xref: /freebsd/sys/net80211/ieee80211_scan_sw.c (revision 370e009188ba90c3290b1479aa06ec98b66e140a)
1 /*-
2  * Copyright (c) 2002-2008 Sam Leffler, Errno Consulting
3  * All rights reserved.
4  *
5  * Redistribution and use in source and binary forms, with or without
6  * modification, are permitted provided that the following conditions
7  * are met:
8  * 1. Redistributions of source code must retain the above copyright
9  *    notice, this list of conditions and the following disclaimer.
10  * 2. Redistributions in binary form must reproduce the above copyright
11  *    notice, this list of conditions and the following disclaimer in the
12  *    documentation and/or other materials provided with the distribution.
13  *
14  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
15  * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
16  * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
17  * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
18  * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
19  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
20  * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
21  * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
22  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
23  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
24  */
25 
26 #include <sys/cdefs.h>
27 __FBSDID("$FreeBSD$");
28 
29 /*
30  * IEEE 802.11 scanning support.
31  */
32 #include "opt_wlan.h"
33 
34 #include <sys/param.h>
35 #include <sys/systm.h>
36 #include <sys/proc.h>
37 #include <sys/kernel.h>
38 #include <sys/malloc.h>
39 #include <sys/condvar.h>
40 
41 #include <sys/socket.h>
42 
43 #include <net/if.h>
44 #include <net/if_var.h>
45 #include <net/if_media.h>
46 #include <net/if_private.h>
47 #include <net/ethernet.h>
48 
49 #include <net80211/ieee80211_var.h>
50 
51 #include <net80211/ieee80211_scan_sw.h>
52 
53 #include <net/bpf.h>
54 
55 struct scan_state {
56 	struct ieee80211_scan_state base;	/* public state */
57 
58 	u_int			ss_iflags;	/* flags used internally */
59 #define	ISCAN_MINDWELL 		0x0001		/* min dwell time reached */
60 #define	ISCAN_DISCARD		0x0002		/* discard rx'd frames */
61 #define ISCAN_INTERRUPT		0x0004		/* interrupt current scan */
62 #define	ISCAN_CANCEL		0x0008		/* cancel current scan */
63 #define ISCAN_PAUSE		(ISCAN_INTERRUPT | ISCAN_CANCEL)
64 #define	ISCAN_ABORT		0x0010		/* end the scan immediately */
65 #define	ISCAN_RUNNING		0x0020		/* scan was started */
66 
67 	unsigned long		ss_chanmindwell;  /* min dwell on curchan */
68 	unsigned long		ss_scanend;	/* time scan must stop */
69 	u_int			ss_duration;	/* duration for next scan */
70 	struct task		ss_scan_start;	/* scan start */
71 	struct timeout_task	ss_scan_curchan;  /* scan execution */
72 };
73 #define	SCAN_PRIVATE(ss)	((struct scan_state *) ss)
74 
75 /*
76  * Amount of time to go off-channel during a background
77  * scan.  This value should be large enough to catch most
78  * ap's but short enough that we can return on-channel
79  * before our listen interval expires.
80  *
81  * XXX tunable
82  * XXX check against configured listen interval
83  */
84 #define	IEEE80211_SCAN_OFFCHANNEL	msecs_to_ticks(150)
85 
86 static	void scan_curchan(struct ieee80211_scan_state *, unsigned long);
87 static	void scan_mindwell(struct ieee80211_scan_state *);
88 static	void scan_signal(struct ieee80211_scan_state *, int);
89 static	void scan_signal_locked(struct ieee80211_scan_state *, int);
90 static	void scan_start(void *, int);
91 static	void scan_curchan_task(void *, int);
92 static	void scan_end(struct ieee80211_scan_state *, int);
93 static	void scan_done(struct ieee80211_scan_state *, int);
94 
95 MALLOC_DEFINE(M_80211_SCAN, "80211scan", "802.11 scan state");
96 
97 static void
98 ieee80211_swscan_detach(struct ieee80211com *ic)
99 {
100 	struct ieee80211_scan_state *ss = ic->ic_scan;
101 
102 	if (ss != NULL) {
103 		scan_signal(ss, ISCAN_ABORT);
104 		ieee80211_draintask(ic, &SCAN_PRIVATE(ss)->ss_scan_start);
105 		taskqueue_drain_timeout(ic->ic_tq,
106 		    &SCAN_PRIVATE(ss)->ss_scan_curchan);
107 		KASSERT((ic->ic_flags & IEEE80211_F_SCAN) == 0,
108 		    ("scan still running"));
109 
110 		/*
111 		 * For now, do the ss_ops detach here rather
112 		 * than ieee80211_scan_detach().
113 		 *
114 		 * I'll figure out how to cleanly split things up
115 		 * at a later date.
116 		 */
117 		if (ss->ss_ops != NULL) {
118 			ss->ss_ops->scan_detach(ss);
119 			ss->ss_ops = NULL;
120 		}
121 		ic->ic_scan = NULL;
122 		IEEE80211_FREE(SCAN_PRIVATE(ss), M_80211_SCAN);
123 	}
124 }
125 
126 static void
127 ieee80211_swscan_vattach(struct ieee80211vap *vap)
128 {
129 	/* nothing to do for now */
130 	/*
131 	 * TODO: all of the vap scan calls should be methods!
