xref: /openbmc/linux/net/wireless/scan.c (revision fa7f32422ea1ac276b45b96a540ed5981caaa61f)
1 /*
2  * cfg80211 scan result handling
3  *
4  * Copyright 2008 Johannes Berg <johannes@sipsolutions.net>
5  * Copyright 2013-2014  Intel Mobile Communications GmbH
6  * Copyright 2016	Intel Deutschland GmbH
7  */
8 #include <linux/kernel.h>
9 #include <linux/slab.h>
10 #include <linux/module.h>
11 #include <linux/netdevice.h>
12 #include <linux/wireless.h>
13 #include <linux/nl80211.h>
14 #include <linux/etherdevice.h>
15 #include <net/arp.h>
16 #include <net/cfg80211.h>
17 #include <net/cfg80211-wext.h>
18 #include <net/iw_handler.h>
19 #include "core.h"
20 #include "nl80211.h"
21 #include "wext-compat.h"
22 #include "rdev-ops.h"
23 
24 /**
25  * DOC: BSS tree/list structure
26  *
27  * At the top level, the BSS list is kept in both a list in each
28  * registered device (@bss_list) as well as an RB-tree for faster
29  * lookup. In the RB-tree, entries can be looked up using their
30  * channel, MESHID, MESHCONF (for MBSSes) or channel, BSSID, SSID
31  * for other BSSes.
32  *
33  * Due to the possibility of hidden SSIDs, there's a second level
34  * structure, the "hidden_list" and "hidden_beacon_bss" pointer.
35  * The hidden_list connects all BSSes belonging to a single AP
36  * that has a hidden SSID, and connects beacon and probe response
37  * entries. For a probe response entry for a hidden SSID, the
38  * hidden_beacon_bss pointer points to the BSS struct holding the
39  * beacon's information.
40  *
41  * Reference counting is done for all these references except for
42  * the hidden_list, so that a beacon BSS struct that is otherwise
43  * not referenced has one reference for being on the bss_list and
44  * one for each probe response entry that points to it using the
45  * hidden_beacon_bss pointer. When a BSS struct that has such a
46  * pointer is get/put, the refcount update is also propagated to
47  * the referenced struct, this ensure that it cannot get removed
48  * while somebody is using the probe response version.
49  *
50  * Note that the hidden_beacon_bss pointer never changes, due to
51  * the reference counting. Therefore, no locking is needed for
52  * it.
53  *
54  * Also note that the hidden_beacon_bss pointer is only relevant
55  * if the driver uses something other than the IEs, e.g. private
56  * data stored stored in the BSS struct, since the beacon IEs are
57  * also linked into the probe response struct.
58  */
59 
60 #define IEEE80211_SCAN_RESULT_EXPIRE	(30 * HZ)
61 
62 static void bss_free(struct cfg80211_internal_bss *bss)
63 {
64 	struct cfg80211_bss_ies *ies;
65 
66 	if (WARN_ON(atomic_read(&bss->hold)))
67 		return;
68 
69 	ies = (void *)rcu_access_pointer(bss->pub.beacon_ies);
70 	if (ies && !bss->pub.hidden_beacon_bss)
71 		kfree_rcu(ies, rcu_head);
72 	ies = (void *)rcu_access_pointer(bss->pub.proberesp_ies);
73 	if (ies)
74 		kfree_rcu(ies, rcu_head);
75 
76 	/*
77 	 * This happens when the module is removed, it doesn't
78 	 * really matter any more save for completeness
79 	 */
80 	if (!list_empty(&bss->hidden_list))
81 		list_del(&bss->hidden_list);
82 
83 	kfree(bss);
84 }
85 
86 static inline void bss_ref_get(struct cfg80211_registered_device *rdev,
87 			       struct cfg80211_internal_bss *bss)
88 {
89 	lockdep_assert_held(&rdev->bss_lock);
90 
91 	bss->refcount++;
92 	if (bss->pub.hidden_beacon_bss) {
93 		bss = container_of(bss->pub.hidden_beacon_bss,
94 				   struct cfg80211_internal_bss,
95 				   pub);
96 		bss->refcount++;
97 	}
98 }
99 
100 static inline void bss_ref_put(struct cfg80211_registered_device *rdev,
101 			       struct cfg80211_internal_bss *bss)
102 {
103 	lockdep_assert_held(&rdev->bss_lock);
104 
105 	if (bss->pub.hidden_beacon_bss) {
106 		struct cfg80211_internal_bss *hbss;
107 		hbss = container_of(bss->pub.hidden_beacon_bss,
108 				    struct cfg80211_internal_bss,
109 				    pub);
110 		hbss->refcount--;
111 		if (hbss->refcount == 0)
112 			bss_free(hbss);
113 	}
114 	bss->refcount--;
115 	if (bss->refcount == 0)
116 		bss_free(bss);
117 }
118 
119 static bool __cfg80211_unlink_bss(struct cfg80211_registered_device *rdev,
120 				  struct cfg80211_internal_bss *bss)
121 {
122 	lockdep_assert_held(&rdev->bss_lock);
123 
124 	if (!list_empty(&bss->hidden_list)) {
125 		/*
126 		 * don't remove the beacon entry if it has
127 		 * probe responses associated with it
128 		 */
129 		if (!bss->pub.hidden_beacon_bss)
130 			return false;
131 		/*
132 		 * if it's a probe response entry break its
133 		 * link to the other entries in the group
134 		 */
135 		list_del_init(&bss->hidden_list);
136 	}
137 
138 	list_del_init(&bss->list);
139 	rb_erase(&bss->rbn, &rdev->bss_tree);
140 	bss_ref_put(rdev, bss);
141 	return true;
142 }
143 
144 static void __cfg80211_bss_expire(struct cfg80211_registered_device *rdev,
145 				  unsigned long expire_time)
146 {
147 	struct cfg80211_internal_bss *bss, *tmp;
148 	bool expired = false;
149 
150 	lockdep_assert_held(&rdev->bss_lock);
151 
152 	list_for_each_entry_safe(bss, tmp, &rdev->bss_list, list) {
153 		if (atomic_read(&bss->hold))
154 			continue;
155 		if (!time_after(expire_time, bss->ts))
156 			continue;
157 
158 		if (__cfg80211_unlink_bss(rdev, bss))
159 			expired = true;
160 	}
161 
162 	if (expired)
163 		rdev->bss_generation++;
164 }
165 
166 void ___cfg80211_scan_done(struct cfg80211_registered_device *rdev,
167 			   bool send_message)
168 {
169 	struct cfg80211_scan_request *request;
170 	struct wireless_dev *wdev;
171 	struct sk_buff *msg;
172 #ifdef CONFIG_CFG80211_WEXT
173 	union iwreq_data wrqu;
174 #endif
175 
176 	ASSERT_RTNL();
177 
178 	if (rdev->scan_msg) {
179 		nl80211_send_scan_result(rdev, rdev->scan_msg);
180 		rdev->scan_msg = NULL;
181 		return;
182 	}
183 
184 	request = rdev->scan_req;
185 	if (!request)
186 		return;
187 
188 	wdev = request->wdev;
189 
190 	/*
191 	 * This must be before sending the other events!
192 	 * Otherwise, wpa_supplicant gets completely confused with
193 	 * wext events.
