1	// SPDX-License-Identifier: GPL-2.0-only
2	/*
3	* BSS client mode implementation
4	* Copyright 2003-2008, Jouni Malinen <j@w1.fi>
5	* Copyright 2004, Instant802 Networks, Inc.
6	* Copyright 2005, Devicescape Software, Inc.
7	* Copyright 2006-2007 Jiri Benc <jbenc@suse.cz>
8	* Copyright 2007, Michael Wu <flamingice@sourmilk.net>
9	* Copyright 2013-2014 Intel Mobile Communications GmbH
10	* Copyright (C) 2015 - 2017 Intel Deutschland GmbH
11	* Copyright (C) 2018 - 2026 Intel Corporation
12	*/
13
14	#include <linux/delay.h>
15	#include <linux/fips.h>
16	#include <linux/if_ether.h>
17	#include <linux/skbuff.h>
18	#include <linux/if_arp.h>
19	#include <linux/etherdevice.h>
20	#include <linux/moduleparam.h>
21	#include <linux/rtnetlink.h>
22	#include <linux/crc32.h>
23	#include <linux/slab.h>
24	#include <linux/export.h>
25	#include <net/mac80211.h>
26	#include <linux/unaligned.h>
27
28	#include "ieee80211_i.h"
29	#include "driver-ops.h"
30	#include "rate.h"
31	#include "led.h"
32	#include "fils_aead.h"
33
34	#include <kunit/static_stub.h>
35
36	#define IEEE80211_AUTH_TIMEOUT (HZ / 5)
37	#define IEEE80211_AUTH_TIMEOUT_LONG (HZ / 2)
38	#define IEEE80211_AUTH_TIMEOUT_SHORT (HZ / 10)
39	#define IEEE80211_AUTH_TIMEOUT_SAE (HZ * 2)
40	#define IEEE80211_AUTH_MAX_TRIES 3
41	#define IEEE80211_AUTH_WAIT_ASSOC (HZ * 5)
42	#define IEEE80211_AUTH_WAIT_SAE_RETRY (HZ * 2)
43	#define IEEE80211_ASSOC_TIMEOUT (HZ / 5)
44	#define IEEE80211_ASSOC_TIMEOUT_LONG (HZ / 2)
45	#define IEEE80211_ASSOC_TIMEOUT_SHORT (HZ / 10)
46	#define IEEE80211_ASSOC_MAX_TRIES 3
47
48	#define IEEE80211_ADV_TTLM_SAFETY_BUFFER_MS (100 * USEC_PER_MSEC)
49	#define IEEE80211_ADV_TTLM_ST_UNDERFLOW 0xff00
50
51	#define IEEE80211_NEG_TTLM_REQ_TIMEOUT (HZ / 5)
52
53	static int max_nullfunc_tries = 2;
54	module_param(max_nullfunc_tries, int, 0644);
55	MODULE_PARM_DESC(max_nullfunc_tries,
56	"Maximum nullfunc tx tries before disconnecting (reason 4).");
57
58	static int max_probe_tries = 5;
59	module_param(max_probe_tries, int, 0644);
60	MODULE_PARM_DESC(max_probe_tries,
61	"Maximum probe tries before disconnecting (reason 4).");
62
63	/*
64	* Beacon loss timeout is calculated as N frames times the
65	* advertised beacon interval. This may need to be somewhat
66	* higher than what hardware might detect to account for
67	* delays in the host processing frames. But since we also
68	* probe on beacon miss before declaring the connection lost
69	* default to what we want.
70	*/
71	static int beacon_loss_count = 7;
72	module_param(beacon_loss_count, int, 0644);
73	MODULE_PARM_DESC(beacon_loss_count,
74	"Number of beacon intervals before we decide beacon was lost.");
75
76	/*
77	* Time the connection can be idle before we probe
78	* it to see if we can still talk to the AP.
79	*/
80	#define IEEE80211_CONNECTION_IDLE_TIME (30 * HZ)
81	/*
82	* Time we wait for a probe response after sending
83	* a probe request because of beacon loss or for
84	* checking the connection still works.
85	*/
86	static int probe_wait_ms = 500;
87	module_param(probe_wait_ms, int, 0644);
88	MODULE_PARM_DESC(probe_wait_ms,
89	"Maximum time(ms) to wait for probe response"
90	" before disconnecting (reason 4).");
91
92	/*
93	* How many Beacon frames need to have been used in average signal strength
94	* before starting to indicate signal change events.
95	*/
96	#define IEEE80211_SIGNAL_AVE_MIN_COUNT 4
97
98	/*
99	* We can have multiple work items (and connection probing)
100	* scheduling this timer, but we need to take care to only
101	* reschedule it when it should fire _earlier_ than it was
102	* asked for before, or if it's not pending right now. This
103	* function ensures that. Note that it then is required to
104	* run this function for all timeouts after the first one
105	* has happened -- the work that runs from this timer will
106	* do that.
107	*/
108	static void run_again(struct ieee80211_sub_if_data *sdata,
109	unsigned long timeout)
110	{
111	lockdep_assert_wiphy(sdata->local->hw.wiphy);
112
113	if (!timer_pending(timer: &sdata->u.mgd.timer) ||
114	time_before(timeout, sdata->u.mgd.timer.expires))
115	mod_timer(timer: &sdata->u.mgd.timer, expires: timeout);
116	}
117
118	void ieee80211_sta_reset_beacon_monitor(struct ieee80211_sub_if_data *sdata)
119	{
120	if (sdata->vif.driver_flags & IEEE80211_VIF_BEACON_FILTER)
121	return;
122
123	if (ieee80211_hw_check(&sdata->local->hw, CONNECTION_MONITOR))
124	return;
125
126	mod_timer(timer: &sdata->u.mgd.bcn_mon_timer,
127	expires: round_jiffies_up(j: jiffies + sdata->u.mgd.beacon_timeout));
128	}
129
130	void ieee80211_sta_reset_conn_monitor(struct ieee80211_sub_if_data *sdata)
131	{
132	struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
133
134	if (unlikely(!ifmgd->associated))
135	return;
136
137	if (ifmgd->probe_send_count)
138	ifmgd->probe_send_count = 0;
139
140	if (ieee80211_hw_check(&sdata->local->hw, CONNECTION_MONITOR))
141	return;
142
143	mod_timer(timer: &ifmgd->conn_mon_timer,
144	expires: round_jiffies_up(j: jiffies + IEEE80211_CONNECTION_IDLE_TIME));
145	}
146
147	static int ecw2cw(int ecw)
148	{
149	return (1 << ecw) - 1;
150	}
151
152	static enum ieee80211_conn_mode
153	ieee80211_determine_ap_chan(struct ieee80211_sub_if_data *sdata,
154	struct ieee80211_channel *channel,
155	u32 vht_cap_info,
156	const struct ieee802_11_elems *elems,
157	bool ignore_ht_channel_mismatch,
158	const struct ieee80211_conn_settings *conn,
159	struct cfg80211_chan_def *chandef)
160	{
161	const struct ieee80211_ht_operation *ht_oper = elems->ht_operation;
162	const struct ieee80211_vht_operation *vht_oper = elems->vht_operation;
163	const struct ieee80211_he_operation *he_oper = elems->he_operation;
164	const struct ieee80211_eht_operation *eht_oper = elems->eht_operation;
165	struct ieee80211_supported_band *sband =
166	sdata->local->hw.wiphy->bands[channel->band];
167	struct cfg80211_chan_def vht_chandef;
168	bool no_vht = false;
169	u32 ht_cfreq;
170
171	if (ieee80211_hw_check(&sdata->local->hw, STRICT))
172	ignore_ht_channel_mismatch = false;
173
174	*chandef = (struct cfg80211_chan_def) {
175	.chan = channel,
176	.width = NL80211_CHAN_WIDTH_20_NOHT,
177	.center_freq1 = channel->center_freq,
178	.freq1_offset = channel->freq_offset,
179	};
180
181	/* get special S1G case out of the way */
182	if (sband->band == NL80211_BAND_S1GHZ) {
183	if (!ieee80211_chandef_s1g_oper(local: sdata->local, oper: elems->s1g_oper,
184	chandef)) {
185	/* Fallback to default 1MHz */
186	chandef->width = NL80211_CHAN_WIDTH_1;
187	chandef->s1g_primary_2mhz = false;
188	}
189
190	return IEEE80211_CONN_MODE_S1G;
191	}
192
193	/* get special 6 GHz case out of the way */
194	if (sband->band == NL80211_BAND_6GHZ) {
195	enum ieee80211_conn_mode mode = IEEE80211_CONN_MODE_EHT;
196
197	/* this is an error */
198	if (conn->mode < IEEE80211_CONN_MODE_HE)
199	return IEEE80211_CONN_MODE_LEGACY;
200
201	if (!elems->he_6ghz_capa || !elems->he_cap) {
202	sdata_info(sdata,
203	"HE 6 GHz AP is missing HE/HE 6 GHz band capability\n");
204	return IEEE80211_CONN_MODE_LEGACY;
205	}
206
207	if (!eht_oper || !elems->eht_cap) {
208	eht_oper = NULL;
209	mode = IEEE80211_CONN_MODE_HE;
210	}
211
212	if (!ieee80211_chandef_he_6ghz_oper(local: sdata->local, he_oper,
213	eht_oper, chandef)) {
214	sdata_info(sdata, "bad HE/EHT 6 GHz operation\n");
215	return IEEE80211_CONN_MODE_LEGACY;
216	}
217
218	return mode;
219	}
220
221	/* now we have the progression HT, VHT, ... */
222	if (conn->mode < IEEE80211_CONN_MODE_HT)
223	return IEEE80211_CONN_MODE_LEGACY;
224
225	if (!ht_oper || !elems->ht_cap_elem)
226	return IEEE80211_CONN_MODE_LEGACY;
227
228	chandef->width = NL80211_CHAN_WIDTH_20;
229
230	ht_cfreq = ieee80211_channel_to_frequency(chan: ht_oper->primary_chan,
231	band: channel->band);
232	/* check that channel matches the right operating channel */
233	if (!ignore_ht_channel_mismatch && channel->center_freq != ht_cfreq) {
234	/*
235	* It's possible that some APs are confused here;
236	* Netgear WNDR3700 sometimes reports 4 higher than
237	* the actual channel in association responses, but
238	* since we look at probe response/beacon data here
239	* it should be OK.
240	*/
241	sdata_info(sdata,
242	"Wrong control channel: center-freq: %d ht-cfreq: %d ht->primary_chan: %d band: %d - Disabling HT\n",
243	channel->center_freq, ht_cfreq,
244	ht_oper->primary_chan, channel->band);
245	return IEEE80211_CONN_MODE_LEGACY;
246	}
247
248	ieee80211_chandef_ht_oper(ht_oper, chandef);
249
250	if (conn->mode < IEEE80211_CONN_MODE_VHT)
251	return IEEE80211_CONN_MODE_HT;
252
253	vht_chandef = *chandef;
254
255	/*
256	* having he_cap/he_oper parsed out implies we're at
257	* least operating as HE STA
258	*/
259	if (elems->he_cap && he_oper &&
260	he_oper->he_oper_params & cpu_to_le32(IEEE80211_HE_OPERATION_VHT_OPER_INFO)) {
261	struct ieee80211_vht_operation he_oper_vht_cap;
262
263	/*
264	* Set only first 3 bytes (other 2 aren't used in
265	* ieee80211_chandef_vht_oper() anyway)
266	*/
267	memcpy(&he_oper_vht_cap, he_oper->optional, 3);
268	he_oper_vht_cap.basic_mcs_set = cpu_to_le16(0);
269
270	if (!ieee80211_chandef_vht_oper(hw: &sdata->local->hw, vht_cap_info,
271	oper: &he_oper_vht_cap, htop: ht_oper,
272	chandef: &vht_chandef)) {
273	sdata_info(sdata,
274	"HE AP VHT information is invalid, disabling HE\n");
275	/* this will cause us to re-parse as VHT STA */
276	return IEEE80211_CONN_MODE_VHT;
277	}
278	} else if (!vht_oper || !elems->vht_cap_elem) {
279	if (sband->band == NL80211_BAND_5GHZ)
280	return IEEE80211_CONN_MODE_HT;
281	no_vht = true;
282	} else if (sband->band == NL80211_BAND_2GHZ) {
283	no_vht = true;
284	} else if (!ieee80211_chandef_vht_oper(hw: &sdata->local->hw,
285	vht_cap_info,
286	oper: vht_oper, htop: ht_oper,
287	chandef: &vht_chandef)) {
288	sdata_info(sdata,
289	"AP VHT information is invalid, disabling VHT\n");
290	return IEEE80211_CONN_MODE_HT;
291	}
292
293	if (!cfg80211_chandef_compatible(chandef1: chandef, chandef2: &vht_chandef)) {
294	sdata_info(sdata,
295	"AP VHT information doesn't match HT, disabling VHT\n");
296	return IEEE80211_CONN_MODE_HT;
297	}
298
299	*chandef = vht_chandef;
300
301	/* stick to current max mode if we or the AP don't have HE */
302	if (conn->mode < IEEE80211_CONN_MODE_HE ||
303	!elems->he_operation || !elems->he_cap) {
304	if (no_vht)
305	return IEEE80211_CONN_MODE_HT;
306	return IEEE80211_CONN_MODE_VHT;
307	}
308
309	/* stick to HE if we or the AP don't have EHT */
310	if (conn->mode < IEEE80211_CONN_MODE_EHT ||
311	!eht_oper || !elems->eht_cap)
312	return IEEE80211_CONN_MODE_HE;
313
314	/*
315	* handle the case that the EHT operation indicates that it holds EHT
316	* operation information (in case that the channel width differs from
317	* the channel width reported in HT/VHT/HE).
318	*/
319	if (eht_oper->params & IEEE80211_EHT_OPER_INFO_PRESENT) {
320	struct cfg80211_chan_def eht_chandef = *chandef;
321
322	ieee80211_chandef_eht_oper(info: (const void *)eht_oper->optional,
323	chandef: &eht_chandef);
324
325	eht_chandef.punctured =
326	ieee80211_eht_oper_dis_subchan_bitmap(eht_oper);
327
328	if (!cfg80211_chandef_valid(chandef: &eht_chandef)) {
329	sdata_info(sdata,
330	"AP EHT information is invalid, disabling EHT\n");
331	return IEEE80211_CONN_MODE_HE;
332	}
333
334	if (!cfg80211_chandef_compatible(chandef1: chandef, chandef2: &eht_chandef)) {
335	sdata_info(sdata,
336	"AP EHT information doesn't match HT/VHT/HE, disabling EHT\n");
337	return IEEE80211_CONN_MODE_HE;
338	}
339
340	*chandef = eht_chandef;
341	}
342
343	return IEEE80211_CONN_MODE_EHT;
344	}
345
346	static bool
347	ieee80211_verify_sta_ht_mcs_support(struct ieee80211_sub_if_data *sdata,
348	struct ieee80211_supported_band *sband,
349	const struct ieee80211_ht_operation *ht_op)
350	{
351	struct ieee80211_sta_ht_cap sta_ht_cap;
352	int i;
353
354	if (sband->band == NL80211_BAND_6GHZ)
355	return true;
356
357	if (!ht_op)
358	return false;
359
360	memcpy(&sta_ht_cap, &sband->ht_cap, sizeof(sta_ht_cap));
361	ieee80211_apply_htcap_overrides(sdata, ht_cap: &sta_ht_cap);
362
363	/*
364	* P802.11REVme/D7.0 - 6.5.4.2.4
365	* ...
366	* If the MLME of an HT STA receives an MLME-JOIN.request primitive
367	* with the SelectedBSS parameter containing a Basic HT-MCS Set field
368	* in the HT Operation parameter that contains any unsupported MCSs,
369	* the MLME response in the resulting MLME-JOIN.confirm primitive shall
370	* contain a ResultCode parameter that is not set to the value SUCCESS.
371	* ...
372	*/
373
374	/* Simply check that all basic rates are in the STA RX mask */
375	for (i = 0; i < IEEE80211_HT_MCS_MASK_LEN; i++) {
376	if ((ht_op->basic_set[i] & sta_ht_cap.mcs.rx_mask[i]) !=
377	ht_op->basic_set[i])
378	return false;
379	}
380
381	return true;
382	}
383
384	static bool
385	ieee80211_verify_sta_vht_mcs_support(struct ieee80211_sub_if_data *sdata,
386	int link_id,
387	struct ieee80211_supported_band *sband,
388	const struct ieee80211_vht_operation *vht_op)
389	{
390	struct ieee80211_sta_vht_cap sta_vht_cap;
391	u16 ap_min_req_set, sta_rx_mcs_map, sta_tx_mcs_map;
392	int nss;
393
394	if (sband->band != NL80211_BAND_5GHZ)
395	return true;
396
397	if (!vht_op)
398	return false;
399
400	memcpy(&sta_vht_cap, &sband->vht_cap, sizeof(sta_vht_cap));
401	ieee80211_apply_vhtcap_overrides(sdata, vht_cap: &sta_vht_cap);
402
403	ap_min_req_set = le16_to_cpu(vht_op->basic_mcs_set);
404	sta_rx_mcs_map = le16_to_cpu(sta_vht_cap.vht_mcs.rx_mcs_map);
405	sta_tx_mcs_map = le16_to_cpu(sta_vht_cap.vht_mcs.tx_mcs_map);
406
407	/*
408	* Many APs are incorrectly advertising an all-zero value here,
409	* which really means MCS 0-7 are required for 1-8 streams, but
410	* they don't really mean it that way.
411	* Some other APs are incorrectly advertising 3 spatial streams
412	* with MCS 0-7 are required, but don't really mean it that way
413	* and we'll connect only with HT, rather than even HE.
414	* As a result, unfortunately the VHT basic MCS/NSS set cannot
415	* be used at all, so check it only in strict mode.
416	*/
417	if (!ieee80211_hw_check(&sdata->local->hw, STRICT))
418	return true;
419
420	/*
421	* P802.11REVme/D7.0 - 6.5.4.2.4
422	* ...
423	* If the MLME of a VHT STA receives an MLME-JOIN.request primitive
424	* with a SelectedBSS parameter containing a Basic VHT-MCS And NSS Set
425	* field in the VHT Operation parameter that contains any unsupported
426	* <VHT-MCS, NSS> tuple, the MLME response in the resulting
427	* MLME-JOIN.confirm primitive shall contain a ResultCode parameter
428	* that is not set to the value SUCCESS.
429	* ...
430	*/
431	for (nss = 8; nss > 0; nss--) {
432	u8 ap_op_val = (ap_min_req_set >> (2 * (nss - 1))) & 3;
433	u8 sta_rx_val;
434	u8 sta_tx_val;
435
436	if (ap_op_val == IEEE80211_HE_MCS_NOT_SUPPORTED)
437	continue;
438
439	sta_rx_val = (sta_rx_mcs_map >> (2 * (nss - 1))) & 3;
440	sta_tx_val = (sta_tx_mcs_map >> (2 * (nss - 1))) & 3;
441
442	if (sta_rx_val == IEEE80211_HE_MCS_NOT_SUPPORTED ||
443	sta_tx_val == IEEE80211_HE_MCS_NOT_SUPPORTED ||
444	sta_rx_val < ap_op_val || sta_tx_val < ap_op_val) {
445	link_id_info(sdata, link_id,
446	"Missing mandatory rates for %d Nss, rx %d, tx %d oper %d, disable VHT\n",
447	nss, sta_rx_val, sta_tx_val, ap_op_val);
448	return false;
449	}
450	}
451
452	return true;
453	}
454
455	static bool
456	ieee80211_verify_peer_he_mcs_support(struct ieee80211_sub_if_data *sdata,
457	int link_id,
458	const struct ieee80211_he_cap_elem *he_cap,
459	const struct ieee80211_he_operation *he_op)
460	{
461	struct ieee80211_he_mcs_nss_supp *he_mcs_nss_supp;
462	u16 mcs_80_map_tx, mcs_80_map_rx;
463	u16 ap_min_req_set;
464	int nss;
465
466	if (!he_cap)
467	return false;
468
469	/* mcs_nss is right after he_cap info */
470	he_mcs_nss_supp = (void *)(he_cap + 1);
471
472	mcs_80_map_tx = le16_to_cpu(he_mcs_nss_supp->tx_mcs_80);
473	mcs_80_map_rx = le16_to_cpu(he_mcs_nss_supp->rx_mcs_80);
474
475	/* P802.11-REVme/D0.3
476	* 27.1.1 Introduction to the HE PHY
477	* ...
