1 /* 2 * Scanning implementation 3 * 4 * Copyright 2003, Jouni Malinen <jkmaline@cc.hut.fi> 5 * Copyright 2004, Instant802 Networks, Inc. 6 * Copyright 2005, Devicescape Software, Inc. 7 * Copyright 2006-2007 Jiri Benc <jbenc@suse.cz> 8 * Copyright 2007, Michael Wu <flamingice@sourmilk.net> 9 * 10 * This program is free software; you can redistribute it and/or modify 11 * it under the terms of the GNU General Public License version 2 as 12 * published by the Free Software Foundation. 13 */ 14 15 /* TODO: figure out how to avoid that the "current BSS" expires */ 16 17 #include <linux/wireless.h> 18 #include <linux/if_arp.h> 19 #include <linux/rtnetlink.h> 20 #include <net/mac80211.h> 21 #include <net/iw_handler.h> 22 23 #include "ieee80211_i.h" 24 #include "driver-ops.h" 25 #include "mesh.h" 26 27 #define IEEE80211_PROBE_DELAY (HZ / 33) 28 #define IEEE80211_CHANNEL_TIME (HZ / 33) 29 #define IEEE80211_PASSIVE_CHANNEL_TIME (HZ / 5) 30 31 struct ieee80211_bss * 32 ieee80211_rx_bss_get(struct ieee80211_local *local, u8 *bssid, int freq, 33 u8 *ssid, u8 ssid_len) 34 { 35 return (void *)cfg80211_get_bss(local->hw.wiphy, 36 ieee80211_get_channel(local->hw.wiphy, 37 freq), 38 bssid, ssid, ssid_len, 39 0, 0); 40 } 41 42 static void ieee80211_rx_bss_free(struct cfg80211_bss *cbss) 43 { 44 struct ieee80211_bss *bss = (void *)cbss; 45 46 kfree(bss_mesh_id(bss)); 47 kfree(bss_mesh_cfg(bss)); 48 } 49 50 void ieee80211_rx_bss_put(struct ieee80211_local *local, 51 struct ieee80211_bss *bss) 52 { 53 cfg80211_put_bss((struct cfg80211_bss *)bss); 54 } 55 56 struct ieee80211_bss * 57 ieee80211_bss_info_update(struct ieee80211_local *local, 58 struct ieee80211_rx_status *rx_status, 59 struct ieee80211_mgmt *mgmt, 60 size_t len, 61 struct ieee802_11_elems *elems, 62 struct ieee80211_channel *channel, 63 bool beacon) 64 { 65 struct ieee80211_bss *bss; 66 int clen; 67 s32 signal = 0; 68 69 if (local->hw.flags & IEEE80211_HW_SIGNAL_DBM) 70 signal = rx_status->signal * 100; 71 else if (local->hw.flags & IEEE80211_HW_SIGNAL_UNSPEC) 72 signal = (rx_status->signal * 100) / local->hw.max_signal; 73 74 bss = (void *)cfg80211_inform_bss_frame(local->hw.wiphy, channel, 75 mgmt, len, signal, GFP_ATOMIC); 76 77 if (!bss) 78 return NULL; 79 80 bss->cbss.free_priv = ieee80211_rx_bss_free; 81 82 /* save the ERP value so that it is available at association time */ 83 if (elems->erp_info && elems->erp_info_len >= 1) { 84 bss->erp_value = elems->erp_info[0]; 85 bss->has_erp_value = 1; 86 } 87 88 if (elems->tim) { 89 struct ieee80211_tim_ie *tim_ie = 90 (struct ieee80211_tim_ie *)elems->tim; 91 bss->dtim_period = tim_ie->dtim_period; 92 } 93 94 /* set default value for buggy APs */ 95 if (!elems->tim || bss->dtim_period == 0) 96 bss->dtim_period = 1; 97 98 bss->supp_rates_len = 0; 99 if (elems->supp_rates) { 100 clen = IEEE80211_MAX_SUPP_RATES - bss->supp_rates_len; 101 if (clen > elems->supp_rates_len) 102 clen = elems->supp_rates_len; 103 memcpy(&bss->supp_rates[bss->supp_rates_len], elems->supp_rates, 104 clen); 105 bss->supp_rates_len += clen; 106 } 107 if (elems->ext_supp_rates) { 108 clen = IEEE80211_MAX_SUPP_RATES - bss->supp_rates_len; 