xref: /openbmc/linux/net/mac80211/mlme.c (revision b04b4f78)
1 /*
2  * BSS client mode implementation
3  * Copyright 2003-2008, Jouni Malinen <j@w1.fi>
4  * Copyright 2004, Instant802 Networks, Inc.
5  * Copyright 2005, Devicescape Software, Inc.
6  * Copyright 2006-2007	Jiri Benc <jbenc@suse.cz>
7  * Copyright 2007, Michael Wu <flamingice@sourmilk.net>
8  *
9  * This program is free software; you can redistribute it and/or modify
10  * it under the terms of the GNU General Public License version 2 as
11  * published by the Free Software Foundation.
12  */
13 
14 #include <linux/delay.h>
15 #include <linux/if_ether.h>
16 #include <linux/skbuff.h>
17 #include <linux/if_arp.h>
18 #include <linux/etherdevice.h>
19 #include <linux/rtnetlink.h>
20 #include <net/mac80211.h>
21 #include <asm/unaligned.h>
22 
23 #include "ieee80211_i.h"
24 #include "rate.h"
25 #include "led.h"
26 
27 #define IEEE80211_ASSOC_SCANS_MAX_TRIES 2
28 #define IEEE80211_AUTH_TIMEOUT (HZ / 5)
29 #define IEEE80211_AUTH_MAX_TRIES 3
30 #define IEEE80211_ASSOC_TIMEOUT (HZ / 5)
31 #define IEEE80211_ASSOC_MAX_TRIES 3
32 #define IEEE80211_MONITORING_INTERVAL (2 * HZ)
33 #define IEEE80211_PROBE_IDLE_TIME (60 * HZ)
34 #define IEEE80211_RETRY_AUTH_INTERVAL (1 * HZ)
35 
36 /* utils */
37 static int ecw2cw(int ecw)
38 {
39 	return (1 << ecw) - 1;
40 }
41 
42 static u8 *ieee80211_bss_get_ie(struct ieee80211_bss *bss, u8 ie)
43 {
44 	u8 *end, *pos;
45 
46 	pos = bss->cbss.information_elements;
47 	if (pos == NULL)
48 		return NULL;
49 	end = pos + bss->cbss.len_information_elements;
50 
51 	while (pos + 1 < end) {
52 		if (pos + 2 + pos[1] > end)
53 			break;
54 		if (pos[0] == ie)
55 			return pos;
56 		pos += 2 + pos[1];
57 	}
58 
59 	return NULL;
60 }
61 
62 static int ieee80211_compatible_rates(struct ieee80211_bss *bss,
63 				      struct ieee80211_supported_band *sband,
64 				      u32 *rates)
65 {
66 	int i, j, count;
67 	*rates = 0;
68 	count = 0;
69 	for (i = 0; i < bss->supp_rates_len; i++) {
70 		int rate = (bss->supp_rates[i] & 0x7F) * 5;
71 
72 		for (j = 0; j < sband->n_bitrates; j++)
73 			if (sband->bitrates[j].bitrate == rate) {
74 				*rates |= BIT(j);
75 				count++;
76 				break;
77 			}
78 	}
79 
80 	return count;
81 }
82 
83 /* frame sending functions */
84 
85 static void ieee80211_send_assoc(struct ieee80211_sub_if_data *sdata)
86 {
87 	struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
88 	struct ieee80211_local *local = sdata->local;
89 	struct sk_buff *skb;
90 	struct ieee80211_mgmt *mgmt;
91 	u8 *pos, *ies, *ht_ie;
92 	int i, len, count, rates_len, supp_rates_len;
93 	u16 capab;
94 	struct ieee80211_bss *bss;
95 	int wmm = 0;
96 	struct ieee80211_supported_band *sband;
97 	u32 rates = 0;
98 
99 	skb = dev_alloc_skb(local->hw.extra_tx_headroom +
100 			    sizeof(*mgmt) + 200 + ifmgd->extra_ie_len +
101 			    ifmgd->ssid_len);
102 	if (!skb) {
103 		printk(KERN_DEBUG "%s: failed to allocate buffer for assoc "
104 		       "frame\n", sdata->dev->name);
105 		return;
106 	}
107 	skb_reserve(skb, local->hw.extra_tx_headroom);
108 
109 	sband = local->hw.wiphy->bands[local->hw.conf.channel->band];
110 
111 	capab = ifmgd->capab;
112 
113 	if (local->hw.conf.channel->band == IEEE80211_BAND_2GHZ) {
114 		if (!(local->hw.flags & IEEE80211_HW_2GHZ_SHORT_SLOT_INCAPABLE))
115 			capab |= WLAN_CAPABILITY_SHORT_SLOT_TIME;
116 		if (!(local->hw.flags & IEEE80211_HW_2GHZ_SHORT_PREAMBLE_INCAPABLE))
117 			capab |= WLAN_CAPABILITY_SHORT_PREAMBLE;
118 	}
119 
120 	bss = ieee80211_rx_bss_get(local, ifmgd->bssid,
121 				   local->hw.conf.channel->center_freq,
122 				   ifmgd->ssid, ifmgd->ssid_len);
123 	if (bss) {
124 		if (bss->cbss.capability & WLAN_CAPABILITY_PRIVACY)
125 			capab |= WLAN_CAPABILITY_PRIVACY;
126 		if (bss->wmm_used)
127 			wmm = 1;
128 
129 		/* get all rates supported by the device and the AP as
130 		 * some APs don't like getting a superset of their rates
131 		 * in the association request (e.g. D-Link DAP 1353 in
132 		 * b-only mode) */
133 		rates_len = ieee80211_compatible_rates(bss, sband, &rates);
134 
135 		if ((bss->cbss.capability & WLAN_CAPABILITY_SPECTRUM_MGMT) &&
136 		    (local->hw.flags & IEEE80211_HW_SPECTRUM_MGMT))
137 			capab |= WLAN_CAPABILITY_SPECTRUM_MGMT;
138 
139 		ieee80211_rx_bss_put(local, bss);
140 	} else {
141 		rates = ~0;
142 		rates_len = sband->n_bitrates;
143 	}
144 
145 	mgmt = (struct ieee80211_mgmt *) skb_put(skb, 24);
146 	memset(mgmt, 0, 24);
147 	memcpy(mgmt->da, ifmgd->bssid, ETH_ALEN);
148 	memcpy(mgmt->sa, sdata->dev->dev_addr, ETH_ALEN);
149 	memcpy(mgmt->bssid, ifmgd->bssid, ETH_ALEN);
150 
151 	if (ifmgd->flags & IEEE80211_STA_PREV_BSSID_SET) {
152 		skb_put(skb, 10);
153 		mgmt->frame_control = cpu_to_le16(IEEE80211_FTYPE_MGMT |
154 						  IEEE80211_STYPE_REASSOC_REQ);
155 		mgmt->u.reassoc_req.capab_info = cpu_to_le16(capab);
156 		mgmt->u.reassoc_req.listen_interval =
157 				cpu_to_le16(local->hw.conf.listen_interval);
158 		memcpy(mgmt->u.reassoc_req.current_ap, ifmgd->prev_bssid,
159 		       ETH_ALEN);
160 	} else {
161 		skb_put(skb, 4);
162 		mgmt->frame_control = cpu_to_le16(IEEE80211_FTYPE_MGMT |
163 						  IEEE80211_STYPE_ASSOC_REQ);
164 		mgmt->u.assoc_req.capab_info = cpu_to_le16(capab);
165 		mgmt->u.assoc_req.listen_interval =
166 				cpu_to_le16(local->hw.conf.listen_interval);
167 	}
168 
169 	/* SSID */
170 	ies = pos = skb_put(skb, 2 + ifmgd->ssid_len);
171 	*pos++ = WLAN_EID_SSID;
172 	*pos++ = ifmgd->ssid_len;
173 	memcpy(pos, ifmgd->ssid, ifmgd->ssid_len);
174 
175 	/* add all rates which were marked to be used above */
176 	supp_rates_len = rates_len;
177 	if (supp_rates_len > 8)
178 		supp_rates_len = 8;
179 
180 	len = sband->n_bitrates;
181 	pos = skb_put(skb, supp_rates_len + 2);
182 	*pos++ = WLAN_EID_SUPP_RATES;
183 	*pos++ = supp_rates_len;
184 
185 	count = 0;
186 	for (i = 0; i < sband->n_bitrates; i++) {
187 		if (BIT(i) & rates) {
188 			int rate = sband->bitrates[i].bitrate;
189 			*pos++ = (u8) (rate / 5);
190 			if (++count == 8)
191 				break;
192 		}
193 	}
194 
195 	if (rates_len > count) {
196 		pos = skb_put(skb, rates_len - count + 2);
197 		*pos++ = WLAN_EID_EXT_SUPP_RATES;
198 		*pos++ = rates_len - count;
199 
200 		for (i++; i < sband->n_bitrates; i++) {
201 			if (BIT(i) & rates) {
202 				int rate = sband->bitrates[i].bitrate;
203 				*pos++ = (u8) (rate / 5);
204 			}
205 		}
206 	}
207 
208 	if (capab & WLAN_CAPABILITY_SPECTRUM_MGMT) {
209 		/* 1. power capabilities */
210 		pos = skb_put(skb, 4);
211 		*pos++ = WLAN_EID_PWR_CAPABILITY;
212 		*pos++ = 2;
213 		*pos++ = 0; /* min tx power */
214 		*pos++ = local->hw.conf.channel->max_power; /* max tx power */
215 
216 		/* 2. supported channels */
217 		/* TODO: get this in reg domain format */
218 		pos = skb_put(skb, 2 * sband->n_channels + 2);
219 		*pos++ = WLAN_EID_SUPPORTED_CHANNELS;
220 		*pos++ = 2 * sband->n_channels;
221 		for (i = 0; i < sband->n_channels; i++) {
222 			*pos++ = ieee80211_frequency_to_channel(
223 					sband->channels[i].center_freq);
224 			*pos++ = 1; /* one channel in the subband*/
225 		}
226 	}
227 
228 	if (ifmgd->extra_ie) {
229 		pos = skb_put(skb, ifmgd->extra_ie_len);
230 		memcpy(pos, ifmgd->extra_ie, ifmgd->extra_ie_len);
231 	}
232 
233 	if (wmm && (ifmgd->flags & IEEE80211_STA_WMM_ENABLED)) {
234 		pos = skb_put(skb, 9);
235 		*pos++ = WLAN_EID_VENDOR_SPECIFIC;
236 		*pos++ = 7; /* len */
237 		*pos++ = 0x00; /* Microsoft OUI 00:50:F2 */
238 		*pos++ = 0x50;
239 		*pos++ = 0xf2;
240 		*pos++ = 2; /* WME */
241 		*pos++ = 0; /* WME info */
242 		*pos++ = 1; /* WME ver */
243 		*pos++ = 0;
244 	}
245 
246 	/* wmm support is a must to HT */
247 	/*
248 	 * IEEE802.11n does not allow TKIP/WEP as pairwise
249 	 * ciphers in HT mode. We still associate in non-ht
250 	 * mode (11a/b/g) if any one of these ciphers is
251 	 * configured as pairwise.
