xref: /freebsd/contrib/wpa/wpa_supplicant/scan.c (revision 5b56413d04e608379c9a306373554a8e4d321bc0)
1 /*
2  * WPA Supplicant - Scanning
3  * Copyright (c) 2003-2019, Jouni Malinen <j@w1.fi>
4  *
5  * This software may be distributed under the terms of the BSD license.
6  * See README for more details.
7  */
8 
9 #include "utils/includes.h"
10 
11 #include "utils/common.h"
12 #include "utils/eloop.h"
13 #include "common/ieee802_11_defs.h"
14 #include "common/wpa_ctrl.h"
15 #include "config.h"
16 #include "wpa_supplicant_i.h"
17 #include "driver_i.h"
18 #include "wps_supplicant.h"
19 #include "p2p_supplicant.h"
20 #include "p2p/p2p.h"
21 #include "hs20_supplicant.h"
22 #include "notify.h"
23 #include "bss.h"
24 #include "scan.h"
25 #include "mesh.h"
26 
27 static struct wpabuf * wpa_supplicant_extra_ies(struct wpa_supplicant *wpa_s);
28 
29 
30 static void wpa_supplicant_gen_assoc_event(struct wpa_supplicant *wpa_s)
31 {
32 	struct wpa_ssid *ssid;
33 	union wpa_event_data data;
34 
35 	ssid = wpa_supplicant_get_ssid(wpa_s);
36 	if (ssid == NULL)
37 		return;
38 
39 	if (wpa_s->current_ssid == NULL) {
40 		wpa_s->current_ssid = ssid;
41 		wpas_notify_network_changed(wpa_s);
42 	}
43 	wpa_supplicant_initiate_eapol(wpa_s);
44 	wpa_dbg(wpa_s, MSG_DEBUG, "Already associated with a configured "
45 		"network - generating associated event");
46 	os_memset(&data, 0, sizeof(data));
47 	wpa_supplicant_event(wpa_s, EVENT_ASSOC, &data);
48 }
49 
50 
51 #ifdef CONFIG_WPS
52 static int wpas_wps_in_use(struct wpa_supplicant *wpa_s,
53 			   enum wps_request_type *req_type)
54 {
55 	struct wpa_ssid *ssid;
56 	int wps = 0;
57 
58 	for (ssid = wpa_s->conf->ssid; ssid; ssid = ssid->next) {
59 		if (!(ssid->key_mgmt & WPA_KEY_MGMT_WPS))
60 			continue;
61 
62 		wps = 1;
63 		*req_type = wpas_wps_get_req_type(ssid);
64 		if (ssid->eap.phase1 && os_strstr(ssid->eap.phase1, "pbc=1"))
65 			return 2;
66 	}
67 
68 #ifdef CONFIG_P2P
69 	if (!wpa_s->global->p2p_disabled && wpa_s->global->p2p &&
70 	    !wpa_s->conf->p2p_disabled) {
71 		wpa_s->wps->dev.p2p = 1;
72 		if (!wps) {
73 			wps = 1;
74 			*req_type = WPS_REQ_ENROLLEE_INFO;
75 		}
76 	}
77 #endif /* CONFIG_P2P */
78 
79 	return wps;
80 }
81 #endif /* CONFIG_WPS */
82 
83 
84 static int wpa_setup_mac_addr_rand_params(struct wpa_driver_scan_params *params,
85 					  const u8 *mac_addr)
86 {
87 	u8 *tmp;
88 
89 	if (params->mac_addr) {
90 		params->mac_addr_mask = NULL;
91 		os_free(params->mac_addr);
92 		params->mac_addr = NULL;
93 	}
94 
95 	params->mac_addr_rand = 1;
96 
97 	if (!mac_addr)
98 		return 0;
99 
100 	tmp = os_malloc(2 * ETH_ALEN);
101 	if (!tmp)
102 		return -1;
103 
104 	os_memcpy(tmp, mac_addr, 2 * ETH_ALEN);
105 	params->mac_addr = tmp;
106 	params->mac_addr_mask = tmp + ETH_ALEN;
107 	return 0;
108 }
109 
110 
111 /**
112  * wpa_supplicant_enabled_networks - Check whether there are enabled networks
113  * @wpa_s: Pointer to wpa_supplicant data
114  * Returns: 0 if no networks are enabled, >0 if networks are enabled
115  *
116  * This function is used to figure out whether any networks (or Interworking
117  * with enabled credentials and auto_interworking) are present in the current
118  * configuration.
119  */
120 int wpa_supplicant_enabled_networks(struct wpa_supplicant *wpa_s)
121 {
122 	struct wpa_ssid *ssid = wpa_s->conf->ssid;
123 	int count = 0, disabled = 0;
124 
125 	if (wpa_s->p2p_mgmt)
126 		return 0; /* no normal network profiles on p2p_mgmt interface */
127 
128 	while (ssid) {
129 		if (!wpas_network_disabled(wpa_s, ssid))
130 			count++;
131 		else
132 			disabled++;
133 		ssid = ssid->next;
134 	}
135 	if (wpa_s->conf->cred && wpa_s->conf->interworking &&
136 	    wpa_s->conf->auto_interworking)
137 		count++;
138 	if (count == 0 && disabled > 0) {
139 		wpa_dbg(wpa_s, MSG_DEBUG, "No enabled networks (%d disabled "
140 			"networks)", disabled);
141 	}
142 	return count;
143 }
144 
145 
146 static void wpa_supplicant_assoc_try(struct wpa_supplicant *wpa_s,
147 				     struct wpa_ssid *ssid)
148 {
149 	int min_temp_disabled = 0;
150 
151 	while (ssid) {
152 		if (!wpas_network_disabled(wpa_s, ssid)) {
153 			int temp_disabled = wpas_temp_disabled(wpa_s, ssid);
154 
155 			if (temp_disabled <= 0)
156 				break;
157 
158 			if (!min_temp_disabled ||
159 			    temp_disabled < min_temp_disabled)
160 				min_temp_disabled = temp_disabled;
161 		}
162 		ssid = ssid->next;
163 	}
164 
165 	/* ap_scan=2 mode - try to associate with each SSID. */
166 	if (ssid == NULL) {
167 		wpa_dbg(wpa_s, MSG_DEBUG, "wpa_supplicant_assoc_try: Reached "
168 			"end of scan list - go back to beginning");
169 		wpa_s->prev_scan_ssid = WILDCARD_SSID_SCAN;
170 		wpa_supplicant_req_scan(wpa_s, min_temp_disabled, 0);
171 		return;
172 	}
173 	if (ssid->next) {
174 		/* Continue from the next SSID on the next attempt. */
175 		wpa_s->prev_scan_ssid = ssid;
176 	} else {
177 		/* Start from the beginning of the SSID list. */
178 		wpa_s->prev_scan_ssid = WILDCARD_SSID_SCAN;
179 	}
180 	wpa_supplicant_associate(wpa_s, NULL, ssid);
181 }
182 
183 
184 static void wpas_trigger_scan_cb(struct wpa_radio_work *work, int deinit)
185 {
186 	struct wpa_supplicant *wpa_s = work->wpa_s;
187 	struct wpa_driver_scan_params *params = work->ctx;
188 	int ret;
189 
190 	if (deinit) {
191 		if (!work->started) {
192 			wpa_scan_free_params(params);
193 			return;
194 		}
195 		wpa_supplicant_notify_scanning(wpa_s, 0);
196 		wpas_notify_scan_done(wpa_s, 0);
197 		wpa_s->scan_work = NULL;
198 		return;
199 	}
200 
201 	if ((wpa_s->mac_addr_rand_enable & MAC_ADDR_RAND_SCAN) &&
202 	    wpa_s->wpa_state <= WPA_SCANNING)
203 		wpa_setup_mac_addr_rand_params(params, wpa_s->mac_addr_scan);
204 
205 	if (wpas_update_random_addr_disassoc(wpa_s) < 0) {
206 		wpa_msg(wpa_s, MSG_INFO,
207 			"Failed to assign random MAC address for a scan");
208 		wpa_scan_free_params(params);
209 		wpa_msg(wpa_s, MSG_INFO, WPA_EVENT_SCAN_FAILED "ret=-1");
210 		radio_work_done(work);
211 		return;
212 	}
213 
214 	wpa_supplicant_notify_scanning(wpa_s, 1);
215 
216 	if (wpa_s->clear_driver_scan_cache) {
217 		wpa_printf(MSG_DEBUG,
218 			   "Request driver to clear scan cache due to local BSS flush");
219 		params->only_new_results = 1;
220 	}
221 	ret = wpa_drv_scan(wpa_s, params);
222 	/*
223 	 * Store the obtained vendor scan cookie (if any) in wpa_s context.
224 	 * The current design is to allow only one scan request on each
225 	 * interface, hence having this scan cookie stored in wpa_s context is
226 	 * fine for now.
227 	 *
228 	 * Revisit this logic if concurrent scan operations per interface
229 	 * is supported.
230 	 */
231 	if (ret == 0)
232 		wpa_s->curr_scan_cookie = params->scan_cookie;
233 	wpa_scan_free_params(params);
234 	work->ctx = NULL;
235 	if (ret) {
236 		int retry = wpa_s->last_scan_req != MANUAL_SCAN_REQ &&
237 			!wpa_s->beacon_rep_data.token;
238 
239 		if (wpa_s->disconnected)
240 			retry = 0;
241 
242 		/* do not retry if operation is not supported */
243 		if (ret == -EOPNOTSUPP)
244 			retry = 0;
245 
246 		wpa_supplicant_notify_scanning(wpa_s, 0);
247 		wpas_notify_scan_done(wpa_s, 0);
248 		if (wpa_s->wpa_state == WPA_SCANNING)
249 			wpa_supplicant_set_state(wpa_s,
250 						 wpa_s->scan_prev_wpa_state);
251 		wpa_msg(wpa_s, MSG_INFO, WPA_EVENT_SCAN_FAILED "ret=%d%s",
252 			ret, retry ? " retry=1" : "");
253 		radio_work_done(work);
254 
255 		if (retry) {
256 			/* Restore scan_req since we will try to scan again */
257 			wpa_s->scan_req = wpa_s->last_scan_req;
258 			wpa_supplicant_req_scan(wpa_s, 1, 0);
259 		} else if (wpa_s->scan_res_handler) {
260 			/* Clear the scan_res_handler */
261 			wpa_s->scan_res_handler = NULL;
262 		}
263 
264 #ifndef CONFIG_NO_RRM
265 		if (wpa_s->beacon_rep_data.token)
266 			wpas_rrm_refuse_request(wpa_s);
267 #endif /* CONFIG_NO_RRM */
268 
269 		return;
270 	}
271 
272 	os_get_reltime(&wpa_s->scan_trigger_time);
273 	wpa_s->scan_runs++;
274 	wpa_s->normal_scans++;
275 	wpa_s->own_scan_requested = 1;
276 	wpa_s->clear_driver_scan_cache = 0;
277 	wpa_s->scan_work = work;
278 }
279 
280 
281 /**
282  * wpa_supplicant_trigger_scan - Request driver to start a scan
283  * @wpa_s: Pointer to wpa_supplicant data
284  * @params: Scan parameters
285  * @default_ies: Whether or not to use the default IEs in the Probe Request
286  * frames. Note that this will free any existing IEs set in @params, so this
287  * shouldn't be set if the IEs have already been set with
288  * wpa_supplicant_extra_ies(). Otherwise, wpabuf_free() will lead to a
289  * double-free.
290  * @next: Whether or not to perform this scan as the next radio work
291  * Returns: 0 on success, -1 on failure
292  */
293 int wpa_supplicant_trigger_scan(struct wpa_supplicant *wpa_s,
294 				struct wpa_driver_scan_params *params,
295 				bool default_ies, bool next)
296 {
297 	struct wpa_driver_scan_params *ctx;
298 	struct wpabuf *ies = NULL;
299 
300 	if (wpa_s->scan_work) {
301 		wpa_dbg(wpa_s, MSG_INFO, "Reject scan trigger since one is already pending");
302 		return -1;
303 	}
304 
305 	if (default_ies) {
306 		if (params->extra_ies_len) {
307 			os_free((u8 *) params->extra_ies);
308 			params->extra_ies = NULL;
309 			params->extra_ies_len = 0;
310 		}
311 		ies = wpa_supplicant_extra_ies(wpa_s);
312 		if (ies) {
313 			params->extra_ies = wpabuf_head(ies);
314 			params->extra_ies_len = wpabuf_len(ies);
315 		}
316 	}
317 	ctx = wpa_scan_clone_params(params);
318 	if (ies) {
319 		wpabuf_free(ies);
320 		params->extra_ies = NULL;
321 		params->extra_ies_len = 0;
322 	}
323 	wpa_s->last_scan_all_chan = !params->freqs;
324 	wpa_s->last_scan_non_coloc_6ghz = params->non_coloc_6ghz;
325 
326 	if (wpa_s->crossed_6ghz_dom) {
327 		wpa_printf(MSG_DEBUG, "First scan after crossing 6 GHz domain");
328 		wpa_s->crossed_6ghz_dom = false;
329 	}
330 
331 	if (!ctx ||
332 	    radio_add_work(wpa_s, 0, "scan", next, wpas_trigger_scan_cb,
333 			   ctx) < 0) {
334 		wpa_scan_free_params(ctx);
335 		wpa_msg(wpa_s, MSG_INFO, WPA_EVENT_SCAN_FAILED "ret=-1");
336 		return -1;
337 	}
338 
339 	wpa_s->wps_scan_done = false;
340 
341 	return 0;
342 }
343 
344 
345 static void
346 wpa_supplicant_delayed_sched_scan_timeout(void *eloop_ctx, void *timeout_ctx)
347 {
348 	struct wpa_supplicant *wpa_s = eloop_ctx;
349 
350 	wpa_dbg(wpa_s, MSG_DEBUG, "Starting delayed sched scan");
351 
352 	if (wpa_supplicant_req_sched_scan(wpa_s))
353 		wpa_supplicant_req_scan(wpa_s, 0, 0);
354 }
355 
356 
357 static void
358 wpa_supplicant_sched_scan_timeout(void *eloop_ctx, void *timeout_ctx)
359 {
360 	struct wpa_supplicant *wpa_s = eloop_ctx;
361 
362 	wpa_dbg(wpa_s, MSG_DEBUG, "Sched scan timeout - stopping it");
363 
364 	wpa_s->sched_scan_timed_out = 1;
365 	wpa_supplicant_cancel_sched_scan(wpa_s);
366 }
367 
368 
369 static int
370 wpa_supplicant_start_sched_scan(struct wpa_supplicant *wpa_s,
371 				struct wpa_driver_scan_params *params)
372 {
373 	int ret;
374 
375 	wpa_supplicant_notify_scanning(wpa_s, 1);
376 	ret = wpa_drv_sched_scan(wpa_s, params);
377 	if (ret)
378 		wpa_supplicant_notify_scanning(wpa_s, 0);
379 	else
380 		wpa_s->sched_scanning = 1;
381 
382 	return ret;
383 }
384 
385 
386 static int wpa_supplicant_stop_sched_scan(struct wpa_supplicant *wpa_s)
387 {
388 	int ret;
389 
390 	ret = wpa_drv_stop_sched_scan(wpa_s);
391 	if (ret) {
392 		wpa_dbg(wpa_s, MSG_DEBUG, "stopping sched_scan failed!");
393 		/* TODO: what to do if stopping fails? */
394 		return -1;
395 	}
396 
397 	return ret;
398 }
399 
400 
401 static struct wpa_driver_scan_filter *
402 wpa_supplicant_build_filter_ssids(struct wpa_config *conf, size_t *num_ssids)
403 {
404 	struct wpa_driver_scan_filter *ssids;
405 	struct wpa_ssid *ssid;
406 	size_t count;
407 
408 	*num_ssids = 0;
409 	if (!conf->filter_ssids)
410 		return NULL;
411 
412 	for (count = 0, ssid = conf->ssid; ssid; ssid = ssid->next) {
413 		if (ssid->ssid && ssid->ssid_len)
414 			count++;
415 	}
416 	if (count == 0)
417 		return NULL;
418 	ssids = os_calloc(count, sizeof(struct wpa_driver_scan_filter));
419 	if (ssids == NULL)
420 		return NULL;
421 
422 	for (ssid = conf->ssid; ssid; ssid = ssid->next) {
423 		if (!ssid->ssid || !ssid->ssid_len)
424 			continue;
425 		os_memcpy(ssids[*num_ssids].ssid, ssid->ssid, ssid->ssid_len);
426 		ssids[*num_ssids].ssid_len = ssid->ssid_len;
427 		(*num_ssids)++;
428 	}
429 
430 	return ssids;
431 }
432 
433 
434 static void wpa_supplicant_optimize_freqs(
435 	struct wpa_supplicant *wpa_s, struct wpa_driver_scan_params *params)
436 {
437 #ifdef CONFIG_P2P
438 	if (params->freqs == NULL && wpa_s->p2p_in_provisioning &&
439 	    wpa_s->go_params) {
440 		/* Optimize provisioning state scan based on GO information */
441 		if (wpa_s->p2p_in_provisioning < 5 &&
442 		    wpa_s->go_params->freq > 0) {
443 			wpa_dbg(wpa_s, MSG_DEBUG, "P2P: Scan only GO "
444 				"preferred frequency %d MHz",
445 				wpa_s->go_params->freq);
446 			params->freqs = os_calloc(2, sizeof(int));
447 			if (params->freqs)
448 				params->freqs[0] = wpa_s->go_params->freq;
449 		} else if (wpa_s->p2p_in_provisioning < 8 &&
450 			   wpa_s->go_params->freq_list[0]) {
451 			wpa_dbg(wpa_s, MSG_DEBUG, "P2P: Scan only common "
452 				"channels");
453 			int_array_concat(&params->freqs,
454 					 wpa_s->go_params->freq_list);
455 			if (params->freqs)
456 				int_array_sort_unique(params->freqs);
457 		}
458 		wpa_s->p2p_in_provisioning++;
459 	}
460 
461 	if (params->freqs == NULL && wpa_s->p2p_in_invitation) {
462 		struct wpa_ssid *ssid = wpa_s->current_ssid;
463 
464 		/*
465 		 * Perform a single-channel scan if the GO has already been
466 		 * discovered on another non-P2P interface. Note that a scan
467 		 * initiated by a P2P interface (e.g., the device interface)
468 		 * should already have sufficient IEs and scan results will be
469 		 * fetched on interface creation in that case.
470 		 */
471 		if (wpa_s->p2p_in_invitation == 1 && ssid) {
472 			struct wpa_supplicant *ifs;
473 			struct wpa_bss *bss = NULL;
474 			const u8 *bssid = ssid->bssid_set ? ssid->bssid : NULL;
475 
476 			dl_list_for_each(ifs, &wpa_s->radio->ifaces,
477 					 struct wpa_supplicant, radio_list) {
478 				bss = wpa_bss_get(ifs, bssid, ssid->ssid,
479 						  ssid->ssid_len);
480 				if (bss)
481 					break;
482 			}
483 			if (bss && !disabled_freq(wpa_s, bss->freq)) {
484 				params->freqs = os_calloc(2, sizeof(int));
485 				if (params->freqs) {
486 					wpa_dbg(wpa_s, MSG_DEBUG,
487 						"P2P: Scan only the known GO frequency %d MHz during invitation",
488 						bss->freq);
489 					params->freqs[0] = bss->freq;
490 				}
491 			}
492 		}
493 
494 		/*
495 		 * Optimize scan based on GO information during persistent
496 		 * group reinvocation
497 		 */
498 		if (!params->freqs && wpa_s->p2p_in_invitation < 5 &&
499 		    wpa_s->p2p_invite_go_freq > 0) {
500 			if (wpa_s->p2p_invite_go_freq == 2 ||
501 			    wpa_s->p2p_invite_go_freq == 5) {
502 				enum hostapd_hw_mode mode;
503 
504 				wpa_dbg(wpa_s, MSG_DEBUG,
505 					"P2P: Scan only GO preferred band %d GHz during invitation",
506 					wpa_s->p2p_invite_go_freq);
507 
508 				if (!wpa_s->hw.modes)
509 					return;
510 				mode = wpa_s->p2p_invite_go_freq == 5 ?
511 					HOSTAPD_MODE_IEEE80211A :
512 					HOSTAPD_MODE_IEEE80211G;
513 				if (wpa_s->p2p_in_invitation <= 2)
514 					wpa_add_scan_freqs_list(wpa_s, mode,
515 								params, false,
516 								false, true);
517 				if (!params->freqs || params->freqs[0] == 0)
518 					wpa_add_scan_freqs_list(wpa_s, mode,
519 								params, false,
520 								false, false);
521 			} else {
522 				wpa_dbg(wpa_s, MSG_DEBUG,
523 					"P2P: Scan only GO preferred frequency %d MHz during invitation",
524 					wpa_s->p2p_invite_go_freq);
525 				params->freqs = os_calloc(2, sizeof(int));
526 				if (params->freqs)
527 					params->freqs[0] =
528 					    wpa_s->p2p_invite_go_freq;
529 			}
530 		}
531 		wpa_s->p2p_in_invitation++;
532 		if (wpa_s->p2p_in_invitation > 20) {
533 			/*
534 			 * This should not really happen since the variable is
535 			 * cleared on group removal, but if it does happen, make
536 			 * sure we do not get stuck in special invitation scan
537 			 * mode.
