1 /*
2 * Driver interaction with Linux nl80211/cfg80211 - Scanning
3 * Copyright(c) 2015 Intel Deutschland GmbH
4 * Copyright (c) 2002-2014, Jouni Malinen <j@w1.fi>
5 * Copyright (c) 2007, Johannes Berg <johannes@sipsolutions.net>
6 * Copyright (c) 2009-2010, Atheros Communications
7 *
8 * This software may be distributed under the terms of the BSD license.
9 * See README for more details.
10 */
11
12 #include "includes.h"
13 #include <time.h>
14 #include <netlink/genl/genl.h>
15
16 #include "utils/common.h"
17 #include "utils/eloop.h"
18 #include "common/ieee802_11_defs.h"
19 #include "common/ieee802_11_common.h"
20 #include "common/qca-vendor.h"
21 #include "driver_nl80211.h"
22
23
24 #define MAX_NL80211_NOISE_FREQS 100
25
26 struct nl80211_noise_info {
27 u32 freq[MAX_NL80211_NOISE_FREQS];
28 s8 noise[MAX_NL80211_NOISE_FREQS];
29 unsigned int count;
30 };
31
get_noise_for_scan_results(struct nl_msg * msg,void * arg)32 static int get_noise_for_scan_results(struct nl_msg *msg, void *arg)
33 {
34 struct nlattr *tb[NL80211_ATTR_MAX + 1];
35 struct genlmsghdr *gnlh = nlmsg_data(nlmsg_hdr(msg));
36 struct nlattr *sinfo[NL80211_SURVEY_INFO_MAX + 1];
37 static struct nla_policy survey_policy[NL80211_SURVEY_INFO_MAX + 1] = {
38 [NL80211_SURVEY_INFO_FREQUENCY] = { .type = NLA_U32 },
39 [NL80211_SURVEY_INFO_NOISE] = { .type = NLA_U8 },
40 };
41 struct nl80211_noise_info *info = arg;
42
43 if (info->count >= MAX_NL80211_NOISE_FREQS)
44 return NL_SKIP;
45
46 nla_parse(tb, NL80211_ATTR_MAX, genlmsg_attrdata(gnlh, 0),
47 genlmsg_attrlen(gnlh, 0), NULL);
48
49 if (!tb[NL80211_ATTR_SURVEY_INFO]) {
50 wpa_printf(MSG_DEBUG, "nl80211: Survey data missing");
51 return NL_SKIP;
52 }
53
54 if (nla_parse_nested(sinfo, NL80211_SURVEY_INFO_MAX,
55 tb[NL80211_ATTR_SURVEY_INFO],
56 survey_policy)) {
57 wpa_printf(MSG_DEBUG, "nl80211: Failed to parse nested "
58 "attributes");
59 return NL_SKIP;
60 }
61
62 if (!sinfo[NL80211_SURVEY_INFO_NOISE])
63 return NL_SKIP;
64
65 if (!sinfo[NL80211_SURVEY_INFO_FREQUENCY])
66 return NL_SKIP;
67
68 info->freq[info->count] =
69 nla_get_u32(sinfo[NL80211_SURVEY_INFO_FREQUENCY]);
70 info->noise[info->count] =
71 (s8) nla_get_u8(sinfo[NL80211_SURVEY_INFO_NOISE]);
72 info->count++;
73
74 return NL_SKIP;
75 }
76
77
nl80211_get_noise_for_scan_results(struct wpa_driver_nl80211_data * drv,struct nl80211_noise_info * info)78 static int nl80211_get_noise_for_scan_results(
79 struct wpa_driver_nl80211_data *drv, struct nl80211_noise_info *info)
80 {
81 struct nl_msg *msg;
82
83 os_memset(info, 0, sizeof(*info));
84 msg = nl80211_drv_msg(drv, NLM_F_DUMP, NL80211_CMD_GET_SURVEY);
85 return send_and_recv_resp(drv, msg, get_noise_for_scan_results, info);
86 }
87
88
nl80211_abort_scan(struct i802_bss * bss)89 static int nl80211_abort_scan(struct i802_bss *bss)
90 {
91 int ret;
92 struct nl_msg *msg;
93 struct wpa_driver_nl80211_data *drv = bss->drv;
94
95 wpa_printf(MSG_DEBUG, "nl80211: Abort scan");
96 msg = nl80211_cmd_msg(bss, 0, NL80211_CMD_ABORT_SCAN);
97 ret = send_and_recv_cmd(drv, msg);
98 if (ret) {
99 wpa_printf(MSG_DEBUG, "nl80211: Abort scan failed: ret=%d (%s)",
100 ret, strerror(-ret));
101 }
102 return ret;
103 }
104
105
106 #ifdef CONFIG_DRIVER_NL80211_QCA
nl80211_abort_vendor_scan(struct wpa_driver_nl80211_data * drv,u64 scan_cookie)107 static int nl80211_abort_vendor_scan(struct wpa_driver_nl80211_data *drv,
108 u64 scan_cookie)
109 {
110 struct nl_msg *msg;
111 struct nlattr *params;
112 int ret;
113
114 wpa_printf(MSG_DEBUG, "nl80211: Abort vendor scan with cookie 0x%llx",
115 (long long unsigned int) scan_cookie);
116
117 msg = nl80211_drv_msg(drv, 0, NL80211_CMD_VENDOR);
118 if (!msg ||
119 nla_put_u32(msg, NL80211_ATTR_VENDOR_ID, OUI_QCA) ||
120 nla_put_u32(msg, NL80211_ATTR_VENDOR_SUBCMD,
121 QCA_NL80211_VENDOR_SUBCMD_ABORT_SCAN) ||
122 !(params = nla_nest_start(msg, NL80211_ATTR_VENDOR_DATA)) ||
123 nla_put_u64(msg, QCA_WLAN_VENDOR_ATTR_SCAN_COOKIE, scan_cookie))
124 goto fail;
125
126 nla_nest_end(msg, params);
127
128 ret = send_and_recv_cmd(drv, msg);
129 msg = NULL;
130 if (ret) {
131 wpa_printf(MSG_INFO,
132 "nl80211: Aborting vendor scan with cookie 0x%llx failed: ret=%d (%s)",
133 (long long unsigned int) scan_cookie, ret,
134 strerror(-ret));
135 goto fail;
136 }
137 return 0;
138 fail:
139 nlmsg_free(msg);
140 return -1;
141 }
142 #endif /* CONFIG_DRIVER_NL80211_QCA */
143
144
145 /**
146 * wpa_driver_nl80211_scan_timeout - Scan timeout to report scan completion
147 * @eloop_ctx: Driver private data
148 * @timeout_ctx: ctx argument given to wpa_driver_nl80211_init()
149 *
150 * This function can be used as registered timeout when starting a scan to
151 * generate a scan completed event if the driver does not report this.
