidlen && ie[1] != ssidlen)
729                         continue;
730                 if (WARN_ON_ONCE(bss->pub.hidden_beacon_bss))
731                         continue;
732                 if (WARN_ON_ONCE(!list_empty(&bss->hidden_list)))
733                         list_del(&bss->hidden_list);
734                 /* combine them */
735                 list_add(&bss->hidden_list, &new->hidden_list);
736                 bss->pub.hidden_beacon_bss = &new->pub;
737                 new->refcount += bss->refcount;
738                 rcu_assign_pointer(bss->pub.beacon_ies,
739                                    new->pub.beacon_ies);
740         }
741
742         WARN_ONCE(n_entries != rdev->bss_entries,
743                   "rdev bss entries[%d]/list[len:%d] corruption\n",
744                   rdev->bss_entries, n_entries);
745
746         return true;
747 }
748
749 /* Returned bss is reference counted and must be cleaned up appropriately. */
750 static struct cfg80211_internal_bss *
751 cfg80211_bss_update(struct cfg80211_registered_device *rdev,
752                     struct cfg80211_internal_bss *tmp,
753                     bool signal_valid)
754 {
755         struct cfg80211_internal_bss *found = NULL;
756
757         if (WARN_ON(!tmp->pub.channel))
758                 return NULL;
759
760         tmp->ts = jiffies;
761
762         spin_lock_bh(&rdev->bss_lock);
763
764         if (WARN_ON(!rcu_access_pointer(tmp->pub.ies))) {
765                 spin_unlock_bh(&rdev->bss_lock);
766                 return NULL;
767         }
768
769         found = rb_find_bss(rdev, tmp, BSS_CMP_REGULAR);
770
771         if (found) {
772                 /* Update IEs */
773                 if (rcu_access_pointer(tmp->pub.proberesp_ies)) {
774                         const struct cfg80211_bss_ies *old;
775
776                         old = rcu_access_pointer(found->pub.proberesp_ies);
777
778                         rcu_assign_pointer(found->pub.proberesp_ies,
779                                            tmp->pub.proberesp_ies);
780                         /* Override possible earlier Beacon frame IEs */
781                         rcu_assign_pointer(found->pub.ies,
782                                            tmp->pub.proberesp_ies);
783                         if (old)
784                                 kfree_rcu((struct cfg80211_bss_ies *)old,
785                                           rcu_head);
786                 } else if (rcu_access_pointer(tmp->pub.beacon_ies)) {
787                         const struct cfg80211_bss_ies *old;
788                         struct cfg80211_internal_bss *bss;
789
790                         if (found->pub.hidden_beacon_bss &&
791                             !list_empty(&found->hidden_list)) {
792                                 const struct cfg80211_bss_ies *f;
793
794                                 /*
795                                  * The found BSS struct is one of the probe
796                                  * response members of a group, but we're
797                                  * receiving a beacon (beacon_ies in the tmp
798                                  * bss is used). This can only mean that the
799                                  * AP changed its beacon from not having an
800                                  * SSID to showing it, which is confusing so
801                                  * drop this information.
802                                  */
803
804                                 f = rcu_access_pointer(tmp->pub.beacon_ies);
805                                 kfree_rcu((struct cfg80211_bss_ies *)f,
806                                           rcu_head);
807                                 goto drop;
808                         }
809
810                         old = rcu_access_pointer(found->pub.beacon_ies);
811
812                         rcu_assign_pointer(found->pub.beacon_ies,
813                                            tmp->pub.beacon_ies);
814
815                         /* Override IEs if they were from a beacon before */
816                         if (old == rcu_access_pointer(found->pub.ies))
817                                 rcu_assign_pointer(found->pub.ies,
818                                                    tmp->pub.beacon_ies);
819
820                         /* Assign beacon IEs to all sub entries */
821                         list_for_each_entry(bss, &found->hidden_list,
822                                             hidden_list) {
823                                 const struct cfg80211_bss_ies *ies;
824
825                                 ies = rcu_access_pointer(bss->pub.beacon_ies);
826                                 WARN_ON(ies != old);
827
828                                 rcu_assign_pointer(bss->pub.beacon_ies,
829                                                    tmp->pub.beacon_ies);
830                         }
831
832                         if (old)
833                                 kfree_rcu((struct cfg80211_bss_ies *)old,
834                                           rcu_head);
835                 }
836
837                 found->pub.beacon_interval = tmp->pub.beacon_interval;
838                 /*
839                  * don't update the signal if beacon was heard on
840                  * adjacent channel.