538 			 */
539 			wpa_dbg(wpa_s, MSG_DEBUG, "P2P: Clear p2p_in_invitation");
540 			wpa_s->p2p_in_invitation = 0;
541 			wpa_s->p2p_retry_limit = 0;
542 		}
543 	}
544 #endif /* CONFIG_P2P */
545 
546 #ifdef CONFIG_WPS
547 	if (params->freqs == NULL && wpa_s->after_wps && wpa_s->wps_freq) {
548 		/*
549 		 * Optimize post-provisioning scan based on channel used
550 		 * during provisioning.
551 		 */
552 		wpa_dbg(wpa_s, MSG_DEBUG, "WPS: Scan only frequency %u MHz "
553 			"that was used during provisioning", wpa_s->wps_freq);
554 		params->freqs = os_calloc(2, sizeof(int));
555 		if (params->freqs)
556 			params->freqs[0] = wpa_s->wps_freq;
557 		wpa_s->after_wps--;
558 	} else if (wpa_s->after_wps)
559 		wpa_s->after_wps--;
560 
561 	if (params->freqs == NULL && wpa_s->known_wps_freq && wpa_s->wps_freq)
562 	{
563 		/* Optimize provisioning scan based on already known channel */
564 		wpa_dbg(wpa_s, MSG_DEBUG, "WPS: Scan only frequency %u MHz",
565 			wpa_s->wps_freq);
566 		params->freqs = os_calloc(2, sizeof(int));
567 		if (params->freqs)
568 			params->freqs[0] = wpa_s->wps_freq;
569 		wpa_s->known_wps_freq = 0; /* only do this once */
570 	}
571 #endif /* CONFIG_WPS */
572 }
573 
574 
575 #ifdef CONFIG_INTERWORKING
576 static void wpas_add_interworking_elements(struct wpa_supplicant *wpa_s,
577 					   struct wpabuf *buf)
578 {
579 	wpabuf_put_u8(buf, WLAN_EID_INTERWORKING);
580 	wpabuf_put_u8(buf, is_zero_ether_addr(wpa_s->conf->hessid) ? 1 :
581 		      1 + ETH_ALEN);
582 	wpabuf_put_u8(buf, wpa_s->conf->access_network_type);
583 	/* No Venue Info */
584 	if (!is_zero_ether_addr(wpa_s->conf->hessid))
585 		wpabuf_put_data(buf, wpa_s->conf->hessid, ETH_ALEN);
586 }
587 #endif /* CONFIG_INTERWORKING */
588 
589 
590 #ifdef CONFIG_MBO
591 static void wpas_fils_req_param_add_max_channel(struct wpa_supplicant *wpa_s,
592 						struct wpabuf **ie)
593 {
594 	if (wpabuf_resize(ie, 5)) {
595 		wpa_printf(MSG_DEBUG,
596 			   "Failed to allocate space for FILS Request Parameters element");
597 		return;
598 	}
599 
600 	/* FILS Request Parameters element */
601 	wpabuf_put_u8(*ie, WLAN_EID_EXTENSION);
602 	wpabuf_put_u8(*ie, 3); /* FILS Request attribute length */
603 	wpabuf_put_u8(*ie, WLAN_EID_EXT_FILS_REQ_PARAMS);
604 	/* Parameter control bitmap */
605 	wpabuf_put_u8(*ie, 0);
606 	/* Max Channel Time field - contains the value of MaxChannelTime
607 	 * parameter of the MLME-SCAN.request primitive represented in units of
608 	 * TUs, as an unsigned integer. A Max Channel Time field value of 255
609 	 * is used to indicate any duration of more than 254 TUs, or an
610 	 * unspecified or unknown duration. (IEEE Std 802.11ai-2016, 9.4.2.178)
611 	 */
612 	wpabuf_put_u8(*ie, 255);
613 }
614 #endif /* CONFIG_MBO */
615 
616 
617 void wpa_supplicant_set_default_scan_ies(struct wpa_supplicant *wpa_s)
618 {
619 	struct wpabuf *default_ies = NULL;
620 	u8 ext_capab[18];
621 	int ext_capab_len, frame_id;
622 	enum wpa_driver_if_type type = WPA_IF_STATION;
623 
624 #ifdef CONFIG_P2P
625 	if (wpa_s->p2p_group_interface == P2P_GROUP_INTERFACE_CLIENT)
626 		type = WPA_IF_P2P_CLIENT;
627 #endif /* CONFIG_P2P */
628 
629 	wpa_drv_get_ext_capa(wpa_s, type);
630 
631 	ext_capab_len = wpas_build_ext_capab(wpa_s, ext_capab,
632 					     sizeof(ext_capab), NULL);
633 	if (ext_capab_len > 0 &&
634 	    wpabuf_resize(&default_ies, ext_capab_len) == 0)
635 		wpabuf_put_data(default_ies, ext_capab, ext_capab_len);
636 
637 #ifdef CONFIG_MBO
638 	if (wpa_s->enable_oce & OCE_STA)
639 		wpas_fils_req_param_add_max_channel(wpa_s, &default_ies);
640 	/* Send MBO and OCE capabilities */
641 	if (wpabuf_resize(&default_ies, 12) == 0)
642 		wpas_mbo_scan_ie(wpa_s, default_ies);
643 #endif /* CONFIG_MBO */
644 
645 	if (type == WPA_IF_P2P_CLIENT)
646 		frame_id = VENDOR_ELEM_PROBE_REQ_P2P;
647 	else
648 		frame_id = VENDOR_ELEM_PROBE_REQ;
649 
650 	if (wpa_s->vendor_elem[frame_id]) {
651 		size_t len;
652 
653 		len = wpabuf_len(wpa_s->vendor_elem[frame_id]);
654 		if (len > 0 && wpabuf_resize(&default_ies, len) == 0)
655 			wpabuf_put_buf(default_ies,
656 				       wpa_s->vendor_elem[frame_id]);
657 	}
658 
659 	if (default_ies)
660 		wpa_drv_set_default_scan_ies(wpa_s, wpabuf_head(default_ies),
661 					     wpabuf_len(default_ies));
662 	wpabuf_free(default_ies);
663 }
664 
665 
666 static struct wpabuf * wpa_supplicant_ml_probe_ie(int mld_id, u16 links)
667 {
668 	struct wpabuf *extra_ie;
669 	u16 control = MULTI_LINK_CONTROL_TYPE_PROBE_REQ;
670 	size_t len = 3 + 4 + 4 * MAX_NUM_MLD_LINKS;
671 	u8 link_id;
672 	u8 *len_pos;
673 
674 	if (mld_id >= 0) {
675 		control |= EHT_ML_PRES_BM_PROBE_REQ_AP_MLD_ID;
676 		len++;
677 	}
678 
679 	extra_ie = wpabuf_alloc(len);
680 	if (!extra_ie)
681 		return NULL;
682 
683 	wpabuf_put_u8(extra_ie, WLAN_EID_EXTENSION);
684 	len_pos = wpabuf_put(extra_ie, 1);
685 	wpabuf_put_u8(extra_ie, WLAN_EID_EXT_MULTI_LINK);
686 
687 	wpabuf_put_le16(extra_ie, control);
688 
689 	/* common info length and MLD ID (if requested) */
690 	if (mld_id >= 0) {
691 		wpabuf_put_u8(extra_ie, 2);
692 		wpabuf_put_u8(extra_ie, mld_id);
693 
694 		wpa_printf(MSG_DEBUG, "MLD: ML probe targeted at MLD ID %d",
695 			   mld_id);
696 	} else {
697 		wpabuf_put_u8(extra_ie, 1);
698 
699 		wpa_printf(MSG_DEBUG, "MLD: ML probe targeted at receiving AP");
700 	}
701 
702 	if (!links)
703 		wpa_printf(MSG_DEBUG, "MLD: Probing all links");
704 	else
705 		wpa_printf(MSG_DEBUG, "MLD: Probing links 0x%04x", links);
706 
707 	for_each_link(links, link_id) {
708 		wpabuf_put_u8(extra_ie, EHT_ML_SUB_ELEM_PER_STA_PROFILE);
709 
710 		/* Subelement length includes only the control */
711 		wpabuf_put_u8(extra_ie, 2);
712 
713 		control = link_id | EHT_PER_STA_CTRL_COMPLETE_PROFILE_MSK;
714 
715 		wpabuf_put_le16(extra_ie, control);
716 	}
717 
718 	*len_pos = (u8 *) wpabuf_put(extra_ie, 0) - len_pos - 1;
719 
720 	return extra_ie;
721 }
722 
723 
724 static struct wpabuf * wpa_supplicant_extra_ies(struct wpa_supplicant *wpa_s)
725 {
726 	struct wpabuf *extra_ie = NULL;
727 	u8 ext_capab[18];
728 	int ext_capab_len;
729 #ifdef CONFIG_WPS
730 	int wps = 0;
731 	enum wps_request_type req_type = WPS_REQ_ENROLLEE_INFO;
732 #endif /* CONFIG_WPS */
733 
734 	if (!is_zero_ether_addr(wpa_s->ml_probe_bssid)) {
735 		extra_ie = wpa_supplicant_ml_probe_ie(wpa_s->ml_probe_mld_id,
736 						      wpa_s->ml_probe_links);
737 
738 		/* No other elements should be included in the probe request */
739 		wpa_printf(MSG_DEBUG, "MLD: Scan including only ML element");
740 		return extra_ie;
741 	}
742 
743 #ifdef CONFIG_P2P
744 	if (wpa_s->p2p_group_interface == P2P_GROUP_INTERFACE_CLIENT)
745 		wpa_drv_get_ext_capa(wpa_s, WPA_IF_P2P_CLIENT);
746 	else
747 #endif /* CONFIG_P2P */
748 		wpa_drv_get_ext_capa(wpa_s, WPA_IF_STATION);
749 
750 	ext_capab_len = wpas_build_ext_capab(wpa_s, ext_capab,
751 					     sizeof(ext_capab), NULL);
752 	if (ext_capab_len > 0 &&
753 	    wpabuf_resize(&extra_ie, ext_capab_len) == 0)
754 		wpabuf_put_data(extra_ie, ext_capab, ext_capab_len);
755 
756 #ifdef CONFIG_INTERWORKING
757 	if (wpa_s->conf->interworking &&
758 	    wpabuf_resize(&extra_ie, 100) == 0)
759 		wpas_add_interworking_elements(wpa_s, extra_ie);
760 #endif /* CONFIG_INTERWORKING */
761 
762 #ifdef CONFIG_MBO
763 	if (wpa_s->enable_oce & OCE_STA)
764 		wpas_fils_req_param_add_max_channel(wpa_s, &extra_ie);
765 #endif /* CONFIG_MBO */
766 
767 #ifdef CONFIG_WPS
768 	wps = wpas_wps_in_use(wpa_s, &req_type);
769 
770 	if (wps) {
771 		struct wpabuf *wps_ie;
772 		wps_ie = wps_build_probe_req_ie(wps == 2 ? DEV_PW_PUSHBUTTON :
773 						DEV_PW_DEFAULT,
774 						&wpa_s->wps->dev,
775 						wpa_s->wps->uuid, req_type,
776 						0, NULL);
777 		if (wps_ie) {
778 			if (wpabuf_resize(&extra_ie, wpabuf_len(wps_ie)) == 0)
779 				wpabuf_put_buf(extra_ie, wps_ie);
780 			wpabuf_free(wps_ie);
781 		}
782 	}
783 
784 #ifdef CONFIG_P2P
785 	if (wps) {
786 		size_t ielen = p2p_scan_ie_buf_len(wpa_s->global->p2p);
787 		if (wpabuf_resize(&extra_ie, ielen) == 0)
788 			wpas_p2p_scan_ie(wpa_s, extra_ie);
789 	}
790 #endif /* CONFIG_P2P */
791 
792 	wpa_supplicant_mesh_add_scan_ie(wpa_s, &extra_ie);
793 
794 #endif /* CONFIG_WPS */
795 
796 #ifdef CONFIG_HS20
797 	if (wpa_s->conf->hs20 && wpabuf_resize(&extra_ie, 9) == 0)
798 		wpas_hs20_add_indication(extra_ie, -1, 0);
799 #endif /* CONFIG_HS20 */
800 
801 #ifdef CONFIG_FST
802 	if (wpa_s->fst_ies &&
803 	    wpabuf_resize(&extra_ie, wpabuf_len(wpa_s->fst_ies)) == 0)
804 		wpabuf_put_buf(extra_ie, wpa_s->fst_ies);
805 #endif /* CONFIG_FST */
806 
807 #ifdef CONFIG_MBO
808 	/* Send MBO and OCE capabilities */
809 	if (wpabuf_resize(&extra_ie, 12) == 0)
810 		wpas_mbo_scan_ie(wpa_s, extra_ie);
811 #endif /* CONFIG_MBO */
812 
813 	if (wpa_s->vendor_elem[VENDOR_ELEM_PROBE_REQ]) {
814 		struct wpabuf *buf = wpa_s->vendor_elem[VENDOR_ELEM_PROBE_REQ];
815 
816 		if (wpabuf_resize(&extra_ie, wpabuf_len(buf)) == 0)
817 			wpabuf_put_buf(extra_ie, buf);
818 	}
819 
820 	return extra_ie;
821 }
822 
823 
824 #ifdef CONFIG_P2P
825 
826 /*
827  * Check whether there are any enabled networks or credentials that could be
828  * used for a non-P2P connection.
829  */
830 static int non_p2p_network_enabled(struct wpa_supplicant *wpa_s)
831 {
832 	struct wpa_ssid *ssid;
833 
834 	for (ssid = wpa_s->conf->ssid; ssid; ssid = ssid->next) {
835 		if (wpas_network_disabled(wpa_s, ssid))
836 			continue;
837 		if (!ssid->p2p_group)
838 			return 1;
839 	}
840 
841 	if (wpa_s->conf->cred && wpa_s->conf->interworking &&
842 	    wpa_s->conf->auto_interworking)
843 		return 1;
844 
845 	return 0;
846 }
847 
848 #endif /* CONFIG_P2P */
849 
850 
851 int wpa_add_scan_freqs_list(struct wpa_supplicant *wpa_s,
852 			    enum hostapd_hw_mode band,
853 			    struct wpa_driver_scan_params *params,
854 			    bool is_6ghz, bool only_6ghz_psc,
855 			    bool exclude_radar)
856 {
857 	/* Include only supported channels for the specified band */
858 	struct hostapd_hw_modes *mode;
859 	int num_chans = 0;
860 	int *freqs, i;
861 
862 	mode = get_mode(wpa_s->hw.modes, wpa_s->hw.num_modes, band, is_6ghz);
863 	if (!mode || !mode->num_channels)
864 		return -1;
865 
866 	if (params->freqs) {
867 		while (params->freqs[num_chans])
868 			num_chans++;
869 	}
870 
871 	freqs = os_realloc(params->freqs,
872 			   (num_chans + mode->num_channels + 1) * sizeof(int));
873 	if (!freqs)
874 		return -1;
875 
876 	params->freqs = freqs;
877 	for (i = 0; i < mode->num_channels; i++) {
878 		if (mode->channels[i].flag & HOSTAPD_CHAN_DISABLED)
879 			continue;
880 		if (exclude_radar &&
881 		    (mode->channels[i].flag & HOSTAPD_CHAN_RADAR))
882 			continue;
883 
884 		if (is_6ghz && only_6ghz_psc &&
885 		    !is_6ghz_psc_frequency(mode->channels[i].freq))
886 			continue;
887 
888 		params->freqs[num_chans++] = mode->channels[i].freq;
889 	}
890 	params->freqs[num_chans] = 0;
891 
892 	return 0;
893 }
894 
895 
896 static void wpa_setband_scan_freqs(struct wpa_supplicant *wpa_s,
897 				   struct wpa_driver_scan_params *params)
898 {
899 	if (wpa_s->hw.modes == NULL)
900 		return; /* unknown what channels the driver supports */
901 	if (params->freqs)
902 		return; /* already using a limited channel set */
903 
904 	if (wpa_s->setband_mask & WPA_SETBAND_5G)
905 		wpa_add_scan_freqs_list(wpa_s, HOSTAPD_MODE_IEEE80211A, params,
906 					false, false, false);
907 	if (wpa_s->setband_mask & WPA_SETBAND_2G)
908 		wpa_add_scan_freqs_list(wpa_s, HOSTAPD_MODE_IEEE80211G, params,
909 					false, false, false);
910 	if (wpa_s->setband_mask & WPA_SETBAND_6G)
911 		wpa_add_scan_freqs_list(wpa_s, HOSTAPD_MODE_IEEE80211A, params,
912 					true, false, false);
913 }
914 
915 
916 static void wpa_add_scan_ssid(struct wpa_supplicant *wpa_s,
917 			      struct wpa_driver_scan_params *params,
918 			      size_t max_ssids, const u8 *ssid, size_t ssid_len)
919 {
920 	unsigned int j;
921 
922 	for (j = 0; j < params->num_ssids; j++) {
923 		if (params->ssids[j].ssid_len == ssid_len &&
924 		    params->ssids[j].ssid &&
925 		    os_memcmp(params->ssids[j].ssid, ssid, ssid_len) == 0)
926 			return; /* already in the list */
927 	}
928 
929 	if (params->num_ssids + 1 > max_ssids) {
930 		wpa_printf(MSG_DEBUG, "Over max scan SSIDs for manual request");
931 		return;
932 	}
933 
934 	wpa_printf(MSG_DEBUG, "Scan SSID (manual request): %s",
935 		   wpa_ssid_txt(ssid, ssid_len));
936 
937 	params->ssids[params->num_ssids].ssid = ssid;
938 	params->ssids[params->num_ssids].ssid_len = ssid_len;
939 	params->num_ssids++;
940 }
941 
942 
943 static void wpa_add_owe_scan_ssid(struct wpa_supplicant *wpa_s,
944 				  struct wpa_driver_scan_params *params,
945 				  struct wpa_ssid *ssid, size_t max_ssids)
946 {
947 #ifdef CONFIG_OWE
948 	struct wpa_bss *bss;
949 
950 	if (!(ssid->key_mgmt & WPA_KEY_MGMT_OWE))
951 		return;
952 
953 	wpa_printf(MSG_DEBUG, "OWE: Look for transition mode AP. ssid=%s",
954 		   wpa_ssid_txt(ssid->ssid, ssid->ssid_len));
955 
956 	dl_list_for_each(bss, &wpa_s->bss, struct wpa_bss, list) {
957 		const u8 *owe, *pos, *end;
958 		const u8 *owe_ssid;
959 		size_t owe_ssid_len;
960 
961 		if (bss->ssid_len != ssid->ssid_len ||
962 		    os_memcmp(bss->ssid, ssid->ssid, ssid->ssid_len) != 0)
963 			continue;
964 
965 		owe = wpa_bss_get_vendor_ie(bss, OWE_IE_VENDOR_TYPE);
966 		if (!owe || owe[1] < 4)
967 			continue;
968 
969 		pos = owe + 6;
970 		end = owe + 2 + owe[1];
971 
972 		/* Must include BSSID and ssid_len */
973 		if (end - pos < ETH_ALEN + 1)
974 			return;
975 
976 		/* Skip BSSID */
977 		pos += ETH_ALEN;
978 		owe_ssid_len = *pos++;
979 		owe_ssid = pos;
980 
981 		if ((size_t) (end - pos) < owe_ssid_len ||
982 		    owe_ssid_len > SSID_MAX_LEN)
983 			return;
984 
985 		wpa_printf(MSG_DEBUG,
986 			   "OWE: scan_ssids: transition mode OWE ssid=%s",
987 			   wpa_ssid_txt(owe_ssid, owe_ssid_len));
988 
989 		wpa_add_scan_ssid(wpa_s, params, max_ssids,
990 				  owe_ssid, owe_ssid_len);
991 		return;
992 	}
993 #endif /* CONFIG_OWE */
994 }
995 
996 
997 static void wpa_set_scan_ssids(struct wpa_supplicant *wpa_s,
998 			       struct wpa_driver_scan_params *params,
999 			       size_t max_ssids)
1000 {
1001 	unsigned int i;
1002 	struct wpa_ssid *ssid;
1003 
1004 	/*
1005 	 * For devices with max_ssids greater than 1, leave the last slot empty
1006 	 * for adding the wildcard scan entry.
1007 	 */
1008 	max_ssids = max_ssids > 1 ? max_ssids - 1 : max_ssids;
1009 
1010 	for (i = 0; i < wpa_s->scan_id_count; i++) {
1011 		ssid = wpa_config_get_network(wpa_s->conf, wpa_s->scan_id[i]);
1012 		if (!ssid)
1013 			continue;
1014 		if (ssid->scan_ssid)
1015 			wpa_add_scan_ssid(wpa_s, params, max_ssids,
1016 					  ssid->ssid, ssid->ssid_len);
1017 		/*
1018 		 * Also add the SSID of the OWE BSS, to allow discovery of
1019 		 * transition mode APs more quickly.
