xref: /openbmc/linux/net/mac80211/mlme.c (revision d7a3d85e)
1 /*
2  * BSS client mode implementation
3  * Copyright 2003-2008, Jouni Malinen <j@w1.fi>
4  * Copyright 2004, Instant802 Networks, Inc.
5  * Copyright 2005, Devicescape Software, Inc.
6  * Copyright 2006-2007	Jiri Benc <jbenc@suse.cz>
7  * Copyright 2007, Michael Wu <flamingice@sourmilk.net>
8  * Copyright 2013-2014  Intel Mobile Communications GmbH
9  *
10  * This program is free software; you can redistribute it and/or modify
11  * it under the terms of the GNU General Public License version 2 as
12  * published by the Free Software Foundation.
13  */
14 
15 #include <linux/delay.h>
16 #include <linux/if_ether.h>
17 #include <linux/skbuff.h>
18 #include <linux/if_arp.h>
19 #include <linux/etherdevice.h>
20 #include <linux/moduleparam.h>
21 #include <linux/rtnetlink.h>
22 #include <linux/pm_qos.h>
23 #include <linux/crc32.h>
24 #include <linux/slab.h>
25 #include <linux/export.h>
26 #include <net/mac80211.h>
27 #include <asm/unaligned.h>
28 
29 #include "ieee80211_i.h"
30 #include "driver-ops.h"
31 #include "rate.h"
32 #include "led.h"
33 
34 #define IEEE80211_AUTH_TIMEOUT		(HZ / 5)
35 #define IEEE80211_AUTH_TIMEOUT_LONG	(HZ / 2)
36 #define IEEE80211_AUTH_TIMEOUT_SHORT	(HZ / 10)
37 #define IEEE80211_AUTH_MAX_TRIES	3
38 #define IEEE80211_AUTH_WAIT_ASSOC	(HZ * 5)
39 #define IEEE80211_ASSOC_TIMEOUT		(HZ / 5)
40 #define IEEE80211_ASSOC_TIMEOUT_LONG	(HZ / 2)
41 #define IEEE80211_ASSOC_TIMEOUT_SHORT	(HZ / 10)
42 #define IEEE80211_ASSOC_MAX_TRIES	3
43 
44 static int max_nullfunc_tries = 2;
45 module_param(max_nullfunc_tries, int, 0644);
46 MODULE_PARM_DESC(max_nullfunc_tries,
47 		 "Maximum nullfunc tx tries before disconnecting (reason 4).");
48 
49 static int max_probe_tries = 5;
50 module_param(max_probe_tries, int, 0644);
51 MODULE_PARM_DESC(max_probe_tries,
52 		 "Maximum probe tries before disconnecting (reason 4).");
53 
54 /*
55  * Beacon loss timeout is calculated as N frames times the
56  * advertised beacon interval.  This may need to be somewhat
57  * higher than what hardware might detect to account for
58  * delays in the host processing frames. But since we also
59  * probe on beacon miss before declaring the connection lost
60  * default to what we want.
61  */
62 static int beacon_loss_count = 7;
63 module_param(beacon_loss_count, int, 0644);
64 MODULE_PARM_DESC(beacon_loss_count,
65 		 "Number of beacon intervals before we decide beacon was lost.");
66 
67 /*
68  * Time the connection can be idle before we probe
69  * it to see if we can still talk to the AP.
70  */
71 #define IEEE80211_CONNECTION_IDLE_TIME	(30 * HZ)
72 /*
73  * Time we wait for a probe response after sending
74  * a probe request because of beacon loss or for
75  * checking the connection still works.
76  */
77 static int probe_wait_ms = 500;
78 module_param(probe_wait_ms, int, 0644);
79 MODULE_PARM_DESC(probe_wait_ms,
80 		 "Maximum time(ms) to wait for probe response"
81 		 " before disconnecting (reason 4).");
82 
83 /*
84  * Weight given to the latest Beacon frame when calculating average signal
85  * strength for Beacon frames received in the current BSS. This must be
86  * between 1 and 15.
87  */
88 #define IEEE80211_SIGNAL_AVE_WEIGHT	3
89 
90 /*
91  * How many Beacon frames need to have been used in average signal strength
92  * before starting to indicate signal change events.
93  */
94 #define IEEE80211_SIGNAL_AVE_MIN_COUNT	4
95 
96 /*
97  * We can have multiple work items (and connection probing)
98  * scheduling this timer, but we need to take care to only
99  * reschedule it when it should fire _earlier_ than it was
100  * asked for before, or if it's not pending right now. This
101  * function ensures that. Note that it then is required to
102  * run this function for all timeouts after the first one
103  * has happened -- the work that runs from this timer will
104  * do that.
105  */
106 static void run_again(struct ieee80211_sub_if_data *sdata,
107 		      unsigned long timeout)
108 {
109 	sdata_assert_lock(sdata);
110 
111 	if (!timer_pending(&sdata->u.mgd.timer) ||
112 	    time_before(timeout, sdata->u.mgd.timer.expires))
113 		mod_timer(&sdata->u.mgd.timer, timeout);
114 }
115 
116 void ieee80211_sta_reset_beacon_monitor(struct ieee80211_sub_if_data *sdata)
117 {
118 	if (sdata->vif.driver_flags & IEEE80211_VIF_BEACON_FILTER)
119 		return;
120 
121 	if (sdata->local->hw.flags & IEEE80211_HW_CONNECTION_MONITOR)
122 		return;
123 
124 	mod_timer(&sdata->u.mgd.bcn_mon_timer,
125 		  round_jiffies_up(jiffies + sdata->u.mgd.beacon_timeout));
126 }
127 
128 void ieee80211_sta_reset_conn_monitor(struct ieee80211_sub_if_data *sdata)
129 {
130 	struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
131 
132 	if (unlikely(!sdata->u.mgd.associated))
133 		return;
134 
135 	ifmgd->probe_send_count = 0;
136 
137 	if (sdata->local->hw.flags & IEEE80211_HW_CONNECTION_MONITOR)
138 		return;
139 
140 	mod_timer(&sdata->u.mgd.conn_mon_timer,
141 		  round_jiffies_up(jiffies + IEEE80211_CONNECTION_IDLE_TIME));
142 }
143 
144 static int ecw2cw(int ecw)
145 {
146 	return (1 << ecw) - 1;
147 }
148 
149 static u32
150 ieee80211_determine_chantype(struct ieee80211_sub_if_data *sdata,
151 			     struct ieee80211_supported_band *sband,
152 			     struct ieee80211_channel *channel,
153 			     const struct ieee80211_ht_cap *ht_cap,
154 			     const struct ieee80211_ht_operation *ht_oper,
155 			     const struct ieee80211_vht_operation *vht_oper,
156 			     struct cfg80211_chan_def *chandef, bool tracking)
157 {
158 	struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
159 	struct cfg80211_chan_def vht_chandef;
160 	struct ieee80211_sta_ht_cap sta_ht_cap;
161 	u32 ht_cfreq, ret;
162 
163 	memcpy(&sta_ht_cap, &sband->ht_cap, sizeof(sta_ht_cap));
164 	ieee80211_apply_htcap_overrides(sdata, &sta_ht_cap);
165 
166 	chandef->chan = channel;
167 	chandef->width = NL80211_CHAN_WIDTH_20_NOHT;
168 	chandef->center_freq1 = channel->center_freq;
169 	chandef->center_freq2 = 0;
170 
171 	if (!ht_cap || !ht_oper || !sta_ht_cap.ht_supported) {
172 		ret = IEEE80211_STA_DISABLE_HT | IEEE80211_STA_DISABLE_VHT;
173 		goto out;
174 	}
175 
176 	chandef->width = NL80211_CHAN_WIDTH_20;
177 
178 	if (!(ht_cap->cap_info &
179 	      cpu_to_le16(IEEE80211_HT_CAP_SUP_WIDTH_20_40))) {
180 		ret = IEEE80211_STA_DISABLE_40MHZ;
181 		vht_chandef = *chandef;
182 		goto out;
183 	}
184 
185 	ht_cfreq = ieee80211_channel_to_frequency(ht_oper->primary_chan,
186 						  channel->band);
187 	/* check that channel matches the right operating channel */
188 	if (!tracking && channel->center_freq != ht_cfreq) {
189 		/*
190 		 * It's possible that some APs are confused here;
191 		 * Netgear WNDR3700 sometimes reports 4 higher than
192 		 * the actual channel in association responses, but
193 		 * since we look at probe response/beacon data here
194 		 * it should be OK.
195 		 */
196 		sdata_info(sdata,
197 			   "Wrong control channel: center-freq: %d ht-cfreq: %d ht->primary_chan: %d band: %d - Disabling HT\n",
198 			   channel->center_freq, ht_cfreq,
199 			   ht_oper->primary_chan, channel->band);
200 		ret = IEEE80211_STA_DISABLE_HT | IEEE80211_STA_DISABLE_VHT;
201 		goto out;
202 	}
203 
204 	/* check 40 MHz support, if we have it */
205 	if (sta_ht_cap.cap & IEEE80211_HT_CAP_SUP_WIDTH_20_40) {
206 		switch (ht_oper->ht_param & IEEE80211_HT_PARAM_CHA_SEC_OFFSET) {
207 		case IEEE80211_HT_PARAM_CHA_SEC_ABOVE:
208 			chandef->width = NL80211_CHAN_WIDTH_40;
209 			chandef->center_freq1 += 10;
210 			break;
211 		case IEEE80211_HT_PARAM_CHA_SEC_BELOW:
212 			chandef->width = NL80211_CHAN_WIDTH_40;
213 			chandef->center_freq1 -= 10;
214 			break;
215 		}
216 	} else {
217 		/* 40 MHz (and 80 MHz) must be supported for VHT */
218 		ret = IEEE80211_STA_DISABLE_VHT;
219 		/* also mark 40 MHz disabled */
220 		ret |= IEEE80211_STA_DISABLE_40MHZ;
221 		goto out;
222 	}
223 
224 	if (!vht_oper || !sband->vht_cap.vht_supported) {
225 		ret = IEEE80211_STA_DISABLE_VHT;
226 		goto out;
227 	}
228 
229 	vht_chandef.chan = channel;
230 	vht_chandef.center_freq1 =
231 		ieee80211_channel_to_frequency(vht_oper->center_freq_seg1_idx,
232 					       channel->band);
233 	vht_chandef.center_freq2 = 0;
234 
235 	switch (vht_oper->chan_width) {
236 	case IEEE80211_VHT_CHANWIDTH_USE_HT:
237 		vht_chandef.width = chandef->width;
238 		vht_chandef.center_freq1 = chandef->center_freq1;
239 		break;
240 	case IEEE80211_VHT_CHANWIDTH_80MHZ:
241 		vht_chandef.width = NL80211_CHAN_WIDTH_80;
242 		break;
243 	case IEEE80211_VHT_CHANWIDTH_160MHZ:
244 		vht_chandef.width = NL80211_CHAN_WIDTH_160;
245 		break;
246 	case IEEE80211_VHT_CHANWIDTH_80P80MHZ:
247 		vht_chandef.width = NL80211_CHAN_WIDTH_80P80;
248 		vht_chandef.center_freq2 =
249 			ieee80211_channel_to_frequency(
250 				vht_oper->center_freq_seg2_idx,
251 				channel->band);
252 		break;
253 	default:
254 		if (!(ifmgd->flags & IEEE80211_STA_DISABLE_VHT))
255 			sdata_info(sdata,
256 				   "AP VHT operation IE has invalid channel width (%d), disable VHT\n",
257 				   vht_oper->chan_width);
258 		ret = IEEE80211_STA_DISABLE_VHT;
259 		goto out;
260 	}
261 
262 	if (!cfg80211_chandef_valid(&vht_chandef)) {
263 		if (!(ifmgd->flags & IEEE80211_STA_DISABLE_VHT))
264 			sdata_info(sdata,
265 				   "AP VHT information is invalid, disable VHT\n");
266 		ret = IEEE80211_STA_DISABLE_VHT;
267 		goto out;
268 	}
269 
270 	if (cfg80211_chandef_identical(chandef, &vht_chandef)) {
271 		ret = 0;
272 		goto out;
273 	}
274 
275 	if (!cfg80211_chandef_compatible(chandef, &vht_chandef)) {
276 		if (!(ifmgd->flags & IEEE80211_STA_DISABLE_VHT))
277 			sdata_info(sdata,
278 				   "AP VHT information doesn't match HT, disable VHT\n");
279 		ret = IEEE80211_STA_DISABLE_VHT;
280 		goto out;
281 	}
282 
283 	*chandef = vht_chandef;
284 
285 	ret = 0;
286 
287 out:
288 	/*
289 	 * When tracking the current AP, don't do any further checks if the
290 	 * new chandef is identical to the one we're currently using for the
291 	 * connection. This keeps us from playing ping-pong with regulatory,
292 	 * without it the following can happen (for example):
293 	 *  - connect to an AP with 80 MHz, world regdom allows 80 MHz
294 	 *  - AP advertises regdom US
295 	 *  - CRDA loads regdom US with 80 MHz prohibited (old database)
296 	 *  - the code below detects an unsupported channel, downgrades, and
297 	 *    we disconnect from the AP in the caller
298 	 *  - disconnect causes CRDA to reload world regdomain and the game
299 	 *    starts anew.
300 	 * (see https://bugzilla.kernel.org/show_bug.cgi?id=70881)
301 	 *
302 	 * It seems possible that there are still scenarios with CSA or real
303 	 * bandwidth changes where a this could happen, but those cases are
304 	 * less common and wouldn't completely prevent using the AP.
305 	 */
306 	if (tracking &&
307 	    cfg80211_chandef_identical(chandef, &sdata->vif.bss_conf.chandef))
308 		return ret;
309 
310 	/* don't print the message below for VHT mismatch if VHT is disabled */
311 	if (ret & IEEE80211_STA_DISABLE_VHT)
312 		vht_chandef = *chandef;
313 
314 	/*
315 	 * Ignore the DISABLED flag when we're already connected and only
316 	 * tracking the APs beacon for bandwidth changes - otherwise we
317 	 * might get disconnected here if we connect to an AP, update our
318 	 * regulatory information based on the AP's country IE and the
319 	 * information we have is wrong/outdated and disables the channel
320 	 * that we're actually using for the connection to the AP.
321 	 */
322 	while (!cfg80211_chandef_usable(sdata->local->hw.wiphy, chandef,
323 					tracking ? 0 :
324 						   IEEE80211_CHAN_DISABLED)) {
325 		if (WARN_ON(chandef->width == NL80211_CHAN_WIDTH_20_NOHT)) {
326 			ret = IEEE80211_STA_DISABLE_HT |
327 			      IEEE80211_STA_DISABLE_VHT;
328 			break;
329 		}
330 
331 		ret |= ieee80211_chandef_downgrade(chandef);
332 	}
333 
334 	if (chandef->width != vht_chandef.width && !tracking)
335 		sdata_info(sdata,
336 			   "capabilities/regulatory prevented using AP HT/VHT configuration, downgraded\n");
337 
338 	WARN_ON_ONCE(!cfg80211_chandef_valid(chandef));
339 	return ret;
340 }
341 
342 static int ieee80211_config_bw(struct ieee80211_sub_if_data *sdata,
343 			       struct sta_info *sta,
344 			       const struct ieee80211_ht_cap *ht_cap,
345 			       const struct ieee80211_ht_operation *ht_oper,
346 			       const struct ieee80211_vht_operation *vht_oper,
347 			       const u8 *bssid, u32 *changed)
348 {
349 	struct ieee80211_local *local = sdata->local;
350 	struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
351 	struct ieee80211_supported_band *sband;
352 	struct ieee80211_channel *chan;
353 	struct cfg80211_chan_def chandef;
354 	u16 ht_opmode;
355 	u32 flags;
356 	enum ieee80211_sta_rx_bandwidth new_sta_bw;
357 	int ret;
358 
359 	/* if HT was/is disabled, don't track any bandwidth changes */
360 	if (ifmgd->flags & IEEE80211_STA_DISABLE_HT || !ht_oper)
361 		return 0;
362 
363 	/* don't check VHT if we associated as non-VHT station */
364 	if (ifmgd->flags & IEEE80211_STA_DISABLE_VHT)
365 		vht_oper = NULL;
366 
367 	if (WARN_ON_ONCE(!sta))
368 		return -EINVAL;
369 
370 	/*
371 	 * if bss configuration changed store the new one -
372 	 * this may be applicable even if channel is identical
373 	 */
374 	ht_opmode = le16_to_cpu(ht_oper->operation_mode);
375 	if (sdata->vif.bss_conf.ht_operation_mode != ht_opmode) {
376 		*changed |= BSS_CHANGED_HT;
377 		sdata->vif.bss_conf.ht_operation_mode = ht_opmode;
378 	}
379 
380 	chan = sdata->vif.bss_conf.chandef.chan;
381 	sband = local->hw.wiphy->bands[chan->band];
382 
383 	/* calculate new channel (type) based on HT/VHT operation IEs */
384 	flags = ieee80211_determine_chantype(sdata, sband, chan,
385 					     ht_cap, ht_oper, vht_oper,
386 					     &chandef, true);
387 
388 	/*
389 	 * Downgrade the new channel if we associated with restricted
390 	 * capabilities. For example, if we associated as a 20 MHz STA
391 	 * to a 40 MHz AP (due to regulatory, capabilities or config
392 	 * reasons) then switching to a 40 MHz channel now won't do us
393 	 * any good -- we couldn't use it with the AP.
394 	 */
395 	if (ifmgd->flags & IEEE80211_STA_DISABLE_80P80MHZ &&
396 	    chandef.width == NL80211_CHAN_WIDTH_80P80)
397 		flags |= ieee80211_chandef_downgrade(&chandef);
398 	if (ifmgd->flags & IEEE80211_STA_DISABLE_160MHZ &&
399 	    chandef.width == NL80211_CHAN_WIDTH_160)
400 		flags |= ieee80211_chandef_downgrade(&chandef);
401 	if (ifmgd->flags & IEEE80211_STA_DISABLE_40MHZ &&
402 	    chandef.width > NL80211_CHAN_WIDTH_20)
403 		flags |= ieee80211_chandef_downgrade(&chandef);
404 
405 	if (cfg80211_chandef_identical(&chandef, &sdata->vif.bss_conf.chandef))
406 		return 0;
407 
408 	sdata_info(sdata,
409 		   "AP %pM changed bandwidth, new config is %d MHz, width %d (%d/%d MHz)\n",
410 		   ifmgd->bssid, chandef.chan->center_freq, chandef.width,
411 		   chandef.center_freq1, chandef.center_freq2);
412 
413 	if (flags != (ifmgd->flags & (IEEE80211_STA_DISABLE_HT |
414 				      IEEE80211_STA_DISABLE_VHT |
415 				      IEEE80211_STA_DISABLE_40MHZ |
416 				      IEEE80211_STA_DISABLE_80P80MHZ |
417 				      IEEE80211_STA_DISABLE_160MHZ)) ||
418 	    !cfg80211_chandef_valid(&chandef)) {
419 		sdata_info(sdata,
420 			   "AP %pM changed bandwidth in a way we can't support - disconnect\n",
421 			   ifmgd->bssid);
422 		return -EINVAL;
423 	}
424 
425 	switch (chandef.width) {
426 	case NL80211_CHAN_WIDTH_20_NOHT:
427 	case NL80211_CHAN_WIDTH_20:
428 		new_sta_bw = IEEE80211_STA_RX_BW_20;
429 		break;
430 	case NL80211_CHAN_WIDTH_40:
431 		new_sta_bw = IEEE80211_STA_RX_BW_40;
432 		break;
433 	case NL80211_CHAN_WIDTH_80:
434 		new_sta_bw = IEEE80211_STA_RX_BW_80;
435 		break;
436 	case NL80211_CHAN_WIDTH_80P80:
437 	case NL80211_CHAN_WIDTH_160:
438 		new_sta_bw = IEEE80211_STA_RX_BW_160;
439 		break;
440 	default:
441 		return -EINVAL;
442 	}
443 
444 	if (new_sta_bw > sta->cur_max_bandwidth)
445 		new_sta_bw = sta->cur_max_bandwidth;
446 
447 	if (new_sta_bw < sta->sta.bandwidth) {
448 		sta->sta.bandwidth = new_sta_bw;
449 		rate_control_rate_update(local, sband, sta,
450 					 IEEE80211_RC_BW_CHANGED);
451 	}
452 
453 	ret = ieee80211_vif_change_bandwidth(sdata, &chandef, changed);
454 	if (ret) {
455 		sdata_info(sdata,
456 			   "AP %pM changed bandwidth to incompatible one - disconnect\n",
457 			   ifmgd->bssid);
458 		return ret;
459 	}
460 
461 	if (new_sta_bw > sta->sta.bandwidth) {
462 		sta->sta.bandwidth = new_sta_bw;
463 		rate_control_rate_update(local, sband, sta,
464 					 IEEE80211_RC_BW_CHANGED);
465 	}
466 
467 	return 0;
468 }
469 
470 /* frame sending functions */
471 
472 static void ieee80211_add_ht_ie(struct ieee80211_sub_if_data *sdata,
473 				struct sk_buff *skb, u8 ap_ht_param,
474 				struct ieee80211_supported_band *sband,
475 				struct ieee80211_channel *channel,
476 				enum ieee80211_smps_mode smps)
477 {
478 	u8 *pos;
479 	u32 flags = channel->flags;
480 	u16 cap;
481 	struct ieee80211_sta_ht_cap ht_cap;
482 
483 	BUILD_BUG_ON(sizeof(ht_cap) != sizeof(sband->ht_cap));
484 
485 	memcpy(&ht_cap, &sband->ht_cap, sizeof(ht_cap));
486 	ieee80211_apply_htcap_overrides(sdata, &ht_cap);
487 
488 	/* determine capability flags */
489 	cap = ht_cap.cap;
490 
491 	switch (ap_ht_param & IEEE80211_HT_PARAM_CHA_SEC_OFFSET) {
492 	case IEEE80211_HT_PARAM_CHA_SEC_ABOVE:
493 		if (flags & IEEE80211_CHAN_NO_HT40PLUS) {
494 			cap &= ~IEEE80211_HT_CAP_SUP_WIDTH_20_40;
495 			cap &= ~IEEE80211_HT_CAP_SGI_40;
496 		}
497 		break;
498 	case IEEE80211_HT_PARAM_CHA_SEC_BELOW:
499 		if (flags & IEEE80211_CHAN_NO_HT40MINUS) {
500 			cap &= ~IEEE80211_HT_CAP_SUP_WIDTH_20_40;
501 			cap &= ~IEEE80211_HT_CAP_SGI_40;
502 		}
503 		break;
504 	}
505 
506 	/*
507 	 * If 40 MHz was disabled associate as though we weren't
508 	 * capable of 40 MHz -- some broken APs will never fall
509 	 * back to trying to transmit in 20 MHz.
510 	 */
511 	if (sdata->u.mgd.flags & IEEE80211_STA_DISABLE_40MHZ) {
512 		cap &= ~IEEE80211_HT_CAP_SUP_WIDTH_20_40;
513 		cap &= ~IEEE80211_HT_CAP_SGI_40;
514 	}
515 
516 	/* set SM PS mode properly */
517 	cap &= ~IEEE80211_HT_CAP_SM_PS;
518 	switch (smps) {
519 	case IEEE80211_SMPS_AUTOMATIC:
520 	case IEEE80211_SMPS_NUM_MODES:
521 		WARN_ON(1);
522 	case IEEE80211_SMPS_OFF:
523 		cap |= WLAN_HT_CAP_SM_PS_DISABLED <<
524 			IEEE80211_HT_CAP_SM_PS_SHIFT;
525 		break;
526 	case IEEE80211_SMPS_STATIC:
527 		cap |= WLAN_HT_CAP_SM_PS_STATIC <<
528 			IEEE80211_HT_CAP_SM_PS_SHIFT;
529 		break;
530 	case IEEE80211_SMPS_DYNAMIC:
531 		cap |= WLAN_HT_CAP_SM_PS_DYNAMIC <<
532 			IEEE80211_HT_CAP_SM_PS_SHIFT;
533 		break;
534 	}
535 
536 	/* reserve and fill IE */
537 	pos = skb_put(skb, sizeof(struct ieee80211_ht_cap) + 2);
538 	ieee80211_ie_build_ht_cap(pos, &ht_cap, cap);
539 }
540 
541 static void ieee80211_add_vht_ie(struct ieee80211_sub_if_data *sdata,
542 				 struct sk_buff *skb,
543 				 struct ieee80211_supported_band *sband,
544 				 struct ieee80211_vht_cap *ap_vht_cap)
545 {
546 	u8 *pos;
547 	u32 cap;
548 	struct ieee80211_sta_vht_cap vht_cap;
549 	u32 mask, ap_bf_sts, our_bf_sts;
550 
551 	BUILD_BUG_ON(sizeof(vht_cap) != sizeof(sband->vht_cap));
552 
553 	memcpy(&vht_cap, &sband->vht_cap, sizeof(vht_cap));
554 	ieee80211_apply_vhtcap_overrides(sdata, &vht_cap);
555 
556 	/* determine capability flags */
557 	cap = vht_cap.cap;
558 
559 	if (sdata->u.mgd.flags & IEEE80211_STA_DISABLE_80P80MHZ) {
560 		u32 bw = cap & IEEE80211_VHT_CAP_SUPP_CHAN_WIDTH_MASK;
561 
562 		cap &= ~IEEE80211_VHT_CAP_SUPP_CHAN_WIDTH_MASK;
563 		if (bw == IEEE80211_VHT_CAP_SUPP_CHAN_WIDTH_160MHZ ||
564 		    bw == IEEE80211_VHT_CAP_SUPP_CHAN_WIDTH_160_80PLUS80MHZ)
565 			cap |= IEEE80211_VHT_CAP_SUPP_CHAN_WIDTH_160MHZ;
566 	}
567 
568 	if (sdata->u.mgd.flags & IEEE80211_STA_DISABLE_160MHZ) {
569 		cap &= ~IEEE80211_VHT_CAP_SHORT_GI_160;
570 		cap &= ~IEEE80211_VHT_CAP_SUPP_CHAN_WIDTH_MASK;
571 	}
572 
573 	/*
574 	 * Some APs apparently get confused if our capabilities are better
575 	 * than theirs, so restrict what we advertise in the assoc request.
576 	 */
577 	if (!(ap_vht_cap->vht_cap_info &
578 			cpu_to_le32(IEEE80211_VHT_CAP_SU_BEAMFORMER_CAPABLE)))
579 		cap &= ~IEEE80211_VHT_CAP_SU_BEAMFORMEE_CAPABLE;
580 
581 	mask = IEEE80211_VHT_CAP_BEAMFORMEE_STS_MASK;
582 
583 	ap_bf_sts = le32_to_cpu(ap_vht_cap->vht_cap_info) & mask;
584 	our_bf_sts = cap & mask;
585 
586 	if (ap_bf_sts < our_bf_sts) {
587 		cap &= ~mask;
588 		cap |= ap_bf_sts;
589 	}
590 
591 	/* reserve and fill IE */
592 	pos = skb_put(skb, sizeof(struct ieee80211_vht_cap) + 2);
593 	ieee80211_ie_build_vht_cap(pos, &vht_cap, cap);
594 }
595 
596 static void ieee80211_send_assoc(struct ieee80211_sub_if_data *sdata)
597 {
598 	struct ieee80211_local *local = sdata->local;
599 	struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
600 	struct ieee80211_mgd_assoc_data *assoc_data = ifmgd->assoc_data;
601 	struct sk_buff *skb;
602 	struct ieee80211_mgmt *mgmt;
603 	u8 *pos, qos_info;
604 	size_t offset = 0, noffset;
605 	int i, count, rates_len, supp_rates_len, shift;
606 	u16 capab;
607 	struct ieee80211_supported_band *sband;
608 	struct ieee80211_chanctx_conf *chanctx_conf;
609 	struct ieee80211_channel *chan;
610 	u32 rate_flags, rates = 0;
611 
612 	sdata_assert_lock(sdata);
613 
614 	rcu_read_lock();
615 	chanctx_conf = rcu_dereference(sdata->vif.chanctx_conf);
616 	if (WARN_ON(!chanctx_conf)) {
617 		rcu_read_unlock();
618 		return;
619 	}
620 	chan = chanctx_conf->def.chan;
621 	rate_flags = ieee80211_chandef_rate_flags(&chanctx_conf->def);
622 	rcu_read_unlock();
623 	sband = local->hw.wiphy->bands[chan->band];
624 	shift = ieee80211_vif_get_shift(&sdata->vif);
625 
626 	if (assoc_data->supp_rates_len) {
627 		/*
628 		 * Get all rates supported by the device and the AP as
629 		 * some APs don't like getting a superset of their rates
630 		 * in the association request (e.g. D-Link DAP 1353 in
631 		 * b-only mode)...