109 if (clen > elems->ext_supp_rates_len) 110 clen = elems->ext_supp_rates_len; 111 memcpy(&bss->supp_rates[bss->supp_rates_len], 112 elems->ext_supp_rates, clen); 113 bss->supp_rates_len += clen; 114 } 115 116 bss->wmm_used = elems->wmm_param || elems->wmm_info; 117 118 if (!beacon) 119 bss->last_probe_resp = jiffies; 120 121 return bss; 122 } 123 124 void ieee80211_rx_bss_remove(struct ieee80211_sub_if_data *sdata, u8 *bssid, 125 int freq, u8 *ssid, u8 ssid_len) 126 { 127 struct ieee80211_bss *bss; 128 struct ieee80211_local *local = sdata->local; 129 130 bss = ieee80211_rx_bss_get(local, bssid, freq, ssid, ssid_len); 131 if (bss) { 132 cfg80211_unlink_bss(local->hw.wiphy, (void *)bss); 133 ieee80211_rx_bss_put(local, bss); 134 } 135 } 136 137 ieee80211_rx_result 138 ieee80211_scan_rx(struct ieee80211_sub_if_data *sdata, struct sk_buff *skb, 139 struct ieee80211_rx_status *rx_status) 140 { 141 struct ieee80211_mgmt *mgmt; 142 struct ieee80211_bss *bss; 143 u8 *elements; 144 struct ieee80211_channel *channel; 145 size_t baselen; 146 int freq; 147 __le16 fc; 148 bool presp, beacon = false; 149 struct ieee802_11_elems elems; 150 151 if (skb->len < 2) 152 return RX_DROP_UNUSABLE; 153 154 mgmt = (struct ieee80211_mgmt *) skb->data; 155 fc = mgmt->frame_control; 156 157 if (ieee80211_is_ctl(fc)) 158 return RX_CONTINUE; 159 160 if (skb->len < 24) 161 return RX_DROP_MONITOR; 162 163 presp = ieee80211_is_probe_resp(fc); 164 if (presp) { 165 /* ignore ProbeResp to foreign address */ 166 if (memcmp(mgmt->da, sdata->dev->dev_addr, ETH_ALEN)) 167 return RX_DROP_MONITOR; 168 169 presp = true; 170 elements = mgmt->u.probe_resp.variable; 171 baselen = offsetof(struct ieee80211_mgmt, u.probe_resp.variable); 172 } else { 173 beacon = ieee80211_is_beacon(fc); 174 baselen = offsetof(struct ieee80211_mgmt, u.beacon.variable); 175 elements = mgmt->u.beacon.variable; 176 } 177 178 if (!presp && !beacon) 179 return RX_CONTINUE; 180 181 if (baselen > skb->len) 182 return RX_DROP_MONITOR; 183 184 ieee802_11_parse_elems(elements, skb->len - baselen, &elems); 185 186 if (elems.ds_params && elems.ds_params_len == 1) 187 freq = ieee80211_channel_to_frequency(elems.ds_params[0]); 188 else 189 freq = rx_status->freq; 190 191 channel = ieee80211_get_channel(sdata->local->hw.wiphy, freq); 192 193 if (!channel || channel->flags & IEEE80211_CHAN_DISABLED) 194 return RX_DROP_MONITOR; 195 196 bss = ieee80211_bss_info_update(sdata->local, rx_status, 197 mgmt, skb->len, &elems, 198 channel, beacon); 199 if (bss) 200 ieee80211_rx_bss_put(sdata->local, bss); 201 202 dev_kfree_skb(skb); 203 return RX_QUEUED; 204 } 205 206 /* 207 * inform AP that we will go to sleep so that it will buffer the frames 208 * while we scan 209 */ 210 static void ieee80211_scan_ps_enable(struct ieee80211_sub_if_data *sdata) 211 { 212 struct ieee80211_local *local = sdata->local; 213 bool ps = false; 214 215 /* FIXME: what to do when local->pspolling is true? */ 216 217 del_timer_sync(&local->dynamic_ps_timer); 218 cancel_work_sync(&local->dynamic_ps_enable_work); 219 220 if (local->hw.conf.flags & IEEE80211_CONF_PS) { 221 ps = true; 222 local->hw.conf.flags &= ~IEEE80211_CONF_PS; 223 ieee80211_hw_config(local, IEEE80211_CONF_CHANGE_PS); 224 } 225 226 if (!ps || !