252 	 */
253 	if (wmm && (ifmgd->flags & IEEE80211_STA_WMM_ENABLED) &&
254 	    sband->ht_cap.ht_supported &&
255 	    (ht_ie = ieee80211_bss_get_ie(bss, WLAN_EID_HT_INFORMATION)) &&
256 	    ht_ie[1] >= sizeof(struct ieee80211_ht_info) &&
257 	    (!(ifmgd->flags & IEEE80211_STA_TKIP_WEP_USED))) {
258 		struct ieee80211_ht_info *ht_info =
259 			(struct ieee80211_ht_info *)(ht_ie + 2);
260 		u16 cap = sband->ht_cap.cap;
261 		__le16 tmp;
262 		u32 flags = local->hw.conf.channel->flags;
263 
264 		switch (ht_info->ht_param & IEEE80211_HT_PARAM_CHA_SEC_OFFSET) {
265 		case IEEE80211_HT_PARAM_CHA_SEC_ABOVE:
266 			if (flags & IEEE80211_CHAN_NO_FAT_ABOVE) {
267 				cap &= ~IEEE80211_HT_CAP_SUP_WIDTH_20_40;
268 				cap &= ~IEEE80211_HT_CAP_SGI_40;
269 			}
270 			break;
271 		case IEEE80211_HT_PARAM_CHA_SEC_BELOW:
272 			if (flags & IEEE80211_CHAN_NO_FAT_BELOW) {
273 				cap &= ~IEEE80211_HT_CAP_SUP_WIDTH_20_40;
274 				cap &= ~IEEE80211_HT_CAP_SGI_40;
275 			}
276 			break;
277 		}
278 
279 		tmp = cpu_to_le16(cap);
280 		pos = skb_put(skb, sizeof(struct ieee80211_ht_cap)+2);
281 		*pos++ = WLAN_EID_HT_CAPABILITY;
282 		*pos++ = sizeof(struct ieee80211_ht_cap);
283 		memset(pos, 0, sizeof(struct ieee80211_ht_cap));
284 		memcpy(pos, &tmp, sizeof(u16));
285 		pos += sizeof(u16);
286 		/* TODO: needs a define here for << 2 */
287 		*pos++ = sband->ht_cap.ampdu_factor |
288 			 (sband->ht_cap.ampdu_density << 2);
289 		memcpy(pos, &sband->ht_cap.mcs, sizeof(sband->ht_cap.mcs));
290 	}
291 
292 	kfree(ifmgd->assocreq_ies);
293 	ifmgd->assocreq_ies_len = (skb->data + skb->len) - ies;
294 	ifmgd->assocreq_ies = kmalloc(ifmgd->assocreq_ies_len, GFP_KERNEL);
295 	if (ifmgd->assocreq_ies)
296 		memcpy(ifmgd->assocreq_ies, ies, ifmgd->assocreq_ies_len);
297 
298 	ieee80211_tx_skb(sdata, skb, 0);
299 }
300 
301 
302 static void ieee80211_send_deauth_disassoc(struct ieee80211_sub_if_data *sdata,
303 					   u16 stype, u16 reason)
304 {
305 	struct ieee80211_local *local = sdata->local;
306 	struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
307 	struct sk_buff *skb;
308 	struct ieee80211_mgmt *mgmt;
309 
310 	skb = dev_alloc_skb(local->hw.extra_tx_headroom + sizeof(*mgmt));
311 	if (!skb) {
312 		printk(KERN_DEBUG "%s: failed to allocate buffer for "
313 		       "deauth/disassoc frame\n", sdata->dev->name);
314 		return;
315 	}
316 	skb_reserve(skb, local->hw.extra_tx_headroom);
317 
318 	mgmt = (struct ieee80211_mgmt *) skb_put(skb, 24);
319 	memset(mgmt, 0, 24);
320 	memcpy(mgmt->da, ifmgd->bssid, ETH_ALEN);
321 	memcpy(mgmt->sa, sdata->dev->dev_addr, ETH_ALEN);
322 	memcpy(mgmt->bssid, ifmgd->bssid, ETH_ALEN);
323 	mgmt->frame_control = cpu_to_le16(IEEE80211_FTYPE_MGMT | stype);
324 	skb_put(skb, 2);
325 	/* u.deauth.reason_code == u.disassoc.reason_code */
326 	mgmt->u.deauth.reason_code = cpu_to_le16(reason);
327 
328 	ieee80211_tx_skb(sdata, skb, ifmgd->flags & IEEE80211_STA_MFP_ENABLED);
329 }
330 
331 void ieee80211_send_pspoll(struct ieee80211_local *local,
332 			   struct ieee80211_sub_if_data *sdata)
333 {
334 	struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
335 	struct ieee80211_pspoll *pspoll;
336 	struct sk_buff *skb;
337 	u16 fc;
338 
339 	skb = dev_alloc_skb(local->hw.extra_tx_headroom + sizeof(*pspoll));
340 	if (!skb) {
341 		printk(KERN_DEBUG "%s: failed to allocate buffer for "
342 		       "pspoll frame\n", sdata->dev->name);
343 		return;
344 	}
345 	skb_reserve(skb, local->hw.extra_tx_headroom);
346 
347 	pspoll = (struct ieee80211_pspoll *) skb_put(skb, sizeof(*pspoll));
348 	memset(pspoll, 0, sizeof(*pspoll));
349 	fc = IEEE80211_FTYPE_CTL | IEEE80211_STYPE_PSPOLL | IEEE80211_FCTL_PM;
350 	pspoll->frame_control = cpu_to_le16(fc);
351 	pspoll->aid = cpu_to_le16(ifmgd->aid);
352 
353 	/* aid in PS-Poll has its two MSBs each set to 1 */
354 	pspoll->aid |= cpu_to_le16(1 << 15 | 1 << 14);
355 
356 	memcpy(pspoll->bssid, ifmgd->bssid, ETH_ALEN);
357 	memcpy(pspoll->ta, sdata->dev->dev_addr, ETH_ALEN);
358 
359 	ieee80211_tx_skb(sdata, skb, 0);
360 }
361 
362 /* MLME */
363 static void ieee80211_sta_wmm_params(struct ieee80211_local *local,
364 				     struct ieee80211_if_managed *ifmgd,
365 				     u8 *wmm_param, size_t wmm_param_len)
366 {
367 	struct ieee80211_tx_queue_params params;
368 	size_t left;
369 	int count;
370 	u8 *pos;
371 
372 	if (!(ifmgd->flags & IEEE80211_STA_WMM_ENABLED))
373 		return;
374 
375 	if (!wmm_param)
376 		return;
377 
378 	if (wmm_param_len < 8 || wmm_param[5] /* version */ != 1)
379 		return;
380 	count = wmm_param[6] & 0x0f;
381 	if (count == ifmgd->wmm_last_param_set)
382 		return;
383 	ifmgd->wmm_last_param_set = count;
384 
385 	pos = wmm_param + 8;
386 	left = wmm_param_len - 8;
387 
388 	memset(&params, 0, sizeof(params));
389 
390 	local->wmm_acm = 0;
391 	for (; left >= 4; left -= 4, pos += 4) {
392 		int aci = (pos[0] >> 5) & 0x03;
393 		int acm = (pos[0] >> 4) & 0x01;
394 		int queue;
395 
396 		switch (aci) {
397 		case 1: /* AC_BK */
398 			queue = 3;
399 			if (acm)
400 				local->wmm_acm |= BIT(1) | BIT(2); /* BK/- */
401 			break;
402 		case 2: /* AC_VI */
403 			queue = 1;
404 			if (acm)
405 				local->wmm_acm |= BIT(4) | BIT(5); /* CL/VI */
406 			break;
407 		case 3: /* AC_VO */
408 			queue = 0;
409 			if (acm)
410 				local->wmm_acm |= BIT(6) | BIT(7); /* VO/NC */
411 			break;
412 		case 0: /* AC_BE */
413 		default:
414 			queue = 2;
415 			if (acm)
416 				local->wmm_acm |= BIT(0) | BIT(3); /* BE/EE */
417 			break;
418 		}
419 
420 		params.aifs = pos[0] & 0x0f;
421 		params.cw_max = ecw2cw((pos[1] & 0xf0) >> 4);
422 		params.cw_min = ecw2cw(pos[1] & 0x0f);
423 		params.txop = get_unaligned_le16(pos + 2);
424 #ifdef CONFIG_MAC80211_VERBOSE_DEBUG
425 		printk(KERN_DEBUG "%s: WMM queue=%d aci=%d acm=%d aifs=%d "
426 		       "cWmin=%d cWmax=%d txop=%d\n",
427 		       local->mdev->name, queue, aci, acm, params.aifs, params.cw_min,
428 		       params.cw_max, params.txop);
429 #endif
430 		if (local->ops->conf_tx &&
431 		    local->ops->conf_tx(local_to_hw(local), queue, &params)) {
432 			printk(KERN_DEBUG "%s: failed to set TX queue "
433 			       "parameters for queue %d\n", local->mdev->name, queue);
434 		}
435 	}
436 }
437 
438 static bool ieee80211_check_tim(struct ieee802_11_elems *elems, u16 aid)
439 {
440 	u8 mask;
441 	u8 index, indexn1, indexn2;
442 	struct ieee80211_tim_ie *tim = (struct ieee80211_tim_ie *) elems->tim;
443 
444 	if (unlikely(!tim || elems->tim_len < 4))
445 		return false;
446 
447 	aid &= 0x3fff;
448 	index = aid / 8;
449 	mask  = 1 << (aid & 7);
450 
451 	indexn1 = tim->bitmap_ctrl & 0xfe;
452 	indexn2 = elems->tim_len + indexn1 - 4;
453 
454 	if (index < indexn1 || index > indexn2)
455 		return false;
456 
457 	index -= indexn1;
458 
459 	return !!(tim->virtual_map[index] & mask);
460 }
461 
462 static u32 ieee80211_handle_bss_capability(struct ieee80211_sub_if_data *sdata,
463 					   u16 capab, bool erp_valid, u8 erp)
464 {
465 	struct ieee80211_bss_conf *bss_conf = &sdata->vif.bss_conf;
466 #ifdef CONFIG_MAC80211_VERBOSE_DEBUG
467 	struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
468 #endif
469 	u32 changed = 0;
470 	bool use_protection;
471 	bool use_short_preamble;
472 	bool use_short_slot;
473 
474 	if (erp_valid) {
475 		use_protection = (erp & WLAN_ERP_USE_PROTECTION) != 0;
476 		use_short_preamble = (erp & WLAN_ERP_BARKER_PREAMBLE) == 0;
477 	} else {
478 		use_protection = false;
479 		use_short_preamble = !!(capab & WLAN_CAPABILITY_SHORT_PREAMBLE);
480 	}
481 
482 	use_short_slot = !!(capab & WLAN_CAPABILITY_SHORT_SLOT_TIME);
483 
484 	if (use_protection != bss_conf->use_cts_prot) {
485 #ifdef CONFIG_MAC80211_VERBOSE_DEBUG
486 		if (net_ratelimit()) {
487 			printk(KERN_DEBUG "%s: CTS protection %s (BSSID=%pM)\n",
488 			       sdata->dev->name,
489 			       use_protection ? "enabled" : "disabled",
490 			       ifmgd->bssid);
491 		}
492 #endif
493 		bss_conf->use_cts_prot = use_protection;
494 		changed |= BSS_CHANGED_ERP_CTS_PROT;
495 	}
496 
497 	if (use_short_preamble != bss_conf->use_short_preamble) {
498 #ifdef CONFIG_MAC80211_VERBOSE_DEBUG
499 		if (net_ratelimit()) {
500 			printk(KERN_DEBUG "%s: switched to %s barker preamble"
501 			       " (BSSID=%pM)\n",
502 			       sdata->dev->name,
503 			       use_short_preamble ? "short" : "long",
504 			       ifmgd->bssid);
505 		}
506 #endif
507 		bss_conf->use_short_preamble = use_short_preamble;
508 		changed |= BSS_CHANGED_ERP_PREAMBLE;
509 	}
510 
511 	if (use_short_slot != bss_conf->use_short_slot) {
512 #ifdef CONFIG_MAC80211_VERBOSE_DEBUG
513 		if (net_ratelimit()) {
514 			printk(KERN_DEBUG "%s: switched to %s slot time"
515 			       " (BSSID=%pM)\n",
516 			       sdata->dev->name,
517 			       use_short_slot ? "short" : "long",
518 			       ifmgd->bssid);
519 		}
520 #endif
521 		bss_conf->use_short_slot = use_short_slot;
522 		changed |= BSS_CHANGED_ERP_SLOT;
523 	}
524 
525 	return changed;
526 }
527 
528 static void ieee80211_sta_send_apinfo(struct ieee80211_sub_if_data *sdata)
529 {
530 	union iwreq_data wrqu;
531 
532 	memset(&wrqu, 0, sizeof(wrqu));
533 	if (sdata->u.mgd.flags & IEEE80211_STA_ASSOCIATED)
534 		memcpy(wrqu.ap_addr.sa_data, sdata->u.mgd.bssid, ETH_ALEN);
535 	wrqu.ap_addr.sa_family = ARPHRD_ETHER;
536 	wireless_send_event(sdata->dev, SIOCGIWAP, &wrqu, NULL);
537 }
538 
539 static void ieee80211_sta_send_associnfo(struct ieee80211_sub_if_data *sdata)
540 {
541 	struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
542 	char *buf;
543 	size_t len;
544 	int i;
545 	union iwreq_data wrqu;
546 
547 	if (!ifmgd->assocreq_ies && !ifmgd->assocresp_ies)
548 		return;
549 
550 	buf = kmalloc(50 + 2 * (ifmgd->assocreq_ies_len +
551 				ifmgd->assocresp_ies_len), GFP_KERNEL);
552 	if (!buf)
553 		return;
554 
555 	len = sprintf(buf, "ASSOCINFO(");
556 	if (ifmgd->assocreq_ies) {
557 		len += sprintf(buf + len, "ReqIEs=");
558 		for (i = 0; i < ifmgd->assocreq_ies_len; i++) {
559 			len += sprintf(buf + len, "%02x",
560 				       ifmgd->assocreq_ies[i]);
561 		}
562 	}
563 	if (ifmgd->assocresp_ies) {
564 		if (ifmgd->assocreq_ies)
565 			len += sprintf(buf + len, " ");
566 		len += sprintf(buf + len, "RespIEs=");
567 		for (i = 0; i < ifmgd->assocresp_ies_len; i++) {
568 			len += sprintf(buf + len, "%02x",
569 				       ifmgd->assocresp_ies[i]);
570 		}
571 	}
572 	len += sprintf(buf + len, ")");
573 
574 	if (len > IW_CUSTOM_MAX) {
575 		len = sprintf(buf, "ASSOCRESPIE=");
576 		for (i = 0; i < ifmgd->assocresp_ies_len; i++) {
577 			len += sprintf(buf + len, "%02x",
578 				       ifmgd->assocresp_ies[i]);
579 		}
580 	}
581 
582 	if (len <= IW_CUSTOM_MAX) {
583 		memset(&wrqu, 0, sizeof(wrqu));
584 		wrqu.data.length = len;
585 		wireless_send_event(sdata->dev, IWEVCUSTOM, &wrqu, buf);
586 	}
587 
588 	kfree(buf);
589 }
590 
591 
592 static void ieee80211_set_associated(struct ieee80211_sub_if_data *sdata,
593 				     u32 bss_info_changed)
594 {
595 	struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
596 	struct ieee80211_local *local = sdata->local;
597 	struct ieee80211_conf *conf = &local_to_hw(local)->conf;
598 
599 	struct ieee80211_bss *bss;
600 
601 	bss_info_changed |= BSS_CHANGED_ASSOC;
602 	ifmgd->flags |= IEEE80211_STA_ASSOCIATED;
603 
604 	bss = ieee80211_rx_bss_get(local, ifmgd->bssid,
605 				   conf->channel->center_freq,
606 				   ifmgd->ssid, ifmgd->ssid_len);
607 	if (bss) {
608 		/* set timing information */
609 		sdata->vif.bss_conf.beacon_int = bss->cbss.beacon_interval;
610 		sdata->vif.bss_conf.timestamp = bss->cbss.tsf;
611 		sdata->vif.bss_conf.dtim_period = bss->dtim_period;
612 
613 		bss_info_changed |= ieee80211_handle_bss_capability(sdata,
614 			bss->cbss.capability, bss->has_erp_value, bss->erp_value);
615 
616 		cfg80211_hold_bss(&bss->cbss);
617 
618 		ieee80211_rx_bss_put(local, bss);
619 	}
620 
621 	ifmgd->flags |= IEEE80211_STA_PREV_BSSID_SET;
622 	memcpy(ifmgd->prev_bssid, sdata->u.mgd.bssid, ETH_ALEN);
623 	ieee80211_sta_send_associnfo(sdata);
624 
625 	ifmgd->last_probe = jiffies;
626 	ieee80211_led_assoc(local, 1);
627 
628 	sdata->vif.bss_conf.assoc = 1;
629 	/*
630 	 * For now just always ask the driver to update the basic rateset
631 	 * when we have associated, we aren't checking whether it actually
632 	 * changed or not.