841                  */
842                 if (signal_valid)
843                         found->pub.signal = tmp->pub.signal;
844                 found->pub.capability = tmp->pub.capability;
845                 found->ts = tmp->ts;
846         } else {
847                 struct cfg80211_internal_bss *new;
848                 struct cfg80211_internal_bss *hidden;
849                 struct cfg80211_bss_ies *ies;
850
851                 /*
852                  * create a copy -- the "res" variable that is passed in
853                  * is allocated on the stack since it's not needed in the
854                  * more common case of an update
855                  */
856                 new = kzalloc(sizeof(*new) + rdev->wiphy.bss_priv_size,
857                               GFP_ATOMIC);
858                 if (!new) {
859                         ies = (void *)rcu_dereference(tmp->pub.beacon_ies);
860                         if (ies)
861                                 kfree_rcu(ies, rcu_head);
862                         ies = (void *)rcu_dereference(tmp->pub.proberesp_ies);
863                         if (ies)
864                                 kfree_rcu(ies, rcu_head);
865                         goto drop;
866                 }
867                 memcpy(new, tmp, sizeof(*new));
868                 new->refcount = 1;
869                 INIT_LIST_HEAD(&new->hidden_list);
870
871                 if (rcu_access_pointer(tmp->pub.proberesp_ies)) {
872                         hidden = rb_find_bss(rdev, tmp, BSS_CMP_HIDE_ZLEN);
873                         if (!hidden)
874                                 hidden = rb_find_bss(rdev, tmp,
875                                                      BSS_CMP_HIDE_NUL);
876                         if (hidden) {
877                                 new->pub.hidden_beacon_bss = &hidden->pub;
878                                 list_add(&new->hidden_list,
879                                          &hidden->hidden_list);
880                                 hidden->refcount++;
881                                 rcu_assign_pointer(new->pub.beacon_ies,
882                                                    hidden->pub.beacon_ies);
883                         }
884                 } else {
885                         /*
886                          * Ok so we found a beacon, and don't have an entry. If
887                          * it's a beacon with hidden SSID, we might be in for an
888                          * expensive search for any probe responses that should
889                          * be grouped with this beacon for updates ...
890                          */
891                         if (!cfg80211_combine_bsses(rdev, new)) {
892                                 kfree(new);
893                                 goto drop;
894                         }
895                 }
896
897                 if (rdev->bss_entries >= bss_entries_limit &&
898                     !cfg80211_bss_expire_oldest(rdev)) {
899                         kfree(new);
900                         goto drop;
901                 }
902
903                 list_add_tail(&new->list, &rdev->bss_list);
904                 rdev->bss_entries++;
905                 rb_insert_bss(rdev, new);
906                 found = new;
907         }
908
909         rdev->bss_generation++;
910         bss_ref_get(rdev, found);
911         spin_unlock_bh(&rdev->bss_lock);
912
913         return found;
914  drop:
915         spin_unlock_bh(&rdev->bss_lock);
916         return NULL;
917 }
918
919 static struct ieee80211_channel *
920 cfg80211_get_bss_channel(struct wiphy *wiphy, const u8 *ie, size_t ielen,
921                          struct ieee80211_channel *channel)
922 {
923         const u8 *tmp;
924         u32 freq;
925         int channel_number = -1;
926
927         tmp = cfg80211_find_ie(WLAN_EID_DS_PARAMS, ie, ielen);
928         if (tmp && tmp[1] == 1) {
929                 channel_number = tmp[2];
930         } else {
931                 tmp = cfg80211_find_ie(WLAN_EID_HT_OPERATION, ie, ielen);
932                 if (tmp && tmp[1] >= sizeof(struct ieee80211_ht_operation)) {
933                         struct ieee80211_ht_operation *htop = (void *)(tmp + 2);
934
935                         channel_number = htop->primary_chan;
936                 }
937         }
938
939         if (channel_number < 0)
940                 return channel;
941
942         freq = ieee80211_channel_to_frequency(channel_number, channel->band);
943         channel = ieee80211_get_channel(wiphy, freq);
944         if (!channel)
945                 return NULL;
946         if (channel->flags & IEEE80211_CHAN_DISABLED)
947                 return NULL;
948         return channel;
949 }
950
951 /* Returned bss is reference counted and must be cleaned up appropriately. */
952 struct cfg80211_bss*
953 cfg80211_inform_bss_width(struct wiphy *wiphy,
954                           struct ieee80211_channel *rx_channel,
955                           enum nl80211_bss_scan_width scan_width,
956                           const u8 *bssid, u64 tsf, u16 capability,
957                           u16 beacon_interval, const u8 *ie, size_t ielen,
958                           s32 signal, gfp_t gfp)
959 {
960         struct cfg80211_bss_ies *ies;
961         struct ieee80211_channel *channel;
962         struct cfg80211_internal_bss tmp = {}, *res;
963         bool signal_valid;
964
965         if (WARN_ON(!wiphy))
966                 return NULL;
967
968         if (WARN_ON(wiphy->signal_type == CFG80211_SIGNAL_TYPE_UNSPEC &&
969                         (signal < 0 || signal > 100)))
970                 return NULL;
971
972         channel = cfg80211_get_bss_channel(wiphy, ie, ielen, rx_channel);
973         if (!channel)
974                 return NULL;
975
976         memcpy(tmp.pub.bssid, bssid, ETH_ALEN);
977         tmp.pub.channel = channel;
978         tmp.pub.scan_width = scan_width;
979         tmp.pub.signal = signal;
980         tmp.pub.beacon_interval = beacon_interval;
981         tmp.pub.capability = capability;
982         /*
983          * Since we do not know here whether the IEs are from a Beacon or Probe
984          * Response frame, we need to pick one of the options and only use it
985          * with the driver that does not provide the full Beacon/Probe Response
986          * frame. Use Beacon frame pointer to avoid indicating that this should
987          * override the IEs pointer should we have received an earlier
988          * indication of Probe Response data.