132 	 */
133 
134 }
135 
136 static void
137 ieee80211_swscan_vdetach(struct ieee80211vap *vap)
138 {
139 	struct ieee80211com *ic = vap->iv_ic;
140 	struct ieee80211_scan_state *ss = ic->ic_scan;
141 
142 	IEEE80211_LOCK_ASSERT(ic);
143 
144 	if (ss != NULL && ss->ss_vap == vap &&
145 	    (ic->ic_flags & IEEE80211_F_SCAN))
146 		scan_signal_locked(ss, ISCAN_ABORT);
147 }
148 
149 static void
150 ieee80211_swscan_set_scan_duration(struct ieee80211vap *vap, u_int duration)
151 {
152 	struct ieee80211com *ic = vap->iv_ic;
153 	struct ieee80211_scan_state *ss = ic->ic_scan;
154 
155 	IEEE80211_LOCK_ASSERT(ic);
156 
157 	/* NB: flush frames rx'd before 1st channel change */
158 	SCAN_PRIVATE(ss)->ss_iflags |= ISCAN_DISCARD;
159 	SCAN_PRIVATE(ss)->ss_duration = duration;
160 }
161 
162 /*
163  * Start a scan unless one is already going.
164  */
165 static int
166 ieee80211_swscan_start_scan_locked(const struct ieee80211_scanner *scan,
167 	struct ieee80211vap *vap, int flags, u_int duration,
168 	u_int mindwell, u_int maxdwell,
169 	u_int nssid, const struct ieee80211_scan_ssid ssids[])
170 {
171 	struct ieee80211com *ic = vap->iv_ic;
172 	struct ieee80211_scan_state *ss = ic->ic_scan;
173 
174 	IEEE80211_LOCK_ASSERT(ic);
175 
176 	if (ic->ic_flags & IEEE80211_F_CSAPENDING) {
177 		IEEE80211_DPRINTF(vap, IEEE80211_MSG_SCAN,
178 		    "%s: scan inhibited by pending channel change\n", __func__);
179 	} else if ((ic->ic_flags & IEEE80211_F_SCAN) == 0) {
180 		IEEE80211_DPRINTF(vap, IEEE80211_MSG_SCAN,
181 		    "%s: %s scan, duration %u mindwell %u maxdwell %u, desired mode %s, %s%s%s%s%s%s\n"
182 		    , __func__
183 		    , flags & IEEE80211_SCAN_ACTIVE ? "active" : "passive"
184 		    , duration, mindwell, maxdwell
185 		    , ieee80211_phymode_name[vap->iv_des_mode]
186 		    , flags & IEEE80211_SCAN_FLUSH ? "flush" : "append"
187 		    , flags & IEEE80211_SCAN_NOPICK ? ", nopick" : ""
188 		    , flags & IEEE80211_SCAN_NOJOIN ? ", nojoin" : ""
189 		    , flags & IEEE80211_SCAN_NOBCAST ? ", nobcast" : ""
190 		    , flags & IEEE80211_SCAN_PICK1ST ? ", pick1st" : ""
191 		    , flags & IEEE80211_SCAN_ONCE ? ", once" : ""
192 		);
193 
194 		ieee80211_scan_update_locked(vap, scan);
195 		if (ss->ss_ops != NULL) {
196 			if ((flags & IEEE80211_SCAN_NOSSID) == 0)
197 				ieee80211_scan_copy_ssid(vap, ss, nssid, ssids);
198 
199 			/* NB: top 4 bits for internal use */
200 			ss->ss_flags = flags & 0xfff;
201 			if (ss->ss_flags & IEEE80211_SCAN_ACTIVE)
202 				vap->iv_stats.is_scan_active++;
203 			else
204 				vap->iv_stats.is_scan_passive++;
205 			if (flags & IEEE80211_SCAN_FLUSH)
206 				ss->ss_ops->scan_flush(ss);
207 			if (flags & IEEE80211_SCAN_BGSCAN)
208 				ic->ic_flags_ext |= IEEE80211_FEXT_BGSCAN;
209 
210 			/* Set duration for this particular scan */
211 			ieee80211_swscan_set_scan_duration(vap, duration);
212 
213 			ss->ss_next = 0;
214 			ss->ss_mindwell = mindwell;
215 			ss->ss_maxdwell = maxdwell;
216 			/* NB: scan_start must be before the scan runtask */
217 			ss->ss_ops->scan_start(ss, vap);
218 #ifdef IEEE80211_DEBUG
219 			if (ieee80211_msg_scan(vap))
220 				ieee80211_scan_dump(ss);
221 #endif /* IEEE80211_DEBUG */
222 			ic->ic_flags |= IEEE80211_F_SCAN;
223 
224 			/* Start scan task */
225 			ieee80211_runtask(ic, &SCAN_PRIVATE(ss)->ss_scan_start);
226 		}
227 		return 1;
228 	} else {
229 		IEEE80211_DPRINTF(vap, IEEE80211_MSG_SCAN,
230 		    "%s: %s scan already in progress\n", __func__,
231 		    ss->ss_flags & IEEE80211_SCAN_ACTIVE ? "active" : "passive");
232 	}
233 	return 0;
234 }
235 
236 /*
237  * Start a scan unless one is already going.
238  *
239  * Called without the comlock held; grab the comlock as appropriate.
240  */
241 static int
242 ieee80211_swscan_start_scan(const struct ieee80211_scanner *scan,
243     struct ieee80211vap *vap, int flags,
244     u_int duration, u_int mindwell, u_int maxdwell,
245     u_int nssid, const struct ieee80211_scan_ssid ssids[])
246 {
247 	struct ieee80211com *ic = vap->iv_ic;
248 	int result;
249 
250 	IEEE80211_UNLOCK_ASSERT(ic);
251 
252 	IEEE80211_LOCK(ic);
253 	result = ieee80211_swscan_start_scan_locked(scan, vap, flags, duration,
254 	    mindwell, maxdwell, nssid, ssids);
255 	IEEE80211_UNLOCK(ic);
256 
257 	return result;
258 }
259 
260 /*
261  * Check the scan cache for an ap/channel to use; if that
262  * fails then kick off a new scan.
263  *
264  * Called with the comlock held.
265  *
266  * XXX TODO: split out!