633 	 */
634 	bss_info_changed |= BSS_CHANGED_BASIC_RATES;
635 	ieee80211_bss_info_change_notify(sdata, bss_info_changed);
636 
637 	if (local->powersave) {
638 		if (!(local->hw.flags & IEEE80211_HW_SUPPORTS_DYNAMIC_PS) &&
639 		    local->hw.conf.dynamic_ps_timeout > 0) {
640 			mod_timer(&local->dynamic_ps_timer, jiffies +
641 				  msecs_to_jiffies(
642 					local->hw.conf.dynamic_ps_timeout));
643 		} else {
644 			if (local->hw.flags & IEEE80211_HW_PS_NULLFUNC_STACK)
645 				ieee80211_send_nullfunc(local, sdata, 1);
646 			conf->flags |= IEEE80211_CONF_PS;
647 			ieee80211_hw_config(local, IEEE80211_CONF_CHANGE_PS);
648 		}
649 	}
650 
651 	netif_tx_start_all_queues(sdata->dev);
652 	netif_carrier_on(sdata->dev);
653 
654 	ieee80211_sta_send_apinfo(sdata);
655 }
656 
657 static void ieee80211_direct_probe(struct ieee80211_sub_if_data *sdata)
658 {
659 	struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
660 	struct ieee80211_local *local = sdata->local;
661 
662 	ifmgd->direct_probe_tries++;
663 	if (ifmgd->direct_probe_tries > IEEE80211_AUTH_MAX_TRIES) {
664 		printk(KERN_DEBUG "%s: direct probe to AP %pM timed out\n",
665 		       sdata->dev->name, ifmgd->bssid);
666 		ifmgd->state = IEEE80211_STA_MLME_DISABLED;
667 		ieee80211_sta_send_apinfo(sdata);
668 
669 		/*
670 		 * Most likely AP is not in the range so remove the
671 		 * bss information associated to the AP
672 		 */
673 		ieee80211_rx_bss_remove(sdata, ifmgd->bssid,
674 				sdata->local->hw.conf.channel->center_freq,
675 				ifmgd->ssid, ifmgd->ssid_len);
676 
677 		/*
678 		 * We might have a pending scan which had no chance to run yet
679 		 * due to state == IEEE80211_STA_MLME_DIRECT_PROBE.
680 		 * Hence, queue the STAs work again
681 		 */
682 		queue_work(local->hw.workqueue, &ifmgd->work);
683 		return;
684 	}
685 
686 	printk(KERN_DEBUG "%s: direct probe to AP %pM try %d\n",
687 			sdata->dev->name, ifmgd->bssid,
688 			ifmgd->direct_probe_tries);
689 
690 	ifmgd->state = IEEE80211_STA_MLME_DIRECT_PROBE;
691 
692 	set_bit(IEEE80211_STA_REQ_DIRECT_PROBE, &ifmgd->request);
693 
694 	/* Direct probe is sent to broadcast address as some APs
695 	 * will not answer to direct packet in unassociated state.
696 	 */
697 	ieee80211_send_probe_req(sdata, NULL,
698 				 ifmgd->ssid, ifmgd->ssid_len, NULL, 0);
699 
700 	mod_timer(&ifmgd->timer, jiffies + IEEE80211_AUTH_TIMEOUT);
701 }
702 
703 
704 static void ieee80211_authenticate(struct ieee80211_sub_if_data *sdata)
705 {
706 	struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
707 	struct ieee80211_local *local = sdata->local;
708 	u8 *ies;
709 	size_t ies_len;
710 
711 	ifmgd->auth_tries++;
712 	if (ifmgd->auth_tries > IEEE80211_AUTH_MAX_TRIES) {
713 		printk(KERN_DEBUG "%s: authentication with AP %pM"
714 		       " timed out\n",
715 		       sdata->dev->name, ifmgd->bssid);
716 		ifmgd->state = IEEE80211_STA_MLME_DISABLED;
717 		ieee80211_sta_send_apinfo(sdata);
718 		ieee80211_rx_bss_remove(sdata, ifmgd->bssid,
719 				sdata->local->hw.conf.channel->center_freq,
720 				ifmgd->ssid, ifmgd->ssid_len);
721 
722 		/*
723 		 * We might have a pending scan which had no chance to run yet
724 		 * due to state == IEEE80211_STA_MLME_AUTHENTICATE.
725 		 * Hence, queue the STAs work again
726 		 */
727 		queue_work(local->hw.workqueue, &ifmgd->work);
728 		return;
729 	}
730 
731 	ifmgd->state = IEEE80211_STA_MLME_AUTHENTICATE;
732 	printk(KERN_DEBUG "%s: authenticate with AP %pM\n",
733 	       sdata->dev->name, ifmgd->bssid);
734 
735 	if (ifmgd->flags & IEEE80211_STA_EXT_SME) {
736 		ies = ifmgd->sme_auth_ie;
737 		ies_len = ifmgd->sme_auth_ie_len;
738 	} else {
739 		ies = NULL;
740 		ies_len = 0;
741 	}
742 	ieee80211_send_auth(sdata, 1, ifmgd->auth_alg, ies, ies_len,
743 			    ifmgd->bssid, 0);
744 	ifmgd->auth_transaction = 2;
745 
746 	mod_timer(&ifmgd->timer, jiffies + IEEE80211_AUTH_TIMEOUT);
747 }
748 
749 /*
750  * The disassoc 'reason' argument can be either our own reason
751  * if self disconnected or a reason code from the AP.
752  */
753 static void ieee80211_set_disassoc(struct ieee80211_sub_if_data *sdata,
754 				   bool deauth, bool self_disconnected,
755 				   u16 reason)
756 {
757 	struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
758 	struct ieee80211_local *local = sdata->local;
759 	struct ieee80211_conf *conf = &local_to_hw(local)->conf;
760 	struct ieee80211_bss *bss;
761 	struct sta_info *sta;
762 	u32 changed = 0, config_changed = 0;
763 
764 	rcu_read_lock();
765 
766 	sta = sta_info_get(local, ifmgd->bssid);
767 	if (!sta) {
768 		rcu_read_unlock();
769 		return;
770 	}
771 
772 	if (deauth) {
773 		ifmgd->direct_probe_tries = 0;
774 		ifmgd->auth_tries = 0;
775 	}
776 	ifmgd->assoc_scan_tries = 0;
777 	ifmgd->assoc_tries = 0;
778 
779 	netif_tx_stop_all_queues(sdata->dev);
780 	netif_carrier_off(sdata->dev);
781 
782 	ieee80211_sta_tear_down_BA_sessions(sta);
783 
784 	bss = ieee80211_rx_bss_get(local, ifmgd->bssid,
785 				   conf->channel->center_freq,
786 				   ifmgd->ssid, ifmgd->ssid_len);
787 
788 	if (bss) {
789 		cfg80211_unhold_bss(&bss->cbss);
790 		ieee80211_rx_bss_put(local, bss);
791 	}
792 
793 	if (self_disconnected) {
794 		if (deauth)
795 			ieee80211_send_deauth_disassoc(sdata,
796 				IEEE80211_STYPE_DEAUTH, reason);
797 		else
798 			ieee80211_send_deauth_disassoc(sdata,
799 				IEEE80211_STYPE_DISASSOC, reason);
800 	}
801 
802 	ifmgd->flags &= ~IEEE80211_STA_ASSOCIATED;
803 	changed |= ieee80211_reset_erp_info(sdata);
804 
805 	ieee80211_led_assoc(local, 0);
806 	changed |= BSS_CHANGED_ASSOC;
807 	sdata->vif.bss_conf.assoc = false;
808 
809 	ieee80211_sta_send_apinfo(sdata);
810 
811 	if (self_disconnected || reason == WLAN_REASON_DISASSOC_STA_HAS_LEFT) {
812 		ifmgd->state = IEEE80211_STA_MLME_DISABLED;
813 		ieee80211_rx_bss_remove(sdata, ifmgd->bssid,
814 				sdata->local->hw.conf.channel->center_freq,
815 				ifmgd->ssid, ifmgd->ssid_len);
816 	}
817 
818 	rcu_read_unlock();
819 
820 	/* channel(_type) changes are handled by ieee80211_hw_config */
821 	local->oper_channel_type = NL80211_CHAN_NO_HT;
822 
823 	local->power_constr_level = 0;
824 
825 	del_timer_sync(&local->dynamic_ps_timer);
826 	cancel_work_sync(&local->dynamic_ps_enable_work);
827 
828 	if (local->hw.conf.flags & IEEE80211_CONF_PS) {
829 		local->hw.conf.flags &= ~IEEE80211_CONF_PS;
830 		config_changed |= IEEE80211_CONF_CHANGE_PS;
831 	}
832 
833 	ieee80211_hw_config(local, config_changed);
834 	ieee80211_bss_info_change_notify(sdata, changed);
835 
836 	rcu_read_lock();
837 
838 	sta = sta_info_get(local, ifmgd->bssid);
839 	if (!sta) {
840 		rcu_read_unlock();
841 		return;
842 	}
843 
844 	sta_info_unlink(&sta);
845 
846 	rcu_read_unlock();
847 
848 	sta_info_destroy(sta);
849 }
850 
851 static int ieee80211_sta_wep_configured(struct ieee80211_sub_if_data *sdata)
852 {
853 	if (!sdata || !sdata->default_key ||
854 	    sdata->default_key->conf.alg != ALG_WEP)
855 		return 0;
856 	return 1;
857 }
858 
859 static int ieee80211_privacy_mismatch(struct ieee80211_sub_if_data *sdata)
860 {
861 	struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
862 	struct ieee80211_local *local = sdata->local;
863 	struct ieee80211_bss *bss;
864 	int bss_privacy;
865 	int wep_privacy;
866 	int privacy_invoked;
867 
868 	if (!ifmgd || (ifmgd->flags & IEEE80211_STA_EXT_SME))
869 		return 0;
870 
871 	bss = ieee80211_rx_bss_get(local, ifmgd->bssid,
872 				   local->hw.conf.channel->center_freq,
873 				   ifmgd->ssid, ifmgd->ssid_len);
874 	if (!bss)
875 		return 0;
876 
877 	bss_privacy = !!(bss->cbss.capability & WLAN_CAPABILITY_PRIVACY);
878 	wep_privacy = !!ieee80211_sta_wep_configured(sdata);
879 	privacy_invoked = !!(ifmgd->flags & IEEE80211_STA_PRIVACY_INVOKED);
880 
881 	ieee80211_rx_bss_put(local, bss);
882 
883 	if ((bss_privacy == wep_privacy) || (bss_privacy == privacy_invoked))
884 		return 0;
885 
886 	return 1;
887 }
888 
889 static void ieee80211_associate(struct ieee80211_sub_if_data *sdata)
890 {
891 	struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
892 	struct ieee80211_local *local = sdata->local;
893 
894 	ifmgd->assoc_tries++;
895 	if (ifmgd->assoc_tries > IEEE80211_ASSOC_MAX_TRIES) {
896 		printk(KERN_DEBUG "%s: association with AP %pM"
897 		       " timed out\n",
898 		       sdata->dev->name, ifmgd->bssid);
899 		ifmgd->state = IEEE80211_STA_MLME_DISABLED;
900 		ieee80211_sta_send_apinfo(sdata);
901 		ieee80211_rx_bss_remove(sdata, ifmgd->bssid,
902 				sdata->local->hw.conf.channel->center_freq,
903 				ifmgd->ssid, ifmgd->ssid_len);
904 		/*
905 		 * We might have a pending scan which had no chance to run yet
906 		 * due to state == IEEE80211_STA_MLME_ASSOCIATE.