478	* An HE STA shall support the following features:
479	* ...
480	* Single spatial stream HE-MCSs 0 to 7 (transmit and receive) in all
481	* supported channel widths for HE SU PPDUs
482	*/
483	if ((mcs_80_map_tx & 0x3) == IEEE80211_HE_MCS_NOT_SUPPORTED ||
484	(mcs_80_map_rx & 0x3) == IEEE80211_HE_MCS_NOT_SUPPORTED) {
485	link_id_info(sdata, link_id,
486	"Missing mandatory rates for 1 Nss, rx 0x%x, tx 0x%x, disable HE\n",
487	mcs_80_map_tx, mcs_80_map_rx);
488	return false;
489	}
490
491	if (!he_op)
492	return true;
493
494	ap_min_req_set = le16_to_cpu(he_op->he_mcs_nss_set);
495
496	/*
497	* Apparently iPhone 13 (at least iOS version 15.3.1) sets this to all
498	* zeroes, which is nonsense, and completely inconsistent with itself
499	* (it doesn't have 8 streams). Accept the settings in this case anyway.
500	*/
501	if (!ieee80211_hw_check(&sdata->local->hw, STRICT) && !ap_min_req_set)
502	return true;
503
504	/* make sure the AP is consistent with itself
505	*
506	* P802.11-REVme/D0.3
507	* 26.17.1 Basic HE BSS operation
508	*
509	* A STA that is operating in an HE BSS shall be able to receive and
510	* transmit at each of the <HE-MCS, NSS> tuple values indicated by the
511	* Basic HE-MCS And NSS Set field of the HE Operation parameter of the
512	* MLME-START.request primitive and shall be able to receive at each of
513	* the <HE-MCS, NSS> tuple values indicated by the Supported HE-MCS and
514	* NSS Set field in the HE Capabilities parameter of the MLMESTART.request
515	* primitive
516	*/
517	for (nss = 8; nss > 0; nss--) {
518	u8 ap_op_val = (ap_min_req_set >> (2 * (nss - 1))) & 3;
519	u8 ap_rx_val;
520	u8 ap_tx_val;
521
522	if (ap_op_val == IEEE80211_HE_MCS_NOT_SUPPORTED)
523	continue;
524
525	ap_rx_val = (mcs_80_map_rx >> (2 * (nss - 1))) & 3;
526	ap_tx_val = (mcs_80_map_tx >> (2 * (nss - 1))) & 3;
527
528	if (ap_rx_val == IEEE80211_HE_MCS_NOT_SUPPORTED ||
529	ap_tx_val == IEEE80211_HE_MCS_NOT_SUPPORTED ||
530	ap_rx_val < ap_op_val || ap_tx_val < ap_op_val) {
531	link_id_info(sdata, link_id,
532	"Invalid rates for %d Nss, rx %d, tx %d oper %d, disable HE\n",
533	nss, ap_rx_val, ap_tx_val, ap_op_val);
534	return false;
535	}
536	}
537
538	return true;
539	}
540
541	static bool
542	ieee80211_verify_sta_he_mcs_support(struct ieee80211_sub_if_data *sdata,
543	struct ieee80211_supported_band *sband,
544	const struct ieee80211_he_operation *he_op)
545	{
546	const struct ieee80211_sta_he_cap *sta_he_cap =
547	ieee80211_get_he_iftype_cap_vif(sband, vif: &sdata->vif);
548	u16 ap_min_req_set;
549	int i;
550
551	if (!sta_he_cap || !he_op)
552	return false;
553
554	ap_min_req_set = le16_to_cpu(he_op->he_mcs_nss_set);
555
556	/*
557	* Apparently iPhone 13 (at least iOS version 15.3.1) sets this to all
558	* zeroes, which is nonsense, and completely inconsistent with itself
559	* (it doesn't have 8 streams). Accept the settings in this case anyway.
560	*/
561	if (!ieee80211_hw_check(&sdata->local->hw, STRICT) && !ap_min_req_set)
562	return true;
563
564	/* Need to go over for 80MHz, 160MHz and for 80+80 */
565	for (i = 0; i < 3; i++) {
566	const struct ieee80211_he_mcs_nss_supp *sta_mcs_nss_supp =
567	&sta_he_cap->he_mcs_nss_supp;
568	u16 sta_mcs_map_rx =
569	le16_to_cpu(((__le16 *)sta_mcs_nss_supp)[2 * i]);
570	u16 sta_mcs_map_tx =
571	le16_to_cpu(((__le16 *)sta_mcs_nss_supp)[2 * i + 1]);
572	u8 nss;
573	bool verified = true;
574
575	/*
576	* For each band there is a maximum of 8 spatial streams
577	* possible. Each of the sta_mcs_map_* is a 16-bit struct built
578	* of 2 bits per NSS (1-8), with the values defined in enum
579	* ieee80211_he_mcs_support. Need to make sure STA TX and RX
580	* capabilities aren't less than the AP's minimum requirements
581	* for this HE BSS per SS.
582	* It is enough to find one such band that meets the reqs.
583	*/
584	for (nss = 8; nss > 0; nss--) {
585	u8 sta_rx_val = (sta_mcs_map_rx >> (2 * (nss - 1))) & 3;
586	u8 sta_tx_val = (sta_mcs_map_tx >> (2 * (nss - 1))) & 3;
587	u8 ap_val = (ap_min_req_set >> (2 * (nss - 1))) & 3;
588
589	if (ap_val == IEEE80211_HE_MCS_NOT_SUPPORTED)
590	continue;
591
592	/*
593	* Make sure the HE AP doesn't require MCSs that aren't
594	* supported by the client as required by spec
595	*
596	* P802.11-REVme/D0.3
597	* 26.17.1 Basic HE BSS operation
598	*
599	* An HE STA shall not attempt to join * (MLME-JOIN.request primitive)
600	* a BSS, unless it supports (i.e., is able to both transmit and
601	* receive using) all of the <HE-MCS, NSS> tuples in the basic
602	* HE-MCS and NSS set.
603	*/
604	if (sta_rx_val == IEEE80211_HE_MCS_NOT_SUPPORTED ||
605	sta_tx_val == IEEE80211_HE_MCS_NOT_SUPPORTED ||
606	(ap_val > sta_rx_val) || (ap_val > sta_tx_val)) {
607	verified = false;
608	break;
609	}
610	}
611
612	if (verified)
613	return true;
614	}
615
616	/* If here, STA doesn't meet AP's HE min requirements */
617	return false;
618	}
619
620	static u8
621	ieee80211_get_eht_cap_mcs_nss(const struct ieee80211_sta_he_cap *sta_he_cap,
622	const struct ieee80211_sta_eht_cap *sta_eht_cap,
623	unsigned int idx, int bw)
624	{
625	u8 he_phy_cap0 = sta_he_cap->he_cap_elem.phy_cap_info[0];
626	u8 eht_phy_cap0 = sta_eht_cap->eht_cap_elem.phy_cap_info[0];
627
628	/* handle us being a 20 MHz-only EHT STA - with four values
629	* for MCS 0-7, 8-9, 10-11, 12-13.
630	*/
631	if (!(he_phy_cap0 & IEEE80211_HE_PHY_CAP0_CHANNEL_WIDTH_SET_MASK_ALL))
632	return sta_eht_cap->eht_mcs_nss_supp.only_20mhz.rx_tx_max_nss[idx];
633
634	/* the others have MCS 0-9 together, rather than separately from 0-7 */
635	if (idx > 0)
636	idx--;
637
638	switch (bw) {
639	case 0:
640	return sta_eht_cap->eht_mcs_nss_supp.bw._80.rx_tx_max_nss[idx];
641	case 1:
642	if (!(he_phy_cap0 &
643	(IEEE80211_HE_PHY_CAP0_CHANNEL_WIDTH_SET_160MHZ_IN_5G |
644	IEEE80211_HE_PHY_CAP0_CHANNEL_WIDTH_SET_80PLUS80_MHZ_IN_5G)))
645	return 0xff; /* pass check */
646	return sta_eht_cap->eht_mcs_nss_supp.bw._160.rx_tx_max_nss[idx];
647	case 2:
648	if (!(eht_phy_cap0 & IEEE80211_EHT_PHY_CAP0_320MHZ_IN_6GHZ))
649	return 0xff; /* pass check */
650	return sta_eht_cap->eht_mcs_nss_supp.bw._320.rx_tx_max_nss[idx];
651	}
652
653	WARN_ON(1);
654	return 0;
655	}
656
657	static bool
658	ieee80211_verify_sta_eht_mcs_support(struct ieee80211_sub_if_data *sdata,
659	struct ieee80211_supported_band *sband,
660	const struct ieee80211_eht_operation *eht_op)
661	{
662	const struct ieee80211_sta_he_cap *sta_he_cap =
663	ieee80211_get_he_iftype_cap_vif(sband, vif: &sdata->vif);
664	const struct ieee80211_sta_eht_cap *sta_eht_cap =
665	ieee80211_get_eht_iftype_cap_vif(sband, vif: &sdata->vif);
666	const struct ieee80211_eht_mcs_nss_supp_20mhz_only *req;
667	unsigned int i;
668
669	if (!sta_he_cap || !sta_eht_cap || !eht_op)
670	return false;
671
672	req = &eht_op->basic_mcs_nss;
673
674	for (i = 0; i < ARRAY_SIZE(req->rx_tx_max_nss); i++) {
675	u8 req_rx_nss, req_tx_nss;
676	unsigned int bw;
677
678	req_rx_nss = u8_get_bits(v: req->rx_tx_max_nss[i],
679	IEEE80211_EHT_MCS_NSS_RX);
680	req_tx_nss = u8_get_bits(v: req->rx_tx_max_nss[i],
681	IEEE80211_EHT_MCS_NSS_TX);
682
683	for (bw = 0; bw < 3; bw++) {
684	u8 have, have_rx_nss, have_tx_nss;
685
686	have = ieee80211_get_eht_cap_mcs_nss(sta_he_cap,
687	sta_eht_cap,
688	idx: i, bw);
689	have_rx_nss = u8_get_bits(v: have,
690	IEEE80211_EHT_MCS_NSS_RX);
691	have_tx_nss = u8_get_bits(v: have,
692	IEEE80211_EHT_MCS_NSS_TX);
693
694	if (req_rx_nss > have_rx_nss ||
695	req_tx_nss > have_tx_nss)
696	return false;
697	}
698	}
699
700	return true;
701	}
702
703	static void ieee80211_get_rates(struct ieee80211_supported_band *sband,
704	const u8 *supp_rates,
705	unsigned int supp_rates_len,
706	const u8 *ext_supp_rates,
707	unsigned int ext_supp_rates_len,
708	u32 *rates, u32 *basic_rates,
709	unsigned long *unknown_rates_selectors,
710	bool *have_higher_than_11mbit,
711	int *min_rate, int *min_rate_index)
712	{
713	int i, j;
714
715	for (i = 0; i < supp_rates_len + ext_supp_rates_len; i++) {
716	u8 supp_rate = i < supp_rates_len ?
717	supp_rates[i] :
718	ext_supp_rates[i - supp_rates_len];
719	int rate = supp_rate & 0x7f;
720	bool is_basic = !!(supp_rate & 0x80);
721
722	if ((rate * 5) > 110 && have_higher_than_11mbit)
723	*have_higher_than_11mbit = true;
724
725	/*
726	* Skip membership selectors since they're not rates.
727	*
728	* Note: Even though the membership selector and the basic
729	* rate flag share the same bit, they are not exactly
730	* the same.
731	*/
732	if (is_basic && rate >= BSS_MEMBERSHIP_SELECTOR_MIN) {
733	if (unknown_rates_selectors)
734	set_bit(nr: rate, addr: unknown_rates_selectors);
735	continue;
736	}
737
738	for (j = 0; j < sband->n_bitrates; j++) {
739	struct ieee80211_rate *br;
740	int brate;
741
742	br = &sband->bitrates[j];
743
744	brate = DIV_ROUND_UP(br->bitrate, 5);
745	if (brate == rate) {
746	if (rates)
747	*rates |= BIT(j);
748	if (is_basic && basic_rates)
749	*basic_rates |= BIT(j);
750	if (min_rate && (rate * 5) < *min_rate) {
751	*min_rate = rate * 5;
752	if (min_rate_index)
753	*min_rate_index = j;
754	}
755	break;
756	}
757	}
758
759	/* Handle an unknown entry as if it is an unknown selector */
760	if (is_basic && unknown_rates_selectors && j == sband->n_bitrates)
761	set_bit(nr: rate, addr: unknown_rates_selectors);
762	}
763	}
764
765	static bool ieee80211_chandef_usable(struct ieee80211_sub_if_data *sdata,
766	const struct cfg80211_chan_def *chandef,
767	u32 prohibited_flags)
768	{
769	if (!cfg80211_chandef_usable(wiphy: sdata->local->hw.wiphy,
770	chandef, prohibited_flags))
771	return false;
772
773	if (chandef->punctured &&
774	ieee80211_hw_check(&sdata->local->hw, DISALLOW_PUNCTURING))
775	return false;
776
777	return true;
778	}
779
780	static int ieee80211_chandef_num_subchans(const struct cfg80211_chan_def *c)
781	{
782	if (c->width == NL80211_CHAN_WIDTH_80P80)
783	return 4 + 4;
784
785	return cfg80211_chandef_get_width(c) / 20;
786	}
787
788	static int ieee80211_chandef_num_widths(const struct cfg80211_chan_def *c)
789	{
790	switch (c->width) {
791	case NL80211_CHAN_WIDTH_20:
792	case NL80211_CHAN_WIDTH_20_NOHT:
793	return 1;
794	case NL80211_CHAN_WIDTH_40:
795	return 2;
796	case NL80211_CHAN_WIDTH_80P80:
797	case NL80211_CHAN_WIDTH_80:
798	return 3;
799	case NL80211_CHAN_WIDTH_160:
800	return 4;
801	case NL80211_CHAN_WIDTH_320:
802	return 5;
803	default:
804	WARN_ON(1);
805	return 0;
806	}
807	}
808
809	VISIBLE_IF_MAC80211_KUNIT int
810	ieee80211_calc_chandef_subchan_offset(const struct cfg80211_chan_def *ap,
811	u8 n_partial_subchans)
812	{
813	int n = ieee80211_chandef_num_subchans(c: ap);
814	struct cfg80211_chan_def tmp = *ap;
815	int offset = 0;
816
817	/*
818	* Given a chandef (in this context, it's the AP's) and a number
819	* of subchannels that we want to look at ('n_partial_subchans'),
820	* calculate the offset in number of subchannels between the full
821	* and the subset with the desired width.
822	*/
823
824	/* same number of subchannels means no offset, obviously */
825	if (n == n_partial_subchans)
826	return 0;
827
828	/* don't WARN - misconfigured APs could cause this if their N > width */
829	if (n < n_partial_subchans)
830	return 0;
831
832	while (ieee80211_chandef_num_subchans(c: &tmp) > n_partial_subchans) {
833	u32 prev = tmp.center_freq1;
834
835	ieee80211_chandef_downgrade(chandef: &tmp, NULL);
836
837	/*
838	* if center_freq moved up, half the original channels
839	* are gone now but were below, so increase offset
840	*/
841	if (prev < tmp.center_freq1)
842	offset += ieee80211_chandef_num_subchans(c: &tmp);
843	}
844
845	/*
846	* 80+80 with secondary 80 below primary - four subchannels for it
847	* (we cannot downgrade *to* 80+80, so no need to consider 'tmp')
848	*/
849	if (ap->width == NL80211_CHAN_WIDTH_80P80 &&
850	ap->center_freq2 < ap->center_freq1)
851	offset += 4;
852
853	return offset;
854	}
855	EXPORT_SYMBOL_IF_MAC80211_KUNIT(ieee80211_calc_chandef_subchan_offset);
856
857	VISIBLE_IF_MAC80211_KUNIT void
858	ieee80211_rearrange_tpe_psd(struct ieee80211_parsed_tpe_psd *psd,
859	const struct cfg80211_chan_def *ap,
860	const struct cfg80211_chan_def *used)
861	{
862	u8 needed = ieee80211_chandef_num_subchans(c: used);
863	u8 have = ieee80211_chandef_num_subchans(c: ap);
864	u8 tmp[IEEE80211_TPE_PSD_ENTRIES_320MHZ];
865	u8 offset;
866
867	if (!psd->valid)
868	return;
869
870	/* if N is zero, all defaults were used, no point in rearranging */
871	if (!psd->n)
872	goto out;
873
874	BUILD_BUG_ON(sizeof(tmp) != sizeof(psd->power));
875
876	/*
877	* This assumes that 'N' is consistent with the HE channel, as
878	* it should be (otherwise the AP is broken).
879	*
880	* In psd->power we have values in the order 0..N, 0..K, where
881	* N+K should cover the entire channel per 'ap', but even if it
882	* doesn't then we've pre-filled 'unlimited' as defaults.
883	*
884	* But this is all the wrong order, we want to have them in the
885	* order of the 'used' channel.
886	*
887	* So for example, we could have a 320 MHz EHT AP, which has the
888	* HE channel as 80 MHz (e.g. due to puncturing, which doesn't
889	* seem to be considered for the TPE), as follows:
890	*
891	* EHT 320: | | | | | | | | | | | | | | | | |
892	* HE 80: | | | | |
893	* used 160: | | | | | | | | |
894	*
895	* N entries: |--|--|--|--|
896	* K entries: |--|--|--|--|--|--|--|--| |--|--|--|--|
897	* power idx: 4 5 6 7 8 9 10 11 0 1 2 3 12 13 14 15
898	* full chan: 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
899	* used chan: 0 1 2 3 4 5 6 7
900	*
901	* The idx in the power array ('power idx') is like this since it
902	* comes directly from the element's N and K entries in their
903	* element order, and those are this way for HE compatibility.
904	*
905	* Rearrange them as desired here, first by putting them into the
906	* 'full chan' order, and then selecting the necessary subset for
907	* the 'used chan'.
908	*/
909
910	/* first reorder according to AP channel */
911	offset = ieee80211_calc_chandef_subchan_offset(ap, psd->n);
912	for (int i = 0; i < have; i++) {
913	if (i < offset)
914	tmp[i] = psd->power[i + psd->n];
915	else if (i < offset + psd->n)
916	tmp[i] = psd->power[i - offset];
917	else
918	tmp[i] = psd->power[i];
919	}
920
921	/*
922	* and then select the subset for the used channel
923	* (set everything to defaults first in case a driver is confused)
924	*/
925	memset(psd->power, IEEE80211_TPE_PSD_NO_LIMIT, sizeof(psd->power));
926	offset = ieee80211_calc_chandef_subchan_offset(ap, needed);
927	for (int i = 0; i < needed; i++)
928	psd->power[i] = tmp[offset + i];
929
930	out:
931	/* limit, but don't lie if there are defaults in the data */
932	if (needed < psd->count)
933	psd->count = needed;
934	}
935	EXPORT_SYMBOL_IF_MAC80211_KUNIT(ieee80211_rearrange_tpe_psd);
936
937	static void ieee80211_rearrange_tpe(struct ieee80211_parsed_tpe *tpe,
938	const struct cfg80211_chan_def *ap,
939	const struct cfg80211_chan_def *used)
940	{
941	/* ignore this completely for narrow/invalid channels */
942	if (!ieee80211_chandef_num_subchans(c: ap) ||
943	!ieee80211_chandef_num_subchans(c: used)) {
944	ieee80211_clear_tpe(tpe);
945	return;
946	}
947
948	for (int i = 0; i < 2; i++) {
949	int needed_pwr_count;
950
951	ieee80211_rearrange_tpe_psd(&tpe->psd_local[i], ap, used);
952	ieee80211_rearrange_tpe_psd(&tpe->psd_reg_client[i], ap, used);
953
954	/* limit this to the widths we actually need */
955	needed_pwr_count = ieee80211_chandef_num_widths(c: used);
956	if (needed_pwr_count < tpe->max_local[i].count)
957	tpe->max_local[i].count = needed_pwr_count;
958	if (needed_pwr_count < tpe->max_reg_client[i].count)
959	tpe->max_reg_client[i].count = needed_pwr_count;
960	}
961	}
962
963	/*
964	* The AP part of the channel request is used to distinguish settings
965	* to the device used for wider bandwidth OFDMA. This is used in the
966	* channel context code to assign two channel contexts even if they're
967	* both for the same channel, if the AP bandwidths are incompatible.