152 */
wpa_driver_nl80211_scan_timeout(void * eloop_ctx,void * timeout_ctx)153 void wpa_driver_nl80211_scan_timeout(void *eloop_ctx, void *timeout_ctx)
154 {
155 struct wpa_driver_nl80211_data *drv = eloop_ctx;
156 struct i802_bss *bss;
157
158 wpa_printf(MSG_DEBUG, "nl80211: Scan timeout - try to abort it");
159 #ifdef CONFIG_DRIVER_NL80211_QCA
160 if (drv->vendor_scan_cookie &&
161 nl80211_abort_vendor_scan(drv, drv->vendor_scan_cookie) == 0)
162 return;
163 #endif /* CONFIG_DRIVER_NL80211_QCA */
164
165 for (bss = drv->first_bss; bss; bss = bss->next) {
166 if (bss->scan_link)
167 break;
168 }
169
170 if (!bss) {
171 wpa_printf(MSG_DEBUG, "nl80211: Failed to find scan BSS");
172 return;
173 }
174
175 if (!drv->vendor_scan_cookie &&
176 nl80211_abort_scan(bss) == 0) {
177 bss->scan_link = NULL;
178 return;
179 }
180
181 wpa_printf(MSG_DEBUG, "nl80211: Failed to abort scan");
182
183 if (drv->ap_scan_as_station != NL80211_IFTYPE_UNSPECIFIED)
184 nl80211_restore_ap_mode(bss);
185
186 wpa_printf(MSG_DEBUG, "nl80211: Try to get scan results");
187 wpa_supplicant_event(timeout_ctx, EVENT_SCAN_RESULTS, NULL);
188 }
189
190
191 static struct nl_msg *
nl80211_scan_common(struct i802_bss * bss,u8 cmd,struct wpa_driver_scan_params * params)192 nl80211_scan_common(struct i802_bss *bss, u8 cmd,
193 struct wpa_driver_scan_params *params)
194 {
195 struct wpa_driver_nl80211_data *drv = bss->drv;
196 struct nl_msg *msg;
197 size_t i;
198 u32 scan_flags = 0;
199
200 msg = nl80211_cmd_msg(bss, 0, cmd);
201 if (!msg)
202 return NULL;
203
204 if (params->num_ssids) {
205 struct nlattr *ssids;
206
207 ssids = nla_nest_start(msg, NL80211_ATTR_SCAN_SSIDS);
208 if (ssids == NULL)
209 goto fail;
210 for (i = 0; i < params->num_ssids; i++) {
211 wpa_printf(MSG_MSGDUMP, "nl80211: Scan SSID %s",
212 wpa_ssid_txt(params->ssids[i].ssid,
213 params->ssids[i].ssid_len));
214 if (nla_put(msg, i + 1, params->ssids[i].ssid_len,
215 params->ssids[i].ssid))
216 goto fail;
217 }
218 nla_nest_end(msg, ssids);
219
220 /*
221 * If allowed, scan for 6 GHz APs that are reported by other
222 * APs. Note that if the flag is not set and 6 GHz channels are
223 * to be scanned, it is highly likely that non-PSC channels
224 * would be scanned passively (due to the Probe Request frame
225 * transmission restrictions mandated in IEEE Std 802.11ax-2021,
226 * 26.17.2.3 (Scanning in the 6 GHz band). Passive scanning of
227 * all non-PSC channels would take a significant amount of time.
228 */
229 if (!params->non_coloc_6ghz) {
230 wpa_printf(MSG_DEBUG,
231 "nl80211: Scan co-located APs on 6 GHz");
232 scan_flags |= NL80211_SCAN_FLAG_COLOCATED_6GHZ;
233 }
234 } else {
235 wpa_printf(MSG_DEBUG, "nl80211: Passive scan requested");
236 }
237
238 if (params->extra_ies) {
239 wpa_hexdump(MSG_MSGDUMP, "nl80211: Scan extra IEs",
240 params->extra_ies, params->extra_ies_len);
241 if (params->extra_ies_len > drv->capa.max_probe_req_ie_len)
242 wpa_printf(MSG_INFO,
243 "nl80211: Extra IEs for scan do not fit driver limit (%zu > %zu) - this is likely to fail",
244 params->extra_ies_len,
245 drv->capa.max_probe_req_ie_len);
246 if (nla_put(msg, NL80211_ATTR_IE, params->extra_ies_len,
247 params->extra_ies))
248 goto fail;
249 }
250
251 if (params->freqs) {
252 struct nlattr *freqs;
253 freqs = nla_nest_start(msg, NL80211_ATTR_SCAN_FREQUENCIES);
254 if (freqs == NULL)
255 goto fail;
256 for (i = 0; params->freqs[i]; i++) {
257 wpa_printf(MSG_MSGDUMP, "nl80211: Scan frequency %u "
258 "MHz", params->freqs[i]);
259 if (nla_put_u32(msg, i + 1, params->freqs[i]))
260 goto fail;
261 }
262 nla_nest_end(msg, freqs);
263 }
264
265 os_free(drv->filter_ssids);
266 drv->filter_ssids = params->filter_ssids;
267 params->filter_ssids = NULL;
268 drv->num_filter_ssids = params->num_filter_ssids;
269
270 if (!drv->hostapd && is_ap_interface(drv->nlmode)) {
271 wpa_printf(MSG_DEBUG, "nl80211: Add NL80211_SCAN_FLAG_AP");
272 scan_flags |= NL80211_SCAN_FLAG_AP;
273 }
274
275 if (params->only_new_results) {
276 wpa_printf(MSG_DEBUG, "nl80211: Add NL80211_SCAN_FLAG_FLUSH");
277 scan_flags |= NL80211_SCAN_FLAG_FLUSH;
278 }
279
280 if (params->low_priority && drv->have_low_prio_scan) {
281 wpa_printf(MSG_DEBUG,
282 "nl80211: Add NL80211_SCAN_FLAG_LOW_PRIORITY");
283 scan_flags |= NL80211_SCAN_FLAG_LOW_PRIORITY;
284 }
285
286 if (params->mac_addr_rand) {
287 wpa_printf(MSG_DEBUG,
288 "nl80211: Add NL80211_SCAN_FLAG_RANDOM_ADDR");
289 scan_flags |= NL80211_SCAN_FLAG_RANDOM_ADDR;
290
291 if (params->mac_addr) {
292 wpa_printf(MSG_DEBUG, "nl80211: MAC address: " MACSTR,
293 MAC2STR(params->mac_addr));
294 if (nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN,
295 params->mac_addr))
296 goto fail;
297 }
298
299 if (params->mac_addr_mask) {
300 wpa_printf(MSG_DEBUG, "nl80211: MAC address mask: "
301 MACSTR, MAC2STR(params->mac_addr_mask));
302 if (nla_put(msg, NL80211_ATTR_MAC_MASK, ETH_ALEN,
303 params->mac_addr_mask))
304 goto fail;
305 }
306 }
307
308 if (params->duration) {
309 if (!(drv->capa.rrm_flags &
310 WPA_DRIVER_FLAGS_SUPPORT_SET_SCAN_DWELL) ||
311 nla_put_u16(msg, NL80211_ATTR_MEASUREMENT_DURATION,
312 params->duration))
313 goto fail;
314
315 if (params->duration_mandatory &&
316 nla_put_flag(msg,
317 NL80211_ATTR_MEASUREMENT_DURATION_MANDATORY))
318 goto fail;
319 }
320
321 if (params->oce_scan) {
322 wpa_printf(MSG_DEBUG,
323 "nl80211: Add NL80211_SCAN_FLAG_FILS_MAX_CHANNEL_TIME");
324 wpa_printf(MSG_DEBUG,
325 "nl80211: Add NL80211_SCAN_FLAG_ACCEPT_BCAST_PROBE_RESP");
326 wpa_printf(MSG_DEBUG,
327 "nl80211: Add NL80211_SCAN_FLAG_OCE_PROBE_REQ_MIN_TX_RATE");
328 wpa_printf(MSG_DEBUG,
329 "nl80211: Add NL80211_SCAN_FLAG_OCE_PROBE_REQ_DEFERRAL_SUPPRESSION");
330 scan_flags |= NL80211_SCAN_FLAG_FILS_MAX_CHANNEL_TIME |
331 NL80211_SCAN_FLAG_ACCEPT_BCAST_PROBE_RESP |
332 NL80211_SCAN_FLAG_OCE_PROBE_REQ_HIGH_TX_RATE |
333 NL80211_SCAN_FLAG_OCE_PROBE_REQ_DEFERRAL_SUPPRESSION;
334 }
335
336 if (params->min_probe_req_content) {
337 if (drv->capa.flags2 & WPA_DRIVER_FLAGS2_SCAN_MIN_PREQ)
338 scan_flags |= NL80211_SCAN_FLAG_MIN_PREQ_CONTENT;
339 else
340 wpa_printf(MSG_DEBUG,
341 "nl80211: NL80211_SCAN_FLAG_MIN_PREQ_CONTENT not supported");
342 }
343
344 if (scan_flags &&
345 nla_put_u32(msg, NL80211_ATTR_SCAN_FLAGS, scan_flags))
346 goto fail;
347
348 return msg;
349
350 fail:
351 nlmsg_free(msg);
352 return NULL;
353 }
354
355
356 /**
357 * wpa_driver_nl80211_scan - Request the driver to initiate scan
358 * @bss: Pointer to private driver data from wpa_driver_nl80211_init()
359 * @params: Scan parameters
360 * Returns: 0 on success, -1 on failure
361 */
wpa_driver_nl80211_scan(struct i802_bss * bss,struct wpa_driver_scan_params * params)362 int wpa_driver_nl80211_scan(struct i802_bss *bss,
363 struct wpa_driver_scan_params *params)
364 {
365 struct wpa_driver_nl80211_data *drv = bss->drv;
366 int ret = -1, timeout;
367 struct nl_msg *msg = NULL;
368
369 wpa_dbg(bss->ctx, MSG_DEBUG, "nl80211: scan request");
370 drv->scan_for_auth = 0;
371
372 if (TEST_FAIL())
373 return -1;
374
375 msg = nl80211_scan_common(bss, NL80211_CMD_TRIGGER_SCAN, params);
376 if (!msg)
377 return -1;
378
379 if (params->p2p_probe) {
380 struct nlattr *rates;
381
382 wpa_printf(MSG_DEBUG, "nl80211: P2P probe - mask SuppRates");
383
384 rates = nla_nest_start(msg, NL80211_ATTR_SCAN_SUPP_RATES);
385 if (rates == NULL)
386 goto fail;
387
388 /*
389 * Remove 2.4 GHz rates 1, 2, 5.5, 11 Mbps from supported rates
390 * by masking out everything else apart from the OFDM rates 6,
391 * 9, 12, 18, 24, 36, 48, 54 Mbps from non-MCS rates. All 5 GHz
392 * rates are left enabled.