632 		 */
633 		rates_len = ieee80211_parse_bitrates(&chanctx_conf->def, sband,
634 						     assoc_data->supp_rates,
635 						     assoc_data->supp_rates_len,
636 						     &rates);
637 	} else {
638 		/*
639 		 * In case AP not provide any supported rates information
640 		 * before association, we send information element(s) with
641 		 * all rates that we support.
642 		 */
643 		rates_len = 0;
644 		for (i = 0; i < sband->n_bitrates; i++) {
645 			if ((rate_flags & sband->bitrates[i].flags)
646 			    != rate_flags)
647 				continue;
648 			rates |= BIT(i);
649 			rates_len++;
650 		}
651 	}
652 
653 	skb = alloc_skb(local->hw.extra_tx_headroom +
654 			sizeof(*mgmt) + /* bit too much but doesn't matter */
655 			2 + assoc_data->ssid_len + /* SSID */
656 			4 + rates_len + /* (extended) rates */
657 			4 + /* power capability */
658 			2 + 2 * sband->n_channels + /* supported channels */
659 			2 + sizeof(struct ieee80211_ht_cap) + /* HT */
660 			2 + sizeof(struct ieee80211_vht_cap) + /* VHT */
661 			assoc_data->ie_len + /* extra IEs */
662 			9, /* WMM */
663 			GFP_KERNEL);
664 	if (!skb)
665 		return;
666 
667 	skb_reserve(skb, local->hw.extra_tx_headroom);
668 
669 	capab = WLAN_CAPABILITY_ESS;
670 
671 	if (sband->band == IEEE80211_BAND_2GHZ) {
672 		if (!(local->hw.flags & IEEE80211_HW_2GHZ_SHORT_SLOT_INCAPABLE))
673 			capab |= WLAN_CAPABILITY_SHORT_SLOT_TIME;
674 		if (!(local->hw.flags & IEEE80211_HW_2GHZ_SHORT_PREAMBLE_INCAPABLE))
675 			capab |= WLAN_CAPABILITY_SHORT_PREAMBLE;
676 	}
677 
678 	if (assoc_data->capability & WLAN_CAPABILITY_PRIVACY)
679 		capab |= WLAN_CAPABILITY_PRIVACY;
680 
681 	if ((assoc_data->capability & WLAN_CAPABILITY_SPECTRUM_MGMT) &&
682 	    (local->hw.flags & IEEE80211_HW_SPECTRUM_MGMT))
683 		capab |= WLAN_CAPABILITY_SPECTRUM_MGMT;
684 
685 	if (ifmgd->flags & IEEE80211_STA_ENABLE_RRM)
686 		capab |= WLAN_CAPABILITY_RADIO_MEASURE;
687 
688 	mgmt = (struct ieee80211_mgmt *) skb_put(skb, 24);
689 	memset(mgmt, 0, 24);
690 	memcpy(mgmt->da, assoc_data->bss->bssid, ETH_ALEN);
691 	memcpy(mgmt->sa, sdata->vif.addr, ETH_ALEN);
692 	memcpy(mgmt->bssid, assoc_data->bss->bssid, ETH_ALEN);
693 
694 	if (!is_zero_ether_addr(assoc_data->prev_bssid)) {
695 		skb_put(skb, 10);
696 		mgmt->frame_control = cpu_to_le16(IEEE80211_FTYPE_MGMT |
697 						  IEEE80211_STYPE_REASSOC_REQ);
698 		mgmt->u.reassoc_req.capab_info = cpu_to_le16(capab);
699 		mgmt->u.reassoc_req.listen_interval =
700 				cpu_to_le16(local->hw.conf.listen_interval);
701 		memcpy(mgmt->u.reassoc_req.current_ap, assoc_data->prev_bssid,
702 		       ETH_ALEN);
703 	} else {
704 		skb_put(skb, 4);
705 		mgmt->frame_control = cpu_to_le16(IEEE80211_FTYPE_MGMT |
706 						  IEEE80211_STYPE_ASSOC_REQ);
707 		mgmt->u.assoc_req.capab_info = cpu_to_le16(capab);
708 		mgmt->u.assoc_req.listen_interval =
709 				cpu_to_le16(local->hw.conf.listen_interval);
710 	}
711 
712 	/* SSID */
713 	pos = skb_put(skb, 2 + assoc_data->ssid_len);
714 	*pos++ = WLAN_EID_SSID;
715 	*pos++ = assoc_data->ssid_len;
716 	memcpy(pos, assoc_data->ssid, assoc_data->ssid_len);
717 
718 	/* add all rates which were marked to be used above */
719 	supp_rates_len = rates_len;
720 	if (supp_rates_len > 8)
721 		supp_rates_len = 8;
722 
723 	pos = skb_put(skb, supp_rates_len + 2);
724 	*pos++ = WLAN_EID_SUPP_RATES;
725 	*pos++ = supp_rates_len;
726 
727 	count = 0;
728 	for (i = 0; i < sband->n_bitrates; i++) {
729 		if (BIT(i) & rates) {
730 			int rate = DIV_ROUND_UP(sband->bitrates[i].bitrate,
731 						5 * (1 << shift));
732 			*pos++ = (u8) rate;
733 			if (++count == 8)
734 				break;
735 		}
736 	}
737 
738 	if (rates_len > count) {
739 		pos = skb_put(skb, rates_len - count + 2);
740 		*pos++ = WLAN_EID_EXT_SUPP_RATES;
741 		*pos++ = rates_len - count;
742 
743 		for (i++; i < sband->n_bitrates; i++) {
744 			if (BIT(i) & rates) {
745 				int rate;
746 				rate = DIV_ROUND_UP(sband->bitrates[i].bitrate,
747 						    5 * (1 << shift));
748 				*pos++ = (u8) rate;
749 			}
750 		}
751 	}
752 
753 	if (capab & WLAN_CAPABILITY_SPECTRUM_MGMT ||
754 	    capab & WLAN_CAPABILITY_RADIO_MEASURE) {
755 		pos = skb_put(skb, 4);
756 		*pos++ = WLAN_EID_PWR_CAPABILITY;
757 		*pos++ = 2;
758 		*pos++ = 0; /* min tx power */
759 		 /* max tx power */
760 		*pos++ = ieee80211_chandef_max_power(&chanctx_conf->def);
761 	}
762 
763 	if (capab & WLAN_CAPABILITY_SPECTRUM_MGMT) {
764 		/* TODO: get this in reg domain format */
765 		pos = skb_put(skb, 2 * sband->n_channels + 2);
766 		*pos++ = WLAN_EID_SUPPORTED_CHANNELS;
767 		*pos++ = 2 * sband->n_channels;
768 		for (i = 0; i < sband->n_channels; i++) {
769 			*pos++ = ieee80211_frequency_to_channel(
770 					sband->channels[i].center_freq);
771 			*pos++ = 1; /* one channel in the subband*/
772 		}
773 	}
774 
775 	/* if present, add any custom IEs that go before HT */
776 	if (assoc_data->ie_len) {
777 		static const u8 before_ht[] = {
778 			WLAN_EID_SSID,
779 			WLAN_EID_SUPP_RATES,
780 			WLAN_EID_EXT_SUPP_RATES,
781 			WLAN_EID_PWR_CAPABILITY,
782 			WLAN_EID_SUPPORTED_CHANNELS,
783 			WLAN_EID_RSN,
784 			WLAN_EID_QOS_CAPA,
785 			WLAN_EID_RRM_ENABLED_CAPABILITIES,
786 			WLAN_EID_MOBILITY_DOMAIN,
787 			WLAN_EID_FAST_BSS_TRANSITION,	/* reassoc only */
788 			WLAN_EID_RIC_DATA,		/* reassoc only */
789 			WLAN_EID_SUPPORTED_REGULATORY_CLASSES,
790 		};
791 		static const u8 after_ric[] = {
792 			WLAN_EID_SUPPORTED_REGULATORY_CLASSES,
793 			WLAN_EID_HT_CAPABILITY,
794 			WLAN_EID_BSS_COEX_2040,
795 			WLAN_EID_EXT_CAPABILITY,
796 			WLAN_EID_QOS_TRAFFIC_CAPA,
797 			WLAN_EID_TIM_BCAST_REQ,
798 			WLAN_EID_INTERWORKING,
799 			/* 60GHz doesn't happen right now */
800 			WLAN_EID_VHT_CAPABILITY,
801 			WLAN_EID_OPMODE_NOTIF,
802 		};
803 
804 		noffset = ieee80211_ie_split_ric(assoc_data->ie,
805 						 assoc_data->ie_len,
806 						 before_ht,
807 						 ARRAY_SIZE(before_ht),
808 						 after_ric,
809 						 ARRAY_SIZE(after_ric),
810 						 offset);
811 		pos = skb_put(skb, noffset - offset);
812 		memcpy(pos, assoc_data->ie + offset, noffset - offset);
813 		offset = noffset;
814 	}
815 
816 	if (WARN_ON_ONCE((ifmgd->flags & IEEE80211_STA_DISABLE_HT) &&
817 			 !(ifmgd->flags & IEEE80211_STA_DISABLE_VHT)))
818 		ifmgd->flags |= IEEE80211_STA_DISABLE_VHT;
819 
820 	if (!(ifmgd->flags & IEEE80211_STA_DISABLE_HT))
821 		ieee80211_add_ht_ie(sdata, skb, assoc_data->ap_ht_param,
822 				    sband, chan, sdata->smps_mode);
823 
824 	/* if present, add any custom IEs that go before VHT */
825 	if (assoc_data->ie_len) {
826 		static const u8 before_vht[] = {
827 			WLAN_EID_SSID,
828 			WLAN_EID_SUPP_RATES,
829 			WLAN_EID_EXT_SUPP_RATES,
830 			WLAN_EID_PWR_CAPABILITY,
831 			WLAN_EID_SUPPORTED_CHANNELS,
832 			WLAN_EID_RSN,
833 			WLAN_EID_QOS_CAPA,
834 			WLAN_EID_RRM_ENABLED_CAPABILITIES,
835 			WLAN_EID_MOBILITY_DOMAIN,
836 			WLAN_EID_SUPPORTED_REGULATORY_CLASSES,
837 			WLAN_EID_HT_CAPABILITY,
838 			WLAN_EID_BSS_COEX_2040,
839 			WLAN_EID_EXT_CAPABILITY,
840 			WLAN_EID_QOS_TRAFFIC_CAPA,
841 			WLAN_EID_TIM_BCAST_REQ,
842 			WLAN_EID_INTERWORKING,
843 		};
844 
845 		/* RIC already taken above, so no need to handle here anymore */
846 		noffset = ieee80211_ie_split(assoc_data->ie, assoc_data->ie_len,
847 					     before_vht, ARRAY_SIZE(before_vht),
848 					     offset);
849 		pos = skb_put(skb, noffset - offset);
850 		memcpy(pos, assoc_data->ie + offset, noffset - offset);
851 		offset = noffset;
852 	}
853 
854 	if (!(ifmgd->flags & IEEE80211_STA_DISABLE_VHT))
855 		ieee80211_add_vht_ie(sdata, skb, sband,
856 				     &assoc_data->ap_vht_cap);
857 
858 	/* if present, add any custom non-vendor IEs that go after HT */
859 	if (assoc_data->ie_len) {
860 		noffset = ieee80211_ie_split_vendor(assoc_data->ie,
861 						    assoc_data->ie_len,
862 						    offset);
863 		pos = skb_put(skb, noffset - offset);
864 		memcpy(pos, assoc_data->ie + offset, noffset - offset);
865 		offset = noffset;
866 	}
867 
868 	if (assoc_data->wmm) {
869 		if (assoc_data->uapsd) {
870 			qos_info = ifmgd->uapsd_queues;
871 			qos_info |= (ifmgd->uapsd_max_sp_len <<
872 				     IEEE80211_WMM_IE_STA_QOSINFO_SP_SHIFT);
873 		} else {
874 			qos_info = 0;
875 		}
876 
877 		pos = ieee80211_add_wmm_info_ie(skb_put(skb, 9), qos_info);
878 	}
879 
880 	/* add any remaining custom (i.e. vendor specific here) IEs */
881 	if (assoc_data->ie_len) {
882 		noffset = assoc_data->ie_len;
883 		pos = skb_put(skb, noffset - offset);
884 		memcpy(pos, assoc_data->ie + offset, noffset - offset);
885 	}
886 
887 	drv_mgd_prepare_tx(local, sdata);
888 
889 	IEEE80211_SKB_CB(skb)->flags |= IEEE80211_TX_INTFL_DONT_ENCRYPT;
890 	if (local->hw.flags & IEEE80211_HW_REPORTS_TX_ACK_STATUS)
891 		IEEE80211_SKB_CB(skb)->flags |= IEEE80211_TX_CTL_REQ_TX_STATUS |
892 						IEEE80211_TX_INTFL_MLME_CONN_TX;
893 	ieee80211_tx_skb(sdata, skb);
894 }
895 
896 void ieee80211_send_pspoll(struct ieee80211_local *local,
897 			   struct ieee80211_sub_if_data *sdata)
898 {
899 	struct ieee80211_pspoll *pspoll;
900 	struct sk_buff *skb;
901 
902 	skb = ieee80211_pspoll_get(&local->hw, &sdata->vif);
903 	if (!skb)
904 		return;
905 
906 	pspoll = (struct ieee80211_pspoll *) skb->data;
907 	pspoll->frame_control |= cpu_to_le16(IEEE80211_FCTL_PM);
908 
909 	IEEE80211_SKB_CB(skb)->flags |= IEEE80211_TX_INTFL_DONT_ENCRYPT;
910 	ieee80211_tx_skb(sdata, skb);
911 }
912 
913 void ieee80211_send_nullfunc(struct ieee80211_local *local,
914 			     struct ieee80211_sub_if_data *sdata,
915 			     int powersave)
916 {
917 	struct sk_buff *skb;
918 	struct ieee80211_hdr_3addr *nullfunc;
919 	struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
920 
921 	skb = ieee80211_nullfunc_get(&local->hw, &sdata->vif);
922 	if (!skb)
923 		return;
924 
925 	nullfunc = (struct ieee80211_hdr_3addr *) skb->data;
926 	if (powersave)
927 		nullfunc->frame_control |= cpu_to_le16(IEEE80211_FCTL_PM);
928 
929 	IEEE80211_SKB_CB(skb)->flags |= IEEE80211_TX_INTFL_DONT_ENCRYPT |
930 					IEEE80211_TX_INTFL_OFFCHAN_TX_OK;
931 
932 	if (local->hw.flags & IEEE80211_HW_REPORTS_TX_ACK_STATUS)
933 		IEEE80211_SKB_CB(skb)->flags |= IEEE80211_TX_CTL_REQ_TX_STATUS;
934 
935 	if (ifmgd->flags & IEEE80211_STA_CONNECTION_POLL)
936 		IEEE80211_SKB_CB(skb)->flags |= IEEE80211_TX_CTL_USE_MINRATE;
937 
938 	ieee80211_tx_skb(sdata, skb);
939 }
940 
941 static void ieee80211_send_4addr_nullfunc(struct ieee80211_local *local,
942 					  struct ieee80211_sub_if_data *sdata)
943 {
944 	struct sk_buff *skb;
945 	struct ieee80211_hdr *nullfunc;
946 	__le16 fc;
947 
948 	if (WARN_ON(sdata->vif.type != NL80211_IFTYPE_STATION))
949 		return;
950 
951 	skb = dev_alloc_skb(local->hw.extra_tx_headroom + 30);
952 	if (!skb)
953 		return;
954 
955 	skb_reserve(skb, local->hw.extra_tx_headroom);
956 
957 	nullfunc = (struct ieee80211_hdr *) skb_put(skb, 30);
958 	memset(nullfunc, 0, 30);
959 	fc = cpu_to_le16(IEEE80211_FTYPE_DATA | IEEE80211_STYPE_NULLFUNC |
960 			 IEEE80211_FCTL_FROMDS | IEEE80211_FCTL_TODS);
961 	nullfunc->frame_control = fc;
962 	memcpy(nullfunc->addr1, sdata->u.mgd.bssid, ETH_ALEN);
963 	memcpy(nullfunc->addr2, sdata->vif.addr, ETH_ALEN);
964 	memcpy(nullfunc->addr3, sdata->u.mgd.bssid, ETH_ALEN);
965 	memcpy(nullfunc->addr4, sdata->vif.addr, ETH_ALEN);
966 
967 	IEEE80211_SKB_CB(skb)->flags |= IEEE80211_TX_INTFL_DONT_ENCRYPT;
968 	ieee80211_tx_skb(sdata, skb);
969 }
970 
971 /* spectrum management related things */
972 static void ieee80211_chswitch_work(struct work_struct *work)
973 {
974 	struct ieee80211_sub_if_data *sdata =
975 		container_of(work, struct ieee80211_sub_if_data, u.mgd.chswitch_work);
976 	struct ieee80211_local *local = sdata->local;
977 	struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
978 	int ret;
979 
980 	if (!ieee80211_sdata_running(sdata))
981 		return;
982 
983 	sdata_lock(sdata);
984 	mutex_lock(&local->mtx);
985 	mutex_lock(&local->chanctx_mtx);
986 
987 	if (!ifmgd->associated)
988 		goto out;
989 
990 	if (!sdata->vif.csa_active)
991 		goto out;
992 
993 	/*
994 	 * using reservation isn't immediate as it may be deferred until later
995 	 * with multi-vif. once reservation is complete it will re-schedule the
996 	 * work with no reserved_chanctx so verify chandef to check if it
997 	 * completed successfully
998 	 */
999 
1000 	if (sdata->reserved_chanctx) {
1001 		/*
1002 		 * with multi-vif csa driver may call ieee80211_csa_finish()
1003 		 * many times while waiting for other interfaces to use their
1004 		 * reservations
1005 		 */
1006 		if (sdata->reserved_ready)
1007 			goto out;
1008 
1009 		ret = ieee80211_vif_use_reserved_context(sdata);
1010 		if (ret) {
1011 			sdata_info(sdata,
1012 				   "failed to use reserved channel context, disconnecting (err=%d)\n",
1013 				   ret);
1014 			ieee80211_queue_work(&sdata->local->hw,
1015 					     &ifmgd->csa_connection_drop_work);
1016 			goto out;
1017 		}
1018 
1019 		goto out;
1020 	}
1021 
1022 	if (!cfg80211_chandef_identical(&sdata->vif.bss_conf.chandef,
1023 					&sdata->csa_chandef)) {
1024 		sdata_info(sdata,
1025 			   "failed to finalize channel switch, disconnecting\n");
1026 		ieee80211_queue_work(&sdata->local->hw,
1027 				     &ifmgd->csa_connection_drop_work);
1028 		goto out;
1029 	}
1030 
1031 	/* XXX: shouldn't really modify cfg80211-owned data! */
1032 	ifmgd->associated->channel = sdata->csa_chandef.chan;
1033 
1034 	ifmgd->csa_waiting_bcn = true;
1035 
1036 	ieee80211_sta_reset_beacon_monitor(sdata);
1037 	ieee80211_sta_reset_conn_monitor(sdata);
1038 
1039 out:
1040 	mutex_unlock(&local->chanctx_mtx);
1041 	mutex_unlock(&local->mtx);
1042 	sdata_unlock(sdata);
1043 }
1044 
1045 static void ieee80211_chswitch_post_beacon(struct ieee80211_sub_if_data *sdata)
1046 {
1047 	struct ieee80211_local *local = sdata->local;
1048 	struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
1049 	int ret;
1050 
1051 	sdata_assert_lock(sdata);
1052 
1053 	WARN_ON(!sdata->vif.csa_active);
1054 
1055 	if (sdata->csa_block_tx) {
1056 		ieee80211_wake_vif_queues(local, sdata,
1057 					  IEEE80211_QUEUE_STOP_REASON_CSA);
1058 		sdata->csa_block_tx = false;
1059 	}
1060 
1061 	sdata->vif.csa_active = false;
1062 	ifmgd->csa_waiting_bcn = false;
1063 
1064 	ret = drv_post_channel_switch(sdata);
1065 	if (ret) {
1066 		sdata_info(sdata,
1067 			   "driver post channel switch failed, disconnecting\n");
1068 		ieee80211_queue_work(&local->hw,
1069 				     &ifmgd->csa_connection_drop_work);
1070 		return;
1071 	}
1072 
1073 	cfg80211_ch_switch_notify(sdata->dev, &sdata->reserved_chandef);
1074 }
1075 
1076 void ieee80211_chswitch_done(struct ieee80211_vif *vif, bool success)
1077 {
1078 	struct ieee80211_sub_if_data *sdata = vif_to_sdata(vif);
1079 	struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
1080 
1081 	trace_api_chswitch_done(sdata, success);
1082 	if (!success) {
1083 		sdata_info(sdata,
1084 			   "driver channel switch failed, disconnecting\n");
1085 		ieee80211_queue_work(&sdata->local->hw,
1086 				     &ifmgd->csa_connection_drop_work);
1087 	} else {
1088 		ieee80211_queue_work(&sdata->local->hw, &ifmgd->chswitch_work);
1089 	}
1090 }
1091 EXPORT_SYMBOL(ieee80211_chswitch_done);
1092 
1093 static void ieee80211_chswitch_timer(unsigned long data)
1094 {
1095 	struct ieee80211_sub_if_data *sdata =
1096 		(struct ieee80211_sub_if_data *) data;
1097 
1098 	ieee80211_queue_work(&sdata->local->hw, &sdata->u.mgd.chswitch_work);
1099 }
1100 
1101 static void
1102 ieee80211_sta_process_chanswitch(struct ieee80211_sub_if_data *sdata,
1103 				 u64 timestamp, u32 device_timestamp,
1104 				 struct ieee802_11_elems *elems,
1105 				 bool beacon)
1106 {
1107 	struct ieee80211_local *local = sdata->local;
1108 	struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
1109 	struct cfg80211_bss *cbss = ifmgd->associated;
1110 	struct ieee80211_chanctx_conf *conf;
1111 	struct ieee80211_chanctx *chanctx;
1112 	enum ieee80211_band current_band;
1113 	struct ieee80211_csa_ie csa_ie;
1114 	struct ieee80211_channel_switch ch_switch;
1115 	int res;
1116 
1117 	sdata_assert_lock(sdata);
1118 
1119 	if (!cbss)
1120 		return;
1121 
1122 	if (local->scanning)
1123 		return;
1124 
1125 	/* disregard subsequent announcements if we are already processing */
1126 	if (sdata->vif.csa_active)
1127 		return;
1128 
1129 	current_band = cbss->channel->band;
1130 	memset(&csa_ie, 0, sizeof(csa_ie));
1131 	res = ieee80211_parse_ch_switch_ie(sdata, elems, current_band,
1132 					   ifmgd->flags,
1133 					   ifmgd->associated->bssid, &csa_ie);
1134 	if (res	< 0)
1135 		ieee80211_queue_work(&local->hw,
1136 				     &ifmgd->csa_connection_drop_work);
1137 	if (res)
1138 		return;
1139 
1140 	if (!cfg80211_chandef_usable(local->hw.wiphy, &csa_ie.chandef,
1141 				     IEEE80211_CHAN_DISABLED)) {
1142 		sdata_info(sdata,
1143 			   "AP %pM switches to unsupported channel (%d MHz, width:%d, CF1/2: %d/%d MHz), disconnecting\n",
1144 			   ifmgd->associated->bssid,
1145 			   csa_ie.chandef.chan->center_freq,
1146 			   csa_ie.chandef.width, csa_ie.chandef.center_freq1,
1147 			   csa_ie.chandef.center_freq2);
1148 		ieee80211_queue_work(&local->hw,
1149 				     &ifmgd->csa_connection_drop_work);
1150 		return;
1151 	}
1152 
1153 	if (cfg80211_chandef_identical(&csa_ie.chandef,
1154 				       &sdata->vif.bss_conf.chandef)) {
1155 		if (ifmgd->csa_ignored_same_chan)
1156 			return;
1157 		sdata_info(sdata,
1158 			   "AP %pM tries to chanswitch to same channel, ignore\n",
1159 			   ifmgd->associated->bssid);
1160 		ifmgd->csa_ignored_same_chan = true;
1161 		return;
1162 	}
1163 
1164 	mutex_lock(&local->mtx);
1165 	mutex_lock(&local->chanctx_mtx);
1166 	conf = rcu_dereference_protected(sdata->vif.chanctx_conf,
1167 					 lockdep_is_held(&local->chanctx_mtx));
1168 	if (!conf) {
1169 		sdata_info(sdata,
1170 			   "no channel context assigned to vif?, disconnecting\n");
1171 		goto drop_connection;
1172 	}
1173 
1174 	chanctx = container_of(conf, struct ieee80211_chanctx, conf);
1175 
1176 	if (local->use_chanctx &&
1177 	    !(local->hw.flags & IEEE80211_HW_CHANCTX_STA_CSA)) {
1178 		sdata_info(sdata,
1179 			   "driver doesn't support chan-switch with channel contexts\n");
1180 		goto drop_connection;
1181 	}
1182 
1183 	ch_switch.timestamp = timestamp;
1184 	ch_switch.device_timestamp = device_timestamp;
1185 	ch_switch.block_tx = csa_ie.mode;
1186 	ch_switch.chandef = csa_ie.chandef;
1187 	ch_switch.count = csa_ie.count;
1188 
1189 	if (drv_pre_channel_switch(sdata, &ch_switch)) {
1190 		sdata_info(sdata,
1191 			   "preparing for channel switch failed, disconnecting\n");
1192 		goto drop_connection;
1193 	}
1194 
1195 	res = ieee80211_vif_reserve_chanctx(sdata, &csa_ie.chandef,
1196 					    chanctx->mode, false);
1197 	if (res) {
1198 		sdata_info(sdata,
1199 			   "failed to reserve channel context for channel switch, disconnecting (err=%d)\n",
1200 			   res);
1201 		goto drop_connection;
1202 	}
1203 	mutex_unlock(&local->chanctx_mtx);
1204 
1205 	sdata->vif.csa_active = true;
1206 	sdata->csa_chandef = csa_ie.chandef;
1207 	sdata->csa_block_tx = csa_ie.mode;
1208 	ifmgd->csa_ignored_same_chan = false;
1209 
1210 	if (sdata->csa_block_tx)
1211 		ieee80211_stop_vif_queues(local, sdata,
1212 					  IEEE80211_QUEUE_STOP_REASON_CSA);
1213 	mutex_unlock(&local->mtx);
1214 
1215 	cfg80211_ch_switch_started_notify(sdata->dev, &csa_ie.chandef,
1216 					  csa_ie.count);
1217 
1218 	if (local->ops->channel_switch) {
1219 		/* use driver's channel switch callback */
1220 		drv_channel_switch(local, sdata, &ch_switch);
1221 		return;
1222 	}
1223 
1224 	/* channel switch handled in software */
1225 	if (csa_ie.count <= 1)
1226 		ieee80211_queue_work(&local->hw, &ifmgd->chswitch_work);
1227 	else
1228 		mod_timer(&ifmgd->chswitch_timer,
1229 			  TU_TO_EXP_TIME((csa_ie.count - 1) *
1230 					 cbss->beacon_interval));
1231 	return;
1232  drop_connection:
1233 	ieee80211_queue_work(&local->hw, &ifmgd->csa_connection_drop_work);
1234 	mutex_unlock(&local->chanctx_mtx);
1235 	mutex_unlock(&local->mtx);
1236 }
1237 
1238 static bool
1239 ieee80211_find_80211h_pwr_constr(struct ieee80211_sub_if_data *sdata,
1240 				 struct ieee80211_channel *channel,
1241 				 const u8 *country_ie, u8 country_ie_len,
1242 				 const u8 *pwr_constr_elem,
1243 				 int *chan_pwr, int *pwr_reduction)
1244 {
1245 	struct ieee80211_country_ie_triplet *triplet;
1246 	int chan = ieee80211_frequency_to_channel(channel->center_freq);
1247 	int i, chan_increment;
1248 	bool have_chan_pwr = false;
1249 
1250 	/* Invalid IE */
1251 	if (country_ie_len % 2 || country_ie_len < IEEE80211_COUNTRY_IE_MIN_LEN)
1252 		return false;
1253 
1254 	triplet = (void *)(country_ie + 3);
1255 	country_ie_len -= 3;
1256 
1257 	switch (channel->band) {
1258 	default:
1259 		WARN_ON_ONCE(1);
1260 		/* fall through */
1261 	case IEEE80211_BAND_2GHZ:
1262 	case IEEE80211_BAND_60GHZ:
1263 		chan_increment = 1;
1264 		break;
1265 	case IEEE80211_BAND_5GHZ:
1266 		chan_increment = 4;
1267 		break;
1268 	}
1269 
1270 	/* find channel */
1271 	while (country_ie_len >= 3) {
1272 		u8 first_channel = triplet->chans.first_channel;
1273 
1274 		if (first_channel >= IEEE80211_COUNTRY_EXTENSION_ID)
1275 			goto next;
1276 
1277 		for (i = 0; i < triplet->chans.num_channels; i++) {
1278 			if (first_channel + i * chan_increment == chan) {
1279 				have_chan_pwr = true;
1280 				*chan_pwr = triplet->chans.max_power;
1281 				break;
1282 			}
1283 		}
1284 		if (have_chan_pwr)
1285 			break;
1286 
1287  next:
1288 		triplet++;
1289 		country_ie_len -= 3;
1290 	}
1291 
1292 	if (have_chan_pwr && pwr_constr_elem)
1293 		*pwr_reduction = *pwr_constr_elem;
1294 	else
1295 		*pwr_reduction = 0;
1296 
1297 	return have_chan_pwr;
1298 }
1299 
1300 static void ieee80211_find_cisco_dtpc(struct ieee80211_sub_if_data *sdata,
1301 				      struct ieee80211_channel *channel,
1302 				      const u8 *cisco_dtpc_ie,
1303 				      int *pwr_level)
1304 {
1305 	/* From practical testing, the first data byte of the DTPC element
1306 	 * seems to contain the requested dBm level, and the CLI on Cisco
1307 	 * APs clearly state the range is -127 to 127 dBm, which indicates
1308 	 * a signed byte, although it seemingly never actually goes negative.
