linux/net/mac80211/mlme.c
<<
>>
Prefs
   1// SPDX-License-Identifier: GPL-2.0-only
   2/*
   3 * BSS client mode implementation
   4 * Copyright 2003-2008, Jouni Malinen <j@w1.fi>
   5 * Copyright 2004, Instant802 Networks, Inc.
   6 * Copyright 2005, Devicescape Software, Inc.
   7 * Copyright 2006-2007  Jiri Benc <jbenc@suse.cz>
   8 * Copyright 2007, Michael Wu <flamingice@sourmilk.net>
   9 * Copyright 2013-2014  Intel Mobile Communications GmbH
  10 * Copyright (C) 2015 - 2017 Intel Deutschland GmbH
  11 * Copyright (C) 2018 - 2021 Intel Corporation
  12 */
  13
  14#include <linux/delay.h>
  15#include <linux/fips.h>
  16#include <linux/if_ether.h>
  17#include <linux/skbuff.h>
  18#include <linux/if_arp.h>
  19#include <linux/etherdevice.h>
  20#include <linux/moduleparam.h>
  21#include <linux/rtnetlink.h>
  22#include <linux/crc32.h>
  23#include <linux/slab.h>
  24#include <linux/export.h>
  25#include <net/mac80211.h>
  26#include <asm/unaligned.h>
  27
  28#include "ieee80211_i.h"
  29#include "driver-ops.h"
  30#include "rate.h"
  31#include "led.h"
  32#include "fils_aead.h"
  33
  34#define IEEE80211_AUTH_TIMEOUT          (HZ / 5)
  35#define IEEE80211_AUTH_TIMEOUT_LONG     (HZ / 2)
  36#define IEEE80211_AUTH_TIMEOUT_SHORT    (HZ / 10)
  37#define IEEE80211_AUTH_TIMEOUT_SAE      (HZ * 2)
  38#define IEEE80211_AUTH_MAX_TRIES        3
  39#define IEEE80211_AUTH_WAIT_ASSOC       (HZ * 5)
  40#define IEEE80211_ASSOC_TIMEOUT         (HZ / 5)
  41#define IEEE80211_ASSOC_TIMEOUT_LONG    (HZ / 2)
  42#define IEEE80211_ASSOC_TIMEOUT_SHORT   (HZ / 10)
  43#define IEEE80211_ASSOC_MAX_TRIES       3
  44
  45static int max_nullfunc_tries = 2;
  46module_param(max_nullfunc_tries, int, 0644);
  47MODULE_PARM_DESC(max_nullfunc_tries,
  48                 "Maximum nullfunc tx tries before disconnecting (reason 4).");
  49
  50static int max_probe_tries = 5;
  51module_param(max_probe_tries, int, 0644);
  52MODULE_PARM_DESC(max_probe_tries,
  53                 "Maximum probe tries before disconnecting (reason 4).");
  54
  55/*
  56 * Beacon loss timeout is calculated as N frames times the
  57 * advertised beacon interval.  This may need to be somewhat
  58 * higher than what hardware might detect to account for
  59 * delays in the host processing frames. But since we also
  60 * probe on beacon miss before declaring the connection lost
  61 * default to what we want.
  62 */
  63static int beacon_loss_count = 7;
  64module_param(beacon_loss_count, int, 0644);
  65MODULE_PARM_DESC(beacon_loss_count,
  66                 "Number of beacon intervals before we decide beacon was lost.");
  67
  68/*
  69 * Time the connection can be idle before we probe
  70 * it to see if we can still talk to the AP.
  71 */
  72#define IEEE80211_CONNECTION_IDLE_TIME  (30 * HZ)
  73/*
  74 * Time we wait for a probe response after sending
  75 * a probe request because of beacon loss or for
  76 * checking the connection still works.
  77 */
  78static int probe_wait_ms = 500;
  79module_param(probe_wait_ms, int, 0644);
  80MODULE_PARM_DESC(probe_wait_ms,
  81                 "Maximum time(ms) to wait for probe response"
  82                 " before disconnecting (reason 4).");
  83
  84/*
  85 * How many Beacon frames need to have been used in average signal strength
  86 * before starting to indicate signal change events.
  87 */
  88#define IEEE80211_SIGNAL_AVE_MIN_COUNT  4
  89
  90/*
  91 * We can have multiple work items (and connection probing)
  92 * scheduling this timer, but we need to take care to only
  93 * reschedule it when it should fire _earlier_ than it was
  94 * asked for before, or if it's not pending right now. This
  95 * function ensures that. Note that it then is required to
  96 * run this function for all timeouts after the first one
  97 * has happened -- the work that runs from this timer will
  98 * do that.
  99 */
 100static void run_again(struct ieee80211_sub_if_data *sdata,
 101                      unsigned long timeout)
 102{
 103        sdata_assert_lock(sdata);
 104
 105        if (!timer_pending(&sdata->u.mgd.timer) ||
 106            time_before(timeout, sdata->u.mgd.timer.expires))
 107                mod_timer(&sdata->u.mgd.timer, timeout);
 108}
 109
 110void ieee80211_sta_reset_beacon_monitor(struct ieee80211_sub_if_data *sdata)
 111{
 112        if (sdata->vif.driver_flags & IEEE80211_VIF_BEACON_FILTER)
 113                return;
 114
 115        if (ieee80211_hw_check(&sdata->local->hw, CONNECTION_MONITOR))
 116                return;
 117
 118        mod_timer(&sdata->u.mgd.bcn_mon_timer,
 119                  round_jiffies_up(jiffies + sdata->u.mgd.beacon_timeout));
 120}
 121
 122void ieee80211_sta_reset_conn_monitor(struct ieee80211_sub_if_data *sdata)
 123{
 124        struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
 125
 126        if (unlikely(!ifmgd->associated))
 127                return;
 128
 129        if (ifmgd->probe_send_count)
 130                ifmgd->probe_send_count = 0;
 131
 132        if (ieee80211_hw_check(&sdata->local->hw, CONNECTION_MONITOR))
 133                return;
 134
 135        mod_timer(&ifmgd->conn_mon_timer,
 136                  round_jiffies_up(jiffies + IEEE80211_CONNECTION_IDLE_TIME));
 137}
 138
 139static int ecw2cw(int ecw)
 140{
 141        return (1 << ecw) - 1;
 142}
 143
 144static u32
 145ieee80211_determine_chantype(struct ieee80211_sub_if_data *sdata,
 146                             struct ieee80211_supported_band *sband,
 147                             struct ieee80211_channel *channel,
 148                             u32 vht_cap_info,
 149                             const struct ieee80211_ht_operation *ht_oper,
 150                             const struct ieee80211_vht_operation *vht_oper,
 151                             const struct ieee80211_he_operation *he_oper,
 152                             const struct ieee80211_s1g_oper_ie *s1g_oper,
 153                             struct cfg80211_chan_def *chandef, bool tracking)
 154{
 155        struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
 156        struct cfg80211_chan_def vht_chandef;
 157        struct ieee80211_sta_ht_cap sta_ht_cap;
 158        u32 ht_cfreq, ret;
 159
 160        memset(chandef, 0, sizeof(struct cfg80211_chan_def));
 161        chandef->chan = channel;
 162        chandef->width = NL80211_CHAN_WIDTH_20_NOHT;
 163        chandef->center_freq1 = channel->center_freq;
 164        chandef->freq1_offset = channel->freq_offset;
 165
 166        if (channel->band == NL80211_BAND_6GHZ) {
 167                if (!ieee80211_chandef_he_6ghz_oper(sdata, he_oper, chandef))
 168                        ret = IEEE80211_STA_DISABLE_HT |
 169                              IEEE80211_STA_DISABLE_VHT |
 170                              IEEE80211_STA_DISABLE_HE;
 171                else
 172                        ret = 0;
 173                vht_chandef = *chandef;
 174                goto out;
 175        } else if (sband->band == NL80211_BAND_S1GHZ) {
 176                if (!ieee80211_chandef_s1g_oper(s1g_oper, chandef)) {
 177                        sdata_info(sdata,
 178                                   "Missing S1G Operation Element? Trying operating == primary\n");
 179                        chandef->width = ieee80211_s1g_channel_width(channel);
 180                }
 181
 182                ret = IEEE80211_STA_DISABLE_HT | IEEE80211_STA_DISABLE_40MHZ |
 183                      IEEE80211_STA_DISABLE_VHT |
 184                      IEEE80211_STA_DISABLE_80P80MHZ |
 185                      IEEE80211_STA_DISABLE_160MHZ;
 186                goto out;
 187        }
 188
 189        memcpy(&sta_ht_cap, &sband->ht_cap, sizeof(sta_ht_cap));
 190        ieee80211_apply_htcap_overrides(sdata, &sta_ht_cap);
 191
 192        if (!ht_oper || !sta_ht_cap.ht_supported) {
 193                ret = IEEE80211_STA_DISABLE_HT |
 194                      IEEE80211_STA_DISABLE_VHT |
 195                      IEEE80211_STA_DISABLE_HE;
 196                goto out;
 197        }
 198
 199        chandef->width = NL80211_CHAN_WIDTH_20;
 200
 201        ht_cfreq = ieee80211_channel_to_frequency(ht_oper->primary_chan,
 202                                                  channel->band);
 203        /* check that channel matches the right operating channel */
 204        if (!tracking && channel->center_freq != ht_cfreq) {
 205                /*
 206                 * It's possible that some APs are confused here;
 207                 * Netgear WNDR3700 sometimes reports 4 higher than
 208                 * the actual channel in association responses, but
 209                 * since we look at probe response/beacon data here
 210                 * it should be OK.
 211                 */
 212                sdata_info(sdata,
 213                           "Wrong control channel: center-freq: %d ht-cfreq: %d ht->primary_chan: %d band: %d - Disabling HT\n",
 214                           channel->center_freq, ht_cfreq,
 215                           ht_oper->primary_chan, channel->band);
 216                ret = IEEE80211_STA_DISABLE_HT |
 217                      IEEE80211_STA_DISABLE_VHT |
 218                      IEEE80211_STA_DISABLE_HE;
 219                goto out;
 220        }
 221
 222        /* check 40 MHz support, if we have it */
 223        if (sta_ht_cap.cap & IEEE80211_HT_CAP_SUP_WIDTH_20_40) {
 224                ieee80211_chandef_ht_oper(ht_oper, chandef);
 225        } else {
 226                /* 40 MHz (and 80 MHz) must be supported for VHT */
 227                ret = IEEE80211_STA_DISABLE_VHT;
 228                /* also mark 40 MHz disabled */
 229                ret |= IEEE80211_STA_DISABLE_40MHZ;
 230                goto out;
 231        }
 232
 233        if (!vht_oper || !sband->vht_cap.vht_supported) {
 234                ret = IEEE80211_STA_DISABLE_VHT;
 235                goto out;
 236        }
 237
 238        vht_chandef = *chandef;
 239        if (!(ifmgd->flags & IEEE80211_STA_DISABLE_HE) && he_oper &&
 240            (le32_to_cpu(he_oper->he_oper_params) &
 241             IEEE80211_HE_OPERATION_VHT_OPER_INFO)) {
 242                struct ieee80211_vht_operation he_oper_vht_cap;
 243
 244                /*
 245                 * Set only first 3 bytes (other 2 aren't used in
 246                 * ieee80211_chandef_vht_oper() anyway)
 247                 */
 248                memcpy(&he_oper_vht_cap, he_oper->optional, 3);
 249                he_oper_vht_cap.basic_mcs_set = cpu_to_le16(0);
 250
 251                if (!ieee80211_chandef_vht_oper(&sdata->local->hw, vht_cap_info,
 252                                                &he_oper_vht_cap, ht_oper,
 253                                                &vht_chandef)) {
 254                        if (!(ifmgd->flags & IEEE80211_STA_DISABLE_HE))
 255                                sdata_info(sdata,
 256                                           "HE AP VHT information is invalid, disable HE\n");
 257                        ret = IEEE80211_STA_DISABLE_HE;
 258                        goto out;
 259                }
 260        } else if (!ieee80211_chandef_vht_oper(&sdata->local->hw,
 261                                               vht_cap_info,
 262                                               vht_oper, ht_oper,
 263                                               &vht_chandef)) {
 264                if (!(ifmgd->flags & IEEE80211_STA_DISABLE_VHT))
 265                        sdata_info(sdata,
 266                                   "AP VHT information is invalid, disable VHT\n");
 267                ret = IEEE80211_STA_DISABLE_VHT;
 268                goto out;
 269        }
 270
 271        if (!cfg80211_chandef_valid(&vht_chandef)) {
 272                if (!(ifmgd->flags & IEEE80211_STA_DISABLE_VHT))
 273                        sdata_info(sdata,
 274                                   "AP VHT information is invalid, disable VHT\n");
 275                ret = IEEE80211_STA_DISABLE_VHT;
 276                goto out;
 277        }
 278
 279        if (cfg80211_chandef_identical(chandef, &vht_chandef)) {
 280                ret = 0;
 281                goto out;
 282        }
 283
 284        if (!cfg80211_chandef_compatible(chandef, &vht_chandef)) {
 285                if (!(ifmgd->flags & IEEE80211_STA_DISABLE_VHT))
 286                        sdata_info(sdata,
 287                                   "AP VHT information doesn't match HT, disable VHT\n");
 288                ret = IEEE80211_STA_DISABLE_VHT;
 289                goto out;
 290        }
 291
 292        *chandef = vht_chandef;
 293
 294        ret = 0;
 295
 296out:
 297        /*
 298         * When tracking the current AP, don't do any further checks if the
 299         * new chandef is identical to the one we're currently using for the
 300         * connection. This keeps us from playing ping-pong with regulatory,
 301         * without it the following can happen (for example):
 302         *  - connect to an AP with 80 MHz, world regdom allows 80 MHz
 303         *  - AP advertises regdom US
 304         *  - CRDA loads regdom US with 80 MHz prohibited (old database)
 305         *  - the code below detects an unsupported channel, downgrades, and
 306         *    we disconnect from the AP in the caller
 307         *  - disconnect causes CRDA to reload world regdomain and the game
 308         *    starts anew.
 309         * (see https://bugzilla.kernel.org/show_bug.cgi?id=70881)
 310         *
 311         * It seems possible that there are still scenarios with CSA or real
 312         * bandwidth changes where a this could happen, but those cases are
 313         * less common and wouldn't completely prevent using the AP.
 314         */
 315        if (tracking &&
 316            cfg80211_chandef_identical(chandef, &sdata->vif.bss_conf.chandef))
 317                return ret;
 318
 319        /* don't print the message below for VHT mismatch if VHT is disabled */
 320        if (ret & IEEE80211_STA_DISABLE_VHT)
 321                vht_chandef = *chandef;
 322
 323        /*
 324         * Ignore the DISABLED flag when we're already connected and only
 325         * tracking the APs beacon for bandwidth changes - otherwise we
 326         * might get disconnected here if we connect to an AP, update our
 327         * regulatory information based on the AP's country IE and the
 328         * information we have is wrong/outdated and disables the channel
 329         * that we're actually using for the connection to the AP.
 330         */
 331        while (!cfg80211_chandef_usable(sdata->local->hw.wiphy, chandef,
 332                                        tracking ? 0 :
 333                                                   IEEE80211_CHAN_DISABLED)) {
 334                if (WARN_ON(chandef->width == NL80211_CHAN_WIDTH_20_NOHT)) {
 335                        ret = IEEE80211_STA_DISABLE_HT |
 336                              IEEE80211_STA_DISABLE_VHT |
 337                              IEEE80211_STA_DISABLE_HE;
 338                        break;
 339                }
 340
 341                ret |= ieee80211_chandef_downgrade(chandef);
 342        }
 343
 344        if (!he_oper || !cfg80211_chandef_usable(sdata->wdev.wiphy, chandef,
 345                                                 IEEE80211_CHAN_NO_HE))
 346                ret |= IEEE80211_STA_DISABLE_HE;
 347
 348        if (chandef->width != vht_chandef.width && !tracking)
 349                sdata_info(sdata,
 350                           "capabilities/regulatory prevented using AP HT/VHT configuration, downgraded\n");
 351
 352        WARN_ON_ONCE(!cfg80211_chandef_valid(chandef));
 353        return ret;
 354}
 355
 356static int ieee80211_config_bw(struct ieee80211_sub_if_data *sdata,
 357                               struct sta_info *sta,
 358                               const struct ieee80211_ht_cap *ht_cap,
 359                               const struct ieee80211_vht_cap *vht_cap,
 360                               const struct ieee80211_ht_operation *ht_oper,
 361                               const struct ieee80211_vht_operation *vht_oper,
 362                               const struct ieee80211_he_operation *he_oper,
 363                               const struct ieee80211_s1g_oper_ie *s1g_oper,
 364                               const u8 *bssid, u32 *changed)
 365{
 366        struct ieee80211_local *local = sdata->local;
 367        struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
 368        struct ieee80211_channel *chan = sdata->vif.bss_conf.chandef.chan;
 369        struct ieee80211_supported_band *sband =
 370                local->hw.wiphy->bands[chan->band];
 371        struct cfg80211_chan_def chandef;
 372        u16 ht_opmode;
 373        u32 flags;
 374        u32 vht_cap_info = 0;
 375        int ret;
 376
 377        /* if HT was/is disabled, don't track any bandwidth changes */
 378        if (ifmgd->flags & IEEE80211_STA_DISABLE_HT || !ht_oper)
 379                return 0;
 380
 381        /* don't check VHT if we associated as non-VHT station */
 382        if (ifmgd->flags & IEEE80211_STA_DISABLE_VHT)
 383                vht_oper = NULL;
 384
 385        /* don't check HE if we associated as non-HE station */
 386        if (ifmgd->flags & IEEE80211_STA_DISABLE_HE ||
 387            !ieee80211_get_he_iftype_cap(sband,
 388                                         ieee80211_vif_type_p2p(&sdata->vif)))
 389
 390                he_oper = NULL;
 391
 392        if (WARN_ON_ONCE(!sta))
 393                return -EINVAL;
 394
 395        /*
 396         * if bss configuration changed store the new one -
 397         * this may be applicable even if channel is identical
 398         */
 399        ht_opmode = le16_to_cpu(ht_oper->operation_mode);
 400        if (sdata->vif.bss_conf.ht_operation_mode != ht_opmode) {
 401                *changed |= BSS_CHANGED_HT;
 402                sdata->vif.bss_conf.ht_operation_mode = ht_opmode;
 403        }
 404
 405        if (vht_cap)
 406                vht_cap_info = le32_to_cpu(vht_cap->vht_cap_info);
 407
 408        /* calculate new channel (type) based on HT/VHT/HE operation IEs */
 409        flags = ieee80211_determine_chantype(sdata, sband, chan, vht_cap_info,
 410                                             ht_oper, vht_oper, he_oper,
 411                                             s1g_oper, &chandef, true);
 412
 413        /*
 414         * Downgrade the new channel if we associated with restricted
 415         * capabilities. For example, if we associated as a 20 MHz STA
 416         * to a 40 MHz AP (due to regulatory, capabilities or config
 417         * reasons) then switching to a 40 MHz channel now won't do us
 418         * any good -- we couldn't use it with the AP.
 419         */
 420        if (ifmgd->flags & IEEE80211_STA_DISABLE_80P80MHZ &&
 421            chandef.width == NL80211_CHAN_WIDTH_80P80)
 422                flags |= ieee80211_chandef_downgrade(&chandef);
 423        if (ifmgd->flags & IEEE80211_STA_DISABLE_160MHZ &&
 424            chandef.width == NL80211_CHAN_WIDTH_160)
 425                flags |= ieee80211_chandef_downgrade(&chandef);
 426        if (ifmgd->flags & IEEE80211_STA_DISABLE_40MHZ &&
 427            chandef.width > NL80211_CHAN_WIDTH_20)
 428                flags |= ieee80211_chandef_downgrade(&chandef);
 429
 430        if (cfg80211_chandef_identical(&chandef, &sdata->vif.bss_conf.chandef))
 431                return 0;
 432
 433        sdata_info(sdata,
 434                   "AP %pM changed bandwidth, new config is %d.%03d MHz, "
 435                   "width %d (%d.%03d/%d MHz)\n",
 436                   ifmgd->bssid, chandef.chan->center_freq,
 437                   chandef.chan->freq_offset, chandef.width,
 438                   chandef.center_freq1, chandef.freq1_offset,
 439                   chandef.center_freq2);
 440
 441        if (flags != (ifmgd->flags & (IEEE80211_STA_DISABLE_HT |
 442                                      IEEE80211_STA_DISABLE_VHT |
 443                                      IEEE80211_STA_DISABLE_HE |
 444                                      IEEE80211_STA_DISABLE_40MHZ |
 445                                      IEEE80211_STA_DISABLE_80P80MHZ |
 446                                      IEEE80211_STA_DISABLE_160MHZ)) ||
 447            !cfg80211_chandef_valid(&chandef)) {
 448                sdata_info(sdata,
 449                           "AP %pM changed caps/bw in a way we can't support (0x%x/0x%x) - disconnect\n",
 450                           ifmgd->bssid, flags, ifmgd->flags);
 451                return -EINVAL;
 452        }
 453
 454        ret = ieee80211_vif_change_bandwidth(sdata, &chandef, changed);
 455
 456        if (ret) {
 457                sdata_info(sdata,
 458                           "AP %pM changed bandwidth to incompatible one - disconnect\n",
 459                           ifmgd->bssid);
 460                return ret;
 461        }
 462
 463        return 0;
 464}
 465
 466/* frame sending functions */
 467
 468static void ieee80211_add_ht_ie(struct ieee80211_sub_if_data *sdata,
 469                                struct sk_buff *skb, u8 ap_ht_param,
 470                                struct ieee80211_supported_band *sband,
 471                                struct ieee80211_channel *channel,
 472                                enum ieee80211_smps_mode smps)
 473{
 474        u8 *pos;
 475        u32 flags = channel->flags;
 476        u16 cap;
 477        struct ieee80211_sta_ht_cap ht_cap;
 478
 479        BUILD_BUG_ON(sizeof(ht_cap) != sizeof(sband->ht_cap));
 480
 481        memcpy(&ht_cap, &sband->ht_cap, sizeof(ht_cap));
 482        ieee80211_apply_htcap_overrides(sdata, &ht_cap);
 483
 484        /* determine capability flags */
 485        cap = ht_cap.cap;
 486
 487        switch (ap_ht_param & IEEE80211_HT_PARAM_CHA_SEC_OFFSET) {
 488        case IEEE80211_HT_PARAM_CHA_SEC_ABOVE:
 489                if (flags & IEEE80211_CHAN_NO_HT40PLUS) {
 490                        cap &= ~IEEE80211_HT_CAP_SUP_WIDTH_20_40;
 491                        cap &= ~IEEE80211_HT_CAP_SGI_40;
 492                }
 493                break;
 494        case IEEE80211_HT_PARAM_CHA_SEC_BELOW:
 495                if (flags & IEEE80211_CHAN_NO_HT40MINUS) {
 496                        cap &= ~IEEE80211_HT_CAP_SUP_WIDTH_20_40;
 497                        cap &= ~IEEE80211_HT_CAP_SGI_40;
 498                }
 499                break;
 500        }
 501
 502        /*
 503         * If 40 MHz was disabled associate as though we weren't
 504         * capable of 40 MHz -- some broken APs will never fall
 505         * back to trying to transmit in 20 MHz.
