1
// SPDX-License-Identifier: GPL-2.0-only
2
/*
3
 * BSS client mode implementation
4
 * Copyright 2003-2008, Jouni Malinen <[email protected]>
5
 * Copyright 2004, Instant802 Networks, Inc.
6
 * Copyright 2005, Devicescape Software, Inc.
7
 * Copyright 2006-2007	Jiri Benc <[email protected]>
8
 * Copyright 2007, Michael Wu <[email protected]>
9
 * Copyright 2013-2014  Intel Mobile Communications GmbH
10
 * Copyright (C) 2015 - 2017 Intel Deutschland GmbH
11
 * Copyright (C) 2018 - 2026 Intel Corporation
12
 */
13

14
#include <linux/delay.h>
15
#include <linux/fips.h>
16
#include <linux/if_ether.h>
17
#include <linux/skbuff.h>
18
#include <linux/if_arp.h>
19
#include <linux/etherdevice.h>
20
#include <linux/moduleparam.h>
21
#include <linux/rtnetlink.h>
22
#include <linux/crc32.h>
23
#include <linux/slab.h>
24
#include <linux/export.h>
25
#include <net/mac80211.h>
26
#include <linux/unaligned.h>
27

28
#include "ieee80211_i.h"
29
#include "driver-ops.h"
30
#include "rate.h"
31
#include "led.h"
32
#include "fils_aead.h"
33

34
#include <kunit/static_stub.h>
35

36
#define IEEE80211_AUTH_TIMEOUT		(HZ / 5)
37
#define IEEE80211_AUTH_TIMEOUT_LONG	(HZ / 2)
38
#define IEEE80211_AUTH_TIMEOUT_SHORT	(HZ / 10)
39
#define IEEE80211_AUTH_TIMEOUT_SAE	(HZ * 2)
40
#define IEEE80211_AUTH_MAX_TRIES	3
41
#define IEEE80211_AUTH_WAIT_ASSOC	(HZ * 5)
42
#define IEEE80211_AUTH_WAIT_SAE_RETRY	(HZ * 2)
43
#define IEEE80211_ASSOC_TIMEOUT		(HZ / 5)
44
#define IEEE80211_ASSOC_TIMEOUT_LONG	(HZ / 2)
45
#define IEEE80211_ASSOC_TIMEOUT_SHORT	(HZ / 10)
46
#define IEEE80211_ASSOC_MAX_TRIES	3
47

48
#define IEEE80211_ADV_TTLM_SAFETY_BUFFER_MS (100 * USEC_PER_MSEC)
49
#define IEEE80211_ADV_TTLM_ST_UNDERFLOW 0xff00
50

51
#define IEEE80211_NEG_TTLM_REQ_TIMEOUT (HZ / 5)
52

53
static int max_nullfunc_tries = 2;
54
module_param(max_nullfunc_tries, int, 0644);
55
MODULE_PARM_DESC(max_nullfunc_tries,
56
		 "Maximum nullfunc tx tries before disconnecting (reason 4).");
57

58
static int max_probe_tries = 5;
59
module_param(max_probe_tries, int, 0644);
60
MODULE_PARM_DESC(max_probe_tries,
61
		 "Maximum probe tries before disconnecting (reason 4).");
62

63
/*
64
 * Beacon loss timeout is calculated as N frames times the
65
 * advertised beacon interval.  This may need to be somewhat
66
 * higher than what hardware might detect to account for
67
 * delays in the host processing frames. But since we also
68
 * probe on beacon miss before declaring the connection lost
69
 * default to what we want.
70
 */
71
static int beacon_loss_count = 7;
72
module_param(beacon_loss_count, int, 0644);
73
MODULE_PARM_DESC(beacon_loss_count,
74
		 "Number of beacon intervals before we decide beacon was lost.");
75

76
/*
77
 * Time the connection can be idle before we probe
78
 * it to see if we can still talk to the AP.
79
 */
80
#define IEEE80211_CONNECTION_IDLE_TIME	(30 * HZ)
81
/*
82
 * Time we wait for a probe response after sending
83
 * a probe request because of beacon loss or for
84
 * checking the connection still works.
85
 */
86
static int probe_wait_ms = 500;
87
module_param(probe_wait_ms, int, 0644);
88
MODULE_PARM_DESC(probe_wait_ms,
89
		 "Maximum time(ms) to wait for probe response"
90
		 " before disconnecting (reason 4).");
91

92
/*
93
 * How many Beacon frames need to have been used in average signal strength
94
 * before starting to indicate signal change events.
95
 */
96
#define IEEE80211_SIGNAL_AVE_MIN_COUNT	4
97

98
/*
99
 * We can have multiple work items (and connection probing)
100
 * scheduling this timer, but we need to take care to only
101
 * reschedule it when it should fire _earlier_ than it was
102
 * asked for before, or if it's not pending right now. This
103
 * function ensures that. Note that it then is required to
104
 * run this function for all timeouts after the first one
105
 * has happened -- the work that runs from this timer will
106
 * do that.
107
 */
108
static void run_again(struct ieee80211_sub_if_data *sdata,
109
		      unsigned long timeout)
110
{
111
	lockdep_assert_wiphy(sdata->local->hw.wiphy);
112

113
	if (!timer_pending(&sdata->u.mgd.timer) ||
114
	    time_before(timeout, sdata->u.mgd.timer.expires))
115
		mod_timer(&sdata->u.mgd.timer, timeout);
116
}
117

118
void ieee80211_sta_reset_beacon_monitor(struct ieee80211_sub_if_data *sdata)
119
{
120
	if (sdata->vif.driver_flags & IEEE80211_VIF_BEACON_FILTER)
121
		return;
122

123
	if (ieee80211_hw_check(&sdata->local->hw, CONNECTION_MONITOR))
124
		return;
125

126
	mod_timer(&sdata->u.mgd.bcn_mon_timer,
127
		  round_jiffies_up(jiffies + sdata->u.mgd.beacon_timeout));
128
}
129

130
void ieee80211_sta_reset_conn_monitor(struct ieee80211_sub_if_data *sdata)
131
{
132
	struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
133

134
	if (unlikely(!ifmgd->associated))
135
		return;
136

137
	if (ifmgd->probe_send_count)
138
		ifmgd->probe_send_count = 0;
139

140
	if (ieee80211_hw_check(&sdata->local->hw, CONNECTION_MONITOR))
141
		return;
142

143
	mod_timer(&ifmgd->conn_mon_timer,
144
		  round_jiffies_up(jiffies + IEEE80211_CONNECTION_IDLE_TIME));
145
}
146

147
static int ecw2cw(int ecw)
148
{
149
	return (1 << ecw) - 1;
150
}
151

152
static enum ieee80211_conn_mode
153
ieee80211_determine_ap_chan(struct ieee80211_sub_if_data *sdata,
154
			    struct ieee80211_channel *channel,
155
			    u32 vht_cap_info,
156
			    const struct ieee802_11_elems *elems,
157
			    bool ignore_ht_channel_mismatch,
158
			    const struct ieee80211_conn_settings *conn,
159
			    struct cfg80211_chan_def *chandef)
160
{
161
	const struct ieee80211_ht_operation *ht_oper = elems->ht_operation;
162
	const struct ieee80211_vht_operation *vht_oper = elems->vht_operation;
163
	const struct ieee80211_he_operation *he_oper = elems->he_operation;
164
	const struct ieee80211_eht_operation *eht_oper = elems->eht_operation;
165
	const struct ieee80211_uhr_operation *uhr_oper = elems->uhr_operation;
166
	struct ieee80211_supported_band *sband =
167
		sdata->local->hw.wiphy->bands[channel->band];
168
	struct cfg80211_chan_def vht_chandef;
169
	bool no_vht = false;
170
	u32 ht_cfreq;
171

172
	if (ieee80211_hw_check(&sdata->local->hw, STRICT))
173
		ignore_ht_channel_mismatch = false;
174

175
	*chandef = (struct cfg80211_chan_def) {
176
		.chan = channel,
177
		.width = NL80211_CHAN_WIDTH_20_NOHT,
178
		.center_freq1 = channel->center_freq,
179
		.freq1_offset = channel->freq_offset,
180
	};
181

182
	/* get special S1G case out of the way */
183
	if (sband->band == NL80211_BAND_S1GHZ) {
184
		if (!ieee80211_chandef_s1g_oper(sdata->local, elems->s1g_oper,
185
						chandef)) {
186
			/* Fallback to default 1MHz */
187
			chandef->width = NL80211_CHAN_WIDTH_1;
188
			chandef->s1g_primary_2mhz = false;
189
		}
190

191
		return IEEE80211_CONN_MODE_S1G;
192
	}
193

194
	/* get special 6 GHz case out of the way */
195
	if (sband->band == NL80211_BAND_6GHZ) {
196
		enum ieee80211_conn_mode mode = IEEE80211_CONN_MODE_HIGHEST;
197

198
		/* this is an error */
199
		if (conn->mode < IEEE80211_CONN_MODE_HE)
200
			return IEEE80211_CONN_MODE_LEGACY;
201

202
		if (!elems->he_6ghz_capa || !elems->he_cap) {
203
			sdata_info(sdata,
204
				   "HE 6 GHz AP is missing HE/HE 6 GHz band capability\n");
205
			return IEEE80211_CONN_MODE_LEGACY;
206
		}
207

208
		if (!eht_oper || !elems->eht_cap) {
209
			eht_oper = NULL;
210
			mode = IEEE80211_CONN_MODE_HE;
211
		}
212

213
		if (!ieee80211_chandef_he_6ghz_oper(sdata->local, he_oper,
214
						    eht_oper, chandef)) {
215
			sdata_info(sdata, "bad HE/EHT 6 GHz operation\n");
216
			return IEEE80211_CONN_MODE_LEGACY;
217
		}
218

219
		if (eht_oper && ieee80211_hw_check(&sdata->local->hw, STRICT)) {
220
			struct cfg80211_chan_def he_chandef = *chandef;
221

222
			if (!ieee80211_chandef_he_6ghz_oper(sdata->local,
223
							    he_oper, NULL,
224
							    &he_chandef)) {
225
				sdata_info(sdata,
226
					   "bad HE operation in EHT AP\n");
227
				return IEEE80211_CONN_MODE_LEGACY;
228
			}
229

230
			if (!cfg80211_chandef_compatible(chandef,
231
							 &he_chandef)) {
232
				sdata_info(sdata, "HE/EHT incompatible\n");
233
				return IEEE80211_CONN_MODE_LEGACY;
234
			}
235
		}
236

237
		if (mode <= IEEE80211_CONN_MODE_EHT)
238
			return mode;
239
		goto check_uhr;
240
	}
241

242
	/* now we have the progression HT, VHT, ... */
243
	if (conn->mode < IEEE80211_CONN_MODE_HT)
244
		return IEEE80211_CONN_MODE_LEGACY;
245

246
	if (!ht_oper || !elems->ht_cap_elem)
247
		return IEEE80211_CONN_MODE_LEGACY;
248

249
	chandef->width = NL80211_CHAN_WIDTH_20;
250

251
	ht_cfreq = ieee80211_channel_to_frequency(ht_oper->primary_chan,
252
						  channel->band);
253
	/* check that channel matches the right operating channel */
254
	if (!ignore_ht_channel_mismatch && channel->center_freq != ht_cfreq) {
255
		/*
256
		 * It's possible that some APs are confused here;
257
		 * Netgear WNDR3700 sometimes reports 4 higher than
258
		 * the actual channel in association responses, but
259
		 * since we look at probe response/beacon data here
260
		 * it should be OK.
261
		 */
262
		sdata_info(sdata,
263
			   "Wrong control channel: center-freq: %d ht-cfreq: %d ht->primary_chan: %d band: %d - Disabling HT\n",
264
			   channel->center_freq, ht_cfreq,
265
			   ht_oper->primary_chan, channel->band);
266
		return IEEE80211_CONN_MODE_LEGACY;
267
	}
268

269
	ieee80211_chandef_ht_oper(ht_oper, chandef);
270

271
	if (conn->mode < IEEE80211_CONN_MODE_VHT)
272
		return IEEE80211_CONN_MODE_HT;
273

274
	vht_chandef = *chandef;
275

276
	/*
277
	 * having he_cap/he_oper parsed out implies we're at
278
	 * least operating as HE STA
279
	 */
280
	if (elems->he_cap && he_oper &&
281
	    he_oper->he_oper_params & cpu_to_le32(IEEE80211_HE_OPERATION_VHT_OPER_INFO)) {
282
		struct ieee80211_vht_operation he_oper_vht_cap;
283

284
		/*
285
		 * Set only first 3 bytes (other 2 aren't used in
286
		 * ieee80211_chandef_vht_oper() anyway)
287
		 */
288
		memcpy(&he_oper_vht_cap, he_oper->optional, 3);
289
		he_oper_vht_cap.basic_mcs_set = cpu_to_le16(0);
290

291
		if (!ieee80211_chandef_vht_oper(&sdata->local->hw, vht_cap_info,
292
						&he_oper_vht_cap, ht_oper,
293
						&vht_chandef)) {
294
			sdata_info(sdata,
295
				   "HE AP VHT information is invalid, disabling HE\n");
296
			/* this will cause us to re-parse as VHT STA */
297
			return IEEE80211_CONN_MODE_VHT;
298
		}
299
	} else if (!vht_oper || !elems->vht_cap_elem) {
300
		if (sband->band == NL80211_BAND_5GHZ)
301
			return IEEE80211_CONN_MODE_HT;
302
		no_vht = true;
303
	} else if (sband->band == NL80211_BAND_2GHZ) {
304
		no_vht = true;
305
	} else if (!ieee80211_chandef_vht_oper(&sdata->local->hw,
306
					       vht_cap_info,
307
					       vht_oper, ht_oper,
308
					       &vht_chandef)) {
309
		sdata_info(sdata,
310
			   "AP VHT information is invalid, disabling VHT\n");
311
		return IEEE80211_CONN_MODE_HT;
312
	}
313

314
	if (!cfg80211_chandef_compatible(chandef, &vht_chandef)) {
315
		sdata_info(sdata,
316
			   "AP VHT information doesn't match HT, disabling VHT\n");
317
		return IEEE80211_CONN_MODE_HT;
318
	}
319

320
	*chandef = vht_chandef;
321

322
	/* stick to current max mode if we or the AP don't have HE */
323
	if (conn->mode < IEEE80211_CONN_MODE_HE ||
324
	    !elems->he_operation || !elems->he_cap) {
325
		if (no_vht)
326
			return IEEE80211_CONN_MODE_HT;
327
		return IEEE80211_CONN_MODE_VHT;
328
	}
329

330
	/* stick to HE if we or the AP don't have EHT */
331
	if (conn->mode < IEEE80211_CONN_MODE_EHT ||
332
	    !eht_oper || !elems->eht_cap)
333
		return IEEE80211_CONN_MODE_HE;
334

335
	/*
336
	 * handle the case that the EHT operation indicates that it holds EHT
337
	 * operation information (in case that the channel width differs from
338
	 * the channel width reported in HT/VHT/HE).
339
	 */
340
	if (eht_oper->params & IEEE80211_EHT_OPER_INFO_PRESENT) {
341
		struct cfg80211_chan_def eht_chandef = *chandef;
342

343
		ieee80211_chandef_eht_oper((const void *)eht_oper->optional,
344
					   &eht_chandef);
345

346
		eht_chandef.punctured =
347
			ieee80211_eht_oper_dis_subchan_bitmap(eht_oper);
348

349
		if (!cfg80211_chandef_valid(&eht_chandef)) {
350
			sdata_info(sdata,
351
				   "AP EHT information is invalid, disabling EHT\n");
352
			return IEEE80211_CONN_MODE_HE;
353
		}
354

355
		if (!cfg80211_chandef_compatible(chandef, &eht_chandef)) {
356
			sdata_info(sdata,
357
				   "AP EHT information doesn't match HT/VHT/HE, disabling EHT\n");
358
			return IEEE80211_CONN_MODE_HE;
359
		}
360

361
		*chandef = eht_chandef;
362
	}
363

364
check_uhr:
365
	if (conn->mode < IEEE80211_CONN_MODE_UHR || !uhr_oper)
366
		return IEEE80211_CONN_MODE_EHT;
367

368
	/*
369
	 * In beacons we don't have all the data - but we know the size was OK,
370
	 * so if the size is valid as a non-beacon case, we have more data and
371
	 * can validate the NPCA parameters.
372
	 */
373
	if (ieee80211_uhr_oper_size_ok((const void *)uhr_oper,
374
				       elems->uhr_operation_len,
375
				       false)) {
376
		struct cfg80211_chan_def npca_chandef = *chandef;
377
		const struct ieee80211_uhr_npca_info *npca;
378
		const __le16 *dis_subch_bmap;
379
		u16 punct = chandef->punctured, npca_punct;
380

381
		npca = ieee80211_uhr_npca_info(uhr_oper);
382
		if (npca) {
383
			int width = cfg80211_chandef_get_width(chandef);
384
			u8 offs = le32_get_bits(npca->params,
385
						IEEE80211_UHR_NPCA_PARAMS_PRIMARY_CHAN_OFFS);
386
			u32 cf1 = chandef->center_freq1;
387
			bool pri_upper, npca_upper;
388

389
			pri_upper = chandef->chan->center_freq > cf1;
390
			npca_upper = 20 * offs >= width / 2;
391

392
			if (20 * offs >= cfg80211_chandef_get_width(chandef) ||
393
			    pri_upper == npca_upper) {
394
				sdata_info(sdata,
395
					   "AP UHR NPCA primary channel invalid, disabling UHR\n");
396
				return IEEE80211_CONN_MODE_EHT;
397
			}
398
		}
399

400
		dis_subch_bmap = ieee80211_uhr_npca_dis_subch_bitmap(uhr_oper);
401

402
		if (dis_subch_bmap) {
403
			npca_punct = get_unaligned_le16(dis_subch_bmap);
404
			npca_chandef.punctured = npca_punct;
405
		}
406

407
		/*
408
		 * must be a valid puncturing pattern for this channel as
409
		 * well as puncturing all subchannels that are already in
410
		 * the disabled subchannel bitmap on the primary channel
411
		 */
412
		if (!cfg80211_chandef_valid(&npca_chandef) ||
413
		    ((punct & npca_punct) != punct)) {
414
			sdata_info(sdata,
415
				   "AP UHR NPCA disabled subchannel bitmap invalid, disabling UHR\n");
416
			return IEEE80211_CONN_MODE_EHT;
417
		}
418
	}
419

420
	return IEEE80211_CONN_MODE_UHR;
421
}
422

423
static bool
424
ieee80211_verify_sta_ht_mcs_support(struct ieee80211_sub_if_data *sdata,
425
				    struct ieee80211_supported_band *sband,
426
				    const struct ieee80211_ht_operation *ht_op)
427
{
428
	struct ieee80211_sta_ht_cap sta_ht_cap;
429
	int i;
430

431
	if (sband->band == NL80211_BAND_6GHZ)
432
		return true;
433

434
	if (!ht_op)
435
		return false;
436

437
	memcpy(&sta_ht_cap, &sband->ht_cap, sizeof(sta_ht_cap));
438
	ieee80211_apply_htcap_overrides(sdata, &sta_ht_cap);
439

440
	/*
441
	 * P802.11REVme/D7.0 - 6.5.4.2.4
442
	 * ...
443
	 * If the MLME of an HT STA receives an MLME-JOIN.request primitive
444
	 * with the SelectedBSS parameter containing a Basic HT-MCS Set field
445
	 * in the HT Operation parameter that contains any unsupported MCSs,
446
	 * the MLME response in the resulting MLME-JOIN.confirm primitive shall
447
	 * contain a ResultCode parameter that is not set to the value SUCCESS.
448
	 * ...
449
	 */
450

451
	/* Simply check that all basic rates are in the STA RX mask */
452
	for (i = 0; i < IEEE80211_HT_MCS_MASK_LEN; i++) {
453
		if ((ht_op->basic_set[i] & sta_ht_cap.mcs.rx_mask[i]) !=
454
		    ht_op->basic_set[i])
455
			return false;
456
	}
457

458
	return true;
459
}
460

461
static bool
462
ieee80211_verify_sta_vht_mcs_support(struct ieee80211_sub_if_data *sdata,
463
				     int link_id,
464
				     struct ieee80211_supported_band *sband,
465
				     const struct ieee80211_vht_operation *vht_op)
466
{
467
	struct ieee80211_sta_vht_cap sta_vht_cap;
468
	u16 ap_min_req_set, sta_rx_mcs_map, sta_tx_mcs_map;
469
	int nss;
470

471
	if (sband->band != NL80211_BAND_5GHZ)
472
		return true;
473

474
	if (!vht_op)
475
		return false;
476

477
	memcpy(&sta_vht_cap, &sband->vht_cap, sizeof(sta_vht_cap));
478
	ieee80211_apply_vhtcap_overrides(sdata, &sta_vht_cap);
479

480
	ap_min_req_set = le16_to_cpu(vht_op->basic_mcs_set);
481
	sta_rx_mcs_map = le16_to_cpu(sta_vht_cap.vht_mcs.rx_mcs_map);
482
	sta_tx_mcs_map = le16_to_cpu(sta_vht_cap.vht_mcs.tx_mcs_map);
483

484
	/*
485
	 * Many APs are incorrectly advertising an all-zero value here,
486
	 * which really means MCS 0-7 are required for 1-8 streams, but
487
	 * they don't really mean it that way.
488
	 * Some other APs are incorrectly advertising 3 spatial streams
489
	 * with MCS 0-7 are required, but don't really mean it that way
490
	 * and we'll connect only with HT, rather than even HE.
491
	 * As a result, unfortunately the VHT basic MCS/NSS set cannot
492
	 * be used at all, so check it only in strict mode.
493
	 */
494
	if (!ieee80211_hw_check(&sdata->local->hw, STRICT))
495
		return true;
496

497
	/*
498
	 * P802.11REVme/D7.0 - 6.5.4.2.4
499
	 * ...
500
	 * If the MLME of a VHT STA receives an MLME-JOIN.request primitive
501
	 * with a SelectedBSS parameter containing a Basic VHT-MCS And NSS Set
502
	 * field in the VHT Operation parameter that contains any unsupported
503
	 * <VHT-MCS, NSS> tuple, the MLME response in the resulting
504
	 * MLME-JOIN.confirm primitive shall contain a ResultCode parameter
505
	 * that is not set to the value SUCCESS.
506
	 * ...
507
	 */
508
	for (nss = 8; nss > 0; nss--) {
509
		u8 ap_op_val = (ap_min_req_set >> (2 * (nss - 1))) & 3;
510
		u8 sta_rx_val;
511
		u8 sta_tx_val;
512

513
		if (ap_op_val == IEEE80211_HE_MCS_NOT_SUPPORTED)
514
			continue;
515

516
		sta_rx_val = (sta_rx_mcs_map >> (2 * (nss - 1))) & 3;
517
		sta_tx_val = (sta_tx_mcs_map >> (2 * (nss - 1))) & 3;
518

519
		if (sta_rx_val == IEEE80211_HE_MCS_NOT_SUPPORTED ||
520
		    sta_tx_val == IEEE80211_HE_MCS_NOT_SUPPORTED ||
521
		    sta_rx_val < ap_op_val || sta_tx_val < ap_op_val) {
522
			link_id_info(sdata, link_id,
523
				     "Missing mandatory rates for %d Nss, rx %d, tx %d oper %d, disable VHT\n",
524
				     nss, sta_rx_val, sta_tx_val, ap_op_val);
525
			return false;
526
		}
527
	}
528

529
	return true;
530
}
531

532
static bool
533
ieee80211_verify_peer_he_mcs_support(struct ieee80211_sub_if_data *sdata,
534
				     int link_id,
535
				     const struct ieee80211_he_cap_elem *he_cap,
536
				     const struct ieee80211_he_operation *he_op)
537
{
538
	struct ieee80211_he_mcs_nss_supp *he_mcs_nss_supp;
539
	u16 mcs_80_map_tx, mcs_80_map_rx;
540
	u16 ap_min_req_set;
541
	int nss;
542

543
	if (!he_cap)
544
		return false;
545

546
	/* mcs_nss is right after he_cap info */
547
	he_mcs_nss_supp = (void *)(he_cap + 1);
548

549
	mcs_80_map_tx = le16_to_cpu(he_mcs_nss_supp->tx_mcs_80);
550
	mcs_80_map_rx = le16_to_cpu(he_mcs_nss_supp->rx_mcs_80);
551

552
	/* P802.11-REVme/D0.3
553
	 * 27.1.1 Introduction to the HE PHY
554
	 * ...
555
	 * An HE STA shall support the following features:
556
	 * ...
557
	 * Single spatial stream HE-MCSs 0 to 7 (transmit and receive) in all
558
	 * supported channel widths for HE SU PPDUs
559
	 */
560
	if ((mcs_80_map_tx & 0x3) == IEEE80211_HE_MCS_NOT_SUPPORTED ||
561
	    (mcs_80_map_rx & 0x3) == IEEE80211_HE_MCS_NOT_SUPPORTED) {
562
		link_id_info(sdata, link_id,
563
			     "Missing mandatory rates for 1 Nss, rx 0x%x, tx 0x%x, disable HE\n",
564
			     mcs_80_map_tx, mcs_80_map_rx);
565
		return false;
566
	}
567

568
	if (!he_op)
569
		return true;
570

571
	ap_min_req_set = le16_to_cpu(he_op->he_mcs_nss_set);
572

573
	/*
574
	 * Apparently iPhone 13 (at least iOS version 15.3.1) sets this to all
575
	 * zeroes, which is nonsense, and completely inconsistent with itself
576
	 * (it doesn't have 8 streams). Accept the settings in this case anyway.
577
	 */
578
	if (!ieee80211_hw_check(&sdata->local->hw, STRICT) && !ap_min_req_set)
579
		return true;
580

581
	/* make sure the AP is consistent with itself
582
	 *
583
	 * P802.11-REVme/D0.3
584
	 * 26.17.1 Basic HE BSS operation
585
	 *
586
	 * A STA that is operating in an HE BSS shall be able to receive and
587
	 * transmit at each of the <HE-MCS, NSS> tuple values indicated by the
588
	 * Basic HE-MCS And NSS Set field of the HE Operation parameter of the
589
	 * MLME-START.request primitive and shall be able to receive at each of
590
	 * the <HE-MCS, NSS> tuple values indicated by the Supported HE-MCS and
591
	 * NSS Set field in the HE Capabilities parameter of the MLMESTART.request
592
	 * primitive
593
	 */
594
	for (nss = 8; nss > 0; nss--) {
595
		u8 ap_op_val = (ap_min_req_set >> (2 * (nss - 1))) & 3;
596
		u8 ap_rx_val;
597
		u8 ap_tx_val;
598

599
		if (ap_op_val == IEEE80211_HE_MCS_NOT_SUPPORTED)
600
			continue;
601

602
		ap_rx_val = (mcs_80_map_rx >> (2 * (nss - 1))) & 3;
603
		ap_tx_val = (mcs_80_map_tx >> (2 * (nss - 1))) & 3;
604

605
		if (ap_rx_val == IEEE80211_HE_MCS_NOT_SUPPORTED ||
606
		    ap_tx_val == IEEE80211_HE_MCS_NOT_SUPPORTED ||
607
		    ap_rx_val < ap_op_val || ap_tx_val < ap_op_val) {
608
			link_id_info(sdata, link_id,
609
				     "Invalid rates for %d Nss, rx %d, tx %d oper %d, disable HE\n",
610
				     nss, ap_rx_val, ap_tx_val, ap_op_val);
611
			return false;
612
		}
613
	}
614

615
	return true;
616
}
617

618
static bool
619
ieee80211_verify_sta_he_mcs_support(struct ieee80211_sub_if_data *sdata,
620
				    struct ieee80211_supported_band *sband,
621
				    const struct ieee80211_he_operation *he_op)
622
{
623
	const struct ieee80211_sta_he_cap *sta_he_cap =
624
		ieee80211_get_he_iftype_cap_vif(sband, &sdata->vif);
625
	u16 ap_min_req_set;
626
	int i;
627

628
	if (!sta_he_cap || !he_op)
629
		return false;
630

631
	ap_min_req_set = le16_to_cpu(he_op->he_mcs_nss_set);
632

633
	/*
634
	 * Apparently iPhone 13 (at least iOS version 15.3.1) sets this to all
635
	 * zeroes, which is nonsense, and completely inconsistent with itself
636
	 * (it doesn't have 8 streams). Accept the settings in this case anyway.
637
	 */
638
	if (!ieee80211_hw_check(&sdata->local->hw, STRICT) && !ap_min_req_set)
639
		return true;
640

641
	/* Need to go over for 80MHz, 160MHz and for 80+80 */
642
	for (i = 0; i < 3; i++) {
643
		const struct ieee80211_he_mcs_nss_supp *sta_mcs_nss_supp =
644
			&sta_he_cap->he_mcs_nss_supp;
645
		u16 sta_mcs_map_rx =
646
			le16_to_cpu(((__le16 *)sta_mcs_nss_supp)[2 * i]);
647
		u16 sta_mcs_map_tx =
648
			le16_to_cpu(((__le16 *)sta_mcs_nss_supp)[2 * i + 1]);
649
		u8 nss;
650
		bool verified = true;
651

652
		/*
653
		 * For each band there is a maximum of 8 spatial streams
654
		 * possible. Each of the sta_mcs_map_* is a 16-bit struct built
655
		 * of 2 bits per NSS (1-8), with the values defined in enum
656
		 * ieee80211_he_mcs_support. Need to make sure STA TX and RX
657
		 * capabilities aren't less than the AP's minimum requirements
658
		 * for this HE BSS per SS.
659
		 * It is enough to find one such band that meets the reqs.
660
		 */
661
		for (nss = 8; nss > 0; nss--) {
662
			u8 sta_rx_val = (sta_mcs_map_rx >> (2 * (nss - 1))) & 3;
663
			u8 sta_tx_val = (sta_mcs_map_tx >> (2 * (nss - 1))) & 3;
664
			u8 ap_val = (ap_min_req_set >> (2 * (nss - 1))) & 3;
665

666
			if (ap_val == IEEE80211_HE_MCS_NOT_SUPPORTED)
667
				continue;
668

669
			/*
670
			 * Make sure the HE AP doesn't require MCSs that aren't
671
			 * supported by the client as required by spec
672
			 *
673
			 * P802.11-REVme/D0.3
674
			 * 26.17.1 Basic HE BSS operation
675
			 *
676
			 * An HE STA shall not attempt to join * (MLME-JOIN.request primitive)
677
			 * a BSS, unless it supports (i.e., is able to both transmit and
678
			 * receive using) all of the <HE-MCS, NSS> tuples in the basic
679
			 * HE-MCS and NSS set.
680
			 */
681
			if (sta_rx_val == IEEE80211_HE_MCS_NOT_SUPPORTED ||
682
			    sta_tx_val == IEEE80211_HE_MCS_NOT_SUPPORTED ||
683
			    (ap_val > sta_rx_val) || (ap_val > sta_tx_val)) {
684
				verified = false;
685
				break;
686
			}
687
		}
688

689
		if (verified)
690
			return true;
691
	}
692

693
	/* If here, STA doesn't meet AP's HE min requirements */
694
	return false;
695
}
696

697
static u8
698
ieee80211_get_eht_cap_mcs_nss(const struct ieee80211_sta_he_cap *sta_he_cap,
699
			      const struct ieee80211_sta_eht_cap *sta_eht_cap,
700
			      unsigned int idx, int bw)
701
{
702
	u8 he_phy_cap0 = sta_he_cap->he_cap_elem.phy_cap_info[0];
703
	u8 eht_phy_cap0 = sta_eht_cap->eht_cap_elem.phy_cap_info[0];
704

705
	/* handle us being a 20 MHz-only EHT STA - with four values
706
	 * for MCS 0-7, 8-9, 10-11, 12-13.
707
	 */
708
	if (!(he_phy_cap0 & IEEE80211_HE_PHY_CAP0_CHANNEL_WIDTH_SET_MASK_ALL))
709
		return sta_eht_cap->eht_mcs_nss_supp.only_20mhz.rx_tx_max_nss[idx];
710

711
	/* the others have MCS 0-9 together, rather than separately from 0-7 */
712
	if (idx > 0)
713
		idx--;
714

715
	switch (bw) {
716
	case 0:
717
		return sta_eht_cap->eht_mcs_nss_supp.bw._80.rx_tx_max_nss[idx];
718
	case 1:
719
		if (!(he_phy_cap0 &
720
		      (IEEE80211_HE_PHY_CAP0_CHANNEL_WIDTH_SET_160MHZ_IN_5G |
721
		       IEEE80211_HE_PHY_CAP0_CHANNEL_WIDTH_SET_80PLUS80_MHZ_IN_5G)))
722
			return 0xff; /* pass check */
723
		return sta_eht_cap->eht_mcs_nss_supp.bw._160.rx_tx_max_nss[idx];
724
	case 2:
725
		if (!(eht_phy_cap0 & IEEE80211_EHT_PHY_CAP0_320MHZ_IN_6GHZ))
726
			return 0xff; /* pass check */
727
		return sta_eht_cap->eht_mcs_nss_supp.bw._320.rx_tx_max_nss[idx];
728
	}
729

730
	WARN_ON(1);
731
	return 0;
732
}
733

734
static bool
735
ieee80211_verify_sta_eht_mcs_support(struct ieee80211_sub_if_data *sdata,
736
				     struct ieee80211_supported_band *sband,
737
				     const struct ieee80211_eht_operation *eht_op)
738
{
739
	const struct ieee80211_sta_he_cap *sta_he_cap =
740
		ieee80211_get_he_iftype_cap_vif(sband, &sdata->vif);
741
	const struct ieee80211_sta_eht_cap *sta_eht_cap =
742
		ieee80211_get_eht_iftype_cap_vif(sband, &sdata->vif);
743
	const struct ieee80211_eht_mcs_nss_supp_20mhz_only *req;
744
	unsigned int i;
745

746
	if (!sta_he_cap || !sta_eht_cap || !eht_op)
747
		return false;
748

749
	req = &eht_op->basic_mcs_nss;
750

751
	for (i = 0; i < ARRAY_SIZE(req->rx_tx_max_nss); i++) {
752
		u8 req_rx_nss, req_tx_nss;
753
		unsigned int bw;
754

755
		req_rx_nss = u8_get_bits(req->rx_tx_max_nss[i],
756
					 IEEE80211_EHT_MCS_NSS_RX);
757
		req_tx_nss = u8_get_bits(req->rx_tx_max_nss[i],
758
					 IEEE80211_EHT_MCS_NSS_TX);
759

760
		for (bw = 0; bw < 3; bw++) {
761
			u8 have, have_rx_nss, have_tx_nss;
762

763
			have = ieee80211_get_eht_cap_mcs_nss(sta_he_cap,
764
							     sta_eht_cap,
765
							     i, bw);
766
			have_rx_nss = u8_get_bits(have,
767
						  IEEE80211_EHT_MCS_NSS_RX);
768
			have_tx_nss = u8_get_bits(have,
769
						  IEEE80211_EHT_MCS_NSS_TX);
770

771
			if (req_rx_nss > have_rx_nss ||
772
			    req_tx_nss > have_tx_nss)
773
				return false;
774
		}
775
	}
776

777
	return true;
778
}
779

780
static void ieee80211_get_rates(struct ieee80211_supported_band *sband,
781
				const u8 *supp_rates,
782
				unsigned int supp_rates_len,
783
				const u8 *ext_supp_rates,
784
				unsigned int ext_supp_rates_len,
785
				u32 *rates, u32 *basic_rates,
786
				unsigned long *unknown_rates_selectors,
787
				bool *have_higher_than_11mbit,
788
				int *min_rate, int *min_rate_index)
789
{
790
	int i, j;
791

792
	for (i = 0; i < supp_rates_len + ext_supp_rates_len; i++) {
793
		u8 supp_rate = i < supp_rates_len ?
794
				supp_rates[i] :
795
				ext_supp_rates[i - supp_rates_len];
796
		int rate = supp_rate & 0x7f;
797
		bool is_basic = !!(supp_rate & 0x80);
798

799
		if ((rate * 5) > 110 && have_higher_than_11mbit)
800
			*have_higher_than_11mbit = true;
801

802
		/*
803
		 * Skip membership selectors since they're not rates.
804
		 *
805
		 * Note: Even though the membership selector and the basic
806
		 *	 rate flag share the same bit, they are not exactly
807
		 *	 the same.
808
		 */
809
		if (is_basic && rate >= BSS_MEMBERSHIP_SELECTOR_MIN) {
810
			if (unknown_rates_selectors)
811
				set_bit(rate, unknown_rates_selectors);
812
			continue;
813
		}
814

815
		for (j = 0; j < sband->n_bitrates; j++) {
816
			struct ieee80211_rate *br;
817
			int brate;
818

819
			br = &sband->bitrates[j];
820

821
			brate = DIV_ROUND_UP(br->bitrate, 5);
822
			if (brate == rate) {
823
				if (rates)
824
					*rates |= BIT(j);
825
				if (is_basic && basic_rates)
826
					*basic_rates |= BIT(j);
827
				if (min_rate && (rate * 5) < *min_rate) {
828
					*min_rate = rate * 5;
829
					if (min_rate_index)
830
						*min_rate_index = j;
831
				}
832
				break;
833
			}
834
		}
835

836
		/* Handle an unknown entry as if it is an unknown selector */
837
		if (is_basic && unknown_rates_selectors && j == sband->n_bitrates)
838
			set_bit(rate, unknown_rates_selectors);
839
	}
840
}
841

842
static bool ieee80211_chandef_usable(struct ieee80211_sub_if_data *sdata,
843
				     const struct cfg80211_chan_def *chandef,
844
				     u32 prohibited_flags)
845
{
846
	if (!cfg80211_chandef_usable(sdata->local->hw.wiphy,
847
				     chandef, prohibited_flags))
848
		return false;
849

850
	if (chandef->punctured &&
851
	    ieee80211_hw_check(&sdata->local->hw, DISALLOW_PUNCTURING))
852
		return false;
853

854
	return true;
855
}
856

857
static int ieee80211_chandef_num_subchans(const struct cfg80211_chan_def *c)
858
{
859
	if (c->width == NL80211_CHAN_WIDTH_80P80)
860
		return 4 + 4;
861

862
	return cfg80211_chandef_get_width(c) / 20;
863
}
864

865
static int ieee80211_chandef_num_widths(const struct cfg80211_chan_def *c)
866
{
867
	switch (c->width) {
868
	case NL80211_CHAN_WIDTH_20:
869
	case NL80211_CHAN_WIDTH_20_NOHT:
870
		return 1;
871
	case NL80211_CHAN_WIDTH_40:
872
		return 2;
873
	case NL80211_CHAN_WIDTH_80P80:
874
	case NL80211_CHAN_WIDTH_80:
875
		return 3;
876
	case NL80211_CHAN_WIDTH_160:
877
		return 4;
878
	case NL80211_CHAN_WIDTH_320:
879
		return 5;
880
	default:
881
		WARN_ON(1);
882
		return 0;
883
	}
884
}
885

886
VISIBLE_IF_MAC80211_KUNIT int
887
ieee80211_calc_chandef_subchan_offset(const struct cfg80211_chan_def *ap,
888
				      u8 n_partial_subchans)
889
{
890
	int n = ieee80211_chandef_num_subchans(ap);
891
	struct cfg80211_chan_def tmp = *ap;
892
	int offset = 0;
893

894
	/*
895
	 * Given a chandef (in this context, it's the AP's) and a number
896
	 * of subchannels that we want to look at ('n_partial_subchans'),
897
	 * calculate the offset in number of subchannels between the full
898
	 * and the subset with the desired width.
899
	 */
900

901
	/* same number of subchannels means no offset, obviously */
902
	if (n == n_partial_subchans)
903
		return 0;
904

905
	/* don't WARN - misconfigured APs could cause this if their N > width */
906
	if (n < n_partial_subchans)
907
		return 0;
908

909
	while (ieee80211_chandef_num_subchans(&tmp) > n_partial_subchans) {
910
		u32 prev = tmp.center_freq1;
911

912
		ieee80211_chandef_downgrade(&tmp, NULL);
913

914
		/*
915
		 * if center_freq moved up, half the original channels
916
		 * are gone now but were below, so increase offset
917
		 */
918
		if (prev < tmp.center_freq1)
919
			offset += ieee80211_chandef_num_subchans(&tmp);
920
	}
921

922
	/*
923
	 * 80+80 with secondary 80 below primary - four subchannels for it
924
	 * (we cannot downgrade *to* 80+80, so no need to consider 'tmp')
925
	 */
926
	if (ap->width == NL80211_CHAN_WIDTH_80P80 &&
927
	    ap->center_freq2 < ap->center_freq1)
928
		offset += 4;
929

930
	return offset;
931
}
932
EXPORT_SYMBOL_IF_MAC80211_KUNIT(ieee80211_calc_chandef_subchan_offset);
933

934
VISIBLE_IF_MAC80211_KUNIT void
935
ieee80211_rearrange_tpe_psd(struct ieee80211_parsed_tpe_psd *psd,
936
			    const struct cfg80211_chan_def *ap,
937
			    const struct cfg80211_chan_def *used)
938
{
939
	u8 needed = ieee80211_chandef_num_subchans(used);
940
	u8 have = ieee80211_chandef_num_subchans(ap);
941
	u8 tmp[IEEE80211_TPE_PSD_ENTRIES_320MHZ];
942
	u8 offset;
943

944
	if (!psd->valid)
945
		return;
946

947
	/* if N is zero, all defaults were used, no point in rearranging */
948
	if (!psd->n)
949
		goto out;
950

951
	BUILD_BUG_ON(sizeof(tmp) != sizeof(psd->power));
952

953
	/*
954
	 * This assumes that 'N' is consistent with the HE channel, as
955
	 * it should be (otherwise the AP is broken).
956
	 *
957
	 * In psd->power we have values in the order 0..N, 0..K, where
958
	 * N+K should cover the entire channel per 'ap', but even if it
959
	 * doesn't then we've pre-filled 'unlimited' as defaults.
960
	 *
961
	 * But this is all the wrong order, we want to have them in the
962
	 * order of the 'used' channel.
963
	 *
964
	 * So for example, we could have a 320 MHz EHT AP, which has the
965
	 * HE channel as 80 MHz (e.g. due to puncturing, which doesn't
966
	 * seem to be considered for the TPE), as follows:
967
	 *
968
	 * EHT  320:   |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |
969
	 * HE    80:                           |  |  |  |  |
970
	 * used 160:                           |  |  |  |  |  |  |  |  |
971
	 *
972
	 * N entries:                          |--|--|--|--|
973
	 * K entries:  |--|--|--|--|--|--|--|--|           |--|--|--|--|
974
	 * power idx:   4  5  6  7  8  9  10 11 0  1  2  3  12 13 14 15
975
	 * full chan:   0  1  2  3  4  5  6  7  8  9  10 11 12 13 14 15
976
	 * used chan:                           0  1  2  3  4  5  6  7
977
	 *
978
	 * The idx in the power array ('power idx') is like this since it
979
	 * comes directly from the element's N and K entries in their
980
	 * element order, and those are this way for HE compatibility.
981
	 *
982
	 * Rearrange them as desired here, first by putting them into the
983
	 * 'full chan' order, and then selecting the necessary subset for
984
	 * the 'used chan'.
985
	 */
986

987
	/* first reorder according to AP channel */
988
	offset = ieee80211_calc_chandef_subchan_offset(ap, psd->n);
989
	for (int i = 0; i < have; i++) {
990
		if (i < offset)
991
			tmp[i] = psd->power[i + psd->n];
992
		else if (i < offset + psd->n)
993
			tmp[i] = psd->power[i - offset];
994
		else
995
			tmp[i] = psd->power[i];
996
	}
997

998
	/*
999
	 * and then select the subset for the used channel
1000
	 * (set everything to defaults first in case a driver is confused)
1001
	 */
1002
	memset(psd->power, IEEE80211_TPE_PSD_NO_LIMIT, sizeof(psd->power));
1003
	offset = ieee80211_calc_chandef_subchan_offset(ap, needed);
1004
	for (int i = 0; i < needed; i++)
1005
		psd->power[i] = tmp[offset + i];
1006

1007
out:
1008
	/* limit, but don't lie if there are defaults in the data */
1009
	if (needed < psd->count)
1010
		psd->count = needed;
1011
}
1012
EXPORT_SYMBOL_IF_MAC80211_KUNIT(ieee80211_rearrange_tpe_psd);
1013

1014
static void ieee80211_rearrange_tpe(struct ieee80211_parsed_tpe *tpe,
1015
				    const struct cfg80211_chan_def *ap,
1016
				    const struct cfg80211_chan_def *used)
1017
{
1018
	/* ignore this completely for narrow/invalid channels */
1019
	if (!ieee80211_chandef_num_subchans(ap) ||
1020
	    !ieee80211_chandef_num_subchans(used)) {
1021
		ieee80211_clear_tpe(tpe);
1022
		return;
1023
	}
1024

1025
	for (int i = 0; i < 2; i++) {
1026
		int needed_pwr_count;
1027

1028
		ieee80211_rearrange_tpe_psd(&tpe->psd_local[i], ap, used);
1029
		ieee80211_rearrange_tpe_psd(&tpe->psd_reg_client[i], ap, used);
1030

1031
		/* limit this to the widths we actually need */
1032
		needed_pwr_count = ieee80211_chandef_num_widths(used);
1033
		if (needed_pwr_count < tpe->max_local[i].count)
1034
			tpe->max_local[i].count = needed_pwr_count;
1035
		if (needed_pwr_count < tpe->max_reg_client[i].count)
1036
			tpe->max_reg_client[i].count = needed_pwr_count;
1037
	}
1038
}
1039

1040
/*
1041
 * The AP part of the channel request is used to distinguish settings
1042
 * to the device used for wider bandwidth OFDMA. This is used in the
1043
 * channel context code to assign two channel contexts even if they're
1044
 * both for the same channel, if the AP bandwidths are incompatible.
1045
 * If not EHT (or driver override) then ap.chan == NULL indicates that
1046
 * there's no wider BW OFDMA used.
1047
 */
1048
static void ieee80211_set_chanreq_ap(struct ieee80211_sub_if_data *sdata,
1049
				     struct ieee80211_chan_req *chanreq,
1050
				     struct ieee80211_conn_settings *conn,
1051
				     struct cfg80211_chan_def *ap_chandef)
1052
{
1053
	chanreq->ap.chan = NULL;
1054

1055
	if (conn->mode < IEEE80211_CONN_MODE_EHT)
1056
		return;
1057
	if (sdata->vif.driver_flags & IEEE80211_VIF_IGNORE_OFDMA_WIDER_BW)
1058
		return;
1059

1060
	chanreq->ap = *ap_chandef;
1061
}
1062

1063
VISIBLE_IF_MAC80211_KUNIT struct ieee802_11_elems *
1064
ieee80211_determine_chan_mode(struct ieee80211_sub_if_data *sdata,
1065
			      struct ieee80211_conn_settings *conn,
1066
			      struct cfg80211_bss *cbss, int link_id,
1067
			      struct ieee80211_chan_req *chanreq,
1068
			      struct cfg80211_chan_def *ap_chandef,
1069
			      unsigned long *userspace_selectors)
1070
{
1071
	const struct cfg80211_bss_ies *ies = rcu_dereference(cbss->ies);
1072
	struct ieee80211_bss *bss = (void *)cbss->priv;
1073
	struct ieee80211_channel *channel = cbss->channel;
1074
	struct ieee80211_elems_parse_params parse_params = {
1075
		.link_id = -1,
1076
		.from_ap = true,
1077
		.start = ies->data,
1078
		.len = ies->len,
1079
		.type = ies->from_beacon ?
1080
			IEEE80211_FTYPE_MGMT | IEEE80211_STYPE_BEACON :
1081
			IEEE80211_FTYPE_MGMT | IEEE80211_STYPE_PROBE_RESP,
1082
	};
1083
	struct ieee802_11_elems *elems;
1084
	struct ieee80211_supported_band *sband;
1085
	enum ieee80211_conn_mode ap_mode;
1086
	unsigned long unknown_rates_selectors[BITS_TO_LONGS(128)] = {};
1087
	unsigned long sta_selectors[BITS_TO_LONGS(128)] = {};
1088
	int ret;
1089

1090
again:
1091
	parse_params.mode = conn->mode;
1092
	elems = ieee802_11_parse_elems_full(&parse_params);
1093
	if (!elems)
1094
		return ERR_PTR(-ENOMEM);
1095

1096
	ap_mode = ieee80211_determine_ap_chan(sdata, channel, bss->vht_cap_info,
1097
					      elems, false, conn, ap_chandef);
1098

1099
	/* this should be impossible since parsing depends on our mode */
1100
	if (WARN_ON(ap_mode > conn->mode)) {
1101
		ret = -EINVAL;
1102
		goto free;
1103
	}
1104

1105
	if (conn->mode != ap_mode) {
1106
		conn->mode = ap_mode;
1107
		kfree(elems);
1108
		goto again;
1109
	}
1110

1111
	mlme_link_id_dbg(sdata, link_id, "determined AP %pM to be %s\n",
1112
			 cbss->bssid, ieee80211_conn_mode_str(ap_mode));
1113

1114
	sband = sdata->local->hw.wiphy->bands[channel->band];
1115

1116
	ieee80211_get_rates(sband, elems->supp_rates, elems->supp_rates_len,
1117
			    elems->ext_supp_rates, elems->ext_supp_rates_len,
1118
			    NULL, NULL, unknown_rates_selectors, NULL, NULL,
1119
			    NULL);
1120

1121
	switch (channel->band) {
1122
	case NL80211_BAND_S1GHZ:
1123
		if (WARN_ON(ap_mode != IEEE80211_CONN_MODE_S1G)) {
1124
			ret = -EINVAL;
1125
			goto free;
1126
		}
1127

1128
		chanreq->oper = *ap_chandef;
1129
		if (!cfg80211_chandef_usable(sdata->wdev.wiphy, &chanreq->oper,
1130
					     IEEE80211_CHAN_DISABLED)) {
1131
			ret = -EINVAL;
1132
			goto free;
1133
		}
1134

1135
		return elems;
1136
	case NL80211_BAND_6GHZ:
1137
		if (ap_mode < IEEE80211_CONN_MODE_HE) {
1138
			link_id_info(sdata, link_id,
1139
				     "Rejecting non-HE 6/7 GHz connection");
1140
			ret = -EINVAL;
1141
			goto free;
1142
		}
1143
		break;
1144
	default:
1145
		if (WARN_ON(ap_mode == IEEE80211_CONN_MODE_S1G)) {
1146
			ret = -EINVAL;
1147
			goto free;
1148
		}
1149
	}
1150

1151
	switch (ap_mode) {
1152
	case IEEE80211_CONN_MODE_S1G:
1153
		WARN_ON(1);
1154
		ret = -EINVAL;
1155
		goto free;
1156
	case IEEE80211_CONN_MODE_LEGACY:
1157
		conn->bw_limit = IEEE80211_CONN_BW_LIMIT_20;
1158
		break;
1159
	case IEEE80211_CONN_MODE_HT:
1160
		conn->bw_limit = min_t(enum ieee80211_conn_bw_limit,
1161
				       conn->bw_limit,
1162
				       IEEE80211_CONN_BW_LIMIT_40);
1163
		break;
1164
	case IEEE80211_CONN_MODE_VHT:
1165
	case IEEE80211_CONN_MODE_HE:
1166
		conn->bw_limit = min_t(enum ieee80211_conn_bw_limit,
1167
				       conn->bw_limit,
1168
				       IEEE80211_CONN_BW_LIMIT_160);
1169
		break;
1170
	case IEEE80211_CONN_MODE_EHT:
1171
	case IEEE80211_CONN_MODE_UHR:
1172
		conn->bw_limit = min_t(enum ieee80211_conn_bw_limit,
1173
				       conn->bw_limit,
1174
				       IEEE80211_CONN_BW_LIMIT_320);
1175
		break;
1176
	}
1177

1178
	chanreq->oper = *ap_chandef;
1179

1180
	bitmap_copy(sta_selectors, userspace_selectors, 128);
1181
	if (conn->mode >= IEEE80211_CONN_MODE_HT)
1182
		set_bit(BSS_MEMBERSHIP_SELECTOR_HT_PHY, sta_selectors);
1183
	if (conn->mode >= IEEE80211_CONN_MODE_VHT)
1184
		set_bit(BSS_MEMBERSHIP_SELECTOR_VHT_PHY, sta_selectors);
1185
	if (conn->mode >= IEEE80211_CONN_MODE_HE)
1186
		set_bit(BSS_MEMBERSHIP_SELECTOR_HE_PHY, sta_selectors);
1187
	if (conn->mode >= IEEE80211_CONN_MODE_EHT)
1188
		set_bit(BSS_MEMBERSHIP_SELECTOR_EHT_PHY, sta_selectors);
1189
	if (conn->mode >= IEEE80211_CONN_MODE_UHR)
1190
		set_bit(BSS_MEMBERSHIP_SELECTOR_UHR_PHY, sta_selectors);
1191

1192
	/*
1193
	 * We do not support EPD or GLK so never add them.
1194
	 * SAE_H2E is handled through userspace_selectors.
1195
	 */
1196

1197
	/* Check if we support all required features */
1198
	if (!bitmap_subset(unknown_rates_selectors, sta_selectors, 128)) {
1199
		link_id_info(sdata, link_id,
1200
			     "required basic rate or BSS membership selectors not supported or disabled, rejecting connection\n");
1201
		ret = -EINVAL;
1202
		goto free;
1203
	}
1204

1205
	ieee80211_set_chanreq_ap(sdata, chanreq, conn, ap_chandef);
1206

1207
	while (!ieee80211_chandef_usable(sdata, &chanreq->oper,
1208
					 IEEE80211_CHAN_DISABLED)) {
1209
		if (chanreq->oper.width == NL80211_CHAN_WIDTH_20_NOHT) {
1210
			link_id_info(sdata, link_id,
1211
				     "unusable channel (%d MHz) for connection\n",
1212
				     chanreq->oper.chan->center_freq);
1213
			ret = -EINVAL;
1214
			goto free;
1215
		}
1216

1217
		ieee80211_chanreq_downgrade(chanreq, conn);
1218
	}
1219

1220
	if (conn->mode >= IEEE80211_CONN_MODE_HE &&
1221
	    !cfg80211_chandef_usable(sdata->wdev.wiphy, &chanreq->oper,
1222
				     IEEE80211_CHAN_NO_HE)) {
1223
		conn->mode = IEEE80211_CONN_MODE_VHT;
1224
		conn->bw_limit = min_t(enum ieee80211_conn_bw_limit,
1225
				       conn->bw_limit,
1226
				       IEEE80211_CONN_BW_LIMIT_160);
1227
	}
1228

1229
	if (conn->mode >= IEEE80211_CONN_MODE_EHT &&
1230
	    !cfg80211_chandef_usable(sdata->wdev.wiphy, &chanreq->oper,
1231
				     IEEE80211_CHAN_NO_EHT)) {
1232
		conn->mode = IEEE80211_CONN_MODE_HE;
1233
		conn->bw_limit = min_t(enum ieee80211_conn_bw_limit,
1234
				       conn->bw_limit,
1235
				       IEEE80211_CONN_BW_LIMIT_160);
1236
	}
1237

1238
	if (conn->mode >= IEEE80211_CONN_MODE_UHR &&
1239
	    !cfg80211_chandef_usable(sdata->wdev.wiphy, &chanreq->oper,
1240
				     IEEE80211_CHAN_NO_UHR))
1241
		conn->mode = IEEE80211_CONN_MODE_EHT;
1242

1243
	if (chanreq->oper.width != ap_chandef->width || ap_mode != conn->mode)
1244
		link_id_info(sdata, link_id,
1245
			     "regulatory prevented using AP config, downgraded\n");
1246

1247
	if (conn->mode >= IEEE80211_CONN_MODE_HT &&
1248
	    !ieee80211_verify_sta_ht_mcs_support(sdata, sband,
1249
						 elems->ht_operation)) {
1250
		conn->mode = IEEE80211_CONN_MODE_LEGACY;
1251
		conn->bw_limit = IEEE80211_CONN_BW_LIMIT_20;
1252
		link_id_info(sdata, link_id,
1253
			     "required MCSes not supported, disabling HT\n");
1254
	}
1255

1256
	if (conn->mode >= IEEE80211_CONN_MODE_VHT &&
1257
	    !ieee80211_verify_sta_vht_mcs_support(sdata, link_id, sband,
1258
						  elems->vht_operation)) {
1259
		conn->mode = IEEE80211_CONN_MODE_HT;
1260
		conn->bw_limit = min_t(enum ieee80211_conn_bw_limit,
1261
				       conn->bw_limit,
1262
				       IEEE80211_CONN_BW_LIMIT_40);
1263
		link_id_info(sdata, link_id,
1264
			     "required MCSes not supported, disabling VHT\n");
1265
	}
1266

1267
	if (conn->mode >= IEEE80211_CONN_MODE_HE &&
1268
	    (!ieee80211_verify_peer_he_mcs_support(sdata, link_id,
1269
						   (void *)elems->he_cap,
1270
						   elems->he_operation) ||
1271
	     !ieee80211_verify_sta_he_mcs_support(sdata, sband,
1272
						  elems->he_operation))) {
1273
		conn->mode = IEEE80211_CONN_MODE_VHT;
1274
		link_id_info(sdata, link_id,
1275
			     "required MCSes not supported, disabling HE\n");
1276
	}
1277

1278
	if (conn->mode >= IEEE80211_CONN_MODE_EHT &&
1279
	    !ieee80211_verify_sta_eht_mcs_support(sdata, sband,
1280
						  elems->eht_operation)) {
1281
		conn->mode = IEEE80211_CONN_MODE_HE;
1282
		conn->bw_limit = min_t(enum ieee80211_conn_bw_limit,
1283
				       conn->bw_limit,
1284
				       IEEE80211_CONN_BW_LIMIT_160);
1285
		link_id_info(sdata, link_id,
1286
			     "required MCSes not supported, disabling EHT\n");
1287
	}
1288

1289
	if (conn->mode >= IEEE80211_CONN_MODE_EHT &&
1290
	    channel->band != NL80211_BAND_2GHZ &&
1291
	    conn->bw_limit == IEEE80211_CONN_BW_LIMIT_40) {
1292
		conn->mode = IEEE80211_CONN_MODE_HE;
1293
		link_id_info(sdata, link_id,
1294
			     "required bandwidth not supported, disabling EHT\n");
1295
	}
1296

1297
	/* the mode can only decrease, so this must terminate */
1298
	if (ap_mode != conn->mode) {
1299
		kfree(elems);
1300
		goto again;
1301
	}
1302

1303
	mlme_link_id_dbg(sdata, link_id,
1304
			 "connecting with %s mode, max bandwidth %d MHz\n",
1305
			 ieee80211_conn_mode_str(conn->mode),
1306
			 20 * (1 << conn->bw_limit));
1307

1308
	if (WARN_ON_ONCE(!cfg80211_chandef_valid(&chanreq->oper))) {
1309
		ret = -EINVAL;
1310
		goto free;
1311
	}
1312

1313
	return elems;
1314
free:
1315
	kfree(elems);
1316
	return ERR_PTR(ret);
1317
}
1318
EXPORT_SYMBOL_IF_MAC80211_KUNIT(ieee80211_determine_chan_mode);
1319

1320
static int ieee80211_config_bw(struct ieee80211_link_data *link,
1321
			       struct ieee802_11_elems *elems,
1322
			       bool update, u64 *changed, u16 stype)
1323
{
1324
	struct ieee80211_channel *channel = link->conf->chanreq.oper.chan;
1325
	struct ieee80211_sub_if_data *sdata = link->sdata;
1326
	struct ieee80211_chan_req chanreq = {};
1327
	struct cfg80211_chan_def ap_chandef;
1328
	enum ieee80211_conn_mode ap_mode;
1329
	const char *frame;
1330
	u32 vht_cap_info = 0;
1331
	u16 ht_opmode;
1332
	int ret;
1333

1334
	switch (stype) {
1335
	case IEEE80211_STYPE_BEACON:
1336
		frame = "beacon";
1337
		break;
1338
	case IEEE80211_STYPE_ASSOC_RESP:
1339
		frame = "assoc response";
1340
		break;
1341
	case IEEE80211_STYPE_REASSOC_RESP:
1342
		frame = "reassoc response";
1343
		break;
1344
	case IEEE80211_STYPE_ACTION:
1345
		/* the only action frame that gets here */
1346
		frame = "ML reconf response";
1347
		break;
1348
	default:
1349
		return -EINVAL;
1350
	}
1351

1352
	/* don't track any bandwidth changes in legacy/S1G modes */
1353
	if (link->u.mgd.conn.mode == IEEE80211_CONN_MODE_LEGACY ||
1354
	    link->u.mgd.conn.mode == IEEE80211_CONN_MODE_S1G)
1355
		return 0;
1356

1357
	if (elems->vht_cap_elem)
1358
		vht_cap_info = le32_to_cpu(elems->vht_cap_elem->vht_cap_info);
1359

1360
	ap_mode = ieee80211_determine_ap_chan(sdata, channel, vht_cap_info,
1361
					      elems, true, &link->u.mgd.conn,
1362
					      &ap_chandef);
1363

1364
	if (ap_mode != link->u.mgd.conn.mode) {
1365
		link_info(link,
1366
			  "AP %pM appears to change mode (expected %s, found %s) in %s, disconnect\n",
1367
			  link->u.mgd.bssid,
1368
			  ieee80211_conn_mode_str(link->u.mgd.conn.mode),
1369
			  ieee80211_conn_mode_str(ap_mode), frame);
1370
		return -EINVAL;
1371
	}
1372

1373
	chanreq.oper = ap_chandef;
1374
	ieee80211_set_chanreq_ap(sdata, &chanreq, &link->u.mgd.conn,
1375
				 &ap_chandef);
1376

1377
	/*
1378
	 * if HT operation mode changed store the new one -
1379
	 * this may be applicable even if channel is identical
1380
	 */
1381
	if (elems->ht_operation) {
1382
		ht_opmode = le16_to_cpu(elems->ht_operation->operation_mode);
1383
		if (link->conf->ht_operation_mode != ht_opmode) {
1384
			*changed |= BSS_CHANGED_HT;
1385
			link->conf->ht_operation_mode = ht_opmode;
1386
		}
1387
	}
1388

1389
	/*
1390
	 * Downgrade the new channel if we associated with restricted
1391
	 * bandwidth capabilities. For example, if we associated as a
1392
	 * 20 MHz STA to a 40 MHz AP (due to regulatory, capabilities
1393
	 * or config reasons) then switching to a 40 MHz channel now
1394
	 * won't do us any good -- we couldn't use it with the AP.
1395
	 */
1396
	while (link->u.mgd.conn.bw_limit <
1397
			ieee80211_min_bw_limit_from_chandef(&chanreq.oper))
1398
		ieee80211_chandef_downgrade(&chanreq.oper, NULL);
1399

1400
	/* TPE element is not present in (re)assoc/ML reconfig response */
1401
	if (stype == IEEE80211_STYPE_BEACON &&
1402
	    ap_chandef.chan->band == NL80211_BAND_6GHZ &&
1403
	    link->u.mgd.conn.mode >= IEEE80211_CONN_MODE_HE) {
1404
		ieee80211_rearrange_tpe(&elems->tpe, &ap_chandef,
1405
					&chanreq.oper);
1406
		if (memcmp(&link->conf->tpe, &elems->tpe, sizeof(elems->tpe))) {
1407
			link->conf->tpe = elems->tpe;
1408
			*changed |= BSS_CHANGED_TPE;
1409
		}
1410
	}
1411