267  */
268 static int
269 ieee80211_swscan_check_scan(const struct ieee80211_scanner *scan,
270     struct ieee80211vap *vap, int flags,
271     u_int duration, u_int mindwell, u_int maxdwell,
272     u_int nssid, const struct ieee80211_scan_ssid ssids[])
273 {
274 	struct ieee80211com *ic = vap->iv_ic;
275 	struct ieee80211_scan_state *ss = ic->ic_scan;
276 	int result;
277 
278 	IEEE80211_LOCK_ASSERT(ic);
279 
280 	if (ss->ss_ops != NULL) {
281 		/* XXX verify ss_ops matches vap->iv_opmode */
282 		if ((flags & IEEE80211_SCAN_NOSSID) == 0) {
283 			/*
284 			 * Update the ssid list and mark flags so if
285 			 * we call start_scan it doesn't duplicate work.
286 			 */
287 			ieee80211_scan_copy_ssid(vap, ss, nssid, ssids);
288 			flags |= IEEE80211_SCAN_NOSSID;
289 		}
290 		if ((ic->ic_flags & IEEE80211_F_SCAN) == 0 &&
291 		    (flags & IEEE80211_SCAN_FLUSH) == 0 &&
292 		    ieee80211_time_before(ticks, ic->ic_lastscan + vap->iv_scanvalid)) {
293 			/*
294 			 * We're not currently scanning and the cache is
295 			 * deemed hot enough to consult.  Lock out others
296 			 * by marking IEEE80211_F_SCAN while we decide if
297 			 * something is already in the scan cache we can
298 			 * use.  Also discard any frames that might come
299 			 * in while temporarily marked as scanning.
300 			 */
301 			IEEE80211_DPRINTF(vap, IEEE80211_MSG_SCAN,
302 			    "cache hot; ic_lastscan=%d, scanvalid=%d, ticks=%d\n",
303 			    ic->ic_lastscan,
304 			    vap->iv_scanvalid,
305 			    ticks);
306 			SCAN_PRIVATE(ss)->ss_iflags |= ISCAN_DISCARD;
307 			ic->ic_flags |= IEEE80211_F_SCAN;
308 
309 			/* NB: need to use supplied flags in check */
310 			ss->ss_flags = flags & 0xff;
311 			result = ss->ss_ops->scan_end(ss, vap);
312 
313 			ic->ic_flags &= ~IEEE80211_F_SCAN;
314 			SCAN_PRIVATE(ss)->ss_iflags &= ~ISCAN_DISCARD;
315 			IEEE80211_DPRINTF(vap, IEEE80211_MSG_SCAN,
316 			    "%s: scan_end returned %d\n", __func__, result);
317 			if (result) {
318 				ieee80211_notify_scan_done(vap);
319 				return 1;
320 			}
321 		}
322 	}
323 	result = ieee80211_swscan_start_scan_locked(scan, vap, flags, duration,
324 	    mindwell, maxdwell, nssid, ssids);
325 
326 	return result;
327 }
328 
329 /*
330  * Restart a previous scan.  If the previous scan completed
331  * then we start again using the existing channel list.
332  */
333 static int
334 ieee80211_swscan_bg_scan(const struct ieee80211_scanner *scan,
335     struct ieee80211vap *vap, int flags)
336 {
337 	struct ieee80211com *ic = vap->iv_ic;
338 	struct ieee80211_scan_state *ss = ic->ic_scan;
339 	bool scanning;
340 
341 	/* XXX assert unlocked? */
342 	// IEEE80211_UNLOCK_ASSERT(ic);
343 
344 	IEEE80211_LOCK(ic);
345 	scanning = ic->ic_flags & IEEE80211_F_SCAN;
346 	if (!scanning) {
347 		u_int duration;
348 		/*
349 		 * Go off-channel for a fixed interval that is large
350 		 * enough to catch most ap's but short enough that
351 		 * we can return on-channel before our listen interval
352 		 * expires.
353 		 */
354 		duration = IEEE80211_SCAN_OFFCHANNEL;
355 
356 		IEEE80211_DPRINTF(vap, IEEE80211_MSG_SCAN,
357 		    "%s: %s scan, ticks %u duration %u\n", __func__,
358 		    ss->ss_flags & IEEE80211_SCAN_ACTIVE ? "active" : "passive",
359 		    ticks, duration);
360 
361 		ieee80211_scan_update_locked(vap, scan);
362 		if (ss->ss_ops != NULL) {
363 			ss->ss_vap = vap;
364 			/*
365 			 * A background scan does not select a new sta; it
366 			 * just refreshes the scan cache.  Also, indicate
367 			 * the scan logic should follow the beacon schedule:
368 			 * we go off-channel and scan for a while, then
369 			 * return to the bss channel to receive a beacon,
370 			 * then go off-channel again.  All during this time
371 			 * we notify the ap we're in power save mode.  When
372 			 * the scan is complete we leave power save mode.
373 			 * If any beacon indicates there are frames pending
374 			 * for us then we drop out of power save mode
375 			 * (and background scan) automatically by way of the
376 			 * usual sta power save logic.
377 			 */
378 			ss->ss_flags |= IEEE80211_SCAN_NOPICK
379 				     |  IEEE80211_SCAN_BGSCAN
380 				     |  flags
381 				     ;
382 			/* if previous scan completed, restart */
383 			if (ss->ss_next >= ss->ss_last) {
384 				if (ss->ss_flags & IEEE80211_SCAN_ACTIVE)
385 					vap->iv_stats.is_scan_active++;
386 				else
387 					vap->iv_stats.is_scan_passive++;
388 				/*
389 				 * NB: beware of the scan cache being flushed;
390 				 *     if the channel list is empty use the
391 				 *     scan_start method to populate it.