393 */
394 if (nla_put(msg, NL80211_BAND_2GHZ, 8,
395 "\x0c\x12\x18\x24\x30\x48\x60\x6c"))
396 goto fail;
397 nla_nest_end(msg, rates);
398
399 if (nla_put_flag(msg, NL80211_ATTR_TX_NO_CCK_RATE))
400 goto fail;
401 }
402
403 if (params->bssid) {
404 wpa_printf(MSG_DEBUG, "nl80211: Scan for a specific BSSID: "
405 MACSTR, MAC2STR(params->bssid));
406 if (nla_put(msg, NL80211_ATTR_BSSID, ETH_ALEN, params->bssid))
407 goto fail;
408 /* NL80211_ATTR_MAC was used for this purpose initially and the
409 * NL80211_ATTR_BSSID was added in 2016 when MAC address
410 * randomization was added. For compatibility with older kernel
411 * versions, add the NL80211_ATTR_MAC attribute as well when
412 * the conflicting functionality is not in use. */
413 if (!params->mac_addr_rand &&
414 nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, params->bssid))
415 goto fail;
416 }
417
418 ret = send_and_recv_cmd(drv, msg);
419 msg = NULL;
420 if (ret) {
421 wpa_printf(MSG_DEBUG, "nl80211: Scan trigger failed: ret=%d "
422 "(%s)", ret, strerror(-ret));
423 if (drv->hostapd && is_ap_interface(drv->nlmode)) {
424 #ifdef CONFIG_IEEE80211BE
425 /* For multi link BSS, retry scan if any other links
426 * are busy scanning. */
427 if (ret == -EBUSY &&
428 nl80211_link_valid(bss->valid_links,
429 params->link_id)) {
430 struct i802_bss *link_bss;
431 u8 link_id;
432
433 wpa_printf(MSG_DEBUG,
434 "nl80211: Scan trigger on multi link BSS failed (requested link=%d on interface %s)",
435 params->link_id, bss->ifname);
436
437 for (link_bss = drv->first_bss; link_bss;
438 link_bss = link_bss->next) {
439 if (link_bss->scan_link)
440 break;
441 }
442
443 if (!link_bss) {
444 wpa_printf(MSG_DEBUG,
445 "nl80211: BSS information already running scan not available");
446 goto fail;
447 }
448
449 link_id = nl80211_get_link_id_from_link(
450 link_bss, link_bss->scan_link);
451 wpa_printf(MSG_DEBUG,
452 "nl80211: Scan already running on interface %s link %d",
453 link_bss->ifname, link_id);
454 goto fail;
455 }
456 #endif /* CONFIG_IEEE80211BE */
457
458 /*
459 * mac80211 does not allow scan requests in AP mode, so
460 * try to do this in station mode.
461 */
462 drv->ap_scan_as_station = drv->nlmode;
463 if (wpa_driver_nl80211_set_mode(
464 bss, NL80211_IFTYPE_STATION) ||
465 wpa_driver_nl80211_scan(bss, params)) {
466 nl80211_restore_ap_mode(bss);
467 goto fail;
468 }
469
470 ret = 0;
471 } else
472 goto fail;
473 }
474
475 drv->scan_state = SCAN_REQUESTED;
476 /* Not all drivers generate "scan completed" wireless event, so try to
477 * read results after a timeout. */
478 timeout = drv->uses_6ghz ? 20 : 10;
479 if (drv->uses_s1g)
480 timeout += 5;
481 if (drv->scan_complete_events) {
482 /*
483 * The driver seems to deliver events to notify when scan is
484 * complete, so use longer timeout to avoid race conditions
485 * with scanning and following association request.
486 */
487 timeout = 30;
488 }
489 wpa_printf(MSG_DEBUG, "Scan requested (ret=%d) - scan timeout %d "
490 "seconds", ret, timeout);
491 eloop_cancel_timeout(wpa_driver_nl80211_scan_timeout, drv, bss->ctx);
492 eloop_register_timeout(timeout, 0, wpa_driver_nl80211_scan_timeout,
493 drv, bss->ctx);
494 drv->last_scan_cmd = NL80211_CMD_TRIGGER_SCAN;
495
496 bss->scan_link = bss->flink;
497 if (is_ap_interface(drv->nlmode) &&
498 nl80211_link_valid(bss->valid_links, params->link_id)) {
499 wpa_dbg(bss->ctx, MSG_DEBUG,
500 "nl80211: Scan requested for link %d",
501 params->link_id);
502 bss->scan_link = nl80211_get_link(bss, params->link_id);
503 }
504
505 fail:
506 nlmsg_free(msg);
507 return ret;
508 }
509
510
511 static int
nl80211_sched_scan_add_scan_plans(struct wpa_driver_nl80211_data * drv,struct nl_msg * msg,struct wpa_driver_scan_params * params)512 nl80211_sched_scan_add_scan_plans(struct wpa_driver_nl80211_data *drv,
513 struct nl_msg *msg,
514 struct wpa_driver_scan_params *params)
515 {
516 struct nlattr *plans;
517 struct sched_scan_plan *scan_plans = params->sched_scan_plans;
518 unsigned int i;
519
520 plans = nla_nest_start(msg, NL80211_ATTR_SCHED_SCAN_PLANS);
521 if (!plans)
522 return -1;
523
524 for (i = 0; i < params->sched_scan_plans_num; i++) {
525 struct nlattr *plan = nla_nest_start(msg, i + 1);
526
527 if (!plan)
528 return -1;
529
530 if (!scan_plans[i].interval ||
531 scan_plans[i].interval >
532 drv->capa.max_sched_scan_plan_interval) {
533 wpa_printf(MSG_DEBUG,
534 "nl80211: sched scan plan no. %u: Invalid interval: %u",
535 i, scan_plans[i].interval);
536 return -1;
537 }
538
539 if (nla_put_u32(msg, NL80211_SCHED_SCAN_PLAN_INTERVAL,
540 scan_plans[i].interval))
541 return -1;
542
543 if (scan_plans[i].iterations >
544 drv->capa.max_sched_scan_plan_iterations) {
545 wpa_printf(MSG_DEBUG,
546 "nl80211: sched scan plan no. %u: Invalid number of iterations: %u",
547 i, scan_plans[i].iterations);
548 return -1;
549 }
550
551 if (scan_plans[i].iterations &&
552 nla_put_u32(msg, NL80211_SCHED_SCAN_PLAN_ITERATIONS,
553 scan_plans[i].iterations))
554 return -1;
555
556 nla_nest_end(msg, plan);
557
558 /*
559 * All the scan plans must specify the number of iterations
560 * except the last plan, which will run infinitely. So if the
561 * number of iterations is not specified, this ought to be the
562 * last scan plan.
