mac80211: support remain-on-channel command

This implements the new remain-on-channel cfg80211
command in mac80211, extending the work interface.

Also change the work purge code to be able to clean
up events properly (pretending they timed out.)

Signed-off-by: Jouni Malinen <jouni.malinen@atheros.com>
Signed-off-by: Johannes Berg <johannes@sipsolutions.net>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
diff --git a/net/mac80211/cfg.c b/net/mac80211/cfg.c
index ea862df..2e5e841 100644
--- a/net/mac80211/cfg.c
+++ b/net/mac80211/cfg.c
@@ -1441,6 +1441,28 @@
 	return -EINVAL;
 }
 
+static int ieee80211_remain_on_channel(struct wiphy *wiphy,
+				       struct net_device *dev,
+				       struct ieee80211_channel *chan,
+				       enum nl80211_channel_type channel_type,
+				       unsigned int duration,
+				       u64 *cookie)
+{
+	struct ieee80211_sub_if_data *sdata = IEEE80211_DEV_TO_SUB_IF(dev);
+
+	return ieee80211_wk_remain_on_channel(sdata, chan, channel_type,
+					      duration, cookie);
+}
+
+static int ieee80211_cancel_remain_on_channel(struct wiphy *wiphy,
+					      struct net_device *dev,
+					      u64 cookie)
+{
+	struct ieee80211_sub_if_data *sdata = IEEE80211_DEV_TO_SUB_IF(dev);
+
+	return ieee80211_wk_cancel_remain_on_channel(sdata, cookie);
+}
+
 struct cfg80211_ops mac80211_config_ops = {
 	.add_virtual_intf = ieee80211_add_iface,
 	.del_virtual_intf = ieee80211_del_iface,
@@ -1487,4 +1509,6 @@
 	CFG80211_TESTMODE_CMD(ieee80211_testmode_cmd)
 	.set_power_mgmt = ieee80211_set_power_mgmt,
 	.set_bitrate_mask = ieee80211_set_bitrate_mask,
+	.remain_on_channel = ieee80211_remain_on_channel,
+	.cancel_remain_on_channel = ieee80211_cancel_remain_on_channel,
 };
diff --git a/net/mac80211/ieee80211_i.h b/net/mac80211/ieee80211_i.h
index fd912eb..23547eb 100644
--- a/net/mac80211/ieee80211_i.h
+++ b/net/mac80211/ieee80211_i.h
@@ -225,9 +225,11 @@
 };
 
 enum ieee80211_work_type {
+	IEEE80211_WORK_ABORT,
 	IEEE80211_WORK_DIRECT_PROBE,
 	IEEE80211_WORK_AUTH,
 	IEEE80211_WORK_ASSOC,
+	IEEE80211_WORK_REMAIN_ON_CHANNEL,
 };
 
 /**
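Review bot: `IEEE80211_WORK_ABORT` is inserted as the first enumerator, so it takes the value 0 and every existing type shifts by one. Work items are allocated with `kzalloc()` (see `ieee80211_wk_remain_on_channel()` in this patch), so any item whose `type` is never set explicitly would now read as an abort request rather than a direct probe. If that is not intended, append the new value at the end of the enum. Either way, a comment such as `/* internal: set only by ieee80211_work_purge() */` would make clear that callers must not queue this type themselves.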
@@ -283,6 +285,9 @@
 			u8 supp_rates_len;
 			bool wmm_used, use_11n;
 		} assoc;
+		struct {
+			unsigned long timeout;
+		} remain;
 	};
 
 	int ie_len;
@@ -729,6 +734,10 @@
 	enum nl80211_channel_type oper_channel_type;
 	struct ieee80211_channel *oper_channel, *csa_channel;
 
+	/* Temporary remain-on-channel for off-channel operations */
+	struct ieee80211_channel *tmp_channel;
+	enum nl80211_channel_type tmp_channel_type;
+
 	/* SNMP counters */
 	/* dot11CountersTable */
 	u32 dot11TransmittedFragmentCount;
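Review bot: The comment on `tmp_channel` does not say which lock protects it. In this patch the field is written in `ieee80211_wk_remain_on_channel()` with no lock held, cleared in `ieee80211_wk_cancel_remain_on_channel()` after `work_mtx` has been dropped, and read without a lock in the `mlme.c` and `main.c` hunks. Document the rule, e.g. `/* Temporary remain-on-channel for off-channel operations; protected by <lock> */`, or state that the unlocked reads are intentional. Nothing visible rejects a second request while `tmp_channel` is already set, so concurrent requests would overwrite each other's channel. The enclosing struct starts and ends outside this hunk.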
@@ -1162,6 +1171,12 @@
 void ieee80211_work_purge(struct ieee80211_sub_if_data *sdata);
 ieee80211_rx_result ieee80211_work_rx_mgmt(struct ieee80211_sub_if_data *sdata,
 					   struct sk_buff *skb);
+int ieee80211_wk_remain_on_channel(struct ieee80211_sub_if_data *sdata,
+				   struct ieee80211_channel *chan,
+				   enum nl80211_channel_type channel_type,
+				   unsigned int duration, u64 *cookie);
+int ieee80211_wk_cancel_remain_on_channel(
+	struct ieee80211_sub_if_data *sdata, u64 cookie);
 
 #ifdef CONFIG_MAC80211_NOINLINE
 #define debug_noinline noinline
diff --git a/net/mac80211/main.c b/net/mac80211/main.c
index 5fcd354..d0a14d9 100644
--- a/net/mac80211/main.c
+++ b/net/mac80211/main.c
@@ -107,6 +107,9 @@
 	if (scan_chan) {
 		chan = scan_chan;
 		channel_type = NL80211_CHAN_NO_HT;
+	} else if (local->tmp_channel) {
+		chan = scan_chan = local->tmp_channel;
+		channel_type = local->tmp_channel_type;
 	} else {
 		chan = local->oper_channel;
 		channel_type = local->oper_channel_type;
diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c
index e44f1ed..32d6e66 100644
--- a/net/mac80211/mlme.c
+++ b/net/mac80211/mlme.c
@@ -857,6 +857,9 @@
 	if (sdata->local->scanning)
 		return;
 
+	if (sdata->local->tmp_channel)
+		return;
+
 	mutex_lock(&ifmgd->mtx);
 
 	if (!ifmgd->associated)
diff --git a/net/mac80211/offchannel.c b/net/mac80211/offchannel.c
index 2cd880e..a7bbfc4 100644
--- a/net/mac80211/offchannel.c
+++ b/net/mac80211/offchannel.c
@@ -106,9 +106,13 @@
 		/*
 		 * only handle non-STA interfaces here, STA interfaces
 		 * are handled in ieee80211_offchannel_stop_station(),
-		 * e.g., from the background scan state machine
+		 * e.g., from the background scan state machine.
+		 *
+		 * In addition, do not stop monitor interface to allow it to be
+		 * used from user space controlled off-channel operations.
 		 */
-		if (sdata->vif.type != NL80211_IFTYPE_STATION)
+		if (sdata->vif.type != NL80211_IFTYPE_STATION &&
+		    sdata->vif.type != NL80211_IFTYPE_MONITOR)
 			netif_stop_queue(sdata->dev);
 	}
 	mutex_unlock(&local->iflist_mtx);
diff --git a/net/mac80211/work.c b/net/mac80211/work.c
index 0b8c31c..0acea7c 100644
--- a/net/mac80211/work.c
+++ b/net/mac80211/work.c
@@ -538,6 +538,44 @@
 	return WORK_ACT_NONE;
 }
 
+static enum work_action __must_check
+ieee80211_remain_on_channel_timeout(struct ieee80211_work *wk)
+{
+	struct ieee80211_sub_if_data *sdata = wk->sdata;
+	struct ieee80211_local *local = sdata->local;
+
+	/*
+	 * First time we run, do nothing -- the generic code will
+	 * have switched to the right channel etc.
+	 */
+	if (wk->timeout != wk->remain.timeout) {
+		wk->timeout = wk->remain.timeout;
+		return WORK_ACT_NONE;
+	}
+
+	/*
+	 * We are done serving the remain-on-channel command; kill the work
+	 * item to allow idle state to be entered again. In addition, clear the
+	 * temporary channel information to allow operational channel to be
+	 * used.
+	 */
+	list_del(&wk->list);
+	free_work(wk);
+
+	if (local->tmp_channel) {
+		cfg80211_remain_on_channel_expired(sdata->dev, (u64)wk,
+						   local->tmp_channel,
+						   local->tmp_channel_type,
+						   GFP_KERNEL);
+
+		local->tmp_channel = NULL;
+		ieee80211_hw_config(local, IEEE80211_CONF_CHANGE_CHANNEL);
+		ieee80211_offchannel_return(local, true);
+	}
+
+	return WORK_ACT_NONE;
+}
+
 static void ieee80211_auth_challenge(struct ieee80211_work *wk,
 				     struct ieee80211_mgmt *mgmt,
 				     size_t len)
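Review bot: `ieee80211_remain_on_channel_timeout()` unlinks and frees the item with `list_del(&wk->list); free_work(wk);` and then returns `WORK_ACT_NONE`, so the caller is left holding a pointer to an item that is gone. The `switch (rma)` that consumes the return value is outside this hunk; if its `WORK_ACT_NONE` path reads `wk` (for instance to re-arm a timer from `wk->timeout`), that would be a use-after-free. Returning `WORK_ACT_TIMEOUT` and letting the generic code own removal would keep the lifetime in one place, assuming that path unlinks and frees the item. The `(u64)wk` passed to `cfg80211_remain_on_channel_expired()` is also evaluated after the free; capture it in a local such as `u64 cookie = (u64)wk;` before releasing the item.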
@@ -825,6 +863,8 @@
 			/* nothing */
 			rma = WORK_ACT_NONE;
 			break;
+		case IEEE80211_WORK_ABORT:
+			rma = WORK_ACT_TIMEOUT;
 		case IEEE80211_WORK_DIRECT_PROBE:
 			rma = ieee80211_direct_probe(wk);
 			break;
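Review bot: The new `case IEEE80211_WORK_ABORT:` has no `break;`, so control falls through into `case IEEE80211_WORK_DIRECT_PROBE:` and `rma` is overwritten with the result of `ieee80211_direct_probe(wk)`. An aborted item is therefore run as a direct probe instead of being timed out, which undermines the purge path in this patch that retags items as `IEEE80211_WORK_ABORT` to get them cleaned up. Add `break;` directly after `rma = WORK_ACT_TIMEOUT;`. The enclosing switch starts and ends outside this hunk.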
@@ -834,6 +874,9 @@
 		case IEEE80211_WORK_ASSOC:
 			rma = ieee80211_associate(wk);
 			break;
+		case IEEE80211_WORK_REMAIN_ON_CHANNEL:
+			rma = ieee80211_remain_on_channel_timeout(wk);
+			break;
 		}
 
 		switch (rma) {
@@ -900,14 +943,25 @@
 void ieee80211_work_purge(struct ieee80211_sub_if_data *sdata)
 {
 	struct ieee80211_local *local = sdata->local;
-	struct ieee80211_work *wk, *tmp;
+	struct ieee80211_work *wk;
 
 	mutex_lock(&local->work_mtx);
-	list_for_each_entry_safe(wk, tmp, &local->work_list, list) {
+	list_for_each_entry(wk, &local->work_list, list) {
 		if (wk->sdata != sdata)
 			continue;
-		list_del(&wk->list);
-		free_work(wk);
+		wk->type = IEEE80211_WORK_ABORT;
+	}
+	mutex_unlock(&local->work_mtx);
+
+	/* run cleanups etc. */
+	ieee80211_work_work(&local->work_work);
+
+	mutex_lock(&local->work_mtx);
+	list_for_each_entry(wk, &local->work_list, list) {
+		if (wk->sdata != sdata)
+			continue;
+		WARN_ON(1);
+		break;
 	}
 	mutex_unlock(&local->work_mtx);
 }
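Review bot: The second loop in `ieee80211_work_purge()` only fires `WARN_ON(1)` and breaks, so any surviving item for this `sdata` stays linked on `local->work_list` with `wk->sdata` still pointing at it. The old code guaranteed removal, whereas the new code relies on `ieee80211_work_work()` handling every ABORT item in this one pass, and that function's early exits are not visible here. If purge runs on interface teardown (inferred from its name and use), a leftover item becomes a dangling reference to freed interface data. Keep the warning but still reclaim the item: iterate with `list_for_each_entry_safe` and do `WARN_ON(1); list_del(&wk->list); free_work(wk);` for each match.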
@@ -949,3 +1003,75 @@
 
 	return RX_CONTINUE;
 }
+
+int ieee80211_wk_remain_on_channel(struct ieee80211_sub_if_data *sdata,
+				   struct ieee80211_channel *chan,
+				   enum nl80211_channel_type channel_type,
+				   unsigned int duration, u64 *cookie)
+{
+	struct ieee80211_local *local = sdata->local;
+	struct ieee80211_work *wk;
+
+	wk = kzalloc(sizeof(*wk), GFP_KERNEL);
+	if (!wk)
+		return -ENOMEM;
+
+	wk->type = IEEE80211_WORK_REMAIN_ON_CHANNEL;
+	wk->chan = chan;
+	wk->sdata = sdata;
+
+	wk->remain.timeout = jiffies + msecs_to_jiffies(duration);
+
+	*cookie = (u64)wk;
+
+	ieee80211_add_work(wk);
+
+	/*
+	 * TODO: could optimize this by leaving the station vifs in awake mode
+	 * if they happen to be on the same channel as the requested channel
+	 */
+	ieee80211_offchannel_stop_beaconing(local);
+	ieee80211_offchannel_stop_station(local);
+
+	sdata->local->tmp_channel = chan;
+	sdata->local->tmp_channel_type = channel_type;
+	ieee80211_hw_config(sdata->local, IEEE80211_CONF_CHANGE_CHANNEL);
+
+	cfg80211_ready_on_channel(sdata->dev, (u64)wk, chan, channel_type,
+				  duration, GFP_KERNEL);
+
+	return 0;
+}
+
+int ieee80211_wk_cancel_remain_on_channel(struct ieee80211_sub_if_data *sdata,
+					  u64 cookie)
+{
+	struct ieee80211_local *local = sdata->local;
+	struct ieee80211_work *wk, *tmp;
+	bool found = false;
+
+	mutex_lock(&local->work_mtx);
+	list_for_each_entry_safe(wk, tmp, &local->work_list, list) {
+		if ((u64)wk == cookie) {
+			found = true;
+			list_del(&wk->list);
+			free_work(wk);
+			break;
+		}
+	}
+	mutex_unlock(&local->work_mtx);
+
+	if (!found)
+		return -ENOENT;
+
+	if (sdata->local->tmp_channel) {
+		sdata->local->tmp_channel = NULL;
+		ieee80211_hw_config(sdata->local,
+				    IEEE80211_CONF_CHANGE_CHANNEL);
+		ieee80211_offchannel_return(sdata->local, true);
+	}
+
+	ieee80211_recalc_idle(local);
+
+	return 0;
+}
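Review bot: `ieee80211_wk_cancel_remain_on_channel()` frees whichever entry on `local->work_list` has an address equal to `cookie`, without checking `wk->type` or `wk->sdata`. The cookie is supplied by the caller of the cfg80211 op, so a stale or wrong value can unlink and free an unrelated auth/assoc item, or an item that belongs to another interface. Tighten the match to `if ((u64)wk != cookie || wk->type != IEEE80211_WORK_REMAIN_ON_CHANNEL || wk->sdata != sdata) continue;`. Separately, `*cookie = (u64)wk` hands a kernel heap address to whoever receives the cookie and casts a pointer to a wider integer on 32-bit builds. A per-device counter stored in the work item would avoid both problems.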