1309 	 * The other byte seems to always be zero.
1310 	 */
1311 	*pwr_level = (__s8)cisco_dtpc_ie[4];
1312 }
1313 
1314 static u32 ieee80211_handle_pwr_constr(struct ieee80211_sub_if_data *sdata,
1315 				       struct ieee80211_channel *channel,
1316 				       struct ieee80211_mgmt *mgmt,
1317 				       const u8 *country_ie, u8 country_ie_len,
1318 				       const u8 *pwr_constr_ie,
1319 				       const u8 *cisco_dtpc_ie)
1320 {
1321 	bool has_80211h_pwr = false, has_cisco_pwr = false;
1322 	int chan_pwr = 0, pwr_reduction_80211h = 0;
1323 	int pwr_level_cisco, pwr_level_80211h;
1324 	int new_ap_level;
1325 	__le16 capab = mgmt->u.probe_resp.capab_info;
1326 
1327 	if (country_ie &&
1328 	    (capab & cpu_to_le16(WLAN_CAPABILITY_SPECTRUM_MGMT) ||
1329 	     capab & cpu_to_le16(WLAN_CAPABILITY_RADIO_MEASURE))) {
1330 		has_80211h_pwr = ieee80211_find_80211h_pwr_constr(
1331 			sdata, channel, country_ie, country_ie_len,
1332 			pwr_constr_ie, &chan_pwr, &pwr_reduction_80211h);
1333 		pwr_level_80211h =
1334 			max_t(int, 0, chan_pwr - pwr_reduction_80211h);
1335 	}
1336 
1337 	if (cisco_dtpc_ie) {
1338 		ieee80211_find_cisco_dtpc(
1339 			sdata, channel, cisco_dtpc_ie, &pwr_level_cisco);
1340 		has_cisco_pwr = true;
1341 	}
1342 
1343 	if (!has_80211h_pwr && !has_cisco_pwr)
1344 		return 0;
1345 
1346 	/* If we have both 802.11h and Cisco DTPC, apply both limits
1347 	 * by picking the smallest of the two power levels advertised.
1348 	 */
1349 	if (has_80211h_pwr &&
1350 	    (!has_cisco_pwr || pwr_level_80211h <= pwr_level_cisco)) {
1351 		sdata_dbg(sdata,
1352 			  "Limiting TX power to %d (%d - %d) dBm as advertised by %pM\n",
1353 			  pwr_level_80211h, chan_pwr, pwr_reduction_80211h,
1354 			  sdata->u.mgd.bssid);
1355 		new_ap_level = pwr_level_80211h;
1356 	} else {  /* has_cisco_pwr is always true here. */
1357 		sdata_dbg(sdata,
1358 			  "Limiting TX power to %d dBm as advertised by %pM\n",
1359 			  pwr_level_cisco, sdata->u.mgd.bssid);
1360 		new_ap_level = pwr_level_cisco;
1361 	}
1362 
1363 	if (sdata->ap_power_level == new_ap_level)
1364 		return 0;
1365 
1366 	sdata->ap_power_level = new_ap_level;
1367 	if (__ieee80211_recalc_txpower(sdata))
1368 		return BSS_CHANGED_TXPOWER;
1369 	return 0;
1370 }
1371 
1372 /* powersave */
1373 static void ieee80211_enable_ps(struct ieee80211_local *local,
1374 				struct ieee80211_sub_if_data *sdata)
1375 {
1376 	struct ieee80211_conf *conf = &local->hw.conf;
1377 
1378 	/*
1379 	 * If we are scanning right now then the parameters will
1380 	 * take effect when scan finishes.
1381 	 */
1382 	if (local->scanning)
1383 		return;
1384 
1385 	if (conf->dynamic_ps_timeout > 0 &&
1386 	    !(local->hw.flags & IEEE80211_HW_SUPPORTS_DYNAMIC_PS)) {
1387 		mod_timer(&local->dynamic_ps_timer, jiffies +
1388 			  msecs_to_jiffies(conf->dynamic_ps_timeout));
1389 	} else {
1390 		if (local->hw.flags & IEEE80211_HW_PS_NULLFUNC_STACK)
1391 			ieee80211_send_nullfunc(local, sdata, 1);
1392 
1393 		if ((local->hw.flags & IEEE80211_HW_PS_NULLFUNC_STACK) &&
1394 		    (local->hw.flags & IEEE80211_HW_REPORTS_TX_ACK_STATUS))
1395 			return;
1396 
1397 		conf->flags |= IEEE80211_CONF_PS;
1398 		ieee80211_hw_config(local, IEEE80211_CONF_CHANGE_PS);
1399 	}
1400 }
1401 
1402 static void ieee80211_change_ps(struct ieee80211_local *local)
1403 {
1404 	struct ieee80211_conf *conf = &local->hw.conf;
1405 
1406 	if (local->ps_sdata) {
1407 		ieee80211_enable_ps(local, local->ps_sdata);
1408 	} else if (conf->flags & IEEE80211_CONF_PS) {
1409 		conf->flags &= ~IEEE80211_CONF_PS;
1410 		ieee80211_hw_config(local, IEEE80211_CONF_CHANGE_PS);
1411 		del_timer_sync(&local->dynamic_ps_timer);
1412 		cancel_work_sync(&local->dynamic_ps_enable_work);
1413 	}
1414 }
1415 
1416 static bool ieee80211_powersave_allowed(struct ieee80211_sub_if_data *sdata)
1417 {
1418 	struct ieee80211_if_managed *mgd = &sdata->u.mgd;
1419 	struct sta_info *sta = NULL;
1420 	bool authorized = false;
1421 
1422 	if (!mgd->powersave)
1423 		return false;
1424 
1425 	if (mgd->broken_ap)
1426 		return false;
1427 
1428 	if (!mgd->associated)
1429 		return false;
1430 
1431 	if (mgd->flags & IEEE80211_STA_CONNECTION_POLL)
1432 		return false;
1433 
1434 	if (!mgd->have_beacon)
1435 		return false;
1436 
1437 	rcu_read_lock();
1438 	sta = sta_info_get(sdata, mgd->bssid);
1439 	if (sta)
1440 		authorized = test_sta_flag(sta, WLAN_STA_AUTHORIZED);
1441 	rcu_read_unlock();
1442 
1443 	return authorized;
1444 }
1445 
1446 /* need to hold RTNL or interface lock */
1447 void ieee80211_recalc_ps(struct ieee80211_local *local, s32 latency)
1448 {
1449 	struct ieee80211_sub_if_data *sdata, *found = NULL;
1450 	int count = 0;
1451 	int timeout;
1452 
1453 	if (!(local->hw.flags & IEEE80211_HW_SUPPORTS_PS)) {
1454 		local->ps_sdata = NULL;
1455 		return;
1456 	}
1457 
1458 	list_for_each_entry(sdata, &local->interfaces, list) {
1459 		if (!ieee80211_sdata_running(sdata))
1460 			continue;
1461 		if (sdata->vif.type == NL80211_IFTYPE_AP) {
1462 			/* If an AP vif is found, then disable PS
1463 			 * by setting the count to zero thereby setting
1464 			 * ps_sdata to NULL.
1465 			 */
1466 			count = 0;
1467 			break;
1468 		}
1469 		if (sdata->vif.type != NL80211_IFTYPE_STATION)
1470 			continue;
1471 		found = sdata;
1472 		count++;
1473 	}
1474 
1475 	if (count == 1 && ieee80211_powersave_allowed(found)) {
1476 		s32 beaconint_us;
1477 
1478 		if (latency < 0)
1479 			latency = pm_qos_request(PM_QOS_NETWORK_LATENCY);
1480 
1481 		beaconint_us = ieee80211_tu_to_usec(
1482 					found->vif.bss_conf.beacon_int);
1483 
1484 		timeout = local->dynamic_ps_forced_timeout;
1485 		if (timeout < 0) {
1486 			/*
1487 			 * Go to full PSM if the user configures a very low
1488 			 * latency requirement.
1489 			 * The 2000 second value is there for compatibility
1490 			 * until the PM_QOS_NETWORK_LATENCY is configured
1491 			 * with real values.
1492 			 */
1493 			if (latency > (1900 * USEC_PER_MSEC) &&
1494 			    latency != (2000 * USEC_PER_SEC))
1495 				timeout = 0;
1496 			else
1497 				timeout = 100;
1498 		}
1499 		local->hw.conf.dynamic_ps_timeout = timeout;
1500 
1501 		if (beaconint_us > latency) {
1502 			local->ps_sdata = NULL;
1503 		} else {
1504 			int maxslp = 1;
1505 			u8 dtimper = found->u.mgd.dtim_period;
1506 
1507 			/* If the TIM IE is invalid, pretend the value is 1 */
1508 			if (!dtimper)
1509 				dtimper = 1;
1510 			else if (dtimper > 1)
1511 				maxslp = min_t(int, dtimper,
1512 						    latency / beaconint_us);
1513 
1514 			local->hw.conf.max_sleep_period = maxslp;
1515 			local->hw.conf.ps_dtim_period = dtimper;
1516 			local->ps_sdata = found;
1517 		}
1518 	} else {
1519 		local->ps_sdata = NULL;
1520 	}
1521 
1522 	ieee80211_change_ps(local);
1523 }
1524 
1525 void ieee80211_recalc_ps_vif(struct ieee80211_sub_if_data *sdata)
1526 {
1527 	bool ps_allowed = ieee80211_powersave_allowed(sdata);
1528 
1529 	if (sdata->vif.bss_conf.ps != ps_allowed) {
1530 		sdata->vif.bss_conf.ps = ps_allowed;
1531 		ieee80211_bss_info_change_notify(sdata, BSS_CHANGED_PS);
1532 	}
1533 }
1534 
1535 void ieee80211_dynamic_ps_disable_work(struct work_struct *work)
1536 {
1537 	struct ieee80211_local *local =
1538 		container_of(work, struct ieee80211_local,
1539 			     dynamic_ps_disable_work);
1540 
1541 	if (local->hw.conf.flags & IEEE80211_CONF_PS) {
1542 		local->hw.conf.flags &= ~IEEE80211_CONF_PS;
1543 		ieee80211_hw_config(local, IEEE80211_CONF_CHANGE_PS);
1544 	}
1545 
1546 	ieee80211_wake_queues_by_reason(&local->hw,
1547 					IEEE80211_MAX_QUEUE_MAP,
1548 					IEEE80211_QUEUE_STOP_REASON_PS,
1549 					false);
1550 }
1551 
1552 void ieee80211_dynamic_ps_enable_work(struct work_struct *work)
1553 {
1554 	struct ieee80211_local *local =
1555 		container_of(work, struct ieee80211_local,
1556 			     dynamic_ps_enable_work);
1557 	struct ieee80211_sub_if_data *sdata = local->ps_sdata;
1558 	struct ieee80211_if_managed *ifmgd;
1559 	unsigned long flags;
1560 	int q;
1561 
1562 	/* can only happen when PS was just disabled anyway */
1563 	if (!sdata)
1564 		return;
1565 
1566 	ifmgd = &sdata->u.mgd;
1567 
1568 	if (local->hw.conf.flags & IEEE80211_CONF_PS)
1569 		return;
1570 
1571 	if (local->hw.conf.dynamic_ps_timeout > 0) {
1572 		/* don't enter PS if TX frames are pending */
1573 		if (drv_tx_frames_pending(local)) {
1574 			mod_timer(&local->dynamic_ps_timer, jiffies +
1575 				  msecs_to_jiffies(
1576 				  local->hw.conf.dynamic_ps_timeout));
1577 			return;
1578 		}
1579 
1580 		/*
1581 		 * transmission can be stopped by others which leads to
1582 		 * dynamic_ps_timer expiry. Postpone the ps timer if it
1583 		 * is not the actual idle state.
1584 		 */
1585 		spin_lock_irqsave(&local->queue_stop_reason_lock, flags);
1586 		for (q = 0; q < local->hw.queues; q++) {
1587 			if (local->queue_stop_reasons[q]) {
1588 				spin_unlock_irqrestore(&local->queue_stop_reason_lock,
1589 						       flags);
1590 				mod_timer(&local->dynamic_ps_timer, jiffies +
1591 					  msecs_to_jiffies(
1592 					  local->hw.conf.dynamic_ps_timeout));
1593 				return;
1594 			}
1595 		}
1596 		spin_unlock_irqrestore(&local->queue_stop_reason_lock, flags);
1597 	}
1598 
1599 	if ((local->hw.flags & IEEE80211_HW_PS_NULLFUNC_STACK) &&
1600 	    !(ifmgd->flags & IEEE80211_STA_NULLFUNC_ACKED)) {
1601 		if (drv_tx_frames_pending(local)) {
1602 			mod_timer(&local->dynamic_ps_timer, jiffies +
1603 				  msecs_to_jiffies(
1604 				  local->hw.conf.dynamic_ps_timeout));
1605 		} else {
1606 			ieee80211_send_nullfunc(local, sdata, 1);
1607 			/* Flush to get the tx status of nullfunc frame */
1608 			ieee80211_flush_queues(local, sdata, false);
1609 		}
1610 	}
1611 
1612 	if (!((local->hw.flags & IEEE80211_HW_REPORTS_TX_ACK_STATUS) &&
1613 	      (local->hw.flags & IEEE80211_HW_PS_NULLFUNC_STACK)) ||
1614 	    (ifmgd->flags & IEEE80211_STA_NULLFUNC_ACKED)) {
1615 		ifmgd->flags &= ~IEEE80211_STA_NULLFUNC_ACKED;
1616 		local->hw.conf.flags |= IEEE80211_CONF_PS;
1617 		ieee80211_hw_config(local, IEEE80211_CONF_CHANGE_PS);
1618 	}
1619 }
1620 
1621 void ieee80211_dynamic_ps_timer(unsigned long data)
1622 {
1623 	struct ieee80211_local *local = (void *) data;
1624 
1625 	ieee80211_queue_work(&local->hw, &local->dynamic_ps_enable_work);
1626 }
1627 
1628 void ieee80211_dfs_cac_timer_work(struct work_struct *work)
1629 {
1630 	struct delayed_work *delayed_work =
1631 		container_of(work, struct delayed_work, work);
1632 	struct ieee80211_sub_if_data *sdata =
1633 		container_of(delayed_work, struct ieee80211_sub_if_data,
1634 			     dfs_cac_timer_work);
1635 	struct cfg80211_chan_def chandef = sdata->vif.bss_conf.chandef;
1636 
1637 	mutex_lock(&sdata->local->mtx);
1638 	if (sdata->wdev.cac_started) {
1639 		ieee80211_vif_release_channel(sdata);
1640 		cfg80211_cac_event(sdata->dev, &chandef,
1641 				   NL80211_RADAR_CAC_FINISHED,
1642 				   GFP_KERNEL);
1643 	}
1644 	mutex_unlock(&sdata->local->mtx);
1645 }
1646 
1647 static bool
1648 __ieee80211_sta_handle_tspec_ac_params(struct ieee80211_sub_if_data *sdata)
1649 {
1650 	struct ieee80211_local *local = sdata->local;
1651 	struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
1652 	bool ret = false;
1653 	int ac;
1654 
1655 	if (local->hw.queues < IEEE80211_NUM_ACS)
1656 		return false;
1657 
1658 	for (ac = 0; ac < IEEE80211_NUM_ACS; ac++) {
1659 		struct ieee80211_sta_tx_tspec *tx_tspec = &ifmgd->tx_tspec[ac];
1660 		int non_acm_ac;
1661 		unsigned long now = jiffies;
1662 
1663 		if (tx_tspec->action == TX_TSPEC_ACTION_NONE &&
1664 		    tx_tspec->admitted_time &&
1665 		    time_after(now, tx_tspec->time_slice_start + HZ)) {
1666 			tx_tspec->consumed_tx_time = 0;
1667 			tx_tspec->time_slice_start = now;
1668 
1669 			if (tx_tspec->downgraded)
1670 				tx_tspec->action =
1671 					TX_TSPEC_ACTION_STOP_DOWNGRADE;
1672 		}
1673 
1674 		switch (tx_tspec->action) {
1675 		case TX_TSPEC_ACTION_STOP_DOWNGRADE:
1676 			/* take the original parameters */
1677 			if (drv_conf_tx(local, sdata, ac, &sdata->tx_conf[ac]))
1678 				sdata_err(sdata,
1679 					  "failed to set TX queue parameters for queue %d\n",
1680 					  ac);
1681 			tx_tspec->action = TX_TSPEC_ACTION_NONE;
1682 			tx_tspec->downgraded = false;
1683 			ret = true;
1684 			break;
1685 		case TX_TSPEC_ACTION_DOWNGRADE:
1686 			if (time_after(now, tx_tspec->time_slice_start + HZ)) {
1687 				tx_tspec->action = TX_TSPEC_ACTION_NONE;
1688 				ret = true;
1689 				break;
1690 			}
1691 			/* downgrade next lower non-ACM AC */
1692 			for (non_acm_ac = ac + 1;
1693 			     non_acm_ac < IEEE80211_NUM_ACS;
1694 			     non_acm_ac++)
1695 				if (!(sdata->wmm_acm & BIT(7 - 2 * non_acm_ac)))
1696 					break;
1697 			/* The loop will result in using BK even if it requires
1698 			 * admission control, such configuration makes no sense
1699 			 * and we have to transmit somehow - the AC selection
1700 			 * does the same thing.
1701 			 */
1702 			if (drv_conf_tx(local, sdata, ac,
1703 					&sdata->tx_conf[non_acm_ac]))
1704 				sdata_err(sdata,
1705 					  "failed to set TX queue parameters for queue %d\n",
1706 					  ac);
1707 			tx_tspec->action = TX_TSPEC_ACTION_NONE;
1708 			ret = true;
1709 			schedule_delayed_work(&ifmgd->tx_tspec_wk,
1710 				tx_tspec->time_slice_start + HZ - now + 1);
1711 			break;
1712 		case TX_TSPEC_ACTION_NONE:
1713 			/* nothing now */
1714 			break;
1715 		}
1716 	}
1717 
1718 	return ret;
1719 }
1720 
1721 void ieee80211_sta_handle_tspec_ac_params(struct ieee80211_sub_if_data *sdata)
1722 {
1723 	if (__ieee80211_sta_handle_tspec_ac_params(sdata))
1724 		ieee80211_bss_info_change_notify(sdata, BSS_CHANGED_QOS);
1725 }
1726 
1727 static void ieee80211_sta_handle_tspec_ac_params_wk(struct work_struct *work)
1728 {
1729 	struct ieee80211_sub_if_data *sdata;
1730 
1731 	sdata = container_of(work, struct ieee80211_sub_if_data,
1732 			     u.mgd.tx_tspec_wk.work);
1733 	ieee80211_sta_handle_tspec_ac_params(sdata);
1734 }
1735 
1736 /* MLME */
1737 static bool ieee80211_sta_wmm_params(struct ieee80211_local *local,
1738 				     struct ieee80211_sub_if_data *sdata,
1739 				     const u8 *wmm_param, size_t wmm_param_len)
1740 {
1741 	struct ieee80211_tx_queue_params params;
1742 	struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
1743 	size_t left;
1744 	int count;
1745 	const u8 *pos;
1746 	u8 uapsd_queues = 0;
1747 
1748 	if (!local->ops->conf_tx)
1749 		return false;
1750 
1751 	if (local->hw.queues < IEEE80211_NUM_ACS)
1752 		return false;
1753 
1754 	if (!wmm_param)
1755 		return false;
1756 
1757 	if (wmm_param_len < 8 || wmm_param[5] /* version */ != 1)
1758 		return false;
1759 
1760 	if (ifmgd->flags & IEEE80211_STA_UAPSD_ENABLED)
1761 		uapsd_queues = ifmgd->uapsd_queues;
1762 
1763 	count = wmm_param[6] & 0x0f;
1764 	if (count == ifmgd->wmm_last_param_set)
1765 		return false;
1766 	ifmgd->wmm_last_param_set = count;
1767 
1768 	pos = wmm_param + 8;
1769 	left = wmm_param_len - 8;
1770 
1771 	memset(&params, 0, sizeof(params));
1772 
1773 	sdata->wmm_acm = 0;
1774 	for (; left >= 4; left -= 4, pos += 4) {
1775 		int aci = (pos[0] >> 5) & 0x03;
1776 		int acm = (pos[0] >> 4) & 0x01;
1777 		bool uapsd = false;
1778 		int queue;
1779 
1780 		switch (aci) {
1781 		case 1: /* AC_BK */
1782 			queue = 3;
1783 			if (acm)
1784 				sdata->wmm_acm |= BIT(1) | BIT(2); /* BK/- */
1785 			if (uapsd_queues & IEEE80211_WMM_IE_STA_QOSINFO_AC_BK)
1786 				uapsd = true;
1787 			break;
1788 		case 2: /* AC_VI */
1789 			queue = 1;
1790 			if (acm)
1791 				sdata->wmm_acm |= BIT(4) | BIT(5); /* CL/VI */
1792 			if (uapsd_queues & IEEE80211_WMM_IE_STA_QOSINFO_AC_VI)
1793 				uapsd = true;
1794 			break;
1795 		case 3: /* AC_VO */
1796 			queue = 0;
1797 			if (acm)
1798 				sdata->wmm_acm |= BIT(6) | BIT(7); /* VO/NC */
1799 			if (uapsd_queues & IEEE80211_WMM_IE_STA_QOSINFO_AC_VO)
1800 				uapsd = true;
1801 			break;
1802 		case 0: /* AC_BE */
1803 		default:
1804 			queue = 2;
1805 			if (acm)
1806 				sdata->wmm_acm |= BIT(0) | BIT(3); /* BE/EE */
1807 			if (uapsd_queues & IEEE80211_WMM_IE_STA_QOSINFO_AC_BE)
1808 				uapsd = true;
1809 			break;
1810 		}
1811 
1812 		params.aifs = pos[0] & 0x0f;
1813 		params.cw_max = ecw2cw((pos[1] & 0xf0) >> 4);
1814 		params.cw_min = ecw2cw(pos[1] & 0x0f);
1815 		params.txop = get_unaligned_le16(pos + 2);
1816 		params.acm = acm;
1817 		params.uapsd = uapsd;
1818 
1819 		mlme_dbg(sdata,
1820 			 "WMM queue=%d aci=%d acm=%d aifs=%d cWmin=%d cWmax=%d txop=%d uapsd=%d, downgraded=%d\n",
1821 			 queue, aci, acm,
1822 			 params.aifs, params.cw_min, params.cw_max,
1823 			 params.txop, params.uapsd,
1824 			 ifmgd->tx_tspec[queue].downgraded);
1825 		sdata->tx_conf[queue] = params;
1826 		if (!ifmgd->tx_tspec[queue].downgraded &&
1827 		    drv_conf_tx(local, sdata, queue, &params))
1828 			sdata_err(sdata,
1829 				  "failed to set TX queue parameters for queue %d\n",
1830 				  queue);
1831 	}
1832 
1833 	/* enable WMM or activate new settings */
1834 	sdata->vif.bss_conf.qos = true;
1835 	return true;
1836 }
1837 
1838 static void __ieee80211_stop_poll(struct ieee80211_sub_if_data *sdata)
1839 {
1840 	lockdep_assert_held(&sdata->local->mtx);
1841 
1842 	sdata->u.mgd.flags &= ~IEEE80211_STA_CONNECTION_POLL;
1843 	ieee80211_run_deferred_scan(sdata->local);
1844 }
1845 
1846 static void ieee80211_stop_poll(struct ieee80211_sub_if_data *sdata)
1847 {
1848 	mutex_lock(&sdata->local->mtx);
1849 	__ieee80211_stop_poll(sdata);
1850 	mutex_unlock(&sdata->local->mtx);
1851 }
1852 
1853 static u32 ieee80211_handle_bss_capability(struct ieee80211_sub_if_data *sdata,
1854 					   u16 capab, bool erp_valid, u8 erp)
1855 {
1856 	struct ieee80211_bss_conf *bss_conf = &sdata->vif.bss_conf;
1857 	u32 changed = 0;
1858 	bool use_protection;
1859 	bool use_short_preamble;
1860 	bool use_short_slot;
1861 
1862 	if (erp_valid) {
1863 		use_protection = (erp & WLAN_ERP_USE_PROTECTION) != 0;
1864 		use_short_preamble = (erp & WLAN_ERP_BARKER_PREAMBLE) == 0;
1865 	} else {
1866 		use_protection = false;
1867 		use_short_preamble = !!(capab & WLAN_CAPABILITY_SHORT_PREAMBLE);
1868 	}
1869 
1870 	use_short_slot = !!(capab & WLAN_CAPABILITY_SHORT_SLOT_TIME);
1871 	if (ieee80211_get_sdata_band(sdata) == IEEE80211_BAND_5GHZ)
1872 		use_short_slot = true;
1873 
1874 	if (use_protection != bss_conf->use_cts_prot) {
1875 		bss_conf->use_cts_prot = use_protection;
1876 		changed |= BSS_CHANGED_ERP_CTS_PROT;
1877 	}
1878 
1879 	if (use_short_preamble != bss_conf->use_short_preamble) {
1880 		bss_conf->use_short_preamble = use_short_preamble;
1881 		changed |= BSS_CHANGED_ERP_PREAMBLE;
1882 	}
1883 
1884 	if (use_short_slot != bss_conf->use_short_slot) {
1885 		bss_conf->use_short_slot = use_short_slot;
1886 		changed |= BSS_CHANGED_ERP_SLOT;
1887 	}
1888 
1889 	return changed;
1890 }
1891 
1892 static void ieee80211_set_associated(struct ieee80211_sub_if_data *sdata,
1893 				     struct cfg80211_bss *cbss,
1894 				     u32 bss_info_changed)
1895 {
1896 	struct ieee80211_bss *bss = (void *)cbss->priv;
1897 	struct ieee80211_local *local = sdata->local;
1898 	struct ieee80211_bss_conf *bss_conf = &sdata->vif.bss_conf;
1899 
1900 	bss_info_changed |= BSS_CHANGED_ASSOC;
1901 	bss_info_changed |= ieee80211_handle_bss_capability(sdata,
1902 		bss_conf->assoc_capability, bss->has_erp_value, bss->erp_value);
1903 
1904 	sdata->u.mgd.beacon_timeout = usecs_to_jiffies(ieee80211_tu_to_usec(
1905 		beacon_loss_count * bss_conf->beacon_int));
1906 
1907 	sdata->u.mgd.associated = cbss;
1908 	memcpy(sdata->u.mgd.bssid, cbss->bssid, ETH_ALEN);
1909 
1910 	sdata->u.mgd.flags |= IEEE80211_STA_RESET_SIGNAL_AVE;
1911 
1912 	if (sdata->vif.p2p) {
1913 		const struct cfg80211_bss_ies *ies;
1914 
1915 		rcu_read_lock();
1916 		ies = rcu_dereference(cbss->ies);
1917 		if (ies) {
1918 			int ret;
1919 
1920 			ret = cfg80211_get_p2p_attr(
1921 					ies->data, ies->len,
1922 					IEEE80211_P2P_ATTR_ABSENCE_NOTICE,
1923 					(u8 *) &bss_conf->p2p_noa_attr,
1924 					sizeof(bss_conf->p2p_noa_attr));
1925 			if (ret >= 2) {
1926 				sdata->u.mgd.p2p_noa_index =
1927 					bss_conf->p2p_noa_attr.index;
1928 				bss_info_changed |= BSS_CHANGED_P2P_PS;
1929 			}
1930 		}
1931 		rcu_read_unlock();
1932 	}
1933 
1934 	/* just to be sure */
1935 	ieee80211_stop_poll(sdata);
1936 
1937 	ieee80211_led_assoc(local, 1);
1938 
1939 	if (sdata->u.mgd.have_beacon) {
1940 		/*
1941 		 * If the AP is buggy we may get here with no DTIM period
1942 		 * known, so assume it's 1 which is the only safe assumption
1943 		 * in that case, although if the TIM IE is broken powersave
1944 		 * probably just won't work at all.