194 	 */
195 	if (wdev->netdev)
196 		cfg80211_sme_scan_done(wdev->netdev);
197 
198 	if (!request->info.aborted &&
199 	    request->flags & NL80211_SCAN_FLAG_FLUSH) {
200 		/* flush entries from previous scans */
201 		spin_lock_bh(&rdev->bss_lock);
202 		__cfg80211_bss_expire(rdev, request->scan_start);
203 		spin_unlock_bh(&rdev->bss_lock);
204 	}
205 
206 	msg = nl80211_build_scan_msg(rdev, wdev, request->info.aborted);
207 
208 #ifdef CONFIG_CFG80211_WEXT
209 	if (wdev->netdev && !request->info.aborted) {
210 		memset(&wrqu, 0, sizeof(wrqu));
211 
212 		wireless_send_event(wdev->netdev, SIOCGIWSCAN, &wrqu, NULL);
213 	}
214 #endif
215 
216 	if (wdev->netdev)
217 		dev_put(wdev->netdev);
218 
219 	rdev->scan_req = NULL;
220 	kfree(request);
221 
222 	if (!send_message)
223 		rdev->scan_msg = msg;
224 	else
225 		nl80211_send_scan_result(rdev, msg);
226 }
227 
228 void __cfg80211_scan_done(struct work_struct *wk)
229 {
230 	struct cfg80211_registered_device *rdev;
231 
232 	rdev = container_of(wk, struct cfg80211_registered_device,
233 			    scan_done_wk);
234 
235 	rtnl_lock();
236 	___cfg80211_scan_done(rdev, true);
237 	rtnl_unlock();
238 }
239 
240 void cfg80211_scan_done(struct cfg80211_scan_request *request,
241 			struct cfg80211_scan_info *info)
242 {
243 	trace_cfg80211_scan_done(request, info);
244 	WARN_ON(request != wiphy_to_rdev(request->wiphy)->scan_req);
245 
246 	request->info = *info;
247 	request->notified = true;
248 	queue_work(cfg80211_wq, &wiphy_to_rdev(request->wiphy)->scan_done_wk);
249 }
250 EXPORT_SYMBOL(cfg80211_scan_done);
251 
252 void __cfg80211_sched_scan_results(struct work_struct *wk)
253 {
254 	struct cfg80211_registered_device *rdev;
255 	struct cfg80211_sched_scan_request *request;
256 
257 	rdev = container_of(wk, struct cfg80211_registered_device,
258 			    sched_scan_results_wk);
259 
260 	rtnl_lock();
261 
262 	request = rtnl_dereference(rdev->sched_scan_req);
263 
264 	/* we don't have sched_scan_req anymore if the scan is stopping */
265 	if (request) {
266 		if (request->flags & NL80211_SCAN_FLAG_FLUSH) {
267 			/* flush entries from previous scans */
268 			spin_lock_bh(&rdev->bss_lock);
269 			__cfg80211_bss_expire(rdev, request->scan_start);
270 			spin_unlock_bh(&rdev->bss_lock);
271 			request->scan_start = jiffies;
272 		}
273 		nl80211_send_sched_scan_results(rdev, request->dev);
274 	}
275 
276 	rtnl_unlock();
277 }
278 
279 void cfg80211_sched_scan_results(struct wiphy *wiphy)
280 {
281 	trace_cfg80211_sched_scan_results(wiphy);
282 	/* ignore if we're not scanning */
283 
284 	if (rcu_access_pointer(wiphy_to_rdev(wiphy)->sched_scan_req))
285 		queue_work(cfg80211_wq,
286 			   &wiphy_to_rdev(wiphy)->sched_scan_results_wk);
287 }
288 EXPORT_SYMBOL(cfg80211_sched_scan_results);
289 
290 void cfg80211_sched_scan_stopped_rtnl(struct wiphy *wiphy)
291 {
292 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
293 
294 	ASSERT_RTNL();
295 
296 	trace_cfg80211_sched_scan_stopped(wiphy);
297 
298 	__cfg80211_stop_sched_scan(rdev, true);
299 }
300 EXPORT_SYMBOL(cfg80211_sched_scan_stopped_rtnl);
301 
302 void cfg80211_sched_scan_stopped(struct wiphy *wiphy)
303 {
304 	rtnl_lock();
305 	cfg80211_sched_scan_stopped_rtnl(wiphy);
306 	rtnl_unlock();
307 }
308 EXPORT_SYMBOL(cfg80211_sched_scan_stopped);
309 
310 int __cfg80211_stop_sched_scan(struct cfg80211_registered_device *rdev,
311 			       bool driver_initiated)
312 {
313 	struct cfg80211_sched_scan_request *sched_scan_req;
314 	struct net_device *dev;
315 
316 	ASSERT_RTNL();
317 
318 	if (!rdev->sched_scan_req)
319 		return -ENOENT;
320 
321 	sched_scan_req = rtnl_dereference(rdev->sched_scan_req);
322 	dev = sched_scan_req->dev;
323 
324 	if (!driver_initiated) {
325 		int err = rdev_sched_scan_stop(rdev, dev);
326 		if (err)
327 			return err;
328 	}
329 
330 	nl80211_send_sched_scan(rdev, dev, NL80211_CMD_SCHED_SCAN_STOPPED);
331 
332 	RCU_INIT_POINTER(rdev->sched_scan_req, NULL);
333 	kfree_rcu(sched_scan_req, rcu_head);
334 
335 	return 0;
336 }
337 
338 void cfg80211_bss_age(struct cfg80211_registered_device *rdev,
339                       unsigned long age_secs)
340 {
341 	struct cfg80211_internal_bss *bss;
342 	unsigned long age_jiffies = msecs_to_jiffies(age_secs * MSEC_PER_SEC);
343 
344 	spin_lock_bh(&rdev->bss_lock);
345 	list_for_each_entry(bss, &rdev->bss_list, list)
346 		bss->ts -= age_jiffies;
347 	spin_unlock_bh(&rdev->bss_lock);
348 }
349 
350 void cfg80211_bss_expire(struct cfg80211_registered_device *rdev)
351 {
352 	__cfg80211_bss_expire(rdev, jiffies - IEEE80211_SCAN_RESULT_EXPIRE);
353 }
354 
355 const u8 *cfg80211_find_ie_match(u8 eid, const u8 *ies, int len,
356 				 const u8 *match, int match_len,
357 				 int match_offset)
358 {
359 	/* match_offset can't be smaller than 2, unless match_len is
360 	 * zero, in which case match_offset must be zero as well.
361 	 */
362 	if (WARN_ON((match_len && match_offset < 2) ||
363 		    (!match_len && match_offset)))
364 		return NULL;
365 
366 	while (len >= 2 && len >= ies[1] + 2) {
367 		if ((ies[0] == eid) &&
368 		    (ies[1] + 2 >= match_offset + match_len) &&
369 		    !memcmp(ies + match_offset, match, match_len))
370 			return ies;
371 
372 		len -= ies[1] + 2;
373 		ies += ies[1] + 2;
374 	}
375 
376 	return NULL;
377 }
378 EXPORT_SYMBOL(cfg80211_find_ie_match);
379 
380 const u8 *cfg80211_find_vendor_ie(unsigned int oui, int oui_type,
381 				  const u8 *ies, int len)
382 {
383 	const u8 *ie;
384 	u8 match[] = { oui >> 16, oui >> 8, oui, oui_type };
385 	int match_len = (oui_type < 0) ? 3 : sizeof(match);
386 
387 	if (WARN_ON(oui_type > 0xff))
388 		return NULL;
389 
390 	ie = cfg80211_find_ie_match(WLAN_EID_VENDOR_SPECIFIC, ies, len,
391 				    match, match_len, 2);
392 
393 	if (ie && (ie[1] < 4))
394 		return NULL;
395 
396 	return ie;
397 }
398 EXPORT_SYMBOL(cfg80211_find_vendor_ie);
399 
400 static bool is_bss(struct cfg80211_bss *a, const u8 *bssid,
401 		   const u8 *ssid, size_t ssid_len)
402 {
403 	const struct cfg80211_bss_ies *ies;
404 	const u8 *ssidie;
405 
406 	if (bssid && !ether_addr_equal(a->bssid, bssid))
407 		return false;
408 
409 	if (!ssid)
410 		return true;
411 
412 	ies = rcu_access_pointer(a->ies);
413 	if (!ies)
414 		return false;
415 	ssidie = cfg80211_find_ie(WLAN_EID_SSID, ies->data, ies->len);
416 	if (!ssidie)
417 		return false;
418 	if (ssidie[1] != ssid_len)
419 		return false;
420 	return memcmp(ssidie + 2, ssid, ssid_len) == 0;
421 }
422 
423 /**
424  * enum bss_compare_mode - BSS compare mode
425  * @BSS_CMP_REGULAR: regular compare mode (for insertion and normal find)
426  * @BSS_CMP_HIDE_ZLEN: find hidden SSID with zero-length mode
427  * @BSS_CMP_HIDE_NUL: find hidden SSID with NUL-ed out mode
428  */
429 enum bss_compare_mode {
430 	BSS_CMP_REGULAR,
431 	BSS_CMP_HIDE_ZLEN,
432 	BSS_CMP_HIDE_NUL,
433 };
434 
435 static int cmp_bss(struct cfg80211_bss *a,
436 		   struct cfg80211_bss *b,
437 		   enum bss_compare_mode mode)
438 {
439 	const struct cfg80211_bss_ies *a_ies, *b_ies;
440 	const u8 *ie1 = NULL;
441 	const u8 *ie2 = NULL;
442 	int i, r;
443 
444 	if (a->channel != b->channel)
445 		return b->channel->center_freq - a->channel->center_freq;
446 
447 	a_ies = rcu_access_pointer(a->ies);
448 	if (!a_ies)
449 		return -1;
450 	b_ies = rcu_access_pointer(b->ies);
451 	if (!b_ies)
452 		return 1;
453 
454 	if (WLAN_CAPABILITY_IS_STA_BSS(a->capability))
455 		ie1 = cfg80211_find_ie(WLAN_EID_MESH_ID,
456 				       a_ies->data, a_ies->len);
457 	if (WLAN_CAPABILITY_IS_STA_BSS(b->capability))
458 		ie2 = cfg80211_find_ie(WLAN_EID_MESH_ID,
459 				       b_ies->data, b_ies->len);
460 	if (ie1 && ie2) {
461 		int mesh_id_cmp;
462 
463 		if (ie1[1] == ie2[1])
464 			mesh_id_cmp = memcmp(ie1 + 2, ie2 + 2, ie1[1]);
465 		else
466 			mesh_id_cmp = ie2[1] - ie1[1];
467 
468 		ie1 = cfg80211_find_ie(WLAN_EID_MESH_CONFIG,
469 				       a_ies->data, a_ies->len);
470 		ie2 = cfg80211_find_ie(WLAN_EID_MESH_CONFIG,
471 				       b_ies->data, b_ies->len);
472 		if (ie1 && ie2) {
473 			if (mesh_id_cmp)
474 				return mesh_id_cmp;
475 			if (ie1[1] != ie2[1])
476 				return ie2[1] - ie1[1];
477 			return memcmp(ie1 + 2, ie2 + 2, ie1[1]);
478 		}
479 	}
480 
481 	r = memcmp(a->bssid, b->bssid, sizeof(a->bssid));
482 	if (r)
483 		return r;
484 
485 	ie1 = cfg80211_find_ie(WLAN_EID_SSID, a_ies->data, a_ies->len);
486 	ie2 = cfg80211_find_ie(WLAN_EID_SSID, b_ies->data, b_ies->len);
487 
488 	if (!ie1 && !ie2)
489 		return 0;
490 
491 	/*
492 	 * Note that with "hide_ssid", the function returns a match if
493 	 * the already-present BSS ("b") is a hidden SSID beacon for
494 	 * the new BSS ("a").