1020 		 */
1021 		wpa_add_owe_scan_ssid(wpa_s, params, ssid, max_ssids);
1022 	}
1023 
1024 	wpa_s->scan_id_count = 0;
1025 }
1026 
1027 
1028 static int wpa_set_ssids_from_scan_req(struct wpa_supplicant *wpa_s,
1029 				       struct wpa_driver_scan_params *params,
1030 				       size_t max_ssids)
1031 {
1032 	unsigned int i;
1033 
1034 	if (wpa_s->ssids_from_scan_req == NULL ||
1035 	    wpa_s->num_ssids_from_scan_req == 0)
1036 		return 0;
1037 
1038 	if (wpa_s->num_ssids_from_scan_req > max_ssids) {
1039 		wpa_s->num_ssids_from_scan_req = max_ssids;
1040 		wpa_printf(MSG_DEBUG, "Over max scan SSIDs from scan req: %u",
1041 			   (unsigned int) max_ssids);
1042 	}
1043 
1044 	for (i = 0; i < wpa_s->num_ssids_from_scan_req; i++) {
1045 		params->ssids[i].ssid = wpa_s->ssids_from_scan_req[i].ssid;
1046 		params->ssids[i].ssid_len =
1047 			wpa_s->ssids_from_scan_req[i].ssid_len;
1048 		wpa_hexdump_ascii(MSG_DEBUG, "specific SSID",
1049 				  params->ssids[i].ssid,
1050 				  params->ssids[i].ssid_len);
1051 	}
1052 
1053 	params->num_ssids = wpa_s->num_ssids_from_scan_req;
1054 	wpa_s->num_ssids_from_scan_req = 0;
1055 	return 1;
1056 }
1057 
1058 
1059 static void wpa_supplicant_scan(void *eloop_ctx, void *timeout_ctx)
1060 {
1061 	struct wpa_supplicant *wpa_s = eloop_ctx;
1062 	struct wpa_ssid *ssid;
1063 	int ret, p2p_in_prog;
1064 	struct wpabuf *extra_ie = NULL;
1065 	struct wpa_driver_scan_params params;
1066 	struct wpa_driver_scan_params *scan_params;
1067 	size_t max_ssids;
1068 	int connect_without_scan = 0;
1069 
1070 	wpa_s->ignore_post_flush_scan_res = 0;
1071 
1072 	if (wpa_s->wpa_state == WPA_INTERFACE_DISABLED) {
1073 		wpa_dbg(wpa_s, MSG_DEBUG, "Skip scan - interface disabled");
1074 		return;
1075 	}
1076 
1077 	if (wpa_s->disconnected && wpa_s->scan_req == NORMAL_SCAN_REQ) {
1078 		wpa_dbg(wpa_s, MSG_DEBUG, "Disconnected - do not scan");
1079 		wpa_supplicant_set_state(wpa_s, WPA_DISCONNECTED);
1080 		return;
1081 	}
1082 
1083 	if (wpa_s->scanning) {
1084 		/*
1085 		 * If we are already in scanning state, we shall reschedule the
1086 		 * the incoming scan request.
1087 		 */
1088 		wpa_dbg(wpa_s, MSG_DEBUG, "Already scanning - Reschedule the incoming scan req");
1089 		wpa_supplicant_req_scan(wpa_s, 1, 0);
1090 		return;
1091 	}
1092 
1093 	if (!wpa_supplicant_enabled_networks(wpa_s) &&
1094 	    wpa_s->scan_req == NORMAL_SCAN_REQ) {
1095 		wpa_dbg(wpa_s, MSG_DEBUG, "No enabled networks - do not scan");
1096 		wpa_supplicant_set_state(wpa_s, WPA_INACTIVE);
1097 		return;
1098 	}
1099 
1100 	if (wpa_s->conf->ap_scan != 0 &&
1101 	    (wpa_s->drv_flags & WPA_DRIVER_FLAGS_WIRED)) {
1102 		wpa_dbg(wpa_s, MSG_DEBUG, "Using wired authentication - "
1103 			"overriding ap_scan configuration");
1104 		wpa_s->conf->ap_scan = 0;
1105 		wpas_notify_ap_scan_changed(wpa_s);
1106 	}
1107 
1108 	if (wpa_s->conf->ap_scan == 0) {
1109 		wpa_supplicant_gen_assoc_event(wpa_s);
1110 		return;
1111 	}
1112 
1113 	ssid = NULL;
1114 	if (wpa_s->scan_req != MANUAL_SCAN_REQ &&
1115 	    wpa_s->connect_without_scan) {
1116 		connect_without_scan = 1;
1117 		for (ssid = wpa_s->conf->ssid; ssid; ssid = ssid->next) {
1118 			if (ssid == wpa_s->connect_without_scan)
1119 				break;
1120 		}
1121 	}
1122 
1123 	p2p_in_prog = wpas_p2p_in_progress(wpa_s);
1124 	if (p2p_in_prog && p2p_in_prog != 2 &&
1125 	    (!ssid ||
1126 	     (ssid->mode != WPAS_MODE_AP && ssid->mode != WPAS_MODE_P2P_GO))) {
1127 		wpa_dbg(wpa_s, MSG_DEBUG, "Delay station mode scan while P2P operation is in progress");
1128 		wpa_supplicant_req_scan(wpa_s, 5, 0);
1129 		return;
1130 	}
1131 
1132 	/*
1133 	 * Don't cancel the scan based on ongoing PNO; defer it. Some scans are
1134 	 * used for changing modes inside wpa_supplicant (roaming,
1135 	 * auto-reconnect, etc). Discarding the scan might hurt these processes.
1136 	 * The normal use case for PNO is to suspend the host immediately after
1137 	 * starting PNO, so the periodic 100 ms attempts to run the scan do not
1138 	 * normally happen in practice multiple times, i.e., this is simply
1139 	 * restarting scanning once the host is woken up and PNO stopped.
1140 	 */
1141 	if (wpa_s->pno || wpa_s->pno_sched_pending) {
1142 		wpa_dbg(wpa_s, MSG_DEBUG, "Defer scan - PNO is in progress");
1143 		wpa_supplicant_req_scan(wpa_s, 0, 100000);
1144 		return;
1145 	}
1146 
1147 	if (wpa_s->conf->ap_scan == 2)
1148 		max_ssids = 1;
1149 	else {
1150 		max_ssids = wpa_s->max_scan_ssids;
1151 		if (max_ssids > WPAS_MAX_SCAN_SSIDS)
1152 			max_ssids = WPAS_MAX_SCAN_SSIDS;
1153 	}
1154 
1155 	wpa_s->last_scan_req = wpa_s->scan_req;
1156 	wpa_s->scan_req = NORMAL_SCAN_REQ;
1157 
1158 	if (connect_without_scan) {
1159 		wpa_s->connect_without_scan = NULL;
1160 		if (ssid) {
1161 			wpa_printf(MSG_DEBUG, "Start a pre-selected network "
1162 				   "without scan step");
1163 			wpa_supplicant_associate(wpa_s, NULL, ssid);
1164 			return;
1165 		}
1166 	}
1167 
1168 	os_memset(&params, 0, sizeof(params));
1169 
1170 	wpa_s->scan_prev_wpa_state = wpa_s->wpa_state;
1171 	if (wpa_s->wpa_state == WPA_DISCONNECTED ||
1172 	    wpa_s->wpa_state == WPA_INACTIVE)
1173 		wpa_supplicant_set_state(wpa_s, WPA_SCANNING);
1174 
1175 	/*
1176 	 * If autoscan has set its own scanning parameters
1177 	 */
1178 	if (wpa_s->autoscan_params != NULL) {
1179 		scan_params = wpa_s->autoscan_params;
1180 		goto scan;
1181 	}
1182 
1183 	if (wpa_s->last_scan_req == MANUAL_SCAN_REQ &&
1184 	    wpa_set_ssids_from_scan_req(wpa_s, &params, max_ssids)) {
1185 		wpa_printf(MSG_DEBUG, "Use specific SSIDs from SCAN command");
1186 		goto ssid_list_set;
1187 	}
1188 
1189 #ifdef CONFIG_P2P
1190 	if ((wpa_s->p2p_in_provisioning || wpa_s->show_group_started) &&
1191 	    wpa_s->go_params && !wpa_s->conf->passive_scan) {
1192 		wpa_printf(MSG_DEBUG, "P2P: Use specific SSID for scan during P2P group formation (p2p_in_provisioning=%d show_group_started=%d)",
1193 			   wpa_s->p2p_in_provisioning,
1194 			   wpa_s->show_group_started);
1195 		params.ssids[0].ssid = wpa_s->go_params->ssid;
1196 		params.ssids[0].ssid_len = wpa_s->go_params->ssid_len;
1197 		params.num_ssids = 1;
1198 		params.bssid = wpa_s->go_params->peer_interface_addr;
1199 		wpa_printf(MSG_DEBUG, "P2P: Use specific BSSID " MACSTR
1200 			   " (peer interface address) for scan",
1201 			   MAC2STR(params.bssid));
1202 		goto ssid_list_set;
1203 	}
1204 
1205 	if (wpa_s->p2p_in_invitation) {
1206 		if (wpa_s->current_ssid) {
1207 			wpa_printf(MSG_DEBUG, "P2P: Use specific SSID for scan during invitation");
1208 			params.ssids[0].ssid = wpa_s->current_ssid->ssid;
1209 			params.ssids[0].ssid_len =
1210 				wpa_s->current_ssid->ssid_len;
1211 			params.num_ssids = 1;
1212 			if (wpa_s->current_ssid->bssid_set) {
1213 				params.bssid = wpa_s->current_ssid->bssid;
1214 				wpa_printf(MSG_DEBUG, "P2P: Use specific BSSID "
1215 					   MACSTR " for scan",
1216 					   MAC2STR(params.bssid));
1217 			}
1218 		} else {
1219 			wpa_printf(MSG_DEBUG, "P2P: No specific SSID known for scan during invitation");
1220 		}
1221 		goto ssid_list_set;
1222 	}
1223 #endif /* CONFIG_P2P */
1224 
1225 	/* Find the starting point from which to continue scanning */
1226 	ssid = wpa_s->conf->ssid;
1227 	if (wpa_s->prev_scan_ssid != WILDCARD_SSID_SCAN) {
1228 		while (ssid) {
1229 			if (ssid == wpa_s->prev_scan_ssid) {
1230 				ssid = ssid->next;
1231 				break;
1232 			}
1233 			ssid = ssid->next;
1234 		}
1235 	}
1236 
1237 	if (wpa_s->last_scan_req != MANUAL_SCAN_REQ &&
1238 #ifdef CONFIG_AP
1239 	    !wpa_s->ap_iface &&
1240 #endif /* CONFIG_AP */
1241 	    wpa_s->conf->ap_scan == 2) {
1242 		wpa_s->connect_without_scan = NULL;
1243 		wpa_s->prev_scan_wildcard = 0;
1244 		wpa_supplicant_assoc_try(wpa_s, ssid);
1245 		return;
1246 	} else if (wpa_s->conf->ap_scan == 2) {
1247 		/*
1248 		 * User-initiated scan request in ap_scan == 2; scan with
1249 		 * wildcard SSID.
1250 		 */
1251 		ssid = NULL;
1252 	} else if (wpa_s->reattach && wpa_s->current_ssid != NULL) {
1253 		/*
1254 		 * Perform single-channel single-SSID scan for
1255 		 * reassociate-to-same-BSS operation.
1256 		 */
1257 		/* Setup SSID */
1258 		ssid = wpa_s->current_ssid;
1259 		wpa_hexdump_ascii(MSG_DEBUG, "Scan SSID",
1260 				  ssid->ssid, ssid->ssid_len);
1261 		params.ssids[0].ssid = ssid->ssid;
1262 		params.ssids[0].ssid_len = ssid->ssid_len;
1263 		params.num_ssids = 1;
1264 
1265 		/*
1266 		 * Allocate memory for frequency array, allocate one extra
1267 		 * slot for the zero-terminator.
1268 		 */
1269 		params.freqs = os_malloc(sizeof(int) * 2);
1270 		if (params.freqs) {
1271 			params.freqs[0] = wpa_s->assoc_freq;
1272 			params.freqs[1] = 0;
1273 		}
1274 
1275 		/*
1276 		 * Reset the reattach flag so that we fall back to full scan if
1277 		 * this scan fails.
1278 		 */
1279 		wpa_s->reattach = 0;
1280 	} else {
1281 		struct wpa_ssid *start = ssid, *tssid;
1282 		int freqs_set = 0;
1283 		if (ssid == NULL && max_ssids > 1)
1284 			ssid = wpa_s->conf->ssid;
1285 		while (ssid) {
1286 			if (!wpas_network_disabled(wpa_s, ssid) &&
1287 			    ssid->scan_ssid) {
1288 				wpa_hexdump_ascii(MSG_DEBUG, "Scan SSID",
1289 						  ssid->ssid, ssid->ssid_len);
1290 				params.ssids[params.num_ssids].ssid =
1291 					ssid->ssid;
1292 				params.ssids[params.num_ssids].ssid_len =
1293 					ssid->ssid_len;
1294 				params.num_ssids++;
1295 				if (params.num_ssids + 1 >= max_ssids)
1296 					break;
1297 			}
1298 
1299 			if (!wpas_network_disabled(wpa_s, ssid)) {
1300 				/*
1301 				 * Also add the SSID of the OWE BSS, to allow
1302 				 * discovery of transition mode APs more
1303 				 * quickly.
1304 				 */
1305 				wpa_add_owe_scan_ssid(wpa_s, &params, ssid,
1306 						      max_ssids);
1307 			}
1308 
1309 			ssid = ssid->next;
1310 			if (ssid == start)
1311 				break;
1312 			if (ssid == NULL && max_ssids > 1 &&
1313 			    start != wpa_s->conf->ssid)
1314 				ssid = wpa_s->conf->ssid;
1315 		}
1316 
1317 		if (wpa_s->scan_id_count &&
1318 		    wpa_s->last_scan_req == MANUAL_SCAN_REQ)
1319 			wpa_set_scan_ssids(wpa_s, &params, max_ssids);
1320 
1321 		for (tssid = wpa_s->conf->ssid;
1322 		     wpa_s->last_scan_req != MANUAL_SCAN_REQ && tssid;
1323 		     tssid = tssid->next) {
1324 			if (wpas_network_disabled(wpa_s, tssid))
1325 				continue;
1326 			if (((params.freqs || !freqs_set) &&
1327 			     tssid->scan_freq) &&
1328 			    int_array_len(params.freqs) < 100) {
1329 				int_array_concat(&params.freqs,
1330 						 tssid->scan_freq);
1331 			} else {
1332 				os_free(params.freqs);
1333 				params.freqs = NULL;
1334 			}
1335 			freqs_set = 1;
1336 		}
1337 		int_array_sort_unique(params.freqs);
1338 	}
1339 
1340 	if (ssid && max_ssids == 1) {
1341 		/*
1342 		 * If the driver is limited to 1 SSID at a time interleave
1343 		 * wildcard SSID scans with specific SSID scans to avoid
1344 		 * waiting a long time for a wildcard scan.
1345 		 */
1346 		if (!wpa_s->prev_scan_wildcard) {
1347 			params.ssids[0].ssid = NULL;
1348 			params.ssids[0].ssid_len = 0;
1349 			wpa_s->prev_scan_wildcard = 1;
1350 			wpa_dbg(wpa_s, MSG_DEBUG, "Starting AP scan for "
1351 				"wildcard SSID (Interleave with specific)");
1352 		} else {
1353 			wpa_s->prev_scan_ssid = ssid;
1354 			wpa_s->prev_scan_wildcard = 0;
1355 			wpa_dbg(wpa_s, MSG_DEBUG,
1356 				"Starting AP scan for specific SSID: %s",
1357 				wpa_ssid_txt(ssid->ssid, ssid->ssid_len));
1358 		}
1359 	} else if (ssid) {
1360 		/* max_ssids > 1 */
1361 
1362 		wpa_s->prev_scan_ssid = ssid;
1363 		wpa_dbg(wpa_s, MSG_DEBUG, "Include wildcard SSID in "
1364 			"the scan request");
1365 		params.num_ssids++;
1366 	} else if (wpa_s->last_scan_req == MANUAL_SCAN_REQ &&
1367 		   wpa_s->manual_scan_passive && params.num_ssids == 0) {
1368 		wpa_dbg(wpa_s, MSG_DEBUG, "Use passive scan based on manual request");
1369 	} else if (wpa_s->conf->passive_scan) {
1370 		wpa_dbg(wpa_s, MSG_DEBUG,
1371 			"Use passive scan based on configuration");
1372 	} else {
1373 		wpa_s->prev_scan_ssid = WILDCARD_SSID_SCAN;
1374 		params.num_ssids++;
1375 		wpa_dbg(wpa_s, MSG_DEBUG, "Starting AP scan for wildcard "
1376 			"SSID");
1377 	}
1378 
1379 ssid_list_set:
1380 	wpa_supplicant_optimize_freqs(wpa_s, &params);
1381 	extra_ie = wpa_supplicant_extra_ies(wpa_s);
1382 
1383 	if (wpa_s->last_scan_req == MANUAL_SCAN_REQ &&
1384 	    wpa_s->manual_scan_only_new) {
1385 		wpa_printf(MSG_DEBUG,
1386 			   "Request driver to clear scan cache due to manual only_new=1 scan");
1387 		params.only_new_results = 1;
1388 	}
1389 
1390 	if (wpa_s->last_scan_req == MANUAL_SCAN_REQ && params.freqs == NULL &&
1391 	    wpa_s->manual_scan_freqs) {
1392 		wpa_dbg(wpa_s, MSG_DEBUG, "Limit manual scan to specified channels");
1393 		params.freqs = wpa_s->manual_scan_freqs;
1394 		wpa_s->manual_scan_freqs = NULL;
1395 	}
1396 
1397 	if (params.freqs == NULL && wpa_s->select_network_scan_freqs) {
1398 		wpa_dbg(wpa_s, MSG_DEBUG,
1399 			"Limit select_network scan to specified channels");
1400 		params.freqs = wpa_s->select_network_scan_freqs;
1401 		wpa_s->select_network_scan_freqs = NULL;
1402 	}
1403 
1404 	if (params.freqs == NULL && wpa_s->next_scan_freqs) {
1405 		wpa_dbg(wpa_s, MSG_DEBUG, "Optimize scan based on previously "
1406 			"generated frequency list");
1407 		params.freqs = wpa_s->next_scan_freqs;
1408 	} else
1409 		os_free(wpa_s->next_scan_freqs);
1410 	wpa_s->next_scan_freqs = NULL;
1411 	wpa_setband_scan_freqs(wpa_s, &params);
1412 
1413 	/* See if user specified frequencies. If so, scan only those. */
1414 	if (wpa_s->last_scan_req == INITIAL_SCAN_REQ &&
1415 	    wpa_s->conf->initial_freq_list && !params.freqs) {
1416 		wpa_dbg(wpa_s, MSG_DEBUG,
1417 			"Optimize scan based on conf->initial_freq_list");
1418 		int_array_concat(&params.freqs, wpa_s->conf->initial_freq_list);
1419 	} else if (wpa_s->conf->freq_list && !params.freqs) {
1420 		wpa_dbg(wpa_s, MSG_DEBUG,
1421 			"Optimize scan based on conf->freq_list");
1422 		int_array_concat(&params.freqs, wpa_s->conf->freq_list);
1423 	}
1424 
1425 	/* Use current associated channel? */
1426 	if (wpa_s->conf->scan_cur_freq && !params.freqs) {
1427 		unsigned int num = wpa_s->num_multichan_concurrent;
1428 
1429 		params.freqs = os_calloc(num + 1, sizeof(int));
1430 		if (params.freqs) {
1431 			num = get_shared_radio_freqs(wpa_s, params.freqs, num,
1432 						     false);
1433 			if (num > 0) {
1434 				wpa_dbg(wpa_s, MSG_DEBUG, "Scan only the "
1435 					"current operating channels since "
1436 					"scan_cur_freq is enabled");
1437 			} else {
1438 				os_free(params.freqs);
1439 				params.freqs = NULL;
1440 			}
1441 		}
1442 	}
1443 
1444 #ifdef CONFIG_MBO
1445 	if (wpa_s->enable_oce & OCE_STA)
1446 		params.oce_scan = 1;
1447 #endif /* CONFIG_MBO */
1448 
1449 	params.filter_ssids = wpa_supplicant_build_filter_ssids(
1450 		wpa_s->conf, &params.num_filter_ssids);
1451 	if (extra_ie) {
1452 		params.extra_ies = wpabuf_head(extra_ie);
1453 		params.extra_ies_len = wpabuf_len(extra_ie);
1454 	}
1455 
1456 #ifdef CONFIG_P2P
1457 	if (wpa_s->p2p_in_provisioning || wpa_s->p2p_in_invitation ||
1458 	    (wpa_s->show_group_started && wpa_s->go_params)) {
1459 		/*
1460 		 * The interface may not yet be in P2P mode, so we have to
1461 		 * explicitly request P2P probe to disable CCK rates.