1945 		 */
1946 		bss_conf->dtim_period = sdata->u.mgd.dtim_period ?: 1;
1947 		bss_conf->beacon_rate = bss->beacon_rate;
1948 		bss_info_changed |= BSS_CHANGED_BEACON_INFO;
1949 	} else {
1950 		bss_conf->beacon_rate = NULL;
1951 		bss_conf->dtim_period = 0;
1952 	}
1953 
1954 	bss_conf->assoc = 1;
1955 
1956 	/* Tell the driver to monitor connection quality (if supported) */
1957 	if (sdata->vif.driver_flags & IEEE80211_VIF_SUPPORTS_CQM_RSSI &&
1958 	    bss_conf->cqm_rssi_thold)
1959 		bss_info_changed |= BSS_CHANGED_CQM;
1960 
1961 	/* Enable ARP filtering */
1962 	if (bss_conf->arp_addr_cnt)
1963 		bss_info_changed |= BSS_CHANGED_ARP_FILTER;
1964 
1965 	ieee80211_bss_info_change_notify(sdata, bss_info_changed);
1966 
1967 	mutex_lock(&local->iflist_mtx);
1968 	ieee80211_recalc_ps(local, -1);
1969 	mutex_unlock(&local->iflist_mtx);
1970 
1971 	ieee80211_recalc_smps(sdata);
1972 	ieee80211_recalc_ps_vif(sdata);
1973 
1974 	netif_carrier_on(sdata->dev);
1975 }
1976 
1977 static void ieee80211_set_disassoc(struct ieee80211_sub_if_data *sdata,
1978 				   u16 stype, u16 reason, bool tx,
1979 				   u8 *frame_buf)
1980 {
1981 	struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
1982 	struct ieee80211_local *local = sdata->local;
1983 	u32 changed = 0;
1984 
1985 	sdata_assert_lock(sdata);
1986 
1987 	if (WARN_ON_ONCE(tx && !frame_buf))
1988 		return;
1989 
1990 	if (WARN_ON(!ifmgd->associated))
1991 		return;
1992 
1993 	ieee80211_stop_poll(sdata);
1994 
1995 	ifmgd->associated = NULL;
1996 	netif_carrier_off(sdata->dev);
1997 
1998 	/*
1999 	 * if we want to get out of ps before disassoc (why?) we have
2000 	 * to do it before sending disassoc, as otherwise the null-packet
2001 	 * won't be valid.
2002 	 */
2003 	if (local->hw.conf.flags & IEEE80211_CONF_PS) {
2004 		local->hw.conf.flags &= ~IEEE80211_CONF_PS;
2005 		ieee80211_hw_config(local, IEEE80211_CONF_CHANGE_PS);
2006 	}
2007 	local->ps_sdata = NULL;
2008 
2009 	/* disable per-vif ps */
2010 	ieee80211_recalc_ps_vif(sdata);
2011 
2012 	/* make sure ongoing transmission finishes */
2013 	synchronize_net();
2014 
2015 	/*
2016 	 * drop any frame before deauth/disassoc, this can be data or
2017 	 * management frame. Since we are disconnecting, we should not
2018 	 * insist sending these frames which can take time and delay
2019 	 * the disconnection and possible the roaming.
2020 	 */
2021 	if (tx)
2022 		ieee80211_flush_queues(local, sdata, true);
2023 
2024 	/* deauthenticate/disassociate now */
2025 	if (tx || frame_buf)
2026 		ieee80211_send_deauth_disassoc(sdata, ifmgd->bssid, stype,
2027 					       reason, tx, frame_buf);
2028 
2029 	/* flush out frame - make sure the deauth was actually sent */
2030 	if (tx)
2031 		ieee80211_flush_queues(local, sdata, false);
2032 
2033 	/* clear bssid only after building the needed mgmt frames */
2034 	eth_zero_addr(ifmgd->bssid);
2035 
2036 	/* remove AP and TDLS peers */
2037 	sta_info_flush(sdata);
2038 
2039 	/* finally reset all BSS / config parameters */
2040 	changed |= ieee80211_reset_erp_info(sdata);
2041 
2042 	ieee80211_led_assoc(local, 0);
2043 	changed |= BSS_CHANGED_ASSOC;
2044 	sdata->vif.bss_conf.assoc = false;
2045 
2046 	ifmgd->p2p_noa_index = -1;
2047 	memset(&sdata->vif.bss_conf.p2p_noa_attr, 0,
2048 	       sizeof(sdata->vif.bss_conf.p2p_noa_attr));
2049 
2050 	/* on the next assoc, re-program HT/VHT parameters */
2051 	memset(&ifmgd->ht_capa, 0, sizeof(ifmgd->ht_capa));
2052 	memset(&ifmgd->ht_capa_mask, 0, sizeof(ifmgd->ht_capa_mask));
2053 	memset(&ifmgd->vht_capa, 0, sizeof(ifmgd->vht_capa));
2054 	memset(&ifmgd->vht_capa_mask, 0, sizeof(ifmgd->vht_capa_mask));
2055 
2056 	sdata->ap_power_level = IEEE80211_UNSET_POWER_LEVEL;
2057 
2058 	del_timer_sync(&local->dynamic_ps_timer);
2059 	cancel_work_sync(&local->dynamic_ps_enable_work);
2060 
2061 	/* Disable ARP filtering */
2062 	if (sdata->vif.bss_conf.arp_addr_cnt)
2063 		changed |= BSS_CHANGED_ARP_FILTER;
2064 
2065 	sdata->vif.bss_conf.qos = false;
2066 	changed |= BSS_CHANGED_QOS;
2067 
2068 	/* The BSSID (not really interesting) and HT changed */
2069 	changed |= BSS_CHANGED_BSSID | BSS_CHANGED_HT;
2070 	ieee80211_bss_info_change_notify(sdata, changed);
2071 
2072 	/* disassociated - set to defaults now */
2073 	ieee80211_set_wmm_default(sdata, false);
2074 
2075 	del_timer_sync(&sdata->u.mgd.conn_mon_timer);
2076 	del_timer_sync(&sdata->u.mgd.bcn_mon_timer);
2077 	del_timer_sync(&sdata->u.mgd.timer);
2078 	del_timer_sync(&sdata->u.mgd.chswitch_timer);
2079 
2080 	sdata->vif.bss_conf.dtim_period = 0;
2081 	sdata->vif.bss_conf.beacon_rate = NULL;
2082 
2083 	ifmgd->have_beacon = false;
2084 
2085 	ifmgd->flags = 0;
2086 	mutex_lock(&local->mtx);
2087 	ieee80211_vif_release_channel(sdata);
2088 
2089 	sdata->vif.csa_active = false;
2090 	ifmgd->csa_waiting_bcn = false;
2091 	ifmgd->csa_ignored_same_chan = false;
2092 	if (sdata->csa_block_tx) {
2093 		ieee80211_wake_vif_queues(local, sdata,
2094 					  IEEE80211_QUEUE_STOP_REASON_CSA);
2095 		sdata->csa_block_tx = false;
2096 	}
2097 	mutex_unlock(&local->mtx);
2098 
2099 	/* existing TX TSPEC sessions no longer exist */
2100 	memset(ifmgd->tx_tspec, 0, sizeof(ifmgd->tx_tspec));
2101 	cancel_delayed_work_sync(&ifmgd->tx_tspec_wk);
2102 
2103 	sdata->encrypt_headroom = IEEE80211_ENCRYPT_HEADROOM;
2104 }
2105 
2106 void ieee80211_sta_rx_notify(struct ieee80211_sub_if_data *sdata,
2107 			     struct ieee80211_hdr *hdr)
2108 {
2109 	/*
2110 	 * We can postpone the mgd.timer whenever receiving unicast frames
2111 	 * from AP because we know that the connection is working both ways
2112 	 * at that time. But multicast frames (and hence also beacons) must
2113 	 * be ignored here, because we need to trigger the timer during
2114 	 * data idle periods for sending the periodic probe request to the
2115 	 * AP we're connected to.
2116 	 */
2117 	if (is_multicast_ether_addr(hdr->addr1))
2118 		return;
2119 
2120 	ieee80211_sta_reset_conn_monitor(sdata);
2121 }
2122 
2123 static void ieee80211_reset_ap_probe(struct ieee80211_sub_if_data *sdata)
2124 {
2125 	struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
2126 	struct ieee80211_local *local = sdata->local;
2127 
2128 	mutex_lock(&local->mtx);
2129 	if (!(ifmgd->flags & IEEE80211_STA_CONNECTION_POLL))
2130 		goto out;
2131 
2132 	__ieee80211_stop_poll(sdata);
2133 
2134 	mutex_lock(&local->iflist_mtx);
2135 	ieee80211_recalc_ps(local, -1);
2136 	mutex_unlock(&local->iflist_mtx);
2137 
2138 	if (sdata->local->hw.flags & IEEE80211_HW_CONNECTION_MONITOR)
2139 		goto out;
2140 
2141 	/*
2142 	 * We've received a probe response, but are not sure whether
2143 	 * we have or will be receiving any beacons or data, so let's
2144 	 * schedule the timers again, just in case.
2145 	 */
2146 	ieee80211_sta_reset_beacon_monitor(sdata);
2147 
2148 	mod_timer(&ifmgd->conn_mon_timer,
2149 		  round_jiffies_up(jiffies +
2150 				   IEEE80211_CONNECTION_IDLE_TIME));
2151 out:
2152 	mutex_unlock(&local->mtx);
2153 }
2154 
2155 static void ieee80211_sta_tx_wmm_ac_notify(struct ieee80211_sub_if_data *sdata,
2156 					   struct ieee80211_hdr *hdr,
2157 					   u16 tx_time)
2158 {
2159 	struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
2160 	u16 tid = *ieee80211_get_qos_ctl(hdr) & IEEE80211_QOS_CTL_TID_MASK;
2161 	int ac = ieee80211_ac_from_tid(tid);
2162 	struct ieee80211_sta_tx_tspec *tx_tspec = &ifmgd->tx_tspec[ac];
2163 	unsigned long now = jiffies;
2164 
2165 	if (likely(!tx_tspec->admitted_time))
2166 		return;
2167 
2168 	if (time_after(now, tx_tspec->time_slice_start + HZ)) {
2169 		tx_tspec->consumed_tx_time = 0;
2170 		tx_tspec->time_slice_start = now;
2171 
2172 		if (tx_tspec->downgraded) {
2173 			tx_tspec->action = TX_TSPEC_ACTION_STOP_DOWNGRADE;
2174 			schedule_delayed_work(&ifmgd->tx_tspec_wk, 0);
2175 		}
2176 	}
2177 
2178 	if (tx_tspec->downgraded)
2179 		return;
2180 
2181 	tx_tspec->consumed_tx_time += tx_time;
2182 
2183 	if (tx_tspec->consumed_tx_time >= tx_tspec->admitted_time) {
2184 		tx_tspec->downgraded = true;
2185 		tx_tspec->action = TX_TSPEC_ACTION_DOWNGRADE;
2186 		schedule_delayed_work(&ifmgd->tx_tspec_wk, 0);
2187 	}
2188 }
2189 
2190 void ieee80211_sta_tx_notify(struct ieee80211_sub_if_data *sdata,
2191 			     struct ieee80211_hdr *hdr, bool ack, u16 tx_time)
2192 {
2193 	ieee80211_sta_tx_wmm_ac_notify(sdata, hdr, tx_time);
2194 
2195 	if (!ieee80211_is_data(hdr->frame_control))
2196 	    return;
2197 
2198 	if (ieee80211_is_nullfunc(hdr->frame_control) &&
2199 	    sdata->u.mgd.probe_send_count > 0) {
2200 		if (ack)
2201 			ieee80211_sta_reset_conn_monitor(sdata);
2202 		else
2203 			sdata->u.mgd.nullfunc_failed = true;
2204 		ieee80211_queue_work(&sdata->local->hw, &sdata->work);
2205 		return;
2206 	}
2207 
2208 	if (ack)
2209 		ieee80211_sta_reset_conn_monitor(sdata);
2210 }
2211 
2212 static void ieee80211_mgd_probe_ap_send(struct ieee80211_sub_if_data *sdata)
2213 {
2214 	struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
2215 	const u8 *ssid;
2216 	u8 *dst = ifmgd->associated->bssid;
2217 	u8 unicast_limit = max(1, max_probe_tries - 3);
2218 
2219 	/*
2220 	 * Try sending broadcast probe requests for the last three
2221 	 * probe requests after the first ones failed since some
2222 	 * buggy APs only support broadcast probe requests.
2223 	 */
2224 	if (ifmgd->probe_send_count >= unicast_limit)
2225 		dst = NULL;
2226 
2227 	/*
2228 	 * When the hardware reports an accurate Tx ACK status, it's
2229 	 * better to send a nullfunc frame instead of a probe request,
2230 	 * as it will kick us off the AP quickly if we aren't associated
2231 	 * anymore. The timeout will be reset if the frame is ACKed by
2232 	 * the AP.
2233 	 */
2234 	ifmgd->probe_send_count++;
2235 
2236 	if (sdata->local->hw.flags & IEEE80211_HW_REPORTS_TX_ACK_STATUS) {
2237 		ifmgd->nullfunc_failed = false;
2238 		ieee80211_send_nullfunc(sdata->local, sdata, 0);
2239 	} else {
2240 		int ssid_len;
2241 
2242 		rcu_read_lock();
2243 		ssid = ieee80211_bss_get_ie(ifmgd->associated, WLAN_EID_SSID);
2244 		if (WARN_ON_ONCE(ssid == NULL))
2245 			ssid_len = 0;
2246 		else
2247 			ssid_len = ssid[1];
2248 
2249 		ieee80211_send_probe_req(sdata, sdata->vif.addr, dst,
2250 					 ssid + 2, ssid_len, NULL,
2251 					 0, (u32) -1, true, 0,
2252 					 ifmgd->associated->channel, false);
2253 		rcu_read_unlock();
2254 	}
2255 
2256 	ifmgd->probe_timeout = jiffies + msecs_to_jiffies(probe_wait_ms);
2257 	run_again(sdata, ifmgd->probe_timeout);
2258 }
2259 
2260 static void ieee80211_mgd_probe_ap(struct ieee80211_sub_if_data *sdata,
2261 				   bool beacon)
2262 {
2263 	struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
2264 	bool already = false;
2265 
2266 	if (!ieee80211_sdata_running(sdata))
2267 		return;
2268 
2269 	sdata_lock(sdata);
2270 
2271 	if (!ifmgd->associated)
2272 		goto out;
2273 
2274 	mutex_lock(&sdata->local->mtx);
2275 
2276 	if (sdata->local->tmp_channel || sdata->local->scanning) {
2277 		mutex_unlock(&sdata->local->mtx);
2278 		goto out;
2279 	}
2280 
2281 	if (beacon) {
2282 		mlme_dbg_ratelimited(sdata,
2283 				     "detected beacon loss from AP (missed %d beacons) - probing\n",
2284 				     beacon_loss_count);
2285 
2286 		ieee80211_cqm_beacon_loss_notify(&sdata->vif, GFP_KERNEL);
2287 	}
2288 
2289 	/*
2290 	 * The driver/our work has already reported this event or the
2291 	 * connection monitoring has kicked in and we have already sent
2292 	 * a probe request. Or maybe the AP died and the driver keeps
2293 	 * reporting until we disassociate...
2294 	 *
2295 	 * In either case we have to ignore the current call to this
2296 	 * function (except for setting the correct probe reason bit)
2297 	 * because otherwise we would reset the timer every time and
2298 	 * never check whether we received a probe response!
2299 	 */
2300 	if (ifmgd->flags & IEEE80211_STA_CONNECTION_POLL)
2301 		already = true;
2302 
2303 	ifmgd->flags |= IEEE80211_STA_CONNECTION_POLL;
2304 
2305 	mutex_unlock(&sdata->local->mtx);
2306 
2307 	if (already)
2308 		goto out;
2309 
2310 	mutex_lock(&sdata->local->iflist_mtx);
2311 	ieee80211_recalc_ps(sdata->local, -1);
2312 	mutex_unlock(&sdata->local->iflist_mtx);
2313 
2314 	ifmgd->probe_send_count = 0;
2315 	ieee80211_mgd_probe_ap_send(sdata);
2316  out:
2317 	sdata_unlock(sdata);
2318 }
2319 
2320 struct sk_buff *ieee80211_ap_probereq_get(struct ieee80211_hw *hw,
2321 					  struct ieee80211_vif *vif)
2322 {
2323 	struct ieee80211_sub_if_data *sdata = vif_to_sdata(vif);
2324 	struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
2325 	struct cfg80211_bss *cbss;
2326 	struct sk_buff *skb;
2327 	const u8 *ssid;
2328 	int ssid_len;
2329 
2330 	if (WARN_ON(sdata->vif.type != NL80211_IFTYPE_STATION))
2331 		return NULL;
2332 
2333 	sdata_assert_lock(sdata);
2334 
2335 	if (ifmgd->associated)
2336 		cbss = ifmgd->associated;
2337 	else if (ifmgd->auth_data)
2338 		cbss = ifmgd->auth_data->bss;
2339 	else if (ifmgd->assoc_data)
2340 		cbss = ifmgd->assoc_data->bss;
2341 	else
2342 		return NULL;
2343 
2344 	rcu_read_lock();
2345 	ssid = ieee80211_bss_get_ie(cbss, WLAN_EID_SSID);
2346 	if (WARN_ON_ONCE(ssid == NULL))
2347 		ssid_len = 0;
2348 	else
2349 		ssid_len = ssid[1];
2350 
2351 	skb = ieee80211_build_probe_req(sdata, sdata->vif.addr, cbss->bssid,
2352 					(u32) -1, cbss->channel,
2353 					ssid + 2, ssid_len,
2354 					NULL, 0, true);
2355 	rcu_read_unlock();
2356 
2357 	return skb;
2358 }
2359 EXPORT_SYMBOL(ieee80211_ap_probereq_get);
2360 
2361 static void ieee80211_report_disconnect(struct ieee80211_sub_if_data *sdata,
2362 					const u8 *buf, size_t len, bool tx,
2363 					u16 reason)
2364 {
2365 	struct ieee80211_event event = {
2366 		.type = MLME_EVENT,
2367 		.u.mlme.data = tx ? DEAUTH_TX_EVENT : DEAUTH_RX_EVENT,
2368 		.u.mlme.reason = reason,
2369 	};
2370 
2371 	if (tx)
2372 		cfg80211_tx_mlme_mgmt(sdata->dev, buf, len);
2373 	else
2374 		cfg80211_rx_mlme_mgmt(sdata->dev, buf, len);
2375 
2376 	drv_event_callback(sdata->local, sdata, &event);
2377 }
2378 
2379 static void __ieee80211_disconnect(struct ieee80211_sub_if_data *sdata)
2380 {
2381 	struct ieee80211_local *local = sdata->local;
2382 	struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
2383 	u8 frame_buf[IEEE80211_DEAUTH_FRAME_LEN];
2384 
2385 	sdata_lock(sdata);
2386 	if (!ifmgd->associated) {
2387 		sdata_unlock(sdata);
2388 		return;
2389 	}
2390 
2391 	ieee80211_set_disassoc(sdata, IEEE80211_STYPE_DEAUTH,
2392 			       WLAN_REASON_DISASSOC_DUE_TO_INACTIVITY,
2393 			       true, frame_buf);
2394 	mutex_lock(&local->mtx);
2395 	sdata->vif.csa_active = false;
2396 	ifmgd->csa_waiting_bcn = false;
2397 	if (sdata->csa_block_tx) {
2398 		ieee80211_wake_vif_queues(local, sdata,
2399 					  IEEE80211_QUEUE_STOP_REASON_CSA);
2400 		sdata->csa_block_tx = false;
2401 	}
2402 	mutex_unlock(&local->mtx);
2403 
2404 	ieee80211_report_disconnect(sdata, frame_buf, sizeof(frame_buf), true,
2405 				    WLAN_REASON_DISASSOC_DUE_TO_INACTIVITY);
2406 
2407 	sdata_unlock(sdata);
2408 }
2409 
2410 static void ieee80211_beacon_connection_loss_work(struct work_struct *work)
2411 {
2412 	struct ieee80211_sub_if_data *sdata =
2413 		container_of(work, struct ieee80211_sub_if_data,
2414 			     u.mgd.beacon_connection_loss_work);
2415 	struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
2416 	struct sta_info *sta;
2417 
2418 	if (ifmgd->associated) {
2419 		rcu_read_lock();
2420 		sta = sta_info_get(sdata, ifmgd->bssid);
2421 		if (sta)
2422 			sta->beacon_loss_count++;
2423 		rcu_read_unlock();
2424 	}
2425 
2426 	if (ifmgd->connection_loss) {
2427 		sdata_info(sdata, "Connection to AP %pM lost\n",
2428 			   ifmgd->bssid);
2429 		__ieee80211_disconnect(sdata);
2430 	} else {
2431 		ieee80211_mgd_probe_ap(sdata, true);
2432 	}
2433 }
2434 
2435 static void ieee80211_csa_connection_drop_work(struct work_struct *work)
2436 {
2437 	struct ieee80211_sub_if_data *sdata =
2438 		container_of(work, struct ieee80211_sub_if_data,
2439 			     u.mgd.csa_connection_drop_work);
2440 
2441 	__ieee80211_disconnect(sdata);
2442 }
2443 
2444 void ieee80211_beacon_loss(struct ieee80211_vif *vif)
2445 {
2446 	struct ieee80211_sub_if_data *sdata = vif_to_sdata(vif);
2447 	struct ieee80211_hw *hw = &sdata->local->hw;
2448 
2449 	trace_api_beacon_loss(sdata);
2450 
2451 	sdata->u.mgd.connection_loss = false;
2452 	ieee80211_queue_work(hw, &sdata->u.mgd.beacon_connection_loss_work);
2453 }
2454 EXPORT_SYMBOL(ieee80211_beacon_loss);
2455 
2456 void ieee80211_connection_loss(struct ieee80211_vif *vif)
2457 {
2458 	struct ieee80211_sub_if_data *sdata = vif_to_sdata(vif);
2459 	struct ieee80211_hw *hw = &sdata->local->hw;
2460 
2461 	trace_api_connection_loss(sdata);
2462 
2463 	sdata->u.mgd.connection_loss = true;
2464 	ieee80211_queue_work(hw, &sdata->u.mgd.beacon_connection_loss_work);
2465 }
2466 EXPORT_SYMBOL(ieee80211_connection_loss);
2467 
2468 
2469 static void ieee80211_destroy_auth_data(struct ieee80211_sub_if_data *sdata,
2470 					bool assoc)
2471 {
2472 	struct ieee80211_mgd_auth_data *auth_data = sdata->u.mgd.auth_data;
2473 
2474 	sdata_assert_lock(sdata);
2475 
2476 	if (!assoc) {
2477 		/*
2478 		 * we are not authenticated yet, the only timer that could be
2479 		 * running is the timeout for the authentication response which
2480 		 * which is not relevant anymore.
2481 		 */
2482 		del_timer_sync(&sdata->u.mgd.timer);
2483 		sta_info_destroy_addr(sdata, auth_data->bss->bssid);
2484 
2485 		eth_zero_addr(sdata->u.mgd.bssid);
2486 		ieee80211_bss_info_change_notify(sdata, BSS_CHANGED_BSSID);
2487 		sdata->u.mgd.flags = 0;
2488 		mutex_lock(&sdata->local->mtx);
2489 		ieee80211_vif_release_channel(sdata);
2490 		mutex_unlock(&sdata->local->mtx);
2491 	}
2492 
2493 	cfg80211_put_bss(sdata->local->hw.wiphy, auth_data->bss);
2494 	kfree(auth_data);
2495 	sdata->u.mgd.auth_data = NULL;
2496 }
2497 
2498 static void ieee80211_auth_challenge(struct ieee80211_sub_if_data *sdata,
2499 				     struct ieee80211_mgmt *mgmt, size_t len)
2500 {
2501 	struct ieee80211_local *local = sdata->local;
2502 	struct ieee80211_mgd_auth_data *auth_data = sdata->u.mgd.auth_data;
2503 	u8 *pos;
2504 	struct ieee802_11_elems elems;
2505 	u32 tx_flags = 0;
2506 
2507 	pos = mgmt->u.auth.variable;
2508 	ieee802_11_parse_elems(pos, len - (pos - (u8 *) mgmt), false, &elems);
2509 	if (!elems.challenge)
2510 		return;
2511 	auth_data->expected_transaction = 4;
2512 	drv_mgd_prepare_tx(sdata->local, sdata);
2513 	if (local->hw.flags & IEEE80211_HW_REPORTS_TX_ACK_STATUS)
2514 		tx_flags = IEEE80211_TX_CTL_REQ_TX_STATUS |
2515 			   IEEE80211_TX_INTFL_MLME_CONN_TX;
2516 	ieee80211_send_auth(sdata, 3, auth_data->algorithm, 0,
2517 			    elems.challenge - 2, elems.challenge_len + 2,
2518 			    auth_data->bss->bssid, auth_data->bss->bssid,
2519 			    auth_data->key, auth_data->key_len,
2520 			    auth_data->key_idx, tx_flags);
2521 }
2522 
2523 static void ieee80211_rx_mgmt_auth(struct ieee80211_sub_if_data *sdata,
2524 				   struct ieee80211_mgmt *mgmt, size_t len)
2525 {
2526 	struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
2527 	u8 bssid[ETH_ALEN];
2528 	u16 auth_alg, auth_transaction, status_code;
2529 	struct sta_info *sta;
2530 	struct ieee80211_event event = {
2531 		.type = MLME_EVENT,
2532 		.u.mlme.data = AUTH_EVENT,
2533 	};
2534 
2535 	sdata_assert_lock(sdata);
2536 
2537 	if (len < 24 + 6)
2538 		return;
2539 
2540 	if (!ifmgd->auth_data || ifmgd->auth_data->done)
2541 		return;
2542 
2543 	memcpy(bssid, ifmgd->auth_data->bss->bssid, ETH_ALEN);
2544 
2545 	if (!ether_addr_equal(bssid, mgmt->bssid))
2546 		return;
2547 
2548 	auth_alg = le16_to_cpu(mgmt->u.auth.auth_alg);
2549 	auth_transaction = le16_to_cpu(mgmt->u.auth.auth_transaction);
2550 	status_code = le16_to_cpu(mgmt->u.auth.status_code);
2551 
2552 	if (auth_alg != ifmgd->auth_data->algorithm ||
2553 	    auth_transaction != ifmgd->auth_data->expected_transaction) {
2554 		sdata_info(sdata, "%pM unexpected authentication state: alg %d (expected %d) transact %d (expected %d)\n",
2555 			   mgmt->sa, auth_alg, ifmgd->auth_data->algorithm,
2556 			   auth_transaction,
2557 			   ifmgd->auth_data->expected_transaction);
2558 		return;
2559 	}
2560 
2561 	if (status_code != WLAN_STATUS_SUCCESS) {
2562 		sdata_info(sdata, "%pM denied authentication (status %d)\n",
2563 			   mgmt->sa, status_code);
2564 		ieee80211_destroy_auth_data(sdata, false);
2565 		cfg80211_rx_mlme_mgmt(sdata->dev, (u8 *)mgmt, len);
2566 		event.u.mlme.status = MLME_DENIED;
2567 		event.u.mlme.reason = status_code;
2568 		drv_event_callback(sdata->local, sdata, &event);
2569 		return;
2570 	}
2571 
2572 	switch (ifmgd->auth_data->algorithm) {
2573 	case WLAN_AUTH_OPEN:
2574 	case WLAN_AUTH_LEAP:
2575 	case WLAN_AUTH_FT:
2576 	case WLAN_AUTH_SAE:
2577 		break;
2578 	case WLAN_AUTH_SHARED_KEY:
2579 		if (ifmgd->auth_data->expected_transaction != 4) {
2580 			ieee80211_auth_challenge(sdata, mgmt, len);
2581 			/* need another frame */
2582 			return;
2583 		}
2584 		break;
2585 	default:
2586 		WARN_ONCE(1, "invalid auth alg %d",
2587 			  ifmgd->auth_data->algorithm);
2588 		return;
2589 	}
2590 
2591 	event.u.mlme.status = MLME_SUCCESS;
2592 	drv_event_callback(sdata->local, sdata, &event);
2593 	sdata_info(sdata, "authenticated\n");
2594 	ifmgd->auth_data->done = true;
2595 	ifmgd->auth_data->timeout = jiffies + IEEE80211_AUTH_WAIT_ASSOC;
2596 	ifmgd->auth_data->timeout_started = true;
2597 	run_again(sdata, ifmgd->auth_data->timeout);
2598 
2599 	if (ifmgd->auth_data->algorithm == WLAN_AUTH_SAE &&
2600 	    ifmgd->auth_data->expected_transaction != 2) {
2601 		/*
2602 		 * Report auth frame to user space for processing since another
2603 		 * round of Authentication frames is still needed.