1412
	if (ieee80211_chanreq_identical(&chanreq, &link->conf->chanreq))
1413
		return 0;
1414

1415
	link_info(link,
1416
		  "AP %pM changed bandwidth in %s, new used config is %d.%03d MHz, width %d (%d.%03d/%d MHz)\n",
1417
		  link->u.mgd.bssid, frame, chanreq.oper.chan->center_freq,
1418
		  chanreq.oper.chan->freq_offset, chanreq.oper.width,
1419
		  chanreq.oper.center_freq1, chanreq.oper.freq1_offset,
1420
		  chanreq.oper.center_freq2);
1421

1422
	if (!cfg80211_chandef_valid(&chanreq.oper)) {
1423
		sdata_info(sdata,
1424
			   "AP %pM changed caps/bw in %s in a way we can't support - disconnect\n",
1425
			   link->u.mgd.bssid, frame);
1426
		return -EINVAL;
1427
	}
1428

1429
	if (!update) {
1430
		link->conf->chanreq = chanreq;
1431
		return 0;
1432
	}
1433

1434
	/*
1435
	 * We're tracking the current AP here, so don't do any further checks
1436
	 * here. This keeps us from playing ping-pong with regulatory, without
1437
	 * it the following can happen (for example):
1438
	 *  - connect to an AP with 80 MHz, world regdom allows 80 MHz
1439
	 *  - AP advertises regdom US
1440
	 *  - CRDA loads regdom US with 80 MHz prohibited (old database)
1441
	 *  - we detect an unsupported channel and disconnect
1442
	 *  - disconnect causes CRDA to reload world regdomain and the game
1443
	 *    starts anew.
1444
	 * (see https://bugzilla.kernel.org/show_bug.cgi?id=70881)
1445
	 *
1446
	 * It seems possible that there are still scenarios with CSA or real
1447
	 * bandwidth changes where a this could happen, but those cases are
1448
	 * less common and wouldn't completely prevent using the AP.
1449
	 */
1450

1451
	ret = ieee80211_link_change_chanreq(link, &chanreq, changed);
1452
	if (ret) {
1453
		sdata_info(sdata,
1454
			   "AP %pM changed bandwidth in %s to incompatible one - disconnect\n",
1455
			   link->u.mgd.bssid, frame);
1456
		return ret;
1457
	}
1458

1459
	cfg80211_schedule_channels_check(&sdata->wdev);
1460
	return 0;
1461
}
1462

1463
/* frame sending functions */
1464

1465
static void ieee80211_add_ht_ie(struct ieee80211_sub_if_data *sdata,
1466
				struct sk_buff *skb, u8 ap_ht_param,
1467
				struct ieee80211_supported_band *sband,
1468
				struct ieee80211_channel *channel,
1469
				enum ieee80211_smps_mode smps,
1470
				const struct ieee80211_conn_settings *conn)
1471
{
1472
	u8 *pos;
1473
	u32 flags = channel->flags;
1474
	u16 cap;
1475
	struct ieee80211_sta_ht_cap ht_cap;
1476

1477
	BUILD_BUG_ON(sizeof(ht_cap) != sizeof(sband->ht_cap));
1478

1479
	memcpy(&ht_cap, &sband->ht_cap, sizeof(ht_cap));
1480
	ieee80211_apply_htcap_overrides(sdata, &ht_cap);
1481

1482
	/* determine capability flags */
1483
	cap = ht_cap.cap;
1484

1485
	switch (ap_ht_param & IEEE80211_HT_PARAM_CHA_SEC_OFFSET) {
1486
	case IEEE80211_HT_PARAM_CHA_SEC_ABOVE:
1487
		if (flags & IEEE80211_CHAN_NO_HT40PLUS) {
1488
			cap &= ~IEEE80211_HT_CAP_SUP_WIDTH_20_40;
1489
			cap &= ~IEEE80211_HT_CAP_SGI_40;
1490
		}
1491
		break;
1492
	case IEEE80211_HT_PARAM_CHA_SEC_BELOW:
1493
		if (flags & IEEE80211_CHAN_NO_HT40MINUS) {
1494
			cap &= ~IEEE80211_HT_CAP_SUP_WIDTH_20_40;
1495
			cap &= ~IEEE80211_HT_CAP_SGI_40;
1496
		}
1497
		break;
1498
	}
1499

1500
	/*
1501
	 * If 40 MHz was disabled associate as though we weren't
1502
	 * capable of 40 MHz -- some broken APs will never fall
1503
	 * back to trying to transmit in 20 MHz.
1504
	 */
1505
	if (conn->bw_limit <= IEEE80211_CONN_BW_LIMIT_20) {
1506
		cap &= ~IEEE80211_HT_CAP_SUP_WIDTH_20_40;
1507
		cap &= ~IEEE80211_HT_CAP_SGI_40;
1508
	}
1509

1510
	/* set SM PS mode properly */
1511
	cap &= ~IEEE80211_HT_CAP_SM_PS;
1512
	switch (smps) {
1513
	case IEEE80211_SMPS_AUTOMATIC:
1514
	case IEEE80211_SMPS_NUM_MODES:
1515
		WARN_ON(1);
1516
		fallthrough;
1517
	case IEEE80211_SMPS_OFF:
1518
		cap |= WLAN_HT_CAP_SM_PS_DISABLED <<
1519
			IEEE80211_HT_CAP_SM_PS_SHIFT;
1520
		break;
1521
	case IEEE80211_SMPS_STATIC:
1522
		cap |= WLAN_HT_CAP_SM_PS_STATIC <<
1523
			IEEE80211_HT_CAP_SM_PS_SHIFT;
1524
		break;
1525
	case IEEE80211_SMPS_DYNAMIC:
1526
		cap |= WLAN_HT_CAP_SM_PS_DYNAMIC <<
1527
			IEEE80211_HT_CAP_SM_PS_SHIFT;
1528
		break;
1529
	}
1530

1531
	/* reserve and fill IE */
1532
	pos = skb_put(skb, sizeof(struct ieee80211_ht_cap) + 2);
1533
	ieee80211_ie_build_ht_cap(pos, &ht_cap, cap);
1534
}
1535

1536
/* This function determines vht capability flags for the association
1537
 * and builds the IE.
1538
 * Note - the function returns true to own the MU-MIMO capability
1539
 */
1540
static bool ieee80211_add_vht_ie(struct ieee80211_sub_if_data *sdata,
1541
				 struct sk_buff *skb,
1542
				 struct ieee80211_supported_band *sband,
1543
				 struct ieee80211_vht_cap *ap_vht_cap,
1544
				 const struct ieee80211_conn_settings *conn)
1545
{
1546
	struct ieee80211_local *local = sdata->local;
1547
	u8 *pos;
1548
	u32 cap;
1549
	struct ieee80211_sta_vht_cap vht_cap;
1550
	u32 mask, ap_bf_sts, our_bf_sts;
1551
	bool mu_mimo_owner = false;
1552

1553
	BUILD_BUG_ON(sizeof(vht_cap) != sizeof(sband->vht_cap));
1554

1555
	memcpy(&vht_cap, &sband->vht_cap, sizeof(vht_cap));
1556
	ieee80211_apply_vhtcap_overrides(sdata, &vht_cap);
1557

1558
	/* determine capability flags */
1559
	cap = vht_cap.cap;
1560

1561
	if (conn->bw_limit <= IEEE80211_CONN_BW_LIMIT_80) {
1562
		cap &= ~IEEE80211_VHT_CAP_SHORT_GI_160;
1563
		cap &= ~IEEE80211_VHT_CAP_SUPP_CHAN_WIDTH_MASK;
1564
	}
1565

1566
	/*
1567
	 * Some APs apparently get confused if our capabilities are better
1568
	 * than theirs, so restrict what we advertise in the assoc request.
1569
	 */
1570
	if (!ieee80211_hw_check(&local->hw, STRICT)) {
1571
		if (!(ap_vht_cap->vht_cap_info &
1572
				cpu_to_le32(IEEE80211_VHT_CAP_SU_BEAMFORMER_CAPABLE)))
1573
			cap &= ~(IEEE80211_VHT_CAP_SU_BEAMFORMEE_CAPABLE |
1574
				 IEEE80211_VHT_CAP_MU_BEAMFORMEE_CAPABLE);
1575
		else if (!(ap_vht_cap->vht_cap_info &
1576
				cpu_to_le32(IEEE80211_VHT_CAP_MU_BEAMFORMER_CAPABLE)))
1577
			cap &= ~IEEE80211_VHT_CAP_MU_BEAMFORMEE_CAPABLE;
1578
	}
1579

1580
	/*
1581
	 * If some other vif is using the MU-MIMO capability we cannot associate
1582
	 * using MU-MIMO - this will lead to contradictions in the group-id
1583
	 * mechanism.
1584
	 * Ownership is defined since association request, in order to avoid
1585
	 * simultaneous associations with MU-MIMO.
1586
	 */
1587
	if (cap & IEEE80211_VHT_CAP_MU_BEAMFORMEE_CAPABLE) {
1588
		bool disable_mu_mimo = false;
1589
		struct ieee80211_sub_if_data *other;
1590

1591
		list_for_each_entry(other, &local->interfaces, list) {
1592
			if (other->vif.bss_conf.mu_mimo_owner) {
1593
				disable_mu_mimo = true;
1594
				break;
1595
			}
1596
		}
1597
		if (disable_mu_mimo)
1598
			cap &= ~IEEE80211_VHT_CAP_MU_BEAMFORMEE_CAPABLE;
1599
		else
1600
			mu_mimo_owner = true;
1601
	}
1602

1603
	mask = IEEE80211_VHT_CAP_BEAMFORMEE_STS_MASK;
1604

1605
	ap_bf_sts = le32_to_cpu(ap_vht_cap->vht_cap_info) & mask;
1606
	our_bf_sts = cap & mask;
1607

1608
	if (ap_bf_sts < our_bf_sts) {
1609
		cap &= ~mask;
1610
		cap |= ap_bf_sts;
1611
	}
1612

1613
	/* reserve and fill IE */
1614
	pos = skb_put(skb, sizeof(struct ieee80211_vht_cap) + 2);
1615
	ieee80211_ie_build_vht_cap(pos, &vht_cap, cap);
1616

1617
	return mu_mimo_owner;
1618
}
1619

1620
static void ieee80211_assoc_add_rates(struct ieee80211_local *local,
1621
				      struct sk_buff *skb,
1622
				      enum nl80211_chan_width width,
1623
				      struct ieee80211_supported_band *sband,
1624
				      struct ieee80211_mgd_assoc_data *assoc_data)
1625
{
1626
	u32 rates;
1627

1628
	if (assoc_data->supp_rates_len &&
1629
	    !ieee80211_hw_check(&local->hw, STRICT)) {
1630
		/*
1631
		 * Get all rates supported by the device and the AP as
1632
		 * some APs don't like getting a superset of their rates
1633
		 * in the association request (e.g. D-Link DAP 1353 in
1634
		 * b-only mode)...
1635
		 */
1636
		ieee80211_parse_bitrates(sband,
1637
					 assoc_data->supp_rates,
1638
					 assoc_data->supp_rates_len,
1639
					 &rates);
1640
	} else {
1641
		/*
1642
		 * In case AP not provide any supported rates information
1643
		 * before association, we send information element(s) with
1644
		 * all rates that we support.
1645
		 */
1646
		rates = ~0;
1647
	}
1648

1649
	ieee80211_put_srates_elem(skb, sband, 0, ~rates,
1650
				  WLAN_EID_SUPP_RATES);
1651
	ieee80211_put_srates_elem(skb, sband, 0, ~rates,
1652
				  WLAN_EID_EXT_SUPP_RATES);
1653
}
1654

1655
static size_t ieee80211_add_before_ht_elems(struct sk_buff *skb,
1656
					    const u8 *elems,
1657
					    size_t elems_len,
1658
					    size_t offset)
1659
{
1660
	size_t noffset;
1661

1662
	static const u8 before_ht[] = {
1663
		WLAN_EID_SSID,
1664
		WLAN_EID_SUPP_RATES,
1665
		WLAN_EID_EXT_SUPP_RATES,
1666
		WLAN_EID_PWR_CAPABILITY,
1667
		WLAN_EID_SUPPORTED_CHANNELS,
1668
		WLAN_EID_RSN,
1669
		WLAN_EID_QOS_CAPA,
1670
		WLAN_EID_RRM_ENABLED_CAPABILITIES,
1671
		WLAN_EID_MOBILITY_DOMAIN,
1672
		WLAN_EID_FAST_BSS_TRANSITION,	/* reassoc only */
1673
		WLAN_EID_RIC_DATA,		/* reassoc only */
1674
		WLAN_EID_SUPPORTED_REGULATORY_CLASSES,
1675
	};
1676
	static const u8 after_ric[] = {
1677
		WLAN_EID_SUPPORTED_REGULATORY_CLASSES,
1678
		WLAN_EID_HT_CAPABILITY,
1679
		WLAN_EID_BSS_COEX_2040,
1680
		/* luckily this is almost always there */
1681
		WLAN_EID_EXT_CAPABILITY,
1682
		WLAN_EID_QOS_TRAFFIC_CAPA,
1683
		WLAN_EID_TIM_BCAST_REQ,
1684
		WLAN_EID_INTERWORKING,
1685
		/* 60 GHz (Multi-band, DMG, MMS) can't happen */
1686
		WLAN_EID_VHT_CAPABILITY,
1687
		WLAN_EID_OPMODE_NOTIF,
1688
	};
1689

1690
	if (!elems_len)
1691
		return offset;
1692

1693
	noffset = ieee80211_ie_split_ric(elems, elems_len,
1694
					 before_ht,
1695
					 ARRAY_SIZE(before_ht),
1696
					 after_ric,
1697
					 ARRAY_SIZE(after_ric),
1698
					 offset);
1699
	skb_put_data(skb, elems + offset, noffset - offset);
1700

1701
	return noffset;
1702
}
1703

1704
static size_t ieee80211_add_before_vht_elems(struct sk_buff *skb,
1705
					     const u8 *elems,
1706
					     size_t elems_len,
1707
					     size_t offset)
1708
{
1709
	static const u8 before_vht[] = {
1710
		/*
1711
		 * no need to list the ones split off before HT
1712
		 * or generated here
1713
		 */
1714
		WLAN_EID_BSS_COEX_2040,
1715
		WLAN_EID_EXT_CAPABILITY,
1716
		WLAN_EID_QOS_TRAFFIC_CAPA,
1717
		WLAN_EID_TIM_BCAST_REQ,
1718
		WLAN_EID_INTERWORKING,
1719
		/* 60 GHz (Multi-band, DMG, MMS) can't happen */
1720
	};
1721
	size_t noffset;
1722

1723
	if (!elems_len)
1724
		return offset;
1725

1726
	/* RIC already taken care of in ieee80211_add_before_ht_elems() */
1727
	noffset = ieee80211_ie_split(elems, elems_len,
1728
				     before_vht, ARRAY_SIZE(before_vht),
1729
				     offset);
1730
	skb_put_data(skb, elems + offset, noffset - offset);
1731

1732
	return noffset;
1733
}
1734

1735
static size_t ieee80211_add_before_he_elems(struct sk_buff *skb,
1736
					    const u8 *elems,
1737
					    size_t elems_len,
1738
					    size_t offset)
1739
{
1740
	static const u8 before_he[] = {
1741
		/*
1742
		 * no need to list the ones split off before VHT
1743
		 * or generated here
1744
		 */
1745
		WLAN_EID_OPMODE_NOTIF,
1746
		WLAN_EID_EXTENSION, WLAN_EID_EXT_FUTURE_CHAN_GUIDANCE,
1747
		/* 11ai elements */
1748
		WLAN_EID_EXTENSION, WLAN_EID_EXT_FILS_SESSION,
1749
		WLAN_EID_EXTENSION, WLAN_EID_EXT_FILS_PUBLIC_KEY,
1750
		WLAN_EID_EXTENSION, WLAN_EID_EXT_FILS_KEY_CONFIRM,
1751
		WLAN_EID_EXTENSION, WLAN_EID_EXT_FILS_HLP_CONTAINER,
1752
		WLAN_EID_EXTENSION, WLAN_EID_EXT_FILS_IP_ADDR_ASSIGN,
1753
		/* TODO: add 11ah/11aj/11ak elements */
1754
	};
1755
	size_t noffset;
1756

1757
	if (!elems_len)
1758
		return offset;
1759

1760
	/* RIC already taken care of in ieee80211_add_before_ht_elems() */
1761
	noffset = ieee80211_ie_split(elems, elems_len,
1762
				     before_he, ARRAY_SIZE(before_he),
1763
				     offset);
1764
	skb_put_data(skb, elems + offset, noffset - offset);
1765

1766
	return noffset;
1767
}
1768

1769
static size_t ieee80211_add_before_reg_conn(struct sk_buff *skb,
1770
					    const u8 *elems, size_t elems_len,
1771
					    size_t offset)
1772
{
1773
	static const u8 before_reg_conn[] = {
1774
		/*
1775
		 * no need to list the ones split off before HE
1776
		 * or generated here
1777
		 */
1778
		WLAN_EID_EXTENSION, WLAN_EID_EXT_DH_PARAMETER,
1779
		WLAN_EID_EXTENSION, WLAN_EID_EXT_KNOWN_STA_IDENTIFCATION,
1780
	};
1781
	size_t noffset;
1782

1783
	if (!elems_len)
1784
		return offset;
1785

1786
	noffset = ieee80211_ie_split(elems, elems_len, before_reg_conn,
1787
				     ARRAY_SIZE(before_reg_conn), offset);
1788
	skb_put_data(skb, elems + offset, noffset - offset);
1789

1790
	return noffset;
1791
}
1792

1793
#define PRESENT_ELEMS_MAX	8
1794
#define PRESENT_ELEM_EXT_OFFS	0x100
1795

1796
static void
1797
ieee80211_assoc_add_ml_elem(struct ieee80211_sub_if_data *sdata,
1798
			    struct sk_buff *skb, u16 capab,
1799
			    const struct element *ext_capa,
1800
			    const u16 *present_elems,
1801
			    struct ieee80211_mgd_assoc_data *assoc_data);
1802

1803
static size_t
1804
ieee80211_add_link_elems(struct ieee80211_sub_if_data *sdata,
1805
			 struct sk_buff *skb, u16 *capab,
1806
			 const struct element *ext_capa,
1807
			 const u8 *extra_elems,
1808
			 size_t extra_elems_len,
1809
			 unsigned int link_id,
1810
			 struct ieee80211_link_data *link,
1811
			 u16 *present_elems,
1812
			 struct ieee80211_mgd_assoc_data *assoc_data)
1813
{
1814
	enum nl80211_iftype iftype = ieee80211_vif_type_p2p(&sdata->vif);
1815
	struct cfg80211_bss *cbss = assoc_data->link[link_id].bss;
1816
	struct ieee80211_channel *chan = cbss->channel;
1817
	const struct ieee80211_sband_iftype_data *iftd;
1818
	struct ieee80211_local *local = sdata->local;
1819
	struct ieee80211_supported_band *sband;
1820
	enum nl80211_chan_width width = NL80211_CHAN_WIDTH_20;
1821
	struct ieee80211_chanctx_conf *chanctx_conf;
1822
	enum ieee80211_smps_mode smps_mode;
1823
	u16 orig_capab = *capab;
1824
	size_t offset = 0;
1825
	int present_elems_len = 0;
1826
	u8 *pos;
1827
	int i;
1828

1829
#define ADD_PRESENT_ELEM(id) do {					\
1830
	/* need a last for termination - we use 0 == SSID */		\
1831
	if (!WARN_ON(present_elems_len >= PRESENT_ELEMS_MAX - 1))	\
1832
		present_elems[present_elems_len++] = (id);		\
1833
} while (0)
1834
#define ADD_PRESENT_EXT_ELEM(id) ADD_PRESENT_ELEM(PRESENT_ELEM_EXT_OFFS | (id))
1835

1836
	if (link)
1837
		smps_mode = link->smps_mode;
1838
	else if (sdata->u.mgd.powersave)
1839
		smps_mode = IEEE80211_SMPS_DYNAMIC;
1840
	else
1841
		smps_mode = IEEE80211_SMPS_OFF;
1842

1843
	if (link) {
1844
		/*
1845
		 * 5/10 MHz scenarios are only viable without MLO, in which
1846
		 * case this pointer should be used ... All of this is a bit
1847
		 * unclear though, not sure this even works at all.
1848
		 */
1849
		rcu_read_lock();
1850
		chanctx_conf = rcu_dereference(link->conf->chanctx_conf);
1851
		if (chanctx_conf)
1852
			width = chanctx_conf->def.width;
1853
		rcu_read_unlock();
1854
	}
1855

1856
	sband = local->hw.wiphy->bands[chan->band];
1857
	iftd = ieee80211_get_sband_iftype_data(sband, iftype);
1858

1859
	if (sband->band == NL80211_BAND_2GHZ) {
1860
		*capab |= WLAN_CAPABILITY_SHORT_SLOT_TIME;
1861
		*capab |= WLAN_CAPABILITY_SHORT_PREAMBLE;
1862
	}
1863

1864
	if ((cbss->capability & WLAN_CAPABILITY_SPECTRUM_MGMT) &&
1865
	    ieee80211_hw_check(&local->hw, SPECTRUM_MGMT))
1866
		*capab |= WLAN_CAPABILITY_SPECTRUM_MGMT;
1867

1868
	if (sband->band != NL80211_BAND_S1GHZ)
1869
		ieee80211_assoc_add_rates(local, skb, width, sband, assoc_data);
1870

1871
	if (*capab & WLAN_CAPABILITY_SPECTRUM_MGMT ||
1872
	    *capab & WLAN_CAPABILITY_RADIO_MEASURE) {
1873
		struct cfg80211_chan_def chandef = {
1874
			.width = width,
1875
			.chan = chan,
1876
		};
1877

1878
		pos = skb_put(skb, 4);
1879
		*pos++ = WLAN_EID_PWR_CAPABILITY;
1880
		*pos++ = 2;
1881
		*pos++ = 0; /* min tx power */
1882
		 /* max tx power */
1883
		*pos++ = ieee80211_chandef_max_power(&chandef);
1884
		ADD_PRESENT_ELEM(WLAN_EID_PWR_CAPABILITY);
1885
	}
1886

1887
	/*
1888
	 * Per spec, we shouldn't include the list of channels if we advertise
1889
	 * support for extended channel switching, but we've always done that;
1890
	 * (for now?) apply this restriction only on the (new) 6 GHz band.
1891
	 */
1892
	if (*capab & WLAN_CAPABILITY_SPECTRUM_MGMT &&
1893
	    (sband->band != NL80211_BAND_6GHZ ||
1894
	     !ext_capa || ext_capa->datalen < 1 ||
1895
	     !(ext_capa->data[0] & WLAN_EXT_CAPA1_EXT_CHANNEL_SWITCHING))) {
1896
		/* TODO: get this in reg domain format */
1897
		pos = skb_put(skb, 2 * sband->n_channels + 2);
1898
		*pos++ = WLAN_EID_SUPPORTED_CHANNELS;
1899
		*pos++ = 2 * sband->n_channels;
1900
		for (i = 0; i < sband->n_channels; i++) {
1901
			int cf = sband->channels[i].center_freq;
1902

1903
			*pos++ = ieee80211_frequency_to_channel(cf);
1904
			*pos++ = 1; /* one channel in the subband*/
1905
		}
1906
		ADD_PRESENT_ELEM(WLAN_EID_SUPPORTED_CHANNELS);
1907
	}
1908

1909
	/* if present, add any custom IEs that go before HT */
1910
	offset = ieee80211_add_before_ht_elems(skb, extra_elems,
1911
					       extra_elems_len,
1912
					       offset);
1913

1914
	if (sband->band != NL80211_BAND_6GHZ &&
1915
	    assoc_data->link[link_id].conn.mode >= IEEE80211_CONN_MODE_HT) {
1916
		ieee80211_add_ht_ie(sdata, skb,
1917
				    assoc_data->link[link_id].ap_ht_param,
1918
				    sband, chan, smps_mode,
1919
				    &assoc_data->link[link_id].conn);
1920
		ADD_PRESENT_ELEM(WLAN_EID_HT_CAPABILITY);
1921
	}
1922

1923
	/* if present, add any custom IEs that go before VHT */
1924
	offset = ieee80211_add_before_vht_elems(skb, extra_elems,
1925
						extra_elems_len,
1926
						offset);
1927

1928
	if (sband->band != NL80211_BAND_6GHZ &&
1929
	    assoc_data->link[link_id].conn.mode >= IEEE80211_CONN_MODE_VHT &&
1930
	    sband->vht_cap.vht_supported) {
1931
		bool mu_mimo_owner =
1932
			ieee80211_add_vht_ie(sdata, skb, sband,
1933
					     &assoc_data->link[link_id].ap_vht_cap,
1934
					     &assoc_data->link[link_id].conn);
1935

1936
		if (link)
1937
			link->conf->mu_mimo_owner = mu_mimo_owner;
1938
		ADD_PRESENT_ELEM(WLAN_EID_VHT_CAPABILITY);
1939
	}
1940

1941
	/* if present, add any custom IEs that go before HE */
1942
	offset = ieee80211_add_before_he_elems(skb, extra_elems,
1943
					       extra_elems_len,
1944
					       offset);
1945

1946
	if (assoc_data->link[link_id].conn.mode >= IEEE80211_CONN_MODE_HE) {
1947
		ieee80211_put_he_cap(skb, sdata, sband,
1948
				     &assoc_data->link[link_id].conn);
1949
		ADD_PRESENT_EXT_ELEM(WLAN_EID_EXT_HE_CAPABILITY);
1950
		if (sband->band == NL80211_BAND_6GHZ)
1951
			ieee80211_put_he_6ghz_cap(skb, sdata, smps_mode);
1952
	}
1953

1954
	/*
1955
	 * if present, add any custom IEs that go before regulatory
1956
	 * connectivity element
1957
	 */
1958
	offset = ieee80211_add_before_reg_conn(skb, extra_elems,
1959
					       extra_elems_len, offset);
1960

1961
	if (sband->band == NL80211_BAND_6GHZ) {
1962
		/*
1963
		 * as per Section E.2.7 of IEEE 802.11 REVme D7.0, non-AP STA
1964
		 * capable of operating on the 6 GHz band shall transmit
1965
		 * regulatory connectivity element.
1966
		 */
1967
		ieee80211_put_reg_conn(skb, chan->flags);
1968
	}
1969

1970
	/*
1971
	 * careful - need to know about all the present elems before
1972
	 * calling ieee80211_assoc_add_ml_elem(), so add these if
1973
	 * we're going to put them after the ML element
1974
	 */
1975
	if (assoc_data->link[link_id].conn.mode >= IEEE80211_CONN_MODE_EHT)
1976
		ADD_PRESENT_EXT_ELEM(WLAN_EID_EXT_EHT_CAPABILITY);
1977
	if (assoc_data->link[link_id].conn.mode >= IEEE80211_CONN_MODE_UHR)
1978
		ADD_PRESENT_EXT_ELEM(WLAN_EID_EXT_UHR_CAPA);
1979

1980
	if (link_id == assoc_data->assoc_link_id)
1981
		ieee80211_assoc_add_ml_elem(sdata, skb, orig_capab, ext_capa,
1982
					    present_elems, assoc_data);
1983

1984
	/* crash if somebody gets it wrong */
1985
	present_elems = NULL;
1986

1987
	if (assoc_data->link[link_id].conn.mode >= IEEE80211_CONN_MODE_EHT)
1988
		ieee80211_put_eht_cap(skb, sdata, sband,
1989
				      &assoc_data->link[link_id].conn);
1990

1991
	if (assoc_data->link[link_id].conn.mode >= IEEE80211_CONN_MODE_UHR)
1992
		ieee80211_put_uhr_cap(skb, sdata, sband);
1993

1994
	if (sband->band == NL80211_BAND_S1GHZ) {
1995
		ieee80211_add_aid_request_ie(sdata, skb);
1996
		ieee80211_add_s1g_capab_ie(sdata, &sband->s1g_cap, skb);
1997
	}
1998

1999
	if (iftd && iftd->vendor_elems.data && iftd->vendor_elems.len)
2000
		skb_put_data(skb, iftd->vendor_elems.data, iftd->vendor_elems.len);
2001

2002
	return offset;
2003
}
2004

2005
static void ieee80211_add_non_inheritance_elem(struct sk_buff *skb,
2006
					       const u16 *outer,
2007
					       const u16 *inner)
2008
{
2009
	unsigned int skb_len = skb->len;
2010
	bool at_extension = false;
2011
	bool added = false;
2012
	int i, j;
2013
	u8 *len, *list_len = NULL;
2014

2015
	skb_put_u8(skb, WLAN_EID_EXTENSION);
2016
	len = skb_put(skb, 1);
2017
	skb_put_u8(skb, WLAN_EID_EXT_NON_INHERITANCE);
2018

2019
	for (i = 0; i < PRESENT_ELEMS_MAX && outer[i]; i++) {
2020
		u16 elem = outer[i];
2021
		bool have_inner = false;
2022

2023
		/* should at least be sorted in the sense of normal -> ext */
2024
		WARN_ON(at_extension && elem < PRESENT_ELEM_EXT_OFFS);
2025

2026
		/* switch to extension list */
2027
		if (!at_extension && elem >= PRESENT_ELEM_EXT_OFFS) {
2028
			at_extension = true;
2029
			if (!list_len)
2030
				skb_put_u8(skb, 0);
2031
			list_len = NULL;
2032
		}
2033

2034
		for (j = 0; j < PRESENT_ELEMS_MAX && inner[j]; j++) {
2035
			if (elem == inner[j]) {
2036
				have_inner = true;
2037
				break;
2038
			}
2039
		}
2040

2041
		if (have_inner)
2042
			continue;
2043

2044
		if (!list_len) {
2045
			list_len = skb_put(skb, 1);
2046
			*list_len = 0;
2047
		}
2048
		*list_len += 1;
2049
		skb_put_u8(skb, (u8)elem);
2050
		added = true;
2051
	}
2052

2053
	/* if we added a list but no extension list, make a zero-len one */
2054
	if (added && (!at_extension || !list_len))
2055
		skb_put_u8(skb, 0);
2056

2057
	/* if nothing added remove extension element completely */
2058
	if (!added)
2059
		skb_trim(skb, skb_len);
2060
	else
2061
		*len = skb->len - skb_len - 2;
2062
}
2063

2064
static void
2065
ieee80211_assoc_add_ml_elem(struct ieee80211_sub_if_data *sdata,
2066
			    struct sk_buff *skb, u16 capab,
2067
			    const struct element *ext_capa,
2068
			    const u16 *outer_present_elems,
2069
			    struct ieee80211_mgd_assoc_data *assoc_data)
2070
{
2071
	struct ieee80211_local *local = sdata->local;
2072
	struct ieee80211_multi_link_elem *ml_elem;
2073
	struct ieee80211_mle_basic_common_info *common;
2074
	const struct wiphy_iftype_ext_capab *ift_ext_capa;
2075
	__le16 eml_capa = 0, mld_capa_ops = 0;
2076
	unsigned int link_id;
2077
	u8 *ml_elem_len;
2078
	void *capab_pos;
2079

2080
	if (!ieee80211_vif_is_mld(&sdata->vif))
2081
		return;
2082

2083
	ift_ext_capa = cfg80211_get_iftype_ext_capa(local->hw.wiphy,
2084
						    ieee80211_vif_type_p2p(&sdata->vif));
2085
	if (ift_ext_capa) {
2086
		eml_capa = cpu_to_le16(ift_ext_capa->eml_capabilities);
2087
		mld_capa_ops = cpu_to_le16(ift_ext_capa->mld_capa_and_ops);
2088
	}
2089

2090
	skb_put_u8(skb, WLAN_EID_EXTENSION);
2091
	ml_elem_len = skb_put(skb, 1);
2092
	skb_put_u8(skb, WLAN_EID_EXT_EHT_MULTI_LINK);
2093
	ml_elem = skb_put(skb, sizeof(*ml_elem));
2094
	ml_elem->control =
2095
		cpu_to_le16(IEEE80211_ML_CONTROL_TYPE_BASIC |
2096
			    IEEE80211_MLC_BASIC_PRES_MLD_CAPA_OP);
2097
	common = skb_put(skb, sizeof(*common));
2098
	common->len = sizeof(*common) +
2099
		      2;  /* MLD capa/ops */
2100
	memcpy(common->mld_mac_addr, sdata->vif.addr, ETH_ALEN);
2101

2102
	/* add EML_CAPA only if needed, see Draft P802.11be_D2.1, 35.3.17 */
2103
	if (eml_capa &
2104
	    cpu_to_le16((IEEE80211_EML_CAP_EMLSR_SUPP |
2105
			 IEEE80211_EML_CAP_EMLMR_SUPPORT))) {
2106
		common->len += 2; /* EML capabilities */
2107
		ml_elem->control |=
2108
			cpu_to_le16(IEEE80211_MLC_BASIC_PRES_EML_CAPA);
2109
		skb_put_data(skb, &eml_capa, sizeof(eml_capa));
2110
	}
2111
	skb_put_data(skb, &mld_capa_ops, sizeof(mld_capa_ops));
2112

2113
	if (assoc_data->ext_mld_capa_ops) {
2114
		ml_elem->control |=
2115
			cpu_to_le16(IEEE80211_MLC_BASIC_PRES_EXT_MLD_CAPA_OP);
2116
		common->len += 2;
2117
		skb_put_data(skb, &assoc_data->ext_mld_capa_ops,
2118
			     sizeof(assoc_data->ext_mld_capa_ops));
2119
	}
2120

2121
	for (link_id = 0; link_id < IEEE80211_MLD_MAX_NUM_LINKS; link_id++) {
2122
		u16 link_present_elems[PRESENT_ELEMS_MAX] = {};
2123
		const u8 *extra_elems;
2124
		size_t extra_elems_len;
2125
		size_t extra_used;
2126
		u8 *subelem_len = NULL;
2127
		__le16 ctrl;
2128

2129
		if (!assoc_data->link[link_id].bss ||
2130
		    link_id == assoc_data->assoc_link_id)
2131
			continue;
2132

2133
		extra_elems = assoc_data->link[link_id].elems;
2134
		extra_elems_len = assoc_data->link[link_id].elems_len;
2135

2136
		skb_put_u8(skb, IEEE80211_MLE_SUBELEM_PER_STA_PROFILE);
2137
		subelem_len = skb_put(skb, 1);
2138

2139
		ctrl = cpu_to_le16(link_id |
2140
				   IEEE80211_MLE_STA_CONTROL_COMPLETE_PROFILE |
2141
				   IEEE80211_MLE_STA_CONTROL_STA_MAC_ADDR_PRESENT);
2142
		skb_put_data(skb, &ctrl, sizeof(ctrl));
2143
		skb_put_u8(skb, 1 + ETH_ALEN); /* STA Info Length */
2144
		skb_put_data(skb, assoc_data->link[link_id].addr,
2145
			     ETH_ALEN);
2146
		/*
2147
		 * Now add the contents of the (re)association request,
2148
		 * but the "listen interval" and "current AP address"
2149
		 * (if applicable) are skipped. So we only have
2150
		 * the capability field (remember the position and fill
2151
		 * later), followed by the elements added below by
2152
		 * calling ieee80211_add_link_elems().
2153
		 */
2154
		capab_pos = skb_put(skb, 2);
2155

2156
		extra_used = ieee80211_add_link_elems(sdata, skb, &capab,
2157
						      ext_capa,
2158
						      extra_elems,
2159
						      extra_elems_len,
2160
						      link_id, NULL,
2161
						      link_present_elems,
2162
						      assoc_data);
2163
		if (extra_elems)
2164
			skb_put_data(skb, extra_elems + extra_used,
2165
				     extra_elems_len - extra_used);
2166

2167
		put_unaligned_le16(capab, capab_pos);
2168

2169
		ieee80211_add_non_inheritance_elem(skb, outer_present_elems,
2170
						   link_present_elems);
2171

2172
		ieee80211_fragment_element(skb, subelem_len,
2173
					   IEEE80211_MLE_SUBELEM_FRAGMENT);
2174
	}
2175

2176
	ieee80211_fragment_element(skb, ml_elem_len, WLAN_EID_FRAGMENT);
2177
}
2178

2179
static int
2180
ieee80211_link_common_elems_size(struct ieee80211_sub_if_data *sdata,
2181
				 enum nl80211_iftype iftype,
2182
				 struct cfg80211_bss *cbss,
2183
				 size_t elems_len)
2184
{
2185
	struct ieee80211_local *local = sdata->local;
2186
	const struct ieee80211_sband_iftype_data *iftd;
2187
	struct ieee80211_supported_band *sband;
2188
	size_t size = 0;
2189

2190
	if (!cbss)
2191
		return size;
2192

2193
	sband = local->hw.wiphy->bands[cbss->channel->band];
2194

2195
	/* add STA profile elements length */
2196
	size += elems_len;
2197

2198
	/* and supported rates length */
2199
	size += 4 + sband->n_bitrates;
2200

2201
	/* supported channels */
2202
	size += 2 + 2 * sband->n_channels;
2203

2204
	iftd = ieee80211_get_sband_iftype_data(sband, iftype);
2205
	if (iftd)
2206
		size += iftd->vendor_elems.len;
2207

2208
	/* power capability */
2209
	size += 4;
2210

2211
	/* HT, VHT, HE, EHT */
2212
	size += 2 + sizeof(struct ieee80211_ht_cap);
2213
	size += 2 + sizeof(struct ieee80211_vht_cap);
2214
	size += 2 + 1 + sizeof(struct ieee80211_he_cap_elem) +
2215
		sizeof(struct ieee80211_he_mcs_nss_supp) +
2216
		IEEE80211_HE_PPE_THRES_MAX_LEN;
2217

2218
	if (sband->band == NL80211_BAND_6GHZ) {
2219
		size += 2 + 1 + sizeof(struct ieee80211_he_6ghz_capa);
2220
		/* reg connection */
2221
		size += 4;
2222
	}
2223

2224
	size += 2 + 1 + sizeof(struct ieee80211_eht_cap_elem) +
2225
		sizeof(struct ieee80211_eht_mcs_nss_supp) +
2226
		IEEE80211_EHT_PPE_THRES_MAX_LEN;
2227

2228
	size += 2 + 1 + sizeof(struct ieee80211_uhr_cap) +
2229
		sizeof(struct ieee80211_uhr_cap_phy);
2230

2231
	return size;
2232
}
2233

2234
static int ieee80211_send_assoc(struct ieee80211_sub_if_data *sdata)
2235
{
2236
	struct ieee80211_local *local = sdata->local;
2237
	struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
2238
	struct ieee80211_mgd_assoc_data *assoc_data = ifmgd->assoc_data;
2239
	struct ieee80211_link_data *link;
2240
	struct sk_buff *skb;
2241
	struct ieee80211_mgmt *mgmt;
2242
	u8 *pos, qos_info, *ie_start;
2243
	size_t offset, noffset;
2244
	u16 capab = 0, link_capab;
2245
	__le16 listen_int;
2246
	struct element *ext_capa = NULL;
2247
	enum nl80211_iftype iftype = ieee80211_vif_type_p2p(&sdata->vif);
2248
	struct ieee80211_prep_tx_info info = {};
2249
	unsigned int link_id, n_links = 0;
2250
	u16 present_elems[PRESENT_ELEMS_MAX] = {};
2251
	struct sta_info *sta;
2252
	bool assoc_encrypt;
2253
	void *capab_pos;
2254
	size_t size;
2255
	int ret;
2256

2257
	/* we know it's writable, cast away the const */
2258
	if (assoc_data->ie_len)
2259
		ext_capa = (void *)cfg80211_find_elem(WLAN_EID_EXT_CAPABILITY,
2260
						      assoc_data->ie,
2261
						      assoc_data->ie_len);
2262

2263
	lockdep_assert_wiphy(sdata->local->hw.wiphy);
2264

2265
	size = local->hw.extra_tx_headroom +
2266
	       sizeof(*mgmt) + /* bit too much but doesn't matter */
2267
	       2 + assoc_data->ssid_len + /* SSID */
2268
	       assoc_data->ie_len + /* extra IEs */
2269
	       (assoc_data->fils_kek_len ? 16 /* AES-SIV */ : 0) +
2270
	       9; /* WMM */
2271

2272
	for (link_id = 0; link_id < IEEE80211_MLD_MAX_NUM_LINKS; link_id++) {
2273
		struct cfg80211_bss *cbss = assoc_data->link[link_id].bss;
2274
		size_t elems_len = assoc_data->link[link_id].elems_len;
2275

2276
		if (!cbss)
2277
			continue;
2278

2279
		n_links++;
2280

2281
		size += ieee80211_link_common_elems_size(sdata, iftype, cbss,
2282
							 elems_len);
2283

2284
		/* non-inheritance element */
2285
		size += 2 + 2 + PRESENT_ELEMS_MAX;
2286

2287
		/* should be the same across all BSSes */
2288
		if (cbss->capability & WLAN_CAPABILITY_PRIVACY)
2289
			capab |= WLAN_CAPABILITY_PRIVACY;
2290
	}
2291

2292
	if (ieee80211_vif_is_mld(&sdata->vif)) {
2293
		/* consider the multi-link element with STA profile */
2294
		size += sizeof(struct ieee80211_multi_link_elem);
2295
		/* max common info field in basic multi-link element */
2296
		size += sizeof(struct ieee80211_mle_basic_common_info) +
2297
			2 + /* capa & op */
2298
			2 + /* ext capa & op */
2299
			2; /* EML capa */
2300

2301
		/* The capability elements were already considered above */
2302
		size += (n_links - 1) *
2303
			(1 + 1 + /* subelement ID/length */
2304
			 2 + /* STA control */
2305
			 1 + ETH_ALEN + 2 /* STA Info field */);
2306
	}
2307

2308
	link = sdata_dereference(sdata->link[assoc_data->assoc_link_id], sdata);
2309
	if (WARN_ON(!link))
2310
		return -EINVAL;
2311

2312
	if (WARN_ON(!assoc_data->link[assoc_data->assoc_link_id].bss))
2313
		return -EINVAL;
2314

2315
	skb = alloc_skb(size, GFP_KERNEL);
2316
	if (!skb)
2317
		return -ENOMEM;
2318

2319
	skb_reserve(skb, local->hw.extra_tx_headroom);
2320

2321
	if (ifmgd->flags & IEEE80211_STA_ENABLE_RRM)
2322
		capab |= WLAN_CAPABILITY_RADIO_MEASURE;
2323

2324
	/* Set MBSSID support for HE AP if needed */
2325
	if (ieee80211_hw_check(&local->hw, SUPPORTS_ONLY_HE_MULTI_BSSID) &&
2326
	    link->u.mgd.conn.mode >= IEEE80211_CONN_MODE_HE &&
2327
	    ext_capa && ext_capa->datalen >= 3)
2328
		ext_capa->data[2] |= WLAN_EXT_CAPA3_MULTI_BSSID_SUPPORT;
2329

2330
	mgmt = skb_put_zero(skb, 24);
2331
	memcpy(mgmt->da, sdata->vif.cfg.ap_addr, ETH_ALEN);
2332
	memcpy(mgmt->sa, sdata->vif.addr, ETH_ALEN);
2333
	memcpy(mgmt->bssid, sdata->vif.cfg.ap_addr, ETH_ALEN);
2334

2335
	listen_int = cpu_to_le16(assoc_data->s1g ?
2336
			ieee80211_encode_usf(local->hw.conf.listen_interval) :
2337
			local->hw.conf.listen_interval);
2338
	if (!is_zero_ether_addr(assoc_data->prev_ap_addr)) {
2339
		skb_put(skb, 10);
2340
		mgmt->frame_control = cpu_to_le16(IEEE80211_FTYPE_MGMT |
2341
						  IEEE80211_STYPE_REASSOC_REQ);
2342
		capab_pos = &mgmt->u.reassoc_req.capab_info;
2343
		mgmt->u.reassoc_req.listen_interval = listen_int;
2344
		memcpy(mgmt->u.reassoc_req.current_ap,
2345
		       assoc_data->prev_ap_addr, ETH_ALEN);
2346
		info.subtype = IEEE80211_STYPE_REASSOC_REQ;
2347
	} else {
2348
		skb_put(skb, 4);
2349
		mgmt->frame_control = cpu_to_le16(IEEE80211_FTYPE_MGMT |
2350
						  IEEE80211_STYPE_ASSOC_REQ);
2351
		capab_pos = &mgmt->u.assoc_req.capab_info;
2352
		mgmt->u.assoc_req.listen_interval = listen_int;
2353
		info.subtype = IEEE80211_STYPE_ASSOC_REQ;
2354
	}
2355

2356
	/* SSID */
2357
	pos = skb_put(skb, 2 + assoc_data->ssid_len);
2358
	ie_start = pos;
2359
	*pos++ = WLAN_EID_SSID;
2360
	*pos++ = assoc_data->ssid_len;
2361
	memcpy(pos, assoc_data->ssid, assoc_data->ssid_len);
2362

2363
	/*
2364
	 * This bit is technically reserved, so it shouldn't matter for either
2365
	 * the AP or us, but it also means we shouldn't set it. However, we've
2366
	 * always set it in the past, and apparently some EHT APs check that
2367
	 * we don't set it. To avoid interoperability issues with old APs that
2368
	 * for some reason check it and want it to be set, set the bit for all
2369
	 * pre-EHT connections as we used to do.
2370
	 */
2371
	if (link->u.mgd.conn.mode < IEEE80211_CONN_MODE_EHT &&
2372
	    !ieee80211_hw_check(&local->hw, STRICT))
2373
		capab |= WLAN_CAPABILITY_ESS;
2374

2375
	/* add the elements for the assoc (main) link */
2376
	link_capab = capab;
2377
	offset = ieee80211_add_link_elems(sdata, skb, &link_capab,
2378
					  ext_capa,
2379
					  assoc_data->ie,
2380
					  assoc_data->ie_len,
2381
					  assoc_data->assoc_link_id, link,
2382
					  present_elems, assoc_data);
2383
	put_unaligned_le16(link_capab, capab_pos);
2384

2385
	/* if present, add any custom non-vendor IEs */
2386
	if (assoc_data->ie_len) {
2387
		noffset = ieee80211_ie_split_vendor(assoc_data->ie,
2388
						    assoc_data->ie_len,
2389
						    offset);
2390
		skb_put_data(skb, assoc_data->ie + offset, noffset - offset);
2391
		offset = noffset;
2392
	}
2393

2394
	if (assoc_data->wmm) {
2395
		if (assoc_data->uapsd) {
2396
			qos_info = ifmgd->uapsd_queues;
2397
			qos_info |= (ifmgd->uapsd_max_sp_len <<
2398
				     IEEE80211_WMM_IE_STA_QOSINFO_SP_SHIFT);
2399
		} else {
2400
			qos_info = 0;
2401
		}
2402

2403
		pos = ieee80211_add_wmm_info_ie(skb_put(skb, 9), qos_info);
2404
	}
2405

2406
	/* add any remaining custom (i.e. vendor specific here) IEs */
2407
	if (assoc_data->ie_len) {
2408
		noffset = assoc_data->ie_len;
2409
		skb_put_data(skb, assoc_data->ie + offset, noffset - offset);
2410
	}
2411

2412
	if (assoc_data->fils_kek_len) {
2413
		ret = fils_encrypt_assoc_req(skb, assoc_data);
2414
		if (ret < 0) {
2415
			dev_kfree_skb(skb);
2416
			return ret;
2417
		}
2418
	}
2419

2420
	pos = skb_tail_pointer(skb);
2421
	kfree(ifmgd->assoc_req_ies);
2422
	ifmgd->assoc_req_ies = kmemdup(ie_start, pos - ie_start, GFP_ATOMIC);
2423
	if (!ifmgd->assoc_req_ies) {
2424
		dev_kfree_skb(skb);
2425
		return -ENOMEM;
2426
	}
2427

2428
	ifmgd->assoc_req_ies_len = pos - ie_start;
2429

2430
	info.link_id = assoc_data->assoc_link_id;
2431
	drv_mgd_prepare_tx(local, sdata, &info);
2432

2433
	sta = sta_info_get_bss(sdata, sdata->vif.cfg.ap_addr);
2434

2435
	assoc_encrypt = sta && sta->sta.epp_peer &&
2436
			wiphy_dereference(sdata->local->hw.wiphy,
2437
					  sta->ptk[sta->ptk_idx]);
2438

2439
	if (!assoc_encrypt)
2440
		IEEE80211_SKB_CB(skb)->flags |= IEEE80211_TX_INTFL_DONT_ENCRYPT;
2441

2442
	if (ieee80211_hw_check(&local->hw, REPORTS_TX_ACK_STATUS))
2443
		IEEE80211_SKB_CB(skb)->flags |= IEEE80211_TX_CTL_REQ_TX_STATUS |
2444
						IEEE80211_TX_INTFL_MLME_CONN_TX;
2445
	ieee80211_tx_skb(sdata, skb);
2446

2447
	return 0;
2448
}
2449

2450
void ieee80211_send_pspoll(struct ieee80211_local *local,
2451
			   struct ieee80211_sub_if_data *sdata)
2452
{
2453
	struct ieee80211_pspoll *pspoll;
2454
	struct sk_buff *skb;
2455

2456
	skb = ieee80211_pspoll_get(&local->hw, &sdata->vif);
2457
	if (!skb)
2458
		return;
2459

2460
	pspoll = (struct ieee80211_pspoll *) skb->data;
2461
	pspoll->frame_control |= cpu_to_le16(IEEE80211_FCTL_PM);
2462

2463
	IEEE80211_SKB_CB(skb)->flags |= IEEE80211_TX_INTFL_DONT_ENCRYPT;
2464
	ieee80211_tx_skb(sdata, skb);
2465
}
2466

2467
void ieee80211_send_nullfunc(struct ieee80211_local *local,
2468
			     struct ieee80211_sub_if_data *sdata,
2469
			     bool powersave)
2470
{
2471
	struct sk_buff *skb;
2472
	struct ieee80211_hdr_3addr *nullfunc;
2473
	struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
2474

2475
	skb = ieee80211_nullfunc_get(&local->hw, &sdata->vif, -1,
2476
				     !ieee80211_hw_check(&local->hw,
2477
							 DOESNT_SUPPORT_QOS_NDP));
2478
	if (!skb)
2479
		return;
2480

2481
	nullfunc = (struct ieee80211_hdr_3addr *) skb->data;
2482
	if (powersave)
2483
		nullfunc->frame_control |= cpu_to_le16(IEEE80211_FCTL_PM);
2484

2485
	IEEE80211_SKB_CB(skb)->flags |= IEEE80211_TX_INTFL_DONT_ENCRYPT |
2486
					IEEE80211_TX_INTFL_OFFCHAN_TX_OK;
2487

2488
	if (ieee80211_hw_check(&local->hw, REPORTS_TX_ACK_STATUS))
2489
		IEEE80211_SKB_CB(skb)->flags |= IEEE80211_TX_CTL_REQ_TX_STATUS;
2490

2491
	if (ifmgd->flags & IEEE80211_STA_CONNECTION_POLL)
2492
		IEEE80211_SKB_CB(skb)->flags |= IEEE80211_TX_CTL_USE_MINRATE;
2493

2494
	ieee80211_tx_skb(sdata, skb);
2495
}
2496

2497
void ieee80211_send_4addr_nullfunc(struct ieee80211_local *local,
2498
				   struct ieee80211_sub_if_data *sdata)
2499
{
2500
	struct sk_buff *skb;
2501
	struct ieee80211_hdr *nullfunc;
2502
	__le16 fc;
2503

2504
	if (WARN_ON(sdata->vif.type != NL80211_IFTYPE_STATION))
2505
		return;
2506

2507
	skb = dev_alloc_skb(local->hw.extra_tx_headroom + 30);
2508
	if (!skb)
2509
		return;
2510

2511
	skb_reserve(skb, local->hw.extra_tx_headroom);
2512

2513
	nullfunc = skb_put_zero(skb, 30);
2514
	fc = cpu_to_le16(IEEE80211_FTYPE_DATA | IEEE80211_STYPE_NULLFUNC |
2515
			 IEEE80211_FCTL_FROMDS | IEEE80211_FCTL_TODS);
2516
	nullfunc->frame_control = fc;
2517
	memcpy(nullfunc->addr1, sdata->vif.cfg.ap_addr, ETH_ALEN);
2518
	memcpy(nullfunc->addr2, sdata->vif.addr, ETH_ALEN);
2519
	memcpy(nullfunc->addr3, sdata->vif.cfg.ap_addr, ETH_ALEN);
2520
	memcpy(nullfunc->addr4, sdata->vif.addr, ETH_ALEN);
2521

2522
	IEEE80211_SKB_CB(skb)->flags |= IEEE80211_TX_INTFL_DONT_ENCRYPT;
2523
	IEEE80211_SKB_CB(skb)->flags |= IEEE80211_TX_CTL_USE_MINRATE;
2524
	ieee80211_tx_skb(sdata, skb);
2525
}
2526

2527
/* spectrum management related things */
2528
static void ieee80211_csa_switch_work(struct wiphy *wiphy,
2529
				      struct wiphy_work *work)
2530
{
2531
	struct ieee80211_link_data *link =
2532
		container_of(work, struct ieee80211_link_data,
2533
			     u.mgd.csa.switch_work.work);
2534
	struct ieee80211_sub_if_data *sdata = link->sdata;
2535
	struct ieee80211_local *local = sdata->local;
2536
	struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
2537
	int ret;
2538

2539
	if (!ieee80211_sdata_running(sdata))
2540
		return;
2541

2542
	lockdep_assert_wiphy(local->hw.wiphy);
2543

2544
	if (!ifmgd->associated)
2545
		return;
2546

2547
	if (!link->conf->csa_active)
2548
		return;
2549

2550
	/*
2551
	 * If the link isn't active (now), we cannot wait for beacons, won't
2552
	 * have a reserved chanctx, etc. Just switch over the chandef and
2553
	 * update cfg80211 directly.
2554
	 */
2555
	if (!ieee80211_vif_link_active(&sdata->vif, link->link_id)) {
2556
		struct link_sta_info *link_sta;
2557
		struct sta_info *ap_sta;
2558

2559
		link->conf->chanreq = link->csa.chanreq;
2560
		cfg80211_ch_switch_notify(sdata->dev, &link->csa.chanreq.oper,
2561
					  link->link_id);
2562
		link->conf->csa_active = false;
2563

2564
		ap_sta = sta_info_get(sdata, sdata->vif.cfg.ap_addr);
2565
		if (WARN_ON(!ap_sta))
2566
			return;
2567

2568
		link_sta = wiphy_dereference(wiphy,
2569
					     ap_sta->link[link->link_id]);
2570
		if (WARN_ON(!link_sta))
2571
			return;
2572

2573
		link_sta->pub->bandwidth =
2574
			_ieee80211_sta_cur_vht_bw(link_sta,
2575
						  &link->csa.chanreq.oper);
2576
		return;
2577
	}
2578

2579
	/*
2580
	 * using reservation isn't immediate as it may be deferred until later
2581
	 * with multi-vif. once reservation is complete it will re-schedule the
2582
	 * work with no reserved_chanctx so verify chandef to check if it
2583
	 * completed successfully
2584
	 */
2585

2586
	if (link->reserved_chanctx) {
2587
		/*
2588
		 * with multi-vif csa driver may call ieee80211_csa_finish()
2589
		 * many times while waiting for other interfaces to use their
2590
		 * reservations
2591
		 */
2592
		if (link->reserved_ready)
2593
			return;
2594

2595
		ret = ieee80211_link_use_reserved_context(link);
2596
		if (ret) {
2597
			link_info(link,
2598
				  "failed to use reserved channel context, disconnecting (err=%d)\n",
2599
				  ret);
2600
			wiphy_work_queue(sdata->local->hw.wiphy,
2601
					 &ifmgd->csa_connection_drop_work);
2602
		}
2603
		return;
2604
	}
2605

2606
	if (!ieee80211_chanreq_identical(&link->conf->chanreq,
2607
					 &link->csa.chanreq)) {
2608
		link_info(link,
2609
			  "failed to finalize channel switch, disconnecting\n");
2610
		wiphy_work_queue(sdata->local->hw.wiphy,
2611
				 &ifmgd->csa_connection_drop_work);
2612
		return;
2613
	}
2614

2615
	link->u.mgd.csa.waiting_bcn = true;
2616

2617
	/*
2618
	 * The next beacon really should always be different, so this should
2619
	 * have no effect whatsoever. However, some APs (we observed this in
2620
	 * an Asus AXE11000), the beacon after the CSA might be identical to
2621
	 * the last beacon on the old channel - in this case we'd ignore it.
2622
	 * Resetting the CRC will lead us to handle it better (albeit with a
2623
	 * disconnect, but clearly the AP is broken.)
2624
	 */
2625
	link->u.mgd.beacon_crc_valid = false;
2626

2627
	/* apply new TPE restrictions immediately on the new channel */
2628
	if (link->u.mgd.csa.ap_chandef.chan->band == NL80211_BAND_6GHZ &&
2629
	    link->u.mgd.conn.mode >= IEEE80211_CONN_MODE_HE) {
2630
		ieee80211_rearrange_tpe(&link->u.mgd.csa.tpe,
2631
					&link->u.mgd.csa.ap_chandef,
2632
					&link->conf->chanreq.oper);
2633
		if (memcmp(&link->conf->tpe, &link->u.mgd.csa.tpe,
2634
			   sizeof(link->u.mgd.csa.tpe))) {
2635
			link->conf->tpe = link->u.mgd.csa.tpe;
2636
			ieee80211_link_info_change_notify(sdata, link,
2637
							  BSS_CHANGED_TPE);
2638
		}
2639
	}
2640

2641
	/*
2642
	 * It is not necessary to reset these timers if any link does not
2643
	 * have an active CSA and that link still receives the beacons
2644
	 * when other links have active CSA.
2645
	 */
2646
	for_each_link_data(sdata, link) {
2647
		if (!link->conf->csa_active)
2648
			return;
2649
	}
2650

2651
	/*
2652
	 * Reset the beacon monitor and connection monitor timers when CSA
2653
	 * is active for all links in MLO when channel switch occurs in all
2654
	 * the links.
2655
	 */
2656
	ieee80211_sta_reset_beacon_monitor(sdata);
2657
	ieee80211_sta_reset_conn_monitor(sdata);
2658
}
2659

2660
static void ieee80211_chswitch_post_beacon(struct ieee80211_link_data *link)
2661
{
2662
	struct ieee80211_sub_if_data *sdata = link->sdata;
2663
	struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
2664
	int ret;
2665

2666
	lockdep_assert_wiphy(sdata->local->hw.wiphy);
2667

2668
	WARN_ON(!link->conf->csa_active);
2669

2670
	ieee80211_vif_unblock_queues_csa(sdata);
2671

2672
	link->conf->csa_active = false;
2673
	link->u.mgd.csa.blocked_tx = false;
2674
	link->u.mgd.csa.waiting_bcn = false;
2675

2676
	ret = drv_post_channel_switch(link);
2677
	if (ret) {
2678
		link_info(link,
2679
			  "driver post channel switch failed, disconnecting\n");
2680
		wiphy_work_queue(sdata->local->hw.wiphy,
2681
				 &ifmgd->csa_connection_drop_work);
2682
		return;
2683
	}
2684

2685
	cfg80211_ch_switch_notify(sdata->dev, &link->conf->chanreq.oper,
2686
				  link->link_id);
2687
}
2688

2689
void ieee80211_chswitch_done(struct ieee80211_vif *vif, bool success,
2690
			     unsigned int link_id)
2691
{
2692
	struct ieee80211_sub_if_data *sdata = vif_to_sdata(vif);
2693

2694
	trace_api_chswitch_done(sdata, success, link_id);
2695

2696
	rcu_read_lock();
2697

2698
	if (!success) {
2699
		sdata_info(sdata,
2700
			   "driver channel switch failed (link %d), disconnecting\n",
2701
			   link_id);
2702
		wiphy_work_queue(sdata->local->hw.wiphy,
2703
				 &sdata->u.mgd.csa_connection_drop_work);
2704
	} else {
2705
		struct ieee80211_link_data *link =
2706
			rcu_dereference(sdata->link[link_id]);
2707

2708
		if (WARN_ON(!link)) {
2709
			rcu_read_unlock();
2710
			return;
2711
		}
2712

2713
		wiphy_hrtimer_work_queue(sdata->local->hw.wiphy,
2714
					 &link->u.mgd.csa.switch_work, 0);
2715
	}
2716

2717
	rcu_read_unlock();
2718
}
2719
EXPORT_SYMBOL(ieee80211_chswitch_done);
2720

2721
static void
2722
ieee80211_sta_abort_chanswitch(struct ieee80211_link_data *link)
2723
{
2724
	struct ieee80211_sub_if_data *sdata = link->sdata;
2725
	struct ieee80211_local *local = sdata->local;
2726

2727
	lockdep_assert_wiphy(local->hw.wiphy);
2728

2729
	if (!local->ops->abort_channel_switch)
2730
		return;
2731

2732
	if (rcu_access_pointer(link->conf->chanctx_conf))
2733
		ieee80211_link_unreserve_chanctx(link);
2734

2735
	ieee80211_vif_unblock_queues_csa(sdata);
2736

2737
	link->conf->csa_active = false;
2738
	link->u.mgd.csa.blocked_tx = false;
2739

2740
	drv_abort_channel_switch(link);
2741
}
2742

2743
struct sta_csa_rnr_iter_data {
2744
	struct ieee80211_link_data *link;
2745
	struct ieee80211_channel *chan;
2746
	u8 mld_id;
2747
};
2748

2749
static enum cfg80211_rnr_iter_ret
2750
ieee80211_sta_csa_rnr_iter(void *_data, u8 type,
2751
			   const struct ieee80211_neighbor_ap_info *info,
2752
			   const u8 *tbtt_info, u8 tbtt_info_len)
2753
{
2754
	struct sta_csa_rnr_iter_data *data = _data;
2755
	struct ieee80211_link_data *link = data->link;
2756
	struct ieee80211_sub_if_data *sdata = link->sdata;
2757
	struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
2758
	const struct ieee80211_tbtt_info_ge_11 *ti;
2759
	enum nl80211_band band;
2760
	unsigned int center_freq;
2761
	int link_id;
2762

2763
	if (type != IEEE80211_TBTT_INFO_TYPE_TBTT)
2764
		return RNR_ITER_CONTINUE;
2765

2766
	if (tbtt_info_len < sizeof(*ti))
2767
		return RNR_ITER_CONTINUE;
2768

2769
	ti = (const void *)tbtt_info;
2770

2771
	if (ti->mld_params.mld_id != data->mld_id)
2772
		return RNR_ITER_CONTINUE;
2773

2774
	link_id = le16_get_bits(ti->mld_params.params,
2775
				IEEE80211_RNR_MLD_PARAMS_LINK_ID);
2776
	if (link_id != data->link->link_id)
2777
		return RNR_ITER_CONTINUE;
2778

