• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 /*
2  * Marvell Wireless LAN device driver: scan ioctl and command handling
3  *
4  * Copyright (C) 2011, Marvell International Ltd.
5  *
6  * This software file (the "File") is distributed by Marvell International
7  * Ltd. under the terms of the GNU General Public License Version 2, June 1991
8  * (the "License").  You may use, redistribute and/or modify this File in
9  * accordance with the terms and conditions of the License, a copy of which
10  * is available by writing to the Free Software Foundation, Inc.,
11  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA or on the
12  * worldwide web at http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt.
13  *
14  * THE FILE IS DISTRIBUTED AS-IS, WITHOUT WARRANTY OF ANY KIND, AND THE
15  * IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE
16  * ARE EXPRESSLY DISCLAIMED.  The License provides additional details about
17  * this warranty disclaimer.
18  */
19 
20 #include "decl.h"
21 #include "ioctl.h"
22 #include "util.h"
23 #include "fw.h"
24 #include "main.h"
25 #include "11n.h"
26 #include "cfg80211.h"
27 
28 /* The maximum number of channels the firmware can scan per command */
29 #define MWIFIEX_MAX_CHANNELS_PER_SPECIFIC_SCAN   14
30 
31 #define MWIFIEX_DEF_CHANNELS_PER_SCAN_CMD	4
32 #define MWIFIEX_LIMIT_1_CHANNEL_PER_SCAN_CMD	15
33 #define MWIFIEX_LIMIT_2_CHANNELS_PER_SCAN_CMD	27
34 #define MWIFIEX_LIMIT_3_CHANNELS_PER_SCAN_CMD	35
35 
36 /* Memory needed to store a max sized Channel List TLV for a firmware scan */
37 #define CHAN_TLV_MAX_SIZE  (sizeof(struct mwifiex_ie_types_header)         \
38 				+ (MWIFIEX_MAX_CHANNELS_PER_SPECIFIC_SCAN     \
39 				*sizeof(struct mwifiex_chan_scan_param_set)))
40 
41 /* Memory needed to store supported rate */
42 #define RATE_TLV_MAX_SIZE   (sizeof(struct mwifiex_ie_types_rates_param_set) \
43 				+ HOSTCMD_SUPPORTED_RATES)
44 
45 /* Memory needed to store a max number/size WildCard SSID TLV for a firmware
46 	scan */
47 #define WILDCARD_SSID_TLV_MAX_SIZE  \
48 	(MWIFIEX_MAX_SSID_LIST_LENGTH *					\
49 		(sizeof(struct mwifiex_ie_types_wildcard_ssid_params)	\
50 			+ IEEE80211_MAX_SSID_LEN))
51 
52 /* Maximum memory needed for a mwifiex_scan_cmd_config with all TLVs at max */
53 #define MAX_SCAN_CFG_ALLOC (sizeof(struct mwifiex_scan_cmd_config)        \
54 				+ sizeof(struct mwifiex_ie_types_num_probes)   \
55 				+ sizeof(struct mwifiex_ie_types_htcap)       \
56 				+ CHAN_TLV_MAX_SIZE                 \
57 				+ RATE_TLV_MAX_SIZE                 \
58 				+ WILDCARD_SSID_TLV_MAX_SIZE)
59 
60 
61 union mwifiex_scan_cmd_config_tlv {
62 	/* Scan configuration (variable length) */
63 	struct mwifiex_scan_cmd_config config;
64 	/* Max allocated block */
65 	u8 config_alloc_buf[MAX_SCAN_CFG_ALLOC];
66 };
67 
68 enum cipher_suite {
69 	CIPHER_SUITE_TKIP,
70 	CIPHER_SUITE_CCMP,
71 	CIPHER_SUITE_MAX
72 };
73 static u8 mwifiex_wpa_oui[CIPHER_SUITE_MAX][4] = {
74 	{ 0x00, 0x50, 0xf2, 0x02 },	/* TKIP */
75 	{ 0x00, 0x50, 0xf2, 0x04 },	/* AES  */
76 };
77 static u8 mwifiex_rsn_oui[CIPHER_SUITE_MAX][4] = {
78 	{ 0x00, 0x0f, 0xac, 0x02 },	/* TKIP */
79 	{ 0x00, 0x0f, 0xac, 0x04 },	/* AES  */
80 };
81 
82 /*
83  * This function parses a given IE for a given OUI.
84  *
85  * This is used to parse a WPA/RSN IE to find if it has
86  * a given oui in PTK.
87  */
88 static u8
mwifiex_search_oui_in_ie(struct ie_body * iebody,u8 * oui)89 mwifiex_search_oui_in_ie(struct ie_body *iebody, u8 *oui)
90 {
91 	u8 count;
92 
93 	count = iebody->ptk_cnt[0];
94 
95 	/* There could be multiple OUIs for PTK hence
96 	   1) Take the length.
97 	   2) Check all the OUIs for AES.
98 	   3) If one of them is AES then pass success. */
99 	while (count) {
100 		if (!memcmp(iebody->ptk_body, oui, sizeof(iebody->ptk_body)))
101 			return MWIFIEX_OUI_PRESENT;
102 
103 		--count;
104 		if (count)
105 			iebody = (struct ie_body *) ((u8 *) iebody +
106 						sizeof(iebody->ptk_body));
107 	}
108 
109 	pr_debug("info: %s: OUI is not found in PTK\n", __func__);
110 	return MWIFIEX_OUI_NOT_PRESENT;
111 }
112 
113 /*
114  * This function checks if a given OUI is present in a RSN IE.
115  *
116  * The function first checks if a RSN IE is present or not in the
117  * BSS descriptor. It tries to locate the OUI only if such an IE is
118  * present.
119  */
120 static u8
mwifiex_is_rsn_oui_present(struct mwifiex_bssdescriptor * bss_desc,u32 cipher)121 mwifiex_is_rsn_oui_present(struct mwifiex_bssdescriptor *bss_desc, u32 cipher)
122 {
123 	u8 *oui;
124 	struct ie_body *iebody;
125 	u8 ret = MWIFIEX_OUI_NOT_PRESENT;
126 
127 	if (((bss_desc->bcn_rsn_ie) && ((*(bss_desc->bcn_rsn_ie)).
128 					ieee_hdr.element_id == WLAN_EID_RSN))) {
129 		iebody = (struct ie_body *)
130 			 (((u8 *) bss_desc->bcn_rsn_ie->data) +
131 			  RSN_GTK_OUI_OFFSET);
132 		oui = &mwifiex_rsn_oui[cipher][0];
133 		ret = mwifiex_search_oui_in_ie(iebody, oui);
134 		if (ret)
135 			return ret;
136 	}
137 	return ret;
138 }
139 
140 /*
141  * This function checks if a given OUI is present in a WPA IE.
142  *
143  * The function first checks if a WPA IE is present or not in the
144  * BSS descriptor. It tries to locate the OUI only if such an IE is
145  * present.
146  */
147 static u8
mwifiex_is_wpa_oui_present(struct mwifiex_bssdescriptor * bss_desc,u32 cipher)148 mwifiex_is_wpa_oui_present(struct mwifiex_bssdescriptor *bss_desc, u32 cipher)
149 {
150 	u8 *oui;
151 	struct ie_body *iebody;
152 	u8 ret = MWIFIEX_OUI_NOT_PRESENT;
153 
154 	if (((bss_desc->bcn_wpa_ie) &&
155 	     ((*(bss_desc->bcn_wpa_ie)).vend_hdr.element_id ==
156 	      WLAN_EID_VENDOR_SPECIFIC))) {
157 		iebody = (struct ie_body *) bss_desc->bcn_wpa_ie->data;
158 		oui = &mwifiex_wpa_oui[cipher][0];
159 		ret = mwifiex_search_oui_in_ie(iebody, oui);
160 		if (ret)
161 			return ret;
162 	}
163 	return ret;
164 }
165 
166 /*
167  * This function compares two SSIDs and checks if they match.
168  */
169 s32
mwifiex_ssid_cmp(struct cfg80211_ssid * ssid1,struct cfg80211_ssid * ssid2)170 mwifiex_ssid_cmp(struct cfg80211_ssid *ssid1, struct cfg80211_ssid *ssid2)
171 {
172 	if (!ssid1 || !ssid2 || (ssid1->ssid_len != ssid2->ssid_len))
173 		return -1;
174 	return memcmp(ssid1->ssid, ssid2->ssid, ssid1->ssid_len);
175 }
176 
177 /*
178  * This function checks if wapi is enabled in driver and scanned network is
179  * compatible with it.
180  */
181 static bool
mwifiex_is_bss_wapi(struct mwifiex_private * priv,struct mwifiex_bssdescriptor * bss_desc)182 mwifiex_is_bss_wapi(struct mwifiex_private *priv,
183 		    struct mwifiex_bssdescriptor *bss_desc)
184 {
185 	if (priv->sec_info.wapi_enabled &&
186 	    (bss_desc->bcn_wapi_ie &&
187 	     ((*(bss_desc->bcn_wapi_ie)).ieee_hdr.element_id ==
188 			WLAN_EID_BSS_AC_ACCESS_DELAY))) {
189 		return true;
190 	}
191 	return false;
192 }
193 
194 /*
195  * This function checks if driver is configured with no security mode and
196  * scanned network is compatible with it.
197  */
198 static bool
mwifiex_is_bss_no_sec(struct mwifiex_private * priv,struct mwifiex_bssdescriptor * bss_desc)199 mwifiex_is_bss_no_sec(struct mwifiex_private *priv,
200 		      struct mwifiex_bssdescriptor *bss_desc)
201 {
202 	if (!priv->sec_info.wep_enabled && !priv->sec_info.wpa_enabled &&
203 	    !priv->sec_info.wpa2_enabled && ((!bss_desc->bcn_wpa_ie) ||
204 		((*(bss_desc->bcn_wpa_ie)).vend_hdr.element_id !=
205 		 WLAN_EID_VENDOR_SPECIFIC)) &&
206 	    ((!bss_desc->bcn_rsn_ie) ||
207 		((*(bss_desc->bcn_rsn_ie)).ieee_hdr.element_id !=
208 		 WLAN_EID_RSN)) &&
209 	    !priv->sec_info.encryption_mode && !bss_desc->privacy) {
210 		return true;
211 	}
212 	return false;
213 }
214 
215 /*
216  * This function checks if static WEP is enabled in driver and scanned network
217  * is compatible with it.
218  */
219 static bool
mwifiex_is_bss_static_wep(struct mwifiex_private * priv,struct mwifiex_bssdescriptor * bss_desc)220 mwifiex_is_bss_static_wep(struct mwifiex_private *priv,
221 			  struct mwifiex_bssdescriptor *bss_desc)
222 {
223 	if (priv->sec_info.wep_enabled && !priv->sec_info.wpa_enabled &&
224 	    !priv->sec_info.wpa2_enabled && bss_desc->privacy) {
225 		return true;
226 	}
227 	return false;
228 }
229 
230 /*
231  * This function checks if wpa is enabled in driver and scanned network is
232  * compatible with it.
233  */
234 static bool
mwifiex_is_bss_wpa(struct mwifiex_private * priv,struct mwifiex_bssdescriptor * bss_desc)235 mwifiex_is_bss_wpa(struct mwifiex_private *priv,
236 		   struct mwifiex_bssdescriptor *bss_desc)
237 {
238 	if (!priv->sec_info.wep_enabled && priv->sec_info.wpa_enabled &&
239 	    !priv->sec_info.wpa2_enabled && ((bss_desc->bcn_wpa_ie) &&
240 	    ((*(bss_desc->bcn_wpa_ie)).
241 	     vend_hdr.element_id == WLAN_EID_VENDOR_SPECIFIC))
242 	   /*
243 	    * Privacy bit may NOT be set in some APs like
244 	    * LinkSys WRT54G && bss_desc->privacy
245 	    */
246 	 ) {
247 		dev_dbg(priv->adapter->dev, "info: %s: WPA:"
248 			" wpa_ie=%#x wpa2_ie=%#x WEP=%s WPA=%s WPA2=%s "
249 			"EncMode=%#x privacy=%#x\n", __func__,
250 			(bss_desc->bcn_wpa_ie) ?