968	* If not EHT (or driver override) then ap.chan == NULL indicates that
969	* there's no wider BW OFDMA used.
970	*/
971	static void ieee80211_set_chanreq_ap(struct ieee80211_sub_if_data *sdata,
972	struct ieee80211_chan_req *chanreq,
973	struct ieee80211_conn_settings *conn,
974	struct cfg80211_chan_def *ap_chandef)
975	{
976	chanreq->ap.chan = NULL;
977
978	if (conn->mode < IEEE80211_CONN_MODE_EHT)
979	return;
980	if (sdata->vif.driver_flags & IEEE80211_VIF_IGNORE_OFDMA_WIDER_BW)
981	return;
982
983	chanreq->ap = *ap_chandef;
984	}
985
986	VISIBLE_IF_MAC80211_KUNIT struct ieee802_11_elems *
987	ieee80211_determine_chan_mode(struct ieee80211_sub_if_data *sdata,
988	struct ieee80211_conn_settings *conn,
989	struct cfg80211_bss *cbss, int link_id,
990	struct ieee80211_chan_req *chanreq,
991	struct cfg80211_chan_def *ap_chandef,
992	unsigned long *userspace_selectors)
993	{
994	const struct cfg80211_bss_ies *ies = rcu_dereference(cbss->ies);
995	struct ieee80211_bss *bss = (void *)cbss->priv;
996	struct ieee80211_channel *channel = cbss->channel;
997	struct ieee80211_elems_parse_params parse_params = {
998	.link_id = -1,
999	.from_ap = true,
1000	.start = ies->data,
1001	.len = ies->len,
1002	.type = ies->from_beacon ?
1003	IEEE80211_FTYPE_MGMT | IEEE80211_STYPE_BEACON :
1004	IEEE80211_FTYPE_MGMT | IEEE80211_STYPE_PROBE_RESP,
1005	};
1006	struct ieee802_11_elems *elems;
1007	struct ieee80211_supported_band *sband;
1008	enum ieee80211_conn_mode ap_mode;
1009	unsigned long unknown_rates_selectors[BITS_TO_LONGS(128)] = {};
1010	unsigned long sta_selectors[BITS_TO_LONGS(128)] = {};
1011	int ret;
1012
1013	again:
1014	parse_params.mode = conn->mode;
1015	elems = ieee802_11_parse_elems_full(params: &parse_params);
1016	if (!elems)
1017	return ERR_PTR(error: -ENOMEM);
1018
1019	ap_mode = ieee80211_determine_ap_chan(sdata, channel, vht_cap_info: bss->vht_cap_info,
1020	elems, ignore_ht_channel_mismatch: false, conn, chandef: ap_chandef);
1021
1022	/* this should be impossible since parsing depends on our mode */
1023	if (WARN_ON(ap_mode > conn->mode)) {
1024	ret = -EINVAL;
1025	goto free;
1026	}
1027
1028	if (conn->mode != ap_mode) {
1029	conn->mode = ap_mode;
1030	kfree(objp: elems);
1031	goto again;
1032	}
1033
1034	mlme_link_id_dbg(sdata, link_id, "determined AP %pM to be %s\n",
1035	cbss->bssid, ieee80211_conn_mode_str(ap_mode));
1036
1037	sband = sdata->local->hw.wiphy->bands[channel->band];
1038
1039	ieee80211_get_rates(sband, supp_rates: elems->supp_rates, supp_rates_len: elems->supp_rates_len,
1040	ext_supp_rates: elems->ext_supp_rates, ext_supp_rates_len: elems->ext_supp_rates_len,
1041	NULL, NULL, unknown_rates_selectors, NULL, NULL,
1042	NULL);
1043
1044	switch (channel->band) {
1045	case NL80211_BAND_S1GHZ:
1046	if (WARN_ON(ap_mode != IEEE80211_CONN_MODE_S1G)) {
1047	ret = -EINVAL;
1048	goto free;
1049	}
1050
1051	chanreq->oper = *ap_chandef;
1052	if (!cfg80211_chandef_usable(wiphy: sdata->wdev.wiphy, chandef: &chanreq->oper,
1053	prohibited_flags: IEEE80211_CHAN_DISABLED)) {
1054	ret = -EINVAL;
1055	goto free;
1056	}
1057
1058	return elems;
1059	case NL80211_BAND_6GHZ:
1060	if (ap_mode < IEEE80211_CONN_MODE_HE) {
1061	link_id_info(sdata, link_id,
1062	"Rejecting non-HE 6/7 GHz connection");
1063	ret = -EINVAL;
1064	goto free;
1065	}
1066	break;
1067	default:
1068	if (WARN_ON(ap_mode == IEEE80211_CONN_MODE_S1G)) {
1069	ret = -EINVAL;
1070	goto free;
1071	}
1072	}
1073
1074	switch (ap_mode) {
1075	case IEEE80211_CONN_MODE_S1G:
1076	WARN_ON(1);
1077	ret = -EINVAL;
1078	goto free;
1079	case IEEE80211_CONN_MODE_LEGACY:
1080	conn->bw_limit = IEEE80211_CONN_BW_LIMIT_20;
1081	break;
1082	case IEEE80211_CONN_MODE_HT:
1083	conn->bw_limit = min_t(enum ieee80211_conn_bw_limit,
1084	conn->bw_limit,
1085	IEEE80211_CONN_BW_LIMIT_40);
1086	break;
1087	case IEEE80211_CONN_MODE_VHT:
1088	case IEEE80211_CONN_MODE_HE:
1089	conn->bw_limit = min_t(enum ieee80211_conn_bw_limit,
1090	conn->bw_limit,
1091	IEEE80211_CONN_BW_LIMIT_160);
1092	break;
1093	case IEEE80211_CONN_MODE_EHT:
1094	conn->bw_limit = min_t(enum ieee80211_conn_bw_limit,
1095	conn->bw_limit,
1096	IEEE80211_CONN_BW_LIMIT_320);
1097	break;
1098	}
1099
1100	chanreq->oper = *ap_chandef;
1101
1102	bitmap_copy(dst: sta_selectors, src: userspace_selectors, nbits: 128);
1103	if (conn->mode >= IEEE80211_CONN_MODE_HT)
1104	set_bit(BSS_MEMBERSHIP_SELECTOR_HT_PHY, addr: sta_selectors);
1105	if (conn->mode >= IEEE80211_CONN_MODE_VHT)
1106	set_bit(BSS_MEMBERSHIP_SELECTOR_VHT_PHY, addr: sta_selectors);
1107	if (conn->mode >= IEEE80211_CONN_MODE_HE)
1108	set_bit(BSS_MEMBERSHIP_SELECTOR_HE_PHY, addr: sta_selectors);
1109	if (conn->mode >= IEEE80211_CONN_MODE_EHT)
1110	set_bit(BSS_MEMBERSHIP_SELECTOR_EHT_PHY, addr: sta_selectors);
1111
1112	/*
1113	* We do not support EPD or GLK so never add them.
1114	* SAE_H2E is handled through userspace_selectors.
1115	*/
1116
1117	/* Check if we support all required features */
1118	if (!bitmap_subset(src1: unknown_rates_selectors, src2: sta_selectors, nbits: 128)) {
1119	link_id_info(sdata, link_id,
1120	"required basic rate or BSS membership selectors not supported or disabled, rejecting connection\n");
1121	ret = -EINVAL;
1122	goto free;
1123	}
1124
1125	ieee80211_set_chanreq_ap(sdata, chanreq, conn, ap_chandef);
1126
1127	while (!ieee80211_chandef_usable(sdata, chandef: &chanreq->oper,
1128	prohibited_flags: IEEE80211_CHAN_DISABLED)) {
1129	if (chanreq->oper.width == NL80211_CHAN_WIDTH_20_NOHT) {
1130	link_id_info(sdata, link_id,
1131	"unusable channel (%d MHz) for connection\n",
1132	chanreq->oper.chan->center_freq);
1133	ret = -EINVAL;
1134	goto free;
1135	}
1136
1137	ieee80211_chanreq_downgrade(chanreq, conn);
1138	}
1139
1140	if (conn->mode >= IEEE80211_CONN_MODE_HE &&
1141	!cfg80211_chandef_usable(wiphy: sdata->wdev.wiphy, chandef: &chanreq->oper,
1142	prohibited_flags: IEEE80211_CHAN_NO_HE)) {
1143	conn->mode = IEEE80211_CONN_MODE_VHT;
1144	conn->bw_limit = min_t(enum ieee80211_conn_bw_limit,
1145	conn->bw_limit,
1146	IEEE80211_CONN_BW_LIMIT_160);
1147	}
1148
1149	if (conn->mode >= IEEE80211_CONN_MODE_EHT &&
1150	!cfg80211_chandef_usable(wiphy: sdata->wdev.wiphy, chandef: &chanreq->oper,
1151	prohibited_flags: IEEE80211_CHAN_NO_EHT)) {
1152	conn->mode = IEEE80211_CONN_MODE_HE;
1153	conn->bw_limit = min_t(enum ieee80211_conn_bw_limit,
1154	conn->bw_limit,
1155	IEEE80211_CONN_BW_LIMIT_160);
1156	}
1157
1158	if (chanreq->oper.width != ap_chandef->width || ap_mode != conn->mode)
1159	link_id_info(sdata, link_id,
1160	"regulatory prevented using AP config, downgraded\n");
1161
1162	if (conn->mode >= IEEE80211_CONN_MODE_HT &&
1163	!ieee80211_verify_sta_ht_mcs_support(sdata, sband,
1164	ht_op: elems->ht_operation)) {
1165	conn->mode = IEEE80211_CONN_MODE_LEGACY;
1166	conn->bw_limit = IEEE80211_CONN_BW_LIMIT_20;
1167	link_id_info(sdata, link_id,
1168	"required MCSes not supported, disabling HT\n");
1169	}
1170
1171	if (conn->mode >= IEEE80211_CONN_MODE_VHT &&
1172	!ieee80211_verify_sta_vht_mcs_support(sdata, link_id, sband,
1173	vht_op: elems->vht_operation)) {
1174	conn->mode = IEEE80211_CONN_MODE_HT;
1175	conn->bw_limit = min_t(enum ieee80211_conn_bw_limit,
1176	conn->bw_limit,
1177	IEEE80211_CONN_BW_LIMIT_40);
1178	link_id_info(sdata, link_id,
1179	"required MCSes not supported, disabling VHT\n");
1180	}
1181
1182	if (conn->mode >= IEEE80211_CONN_MODE_HE &&
1183	(!ieee80211_verify_peer_he_mcs_support(sdata, link_id,
1184	he_cap: (void *)elems->he_cap,
1185	he_op: elems->he_operation) ||
1186	!ieee80211_verify_sta_he_mcs_support(sdata, sband,
1187	he_op: elems->he_operation))) {
1188	conn->mode = IEEE80211_CONN_MODE_VHT;
1189	link_id_info(sdata, link_id,
1190	"required MCSes not supported, disabling HE\n");
1191	}
1192
1193	if (conn->mode >= IEEE80211_CONN_MODE_EHT &&
1194	!ieee80211_verify_sta_eht_mcs_support(sdata, sband,
1195	eht_op: elems->eht_operation)) {
1196	conn->mode = IEEE80211_CONN_MODE_HE;
1197	conn->bw_limit = min_t(enum ieee80211_conn_bw_limit,
1198	conn->bw_limit,
1199	IEEE80211_CONN_BW_LIMIT_160);
1200	link_id_info(sdata, link_id,
1201	"required MCSes not supported, disabling EHT\n");
1202	}
1203
1204	if (conn->mode >= IEEE80211_CONN_MODE_EHT &&
1205	channel->band != NL80211_BAND_2GHZ &&
1206	conn->bw_limit == IEEE80211_CONN_BW_LIMIT_40) {
1207	conn->mode = IEEE80211_CONN_MODE_HE;
1208	link_id_info(sdata, link_id,
1209	"required bandwidth not supported, disabling EHT\n");
1210	}
1211
1212	/* the mode can only decrease, so this must terminate */
1213	if (ap_mode != conn->mode) {
1214	kfree(objp: elems);
1215	goto again;
1216	}
1217
1218	mlme_link_id_dbg(sdata, link_id,
1219	"connecting with %s mode, max bandwidth %d MHz\n",
1220	ieee80211_conn_mode_str(conn->mode),
1221	20 * (1 << conn->bw_limit));
1222
1223	if (WARN_ON_ONCE(!cfg80211_chandef_valid(&chanreq->oper))) {
1224	ret = -EINVAL;
1225	goto free;
1226	}
1227
1228	return elems;
1229	free:
1230	kfree(objp: elems);
1231	return ERR_PTR(error: ret);
1232	}
1233	EXPORT_SYMBOL_IF_MAC80211_KUNIT(ieee80211_determine_chan_mode);
1234
1235	static int ieee80211_config_bw(struct ieee80211_link_data *link,
1236	struct ieee802_11_elems *elems,
1237	bool update, u64 *changed, u16 stype)
1238	{
1239	struct ieee80211_channel *channel = link->conf->chanreq.oper.chan;
1240	struct ieee80211_sub_if_data *sdata = link->sdata;
1241	struct ieee80211_chan_req chanreq = {};
1242	struct cfg80211_chan_def ap_chandef;
1243	enum ieee80211_conn_mode ap_mode;
1244	const char *frame;
1245	u32 vht_cap_info = 0;
1246	u16 ht_opmode;
1247	int ret;
1248
1249	switch (stype) {
1250	case IEEE80211_STYPE_BEACON:
1251	frame = "beacon";
1252	break;
1253	case IEEE80211_STYPE_ASSOC_RESP:
1254	frame = "assoc response";
1255	break;
1256	case IEEE80211_STYPE_REASSOC_RESP:
1257	frame = "reassoc response";
1258	break;
1259	case IEEE80211_STYPE_ACTION:
1260	/* the only action frame that gets here */
1261	frame = "ML reconf response";
1262	break;
1263	default:
1264	return -EINVAL;
1265	}
1266
1267	/* don't track any bandwidth changes in legacy/S1G modes */
1268	if (link->u.mgd.conn.mode == IEEE80211_CONN_MODE_LEGACY ||
1269	link->u.mgd.conn.mode == IEEE80211_CONN_MODE_S1G)
1270	return 0;
1271
1272	if (elems->vht_cap_elem)
1273	vht_cap_info = le32_to_cpu(elems->vht_cap_elem->vht_cap_info);
1274
1275	ap_mode = ieee80211_determine_ap_chan(sdata, channel, vht_cap_info,
1276	elems, ignore_ht_channel_mismatch: true, conn: &link->u.mgd.conn,
1277	chandef: &ap_chandef);
1278
1279	if (ap_mode != link->u.mgd.conn.mode) {
1280	link_info(link,
1281	"AP %pM appears to change mode (expected %s, found %s) in %s, disconnect\n",
1282	link->u.mgd.bssid,
1283	ieee80211_conn_mode_str(link->u.mgd.conn.mode),
1284	ieee80211_conn_mode_str(ap_mode), frame);
1285	return -EINVAL;
1286	}
1287
1288	chanreq.oper = ap_chandef;
1289	ieee80211_set_chanreq_ap(sdata, chanreq: &chanreq, conn: &link->u.mgd.conn,
1290	ap_chandef: &ap_chandef);
1291
1292	/*
1293	* if HT operation mode changed store the new one -
1294	* this may be applicable even if channel is identical
1295	*/
1296	if (elems->ht_operation) {
1297	ht_opmode = le16_to_cpu(elems->ht_operation->operation_mode);
1298	if (link->conf->ht_operation_mode != ht_opmode) {
1299	*changed |= BSS_CHANGED_HT;
1300	link->conf->ht_operation_mode = ht_opmode;
1301	}
1302	}
1303
1304	/*
1305	* Downgrade the new channel if we associated with restricted
1306	* bandwidth capabilities. For example, if we associated as a
1307	* 20 MHz STA to a 40 MHz AP (due to regulatory, capabilities
1308	* or config reasons) then switching to a 40 MHz channel now
1309	* won't do us any good -- we couldn't use it with the AP.
1310	*/
1311	while (link->u.mgd.conn.bw_limit <
1312	ieee80211_min_bw_limit_from_chandef(chandef: &chanreq.oper))
1313	ieee80211_chandef_downgrade(chandef: &chanreq.oper, NULL);
1314
1315	/* TPE element is not present in (re)assoc/ML reconfig response */
1316	if (stype == IEEE80211_STYPE_BEACON &&
1317	ap_chandef.chan->band == NL80211_BAND_6GHZ &&
1318	link->u.mgd.conn.mode >= IEEE80211_CONN_MODE_HE) {
1319	ieee80211_rearrange_tpe(tpe: &elems->tpe, ap: &ap_chandef,
1320	used: &chanreq.oper);
1321	if (memcmp(p: &link->conf->tpe, q: &elems->tpe, size: sizeof(elems->tpe))) {
1322	link->conf->tpe = elems->tpe;
1323	*changed |= BSS_CHANGED_TPE;
1324	}
1325	}
1326
1327	if (ieee80211_chanreq_identical(a: &chanreq, b: &link->conf->chanreq))
1328	return 0;
1329
1330	link_info(link,
1331	"AP %pM changed bandwidth in %s, new used config is %d.%03d MHz, width %d (%d.%03d/%d MHz)\n",
1332	link->u.mgd.bssid, frame, chanreq.oper.chan->center_freq,
1333	chanreq.oper.chan->freq_offset, chanreq.oper.width,
1334	chanreq.oper.center_freq1, chanreq.oper.freq1_offset,
1335	chanreq.oper.center_freq2);
1336
1337	if (!cfg80211_chandef_valid(chandef: &chanreq.oper)) {
1338	sdata_info(sdata,
1339	"AP %pM changed caps/bw in %s in a way we can't support - disconnect\n",
1340	link->u.mgd.bssid, frame);
1341	return -EINVAL;
1342	}
1343
1344	if (!update) {
1345	link->conf->chanreq = chanreq;
1346	return 0;
1347	}
1348
1349	/*
1350	* We're tracking the current AP here, so don't do any further checks
1351	* here. This keeps us from playing ping-pong with regulatory, without
1352	* it the following can happen (for example):
1353	* - connect to an AP with 80 MHz, world regdom allows 80 MHz
1354	* - AP advertises regdom US
1355	* - CRDA loads regdom US with 80 MHz prohibited (old database)
1356	* - we detect an unsupported channel and disconnect
1357	* - disconnect causes CRDA to reload world regdomain and the game
1358	* starts anew.
1359	* (see https://bugzilla.kernel.org/show_bug.cgi?id=70881)
1360	*
1361	* It seems possible that there are still scenarios with CSA or real
1362	* bandwidth changes where a this could happen, but those cases are
1363	* less common and wouldn't completely prevent using the AP.