563 */
564 if (!scan_plans[i].iterations)
565 break;
566 }
567
568 if (i != params->sched_scan_plans_num - 1) {
569 wpa_printf(MSG_DEBUG,
570 "nl80211: All sched scan plans but the last must specify number of iterations");
571 return -1;
572 }
573
574 nla_nest_end(msg, plans);
575 return 0;
576 }
577
578
579 /**
580 * wpa_driver_nl80211_sched_scan - Initiate a scheduled scan
581 * @priv: Pointer to private driver data from wpa_driver_nl80211_init()
582 * @params: Scan parameters
583 * Returns: 0 on success, -1 on failure or if not supported
584 */
wpa_driver_nl80211_sched_scan(void * priv,struct wpa_driver_scan_params * params)585 int wpa_driver_nl80211_sched_scan(void *priv,
586 struct wpa_driver_scan_params *params)
587 {
588 struct i802_bss *bss = priv;
589 struct wpa_driver_nl80211_data *drv = bss->drv;
590 int ret = -1;
591 struct nl_msg *msg;
592 size_t i;
593
594 wpa_dbg(drv->ctx, MSG_DEBUG, "nl80211: sched_scan request");
595
596 #ifdef ANDROID
597 if (!drv->capa.sched_scan_supported)
598 return android_pno_start(bss, params);
599 #endif /* ANDROID */
600
601 if (!params->sched_scan_plans_num ||
602 params->sched_scan_plans_num > drv->capa.max_sched_scan_plans) {
603 wpa_printf(MSG_ERROR,
604 "nl80211: Invalid number of sched scan plans: %u",
605 params->sched_scan_plans_num);
606 return -1;
607 }
608
609 msg = nl80211_scan_common(bss, NL80211_CMD_START_SCHED_SCAN, params);
610 if (!msg)
611 goto fail;
612
613 if (drv->capa.max_sched_scan_plan_iterations) {
614 if (nl80211_sched_scan_add_scan_plans(drv, msg, params))
615 goto fail;
616 } else {
617 if (nla_put_u32(msg, NL80211_ATTR_SCHED_SCAN_INTERVAL,
618 params->sched_scan_plans[0].interval * 1000))
619 goto fail;
620 }
621
622 if ((drv->num_filter_ssids &&
623 (int) drv->num_filter_ssids <= drv->capa.max_match_sets) ||
624 params->filter_rssi) {
625 struct nlattr *match_sets;
626 match_sets = nla_nest_start(msg, NL80211_ATTR_SCHED_SCAN_MATCH);
627 if (match_sets == NULL)
628 goto fail;
629
630 for (i = 0; i < drv->num_filter_ssids; i++) {
631 struct nlattr *match_set_ssid;
632 wpa_printf(MSG_MSGDUMP,
633 "nl80211: Sched scan filter SSID %s",
634 wpa_ssid_txt(drv->filter_ssids[i].ssid,
635 drv->filter_ssids[i].ssid_len));
636
637 match_set_ssid = nla_nest_start(msg, i + 1);
638 if (match_set_ssid == NULL ||
639 nla_put(msg, NL80211_ATTR_SCHED_SCAN_MATCH_SSID,
640 drv->filter_ssids[i].ssid_len,
641 drv->filter_ssids[i].ssid) ||
642 (params->filter_rssi &&
643 nla_put_u32(msg,
644 NL80211_SCHED_SCAN_MATCH_ATTR_RSSI,
645 params->filter_rssi)))
646 goto fail;
647
648 nla_nest_end(msg, match_set_ssid);
649 }
650
651 /*
652 * Due to backward compatibility code, newer kernels treat this
653 * matchset (with only an RSSI filter) as the default for all
654 * other matchsets, unless it's the only one, in which case the
655 * matchset will actually allow all SSIDs above the RSSI.
656 */
657 if (params->filter_rssi) {
658 struct nlattr *match_set_rssi;
659 match_set_rssi = nla_nest_start(msg, 0);
660 if (match_set_rssi == NULL ||
661 nla_put_u32(msg, NL80211_SCHED_SCAN_MATCH_ATTR_RSSI,
662 params->filter_rssi))
663 goto fail;
664 wpa_printf(MSG_MSGDUMP,
665 "nl80211: Sched scan RSSI filter %d dBm",
666 params->filter_rssi);
667 nla_nest_end(msg, match_set_rssi);
668 }
669
670 nla_nest_end(msg, match_sets);
671 }
672
673 if (params->relative_rssi_set) {
674 struct nl80211_bss_select_rssi_adjust rssi_adjust;
675
676 os_memset(&rssi_adjust, 0, sizeof(rssi_adjust));
677 wpa_printf(MSG_DEBUG, "nl80211: Relative RSSI: %d",
678 params->relative_rssi);
679 if (nla_put_u32(msg, NL80211_ATTR_SCHED_SCAN_RELATIVE_RSSI,
680 params->relative_rssi))
681 goto fail;
682
683 if (params->relative_adjust_rssi) {
684 int pref_band_set = 1;
685
686 switch (params->relative_adjust_band) {
687 case WPA_SETBAND_5G:
688 rssi_adjust.band = NL80211_BAND_5GHZ;
689 break;
690 case WPA_SETBAND_2G:
691 rssi_adjust.band = NL80211_BAND_2GHZ;
692 break;
693 default:
694 pref_band_set = 0;
695 break;
696 }
697 rssi_adjust.delta = params->relative_adjust_rssi;
698
699 if (pref_band_set &&
700 nla_put(msg, NL80211_ATTR_SCHED_SCAN_RSSI_ADJUST,
701 sizeof(rssi_adjust), &rssi_adjust))
702 goto fail;
703 }
704 }
705
706 if (params->sched_scan_start_delay &&
707 nla_put_u32(msg, NL80211_ATTR_SCHED_SCAN_DELAY,
708 params->sched_scan_start_delay))
709 goto fail;
710
711 ret = send_and_recv_cmd(drv, msg);
712
713 /* TODO: if we get an error here, we should fall back to normal scan */
714
715 msg = NULL;
716 if (ret) {
717 wpa_printf(MSG_DEBUG, "nl80211: Sched scan start failed: "
718 "ret=%d (%s)", ret, strerror(-ret));
719 goto fail;
720 }
721
722 wpa_printf(MSG_DEBUG, "nl80211: Sched scan requested (ret=%d)", ret);
723
724 fail:
725 nlmsg_free(msg);
726 return ret;
727 }
728
729
730 /**
731 * wpa_driver_nl80211_stop_sched_scan - Stop a scheduled scan
732 * @priv: Pointer to private driver data from wpa_driver_nl80211_init()
733 * Returns: 0 on success, -1 on failure or if not supported
734 */
wpa_driver_nl80211_stop_sched_scan(void * priv)735 int wpa_driver_nl80211_stop_sched_scan(void *priv)
736 {
737 struct i802_bss *bss = priv;
738 struct wpa_driver_nl80211_data *drv = bss->drv;
739 int ret;
740 struct nl_msg *msg;
741
742 #ifdef ANDROID
743 if (!drv->capa.sched_scan_supported)
744 return android_pno_stop(bss);