251 			(*(bss_desc->bcn_wpa_ie)).
252 			vend_hdr.element_id : 0,
253 			(bss_desc->bcn_rsn_ie) ?
254 			(*(bss_desc->bcn_rsn_ie)).
255 			ieee_hdr.element_id : 0,
256 			(priv->sec_info.wep_enabled) ? "e" : "d",
257 			(priv->sec_info.wpa_enabled) ? "e" : "d",
258 			(priv->sec_info.wpa2_enabled) ? "e" : "d",
259 			priv->sec_info.encryption_mode,
260 			bss_desc->privacy);
261 		return true;
262 	}
263 	return false;
264 }
265 
266 /*
267  * This function checks if wpa2 is enabled in driver and scanned network is
268  * compatible with it.
269  */
270 static bool
mwifiex_is_bss_wpa2(struct mwifiex_private * priv,struct mwifiex_bssdescriptor * bss_desc)271 mwifiex_is_bss_wpa2(struct mwifiex_private *priv,
272 		    struct mwifiex_bssdescriptor *bss_desc)
273 {
274 	if (!priv->sec_info.wep_enabled &&
275 	    !priv->sec_info.wpa_enabled &&
276 	    priv->sec_info.wpa2_enabled &&
277 	    ((bss_desc->bcn_rsn_ie) &&
278 	     ((*(bss_desc->bcn_rsn_ie)).ieee_hdr.element_id == WLAN_EID_RSN))) {
279 		/*
280 		 * Privacy bit may NOT be set in some APs like
281 		 * LinkSys WRT54G && bss_desc->privacy
282 		 */
283 		dev_dbg(priv->adapter->dev, "info: %s: WPA2: "
284 			" wpa_ie=%#x wpa2_ie=%#x WEP=%s WPA=%s WPA2=%s "
285 			"EncMode=%#x privacy=%#x\n", __func__,
286 			(bss_desc->bcn_wpa_ie) ?
287 			(*(bss_desc->bcn_wpa_ie)).
288 			vend_hdr.element_id : 0,
289 			(bss_desc->bcn_rsn_ie) ?
290 			(*(bss_desc->bcn_rsn_ie)).
291 			ieee_hdr.element_id : 0,
292 			(priv->sec_info.wep_enabled) ? "e" : "d",
293 			(priv->sec_info.wpa_enabled) ? "e" : "d",
294 			(priv->sec_info.wpa2_enabled) ? "e" : "d",
295 			priv->sec_info.encryption_mode,
296 			bss_desc->privacy);
297 		return true;
298 	}
299 	return false;
300 }
301 
302 /*
303  * This function checks if adhoc AES is enabled in driver and scanned network is
304  * compatible with it.
305  */
306 static bool
mwifiex_is_bss_adhoc_aes(struct mwifiex_private * priv,struct mwifiex_bssdescriptor * bss_desc)307 mwifiex_is_bss_adhoc_aes(struct mwifiex_private *priv,
308 			 struct mwifiex_bssdescriptor *bss_desc)
309 {
310 	if (!priv->sec_info.wep_enabled && !priv->sec_info.wpa_enabled &&
311 	    !priv->sec_info.wpa2_enabled &&
312 	    ((!bss_desc->bcn_wpa_ie) ||
313 	     ((*(bss_desc->bcn_wpa_ie)).
314 	      vend_hdr.element_id != WLAN_EID_VENDOR_SPECIFIC)) &&
315 	    ((!bss_desc->bcn_rsn_ie) ||
316 	     ((*(bss_desc->bcn_rsn_ie)).ieee_hdr.element_id != WLAN_EID_RSN)) &&
317 	    !priv->sec_info.encryption_mode && bss_desc->privacy) {
318 		return true;
319 	}
320 	return false;
321 }
322 
323 /*
324  * This function checks if dynamic WEP is enabled in driver and scanned network
325  * is compatible with it.
326  */
327 static bool
mwifiex_is_bss_dynamic_wep(struct mwifiex_private * priv,struct mwifiex_bssdescriptor * bss_desc)328 mwifiex_is_bss_dynamic_wep(struct mwifiex_private *priv,
329 			   struct mwifiex_bssdescriptor *bss_desc)
330 {
331 	if (!priv->sec_info.wep_enabled && !priv->sec_info.wpa_enabled &&
332 	    !priv->sec_info.wpa2_enabled &&
333 	    ((!bss_desc->bcn_wpa_ie) ||
334 	     ((*(bss_desc->bcn_wpa_ie)).
335 	      vend_hdr.element_id != WLAN_EID_VENDOR_SPECIFIC)) &&
336 	    ((!bss_desc->bcn_rsn_ie) ||
337 	     ((*(bss_desc->bcn_rsn_ie)).ieee_hdr.element_id != WLAN_EID_RSN)) &&
338 	    priv->sec_info.encryption_mode && bss_desc->privacy) {
339 		dev_dbg(priv->adapter->dev, "info: %s: dynamic "
340 			"WEP: wpa_ie=%#x wpa2_ie=%#x "
341 			"EncMode=%#x privacy=%#x\n",
342 			__func__,
343 			(bss_desc->bcn_wpa_ie) ?
344 			(*(bss_desc->bcn_wpa_ie)).
345 			vend_hdr.element_id : 0,
346 			(bss_desc->bcn_rsn_ie) ?
347 			(*(bss_desc->bcn_rsn_ie)).
348 			ieee_hdr.element_id : 0,
349 			priv->sec_info.encryption_mode,
350 			bss_desc->privacy);
351 		return true;
352 	}
353 	return false;
354 }
355 
356 /*
357  * This function checks if a scanned network is compatible with the driver
358  * settings.
359  *
360  *   WEP     WPA    WPA2   ad-hoc encrypt                  Network
361  * enabled enabled enabled  AES    mode   Privacy WPA WPA2 Compatible
362  *    0       0       0      0     NONE      0     0   0   yes No security
363  *    0       1       0      0      x        1x    1   x   yes WPA (disable
364  *                                                         HT if no AES)
365  *    0       0       1      0      x        1x    x   1   yes WPA2 (disable
366  *                                                         HT if no AES)
367  *    0       0       0      1     NONE      1     0   0   yes Ad-hoc AES
368  *    1       0       0      0     NONE      1     0   0   yes Static WEP
369  *                                                         (disable HT)
370  *    0       0       0      0    !=NONE     1     0   0   yes Dynamic WEP
371  *
372  * Compatibility is not matched while roaming, except for mode.
373  */
374 static s32
mwifiex_is_network_compatible(struct mwifiex_private * priv,struct mwifiex_bssdescriptor * bss_desc,u32 mode)375 mwifiex_is_network_compatible(struct mwifiex_private *priv,
376 			      struct mwifiex_bssdescriptor *bss_desc, u32 mode)
377 {
378 	struct mwifiex_adapter *adapter = priv->adapter;
379 
380 	bss_desc->disable_11n = false;
381 
382 	/* Don't check for compatibility if roaming */
383 	if (priv->media_connected &&
384 	    (priv->bss_mode == NL80211_IFTYPE_STATION) &&
385 	    (bss_desc->bss_mode == NL80211_IFTYPE_STATION))
386 		return 0;
387 
388 	if (priv->wps.session_enable) {
389 		dev_dbg(adapter->dev,
390 			"info: return success directly in WPS period\n");
391 		return 0;
392 	}
393 
394 	if (mwifiex_is_bss_wapi(priv, bss_desc)) {
395 		dev_dbg(adapter->dev, "info: return success for WAPI AP\n");
396 		return 0;
397 	}
398 
399 	if (bss_desc->bss_mode == mode) {
400 		if (mwifiex_is_bss_no_sec(priv, bss_desc)) {
401 			/* No security */
402 			return 0;
403 		} else if (mwifiex_is_bss_static_wep(priv, bss_desc)) {
404 			/* Static WEP enabled */
405 			dev_dbg(adapter->dev, "info: Disable 11n in WEP mode.\n");
406 			bss_desc->disable_11n = true;
407 			return 0;
408 		} else if (mwifiex_is_bss_wpa(priv, bss_desc)) {
409 			/* WPA enabled */
410 			if (((priv->adapter->config_bands & BAND_GN ||
411 			      priv->adapter->config_bands & BAND_AN) &&
412 			     bss_desc->bcn_ht_cap) &&
413 			    !mwifiex_is_wpa_oui_present(bss_desc,
414 							 CIPHER_SUITE_CCMP)) {
415 
416 				if (mwifiex_is_wpa_oui_present
417 						(bss_desc, CIPHER_SUITE_TKIP)) {
418 					dev_dbg(adapter->dev,
419 						"info: Disable 11n if AES "
420 						"is not supported by AP\n");
421 					bss_desc->disable_11n = true;
422 				} else {
423 					return -1;
424 				}
425 			}
426 			return 0;
427 		} else if (mwifiex_is_bss_wpa2(priv, bss_desc)) {
428 			/* WPA2 enabled */
429 			if (((priv->adapter->config_bands & BAND_GN ||
430 			      priv->adapter->config_bands & BAND_AN) &&
431 			     bss_desc->bcn_ht_cap) &&
432 			    !mwifiex_is_rsn_oui_present(bss_desc,
433 							CIPHER_SUITE_CCMP)) {
434 
435 				if (mwifiex_is_rsn_oui_present
436 						(bss_desc, CIPHER_SUITE_TKIP)) {
437 					dev_dbg(adapter->dev,
438 						"info: Disable 11n if AES "
439 						"is not supported by AP\n");
440 					bss_desc->disable_11n = true;
441 				} else {
442 					return -1;
443 				}
444 			}
445 			return 0;
446 		} else if (mwifiex_is_bss_adhoc_aes(priv, bss_desc)) {
447 			/* Ad-hoc AES enabled */
448 			return 0;
449 		} else if (mwifiex_is_bss_dynamic_wep(priv, bss_desc)) {
450 			/* Dynamic WEP enabled */
451 			return 0;
452 		}
453 
454 		/* Security doesn't match */
455 		dev_dbg(adapter->dev,
456 			"info: %s: failed: wpa_ie=%#x wpa2_ie=%#x WEP=%s "
457 			"WPA=%s WPA2=%s EncMode=%#x privacy=%#x\n", __func__,
458 			(bss_desc->bcn_wpa_ie) ?
459 			(*(bss_desc->bcn_wpa_ie)).vend_hdr.element_id : 0,
460 			(bss_desc->bcn_rsn_ie) ?
461 			(*(bss_desc->bcn_rsn_ie)).ieee_hdr.element_id : 0,
462 			(priv->sec_info.wep_enabled) ? "e" : "d",
463 			(priv->sec_info.wpa_enabled) ? "e" : "d",
464 			(priv->sec_info.wpa2_enabled) ? "e" : "d",
465 			priv->sec_info.encryption_mode, bss_desc->privacy);
466 		return -1;
467 	}
468 
469 	/* Mode doesn't match */
470 	return -1;
471 }
472 
473 /*
474  * This function creates a channel list for the driver to scan, based
475  * on region/band information.
476  *
477  * This routine is used for any scan that is not provided with a
478  * specific channel list to scan.