 506         */
 507        if (sdata->u.mgd.flags & IEEE80211_STA_DISABLE_40MHZ) {
 508                cap &= ~IEEE80211_HT_CAP_SUP_WIDTH_20_40;
 509                cap &= ~IEEE80211_HT_CAP_SGI_40;
 510        }
 511
 512        /* set SM PS mode properly */
 513        cap &= ~IEEE80211_HT_CAP_SM_PS;
 514        switch (smps) {
 515        case IEEE80211_SMPS_AUTOMATIC:
 516        case IEEE80211_SMPS_NUM_MODES:
 517                WARN_ON(1);
 518                fallthrough;
 519        case IEEE80211_SMPS_OFF:
 520                cap |= WLAN_HT_CAP_SM_PS_DISABLED <<
 521                        IEEE80211_HT_CAP_SM_PS_SHIFT;
 522                break;
 523        case IEEE80211_SMPS_STATIC:
 524                cap |= WLAN_HT_CAP_SM_PS_STATIC <<
 525                        IEEE80211_HT_CAP_SM_PS_SHIFT;
 526                break;
 527        case IEEE80211_SMPS_DYNAMIC:
 528                cap |= WLAN_HT_CAP_SM_PS_DYNAMIC <<
 529                        IEEE80211_HT_CAP_SM_PS_SHIFT;
 530                break;
 531        }
 532
 533        /* reserve and fill IE */
 534        pos = skb_put(skb, sizeof(struct ieee80211_ht_cap) + 2);
 535        ieee80211_ie_build_ht_cap(pos, &ht_cap, cap);
 536}
 537
 538/* This function determines vht capability flags for the association
 539 * and builds the IE.
 540 * Note - the function may set the owner of the MU-MIMO capability
 541 */
 542static void ieee80211_add_vht_ie(struct ieee80211_sub_if_data *sdata,
 543                                 struct sk_buff *skb,
 544                                 struct ieee80211_supported_band *sband,
 545                                 struct ieee80211_vht_cap *ap_vht_cap)
 546{
 547        struct ieee80211_local *local = sdata->local;
 548        u8 *pos;
 549        u32 cap;
 550        struct ieee80211_sta_vht_cap vht_cap;
 551        u32 mask, ap_bf_sts, our_bf_sts;
 552
 553        BUILD_BUG_ON(sizeof(vht_cap) != sizeof(sband->vht_cap));
 554
 555        memcpy(&vht_cap, &sband->vht_cap, sizeof(vht_cap));
 556        ieee80211_apply_vhtcap_overrides(sdata, &vht_cap);
 557
 558        /* determine capability flags */
 559        cap = vht_cap.cap;
 560
 561        if (sdata->u.mgd.flags & IEEE80211_STA_DISABLE_80P80MHZ) {
 562                u32 bw = cap & IEEE80211_VHT_CAP_SUPP_CHAN_WIDTH_MASK;
 563
 564                cap &= ~IEEE80211_VHT_CAP_SUPP_CHAN_WIDTH_MASK;
 565                if (bw == IEEE80211_VHT_CAP_SUPP_CHAN_WIDTH_160MHZ ||
 566                    bw == IEEE80211_VHT_CAP_SUPP_CHAN_WIDTH_160_80PLUS80MHZ)
 567                        cap |= IEEE80211_VHT_CAP_SUPP_CHAN_WIDTH_160MHZ;
 568        }
 569
 570        if (sdata->u.mgd.flags & IEEE80211_STA_DISABLE_160MHZ) {
 571                cap &= ~IEEE80211_VHT_CAP_SHORT_GI_160;
 572                cap &= ~IEEE80211_VHT_CAP_SUPP_CHAN_WIDTH_MASK;
 573        }
 574
 575        /*
 576         * Some APs apparently get confused if our capabilities are better
 577         * than theirs, so restrict what we advertise in the assoc request.
 578         */
 579        if (!(ap_vht_cap->vht_cap_info &
 580                        cpu_to_le32(IEEE80211_VHT_CAP_SU_BEAMFORMER_CAPABLE)))
 581                cap &= ~(IEEE80211_VHT_CAP_SU_BEAMFORMEE_CAPABLE |
 582                         IEEE80211_VHT_CAP_MU_BEAMFORMEE_CAPABLE);
 583        else if (!(ap_vht_cap->vht_cap_info &
 584                        cpu_to_le32(IEEE80211_VHT_CAP_MU_BEAMFORMER_CAPABLE)))
 585                cap &= ~IEEE80211_VHT_CAP_MU_BEAMFORMEE_CAPABLE;
 586
 587        /*
 588         * If some other vif is using the MU-MIMO capability we cannot associate
 589         * using MU-MIMO - this will lead to contradictions in the group-id
 590         * mechanism.
 591         * Ownership is defined since association request, in order to avoid
 592         * simultaneous associations with MU-MIMO.
 593         */
 594        if (cap & IEEE80211_VHT_CAP_MU_BEAMFORMEE_CAPABLE) {
 595                bool disable_mu_mimo = false;
 596                struct ieee80211_sub_if_data *other;
 597
 598                list_for_each_entry_rcu(other, &local->interfaces, list) {
 599                        if (other->vif.mu_mimo_owner) {
 600                                disable_mu_mimo = true;
 601                                break;
 602                        }
 603                }
 604                if (disable_mu_mimo)
 605                        cap &= ~IEEE80211_VHT_CAP_MU_BEAMFORMEE_CAPABLE;
 606                else
 607                        sdata->vif.mu_mimo_owner = true;
 608        }
 609
 610        mask = IEEE80211_VHT_CAP_BEAMFORMEE_STS_MASK;
 611
 612        ap_bf_sts = le32_to_cpu(ap_vht_cap->vht_cap_info) & mask;
 613        our_bf_sts = cap & mask;
 614
 615        if (ap_bf_sts < our_bf_sts) {
 616                cap &= ~mask;
 617                cap |= ap_bf_sts;
 618        }
 619
 620        /* reserve and fill IE */
 621        pos = skb_put(skb, sizeof(struct ieee80211_vht_cap) + 2);
 622        ieee80211_ie_build_vht_cap(pos, &vht_cap, cap);
 623}
 624
 625/* This function determines HE capability flags for the association
 626 * and builds the IE.
 627 */
 628static void ieee80211_add_he_ie(struct ieee80211_sub_if_data *sdata,
 629                                struct sk_buff *skb,
 630                                struct ieee80211_supported_band *sband)
 631{
 632        u8 *pos;
 633        const struct ieee80211_sta_he_cap *he_cap = NULL;
 634        struct ieee80211_chanctx_conf *chanctx_conf;
 635        u8 he_cap_size;
 636        bool reg_cap = false;
 637
 638        rcu_read_lock();
 639        chanctx_conf = rcu_dereference(sdata->vif.chanctx_conf);
 640        if (!WARN_ON_ONCE(!chanctx_conf))
 641                reg_cap = cfg80211_chandef_usable(sdata->wdev.wiphy,
 642                                                  &chanctx_conf->def,
 643                                                  IEEE80211_CHAN_NO_HE);
 644
 645        rcu_read_unlock();
 646
 647        he_cap = ieee80211_get_he_iftype_cap(sband,
 648                                             ieee80211_vif_type_p2p(&sdata->vif));
 649        if (!he_cap || !reg_cap)
 650                return;
 651
 652        /*
 653         * TODO: the 1 added is because this temporarily is under the EXTENSION
 654         * IE. Get rid of it when it moves.
 655         */
 656        he_cap_size =
 657                2 + 1 + sizeof(he_cap->he_cap_elem) +
 658                ieee80211_he_mcs_nss_size(&he_cap->he_cap_elem) +
 659                ieee80211_he_ppe_size(he_cap->ppe_thres[0],
 660                                      he_cap->he_cap_elem.phy_cap_info);
 661        pos = skb_put(skb, he_cap_size);
 662        ieee80211_ie_build_he_cap(pos, he_cap, pos + he_cap_size);
 663
 664        ieee80211_ie_build_he_6ghz_cap(sdata, skb);
 665}
 666
 667static void ieee80211_send_assoc(struct ieee80211_sub_if_data *sdata)
 668{
 669        struct ieee80211_local *local = sdata->local;
 670        struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
 671        struct ieee80211_mgd_assoc_data *assoc_data = ifmgd->assoc_data;
 672        struct sk_buff *skb;
 673        struct ieee80211_mgmt *mgmt;
 674        u8 *pos, qos_info, *ie_start;
 675        size_t offset = 0, noffset;
 676        int i, count, rates_len, supp_rates_len, shift;
 677        u16 capab;
 678        struct ieee80211_supported_band *sband;
 679        struct ieee80211_chanctx_conf *chanctx_conf;
 680        struct ieee80211_channel *chan;
 681        u32 rates = 0;
 682        __le16 listen_int;
 683        struct element *ext_capa = NULL;
 684        enum nl80211_iftype iftype = ieee80211_vif_type_p2p(&sdata->vif);
 685        const struct ieee80211_sband_iftype_data *iftd;
 686        struct ieee80211_prep_tx_info info = {};
 687
 688        /* we know it's writable, cast away the const */
 689        if (assoc_data->ie_len)
 690                ext_capa = (void *)cfg80211_find_elem(WLAN_EID_EXT_CAPABILITY,
 691                                                      assoc_data->ie,
 692                                                      assoc_data->ie_len);
 693
 694        sdata_assert_lock(sdata);
 695
 696        rcu_read_lock();
 697        chanctx_conf = rcu_dereference(sdata->vif.chanctx_conf);
 698        if (WARN_ON(!chanctx_conf)) {
 699                rcu_read_unlock();
 700                return;
 701        }
 702        chan = chanctx_conf->def.chan;
 703        rcu_read_unlock();
 704        sband = local->hw.wiphy->bands[chan->band];
 705        shift = ieee80211_vif_get_shift(&sdata->vif);
 706
 707        if (assoc_data->supp_rates_len) {
 708                /*
 709                 * Get all rates supported by the device and the AP as
 710                 * some APs don't like getting a superset of their rates
 711                 * in the association request (e.g. D-Link DAP 1353 in
 712                 * b-only mode)...
 713                 */
 714                rates_len = ieee80211_parse_bitrates(&chanctx_conf->def, sband,
 715                                                     assoc_data->supp_rates,
 716                                                     assoc_data->supp_rates_len,
 717                                                     &rates);
 718        } else {
 719                /*
 720                 * In case AP not provide any supported rates information
 721                 * before association, we send information element(s) with
 722                 * all rates that we support.
 723                 */
 724                rates_len = 0;
 725                for (i = 0; i < sband->n_bitrates; i++) {
 726                        rates |= BIT(i);
 727                        rates_len++;
 728                }
 729        }
 730
 731        iftd = ieee80211_get_sband_iftype_data(sband, iftype);
 732
 733        skb = alloc_skb(local->hw.extra_tx_headroom +
 734                        sizeof(*mgmt) + /* bit too much but doesn't matter */
 735                        2 + assoc_data->ssid_len + /* SSID */
 736                        4 + rates_len + /* (extended) rates */
 737                        4 + /* power capability */
 738                        2 + 2 * sband->n_channels + /* supported channels */
 739                        2 + sizeof(struct ieee80211_ht_cap) + /* HT */
 740                        2 + sizeof(struct ieee80211_vht_cap) + /* VHT */
 741                        2 + 1 + sizeof(struct ieee80211_he_cap_elem) + /* HE */
 742                                sizeof(struct ieee80211_he_mcs_nss_supp) +
 743                                IEEE80211_HE_PPE_THRES_MAX_LEN +
 744                        2 + 1 + sizeof(struct ieee80211_he_6ghz_capa) +
 745                        assoc_data->ie_len + /* extra IEs */
 746                        (assoc_data->fils_kek_len ? 16 /* AES-SIV */ : 0) +
 747                        9 + /* WMM */
 748                        (iftd ? iftd->vendor_elems.len : 0),
 749                        GFP_KERNEL);
 750        if (!skb)
 751                return;
 752
 753        skb_reserve(skb, local->hw.extra_tx_headroom);
 754
 755        capab = WLAN_CAPABILITY_ESS;
 756
 757        if (sband->band == NL80211_BAND_2GHZ) {
 758                capab |= WLAN_CAPABILITY_SHORT_SLOT_TIME;
 759                capab |= WLAN_CAPABILITY_SHORT_PREAMBLE;
 760        }
 761
 762        if (assoc_data->capability & WLAN_CAPABILITY_PRIVACY)
 763                capab |= WLAN_CAPABILITY_PRIVACY;
 764
 765        if ((assoc_data->capability & WLAN_CAPABILITY_SPECTRUM_MGMT) &&
 766            ieee80211_hw_check(&local->hw, SPECTRUM_MGMT))
 767                capab |= WLAN_CAPABILITY_SPECTRUM_MGMT;
 768
 769        if (ifmgd->flags & IEEE80211_STA_ENABLE_RRM)
 770                capab |= WLAN_CAPABILITY_RADIO_MEASURE;
 771
 772        mgmt = skb_put_zero(skb, 24);
 773        memcpy(mgmt->da, assoc_data->bss->bssid, ETH_ALEN);
 774        memcpy(mgmt->sa, sdata->vif.addr, ETH_ALEN);
 775        memcpy(mgmt->bssid, assoc_data->bss->bssid, ETH_ALEN);
 776
 777        listen_int = cpu_to_le16(sband->band == NL80211_BAND_S1GHZ ?
 778                        ieee80211_encode_usf(local->hw.conf.listen_interval) :
 779                        local->hw.conf.listen_interval);
 780        if (!is_zero_ether_addr(assoc_data->prev_bssid)) {
 781                skb_put(skb, 10);
 782                mgmt->frame_control = cpu_to_le16(IEEE80211_FTYPE_MGMT |
 783                                                  IEEE80211_STYPE_REASSOC_REQ);
 784                mgmt->u.reassoc_req.capab_info = cpu_to_le16(capab);
 785                mgmt->u.reassoc_req.listen_interval = listen_int;
 786                memcpy(mgmt->u.reassoc_req.current_ap, assoc_data->prev_bssid,
 787                       ETH_ALEN);
 788                info.subtype = IEEE80211_STYPE_REASSOC_REQ;
 789        } else {
 790                skb_put(skb, 4);
 791                mgmt->frame_control = cpu_to_le16(IEEE80211_FTYPE_MGMT |
 792                                                  IEEE80211_STYPE_ASSOC_REQ);
 793                mgmt->u.assoc_req.capab_info = cpu_to_le16(capab);
 794                mgmt->u.assoc_req.listen_interval = listen_int;
 795                info.subtype = IEEE80211_STYPE_ASSOC_REQ;
 796        }
 797
 798        /* SSID */
 799        pos = skb_put(skb, 2 + assoc_data->ssid_len);
 800        ie_start = pos;
 801        *pos++ = WLAN_EID_SSID;
 802        *pos++ = assoc_data->ssid_len;
 803        memcpy(pos, assoc_data->ssid, assoc_data->ssid_len);
 804
 805        if (sband->band == NL80211_BAND_S1GHZ)
 806                goto skip_rates;
 807
 808        /* add all rates which were marked to be used above */
 809        supp_rates_len = rates_len;
 810        if (supp_rates_len > 8)
 811                supp_rates_len = 8;
 812
 813        pos = skb_put(skb, supp_rates_len + 2);
 814        *pos++ = WLAN_EID_SUPP_RATES;
 815        *pos++ = supp_rates_len;
 816
 817        count = 0;
 818        for (i = 0; i < sband->n_bitrates; i++) {
 819                if (BIT(i) & rates) {
 820                        int rate = DIV_ROUND_UP(sband->bitrates[i].bitrate,
 821                                                5 * (1 << shift));
 822                        *pos++ = (u8) rate;
 823                        if (++count == 8)
 824                                break;
 825                }
 826        }
 827
 828        if (rates_len > count) {
 829                pos = skb_put(skb, rates_len - count + 2);
 830                *pos++ = WLAN_EID_EXT_SUPP_RATES;
 831                *pos++ = rates_len - count;
 832
 833                for (i++; i < sband->n_bitrates; i++) {
 834                        if (BIT(i) & rates) {
 835                                int rate;
 836                                rate = DIV_ROUND_UP(sband->bitrates[i].bitrate,
 837                                                    5 * (1 << shift));
 838                                *pos++ = (u8) rate;
 839                        }
 840                }
 841        }
 842
 843skip_rates:
 844        if (capab & WLAN_CAPABILITY_SPECTRUM_MGMT ||
 845            capab & WLAN_CAPABILITY_RADIO_MEASURE) {
 846                pos = skb_put(skb, 4);
 847                *pos++ = WLAN_EID_PWR_CAPABILITY;
 848                *pos++ = 2;
 849                *pos++ = 0; /* min tx power */
 850                 /* max tx power */
 851                *pos++ = ieee80211_chandef_max_power(&chanctx_conf->def);
 852        }
 853
 854        /*
 855         * Per spec, we shouldn't include the list of channels if we advertise
 856         * support for extended channel switching, but we've always done that;
 857         * (for now?) apply this restriction only on the (new) 6 GHz band.
 858         */
 859        if (capab & WLAN_CAPABILITY_SPECTRUM_MGMT &&
 860            (sband->band != NL80211_BAND_6GHZ ||
 861             !ext_capa || ext_capa->datalen < 1 ||
 862             !(ext_capa->data[0] & WLAN_EXT_CAPA1_EXT_CHANNEL_SWITCHING))) {
 863                /* TODO: get this in reg domain format */
 864                pos = skb_put(skb, 2 * sband->n_channels + 2);
 865                *pos++ = WLAN_EID_SUPPORTED_CHANNELS;
 866                *pos++ = 2 * sband->n_channels;
 867                for (i = 0; i < sband->n_channels; i++) {
 868                        *pos++ = ieee80211_frequency_to_channel(
 869                                        sband->channels[i].center_freq);
 870                        *pos++ = 1; /* one channel in the subband*/
 871                }
 872        }
 873
 874        /* Set MBSSID support for HE AP if needed */
 875        if (ieee80211_hw_check(&local->hw, SUPPORTS_ONLY_HE_MULTI_BSSID) &&
 876            !(ifmgd->flags & IEEE80211_STA_DISABLE_HE) && assoc_data->ie_len &&
 877            ext_capa && ext_capa->datalen >= 3)
 878                ext_capa->data[2] |= WLAN_EXT_CAPA3_MULTI_BSSID_SUPPORT;
 879
 880        /* if present, add any custom IEs that go before HT */
 881        if (assoc_data->ie_len) {
 882                static const u8 before_ht[] = {
 883                        WLAN_EID_SSID,
 884                        WLAN_EID_SUPP_RATES,
 885                        WLAN_EID_EXT_SUPP_RATES,
 886                        WLAN_EID_PWR_CAPABILITY,
 887                        WLAN_EID_SUPPORTED_CHANNELS,
 888                        WLAN_EID_RSN,
 889                        WLAN_EID_QOS_CAPA,
 890                        WLAN_EID_RRM_ENABLED_CAPABILITIES,
 891                        WLAN_EID_MOBILITY_DOMAIN,
 892                        WLAN_EID_FAST_BSS_TRANSITION,   /* reassoc only */
 893                        WLAN_EID_RIC_DATA,              /* reassoc only */
 894                        WLAN_EID_SUPPORTED_REGULATORY_CLASSES,
 895                };
 896                static const u8 after_ric[] = {
 897                        WLAN_EID_SUPPORTED_REGULATORY_CLASSES,
 898                        WLAN_EID_HT_CAPABILITY,
 899                        WLAN_EID_BSS_COEX_2040,
 900                        /* luckily this is almost always there */
 901                        WLAN_EID_EXT_CAPABILITY,
 902                        WLAN_EID_QOS_TRAFFIC_CAPA,
 903                        WLAN_EID_TIM_BCAST_REQ,
 904                        WLAN_EID_INTERWORKING,
 905                        /* 60 GHz (Multi-band, DMG, MMS) can't happen */
 906                        WLAN_EID_VHT_CAPABILITY,
 907                        WLAN_EID_OPMODE_NOTIF,
 908                };
 909
 910                noffset = ieee80211_ie_split_ric(assoc_data->ie,
 911                                                 assoc_data->ie_len,
 912                                                 before_ht,
 913                                                 ARRAY_SIZE(before_ht),
 914                                                 after_ric,
 915                                                 ARRAY_SIZE(after_ric),
 916                                                 offset);
 917                skb_put_data(skb, assoc_data->ie + offset, noffset - offset);
 918                offset = noffset;
 919        }
 920
 921        if (WARN_ON_ONCE((ifmgd->flags & IEEE80211_STA_DISABLE_HT) &&
 922                         !(ifmgd->flags & IEEE80211_STA_DISABLE_VHT)))
 923                ifmgd->flags |= IEEE80211_STA_DISABLE_VHT;
 924
 925        if (sband->band != NL80211_BAND_6GHZ &&
 926            !(ifmgd->flags & IEEE80211_STA_DISABLE_HT))
 927                ieee80211_add_ht_ie(sdata, skb, assoc_data->ap_ht_param,
 928                                    sband, chan, sdata->smps_mode);
 929
 930        /* if present, add any custom IEs that go before VHT */
 931        if (assoc_data->ie_len) {
 932                static const u8 before_vht[] = {
 933                        /*
 934                         * no need to list the ones split off before HT
 935                         * or generated here
 936                         */
 937                        WLAN_EID_BSS_COEX_2040,
 938                        WLAN_EID_EXT_CAPABILITY,
 939                        WLAN_EID_QOS_TRAFFIC_CAPA,
 940                        WLAN_EID_TIM_BCAST_REQ,
 941                        WLAN_EID_INTERWORKING,
 942                        /* 60 GHz (Multi-band, DMG, MMS) can't happen */
 943                };
 944
 945                /* RIC already taken above, so no need to handle here anymore */
 946                noffset = ieee80211_ie_split(assoc_data->ie, assoc_data->ie_len,
 947                                             before_vht, ARRAY_SIZE(before_vht),
 948                                             offset);
 949                skb_put_data(skb, assoc_data->ie + offset, noffset - offset);
 950                offset = noffset;
 951        }
 952
 953        /* if present, add any custom IEs that go before HE */
 954        if (assoc_data->ie_len) {
 955                static const u8 before_he[] = {
 956                        /*
 957                         * no need to list the ones split off before VHT
 958                         * or generated here
 959                         */
 960                        WLAN_EID_OPMODE_NOTIF,
 961                        WLAN_EID_EXTENSION, WLAN_EID_EXT_FUTURE_CHAN_GUIDANCE,
 962                        /* 11ai elements */
 963                        WLAN_EID_EXTENSION, WLAN_EID_EXT_FILS_SESSION,
 964                        WLAN_EID_EXTENSION, WLAN_EID_EXT_FILS_PUBLIC_KEY,
 965                        WLAN_EID_EXTENSION, WLAN_EID_EXT_FILS_KEY_CONFIRM,
 966                        WLAN_EID_EXTENSION, WLAN_EID_EXT_FILS_HLP_CONTAINER,
 967                        WLAN_EID_EXTENSION, WLAN_EID_EXT_FILS_IP_ADDR_ASSIGN,
 968                        /* TODO: add 11ah/11aj/11ak elements */
 969                };
 970
 971                /* RIC already taken above, so no need to handle here anymore */
 972                noffset = ieee80211_ie_split(assoc_data->ie, assoc_data->ie_len,
 973                                             before_he, ARRAY_SIZE(before_he),
 974                                             offset);
 975                pos = skb_put(skb, noffset - offset);
 976                memcpy(pos, assoc_data->ie + offset, noffset - offset);
 977                offset = noffset;
 978        }
 979
 980        if (sband->band != NL80211_BAND_6GHZ &&
 981            !(ifmgd->flags & IEEE80211_STA_DISABLE_VHT))
 982                ieee80211_add_vht_ie(sdata, skb, sband,
 983                                     &assoc_data->ap_vht_cap);
 984
 985        /*
 986         * If AP doesn't support HT, mark HE as disabled.