2779
	/* we found the entry for our link! */
2780

2781
	/* this AP is confused, it had this right before ... just disconnect */
2782
	if (!ieee80211_operating_class_to_band(info->op_class, &band)) {
2783
		link_info(link,
2784
			  "AP now has invalid operating class in RNR, disconnect\n");
2785
		wiphy_work_queue(sdata->local->hw.wiphy,
2786
				 &ifmgd->csa_connection_drop_work);
2787
		return RNR_ITER_BREAK;
2788
	}
2789

2790
	center_freq = ieee80211_channel_to_frequency(info->channel, band);
2791
	data->chan = ieee80211_get_channel(sdata->local->hw.wiphy, center_freq);
2792

2793
	return RNR_ITER_BREAK;
2794
}
2795

2796
static void
2797
ieee80211_sta_other_link_csa_disappeared(struct ieee80211_link_data *link,
2798
					 struct ieee802_11_elems *elems)
2799
{
2800
	struct ieee80211_sub_if_data *sdata = link->sdata;
2801
	struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
2802
	struct sta_csa_rnr_iter_data data = {
2803
		.link = link,
2804
	};
2805

2806
	/*
2807
	 * If we get here, we see a beacon from another link without
2808
	 * CSA still being reported for it, so now we have to check
2809
	 * if the CSA was aborted or completed. This may not even be
2810
	 * perfectly possible if the CSA was only done for changing
2811
	 * the puncturing, but in that case if the link in inactive
2812
	 * we don't really care, and if it's an active link (or when
2813
	 * it's activated later) we'll get a beacon and adjust.
2814
	 */
2815

2816
	if (WARN_ON(!elems->ml_basic))
2817
		return;
2818

2819
	data.mld_id = ieee80211_mle_get_mld_id((const void *)elems->ml_basic);
2820

2821
	/*
2822
	 * So in order to do this, iterate the RNR element(s) and see
2823
	 * what channel is reported now.
2824
	 */
2825
	cfg80211_iter_rnr(elems->ie_start, elems->total_len,
2826
			  ieee80211_sta_csa_rnr_iter, &data);
2827

2828
	if (!data.chan) {
2829
		link_info(link,
2830
			  "couldn't find (valid) channel in RNR for CSA, disconnect\n");
2831
		wiphy_work_queue(sdata->local->hw.wiphy,
2832
				 &ifmgd->csa_connection_drop_work);
2833
		return;
2834
	}
2835

2836
	/*
2837
	 * If it doesn't match the CSA, then assume it aborted. This
2838
	 * may erroneously detect that it was _not_ aborted when it
2839
	 * was in fact aborted, but only changed the bandwidth or the
2840
	 * puncturing configuration, but we don't have enough data to
2841
	 * detect that.
2842
	 */
2843
	if (data.chan != link->csa.chanreq.oper.chan)
2844
		ieee80211_sta_abort_chanswitch(link);
2845
}
2846

2847
enum ieee80211_csa_source {
2848
	IEEE80211_CSA_SOURCE_BEACON,
2849
	IEEE80211_CSA_SOURCE_OTHER_LINK,
2850
	IEEE80211_CSA_SOURCE_PROT_ACTION,
2851
	IEEE80211_CSA_SOURCE_UNPROT_ACTION,
2852
};
2853

2854
static void
2855
ieee80211_sta_process_chanswitch(struct ieee80211_link_data *link,
2856
				 u64 timestamp, u32 device_timestamp,
2857
				 struct ieee802_11_elems *full_elems,
2858
				 struct ieee802_11_elems *csa_elems,
2859
				 enum ieee80211_csa_source source)
2860
{
2861
	struct ieee80211_sub_if_data *sdata = link->sdata;
2862
	struct ieee80211_local *local = sdata->local;
2863
	struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
2864
	struct ieee80211_chanctx *chanctx = NULL;
2865
	struct ieee80211_chanctx_conf *conf;
2866
	struct ieee80211_csa_ie csa_ie = {};
2867
	struct ieee80211_channel_switch ch_switch = {
2868
		.link_id = link->link_id,
2869
		.timestamp = timestamp,
2870
		.device_timestamp = device_timestamp,
2871
	};
2872
	u32 csa_time_tu;
2873
	ktime_t now;
2874
	int res;
2875

2876
	lockdep_assert_wiphy(local->hw.wiphy);
2877

2878
	if (csa_elems) {
2879
		struct cfg80211_bss *cbss = link->conf->bss;
2880
		enum nl80211_band current_band;
2881
		struct ieee80211_bss *bss;
2882

2883
		if (WARN_ON(!cbss))
2884
			return;
2885

2886
		current_band = cbss->channel->band;
2887
		bss = (void *)cbss->priv;
2888

2889
		res = ieee80211_parse_ch_switch_ie(sdata, csa_elems,
2890
						   current_band,
2891
						   bss->vht_cap_info,
2892
						   &link->u.mgd.conn,
2893
						   link->u.mgd.bssid,
2894
						   source == IEEE80211_CSA_SOURCE_UNPROT_ACTION,
2895
						   &csa_ie);
2896
		if (res == 0) {
2897
			ch_switch.block_tx = csa_ie.mode;
2898
			ch_switch.chandef = csa_ie.chanreq.oper;
2899
			ch_switch.count = csa_ie.count;
2900
			ch_switch.delay = csa_ie.max_switch_time;
2901
		}
2902

2903
		link->u.mgd.csa.tpe = csa_elems->csa_tpe;
2904
	} else {
2905
		/*
2906
		 * If there was no per-STA profile for this link, we
2907
		 * get called with csa_elems == NULL. This of course means
2908
		 * there are no CSA elements, so set res=1 indicating
2909
		 * no more CSA.
2910
		 */
2911
		res = 1;
2912
	}
2913

2914
	if (res < 0) {
2915
		/* ignore this case, not a protected frame */
2916
		if (source == IEEE80211_CSA_SOURCE_UNPROT_ACTION)
2917
			return;
2918
		goto drop_connection;
2919
	}
2920

2921
	if (link->conf->csa_active) {
2922
		switch (source) {
2923
		case IEEE80211_CSA_SOURCE_PROT_ACTION:
2924
		case IEEE80211_CSA_SOURCE_UNPROT_ACTION:
2925
			/* already processing - disregard action frames */
2926
			return;
2927
		case IEEE80211_CSA_SOURCE_BEACON:
2928
			if (link->u.mgd.csa.waiting_bcn) {
2929
				ieee80211_chswitch_post_beacon(link);
2930
				/*
2931
				 * If the CSA is still present after the switch
2932
				 * we need to consider it as a new CSA (possibly
2933
				 * to self). This happens by not returning here
2934
				 * so we'll get to the check below.
2935
				 */
2936
			} else if (res) {
2937
				ieee80211_sta_abort_chanswitch(link);
2938
				return;
2939
			} else {
2940
				drv_channel_switch_rx_beacon(sdata, &ch_switch);
2941
				return;
2942
			}
2943
			break;
2944
		case IEEE80211_CSA_SOURCE_OTHER_LINK:
2945
			/* active link: we want to see the beacon to continue */
2946
			if (ieee80211_vif_link_active(&sdata->vif,
2947
						      link->link_id))
2948
				return;
2949

2950
			/* switch work ran, so just complete the process */
2951
			if (link->u.mgd.csa.waiting_bcn) {
2952
				ieee80211_chswitch_post_beacon(link);
2953
				/*
2954
				 * If the CSA is still present after the switch
2955
				 * we need to consider it as a new CSA (possibly
2956
				 * to self). This happens by not returning here
2957
				 * so we'll get to the check below.
2958
				 */
2959
				break;
2960
			}
2961

2962
			/* link still has CSA but we already know, do nothing */
2963
			if (!res)
2964
				return;
2965

2966
			/* check in the RNR if the CSA aborted */
2967
			ieee80211_sta_other_link_csa_disappeared(link,
2968
								 full_elems);
2969
			return;
2970
		}
2971
	}
2972

2973
	/* no active CSA nor a new one */
2974
	if (res) {
2975
		/*
2976
		 * However, we may have stopped queues when receiving a public
2977
		 * action frame that couldn't be protected, if it had the quiet
2978
		 * bit set. This is a trade-off, we want to be quiet as soon as
2979
		 * possible, but also don't trust the public action frame much,
2980
		 * as it can't be protected.
2981
		 */
2982
		if (unlikely(link->u.mgd.csa.blocked_tx)) {
2983
			link->u.mgd.csa.blocked_tx = false;
2984
			ieee80211_vif_unblock_queues_csa(sdata);
2985
		}
2986
		return;
2987
	}
2988

2989
	/*
2990
	 * We don't really trust public action frames, but block queues (go to
2991
	 * quiet mode) for them anyway, we should get a beacon soon to either
2992
	 * know what the CSA really is, or figure out the public action frame
2993
	 * was actually an attack.
2994
	 */
2995
	if (source == IEEE80211_CSA_SOURCE_UNPROT_ACTION) {
2996
		if (csa_ie.mode) {
2997
			link->u.mgd.csa.blocked_tx = true;
2998
			ieee80211_vif_block_queues_csa(sdata);
2999
		}
3000
		return;
3001
	}
3002

3003
	if (link->conf->chanreq.oper.chan->band !=
3004
	    csa_ie.chanreq.oper.chan->band) {
3005
		link_info(link,
3006
			  "AP %pM switches to different band (%d MHz, width:%d, CF1/2: %d/%d MHz), disconnecting\n",
3007
			  link->u.mgd.bssid,
3008
			  csa_ie.chanreq.oper.chan->center_freq,
3009
			  csa_ie.chanreq.oper.width,
3010
			  csa_ie.chanreq.oper.center_freq1,
3011
			  csa_ie.chanreq.oper.center_freq2);
3012
		goto drop_connection;
3013
	}
3014

3015
	if (!cfg80211_chandef_usable(local->hw.wiphy, &csa_ie.chanreq.oper,
3016
				     IEEE80211_CHAN_DISABLED)) {
3017
		link_info(link,
3018
			  "AP %pM switches to unsupported channel (%d.%03d MHz, width:%d, CF1/2: %d.%03d/%d MHz), disconnecting\n",
3019
			  link->u.mgd.bssid,
3020
			  csa_ie.chanreq.oper.chan->center_freq,
3021
			  csa_ie.chanreq.oper.chan->freq_offset,
3022
			  csa_ie.chanreq.oper.width,
3023
			  csa_ie.chanreq.oper.center_freq1,
3024
			  csa_ie.chanreq.oper.freq1_offset,
3025
			  csa_ie.chanreq.oper.center_freq2);
3026
		goto drop_connection;
3027
	}
3028

3029
	if (cfg80211_chandef_identical(&csa_ie.chanreq.oper,
3030
				       &link->conf->chanreq.oper) &&
3031
	    (!csa_ie.mode || source != IEEE80211_CSA_SOURCE_BEACON)) {
3032
		if (link->u.mgd.csa.ignored_same_chan)
3033
			return;
3034
		link_info(link,
3035
			  "AP %pM tries to chanswitch to same channel, ignore\n",
3036
			  link->u.mgd.bssid);
3037
		link->u.mgd.csa.ignored_same_chan = true;
3038
		return;
3039
	}
3040

3041
	/*
3042
	 * Drop all TDLS peers on the affected link - either we disconnect or
3043
	 * move to a different channel from this point on. There's no telling
3044
	 * what our peer will do.
3045
	 * The TDLS WIDER_BW scenario is also problematic, as peers might now
3046
	 * have an incompatible wider chandef.
3047
	 */
3048
	ieee80211_teardown_tdls_peers(link);
3049

3050
	conf = rcu_dereference_protected(link->conf->chanctx_conf,
3051
					 lockdep_is_held(&local->hw.wiphy->mtx));
3052
	if (ieee80211_vif_link_active(&sdata->vif, link->link_id) && !conf) {
3053
		link_info(link,
3054
			  "no channel context assigned to vif?, disconnecting\n");
3055
		goto drop_connection;
3056
	}
3057

3058
	if (conf)
3059
		chanctx = container_of(conf, struct ieee80211_chanctx, conf);
3060

3061
	if (!ieee80211_hw_check(&local->hw, CHANCTX_STA_CSA)) {
3062
		link_info(link,
3063
			  "driver doesn't support chan-switch with channel contexts\n");
3064
		goto drop_connection;
3065
	}
3066

3067
	if (drv_pre_channel_switch(sdata, &ch_switch)) {
3068
		link_info(link,
3069
			  "preparing for channel switch failed, disconnecting\n");
3070
		goto drop_connection;
3071
	}
3072

3073
	link->u.mgd.csa.ap_chandef = csa_ie.chanreq.ap;
3074

3075
	link->csa.chanreq.oper = csa_ie.chanreq.oper;
3076
	ieee80211_set_chanreq_ap(sdata, &link->csa.chanreq, &link->u.mgd.conn,
3077
				 &csa_ie.chanreq.ap);
3078

3079
	if (chanctx) {
3080
		res = ieee80211_link_reserve_chanctx(link, &link->csa.chanreq,
3081
						     chanctx->mode, false);
3082
		if (res) {
3083
			link_info(link,
3084
				  "failed to reserve channel context for channel switch, disconnecting (err=%d)\n",
3085
				  res);
3086
			goto drop_connection;
3087
		}
3088
	}
3089

3090
	link->conf->csa_active = true;
3091
	link->u.mgd.csa.ignored_same_chan = false;
3092
	link->u.mgd.beacon_crc_valid = false;
3093
	link->u.mgd.csa.blocked_tx = csa_ie.mode;
3094

3095
	if (csa_ie.mode)
3096
		ieee80211_vif_block_queues_csa(sdata);
3097

3098
	cfg80211_ch_switch_started_notify(sdata->dev, &csa_ie.chanreq.oper,
3099
					  link->link_id, csa_ie.count,
3100
					  csa_ie.mode);
3101

3102
	/* we may have to handle timeout for deactivated link in software */
3103
	now = ktime_get_boottime();
3104
	csa_time_tu = (max_t(int, csa_ie.count, 1) - 1) * link->conf->beacon_int;
3105
	link->u.mgd.csa.time = now + us_to_ktime(ieee80211_tu_to_usec(csa_time_tu));
3106

3107
	if (ieee80211_vif_link_active(&sdata->vif, link->link_id) &&
3108
	    local->ops->channel_switch) {
3109
		/*
3110
		 * Use driver's channel switch callback, the driver will
3111
		 * later call ieee80211_chswitch_done(). It may deactivate
3112
		 * the link as well, we handle that elsewhere and queue
3113
		 * the csa.switch_work for the calculated time then.
3114
		 */
3115
		drv_channel_switch(local, sdata, &ch_switch);
3116
		return;
3117
	}
3118

3119
	/* channel switch handled in software */
3120
	wiphy_hrtimer_work_queue(local->hw.wiphy,
3121
				 &link->u.mgd.csa.switch_work,
3122
				 link->u.mgd.csa.time - now);
3123
	return;
3124
 drop_connection:
3125
	/*
3126
	 * This is just so that the disconnect flow will know that
3127
	 * we were trying to switch channel and failed. In case the
3128
	 * mode is 1 (we are not allowed to Tx), we will know not to
3129
	 * send a deauthentication frame. Those two fields will be
3130
	 * reset when the disconnection worker runs.
3131
	 */
3132
	link->conf->csa_active = true;
3133
	link->u.mgd.csa.blocked_tx = csa_ie.mode;
3134

3135
	wiphy_work_queue(sdata->local->hw.wiphy,
3136
			 &ifmgd->csa_connection_drop_work);
3137
}
3138

3139
struct sta_bss_param_ch_cnt_data {
3140
	struct ieee80211_sub_if_data *sdata;
3141
	u8 reporting_link_id;
3142
	u8 mld_id;
3143
};
3144

3145
static enum cfg80211_rnr_iter_ret
3146
ieee80211_sta_bss_param_ch_cnt_iter(void *_data, u8 type,
3147
				    const struct ieee80211_neighbor_ap_info *info,
3148
				    const u8 *tbtt_info, u8 tbtt_info_len)
3149
{
3150
	struct sta_bss_param_ch_cnt_data *data = _data;
3151
	struct ieee80211_sub_if_data *sdata = data->sdata;
3152
	const struct ieee80211_tbtt_info_ge_11 *ti;
3153
	u8 bss_param_ch_cnt;
3154
	int link_id;
3155

3156
	if (type != IEEE80211_TBTT_INFO_TYPE_TBTT)
3157
		return RNR_ITER_CONTINUE;
3158

3159
	if (tbtt_info_len < sizeof(*ti))
3160
		return RNR_ITER_CONTINUE;
3161

3162
	ti = (const void *)tbtt_info;
3163

3164
	if (ti->mld_params.mld_id != data->mld_id)
3165
		return RNR_ITER_CONTINUE;
3166

3167
	link_id = le16_get_bits(ti->mld_params.params,
3168
				IEEE80211_RNR_MLD_PARAMS_LINK_ID);
3169
	bss_param_ch_cnt =
3170
		le16_get_bits(ti->mld_params.params,
3171
			      IEEE80211_RNR_MLD_PARAMS_BSS_CHANGE_COUNT);
3172

3173
	if (bss_param_ch_cnt != 255 &&
3174
	    link_id < ARRAY_SIZE(sdata->link)) {
3175
		struct ieee80211_link_data *link =
3176
			sdata_dereference(sdata->link[link_id], sdata);
3177

3178
		if (link && link->conf->bss_param_ch_cnt != bss_param_ch_cnt) {
3179
			link->conf->bss_param_ch_cnt = bss_param_ch_cnt;
3180
			link->conf->bss_param_ch_cnt_link_id =
3181
				data->reporting_link_id;
3182
		}
3183
	}
3184

3185
	return RNR_ITER_CONTINUE;
3186
}
3187

3188
static void
3189
ieee80211_mgd_update_bss_param_ch_cnt(struct ieee80211_sub_if_data *sdata,
3190
				      struct ieee80211_bss_conf *bss_conf,
3191
				      struct ieee802_11_elems *elems)
3192
{
3193
	struct sta_bss_param_ch_cnt_data data = {
3194
		.reporting_link_id = bss_conf->link_id,
3195
		.sdata = sdata,
3196
	};
3197
	int bss_param_ch_cnt;
3198

3199
	if (!elems->ml_basic)
3200
		return;
3201

3202
	data.mld_id = ieee80211_mle_get_mld_id((const void *)elems->ml_basic);
3203

3204
	cfg80211_iter_rnr(elems->ie_start, elems->total_len,
3205
			  ieee80211_sta_bss_param_ch_cnt_iter, &data);
3206

3207
	bss_param_ch_cnt =
3208
		ieee80211_mle_get_bss_param_ch_cnt((const void *)elems->ml_basic);
3209

3210
	/*
3211
	 * Update bss_param_ch_cnt_link_id even if bss_param_ch_cnt
3212
	 * didn't change to indicate that we got a beacon on our own
3213
	 * link.
3214
	 */
3215
	if (bss_param_ch_cnt >= 0 && bss_param_ch_cnt != 255) {
3216
		bss_conf->bss_param_ch_cnt = bss_param_ch_cnt;
3217
		bss_conf->bss_param_ch_cnt_link_id =
3218
			bss_conf->link_id;
3219
	}
3220
}
3221

3222
static bool
3223
ieee80211_find_80211h_pwr_constr(struct ieee80211_channel *channel,
3224
				 const u8 *country_ie, u8 country_ie_len,
3225
				 const u8 *pwr_constr_elem,
3226
				 int *chan_pwr, int *pwr_reduction)
3227
{
3228
	struct ieee80211_country_ie_triplet *triplet;
3229
	int chan = ieee80211_frequency_to_channel(channel->center_freq);
3230
	int i, chan_increment;
3231
	bool have_chan_pwr = false;
3232

3233
	/* Invalid IE */
3234
	if (country_ie_len % 2 || country_ie_len < IEEE80211_COUNTRY_IE_MIN_LEN)
3235
		return false;
3236

3237
	triplet = (void *)(country_ie + 3);
3238
	country_ie_len -= 3;
3239

3240
	switch (channel->band) {
3241
	default:
3242
		WARN_ON_ONCE(1);
3243
		fallthrough;
3244
	case NL80211_BAND_2GHZ:
3245
	case NL80211_BAND_60GHZ:
3246
	case NL80211_BAND_LC:
3247
		chan_increment = 1;
3248
		break;
3249
	case NL80211_BAND_5GHZ:
3250
		chan_increment = 4;
3251
		break;
3252
	case NL80211_BAND_6GHZ:
3253
		/*
3254
		 * In the 6 GHz band, the "maximum transmit power level"
3255
		 * field in the triplets is reserved, and thus will be
3256
		 * zero and we shouldn't use it to control TX power.
3257
		 * The actual TX power will be given in the transmit
3258
		 * power envelope element instead.
3259
		 */
3260
		return false;
3261
	}
3262

3263
	/* find channel */
3264
	while (country_ie_len >= 3) {
3265
		u8 first_channel = triplet->chans.first_channel;
3266

3267
		if (first_channel >= IEEE80211_COUNTRY_EXTENSION_ID)
3268
			goto next;
3269

3270
		for (i = 0; i < triplet->chans.num_channels; i++) {
3271
			if (first_channel + i * chan_increment == chan) {
3272
				have_chan_pwr = true;
3273
				*chan_pwr = triplet->chans.max_power;
3274
				break;
3275
			}
3276
		}
3277
		if (have_chan_pwr)
3278
			break;
3279

3280
 next:
3281
		triplet++;
3282
		country_ie_len -= 3;
3283
	}
3284

3285
	if (have_chan_pwr && pwr_constr_elem)
3286
		*pwr_reduction = *pwr_constr_elem;
3287
	else
3288
		*pwr_reduction = 0;
3289

3290
	return have_chan_pwr;
3291
}
3292

3293
static void ieee80211_find_cisco_dtpc(struct ieee80211_channel *channel,
3294
				      const u8 *cisco_dtpc_ie,
3295
				      int *pwr_level)
3296
{
3297
	/* From practical testing, the first data byte of the DTPC element
3298
	 * seems to contain the requested dBm level, and the CLI on Cisco
3299
	 * APs clearly state the range is -127 to 127 dBm, which indicates
3300
	 * a signed byte, although it seemingly never actually goes negative.
3301
	 * The other byte seems to always be zero.
3302
	 */
3303
	*pwr_level = (__s8)cisco_dtpc_ie[4];
3304
}
3305

3306
static u64 ieee80211_handle_pwr_constr(struct ieee80211_link_data *link,
3307
				       struct ieee80211_channel *channel,
3308
				       struct ieee80211_mgmt *mgmt,
3309
				       const u8 *country_ie, u8 country_ie_len,
3310
				       const u8 *pwr_constr_ie,
3311
				       const u8 *cisco_dtpc_ie)
3312
{
3313
	struct ieee80211_sub_if_data *sdata = link->sdata;
3314
	bool has_80211h_pwr = false, has_cisco_pwr = false;
3315
	int chan_pwr = 0, pwr_reduction_80211h = 0;
3316
	int pwr_level_cisco, pwr_level_80211h;
3317
	int new_ap_level;
3318
	__le16 capab = mgmt->u.probe_resp.capab_info;
3319

3320
	if (ieee80211_is_s1g_beacon(mgmt->frame_control))
3321
		return 0;	/* TODO */
3322

3323
	if (country_ie &&
3324
	    (capab & cpu_to_le16(WLAN_CAPABILITY_SPECTRUM_MGMT) ||
3325
	     capab & cpu_to_le16(WLAN_CAPABILITY_RADIO_MEASURE))) {
3326
		has_80211h_pwr = ieee80211_find_80211h_pwr_constr(
3327
			channel, country_ie, country_ie_len,
3328
			pwr_constr_ie, &chan_pwr, &pwr_reduction_80211h);
3329
		pwr_level_80211h =
3330
			max_t(int, 0, chan_pwr - pwr_reduction_80211h);
3331
	}
3332

3333
	if (cisco_dtpc_ie) {
3334
		ieee80211_find_cisco_dtpc(
3335
			channel, cisco_dtpc_ie, &pwr_level_cisco);
3336
		has_cisco_pwr = true;
3337
	}
3338

3339
	if (!has_80211h_pwr && !has_cisco_pwr)
3340
		return 0;
3341

3342
	/* If we have both 802.11h and Cisco DTPC, apply both limits
3343
	 * by picking the smallest of the two power levels advertised.
3344
	 */
3345
	if (has_80211h_pwr &&
3346
	    (!has_cisco_pwr || pwr_level_80211h <= pwr_level_cisco)) {
3347
		new_ap_level = pwr_level_80211h;
3348

3349
		if (link->ap_power_level == new_ap_level)
3350
			return 0;
3351

3352
		sdata_dbg(sdata,
3353
			  "Limiting TX power to %d (%d - %d) dBm as advertised by %pM\n",
3354
			  pwr_level_80211h, chan_pwr, pwr_reduction_80211h,
3355
			  link->u.mgd.bssid);
3356
	} else {  /* has_cisco_pwr is always true here. */
3357
		new_ap_level = pwr_level_cisco;
3358

3359
		if (link->ap_power_level == new_ap_level)
3360
			return 0;
3361

3362
		sdata_dbg(sdata,
3363
			  "Limiting TX power to %d dBm as advertised by %pM\n",
3364
			  pwr_level_cisco, link->u.mgd.bssid);
3365
	}
3366

3367
	link->ap_power_level = new_ap_level;
3368
	if (__ieee80211_recalc_txpower(link))
3369
		return BSS_CHANGED_TXPOWER;
3370
	return 0;
3371
}
3372

3373
/* powersave */
3374
static void ieee80211_enable_ps(struct ieee80211_local *local,
3375
				struct ieee80211_sub_if_data *sdata)
3376
{
3377
	struct ieee80211_conf *conf = &local->hw.conf;
3378

3379
	/*
3380
	 * If we are scanning right now then the parameters will
3381
	 * take effect when scan finishes.
3382
	 */
3383
	if (local->scanning)
3384
		return;
3385

3386
	if (conf->dynamic_ps_timeout > 0 &&
3387
	    !ieee80211_hw_check(&local->hw, SUPPORTS_DYNAMIC_PS)) {
3388
		mod_timer(&local->dynamic_ps_timer, jiffies +
3389
			  msecs_to_jiffies(conf->dynamic_ps_timeout));
3390
	} else {
3391
		if (ieee80211_hw_check(&local->hw, PS_NULLFUNC_STACK))
3392
			ieee80211_send_nullfunc(local, sdata, true);
3393

3394
		if (ieee80211_hw_check(&local->hw, PS_NULLFUNC_STACK) &&
3395
		    ieee80211_hw_check(&local->hw, REPORTS_TX_ACK_STATUS))
3396
			return;
3397

3398
		conf->flags |= IEEE80211_CONF_PS;
3399
		ieee80211_hw_config(local, -1, IEEE80211_CONF_CHANGE_PS);
3400
	}
3401
}
3402

3403
static void ieee80211_change_ps(struct ieee80211_local *local)
3404
{
3405
	struct ieee80211_conf *conf = &local->hw.conf;
3406

3407
	if (local->ps_sdata) {
3408
		ieee80211_enable_ps(local, local->ps_sdata);
3409
	} else if (conf->flags & IEEE80211_CONF_PS) {
3410
		conf->flags &= ~IEEE80211_CONF_PS;
3411
		ieee80211_hw_config(local, -1, IEEE80211_CONF_CHANGE_PS);
3412
		timer_delete_sync(&local->dynamic_ps_timer);
3413
		wiphy_work_cancel(local->hw.wiphy,
3414
				  &local->dynamic_ps_enable_work);
3415
	}
3416
}
3417

3418
static bool ieee80211_powersave_allowed(struct ieee80211_sub_if_data *sdata)
3419
{
3420
	struct ieee80211_local *local = sdata->local;
3421
	struct ieee80211_if_managed *mgd = &sdata->u.mgd;
3422
	struct sta_info *sta = NULL;
3423
	bool authorized = false;
3424

3425
	if (!mgd->powersave)
3426
		return false;
3427

3428
	if (mgd->broken_ap)
3429
		return false;
3430

3431
	if (!mgd->associated)
3432
		return false;
3433

3434
	if (mgd->flags & IEEE80211_STA_CONNECTION_POLL)
3435
		return false;
3436

3437
	if (!(local->hw.wiphy->flags & WIPHY_FLAG_SUPPORTS_MLO) &&
3438
	    !sdata->deflink.u.mgd.have_beacon)
3439
		return false;
3440

3441
	rcu_read_lock();
3442
	sta = sta_info_get(sdata, sdata->vif.cfg.ap_addr);
3443
	if (sta)
3444
		authorized = test_sta_flag(sta, WLAN_STA_AUTHORIZED);
3445
	rcu_read_unlock();
3446

3447
	return authorized;
3448
}
3449

3450
/* need to hold RTNL or interface lock */
3451
void ieee80211_recalc_ps(struct ieee80211_local *local)
3452
{
3453
	struct ieee80211_sub_if_data *sdata, *found = NULL;
3454
	int count = 0;
3455
	int timeout;
3456

3457
	if (!ieee80211_hw_check(&local->hw, SUPPORTS_PS) ||
3458
	    ieee80211_hw_check(&local->hw, SUPPORTS_DYNAMIC_PS)) {
3459
		local->ps_sdata = NULL;
3460
		return;
3461
	}
3462

3463
	list_for_each_entry(sdata, &local->interfaces, list) {
3464
		if (!ieee80211_sdata_running(sdata))
3465
			continue;
3466
		if (sdata->vif.type == NL80211_IFTYPE_AP) {
3467
			/* If an AP vif is found, then disable PS
3468
			 * by setting the count to zero thereby setting
3469
			 * ps_sdata to NULL.
3470
			 */
3471
			count = 0;
3472
			break;
3473
		}
3474
		if (sdata->vif.type != NL80211_IFTYPE_STATION)
3475
			continue;
3476
		found = sdata;
3477
		count++;
3478
	}
3479

3480
	if (count == 1 && ieee80211_powersave_allowed(found)) {
3481
		u8 dtimper = found->deflink.u.mgd.dtim_period;
3482

3483
		timeout = local->dynamic_ps_forced_timeout;
3484
		if (timeout < 0)
3485
			timeout = 100;
3486
		local->hw.conf.dynamic_ps_timeout = timeout;
3487

3488
		/* If the TIM IE is invalid, pretend the value is 1 */
3489
		if (!dtimper)
3490
			dtimper = 1;
3491

3492
		local->hw.conf.ps_dtim_period = dtimper;
3493
		local->ps_sdata = found;
3494
	} else {
3495
		local->ps_sdata = NULL;
3496
	}
3497

3498
	ieee80211_change_ps(local);
3499
}
3500

3501
void ieee80211_recalc_ps_vif(struct ieee80211_sub_if_data *sdata)
3502
{
3503
	bool ps_allowed = ieee80211_powersave_allowed(sdata);
3504

3505
	if (sdata->vif.cfg.ps != ps_allowed) {
3506
		sdata->vif.cfg.ps = ps_allowed;
3507
		ieee80211_vif_cfg_change_notify(sdata, BSS_CHANGED_PS);
3508
	}
3509
}
3510

3511
void ieee80211_dynamic_ps_disable_work(struct wiphy *wiphy,
3512
				       struct wiphy_work *work)
3513
{
3514
	struct ieee80211_local *local =
3515
		container_of(work, struct ieee80211_local,
3516
			     dynamic_ps_disable_work);
3517

3518
	if (local->hw.conf.flags & IEEE80211_CONF_PS) {
3519
		local->hw.conf.flags &= ~IEEE80211_CONF_PS;
3520
		ieee80211_hw_config(local, -1, IEEE80211_CONF_CHANGE_PS);
3521
	}
3522

3523
	ieee80211_wake_queues_by_reason(&local->hw,
3524
					IEEE80211_MAX_QUEUE_MAP,
3525
					IEEE80211_QUEUE_STOP_REASON_PS,
3526
					false);
3527
}
3528

3529
void ieee80211_dynamic_ps_enable_work(struct wiphy *wiphy,
3530
				      struct wiphy_work *work)
3531
{
3532
	struct ieee80211_local *local =
3533
		container_of(work, struct ieee80211_local,
3534
			     dynamic_ps_enable_work);
3535
	struct ieee80211_sub_if_data *sdata = local->ps_sdata;
3536
	struct ieee80211_if_managed *ifmgd;
3537
	unsigned long flags;
3538
	int q;
3539

3540
	/* can only happen when PS was just disabled anyway */
3541
	if (!sdata)
3542
		return;
3543

3544
	ifmgd = &sdata->u.mgd;
3545

3546
	if (local->hw.conf.flags & IEEE80211_CONF_PS)
3547
		return;
3548

3549
	if (local->hw.conf.dynamic_ps_timeout > 0) {
3550
		/* don't enter PS if TX frames are pending */
3551
		if (drv_tx_frames_pending(local)) {
3552
			mod_timer(&local->dynamic_ps_timer, jiffies +
3553
				  msecs_to_jiffies(
3554
				  local->hw.conf.dynamic_ps_timeout));
3555
			return;
3556
		}
3557

3558
		/*
3559
		 * transmission can be stopped by others which leads to
3560
		 * dynamic_ps_timer expiry. Postpone the ps timer if it
3561
		 * is not the actual idle state.
3562
		 */
3563
		spin_lock_irqsave(&local->queue_stop_reason_lock, flags);
3564
		for (q = 0; q < local->hw.queues; q++) {
3565
			if (local->queue_stop_reasons[q]) {
3566
				spin_unlock_irqrestore(&local->queue_stop_reason_lock,
3567
						       flags);
3568
				mod_timer(&local->dynamic_ps_timer, jiffies +
3569
					  msecs_to_jiffies(
3570
					  local->hw.conf.dynamic_ps_timeout));
3571
				return;
3572
			}
3573
		}
3574
		spin_unlock_irqrestore(&local->queue_stop_reason_lock, flags);
3575
	}
3576

3577
	if (ieee80211_hw_check(&local->hw, PS_NULLFUNC_STACK) &&
3578
	    !(ifmgd->flags & IEEE80211_STA_NULLFUNC_ACKED)) {
3579
		if (drv_tx_frames_pending(local)) {
3580
			mod_timer(&local->dynamic_ps_timer, jiffies +
3581
				  msecs_to_jiffies(
3582
				  local->hw.conf.dynamic_ps_timeout));
3583
		} else {
3584
			ieee80211_send_nullfunc(local, sdata, true);
3585
			/* Flush to get the tx status of nullfunc frame */
3586
			ieee80211_flush_queues(local, sdata, false);
3587
		}
3588
	}
3589

3590
	if (!(ieee80211_hw_check(&local->hw, REPORTS_TX_ACK_STATUS) &&
3591
	      ieee80211_hw_check(&local->hw, PS_NULLFUNC_STACK)) ||
3592
	    (ifmgd->flags & IEEE80211_STA_NULLFUNC_ACKED)) {
3593
		ifmgd->flags &= ~IEEE80211_STA_NULLFUNC_ACKED;
3594
		local->hw.conf.flags |= IEEE80211_CONF_PS;
3595
		ieee80211_hw_config(local, -1, IEEE80211_CONF_CHANGE_PS);
3596
	}
3597
}
3598

3599
void ieee80211_dynamic_ps_timer(struct timer_list *t)
3600
{
3601
	struct ieee80211_local *local = timer_container_of(local, t,
3602
							   dynamic_ps_timer);
3603

3604
	wiphy_work_queue(local->hw.wiphy, &local->dynamic_ps_enable_work);
3605
}
3606

3607
void ieee80211_dfs_cac_timer_work(struct wiphy *wiphy, struct wiphy_work *work)
3608
{
3609
	struct ieee80211_link_data *link =
3610
		container_of(work, struct ieee80211_link_data,
3611
			     dfs_cac_timer_work.work);
3612
	struct cfg80211_chan_def chandef = link->conf->chanreq.oper;
3613
	struct ieee80211_sub_if_data *sdata = link->sdata;
3614

3615
	lockdep_assert_wiphy(sdata->local->hw.wiphy);
3616

3617
	if (sdata->wdev.links[link->link_id].cac_started) {
3618
		ieee80211_link_release_channel(link);
3619
		cfg80211_cac_event(sdata->dev, &chandef,
3620
				   NL80211_RADAR_CAC_FINISHED,
3621
				   GFP_KERNEL, link->link_id);
3622
	}
3623
}
3624

3625
static bool
3626
__ieee80211_sta_handle_tspec_ac_params(struct ieee80211_sub_if_data *sdata)
3627
{
3628
	struct ieee80211_local *local = sdata->local;
3629
	struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
3630
	bool ret = false;
3631
	int ac;
3632

3633
	if (local->hw.queues < IEEE80211_NUM_ACS)
3634
		return false;
3635

3636
	for (ac = 0; ac < IEEE80211_NUM_ACS; ac++) {
3637
		struct ieee80211_sta_tx_tspec *tx_tspec = &ifmgd->tx_tspec[ac];
3638
		int non_acm_ac;
3639
		unsigned long now = jiffies;
3640

3641
		if (tx_tspec->action == TX_TSPEC_ACTION_NONE &&
3642
		    tx_tspec->admitted_time &&
3643
		    time_after(now, tx_tspec->time_slice_start + HZ)) {
3644
			tx_tspec->consumed_tx_time = 0;
3645
			tx_tspec->time_slice_start = now;
3646

3647
			if (tx_tspec->downgraded)
3648
				tx_tspec->action =
3649
					TX_TSPEC_ACTION_STOP_DOWNGRADE;
3650
		}
3651

3652
		switch (tx_tspec->action) {
3653
		case TX_TSPEC_ACTION_STOP_DOWNGRADE:
3654
			/* take the original parameters */
3655
			if (drv_conf_tx(local, &sdata->deflink, ac,
3656
					&sdata->deflink.tx_conf[ac]))
3657
				link_err(&sdata->deflink,
3658
					 "failed to set TX queue parameters for queue %d\n",
3659
					 ac);
3660
			tx_tspec->action = TX_TSPEC_ACTION_NONE;
3661
			tx_tspec->downgraded = false;
3662
			ret = true;
3663
			break;
3664
		case TX_TSPEC_ACTION_DOWNGRADE:
3665
			if (time_after(now, tx_tspec->time_slice_start + HZ)) {
3666
				tx_tspec->action = TX_TSPEC_ACTION_NONE;
3667
				ret = true;
3668
				break;
3669
			}
3670
			/* downgrade next lower non-ACM AC */
3671
			for (non_acm_ac = ac + 1;
3672
			     non_acm_ac < IEEE80211_NUM_ACS;
3673
			     non_acm_ac++)
3674
				if (!(sdata->wmm_acm & BIT(7 - 2 * non_acm_ac)))
3675
					break;
3676
			/* Usually the loop will result in using BK even if it
3677
			 * requires admission control, but such a configuration
3678
			 * makes no sense and we have to transmit somehow - the
3679
			 * AC selection does the same thing.
3680
			 * If we started out trying to downgrade from BK, then
3681
			 * the extra condition here might be needed.
3682
			 */
3683
			if (non_acm_ac >= IEEE80211_NUM_ACS)
3684
				non_acm_ac = IEEE80211_AC_BK;
3685
			if (drv_conf_tx(local, &sdata->deflink, ac,
3686
					&sdata->deflink.tx_conf[non_acm_ac]))
3687
				link_err(&sdata->deflink,
3688
					 "failed to set TX queue parameters for queue %d\n",
3689
					 ac);
3690
			tx_tspec->action = TX_TSPEC_ACTION_NONE;
3691
			ret = true;
3692
			wiphy_delayed_work_queue(local->hw.wiphy,
3693
						 &ifmgd->tx_tspec_wk,
3694
						 tx_tspec->time_slice_start +
3695
						 HZ - now + 1);
3696
			break;
3697
		case TX_TSPEC_ACTION_NONE:
3698
			/* nothing now */
3699
			break;
3700
		}
3701
	}
3702

3703
	return ret;
3704
}
3705

3706
void ieee80211_sta_handle_tspec_ac_params(struct ieee80211_sub_if_data *sdata)
3707
{
3708
	if (__ieee80211_sta_handle_tspec_ac_params(sdata))
3709
		ieee80211_link_info_change_notify(sdata, &sdata->deflink,
3710
						  BSS_CHANGED_QOS);
3711
}
3712

3713
static void ieee80211_sta_handle_tspec_ac_params_wk(struct wiphy *wiphy,
3714
						    struct wiphy_work *work)
3715
{
3716
	struct ieee80211_sub_if_data *sdata;
3717

3718
	sdata = container_of(work, struct ieee80211_sub_if_data,
3719
			     u.mgd.tx_tspec_wk.work);
3720
	ieee80211_sta_handle_tspec_ac_params(sdata);
3721
}
3722

3723
void ieee80211_mgd_set_link_qos_params(struct ieee80211_link_data *link)
3724
{
3725
	struct ieee80211_sub_if_data *sdata = link->sdata;
3726
	struct ieee80211_local *local = sdata->local;
3727
	struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
3728
	struct ieee80211_tx_queue_params *params = link->tx_conf;
3729
	u8 ac;
3730

3731
	for (ac = 0; ac < IEEE80211_NUM_ACS; ac++) {
3732
		mlme_dbg(sdata,
3733
			 "WMM AC=%d acm=%d aifs=%d cWmin=%d cWmax=%d txop=%d uapsd=%d, downgraded=%d\n",
3734
			 ac, params[ac].acm,
3735
			 params[ac].aifs, params[ac].cw_min, params[ac].cw_max,
3736
			 params[ac].txop, params[ac].uapsd,
3737
			 ifmgd->tx_tspec[ac].downgraded);
3738
		if (!ifmgd->tx_tspec[ac].downgraded &&
3739
		    drv_conf_tx(local, link, ac, &params[ac]))
3740
			link_err(link,
3741
				 "failed to set TX queue parameters for AC %d\n",
3742
				 ac);
3743
	}
3744
}
3745

3746
/* MLME */
3747
static bool
3748
_ieee80211_sta_wmm_params(struct ieee80211_local *local,
3749
			  struct ieee80211_link_data *link,
3750
			  const u8 *wmm_param, size_t wmm_param_len,
3751
			  const struct ieee80211_mu_edca_param_set *mu_edca)
3752
{
3753
	struct ieee80211_sub_if_data *sdata = link->sdata;
3754
	struct ieee80211_tx_queue_params params[IEEE80211_NUM_ACS];
3755
	struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
3756
	size_t left;
3757
	int count, mu_edca_count, ac;
3758
	const u8 *pos;
3759
	u8 uapsd_queues = 0;
3760

3761
	if (!local->ops->conf_tx)
3762
		return false;
3763

3764
	if (local->hw.queues < IEEE80211_NUM_ACS)
3765
		return false;
3766

3767
	if (!wmm_param)
3768
		return false;
3769

3770
	if (wmm_param_len < 8 || wmm_param[5] /* version */ != 1)
3771
		return false;
3772

3773
	if (ifmgd->flags & IEEE80211_STA_UAPSD_ENABLED)
3774
		uapsd_queues = ifmgd->uapsd_queues;
3775

3776
	count = wmm_param[6] & 0x0f;
3777
	/* -1 is the initial value of ifmgd->mu_edca_last_param_set.
3778
	 * if mu_edca was preset before and now it disappeared tell
3779
	 * the driver about it.
3780
	 */
3781
	mu_edca_count = mu_edca ? mu_edca->mu_qos_info & 0x0f : -1;
3782
	if (count == link->u.mgd.wmm_last_param_set &&
3783
	    mu_edca_count == link->u.mgd.mu_edca_last_param_set)
3784
		return false;
3785
	link->u.mgd.wmm_last_param_set = count;
3786
	link->u.mgd.mu_edca_last_param_set = mu_edca_count;
3787

3788
	pos = wmm_param + 8;
3789
	left = wmm_param_len - 8;
3790

3791
	memset(&params, 0, sizeof(params));
3792

3793
	sdata->wmm_acm = 0;
3794
	for (; left >= 4; left -= 4, pos += 4) {
3795
		int aci = (pos[0] >> 5) & 0x03;
3796
		int acm = (pos[0] >> 4) & 0x01;
3797
		bool uapsd = false;
3798

3799
		switch (aci) {
3800
		case 1: /* AC_BK */
3801
			ac = IEEE80211_AC_BK;
3802
			if (acm)
3803
				sdata->wmm_acm |= BIT(1) | BIT(2); /* BK/- */
3804
			if (uapsd_queues & IEEE80211_WMM_IE_STA_QOSINFO_AC_BK)
3805
				uapsd = true;
3806
			params[ac].mu_edca = !!mu_edca;
3807
			if (mu_edca)
3808
				params[ac].mu_edca_param_rec = mu_edca->ac_bk;
3809
			break;
3810
		case 2: /* AC_VI */
3811
			ac = IEEE80211_AC_VI;
3812
			if (acm)
3813
				sdata->wmm_acm |= BIT(4) | BIT(5); /* CL/VI */
3814
			if (uapsd_queues & IEEE80211_WMM_IE_STA_QOSINFO_AC_VI)
3815
				uapsd = true;
3816
			params[ac].mu_edca = !!mu_edca;
3817
			if (mu_edca)
3818
				params[ac].mu_edca_param_rec = mu_edca->ac_vi;
3819
			break;
3820
		case 3: /* AC_VO */
3821
			ac = IEEE80211_AC_VO;
3822
			if (acm)
3823
				sdata->wmm_acm |= BIT(6) | BIT(7); /* VO/NC */
3824
			if (uapsd_queues & IEEE80211_WMM_IE_STA_QOSINFO_AC_VO)
3825
				uapsd = true;
3826
			params[ac].mu_edca = !!mu_edca;
3827
			if (mu_edca)
3828
				params[ac].mu_edca_param_rec = mu_edca->ac_vo;
3829
			break;
3830
		case 0: /* AC_BE */
3831
		default:
3832
			ac = IEEE80211_AC_BE;
3833
			if (acm)
3834
				sdata->wmm_acm |= BIT(0) | BIT(3); /* BE/EE */
3835
			if (uapsd_queues & IEEE80211_WMM_IE_STA_QOSINFO_AC_BE)
3836
				uapsd = true;
3837
			params[ac].mu_edca = !!mu_edca;
3838
			if (mu_edca)
3839
				params[ac].mu_edca_param_rec = mu_edca->ac_be;
3840
			break;
3841
		}
3842

3843
		params[ac].aifs = pos[0] & 0x0f;
3844

3845
		if (params[ac].aifs < 2) {
3846
			link_info(link,
3847
				  "AP has invalid WMM params (AIFSN=%d for ACI %d), will use 2\n",
3848
				  params[ac].aifs, aci);
3849
			params[ac].aifs = 2;
3850
		}
3851
		params[ac].cw_max = ecw2cw((pos[1] & 0xf0) >> 4);
3852
		params[ac].cw_min = ecw2cw(pos[1] & 0x0f);
3853
		params[ac].txop = get_unaligned_le16(pos + 2);
3854
		params[ac].acm = acm;
3855
		params[ac].uapsd = uapsd;
3856

3857
		if (params[ac].cw_min == 0 ||
3858
		    params[ac].cw_min > params[ac].cw_max) {
3859
			link_info(link,
3860
				  "AP has invalid WMM params (CWmin/max=%d/%d for ACI %d), using defaults\n",
3861
				  params[ac].cw_min, params[ac].cw_max, aci);
3862
			return false;
3863
		}
3864
		ieee80211_regulatory_limit_wmm_params(sdata, &params[ac], ac);
3865
	}
3866

3867
	/* WMM specification requires all 4 ACIs. */
3868
	for (ac = 0; ac < IEEE80211_NUM_ACS; ac++) {
3869
		if (params[ac].cw_min == 0) {
3870
			link_info(link,
3871
				  "AP has invalid WMM params (missing AC %d), using defaults\n",
3872
				  ac);
3873
			return false;
3874
		}
3875
	}
3876

3877
	for (ac = 0; ac < IEEE80211_NUM_ACS; ac++)
3878
		link->tx_conf[ac] = params[ac];
3879

3880
	return true;
3881
}
3882

3883
static bool
3884
ieee80211_sta_wmm_params(struct ieee80211_local *local,
3885
			 struct ieee80211_link_data *link,
3886
			 const u8 *wmm_param, size_t wmm_param_len,
3887
			 const struct ieee80211_mu_edca_param_set *mu_edca)
3888
{
3889
	if (!_ieee80211_sta_wmm_params(local, link, wmm_param, wmm_param_len,
3890
				       mu_edca))
3891
		return false;
3892

3893
	ieee80211_mgd_set_link_qos_params(link);
3894

3895
	/* enable WMM or activate new settings */
3896
	link->conf->qos = true;
3897
	return true;
3898
}
3899

3900
static void __ieee80211_stop_poll(struct ieee80211_sub_if_data *sdata)
3901
{
3902
	lockdep_assert_wiphy(sdata->local->hw.wiphy);
3903

3904
	sdata->u.mgd.flags &= ~IEEE80211_STA_CONNECTION_POLL;
3905
	ieee80211_run_deferred_scan(sdata->local);
3906
}
3907

3908
static void ieee80211_stop_poll(struct ieee80211_sub_if_data *sdata)
3909
{
3910
	lockdep_assert_wiphy(sdata->local->hw.wiphy);
3911

3912
	__ieee80211_stop_poll(sdata);
3913
}
3914

3915
static u64 ieee80211_handle_bss_capability(struct ieee80211_link_data *link,
3916
					   u16 capab, bool erp_valid, u8 erp)
3917
{
3918
	struct ieee80211_bss_conf *bss_conf = link->conf;
3919
	struct ieee80211_supported_band *sband;
3920
	u64 changed = 0;
3921
	bool use_protection;
3922
	bool use_short_preamble;
3923
	bool use_short_slot;
3924

3925
	sband = ieee80211_get_link_sband(link);
3926
	if (!sband)
3927
		return changed;
3928

3929
	if (erp_valid) {
3930
		use_protection = (erp & WLAN_ERP_USE_PROTECTION) != 0;
3931
		use_short_preamble = (erp & WLAN_ERP_BARKER_PREAMBLE) == 0;
3932
	} else {
3933
		use_protection = false;
3934
		use_short_preamble = !!(capab & WLAN_CAPABILITY_SHORT_PREAMBLE);
3935
	}
3936

3937
	use_short_slot = !!(capab & WLAN_CAPABILITY_SHORT_SLOT_TIME);
3938
	if (sband->band == NL80211_BAND_5GHZ ||
3939
	    sband->band == NL80211_BAND_6GHZ)
3940
		use_short_slot = true;
3941

3942
	if (use_protection != bss_conf->use_cts_prot) {
3943
		bss_conf->use_cts_prot = use_protection;
3944
		changed |= BSS_CHANGED_ERP_CTS_PROT;
3945
	}
3946

3947
	if (use_short_preamble != bss_conf->use_short_preamble) {
3948
		bss_conf->use_short_preamble = use_short_preamble;
3949
		changed |= BSS_CHANGED_ERP_PREAMBLE;
3950
	}
3951

3952
	if (use_short_slot != bss_conf->use_short_slot) {
3953
		bss_conf->use_short_slot = use_short_slot;
3954
		changed |= BSS_CHANGED_ERP_SLOT;
3955
	}
3956

3957
	return changed;
3958
}
3959

3960
static u64 ieee80211_link_set_associated(struct ieee80211_link_data *link,
3961
					 struct cfg80211_bss *cbss)
3962
{
3963
	struct ieee80211_sub_if_data *sdata = link->sdata;
3964
	struct ieee80211_bss_conf *bss_conf = link->conf;
3965
	struct ieee80211_bss *bss = (void *)cbss->priv;
3966
	u64 changed = BSS_CHANGED_QOS;
3967

3968
	/* not really used in MLO */
3969
	sdata->u.mgd.beacon_timeout =
3970
		usecs_to_jiffies(ieee80211_tu_to_usec(beacon_loss_count *
3971
						      bss_conf->beacon_int));
3972

3973
	changed |= ieee80211_handle_bss_capability(link,
3974
						   bss_conf->assoc_capability,
3975
						   bss->has_erp_value,
3976
						   bss->erp_value);
3977

3978
	ieee80211_check_rate_mask(link);
3979

3980
	link->conf->bss = cbss;
3981
	memcpy(link->u.mgd.bssid, cbss->bssid, ETH_ALEN);
3982

3983
	if (sdata->vif.p2p ||
3984
	    sdata->vif.driver_flags & IEEE80211_VIF_GET_NOA_UPDATE) {
3985
		const struct cfg80211_bss_ies *ies;
3986

3987
		rcu_read_lock();
3988
		ies = rcu_dereference(cbss->ies);
3989
		if (ies) {
3990
			int ret;
3991

3992
			ret = cfg80211_get_p2p_attr(
3993
					ies->data, ies->len,
3994
					IEEE80211_P2P_ATTR_ABSENCE_NOTICE,
3995
					(u8 *) &bss_conf->p2p_noa_attr,
3996
					sizeof(bss_conf->p2p_noa_attr));
3997
			if (ret >= 2) {
3998
				link->u.mgd.p2p_noa_index =
3999
					bss_conf->p2p_noa_attr.index;
4000
				changed |= BSS_CHANGED_P2P_PS;
4001
			}
4002
		}
4003
		rcu_read_unlock();
4004
	}
4005

4006
	if (link->u.mgd.have_beacon) {
4007
		bss_conf->beacon_rate = bss->beacon_rate;
4008
		changed |= BSS_CHANGED_BEACON_INFO;
4009
	} else {
4010
		bss_conf->beacon_rate = NULL;
4011
	}
4012

4013
	/* Tell the driver to monitor connection quality (if supported) */
4014
	if (sdata->vif.driver_flags & IEEE80211_VIF_SUPPORTS_CQM_RSSI &&
4015
	    bss_conf->cqm_rssi_thold)
4016
		changed |= BSS_CHANGED_CQM;
4017

4018
	return changed;
4019
}
4020

4021
static void ieee80211_set_associated(struct ieee80211_sub_if_data *sdata,
4022
				     struct ieee80211_mgd_assoc_data *assoc_data,
4023
				     u64 changed[IEEE80211_MLD_MAX_NUM_LINKS])
4024
{
4025
	struct ieee80211_local *local = sdata->local;
4026
	struct ieee80211_vif_cfg *vif_cfg = &sdata->vif.cfg;
4027
	u64 vif_changed = BSS_CHANGED_ASSOC;
4028
	unsigned int link_id;
4029

4030
	lockdep_assert_wiphy(local->hw.wiphy);
4031

4032
	sdata->u.mgd.associated = true;
4033

4034
	for (link_id = 0; link_id < IEEE80211_MLD_MAX_NUM_LINKS; link_id++) {
4035
		struct cfg80211_bss *cbss = assoc_data->link[link_id].bss;
4036
		struct ieee80211_link_data *link;
4037

4038
		if (!cbss ||
4039
		    assoc_data->link[link_id].status != WLAN_STATUS_SUCCESS)
4040
			continue;
4041

4042
		if (ieee80211_vif_is_mld(&sdata->vif) &&
4043
		    !(ieee80211_vif_usable_links(&sdata->vif) & BIT(link_id)))
4044
			continue;
4045

4046
		link = sdata_dereference(sdata->link[link_id], sdata);
4047
		if (WARN_ON(!link))
4048
			return;
4049

4050
		changed[link_id] |= ieee80211_link_set_associated(link, cbss);
4051
	}
4052

4053
	/* just to be sure */
4054
	ieee80211_stop_poll(sdata);
4055

4056
	ieee80211_led_assoc(local, 1);
4057

4058
	vif_cfg->assoc = 1;
4059

4060
	/* Enable ARP filtering */
4061
	if (vif_cfg->arp_addr_cnt)
4062
		vif_changed |= BSS_CHANGED_ARP_FILTER;
4063

4064
	if (ieee80211_vif_is_mld(&sdata->vif)) {
4065
		for (link_id = 0;
4066
		     link_id < IEEE80211_MLD_MAX_NUM_LINKS;
4067
		     link_id++) {
4068
			struct ieee80211_link_data *link;
4069
			struct cfg80211_bss *cbss = assoc_data->link[link_id].bss;
4070

4071
			if (!cbss ||
4072
			    !(BIT(link_id) &
4073
			      ieee80211_vif_usable_links(&sdata->vif)) ||
4074
			    assoc_data->link[link_id].status != WLAN_STATUS_SUCCESS)
4075
				continue;
4076

4077
			link = sdata_dereference(sdata->link[link_id], sdata);
4078
			if (WARN_ON(!link))
4079
				return;
4080

4081
			ieee80211_link_info_change_notify(sdata, link,
4082
							  changed[link_id]);
4083

4084
			ieee80211_recalc_smps(sdata, link);
4085
		}
4086

4087
		ieee80211_vif_cfg_change_notify(sdata, vif_changed);
4088
	} else {
4089
		ieee80211_bss_info_change_notify(sdata,
4090
						 vif_changed | changed[0]);
4091
	}
4092

4093
	ieee80211_recalc_ps(local);
4094

4095
	/* leave this here to not change ordering in non-MLO cases */
4096
	if (!ieee80211_vif_is_mld(&sdata->vif))
4097
		ieee80211_recalc_smps(sdata, &sdata->deflink);
4098
	ieee80211_recalc_ps_vif(sdata);
4099

4100
	netif_carrier_on(sdata->dev);
4101
}
4102

4103
static void ieee80211_ml_reconf_reset(struct ieee80211_sub_if_data *sdata)
4104
{
4105
	struct ieee80211_mgd_assoc_data *add_links_data =
4106
		sdata->u.mgd.reconf.add_links_data;
4107

4108
	if (!ieee80211_vif_is_mld(&sdata->vif) ||
4109
	    !(sdata->u.mgd.reconf.added_links |
4110
	      sdata->u.mgd.reconf.removed_links))
4111
		return;
4112

4113
	wiphy_delayed_work_cancel(sdata->local->hw.wiphy,
4114
				  &sdata->u.mgd.reconf.wk);
4115
	sdata->u.mgd.reconf.added_links = 0;
4116
	sdata->u.mgd.reconf.removed_links = 0;
4117
	sdata->u.mgd.reconf.dialog_token = 0;
4118

4119
	if (add_links_data) {
4120
		struct cfg80211_mlo_reconf_done_data done_data = {};
4121
		u8 link_id;
4122

4123
		for (link_id = 0; link_id < IEEE80211_MLD_MAX_NUM_LINKS;
4124
		     link_id++)
4125
			done_data.links[link_id].bss =
4126
				add_links_data->link[link_id].bss;
4127

4128
		cfg80211_mlo_reconf_add_done(sdata->dev, &done_data);
4129

4130
		kfree(sdata->u.mgd.reconf.add_links_data);
4131
		sdata->u.mgd.reconf.add_links_data = NULL;
4132
	}
4133
}
4134

4135
static void ieee80211_set_disassoc(struct ieee80211_sub_if_data *sdata,
4136
				   u16 stype, u16 reason, bool tx,
4137
				   u8 *frame_buf)
4138
{
4139
	struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
4140
	struct ieee80211_local *local = sdata->local;
4141
	struct sta_info *ap_sta = sta_info_get(sdata, sdata->vif.cfg.ap_addr);
4142
	unsigned int link_id;
4143
	u64 changed = 0;
4144
	struct ieee80211_prep_tx_info info = {
4145
		.subtype = stype,
4146
		.was_assoc = true,
4147
		.link_id = ffs(sdata->vif.active_links) - 1,
4148
	};
4149

4150
	lockdep_assert_wiphy(local->hw.wiphy);
4151

4152
	if (frame_buf)
4153
		memset(frame_buf, 0, IEEE80211_DEAUTH_FRAME_LEN);
4154

4155
	if (WARN_ON(!ap_sta))
4156
		return;
4157

4158
	if (WARN_ON_ONCE(tx && !frame_buf))
4159
		return;
4160

4161
	if (WARN_ON(!ifmgd->associated))
4162
		return;
4163

4164
	ieee80211_stop_poll(sdata);
4165

4166
	ifmgd->associated = false;
4167

4168
	if (tx) {
4169
		bool tx_link_found = false;
4170

4171
		for (link_id = 0;
4172
		     link_id < ARRAY_SIZE(sdata->link);
4173
		     link_id++) {
4174
			struct ieee80211_link_data *link;
4175

4176
			if (!ieee80211_vif_link_active(&sdata->vif, link_id))
4177
				continue;
4178

4179
			link = sdata_dereference(sdata->link[link_id], sdata);
4180
			if (WARN_ON_ONCE(!link))
4181
				continue;
4182

4183
			if (link->u.mgd.csa.blocked_tx)
4184
				continue;
4185

4186
			tx_link_found = true;
4187
			break;
4188
		}
4189

4190
		tx = tx_link_found;
4191
	}
4192

4193
	/* other links will be destroyed */
4194
	sdata->deflink.conf->bss = NULL;
4195
	sdata->deflink.conf->epcs_support = false;
4196
	sdata->deflink.smps_mode = IEEE80211_SMPS_OFF;
4197

4198
	netif_carrier_off(sdata->dev);
4199

4200
	/*
4201
	 * if we want to get out of ps before disassoc (why?) we have
4202
	 * to do it before sending disassoc, as otherwise the null-packet
4203
	 * won't be valid.
4204
	 */
4205
	if (local->hw.conf.flags & IEEE80211_CONF_PS) {
4206
		local->hw.conf.flags &= ~IEEE80211_CONF_PS;
4207
		ieee80211_hw_config(local, -1, IEEE80211_CONF_CHANGE_PS);
4208
	}
4209
	local->ps_sdata = NULL;
4210

4211
	/* disable per-vif ps */
4212
	ieee80211_recalc_ps_vif(sdata);
4213

4214
	/* make sure ongoing transmission finishes */
4215
	synchronize_net();
4216

4217
	/*
4218
	 * drop any frame before deauth/disassoc, this can be data or
4219
	 * management frame. Since we are disconnecting, we should not
4220
	 * insist sending these frames which can take time and delay
4221
	 * the disconnection and possible the roaming.
4222
	 */
4223
	ieee80211_flush_queues(local, sdata, true);
4224

4225
	if (tx) {
4226
		drv_mgd_prepare_tx(sdata->local, sdata, &info);
4227

4228
		ieee80211_send_deauth_disassoc(sdata, sdata->vif.cfg.ap_addr,
4229
					       sdata->vif.cfg.ap_addr, stype,
4230
					       reason, true, frame_buf);
4231

4232
		/* flush out frame - make sure the deauth was actually sent */
4233
		ieee80211_flush_queues(local, sdata, false);
4234

4235
		drv_mgd_complete_tx(sdata->local, sdata, &info);
4236
	} else if (frame_buf) {
4237
		ieee80211_send_deauth_disassoc(sdata, sdata->vif.cfg.ap_addr,
4238
					       sdata->vif.cfg.ap_addr, stype,
4239
					       reason, false, frame_buf);
4240
	}
4241

4242
	/* clear AP addr only after building the needed mgmt frames */
4243
	eth_zero_addr(sdata->deflink.u.mgd.bssid);
4244
	eth_zero_addr(sdata->vif.cfg.ap_addr);
4245

4246
	sdata->vif.cfg.ssid_len = 0;
4247

4248
	/* Remove TDLS peers */
4249
	__sta_info_flush(sdata, false, -1, ap_sta);
4250

4251
	if (sdata->vif.driver_flags & IEEE80211_VIF_REMOVE_AP_AFTER_DISASSOC) {
4252
		/* Only move the AP state */
4253
		sta_info_move_state(ap_sta, IEEE80211_STA_NONE);
4254
	} else {
4255
		/* Remove AP peer */
4256
		sta_info_flush(sdata, -1);
4257
	}
4258