(local->hw.flags & IEEE80211_HW_PS_NULLFUNC_STACK)) 227 /* 228 * If power save was enabled, no need to send a nullfunc 229 * frame because AP knows that we are sleeping. But if the 230 * hardware is creating the nullfunc frame for power save 231 * status (ie. IEEE80211_HW_PS_NULLFUNC_STACK is not 232 * enabled) and power save was enabled, the firmware just 233 * sent a null frame with power save disabled. So we need 234 * to send a new nullfunc frame to inform the AP that we 235 * are again sleeping. 236 */ 237 ieee80211_send_nullfunc(local, sdata, 1); 238 } 239 240 /* inform AP that we are awake again, unless power save is enabled */ 241 static void ieee80211_scan_ps_disable(struct ieee80211_sub_if_data *sdata) 242 { 243 struct ieee80211_local *local = sdata->local; 244 245 if (!local->ps_sdata) 246 ieee80211_send_nullfunc(local, sdata, 0); 247 else { 248 /* 249 * In !IEEE80211_HW_PS_NULLFUNC_STACK case the hardware 250 * will send a nullfunc frame with the powersave bit set 251 * even though the AP already knows that we are sleeping. 252 * This could be avoided by sending a null frame with power 253 * save bit disabled before enabling the power save, but 254 * this doesn't gain anything. 255 * 256 * When IEEE80211_HW_PS_NULLFUNC_STACK is enabled, no need 257 * to send a nullfunc frame because AP already knows that 258 * we are sleeping, let's just enable power save mode in 259 * hardware. 260 */ 261 local->hw.conf.flags |= IEEE80211_CONF_PS; 262 ieee80211_hw_config(local, IEEE80211_CONF_CHANGE_PS); 263 } 264 } 265 266 static void ieee80211_restore_scan_ies(struct ieee80211_local *local) 267 { 268 kfree(local->scan_req->ie); 269 local->scan_req->ie = local->orig_ies; 270 local->scan_req->ie_len = local->orig_ies_len; 271 } 272 273 void ieee80211_scan_completed(struct ieee80211_hw *hw, bool aborted) 274 { 275 struct ieee80211_local *local = hw_to_local(hw); 276 struct ieee80211_sub_if_data *sdata; 277 bool was_hw_scan; 278 279 mutex_lock(&local->scan_mtx); 280 281 if (WARN_ON(!local->hw_scanning && !local->sw_scanning)) { 282 mutex_unlock(&local->scan_mtx); 283 return; 284 } 285 286 if (WARN_ON(!local->scan_req)) { 287 mutex_unlock(&local->scan_mtx); 288 return; 289 } 290 291 if (local->hw_scanning) 292 ieee80211_restore_scan_ies(local); 293 294 if (local->scan_req != &local->int_scan_req) 295 cfg80211_scan_done(local->scan_req, aborted); 296 local->scan_req = NULL; 297 298 was_hw_scan = local->hw_scanning; 299 local->hw_scanning = false; 300 local->sw_scanning = false; 301 local->scan_channel = NULL; 302 303 /* we only have to protect scan_req and hw/sw scan */ 304 mutex_unlock(&local->scan_mtx); 305 306 ieee80211_hw_config(local, IEEE80211_CONF_CHANGE_CHANNEL); 307 if (was_hw_scan) 308 goto done; 309 310 netif_tx_lock_bh(local->mdev); 311 netif_addr_lock(local->mdev); 312 local->filter_flags &= ~FIF_BCN_PRBRESP_PROMISC; 313 drv_configure_filter(local, FIF_BCN_PRBRESP_PROMISC, 314 &local->filter_flags, 315 local->mdev->mc_count, 316 local->mdev->mc_list); 317 318 netif_addr_unlock(local->mdev); 319 