479  */
480 static int
mwifiex_scan_create_channel_list(struct mwifiex_private * priv,const struct mwifiex_user_scan_cfg * user_scan_in,struct mwifiex_chan_scan_param_set * scan_chan_list,u8 filtered_scan)481 mwifiex_scan_create_channel_list(struct mwifiex_private *priv,
482 				 const struct mwifiex_user_scan_cfg
483 							*user_scan_in,
484 				 struct mwifiex_chan_scan_param_set
485 							*scan_chan_list,
486 				 u8 filtered_scan)
487 {
488 	enum ieee80211_band band;
489 	struct ieee80211_supported_band *sband;
490 	struct ieee80211_channel *ch;
491 	struct mwifiex_adapter *adapter = priv->adapter;
492 	int chan_idx = 0, i;
493 
494 	for (band = 0; (band < IEEE80211_NUM_BANDS) ; band++) {
495 
496 		if (!priv->wdev->wiphy->bands[band])
497 			continue;
498 
499 		sband = priv->wdev->wiphy->bands[band];
500 
501 		for (i = 0; (i < sband->n_channels) ; i++) {
502 			ch = &sband->channels[i];
503 			if (ch->flags & IEEE80211_CHAN_DISABLED)
504 				continue;
505 			scan_chan_list[chan_idx].radio_type = band;
506 
507 			if (user_scan_in &&
508 			    user_scan_in->chan_list[0].scan_time)
509 				scan_chan_list[chan_idx].max_scan_time =
510 					cpu_to_le16((u16) user_scan_in->
511 					chan_list[0].scan_time);
512 			else if (ch->flags & IEEE80211_CHAN_PASSIVE_SCAN)
513 				scan_chan_list[chan_idx].max_scan_time =
514 					cpu_to_le16(adapter->passive_scan_time);
515 			else
516 				scan_chan_list[chan_idx].max_scan_time =
517 					cpu_to_le16(adapter->active_scan_time);
518 
519 			if (ch->flags & IEEE80211_CHAN_PASSIVE_SCAN)
520 				scan_chan_list[chan_idx].chan_scan_mode_bitmap
521 					|= MWIFIEX_PASSIVE_SCAN;
522 			else
523 				scan_chan_list[chan_idx].chan_scan_mode_bitmap
524 					&= ~MWIFIEX_PASSIVE_SCAN;
525 			scan_chan_list[chan_idx].chan_number =
526 							(u32) ch->hw_value;
527 			if (filtered_scan) {
528 				scan_chan_list[chan_idx].max_scan_time =
529 				cpu_to_le16(adapter->specific_scan_time);
530 				scan_chan_list[chan_idx].chan_scan_mode_bitmap
531 					|= MWIFIEX_DISABLE_CHAN_FILT;
532 			}
533 			chan_idx++;
534 		}
535 
536 	}
537 	return chan_idx;
538 }
539 
540 /*
541  * This function constructs and sends multiple scan config commands to
542  * the firmware.
543  *
544  * Previous routines in the code flow have created a scan command configuration
545  * with any requested TLVs.  This function splits the channel TLV into maximum
546  * channels supported per scan lists and sends the portion of the channel TLV,
547  * along with the other TLVs, to the firmware.
548  */
549 static int
mwifiex_scan_channel_list(struct mwifiex_private * priv,u32 max_chan_per_scan,u8 filtered_scan,struct mwifiex_scan_cmd_config * scan_cfg_out,struct mwifiex_ie_types_chan_list_param_set * chan_tlv_out,struct mwifiex_chan_scan_param_set * scan_chan_list)550 mwifiex_scan_channel_list(struct mwifiex_private *priv,
551 			  u32 max_chan_per_scan, u8 filtered_scan,
552 			  struct mwifiex_scan_cmd_config *scan_cfg_out,
553 			  struct mwifiex_ie_types_chan_list_param_set
554 			  *chan_tlv_out,
555 			  struct mwifiex_chan_scan_param_set *scan_chan_list)
556 {
557 	int ret = 0;
558 	struct mwifiex_chan_scan_param_set *tmp_chan_list;
559 	struct mwifiex_chan_scan_param_set *start_chan;
560 
561 	u32 tlv_idx;
562 	u32 total_scan_time;
563 	u32 done_early;
564 
565 	if (!scan_cfg_out || !chan_tlv_out || !scan_chan_list) {
566 		dev_dbg(priv->adapter->dev,
567 			"info: Scan: Null detect: %p, %p, %p\n",
568 		       scan_cfg_out, chan_tlv_out, scan_chan_list);
569 		return -1;
570 	}
571 
572 	chan_tlv_out->header.type = cpu_to_le16(TLV_TYPE_CHANLIST);
573 
574 	/* Set the temp channel struct pointer to the start of the desired
575 	   list */
576 	tmp_chan_list = scan_chan_list;
577 
578 	/* Loop through the desired channel list, sending a new firmware scan
579 	   commands for each max_chan_per_scan channels (or for 1,6,11
580 	   individually if configured accordingly) */
581 	while (tmp_chan_list->chan_number) {
582 
583 		tlv_idx = 0;
584 		total_scan_time = 0;
585 		chan_tlv_out->header.len = 0;
586 		start_chan = tmp_chan_list;
587 		done_early = false;
588 
589 		/*
590 		 * Construct the Channel TLV for the scan command.  Continue to
591 		 * insert channel TLVs until:
592 		 *   - the tlv_idx hits the maximum configured per scan command
593 		 *   - the next channel to insert is 0 (end of desired channel
594 		 *     list)
595 		 *   - done_early is set (controlling individual scanning of
596 		 *     1,6,11)
597 		 */
598 		while (tlv_idx < max_chan_per_scan &&
599 		       tmp_chan_list->chan_number && !done_early) {
600 
601 			dev_dbg(priv->adapter->dev,
602 				"info: Scan: Chan(%3d), Radio(%d),"
603 				" Mode(%d, %d), Dur(%d)\n",
604 				tmp_chan_list->chan_number,
605 				tmp_chan_list->radio_type,
606 				tmp_chan_list->chan_scan_mode_bitmap
607 				& MWIFIEX_PASSIVE_SCAN,
608 				(tmp_chan_list->chan_scan_mode_bitmap
609 				 & MWIFIEX_DISABLE_CHAN_FILT) >> 1,
610 				le16_to_cpu(tmp_chan_list->max_scan_time));
611 
612 			/* Copy the current channel TLV to the command being
613 			   prepared */
614 			memcpy(chan_tlv_out->chan_scan_param + tlv_idx,
615 			       tmp_chan_list,
616 			       sizeof(chan_tlv_out->chan_scan_param));
617 
618 			/* Increment the TLV header length by the size
619 			   appended */
620 			le16_add_cpu(&chan_tlv_out->header.len,
621 				     sizeof(chan_tlv_out->chan_scan_param));
622 
623 			/*
624 			 * The tlv buffer length is set to the number of bytes
625 			 * of the between the channel tlv pointer and the start
626 			 * of the tlv buffer.  This compensates for any TLVs
627 			 * that were appended before the channel list.
628 			 */
629 			scan_cfg_out->tlv_buf_len = (u32) ((u8 *) chan_tlv_out -
630 							scan_cfg_out->tlv_buf);
631 
632 			/* Add the size of the channel tlv header and the data
633 			   length */
634 			scan_cfg_out->tlv_buf_len +=
635 				(sizeof(chan_tlv_out->header)
636 				 + le16_to_cpu(chan_tlv_out->header.len));
637 
638 			/* Increment the index to the channel tlv we are
639 			   constructing */
640 			tlv_idx++;
641 
642 			/* Count the total scan time per command */
643 			total_scan_time +=
644 				le16_to_cpu(tmp_chan_list->max_scan_time);
645 
646 			done_early = false;
647 
648 			/* Stop the loop if the *current* channel is in the
649 			   1,6,11 set and we are not filtering on a BSSID
650 			   or SSID. */
651 			if (!filtered_scan &&
652 			    (tmp_chan_list->chan_number == 1 ||
653 			     tmp_chan_list->chan_number == 6 ||
654 			     tmp_chan_list->chan_number == 11))
655 				done_early = true;
656 
657 			/* Increment the tmp pointer to the next channel to
658 			   be scanned */
659 			tmp_chan_list++;
660 
661 			/* Stop the loop if the *next* channel is in the 1,6,11
662 			   set.  This will cause it to be the only channel
663 			   scanned on the next interation */
664 			if (!filtered_scan &&
665 			    (tmp_chan_list->chan_number == 1 ||
666 			     tmp_chan_list->chan_number == 6 ||
667 			     tmp_chan_list->chan_number == 11))
668 				done_early = true;
669 		}
670 
671 		/* The total scan time should be less than scan command timeout
672 		   value */
673 		if (total_scan_time > MWIFIEX_MAX_TOTAL_SCAN_TIME) {
674 			dev_err(priv->adapter->dev, "total scan time %dms"
675 				" is over limit (%dms), scan skipped\n",
676 				total_scan_time, MWIFIEX_MAX_TOTAL_SCAN_TIME);
677 			ret = -1;
678 			break;
679 		}
680 
681 		priv->adapter->scan_channels = start_chan;
682 
683 		/* Send the scan command to the firmware with the specified
684 		   cfg */
685 		ret = mwifiex_send_cmd_async(priv, HostCmd_CMD_802_11_SCAN,
686 					     HostCmd_ACT_GEN_SET, 0,
687 					     scan_cfg_out);
688 		if (ret)
689 			break;
690 	}
691 
692 	if (ret)
693 		return -1;
694 
695 	return 0;
696 }
697 
698 /*
699  * This function constructs a scan command configuration structure to use
700  * in scan commands.
701  *
702  * Application layer or other functions can invoke network scanning
703  * with a scan configuration supplied in a user scan configuration structure.
704  * This structure is used as the basis of one or many scan command configuration
705  * commands that are sent to the command processing module and eventually to the
706  * firmware.
707  *
708  * This function creates a scan command configuration structure  based on the
709  * following user supplied parameters (if present):
710  *      - SSID filter
711  *      - BSSID filter
712  *      - Number of Probes to be sent
713  *      - Channel list
714  *
715  * If the SSID or BSSID filter is not present, the filter is disabled/cleared.
716  * If the number of probes is not set, adapter default setting is used.
717  */
718 static void
mwifiex_config_scan(struct mwifiex_private * priv,const struct mwifiex_user_scan_cfg * user_scan_in,struct mwifiex_scan_cmd_config * scan_cfg_out,struct mwifiex_ie_types_chan_list_param_set ** chan_list_out,struct mwifiex_chan_scan_param_set * scan_chan_list,u8 * max_chan_per_scan,u8 * filtered_scan,u8 * scan_current_only)719 mwifiex_config_scan(struct mwifiex_private *priv,
720 		    const struct mwifiex_user_scan_cfg *user_scan_in,
721 		    struct mwifiex_scan_cmd_config *scan_cfg_out,
722 		    struct mwifiex_ie_types_chan_list_param_set **chan_list_out,
723 		    struct mwifiex_chan_scan_param_set *scan_chan_list,
724 		    u8 *max_chan_per_scan, u8 *filtered_scan,
725 		    u8 *scan_current_only)
726 {
727 	struct mwifiex_adapter *adapter = priv->adapter;
728 	struct mwifiex_ie_types_num_probes *num_probes_tlv;
729 	struct mwifiex_ie_types_wildcard_ssid_params *wildcard_ssid_tlv;
730 	struct mwifiex_ie_types_rates_param_set *rates_tlv;
731 	u8 *tlv_pos;
732 	u32 num_probes;
733 	u32 ssid_len;
734 	u32 chan_idx;
735 	u32 chan_num;
736 	u32 scan_type;
737 	u16 scan_dur;
738 	u8 channel;
739 	u8 radio_type;
740 	int i;
741 	u8 ssid_filter;
742 	u8 rates[MWIFIEX_SUPPORTED_RATES];
743 	u32 rates_size;
744 	struct mwifiex_ie_types_htcap *ht_cap;
745 
746 	/* The tlv_buf_len is calculated for each scan command.  The TLVs added
747 	   in this routine will be preserved since the routine that sends the
748 	   command will append channelTLVs at *chan_list_out.  The difference
749 	   between the *chan_list_out and the tlv_buf start will be used to
750 	   calculate the size of anything we add in this routine. */
751 	scan_cfg_out->tlv_buf_len = 0;
752 
753 	/* Running tlv pointer.  Assigned to chan_list_out at end of function
754 	   so later routines know where channels can be added to the command
755 	   buf */
756 	tlv_pos = scan_cfg_out->tlv_buf;
757 
758 	/* Initialize the scan as un-filtered; the flag is later set to TRUE
759 	   below if a SSID or BSSID filter is sent in the command */
760 	*filtered_scan = false;
761 
762 	/* Initialize the scan as not being only on the current channel.  If
763 	   the channel list is customized, only contains one channel, and is
764 	   the active channel, this is set true and data flow is not halted. */
765 	*scan_current_only = false;
766 
767 	if (user_scan_in) {
768 
769 		/* Default the ssid_filter flag to TRUE, set false under
770 		   certain wildcard conditions and qualified by the existence
771 		   of an SSID list before marking the scan as filtered */
772 		ssid_filter = true;
773 
774 		/* Set the BSS type scan filter, use Adapter setting if
775 		   unset */
776 		scan_cfg_out->bss_mode =
777 			(user_scan_in->bss_mode ? (u8) user_scan_in->
778 			 bss_mode : (u8) adapter->scan_mode);
779 
780 		/* Set the number of probes to send, use Adapter setting
781 		   if unset */
782 		num_probes =
783 			(user_scan_in->num_probes ? user_scan_in->
784 			 num_probes : adapter->scan_probes);
785 
786 		/*
787 		 * Set the BSSID filter to the incoming configuration,
788 		 * if non-zero.  If not set, it will remain disabled
789 		 * (all zeros).