2604 		 */
2605 		cfg80211_rx_mlme_mgmt(sdata->dev, (u8 *)mgmt, len);
2606 		return;
2607 	}
2608 
2609 	/* move station state to auth */
2610 	mutex_lock(&sdata->local->sta_mtx);
2611 	sta = sta_info_get(sdata, bssid);
2612 	if (!sta) {
2613 		WARN_ONCE(1, "%s: STA %pM not found", sdata->name, bssid);
2614 		goto out_err;
2615 	}
2616 	if (sta_info_move_state(sta, IEEE80211_STA_AUTH)) {
2617 		sdata_info(sdata, "failed moving %pM to auth\n", bssid);
2618 		goto out_err;
2619 	}
2620 	mutex_unlock(&sdata->local->sta_mtx);
2621 
2622 	cfg80211_rx_mlme_mgmt(sdata->dev, (u8 *)mgmt, len);
2623 	return;
2624  out_err:
2625 	mutex_unlock(&sdata->local->sta_mtx);
2626 	/* ignore frame -- wait for timeout */
2627 }
2628 
2629 #define case_WLAN(type) \
2630 	case WLAN_REASON_##type: return #type
2631 
2632 static const char *ieee80211_get_reason_code_string(u16 reason_code)
2633 {
2634 	switch (reason_code) {
2635 	case_WLAN(UNSPECIFIED);
2636 	case_WLAN(PREV_AUTH_NOT_VALID);
2637 	case_WLAN(DEAUTH_LEAVING);
2638 	case_WLAN(DISASSOC_DUE_TO_INACTIVITY);
2639 	case_WLAN(DISASSOC_AP_BUSY);
2640 	case_WLAN(CLASS2_FRAME_FROM_NONAUTH_STA);
2641 	case_WLAN(CLASS3_FRAME_FROM_NONASSOC_STA);
2642 	case_WLAN(DISASSOC_STA_HAS_LEFT);
2643 	case_WLAN(STA_REQ_ASSOC_WITHOUT_AUTH);
2644 	case_WLAN(DISASSOC_BAD_POWER);
2645 	case_WLAN(DISASSOC_BAD_SUPP_CHAN);
2646 	case_WLAN(INVALID_IE);
2647 	case_WLAN(MIC_FAILURE);
2648 	case_WLAN(4WAY_HANDSHAKE_TIMEOUT);
2649 	case_WLAN(GROUP_KEY_HANDSHAKE_TIMEOUT);
2650 	case_WLAN(IE_DIFFERENT);
2651 	case_WLAN(INVALID_GROUP_CIPHER);
2652 	case_WLAN(INVALID_PAIRWISE_CIPHER);
2653 	case_WLAN(INVALID_AKMP);
2654 	case_WLAN(UNSUPP_RSN_VERSION);
2655 	case_WLAN(INVALID_RSN_IE_CAP);
2656 	case_WLAN(IEEE8021X_FAILED);
2657 	case_WLAN(CIPHER_SUITE_REJECTED);
2658 	case_WLAN(DISASSOC_UNSPECIFIED_QOS);
2659 	case_WLAN(DISASSOC_QAP_NO_BANDWIDTH);
2660 	case_WLAN(DISASSOC_LOW_ACK);
2661 	case_WLAN(DISASSOC_QAP_EXCEED_TXOP);
2662 	case_WLAN(QSTA_LEAVE_QBSS);
2663 	case_WLAN(QSTA_NOT_USE);
2664 	case_WLAN(QSTA_REQUIRE_SETUP);
2665 	case_WLAN(QSTA_TIMEOUT);
2666 	case_WLAN(QSTA_CIPHER_NOT_SUPP);
2667 	case_WLAN(MESH_PEER_CANCELED);
2668 	case_WLAN(MESH_MAX_PEERS);
2669 	case_WLAN(MESH_CONFIG);
2670 	case_WLAN(MESH_CLOSE);
2671 	case_WLAN(MESH_MAX_RETRIES);
2672 	case_WLAN(MESH_CONFIRM_TIMEOUT);
2673 	case_WLAN(MESH_INVALID_GTK);
2674 	case_WLAN(MESH_INCONSISTENT_PARAM);
2675 	case_WLAN(MESH_INVALID_SECURITY);
2676 	case_WLAN(MESH_PATH_ERROR);
2677 	case_WLAN(MESH_PATH_NOFORWARD);
2678 	case_WLAN(MESH_PATH_DEST_UNREACHABLE);
2679 	case_WLAN(MAC_EXISTS_IN_MBSS);
2680 	case_WLAN(MESH_CHAN_REGULATORY);
2681 	case_WLAN(MESH_CHAN);
2682 	default: return "<unknown>";
2683 	}
2684 }
2685 
2686 static void ieee80211_rx_mgmt_deauth(struct ieee80211_sub_if_data *sdata,
2687 				     struct ieee80211_mgmt *mgmt, size_t len)
2688 {
2689 	struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
2690 	const u8 *bssid = NULL;
2691 	u16 reason_code;
2692 
2693 	sdata_assert_lock(sdata);
2694 
2695 	if (len < 24 + 2)
2696 		return;
2697 
2698 	if (!ifmgd->associated ||
2699 	    !ether_addr_equal(mgmt->bssid, ifmgd->associated->bssid))
2700 		return;
2701 
2702 	bssid = ifmgd->associated->bssid;
2703 
2704 	reason_code = le16_to_cpu(mgmt->u.deauth.reason_code);
2705 
2706 	sdata_info(sdata, "deauthenticated from %pM (Reason: %u=%s)\n",
2707 		   bssid, reason_code, ieee80211_get_reason_code_string(reason_code));
2708 
2709 	ieee80211_set_disassoc(sdata, 0, 0, false, NULL);
2710 
2711 	ieee80211_report_disconnect(sdata, (u8 *)mgmt, len, false, reason_code);
2712 }
2713 
2714 
2715 static void ieee80211_rx_mgmt_disassoc(struct ieee80211_sub_if_data *sdata,
2716 				       struct ieee80211_mgmt *mgmt, size_t len)
2717 {
2718 	struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
2719 	u16 reason_code;
2720 
2721 	sdata_assert_lock(sdata);
2722 
2723 	if (len < 24 + 2)
2724 		return;
2725 
2726 	if (!ifmgd->associated ||
2727 	    !ether_addr_equal(mgmt->bssid, ifmgd->associated->bssid))
2728 		return;
2729 
2730 	reason_code = le16_to_cpu(mgmt->u.disassoc.reason_code);
2731 
2732 	sdata_info(sdata, "disassociated from %pM (Reason: %u)\n",
2733 		   mgmt->sa, reason_code);
2734 
2735 	ieee80211_set_disassoc(sdata, 0, 0, false, NULL);
2736 
2737 	ieee80211_report_disconnect(sdata, (u8 *)mgmt, len, false, reason_code);
2738 }
2739 
2740 static void ieee80211_get_rates(struct ieee80211_supported_band *sband,
2741 				u8 *supp_rates, unsigned int supp_rates_len,
2742 				u32 *rates, u32 *basic_rates,
2743 				bool *have_higher_than_11mbit,
2744 				int *min_rate, int *min_rate_index,
2745 				int shift, u32 rate_flags)
2746 {
2747 	int i, j;
2748 
2749 	for (i = 0; i < supp_rates_len; i++) {
2750 		int rate = supp_rates[i] & 0x7f;
2751 		bool is_basic = !!(supp_rates[i] & 0x80);
2752 
2753 		if ((rate * 5 * (1 << shift)) > 110)
2754 			*have_higher_than_11mbit = true;
2755 
2756 		/*
2757 		 * BSS_MEMBERSHIP_SELECTOR_HT_PHY is defined in 802.11n-2009
2758 		 * 7.3.2.2 as a magic value instead of a rate. Hence, skip it.
2759 		 *
2760 		 * Note: Even through the membership selector and the basic
2761 		 *	 rate flag share the same bit, they are not exactly
2762 		 *	 the same.
2763 		 */
2764 		if (!!(supp_rates[i] & 0x80) &&
2765 		    (supp_rates[i] & 0x7f) == BSS_MEMBERSHIP_SELECTOR_HT_PHY)
2766 			continue;
2767 
2768 		for (j = 0; j < sband->n_bitrates; j++) {
2769 			struct ieee80211_rate *br;
2770 			int brate;
2771 
2772 			br = &sband->bitrates[j];
2773 			if ((rate_flags & br->flags) != rate_flags)
2774 				continue;
2775 
2776 			brate = DIV_ROUND_UP(br->bitrate, (1 << shift) * 5);
2777 			if (brate == rate) {
2778 				*rates |= BIT(j);
2779 				if (is_basic)
2780 					*basic_rates |= BIT(j);
2781 				if ((rate * 5) < *min_rate) {
2782 					*min_rate = rate * 5;
2783 					*min_rate_index = j;
2784 				}
2785 				break;
2786 			}
2787 		}
2788 	}
2789 }
2790 
2791 static void ieee80211_destroy_assoc_data(struct ieee80211_sub_if_data *sdata,
2792 					 bool assoc)
2793 {
2794 	struct ieee80211_mgd_assoc_data *assoc_data = sdata->u.mgd.assoc_data;
2795 
2796 	sdata_assert_lock(sdata);
2797 
2798 	if (!assoc) {
2799 		/*
2800 		 * we are not associated yet, the only timer that could be
2801 		 * running is the timeout for the association response which
2802 		 * which is not relevant anymore.
2803 		 */
2804 		del_timer_sync(&sdata->u.mgd.timer);
2805 		sta_info_destroy_addr(sdata, assoc_data->bss->bssid);
2806 
2807 		eth_zero_addr(sdata->u.mgd.bssid);
2808 		ieee80211_bss_info_change_notify(sdata, BSS_CHANGED_BSSID);
2809 		sdata->u.mgd.flags = 0;
2810 		mutex_lock(&sdata->local->mtx);
2811 		ieee80211_vif_release_channel(sdata);
2812 		mutex_unlock(&sdata->local->mtx);
2813 	}
2814 
2815 	kfree(assoc_data);
2816 	sdata->u.mgd.assoc_data = NULL;
2817 }
2818 
2819 static bool ieee80211_assoc_success(struct ieee80211_sub_if_data *sdata,
2820 				    struct cfg80211_bss *cbss,
2821 				    struct ieee80211_mgmt *mgmt, size_t len)
2822 {
2823 	struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
2824 	struct ieee80211_local *local = sdata->local;
2825 	struct ieee80211_supported_band *sband;
2826 	struct sta_info *sta;
2827 	u8 *pos;
2828 	u16 capab_info, aid;
2829 	struct ieee802_11_elems elems;
2830 	struct ieee80211_bss_conf *bss_conf = &sdata->vif.bss_conf;
2831 	const struct cfg80211_bss_ies *bss_ies = NULL;
2832 	struct ieee80211_mgd_assoc_data *assoc_data = ifmgd->assoc_data;
2833 	u32 changed = 0;
2834 	int err;
2835 	bool ret;
2836 
2837 	/* AssocResp and ReassocResp have identical structure */
2838 
2839 	aid = le16_to_cpu(mgmt->u.assoc_resp.aid);
2840 	capab_info = le16_to_cpu(mgmt->u.assoc_resp.capab_info);
2841 
2842 	if ((aid & (BIT(15) | BIT(14))) != (BIT(15) | BIT(14)))
2843 		sdata_info(sdata, "invalid AID value 0x%x; bits 15:14 not set\n",
2844 			   aid);
2845 	aid &= ~(BIT(15) | BIT(14));
2846 
2847 	ifmgd->broken_ap = false;
2848 
2849 	if (aid == 0 || aid > IEEE80211_MAX_AID) {
2850 		sdata_info(sdata, "invalid AID value %d (out of range), turn off PS\n",
2851 			   aid);
2852 		aid = 0;
2853 		ifmgd->broken_ap = true;
2854 	}
2855 
2856 	pos = mgmt->u.assoc_resp.variable;
2857 	ieee802_11_parse_elems(pos, len - (pos - (u8 *) mgmt), false, &elems);
2858 
2859 	if (!elems.supp_rates) {
2860 		sdata_info(sdata, "no SuppRates element in AssocResp\n");
2861 		return false;
2862 	}
2863 
2864 	ifmgd->aid = aid;
2865 	ifmgd->tdls_chan_switch_prohibited =
2866 		elems.ext_capab && elems.ext_capab_len >= 5 &&
2867 		(elems.ext_capab[4] & WLAN_EXT_CAPA5_TDLS_CH_SW_PROHIBITED);
2868 
2869 	/*
2870 	 * Some APs are erroneously not including some information in their
2871 	 * (re)association response frames. Try to recover by using the data
2872 	 * from the beacon or probe response. This seems to afflict mobile
2873 	 * 2G/3G/4G wifi routers, reported models include the "Onda PN51T",
2874 	 * "Vodafone PocketWiFi 2", "ZTE MF60" and a similar T-Mobile device.
2875 	 */
2876 	if ((assoc_data->wmm && !elems.wmm_param) ||
2877 	    (!(ifmgd->flags & IEEE80211_STA_DISABLE_HT) &&
2878 	     (!elems.ht_cap_elem || !elems.ht_operation)) ||
2879 	    (!(ifmgd->flags & IEEE80211_STA_DISABLE_VHT) &&
2880 	     (!elems.vht_cap_elem || !elems.vht_operation))) {
2881 		const struct cfg80211_bss_ies *ies;
2882 		struct ieee802_11_elems bss_elems;
2883 
2884 		rcu_read_lock();
2885 		ies = rcu_dereference(cbss->ies);
2886 		if (ies)
2887 			bss_ies = kmemdup(ies, sizeof(*ies) + ies->len,
2888 					  GFP_ATOMIC);
2889 		rcu_read_unlock();
2890 		if (!bss_ies)
2891 			return false;
2892 
2893 		ieee802_11_parse_elems(bss_ies->data, bss_ies->len,
2894 				       false, &bss_elems);
2895 		if (assoc_data->wmm &&
2896 		    !elems.wmm_param && bss_elems.wmm_param) {
2897 			elems.wmm_param = bss_elems.wmm_param;
2898 			sdata_info(sdata,
2899 				   "AP bug: WMM param missing from AssocResp\n");
2900 		}
2901 
2902 		/*
2903 		 * Also check if we requested HT/VHT, otherwise the AP doesn't
2904 		 * have to include the IEs in the (re)association response.
2905 		 */
2906 		if (!elems.ht_cap_elem && bss_elems.ht_cap_elem &&
2907 		    !(ifmgd->flags & IEEE80211_STA_DISABLE_HT)) {
2908 			elems.ht_cap_elem = bss_elems.ht_cap_elem;
2909 			sdata_info(sdata,
2910 				   "AP bug: HT capability missing from AssocResp\n");
2911 		}
2912 		if (!elems.ht_operation && bss_elems.ht_operation &&
2913 		    !(ifmgd->flags & IEEE80211_STA_DISABLE_HT)) {
2914 			elems.ht_operation = bss_elems.ht_operation;
2915 			sdata_info(sdata,
2916 				   "AP bug: HT operation missing from AssocResp\n");
2917 		}
2918 		if (!elems.vht_cap_elem && bss_elems.vht_cap_elem &&
2919 		    !(ifmgd->flags & IEEE80211_STA_DISABLE_VHT)) {
2920 			elems.vht_cap_elem = bss_elems.vht_cap_elem;
2921 			sdata_info(sdata,
2922 				   "AP bug: VHT capa missing from AssocResp\n");
2923 		}
2924 		if (!elems.vht_operation && bss_elems.vht_operation &&
2925 		    !(ifmgd->flags & IEEE80211_STA_DISABLE_VHT)) {
2926 			elems.vht_operation = bss_elems.vht_operation;
2927 			sdata_info(sdata,
2928 				   "AP bug: VHT operation missing from AssocResp\n");
2929 		}
2930 	}
2931 
2932 	/*
2933 	 * We previously checked these in the beacon/probe response, so
2934 	 * they should be present here. This is just a safety net.
2935 	 */
2936 	if (!(ifmgd->flags & IEEE80211_STA_DISABLE_HT) &&
2937 	    (!elems.wmm_param || !elems.ht_cap_elem || !elems.ht_operation)) {
2938 		sdata_info(sdata,
2939 			   "HT AP is missing WMM params or HT capability/operation\n");
2940 		ret = false;
2941 		goto out;
2942 	}
2943 
2944 	if (!(ifmgd->flags & IEEE80211_STA_DISABLE_VHT) &&
2945 	    (!elems.vht_cap_elem || !elems.vht_operation)) {
2946 		sdata_info(sdata,
2947 			   "VHT AP is missing VHT capability/operation\n");
2948 		ret = false;
2949 		goto out;
2950 	}
2951 
2952 	mutex_lock(&sdata->local->sta_mtx);
2953 	/*
2954 	 * station info was already allocated and inserted before
2955 	 * the association and should be available to us
2956 	 */
2957 	sta = sta_info_get(sdata, cbss->bssid);
2958 	if (WARN_ON(!sta)) {
2959 		mutex_unlock(&sdata->local->sta_mtx);
2960 		ret = false;
2961 		goto out;
2962 	}
2963 
2964 	sband = local->hw.wiphy->bands[ieee80211_get_sdata_band(sdata)];
2965 
2966 	/* Set up internal HT/VHT capabilities */
2967 	if (elems.ht_cap_elem && !(ifmgd->flags & IEEE80211_STA_DISABLE_HT))
2968 		ieee80211_ht_cap_ie_to_sta_ht_cap(sdata, sband,
2969 						  elems.ht_cap_elem, sta);
2970 
2971 	if (elems.vht_cap_elem && !(ifmgd->flags & IEEE80211_STA_DISABLE_VHT))
2972 		ieee80211_vht_cap_ie_to_sta_vht_cap(sdata, sband,
2973 						    elems.vht_cap_elem, sta);
2974 
2975 	/*
2976 	 * Some APs, e.g. Netgear WNDR3700, report invalid HT operation data
2977 	 * in their association response, so ignore that data for our own
2978 	 * configuration. If it changed since the last beacon, we'll get the
2979 	 * next beacon and update then.
2980 	 */
2981 
2982 	/*
2983 	 * If an operating mode notification IE is present, override the
2984 	 * NSS calculation (that would be done in rate_control_rate_init())
2985 	 * and use the # of streams from that element.
2986 	 */
2987 	if (elems.opmode_notif &&
2988 	    !(*elems.opmode_notif & IEEE80211_OPMODE_NOTIF_RX_NSS_TYPE_BF)) {
2989 		u8 nss;
2990 
2991 		nss = *elems.opmode_notif & IEEE80211_OPMODE_NOTIF_RX_NSS_MASK;
2992 		nss >>= IEEE80211_OPMODE_NOTIF_RX_NSS_SHIFT;
2993 		nss += 1;
2994 		sta->sta.rx_nss = nss;
2995 	}
2996 
2997 	rate_control_rate_init(sta);
2998 
2999 	if (ifmgd->flags & IEEE80211_STA_MFP_ENABLED) {
3000 		set_sta_flag(sta, WLAN_STA_MFP);
3001 		sta->sta.mfp = true;
3002 	} else {
3003 		sta->sta.mfp = false;
3004 	}
3005 
3006 	sta->sta.wme = elems.wmm_param && local->hw.queues >= IEEE80211_NUM_ACS;
3007 
3008 	err = sta_info_move_state(sta, IEEE80211_STA_ASSOC);
3009 	if (!err && !(ifmgd->flags & IEEE80211_STA_CONTROL_PORT))
3010 		err = sta_info_move_state(sta, IEEE80211_STA_AUTHORIZED);
3011 	if (err) {
3012 		sdata_info(sdata,
3013 			   "failed to move station %pM to desired state\n",
3014 			   sta->sta.addr);
3015 		WARN_ON(__sta_info_destroy(sta));
3016 		mutex_unlock(&sdata->local->sta_mtx);
3017 		ret = false;
3018 		goto out;
3019 	}
3020 
3021 	mutex_unlock(&sdata->local->sta_mtx);
3022 
3023 	/*
3024 	 * Always handle WMM once after association regardless
3025 	 * of the first value the AP uses. Setting -1 here has
3026 	 * that effect because the AP values is an unsigned
3027 	 * 4-bit value.
3028 	 */
3029 	ifmgd->wmm_last_param_set = -1;
3030 
3031 	if (!(ifmgd->flags & IEEE80211_STA_DISABLE_WMM) && elems.wmm_param)
3032 		ieee80211_sta_wmm_params(local, sdata, elems.wmm_param,
3033 					 elems.wmm_param_len);
3034 	else
3035 		ieee80211_set_wmm_default(sdata, false);
3036 	changed |= BSS_CHANGED_QOS;
3037 
3038 	/* set AID and assoc capability,
3039 	 * ieee80211_set_associated() will tell the driver */
3040 	bss_conf->aid = aid;
3041 	bss_conf->assoc_capability = capab_info;
3042 	ieee80211_set_associated(sdata, cbss, changed);
3043 
3044 	/*
3045 	 * If we're using 4-addr mode, let the AP know that we're
3046 	 * doing so, so that it can create the STA VLAN on its side
3047 	 */
3048 	if (ifmgd->use_4addr)
3049 		ieee80211_send_4addr_nullfunc(local, sdata);
3050 
3051 	/*
3052 	 * Start timer to probe the connection to the AP now.
3053 	 * Also start the timer that will detect beacon loss.
3054 	 */
3055 	ieee80211_sta_rx_notify(sdata, (struct ieee80211_hdr *)mgmt);
3056 	ieee80211_sta_reset_beacon_monitor(sdata);
3057 
3058 	ret = true;
3059  out:
3060 	kfree(bss_ies);
3061 	return ret;
3062 }
3063 
3064 static void ieee80211_rx_mgmt_assoc_resp(struct ieee80211_sub_if_data *sdata,
3065 					 struct ieee80211_mgmt *mgmt,
3066 					 size_t len)
3067 {
3068 	struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
3069 	struct ieee80211_mgd_assoc_data *assoc_data = ifmgd->assoc_data;
3070 	u16 capab_info, status_code, aid;
3071 	struct ieee802_11_elems elems;
3072 	int ac, uapsd_queues = -1;
3073 	u8 *pos;
3074 	bool reassoc;
3075 	struct cfg80211_bss *bss;
3076 	struct ieee80211_event event = {
3077 		.type = MLME_EVENT,
3078 		.u.mlme.data = ASSOC_EVENT,
3079 	};
3080 
3081 	sdata_assert_lock(sdata);
3082 
3083 	if (!assoc_data)
3084 		return;
3085 	if (!ether_addr_equal(assoc_data->bss->bssid, mgmt->bssid))
3086 		return;
3087 
3088 	/*
3089 	 * AssocResp and ReassocResp have identical structure, so process both
3090 	 * of them in this function.
3091 	 */
3092 
3093 	if (len < 24 + 6)
3094 		return;
3095 
3096 	reassoc = ieee80211_is_reassoc_req(mgmt->frame_control);
3097 	capab_info = le16_to_cpu(mgmt->u.assoc_resp.capab_info);
3098 	status_code = le16_to_cpu(mgmt->u.assoc_resp.status_code);
3099 	aid = le16_to_cpu(mgmt->u.assoc_resp.aid);
3100 
3101 	sdata_info(sdata,
3102 		   "RX %sssocResp from %pM (capab=0x%x status=%d aid=%d)\n",
3103 		   reassoc ? "Rea" : "A", mgmt->sa,
3104 		   capab_info, status_code, (u16)(aid & ~(BIT(15) | BIT(14))));
3105 
3106 	pos = mgmt->u.assoc_resp.variable;
3107 	ieee802_11_parse_elems(pos, len - (pos - (u8 *) mgmt), false, &elems);
3108 
3109 	if (status_code == WLAN_STATUS_ASSOC_REJECTED_TEMPORARILY &&
3110 	    elems.timeout_int &&
3111 	    elems.timeout_int->type == WLAN_TIMEOUT_ASSOC_COMEBACK) {
3112 		u32 tu, ms;
3113 		tu = le32_to_cpu(elems.timeout_int->value);
3114 		ms = tu * 1024 / 1000;
3115 		sdata_info(sdata,
3116 			   "%pM rejected association temporarily; comeback duration %u TU (%u ms)\n",
3117 			   mgmt->sa, tu, ms);
3118 		assoc_data->timeout = jiffies + msecs_to_jiffies(ms);
3119 		assoc_data->timeout_started = true;
3120 		if (ms > IEEE80211_ASSOC_TIMEOUT)
3121 			run_again(sdata, assoc_data->timeout);
3122 		return;
3123 	}
3124 
3125 	bss = assoc_data->bss;
3126 
3127 	if (status_code != WLAN_STATUS_SUCCESS) {
3128 		sdata_info(sdata, "%pM denied association (code=%d)\n",
3129 			   mgmt->sa, status_code);
3130 		ieee80211_destroy_assoc_data(sdata, false);
3131 		event.u.mlme.status = MLME_DENIED;
3132 		event.u.mlme.reason = status_code;
3133 		drv_event_callback(sdata->local, sdata, &event);
3134 	} else {
3135 		if (!ieee80211_assoc_success(sdata, bss, mgmt, len)) {
3136 			/* oops -- internal error -- send timeout for now */
3137 			ieee80211_destroy_assoc_data(sdata, false);
3138 			cfg80211_assoc_timeout(sdata->dev, bss);
3139 			return;
3140 		}
3141 		event.u.mlme.status = MLME_SUCCESS;
3142 		drv_event_callback(sdata->local, sdata, &event);
3143 		sdata_info(sdata, "associated\n");
3144 
3145 		/*
3146 		 * destroy assoc_data afterwards, as otherwise an idle
3147 		 * recalc after assoc_data is NULL but before associated
3148 		 * is set can cause the interface to go idle
3149 		 */
3150 		ieee80211_destroy_assoc_data(sdata, true);
3151 
3152 		/* get uapsd queues configuration */
3153 		uapsd_queues = 0;
3154 		for (ac = 0; ac < IEEE80211_NUM_ACS; ac++)
3155 			if (sdata->tx_conf[ac].uapsd)
3156 				uapsd_queues |= BIT(ac);
3157 	}
3158 
3159 	cfg80211_rx_assoc_resp(sdata->dev, bss, (u8 *)mgmt, len, uapsd_queues);
3160 }
3161 
3162 static void ieee80211_rx_bss_info(struct ieee80211_sub_if_data *sdata,
3163 				  struct ieee80211_mgmt *mgmt, size_t len,
3164 				  struct ieee80211_rx_status *rx_status,
3165 				  struct ieee802_11_elems *elems)
3166 {
3167 	struct ieee80211_local *local = sdata->local;
3168 	struct ieee80211_bss *bss;
3169 	struct ieee80211_channel *channel;
3170 
3171 	sdata_assert_lock(sdata);
3172 
3173 	channel = ieee80211_get_channel(local->hw.wiphy, rx_status->freq);
3174 	if (!channel)
3175 		return;
3176 
3177 	bss = ieee80211_bss_info_update(local, rx_status, mgmt, len, elems,
3178 					channel);
3179 	if (bss) {
3180 		sdata->vif.bss_conf.beacon_rate = bss->beacon_rate;
3181 		ieee80211_rx_bss_put(local, bss);
3182 	}
3183 }
3184 
3185 
3186 static void ieee80211_rx_mgmt_probe_resp(struct ieee80211_sub_if_data *sdata,
3187 					 struct sk_buff *skb)
3188 {
3189 	struct ieee80211_mgmt *mgmt = (void *)skb->data;
3190 	struct ieee80211_if_managed *ifmgd;
3191 	struct ieee80211_rx_status *rx_status = (void *) skb->cb;
3192 	size_t baselen, len = skb->len;
3193 	struct ieee802_11_elems elems;
3194 
3195 	ifmgd = &sdata->u.mgd;
3196 
3197 	sdata_assert_lock(sdata);
3198 
3199 	if (!ether_addr_equal(mgmt->da, sdata->vif.addr))
3200 		return; /* ignore ProbeResp to foreign address */
3201 
3202 	baselen = (u8 *) mgmt->u.probe_resp.variable - (u8 *) mgmt;
3203 	if (baselen > len)
3204 		return;
3205 
3206 	ieee802_11_parse_elems(mgmt->u.probe_resp.variable, len - baselen,
3207 			       false, &elems);
3208 
3209 	ieee80211_rx_bss_info(sdata, mgmt, len, rx_status, &elems);
3210 
3211 	if (ifmgd->associated &&
3212 	    ether_addr_equal(mgmt->bssid, ifmgd->associated->bssid))
3213 		ieee80211_reset_ap_probe(sdata);
3214 
3215 	if (ifmgd->auth_data && !ifmgd->auth_data->bss->proberesp_ies &&
3216 	    ether_addr_equal(mgmt->bssid, ifmgd->auth_data->bss->bssid)) {
3217 		/* got probe response, continue with auth */
3218 		sdata_info(sdata, "direct probe responded\n");
3219 		ifmgd->auth_data->tries = 0;
3220 		ifmgd->auth_data->timeout = jiffies;
3221 		ifmgd->auth_data->timeout_started = true;
3222 		run_again(sdata, ifmgd->auth_data->timeout);
3223 	}
3224 }
3225 
3226 /*
3227  * This is the canonical list of information elements we care about,
3228  * the filter code also gives us all changes to the Microsoft OUI
3229  * (00:50:F2) vendor IE which is used for WMM which we need to track,
3230  * as well as the DTPC IE (part of the Cisco OUI) used for signaling
3231  * changes to requested client power.