1462 		 */
1463 		params.p2p_probe = 1;
1464 	}
1465 #endif /* CONFIG_P2P */
1466 
1467 	if ((wpa_s->mac_addr_rand_enable & MAC_ADDR_RAND_SCAN) &&
1468 	    wpa_s->wpa_state <= WPA_SCANNING)
1469 		wpa_setup_mac_addr_rand_params(&params, wpa_s->mac_addr_scan);
1470 
1471 	if (!is_zero_ether_addr(wpa_s->next_scan_bssid)) {
1472 		struct wpa_bss *bss;
1473 
1474 		params.bssid = wpa_s->next_scan_bssid;
1475 		bss = wpa_bss_get_bssid_latest(wpa_s, params.bssid);
1476 		if (!wpa_s->next_scan_bssid_wildcard_ssid &&
1477 		    bss && bss->ssid_len && params.num_ssids == 1 &&
1478 		    params.ssids[0].ssid_len == 0) {
1479 			params.ssids[0].ssid = bss->ssid;
1480 			params.ssids[0].ssid_len = bss->ssid_len;
1481 			wpa_dbg(wpa_s, MSG_DEBUG,
1482 				"Scan a previously specified BSSID " MACSTR
1483 				" and SSID %s",
1484 				MAC2STR(params.bssid),
1485 				wpa_ssid_txt(bss->ssid, bss->ssid_len));
1486 		} else {
1487 			wpa_dbg(wpa_s, MSG_DEBUG,
1488 				"Scan a previously specified BSSID " MACSTR,
1489 				MAC2STR(params.bssid));
1490 		}
1491 	} else if (!is_zero_ether_addr(wpa_s->ml_probe_bssid)) {
1492 		wpa_printf(MSG_DEBUG, "Scanning for ML probe request");
1493 		params.bssid = wpa_s->ml_probe_bssid;
1494 		params.min_probe_req_content = true;
1495 	}
1496 
1497 
1498 	if (wpa_s->last_scan_req == MANUAL_SCAN_REQ &&
1499 	    wpa_s->manual_non_coloc_6ghz) {
1500 		wpa_dbg(wpa_s, MSG_DEBUG, "Collocated 6 GHz logic is disabled");
1501 		params.non_coloc_6ghz = 1;
1502 	}
1503 
1504 	scan_params = &params;
1505 
1506 scan:
1507 #ifdef CONFIG_P2P
1508 	/*
1509 	 * If the driver does not support multi-channel concurrency and a
1510 	 * virtual interface that shares the same radio with the wpa_s interface
1511 	 * is operating there may not be need to scan other channels apart from
1512 	 * the current operating channel on the other virtual interface. Filter
1513 	 * out other channels in case we are trying to find a connection for a
1514 	 * station interface when we are not configured to prefer station
1515 	 * connection and a concurrent operation is already in process.
1516 	 */
1517 	if (wpa_s->scan_for_connection &&
1518 	    wpa_s->last_scan_req == NORMAL_SCAN_REQ &&
1519 	    !scan_params->freqs && !params.freqs &&
1520 	    wpas_is_p2p_prioritized(wpa_s) &&
1521 	    wpa_s->p2p_group_interface == NOT_P2P_GROUP_INTERFACE &&
1522 	    non_p2p_network_enabled(wpa_s)) {
1523 		unsigned int num = wpa_s->num_multichan_concurrent;
1524 
1525 		params.freqs = os_calloc(num + 1, sizeof(int));
1526 		if (params.freqs) {
1527 			/*
1528 			 * Exclude the operating frequency of the current
1529 			 * interface since we're looking to transition off of
1530 			 * it.
1531 			 */
1532 			num = get_shared_radio_freqs(wpa_s, params.freqs, num,
1533 						     true);
1534 			if (num > 0 && num == wpa_s->num_multichan_concurrent) {
1535 				wpa_dbg(wpa_s, MSG_DEBUG, "Scan only the current operating channels since all channels are already used");
1536 			} else {
1537 				os_free(params.freqs);
1538 				params.freqs = NULL;
1539 			}
1540 		}
1541 	}
1542 
1543 	if (!params.freqs && wpas_is_6ghz_supported(wpa_s, true) &&
1544 	    (wpa_s->p2p_in_invitation || wpa_s->p2p_in_provisioning))
1545 		wpas_p2p_scan_freqs(wpa_s, &params, true);
1546 #endif /* CONFIG_P2P */
1547 
1548 	ret = wpa_supplicant_trigger_scan(wpa_s, scan_params, false, false);
1549 
1550 	if (ret && wpa_s->last_scan_req == MANUAL_SCAN_REQ && params.freqs &&
1551 	    !wpa_s->manual_scan_freqs) {
1552 		/* Restore manual_scan_freqs for the next attempt */
1553 		wpa_s->manual_scan_freqs = params.freqs;
1554 		params.freqs = NULL;
1555 	}
1556 
1557 	wpabuf_free(extra_ie);
1558 	os_free(params.freqs);
1559 	os_free(params.filter_ssids);
1560 	os_free(params.mac_addr);
1561 
1562 	if (ret) {
1563 		wpa_msg(wpa_s, MSG_WARNING, "Failed to initiate AP scan");
1564 		if (wpa_s->scan_prev_wpa_state != wpa_s->wpa_state)
1565 			wpa_supplicant_set_state(wpa_s,
1566 						 wpa_s->scan_prev_wpa_state);
1567 		/* Restore scan_req since we will try to scan again */
1568 		wpa_s->scan_req = wpa_s->last_scan_req;
1569 		wpa_supplicant_req_scan(wpa_s, 1, 0);
1570 	} else {
1571 		wpa_s->scan_for_connection = 0;
1572 #ifdef CONFIG_INTERWORKING
1573 		wpa_s->interworking_fast_assoc_tried = 0;
1574 #endif /* CONFIG_INTERWORKING */
1575 		wpa_s->next_scan_bssid_wildcard_ssid = 0;
1576 		if (params.bssid)
1577 			os_memset(wpa_s->next_scan_bssid, 0, ETH_ALEN);
1578 	}
1579 
1580 	wpa_s->ml_probe_mld_id = -1;
1581 	wpa_s->ml_probe_links = 0;
1582 	os_memset(wpa_s->ml_probe_bssid, 0, sizeof(wpa_s->ml_probe_bssid));
1583 }
1584 
1585 
1586 void wpa_supplicant_update_scan_int(struct wpa_supplicant *wpa_s, int sec)
1587 {
1588 	struct os_reltime remaining, new_int;
1589 	int cancelled;
1590 
1591 	cancelled = eloop_cancel_timeout_one(wpa_supplicant_scan, wpa_s, NULL,
1592 					     &remaining);
1593 
1594 	new_int.sec = sec;
1595 	new_int.usec = 0;
1596 	if (cancelled && os_reltime_before(&remaining, &new_int)) {
1597 		new_int.sec = remaining.sec;
1598 		new_int.usec = remaining.usec;
1599 	}
1600 
1601 	if (cancelled) {
1602 		eloop_register_timeout(new_int.sec, new_int.usec,
1603 				       wpa_supplicant_scan, wpa_s, NULL);
1604 	}
1605 	wpa_s->scan_interval = sec;
1606 }
1607 
1608 
1609 /**
1610  * wpa_supplicant_req_scan - Schedule a scan for neighboring access points
1611  * @wpa_s: Pointer to wpa_supplicant data
1612  * @sec: Number of seconds after which to scan
1613  * @usec: Number of microseconds after which to scan
1614  *
1615  * This function is used to schedule a scan for neighboring access points after
1616  * the specified time.
1617  */
1618 void wpa_supplicant_req_scan(struct wpa_supplicant *wpa_s, int sec, int usec)
1619 {
1620 	int res;
1621 
1622 	if (wpa_s->p2p_mgmt) {
1623 		wpa_dbg(wpa_s, MSG_DEBUG,
1624 			"Ignore scan request (%d.%06d sec) on p2p_mgmt interface",
1625 			sec, usec);
1626 		return;
1627 	}
1628 
1629 	res = eloop_deplete_timeout(sec, usec, wpa_supplicant_scan, wpa_s,
1630 				    NULL);
1631 	if (res == 1) {
1632 		wpa_dbg(wpa_s, MSG_DEBUG, "Rescheduling scan request: %d.%06d sec",
1633 			sec, usec);
1634 	} else if (res == 0) {
1635 		wpa_dbg(wpa_s, MSG_DEBUG, "Ignore new scan request for %d.%06d sec since an earlier request is scheduled to trigger sooner",
1636 			sec, usec);
1637 	} else {
1638 		wpa_dbg(wpa_s, MSG_DEBUG, "Setting scan request: %d.%06d sec",
1639 			sec, usec);
1640 		eloop_register_timeout(sec, usec, wpa_supplicant_scan, wpa_s, NULL);
1641 	}
1642 }
1643 
1644 
1645 /**
1646  * wpa_supplicant_delayed_sched_scan - Request a delayed scheduled scan
1647  * @wpa_s: Pointer to wpa_supplicant data
1648  * @sec: Number of seconds after which to scan
1649  * @usec: Number of microseconds after which to scan
1650  * Returns: 0 on success or -1 otherwise
1651  *
1652  * This function is used to schedule periodic scans for neighboring
1653  * access points after the specified time.
1654  */
1655 int wpa_supplicant_delayed_sched_scan(struct wpa_supplicant *wpa_s,
1656 				      int sec, int usec)
1657 {
1658 	if (!wpa_s->sched_scan_supported)
1659 		return -1;
1660 
1661 	eloop_register_timeout(sec, usec,
1662 			       wpa_supplicant_delayed_sched_scan_timeout,
1663 			       wpa_s, NULL);
1664 
1665 	return 0;
1666 }
1667 
1668 
1669 static void
1670 wpa_scan_set_relative_rssi_params(struct wpa_supplicant *wpa_s,
1671 				  struct wpa_driver_scan_params *params)
1672 {
1673 	if (wpa_s->wpa_state != WPA_COMPLETED ||
1674 	    !(wpa_s->drv_flags & WPA_DRIVER_FLAGS_SCHED_SCAN_RELATIVE_RSSI) ||
1675 	    wpa_s->srp.relative_rssi_set == 0)
1676 		return;
1677 
1678 	params->relative_rssi_set = 1;
1679 	params->relative_rssi = wpa_s->srp.relative_rssi;
1680 
1681 	if (wpa_s->srp.relative_adjust_rssi == 0)
1682 		return;
1683 
1684 	params->relative_adjust_band = wpa_s->srp.relative_adjust_band;
1685 	params->relative_adjust_rssi = wpa_s->srp.relative_adjust_rssi;
1686 }
1687 
1688 
1689 /**
1690  * wpa_supplicant_req_sched_scan - Start a periodic scheduled scan
1691  * @wpa_s: Pointer to wpa_supplicant data
1692  * Returns: 0 is sched_scan was started or -1 otherwise
1693  *
1694  * This function is used to schedule periodic scans for neighboring
1695  * access points repeating the scan continuously.
1696  */
1697 int wpa_supplicant_req_sched_scan(struct wpa_supplicant *wpa_s)
1698 {
1699 	struct wpa_driver_scan_params params;
1700 	struct wpa_driver_scan_params *scan_params;
1701 	enum wpa_states prev_state;
1702 	struct wpa_ssid *ssid = NULL;
1703 	struct wpabuf *extra_ie = NULL;
1704 	int ret;
1705 	unsigned int max_sched_scan_ssids;
1706 	int wildcard = 0;
1707 	int need_ssids;
1708 	struct sched_scan_plan scan_plan;
1709 
1710 	if (!wpa_s->sched_scan_supported)
1711 		return -1;
1712 
1713 	if (wpa_s->max_sched_scan_ssids > WPAS_MAX_SCAN_SSIDS)
1714 		max_sched_scan_ssids = WPAS_MAX_SCAN_SSIDS;
1715 	else
1716 		max_sched_scan_ssids = wpa_s->max_sched_scan_ssids;
1717 	if (max_sched_scan_ssids < 1 || wpa_s->conf->disable_scan_offload)
1718 		return -1;
1719 
1720 	wpa_s->sched_scan_stop_req = 0;
1721 
1722 	if (wpa_s->sched_scanning) {
1723 		wpa_dbg(wpa_s, MSG_DEBUG, "Already sched scanning");
1724 		return 0;
1725 	}
1726 
1727 	need_ssids = 0;
1728 	for (ssid = wpa_s->conf->ssid; ssid; ssid = ssid->next) {
1729 		if (!wpas_network_disabled(wpa_s, ssid) && !ssid->scan_ssid) {
1730 			/* Use wildcard SSID to find this network */
1731 			wildcard = 1;
1732 		} else if (!wpas_network_disabled(wpa_s, ssid) &&
1733 			   ssid->ssid_len)
1734 			need_ssids++;
1735 
1736 #ifdef CONFIG_WPS
1737 		if (!wpas_network_disabled(wpa_s, ssid) &&
1738 		    ssid->key_mgmt == WPA_KEY_MGMT_WPS) {
1739 			/*
1740 			 * Normal scan is more reliable and faster for WPS
1741 			 * operations and since these are for short periods of
1742 			 * time, the benefit of trying to use sched_scan would
1743 			 * be limited.
1744 			 */
1745 			wpa_dbg(wpa_s, MSG_DEBUG, "Use normal scan instead of "
1746 				"sched_scan for WPS");
1747 			return -1;
1748 		}
1749 #endif /* CONFIG_WPS */
1750 	}
1751 	if (wildcard)
1752 		need_ssids++;
1753 
1754 	if (wpa_s->normal_scans < 3 &&
1755 	    (need_ssids <= wpa_s->max_scan_ssids ||
1756 	     wpa_s->max_scan_ssids >= (int) max_sched_scan_ssids)) {
1757 		/*
1758 		 * When normal scan can speed up operations, use that for the
1759 		 * first operations before starting the sched_scan to allow
1760 		 * user space sleep more. We do this only if the normal scan
1761 		 * has functionality that is suitable for this or if the
1762 		 * sched_scan does not have better support for multiple SSIDs.
1763 		 */
1764 		wpa_dbg(wpa_s, MSG_DEBUG, "Use normal scan instead of "
1765 			"sched_scan for initial scans (normal_scans=%d)",
1766 			wpa_s->normal_scans);
1767 		return -1;
1768 	}
1769 
1770 	os_memset(&params, 0, sizeof(params));
1771 
1772 	/* If we can't allocate space for the filters, we just don't filter */
1773 	params.filter_ssids = os_calloc(wpa_s->max_match_sets,
1774 					sizeof(struct wpa_driver_scan_filter));
1775 
1776 	prev_state = wpa_s->wpa_state;
1777 	if (wpa_s->wpa_state == WPA_DISCONNECTED ||
1778 	    wpa_s->wpa_state == WPA_INACTIVE)
1779 		wpa_supplicant_set_state(wpa_s, WPA_SCANNING);
1780 
1781 	if (wpa_s->autoscan_params != NULL) {
1782 		scan_params = wpa_s->autoscan_params;
1783 		goto scan;
1784 	}
1785 
1786 	/* Find the starting point from which to continue scanning */
1787 	ssid = wpa_s->conf->ssid;
1788 	if (wpa_s->prev_sched_ssid) {
1789 		while (ssid) {
1790 			if (ssid == wpa_s->prev_sched_ssid) {
1791 				ssid = ssid->next;
1792 				break;
1793 			}
1794 			ssid = ssid->next;
1795 		}
1796 	}
1797 
1798 	if (!ssid || !wpa_s->prev_sched_ssid) {
1799 		wpa_dbg(wpa_s, MSG_DEBUG, "Beginning of SSID list");
1800 		wpa_s->sched_scan_timeout = max_sched_scan_ssids * 2;
1801 		wpa_s->first_sched_scan = 1;
1802 		ssid = wpa_s->conf->ssid;
1803 		wpa_s->prev_sched_ssid = ssid;
1804 	}
1805 
1806 	if (wildcard) {
1807 		wpa_dbg(wpa_s, MSG_DEBUG, "Add wildcard SSID to sched_scan");
1808 		params.num_ssids++;
1809 	}
1810 
1811 	while (ssid) {
1812 		if (wpas_network_disabled(wpa_s, ssid))
1813 			goto next;
1814 
1815 		if (params.num_filter_ssids < wpa_s->max_match_sets &&
1816 		    params.filter_ssids && ssid->ssid && ssid->ssid_len) {
1817 			wpa_dbg(wpa_s, MSG_DEBUG, "add to filter ssid: %s",
1818 				wpa_ssid_txt(ssid->ssid, ssid->ssid_len));
1819 			os_memcpy(params.filter_ssids[params.num_filter_ssids].ssid,
1820 				  ssid->ssid, ssid->ssid_len);
1821 			params.filter_ssids[params.num_filter_ssids].ssid_len =
1822 				ssid->ssid_len;
1823 			params.num_filter_ssids++;
1824 		} else if (params.filter_ssids && ssid->ssid && ssid->ssid_len)
1825 		{
1826 			wpa_dbg(wpa_s, MSG_DEBUG, "Not enough room for SSID "
1827 				"filter for sched_scan - drop filter");
1828 			os_free(params.filter_ssids);
1829 			params.filter_ssids = NULL;
1830 			params.num_filter_ssids = 0;
1831 		}
1832 
1833 		if (ssid->scan_ssid && ssid->ssid && ssid->ssid_len) {
1834 			if (params.num_ssids == max_sched_scan_ssids)
1835 				break; /* only room for broadcast SSID */
1836 			wpa_dbg(wpa_s, MSG_DEBUG,
1837 				"add to active scan ssid: %s",
1838 				wpa_ssid_txt(ssid->ssid, ssid->ssid_len));
1839 			params.ssids[params.num_ssids].ssid =
1840 				ssid->ssid;
1841 			params.ssids[params.num_ssids].ssid_len =
1842 				ssid->ssid_len;
1843 			params.num_ssids++;
1844 			if (params.num_ssids >= max_sched_scan_ssids) {
1845 				wpa_s->prev_sched_ssid = ssid;
1846 				do {
1847 					ssid = ssid->next;
1848 				} while (ssid &&
1849 					 (wpas_network_disabled(wpa_s, ssid) ||
1850 					  !ssid->scan_ssid));
1851 				break;
1852 			}
1853 		}
1854 
1855 	next:
1856 		wpa_s->prev_sched_ssid = ssid;
1857 		ssid = ssid->next;
1858 	}
1859 
1860 	if (params.num_filter_ssids == 0) {
1861 		os_free(params.filter_ssids);
1862 		params.filter_ssids = NULL;
1863 	}
1864 
1865 	extra_ie = wpa_supplicant_extra_ies(wpa_s);
1866 	if (extra_ie) {
1867 		params.extra_ies = wpabuf_head(extra_ie);
1868 		params.extra_ies_len = wpabuf_len(extra_ie);
1869 	}
1870 
1871 	if (wpa_s->conf->filter_rssi)
1872 		params.filter_rssi = wpa_s->conf->filter_rssi;
1873 
1874 	/* See if user specified frequencies. If so, scan only those. */
1875 	if (wpa_s->conf->freq_list && !params.freqs) {
1876 		wpa_dbg(wpa_s, MSG_DEBUG,
1877 			"Optimize scan based on conf->freq_list");
1878 		int_array_concat(&params.freqs, wpa_s->conf->freq_list);
1879 	}
1880 
1881 #ifdef CONFIG_MBO
1882 	if (wpa_s->enable_oce & OCE_STA)
1883 		params.oce_scan = 1;
1884 #endif /* CONFIG_MBO */
1885 
1886 	scan_params = &params;
1887 
1888 scan:
1889 	wpa_s->sched_scan_timed_out = 0;
1890 
1891 	/*
1892 	 * We cannot support multiple scan plans if the scan request includes
1893 	 * too many SSID's, so in this case use only the last scan plan and make
1894 	 * it run infinitely. It will be stopped by the timeout.
1895 	 */
1896 	if (wpa_s->sched_scan_plans_num == 1 ||
1897 	    (wpa_s->sched_scan_plans_num && !ssid && wpa_s->first_sched_scan)) {
1898 		params.sched_scan_plans = wpa_s->sched_scan_plans;
1899 		params.sched_scan_plans_num = wpa_s->sched_scan_plans_num;
1900 	} else if (wpa_s->sched_scan_plans_num > 1) {
1901 		wpa_dbg(wpa_s, MSG_DEBUG,
1902 			"Too many SSIDs. Default to using single scheduled_scan plan");
1903 		params.sched_scan_plans =
1904 			&wpa_s->sched_scan_plans[wpa_s->sched_scan_plans_num -
1905 						 1];
1906 		params.sched_scan_plans_num = 1;
1907 	} else {
1908 		if (wpa_s->conf->sched_scan_interval)
1909 			scan_plan.interval = wpa_s->conf->sched_scan_interval;
1910 		else
1911 			scan_plan.interval = 10;
1912 
1913 		if (scan_plan.interval > wpa_s->max_sched_scan_plan_interval) {
1914 			wpa_printf(MSG_WARNING,
1915 				   "Scan interval too long(%u), use the maximum allowed(%u)",
1916 				   scan_plan.interval,
1917 				   wpa_s->max_sched_scan_plan_interval);
1918 			scan_plan.interval =
1919 				wpa_s->max_sched_scan_plan_interval;
1920 		}
1921 
1922 		scan_plan.iterations = 0;
1923 		params.sched_scan_plans = &scan_plan;
1924 		params.sched_scan_plans_num = 1;
1925 	}
1926 
1927 	params.sched_scan_start_delay = wpa_s->conf->sched_scan_start_delay;
1928 
1929 	if (ssid || !wpa_s->first_sched_scan) {
1930 		wpa_dbg(wpa_s, MSG_DEBUG,
1931 			"Starting sched scan after %u seconds: interval %u timeout %d",
1932 			params.sched_scan_start_delay,
1933 			params.sched_scan_plans[0].interval,
1934 			wpa_s->sched_scan_timeout);
1935 	} else {
1936 		wpa_dbg(wpa_s, MSG_DEBUG,
1937 			"Starting sched scan after %u seconds (no timeout)",
1938 			params.sched_scan_start_delay);
1939 	}
1940 
1941 	wpa_setband_scan_freqs(wpa_s, scan_params);
1942 
1943 	if ((wpa_s->mac_addr_rand_enable & MAC_ADDR_RAND_SCHED_SCAN) &&
1944 	    wpa_s->wpa_state <= WPA_SCANNING)
1945 		wpa_setup_mac_addr_rand_params(&params,
1946 					       wpa_s->mac_addr_sched_scan);
1947 
1948 	wpa_scan_set_relative_rssi_params(wpa_s, scan_params);
1949 
1950 	ret = wpa_supplicant_start_sched_scan(wpa_s, scan_params);
1951 	wpabuf_free(extra_ie);
1952 	os_free(params.filter_ssids);
1953 	os_free(params.mac_addr);
1954 	if (ret) {
1955 		wpa_msg(wpa_s, MSG_WARNING, "Failed to initiate sched scan");
1956 		if (prev_state != wpa_s->wpa_state)
1957 			wpa_supplicant_set_state(wpa_s, prev_state);
1958 		return ret;
1959 	}
1960 
1961 	/* If we have more SSIDs to scan, add a timeout so we scan them too */
1962 	if (ssid || !wpa_s->first_sched_scan) {
1963 		wpa_s->sched_scan_timed_out = 0;
1964 		eloop_register_timeout(wpa_s->sched_scan_timeout, 0,
1965 				       wpa_supplicant_sched_scan_timeout,
1966 				       wpa_s, NULL);
1967 		wpa_s->first_sched_scan = 0;
1968 		wpa_s->sched_scan_timeout /= 2;
1969 		params.sched_scan_plans[0].interval *= 2;
1970 		if ((unsigned int) wpa_s->sched_scan_timeout <
1971 		    params.sched_scan_plans[0].interval ||
1972 		    params.sched_scan_plans[0].interval >
1973 		    wpa_s->max_sched_scan_plan_interval) {
1974 			params.sched_scan_plans[0].interval = 10;
1975 			wpa_s->sched_scan_timeout = max_sched_scan_ssids * 2;
1976 		}
1977 	}
1978 
1979 	/* If there is no more ssids, start next time from the beginning */
1980 	if (!ssid)
1981 		wpa_s->prev_sched_ssid = NULL;
1982 
1983 	return 0;
1984 }
1985 
1986 
1987 /**
1988  * wpa_supplicant_cancel_scan - Cancel a scheduled scan request
1989  * @wpa_s: Pointer to wpa_supplicant data
1990  *
1991  * This function is used to cancel a scan request scheduled with
1992  * wpa_supplicant_req_scan().