790 		 */
791 		memcpy(scan_cfg_out->specific_bssid,
792 		       user_scan_in->specific_bssid,
793 		       sizeof(scan_cfg_out->specific_bssid));
794 
795 		for (i = 0; i < user_scan_in->num_ssids; i++) {
796 			ssid_len = user_scan_in->ssid_list[i].ssid_len;
797 
798 			wildcard_ssid_tlv =
799 				(struct mwifiex_ie_types_wildcard_ssid_params *)
800 				tlv_pos;
801 			wildcard_ssid_tlv->header.type =
802 				cpu_to_le16(TLV_TYPE_WILDCARDSSID);
803 			wildcard_ssid_tlv->header.len = cpu_to_le16(
804 				(u16) (ssid_len + sizeof(wildcard_ssid_tlv->
805 							 max_ssid_length)));
806 
807 			/*
808 			 * max_ssid_length = 0 tells firmware to perform
809 			 * specific scan for the SSID filled, whereas
810 			 * max_ssid_length = IEEE80211_MAX_SSID_LEN is for
811 			 * wildcard scan.
812 			 */
813 			if (ssid_len)
814 				wildcard_ssid_tlv->max_ssid_length = 0;
815 			else
816 				wildcard_ssid_tlv->max_ssid_length =
817 							IEEE80211_MAX_SSID_LEN;
818 
819 			memcpy(wildcard_ssid_tlv->ssid,
820 			       user_scan_in->ssid_list[i].ssid, ssid_len);
821 
822 			tlv_pos += (sizeof(wildcard_ssid_tlv->header)
823 				+ le16_to_cpu(wildcard_ssid_tlv->header.len));
824 
825 			dev_dbg(adapter->dev, "info: scan: ssid[%d]: %s, %d\n",
826 				i, wildcard_ssid_tlv->ssid,
827 				wildcard_ssid_tlv->max_ssid_length);
828 
829 			/* Empty wildcard ssid with a maxlen will match many or
830 			   potentially all SSIDs (maxlen == 32), therefore do
831 			   not treat the scan as
832 			   filtered. */
833 			if (!ssid_len && wildcard_ssid_tlv->max_ssid_length)
834 				ssid_filter = false;
835 		}
836 
837 		/*
838 		 *  The default number of channels sent in the command is low to
839 		 *  ensure the response buffer from the firmware does not
840 		 *  truncate scan results.  That is not an issue with an SSID
841 		 *  or BSSID filter applied to the scan results in the firmware.
842 		 */
843 		if ((i && ssid_filter) ||
844 		    !is_zero_ether_addr(scan_cfg_out->specific_bssid))
845 			*filtered_scan = true;
846 	} else {
847 		scan_cfg_out->bss_mode = (u8) adapter->scan_mode;
848 		num_probes = adapter->scan_probes;
849 	}
850 
851 	/*
852 	 *  If a specific BSSID or SSID is used, the number of channels in the
853 	 *  scan command will be increased to the absolute maximum.
854 	 */
855 	if (*filtered_scan)
856 		*max_chan_per_scan = MWIFIEX_MAX_CHANNELS_PER_SPECIFIC_SCAN;
857 	else
858 		*max_chan_per_scan = MWIFIEX_DEF_CHANNELS_PER_SCAN_CMD;
859 
860 	/* If the input config or adapter has the number of Probes set,
861 	   add tlv */
862 	if (num_probes) {
863 
864 		dev_dbg(adapter->dev, "info: scan: num_probes = %d\n",
865 			num_probes);
866 
867 		num_probes_tlv = (struct mwifiex_ie_types_num_probes *) tlv_pos;
868 		num_probes_tlv->header.type = cpu_to_le16(TLV_TYPE_NUMPROBES);
869 		num_probes_tlv->header.len =
870 			cpu_to_le16(sizeof(num_probes_tlv->num_probes));
871 		num_probes_tlv->num_probes = cpu_to_le16((u16) num_probes);
872 
873 		tlv_pos += sizeof(num_probes_tlv->header) +
874 			le16_to_cpu(num_probes_tlv->header.len);
875 
876 	}
877 
878 	/* Append rates tlv */
879 	memset(rates, 0, sizeof(rates));
880 
881 	rates_size = mwifiex_get_supported_rates(priv, rates);
882 
883 	rates_tlv = (struct mwifiex_ie_types_rates_param_set *) tlv_pos;
884 	rates_tlv->header.type = cpu_to_le16(WLAN_EID_SUPP_RATES);
885 	rates_tlv->header.len = cpu_to_le16((u16) rates_size);
886 	memcpy(rates_tlv->rates, rates, rates_size);
887 	tlv_pos += sizeof(rates_tlv->header) + rates_size;
888 
889 	dev_dbg(adapter->dev, "info: SCAN_CMD: Rates size = %d\n", rates_size);
890 
891 	if (ISSUPP_11NENABLED(priv->adapter->fw_cap_info) &&
892 	    (priv->adapter->config_bands & BAND_GN ||
893 	     priv->adapter->config_bands & BAND_AN)) {
894 		ht_cap = (struct mwifiex_ie_types_htcap *) tlv_pos;
895 		memset(ht_cap, 0, sizeof(struct mwifiex_ie_types_htcap));
896 		ht_cap->header.type = cpu_to_le16(WLAN_EID_HT_CAPABILITY);
897 		ht_cap->header.len =
898 				cpu_to_le16(sizeof(struct ieee80211_ht_cap));
899 		radio_type =
900 			mwifiex_band_to_radio_type(priv->adapter->config_bands);
901 		mwifiex_fill_cap_info(priv, radio_type, ht_cap);
902 		tlv_pos += sizeof(struct mwifiex_ie_types_htcap);
903 	}
904 
905 	/* Append vendor specific IE TLV */
906 	mwifiex_cmd_append_vsie_tlv(priv, MWIFIEX_VSIE_MASK_SCAN, &tlv_pos);
907 
908 	/*
909 	 * Set the output for the channel TLV to the address in the tlv buffer
910 	 *   past any TLVs that were added in this function (SSID, num_probes).
911 	 *   Channel TLVs will be added past this for each scan command,
912 	 *   preserving the TLVs that were previously added.
913 	 */
914 	*chan_list_out =
915 		(struct mwifiex_ie_types_chan_list_param_set *) tlv_pos;
916 
917 	if (user_scan_in && user_scan_in->chan_list[0].chan_number) {
918 
919 		dev_dbg(adapter->dev, "info: Scan: Using supplied channel list\n");
920 
921 		for (chan_idx = 0;
922 		     chan_idx < MWIFIEX_USER_SCAN_CHAN_MAX &&
923 		     user_scan_in->chan_list[chan_idx].chan_number;
924 		     chan_idx++) {
925 
926 			channel = user_scan_in->chan_list[chan_idx].chan_number;
927 			(scan_chan_list + chan_idx)->chan_number = channel;
928 
929 			radio_type =
930 				user_scan_in->chan_list[chan_idx].radio_type;
931 			(scan_chan_list + chan_idx)->radio_type = radio_type;
932 
933 			scan_type = user_scan_in->chan_list[chan_idx].scan_type;
934 
935 			if (scan_type == MWIFIEX_SCAN_TYPE_PASSIVE)
936 				(scan_chan_list +
937 				 chan_idx)->chan_scan_mode_bitmap
938 					|= MWIFIEX_PASSIVE_SCAN;
939 			else
940 				(scan_chan_list +
941 				 chan_idx)->chan_scan_mode_bitmap
942 					&= ~MWIFIEX_PASSIVE_SCAN;
943 
944 			if (*filtered_scan)
945 				(scan_chan_list +
946 				 chan_idx)->chan_scan_mode_bitmap
947 					|= MWIFIEX_DISABLE_CHAN_FILT;
948 
949 			if (user_scan_in->chan_list[chan_idx].scan_time) {
950 				scan_dur = (u16) user_scan_in->
951 					chan_list[chan_idx].scan_time;
952 			} else {
953 				if (scan_type == MWIFIEX_SCAN_TYPE_PASSIVE)
954 					scan_dur = adapter->passive_scan_time;
955 				else if (*filtered_scan)
956 					scan_dur = adapter->specific_scan_time;
957 				else
958 					scan_dur = adapter->active_scan_time;
959 			}
960 
961 			(scan_chan_list + chan_idx)->min_scan_time =
962 				cpu_to_le16(scan_dur);
963 			(scan_chan_list + chan_idx)->max_scan_time =
964 				cpu_to_le16(scan_dur);
965 		}
966 
967 		/* Check if we are only scanning the current channel */
968 		if ((chan_idx == 1) &&
969 		    (user_scan_in->chan_list[0].chan_number ==
970 		     priv->curr_bss_params.bss_descriptor.channel)) {
971 			*scan_current_only = true;
972 			dev_dbg(adapter->dev,
973 				"info: Scan: Scanning current channel only\n");
974 		}
975 		chan_num = chan_idx;
976 	} else {
977 		dev_dbg(adapter->dev,
978 			"info: Scan: Creating full region channel list\n");
979 		chan_num = mwifiex_scan_create_channel_list(priv, user_scan_in,
980 							    scan_chan_list,
981 							    *filtered_scan);
982 	}
983 
984 	/*
985 	 * In associated state we will reduce the number of channels scanned per
986 	 * scan command to avoid any traffic delay/loss. This number is decided
987 	 * based on total number of channels to be scanned due to constraints
988 	 * of command buffers.
989 	 */
990 	if (priv->media_connected) {
991 		if (chan_num < MWIFIEX_LIMIT_1_CHANNEL_PER_SCAN_CMD)
992 			*max_chan_per_scan = 1;
993 		else if (chan_num < MWIFIEX_LIMIT_2_CHANNELS_PER_SCAN_CMD)
994 			*max_chan_per_scan = 2;
995 		else if (chan_num < MWIFIEX_LIMIT_3_CHANNELS_PER_SCAN_CMD)
996 			*max_chan_per_scan = 3;
997 		else
998 			*max_chan_per_scan = 4;
999 	}
1000 }
1001 
1002 /*
1003  * This function inspects the scan response buffer for pointers to
1004  * expected TLVs.
1005  *
1006  * TLVs can be included at the end of the scan response BSS information.
1007  *
1008  * Data in the buffer is parsed pointers to TLVs that can potentially
1009  * be passed back in the response.