1364	*/
1365
1366	ret = ieee80211_link_change_chanreq(link, req: &chanreq, changed);
1367	if (ret) {
1368	sdata_info(sdata,
1369	"AP %pM changed bandwidth in %s to incompatible one - disconnect\n",
1370	link->u.mgd.bssid, frame);
1371	return ret;
1372	}
1373
1374	cfg80211_schedule_channels_check(wdev: &sdata->wdev);
1375	return 0;
1376	}
1377
1378	/* frame sending functions */
1379
1380	static void ieee80211_add_ht_ie(struct ieee80211_sub_if_data *sdata,
1381	struct sk_buff *skb, u8 ap_ht_param,
1382	struct ieee80211_supported_band *sband,
1383	struct ieee80211_channel *channel,
1384	enum ieee80211_smps_mode smps,
1385	const struct ieee80211_conn_settings *conn)
1386	{
1387	u8 *pos;
1388	u32 flags = channel->flags;
1389	u16 cap;
1390	struct ieee80211_sta_ht_cap ht_cap;
1391
1392	BUILD_BUG_ON(sizeof(ht_cap) != sizeof(sband->ht_cap));
1393
1394	memcpy(&ht_cap, &sband->ht_cap, sizeof(ht_cap));
1395	ieee80211_apply_htcap_overrides(sdata, ht_cap: &ht_cap);
1396
1397	/* determine capability flags */
1398	cap = ht_cap.cap;
1399
1400	switch (ap_ht_param & IEEE80211_HT_PARAM_CHA_SEC_OFFSET) {
1401	case IEEE80211_HT_PARAM_CHA_SEC_ABOVE:
1402	if (flags & IEEE80211_CHAN_NO_HT40PLUS) {
1403	cap &= ~IEEE80211_HT_CAP_SUP_WIDTH_20_40;
1404	cap &= ~IEEE80211_HT_CAP_SGI_40;
1405	}
1406	break;
1407	case IEEE80211_HT_PARAM_CHA_SEC_BELOW:
1408	if (flags & IEEE80211_CHAN_NO_HT40MINUS) {
1409	cap &= ~IEEE80211_HT_CAP_SUP_WIDTH_20_40;
1410	cap &= ~IEEE80211_HT_CAP_SGI_40;
1411	}
1412	break;
1413	}
1414
1415	/*
1416	* If 40 MHz was disabled associate as though we weren't
1417	* capable of 40 MHz -- some broken APs will never fall
1418	* back to trying to transmit in 20 MHz.
1419	*/
1420	if (conn->bw_limit <= IEEE80211_CONN_BW_LIMIT_20) {
1421	cap &= ~IEEE80211_HT_CAP_SUP_WIDTH_20_40;
1422	cap &= ~IEEE80211_HT_CAP_SGI_40;
1423	}
1424
1425	/* set SM PS mode properly */
1426	cap &= ~IEEE80211_HT_CAP_SM_PS;
1427	switch (smps) {
1428	case IEEE80211_SMPS_AUTOMATIC:
1429	case IEEE80211_SMPS_NUM_MODES:
1430	WARN_ON(1);
1431	fallthrough;
1432	case IEEE80211_SMPS_OFF:
1433	cap |= WLAN_HT_CAP_SM_PS_DISABLED <<
1434	IEEE80211_HT_CAP_SM_PS_SHIFT;
1435	break;
1436	case IEEE80211_SMPS_STATIC:
1437	cap |= WLAN_HT_CAP_SM_PS_STATIC <<
1438	IEEE80211_HT_CAP_SM_PS_SHIFT;
1439	break;
1440	case IEEE80211_SMPS_DYNAMIC:
1441	cap |= WLAN_HT_CAP_SM_PS_DYNAMIC <<
1442	IEEE80211_HT_CAP_SM_PS_SHIFT;
1443	break;
1444	}
1445
1446	/* reserve and fill IE */
1447	pos = skb_put(skb, len: sizeof(struct ieee80211_ht_cap) + 2);
1448	ieee80211_ie_build_ht_cap(pos, ht_cap: &ht_cap, cap);
1449	}
1450
1451	/* This function determines vht capability flags for the association
1452	* and builds the IE.
1453	* Note - the function returns true to own the MU-MIMO capability
1454	*/
1455	static bool ieee80211_add_vht_ie(struct ieee80211_sub_if_data *sdata,
1456	struct sk_buff *skb,
1457	struct ieee80211_supported_band *sband,
1458	struct ieee80211_vht_cap *ap_vht_cap,
1459	const struct ieee80211_conn_settings *conn)
1460	{
1461	struct ieee80211_local *local = sdata->local;
1462	u8 *pos;
1463	u32 cap;
1464	struct ieee80211_sta_vht_cap vht_cap;
1465	u32 mask, ap_bf_sts, our_bf_sts;
1466	bool mu_mimo_owner = false;
1467
1468	BUILD_BUG_ON(sizeof(vht_cap) != sizeof(sband->vht_cap));
1469
1470	memcpy(&vht_cap, &sband->vht_cap, sizeof(vht_cap));
1471	ieee80211_apply_vhtcap_overrides(sdata, vht_cap: &vht_cap);
1472
1473	/* determine capability flags */
1474	cap = vht_cap.cap;
1475
1476	if (conn->bw_limit <= IEEE80211_CONN_BW_LIMIT_80) {
1477	cap &= ~IEEE80211_VHT_CAP_SHORT_GI_160;
1478	cap &= ~IEEE80211_VHT_CAP_SUPP_CHAN_WIDTH_MASK;
1479	}
1480
1481	/*
1482	* Some APs apparently get confused if our capabilities are better
1483	* than theirs, so restrict what we advertise in the assoc request.
1484	*/
1485	if (!ieee80211_hw_check(&local->hw, STRICT)) {
1486	if (!(ap_vht_cap->vht_cap_info &
1487	cpu_to_le32(IEEE80211_VHT_CAP_SU_BEAMFORMER_CAPABLE)))
1488	cap &= ~(IEEE80211_VHT_CAP_SU_BEAMFORMEE_CAPABLE |
1489	IEEE80211_VHT_CAP_MU_BEAMFORMEE_CAPABLE);
1490	else if (!(ap_vht_cap->vht_cap_info &
1491	cpu_to_le32(IEEE80211_VHT_CAP_MU_BEAMFORMER_CAPABLE)))
1492	cap &= ~IEEE80211_VHT_CAP_MU_BEAMFORMEE_CAPABLE;
1493	}
1494
1495	/*
1496	* If some other vif is using the MU-MIMO capability we cannot associate
1497	* using MU-MIMO - this will lead to contradictions in the group-id
1498	* mechanism.
1499	* Ownership is defined since association request, in order to avoid
1500	* simultaneous associations with MU-MIMO.
1501	*/
1502	if (cap & IEEE80211_VHT_CAP_MU_BEAMFORMEE_CAPABLE) {
1503	bool disable_mu_mimo = false;
1504	struct ieee80211_sub_if_data *other;
1505
1506	list_for_each_entry(other, &local->interfaces, list) {
1507	if (other->vif.bss_conf.mu_mimo_owner) {
1508	disable_mu_mimo = true;
1509	break;
1510	}
1511	}
1512	if (disable_mu_mimo)
1513	cap &= ~IEEE80211_VHT_CAP_MU_BEAMFORMEE_CAPABLE;
1514	else
1515	mu_mimo_owner = true;
1516	}
1517
1518	mask = IEEE80211_VHT_CAP_BEAMFORMEE_STS_MASK;
1519
1520	ap_bf_sts = le32_to_cpu(ap_vht_cap->vht_cap_info) & mask;
1521	our_bf_sts = cap & mask;
1522
1523	if (ap_bf_sts < our_bf_sts) {
1524	cap &= ~mask;
1525	cap |= ap_bf_sts;
1526	}
1527
1528	/* reserve and fill IE */
1529	pos = skb_put(skb, len: sizeof(struct ieee80211_vht_cap) + 2);
1530	ieee80211_ie_build_vht_cap(pos, vht_cap: &vht_cap, cap);
1531
1532	return mu_mimo_owner;
1533	}
1534
1535	static void ieee80211_assoc_add_rates(struct ieee80211_local *local,
1536	struct sk_buff *skb,
1537	enum nl80211_chan_width width,
1538	struct ieee80211_supported_band *sband,
1539	struct ieee80211_mgd_assoc_data *assoc_data)
1540	{
1541	u32 rates;
1542
1543	if (assoc_data->supp_rates_len &&
1544	!ieee80211_hw_check(&local->hw, STRICT)) {
1545	/*
1546	* Get all rates supported by the device and the AP as
1547	* some APs don't like getting a superset of their rates
1548	* in the association request (e.g. D-Link DAP 1353 in
1549	* b-only mode)...
1550	*/
1551	ieee80211_parse_bitrates(width, sband,
1552	srates: assoc_data->supp_rates,
1553	srates_len: assoc_data->supp_rates_len,
1554	rates: &rates);
1555	} else {
1556	/*
1557	* In case AP not provide any supported rates information
1558	* before association, we send information element(s) with
1559	* all rates that we support.
1560	*/
1561	rates = ~0;
1562	}
1563
1564	ieee80211_put_srates_elem(skb, sband, basic_rates: 0, masked_rates: ~rates,
1565	element_id: WLAN_EID_SUPP_RATES);
1566	ieee80211_put_srates_elem(skb, sband, basic_rates: 0, masked_rates: ~rates,
1567	element_id: WLAN_EID_EXT_SUPP_RATES);
1568	}
1569
1570	static size_t ieee80211_add_before_ht_elems(struct sk_buff *skb,
1571	const u8 *elems,
1572	size_t elems_len,
1573	size_t offset)
1574	{
1575	size_t noffset;
1576
1577	static const u8 before_ht[] = {
1578	WLAN_EID_SSID,
1579	WLAN_EID_SUPP_RATES,
1580	WLAN_EID_EXT_SUPP_RATES,
1581	WLAN_EID_PWR_CAPABILITY,
1582	WLAN_EID_SUPPORTED_CHANNELS,
1583	WLAN_EID_RSN,
1584	WLAN_EID_QOS_CAPA,
1585	WLAN_EID_RRM_ENABLED_CAPABILITIES,
1586	WLAN_EID_MOBILITY_DOMAIN,
1587	WLAN_EID_FAST_BSS_TRANSITION, /* reassoc only */
1588	WLAN_EID_RIC_DATA, /* reassoc only */
1589	WLAN_EID_SUPPORTED_REGULATORY_CLASSES,
1590	};
1591	static const u8 after_ric[] = {
1592	WLAN_EID_SUPPORTED_REGULATORY_CLASSES,
1593	WLAN_EID_HT_CAPABILITY,
1594	WLAN_EID_BSS_COEX_2040,
1595	/* luckily this is almost always there */
1596	WLAN_EID_EXT_CAPABILITY,
1597	WLAN_EID_QOS_TRAFFIC_CAPA,
1598	WLAN_EID_TIM_BCAST_REQ,
1599	WLAN_EID_INTERWORKING,
1600	/* 60 GHz (Multi-band, DMG, MMS) can't happen */
1601	WLAN_EID_VHT_CAPABILITY,
1602	WLAN_EID_OPMODE_NOTIF,
1603	};
1604
1605	if (!elems_len)
1606	return offset;
1607
1608	noffset = ieee80211_ie_split_ric(ies: elems, ielen: elems_len,
1609	ids: before_ht,
1610	ARRAY_SIZE(before_ht),
1611	after_ric,
1612	ARRAY_SIZE(after_ric),
1613	offset);
1614	skb_put_data(skb, data: elems + offset, len: noffset - offset);
1615
1616	return noffset;
1617	}
1618
1619	static size_t ieee80211_add_before_vht_elems(struct sk_buff *skb,
1620	const u8 *elems,
1621	size_t elems_len,
1622	size_t offset)
1623	{
1624	static const u8 before_vht[] = {
1625	/*
1626	* no need to list the ones split off before HT
1627	* or generated here
1628	*/
1629	WLAN_EID_BSS_COEX_2040,
1630	WLAN_EID_EXT_CAPABILITY,
1631	WLAN_EID_QOS_TRAFFIC_CAPA,
1632	WLAN_EID_TIM_BCAST_REQ,
1633	WLAN_EID_INTERWORKING,
1634	/* 60 GHz (Multi-band, DMG, MMS) can't happen */
1635	};
1636	size_t noffset;
1637
1638	if (!elems_len)
1639	return offset;
1640
1641	/* RIC already taken care of in ieee80211_add_before_ht_elems() */
1642	noffset = ieee80211_ie_split(ies: elems, ielen: elems_len,
1643	ids: before_vht, ARRAY_SIZE(before_vht),
1644	offset);
1645	skb_put_data(skb, data: elems + offset, len: noffset - offset);
1646
1647	return noffset;
1648	}
1649
1650	static size_t ieee80211_add_before_he_elems(struct sk_buff *skb,
1651	const u8 *elems,
1652	size_t elems_len,
1653	size_t offset)
1654	{
1655	static const u8 before_he[] = {
1656	/*
1657	* no need to list the ones split off before VHT
1658	* or generated here
1659	*/
1660	WLAN_EID_OPMODE_NOTIF,
1661	WLAN_EID_EXTENSION, WLAN_EID_EXT_FUTURE_CHAN_GUIDANCE,
1662	/* 11ai elements */
1663	WLAN_EID_EXTENSION, WLAN_EID_EXT_FILS_SESSION,
1664	WLAN_EID_EXTENSION, WLAN_EID_EXT_FILS_PUBLIC_KEY,
1665	WLAN_EID_EXTENSION, WLAN_EID_EXT_FILS_KEY_CONFIRM,
1666	WLAN_EID_EXTENSION, WLAN_EID_EXT_FILS_HLP_CONTAINER,
1667	WLAN_EID_EXTENSION, WLAN_EID_EXT_FILS_IP_ADDR_ASSIGN,
1668	/* TODO: add 11ah/11aj/11ak elements */
1669	};
1670	size_t noffset;
1671
1672	if (!elems_len)
1673	return offset;
1674
1675	/* RIC already taken care of in ieee80211_add_before_ht_elems() */
1676	noffset = ieee80211_ie_split(ies: elems, ielen: elems_len,
1677	ids: before_he, ARRAY_SIZE(before_he),
1678	offset);
1679	skb_put_data(skb, data: elems + offset, len: noffset - offset);
1680
1681	return noffset;
1682	}
1683
1684	static size_t ieee80211_add_before_reg_conn(struct sk_buff *skb,
1685	const u8 *elems, size_t elems_len,
1686	size_t offset)
1687	{
1688	static const u8 before_reg_conn[] = {
1689	/*
1690	* no need to list the ones split off before HE
1691	* or generated here
1692	*/
1693	WLAN_EID_EXTENSION, WLAN_EID_EXT_DH_PARAMETER,
1694	WLAN_EID_EXTENSION, WLAN_EID_EXT_KNOWN_STA_IDENTIFCATION,
1695	};
1696	size_t noffset;
1697
1698	if (!elems_len)
1699	return offset;
1700
1701	noffset = ieee80211_ie_split(ies: elems, ielen: elems_len, ids: before_reg_conn,
1702	ARRAY_SIZE(before_reg_conn), offset);
1703	skb_put_data(skb, data: elems + offset, len: noffset - offset);
1704
1705	return noffset;
1706	}
1707
1708	#define PRESENT_ELEMS_MAX 8
1709	#define PRESENT_ELEM_EXT_OFFS 0x100
1710
1711	static void
1712	ieee80211_assoc_add_ml_elem(struct ieee80211_sub_if_data *sdata,
1713	struct sk_buff *skb, u16 capab,
1714	const struct element *ext_capa,
1715	const u16 *present_elems,
1716	struct ieee80211_mgd_assoc_data *assoc_data);
1717
1718	static size_t
1719	ieee80211_add_link_elems(struct ieee80211_sub_if_data *sdata,
1720	struct sk_buff *skb, u16 *capab,
1721	const struct element *ext_capa,
1722	const u8 *extra_elems,
1723	size_t extra_elems_len,
1724	unsigned int link_id,
1725	struct ieee80211_link_data *link,
1726	u16 *present_elems,
1727	struct ieee80211_mgd_assoc_data *assoc_data)
1728	{
1729	enum nl80211_iftype iftype = ieee80211_vif_type_p2p(vif: &sdata->vif);
1730	struct cfg80211_bss *cbss = assoc_data->link[link_id].bss;
1731	struct ieee80211_channel *chan = cbss->channel;
1732	const struct ieee80211_sband_iftype_data *iftd;
1733	struct ieee80211_local *local = sdata->local;
1734	struct ieee80211_supported_band *sband;
1735	enum nl80211_chan_width width = NL80211_CHAN_WIDTH_20;
1736	struct ieee80211_chanctx_conf *chanctx_conf;
1737	enum ieee80211_smps_mode smps_mode;
1738	u16 orig_capab = *capab;
1739	size_t offset = 0;
1740	int present_elems_len = 0;
1741	u8 *pos;
1742	int i;
1743
1744	#define ADD_PRESENT_ELEM(id) do { \
1745	/* need a last for termination - we use 0 == SSID */ \
1746	if (!WARN_ON(present_elems_len >= PRESENT_ELEMS_MAX - 1)) \
1747	present_elems[present_elems_len++] = (id); \
1748	} while (0)
1749	#define ADD_PRESENT_EXT_ELEM(id) ADD_PRESENT_ELEM(PRESENT_ELEM_EXT_OFFS | (id))
1750
1751	if (link)
1752	smps_mode = link->smps_mode;
1753	else if (sdata->u.mgd.powersave)
1754	smps_mode = IEEE80211_SMPS_DYNAMIC;
1755	else
1756	smps_mode = IEEE80211_SMPS_OFF;
1757
1758	if (link) {
1759	/*
1760	* 5/10 MHz scenarios are only viable without MLO, in which
1761	* case this pointer should be used ... All of this is a bit
1762	* unclear though, not sure this even works at all.
1763	*/
1764	rcu_read_lock();
1765	chanctx_conf = rcu_dereference(link->conf->chanctx_conf);
1766	if (chanctx_conf)
1767	width = chanctx_conf->def.width;
1768	rcu_read_unlock();
1769	}
1770
1771	sband = local->hw.wiphy->bands[chan->band];
1772	iftd = ieee80211_get_sband_iftype_data(sband, iftype);
1773
1774	if (sband->band == NL80211_BAND_2GHZ) {
1775	*capab |= WLAN_CAPABILITY_SHORT_SLOT_TIME;
1776	*capab |= WLAN_CAPABILITY_SHORT_PREAMBLE;
1777	}
1778
1779	if ((cbss->capability & WLAN_CAPABILITY_SPECTRUM_MGMT) &&
1780	ieee80211_hw_check(&local->hw, SPECTRUM_MGMT))
1781	*capab |= WLAN_CAPABILITY_SPECTRUM_MGMT;
1782
1783	if (sband->band != NL80211_BAND_S1GHZ)
1784	ieee80211_assoc_add_rates(local, skb, width, sband, assoc_data);
1785
1786	if (*capab & WLAN_CAPABILITY_SPECTRUM_MGMT ||
1787	*capab & WLAN_CAPABILITY_RADIO_MEASURE) {
1788	struct cfg80211_chan_def chandef = {
1789	.width = width,
1790	.chan = chan,
1791	};
1792
1793	pos = skb_put(skb, len: 4);
1794	*pos++ = WLAN_EID_PWR_CAPABILITY;
1795	*pos++ = 2;
1796	*pos++ = 0; /* min tx power */
1797	/* max tx power */
1798	*pos++ = ieee80211_chandef_max_power(chandef: &chandef);
1799	ADD_PRESENT_ELEM(WLAN_EID_PWR_CAPABILITY);
1800	}
1801
1802	/*
1803	* Per spec, we shouldn't include the list of channels if we advertise
1804	* support for extended channel switching, but we've always done that;
1805	* (for now?) apply this restriction only on the (new) 6 GHz band.