netif_tx_unlock_bh(local->mdev); 320 321 drv_sw_scan_complete(local); 322 323 mutex_lock(&local->iflist_mtx); 324 list_for_each_entry(sdata, &local->interfaces, list) { 325 if (!netif_running(sdata->dev)) 326 continue; 327 328 /* Tell AP we're back */ 329 if (sdata->vif.type == NL80211_IFTYPE_STATION) { 330 if (sdata->u.mgd.flags & IEEE80211_STA_ASSOCIATED) { 331 ieee80211_scan_ps_disable(sdata); 332 netif_tx_wake_all_queues(sdata->dev); 333 } 334 } else 335 netif_tx_wake_all_queues(sdata->dev); 336 337 /* re-enable beaconing */ 338 if (sdata->vif.type == NL80211_IFTYPE_AP || 339 sdata->vif.type == NL80211_IFTYPE_ADHOC || 340 sdata->vif.type == NL80211_IFTYPE_MESH_POINT) 341 ieee80211_bss_info_change_notify( 342 sdata, BSS_CHANGED_BEACON_ENABLED); 343 } 344 mutex_unlock(&local->iflist_mtx); 345 346 done: 347 ieee80211_recalc_idle(local); 348 ieee80211_mlme_notify_scan_completed(local); 349 ieee80211_ibss_notify_scan_completed(local); 350 ieee80211_mesh_notify_scan_completed(local); 351 } 352 EXPORT_SYMBOL(ieee80211_scan_completed); 353 354 static int ieee80211_start_sw_scan(struct ieee80211_local *local) 355 { 356 struct ieee80211_sub_if_data *sdata; 357 358 /* 359 * Hardware/driver doesn't support hw_scan, so use software 360 * scanning instead. First send a nullfunc frame with power save 361 * bit on so that AP will buffer the frames for us while we are not 362 * listening, then send probe requests to each channel and wait for 363 * the responses. After all channels are scanned, tune back to the 364 * original channel and send a nullfunc frame with power save bit 365 * off to trigger the AP to send us all the buffered frames. 366 * 367 * Note that while local->sw_scanning is true everything else but 368 * nullfunc frames and probe requests will be dropped in 369 * ieee80211_tx_h_check_assoc(). 370 */ 371 drv_sw_scan_start(local); 372 373 mutex_lock(&local->iflist_mtx); 374 list_for_each_entry(sdata, &local->interfaces, list) { 375 if (!netif_running(sdata->dev)) 376 continue; 377 378 /* disable beaconing */ 379 if (sdata->vif.type == NL80211_IFTYPE_AP || 380 sdata->vif.type == NL80211_IFTYPE_ADHOC || 381 sdata->vif.type == NL80211_IFTYPE_MESH_POINT) 382 ieee80211_bss_info_change_notify( 383 sdata, BSS_CHANGED_BEACON_ENABLED); 384 385 if (sdata->vif.type == NL80211_IFTYPE_STATION) { 386 if (sdata->u.mgd.flags & IEEE80211_STA_ASSOCIATED) { 387 netif_tx_stop_all_queues(sdata->dev); 388 ieee80211_scan_ps_enable(sdata); 389 } 390 } else 391 netif_tx_stop_all_queues(sdata->dev); 392 } 393 mutex_unlock(&local->iflist_mtx); 394 395 local->scan_state = SCAN_SET_CHANNEL; 396 local->scan_channel_idx = 0; 397 398 netif_addr_lock_bh(local->mdev); 399 local->filter_flags |= FIF_BCN_PRBRESP_PROMISC; 400 drv_configure_filter(local, FIF_BCN_PRBRESP_PROMISC, 401 &local->filter_flags, 402 local->mdev->mc_count, 403 local->mdev->mc_list); 404 netif_addr_unlock_bh(local->mdev); 405 406 /* TODO: start scan as soon as all nullfunc frames are ACKed */ 407 queue_delayed_work(local->hw.workqueue, &local->scan_work, 408 IEEE80211_CHANNEL_TIME); 409 410 return 0; 411 } 412 413 414 static int __ieee80211_start_scan(struct