1010  */
1011 static void
mwifiex_ret_802_11_scan_get_tlv_ptrs(struct mwifiex_adapter * adapter,struct mwifiex_ie_types_data * tlv,u32 tlv_buf_size,u32 req_tlv_type,struct mwifiex_ie_types_data ** tlv_data)1012 mwifiex_ret_802_11_scan_get_tlv_ptrs(struct mwifiex_adapter *adapter,
1013 				     struct mwifiex_ie_types_data *tlv,
1014 				     u32 tlv_buf_size, u32 req_tlv_type,
1015 				     struct mwifiex_ie_types_data **tlv_data)
1016 {
1017 	struct mwifiex_ie_types_data *current_tlv;
1018 	u32 tlv_buf_left;
1019 	u32 tlv_type;
1020 	u32 tlv_len;
1021 
1022 	current_tlv = tlv;
1023 	tlv_buf_left = tlv_buf_size;
1024 	*tlv_data = NULL;
1025 
1026 	dev_dbg(adapter->dev, "info: SCAN_RESP: tlv_buf_size = %d\n",
1027 		tlv_buf_size);
1028 
1029 	while (tlv_buf_left >= sizeof(struct mwifiex_ie_types_header)) {
1030 
1031 		tlv_type = le16_to_cpu(current_tlv->header.type);
1032 		tlv_len = le16_to_cpu(current_tlv->header.len);
1033 
1034 		if (sizeof(tlv->header) + tlv_len > tlv_buf_left) {
1035 			dev_err(adapter->dev, "SCAN_RESP: TLV buffer corrupt\n");
1036 			break;
1037 		}
1038 
1039 		if (req_tlv_type == tlv_type) {
1040 			switch (tlv_type) {
1041 			case TLV_TYPE_TSFTIMESTAMP:
1042 				dev_dbg(adapter->dev, "info: SCAN_RESP: TSF "
1043 					"timestamp TLV, len = %d\n", tlv_len);
1044 				*tlv_data = current_tlv;
1045 				break;
1046 			case TLV_TYPE_CHANNELBANDLIST:
1047 				dev_dbg(adapter->dev, "info: SCAN_RESP: channel"
1048 					" band list TLV, len = %d\n", tlv_len);
1049 				*tlv_data = current_tlv;
1050 				break;
1051 			default:
1052 				dev_err(adapter->dev,
1053 					"SCAN_RESP: unhandled TLV = %d\n",
1054 				       tlv_type);
1055 				/* Give up, this seems corrupted */
1056 				return;
1057 			}
1058 		}
1059 
1060 		if (*tlv_data)
1061 			break;
1062 
1063 
1064 		tlv_buf_left -= (sizeof(tlv->header) + tlv_len);
1065 		current_tlv =
1066 			(struct mwifiex_ie_types_data *) (current_tlv->data +
1067 							  tlv_len);
1068 
1069 	}			/* while */
1070 }
1071 
1072 /*
1073  * This function parses provided beacon buffer and updates
1074  * respective fields in bss descriptor structure.
1075  */
mwifiex_update_bss_desc_with_ie(struct mwifiex_adapter * adapter,struct mwifiex_bssdescriptor * bss_entry)1076 int mwifiex_update_bss_desc_with_ie(struct mwifiex_adapter *adapter,
1077 				    struct mwifiex_bssdescriptor *bss_entry)
1078 {
1079 	int ret = 0;
1080 	u8 element_id;
1081 	struct ieee_types_fh_param_set *fh_param_set;
1082 	struct ieee_types_ds_param_set *ds_param_set;
1083 	struct ieee_types_cf_param_set *cf_param_set;
1084 	struct ieee_types_ibss_param_set *ibss_param_set;
1085 	u8 *current_ptr;
1086 	u8 *rate;
1087 	u8 element_len;
1088 	u16 total_ie_len;
1089 	u8 bytes_to_copy;
1090 	u8 rate_size;
1091 	u8 found_data_rate_ie;
1092 	u32 bytes_left;
1093 	struct ieee_types_vendor_specific *vendor_ie;
1094 	const u8 wpa_oui[4] = { 0x00, 0x50, 0xf2, 0x01 };
1095 	const u8 wmm_oui[4] = { 0x00, 0x50, 0xf2, 0x02 };
1096 
1097 	found_data_rate_ie = false;
1098 	rate_size = 0;
1099 	current_ptr = bss_entry->beacon_buf;
1100 	bytes_left = bss_entry->beacon_buf_size;
1101 
1102 	/* Process variable IE */
1103 	while (bytes_left >= 2) {
1104 		element_id = *current_ptr;
1105 		element_len = *(current_ptr + 1);
1106 		total_ie_len = element_len + sizeof(struct ieee_types_header);
1107 
1108 		if (bytes_left < total_ie_len) {
1109 			dev_err(adapter->dev, "err: InterpretIE: in processing"
1110 				" IE, bytes left < IE length\n");
1111 			return -1;
1112 		}
1113 		switch (element_id) {
1114 		case WLAN_EID_SSID:
1115 			bss_entry->ssid.ssid_len = element_len;
1116 			memcpy(bss_entry->ssid.ssid, (current_ptr + 2),
1117 			       element_len);
1118 			dev_dbg(adapter->dev,
1119 				"info: InterpretIE: ssid: %-32s\n",
1120 				bss_entry->ssid.ssid);
1121 			break;
1122 
1123 		case WLAN_EID_SUPP_RATES:
1124 			memcpy(bss_entry->data_rates, current_ptr + 2,
1125 			       element_len);
1126 			memcpy(bss_entry->supported_rates, current_ptr + 2,
1127 			       element_len);
1128 			rate_size = element_len;
1129 			found_data_rate_ie = true;
1130 			break;
1131 
1132 		case WLAN_EID_FH_PARAMS:
1133 			fh_param_set =
1134 				(struct ieee_types_fh_param_set *) current_ptr;
1135 			memcpy(&bss_entry->phy_param_set.fh_param_set,
1136 			       fh_param_set,
1137 			       sizeof(struct ieee_types_fh_param_set));
1138 			break;
1139 
1140 		case WLAN_EID_DS_PARAMS:
1141 			ds_param_set =
1142 				(struct ieee_types_ds_param_set *) current_ptr;
1143 
1144 			bss_entry->channel = ds_param_set->current_chan;
1145 
1146 			memcpy(&bss_entry->phy_param_set.ds_param_set,
1147 			       ds_param_set,
1148 			       sizeof(struct ieee_types_ds_param_set));
1149 			break;
1150 
1151 		case WLAN_EID_CF_PARAMS:
1152 			cf_param_set =
1153 				(struct ieee_types_cf_param_set *) current_ptr;
1154 			memcpy(&bss_entry->ss_param_set.cf_param_set,
1155 			       cf_param_set,
1156 			       sizeof(struct ieee_types_cf_param_set));
1157 			break;
1158 
1159 		case WLAN_EID_IBSS_PARAMS:
1160 			ibss_param_set =
1161 				(struct ieee_types_ibss_param_set *)
1162 				current_ptr;
1163 			memcpy(&bss_entry->ss_param_set.ibss_param_set,
1164 			       ibss_param_set,
1165 			       sizeof(struct ieee_types_ibss_param_set));
1166 			break;
1167 
1168 		case WLAN_EID_ERP_INFO:
1169 			bss_entry->erp_flags = *(current_ptr + 2);
1170 			break;
1171 
1172 		case WLAN_EID_EXT_SUPP_RATES:
1173 			/*
1174 			 * Only process extended supported rate
1175 			 * if data rate is already found.
1176 			 * Data rate IE should come before
1177 			 * extended supported rate IE
1178 			 */
1179 			if (found_data_rate_ie) {
1180 				if ((element_len + rate_size) >
1181 				    MWIFIEX_SUPPORTED_RATES)
1182 					bytes_to_copy =
1183 						(MWIFIEX_SUPPORTED_RATES -
1184 						 rate_size);
1185 				else
1186 					bytes_to_copy = element_len;
1187 
1188 				rate = (u8 *) bss_entry->data_rates;
1189 				rate += rate_size;
1190 				memcpy(rate, current_ptr + 2, bytes_to_copy);
1191 
1192 				rate = (u8 *) bss_entry->supported_rates;
1193 				rate += rate_size;
1194 				memcpy(rate, current_ptr + 2, bytes_to_copy);
1195 			}
1196 			break;
1197 
1198 		case WLAN_EID_VENDOR_SPECIFIC:
1199 			vendor_ie = (struct ieee_types_vendor_specific *)
1200 					current_ptr;
1201 
1202 			if (!memcmp
1203 			    (vendor_ie->vend_hdr.oui, wpa_oui,
1204 			     sizeof(wpa_oui))) {
1205 				bss_entry->bcn_wpa_ie =
1206 					(struct ieee_types_vendor_specific *)
1207 					current_ptr;
1208 				bss_entry->wpa_offset = (u16)
1209 					(current_ptr - bss_entry->beacon_buf);
1210 			} else if (!memcmp(vendor_ie->vend_hdr.oui, wmm_oui,
1211 				    sizeof(wmm_oui))) {
1212 				if (total_ie_len ==
1213 				    sizeof(struct ieee_types_wmm_parameter) ||
1214 				    total_ie_len ==
1215 				    sizeof(struct ieee_types_wmm_info))
1216 					/*
1217 					 * Only accept and copy the WMM IE if
1218 					 * it matches the size expected for the
1219 					 * WMM Info IE or the WMM Parameter IE.
1220 					 */
1221 					memcpy((u8 *) &bss_entry->wmm_ie,
1222 					       current_ptr, total_ie_len);
1223 			}
1224 			break;
1225 		case WLAN_EID_RSN:
1226 			bss_entry->bcn_rsn_ie =
1227 				(struct ieee_types_generic *) current_ptr;
1228 			bss_entry->rsn_offset = (u16) (current_ptr -
1229 							bss_entry->beacon_buf);
1230 			break;
1231 		case WLAN_EID_BSS_AC_ACCESS_DELAY:
1232 			bss_entry->bcn_wapi_ie =
1233 				(struct ieee_types_generic *) current_ptr;
1234 			bss_entry->wapi_offset = (u16) (current_ptr -
1235 							bss_entry->beacon_buf);
1236 			break;
1237 		case WLAN_EID_HT_CAPABILITY:
1238 			bss_entry->bcn_ht_cap = (struct ieee80211_ht_cap *)
1239 					(current_ptr +
1240 					sizeof(struct ieee_types_header));
1241 			bss_entry->ht_cap_offset = (u16) (current_ptr +
1242 					sizeof(struct ieee_types_header) -
1243 					bss_entry->beacon_buf);
1244 			break;
1245 		case WLAN_EID_HT_OPERATION:
1246 			bss_entry->bcn_ht_oper =
1247 				(struct ieee80211_ht_operation *)(current_ptr +
1248 					sizeof(struct ieee_types_header));
1249 			bss_entry->ht_info_offset = (u16) (current_ptr +
1250 					sizeof(struct ieee_types_header) -
1251 					bss_entry->beacon_buf);
1252 			break;
1253 		case WLAN_EID_VHT_CAPABILITY:
1254 			bss_entry->disable_11ac = false;
1255 			bss_entry->bcn_vht_cap =
1256 				(void *)(current_ptr +
1257 					 sizeof(struct ieee_types_header));
1258 			bss_entry->vht_cap_offset =
1259 					(u16)((u8 *)bss_entry->bcn_vht_cap -
1260 					      bss_entry->beacon_buf);
1261 			break;
1262 		case WLAN_EID_VHT_OPERATION:
1263 			bss_entry->bcn_vht_oper =
1264 				(void *)(current_ptr +
1265 					 sizeof(struct ieee_types_header));
1266 			bss_entry->vht_info_offset =
1267 					(u16)((u8 *)bss_entry->bcn_vht_oper -
1268 					      bss_entry->beacon_buf);
1269 			break;
1270 		case WLAN_EID_BSS_COEX_2040:
1271 			bss_entry->bcn_bss_co_2040 = current_ptr +
1272 				sizeof(struct ieee_types_header);
1273 			bss_entry->bss_co_2040_offset = (u16) (current_ptr +
1274 					sizeof(struct ieee_types_header) -
1275 						bss_entry->beacon_buf);
1276 			break;
1277 		case WLAN_EID_EXT_CAPABILITY:
1278 			bss_entry->bcn_ext_cap = current_ptr +
1279 				sizeof(struct ieee_types_header);
1280 			bss_entry->ext_cap_offset = (u16) (current_ptr +
1281 					sizeof(struct ieee_types_header) -
1282 					bss_entry->beacon_buf);
1283 			break;
1284 		case WLAN_EID_OPMODE_NOTIF:
1285 			bss_entry->oper_mode =
1286 				(void *)(current_ptr +
1287 					 sizeof(struct ieee_types_header));
1288 			bss_entry->oper_mode_offset =
1289 					(u16)((u8 *)bss_entry->oper_mode -
1290 					      bss_entry->beacon_buf);
1291 			break;
1292 		default:
1293 			break;
1294 		}
1295 
1296 		current_ptr += element_len + 2;
1297 
1298 		/* Need to account for IE ID and IE Len */
1299 		bytes_left -= (element_len + 2);
1300 
1301 	}	/* while (bytes_left > 2) */
1302 	return ret;
1303 }
1304 
1305 /*
1306  * This function converts radio type scan parameter to a band configuration
1307  * to be used in join command.