907 		 * Hence, queue the STAs work again
908 		 */
909 		queue_work(local->hw.workqueue, &ifmgd->work);
910 		return;
911 	}
912 
913 	ifmgd->state = IEEE80211_STA_MLME_ASSOCIATE;
914 	printk(KERN_DEBUG "%s: associate with AP %pM\n",
915 	       sdata->dev->name, ifmgd->bssid);
916 	if (ieee80211_privacy_mismatch(sdata)) {
917 		printk(KERN_DEBUG "%s: mismatch in privacy configuration and "
918 		       "mixed-cell disabled - abort association\n", sdata->dev->name);
919 		ifmgd->state = IEEE80211_STA_MLME_DISABLED;
920 		return;
921 	}
922 
923 	ieee80211_send_assoc(sdata);
924 
925 	mod_timer(&ifmgd->timer, jiffies + IEEE80211_ASSOC_TIMEOUT);
926 }
927 
928 void ieee80211_sta_rx_notify(struct ieee80211_sub_if_data *sdata,
929 			     struct ieee80211_hdr *hdr)
930 {
931 	/*
932 	 * We can postpone the mgd.timer whenever receiving unicast frames
933 	 * from AP because we know that the connection is working both ways
934 	 * at that time. But multicast frames (and hence also beacons) must
935 	 * be ignored here, because we need to trigger the timer during
936 	 * data idle periods for sending the periodical probe request to
937 	 * the AP.
938 	 */
939 	if (!is_multicast_ether_addr(hdr->addr1))
940 		mod_timer(&sdata->u.mgd.timer,
941 			  jiffies + IEEE80211_MONITORING_INTERVAL);
942 }
943 
944 void ieee80211_beacon_loss_work(struct work_struct *work)
945 {
946 	struct ieee80211_sub_if_data *sdata =
947 		container_of(work, struct ieee80211_sub_if_data,
948 			     u.mgd.beacon_loss_work);
949 	struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
950 
951 #ifdef CONFIG_MAC80211_VERBOSE_DEBUG
952 	if (net_ratelimit()) {
953 		printk(KERN_DEBUG "%s: driver reports beacon loss from AP %pM "
954 		       "- sending probe request\n", sdata->dev->name,
955 		       sdata->u.mgd.bssid);
956 	}
957 #endif
958 
959 	ifmgd->flags |= IEEE80211_STA_PROBEREQ_POLL;
960 	ieee80211_send_probe_req(sdata, ifmgd->bssid, ifmgd->ssid,
961 				 ifmgd->ssid_len, NULL, 0);
962 
963 	mod_timer(&ifmgd->timer, jiffies + IEEE80211_MONITORING_INTERVAL);
964 }
965 
966 void ieee80211_beacon_loss(struct ieee80211_vif *vif)
967 {
968 	struct ieee80211_sub_if_data *sdata = vif_to_sdata(vif);
969 
970 	queue_work(sdata->local->hw.workqueue,
971 		   &sdata->u.mgd.beacon_loss_work);
972 }
973 EXPORT_SYMBOL(ieee80211_beacon_loss);
974 
975 static void ieee80211_associated(struct ieee80211_sub_if_data *sdata)
976 {
977 	struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
978 	struct ieee80211_local *local = sdata->local;
979 	struct sta_info *sta;
980 	bool disassoc = false;
981 
982 	/* TODO: start monitoring current AP signal quality and number of
983 	 * missed beacons. Scan other channels every now and then and search
984 	 * for better APs. */
985 	/* TODO: remove expired BSSes */
986 
987 	ifmgd->state = IEEE80211_STA_MLME_ASSOCIATED;
988 
989 	rcu_read_lock();
990 
991 	sta = sta_info_get(local, ifmgd->bssid);
992 	if (!sta) {
993 		printk(KERN_DEBUG "%s: No STA entry for own AP %pM\n",
994 		       sdata->dev->name, ifmgd->bssid);
995 		disassoc = true;
996 		goto unlock;
997 	}
998 
999 	if ((ifmgd->flags & IEEE80211_STA_PROBEREQ_POLL) &&
1000 	    time_after(jiffies, sta->last_rx + IEEE80211_MONITORING_INTERVAL)) {
1001 		printk(KERN_DEBUG "%s: no probe response from AP %pM "
1002 		       "- disassociating\n",
1003 		       sdata->dev->name, ifmgd->bssid);
1004 		disassoc = true;
1005 		ifmgd->flags &= ~IEEE80211_STA_PROBEREQ_POLL;
1006 		goto unlock;
1007 	}
1008 
1009 	/*
1010 	 * Beacon filtering is only enabled with power save and then the
1011 	 * stack should not check for beacon loss.
1012 	 */
1013 	if (!((local->hw.flags & IEEE80211_HW_BEACON_FILTER) &&
1014 	      (local->hw.conf.flags & IEEE80211_CONF_PS)) &&
1015 	    time_after(jiffies,
1016 		       ifmgd->last_beacon + IEEE80211_MONITORING_INTERVAL)) {
1017 #ifdef CONFIG_MAC80211_VERBOSE_DEBUG
1018 		if (net_ratelimit()) {
1019 			printk(KERN_DEBUG "%s: beacon loss from AP %pM "
1020 			       "- sending probe request\n",
1021 			       sdata->dev->name, ifmgd->bssid);
1022 		}
1023 #endif
1024 		ifmgd->flags |= IEEE80211_STA_PROBEREQ_POLL;
1025 		ieee80211_send_probe_req(sdata, ifmgd->bssid, ifmgd->ssid,
1026 					 ifmgd->ssid_len, NULL, 0);
1027 		goto unlock;
1028 
1029 	}
1030 
1031 	if (time_after(jiffies, sta->last_rx + IEEE80211_PROBE_IDLE_TIME)) {
1032 		ifmgd->flags |= IEEE80211_STA_PROBEREQ_POLL;
1033 		ieee80211_send_probe_req(sdata, ifmgd->bssid, ifmgd->ssid,
1034 					 ifmgd->ssid_len, NULL, 0);
1035 	}
1036 
1037  unlock:
1038 	rcu_read_unlock();
1039 
1040 	if (disassoc)
1041 		ieee80211_set_disassoc(sdata, true, true,
1042 					WLAN_REASON_PREV_AUTH_NOT_VALID);
1043 	else
1044 		mod_timer(&ifmgd->timer, jiffies +
1045 				      IEEE80211_MONITORING_INTERVAL);
1046 }
1047 
1048 
1049 static void ieee80211_auth_completed(struct ieee80211_sub_if_data *sdata)
1050 {
1051 	struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
1052 
1053 	printk(KERN_DEBUG "%s: authenticated\n", sdata->dev->name);
1054 	ifmgd->flags |= IEEE80211_STA_AUTHENTICATED;
1055 	if (ifmgd->flags & IEEE80211_STA_EXT_SME) {
1056 		/* Wait for SME to request association */
1057 		ifmgd->state = IEEE80211_STA_MLME_DISABLED;
1058 	} else
1059 		ieee80211_associate(sdata);
1060 }
1061 
1062 
1063 static void ieee80211_auth_challenge(struct ieee80211_sub_if_data *sdata,
1064 				     struct ieee80211_mgmt *mgmt,
1065 				     size_t len)
1066 {
1067 	u8 *pos;
1068 	struct ieee802_11_elems elems;
1069 
1070 	pos = mgmt->u.auth.variable;
1071 	ieee802_11_parse_elems(pos, len - (pos - (u8 *) mgmt), &elems);
1072 	if (!elems.challenge)
1073 		return;
1074 	ieee80211_send_auth(sdata, 3, sdata->u.mgd.auth_alg,
1075 			    elems.challenge - 2, elems.challenge_len + 2,
1076 			    sdata->u.mgd.bssid, 1);
1077 	sdata->u.mgd.auth_transaction = 4;
1078 }
1079 
1080 static void ieee80211_rx_mgmt_auth(struct ieee80211_sub_if_data *sdata,
1081 				   struct ieee80211_mgmt *mgmt,
1082 				   size_t len)
1083 {
1084 	struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
1085 	u16 auth_alg, auth_transaction, status_code;
1086 
1087 	if (ifmgd->state != IEEE80211_STA_MLME_AUTHENTICATE)
1088 		return;
1089 
1090 	if (len < 24 + 6)
1091 		return;
1092 
1093 	if (memcmp(ifmgd->bssid, mgmt->sa, ETH_ALEN) != 0)
1094 		return;
1095 
1096 	if (memcmp(ifmgd->bssid, mgmt->bssid, ETH_ALEN) != 0)
1097 		return;
1098 
1099 	auth_alg = le16_to_cpu(mgmt->u.auth.auth_alg);
1100 	auth_transaction = le16_to_cpu(mgmt->u.auth.auth_transaction);
1101 	status_code = le16_to_cpu(mgmt->u.auth.status_code);
1102 
1103 	if (auth_alg != ifmgd->auth_alg ||
1104 	    auth_transaction != ifmgd->auth_transaction)
1105 		return;
1106 
1107 	if (status_code != WLAN_STATUS_SUCCESS) {
1108 		if (status_code == WLAN_STATUS_NOT_SUPPORTED_AUTH_ALG) {
1109 			u8 algs[3];
1110 			const int num_algs = ARRAY_SIZE(algs);
1111 			int i, pos;
1112 			algs[0] = algs[1] = algs[2] = 0xff;
1113 			if (ifmgd->auth_algs & IEEE80211_AUTH_ALG_OPEN)
1114 				algs[0] = WLAN_AUTH_OPEN;
1115 			if (ifmgd->auth_algs & IEEE80211_AUTH_ALG_SHARED_KEY)
1116 				algs[1] = WLAN_AUTH_SHARED_KEY;
1117 			if (ifmgd->auth_algs & IEEE80211_AUTH_ALG_LEAP)
1118 				algs[2] = WLAN_AUTH_LEAP;
1119 			if (ifmgd->auth_alg == WLAN_AUTH_OPEN)
1120 				pos = 0;
1121 			else if (ifmgd->auth_alg == WLAN_AUTH_SHARED_KEY)
1122 				pos = 1;
1123 			else
1124 				pos = 2;
1125 			for (i = 0; i < num_algs; i++) {