989          */
990         ies = kmalloc(sizeof(*ies) + ielen, gfp);
991         if (!ies)
992                 return NULL;
993         ies->len = ielen;
994         ies->tsf = tsf;
995         memcpy(ies->data, ie, ielen);
996
997         rcu_assign_pointer(tmp.pub.beacon_ies, ies);
998         rcu_assign_pointer(tmp.pub.ies, ies);
999
1000         signal_valid = abs(rx_channel->center_freq - channel->center_freq) <=
1001                 wiphy->max_adj_channel_rssi_comp;
1002         res = cfg80211_bss_update(wiphy_to_rdev(wiphy), &tmp, signal_valid);
1003         if (!res)
1004                 return NULL;
1005
1006         if (res->pub.capability & WLAN_CAPABILITY_ESS)
1007                 regulatory_hint_found_beacon(wiphy, channel, gfp);
1008
1009         trace_cfg80211_return_bss(&res->pub);
1010         /* cfg80211_bss_update gives us a referenced result */
1011         return &res->pub;
1012 }
1013 EXPORT_SYMBOL(cfg80211_inform_bss_width);
1014
1015 /* Returned bss is reference counted and must be cleaned up appropriately. */
1016 struct cfg80211_bss *
1017 cfg80211_inform_bss_width_frame(struct wiphy *wiphy,
1018                                 struct ieee80211_channel *rx_channel,
1019                                 enum nl80211_bss_scan_width scan_width,
1020                                 struct ieee80211_mgmt *mgmt, size_t len,
1021                                 s32 signal, gfp_t gfp)
1022 {
1023         struct cfg80211_internal_bss tmp = {}, *res;
1024         struct cfg80211_bss_ies *ies;
1025         struct ieee80211_channel *channel;
1026         bool signal_valid;
1027         size_t ielen = len - offsetof(struct ieee80211_mgmt,
1028                                       u.probe_resp.variable);
1029
1030         BUILD_BUG_ON(offsetof(struct ieee80211_mgmt, u.probe_resp.variable) !=
1031                         offsetof(struct ieee80211_mgmt, u.beacon.variable));
1032
1033         trace_cfg80211_inform_bss_width_frame(wiphy, rx_channel, scan_width, mgmt,
1034                                               len, signal);
1035
1036         if (WARN_ON(!mgmt))
1037                 return NULL;
1038
1039         if (WARN_ON(!wiphy))
1040                 return NULL;
1041
1042         if (WARN_ON(wiphy->signal_type == CFG80211_SIGNAL_TYPE_UNSPEC &&
1043                     (signal < 0 || signal > 100)))
1044                 return NULL;
1045
1046         if (WARN_ON(len < offsetof(struct ieee80211_mgmt, u.probe_resp.variable)))
1047                 return NULL;
1048
1049         channel = cfg80211_get_bss_channel(wiphy, mgmt->u.beacon.variable,
1050                                            ielen, rx_channel);
1051         if (!channel)
1052                 return NULL;
1053
1054         ies = kmalloc(sizeof(*ies) + ielen, gfp);
1055         if (!ies)
1056                 return NULL;
1057         ies->len = ielen;
1058         ies->tsf = le64_to_cpu(mgmt->u.probe_resp.timestamp);
1059         memcpy(ies->data, mgmt->u.probe_resp.variable, ielen);
1060
1061         if (ieee80211_is_probe_resp(mgmt->frame_control))
1062                 rcu_assign_pointer(tmp.pub.proberesp_ies, ies);
1063         else
1064                 rcu_assign_pointer(tmp.pub.beacon_ies, ies);
1065         rcu_assign_pointer(tmp.pub.ies, ies);
1066         
1067         memcpy(tmp.pub.bssid, mgmt->bssid, ETH_ALEN);
1068         tmp.pub.channel = channel;
1069         tmp.pub.scan_width = scan_width;
1070         tmp.pub.signal = signal;
1071         tmp.pub.beacon_interval = le16_to_cpu(mgmt->u.probe_resp.beacon_int);
1072         tmp.pub.capability = le16_to_cpu(mgmt->u.probe_resp.capab_info);
1073
1074         signal_valid = abs(rx_channel->center_freq - channel->center_freq) <=
1075                 wiphy->max_adj_channel_rssi_comp;
1076         res = cfg80211_bss_update(wiphy_to_rdev(wiphy), &tmp, signal_valid);
1077         if (!res)
1078                 return NULL;
1079
1080         if (res->pub.capability & WLAN_CAPABILITY_ESS)
1081                 regulatory_hint_found_beacon(wiphy, channel, gfp);
1082
1083         trace_cfg80211_return_bss(&res->pub);
1084         /* cfg80211_bss_update gives us a referenced result */
1085         return &res->pub;
1086 }