4259
	/* finally reset all BSS / config parameters */
4260
	if (!ieee80211_vif_is_mld(&sdata->vif))
4261
		changed |= ieee80211_reset_erp_info(sdata);
4262

4263
	ieee80211_led_assoc(local, 0);
4264
	changed |= BSS_CHANGED_ASSOC;
4265
	sdata->vif.cfg.assoc = false;
4266

4267
	sdata->deflink.u.mgd.p2p_noa_index = -1;
4268
	memset(&sdata->vif.bss_conf.p2p_noa_attr, 0,
4269
	       sizeof(sdata->vif.bss_conf.p2p_noa_attr));
4270

4271
	/* on the next assoc, re-program HT/VHT parameters */
4272
	memset(&ifmgd->ht_capa, 0, sizeof(ifmgd->ht_capa));
4273
	memset(&ifmgd->ht_capa_mask, 0, sizeof(ifmgd->ht_capa_mask));
4274
	memset(&ifmgd->vht_capa, 0, sizeof(ifmgd->vht_capa));
4275
	memset(&ifmgd->vht_capa_mask, 0, sizeof(ifmgd->vht_capa_mask));
4276

4277
	/*
4278
	 * reset MU-MIMO ownership and group data in default link,
4279
	 * if used, other links are destroyed
4280
	 */
4281
	memset(sdata->vif.bss_conf.mu_group.membership, 0,
4282
	       sizeof(sdata->vif.bss_conf.mu_group.membership));
4283
	memset(sdata->vif.bss_conf.mu_group.position, 0,
4284
	       sizeof(sdata->vif.bss_conf.mu_group.position));
4285
	if (!ieee80211_vif_is_mld(&sdata->vif))
4286
		changed |= BSS_CHANGED_MU_GROUPS;
4287
	sdata->vif.bss_conf.mu_mimo_owner = false;
4288

4289
	sdata->deflink.ap_power_level = IEEE80211_UNSET_POWER_LEVEL;
4290

4291
	timer_delete_sync(&local->dynamic_ps_timer);
4292
	wiphy_work_cancel(local->hw.wiphy, &local->dynamic_ps_enable_work);
4293

4294
	/* Disable ARP filtering */
4295
	if (sdata->vif.cfg.arp_addr_cnt)
4296
		changed |= BSS_CHANGED_ARP_FILTER;
4297

4298
	sdata->vif.bss_conf.qos = false;
4299
	if (!ieee80211_vif_is_mld(&sdata->vif)) {
4300
		changed |= BSS_CHANGED_QOS;
4301
		/* The BSSID (not really interesting) and HT changed */
4302
		changed |= BSS_CHANGED_BSSID | BSS_CHANGED_HT;
4303
		ieee80211_bss_info_change_notify(sdata, changed);
4304
	} else {
4305
		ieee80211_vif_cfg_change_notify(sdata, changed);
4306
	}
4307

4308
	if (sdata->vif.driver_flags & IEEE80211_VIF_REMOVE_AP_AFTER_DISASSOC) {
4309
		/*
4310
		 * After notifying the driver about the disassoc,
4311
		 * remove the ap sta.
4312
		 */
4313
		sta_info_flush(sdata, -1);
4314
	}
4315

4316
	/* disassociated - set to defaults now */
4317
	ieee80211_set_wmm_default(&sdata->deflink, false, false);
4318

4319
	timer_delete_sync(&sdata->u.mgd.conn_mon_timer);
4320
	timer_delete_sync(&sdata->u.mgd.bcn_mon_timer);
4321
	timer_delete_sync(&sdata->u.mgd.timer);
4322

4323
	sdata->vif.bss_conf.dtim_period = 0;
4324
	sdata->vif.bss_conf.beacon_rate = NULL;
4325

4326
	sdata->deflink.u.mgd.have_beacon = false;
4327
	sdata->deflink.u.mgd.tracking_signal_avg = false;
4328
	sdata->deflink.u.mgd.disable_wmm_tracking = false;
4329

4330
	ifmgd->flags = 0;
4331

4332
	for (link_id = 0; link_id < ARRAY_SIZE(sdata->link); link_id++) {
4333
		struct ieee80211_link_data *link;
4334

4335
		link = sdata_dereference(sdata->link[link_id], sdata);
4336
		if (!link)
4337
			continue;
4338
		ieee80211_link_release_channel(link);
4339
	}
4340

4341
	sdata->vif.bss_conf.csa_active = false;
4342
	sdata->deflink.u.mgd.csa.blocked_tx = false;
4343
	sdata->deflink.u.mgd.csa.waiting_bcn = false;
4344
	sdata->deflink.u.mgd.csa.ignored_same_chan = false;
4345
	ieee80211_vif_unblock_queues_csa(sdata);
4346

4347
	/* existing TX TSPEC sessions no longer exist */
4348
	memset(ifmgd->tx_tspec, 0, sizeof(ifmgd->tx_tspec));
4349
	wiphy_delayed_work_cancel(local->hw.wiphy, &ifmgd->tx_tspec_wk);
4350

4351
	sdata->vif.bss_conf.power_type = IEEE80211_REG_UNSET_AP;
4352
	sdata->vif.bss_conf.pwr_reduction = 0;
4353
	ieee80211_clear_tpe(&sdata->vif.bss_conf.tpe);
4354

4355
	sdata->vif.cfg.eml_cap = 0;
4356
	sdata->vif.cfg.eml_med_sync_delay = 0;
4357
	sdata->vif.cfg.mld_capa_op = 0;
4358

4359
	memset(&sdata->u.mgd.ttlm_info, 0,
4360
	       sizeof(sdata->u.mgd.ttlm_info));
4361
	wiphy_hrtimer_work_cancel(sdata->local->hw.wiphy, &ifmgd->ttlm_work);
4362

4363
	memset(&sdata->vif.neg_ttlm, 0, sizeof(sdata->vif.neg_ttlm));
4364
	wiphy_delayed_work_cancel(sdata->local->hw.wiphy,
4365
				  &ifmgd->neg_ttlm_timeout_work);
4366

4367
	sdata->u.mgd.removed_links = 0;
4368
	wiphy_hrtimer_work_cancel(sdata->local->hw.wiphy,
4369
				  &sdata->u.mgd.ml_reconf_work);
4370

4371
	wiphy_work_cancel(sdata->local->hw.wiphy,
4372
			  &ifmgd->teardown_ttlm_work);
4373

4374
	/* if disconnection happens in the middle of the ML reconfiguration
4375
	 * flow, cfg80211 must called to release the BSS references obtained
4376
	 * when the flow started.
4377
	 */
4378
	ieee80211_ml_reconf_reset(sdata);
4379

4380
	ieee80211_vif_set_links(sdata, 0, 0);
4381

4382
	ifmgd->mcast_seq_last = IEEE80211_SN_MODULO;
4383

4384
	ifmgd->epcs.enabled = false;
4385
	ifmgd->epcs.dialog_token = 0;
4386

4387
	memset(ifmgd->userspace_selectors, 0,
4388
	       sizeof(ifmgd->userspace_selectors));
4389
}
4390

4391
static void ieee80211_reset_ap_probe(struct ieee80211_sub_if_data *sdata)
4392
{
4393
	struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
4394
	struct ieee80211_local *local = sdata->local;
4395

4396
	lockdep_assert_wiphy(local->hw.wiphy);
4397

4398
	if (!(ifmgd->flags & IEEE80211_STA_CONNECTION_POLL))
4399
		return;
4400

4401
	__ieee80211_stop_poll(sdata);
4402

4403
	ieee80211_recalc_ps(local);
4404

4405
	if (ieee80211_hw_check(&sdata->local->hw, CONNECTION_MONITOR))
4406
		return;
4407

4408
	/*
4409
	 * We've received a probe response, but are not sure whether
4410
	 * we have or will be receiving any beacons or data, so let's
4411
	 * schedule the timers again, just in case.
4412
	 */
4413
	ieee80211_sta_reset_beacon_monitor(sdata);
4414

4415
	mod_timer(&ifmgd->conn_mon_timer,
4416
		  round_jiffies_up(jiffies +
4417
				   IEEE80211_CONNECTION_IDLE_TIME));
4418
}
4419

4420
static void ieee80211_sta_tx_wmm_ac_notify(struct ieee80211_sub_if_data *sdata,
4421
					   struct ieee80211_hdr *hdr,
4422
					   u16 tx_time)
4423
{
4424
	struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
4425
	u16 tid;
4426
	int ac;
4427
	struct ieee80211_sta_tx_tspec *tx_tspec;
4428
	unsigned long now = jiffies;
4429

4430
	if (!ieee80211_is_data_qos(hdr->frame_control))
4431
		return;
4432

4433
	tid = ieee80211_get_tid(hdr);
4434
	ac = ieee80211_ac_from_tid(tid);
4435
	tx_tspec = &ifmgd->tx_tspec[ac];
4436

4437
	if (likely(!tx_tspec->admitted_time))
4438
		return;
4439

4440
	if (time_after(now, tx_tspec->time_slice_start + HZ)) {
4441
		tx_tspec->consumed_tx_time = 0;
4442
		tx_tspec->time_slice_start = now;
4443

4444
		if (tx_tspec->downgraded) {
4445
			tx_tspec->action = TX_TSPEC_ACTION_STOP_DOWNGRADE;
4446
			wiphy_delayed_work_queue(sdata->local->hw.wiphy,
4447
						 &ifmgd->tx_tspec_wk, 0);
4448
		}
4449
	}
4450

4451
	if (tx_tspec->downgraded)
4452
		return;
4453

4454
	tx_tspec->consumed_tx_time += tx_time;
4455

4456
	if (tx_tspec->consumed_tx_time >= tx_tspec->admitted_time) {
4457
		tx_tspec->downgraded = true;
4458
		tx_tspec->action = TX_TSPEC_ACTION_DOWNGRADE;
4459
		wiphy_delayed_work_queue(sdata->local->hw.wiphy,
4460
					 &ifmgd->tx_tspec_wk, 0);
4461
	}
4462
}
4463

4464
void ieee80211_sta_tx_notify(struct ieee80211_sub_if_data *sdata,
4465
			     struct ieee80211_hdr *hdr, bool ack, u16 tx_time)
4466
{
4467
	ieee80211_sta_tx_wmm_ac_notify(sdata, hdr, tx_time);
4468

4469
	if (!ieee80211_is_any_nullfunc(hdr->frame_control) ||
4470
	    !sdata->u.mgd.probe_send_count)
4471
		return;
4472

4473
	if (ack)
4474
		sdata->u.mgd.probe_send_count = 0;
4475
	else
4476
		sdata->u.mgd.nullfunc_failed = true;
4477
	wiphy_work_queue(sdata->local->hw.wiphy, &sdata->work);
4478
}
4479

4480
static void ieee80211_mlme_send_probe_req(struct ieee80211_sub_if_data *sdata,
4481
					  const u8 *src, const u8 *dst,
4482
					  const u8 *ssid, size_t ssid_len,
4483
					  struct ieee80211_channel *channel)
4484
{
4485
	struct sk_buff *skb;
4486

4487
	skb = ieee80211_build_probe_req(sdata, src, dst, (u32)-1, channel,
4488
					ssid, ssid_len, NULL, 0,
4489
					IEEE80211_PROBE_FLAG_DIRECTED);
4490
	if (skb)
4491
		ieee80211_tx_skb(sdata, skb);
4492
}
4493

4494
static void ieee80211_mgd_probe_ap_send(struct ieee80211_sub_if_data *sdata)
4495
{
4496
	struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
4497
	u8 *dst = sdata->vif.cfg.ap_addr;
4498
	u8 unicast_limit = max(1, max_probe_tries - 3);
4499
	struct sta_info *sta;
4500

4501
	lockdep_assert_wiphy(sdata->local->hw.wiphy);
4502

4503
	/*
4504
	 * Try sending broadcast probe requests for the last three
4505
	 * probe requests after the first ones failed since some
4506
	 * buggy APs only support broadcast probe requests.
4507
	 */
4508
	if (ifmgd->probe_send_count >= unicast_limit)
4509
		dst = NULL;
4510

4511
	/*
4512
	 * When the hardware reports an accurate Tx ACK status, it's
4513
	 * better to send a nullfunc frame instead of a probe request,
4514
	 * as it will kick us off the AP quickly if we aren't associated
4515
	 * anymore. The timeout will be reset if the frame is ACKed by
4516
	 * the AP.
4517
	 */
4518
	ifmgd->probe_send_count++;
4519

4520
	if (dst) {
4521
		sta = sta_info_get(sdata, dst);
4522
		if (!WARN_ON(!sta))
4523
			ieee80211_check_fast_rx(sta);
4524
	}
4525

4526
	if (ieee80211_hw_check(&sdata->local->hw, REPORTS_TX_ACK_STATUS)) {
4527
		ifmgd->nullfunc_failed = false;
4528
		ieee80211_send_nullfunc(sdata->local, sdata, false);
4529
	} else {
4530
		ieee80211_mlme_send_probe_req(sdata, sdata->vif.addr, dst,
4531
					      sdata->vif.cfg.ssid,
4532
					      sdata->vif.cfg.ssid_len,
4533
					      sdata->deflink.conf->bss->channel);
4534
	}
4535

4536
	ifmgd->probe_timeout = jiffies + msecs_to_jiffies(probe_wait_ms);
4537
	run_again(sdata, ifmgd->probe_timeout);
4538
}
4539

4540
static void ieee80211_mgd_probe_ap(struct ieee80211_sub_if_data *sdata,
4541
				   bool beacon)
4542
{
4543
	struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
4544
	bool already = false;
4545

4546
	lockdep_assert_wiphy(sdata->local->hw.wiphy);
4547

4548
	if (!ieee80211_sdata_running(sdata))
4549
		return;
4550

4551
	if (!ifmgd->associated)
4552
		return;
4553

4554
	if (sdata->local->tmp_channel || sdata->local->scanning)
4555
		return;
4556

4557
	if (sdata->local->suspending) {
4558
		/* reschedule after resume */
4559
		ieee80211_reset_ap_probe(sdata);
4560
		return;
4561
	}
4562

4563
	if (beacon) {
4564
		mlme_dbg_ratelimited(sdata,
4565
				     "detected beacon loss from AP (missed %d beacons) - probing\n",
4566
				     beacon_loss_count);
4567

4568
		ieee80211_cqm_beacon_loss_notify(&sdata->vif, GFP_KERNEL);
4569
	}
4570

4571
	/*
4572
	 * The driver/our work has already reported this event or the
4573
	 * connection monitoring has kicked in and we have already sent
4574
	 * a probe request. Or maybe the AP died and the driver keeps
4575
	 * reporting until we disassociate...
4576
	 *
4577
	 * In either case we have to ignore the current call to this
4578
	 * function (except for setting the correct probe reason bit)
4579
	 * because otherwise we would reset the timer every time and
4580
	 * never check whether we received a probe response!
4581
	 */
4582
	if (ifmgd->flags & IEEE80211_STA_CONNECTION_POLL)
4583
		already = true;
4584

4585
	ifmgd->flags |= IEEE80211_STA_CONNECTION_POLL;
4586

4587
	if (already)
4588
		return;
4589

4590
	ieee80211_recalc_ps(sdata->local);
4591

4592
	ifmgd->probe_send_count = 0;
4593
	ieee80211_mgd_probe_ap_send(sdata);
4594
}
4595

4596
struct sk_buff *ieee80211_ap_probereq_get(struct ieee80211_hw *hw,
4597
					  struct ieee80211_vif *vif)
4598
{
4599
	struct ieee80211_sub_if_data *sdata = vif_to_sdata(vif);
4600
	struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
4601
	struct cfg80211_bss *cbss;
4602
	struct sk_buff *skb;
4603
	const struct element *ssid;
4604
	int ssid_len;
4605

4606
	lockdep_assert_wiphy(sdata->local->hw.wiphy);
4607

4608
	if (WARN_ON(sdata->vif.type != NL80211_IFTYPE_STATION ||
4609
		    ieee80211_vif_is_mld(&sdata->vif)))
4610
		return NULL;
4611

4612
	if (ifmgd->associated)
4613
		cbss = sdata->deflink.conf->bss;
4614
	else if (ifmgd->auth_data)
4615
		cbss = ifmgd->auth_data->bss;
4616
	else if (ifmgd->assoc_data && ifmgd->assoc_data->link[0].bss)
4617
		cbss = ifmgd->assoc_data->link[0].bss;
4618
	else
4619
		return NULL;
4620

4621
	rcu_read_lock();
4622
	ssid = ieee80211_bss_get_elem(cbss, WLAN_EID_SSID);
4623
	if (WARN_ONCE(!ssid || ssid->datalen > IEEE80211_MAX_SSID_LEN,
4624
		      "invalid SSID element (len=%d)",
4625
		      ssid ? ssid->datalen : -1))
4626
		ssid_len = 0;
4627
	else
4628
		ssid_len = ssid->datalen;
4629

4630
	skb = ieee80211_build_probe_req(sdata, sdata->vif.addr, cbss->bssid,
4631
					(u32) -1, cbss->channel,
4632
					ssid->data, ssid_len,
4633
					NULL, 0, IEEE80211_PROBE_FLAG_DIRECTED);
4634
	rcu_read_unlock();
4635

4636
	return skb;
4637
}
4638
EXPORT_SYMBOL(ieee80211_ap_probereq_get);
4639

4640
static void ieee80211_report_disconnect(struct ieee80211_sub_if_data *sdata,
4641
					const u8 *buf, size_t len, bool tx,
4642
					u16 reason, bool reconnect)
4643
{
4644
	struct ieee80211_event event = {
4645
		.type = MLME_EVENT,
4646
		.u.mlme.data = tx ? DEAUTH_TX_EVENT : DEAUTH_RX_EVENT,
4647
		.u.mlme.reason = reason,
4648
	};
4649

4650
	if (tx)
4651
		cfg80211_tx_mlme_mgmt(sdata->dev, buf, len, reconnect);
4652
	else
4653
		cfg80211_rx_mlme_mgmt(sdata->dev, buf, len);
4654

4655
	drv_event_callback(sdata->local, sdata, &event);
4656
}
4657

4658
static void __ieee80211_disconnect(struct ieee80211_sub_if_data *sdata)
4659
{
4660
	struct ieee80211_local *local = sdata->local;
4661
	struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
4662
	u8 frame_buf[IEEE80211_DEAUTH_FRAME_LEN];
4663

4664
	lockdep_assert_wiphy(local->hw.wiphy);
4665

4666
	if (!ifmgd->associated)
4667
		return;
4668

4669
	if (!ifmgd->driver_disconnect) {
4670
		unsigned int link_id;
4671

4672
		/*
4673
		 * AP is probably out of range (or not reachable for another
4674
		 * reason) so remove the bss structs for that AP. In the case
4675
		 * of multi-link, it's not clear that all of them really are
4676
		 * out of range, but if they weren't the driver likely would
4677
		 * have switched to just have a single link active?
4678
		 */
4679
		for (link_id = 0;
4680
		     link_id < ARRAY_SIZE(sdata->link);
4681
		     link_id++) {
4682
			struct ieee80211_link_data *link;
4683

4684
			link = sdata_dereference(sdata->link[link_id], sdata);
4685
			if (!link || !link->conf->bss)
4686
				continue;
4687
			cfg80211_unlink_bss(local->hw.wiphy, link->conf->bss);
4688
			link->conf->bss = NULL;
4689
		}
4690
	}
4691

4692
	ieee80211_set_disassoc(sdata, IEEE80211_STYPE_DEAUTH,
4693
			       ifmgd->driver_disconnect ?
4694
					WLAN_REASON_DEAUTH_LEAVING :
4695
					WLAN_REASON_DISASSOC_DUE_TO_INACTIVITY,
4696
			       true, frame_buf);
4697
	/* the other links will be destroyed */
4698
	sdata->vif.bss_conf.csa_active = false;
4699
	sdata->deflink.u.mgd.csa.waiting_bcn = false;
4700
	sdata->deflink.u.mgd.csa.blocked_tx = false;
4701
	ieee80211_vif_unblock_queues_csa(sdata);
4702

4703
	ieee80211_report_disconnect(sdata, frame_buf, sizeof(frame_buf), true,
4704
				    WLAN_REASON_DISASSOC_DUE_TO_INACTIVITY,
4705
				    ifmgd->reconnect);
4706
	ifmgd->reconnect = false;
4707
}
4708

4709
static void ieee80211_beacon_connection_loss_work(struct wiphy *wiphy,
4710
						  struct wiphy_work *work)
4711
{
4712
	struct ieee80211_sub_if_data *sdata =
4713
		container_of(work, struct ieee80211_sub_if_data,
4714
			     u.mgd.beacon_connection_loss_work);
4715
	struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
4716

4717
	if (ifmgd->connection_loss) {
4718
		sdata_info(sdata, "Connection to AP %pM lost\n",
4719
			   sdata->vif.cfg.ap_addr);
4720
		__ieee80211_disconnect(sdata);
4721
		ifmgd->connection_loss = false;
4722
	} else if (ifmgd->driver_disconnect) {
4723
		sdata_info(sdata,
4724
			   "Driver requested disconnection from AP %pM\n",
4725
			   sdata->vif.cfg.ap_addr);
4726
		__ieee80211_disconnect(sdata);
4727
		ifmgd->driver_disconnect = false;
4728
	} else {
4729
		if (ifmgd->associated)
4730
			sdata->deflink.u.mgd.beacon_loss_count++;
4731
		ieee80211_mgd_probe_ap(sdata, true);
4732
	}
4733
}
4734

4735
static void ieee80211_csa_connection_drop_work(struct wiphy *wiphy,
4736
					       struct wiphy_work *work)
4737
{
4738
	struct ieee80211_sub_if_data *sdata =
4739
		container_of(work, struct ieee80211_sub_if_data,
4740
			     u.mgd.csa_connection_drop_work);
4741

4742
	__ieee80211_disconnect(sdata);
4743
}
4744

4745
void ieee80211_beacon_loss(struct ieee80211_vif *vif)
4746
{
4747
	struct ieee80211_sub_if_data *sdata = vif_to_sdata(vif);
4748
	struct ieee80211_hw *hw = &sdata->local->hw;
4749

4750
	trace_api_beacon_loss(sdata);
4751

4752
	sdata->u.mgd.connection_loss = false;
4753
	wiphy_work_queue(hw->wiphy, &sdata->u.mgd.beacon_connection_loss_work);
4754
}
4755
EXPORT_SYMBOL(ieee80211_beacon_loss);
4756

4757
void ieee80211_connection_loss(struct ieee80211_vif *vif)
4758
{
4759
	struct ieee80211_sub_if_data *sdata;
4760
	struct ieee80211_hw *hw;
4761

4762
	KUNIT_STATIC_STUB_REDIRECT(ieee80211_connection_loss, vif);
4763

4764
	sdata = vif_to_sdata(vif);
4765
	hw = &sdata->local->hw;
4766

4767
	trace_api_connection_loss(sdata);
4768

4769
	sdata->u.mgd.connection_loss = true;
4770
	wiphy_work_queue(hw->wiphy, &sdata->u.mgd.beacon_connection_loss_work);
4771
}
4772
EXPORT_SYMBOL(ieee80211_connection_loss);
4773

4774
void ieee80211_disconnect(struct ieee80211_vif *vif, bool reconnect)
4775
{
4776
	struct ieee80211_sub_if_data *sdata = vif_to_sdata(vif);
4777
	struct ieee80211_hw *hw = &sdata->local->hw;
4778

4779
	trace_api_disconnect(sdata, reconnect);
4780

4781
	if (WARN_ON(sdata->vif.type != NL80211_IFTYPE_STATION))
4782
		return;
4783

4784
	sdata->u.mgd.driver_disconnect = true;
4785
	sdata->u.mgd.reconnect = reconnect;
4786
	wiphy_work_queue(hw->wiphy, &sdata->u.mgd.beacon_connection_loss_work);
4787
}
4788
EXPORT_SYMBOL(ieee80211_disconnect);
4789

4790
static void ieee80211_destroy_auth_data(struct ieee80211_sub_if_data *sdata,
4791
					bool assoc)
4792
{
4793
	struct ieee80211_mgd_auth_data *auth_data = sdata->u.mgd.auth_data;
4794

4795
	lockdep_assert_wiphy(sdata->local->hw.wiphy);
4796

4797
	sdata->u.mgd.auth_data = NULL;
4798

4799
	if (!assoc) {
4800
		/*
4801
		 * we are not authenticated yet, the only timer that could be
4802
		 * running is the timeout for the authentication response which
4803
		 * which is not relevant anymore.
4804
		 */
4805
		timer_delete_sync(&sdata->u.mgd.timer);
4806
		sta_info_destroy_addr(sdata, auth_data->ap_addr);
4807

4808
		/* other links are destroyed */
4809
		eth_zero_addr(sdata->deflink.u.mgd.bssid);
4810
		ieee80211_link_info_change_notify(sdata, &sdata->deflink,
4811
						  BSS_CHANGED_BSSID);
4812
		sdata->u.mgd.flags = 0;
4813

4814
		ieee80211_link_release_channel(&sdata->deflink);
4815
		ieee80211_vif_set_links(sdata, 0, 0);
4816
	}
4817

4818
	cfg80211_put_bss(sdata->local->hw.wiphy, auth_data->bss);
4819
	kfree(auth_data);
4820
}
4821

4822
enum assoc_status {
4823
	ASSOC_SUCCESS,
4824
	ASSOC_REJECTED,
4825
	ASSOC_TIMEOUT,
4826
	ASSOC_ABANDON,
4827
};
4828

4829
static void ieee80211_destroy_assoc_data(struct ieee80211_sub_if_data *sdata,
4830
					 enum assoc_status status)
4831
{
4832
	struct ieee80211_mgd_assoc_data *assoc_data = sdata->u.mgd.assoc_data;
4833

4834
	lockdep_assert_wiphy(sdata->local->hw.wiphy);
4835

4836
	sdata->u.mgd.assoc_data = NULL;
4837

4838
	if (status != ASSOC_SUCCESS) {
4839
		/*
4840
		 * we are not associated yet, the only timer that could be
4841
		 * running is the timeout for the association response which
4842
		 * which is not relevant anymore.
4843
		 */
4844
		timer_delete_sync(&sdata->u.mgd.timer);
4845
		sta_info_destroy_addr(sdata, assoc_data->ap_addr);
4846

4847
		eth_zero_addr(sdata->deflink.u.mgd.bssid);
4848
		ieee80211_link_info_change_notify(sdata, &sdata->deflink,
4849
						  BSS_CHANGED_BSSID);
4850
		sdata->u.mgd.flags = 0;
4851
		sdata->vif.bss_conf.mu_mimo_owner = false;
4852

4853
		if (status != ASSOC_REJECTED) {
4854
			struct cfg80211_assoc_failure data = {
4855
				.timeout = status == ASSOC_TIMEOUT,
4856
			};
4857
			int i;
4858

4859
			BUILD_BUG_ON(ARRAY_SIZE(data.bss) !=
4860
				     ARRAY_SIZE(assoc_data->link));
4861

4862
			for (i = 0; i < ARRAY_SIZE(data.bss); i++)
4863
				data.bss[i] = assoc_data->link[i].bss;
4864

4865
			if (ieee80211_vif_is_mld(&sdata->vif))
4866
				data.ap_mld_addr = assoc_data->ap_addr;
4867

4868
			cfg80211_assoc_failure(sdata->dev, &data);
4869
		}
4870

4871
		ieee80211_link_release_channel(&sdata->deflink);
4872
		ieee80211_vif_set_links(sdata, 0, 0);
4873
	}
4874

4875
	kfree(assoc_data);
4876
}
4877

4878
static void ieee80211_auth_challenge(struct ieee80211_sub_if_data *sdata,
4879
				     struct ieee80211_mgmt *mgmt, size_t len)
4880
{
4881
	struct ieee80211_local *local = sdata->local;
4882
	struct ieee80211_mgd_auth_data *auth_data = sdata->u.mgd.auth_data;
4883
	const struct element *challenge;
4884
	u8 *pos;
4885
	u32 tx_flags = 0;
4886
	struct ieee80211_prep_tx_info info = {
4887
		.subtype = IEEE80211_STYPE_AUTH,
4888
		.link_id = auth_data->link_id,
4889
	};
4890

4891
	pos = mgmt->u.auth.variable;
4892
	challenge = cfg80211_find_elem(WLAN_EID_CHALLENGE, pos,
4893
				       len - (pos - (u8 *)mgmt));
4894
	if (!challenge)
4895
		return;
4896
	auth_data->expected_transaction = 4;
4897
	drv_mgd_prepare_tx(sdata->local, sdata, &info);
4898
	if (ieee80211_hw_check(&local->hw, REPORTS_TX_ACK_STATUS))
4899
		tx_flags = IEEE80211_TX_CTL_REQ_TX_STATUS |
4900
			   IEEE80211_TX_INTFL_MLME_CONN_TX;
4901
	ieee80211_send_auth(sdata, 3, auth_data->algorithm, 0,
4902
			    (void *)challenge,
4903
			    challenge->datalen + sizeof(*challenge),
4904
			    auth_data->ap_addr, auth_data->ap_addr,
4905
			    auth_data->key, auth_data->key_len,
4906
			    auth_data->key_idx, tx_flags);
4907
}
4908

4909
static bool ieee80211_mark_sta_auth(struct ieee80211_sub_if_data *sdata)
4910
{
4911
	struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
4912
	const u8 *ap_addr = ifmgd->auth_data->ap_addr;
4913
	struct sta_info *sta;
4914

4915
	lockdep_assert_wiphy(sdata->local->hw.wiphy);
4916

4917
	sdata_info(sdata, "authenticated\n");
4918
	ifmgd->auth_data->done = true;
4919
	ifmgd->auth_data->timeout = jiffies + IEEE80211_AUTH_WAIT_ASSOC;
4920
	ifmgd->auth_data->timeout_started = true;
4921
	run_again(sdata, ifmgd->auth_data->timeout);
4922

4923
	/* move station state to auth */
4924
	sta = sta_info_get(sdata, ap_addr);
4925
	if (!sta) {
4926
		WARN_ONCE(1, "%s: STA %pM not found", sdata->name, ap_addr);
4927
		return false;
4928
	}
4929
	if (sta_info_move_state(sta, IEEE80211_STA_AUTH)) {
4930
		sdata_info(sdata, "failed moving %pM to auth\n", ap_addr);
4931
		return false;
4932
	}
4933

4934
	return true;
4935
}
4936

4937
static void ieee80211_rx_mgmt_auth(struct ieee80211_sub_if_data *sdata,
4938
				   struct ieee80211_mgmt *mgmt, size_t len)
4939
{
4940
	struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
4941
	u16 auth_alg, auth_transaction, status_code, encap_len;
4942
	struct ieee80211_event event = {
4943
		.type = MLME_EVENT,
4944
		.u.mlme.data = AUTH_EVENT,
4945
	};
4946
	struct ieee80211_prep_tx_info info = {
4947
		.subtype = IEEE80211_STYPE_AUTH,
4948
	};
4949
	bool sae_need_confirm = false;
4950
	bool auth_fail = false;
4951

4952
	lockdep_assert_wiphy(sdata->local->hw.wiphy);
4953

4954
	if (len < 24 + 6)
4955
		return;
4956

4957
	if (!ifmgd->auth_data || ifmgd->auth_data->done)
4958
		return;
4959

4960
	if (!ether_addr_equal(ifmgd->auth_data->ap_addr, mgmt->bssid))
4961
		return;
4962

4963
	auth_alg = le16_to_cpu(mgmt->u.auth.auth_alg);
4964
	auth_transaction = le16_to_cpu(mgmt->u.auth.auth_transaction);
4965
	status_code = le16_to_cpu(mgmt->u.auth.status_code);
4966

4967
	/*
4968
	 * IEEE 802.1X Authentication:
4969
	 * Header + Authentication Algorithm Number(2 byte) + Authentication
4970
	 * Transaction Sequence Number(2 byte) + Status Code(2 byte) +
4971
	 * Encapsulation Length(2 byte).
4972
	 */
4973
	if (auth_alg == WLAN_AUTH_IEEE8021X && len < 24 + 8)
4974
		return;
4975

4976
	info.link_id = ifmgd->auth_data->link_id;
4977

4978
	if (auth_alg != ifmgd->auth_data->algorithm ||
4979
	    (auth_alg != WLAN_AUTH_SAE &&
4980
	     auth_transaction != ifmgd->auth_data->expected_transaction) ||
4981
	    (auth_alg == WLAN_AUTH_SAE &&
4982
	     (auth_transaction < ifmgd->auth_data->expected_transaction ||
4983
	      auth_transaction > 2))) {
4984
		sdata_info(sdata, "%pM unexpected authentication state: alg %d (expected %d) transact %d (expected %d)\n",
4985
			   mgmt->sa, auth_alg, ifmgd->auth_data->algorithm,
4986
			   auth_transaction,
4987
			   ifmgd->auth_data->expected_transaction);
4988
		goto notify_driver;
4989
	}
4990

4991
	switch (auth_alg) {
4992
	case WLAN_AUTH_IEEE8021X:
4993
		if (status_code != WLAN_STATUS_SUCCESS &&
4994
		    status_code != WLAN_STATUS_8021X_AUTH_SUCCESS)
4995
			auth_fail = true;
4996

4997
		if (!auth_fail) {
4998
			/* Indicates length of encapsulated EAPOL PDU */
4999
			encap_len = get_unaligned_le16(mgmt->u.auth.variable);
5000
		}
5001
		break;
5002
	default:
5003
		if (status_code != WLAN_STATUS_SUCCESS)
5004
			auth_fail = true;
5005
		break;
5006
	}
5007

5008
	if (auth_fail) {
5009
		cfg80211_rx_mlme_mgmt(sdata->dev, (u8 *)mgmt, len);
5010

5011
		if (auth_alg == WLAN_AUTH_SAE &&
5012
		    (status_code == WLAN_STATUS_ANTI_CLOG_REQUIRED ||
5013
		     (auth_transaction == 1 &&
5014
		      (status_code == WLAN_STATUS_SAE_HASH_TO_ELEMENT ||
5015
		       status_code == WLAN_STATUS_SAE_PK)))) {
5016
			/* waiting for userspace now */
5017
			ifmgd->auth_data->waiting = true;
5018
			ifmgd->auth_data->timeout =
5019
				jiffies + IEEE80211_AUTH_WAIT_SAE_RETRY;
5020
			ifmgd->auth_data->timeout_started = true;
5021
			run_again(sdata, ifmgd->auth_data->timeout);
5022
			if (auth_transaction == 1)
5023
				sae_need_confirm = true;
5024
			goto notify_driver;
5025
		}
5026

5027
		sdata_info(sdata, "%pM denied authentication (status %d)\n",
5028
			   mgmt->sa, status_code);
5029
		ieee80211_destroy_auth_data(sdata, false);
5030
		event.u.mlme.status = MLME_DENIED;
5031
		event.u.mlme.reason = status_code;
5032
		drv_event_callback(sdata->local, sdata, &event);
5033
		goto notify_driver;
5034
	}
5035

5036
	switch (ifmgd->auth_data->algorithm) {
5037
	case WLAN_AUTH_OPEN:
5038
	case WLAN_AUTH_LEAP:
5039
	case WLAN_AUTH_FT:
5040
	case WLAN_AUTH_SAE:
5041
	case WLAN_AUTH_FILS_SK:
5042
	case WLAN_AUTH_FILS_SK_PFS:
5043
	case WLAN_AUTH_FILS_PK:
5044
	case WLAN_AUTH_EPPKE:
5045
	case WLAN_AUTH_IEEE8021X:
5046
		break;
5047
	case WLAN_AUTH_SHARED_KEY:
5048
		if (ifmgd->auth_data->expected_transaction != 4) {
5049
			ieee80211_auth_challenge(sdata, mgmt, len);
5050
			/* need another frame */
5051
			return;
5052
		}
5053
		break;
5054
	default:
5055
		WARN_ONCE(1, "invalid auth alg %d",
5056
			  ifmgd->auth_data->algorithm);
5057
		goto notify_driver;
5058
	}
5059

5060
	event.u.mlme.status = MLME_SUCCESS;
5061
	info.success = 1;
5062
	drv_event_callback(sdata->local, sdata, &event);
5063
	if (ifmgd->auth_data->algorithm != WLAN_AUTH_SAE ||
5064
	    (auth_transaction == 2 &&
5065
	     ifmgd->auth_data->expected_transaction == 2)) {
5066
		switch (ifmgd->auth_data->algorithm) {
5067
		case WLAN_AUTH_IEEE8021X:
5068
			/*
5069
			 * IEEE 802.1X authentication:
5070
			 * - When the full EAP handshake completes over the
5071
			 *   Authentication process, the responder sets the
5072
			 *   Status Code to WLAN_STATUS_8021X_AUTH_SUCCESS as
5073
			 *   specified in "IEEE P802.11bi/D4.0, 12.16.5".
5074
			 *
5075
			 * - In the PMKSA caching case, only two Authentication
5076
			 *   frames are exchanged if the responder (e.g., AP)
5077
			 *   identifies a valid PMKSA, then as specified in
5078
			 *   "IEEE P802.11bi/D4.0, 12.16.8.3", the responder
5079
			 *   shall set the Status Code to SUCCESS in the final
5080
			 *   Authentication frame and must not include an
5081
			 *   encapsulated EAPOL PDU.
5082
			 *
5083
			 * Both conditions are treated as successful
5084
			 * authentication, so mark the state to Authenticated.
5085
			 */
5086
			if (status_code != WLAN_STATUS_8021X_AUTH_SUCCESS &&
5087
			    !(status_code == WLAN_STATUS_SUCCESS &&
5088
			      encap_len == 0))
5089
				break;
5090
			fallthrough;
5091
		default:
5092
			if (!ieee80211_mark_sta_auth(sdata))
5093
				return; /* ignore frame -- wait for timeout */
5094

5095
			break;
5096
		}
5097
	} else if (ifmgd->auth_data->algorithm == WLAN_AUTH_SAE &&
5098
		   auth_transaction == 1) {
5099
		sae_need_confirm = true;
5100
	} else if (ifmgd->auth_data->algorithm == WLAN_AUTH_SAE &&
5101
		   auth_transaction == 2) {
5102
		sdata_info(sdata, "SAE peer confirmed\n");
5103
		ifmgd->auth_data->peer_confirmed = true;
5104
	}
5105

5106
	cfg80211_rx_mlme_mgmt(sdata->dev, (u8 *)mgmt, len);
5107
notify_driver:
5108
	if (!sae_need_confirm)
5109
		drv_mgd_complete_tx(sdata->local, sdata, &info);
5110
}
5111

5112
#define case_WLAN(type) \
5113
	case WLAN_REASON_##type: return #type
5114

5115
const char *ieee80211_get_reason_code_string(u16 reason_code)
5116
{
5117
	switch (reason_code) {
5118
	case_WLAN(UNSPECIFIED);
5119
	case_WLAN(PREV_AUTH_NOT_VALID);
5120
	case_WLAN(DEAUTH_LEAVING);
5121
	case_WLAN(DISASSOC_DUE_TO_INACTIVITY);
5122
	case_WLAN(DISASSOC_AP_BUSY);
5123
	case_WLAN(CLASS2_FRAME_FROM_NONAUTH_STA);
5124
	case_WLAN(CLASS3_FRAME_FROM_NONASSOC_STA);
5125
	case_WLAN(DISASSOC_STA_HAS_LEFT);
5126
	case_WLAN(STA_REQ_ASSOC_WITHOUT_AUTH);
5127
	case_WLAN(DISASSOC_BAD_POWER);
5128
	case_WLAN(DISASSOC_BAD_SUPP_CHAN);
5129
	case_WLAN(INVALID_IE);
5130
	case_WLAN(MIC_FAILURE);
5131
	case_WLAN(4WAY_HANDSHAKE_TIMEOUT);
5132
	case_WLAN(GROUP_KEY_HANDSHAKE_TIMEOUT);
5133
	case_WLAN(IE_DIFFERENT);
5134
	case_WLAN(INVALID_GROUP_CIPHER);
5135
	case_WLAN(INVALID_PAIRWISE_CIPHER);
5136
	case_WLAN(INVALID_AKMP);
5137
	case_WLAN(UNSUPP_RSN_VERSION);
5138
	case_WLAN(INVALID_RSN_IE_CAP);
5139
	case_WLAN(IEEE8021X_FAILED);
5140
	case_WLAN(CIPHER_SUITE_REJECTED);
5141
	case_WLAN(DISASSOC_UNSPECIFIED_QOS);
5142
	case_WLAN(DISASSOC_QAP_NO_BANDWIDTH);
5143
	case_WLAN(DISASSOC_LOW_ACK);
5144
	case_WLAN(DISASSOC_QAP_EXCEED_TXOP);
5145
	case_WLAN(QSTA_LEAVE_QBSS);
5146
	case_WLAN(QSTA_NOT_USE);
5147
	case_WLAN(QSTA_REQUIRE_SETUP);
5148
	case_WLAN(QSTA_TIMEOUT);
5149
	case_WLAN(QSTA_CIPHER_NOT_SUPP);
5150
	case_WLAN(MESH_PEER_CANCELED);
5151
	case_WLAN(MESH_MAX_PEERS);
5152
	case_WLAN(MESH_CONFIG);
5153
	case_WLAN(MESH_CLOSE);
5154
	case_WLAN(MESH_MAX_RETRIES);
5155
	case_WLAN(MESH_CONFIRM_TIMEOUT);
5156
	case_WLAN(MESH_INVALID_GTK);
5157
	case_WLAN(MESH_INCONSISTENT_PARAM);
5158
	case_WLAN(MESH_INVALID_SECURITY);
5159
	case_WLAN(MESH_PATH_ERROR);
5160
	case_WLAN(MESH_PATH_NOFORWARD);
5161
	case_WLAN(MESH_PATH_DEST_UNREACHABLE);
5162
	case_WLAN(MAC_EXISTS_IN_MBSS);
5163
	case_WLAN(MESH_CHAN_REGULATORY);
5164
	case_WLAN(MESH_CHAN);
5165
	default: return "<unknown>";
5166
	}
5167
}
5168

5169
static void ieee80211_rx_mgmt_deauth(struct ieee80211_sub_if_data *sdata,
5170
				     struct ieee80211_mgmt *mgmt, size_t len)
5171
{
5172
	struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
5173
	u16 reason_code = le16_to_cpu(mgmt->u.deauth.reason_code);
5174

5175
	lockdep_assert_wiphy(sdata->local->hw.wiphy);
5176

5177
	if (len < 24 + 2)
5178
		return;
5179

5180
	if (!ether_addr_equal(mgmt->bssid, mgmt->sa)) {
5181
		ieee80211_tdls_handle_disconnect(sdata, mgmt->sa, reason_code);
5182
		return;
5183
	}
5184

5185
	if (ifmgd->associated &&
5186
	    ether_addr_equal(mgmt->bssid, sdata->vif.cfg.ap_addr)) {
5187
		sdata_info(sdata, "deauthenticated from %pM (Reason: %u=%s)\n",
5188
			   sdata->vif.cfg.ap_addr, reason_code,
5189
			   ieee80211_get_reason_code_string(reason_code));
5190

5191
		ieee80211_set_disassoc(sdata, 0, 0, false, NULL);
5192

5193
		ieee80211_report_disconnect(sdata, (u8 *)mgmt, len, false,
5194
					    reason_code, false);
5195
		return;
5196
	}
5197

5198
	if (ifmgd->assoc_data &&
5199
	    ether_addr_equal(mgmt->bssid, ifmgd->assoc_data->ap_addr)) {
5200
		sdata_info(sdata,
5201
			   "deauthenticated from %pM while associating (Reason: %u=%s)\n",
5202
			   ifmgd->assoc_data->ap_addr, reason_code,
5203
			   ieee80211_get_reason_code_string(reason_code));
5204

5205
		ieee80211_destroy_assoc_data(sdata, ASSOC_ABANDON);
5206

5207
		cfg80211_rx_mlme_mgmt(sdata->dev, (u8 *)mgmt, len);
5208
		return;
5209
	}
5210
}
5211

5212

5213
static void ieee80211_rx_mgmt_disassoc(struct ieee80211_sub_if_data *sdata,
5214
				       struct ieee80211_mgmt *mgmt, size_t len)
5215
{
5216
	struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
5217
	u16 reason_code;
5218

5219
	lockdep_assert_wiphy(sdata->local->hw.wiphy);
5220

5221
	if (len < 24 + 2)
5222
		return;
5223

5224
	if (!ifmgd->associated ||
5225
	    !ether_addr_equal(mgmt->bssid, sdata->vif.cfg.ap_addr))
5226
		return;
5227

5228
	reason_code = le16_to_cpu(mgmt->u.disassoc.reason_code);
5229

5230
	if (!ether_addr_equal(mgmt->bssid, mgmt->sa)) {
5231
		ieee80211_tdls_handle_disconnect(sdata, mgmt->sa, reason_code);
5232
		return;
5233
	}
5234

5235
	sdata_info(sdata, "disassociated from %pM (Reason: %u=%s)\n",
5236
		   sdata->vif.cfg.ap_addr, reason_code,
5237
		   ieee80211_get_reason_code_string(reason_code));
5238

5239
	ieee80211_set_disassoc(sdata, 0, 0, false, NULL);
5240

5241
	ieee80211_report_disconnect(sdata, (u8 *)mgmt, len, false, reason_code,
5242
				    false);
5243
}
5244

5245
static bool ieee80211_twt_req_supported(struct ieee80211_sub_if_data *sdata,
5246
					struct ieee80211_supported_band *sband,
5247
					const struct link_sta_info *link_sta,
5248
					const struct ieee802_11_elems *elems)
5249
{
5250
	const struct ieee80211_sta_he_cap *own_he_cap =
5251
		ieee80211_get_he_iftype_cap_vif(sband, &sdata->vif);
5252

5253
	if (elems->ext_capab_len < 10)
5254
		return false;
5255

5256
	if (!(elems->ext_capab[9] & WLAN_EXT_CAPA10_TWT_RESPONDER_SUPPORT))
5257
		return false;
5258

5259
	return link_sta->pub->he_cap.he_cap_elem.mac_cap_info[0] &
5260
		IEEE80211_HE_MAC_CAP0_TWT_RES &&
5261
		own_he_cap &&
5262
		(own_he_cap->he_cap_elem.mac_cap_info[0] &
5263
			IEEE80211_HE_MAC_CAP0_TWT_REQ);
5264
}
5265

5266
static u64 ieee80211_recalc_twt_req(struct ieee80211_sub_if_data *sdata,
5267
				    struct ieee80211_supported_band *sband,
5268
				    struct ieee80211_link_data *link,
5269
				    struct link_sta_info *link_sta,
5270
				    struct ieee802_11_elems *elems)
5271
{
5272
	bool twt = ieee80211_twt_req_supported(sdata, sband, link_sta, elems);
5273

5274
	if (link->conf->twt_requester != twt) {
5275
		link->conf->twt_requester = twt;
5276
		return BSS_CHANGED_TWT;
5277
	}
5278
	return 0;
5279
}
5280

5281
static bool ieee80211_twt_bcast_support(struct ieee80211_sub_if_data *sdata,
5282
					struct ieee80211_bss_conf *bss_conf,
5283
					struct ieee80211_supported_band *sband,
5284
					struct link_sta_info *link_sta)
5285
{
5286
	const struct ieee80211_sta_he_cap *own_he_cap =
5287
		ieee80211_get_he_iftype_cap_vif(sband, &sdata->vif);
5288

5289
	return bss_conf->he_support &&
5290
		(link_sta->pub->he_cap.he_cap_elem.mac_cap_info[2] &
5291
			IEEE80211_HE_MAC_CAP2_BCAST_TWT) &&
5292
		own_he_cap &&
5293
		(own_he_cap->he_cap_elem.mac_cap_info[2] &
5294
			IEEE80211_HE_MAC_CAP2_BCAST_TWT);
5295
}
5296

5297
static void ieee80211_epcs_changed(struct ieee80211_sub_if_data *sdata,
5298
				   bool enabled)
5299
{
5300
	/* in any case this is called, dialog token should be reset */
5301
	sdata->u.mgd.epcs.dialog_token = 0;
5302

5303
	if (sdata->u.mgd.epcs.enabled == enabled)
5304
		return;
5305

5306
	sdata->u.mgd.epcs.enabled = enabled;
5307
	cfg80211_epcs_changed(sdata->dev, enabled);
5308
}
5309

5310
static void ieee80211_epcs_teardown(struct ieee80211_sub_if_data *sdata)
5311
{
5312
	struct ieee80211_local *local = sdata->local;
5313
	u8 link_id;
5314

5315
	if (!sdata->u.mgd.epcs.enabled)
5316
		return;
5317

5318
	lockdep_assert_wiphy(local->hw.wiphy);
5319

5320
	for (link_id = 0; link_id < IEEE80211_MLD_MAX_NUM_LINKS; link_id++) {
5321
		struct ieee802_11_elems *elems;
5322
		struct ieee80211_link_data *link;
5323
		const struct cfg80211_bss_ies *ies;
5324
		bool ret;
5325

5326
		rcu_read_lock();
5327

5328
		link = sdata_dereference(sdata->link[link_id], sdata);
5329
		if (!link || !link->conf || !link->conf->bss) {
5330
			rcu_read_unlock();
5331
			continue;
5332
		}
5333

5334
		if (link->u.mgd.disable_wmm_tracking) {
5335
			rcu_read_unlock();
5336
			ieee80211_set_wmm_default(link, false, false);
5337
			continue;
5338
		}
5339

5340
		ies = rcu_dereference(link->conf->bss->beacon_ies);
5341
		if (!ies) {
5342
			rcu_read_unlock();
5343
			ieee80211_set_wmm_default(link, false, false);
5344
			continue;
5345
		}
5346

5347
		elems = ieee802_11_parse_elems(ies->data, ies->len,
5348
					       IEEE80211_FTYPE_MGMT |
5349
					       IEEE80211_STYPE_BEACON,
5350
					       NULL);
5351
		if (!elems) {
5352
			rcu_read_unlock();
5353
			ieee80211_set_wmm_default(link, false, false);
5354
			continue;
5355
		}
5356

5357
		ret = _ieee80211_sta_wmm_params(local, link,
5358
						elems->wmm_param,
5359
						elems->wmm_param_len,
5360
						elems->mu_edca_param_set);
5361

5362
		kfree(elems);
5363
		rcu_read_unlock();
5364

5365
		if (!ret) {
5366
			ieee80211_set_wmm_default(link, false, false);
5367
			continue;
5368
		}
5369

5370
		ieee80211_mgd_set_link_qos_params(link);
5371
		ieee80211_link_info_change_notify(sdata, link, BSS_CHANGED_QOS);
5372
	}
5373
}
5374

5375
static bool ieee80211_assoc_config_link(struct ieee80211_link_data *link,
5376
					struct link_sta_info *link_sta,
5377
					struct cfg80211_bss *cbss,
5378
					struct ieee80211_mgmt *mgmt,
5379
					const u8 *elem_start,
5380
					unsigned int elem_len,
5381
					u64 *changed)
5382
{
5383
	struct ieee80211_sub_if_data *sdata = link->sdata;
5384
	struct ieee80211_mgd_assoc_data *assoc_data =
5385
		sdata->u.mgd.assoc_data ?: sdata->u.mgd.reconf.add_links_data;
5386
	struct ieee80211_bss_conf *bss_conf = link->conf;
5387
	struct ieee80211_local *local = sdata->local;
5388
	unsigned int link_id = link->link_id;
5389
	struct ieee80211_elems_parse_params parse_params = {
5390
		.mode = link->u.mgd.conn.mode,
5391
		.start = elem_start,
5392
		.len = elem_len,
5393
		.link_id = link_id == assoc_data->assoc_link_id ? -1 : link_id,
5394
		.from_ap = true,
5395
		.type = le16_to_cpu(mgmt->frame_control) & IEEE80211_FCTL_TYPE,
5396
	};
5397
	bool is_5ghz = cbss->channel->band == NL80211_BAND_5GHZ;
5398
	bool is_6ghz = cbss->channel->band == NL80211_BAND_6GHZ;
5399
	bool is_s1g = cbss->channel->band == NL80211_BAND_S1GHZ;
5400
	const struct cfg80211_bss_ies *bss_ies = NULL;
5401
	struct ieee80211_supported_band *sband;
5402
	struct ieee802_11_elems *elems;
5403
	const __le16 prof_bss_param_ch_present =
5404
		cpu_to_le16(IEEE80211_MLE_STA_CONTROL_BSS_PARAM_CHANGE_CNT_PRESENT);
5405
	u16 capab_info;
5406
	bool ret;
5407

5408
	elems = ieee802_11_parse_elems_full(&parse_params);
5409
	if (!elems)
5410
		return false;
5411

5412
	if (link_id == assoc_data->assoc_link_id) {
5413
		capab_info = le16_to_cpu(mgmt->u.assoc_resp.capab_info);
5414

5415
		/*
5416
		 * we should not get to this flow unless the association was
5417
		 * successful, so set the status directly to success
5418
		 */
5419
		assoc_data->link[link_id].status = WLAN_STATUS_SUCCESS;
5420
		if (elems->ml_basic) {
5421
			int bss_param_ch_cnt =
5422
				ieee80211_mle_get_bss_param_ch_cnt((const void *)elems->ml_basic);
5423

5424
			if (bss_param_ch_cnt < 0) {
5425
				ret = false;
5426
				goto out;
5427
			}
5428
			bss_conf->bss_param_ch_cnt = bss_param_ch_cnt;
5429
			bss_conf->bss_param_ch_cnt_link_id = link_id;
5430
		}
5431
	} else if (elems->parse_error & IEEE80211_PARSE_ERR_DUP_NEST_ML_BASIC ||
5432
		   !elems->prof ||
5433
		   !(elems->prof->control & prof_bss_param_ch_present)) {
5434
		ret = false;
5435
		goto out;
5436
	} else {
5437
		const u8 *ptr = elems->prof->variable +
5438
				elems->prof->sta_info_len - 1;
5439
		int bss_param_ch_cnt;
5440

5441
		/*
5442
		 * During parsing, we validated that these fields exist,
5443
		 * otherwise elems->prof would have been set to NULL.
5444
		 */
5445
		capab_info = get_unaligned_le16(ptr);
5446
		assoc_data->link[link_id].status = get_unaligned_le16(ptr + 2);
5447
		bss_param_ch_cnt =
5448
			ieee80211_mle_basic_sta_prof_bss_param_ch_cnt(elems->prof);
5449
		bss_conf->bss_param_ch_cnt = bss_param_ch_cnt;
5450
		bss_conf->bss_param_ch_cnt_link_id = link_id;
5451

5452
		if (assoc_data->link[link_id].status != WLAN_STATUS_SUCCESS) {
5453
			link_info(link, "association response status code=%u\n",
5454
				  assoc_data->link[link_id].status);
5455
			ret = true;
5456
			goto out;
5457
		}
5458
	}
5459

5460
	if (!is_s1g && !elems->supp_rates) {
5461
		sdata_info(sdata, "no SuppRates element in AssocResp\n");
5462
		ret = false;
5463
		goto out;
5464
	}
5465

5466
	link->u.mgd.tdls_chan_switch_prohibited =
5467
		elems->ext_capab && elems->ext_capab_len >= 5 &&
5468
		(elems->ext_capab[4] & WLAN_EXT_CAPA5_TDLS_CH_SW_PROHIBITED);
5469

5470
	/*
5471
	 * Some APs are erroneously not including some information in their
5472
	 * (re)association response frames. Try to recover by using the data
5473
	 * from the beacon or probe response. This seems to afflict mobile
5474
	 * 2G/3G/4G wifi routers, reported models include the "Onda PN51T",
5475
	 * "Vodafone PocketWiFi 2", "ZTE MF60" and a similar T-Mobile device.
5476
	 */
5477
	if (!ieee80211_hw_check(&local->hw, STRICT) && !is_6ghz &&
5478
	    ((assoc_data->wmm && !elems->wmm_param) ||
5479
	     (link->u.mgd.conn.mode >= IEEE80211_CONN_MODE_HT &&
5480
	      (!elems->ht_cap_elem || !elems->ht_operation)) ||
5481
	     (is_5ghz && link->u.mgd.conn.mode >= IEEE80211_CONN_MODE_VHT &&
5482
	      (!elems->vht_cap_elem || !elems->vht_operation)))) {
5483
		const struct cfg80211_bss_ies *ies;
5484
		struct ieee802_11_elems *bss_elems;
5485

5486
		rcu_read_lock();
5487
		ies = rcu_dereference(cbss->ies);
5488
		if (ies)
5489
			bss_ies = kmemdup(ies, sizeof(*ies) + ies->len,
5490
					  GFP_ATOMIC);
5491
		rcu_read_unlock();
5492
		if (!bss_ies) {
5493
			ret = false;
5494
			goto out;
5495
		}
5496

5497
		parse_params.start = bss_ies->data;
5498
		parse_params.len = bss_ies->len;
5499
		parse_params.bss = cbss;
5500
		parse_params.link_id = -1;
5501
		bss_elems = ieee802_11_parse_elems_full(&parse_params);
5502
		if (!bss_elems) {
5503
			ret = false;
5504
			goto out;
5505
		}
5506

5507
		if (assoc_data->wmm &&
5508
		    !elems->wmm_param && bss_elems->wmm_param) {
5509
			elems->wmm_param = bss_elems->wmm_param;
5510
			sdata_info(sdata,
5511
				   "AP bug: WMM param missing from AssocResp\n");
5512
		}
5513

5514
		/*
5515
		 * Also check if we requested HT/VHT, otherwise the AP doesn't
5516
		 * have to include the IEs in the (re)association response.
5517
		 */
5518
		if (!elems->ht_cap_elem && bss_elems->ht_cap_elem &&
5519
		    link->u.mgd.conn.mode >= IEEE80211_CONN_MODE_HT) {
5520
			elems->ht_cap_elem = bss_elems->ht_cap_elem;
5521
			sdata_info(sdata,
5522
				   "AP bug: HT capability missing from AssocResp\n");
5523
		}
5524
		if (!elems->ht_operation && bss_elems->ht_operation &&
5525
		    link->u.mgd.conn.mode >= IEEE80211_CONN_MODE_HT) {
5526
			elems->ht_operation = bss_elems->ht_operation;
5527
			sdata_info(sdata,
5528
				   "AP bug: HT operation missing from AssocResp\n");
5529
		}
5530

5531
		if (is_5ghz) {
5532
			if (!elems->vht_cap_elem && bss_elems->vht_cap_elem &&
5533
			    link->u.mgd.conn.mode >= IEEE80211_CONN_MODE_VHT) {
5534
				elems->vht_cap_elem = bss_elems->vht_cap_elem;
5535
				sdata_info(sdata,
5536
					   "AP bug: VHT capa missing from AssocResp\n");
5537
			}
5538

5539
			if (!elems->vht_operation && bss_elems->vht_operation &&
5540
			    link->u.mgd.conn.mode >= IEEE80211_CONN_MODE_VHT) {
5541
				elems->vht_operation = bss_elems->vht_operation;
5542
				sdata_info(sdata,
5543
					   "AP bug: VHT operation missing from AssocResp\n");
5544
			}
5545
		}
5546
		kfree(bss_elems);
5547
	}
5548

5549
	/*
5550
	 * We previously checked these in the beacon/probe response, so
5551
	 * they should be present here. This is just a safety net.
5552
	 * Note that the ieee80211_config_bw() below would also check
5553
	 * for this (and more), but this has better error reporting.
5554
	 */
5555
	if (!is_6ghz && link->u.mgd.conn.mode >= IEEE80211_CONN_MODE_HT &&
5556
	    (!elems->wmm_param || !elems->ht_cap_elem || !elems->ht_operation)) {
5557
		sdata_info(sdata,
5558
			   "HT AP is missing WMM params or HT capability/operation\n");
5559
		ret = false;
5560
		goto out;
5561
	}
5562

5563
	if (is_5ghz && link->u.mgd.conn.mode >= IEEE80211_CONN_MODE_VHT &&
5564
	    (!elems->vht_cap_elem || !elems->vht_operation)) {
5565
		sdata_info(sdata,
5566
			   "VHT AP is missing VHT capability/operation\n");
5567
		ret = false;
5568
		goto out;
5569
	}
5570

5571
	/* check/update if AP changed anything in assoc response vs. scan */
5572
	if (ieee80211_config_bw(link, elems,
5573
				link_id == assoc_data->assoc_link_id,
5574
				changed,
5575
				le16_to_cpu(mgmt->frame_control) &
5576
					IEEE80211_FCTL_STYPE)) {
5577
		ret = false;
5578
		goto out;
5579
	}
5580

5581
	if (WARN_ON(!link->conf->chanreq.oper.chan)) {
5582
		ret = false;
5583
		goto out;
5584
	}
5585
	sband = local->hw.wiphy->bands[link->conf->chanreq.oper.chan->band];
5586

5587
	/* Set up internal HT/VHT capabilities */
5588
	if (elems->ht_cap_elem && link->u.mgd.conn.mode >= IEEE80211_CONN_MODE_HT)
5589
		ieee80211_ht_cap_ie_to_sta_ht_cap(sdata, &sband->ht_cap,
5590
						  elems->ht_cap_elem,
5591
						  link_sta);
5592

5593
	if (elems->vht_cap_elem &&
5594
	    link->u.mgd.conn.mode >= IEEE80211_CONN_MODE_VHT) {
5595
		const struct ieee80211_vht_cap *bss_vht_cap = NULL;
5596
		const struct cfg80211_bss_ies *ies;
5597

5598
		/*
5599
		 * Cisco AP module 9115 with FW 17.3 has a bug and sends a
5600
		 * too large maximum MPDU length in the association response
5601
		 * (indicating 12k) that it cannot actually process ...
5602
		 * Work around that.
5603
		 */
5604
		rcu_read_lock();
5605
		ies = rcu_dereference(cbss->ies);
5606
		if (ies) {
5607
			const struct element *elem;
5608

5609
			elem = cfg80211_find_elem(WLAN_EID_VHT_CAPABILITY,
5610
						  ies->data, ies->len);
5611
			if (elem && elem->datalen >= sizeof(*bss_vht_cap))
5612
				bss_vht_cap = (const void *)elem->data;
5613
		}
5614

5615
		if (ieee80211_hw_check(&local->hw, STRICT) &&
5616
		    (!bss_vht_cap || memcmp(bss_vht_cap, elems->vht_cap_elem,
5617
					    sizeof(*bss_vht_cap)))) {
5618
			rcu_read_unlock();
5619
			ret = false;
5620
			link_info(link, "VHT capabilities mismatch\n");
5621
			goto out;
5622
		}
5623

5624
		ieee80211_vht_cap_ie_to_sta_vht_cap(sdata, sband,
5625
						    &sband->vht_cap,
5626
						    elems->vht_cap_elem,
5627
						    bss_vht_cap, link_sta);
5628
		rcu_read_unlock();
5629
	}
5630

5631
	if (elems->he_operation &&
5632
	    link->u.mgd.conn.mode >= IEEE80211_CONN_MODE_HE &&
5633
	    elems->he_cap) {
5634
		ieee80211_he_cap_ie_to_sta_he_cap(sdata, sband,
5635
						  elems->he_cap,
5636
						  elems->he_cap_len,
5637
						  elems->he_6ghz_capa,
5638
						  link_sta);
5639