3232  *
3233  * We implement beacon filtering in software since that means we can
3234  * avoid processing the frame here and in cfg80211, and userspace
3235  * will not be able to tell whether the hardware supports it or not.
3236  *
3237  * XXX: This list needs to be dynamic -- userspace needs to be able to
3238  *	add items it requires. It also needs to be able to tell us to
3239  *	look out for other vendor IEs.
3240  */
3241 static const u64 care_about_ies =
3242 	(1ULL << WLAN_EID_COUNTRY) |
3243 	(1ULL << WLAN_EID_ERP_INFO) |
3244 	(1ULL << WLAN_EID_CHANNEL_SWITCH) |
3245 	(1ULL << WLAN_EID_PWR_CONSTRAINT) |
3246 	(1ULL << WLAN_EID_HT_CAPABILITY) |
3247 	(1ULL << WLAN_EID_HT_OPERATION) |
3248 	(1ULL << WLAN_EID_EXT_CHANSWITCH_ANN);
3249 
3250 static void ieee80211_rx_mgmt_beacon(struct ieee80211_sub_if_data *sdata,
3251 				     struct ieee80211_mgmt *mgmt, size_t len,
3252 				     struct ieee80211_rx_status *rx_status)
3253 {
3254 	struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
3255 	struct ieee80211_bss_conf *bss_conf = &sdata->vif.bss_conf;
3256 	size_t baselen;
3257 	struct ieee802_11_elems elems;
3258 	struct ieee80211_local *local = sdata->local;
3259 	struct ieee80211_chanctx_conf *chanctx_conf;
3260 	struct ieee80211_channel *chan;
3261 	struct sta_info *sta;
3262 	u32 changed = 0;
3263 	bool erp_valid;
3264 	u8 erp_value = 0;
3265 	u32 ncrc;
3266 	u8 *bssid;
3267 	u8 deauth_buf[IEEE80211_DEAUTH_FRAME_LEN];
3268 
3269 	sdata_assert_lock(sdata);
3270 
3271 	/* Process beacon from the current BSS */
3272 	baselen = (u8 *) mgmt->u.beacon.variable - (u8 *) mgmt;
3273 	if (baselen > len)
3274 		return;
3275 
3276 	rcu_read_lock();
3277 	chanctx_conf = rcu_dereference(sdata->vif.chanctx_conf);
3278 	if (!chanctx_conf) {
3279 		rcu_read_unlock();
3280 		return;
3281 	}
3282 
3283 	if (rx_status->freq != chanctx_conf->def.chan->center_freq) {
3284 		rcu_read_unlock();
3285 		return;
3286 	}
3287 	chan = chanctx_conf->def.chan;
3288 	rcu_read_unlock();
3289 
3290 	if (ifmgd->assoc_data && ifmgd->assoc_data->need_beacon &&
3291 	    ether_addr_equal(mgmt->bssid, ifmgd->assoc_data->bss->bssid)) {
3292 		ieee802_11_parse_elems(mgmt->u.beacon.variable,
3293 				       len - baselen, false, &elems);
3294 
3295 		ieee80211_rx_bss_info(sdata, mgmt, len, rx_status, &elems);
3296 		if (elems.tim && !elems.parse_error) {
3297 			const struct ieee80211_tim_ie *tim_ie = elems.tim;
3298 			ifmgd->dtim_period = tim_ie->dtim_period;
3299 		}
3300 		ifmgd->have_beacon = true;
3301 		ifmgd->assoc_data->need_beacon = false;
3302 		if (local->hw.flags & IEEE80211_HW_TIMING_BEACON_ONLY) {
3303 			sdata->vif.bss_conf.sync_tsf =
3304 				le64_to_cpu(mgmt->u.beacon.timestamp);
3305 			sdata->vif.bss_conf.sync_device_ts =
3306 				rx_status->device_timestamp;
3307 			if (elems.tim)
3308 				sdata->vif.bss_conf.sync_dtim_count =
3309 					elems.tim->dtim_count;
3310 			else
3311 				sdata->vif.bss_conf.sync_dtim_count = 0;
3312 		}
3313 		/* continue assoc process */
3314 		ifmgd->assoc_data->timeout = jiffies;
3315 		ifmgd->assoc_data->timeout_started = true;
3316 		run_again(sdata, ifmgd->assoc_data->timeout);
3317 		return;
3318 	}
3319 
3320 	if (!ifmgd->associated ||
3321 	    !ether_addr_equal(mgmt->bssid, ifmgd->associated->bssid))
3322 		return;
3323 	bssid = ifmgd->associated->bssid;
3324 
3325 	/* Track average RSSI from the Beacon frames of the current AP */
3326 	ifmgd->last_beacon_signal = rx_status->signal;
3327 	if (ifmgd->flags & IEEE80211_STA_RESET_SIGNAL_AVE) {
3328 		ifmgd->flags &= ~IEEE80211_STA_RESET_SIGNAL_AVE;
3329 		ifmgd->ave_beacon_signal = rx_status->signal * 16;
3330 		ifmgd->last_cqm_event_signal = 0;
3331 		ifmgd->count_beacon_signal = 1;
3332 		ifmgd->last_ave_beacon_signal = 0;
3333 	} else {
3334 		ifmgd->ave_beacon_signal =
3335 			(IEEE80211_SIGNAL_AVE_WEIGHT * rx_status->signal * 16 +
3336 			 (16 - IEEE80211_SIGNAL_AVE_WEIGHT) *
3337 			 ifmgd->ave_beacon_signal) / 16;
3338 		ifmgd->count_beacon_signal++;
3339 	}
3340 
3341 	if (ifmgd->rssi_min_thold != ifmgd->rssi_max_thold &&
3342 	    ifmgd->count_beacon_signal >= IEEE80211_SIGNAL_AVE_MIN_COUNT) {
3343 		int sig = ifmgd->ave_beacon_signal;
3344 		int last_sig = ifmgd->last_ave_beacon_signal;
3345 		struct ieee80211_event event = {
3346 			.type = RSSI_EVENT,
3347 		};
3348 
3349 		/*
3350 		 * if signal crosses either of the boundaries, invoke callback
3351 		 * with appropriate parameters
3352 		 */
3353 		if (sig > ifmgd->rssi_max_thold &&
3354 		    (last_sig <= ifmgd->rssi_min_thold || last_sig == 0)) {
3355 			ifmgd->last_ave_beacon_signal = sig;
3356 			event.u.rssi.data = RSSI_EVENT_HIGH;
3357 			drv_event_callback(local, sdata, &event);
3358 		} else if (sig < ifmgd->rssi_min_thold &&
3359 			   (last_sig >= ifmgd->rssi_max_thold ||
3360 			   last_sig == 0)) {
3361 			ifmgd->last_ave_beacon_signal = sig;
3362 			event.u.rssi.data = RSSI_EVENT_LOW;
3363 			drv_event_callback(local, sdata, &event);
3364 		}
3365 	}
3366 
3367 	if (bss_conf->cqm_rssi_thold &&
3368 	    ifmgd->count_beacon_signal >= IEEE80211_SIGNAL_AVE_MIN_COUNT &&
3369 	    !(sdata->vif.driver_flags & IEEE80211_VIF_SUPPORTS_CQM_RSSI)) {
3370 		int sig = ifmgd->ave_beacon_signal / 16;
3371 		int last_event = ifmgd->last_cqm_event_signal;
3372 		int thold = bss_conf->cqm_rssi_thold;
3373 		int hyst = bss_conf->cqm_rssi_hyst;
3374 		if (sig < thold &&
3375 		    (last_event == 0 || sig < last_event - hyst)) {
3376 			ifmgd->last_cqm_event_signal = sig;
3377 			ieee80211_cqm_rssi_notify(
3378 				&sdata->vif,
3379 				NL80211_CQM_RSSI_THRESHOLD_EVENT_LOW,
3380 				GFP_KERNEL);
3381 		} else if (sig > thold &&
3382 			   (last_event == 0 || sig > last_event + hyst)) {
3383 			ifmgd->last_cqm_event_signal = sig;
3384 			ieee80211_cqm_rssi_notify(
3385 				&sdata->vif,
3386 				NL80211_CQM_RSSI_THRESHOLD_EVENT_HIGH,
3387 				GFP_KERNEL);
3388 		}
3389 	}
3390 
3391 	if (ifmgd->flags & IEEE80211_STA_CONNECTION_POLL) {
3392 		mlme_dbg_ratelimited(sdata,
3393 				     "cancelling AP probe due to a received beacon\n");
3394 		ieee80211_reset_ap_probe(sdata);
3395 	}
3396 
3397 	/*
3398 	 * Push the beacon loss detection into the future since
3399 	 * we are processing a beacon from the AP just now.
3400 	 */
3401 	ieee80211_sta_reset_beacon_monitor(sdata);
3402 
3403 	ncrc = crc32_be(0, (void *)&mgmt->u.beacon.beacon_int, 4);
3404 	ncrc = ieee802_11_parse_elems_crc(mgmt->u.beacon.variable,
3405 					  len - baselen, false, &elems,
3406 					  care_about_ies, ncrc);
3407 
3408 	if (local->hw.flags & IEEE80211_HW_PS_NULLFUNC_STACK) {
3409 		bool directed_tim = ieee80211_check_tim(elems.tim,
3410 							elems.tim_len,
3411 							ifmgd->aid);
3412 		if (directed_tim) {
3413 			if (local->hw.conf.dynamic_ps_timeout > 0) {
3414 				if (local->hw.conf.flags & IEEE80211_CONF_PS) {
3415 					local->hw.conf.flags &= ~IEEE80211_CONF_PS;
3416 					ieee80211_hw_config(local,
3417 							    IEEE80211_CONF_CHANGE_PS);
3418 				}
3419 				ieee80211_send_nullfunc(local, sdata, 0);
3420 			} else if (!local->pspolling && sdata->u.mgd.powersave) {
3421 				local->pspolling = true;
3422 
3423 				/*
3424 				 * Here is assumed that the driver will be
3425 				 * able to send ps-poll frame and receive a
3426 				 * response even though power save mode is
3427 				 * enabled, but some drivers might require
3428 				 * to disable power save here. This needs
3429 				 * to be investigated.
3430 				 */
3431 				ieee80211_send_pspoll(local, sdata);
3432 			}
3433 		}
3434 	}
3435 
3436 	if (sdata->vif.p2p) {
3437 		struct ieee80211_p2p_noa_attr noa = {};
3438 		int ret;
3439 
3440 		ret = cfg80211_get_p2p_attr(mgmt->u.beacon.variable,
3441 					    len - baselen,
3442 					    IEEE80211_P2P_ATTR_ABSENCE_NOTICE,
3443 					    (u8 *) &noa, sizeof(noa));
3444 		if (ret >= 2) {
3445 			if (sdata->u.mgd.p2p_noa_index != noa.index) {
3446 				/* valid noa_attr and index changed */
3447 				sdata->u.mgd.p2p_noa_index = noa.index;
3448 				memcpy(&bss_conf->p2p_noa_attr, &noa, sizeof(noa));
3449 				changed |= BSS_CHANGED_P2P_PS;
3450 				/*
3451 				 * make sure we update all information, the CRC
3452 				 * mechanism doesn't look at P2P attributes.
3453 				 */
3454 				ifmgd->beacon_crc_valid = false;
3455 			}
3456 		} else if (sdata->u.mgd.p2p_noa_index != -1) {
3457 			/* noa_attr not found and we had valid noa_attr before */
3458 			sdata->u.mgd.p2p_noa_index = -1;
3459 			memset(&bss_conf->p2p_noa_attr, 0, sizeof(bss_conf->p2p_noa_attr));
3460 			changed |= BSS_CHANGED_P2P_PS;
3461 			ifmgd->beacon_crc_valid = false;
3462 		}
3463 	}
3464 
3465 	if (ifmgd->csa_waiting_bcn)
3466 		ieee80211_chswitch_post_beacon(sdata);
3467 
3468 	/*
3469 	 * Update beacon timing and dtim count on every beacon appearance. This
3470 	 * will allow the driver to use the most updated values. Do it before
3471 	 * comparing this one with last received beacon.
3472 	 * IMPORTANT: These parameters would possibly be out of sync by the time
3473 	 * the driver will use them. The synchronized view is currently
3474 	 * guaranteed only in certain callbacks.
3475 	 */
3476 	if (local->hw.flags & IEEE80211_HW_TIMING_BEACON_ONLY) {
3477 		sdata->vif.bss_conf.sync_tsf =
3478 			le64_to_cpu(mgmt->u.beacon.timestamp);
3479 		sdata->vif.bss_conf.sync_device_ts =
3480 			rx_status->device_timestamp;
3481 		if (elems.tim)
3482 			sdata->vif.bss_conf.sync_dtim_count =
3483 				elems.tim->dtim_count;
3484 		else
3485 			sdata->vif.bss_conf.sync_dtim_count = 0;
3486 	}
3487 
3488 	if (ncrc == ifmgd->beacon_crc && ifmgd->beacon_crc_valid)
3489 		return;
3490 	ifmgd->beacon_crc = ncrc;
3491 	ifmgd->beacon_crc_valid = true;
3492 
3493 	ieee80211_rx_bss_info(sdata, mgmt, len, rx_status, &elems);
3494 
3495 	ieee80211_sta_process_chanswitch(sdata, rx_status->mactime,
3496 					 rx_status->device_timestamp,
3497 					 &elems, true);
3498 
3499 	if (!(ifmgd->flags & IEEE80211_STA_DISABLE_WMM) &&
3500 	    ieee80211_sta_wmm_params(local, sdata, elems.wmm_param,
3501 				     elems.wmm_param_len))
3502 		changed |= BSS_CHANGED_QOS;
3503 
3504 	/*
3505 	 * If we haven't had a beacon before, tell the driver about the
3506 	 * DTIM period (and beacon timing if desired) now.
3507 	 */
3508 	if (!ifmgd->have_beacon) {
3509 		/* a few bogus AP send dtim_period = 0 or no TIM IE */
3510 		if (elems.tim)
3511 			bss_conf->dtim_period = elems.tim->dtim_period ?: 1;
3512 		else
3513 			bss_conf->dtim_period = 1;
3514 
3515 		changed |= BSS_CHANGED_BEACON_INFO;
3516 		ifmgd->have_beacon = true;
3517 
3518 		mutex_lock(&local->iflist_mtx);
3519 		ieee80211_recalc_ps(local, -1);
3520 		mutex_unlock(&local->iflist_mtx);
3521 
3522 		ieee80211_recalc_ps_vif(sdata);
3523 	}
3524 
3525 	if (elems.erp_info) {
3526 		erp_valid = true;
3527 		erp_value = elems.erp_info[0];
3528 	} else {
3529 		erp_valid = false;
3530 	}
3531 	changed |= ieee80211_handle_bss_capability(sdata,
3532 			le16_to_cpu(mgmt->u.beacon.capab_info),
3533 			erp_valid, erp_value);
3534 
3535 	mutex_lock(&local->sta_mtx);
3536 	sta = sta_info_get(sdata, bssid);
3537 
3538 	if (ieee80211_config_bw(sdata, sta,
3539 				elems.ht_cap_elem, elems.ht_operation,
3540 				elems.vht_operation, bssid, &changed)) {
3541 		mutex_unlock(&local->sta_mtx);
3542 		ieee80211_set_disassoc(sdata, IEEE80211_STYPE_DEAUTH,
3543 				       WLAN_REASON_DEAUTH_LEAVING,
3544 				       true, deauth_buf);
3545 		ieee80211_report_disconnect(sdata, deauth_buf,
3546 					    sizeof(deauth_buf), true,
3547 					    WLAN_REASON_DEAUTH_LEAVING);
3548 		return;
3549 	}
3550 
3551 	if (sta && elems.opmode_notif)
3552 		ieee80211_vht_handle_opmode(sdata, sta, *elems.opmode_notif,
3553 					    rx_status->band, true);
3554 	mutex_unlock(&local->sta_mtx);
3555 
3556 	changed |= ieee80211_handle_pwr_constr(sdata, chan, mgmt,
3557 					       elems.country_elem,
3558 					       elems.country_elem_len,
3559 					       elems.pwr_constr_elem,
3560 					       elems.cisco_dtpc_elem);
3561 
3562 	ieee80211_bss_info_change_notify(sdata, changed);
3563 }
3564 
3565 void ieee80211_sta_rx_queued_mgmt(struct ieee80211_sub_if_data *sdata,
3566 				  struct sk_buff *skb)
3567 {
3568 	struct ieee80211_rx_status *rx_status;
3569 	struct ieee80211_mgmt *mgmt;
3570 	u16 fc;
3571 	struct ieee802_11_elems elems;
3572 	int ies_len;
3573 
3574 	rx_status = (struct ieee80211_rx_status *) skb->cb;
3575 	mgmt = (struct ieee80211_mgmt *) skb->data;
3576 	fc = le16_to_cpu(mgmt->frame_control);
3577 
3578 	sdata_lock(sdata);
3579 
3580 	switch (fc & IEEE80211_FCTL_STYPE) {
3581 	case IEEE80211_STYPE_BEACON:
3582 		ieee80211_rx_mgmt_beacon(sdata, mgmt, skb->len, rx_status);
3583 		break;
3584 	case IEEE80211_STYPE_PROBE_RESP:
3585 		ieee80211_rx_mgmt_probe_resp(sdata, skb);
3586 		break;
3587 	case IEEE80211_STYPE_AUTH:
3588 		ieee80211_rx_mgmt_auth(sdata, mgmt, skb->len);
3589 		break;
3590 	case IEEE80211_STYPE_DEAUTH:
3591 		ieee80211_rx_mgmt_deauth(sdata, mgmt, skb->len);
3592 		break;
3593 	case IEEE80211_STYPE_DISASSOC:
3594 		ieee80211_rx_mgmt_disassoc(sdata, mgmt, skb->len);
3595 		break;
3596 	case IEEE80211_STYPE_ASSOC_RESP:
3597 	case IEEE80211_STYPE_REASSOC_RESP:
3598 		ieee80211_rx_mgmt_assoc_resp(sdata, mgmt, skb->len);
3599 		break;
3600 	case IEEE80211_STYPE_ACTION:
3601 		if (mgmt->u.action.category == WLAN_CATEGORY_SPECTRUM_MGMT) {
3602 			ies_len = skb->len -
3603 				  offsetof(struct ieee80211_mgmt,
3604 					   u.action.u.chan_switch.variable);
3605 
3606 			if (ies_len < 0)
3607 				break;
3608 
3609 			ieee802_11_parse_elems(
3610 				mgmt->u.action.u.chan_switch.variable,
3611 				ies_len, true, &elems);
3612 
3613 			if (elems.parse_error)
3614 				break;
3615 
3616 			ieee80211_sta_process_chanswitch(sdata,
3617 						 rx_status->mactime,
3618 						 rx_status->device_timestamp,
3619 						 &elems, false);
3620 		} else if (mgmt->u.action.category == WLAN_CATEGORY_PUBLIC) {
3621 			ies_len = skb->len -
3622 				  offsetof(struct ieee80211_mgmt,
3623 					   u.action.u.ext_chan_switch.variable);
3624 
3625 			if (ies_len < 0)
3626 				break;
3627 
3628 			ieee802_11_parse_elems(
3629 				mgmt->u.action.u.ext_chan_switch.variable,
3630 				ies_len, true, &elems);
3631 
3632 			if (elems.parse_error)
3633 				break;
3634 
3635 			/* for the handling code pretend this was also an IE */
3636 			elems.ext_chansw_ie =
3637 				&mgmt->u.action.u.ext_chan_switch.data;
3638 
3639 			ieee80211_sta_process_chanswitch(sdata,
3640 						 rx_status->mactime,
3641 						 rx_status->device_timestamp,
3642 						 &elems, false);
3643 		}
3644 		break;
3645 	}
3646 	sdata_unlock(sdata);
3647 }
3648 
3649 static void ieee80211_sta_timer(unsigned long data)
3650 {
3651 	struct ieee80211_sub_if_data *sdata =
3652 		(struct ieee80211_sub_if_data *) data;
3653 
3654 	ieee80211_queue_work(&sdata->local->hw, &sdata->work);
3655 }
3656 
3657 static void ieee80211_sta_connection_lost(struct ieee80211_sub_if_data *sdata,
3658 					  u8 *bssid, u8 reason, bool tx)
3659 {
3660 	u8 frame_buf[IEEE80211_DEAUTH_FRAME_LEN];
3661 
3662 	ieee80211_set_disassoc(sdata, IEEE80211_STYPE_DEAUTH, reason,
3663 			       tx, frame_buf);
3664 
3665 	ieee80211_report_disconnect(sdata, frame_buf, sizeof(frame_buf), true,
3666 				    reason);
3667 }
3668 
3669 static int ieee80211_probe_auth(struct ieee80211_sub_if_data *sdata)
3670 {
3671 	struct ieee80211_local *local = sdata->local;
3672 	struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
3673 	struct ieee80211_mgd_auth_data *auth_data = ifmgd->auth_data;
3674 	u32 tx_flags = 0;
3675 
3676 	sdata_assert_lock(sdata);
3677 
3678 	if (WARN_ON_ONCE(!auth_data))
3679 		return -EINVAL;
3680 
3681 	auth_data->tries++;
3682 
3683 	if (auth_data->tries > IEEE80211_AUTH_MAX_TRIES) {
3684 		sdata_info(sdata, "authentication with %pM timed out\n",
3685 			   auth_data->bss->bssid);
3686 
3687 		/*
3688 		 * Most likely AP is not in the range so remove the
3689 		 * bss struct for that AP.
3690 		 */
3691 		cfg80211_unlink_bss(local->hw.wiphy, auth_data->bss);
3692 
3693 		return -ETIMEDOUT;
3694 	}
3695 
3696 	drv_mgd_prepare_tx(local, sdata);
3697 
3698 	if (auth_data->bss->proberesp_ies) {
3699 		u16 trans = 1;
3700 		u16 status = 0;
3701 
3702 		sdata_info(sdata, "send auth to %pM (try %d/%d)\n",
3703 			   auth_data->bss->bssid, auth_data->tries,
3704 			   IEEE80211_AUTH_MAX_TRIES);
3705 
3706 		auth_data->expected_transaction = 2;
3707 
3708 		if (auth_data->algorithm == WLAN_AUTH_SAE) {
3709 			trans = auth_data->sae_trans;
3710 			status = auth_data->sae_status;
3711 			auth_data->expected_transaction = trans;
3712 		}
3713 
3714 		if (local->hw.flags & IEEE80211_HW_REPORTS_TX_ACK_STATUS)
3715 			tx_flags = IEEE80211_TX_CTL_REQ_TX_STATUS |
3716 				   IEEE80211_TX_INTFL_MLME_CONN_TX;
3717 
3718 		ieee80211_send_auth(sdata, trans, auth_data->algorithm, status,
3719 				    auth_data->data, auth_data->data_len,
3720 				    auth_data->bss->bssid,
3721 				    auth_data->bss->bssid, NULL, 0, 0,
3722 				    tx_flags);
3723 	} else {
3724 		const u8 *ssidie;
3725 
3726 		sdata_info(sdata, "direct probe to %pM (try %d/%i)\n",
3727 			   auth_data->bss->bssid, auth_data->tries,
3728 			   IEEE80211_AUTH_MAX_TRIES);
3729 
3730 		rcu_read_lock();
3731 		ssidie = ieee80211_bss_get_ie(auth_data->bss, WLAN_EID_SSID);
3732 		if (!ssidie) {
3733 			rcu_read_unlock();
3734 			return -EINVAL;
3735 		}
3736 		/*
3737 		 * Direct probe is sent to broadcast address as some APs
3738 		 * will not answer to direct packet in unassociated state.
3739 		 */
3740 		ieee80211_send_probe_req(sdata, sdata->vif.addr, NULL,
3741 					 ssidie + 2, ssidie[1],
3742 					 NULL, 0, (u32) -1, true, 0,
3743 					 auth_data->bss->channel, false);
3744 		rcu_read_unlock();
3745 	}
3746 
3747 	if (tx_flags == 0) {
3748 		auth_data->timeout = jiffies + IEEE80211_AUTH_TIMEOUT;
3749 		auth_data->timeout_started = true;
3750 		run_again(sdata, auth_data->timeout);
3751 	} else {
3752 		auth_data->timeout =
3753 			round_jiffies_up(jiffies + IEEE80211_AUTH_TIMEOUT_LONG);
3754 		auth_data->timeout_started = true;
3755 		run_again(sdata, auth_data->timeout);
3756 	}
3757 
3758 	return 0;
3759 }
3760 
3761 static int ieee80211_do_assoc(struct ieee80211_sub_if_data *sdata)
3762 {
3763 	struct ieee80211_mgd_assoc_data *assoc_data = sdata->u.mgd.assoc_data;
3764 	struct ieee80211_local *local = sdata->local;
3765 
3766 	sdata_assert_lock(sdata);
3767 
3768 	assoc_data->tries++;
3769 	if (assoc_data->tries > IEEE80211_ASSOC_MAX_TRIES) {
3770 		sdata_info(sdata, "association with %pM timed out\n",
3771 			   assoc_data->bss->bssid);
3772 
3773 		/*
3774 		 * Most likely AP is not in the range so remove the
3775 		 * bss struct for that AP.