1993  */
1994 void wpa_supplicant_cancel_scan(struct wpa_supplicant *wpa_s)
1995 {
1996 	wpa_dbg(wpa_s, MSG_DEBUG, "Cancelling scan request");
1997 	eloop_cancel_timeout(wpa_supplicant_scan, wpa_s, NULL);
1998 }
1999 
2000 
2001 /**
2002  * wpa_supplicant_cancel_delayed_sched_scan - Stop a delayed scheduled scan
2003  * @wpa_s: Pointer to wpa_supplicant data
2004  *
2005  * This function is used to stop a delayed scheduled scan.
2006  */
2007 void wpa_supplicant_cancel_delayed_sched_scan(struct wpa_supplicant *wpa_s)
2008 {
2009 	if (!wpa_s->sched_scan_supported)
2010 		return;
2011 
2012 	wpa_dbg(wpa_s, MSG_DEBUG, "Cancelling delayed sched scan");
2013 	eloop_cancel_timeout(wpa_supplicant_delayed_sched_scan_timeout,
2014 			     wpa_s, NULL);
2015 }
2016 
2017 
2018 /**
2019  * wpa_supplicant_cancel_sched_scan - Stop running scheduled scans
2020  * @wpa_s: Pointer to wpa_supplicant data
2021  *
2022  * This function is used to stop a periodic scheduled scan.
2023  */
2024 void wpa_supplicant_cancel_sched_scan(struct wpa_supplicant *wpa_s)
2025 {
2026 	if (!wpa_s->sched_scanning)
2027 		return;
2028 
2029 	if (wpa_s->sched_scanning)
2030 		wpa_s->sched_scan_stop_req = 1;
2031 
2032 	wpa_dbg(wpa_s, MSG_DEBUG, "Cancelling sched scan");
2033 	eloop_cancel_timeout(wpa_supplicant_sched_scan_timeout, wpa_s, NULL);
2034 	wpa_supplicant_stop_sched_scan(wpa_s);
2035 }
2036 
2037 
2038 /**
2039  * wpa_supplicant_notify_scanning - Indicate possible scan state change
2040  * @wpa_s: Pointer to wpa_supplicant data
2041  * @scanning: Whether scanning is currently in progress
2042  *
2043  * This function is to generate scanning notifycations. It is called whenever
2044  * there may have been a change in scanning (scan started, completed, stopped).
2045  * wpas_notify_scanning() is called whenever the scanning state changed from the
2046  * previously notified state.
2047  */
2048 void wpa_supplicant_notify_scanning(struct wpa_supplicant *wpa_s,
2049 				    int scanning)
2050 {
2051 	if (wpa_s->scanning != scanning) {
2052 		wpa_s->scanning = scanning;
2053 		wpas_notify_scanning(wpa_s);
2054 	}
2055 }
2056 
2057 
2058 static int wpa_scan_get_max_rate(const struct wpa_scan_res *res)
2059 {
2060 	int rate = 0;
2061 	const u8 *ie;
2062 	int i;
2063 
2064 	ie = wpa_scan_get_ie(res, WLAN_EID_SUPP_RATES);
2065 	for (i = 0; ie && i < ie[1]; i++) {
2066 		if ((ie[i + 2] & 0x7f) > rate)
2067 			rate = ie[i + 2] & 0x7f;
2068 	}
2069 
2070 	ie = wpa_scan_get_ie(res, WLAN_EID_EXT_SUPP_RATES);
2071 	for (i = 0; ie && i < ie[1]; i++) {
2072 		if ((ie[i + 2] & 0x7f) > rate)
2073 			rate = ie[i + 2] & 0x7f;
2074 	}
2075 
2076 	return rate;
2077 }
2078 
2079 
2080 /**
2081  * wpa_scan_get_ie - Fetch a specified information element from a scan result
2082  * @res: Scan result entry
2083  * @ie: Information element identitifier (WLAN_EID_*)
2084  * Returns: Pointer to the information element (id field) or %NULL if not found
2085  *
2086  * This function returns the first matching information element in the scan
2087  * result.
2088  */
2089 const u8 * wpa_scan_get_ie(const struct wpa_scan_res *res, u8 ie)
2090 {
2091 	size_t ie_len = res->ie_len;
2092 
2093 	/* Use the Beacon frame IEs if res->ie_len is not available */
2094 	if (!ie_len)
2095 		ie_len = res->beacon_ie_len;
2096 
2097 	return get_ie((const u8 *) (res + 1), ie_len, ie);
2098 }
2099 
2100 
2101 const u8 * wpa_scan_get_ml_ie(const struct wpa_scan_res *res, u8 type)
2102 {
2103 	size_t ie_len = res->ie_len;
2104 
2105 	/* Use the Beacon frame IEs if res->ie_len is not available */
2106 	if (!ie_len)
2107 		ie_len = res->beacon_ie_len;
2108 
2109 	return get_ml_ie((const u8 *) (res + 1), ie_len, type);
2110 }
2111 
2112 
2113 /**
2114  * wpa_scan_get_vendor_ie - Fetch vendor information element from a scan result
2115  * @res: Scan result entry
2116  * @vendor_type: Vendor type (four octets starting the IE payload)
2117  * Returns: Pointer to the information element (id field) or %NULL if not found
2118  *
2119  * This function returns the first matching information element in the scan
2120  * result.
2121  */
2122 const u8 * wpa_scan_get_vendor_ie(const struct wpa_scan_res *res,
2123 				  u32 vendor_type)
2124 {
2125 	const u8 *ies;
2126 	const struct element *elem;
2127 
2128 	ies = (const u8 *) (res + 1);
2129 
2130 	for_each_element_id(elem, WLAN_EID_VENDOR_SPECIFIC, ies, res->ie_len) {
2131 		if (elem->datalen >= 4 &&
2132 		    vendor_type == WPA_GET_BE32(elem->data))
2133 			return &elem->id;
2134 	}
2135 
2136 	return NULL;
2137 }
2138 
2139 
2140 /**
2141  * wpa_scan_get_vendor_ie_beacon - Fetch vendor information from a scan result
2142  * @res: Scan result entry
2143  * @vendor_type: Vendor type (four octets starting the IE payload)
2144  * Returns: Pointer to the information element (id field) or %NULL if not found
2145  *
2146  * This function returns the first matching information element in the scan
2147  * result.
2148  *
2149  * This function is like wpa_scan_get_vendor_ie(), but uses IE buffer only
2150  * from Beacon frames instead of either Beacon or Probe Response frames.
2151  */
2152 const u8 * wpa_scan_get_vendor_ie_beacon(const struct wpa_scan_res *res,
2153 					 u32 vendor_type)
2154 {
2155 	const u8 *ies;
2156 	const struct element *elem;
2157 
2158 	if (res->beacon_ie_len == 0)
2159 		return NULL;
2160 
2161 	ies = (const u8 *) (res + 1);
2162 	ies += res->ie_len;
2163 
2164 	for_each_element_id(elem, WLAN_EID_VENDOR_SPECIFIC, ies,
2165 			    res->beacon_ie_len) {
2166 		if (elem->datalen >= 4 &&
2167 		    vendor_type == WPA_GET_BE32(elem->data))
2168 			return &elem->id;
2169 	}
2170 
2171 	return NULL;
2172 }
2173 
2174 
2175 /**
2176  * wpa_scan_get_vendor_ie_multi - Fetch vendor IE data from a scan result
2177  * @res: Scan result entry
2178  * @vendor_type: Vendor type (four octets starting the IE payload)
2179  * Returns: Pointer to the information element payload or %NULL if not found
2180  *
2181  * This function returns concatenated payload of possibly fragmented vendor
2182  * specific information elements in the scan result. The caller is responsible
2183  * for freeing the returned buffer.
2184  */
2185 struct wpabuf * wpa_scan_get_vendor_ie_multi(const struct wpa_scan_res *res,
2186 					     u32 vendor_type)
2187 {
2188 	struct wpabuf *buf;
2189 	const u8 *end, *pos;
2190 
2191 	buf = wpabuf_alloc(res->ie_len);
2192 	if (buf == NULL)
2193 		return NULL;
2194 
2195 	pos = (const u8 *) (res + 1);
2196 	end = pos + res->ie_len;
2197 
2198 	while (end - pos > 1) {
2199 		u8 ie, len;
2200 
2201 		ie = pos[0];
2202 		len = pos[1];
2203 		if (len > end - pos - 2)
2204 			break;
2205 		pos += 2;
2206 		if (ie == WLAN_EID_VENDOR_SPECIFIC && len >= 4 &&
2207 		    vendor_type == WPA_GET_BE32(pos))
2208 			wpabuf_put_data(buf, pos + 4, len - 4);
2209 		pos += len;
2210 	}
2211 
2212 	if (wpabuf_len(buf) == 0) {
2213 		wpabuf_free(buf);
2214 		buf = NULL;
2215 	}
2216 
2217 	return buf;
2218 }
2219 
2220 
2221 static int wpas_channel_width_offset(enum chan_width cw)
2222 {
2223 	switch (cw) {
2224 	case CHAN_WIDTH_40:
2225 		return 1;
2226 	case CHAN_WIDTH_80:
2227 		return 2;
2228 	case CHAN_WIDTH_80P80:
2229 	case CHAN_WIDTH_160:
2230 		return 3;
2231 	case CHAN_WIDTH_320:
2232 		return 4;
2233 	default:
2234 		return 0;
2235 	}
2236 }
2237 
2238 
2239 /**
2240  * wpas_channel_width_tx_pwr - Calculate the max transmit power at the channel
2241  * width
2242  * @ies: Information elements
2243  * @ies_len: Length of elements
2244  * @cw: The channel width
2245  * Returns: The max transmit power at the channel width, TX_POWER_NO_CONSTRAINT
2246  * if it is not constrained.
2247  *
2248  * This function is only used to estimate the actual signal RSSI when associated
2249  * based on the beacon RSSI at the STA. Beacon frames are transmitted on 20 MHz
2250  * channels, while the Data frames usually use higher channel width. Therefore
2251  * their RSSIs may be different. Assuming there is a fixed gap between the TX
2252  * power limit of the STA defined by the Transmit Power Envelope element and the
2253  * TX power of the AP, the difference in the TX power of X MHz and Y MHz at the
2254  * STA equals to the difference at the AP, and the difference in the signal RSSI
2255  * at the STA. tx_pwr is a floating point number in the standard, but the error
2256  * of casting to int is trivial in comparing two BSSes.
2257  */
2258 static int wpas_channel_width_tx_pwr(const u8 *ies, size_t ies_len,
2259 				     enum chan_width cw)
2260 {
2261 	int offset = wpas_channel_width_offset(cw);
2262 	const struct element *elem;
2263 	int max_tx_power = TX_POWER_NO_CONSTRAINT, tx_pwr = 0;
2264 
2265 	for_each_element_id(elem, WLAN_EID_TRANSMIT_POWER_ENVELOPE, ies,
2266 			    ies_len) {
2267 		int max_tx_pwr_count;
2268 		enum max_tx_pwr_interpretation tx_pwr_intrpn;
2269 		enum reg_6g_client_type client_type;
2270 
2271 		if (elem->datalen < 1)
2272 			continue;
2273 
2274 		/*
2275 		 * IEEE Std 802.11ax-2021, 9.4.2.161 (Transmit Power Envelope
2276 		 * element) defines Maximum Transmit Power Count (B0-B2),
2277 		 * Maximum Transmit Power Interpretation (B3-B5), and Maximum
2278 		 * Transmit Power Category (B6-B7).
2279 		 */
2280 		max_tx_pwr_count = elem->data[0] & 0x07;
2281 		tx_pwr_intrpn = (elem->data[0] >> 3) & 0x07;
2282 		client_type = (elem->data[0] >> 6) & 0x03;
2283 
2284 		if (client_type != REG_DEFAULT_CLIENT)
2285 			continue;
2286 
2287 		if (tx_pwr_intrpn == LOCAL_EIRP ||
2288 		    tx_pwr_intrpn == REGULATORY_CLIENT_EIRP) {
2289 			int offs;
2290 
2291 			max_tx_pwr_count = MIN(max_tx_pwr_count, 3);
2292 			offs = MIN(offset, max_tx_pwr_count) + 1;
2293 			if (elem->datalen <= offs)
2294 				continue;
2295 			tx_pwr = (signed char) elem->data[offs];
2296 			/*
2297 			 * Maximum Transmit Power subfield is encoded as an
2298 			 * 8-bit 2s complement signed integer in the range -64
2299 			 * dBm to 63 dBm with a 0.5 dB step. 63.5 dBm means no
2300 			 * local maximum transmit power constraint.
2301 			 */
2302 			if (tx_pwr == 127)
2303 				continue;
2304 			tx_pwr /= 2;
2305 			max_tx_power = MIN(max_tx_power, tx_pwr);
2306 		} else if (tx_pwr_intrpn == LOCAL_EIRP_PSD ||
2307 			   tx_pwr_intrpn == REGULATORY_CLIENT_EIRP_PSD) {
2308 			if (elem->datalen < 2)
2309 				continue;
2310 
2311 			tx_pwr = (signed char) elem->data[1];
2312 			/*
2313 			 * Maximum Transmit PSD subfield is encoded as an 8-bit
2314 			 * 2s complement signed integer. -128 indicates that the
2315 			 * corresponding 20 MHz channel cannot be used for
2316 			 * transmission. +127 indicates that no maximum PSD
2317 			 * limit is specified for the corresponding 20 MHz
2318 			 * channel.
2319 			 */
2320 			if (tx_pwr == 127 || tx_pwr == -128)
2321 				continue;
2322 
2323 			/*
2324 			 * The Maximum Transmit PSD subfield indicates the
2325 			 * maximum transmit PSD for the 20 MHz channel. Suppose
2326 			 * the PSD value is X dBm/MHz, the TX power of N MHz is
2327 			 * X + 10*log10(N) = X + 10*log10(20) + 10*log10(N/20) =
2328 			 * X + 13 + 3*log2(N/20)
2329 			 */
2330 			tx_pwr = tx_pwr / 2 + 13 + offset * 3;
2331 			max_tx_power = MIN(max_tx_power, tx_pwr);
2332 		}
2333 	}
2334 
2335 	return max_tx_power;
2336 }
2337 
2338 
2339 /**
2340  * Estimate the RSSI bump of channel width |cw| with respect to 20 MHz channel.
2341  * If the TX power has no constraint, it is unable to estimate the RSSI bump.
2342  */
2343 int wpas_channel_width_rssi_bump(const u8 *ies, size_t ies_len,
2344 				 enum chan_width cw)
2345 {
2346 	int max_20mhz_tx_pwr = wpas_channel_width_tx_pwr(ies, ies_len,
2347 							 CHAN_WIDTH_20);
2348 	int max_cw_tx_pwr = wpas_channel_width_tx_pwr(ies, ies_len, cw);
2349 
2350 	return (max_20mhz_tx_pwr == TX_POWER_NO_CONSTRAINT ||
2351 		max_cw_tx_pwr == TX_POWER_NO_CONSTRAINT) ?
2352 		0 : (max_cw_tx_pwr - max_20mhz_tx_pwr);
2353 }
2354 
2355 
2356 int wpas_adjust_snr_by_chanwidth(const u8 *ies, size_t ies_len,
2357 				 enum chan_width max_cw, int snr)
2358 {
2359 	int rssi_bump = wpas_channel_width_rssi_bump(ies, ies_len, max_cw);
2360 	/*
2361 	 * The noise has uniform power spectral density (PSD) across the
2362 	 * frequency band, its power is proportional to the channel width.
2363 	 * Suppose the PSD of noise is X dBm/MHz, the noise power of N MHz is
2364 	 * X + 10*log10(N), and the noise power bump with respect to 20 MHz is
2365 	 * 10*log10(N) - 10*log10(20) = 10*log10(N/20) = 3*log2(N/20)
2366 	 */
2367 	int noise_bump = 3 * wpas_channel_width_offset(max_cw);
2368 
2369 	return snr + rssi_bump - noise_bump;
2370 }
2371 
2372 
2373 /* Compare function for sorting scan results. Return >0 if @b is considered
2374  * better. */
2375 static int wpa_scan_result_compar(const void *a, const void *b)
2376 {
2377 	struct wpa_scan_res **_wa = (void *) a;
2378 	struct wpa_scan_res **_wb = (void *) b;
2379 	struct wpa_scan_res *wa = *_wa;
2380 	struct wpa_scan_res *wb = *_wb;
2381 	int wpa_a, wpa_b;
2382 	int snr_a, snr_b, snr_a_full, snr_b_full;
2383 	size_t ies_len;
2384 	const u8 *rsne_a, *rsne_b;
2385 
2386 	/* WPA/WPA2 support preferred */
2387 	wpa_a = wpa_scan_get_vendor_ie(wa, WPA_IE_VENDOR_TYPE) != NULL ||
2388 		wpa_scan_get_ie(wa, WLAN_EID_RSN) != NULL;
2389 	wpa_b = wpa_scan_get_vendor_ie(wb, WPA_IE_VENDOR_TYPE) != NULL ||
2390 		wpa_scan_get_ie(wb, WLAN_EID_RSN) != NULL;
2391 
2392 	if (wpa_b && !wpa_a)
2393 		return 1;
2394 	if (!wpa_b && wpa_a)
2395 		return -1;
2396 
2397 	/* privacy support preferred */
2398 	if ((wa->caps & IEEE80211_CAP_PRIVACY) == 0 &&
2399 	    (wb->caps & IEEE80211_CAP_PRIVACY))
2400 		return 1;
2401 	if ((wa->caps & IEEE80211_CAP_PRIVACY) &&
2402 	    (wb->caps & IEEE80211_CAP_PRIVACY) == 0)
2403 		return -1;
2404 
2405 	if (wa->flags & wb->flags & WPA_SCAN_LEVEL_DBM) {
2406 		/*
2407 		 * The scan result estimates SNR over 20 MHz, while Data frames
2408 		 * usually use wider channel width. The TX power and noise power
2409 		 * are both affected by the channel width.