1087 EXPORT_SYMBOL(cfg80211_inform_bss_width_frame);
1088
1089 void cfg80211_ref_bss(struct wiphy *wiphy, struct cfg80211_bss *pub)
1090 {
1091         struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
1092         struct cfg80211_internal_bss *bss;
1093
1094         if (!pub)
1095                 return;
1096
1097         bss = container_of(pub, struct cfg80211_internal_bss, pub);
1098
1099         spin_lock_bh(&rdev->bss_lock);
1100         bss_ref_get(rdev, bss);
1101         spin_unlock_bh(&rdev->bss_lock);
1102 }
1103 EXPORT_SYMBOL(cfg80211_ref_bss);
1104
1105 void cfg80211_put_bss(struct wiphy *wiphy, struct cfg80211_bss *pub)
1106 {
1107         struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
1108         struct cfg80211_internal_bss *bss;
1109
1110         if (!pub)
1111                 return;
1112
1113         bss = container_of(pub, struct cfg80211_internal_bss, pub);
1114
1115         spin_lock_bh(&rdev->bss_lock);
1116         bss_ref_put(rdev, bss);
1117         spin_unlock_bh(&rdev->bss_lock);
1118 }
1119 EXPORT_SYMBOL(cfg80211_put_bss);
1120
1121 void cfg80211_unlink_bss(struct wiphy *wiphy, struct cfg80211_bss *pub)
1122 {
1123         struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
1124         struct cfg80211_internal_bss *bss;
1125
1126         if (WARN_ON(!pub))
1127                 return;
1128
1129         bss = container_of(pub, struct cfg80211_internal_bss, pub);
1130
1131         spin_lock_bh(&rdev->bss_lock);
1132         if (!list_empty(&bss->list)) {
1133                 if (__cfg80211_unlink_bss(rdev, bss))
1134                         rdev->bss_generation++;
1135         }
1136         spin_unlock_bh(&rdev->bss_lock);
1137 }
1138 EXPORT_SYMBOL(cfg80211_unlink_bss);
1139
1140 #ifdef CONFIG_CFG80211_WEXT
1141 static struct cfg80211_registered_device *
1142 cfg80211_get_dev_from_ifindex(struct net *net, int ifindex)
1143 {
1144         struct cfg80211_registered_device *rdev;
1145         struct net_device *dev;
1146
1147         ASSERT_RTNL();
1148
1149         dev = dev_get_by_index(net, ifindex);
1150         if (!dev)
1151                 return ERR_PTR(-ENODEV);
1152         if (dev->ieee80211_ptr)
1153                 rdev = wiphy_to_rdev(dev->ieee80211_ptr->wiphy);
1154         else
1155                 rdev = ERR_PTR(-ENODEV);
1156         dev_put(dev);
1157         return rdev;
1158 }
1159
1160 int cfg80211_wext_siwscan(struct net_device *dev,
1161                           struct iw_request_info *info,
1162                           union iwreq_data *wrqu, char *extra)
1163 {
1164         struct cfg80211_registered_device *rdev;
1165         struct wiphy *wiphy;
1166         struct iw_scan_req *wreq = NULL;
1167         struct cfg80211_scan_request *creq = NULL;
1168         int i, err, n_channels = 0;
1169         enum ieee80211_band band;
1170
1171         if (!netif_running(dev))
1172                 return -ENETDOWN;
1173
1174         if (wrqu->data.length == sizeof(struct iw_scan_req))
1175                 wreq = (struct iw_scan_req *)extra;
1176
1177         rdev = cfg80211_get_dev_from_ifindex(dev_net(dev), dev->ifindex);
1178
1179         if (IS_ERR(rdev))
1180                 return PTR_ERR(rdev);
1181
1182         if (rdev->scan_req || rdev->scan_msg) {
1183                 err = -EBUSY;
1184                 goto out;
1185         }
1186
1187         wiphy = &rdev->wiphy;
1188
1189         /* Determine number of channels, needed to allocate creq */
1190         if (wreq && wreq->num_channels)
1191                 n_channels = wreq->num_channels;
1192         else
1193                 n_channels = ieee80211_get_num_supported_channels(wiphy);
1194
1195         creq = kzalloc(sizeof(*creq) + sizeof(struct cfg80211_ssid) +
1196                        n_channels * sizeof(void *),
1197                        GFP_ATOMIC);
1198         if (!creq) {
1199                 err = -ENOMEM;
1200                 goto out;
1201         }
1202
1203         creq->wiphy = wiphy;
1204         creq->wdev = dev->ieee80211_ptr;
1205         /* SSIDs come after channels */
1206         creq->ssids = (void *)&creq->channels[n_channels];
1207         creq->n_channels = n_channels;
1208         creq->n_ssids = 1;