495 	 */
496 
497 	/* sort missing IE before (left of) present IE */
498 	if (!ie1)
499 		return -1;
500 	if (!ie2)
501 		return 1;
502 
503 	switch (mode) {
504 	case BSS_CMP_HIDE_ZLEN:
505 		/*
506 		 * In ZLEN mode we assume the BSS entry we're
507 		 * looking for has a zero-length SSID. So if
508 		 * the one we're looking at right now has that,
509 		 * return 0. Otherwise, return the difference
510 		 * in length, but since we're looking for the
511 		 * 0-length it's really equivalent to returning
512 		 * the length of the one we're looking at.
513 		 *
514 		 * No content comparison is needed as we assume
515 		 * the content length is zero.
516 		 */
517 		return ie2[1];
518 	case BSS_CMP_REGULAR:
519 	default:
520 		/* sort by length first, then by contents */
521 		if (ie1[1] != ie2[1])
522 			return ie2[1] - ie1[1];
523 		return memcmp(ie1 + 2, ie2 + 2, ie1[1]);
524 	case BSS_CMP_HIDE_NUL:
525 		if (ie1[1] != ie2[1])
526 			return ie2[1] - ie1[1];
527 		/* this is equivalent to memcmp(zeroes, ie2 + 2, len) */
528 		for (i = 0; i < ie2[1]; i++)
529 			if (ie2[i + 2])
530 				return -1;
531 		return 0;
532 	}
533 }
534 
535 static bool cfg80211_bss_type_match(u16 capability,
536 				    enum nl80211_band band,
537 				    enum ieee80211_bss_type bss_type)
538 {
539 	bool ret = true;
540 	u16 mask, val;
541 
542 	if (bss_type == IEEE80211_BSS_TYPE_ANY)
543 		return ret;
544 
545 	if (band == NL80211_BAND_60GHZ) {
546 		mask = WLAN_CAPABILITY_DMG_TYPE_MASK;
547 		switch (bss_type) {
548 		case IEEE80211_BSS_TYPE_ESS:
549 			val = WLAN_CAPABILITY_DMG_TYPE_AP;
550 			break;
551 		case IEEE80211_BSS_TYPE_PBSS:
552 			val = WLAN_CAPABILITY_DMG_TYPE_PBSS;
553 			break;
554 		case IEEE80211_BSS_TYPE_IBSS:
555 			val = WLAN_CAPABILITY_DMG_TYPE_IBSS;
556 			break;
557 		default:
558 			return false;
559 		}
560 	} else {
561 		mask = WLAN_CAPABILITY_ESS | WLAN_CAPABILITY_IBSS;
562 		switch (bss_type) {
563 		case IEEE80211_BSS_TYPE_ESS:
564 			val = WLAN_CAPABILITY_ESS;
565 			break;
566 		case IEEE80211_BSS_TYPE_IBSS:
567 			val = WLAN_CAPABILITY_IBSS;
568 			break;
569 		case IEEE80211_BSS_TYPE_MBSS:
570 			val = 0;
571 			break;
572 		default:
573 			return false;
574 		}
575 	}
576 
577 	ret = ((capability & mask) == val);
578 	return ret;
579 }
580 
581 /* Returned bss is reference counted and must be cleaned up appropriately. */
582 struct cfg80211_bss *cfg80211_get_bss(struct wiphy *wiphy,
583 				      struct ieee80211_channel *channel,
584 				      const u8 *bssid,
585 				      const u8 *ssid, size_t ssid_len,
586 				      enum ieee80211_bss_type bss_type,
587 				      enum ieee80211_privacy privacy)
588 {
589 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
590 	struct cfg80211_internal_bss *bss, *res = NULL;
591 	unsigned long now = jiffies;
592 	int bss_privacy;
593 
594 	trace_cfg80211_get_bss(wiphy, channel, bssid, ssid, ssid_len, bss_type,
595 			       privacy);
596 
597 	spin_lock_bh(&rdev->bss_lock);
598 
599 	list_for_each_entry(bss, &rdev->bss_list, list) {
600 		if (!cfg80211_bss_type_match(bss->pub.capability,
601 					     bss->pub.channel->band, bss_type))
602 			continue;
603 
604 		bss_privacy = (bss->pub.capability & WLAN_CAPABILITY_PRIVACY);
605 		if ((privacy == IEEE80211_PRIVACY_ON && !bss_privacy) ||
606 		    (privacy == IEEE80211_PRIVACY_OFF && bss_privacy))
607 			continue;
608 		if (channel && bss->pub.channel != channel)
609 			continue;
610 		if (!is_valid_ether_addr(bss->pub.bssid))
611 			continue;
612 		/* Don't get expired BSS structs */
613 		if (time_after(now, bss->ts + IEEE80211_SCAN_RESULT_EXPIRE) &&
614 		    !atomic_read(&bss->hold))
615 			continue;
616 		if (is_bss(&bss->pub, bssid, ssid, ssid_len)) {
617 			res = bss;
618 			bss_ref_get(rdev, res);
619 			break;
620 		}
621 	}
622 
623 	spin_unlock_bh(&rdev->bss_lock);
624 	if (!res)
625 		return NULL;
626 	trace_cfg80211_return_bss(&res->pub);
627 	return &res->pub;
628 }
629 EXPORT_SYMBOL(cfg80211_get_bss);
630 
631 static void rb_insert_bss(struct cfg80211_registered_device *rdev,
632 			  struct cfg80211_internal_bss *bss)
633 {
634 	struct rb_node **p = &rdev->bss_tree.rb_node;
635 	struct rb_node *parent = NULL;
636 	struct cfg80211_internal_bss *tbss;
637 	int cmp;
638 
639 	while (*p) {
640 		parent = *p;
641 		tbss = rb_entry(parent, struct cfg80211_internal_bss, rbn);
642 
643 		cmp = cmp_bss(&bss->pub, &tbss->pub, BSS_CMP_REGULAR);
644 
645 		if (WARN_ON(!cmp)) {
646 			/* will sort of leak this BSS */
647 			return;
648 		}
649 
650 		if (cmp < 0)
651 			p = &(*p)->rb_left;
652 		else
653 			p = &(*p)->rb_right;
654 	}
655 
656 	rb_link_node(&bss->rbn, parent, p);
657 	rb_insert_color(&bss->rbn, &rdev->bss_tree);
658 }
659 
660 static struct cfg80211_internal_bss *
661 rb_find_bss(struct cfg80211_registered_device *rdev,
662 	    struct cfg80211_internal_bss *res,
663 	    enum bss_compare_mode mode)
664 {
665 	struct rb_node *n = rdev->bss_tree.rb_node;
666 	struct cfg80211_internal_bss *bss;
667 	int r;
668 
669 	while (n) {
670 		bss = rb_entry(n, struct cfg80211_internal_bss, rbn);
671 		r = cmp_bss(&res->pub, &bss->pub, mode);
672 
673 		if (r == 0)
674 			return bss;
675 		else if (r < 0)
676 			n = n->rb_left;
677 		else
678 			n = n->rb_right;
679 	}
680 
681 	return NULL;
682 }
683 
684 static bool cfg80211_combine_bsses(struct cfg80211_registered_device *rdev,
685 				   struct cfg80211_internal_bss *new)
686 {
687 	const struct cfg80211_bss_ies *ies;
688 	struct cfg80211_internal_bss *bss;
689 	const u8 *ie;
690 	int i, ssidlen;
691 	u8 fold = 0;
692 
693 	ies = rcu_access_pointer(new->pub.beacon_ies);
694 	if (WARN_ON(!ies))
695 		return false;
696 
697 	ie = cfg80211_find_ie(WLAN_EID_SSID, ies->data, ies->len);
698 	if (!ie) {
699 		/* nothing to do */
700 		return true;
701 	}
702 
703 	ssidlen = ie[1];
704 	for (i = 0; i < ssidlen; i++)
705 		fold |= ie[2 + i];
706 