392 				 */
393 				ss->ss_next = 0;
394 				if (ss->ss_last != 0)
395 					ss->ss_ops->scan_restart(ss, vap);
396 				else {
397 					ss->ss_ops->scan_start(ss, vap);
398 #ifdef IEEE80211_DEBUG
399 					if (ieee80211_msg_scan(vap))
400 						ieee80211_scan_dump(ss);
401 #endif /* IEEE80211_DEBUG */
402 				}
403 			}
404 			ieee80211_swscan_set_scan_duration(vap, duration);
405 			ss->ss_maxdwell = duration;
406 			ic->ic_flags |= IEEE80211_F_SCAN;
407 			ic->ic_flags_ext |= IEEE80211_FEXT_BGSCAN;
408 			ieee80211_runtask(ic,
409 			    &SCAN_PRIVATE(ss)->ss_scan_start);
410 			scanning = true;
411 		} else {
412 			/* XXX msg+stat */
413 		}
414 	} else {
415 		IEEE80211_DPRINTF(vap, IEEE80211_MSG_SCAN,
416 		    "%s: %s scan already in progress\n", __func__,
417 		    ss->ss_flags & IEEE80211_SCAN_ACTIVE ? "active" : "passive");
418 	}
419 	IEEE80211_UNLOCK(ic);
420 
421 	return (scanning);
422 }
423 
424 /*
425  * Taskqueue work to cancel a scan.
426  *
427  * Note: for offload scan devices, we may want to call into the
428  * driver to try and cancel scanning, however it may not be cancelable.
429  */
430 static void
431 cancel_scan(struct ieee80211vap *vap, int any, const char *func)
432 {
433 	struct ieee80211com *ic = vap->iv_ic;
434 	struct ieee80211_scan_state *ss = ic->ic_scan;
435 	struct scan_state *ss_priv = SCAN_PRIVATE(ss);
436 	int signal;
437 
438 	IEEE80211_LOCK(ic);
439 	signal = any ? ISCAN_PAUSE : ISCAN_CANCEL;
440 	if ((ic->ic_flags & IEEE80211_F_SCAN) &&
441 	    (any || ss->ss_vap == vap) &&
442 	    (ss_priv->ss_iflags & signal) == 0) {
443 		IEEE80211_DPRINTF(vap, IEEE80211_MSG_SCAN,
444 		    "%s: %s %s scan\n", func,
445 		    any ? "pause" : "cancel",
446 		    ss->ss_flags & IEEE80211_SCAN_ACTIVE ?
447 			"active" : "passive");
448 
449 		/* clear bg scan NOPICK */
450 		ss->ss_flags &= ~IEEE80211_SCAN_NOPICK;
451 		/* mark request and wake up the scan task */
452 		scan_signal_locked(ss, signal);
453 	} else {
454 		IEEE80211_DPRINTF(vap, IEEE80211_MSG_SCAN,
455 		    "%s: called; F_SCAN=%d, vap=%s, signal=%d\n",
456 			func,
457 			!! (ic->ic_flags & IEEE80211_F_SCAN),
458 			(ss->ss_vap == vap ? "match" : "nomatch"),
459 			!! (ss_priv->ss_iflags & signal));
460 	}
461 	IEEE80211_UNLOCK(ic);
462 }
463 
464 /*
465  * Cancel any scan currently going on for the specified vap.
466  */
467 static void
468 ieee80211_swscan_cancel_scan(struct ieee80211vap *vap)
469 {
470 	cancel_scan(vap, 0, __func__);
471 }
472 
473 /*
474  * Cancel any scan currently going on.
475  */
476 static void
477 ieee80211_swscan_cancel_anyscan(struct ieee80211vap *vap)
478 {
479 
480 	/* XXX for now - just don't do this per packet. */
481 	if (vap->iv_flags_ext & IEEE80211_FEXT_SCAN_OFFLOAD)
482 		return;
483 
484 	cancel_scan(vap, 1, __func__);
485 }
486 
487 /*
488  * Manually switch to the next channel in the channel list.
489  * Provided for drivers that manage scanning themselves
490  * (e.g. for firmware-based devices).
491  */
492 static void
493 ieee80211_swscan_scan_next(struct ieee80211vap *vap)
494 {
495 	struct ieee80211_scan_state *ss = vap->iv_ic->ic_scan;
496 
497 	IEEE80211_DPRINTF(vap, IEEE80211_MSG_SCAN, "%s: called\n", __func__);
498 
499 	/* wake up the scan task */
500 	scan_signal(ss, 0);
501 }
502 
503 /*
504  * Manually stop a scan that is currently running.
505  * Provided for drivers that are not able to scan single channels
506  * (e.g. for firmware-based devices).
507  */
508 static void
509 ieee80211_swscan_scan_done(struct ieee80211vap *vap)
510 {
511 	struct ieee80211com *ic = vap->iv_ic;
512 	struct ieee80211_scan_state *ss = ic->ic_scan;
513 
514 	IEEE80211_LOCK_ASSERT(ic);
515 
516 	scan_signal_locked(ss, 0);
517 }
518 
519 /*
520  * Probe the current channel, if allowed, while scanning.
521  * If the channel is not marked passive-only then send
522  * a probe request immediately.  Otherwise mark state and
523  * listen for beacons on the channel; if we receive something
524  * then we'll transmit a probe request.
525  */
526 static void
527 ieee80211_swscan_probe_curchan(struct ieee80211vap *vap, int force)
528 {
529 	struct ieee80211com *ic = vap->iv_ic;
530 	struct ieee80211_scan_state *ss = ic->ic_scan;
531 	struct ifnet *ifp = vap->iv_ifp;
532 	int i;
533 
534 	/*
535 	 * Full-offload scan devices don't require this.
536 	 */
537 	if (vap->iv_flags_ext & IEEE80211_FEXT_SCAN_OFFLOAD)
538 		return;
539 
540 	/*
541 	 * Send directed probe requests followed by any
542 	 * broadcast probe request.