5640
		bss_conf->he_support = link_sta->pub->he_cap.has_he;
5641
		if (elems->rsnx && elems->rsnx_len &&
5642
		    (elems->rsnx[0] & WLAN_RSNX_CAPA_PROTECTED_TWT) &&
5643
		    wiphy_ext_feature_isset(local->hw.wiphy,
5644
					    NL80211_EXT_FEATURE_PROTECTED_TWT))
5645
			bss_conf->twt_protected = true;
5646
		else
5647
			bss_conf->twt_protected = false;
5648

5649
		*changed |= ieee80211_recalc_twt_req(sdata, sband, link,
5650
						     link_sta, elems);
5651

5652
		if (elems->eht_operation && elems->eht_cap &&
5653
		    link->u.mgd.conn.mode >= IEEE80211_CONN_MODE_EHT) {
5654
			ieee80211_eht_cap_ie_to_sta_eht_cap(sdata, sband,
5655
							    elems->he_cap,
5656
							    elems->he_cap_len,
5657
							    elems->eht_cap,
5658
							    elems->eht_cap_len,
5659
							    link_sta);
5660

5661
			bss_conf->eht_support = link_sta->pub->eht_cap.has_eht;
5662
			bss_conf->epcs_support = bss_conf->eht_support &&
5663
				!!(elems->eht_cap->fixed.mac_cap_info[0] &
5664
				   IEEE80211_EHT_MAC_CAP0_EPCS_PRIO_ACCESS);
5665

5666
			/* EPCS might be already enabled but a new added link
5667
			 * does not support EPCS. This should not really happen
5668
			 * in practice.
5669
			 */
5670
			if (sdata->u.mgd.epcs.enabled &&
5671
			    !bss_conf->epcs_support)
5672
				ieee80211_epcs_teardown(sdata);
5673
		} else {
5674
			bss_conf->eht_support = false;
5675
			bss_conf->epcs_support = false;
5676
		}
5677
	} else {
5678
		bss_conf->he_support = false;
5679
		bss_conf->twt_requester = false;
5680
		bss_conf->twt_protected = false;
5681
		bss_conf->eht_support = false;
5682
		bss_conf->epcs_support = false;
5683
	}
5684

5685
	if (elems->uhr_operation && elems->uhr_cap &&
5686
	    link->u.mgd.conn.mode >= IEEE80211_CONN_MODE_UHR) {
5687
		ieee80211_uhr_cap_ie_to_sta_uhr_cap(sdata, sband,
5688
						    elems->uhr_cap,
5689
						    elems->uhr_cap_len,
5690
						    link_sta);
5691

5692
		bss_conf->uhr_support = link_sta->pub->uhr_cap.has_uhr;
5693
	} else {
5694
		bss_conf->uhr_support = false;
5695
	}
5696

5697
	if (elems->s1g_oper &&
5698
	    link->u.mgd.conn.mode == IEEE80211_CONN_MODE_S1G &&
5699
	    elems->s1g_capab)
5700
		ieee80211_s1g_cap_to_sta_s1g_cap(sdata, elems->s1g_capab,
5701
						 link_sta);
5702

5703
	bss_conf->twt_broadcast =
5704
		ieee80211_twt_bcast_support(sdata, bss_conf, sband, link_sta);
5705

5706
	if (bss_conf->he_support) {
5707
		bss_conf->he_bss_color.color =
5708
			le32_get_bits(elems->he_operation->he_oper_params,
5709
				      IEEE80211_HE_OPERATION_BSS_COLOR_MASK);
5710
		bss_conf->he_bss_color.partial =
5711
			le32_get_bits(elems->he_operation->he_oper_params,
5712
				      IEEE80211_HE_OPERATION_PARTIAL_BSS_COLOR);
5713
		bss_conf->he_bss_color.enabled =
5714
			!le32_get_bits(elems->he_operation->he_oper_params,
5715
				       IEEE80211_HE_OPERATION_BSS_COLOR_DISABLED);
5716

5717
		if (bss_conf->he_bss_color.enabled)
5718
			*changed |= BSS_CHANGED_HE_BSS_COLOR;
5719

5720
		bss_conf->htc_trig_based_pkt_ext =
5721
			le32_get_bits(elems->he_operation->he_oper_params,
5722
				      IEEE80211_HE_OPERATION_DFLT_PE_DURATION_MASK);
5723
		bss_conf->frame_time_rts_th =
5724
			le32_get_bits(elems->he_operation->he_oper_params,
5725
				      IEEE80211_HE_OPERATION_RTS_THRESHOLD_MASK);
5726

5727
		bss_conf->uora_exists = !!elems->uora_element;
5728
		if (elems->uora_element)
5729
			bss_conf->uora_ocw_range = elems->uora_element[0];
5730

5731
		ieee80211_he_op_ie_to_bss_conf(&sdata->vif, elems->he_operation);
5732
		ieee80211_he_spr_ie_to_bss_conf(&sdata->vif, elems->he_spr);
5733
		/* TODO: OPEN: what happens if BSS color disable is set? */
5734
	}
5735

5736
	if (cbss->transmitted_bss) {
5737
		bss_conf->nontransmitted = true;
5738
		ether_addr_copy(bss_conf->transmitter_bssid,
5739
				cbss->transmitted_bss->bssid);
5740
		bss_conf->bssid_indicator = cbss->max_bssid_indicator;
5741
		bss_conf->bssid_index = cbss->bssid_index;
5742
	}
5743

5744
	/*
5745
	 * Some APs, e.g. Netgear WNDR3700, report invalid HT operation data
5746
	 * in their association response, so ignore that data for our own
5747
	 * configuration. If it changed since the last beacon, we'll get the
5748
	 * next beacon and update then.
5749
	 */
5750

5751
	/*
5752
	 * If an operating mode notification IE is present, override the
5753
	 * NSS calculation (that would be done in rate_control_rate_init())
5754
	 * and use the # of streams from that element.
5755
	 */
5756
	if (elems->opmode_notif &&
5757
	    !(*elems->opmode_notif & IEEE80211_OPMODE_NOTIF_RX_NSS_TYPE_BF)) {
5758
		u8 nss;
5759

5760
		nss = *elems->opmode_notif & IEEE80211_OPMODE_NOTIF_RX_NSS_MASK;
5761
		nss >>= IEEE80211_OPMODE_NOTIF_RX_NSS_SHIFT;
5762
		nss += 1;
5763
		link_sta->pub->rx_nss = nss;
5764
	}
5765

5766
	/*
5767
	 * Always handle WMM once after association regardless
5768
	 * of the first value the AP uses. Setting -1 here has
5769
	 * that effect because the AP values is an unsigned
5770
	 * 4-bit value.
5771
	 */
5772
	link->u.mgd.wmm_last_param_set = -1;
5773
	link->u.mgd.mu_edca_last_param_set = -1;
5774

5775
	if (link->u.mgd.disable_wmm_tracking) {
5776
		ieee80211_set_wmm_default(link, false, false);
5777
	} else if (!ieee80211_sta_wmm_params(local, link, elems->wmm_param,
5778
					     elems->wmm_param_len,
5779
					     elems->mu_edca_param_set)) {
5780
		/* still enable QoS since we might have HT/VHT */
5781
		ieee80211_set_wmm_default(link, false, true);
5782
		/* disable WMM tracking in this case to disable
5783
		 * tracking WMM parameter changes in the beacon if
5784
		 * the parameters weren't actually valid. Doing so
5785
		 * avoids changing parameters very strangely when
5786
		 * the AP is going back and forth between valid and
5787
		 * invalid parameters.
5788
		 */
5789
		link->u.mgd.disable_wmm_tracking = true;
5790
	}
5791

5792
	if (elems->max_idle_period_ie) {
5793
		bss_conf->max_idle_period =
5794
			le16_to_cpu(elems->max_idle_period_ie->max_idle_period);
5795
		bss_conf->protected_keep_alive =
5796
			!!(elems->max_idle_period_ie->idle_options &
5797
			   WLAN_IDLE_OPTIONS_PROTECTED_KEEP_ALIVE);
5798
		*changed |= BSS_CHANGED_KEEP_ALIVE;
5799
	} else {
5800
		bss_conf->max_idle_period = 0;
5801
		bss_conf->protected_keep_alive = false;
5802
	}
5803

5804
	/* set assoc capability (AID was already set earlier),
5805
	 * ieee80211_set_associated() will tell the driver */
5806
	bss_conf->assoc_capability = capab_info;
5807

5808
	ret = true;
5809
out:
5810
	kfree(elems);
5811
	kfree(bss_ies);
5812
	return ret;
5813
}
5814

5815
static int ieee80211_mgd_setup_link_sta(struct ieee80211_link_data *link,
5816
					struct sta_info *sta,
5817
					struct link_sta_info *link_sta,
5818
					struct cfg80211_bss *cbss)
5819
{
5820
	struct ieee80211_sub_if_data *sdata = link->sdata;
5821
	struct ieee80211_local *local = sdata->local;
5822
	struct ieee80211_bss *bss = (void *)cbss->priv;
5823
	u32 rates = 0, basic_rates = 0;
5824
	bool have_higher_than_11mbit = false;
5825
	int min_rate = INT_MAX, min_rate_index = -1;
5826
	struct ieee80211_supported_band *sband;
5827

5828
	memcpy(link_sta->addr, cbss->bssid, ETH_ALEN);
5829
	memcpy(link_sta->pub->addr, cbss->bssid, ETH_ALEN);
5830

5831
	/* TODO: S1G Basic Rate Set is expressed elsewhere */
5832
	if (cbss->channel->band == NL80211_BAND_S1GHZ) {
5833
		ieee80211_s1g_sta_rate_init(sta);
5834
		return 0;
5835
	}
5836

5837
	sband = local->hw.wiphy->bands[cbss->channel->band];
5838

5839
	ieee80211_get_rates(sband, bss->supp_rates, bss->supp_rates_len,
5840
			    NULL, 0,
5841
			    &rates, &basic_rates, NULL,
5842
			    &have_higher_than_11mbit,
5843
			    &min_rate, &min_rate_index);
5844

5845
	/*
5846
	 * This used to be a workaround for basic rates missing
5847
	 * in the association response frame. Now that we no
5848
	 * longer use the basic rates from there, it probably
5849
	 * doesn't happen any more, but keep the workaround so
5850
	 * in case some *other* APs are buggy in different ways
5851
	 * we can connect -- with a warning.
5852
	 * Allow this workaround only in case the AP provided at least
5853
	 * one rate.
5854
	 */
5855
	if (min_rate_index < 0) {
5856
		link_info(link, "No legacy rates in association response\n");
5857
		return -EINVAL;
5858
	} else if (!basic_rates) {
5859
		link_info(link, "No basic rates, using min rate instead\n");
5860
		basic_rates = BIT(min_rate_index);
5861
	}
5862

5863
	if (rates)
5864
		link_sta->pub->supp_rates[cbss->channel->band] = rates;
5865
	else
5866
		link_info(link, "No rates found, keeping mandatory only\n");
5867

5868
	link->conf->basic_rates = basic_rates;
5869

5870
	/* cf. IEEE 802.11 9.2.12 */
5871
	link->operating_11g_mode = sband->band == NL80211_BAND_2GHZ &&
5872
				   have_higher_than_11mbit;
5873

5874
	return 0;
5875
}
5876

5877
static u8 ieee80211_max_rx_chains(struct ieee80211_link_data *link,
5878
				  struct cfg80211_bss *cbss)
5879
{
5880
	struct ieee80211_he_mcs_nss_supp *he_mcs_nss_supp;
5881
	const struct element *ht_cap_elem, *vht_cap_elem;
5882
	const struct cfg80211_bss_ies *ies;
5883
	const struct ieee80211_ht_cap *ht_cap;
5884
	const struct ieee80211_vht_cap *vht_cap;
5885
	const struct ieee80211_he_cap_elem *he_cap;
5886
	const struct element *he_cap_elem;
5887
	u16 mcs_80_map, mcs_160_map;
5888
	int i, mcs_nss_size;
5889
	bool support_160;
5890
	u8 chains = 1;
5891

5892
	if (link->u.mgd.conn.mode < IEEE80211_CONN_MODE_HT)
5893
		return chains;
5894

5895
	ht_cap_elem = ieee80211_bss_get_elem(cbss, WLAN_EID_HT_CAPABILITY);
5896
	if (ht_cap_elem && ht_cap_elem->datalen >= sizeof(*ht_cap)) {
5897
		ht_cap = (void *)ht_cap_elem->data;
5898
		chains = ieee80211_mcs_to_chains(&ht_cap->mcs);
5899
		/*
5900
		 * TODO: use "Tx Maximum Number Spatial Streams Supported" and
5901
		 *	 "Tx Unequal Modulation Supported" fields.
5902
		 */
5903
	}
5904

5905
	if (link->u.mgd.conn.mode < IEEE80211_CONN_MODE_VHT)
5906
		return chains;
5907

5908
	vht_cap_elem = ieee80211_bss_get_elem(cbss, WLAN_EID_VHT_CAPABILITY);
5909
	if (vht_cap_elem && vht_cap_elem->datalen >= sizeof(*vht_cap)) {
5910
		u8 nss;
5911
		u16 tx_mcs_map;
5912

5913
		vht_cap = (void *)vht_cap_elem->data;
5914
		tx_mcs_map = le16_to_cpu(vht_cap->supp_mcs.tx_mcs_map);
5915
		for (nss = 8; nss > 0; nss--) {
5916
			if (((tx_mcs_map >> (2 * (nss - 1))) & 3) !=
5917
					IEEE80211_VHT_MCS_NOT_SUPPORTED)
5918
				break;
5919
		}
5920
		/* TODO: use "Tx Highest Supported Long GI Data Rate" field? */
5921
		chains = max(chains, nss);
5922
	}
5923

5924
	if (link->u.mgd.conn.mode < IEEE80211_CONN_MODE_HE)
5925
		return chains;
5926

5927
	ies = rcu_dereference(cbss->ies);
5928
	he_cap_elem = cfg80211_find_ext_elem(WLAN_EID_EXT_HE_CAPABILITY,
5929
					     ies->data, ies->len);
5930

5931
	if (!he_cap_elem || he_cap_elem->datalen < sizeof(*he_cap) + 1)
5932
		return chains;
5933

5934
	/* skip one byte ext_tag_id */
5935
	he_cap = (void *)(he_cap_elem->data + 1);
5936
	mcs_nss_size = ieee80211_he_mcs_nss_size(he_cap);
5937

5938
	/* invalid HE IE */
5939
	if (he_cap_elem->datalen < 1 + mcs_nss_size + sizeof(*he_cap))
5940
		return chains;
5941

5942
	/* mcs_nss is right after he_cap info */
5943
	he_mcs_nss_supp = (void *)(he_cap + 1);
5944

5945
	mcs_80_map = le16_to_cpu(he_mcs_nss_supp->tx_mcs_80);
5946

5947
	for (i = 7; i >= 0; i--) {
5948
		u8 mcs_80 = mcs_80_map >> (2 * i) & 3;
5949

5950
		if (mcs_80 != IEEE80211_VHT_MCS_NOT_SUPPORTED) {
5951
			chains = max_t(u8, chains, i + 1);
5952
			break;
5953
		}
5954
	}
5955

5956
	support_160 = he_cap->phy_cap_info[0] &
5957
		      IEEE80211_HE_PHY_CAP0_CHANNEL_WIDTH_SET_160MHZ_IN_5G;
5958

5959
	if (!support_160)
5960
		return chains;
5961

5962
	mcs_160_map = le16_to_cpu(he_mcs_nss_supp->tx_mcs_160);
5963
	for (i = 7; i >= 0; i--) {
5964
		u8 mcs_160 = mcs_160_map >> (2 * i) & 3;
5965

5966
		if (mcs_160 != IEEE80211_VHT_MCS_NOT_SUPPORTED) {
5967
			chains = max_t(u8, chains, i + 1);
5968
			break;
5969
		}
5970
	}
5971

5972
	return chains;
5973
}
5974

5975
static void
5976
ieee80211_determine_our_sta_mode(struct ieee80211_sub_if_data *sdata,
5977
				 struct ieee80211_supported_band *sband,
5978
				 struct cfg80211_assoc_request *req,
5979
				 bool wmm_used, int link_id,
5980
				 struct ieee80211_conn_settings *conn)
5981
{
5982
	struct ieee80211_sta_ht_cap sta_ht_cap = sband->ht_cap;
5983
	bool is_5ghz = sband->band == NL80211_BAND_5GHZ;
5984
	bool is_6ghz = sband->band == NL80211_BAND_6GHZ;
5985
	const struct ieee80211_sta_he_cap *he_cap;
5986
	const struct ieee80211_sta_eht_cap *eht_cap;
5987
	const struct ieee80211_sta_uhr_cap *uhr_cap;
5988
	struct ieee80211_sta_vht_cap vht_cap;
5989

5990
	if (sband->band == NL80211_BAND_S1GHZ) {
5991
		conn->mode = IEEE80211_CONN_MODE_S1G;
5992
		conn->bw_limit = IEEE80211_CONN_BW_LIMIT_20;
5993
		mlme_dbg(sdata, "operating as S1G STA\n");
5994
		return;
5995
	}
5996

5997
	conn->mode = IEEE80211_CONN_MODE_LEGACY;
5998
	conn->bw_limit = IEEE80211_CONN_BW_LIMIT_20;
5999

6000
	ieee80211_apply_htcap_overrides(sdata, &sta_ht_cap);
6001

6002
	if (req && req->flags & ASSOC_REQ_DISABLE_HT) {
6003
		mlme_link_id_dbg(sdata, link_id,
6004
				 "HT disabled by flag, limiting to legacy\n");
6005
		goto out;
6006
	}
6007

6008
	if (!wmm_used) {
6009
		mlme_link_id_dbg(sdata, link_id,
6010
				 "WMM/QoS not supported, limiting to legacy\n");
6011
		goto out;
6012
	}
6013

6014
	if (req) {
6015
		unsigned int i;
6016

6017
		for (i = 0; i < req->crypto.n_ciphers_pairwise; i++) {
6018
			if (req->crypto.ciphers_pairwise[i] == WLAN_CIPHER_SUITE_WEP40 ||
6019
			    req->crypto.ciphers_pairwise[i] == WLAN_CIPHER_SUITE_TKIP ||
6020
			    req->crypto.ciphers_pairwise[i] == WLAN_CIPHER_SUITE_WEP104) {
6021
				netdev_info(sdata->dev,
6022
					    "WEP/TKIP use, limiting to legacy\n");
6023
				goto out;
6024
			}
6025
		}
6026
	}
6027

6028
	if (!sta_ht_cap.ht_supported && !is_6ghz) {
6029
		mlme_link_id_dbg(sdata, link_id,
6030
				 "HT not supported (and not on 6 GHz), limiting to legacy\n");
6031
		goto out;
6032
	}
6033

6034
	/* HT is fine */
6035
	conn->mode = IEEE80211_CONN_MODE_HT;
6036
	conn->bw_limit = sta_ht_cap.cap & IEEE80211_HT_CAP_SUP_WIDTH_20_40 ?
6037
		IEEE80211_CONN_BW_LIMIT_40 :
6038
		IEEE80211_CONN_BW_LIMIT_20;
6039

6040
	memcpy(&vht_cap, &sband->vht_cap, sizeof(vht_cap));
6041
	ieee80211_apply_vhtcap_overrides(sdata, &vht_cap);
6042

6043
	if (req && req->flags & ASSOC_REQ_DISABLE_VHT) {
6044
		mlme_link_id_dbg(sdata, link_id,
6045
				 "VHT disabled by flag, limiting to HT\n");
6046
		goto out;
6047
	}
6048

6049
	if (vht_cap.vht_supported && is_5ghz) {
6050
		bool have_80mhz = false;
6051
		unsigned int i;
6052

6053
		if (conn->bw_limit == IEEE80211_CONN_BW_LIMIT_20) {
6054
			mlme_link_id_dbg(sdata, link_id,
6055
					 "no 40 MHz support on 5 GHz, limiting to HT\n");
6056
			goto out;
6057
		}
6058

6059
		/* Allow VHT if at least one channel on the sband supports 80 MHz */
6060
		for (i = 0; i < sband->n_channels; i++) {
6061
			if (sband->channels[i].flags & (IEEE80211_CHAN_DISABLED |
6062
							IEEE80211_CHAN_NO_80MHZ))
6063
				continue;
6064

6065
			have_80mhz = true;
6066
			break;
6067
		}
6068

6069
		if (!have_80mhz) {
6070
			mlme_link_id_dbg(sdata, link_id,
6071
					 "no 80 MHz channel support on 5 GHz, limiting to HT\n");
6072
			goto out;
6073
		}
6074
	} else if (is_5ghz) { /* !vht_supported but on 5 GHz */
6075
		mlme_link_id_dbg(sdata, link_id,
6076
				 "no VHT support on 5 GHz, limiting to HT\n");
6077
		goto out;
6078
	}
6079

6080
	/* VHT - if we have - is fine, including 80 MHz, check 160 below again */
6081
	if (sband->band != NL80211_BAND_2GHZ) {
6082
		conn->mode = IEEE80211_CONN_MODE_VHT;
6083
		conn->bw_limit = IEEE80211_CONN_BW_LIMIT_160;
6084
	}
6085

6086
	if (is_5ghz &&
6087
	    !(vht_cap.cap & (IEEE80211_VHT_CAP_SUPP_CHAN_WIDTH_160MHZ |
6088
			     IEEE80211_VHT_CAP_SUPP_CHAN_WIDTH_160_80PLUS80MHZ |
6089
			     IEEE80211_VHT_CAP_EXT_NSS_BW_MASK))) {
6090
		conn->bw_limit = IEEE80211_CONN_BW_LIMIT_80;
6091
		mlme_link_id_dbg(sdata, link_id,
6092
				 "no VHT 160 MHz capability on 5 GHz, limiting to 80 MHz");
6093
	}
6094

6095
	if (req && req->flags & ASSOC_REQ_DISABLE_HE) {
6096
		mlme_link_id_dbg(sdata, link_id,
6097
				 "HE disabled by flag, limiting to HT/VHT\n");
6098
		goto out;
6099
	}
6100

6101
	he_cap = ieee80211_get_he_iftype_cap_vif(sband, &sdata->vif);
6102
	if (!he_cap) {
6103
		WARN_ON(is_6ghz);
6104
		mlme_link_id_dbg(sdata, link_id,
6105
				 "no HE support, limiting to HT/VHT\n");
6106
		goto out;
6107
	}
6108

6109
	/* so we have HE */
6110
	conn->mode = IEEE80211_CONN_MODE_HE;
6111

6112
	/* check bandwidth */
6113
	switch (sband->band) {
6114
	default:
6115
	case NL80211_BAND_2GHZ:
6116
		if (he_cap->he_cap_elem.phy_cap_info[0] &
6117
		    IEEE80211_HE_PHY_CAP0_CHANNEL_WIDTH_SET_40MHZ_IN_2G)
6118
			break;
6119
		conn->bw_limit = IEEE80211_CONN_BW_LIMIT_20;
6120
		mlme_link_id_dbg(sdata, link_id,
6121
				 "no 40 MHz HE cap in 2.4 GHz, limiting to 20 MHz\n");
6122
		break;
6123
	case NL80211_BAND_5GHZ:
6124
		if (!(he_cap->he_cap_elem.phy_cap_info[0] &
6125
		      IEEE80211_HE_PHY_CAP0_CHANNEL_WIDTH_SET_40MHZ_80MHZ_IN_5G)) {
6126
			conn->bw_limit = IEEE80211_CONN_BW_LIMIT_20;
6127
			mlme_link_id_dbg(sdata, link_id,
6128
					 "no 40/80 MHz HE cap in 5 GHz, limiting to 20 MHz\n");
6129
			break;
6130
		}
6131
		if (!(he_cap->he_cap_elem.phy_cap_info[0] &
6132
		      IEEE80211_HE_PHY_CAP0_CHANNEL_WIDTH_SET_160MHZ_IN_5G)) {
6133
			conn->bw_limit = min_t(enum ieee80211_conn_bw_limit,
6134
					       conn->bw_limit,
6135
					       IEEE80211_CONN_BW_LIMIT_80);
6136
			mlme_link_id_dbg(sdata, link_id,
6137
					 "no 160 MHz HE cap in 5 GHz, limiting to 80 MHz\n");
6138
		}
6139
		break;
6140
	case NL80211_BAND_6GHZ:
6141
		if (he_cap->he_cap_elem.phy_cap_info[0] &
6142
		    IEEE80211_HE_PHY_CAP0_CHANNEL_WIDTH_SET_160MHZ_IN_5G)
6143
			break;
6144
		conn->bw_limit = min_t(enum ieee80211_conn_bw_limit,
6145
				       conn->bw_limit,
6146
				       IEEE80211_CONN_BW_LIMIT_80);
6147
		mlme_link_id_dbg(sdata, link_id,
6148
				 "no 160 MHz HE cap in 6 GHz, limiting to 80 MHz\n");
6149
		break;
6150
	}
6151

6152
	if (req && req->flags & ASSOC_REQ_DISABLE_EHT) {
6153
		mlme_link_id_dbg(sdata, link_id,
6154
				 "EHT disabled by flag, limiting to HE\n");
6155
		goto out;
6156
	}
6157

6158
	eht_cap = ieee80211_get_eht_iftype_cap_vif(sband, &sdata->vif);
6159
	if (!eht_cap) {
6160
		mlme_link_id_dbg(sdata, link_id,
6161
				 "no EHT support, limiting to HE\n");
6162
		goto out;
6163
	}
6164
	conn->mode = IEEE80211_CONN_MODE_EHT;
6165

6166
	/* check bandwidth */
6167
	if (is_6ghz &&
6168
	    eht_cap->eht_cap_elem.phy_cap_info[0] & IEEE80211_EHT_PHY_CAP0_320MHZ_IN_6GHZ)
6169
		conn->bw_limit = IEEE80211_CONN_BW_LIMIT_320;
6170
	else if (is_6ghz)
6171
		mlme_link_id_dbg(sdata, link_id,
6172
				 "no EHT 320 MHz cap in 6 GHz, limiting to 160 MHz\n");
6173

6174
	if (req && req->flags & ASSOC_REQ_DISABLE_UHR) {
6175
		mlme_link_id_dbg(sdata, link_id,
6176
				 "UHR disabled by flag, limiting to EHT\n");
6177
		goto out;
6178
	}
6179

6180
	uhr_cap = ieee80211_get_uhr_iftype_cap_vif(sband, &sdata->vif);
6181
	if (!uhr_cap) {
6182
		mlme_link_id_dbg(sdata, link_id,
6183
				 "no UHR support, limiting to EHT\n");
6184
		goto out;
6185
	}
6186
	conn->mode = IEEE80211_CONN_MODE_UHR;
6187

6188
out:
6189
	mlme_link_id_dbg(sdata, link_id,
6190
			 "determined local STA to be %s, BW limited to %d MHz\n",
6191
			 ieee80211_conn_mode_str(conn->mode),
6192
			 20 * (1 << conn->bw_limit));
6193
}
6194

6195
static void
6196
ieee80211_determine_our_sta_mode_auth(struct ieee80211_sub_if_data *sdata,
6197
				      struct ieee80211_supported_band *sband,
6198
				      struct cfg80211_auth_request *req,
6199
				      bool wmm_used,
6200
				      struct ieee80211_conn_settings *conn)
6201
{
6202
	ieee80211_determine_our_sta_mode(sdata, sband, NULL, wmm_used,
6203
					 req->link_id > 0 ? req->link_id : 0,
6204
					 conn);
6205
}
6206

6207
static void
6208
ieee80211_determine_our_sta_mode_assoc(struct ieee80211_sub_if_data *sdata,
6209
				       struct ieee80211_supported_band *sband,
6210
				       struct cfg80211_assoc_request *req,
6211
				       bool wmm_used, int link_id,
6212
				       struct ieee80211_conn_settings *conn)
6213
{
6214
	struct ieee80211_conn_settings tmp;
6215

6216
	WARN_ON(!req);
6217

6218
	ieee80211_determine_our_sta_mode(sdata, sband, req, wmm_used, link_id,
6219
					 &tmp);
6220

6221
	conn->mode = min_t(enum ieee80211_conn_mode,
6222
			   conn->mode, tmp.mode);
6223
	conn->bw_limit = min_t(enum ieee80211_conn_bw_limit,
6224
			       conn->bw_limit, tmp.bw_limit);
6225
}
6226

6227
static int ieee80211_prep_channel(struct ieee80211_sub_if_data *sdata,
6228
				  struct ieee80211_link_data *link,
6229
				  int link_id,
6230
				  struct cfg80211_bss *cbss, bool mlo,
6231
				  struct ieee80211_conn_settings *conn,
6232
				  unsigned long *userspace_selectors)
6233
{
6234
	struct ieee80211_local *local = sdata->local;
6235
	bool is_6ghz = cbss->channel->band == NL80211_BAND_6GHZ;
6236
	struct ieee80211_chan_req chanreq = {};
6237
	struct cfg80211_chan_def ap_chandef;
6238
	struct ieee802_11_elems *elems;
6239
	int ret;
6240

6241
	lockdep_assert_wiphy(local->hw.wiphy);
6242

6243
	rcu_read_lock();
6244
	elems = ieee80211_determine_chan_mode(sdata, conn, cbss, link_id,
6245
					      &chanreq, &ap_chandef,
6246
					      userspace_selectors);
6247

6248
	if (IS_ERR(elems)) {
6249
		rcu_read_unlock();
6250
		return PTR_ERR(elems);
6251
	}
6252

6253
	if (mlo && !elems->ml_basic) {
6254
		sdata_info(sdata, "Rejecting MLO as it is not supported by AP\n");
6255
		rcu_read_unlock();
6256
		kfree(elems);
6257
		return -EINVAL;
6258
	}
6259

6260
	if (link && is_6ghz && conn->mode >= IEEE80211_CONN_MODE_HE) {
6261
		const struct ieee80211_he_6ghz_oper *he_6ghz_oper;
6262

6263
		if (elems->pwr_constr_elem)
6264
			link->conf->pwr_reduction = *elems->pwr_constr_elem;
6265

6266
		he_6ghz_oper = ieee80211_he_6ghz_oper(elems->he_operation);
6267
		if (he_6ghz_oper)
6268
			link->conf->power_type =
6269
				cfg80211_6ghz_power_type(he_6ghz_oper->control,
6270
							 cbss->channel->flags);
6271
		else
6272
			link_info(link,
6273
				  "HE 6 GHz operation missing (on %d MHz), expect issues\n",
6274
				  cbss->channel->center_freq);
6275

6276
		link->conf->tpe = elems->tpe;
6277
		ieee80211_rearrange_tpe(&link->conf->tpe, &ap_chandef,
6278
					&chanreq.oper);
6279
	}
6280
	rcu_read_unlock();
6281
	/* the element data was RCU protected so no longer valid anyway */
6282
	kfree(elems);
6283
	elems = NULL;
6284

6285
	if (!link)
6286
		return 0;
6287

6288
	rcu_read_lock();
6289
	link->needed_rx_chains = min(ieee80211_max_rx_chains(link, cbss),
6290
				     local->rx_chains);
6291
	rcu_read_unlock();
6292

6293
	/*
6294
	 * If this fails (possibly due to channel context sharing
6295
	 * on incompatible channels, e.g. 80+80 and 160 sharing the
6296
	 * same control channel) try to use a smaller bandwidth.
6297
	 */
6298
	ret = ieee80211_link_use_channel(link, &chanreq,
6299
					 IEEE80211_CHANCTX_SHARED);
6300

6301
	/* don't downgrade for 5/10/S1G MHz channels, though. */
6302
	if (chanreq.oper.width == NL80211_CHAN_WIDTH_5 ||
6303
	    chanreq.oper.width == NL80211_CHAN_WIDTH_10 ||
6304
	    cfg80211_chandef_is_s1g(&chanreq.oper))
6305
		return ret;
6306

6307
	while (ret && chanreq.oper.width != NL80211_CHAN_WIDTH_20_NOHT) {
6308
		ieee80211_chanreq_downgrade(&chanreq, conn);
6309

6310
		ret = ieee80211_link_use_channel(link, &chanreq,
6311
						 IEEE80211_CHANCTX_SHARED);
6312
	}
6313

6314
	return ret;
6315
}
6316

6317
static bool ieee80211_get_dtim(const struct cfg80211_bss_ies *ies,
6318
			       u8 *dtim_count, u8 *dtim_period)
6319
{
6320
	const u8 *tim_ie = cfg80211_find_ie(WLAN_EID_TIM, ies->data, ies->len);
6321
	const u8 *idx_ie = cfg80211_find_ie(WLAN_EID_MULTI_BSSID_IDX, ies->data,
6322
					 ies->len);
6323
	const struct ieee80211_tim_ie *tim = NULL;
6324
	const struct ieee80211_bssid_index *idx;
6325
	bool valid = tim_ie && tim_ie[1] >= 2;
6326

6327
	if (valid)
6328
		tim = (void *)(tim_ie + 2);
6329

6330
	if (dtim_count)
6331
		*dtim_count = valid ? tim->dtim_count : 0;
6332

6333
	if (dtim_period)
6334
		*dtim_period = valid ? tim->dtim_period : 0;
6335

6336
	/* Check if value is overridden by non-transmitted profile */
6337
	if (!idx_ie || idx_ie[1] < 3)
6338
		return valid;
6339

6340
	idx = (void *)(idx_ie + 2);
6341

6342
	if (dtim_count)
6343
		*dtim_count = idx->dtim_count;
6344

6345
	if (dtim_period)
6346
		*dtim_period = idx->dtim_period;
6347

6348
	return true;
6349
}
6350

6351
static u16 ieee80211_get_ttlm(u8 bm_size, u8 *data)
6352
{
6353
	if (bm_size == 1)
6354
		return *data;
6355

6356
	return get_unaligned_le16(data);
6357
}
6358

6359
static int
6360
ieee80211_parse_adv_t2l(struct ieee80211_sub_if_data *sdata,
6361
			const struct ieee80211_ttlm_elem *ttlm,
6362
			struct ieee80211_adv_ttlm_info *ttlm_info)
6363
{
6364
	/* The element size was already validated in
6365
	 * ieee80211_tid_to_link_map_size_ok()
6366
	 */
6367
	u8 control, link_map_presence, map_size, tid;
6368
	u8 *pos;
6369

6370
	memset(ttlm_info, 0, sizeof(*ttlm_info));
6371
	pos = (void *)ttlm->optional;
6372
	control	= ttlm->control;
6373

6374
	if ((control & IEEE80211_TTLM_CONTROL_DIRECTION) !=
6375
	    IEEE80211_TTLM_DIRECTION_BOTH) {
6376
		sdata_info(sdata, "Invalid advertised T2L map direction\n");
6377
		return -EINVAL;
6378
	}
6379

6380
	if (!(control & IEEE80211_TTLM_CONTROL_DEF_LINK_MAP)) {
6381
		link_map_presence = *pos;
6382
		pos++;
6383
	}
6384

6385
	if (control & IEEE80211_TTLM_CONTROL_SWITCH_TIME_PRESENT) {
6386
		ttlm_info->switch_time = get_unaligned_le16(pos);
6387

6388
		/* Since ttlm_info->switch_time == 0 means no switch time, bump
6389
		 * it by 1.
6390
		 */
6391
		if (!ttlm_info->switch_time)
6392
			ttlm_info->switch_time = 1;
6393

6394
		pos += 2;
6395
	}
6396

6397
	if (control & IEEE80211_TTLM_CONTROL_EXPECTED_DUR_PRESENT) {
6398
		ttlm_info->duration = pos[0] | pos[1] << 8 | pos[2] << 16;
6399
		pos += 3;
6400
	}
6401

6402
	if (control & IEEE80211_TTLM_CONTROL_DEF_LINK_MAP) {
6403
		ttlm_info->map = 0xffff;
6404
		return 0;
6405
	}
6406

6407
	if (control & IEEE80211_TTLM_CONTROL_LINK_MAP_SIZE)
6408
		map_size = 1;
6409
	else
6410
		map_size = 2;
6411

6412
	/* According to Draft P802.11be_D3.0 clause 35.3.7.1.7, an AP MLD shall
6413
	 * not advertise a TID-to-link mapping that does not map all TIDs to the
6414
	 * same link set, reject frame if not all links have mapping
6415
	 */
6416
	if (link_map_presence != 0xff) {
6417
		sdata_info(sdata,
6418
			   "Invalid advertised T2L mapping presence indicator\n");
6419
		return -EINVAL;
6420
	}
6421

6422
	ttlm_info->map = ieee80211_get_ttlm(map_size, pos);
6423
	if (!ttlm_info->map) {
6424
		sdata_info(sdata,
6425
			   "Invalid advertised T2L map for TID 0\n");
6426
		return -EINVAL;
6427
	}
6428

6429
	pos += map_size;
6430

6431
	for (tid = 1; tid < 8; tid++) {
6432
		u16 map = ieee80211_get_ttlm(map_size, pos);
6433

6434
		if (map != ttlm_info->map) {
6435
			sdata_info(sdata, "Invalid advertised T2L map for tid %d\n",
6436
				   tid);
6437
			return -EINVAL;
6438
		}
6439

6440
		pos += map_size;
6441
	}
6442
	return 0;
6443
}
6444

6445
static bool ieee80211_assoc_success(struct ieee80211_sub_if_data *sdata,
6446
				    struct ieee80211_mgmt *mgmt,
6447
				    struct ieee802_11_elems *elems,
6448
				    const u8 *elem_start, unsigned int elem_len)
6449
{
6450
	struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
6451
	struct ieee80211_mgd_assoc_data *assoc_data = ifmgd->assoc_data;
6452
	struct ieee80211_local *local = sdata->local;
6453
	unsigned int link_id;
6454
	struct sta_info *sta;
6455
	u64 changed[IEEE80211_MLD_MAX_NUM_LINKS] = {};
6456
	u16 valid_links = 0, dormant_links = 0;
6457
	int err;
6458

6459
	lockdep_assert_wiphy(sdata->local->hw.wiphy);
6460
	/*
6461
	 * station info was already allocated and inserted before
6462
	 * the association and should be available to us
6463
	 */
6464
	sta = sta_info_get(sdata, assoc_data->ap_addr);
6465
	if (WARN_ON(!sta))
6466
		goto out_err;
6467

6468
	sta->sta.spp_amsdu = assoc_data->spp_amsdu;
6469

6470
	if (ieee80211_vif_is_mld(&sdata->vif)) {
6471
		for (link_id = 0; link_id < IEEE80211_MLD_MAX_NUM_LINKS; link_id++) {
6472
			if (!assoc_data->link[link_id].bss)
6473
				continue;
6474

6475
			valid_links |= BIT(link_id);
6476

6477
			if (link_id != assoc_data->assoc_link_id) {
6478
				err = ieee80211_sta_allocate_link(sta, link_id);
6479
				if (err)
6480
					goto out_err;
6481
			}
6482
		}
6483

6484
		/*
6485
		 * We do not support setting a negotiated TTLM during
6486
		 * association. As such, we can assume that if there is a TTLM,
6487
		 * then it is the currently active advertised TTLM.
6488
		 * In that case, there must be exactly one TTLM that does not
6489
		 * have a switch time set. This mapping should also leave us
6490
		 * with at least one usable link.
6491
		 */
6492
		if (elems->ttlm_num > 1) {
6493
			sdata_info(sdata,
6494
				   "More than one advertised TTLM in association response\n");
6495
			goto out_err;
6496
		} else if (elems->ttlm_num == 1) {
6497
			if (ieee80211_parse_adv_t2l(sdata, elems->ttlm[0],
6498
						    &sdata->u.mgd.ttlm_info) ||
6499
			    sdata->u.mgd.ttlm_info.switch_time != 0 ||
6500
			    !(valid_links & sdata->u.mgd.ttlm_info.map)) {
6501
				sdata_info(sdata,
6502
					   "Invalid advertised TTLM in association response\n");
6503
				goto out_err;
6504
			}
6505

6506
			sdata->u.mgd.ttlm_info.active = true;
6507
			dormant_links =
6508
				valid_links & ~sdata->u.mgd.ttlm_info.map;
6509
		}
6510

6511
		ieee80211_vif_set_links(sdata, valid_links, dormant_links);
6512
	}
6513

6514
	for (link_id = 0; link_id < IEEE80211_MLD_MAX_NUM_LINKS; link_id++) {
6515
		struct cfg80211_bss *cbss = assoc_data->link[link_id].bss;
6516
		struct ieee80211_link_data *link;
6517
		struct link_sta_info *link_sta;
6518

6519
		if (!cbss)
6520
			continue;
6521

6522
		link = sdata_dereference(sdata->link[link_id], sdata);
6523
		if (WARN_ON(!link))
6524
			goto out_err;
6525

6526
		if (ieee80211_vif_is_mld(&sdata->vif))
6527
			link_info(link,
6528
				  "local address %pM, AP link address %pM%s\n",
6529
				  link->conf->addr,
6530
				  assoc_data->link[link_id].bss->bssid,
6531
				  link_id == assoc_data->assoc_link_id ?
6532
					" (assoc)" : "");
6533

6534
		link_sta = rcu_dereference_protected(sta->link[link_id],
6535
						     lockdep_is_held(&local->hw.wiphy->mtx));
6536
		if (WARN_ON(!link_sta))
6537
			goto out_err;
6538

6539
		if (!link->u.mgd.have_beacon) {
6540
			const struct cfg80211_bss_ies *ies;
6541

6542
			rcu_read_lock();
6543
			ies = rcu_dereference(cbss->beacon_ies);
6544
			if (ies)
6545
				link->u.mgd.have_beacon = true;
6546
			else
6547
				ies = rcu_dereference(cbss->ies);
6548
			ieee80211_get_dtim(ies,
6549
					   &link->conf->sync_dtim_count,
6550
					   &link->u.mgd.dtim_period);
6551
			link->conf->beacon_int = cbss->beacon_interval;
6552
			rcu_read_unlock();
6553
		}
6554

6555
		link->conf->dtim_period = link->u.mgd.dtim_period ?: 1;
6556

6557
		if (link_id != assoc_data->assoc_link_id) {
6558
			link->u.mgd.conn = assoc_data->link[link_id].conn;
6559

6560
			err = ieee80211_prep_channel(sdata, link, link_id, cbss,
6561
						     true, &link->u.mgd.conn,
6562
						     sdata->u.mgd.userspace_selectors);
6563
			if (err) {
6564
				link_info(link, "prep_channel failed\n");
6565
				goto out_err;
6566
			}
6567
		}
6568

6569
		err = ieee80211_mgd_setup_link_sta(link, sta, link_sta,
6570
						   assoc_data->link[link_id].bss);
6571
		if (err)
6572
			goto out_err;
6573

6574
		if (!ieee80211_assoc_config_link(link, link_sta,
6575
						 assoc_data->link[link_id].bss,
6576
						 mgmt, elem_start, elem_len,
6577
						 &changed[link_id]))
6578
			goto out_err;
6579

6580
		if (assoc_data->link[link_id].status != WLAN_STATUS_SUCCESS) {
6581
			valid_links &= ~BIT(link_id);
6582
			ieee80211_sta_remove_link(sta, link_id);
6583
			continue;
6584
		}
6585

6586
		if (link_id != assoc_data->assoc_link_id) {
6587
			err = ieee80211_sta_activate_link(sta, link_id);
6588
			if (err)
6589
				goto out_err;
6590
		}
6591
	}
6592

6593
	/* links might have changed due to rejected ones, set them again */
6594
	ieee80211_vif_set_links(sdata, valid_links, dormant_links);
6595

6596
	rate_control_rate_init_all_links(sta);
6597

6598
	if (ifmgd->flags & IEEE80211_STA_MFP_ENABLED) {
6599
		set_sta_flag(sta, WLAN_STA_MFP);
6600
		sta->sta.mfp = true;
6601
	} else {
6602
		sta->sta.mfp = false;
6603
	}
6604

6605
	ieee80211_sta_set_max_amsdu_subframes(sta, elems->ext_capab,
6606
					      elems->ext_capab_len);
6607

6608
	sta->sta.wme = (elems->wmm_param || elems->s1g_capab) &&
6609
		       local->hw.queues >= IEEE80211_NUM_ACS;
6610

6611
	err = sta_info_move_state(sta, IEEE80211_STA_ASSOC);
6612
	if (!err && !(ifmgd->flags & IEEE80211_STA_CONTROL_PORT))
6613
		err = sta_info_move_state(sta, IEEE80211_STA_AUTHORIZED);
6614
	if (err) {
6615
		sdata_info(sdata,
6616
			   "failed to move station %pM to desired state\n",
6617
			   sta->sta.addr);
6618
		WARN_ON(__sta_info_destroy(sta));
6619
		goto out_err;
6620
	}
6621

6622
	if (sdata->wdev.use_4addr)
6623
		drv_sta_set_4addr(local, sdata, &sta->sta, true);
6624

6625
	ieee80211_set_associated(sdata, assoc_data, changed);
6626

6627
	/*
6628
	 * If we're using 4-addr mode, let the AP know that we're
6629
	 * doing so, so that it can create the STA VLAN on its side
6630
	 */
6631
	if (ifmgd->use_4addr)
6632
		ieee80211_send_4addr_nullfunc(local, sdata);
6633

6634
	/*
6635
	 * Start timer to probe the connection to the AP now.
6636
	 * Also start the timer that will detect beacon loss.
6637
	 */
6638
	ieee80211_sta_reset_beacon_monitor(sdata);
6639
	ieee80211_sta_reset_conn_monitor(sdata);
6640

6641
	return true;
6642
out_err:
6643
	eth_zero_addr(sdata->vif.cfg.ap_addr);
6644
	return false;
6645
}
6646

6647
static void ieee80211_rx_mgmt_assoc_resp(struct ieee80211_sub_if_data *sdata,
6648
					 struct ieee80211_mgmt *mgmt,
6649
					 size_t len)
6650
{
6651
	struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
6652
	struct ieee80211_mgd_assoc_data *assoc_data = ifmgd->assoc_data;
6653
	u16 capab_info, status_code, aid;
6654
	struct ieee80211_elems_parse_params parse_params = {
6655
		.bss = NULL,
6656
		.link_id = -1,
6657
		.from_ap = true,
6658
		.type = le16_to_cpu(mgmt->frame_control) & IEEE80211_FCTL_TYPE,
6659
	};
6660
	struct ieee802_11_elems *elems;
6661
	int ac;
6662
	const u8 *elem_start;
6663
	unsigned int elem_len;
6664
	bool reassoc;
6665
	struct ieee80211_event event = {
6666
		.type = MLME_EVENT,
6667
		.u.mlme.data = ASSOC_EVENT,
6668
	};
6669
	struct ieee80211_prep_tx_info info = {};
6670
	struct cfg80211_rx_assoc_resp_data resp = {
6671
		.uapsd_queues = -1,
6672
	};
6673
	u8 ap_mld_addr[ETH_ALEN] __aligned(2);
6674
	unsigned int link_id;
6675
	u16 max_aid = IEEE80211_MAX_AID;
6676

6677
	lockdep_assert_wiphy(sdata->local->hw.wiphy);
6678

6679
	if (!assoc_data)
6680
		return;
6681

6682
	info.link_id = assoc_data->assoc_link_id;
6683

6684
	parse_params.mode =
6685
		assoc_data->link[assoc_data->assoc_link_id].conn.mode;
6686

6687
	if (!ether_addr_equal(assoc_data->ap_addr, mgmt->bssid) ||
6688
	    !ether_addr_equal(assoc_data->ap_addr, mgmt->sa))
6689
		return;
6690

6691
	/*
6692
	 * AssocResp and ReassocResp have identical structure, so process both
6693
	 * of them in this function.
6694
	 */
6695

6696
	if (len < 24 + 6)
6697
		return;
6698

6699
	reassoc = ieee80211_is_reassoc_resp(mgmt->frame_control);
6700
	capab_info = le16_to_cpu(mgmt->u.assoc_resp.capab_info);
6701
	status_code = le16_to_cpu(mgmt->u.assoc_resp.status_code);
6702
	if (assoc_data->s1g) {
6703
		elem_start = mgmt->u.s1g_assoc_resp.variable;
6704
		max_aid = IEEE80211_MAX_SUPPORTED_S1G_AID;
6705
	} else {
6706
		elem_start = mgmt->u.assoc_resp.variable;
6707
	}
6708

6709
	/*
6710
	 * Note: this may not be perfect, AP might misbehave - if
6711
	 * anyone needs to rely on perfect complete notification
6712
	 * with the exact right subtype, then we need to track what
6713
	 * we actually transmitted.
6714
	 */
6715
	info.subtype = reassoc ? IEEE80211_STYPE_REASSOC_REQ :
6716
				 IEEE80211_STYPE_ASSOC_REQ;
6717

6718
	if (assoc_data->fils_kek_len &&
6719
	    fils_decrypt_assoc_resp(sdata, (u8 *)mgmt, &len, assoc_data) < 0)
6720
		return;
6721

6722
	elem_len = len - (elem_start - (u8 *)mgmt);
6723
	parse_params.start = elem_start;
6724
	parse_params.len = elem_len;
6725
	elems = ieee802_11_parse_elems_full(&parse_params);
6726
	if (!elems)
6727
		goto notify_driver;
6728

6729
	if (elems->aid_resp)
6730
		aid = le16_to_cpu(elems->aid_resp->aid);
6731
	else
6732
		aid = le16_to_cpu(mgmt->u.assoc_resp.aid);
6733

6734
	/*
6735
	 * The 5 MSB of the AID field are reserved for a non-S1G STA. For
6736
	 * an S1G STA the 3 MSBs are reserved.
6737
	 * (802.11-2016 9.4.1.8 AID field).
6738
	 */
6739
	aid &= assoc_data->s1g ? 0x1fff : 0x7ff;
6740

6741
	sdata_info(sdata,
6742
		   "RX %sssocResp from %pM (capab=0x%x status=%d aid=%d)\n",
6743
		   reassoc ? "Rea" : "A", assoc_data->ap_addr,
6744
		   capab_info, status_code, aid);
6745

6746
	ifmgd->broken_ap = false;
6747

6748
	if (status_code == WLAN_STATUS_ASSOC_REJECTED_TEMPORARILY &&
6749
	    elems->timeout_int &&
6750
	    elems->timeout_int->type == WLAN_TIMEOUT_ASSOC_COMEBACK) {
6751
		u32 tu, ms;
6752

6753
		cfg80211_assoc_comeback(sdata->dev, assoc_data->ap_addr,
6754
					le32_to_cpu(elems->timeout_int->value));
6755

6756
		tu = le32_to_cpu(elems->timeout_int->value);
6757
		ms = tu * 1024 / 1000;
6758
		sdata_info(sdata,
6759
			   "%pM rejected association temporarily; comeback duration %u TU (%u ms)\n",
6760
			   assoc_data->ap_addr, tu, ms);
6761
		assoc_data->timeout = jiffies + msecs_to_jiffies(ms);
6762
		assoc_data->timeout_started = true;
6763
		assoc_data->comeback = true;
6764
		if (ms > IEEE80211_ASSOC_TIMEOUT)
6765
			run_again(sdata, assoc_data->timeout);
6766
		goto notify_driver;
6767
	}
6768

6769
	if (status_code != WLAN_STATUS_SUCCESS) {
6770
		sdata_info(sdata, "%pM denied association (code=%d)\n",
6771
			   assoc_data->ap_addr, status_code);
6772
		event.u.mlme.status = MLME_DENIED;
6773
		event.u.mlme.reason = status_code;
6774
		drv_event_callback(sdata->local, sdata, &event);
6775
	} else {
6776
		if (aid == 0 || aid > max_aid) {
6777
			sdata_info(sdata,
6778
				   "invalid AID value %d (out of range), turn off PS\n",
6779
				   aid);
6780
			aid = 0;
6781
			ifmgd->broken_ap = true;
6782
		}
6783

6784
		if (ieee80211_vif_is_mld(&sdata->vif)) {
6785
			struct ieee80211_mle_basic_common_info *common;
6786

6787
			if (!elems->ml_basic) {
6788
				sdata_info(sdata,
6789
					   "MLO association with %pM but no (basic) multi-link element in response!\n",
6790
					   assoc_data->ap_addr);
6791
				goto abandon_assoc;
6792
			}
6793

6794
			common = (void *)elems->ml_basic->variable;
6795

6796
			if (memcmp(assoc_data->ap_addr,
6797
				   common->mld_mac_addr, ETH_ALEN)) {
6798
				sdata_info(sdata,
6799
					   "AP MLD MAC address mismatch: got %pM expected %pM\n",
6800
					   common->mld_mac_addr,
6801
					   assoc_data->ap_addr);
6802
				goto abandon_assoc;
6803
			}
6804

6805
			sdata->vif.cfg.eml_cap =
6806
				ieee80211_mle_get_eml_cap((const void *)elems->ml_basic);
6807
			sdata->vif.cfg.eml_med_sync_delay =
6808
				ieee80211_mle_get_eml_med_sync_delay((const void *)elems->ml_basic);
6809
			sdata->vif.cfg.mld_capa_op =
6810
				ieee80211_mle_get_mld_capa_op((const void *)elems->ml_basic);
6811
		}
6812

6813
		sdata->vif.cfg.aid = aid;
6814
		sdata->vif.cfg.s1g = assoc_data->s1g;
6815

6816
		if (!ieee80211_assoc_success(sdata, mgmt, elems,
6817
					     elem_start, elem_len)) {
6818
			/* oops -- internal error -- send timeout for now */
6819
			ieee80211_destroy_assoc_data(sdata, ASSOC_TIMEOUT);
6820
			goto notify_driver;
6821
		}
6822
		event.u.mlme.status = MLME_SUCCESS;
6823
		drv_event_callback(sdata->local, sdata, &event);
6824
		sdata_info(sdata, "associated\n");
6825

6826
		info.success = 1;
6827
	}
6828

6829
	for (link_id = 0; link_id < IEEE80211_MLD_MAX_NUM_LINKS; link_id++) {
6830
		struct ieee80211_link_data *link;
6831

6832
		if (!assoc_data->link[link_id].bss)
6833
			continue;
6834

6835
		resp.links[link_id].bss = assoc_data->link[link_id].bss;
6836
		ether_addr_copy(resp.links[link_id].addr,
6837
				assoc_data->link[link_id].addr);
6838
		resp.links[link_id].status = assoc_data->link[link_id].status;
6839

6840
		link = sdata_dereference(sdata->link[link_id], sdata);
6841
		if (!link)
6842
			continue;
6843

6844
		/* get uapsd queues configuration - same for all links */
6845
		resp.uapsd_queues = 0;
6846
		for (ac = 0; ac < IEEE80211_NUM_ACS; ac++)
6847
			if (link->tx_conf[ac].uapsd)
6848
				resp.uapsd_queues |= ieee80211_ac_to_qos_mask[ac];
6849
	}
6850

6851
	if (ieee80211_vif_is_mld(&sdata->vif)) {
6852
		ether_addr_copy(ap_mld_addr, sdata->vif.cfg.ap_addr);
6853
		resp.ap_mld_addr = ap_mld_addr;
6854
	}
6855

6856
	ieee80211_destroy_assoc_data(sdata,
6857
				     status_code == WLAN_STATUS_SUCCESS ?
6858
					ASSOC_SUCCESS :
6859
					ASSOC_REJECTED);
6860

6861
	resp.buf = (u8 *)mgmt;
6862
	resp.len = len;
6863
	resp.req_ies = ifmgd->assoc_req_ies;
6864
	resp.req_ies_len = ifmgd->assoc_req_ies_len;
6865
	cfg80211_rx_assoc_resp(sdata->dev, &resp);
6866
notify_driver:
6867
	drv_mgd_complete_tx(sdata->local, sdata, &info);
6868
	kfree(elems);
6869
	return;
6870
abandon_assoc:
6871
	ieee80211_destroy_assoc_data(sdata, ASSOC_ABANDON);
6872
	goto notify_driver;
6873
}
6874

6875
static void ieee80211_rx_bss_info(struct ieee80211_link_data *link,
6876
				  struct ieee80211_mgmt *mgmt, size_t len,
6877
				  struct ieee80211_rx_status *rx_status)
6878
{
6879
	struct ieee80211_sub_if_data *sdata = link->sdata;
6880
	struct ieee80211_local *local = sdata->local;
6881
	struct ieee80211_bss *bss;
6882
	struct ieee80211_channel *channel;
6883

6884
	lockdep_assert_wiphy(sdata->local->hw.wiphy);
6885

6886
	channel = ieee80211_get_channel_khz(local->hw.wiphy,
6887
					ieee80211_rx_status_to_khz(rx_status));
6888
	if (!channel)
6889
		return;
6890

6891
	bss = ieee80211_bss_info_update(local, rx_status, mgmt, len, channel);
6892
	if (bss) {
6893
		link->conf->beacon_rate = bss->beacon_rate;
6894
		ieee80211_rx_bss_put(local, bss);
6895
	}
6896
}
6897

6898

6899
static void ieee80211_rx_mgmt_probe_resp(struct ieee80211_link_data *link,
6900
					 struct sk_buff *skb)
6901
{
6902
	struct ieee80211_sub_if_data *sdata = link->sdata;
6903
	struct ieee80211_mgmt *mgmt = (void *)skb->data;
6904
	struct ieee80211_if_managed *ifmgd;
6905
	struct ieee80211_rx_status *rx_status = (void *) skb->cb;
6906
	struct ieee80211_channel *channel;
6907
	size_t baselen, len = skb->len;
6908

6909
	ifmgd = &sdata->u.mgd;
6910

6911
	lockdep_assert_wiphy(sdata->local->hw.wiphy);
6912

6913
	/*
6914
	 * According to Draft P802.11ax D6.0 clause 26.17.2.3.2:
6915
	 * "If a 6 GHz AP receives a Probe Request frame  and responds with
6916
	 * a Probe Response frame [..], the Address 1 field of the Probe
6917
	 * Response frame shall be set to the broadcast address [..]"
6918
	 * So, on 6GHz band we should also accept broadcast responses.
6919
	 */
6920
	channel = ieee80211_get_channel_khz(sdata->local->hw.wiphy,
6921
					    ieee80211_rx_status_to_khz(rx_status));
6922
	if (!channel)
6923
		return;
6924

6925
	if (!ether_addr_equal(mgmt->da, sdata->vif.addr) &&
6926
	    (channel->band != NL80211_BAND_6GHZ ||
6927
	     !is_broadcast_ether_addr(mgmt->da)))
6928
		return; /* ignore ProbeResp to foreign address */
6929

6930
	baselen = (u8 *) mgmt->u.probe_resp.variable - (u8 *) mgmt;
6931
	if (baselen > len)
6932
		return;
6933

6934
	ieee80211_rx_bss_info(link, mgmt, len, rx_status);
6935

6936
	if (ifmgd->associated &&
6937
	    ether_addr_equal(mgmt->bssid, link->u.mgd.bssid))
6938
		ieee80211_reset_ap_probe(sdata);
6939
}
6940

6941
/*
6942
 * This is the canonical list of information elements we care about,
6943
 * the filter code also gives us all changes to the Microsoft OUI
6944
 * (00:50:F2) vendor IE which is used for WMM which we need to track,
6945
 * as well as the DTPC IE (part of the Cisco OUI) used for signaling
6946
 * changes to requested client power.
6947
 *
6948
 * We implement beacon filtering in software since that means we can
6949
 * avoid processing the frame here and in cfg80211, and userspace
6950
 * will not be able to tell whether the hardware supports it or not.
6951
 *
6952
 * XXX: This list needs to be dynamic -- userspace needs to be able to
6953
 *	add items it requires. It also needs to be able to tell us to
6954
 *	look out for other vendor IEs.
6955
 */
6956
static const u64 care_about_ies =
6957
	(1ULL << WLAN_EID_COUNTRY) |
6958
	(1ULL << WLAN_EID_ERP_INFO) |
6959
	(1ULL << WLAN_EID_CHANNEL_SWITCH) |
6960
	(1ULL << WLAN_EID_PWR_CONSTRAINT) |
6961
	(1ULL << WLAN_EID_HT_CAPABILITY) |
6962
	(1ULL << WLAN_EID_HT_OPERATION) |
6963
	(1ULL << WLAN_EID_EXT_CHANSWITCH_ANN);
6964

6965
static void ieee80211_handle_beacon_sig(struct ieee80211_link_data *link,
6966
					struct ieee80211_if_managed *ifmgd,
6967
					struct ieee80211_bss_conf *bss_conf,
6968
					struct ieee80211_local *local,
6969
					struct ieee80211_rx_status *rx_status)
6970
{
6971
	struct ieee80211_sub_if_data *sdata = link->sdata;
6972

6973
	/* Track average RSSI from the Beacon frames of the current AP */
6974

6975
	if (!link->u.mgd.tracking_signal_avg) {
6976
		link->u.mgd.tracking_signal_avg = true;
6977
		ewma_beacon_signal_init(&link->u.mgd.ave_beacon_signal);
6978
		link->u.mgd.last_cqm_event_signal = 0;
6979
		link->u.mgd.count_beacon_signal = 1;
6980
		link->u.mgd.last_ave_beacon_signal = 0;
6981
	} else {
6982
		link->u.mgd.count_beacon_signal++;
6983
	}
6984

6985
	ewma_beacon_signal_add(&link->u.mgd.ave_beacon_signal,
6986
			       -rx_status->signal);
6987

6988
	if (ifmgd->rssi_min_thold != ifmgd->rssi_max_thold &&
6989
	    link->u.mgd.count_beacon_signal >= IEEE80211_SIGNAL_AVE_MIN_COUNT) {
6990
		int sig = -ewma_beacon_signal_read(&link->u.mgd.ave_beacon_signal);
6991
		int last_sig = link->u.mgd.last_ave_beacon_signal;
6992
		struct ieee80211_event event = {
6993
			.type = RSSI_EVENT,
6994
		};
6995

6996
		/*
6997
		 * if signal crosses either of the boundaries, invoke callback
6998
		 * with appropriate parameters
6999
		 */
7000
		if (sig > ifmgd->rssi_max_thold &&
7001
		    (last_sig <= ifmgd->rssi_min_thold || last_sig == 0)) {
7002
			link->u.mgd.last_ave_beacon_signal = sig;
7003
			event.u.rssi.data = RSSI_EVENT_HIGH;
7004
			drv_event_callback(local, sdata, &event);
7005
		} else if (sig < ifmgd->rssi_min_thold &&
7006
			   (last_sig >= ifmgd->rssi_max_thold ||
7007
			   last_sig == 0)) {
7008
			link->u.mgd.last_ave_beacon_signal = sig;
7009
			event.u.rssi.data = RSSI_EVENT_LOW;
7010
			drv_event_callback(local, sdata, &event);
7011
		}
7012
	}
7013

7014
	if (bss_conf->cqm_rssi_thold &&
7015
	    link->u.mgd.count_beacon_signal >= IEEE80211_SIGNAL_AVE_MIN_COUNT &&
7016
	    !(sdata->vif.driver_flags & IEEE80211_VIF_SUPPORTS_CQM_RSSI)) {
7017
		int sig = -ewma_beacon_signal_read(&link->u.mgd.ave_beacon_signal);
7018
		int last_event = link->u.mgd.last_cqm_event_signal;
7019
		int thold = bss_conf->cqm_rssi_thold;
7020
		int hyst = bss_conf->cqm_rssi_hyst;
7021