3776 		 */
3777 		cfg80211_unlink_bss(local->hw.wiphy, assoc_data->bss);
3778 
3779 		return -ETIMEDOUT;
3780 	}
3781 
3782 	sdata_info(sdata, "associate with %pM (try %d/%d)\n",
3783 		   assoc_data->bss->bssid, assoc_data->tries,
3784 		   IEEE80211_ASSOC_MAX_TRIES);
3785 	ieee80211_send_assoc(sdata);
3786 
3787 	if (!(local->hw.flags & IEEE80211_HW_REPORTS_TX_ACK_STATUS)) {
3788 		assoc_data->timeout = jiffies + IEEE80211_ASSOC_TIMEOUT;
3789 		assoc_data->timeout_started = true;
3790 		run_again(sdata, assoc_data->timeout);
3791 	} else {
3792 		assoc_data->timeout =
3793 			round_jiffies_up(jiffies +
3794 					 IEEE80211_ASSOC_TIMEOUT_LONG);
3795 		assoc_data->timeout_started = true;
3796 		run_again(sdata, assoc_data->timeout);
3797 	}
3798 
3799 	return 0;
3800 }
3801 
3802 void ieee80211_mgd_conn_tx_status(struct ieee80211_sub_if_data *sdata,
3803 				  __le16 fc, bool acked)
3804 {
3805 	struct ieee80211_local *local = sdata->local;
3806 
3807 	sdata->u.mgd.status_fc = fc;
3808 	sdata->u.mgd.status_acked = acked;
3809 	sdata->u.mgd.status_received = true;
3810 
3811 	ieee80211_queue_work(&local->hw, &sdata->work);
3812 }
3813 
3814 void ieee80211_sta_work(struct ieee80211_sub_if_data *sdata)
3815 {
3816 	struct ieee80211_local *local = sdata->local;
3817 	struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
3818 
3819 	sdata_lock(sdata);
3820 
3821 	if (ifmgd->status_received) {
3822 		__le16 fc = ifmgd->status_fc;
3823 		bool status_acked = ifmgd->status_acked;
3824 
3825 		ifmgd->status_received = false;
3826 		if (ifmgd->auth_data &&
3827 		    (ieee80211_is_probe_req(fc) || ieee80211_is_auth(fc))) {
3828 			if (status_acked) {
3829 				ifmgd->auth_data->timeout =
3830 					jiffies + IEEE80211_AUTH_TIMEOUT_SHORT;
3831 				run_again(sdata, ifmgd->auth_data->timeout);
3832 			} else {
3833 				ifmgd->auth_data->timeout = jiffies - 1;
3834 			}
3835 			ifmgd->auth_data->timeout_started = true;
3836 		} else if (ifmgd->assoc_data &&
3837 			   (ieee80211_is_assoc_req(fc) ||
3838 			    ieee80211_is_reassoc_req(fc))) {
3839 			if (status_acked) {
3840 				ifmgd->assoc_data->timeout =
3841 					jiffies + IEEE80211_ASSOC_TIMEOUT_SHORT;
3842 				run_again(sdata, ifmgd->assoc_data->timeout);
3843 			} else {
3844 				ifmgd->assoc_data->timeout = jiffies - 1;
3845 			}
3846 			ifmgd->assoc_data->timeout_started = true;
3847 		}
3848 	}
3849 
3850 	if (ifmgd->auth_data && ifmgd->auth_data->timeout_started &&
3851 	    time_after(jiffies, ifmgd->auth_data->timeout)) {
3852 		if (ifmgd->auth_data->done) {
3853 			/*
3854 			 * ok ... we waited for assoc but userspace didn't,
3855 			 * so let's just kill the auth data
3856 			 */
3857 			ieee80211_destroy_auth_data(sdata, false);
3858 		} else if (ieee80211_probe_auth(sdata)) {
3859 			u8 bssid[ETH_ALEN];
3860 			struct ieee80211_event event = {
3861 				.type = MLME_EVENT,
3862 				.u.mlme.data = AUTH_EVENT,
3863 				.u.mlme.status = MLME_TIMEOUT,
3864 			};
3865 
3866 			memcpy(bssid, ifmgd->auth_data->bss->bssid, ETH_ALEN);
3867 
3868 			ieee80211_destroy_auth_data(sdata, false);
3869 
3870 			cfg80211_auth_timeout(sdata->dev, bssid);
3871 			drv_event_callback(sdata->local, sdata, &event);
3872 		}
3873 	} else if (ifmgd->auth_data && ifmgd->auth_data->timeout_started)
3874 		run_again(sdata, ifmgd->auth_data->timeout);
3875 
3876 	if (ifmgd->assoc_data && ifmgd->assoc_data->timeout_started &&
3877 	    time_after(jiffies, ifmgd->assoc_data->timeout)) {
3878 		if ((ifmgd->assoc_data->need_beacon && !ifmgd->have_beacon) ||
3879 		    ieee80211_do_assoc(sdata)) {
3880 			struct cfg80211_bss *bss = ifmgd->assoc_data->bss;
3881 			struct ieee80211_event event = {
3882 				.type = MLME_EVENT,
3883 				.u.mlme.data = ASSOC_EVENT,
3884 				.u.mlme.status = MLME_TIMEOUT,
3885 			};
3886 
3887 			ieee80211_destroy_assoc_data(sdata, false);
3888 			cfg80211_assoc_timeout(sdata->dev, bss);
3889 			drv_event_callback(sdata->local, sdata, &event);
3890 		}
3891 	} else if (ifmgd->assoc_data && ifmgd->assoc_data->timeout_started)
3892 		run_again(sdata, ifmgd->assoc_data->timeout);
3893 
3894 	if (ifmgd->flags & IEEE80211_STA_CONNECTION_POLL &&
3895 	    ifmgd->associated) {
3896 		u8 bssid[ETH_ALEN];
3897 		int max_tries;
3898 
3899 		memcpy(bssid, ifmgd->associated->bssid, ETH_ALEN);
3900 
3901 		if (local->hw.flags & IEEE80211_HW_REPORTS_TX_ACK_STATUS)
3902 			max_tries = max_nullfunc_tries;
3903 		else
3904 			max_tries = max_probe_tries;
3905 
3906 		/* ACK received for nullfunc probing frame */
3907 		if (!ifmgd->probe_send_count)
3908 			ieee80211_reset_ap_probe(sdata);
3909 		else if (ifmgd->nullfunc_failed) {
3910 			if (ifmgd->probe_send_count < max_tries) {
3911 				mlme_dbg(sdata,
3912 					 "No ack for nullfunc frame to AP %pM, try %d/%i\n",
3913 					 bssid, ifmgd->probe_send_count,
3914 					 max_tries);
3915 				ieee80211_mgd_probe_ap_send(sdata);
3916 			} else {
3917 				mlme_dbg(sdata,
3918 					 "No ack for nullfunc frame to AP %pM, disconnecting.\n",
3919 					 bssid);
3920 				ieee80211_sta_connection_lost(sdata, bssid,
3921 					WLAN_REASON_DISASSOC_DUE_TO_INACTIVITY,
3922 					false);
3923 			}
3924 		} else if (time_is_after_jiffies(ifmgd->probe_timeout))
3925 			run_again(sdata, ifmgd->probe_timeout);
3926 		else if (local->hw.flags & IEEE80211_HW_REPORTS_TX_ACK_STATUS) {
3927 			mlme_dbg(sdata,
3928 				 "Failed to send nullfunc to AP %pM after %dms, disconnecting\n",
3929 				 bssid, probe_wait_ms);
3930 			ieee80211_sta_connection_lost(sdata, bssid,
3931 				WLAN_REASON_DISASSOC_DUE_TO_INACTIVITY, false);
3932 		} else if (ifmgd->probe_send_count < max_tries) {
3933 			mlme_dbg(sdata,
3934 				 "No probe response from AP %pM after %dms, try %d/%i\n",
3935 				 bssid, probe_wait_ms,
3936 				 ifmgd->probe_send_count, max_tries);
3937 			ieee80211_mgd_probe_ap_send(sdata);
3938 		} else {
3939 			/*
3940 			 * We actually lost the connection ... or did we?
3941 			 * Let's make sure!
3942 			 */
3943 			wiphy_debug(local->hw.wiphy,
3944 				    "%s: No probe response from AP %pM"
3945 				    " after %dms, disconnecting.\n",
3946 				    sdata->name,
3947 				    bssid, probe_wait_ms);
3948 
3949 			ieee80211_sta_connection_lost(sdata, bssid,
3950 				WLAN_REASON_DISASSOC_DUE_TO_INACTIVITY, false);
3951 		}
3952 	}
3953 
3954 	sdata_unlock(sdata);
3955 }
3956 
3957 static void ieee80211_sta_bcn_mon_timer(unsigned long data)
3958 {
3959 	struct ieee80211_sub_if_data *sdata =
3960 		(struct ieee80211_sub_if_data *) data;
3961 	struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
3962 
3963 	if (sdata->vif.csa_active && !ifmgd->csa_waiting_bcn)
3964 		return;
3965 
3966 	sdata->u.mgd.connection_loss = false;
3967 	ieee80211_queue_work(&sdata->local->hw,
3968 			     &sdata->u.mgd.beacon_connection_loss_work);
3969 }
3970 
3971 static void ieee80211_sta_conn_mon_timer(unsigned long data)
3972 {
3973 	struct ieee80211_sub_if_data *sdata =
3974 		(struct ieee80211_sub_if_data *) data;
3975 	struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
3976 	struct ieee80211_local *local = sdata->local;
3977 
3978 	if (sdata->vif.csa_active && !ifmgd->csa_waiting_bcn)
3979 		return;
3980 
3981 	ieee80211_queue_work(&local->hw, &ifmgd->monitor_work);
3982 }
3983 
3984 static void ieee80211_sta_monitor_work(struct work_struct *work)
3985 {
3986 	struct ieee80211_sub_if_data *sdata =
3987 		container_of(work, struct ieee80211_sub_if_data,
3988 			     u.mgd.monitor_work);
3989 
3990 	ieee80211_mgd_probe_ap(sdata, false);
3991 }
3992 
3993 static void ieee80211_restart_sta_timer(struct ieee80211_sub_if_data *sdata)
3994 {
3995 	u32 flags;
3996 
3997 	if (sdata->vif.type == NL80211_IFTYPE_STATION) {
3998 		__ieee80211_stop_poll(sdata);
3999 
4000 		/* let's probe the connection once */
4001 		flags = sdata->local->hw.flags;
4002 		if (!(flags & IEEE80211_HW_CONNECTION_MONITOR))
4003 			ieee80211_queue_work(&sdata->local->hw,
4004 					     &sdata->u.mgd.monitor_work);
4005 		/* and do all the other regular work too */
4006 		ieee80211_queue_work(&sdata->local->hw, &sdata->work);
4007 	}
4008 }
4009 
4010 #ifdef CONFIG_PM
4011 void ieee80211_mgd_quiesce(struct ieee80211_sub_if_data *sdata)
4012 {
4013 	struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
4014 	u8 frame_buf[IEEE80211_DEAUTH_FRAME_LEN];
4015 
4016 	sdata_lock(sdata);
4017 
4018 	if (ifmgd->auth_data || ifmgd->assoc_data) {
4019 		const u8 *bssid = ifmgd->auth_data ?
4020 				ifmgd->auth_data->bss->bssid :
4021 				ifmgd->assoc_data->bss->bssid;
4022 
4023 		/*
4024 		 * If we are trying to authenticate / associate while suspending,
4025 		 * cfg80211 won't know and won't actually abort those attempts,
4026 		 * thus we need to do that ourselves.
4027 		 */
4028 		ieee80211_send_deauth_disassoc(sdata, bssid,
4029 					       IEEE80211_STYPE_DEAUTH,
4030 					       WLAN_REASON_DEAUTH_LEAVING,
4031 					       false, frame_buf);
4032 		if (ifmgd->assoc_data)
4033 			ieee80211_destroy_assoc_data(sdata, false);
4034 		if (ifmgd->auth_data)
4035 			ieee80211_destroy_auth_data(sdata, false);
4036 		cfg80211_tx_mlme_mgmt(sdata->dev, frame_buf,
4037 				      IEEE80211_DEAUTH_FRAME_LEN);
4038 	}
4039 
4040 	/* This is a bit of a hack - we should find a better and more generic
4041 	 * solution to this. Normally when suspending, cfg80211 will in fact
4042 	 * deauthenticate. However, it doesn't (and cannot) stop an ongoing
4043 	 * auth (not so important) or assoc (this is the problem) process.
4044 	 *
4045 	 * As a consequence, it can happen that we are in the process of both
4046 	 * associating and suspending, and receive an association response
4047 	 * after cfg80211 has checked if it needs to disconnect, but before
4048 	 * we actually set the flag to drop incoming frames. This will then
4049 	 * cause the workqueue flush to process the association response in
4050 	 * the suspend, resulting in a successful association just before it
4051 	 * tries to remove the interface from the driver, which now though
4052 	 * has a channel context assigned ... this results in issues.
4053 	 *
4054 	 * To work around this (for now) simply deauth here again if we're
4055 	 * now connected.
4056 	 */
4057 	if (ifmgd->associated && !sdata->local->wowlan) {
4058 		u8 bssid[ETH_ALEN];
4059 		struct cfg80211_deauth_request req = {
4060 			.reason_code = WLAN_REASON_DEAUTH_LEAVING,
4061 			.bssid = bssid,
4062 		};
4063 
4064 		memcpy(bssid, ifmgd->associated->bssid, ETH_ALEN);
4065 		ieee80211_mgd_deauth(sdata, &req);
4066 	}
4067 
4068 	sdata_unlock(sdata);
4069 }
4070 
4071 void ieee80211_sta_restart(struct ieee80211_sub_if_data *sdata)
4072 {
4073 	struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
4074 
4075 	sdata_lock(sdata);
4076 	if (!ifmgd->associated) {
4077 		sdata_unlock(sdata);
4078 		return;
4079 	}
4080 
4081 	if (sdata->flags & IEEE80211_SDATA_DISCONNECT_RESUME) {
4082 		sdata->flags &= ~IEEE80211_SDATA_DISCONNECT_RESUME;
4083 		mlme_dbg(sdata, "driver requested disconnect after resume\n");
4084 		ieee80211_sta_connection_lost(sdata,
4085 					      ifmgd->associated->bssid,
4086 					      WLAN_REASON_UNSPECIFIED,
4087 					      true);
4088 		sdata_unlock(sdata);
4089 		return;
4090 	}
4091 	sdata_unlock(sdata);
4092 }
4093 #endif
4094 
4095 /* interface setup */
4096 void ieee80211_sta_setup_sdata(struct ieee80211_sub_if_data *sdata)
4097 {
4098 	struct ieee80211_if_managed *ifmgd;
4099 
4100 	ifmgd = &sdata->u.mgd;
4101 	INIT_WORK(&ifmgd->monitor_work, ieee80211_sta_monitor_work);
4102 	INIT_WORK(&ifmgd->chswitch_work, ieee80211_chswitch_work);
4103 	INIT_WORK(&ifmgd->beacon_connection_loss_work,
4104 		  ieee80211_beacon_connection_loss_work);
4105 	INIT_WORK(&ifmgd->csa_connection_drop_work,
4106 		  ieee80211_csa_connection_drop_work);
4107 	INIT_WORK(&ifmgd->request_smps_work, ieee80211_request_smps_mgd_work);
4108 	INIT_DELAYED_WORK(&ifmgd->tdls_peer_del_work,
4109 			  ieee80211_tdls_peer_del_work);
4110 	setup_timer(&ifmgd->timer, ieee80211_sta_timer,
4111 		    (unsigned long) sdata);
4112 	setup_timer(&ifmgd->bcn_mon_timer, ieee80211_sta_bcn_mon_timer,
4113 		    (unsigned long) sdata);
4114 	setup_timer(&ifmgd->conn_mon_timer, ieee80211_sta_conn_mon_timer,
4115 		    (unsigned long) sdata);
4116 	setup_timer(&ifmgd->chswitch_timer, ieee80211_chswitch_timer,
4117 		    (unsigned long) sdata);
4118 	INIT_DELAYED_WORK(&ifmgd->tx_tspec_wk,
4119 			  ieee80211_sta_handle_tspec_ac_params_wk);
4120 
4121 	ifmgd->flags = 0;
4122 	ifmgd->powersave = sdata->wdev.ps;
4123 	ifmgd->uapsd_queues = sdata->local->hw.uapsd_queues;
4124 	ifmgd->uapsd_max_sp_len = sdata->local->hw.uapsd_max_sp_len;
4125 	ifmgd->p2p_noa_index = -1;
4126 
4127 	if (sdata->local->hw.wiphy->features & NL80211_FEATURE_DYNAMIC_SMPS)
4128 		ifmgd->req_smps = IEEE80211_SMPS_AUTOMATIC;
4129 	else
4130 		ifmgd->req_smps = IEEE80211_SMPS_OFF;
4131 
4132 	/* Setup TDLS data */
4133 	spin_lock_init(&ifmgd->teardown_lock);
4134 	ifmgd->teardown_skb = NULL;
4135 	ifmgd->orig_teardown_skb = NULL;
4136 }
4137 
4138 /* scan finished notification */
4139 void ieee80211_mlme_notify_scan_completed(struct ieee80211_local *local)
4140 {
4141 	struct ieee80211_sub_if_data *sdata;
4142 
4143 	/* Restart STA timers */
4144 	rcu_read_lock();
4145 	list_for_each_entry_rcu(sdata, &local->interfaces, list) {
4146 		if (ieee80211_sdata_running(sdata))
4147 			ieee80211_restart_sta_timer(sdata);
4148 	}
4149 	rcu_read_unlock();
4150 }
4151 
4152 int ieee80211_max_network_latency(struct notifier_block *nb,
4153 				  unsigned long data, void *dummy)
4154 {
4155 	s32 latency_usec = (s32) data;
4156 	struct ieee80211_local *local =
4157 		container_of(nb, struct ieee80211_local,
4158 			     network_latency_notifier);
4159 
4160 	mutex_lock(&local->iflist_mtx);
4161 	ieee80211_recalc_ps(local, latency_usec);
4162 	mutex_unlock(&local->iflist_mtx);
4163 
4164 	return NOTIFY_OK;
4165 }
4166 
4167 static u8 ieee80211_ht_vht_rx_chains(struct ieee80211_sub_if_data *sdata,
4168 				     struct cfg80211_bss *cbss)
4169 {
4170 	struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
4171 	const u8 *ht_cap_ie, *vht_cap_ie;
4172 	const struct ieee80211_ht_cap *ht_cap;
4173 	const struct ieee80211_vht_cap *vht_cap;
4174 	u8 chains = 1;
4175 
4176 	if (ifmgd->flags & IEEE80211_STA_DISABLE_HT)
4177 		return chains;
4178 
4179 	ht_cap_ie = ieee80211_bss_get_ie(cbss, WLAN_EID_HT_CAPABILITY);
4180 	if (ht_cap_ie && ht_cap_ie[1] >= sizeof(*ht_cap)) {
4181 		ht_cap = (void *)(ht_cap_ie + 2);
4182 		chains = ieee80211_mcs_to_chains(&ht_cap->mcs);
4183 		/*
4184 		 * TODO: use "Tx Maximum Number Spatial Streams Supported" and
4185 		 *	 "Tx Unequal Modulation Supported" fields.
4186 		 */
4187 	}
4188 
4189 	if (ifmgd->flags & IEEE80211_STA_DISABLE_VHT)
4190 		return chains;
4191 
4192 	vht_cap_ie = ieee80211_bss_get_ie(cbss, WLAN_EID_VHT_CAPABILITY);
4193 	if (vht_cap_ie && vht_cap_ie[1] >= sizeof(*vht_cap)) {
4194 		u8 nss;
4195 		u16 tx_mcs_map;
4196 
4197 		vht_cap = (void *)(vht_cap_ie + 2);
4198 		tx_mcs_map = le16_to_cpu(vht_cap->supp_mcs.tx_mcs_map);
4199 		for (nss = 8; nss > 0; nss--) {
4200 			if (((tx_mcs_map >> (2 * (nss - 1))) & 3) !=
4201 					IEEE80211_VHT_MCS_NOT_SUPPORTED)
4202 				break;
4203 		}
4204 		/* TODO: use "Tx Highest Supported Long GI Data Rate" field? */
4205 		chains = max(chains, nss);
4206 	}
4207 
4208 	return chains;
4209 }
4210 
4211 static int ieee80211_prep_channel(struct ieee80211_sub_if_data *sdata,
4212 				  struct cfg80211_bss *cbss)
4213 {
4214 	struct ieee80211_local *local = sdata->local;
4215 	struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
4216 	const struct ieee80211_ht_cap *ht_cap = NULL;
4217 	const struct ieee80211_ht_operation *ht_oper = NULL;
4218 	const struct ieee80211_vht_operation *vht_oper = NULL;
4219 	struct ieee80211_supported_band *sband;
4220 	struct cfg80211_chan_def chandef;
4221 	int ret;
4222 
4223 	sband = local->hw.wiphy->bands[cbss->channel->band];
4224 
4225 	ifmgd->flags &= ~(IEEE80211_STA_DISABLE_40MHZ |
4226 			  IEEE80211_STA_DISABLE_80P80MHZ |
4227 			  IEEE80211_STA_DISABLE_160MHZ);
4228 
4229 	rcu_read_lock();
4230 
4231 	if (!(ifmgd->flags & IEEE80211_STA_DISABLE_HT) &&
4232 	    sband->ht_cap.ht_supported) {
4233 		const u8 *ht_oper_ie, *ht_cap_ie;
4234 
4235 		ht_oper_ie = ieee80211_bss_get_ie(cbss, WLAN_EID_HT_OPERATION);
4236 		if (ht_oper_ie && ht_oper_ie[1] >= sizeof(*ht_oper))
4237 			ht_oper = (void *)(ht_oper_ie + 2);
4238 
4239 		ht_cap_ie = ieee80211_bss_get_ie(cbss, WLAN_EID_HT_CAPABILITY);
4240 		if (ht_cap_ie && ht_cap_ie[1] >= sizeof(*ht_cap))
4241 			ht_cap = (void *)(ht_cap_ie + 2);
4242 
4243 		if (!ht_cap) {
4244 			ifmgd->flags |= IEEE80211_STA_DISABLE_HT;
4245 			ht_oper = NULL;
4246 		}
4247 	}
4248 
4249 	if (!(ifmgd->flags & IEEE80211_STA_DISABLE_VHT) &&
4250 	    sband->vht_cap.vht_supported) {
4251 		const u8 *vht_oper_ie, *vht_cap;
4252 
4253 		vht_oper_ie = ieee80211_bss_get_ie(cbss,
4254 						   WLAN_EID_VHT_OPERATION);
4255 		if (vht_oper_ie && vht_oper_ie[1] >= sizeof(*vht_oper))
4256 			vht_oper = (void *)(vht_oper_ie + 2);
4257 		if (vht_oper && !ht_oper) {
4258 			vht_oper = NULL;
4259 			sdata_info(sdata,
4260 				   "AP advertised VHT without HT, disabling both\n");
4261 			ifmgd->flags |= IEEE80211_STA_DISABLE_HT;
4262 			ifmgd->flags |= IEEE80211_STA_DISABLE_VHT;
4263 		}
4264 
4265 		vht_cap = ieee80211_bss_get_ie(cbss, WLAN_EID_VHT_CAPABILITY);
4266 		if (!vht_cap || vht_cap[1] < sizeof(struct ieee80211_vht_cap)) {
4267 			ifmgd->flags |= IEEE80211_STA_DISABLE_VHT;
4268 			vht_oper = NULL;
4269 		}
4270 	}
4271 
4272 	ifmgd->flags |= ieee80211_determine_chantype(sdata, sband,
4273 						     cbss->channel,
4274 						     ht_cap, ht_oper, vht_oper,
4275 						     &chandef, false);
4276 
4277 	sdata->needed_rx_chains = min(ieee80211_ht_vht_rx_chains(sdata, cbss),
4278 				      local->rx_chains);
4279 
4280 	rcu_read_unlock();
4281 
4282 	/* will change later if needed */
4283 	sdata->smps_mode = IEEE80211_SMPS_OFF;
4284 
4285 	mutex_lock(&local->mtx);
4286 	/*
4287 	 * If this fails (possibly due to channel context sharing
4288 	 * on incompatible channels, e.g. 80+80 and 160 sharing the
4289 	 * same control channel) try to use a smaller bandwidth.
4290 	 */
4291 	ret = ieee80211_vif_use_channel(sdata, &chandef,
4292 					IEEE80211_CHANCTX_SHARED);
4293 
4294 	/* don't downgrade for 5 and 10 MHz channels, though. */
4295 	if (chandef.width == NL80211_CHAN_WIDTH_5 ||
4296 	    chandef.width == NL80211_CHAN_WIDTH_10)
4297 		goto out;
4298 
4299 	while (ret && chandef.width != NL80211_CHAN_WIDTH_20_NOHT) {
4300 		ifmgd->flags |= ieee80211_chandef_downgrade(&chandef);
4301 		ret = ieee80211_vif_use_channel(sdata, &chandef,
4302 						IEEE80211_CHANCTX_SHARED);
4303 	}
4304  out:
4305 	mutex_unlock(&local->mtx);
4306 	return ret;
4307 }
4308 
4309 static int ieee80211_prep_connection(struct ieee80211_sub_if_data *sdata,
4310 				     struct cfg80211_bss *cbss, bool assoc)
4311 {
4312 	struct ieee80211_local *local = sdata->local;
4313 	struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
4314 	struct ieee80211_bss *bss = (void *)cbss->priv;
4315 	struct sta_info *new_sta = NULL;
4316 	struct ieee80211_supported_band *sband;
4317 	struct ieee80211_sta_ht_cap sta_ht_cap;
4318 	bool have_sta = false, is_override = false;
4319 	int err;
4320 
4321 	sband = local->hw.wiphy->bands[cbss->channel->band];
4322 
4323 	if (WARN_ON(!ifmgd->auth_data && !ifmgd->assoc_data))
4324 		return -EINVAL;
4325 
4326 	if (assoc) {
4327 		rcu_read_lock();
4328 		have_sta = sta_info_get(sdata, cbss->bssid);
4329 		rcu_read_unlock();
4330 	}
4331 
4332 	if (!have_sta) {
4333 		new_sta = sta_info_alloc(sdata, cbss->bssid, GFP_KERNEL);
4334 		if (!new_sta)
4335 			return -ENOMEM;
4336 	}
4337 
4338 	memcpy(&sta_ht_cap, &sband->ht_cap, sizeof(sta_ht_cap));
4339 	ieee80211_apply_htcap_overrides(sdata, &sta_ht_cap);
4340 
4341 	is_override = (sta_ht_cap.cap & IEEE80211_HT_CAP_SUP_WIDTH_20_40) !=
4342 		      (sband->ht_cap.cap &
4343 		       IEEE80211_HT_CAP_SUP_WIDTH_20_40);
4344 
4345 	if (new_sta || is_override) {
4346 		err = ieee80211_prep_channel(sdata, cbss);
4347 		if (err) {
4348 			if (new_sta)
4349 				sta_info_free(local, new_sta);
4350 			return -EINVAL;
4351 		}
4352 	}
4353 
4354 	if (new_sta) {
4355 		u32 rates = 0, basic_rates = 0;
4356 		bool have_higher_than_11mbit;
4357 		int min_rate = INT_MAX, min_rate_index = -1;
4358 		struct ieee80211_chanctx_conf *chanctx_conf;
4359 		const struct cfg80211_bss_ies *ies;
4360 		int shift = ieee80211_vif_get_shift(&sdata->vif);
4361 		u32 rate_flags;
4362 
4363 		rcu_read_lock();
4364 		chanctx_conf = rcu_dereference(sdata->vif.chanctx_conf);
4365 		if (WARN_ON(!chanctx_conf)) {
4366 			rcu_read_unlock();
4367 			sta_info_free(local, new_sta);
4368 			return -EINVAL;
4369 		}
4370 		rate_flags = ieee80211_chandef_rate_flags(&chanctx_conf->def);
4371 		rcu_read_unlock();
4372 
4373 		ieee80211_get_rates(sband, bss->supp_rates,
4374 				    bss->supp_rates_len,
4375 				    &rates, &basic_rates,
4376 				    &have_higher_than_11mbit,
4377 				    &min_rate, &min_rate_index,
4378 				    shift, rate_flags);
4379 
4380 		/*
4381 		 * This used to be a workaround for basic rates missing
4382 		 * in the association response frame. Now that we no
4383 		 * longer use the basic rates from there, it probably
4384 		 * doesn't happen any more, but keep the workaround so
4385 		 * in case some *other* APs are buggy in different ways
4386 		 * we can connect -- with a warning.