 987         * If on the 5GHz band, make sure it supports VHT.
 988         */
 989        if (ifmgd->flags & IEEE80211_STA_DISABLE_HT ||
 990            (sband->band == NL80211_BAND_5GHZ &&
 991             ifmgd->flags & IEEE80211_STA_DISABLE_VHT))
 992                ifmgd->flags |= IEEE80211_STA_DISABLE_HE;
 993
 994        if (!(ifmgd->flags & IEEE80211_STA_DISABLE_HE))
 995                ieee80211_add_he_ie(sdata, skb, sband);
 996
 997        /* if present, add any custom non-vendor IEs that go after HE */
 998        if (assoc_data->ie_len) {
 999                noffset = ieee80211_ie_split_vendor(assoc_data->ie,
1000                                                    assoc_data->ie_len,
1001                                                    offset);
1002                skb_put_data(skb, assoc_data->ie + offset, noffset - offset);
1003                offset = noffset;
1004        }
1005
1006        if (assoc_data->wmm) {
1007                if (assoc_data->uapsd) {
1008                        qos_info = ifmgd->uapsd_queues;
1009                        qos_info |= (ifmgd->uapsd_max_sp_len <<
1010                                     IEEE80211_WMM_IE_STA_QOSINFO_SP_SHIFT);
1011                } else {
1012                        qos_info = 0;
1013                }
1014
1015                pos = ieee80211_add_wmm_info_ie(skb_put(skb, 9), qos_info);
1016        }
1017
1018        if (sband->band == NL80211_BAND_S1GHZ) {
1019                ieee80211_add_aid_request_ie(sdata, skb);
1020                ieee80211_add_s1g_capab_ie(sdata, &sband->s1g_cap, skb);
1021        }
1022
1023        if (iftd && iftd->vendor_elems.data && iftd->vendor_elems.len)
1024                skb_put_data(skb, iftd->vendor_elems.data, iftd->vendor_elems.len);
1025
1026        /* add any remaining custom (i.e. vendor specific here) IEs */
1027        if (assoc_data->ie_len) {
1028                noffset = assoc_data->ie_len;
1029                skb_put_data(skb, assoc_data->ie + offset, noffset - offset);
1030        }
1031
1032        if (assoc_data->fils_kek_len &&
1033            fils_encrypt_assoc_req(skb, assoc_data) < 0) {
1034                dev_kfree_skb(skb);
1035                return;
1036        }
1037
1038        pos = skb_tail_pointer(skb);
1039        kfree(ifmgd->assoc_req_ies);
1040        ifmgd->assoc_req_ies = kmemdup(ie_start, pos - ie_start, GFP_ATOMIC);
1041        ifmgd->assoc_req_ies_len = pos - ie_start;
1042
1043        drv_mgd_prepare_tx(local, sdata, &info);
1044
1045        IEEE80211_SKB_CB(skb)->flags |= IEEE80211_TX_INTFL_DONT_ENCRYPT;
1046        if (ieee80211_hw_check(&local->hw, REPORTS_TX_ACK_STATUS))
1047                IEEE80211_SKB_CB(skb)->flags |= IEEE80211_TX_CTL_REQ_TX_STATUS |
1048                                                IEEE80211_TX_INTFL_MLME_CONN_TX;
1049        ieee80211_tx_skb(sdata, skb);
1050}
1051
1052void ieee80211_send_pspoll(struct ieee80211_local *local,
1053                           struct ieee80211_sub_if_data *sdata)
1054{
1055        struct ieee80211_pspoll *pspoll;
1056        struct sk_buff *skb;
1057
1058        skb = ieee80211_pspoll_get(&local->hw, &sdata->vif);
1059        if (!skb)
1060                return;
1061
1062        pspoll = (struct ieee80211_pspoll *) skb->data;
1063        pspoll->frame_control |= cpu_to_le16(IEEE80211_FCTL_PM);
1064
1065        IEEE80211_SKB_CB(skb)->flags |= IEEE80211_TX_INTFL_DONT_ENCRYPT;
1066        ieee80211_tx_skb(sdata, skb);
1067}
1068
1069void ieee80211_send_nullfunc(struct ieee80211_local *local,
1070                             struct ieee80211_sub_if_data *sdata,
1071                             bool powersave)
1072{
1073        struct sk_buff *skb;
1074        struct ieee80211_hdr_3addr *nullfunc;
1075        struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
1076
1077        skb = ieee80211_nullfunc_get(&local->hw, &sdata->vif,
1078                !ieee80211_hw_check(&local->hw, DOESNT_SUPPORT_QOS_NDP));
1079        if (!skb)
1080                return;
1081
1082        nullfunc = (struct ieee80211_hdr_3addr *) skb->data;
1083        if (powersave)
1084                nullfunc->frame_control |= cpu_to_le16(IEEE80211_FCTL_PM);
1085
1086        IEEE80211_SKB_CB(skb)->flags |= IEEE80211_TX_INTFL_DONT_ENCRYPT |
1087                                        IEEE80211_TX_INTFL_OFFCHAN_TX_OK;
1088
1089        if (ieee80211_hw_check(&local->hw, REPORTS_TX_ACK_STATUS))
1090                IEEE80211_SKB_CB(skb)->flags |= IEEE80211_TX_CTL_REQ_TX_STATUS;
1091
1092        if (ifmgd->flags & IEEE80211_STA_CONNECTION_POLL)
1093                IEEE80211_SKB_CB(skb)->flags |= IEEE80211_TX_CTL_USE_MINRATE;
1094
1095        ieee80211_tx_skb(sdata, skb);
1096}
1097
1098void ieee80211_send_4addr_nullfunc(struct ieee80211_local *local,
1099                                   struct ieee80211_sub_if_data *sdata)
1100{
1101        struct sk_buff *skb;
1102        struct ieee80211_hdr *nullfunc;
1103        __le16 fc;
1104
1105        if (WARN_ON(sdata->vif.type != NL80211_IFTYPE_STATION))
1106                return;
1107
1108        skb = dev_alloc_skb(local->hw.extra_tx_headroom + 30);
1109        if (!skb)
1110                return;
1111
1112        skb_reserve(skb, local->hw.extra_tx_headroom);
1113
1114        nullfunc = skb_put_zero(skb, 30);
1115        fc = cpu_to_le16(IEEE80211_FTYPE_DATA | IEEE80211_STYPE_NULLFUNC |
1116                         IEEE80211_FCTL_FROMDS | IEEE80211_FCTL_TODS);
1117        nullfunc->frame_control = fc;
1118        memcpy(nullfunc->addr1, sdata->u.mgd.bssid, ETH_ALEN);
1119        memcpy(nullfunc->addr2, sdata->vif.addr, ETH_ALEN);
1120        memcpy(nullfunc->addr3, sdata->u.mgd.bssid, ETH_ALEN);
1121        memcpy(nullfunc->addr4, sdata->vif.addr, ETH_ALEN);
1122
1123        IEEE80211_SKB_CB(skb)->flags |= IEEE80211_TX_INTFL_DONT_ENCRYPT;
1124        ieee80211_tx_skb(sdata, skb);
1125}
1126
1127/* spectrum management related things */
1128static void ieee80211_chswitch_work(struct work_struct *work)
1129{
1130        struct ieee80211_sub_if_data *sdata =
1131                container_of(work, struct ieee80211_sub_if_data, u.mgd.chswitch_work);
1132        struct ieee80211_local *local = sdata->local;
1133        struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
1134        int ret;
1135
1136        if (!ieee80211_sdata_running(sdata))
1137                return;
1138
1139        sdata_lock(sdata);
1140        mutex_lock(&local->mtx);
1141        mutex_lock(&local->chanctx_mtx);
1142
1143        if (!ifmgd->associated)
1144                goto out;
1145
1146        if (!sdata->vif.csa_active)
1147                goto out;
1148
1149        /*
1150         * using reservation isn't immediate as it may be deferred until later
1151         * with multi-vif. once reservation is complete it will re-schedule the
1152         * work with no reserved_chanctx so verify chandef to check if it
1153         * completed successfully
1154         */
1155
1156        if (sdata->reserved_chanctx) {
1157                /*
1158                 * with multi-vif csa driver may call ieee80211_csa_finish()
1159                 * many times while waiting for other interfaces to use their
1160                 * reservations
1161                 */
1162                if (sdata->reserved_ready)
1163                        goto out;
1164
1165                ret = ieee80211_vif_use_reserved_context(sdata);
1166                if (ret) {
1167                        sdata_info(sdata,
1168                                   "failed to use reserved channel context, disconnecting (err=%d)\n",
1169                                   ret);
1170                        ieee80211_queue_work(&sdata->local->hw,
1171                                             &ifmgd->csa_connection_drop_work);
1172                        goto out;
1173                }
1174
1175                goto out;
1176        }
1177
1178        if (!cfg80211_chandef_identical(&sdata->vif.bss_conf.chandef,
1179                                        &sdata->csa_chandef)) {
1180                sdata_info(sdata,
1181                           "failed to finalize channel switch, disconnecting\n");
1182                ieee80211_queue_work(&sdata->local->hw,
1183                                     &ifmgd->csa_connection_drop_work);
1184                goto out;
1185        }
1186
1187        ifmgd->csa_waiting_bcn = true;
1188
1189        ieee80211_sta_reset_beacon_monitor(sdata);
1190        ieee80211_sta_reset_conn_monitor(sdata);
1191
1192out:
1193        mutex_unlock(&local->chanctx_mtx);
1194        mutex_unlock(&local->mtx);
1195        sdata_unlock(sdata);
1196}
1197
1198static void ieee80211_chswitch_post_beacon(struct ieee80211_sub_if_data *sdata)
1199{
1200        struct ieee80211_local *local = sdata->local;
1201        struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
1202        int ret;
1203
1204        sdata_assert_lock(sdata);
1205
1206        WARN_ON(!sdata->vif.csa_active);
1207
1208        if (sdata->csa_block_tx) {
1209                ieee80211_wake_vif_queues(local, sdata,
1210                                          IEEE80211_QUEUE_STOP_REASON_CSA);
1211                sdata->csa_block_tx = false;
1212        }
1213
1214        sdata->vif.csa_active = false;
1215        ifmgd->csa_waiting_bcn = false;
1216        /*
1217         * If the CSA IE is still present on the beacon after the switch,
1218         * we need to consider it as a new CSA (possibly to self).
1219         */
1220        ifmgd->beacon_crc_valid = false;
1221
1222        ret = drv_post_channel_switch(sdata);
1223        if (ret) {
1224                sdata_info(sdata,
1225                           "driver post channel switch failed, disconnecting\n");
1226                ieee80211_queue_work(&local->hw,
1227                                     &ifmgd->csa_connection_drop_work);
1228                return;
1229        }
1230
1231        cfg80211_ch_switch_notify(sdata->dev, &sdata->reserved_chandef);
1232}
1233
1234void ieee80211_chswitch_done(struct ieee80211_vif *vif, bool success)
1235{
1236        struct ieee80211_sub_if_data *sdata = vif_to_sdata(vif);
1237        struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
1238
1239        trace_api_chswitch_done(sdata, success);
1240        if (!success) {
1241                sdata_info(sdata,
1242                           "driver channel switch failed, disconnecting\n");
1243                ieee80211_queue_work(&sdata->local->hw,
1244                                     &ifmgd->csa_connection_drop_work);
1245        } else {
1246                ieee80211_queue_work(&sdata->local->hw, &ifmgd->chswitch_work);
1247        }
1248}
1249EXPORT_SYMBOL(ieee80211_chswitch_done);
1250
1251static void ieee80211_chswitch_timer(struct timer_list *t)
1252{
1253        struct ieee80211_sub_if_data *sdata =
1254                from_timer(sdata, t, u.mgd.chswitch_timer);
1255
1256        ieee80211_queue_work(&sdata->local->hw, &sdata->u.mgd.chswitch_work);
1257}
1258
1259static void
1260ieee80211_sta_abort_chanswitch(struct ieee80211_sub_if_data *sdata)
1261{
1262        struct ieee80211_local *local = sdata->local;
1263
1264        if (!local->ops->abort_channel_switch)
1265                return;
1266
1267        mutex_lock(&local->mtx);
1268
1269        mutex_lock(&local->chanctx_mtx);
1270        ieee80211_vif_unreserve_chanctx(sdata);
1271        mutex_unlock(&local->chanctx_mtx);
1272
1273        if (sdata->csa_block_tx)
1274                ieee80211_wake_vif_queues(local, sdata,
1275                                          IEEE80211_QUEUE_STOP_REASON_CSA);
1276
1277        sdata->csa_block_tx = false;
1278        sdata->vif.csa_active = false;
1279
1280        mutex_unlock(&local->mtx);
1281
1282        drv_abort_channel_switch(sdata);
1283}
1284
1285static void
1286ieee80211_sta_process_chanswitch(struct ieee80211_sub_if_data *sdata,
1287                                 u64 timestamp, u32 device_timestamp,
1288                                 struct ieee802_11_elems *elems,
1289                                 bool beacon)
1290{
1291        struct ieee80211_local *local = sdata->local;
1292        struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
1293        struct cfg80211_bss *cbss = ifmgd->associated;
1294        struct ieee80211_chanctx_conf *conf;
1295        struct ieee80211_chanctx *chanctx;
1296        enum nl80211_band current_band;
1297        struct ieee80211_csa_ie csa_ie;
1298        struct ieee80211_channel_switch ch_switch;
1299        struct ieee80211_bss *bss;
1300        int res;
1301
1302        sdata_assert_lock(sdata);
1303
1304        if (!cbss)
1305                return;
1306
1307        if (local->scanning)
1308                return;
1309
1310        current_band = cbss->channel->band;
1311        bss = (void *)cbss->priv;
1312        res = ieee80211_parse_ch_switch_ie(sdata, elems, current_band,
1313                                           bss->vht_cap_info,
1314                                           ifmgd->flags,
1315                                           ifmgd->associated->bssid, &csa_ie);
1316
1317        if (!res) {
1318                ch_switch.timestamp = timestamp;
1319                ch_switch.device_timestamp = device_timestamp;
1320                ch_switch.block_tx = csa_ie.mode;
1321                ch_switch.chandef = csa_ie.chandef;
1322                ch_switch.count = csa_ie.count;
1323                ch_switch.delay = csa_ie.max_switch_time;
1324        }
1325
1326        if (res < 0)
1327                goto lock_and_drop_connection;
1328
1329        if (beacon && sdata->vif.csa_active && !ifmgd->csa_waiting_bcn) {
1330                if (res)
1331                        ieee80211_sta_abort_chanswitch(sdata);
1332                else
1333                        drv_channel_switch_rx_beacon(sdata, &ch_switch);
1334                return;
1335        } else if (sdata->vif.csa_active || res) {
1336                /* disregard subsequent announcements if already processing */
1337                return;
1338        }
1339
1340        if (sdata->vif.bss_conf.chandef.chan->band !=
1341            csa_ie.chandef.chan->band) {
1342                sdata_info(sdata,
1343                           "AP %pM switches to different band (%d MHz, width:%d, CF1/2: %d/%d MHz), disconnecting\n",
1344                           ifmgd->associated->bssid,
1345                           csa_ie.chandef.chan->center_freq,
1346                           csa_ie.chandef.width, csa_ie.chandef.center_freq1,
1347                           csa_ie.chandef.center_freq2);
1348                goto lock_and_drop_connection;
1349        }
1350
1351        if (!cfg80211_chandef_usable(local->hw.wiphy, &csa_ie.chandef,
1352                                     IEEE80211_CHAN_DISABLED)) {
1353                sdata_info(sdata,
1354                           "AP %pM switches to unsupported channel "
1355                           "(%d.%03d MHz, width:%d, CF1/2: %d.%03d/%d MHz), "
1356                           "disconnecting\n",
1357                           ifmgd->associated->bssid,
1358                           csa_ie.chandef.chan->center_freq,
1359                           csa_ie.chandef.chan->freq_offset,
1360                           csa_ie.chandef.width, csa_ie.chandef.center_freq1,
1361                           csa_ie.chandef.freq1_offset,
1362                           csa_ie.chandef.center_freq2);
1363                goto lock_and_drop_connection;
1364        }
1365
1366        if (cfg80211_chandef_identical(&csa_ie.chandef,
1367                                       &sdata->vif.bss_conf.chandef) &&
1368            (!csa_ie.mode || !beacon)) {
1369                if (ifmgd->csa_ignored_same_chan)
1370                        return;
1371                sdata_info(sdata,
1372                           "AP %pM tries to chanswitch to same channel, ignore\n",
1373                           ifmgd->associated->bssid);
1374                ifmgd->csa_ignored_same_chan = true;
1375                return;
1376        }
1377
1378        /*
1379         * Drop all TDLS peers - either we disconnect or move to a different
1380         * channel from this point on. There's no telling what our peer will do.
1381         * The TDLS WIDER_BW scenario is also problematic, as peers might now
1382         * have an incompatible wider chandef.
1383         */
1384        ieee80211_teardown_tdls_peers(sdata);
1385
1386        mutex_lock(&local->mtx);
1387        mutex_lock(&local->chanctx_mtx);
1388        conf = rcu_dereference_protected(sdata->vif.chanctx_conf,
1389                                         lockdep_is_held(&local->chanctx_mtx));
1390        if (!conf) {
1391                sdata_info(sdata,
1392                           "no channel context assigned to vif?, disconnecting\n");
1393                goto drop_connection;
1394        }
1395
1396        chanctx = container_of(conf, struct ieee80211_chanctx, conf);
1397
1398        if (local->use_chanctx &&
1399            !ieee80211_hw_check(&local->hw, CHANCTX_STA_CSA)) {
1400                sdata_info(sdata,
1401                           "driver doesn't support chan-switch with channel contexts\n");
1402                goto drop_connection;
1403        }
1404
1405        if (drv_pre_channel_switch(sdata, &ch_switch)) {
1406                sdata_info(sdata,
1407                           "preparing for channel switch failed, disconnecting\n");
1408                goto drop_connection;
1409        }
1410
1411        res = ieee80211_vif_reserve_chanctx(sdata, &csa_ie.chandef,
1412                                            chanctx->mode, false);
1413        if (res) {
1414                sdata_info(sdata,
1415                           "failed to reserve channel context for channel switch, disconnecting (err=%d)\n",
1416                           res);
1417                goto drop_connection;
1418        }
1419        mutex_unlock(&local->chanctx_mtx);
1420
1421        sdata->vif.csa_active = true;
1422        sdata->csa_chandef = csa_ie.chandef;
1423        sdata->csa_block_tx = csa_ie.mode;
1424        ifmgd->csa_ignored_same_chan = false;
1425        ifmgd->beacon_crc_valid = false;
1426
1427        if (sdata->csa_block_tx)
1428                ieee80211_stop_vif_queues(local, sdata,
1429                                          IEEE80211_QUEUE_STOP_REASON_CSA);
1430        mutex_unlock(&local->mtx);
1431
1432        cfg80211_ch_switch_started_notify(sdata->dev, &csa_ie.chandef,
1433                                          csa_ie.count, csa_ie.mode);
1434
1435        if (local->ops->channel_switch) {
1436                /* use driver's channel switch callback */
1437                drv_channel_switch(local, sdata, &ch_switch);
1438                return;
1439        }
1440
1441        /* channel switch handled in software */
1442        if (csa_ie.count <= 1)
1443                ieee80211_queue_work(&local->hw, &ifmgd->chswitch_work);
1444        else
1445                mod_timer(&ifmgd->chswitch_timer,
1446                          TU_TO_EXP_TIME((csa_ie.count - 1) *
1447                                         cbss->beacon_interval));
1448        return;
1449 lock_and_drop_connection:
1450        mutex_lock(&local->mtx);
1451        mutex_lock(&local->chanctx_mtx);
1452 drop_connection:
1453        /*
1454         * This is just so that the disconnect flow will know that
1455         * we were trying to switch channel and failed. In case the
1456         * mode is 1 (we are not allowed to Tx), we will know not to
1457         * send a deauthentication frame. Those two fields will be
1458         * reset when the disconnection worker runs.
1459         */
1460        sdata->vif.csa_active = true;
1461        sdata->csa_block_tx = csa_ie.mode;
1462
1463        ieee80211_queue_work(&local->hw, &ifmgd->csa_connection_drop_work);
1464        mutex_unlock(&local->chanctx_mtx);
1465        mutex_unlock(&local->mtx);
1466}
1467
1468static bool
1469ieee80211_find_80211h_pwr_constr(struct ieee80211_sub_if_data *sdata,
1470                                 struct ieee80211_channel *channel,
1471                                 const u8 *country_ie, u8 country_ie_len,
1472                                 const u8 *pwr_constr_elem,
1473                                 int *chan_pwr, int *pwr_reduction)
1474{
1475        struct ieee80211_country_ie_triplet *triplet;
1476        int chan = ieee80211_frequency_to_channel(channel->center_freq);
1477        int i, chan_increment;
1478        bool have_chan_pwr = false;
1479
1480        /* Invalid IE */
1481        if (country_ie_len % 2 || country_ie_len < IEEE80211_COUNTRY_IE_MIN_LEN)
1482                return false;
1483
1484        triplet = (void *)(country_ie + 3);
1485        country_ie_len -= 3;
1486
1487        switch (channel->band) {
1488        default:
1489                WARN_ON_ONCE(1);
1490                fallthrough;
1491        case NL80211_BAND_2GHZ:
1492        case NL80211_BAND_60GHZ:
1493                chan_increment = 1;
1494                break;
1495        case NL80211_BAND_5GHZ:
1496                chan_increment = 4;
1497                break;
1498        case NL80211_BAND_6GHZ:
1499                /*
1500                 * In the 6 GHz band, the "maximum transmit power level"
1501                 * field in the triplets is reserved, and thus will be
1502                 * zero and we shouldn't use it to control TX power.
1503                 * The actual TX power will be given in the transmit
1504                 * power envelope element instead.
1505                 */
1506                return false;
1507        }
1508
1509        /* find channel */
1510        while (country_ie_len >= 3) {
1511                u8 first_channel = triplet->chans.first_channel;
1512
1513                if (first_channel >= IEEE80211_COUNTRY_EXTENSION_ID)
1514                        goto next;
1515
1516                for (i = 0; i < triplet->chans.num_channels; i++) {
1517                        if (first_channel + i * chan_increment == chan) {
1518                                have_chan_pwr = true;
1519                                *chan_pwr = triplet->chans.max_power;
1520                                break;
1521                        }
1522                }
1523                if (have_chan_pwr)
1524                        break;
1525
1526 next:
1527                triplet++;
1528                country_ie_len -= 3;
1529        }
1530
1531        if (have_chan_pwr && pwr_constr_elem)
1532                *pwr_reduction = *pwr_constr_elem;
1533        else
1534                *pwr_reduction = 0;
1535
1536        return have_chan_pwr;
1537}
1538
1539static void ieee80211_find_cisco_dtpc(struct ieee80211_sub_if_data *sdata,
1540                                      struct ieee80211_channel *channel,
1541                                      const u8 *cisco_dtpc_ie,
1542                                      int *pwr_level)
1543{
1544        /* From practical testing, the first data byte of the DTPC element
1545         * seems to contain the requested dBm level, and the CLI on Cisco
1546         * APs clearly state the range is -127 to 127 dBm, which indicates
1547         * a signed byte, although it seemingly never actually goes negative.
1548         * The other byte seems to always be zero.