1806	*/
1807	if (*capab & WLAN_CAPABILITY_SPECTRUM_MGMT &&
1808	(sband->band != NL80211_BAND_6GHZ ||
1809	!ext_capa || ext_capa->datalen < 1 ||
1810	!(ext_capa->data[0] & WLAN_EXT_CAPA1_EXT_CHANNEL_SWITCHING))) {
1811	/* TODO: get this in reg domain format */
1812	pos = skb_put(skb, len: 2 * sband->n_channels + 2);
1813	*pos++ = WLAN_EID_SUPPORTED_CHANNELS;
1814	*pos++ = 2 * sband->n_channels;
1815	for (i = 0; i < sband->n_channels; i++) {
1816	int cf = sband->channels[i].center_freq;
1817
1818	*pos++ = ieee80211_frequency_to_channel(freq: cf);
1819	*pos++ = 1; /* one channel in the subband*/
1820	}
1821	ADD_PRESENT_ELEM(WLAN_EID_SUPPORTED_CHANNELS);
1822	}
1823
1824	/* if present, add any custom IEs that go before HT */
1825	offset = ieee80211_add_before_ht_elems(skb, elems: extra_elems,
1826	elems_len: extra_elems_len,
1827	offset);
1828
1829	if (sband->band != NL80211_BAND_6GHZ &&
1830	assoc_data->link[link_id].conn.mode >= IEEE80211_CONN_MODE_HT) {
1831	ieee80211_add_ht_ie(sdata, skb,
1832	ap_ht_param: assoc_data->link[link_id].ap_ht_param,
1833	sband, channel: chan, smps: smps_mode,
1834	conn: &assoc_data->link[link_id].conn);
1835	ADD_PRESENT_ELEM(WLAN_EID_HT_CAPABILITY);
1836	}
1837
1838	/* if present, add any custom IEs that go before VHT */
1839	offset = ieee80211_add_before_vht_elems(skb, elems: extra_elems,
1840	elems_len: extra_elems_len,
1841	offset);
1842
1843	if (sband->band != NL80211_BAND_6GHZ &&
1844	assoc_data->link[link_id].conn.mode >= IEEE80211_CONN_MODE_VHT &&
1845	sband->vht_cap.vht_supported) {
1846	bool mu_mimo_owner =
1847	ieee80211_add_vht_ie(sdata, skb, sband,
1848	ap_vht_cap: &assoc_data->link[link_id].ap_vht_cap,
1849	conn: &assoc_data->link[link_id].conn);
1850
1851	if (link)
1852	link->conf->mu_mimo_owner = mu_mimo_owner;
1853	ADD_PRESENT_ELEM(WLAN_EID_VHT_CAPABILITY);
1854	}
1855
1856	/* if present, add any custom IEs that go before HE */
1857	offset = ieee80211_add_before_he_elems(skb, elems: extra_elems,
1858	elems_len: extra_elems_len,
1859	offset);
1860
1861	if (assoc_data->link[link_id].conn.mode >= IEEE80211_CONN_MODE_HE) {
1862	ieee80211_put_he_cap(skb, sdata, sband,
1863	conn: &assoc_data->link[link_id].conn);
1864	ADD_PRESENT_EXT_ELEM(WLAN_EID_EXT_HE_CAPABILITY);
1865	if (sband->band == NL80211_BAND_6GHZ)
1866	ieee80211_put_he_6ghz_cap(skb, sdata, smps_mode);
1867	}
1868
1869	/*
1870	* if present, add any custom IEs that go before regulatory
1871	* connectivity element
1872	*/
1873	offset = ieee80211_add_before_reg_conn(skb, elems: extra_elems,
1874	elems_len: extra_elems_len, offset);
1875
1876	if (sband->band == NL80211_BAND_6GHZ) {
1877	/*
1878	* as per Section E.2.7 of IEEE 802.11 REVme D7.0, non-AP STA
1879	* capable of operating on the 6 GHz band shall transmit
1880	* regulatory connectivity element.
1881	*/
1882	ieee80211_put_reg_conn(skb, flags: chan->flags);
1883	}
1884
1885	/*
1886	* careful - need to know about all the present elems before
1887	* calling ieee80211_assoc_add_ml_elem(), so add this one if
1888	* we're going to put it after the ML element
1889	*/
1890	if (assoc_data->link[link_id].conn.mode >= IEEE80211_CONN_MODE_EHT)
1891	ADD_PRESENT_EXT_ELEM(WLAN_EID_EXT_EHT_CAPABILITY);
1892
1893	if (link_id == assoc_data->assoc_link_id)
1894	ieee80211_assoc_add_ml_elem(sdata, skb, capab: orig_capab, ext_capa,
1895	present_elems, assoc_data);
1896
1897	/* crash if somebody gets it wrong */
1898	present_elems = NULL;
1899
1900	if (assoc_data->link[link_id].conn.mode >= IEEE80211_CONN_MODE_EHT)
1901	ieee80211_put_eht_cap(skb, sdata, sband,
1902	conn: &assoc_data->link[link_id].conn);
1903
1904	if (sband->band == NL80211_BAND_S1GHZ) {
1905	ieee80211_add_aid_request_ie(sdata, skb);
1906	ieee80211_add_s1g_capab_ie(sdata, caps: &sband->s1g_cap, skb);
1907	}
1908
1909	if (iftd && iftd->vendor_elems.data && iftd->vendor_elems.len)
1910	skb_put_data(skb, data: iftd->vendor_elems.data, len: iftd->vendor_elems.len);
1911
1912	return offset;
1913	}
1914
1915	static void ieee80211_add_non_inheritance_elem(struct sk_buff *skb,
1916	const u16 *outer,
1917	const u16 *inner)
1918	{
1919	unsigned int skb_len = skb->len;
1920	bool at_extension = false;
1921	bool added = false;
1922	int i, j;
1923	u8 *len, *list_len = NULL;
1924
1925	skb_put_u8(skb, val: WLAN_EID_EXTENSION);
1926	len = skb_put(skb, len: 1);
1927	skb_put_u8(skb, val: WLAN_EID_EXT_NON_INHERITANCE);
1928
1929	for (i = 0; i < PRESENT_ELEMS_MAX && outer[i]; i++) {
1930	u16 elem = outer[i];
1931	bool have_inner = false;
1932
1933	/* should at least be sorted in the sense of normal -> ext */
1934	WARN_ON(at_extension && elem < PRESENT_ELEM_EXT_OFFS);
1935
1936	/* switch to extension list */
1937	if (!at_extension && elem >= PRESENT_ELEM_EXT_OFFS) {
1938	at_extension = true;
1939	if (!list_len)
1940	skb_put_u8(skb, val: 0);
1941	list_len = NULL;
1942	}
1943
1944	for (j = 0; j < PRESENT_ELEMS_MAX && inner[j]; j++) {
1945	if (elem == inner[j]) {
1946	have_inner = true;
1947	break;
1948	}
1949	}
1950
1951	if (have_inner)
1952	continue;
1953
1954	if (!list_len) {
1955	list_len = skb_put(skb, len: 1);
1956	*list_len = 0;
1957	}
1958	*list_len += 1;
1959	skb_put_u8(skb, val: (u8)elem);
1960	added = true;
1961	}
1962
1963	/* if we added a list but no extension list, make a zero-len one */
1964	if (added && (!at_extension || !list_len))
1965	skb_put_u8(skb, val: 0);
1966
1967	/* if nothing added remove extension element completely */
1968	if (!added)
1969	skb_trim(skb, len: skb_len);
1970	else
1971	*len = skb->len - skb_len - 2;
1972	}
1973
1974	static void
1975	ieee80211_assoc_add_ml_elem(struct ieee80211_sub_if_data *sdata,
1976	struct sk_buff *skb, u16 capab,
1977	const struct element *ext_capa,
1978	const u16 *outer_present_elems,
1979	struct ieee80211_mgd_assoc_data *assoc_data)
1980	{
1981	struct ieee80211_local *local = sdata->local;
1982	struct ieee80211_multi_link_elem *ml_elem;
1983	struct ieee80211_mle_basic_common_info *common;
1984	const struct wiphy_iftype_ext_capab *ift_ext_capa;
1985	__le16 eml_capa = 0, mld_capa_ops = 0;
1986	unsigned int link_id;
1987	u8 *ml_elem_len;
1988	void *capab_pos;
1989
1990	if (!ieee80211_vif_is_mld(vif: &sdata->vif))
1991	return;
1992
1993	ift_ext_capa = cfg80211_get_iftype_ext_capa(wiphy: local->hw.wiphy,
1994	type: ieee80211_vif_type_p2p(vif: &sdata->vif));
1995	if (ift_ext_capa) {
1996	eml_capa = cpu_to_le16(ift_ext_capa->eml_capabilities);
1997	mld_capa_ops = cpu_to_le16(ift_ext_capa->mld_capa_and_ops);
1998	}
1999
2000	skb_put_u8(skb, val: WLAN_EID_EXTENSION);
2001	ml_elem_len = skb_put(skb, len: 1);
2002	skb_put_u8(skb, val: WLAN_EID_EXT_EHT_MULTI_LINK);
2003	ml_elem = skb_put(skb, len: sizeof(*ml_elem));
2004	ml_elem->control =
2005	cpu_to_le16(IEEE80211_ML_CONTROL_TYPE_BASIC |
2006	IEEE80211_MLC_BASIC_PRES_MLD_CAPA_OP);
2007	common = skb_put(skb, len: sizeof(*common));
2008	common->len = sizeof(*common) +
2009	2; /* MLD capa/ops */
2010	memcpy(common->mld_mac_addr, sdata->vif.addr, ETH_ALEN);
2011
2012	/* add EML_CAPA only if needed, see Draft P802.11be_D2.1, 35.3.17 */
2013	if (eml_capa &
2014	cpu_to_le16((IEEE80211_EML_CAP_EMLSR_SUPP |
2015	IEEE80211_EML_CAP_EMLMR_SUPPORT))) {
2016	common->len += 2; /* EML capabilities */
2017	ml_elem->control |=
2018	cpu_to_le16(IEEE80211_MLC_BASIC_PRES_EML_CAPA);
2019	skb_put_data(skb, data: &eml_capa, len: sizeof(eml_capa));
2020	}
2021	skb_put_data(skb, data: &mld_capa_ops, len: sizeof(mld_capa_ops));
2022
2023	if (assoc_data->ext_mld_capa_ops) {
2024	ml_elem->control |=
2025	cpu_to_le16(IEEE80211_MLC_BASIC_PRES_EXT_MLD_CAPA_OP);
2026	common->len += 2;
2027	skb_put_data(skb, data: &assoc_data->ext_mld_capa_ops,
2028	len: sizeof(assoc_data->ext_mld_capa_ops));
2029	}
2030
2031	for (link_id = 0; link_id < IEEE80211_MLD_MAX_NUM_LINKS; link_id++) {
2032	u16 link_present_elems[PRESENT_ELEMS_MAX] = {};
2033	const u8 *extra_elems;
2034	size_t extra_elems_len;
2035	size_t extra_used;
2036	u8 *subelem_len = NULL;
2037	__le16 ctrl;
2038
2039	if (!assoc_data->link[link_id].bss ||
2040	link_id == assoc_data->assoc_link_id)
2041	continue;
2042
2043	extra_elems = assoc_data->link[link_id].elems;
2044	extra_elems_len = assoc_data->link[link_id].elems_len;
2045
2046	skb_put_u8(skb, val: IEEE80211_MLE_SUBELEM_PER_STA_PROFILE);
2047	subelem_len = skb_put(skb, len: 1);
2048
2049	ctrl = cpu_to_le16(link_id |
2050	IEEE80211_MLE_STA_CONTROL_COMPLETE_PROFILE |
2051	IEEE80211_MLE_STA_CONTROL_STA_MAC_ADDR_PRESENT);
2052	skb_put_data(skb, data: &ctrl, len: sizeof(ctrl));
2053	skb_put_u8(skb, val: 1 + ETH_ALEN); /* STA Info Length */
2054	skb_put_data(skb, data: assoc_data->link[link_id].addr,
2055	ETH_ALEN);
2056	/*
2057	* Now add the contents of the (re)association request,
2058	* but the "listen interval" and "current AP address"
2059	* (if applicable) are skipped. So we only have
2060	* the capability field (remember the position and fill
2061	* later), followed by the elements added below by
2062	* calling ieee80211_add_link_elems().
2063	*/
2064	capab_pos = skb_put(skb, len: 2);
2065
2066	extra_used = ieee80211_add_link_elems(sdata, skb, capab: &capab,
2067	ext_capa,
2068	extra_elems,
2069	extra_elems_len,
2070	link_id, NULL,
2071	present_elems: link_present_elems,
2072	assoc_data);
2073	if (extra_elems)
2074	skb_put_data(skb, data: extra_elems + extra_used,
2075	len: extra_elems_len - extra_used);
2076
2077	put_unaligned_le16(val: capab, p: capab_pos);
2078
2079	ieee80211_add_non_inheritance_elem(skb, outer: outer_present_elems,
2080	inner: link_present_elems);
2081
2082	ieee80211_fragment_element(skb, len_pos: subelem_len,
2083	frag_id: IEEE80211_MLE_SUBELEM_FRAGMENT);
2084	}
2085
2086	ieee80211_fragment_element(skb, len_pos: ml_elem_len, frag_id: WLAN_EID_FRAGMENT);
2087	}
2088
2089	static int
2090	ieee80211_link_common_elems_size(struct ieee80211_sub_if_data *sdata,
2091	enum nl80211_iftype iftype,
2092	struct cfg80211_bss *cbss,
2093	size_t elems_len)
2094	{
2095	struct ieee80211_local *local = sdata->local;
2096	const struct ieee80211_sband_iftype_data *iftd;
2097	struct ieee80211_supported_band *sband;
2098	size_t size = 0;
2099
2100	if (!cbss)
2101	return size;
2102
2103	sband = local->hw.wiphy->bands[cbss->channel->band];
2104
2105	/* add STA profile elements length */
2106	size += elems_len;
2107
2108	/* and supported rates length */
2109	size += 4 + sband->n_bitrates;
2110
2111	/* supported channels */
2112	size += 2 + 2 * sband->n_channels;
2113
2114	iftd = ieee80211_get_sband_iftype_data(sband, iftype);
2115	if (iftd)
2116	size += iftd->vendor_elems.len;
2117
2118	/* power capability */
2119	size += 4;
2120
2121	/* HT, VHT, HE, EHT */
2122	size += 2 + sizeof(struct ieee80211_ht_cap);
2123	size += 2 + sizeof(struct ieee80211_vht_cap);
2124	size += 2 + 1 + sizeof(struct ieee80211_he_cap_elem) +
2125	sizeof(struct ieee80211_he_mcs_nss_supp) +
2126	IEEE80211_HE_PPE_THRES_MAX_LEN;
2127
2128	if (sband->band == NL80211_BAND_6GHZ) {
2129	size += 2 + 1 + sizeof(struct ieee80211_he_6ghz_capa);
2130	/* reg connection */
2131	size += 4;
2132	}
2133
2134	size += 2 + 1 + sizeof(struct ieee80211_eht_cap_elem) +
2135	sizeof(struct ieee80211_eht_mcs_nss_supp) +
2136	IEEE80211_EHT_PPE_THRES_MAX_LEN;
2137
2138	return size;
2139	}
2140
2141	static int ieee80211_send_assoc(struct ieee80211_sub_if_data *sdata)
2142	{
2143	struct ieee80211_local *local = sdata->local;
2144	struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
2145	struct ieee80211_mgd_assoc_data *assoc_data = ifmgd->assoc_data;
2146	struct ieee80211_link_data *link;
2147	struct sk_buff *skb;
2148	struct ieee80211_mgmt *mgmt;
2149	u8 *pos, qos_info, *ie_start;
2150	size_t offset, noffset;
2151	u16 capab = 0, link_capab;
2152	__le16 listen_int;
2153	struct element *ext_capa = NULL;
2154	enum nl80211_iftype iftype = ieee80211_vif_type_p2p(vif: &sdata->vif);
2155	struct ieee80211_prep_tx_info info = {};
2156	unsigned int link_id, n_links = 0;
2157	u16 present_elems[PRESENT_ELEMS_MAX] = {};
2158	void *capab_pos;
2159	size_t size;
2160	int ret;
2161
2162	/* we know it's writable, cast away the const */
2163	if (assoc_data->ie_len)
2164	ext_capa = (void *)cfg80211_find_elem(eid: WLAN_EID_EXT_CAPABILITY,
2165	ies: assoc_data->ie,
2166	len: assoc_data->ie_len);
2167
2168	lockdep_assert_wiphy(sdata->local->hw.wiphy);
2169
2170	size = local->hw.extra_tx_headroom +
2171	sizeof(*mgmt) + /* bit too much but doesn't matter */
2172	2 + assoc_data->ssid_len + /* SSID */
2173	assoc_data->ie_len + /* extra IEs */
2174	(assoc_data->fils_kek_len ? 16 /* AES-SIV */ : 0) +
2175	9; /* WMM */
2176
2177	for (link_id = 0; link_id < IEEE80211_MLD_MAX_NUM_LINKS; link_id++) {
2178	struct cfg80211_bss *cbss = assoc_data->link[link_id].bss;
2179	size_t elems_len = assoc_data->link[link_id].elems_len;
2180
2181	if (!cbss)
2182	continue;
2183
2184	n_links++;
2185
2186	size += ieee80211_link_common_elems_size(sdata, iftype, cbss,
2187	elems_len);
2188
2189	/* non-inheritance element */
2190	size += 2 + 2 + PRESENT_ELEMS_MAX;
2191
2192	/* should be the same across all BSSes */
2193	if (cbss->capability & WLAN_CAPABILITY_PRIVACY)
2194	capab |= WLAN_CAPABILITY_PRIVACY;
2195	}
2196
2197	if (ieee80211_vif_is_mld(vif: &sdata->vif)) {
2198	/* consider the multi-link element with STA profile */
2199	size += sizeof(struct ieee80211_multi_link_elem);
2200	/* max common info field in basic multi-link element */
2201	size += sizeof(struct ieee80211_mle_basic_common_info) +
2202	2 + /* capa & op */
2203	2 + /* ext capa & op */
2204	2; /* EML capa */
2205
2206	/* The capability elements were already considered above */
2207	size += (n_links - 1) *
2208	(1 + 1 + /* subelement ID/length */
2209	2 + /* STA control */
2210	1 + ETH_ALEN + 2 /* STA Info field */);
2211	}
2212
2213	link = sdata_dereference(sdata->link[assoc_data->assoc_link_id], sdata);
2214	if (WARN_ON(!link))
2215	return -EINVAL;
2216
2217	if (WARN_ON(!assoc_data->link[assoc_data->assoc_link_id].bss))
2218	return -EINVAL;
2219
2220	skb = alloc_skb(size, GFP_KERNEL);
2221	if (!skb)
2222	return -ENOMEM;
2223
2224	skb_reserve(skb, len: local->hw.extra_tx_headroom);
2225
2226	if (ifmgd->flags & IEEE80211_STA_ENABLE_RRM)
2227	capab |= WLAN_CAPABILITY_RADIO_MEASURE;
2228
2229	/* Set MBSSID support for HE AP if needed */
2230	if (ieee80211_hw_check(&local->hw, SUPPORTS_ONLY_HE_MULTI_BSSID) &&
2231	link->u.mgd.conn.mode >= IEEE80211_CONN_MODE_HE &&
2232	ext_capa && ext_capa->datalen >= 3)
2233	ext_capa->data[2] |= WLAN_EXT_CAPA3_MULTI_BSSID_SUPPORT;
2234
2235	mgmt = skb_put_zero(skb, len: 24);
2236	memcpy(mgmt->da, sdata->vif.cfg.ap_addr, ETH_ALEN);
2237	memcpy(mgmt->sa, sdata->vif.addr, ETH_ALEN);
2238	memcpy(mgmt->bssid, sdata->vif.cfg.ap_addr, ETH_ALEN);
2239
2240	listen_int = cpu_to_le16(assoc_data->s1g ?