543 	 * XXX remove dependence on ic/vap->iv_bss
544 	 */
545 	for (i = 0; i < ss->ss_nssid; i++)
546 		ieee80211_send_probereq(vap->iv_bss,
547 			vap->iv_myaddr, ifp->if_broadcastaddr,
548 			ifp->if_broadcastaddr,
549 			ss->ss_ssid[i].ssid, ss->ss_ssid[i].len);
550 	if ((ss->ss_flags & IEEE80211_SCAN_NOBCAST) == 0)
551 		ieee80211_send_probereq(vap->iv_bss,
552 			vap->iv_myaddr, ifp->if_broadcastaddr,
553 			ifp->if_broadcastaddr,
554 			"", 0);
555 }
556 
557 /*
558  * Scan curchan.  If this is an active scan and the channel
559  * is not marked passive then send probe request frame(s).
560  * Arrange for the channel change after maxdwell ticks.
561  */
562 static void
563 scan_curchan(struct ieee80211_scan_state *ss, unsigned long maxdwell)
564 {
565 	struct ieee80211vap *vap  = ss->ss_vap;
566 	struct ieee80211com *ic = ss->ss_ic;
567 
568 	IEEE80211_DPRINTF(vap, IEEE80211_MSG_SCAN,
569 	    "%s: calling; maxdwell=%lu\n",
570 	    __func__,
571 	    maxdwell);
572 	IEEE80211_LOCK(ic);
573 	if (ss->ss_flags & IEEE80211_SCAN_ACTIVE)
574 		ieee80211_probe_curchan(vap, 0);
575 	taskqueue_enqueue_timeout(ic->ic_tq,
576 	    &SCAN_PRIVATE(ss)->ss_scan_curchan, maxdwell);
577 	IEEE80211_UNLOCK(ic);
578 }
579 
580 static void
581 scan_signal(struct ieee80211_scan_state *ss, int iflags)
582 {
583 	struct ieee80211com *ic = ss->ss_ic;
584 
585 	IEEE80211_UNLOCK_ASSERT(ic);
586 
587 	IEEE80211_LOCK(ic);
588 	scan_signal_locked(ss, iflags);
589 	IEEE80211_UNLOCK(ic);
590 }
591 
592 static void
593 scan_signal_locked(struct ieee80211_scan_state *ss, int iflags)
594 {
595 	struct scan_state *ss_priv = SCAN_PRIVATE(ss);
596 	struct timeout_task *scan_task = &ss_priv->ss_scan_curchan;
597 	struct ieee80211com *ic = ss->ss_ic;
598 
599 	IEEE80211_LOCK_ASSERT(ic);
600 
601 	ss_priv->ss_iflags |= iflags;
602 	if (ss_priv->ss_iflags & ISCAN_RUNNING) {
603 		if (taskqueue_cancel_timeout(ic->ic_tq, scan_task, NULL) == 0)
604 			taskqueue_enqueue_timeout(ic->ic_tq, scan_task, 0);
605 	}
606 }
607 
608 /*
609  * Handle mindwell requirements completed; initiate a channel
610  * change to the next channel asap.
611  */
612 static void
613 scan_mindwell(struct ieee80211_scan_state *ss)
614 {
615 
616 	IEEE80211_DPRINTF(ss->ss_vap, IEEE80211_MSG_SCAN, "%s: called\n",
617 	    __func__);
618 
619 	scan_signal(ss, 0);
620 }
621 
622 static void
623 scan_start(void *arg, int pending)
624 {
625 #define	ISCAN_REP	(ISCAN_MINDWELL | ISCAN_DISCARD)
626 	struct ieee80211_scan_state *ss = (struct ieee80211_scan_state *) arg;
627 	struct scan_state *ss_priv = SCAN_PRIVATE(ss);
628 	struct ieee80211vap *vap = ss->ss_vap;
629 	struct ieee80211com *ic = ss->ss_ic;
630 
631 	IEEE80211_LOCK(ic);
632 	if (vap == NULL || (ic->ic_flags & IEEE80211_F_SCAN) == 0 ||
633 	    (ss_priv->ss_iflags & ISCAN_ABORT)) {
634 		/* Cancelled before we started */
635 		scan_done(ss, 0);
636 		return;
637 	}
638 
639 	if (ss->ss_next == ss->ss_last) {
640 		IEEE80211_DPRINTF(vap, IEEE80211_MSG_SCAN,
641 			"%s: no channels to scan\n", __func__);
642 		scan_done(ss, 1);
643 		return;
644 	}
645 
646 	/*
647 	 * Put the station into power save mode.
648 	 *
649 	 * This is only required if we're not a full-offload devices;
650 	 * those devices manage scan/traffic differently.
651 	 */
652 	if (((vap->iv_flags_ext & IEEE80211_FEXT_SCAN_OFFLOAD) == 0) &&
653 	    vap->iv_opmode == IEEE80211_M_STA &&
654 	    vap->iv_state == IEEE80211_S_RUN) {
655 		if ((vap->iv_bss->ni_flags & IEEE80211_NODE_PWR_MGT) == 0) {
656 			/* Enable station power save mode */
657 			vap->iv_sta_ps(vap, 1);
658 			/* Wait until null data frame will be ACK'ed */
659 			mtx_sleep(vap, IEEE80211_LOCK_OBJ(ic), PCATCH,
660 			    "sta_ps", msecs_to_ticks(10));
661 			if (ss_priv->ss_iflags & ISCAN_ABORT) {
662 				scan_done(ss, 0);
663 				return;
664 			}
665 		}
666 	}
667 
668 	ss_priv->ss_scanend = ticks + ss_priv->ss_duration;
669 
670 	/* XXX scan state can change! Re-validate scan state! */
671 
672 	IEEE80211_UNLOCK(ic);
673 
674 	ic->ic_scan_start(ic);		/* notify driver */
675 
676 	scan_curchan_task(ss, 0);
677 }
678 
679 static void
680 scan_curchan_task(void *arg, int pending)
681 {
682 	struct ieee80211_scan_state *ss = arg;
683 	struct scan_state *ss_priv = SCAN_PRIVATE(ss);
684 	struct ieee80211com *ic = ss->ss_ic;
685 	struct ieee80211_channel *chan;
686 	unsigned long maxdwell;
687 	int scandone, scanstop;
688 
689 	IEEE80211_LOCK(ic);
690 end:
691 	/*
692 	 * Note: only /end/ the scan if we're CANCEL rather than
693 	 * CANCEL+INTERRUPT (ie, 'PAUSE').