1549         */
1550        *pwr_level = (__s8)cisco_dtpc_ie[4];
1551}
1552
1553static u32 ieee80211_handle_pwr_constr(struct ieee80211_sub_if_data *sdata,
1554                                       struct ieee80211_channel *channel,
1555                                       struct ieee80211_mgmt *mgmt,
1556                                       const u8 *country_ie, u8 country_ie_len,
1557                                       const u8 *pwr_constr_ie,
1558                                       const u8 *cisco_dtpc_ie)
1559{
1560        bool has_80211h_pwr = false, has_cisco_pwr = false;
1561        int chan_pwr = 0, pwr_reduction_80211h = 0;
1562        int pwr_level_cisco, pwr_level_80211h;
1563        int new_ap_level;
1564        __le16 capab = mgmt->u.probe_resp.capab_info;
1565
1566        if (ieee80211_is_s1g_beacon(mgmt->frame_control))
1567                return 0;       /* TODO */
1568
1569        if (country_ie &&
1570            (capab & cpu_to_le16(WLAN_CAPABILITY_SPECTRUM_MGMT) ||
1571             capab & cpu_to_le16(WLAN_CAPABILITY_RADIO_MEASURE))) {
1572                has_80211h_pwr = ieee80211_find_80211h_pwr_constr(
1573                        sdata, channel, country_ie, country_ie_len,
1574                        pwr_constr_ie, &chan_pwr, &pwr_reduction_80211h);
1575                pwr_level_80211h =
1576                        max_t(int, 0, chan_pwr - pwr_reduction_80211h);
1577        }
1578
1579        if (cisco_dtpc_ie) {
1580                ieee80211_find_cisco_dtpc(
1581                        sdata, channel, cisco_dtpc_ie, &pwr_level_cisco);
1582                has_cisco_pwr = true;
1583        }
1584
1585        if (!has_80211h_pwr && !has_cisco_pwr)
1586                return 0;
1587
1588        /* If we have both 802.11h and Cisco DTPC, apply both limits
1589         * by picking the smallest of the two power levels advertised.
1590         */
1591        if (has_80211h_pwr &&
1592            (!has_cisco_pwr || pwr_level_80211h <= pwr_level_cisco)) {
1593                new_ap_level = pwr_level_80211h;
1594
1595                if (sdata->ap_power_level == new_ap_level)
1596                        return 0;
1597
1598                sdata_dbg(sdata,
1599                          "Limiting TX power to %d (%d - %d) dBm as advertised by %pM\n",
1600                          pwr_level_80211h, chan_pwr, pwr_reduction_80211h,
1601                          sdata->u.mgd.bssid);
1602        } else {  /* has_cisco_pwr is always true here. */
1603                new_ap_level = pwr_level_cisco;
1604
1605                if (sdata->ap_power_level == new_ap_level)
1606                        return 0;
1607
1608                sdata_dbg(sdata,
1609                          "Limiting TX power to %d dBm as advertised by %pM\n",
1610                          pwr_level_cisco, sdata->u.mgd.bssid);
1611        }
1612
1613        sdata->ap_power_level = new_ap_level;
1614        if (__ieee80211_recalc_txpower(sdata))
1615                return BSS_CHANGED_TXPOWER;
1616        return 0;
1617}
1618
1619/* powersave */
1620static void ieee80211_enable_ps(struct ieee80211_local *local,
1621                                struct ieee80211_sub_if_data *sdata)
1622{
1623        struct ieee80211_conf *conf = &local->hw.conf;
1624
1625        /*
1626         * If we are scanning right now then the parameters will
1627         * take effect when scan finishes.
1628         */
1629        if (local->scanning)
1630                return;
1631
1632        if (conf->dynamic_ps_timeout > 0 &&
1633            !ieee80211_hw_check(&local->hw, SUPPORTS_DYNAMIC_PS)) {
1634                mod_timer(&local->dynamic_ps_timer, jiffies +
1635                          msecs_to_jiffies(conf->dynamic_ps_timeout));
1636        } else {
1637                if (ieee80211_hw_check(&local->hw, PS_NULLFUNC_STACK))
1638                        ieee80211_send_nullfunc(local, sdata, true);
1639
1640                if (ieee80211_hw_check(&local->hw, PS_NULLFUNC_STACK) &&
1641                    ieee80211_hw_check(&local->hw, REPORTS_TX_ACK_STATUS))
1642                        return;
1643
1644                conf->flags |= IEEE80211_CONF_PS;
1645                ieee80211_hw_config(local, IEEE80211_CONF_CHANGE_PS);
1646        }
1647}
1648
1649static void ieee80211_change_ps(struct ieee80211_local *local)
1650{
1651        struct ieee80211_conf *conf = &local->hw.conf;
1652
1653        if (local->ps_sdata) {
1654                ieee80211_enable_ps(local, local->ps_sdata);
1655        } else if (conf->flags & IEEE80211_CONF_PS) {
1656                conf->flags &= ~IEEE80211_CONF_PS;
1657                ieee80211_hw_config(local, IEEE80211_CONF_CHANGE_PS);
1658                del_timer_sync(&local->dynamic_ps_timer);
1659                cancel_work_sync(&local->dynamic_ps_enable_work);
1660        }
1661}
1662
1663static bool ieee80211_powersave_allowed(struct ieee80211_sub_if_data *sdata)
1664{
1665        struct ieee80211_if_managed *mgd = &sdata->u.mgd;
1666        struct sta_info *sta = NULL;
1667        bool authorized = false;
1668
1669        if (!mgd->powersave)
1670                return false;
1671
1672        if (mgd->broken_ap)
1673                return false;
1674
1675        if (!mgd->associated)
1676                return false;
1677
1678        if (mgd->flags & IEEE80211_STA_CONNECTION_POLL)
1679                return false;
1680
1681        if (!mgd->have_beacon)
1682                return false;
1683
1684        rcu_read_lock();
1685        sta = sta_info_get(sdata, mgd->bssid);
1686        if (sta)
1687                authorized = test_sta_flag(sta, WLAN_STA_AUTHORIZED);
1688        rcu_read_unlock();
1689
1690        return authorized;
1691}
1692
1693/* need to hold RTNL or interface lock */
1694void ieee80211_recalc_ps(struct ieee80211_local *local)
1695{
1696        struct ieee80211_sub_if_data *sdata, *found = NULL;
1697        int count = 0;
1698        int timeout;
1699
1700        if (!ieee80211_hw_check(&local->hw, SUPPORTS_PS)) {
1701                local->ps_sdata = NULL;
1702                return;
1703        }
1704
1705        list_for_each_entry(sdata, &local->interfaces, list) {
1706                if (!ieee80211_sdata_running(sdata))
1707                        continue;
1708                if (sdata->vif.type == NL80211_IFTYPE_AP) {
1709                        /* If an AP vif is found, then disable PS
1710                         * by setting the count to zero thereby setting
1711                         * ps_sdata to NULL.
1712                         */
1713                        count = 0;
1714                        break;
1715                }
1716                if (sdata->vif.type != NL80211_IFTYPE_STATION)
1717                        continue;
1718                found = sdata;
1719                count++;
1720        }
1721
1722        if (count == 1 && ieee80211_powersave_allowed(found)) {
1723                u8 dtimper = found->u.mgd.dtim_period;
1724
1725                timeout = local->dynamic_ps_forced_timeout;
1726                if (timeout < 0)
1727                        timeout = 100;
1728                local->hw.conf.dynamic_ps_timeout = timeout;
1729
1730                /* If the TIM IE is invalid, pretend the value is 1 */
1731                if (!dtimper)
1732                        dtimper = 1;
1733
1734                local->hw.conf.ps_dtim_period = dtimper;
1735                local->ps_sdata = found;
1736        } else {
1737                local->ps_sdata = NULL;
1738        }
1739
1740        ieee80211_change_ps(local);
1741}
1742
1743void ieee80211_recalc_ps_vif(struct ieee80211_sub_if_data *sdata)
1744{
1745        bool ps_allowed = ieee80211_powersave_allowed(sdata);
1746
1747        if (sdata->vif.bss_conf.ps != ps_allowed) {
1748                sdata->vif.bss_conf.ps = ps_allowed;
1749                ieee80211_bss_info_change_notify(sdata, BSS_CHANGED_PS);
1750        }
1751}
1752
1753void ieee80211_dynamic_ps_disable_work(struct work_struct *work)
1754{
1755        struct ieee80211_local *local =
1756                container_of(work, struct ieee80211_local,
1757                             dynamic_ps_disable_work);
1758
1759        if (local->hw.conf.flags & IEEE80211_CONF_PS) {
1760                local->hw.conf.flags &= ~IEEE80211_CONF_PS;
1761                ieee80211_hw_config(local, IEEE80211_CONF_CHANGE_PS);
1762        }
1763
1764        ieee80211_wake_queues_by_reason(&local->hw,
1765                                        IEEE80211_MAX_QUEUE_MAP,
1766                                        IEEE80211_QUEUE_STOP_REASON_PS,
1767                                        false);
1768}
1769
1770void ieee80211_dynamic_ps_enable_work(struct work_struct *work)
1771{
1772        struct ieee80211_local *local =
1773                container_of(work, struct ieee80211_local,
1774                             dynamic_ps_enable_work);
1775        struct ieee80211_sub_if_data *sdata = local->ps_sdata;
1776        struct ieee80211_if_managed *ifmgd;
1777        unsigned long flags;
1778        int q;
1779
1780        /* can only happen when PS was just disabled anyway */
1781        if (!sdata)
1782                return;
1783
1784        ifmgd = &sdata->u.mgd;
1785
1786        if (local->hw.conf.flags & IEEE80211_CONF_PS)
1787                return;
1788
1789        if (local->hw.conf.dynamic_ps_timeout > 0) {
1790                /* don't enter PS if TX frames are pending */
1791                if (drv_tx_frames_pending(local)) {
1792                        mod_timer(&local->dynamic_ps_timer, jiffies +
1793                                  msecs_to_jiffies(
1794                                  local->hw.conf.dynamic_ps_timeout));
1795                        return;
1796                }
1797
1798                /*
1799                 * transmission can be stopped by others which leads to
1800                 * dynamic_ps_timer expiry. Postpone the ps timer if it
1801                 * is not the actual idle state.
1802                 */
1803                spin_lock_irqsave(&local->queue_stop_reason_lock, flags);
1804                for (q = 0; q < local->hw.queues; q++) {
1805                        if (local->queue_stop_reasons[q]) {
1806                                spin_unlock_irqrestore(&local->queue_stop_reason_lock,
1807                                                       flags);
1808                                mod_timer(&local->dynamic_ps_timer, jiffies +
1809                                          msecs_to_jiffies(
1810                                          local->hw.conf.dynamic_ps_timeout));
1811                                return;
1812                        }
1813                }
1814                spin_unlock_irqrestore(&local->queue_stop_reason_lock, flags);
1815        }
1816
1817        if (ieee80211_hw_check(&local->hw, PS_NULLFUNC_STACK) &&
1818            !(ifmgd->flags & IEEE80211_STA_NULLFUNC_ACKED)) {
1819                if (drv_tx_frames_pending(local)) {
1820                        mod_timer(&local->dynamic_ps_timer, jiffies +
1821                                  msecs_to_jiffies(
1822                                  local->hw.conf.dynamic_ps_timeout));
1823                } else {
1824                        ieee80211_send_nullfunc(local, sdata, true);
1825                        /* Flush to get the tx status of nullfunc frame */
1826                        ieee80211_flush_queues(local, sdata, false);
1827                }
1828        }
1829
1830        if (!(ieee80211_hw_check(&local->hw, REPORTS_TX_ACK_STATUS) &&
1831              ieee80211_hw_check(&local->hw, PS_NULLFUNC_STACK)) ||
1832            (ifmgd->flags & IEEE80211_STA_NULLFUNC_ACKED)) {
1833                ifmgd->flags &= ~IEEE80211_STA_NULLFUNC_ACKED;
1834                local->hw.conf.flags |= IEEE80211_CONF_PS;
1835                ieee80211_hw_config(local, IEEE80211_CONF_CHANGE_PS);
1836        }
1837}
1838
1839void ieee80211_dynamic_ps_timer(struct timer_list *t)
1840{
1841        struct ieee80211_local *local = from_timer(local, t, dynamic_ps_timer);
1842
1843        ieee80211_queue_work(&local->hw, &local->dynamic_ps_enable_work);
1844}
1845
1846void ieee80211_dfs_cac_timer_work(struct work_struct *work)
1847{
1848        struct delayed_work *delayed_work = to_delayed_work(work);
1849        struct ieee80211_sub_if_data *sdata =
1850                container_of(delayed_work, struct ieee80211_sub_if_data,
1851                             dfs_cac_timer_work);
1852        struct cfg80211_chan_def chandef = sdata->vif.bss_conf.chandef;
1853
1854        mutex_lock(&sdata->local->mtx);
1855        if (sdata->wdev.cac_started) {
1856                ieee80211_vif_release_channel(sdata);
1857                cfg80211_cac_event(sdata->dev, &chandef,
1858                                   NL80211_RADAR_CAC_FINISHED,
1859                                   GFP_KERNEL);
1860        }
1861        mutex_unlock(&sdata->local->mtx);
1862}
1863
1864static bool
1865__ieee80211_sta_handle_tspec_ac_params(struct ieee80211_sub_if_data *sdata)
1866{
1867        struct ieee80211_local *local = sdata->local;
1868        struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
1869        bool ret = false;
1870        int ac;
1871
1872        if (local->hw.queues < IEEE80211_NUM_ACS)
1873                return false;
1874
1875        for (ac = 0; ac < IEEE80211_NUM_ACS; ac++) {
1876                struct ieee80211_sta_tx_tspec *tx_tspec = &ifmgd->tx_tspec[ac];
1877                int non_acm_ac;
1878                unsigned long now = jiffies;
1879
1880                if (tx_tspec->action == TX_TSPEC_ACTION_NONE &&
1881                    tx_tspec->admitted_time &&
1882                    time_after(now, tx_tspec->time_slice_start + HZ)) {
1883                        tx_tspec->consumed_tx_time = 0;
1884                        tx_tspec->time_slice_start = now;
1885
1886                        if (tx_tspec->downgraded)
1887                                tx_tspec->action =
1888                                        TX_TSPEC_ACTION_STOP_DOWNGRADE;
1889                }
1890
1891                switch (tx_tspec->action) {
1892                case TX_TSPEC_ACTION_STOP_DOWNGRADE:
1893                        /* take the original parameters */
1894                        if (drv_conf_tx(local, sdata, ac, &sdata->tx_conf[ac]))
1895                                sdata_err(sdata,
1896                                          "failed to set TX queue parameters for queue %d\n",
1897                                          ac);
1898                        tx_tspec->action = TX_TSPEC_ACTION_NONE;
1899                        tx_tspec->downgraded = false;
1900                        ret = true;
1901                        break;
1902                case TX_TSPEC_ACTION_DOWNGRADE:
1903                        if (time_after(now, tx_tspec->time_slice_start + HZ)) {
1904                                tx_tspec->action = TX_TSPEC_ACTION_NONE;
1905                                ret = true;
1906                                break;
1907                        }
1908                        /* downgrade next lower non-ACM AC */
1909                        for (non_acm_ac = ac + 1;
1910                             non_acm_ac < IEEE80211_NUM_ACS;
1911                             non_acm_ac++)
1912                                if (!(sdata->wmm_acm & BIT(7 - 2 * non_acm_ac)))
1913                                        break;
1914                        /* Usually the loop will result in using BK even if it
1915                         * requires admission control, but such a configuration
1916                         * makes no sense and we have to transmit somehow - the
1917                         * AC selection does the same thing.
1918                         * If we started out trying to downgrade from BK, then
1919                         * the extra condition here might be needed.
1920                         */
1921                        if (non_acm_ac >= IEEE80211_NUM_ACS)
1922                                non_acm_ac = IEEE80211_AC_BK;
1923                        if (drv_conf_tx(local, sdata, ac,
1924                                        &sdata->tx_conf[non_acm_ac]))
1925                                sdata_err(sdata,
1926                                          "failed to set TX queue parameters for queue %d\n",
1927                                          ac);
1928                        tx_tspec->action = TX_TSPEC_ACTION_NONE;
1929                        ret = true;
1930                        schedule_delayed_work(&ifmgd->tx_tspec_wk,
1931                                tx_tspec->time_slice_start + HZ - now + 1);
1932                        break;
1933                case TX_TSPEC_ACTION_NONE:
1934                        /* nothing now */
1935                        break;
1936                }
1937        }
1938
1939        return ret;
1940}
1941
1942void ieee80211_sta_handle_tspec_ac_params(struct ieee80211_sub_if_data *sdata)
1943{
1944        if (__ieee80211_sta_handle_tspec_ac_params(sdata))
1945                ieee80211_bss_info_change_notify(sdata, BSS_CHANGED_QOS);
1946}
1947
1948static void ieee80211_sta_handle_tspec_ac_params_wk(struct work_struct *work)
1949{
1950        struct ieee80211_sub_if_data *sdata;
1951
1952        sdata = container_of(work, struct ieee80211_sub_if_data,
1953                             u.mgd.tx_tspec_wk.work);
1954        ieee80211_sta_handle_tspec_ac_params(sdata);
1955}
1956
1957/* MLME */
1958static bool
1959ieee80211_sta_wmm_params(struct ieee80211_local *local,
1960                         struct ieee80211_sub_if_data *sdata,
1961                         const u8 *wmm_param, size_t wmm_param_len,
1962                         const struct ieee80211_mu_edca_param_set *mu_edca)
1963{
1964        struct ieee80211_tx_queue_params params[IEEE80211_NUM_ACS];
1965        struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
1966        size_t left;
1967        int count, mu_edca_count, ac;
1968        const u8 *pos;
1969        u8 uapsd_queues = 0;
1970
1971        if (!local->ops->conf_tx)
1972                return false;
1973
1974        if (local->hw.queues < IEEE80211_NUM_ACS)
1975                return false;
1976
1977        if (!wmm_param)
1978                return false;
1979
1980        if (wmm_param_len < 8 || wmm_param[5] /* version */ != 1)
1981                return false;
1982
1983        if (ifmgd->flags & IEEE80211_STA_UAPSD_ENABLED)
1984                uapsd_queues = ifmgd->uapsd_queues;
1985
1986        count = wmm_param[6] & 0x0f;
1987        /* -1 is the initial value of ifmgd->mu_edca_last_param_set.
1988         * if mu_edca was preset before and now it disappeared tell
1989         * the driver about it.
1990         */
1991        mu_edca_count = mu_edca ? mu_edca->mu_qos_info & 0x0f : -1;
1992        if (count == ifmgd->wmm_last_param_set &&
1993            mu_edca_count == ifmgd->mu_edca_last_param_set)
1994                return false;
1995        ifmgd->wmm_last_param_set = count;
1996        ifmgd->mu_edca_last_param_set = mu_edca_count;
1997
1998        pos = wmm_param + 8;
1999        left = wmm_param_len - 8;
2000
2001        memset(&params, 0, sizeof(params));
2002
2003        sdata->wmm_acm = 0;
2004        for (; left >= 4; left -= 4, pos += 4) {
2005                int aci = (pos[0] >> 5) & 0x03;
2006                int acm = (pos[0] >> 4) & 0x01;
2007                bool uapsd = false;
2008
2009                switch (aci) {
2010                case 1: /* AC_BK */
2011                        ac = IEEE80211_AC_BK;
2012                        if (acm)
2013                                sdata->wmm_acm |= BIT(1) | BIT(2); /* BK/- */
2014                        if (uapsd_queues & IEEE80211_WMM_IE_STA_QOSINFO_AC_BK)
2015                                uapsd = true;
2016                        params[ac].mu_edca = !!mu_edca;
2017                        if (mu_edca)
2018                                params[ac].mu_edca_param_rec = mu_edca->ac_bk;
2019                        break;
2020                case 2: /* AC_VI */
2021                        ac = IEEE80211_AC_VI;
2022                        if (acm)
2023                                sdata->wmm_acm |= BIT(4) | BIT(5); /* CL/VI */
2024                        if (uapsd_queues & IEEE80211_WMM_IE_STA_QOSINFO_AC_VI)
2025                                uapsd = true;
2026                        params[ac].mu_edca = !!mu_edca;
2027                        if (mu_edca)
2028                                params[ac].mu_edca_param_rec = mu_edca->ac_vi;
2029                        break;
2030                case 3: /* AC_VO */
2031                        ac = IEEE80211_AC_VO;
2032                        if (acm)
2033                                sdata->wmm_acm |= BIT(6) | BIT(7); /* VO/NC */
2034                        if (uapsd_queues & IEEE80211_WMM_IE_STA_QOSINFO_AC_VO)
2035                                uapsd = true;
2036                        params[ac].mu_edca = !!mu_edca;
2037                        if (mu_edca)
2038                                params[ac].mu_edca_param_rec = mu_edca->ac_vo;
2039                        break;
2040                case 0: /* AC_BE */
2041                default:
2042                        ac = IEEE80211_AC_BE;
2043                        if (acm)
2044                                sdata->wmm_acm |= BIT(0) | BIT(3); /* BE/EE */
2045                        if (uapsd_queues & IEEE80211_WMM_IE_STA_QOSINFO_AC_BE)
2046                                uapsd = true;
2047                        params[ac].mu_edca = !!mu_edca;
2048                        if (mu_edca)
2049                                params[ac].mu_edca_param_rec = mu_edca->ac_be;
2050                        break;
2051                }
2052
2053                params[ac].aifs = pos[0] & 0x0f;
2054
2055                if (params[ac].aifs < 2) {
2056                        sdata_info(sdata,
2057                                   "AP has invalid WMM params (AIFSN=%d for ACI %d), will use 2\n",
2058                                   params[ac].aifs, aci);
2059                        params[ac].aifs = 2;
2060                }
2061                params[ac].cw_max = ecw2cw((pos[1] & 0xf0) >> 4);
2062                params[ac].cw_min = ecw2cw(pos[1] & 0x0f);
2063                params[ac].txop = get_unaligned_le16(pos + 2);
2064                params[ac].acm = acm;
2065                params[ac].uapsd = uapsd;
2066
2067                if (params[ac].cw_min == 0 ||
2068                    params[ac].cw_min > params[ac].cw_max) {
2069                        sdata_info(sdata,
2070                                   "AP has invalid WMM params (CWmin/max=%d/%d for ACI %d), using defaults\n",
2071                                   params[ac].cw_min, params[ac].cw_max, aci);
2072                        return false;
2073                }
2074                ieee80211_regulatory_limit_wmm_params(sdata, &params[ac], ac);
2075        }
2076
2077        /* WMM specification requires all 4 ACIs. */
2078        for (ac = 0; ac < IEEE80211_NUM_ACS; ac++) {
2079                if (params[ac].cw_min == 0) {
2080                        sdata_info(sdata,
2081                                   "AP has invalid WMM params (missing AC %d), using defaults\n",
2082                                   ac);
2083                        return false;
2084                }
2085        }
2086
2087        for (ac = 0; ac < IEEE80211_NUM_ACS; ac++) {
2088                mlme_dbg(sdata,
2089                         "WMM AC=%d acm=%d aifs=%d cWmin=%d cWmax=%d txop=%d uapsd=%d, downgraded=%d\n",
2090                         ac, params[ac].acm,
2091                         params[ac].aifs, params[ac].cw_min, params[ac].cw_max,
2092                         params[ac].txop, params[ac].uapsd,
2093                         ifmgd->tx_tspec[ac].downgraded);
2094                sdata->tx_conf[ac] = params[ac];
2095                if (!ifmgd->tx_tspec[ac].downgraded &&
2096                    drv_conf_tx(local, sdata, ac, &params[ac]))
2097                        sdata_err(sdata,
2098                                  "failed to set TX queue parameters for AC %d\n",
2099                                  ac);
2100        }
2101
2102        /* enable WMM or activate new settings */
2103        sdata->vif.bss_conf.qos = true;
2104        return true;
2105}
2106
2107static void __ieee80211_stop_poll(struct ieee80211_sub_if_data *sdata)
2108{
2109        lockdep_assert_held(&sdata->local->mtx);
2110
2111        sdata->u.mgd.flags &= ~IEEE80211_STA_CONNECTION_POLL;
2112        ieee80211_run_deferred_scan(sdata->local);
2113}
2114
2115static void ieee80211_stop_poll(struct ieee80211_sub_if_data *sdata)
2116{
2117        mutex_lock(&sdata->local->mtx);
2118        __ieee80211_stop_poll(sdata);
2119        mutex_unlock(&sdata->local->mtx);
2120}
2121
2122static u32 ieee80211_handle_bss_capability(struct ieee80211_sub_if_data *sdata,
2123                                           u16 capab, bool erp_valid, u8 erp)
2124{
2125        struct ieee80211_bss_conf *bss_conf = &sdata->vif.bss_conf;
2126        struct ieee80211_supported_band *sband;
2127        u32 changed = 0;
2128        bool use_protection;
2129        bool use_short_preamble;
2130        bool use_short_slot;
2131
2132        sband = ieee80211_get_sband(sdata);
2133        if (!sband)
2134                return changed;
2135
2136        if (erp_valid) {
2137                use_protection = (erp & WLAN_ERP_USE_PROTECTION) != 0;
2138                use_short_preamble = (erp & WLAN_ERP_BARKER_PREAMBLE) == 0;
2139        } else {
2140                use_protection = false;
2141                use_short_preamble = !!(capab & WLAN_CAPABILITY_SHORT_PREAMBLE);
2142        }
2143
2144        use_short_slot = !!(capab & WLAN_CAPABILITY_SHORT_SLOT_TIME);
2145        if (sband->band == NL80211_BAND_5GHZ ||
2146            sband->band == NL80211_BAND_6GHZ)
2147                use_short_slot = true;
2148
2149        if (use_protection != bss_conf->use_cts_prot) {
2150                bss_conf->use_cts_prot = use_protection;
2151                changed |= BSS_CHANGED_ERP_CTS_PROT;
2152        }
2153
2154        if (use_short_preamble != bss_conf->use_short_preamble) {
2155                bss_conf->use_short_preamble = use_short_preamble;
2156                changed |= BSS_CHANGED_ERP_PREAMBLE;
2157        }
2158
2159        if (use_short_slot != bss_conf->use_short_slot) {
2160                bss_conf->use_short_slot = use_short_slot;
2161                changed |= BSS_CHANGED_ERP_SLOT;
2162        }
2163
2164        return changed;
2165}
2166
2167static void ieee80211_set_associated(struct ieee80211_sub_if_data *sdata,
2168                                     struct cfg80211_bss *cbss,
2169                                     u32 bss_info_changed)
2170{
2171        struct ieee80211_bss *bss = (void *)cbss->priv;
2172        struct ieee80211_local *local = sdata->local;
2173        struct ieee80211_bss_conf *bss_conf = &sdata->vif.bss_conf;
2174
2175        bss_info_changed |= BSS_CHANGED_ASSOC;
2176        bss_info_changed |= ieee80211_handle_bss_capability(sdata,
2177                bss_conf->assoc_capability, bss->has_erp_value, bss->erp_value);
2178
2179        sdata->u.mgd.beacon_timeout = usecs_to_jiffies(ieee80211_tu_to_usec(
2180                beacon_loss_count * bss_conf->beacon_int));
2181
2182        sdata->u.mgd.associated = cbss;
2183        memcpy(sdata->u.mgd.bssid, cbss->bssid, ETH_ALEN);
2184
2185        ieee80211_check_rate_mask(sdata);
2186
2187        sdata->u.mgd.flags |= IEEE80211_STA_RESET_SIGNAL_AVE;
2188
2189        if (sdata->vif.p2p ||
2190            sdata->vif.driver_flags & IEEE80211_VIF_GET_NOA_UPDATE) {
2191                const struct cfg80211_bss_ies *ies;
2192
2193                rcu_read_lock();
2194                ies = rcu_dereference(cbss->ies);
2195                if (ies) {
2196                        int ret;
2197
2198                        ret = cfg80211_get_p2p_attr(
2199                                        ies->data, ies->len,
2200                                        IEEE80211_P2P_ATTR_ABSENCE_NOTICE,
2201                                        (u8 *) &bss_conf->p2p_noa_attr,
2202                                        sizeof(bss_conf->p2p_noa_attr));
2203                        if (ret >= 2) {
2204                                sdata->u.mgd.p2p_noa_index =
2205                                        bss_conf->p2p_noa_attr.index;
2206                                bss_info_changed |= BSS_CHANGED_P2P_PS;
2207                        }
2208                }
2209                rcu_read_unlock();
2210        }
2211
2212        /* just to be sure */
2213        ieee80211_stop_poll(sdata);
2214
2215        ieee80211_led_assoc(local, 1);
2216
2217        if (sdata->u.mgd.have_beacon) {
2218                /*
2219                 * If the AP is buggy we may get here with no DTIM period
2220                 * known, so assume it's 1 which is the only safe assumption
2221                 * in that case, although if the TIM IE is broken powersave
2222                 * probably just won't work at all.