1308  */
1309 static u8
mwifiex_radio_type_to_band(u8 radio_type)1310 mwifiex_radio_type_to_band(u8 radio_type)
1311 {
1312 	switch (radio_type) {
1313 	case HostCmd_SCAN_RADIO_TYPE_A:
1314 		return BAND_A;
1315 	case HostCmd_SCAN_RADIO_TYPE_BG:
1316 	default:
1317 		return BAND_G;
1318 	}
1319 }
1320 
1321 /*
1322  * This is an internal function used to start a scan based on an input
1323  * configuration.
1324  *
1325  * This uses the input user scan configuration information when provided in
1326  * order to send the appropriate scan commands to firmware to populate or
1327  * update the internal driver scan table.
1328  */
mwifiex_scan_networks(struct mwifiex_private * priv,const struct mwifiex_user_scan_cfg * user_scan_in)1329 int mwifiex_scan_networks(struct mwifiex_private *priv,
1330 			  const struct mwifiex_user_scan_cfg *user_scan_in)
1331 {
1332 	int ret;
1333 	struct mwifiex_adapter *adapter = priv->adapter;
1334 	struct cmd_ctrl_node *cmd_node;
1335 	union mwifiex_scan_cmd_config_tlv *scan_cfg_out;
1336 	struct mwifiex_ie_types_chan_list_param_set *chan_list_out;
1337 	struct mwifiex_chan_scan_param_set *scan_chan_list;
1338 	u8 filtered_scan;
1339 	u8 scan_current_chan_only;
1340 	u8 max_chan_per_scan;
1341 	unsigned long flags;
1342 
1343 	if (adapter->scan_processing) {
1344 		dev_err(adapter->dev, "cmd: Scan already in process...\n");
1345 		return -EBUSY;
1346 	}
1347 
1348 	if (priv->scan_block) {
1349 		dev_err(adapter->dev,
1350 			"cmd: Scan is blocked during association...\n");
1351 		return -EBUSY;
1352 	}
1353 
1354 	spin_lock_irqsave(&adapter->mwifiex_cmd_lock, flags);
1355 	adapter->scan_processing = true;
1356 	spin_unlock_irqrestore(&adapter->mwifiex_cmd_lock, flags);
1357 
1358 	scan_cfg_out = kzalloc(sizeof(union mwifiex_scan_cmd_config_tlv),
1359 			       GFP_KERNEL);
1360 	if (!scan_cfg_out) {
1361 		ret = -ENOMEM;
1362 		goto done;
1363 	}
1364 
1365 	scan_chan_list = kcalloc(MWIFIEX_USER_SCAN_CHAN_MAX,
1366 				 sizeof(struct mwifiex_chan_scan_param_set),
1367 				 GFP_KERNEL);
1368 	if (!scan_chan_list) {
1369 		kfree(scan_cfg_out);
1370 		ret = -ENOMEM;
1371 		goto done;
1372 	}
1373 
1374 	mwifiex_config_scan(priv, user_scan_in, &scan_cfg_out->config,
1375 			    &chan_list_out, scan_chan_list, &max_chan_per_scan,
1376 			    &filtered_scan, &scan_current_chan_only);
1377 
1378 	ret = mwifiex_scan_channel_list(priv, max_chan_per_scan, filtered_scan,
1379 					&scan_cfg_out->config, chan_list_out,
1380 					scan_chan_list);
1381 
1382 	/* Get scan command from scan_pending_q and put to cmd_pending_q */
1383 	if (!ret) {
1384 		spin_lock_irqsave(&adapter->scan_pending_q_lock, flags);
1385 		if (!list_empty(&adapter->scan_pending_q)) {
1386 			cmd_node = list_first_entry(&adapter->scan_pending_q,
1387 						    struct cmd_ctrl_node, list);
1388 			list_del(&cmd_node->list);
1389 			spin_unlock_irqrestore(&adapter->scan_pending_q_lock,
1390 					       flags);
1391 			mwifiex_insert_cmd_to_pending_q(adapter, cmd_node,
1392 							true);
1393 			queue_work(adapter->workqueue, &adapter->main_work);
1394 
1395 			/* Perform internal scan synchronously */
1396 			if (!priv->scan_request) {
1397 				dev_dbg(adapter->dev, "wait internal scan\n");
1398 				mwifiex_wait_queue_complete(adapter, cmd_node);
1399 			}
1400 		} else {
1401 			spin_unlock_irqrestore(&adapter->scan_pending_q_lock,
1402 					       flags);
1403 		}
1404 	}
1405 
1406 	kfree(scan_cfg_out);
1407 	kfree(scan_chan_list);
1408 done:
1409 	if (ret) {
1410 		spin_lock_irqsave(&adapter->mwifiex_cmd_lock, flags);
1411 		adapter->scan_processing = false;
1412 		spin_unlock_irqrestore(&adapter->mwifiex_cmd_lock, flags);
1413 	}
1414 	return ret;
1415 }
1416 
1417 /*
1418  * This function prepares a scan command to be sent to the firmware.
1419  *
1420  * This uses the scan command configuration sent to the command processing
1421  * module in command preparation stage to configure a scan command structure
1422  * to send to firmware.
1423  *
1424  * The fixed fields specifying the BSS type and BSSID filters as well as a
1425  * variable number/length of TLVs are sent in the command to firmware.
1426  *
1427  * Preparation also includes -
1428  *      - Setting command ID, and proper size
1429  *      - Ensuring correct endian-ness
1430  */
mwifiex_cmd_802_11_scan(struct host_cmd_ds_command * cmd,struct mwifiex_scan_cmd_config * scan_cfg)1431 int mwifiex_cmd_802_11_scan(struct host_cmd_ds_command *cmd,
1432 			    struct mwifiex_scan_cmd_config *scan_cfg)
1433 {
1434 	struct host_cmd_ds_802_11_scan *scan_cmd = &cmd->params.scan;
1435 
1436 	/* Set fixed field variables in scan command */
1437 	scan_cmd->bss_mode = scan_cfg->bss_mode;
1438 	memcpy(scan_cmd->bssid, scan_cfg->specific_bssid,
1439 	       sizeof(scan_cmd->bssid));
1440 	memcpy(scan_cmd->tlv_buffer, scan_cfg->tlv_buf, scan_cfg->tlv_buf_len);
1441 
1442 	cmd->command = cpu_to_le16(HostCmd_CMD_802_11_SCAN);
1443 
1444 	/* Size is equal to the sizeof(fixed portions) + the TLV len + header */
1445 	cmd->size = cpu_to_le16((u16) (sizeof(scan_cmd->bss_mode)
1446 					  + sizeof(scan_cmd->bssid)
1447 					  + scan_cfg->tlv_buf_len + S_DS_GEN));
1448 
1449 	return 0;
1450 }
1451 
1452 /*
1453  * This function checks compatibility of requested network with current
1454  * driver settings.
1455  */
mwifiex_check_network_compatibility(struct mwifiex_private * priv,struct mwifiex_bssdescriptor * bss_desc)1456 int mwifiex_check_network_compatibility(struct mwifiex_private *priv,
1457 					struct mwifiex_bssdescriptor *bss_desc)
1458 {
1459 	int ret = -1;
1460 
1461 	if (!bss_desc)
1462 		return -1;
1463 
1464 	if ((mwifiex_get_cfp(priv, (u8) bss_desc->bss_band,
1465 			     (u16) bss_desc->channel, 0))) {
1466 		switch (priv->bss_mode) {
1467 		case NL80211_IFTYPE_STATION:
1468 		case NL80211_IFTYPE_ADHOC:
1469 			ret = mwifiex_is_network_compatible(priv, bss_desc,
1470 							    priv->bss_mode);
1471 			if (ret)
1472 				dev_err(priv->adapter->dev,
1473 					"Incompatible network settings\n");
1474 			break;
1475 		default:
1476 			ret = 0;
1477 		}
1478 	}
1479 
1480 	return ret;
1481 }
1482 
mwifiex_update_curr_bss_params(struct mwifiex_private * priv,struct cfg80211_bss * bss)1483 static int mwifiex_update_curr_bss_params(struct mwifiex_private *priv,
1484 					  struct cfg80211_bss *bss)
1485 {
1486 	struct mwifiex_bssdescriptor *bss_desc;
1487 	int ret;
1488 	unsigned long flags;
1489 
1490 	/* Allocate and fill new bss descriptor */
1491 	bss_desc = kzalloc(sizeof(struct mwifiex_bssdescriptor), GFP_KERNEL);
1492 	if (!bss_desc)
1493 		return -ENOMEM;
1494 
1495 	ret = mwifiex_fill_new_bss_desc(priv, bss, bss_desc);
1496 	if (ret)
1497 		goto done;
1498 
1499 	ret = mwifiex_check_network_compatibility(priv, bss_desc);
1500 	if (ret)
1501 		goto done;
1502 
1503 	spin_lock_irqsave(&priv->curr_bcn_buf_lock, flags);
1504 	/* Make a copy of current BSSID descriptor */
1505 	memcpy(&priv->curr_bss_params.bss_descriptor, bss_desc,
1506 	       sizeof(priv->curr_bss_params.bss_descriptor));
1507 
1508 	/* The contents of beacon_ie will be copied to its own buffer
1509 	 * in mwifiex_save_curr_bcn()
1510 	 */
1511 	mwifiex_save_curr_bcn(priv);
1512 	spin_unlock_irqrestore(&priv->curr_bcn_buf_lock, flags);
1513 
1514 done:
1515 	/* beacon_ie buffer was allocated in function
1516 	 * mwifiex_fill_new_bss_desc(). Free it now.
1517 	 */
1518 	kfree(bss_desc->beacon_buf);
1519 	kfree(bss_desc);
1520 	return 0;
1521 }
1522 
1523 /*
1524  * This function handles the command response of scan.
1525  *
1526  * The response buffer for the scan command has the following
1527  * memory layout:
1528  *
1529  *      .-------------------------------------------------------------.
1530  *      |  Header (4 * sizeof(t_u16)):  Standard command response hdr |
1531  *      .-------------------------------------------------------------.
1532  *      |  BufSize (t_u16) : sizeof the BSS Description data          |
1533  *      .-------------------------------------------------------------.
1534  *      |  NumOfSet (t_u8) : Number of BSS Descs returned             |
1535  *      .-------------------------------------------------------------.
1536  *      |  BSSDescription data (variable, size given in BufSize)      |
1537  *      .-------------------------------------------------------------.
1538  *      |  TLV data (variable, size calculated using Header->Size,    |
1539  *      |            BufSize and sizeof the fixed fields above)       |
1540  *      .-------------------------------------------------------------.