694 	 *
695 	 * We can stop the scan if we hit cancel, but we shouldn't
696 	 * call scan_end(ss, 1) if we're just PAUSEing the scan.
697 	 */
698 	scandone = (ss->ss_next >= ss->ss_last) ||
699 	    ((ss_priv->ss_iflags & ISCAN_PAUSE) == ISCAN_CANCEL);
700 	scanstop = (ss->ss_next >= ss->ss_last) ||
701 	    ((ss_priv->ss_iflags & ISCAN_CANCEL) != 0);
702 
703 	IEEE80211_DPRINTF(ss->ss_vap, IEEE80211_MSG_SCAN,
704 	    "%s: loop start; scandone=%d, scanstop=%d, ss_iflags=0x%x, ss_next=%u, ss_last=%u\n",
705 	    __func__,
706 	    scandone,
707 	    scanstop,
708 	    (uint32_t) ss_priv->ss_iflags,
709 	    (uint32_t) ss->ss_next,
710 	    (uint32_t) ss->ss_last);
711 
712 	if (scanstop || (ss->ss_flags & IEEE80211_SCAN_GOTPICK) ||
713 	    (ss_priv->ss_iflags & ISCAN_ABORT) ||
714 	     ieee80211_time_after(ticks + ss->ss_mindwell, ss_priv->ss_scanend)) {
715 		ss_priv->ss_iflags &= ~ISCAN_RUNNING;
716 		scan_end(ss, scandone);
717 		return;
718 	} else
719 		ss_priv->ss_iflags |= ISCAN_RUNNING;
720 
721 	chan = ss->ss_chans[ss->ss_next++];
722 
723 	/*
724 	 * Watch for truncation due to the scan end time.
725 	 */
726 	if (ieee80211_time_after(ticks + ss->ss_maxdwell, ss_priv->ss_scanend))
727 		maxdwell = ss_priv->ss_scanend - ticks;
728 	else
729 		maxdwell = ss->ss_maxdwell;
730 
731 	IEEE80211_DPRINTF(ss->ss_vap, IEEE80211_MSG_SCAN,
732 	    "%s: chan %3d%c -> %3d%c [%s, dwell min %lums max %lums]\n",
733 	    __func__,
734 	    ieee80211_chan2ieee(ic, ic->ic_curchan),
735 	    ieee80211_channel_type_char(ic->ic_curchan),
736 	    ieee80211_chan2ieee(ic, chan),
737 	    ieee80211_channel_type_char(chan),
738 	    (ss->ss_flags & IEEE80211_SCAN_ACTIVE) &&
739 		(chan->ic_flags & IEEE80211_CHAN_PASSIVE) == 0 ?
740 		"active" : "passive",
741 	    ticks_to_msecs(ss->ss_mindwell), ticks_to_msecs(maxdwell));
742 
743 	/*
744 	 * Potentially change channel and phy mode.
745 	 */
746 	ic->ic_curchan = chan;
747 	ic->ic_rt = ieee80211_get_ratetable(chan);
748 	IEEE80211_UNLOCK(ic);
749 	/*
750 	 * Perform the channel change and scan unlocked so the driver
751 	 * may sleep. Once set_channel returns the hardware has
752 	 * completed the channel change.
753 	 */
754 	ic->ic_set_channel(ic);
755 	ieee80211_radiotap_chan_change(ic);
756 
757 	/*
758 	 * Scan curchan.  Drivers for "intelligent hardware"
759 	 * override ic_scan_curchan to tell the device to do
760 	 * the work.  Otherwise we manage the work ourselves;
761 	 * sending a probe request (as needed), and arming the
762 	 * timeout to switch channels after maxdwell ticks.
763 	 *
764 	 * scan_curchan should only pause for the time required to
765 	 * prepare/initiate the hardware for the scan (if at all).
766 	 */
767 	ic->ic_scan_curchan(ss, maxdwell);
768 	IEEE80211_LOCK(ic);
769 
770 	/* XXX scan state can change! Re-validate scan state! */
771 
772 	ss_priv->ss_chanmindwell = ticks + ss->ss_mindwell;
773 	/* clear mindwell lock and initial channel change flush */
774 	ss_priv->ss_iflags &= ~ISCAN_REP;
775 
776 	if (ss_priv->ss_iflags & (ISCAN_CANCEL|ISCAN_ABORT)) {
777 		taskqueue_cancel_timeout(ic->ic_tq, &ss_priv->ss_scan_curchan,
778 		    NULL);
779 		goto end;
780 	}
781 
782 	IEEE80211_DPRINTF(ss->ss_vap, IEEE80211_MSG_SCAN, "%s: waiting\n",
783 	    __func__);
784 	IEEE80211_UNLOCK(ic);
785 }
786 
787 static void
788 scan_end(struct ieee80211_scan_state *ss, int scandone)
789 {
790 	struct scan_state *ss_priv = SCAN_PRIVATE(ss);
791 	struct ieee80211vap *vap = ss->ss_vap;
792 	struct ieee80211com *ic = ss->ss_ic;
793 
794 	IEEE80211_LOCK_ASSERT(ic);
795 
796 	IEEE80211_DPRINTF(vap, IEEE80211_MSG_SCAN, "%s: out\n", __func__);
797 
798 	if (ss_priv->ss_iflags & ISCAN_ABORT) {
799 		scan_done(ss, scandone);
800 		return;
801 	}
802 
803 	IEEE80211_UNLOCK(ic);
804 	ic->ic_scan_end(ic);		/* notify driver */
805 	IEEE80211_LOCK(ic);
806 	/* XXX scan state can change! Re-validate scan state! */
807 
808 	/*
809 	 * Since a cancellation may have occurred during one of the
810 	 * driver calls (whilst unlocked), update scandone.