1126 				pos++;
1127 				if (pos >= num_algs)
1128 					pos = 0;
1129 				if (algs[pos] == ifmgd->auth_alg ||
1130 				    algs[pos] == 0xff)
1131 					continue;
1132 				if (algs[pos] == WLAN_AUTH_SHARED_KEY &&
1133 				    !ieee80211_sta_wep_configured(sdata))
1134 					continue;
1135 				ifmgd->auth_alg = algs[pos];
1136 				break;
1137 			}
1138 		}
1139 		return;
1140 	}
1141 
1142 	switch (ifmgd->auth_alg) {
1143 	case WLAN_AUTH_OPEN:
1144 	case WLAN_AUTH_LEAP:
1145 	case WLAN_AUTH_FT:
1146 		ieee80211_auth_completed(sdata);
1147 		cfg80211_send_rx_auth(sdata->dev, (u8 *) mgmt, len);
1148 		break;
1149 	case WLAN_AUTH_SHARED_KEY:
1150 		if (ifmgd->auth_transaction == 4) {
1151 			ieee80211_auth_completed(sdata);
1152 			cfg80211_send_rx_auth(sdata->dev, (u8 *) mgmt, len);
1153 		} else
1154 			ieee80211_auth_challenge(sdata, mgmt, len);
1155 		break;
1156 	}
1157 }
1158 
1159 
1160 static void ieee80211_rx_mgmt_deauth(struct ieee80211_sub_if_data *sdata,
1161 				     struct ieee80211_mgmt *mgmt,
1162 				     size_t len)
1163 {
1164 	struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
1165 	u16 reason_code;
1166 
1167 	if (len < 24 + 2)
1168 		return;
1169 
1170 	if (memcmp(ifmgd->bssid, mgmt->sa, ETH_ALEN))
1171 		return;
1172 
1173 	reason_code = le16_to_cpu(mgmt->u.deauth.reason_code);
1174 
1175 	if (ifmgd->flags & IEEE80211_STA_AUTHENTICATED)
1176 		printk(KERN_DEBUG "%s: deauthenticated (Reason: %u)\n",
1177 				sdata->dev->name, reason_code);
1178 
1179 	if (!(ifmgd->flags & IEEE80211_STA_EXT_SME) &&
1180 	    (ifmgd->state == IEEE80211_STA_MLME_AUTHENTICATE ||
1181 	     ifmgd->state == IEEE80211_STA_MLME_ASSOCIATE ||
1182 	     ifmgd->state == IEEE80211_STA_MLME_ASSOCIATED)) {
1183 		ifmgd->state = IEEE80211_STA_MLME_DIRECT_PROBE;
1184 		mod_timer(&ifmgd->timer, jiffies +
1185 				      IEEE80211_RETRY_AUTH_INTERVAL);
1186 	}
1187 
1188 	ieee80211_set_disassoc(sdata, true, false, 0);
1189 	ifmgd->flags &= ~IEEE80211_STA_AUTHENTICATED;
1190 	cfg80211_send_rx_deauth(sdata->dev, (u8 *) mgmt, len);
1191 }
1192 
1193 
1194 static void ieee80211_rx_mgmt_disassoc(struct ieee80211_sub_if_data *sdata,
1195 				       struct ieee80211_mgmt *mgmt,
1196 				       size_t len)
1197 {
1198 	struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
1199 	u16 reason_code;
1200 
1201 	if (len < 24 + 2)
1202 		return;
1203 
1204 	if (memcmp(ifmgd->bssid, mgmt->sa, ETH_ALEN))
1205 		return;
1206 
1207 	reason_code = le16_to_cpu(mgmt->u.disassoc.reason_code);
1208 
1209 	if (ifmgd->flags & IEEE80211_STA_ASSOCIATED)
1210 		printk(KERN_DEBUG "%s: disassociated (Reason: %u)\n",
1211 				sdata->dev->name, reason_code);
1212 
1213 	if (!(ifmgd->flags & IEEE80211_STA_EXT_SME) &&
1214 	    ifmgd->state == IEEE80211_STA_MLME_ASSOCIATED) {
1215 		ifmgd->state = IEEE80211_STA_MLME_ASSOCIATE;
1216 		mod_timer(&ifmgd->timer, jiffies +
1217 				      IEEE80211_RETRY_AUTH_INTERVAL);
1218 	}
1219 
1220 	ieee80211_set_disassoc(sdata, false, false, reason_code);
1221 	cfg80211_send_rx_disassoc(sdata->dev, (u8 *) mgmt, len);
1222 }
1223 
1224 
1225 static void ieee80211_rx_mgmt_assoc_resp(struct ieee80211_sub_if_data *sdata,
1226 					 struct ieee80211_mgmt *mgmt,
1227 					 size_t len,
1228 					 int reassoc)
1229 {
1230 	struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
1231 	struct ieee80211_local *local = sdata->local;
1232 	struct ieee80211_supported_band *sband;
1233 	struct sta_info *sta;
1234 	u32 rates, basic_rates;
1235 	u16 capab_info, status_code, aid;
1236 	struct ieee802_11_elems elems;
1237 	struct ieee80211_bss_conf *bss_conf = &sdata->vif.bss_conf;
1238 	u8 *pos;
1239 	u32 changed = 0;
1240 	int i, j;
1241 	bool have_higher_than_11mbit = false, newsta = false;
1242 	u16 ap_ht_cap_flags;
1243 
1244 	/* AssocResp and ReassocResp have identical structure, so process both
1245 	 * of them in this function. */
1246 
1247 	if (ifmgd->state != IEEE80211_STA_MLME_ASSOCIATE)
1248 		return;
1249 
1250 	if (len < 24 + 6)
1251 		return;
1252 
1253 	if (memcmp(ifmgd->bssid, mgmt->sa, ETH_ALEN) != 0)
1254 		return;
1255 
1256 	capab_info = le16_to_cpu(mgmt->u.assoc_resp.capab_info);
1257 	status_code = le16_to_cpu(mgmt->u.assoc_resp.status_code);
1258 	aid = le16_to_cpu(mgmt->u.assoc_resp.aid);
1259 
1260 	printk(KERN_DEBUG "%s: RX %sssocResp from %pM (capab=0x%x "
1261 	       "status=%d aid=%d)\n",
1262 	       sdata->dev->name, reassoc ? "Rea" : "A", mgmt->sa,
1263 	       capab_info, status_code, (u16)(aid & ~(BIT(15) | BIT(14))));
1264 
1265 	pos = mgmt->u.assoc_resp.variable;
1266 	ieee802_11_parse_elems(pos, len - (pos - (u8 *) mgmt), &elems);
1267 
1268 	if (status_code == WLAN_STATUS_ASSOC_REJECTED_TEMPORARILY &&
1269 	    elems.timeout_int && elems.timeout_int_len == 5 &&
1270 	    elems.timeout_int[0] == WLAN_TIMEOUT_ASSOC_COMEBACK) {
1271 		u32 tu, ms;
1272 		tu = get_unaligned_le32(elems.timeout_int + 1);
1273 		ms = tu * 1024 / 1000;
1274 		printk(KERN_DEBUG "%s: AP rejected association temporarily; "
1275 		       "comeback duration %u TU (%u ms)\n",
1276 		       sdata->dev->name, tu, ms);
1277 		if (ms > IEEE80211_ASSOC_TIMEOUT)
1278 			mod_timer(&ifmgd->timer,
1279 				  jiffies + msecs_to_jiffies(ms));
1280 		return;
1281 	}
1282 
1283 	if (status_code != WLAN_STATUS_SUCCESS) {
1284 		printk(KERN_DEBUG "%s: AP denied association (code=%d)\n",
1285 		       sdata->dev->name, status_code);
1286 		/* if this was a reassociation, ensure we try a "full"
1287 		 * association next time. This works around some broken APs
1288 		 * which do not correctly reject reassociation requests. */
1289 		ifmgd->flags &= ~IEEE80211_STA_PREV_BSSID_SET;
1290 		return;
1291 	}
1292 
1293 	if ((aid & (BIT(15) | BIT(14))) != (BIT(15) | BIT(14)))
1294 		printk(KERN_DEBUG "%s: invalid aid value %d; bits 15:14 not "
1295 		       "set\n", sdata->dev->name, aid);
1296 	aid &= ~(BIT(15) | BIT(14));
1297 
1298 	if (!elems.supp_rates) {
1299 		printk(KERN_DEBUG "%s: no SuppRates element in AssocResp\n",
1300 		       sdata->dev->name);
1301 		return;
1302 	}
1303 
1304 	printk(KERN_DEBUG "%s: associated\n", sdata->dev->name);
1305 	ifmgd->aid = aid;
1306 	ifmgd->ap_capab = capab_info;
1307 
1308 	kfree(ifmgd->assocresp_ies);
1309 	ifmgd->assocresp_ies_len = len - (pos - (u8 *) mgmt);
1310 	ifmgd->assocresp_ies = kmalloc(ifmgd->assocresp_ies_len, GFP_KERNEL);
1311 	if (ifmgd->assocresp_ies)
1312 		memcpy(ifmgd->assocresp_ies, pos, ifmgd->assocresp_ies_len);
1313 
1314 	rcu_read_lock();
1315 
1316 	/* Add STA entry for the AP */
1317 	sta = sta_info_get(local, ifmgd->bssid);
1318 	if (!sta) {
1319 		newsta = true;
1320 
1321 		sta = sta_info_alloc(sdata, ifmgd->bssid, GFP_ATOMIC);
1322 		if (!sta) {
1323 			printk(KERN_DEBUG "%s: failed to alloc STA entry for"
1324 			       " the AP\n", sdata->dev->name);
1325 			rcu_read_unlock();
1326 			return;
1327 		}
1328 
1329 		/* update new sta with its last rx activity */
1330 		sta->last_rx = jiffies;
1331 	}
1332 
1333 	/*
1334 	 * FIXME: Do we really need to update the sta_info's information here?
1335 	 *	  We already know about the AP (we found it in our list) so it
1336 	 *	  should already be filled with the right info, no?
1337 	 *	  As is stands, all this is racy because typically we assume
1338 	 *	  the information that is filled in here (except flags) doesn't
1339 	 *	  change while a STA structure is alive. As such, it should move
1340 	 *	  to between the sta_info_alloc() and sta_info_insert() above.