7022
		if (sig < thold &&
7023
		    (last_event == 0 || sig < last_event - hyst)) {
7024
			link->u.mgd.last_cqm_event_signal = sig;
7025
			ieee80211_cqm_rssi_notify(
7026
				&sdata->vif,
7027
				NL80211_CQM_RSSI_THRESHOLD_EVENT_LOW,
7028
				sig, GFP_KERNEL);
7029
		} else if (sig > thold &&
7030
			   (last_event == 0 || sig > last_event + hyst)) {
7031
			link->u.mgd.last_cqm_event_signal = sig;
7032
			ieee80211_cqm_rssi_notify(
7033
				&sdata->vif,
7034
				NL80211_CQM_RSSI_THRESHOLD_EVENT_HIGH,
7035
				sig, GFP_KERNEL);
7036
		}
7037
	}
7038

7039
	if (bss_conf->cqm_rssi_low &&
7040
	    link->u.mgd.count_beacon_signal >= IEEE80211_SIGNAL_AVE_MIN_COUNT) {
7041
		int sig = -ewma_beacon_signal_read(&link->u.mgd.ave_beacon_signal);
7042
		int last_event = link->u.mgd.last_cqm_event_signal;
7043
		int low = bss_conf->cqm_rssi_low;
7044
		int high = bss_conf->cqm_rssi_high;
7045

7046
		if (sig < low &&
7047
		    (last_event == 0 || last_event >= low)) {
7048
			link->u.mgd.last_cqm_event_signal = sig;
7049
			ieee80211_cqm_rssi_notify(
7050
				&sdata->vif,
7051
				NL80211_CQM_RSSI_THRESHOLD_EVENT_LOW,
7052
				sig, GFP_KERNEL);
7053
		} else if (sig > high &&
7054
			   (last_event == 0 || last_event <= high)) {
7055
			link->u.mgd.last_cqm_event_signal = sig;
7056
			ieee80211_cqm_rssi_notify(
7057
				&sdata->vif,
7058
				NL80211_CQM_RSSI_THRESHOLD_EVENT_HIGH,
7059
				sig, GFP_KERNEL);
7060
		}
7061
	}
7062
}
7063

7064
static bool ieee80211_rx_our_beacon(const u8 *tx_bssid,
7065
				    struct cfg80211_bss *bss)
7066
{
7067
	if (ether_addr_equal(tx_bssid, bss->bssid))
7068
		return true;
7069
	if (!bss->transmitted_bss)
7070
		return false;
7071
	return ether_addr_equal(tx_bssid, bss->transmitted_bss->bssid);
7072
}
7073

7074
static void ieee80211_ml_reconf_work(struct wiphy *wiphy,
7075
				     struct wiphy_work *work)
7076
{
7077
	struct ieee80211_sub_if_data *sdata =
7078
		container_of(work, struct ieee80211_sub_if_data,
7079
			     u.mgd.ml_reconf_work.work);
7080
	u16 new_valid_links, new_active_links, new_dormant_links;
7081
	struct sta_info *sta;
7082
	int ret;
7083

7084
	if (!sdata->u.mgd.removed_links)
7085
		return;
7086

7087
	sdata_info(sdata,
7088
		   "MLO Reconfiguration: work: valid=0x%x, removed=0x%x\n",
7089
		   sdata->vif.valid_links, sdata->u.mgd.removed_links);
7090

7091
	new_valid_links = sdata->vif.valid_links & ~sdata->u.mgd.removed_links;
7092
	if (new_valid_links == sdata->vif.valid_links)
7093
		return;
7094

7095
	if (!new_valid_links ||
7096
	    !(new_valid_links & ~sdata->vif.dormant_links)) {
7097
		sdata_info(sdata, "No valid links after reconfiguration\n");
7098
		ret = -EINVAL;
7099
		goto out;
7100
	}
7101

7102
	new_active_links = sdata->vif.active_links & ~sdata->u.mgd.removed_links;
7103
	if (new_active_links != sdata->vif.active_links) {
7104
		if (!new_active_links)
7105
			new_active_links =
7106
				BIT(ffs(new_valid_links &
7107
					~sdata->vif.dormant_links) - 1);
7108

7109
		ret = ieee80211_set_active_links(&sdata->vif, new_active_links);
7110
		if (ret) {
7111
			sdata_info(sdata,
7112
				   "Failed setting active links\n");
7113
			goto out;
7114
		}
7115
	}
7116

7117
	sta = sta_info_get(sdata, sdata->vif.cfg.ap_addr);
7118
	if (sta) {
7119
		unsigned long removed_links = sdata->u.mgd.removed_links;
7120
		unsigned int link_id;
7121

7122
		for_each_set_bit(link_id, &removed_links,
7123
				 IEEE80211_MLD_MAX_NUM_LINKS)
7124
			ieee80211_sta_remove_link(sta, link_id);
7125
	}
7126

7127
	new_dormant_links = sdata->vif.dormant_links & ~sdata->u.mgd.removed_links;
7128

7129
	ret = ieee80211_vif_set_links(sdata, new_valid_links,
7130
				      new_dormant_links);
7131
	if (ret)
7132
		sdata_info(sdata, "Failed setting valid links\n");
7133

7134
	ieee80211_vif_cfg_change_notify(sdata, BSS_CHANGED_MLD_VALID_LINKS);
7135

7136
out:
7137
	if (!ret)
7138
		cfg80211_links_removed(sdata->dev, sdata->u.mgd.removed_links);
7139
	else
7140
		__ieee80211_disconnect(sdata);
7141

7142
	sdata->u.mgd.removed_links = 0;
7143
}
7144

7145
static void ieee80211_ml_reconfiguration(struct ieee80211_sub_if_data *sdata,
7146
					 struct ieee802_11_elems *elems)
7147
{
7148
	const struct element *sub;
7149
	unsigned long removed_links = 0;
7150
	u16 link_removal_timeout[IEEE80211_MLD_MAX_NUM_LINKS] = {};
7151
	u8 link_id;
7152
	u32 delay;
7153

7154
	if (!ieee80211_vif_is_mld(&sdata->vif) || !elems->ml_reconf)
7155
		return;
7156

7157
	/* Directly parse the sub elements as the common information doesn't
7158
	 * hold any useful information.
7159
	 */
7160
	for_each_mle_subelement(sub, (const u8 *)elems->ml_reconf,
7161
				elems->ml_reconf_len) {
7162
		struct ieee80211_mle_per_sta_profile *prof = (void *)sub->data;
7163
		u8 *pos = prof->variable;
7164
		u16 control;
7165

7166
		if (sub->id != IEEE80211_MLE_SUBELEM_PER_STA_PROFILE)
7167
			continue;
7168

7169
		if (!ieee80211_mle_reconf_sta_prof_size_ok(sub->data,
7170
							   sub->datalen))
7171
			return;
7172

7173
		control = le16_to_cpu(prof->control);
7174
		link_id = control & IEEE80211_MLE_STA_RECONF_CONTROL_LINK_ID;
7175

7176
		if (link_id >= IEEE80211_MLD_MAX_NUM_LINKS)
7177
			continue;
7178

7179
		removed_links |= BIT(link_id);
7180

7181
		/* the MAC address should not be included, but handle it */
7182
		if (control &
7183
		    IEEE80211_MLE_STA_RECONF_CONTROL_STA_MAC_ADDR_PRESENT)
7184
			pos += 6;
7185

7186
		/* According to Draft P802.11be_D3.0, the control should
7187
		 * include the AP Removal Timer present. If the AP Removal Timer
7188
		 * is not present assume immediate removal.
7189
		 */
7190
		if (control &
7191
		    IEEE80211_MLE_STA_RECONF_CONTROL_AP_REM_TIMER_PRESENT)
7192
			link_removal_timeout[link_id] = get_unaligned_le16(pos);
7193
	}
7194

7195
	removed_links &= sdata->vif.valid_links;
7196
	if (!removed_links) {
7197
		/* In case the removal was cancelled, abort it */
7198
		if (sdata->u.mgd.removed_links) {
7199
			sdata->u.mgd.removed_links = 0;
7200
			wiphy_hrtimer_work_cancel(sdata->local->hw.wiphy,
7201
						  &sdata->u.mgd.ml_reconf_work);
7202
		}
7203
		return;
7204
	}
7205

7206
	delay = 0;
7207
	for_each_set_bit(link_id, &removed_links, IEEE80211_MLD_MAX_NUM_LINKS) {
7208
		struct ieee80211_bss_conf *link_conf =
7209
			sdata_dereference(sdata->vif.link_conf[link_id], sdata);
7210
		u32 link_delay;
7211

7212
		if (!link_conf) {
7213
			removed_links &= ~BIT(link_id);
7214
			continue;
7215
		}
7216

7217
		if (link_removal_timeout[link_id] < 1)
7218
			link_delay = 0;
7219
		else
7220
			link_delay = link_conf->beacon_int *
7221
				(link_removal_timeout[link_id] - 1);
7222

7223
		if (!delay)
7224
			delay = link_delay;
7225
		else
7226
			delay = min(delay, link_delay);
7227
	}
7228

7229
	sdata->u.mgd.removed_links = removed_links;
7230
	wiphy_hrtimer_work_queue(sdata->local->hw.wiphy,
7231
				 &sdata->u.mgd.ml_reconf_work,
7232
				 us_to_ktime(ieee80211_tu_to_usec(delay)));
7233
}
7234

7235
static int ieee80211_ttlm_set_links(struct ieee80211_sub_if_data *sdata,
7236
				    u16 active_links, u16 dormant_links,
7237
				    u16 suspended_links)
7238
{
7239
	u64 changed = 0;
7240
	int ret;
7241

7242
	if (!active_links) {
7243
		ret = -EINVAL;
7244
		goto out;
7245
	}
7246

7247
	/* If there is an active negotiated TTLM, it should be discarded by
7248
	 * the new negotiated/advertised TTLM.
7249
	 */
7250
	if (sdata->vif.neg_ttlm.valid) {
7251
		memset(&sdata->vif.neg_ttlm, 0, sizeof(sdata->vif.neg_ttlm));
7252
		sdata->vif.suspended_links = 0;
7253
		changed = BSS_CHANGED_MLD_TTLM;
7254
	}
7255

7256
	if (sdata->vif.active_links != active_links) {
7257
		/* usable links are affected when active_links are changed,
7258
		 * so notify the driver about the status change
7259
		 */
7260
		changed |= BSS_CHANGED_MLD_VALID_LINKS;
7261
		active_links &= sdata->vif.active_links;
7262
		if (!active_links)
7263
			active_links =
7264
				BIT(__ffs(sdata->vif.valid_links &
7265
				    ~dormant_links));
7266
		ret = ieee80211_set_active_links(&sdata->vif, active_links);
7267
		if (ret) {
7268
			sdata_info(sdata, "Failed to set TTLM active links\n");
7269
			goto out;
7270
		}
7271
	}
7272

7273
	ret = ieee80211_vif_set_links(sdata, sdata->vif.valid_links,
7274
				      dormant_links);
7275
	if (ret) {
7276
		sdata_info(sdata, "Failed to set TTLM dormant links\n");
7277
		goto out;
7278
	}
7279

7280
	sdata->vif.suspended_links = suspended_links;
7281
	if (sdata->vif.suspended_links)
7282
		changed |= BSS_CHANGED_MLD_TTLM;
7283

7284
	ieee80211_vif_cfg_change_notify(sdata, changed);
7285

7286
out:
7287
	if (ret)
7288
		ieee80211_disconnect(&sdata->vif, false);
7289

7290
	return ret;
7291
}
7292

7293
static void ieee80211_tid_to_link_map_work(struct wiphy *wiphy,
7294
					   struct wiphy_work *work)
7295
{
7296
	u16 new_active_links, new_dormant_links;
7297
	struct ieee80211_sub_if_data *sdata =
7298
		container_of(work, struct ieee80211_sub_if_data,
7299
			     u.mgd.ttlm_work.work);
7300

7301
	new_active_links = sdata->u.mgd.ttlm_info.map &
7302
			   sdata->vif.valid_links;
7303
	new_dormant_links = ~sdata->u.mgd.ttlm_info.map &
7304
			    sdata->vif.valid_links;
7305

7306
	ieee80211_vif_set_links(sdata, sdata->vif.valid_links, 0);
7307
	if (ieee80211_ttlm_set_links(sdata, new_active_links, new_dormant_links,
7308
				     0))
7309
		return;
7310

7311
	sdata->u.mgd.ttlm_info.active = true;
7312
	sdata->u.mgd.ttlm_info.switch_time = 0;
7313
}
7314

7315
static void ieee80211_process_adv_ttlm(struct ieee80211_sub_if_data *sdata,
7316
					  struct ieee802_11_elems *elems,
7317
					  u64 beacon_ts)
7318
{
7319
	u8 i;
7320
	int ret;
7321

7322
	if (!ieee80211_vif_is_mld(&sdata->vif))
7323
		return;
7324

7325
	if (!elems->ttlm_num) {
7326
		if (sdata->u.mgd.ttlm_info.switch_time) {
7327
			/* if a planned TID-to-link mapping was cancelled -
7328
			 * abort it
7329
			 */
7330
			wiphy_hrtimer_work_cancel(sdata->local->hw.wiphy,
7331
						  &sdata->u.mgd.ttlm_work);
7332
		} else if (sdata->u.mgd.ttlm_info.active) {
7333
			/* if no TID-to-link element, set to default mapping in
7334
			 * which all TIDs are mapped to all setup links
7335
			 */
7336
			ret = ieee80211_vif_set_links(sdata,
7337
						      sdata->vif.valid_links,
7338
						      0);
7339
			if (ret) {
7340
				sdata_info(sdata, "Failed setting valid/dormant links\n");
7341
				return;
7342
			}
7343
			ieee80211_vif_cfg_change_notify(sdata,
7344
							BSS_CHANGED_MLD_VALID_LINKS);
7345
		}
7346
		memset(&sdata->u.mgd.ttlm_info, 0,
7347
		       sizeof(sdata->u.mgd.ttlm_info));
7348
		return;
7349
	}
7350

7351
	for (i = 0; i < elems->ttlm_num; i++) {
7352
		struct ieee80211_adv_ttlm_info ttlm_info;
7353
		u32 res;
7354

7355
		res = ieee80211_parse_adv_t2l(sdata, elems->ttlm[i],
7356
					      &ttlm_info);
7357

7358
		if (res) {
7359
			__ieee80211_disconnect(sdata);
7360
			return;
7361
		}
7362

7363
		if (ttlm_info.switch_time) {
7364
			u16 beacon_ts_tu, st_tu, delay;
7365
			u64 delay_usec;
7366
			u64 mask;
7367

7368
			/* The t2l map switch time is indicated with a partial
7369
			 * TSF value (bits 10 to 25), get the partial beacon TS
7370
			 * as well, and calc the delay to the start time.
7371
			 */
7372
			mask = GENMASK_ULL(25, 10);
7373
			beacon_ts_tu = (beacon_ts & mask) >> 10;
7374
			st_tu = ttlm_info.switch_time;
7375
			delay = st_tu - beacon_ts_tu;
7376

7377
			/*
7378
			 * If the switch time is far in the future, then it
7379
			 * could also be the previous switch still being
7380
			 * announced.
7381
			 * We can simply ignore it for now, if it is a future
7382
			 * switch the AP will continue to announce it anyway.
7383
			 */
7384
			if (delay > IEEE80211_ADV_TTLM_ST_UNDERFLOW)
7385
				return;
7386

7387
			delay_usec = ieee80211_tu_to_usec(delay);
7388

7389
			/* Link switching can take time, so schedule it
7390
			 * 100ms before to be ready on time
7391
			 */
7392
			if (delay_usec > IEEE80211_ADV_TTLM_SAFETY_BUFFER_MS)
7393
				delay_usec -=
7394
					IEEE80211_ADV_TTLM_SAFETY_BUFFER_MS;
7395
			else
7396
				delay_usec = 0;
7397

7398
			sdata->u.mgd.ttlm_info = ttlm_info;
7399
			wiphy_hrtimer_work_cancel(sdata->local->hw.wiphy,
7400
						  &sdata->u.mgd.ttlm_work);
7401
			wiphy_hrtimer_work_queue(sdata->local->hw.wiphy,
7402
						 &sdata->u.mgd.ttlm_work,
7403
						 us_to_ktime(delay_usec));
7404
			return;
7405
		}
7406
	}
7407
}
7408

7409
static void
7410
ieee80211_mgd_check_cross_link_csa(struct ieee80211_sub_if_data *sdata,
7411
				   int reporting_link_id,
7412
				   struct ieee802_11_elems *elems)
7413
{
7414
	const struct element *sta_profiles[IEEE80211_MLD_MAX_NUM_LINKS] = {};
7415
	ssize_t sta_profiles_len[IEEE80211_MLD_MAX_NUM_LINKS] = {};
7416
	const struct element *sub;
7417
	const u8 *subelems;
7418
	size_t subelems_len;
7419
	u8 common_size;
7420
	int link_id;
7421

7422
	if (!ieee80211_mle_size_ok((u8 *)elems->ml_basic, elems->ml_basic_len))
7423
		return;
7424

7425
	common_size = ieee80211_mle_common_size((u8 *)elems->ml_basic);
7426
	subelems = (u8 *)elems->ml_basic + common_size;
7427
	subelems_len = elems->ml_basic_len - common_size;
7428

7429
	for_each_element_id(sub, IEEE80211_MLE_SUBELEM_PER_STA_PROFILE,
7430
			    subelems, subelems_len) {
7431
		struct ieee80211_mle_per_sta_profile *prof = (void *)sub->data;
7432
		struct ieee80211_link_data *link;
7433
		ssize_t len;
7434

7435
		if (!ieee80211_mle_basic_sta_prof_size_ok(sub->data,
7436
							  sub->datalen))
7437
			continue;
7438

7439
		link_id = le16_get_bits(prof->control,
7440
					IEEE80211_MLE_STA_CONTROL_LINK_ID);
7441
		/* need a valid link ID, but also not our own, both AP bugs */
7442
		if (link_id == reporting_link_id ||
7443
		    link_id >= IEEE80211_MLD_MAX_NUM_LINKS)
7444
			continue;
7445

7446
		link = sdata_dereference(sdata->link[link_id], sdata);
7447
		if (!link)
7448
			continue;
7449

7450
		len = cfg80211_defragment_element(sub, subelems, subelems_len,
7451
						  NULL, 0,
7452
						  IEEE80211_MLE_SUBELEM_FRAGMENT);
7453
		if (WARN_ON(len < 0))
7454
			continue;
7455

7456
		sta_profiles[link_id] = sub;
7457
		sta_profiles_len[link_id] = len;
7458
	}
7459

7460
	for (link_id = 0; link_id < IEEE80211_MLD_MAX_NUM_LINKS; link_id++) {
7461
		struct ieee80211_mle_per_sta_profile *prof;
7462
		struct ieee802_11_elems *prof_elems;
7463
		struct ieee80211_link_data *link;
7464
		ssize_t len;
7465

7466
		if (link_id == reporting_link_id)
7467
			continue;
7468

7469
		link = sdata_dereference(sdata->link[link_id], sdata);
7470
		if (!link)
7471
			continue;
7472

7473
		if (!sta_profiles[link_id]) {
7474
			prof_elems = NULL;
7475
			goto handle;
7476
		}
7477

7478
		/* we can defragment in-place, won't use the buffer again */
7479
		len = cfg80211_defragment_element(sta_profiles[link_id],
7480
						  subelems, subelems_len,
7481
						  (void *)sta_profiles[link_id],
7482
						  sta_profiles_len[link_id],
7483
						  IEEE80211_MLE_SUBELEM_FRAGMENT);
7484
		if (WARN_ON(len != sta_profiles_len[link_id]))
7485
			continue;
7486

7487
		prof = (void *)sta_profiles[link_id];
7488
		prof_elems = ieee802_11_parse_elems(prof->variable +
7489
						    (prof->sta_info_len - 1),
7490
						    len -
7491
						    (prof->sta_info_len - 1),
7492
						    IEEE80211_FTYPE_MGMT |
7493
						    IEEE80211_STYPE_BEACON,
7494
						    NULL);
7495

7496
		/* memory allocation failed - let's hope that's transient */
7497
		if (!prof_elems)
7498
			continue;
7499

7500
handle:
7501
		/*
7502
		 * FIXME: the timings here are obviously incorrect,
7503
		 * but only older Intel drivers seem to care, and
7504
		 * those don't have MLO. If you really need this,
7505
		 * the problem is having to calculate it with the
7506
		 * TSF offset etc. The device_timestamp is still
7507
		 * correct, of course.
7508
		 */
7509
		ieee80211_sta_process_chanswitch(link, 0, 0, elems, prof_elems,
7510
						 IEEE80211_CSA_SOURCE_OTHER_LINK);
7511
		kfree(prof_elems);
7512
	}
7513
}
7514

7515
static bool ieee80211_mgd_ssid_mismatch(struct ieee80211_sub_if_data *sdata,
7516
					const struct ieee802_11_elems *elems)
7517
{
7518
	struct ieee80211_vif_cfg *cfg = &sdata->vif.cfg;
7519
	static u8 zero_ssid[IEEE80211_MAX_SSID_LEN];
7520

7521
	if (!elems->ssid)
7522
		return false;
7523

7524
	/* hidden SSID: zero length */
7525
	if (elems->ssid_len == 0)
7526
		return false;
7527

7528
	if (elems->ssid_len != cfg->ssid_len)
7529
		return true;
7530

7531
	/* hidden SSID: zeroed out */
7532
	if (!memcmp(elems->ssid, zero_ssid, elems->ssid_len))
7533
		return false;
7534

7535
	return memcmp(elems->ssid, cfg->ssid, cfg->ssid_len);
7536
}
7537

7538
static bool
7539
ieee80211_rx_beacon_freq_valid(struct ieee80211_local *local,
7540
			       struct ieee80211_mgmt *mgmt,
7541
			       struct ieee80211_rx_status *rx_status,
7542
			       struct ieee80211_chanctx_conf *chanctx)
7543
{
7544
	u32 pri_2mhz_khz;
7545
	struct ieee80211_channel *s1g_sibling_1mhz;
7546
	u32 pri_khz = ieee80211_channel_to_khz(chanctx->def.chan);
7547
	u32 rx_khz = ieee80211_rx_status_to_khz(rx_status);
7548

7549
	if (rx_khz == pri_khz)
7550
		return true;
7551

7552
	if (!chanctx->def.s1g_primary_2mhz)
7553
		return false;
7554

7555
	/*
7556
	 * If we have an S1G interface with a 2MHz primary, beacons are
7557
	 * sent on the center frequency of the 2MHz primary. Find the sibling
7558
	 * 1MHz channel and calculate the 2MHz primary center frequency.
7559
	 */
7560
	s1g_sibling_1mhz = cfg80211_s1g_get_primary_sibling(local->hw.wiphy,
7561
							    &chanctx->def);
7562
	if (!s1g_sibling_1mhz)
7563
		return false;
7564

7565
	pri_2mhz_khz =
7566
		(pri_khz + ieee80211_channel_to_khz(s1g_sibling_1mhz)) / 2;
7567
	return rx_khz == pri_2mhz_khz;
7568
}
7569

7570
static void ieee80211_rx_mgmt_beacon(struct ieee80211_link_data *link,
7571
				     struct ieee80211_hdr *hdr, size_t len,
7572
				     struct ieee80211_rx_status *rx_status)
7573
{
7574
	struct ieee80211_sub_if_data *sdata = link->sdata;
7575
	struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
7576
	struct ieee80211_bss_conf *bss_conf = link->conf;
7577
	struct ieee80211_vif_cfg *vif_cfg = &sdata->vif.cfg;
7578
	struct ieee80211_mgmt *mgmt = (void *) hdr;
7579
	struct ieee80211_ext *ext = NULL;
7580
	size_t baselen;
7581
	struct ieee802_11_elems *elems;
7582
	struct ieee80211_local *local = sdata->local;
7583
	struct ieee80211_chanctx_conf *chanctx_conf;
7584
	struct ieee80211_supported_band *sband;
7585
	struct ieee80211_channel *chan;
7586
	struct link_sta_info *link_sta;
7587
	struct sta_info *sta;
7588
	u64 changed = 0;
7589
	bool erp_valid;
7590
	u8 erp_value = 0;
7591
	u32 ncrc = 0;
7592
	u8 *bssid, *variable = mgmt->u.beacon.variable;
7593
	u8 deauth_buf[IEEE80211_DEAUTH_FRAME_LEN];
7594
	struct ieee80211_elems_parse_params parse_params = {
7595
		.mode = link->u.mgd.conn.mode,
7596
		.link_id = -1,
7597
		.from_ap = true,
7598
		.type = le16_to_cpu(mgmt->frame_control) & IEEE80211_FCTL_TYPE,
7599
	};
7600

7601
	lockdep_assert_wiphy(local->hw.wiphy);
7602

7603
	/* Process beacon from the current BSS */
7604
	bssid = ieee80211_get_bssid(hdr, len, sdata->vif.type);
7605
	if (ieee80211_is_s1g_beacon(mgmt->frame_control)) {
7606
		ext = (void *)mgmt;
7607
		variable = ext->u.s1g_beacon.variable +
7608
			   ieee80211_s1g_optional_len(ext->frame_control);
7609
	}
7610

7611
	baselen = (u8 *) variable - (u8 *) mgmt;
7612
	if (baselen > len)
7613
		return;
7614

7615
	parse_params.start = variable;
7616
	parse_params.len = len - baselen;
7617

7618
	rcu_read_lock();
7619
	chanctx_conf = rcu_dereference(bss_conf->chanctx_conf);
7620
	if (!chanctx_conf) {
7621
		rcu_read_unlock();
7622
		return;
7623
	}
7624

7625
	if (!ieee80211_rx_beacon_freq_valid(local, mgmt, rx_status,
7626
					    chanctx_conf)) {
7627
		rcu_read_unlock();
7628
		return;
7629
	}
7630
	chan = chanctx_conf->def.chan;
7631
	rcu_read_unlock();
7632

7633
	if (ifmgd->assoc_data && ifmgd->assoc_data->need_beacon &&
7634
	    !WARN_ON(ieee80211_vif_is_mld(&sdata->vif)) &&
7635
	    ieee80211_rx_our_beacon(bssid, ifmgd->assoc_data->link[0].bss)) {
7636
		parse_params.bss = ifmgd->assoc_data->link[0].bss;
7637
		elems = ieee802_11_parse_elems_full(&parse_params);
7638
		if (!elems)
7639
			return;
7640

7641
		ieee80211_rx_bss_info(link, mgmt, len, rx_status);
7642

7643
		if (elems->dtim_period)
7644
			link->u.mgd.dtim_period = elems->dtim_period;
7645
		link->u.mgd.have_beacon = true;
7646
		ifmgd->assoc_data->need_beacon = false;
7647
		if (ieee80211_hw_check(&local->hw, TIMING_BEACON_ONLY) &&
7648
		    !ieee80211_is_s1g_beacon(hdr->frame_control)) {
7649
			bss_conf->sync_tsf =
7650
				le64_to_cpu(mgmt->u.beacon.timestamp);
7651
			bss_conf->sync_device_ts =
7652
				rx_status->device_timestamp;
7653
			bss_conf->sync_dtim_count = elems->dtim_count;
7654
		}
7655

7656
		if (elems->mbssid_config_ie)
7657
			bss_conf->profile_periodicity =
7658
				elems->mbssid_config_ie->profile_periodicity;
7659
		else
7660
			bss_conf->profile_periodicity = 0;
7661

7662
		if (elems->ext_capab_len >= 11 &&
7663
		    (elems->ext_capab[10] & WLAN_EXT_CAPA11_EMA_SUPPORT))
7664
			bss_conf->ema_ap = true;
7665
		else
7666
			bss_conf->ema_ap = false;
7667

7668
		/* continue assoc process */
7669
		ifmgd->assoc_data->timeout = jiffies;
7670
		ifmgd->assoc_data->timeout_started = true;
7671
		run_again(sdata, ifmgd->assoc_data->timeout);
7672
		kfree(elems);
7673
		return;
7674
	}
7675

7676
	if (!ifmgd->associated ||
7677
	    !ieee80211_rx_our_beacon(bssid, bss_conf->bss))
7678
		return;
7679
	bssid = link->u.mgd.bssid;
7680

7681
	if (!(rx_status->flag & RX_FLAG_NO_SIGNAL_VAL))
7682
		ieee80211_handle_beacon_sig(link, ifmgd, bss_conf,
7683
					    local, rx_status);
7684

7685
	if (ifmgd->flags & IEEE80211_STA_CONNECTION_POLL) {
7686
		mlme_dbg_ratelimited(sdata,
7687
				     "cancelling AP probe due to a received beacon\n");
7688
		ieee80211_reset_ap_probe(sdata);
7689
	}
7690

7691
	/*
7692
	 * Push the beacon loss detection into the future since
7693
	 * we are processing a beacon from the AP just now.
7694
	 */
7695
	ieee80211_sta_reset_beacon_monitor(sdata);
7696

7697
	/* TODO: CRC urrently not calculated on S1G Beacon Compatibility
7698
	 * element (which carries the beacon interval). Don't forget to add a
7699
	 * bit to care_about_ies[] above if mac80211 is interested in a
7700
	 * changing S1G element.
7701
	 */
7702
	if (!ieee80211_is_s1g_beacon(hdr->frame_control))
7703
		ncrc = crc32_be(0, (void *)&mgmt->u.beacon.beacon_int, 4);
7704
	parse_params.bss = bss_conf->bss;
7705
	parse_params.filter = care_about_ies;
7706
	parse_params.crc = ncrc;
7707
	elems = ieee802_11_parse_elems_full(&parse_params);
7708
	if (!elems)
7709
		return;
7710

7711
	if (rx_status->flag & RX_FLAG_DECRYPTED &&
7712
	    ieee80211_mgd_ssid_mismatch(sdata, elems)) {
7713
		sdata_info(sdata, "SSID mismatch for AP %pM, disconnect\n",
7714
			   sdata->vif.cfg.ap_addr);
7715
		__ieee80211_disconnect(sdata);
7716
		return;
7717
	}
7718

7719
	ncrc = elems->crc;
7720

7721
	if (ieee80211_hw_check(&local->hw, PS_NULLFUNC_STACK) &&
7722
	    ieee80211_check_tim(elems->tim, elems->tim_len, vif_cfg->aid,
7723
				vif_cfg->s1g)) {
7724
		if (local->hw.conf.dynamic_ps_timeout > 0) {
7725
			if (local->hw.conf.flags & IEEE80211_CONF_PS) {
7726
				local->hw.conf.flags &= ~IEEE80211_CONF_PS;
7727
				ieee80211_hw_config(local, -1,
7728
						    IEEE80211_CONF_CHANGE_PS);
7729
			}
7730
			ieee80211_send_nullfunc(local, sdata, false);
7731
		} else if (!local->pspolling && sdata->u.mgd.powersave) {
7732
			local->pspolling = true;
7733

7734
			/*
7735
			 * Here is assumed that the driver will be
7736
			 * able to send ps-poll frame and receive a
7737
			 * response even though power save mode is
7738
			 * enabled, but some drivers might require
7739
			 * to disable power save here. This needs
7740
			 * to be investigated.
7741
			 */
7742
			ieee80211_send_pspoll(local, sdata);
7743
		}
7744
	}
7745

7746
	if (sdata->vif.p2p ||
7747
	    sdata->vif.driver_flags & IEEE80211_VIF_GET_NOA_UPDATE) {
7748
		struct ieee80211_p2p_noa_attr noa = {};
7749
		int ret;
7750

7751
		ret = cfg80211_get_p2p_attr(variable,
7752
					    len - baselen,
7753
					    IEEE80211_P2P_ATTR_ABSENCE_NOTICE,
7754
					    (u8 *) &noa, sizeof(noa));
7755
		if (ret >= 2) {
7756
			if (link->u.mgd.p2p_noa_index != noa.index) {
7757
				/* valid noa_attr and index changed */
7758
				link->u.mgd.p2p_noa_index = noa.index;
7759
				memcpy(&bss_conf->p2p_noa_attr, &noa, sizeof(noa));
7760
				changed |= BSS_CHANGED_P2P_PS;
7761
				/*
7762
				 * make sure we update all information, the CRC
7763
				 * mechanism doesn't look at P2P attributes.
7764
				 */
7765
				link->u.mgd.beacon_crc_valid = false;
7766
			}
7767
		} else if (link->u.mgd.p2p_noa_index != -1) {
7768
			/* noa_attr not found and we had valid noa_attr before */
7769
			link->u.mgd.p2p_noa_index = -1;
7770
			memset(&bss_conf->p2p_noa_attr, 0, sizeof(bss_conf->p2p_noa_attr));
7771
			changed |= BSS_CHANGED_P2P_PS;
7772
			link->u.mgd.beacon_crc_valid = false;
7773
		}
7774
	}
7775

7776
	/*
7777
	 * Update beacon timing and dtim count on every beacon appearance. This
7778
	 * will allow the driver to use the most updated values. Do it before
7779
	 * comparing this one with last received beacon.
7780
	 * IMPORTANT: These parameters would possibly be out of sync by the time
7781
	 * the driver will use them. The synchronized view is currently
7782
	 * guaranteed only in certain callbacks.
7783
	 */
7784
	if (ieee80211_hw_check(&local->hw, TIMING_BEACON_ONLY) &&
7785
	    !ieee80211_is_s1g_beacon(hdr->frame_control)) {
7786
		bss_conf->sync_tsf =
7787
			le64_to_cpu(mgmt->u.beacon.timestamp);
7788
		bss_conf->sync_device_ts =
7789
			rx_status->device_timestamp;
7790
		bss_conf->sync_dtim_count = elems->dtim_count;
7791
	}
7792

7793
	if ((ncrc == link->u.mgd.beacon_crc && link->u.mgd.beacon_crc_valid) ||
7794
	    (ext && ieee80211_is_s1g_short_beacon(ext->frame_control,
7795
						  parse_params.start,
7796
						  parse_params.len)))
7797
		goto free;
7798
	link->u.mgd.beacon_crc = ncrc;
7799
	link->u.mgd.beacon_crc_valid = true;
7800

7801
	ieee80211_rx_bss_info(link, mgmt, len, rx_status);
7802

7803
	ieee80211_sta_process_chanswitch(link, rx_status->mactime,
7804
					 rx_status->device_timestamp,
7805
					 elems, elems,
7806
					 IEEE80211_CSA_SOURCE_BEACON);
7807

7808
	/* note that after this elems->ml_basic can no longer be used fully */
7809
	ieee80211_mgd_check_cross_link_csa(sdata, rx_status->link_id, elems);
7810

7811
	ieee80211_mgd_update_bss_param_ch_cnt(sdata, bss_conf, elems);
7812

7813
	if (!sdata->u.mgd.epcs.enabled &&
7814
	    !link->u.mgd.disable_wmm_tracking &&
7815
	    ieee80211_sta_wmm_params(local, link, elems->wmm_param,
7816
				     elems->wmm_param_len,
7817
				     elems->mu_edca_param_set))
7818
		changed |= BSS_CHANGED_QOS;
7819

7820
	/*
7821
	 * If we haven't had a beacon before, tell the driver about the
7822
	 * DTIM period (and beacon timing if desired) now.
7823
	 */
7824
	if (!link->u.mgd.have_beacon) {
7825
		/* a few bogus AP send dtim_period = 0 or no TIM IE */
7826
		bss_conf->dtim_period = elems->dtim_period ?: 1;
7827

7828
		changed |= BSS_CHANGED_BEACON_INFO;
7829
		link->u.mgd.have_beacon = true;
7830

7831
		ieee80211_recalc_ps(local);
7832

7833
		ieee80211_recalc_ps_vif(sdata);
7834
	}
7835

7836
	if (elems->erp_info) {
7837
		erp_valid = true;
7838
		erp_value = elems->erp_info[0];
7839
	} else {
7840
		erp_valid = false;
7841
	}
7842

7843
	if (!ieee80211_is_s1g_beacon(hdr->frame_control))
7844
		changed |= ieee80211_handle_bss_capability(link,
7845
				le16_to_cpu(mgmt->u.beacon.capab_info),
7846
				erp_valid, erp_value);
7847

7848
	sta = sta_info_get(sdata, sdata->vif.cfg.ap_addr);
7849
	if (WARN_ON(!sta)) {
7850
		goto free;
7851
	}
7852
	link_sta = rcu_dereference_protected(sta->link[link->link_id],
7853
					     lockdep_is_held(&local->hw.wiphy->mtx));
7854
	if (WARN_ON(!link_sta)) {
7855
		goto free;
7856
	}
7857

7858
	if (WARN_ON(!bss_conf->chanreq.oper.chan))
7859
		goto free;
7860

7861
	sband = local->hw.wiphy->bands[bss_conf->chanreq.oper.chan->band];
7862

7863
	changed |= ieee80211_recalc_twt_req(sdata, sband, link, link_sta, elems);
7864

7865
	if (ieee80211_config_bw(link, elems, true, &changed,
7866
				IEEE80211_STYPE_BEACON)) {
7867
		ieee80211_set_disassoc(sdata, IEEE80211_STYPE_DEAUTH,
7868
				       WLAN_REASON_DEAUTH_LEAVING,
7869
				       true, deauth_buf);
7870
		ieee80211_report_disconnect(sdata, deauth_buf,
7871
					    sizeof(deauth_buf), true,
7872
					    WLAN_REASON_DEAUTH_LEAVING,
7873
					    false);
7874
		goto free;
7875
	}
7876

7877
	if (elems->opmode_notif)
7878
		ieee80211_vht_handle_opmode(sdata, link_sta,
7879
					    *elems->opmode_notif,
7880
					    rx_status->band);
7881

7882
	changed |= ieee80211_handle_pwr_constr(link, chan, mgmt,
7883
					       elems->country_elem,
7884
					       elems->country_elem_len,
7885
					       elems->pwr_constr_elem,
7886
					       elems->cisco_dtpc_elem);
7887

7888
	ieee80211_ml_reconfiguration(sdata, elems);
7889
	ieee80211_process_adv_ttlm(sdata, elems,
7890
				      le64_to_cpu(mgmt->u.beacon.timestamp));
7891

7892
	ieee80211_link_info_change_notify(sdata, link, changed);
7893
free:
7894
	kfree(elems);
7895
}
7896

7897
static void ieee80211_apply_neg_ttlm(struct ieee80211_sub_if_data *sdata,
7898
				     struct ieee80211_neg_ttlm neg_ttlm)
7899
{
7900
	u16 new_active_links, new_dormant_links, new_suspended_links, map = 0;
7901
	u8 i;
7902

7903
	for (i = 0; i < IEEE80211_TTLM_NUM_TIDS; i++)
7904
		map |= neg_ttlm.downlink[i] | neg_ttlm.uplink[i];
7905

7906
	/* If there is an active TTLM, unset previously suspended links */
7907
	if (sdata->vif.neg_ttlm.valid)
7908
		sdata->vif.dormant_links &= ~sdata->vif.suspended_links;
7909

7910
	/* exclude links that are already disabled by advertised TTLM */
7911
	new_active_links =
7912
		map & sdata->vif.valid_links & ~sdata->vif.dormant_links;
7913
	new_suspended_links =
7914
		(~map & sdata->vif.valid_links) & ~sdata->vif.dormant_links;
7915
	new_dormant_links = sdata->vif.dormant_links | new_suspended_links;
7916
	if (ieee80211_ttlm_set_links(sdata, new_active_links,
7917
				     new_dormant_links, new_suspended_links))
7918
		return;
7919

7920
	sdata->vif.neg_ttlm = neg_ttlm;
7921
	sdata->vif.neg_ttlm.valid = true;
7922
}
7923

7924
static void ieee80211_neg_ttlm_timeout_work(struct wiphy *wiphy,
7925
					    struct wiphy_work *work)
7926
{
7927
	struct ieee80211_sub_if_data *sdata =
7928
		container_of(work, struct ieee80211_sub_if_data,
7929
			     u.mgd.neg_ttlm_timeout_work.work);
7930

7931
	sdata_info(sdata,
7932
		   "No negotiated TTLM response from AP, disconnecting.\n");
7933

7934
	__ieee80211_disconnect(sdata);
7935
}
7936

7937
static void
7938
ieee80211_neg_ttlm_add_suggested_map(struct sk_buff *skb,
7939
				     struct ieee80211_neg_ttlm *neg_ttlm)
7940
{
7941
	u8 i, direction[IEEE80211_TTLM_MAX_CNT];
7942

7943
	if (memcmp(neg_ttlm->downlink, neg_ttlm->uplink,
7944
		   sizeof(neg_ttlm->downlink))) {
7945
		direction[0] = IEEE80211_TTLM_DIRECTION_DOWN;
7946
		direction[1] = IEEE80211_TTLM_DIRECTION_UP;
7947
	} else {
7948
		direction[0] = IEEE80211_TTLM_DIRECTION_BOTH;
7949
	}
7950

7951
	for (i = 0; i < ARRAY_SIZE(direction); i++) {
7952
		u8 tid, len, map_ind = 0, *len_pos, *map_ind_pos, *pos;
7953
		__le16 map;
7954

7955
		len = sizeof(struct ieee80211_ttlm_elem) + 1 + 1;
7956

7957
		pos = skb_put(skb, len + 2);
7958
		*pos++ = WLAN_EID_EXTENSION;
7959
		len_pos = pos++;
7960
		*pos++ = WLAN_EID_EXT_TID_TO_LINK_MAPPING;
7961
		*pos++ = direction[i];
7962
		map_ind_pos = pos++;
7963
		for (tid = 0; tid < IEEE80211_TTLM_NUM_TIDS; tid++) {
7964
			map = direction[i] == IEEE80211_TTLM_DIRECTION_UP ?
7965
				cpu_to_le16(neg_ttlm->uplink[tid]) :
7966
				cpu_to_le16(neg_ttlm->downlink[tid]);
7967
			if (!map)
7968
				continue;
7969

7970
			len += 2;
7971
			map_ind |= BIT(tid);
7972
			skb_put_data(skb, &map, sizeof(map));
7973
		}
7974

7975
		*map_ind_pos = map_ind;
7976
		*len_pos = len;
7977

7978
		if (direction[i] == IEEE80211_TTLM_DIRECTION_BOTH)
7979
			break;
7980
	}
7981
}
7982

7983
static void
7984
ieee80211_send_neg_ttlm_req(struct ieee80211_sub_if_data *sdata,
7985
			    struct ieee80211_neg_ttlm *neg_ttlm,
7986
			    u8 dialog_token)
7987
{
7988
	struct ieee80211_local *local = sdata->local;
7989
	struct ieee80211_mgmt *mgmt;
7990
	struct sk_buff *skb;
7991
	int hdr_len = IEEE80211_MIN_ACTION_SIZE(ttlm_req);
7992
	int ttlm_max_len = 2 + 1 + sizeof(struct ieee80211_ttlm_elem) + 1 +
7993
		2 * 2 * IEEE80211_TTLM_NUM_TIDS;
7994

7995
	skb = dev_alloc_skb(local->tx_headroom + hdr_len + ttlm_max_len);
7996
	if (!skb)
7997
		return;
7998

7999
	skb_reserve(skb, local->tx_headroom);
8000
	mgmt = skb_put_zero(skb, hdr_len);
8001
	mgmt->frame_control = cpu_to_le16(IEEE80211_FTYPE_MGMT |
8002
					  IEEE80211_STYPE_ACTION);
8003
	memcpy(mgmt->da, sdata->vif.cfg.ap_addr, ETH_ALEN);
8004
	memcpy(mgmt->sa, sdata->vif.addr, ETH_ALEN);
8005
	memcpy(mgmt->bssid, sdata->vif.cfg.ap_addr, ETH_ALEN);
8006

8007
	mgmt->u.action.category = WLAN_CATEGORY_PROTECTED_EHT;
8008
	mgmt->u.action.action_code = WLAN_PROTECTED_EHT_ACTION_TTLM_REQ;
8009
	mgmt->u.action.ttlm_req.dialog_token = dialog_token;
8010
	ieee80211_neg_ttlm_add_suggested_map(skb, neg_ttlm);
8011
	ieee80211_tx_skb(sdata, skb);
8012
}
8013

8014
int ieee80211_req_neg_ttlm(struct ieee80211_sub_if_data *sdata,
8015
			   struct cfg80211_ttlm_params *params)
8016
{
8017
	struct ieee80211_neg_ttlm neg_ttlm = {};
8018
	u8 i;
8019

8020
	if (!ieee80211_vif_is_mld(&sdata->vif) ||
8021
	    !(sdata->vif.cfg.mld_capa_op &
8022
	      IEEE80211_MLD_CAP_OP_TID_TO_LINK_MAP_NEG_SUPP))
8023
		return -EINVAL;
8024

8025
	for (i = 0; i < IEEE80211_TTLM_NUM_TIDS; i++) {
8026
		if ((params->dlink[i] & ~sdata->vif.valid_links) ||
8027
		    (params->ulink[i] & ~sdata->vif.valid_links))
8028
			return -EINVAL;
8029

8030
		neg_ttlm.downlink[i] = params->dlink[i];
8031
		neg_ttlm.uplink[i] = params->ulink[i];
8032
	}
8033

8034
	if (drv_can_neg_ttlm(sdata->local, sdata, &neg_ttlm) !=
8035
	    NEG_TTLM_RES_ACCEPT)
8036
		return -EINVAL;
8037

8038
	ieee80211_apply_neg_ttlm(sdata, neg_ttlm);
8039
	sdata->u.mgd.dialog_token_alloc++;
8040
	ieee80211_send_neg_ttlm_req(sdata, &sdata->vif.neg_ttlm,
8041
				    sdata->u.mgd.dialog_token_alloc);
8042
	wiphy_delayed_work_cancel(sdata->local->hw.wiphy,
8043
				  &sdata->u.mgd.neg_ttlm_timeout_work);
8044
	wiphy_delayed_work_queue(sdata->local->hw.wiphy,
8045
				 &sdata->u.mgd.neg_ttlm_timeout_work,
8046
				 IEEE80211_NEG_TTLM_REQ_TIMEOUT);
8047
	return 0;
8048
}
8049

8050
static void
8051
ieee80211_send_neg_ttlm_res(struct ieee80211_sub_if_data *sdata,
8052
			    enum ieee80211_neg_ttlm_res ttlm_res,
8053
			    u8 dialog_token,
8054
			    struct ieee80211_neg_ttlm *neg_ttlm)
8055
{
8056
	struct ieee80211_local *local = sdata->local;
8057
	struct ieee80211_mgmt *mgmt;
8058
	struct sk_buff *skb;
8059
	int hdr_len = IEEE80211_MIN_ACTION_SIZE(ttlm_res);
8060
	int ttlm_max_len = 2 + 1 + sizeof(struct ieee80211_ttlm_elem) + 1 +
8061
		2 * 2 * IEEE80211_TTLM_NUM_TIDS;
8062
	u16 status_code;
8063

8064
	skb = dev_alloc_skb(local->tx_headroom + hdr_len + ttlm_max_len);
8065
	if (!skb)
8066
		return;
8067

8068
	skb_reserve(skb, local->tx_headroom);
8069
	mgmt = skb_put_zero(skb, hdr_len);
8070
	mgmt->frame_control = cpu_to_le16(IEEE80211_FTYPE_MGMT |
8071
					  IEEE80211_STYPE_ACTION);
8072
	memcpy(mgmt->da, sdata->vif.cfg.ap_addr, ETH_ALEN);
8073
	memcpy(mgmt->sa, sdata->vif.addr, ETH_ALEN);
8074
	memcpy(mgmt->bssid, sdata->vif.cfg.ap_addr, ETH_ALEN);
8075

8076
	mgmt->u.action.category = WLAN_CATEGORY_PROTECTED_EHT;
8077
	mgmt->u.action.action_code = WLAN_PROTECTED_EHT_ACTION_TTLM_RES;
8078
	mgmt->u.action.ttlm_res.dialog_token = dialog_token;
8079
	switch (ttlm_res) {
8080
	default:
8081
		WARN_ON(1);
8082
		fallthrough;
8083
	case NEG_TTLM_RES_REJECT:
8084
		status_code = WLAN_STATUS_DENIED_TID_TO_LINK_MAPPING;
8085
		break;
8086
	case NEG_TTLM_RES_ACCEPT:
8087
		status_code = WLAN_STATUS_SUCCESS;
8088
		break;
8089
	case NEG_TTLM_RES_SUGGEST_PREFERRED:
8090
		status_code = WLAN_STATUS_PREF_TID_TO_LINK_MAPPING_SUGGESTED;
8091
		ieee80211_neg_ttlm_add_suggested_map(skb, neg_ttlm);
8092
		break;
8093
	}
8094

8095
	mgmt->u.action.ttlm_res.status_code = cpu_to_le16(status_code);
8096
	ieee80211_tx_skb(sdata, skb);
8097
}
8098

8099
static int
8100
ieee80211_parse_neg_ttlm(struct ieee80211_sub_if_data *sdata,
8101
			 const struct ieee80211_ttlm_elem *ttlm,
8102
			 struct ieee80211_neg_ttlm *neg_ttlm,
8103
			 u8 *direction)
8104
{
8105
	u8 control, link_map_presence, map_size, tid;
8106
	u8 *pos;
8107

8108
	/* The element size was already validated in
8109
	 * ieee80211_tid_to_link_map_size_ok()
8110
	 */
8111
	pos = (void *)ttlm->optional;
8112

8113
	control = ttlm->control;
8114

8115
	/* mapping switch time and expected duration fields are not expected
8116
	 * in case of negotiated TTLM
8117
	 */
8118
	if (control & (IEEE80211_TTLM_CONTROL_SWITCH_TIME_PRESENT |
8119
		       IEEE80211_TTLM_CONTROL_EXPECTED_DUR_PRESENT)) {
8120
		mlme_dbg(sdata,
8121
			 "Invalid TTLM element in negotiated TTLM request\n");
8122
		return -EINVAL;
8123
	}
8124

8125
	if (control & IEEE80211_TTLM_CONTROL_DEF_LINK_MAP) {
8126
		for (tid = 0; tid < IEEE80211_TTLM_NUM_TIDS; tid++) {
8127
			neg_ttlm->downlink[tid] = sdata->vif.valid_links;
8128
			neg_ttlm->uplink[tid] = sdata->vif.valid_links;
8129
		}
8130
		*direction = IEEE80211_TTLM_DIRECTION_BOTH;
8131
		return 0;
8132
	}
8133

8134
	*direction = u8_get_bits(control, IEEE80211_TTLM_CONTROL_DIRECTION);
8135
	if (*direction != IEEE80211_TTLM_DIRECTION_DOWN &&
8136
	    *direction != IEEE80211_TTLM_DIRECTION_UP &&
8137
	    *direction != IEEE80211_TTLM_DIRECTION_BOTH)
8138
		return -EINVAL;
8139

8140
	link_map_presence = *pos;
8141
	pos++;
8142

8143
	if (control & IEEE80211_TTLM_CONTROL_LINK_MAP_SIZE)
8144
		map_size = 1;
8145
	else
8146
		map_size = 2;
8147

8148
	for (tid = 0; tid < IEEE80211_TTLM_NUM_TIDS; tid++) {
8149
		u16 map;
8150

8151
		if (link_map_presence & BIT(tid)) {
8152
			map = ieee80211_get_ttlm(map_size, pos);
8153
			if (!map) {
8154
				mlme_dbg(sdata,
8155
					 "No active links for TID %d", tid);
8156
				return -EINVAL;
8157
			}
8158
		} else {
8159
			map = 0;
8160
		}
8161

8162
		switch (*direction) {
8163
		case IEEE80211_TTLM_DIRECTION_BOTH:
8164
			neg_ttlm->downlink[tid] = map;
8165
			neg_ttlm->uplink[tid] = map;
8166
			break;
8167
		case IEEE80211_TTLM_DIRECTION_DOWN:
8168
			neg_ttlm->downlink[tid] = map;
8169
			break;
8170
		case IEEE80211_TTLM_DIRECTION_UP:
8171
			neg_ttlm->uplink[tid] = map;
8172
			break;
8173
		default:
8174
			return -EINVAL;
8175
		}
8176
		pos += map_size;
8177
	}
8178
	return 0;
8179
}
8180

8181
void ieee80211_process_neg_ttlm_req(struct ieee80211_sub_if_data *sdata,
8182
				    struct ieee80211_mgmt *mgmt, size_t len)
8183
{
8184
	u8 dialog_token, direction[IEEE80211_TTLM_MAX_CNT] = {}, i;
8185
	size_t ies_len;
8186
	enum ieee80211_neg_ttlm_res ttlm_res = NEG_TTLM_RES_ACCEPT;
8187
	struct ieee802_11_elems *elems = NULL;
8188
	struct ieee80211_neg_ttlm neg_ttlm = {};
8189

8190
	BUILD_BUG_ON(ARRAY_SIZE(direction) != ARRAY_SIZE(elems->ttlm));
8191

8192
	if (!ieee80211_vif_is_mld(&sdata->vif))
8193
		return;
8194

8195
	dialog_token = mgmt->u.action.ttlm_req.dialog_token;
8196
	ies_len  = len - IEEE80211_MIN_ACTION_SIZE(ttlm_req);
8197
	elems = ieee802_11_parse_elems(mgmt->u.action.ttlm_req.variable,
8198
				       ies_len,
8199
				       IEEE80211_FTYPE_MGMT |
8200
				       IEEE80211_STYPE_ACTION,
8201
				       NULL);
8202
	if (!elems) {
8203
		ttlm_res = NEG_TTLM_RES_REJECT;
8204
		goto out;
8205
	}
8206

8207
	for (i = 0; i < elems->ttlm_num; i++) {
8208
		if (ieee80211_parse_neg_ttlm(sdata, elems->ttlm[i],
8209
					     &neg_ttlm, &direction[i]) ||
8210
		    (direction[i] == IEEE80211_TTLM_DIRECTION_BOTH &&
8211
		     elems->ttlm_num != 1)) {
8212
			ttlm_res = NEG_TTLM_RES_REJECT;
8213
			goto out;
8214
		}
8215
	}
8216

8217
	if (!elems->ttlm_num ||
8218
	    (elems->ttlm_num == 2 && direction[0] == direction[1])) {
8219
		ttlm_res = NEG_TTLM_RES_REJECT;
8220
		goto out;
8221
	}
8222

8223
	for (i = 0; i < IEEE80211_TTLM_NUM_TIDS; i++) {
8224
		if ((neg_ttlm.downlink[i] &&
8225
		     (neg_ttlm.downlink[i] & ~sdata->vif.valid_links)) ||
8226
		    (neg_ttlm.uplink[i] &&
8227
		     (neg_ttlm.uplink[i] & ~sdata->vif.valid_links))) {
8228
			ttlm_res = NEG_TTLM_RES_REJECT;
8229
			goto out;
8230
		}
8231
	}
8232

8233
	ttlm_res = drv_can_neg_ttlm(sdata->local, sdata, &neg_ttlm);
8234

8235
	if (ttlm_res != NEG_TTLM_RES_ACCEPT)
8236
		goto out;
8237

8238
	ieee80211_apply_neg_ttlm(sdata, neg_ttlm);
8239
out:
8240
	kfree(elems);
8241
	ieee80211_send_neg_ttlm_res(sdata, ttlm_res, dialog_token, &neg_ttlm);
8242
}
8243

8244
void ieee80211_process_neg_ttlm_res(struct ieee80211_sub_if_data *sdata,
8245
				    struct ieee80211_mgmt *mgmt, size_t len)
8246
{
8247
	if (!ieee80211_vif_is_mld(&sdata->vif) ||
8248
	    mgmt->u.action.ttlm_res.dialog_token != sdata->u.mgd.dialog_token_alloc)
8249
		return;
8250

8251
	wiphy_delayed_work_cancel(sdata->local->hw.wiphy,
8252
				  &sdata->u.mgd.neg_ttlm_timeout_work);
8253

8254
	/* MLD station sends a TID to link mapping request, mainly to handle
8255
	 * BTM (BSS transition management) request, in which case it needs to
8256
	 * restrict the active links set.
8257
	 * In this case it's not expected that the MLD AP will reject the
8258
	 * negotiated TTLM request.
8259
	 * This can be better implemented in the future, to handle request
8260
	 * rejections.
8261
	 */
8262
	if (le16_to_cpu(mgmt->u.action.ttlm_res.status_code) != WLAN_STATUS_SUCCESS)
8263
		__ieee80211_disconnect(sdata);
8264
}
8265

8266
void ieee80211_process_ttlm_teardown(struct ieee80211_sub_if_data *sdata)
8267
{
8268
	u16 new_dormant_links;
8269

8270
	if (!sdata->vif.neg_ttlm.valid)
8271
		return;
8272

8273
	memset(&sdata->vif.neg_ttlm, 0, sizeof(sdata->vif.neg_ttlm));
8274
	new_dormant_links =
8275
		sdata->vif.dormant_links & ~sdata->vif.suspended_links;
8276
	sdata->vif.suspended_links = 0;
8277
	ieee80211_vif_set_links(sdata, sdata->vif.valid_links,
8278
				new_dormant_links);
8279
	ieee80211_vif_cfg_change_notify(sdata, BSS_CHANGED_MLD_TTLM |
8280
					       BSS_CHANGED_MLD_VALID_LINKS);
8281
}
8282

8283
static void ieee80211_teardown_ttlm_work(struct wiphy *wiphy,
8284
					 struct wiphy_work *work)
8285
{
8286
	struct ieee80211_sub_if_data *sdata =
8287
		container_of(work, struct ieee80211_sub_if_data,
8288
			     u.mgd.teardown_ttlm_work);
8289

8290
	ieee80211_process_ttlm_teardown(sdata);
8291
}
8292

8293
void ieee80211_send_teardown_neg_ttlm(struct ieee80211_vif *vif)
8294
{
8295
	int frame_len = IEEE80211_MIN_ACTION_SIZE(ttlm_tear_down);
8296
	struct ieee80211_sub_if_data *sdata = vif_to_sdata(vif);
8297
	struct ieee80211_local *local = sdata->local;
8298
	struct ieee80211_mgmt *mgmt;
8299
	struct sk_buff *skb;
8300
	struct ieee80211_tx_info *info;
8301

8302
	skb = dev_alloc_skb(local->hw.extra_tx_headroom + frame_len);
8303
	if (!skb)
8304
		return;
8305

8306
	skb_reserve(skb, local->hw.extra_tx_headroom);
8307
	mgmt = skb_put_zero(skb, frame_len);
8308
	mgmt->frame_control = cpu_to_le16(IEEE80211_FTYPE_MGMT |
8309
					  IEEE80211_STYPE_ACTION);
8310
	memcpy(mgmt->da, sdata->vif.cfg.ap_addr, ETH_ALEN);
8311
	memcpy(mgmt->sa, sdata->vif.addr, ETH_ALEN);
8312
	memcpy(mgmt->bssid, sdata->vif.cfg.ap_addr, ETH_ALEN);
8313

8314
	mgmt->u.action.category = WLAN_CATEGORY_PROTECTED_EHT;
8315
	mgmt->u.action.action_code = WLAN_PROTECTED_EHT_ACTION_TTLM_TEARDOWN;
8316

8317
	info = IEEE80211_SKB_CB(skb);
8318
	info->flags |= IEEE80211_TX_CTL_REQ_TX_STATUS;
8319
	info->status_data = IEEE80211_STATUS_TYPE_NEG_TTLM;
8320
	ieee80211_tx_skb(sdata, skb);
8321
}
8322
EXPORT_SYMBOL(ieee80211_send_teardown_neg_ttlm);
8323

8324
void ieee80211_sta_rx_queued_ext(struct ieee80211_sub_if_data *sdata,
8325
				 struct sk_buff *skb)
8326
{
8327
	struct ieee80211_link_data *link = &sdata->deflink;
8328
	struct ieee80211_rx_status *rx_status;
8329
	struct ieee80211_hdr *hdr;
8330
	u16 fc;
8331

8332
	lockdep_assert_wiphy(sdata->local->hw.wiphy);
8333

8334
	rx_status = (struct ieee80211_rx_status *) skb->cb;
8335
	hdr = (struct ieee80211_hdr *) skb->data;
8336
	fc = le16_to_cpu(hdr->frame_control);
8337

8338
	switch (fc & IEEE80211_FCTL_STYPE) {
8339
	case IEEE80211_STYPE_S1G_BEACON:
8340
		ieee80211_rx_mgmt_beacon(link, hdr, skb->len, rx_status);
8341
		break;
8342
	}
8343
}
8344

8345
void ieee80211_sta_rx_queued_mgmt(struct ieee80211_sub_if_data *sdata,
8346
				  struct sk_buff *skb)
8347
{
8348
	struct ieee80211_link_data *link = &sdata->deflink;
8349
	struct ieee80211_rx_status *rx_status;
8350
	struct ieee802_11_elems *elems;
8351
	struct ieee80211_mgmt *mgmt;
8352
	u16 fc;
8353
	int ies_len;
8354

8355
	lockdep_assert_wiphy(sdata->local->hw.wiphy);
8356

8357
	rx_status = (struct ieee80211_rx_status *) skb->cb;
8358
	mgmt = (struct ieee80211_mgmt *) skb->data;
8359
	fc = le16_to_cpu(mgmt->frame_control);
8360

8361
	if (rx_status->link_valid) {
8362
		link = sdata_dereference(sdata->link[rx_status->link_id],
8363
					 sdata);
8364
		if (!link)
8365
			return;
8366
	}
8367

8368
	switch (fc & IEEE80211_FCTL_STYPE) {
8369
	case IEEE80211_STYPE_BEACON:
8370
		ieee80211_rx_mgmt_beacon(link, (void *)mgmt,
8371
					 skb->len, rx_status);
8372
		break;
8373
	case IEEE80211_STYPE_PROBE_RESP:
8374
		ieee80211_rx_mgmt_probe_resp(link, skb);
8375
		break;
8376
	case IEEE80211_STYPE_AUTH:
8377
		ieee80211_rx_mgmt_auth(sdata, mgmt, skb->len);
8378
		break;
8379
	case IEEE80211_STYPE_DEAUTH:
8380
		ieee80211_rx_mgmt_deauth(sdata, mgmt, skb->len);
8381
		break;
8382
	case IEEE80211_STYPE_DISASSOC:
8383
		ieee80211_rx_mgmt_disassoc(sdata, mgmt, skb->len);
8384
		break;
8385
	case IEEE80211_STYPE_ASSOC_RESP:
8386
	case IEEE80211_STYPE_REASSOC_RESP:
8387
		ieee80211_rx_mgmt_assoc_resp(sdata, mgmt, skb->len);
8388
		break;
8389
	case IEEE80211_STYPE_ACTION:
8390
		if (!sdata->u.mgd.associated ||
8391
		    !ether_addr_equal(mgmt->bssid, sdata->vif.cfg.ap_addr))
8392
			break;
8393

8394
		switch (mgmt->u.action.category) {
8395
		case WLAN_CATEGORY_SPECTRUM_MGMT:
8396
			ies_len = skb->len -
8397
				  offsetof(struct ieee80211_mgmt,
8398
					   u.action.chan_switch.variable);
8399

8400
			if (ies_len < 0)
8401
				break;
8402

8403
			/* CSA IE cannot be overridden, no need for BSSID */
8404
			elems = ieee802_11_parse_elems(mgmt->u.action.chan_switch.variable,
8405
						       ies_len,
8406
						       IEEE80211_FTYPE_MGMT |
8407
						       IEEE80211_STYPE_ACTION,
8408
						       NULL);
8409

8410
			if (elems && !elems->parse_error) {
8411
				enum ieee80211_csa_source src =
8412
					IEEE80211_CSA_SOURCE_PROT_ACTION;
8413