811 	 */
812 	if ((scandone == 0) && ((ss_priv->ss_iflags & ISCAN_PAUSE) == ISCAN_CANCEL)) {
813 		/* XXX printf? */
814 		if_printf(vap->iv_ifp,
815 		    "%s: OOPS! scan cancelled during driver call (1) (ss_iflags=0x%x)!\n",
816 		    __func__,
817 		    ss_priv->ss_iflags);
818 		scandone = 1;
819 	}
820 
821 	/*
822 	 * Record scan complete time.  Note that we also do
823 	 * this when canceled so any background scan will
824 	 * not be restarted for a while.
825 	 */
826 	if (scandone)
827 		ic->ic_lastscan = ticks;
828 	/* return to the bss channel */
829 	if (ic->ic_bsschan != IEEE80211_CHAN_ANYC &&
830 	    ic->ic_curchan != ic->ic_bsschan) {
831 		ieee80211_setupcurchan(ic, ic->ic_bsschan);
832 		IEEE80211_UNLOCK(ic);
833 		ic->ic_set_channel(ic);
834 		ieee80211_radiotap_chan_change(ic);
835 		IEEE80211_LOCK(ic);
836 	}
837 	/* clear internal flags and any indication of a pick */
838 	ss_priv->ss_iflags &= ~ISCAN_REP;
839 	ss->ss_flags &= ~IEEE80211_SCAN_GOTPICK;
840 
841 	/*
842 	 * If not canceled and scan completed, do post-processing.
843 	 * If the callback function returns 0, then it wants to
844 	 * continue/restart scanning.  Unfortunately we needed to
845 	 * notify the driver to end the scan above to avoid having
846 	 * rx frames alter the scan candidate list.
847 	 */
848 	if ((ss_priv->ss_iflags & ISCAN_CANCEL) == 0 &&
849 	    !ss->ss_ops->scan_end(ss, vap) &&
850 	    (ss->ss_flags & IEEE80211_SCAN_ONCE) == 0 &&
851 	    ieee80211_time_before(ticks + ss->ss_mindwell, ss_priv->ss_scanend)) {
852 		IEEE80211_DPRINTF(vap, IEEE80211_MSG_SCAN,
853 		    "%s: done, restart "
854 		    "[ticks %u, dwell min %lu scanend %lu]\n",
855 		    __func__,
856 		    ticks, ss->ss_mindwell, ss_priv->ss_scanend);
857 		ss->ss_next = 0;	/* reset to beginning */
858 		if (ss->ss_flags & IEEE80211_SCAN_ACTIVE)
859 			vap->iv_stats.is_scan_active++;
860 		else
861 			vap->iv_stats.is_scan_passive++;
862 
863 		ss->ss_ops->scan_restart(ss, vap);	/* XXX? */
864 		ieee80211_runtask(ic, &ss_priv->ss_scan_start);
865 		IEEE80211_UNLOCK(ic);
866 		return;
867 	}
868 
869 	/* past here, scandone is ``true'' if not in bg mode */
870 	if ((ss->ss_flags & IEEE80211_SCAN_BGSCAN) == 0)
871 		scandone = 1;
872 
873 	IEEE80211_DPRINTF(vap, IEEE80211_MSG_SCAN,
874 	    "%s: %s, [ticks %u, dwell min %lu scanend %lu]\n",
875 	    __func__, scandone ? "done" : "stopped",
876 	    ticks, ss->ss_mindwell, ss_priv->ss_scanend);
877 
878 	/*
879 	 * Since a cancellation may have occurred during one of the
880 	 * driver calls (whilst unlocked), update scandone.
881 	 */
882 	if (scandone == 0 && (ss_priv->ss_iflags & ISCAN_PAUSE) == ISCAN_CANCEL) {
883 		/* XXX printf? */
884 		if_printf(vap->iv_ifp,
885 		    "%s: OOPS! scan cancelled during driver call (2) (ss_iflags=0x%x)!\n",
886 		    __func__,
887 		    ss_priv->ss_iflags);
888 		scandone = 1;
889 	}
890 
891 	scan_done(ss, scandone);
892 }
893 
894 static void
895 scan_done(struct ieee80211_scan_state *ss, int scandone)
896 {
897 	struct scan_state *ss_priv = SCAN_PRIVATE(ss);
898 	struct ieee80211com *ic = ss->ss_ic;
899 	struct ieee80211vap *vap = ss->ss_vap;
900 
901 	IEEE80211_LOCK_ASSERT(ic);
902 
903 	/*
904 	 * Clear the SCAN bit first in case frames are
905 	 * pending on the station power save queue.  If
906 	 * we defer this then the dispatch of the frames
907 	 * may generate a request to cancel scanning.
908 	 */
909 	ic->ic_flags &= ~IEEE80211_F_SCAN;
910 
911 	/*
912 	 * Drop out of power save mode when a scan has
913 	 * completed.  If this scan was prematurely terminated
914 	 * because it is a background scan then don't notify
915 	 * the ap; we'll either return to scanning after we
916 	 * receive the beacon frame or we'll drop out of power
917 	 * save mode because the beacon indicates we have frames
918 	 * waiting for us.
919 	 */
920 	if (scandone) {
921 		/*
922 		 * If we're not a scan offload device, come back out of
923 		 * station powersave.  Offload devices handle this themselves.