1341 	 */
1342 
1343 	set_sta_flags(sta, WLAN_STA_AUTH | WLAN_STA_ASSOC | WLAN_STA_ASSOC_AP |
1344 			   WLAN_STA_AUTHORIZED);
1345 
1346 	rates = 0;
1347 	basic_rates = 0;
1348 	sband = local->hw.wiphy->bands[local->hw.conf.channel->band];
1349 
1350 	for (i = 0; i < elems.supp_rates_len; i++) {
1351 		int rate = (elems.supp_rates[i] & 0x7f) * 5;
1352 		bool is_basic = !!(elems.supp_rates[i] & 0x80);
1353 
1354 		if (rate > 110)
1355 			have_higher_than_11mbit = true;
1356 
1357 		for (j = 0; j < sband->n_bitrates; j++) {
1358 			if (sband->bitrates[j].bitrate == rate) {
1359 				rates |= BIT(j);
1360 				if (is_basic)
1361 					basic_rates |= BIT(j);
1362 				break;
1363 			}
1364 		}
1365 	}
1366 
1367 	for (i = 0; i < elems.ext_supp_rates_len; i++) {
1368 		int rate = (elems.ext_supp_rates[i] & 0x7f) * 5;
1369 		bool is_basic = !!(elems.ext_supp_rates[i] & 0x80);
1370 
1371 		if (rate > 110)
1372 			have_higher_than_11mbit = true;
1373 
1374 		for (j = 0; j < sband->n_bitrates; j++) {
1375 			if (sband->bitrates[j].bitrate == rate) {
1376 				rates |= BIT(j);
1377 				if (is_basic)
1378 					basic_rates |= BIT(j);
1379 				break;
1380 			}
1381 		}
1382 	}
1383 
1384 	sta->sta.supp_rates[local->hw.conf.channel->band] = rates;
1385 	sdata->vif.bss_conf.basic_rates = basic_rates;
1386 
1387 	/* cf. IEEE 802.11 9.2.12 */
1388 	if (local->hw.conf.channel->band == IEEE80211_BAND_2GHZ &&
1389 	    have_higher_than_11mbit)
1390 		sdata->flags |= IEEE80211_SDATA_OPERATING_GMODE;
1391 	else
1392 		sdata->flags &= ~IEEE80211_SDATA_OPERATING_GMODE;
1393 
1394 	/* If TKIP/WEP is used, no need to parse AP's HT capabilities */
1395 	if (elems.ht_cap_elem && !(ifmgd->flags & IEEE80211_STA_TKIP_WEP_USED))
1396 		ieee80211_ht_cap_ie_to_sta_ht_cap(sband,
1397 				elems.ht_cap_elem, &sta->sta.ht_cap);
1398 
1399 	ap_ht_cap_flags = sta->sta.ht_cap.cap;
1400 
1401 	rate_control_rate_init(sta);
1402 
1403 	if (ifmgd->flags & IEEE80211_STA_MFP_ENABLED)
1404 		set_sta_flags(sta, WLAN_STA_MFP);
1405 
1406 	if (elems.wmm_param)
1407 		set_sta_flags(sta, WLAN_STA_WME);
1408 
1409 	if (newsta) {
1410 		int err = sta_info_insert(sta);
1411 		if (err) {
1412 			printk(KERN_DEBUG "%s: failed to insert STA entry for"
1413 			       " the AP (error %d)\n", sdata->dev->name, err);
1414 			rcu_read_unlock();
1415 			return;
1416 		}
1417 	}
1418 
1419 	rcu_read_unlock();
1420 
1421 	if (elems.wmm_param)
1422 		ieee80211_sta_wmm_params(local, ifmgd, elems.wmm_param,
1423 					 elems.wmm_param_len);
1424 
1425 	if (elems.ht_info_elem && elems.wmm_param &&
1426 	    (ifmgd->flags & IEEE80211_STA_WMM_ENABLED) &&
1427 	    !(ifmgd->flags & IEEE80211_STA_TKIP_WEP_USED))
1428 		changed |= ieee80211_enable_ht(sdata, elems.ht_info_elem,
1429 					       ap_ht_cap_flags);
1430 
1431 	/* set AID and assoc capability,
1432 	 * ieee80211_set_associated() will tell the driver */
1433 	bss_conf->aid = aid;
1434 	bss_conf->assoc_capability = capab_info;
1435 	ieee80211_set_associated(sdata, changed);
1436 
1437 	/*
1438 	 * initialise the time of last beacon to be the association time,
1439 	 * otherwise beacon loss check will trigger immediately
1440 	 */
1441 	ifmgd->last_beacon = jiffies;
1442 
1443 	ieee80211_associated(sdata);
1444 	cfg80211_send_rx_assoc(sdata->dev, (u8 *) mgmt, len);
1445 }
1446 
1447 
1448 static void ieee80211_rx_bss_info(struct ieee80211_sub_if_data *sdata,
1449 				  struct ieee80211_mgmt *mgmt,
1450 				  size_t len,
1451 				  struct ieee80211_rx_status *rx_status,
1452 				  struct ieee802_11_elems *elems,
1453 				  bool beacon)
1454 {
1455 	struct ieee80211_local *local = sdata->local;
1456 	int freq;
1457 	struct ieee80211_bss *bss;
1458 	struct ieee80211_channel *channel;
1459 
1460 	if (elems->ds_params && elems->ds_params_len == 1)
1461 		freq = ieee80211_channel_to_frequency(elems->ds_params[0]);
1462 	else
1463 		freq = rx_status->freq;
1464 
1465 	channel = ieee80211_get_channel(local->hw.wiphy, freq);
1466 
1467 	if (!channel || channel->flags & IEEE80211_CHAN_DISABLED)
1468 		return;
1469 
1470 	bss = ieee80211_bss_info_update(local, rx_status, mgmt, len, elems,
1471 					channel, beacon);
1472 	if (!bss)
1473 		return;
1474 
1475 	if (elems->ch_switch_elem && (elems->ch_switch_elem_len == 3) &&
1476 	    (memcmp(mgmt->bssid, sdata->u.mgd.bssid, ETH_ALEN) == 0)) {
1477 		struct ieee80211_channel_sw_ie *sw_elem =
1478 			(struct ieee80211_channel_sw_ie *)elems->ch_switch_elem;
1479 		ieee80211_process_chanswitch(sdata, sw_elem, bss);
1480 	}
1481 
1482 	ieee80211_rx_bss_put(local, bss);
1483 }
1484 
1485 
1486 static void ieee80211_rx_mgmt_probe_resp(struct ieee80211_sub_if_data *sdata,
1487 					 struct ieee80211_mgmt *mgmt,
1488 					 size_t len,
1489 					 struct ieee80211_rx_status *rx_status)
1490 {
1491 	struct ieee80211_if_managed *ifmgd;
1492 	size_t baselen;
1493 	struct ieee802_11_elems elems;
1494 
1495 	ifmgd = &sdata->u.mgd;
1496 
1497 	if (memcmp(mgmt->da, sdata->dev->dev_addr, ETH_ALEN))
1498 		return; /* ignore ProbeResp to foreign address */
1499 
1500 	baselen = (u8 *) mgmt->u.probe_resp.variable - (u8 *) mgmt;
1501 	if (baselen > len)
1502 		return;
1503 
1504 	ieee802_11_parse_elems(mgmt->u.probe_resp.variable, len - baselen,
1505 				&elems);
1506 
1507 	ieee80211_rx_bss_info(sdata, mgmt, len, rx_status, &elems, false);
1508 
1509 	/* direct probe may be part of the association flow */
1510 	if (test_and_clear_bit(IEEE80211_STA_REQ_DIRECT_PROBE,
1511 			       &ifmgd->request)) {
1512 		printk(KERN_DEBUG "%s direct probe responded\n",
1513 		       sdata->dev->name);
1514 		ieee80211_authenticate(sdata);
1515 	}
1516 
1517 	if (ifmgd->flags & IEEE80211_STA_PROBEREQ_POLL)
1518 		ifmgd->flags &= ~IEEE80211_STA_PROBEREQ_POLL;
1519 }
1520 
1521 static void ieee80211_rx_mgmt_beacon(struct ieee80211_sub_if_data *sdata,
1522 				     struct ieee80211_mgmt *mgmt,
1523 				     size_t len,
1524 				     struct ieee80211_rx_status *rx_status)
1525 {
1526 	struct ieee80211_if_managed *ifmgd;
1527 	size_t baselen;
1528 	struct ieee802_11_elems elems;
1529 	struct ieee80211_local *local = sdata->local;
1530 	u32 changed = 0;
1531 	bool erp_valid, directed_tim;
1532 	u8 erp_value = 0;
1533 
1534 	/* Process beacon from the current BSS */
1535 	baselen = (u8 *) mgmt->u.beacon.variable - (u8 *) mgmt;
1536 	if (baselen > len)
1537 		return;
1538 
1539 	ieee802_11_parse_elems(mgmt->u.beacon.variable, len - baselen, &elems);
1540 
1541 	ieee80211_rx_bss_info(sdata, mgmt, len, rx_status, &elems, true);
1542 
1543 	if (sdata->vif.type != NL80211_IFTYPE_STATION)
1544 		return;
1545 
1546 	ifmgd = &sdata->u.mgd;
1547 
1548 	if (!(ifmgd->flags & IEEE80211_STA_ASSOCIATED) ||
1549 	    memcmp(ifmgd->bssid, mgmt->bssid, ETH_ALEN) != 0)
1550 		return;
1551 
1552 	if (rx_status->freq != local->hw.conf.channel->center_freq)
1553 		return;
1554 
1555 	ieee80211_sta_wmm_params(local, ifmgd, elems.wmm_param,
1556 				 elems.wmm_param_len);
1557 
1558 	if (local->hw.flags & IEEE80211_HW_PS_NULLFUNC_STACK) {
1559 		directed_tim = ieee80211_check_tim(&elems, ifmgd->aid);
1560 
1561 		if (directed_tim) {
1562 			if (local->hw.conf.dynamic_ps_timeout > 0) {
1563 				local->hw.conf.flags &= ~IEEE80211_CONF_PS;
1564 				ieee80211_hw_config(local,
1565 						    IEEE80211_CONF_CHANGE_PS);
1566 				ieee80211_send_nullfunc(local, sdata, 0);
1567 			} else {
1568 				local->pspolling = true;
1569 
1570 				/*
1571 				 * Here is assumed that the driver will be
1572 				 * able to send ps-poll frame and receive a
1573 				 * response even though power save mode is
1574 				 * enabled, but some drivers might require
1575 				 * to disable power save here. This needs
1576 				 * to be investigated.