8414
				ieee80211_sta_process_chanswitch(link,
8415
								 rx_status->mactime,
8416
								 rx_status->device_timestamp,
8417
								 elems, elems,
8418
								 src);
8419
			}
8420
			kfree(elems);
8421
			break;
8422
		case WLAN_CATEGORY_PUBLIC:
8423
		case WLAN_CATEGORY_PROTECTED_DUAL_OF_ACTION:
8424
			ies_len = skb->len -
8425
				  offsetof(struct ieee80211_mgmt,
8426
					   u.action.ext_chan_switch.variable);
8427

8428
			if (ies_len < 0)
8429
				break;
8430

8431
			/*
8432
			 * extended CSA IE can't be overridden, no need for
8433
			 * BSSID
8434
			 */
8435
			elems = ieee802_11_parse_elems(mgmt->u.action.ext_chan_switch.variable,
8436
						       ies_len,
8437
						       IEEE80211_FTYPE_MGMT |
8438
						       IEEE80211_STYPE_ACTION,
8439
						       NULL);
8440

8441
			if (elems && !elems->parse_error) {
8442
				enum ieee80211_csa_source src;
8443

8444
				if (mgmt->u.action.category ==
8445
						WLAN_CATEGORY_PROTECTED_DUAL_OF_ACTION)
8446
					src = IEEE80211_CSA_SOURCE_PROT_ACTION;
8447
				else
8448
					src = IEEE80211_CSA_SOURCE_UNPROT_ACTION;
8449

8450
				/* for the handling code pretend it was an IE */
8451
				elems->ext_chansw_ie =
8452
					&mgmt->u.action.ext_chan_switch.data;
8453

8454
				ieee80211_sta_process_chanswitch(link,
8455
								 rx_status->mactime,
8456
								 rx_status->device_timestamp,
8457
								 elems, elems,
8458
								 src);
8459
			}
8460

8461
			kfree(elems);
8462
			break;
8463
		}
8464
		break;
8465
	}
8466
}
8467

8468
static void ieee80211_sta_timer(struct timer_list *t)
8469
{
8470
	struct ieee80211_sub_if_data *sdata =
8471
		timer_container_of(sdata, t, u.mgd.timer);
8472

8473
	wiphy_work_queue(sdata->local->hw.wiphy, &sdata->work);
8474
}
8475

8476
void ieee80211_sta_connection_lost(struct ieee80211_sub_if_data *sdata,
8477
				   u8 reason, bool tx)
8478
{
8479
	u8 frame_buf[IEEE80211_DEAUTH_FRAME_LEN];
8480

8481
	ieee80211_set_disassoc(sdata, IEEE80211_STYPE_DEAUTH, reason,
8482
			       tx, frame_buf);
8483

8484
	ieee80211_report_disconnect(sdata, frame_buf, sizeof(frame_buf), true,
8485
				    reason, false);
8486
}
8487

8488
static int ieee80211_auth(struct ieee80211_sub_if_data *sdata)
8489
{
8490
	struct ieee80211_local *local = sdata->local;
8491
	struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
8492
	struct ieee80211_mgd_auth_data *auth_data = ifmgd->auth_data;
8493
	u32 tx_flags = 0;
8494
	u16 trans = 1;
8495
	u16 status = 0;
8496
	struct ieee80211_prep_tx_info info = {
8497
		.subtype = IEEE80211_STYPE_AUTH,
8498
	};
8499

8500
	lockdep_assert_wiphy(sdata->local->hw.wiphy);
8501

8502
	if (WARN_ON_ONCE(!auth_data))
8503
		return -EINVAL;
8504

8505
	if (auth_data->algorithm == WLAN_AUTH_EPPKE &&
8506
	    ieee80211_vif_is_mld(&sdata->vif) &&
8507
	    !cfg80211_find_ext_elem(WLAN_EID_EXT_EHT_MULTI_LINK,
8508
				    auth_data->data, auth_data->data_len))
8509
		return -EINVAL;
8510

8511
	auth_data->tries++;
8512

8513
	if (auth_data->tries > IEEE80211_AUTH_MAX_TRIES) {
8514
		sdata_info(sdata, "authentication with %pM timed out\n",
8515
			   auth_data->ap_addr);
8516

8517
		/*
8518
		 * Most likely AP is not in the range so remove the
8519
		 * bss struct for that AP.
8520
		 */
8521
		cfg80211_unlink_bss(local->hw.wiphy, auth_data->bss);
8522

8523
		return -ETIMEDOUT;
8524
	}
8525

8526
	if (auth_data->algorithm == WLAN_AUTH_SAE ||
8527
	    auth_data->algorithm == WLAN_AUTH_EPPKE)
8528
		info.duration = jiffies_to_msecs(IEEE80211_AUTH_TIMEOUT_SAE);
8529

8530
	info.link_id = auth_data->link_id;
8531
	drv_mgd_prepare_tx(local, sdata, &info);
8532

8533
	sdata_info(sdata, "send auth to %pM (try %d/%d)\n",
8534
		   auth_data->ap_addr, auth_data->tries,
8535
		   IEEE80211_AUTH_MAX_TRIES);
8536

8537
	auth_data->expected_transaction = 2;
8538

8539
	if (auth_data->algorithm == WLAN_AUTH_SAE) {
8540
		trans = auth_data->trans;
8541
		status = auth_data->status;
8542
		auth_data->expected_transaction = trans;
8543
	} else if (auth_data->algorithm == WLAN_AUTH_EPPKE) {
8544
		trans = auth_data->trans;
8545
		status = auth_data->status;
8546
	} else if (auth_data->algorithm == WLAN_AUTH_IEEE8021X) {
8547
		trans = auth_data->trans;
8548
		status = auth_data->status;
8549
		auth_data->expected_transaction = trans + 1;
8550
	}
8551

8552
	if (ieee80211_hw_check(&local->hw, REPORTS_TX_ACK_STATUS))
8553
		tx_flags = IEEE80211_TX_CTL_REQ_TX_STATUS |
8554
			   IEEE80211_TX_INTFL_MLME_CONN_TX;
8555

8556
	ieee80211_send_auth(sdata, trans, auth_data->algorithm, status,
8557
			    auth_data->data, auth_data->data_len,
8558
			    auth_data->ap_addr, auth_data->ap_addr,
8559
			    NULL, 0, 0, tx_flags);
8560

8561
	if (tx_flags == 0) {
8562
		if (auth_data->algorithm == WLAN_AUTH_SAE)
8563
			auth_data->timeout = jiffies +
8564
				IEEE80211_AUTH_TIMEOUT_SAE;
8565
		else
8566
			auth_data->timeout = jiffies + IEEE80211_AUTH_TIMEOUT;
8567
	} else {
8568
		auth_data->timeout =
8569
			round_jiffies_up(jiffies + IEEE80211_AUTH_TIMEOUT_LONG);
8570
	}
8571

8572
	auth_data->timeout_started = true;
8573
	run_again(sdata, auth_data->timeout);
8574

8575
	return 0;
8576
}
8577

8578
static int ieee80211_do_assoc(struct ieee80211_sub_if_data *sdata)
8579
{
8580
	struct ieee80211_mgd_assoc_data *assoc_data = sdata->u.mgd.assoc_data;
8581
	struct ieee80211_local *local = sdata->local;
8582
	int ret;
8583

8584
	lockdep_assert_wiphy(sdata->local->hw.wiphy);
8585

8586
	assoc_data->tries++;
8587
	assoc_data->comeback = false;
8588
	if (assoc_data->tries > IEEE80211_ASSOC_MAX_TRIES) {
8589
		sdata_info(sdata, "association with %pM timed out\n",
8590
			   assoc_data->ap_addr);
8591

8592
		/*
8593
		 * Most likely AP is not in the range so remove the
8594
		 * bss struct for that AP.
8595
		 */
8596
		cfg80211_unlink_bss(local->hw.wiphy,
8597
				    assoc_data->link[assoc_data->assoc_link_id].bss);
8598

8599
		return -ETIMEDOUT;
8600
	}
8601

8602
	sdata_info(sdata, "associate with %pM (try %d/%d)\n",
8603
		   assoc_data->ap_addr, assoc_data->tries,
8604
		   IEEE80211_ASSOC_MAX_TRIES);
8605
	ret = ieee80211_send_assoc(sdata);
8606
	if (ret)
8607
		return ret;
8608

8609
	if (!ieee80211_hw_check(&local->hw, REPORTS_TX_ACK_STATUS)) {
8610
		assoc_data->timeout = jiffies + IEEE80211_ASSOC_TIMEOUT;
8611
		assoc_data->timeout_started = true;
8612
		run_again(sdata, assoc_data->timeout);
8613
	} else {
8614
		assoc_data->timeout =
8615
			round_jiffies_up(jiffies +
8616
					 IEEE80211_ASSOC_TIMEOUT_LONG);
8617
		assoc_data->timeout_started = true;
8618
		run_again(sdata, assoc_data->timeout);
8619
	}
8620

8621
	return 0;
8622
}
8623

8624
void ieee80211_mgd_conn_tx_status(struct ieee80211_sub_if_data *sdata,
8625
				  __le16 fc, bool acked)
8626
{
8627
	struct ieee80211_local *local = sdata->local;
8628

8629
	sdata->u.mgd.status_fc = fc;
8630
	sdata->u.mgd.status_acked = acked;
8631
	sdata->u.mgd.status_received = true;
8632

8633
	wiphy_work_queue(local->hw.wiphy, &sdata->work);
8634
}
8635

8636
void ieee80211_sta_work(struct ieee80211_sub_if_data *sdata)
8637
{
8638
	struct ieee80211_local *local = sdata->local;
8639
	struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
8640

8641
	lockdep_assert_wiphy(sdata->local->hw.wiphy);
8642

8643
	if (ifmgd->status_received) {
8644
		__le16 fc = ifmgd->status_fc;
8645
		bool status_acked = ifmgd->status_acked;
8646

8647
		ifmgd->status_received = false;
8648
		if (ifmgd->auth_data && ieee80211_is_auth(fc)) {
8649
			if (status_acked) {
8650
				if (ifmgd->auth_data->algorithm ==
8651
				    WLAN_AUTH_SAE)
8652
					ifmgd->auth_data->timeout =
8653
						jiffies +
8654
						IEEE80211_AUTH_TIMEOUT_SAE;
8655
				else
8656
					ifmgd->auth_data->timeout =
8657
						jiffies +
8658
						IEEE80211_AUTH_TIMEOUT_SHORT;
8659
				run_again(sdata, ifmgd->auth_data->timeout);
8660
			} else {
8661
				ifmgd->auth_data->timeout = jiffies - 1;
8662
			}
8663
			ifmgd->auth_data->timeout_started = true;
8664
		} else if (ifmgd->assoc_data &&
8665
			   !ifmgd->assoc_data->comeback &&
8666
			   (ieee80211_is_assoc_req(fc) ||
8667
			    ieee80211_is_reassoc_req(fc))) {
8668
			/*
8669
			 * Update association timeout based on the TX status
8670
			 * for the (Re)Association Request frame. Skip this if
8671
			 * we have already processed a (Re)Association Response
8672
			 * frame that indicated need for association comeback
8673
			 * at a specific time in the future. This could happen
8674
			 * if the TX status information is delayed enough for
8675
			 * the response to be received and processed first.
8676
			 */
8677
			if (status_acked) {
8678
				ifmgd->assoc_data->timeout =
8679
					jiffies + IEEE80211_ASSOC_TIMEOUT_SHORT;
8680
				run_again(sdata, ifmgd->assoc_data->timeout);
8681
			} else {
8682
				ifmgd->assoc_data->timeout = jiffies - 1;
8683
			}
8684
			ifmgd->assoc_data->timeout_started = true;
8685
		}
8686
	}
8687

8688
	if (ifmgd->auth_data && ifmgd->auth_data->timeout_started &&
8689
	    time_after(jiffies, ifmgd->auth_data->timeout)) {
8690
		if (ifmgd->auth_data->done || ifmgd->auth_data->waiting) {
8691
			/*
8692
			 * ok ... we waited for assoc or continuation but
8693
			 * userspace didn't do it, so kill the auth data
8694
			 */
8695
			ieee80211_destroy_auth_data(sdata, false);
8696
		} else if (ieee80211_auth(sdata)) {
8697
			u8 ap_addr[ETH_ALEN];
8698
			struct ieee80211_event event = {
8699
				.type = MLME_EVENT,
8700
				.u.mlme.data = AUTH_EVENT,
8701
				.u.mlme.status = MLME_TIMEOUT,
8702
			};
8703

8704
			memcpy(ap_addr, ifmgd->auth_data->ap_addr, ETH_ALEN);
8705

8706
			ieee80211_destroy_auth_data(sdata, false);
8707

8708
			cfg80211_auth_timeout(sdata->dev, ap_addr);
8709
			drv_event_callback(sdata->local, sdata, &event);
8710
		}
8711
	} else if (ifmgd->auth_data && ifmgd->auth_data->timeout_started)
8712
		run_again(sdata, ifmgd->auth_data->timeout);
8713

8714
	if (ifmgd->assoc_data && ifmgd->assoc_data->timeout_started &&
8715
	    time_after(jiffies, ifmgd->assoc_data->timeout)) {
8716
		if ((ifmgd->assoc_data->need_beacon &&
8717
		     !sdata->deflink.u.mgd.have_beacon) ||
8718
		    ieee80211_do_assoc(sdata)) {
8719
			struct ieee80211_event event = {
8720
				.type = MLME_EVENT,
8721
				.u.mlme.data = ASSOC_EVENT,
8722
				.u.mlme.status = MLME_TIMEOUT,
8723
			};
8724

8725
			ieee80211_destroy_assoc_data(sdata, ASSOC_TIMEOUT);
8726
			drv_event_callback(sdata->local, sdata, &event);
8727
		}
8728
	} else if (ifmgd->assoc_data && ifmgd->assoc_data->timeout_started)
8729
		run_again(sdata, ifmgd->assoc_data->timeout);
8730

8731
	if (ifmgd->flags & IEEE80211_STA_CONNECTION_POLL &&
8732
	    ifmgd->associated) {
8733
		u8 *bssid = sdata->deflink.u.mgd.bssid;
8734
		int max_tries;
8735

8736
		if (ieee80211_hw_check(&local->hw, REPORTS_TX_ACK_STATUS))
8737
			max_tries = max_nullfunc_tries;
8738
		else
8739
			max_tries = max_probe_tries;
8740

8741
		/* ACK received for nullfunc probing frame */
8742
		if (!ifmgd->probe_send_count)
8743
			ieee80211_reset_ap_probe(sdata);
8744
		else if (ifmgd->nullfunc_failed) {
8745
			if (ifmgd->probe_send_count < max_tries) {
8746
				mlme_dbg(sdata,
8747
					 "No ack for nullfunc frame to AP %pM, try %d/%i\n",
8748
					 bssid, ifmgd->probe_send_count,
8749
					 max_tries);
8750
				ieee80211_mgd_probe_ap_send(sdata);
8751
			} else {
8752
				mlme_dbg(sdata,
8753
					 "No ack for nullfunc frame to AP %pM, disconnecting.\n",
8754
					 bssid);
8755
				ieee80211_sta_connection_lost(sdata,
8756
					WLAN_REASON_DISASSOC_DUE_TO_INACTIVITY,
8757
					false);
8758
			}
8759
		} else if (time_is_after_jiffies(ifmgd->probe_timeout))
8760
			run_again(sdata, ifmgd->probe_timeout);
8761
		else if (ieee80211_hw_check(&local->hw, REPORTS_TX_ACK_STATUS)) {
8762
			mlme_dbg(sdata,
8763
				 "Failed to send nullfunc to AP %pM after %dms, disconnecting\n",
8764
				 bssid, probe_wait_ms);
8765
			ieee80211_sta_connection_lost(sdata,
8766
				WLAN_REASON_DISASSOC_DUE_TO_INACTIVITY, false);
8767
		} else if (ifmgd->probe_send_count < max_tries) {
8768
			mlme_dbg(sdata,
8769
				 "No probe response from AP %pM after %dms, try %d/%i\n",
8770
				 bssid, probe_wait_ms,
8771
				 ifmgd->probe_send_count, max_tries);
8772
			ieee80211_mgd_probe_ap_send(sdata);
8773
		} else {
8774
			/*
8775
			 * We actually lost the connection ... or did we?
8776
			 * Let's make sure!
8777
			 */
8778
			mlme_dbg(sdata,
8779
				 "No probe response from AP %pM after %dms, disconnecting.\n",
8780
				 bssid, probe_wait_ms);
8781

8782
			ieee80211_sta_connection_lost(sdata,
8783
				WLAN_REASON_DISASSOC_DUE_TO_INACTIVITY, false);
8784
		}
8785
	}
8786
}
8787

8788
static bool
8789
ieee80211_is_csa_in_progress(struct ieee80211_sub_if_data *sdata)
8790
{
8791
	/*
8792
	 * In MLO, check the CSA flags 'active' and 'waiting_bcn' for all
8793
	 * the links.
8794
	 */
8795
	struct ieee80211_link_data *link;
8796

8797
	guard(rcu)();
8798

8799
	for_each_link_data_rcu(sdata, link) {
8800
		if (!(link->conf->csa_active &&
8801
		      !link->u.mgd.csa.waiting_bcn))
8802
			return false;
8803
	}
8804

8805
	return true;
8806
}
8807

8808
static void ieee80211_sta_bcn_mon_timer(struct timer_list *t)
8809
{
8810
	struct ieee80211_sub_if_data *sdata =
8811
		timer_container_of(sdata, t, u.mgd.bcn_mon_timer);
8812

8813
	if (ieee80211_is_csa_in_progress(sdata))
8814
		return;
8815

8816
	if (sdata->vif.driver_flags & IEEE80211_VIF_BEACON_FILTER)
8817
		return;
8818

8819
	sdata->u.mgd.connection_loss = false;
8820
	wiphy_work_queue(sdata->local->hw.wiphy,
8821
			 &sdata->u.mgd.beacon_connection_loss_work);
8822
}
8823

8824
static unsigned long
8825
ieee80211_latest_active_link_conn_timeout(struct ieee80211_sub_if_data *sdata)
8826
{
8827
	unsigned long latest_timeout = jiffies;
8828
	unsigned int link_id;
8829
	struct sta_info *sta;
8830

8831
	guard(rcu)();
8832

8833
	sta = sta_info_get(sdata, sdata->vif.cfg.ap_addr);
8834
	if (!sta)
8835
		return 0;
8836

8837
	for (link_id = 0; link_id < ARRAY_SIZE(sta->link);
8838
	     link_id++) {
8839
		struct link_sta_info *link_sta;
8840
		unsigned long timeout;
8841

8842
		link_sta = rcu_dereference(sta->link[link_id]);
8843
		if (!link_sta)
8844
			continue;
8845

8846
		timeout = link_sta->status_stats.last_ack;
8847
		if (time_before(timeout, link_sta->rx_stats.last_rx))
8848
			timeout = link_sta->rx_stats.last_rx;
8849

8850
		timeout += IEEE80211_CONNECTION_IDLE_TIME;
8851

8852
		/*
8853
		 * latest_timeout holds the timeout of the link
8854
		 * that will expire last among all links in an
8855
		 * non-AP MLD STA. This ensures that the connection
8856
		 * monitor timer is only reset if at least one link
8857
		 * is still active, and it is scheduled to fire at
8858
		 * the latest possible timeout.
8859
		 */
8860
		if (time_after(timeout, latest_timeout))
8861
			latest_timeout = timeout;
8862
	}
8863

8864
	return latest_timeout;
8865
}
8866

8867
static void ieee80211_sta_conn_mon_timer(struct timer_list *t)
8868
{
8869
	struct ieee80211_sub_if_data *sdata =
8870
		timer_container_of(sdata, t, u.mgd.conn_mon_timer);
8871
	struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
8872
	struct ieee80211_local *local = sdata->local;
8873
	unsigned long latest_timeout;
8874

8875
	if (ieee80211_is_csa_in_progress(sdata))
8876
		return;
8877

8878
	latest_timeout = ieee80211_latest_active_link_conn_timeout(sdata);
8879

8880
	/*
8881
	 * If latest timeout is after now, then update timer to fire at
8882
	 * the later date, but do not actually probe at this time.
8883
	 */
8884
	if (time_is_after_jiffies(latest_timeout)) {
8885
		mod_timer(&ifmgd->conn_mon_timer,
8886
			  round_jiffies_up(latest_timeout));
8887
		return;
8888
	}
8889

8890
	wiphy_work_queue(local->hw.wiphy, &sdata->u.mgd.monitor_work);
8891
}
8892

8893
static void ieee80211_sta_monitor_work(struct wiphy *wiphy,
8894
				       struct wiphy_work *work)
8895
{
8896
	struct ieee80211_sub_if_data *sdata =
8897
		container_of(work, struct ieee80211_sub_if_data,
8898
			     u.mgd.monitor_work);
8899

8900
	ieee80211_mgd_probe_ap(sdata, false);
8901
}
8902

8903
static void ieee80211_restart_sta_timer(struct ieee80211_sub_if_data *sdata)
8904
{
8905
	if (sdata->vif.type == NL80211_IFTYPE_STATION) {
8906
		__ieee80211_stop_poll(sdata);
8907

8908
		/* let's probe the connection once */
8909
		if (!ieee80211_hw_check(&sdata->local->hw, CONNECTION_MONITOR))
8910
			wiphy_work_queue(sdata->local->hw.wiphy,
8911
					 &sdata->u.mgd.monitor_work);
8912
	}
8913
}
8914

8915
#ifdef CONFIG_PM
8916
void ieee80211_mgd_quiesce(struct ieee80211_sub_if_data *sdata)
8917
{
8918
	struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
8919
	u8 frame_buf[IEEE80211_DEAUTH_FRAME_LEN];
8920

8921
	lockdep_assert_wiphy(sdata->local->hw.wiphy);
8922

8923
	if (ifmgd->auth_data || ifmgd->assoc_data) {
8924
		const u8 *ap_addr = ifmgd->auth_data ?
8925
				ifmgd->auth_data->ap_addr :
8926
				ifmgd->assoc_data->ap_addr;
8927

8928
		/*
8929
		 * If we are trying to authenticate / associate while suspending,
8930
		 * cfg80211 won't know and won't actually abort those attempts,
8931
		 * thus we need to do that ourselves.
8932
		 */
8933
		ieee80211_send_deauth_disassoc(sdata, ap_addr, ap_addr,
8934
					       IEEE80211_STYPE_DEAUTH,
8935
					       WLAN_REASON_DEAUTH_LEAVING,
8936
					       false, frame_buf);
8937
		if (ifmgd->assoc_data)
8938
			ieee80211_destroy_assoc_data(sdata, ASSOC_ABANDON);
8939
		if (ifmgd->auth_data)
8940
			ieee80211_destroy_auth_data(sdata, false);
8941
		cfg80211_tx_mlme_mgmt(sdata->dev, frame_buf,
8942
				      IEEE80211_DEAUTH_FRAME_LEN,
8943
				      false);
8944
	}
8945

8946
	/* This is a bit of a hack - we should find a better and more generic
8947
	 * solution to this. Normally when suspending, cfg80211 will in fact
8948
	 * deauthenticate. However, it doesn't (and cannot) stop an ongoing
8949
	 * auth (not so important) or assoc (this is the problem) process.
8950
	 *
8951
	 * As a consequence, it can happen that we are in the process of both
8952
	 * associating and suspending, and receive an association response
8953
	 * after cfg80211 has checked if it needs to disconnect, but before
8954
	 * we actually set the flag to drop incoming frames. This will then
8955
	 * cause the workqueue flush to process the association response in
8956
	 * the suspend, resulting in a successful association just before it
8957
	 * tries to remove the interface from the driver, which now though
8958
	 * has a channel context assigned ... this results in issues.
8959
	 *
8960
	 * To work around this (for now) simply deauth here again if we're
8961
	 * now connected.
8962
	 */
8963
	if (ifmgd->associated && !sdata->local->wowlan) {
8964
		u8 bssid[ETH_ALEN];
8965
		struct cfg80211_deauth_request req = {
8966
			.reason_code = WLAN_REASON_DEAUTH_LEAVING,
8967
			.bssid = bssid,
8968
		};
8969

8970
		memcpy(bssid, sdata->vif.cfg.ap_addr, ETH_ALEN);
8971
		ieee80211_mgd_deauth(sdata, &req);
8972
	}
8973
}
8974
#endif
8975

8976
void ieee80211_sta_restart(struct ieee80211_sub_if_data *sdata)
8977
{
8978
	struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
8979

8980
	lockdep_assert_wiphy(sdata->local->hw.wiphy);
8981

8982
	if (!ifmgd->associated)
8983
		return;
8984

8985
	if (sdata->flags & IEEE80211_SDATA_DISCONNECT_RESUME) {
8986
		sdata->flags &= ~IEEE80211_SDATA_DISCONNECT_RESUME;
8987
		mlme_dbg(sdata, "driver requested disconnect after resume\n");
8988
		ieee80211_sta_connection_lost(sdata,
8989
					      WLAN_REASON_UNSPECIFIED,
8990
					      true);
8991
		return;
8992
	}
8993

8994
	if (sdata->flags & IEEE80211_SDATA_DISCONNECT_HW_RESTART) {
8995
		sdata->flags &= ~IEEE80211_SDATA_DISCONNECT_HW_RESTART;
8996
		mlme_dbg(sdata, "driver requested disconnect after hardware restart\n");
8997
		ieee80211_sta_connection_lost(sdata,
8998
					      WLAN_REASON_UNSPECIFIED,
8999
					      true);
9000
		return;
9001
	}
9002
}
9003

9004
static void ieee80211_request_smps_mgd_work(struct wiphy *wiphy,
9005
					    struct wiphy_work *work)
9006
{
9007
	struct ieee80211_link_data *link =
9008
		container_of(work, struct ieee80211_link_data,
9009
			     u.mgd.request_smps_work);
9010

9011
	__ieee80211_request_smps_mgd(link->sdata, link,
9012
				     link->u.mgd.driver_smps_mode);
9013
}
9014

9015
static void ieee80211_ml_sta_reconf_timeout(struct wiphy *wiphy,
9016
					    struct wiphy_work *work)
9017
{
9018
	struct ieee80211_sub_if_data *sdata =
9019
		container_of(work, struct ieee80211_sub_if_data,
9020
			     u.mgd.reconf.wk.work);
9021

9022
	if (!sdata->u.mgd.reconf.added_links &&
9023
	    !sdata->u.mgd.reconf.removed_links)
9024
		return;
9025

9026
	sdata_info(sdata,
9027
		   "mlo: reconf: timeout: added=0x%x, removed=0x%x\n",
9028
		   sdata->u.mgd.reconf.added_links,
9029
		   sdata->u.mgd.reconf.removed_links);
9030

9031
	__ieee80211_disconnect(sdata);
9032
}
9033

9034
/* interface setup */
9035
void ieee80211_sta_setup_sdata(struct ieee80211_sub_if_data *sdata)
9036
{
9037
	struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
9038

9039
	wiphy_work_init(&ifmgd->monitor_work, ieee80211_sta_monitor_work);
9040
	wiphy_work_init(&ifmgd->beacon_connection_loss_work,
9041
			ieee80211_beacon_connection_loss_work);
9042
	wiphy_work_init(&ifmgd->csa_connection_drop_work,
9043
			ieee80211_csa_connection_drop_work);
9044
	wiphy_delayed_work_init(&ifmgd->tdls_peer_del_work,
9045
				ieee80211_tdls_peer_del_work);
9046
	wiphy_hrtimer_work_init(&ifmgd->ml_reconf_work,
9047
				ieee80211_ml_reconf_work);
9048
	wiphy_delayed_work_init(&ifmgd->reconf.wk,
9049
				ieee80211_ml_sta_reconf_timeout);
9050
	timer_setup(&ifmgd->timer, ieee80211_sta_timer, 0);
9051
	timer_setup(&ifmgd->bcn_mon_timer, ieee80211_sta_bcn_mon_timer, 0);
9052
	timer_setup(&ifmgd->conn_mon_timer, ieee80211_sta_conn_mon_timer, 0);
9053
	wiphy_delayed_work_init(&ifmgd->tx_tspec_wk,
9054
				ieee80211_sta_handle_tspec_ac_params_wk);
9055
	wiphy_hrtimer_work_init(&ifmgd->ttlm_work,
9056
				ieee80211_tid_to_link_map_work);
9057
	wiphy_delayed_work_init(&ifmgd->neg_ttlm_timeout_work,
9058
				ieee80211_neg_ttlm_timeout_work);
9059
	wiphy_work_init(&ifmgd->teardown_ttlm_work,
9060
			ieee80211_teardown_ttlm_work);
9061

9062
	ifmgd->flags = 0;
9063
	ifmgd->powersave = sdata->wdev.ps;
9064
	ifmgd->uapsd_queues = sdata->local->hw.uapsd_queues;
9065
	ifmgd->uapsd_max_sp_len = sdata->local->hw.uapsd_max_sp_len;
9066
	/* Setup TDLS data */
9067
	spin_lock_init(&ifmgd->teardown_lock);
9068
	ifmgd->teardown_skb = NULL;
9069
	ifmgd->orig_teardown_skb = NULL;
9070
	ifmgd->mcast_seq_last = IEEE80211_SN_MODULO;
9071
}
9072

9073
static void ieee80211_recalc_smps_work(struct wiphy *wiphy,
9074
				       struct wiphy_work *work)
9075
{
9076
	struct ieee80211_link_data *link =
9077
		container_of(work, struct ieee80211_link_data,
9078
			     u.mgd.recalc_smps);
9079

9080
	ieee80211_recalc_smps(link->sdata, link);
9081
}
9082

9083
void ieee80211_mgd_setup_link(struct ieee80211_link_data *link)
9084
{
9085
	struct ieee80211_sub_if_data *sdata = link->sdata;
9086
	struct ieee80211_local *local = sdata->local;
9087
	unsigned int link_id = link->link_id;
9088

9089
	link->u.mgd.p2p_noa_index = -1;
9090
	link->conf->bssid = link->u.mgd.bssid;
9091
	link->smps_mode = IEEE80211_SMPS_OFF;
9092

9093
	wiphy_work_init(&link->u.mgd.request_smps_work,
9094
			ieee80211_request_smps_mgd_work);
9095
	wiphy_work_init(&link->u.mgd.recalc_smps,
9096
			ieee80211_recalc_smps_work);
9097
	if (local->hw.wiphy->features & NL80211_FEATURE_DYNAMIC_SMPS)
9098
		link->u.mgd.req_smps = IEEE80211_SMPS_AUTOMATIC;
9099
	else
9100
		link->u.mgd.req_smps = IEEE80211_SMPS_OFF;
9101

9102
	wiphy_hrtimer_work_init(&link->u.mgd.csa.switch_work,
9103
				ieee80211_csa_switch_work);
9104

9105
	ieee80211_clear_tpe(&link->conf->tpe);
9106

9107
	if (sdata->u.mgd.assoc_data)
9108
		ether_addr_copy(link->conf->addr,
9109
				sdata->u.mgd.assoc_data->link[link_id].addr);
9110
	else if (sdata->u.mgd.reconf.add_links_data)
9111
		ether_addr_copy(link->conf->addr,
9112
				sdata->u.mgd.reconf.add_links_data->link[link_id].addr);
9113
	else if (!is_valid_ether_addr(link->conf->addr))
9114
		eth_random_addr(link->conf->addr);
9115
}
9116

9117
/* scan finished notification */
9118
void ieee80211_mlme_notify_scan_completed(struct ieee80211_local *local)
9119
{
9120
	struct ieee80211_sub_if_data *sdata;
9121

9122
	/* Restart STA timers */
9123
	rcu_read_lock();
9124
	list_for_each_entry_rcu(sdata, &local->interfaces, list) {
9125
		if (ieee80211_sdata_running(sdata))
9126
			ieee80211_restart_sta_timer(sdata);
9127
	}
9128
	rcu_read_unlock();
9129
}
9130

9131
static int ieee80211_prep_connection(struct ieee80211_sub_if_data *sdata,
9132
				     struct cfg80211_bss *cbss, s8 link_id,
9133
				     const u8 *ap_mld_addr, bool assoc,
9134
				     struct ieee80211_conn_settings *conn,
9135
				     bool override,
9136
				     unsigned long *userspace_selectors)
9137
{
9138
	struct ieee80211_local *local = sdata->local;
9139
	struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
9140
	struct ieee80211_bss *bss = (void *)cbss->priv;
9141
	struct sta_info *new_sta = NULL;
9142
	struct ieee80211_link_data *link;
9143
	bool have_sta = false;
9144
	bool mlo;
9145
	int err;
9146
	u16 new_links;
9147

9148
	if (link_id >= 0) {
9149
		mlo = true;
9150
		if (WARN_ON(!ap_mld_addr))
9151
			return -EINVAL;
9152
		new_links = BIT(link_id);
9153
	} else {
9154
		if (WARN_ON(ap_mld_addr))
9155
			return -EINVAL;
9156
		ap_mld_addr = cbss->bssid;
9157
		new_links = 0;
9158
		link_id = 0;
9159
		mlo = false;
9160
	}
9161

9162
	if (assoc) {
9163
		rcu_read_lock();
9164
		have_sta = sta_info_get(sdata, ap_mld_addr);
9165
		rcu_read_unlock();
9166
	}
9167

9168
	if (mlo && !have_sta &&
9169
	    WARN_ON(sdata->vif.valid_links || sdata->vif.active_links))
9170
		return -EINVAL;
9171

9172
	err = ieee80211_vif_set_links(sdata, new_links, 0);
9173
	if (err)
9174
		return err;
9175

9176
	link = sdata_dereference(sdata->link[link_id], sdata);
9177
	if (WARN_ON(!link)) {
9178
		err = -ENOLINK;
9179
		goto out_err;
9180
	}
9181

9182
	if (WARN_ON(!ifmgd->auth_data && !ifmgd->assoc_data)) {
9183
		err = -EINVAL;
9184
		goto out_err;
9185
	}
9186

9187
	/* If a reconfig is happening, bail out */
9188
	if (local->in_reconfig) {
9189
		err = -EBUSY;
9190
		goto out_err;
9191
	}
9192

9193
	if (!have_sta) {
9194
		if (mlo)
9195
			new_sta = sta_info_alloc_with_link(sdata, ap_mld_addr,
9196
							   link_id, cbss->bssid,
9197
							   GFP_KERNEL);
9198
		else
9199
			new_sta = sta_info_alloc(sdata, ap_mld_addr, GFP_KERNEL);
9200

9201
		if (!new_sta) {
9202
			err = -ENOMEM;
9203
			goto out_err;
9204
		}
9205

9206
		if (ifmgd->auth_data &&
9207
		    (ifmgd->auth_data->algorithm == WLAN_AUTH_EPPKE ||
9208
		     ifmgd->auth_data->algorithm == WLAN_AUTH_IEEE8021X))
9209
			new_sta->sta.epp_peer = true;
9210

9211
		new_sta->sta.mlo = mlo;
9212
	}
9213

9214
	/*
9215
	 * Set up the information for the new channel before setting the
9216
	 * new channel. We can't - completely race-free - change the basic
9217
	 * rates bitmap and the channel (sband) that it refers to, but if
9218
	 * we set it up before we at least avoid calling into the driver's
9219
	 * bss_info_changed() method with invalid information (since we do
9220
	 * call that from changing the channel - only for IDLE and perhaps
9221
	 * some others, but ...).
9222
	 *
9223
	 * So to avoid that, just set up all the new information before the
9224
	 * channel, but tell the driver to apply it only afterwards, since
9225
	 * it might need the new channel for that.
9226
	 */
9227
	if (new_sta) {
9228
		const struct cfg80211_bss_ies *ies;
9229
		struct link_sta_info *link_sta;
9230

9231
		rcu_read_lock();
9232
		link_sta = rcu_dereference(new_sta->link[link_id]);
9233
		if (WARN_ON(!link_sta)) {
9234
			rcu_read_unlock();
9235
			sta_info_free(local, new_sta);
9236
			err = -EINVAL;
9237
			goto out_err;
9238
		}
9239

9240
		err = ieee80211_mgd_setup_link_sta(link, new_sta,
9241
						   link_sta, cbss);
9242
		if (err) {
9243
			rcu_read_unlock();
9244
			sta_info_free(local, new_sta);
9245
			goto out_err;
9246
		}
9247

9248
		memcpy(link->u.mgd.bssid, cbss->bssid, ETH_ALEN);
9249

9250
		/* set timing information */
9251
		link->conf->beacon_int = cbss->beacon_interval;
9252
		ies = rcu_dereference(cbss->beacon_ies);
9253
		if (ies) {
9254
			link->conf->sync_tsf = ies->tsf;
9255
			link->conf->sync_device_ts =
9256
				bss->device_ts_beacon;
9257

9258
			ieee80211_get_dtim(ies,
9259
					   &link->conf->sync_dtim_count,
9260
					   NULL);
9261
		} else if (!ieee80211_hw_check(&sdata->local->hw,
9262
					       TIMING_BEACON_ONLY)) {
9263
			ies = rcu_dereference(cbss->proberesp_ies);
9264
			/* must be non-NULL since beacon IEs were NULL */
9265
			link->conf->sync_tsf = ies->tsf;
9266
			link->conf->sync_device_ts =
9267
				bss->device_ts_presp;
9268
			link->conf->sync_dtim_count = 0;
9269
		} else {
9270
			link->conf->sync_tsf = 0;
9271
			link->conf->sync_device_ts = 0;
9272
			link->conf->sync_dtim_count = 0;
9273
		}
9274
		rcu_read_unlock();
9275
	}
9276

9277
	if (new_sta || override) {
9278
		/*
9279
		 * Only set this if we're also going to calculate the AP
9280
		 * settings etc., otherwise this was set before in a
9281
		 * previous call. Note override is set to %true in assoc
9282
		 * if the settings were changed.
9283
		 */
9284
		link->u.mgd.conn = *conn;
9285
		err = ieee80211_prep_channel(sdata, link, link->link_id, cbss,
9286
					     mlo, &link->u.mgd.conn,
9287
					     userspace_selectors);
9288
		if (err) {
9289
			if (new_sta)
9290
				sta_info_free(local, new_sta);
9291
			goto out_err;
9292
		}
9293
		/* pass out for use in assoc */
9294
		*conn = link->u.mgd.conn;
9295
	}
9296

9297
	if (new_sta) {
9298
		/*
9299
		 * tell driver about BSSID, basic rates and timing
9300
		 * this was set up above, before setting the channel
9301
		 */
9302
		ieee80211_link_info_change_notify(sdata, link,
9303
						  BSS_CHANGED_BSSID |
9304
						  BSS_CHANGED_BASIC_RATES |
9305
						  BSS_CHANGED_BEACON_INT);
9306

9307
		if (assoc)
9308
			sta_info_pre_move_state(new_sta, IEEE80211_STA_AUTH);
9309

9310
		err = sta_info_insert(new_sta);
9311
		new_sta = NULL;
9312
		if (err) {
9313
			sdata_info(sdata,
9314
				   "failed to insert STA entry for the AP (error %d)\n",
9315
				   err);
9316
			goto out_release_chan;
9317
		}
9318
	} else
9319
		WARN_ON_ONCE(!ether_addr_equal(link->u.mgd.bssid, cbss->bssid));
9320

9321
	/* Cancel scan to ensure that nothing interferes with connection */
9322
	if (local->scanning)
9323
		ieee80211_scan_cancel(local);
9324

9325
	return 0;
9326

9327
out_release_chan:
9328
	ieee80211_link_release_channel(link);
9329
out_err:
9330
	ieee80211_vif_set_links(sdata, 0, 0);
9331
	return err;
9332
}
9333

9334
static bool ieee80211_mgd_csa_present(struct ieee80211_sub_if_data *sdata,
9335
				      const struct cfg80211_bss_ies *ies,
9336
				      u8 cur_channel, bool ignore_ecsa)
9337
{
9338
	const struct element *csa_elem, *ecsa_elem;
9339
	struct ieee80211_channel_sw_ie *csa = NULL;
9340
	struct ieee80211_ext_chansw_ie *ecsa = NULL;
9341

9342
	if (!ies)
9343
		return false;
9344

9345
	csa_elem = cfg80211_find_elem(WLAN_EID_CHANNEL_SWITCH,
9346
				      ies->data, ies->len);
9347
	if (csa_elem && csa_elem->datalen == sizeof(*csa))
9348
		csa = (void *)csa_elem->data;
9349

9350
	ecsa_elem = cfg80211_find_elem(WLAN_EID_EXT_CHANSWITCH_ANN,
9351
				       ies->data, ies->len);
9352
	if (ecsa_elem && ecsa_elem->datalen == sizeof(*ecsa))
9353
		ecsa = (void *)ecsa_elem->data;
9354

9355
	if (csa && csa->count == 0)
9356
		csa = NULL;
9357
	if (csa && !csa->mode && csa->new_ch_num == cur_channel)
9358
		csa = NULL;
9359

9360
	if (ecsa && ecsa->count == 0)
9361
		ecsa = NULL;
9362
	if (ecsa && !ecsa->mode && ecsa->new_ch_num == cur_channel)
9363
		ecsa = NULL;
9364

9365
	if (ignore_ecsa && ecsa) {
9366
		sdata_info(sdata,
9367
			   "Ignoring ECSA in probe response - was considered stuck!\n");
9368
		return csa;
9369
	}
9370

9371
	return csa || ecsa;
9372
}
9373

9374
static bool ieee80211_mgd_csa_in_process(struct ieee80211_sub_if_data *sdata,
9375
					 struct cfg80211_bss *bss)
9376
{
9377
	u8 cur_channel;
9378
	bool ret;
9379

9380
	cur_channel = ieee80211_frequency_to_channel(bss->channel->center_freq);
9381

9382
	rcu_read_lock();
9383
	if (ieee80211_mgd_csa_present(sdata,
9384
				      rcu_dereference(bss->beacon_ies),
9385
				      cur_channel, false)) {
9386
		ret = true;
9387
		goto out;
9388
	}
9389

9390
	if (ieee80211_mgd_csa_present(sdata,
9391
				      rcu_dereference(bss->proberesp_ies),
9392
				      cur_channel, bss->proberesp_ecsa_stuck)) {
9393
		ret = true;
9394
		goto out;
9395
	}
9396

9397
	ret = false;
9398
out:
9399
	rcu_read_unlock();
9400
	return ret;
9401
}
9402

9403
static void ieee80211_parse_cfg_selectors(unsigned long *userspace_selectors,
9404
					  const u8 *supported_selectors,
9405
					  u8 supported_selectors_len)
9406
{
9407
	if (supported_selectors) {
9408
		for (int i = 0; i < supported_selectors_len; i++) {
9409
			set_bit(supported_selectors[i],
9410
				userspace_selectors);
9411
		}
9412
	} else {
9413
		/* Assume SAE_H2E support for backward compatibility. */
9414
		set_bit(BSS_MEMBERSHIP_SELECTOR_SAE_H2E,
9415
			userspace_selectors);
9416
	}
9417
}
9418

9419
/* config hooks */
9420
int ieee80211_mgd_auth(struct ieee80211_sub_if_data *sdata,
9421
		       struct cfg80211_auth_request *req)
9422
{
9423
	struct ieee80211_local *local = sdata->local;
9424
	struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
9425
	struct ieee80211_mgd_auth_data *auth_data;
9426
	struct ieee80211_conn_settings conn;
9427
	struct ieee80211_link_data *link;
9428
	struct ieee80211_supported_band *sband;
9429
	struct ieee80211_bss *bss;
9430
	u16 auth_alg;
9431
	int err;
9432
	bool cont_auth, wmm_used;
9433

9434
	lockdep_assert_wiphy(sdata->local->hw.wiphy);
9435

9436
	/* prepare auth data structure */
9437

9438
	switch (req->auth_type) {
9439
	case NL80211_AUTHTYPE_OPEN_SYSTEM:
9440
		auth_alg = WLAN_AUTH_OPEN;
9441
		break;
9442
	case NL80211_AUTHTYPE_SHARED_KEY:
9443
		if (fips_enabled)
9444
			return -EOPNOTSUPP;
9445
		auth_alg = WLAN_AUTH_SHARED_KEY;
9446
		break;
9447
	case NL80211_AUTHTYPE_FT:
9448
		auth_alg = WLAN_AUTH_FT;
9449
		break;
9450
	case NL80211_AUTHTYPE_NETWORK_EAP:
9451
		auth_alg = WLAN_AUTH_LEAP;
9452
		break;
9453
	case NL80211_AUTHTYPE_SAE:
9454
		auth_alg = WLAN_AUTH_SAE;
9455
		break;
9456
	case NL80211_AUTHTYPE_FILS_SK:
9457
		auth_alg = WLAN_AUTH_FILS_SK;
9458
		break;
9459
	case NL80211_AUTHTYPE_FILS_SK_PFS:
9460
		auth_alg = WLAN_AUTH_FILS_SK_PFS;
9461
		break;
9462
	case NL80211_AUTHTYPE_FILS_PK:
9463
		auth_alg = WLAN_AUTH_FILS_PK;
9464
		break;
9465
	case NL80211_AUTHTYPE_EPPKE:
9466
		auth_alg = WLAN_AUTH_EPPKE;
9467
		break;
9468
	case NL80211_AUTHTYPE_IEEE8021X:
9469
		auth_alg = WLAN_AUTH_IEEE8021X;
9470
		break;
9471
	default:
9472
		return -EOPNOTSUPP;
9473
	}
9474

9475
	if (ifmgd->assoc_data)
9476
		return -EBUSY;
9477

9478
	if (ieee80211_mgd_csa_in_process(sdata, req->bss)) {
9479
		sdata_info(sdata, "AP is in CSA process, reject auth\n");
9480
		return -EINVAL;
9481
	}
9482

9483
	auth_data = kzalloc(sizeof(*auth_data) + req->auth_data_len +
9484
			    req->ie_len, GFP_KERNEL);
9485
	if (!auth_data)
9486
		return -ENOMEM;
9487

9488
	memcpy(auth_data->ap_addr,
9489
	       req->ap_mld_addr ?: req->bss->bssid,
9490
	       ETH_ALEN);
9491
	auth_data->bss = req->bss;
9492
	auth_data->link_id = req->link_id;
9493

9494
	if (req->auth_data_len >= 4) {
9495
		if (req->auth_type == NL80211_AUTHTYPE_SAE ||
9496
		    req->auth_type == NL80211_AUTHTYPE_EPPKE ||
9497
		    req->auth_type == NL80211_AUTHTYPE_IEEE8021X) {
9498
			__le16 *pos = (__le16 *) req->auth_data;
9499

9500
			auth_data->trans = le16_to_cpu(pos[0]);
9501
			auth_data->status = le16_to_cpu(pos[1]);
9502
		}
9503

9504
		memcpy(auth_data->data, req->auth_data + 4,
9505
		       req->auth_data_len - 4);
9506
		auth_data->data_len += req->auth_data_len - 4;
9507
	}
9508

9509
	/* Check if continuing authentication or trying to authenticate with the
9510
	 * same BSS that we were in the process of authenticating with and avoid
9511
	 * removal and re-addition of the STA entry in
9512
	 * ieee80211_prep_connection().
9513
	 */
9514
	cont_auth = ifmgd->auth_data && req->bss == ifmgd->auth_data->bss &&
9515
		    ifmgd->auth_data->link_id == req->link_id;
9516

9517
	if (req->ie && req->ie_len) {
9518
		memcpy(&auth_data->data[auth_data->data_len],
9519
		       req->ie, req->ie_len);
9520
		auth_data->data_len += req->ie_len;
9521
	}
9522

9523
	if (req->key && req->key_len) {
9524
		auth_data->key_len = req->key_len;
9525
		auth_data->key_idx = req->key_idx;
9526
		memcpy(auth_data->key, req->key, req->key_len);
9527
	}
9528

9529
	ieee80211_parse_cfg_selectors(auth_data->userspace_selectors,
9530
				      req->supported_selectors,
9531
				      req->supported_selectors_len);
9532

9533
	auth_data->algorithm = auth_alg;
9534

9535
	/* try to authenticate/probe */
9536

9537
	if (ifmgd->auth_data) {
9538
		if (cont_auth && req->auth_type == NL80211_AUTHTYPE_SAE) {
9539
			auth_data->peer_confirmed =
9540
				ifmgd->auth_data->peer_confirmed;
9541
		}
9542
		ieee80211_destroy_auth_data(sdata, cont_auth);
9543
	}
9544

9545
	/* prep auth_data so we don't go into idle on disassoc */
9546
	ifmgd->auth_data = auth_data;
9547

9548
	/* If this is continuation of an ongoing SAE authentication exchange
9549
	 * (i.e., request to send SAE Confirm) and the peer has already
9550
	 * confirmed, mark authentication completed since we are about to send
9551
	 * out SAE Confirm.
9552
	 */
9553
	if (cont_auth && req->auth_type == NL80211_AUTHTYPE_SAE &&
9554
	    auth_data->peer_confirmed && auth_data->trans == 2)
9555
		ieee80211_mark_sta_auth(sdata);
9556

9557
	if (cont_auth && req->auth_type == NL80211_AUTHTYPE_EPPKE &&
9558
	    auth_data->trans == 3)
9559
		ieee80211_mark_sta_auth(sdata);
9560

9561
	if (ifmgd->associated) {
9562
		u8 frame_buf[IEEE80211_DEAUTH_FRAME_LEN];
9563

9564
		sdata_info(sdata,
9565
			   "disconnect from AP %pM for new auth to %pM\n",
9566
			   sdata->vif.cfg.ap_addr, auth_data->ap_addr);
9567
		ieee80211_set_disassoc(sdata, IEEE80211_STYPE_DEAUTH,
9568
				       WLAN_REASON_UNSPECIFIED,
9569
				       false, frame_buf);
9570

9571
		ieee80211_report_disconnect(sdata, frame_buf,
9572
					    sizeof(frame_buf), true,
9573
					    WLAN_REASON_UNSPECIFIED,
9574
					    false);
9575
	}
9576

9577
	/* needed for transmitting the auth frame(s) properly */
9578
	memcpy(sdata->vif.cfg.ap_addr, auth_data->ap_addr, ETH_ALEN);
9579

9580
	bss = (void *)req->bss->priv;
9581
	wmm_used = bss->wmm_used && (local->hw.queues >= IEEE80211_NUM_ACS);
9582

9583
	sband = local->hw.wiphy->bands[req->bss->channel->band];
9584

9585
	ieee80211_determine_our_sta_mode_auth(sdata, sband, req, wmm_used,
9586
					      &conn);
9587

9588
	err = ieee80211_prep_connection(sdata, req->bss, req->link_id,
9589
					req->ap_mld_addr, cont_auth,
9590
					&conn, false,
9591
					auth_data->userspace_selectors);
9592
	if (err)
9593
		goto err_clear;
9594

9595
	if (req->link_id >= 0)
9596
		link = sdata_dereference(sdata->link[req->link_id], sdata);
9597
	else
9598
		link = &sdata->deflink;
9599

9600
	if (WARN_ON(!link)) {
9601
		err = -ENOLINK;
9602
		goto err_clear;
9603
	}
9604

9605
	sdata_info(sdata, "authenticate with %pM (local address=%pM)\n",
9606
		   auth_data->ap_addr, link->conf->addr);
9607

9608
	err = ieee80211_auth(sdata);
9609
	if (err) {
9610
		sta_info_destroy_addr(sdata, auth_data->ap_addr);
9611
		goto err_clear;
9612
	}
9613

9614
	/* hold our own reference */
9615
	cfg80211_ref_bss(local->hw.wiphy, auth_data->bss);
9616
	return 0;
9617

9618
 err_clear:
9619
	if (!ieee80211_vif_is_mld(&sdata->vif)) {
9620
		eth_zero_addr(sdata->deflink.u.mgd.bssid);
9621
		ieee80211_link_info_change_notify(sdata, &sdata->deflink,
9622
						  BSS_CHANGED_BSSID);
9623
		ieee80211_link_release_channel(&sdata->deflink);
9624
	}
9625
	ifmgd->auth_data = NULL;
9626
	kfree(auth_data);
9627
	return err;
9628
}
9629

9630
static void
9631
ieee80211_setup_assoc_link(struct ieee80211_sub_if_data *sdata,
9632
			   struct ieee80211_mgd_assoc_data *assoc_data,
9633
			   struct cfg80211_assoc_request *req,
9634
			   struct ieee80211_conn_settings *conn,
9635
			   unsigned int link_id)
9636
{
9637
	struct ieee80211_local *local = sdata->local;
9638
	const struct cfg80211_bss_ies *bss_ies;
9639
	struct ieee80211_supported_band *sband;
9640
	struct ieee80211_link_data *link;
9641
	struct cfg80211_bss *cbss;
9642
	struct ieee80211_bss *bss;
9643

9644
	cbss = assoc_data->link[link_id].bss;
9645
	if (WARN_ON(!cbss))
9646
		return;
9647

9648
	bss = (void *)cbss->priv;
9649

9650
	sband = local->hw.wiphy->bands[cbss->channel->band];
9651
	if (WARN_ON(!sband))
9652
		return;
9653

9654
	link = sdata_dereference(sdata->link[link_id], sdata);
9655
	if (WARN_ON(!link))
9656
		return;
9657

9658
	/* for MLO connections assume advertising all rates is OK */
9659
	if (!req->ap_mld_addr) {
9660
		assoc_data->supp_rates = bss->supp_rates;
9661
		assoc_data->supp_rates_len = bss->supp_rates_len;
9662
	}
9663

9664
	/* copy and link elems for the STA profile */
9665
	if (req->links[link_id].elems_len) {
9666
		memcpy(assoc_data->ie_pos, req->links[link_id].elems,
9667
		       req->links[link_id].elems_len);
9668
		assoc_data->link[link_id].elems = assoc_data->ie_pos;
9669
		assoc_data->link[link_id].elems_len = req->links[link_id].elems_len;
9670
		assoc_data->ie_pos += req->links[link_id].elems_len;
9671
	}
9672

9673
	link->u.mgd.beacon_crc_valid = false;
9674
	link->u.mgd.dtim_period = 0;
9675
	link->u.mgd.have_beacon = false;
9676

9677
	/* override HT configuration only if the AP and we support it */
9678
	if (conn->mode >= IEEE80211_CONN_MODE_HT) {
9679
		struct ieee80211_sta_ht_cap sta_ht_cap;
9680

9681
		memcpy(&sta_ht_cap, &sband->ht_cap, sizeof(sta_ht_cap));
9682
		ieee80211_apply_htcap_overrides(sdata, &sta_ht_cap);
9683
	}
9684

9685
	rcu_read_lock();
9686
	bss_ies = rcu_dereference(cbss->beacon_ies);
9687
	if (bss_ies) {
9688
		u8 dtim_count = 0;
9689

9690
		ieee80211_get_dtim(bss_ies, &dtim_count,
9691
				   &link->u.mgd.dtim_period);
9692

9693
		sdata->deflink.u.mgd.have_beacon = true;
9694

9695
		if (ieee80211_hw_check(&local->hw, TIMING_BEACON_ONLY)) {
9696
			link->conf->sync_tsf = bss_ies->tsf;
9697
			link->conf->sync_device_ts = bss->device_ts_beacon;
9698
			link->conf->sync_dtim_count = dtim_count;
9699
		}
9700
	} else {
9701
		bss_ies = rcu_dereference(cbss->ies);
9702
	}
9703

9704
	if (bss_ies) {
9705
		const struct element *elem;
9706

9707
		elem = cfg80211_find_ext_elem(WLAN_EID_EXT_MULTIPLE_BSSID_CONFIGURATION,
9708
					      bss_ies->data, bss_ies->len);
9709
		if (elem && elem->datalen >= 3)
9710
			link->conf->profile_periodicity = elem->data[2];
9711
		else
9712
			link->conf->profile_periodicity = 0;
9713

9714
		elem = cfg80211_find_elem(WLAN_EID_EXT_CAPABILITY,
9715
					  bss_ies->data, bss_ies->len);
9716
		if (elem && elem->datalen >= 11 &&
9717
		    (elem->data[10] & WLAN_EXT_CAPA11_EMA_SUPPORT))
9718
			link->conf->ema_ap = true;
9719
		else
9720
			link->conf->ema_ap = false;
9721
	}
9722
	rcu_read_unlock();
9723

9724
	if (bss->corrupt_data) {
9725
		char *corrupt_type = "data";
9726

9727
		if (bss->corrupt_data & IEEE80211_BSS_CORRUPT_BEACON) {
9728
			if (bss->corrupt_data & IEEE80211_BSS_CORRUPT_PROBE_RESP)
9729
				corrupt_type = "beacon and probe response";
9730
			else
9731
				corrupt_type = "beacon";
9732
		} else if (bss->corrupt_data & IEEE80211_BSS_CORRUPT_PROBE_RESP) {
9733
			corrupt_type = "probe response";
9734
		}
9735
		sdata_info(sdata, "associating to AP %pM with corrupt %s\n",
9736
			   cbss->bssid, corrupt_type);
9737
	}
9738

9739
	if (link->u.mgd.req_smps == IEEE80211_SMPS_AUTOMATIC) {
9740
		if (sdata->u.mgd.powersave)
9741
			link->smps_mode = IEEE80211_SMPS_DYNAMIC;
9742
		else
9743
			link->smps_mode = IEEE80211_SMPS_OFF;
9744
	} else {
9745
		link->smps_mode = link->u.mgd.req_smps;
9746
	}
9747
}
9748

9749
static int
9750
ieee80211_mgd_get_ap_ht_vht_capa(struct ieee80211_sub_if_data *sdata,
9751
				 struct ieee80211_mgd_assoc_data *assoc_data,
9752
				 int link_id)
9753
{
9754
	struct cfg80211_bss *cbss = assoc_data->link[link_id].bss;
9755
	enum nl80211_band band = cbss->channel->band;
9756
	struct ieee80211_supported_band *sband;
9757
	const struct element *elem;
9758
	int err;
9759

9760
	/* neither HT nor VHT elements used on 6 GHz */
9761
	if (band == NL80211_BAND_6GHZ)
9762
		return 0;
9763

9764
	if (assoc_data->link[link_id].conn.mode < IEEE80211_CONN_MODE_HT)
9765
		return 0;
9766

9767
	rcu_read_lock();
9768
	elem = ieee80211_bss_get_elem(cbss, WLAN_EID_HT_OPERATION);
9769
	if (!elem || elem->datalen < sizeof(struct ieee80211_ht_operation)) {
9770
		mlme_link_id_dbg(sdata, link_id, "no HT operation on BSS %pM\n",
9771
				 cbss->bssid);
9772
		err = -EINVAL;
9773
		goto out_rcu;
9774
	}
9775
	assoc_data->link[link_id].ap_ht_param =
9776
		((struct ieee80211_ht_operation *)(elem->data))->ht_param;
9777
	rcu_read_unlock();
9778

9779
	if (assoc_data->link[link_id].conn.mode < IEEE80211_CONN_MODE_VHT)
9780
		return 0;
9781

9782
	/* some drivers want to support VHT on 2.4 GHz even */
9783
	sband = sdata->local->hw.wiphy->bands[band];
9784
	if (!sband->vht_cap.vht_supported)
9785
		return 0;
9786

9787
	rcu_read_lock();
9788
	elem = ieee80211_bss_get_elem(cbss, WLAN_EID_VHT_CAPABILITY);
9789
	/* but even then accept it not being present on the AP */
9790
	if (!elem && band == NL80211_BAND_2GHZ) {
9791
		err = 0;
9792
		goto out_rcu;
9793
	}
9794
	if (!elem || elem->datalen < sizeof(struct ieee80211_vht_cap)) {
9795
		mlme_link_id_dbg(sdata, link_id, "no VHT capa on BSS %pM\n",
9796
				 cbss->bssid);
9797
		err = -EINVAL;
9798
		goto out_rcu;
9799
	}
9800
	memcpy(&assoc_data->link[link_id].ap_vht_cap, elem->data,
9801
	       sizeof(struct ieee80211_vht_cap));
9802
	rcu_read_unlock();
9803

9804
	return 0;
9805
out_rcu:
9806
	rcu_read_unlock();
9807
	return err;
9808
}
9809

9810
static bool
9811
ieee80211_mgd_assoc_bss_has_mld_ext_capa_ops(struct cfg80211_assoc_request *req)
9812
{
9813
	const struct cfg80211_bss_ies *ies;
9814
	struct cfg80211_bss *bss;
9815
	const struct element *ml;
9816

9817
	/* not an MLO connection if link_id < 0, so irrelevant */
9818
	if (req->link_id < 0)
9819
		return false;
9820

9821
	bss = req->links[req->link_id].bss;
9822

9823
	guard(rcu)();
9824
	ies = rcu_dereference(bss->ies);
9825
	for_each_element_extid(ml, WLAN_EID_EXT_EHT_MULTI_LINK,
9826
			       ies->data, ies->len) {
9827
		const struct ieee80211_multi_link_elem *mle;
9828

9829
		if (!ieee80211_mle_type_ok(ml->data + 1,
9830
					   IEEE80211_ML_CONTROL_TYPE_BASIC,
9831
					   ml->datalen - 1))
9832
			continue;
9833

9834
		mle = (void *)(ml->data + 1);
9835
		if (mle->control & cpu_to_le16(IEEE80211_MLC_BASIC_PRES_EXT_MLD_CAPA_OP))
9836
			return true;
9837
	}
9838

9839
	return false;
9840

9841
}
9842

9843
int ieee80211_mgd_assoc(struct ieee80211_sub_if_data *sdata,
9844
			struct cfg80211_assoc_request *req)
9845
{
9846
	unsigned int assoc_link_id = req->link_id < 0 ? 0 : req->link_id;
9847
	struct ieee80211_local *local = sdata->local;
9848
	struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
9849
	struct ieee80211_mgd_assoc_data *assoc_data;
9850
	const struct element *ssid_elem;
9851
	struct ieee80211_vif_cfg *vif_cfg = &sdata->vif.cfg;
9852
	struct ieee80211_link_data *link;
9853
	struct cfg80211_bss *cbss;
9854
	bool override, uapsd_supported;
9855
	bool match_auth;
9856
	int i, err;
9857
	size_t size = sizeof(*assoc_data) + req->ie_len;
9858

9859
	for (i = 0; i < IEEE80211_MLD_MAX_NUM_LINKS; i++)
9860
		size += req->links[i].elems_len;
9861

9862
	assoc_data = kzalloc(size, GFP_KERNEL);
9863
	if (!assoc_data)
9864
		return -ENOMEM;
9865

9866
	cbss = req->link_id < 0 ? req->bss : req->links[req->link_id].bss;
9867

9868
	if (ieee80211_mgd_csa_in_process(sdata, cbss)) {
9869
		sdata_info(sdata, "AP is in CSA process, reject assoc\n");
9870
		err = -EINVAL;
9871
		goto err_free;
9872
	}
9873

9874
	rcu_read_lock();
9875
	ssid_elem = ieee80211_bss_get_elem(cbss, WLAN_EID_SSID);
9876
	if (!ssid_elem || ssid_elem->datalen > sizeof(assoc_data->ssid)) {
9877
		rcu_read_unlock();
9878
		err = -EINVAL;
9879
		goto err_free;
9880
	}
9881

9882
	memcpy(assoc_data->ssid, ssid_elem->data, ssid_elem->datalen);
9883
	assoc_data->ssid_len = ssid_elem->datalen;
9884
	rcu_read_unlock();
9885