924 		 */
925 		if ((vap->iv_flags_ext & IEEE80211_FEXT_SCAN_OFFLOAD) == 0)
926 			vap->iv_sta_ps(vap, 0);
927 		if (ss->ss_next >= ss->ss_last) {
928 			IEEE80211_DPRINTF(vap, IEEE80211_MSG_SCAN,
929 			    "%s: Dropping out of scan; ss_next=%u, ss_last=%u\n",
930 			    __func__,
931 			    (uint32_t) ss->ss_next,
932 			    (uint32_t) ss->ss_last);
933 			ic->ic_flags_ext &= ~IEEE80211_FEXT_BGSCAN;
934 		}
935 
936 		/* send 'scan done' event if not interrupted due to traffic. */
937 		if (!(ss_priv->ss_iflags & ISCAN_INTERRUPT) ||
938 		    (ss->ss_next >= ss->ss_last))
939 			ieee80211_notify_scan_done(vap);
940 	}
941 	ss_priv->ss_iflags &= ~(ISCAN_PAUSE | ISCAN_ABORT);
942 	ss_priv->ss_scanend = 0;
943 	ss->ss_flags &= ~(IEEE80211_SCAN_ONCE | IEEE80211_SCAN_PICK1ST);
944 	IEEE80211_UNLOCK(ic);
945 #undef ISCAN_REP
946 }
947 
948 /*
949  * Process a beacon or probe response frame.
950  */
951 static void
952 ieee80211_swscan_add_scan(struct ieee80211vap *vap,
953 	struct ieee80211_channel *curchan,
954 	const struct ieee80211_scanparams *sp,
955 	const struct ieee80211_frame *wh,
956 	int subtype, int rssi, int noise)
957 {
958 	struct ieee80211com *ic = vap->iv_ic;
959 	struct ieee80211_scan_state *ss = ic->ic_scan;
960 
961 	/* XXX locking */
962 	/*
963 	 * Frames received during startup are discarded to avoid
964 	 * using scan state setup on the initial entry to the timer
965 	 * callback.  This can occur because the device may enable
966 	 * rx prior to our doing the initial channel change in the
967 	 * timer routine.
968 	 */
969 	if (SCAN_PRIVATE(ss)->ss_iflags & ISCAN_DISCARD)
970 		return;
971 #ifdef IEEE80211_DEBUG
972 	if (ieee80211_msg_scan(vap) && (ic->ic_flags & IEEE80211_F_SCAN))
973 		ieee80211_scan_dump_probe_beacon(subtype, 1, wh->i_addr2, sp, rssi);
974 #endif
975 	if (ss->ss_ops != NULL &&
976 	    ss->ss_ops->scan_add(ss, curchan, sp, wh, subtype, rssi, noise)) {
977 		/*
978 		 * If we've reached the min dwell time terminate
979 		 * the timer so we'll switch to the next channel.
980 		 */
981 		if ((SCAN_PRIVATE(ss)->ss_iflags & ISCAN_MINDWELL) == 0 &&
982 		    ieee80211_time_after_eq(ticks, SCAN_PRIVATE(ss)->ss_chanmindwell)) {
983 			IEEE80211_DPRINTF(vap, IEEE80211_MSG_SCAN,
984 			    "%s: chan %3d%c min dwell met (%u > %lu)\n",
985 			    __func__,
986 			    ieee80211_chan2ieee(ic, ic->ic_curchan),
987 			    ieee80211_channel_type_char(ic->ic_curchan),
988 			    ticks, SCAN_PRIVATE(ss)->ss_chanmindwell);
989 			SCAN_PRIVATE(ss)->ss_iflags |= ISCAN_MINDWELL;
990 			/*
991 			 * NB: trigger at next clock tick or wait for the
992 			 * hardware.
993 			 */
994 			ic->ic_scan_mindwell(ss);
995 		}
996 	}
997 }
998 
999 static struct ieee80211_scan_methods swscan_methods = {
1000 	.sc_attach = ieee80211_swscan_attach,
1001 	.sc_detach = ieee80211_swscan_detach,
1002 	.sc_vattach = ieee80211_swscan_vattach,
1003 	.sc_vdetach = ieee80211_swscan_vdetach,
1004 	.sc_set_scan_duration = ieee80211_swscan_set_scan_duration,
1005 	.sc_start_scan = ieee80211_swscan_start_scan,
1006 	.sc_check_scan = ieee80211_swscan_check_scan,
1007 	.sc_bg_scan = ieee80211_swscan_bg_scan,
1008 	.sc_cancel_scan = ieee80211_swscan_cancel_scan,
1009 	.sc_cancel_anyscan = ieee80211_swscan_cancel_anyscan,
1010 	.sc_scan_next = ieee80211_swscan_scan_next,
1011 	.sc_scan_done = ieee80211_swscan_scan_done,
1012 	.sc_scan_probe_curchan = ieee80211_swscan_probe_curchan,
1013 	.sc_add_scan = ieee80211_swscan_add_scan
1014 };
1015 
1016 /*
1017  * Default scan attach method.
1018  */
1019 void
1020 ieee80211_swscan_attach(struct ieee80211com *ic)
1021 {
1022 	struct scan_state *ss;
1023 
1024 	/*
1025 	 * Setup the default methods
1026 	 */
1027 	ic->ic_scan_methods = &swscan_methods;
1028 
1029 	/* Allocate initial scan state */
1030 	ss = (struct scan_state *) IEEE80211_MALLOC(sizeof(struct scan_state),
1031 		M_80211_SCAN, IEEE80211_M_NOWAIT | IEEE80211_M_ZERO);
1032 	if (ss == NULL) {
1033 		ic->ic_scan = NULL;
1034 		return;
1035 	}
1036 	TASK_INIT(&ss->ss_scan_start, 0, scan_start, ss);
1037 	TIMEOUT_TASK_INIT(ic->ic_tq, &ss->ss_scan_curchan, 0,
1038 	    scan_curchan_task, ss);
1039 
1040 	ic->ic_scan = &ss->base;
1041 	ss->base.ss_ic = ic;
1042 
1043 	ic->ic_scan_curchan = scan_curchan;
1044 	ic->ic_scan_mindwell = scan_mindwell;
1045 }
1046