2223                 */
2224                bss_conf->dtim_period = sdata->u.mgd.dtim_period ?: 1;
2225                bss_conf->beacon_rate = bss->beacon_rate;
2226                bss_info_changed |= BSS_CHANGED_BEACON_INFO;
2227        } else {
2228                bss_conf->beacon_rate = NULL;
2229                bss_conf->dtim_period = 0;
2230        }
2231
2232        bss_conf->assoc = 1;
2233
2234        /* Tell the driver to monitor connection quality (if supported) */
2235        if (sdata->vif.driver_flags & IEEE80211_VIF_SUPPORTS_CQM_RSSI &&
2236            bss_conf->cqm_rssi_thold)
2237                bss_info_changed |= BSS_CHANGED_CQM;
2238
2239        /* Enable ARP filtering */
2240        if (bss_conf->arp_addr_cnt)
2241                bss_info_changed |= BSS_CHANGED_ARP_FILTER;
2242
2243        ieee80211_bss_info_change_notify(sdata, bss_info_changed);
2244
2245        mutex_lock(&local->iflist_mtx);
2246        ieee80211_recalc_ps(local);
2247        mutex_unlock(&local->iflist_mtx);
2248
2249        ieee80211_recalc_smps(sdata);
2250        ieee80211_recalc_ps_vif(sdata);
2251
2252        netif_carrier_on(sdata->dev);
2253}
2254
2255static void ieee80211_set_disassoc(struct ieee80211_sub_if_data *sdata,
2256                                   u16 stype, u16 reason, bool tx,
2257                                   u8 *frame_buf)
2258{
2259        struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
2260        struct ieee80211_local *local = sdata->local;
2261        u32 changed = 0;
2262        struct ieee80211_prep_tx_info info = {
2263                .subtype = stype,
2264        };
2265
2266        sdata_assert_lock(sdata);
2267
2268        if (WARN_ON_ONCE(tx && !frame_buf))
2269                return;
2270
2271        if (WARN_ON(!ifmgd->associated))
2272                return;
2273
2274        ieee80211_stop_poll(sdata);
2275
2276        ifmgd->associated = NULL;
2277        netif_carrier_off(sdata->dev);
2278
2279        /*
2280         * if we want to get out of ps before disassoc (why?) we have
2281         * to do it before sending disassoc, as otherwise the null-packet
2282         * won't be valid.
2283         */
2284        if (local->hw.conf.flags & IEEE80211_CONF_PS) {
2285                local->hw.conf.flags &= ~IEEE80211_CONF_PS;
2286                ieee80211_hw_config(local, IEEE80211_CONF_CHANGE_PS);
2287        }
2288        local->ps_sdata = NULL;
2289
2290        /* disable per-vif ps */
2291        ieee80211_recalc_ps_vif(sdata);
2292
2293        /* make sure ongoing transmission finishes */
2294        synchronize_net();
2295
2296        /*
2297         * drop any frame before deauth/disassoc, this can be data or
2298         * management frame. Since we are disconnecting, we should not
2299         * insist sending these frames which can take time and delay
2300         * the disconnection and possible the roaming.
2301         */
2302        if (tx)
2303                ieee80211_flush_queues(local, sdata, true);
2304
2305        /* deauthenticate/disassociate now */
2306        if (tx || frame_buf) {
2307                /*
2308                 * In multi channel scenarios guarantee that the virtual
2309                 * interface is granted immediate airtime to transmit the
2310                 * deauthentication frame by calling mgd_prepare_tx, if the
2311                 * driver requested so.
2312                 */
2313                if (ieee80211_hw_check(&local->hw, DEAUTH_NEED_MGD_TX_PREP) &&
2314                    !ifmgd->have_beacon) {
2315                        drv_mgd_prepare_tx(sdata->local, sdata, &info);
2316                }
2317
2318                ieee80211_send_deauth_disassoc(sdata, ifmgd->bssid,
2319                                               ifmgd->bssid, stype, reason,
2320                                               tx, frame_buf);
2321        }
2322
2323        /* flush out frame - make sure the deauth was actually sent */
2324        if (tx)
2325                ieee80211_flush_queues(local, sdata, false);
2326
2327        drv_mgd_complete_tx(sdata->local, sdata, &info);
2328
2329        /* clear bssid only after building the needed mgmt frames */
2330        eth_zero_addr(ifmgd->bssid);
2331
2332        sdata->vif.bss_conf.ssid_len = 0;
2333
2334        /* remove AP and TDLS peers */
2335        sta_info_flush(sdata);
2336
2337        /* finally reset all BSS / config parameters */
2338        changed |= ieee80211_reset_erp_info(sdata);
2339
2340        ieee80211_led_assoc(local, 0);
2341        changed |= BSS_CHANGED_ASSOC;
2342        sdata->vif.bss_conf.assoc = false;
2343
2344        ifmgd->p2p_noa_index = -1;
2345        memset(&sdata->vif.bss_conf.p2p_noa_attr, 0,
2346               sizeof(sdata->vif.bss_conf.p2p_noa_attr));
2347
2348        /* on the next assoc, re-program HT/VHT parameters */
2349        memset(&ifmgd->ht_capa, 0, sizeof(ifmgd->ht_capa));
2350        memset(&ifmgd->ht_capa_mask, 0, sizeof(ifmgd->ht_capa_mask));
2351        memset(&ifmgd->vht_capa, 0, sizeof(ifmgd->vht_capa));
2352        memset(&ifmgd->vht_capa_mask, 0, sizeof(ifmgd->vht_capa_mask));
2353
2354        /* reset MU-MIMO ownership and group data */
2355        memset(sdata->vif.bss_conf.mu_group.membership, 0,
2356               sizeof(sdata->vif.bss_conf.mu_group.membership));
2357        memset(sdata->vif.bss_conf.mu_group.position, 0,
2358               sizeof(sdata->vif.bss_conf.mu_group.position));
2359        changed |= BSS_CHANGED_MU_GROUPS;
2360        sdata->vif.mu_mimo_owner = false;
2361
2362        sdata->ap_power_level = IEEE80211_UNSET_POWER_LEVEL;
2363
2364        del_timer_sync(&local->dynamic_ps_timer);
2365        cancel_work_sync(&local->dynamic_ps_enable_work);
2366
2367        /* Disable ARP filtering */
2368        if (sdata->vif.bss_conf.arp_addr_cnt)
2369                changed |= BSS_CHANGED_ARP_FILTER;
2370
2371        sdata->vif.bss_conf.qos = false;
2372        changed |= BSS_CHANGED_QOS;
2373
2374        /* The BSSID (not really interesting) and HT changed */
2375        changed |= BSS_CHANGED_BSSID | BSS_CHANGED_HT;
2376        ieee80211_bss_info_change_notify(sdata, changed);
2377
2378        /* disassociated - set to defaults now */
2379        ieee80211_set_wmm_default(sdata, false, false);
2380
2381        del_timer_sync(&sdata->u.mgd.conn_mon_timer);
2382        del_timer_sync(&sdata->u.mgd.bcn_mon_timer);
2383        del_timer_sync(&sdata->u.mgd.timer);
2384        del_timer_sync(&sdata->u.mgd.chswitch_timer);
2385
2386        sdata->vif.bss_conf.dtim_period = 0;
2387        sdata->vif.bss_conf.beacon_rate = NULL;
2388
2389        ifmgd->have_beacon = false;
2390
2391        ifmgd->flags = 0;
2392        mutex_lock(&local->mtx);
2393        ieee80211_vif_release_channel(sdata);
2394
2395        sdata->vif.csa_active = false;
2396        ifmgd->csa_waiting_bcn = false;
2397        ifmgd->csa_ignored_same_chan = false;
2398        if (sdata->csa_block_tx) {
2399                ieee80211_wake_vif_queues(local, sdata,
2400                                          IEEE80211_QUEUE_STOP_REASON_CSA);
2401                sdata->csa_block_tx = false;
2402        }
2403        mutex_unlock(&local->mtx);
2404
2405        /* existing TX TSPEC sessions no longer exist */
2406        memset(ifmgd->tx_tspec, 0, sizeof(ifmgd->tx_tspec));
2407        cancel_delayed_work_sync(&ifmgd->tx_tspec_wk);
2408
2409        sdata->encrypt_headroom = IEEE80211_ENCRYPT_HEADROOM;
2410}
2411
2412static void ieee80211_reset_ap_probe(struct ieee80211_sub_if_data *sdata)
2413{
2414        struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
2415        struct ieee80211_local *local = sdata->local;
2416
2417        mutex_lock(&local->mtx);
2418        if (!(ifmgd->flags & IEEE80211_STA_CONNECTION_POLL))
2419                goto out;
2420
2421        __ieee80211_stop_poll(sdata);
2422
2423        mutex_lock(&local->iflist_mtx);
2424        ieee80211_recalc_ps(local);
2425        mutex_unlock(&local->iflist_mtx);
2426
2427        if (ieee80211_hw_check(&sdata->local->hw, CONNECTION_MONITOR))
2428                goto out;
2429
2430        /*
2431         * We've received a probe response, but are not sure whether
2432         * we have or will be receiving any beacons or data, so let's
2433         * schedule the timers again, just in case.
2434         */
2435        ieee80211_sta_reset_beacon_monitor(sdata);
2436
2437        mod_timer(&ifmgd->conn_mon_timer,
2438                  round_jiffies_up(jiffies +
2439                                   IEEE80211_CONNECTION_IDLE_TIME));
2440out:
2441        mutex_unlock(&local->mtx);
2442}
2443
2444static void ieee80211_sta_tx_wmm_ac_notify(struct ieee80211_sub_if_data *sdata,
2445                                           struct ieee80211_hdr *hdr,
2446                                           u16 tx_time)
2447{
2448        struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
2449        u16 tid = ieee80211_get_tid(hdr);
2450        int ac = ieee80211_ac_from_tid(tid);
2451        struct ieee80211_sta_tx_tspec *tx_tspec = &ifmgd->tx_tspec[ac];
2452        unsigned long now = jiffies;
2453
2454        if (likely(!tx_tspec->admitted_time))
2455                return;
2456
2457        if (time_after(now, tx_tspec->time_slice_start + HZ)) {
2458                tx_tspec->consumed_tx_time = 0;
2459                tx_tspec->time_slice_start = now;
2460
2461                if (tx_tspec->downgraded) {
2462                        tx_tspec->action = TX_TSPEC_ACTION_STOP_DOWNGRADE;
2463                        schedule_delayed_work(&ifmgd->tx_tspec_wk, 0);
2464                }
2465        }
2466
2467        if (tx_tspec->downgraded)
2468                return;
2469
2470        tx_tspec->consumed_tx_time += tx_time;
2471
2472        if (tx_tspec->consumed_tx_time >= tx_tspec->admitted_time) {
2473                tx_tspec->downgraded = true;
2474                tx_tspec->action = TX_TSPEC_ACTION_DOWNGRADE;
2475                schedule_delayed_work(&ifmgd->tx_tspec_wk, 0);
2476        }
2477}
2478
2479void ieee80211_sta_tx_notify(struct ieee80211_sub_if_data *sdata,
2480                             struct ieee80211_hdr *hdr, bool ack, u16 tx_time)
2481{
2482        ieee80211_sta_tx_wmm_ac_notify(sdata, hdr, tx_time);
2483
2484        if (!ieee80211_is_any_nullfunc(hdr->frame_control) ||
2485            !sdata->u.mgd.probe_send_count)
2486                return;
2487
2488        if (ack)
2489                sdata->u.mgd.probe_send_count = 0;
2490        else
2491                sdata->u.mgd.nullfunc_failed = true;
2492        ieee80211_queue_work(&sdata->local->hw, &sdata->work);
2493}
2494
2495static void ieee80211_mlme_send_probe_req(struct ieee80211_sub_if_data *sdata,
2496                                          const u8 *src, const u8 *dst,
2497                                          const u8 *ssid, size_t ssid_len,
2498                                          struct ieee80211_channel *channel)
2499{
2500        struct sk_buff *skb;
2501
2502        skb = ieee80211_build_probe_req(sdata, src, dst, (u32)-1, channel,
2503                                        ssid, ssid_len, NULL, 0,
2504                                        IEEE80211_PROBE_FLAG_DIRECTED);
2505        if (skb)
2506                ieee80211_tx_skb(sdata, skb);
2507}
2508
2509static void ieee80211_mgd_probe_ap_send(struct ieee80211_sub_if_data *sdata)
2510{
2511        struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
2512        const u8 *ssid;
2513        u8 *dst = ifmgd->associated->bssid;
2514        u8 unicast_limit = max(1, max_probe_tries - 3);
2515        struct sta_info *sta;
2516
2517        /*
2518         * Try sending broadcast probe requests for the last three
2519         * probe requests after the first ones failed since some
2520         * buggy APs only support broadcast probe requests.
2521         */
2522        if (ifmgd->probe_send_count >= unicast_limit)
2523                dst = NULL;
2524
2525        /*
2526         * When the hardware reports an accurate Tx ACK status, it's
2527         * better to send a nullfunc frame instead of a probe request,
2528         * as it will kick us off the AP quickly if we aren't associated
2529         * anymore. The timeout will be reset if the frame is ACKed by
2530         * the AP.
2531         */
2532        ifmgd->probe_send_count++;
2533
2534        if (dst) {
2535                mutex_lock(&sdata->local->sta_mtx);
2536                sta = sta_info_get(sdata, dst);
2537                if (!WARN_ON(!sta))
2538                        ieee80211_check_fast_rx(sta);
2539                mutex_unlock(&sdata->local->sta_mtx);
2540        }
2541
2542        if (ieee80211_hw_check(&sdata->local->hw, REPORTS_TX_ACK_STATUS)) {
2543                ifmgd->nullfunc_failed = false;
2544                ieee80211_send_nullfunc(sdata->local, sdata, false);
2545        } else {
2546                int ssid_len;
2547
2548                rcu_read_lock();
2549                ssid = ieee80211_bss_get_ie(ifmgd->associated, WLAN_EID_SSID);
2550                if (WARN_ON_ONCE(ssid == NULL))
2551                        ssid_len = 0;
2552                else
2553                        ssid_len = ssid[1];
2554
2555                ieee80211_mlme_send_probe_req(sdata, sdata->vif.addr, dst,
2556                                              ssid + 2, ssid_len,
2557                                              ifmgd->associated->channel);
2558                rcu_read_unlock();
2559        }
2560
2561        ifmgd->probe_timeout = jiffies + msecs_to_jiffies(probe_wait_ms);
2562        run_again(sdata, ifmgd->probe_timeout);
2563}
2564
2565static void ieee80211_mgd_probe_ap(struct ieee80211_sub_if_data *sdata,
2566                                   bool beacon)
2567{
2568        struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
2569        bool already = false;
2570
2571        if (!ieee80211_sdata_running(sdata))
2572                return;
2573
2574        sdata_lock(sdata);
2575
2576        if (!ifmgd->associated)
2577                goto out;
2578
2579        mutex_lock(&sdata->local->mtx);
2580
2581        if (sdata->local->tmp_channel || sdata->local->scanning) {
2582                mutex_unlock(&sdata->local->mtx);
2583                goto out;
2584        }
2585
2586        if (beacon) {
2587                mlme_dbg_ratelimited(sdata,
2588                                     "detected beacon loss from AP (missed %d beacons) - probing\n",
2589                                     beacon_loss_count);
2590
2591                ieee80211_cqm_beacon_loss_notify(&sdata->vif, GFP_KERNEL);
2592        }
2593
2594        /*
2595         * The driver/our work has already reported this event or the
2596         * connection monitoring has kicked in and we have already sent
2597         * a probe request. Or maybe the AP died and the driver keeps
2598         * reporting until we disassociate...
2599         *
2600         * In either case we have to ignore the current call to this
2601         * function (except for setting the correct probe reason bit)
2602         * because otherwise we would reset the timer every time and
2603         * never check whether we received a probe response!
2604         */
2605        if (ifmgd->flags & IEEE80211_STA_CONNECTION_POLL)
2606                already = true;
2607
2608        ifmgd->flags |= IEEE80211_STA_CONNECTION_POLL;
2609
2610        mutex_unlock(&sdata->local->mtx);
2611
2612        if (already)
2613                goto out;
2614
2615        mutex_lock(&sdata->local->iflist_mtx);
2616        ieee80211_recalc_ps(sdata->local);
2617        mutex_unlock(&sdata->local->iflist_mtx);
2618
2619        ifmgd->probe_send_count = 0;
2620        ieee80211_mgd_probe_ap_send(sdata);
2621 out:
2622        sdata_unlock(sdata);
2623}
2624
2625struct sk_buff *ieee80211_ap_probereq_get(struct ieee80211_hw *hw,
2626                                          struct ieee80211_vif *vif)
2627{
2628        struct ieee80211_sub_if_data *sdata = vif_to_sdata(vif);
2629        struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
2630        struct cfg80211_bss *cbss;
2631        struct sk_buff *skb;
2632        const u8 *ssid;
2633        int ssid_len;
2634
2635        if (WARN_ON(sdata->vif.type != NL80211_IFTYPE_STATION))
2636                return NULL;
2637
2638        sdata_assert_lock(sdata);
2639
2640        if (ifmgd->associated)
2641                cbss = ifmgd->associated;
2642        else if (ifmgd->auth_data)
2643                cbss = ifmgd->auth_data->bss;
2644        else if (ifmgd->assoc_data)
2645                cbss = ifmgd->assoc_data->bss;
2646        else
2647                return NULL;
2648
2649        rcu_read_lock();
2650        ssid = ieee80211_bss_get_ie(cbss, WLAN_EID_SSID);
2651        if (WARN_ONCE(!ssid || ssid[1] > IEEE80211_MAX_SSID_LEN,
2652                      "invalid SSID element (len=%d)", ssid ? ssid[1] : -1))
2653                ssid_len = 0;
2654        else
2655                ssid_len = ssid[1];
2656
2657        skb = ieee80211_build_probe_req(sdata, sdata->vif.addr, cbss->bssid,
2658                                        (u32) -1, cbss->channel,
2659                                        ssid + 2, ssid_len,
2660                                        NULL, 0, IEEE80211_PROBE_FLAG_DIRECTED);
2661        rcu_read_unlock();
2662
2663        return skb;
2664}
2665EXPORT_SYMBOL(ieee80211_ap_probereq_get);
2666
2667static void ieee80211_report_disconnect(struct ieee80211_sub_if_data *sdata,
2668                                        const u8 *buf, size_t len, bool tx,
2669                                        u16 reason, bool reconnect)
2670{
2671        struct ieee80211_event event = {
2672                .type = MLME_EVENT,
2673                .u.mlme.data = tx ? DEAUTH_TX_EVENT : DEAUTH_RX_EVENT,
2674                .u.mlme.reason = reason,
2675        };
2676
2677        if (tx)
2678                cfg80211_tx_mlme_mgmt(sdata->dev, buf, len, reconnect);
2679        else
2680                cfg80211_rx_mlme_mgmt(sdata->dev, buf, len);
2681
2682        drv_event_callback(sdata->local, sdata, &event);
2683}
2684
2685static void __ieee80211_disconnect(struct ieee80211_sub_if_data *sdata)
2686{
2687        struct ieee80211_local *local = sdata->local;
2688        struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
2689        u8 frame_buf[IEEE80211_DEAUTH_FRAME_LEN];
2690        bool tx;
2691
2692        sdata_lock(sdata);
2693        if (!ifmgd->associated) {
2694                sdata_unlock(sdata);
2695                return;
2696        }
2697
2698        tx = !sdata->csa_block_tx;
2699
2700        if (!ifmgd->driver_disconnect) {
2701                /*
2702                 * AP is probably out of range (or not reachable for another
2703                 * reason) so remove the bss struct for that AP.