1577 				 */
1578 				ieee80211_send_pspoll(local, sdata);
1579 			}
1580 		}
1581 	}
1582 
1583 	if (elems.erp_info && elems.erp_info_len >= 1) {
1584 		erp_valid = true;
1585 		erp_value = elems.erp_info[0];
1586 	} else {
1587 		erp_valid = false;
1588 	}
1589 	changed |= ieee80211_handle_bss_capability(sdata,
1590 			le16_to_cpu(mgmt->u.beacon.capab_info),
1591 			erp_valid, erp_value);
1592 
1593 
1594 	if (elems.ht_cap_elem && elems.ht_info_elem && elems.wmm_param &&
1595 	    !(ifmgd->flags & IEEE80211_STA_TKIP_WEP_USED)) {
1596 		struct sta_info *sta;
1597 		struct ieee80211_supported_band *sband;
1598 		u16 ap_ht_cap_flags;
1599 
1600 		rcu_read_lock();
1601 
1602 		sta = sta_info_get(local, ifmgd->bssid);
1603 		if (!sta) {
1604 			rcu_read_unlock();
1605 			return;
1606 		}
1607 
1608 		sband = local->hw.wiphy->bands[local->hw.conf.channel->band];
1609 
1610 		ieee80211_ht_cap_ie_to_sta_ht_cap(sband,
1611 				elems.ht_cap_elem, &sta->sta.ht_cap);
1612 
1613 		ap_ht_cap_flags = sta->sta.ht_cap.cap;
1614 
1615 		rcu_read_unlock();
1616 
1617 		changed |= ieee80211_enable_ht(sdata, elems.ht_info_elem,
1618 					       ap_ht_cap_flags);
1619 	}
1620 
1621 	if (elems.country_elem) {
1622 		/* Note we are only reviewing this on beacons
1623 		 * for the BSSID we are associated to */
1624 		regulatory_hint_11d(local->hw.wiphy,
1625 			elems.country_elem, elems.country_elem_len);
1626 
1627 		/* TODO: IBSS also needs this */
1628 		if (elems.pwr_constr_elem)
1629 			ieee80211_handle_pwr_constr(sdata,
1630 				le16_to_cpu(mgmt->u.probe_resp.capab_info),
1631 				elems.pwr_constr_elem,
1632 				elems.pwr_constr_elem_len);
1633 	}
1634 
1635 	ieee80211_bss_info_change_notify(sdata, changed);
1636 }
1637 
1638 ieee80211_rx_result ieee80211_sta_rx_mgmt(struct ieee80211_sub_if_data *sdata,
1639 					  struct sk_buff *skb,
1640 					  struct ieee80211_rx_status *rx_status)
1641 {
1642 	struct ieee80211_local *local = sdata->local;
1643 	struct ieee80211_mgmt *mgmt;
1644 	u16 fc;
1645 
1646 	if (skb->len < 24)
1647 		return RX_DROP_MONITOR;
1648 
1649 	mgmt = (struct ieee80211_mgmt *) skb->data;
1650 	fc = le16_to_cpu(mgmt->frame_control);
1651 
1652 	switch (fc & IEEE80211_FCTL_STYPE) {
1653 	case IEEE80211_STYPE_PROBE_REQ:
1654 	case IEEE80211_STYPE_PROBE_RESP:
1655 	case IEEE80211_STYPE_BEACON:
1656 		memcpy(skb->cb, rx_status, sizeof(*rx_status));
1657 	case IEEE80211_STYPE_AUTH:
1658 	case IEEE80211_STYPE_ASSOC_RESP:
1659 	case IEEE80211_STYPE_REASSOC_RESP:
1660 	case IEEE80211_STYPE_DEAUTH:
1661 	case IEEE80211_STYPE_DISASSOC:
1662 		skb_queue_tail(&sdata->u.mgd.skb_queue, skb);
1663 		queue_work(local->hw.workqueue, &sdata->u.mgd.work);
1664 		return RX_QUEUED;
1665 	}
1666 
1667 	return RX_DROP_MONITOR;
1668 }
1669 
1670 static void ieee80211_sta_rx_queued_mgmt(struct ieee80211_sub_if_data *sdata,
1671 					 struct sk_buff *skb)
1672 {
1673 	struct ieee80211_rx_status *rx_status;
1674 	struct ieee80211_mgmt *mgmt;
1675 	u16 fc;
1676 
1677 	rx_status = (struct ieee80211_rx_status *) skb->cb;
1678 	mgmt = (struct ieee80211_mgmt *) skb->data;
1679 	fc = le16_to_cpu(mgmt->frame_control);
1680 
1681 	switch (fc & IEEE80211_FCTL_STYPE) {
1682 	case IEEE80211_STYPE_PROBE_RESP:
1683 		ieee80211_rx_mgmt_probe_resp(sdata, mgmt, skb->len,
1684 					     rx_status);
1685 		break;
1686 	case IEEE80211_STYPE_BEACON:
1687 		ieee80211_rx_mgmt_beacon(sdata, mgmt, skb->len,
1688 					 rx_status);
1689 		break;
1690 	case IEEE80211_STYPE_AUTH:
1691 		ieee80211_rx_mgmt_auth(sdata, mgmt, skb->len);
1692 		break;
1693 	case IEEE80211_STYPE_ASSOC_RESP:
1694 		ieee80211_rx_mgmt_assoc_resp(sdata, mgmt, skb->len, 0);
1695 		break;
1696 	case IEEE80211_STYPE_REASSOC_RESP:
1697 		ieee80211_rx_mgmt_assoc_resp(sdata, mgmt, skb->len, 1);
1698 		break;
1699 	case IEEE80211_STYPE_DEAUTH:
1700 		ieee80211_rx_mgmt_deauth(sdata, mgmt, skb->len);
1701 		break;
1702 	case IEEE80211_STYPE_DISASSOC:
1703 		ieee80211_rx_mgmt_disassoc(sdata, mgmt, skb->len);
1704 		break;
1705 	}
1706 
1707 	kfree_skb(skb);
1708 }
1709 
1710 static void ieee80211_sta_timer(unsigned long data)
1711 {
1712 	struct ieee80211_sub_if_data *sdata =
1713 		(struct ieee80211_sub_if_data *) data;
1714 	struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
1715 	struct ieee80211_local *local = sdata->local;
1716 
1717 	set_bit(IEEE80211_STA_REQ_RUN, &ifmgd->request);
1718 	queue_work(local->hw.workqueue, &ifmgd->work);
1719 }
1720 
1721 static void ieee80211_sta_reset_auth(struct ieee80211_sub_if_data *sdata)
1722 {
1723 	struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
1724 	struct ieee80211_local *local = sdata->local;
1725 
1726 	if (local->ops->reset_tsf) {
1727 		/* Reset own TSF to allow time synchronization work. */
1728 		local->ops->reset_tsf(local_to_hw(local));
1729 	}
1730 
1731 	ifmgd->wmm_last_param_set = -1; /* allow any WMM update */
1732 
1733 
1734 	if (ifmgd->auth_algs & IEEE80211_AUTH_ALG_OPEN)
1735 		ifmgd->auth_alg = WLAN_AUTH_OPEN;
1736 	else if (ifmgd->auth_algs & IEEE80211_AUTH_ALG_SHARED_KEY)
1737 		ifmgd->auth_alg = WLAN_AUTH_SHARED_KEY;
1738 	else if (ifmgd->auth_algs & IEEE80211_AUTH_ALG_LEAP)
1739 		ifmgd->auth_alg = WLAN_AUTH_LEAP;
1740 	else if (ifmgd->auth_algs & IEEE80211_AUTH_ALG_FT)
1741 		ifmgd->auth_alg = WLAN_AUTH_FT;
1742 	else
1743 		ifmgd->auth_alg = WLAN_AUTH_OPEN;
1744 	ifmgd->auth_transaction = -1;
1745 	ifmgd->flags &= ~IEEE80211_STA_ASSOCIATED;
1746 	ifmgd->assoc_scan_tries = 0;
1747 	ifmgd->direct_probe_tries = 0;
1748 	ifmgd->auth_tries = 0;
1749 	ifmgd->assoc_tries = 0;
1750 	netif_tx_stop_all_queues(sdata->dev);
1751 	netif_carrier_off(sdata->dev);
1752 }
1753 
1754 static int ieee80211_sta_config_auth(struct ieee80211_sub_if_data *sdata)
1755 {
1756 	struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
1757 	struct ieee80211_local *local = sdata->local;
1758 	struct ieee80211_bss *bss;
1759 	u8 *bssid = ifmgd->bssid, *ssid = ifmgd->ssid;
1760 	u8 ssid_len = ifmgd->ssid_len;
1761 	u16 capa_mask = WLAN_CAPABILITY_ESS;
1762 	u16 capa_val = WLAN_CAPABILITY_ESS;
1763 	struct ieee80211_channel *chan = local->oper_channel;
1764 
1765 	if (!(ifmgd->flags & IEEE80211_STA_EXT_SME) &&
1766 	    ifmgd->flags & (IEEE80211_STA_AUTO_SSID_SEL |
1767 			    IEEE80211_STA_AUTO_BSSID_SEL |
1768 			    IEEE80211_STA_AUTO_CHANNEL_SEL)) {
1769 		capa_mask |= WLAN_CAPABILITY_PRIVACY;
1770 		if (sdata->default_key)
1771 			capa_val |= WLAN_CAPABILITY_PRIVACY;
1772 	}
1773 
1774 	if (ifmgd->flags & IEEE80211_STA_AUTO_CHANNEL_SEL)
1775 		chan = NULL;
1776 
1777 	if (ifmgd->flags & IEEE80211_STA_AUTO_BSSID_SEL)
1778 		bssid = NULL;
1779 
1780 	if (ifmgd->flags & IEEE80211_STA_AUTO_SSID_SEL) {
1781 		ssid = NULL;
1782 		ssid_len = 0;
1783 	}
1784 
1785 	bss = (void *)cfg80211_get_bss(local->hw.wiphy, chan,
1786 				       bssid, ssid, ssid_len,
1787 				       capa_mask, capa_val);
1788 
1789 	if (bss) {
1790 		ieee80211_set_freq(sdata, bss->cbss.channel->center_freq);
1791 		if (!(ifmgd->flags & IEEE80211_STA_SSID_SET))
1792 			ieee80211_sta_set_ssid(sdata, bss->ssid,
1793 					       bss->ssid_len);
1794 		ieee80211_sta_set_bssid(sdata, bss->cbss.bssid);
1795 		ieee80211_sta_def_wmm_params(sdata, bss->supp_rates_len,
1796 						    bss->supp_rates);
1797 		if (sdata->u.mgd.mfp == IEEE80211_MFP_REQUIRED)
1798 			sdata->u.mgd.flags |= IEEE80211_STA_MFP_ENABLED;
1799 		else
1800 			sdata->u.mgd.flags &= ~IEEE80211_STA_MFP_ENABLED;
1801 
1802 		/* Send out direct probe if no probe resp was received or
1803 		 * the one we have is outdated
1804 		 */
1805 		if (!bss->last_probe_resp ||
1806 		    time_after(jiffies, bss->last_probe_resp
1807 					+ IEEE80211_SCAN_RESULT_EXPIRE))
1808 			ifmgd->state = IEEE80211_STA_MLME_DIRECT_PROBE;
1809 		else
1810 			ifmgd->state = IEEE80211_STA_MLME_AUTHENTICATE;
1811 
1812 		ieee80211_rx_bss_put(local, bss);
1813 		ieee80211_sta_reset_auth(sdata);
1814 		return 0;
1815 	} else {
1816 		if (ifmgd->assoc_scan_tries < IEEE80211_ASSOC_SCANS_MAX_TRIES) {
1817 			ifmgd->assoc_scan_tries++;
1818 			/* XXX maybe racy? */
1819 			if (local->scan_req)
1820 				return -1;
1821 			memcpy(local->int_scan_req.ssids[0].ssid,
1822 			       ifmgd->ssid, IEEE80211_MAX_SSID_LEN);
1823 			if (ifmgd->flags & IEEE80211_STA_AUTO_SSID_SEL)
1824 				local->int_scan_req.ssids[0].ssid_len = 0;
1825 			else
1826 				local->int_scan_req.ssids[0].ssid_len = ifmgd->ssid_len;
1827 
1828 			if (ieee80211_start_scan(sdata, &local->int_scan_req))
1829 				ieee80211_scan_failed(local);
1830 
1831 			ifmgd->state = IEEE80211_STA_MLME_AUTHENTICATE;
1832 			set_bit(IEEE80211_STA_REQ_AUTH, &ifmgd->request);
1833 		} else {
1834 			ifmgd->assoc_scan_tries = 0;
1835 			ifmgd->state = IEEE80211_STA_MLME_DISABLED;
1836 		}
1837 	}
1838 	return -1;
1839 }
1840 
1841 
1842 static void ieee80211_sta_work(struct work_struct *work)
1843 {
1844 	struct ieee80211_sub_if_data *sdata =
1845 		container_of(work, struct ieee80211_sub_if_data, u.mgd.work);
1846 	struct ieee80211_local *local = sdata->local;
1847 	struct ieee80211_if_managed *ifmgd;
1848 	struct sk_buff *skb;
1849 
1850 	if (!netif_running(sdata->dev))
1851 		return;
1852 
1853 	if (local->sw_scanning || local->hw_scanning)
1854 		return;
1855 
1856 	if (WARN_ON(sdata->vif.type != NL80211_IFTYPE_STATION))
1857 		return;
1858 	ifmgd = &sdata->u.mgd;
1859 
1860 	while ((skb = skb_dequeue(&ifmgd->skb_queue)))
1861 		ieee80211_sta_rx_queued_mgmt(sdata, skb);
1862 
1863 	if (ifmgd->state != IEEE80211_STA_MLME_DIRECT_PROBE &&
1864 	    ifmgd->state != IEEE80211_STA_MLME_AUTHENTICATE &&
1865 	    ifmgd->state != IEEE80211_STA_MLME_ASSOCIATE &&
1866 	    test_and_clear_bit(IEEE80211_STA_REQ_SCAN, &ifmgd->request)) {
1867 		/*
1868 		 * The call to ieee80211_start_scan can fail but ieee80211_request_scan
1869 		 * (which queued ieee80211_sta_work) did not return an error. Thus, call
1870 		 * ieee80211_scan_failed here if ieee80211_start_scan fails in order to
1871 		 * notify the scan requester.
1872 		 */
1873 		if (ieee80211_start_scan(sdata, local->scan_req))
1874 			ieee80211_scan_failed(local);
1875 		return;
1876 	}
1877 
1878 	if (test_and_clear_bit(IEEE80211_STA_REQ_AUTH, &ifmgd->request)) {
1879 		if (ieee80211_sta_config_auth(sdata))
1880 			return;
1881 		clear_bit(IEEE80211_STA_REQ_RUN, &ifmgd->request);
1882 	} else if (!test_and_clear_bit(IEEE80211_STA_REQ_RUN, &ifmgd->request))
1883 		return;
1884 
1885 	switch (ifmgd->state) {
1886 	case IEEE80211_STA_MLME_DISABLED:
1887 		break;
1888 	case IEEE80211_STA_MLME_DIRECT_PROBE:
1889 		ieee80211_direct_probe(sdata);
1890 		break;
1891 	case IEEE80211_STA_MLME_AUTHENTICATE:
1892 		ieee80211_authenticate(sdata);
1893 		break;
1894 	case IEEE80211_STA_MLME_ASSOCIATE:
1895 		ieee80211_associate(sdata);
1896 		break;
1897 	case IEEE80211_STA_MLME_ASSOCIATED:
1898 		ieee80211_associated(sdata);
1899 		break;
1900 	default:
1901 		WARN_ON(1);
1902 		break;
1903 	}
1904 
1905 	if (ieee80211_privacy_mismatch(sdata)) {
1906 		printk(KERN_DEBUG "%s: privacy configuration mismatch and "
1907 		       "mixed-cell disabled - disassociate\n", sdata->dev->name);
1908 
1909 		ieee80211_set_disassoc(sdata, false, true,
1910 					WLAN_REASON_UNSPECIFIED);
1911 	}
1912 }
1913 
1914 static void ieee80211_restart_sta_timer(struct ieee80211_sub_if_data *sdata)
1915 {
1916 	if (sdata->vif.type == NL80211_IFTYPE_STATION) {
1917 		/*
1918 		 * Need to update last_beacon to avoid beacon loss
1919 		 * test to trigger.