707 	if (fold) {
708 		/* not a hidden SSID */
709 		return true;
710 	}
711 
712 	/* This is the bad part ... */
713 
714 	list_for_each_entry(bss, &rdev->bss_list, list) {
715 		if (!ether_addr_equal(bss->pub.bssid, new->pub.bssid))
716 			continue;
717 		if (bss->pub.channel != new->pub.channel)
718 			continue;
719 		if (bss->pub.scan_width != new->pub.scan_width)
720 			continue;
721 		if (rcu_access_pointer(bss->pub.beacon_ies))
722 			continue;
723 		ies = rcu_access_pointer(bss->pub.ies);
724 		if (!ies)
725 			continue;
726 		ie = cfg80211_find_ie(WLAN_EID_SSID, ies->data, ies->len);
727 		if (!ie)
728 			continue;
729 		if (ssidlen && ie[1] != ssidlen)
730 			continue;
731 		if (WARN_ON_ONCE(bss->pub.hidden_beacon_bss))
732 			continue;
733 		if (WARN_ON_ONCE(!list_empty(&bss->hidden_list)))
734 			list_del(&bss->hidden_list);
735 		/* combine them */
736 		list_add(&bss->hidden_list, &new->hidden_list);
737 		bss->pub.hidden_beacon_bss = &new->pub;
738 		new->refcount += bss->refcount;
739 		rcu_assign_pointer(bss->pub.beacon_ies,
740 				   new->pub.beacon_ies);
741 	}
742 
743 	return true;
744 }
745 
746 /* Returned bss is reference counted and must be cleaned up appropriately. */
747 static struct cfg80211_internal_bss *
748 cfg80211_bss_update(struct cfg80211_registered_device *rdev,
749 		    struct cfg80211_internal_bss *tmp,
750 		    bool signal_valid)
751 {
752 	struct cfg80211_internal_bss *found = NULL;
753 
754 	if (WARN_ON(!tmp->pub.channel))
755 		return NULL;
756 
757 	tmp->ts = jiffies;
758 
759 	spin_lock_bh(&rdev->bss_lock);
760 
761 	if (WARN_ON(!rcu_access_pointer(tmp->pub.ies))) {
762 		spin_unlock_bh(&rdev->bss_lock);
763 		return NULL;
764 	}
765 
766 	found = rb_find_bss(rdev, tmp, BSS_CMP_REGULAR);
767 
768 	if (found) {
769 		/* Update IEs */
770 		if (rcu_access_pointer(tmp->pub.proberesp_ies)) {
771 			const struct cfg80211_bss_ies *old;
772 
773 			old = rcu_access_pointer(found->pub.proberesp_ies);
774 
775 			rcu_assign_pointer(found->pub.proberesp_ies,
776 					   tmp->pub.proberesp_ies);
777 			/* Override possible earlier Beacon frame IEs */
778 			rcu_assign_pointer(found->pub.ies,
779 					   tmp->pub.proberesp_ies);
780 			if (old)
781 				kfree_rcu((struct cfg80211_bss_ies *)old,
782 					  rcu_head);
783 		} else if (rcu_access_pointer(tmp->pub.beacon_ies)) {
784 			const struct cfg80211_bss_ies *old;
785 			struct cfg80211_internal_bss *bss;
786 
787 			if (found->pub.hidden_beacon_bss &&
788 			    !list_empty(&found->hidden_list)) {
789 				const struct cfg80211_bss_ies *f;
790 
791 				/*
792 				 * The found BSS struct is one of the probe
793 				 * response members of a group, but we're
794 				 * receiving a beacon (beacon_ies in the tmp
795 				 * bss is used). This can only mean that the
796 				 * AP changed its beacon from not having an
797 				 * SSID to showing it, which is confusing so
798 				 * drop this information.
799 				 */
800 
801 				f = rcu_access_pointer(tmp->pub.beacon_ies);
802 				kfree_rcu((struct cfg80211_bss_ies *)f,
803 					  rcu_head);
804 				goto drop;
805 			}
806 
807 			old = rcu_access_pointer(found->pub.beacon_ies);
808 
809 			rcu_assign_pointer(found->pub.beacon_ies,
810 					   tmp->pub.beacon_ies);
811 
812 			/* Override IEs if they were from a beacon before */
813 			if (old == rcu_access_pointer(found->pub.ies))
814 				rcu_assign_pointer(found->pub.ies,
815 						   tmp->pub.beacon_ies);
816 
817 			/* Assign beacon IEs to all sub entries */
818 			list_for_each_entry(bss, &found->hidden_list,
819 					    hidden_list) {
820 				const struct cfg80211_bss_ies *ies;
821 
822 				ies = rcu_access_pointer(bss->pub.beacon_ies);
823 				WARN_ON(ies != old);
824 
825 				rcu_assign_pointer(bss->pub.beacon_ies,
826 						   tmp->pub.beacon_ies);
827 			}
828 
829 			if (old)
830 				kfree_rcu((struct cfg80211_bss_ies *)old,
831 					  rcu_head);
832 		}
833 
834 		found->pub.beacon_interval = tmp->pub.beacon_interval;
835 		/*
836 		 * don't update the signal if beacon was heard on
837 		 * adjacent channel.
838 		 */
839 		if (signal_valid)
840 			found->pub.signal = tmp->pub.signal;
841 		found->pub.capability = tmp->pub.capability;
842 		found->ts = tmp->ts;
843 		found->ts_boottime = tmp->ts_boottime;
844 		found->parent_tsf = tmp->parent_tsf;
845 		ether_addr_copy(found->parent_bssid, tmp->parent_bssid);
846 	} else {
847 		struct cfg80211_internal_bss *new;
848 		struct cfg80211_internal_bss *hidden;
849 		struct cfg80211_bss_ies *ies;
850 
851 		/*
852 		 * create a copy -- the "res" variable that is passed in
853 		 * is allocated on the stack since it's not needed in the
854 		 * more common case of an update
855 		 */
856 		new = kzalloc(sizeof(*new) + rdev->wiphy.bss_priv_size,
857 			      GFP_ATOMIC);
858 		if (!new) {
859 			ies = (void *)rcu_dereference(tmp->pub.beacon_ies);
860 			if (ies)
861 				kfree_rcu(ies, rcu_head);
862 			ies = (void *)rcu_dereference(tmp->pub.proberesp_ies);
863 			if (ies)
864 				kfree_rcu(ies, rcu_head);
865 			goto drop;
866 		}
867 		memcpy(new, tmp, sizeof(*new));
868 		new->refcount = 1;
869 		INIT_LIST_HEAD(&new->hidden_list);
870 
871 		if (rcu_access_pointer(tmp->pub.proberesp_ies)) {
872 			hidden = rb_find_bss(rdev, tmp, BSS_CMP_HIDE_ZLEN);
873 			if (!hidden)
874 				hidden = rb_find_bss(rdev, tmp,
875 						     BSS_CMP_HIDE_NUL);
876 			if (hidden) {
877 				new->pub.hidden_beacon_bss = &hidden->pub;
878 				list_add(&new->hidden_list,
879 					 &hidden->hidden_list);
880 				hidden->refcount++;
881 				rcu_assign_pointer(new->pub.beacon_ies,
882 						   hidden->pub.beacon_ies);
883 			}
884 		} else {
885 			/*
886 			 * Ok so we found a beacon, and don't have an entry. If
887 			 * it's a beacon with hidden SSID, we might be in for an
888 			 * expensive search for any probe responses that should
889 			 * be grouped with this beacon for updates ...