745 #endif /* ANDROID */
746
747 msg = nl80211_bss_msg(bss, 0, NL80211_CMD_STOP_SCHED_SCAN);
748 ret = send_and_recv_cmd(drv, msg);
749 if (ret) {
750 wpa_printf(MSG_DEBUG,
751 "nl80211: Sched scan stop failed: ret=%d (%s)",
752 ret, strerror(-ret));
753 } else {
754 wpa_printf(MSG_DEBUG,
755 "nl80211: Sched scan stop sent");
756 }
757
758 return ret;
759 }
760
761
nl80211_scan_filtered(struct wpa_driver_nl80211_data * drv,const u8 * ie,size_t ie_len)762 static int nl80211_scan_filtered(struct wpa_driver_nl80211_data *drv,
763 const u8 *ie, size_t ie_len)
764 {
765 const u8 *ssid;
766 size_t i;
767
768 if (drv->filter_ssids == NULL)
769 return 0;
770
771 ssid = get_ie(ie, ie_len, WLAN_EID_SSID);
772 if (ssid == NULL)
773 return 1;
774
775 for (i = 0; i < drv->num_filter_ssids; i++) {
776 if (ssid[1] == drv->filter_ssids[i].ssid_len &&
777 os_memcmp(ssid + 2, drv->filter_ssids[i].ssid, ssid[1]) ==
778 0)
779 return 0;
780 }
781
782 return 1;
783 }
784
785
786 static struct wpa_scan_res *
nl80211_parse_bss_info(struct wpa_driver_nl80211_data * drv,struct nl_msg * msg,const u8 * bssid)787 nl80211_parse_bss_info(struct wpa_driver_nl80211_data *drv,
788 struct nl_msg *msg, const u8 *bssid)
789 {
790 struct nlattr *tb[NL80211_ATTR_MAX + 1];
791 struct genlmsghdr *gnlh = nlmsg_data(nlmsg_hdr(msg));
792 struct nlattr *bss[NL80211_BSS_MAX + 1];
793 static struct nla_policy bss_policy[NL80211_BSS_MAX + 1] = {
794 [NL80211_BSS_BSSID] = { .type = NLA_UNSPEC },
795 [NL80211_BSS_FREQUENCY] = { .type = NLA_U32 },
796 [NL80211_BSS_TSF] = { .type = NLA_U64 },
797 [NL80211_BSS_BEACON_INTERVAL] = { .type = NLA_U16 },
798 [NL80211_BSS_CAPABILITY] = { .type = NLA_U16 },
799 [NL80211_BSS_INFORMATION_ELEMENTS] = { .type = NLA_UNSPEC },
800 [NL80211_BSS_SIGNAL_MBM] = { .type = NLA_U32 },
801 [NL80211_BSS_SIGNAL_UNSPEC] = { .type = NLA_U8 },
802 [NL80211_BSS_STATUS] = { .type = NLA_U32 },
803 [NL80211_BSS_SEEN_MS_AGO] = { .type = NLA_U32 },
804 [NL80211_BSS_BEACON_IES] = { .type = NLA_UNSPEC },
805 [NL80211_BSS_BEACON_TSF] = { .type = NLA_U64 },
806 [NL80211_BSS_PARENT_TSF] = { .type = NLA_U64 },
807 [NL80211_BSS_PARENT_BSSID] = { .type = NLA_UNSPEC },
808 [NL80211_BSS_LAST_SEEN_BOOTTIME] = { .type = NLA_U64 },
809 };
810 struct wpa_scan_res *r;
811 const u8 *ie, *beacon_ie;
812 size_t ie_len, beacon_ie_len;
813 u8 *pos;
814
815 nla_parse(tb, NL80211_ATTR_MAX, genlmsg_attrdata(gnlh, 0),
816 genlmsg_attrlen(gnlh, 0), NULL);
817 if (!tb[NL80211_ATTR_BSS])
818 return NULL;
819 if (nla_parse_nested(bss, NL80211_BSS_MAX, tb[NL80211_ATTR_BSS],
820 bss_policy))
821 return NULL;
822 if (bssid && bss[NL80211_BSS_BSSID] &&
823 !ether_addr_equal(bssid, nla_data(bss[NL80211_BSS_BSSID])))
824 return NULL;
825 if (bss[NL80211_BSS_INFORMATION_ELEMENTS]) {
826 ie = nla_data(bss[NL80211_BSS_INFORMATION_ELEMENTS]);
827 ie_len = nla_len(bss[NL80211_BSS_INFORMATION_ELEMENTS]);
828 } else {
829 ie = NULL;
830 ie_len = 0;
831 }
832 if (bss[NL80211_BSS_BEACON_IES]) {
833 beacon_ie = nla_data(bss[NL80211_BSS_BEACON_IES]);
834 beacon_ie_len = nla_len(bss[NL80211_BSS_BEACON_IES]);
835 } else {
836 beacon_ie = NULL;
837 beacon_ie_len = 0;
838 }
839
840 if (nl80211_scan_filtered(drv, ie ? ie : beacon_ie,
841 ie ? ie_len : beacon_ie_len))
842 return NULL;
843
844 r = os_zalloc(sizeof(*r) + ie_len + beacon_ie_len);
845 if (r == NULL)
846 return NULL;
847 if (bss[NL80211_BSS_BSSID])
848 os_memcpy(r->bssid, nla_data(bss[NL80211_BSS_BSSID]),
849 ETH_ALEN);
850 if (bss[NL80211_BSS_FREQUENCY])
851 r->freq = nla_get_u32(bss[NL80211_BSS_FREQUENCY]);
852 if (bss[NL80211_BSS_BEACON_INTERVAL])
853 r->beacon_int = nla_get_u16(bss[NL80211_BSS_BEACON_INTERVAL]);
854 if (bss[NL80211_BSS_CAPABILITY])
855 r->caps = nla_get_u16(bss[NL80211_BSS_CAPABILITY]);
856 r->flags |= WPA_SCAN_NOISE_INVALID;
857 if (bss[NL80211_BSS_SIGNAL_MBM]) {
858 r->level = nla_get_u32(bss[NL80211_BSS_SIGNAL_MBM]);
859 r->level /= 100; /* mBm to dBm */
860 r->flags |= WPA_SCAN_LEVEL_DBM | WPA_SCAN_QUAL_INVALID;
861 } else if (bss[NL80211_BSS_SIGNAL_UNSPEC]) {
862 r->level = nla_get_u8(bss[NL80211_BSS_SIGNAL_UNSPEC]);
863 r->flags |= WPA_SCAN_QUAL_INVALID;
864 } else
865 r->flags |= WPA_SCAN_LEVEL_INVALID | WPA_SCAN_QUAL_INVALID;
866 if (bss[NL80211_BSS_TSF])
867 r->tsf = nla_get_u64(bss[NL80211_BSS_TSF]);
868 if (bss[NL80211_BSS_BEACON_TSF]) {
869 u64 tsf = nla_get_u64(bss[NL80211_BSS_BEACON_TSF]);
870 if (tsf > r->tsf) {
871 r->tsf = tsf;
872 r->beacon_newer = true;
873 }
874 }
875 if (bss[NL80211_BSS_SEEN_MS_AGO])
876 r->age = nla_get_u32(bss[NL80211_BSS_SEEN_MS_AGO]);
877 if (bss[NL80211_BSS_LAST_SEEN_BOOTTIME]) {
878 u64 boottime;
879 struct timespec ts;
880
881 #ifndef CLOCK_BOOTTIME
882 #define CLOCK_BOOTTIME 7
883 #endif
884 if (clock_gettime(CLOCK_BOOTTIME, &ts) == 0) {
885 /* Use more accurate boottime information to update the
886 * scan result age since the driver reports this and
887 * CLOCK_BOOTTIME is available. */
888 boottime = nla_get_u64(
889 bss[NL80211_BSS_LAST_SEEN_BOOTTIME]);
890 r->age = ((u64) ts.tv_sec * 1000000000 +
891 ts.tv_nsec - boottime) / 1000000;
892 }
893 }
894 r->ie_len = ie_len;
895 pos = (u8 *) (r + 1);
896 if (ie) {
897 os_memcpy(pos, ie, ie_len);
898 pos += ie_len;
899 }
900 r->beacon_ie_len = beacon_ie_len;
901 if (beacon_ie)
902 os_memcpy(pos, beacon_ie, beacon_ie_len);
903
904 if (bss[NL80211_BSS_STATUS]) {