1920 		 */
1921 		sdata->u.mgd.last_beacon = jiffies;
1922 
1923 
1924 		queue_work(sdata->local->hw.workqueue,
1925 			   &sdata->u.mgd.work);
1926 	}
1927 }
1928 
1929 /* interface setup */
1930 void ieee80211_sta_setup_sdata(struct ieee80211_sub_if_data *sdata)
1931 {
1932 	struct ieee80211_if_managed *ifmgd;
1933 
1934 	ifmgd = &sdata->u.mgd;
1935 	INIT_WORK(&ifmgd->work, ieee80211_sta_work);
1936 	INIT_WORK(&ifmgd->chswitch_work, ieee80211_chswitch_work);
1937 	INIT_WORK(&ifmgd->beacon_loss_work, ieee80211_beacon_loss_work);
1938 	setup_timer(&ifmgd->timer, ieee80211_sta_timer,
1939 		    (unsigned long) sdata);
1940 	setup_timer(&ifmgd->chswitch_timer, ieee80211_chswitch_timer,
1941 		    (unsigned long) sdata);
1942 	skb_queue_head_init(&ifmgd->skb_queue);
1943 
1944 	ifmgd->capab = WLAN_CAPABILITY_ESS;
1945 	ifmgd->auth_algs = IEEE80211_AUTH_ALG_OPEN |
1946 		IEEE80211_AUTH_ALG_SHARED_KEY;
1947 	ifmgd->flags |= IEEE80211_STA_CREATE_IBSS |
1948 		IEEE80211_STA_AUTO_BSSID_SEL |
1949 		IEEE80211_STA_AUTO_CHANNEL_SEL;
1950 	if (sdata->local->hw.queues >= 4)
1951 		ifmgd->flags |= IEEE80211_STA_WMM_ENABLED;
1952 }
1953 
1954 /* configuration hooks */
1955 void ieee80211_sta_req_auth(struct ieee80211_sub_if_data *sdata)
1956 {
1957 	struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
1958 	struct ieee80211_local *local = sdata->local;
1959 
1960 	if (WARN_ON(sdata->vif.type != NL80211_IFTYPE_STATION))
1961 		return;
1962 
1963 	if ((ifmgd->flags & (IEEE80211_STA_BSSID_SET |
1964 			     IEEE80211_STA_AUTO_BSSID_SEL)) &&
1965 	    (ifmgd->flags & (IEEE80211_STA_SSID_SET |
1966 			     IEEE80211_STA_AUTO_SSID_SEL))) {
1967 
1968 		if (ifmgd->state == IEEE80211_STA_MLME_ASSOCIATED)
1969 			ieee80211_set_disassoc(sdata, true, true,
1970 					       WLAN_REASON_DEAUTH_LEAVING);
1971 
1972 		if (!(ifmgd->flags & IEEE80211_STA_EXT_SME) ||
1973 		    ifmgd->state != IEEE80211_STA_MLME_ASSOCIATE)
1974 			set_bit(IEEE80211_STA_REQ_AUTH, &ifmgd->request);
1975 		else if (ifmgd->flags & IEEE80211_STA_EXT_SME)
1976 			set_bit(IEEE80211_STA_REQ_RUN, &ifmgd->request);
1977 		queue_work(local->hw.workqueue, &ifmgd->work);
1978 	}
1979 }
1980 
1981 int ieee80211_sta_commit(struct ieee80211_sub_if_data *sdata)
1982 {
1983 	struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
1984 
1985 	if (ifmgd->ssid_len)
1986 		ifmgd->flags |= IEEE80211_STA_SSID_SET;
1987 	else
1988 		ifmgd->flags &= ~IEEE80211_STA_SSID_SET;
1989 
1990 	return 0;
1991 }
1992 
1993 int ieee80211_sta_set_ssid(struct ieee80211_sub_if_data *sdata, char *ssid, size_t len)
1994 {
1995 	struct ieee80211_if_managed *ifmgd;
1996 
1997 	if (len > IEEE80211_MAX_SSID_LEN)
1998 		return -EINVAL;
1999 
2000 	ifmgd = &sdata->u.mgd;
2001 
2002 	if (ifmgd->ssid_len != len || memcmp(ifmgd->ssid, ssid, len) != 0) {
2003 		/*
2004 		 * Do not use reassociation if SSID is changed (different ESS).
2005 		 */
2006 		ifmgd->flags &= ~IEEE80211_STA_PREV_BSSID_SET;
2007 		memset(ifmgd->ssid, 0, sizeof(ifmgd->ssid));
2008 		memcpy(ifmgd->ssid, ssid, len);
2009 		ifmgd->ssid_len = len;
2010 	}
2011 
2012 	return ieee80211_sta_commit(sdata);
2013 }
2014 
2015 int ieee80211_sta_get_ssid(struct ieee80211_sub_if_data *sdata, char *ssid, size_t *len)
2016 {
2017 	struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
2018 	memcpy(ssid, ifmgd->ssid, ifmgd->ssid_len);
2019 	*len = ifmgd->ssid_len;
2020 	return 0;
2021 }
2022 
2023 int ieee80211_sta_set_bssid(struct ieee80211_sub_if_data *sdata, u8 *bssid)
2024 {
2025 	struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
2026 
2027 	if (is_valid_ether_addr(bssid)) {
2028 		memcpy(ifmgd->bssid, bssid, ETH_ALEN);
2029 		ifmgd->flags |= IEEE80211_STA_BSSID_SET;
2030 	} else {
2031 		memset(ifmgd->bssid, 0, ETH_ALEN);
2032 		ifmgd->flags &= ~IEEE80211_STA_BSSID_SET;
2033 	}
2034 
2035 	if (netif_running(sdata->dev)) {
2036 		if (ieee80211_if_config(sdata, IEEE80211_IFCC_BSSID)) {
2037 			printk(KERN_DEBUG "%s: Failed to config new BSSID to "
2038 			       "the low-level driver\n", sdata->dev->name);
2039 		}
2040 	}
2041 
2042 	return ieee80211_sta_commit(sdata);
2043 }
2044 
2045 int ieee80211_sta_set_extra_ie(struct ieee80211_sub_if_data *sdata,
2046 			       const char *ie, size_t len)
2047 {
2048 	struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
2049 
2050 	kfree(ifmgd->extra_ie);
2051 	if (len == 0) {
2052 		ifmgd->extra_ie = NULL;
2053 		ifmgd->extra_ie_len = 0;
2054 		return 0;
2055 	}
2056 	ifmgd->extra_ie = kmalloc(len, GFP_KERNEL);
2057 	if (!ifmgd->extra_ie) {
2058 		ifmgd->extra_ie_len = 0;
2059 		return -ENOMEM;
2060 	}
2061 	memcpy(ifmgd->extra_ie, ie, len);
2062 	ifmgd->extra_ie_len = len;
2063 	return 0;
2064 }
2065 
2066 int ieee80211_sta_deauthenticate(struct ieee80211_sub_if_data *sdata, u16 reason)
2067 {
2068 	printk(KERN_DEBUG "%s: deauthenticating by local choice (reason=%d)\n",
2069 	       sdata->dev->name, reason);
2070 
2071 	if (sdata->vif.type != NL80211_IFTYPE_STATION)
2072 		return -EINVAL;
2073 
2074 	ieee80211_set_disassoc(sdata, true, true, reason);
2075 	return 0;
2076 }
2077 
2078 int ieee80211_sta_disassociate(struct ieee80211_sub_if_data *sdata, u16 reason)
2079 {
2080 	struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
2081 
2082 	printk(KERN_DEBUG "%s: disassociating by local choice (reason=%d)\n",
2083 	       sdata->dev->name, reason);
2084 
2085 	if (sdata->vif.type != NL80211_IFTYPE_STATION)
2086 		return -EINVAL;
2087 
2088 	if (!(ifmgd->flags & IEEE80211_STA_ASSOCIATED))
2089 		return -ENOLINK;
2090 
2091 	ieee80211_set_disassoc(sdata, false, true, reason);
2092 	return 0;
2093 }
2094 
2095 /* scan finished notification */
2096 void ieee80211_mlme_notify_scan_completed(struct ieee80211_local *local)
2097 {
2098 	struct ieee80211_sub_if_data *sdata = local->scan_sdata;
2099 
2100 	/* Restart STA timers */
2101 	rcu_read_lock();
2102 	list_for_each_entry_rcu(sdata, &local->interfaces, list)
2103 		ieee80211_restart_sta_timer(sdata);
2104 	rcu_read_unlock();
2105 }
2106 
2107 void ieee80211_dynamic_ps_disable_work(struct work_struct *work)
2108 {
2109 	struct ieee80211_local *local =
2110 		container_of(work, struct ieee80211_local,
2111 			     dynamic_ps_disable_work);
2112 
2113 	if (local->hw.conf.flags & IEEE80211_CONF_PS) {
2114 		local->hw.conf.flags &= ~IEEE80211_CONF_PS;
2115 		ieee80211_hw_config(local, IEEE80211_CONF_CHANGE_PS);
2116 	}
2117 
2118 	ieee80211_wake_queues_by_reason(&local->hw,
2119 					IEEE80211_QUEUE_STOP_REASON_PS);
2120 }
2121 
2122 void ieee80211_dynamic_ps_enable_work(struct work_struct *work)
2123 {
2124 	struct ieee80211_local *local =
2125 		container_of(work, struct ieee80211_local,
2126 			     dynamic_ps_enable_work);
2127 	/* XXX: using scan_sdata is completely broken! */
2128 	struct ieee80211_sub_if_data *sdata = local->scan_sdata;
2129 
2130 	if (local->hw.conf.flags & IEEE80211_CONF_PS)
2131 		return;
2132 
2133 	if (local->hw.flags & IEEE80211_HW_PS_NULLFUNC_STACK && sdata)
2134 		ieee80211_send_nullfunc(local, sdata, 1);
2135 
2136 	local->hw.conf.flags |= IEEE80211_CONF_PS;
2137 	ieee80211_hw_config(local, IEEE80211_CONF_CHANGE_PS);
2138 }
2139 
2140 void ieee80211_dynamic_ps_timer(unsigned long data)
2141 {
2142 	struct ieee80211_local *local = (void *) data;
2143 
2144 	queue_work(local->hw.workqueue, &local->dynamic_ps_enable_work);
2145 }
2146 
2147 void ieee80211_send_nullfunc(struct ieee80211_local *local,
2148 			     struct ieee80211_sub_if_data *sdata,
2149 			     int powersave)
2150 {
2151 	struct sk_buff *skb;
2152 	struct ieee80211_hdr *nullfunc;
2153 	__le16 fc;
2154 
2155 	if (WARN_ON(sdata->vif.type != NL80211_IFTYPE_STATION))
2156 		return;
2157 
2158 	skb = dev_alloc_skb(local->hw.extra_tx_headroom + 24);
2159 	if (!skb) {
2160 		printk(KERN_DEBUG "%s: failed to allocate buffer for nullfunc "
2161 		       "frame\n", sdata->dev->name);
2162 		return;
2163 	}
2164 	skb_reserve(skb, local->hw.extra_tx_headroom);
2165 
2166 	nullfunc = (struct ieee80211_hdr *) skb_put(skb, 24);
2167 	memset(nullfunc, 0, 24);
2168 	fc = cpu_to_le16(IEEE80211_FTYPE_DATA | IEEE80211_STYPE_NULLFUNC |
2169 			 IEEE80211_FCTL_TODS);
2170 	if (powersave)
2171 		fc |= cpu_to_le16(IEEE80211_FCTL_PM);
2172 	nullfunc->frame_control = fc;
2173 	memcpy(nullfunc->addr1, sdata->u.mgd.bssid, ETH_ALEN);
2174 	memcpy(nullfunc->addr2, sdata->dev->dev_addr, ETH_ALEN);
2175 	memcpy(nullfunc->addr3, sdata->u.mgd.bssid, ETH_ALEN);
2176 
2177 	ieee80211_tx_skb(sdata, skb, 0);
2178 }
2179