890 			 */
891 			if (!cfg80211_combine_bsses(rdev, new)) {
892 				kfree(new);
893 				goto drop;
894 			}
895 		}
896 
897 		list_add_tail(&new->list, &rdev->bss_list);
898 		rb_insert_bss(rdev, new);
899 		found = new;
900 	}
901 
902 	rdev->bss_generation++;
903 	bss_ref_get(rdev, found);
904 	spin_unlock_bh(&rdev->bss_lock);
905 
906 	return found;
907  drop:
908 	spin_unlock_bh(&rdev->bss_lock);
909 	return NULL;
910 }
911 
912 static struct ieee80211_channel *
913 cfg80211_get_bss_channel(struct wiphy *wiphy, const u8 *ie, size_t ielen,
914 			 struct ieee80211_channel *channel)
915 {
916 	const u8 *tmp;
917 	u32 freq;
918 	int channel_number = -1;
919 
920 	tmp = cfg80211_find_ie(WLAN_EID_DS_PARAMS, ie, ielen);
921 	if (tmp && tmp[1] == 1) {
922 		channel_number = tmp[2];
923 	} else {
924 		tmp = cfg80211_find_ie(WLAN_EID_HT_OPERATION, ie, ielen);
925 		if (tmp && tmp[1] >= sizeof(struct ieee80211_ht_operation)) {
926 			struct ieee80211_ht_operation *htop = (void *)(tmp + 2);
927 
928 			channel_number = htop->primary_chan;
929 		}
930 	}
931 
932 	if (channel_number < 0)
933 		return channel;
934 
935 	freq = ieee80211_channel_to_frequency(channel_number, channel->band);
936 	channel = ieee80211_get_channel(wiphy, freq);
937 	if (!channel)
938 		return NULL;
939 	if (channel->flags & IEEE80211_CHAN_DISABLED)
940 		return NULL;
941 	return channel;
942 }
943 
944 /* Returned bss is reference counted and must be cleaned up appropriately. */
945 struct cfg80211_bss *
946 cfg80211_inform_bss_data(struct wiphy *wiphy,
947 			 struct cfg80211_inform_bss *data,
948 			 enum cfg80211_bss_frame_type ftype,
949 			 const u8 *bssid, u64 tsf, u16 capability,
950 			 u16 beacon_interval, const u8 *ie, size_t ielen,
951 			 gfp_t gfp)
952 {
953 	struct cfg80211_bss_ies *ies;
954 	struct ieee80211_channel *channel;
955 	struct cfg80211_internal_bss tmp = {}, *res;
956 	int bss_type;
957 	bool signal_valid;
958 
959 	if (WARN_ON(!wiphy))
960 		return NULL;
961 
962 	if (WARN_ON(wiphy->signal_type == CFG80211_SIGNAL_TYPE_UNSPEC &&
963 		    (data->signal < 0 || data->signal > 100)))
964 		return NULL;
965 
966 	channel = cfg80211_get_bss_channel(wiphy, ie, ielen, data->chan);
967 	if (!channel)
968 		return NULL;
969 
970 	memcpy(tmp.pub.bssid, bssid, ETH_ALEN);
971 	tmp.pub.channel = channel;
972 	tmp.pub.scan_width = data->scan_width;
973 	tmp.pub.signal = data->signal;
974 	tmp.pub.beacon_interval = beacon_interval;
975 	tmp.pub.capability = capability;
976 	tmp.ts_boottime = data->boottime_ns;
977 
978 	/*
979 	 * If we do not know here whether the IEs are from a Beacon or Probe
980 	 * Response frame, we need to pick one of the options and only use it
981 	 * with the driver that does not provide the full Beacon/Probe Response
982 	 * frame. Use Beacon frame pointer to avoid indicating that this should
983 	 * override the IEs pointer should we have received an earlier
984 	 * indication of Probe Response data.
985 	 */
986 	ies = kzalloc(sizeof(*ies) + ielen, gfp);
987 	if (!ies)
988 		return NULL;
989 	ies->len = ielen;
990 	ies->tsf = tsf;
991 	ies->from_beacon = false;
992 	memcpy(ies->data, ie, ielen);
993 
994 	switch (ftype) {
995 	case CFG80211_BSS_FTYPE_BEACON:
996 		ies->from_beacon = true;
997 		/* fall through to assign */
998 	case CFG80211_BSS_FTYPE_UNKNOWN:
999 		rcu_assign_pointer(tmp.pub.beacon_ies, ies);
1000 		break;
1001 	case CFG80211_BSS_FTYPE_PRESP:
1002 		rcu_assign_pointer(tmp.pub.proberesp_ies, ies);
1003 		break;
1004 	}
1005 	rcu_assign_pointer(tmp.pub.ies, ies);
1006 
1007 	signal_valid = abs(data->chan->center_freq - channel->center_freq) <=
1008 		wiphy->max_adj_channel_rssi_comp;
1009 	res = cfg80211_bss_update(wiphy_to_rdev(wiphy), &tmp, signal_valid);
1010 	if (!res)
1011 		return NULL;
1012 
1013 	if (channel->band == NL80211_BAND_60GHZ) {
1014 		bss_type = res->pub.capability & WLAN_CAPABILITY_DMG_TYPE_MASK;
1015 		if (bss_type == WLAN_CAPABILITY_DMG_TYPE_AP ||
1016 		    bss_type == WLAN_CAPABILITY_DMG_TYPE_PBSS)
1017 			regulatory_hint_found_beacon(wiphy, channel, gfp);
1018 	} else {
1019 		if (res->pub.capability & WLAN_CAPABILITY_ESS)
1020 			regulatory_hint_found_beacon(wiphy, channel, gfp);
1021 	}
1022 
1023 	trace_cfg80211_return_bss(&res->pub);
1024 	/* cfg80211_bss_update gives us a referenced result */
1025 	return &res->pub;
1026 }
1027 EXPORT_SYMBOL(cfg80211_inform_bss_data);
1028 
1029 /* cfg80211_inform_bss_width_frame helper */
1030 struct cfg80211_bss *
1031 cfg80211_inform_bss_frame_data(struct wiphy *wiphy,
1032 			       struct cfg80211_inform_bss *data,
1033 			       struct ieee80211_mgmt *mgmt, size_t len,
1034 			       gfp_t gfp)
1035 
1036 {
1037 	struct cfg80211_internal_bss tmp = {}, *res;
1038 	struct cfg80211_bss_ies *ies;
1039 	struct ieee80211_channel *channel;
1040 	bool signal_valid;
1041 	size_t ielen = len - offsetof(struct ieee80211_mgmt,
1042 				      u.probe_resp.variable);
1043 	int bss_type;
1044 
1045 	BUILD_BUG_ON(offsetof(struct ieee80211_mgmt, u.probe_resp.variable) !=
1046 			offsetof(struct ieee80211_mgmt, u.beacon.variable));
1047 
1048 	trace_cfg80211_inform_bss_frame(wiphy, data, mgmt, len);
1049 
1050 	if (WARN_ON(!mgmt))
1051 		return NULL;
1052 
1053 	if (WARN_ON(!wiphy))
1054 		return NULL;
1055 
1056 	if (WARN_ON(wiphy->signal_type == CFG80211_SIGNAL_TYPE_UNSPEC &&
1057 		    (data->signal < 0 || data->signal > 100)))
1058 		return NULL;
1059 
1060 	if (WARN_ON(len < offsetof(struct ieee80211_mgmt, u.probe_resp.variable)))
1061 		return NULL;
1062 
1063 	channel = cfg80211_get_bss_channel(wiphy, mgmt->u.beacon.variable,
1064 					   ielen, data->chan);
1065 	if (!channel)
1066 		return NULL;
1067 
1068 	ies = kzalloc(sizeof(*ies) + ielen, gfp);
1069 	if (!ies)
1070 		return NULL;
1071 	ies->len = ielen;