2241	ieee80211_encode_usf(local->hw.conf.listen_interval) :
2242	local->hw.conf.listen_interval);
2243	if (!is_zero_ether_addr(addr: assoc_data->prev_ap_addr)) {
2244	skb_put(skb, len: 10);
2245	mgmt->frame_control = cpu_to_le16(IEEE80211_FTYPE_MGMT |
2246	IEEE80211_STYPE_REASSOC_REQ);
2247	capab_pos = &mgmt->u.reassoc_req.capab_info;
2248	mgmt->u.reassoc_req.listen_interval = listen_int;
2249	memcpy(mgmt->u.reassoc_req.current_ap,
2250	assoc_data->prev_ap_addr, ETH_ALEN);
2251	info.subtype = IEEE80211_STYPE_REASSOC_REQ;
2252	} else {
2253	skb_put(skb, len: 4);
2254	mgmt->frame_control = cpu_to_le16(IEEE80211_FTYPE_MGMT |
2255	IEEE80211_STYPE_ASSOC_REQ);
2256	capab_pos = &mgmt->u.assoc_req.capab_info;
2257	mgmt->u.assoc_req.listen_interval = listen_int;
2258	info.subtype = IEEE80211_STYPE_ASSOC_REQ;
2259	}
2260
2261	/* SSID */
2262	pos = skb_put(skb, len: 2 + assoc_data->ssid_len);
2263	ie_start = pos;
2264	*pos++ = WLAN_EID_SSID;
2265	*pos++ = assoc_data->ssid_len;
2266	memcpy(pos, assoc_data->ssid, assoc_data->ssid_len);
2267
2268	/*
2269	* This bit is technically reserved, so it shouldn't matter for either
2270	* the AP or us, but it also means we shouldn't set it. However, we've
2271	* always set it in the past, and apparently some EHT APs check that
2272	* we don't set it. To avoid interoperability issues with old APs that
2273	* for some reason check it and want it to be set, set the bit for all
2274	* pre-EHT connections as we used to do.
2275	*/
2276	if (link->u.mgd.conn.mode < IEEE80211_CONN_MODE_EHT &&
2277	!ieee80211_hw_check(&local->hw, STRICT))
2278	capab |= WLAN_CAPABILITY_ESS;
2279
2280	/* add the elements for the assoc (main) link */
2281	link_capab = capab;
2282	offset = ieee80211_add_link_elems(sdata, skb, capab: &link_capab,
2283	ext_capa,
2284	extra_elems: assoc_data->ie,
2285	extra_elems_len: assoc_data->ie_len,
2286	link_id: assoc_data->assoc_link_id, link,
2287	present_elems, assoc_data);
2288	put_unaligned_le16(val: link_capab, p: capab_pos);
2289
2290	/* if present, add any custom non-vendor IEs */
2291	if (assoc_data->ie_len) {
2292	noffset = ieee80211_ie_split_vendor(ies: assoc_data->ie,
2293	ielen: assoc_data->ie_len,
2294	offset);
2295	skb_put_data(skb, data: assoc_data->ie + offset, len: noffset - offset);
2296	offset = noffset;
2297	}
2298
2299	if (assoc_data->wmm) {
2300	if (assoc_data->uapsd) {
2301	qos_info = ifmgd->uapsd_queues;
2302	qos_info |= (ifmgd->uapsd_max_sp_len <<
2303	IEEE80211_WMM_IE_STA_QOSINFO_SP_SHIFT);
2304	} else {
2305	qos_info = 0;
2306	}
2307
2308	pos = ieee80211_add_wmm_info_ie(buf: skb_put(skb, len: 9), qosinfo: qos_info);
2309	}
2310
2311	/* add any remaining custom (i.e. vendor specific here) IEs */
2312	if (assoc_data->ie_len) {
2313	noffset = assoc_data->ie_len;
2314	skb_put_data(skb, data: assoc_data->ie + offset, len: noffset - offset);
2315	}
2316
2317	if (assoc_data->fils_kek_len) {
2318	ret = fils_encrypt_assoc_req(skb, assoc_data);
2319	if (ret < 0) {
2320	dev_kfree_skb(skb);
2321	return ret;
2322	}
2323	}
2324
2325	pos = skb_tail_pointer(skb);
2326	kfree(objp: ifmgd->assoc_req_ies);
2327	ifmgd->assoc_req_ies = kmemdup(ie_start, pos - ie_start, GFP_ATOMIC);
2328	if (!ifmgd->assoc_req_ies) {
2329	dev_kfree_skb(skb);
2330	return -ENOMEM;
2331	}
2332
2333	ifmgd->assoc_req_ies_len = pos - ie_start;
2334
2335	info.link_id = assoc_data->assoc_link_id;
2336	drv_mgd_prepare_tx(local, sdata, info: &info);
2337
2338	IEEE80211_SKB_CB(skb)->flags |= IEEE80211_TX_INTFL_DONT_ENCRYPT;
2339	if (ieee80211_hw_check(&local->hw, REPORTS_TX_ACK_STATUS))
2340	IEEE80211_SKB_CB(skb)->flags |= IEEE80211_TX_CTL_REQ_TX_STATUS |
2341	IEEE80211_TX_INTFL_MLME_CONN_TX;
2342	ieee80211_tx_skb(sdata, skb);
2343
2344	return 0;
2345	}
2346
2347	void ieee80211_send_pspoll(struct ieee80211_local *local,
2348	struct ieee80211_sub_if_data *sdata)
2349	{
2350	struct ieee80211_pspoll *pspoll;
2351	struct sk_buff *skb;
2352
2353	skb = ieee80211_pspoll_get(hw: &local->hw, vif: &sdata->vif);
2354	if (!skb)
2355	return;
2356
2357	pspoll = (struct ieee80211_pspoll *) skb->data;
2358	pspoll->frame_control |= cpu_to_le16(IEEE80211_FCTL_PM);
2359
2360	IEEE80211_SKB_CB(skb)->flags |= IEEE80211_TX_INTFL_DONT_ENCRYPT;
2361	ieee80211_tx_skb(sdata, skb);
2362	}
2363
2364	void ieee80211_send_nullfunc(struct ieee80211_local *local,
2365	struct ieee80211_sub_if_data *sdata,
2366	bool powersave)
2367	{
2368	struct sk_buff *skb;
2369	struct ieee80211_hdr_3addr *nullfunc;
2370	struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
2371
2372	skb = ieee80211_nullfunc_get(hw: &local->hw, vif: &sdata->vif, link_id: -1,
2373	qos_ok: !ieee80211_hw_check(&local->hw,
2374	DOESNT_SUPPORT_QOS_NDP));
2375	if (!skb)
2376	return;
2377
2378	nullfunc = (struct ieee80211_hdr_3addr *) skb->data;
2379	if (powersave)
2380	nullfunc->frame_control |= cpu_to_le16(IEEE80211_FCTL_PM);
2381
2382	IEEE80211_SKB_CB(skb)->flags |= IEEE80211_TX_INTFL_DONT_ENCRYPT |
2383	IEEE80211_TX_INTFL_OFFCHAN_TX_OK;
2384
2385	if (ieee80211_hw_check(&local->hw, REPORTS_TX_ACK_STATUS))
2386	IEEE80211_SKB_CB(skb)->flags |= IEEE80211_TX_CTL_REQ_TX_STATUS;
2387
2388	if (ifmgd->flags & IEEE80211_STA_CONNECTION_POLL)
2389	IEEE80211_SKB_CB(skb)->flags |= IEEE80211_TX_CTL_USE_MINRATE;
2390
2391	ieee80211_tx_skb(sdata, skb);
2392	}
2393
2394	void ieee80211_send_4addr_nullfunc(struct ieee80211_local *local,
2395	struct ieee80211_sub_if_data *sdata)
2396	{
2397	struct sk_buff *skb;
2398	struct ieee80211_hdr *nullfunc;
2399	__le16 fc;
2400
2401	if (WARN_ON(sdata->vif.type != NL80211_IFTYPE_STATION))
2402	return;
2403
2404	skb = dev_alloc_skb(length: local->hw.extra_tx_headroom + 30);
2405	if (!skb)
2406	return;
2407
2408	skb_reserve(skb, len: local->hw.extra_tx_headroom);
2409
2410	nullfunc = skb_put_zero(skb, len: 30);
2411	fc = cpu_to_le16(IEEE80211_FTYPE_DATA | IEEE80211_STYPE_NULLFUNC |
2412	IEEE80211_FCTL_FROMDS | IEEE80211_FCTL_TODS);
2413	nullfunc->frame_control = fc;
2414	memcpy(nullfunc->addr1, sdata->deflink.u.mgd.bssid, ETH_ALEN);
2415	memcpy(nullfunc->addr2, sdata->vif.addr, ETH_ALEN);
2416	memcpy(nullfunc->addr3, sdata->deflink.u.mgd.bssid, ETH_ALEN);
2417	memcpy(nullfunc->addr4, sdata->vif.addr, ETH_ALEN);
2418
2419	IEEE80211_SKB_CB(skb)->flags |= IEEE80211_TX_INTFL_DONT_ENCRYPT;
2420	IEEE80211_SKB_CB(skb)->flags |= IEEE80211_TX_CTL_USE_MINRATE;
2421	ieee80211_tx_skb(sdata, skb);
2422	}
2423
2424	/* spectrum management related things */
2425	static void ieee80211_csa_switch_work(struct wiphy *wiphy,
2426	struct wiphy_work *work)
2427	{
2428	struct ieee80211_link_data *link =
2429	container_of(work, struct ieee80211_link_data,
2430	u.mgd.csa.switch_work.work);
2431	struct ieee80211_sub_if_data *sdata = link->sdata;
2432	struct ieee80211_local *local = sdata->local;
2433	struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
2434	int ret;
2435
2436	if (!ieee80211_sdata_running(sdata))
2437	return;
2438
2439	lockdep_assert_wiphy(local->hw.wiphy);
2440
2441	if (!ifmgd->associated)
2442	return;
2443
2444	if (!link->conf->csa_active)
2445	return;
2446
2447	/*
2448	* If the link isn't active (now), we cannot wait for beacons, won't
2449	* have a reserved chanctx, etc. Just switch over the chandef and
2450	* update cfg80211 directly.
2451	*/
2452	if (!ieee80211_vif_link_active(vif: &sdata->vif, link_id: link->link_id)) {
2453	struct link_sta_info *link_sta;
2454	struct sta_info *ap_sta;
2455
2456	link->conf->chanreq = link->csa.chanreq;
2457	cfg80211_ch_switch_notify(dev: sdata->dev, chandef: &link->csa.chanreq.oper,
2458	link_id: link->link_id);
2459	link->conf->csa_active = false;
2460
2461	ap_sta = sta_info_get(sdata, addr: sdata->vif.cfg.ap_addr);
2462	if (WARN_ON(!ap_sta))
2463	return;
2464
2465	link_sta = wiphy_dereference(wiphy,
2466	ap_sta->link[link->link_id]);
2467	if (WARN_ON(!link_sta))
2468	return;
2469
2470	link_sta->pub->bandwidth =
2471	_ieee80211_sta_cur_vht_bw(link_sta,
2472	chandef: &link->csa.chanreq.oper);
2473	return;
2474	}
2475
2476	/*
2477	* using reservation isn't immediate as it may be deferred until later
2478	* with multi-vif. once reservation is complete it will re-schedule the
2479	* work with no reserved_chanctx so verify chandef to check if it
2480	* completed successfully
2481	*/
2482
2483	if (link->reserved_chanctx) {
2484	/*
2485	* with multi-vif csa driver may call ieee80211_csa_finish()
2486	* many times while waiting for other interfaces to use their
2487	* reservations
2488	*/
2489	if (link->reserved_ready)
2490	return;
2491
2492	ret = ieee80211_link_use_reserved_context(link);
2493	if (ret) {
2494	link_info(link,
2495	"failed to use reserved channel context, disconnecting (err=%d)\n",
2496	ret);
2497	wiphy_work_queue(wiphy: sdata->local->hw.wiphy,
2498	work: &ifmgd->csa_connection_drop_work);
2499	}
2500	return;
2501	}
2502
2503	if (!ieee80211_chanreq_identical(a: &link->conf->chanreq,
2504	b: &link->csa.chanreq)) {
2505	link_info(link,
2506	"failed to finalize channel switch, disconnecting\n");
2507	wiphy_work_queue(wiphy: sdata->local->hw.wiphy,
2508	work: &ifmgd->csa_connection_drop_work);
2509	return;
2510	}
2511
2512	link->u.mgd.csa.waiting_bcn = true;
2513
2514	/*
2515	* The next beacon really should always be different, so this should
2516	* have no effect whatsoever. However, some APs (we observed this in
2517	* an Asus AXE11000), the beacon after the CSA might be identical to
2518	* the last beacon on the old channel - in this case we'd ignore it.
2519	* Resetting the CRC will lead us to handle it better (albeit with a
2520	* disconnect, but clearly the AP is broken.)
2521	*/
2522	link->u.mgd.beacon_crc_valid = false;
2523
2524	/* apply new TPE restrictions immediately on the new channel */
2525	if (link->u.mgd.csa.ap_chandef.chan->band == NL80211_BAND_6GHZ &&
2526	link->u.mgd.conn.mode >= IEEE80211_CONN_MODE_HE) {
2527	ieee80211_rearrange_tpe(tpe: &link->u.mgd.csa.tpe,
2528	ap: &link->u.mgd.csa.ap_chandef,
2529	used: &link->conf->chanreq.oper);
2530	if (memcmp(p: &link->conf->tpe, q: &link->u.mgd.csa.tpe,
2531	size: sizeof(link->u.mgd.csa.tpe))) {
2532	link->conf->tpe = link->u.mgd.csa.tpe;
2533	ieee80211_link_info_change_notify(sdata, link,
2534	changed: BSS_CHANGED_TPE);
2535	}
2536	}
2537
2538	/*
2539	* It is not necessary to reset these timers if any link does not
2540	* have an active CSA and that link still receives the beacons
2541	* when other links have active CSA.
2542	*/
2543	for_each_link_data(sdata, link) {
2544	if (!link->conf->csa_active)
2545	return;
2546	}
2547
2548	/*
2549	* Reset the beacon monitor and connection monitor timers when CSA
2550	* is active for all links in MLO when channel switch occurs in all
2551	* the links.
2552	*/
2553	ieee80211_sta_reset_beacon_monitor(sdata);
2554	ieee80211_sta_reset_conn_monitor(sdata);
2555	}
2556
2557	static void ieee80211_chswitch_post_beacon(struct ieee80211_link_data *link)
2558	{
2559	struct ieee80211_sub_if_data *sdata = link->sdata;
2560	struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
2561	int ret;
2562
2563	lockdep_assert_wiphy(sdata->local->hw.wiphy);
2564
2565	WARN_ON(!link->conf->csa_active);
2566
2567	ieee80211_vif_unblock_queues_csa(sdata);
2568
2569	link->conf->csa_active = false;
2570	link->u.mgd.csa.blocked_tx = false;
2571	link->u.mgd.csa.waiting_bcn = false;
2572
2573	ret = drv_post_channel_switch(link);
2574	if (ret) {
2575	link_info(link,
2576	"driver post channel switch failed, disconnecting\n");
2577	wiphy_work_queue(wiphy: sdata->local->hw.wiphy,
2578	work: &ifmgd->csa_connection_drop_work);
2579	return;
2580	}
2581
2582	cfg80211_ch_switch_notify(dev: sdata->dev, chandef: &link->conf->chanreq.oper,
2583	link_id: link->link_id);
2584	}
2585
2586	void ieee80211_chswitch_done(struct ieee80211_vif *vif, bool success,
2587	unsigned int link_id)
2588	{
2589	struct ieee80211_sub_if_data *sdata = vif_to_sdata(p: vif);
2590
2591	trace_api_chswitch_done(sdata, success, link_id);
2592
2593	rcu_read_lock();
2594
2595	if (!success) {
2596	sdata_info(sdata,
2597	"driver channel switch failed (link %d), disconnecting\n",
2598	link_id);
2599	wiphy_work_queue(wiphy: sdata->local->hw.wiphy,
2600	work: &sdata->u.mgd.csa_connection_drop_work);
2601	} else {
2602	struct ieee80211_link_data *link =
2603	rcu_dereference(sdata->link[link_id]);
2604
2605	if (WARN_ON(!link)) {
2606	rcu_read_unlock();
2607	return;
2608	}
2609
2610	wiphy_hrtimer_work_queue(wiphy: sdata->local->hw.wiphy,
2611	hrwork: &link->u.mgd.csa.switch_work, delay: 0);
2612	}
2613
2614	rcu_read_unlock();
2615	}
2616	EXPORT_SYMBOL(ieee80211_chswitch_done);
2617
2618	static void
2619	ieee80211_sta_abort_chanswitch(struct ieee80211_link_data *link)
2620	{
2621	struct ieee80211_sub_if_data *sdata = link->sdata;
2622	struct ieee80211_local *local = sdata->local;
2623
2624	lockdep_assert_wiphy(local->hw.wiphy);
2625
2626	if (!local->ops->abort_channel_switch)
2627	return;
2628
2629	if (rcu_access_pointer(link->conf->chanctx_conf))
2630	ieee80211_link_unreserve_chanctx(link);
2631
2632	ieee80211_vif_unblock_queues_csa(sdata);
2633
2634	link->conf->csa_active = false;
2635	link->u.mgd.csa.blocked_tx = false;
2636
2637	drv_abort_channel_switch(link);
2638	}
2639
2640	struct sta_csa_rnr_iter_data {
2641	struct ieee80211_link_data *link;
2642	struct ieee80211_channel *chan;
2643	u8 mld_id;
2644	};
2645
2646	static enum cfg80211_rnr_iter_ret
2647	ieee80211_sta_csa_rnr_iter(void *_data, u8 type,
2648	const struct ieee80211_neighbor_ap_info *info,
2649	const u8 *tbtt_info, u8 tbtt_info_len)
2650	{
2651	struct sta_csa_rnr_iter_data *data = _data;
2652	struct ieee80211_link_data *link = data->link;
2653	struct ieee80211_sub_if_data *sdata = link->sdata;
2654	struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
2655	const struct ieee80211_tbtt_info_ge_11 *ti;
2656	enum nl80211_band band;
2657	unsigned int center_freq;
2658	int link_id;
2659
2660	if (type != IEEE80211_TBTT_INFO_TYPE_TBTT)
2661	return RNR_ITER_CONTINUE;
2662
2663	if (tbtt_info_len < sizeof(*ti))
2664	return RNR_ITER_CONTINUE;
2665
2666	ti = (const void *)tbtt_info;
2667
2668	if (ti->mld_params.mld_id != data->mld_id)
2669	return RNR_ITER_CONTINUE;
2670
2671	link_id = le16_get_bits(v: ti->mld_params.params,
2672	IEEE80211_RNR_MLD_PARAMS_LINK_ID);
2673	if (link_id != data->link->link_id)
2674	return RNR_ITER_CONTINUE;
2675
2676	/* we found the entry for our link! */
2677
2678	/* this AP is confused, it had this right before ... just disconnect */
2679	if (!ieee80211_operating_class_to_band(operating_class: info->op_class, band: &band)) {
2680	link_info(link,
2681	"AP now has invalid operating class in RNR, disconnect\n");
2682	wiphy_work_queue(wiphy: sdata->local->hw.wiphy,
2683	work: &ifmgd->csa_connection_drop_work);
2684	return RNR_ITER_BREAK;
2685	}
2686
2687	center_freq = ieee80211_channel_to_frequency(chan: info->channel, band);
2688	data->chan = ieee80211_get_channel(wiphy: sdata->local->hw.wiphy, freq: center_freq);
2689
2690	return RNR_ITER_BREAK;
2691	}
2692
2693	static void
2694	ieee80211_sta_other_link_csa_disappeared(struct ieee80211_link_data *link,
2695	struct ieee802_11_elems *elems)
2696	{
2697	struct ieee80211_sub_if_data *sdata = link->sdata;
2698	struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
2699	struct sta_csa_rnr_iter_data data = {
2700	.link = link,
2701	};
2702
2703	/*
2704	* If we get here, we see a beacon from another link without
2705	* CSA still being reported for it, so now we have to check
2706	* if the CSA was aborted or completed. This may not even be
2707	* perfectly possible if the CSA was only done for changing
2708	* the puncturing, but in that case if the link in inactive
2709	* we don't really care, and if it's an active link (or when
2710	* it's activated later) we'll get a beacon and adjust.