1209         creq->scan_start = jiffies;
1210
1211         /* translate "Scan on frequencies" request */
1212         i = 0;
1213         for (band = 0; band < IEEE80211_NUM_BANDS; band++) {
1214                 int j;
1215
1216                 if (!wiphy->bands[band])
1217                         continue;
1218
1219                 for (j = 0; j < wiphy->bands[band]->n_channels; j++) {
1220                         /* ignore disabled channels */
1221                         if (wiphy->bands[band]->channels[j].flags &
1222                                                 IEEE80211_CHAN_DISABLED)
1223                                 continue;
1224
1225                         /* If we have a wireless request structure and the
1226                          * wireless request specifies frequencies, then search
1227                          * for the matching hardware channel.
1228                          */
1229                         if (wreq && wreq->num_channels) {
1230                                 int k;
1231                                 int wiphy_freq = wiphy->bands[band]->channels[j].center_freq;
1232                                 for (k = 0; k < wreq->num_channels; k++) {
1233                                         struct iw_freq *freq =
1234                                                 &wreq->channel_list[k];
1235                                         int wext_freq =
1236                                                 cfg80211_wext_freq(freq);
1237
1238                                         if (wext_freq == wiphy_freq)
1239                                                 goto wext_freq_found;
1240                                 }
1241                                 goto wext_freq_not_found;
1242                         }
1243
1244                 wext_freq_found:
1245                         creq->channels[i] = &wiphy->bands[band]->channels[j];
1246                         i++;
1247                 wext_freq_not_found: ;
1248                 }
1249         }
1250         /* No channels found? */
1251         if (!i) {
1252                 err = -EINVAL;
1253                 goto out;
1254         }
1255
1256         /* Set real number of channels specified in creq->channels[] */
1257         creq->n_channels = i;
1258
1259         /* translate "Scan for SSID" request */
1260         if (wreq) {
1261                 if (wrqu->data.flags & IW_SCAN_THIS_ESSID) {
1262                         if (wreq->essid_len > IEEE80211_MAX_SSID_LEN) {
1263                                 err = -EINVAL;
1264                                 goto out;
1265                         }
1266                         memcpy(creq->ssids[0].ssid, wreq->essid, wreq->essid_len);
1267                         creq->ssids[0].ssid_len = wreq->essid_len;
1268                 }
1269                 if (wreq->scan_type == IW_SCAN_TYPE_PASSIVE)
1270                         creq->n_ssids = 0;
1271         }
1272
1273         for (i = 0; i < IEEE80211_NUM_BANDS; i++)
1274                 if (wiphy->bands[i])
1275                         creq->rates[i] = (1 << wiphy->bands[i]->n_bitrates) - 1;
1276
1277         rdev->scan_req = creq;
1278         err = rdev_scan(rdev, creq);
1279         if (err) {
1280                 rdev->scan_req = NULL;
1281                 /* creq will be freed below */
1282         } else {
1283                 nl80211_send_scan_start(rdev, dev->ieee80211_ptr);
1284                 /* creq now owned by driver */
1285                 creq = NULL;
1286                 dev_hold(dev);
1287         }
1288  out:
1289         kfree(creq);
1290         return err;
1291 }
1292 EXPORT_SYMBOL_GPL(cfg80211_wext_siwscan);
1293
1294 static void ieee80211_scan_add_ies(struct iw_request_info *info,
1295                                    const struct cfg80211_bss_ies *ies,
1296                                    char **current_ev, char *end_buf)
1297 {
1298         const u8 *pos, *end, *next;
1299         struct iw_event iwe;
1300
1301         if (!ies)
1302                 return;
1303
1304         /*
1305          * If needed, fragment the IEs buffer (at IE boundaries) into short
1306          * enough fragments to fit into IW_GENERIC_IE_MAX octet messages.