905 enum nl80211_bss_status status;
906 status = nla_get_u32(bss[NL80211_BSS_STATUS]);
907 switch (status) {
908 case NL80211_BSS_STATUS_ASSOCIATED:
909 r->flags |= WPA_SCAN_ASSOCIATED;
910 break;
911 default:
912 break;
913 }
914 }
915
916 if (bss[NL80211_BSS_PARENT_TSF] && bss[NL80211_BSS_PARENT_BSSID]) {
917 r->parent_tsf = nla_get_u64(bss[NL80211_BSS_PARENT_TSF]);
918 os_memcpy(r->tsf_bssid, nla_data(bss[NL80211_BSS_PARENT_BSSID]),
919 ETH_ALEN);
920 }
921
922 return r;
923 }
924
925
926 struct nl80211_bss_info_arg {
927 struct wpa_driver_nl80211_data *drv;
928 struct wpa_scan_results *res;
929 const u8 *bssid;
930 };
931
bss_info_handler(struct nl_msg * msg,void * arg)932 static int bss_info_handler(struct nl_msg *msg, void *arg)
933 {
934 struct nl80211_bss_info_arg *_arg = arg;
935 struct wpa_scan_results *res = _arg->res;
936 struct wpa_scan_res **tmp;
937 struct wpa_scan_res *r;
938
939 r = nl80211_parse_bss_info(_arg->drv, msg, _arg->bssid);
940 if (!r)
941 return NL_SKIP;
942
943 if (!res) {
944 os_free(r);
945 return NL_SKIP;
946 }
947 tmp = os_realloc_array(res->res, res->num + 1,
948 sizeof(struct wpa_scan_res *));
949 if (tmp == NULL) {
950 os_free(r);
951 return NL_SKIP;
952 }
953 tmp[res->num++] = r;
954 res->res = tmp;
955
956 return NL_SKIP;
957 }
958
959
clear_state_mismatch(struct wpa_driver_nl80211_data * drv,const u8 * addr)960 static void clear_state_mismatch(struct wpa_driver_nl80211_data *drv,
961 const u8 *addr)
962 {
963 if (drv->capa.flags & WPA_DRIVER_FLAGS_SME) {
964 wpa_printf(MSG_DEBUG, "nl80211: Clear possible state "
965 "mismatch (" MACSTR ")", MAC2STR(addr));
966 wpa_driver_nl80211_mlme(drv, addr,
967 NL80211_CMD_DEAUTHENTICATE,
968 WLAN_REASON_PREV_AUTH_NOT_VALID, 1,
969 drv->first_bss);
970 }
971 }
972
973
nl80211_check_bss_status(struct wpa_driver_nl80211_data * drv,struct wpa_scan_res * r)974 static void nl80211_check_bss_status(struct wpa_driver_nl80211_data *drv,
975 struct wpa_scan_res *r)
976 {
977 if (!(r->flags & WPA_SCAN_ASSOCIATED))
978 return;
979
980 wpa_printf(MSG_DEBUG, "nl80211: Scan results indicate BSS status with "
981 MACSTR " as associated", MAC2STR(r->bssid));
982 if (is_sta_interface(drv->nlmode) && !drv->associated) {
983 wpa_printf(MSG_DEBUG,
984 "nl80211: Local state (not associated) does not match with BSS state");
985 clear_state_mismatch(drv, r->bssid);
986 } else if (is_sta_interface(drv->nlmode) &&
987 !ether_addr_equal(drv->bssid, r->bssid)) {
988 wpa_printf(MSG_DEBUG,
989 "nl80211: Local state (associated with " MACSTR
990 ") does not match with BSS state",
991 MAC2STR(drv->bssid));
992
993 if (!ether_addr_equal(drv->sta_mlo_info.ap_mld_addr,
994 drv->bssid)) {
995 clear_state_mismatch(drv, r->bssid);
996
997 if (!is_zero_ether_addr(drv->sta_mlo_info.ap_mld_addr))
998 clear_state_mismatch(
999 drv, drv->sta_mlo_info.ap_mld_addr);
1000 else
1001 clear_state_mismatch(drv, drv->bssid);
1002
1003 } else {
1004 wpa_printf(MSG_DEBUG,
1005 "nl80211: BSSID is the MLD address");
1006 }
1007 }
1008 }
1009
1010
wpa_driver_nl80211_check_bss_status(struct wpa_driver_nl80211_data * drv,struct wpa_scan_results * res)1011 static void wpa_driver_nl80211_check_bss_status(
1012 struct wpa_driver_nl80211_data *drv, struct wpa_scan_results *res)
1013 {
1014 size_t i;
1015
1016 for (i = 0; i < res->num; i++)
1017 nl80211_check_bss_status(drv, res->res[i]);
1018 }
1019
1020
nl80211_update_scan_res_noise(struct wpa_scan_res * res,struct nl80211_noise_info * info)1021 static void nl80211_update_scan_res_noise(struct wpa_scan_res *res,
1022 struct nl80211_noise_info *info)
1023 {
1024 unsigned int i;
1025
1026 for (i = 0; res && i < info->count; i++) {
1027 if ((int) info->freq[i] != res->freq ||
1028 !(res->flags & WPA_SCAN_NOISE_INVALID))
1029 continue;
1030 res->noise = info->noise[i];
1031 res->flags &= ~WPA_SCAN_NOISE_INVALID;
1032 }
1033 }
1034
1035
1036 static struct wpa_scan_results *
nl80211_get_scan_results(struct wpa_driver_nl80211_data * drv,const u8 * bssid)1037 nl80211_get_scan_results(struct wpa_driver_nl80211_data *drv, const u8 *bssid)
1038 {
1039 struct nl_msg *msg;
1040 struct wpa_scan_results *res;
1041 int ret;
1042 struct nl80211_bss_info_arg arg;
1043 int count = 0;
1044
1045 try_again:
1046 res = os_zalloc(sizeof(*res));
1047 if (res == NULL)
1048 return NULL;
1049 if (!(msg = nl80211_cmd_msg(drv->first_bss, NLM_F_DUMP,
1050 NL80211_CMD_GET_SCAN))) {
1051 wpa_scan_results_free(res);
1052 return NULL;
1053 }
1054
1055 arg.drv = drv;
1056 arg.res = res;
1057 arg.bssid = bssid;
1058 ret = send_and_recv_resp(drv, msg, bss_info_handler, &arg);
1059 if (ret == -EAGAIN) {
1060 count++;
1061 if (count >= 10) {
1062 wpa_printf(MSG_INFO,
1063 "nl80211: Failed to receive consistent scan result dump");
1064 } else {
1065 wpa_printf(MSG_DEBUG,
1066 "nl80211: Failed to receive consistent scan result dump - try again");
1067 wpa_scan_results_free(res);
1068 goto try_again;
1069 }
1070 }
1071 if (ret == 0) {
1072 struct nl80211_noise_info info;
1073
1074 wpa_printf(MSG_DEBUG, "nl80211: Received scan results (%lu "
1075 "BSSes)", (unsigned long) res->num);
1076 if (nl80211_get_noise_for_scan_results(drv, &info) == 0) {
1077 size_t i;
1078
1079 for (i = 0; i < res->num; ++i)
1080 nl80211_update_scan_res_noise(res->res[i],
1081 &info);
1082 }
1083 return res;
1084 }