2711	*/
2712
2713	if (WARN_ON(!elems->ml_basic))
2714	return;
2715
2716	data.mld_id = ieee80211_mle_get_mld_id(data: (const void *)elems->ml_basic);
2717
2718	/*
2719	* So in order to do this, iterate the RNR element(s) and see
2720	* what channel is reported now.
2721	*/
2722	cfg80211_iter_rnr(elems: elems->ie_start, elems_len: elems->total_len,
2723	iter: ieee80211_sta_csa_rnr_iter, iter_data: &data);
2724
2725	if (!data.chan) {
2726	link_info(link,
2727	"couldn't find (valid) channel in RNR for CSA, disconnect\n");
2728	wiphy_work_queue(wiphy: sdata->local->hw.wiphy,
2729	work: &ifmgd->csa_connection_drop_work);
2730	return;
2731	}
2732
2733	/*
2734	* If it doesn't match the CSA, then assume it aborted. This
2735	* may erroneously detect that it was _not_ aborted when it
2736	* was in fact aborted, but only changed the bandwidth or the
2737	* puncturing configuration, but we don't have enough data to
2738	* detect that.
2739	*/
2740	if (data.chan != link->csa.chanreq.oper.chan)
2741	ieee80211_sta_abort_chanswitch(link);
2742	}
2743
2744	enum ieee80211_csa_source {
2745	IEEE80211_CSA_SOURCE_BEACON,
2746	IEEE80211_CSA_SOURCE_OTHER_LINK,
2747	IEEE80211_CSA_SOURCE_PROT_ACTION,
2748	IEEE80211_CSA_SOURCE_UNPROT_ACTION,
2749	};
2750
2751	static void
2752	ieee80211_sta_process_chanswitch(struct ieee80211_link_data *link,
2753	u64 timestamp, u32 device_timestamp,
2754	struct ieee802_11_elems *full_elems,
2755	struct ieee802_11_elems *csa_elems,
2756	enum ieee80211_csa_source source)
2757	{
2758	struct ieee80211_sub_if_data *sdata = link->sdata;
2759	struct ieee80211_local *local = sdata->local;
2760	struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
2761	struct ieee80211_chanctx *chanctx = NULL;
2762	struct ieee80211_chanctx_conf *conf;
2763	struct ieee80211_csa_ie csa_ie = {};
2764	struct ieee80211_channel_switch ch_switch = {
2765	.link_id = link->link_id,
2766	.timestamp = timestamp,
2767	.device_timestamp = device_timestamp,
2768	};
2769	u32 csa_time_tu;
2770	ktime_t now;
2771	int res;
2772
2773	lockdep_assert_wiphy(local->hw.wiphy);
2774
2775	if (csa_elems) {
2776	struct cfg80211_bss *cbss = link->conf->bss;
2777	enum nl80211_band current_band;
2778	struct ieee80211_bss *bss;
2779
2780	if (WARN_ON(!cbss))
2781	return;
2782
2783	current_band = cbss->channel->band;
2784	bss = (void *)cbss->priv;
2785
2786	res = ieee80211_parse_ch_switch_ie(sdata, elems: csa_elems,
2787	current_band,
2788	vht_cap_info: bss->vht_cap_info,
2789	conn: &link->u.mgd.conn,
2790	bssid: link->u.mgd.bssid,
2791	unprot_action: source == IEEE80211_CSA_SOURCE_UNPROT_ACTION,
2792	csa_ie: &csa_ie);
2793	if (res == 0) {
2794	ch_switch.block_tx = csa_ie.mode;
2795	ch_switch.chandef = csa_ie.chanreq.oper;
2796	ch_switch.count = csa_ie.count;
2797	ch_switch.delay = csa_ie.max_switch_time;
2798	}
2799
2800	link->u.mgd.csa.tpe = csa_elems->csa_tpe;
2801	} else {
2802	/*
2803	* If there was no per-STA profile for this link, we
2804	* get called with csa_elems == NULL. This of course means
2805	* there are no CSA elements, so set res=1 indicating
2806	* no more CSA.
2807	*/
2808	res = 1;
2809	}
2810
2811	if (res < 0) {
2812	/* ignore this case, not a protected frame */
2813	if (source == IEEE80211_CSA_SOURCE_UNPROT_ACTION)
2814	return;
2815	goto drop_connection;
2816	}
2817
2818	if (link->conf->csa_active) {
2819	switch (source) {
2820	case IEEE80211_CSA_SOURCE_PROT_ACTION:
2821	case IEEE80211_CSA_SOURCE_UNPROT_ACTION:
2822	/* already processing - disregard action frames */
2823	return;
2824	case IEEE80211_CSA_SOURCE_BEACON:
2825	if (link->u.mgd.csa.waiting_bcn) {
2826	ieee80211_chswitch_post_beacon(link);
2827	/*
2828	* If the CSA is still present after the switch
2829	* we need to consider it as a new CSA (possibly
2830	* to self). This happens by not returning here
2831	* so we'll get to the check below.
2832	*/
2833	} else if (res) {
2834	ieee80211_sta_abort_chanswitch(link);
2835	return;
2836	} else {
2837	drv_channel_switch_rx_beacon(sdata, ch_switch: &ch_switch);
2838	return;
2839	}
2840	break;
2841	case IEEE80211_CSA_SOURCE_OTHER_LINK:
2842	/* active link: we want to see the beacon to continue */
2843	if (ieee80211_vif_link_active(vif: &sdata->vif,
2844	link_id: link->link_id))
2845	return;
2846
2847	/* switch work ran, so just complete the process */
2848	if (link->u.mgd.csa.waiting_bcn) {
2849	ieee80211_chswitch_post_beacon(link);
2850	/*
2851	* If the CSA is still present after the switch
2852	* we need to consider it as a new CSA (possibly
2853	* to self). This happens by not returning here
2854	* so we'll get to the check below.
2855	*/
2856	break;
2857	}
2858
2859	/* link still has CSA but we already know, do nothing */
2860	if (!res)
2861	return;
2862
2863	/* check in the RNR if the CSA aborted */
2864	ieee80211_sta_other_link_csa_disappeared(link,
2865	elems: full_elems);
2866	return;
2867	}
2868	}
2869
2870	/* no active CSA nor a new one */
2871	if (res) {
2872	/*
2873	* However, we may have stopped queues when receiving a public
2874	* action frame that couldn't be protected, if it had the quiet
2875	* bit set. This is a trade-off, we want to be quiet as soon as
2876	* possible, but also don't trust the public action frame much,
2877	* as it can't be protected.
2878	*/
2879	if (unlikely(link->u.mgd.csa.blocked_tx)) {
2880	link->u.mgd.csa.blocked_tx = false;
2881	ieee80211_vif_unblock_queues_csa(sdata);
2882	}
2883	return;
2884	}
2885
2886	/*
2887	* We don't really trust public action frames, but block queues (go to
2888	* quiet mode) for them anyway, we should get a beacon soon to either
2889	* know what the CSA really is, or figure out the public action frame
2890	* was actually an attack.
2891	*/
2892	if (source == IEEE80211_CSA_SOURCE_UNPROT_ACTION) {
2893	if (csa_ie.mode) {
2894	link->u.mgd.csa.blocked_tx = true;
2895	ieee80211_vif_block_queues_csa(sdata);
2896	}
2897	return;
2898	}
2899
2900	if (link->conf->chanreq.oper.chan->band !=
2901	csa_ie.chanreq.oper.chan->band) {
2902	link_info(link,
2903	"AP %pM switches to different band (%d MHz, width:%d, CF1/2: %d/%d MHz), disconnecting\n",
2904	link->u.mgd.bssid,
2905	csa_ie.chanreq.oper.chan->center_freq,
2906	csa_ie.chanreq.oper.width,
2907	csa_ie.chanreq.oper.center_freq1,
2908	csa_ie.chanreq.oper.center_freq2);
2909	goto drop_connection;
2910	}
2911
2912	if (!cfg80211_chandef_usable(wiphy: local->hw.wiphy, chandef: &csa_ie.chanreq.oper,
2913	prohibited_flags: IEEE80211_CHAN_DISABLED)) {
2914	link_info(link,
2915	"AP %pM switches to unsupported channel (%d.%03d MHz, width:%d, CF1/2: %d.%03d/%d MHz), disconnecting\n",
2916	link->u.mgd.bssid,
2917	csa_ie.chanreq.oper.chan->center_freq,
2918	csa_ie.chanreq.oper.chan->freq_offset,
2919	csa_ie.chanreq.oper.width,
2920	csa_ie.chanreq.oper.center_freq1,
2921	csa_ie.chanreq.oper.freq1_offset,
2922	csa_ie.chanreq.oper.center_freq2);
2923	goto drop_connection;
2924	}
2925
2926	if (cfg80211_chandef_identical(chandef1: &csa_ie.chanreq.oper,
2927	chandef2: &link->conf->chanreq.oper) &&
2928	(!csa_ie.mode || source != IEEE80211_CSA_SOURCE_BEACON)) {
2929	if (link->u.mgd.csa.ignored_same_chan)
2930	return;
2931	link_info(link,
2932	"AP %pM tries to chanswitch to same channel, ignore\n",
2933	link->u.mgd.bssid);
2934	link->u.mgd.csa.ignored_same_chan = true;
2935	return;
2936	}
2937
2938	/*
2939	* Drop all TDLS peers on the affected link - either we disconnect or
2940	* move to a different channel from this point on. There's no telling
2941	* what our peer will do.
2942	* The TDLS WIDER_BW scenario is also problematic, as peers might now
2943	* have an incompatible wider chandef.
2944	*/
2945	ieee80211_teardown_tdls_peers(link);
2946
2947	conf = rcu_dereference_protected(link->conf->chanctx_conf,
2948	lockdep_is_held(&local->hw.wiphy->mtx));
2949	if (ieee80211_vif_link_active(vif: &sdata->vif, link_id: link->link_id) && !conf) {
2950	link_info(link,
2951	"no channel context assigned to vif?, disconnecting\n");
2952	goto drop_connection;
2953	}
2954
2955	if (conf)
2956	chanctx = container_of(conf, struct ieee80211_chanctx, conf);
2957
2958	if (!ieee80211_hw_check(&local->hw, CHANCTX_STA_CSA)) {
2959	link_info(link,
2960	"driver doesn't support chan-switch with channel contexts\n");
2961	goto drop_connection;
2962	}
2963
2964	if (drv_pre_channel_switch(sdata, ch_switch: &ch_switch)) {
2965	link_info(link,
2966	"preparing for channel switch failed, disconnecting\n");
2967	goto drop_connection;
2968	}
2969
2970	link->u.mgd.csa.ap_chandef = csa_ie.chanreq.ap;
2971
2972	link->csa.chanreq.oper = csa_ie.chanreq.oper;
2973	ieee80211_set_chanreq_ap(sdata, chanreq: &link->csa.chanreq, conn: &link->u.mgd.conn,
2974	ap_chandef: &csa_ie.chanreq.ap);
2975
2976	if (chanctx) {
2977	res = ieee80211_link_reserve_chanctx(link, req: &link->csa.chanreq,
2978	mode: chanctx->mode, radar_required: false);
2979	if (res) {
2980	link_info(link,
2981	"failed to reserve channel context for channel switch, disconnecting (err=%d)\n",
2982	res);
2983	goto drop_connection;
2984	}
2985	}
2986
2987	link->conf->csa_active = true;
2988	link->u.mgd.csa.ignored_same_chan = false;
2989	link->u.mgd.beacon_crc_valid = false;
2990	link->u.mgd.csa.blocked_tx = csa_ie.mode;
2991
2992	if (csa_ie.mode)
2993	ieee80211_vif_block_queues_csa(sdata);
2994
2995	cfg80211_ch_switch_started_notify(dev: sdata->dev, chandef: &csa_ie.chanreq.oper,
2996	link_id: link->link_id, count: csa_ie.count,
2997	quiet: csa_ie.mode);
2998
2999	/* we may have to handle timeout for deactivated link in software */
3000	now = ktime_get_boottime();
3001	csa_time_tu = (max_t(int, csa_ie.count, 1) - 1) * link->conf->beacon_int;
3002	link->u.mgd.csa.time = now + us_to_ktime(us: ieee80211_tu_to_usec(tu: csa_time_tu));
3003
3004	if (ieee80211_vif_link_active(vif: &sdata->vif, link_id: link->link_id) &&
3005	local->ops->channel_switch) {
3006	/*
3007	* Use driver's channel switch callback, the driver will
3008	* later call ieee80211_chswitch_done(). It may deactivate
3009	* the link as well, we handle that elsewhere and queue
3010	* the csa.switch_work for the calculated time then.
3011	*/
3012	drv_channel_switch(local, sdata, ch_switch: &ch_switch);
3013	return;
3014	}
3015
3016	/* channel switch handled in software */
3017	wiphy_hrtimer_work_queue(wiphy: local->hw.wiphy,
3018	hrwork: &link->u.mgd.csa.switch_work,
3019	delay: link->u.mgd.csa.time - now);
3020	return;
3021	drop_connection:
3022	/*
3023	* This is just so that the disconnect flow will know that
3024	* we were trying to switch channel and failed. In case the
3025	* mode is 1 (we are not allowed to Tx), we will know not to
3026	* send a deauthentication frame. Those two fields will be
3027	* reset when the disconnection worker runs.
3028	*/
3029	link->conf->csa_active = true;
3030	link->u.mgd.csa.blocked_tx = csa_ie.mode;
3031
3032	wiphy_work_queue(wiphy: sdata->local->hw.wiphy,
3033	work: &ifmgd->csa_connection_drop_work);
3034	}
3035
3036	struct sta_bss_param_ch_cnt_data {
3037	struct ieee80211_sub_if_data *sdata;
3038	u8 reporting_link_id;
3039	u8 mld_id;
3040	};
3041
3042	static enum cfg80211_rnr_iter_ret
3043	ieee80211_sta_bss_param_ch_cnt_iter(void *_data, u8 type,
3044	const struct ieee80211_neighbor_ap_info *info,
3045	const u8 *tbtt_info, u8 tbtt_info_len)
3046	{
3047	struct sta_bss_param_ch_cnt_data *data = _data;
3048	struct ieee80211_sub_if_data *sdata = data->sdata;
3049	const struct ieee80211_tbtt_info_ge_11 *ti;
3050	u8 bss_param_ch_cnt;
3051	int link_id;
3052
3053	if (type != IEEE80211_TBTT_INFO_TYPE_TBTT)
3054	return RNR_ITER_CONTINUE;
3055
3056	if (tbtt_info_len < sizeof(*ti))
3057	return RNR_ITER_CONTINUE;
3058
3059	ti = (const void *)tbtt_info;
3060
3061	if (ti->mld_params.mld_id != data->mld_id)
3062	return RNR_ITER_CONTINUE;
3063
3064	link_id = le16_get_bits(v: ti->mld_params.params,
3065	IEEE80211_RNR_MLD_PARAMS_LINK_ID);
3066	bss_param_ch_cnt =
3067	le16_get_bits(v: ti->mld_params.params,
3068	IEEE80211_RNR_MLD_PARAMS_BSS_CHANGE_COUNT);
3069
3070	if (bss_param_ch_cnt != 255 &&
3071	link_id < ARRAY_SIZE(sdata->link)) {
3072	struct ieee80211_link_data *link =
3073	sdata_dereference(sdata->link[link_id], sdata);
3074
3075	if (link && link->conf->bss_param_ch_cnt != bss_param_ch_cnt) {
3076	link->conf->bss_param_ch_cnt = bss_param_ch_cnt;
3077	link->conf->bss_param_ch_cnt_link_id =
3078	data->reporting_link_id;
3079	}
3080	}
3081
3082	return RNR_ITER_CONTINUE;
3083	}
3084
3085	static void
3086	ieee80211_mgd_update_bss_param_ch_cnt(struct ieee80211_sub_if_data *sdata,
3087	struct ieee80211_bss_conf *bss_conf,
3088	struct ieee802_11_elems *elems)
3089	{
3090	struct sta_bss_param_ch_cnt_data data = {
3091	.reporting_link_id = bss_conf->link_id,
3092	.sdata = sdata,
3093	};
3094	int bss_param_ch_cnt;
3095
3096	if (!elems->ml_basic)
3097	return;
3098
3099	data.mld_id = ieee80211_mle_get_mld_id(data: (const void *)elems->ml_basic);
3100
3101	cfg80211_iter_rnr(elems: elems->ie_start, elems_len: elems->total_len,
3102	iter: ieee80211_sta_bss_param_ch_cnt_iter, iter_data: &data);
3103
3104	bss_param_ch_cnt =
3105	ieee80211_mle_get_bss_param_ch_cnt(data: (const void *)elems->ml_basic);
3106
3107	/*
3108	* Update bss_param_ch_cnt_link_id even if bss_param_ch_cnt
3109	* didn't change to indicate that we got a beacon on our own
3110	* link.
3111	*/
3112	if (bss_param_ch_cnt >= 0 && bss_param_ch_cnt != 255) {
3113	bss_conf->bss_param_ch_cnt = bss_param_ch_cnt;
3114	bss_conf->bss_param_ch_cnt_link_id =
3115	bss_conf->link_id;
3116	}
3117	}
3118
3119	static bool
3120	ieee80211_find_80211h_pwr_constr(struct ieee80211_channel *channel,
3121	const u8 *country_ie, u8 country_ie_len,
3122	const u8 *pwr_constr_elem,
3123	int *chan_pwr, int *pwr_reduction)
3124	{
3125	struct ieee80211_country_ie_triplet *triplet;
3126	int chan = ieee80211_frequency_to_channel(freq: channel->center_freq);
3127	int i, chan_increment;
3128	bool have_chan_pwr = false;
3129
3130	/* Invalid IE */
3131	if (country_ie_len % 2 || country_ie_len < IEEE80211_COUNTRY_IE_MIN_LEN)
3132	return false;
3133
3134	triplet = (void *)(country_ie + 3);
3135	country_ie_len -= 3;
3136
3137	switch (channel->band) {
3138	default:
3139	WARN_ON_ONCE(1);
3140	fallthrough;
3141	case NL80211_BAND_2GHZ:
3142	case NL80211_BAND_60GHZ:
3143	case NL80211_BAND_LC:
3144	chan_increment = 1;
3145	break;
3146	case NL80211_BAND_5GHZ:
3147	chan_increment = 4;
3148	break;
3149	case NL80211_BAND_6GHZ:
3150	/*
3151	* In the 6 GHz band, the "maximum transmit power level"
3152	* field in the triplets is reserved, and thus will be
3153	* zero and we shouldn't use it to control TX power.
3154	* The actual TX power will be given in the transmit
3155	* power envelope element instead.
3156	*/
3157	return false;
3158	}
3159
3160	/* find channel */
3161	while (country_ie_len >= 3) {
3162	u8 first_channel = triplet->chans.first_channel;
3163
3164	if (first_channel >= IEEE80211_COUNTRY_EXTENSION_ID)
3165	goto next;
3166
3167	for (i = 0; i < triplet->chans.num_channels; i++) {
3168	if (first_channel + i * chan_increment == chan) {
3169	have_chan_pwr = true;
3170	*chan_pwr = triplet->chans.max_power;
3171	break;
3172	}
3173	}
3174	if (have_chan_pwr)
3175	break;
3176
3177	next:
3178	triplet++;
3179	country_ie_len -= 3;
3180	}
3181
3182	if (have_chan_pwr && pwr_constr_elem)
3183	*pwr_reduction = *pwr_constr_elem;
3184	else
3185	*pwr_reduction = 0;
3186
3187	return have_chan_pwr;
3188	}
3189
3190	static void ieee80211_find_cisco_dtpc(struct ieee80211_channel *channel,
3191	const u8 *cisco_dtpc_ie,
3192	int *pwr_level)
3193	{
3194	/* From practical testing, the first data byte of the DTPC element
3195	* seems to contain the requested dBm level, and the CLI on Cisco
3196	* APs clearly state the range is -127 to 127 dBm, which indicates
3197	* a signed byte, although it seemingly never actually goes negative.