ieee80211_sub_if_data *sdata, 415 struct cfg80211_scan_request *req) 416 { 417 struct ieee80211_local *local = sdata->local; 418 struct ieee80211_if_managed *ifmgd = &sdata->u.mgd; 419 int rc; 420 421 if (local->scan_req) 422 return -EBUSY; 423 424 if (local->ops->hw_scan) { 425 u8 *ies; 426 int ielen; 427 428 ies = kmalloc(2 + IEEE80211_MAX_SSID_LEN + 429 local->scan_ies_len + req->ie_len, GFP_KERNEL); 430 if (!ies) 431 return -ENOMEM; 432 433 ielen = ieee80211_build_preq_ies(local, ies, 434 req->ie, req->ie_len); 435 local->orig_ies = req->ie; 436 local->orig_ies_len = req->ie_len; 437 req->ie = ies; 438 req->ie_len = ielen; 439 } 440 441 local->scan_req = req; 442 local->scan_sdata = sdata; 443 444 if (req != &local->int_scan_req && 445 sdata->vif.type == NL80211_IFTYPE_STATION && 446 (ifmgd->state == IEEE80211_STA_MLME_DIRECT_PROBE || 447 ifmgd->state == IEEE80211_STA_MLME_AUTHENTICATE || 448 ifmgd->state == IEEE80211_STA_MLME_ASSOCIATE)) { 449 /* actually wait for the assoc to finish/time out */ 450 set_bit(IEEE80211_STA_REQ_SCAN, &ifmgd->request); 451 return 0; 452 } 453 454 if (local->ops->hw_scan) 455 local->hw_scanning = true; 456 else 457 local->sw_scanning = true; 458 /* 459 * Kicking off the scan need not be protected, 460 * only the scan variable stuff, since now 461 * local->scan_req is assigned and other callers 462 * will abort their scan attempts. 463 * 464 * This avoids getting a scan_mtx -> iflist_mtx 465 * dependency, so that the scan completed calls 466 * have more locking freedom. 467 */ 468 469 ieee80211_recalc_idle(local); 470 mutex_unlock(&local->scan_mtx); 471 472 if (local->ops->hw_scan) 473 rc = drv_hw_scan(local, local->scan_req); 474 else 475 rc = ieee80211_start_sw_scan(local); 476 477 mutex_lock(&local->scan_mtx); 478 479 if (rc) { 480 if (local->ops->hw_scan) { 481 local->hw_scanning = false; 482 ieee80211_restore_scan_ies(local); 483 } else 484 local->sw_scanning = false; 485 486 ieee80211_recalc_idle(local); 487 488 local->scan_req = NULL; 489 local->scan_sdata = NULL; 490 } 491 492 return rc; 493 } 494 495 void ieee80211_scan_work(struct work_struct *work) 496 { 497 struct ieee80211_local *local = 498 container_of(work, struct ieee80211_local, scan_work.work); 499 struct ieee80211_sub_if_data *sdata = local->scan_sdata; 500 struct ieee80211_channel *chan; 501 int skip, i; 502 unsigned long next_delay = 0; 503 504 mutex_lock(&local->scan_mtx); 505 if (!sdata || !local->scan_req) { 506 mutex_unlock(&local->scan_mtx); 507 return; 508 } 509 510 if (local->scan_req && !(local->sw_scanning || local->hw_scanning)) { 511 struct cfg80211_scan_request *req = local->scan_req; 512 int rc; 513 514 local->scan_req = NULL; 515 516 rc = __ieee80211_start_scan(sdata, req); 517 mutex_unlock(&local->scan_mtx); 518 519 if (rc) 520 ieee80211_scan_completed(&local->hw, true); 521 return; 522 } 523 524 mutex_unlock(&local->scan_mtx); 525 526 /* 527 * Avoid re-scheduling when the sdata is going away. 528 */ 529 if (!netif_running(sdata->dev)) { 530 ieee80211_scan_completed(&local->hw, true); 531 return; 532 } 533 534 switch (local->scan_state) { 535 case SCAN_SET_CHANNEL: 536 /* if no more