2704                 */
2705                cfg80211_unlink_bss(local->hw.wiphy, ifmgd->associated);
2706        }
2707
2708        ieee80211_set_disassoc(sdata, IEEE80211_STYPE_DEAUTH,
2709                               ifmgd->driver_disconnect ?
2710                                        WLAN_REASON_DEAUTH_LEAVING :
2711                                        WLAN_REASON_DISASSOC_DUE_TO_INACTIVITY,
2712                               tx, frame_buf);
2713        mutex_lock(&local->mtx);
2714        sdata->vif.csa_active = false;
2715        ifmgd->csa_waiting_bcn = false;
2716        if (sdata->csa_block_tx) {
2717                ieee80211_wake_vif_queues(local, sdata,
2718                                          IEEE80211_QUEUE_STOP_REASON_CSA);
2719                sdata->csa_block_tx = false;
2720        }
2721        mutex_unlock(&local->mtx);
2722
2723        ieee80211_report_disconnect(sdata, frame_buf, sizeof(frame_buf), tx,
2724                                    WLAN_REASON_DISASSOC_DUE_TO_INACTIVITY,
2725                                    ifmgd->reconnect);
2726        ifmgd->reconnect = false;
2727
2728        sdata_unlock(sdata);
2729}
2730
2731static void ieee80211_beacon_connection_loss_work(struct work_struct *work)
2732{
2733        struct ieee80211_sub_if_data *sdata =
2734                container_of(work, struct ieee80211_sub_if_data,
2735                             u.mgd.beacon_connection_loss_work);
2736        struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
2737
2738        if (ifmgd->associated)
2739                ifmgd->beacon_loss_count++;
2740
2741        if (ifmgd->connection_loss) {
2742                sdata_info(sdata, "Connection to AP %pM lost\n",
2743                           ifmgd->bssid);
2744                __ieee80211_disconnect(sdata);
2745                ifmgd->connection_loss = false;
2746        } else if (ifmgd->driver_disconnect) {
2747                sdata_info(sdata,
2748                           "Driver requested disconnection from AP %pM\n",
2749                           ifmgd->bssid);
2750                __ieee80211_disconnect(sdata);
2751                ifmgd->driver_disconnect = false;
2752        } else {
2753                ieee80211_mgd_probe_ap(sdata, true);
2754        }
2755}
2756
2757static void ieee80211_csa_connection_drop_work(struct work_struct *work)
2758{
2759        struct ieee80211_sub_if_data *sdata =
2760                container_of(work, struct ieee80211_sub_if_data,
2761                             u.mgd.csa_connection_drop_work);
2762
2763        __ieee80211_disconnect(sdata);
2764}
2765
2766void ieee80211_beacon_loss(struct ieee80211_vif *vif)
2767{
2768        struct ieee80211_sub_if_data *sdata = vif_to_sdata(vif);
2769        struct ieee80211_hw *hw = &sdata->local->hw;
2770
2771        trace_api_beacon_loss(sdata);
2772
2773        sdata->u.mgd.connection_loss = false;
2774        ieee80211_queue_work(hw, &sdata->u.mgd.beacon_connection_loss_work);
2775}
2776EXPORT_SYMBOL(ieee80211_beacon_loss);
2777
2778void ieee80211_connection_loss(struct ieee80211_vif *vif)
2779{
2780        struct ieee80211_sub_if_data *sdata = vif_to_sdata(vif);
2781        struct ieee80211_hw *hw = &sdata->local->hw;
2782
2783        trace_api_connection_loss(sdata);
2784
2785        sdata->u.mgd.connection_loss = true;
2786        ieee80211_queue_work(hw, &sdata->u.mgd.beacon_connection_loss_work);
2787}
2788EXPORT_SYMBOL(ieee80211_connection_loss);
2789
2790void ieee80211_disconnect(struct ieee80211_vif *vif, bool reconnect)
2791{
2792        struct ieee80211_sub_if_data *sdata = vif_to_sdata(vif);
2793        struct ieee80211_hw *hw = &sdata->local->hw;
2794
2795        trace_api_disconnect(sdata, reconnect);
2796
2797        if (WARN_ON(sdata->vif.type != NL80211_IFTYPE_STATION))
2798                return;
2799
2800        sdata->u.mgd.driver_disconnect = true;
2801        sdata->u.mgd.reconnect = reconnect;
2802        ieee80211_queue_work(hw, &sdata->u.mgd.beacon_connection_loss_work);
2803}
2804EXPORT_SYMBOL(ieee80211_disconnect);
2805
2806static void ieee80211_destroy_auth_data(struct ieee80211_sub_if_data *sdata,
2807                                        bool assoc)
2808{
2809        struct ieee80211_mgd_auth_data *auth_data = sdata->u.mgd.auth_data;
2810
2811        sdata_assert_lock(sdata);
2812
2813        if (!assoc) {
2814                /*
2815                 * we are not authenticated yet, the only timer that could be
2816                 * running is the timeout for the authentication response which
2817                 * which is not relevant anymore.
2818                 */
2819                del_timer_sync(&sdata->u.mgd.timer);
2820                sta_info_destroy_addr(sdata, auth_data->bss->bssid);
2821
2822                eth_zero_addr(sdata->u.mgd.bssid);
2823                ieee80211_bss_info_change_notify(sdata, BSS_CHANGED_BSSID);
2824                sdata->u.mgd.flags = 0;
2825                mutex_lock(&sdata->local->mtx);
2826                ieee80211_vif_release_channel(sdata);
2827                mutex_unlock(&sdata->local->mtx);
2828        }
2829
2830        cfg80211_put_bss(sdata->local->hw.wiphy, auth_data->bss);
2831        kfree(auth_data);
2832        sdata->u.mgd.auth_data = NULL;
2833}
2834
2835static void ieee80211_destroy_assoc_data(struct ieee80211_sub_if_data *sdata,
2836                                         bool assoc, bool abandon)
2837{
2838        struct ieee80211_mgd_assoc_data *assoc_data = sdata->u.mgd.assoc_data;
2839
2840        sdata_assert_lock(sdata);
2841
2842        if (!assoc) {
2843                /*
2844                 * we are not associated yet, the only timer that could be
2845                 * running is the timeout for the association response which
2846                 * which is not relevant anymore.
2847                 */
2848                del_timer_sync(&sdata->u.mgd.timer);
2849                sta_info_destroy_addr(sdata, assoc_data->bss->bssid);
2850
2851                eth_zero_addr(sdata->u.mgd.bssid);
2852                ieee80211_bss_info_change_notify(sdata, BSS_CHANGED_BSSID);
2853                sdata->u.mgd.flags = 0;
2854                sdata->vif.mu_mimo_owner = false;
2855
2856                mutex_lock(&sdata->local->mtx);
2857                ieee80211_vif_release_channel(sdata);
2858                mutex_unlock(&sdata->local->mtx);
2859
2860                if (abandon)
2861                        cfg80211_abandon_assoc(sdata->dev, assoc_data->bss);
2862        }
2863
2864        kfree(assoc_data);
2865        sdata->u.mgd.assoc_data = NULL;
2866}
2867
2868static void ieee80211_auth_challenge(struct ieee80211_sub_if_data *sdata,
2869                                     struct ieee80211_mgmt *mgmt, size_t len)
2870{
2871        struct ieee80211_local *local = sdata->local;
2872        struct ieee80211_mgd_auth_data *auth_data = sdata->u.mgd.auth_data;
2873        u8 *pos;
2874        struct ieee802_11_elems elems;
2875        u32 tx_flags = 0;
2876        struct ieee80211_prep_tx_info info = {
2877                .subtype = IEEE80211_STYPE_AUTH,
2878        };
2879
2880        pos = mgmt->u.auth.variable;
2881        ieee802_11_parse_elems(pos, len - (pos - (u8 *)mgmt), false, &elems,
2882                               mgmt->bssid, auth_data->bss->bssid);
2883        if (!elems.challenge)
2884                return;
2885        auth_data->expected_transaction = 4;
2886        drv_mgd_prepare_tx(sdata->local, sdata, &info);
2887        if (ieee80211_hw_check(&local->hw, REPORTS_TX_ACK_STATUS))
2888                tx_flags = IEEE80211_TX_CTL_REQ_TX_STATUS |
2889                           IEEE80211_TX_INTFL_MLME_CONN_TX;
2890        ieee80211_send_auth(sdata, 3, auth_data->algorithm, 0,
2891                            elems.challenge - 2, elems.challenge_len + 2,
2892                            auth_data->bss->bssid, auth_data->bss->bssid,
2893                            auth_data->key, auth_data->key_len,
2894                            auth_data->key_idx, tx_flags);
2895}
2896
2897static bool ieee80211_mark_sta_auth(struct ieee80211_sub_if_data *sdata,
2898                                    const u8 *bssid)
2899{
2900        struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
2901        struct sta_info *sta;
2902        bool result = true;
2903
2904        sdata_info(sdata, "authenticated\n");
2905        ifmgd->auth_data->done = true;
2906        ifmgd->auth_data->timeout = jiffies + IEEE80211_AUTH_WAIT_ASSOC;
2907        ifmgd->auth_data->timeout_started = true;
2908        run_again(sdata, ifmgd->auth_data->timeout);
2909
2910        /* move station state to auth */
2911        mutex_lock(&sdata->local->sta_mtx);
2912        sta = sta_info_get(sdata, bssid);
2913        if (!sta) {
2914                WARN_ONCE(1, "%s: STA %pM not found", sdata->name, bssid);
2915                result = false;
2916                goto out;
2917        }
2918        if (sta_info_move_state(sta, IEEE80211_STA_AUTH)) {
2919                sdata_info(sdata, "failed moving %pM to auth\n", bssid);
2920                result = false;
2921                goto out;
2922        }
2923
2924out:
2925        mutex_unlock(&sdata->local->sta_mtx);
2926        return result;
2927}
2928
2929static void ieee80211_rx_mgmt_auth(struct ieee80211_sub_if_data *sdata,
2930                                   struct ieee80211_mgmt *mgmt, size_t len)
2931{
2932        struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
2933        u8 bssid[ETH_ALEN];
2934        u16 auth_alg, auth_transaction, status_code;
2935        struct ieee80211_event event = {
2936                .type = MLME_EVENT,
2937                .u.mlme.data = AUTH_EVENT,
2938        };
2939        struct ieee80211_prep_tx_info info = {
2940                .subtype = IEEE80211_STYPE_AUTH,
2941        };
2942
2943        sdata_assert_lock(sdata);
2944
2945        if (len < 24 + 6)
2946                return;
2947
2948        if (!ifmgd->auth_data || ifmgd->auth_data->done)
2949                return;
2950
2951        memcpy(bssid, ifmgd->auth_data->bss->bssid, ETH_ALEN);
2952
2953        if (!ether_addr_equal(bssid, mgmt->bssid))
2954                return;
2955
2956        auth_alg = le16_to_cpu(mgmt->u.auth.auth_alg);
2957        auth_transaction = le16_to_cpu(mgmt->u.auth.auth_transaction);
2958        status_code = le16_to_cpu(mgmt->u.auth.status_code);
2959
2960        if (auth_alg != ifmgd->auth_data->algorithm ||
2961            (auth_alg != WLAN_AUTH_SAE &&
2962             auth_transaction != ifmgd->auth_data->expected_transaction) ||
2963            (auth_alg == WLAN_AUTH_SAE &&
2964             (auth_transaction < ifmgd->auth_data->expected_transaction ||
2965              auth_transaction > 2))) {
2966                sdata_info(sdata, "%pM unexpected authentication state: alg %d (expected %d) transact %d (expected %d)\n",
2967                           mgmt->sa, auth_alg, ifmgd->auth_data->algorithm,
2968                           auth_transaction,
2969                           ifmgd->auth_data->expected_transaction);
2970                goto notify_driver;
2971        }
2972
2973        if (status_code != WLAN_STATUS_SUCCESS) {
2974                cfg80211_rx_mlme_mgmt(sdata->dev, (u8 *)mgmt, len);
2975
2976                if (auth_alg == WLAN_AUTH_SAE &&
2977                    (status_code == WLAN_STATUS_ANTI_CLOG_REQUIRED ||
2978                     (auth_transaction == 1 &&
2979                      (status_code == WLAN_STATUS_SAE_HASH_TO_ELEMENT ||
2980                       status_code == WLAN_STATUS_SAE_PK))))
2981                        goto notify_driver;
2982
2983                sdata_info(sdata, "%pM denied authentication (status %d)\n",
2984                           mgmt->sa, status_code);
2985                ieee80211_destroy_auth_data(sdata, false);
2986                event.u.mlme.status = MLME_DENIED;
2987                event.u.mlme.reason = status_code;
2988                drv_event_callback(sdata->local, sdata, &event);
2989                goto notify_driver;
2990        }
2991
2992        switch (ifmgd->auth_data->algorithm) {
2993        case WLAN_AUTH_OPEN:
2994        case WLAN_AUTH_LEAP:
2995        case WLAN_AUTH_FT:
2996        case WLAN_AUTH_SAE:
2997        case WLAN_AUTH_FILS_SK:
2998        case WLAN_AUTH_FILS_SK_PFS:
2999        case WLAN_AUTH_FILS_PK:
3000                break;
3001        case WLAN_AUTH_SHARED_KEY:
3002                if (ifmgd->auth_data->expected_transaction != 4) {
3003                        ieee80211_auth_challenge(sdata, mgmt, len);
3004                        /* need another frame */
3005                        return;
3006                }
3007                break;
3008        default:
3009                WARN_ONCE(1, "invalid auth alg %d",
3010                          ifmgd->auth_data->algorithm);
3011                goto notify_driver;
3012        }
3013
3014        event.u.mlme.status = MLME_SUCCESS;
3015        info.success = 1;
3016        drv_event_callback(sdata->local, sdata, &event);
3017        if (ifmgd->auth_data->algorithm != WLAN_AUTH_SAE ||
3018            (auth_transaction == 2 &&
3019             ifmgd->auth_data->expected_transaction == 2)) {
3020                if (!ieee80211_mark_sta_auth(sdata, bssid))
3021                        return; /* ignore frame -- wait for timeout */
3022        } else if (ifmgd->auth_data->algorithm == WLAN_AUTH_SAE &&
3023                   auth_transaction == 2) {
3024                sdata_info(sdata, "SAE peer confirmed\n");
3025                ifmgd->auth_data->peer_confirmed = true;
3026        }
3027
3028        cfg80211_rx_mlme_mgmt(sdata->dev, (u8 *)mgmt, len);
3029notify_driver:
3030        drv_mgd_complete_tx(sdata->local, sdata, &info);
3031}
3032
3033#define case_WLAN(type) \
3034        case WLAN_REASON_##type: return #type
3035
3036const char *ieee80211_get_reason_code_string(u16 reason_code)
3037{
3038        switch (reason_code) {
3039        case_WLAN(UNSPECIFIED);
3040        case_WLAN(PREV_AUTH_NOT_VALID);
3041        case_WLAN(DEAUTH_LEAVING);
3042        case_WLAN(DISASSOC_DUE_TO_INACTIVITY);
3043        case_WLAN(DISASSOC_AP_BUSY);
3044        case_WLAN(CLASS2_FRAME_FROM_NONAUTH_STA);
3045        case_WLAN(CLASS3_FRAME_FROM_NONASSOC_STA);
3046        case_WLAN(DISASSOC_STA_HAS_LEFT);
3047        case_WLAN(STA_REQ_ASSOC_WITHOUT_AUTH);
3048        case_WLAN(DISASSOC_BAD_POWER);
3049        case_WLAN(DISASSOC_BAD_SUPP_CHAN);
3050        case_WLAN(INVALID_IE);
3051        case_WLAN(MIC_FAILURE);
3052        case_WLAN(4WAY_HANDSHAKE_TIMEOUT);
3053        case_WLAN(GROUP_KEY_HANDSHAKE_TIMEOUT);
3054        case_WLAN(IE_DIFFERENT);
3055        case_WLAN(INVALID_GROUP_CIPHER);
3056        case_WLAN(INVALID_PAIRWISE_CIPHER);
3057        case_WLAN(INVALID_AKMP);
3058        case_WLAN(UNSUPP_RSN_VERSION);
3059        case_WLAN(INVALID_RSN_IE_CAP);
3060        case_WLAN(IEEE8021X_FAILED);
3061        case_WLAN(CIPHER_SUITE_REJECTED);
3062        case_WLAN(DISASSOC_UNSPECIFIED_QOS);
3063        case_WLAN(DISASSOC_QAP_NO_BANDWIDTH);
3064        case_WLAN(DISASSOC_LOW_ACK);
3065        case_WLAN(DISASSOC_QAP_EXCEED_TXOP);
3066        case_WLAN(QSTA_LEAVE_QBSS);
3067        case_WLAN(QSTA_NOT_USE);
3068        case_WLAN(QSTA_REQUIRE_SETUP);
3069        case_WLAN(QSTA_TIMEOUT);
3070        case_WLAN(QSTA_CIPHER_NOT_SUPP);
3071        case_WLAN(MESH_PEER_CANCELED);
3072        case_WLAN(MESH_MAX_PEERS);
3073        case_WLAN(MESH_CONFIG);
3074        case_WLAN(MESH_CLOSE);
3075        case_WLAN(MESH_MAX_RETRIES);
3076        case_WLAN(MESH_CONFIRM_TIMEOUT);
3077        case_WLAN(MESH_INVALID_GTK);
3078        case_WLAN(MESH_INCONSISTENT_PARAM);
3079        case_WLAN(MESH_INVALID_SECURITY);
3080        case_WLAN(MESH_PATH_ERROR);
3081        case_WLAN(MESH_PATH_NOFORWARD);
3082        case_WLAN(MESH_PATH_DEST_UNREACHABLE);
3083        case_WLAN(MAC_EXISTS_IN_MBSS);
3084        case_WLAN(MESH_CHAN_REGULATORY);
3085        case_WLAN(MESH_CHAN);
3086        default: return "<unknown>";
3087        }
3088}
3089
3090static void ieee80211_rx_mgmt_deauth(struct ieee80211_sub_if_data *sdata,
3091                                     struct ieee80211_mgmt *mgmt, size_t len)
3092{
3093        struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
3094        u16 reason_code = le16_to_cpu(mgmt->u.deauth.reason_code);
3095
3096        sdata_assert_lock(sdata);
3097
3098        if (len < 24 + 2)
3099                return;
3100
3101        if (!ether_addr_equal(mgmt->bssid, mgmt->sa)) {
3102                ieee80211_tdls_handle_disconnect(sdata, mgmt->sa, reason_code);
3103                return;
3104        }
3105
3106        if (ifmgd->associated &&
3107            ether_addr_equal(mgmt->bssid, ifmgd->associated->bssid)) {
3108                const u8 *bssid = ifmgd->associated->bssid;
3109
3110                sdata_info(sdata, "deauthenticated from %pM (Reason: %u=%s)\n",
3111                           bssid, reason_code,
3112                           ieee80211_get_reason_code_string(reason_code));
3113
3114                ieee80211_set_disassoc(sdata, 0, 0, false, NULL);
3115
3116                ieee80211_report_disconnect(sdata, (u8 *)mgmt, len, false,
3117                                            reason_code, false);
3118                return;
3119        }
3120
3121        if (ifmgd->assoc_data &&
3122            ether_addr_equal(mgmt->bssid, ifmgd->assoc_data->bss->bssid)) {
3123                const u8 *bssid = ifmgd->assoc_data->bss->bssid;
3124
3125                sdata_info(sdata,
3126                           "deauthenticated from %pM while associating (Reason: %u=%s)\n",
3127                           bssid, reason_code,
3128                           ieee80211_get_reason_code_string(reason_code));
3129
3130                ieee80211_destroy_assoc_data(sdata, false, true);
3131
3132                cfg80211_rx_mlme_mgmt(sdata->dev, (u8 *)mgmt, len);
3133                return;
3134        }
3135}
3136
3137
3138static void ieee80211_rx_mgmt_disassoc(struct ieee80211_sub_if_data *sdata,
3139                                       struct ieee80211_mgmt *mgmt, size_t len)
3140{
3141        struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
3142        u16 reason_code;
3143
3144        sdata_assert_lock(sdata);
3145
3146        if (len < 24 + 2)
3147                return;
3148
3149        if (!ifmgd->associated ||
3150            !ether_addr_equal(mgmt->bssid, ifmgd->associated->bssid))
3151                return;
3152
3153        reason_code = le16_to_cpu(mgmt->u.disassoc.reason_code);
3154
3155        if (!ether_addr_equal(mgmt->bssid, mgmt->sa)) {
3156                ieee80211_tdls_handle_disconnect(sdata, mgmt->sa, reason_code);
3157                return;
3158        }
3159
3160        sdata_info(sdata, "disassociated from %pM (Reason: %u=%s)\n",
3161                   mgmt->sa, reason_code,
3162                   ieee80211_get_reason_code_string(reason_code));
3163
3164        ieee80211_set_disassoc(sdata, 0, 0, false, NULL);
3165
3166        ieee80211_report_disconnect(sdata, (u8 *)mgmt, len, false, reason_code,
3167                                    false);
3168}
3169
3170static void ieee80211_get_rates(struct ieee80211_supported_band *sband,
3171                                u8 *supp_rates, unsigned int supp_rates_len,
3172                                u32 *rates, u32 *basic_rates,
3173                                bool *have_higher_than_11mbit,
3174                                int *min_rate, int *min_rate_index,
3175                                int shift)
3176{
3177        int i, j;
3178
3179        for (i = 0; i < supp_rates_len; i++) {
3180                int rate = supp_rates[i] & 0x7f;
3181                bool is_basic = !!(supp_rates[i] & 0x80);
3182
3183                if ((rate * 5 * (1 << shift)) > 110)
3184                        *have_higher_than_11mbit = true;
3185
3186                /*
3187                 * Skip HT, VHT, HE and SAE H2E only BSS membership selectors
3188                 * since they're not rates.
3189                 *
3190                 * Note: Even though the membership selector and the basic
3191                 *       rate flag share the same bit, they are not exactly
3192                 *       the same.