1072 	ies->tsf = le64_to_cpu(mgmt->u.probe_resp.timestamp);
1073 	ies->from_beacon = ieee80211_is_beacon(mgmt->frame_control);
1074 	memcpy(ies->data, mgmt->u.probe_resp.variable, ielen);
1075 
1076 	if (ieee80211_is_probe_resp(mgmt->frame_control))
1077 		rcu_assign_pointer(tmp.pub.proberesp_ies, ies);
1078 	else
1079 		rcu_assign_pointer(tmp.pub.beacon_ies, ies);
1080 	rcu_assign_pointer(tmp.pub.ies, ies);
1081 
1082 	memcpy(tmp.pub.bssid, mgmt->bssid, ETH_ALEN);
1083 	tmp.pub.channel = channel;
1084 	tmp.pub.scan_width = data->scan_width;
1085 	tmp.pub.signal = data->signal;
1086 	tmp.pub.beacon_interval = le16_to_cpu(mgmt->u.probe_resp.beacon_int);
1087 	tmp.pub.capability = le16_to_cpu(mgmt->u.probe_resp.capab_info);
1088 	tmp.ts_boottime = data->boottime_ns;
1089 	tmp.parent_tsf = data->parent_tsf;
1090 	ether_addr_copy(tmp.parent_bssid, data->parent_bssid);
1091 
1092 	signal_valid = abs(data->chan->center_freq - channel->center_freq) <=
1093 		wiphy->max_adj_channel_rssi_comp;
1094 	res = cfg80211_bss_update(wiphy_to_rdev(wiphy), &tmp, signal_valid);
1095 	if (!res)
1096 		return NULL;
1097 
1098 	if (channel->band == NL80211_BAND_60GHZ) {
1099 		bss_type = res->pub.capability & WLAN_CAPABILITY_DMG_TYPE_MASK;
1100 		if (bss_type == WLAN_CAPABILITY_DMG_TYPE_AP ||
1101 		    bss_type == WLAN_CAPABILITY_DMG_TYPE_PBSS)
1102 			regulatory_hint_found_beacon(wiphy, channel, gfp);
1103 	} else {
1104 		if (res->pub.capability & WLAN_CAPABILITY_ESS)
1105 			regulatory_hint_found_beacon(wiphy, channel, gfp);
1106 	}
1107 
1108 	trace_cfg80211_return_bss(&res->pub);
1109 	/* cfg80211_bss_update gives us a referenced result */
1110 	return &res->pub;
1111 }
1112 EXPORT_SYMBOL(cfg80211_inform_bss_frame_data);
1113 
1114 void cfg80211_ref_bss(struct wiphy *wiphy, struct cfg80211_bss *pub)
1115 {
1116 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
1117 	struct cfg80211_internal_bss *bss;
1118 
1119 	if (!pub)
1120 		return;
1121 
1122 	bss = container_of(pub, struct cfg80211_internal_bss, pub);
1123 
1124 	spin_lock_bh(&rdev->bss_lock);
1125 	bss_ref_get(rdev, bss);
1126 	spin_unlock_bh(&rdev->bss_lock);
1127 }
1128 EXPORT_SYMBOL(cfg80211_ref_bss);
1129 
1130 void cfg80211_put_bss(struct wiphy *wiphy, struct cfg80211_bss *pub)
1131 {
1132 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
1133 	struct cfg80211_internal_bss *bss;
1134 
1135 	if (!pub)
1136 		return;
1137 
1138 	bss = container_of(pub, struct cfg80211_internal_bss, pub);
1139 
1140 	spin_lock_bh(&rdev->bss_lock);
1141 	bss_ref_put(rdev, bss);
1142 	spin_unlock_bh(&rdev->bss_lock);
1143 }
1144 EXPORT_SYMBOL(cfg80211_put_bss);
1145 
1146 void cfg80211_unlink_bss(struct wiphy *wiphy, struct cfg80211_bss *pub)
1147 {
1148 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
1149 	struct cfg80211_internal_bss *bss;
1150 
1151 	if (WARN_ON(!pub))
1152 		return;
1153 
1154 	bss = container_of(pub, struct cfg80211_internal_bss, pub);
1155 
1156 	spin_lock_bh(&rdev->bss_lock);
1157 	if (!list_empty(&bss->list)) {
1158 		if (__cfg80211_unlink_bss(rdev, bss))
1159 			rdev->bss_generation++;
1160 	}
1161 	spin_unlock_bh(&rdev->bss_lock);
1162 }
1163 EXPORT_SYMBOL(cfg80211_unlink_bss);
1164 
1165 #ifdef CONFIG_CFG80211_WEXT
1166 static struct cfg80211_registered_device *
1167 cfg80211_get_dev_from_ifindex(struct net *net, int ifindex)
1168 {
1169 	struct cfg80211_registered_device *rdev;
1170 	struct net_device *dev;
1171 
1172 	ASSERT_RTNL();
1173 
1174 	dev = dev_get_by_index(net, ifindex);
1175 	if (!dev)
1176 		return ERR_PTR(-ENODEV);
1177 	if (dev->ieee80211_ptr)
1178 		rdev = wiphy_to_rdev(dev->ieee80211_ptr->wiphy);
1179 	else
1180 		rdev = ERR_PTR(-ENODEV);
1181 	dev_put(dev);
1182 	return rdev;
1183 }
1184 
1185 int cfg80211_wext_siwscan(struct net_device *dev,
1186 			  struct iw_request_info *info,
1187 			  union iwreq_data *wrqu, char *extra)
1188 {
1189 	struct cfg80211_registered_device *rdev;
1190 	struct wiphy *wiphy;
1191 	struct iw_scan_req *wreq = NULL;
1192 	struct cfg80211_scan_request *creq = NULL;
1193 	int i, err, n_channels = 0;
1194 	enum nl80211_band band;
1195 
1196 	if (!netif_running(dev))
1197 		return -ENETDOWN;
1198 
1199 	if (wrqu->data.length == sizeof(struct iw_scan_req))
1200 		wreq = (struct iw_scan_req *)extra;
1201 
1202 	rdev = cfg80211_get_dev_from_ifindex(dev_net(dev), dev->ifindex);
1203 
1204 	if (IS_ERR(rdev))
1205 		return PTR_ERR(rdev);
1206 
1207 	if (rdev->scan_req || rdev->scan_msg) {
1208 		err = -EBUSY;
1209 		goto out;
1210 	}
1211 
1212 	wiphy = &rdev->wiphy;
1213 
1214 	/* Determine number of channels, needed to allocate creq */
1215 	if (wreq && wreq->num_channels)
1216 		n_channels = wreq->num_channels;
1217 	else
1218 		n_channels = ieee80211_get_num_supported_channels(wiphy);
1219 
1220 	creq = kzalloc(sizeof(*creq) + sizeof(struct cfg80211_ssid) +
1221 		       n_channels * sizeof(void *),
1222 		       GFP_ATOMIC);
1223 	if (!creq) {
1224 		err = -ENOMEM;
1225 		goto out;
1226 	}
1227 
1228 	creq->wiphy = wiphy;
1229 	creq->wdev = dev->ieee80211_ptr;
1230 	/* SSIDs come after channels */
1231 	creq->ssids = (void *)&creq->channels[n_channels];
1232 	creq->n_channels = n_channels;
1233 	creq->n_ssids = 1;
1234 	creq->scan_start = jiffies;
1235 
1236 	/* translate "Scan on frequencies" request */
1237 	i = 0;
1238 	for (band = 0; band < NUM_NL80211_BANDS; band++) {
1239 		int j;
1240 
1241 		if (!wiphy->bands[band])
1242 			continue;
1243 
1244 		for (j = 0; j < wiphy->bands[band]->n_channels; j++) {
1245 			/* ignore disabled channels */
1246 			if (wiphy->bands[band]->channels[j].flags &
1247 						IEEE80211_CHAN_DISABLED)
1248 				continue;
1249 
1250 			/* If we have a wireless request structure and the
1251 			 * wireless request specifies frequencies, then search
1252 			 * for the matching hardware channel.