1307          */
1308         pos = ies->data;
1309         end = pos + ies->len;
1310
1311         while (end - pos > IW_GENERIC_IE_MAX) {
1312                 next = pos + 2 + pos[1];
1313                 while (next + 2 + next[1] - pos < IW_GENERIC_IE_MAX)
1314                         next = next + 2 + next[1];
1315
1316                 memset(&iwe, 0, sizeof(iwe));
1317                 iwe.cmd = IWEVGENIE;
1318                 iwe.u.data.length = next - pos;
1319                 *current_ev = iwe_stream_add_point(info, *current_ev,
1320                                                    end_buf, &iwe,
1321                                                    (void *)pos);
1322
1323                 pos = next;
1324         }
1325
1326         if (end > pos) {
1327                 memset(&iwe, 0, sizeof(iwe));
1328                 iwe.cmd = IWEVGENIE;
1329                 iwe.u.data.length = end - pos;
1330                 *current_ev = iwe_stream_add_point(info, *current_ev,
1331                                                    end_buf, &iwe,
1332                                                    (void *)pos);
1333         }
1334 }
1335
1336 static char *
1337 ieee80211_bss(struct wiphy *wiphy, struct iw_request_info *info,
1338               struct cfg80211_internal_bss *bss, char *current_ev,
1339               char *end_buf)
1340 {
1341         const struct cfg80211_bss_ies *ies;
1342         struct iw_event iwe;
1343         const u8 *ie;
1344         u8 *buf, *cfg, *p;
1345         int rem, i, sig;
1346         bool ismesh = false;
1347
1348         memset(&iwe, 0, sizeof(iwe));
1349         iwe.cmd = SIOCGIWAP;
1350         iwe.u.ap_addr.sa_family = ARPHRD_ETHER;
1351         memcpy(iwe.u.ap_addr.sa_data, bss->pub.bssid, ETH_ALEN);
1352         current_ev = iwe_stream_add_event(info, current_ev, end_buf, &iwe,
1353                                           IW_EV_ADDR_LEN);
1354
1355         memset(&iwe, 0, sizeof(iwe));
1356         iwe.cmd = SIOCGIWFREQ;
1357         iwe.u.freq.m = ieee80211_frequency_to_channel(bss->pub.channel->center_freq);
1358         iwe.u.freq.e = 0;
1359         current_ev = iwe_stream_add_event(info, current_ev, end_buf, &iwe,
1360                                           IW_EV_FREQ_LEN);
1361
1362         memset(&iwe, 0, sizeof(iwe));
1363         iwe.cmd = SIOCGIWFREQ;
1364         iwe.u.freq.m = bss->pub.channel->center_freq;
1365         iwe.u.freq.e = 6;
1366         current_ev = iwe_stream_add_event(info, current_ev, end_buf, &iwe,
1367                                           IW_EV_FREQ_LEN);
1368
1369         if (wiphy->signal_type != CFG80211_SIGNAL_TYPE_NONE) {
1370                 memset(&iwe, 0, sizeof(iwe));
1371                 iwe.cmd = IWEVQUAL;
1372                 iwe.u.qual.updated = IW_QUAL_LEVEL_UPDATED |
1373                                      IW_QUAL_NOISE_INVALID |
1374                                      IW_QUAL_QUAL_UPDATED;
1375                 switch (wiphy->signal_type) {
1376                 case CFG80211_SIGNAL_TYPE_MBM:
1377                         sig = bss->pub.signal / 100;
1378                         iwe.u.qual.level = sig;
1379                         iwe.u.qual.updated |= IW_QUAL_DBM;
1380                         if (sig < -110)         /* rather bad */
1381                                 sig = -110;
1382                         else if (sig > -40)     /* perfect */
1383                                 sig = -40;
1384                         /* will give a range of 0 .. 70 */
1385                         iwe.u.qual.qual = sig + 110;
1386                         break;
1387                 case CFG80211_SIGNAL_TYPE_UNSPEC:
1388                         iwe.u.qual.level = bss->pub.signal;
1389                         /* will give range 0 .. 100 */
1390                         iwe.u.qual.qual = bss->pub.signal;
1391                         break;
1392                 default:
1393                         /* not reached */
1394                         break;
1395                 }
1396                 current_ev = iwe_stream_add_event(info, current_ev, end_buf,
1397                                                   &iwe, IW_EV_QUAL_LEN);
1398         }
1399
1400         memset(&iwe, 0, sizeof(iwe));
1401         iwe.cmd = SIOCGIWENCODE;
1402         if (bss->pub.capability & WLAN_CAPABILITY_PRIVACY)
1403                 iwe.u.data.flags = IW_ENCODE_ENABLED | IW_ENCODE_NOKEY;
1404         else
1405                 iwe.u.data.flags = IW_ENCODE_DISABLED;
1406         iwe.u.data.length = 0;
1407         current_ev = iwe_stream_add_point(info, current_ev, end_buf,
1408                                           &iwe, "");
1409
