Scan trigger failed: ret=-22 (Invalid argument)

YOSHINO Yoshihito yy.y.ja.jp at gmail.com
Fri Dec 22 23:14:48 PST 2017


Hello,

I use wpa_supplicant in Debian GNU/Linux unstable.
I am stuck on a problem with wpa_supplicant 2.6. After upgrading
wpa_supplicant from 2.4 to 2.6, my laptop (MacBook Air with wifi chip
"Broadcom Limited BCM4360 802.11ac Wireless Network Adapter
[14e4:43a0] (rev 03)",
with broadcom-sta's wl kernel module) repeatedly fails to start scanning for APs,
with the following (-ddd) messages:

wlp3s0: State: DISCONNECTED -> SCANNING
wlp3s0: Starting AP scan for wildcard SSID (Interleave with specific)
wlp3s0: Add radio work 'scan'@0x55fff6d144c0
wlp3s0: First radio work item in the queue - schedule start immediately
wlp3s0: Starting radio work 'scan'@0x55fff6d144c0 after 0.000011 second wait
wlp3s0: nl80211: scan request
nl80211: Scan extra IEs - hexdump(len=6): 7f 04 00 00 0a 02
nl80211: Scan trigger failed: ret=-22 (Invalid argument)
wlp3s0: State: SCANNING -> DISCONNECTED
nl80211: Set wlp3s0 operstate 0->0 (DORMANT)
netlink: Operstate: ifindex=2 linkmode=-1 (no change), operstate=5 (IF_OPER_DORMANT)
wlp3s0: CTRL-EVENT-SCAN-FAILED ret=-22 retry=1
wlp3s0: Radio work 'scan'@0x55fff6d144c0 done in 0.000103 seconds
wlp3s0: radio_work_free('scan'@0x55fff6d144c0: num_active_works --> 0
wlp3s0: Setting scan request: 1.000000 sec
EAPOL: disable timer tick
wlp3s0: State: DISCONNECTED -> SCANNING
(snip)

This was reported more than a year ago with wpa_supplicant version 2.5 to
Debian's bug report system: https://bugs.debian.org/833507 (wpasupplicant:
Unable to connect WLAN (wlan0: CTRL-EVENT-SCAN-FAILED ret=-22)).

I have bisected commits between 2.4 and 2.6 and found that the commit around 2.5-dev
https://w1.fi/cgit/hostap/commit/?id=ad4430971fb90cffe31c872e0e0e6cc8781048be
is the cause of the problem.
It looks like the current wl kernel module does not accept a Probe Request
frame with at least some part of the Extended Capabilities element.

The wpas_ext_capab_byte function in wpa_supplicant/wpa_supplicant.c unconditionally
sets WNM-related values. After disabling the code like this

--- a/wpa_supplicant/wpa_supplicant.c    2017-12-16 10:21:25.000000000 +0900
+++ b/wpa_supplicant/wpa_supplicant.c    2017-12-23 14:23:41.244680071 +0900
@@ -1428,13 +1428,16 @@
         break;
     case 2: /* Bits 16-23 */
 #ifdef CONFIG_WNM
-        *pos |= 0x02; /* Bit 17 - WNM-Sleep Mode */
-        *pos |= 0x08; /* Bit 19 - BSS Transition */
+        if (0) { /* FIXME switch depending on the kernel module */
+            *pos |= 0x02; /* Bit 17 - WNM-Sleep Mode */
+            *pos |= 0x08; /* Bit 19 - BSS Transition */
+        }
 #endif /* CONFIG_WNM */
         break;
     case 3: /* Bits 24-31 */
 #ifdef CONFIG_WNM
-        *pos |= 0x02; /* Bit 25 - SSID List */
+        if (0) /* FIXME switch depending on the kernel module */
+            *pos |= 0x02; /* Bit 25 - SSID List */
 #endif /* CONFIG_WNM */
 #ifdef CONFIG_INTERWORKING
         if (wpa_s->conf->interworking)
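
Review bot: The `if (0)` guards in case 2 and case 3 compile the WNM bits out for every driver, so a CONFIG_WNM build would stop advertising WNM-Sleep Mode, BSS Transition and SSID List even on interfaces that accept them. As the FIXME comments already say, the condition needs to be a runtime one, for example a per-interface or per-network configuration flag or a driver capability check, with the current behaviour kept as the default. Style: the case 3 `if (0)` has no braces while the case 2 one does; use braces in both so a later added line cannot fall outside the guard.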

my machine works well again as before:

wlp3s0: State: DISCONNECTED -> SCANNING
wlp3s0: Starting AP scan for wildcard SSID (Interleave with specific)
wlp3s0: Add radio work 'scan'@0x5557661af4a0
wlp3s0: First radio work item in the queue - schedule start immediately
wlp3s0: Starting radio work 'scan'@0x5557661af4a0 after 0.000008 second wait
wlp3s0: nl80211: scan request
Scan requested (ret=0) - scan timeout 10 seconds
nl80211: Event message available
nl80211: Drv Event 33 (NL80211_CMD_TRIGGER_SCAN) received for wlp3s0
wlp3s0: nl80211: Scan trigger
wlp3s0: Event SCAN_STARTED (47) received
wlp3s0: Own scan request started a scan in 0.000062 seconds

Likewise a CONFIG_MBO block (several lines below the patch) would also need to
be disabled, which I have not tested yet because Debian's .config does not set
this option.

Meanwhile, one of my colleagues uses a Lenovo ThinkPad laptop with Intel's iwlwifi
kernel module, which works with normal wpa_supplicant 2.6 without any problems.
So it should switch depending on the kernel module used.

I think one way to fix it would be to add some configuration variable for each
network (via ctrl_iface/dbus and/or in wpa_supplicant.conf(5)) to decide
whether it should emit WNM-related values or not and set the variable by hand
or an external program like NetworkManager depending on the kernel module the
network interface uses.

Any ideas?

Thanks in advance,
-- 
YOSHINO Yoshihito <yy.y.ja.jp at gmail.com>
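
Decoding the "Scan extra IEs" hexdump from the failing log shows which Extended Capabilities bits the rejected scan request carried, and that they are exactly the three bits the patch disables. This is an added example, not part of the original message or of wpa_supplicant; the names ext_capab_bits and known_bits are hypothetical.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define WLAN_EID_EXT_CAPAB 127 /* 0x7f, Extended Capabilities element ID */

/* Bit names as given in the wpas_ext_capab_byte() comments in the patch. */
static const struct { int bit; const char *name; } known_bits[] = {
	{ 17, "WNM-Sleep Mode" },
	{ 19, "BSS Transition" },
	{ 25, "SSID List" },
};

/*
 * Walk a buffer of information elements (ID, length, payload) and return the
 * first 32 Extended Capabilities bits as a bitmap, or -1 if an element
 * overruns the buffer or no Extended Capabilities element is present.
 */
int64_t ext_capab_bits(const uint8_t *ies, size_t len)
{
	size_t pos = 0;

	while (len - pos >= 2) {
		uint8_t id = ies[pos], elen = ies[pos + 1];
		if (elen > len - pos - 2)
			return -1; /* truncated element */
		if (id == WLAN_EID_EXT_CAPAB) {
			uint32_t bits = 0;
			for (size_t i = 0; i < elen && i < 4; i++)
				bits |= (uint32_t) ies[pos + 2 + i] << (8 * i);
			return bits;
		}
		pos += 2 + (size_t) elen;
	}
	return -1;
}

int main(void)
{
	/* "Scan extra IEs" hexdump copied from the failing log in the message */
	const uint8_t ies[] = { 0x7f, 0x04, 0x00, 0x00, 0x0a, 0x02 };
	int64_t bits = ext_capab_bits(ies, sizeof(ies));
	if (bits < 0)
		return 1;
	for (size_t i = 0; i < sizeof(known_bits) / sizeof(known_bits[0]); i++)
		printf("bit %d (%s): %s\n", known_bits[i].bit, known_bits[i].name,
		       (bits >> known_bits[i].bit) & 1 ? "set" : "clear");
	return 0;
}
```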