3193                 */
3194                if (supp_rates[i] == (0x80 | BSS_MEMBERSHIP_SELECTOR_HT_PHY) ||
3195                    supp_rates[i] == (0x80 | BSS_MEMBERSHIP_SELECTOR_VHT_PHY) ||
3196                    supp_rates[i] == (0x80 | BSS_MEMBERSHIP_SELECTOR_HE_PHY) ||
3197                    supp_rates[i] == (0x80 | BSS_MEMBERSHIP_SELECTOR_SAE_H2E))
3198                        continue;
3199
3200                for (j = 0; j < sband->n_bitrates; j++) {
3201                        struct ieee80211_rate *br;
3202                        int brate;
3203
3204                        br = &sband->bitrates[j];
3205
3206                        brate = DIV_ROUND_UP(br->bitrate, (1 << shift) * 5);
3207                        if (brate == rate) {
3208                                *rates |= BIT(j);
3209                                if (is_basic)
3210                                        *basic_rates |= BIT(j);
3211                                if ((rate * 5) < *min_rate) {
3212                                        *min_rate = rate * 5;
3213                                        *min_rate_index = j;
3214                                }
3215                                break;
3216                        }
3217                }
3218        }
3219}
3220
3221static bool ieee80211_twt_req_supported(const struct sta_info *sta,
3222                                        const struct ieee802_11_elems *elems)
3223{
3224        if (elems->ext_capab_len < 10)
3225                return false;
3226
3227        if (!(elems->ext_capab[9] & WLAN_EXT_CAPA10_TWT_RESPONDER_SUPPORT))
3228                return false;
3229
3230        return sta->sta.he_cap.he_cap_elem.mac_cap_info[0] &
3231                IEEE80211_HE_MAC_CAP0_TWT_RES;
3232}
3233
3234static int ieee80211_recalc_twt_req(struct ieee80211_sub_if_data *sdata,
3235                                    struct sta_info *sta,
3236                                    struct ieee802_11_elems *elems)
3237{
3238        bool twt = ieee80211_twt_req_supported(sta, elems);
3239
3240        if (sdata->vif.bss_conf.twt_requester != twt) {
3241                sdata->vif.bss_conf.twt_requester = twt;
3242                return BSS_CHANGED_TWT;
3243        }
3244        return 0;
3245}
3246
3247static bool ieee80211_twt_bcast_support(struct ieee80211_sub_if_data *sdata,
3248                                        struct ieee80211_bss_conf *bss_conf,
3249                                        struct ieee80211_supported_band *sband,
3250                                        struct sta_info *sta)
3251{
3252        const struct ieee80211_sta_he_cap *own_he_cap =
3253                ieee80211_get_he_iftype_cap(sband,
3254                                            ieee80211_vif_type_p2p(&sdata->vif));
3255
3256        return bss_conf->he_support &&
3257                (sta->sta.he_cap.he_cap_elem.mac_cap_info[2] &
3258                        IEEE80211_HE_MAC_CAP2_BCAST_TWT) &&
3259                own_he_cap &&
3260                (own_he_cap->he_cap_elem.mac_cap_info[2] &
3261                        IEEE80211_HE_MAC_CAP2_BCAST_TWT);
3262}
3263
3264static bool ieee80211_assoc_success(struct ieee80211_sub_if_data *sdata,
3265                                    struct cfg80211_bss *cbss,
3266                                    struct ieee80211_mgmt *mgmt, size_t len,
3267                                    struct ieee802_11_elems *elems)
3268{
3269        struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
3270        struct ieee80211_local *local = sdata->local;
3271        struct ieee80211_supported_band *sband;
3272        struct sta_info *sta;
3273        u16 capab_info, aid;
3274        struct ieee80211_bss_conf *bss_conf = &sdata->vif.bss_conf;
3275        const struct cfg80211_bss_ies *bss_ies = NULL;
3276        struct ieee80211_mgd_assoc_data *assoc_data = ifmgd->assoc_data;
3277        bool is_6ghz = cbss->channel->band == NL80211_BAND_6GHZ;
3278        bool is_s1g = cbss->channel->band == NL80211_BAND_S1GHZ;
3279        u32 changed = 0;
3280        u8 *pos;
3281        int err;
3282        bool ret;
3283
3284        /* AssocResp and ReassocResp have identical structure */
3285
3286        pos = mgmt->u.assoc_resp.variable;
3287        aid = le16_to_cpu(mgmt->u.assoc_resp.aid);
3288        if (is_s1g) {
3289                pos = (u8 *) mgmt->u.s1g_assoc_resp.variable;
3290                aid = 0; /* TODO */
3291        }
3292        capab_info = le16_to_cpu(mgmt->u.assoc_resp.capab_info);
3293        ieee802_11_parse_elems(pos, len - (pos - (u8 *)mgmt), false, elems,
3294                               mgmt->bssid, assoc_data->bss->bssid);
3295
3296        if (elems->aid_resp)
3297                aid = le16_to_cpu(elems->aid_resp->aid);
3298
3299        /*
3300         * The 5 MSB of the AID field are reserved
3301         * (802.11-2016 9.4.1.8 AID field)
3302         */
3303        aid &= 0x7ff;
3304
3305        ifmgd->broken_ap = false;
3306
3307        if (aid == 0 || aid > IEEE80211_MAX_AID) {
3308                sdata_info(sdata, "invalid AID value %d (out of range), turn off PS\n",
3309                           aid);
3310                aid = 0;
3311                ifmgd->broken_ap = true;
3312        }
3313
3314        if (!is_s1g && !elems->supp_rates) {
3315                sdata_info(sdata, "no SuppRates element in AssocResp\n");
3316                return false;
3317        }
3318
3319        sdata->vif.bss_conf.aid = aid;
3320        ifmgd->tdls_chan_switch_prohibited =
3321                elems->ext_capab && elems->ext_capab_len >= 5 &&
3322                (elems->ext_capab[4] & WLAN_EXT_CAPA5_TDLS_CH_SW_PROHIBITED);
3323
3324        /*
3325         * Some APs are erroneously not including some information in their
3326         * (re)association response frames. Try to recover by using the data
3327         * from the beacon or probe response. This seems to afflict mobile
3328         * 2G/3G/4G wifi routers, reported models include the "Onda PN51T",
3329         * "Vodafone PocketWiFi 2", "ZTE MF60" and a similar T-Mobile device.
3330         */
3331        if (!is_6ghz &&
3332            ((assoc_data->wmm && !elems->wmm_param) ||
3333             (!(ifmgd->flags & IEEE80211_STA_DISABLE_HT) &&
3334              (!elems->ht_cap_elem || !elems->ht_operation)) ||
3335             (!(ifmgd->flags & IEEE80211_STA_DISABLE_VHT) &&
3336              (!elems->vht_cap_elem || !elems->vht_operation)))) {
3337                const struct cfg80211_bss_ies *ies;
3338                struct ieee802_11_elems bss_elems;
3339
3340                rcu_read_lock();
3341                ies = rcu_dereference(cbss->ies);
3342                if (ies)
3343                        bss_ies = kmemdup(ies, sizeof(*ies) + ies->len,
3344                                          GFP_ATOMIC);
3345                rcu_read_unlock();
3346                if (!bss_ies)
3347                        return false;
3348
3349                ieee802_11_parse_elems(bss_ies->data, bss_ies->len,
3350                                       false, &bss_elems,
3351                                       mgmt->bssid,
3352                                       assoc_data->bss->bssid);
3353                if (assoc_data->wmm &&
3354                    !elems->wmm_param && bss_elems.wmm_param) {
3355                        elems->wmm_param = bss_elems.wmm_param;
3356                        sdata_info(sdata,
3357                                   "AP bug: WMM param missing from AssocResp\n");
3358                }
3359
3360                /*
3361                 * Also check if we requested HT/VHT, otherwise the AP doesn't
3362                 * have to include the IEs in the (re)association response.
3363                 */
3364                if (!elems->ht_cap_elem && bss_elems.ht_cap_elem &&
3365                    !(ifmgd->flags & IEEE80211_STA_DISABLE_HT)) {
3366                        elems->ht_cap_elem = bss_elems.ht_cap_elem;
3367                        sdata_info(sdata,
3368                                   "AP bug: HT capability missing from AssocResp\n");
3369                }
3370                if (!elems->ht_operation && bss_elems.ht_operation &&
3371                    !(ifmgd->flags & IEEE80211_STA_DISABLE_HT)) {
3372                        elems->ht_operation = bss_elems.ht_operation;
3373                        sdata_info(sdata,
3374                                   "AP bug: HT operation missing from AssocResp\n");
3375                }
3376                if (!elems->vht_cap_elem && bss_elems.vht_cap_elem &&
3377                    !(ifmgd->flags & IEEE80211_STA_DISABLE_VHT)) {
3378                        elems->vht_cap_elem = bss_elems.vht_cap_elem;
3379                        sdata_info(sdata,
3380                                   "AP bug: VHT capa missing from AssocResp\n");
3381                }
3382                if (!elems->vht_operation && bss_elems.vht_operation &&
3383                    !(ifmgd->flags & IEEE80211_STA_DISABLE_VHT)) {
3384                        elems->vht_operation = bss_elems.vht_operation;
3385                        sdata_info(sdata,
3386                                   "AP bug: VHT operation missing from AssocResp\n");
3387                }
3388        }
3389
3390        /*
3391         * We previously checked these in the beacon/probe response, so
3392         * they should be present here. This is just a safety net.
3393         */
3394        if (!is_6ghz && !(ifmgd->flags & IEEE80211_STA_DISABLE_HT) &&
3395            (!elems->wmm_param || !elems->ht_cap_elem || !elems->ht_operation)) {
3396                sdata_info(sdata,
3397                           "HT AP is missing WMM params or HT capability/operation\n");
3398                ret = false;
3399                goto out;
3400        }
3401
3402        if (!is_6ghz && !(ifmgd->flags & IEEE80211_STA_DISABLE_VHT) &&
3403            (!elems->vht_cap_elem || !elems->vht_operation)) {
3404                sdata_info(sdata,
3405                           "VHT AP is missing VHT capability/operation\n");
3406                ret = false;
3407                goto out;
3408        }
3409
3410        if (is_6ghz && !(ifmgd->flags & IEEE80211_STA_DISABLE_HE) &&
3411            !elems->he_6ghz_capa) {
3412                sdata_info(sdata,
3413                           "HE 6 GHz AP is missing HE 6 GHz band capability\n");
3414                ret = false;
3415                goto out;
3416        }
3417
3418        mutex_lock(&sdata->local->sta_mtx);
3419        /*
3420         * station info was already allocated and inserted before
3421         * the association and should be available to us
3422         */
3423        sta = sta_info_get(sdata, cbss->bssid);
3424        if (WARN_ON(!sta)) {
3425                mutex_unlock(&sdata->local->sta_mtx);
3426                ret = false;
3427                goto out;
3428        }
3429
3430        sband = ieee80211_get_sband(sdata);
3431        if (!sband) {
3432                mutex_unlock(&sdata->local->sta_mtx);
3433                ret = false;
3434                goto out;
3435        }
3436
3437        if (!(ifmgd->flags & IEEE80211_STA_DISABLE_HE) &&
3438            (!elems->he_cap || !elems->he_operation)) {
3439                mutex_unlock(&sdata->local->sta_mtx);
3440                sdata_info(sdata,
3441                           "HE AP is missing HE capability/operation\n");
3442                ret = false;
3443                goto out;
3444        }
3445
3446        /* Set up internal HT/VHT capabilities */
3447        if (elems->ht_cap_elem && !(ifmgd->flags & IEEE80211_STA_DISABLE_HT))
3448                ieee80211_ht_cap_ie_to_sta_ht_cap(sdata, sband,
3449                                                  elems->ht_cap_elem, sta);
3450
3451        if (elems->vht_cap_elem && !(ifmgd->flags & IEEE80211_STA_DISABLE_VHT))
3452                ieee80211_vht_cap_ie_to_sta_vht_cap(sdata, sband,
3453                                                    elems->vht_cap_elem, sta);
3454
3455        if (elems->he_operation && !(ifmgd->flags & IEEE80211_STA_DISABLE_HE) &&
3456            elems->he_cap) {
3457                ieee80211_he_cap_ie_to_sta_he_cap(sdata, sband,
3458                                                  elems->he_cap,
3459                                                  elems->he_cap_len,
3460                                                  elems->he_6ghz_capa,
3461                                                  sta);
3462
3463                bss_conf->he_support = sta->sta.he_cap.has_he;
3464                if (elems->rsnx && elems->rsnx_len &&
3465                    (elems->rsnx[0] & WLAN_RSNX_CAPA_PROTECTED_TWT) &&
3466                    wiphy_ext_feature_isset(local->hw.wiphy,
3467                                            NL80211_EXT_FEATURE_PROTECTED_TWT))
3468                        bss_conf->twt_protected = true;
3469                else
3470                        bss_conf->twt_protected = false;
3471
3472                changed |= ieee80211_recalc_twt_req(sdata, sta, elems);
3473        } else {
3474                bss_conf->he_support = false;
3475                bss_conf->twt_requester = false;
3476                bss_conf->twt_protected = false;
3477        }
3478
3479        bss_conf->twt_broadcast =
3480                ieee80211_twt_bcast_support(sdata, bss_conf, sband, sta);
3481
3482        if (bss_conf->he_support) {
3483                bss_conf->he_bss_color.color =
3484                        le32_get_bits(elems->he_operation->he_oper_params,
3485                                      IEEE80211_HE_OPERATION_BSS_COLOR_MASK);
3486                bss_conf->he_bss_color.partial =
3487                        le32_get_bits(elems->he_operation->he_oper_params,
3488                                      IEEE80211_HE_OPERATION_PARTIAL_BSS_COLOR);
3489                bss_conf->he_bss_color.enabled =
3490                        !le32_get_bits(elems->he_operation->he_oper_params,
3491                                       IEEE80211_HE_OPERATION_BSS_COLOR_DISABLED);
3492
3493                if (bss_conf->he_bss_color.enabled)
3494                        changed |= BSS_CHANGED_HE_BSS_COLOR;
3495
3496                bss_conf->htc_trig_based_pkt_ext =
3497                        le32_get_bits(elems->he_operation->he_oper_params,
3498                              IEEE80211_HE_OPERATION_DFLT_PE_DURATION_MASK);
3499                bss_conf->frame_time_rts_th =
3500                        le32_get_bits(elems->he_operation->he_oper_params,
3501                              IEEE80211_HE_OPERATION_RTS_THRESHOLD_MASK);
3502
3503                bss_conf->uora_exists = !!elems->uora_element;
3504                if (elems->uora_element)
3505                        bss_conf->uora_ocw_range = elems->uora_element[0];
3506
3507                ieee80211_he_op_ie_to_bss_conf(&sdata->vif, elems->he_operation);
3508                ieee80211_he_spr_ie_to_bss_conf(&sdata->vif, elems->he_spr);
3509                /* TODO: OPEN: what happens if BSS color disable is set? */
3510        }
3511
3512        if (cbss->transmitted_bss) {
3513                bss_conf->nontransmitted = true;
3514                ether_addr_copy(bss_conf->transmitter_bssid,
3515                                cbss->transmitted_bss->bssid);
3516                bss_conf->bssid_indicator = cbss->max_bssid_indicator;
3517                bss_conf->bssid_index = cbss->bssid_index;
3518        }
3519
3520        /*
3521         * Some APs, e.g. Netgear WNDR3700, report invalid HT operation data
3522         * in their association response, so ignore that data for our own
3523         * configuration. If it changed since the last beacon, we'll get the
3524         * next beacon and update then.
3525         */
3526
3527        /*
3528         * If an operating mode notification IE is present, override the
3529         * NSS calculation (that would be done in rate_control_rate_init())
3530         * and use the # of streams from that element.
3531         */
3532        if (elems->opmode_notif &&
3533            !(*elems->opmode_notif & IEEE80211_OPMODE_NOTIF_RX_NSS_TYPE_BF)) {
3534                u8 nss;
3535
3536                nss = *elems->opmode_notif & IEEE80211_OPMODE_NOTIF_RX_NSS_MASK;
3537                nss >>= IEEE80211_OPMODE_NOTIF_RX_NSS_SHIFT;
3538                nss += 1;
3539                sta->sta.rx_nss = nss;
3540        }
3541
3542        rate_control_rate_init(sta);
3543
3544        if (ifmgd->flags & IEEE80211_STA_MFP_ENABLED) {
3545                set_sta_flag(sta, WLAN_STA_MFP);
3546                sta->sta.mfp = true;
3547        } else {
3548                sta->sta.mfp = false;
3549        }
3550
3551        sta->sta.wme = (elems->wmm_param || elems->s1g_capab) &&
3552                       local->hw.queues >= IEEE80211_NUM_ACS;
3553
3554        err = sta_info_move_state(sta, IEEE80211_STA_ASSOC);
3555        if (!err && !(ifmgd->flags & IEEE80211_STA_CONTROL_PORT))
3556                err = sta_info_move_state(sta, IEEE80211_STA_AUTHORIZED);
3557        if (err) {
3558                sdata_info(sdata,
3559                           "failed to move station %pM to desired state\n",
3560                           sta->sta.addr);
3561                WARN_ON(__sta_info_destroy(sta));
3562                mutex_unlock(&sdata->local->sta_mtx);
3563                ret = false;
3564                goto out;
3565        }
3566
3567        if (sdata->wdev.use_4addr)
3568                drv_sta_set_4addr(local, sdata, &sta->sta, true);
3569
3570        mutex_unlock(&sdata->local->sta_mtx);
3571
3572        /*
3573         * Always handle WMM once after association regardless
3574         * of the first value the AP uses. Setting -1 here has
3575         * that effect because the AP values is an unsigned
3576         * 4-bit value.
3577         */
3578        ifmgd->wmm_last_param_set = -1;
3579        ifmgd->mu_edca_last_param_set = -1;
3580
3581        if (ifmgd->flags & IEEE80211_STA_DISABLE_WMM) {
3582                ieee80211_set_wmm_default(sdata, false, false);
3583        } else if (!ieee80211_sta_wmm_params(local, sdata, elems->wmm_param,
3584                                             elems->wmm_param_len,
3585                                             elems->mu_edca_param_set)) {
3586                /* still enable QoS since we might have HT/VHT */
3587                ieee80211_set_wmm_default(sdata, false, true);
3588                /* set the disable-WMM flag in this case to disable
3589                 * tracking WMM parameter changes in the beacon if
3590                 * the parameters weren't actually valid. Doing so
3591                 * avoids changing parameters very strangely when
3592                 * the AP is going back and forth between valid and
3593                 * invalid parameters.
3594                 */
3595                ifmgd->flags |= IEEE80211_STA_DISABLE_WMM;
3596        }
3597        changed |= BSS_CHANGED_QOS;
3598
3599        if (elems->max_idle_period_ie) {
3600                bss_conf->max_idle_period =
3601                        le16_to_cpu(elems->max_idle_period_ie->max_idle_period);
3602                bss_conf->protected_keep_alive =
3603                        !!(elems->max_idle_period_ie->idle_options &
3604                           WLAN_IDLE_OPTIONS_PROTECTED_KEEP_ALIVE);
3605                changed |= BSS_CHANGED_KEEP_ALIVE;
3606        } else {
3607                bss_conf->max_idle_period = 0;
3608                bss_conf->protected_keep_alive = false;
3609        }
3610
3611        /* set assoc capability (AID was already set earlier),
3612         * ieee80211_set_associated() will tell the driver */
3613        bss_conf->assoc_capability = capab_info;
3614        ieee80211_set_associated(sdata, cbss, changed);
3615
3616        /*
3617         * If we're using 4-addr mode, let the AP know that we're
3618         * doing so, so that it can create the STA VLAN on its side
3619         */
3620        if (ifmgd->use_4addr)
3621                ieee80211_send_4addr_nullfunc(local, sdata);
3622
3623        /*
3624         * Start timer to probe the connection to the AP now.
3625         * Also start the timer that will detect beacon loss.
3626         */
3627        ieee80211_sta_reset_beacon_monitor(sdata);
3628        ieee80211_sta_reset_conn_monitor(sdata);
3629
3630        ret = true;
3631 out:
3632        kfree(bss_ies);
3633        return ret;
3634}
3635
3636static void ieee80211_rx_mgmt_assoc_resp(struct ieee80211_sub_if_data *sdata,
3637                                         struct ieee80211_mgmt *mgmt,
3638                                         size_t len)
3639{
3640        struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
3641        struct ieee80211_mgd_assoc_data *assoc_data = ifmgd->assoc_data;
3642        u16 capab_info, status_code, aid;
3643        struct ieee802_11_elems elems;
3644        int ac, uapsd_queues = -1;
3645        u8 *pos;
3646        bool reassoc;
3647        struct cfg80211_bss *cbss;
3648        struct ieee80211_event event = {
3649                .type = MLME_EVENT,
3650                .u.mlme.data = ASSOC_EVENT,
3651        };
3652        struct ieee80211_prep_tx_info info = {};
3653
3654        sdata_assert_lock(sdata);
3655
3656        if (!assoc_data)
3657                return;
3658
3659        if (!ether_addr_equal(assoc_data->bss->bssid, mgmt->bssid))
3660                return;
3661
3662        cbss = assoc_data->bss;
3663
3664        /*
3665         * AssocResp and ReassocResp have identical structure, so process both
3666         * of them in this function.
3667         */
3668
3669        if (len < 24 + 6)
3670                return;
3671
3672        reassoc = ieee80211_is_reassoc_resp(mgmt->frame_control);
3673        capab_info = le16_to_cpu(mgmt->u.assoc_resp.capab_info);
3674        status_code = le16_to_cpu(mgmt->u.assoc_resp.status_code);
3675        pos = mgmt->u.assoc_resp.variable;
3676        aid = le16_to_cpu(mgmt->u.assoc_resp.aid);
3677        if (cbss->channel->band == NL80211_BAND_S1GHZ) {
3678                pos = (u8 *) mgmt->u.s1g_assoc_resp.variable;
3679                aid = 0; /* TODO */
3680        }
3681
3682        /*
3683         * Note: this may not be perfect, AP might misbehave - if
3684         * anyone needs to rely on perfect complete notification
3685         * with the exact right subtype, then we need to track what
3686         * we actually transmitted.