1410         rcu_read_lock();
1411         ies = rcu_dereference(bss->pub.ies);
1412         rem = ies->len;
1413         ie = ies->data;
1414
1415         while (rem >= 2) {
1416                 /* invalid data */
1417                 if (ie[1] > rem - 2)
1418                         break;
1419
1420                 switch (ie[0]) {
1421                 case WLAN_EID_SSID:
1422                         memset(&iwe, 0, sizeof(iwe));
1423                         iwe.cmd = SIOCGIWESSID;
1424                         iwe.u.data.length = ie[1];
1425                         iwe.u.data.flags = 1;
1426                         current_ev = iwe_stream_add_point(info, current_ev, end_buf,
1427                                                           &iwe, (u8 *)ie + 2);
1428                         break;
1429                 case WLAN_EID_MESH_ID:
1430                         memset(&iwe, 0, sizeof(iwe));
1431                         iwe.cmd = SIOCGIWESSID;
1432                         iwe.u.data.length = ie[1];
1433                         iwe.u.data.flags = 1;
1434                         current_ev = iwe_stream_add_point(info, current_ev, end_buf,
1435                                                           &iwe, (u8 *)ie + 2);
1436                         break;
1437                 case WLAN_EID_MESH_CONFIG:
1438                         ismesh = true;
1439                         if (ie[1] != sizeof(struct ieee80211_meshconf_ie))
1440                                 break;
1441                         buf = kmalloc(50, GFP_ATOMIC);
1442                         if (!buf)
1443                                 break;
1444                         cfg = (u8 *)ie + 2;
1445                         memset(&iwe, 0, sizeof(iwe));
1446                         iwe.cmd = IWEVCUSTOM;
1447                         sprintf(buf, "Mesh Network Path Selection Protocol ID: "
1448                                 "0x%02X", cfg[0]);
1449                         iwe.u.data.length = strlen(buf);
1450                         current_ev = iwe_stream_add_point(info, current_ev,
1451                                                           end_buf,
1452                                                           &iwe, buf);
1453                         sprintf(buf, "Path Selection Metric ID: 0x%02X",
1454                                 cfg[1]);
1455                         iwe.u.data.length = strlen(buf);
1456                         current_ev = iwe_stream_add_point(info, current_ev,
1457                                                           end_buf,
1458                                                           &iwe, buf);
1459                         sprintf(buf, "Congestion Control Mode ID: 0x%02X",
1460                                 cfg[2]);
1461                         iwe.u.data.length = strlen(buf);
1462                         current_ev = iwe_stream_add_point(info, current_ev,
1463                                                           end_buf,
1464                                                           &iwe, buf);
1465                         sprintf(buf, "Synchronization ID: 0x%02X", cfg[3]);
1466                         iwe.u.data.length = strlen(buf);
1467                         current_ev = iwe_stream_add_point(info, current_ev,
1468                                                           end_buf,
1469                                                           &iwe, buf);
1470                         sprintf(buf, "Authentication ID: 0x%02X", cfg[4]);
1471                         iwe.u.data.length = strlen(buf);
1472                         current_ev = iwe_stream_add_point(info, current_ev,
1473                                                           end_buf,
1474                                                           &iwe, buf);
1475                         sprintf(buf, "Formation Info: 0x%02X", cfg[5]);
1476                         iwe.u.data.length = strlen(buf);
1477                         current_ev = iwe_stream_add_point(info, current_ev,
1478                                                           end_buf,
1479                                                           &iwe, buf);
1480                         sprintf(buf, "Capabilities: 0x%02X", cfg[6]);
1481                         iwe.u.data.length = strlen(buf);
1482                         current_ev = iwe_stream_add_point(info, current_ev,
1483                                                           end_buf,
1484                                                           &iwe, buf);
1485                         kfree(buf);
1486                         break;
1487                 case WLAN_EID_SUPP_RATES:
1488                 case WLAN_EID_EXT_SUPP_RATES:
1489                         /* display all supported rates in readable format */
1490                         p = current_ev + iwe_stream_lcp_len(info);
1491
1492                         memset(&iwe, 0, sizeof(iwe));
1493                         iwe.cmd = SIOCGIWRATE;
1494                         /* Those two flags are ignored... */
1495                         iwe.u.bitrate.fixed = iwe.u.bitrate.disabled = 0;
1496
1497                         for (i = 0; i < ie[1]; i++) {
1498                                 iwe.u.bitrate.value =
1499                                         ((ie[i + 2] & 0x7f) * 500000);
1500                                 p = iwe_stream_add_value(info, current_ev, p,
1501                                                 end_buf, &iwe, IW_EV_PARAM_LEN);
1502                         }
1503                         current_ev = p;
1504                         break;
1505                 }
1506                 rem -= ie[1] + 2;
1507                 ie += ie[1] + 2;
1508         }
1509
1510         if (bss->pub.capability & (WLAN_CAPABILITY_ESS | WLAN_CAPABILITY_IBSS) ||
1511             ismesh) {
1512                 memset(&iwe, 0, sizeof(iwe));
1513                 iwe.cmd = SIOCGIWMODE;
1514                 if (ismesh)
1515                         iwe.u.mode = IW_MODE_MESH;
1516                 else if (bss->pub.capability & WLAN_CAPABILITY_ESS)
1517                         iwe.u.mode = IW_MODE_MASTER;
1518                 else
1519                         iwe.u.mode = IW_MODE_ADHOC;
1520                 current_ev = iwe_stream_add_event(info, current_ev, end_buf,
1521                                                   &iwe, IW_EV_UINT_LEN);
1522         }
1523
1524         buf = kmalloc(31, GFP_ATOMIC);
1525         if (buf) {
1526                 memset(&iwe, 0, sizeof(iwe));
1527                 iwe.cmd = IWEVCUSTOM;
1528                 sprintf(buf, "tsf=%016llx", (unsigned long long)(ies->tsf));
1529                 iwe.u.data.length = strlen(buf);
1530                 current_ev = iwe_stream_add_point(info, current_ev, end_buf,
1531                                                   &iwe, buf);
1532                 memset(&iwe, 0, sizeof(iwe));
1533                 iwe.cmd = IWEVCUSTOM;
1534                 sprintf(buf, " Last beacon: %ums ago",
1535                         elapsed_jiffies_msecs(bss->ts));
1536                 iwe.u.data.length = strlen(buf);
1537                 current_ev = iwe_stream_add_point(info, current_ev,
1538                                                   end_buf, &iwe, buf);
1539                 kfree(buf);
1540         }
1541
1542         ieee80211_scan_add_ies(info, ies, &current_ev, end_buf);
1543         rcu_read_unlock();
1544
1545         return current_ev;
1546 }
1547
1548
1549 static int ieee80211_scan_results(struct cfg80211_registered_device *rdev,
1550                                   struct iw_request_info *info,
1551                                   char *buf, size_t len)
1552 {
1553         char *current_ev = buf;
1554         char *end_buf = buf + len;
1555         struct cfg80211_internal_bss *bss;
1556
1557         spin_lock_bh(&rdev->bss_lock);
1558         cfg80211_bss_expire(rdev);
1559
1560         list_for_each_entry(bss, &rdev->bss_list, list) {
1561                 if (buf + len - current_ev <= IW_EV_ADDR_LEN) {
1562                         spin_unlock_bh(&rdev->bss_lock);
1563                         return -E2BIG;
1564                 }
1565                 current_ev = ieee80211_bss(&rdev->wiphy, info, bss,
1566                                            current_ev, end_buf);
1567         }
1568         spin_unlock_bh(&rdev->bss_lock);
1569         return current_ev - buf;
1570 }
1571
1572
1573 int cfg80211_wext_giwscan(struct net_device *dev,
1574                           struct iw_request_info *info,
1575                           struct iw_point *data, char *extra)
1576 {
1577         struct cfg80211_registered_device *rdev;
1578         int res;
1579
1580         if (!netif_running(dev))
1581                 return -ENETDOWN;
1582
1583         rdev = cfg80211_get_dev_from_ifindex(dev_net(dev), dev->ifindex);
1584
1585         if (IS_ERR(rdev))
1586                 return PTR_ERR(rdev);
1587
1588         if (rdev->scan_req || rdev->scan_msg)
1589                 return -EAGAIN;
1590
1591         res = ieee80211_scan_results(rdev, info, extra, data->length);
1592         data->length = 0;
1593         if (res >= 0) {
1594                 data->length = res;
1595                 res = 0;
1596         }
1597
1598         return res;
1599 }
1600 EXPORT_SYMBOL_GPL(cfg80211_wext_giwscan);
1601 #endif