1541  */
mwifiex_ret_802_11_scan(struct mwifiex_private * priv,struct host_cmd_ds_command * resp)1542 int mwifiex_ret_802_11_scan(struct mwifiex_private *priv,
1543 			    struct host_cmd_ds_command *resp)
1544 {
1545 	int ret = 0;
1546 	struct mwifiex_adapter *adapter = priv->adapter;
1547 	struct cmd_ctrl_node *cmd_node;
1548 	struct host_cmd_ds_802_11_scan_rsp *scan_rsp;
1549 	struct mwifiex_ie_types_data *tlv_data;
1550 	struct mwifiex_ie_types_tsf_timestamp *tsf_tlv;
1551 	u8 *bss_info;
1552 	u32 scan_resp_size;
1553 	u32 bytes_left;
1554 	u32 idx;
1555 	u32 tlv_buf_size;
1556 	struct mwifiex_chan_freq_power *cfp;
1557 	struct mwifiex_ie_types_chan_band_list_param_set *chan_band_tlv;
1558 	struct chan_band_param_set *chan_band;
1559 	u8 is_bgscan_resp;
1560 	unsigned long flags;
1561 	struct cfg80211_bss *bss;
1562 
1563 	is_bgscan_resp = (le16_to_cpu(resp->command)
1564 			  == HostCmd_CMD_802_11_BG_SCAN_QUERY);
1565 	if (is_bgscan_resp)
1566 		scan_rsp = &resp->params.bg_scan_query_resp.scan_resp;
1567 	else
1568 		scan_rsp = &resp->params.scan_resp;
1569 
1570 
1571 	if (scan_rsp->number_of_sets > MWIFIEX_MAX_AP) {
1572 		dev_err(adapter->dev, "SCAN_RESP: too many AP returned (%d)\n",
1573 			scan_rsp->number_of_sets);
1574 		ret = -1;
1575 		goto check_next_scan;
1576 	}
1577 
1578 	bytes_left = le16_to_cpu(scan_rsp->bss_descript_size);
1579 	dev_dbg(adapter->dev, "info: SCAN_RESP: bss_descript_size %d\n",
1580 		bytes_left);
1581 
1582 	scan_resp_size = le16_to_cpu(resp->size);
1583 
1584 	dev_dbg(adapter->dev,
1585 		"info: SCAN_RESP: returned %d APs before parsing\n",
1586 		scan_rsp->number_of_sets);
1587 
1588 	bss_info = scan_rsp->bss_desc_and_tlv_buffer;
1589 
1590 	/*
1591 	 * The size of the TLV buffer is equal to the entire command response
1592 	 *   size (scan_resp_size) minus the fixed fields (sizeof()'s), the
1593 	 *   BSS Descriptions (bss_descript_size as bytesLef) and the command
1594 	 *   response header (S_DS_GEN)
1595 	 */
1596 	tlv_buf_size = scan_resp_size - (bytes_left
1597 					 + sizeof(scan_rsp->bss_descript_size)
1598 					 + sizeof(scan_rsp->number_of_sets)
1599 					 + S_DS_GEN);
1600 
1601 	tlv_data = (struct mwifiex_ie_types_data *) (scan_rsp->
1602 						 bss_desc_and_tlv_buffer +
1603 						 bytes_left);
1604 
1605 	/* Search the TLV buffer space in the scan response for any valid
1606 	   TLVs */
1607 	mwifiex_ret_802_11_scan_get_tlv_ptrs(adapter, tlv_data, tlv_buf_size,
1608 					     TLV_TYPE_TSFTIMESTAMP,
1609 					     (struct mwifiex_ie_types_data **)
1610 					     &tsf_tlv);
1611 
1612 	/* Search the TLV buffer space in the scan response for any valid
1613 	   TLVs */
1614 	mwifiex_ret_802_11_scan_get_tlv_ptrs(adapter, tlv_data, tlv_buf_size,
1615 					     TLV_TYPE_CHANNELBANDLIST,
1616 					     (struct mwifiex_ie_types_data **)
1617 					     &chan_band_tlv);
1618 
1619 	for (idx = 0; idx < scan_rsp->number_of_sets && bytes_left; idx++) {
1620 		u8 bssid[ETH_ALEN];
1621 		s32 rssi;
1622 		const u8 *ie_buf;
1623 		size_t ie_len;
1624 		u16 channel = 0;
1625 		u64 fw_tsf = 0;
1626 		u16 beacon_size = 0;
1627 		u32 curr_bcn_bytes;
1628 		u32 freq;
1629 		u16 beacon_period;
1630 		u16 cap_info_bitmap;
1631 		u8 *current_ptr;
1632 		u64 timestamp;
1633 		struct mwifiex_bcn_param *bcn_param;
1634 		struct mwifiex_bss_priv *bss_priv;
1635 
1636 		if (bytes_left >= sizeof(beacon_size)) {
1637 			/* Extract & convert beacon size from command buffer */
1638 			memcpy(&beacon_size, bss_info, sizeof(beacon_size));
1639 			bytes_left -= sizeof(beacon_size);
1640 			bss_info += sizeof(beacon_size);
1641 		}
1642 
1643 		if (!beacon_size || beacon_size > bytes_left) {
1644 			bss_info += bytes_left;
1645 			bytes_left = 0;
1646 			ret = -1;
1647 			goto check_next_scan;
1648 		}
1649 
1650 		/* Initialize the current working beacon pointer for this BSS
1651 		 * iteration */
1652 		current_ptr = bss_info;
1653 
1654 		/* Advance the return beacon pointer past the current beacon */
1655 		bss_info += beacon_size;
1656 		bytes_left -= beacon_size;
1657 
1658 		curr_bcn_bytes = beacon_size;
1659 
1660 		/*
1661 		 * First 5 fields are bssid, RSSI, time stamp, beacon interval,
1662 		 *   and capability information
1663 		 */
1664 		if (curr_bcn_bytes < sizeof(struct mwifiex_bcn_param)) {
1665 			dev_err(adapter->dev,
1666 				"InterpretIE: not enough bytes left\n");
1667 			continue;
1668 		}
1669 		bcn_param = (struct mwifiex_bcn_param *)current_ptr;
1670 		current_ptr += sizeof(*bcn_param);
1671 		curr_bcn_bytes -= sizeof(*bcn_param);
1672 
1673 		memcpy(bssid, bcn_param->bssid, ETH_ALEN);
1674 
1675 		rssi = (s32) bcn_param->rssi;
1676 		rssi = (-rssi) * 100;		/* Convert dBm to mBm */
1677 		dev_dbg(adapter->dev, "info: InterpretIE: RSSI=%d\n", rssi);
1678 
1679 		timestamp = le64_to_cpu(bcn_param->timestamp);
1680 		beacon_period = le16_to_cpu(bcn_param->beacon_period);
1681 
1682 		cap_info_bitmap = le16_to_cpu(bcn_param->cap_info_bitmap);
1683 		dev_dbg(adapter->dev, "info: InterpretIE: capabilities=0x%X\n",
1684 			cap_info_bitmap);
1685 
1686 		/* Rest of the current buffer are IE's */
1687 		ie_buf = current_ptr;
1688 		ie_len = curr_bcn_bytes;
1689 		dev_dbg(adapter->dev,
1690 			"info: InterpretIE: IELength for this AP = %d\n",
1691 			curr_bcn_bytes);
1692 
1693 		while (curr_bcn_bytes >= sizeof(struct ieee_types_header)) {
1694 			u8 element_id, element_len;
1695 
1696 			element_id = *current_ptr;
1697 			element_len = *(current_ptr + 1);
1698 			if (curr_bcn_bytes < element_len +
1699 					sizeof(struct ieee_types_header)) {
1700 				dev_err(priv->adapter->dev,
1701 					"%s: bytes left < IE length\n",
1702 					__func__);
1703 				goto check_next_scan;
1704 			}
1705 			if (element_id == WLAN_EID_DS_PARAMS) {
1706 				channel = *(current_ptr + sizeof(struct ieee_types_header));
1707 				break;
1708 			}
1709 
1710 			current_ptr += element_len +
1711 					sizeof(struct ieee_types_header);
1712 			curr_bcn_bytes -= element_len +
1713 					sizeof(struct ieee_types_header);
1714 		}
1715 
1716 		/*
1717 		 * If the TSF TLV was appended to the scan results, save this
1718 		 * entry's TSF value in the fw_tsf field. It is the firmware's
1719 		 * TSF value at the time the beacon or probe response was
1720 		 * received.
1721 		 */
1722 		if (tsf_tlv)
1723 			memcpy(&fw_tsf, &tsf_tlv->tsf_data[idx * TSF_DATA_SIZE],
1724 			       sizeof(fw_tsf));
1725 
1726 		if (channel) {
1727 			struct ieee80211_channel *chan;
1728 			u8 band;
1729 
1730 			band = BAND_G;
1731 			if (chan_band_tlv) {
1732 				chan_band =
1733 					&chan_band_tlv->chan_band_param[idx];
1734 				band = mwifiex_radio_type_to_band(
1735 						chan_band->radio_type
1736 						& (BIT(0) | BIT(1)));
1737 			}
1738 
1739 			cfp = mwifiex_get_cfp(priv, band, channel, 0);
1740 
1741 			freq = cfp ? cfp->freq : 0;
1742 
1743 			chan = ieee80211_get_channel(priv->wdev->wiphy, freq);
1744 
1745 			if (chan && !(chan->flags & IEEE80211_CHAN_DISABLED)) {
1746 				bss = cfg80211_inform_bss(priv->wdev->wiphy,
1747 					      chan, bssid, timestamp,
1748 					      cap_info_bitmap, beacon_period,
1749 					      ie_buf, ie_len, rssi, GFP_KERNEL);
1750 				bss_priv = (struct mwifiex_bss_priv *)bss->priv;
1751 				bss_priv->band = band;
1752 				bss_priv->fw_tsf = fw_tsf;
1753 				if (priv->media_connected &&
1754 				    !memcmp(bssid,
1755 					    priv->curr_bss_params.bss_descriptor
1756 					    .mac_address, ETH_ALEN))
1757 					mwifiex_update_curr_bss_params(priv,
1758 								       bss);
1759 				cfg80211_put_bss(priv->wdev->wiphy, bss);
1760 			}
1761 		} else {
1762 			dev_dbg(adapter->dev, "missing BSS channel IE\n");
1763 		}
1764 	}
1765 
1766 check_next_scan:
1767 	spin_lock_irqsave(&adapter->scan_pending_q_lock, flags);
1768 	if (list_empty(&adapter->scan_pending_q)) {
1769 		spin_unlock_irqrestore(&adapter->scan_pending_q_lock, flags);
1770 		spin_lock_irqsave(&adapter->mwifiex_cmd_lock, flags);
1771 		adapter->scan_processing = false;
1772 		spin_unlock_irqrestore(&adapter->mwifiex_cmd_lock, flags);
1773 
1774 		/* Need to indicate IOCTL complete */
1775 		if (adapter->curr_cmd->wait_q_enabled) {
1776 			adapter->cmd_wait_q.status = 0;
1777 			if (!priv->scan_request) {
1778 				dev_dbg(adapter->dev,
1779 					"complete internal scan\n");
1780 				mwifiex_complete_cmd(adapter,
1781 						     adapter->curr_cmd);
1782 			}
1783 		}
1784 		if (priv->report_scan_result)
1785 			priv->report_scan_result = false;
1786 
1787 		if (priv->user_scan_cfg) {
1788 			if (priv->scan_request) {
1789 				dev_dbg(priv->adapter->dev,
1790 					"info: notifying scan done\n");
1791 				cfg80211_scan_done(priv->scan_request, 0);
1792 				priv->scan_request = NULL;
1793 			} else {
1794 				dev_dbg(priv->adapter->dev,
1795 					"info: scan already aborted\n");
1796 			}
1797 
1798 			kfree(priv->user_scan_cfg);
1799 			priv->user_scan_cfg = NULL;
1800 		}
1801 	} else {
1802 		if (priv->user_scan_cfg && !priv->scan_request) {
1803 			spin_unlock_irqrestore(&adapter->scan_pending_q_lock,
1804 					       flags);
1805 			adapter->scan_delay_cnt = MWIFIEX_MAX_SCAN_DELAY_CNT;
1806 			mod_timer(&priv->scan_delay_timer, jiffies);
1807 			dev_dbg(priv->adapter->dev,
1808 				"info: %s: triggerring scan abort\n", __func__);
1809 		} else if (!mwifiex_wmm_lists_empty(adapter) &&
1810 			   (priv->scan_request && (priv->scan_request->flags &
1811 					    NL80211_SCAN_FLAG_LOW_PRIORITY))) {
1812 			spin_unlock_irqrestore(&adapter->scan_pending_q_lock,
1813 					       flags);
1814 			adapter->scan_delay_cnt = 1;
1815 			mod_timer(&priv->scan_delay_timer, jiffies +
1816 				  msecs_to_jiffies(MWIFIEX_SCAN_DELAY_MSEC));
1817 			dev_dbg(priv->adapter->dev,
1818 				"info: %s: deferring scan\n", __func__);
1819 		} else {
1820 			/* Get scan command from scan_pending_q and put to
1821 			   cmd_pending_q */
1822 			cmd_node = list_first_entry(&adapter->scan_pending_q,
1823 						    struct cmd_ctrl_node, list);
1824 			list_del(&cmd_node->list);
1825 			spin_unlock_irqrestore(&adapter->scan_pending_q_lock,
1826 					       flags);
1827 			mwifiex_insert_cmd_to_pending_q(adapter, cmd_node,
1828 							true);
1829 		}
1830 	}
1831 
1832 	return ret;
1833 }
1834 
1835 /*
1836  * This function prepares command for background scan query.