1253 			 */
1254 			if (wreq && wreq->num_channels) {
1255 				int k;
1256 				int wiphy_freq = wiphy->bands[band]->channels[j].center_freq;
1257 				for (k = 0; k < wreq->num_channels; k++) {
1258 					struct iw_freq *freq =
1259 						&wreq->channel_list[k];
1260 					int wext_freq =
1261 						cfg80211_wext_freq(freq);
1262 
1263 					if (wext_freq == wiphy_freq)
1264 						goto wext_freq_found;
1265 				}
1266 				goto wext_freq_not_found;
1267 			}
1268 
1269 		wext_freq_found:
1270 			creq->channels[i] = &wiphy->bands[band]->channels[j];
1271 			i++;
1272 		wext_freq_not_found: ;
1273 		}
1274 	}
1275 	/* No channels found? */
1276 	if (!i) {
1277 		err = -EINVAL;
1278 		goto out;
1279 	}
1280 
1281 	/* Set real number of channels specified in creq->channels[] */
1282 	creq->n_channels = i;
1283 
1284 	/* translate "Scan for SSID" request */
1285 	if (wreq) {
1286 		if (wrqu->data.flags & IW_SCAN_THIS_ESSID) {
1287 			if (wreq->essid_len > IEEE80211_MAX_SSID_LEN) {
1288 				err = -EINVAL;
1289 				goto out;
1290 			}
1291 			memcpy(creq->ssids[0].ssid, wreq->essid, wreq->essid_len);
1292 			creq->ssids[0].ssid_len = wreq->essid_len;
1293 		}
1294 		if (wreq->scan_type == IW_SCAN_TYPE_PASSIVE)
1295 			creq->n_ssids = 0;
1296 	}
1297 
1298 	for (i = 0; i < NUM_NL80211_BANDS; i++)
1299 		if (wiphy->bands[i])
1300 			creq->rates[i] = (1 << wiphy->bands[i]->n_bitrates) - 1;
1301 
1302 	eth_broadcast_addr(creq->bssid);
1303 
1304 	rdev->scan_req = creq;
1305 	err = rdev_scan(rdev, creq);
1306 	if (err) {
1307 		rdev->scan_req = NULL;
1308 		/* creq will be freed below */
1309 	} else {
1310 		nl80211_send_scan_start(rdev, dev->ieee80211_ptr);
1311 		/* creq now owned by driver */
1312 		creq = NULL;
1313 		dev_hold(dev);
1314 	}
1315  out:
1316 	kfree(creq);
1317 	return err;
1318 }
1319 EXPORT_WEXT_HANDLER(cfg80211_wext_siwscan);
1320 
1321 static char *ieee80211_scan_add_ies(struct iw_request_info *info,
1322 				    const struct cfg80211_bss_ies *ies,
1323 				    char *current_ev, char *end_buf)
1324 {
1325 	const u8 *pos, *end, *next;
1326 	struct iw_event iwe;
1327 
1328 	if (!ies)
1329 		return current_ev;
1330 
1331 	/*
1332 	 * If needed, fragment the IEs buffer (at IE boundaries) into short
1333 	 * enough fragments to fit into IW_GENERIC_IE_MAX octet messages.
1334 	 */
1335 	pos = ies->data;
1336 	end = pos + ies->len;
1337 
1338 	while (end - pos > IW_GENERIC_IE_MAX) {
1339 		next = pos + 2 + pos[1];
1340 		while (next + 2 + next[1] - pos < IW_GENERIC_IE_MAX)
1341 			next = next + 2 + next[1];
1342 
1343 		memset(&iwe, 0, sizeof(iwe));
1344 		iwe.cmd = IWEVGENIE;
1345 		iwe.u.data.length = next - pos;
1346 		current_ev = iwe_stream_add_point_check(info, current_ev,
1347 							end_buf, &iwe,
1348 							(void *)pos);
1349 		if (IS_ERR(current_ev))
1350 			return current_ev;
1351 		pos = next;
1352 	}
1353 
1354 	if (end > pos) {
1355 		memset(&iwe, 0, sizeof(iwe));
1356 		iwe.cmd = IWEVGENIE;
1357 		iwe.u.data.length = end - pos;
1358 		current_ev = iwe_stream_add_point_check(info, current_ev,
1359 							end_buf, &iwe,
1360 							(void *)pos);
1361 		if (IS_ERR(current_ev))
1362 			return current_ev;
1363 	}
1364 
1365 	return current_ev;
1366 }
1367 
1368 static char *
1369 ieee80211_bss(struct wiphy *wiphy, struct iw_request_info *info,
1370 	      struct cfg80211_internal_bss *bss, char *current_ev,
1371 	      char *end_buf)
1372 {
1373 	const struct cfg80211_bss_ies *ies;
1374 	struct iw_event iwe;
1375 	const u8 *ie;
1376 	u8 buf[50];
1377 	u8 *cfg, *p, *tmp;
1378 	int rem, i, sig;
1379 	bool ismesh = false;
1380 
1381 	memset(&iwe, 0, sizeof(iwe));
1382 	iwe.cmd = SIOCGIWAP;
1383 	iwe.u.ap_addr.sa_family = ARPHRD_ETHER;
1384 	memcpy(iwe.u.ap_addr.sa_data, bss->pub.bssid, ETH_ALEN);
1385 	current_ev = iwe_stream_add_event_check(info, current_ev, end_buf, &iwe,
1386 						IW_EV_ADDR_LEN);
1387 	if (IS_ERR(current_ev))
1388 		return current_ev;
1389 
1390 	memset(&iwe, 0, sizeof(iwe));
1391 	iwe.cmd = SIOCGIWFREQ;
1392 	iwe.u.freq.m = ieee80211_frequency_to_channel(bss->pub.channel->center_freq);
1393 	iwe.u.freq.e = 0;
1394 	current_ev = iwe_stream_add_event_check(info, current_ev, end_buf, &iwe,
1395 						IW_EV_FREQ_LEN);
1396 	if (IS_ERR(current_ev))
1397 		return current_ev;
1398 
1399 	memset(&iwe, 0, sizeof(iwe));
1400 	iwe.cmd = SIOCGIWFREQ;
1401 	iwe.u.freq.m = bss->pub.channel->center_freq;
1402 	iwe.u.freq.e = 6;
1403 	current_ev = iwe_stream_add_event_check(info, current_ev, end_buf, &iwe,
1404 						IW_EV_FREQ_LEN);
1405 	if (IS_ERR(current_ev))
1406 		return current_ev;
1407 
1408 	if (wiphy->signal_type != CFG80211_SIGNAL_TYPE_NONE) {
1409 		memset(&iwe, 0, sizeof(iwe));
1410 		iwe.cmd = IWEVQUAL;
1411 		iwe.u.qual.updated = IW_QUAL_LEVEL_UPDATED |
1412 				     IW_QUAL_NOISE_INVALID |
1413 				     IW_QUAL_QUAL_UPDATED;
1414 		switch (wiphy->signal_type) {
1415 		case CFG80211_SIGNAL_TYPE_MBM:
1416 			sig = bss->pub.signal / 100;
1417 			iwe.u.qual.level = sig;
1418 			iwe.u.qual.updated |= IW_QUAL_DBM;
1419 			if (sig < -110)		/* rather bad */
1420 				sig = -110;
1421 			else if (sig > -40)	/* perfect */
1422 				sig = -40;
1423 			/* will give a range of 0 .. 70 */
1424 			iwe.u.qual.qual = sig + 110;
1425 			break;
1426 		case CFG80211_SIGNAL_TYPE_UNSPEC:
1427 			iwe.u.qual.level = bss->pub.signal;
1428 			/* will give range 0 .. 100 */
1429 			iwe.u.qual.qual = bss->pub.signal;
1430 			break;
1431 		default:
1432 			/* not reached */
1433 			break;
1434 		}
1435 		current_ev = iwe_stream_add_event_check(info, current_ev,
1436 							end_buf, &iwe,
1437 							IW_EV_QUAL_LEN);
1438 		if (IS_ERR(current_ev))
1439 			return current_ev;
1440 	}
1441 
1442 	memset(&iwe, 0, sizeof(iwe));
1443 	iwe.cmd = SIOCGIWENCODE;
1444 	if (bss->pub.capability & WLAN_CAPABILITY_PRIVACY)
1445 		iwe.u.data.flags = IW_ENCODE_ENABLED | IW_ENCODE_NOKEY;
1446 	else
1447 		iwe.u.data.flags = IW_ENCODE_DISABLED;
1448 	iwe.u.data.length = 0;
1449 	current_ev = iwe_stream_add_point_check(info, current_ev, end_buf,
1450 						&iwe, "");
1451 	if (IS_ERR(current_ev))
1452 		return current_ev;
1453 
1454 	rcu_read_lock();
1455 	ies = rcu_dereference(bss->pub.ies);
1456 	rem = ies->len;
1457 	ie = ies->data;
1458 
1459 	while (rem >= 2) {
1460 		/* invalid data */
1461 		if (ie[1] > rem - 2)
1462 			break;
1463 
1464 		switch (ie[0]) {
1465 		case WLAN_EID_SSID:
1466 			memset(&iwe, 0, sizeof(iwe));
1467 			iwe.cmd = SIOCGIWESSID;
1468 			iwe.u.data.length = ie[1];
1469 			iwe.u.data.flags = 1;
1470 			current_ev = iwe_stream_add_point_check(info,