1085 wpa_printf(MSG_DEBUG, "nl80211: Scan result fetch failed: ret=%d "
1086 "(%s)", ret, strerror(-ret));
1087 wpa_scan_results_free(res);
1088 return NULL;
1089 }
1090
1091
1092 /**
1093 * wpa_driver_nl80211_get_scan_results - Fetch the latest scan results
1094 * @priv: Pointer to private nl80211 data from wpa_driver_nl80211_init()
1095 * @bssid: Return results only for the specified BSSID, %NULL for all
1096 * Returns: Scan results on success, -1 on failure
1097 */
wpa_driver_nl80211_get_scan_results(void * priv,const u8 * bssid)1098 struct wpa_scan_results * wpa_driver_nl80211_get_scan_results(void *priv,
1099 const u8 *bssid)
1100 {
1101 struct i802_bss *bss = priv;
1102 struct wpa_driver_nl80211_data *drv = bss->drv;
1103 struct wpa_scan_results *res;
1104
1105 res = nl80211_get_scan_results(drv, bssid);
1106 if (res)
1107 wpa_driver_nl80211_check_bss_status(drv, res);
1108 return res;
1109 }
1110
1111
1112 struct nl80211_dump_scan_ctx {
1113 struct wpa_driver_nl80211_data *drv;
1114 int idx;
1115 };
1116
nl80211_dump_scan_handler(struct nl_msg * msg,void * arg)1117 static int nl80211_dump_scan_handler(struct nl_msg *msg, void *arg)
1118 {
1119 struct nl80211_dump_scan_ctx *ctx = arg;
1120 struct wpa_scan_res *r;
1121
1122 r = nl80211_parse_bss_info(ctx->drv, msg, NULL);
1123 if (!r)
1124 return NL_SKIP;
1125 wpa_printf(MSG_DEBUG, "nl80211: %d " MACSTR " %d%s",
1126 ctx->idx, MAC2STR(r->bssid), r->freq,
1127 r->flags & WPA_SCAN_ASSOCIATED ? " [assoc]" : "");
1128 ctx->idx++;
1129 os_free(r);
1130 return NL_SKIP;
1131 }
1132
1133
nl80211_dump_scan(struct wpa_driver_nl80211_data * drv)1134 void nl80211_dump_scan(struct wpa_driver_nl80211_data *drv)
1135 {
1136 struct nl_msg *msg;
1137 struct nl80211_dump_scan_ctx ctx;
1138
1139 wpa_printf(MSG_DEBUG, "nl80211: Scan result dump");
1140 ctx.drv = drv;
1141 ctx.idx = 0;
1142 msg = nl80211_cmd_msg(drv->first_bss, NLM_F_DUMP, NL80211_CMD_GET_SCAN);
1143 if (msg)
1144 send_and_recv_resp(drv, msg, nl80211_dump_scan_handler, &ctx);
1145 }
1146
1147
wpa_driver_nl80211_abort_scan(void * priv,u64 scan_cookie)1148 int wpa_driver_nl80211_abort_scan(void *priv, u64 scan_cookie)
1149 {
1150 struct i802_bss *bss = priv;
1151 #ifdef CONFIG_DRIVER_NL80211_QCA
1152 struct wpa_driver_nl80211_data *drv = bss->drv;
1153
1154 /*
1155 * If scan_cookie is zero, a normal scan through kernel (cfg80211)
1156 * was triggered, hence abort the cfg80211 scan instead of the vendor
1157 * scan.
1158 */
1159 if (drv->scan_vendor_cmd_avail && scan_cookie)
1160 return nl80211_abort_vendor_scan(drv, scan_cookie);
1161 #endif /* CONFIG_DRIVER_NL80211_QCA */
1162 return nl80211_abort_scan(bss);
1163 }
1164
1165
1166 #ifdef CONFIG_DRIVER_NL80211_QCA
1167
scan_cookie_handler(struct nl_msg * msg,void * arg)1168 static int scan_cookie_handler(struct nl_msg *msg, void *arg)
1169 {
1170 struct nlattr *tb[NL80211_ATTR_MAX + 1];
1171 struct genlmsghdr *gnlh = nlmsg_data(nlmsg_hdr(msg));
1172 u64 *cookie = arg;
1173
1174 nla_parse(tb, NL80211_ATTR_MAX, genlmsg_attrdata(gnlh, 0),
1175 genlmsg_attrlen(gnlh, 0), NULL);
1176
1177 if (tb[NL80211_ATTR_VENDOR_DATA]) {
1178 struct nlattr *nl_vendor = tb[NL80211_ATTR_VENDOR_DATA];
1179 struct nlattr *tb_vendor[QCA_WLAN_VENDOR_ATTR_SCAN_MAX + 1];
1180
1181 nla_parse(tb_vendor, QCA_WLAN_VENDOR_ATTR_SCAN_MAX,
1182 nla_data(nl_vendor), nla_len(nl_vendor), NULL);
1183
1184 if (tb_vendor[QCA_WLAN_VENDOR_ATTR_SCAN_COOKIE])
1185 *cookie = nla_get_u64(
1186 tb_vendor[QCA_WLAN_VENDOR_ATTR_SCAN_COOKIE]);
1187 }
1188
1189 return NL_SKIP;
1190 }
1191
1192
1193 /**
1194 * wpa_driver_nl80211_vendor_scan - Request the driver to initiate a vendor scan
1195 * @bss: Pointer to private driver data from wpa_driver_nl80211_init()
1196 * @params: Scan parameters
1197 * Returns: 0 on success, -1 on failure
1198 */
wpa_driver_nl80211_vendor_scan(struct i802_bss * bss,struct wpa_driver_scan_params * params)1199 int wpa_driver_nl80211_vendor_scan(struct i802_bss *bss,
1200 struct wpa_driver_scan_params *params)
1201 {
1202 struct wpa_driver_nl80211_data *drv = bss->drv;
1203 struct nl_msg *msg = NULL;
1204 struct nlattr *attr;
1205 size_t i;
1206 u32 scan_flags = 0;
1207 int ret = -1;
1208 u64 cookie = 0;
1209
1210 wpa_dbg(drv->ctx, MSG_DEBUG, "nl80211: vendor scan request");
1211 drv->scan_for_auth = 0;
1212
1213 if (!(msg = nl80211_bss_msg(bss, 0, NL80211_CMD_VENDOR)) ||
1214 nla_put_u32(msg, NL80211_ATTR_VENDOR_ID, OUI_QCA) ||
1215 nla_put_u32(msg, NL80211_ATTR_VENDOR_SUBCMD,
1216 QCA_NL80211_VENDOR_SUBCMD_TRIGGER_SCAN) )
1217 goto fail;
1218
1219 attr = nla_nest_start(msg, NL80211_ATTR_VENDOR_DATA);
1220 if (attr == NULL)
1221 goto fail;
1222
1223 if (params->num_ssids) {
1224 struct nlattr *ssids;
1225
1226 ssids = nla_nest_start(msg, QCA_WLAN_VENDOR_ATTR_SCAN_SSIDS);
1227 if (ssids == NULL)
1228 goto fail;
1229 for (i = 0; i < params->num_ssids; i++) {
1230 wpa_printf(MSG_MSGDUMP, "nl80211: Scan SSID %s",
1231 wpa_ssid_txt(params->ssids[i].ssid,
1232 params->ssids[i].ssid_len));
1233 if (nla_put(msg, i + 1, params->ssids[i].ssid_len,
1234 params->ssids[i].ssid))
1235 goto fail;
1236 }
1237 nla_nest_end(msg, ssids);
1238 }
1239
1240 if (params->extra_ies) {
1241 wpa_hexdump(MSG_MSGDUMP, "nl80211: Scan extra IEs",
1242 params->extra_ies, params->extra_ies_len);
1243 if (nla_put(msg, QCA_WLAN_VENDOR_ATTR_SCAN_IE,