9886
	if (req->ap_mld_addr)
9887
		memcpy(assoc_data->ap_addr, req->ap_mld_addr, ETH_ALEN);
9888
	else
9889
		memcpy(assoc_data->ap_addr, cbss->bssid, ETH_ALEN);
9890

9891
	/*
9892
	 * Many APs have broken parsing of the extended MLD capa/ops field,
9893
	 * dropping (re-)association request frames or replying with association
9894
	 * response with a failure status if it's present.
9895
	 * Set our value from the userspace request only in strict mode or if
9896
	 * the AP also had that field present.
9897
	 */
9898
	if (ieee80211_hw_check(&local->hw, STRICT) ||
9899
	    ieee80211_mgd_assoc_bss_has_mld_ext_capa_ops(req))
9900
		assoc_data->ext_mld_capa_ops =
9901
			cpu_to_le16(req->ext_mld_capa_ops);
9902

9903
	if (ifmgd->associated) {
9904
		u8 frame_buf[IEEE80211_DEAUTH_FRAME_LEN];
9905

9906
		sdata_info(sdata,
9907
			   "disconnect from AP %pM for new assoc to %pM\n",
9908
			   sdata->vif.cfg.ap_addr, assoc_data->ap_addr);
9909
		ieee80211_set_disassoc(sdata, IEEE80211_STYPE_DEAUTH,
9910
				       WLAN_REASON_UNSPECIFIED,
9911
				       false, frame_buf);
9912

9913
		ieee80211_report_disconnect(sdata, frame_buf,
9914
					    sizeof(frame_buf), true,
9915
					    WLAN_REASON_UNSPECIFIED,
9916
					    false);
9917
	}
9918

9919
	memset(sdata->u.mgd.userspace_selectors, 0,
9920
	       sizeof(sdata->u.mgd.userspace_selectors));
9921
	ieee80211_parse_cfg_selectors(sdata->u.mgd.userspace_selectors,
9922
				      req->supported_selectors,
9923
				      req->supported_selectors_len);
9924

9925
	memcpy(&ifmgd->ht_capa, &req->ht_capa, sizeof(ifmgd->ht_capa));
9926
	memcpy(&ifmgd->ht_capa_mask, &req->ht_capa_mask,
9927
	       sizeof(ifmgd->ht_capa_mask));
9928

9929
	memcpy(&ifmgd->vht_capa, &req->vht_capa, sizeof(ifmgd->vht_capa));
9930
	memcpy(&ifmgd->vht_capa_mask, &req->vht_capa_mask,
9931
	       sizeof(ifmgd->vht_capa_mask));
9932

9933
	memcpy(&ifmgd->s1g_capa, &req->s1g_capa, sizeof(ifmgd->s1g_capa));
9934
	memcpy(&ifmgd->s1g_capa_mask, &req->s1g_capa_mask,
9935
	       sizeof(ifmgd->s1g_capa_mask));
9936

9937
	/* keep some setup (AP STA, channel, ...) if matching */
9938
	match_auth = ifmgd->auth_data &&
9939
		     ether_addr_equal(ifmgd->auth_data->ap_addr,
9940
				      assoc_data->ap_addr) &&
9941
		     ifmgd->auth_data->link_id == req->link_id;
9942

9943
	if (req->ap_mld_addr) {
9944
		uapsd_supported = true;
9945

9946
		if (req->flags & (ASSOC_REQ_DISABLE_HT |
9947
				  ASSOC_REQ_DISABLE_VHT |
9948
				  ASSOC_REQ_DISABLE_HE |
9949
				  ASSOC_REQ_DISABLE_EHT)) {
9950
			err = -EINVAL;
9951
			goto err_free;
9952
		}
9953

9954
		for (i = 0; i < IEEE80211_MLD_MAX_NUM_LINKS; i++) {
9955
			struct ieee80211_supported_band *sband;
9956
			struct cfg80211_bss *link_cbss = req->links[i].bss;
9957
			struct ieee80211_bss *bss;
9958

9959
			if (!link_cbss)
9960
				continue;
9961

9962
			bss = (void *)link_cbss->priv;
9963

9964
			if (!bss->wmm_used) {
9965
				err = -EINVAL;
9966
				req->links[i].error = err;
9967
				goto err_free;
9968
			}
9969

9970
			if (link_cbss->channel->band == NL80211_BAND_S1GHZ) {
9971
				err = -EINVAL;
9972
				req->links[i].error = err;
9973
				goto err_free;
9974
			}
9975

9976
			link = sdata_dereference(sdata->link[i], sdata);
9977
			if (link)
9978
				ether_addr_copy(assoc_data->link[i].addr,
9979
						link->conf->addr);
9980
			else
9981
				eth_random_addr(assoc_data->link[i].addr);
9982
			sband = local->hw.wiphy->bands[link_cbss->channel->band];
9983

9984
			if (match_auth && i == assoc_link_id && link)
9985
				assoc_data->link[i].conn = link->u.mgd.conn;
9986
			else
9987
				assoc_data->link[i].conn =
9988
					ieee80211_conn_settings_unlimited;
9989
			ieee80211_determine_our_sta_mode_assoc(sdata, sband,
9990
							       req, true, i,
9991
							       &assoc_data->link[i].conn);
9992
			assoc_data->link[i].bss = link_cbss;
9993

9994
			if (!bss->uapsd_supported)
9995
				uapsd_supported = false;
9996

9997
			if (assoc_data->link[i].conn.mode < IEEE80211_CONN_MODE_EHT) {
9998
				err = -EINVAL;
9999
				req->links[i].error = err;
10000
				goto err_free;
10001
			}
10002

10003
			err = ieee80211_mgd_get_ap_ht_vht_capa(sdata,
10004
							       assoc_data, i);
10005
			if (err) {
10006
				err = -EINVAL;
10007
				req->links[i].error = err;
10008
				goto err_free;
10009
			}
10010
		}
10011

10012
		assoc_data->wmm = true;
10013
	} else {
10014
		struct ieee80211_supported_band *sband;
10015
		struct ieee80211_bss *bss = (void *)cbss->priv;
10016

10017
		memcpy(assoc_data->link[0].addr, sdata->vif.addr, ETH_ALEN);
10018
		assoc_data->s1g = cbss->channel->band == NL80211_BAND_S1GHZ;
10019

10020
		assoc_data->wmm = bss->wmm_used &&
10021
				  (local->hw.queues >= IEEE80211_NUM_ACS);
10022

10023
		if (cbss->channel->band == NL80211_BAND_6GHZ &&
10024
		    req->flags & (ASSOC_REQ_DISABLE_HT |
10025
				  ASSOC_REQ_DISABLE_VHT |
10026
				  ASSOC_REQ_DISABLE_HE)) {
10027
			err = -EINVAL;
10028
			goto err_free;
10029
		}
10030

10031
		sband = local->hw.wiphy->bands[cbss->channel->band];
10032

10033
		assoc_data->link[0].bss = cbss;
10034

10035
		if (match_auth)
10036
			assoc_data->link[0].conn = sdata->deflink.u.mgd.conn;
10037
		else
10038
			assoc_data->link[0].conn =
10039
				ieee80211_conn_settings_unlimited;
10040
		ieee80211_determine_our_sta_mode_assoc(sdata, sband, req,
10041
						       assoc_data->wmm, 0,
10042
						       &assoc_data->link[0].conn);
10043

10044
		uapsd_supported = bss->uapsd_supported;
10045

10046
		err = ieee80211_mgd_get_ap_ht_vht_capa(sdata, assoc_data, 0);
10047
		if (err)
10048
			goto err_free;
10049
	}
10050

10051
	assoc_data->spp_amsdu = req->flags & ASSOC_REQ_SPP_AMSDU;
10052

10053
	if (ifmgd->auth_data && !ifmgd->auth_data->done) {
10054
		err = -EBUSY;
10055
		goto err_free;
10056
	}
10057

10058
	if (ifmgd->assoc_data) {
10059
		err = -EBUSY;
10060
		goto err_free;
10061
	}
10062

10063
	/* Cleanup is delayed if auth_data matches */
10064
	if (ifmgd->auth_data && !match_auth)
10065
		ieee80211_destroy_auth_data(sdata, false);
10066

10067
	if (req->ie && req->ie_len) {
10068
		memcpy(assoc_data->ie, req->ie, req->ie_len);
10069
		assoc_data->ie_len = req->ie_len;
10070
		assoc_data->ie_pos = assoc_data->ie + assoc_data->ie_len;
10071
	} else {
10072
		assoc_data->ie_pos = assoc_data->ie;
10073
	}
10074

10075
	if (req->fils_kek) {
10076
		/* should already be checked in cfg80211 - so warn */
10077
		if (WARN_ON(req->fils_kek_len > FILS_MAX_KEK_LEN)) {
10078
			err = -EINVAL;
10079
			goto err_free;
10080
		}
10081
		memcpy(assoc_data->fils_kek, req->fils_kek,
10082
		       req->fils_kek_len);
10083
		assoc_data->fils_kek_len = req->fils_kek_len;
10084
	}
10085

10086
	if (req->fils_nonces)
10087
		memcpy(assoc_data->fils_nonces, req->fils_nonces,
10088
		       2 * FILS_NONCE_LEN);
10089

10090
	/* default timeout */
10091
	assoc_data->timeout = jiffies;
10092
	assoc_data->timeout_started = true;
10093

10094
	assoc_data->assoc_link_id = assoc_link_id;
10095

10096
	if (req->ap_mld_addr) {
10097
		/* if there was no authentication, set up the link */
10098
		err = ieee80211_vif_set_links(sdata, BIT(assoc_link_id), 0);
10099
		if (err)
10100
			goto err_clear;
10101
	}
10102

10103
	link = sdata_dereference(sdata->link[assoc_link_id], sdata);
10104
	if (WARN_ON(!link)) {
10105
		err = -EINVAL;
10106
		goto err_clear;
10107
	}
10108

10109
	override = link->u.mgd.conn.mode !=
10110
			assoc_data->link[assoc_link_id].conn.mode ||
10111
		   link->u.mgd.conn.bw_limit !=
10112
			assoc_data->link[assoc_link_id].conn.bw_limit;
10113
	link->u.mgd.conn = assoc_data->link[assoc_link_id].conn;
10114

10115
	ieee80211_setup_assoc_link(sdata, assoc_data, req, &link->u.mgd.conn,
10116
				   assoc_link_id);
10117

10118
	if (WARN((sdata->vif.driver_flags & IEEE80211_VIF_SUPPORTS_UAPSD) &&
10119
		 ieee80211_hw_check(&local->hw, PS_NULLFUNC_STACK),
10120
	     "U-APSD not supported with HW_PS_NULLFUNC_STACK\n"))
10121
		sdata->vif.driver_flags &= ~IEEE80211_VIF_SUPPORTS_UAPSD;
10122

10123
	if (assoc_data->wmm && uapsd_supported &&
10124
	    (sdata->vif.driver_flags & IEEE80211_VIF_SUPPORTS_UAPSD)) {
10125
		assoc_data->uapsd = true;
10126
		ifmgd->flags |= IEEE80211_STA_UAPSD_ENABLED;
10127
	} else {
10128
		assoc_data->uapsd = false;
10129
		ifmgd->flags &= ~IEEE80211_STA_UAPSD_ENABLED;
10130
	}
10131

10132
	if (req->prev_bssid)
10133
		memcpy(assoc_data->prev_ap_addr, req->prev_bssid, ETH_ALEN);
10134

10135
	if (req->use_mfp) {
10136
		ifmgd->mfp = IEEE80211_MFP_REQUIRED;
10137
		ifmgd->flags |= IEEE80211_STA_MFP_ENABLED;
10138
	} else {
10139
		ifmgd->mfp = IEEE80211_MFP_DISABLED;
10140
		ifmgd->flags &= ~IEEE80211_STA_MFP_ENABLED;
10141
	}
10142

10143
	if (req->flags & ASSOC_REQ_USE_RRM)
10144
		ifmgd->flags |= IEEE80211_STA_ENABLE_RRM;
10145
	else
10146
		ifmgd->flags &= ~IEEE80211_STA_ENABLE_RRM;
10147

10148
	if (req->crypto.control_port)
10149
		ifmgd->flags |= IEEE80211_STA_CONTROL_PORT;
10150
	else
10151
		ifmgd->flags &= ~IEEE80211_STA_CONTROL_PORT;
10152

10153
	sdata->control_port_protocol = req->crypto.control_port_ethertype;
10154
	sdata->control_port_no_encrypt = req->crypto.control_port_no_encrypt;
10155
	sdata->control_port_over_nl80211 =
10156
					req->crypto.control_port_over_nl80211;
10157
	sdata->control_port_no_preauth = req->crypto.control_port_no_preauth;
10158

10159
	/* kick off associate process */
10160
	ifmgd->assoc_data = assoc_data;
10161

10162
	for (i = 0; i < ARRAY_SIZE(assoc_data->link); i++) {
10163
		if (!assoc_data->link[i].bss)
10164
			continue;
10165
		if (i == assoc_data->assoc_link_id)
10166
			continue;
10167
		/* only calculate the mode, hence link == NULL */
10168
		err = ieee80211_prep_channel(sdata, NULL, i,
10169
					     assoc_data->link[i].bss, true,
10170
					     &assoc_data->link[i].conn,
10171
					     sdata->u.mgd.userspace_selectors);
10172
		if (err) {
10173
			req->links[i].error = err;
10174
			goto err_clear;
10175
		}
10176
	}
10177

10178
	memcpy(vif_cfg->ssid, assoc_data->ssid, assoc_data->ssid_len);
10179
	vif_cfg->ssid_len = assoc_data->ssid_len;
10180

10181
	/* needed for transmitting the assoc frames properly */
10182
	memcpy(sdata->vif.cfg.ap_addr, assoc_data->ap_addr, ETH_ALEN);
10183

10184
	err = ieee80211_prep_connection(sdata, cbss, req->link_id,
10185
					req->ap_mld_addr, true,
10186
					&assoc_data->link[assoc_link_id].conn,
10187
					override,
10188
					sdata->u.mgd.userspace_selectors);
10189
	if (err)
10190
		goto err_clear;
10191

10192
	if (ieee80211_hw_check(&sdata->local->hw, NEED_DTIM_BEFORE_ASSOC)) {
10193
		const struct cfg80211_bss_ies *beacon_ies;
10194

10195
		rcu_read_lock();
10196
		beacon_ies = rcu_dereference(req->bss->beacon_ies);
10197
		if (!beacon_ies) {
10198
			/*
10199
			 * Wait up to one beacon interval ...
10200
			 * should this be more if we miss one?
10201
			 */
10202
			sdata_info(sdata, "waiting for beacon from %pM\n",
10203
				   link->u.mgd.bssid);
10204
			assoc_data->timeout = TU_TO_EXP_TIME(req->bss->beacon_interval);
10205
			assoc_data->timeout_started = true;
10206
			assoc_data->need_beacon = true;
10207
		}
10208
		rcu_read_unlock();
10209
	}
10210

10211
	run_again(sdata, assoc_data->timeout);
10212

10213
	/* We are associating, clean up auth_data */
10214
	if (ifmgd->auth_data)
10215
		ieee80211_destroy_auth_data(sdata, true);
10216

10217
	return 0;
10218
 err_clear:
10219
	if (!ifmgd->auth_data) {
10220
		eth_zero_addr(sdata->deflink.u.mgd.bssid);
10221
		ieee80211_link_info_change_notify(sdata, &sdata->deflink,
10222
						  BSS_CHANGED_BSSID);
10223
	}
10224
	ifmgd->assoc_data = NULL;
10225
 err_free:
10226
	kfree(assoc_data);
10227
	return err;
10228
}
10229

10230
int ieee80211_mgd_deauth(struct ieee80211_sub_if_data *sdata,
10231
			 struct cfg80211_deauth_request *req)
10232
{
10233
	struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
10234
	u8 frame_buf[IEEE80211_DEAUTH_FRAME_LEN];
10235
	bool tx = !req->local_state_change;
10236
	struct ieee80211_prep_tx_info info = {
10237
		.subtype = IEEE80211_STYPE_DEAUTH,
10238
	};
10239

10240
	if (ifmgd->auth_data &&
10241
	    ether_addr_equal(ifmgd->auth_data->ap_addr, req->bssid)) {
10242
		sdata_info(sdata,
10243
			   "aborting authentication with %pM by local choice (Reason: %u=%s)\n",
10244
			   req->bssid, req->reason_code,
10245
			   ieee80211_get_reason_code_string(req->reason_code));
10246

10247
		info.link_id = ifmgd->auth_data->link_id;
10248
		drv_mgd_prepare_tx(sdata->local, sdata, &info);
10249
		ieee80211_send_deauth_disassoc(sdata, req->bssid, req->bssid,
10250
					       IEEE80211_STYPE_DEAUTH,
10251
					       req->reason_code, tx,
10252
					       frame_buf);
10253
		ieee80211_destroy_auth_data(sdata, false);
10254
		ieee80211_report_disconnect(sdata, frame_buf,
10255
					    sizeof(frame_buf), true,
10256
					    req->reason_code, false);
10257
		drv_mgd_complete_tx(sdata->local, sdata, &info);
10258
		return 0;
10259
	}
10260

10261
	if (ifmgd->assoc_data &&
10262
	    ether_addr_equal(ifmgd->assoc_data->ap_addr, req->bssid)) {
10263
		sdata_info(sdata,
10264
			   "aborting association with %pM by local choice (Reason: %u=%s)\n",
10265
			   req->bssid, req->reason_code,
10266
			   ieee80211_get_reason_code_string(req->reason_code));
10267

10268
		info.link_id = ifmgd->assoc_data->assoc_link_id;
10269
		drv_mgd_prepare_tx(sdata->local, sdata, &info);
10270
		ieee80211_send_deauth_disassoc(sdata, req->bssid, req->bssid,
10271
					       IEEE80211_STYPE_DEAUTH,
10272
					       req->reason_code, tx,
10273
					       frame_buf);
10274
		ieee80211_destroy_assoc_data(sdata, ASSOC_ABANDON);
10275
		ieee80211_report_disconnect(sdata, frame_buf,
10276
					    sizeof(frame_buf), true,
10277
					    req->reason_code, false);
10278
		drv_mgd_complete_tx(sdata->local, sdata, &info);
10279
		return 0;
10280
	}
10281

10282
	if (ifmgd->associated &&
10283
	    ether_addr_equal(sdata->vif.cfg.ap_addr, req->bssid)) {
10284
		sdata_info(sdata,
10285
			   "deauthenticating from %pM by local choice (Reason: %u=%s)\n",
10286
			   req->bssid, req->reason_code,
10287
			   ieee80211_get_reason_code_string(req->reason_code));
10288

10289
		ieee80211_set_disassoc(sdata, IEEE80211_STYPE_DEAUTH,
10290
				       req->reason_code, tx, frame_buf);
10291
		ieee80211_report_disconnect(sdata, frame_buf,
10292
					    sizeof(frame_buf), true,
10293
					    req->reason_code, false);
10294
		return 0;
10295
	}
10296

10297
	return -ENOTCONN;
10298
}
10299

10300
int ieee80211_mgd_disassoc(struct ieee80211_sub_if_data *sdata,
10301
			   struct cfg80211_disassoc_request *req)
10302
{
10303
	u8 frame_buf[IEEE80211_DEAUTH_FRAME_LEN];
10304

10305
	if (!sdata->u.mgd.associated ||
10306
	    memcmp(sdata->vif.cfg.ap_addr, req->ap_addr, ETH_ALEN))
10307
		return -ENOTCONN;
10308

10309
	sdata_info(sdata,
10310
		   "disassociating from %pM by local choice (Reason: %u=%s)\n",
10311
		   req->ap_addr, req->reason_code,
10312
		   ieee80211_get_reason_code_string(req->reason_code));
10313

10314
	ieee80211_set_disassoc(sdata, IEEE80211_STYPE_DISASSOC,
10315
			       req->reason_code, !req->local_state_change,
10316
			       frame_buf);
10317

10318
	ieee80211_report_disconnect(sdata, frame_buf, sizeof(frame_buf), true,
10319
				    req->reason_code, false);
10320

10321
	return 0;
10322
}
10323

10324
void ieee80211_mgd_stop_link(struct ieee80211_link_data *link)
10325
{
10326
	wiphy_work_cancel(link->sdata->local->hw.wiphy,
10327
			  &link->u.mgd.request_smps_work);
10328
	wiphy_work_cancel(link->sdata->local->hw.wiphy,
10329
			  &link->u.mgd.recalc_smps);
10330
	wiphy_hrtimer_work_cancel(link->sdata->local->hw.wiphy,
10331
				  &link->u.mgd.csa.switch_work);
10332
}
10333

10334
void ieee80211_mgd_stop(struct ieee80211_sub_if_data *sdata)
10335
{
10336
	struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
10337

10338
	/*
10339
	 * Make sure some work items will not run after this,
10340
	 * they will not do anything but might not have been
10341
	 * cancelled when disconnecting.
10342
	 */
10343
	wiphy_work_cancel(sdata->local->hw.wiphy,
10344
			  &ifmgd->monitor_work);
10345
	wiphy_work_cancel(sdata->local->hw.wiphy,
10346
			  &ifmgd->beacon_connection_loss_work);
10347
	wiphy_work_cancel(sdata->local->hw.wiphy,
10348
			  &ifmgd->csa_connection_drop_work);
10349
	wiphy_delayed_work_cancel(sdata->local->hw.wiphy,
10350
				  &ifmgd->tdls_peer_del_work);
10351

10352
	if (ifmgd->assoc_data)
10353
		ieee80211_destroy_assoc_data(sdata, ASSOC_TIMEOUT);
10354
	if (ifmgd->auth_data)
10355
		ieee80211_destroy_auth_data(sdata, false);
10356
	spin_lock_bh(&ifmgd->teardown_lock);
10357
	if (ifmgd->teardown_skb) {
10358
		kfree_skb(ifmgd->teardown_skb);
10359
		ifmgd->teardown_skb = NULL;
10360
		ifmgd->orig_teardown_skb = NULL;
10361
	}
10362
	kfree(ifmgd->assoc_req_ies);
10363
	ifmgd->assoc_req_ies = NULL;
10364
	ifmgd->assoc_req_ies_len = 0;
10365
	spin_unlock_bh(&ifmgd->teardown_lock);
10366
	timer_delete_sync(&ifmgd->timer);
10367
}
10368

10369
void ieee80211_cqm_rssi_notify(struct ieee80211_vif *vif,
10370
			       enum nl80211_cqm_rssi_threshold_event rssi_event,
10371
			       s32 rssi_level,
10372
			       gfp_t gfp)
10373
{
10374
	struct ieee80211_sub_if_data *sdata = vif_to_sdata(vif);
10375

10376
	trace_api_cqm_rssi_notify(sdata, rssi_event, rssi_level);
10377

10378
	cfg80211_cqm_rssi_notify(sdata->dev, rssi_event, rssi_level, gfp);
10379
}
10380
EXPORT_SYMBOL(ieee80211_cqm_rssi_notify);
10381

10382
void ieee80211_cqm_beacon_loss_notify(struct ieee80211_vif *vif, gfp_t gfp)
10383
{
10384
	struct ieee80211_sub_if_data *sdata = vif_to_sdata(vif);
10385

10386
	trace_api_cqm_beacon_loss_notify(sdata->local, sdata);
10387

10388
	cfg80211_cqm_beacon_loss_notify(sdata->dev, gfp);
10389
}
10390
EXPORT_SYMBOL(ieee80211_cqm_beacon_loss_notify);
10391

10392
static void _ieee80211_enable_rssi_reports(struct ieee80211_sub_if_data *sdata,
10393
					    int rssi_min_thold,
10394
					    int rssi_max_thold)
10395
{
10396
	trace_api_enable_rssi_reports(sdata, rssi_min_thold, rssi_max_thold);
10397

10398
	if (WARN_ON(sdata->vif.type != NL80211_IFTYPE_STATION))
10399
		return;
10400

10401
	/*
10402
	 * Scale up threshold values before storing it, as the RSSI averaging
10403
	 * algorithm uses a scaled up value as well. Change this scaling
10404
	 * factor if the RSSI averaging algorithm changes.
10405
	 */
10406
	sdata->u.mgd.rssi_min_thold = rssi_min_thold*16;
10407
	sdata->u.mgd.rssi_max_thold = rssi_max_thold*16;
10408
}
10409

10410
void ieee80211_enable_rssi_reports(struct ieee80211_vif *vif,
10411
				    int rssi_min_thold,
10412
				    int rssi_max_thold)
10413
{
10414
	struct ieee80211_sub_if_data *sdata = vif_to_sdata(vif);
10415

10416
	WARN_ON(rssi_min_thold == rssi_max_thold ||
10417
		rssi_min_thold > rssi_max_thold);
10418

10419
	_ieee80211_enable_rssi_reports(sdata, rssi_min_thold,
10420
				       rssi_max_thold);
10421
}
10422
EXPORT_SYMBOL(ieee80211_enable_rssi_reports);
10423

10424
void ieee80211_disable_rssi_reports(struct ieee80211_vif *vif)
10425
{
10426
	struct ieee80211_sub_if_data *sdata = vif_to_sdata(vif);
10427

10428
	_ieee80211_enable_rssi_reports(sdata, 0, 0);
10429
}
10430
EXPORT_SYMBOL(ieee80211_disable_rssi_reports);
10431

10432
void ieee80211_process_ml_reconf_resp(struct ieee80211_sub_if_data *sdata,
10433
				      struct ieee80211_mgmt *mgmt, size_t len)
10434
{
10435
	struct ieee80211_local *local = sdata->local;
10436
	struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
10437
	struct ieee80211_mgd_assoc_data *add_links_data =
10438
		ifmgd->reconf.add_links_data;
10439
	struct sta_info *sta;
10440
	struct cfg80211_mlo_reconf_done_data done_data = {};
10441
	u16 sta_changed_links = sdata->u.mgd.reconf.added_links |
10442
		                sdata->u.mgd.reconf.removed_links;
10443
	u16 link_mask, valid_links;
10444
	unsigned int link_id;
10445
	size_t orig_len = len;
10446
	u8 i, group_key_data_len;
10447
	u8 *pos;
10448

10449
	if (!ieee80211_vif_is_mld(&sdata->vif) ||
10450
	    len < IEEE80211_MIN_ACTION_SIZE(ml_reconf_resp) ||
10451
	    mgmt->u.action.ml_reconf_resp.dialog_token !=
10452
		sdata->u.mgd.reconf.dialog_token ||
10453
	    !sta_changed_links)
10454
		return;
10455

10456
	pos = mgmt->u.action.ml_reconf_resp.variable;
10457
	len -= offsetofend(typeof(*mgmt), u.action.ml_reconf_resp);
10458

10459
	if (len < mgmt->u.action.ml_reconf_resp.count *
10460
				sizeof(struct ieee80211_ml_reconf_status)) {
10461
		sdata_info(sdata,
10462
			   "mlo: reconf: unexpected len=%zu, count=%u\n",
10463
			   len, mgmt->u.action.ml_reconf_resp.count);
10464
		goto disconnect;
10465
	}
10466

10467
	link_mask = sta_changed_links;
10468
	for (i = 0; i < mgmt->u.action.ml_reconf_resp.count; i++) {
10469
		struct ieee80211_ml_reconf_status *reconf_status = (void *)pos;
10470
		u16 status = le16_to_cpu(reconf_status->status);
10471

10472
		link_id = u8_get_bits(reconf_status->info,
10473
				      IEEE80211_ML_RECONF_LINK_ID_MASK);
10474

10475
		if (!(link_mask & BIT(link_id))) {
10476
			sdata_info(sdata,
10477
				   "mlo: reconf: unexpected link: %u, changed=0x%x\n",
10478
				   link_id, sta_changed_links);
10479
			goto disconnect;
10480
		}
10481

10482
		/* clear the corresponding link, to detect the case that
10483
		 * the same link was included more than one time
10484
		 */
10485
		link_mask &= ~BIT(link_id);
10486

10487
		/* Handle failure to remove links here. Failure to remove added
10488
		 * links will be done later in the flow.
10489
		 */
10490
		if (status != WLAN_STATUS_SUCCESS) {
10491
			sdata_info(sdata,
10492
				   "mlo: reconf: failed on link=%u, status=%u\n",
10493
				   link_id, status);
10494

10495
			/* The AP MLD failed to remove a link that was already
10496
			 * removed locally. As this is not expected behavior,
10497
			 * disconnect
10498
			 */
10499
			if (sdata->u.mgd.reconf.removed_links & BIT(link_id))
10500
				goto disconnect;
10501

10502
			/* The AP MLD failed to add a link. Remove it from the
10503
			 * added links.
10504
			 */
10505
			sdata->u.mgd.reconf.added_links &= ~BIT(link_id);
10506
		}
10507

10508
		pos += sizeof(*reconf_status);
10509
		len -= sizeof(*reconf_status);
10510
	}
10511

10512
	if (link_mask) {
10513
		sdata_info(sdata,
10514
			   "mlo: reconf: no response for links=0x%x\n",
10515
			   link_mask);
10516
		goto disconnect;
10517
	}
10518

10519
	if (!sdata->u.mgd.reconf.added_links)
10520
		goto out;
10521

10522
	if (len < 1 || len < 1 + *pos) {
10523
		sdata_info(sdata,
10524
			   "mlo: reconf: invalid group key data length");
10525
		goto disconnect;
10526
	}
10527

10528
	/* The Group Key Data field must be present when links are added. This
10529
	 * field should be processed by userland.
10530
	 */
10531
	group_key_data_len = *pos++;
10532

10533
	pos += group_key_data_len;
10534
	len -= group_key_data_len + 1;
10535

10536
	/* Process the information for the added links */
10537
	sta = sta_info_get(sdata, sdata->vif.cfg.ap_addr);
10538
	if (WARN_ON(!sta))
10539
		goto disconnect;
10540

10541
	valid_links = sdata->vif.valid_links;
10542
	for (link_id = 0; link_id < IEEE80211_MLD_MAX_NUM_LINKS; link_id++) {
10543
		if (!add_links_data->link[link_id].bss ||
10544
		    !(sdata->u.mgd.reconf.added_links & BIT(link_id)))
10545
			continue;
10546

10547
		valid_links |= BIT(link_id);
10548
		if (ieee80211_sta_allocate_link(sta, link_id))
10549
			goto disconnect;
10550
	}
10551

10552
	ieee80211_vif_set_links(sdata, valid_links, sdata->vif.dormant_links);
10553
	link_mask = 0;
10554
	for (link_id = 0; link_id < IEEE80211_MLD_MAX_NUM_LINKS; link_id++) {
10555
		struct cfg80211_bss *cbss = add_links_data->link[link_id].bss;
10556
		struct ieee80211_link_data *link;
10557
		struct link_sta_info *link_sta;
10558
		u64 changed = 0;
10559

10560
		if (!cbss)
10561
			continue;
10562

10563
		link = sdata_dereference(sdata->link[link_id], sdata);
10564
		if (WARN_ON(!link))
10565
			goto disconnect;
10566

10567
		link_info(link,
10568
			  "mlo: reconf: local address %pM, AP link address %pM\n",
10569
			  add_links_data->link[link_id].addr,
10570
			  add_links_data->link[link_id].bss->bssid);
10571

10572
		link_sta = rcu_dereference_protected(sta->link[link_id],
10573
						     lockdep_is_held(&local->hw.wiphy->mtx));
10574
		if (WARN_ON(!link_sta))
10575
			goto disconnect;
10576

10577
		if (!link->u.mgd.have_beacon) {
10578
			const struct cfg80211_bss_ies *ies;
10579

10580
			rcu_read_lock();
10581
			ies = rcu_dereference(cbss->beacon_ies);
10582
			if (ies)
10583
				link->u.mgd.have_beacon = true;
10584
			else
10585
				ies = rcu_dereference(cbss->ies);
10586
			ieee80211_get_dtim(ies,
10587
					   &link->conf->sync_dtim_count,
10588
					   &link->u.mgd.dtim_period);
10589
			link->conf->beacon_int = cbss->beacon_interval;
10590
			rcu_read_unlock();
10591
		}
10592

10593
		link->conf->dtim_period = link->u.mgd.dtim_period ?: 1;
10594

10595
		link->u.mgd.conn = add_links_data->link[link_id].conn;
10596
		if (ieee80211_prep_channel(sdata, link, link_id, cbss,
10597
					   true, &link->u.mgd.conn,
10598
					   sdata->u.mgd.userspace_selectors)) {
10599
			link_info(link, "mlo: reconf: prep_channel failed\n");
10600
			goto disconnect;
10601
		}
10602

10603
		if (ieee80211_mgd_setup_link_sta(link, sta, link_sta,
10604
						 add_links_data->link[link_id].bss))
10605
			goto disconnect;
10606

10607
		if (!ieee80211_assoc_config_link(link, link_sta,
10608
						 add_links_data->link[link_id].bss,
10609
						 mgmt, pos, len,
10610
						 &changed))
10611
			goto disconnect;
10612

10613
		/* The AP MLD indicated success for this link, but the station
10614
		 * profile status indicated otherwise. Since there is an
10615
		 * inconsistency in the ML reconfiguration response, disconnect
10616
		 */
10617
		if (add_links_data->link[link_id].status != WLAN_STATUS_SUCCESS)
10618
			goto disconnect;
10619

10620
		ieee80211_sta_init_nss(link_sta);
10621
		if (ieee80211_sta_activate_link(sta, link_id))
10622
			goto disconnect;
10623

10624
		changed |= ieee80211_link_set_associated(link, cbss);
10625
		ieee80211_link_info_change_notify(sdata, link, changed);
10626

10627
		ieee80211_recalc_smps(sdata, link);
10628
		link_mask |= BIT(link_id);
10629
	}
10630

10631
	sdata_info(sdata,
10632
		   "mlo: reconf: current valid_links=0x%x, added=0x%x\n",
10633
		   valid_links, link_mask);
10634

10635
	/* links might have changed due to rejected ones, set them again */
10636
	ieee80211_vif_set_links(sdata, valid_links, sdata->vif.dormant_links);
10637
	ieee80211_vif_cfg_change_notify(sdata, BSS_CHANGED_MLD_VALID_LINKS);
10638

10639
	ieee80211_recalc_ps(local);
10640
	ieee80211_recalc_ps_vif(sdata);
10641

10642
	done_data.buf = (const u8 *)mgmt;
10643
	done_data.len = orig_len;
10644
	done_data.added_links = link_mask;
10645

10646
	for (link_id = 0; link_id < IEEE80211_MLD_MAX_NUM_LINKS; link_id++) {
10647
		done_data.links[link_id].bss = add_links_data->link[link_id].bss;
10648
		done_data.links[link_id].addr =
10649
			add_links_data->link[link_id].addr;
10650
	}
10651

10652
	cfg80211_mlo_reconf_add_done(sdata->dev, &done_data);
10653
	kfree(sdata->u.mgd.reconf.add_links_data);
10654
	sdata->u.mgd.reconf.add_links_data = NULL;
10655
out:
10656
	ieee80211_ml_reconf_reset(sdata);
10657
	return;
10658

10659
disconnect:
10660
	__ieee80211_disconnect(sdata);
10661
}
10662

10663
static struct sk_buff *
10664
ieee80211_build_ml_reconf_req(struct ieee80211_sub_if_data *sdata,
10665
			      struct ieee80211_mgd_assoc_data *add_links_data,
10666
			      u16 removed_links, __le16 ext_mld_capa_ops)
10667
{
10668
	struct ieee80211_local *local = sdata->local;
10669
	struct ieee80211_mgmt *mgmt;
10670
	struct ieee80211_multi_link_elem *ml_elem;
10671
	struct ieee80211_mle_basic_common_info *common;
10672
	enum nl80211_iftype iftype = ieee80211_vif_type_p2p(&sdata->vif);
10673
	struct sk_buff *skb;
10674
	size_t size;
10675
	unsigned int link_id;
10676
	__le16 eml_capa = 0, mld_capa_ops = 0;
10677
	struct ieee80211_tx_info *info;
10678
	u8 common_size, var_common_size;
10679
	u8 *ml_elem_len;
10680
	u16 capab = 0;
10681

10682
	size = local->hw.extra_tx_headroom + sizeof(*mgmt);
10683

10684
	/* Consider the maximal length of the reconfiguration ML element */
10685
	size += sizeof(struct ieee80211_multi_link_elem);
10686

10687
	/* The Basic ML element and the Reconfiguration ML element have the same
10688
	 * fixed common information fields in the context of ML reconfiguration
10689
	 * action frame. The AP MLD MAC address must always be present
10690
	 */
10691
	common_size = sizeof(*common);
10692

10693
	/* when adding links, the MLD capabilities must be present */
10694
	var_common_size = 0;
10695
	if (add_links_data) {
10696
		const struct wiphy_iftype_ext_capab *ift_ext_capa =
10697
			cfg80211_get_iftype_ext_capa(local->hw.wiphy,
10698
						     ieee80211_vif_type_p2p(&sdata->vif));
10699

10700
		if (ift_ext_capa) {
10701
			eml_capa = cpu_to_le16(ift_ext_capa->eml_capabilities);
10702
			mld_capa_ops =
10703
				cpu_to_le16(ift_ext_capa->mld_capa_and_ops);
10704
		}
10705

10706
		/* MLD capabilities and operation */
10707
		var_common_size += 2;
10708

10709
		/* EML capabilities */
10710
		if (eml_capa & cpu_to_le16((IEEE80211_EML_CAP_EMLSR_SUPP |
10711
					    IEEE80211_EML_CAP_EMLMR_SUPPORT)))
10712
			var_common_size += 2;
10713
	}
10714

10715
	if (ext_mld_capa_ops)
10716
		var_common_size += 2;
10717

10718
	/* Add the common information length */
10719
	size += common_size + var_common_size;
10720

10721
	for (link_id = 0; link_id < IEEE80211_MLD_MAX_NUM_LINKS; link_id++) {
10722
		struct cfg80211_bss *cbss;
10723
		size_t elems_len;
10724

10725
		if (removed_links & BIT(link_id)) {
10726
			size += sizeof(struct ieee80211_mle_per_sta_profile) +
10727
				ETH_ALEN;
10728
			continue;
10729
		}
10730

10731
		if (!add_links_data || !add_links_data->link[link_id].bss)
10732
			continue;
10733

10734
		elems_len = add_links_data->link[link_id].elems_len;
10735
		cbss = add_links_data->link[link_id].bss;
10736

10737
		/* should be the same across all BSSes */
10738
		if (cbss->capability & WLAN_CAPABILITY_PRIVACY)
10739
			capab |= WLAN_CAPABILITY_PRIVACY;
10740

10741
		size += 2 + sizeof(struct ieee80211_mle_per_sta_profile) +
10742
			ETH_ALEN;
10743

10744
		/* WMM */
10745
		size += 9;
10746
		size += ieee80211_link_common_elems_size(sdata, iftype, cbss,
10747
							 elems_len);
10748
	}
10749

10750
	skb = alloc_skb(size, GFP_KERNEL);
10751
	if (!skb)
10752
		return NULL;
10753

10754
	skb_reserve(skb, local->hw.extra_tx_headroom);
10755
	mgmt = skb_put_zero(skb, IEEE80211_MIN_ACTION_SIZE(ml_reconf_req));
10756

10757
	/* Add the MAC header */
10758
	mgmt->frame_control = cpu_to_le16(IEEE80211_FTYPE_MGMT |
10759
					  IEEE80211_STYPE_ACTION);
10760
	memcpy(mgmt->da, sdata->vif.cfg.ap_addr, ETH_ALEN);
10761
	memcpy(mgmt->sa, sdata->vif.addr, ETH_ALEN);
10762
	memcpy(mgmt->bssid, sdata->vif.cfg.ap_addr, ETH_ALEN);
10763

10764
	/* Add the action frame fixed fields */
10765
	mgmt->u.action.category = WLAN_CATEGORY_PROTECTED_EHT;
10766
	mgmt->u.action.action_code = WLAN_PROTECTED_EHT_ACTION_LINK_RECONFIG_REQ;
10767

10768
	/* allocate a dialog token and store it */
10769
	sdata->u.mgd.reconf.dialog_token = ++sdata->u.mgd.dialog_token_alloc;
10770
	mgmt->u.action.ml_reconf_req.dialog_token =
10771
		sdata->u.mgd.reconf.dialog_token;
10772

10773
	/* Add the ML reconfiguration element and the common information  */
10774
	skb_put_u8(skb, WLAN_EID_EXTENSION);
10775
	ml_elem_len = skb_put(skb, 1);
10776
	skb_put_u8(skb, WLAN_EID_EXT_EHT_MULTI_LINK);
10777
	ml_elem = skb_put(skb, sizeof(*ml_elem));
10778
	ml_elem->control =
10779
		cpu_to_le16(IEEE80211_ML_CONTROL_TYPE_RECONF |
10780
			    IEEE80211_MLC_RECONF_PRES_MLD_MAC_ADDR);
10781
	common = skb_put(skb, common_size);
10782
	common->len = common_size + var_common_size;
10783
	memcpy(common->mld_mac_addr, sdata->vif.addr, ETH_ALEN);
10784

10785
	if (add_links_data) {
10786
		if (eml_capa &
10787
		    cpu_to_le16((IEEE80211_EML_CAP_EMLSR_SUPP |
10788
				 IEEE80211_EML_CAP_EMLMR_SUPPORT))) {
10789
			ml_elem->control |=
10790
				cpu_to_le16(IEEE80211_MLC_RECONF_PRES_EML_CAPA);
10791
			skb_put_data(skb, &eml_capa, sizeof(eml_capa));
10792
		}
10793

10794
		ml_elem->control |=
10795
			cpu_to_le16(IEEE80211_MLC_RECONF_PRES_MLD_CAPA_OP);
10796

10797
		skb_put_data(skb, &mld_capa_ops, sizeof(mld_capa_ops));
10798
	}
10799

10800
	if (ext_mld_capa_ops) {
10801
		ml_elem->control |=
10802
			cpu_to_le16(IEEE80211_MLC_RECONF_PRES_EXT_MLD_CAPA_OP);
10803
		skb_put_data(skb, &ext_mld_capa_ops, sizeof(ext_mld_capa_ops));
10804
	}
10805

10806
	if (sdata->u.mgd.flags & IEEE80211_STA_ENABLE_RRM)
10807
		capab |= WLAN_CAPABILITY_RADIO_MEASURE;
10808

10809
	/* Add the per station profile */
10810
	for (link_id = 0; link_id < IEEE80211_MLD_MAX_NUM_LINKS; link_id++) {
10811
		u8 *subelem_len = NULL;
10812
		u16 ctrl;
10813
		const u8 *addr;
10814

10815
		/* Skip links that are not changing */
10816
		if (!(removed_links & BIT(link_id)) &&
10817
		    (!add_links_data || !add_links_data->link[link_id].bss))
10818
			continue;
10819

10820
		ctrl = link_id |
10821
		       IEEE80211_MLE_STA_RECONF_CONTROL_STA_MAC_ADDR_PRESENT;
10822

10823
		if (removed_links & BIT(link_id)) {
10824
			struct ieee80211_bss_conf *conf =
10825
				sdata_dereference(sdata->vif.link_conf[link_id],
10826
						  sdata);
10827
			if (!conf)
10828
				continue;
10829

10830
			addr = conf->addr;
10831
			ctrl |= u16_encode_bits(IEEE80211_MLE_STA_RECONF_CONTROL_OPERATION_TYPE_DEL_LINK,
10832
						IEEE80211_MLE_STA_RECONF_CONTROL_OPERATION_TYPE);
10833
		} else {
10834
			addr = add_links_data->link[link_id].addr;
10835
			ctrl |= IEEE80211_MLE_STA_RECONF_CONTROL_COMPLETE_PROFILE |
10836
				u16_encode_bits(IEEE80211_MLE_STA_RECONF_CONTROL_OPERATION_TYPE_ADD_LINK,
10837
						IEEE80211_MLE_STA_RECONF_CONTROL_OPERATION_TYPE);
10838
		}
10839

10840
		skb_put_u8(skb, IEEE80211_MLE_SUBELEM_PER_STA_PROFILE);
10841
		subelem_len = skb_put(skb, 1);
10842

10843
		put_unaligned_le16(ctrl, skb_put(skb, sizeof(ctrl)));
10844
		skb_put_u8(skb, 1 + ETH_ALEN);
10845
		skb_put_data(skb, addr, ETH_ALEN);
10846

10847
		if (!(removed_links & BIT(link_id))) {
10848
			u16 link_present_elems[PRESENT_ELEMS_MAX] = {};
10849
			size_t extra_used;
10850
			void *capab_pos;
10851
			u8 qos_info;
10852

10853
			capab_pos = skb_put(skb, 2);
10854

10855
			extra_used =
10856
				ieee80211_add_link_elems(sdata, skb, &capab, NULL,
10857
							 add_links_data->link[link_id].elems,
10858
							 add_links_data->link[link_id].elems_len,
10859
							 link_id, NULL,
10860
							 link_present_elems,
10861
							 add_links_data);
10862

10863
			if (add_links_data->link[link_id].elems)
10864
				skb_put_data(skb,
10865
					     add_links_data->link[link_id].elems +
10866
					     extra_used,
10867
					     add_links_data->link[link_id].elems_len -
10868
					     extra_used);
10869
			if (sdata->u.mgd.flags & IEEE80211_STA_UAPSD_ENABLED) {
10870
				qos_info = sdata->u.mgd.uapsd_queues;
10871
				qos_info |= (sdata->u.mgd.uapsd_max_sp_len <<
10872
					     IEEE80211_WMM_IE_STA_QOSINFO_SP_SHIFT);
10873
			} else {
10874
				qos_info = 0;
10875
			}
10876

10877
			ieee80211_add_wmm_info_ie(skb_put(skb, 9), qos_info);
10878
			put_unaligned_le16(capab, capab_pos);
10879
		}
10880

10881
		ieee80211_fragment_element(skb, subelem_len,
10882
					   IEEE80211_MLE_SUBELEM_FRAGMENT);
10883
	}
10884

10885
	ieee80211_fragment_element(skb, ml_elem_len, WLAN_EID_FRAGMENT);
10886

10887
	info = IEEE80211_SKB_CB(skb);
10888
	info->flags |= IEEE80211_TX_CTL_REQ_TX_STATUS;
10889

10890
	return skb;
10891
}
10892

10893
int ieee80211_mgd_assoc_ml_reconf(struct ieee80211_sub_if_data *sdata,
10894
				  struct cfg80211_ml_reconf_req *req)
10895
{
10896
	struct ieee80211_local *local = sdata->local;
10897
	struct ieee80211_mgd_assoc_data *data = NULL;
10898
	struct sta_info *sta;
10899
	struct sk_buff *skb;
10900
	u16 added_links, new_valid_links;
10901
	int link_id, err;
10902

10903
	if (!ieee80211_vif_is_mld(&sdata->vif) ||
10904
	    !(sdata->vif.cfg.mld_capa_op &
10905
	      IEEE80211_MLD_CAP_OP_LINK_RECONF_SUPPORT))
10906
		return -EINVAL;
10907

10908
	/* No support for concurrent ML reconfiguration operation */
10909
	if (sdata->u.mgd.reconf.added_links ||
10910
	    sdata->u.mgd.reconf.removed_links)
10911
		return -EBUSY;
10912

10913
	added_links = 0;
10914
	for (link_id = 0; link_id < IEEE80211_MLD_MAX_NUM_LINKS; link_id++) {
10915
		if (!req->add_links[link_id].bss)
10916
			continue;
10917

10918
		added_links |= BIT(link_id);
10919
	}
10920

10921
	sta = sta_info_get(sdata, sdata->vif.cfg.ap_addr);
10922
	if (WARN_ON(!sta))
10923
		return -ENOLINK;
10924

10925
	/* Adding links to the set of valid link is done only after a successful
10926
	 * ML reconfiguration frame exchange. Here prepare the data for the ML
10927
	 * reconfiguration frame construction and allocate the required
10928
	 * resources
10929
	 */
10930
	if (added_links) {
10931
		bool uapsd_supported;
10932

10933
		data = kzalloc_obj(*data);
10934
		if (!data)
10935
			return -ENOMEM;
10936

10937
		data->assoc_link_id = -1;
10938
		data->wmm = true;
10939

10940
		uapsd_supported = true;
10941
		for (link_id = 0; link_id < IEEE80211_MLD_MAX_NUM_LINKS;
10942
		     link_id++) {
10943
			struct ieee80211_supported_band *sband;
10944
			struct cfg80211_bss *link_cbss =
10945
				req->add_links[link_id].bss;
10946
			struct ieee80211_bss *bss;
10947

10948
			if (!link_cbss)
10949
				continue;
10950

10951
			bss = (void *)link_cbss->priv;
10952

10953
			if (!bss->wmm_used) {
10954
				err = -EINVAL;
10955
				goto err_free;
10956
			}
10957

10958
			if (link_cbss->channel->band == NL80211_BAND_S1GHZ) {
10959
				err = -EINVAL;
10960
				goto err_free;
10961
			}
10962

10963
			eth_random_addr(data->link[link_id].addr);
10964
			data->link[link_id].conn =
10965
				ieee80211_conn_settings_unlimited;
10966
			sband =
10967
				local->hw.wiphy->bands[link_cbss->channel->band];
10968

10969
			ieee80211_determine_our_sta_mode(sdata, sband,
10970
							 NULL, true, link_id,
10971
							 &data->link[link_id].conn);
10972

10973
			data->link[link_id].bss = link_cbss;
10974
			data->link[link_id].elems =
10975
				(u8 *)req->add_links[link_id].elems;
10976
			data->link[link_id].elems_len =
10977
				req->add_links[link_id].elems_len;
10978

10979
			if (!bss->uapsd_supported)
10980
				uapsd_supported = false;
10981

10982
			if (data->link[link_id].conn.mode <
10983
			    IEEE80211_CONN_MODE_EHT) {
10984
				err = -EINVAL;
10985
				goto err_free;
10986
			}
10987

10988
			err = ieee80211_mgd_get_ap_ht_vht_capa(sdata, data,
10989
							       link_id);
10990
			if (err) {
10991
				err = -EINVAL;
10992
				goto err_free;
10993
			}
10994
		}
10995

10996
		/* Require U-APSD support if we enabled it */
10997
		if (sdata->u.mgd.flags & IEEE80211_STA_UAPSD_ENABLED &&
10998
		    !uapsd_supported) {
10999
			err = -EINVAL;
11000
			sdata_info(sdata, "U-APSD on but not available on (all) new links\n");
11001
			goto err_free;
11002
		}
11003

11004
		for (link_id = 0; link_id < IEEE80211_MLD_MAX_NUM_LINKS;
11005
		     link_id++) {
11006
			if (!data->link[link_id].bss)
11007
				continue;
11008

11009
			/* only used to verify the mode, nothing is allocated */
11010
			err = ieee80211_prep_channel(sdata, NULL, link_id,
11011
						     data->link[link_id].bss,
11012
						     true,
11013
						     &data->link[link_id].conn,
11014
						     sdata->u.mgd.userspace_selectors);
11015
			if (err)
11016
				goto err_free;
11017
		}
11018
	}
11019

11020
	/* link removal is done before the ML reconfiguration frame exchange so
11021
	 * that these links will not be used between their removal by the AP MLD
11022
	 * and before the station got the ML reconfiguration response. Based on
11023
	 * Section 35.3.6.4 in Draft P802.11be_D7.0 the AP MLD should accept the
11024
	 * link removal request.
11025
	 */
11026
	if (req->rem_links) {
11027
		u16 new_active_links =
11028
			sdata->vif.active_links & ~req->rem_links;
11029

11030
		new_valid_links = sdata->vif.valid_links & ~req->rem_links;
11031

11032
		/* Should not be left with no valid links to perform the
11033
		 * ML reconfiguration
11034
		 */
11035
		if (!new_valid_links ||
11036
		    !(new_valid_links & ~sdata->vif.dormant_links)) {
11037
			sdata_info(sdata, "mlo: reconf: no valid links\n");
11038
			err = -EINVAL;
11039
			goto err_free;
11040
		}
11041

11042
		if (new_active_links != sdata->vif.active_links) {
11043
			if (!new_active_links)
11044
				new_active_links =
11045
					BIT(__ffs(new_valid_links &
11046
						  ~sdata->vif.dormant_links));
11047

11048
			err = ieee80211_set_active_links(&sdata->vif,
11049
							 new_active_links);
11050
			if (err) {
11051
				sdata_info(sdata,
11052
					   "mlo: reconf: failed set active links\n");
11053
				goto err_free;
11054
			}
11055
		}
11056
	}
11057

11058
	/* Build the SKB before the link removal as the construction of the
11059
	 * station info for removed links requires the local address.
11060
	 * Invalidate the removed links, so that the transmission of the ML
11061
	 * reconfiguration request frame would not be done using them, as the AP
11062
	 * is expected to send the ML reconfiguration response frame on the link
11063
	 * on which the request was received.
11064
	 */
11065
	skb = ieee80211_build_ml_reconf_req(sdata, data, req->rem_links,
11066
					    cpu_to_le16(req->ext_mld_capa_ops));
11067
	if (!skb) {
11068
		err = -ENOMEM;
11069
		goto err_free;
11070
	}
11071

11072
	if (req->rem_links) {
11073
		u16 new_dormant_links =
11074
			sdata->vif.dormant_links & ~req->rem_links;
11075

11076
		err = ieee80211_vif_set_links(sdata, new_valid_links,
11077
					      new_dormant_links);
11078
		if (err) {
11079
			sdata_info(sdata,
11080
				   "mlo: reconf: failed set valid links\n");
11081
			kfree_skb(skb);
11082
			goto err_free;
11083
		}
11084

11085
		for (link_id = 0; link_id < IEEE80211_MLD_MAX_NUM_LINKS;
11086
		     link_id++) {
11087
			if (!(req->rem_links & BIT(link_id)))
11088
				continue;
11089

11090
			ieee80211_sta_remove_link(sta, link_id);
11091
		}
11092

11093
		/* notify the driver and upper layers */
11094
		ieee80211_vif_cfg_change_notify(sdata,
11095
						BSS_CHANGED_MLD_VALID_LINKS);
11096
		cfg80211_links_removed(sdata->dev, req->rem_links);
11097
	}
11098

11099
	sdata_info(sdata, "mlo: reconf: adding=0x%x, removed=0x%x\n",
11100
		   added_links, req->rem_links);
11101

11102
	ieee80211_tx_skb(sdata, skb);
11103

11104
	sdata->u.mgd.reconf.added_links = added_links;
11105
	sdata->u.mgd.reconf.add_links_data = data;
11106
	sdata->u.mgd.reconf.removed_links = req->rem_links;
11107
	wiphy_delayed_work_queue(sdata->local->hw.wiphy,
11108
				 &sdata->u.mgd.reconf.wk,
11109
				 IEEE80211_ASSOC_TIMEOUT_SHORT);
11110
	return 0;
11111

11112
 err_free:
11113
	kfree(data);
11114
	return err;
11115
}
11116

11117
static bool ieee80211_mgd_epcs_supp(struct ieee80211_sub_if_data *sdata)
11118
{
11119
	unsigned long valid_links = sdata->vif.valid_links;
11120
	u8 link_id;
11121

11122
	lockdep_assert_wiphy(sdata->local->hw.wiphy);
11123

11124
	if (!ieee80211_vif_is_mld(&sdata->vif))
11125
		return false;
11126

11127
	for_each_set_bit(link_id, &valid_links, IEEE80211_MLD_MAX_NUM_LINKS) {
11128
		struct ieee80211_bss_conf *bss_conf =
11129
			sdata_dereference(sdata->vif.link_conf[link_id], sdata);
11130

11131
		if (WARN_ON(!bss_conf) || !bss_conf->epcs_support)
11132
			return false;
11133
	}
11134

11135
	return true;
11136
}
11137

11138
int ieee80211_mgd_set_epcs(struct ieee80211_sub_if_data *sdata, bool enable)
11139
{
11140
	int frame_len = IEEE80211_MIN_ACTION_SIZE(epcs) + (enable ? 1 : 0);
11141
	struct ieee80211_local *local = sdata->local;
11142
	struct ieee80211_mgmt *mgmt;
11143
	struct sk_buff *skb;
11144

11145
	if (!ieee80211_mgd_epcs_supp(sdata))
11146
		return -EINVAL;
11147

11148
	if (sdata->u.mgd.epcs.enabled == enable &&
11149
	    !sdata->u.mgd.epcs.dialog_token)
11150
		return 0;
11151

11152
	/* Do not allow enabling EPCS if the AP didn't respond yet.
11153
	 * However, allow disabling EPCS in such a case.
11154
	 */
11155
	if (sdata->u.mgd.epcs.dialog_token && enable)
11156
		return -EALREADY;
11157

11158
	skb = dev_alloc_skb(local->hw.extra_tx_headroom + frame_len);
11159
	if (!skb)
11160
		return -ENOBUFS;
11161

11162
	skb_reserve(skb, local->hw.extra_tx_headroom);
11163
	mgmt = skb_put_zero(skb, frame_len);
11164
	mgmt->frame_control = cpu_to_le16(IEEE80211_FTYPE_MGMT |
11165
					  IEEE80211_STYPE_ACTION);
11166
	memcpy(mgmt->da, sdata->vif.cfg.ap_addr, ETH_ALEN);
11167
	memcpy(mgmt->sa, sdata->vif.addr, ETH_ALEN);
11168
	memcpy(mgmt->bssid, sdata->vif.cfg.ap_addr, ETH_ALEN);
11169

11170
	mgmt->u.action.category = WLAN_CATEGORY_PROTECTED_EHT;
11171
	if (enable) {
11172
		u8 *pos = mgmt->u.action.epcs.variable;
11173

11174
		mgmt->u.action.action_code =
11175
			WLAN_PROTECTED_EHT_ACTION_EPCS_ENABLE_REQ;
11176

11177
		*pos = ++sdata->u.mgd.dialog_token_alloc;
11178
		sdata->u.mgd.epcs.dialog_token = *pos;
11179
	} else {
11180
		mgmt->u.action.action_code =
11181
			WLAN_PROTECTED_EHT_ACTION_EPCS_ENABLE_TEARDOWN;
11182

11183
		ieee80211_epcs_teardown(sdata);
11184
		ieee80211_epcs_changed(sdata, false);
11185
	}
11186

11187
	ieee80211_tx_skb(sdata, skb);
11188
	return 0;
11189
}
11190

11191
static void ieee80211_ml_epcs(struct ieee80211_sub_if_data *sdata,
11192
			      struct ieee802_11_elems *elems)
11193
{
11194
	const struct element *sub;
11195
	size_t scratch_len = elems->ml_epcs_len;
11196
	u8 *scratch __free(kfree) = kzalloc(scratch_len, GFP_KERNEL);
11197

11198
	lockdep_assert_wiphy(sdata->local->hw.wiphy);
11199

11200
	if (!ieee80211_vif_is_mld(&sdata->vif) || !elems->ml_epcs)
11201
		return;
11202

11203
	if (WARN_ON(!scratch))
11204
		return;
11205

11206
	/* Directly parse the sub elements as the common information doesn't
11207
	 * hold any useful information.
11208
	 */
11209
	for_each_mle_subelement(sub, (const u8 *)elems->ml_epcs,
11210
				elems->ml_epcs_len) {
11211
		struct ieee802_11_elems *link_elems __free(kfree) = NULL;
11212
		struct ieee80211_link_data *link;
11213
		u8 *pos = (void *)sub->data;
11214
		u16 control;
11215
		ssize_t len;
11216
		u8 link_id;
11217

11218
		if (sub->id != IEEE80211_MLE_SUBELEM_PER_STA_PROFILE)
11219
			continue;
11220

11221
		if (sub->datalen < sizeof(control))
11222
			break;
11223

11224
		control = get_unaligned_le16(pos);
11225
		link_id = control & IEEE80211_MLE_STA_EPCS_CONTROL_LINK_ID;
11226

11227
		link = sdata_dereference(sdata->link[link_id], sdata);
11228
		if (!link)
11229
			continue;
11230

11231
		len = cfg80211_defragment_element(sub, (u8 *)elems->ml_epcs,
11232
						  elems->ml_epcs_len,
11233
						  scratch, scratch_len,
11234
						  IEEE80211_MLE_SUBELEM_FRAGMENT);
11235
		if (len < (ssize_t)sizeof(control))
11236
			continue;
11237

11238
		pos = scratch + sizeof(control);
11239
		len -= sizeof(control);
11240

11241
		link_elems = ieee802_11_parse_elems(pos, len,
11242
						    IEEE80211_FTYPE_MGMT |
11243
						    IEEE80211_STYPE_ACTION,
11244
						    NULL);
11245
		if (!link_elems)
11246
			continue;
11247

11248
		if (ieee80211_sta_wmm_params(sdata->local, link,
11249
					     link_elems->wmm_param,
11250
					     link_elems->wmm_param_len,
11251
					     link_elems->mu_edca_param_set))
11252
			ieee80211_link_info_change_notify(sdata, link,
11253
							  BSS_CHANGED_QOS);
11254
	}
11255
}
11256

11257
void ieee80211_process_epcs_ena_resp(struct ieee80211_sub_if_data *sdata,
11258
				     struct ieee80211_mgmt *mgmt, size_t len)
11259
{
11260
	struct ieee802_11_elems *elems __free(kfree) = NULL;
11261
	size_t ies_len;
11262
	u16 status_code;
11263
	u8 *pos, dialog_token;
11264

11265
	if (!ieee80211_mgd_epcs_supp(sdata))
11266
		return;
11267

11268
	/* Handle dialog token and status code */
11269
	pos = mgmt->u.action.epcs.variable;
11270
	dialog_token = *pos;
11271
	status_code = get_unaligned_le16(pos + 1);
11272

11273
	/* An EPCS enable response with dialog token == 0 is an unsolicited
11274
	 * notification from the AP MLD. In such a case, EPCS should already be
11275
	 * enabled and status must be success
11276
	 */
11277
	if (!dialog_token &&
11278
	    (!sdata->u.mgd.epcs.enabled ||
11279
	     status_code != WLAN_STATUS_SUCCESS))
11280
		return;
11281

11282
	if (sdata->u.mgd.epcs.dialog_token != dialog_token)
11283
		return;
11284

11285
	sdata->u.mgd.epcs.dialog_token = 0;
11286

11287
	if (status_code != WLAN_STATUS_SUCCESS)
11288
		return;
11289

11290
	pos += IEEE80211_EPCS_ENA_RESP_BODY_LEN;
11291
	ies_len = len - IEEE80211_MIN_ACTION_SIZE(epcs) -
11292
		IEEE80211_EPCS_ENA_RESP_BODY_LEN;
11293

11294
	elems = ieee802_11_parse_elems(pos, ies_len,
11295
				       IEEE80211_FTYPE_MGMT |
11296
				       IEEE80211_STYPE_ACTION,
11297
				       NULL);
11298
	if (!elems)
11299
		return;
11300

11301
	ieee80211_ml_epcs(sdata, elems);
11302
	ieee80211_epcs_changed(sdata, true);
11303
}
11304

11305
void ieee80211_process_epcs_teardown(struct ieee80211_sub_if_data *sdata,
11306
				     struct ieee80211_mgmt *mgmt, size_t len)
11307
{
11308
	if (!ieee80211_vif_is_mld(&sdata->vif) ||
11309
	    !sdata->u.mgd.epcs.enabled)
11310
		return;
11311

11312
	ieee80211_epcs_teardown(sdata);
11313
	ieee80211_epcs_changed(sdata, false);
11314
}
11315

11316