2410 		 */
2411 		ies_len = wa->ie_len ? wa->ie_len : wa->beacon_ie_len;
2412 		snr_a_full = wpas_adjust_snr_by_chanwidth((const u8 *) (wa + 1),
2413 							  ies_len, wa->max_cw,
2414 							  wa->snr);
2415 		snr_a = MIN(snr_a_full, GREAT_SNR);
2416 		ies_len = wb->ie_len ? wb->ie_len : wb->beacon_ie_len;
2417 		snr_b_full = wpas_adjust_snr_by_chanwidth((const u8 *) (wb + 1),
2418 							  ies_len, wb->max_cw,
2419 							  wb->snr);
2420 		snr_b = MIN(snr_b_full, GREAT_SNR);
2421 	} else {
2422 		/* Level is not in dBm, so we can't calculate
2423 		 * SNR. Just use raw level (units unknown). */
2424 		snr_a = snr_a_full = wa->level;
2425 		snr_b = snr_b_full = wb->level;
2426 	}
2427 
2428 	/* If SNR of a SAE BSS is good or at least as high as the PSK BSS,
2429 	 * prefer SAE over PSK for mixed WPA3-Personal transition mode and
2430 	 * WPA2-Personal deployments */
2431 	rsne_a = wpa_scan_get_ie(wa, WLAN_EID_RSN);
2432 	rsne_b = wpa_scan_get_ie(wb, WLAN_EID_RSN);
2433 	if (rsne_a && rsne_b) {
2434 		struct wpa_ie_data data;
2435 		bool psk_a = false, psk_b = false, sae_a = false, sae_b = false;
2436 
2437 		if (wpa_parse_wpa_ie_rsn(rsne_a, 2 + rsne_a[1], &data) == 0) {
2438 			psk_a = wpa_key_mgmt_wpa_psk_no_sae(data.key_mgmt);
2439 			sae_a = wpa_key_mgmt_sae(data.key_mgmt);
2440 		}
2441 		if (wpa_parse_wpa_ie_rsn(rsne_b, 2 + rsne_b[1], &data) == 0) {
2442 			psk_b = wpa_key_mgmt_wpa_psk_no_sae(data.key_mgmt);
2443 			sae_b = wpa_key_mgmt_sae(data.key_mgmt);
2444 		}
2445 
2446 		if (sae_a && !sae_b && psk_b &&
2447 		    (snr_a >= GREAT_SNR || snr_a >= snr_b))
2448 			return -1;
2449 		if (sae_b && !sae_a && psk_a &&
2450 		    (snr_b >= GREAT_SNR || snr_b >= snr_a))
2451 			return 1;
2452 	}
2453 
2454 	/* If SNR is close, decide by max rate or frequency band. For cases
2455 	 * involving the 6 GHz band, use the throughput estimate irrespective
2456 	 * of the SNR difference since the LPI/VLP rules may result in
2457 	 * significant differences in SNR for cases where the estimated
2458 	 * throughput can be considerably higher with the lower SNR. */
2459 	if (snr_a && snr_b && (abs(snr_b - snr_a) < 7 ||
2460 			       is_6ghz_freq(wa->freq) ||
2461 			       is_6ghz_freq(wb->freq))) {
2462 		if (wa->est_throughput != wb->est_throughput)
2463 			return (int) wb->est_throughput -
2464 				(int) wa->est_throughput;
2465 	}
2466 	if ((snr_a && snr_b && abs(snr_b - snr_a) < 5) ||
2467 	    (wa->qual && wb->qual && abs(wb->qual - wa->qual) < 10)) {
2468 		if (is_6ghz_freq(wa->freq) ^ is_6ghz_freq(wb->freq))
2469 			return is_6ghz_freq(wa->freq) ? -1 : 1;
2470 		if (IS_5GHZ(wa->freq) ^ IS_5GHZ(wb->freq))
2471 			return IS_5GHZ(wa->freq) ? -1 : 1;
2472 	}
2473 
2474 	/* all things being equal, use SNR; if SNRs are
2475 	 * identical, use quality values since some drivers may only report
2476 	 * that value and leave the signal level zero */
2477 	if (snr_b_full == snr_a_full)
2478 		return wb->qual - wa->qual;
2479 	return snr_b_full - snr_a_full;
2480 }
2481 
2482 
2483 #ifdef CONFIG_WPS
2484 /* Compare function for sorting scan results when searching a WPS AP for
2485  * provisioning. Return >0 if @b is considered better. */
2486 static int wpa_scan_result_wps_compar(const void *a, const void *b)
2487 {
2488 	struct wpa_scan_res **_wa = (void *) a;
2489 	struct wpa_scan_res **_wb = (void *) b;
2490 	struct wpa_scan_res *wa = *_wa;
2491 	struct wpa_scan_res *wb = *_wb;
2492 	int uses_wps_a, uses_wps_b;
2493 	struct wpabuf *wps_a, *wps_b;
2494 	int res;
2495 
2496 	/* Optimization - check WPS IE existence before allocated memory and
2497 	 * doing full reassembly. */
2498 	uses_wps_a = wpa_scan_get_vendor_ie(wa, WPS_IE_VENDOR_TYPE) != NULL;
2499 	uses_wps_b = wpa_scan_get_vendor_ie(wb, WPS_IE_VENDOR_TYPE) != NULL;
2500 	if (uses_wps_a && !uses_wps_b)
2501 		return -1;
2502 	if (!uses_wps_a && uses_wps_b)
2503 		return 1;
2504 
2505 	if (uses_wps_a && uses_wps_b) {
2506 		wps_a = wpa_scan_get_vendor_ie_multi(wa, WPS_IE_VENDOR_TYPE);
2507 		wps_b = wpa_scan_get_vendor_ie_multi(wb, WPS_IE_VENDOR_TYPE);
2508 		res = wps_ap_priority_compar(wps_a, wps_b);
2509 		wpabuf_free(wps_a);
2510 		wpabuf_free(wps_b);
2511 		if (res)
2512 			return res;
2513 	}
2514 
2515 	/*
2516 	 * Do not use current AP security policy as a sorting criteria during
2517 	 * WPS provisioning step since the AP may get reconfigured at the
2518 	 * completion of provisioning.
2519 	 */
2520 
2521 	/* all things being equal, use signal level; if signal levels are
2522 	 * identical, use quality values since some drivers may only report
2523 	 * that value and leave the signal level zero */
2524 	if (wb->level == wa->level)
2525 		return wb->qual - wa->qual;
2526 	return wb->level - wa->level;
2527 }
2528 #endif /* CONFIG_WPS */
2529 
2530 
2531 static void dump_scan_res(struct wpa_scan_results *scan_res)
2532 {
2533 #ifndef CONFIG_NO_STDOUT_DEBUG
2534 	size_t i;
2535 
2536 	if (scan_res->res == NULL || scan_res->num == 0)
2537 		return;
2538 
2539 	wpa_printf(MSG_EXCESSIVE, "Sorted scan results");
2540 
2541 	for (i = 0; i < scan_res->num; i++) {
2542 		struct wpa_scan_res *r = scan_res->res[i];
2543 		u8 *pos;
2544 		const u8 *ssid_ie, *ssid = NULL;
2545 		size_t ssid_len = 0;
2546 
2547 		ssid_ie = wpa_scan_get_ie(r, WLAN_EID_SSID);
2548 		if (ssid_ie) {
2549 			ssid = ssid_ie + 2;
2550 			ssid_len = ssid_ie[1];
2551 		}
2552 
2553 		if (r->flags & WPA_SCAN_LEVEL_DBM) {
2554 			int noise_valid = !(r->flags & WPA_SCAN_NOISE_INVALID);
2555 
2556 			wpa_printf(MSG_EXCESSIVE, MACSTR
2557 				   " ssid=%s freq=%d qual=%d noise=%d%s level=%d snr=%d%s flags=0x%x age=%u est=%u",
2558 				   MAC2STR(r->bssid),
2559 				   wpa_ssid_txt(ssid, ssid_len),
2560 				   r->freq, r->qual,
2561 				   r->noise, noise_valid ? "" : "~", r->level,
2562 				   r->snr, r->snr >= GREAT_SNR ? "*" : "",
2563 				   r->flags,
2564 				   r->age, r->est_throughput);
2565 		} else {
2566 			wpa_printf(MSG_EXCESSIVE, MACSTR
2567 				   " ssid=%s freq=%d qual=%d noise=%d level=%d flags=0x%x age=%u est=%u",
2568 				   MAC2STR(r->bssid),
2569 				   wpa_ssid_txt(ssid, ssid_len),
2570 				   r->freq, r->qual,
2571 				   r->noise, r->level, r->flags, r->age,
2572 				   r->est_throughput);
2573 		}
2574 		pos = (u8 *) (r + 1);
2575 		if (r->ie_len)
2576 			wpa_hexdump(MSG_EXCESSIVE, "IEs", pos, r->ie_len);
2577 		pos += r->ie_len;
2578 		if (r->beacon_ie_len)
2579 			wpa_hexdump(MSG_EXCESSIVE, "Beacon IEs",
2580 				    pos, r->beacon_ie_len);
2581 	}
2582 #endif /* CONFIG_NO_STDOUT_DEBUG */
2583 }
2584 
2585 
2586 /**
2587  * wpa_supplicant_filter_bssid_match - Is the specified BSSID allowed
2588  * @wpa_s: Pointer to wpa_supplicant data
2589  * @bssid: BSSID to check
2590  * Returns: 0 if the BSSID is filtered or 1 if not
2591  *
2592  * This function is used to filter out specific BSSIDs from scan reslts mainly
2593  * for testing purposes (SET bssid_filter ctrl_iface command).
2594  */
2595 int wpa_supplicant_filter_bssid_match(struct wpa_supplicant *wpa_s,
2596 				      const u8 *bssid)
2597 {
2598 	size_t i;
2599 
2600 	if (wpa_s->bssid_filter == NULL)
2601 		return 1;
2602 
2603 	for (i = 0; i < wpa_s->bssid_filter_count; i++) {
2604 		if (ether_addr_equal(wpa_s->bssid_filter + i * ETH_ALEN, bssid))
2605 			return 1;
2606 	}
2607 
2608 	return 0;
2609 }
2610 
2611 
2612 static void filter_scan_res(struct wpa_supplicant *wpa_s,
2613 			    struct wpa_scan_results *res)
2614 {
2615 	size_t i, j;
2616 
2617 	if (wpa_s->bssid_filter == NULL)
2618 		return;
2619 
2620 	for (i = 0, j = 0; i < res->num; i++) {
2621 		if (wpa_supplicant_filter_bssid_match(wpa_s,
2622 						      res->res[i]->bssid)) {
2623 			res->res[j++] = res->res[i];
2624 		} else {
2625 			os_free(res->res[i]);
2626 			res->res[i] = NULL;
2627 		}
2628 	}
2629 
2630 	if (res->num != j) {
2631 		wpa_printf(MSG_DEBUG, "Filtered out %d scan results",
2632 			   (int) (res->num - j));
2633 		res->num = j;
2634 	}
2635 }
2636 
2637 
2638 void scan_snr(struct wpa_scan_res *res)
2639 {
2640 	if (res->flags & WPA_SCAN_NOISE_INVALID) {
2641 		res->noise = is_6ghz_freq(res->freq) ?
2642 			DEFAULT_NOISE_FLOOR_6GHZ :
2643 			(IS_5GHZ(res->freq) ?
2644 			 DEFAULT_NOISE_FLOOR_5GHZ : DEFAULT_NOISE_FLOOR_2GHZ);
2645 	}
2646 
2647 	if (res->flags & WPA_SCAN_LEVEL_DBM) {
2648 		res->snr = res->level - res->noise;
2649 	} else {
2650 		/* Level is not in dBm, so we can't calculate
2651 		 * SNR. Just use raw level (units unknown). */
2652 		res->snr = res->level;
2653 	}
2654 }
2655 
2656 
2657 /* Minimum SNR required to achieve a certain bitrate. */
2658 struct minsnr_bitrate_entry {
2659 	int minsnr;
2660 	unsigned int bitrate; /* in Mbps */
2661 };
2662 
2663 /* VHT needs to be enabled in order to achieve MCS8 and MCS9 rates. */
2664 static const int vht_mcs = 8;
2665 
2666 static const struct minsnr_bitrate_entry vht20_table[] = {
2667 	{ 0, 0 },
2668 	{ 2, 6500 },   /* HT20 MCS0 */
2669 	{ 5, 13000 },  /* HT20 MCS1 */
2670 	{ 9, 19500 },  /* HT20 MCS2 */
2671 	{ 11, 26000 }, /* HT20 MCS3 */
2672 	{ 15, 39000 }, /* HT20 MCS4 */
2673 	{ 18, 52000 }, /* HT20 MCS5 */
2674 	{ 20, 58500 }, /* HT20 MCS6 */
2675 	{ 25, 65000 }, /* HT20 MCS7 */
2676 	{ 29, 78000 }, /* VHT20 MCS8 */
2677 	{ -1, 78000 }  /* SNR > 29 */
2678 };
2679 
2680 static const struct minsnr_bitrate_entry vht40_table[] = {
2681 	{ 0, 0 },
2682 	{ 5, 13500 },   /* HT40 MCS0 */
2683 	{ 8, 27000 },   /* HT40 MCS1 */
2684 	{ 12, 40500 },  /* HT40 MCS2 */
2685 	{ 14, 54000 },  /* HT40 MCS3 */
2686 	{ 18, 81000 },  /* HT40 MCS4 */
2687 	{ 21, 108000 }, /* HT40 MCS5 */
2688 	{ 23, 121500 }, /* HT40 MCS6 */
2689 	{ 28, 135000 }, /* HT40 MCS7 */
2690 	{ 32, 162000 }, /* VHT40 MCS8 */
2691 	{ 34, 180000 }, /* VHT40 MCS9 */
2692 	{ -1, 180000 }  /* SNR > 34 */
2693 };
2694 
2695 static const struct minsnr_bitrate_entry vht80_table[] = {
2696 	{ 0, 0 },
2697 	{ 8, 29300 },   /* VHT80 MCS0 */
2698 	{ 11, 58500 },  /* VHT80 MCS1 */
2699 	{ 15, 87800 },  /* VHT80 MCS2 */
2700 	{ 17, 117000 }, /* VHT80 MCS3 */
2701 	{ 21, 175500 }, /* VHT80 MCS4 */
2702 	{ 24, 234000 }, /* VHT80 MCS5 */
2703 	{ 26, 263300 }, /* VHT80 MCS6 */
2704 	{ 31, 292500 }, /* VHT80 MCS7 */
2705 	{ 35, 351000 }, /* VHT80 MCS8 */
2706 	{ 37, 390000 }, /* VHT80 MCS9 */
2707 	{ -1, 390000 }  /* SNR > 37 */
2708 };
2709 
2710 
2711 static const struct minsnr_bitrate_entry vht160_table[] = {
2712 	{ 0, 0 },
2713 	{ 11, 58500 },  /* VHT160 MCS0 */
2714 	{ 14, 117000 }, /* VHT160 MCS1 */
2715 	{ 18, 175500 }, /* VHT160 MCS2 */
2716 	{ 20, 234000 }, /* VHT160 MCS3 */
2717 	{ 24, 351000 }, /* VHT160 MCS4 */
2718 	{ 27, 468000 }, /* VHT160 MCS5 */
2719 	{ 29, 526500 }, /* VHT160 MCS6 */
2720 	{ 34, 585000 }, /* VHT160 MCS7 */
2721 	{ 38, 702000 }, /* VHT160 MCS8 */
2722 	{ 40, 780000 }, /* VHT160 MCS9 */
2723 	{ -1, 780000 }  /* SNR > 37 */
2724 };
2725 
2726 /* EHT needs to be enabled in order to achieve MCS12 and MCS13 rates. */
2727 #define EHT_MCS 12
2728 
2729 static const struct minsnr_bitrate_entry he20_table[] = {
2730 	{ 0, 0 },
2731 	{ 2, 8600 },    /* HE20 MCS0 */
2732 	{ 5, 17200 },   /* HE20 MCS1 */
2733 	{ 9, 25800 },   /* HE20 MCS2 */
2734 	{ 11, 34400 },  /* HE20 MCS3 */
2735 	{ 15, 51600 },  /* HE20 MCS4 */
2736 	{ 18, 68800 },  /* HE20 MCS5 */
2737 	{ 20, 77400 },  /* HE20 MCS6 */
2738 	{ 25, 86000 },  /* HE20 MCS7 */
2739 	{ 29, 103200 }, /* HE20 MCS8 */
2740 	{ 31, 114700 }, /* HE20 MCS9 */
2741 	{ 34, 129000 }, /* HE20 MCS10 */
2742 	{ 36, 143400 }, /* HE20 MCS11 */
2743 	{ 39, 154900 }, /* EHT20 MCS12 */
2744 	{ 42, 172100 }, /* EHT20 MCS13 */
2745 	{ -1, 172100 }  /* SNR > 42 */
2746 };
2747 
2748 static const struct minsnr_bitrate_entry he40_table[] = {
2749 	{ 0, 0 },
2750 	{ 5, 17200 },   /* HE40 MCS0 */
2751 	{ 8, 34400 },   /* HE40 MCS1 */
2752 	{ 12, 51600 },  /* HE40 MCS2 */
2753 	{ 14, 68800 },  /* HE40 MCS3 */
2754 	{ 18, 103200 }, /* HE40 MCS4 */
2755 	{ 21, 137600 }, /* HE40 MCS5 */
2756 	{ 23, 154900 }, /* HE40 MCS6 */
2757 	{ 28, 172100 }, /* HE40 MCS7 */
2758 	{ 32, 206500 }, /* HE40 MCS8 */
2759 	{ 34, 229400 }, /* HE40 MCS9 */
2760 	{ 37, 258100 }, /* HE40 MCS10 */
2761 	{ 39, 286800 }, /* HE40 MCS11 */
2762 	{ 42, 309500 }, /* EHT40 MCS12 */
2763 	{ 45, 344100 }, /* EHT40 MCS13 */
2764 	{ -1, 344100 }  /* SNR > 45 */
2765 };
2766 
2767 static const struct minsnr_bitrate_entry he80_table[] = {
2768 	{ 0, 0 },
2769 	{ 8, 36000 },   /* HE80 MCS0 */
2770 	{ 11, 72100 },  /* HE80 MCS1 */
2771 	{ 15, 108100 }, /* HE80 MCS2 */
2772 	{ 17, 144100 }, /* HE80 MCS3 */
2773 	{ 21, 216200 }, /* HE80 MCS4 */
2774 	{ 24, 288200 }, /* HE80 MCS5 */
2775 	{ 26, 324300 }, /* HE80 MCS6 */
2776 	{ 31, 360300 }, /* HE80 MCS7 */
2777 	{ 35, 432400 }, /* HE80 MCS8 */
2778 	{ 37, 480400 }, /* HE80 MCS9 */
2779 	{ 40, 540400 }, /* HE80 MCS10 */
2780 	{ 42, 600500 }, /* HE80 MCS11 */
2781 	{ 45, 648500 }, /* EHT80 MCS12 */
2782 	{ 48, 720600 }, /* EHT80 MCS13 */
2783 	{ -1, 720600 }  /* SNR > 48 */
2784 };
2785 
2786 
2787 static const struct minsnr_bitrate_entry he160_table[] = {
2788 	{ 0, 0 },
2789 	{ 11, 72100 },   /* HE160 MCS0 */
2790 	{ 14, 144100 },  /* HE160 MCS1 */
2791 	{ 18, 216200 },  /* HE160 MCS2 */
2792 	{ 20, 288200 },  /* HE160 MCS3 */
2793 	{ 24, 432400 },  /* HE160 MCS4 */
2794 	{ 27, 576500 },  /* HE160 MCS5 */
2795 	{ 29, 648500 },  /* HE160 MCS6 */
2796 	{ 34, 720600 },  /* HE160 MCS7 */
2797 	{ 38, 864700 },  /* HE160 MCS8 */
2798 	{ 40, 960800 },  /* HE160 MCS9 */
2799 	{ 43, 1080900 }, /* HE160 MCS10 */
2800 	{ 45, 1201000 }, /* HE160 MCS11 */
2801 	{ 48, 1297100 }, /* EHT160 MCS12 */
2802 	{ 51, 1441200 }, /* EHT160 MCS13 */
2803 	{ -1, 1441200 }  /* SNR > 51 */
2804 };
2805 
2806 /* See IEEE P802.11be/D2.0, Table 36-86: EHT-MCSs for 4x996-tone RU, NSS,u = 1
2807  */
2808 static const struct minsnr_bitrate_entry eht320_table[] = {
2809 	{ 0, 0 },
2810 	{ 14, 144100 },   /* EHT320 MCS0 */
2811 	{ 17, 288200 },   /* EHT320 MCS1 */
2812 	{ 21, 432400 },   /* EHT320 MCS2 */
2813 	{ 23, 576500 },   /* EHT320 MCS3 */
2814 	{ 27, 864700 },   /* EHT320 MCS4 */
2815 	{ 30, 1152900 },  /* EHT320 MCS5 */
2816 	{ 32, 1297100 },  /* EHT320 MCS6 */
2817 	{ 37, 1441200 },  /* EHT320 MCS7 */
2818 	{ 41, 1729400 },  /* EHT320 MCS8 */
2819 	{ 43, 1921500 },  /* EHT320 MCS9 */
2820 	{ 46, 2161800 },  /* EHT320 MCS10 */
2821 	{ 48, 2401900 },  /* EHT320 MCS11 */
2822 	{ 51, 2594100 },  /* EHT320 MCS12 */
2823 	{ 54, 2882400 },  /* EHT320 MCS13 */
2824 	{ -1, 2882400 }   /* SNR > 54 */
2825 };
2826 
2827 static unsigned int interpolate_rate(int snr, int snr0, int snr1,
2828 				     int rate0, int rate1)
2829 {
2830 	return rate0 + (snr - snr0) * (rate1 - rate0) / (snr1 - snr0);
2831 }
2832 
2833 
2834 static unsigned int max_rate(const struct minsnr_bitrate_entry table[],
2835 			     int snr, bool vht)
2836 {
2837 	const struct minsnr_bitrate_entry *prev, *entry = table;
2838 
2839 	while ((entry->minsnr != -1) &&
2840 	       (snr >= entry->minsnr) &&
2841 	       (vht || entry - table <= vht_mcs))
2842 		entry++;
2843 	if (entry == table)
2844 		return entry->bitrate;
2845 	prev = entry - 1;
2846 	if (entry->minsnr == -1 || (!vht && entry - table > vht_mcs))
2847 		return prev->bitrate;
2848 	return interpolate_rate(snr, prev->minsnr, entry->minsnr, prev->bitrate,
2849 				entry->bitrate);
2850 }
2851 
2852 
2853 static unsigned int max_ht20_rate(int snr, bool vht)
2854 {
2855 	return max_rate(vht20_table, snr, vht);
2856 }
2857 
2858 
2859 static unsigned int max_ht40_rate(int snr, bool vht)
2860 {
2861 	return max_rate(vht40_table, snr, vht);
2862 }
2863 
2864 
2865 static unsigned int max_vht80_rate(int snr)
2866 {
2867 	return max_rate(vht80_table, snr, 1);
2868 }
2869 
2870 
2871 static unsigned int max_vht160_rate(int snr)
2872 {
2873 	return max_rate(vht160_table, snr, 1);
2874 }
2875 
2876 
2877 static unsigned int max_he_eht_rate(const struct minsnr_bitrate_entry table[],
2878 				    int snr, bool eht)
2879 {
2880 	const struct minsnr_bitrate_entry *prev, *entry = table;
2881 
2882 	while (entry->minsnr != -1 && snr >= entry->minsnr &&
2883 	       (eht || entry - table <= EHT_MCS))
2884 		entry++;
2885 	if (entry == table)
2886 		return 0;
2887 	prev = entry - 1;
2888 	if (entry->minsnr == -1 || (!eht && entry - table > EHT_MCS))
2889 		return prev->bitrate;
2890 	return interpolate_rate(snr, prev->minsnr, entry->minsnr,
2891 				prev->bitrate, entry->bitrate);
2892 }
2893 
2894 
2895 unsigned int wpas_get_est_tpt(const struct wpa_supplicant *wpa_s,
2896 			      const u8 *ies, size_t ies_len, int rate,
2897 			      int snr, int freq, enum chan_width *max_cw)
2898 {
2899 	struct hostapd_hw_modes *hw_mode;
2900 	unsigned int est, tmp;
2901 	const u8 *ie;
2902 	/*
2903 	 * No need to apply a bump to the noise here because the
2904 	 * minsnr_bitrate_entry tables are based on MCS tables where this has
2905 	 * been taken into account.