1471 								current_ev,
1472 								end_buf, &iwe,
1473 								(u8 *)ie + 2);
1474 			if (IS_ERR(current_ev))
1475 				goto unlock;
1476 			break;
1477 		case WLAN_EID_MESH_ID:
1478 			memset(&iwe, 0, sizeof(iwe));
1479 			iwe.cmd = SIOCGIWESSID;
1480 			iwe.u.data.length = ie[1];
1481 			iwe.u.data.flags = 1;
1482 			current_ev = iwe_stream_add_point_check(info,
1483 								current_ev,
1484 								end_buf, &iwe,
1485 								(u8 *)ie + 2);
1486 			if (IS_ERR(current_ev))
1487 				goto unlock;
1488 			break;
1489 		case WLAN_EID_MESH_CONFIG:
1490 			ismesh = true;
1491 			if (ie[1] != sizeof(struct ieee80211_meshconf_ie))
1492 				break;
1493 			cfg = (u8 *)ie + 2;
1494 			memset(&iwe, 0, sizeof(iwe));
1495 			iwe.cmd = IWEVCUSTOM;
1496 			sprintf(buf, "Mesh Network Path Selection Protocol ID: "
1497 				"0x%02X", cfg[0]);
1498 			iwe.u.data.length = strlen(buf);
1499 			current_ev = iwe_stream_add_point_check(info,
1500 								current_ev,
1501 								end_buf,
1502 								&iwe, buf);
1503 			if (IS_ERR(current_ev))
1504 				goto unlock;
1505 			sprintf(buf, "Path Selection Metric ID: 0x%02X",
1506 				cfg[1]);
1507 			iwe.u.data.length = strlen(buf);
1508 			current_ev = iwe_stream_add_point_check(info,
1509 								current_ev,
1510 								end_buf,
1511 								&iwe, buf);
1512 			if (IS_ERR(current_ev))
1513 				goto unlock;
1514 			sprintf(buf, "Congestion Control Mode ID: 0x%02X",
1515 				cfg[2]);
1516 			iwe.u.data.length = strlen(buf);
1517 			current_ev = iwe_stream_add_point_check(info,
1518 								current_ev,
1519 								end_buf,
1520 								&iwe, buf);
1521 			if (IS_ERR(current_ev))
1522 				goto unlock;
1523 			sprintf(buf, "Synchronization ID: 0x%02X", cfg[3]);
1524 			iwe.u.data.length = strlen(buf);
1525 			current_ev = iwe_stream_add_point_check(info,
1526 								current_ev,
1527 								end_buf,
1528 								&iwe, buf);
1529 			if (IS_ERR(current_ev))
1530 				goto unlock;
1531 			sprintf(buf, "Authentication ID: 0x%02X", cfg[4]);
1532 			iwe.u.data.length = strlen(buf);
1533 			current_ev = iwe_stream_add_point_check(info,
1534 								current_ev,
1535 								end_buf,
1536 								&iwe, buf);
1537 			if (IS_ERR(current_ev))
1538 				goto unlock;
1539 			sprintf(buf, "Formation Info: 0x%02X", cfg[5]);
1540 			iwe.u.data.length = strlen(buf);
1541 			current_ev = iwe_stream_add_point_check(info,
1542 								current_ev,
1543 								end_buf,
1544 								&iwe, buf);
1545 			if (IS_ERR(current_ev))
1546 				goto unlock;
1547 			sprintf(buf, "Capabilities: 0x%02X", cfg[6]);
1548 			iwe.u.data.length = strlen(buf);
1549 			current_ev = iwe_stream_add_point_check(info,
1550 								current_ev,
1551 								end_buf,
1552 								&iwe, buf);
1553 			if (IS_ERR(current_ev))
1554 				goto unlock;
1555 			break;
1556 		case WLAN_EID_SUPP_RATES:
1557 		case WLAN_EID_EXT_SUPP_RATES:
1558 			/* display all supported rates in readable format */
1559 			p = current_ev + iwe_stream_lcp_len(info);
1560 
1561 			memset(&iwe, 0, sizeof(iwe));
1562 			iwe.cmd = SIOCGIWRATE;
1563 			/* Those two flags are ignored... */
1564 			iwe.u.bitrate.fixed = iwe.u.bitrate.disabled = 0;
1565 
1566 			for (i = 0; i < ie[1]; i++) {
1567 				iwe.u.bitrate.value =
1568 					((ie[i + 2] & 0x7f) * 500000);
1569 				tmp = p;
1570 				p = iwe_stream_add_value(info, current_ev, p,
1571 							 end_buf, &iwe,
1572 							 IW_EV_PARAM_LEN);
1573 				if (p == tmp) {
1574 					current_ev = ERR_PTR(-E2BIG);
1575 					goto unlock;
1576 				}
1577 			}
1578 			current_ev = p;
1579 			break;
1580 		}
1581 		rem -= ie[1] + 2;
1582 		ie += ie[1] + 2;
1583 	}
1584 
1585 	if (bss->pub.capability & (WLAN_CAPABILITY_ESS | WLAN_CAPABILITY_IBSS) ||
1586 	    ismesh) {
1587 		memset(&iwe, 0, sizeof(iwe));
1588 		iwe.cmd = SIOCGIWMODE;
1589 		if (ismesh)
1590 			iwe.u.mode = IW_MODE_MESH;
1591 		else if (bss->pub.capability & WLAN_CAPABILITY_ESS)
1592 			iwe.u.mode = IW_MODE_MASTER;
1593 		else
1594 			iwe.u.mode = IW_MODE_ADHOC;
1595 		current_ev = iwe_stream_add_event_check(info, current_ev,
1596 							end_buf, &iwe,
1597 							IW_EV_UINT_LEN);
1598 		if (IS_ERR(current_ev))
1599 			goto unlock;
1600 	}
1601 
1602 	memset(&iwe, 0, sizeof(iwe));
1603 	iwe.cmd = IWEVCUSTOM;
1604 	sprintf(buf, "tsf=%016llx", (unsigned long long)(ies->tsf));
1605 	iwe.u.data.length = strlen(buf);
1606 	current_ev = iwe_stream_add_point_check(info, current_ev, end_buf,
1607 						&iwe, buf);
1608 	if (IS_ERR(current_ev))
1609 		goto unlock;
1610 	memset(&iwe, 0, sizeof(iwe));
1611 	iwe.cmd = IWEVCUSTOM;
1612 	sprintf(buf, " Last beacon: %ums ago",
1613 		elapsed_jiffies_msecs(bss->ts));
1614 	iwe.u.data.length = strlen(buf);
1615 	current_ev = iwe_stream_add_point_check(info, current_ev,
1616 						end_buf, &iwe, buf);
1617 	if (IS_ERR(current_ev))
1618 		goto unlock;
1619 
1620 	current_ev = ieee80211_scan_add_ies(info, ies, current_ev, end_buf);
1621 
1622  unlock:
1623 	rcu_read_unlock();
1624 	return current_ev;
1625 }
1626 
1627 
1628 static int ieee80211_scan_results(struct cfg80211_registered_device *rdev,
1629 				  struct iw_request_info *info,
1630 				  char *buf, size_t len)
1631 {
1632 	char *current_ev = buf;
1633 	char *end_buf = buf + len;
1634 	struct cfg80211_internal_bss *bss;
1635 	int err = 0;
1636 
1637 	spin_lock_bh(&rdev->bss_lock);
1638 	cfg80211_bss_expire(rdev);
1639 
1640 	list_for_each_entry(bss, &rdev->bss_list, list) {
1641 		if (buf + len - current_ev <= IW_EV_ADDR_LEN) {
1642 			err = -E2BIG;
1643 			break;
1644 		}
1645 		current_ev = ieee80211_bss(&rdev->wiphy, info, bss,
1646 					   current_ev, end_buf);
1647 		if (IS_ERR(current_ev)) {
1648 			err = PTR_ERR(current_ev);
1649 			break;
1650 		}
1651 	}
1652 	spin_unlock_bh(&rdev->bss_lock);
1653 
1654 	if (err)
1655 		return err;
1656 	return current_ev - buf;
1657 }
1658 
1659 
1660 int cfg80211_wext_giwscan(struct net_device *dev,
1661 			  struct iw_request_info *info,
1662 			  struct iw_point *data, char *extra)
1663 {
1664 	struct cfg80211_registered_device *rdev;
1665 	int res;
1666 
1667 	if (!netif_running(dev))
1668 		return -ENETDOWN;
1669 
1670 	rdev = cfg80211_get_dev_from_ifindex(dev_net(dev), dev->ifindex);
1671 
1672 	if (IS_ERR(rdev))
1673 		return PTR_ERR(rdev);
1674 
1675 	if (rdev->scan_req || rdev->scan_msg)
1676 		return -EAGAIN;
1677 
1678 	res = ieee80211_scan_results(rdev, info, extra, data->length);
1679 	data->length = 0;
1680 	if (res >= 0) {
1681 		data->length = res;
1682 		res = 0;
1683 	}
1684 
1685 	return res;
1686 }
1687 EXPORT_WEXT_HANDLER(cfg80211_wext_giwscan);
1688 #endif
1689