3687         */
3688        info.subtype = reassoc ? IEEE80211_STYPE_REASSOC_REQ :
3689                                 IEEE80211_STYPE_ASSOC_REQ;
3690
3691        sdata_info(sdata,
3692                   "RX %sssocResp from %pM (capab=0x%x status=%d aid=%d)\n",
3693                   reassoc ? "Rea" : "A", mgmt->sa,
3694                   capab_info, status_code, (u16)(aid & ~(BIT(15) | BIT(14))));
3695
3696        if (assoc_data->fils_kek_len &&
3697            fils_decrypt_assoc_resp(sdata, (u8 *)mgmt, &len, assoc_data) < 0)
3698                return;
3699
3700        ieee802_11_parse_elems(pos, len - (pos - (u8 *)mgmt), false, &elems,
3701                               mgmt->bssid, assoc_data->bss->bssid);
3702
3703        if (status_code == WLAN_STATUS_ASSOC_REJECTED_TEMPORARILY &&
3704            elems.timeout_int &&
3705            elems.timeout_int->type == WLAN_TIMEOUT_ASSOC_COMEBACK) {
3706                u32 tu, ms;
3707                tu = le32_to_cpu(elems.timeout_int->value);
3708                ms = tu * 1024 / 1000;
3709                sdata_info(sdata,
3710                           "%pM rejected association temporarily; comeback duration %u TU (%u ms)\n",
3711                           mgmt->sa, tu, ms);
3712                assoc_data->timeout = jiffies + msecs_to_jiffies(ms);
3713                assoc_data->timeout_started = true;
3714                if (ms > IEEE80211_ASSOC_TIMEOUT)
3715                        run_again(sdata, assoc_data->timeout);
3716                goto notify_driver;
3717        }
3718
3719        if (status_code != WLAN_STATUS_SUCCESS) {
3720                sdata_info(sdata, "%pM denied association (code=%d)\n",
3721                           mgmt->sa, status_code);
3722                ieee80211_destroy_assoc_data(sdata, false, false);
3723                event.u.mlme.status = MLME_DENIED;
3724                event.u.mlme.reason = status_code;
3725                drv_event_callback(sdata->local, sdata, &event);
3726        } else {
3727                if (!ieee80211_assoc_success(sdata, cbss, mgmt, len, &elems)) {
3728                        /* oops -- internal error -- send timeout for now */
3729                        ieee80211_destroy_assoc_data(sdata, false, false);
3730                        cfg80211_assoc_timeout(sdata->dev, cbss);
3731                        goto notify_driver;
3732                }
3733                event.u.mlme.status = MLME_SUCCESS;
3734                drv_event_callback(sdata->local, sdata, &event);
3735                sdata_info(sdata, "associated\n");
3736
3737                /*
3738                 * destroy assoc_data afterwards, as otherwise an idle
3739                 * recalc after assoc_data is NULL but before associated
3740                 * is set can cause the interface to go idle
3741                 */
3742                ieee80211_destroy_assoc_data(sdata, true, false);
3743
3744                /* get uapsd queues configuration */
3745                uapsd_queues = 0;
3746                for (ac = 0; ac < IEEE80211_NUM_ACS; ac++)
3747                        if (sdata->tx_conf[ac].uapsd)
3748                                uapsd_queues |= ieee80211_ac_to_qos_mask[ac];
3749
3750                info.success = 1;
3751        }
3752
3753        cfg80211_rx_assoc_resp(sdata->dev, cbss, (u8 *)mgmt, len, uapsd_queues,
3754                               ifmgd->assoc_req_ies, ifmgd->assoc_req_ies_len);
3755notify_driver:
3756        drv_mgd_complete_tx(sdata->local, sdata, &info);
3757}
3758
3759static void ieee80211_rx_bss_info(struct ieee80211_sub_if_data *sdata,
3760                                  struct ieee80211_mgmt *mgmt, size_t len,
3761                                  struct ieee80211_rx_status *rx_status)
3762{
3763        struct ieee80211_local *local = sdata->local;
3764        struct ieee80211_bss *bss;
3765        struct ieee80211_channel *channel;
3766
3767        sdata_assert_lock(sdata);
3768
3769        channel = ieee80211_get_channel_khz(local->hw.wiphy,
3770                                        ieee80211_rx_status_to_khz(rx_status));
3771        if (!channel)
3772                return;
3773
3774        bss = ieee80211_bss_info_update(local, rx_status, mgmt, len, channel);
3775        if (bss) {
3776                sdata->vif.bss_conf.beacon_rate = bss->beacon_rate;
3777                ieee80211_rx_bss_put(local, bss);
3778        }
3779}
3780
3781
3782static void ieee80211_rx_mgmt_probe_resp(struct ieee80211_sub_if_data *sdata,
3783                                         struct sk_buff *skb)
3784{
3785        struct ieee80211_mgmt *mgmt = (void *)skb->data;
3786        struct ieee80211_if_managed *ifmgd;
3787        struct ieee80211_rx_status *rx_status = (void *) skb->cb;
3788        struct ieee80211_channel *channel;
3789        size_t baselen, len = skb->len;
3790
3791        ifmgd = &sdata->u.mgd;
3792
3793        sdata_assert_lock(sdata);
3794
3795        /*
3796         * According to Draft P802.11ax D6.0 clause 26.17.2.3.2:
3797         * "If a 6 GHz AP receives a Probe Request frame  and responds with
3798         * a Probe Response frame [..], the Address 1 field of the Probe
3799         * Response frame shall be set to the broadcast address [..]"
3800         * So, on 6GHz band we should also accept broadcast responses.
3801         */
3802        channel = ieee80211_get_channel(sdata->local->hw.wiphy,
3803                                        rx_status->freq);
3804        if (!channel)
3805                return;
3806
3807        if (!ether_addr_equal(mgmt->da, sdata->vif.addr) &&
3808            (channel->band != NL80211_BAND_6GHZ ||
3809             !is_broadcast_ether_addr(mgmt->da)))
3810                return; /* ignore ProbeResp to foreign address */
3811
3812        baselen = (u8 *) mgmt->u.probe_resp.variable - (u8 *) mgmt;
3813        if (baselen > len)
3814                return;
3815
3816        ieee80211_rx_bss_info(sdata, mgmt, len, rx_status);
3817
3818        if (ifmgd->associated &&
3819            ether_addr_equal(mgmt->bssid, ifmgd->associated->bssid))
3820                ieee80211_reset_ap_probe(sdata);
3821}
3822
3823/*
3824 * This is the canonical list of information elements we care about,
3825 * the filter code also gives us all changes to the Microsoft OUI
3826 * (00:50:F2) vendor IE which is used for WMM which we need to track,
3827 * as well as the DTPC IE (part of the Cisco OUI) used for signaling
3828 * changes to requested client power.
3829 *
3830 * We implement beacon filtering in software since that means we can
3831 * avoid processing the frame here and in cfg80211, and userspace
3832 * will not be able to tell whether the hardware supports it or not.
3833 *
3834 * XXX: This list needs to be dynamic -- userspace needs to be able to
3835 *      add items it requires. It also needs to be able to tell us to
3836 *      look out for other vendor IEs.
3837 */
3838static const u64 care_about_ies =
3839        (1ULL << WLAN_EID_COUNTRY) |
3840        (1ULL << WLAN_EID_ERP_INFO) |
3841        (1ULL << WLAN_EID_CHANNEL_SWITCH) |
3842        (1ULL << WLAN_EID_PWR_CONSTRAINT) |
3843        (1ULL << WLAN_EID_HT_CAPABILITY) |
3844        (1ULL << WLAN_EID_HT_OPERATION) |
3845        (1ULL << WLAN_EID_EXT_CHANSWITCH_ANN);
3846
3847static void ieee80211_handle_beacon_sig(struct ieee80211_sub_if_data *sdata,
3848                                        struct ieee80211_if_managed *ifmgd,
3849                                        struct ieee80211_bss_conf *bss_conf,
3850                                        struct ieee80211_local *local,
3851                                        struct ieee80211_rx_status *rx_status)
3852{
3853        /* Track average RSSI from the Beacon frames of the current AP */
3854
3855        if (ifmgd->flags & IEEE80211_STA_RESET_SIGNAL_AVE) {
3856                ifmgd->flags &= ~IEEE80211_STA_RESET_SIGNAL_AVE;
3857                ewma_beacon_signal_init(&ifmgd->ave_beacon_signal);
3858                ifmgd->last_cqm_event_signal = 0;
3859                ifmgd->count_beacon_signal = 1;
3860                ifmgd->last_ave_beacon_signal = 0;
3861        } else {
3862                ifmgd->count_beacon_signal++;
3863        }
3864
3865        ewma_beacon_signal_add(&ifmgd->ave_beacon_signal, -rx_status->signal);
3866
3867        if (ifmgd->rssi_min_thold != ifmgd->rssi_max_thold &&
3868            ifmgd->count_beacon_signal >= IEEE80211_SIGNAL_AVE_MIN_COUNT) {
3869                int sig = -ewma_beacon_signal_read(&ifmgd->ave_beacon_signal);
3870                int last_sig = ifmgd->last_ave_beacon_signal;
3871                struct ieee80211_event event = {
3872                        .type = RSSI_EVENT,
3873                };
3874
3875                /*
3876                 * if signal crosses either of the boundaries, invoke callback
3877                 * with appropriate parameters
3878                 */
3879                if (sig > ifmgd->rssi_max_thold &&
3880                    (last_sig <= ifmgd->rssi_min_thold || last_sig == 0)) {
3881                        ifmgd->last_ave_beacon_signal = sig;
3882                        event.u.rssi.data = RSSI_EVENT_HIGH;
3883                        drv_event_callback(local, sdata, &event);
3884                } else if (sig < ifmgd->rssi_min_thold &&
3885                           (last_sig >= ifmgd->rssi_max_thold ||
3886                           last_sig == 0)) {
3887                        ifmgd->last_ave_beacon_signal = sig;
3888                        event.u.rssi.data = RSSI_EVENT_LOW;
3889                        drv_event_callback(local, sdata, &event);
3890                }
3891        }
3892
3893        if (bss_conf->cqm_rssi_thold &&
3894            ifmgd->count_beacon_signal >= IEEE80211_SIGNAL_AVE_MIN_COUNT &&
3895            !(sdata->vif.driver_flags & IEEE80211_VIF_SUPPORTS_CQM_RSSI)) {
3896                int sig = -ewma_beacon_signal_read(&ifmgd->ave_beacon_signal);
3897                int last_event = ifmgd->last_cqm_event_signal;
3898                int thold = bss_conf->cqm_rssi_thold;
3899                int hyst = bss_conf->cqm_rssi_hyst;
3900
3901                if (sig < thold &&
3902                    (last_event == 0 || sig < last_event - hyst)) {
3903                        ifmgd->last_cqm_event_signal = sig;
3904                        ieee80211_cqm_rssi_notify(
3905                                &sdata->vif,
3906                                NL80211_CQM_RSSI_THRESHOLD_EVENT_LOW,
3907                                sig, GFP_KERNEL);
3908                } else if (sig > thold &&
3909                           (last_event == 0 || sig > last_event + hyst)) {
3910                        ifmgd->last_cqm_event_signal = sig;
3911                        ieee80211_cqm_rssi_notify(
3912                                &sdata->vif,
3913                                NL80211_CQM_RSSI_THRESHOLD_EVENT_HIGH,
3914                                sig, GFP_KERNEL);
3915                }
3916        }
3917
3918        if (bss_conf->cqm_rssi_low &&
3919            ifmgd->count_beacon_signal >= IEEE80211_SIGNAL_AVE_MIN_COUNT) {
3920                int sig = -ewma_beacon_signal_read(&ifmgd->ave_beacon_signal);
3921                int last_event = ifmgd->last_cqm_event_signal;
3922                int low = bss_conf->cqm_rssi_low;
3923                int high = bss_conf->cqm_rssi_high;
3924
3925                if (sig < low &&
3926                    (last_event == 0 || last_event >= low)) {
3927                        ifmgd->last_cqm_event_signal = sig;
3928                        ieee80211_cqm_rssi_notify(
3929                                &sdata->vif,
3930                                NL80211_CQM_RSSI_THRESHOLD_EVENT_LOW,
3931                                sig, GFP_KERNEL);
3932                } else if (sig > high &&
3933                           (last_event == 0 || last_event <= high)) {
3934                        ifmgd->last_cqm_event_signal = sig;
3935                        ieee80211_cqm_rssi_notify(
3936                                &sdata->vif,
3937                                NL80211_CQM_RSSI_THRESHOLD_EVENT_HIGH,
3938                                sig, GFP_KERNEL);
3939                }
3940        }
3941}
3942
3943static bool ieee80211_rx_our_beacon(const u8 *tx_bssid,
3944                                    struct cfg80211_bss *bss)
3945{
3946        if (ether_addr_equal(tx_bssid, bss->bssid))
3947                return true;
3948        if (!bss->transmitted_bss)
3949                return false;
3950        return ether_addr_equal(tx_bssid, bss->transmitted_bss->bssid);
3951}
3952
3953static void ieee80211_rx_mgmt_beacon(struct ieee80211_sub_if_data *sdata,
3954                                     struct ieee80211_hdr *hdr, size_t len,
3955                                     struct ieee80211_rx_status *rx_status)
3956{
3957        struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
3958        struct ieee80211_bss_conf *bss_conf = &sdata->vif.bss_conf;
3959        struct ieee80211_mgmt *mgmt = (void *) hdr;
3960        size_t baselen;
3961        struct ieee802_11_elems elems;
3962        struct ieee80211_local *local = sdata->local;
3963        struct ieee80211_chanctx_conf *chanctx_conf;
3964        struct ieee80211_channel *chan;
3965        struct sta_info *sta;
3966        u32 changed = 0;
3967        bool erp_valid;
3968        u8 erp_value = 0;
3969        u32 ncrc = 0;
3970        u8 *bssid, *variable = mgmt->u.beacon.variable;
3971        u8 deauth_buf[IEEE80211_DEAUTH_FRAME_LEN];
3972
3973        sdata_assert_lock(sdata);
3974
3975        /* Process beacon from the current BSS */
3976        bssid = ieee80211_get_bssid(hdr, len, sdata->vif.type);
3977        if (ieee80211_is_s1g_beacon(mgmt->frame_control)) {
3978                struct ieee80211_ext *ext = (void *) mgmt;
3979
3980                if (ieee80211_is_s1g_short_beacon(ext->frame_control))
3981                        variable = ext->u.s1g_short_beacon.variable;
3982                else
3983                        variable = ext->u.s1g_beacon.variable;
3984        }
3985
3986        baselen = (u8 *) variable - (u8 *) mgmt;
3987        if (baselen > len)
3988                return;
3989
3990        rcu_read_lock();
3991        chanctx_conf = rcu_dereference(sdata->vif.chanctx_conf);
3992        if (!chanctx_conf) {
3993                rcu_read_unlock();
3994                return;
3995        }
3996
3997        if (ieee80211_rx_status_to_khz(rx_status) !=
3998            ieee80211_channel_to_khz(chanctx_conf->def.chan)) {
3999                rcu_read_unlock();
4000                return;
4001        }
4002        chan = chanctx_conf->def.chan;
4003        rcu_read_unlock();
4004
4005        if (ifmgd->assoc_data && ifmgd->assoc_data->need_beacon &&
4006            ieee80211_rx_our_beacon(bssid, ifmgd->assoc_data->bss)) {
4007                ieee802_11_parse_elems(variable,
4008                                       len - baselen, false, &elems,
4009                                       bssid,
4010                                       ifmgd->assoc_data->bss->bssid);
4011
4012                ieee80211_rx_bss_info(sdata, mgmt, len, rx_status);
4013
4014                if (elems.dtim_period)
4015                        ifmgd->dtim_period = elems.dtim_period;
4016                ifmgd->have_beacon = true;
4017                ifmgd->assoc_data->need_beacon = false;
4018                if (ieee80211_hw_check(&local->hw, TIMING_BEACON_ONLY)) {
4019                        sdata->vif.bss_conf.sync_tsf =
4020                                le64_to_cpu(mgmt->u.beacon.timestamp);
4021                        sdata->vif.bss_conf.sync_device_ts =
4022                                rx_status->device_timestamp;
4023                        sdata->vif.bss_conf.sync_dtim_count = elems.dtim_count;
4024                }
4025
4026                if (elems.mbssid_config_ie)
4027                        bss_conf->profile_periodicity =
4028                                elems.mbssid_config_ie->profile_periodicity;
4029                else
4030                        bss_conf->profile_periodicity = 0;
4031
4032                if (elems.ext_capab_len >= 11 &&
4033                    (elems.ext_capab[10] & WLAN_EXT_CAPA11_EMA_SUPPORT))
4034                        bss_conf->ema_ap = true;
4035                else
4036                        bss_conf->ema_ap = false;
4037
4038                /* continue assoc process */
4039                ifmgd->assoc_data->timeout = jiffies;
4040                ifmgd->assoc_data->timeout_started = true;
4041                run_again(sdata, ifmgd->assoc_data->timeout);
4042                return;
4043        }
4044
4045        if (!ifmgd->associated ||
4046            !ieee80211_rx_our_beacon(bssid,  ifmgd->associated))
4047                return;
4048        bssid = ifmgd->associated->bssid;
4049
4050        if (!(rx_status->flag & RX_FLAG_NO_SIGNAL_VAL))
4051                ieee80211_handle_beacon_sig(sdata, ifmgd, bss_conf,
4052                                            local, rx_status);
4053
4054        if (ifmgd->flags & IEEE80211_STA_CONNECTION_POLL) {
4055                mlme_dbg_ratelimited(sdata,
4056                                     "cancelling AP probe due to a received beacon\n");
4057                ieee80211_reset_ap_probe(sdata);
4058        }
4059
4060        /*
4061         * Push the beacon loss detection into the future since
4062         * we are processing a beacon from the AP just now.
4063         */
4064        ieee80211_sta_reset_beacon_monitor(sdata);
4065
4066        /* TODO: CRC urrently not calculated on S1G Beacon Compatibility
4067         * element (which carries the beacon interval). Don't forget to add a
4068         * bit to care_about_ies[] above if mac80211 is interested in a
4069         * changing S1G element.
4070         */
4071        if (!ieee80211_is_s1g_beacon(hdr->frame_control))
4072                ncrc = crc32_be(0, (void *)&mgmt->u.beacon.beacon_int, 4);
4073        ncrc = ieee802_11_parse_elems_crc(variable,
4074                                          len - baselen, false, &elems,
4075                                          care_about_ies, ncrc,
4076                                          mgmt->bssid, bssid);
4077
4078        if (ieee80211_hw_check(&local->hw, PS_NULLFUNC_STACK) &&
4079            ieee80211_check_tim(elems.tim, elems.tim_len, bss_conf->aid)) {
4080                if (local->hw.conf.dynamic_ps_timeout > 0) {
4081                        if (local->hw.conf.flags & IEEE80211_CONF_PS) {
4082                                local->hw.conf.flags &= ~IEEE80211_CONF_PS;
4083                                ieee80211_hw_config(local,
4084                                                    IEEE80211_CONF_CHANGE_PS);
4085                        }
4086                        ieee80211_send_nullfunc(local, sdata, false);
4087                } else if (!local->pspolling && sdata->u.mgd.powersave) {
4088                        local->pspolling = true;
4089
4090                        /*
4091                         * Here is assumed that the driver will be
4092                         * able to send ps-poll frame and receive a
4093                         * response even though power save mode is
4094                         * enabled, but some drivers might require
4095                         * to disable power save here. This needs
4096                         * to be investigated.
4097                         */
4098                        ieee80211_send_pspoll(local, sdata);
4099                }
4100        }
4101
4102        if (sdata->vif.p2p ||
4103            sdata->vif.driver_flags & IEEE80211_VIF_GET_NOA_UPDATE) {
4104                struct ieee80211_p2p_noa_attr noa = {};
4105                int ret;
4106
4107                ret = cfg80211_get_p2p_attr(variable,
4108                                            len - baselen,
4109                                            IEEE80211_P2P_ATTR_ABSENCE_NOTICE,
4110                                            (u8 *) &noa, sizeof(noa));
4111                if (ret >= 2) {
4112                        if (sdata->u.mgd.p2p_noa_index != noa.index) {
4113                                /* valid noa_attr and index changed */
4114                                sdata->u.mgd.p2p_noa_index = noa.index;
4115                                memcpy(&bss_conf->p2p_noa_attr, &noa, sizeof(noa));
4116                                changed |= BSS_CHANGED_P2P_PS;
4117                                /*
4118                                 * make sure we update all information, the CRC
4119                                 * mechanism doesn't look at P2P attributes.
4120                                 */
4121                                ifmgd->beacon_crc_valid = false;
4122                        }
4123                } else if (sdata->u.mgd.p2p_noa_index != -1) {
4124                        /* noa_attr not found and we had valid noa_attr before */
4125                        sdata->u.mgd.p2p_noa_index = -1;
4126                        memset(&bss_conf->p2p_noa_attr, 0, sizeof(bss_conf->p2p_noa_attr));
4127                        changed |= BSS_CHANGED_P2P_PS;
4128                        ifmgd->beacon_crc_valid = false;
4129                }
4130        }
4131
4132        if (ifmgd->csa_waiting_bcn)
4133                ieee80211_chswitch_post_beacon(sdata);
4134
4135        /*
4136         * Update beacon timing and dtim count on every beacon appearance. This
4137         * will allow the driver to use the most updated values. Do it before
4138         * comparing this one with last received beacon.
4139         * IMPORTANT: These parameters would possibly be out of sync by the time
4140         * the driver will use them. The synchronized view is currently
4141         * guaranteed only in certain callbacks.
4142         */
4143        if (ieee80211_hw_check(&local->hw, TIMING_BEACON_ONLY) &&
4144            !ieee80211_is_s1g_beacon(hdr->frame_control)) {
4145                sdata->vif.bss_conf.sync_tsf =
4146                        le64_to_cpu(mgmt->u.beacon.timestamp);
4147                sdata->vif.bss_conf.sync_device_ts =
4148                        rx_status->device_timestamp;
4149                sdata->vif.bss_conf.sync_dtim_count = elems.dtim_count;
4150        }
4151
4152        if ((ncrc == ifmgd->beacon_crc && ifmgd->beacon_crc_valid) ||
4153            ieee80211_is_s1g_short_beacon(mgmt->frame_control))
4154                return;
4155        ifmgd->beacon_crc = ncrc;
4156        ifmgd->beacon_crc_valid = true;
4157
4158        ieee80211_rx_bss_info(sdata, mgmt, len, rx_status);
4159
4160        ieee80211_sta_process_chanswitch(sdata, rx_status->mactime,
4161                                         rx_status->device_timestamp,
4162                                         &elems, true);
4163
4164        if (!(ifmgd->flags & IEEE80211_STA_DISABLE_WMM) &&
4165            ieee80211_sta_wmm_params(local, sdata, elems.wmm_param,
4166                                     elems.wmm_param_len,
4167                                     elems.mu_edca_param_set))
4168                changed |= BSS_CHANGED_QOS;
4169
4170        /*
4171         * If we haven't had a beacon before, tell the driver about the
4172         * DTIM period (and beacon timing if desired) now.
4173         */
4174        if (!ifmgd->have_beacon) {
4175                /* a few bogus AP send dtim_period = 0 or no TIM IE */
4176                bss_conf->dtim_period = elems.dtim_period ?: 1;
4177
4178                changed |= BSS_CHANGED_BEACON_INFO;
4179                ifmgd->have_beacon = true;
4180
4181                mutex_lock(&local->iflist_mtx);
4182                ieee80211_recalc_ps(local);
4183                mutex_unlock(&local->iflist_mtx);
4184
4185                ieee80211_recalc_ps_vif(sdata);
4186        }
4187
4188        if (elems.erp_info) {
4189                erp_valid = true;
4190                erp_value = elems.erp_info[0];
4191        } else {
4192                erp_valid = false;
4193        }
4194
4195        if (!ieee80211_is_s1g_beacon(hdr->frame_control))
4196                changed |= ieee80211_handle_bss_capability(sdata,
4197                                le16_to_cpu(mgmt->u.beacon.capab_info),
4198                                erp_valid, erp_value);
4199
4200        mutex_lock(&local->sta_mtx);
4201        sta = sta_info_get(sdata, bssid);
4202
4203        changed |= ieee80211_recalc_twt_req(sdata, sta, &elems);
4204
4205        if (ieee80211_config_bw(sdata, sta, elems.ht_cap_elem,
4206                                elems.vht_cap_elem, elems.ht_operation,
4207                                elems.vht_operation, elems.he_operation,
4208                                elems.s1g_oper, bssid, &changed)) {
4209                mutex_unlock(&local->sta_mtx);
4210                sdata_info(sdata,
4211                           "failed to follow AP %pM bandwidth change, disconnect\n",
4212                           bssid);
4213                ieee80211_set_disassoc(sdata, IEEE80211_STYPE_DEAUTH,
4214                                       WLAN_REASON_DEAUTH_LEAVING,
4215                                       true, deauth_buf);
4216                ieee80211_report_disconnect(sdata, deauth_buf,
4217                                            sizeof(deauth_buf), true,
4218                                            WLAN_REASON_DEAUTH_LEAVING,
4219                                            false);
4220                return;
4221        }
4222
4223        if (sta && elems.opmode_notif)
4224                ieee80211_vht_handle_opmode(sdata, sta, *elems.opmode_notif,
4225                                            rx_status->band);
4226        mutex_unlock(&local->sta_mtx);
4227
4228        changed |= ieee80211_handle_pwr_constr(sdata, chan, mgmt,
4229                                               elems.country_elem,
4230                                               elems.country_elem_len,
4231