2906 	 */
2907 	int adjusted_snr;
2908 	bool ht40 = false, vht80 = false, vht160 = false;
2909 
2910 	/* Limit based on estimated SNR */
2911 	if (rate > 1 * 2 && snr < 1)
2912 		rate = 1 * 2;
2913 	else if (rate > 2 * 2 && snr < 4)
2914 		rate = 2 * 2;
2915 	else if (rate > 6 * 2 && snr < 5)
2916 		rate = 6 * 2;
2917 	else if (rate > 9 * 2 && snr < 6)
2918 		rate = 9 * 2;
2919 	else if (rate > 12 * 2 && snr < 7)
2920 		rate = 12 * 2;
2921 	else if (rate > 12 * 2 && snr < 8)
2922 		rate = 14 * 2;
2923 	else if (rate > 12 * 2 && snr < 9)
2924 		rate = 16 * 2;
2925 	else if (rate > 18 * 2 && snr < 10)
2926 		rate = 18 * 2;
2927 	else if (rate > 24 * 2 && snr < 11)
2928 		rate = 24 * 2;
2929 	else if (rate > 24 * 2 && snr < 12)
2930 		rate = 27 * 2;
2931 	else if (rate > 24 * 2 && snr < 13)
2932 		rate = 30 * 2;
2933 	else if (rate > 24 * 2 && snr < 14)
2934 		rate = 33 * 2;
2935 	else if (rate > 36 * 2 && snr < 15)
2936 		rate = 36 * 2;
2937 	else if (rate > 36 * 2 && snr < 16)
2938 		rate = 39 * 2;
2939 	else if (rate > 36 * 2 && snr < 17)
2940 		rate = 42 * 2;
2941 	else if (rate > 36 * 2 && snr < 18)
2942 		rate = 45 * 2;
2943 	else if (rate > 48 * 2 && snr < 19)
2944 		rate = 48 * 2;
2945 	else if (rate > 48 * 2 && snr < 20)
2946 		rate = 51 * 2;
2947 	else if (rate > 54 * 2 && snr < 21)
2948 		rate = 54 * 2;
2949 	est = rate * 500;
2950 
2951 	hw_mode = get_mode_with_freq(wpa_s->hw.modes, wpa_s->hw.num_modes,
2952 				     freq);
2953 
2954 	if (hw_mode && hw_mode->ht_capab) {
2955 		ie = get_ie(ies, ies_len, WLAN_EID_HT_CAP);
2956 		if (ie) {
2957 			*max_cw = CHAN_WIDTH_20;
2958 			tmp = max_ht20_rate(snr, false);
2959 			if (tmp > est)
2960 				est = tmp;
2961 		}
2962 	}
2963 
2964 	ie = get_ie(ies, ies_len, WLAN_EID_HT_OPERATION);
2965 	if (ie && ie[1] >= 2 &&
2966 	    (ie[3] & HT_INFO_HT_PARAM_SECONDARY_CHNL_OFF_MASK))
2967 		ht40 = true;
2968 
2969 	if (hw_mode &&
2970 	    (hw_mode->ht_capab & HT_CAP_INFO_SUPP_CHANNEL_WIDTH_SET)) {
2971 		if (ht40) {
2972 			*max_cw = CHAN_WIDTH_40;
2973 			adjusted_snr = snr +
2974 				wpas_channel_width_rssi_bump(ies, ies_len,
2975 							     CHAN_WIDTH_40);
2976 			tmp = max_ht40_rate(adjusted_snr, false);
2977 			if (tmp > est)
2978 				est = tmp;
2979 		}
2980 	}
2981 
2982 	/* Determine VHT BSS bandwidth based on IEEE Std 802.11-2020,
2983 	 * Table 11-23 (VHT BSS bandwidth) */
2984 	ie = get_ie(ies, ies_len, WLAN_EID_VHT_OPERATION);
2985 	if (ie && ie[1] >= 3) {
2986 		u8 cw = ie[2] & VHT_OPMODE_CHANNEL_WIDTH_MASK;
2987 		u8 seg0 = ie[3];
2988 		u8 seg1 = ie[4];
2989 
2990 		if (cw)
2991 			vht80 = true;
2992 		if (cw == 2 ||
2993 		    (cw == 3 && (seg1 > 0 && abs(seg1 - seg0) == 16)))
2994 			vht160 = true;
2995 		if (cw == 1 &&
2996 		    ((seg1 > 0 && abs(seg1 - seg0) == 8) ||
2997 		     (seg1 > 0 && abs(seg1 - seg0) == 16)))
2998 			vht160 = true;
2999 	}
3000 
3001 	if (hw_mode && hw_mode->vht_capab) {
3002 		/* Use +1 to assume VHT is always faster than HT */
3003 		ie = get_ie(ies, ies_len, WLAN_EID_VHT_CAP);
3004 		if (ie) {
3005 			if (*max_cw == CHAN_WIDTH_UNKNOWN)
3006 				*max_cw = CHAN_WIDTH_20;
3007 			tmp = max_ht20_rate(snr, true) + 1;
3008 			if (tmp > est)
3009 				est = tmp;
3010 
3011 			if (ht40) {
3012 				*max_cw = CHAN_WIDTH_40;
3013 				adjusted_snr = snr +
3014 					wpas_channel_width_rssi_bump(
3015 						ies, ies_len, CHAN_WIDTH_40);
3016 				tmp = max_ht40_rate(adjusted_snr, true) + 1;
3017 				if (tmp > est)
3018 					est = tmp;
3019 			}
3020 
3021 			if (vht80) {
3022 				*max_cw = CHAN_WIDTH_80;
3023 				adjusted_snr = snr +
3024 					wpas_channel_width_rssi_bump(
3025 						ies, ies_len, CHAN_WIDTH_80);
3026 				tmp = max_vht80_rate(adjusted_snr) + 1;
3027 				if (tmp > est)
3028 					est = tmp;
3029 			}
3030 
3031 			if (vht160 &&
3032 			    (hw_mode->vht_capab &
3033 			     (VHT_CAP_SUPP_CHAN_WIDTH_160MHZ |
3034 			      VHT_CAP_SUPP_CHAN_WIDTH_160_80PLUS80MHZ))) {
3035 				*max_cw = CHAN_WIDTH_160;
3036 				adjusted_snr = snr +
3037 					wpas_channel_width_rssi_bump(
3038 						ies, ies_len, CHAN_WIDTH_160);
3039 				tmp = max_vht160_rate(adjusted_snr) + 1;
3040 				if (tmp > est)
3041 					est = tmp;
3042 			}
3043 		}
3044 	}
3045 
3046 	if (hw_mode && hw_mode->he_capab[IEEE80211_MODE_INFRA].he_supported) {
3047 		/* Use +2 to assume HE is always faster than HT/VHT */
3048 		struct ieee80211_he_capabilities *he;
3049 		struct ieee80211_eht_capabilities *eht;
3050 		struct he_capabilities *own_he;
3051 		u8 cw, boost = 2;
3052 		const u8 *eht_ie;
3053 		bool is_eht = false;
3054 
3055 		ie = get_ie_ext(ies, ies_len, WLAN_EID_EXT_HE_CAPABILITIES);
3056 		if (!ie || (ie[1] < 1 + IEEE80211_HE_CAPAB_MIN_LEN))
3057 			return est;
3058 		he = (struct ieee80211_he_capabilities *) &ie[3];
3059 		own_he = &hw_mode->he_capab[IEEE80211_MODE_INFRA];
3060 
3061 		/* Use +3 to assume EHT is always faster than HE */
3062 		if (hw_mode->eht_capab[IEEE80211_MODE_INFRA].eht_supported) {
3063 			eht_ie = get_ie_ext(ies, ies_len,
3064 					    WLAN_EID_EXT_EHT_CAPABILITIES);
3065 			if (eht_ie &&
3066 			    (eht_ie[1] >= 1 + IEEE80211_EHT_CAPAB_MIN_LEN)) {
3067 				is_eht = true;
3068 				boost = 3;
3069 			}
3070 		}
3071 
3072 		if (*max_cw == CHAN_WIDTH_UNKNOWN)
3073 			*max_cw = CHAN_WIDTH_20;
3074 		tmp = max_he_eht_rate(he20_table, snr, is_eht) + boost;
3075 		if (tmp > est)
3076 			est = tmp;
3077 
3078 		cw = he->he_phy_capab_info[HE_PHYCAP_CHANNEL_WIDTH_SET_IDX] &
3079 			own_he->phy_cap[HE_PHYCAP_CHANNEL_WIDTH_SET_IDX];
3080 		if ((cw &
3081 		     (IS_2P4GHZ(freq) ?
3082 		      HE_PHYCAP_CHANNEL_WIDTH_SET_40MHZ_IN_2G :
3083 		      HE_PHYCAP_CHANNEL_WIDTH_SET_40MHZ_80MHZ_IN_5G)) && ht40) {
3084 			if (*max_cw == CHAN_WIDTH_UNKNOWN ||
3085 			    *max_cw < CHAN_WIDTH_40)
3086 				*max_cw = CHAN_WIDTH_40;
3087 			adjusted_snr = snr + wpas_channel_width_rssi_bump(
3088 				ies, ies_len, CHAN_WIDTH_40);
3089 			tmp = max_he_eht_rate(he40_table, adjusted_snr,
3090 					      is_eht) + boost;
3091 			if (tmp > est)
3092 				est = tmp;
3093 		}
3094 
3095 		if (!IS_2P4GHZ(freq) &&
3096 		    (cw & HE_PHYCAP_CHANNEL_WIDTH_SET_40MHZ_80MHZ_IN_5G) &&
3097 		    (!IS_5GHZ(freq) || vht80)) {
3098 			if (*max_cw == CHAN_WIDTH_UNKNOWN ||
3099 			    *max_cw < CHAN_WIDTH_80)
3100 				*max_cw = CHAN_WIDTH_80;
3101 			adjusted_snr = snr + wpas_channel_width_rssi_bump(
3102 				ies, ies_len, CHAN_WIDTH_80);
3103 			tmp = max_he_eht_rate(he80_table, adjusted_snr,
3104 					      is_eht) + boost;
3105 			if (tmp > est)
3106 				est = tmp;
3107 		}
3108 
3109 		if (!IS_2P4GHZ(freq) &&
3110 		    (cw & (HE_PHYCAP_CHANNEL_WIDTH_SET_160MHZ_IN_5G |
3111 			   HE_PHYCAP_CHANNEL_WIDTH_SET_80PLUS80MHZ_IN_5G)) &&
3112 		    (!IS_5GHZ(freq) || vht160)) {
3113 			if (*max_cw == CHAN_WIDTH_UNKNOWN ||
3114 			    *max_cw < CHAN_WIDTH_160)
3115 				*max_cw = CHAN_WIDTH_160;
3116 			adjusted_snr = snr + wpas_channel_width_rssi_bump(
3117 				ies, ies_len, CHAN_WIDTH_160);
3118 			tmp = max_he_eht_rate(he160_table, adjusted_snr,
3119 					      is_eht) + boost;
3120 			if (tmp > est)
3121 				est = tmp;
3122 		}
3123 
3124 		if (!is_eht)
3125 			return est;
3126 
3127 		eht = (struct ieee80211_eht_capabilities *) &eht_ie[3];
3128 
3129 		if (is_6ghz_freq(freq) &&
3130 		    (eht->phy_cap[EHT_PHYCAP_320MHZ_IN_6GHZ_SUPPORT_IDX] &
3131 		     EHT_PHYCAP_320MHZ_IN_6GHZ_SUPPORT_MASK)) {
3132 			if (*max_cw == CHAN_WIDTH_UNKNOWN ||
3133 			    *max_cw < CHAN_WIDTH_320)
3134 				*max_cw = CHAN_WIDTH_320;
3135 			adjusted_snr = snr + wpas_channel_width_rssi_bump(
3136 				ies, ies_len, CHAN_WIDTH_320);
3137 			tmp = max_he_eht_rate(eht320_table, adjusted_snr, true);
3138 			if (tmp > est)
3139 				est = tmp;
3140 		}
3141 	}
3142 
3143 	return est;
3144 }
3145 
3146 
3147 void scan_est_throughput(struct wpa_supplicant *wpa_s,
3148 			 struct wpa_scan_res *res)
3149 {
3150 	int rate; /* max legacy rate in 500 kb/s units */
3151 	int snr = res->snr;
3152 	const u8 *ies = (const void *) (res + 1);
3153 	size_t ie_len = res->ie_len;
3154 
3155 	if (res->est_throughput)
3156 		return;
3157 
3158 	/* Get maximum legacy rate */
3159 	rate = wpa_scan_get_max_rate(res);
3160 
3161 	if (!ie_len)
3162 		ie_len = res->beacon_ie_len;
3163 	res->est_throughput = wpas_get_est_tpt(wpa_s, ies, ie_len, rate, snr,
3164 					       res->freq, &res->max_cw);
3165 
3166 	/* TODO: channel utilization and AP load (e.g., from AP Beacon) */
3167 }
3168 
3169 
3170 /**
3171  * wpa_supplicant_get_scan_results - Get scan results
3172  * @wpa_s: Pointer to wpa_supplicant data
3173  * @info: Information about what was scanned or %NULL if not available
3174  * @new_scan: Whether a new scan was performed
3175  * @bssid: Return BSS entries only for a single BSSID, %NULL for all
3176  * Returns: Scan results, %NULL on failure
3177  *
3178  * This function request the current scan results from the driver and updates
3179  * the local BSS list wpa_s->bss. The caller is responsible for freeing the
3180  * results with wpa_scan_results_free().
3181  */
3182 struct wpa_scan_results *
3183 wpa_supplicant_get_scan_results(struct wpa_supplicant *wpa_s,
3184 				struct scan_info *info, int new_scan,
3185 				const u8 *bssid)
3186 {
3187 	struct wpa_scan_results *scan_res;
3188 	size_t i;
3189 	int (*compar)(const void *, const void *) = wpa_scan_result_compar;
3190 
3191 	scan_res = wpa_drv_get_scan_results(wpa_s, bssid);
3192 	if (scan_res == NULL) {
3193 		wpa_dbg(wpa_s, MSG_DEBUG, "Failed to get scan results");
3194 		return NULL;
3195 	}
3196 	if (scan_res->fetch_time.sec == 0) {
3197 		/*
3198 		 * Make sure we have a valid timestamp if the driver wrapper
3199 		 * does not set this.
3200 		 */
3201 		os_get_reltime(&scan_res->fetch_time);
3202 	}
3203 	filter_scan_res(wpa_s, scan_res);
3204 
3205 	for (i = 0; i < scan_res->num; i++) {
3206 		struct wpa_scan_res *scan_res_item = scan_res->res[i];
3207 
3208 		scan_snr(scan_res_item);
3209 		scan_est_throughput(wpa_s, scan_res_item);
3210 	}
3211 
3212 #ifdef CONFIG_WPS
3213 	if (wpas_wps_searching(wpa_s)) {
3214 		wpa_dbg(wpa_s, MSG_DEBUG, "WPS: Order scan results with WPS "
3215 			"provisioning rules");
3216 		compar = wpa_scan_result_wps_compar;
3217 	}
3218 #endif /* CONFIG_WPS */
3219 
3220 	if (scan_res->res) {
3221 		qsort(scan_res->res, scan_res->num,
3222 		      sizeof(struct wpa_scan_res *), compar);
3223 	}
3224 	dump_scan_res(scan_res);
3225 
3226 	if (wpa_s->ignore_post_flush_scan_res) {
3227 		/* FLUSH command aborted an ongoing scan and these are the
3228 		 * results from the aborted scan. Do not process the results to
3229 		 * maintain flushed state. */
3230 		wpa_dbg(wpa_s, MSG_DEBUG,
3231 			"Do not update BSS table based on pending post-FLUSH scan results");
3232 		wpa_s->ignore_post_flush_scan_res = 0;
3233 		return scan_res;
3234 	}
3235 
3236 	wpa_bss_update_start(wpa_s);
3237 	for (i = 0; i < scan_res->num; i++)
3238 		wpa_bss_update_scan_res(wpa_s, scan_res->res[i],
3239 					&scan_res->fetch_time);
3240 	wpa_bss_update_end(wpa_s, info, new_scan);
3241 
3242 	return scan_res;
3243 }
3244 
3245 
3246 /**
3247  * wpa_supplicant_update_scan_results - Update scan results from the driver
3248  * @wpa_s: Pointer to wpa_supplicant data
3249  * @bssid: Update BSS entries only for a single BSSID, %NULL for all
3250  * Returns: 0 on success, -1 on failure
3251  *
3252  * This function updates the BSS table within wpa_supplicant based on the
3253  * currently available scan results from the driver without requesting a new
3254  * scan. This is used in cases where the driver indicates an association
3255  * (including roaming within ESS) and wpa_supplicant does not yet have the
3256  * needed information to complete the connection (e.g., to perform validation
3257  * steps in 4-way handshake).