1837  *
1838  * Preparation includes -
1839  *      - Setting command ID and proper size
1840  *      - Setting background scan flush parameter
1841  *      - Ensuring correct endian-ness
1842  */
mwifiex_cmd_802_11_bg_scan_query(struct host_cmd_ds_command * cmd)1843 int mwifiex_cmd_802_11_bg_scan_query(struct host_cmd_ds_command *cmd)
1844 {
1845 	struct host_cmd_ds_802_11_bg_scan_query *bg_query =
1846 		&cmd->params.bg_scan_query;
1847 
1848 	cmd->command = cpu_to_le16(HostCmd_CMD_802_11_BG_SCAN_QUERY);
1849 	cmd->size = cpu_to_le16(sizeof(struct host_cmd_ds_802_11_bg_scan_query)
1850 				+ S_DS_GEN);
1851 
1852 	bg_query->flush = 1;
1853 
1854 	return 0;
1855 }
1856 
1857 /*
1858  * This function inserts scan command node to the scan pending queue.
1859  */
1860 void
mwifiex_queue_scan_cmd(struct mwifiex_private * priv,struct cmd_ctrl_node * cmd_node)1861 mwifiex_queue_scan_cmd(struct mwifiex_private *priv,
1862 		       struct cmd_ctrl_node *cmd_node)
1863 {
1864 	struct mwifiex_adapter *adapter = priv->adapter;
1865 	unsigned long flags;
1866 
1867 	cmd_node->wait_q_enabled = true;
1868 	cmd_node->condition = &adapter->scan_wait_q_woken;
1869 	spin_lock_irqsave(&adapter->scan_pending_q_lock, flags);
1870 	list_add_tail(&cmd_node->list, &adapter->scan_pending_q);
1871 	spin_unlock_irqrestore(&adapter->scan_pending_q_lock, flags);
1872 }
1873 
1874 /*
1875  * This function sends a scan command for all available channels to the
1876  * firmware, filtered on a specific SSID.
1877  */
mwifiex_scan_specific_ssid(struct mwifiex_private * priv,struct cfg80211_ssid * req_ssid)1878 static int mwifiex_scan_specific_ssid(struct mwifiex_private *priv,
1879 				      struct cfg80211_ssid *req_ssid)
1880 {
1881 	struct mwifiex_adapter *adapter = priv->adapter;
1882 	int ret;
1883 	struct mwifiex_user_scan_cfg *scan_cfg;
1884 
1885 	if (adapter->scan_processing) {
1886 		dev_err(adapter->dev, "cmd: Scan already in process...\n");
1887 		return -EBUSY;
1888 	}
1889 
1890 	if (priv->scan_block) {
1891 		dev_err(adapter->dev,
1892 			"cmd: Scan is blocked during association...\n");
1893 		return -EBUSY;
1894 	}
1895 
1896 	scan_cfg = kzalloc(sizeof(struct mwifiex_user_scan_cfg), GFP_KERNEL);
1897 	if (!scan_cfg)
1898 		return -ENOMEM;
1899 
1900 	scan_cfg->ssid_list = req_ssid;
1901 	scan_cfg->num_ssids = 1;
1902 
1903 	ret = mwifiex_scan_networks(priv, scan_cfg);
1904 
1905 	kfree(scan_cfg);
1906 	return ret;
1907 }
1908 
1909 /*
1910  * Sends IOCTL request to start a scan.
1911  *
1912  * This function allocates the IOCTL request buffer, fills it
1913  * with requisite parameters and calls the IOCTL handler.
1914  *
1915  * Scan command can be issued for both normal scan and specific SSID
1916  * scan, depending upon whether an SSID is provided or not.
1917  */
mwifiex_request_scan(struct mwifiex_private * priv,struct cfg80211_ssid * req_ssid)1918 int mwifiex_request_scan(struct mwifiex_private *priv,
1919 			 struct cfg80211_ssid *req_ssid)
1920 {
1921 	int ret;
1922 
1923 	if (down_interruptible(&priv->async_sem)) {
1924 		dev_err(priv->adapter->dev, "%s: acquire semaphore\n",
1925 			__func__);
1926 		return -1;
1927 	}
1928 
1929 	priv->adapter->scan_wait_q_woken = false;
1930 
1931 	if (req_ssid && req_ssid->ssid_len != 0)
1932 		/* Specific SSID scan */
1933 		ret = mwifiex_scan_specific_ssid(priv, req_ssid);
1934 	else
1935 		/* Normal scan */
1936 		ret = mwifiex_scan_networks(priv, NULL);
1937 
1938 	up(&priv->async_sem);
1939 
1940 	return ret;
1941 }
1942 
1943 /*
1944  * This function appends the vendor specific IE TLV to a buffer.
1945  */
1946 int
mwifiex_cmd_append_vsie_tlv(struct mwifiex_private * priv,u16 vsie_mask,u8 ** buffer)1947 mwifiex_cmd_append_vsie_tlv(struct mwifiex_private *priv,
1948 			    u16 vsie_mask, u8 **buffer)
1949 {
1950 	int id, ret_len = 0;
1951 	struct mwifiex_ie_types_vendor_param_set *vs_param_set;
1952 
1953 	if (!buffer)
1954 		return 0;
1955 	if (!(*buffer))
1956 		return 0;
1957 
1958 	/*
1959 	 * Traverse through the saved vendor specific IE array and append
1960 	 * the selected(scan/assoc/adhoc) IE as TLV to the command
1961 	 */
1962 	for (id = 0; id < MWIFIEX_MAX_VSIE_NUM; id++) {
1963 		if (priv->vs_ie[id].mask & vsie_mask) {
1964 			vs_param_set =
1965 				(struct mwifiex_ie_types_vendor_param_set *)
1966 				*buffer;
1967 			vs_param_set->header.type =
1968 				cpu_to_le16(TLV_TYPE_PASSTHROUGH);
1969 			vs_param_set->header.len =
1970 				cpu_to_le16((((u16) priv->vs_ie[id].ie[1])
1971 				& 0x00FF) + 2);
1972 			memcpy(vs_param_set->ie, priv->vs_ie[id].ie,
1973 			       le16_to_cpu(vs_param_set->header.len));
1974 			*buffer += le16_to_cpu(vs_param_set->header.len) +
1975 				   sizeof(struct mwifiex_ie_types_header);
1976 			ret_len += le16_to_cpu(vs_param_set->header.len) +
1977 				   sizeof(struct mwifiex_ie_types_header);
1978 		}
1979 	}
1980 	return ret_len;
1981 }
1982 
1983 /*
1984  * This function saves a beacon buffer of the current BSS descriptor.
1985  *
1986  * The current beacon buffer is saved so that it can be restored in the
1987  * following cases that makes the beacon buffer not to contain the current
1988  * ssid's beacon buffer.
1989  *      - The current ssid was not found somehow in the last scan.
1990  *      - The current ssid was the last entry of the scan table and overloaded.
1991  */
1992 void
mwifiex_save_curr_bcn(struct mwifiex_private * priv)1993 mwifiex_save_curr_bcn(struct mwifiex_private *priv)
1994 {
1995 	struct mwifiex_bssdescriptor *curr_bss =
1996 		&priv->curr_bss_params.bss_descriptor;
1997 
1998 	if (!curr_bss->beacon_buf_size)
1999 		return;
2000 
2001 	/* allocate beacon buffer at 1st time; or if it's size has changed */
2002 	if (!priv->curr_bcn_buf ||
2003 	    priv->curr_bcn_size != curr_bss->beacon_buf_size) {
2004 		priv->curr_bcn_size = curr_bss->beacon_buf_size;
2005 
2006 		kfree(priv->curr_bcn_buf);
2007 		priv->curr_bcn_buf = kmalloc(curr_bss->beacon_buf_size,
2008 					     GFP_ATOMIC);
2009 		if (!priv->curr_bcn_buf)
2010 			return;
2011 	}
2012 
2013 	memcpy(priv->curr_bcn_buf, curr_bss->beacon_buf,
2014 	       curr_bss->beacon_buf_size);
2015 	dev_dbg(priv->adapter->dev, "info: current beacon saved %d\n",
2016 		priv->curr_bcn_size);
2017 
2018 	curr_bss->beacon_buf = priv->curr_bcn_buf;
2019 
2020 	/* adjust the pointers in the current BSS descriptor */
2021 	if (curr_bss->bcn_wpa_ie)
2022 		curr_bss->bcn_wpa_ie =
2023 			(struct ieee_types_vendor_specific *)
2024 			(curr_bss->beacon_buf +
2025 			 curr_bss->wpa_offset);
2026 
2027 	if (curr_bss->bcn_rsn_ie)
2028 		curr_bss->bcn_rsn_ie = (struct ieee_types_generic *)
2029 			(curr_bss->beacon_buf +
2030 			 curr_bss->rsn_offset);
2031 
2032 	if (curr_bss->bcn_ht_cap)
2033 		curr_bss->bcn_ht_cap = (struct ieee80211_ht_cap *)
2034 			(curr_bss->beacon_buf +
2035 			 curr_bss->ht_cap_offset);
2036 
2037 	if (curr_bss->bcn_ht_oper)
2038 		curr_bss->bcn_ht_oper = (struct ieee80211_ht_operation *)
2039 			(curr_bss->beacon_buf +
2040 			 curr_bss->ht_info_offset);
2041 
2042 	if (curr_bss->bcn_vht_cap)
2043 		curr_bss->bcn_ht_cap = (void *)(curr_bss->beacon_buf +
2044 						curr_bss->vht_cap_offset);
2045 
2046 	if (curr_bss->bcn_vht_oper)
2047 		curr_bss->bcn_ht_oper = (void *)(curr_bss->beacon_buf +
2048 						 curr_bss->vht_info_offset);
2049 
2050 	if (curr_bss->bcn_bss_co_2040)
2051 		curr_bss->bcn_bss_co_2040 =
2052 			(curr_bss->beacon_buf + curr_bss->bss_co_2040_offset);
2053 
2054 	if (curr_bss->bcn_ext_cap)
2055 		curr_bss->bcn_ext_cap = curr_bss->beacon_buf +
2056 			curr_bss->ext_cap_offset;
2057 
2058 	if (curr_bss->oper_mode)
2059 		curr_bss->oper_mode = (void *)(curr_bss->beacon_buf +
2060 					       curr_bss->oper_mode_offset);
2061 }
2062 
2063 /*
2064  * This function frees the current BSS descriptor beacon buffer.
2065  */
2066 void
mwifiex_free_curr_bcn(struct mwifiex_private * priv)2067 mwifiex_free_curr_bcn(struct mwifiex_private *priv)
2068 {
2069 	kfree(priv->curr_bcn_buf);
2070 	priv->curr_bcn_buf = NULL;
2071 }
2072