bands/channels left, complete scan */ 537 if (local->scan_channel_idx >= local->scan_req->n_channels) { 538 ieee80211_scan_completed(&local->hw, false); 539 return; 540 } 541 skip = 0; 542 chan = local->scan_req->channels[local->scan_channel_idx]; 543 544 if (chan->flags & IEEE80211_CHAN_DISABLED || 545 (sdata->vif.type == NL80211_IFTYPE_ADHOC && 546 chan->flags & IEEE80211_CHAN_NO_IBSS)) 547 skip = 1; 548 549 if (!skip) { 550 local->scan_channel = chan; 551 if (ieee80211_hw_config(local, 552 IEEE80211_CONF_CHANGE_CHANNEL)) 553 skip = 1; 554 } 555 556 /* advance state machine to next channel/band */ 557 local->scan_channel_idx++; 558 559 if (skip) 560 break; 561 562 /* 563 * Probe delay is used to update the NAV, cf. 11.1.3.2.2 564 * (which unfortunately doesn't say _why_ step a) is done, 565 * but it waits for the probe delay or until a frame is 566 * received - and the received frame would update the NAV). 567 * For now, we do not support waiting until a frame is 568 * received. 569 * 570 * In any case, it is not necessary for a passive scan. 571 */ 572 if (chan->flags & IEEE80211_CHAN_PASSIVE_SCAN || 573 !local->scan_req->n_ssids) { 574 next_delay = IEEE80211_PASSIVE_CHANNEL_TIME; 575 break; 576 } 577 578 next_delay = IEEE80211_PROBE_DELAY; 579 local->scan_state = SCAN_SEND_PROBE; 580 break; 581 case SCAN_SEND_PROBE: 582 for (i = 0; i < local->scan_req->n_ssids; i++) 583 ieee80211_send_probe_req( 584 sdata, NULL, 585 local->scan_req->ssids[i].ssid, 586 local->scan_req->ssids[i].ssid_len, 587 local->scan_req->ie, local->scan_req->ie_len); 588 589 /* 590 * After sending probe requests, wait for probe responses 591 * on the channel. 592 */ 593 next_delay = IEEE80211_CHANNEL_TIME; 594 local->scan_state = SCAN_SET_CHANNEL; 595 break; 596 } 597 598 queue_delayed_work(local->hw.workqueue, &local->scan_work, 599 next_delay); 600 } 601 602 int ieee80211_request_scan(struct ieee80211_sub_if_data *sdata, 603 struct cfg80211_scan_request *req) 604 { 605 int res; 606 607 mutex_lock(&sdata->local->scan_mtx); 608 res = __ieee80211_start_scan(sdata, req); 609 mutex_unlock(&sdata->local->scan_mtx); 610 611 return res; 612 } 613 614 int ieee80211_request_internal_scan(struct ieee80211_sub_if_data *sdata, 615 const u8 *ssid, u8 ssid_len) 616 { 617 struct ieee80211_local *local = sdata->local; 618 int ret = -EBUSY; 619 620 mutex_lock(&local->scan_mtx); 621 622 /* busy scanning */ 623 if (local->scan_req) 624 goto unlock; 625 626 memcpy(local->int_scan_req.ssids[0].ssid, ssid, IEEE80211_MAX_SSID_LEN); 627 local->int_scan_req.ssids[0].ssid_len = ssid_len; 628 629 ret = __ieee80211_start_scan(sdata, &sdata->local->int_scan_req); 630 unlock: 631 mutex_unlock(&local->scan_mtx); 632 return ret; 633 } 634 635 void ieee80211_scan_cancel(struct ieee80211_local *local) 636 { 637 bool swscan; 638 639 cancel_delayed_work_sync(&local->scan_work); 640 641 /* 642 * Only call this function when a scan can't be 643 * queued -- mostly at suspend under RTNL. 644 */ 645 mutex_lock(&local->scan_mtx); 646 swscan = local->sw_scanning; 647 mutex_unlock(&local->scan_mtx); 648 649 if (swscan) 650 ieee80211_scan_completed(&local->hw, true); 651 } 652