3258  */
3259 int wpa_supplicant_update_scan_results(struct wpa_supplicant *wpa_s,
3260 				       const u8 *bssid)
3261 {
3262 	struct wpa_scan_results *scan_res;
3263 	scan_res = wpa_supplicant_get_scan_results(wpa_s, NULL, 0, bssid);
3264 	if (scan_res == NULL)
3265 		return -1;
3266 	wpa_scan_results_free(scan_res);
3267 
3268 	return 0;
3269 }
3270 
3271 
3272 /**
3273  * scan_only_handler - Reports scan results
3274  */
3275 void scan_only_handler(struct wpa_supplicant *wpa_s,
3276 		       struct wpa_scan_results *scan_res)
3277 {
3278 	wpa_dbg(wpa_s, MSG_DEBUG, "Scan-only results received");
3279 	if (wpa_s->last_scan_req == MANUAL_SCAN_REQ &&
3280 	    wpa_s->manual_scan_use_id && wpa_s->own_scan_running) {
3281 		wpa_msg_ctrl(wpa_s, MSG_INFO, WPA_EVENT_SCAN_RESULTS "id=%u",
3282 			     wpa_s->manual_scan_id);
3283 		wpa_s->manual_scan_use_id = 0;
3284 	} else {
3285 		wpa_msg_ctrl(wpa_s, MSG_INFO, WPA_EVENT_SCAN_RESULTS);
3286 	}
3287 	wpas_notify_scan_results(wpa_s);
3288 	wpas_notify_scan_done(wpa_s, 1);
3289 	if (wpa_s->scan_work) {
3290 		struct wpa_radio_work *work = wpa_s->scan_work;
3291 		wpa_s->scan_work = NULL;
3292 		radio_work_done(work);
3293 	}
3294 
3295 	if (wpa_s->wpa_state == WPA_SCANNING)
3296 		wpa_supplicant_set_state(wpa_s, wpa_s->scan_prev_wpa_state);
3297 }
3298 
3299 
3300 int wpas_scan_scheduled(struct wpa_supplicant *wpa_s)
3301 {
3302 	return eloop_is_timeout_registered(wpa_supplicant_scan, wpa_s, NULL);
3303 }
3304 
3305 
3306 struct wpa_driver_scan_params *
3307 wpa_scan_clone_params(const struct wpa_driver_scan_params *src)
3308 {
3309 	struct wpa_driver_scan_params *params;
3310 	size_t i;
3311 	u8 *n;
3312 
3313 	params = os_zalloc(sizeof(*params));
3314 	if (params == NULL)
3315 		return NULL;
3316 
3317 	for (i = 0; i < src->num_ssids; i++) {
3318 		if (src->ssids[i].ssid) {
3319 			n = os_memdup(src->ssids[i].ssid,
3320 				      src->ssids[i].ssid_len);
3321 			if (n == NULL)
3322 				goto failed;
3323 			params->ssids[i].ssid = n;
3324 			params->ssids[i].ssid_len = src->ssids[i].ssid_len;
3325 		}
3326 	}
3327 	params->num_ssids = src->num_ssids;
3328 
3329 	if (src->extra_ies) {
3330 		n = os_memdup(src->extra_ies, src->extra_ies_len);
3331 		if (n == NULL)
3332 			goto failed;
3333 		params->extra_ies = n;
3334 		params->extra_ies_len = src->extra_ies_len;
3335 	}
3336 
3337 	if (src->freqs) {
3338 		int len = int_array_len(src->freqs);
3339 		params->freqs = os_memdup(src->freqs, (len + 1) * sizeof(int));
3340 		if (params->freqs == NULL)
3341 			goto failed;
3342 	}
3343 
3344 	if (src->filter_ssids) {
3345 		params->filter_ssids = os_memdup(src->filter_ssids,
3346 						 sizeof(*params->filter_ssids) *
3347 						 src->num_filter_ssids);
3348 		if (params->filter_ssids == NULL)
3349 			goto failed;
3350 		params->num_filter_ssids = src->num_filter_ssids;
3351 	}
3352 
3353 	params->filter_rssi = src->filter_rssi;
3354 	params->p2p_probe = src->p2p_probe;
3355 	params->only_new_results = src->only_new_results;
3356 	params->low_priority = src->low_priority;
3357 	params->duration = src->duration;
3358 	params->duration_mandatory = src->duration_mandatory;
3359 	params->oce_scan = src->oce_scan;
3360 	params->link_id = src->link_id;
3361 
3362 	if (src->sched_scan_plans_num > 0) {
3363 		params->sched_scan_plans =
3364 			os_memdup(src->sched_scan_plans,
3365 				  sizeof(*src->sched_scan_plans) *
3366 				  src->sched_scan_plans_num);
3367 		if (!params->sched_scan_plans)
3368 			goto failed;
3369 
3370 		params->sched_scan_plans_num = src->sched_scan_plans_num;
3371 	}
3372 
3373 	if (src->mac_addr_rand &&
3374 	    wpa_setup_mac_addr_rand_params(params, src->mac_addr))
3375 		goto failed;
3376 
3377 	if (src->bssid) {
3378 		u8 *bssid;
3379 
3380 		bssid = os_memdup(src->bssid, ETH_ALEN);
3381 		if (!bssid)
3382 			goto failed;
3383 		params->bssid = bssid;
3384 	}
3385 
3386 	params->relative_rssi_set = src->relative_rssi_set;
3387 	params->relative_rssi = src->relative_rssi;
3388 	params->relative_adjust_band = src->relative_adjust_band;
3389 	params->relative_adjust_rssi = src->relative_adjust_rssi;
3390 	params->p2p_include_6ghz = src->p2p_include_6ghz;
3391 	params->non_coloc_6ghz = src->non_coloc_6ghz;
3392 	params->min_probe_req_content = src->min_probe_req_content;
3393 	return params;
3394 
3395 failed:
3396 	wpa_scan_free_params(params);
3397 	return NULL;
3398 }
3399 
3400 
3401 void wpa_scan_free_params(struct wpa_driver_scan_params *params)
3402 {
3403 	size_t i;
3404 
3405 	if (params == NULL)
3406 		return;
3407 
3408 	for (i = 0; i < params->num_ssids; i++)
3409 		os_free((u8 *) params->ssids[i].ssid);
3410 	os_free((u8 *) params->extra_ies);
3411 	os_free(params->freqs);
3412 	os_free(params->filter_ssids);
3413 	os_free(params->sched_scan_plans);
3414 
3415 	/*
3416 	 * Note: params->mac_addr_mask points to same memory allocation and
3417 	 * must not be freed separately.
3418 	 */
3419 	os_free((u8 *) params->mac_addr);
3420 
3421 	os_free((u8 *) params->bssid);
3422 
3423 	os_free(params);
3424 }
3425 
3426 
3427 int wpas_start_pno(struct wpa_supplicant *wpa_s)
3428 {
3429 	int ret;
3430 	size_t prio, i, num_ssid, num_match_ssid;
3431 	struct wpa_ssid *ssid;
3432 	struct wpa_driver_scan_params params;
3433 	struct sched_scan_plan scan_plan;
3434 	unsigned int max_sched_scan_ssids;
3435 
3436 	if (!wpa_s->sched_scan_supported)
3437 		return -1;
3438 
3439 	if (wpa_s->max_sched_scan_ssids > WPAS_MAX_SCAN_SSIDS)
3440 		max_sched_scan_ssids = WPAS_MAX_SCAN_SSIDS;
3441 	else
3442 		max_sched_scan_ssids = wpa_s->max_sched_scan_ssids;
3443 	if (max_sched_scan_ssids < 1)
3444 		return -1;
3445 
3446 	if (wpa_s->pno || wpa_s->pno_sched_pending)
3447 		return 0;
3448 
3449 	if ((wpa_s->wpa_state > WPA_SCANNING) &&
3450 	    (wpa_s->wpa_state < WPA_COMPLETED)) {
3451 		wpa_printf(MSG_ERROR, "PNO: In assoc process");
3452 		return -EAGAIN;
3453 	}
3454 
3455 	if (wpa_s->wpa_state == WPA_SCANNING) {
3456 		wpa_supplicant_cancel_scan(wpa_s);
3457 		if (wpa_s->sched_scanning) {
3458 			wpa_printf(MSG_DEBUG, "Schedule PNO on completion of "
3459 				   "ongoing sched scan");
3460 			wpa_supplicant_cancel_sched_scan(wpa_s);
3461 			wpa_s->pno_sched_pending = 1;
3462 			return 0;
3463 		}
3464 	}
3465 
3466 	if (wpa_s->sched_scan_stop_req) {
3467 		wpa_printf(MSG_DEBUG,
3468 			   "Schedule PNO after previous sched scan has stopped");
3469 		wpa_s->pno_sched_pending = 1;
3470 		return 0;
3471 	}
3472 
3473 	os_memset(&params, 0, sizeof(params));
3474 
3475 	num_ssid = num_match_ssid = 0;
3476 	ssid = wpa_s->conf->ssid;
3477 	while (ssid) {
3478 		if (!wpas_network_disabled(wpa_s, ssid)) {
3479 			num_match_ssid++;
3480 			if (ssid->scan_ssid)
3481 				num_ssid++;
3482 		}
3483 		ssid = ssid->next;
3484 	}
3485 
3486 	if (num_match_ssid == 0) {
3487 		wpa_printf(MSG_DEBUG, "PNO: No configured SSIDs");
3488 		return -1;
3489 	}
3490 
3491 	if (num_match_ssid > num_ssid) {
3492 		params.num_ssids++; /* wildcard */
3493 		num_ssid++;
3494 	}
3495 
3496 	if (num_ssid > max_sched_scan_ssids) {
3497 		wpa_printf(MSG_DEBUG, "PNO: Use only the first %u SSIDs from "
3498 			   "%u", max_sched_scan_ssids, (unsigned int) num_ssid);
3499 		num_ssid = max_sched_scan_ssids;
3500 	}
3501 
3502 	if (num_match_ssid > wpa_s->max_match_sets) {
3503 		num_match_ssid = wpa_s->max_match_sets;
3504 		wpa_dbg(wpa_s, MSG_DEBUG, "PNO: Too many SSIDs to match");
3505 	}
3506 	params.filter_ssids = os_calloc(num_match_ssid,
3507 					sizeof(struct wpa_driver_scan_filter));
3508 	if (params.filter_ssids == NULL)
3509 		return -1;
3510 
3511 	i = 0;
3512 	prio = 0;
3513 	ssid = wpa_s->conf->pssid[prio];
3514 	while (ssid) {
3515 		if (!wpas_network_disabled(wpa_s, ssid)) {
3516 			if (ssid->scan_ssid && params.num_ssids < num_ssid) {
3517 				params.ssids[params.num_ssids].ssid =
3518 					ssid->ssid;
3519 				params.ssids[params.num_ssids].ssid_len =
3520 					 ssid->ssid_len;
3521 				params.num_ssids++;
3522 			}
3523 			os_memcpy(params.filter_ssids[i].ssid, ssid->ssid,
3524 				  ssid->ssid_len);
3525 			params.filter_ssids[i].ssid_len = ssid->ssid_len;
3526 			params.num_filter_ssids++;
3527 			i++;
3528 			if (i == num_match_ssid)
3529 				break;
3530 		}
3531 		if (ssid->pnext)
3532 			ssid = ssid->pnext;
3533 		else if (prio + 1 == wpa_s->conf->num_prio)
3534 			break;
3535 		else
3536 			ssid = wpa_s->conf->pssid[++prio];
3537 	}
3538 
3539 	if (wpa_s->conf->filter_rssi)
3540 		params.filter_rssi = wpa_s->conf->filter_rssi;
3541 
3542 	if (wpa_s->sched_scan_plans_num) {
3543 		params.sched_scan_plans = wpa_s->sched_scan_plans;
3544 		params.sched_scan_plans_num = wpa_s->sched_scan_plans_num;
3545 	} else {
3546 		/* Set one scan plan that will run infinitely */
3547 		if (wpa_s->conf->sched_scan_interval)
3548 			scan_plan.interval = wpa_s->conf->sched_scan_interval;
3549 		else
3550 			scan_plan.interval = 10;
3551 
3552 		scan_plan.iterations = 0;
3553 		params.sched_scan_plans = &scan_plan;
3554 		params.sched_scan_plans_num = 1;
3555 	}
3556 
3557 	params.sched_scan_start_delay = wpa_s->conf->sched_scan_start_delay;
3558 
3559 	if (params.freqs == NULL && wpa_s->manual_sched_scan_freqs) {
3560 		wpa_dbg(wpa_s, MSG_DEBUG, "Limit sched scan to specified channels");
3561 		params.freqs = wpa_s->manual_sched_scan_freqs;
3562 	}
3563 
3564 	if ((wpa_s->mac_addr_rand_enable & MAC_ADDR_RAND_PNO) &&
3565 	    wpa_s->wpa_state <= WPA_SCANNING)
3566 		wpa_setup_mac_addr_rand_params(&params, wpa_s->mac_addr_pno);
3567 
3568 	wpa_scan_set_relative_rssi_params(wpa_s, &params);
3569 
3570 	ret = wpa_supplicant_start_sched_scan(wpa_s, &params);
3571 	os_free(params.filter_ssids);
3572 	os_free(params.mac_addr);
3573 	if (ret == 0)
3574 		wpa_s->pno = 1;
3575 	else
3576 		wpa_msg(wpa_s, MSG_ERROR, "Failed to schedule PNO");
3577 	return ret;
3578 }
3579 
3580 
3581 int wpas_stop_pno(struct wpa_supplicant *wpa_s)
3582 {
3583 	int ret = 0;
3584 
3585 	if (!wpa_s->pno)
3586 		return 0;
3587 
3588 	ret = wpa_supplicant_stop_sched_scan(wpa_s);
3589 	wpa_s->sched_scan_stop_req = 1;
3590 
3591 	wpa_s->pno = 0;
3592 	wpa_s->pno_sched_pending = 0;
3593 
3594 	if (wpa_s->wpa_state == WPA_SCANNING)
3595 		wpa_supplicant_req_scan(wpa_s, 0, 0);
3596 
3597 	return ret;
3598 }
3599 
3600 
3601 void wpas_mac_addr_rand_scan_clear(struct wpa_supplicant *wpa_s,
3602 				    unsigned int type)
3603 {
3604 	type &= MAC_ADDR_RAND_ALL;
3605 	wpa_s->mac_addr_rand_enable &= ~type;
3606 
3607 	if (type & MAC_ADDR_RAND_SCAN) {
3608 		os_free(wpa_s->mac_addr_scan);
3609 		wpa_s->mac_addr_scan = NULL;
3610 	}
3611 
3612 	if (type & MAC_ADDR_RAND_SCHED_SCAN) {
3613 		os_free(wpa_s->mac_addr_sched_scan);
3614 		wpa_s->mac_addr_sched_scan = NULL;
3615 	}
3616 
3617 	if (type & MAC_ADDR_RAND_PNO) {
3618 		os_free(wpa_s->mac_addr_pno);
3619 		wpa_s->mac_addr_pno = NULL;
3620 	}
3621 }
3622 
3623 
3624 int wpas_mac_addr_rand_scan_set(struct wpa_supplicant *wpa_s,
3625 				unsigned int type, const u8 *addr,
3626 				const u8 *mask)
3627 {
3628 	u8 *tmp = NULL;
3629 
3630 	if ((wpa_s->mac_addr_rand_supported & type) != type ) {
3631 		wpa_printf(MSG_INFO,
3632 			   "scan: MAC randomization type %u != supported=%u",
3633 			   type, wpa_s->mac_addr_rand_supported);
3634 		return -1;
3635 	}
3636 
3637 	wpas_mac_addr_rand_scan_clear(wpa_s, type);
3638 
3639 	if (addr) {
3640 		tmp = os_malloc(2 * ETH_ALEN);
3641 		if (!tmp)
3642 			return -1;
3643 		os_memcpy(tmp, addr, ETH_ALEN);
3644 		os_memcpy(tmp + ETH_ALEN, mask, ETH_ALEN);
3645 	}
3646 
3647 	if (type == MAC_ADDR_RAND_SCAN) {
3648 		wpa_s->mac_addr_scan = tmp;
3649 	} else if (type == MAC_ADDR_RAND_SCHED_SCAN) {
3650 		wpa_s->mac_addr_sched_scan = tmp;
3651 	} else if (type == MAC_ADDR_RAND_PNO) {
3652 		wpa_s->mac_addr_pno = tmp;
3653 	} else {
3654 		wpa_printf(MSG_INFO,
3655 			   "scan: Invalid MAC randomization type=0x%x",
3656 			   type);
3657 		os_free(tmp);
3658 		return -1;
3659 	}
3660 
3661 	wpa_s->mac_addr_rand_enable |= type;
3662 	return 0;
3663 }
3664 
3665 
3666 int wpas_mac_addr_rand_scan_get_mask(struct wpa_supplicant *wpa_s,
3667 				     unsigned int type, u8 *mask)
3668 {
3669 	const u8 *to_copy;
3670 
3671 	if ((wpa_s->mac_addr_rand_enable & type) != type)
3672 		return -1;
3673 
3674 	if (type == MAC_ADDR_RAND_SCAN) {
3675 		to_copy = wpa_s->mac_addr_scan;
3676 	} else if (type == MAC_ADDR_RAND_SCHED_SCAN) {
3677 		to_copy = wpa_s->mac_addr_sched_scan;
3678 	} else if (type == MAC_ADDR_RAND_PNO) {
3679 		to_copy = wpa_s->mac_addr_pno;
3680 	} else {
3681 		wpa_printf(MSG_DEBUG,
3682 			   "scan: Invalid MAC randomization type=0x%x",
3683 			   type);
3684 		return -1;
3685 	}
3686 
3687 	os_memcpy(mask, to_copy + ETH_ALEN, ETH_ALEN);
3688 	return 0;
3689 }
3690 
3691 
3692 int wpas_abort_ongoing_scan(struct wpa_supplicant *wpa_s)
3693 {
3694 	struct wpa_radio_work *work;
3695 	struct wpa_radio *radio = wpa_s->radio;
3696 
3697 	dl_list_for_each(work, &radio->work, struct wpa_radio_work, list) {
3698 		if (work->wpa_s != wpa_s || !work->started ||
3699 		    (os_strcmp(work->type, "scan") != 0 &&
3700 		     os_strcmp(work->type, "p2p-scan") != 0))
3701 			continue;
3702 		wpa_dbg(wpa_s, MSG_DEBUG, "Abort an ongoing scan");
3703 		return wpa_drv_abort_scan(wpa_s, wpa_s->curr_scan_cookie);
3704 	}
3705 
3706 	wpa_dbg(wpa_s, MSG_DEBUG, "No ongoing scan/p2p-scan found to abort");
3707 	return -1;
3708 }
3709 
3710 
3711 int wpas_sched_scan_plans_set(struct wpa_supplicant *wpa_s, const char *cmd)
3712 {
3713 	struct sched_scan_plan *scan_plans = NULL;
3714 	const char *token, *context = NULL;
3715 	unsigned int num = 0;
3716 
3717 	if (!cmd)
3718 		return -1;
3719 
3720 	if (!cmd[0]) {
3721 		wpa_printf(MSG_DEBUG, "Clear sched scan plans");
3722 		os_free(wpa_s->sched_scan_plans);
3723 		wpa_s->sched_scan_plans = NULL;
3724 		wpa_s->sched_scan_plans_num = 0;
3725 		return 0;
3726 	}
3727 
3728 	while ((token = cstr_token(cmd, " ", &context))) {
3729 		int ret;
3730 		struct sched_scan_plan *scan_plan, *n;
3731 
3732 		n = os_realloc_array(scan_plans, num + 1, sizeof(*scan_plans));
3733 		if (!n)
3734 			goto fail;
3735 
3736 		scan_plans = n;
3737 		scan_plan = &scan_plans[num];
3738 		num++;
3739 
3740 		ret = sscanf(token, "%u:%u", &scan_plan->interval,
3741 			     &scan_plan->iterations);
3742 		if (ret <= 0 || ret > 2 || !scan_plan->interval) {
3743 			wpa_printf(MSG_ERROR,
3744 				   "Invalid sched scan plan input: %s", token);
3745 			goto fail;
3746 		}
3747 
3748 		if (scan_plan->interval > wpa_s->max_sched_scan_plan_interval) {
3749 			wpa_printf(MSG_WARNING,
3750 				   "scan plan %u: Scan interval too long(%u), use the maximum allowed(%u)",
3751 				   num, scan_plan->interval,
3752 				   wpa_s->max_sched_scan_plan_interval);
3753 			scan_plan->interval =
3754 				wpa_s->max_sched_scan_plan_interval;
3755 		}
3756 
3757 		if (ret == 1) {
3758 			scan_plan->iterations = 0;
3759 			break;
3760 		}
3761 
3762 		if (!scan_plan->iterations) {
3763 			wpa_printf(MSG_ERROR,
3764 				   "scan plan %u: Number of iterations cannot be zero",
3765 				   num);
3766 			goto fail;
3767 		}
3768 
3769 		if (scan_plan->iterations >
3770 		    wpa_s->max_sched_scan_plan_iterations) {
3771 			wpa_printf(MSG_WARNING,
3772 				   "scan plan %u: Too many iterations(%u), use the maximum allowed(%u)",
3773 				   num, scan_plan->iterations,
3774 				   wpa_s->max_sched_scan_plan_iterations);
3775 			scan_plan->iterations =
3776 				wpa_s->max_sched_scan_plan_iterations;
3777 		}
3778 
3779 		wpa_printf(MSG_DEBUG,
3780 			   "scan plan %u: interval=%u iterations=%u",
3781 			   num, scan_plan->interval, scan_plan->iterations);
3782 	}
3783 
3784 	if (!scan_plans) {
3785 		wpa_printf(MSG_ERROR, "Invalid scan plans entry");
3786 		goto fail;
3787 	}
3788 
3789 	if (cstr_token(cmd, " ", &context) || scan_plans[num - 1].iterations) {
3790 		wpa_printf(MSG_ERROR,
3791 			   "All scan plans but the last must specify a number of iterations");
3792 		goto fail;
3793 	}
3794 
3795 	wpa_printf(MSG_DEBUG, "scan plan %u (last plan): interval=%u",
3796 		   num, scan_plans[num - 1].interval);
3797 
3798 	if (num > wpa_s->max_sched_scan_plans) {
3799 		wpa_printf(MSG_WARNING,
3800 			   "Too many scheduled scan plans (only %u supported)",
3801 			   wpa_s->max_sched_scan_plans);
3802 		wpa_printf(MSG_WARNING,
3803 			   "Use only the first %u scan plans, and the last one (in infinite loop)",
3804 			   wpa_s->max_sched_scan_plans - 1);
3805 		os_memcpy(&scan_plans[wpa_s->max_sched_scan_plans - 1],
3806 			  &scan_plans[num - 1], sizeof(*scan_plans));
3807 		num = wpa_s->max_sched_scan_plans;
3808 	}
3809 
3810 	os_free(wpa_s->sched_scan_plans);
3811 	wpa_s->sched_scan_plans = scan_plans;
3812 	wpa_s->sched_scan_plans_num = num;
3813 
3814 	return 0;
3815 
3816 fail:
3817 	os_free(scan_plans);
3818 	wpa_printf(MSG_ERROR, "invalid scan plans list");
3819 	return -1;
3820 }
3821 
3822 
3823 /**
3824  * wpas_scan_reset_sched_scan - Reset sched_scan state
3825  * @wpa_s: Pointer to wpa_supplicant data
3826  *
3827  * This function is used to cancel a running scheduled scan and to reset an
3828  * internal scan state to continue with a regular scan on the following
3829  * wpa_supplicant_req_scan() calls.
3830  */
3831 void wpas_scan_reset_sched_scan(struct wpa_supplicant *wpa_s)
3832 {
3833 	wpa_s->normal_scans = 0;
3834 	if (wpa_s->sched_scanning) {
3835 		wpa_s->sched_scan_timed_out = 0;
3836 		wpa_s->prev_sched_ssid = NULL;
3837 		wpa_supplicant_cancel_sched_scan(wpa_s);
3838 	}
3839 }
3840 
3841 
3842 void wpas_scan_restart_sched_scan(struct wpa_supplicant *wpa_s)
3843 {
3844 	/* simulate timeout to restart the sched scan */
3845 	wpa_s->sched_scan_timed_out = 1;
3846 	wpa_s->prev_sched_ssid = NULL;
3847 	wpa_supplicant_cancel_sched_scan(wpa_s);
3848 }
3849