1244 params->extra_ies_len, params->extra_ies))
1245 goto fail;
1246 }
1247
1248 if (params->freqs) {
1249 struct nlattr *freqs;
1250
1251 freqs = nla_nest_start(msg,
1252 QCA_WLAN_VENDOR_ATTR_SCAN_FREQUENCIES);
1253 if (freqs == NULL)
1254 goto fail;
1255 for (i = 0; params->freqs[i]; i++) {
1256 wpa_printf(MSG_MSGDUMP,
1257 "nl80211: Scan frequency %u MHz",
1258 params->freqs[i]);
1259 if (nla_put_u32(msg, i + 1, params->freqs[i]))
1260 goto fail;
1261 }
1262 nla_nest_end(msg, freqs);
1263 }
1264
1265 os_free(drv->filter_ssids);
1266 drv->filter_ssids = params->filter_ssids;
1267 params->filter_ssids = NULL;
1268 drv->num_filter_ssids = params->num_filter_ssids;
1269
1270 if (params->low_priority && drv->have_low_prio_scan) {
1271 wpa_printf(MSG_DEBUG,
1272 "nl80211: Add NL80211_SCAN_FLAG_LOW_PRIORITY");
1273 scan_flags |= NL80211_SCAN_FLAG_LOW_PRIORITY;
1274 }
1275
1276 if (params->mac_addr_rand) {
1277 wpa_printf(MSG_DEBUG,
1278 "nl80211: Add NL80211_SCAN_FLAG_RANDOM_ADDR");
1279 scan_flags |= NL80211_SCAN_FLAG_RANDOM_ADDR;
1280
1281 if (params->mac_addr) {
1282 wpa_printf(MSG_DEBUG, "nl80211: MAC address: " MACSTR,
1283 MAC2STR(params->mac_addr));
1284 if (nla_put(msg, QCA_WLAN_VENDOR_ATTR_SCAN_MAC,
1285 ETH_ALEN, params->mac_addr))
1286 goto fail;
1287 }
1288
1289 if (params->mac_addr_mask) {
1290 wpa_printf(MSG_DEBUG, "nl80211: MAC address mask: "
1291 MACSTR, MAC2STR(params->mac_addr_mask));
1292 if (nla_put(msg, QCA_WLAN_VENDOR_ATTR_SCAN_MAC_MASK,
1293 ETH_ALEN, params->mac_addr_mask))
1294 goto fail;
1295 }
1296 }
1297
1298 if (scan_flags &&
1299 nla_put_u32(msg, QCA_WLAN_VENDOR_ATTR_SCAN_FLAGS, scan_flags))
1300 goto fail;
1301
1302 if (params->p2p_probe) {
1303 struct nlattr *rates;
1304
1305 wpa_printf(MSG_DEBUG, "nl80211: P2P probe - mask SuppRates");
1306
1307 rates = nla_nest_start(msg,
1308 QCA_WLAN_VENDOR_ATTR_SCAN_SUPP_RATES);
1309 if (rates == NULL)
1310 goto fail;
1311
1312 /*
1313 * Remove 2.4 GHz rates 1, 2, 5.5, 11 Mbps from supported rates
1314 * by masking out everything else apart from the OFDM rates 6,
1315 * 9, 12, 18, 24, 36, 48, 54 Mbps from non-MCS rates. All 5 GHz
1316 * rates are left enabled.
1317 */
1318 if (nla_put(msg, NL80211_BAND_2GHZ, 8,
1319 "\x0c\x12\x18\x24\x30\x48\x60\x6c"))
1320 goto fail;
1321 nla_nest_end(msg, rates);
1322
1323 if (nla_put_flag(msg, QCA_WLAN_VENDOR_ATTR_SCAN_TX_NO_CCK_RATE))
1324 goto fail;
1325 }
1326
1327 if (params->bssid) {
1328 wpa_printf(MSG_DEBUG, "nl80211: Scan for a specific BSSID: "
1329 MACSTR, MAC2STR(params->bssid));
1330 if (nla_put(msg, QCA_WLAN_VENDOR_ATTR_SCAN_BSSID, ETH_ALEN,
1331 params->bssid))
1332 goto fail;
1333 }
1334
1335 if (is_ap_interface(drv->nlmode) &&
1336 params->link_id != NL80211_DRV_LINK_ID_NA &&
1337 nla_put_u8(msg, QCA_WLAN_VENDOR_ATTR_SCAN_LINK_ID, params->link_id))
1338 goto fail;
1339
1340 nla_nest_end(msg, attr);
1341
1342 ret = send_and_recv_resp(drv, msg, scan_cookie_handler, &cookie);
1343 msg = NULL;
1344 if (ret) {
1345 wpa_printf(MSG_DEBUG,
1346 "nl80211: Vendor scan trigger failed: ret=%d (%s)",
1347 ret, strerror(-ret));
1348 goto fail;
1349 }
1350
1351 drv->vendor_scan_cookie = cookie;
1352 drv->scan_state = SCAN_REQUESTED;
1353 /* Pass the cookie to the caller to help distinguish the scans. */
1354 params->scan_cookie = cookie;
1355
1356 wpa_printf(MSG_DEBUG,
1357 "nl80211: Vendor scan requested (ret=%d) - scan timeout 30 seconds, scan cookie:0x%llx",
1358 ret, (long long unsigned int) cookie);
1359 eloop_cancel_timeout(wpa_driver_nl80211_scan_timeout, drv, bss->ctx);
1360 eloop_register_timeout(30, 0, wpa_driver_nl80211_scan_timeout,
1361 drv, bss->ctx);
1362 drv->last_scan_cmd = NL80211_CMD_VENDOR;
1363
1364 fail:
1365 nlmsg_free(msg);
1366 return ret;
1367 }
1368
1369
1370 /**
1371 * nl80211_set_default_scan_ies - Set the scan default IEs to the driver
1372 * @priv: Pointer to private driver data from wpa_driver_nl80211_init()
1373 * @ies: Pointer to IEs buffer
1374 * @ies_len: Length of IEs in bytes
1375 * Returns: 0 on success, -1 on failure
1376 */
nl80211_set_default_scan_ies(void * priv,const u8 * ies,size_t ies_len)1377 int nl80211_set_default_scan_ies(void *priv, const u8 *ies, size_t ies_len)
1378 {
1379 struct i802_bss *bss = priv;
1380 struct wpa_driver_nl80211_data *drv = bss->drv;
1381 struct nl_msg *msg = NULL;
1382 struct nlattr *attr;
1383 int ret = -1;
1384
1385 if (!drv->set_wifi_conf_vendor_cmd_avail)
1386 return -1;
1387
1388 if (!(msg = nl80211_bss_msg(bss, 0, NL80211_CMD_VENDOR)) ||
1389 nla_put_u32(msg, NL80211_ATTR_VENDOR_ID, OUI_QCA) ||
1390 nla_put_u32(msg, NL80211_ATTR_VENDOR_SUBCMD,
1391 QCA_NL80211_VENDOR_SUBCMD_SET_WIFI_CONFIGURATION))
1392 goto fail;
1393
1394 attr = nla_nest_start(msg, NL80211_ATTR_VENDOR_DATA);
1395 if (attr == NULL)
1396 goto fail;
1397
1398 wpa_hexdump(MSG_MSGDUMP, "nl80211: Scan default IEs", ies, ies_len);
1399 if (nla_put(msg, QCA_WLAN_VENDOR_ATTR_CONFIG_SCAN_DEFAULT_IES,
1400 ies_len, ies))
1401 goto fail;
1402
1403 nla_nest_end(msg, attr);
1404
1405 ret = send_and_recv_cmd(drv, msg);
1406 msg = NULL;
1407 if (ret) {
1408 wpa_printf(MSG_ERROR,
1409 "nl80211: Set scan default IEs failed: ret=%d (%s)",
1410 ret, strerror(-ret));
1411 goto fail;
1412 }
1413
1414 fail:
1415 nlmsg_free(msg);
1416 return ret;
1417 }
1418
1419 #endif /* CONFIG_DRIVER_NL80211_QCA */
1420