4387 		 */
4388 		if (!basic_rates && min_rate_index >= 0) {
4389 			sdata_info(sdata,
4390 				   "No basic rates, using min rate instead\n");
4391 			basic_rates = BIT(min_rate_index);
4392 		}
4393 
4394 		new_sta->sta.supp_rates[cbss->channel->band] = rates;
4395 		sdata->vif.bss_conf.basic_rates = basic_rates;
4396 
4397 		/* cf. IEEE 802.11 9.2.12 */
4398 		if (cbss->channel->band == IEEE80211_BAND_2GHZ &&
4399 		    have_higher_than_11mbit)
4400 			sdata->flags |= IEEE80211_SDATA_OPERATING_GMODE;
4401 		else
4402 			sdata->flags &= ~IEEE80211_SDATA_OPERATING_GMODE;
4403 
4404 		memcpy(ifmgd->bssid, cbss->bssid, ETH_ALEN);
4405 
4406 		/* set timing information */
4407 		sdata->vif.bss_conf.beacon_int = cbss->beacon_interval;
4408 		rcu_read_lock();
4409 		ies = rcu_dereference(cbss->beacon_ies);
4410 		if (ies) {
4411 			const u8 *tim_ie;
4412 
4413 			sdata->vif.bss_conf.sync_tsf = ies->tsf;
4414 			sdata->vif.bss_conf.sync_device_ts =
4415 				bss->device_ts_beacon;
4416 			tim_ie = cfg80211_find_ie(WLAN_EID_TIM,
4417 						  ies->data, ies->len);
4418 			if (tim_ie && tim_ie[1] >= 2)
4419 				sdata->vif.bss_conf.sync_dtim_count = tim_ie[2];
4420 			else
4421 				sdata->vif.bss_conf.sync_dtim_count = 0;
4422 		} else if (!(local->hw.flags &
4423 					IEEE80211_HW_TIMING_BEACON_ONLY)) {
4424 			ies = rcu_dereference(cbss->proberesp_ies);
4425 			/* must be non-NULL since beacon IEs were NULL */
4426 			sdata->vif.bss_conf.sync_tsf = ies->tsf;
4427 			sdata->vif.bss_conf.sync_device_ts =
4428 				bss->device_ts_presp;
4429 			sdata->vif.bss_conf.sync_dtim_count = 0;
4430 		} else {
4431 			sdata->vif.bss_conf.sync_tsf = 0;
4432 			sdata->vif.bss_conf.sync_device_ts = 0;
4433 			sdata->vif.bss_conf.sync_dtim_count = 0;
4434 		}
4435 		rcu_read_unlock();
4436 
4437 		/* tell driver about BSSID, basic rates and timing */
4438 		ieee80211_bss_info_change_notify(sdata,
4439 			BSS_CHANGED_BSSID | BSS_CHANGED_BASIC_RATES |
4440 			BSS_CHANGED_BEACON_INT);
4441 
4442 		if (assoc)
4443 			sta_info_pre_move_state(new_sta, IEEE80211_STA_AUTH);
4444 
4445 		err = sta_info_insert(new_sta);
4446 		new_sta = NULL;
4447 		if (err) {
4448 			sdata_info(sdata,
4449 				   "failed to insert STA entry for the AP (error %d)\n",
4450 				   err);
4451 			return err;
4452 		}
4453 	} else
4454 		WARN_ON_ONCE(!ether_addr_equal(ifmgd->bssid, cbss->bssid));
4455 
4456 	/* Cancel scan to ensure that nothing interferes with connection */
4457 	if (local->scanning)
4458 		ieee80211_scan_cancel(local);
4459 
4460 	return 0;
4461 }
4462 
4463 /* config hooks */
4464 int ieee80211_mgd_auth(struct ieee80211_sub_if_data *sdata,
4465 		       struct cfg80211_auth_request *req)
4466 {
4467 	struct ieee80211_local *local = sdata->local;
4468 	struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
4469 	struct ieee80211_mgd_auth_data *auth_data;
4470 	u16 auth_alg;
4471 	int err;
4472 
4473 	/* prepare auth data structure */
4474 
4475 	switch (req->auth_type) {
4476 	case NL80211_AUTHTYPE_OPEN_SYSTEM:
4477 		auth_alg = WLAN_AUTH_OPEN;
4478 		break;
4479 	case NL80211_AUTHTYPE_SHARED_KEY:
4480 		if (IS_ERR(local->wep_tx_tfm))
4481 			return -EOPNOTSUPP;
4482 		auth_alg = WLAN_AUTH_SHARED_KEY;
4483 		break;
4484 	case NL80211_AUTHTYPE_FT:
4485 		auth_alg = WLAN_AUTH_FT;
4486 		break;
4487 	case NL80211_AUTHTYPE_NETWORK_EAP:
4488 		auth_alg = WLAN_AUTH_LEAP;
4489 		break;
4490 	case NL80211_AUTHTYPE_SAE:
4491 		auth_alg = WLAN_AUTH_SAE;
4492 		break;
4493 	default:
4494 		return -EOPNOTSUPP;
4495 	}
4496 
4497 	auth_data = kzalloc(sizeof(*auth_data) + req->sae_data_len +
4498 			    req->ie_len, GFP_KERNEL);
4499 	if (!auth_data)
4500 		return -ENOMEM;
4501 
4502 	auth_data->bss = req->bss;
4503 
4504 	if (req->sae_data_len >= 4) {
4505 		__le16 *pos = (__le16 *) req->sae_data;
4506 		auth_data->sae_trans = le16_to_cpu(pos[0]);
4507 		auth_data->sae_status = le16_to_cpu(pos[1]);
4508 		memcpy(auth_data->data, req->sae_data + 4,
4509 		       req->sae_data_len - 4);
4510 		auth_data->data_len += req->sae_data_len - 4;
4511 	}
4512 
4513 	if (req->ie && req->ie_len) {
4514 		memcpy(&auth_data->data[auth_data->data_len],
4515 		       req->ie, req->ie_len);
4516 		auth_data->data_len += req->ie_len;
4517 	}
4518 
4519 	if (req->key && req->key_len) {
4520 		auth_data->key_len = req->key_len;
4521 		auth_data->key_idx = req->key_idx;
4522 		memcpy(auth_data->key, req->key, req->key_len);
4523 	}
4524 
4525 	auth_data->algorithm = auth_alg;
4526 
4527 	/* try to authenticate/probe */
4528 
4529 	if ((ifmgd->auth_data && !ifmgd->auth_data->done) ||
4530 	    ifmgd->assoc_data) {
4531 		err = -EBUSY;
4532 		goto err_free;
4533 	}
4534 
4535 	if (ifmgd->auth_data)
4536 		ieee80211_destroy_auth_data(sdata, false);
4537 
4538 	/* prep auth_data so we don't go into idle on disassoc */
4539 	ifmgd->auth_data = auth_data;
4540 
4541 	if (ifmgd->associated) {
4542 		u8 frame_buf[IEEE80211_DEAUTH_FRAME_LEN];
4543 
4544 		ieee80211_set_disassoc(sdata, IEEE80211_STYPE_DEAUTH,
4545 				       WLAN_REASON_UNSPECIFIED,
4546 				       false, frame_buf);
4547 
4548 		ieee80211_report_disconnect(sdata, frame_buf,
4549 					    sizeof(frame_buf), true,
4550 					    WLAN_REASON_UNSPECIFIED);
4551 	}
4552 
4553 	sdata_info(sdata, "authenticate with %pM\n", req->bss->bssid);
4554 
4555 	err = ieee80211_prep_connection(sdata, req->bss, false);
4556 	if (err)
4557 		goto err_clear;
4558 
4559 	err = ieee80211_probe_auth(sdata);
4560 	if (err) {
4561 		sta_info_destroy_addr(sdata, req->bss->bssid);
4562 		goto err_clear;
4563 	}
4564 
4565 	/* hold our own reference */
4566 	cfg80211_ref_bss(local->hw.wiphy, auth_data->bss);
4567 	return 0;
4568 
4569  err_clear:
4570 	eth_zero_addr(ifmgd->bssid);
4571 	ieee80211_bss_info_change_notify(sdata, BSS_CHANGED_BSSID);
4572 	ifmgd->auth_data = NULL;
4573  err_free:
4574 	kfree(auth_data);
4575 	return err;
4576 }
4577 
4578 static bool ieee80211_usable_wmm_params(struct ieee80211_sub_if_data *sdata,
4579 					const u8 *wmm_param, int len)
4580 {
4581 	const u8 *pos;
4582 	size_t left;
4583 
4584 	if (len < 8)
4585 		return false;
4586 
4587 	if (wmm_param[5] != 1 /* version */)
4588 		return false;
4589 
4590 	pos = wmm_param + 8;
4591 	left = len - 8;
4592 
4593 	for (; left >= 4; left -= 4, pos += 4) {
4594 		u8 aifsn = pos[0] & 0x0f;
4595 		u8 ecwmin = pos[1] & 0x0f;
4596 		u8 ecwmax = (pos[1] & 0xf0) >> 4;
4597 		int aci = (pos[0] >> 5) & 0x03;
4598 
4599 		if (aifsn < 2) {
4600 			sdata_info(sdata,
4601 				   "AP has invalid WMM params (AIFSN=%d for ACI %d), disabling WMM\n",
4602 				   aifsn, aci);
4603 			return false;
4604 		}
4605 		if (ecwmin > ecwmax) {
4606 			sdata_info(sdata,
4607 				   "AP has invalid WMM params (ECWmin/max=%d/%d for ACI %d), disabling WMM\n",
4608 				   ecwmin, ecwmax, aci);
4609 			return false;
4610 		}
4611 	}
4612 
4613 	return true;
4614 }
4615 
4616 int ieee80211_mgd_assoc(struct ieee80211_sub_if_data *sdata,
4617 			struct cfg80211_assoc_request *req)
4618 {
4619 	struct ieee80211_local *local = sdata->local;
4620 	struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
4621 	struct ieee80211_bss *bss = (void *)req->bss->priv;
4622 	struct ieee80211_mgd_assoc_data *assoc_data;
4623 	const struct cfg80211_bss_ies *beacon_ies;
4624 	struct ieee80211_supported_band *sband;
4625 	const u8 *ssidie, *ht_ie, *vht_ie;
4626 	int i, err;
4627 
4628 	assoc_data = kzalloc(sizeof(*assoc_data) + req->ie_len, GFP_KERNEL);
4629 	if (!assoc_data)
4630 		return -ENOMEM;
4631 
4632 	rcu_read_lock();
4633 	ssidie = ieee80211_bss_get_ie(req->bss, WLAN_EID_SSID);
4634 	if (!ssidie) {
4635 		rcu_read_unlock();
4636 		kfree(assoc_data);
4637 		return -EINVAL;
4638 	}
4639 	memcpy(assoc_data->ssid, ssidie + 2, ssidie[1]);
4640 	assoc_data->ssid_len = ssidie[1];
4641 	rcu_read_unlock();
4642 
4643 	if (ifmgd->associated) {
4644 		u8 frame_buf[IEEE80211_DEAUTH_FRAME_LEN];
4645 
4646 		ieee80211_set_disassoc(sdata, IEEE80211_STYPE_DEAUTH,
4647 				       WLAN_REASON_UNSPECIFIED,
4648 				       false, frame_buf);
4649 
4650 		ieee80211_report_disconnect(sdata, frame_buf,
4651 					    sizeof(frame_buf), true,
4652 					    WLAN_REASON_UNSPECIFIED);
4653 	}
4654 
4655 	if (ifmgd->auth_data && !ifmgd->auth_data->done) {
4656 		err = -EBUSY;
4657 		goto err_free;
4658 	}
4659 
4660 	if (ifmgd->assoc_data) {
4661 		err = -EBUSY;
4662 		goto err_free;
4663 	}
4664 
4665 	if (ifmgd->auth_data) {
4666 		bool match;
4667 
4668 		/* keep sta info, bssid if matching */
4669 		match = ether_addr_equal(ifmgd->bssid, req->bss->bssid);
4670 		ieee80211_destroy_auth_data(sdata, match);
4671 	}
4672 
4673 	/* prepare assoc data */
4674 
4675 	ifmgd->beacon_crc_valid = false;
4676 
4677 	assoc_data->wmm = bss->wmm_used &&
4678 			  (local->hw.queues >= IEEE80211_NUM_ACS);
4679 	if (assoc_data->wmm) {
4680 		/* try to check validity of WMM params IE */
4681 		const struct cfg80211_bss_ies *ies;
4682 		const u8 *wp, *start, *end;
4683 
4684 		rcu_read_lock();
4685 		ies = rcu_dereference(req->bss->ies);
4686 		start = ies->data;
4687 		end = start + ies->len;
4688 
4689 		while (true) {
4690 			wp = cfg80211_find_vendor_ie(
4691 				WLAN_OUI_MICROSOFT,
4692 				WLAN_OUI_TYPE_MICROSOFT_WMM,
4693 				start, end - start);
4694 			if (!wp)
4695 				break;
4696 			start = wp + wp[1] + 2;
4697 			/* if this IE is too short, try the next */
4698 			if (wp[1] <= 4)
4699 				continue;
4700 			/* if this IE is WMM params, we found what we wanted */
4701 			if (wp[6] == 1)
4702 				break;
4703 		}
4704 
4705 		if (!wp || !ieee80211_usable_wmm_params(sdata, wp + 2,
4706 							wp[1] - 2)) {
4707 			assoc_data->wmm = false;
4708 			ifmgd->flags |= IEEE80211_STA_DISABLE_WMM;
4709 		}
4710 		rcu_read_unlock();
4711 	}
4712 
4713 	/*
4714 	 * IEEE802.11n does not allow TKIP/WEP as pairwise ciphers in HT mode.
4715 	 * We still associate in non-HT mode (11a/b/g) if any one of these
4716 	 * ciphers is configured as pairwise.
4717 	 * We can set this to true for non-11n hardware, that'll be checked
4718 	 * separately along with the peer capabilities.
4719 	 */
4720 	for (i = 0; i < req->crypto.n_ciphers_pairwise; i++) {
4721 		if (req->crypto.ciphers_pairwise[i] == WLAN_CIPHER_SUITE_WEP40 ||
4722 		    req->crypto.ciphers_pairwise[i] == WLAN_CIPHER_SUITE_TKIP ||
4723 		    req->crypto.ciphers_pairwise[i] == WLAN_CIPHER_SUITE_WEP104) {
4724 			ifmgd->flags |= IEEE80211_STA_DISABLE_HT;
4725 			ifmgd->flags |= IEEE80211_STA_DISABLE_VHT;
4726 			netdev_info(sdata->dev,
4727 				    "disabling HT/VHT due to WEP/TKIP use\n");
4728 		}
4729 	}
4730 
4731 	if (req->flags & ASSOC_REQ_DISABLE_HT) {
4732 		ifmgd->flags |= IEEE80211_STA_DISABLE_HT;
4733 		ifmgd->flags |= IEEE80211_STA_DISABLE_VHT;
4734 	}
4735 
4736 	if (req->flags & ASSOC_REQ_DISABLE_VHT)
4737 		ifmgd->flags |= IEEE80211_STA_DISABLE_VHT;
4738 
4739 	/* Also disable HT if we don't support it or the AP doesn't use WMM */
4740 	sband = local->hw.wiphy->bands[req->bss->channel->band];
4741 	if (!sband->ht_cap.ht_supported ||
4742 	    local->hw.queues < IEEE80211_NUM_ACS || !bss->wmm_used ||
4743 	    ifmgd->flags & IEEE80211_STA_DISABLE_WMM) {
4744 		ifmgd->flags |= IEEE80211_STA_DISABLE_HT;
4745 		if (!bss->wmm_used &&
4746 		    !(ifmgd->flags & IEEE80211_STA_DISABLE_WMM))
4747 			netdev_info(sdata->dev,
4748 				    "disabling HT as WMM/QoS is not supported by the AP\n");
4749 	}
4750 
4751 	/* disable VHT if we don't support it or the AP doesn't use WMM */
4752 	if (!sband->vht_cap.vht_supported ||
4753 	    local->hw.queues < IEEE80211_NUM_ACS || !bss->wmm_used ||
4754 	    ifmgd->flags & IEEE80211_STA_DISABLE_WMM) {
4755 		ifmgd->flags |= IEEE80211_STA_DISABLE_VHT;
4756 		if (!bss->wmm_used &&
4757 		    !(ifmgd->flags & IEEE80211_STA_DISABLE_WMM))
4758 			netdev_info(sdata->dev,
4759 				    "disabling VHT as WMM/QoS is not supported by the AP\n");
4760 	}
4761 
4762 	memcpy(&ifmgd->ht_capa, &req->ht_capa, sizeof(ifmgd->ht_capa));
4763 	memcpy(&ifmgd->ht_capa_mask, &req->ht_capa_mask,
4764 	       sizeof(ifmgd->ht_capa_mask));
4765 
4766 	memcpy(&ifmgd->vht_capa, &req->vht_capa, sizeof(ifmgd->vht_capa));
4767 	memcpy(&ifmgd->vht_capa_mask, &req->vht_capa_mask,
4768 	       sizeof(ifmgd->vht_capa_mask));
4769 
4770 	if (req->ie && req->ie_len) {
4771 		memcpy(assoc_data->ie, req->ie, req->ie_len);
4772 		assoc_data->ie_len = req->ie_len;
4773 	}
4774 
4775 	assoc_data->bss = req->bss;
4776 
4777 	if (ifmgd->req_smps == IEEE80211_SMPS_AUTOMATIC) {
4778 		if (ifmgd->powersave)
4779 			sdata->smps_mode = IEEE80211_SMPS_DYNAMIC;
4780 		else
4781 			sdata->smps_mode = IEEE80211_SMPS_OFF;
4782 	} else
4783 		sdata->smps_mode = ifmgd->req_smps;
4784 
4785 	assoc_data->capability = req->bss->capability;
4786 	assoc_data->supp_rates = bss->supp_rates;
4787 	assoc_data->supp_rates_len = bss->supp_rates_len;
4788 
4789 	rcu_read_lock();
4790 	ht_ie = ieee80211_bss_get_ie(req->bss, WLAN_EID_HT_OPERATION);
4791 	if (ht_ie && ht_ie[1] >= sizeof(struct ieee80211_ht_operation))
4792 		assoc_data->ap_ht_param =
4793 			((struct ieee80211_ht_operation *)(ht_ie + 2))->ht_param;
4794 	else
4795 		ifmgd->flags |= IEEE80211_STA_DISABLE_HT;
4796 	vht_ie = ieee80211_bss_get_ie(req->bss, WLAN_EID_VHT_CAPABILITY);
4797 	if (vht_ie && vht_ie[1] >= sizeof(struct ieee80211_vht_cap))
4798 		memcpy(&assoc_data->ap_vht_cap, vht_ie + 2,
4799 		       sizeof(struct ieee80211_vht_cap));
4800 	else
4801 		ifmgd->flags |= IEEE80211_STA_DISABLE_VHT;
4802 	rcu_read_unlock();
4803 
4804 	if (WARN((sdata->vif.driver_flags & IEEE80211_VIF_SUPPORTS_UAPSD) &&
4805 		 (local->hw.flags & IEEE80211_HW_PS_NULLFUNC_STACK),
4806 	     "U-APSD not supported with HW_PS_NULLFUNC_STACK\n"))
4807 		sdata->vif.driver_flags &= ~IEEE80211_VIF_SUPPORTS_UAPSD;
4808 
4809 	if (bss->wmm_used && bss->uapsd_supported &&
4810 	    (sdata->vif.driver_flags & IEEE80211_VIF_SUPPORTS_UAPSD)) {
4811 		assoc_data->uapsd = true;
4812 		ifmgd->flags |= IEEE80211_STA_UAPSD_ENABLED;
4813 	} else {
4814 		assoc_data->uapsd = false;
4815 		ifmgd->flags &= ~IEEE80211_STA_UAPSD_ENABLED;
4816 	}
4817 
4818 	if (req->prev_bssid)
4819 		memcpy(assoc_data->prev_bssid, req->prev_bssid, ETH_ALEN);
4820 
4821 	if (req->use_mfp) {
4822 		ifmgd->mfp = IEEE80211_MFP_REQUIRED;
4823 		ifmgd->flags |= IEEE80211_STA_MFP_ENABLED;
4824 	} else {
4825 		ifmgd->mfp = IEEE80211_MFP_DISABLED;
4826 		ifmgd->flags &= ~IEEE80211_STA_MFP_ENABLED;
4827 	}
4828 
4829 	if (req->flags & ASSOC_REQ_USE_RRM)
4830 		ifmgd->flags |= IEEE80211_STA_ENABLE_RRM;
4831 	else
4832 		ifmgd->flags &= ~IEEE80211_STA_ENABLE_RRM;
4833 
4834 	if (req->crypto.control_port)
4835 		ifmgd->flags |= IEEE80211_STA_CONTROL_PORT;
4836 	else
4837 		ifmgd->flags &= ~IEEE80211_STA_CONTROL_PORT;
4838 
4839 	sdata->control_port_protocol = req->crypto.control_port_ethertype;
4840 	sdata->control_port_no_encrypt = req->crypto.control_port_no_encrypt;
4841 	sdata->encrypt_headroom = ieee80211_cs_headroom(local, &req->crypto,
4842 							sdata->vif.type);
4843 
4844 	/* kick off associate process */
4845 
4846 	ifmgd->assoc_data = assoc_data;
4847 	ifmgd->dtim_period = 0;
4848 	ifmgd->have_beacon = false;
4849 
4850 	err = ieee80211_prep_connection(sdata, req->bss, true);
4851 	if (err)
4852 		goto err_clear;
4853 
4854 	rcu_read_lock();
4855 	beacon_ies = rcu_dereference(req->bss->beacon_ies);
4856 
4857 	if (sdata->local->hw.flags & IEEE80211_HW_NEED_DTIM_BEFORE_ASSOC &&
4858 	    !beacon_ies) {
4859 		/*
4860 		 * Wait up to one beacon interval ...
4861 		 * should this be more if we miss one?
4862 		 */
4863 		sdata_info(sdata, "waiting for beacon from %pM\n",
4864 			   ifmgd->bssid);
4865 		assoc_data->timeout = TU_TO_EXP_TIME(req->bss->beacon_interval);
4866 		assoc_data->timeout_started = true;
4867 		assoc_data->need_beacon = true;
4868 	} else if (beacon_ies) {
4869 		const u8 *tim_ie = cfg80211_find_ie(WLAN_EID_TIM,
4870 						    beacon_ies->data,
4871 						    beacon_ies->len);
4872 		u8 dtim_count = 0;
4873 
4874 		if (tim_ie && tim_ie[1] >= sizeof(struct ieee80211_tim_ie)) {
4875 			const struct ieee80211_tim_ie *tim;
4876 			tim = (void *)(tim_ie + 2);
4877 			ifmgd->dtim_period = tim->dtim_period;
4878 			dtim_count = tim->dtim_count;
4879 		}
4880 		ifmgd->have_beacon = true;
4881 		assoc_data->timeout = jiffies;
4882 		assoc_data->timeout_started = true;
4883 
4884 		if (local->hw.flags & IEEE80211_HW_TIMING_BEACON_ONLY) {
4885 			sdata->vif.bss_conf.sync_tsf = beacon_ies->tsf;
4886 			sdata->vif.bss_conf.sync_device_ts =
4887 				bss->device_ts_beacon;
4888 			sdata->vif.bss_conf.sync_dtim_count = dtim_count;
4889 		}
4890 	} else {
4891 		assoc_data->timeout = jiffies;
4892 		assoc_data->timeout_started = true;
4893 	}
4894 	rcu_read_unlock();
4895 
4896 	run_again(sdata, assoc_data->timeout);
4897 
4898 	if (bss->corrupt_data) {
4899 		char *corrupt_type = "data";
4900 		if (bss->corrupt_data & IEEE80211_BSS_CORRUPT_BEACON) {
4901 			if (bss->corrupt_data &
4902 					IEEE80211_BSS_CORRUPT_PROBE_RESP)
4903 				corrupt_type = "beacon and probe response";
4904 			else
4905 				corrupt_type = "beacon";
4906 		} else if (bss->corrupt_data & IEEE80211_BSS_CORRUPT_PROBE_RESP)
4907 			corrupt_type = "probe response";
4908 		sdata_info(sdata, "associating with AP with corrupt %s\n",
4909 			   corrupt_type);
4910 	}
4911 
4912 	return 0;
4913  err_clear:
4914 	eth_zero_addr(ifmgd->bssid);
4915 	ieee80211_bss_info_change_notify(sdata, BSS_CHANGED_BSSID);
4916 	ifmgd->assoc_data = NULL;
4917  err_free:
4918 	kfree(assoc_data);
4919 	return err;
4920 }
4921 
4922 int ieee80211_mgd_deauth(struct ieee80211_sub_if_data *sdata,
4923 			 struct cfg80211_deauth_request *req)
4924 {
4925 	struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
4926 	u8 frame_buf[IEEE80211_DEAUTH_FRAME_LEN];
4927 	bool tx = !req->local_state_change;
4928 
4929 	if (ifmgd->auth_data &&
4930 	    ether_addr_equal(ifmgd->auth_data->bss->bssid, req->bssid)) {
4931 		sdata_info(sdata,
4932 			   "aborting authentication with %pM by local choice (Reason: %u=%s)\n",
4933 			   req->bssid, req->reason_code,
4934 			   ieee80211_get_reason_code_string(req->reason_code));
4935 
4936 		drv_mgd_prepare_tx(sdata->local, sdata);
4937 		ieee80211_send_deauth_disassoc(sdata, req->bssid,
4938 					       IEEE80211_STYPE_DEAUTH,
4939 					       req->reason_code, tx,
4940 					       frame_buf);
4941 		ieee80211_destroy_auth_data(sdata, false);
4942 		ieee80211_report_disconnect(sdata, frame_buf,
4943 					    sizeof(frame_buf), true,
4944 					    req->reason_code);
4945 
4946 		return 0;
4947 	}
4948 
4949 	if (ifmgd->associated &&
4950 	    ether_addr_equal(ifmgd->associated->bssid, req->bssid)) {
4951 		sdata_info(sdata,
4952 			   "deauthenticating from %pM by local choice (Reason: %u=%s)\n",
4953 			   req->bssid, req->reason_code,
4954 			   ieee80211_get_reason_code_string(req->reason_code));
4955 
4956 		ieee80211_set_disassoc(sdata, IEEE80211_STYPE_DEAUTH,
4957 				       req->reason_code, tx, frame_buf);
4958 		ieee80211_report_disconnect(sdata, frame_buf,
4959 					    sizeof(frame_buf), true,
4960 					    req->reason_code);
4961 		return 0;
4962 	}
4963 
4964 	return -ENOTCONN;
4965 }
4966 
4967 int ieee80211_mgd_disassoc(struct ieee80211_sub_if_data *sdata,
4968 			   struct cfg80211_disassoc_request *req)
4969 {
4970 	struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
4971 	u8 bssid[ETH_ALEN];
4972 	u8 frame_buf[IEEE80211_DEAUTH_FRAME_LEN];
4973 
4974 	/*
4975 	 * cfg80211 should catch this ... but it's racy since
4976 	 * we can receive a disassoc frame, process it, hand it
4977 	 * to cfg80211 while that's in a locked section already
4978 	 * trying to tell us that the user wants to disconnect.
4979 	 */
4980 	if (ifmgd->associated != req->bss)
4981 		return -ENOLINK;
4982 
4983 	sdata_info(sdata,
4984 		   "disassociating from %pM by local choice (Reason: %u=%s)\n",
4985 		   req->bss->bssid, req->reason_code, ieee80211_get_reason_code_string(req->reason_code));
4986 
4987 	memcpy(bssid, req->bss->bssid, ETH_ALEN);
4988 	ieee80211_set_disassoc(sdata, IEEE80211_STYPE_DISASSOC,
4989 			       req->reason_code, !req->local_state_change,
4990 			       frame_buf);
4991 
4992 	ieee80211_report_disconnect(sdata, frame_buf, sizeof(frame_buf), true,
4993 				    req->reason_code);
4994 
4995 	return 0;
4996 }
4997 
4998 void ieee80211_mgd_stop(struct ieee80211_sub_if_data *sdata)
4999 {
5000 	struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
5001 
5002 	/*
5003 	 * Make sure some work items will not run after this,
5004 	 * they will not do anything but might not have been
5005 	 * cancelled when disconnecting.
5006 	 */
5007 	cancel_work_sync(&ifmgd->monitor_work);
5008 	cancel_work_sync(&ifmgd->beacon_connection_loss_work);
5009 	cancel_work_sync(&ifmgd->request_smps_work);
5010 	cancel_work_sync(&ifmgd->csa_connection_drop_work);
5011 	cancel_work_sync(&ifmgd->chswitch_work);
5012 	cancel_delayed_work_sync(&ifmgd->tdls_peer_del_work);
5013 
5014 	sdata_lock(sdata);
5015 	if (ifmgd->assoc_data) {
5016 		struct cfg80211_bss *bss = ifmgd->assoc_data->bss;
5017 		ieee80211_destroy_assoc_data(sdata, false);
5018 		cfg80211_assoc_timeout(sdata->dev, bss);
5019 	}
5020 	if (ifmgd->auth_data)
5021 		ieee80211_destroy_auth_data(sdata, false);
5022 	spin_lock_bh(&ifmgd->teardown_lock);
5023 	if (ifmgd->teardown_skb) {
5024 		kfree_skb(ifmgd->teardown_skb);
5025 		ifmgd->teardown_skb = NULL;
5026 		ifmgd->orig_teardown_skb = NULL;
5027 	}
5028 	spin_unlock_bh(&ifmgd->teardown_lock);
5029 	del_timer_sync(&ifmgd->timer);
5030 	sdata_unlock(sdata);
5031 }
5032 
5033 void ieee80211_cqm_rssi_notify(struct ieee80211_vif *vif,
5034 			       enum nl80211_cqm_rssi_threshold_event rssi_event,
5035 			       gfp_t gfp)
5036 {
5037 	struct ieee80211_sub_if_data *sdata = vif_to_sdata(vif);
5038 
5039 	trace_api_cqm_rssi_notify(sdata, rssi_event);
5040 
5041 	cfg80211_cqm_rssi_notify(sdata->dev, rssi_event, gfp);
5042 }
5043 EXPORT_SYMBOL(ieee80211_cqm_rssi_notify);
5044 
5045 void ieee80211_cqm_beacon_loss_notify(struct ieee80211_vif *vif, gfp_t gfp)
5046 {
5047 	struct ieee80211_sub_if_data *sdata = vif_to_sdata(vif);
5048 
5049 	trace_api_cqm_beacon_loss_notify(sdata->local, sdata);
5050 
5051 	cfg80211_cqm_beacon_loss_notify(sdata->dev, gfp);
5052 }
5053 EXPORT_SYMBOL(ieee80211_cqm_beacon_loss_notify);
5054