3198	* The other byte seems to always be zero.
3199	*/
3200	*pwr_level = (__s8)cisco_dtpc_ie[4];
3201	}
3202
3203	static u64 ieee80211_handle_pwr_constr(struct ieee80211_link_data *link,
3204	struct ieee80211_channel *channel,
3205	struct ieee80211_mgmt *mgmt,
3206	const u8 *country_ie, u8 country_ie_len,
3207	const u8 *pwr_constr_ie,
3208	const u8 *cisco_dtpc_ie)
3209	{
3210	struct ieee80211_sub_if_data *sdata = link->sdata;
3211	bool has_80211h_pwr = false, has_cisco_pwr = false;
3212	int chan_pwr = 0, pwr_reduction_80211h = 0;
3213	int pwr_level_cisco, pwr_level_80211h;
3214	int new_ap_level;
3215	__le16 capab = mgmt->u.probe_resp.capab_info;
3216
3217	if (ieee80211_is_s1g_beacon(fc: mgmt->frame_control))
3218	return 0; /* TODO */
3219
3220	if (country_ie &&
3221	(capab & cpu_to_le16(WLAN_CAPABILITY_SPECTRUM_MGMT) ||
3222	capab & cpu_to_le16(WLAN_CAPABILITY_RADIO_MEASURE))) {
3223	has_80211h_pwr = ieee80211_find_80211h_pwr_constr(
3224	channel, country_ie, country_ie_len,
3225	pwr_constr_elem: pwr_constr_ie, chan_pwr: &chan_pwr, pwr_reduction: &pwr_reduction_80211h);
3226	pwr_level_80211h =
3227	max_t(int, 0, chan_pwr - pwr_reduction_80211h);
3228	}
3229
3230	if (cisco_dtpc_ie) {
3231	ieee80211_find_cisco_dtpc(
3232	channel, cisco_dtpc_ie, pwr_level: &pwr_level_cisco);
3233	has_cisco_pwr = true;
3234	}
3235
3236	if (!has_80211h_pwr && !has_cisco_pwr)
3237	return 0;
3238
3239	/* If we have both 802.11h and Cisco DTPC, apply both limits
3240	* by picking the smallest of the two power levels advertised.
3241	*/
3242	if (has_80211h_pwr &&
3243	(!has_cisco_pwr || pwr_level_80211h <= pwr_level_cisco)) {
3244	new_ap_level = pwr_level_80211h;
3245
3246	if (link->ap_power_level == new_ap_level)
3247	return 0;
3248
3249	sdata_dbg(sdata,
3250	"Limiting TX power to %d (%d - %d) dBm as advertised by %pM\n",
3251	pwr_level_80211h, chan_pwr, pwr_reduction_80211h,
3252	link->u.mgd.bssid);
3253	} else { /* has_cisco_pwr is always true here. */
3254	new_ap_level = pwr_level_cisco;
3255
3256	if (link->ap_power_level == new_ap_level)
3257	return 0;
3258
3259	sdata_dbg(sdata,
3260	"Limiting TX power to %d dBm as advertised by %pM\n",
3261	pwr_level_cisco, link->u.mgd.bssid);
3262	}
3263
3264	link->ap_power_level = new_ap_level;
3265	if (__ieee80211_recalc_txpower(link))
3266	return BSS_CHANGED_TXPOWER;
3267	return 0;
3268	}
3269
3270	/* powersave */
3271	static void ieee80211_enable_ps(struct ieee80211_local *local,
3272	struct ieee80211_sub_if_data *sdata)
3273	{
3274	struct ieee80211_conf *conf = &local->hw.conf;
3275
3276	/*
3277	* If we are scanning right now then the parameters will
3278	* take effect when scan finishes.
3279	*/
3280	if (local->scanning)
3281	return;
3282
3283	if (conf->dynamic_ps_timeout > 0 &&
3284	!ieee80211_hw_check(&local->hw, SUPPORTS_DYNAMIC_PS)) {
3285	mod_timer(timer: &local->dynamic_ps_timer, expires: jiffies +
3286	msecs_to_jiffies(m: conf->dynamic_ps_timeout));
3287	} else {
3288	if (ieee80211_hw_check(&local->hw, PS_NULLFUNC_STACK))
3289	ieee80211_send_nullfunc(local, sdata, powersave: true);
3290
3291	if (ieee80211_hw_check(&local->hw, PS_NULLFUNC_STACK) &&
3292	ieee80211_hw_check(&local->hw, REPORTS_TX_ACK_STATUS))
3293	return;
3294
3295	conf->flags |= IEEE80211_CONF_PS;
3296	ieee80211_hw_config(local, radio_idx: -1, changed: IEEE80211_CONF_CHANGE_PS);
3297	}
3298	}
3299
3300	static void ieee80211_change_ps(struct ieee80211_local *local)
3301	{
3302	struct ieee80211_conf *conf = &local->hw.conf;
3303
3304	if (local->ps_sdata) {
3305	ieee80211_enable_ps(local, sdata: local->ps_sdata);
3306	} else if (conf->flags & IEEE80211_CONF_PS) {
3307	conf->flags &= ~IEEE80211_CONF_PS;
3308	ieee80211_hw_config(local, radio_idx: -1, changed: IEEE80211_CONF_CHANGE_PS);
3309	timer_delete_sync(timer: &local->dynamic_ps_timer);
3310	wiphy_work_cancel(wiphy: local->hw.wiphy,
3311	work: &local->dynamic_ps_enable_work);
3312	}
3313	}
3314
3315	static bool ieee80211_powersave_allowed(struct ieee80211_sub_if_data *sdata)
3316	{
3317	struct ieee80211_local *local = sdata->local;
3318	struct ieee80211_if_managed *mgd = &sdata->u.mgd;
3319	struct sta_info *sta = NULL;
3320	bool authorized = false;
3321
3322	if (!mgd->powersave)
3323	return false;
3324
3325	if (mgd->broken_ap)
3326	return false;
3327
3328	if (!mgd->associated)
3329	return false;
3330
3331	if (mgd->flags & IEEE80211_STA_CONNECTION_POLL)
3332	return false;
3333
3334	if (!(local->hw.wiphy->flags & WIPHY_FLAG_SUPPORTS_MLO) &&
3335	!sdata->deflink.u.mgd.have_beacon)
3336	return false;
3337
3338	rcu_read_lock();
3339	sta = sta_info_get(sdata, addr: sdata->vif.cfg.ap_addr);
3340	if (sta)
3341	authorized = test_sta_flag(sta, flag: WLAN_STA_AUTHORIZED);
3342	rcu_read_unlock();
3343
3344	return authorized;
3345	}
3346
3347	/* need to hold RTNL or interface lock */
3348	void ieee80211_recalc_ps(struct ieee80211_local *local)
3349	{
3350	struct ieee80211_sub_if_data *sdata, *found = NULL;
3351	int count = 0;
3352	int timeout;
3353
3354	if (!ieee80211_hw_check(&local->hw, SUPPORTS_PS) ||
3355	ieee80211_hw_check(&local->hw, SUPPORTS_DYNAMIC_PS)) {
3356	local->ps_sdata = NULL;
3357	return;
3358	}
3359
3360	list_for_each_entry(sdata, &local->interfaces, list) {
3361	if (!ieee80211_sdata_running(sdata))
3362	continue;
3363	if (sdata->vif.type == NL80211_IFTYPE_AP) {
3364	/* If an AP vif is found, then disable PS
3365	* by setting the count to zero thereby setting
3366	* ps_sdata to NULL.
3367	*/
3368	count = 0;
3369	break;
3370	}
3371	if (sdata->vif.type != NL80211_IFTYPE_STATION)
3372	continue;
3373	found = sdata;
3374	count++;
3375	}
3376
3377	if (count == 1 && ieee80211_powersave_allowed(sdata: found)) {
3378	u8 dtimper = found->deflink.u.mgd.dtim_period;
3379
3380	timeout = local->dynamic_ps_forced_timeout;
3381	if (timeout < 0)
3382	timeout = 100;
3383	local->hw.conf.dynamic_ps_timeout = timeout;
3384
3385	/* If the TIM IE is invalid, pretend the value is 1 */
3386	if (!dtimper)
3387	dtimper = 1;
3388
3389	local->hw.conf.ps_dtim_period = dtimper;
3390	local->ps_sdata = found;
3391	} else {
3392	local->ps_sdata = NULL;
3393	}
3394
3395	ieee80211_change_ps(local);
3396	}
3397
3398	void ieee80211_recalc_ps_vif(struct ieee80211_sub_if_data *sdata)
3399	{
3400	bool ps_allowed = ieee80211_powersave_allowed(sdata);
3401
3402	if (sdata->vif.cfg.ps != ps_allowed) {
3403	sdata->vif.cfg.ps = ps_allowed;
3404	ieee80211_vif_cfg_change_notify(sdata, changed: BSS_CHANGED_PS);
3405	}
3406	}
3407
3408	void ieee80211_dynamic_ps_disable_work(struct wiphy *wiphy,
3409	struct wiphy_work *work)
3410	{
3411	struct ieee80211_local *local =
3412	container_of(work, struct ieee80211_local,
3413	dynamic_ps_disable_work);
3414
3415	if (local->hw.conf.flags & IEEE80211_CONF_PS) {
3416	local->hw.conf.flags &= ~IEEE80211_CONF_PS;
3417	ieee80211_hw_config(local, radio_idx: -1, changed: IEEE80211_CONF_CHANGE_PS);
3418	}
3419
3420	ieee80211_wake_queues_by_reason(hw: &local->hw,
3421	queues: IEEE80211_MAX_QUEUE_MAP,
3422	reason: IEEE80211_QUEUE_STOP_REASON_PS,
3423	refcounted: false);
3424	}
3425
3426	void ieee80211_dynamic_ps_enable_work(struct wiphy *wiphy,
3427	struct wiphy_work *work)
3428	{
3429	struct ieee80211_local *local =
3430	container_of(work, struct ieee80211_local,
3431	dynamic_ps_enable_work);
3432	struct ieee80211_sub_if_data *sdata = local->ps_sdata;
3433	struct ieee80211_if_managed *ifmgd;
3434	unsigned long flags;
3435	int q;
3436
3437	/* can only happen when PS was just disabled anyway */
3438	if (!sdata)
3439	return;
3440
3441	ifmgd = &sdata->u.mgd;
3442
3443	if (local->hw.conf.flags & IEEE80211_CONF_PS)
3444	return;
3445
3446	if (local->hw.conf.dynamic_ps_timeout > 0) {
3447	/* don't enter PS if TX frames are pending */
3448	if (drv_tx_frames_pending(local)) {
3449	mod_timer(timer: &local->dynamic_ps_timer, expires: jiffies +
3450	msecs_to_jiffies(
3451	m: local->hw.conf.dynamic_ps_timeout));
3452	return;
3453	}
3454
3455	/*
3456	* transmission can be stopped by others which leads to
3457	* dynamic_ps_timer expiry. Postpone the ps timer if it
3458	* is not the actual idle state.
3459	*/
3460	spin_lock_irqsave(&local->queue_stop_reason_lock, flags);
3461	for (q = 0; q < local->hw.queues; q++) {
3462	if (local->queue_stop_reasons[q]) {
3463	spin_unlock_irqrestore(lock: &local->queue_stop_reason_lock,
3464	flags);
3465	mod_timer(timer: &local->dynamic_ps_timer, expires: jiffies +
3466	msecs_to_jiffies(
3467	m: local->hw.conf.dynamic_ps_timeout));
3468	return;
3469	}
3470	}
3471	spin_unlock_irqrestore(lock: &local->queue_stop_reason_lock, flags);
3472	}
3473
3474	if (ieee80211_hw_check(&local->hw, PS_NULLFUNC_STACK) &&
3475	!(ifmgd->flags & IEEE80211_STA_NULLFUNC_ACKED)) {
3476	if (drv_tx_frames_pending(local)) {
3477	mod_timer(timer: &local->dynamic_ps_timer, expires: jiffies +
3478	msecs_to_jiffies(
3479	m: local->hw.conf.dynamic_ps_timeout));
3480	} else {
3481	ieee80211_send_nullfunc(local, sdata, powersave: true);
3482	/* Flush to get the tx status of nullfunc frame */
3483	ieee80211_flush_queues(local, sdata, drop: false);
3484	}
3485	}
3486
3487	if (!(ieee80211_hw_check(&local->hw, REPORTS_TX_ACK_STATUS) &&
3488	ieee80211_hw_check(&local->hw, PS_NULLFUNC_STACK)) ||
3489	(ifmgd->flags & IEEE80211_STA_NULLFUNC_ACKED)) {
3490	ifmgd->flags &= ~IEEE80211_STA_NULLFUNC_ACKED;
3491	local->hw.conf.flags |= IEEE80211_CONF_PS;
3492	ieee80211_hw_config(local, radio_idx: -1, changed: IEEE80211_CONF_CHANGE_PS);
3493	}
3494	}
3495
3496	void ieee80211_dynamic_ps_timer(struct timer_list *t)
3497	{
3498	struct ieee80211_local *local = timer_container_of(local, t,
3499	dynamic_ps_timer);
3500
3501	wiphy_work_queue(wiphy: local->hw.wiphy, work: &local->dynamic_ps_enable_work);
3502	}
3503
3504	void ieee80211_dfs_cac_timer_work(struct wiphy *wiphy, struct wiphy_work *work)
3505	{
3506	struct ieee80211_link_data *link =
3507	container_of(work, struct ieee80211_link_data,
3508	dfs_cac_timer_work.work);
3509	struct cfg80211_chan_def chandef = link->conf->chanreq.oper;
3510	struct ieee80211_sub_if_data *sdata = link->sdata;
3511
3512	lockdep_assert_wiphy(sdata->local->hw.wiphy);
3513
3514	if (sdata->wdev.links[link->link_id].cac_started) {
3515	ieee80211_link_release_channel(link);
3516	cfg80211_cac_event(netdev: sdata->dev, chandef: &chandef,
3517	event: NL80211_RADAR_CAC_FINISHED,
3518	GFP_KERNEL, link_id: link->link_id);
3519	}
3520	}
3521
3522	static bool
3523	__ieee80211_sta_handle_tspec_ac_params(struct ieee80211_sub_if_data *sdata)
3524	{
3525	struct ieee80211_local *local = sdata->local;
3526	struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
3527	bool ret = false;
3528	int ac;
3529
3530	if (local->hw.queues < IEEE80211_NUM_ACS)
3531	return false;
3532
3533	for (ac = 0; ac < IEEE80211_NUM_ACS; ac++) {
3534	struct ieee80211_sta_tx_tspec *tx_tspec = &ifmgd->tx_tspec[ac];
3535	int non_acm_ac;
3536	unsigned long now = jiffies;
3537
3538	if (tx_tspec->action == TX_TSPEC_ACTION_NONE &&
3539	tx_tspec->admitted_time &&
3540	time_after(now, tx_tspec->time_slice_start + HZ)) {
3541	tx_tspec->consumed_tx_time = 0;
3542	tx_tspec->time_slice_start = now;
3543
3544	if (tx_tspec->downgraded)
3545	tx_tspec->action =
3546	TX_TSPEC_ACTION_STOP_DOWNGRADE;
3547	}
3548
3549	switch (tx_tspec->action) {
3550	case TX_TSPEC_ACTION_STOP_DOWNGRADE:
3551	/* take the original parameters */
3552	if (drv_conf_tx(local, link: &sdata->deflink, ac,
3553	params: &sdata->deflink.tx_conf[ac]))
3554	link_err(&sdata->deflink,
3555	"failed to set TX queue parameters for queue %d\n",
3556	ac);
3557	tx_tspec->action = TX_TSPEC_ACTION_NONE;
3558	tx_tspec->downgraded = false;
3559	ret = true;
3560	break;
3561	case TX_TSPEC_ACTION_DOWNGRADE:
3562	if (time_after(now, tx_tspec->time_slice_start + HZ)) {
3563	tx_tspec->action = TX_TSPEC_ACTION_NONE;
3564	ret = true;
3565	break;
3566	}
3567	/* downgrade next lower non-ACM AC */
3568	for (non_acm_ac = ac + 1;
3569	non_acm_ac < IEEE80211_NUM_ACS;
3570	non_acm_ac++)
3571	if (!(sdata->wmm_acm & BIT(7 - 2 * non_acm_ac)))
3572	break;
3573	/* Usually the loop will result in using BK even if it
3574	* requires admission control, but such a configuration
3575	* makes no sense and we have to transmit somehow - the
3576	* AC selection does the same thing.
3577	* If we started out trying to downgrade from BK, then
3578	* the extra condition here might be needed.
3579	*/
3580	if (non_acm_ac >= IEEE80211_NUM_ACS)
3581	non_acm_ac = IEEE80211_AC_BK;
3582	if (drv_conf_tx(local, link: &sdata->deflink, ac,
3583	params: &sdata->deflink.tx_conf[non_acm_ac]))
3584	link_err(&sdata->deflink,
3585	"failed to set TX queue parameters for queue %d\n",
3586	ac);
3587	tx_tspec->action = TX_TSPEC_ACTION_NONE;
3588	ret = true;
3589	wiphy_delayed_work_queue(wiphy: local->hw.wiphy,
3590	dwork: &ifmgd->tx_tspec_wk,
3591	delay: tx_tspec->time_slice_start +
3592	HZ - now + 1);
3593	break;
3594	case TX_TSPEC_ACTION_NONE:
3595	/* nothing now */
3596	break;
3597	}
3598	}
3599
3600	return ret;
3601	}
3602
3603	void ieee80211_sta_handle_tspec_ac_params(struct ieee80211_sub_if_data *sdata)
3604	{
3605	if (__ieee80211_sta_handle_tspec_ac_params(sdata))
3606	ieee80211_link_info_change_notify(sdata, link: &sdata->deflink,
3607	changed: BSS_CHANGED_QOS);
3608	}
3609
3610	static void ieee80211_sta_handle_tspec_ac_params_wk(struct wiphy *wiphy,
3611	struct wiphy_work *work)
3612	{
3613	struct ieee80211_sub_if_data *sdata;
3614
3615	sdata = container_of(work, struct ieee80211_sub_if_data,
3616	u.mgd.tx_tspec_wk.work);
3617	ieee80211_sta_handle_tspec_ac_params(sdata);
3618	}
3619
3620	void ieee80211_mgd_set_link_qos_params(struct ieee80211_link_data *link)
3621	{
3622	struct ieee80211_sub_if_data *sdata = link->sdata;
3623	struct ieee80211_local *local = sdata->local;
3624	struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
3625	struct ieee80211_tx_queue_params *params = link->tx_conf;
3626	u8 ac;
3627
3628	for (ac = 0; ac < IEEE80211_NUM_ACS; ac++) {
3629	mlme_dbg(sdata,
3630	"WMM AC=%d acm=%d aifs=%d cWmin=%d cWmax=%d txop=%d uapsd=%d, downgraded=%d\n",
3631	ac, params[ac].acm,
3632	params[ac].aifs, params[ac].cw_min, params[ac].cw_max,
3633	params[ac].txop, params[ac].uapsd,
3634	ifmgd->tx_tspec[ac].downgraded);
3635	if (!ifmgd->tx_tspec[ac].downgraded &&
3636	drv_conf_tx(local, link, ac, params: &params[ac]))
3637	link_err(link,
3638	"failed to set TX queue parameters for AC %d\n",
3639	ac);
3640	}
3641	}
3642
3643	/* MLME */
3644	static bool
3645	_ieee80211_sta_wmm_params(struct ieee80211_local *local,
3646	struct ieee80211_link_data *link,
3647	const u8 *wmm_param, size_t wmm_param_len,
3648	const struct ieee80211_mu_edca_param_set *mu_edca)
3649	{
3650	struct ieee80211_sub_if_data *sdata = link->sdata;
3651	struct ieee80211_tx_queue_params params[IEEE80211_NUM_ACS];
3652	struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
3653	size_t left;
3654	int count, mu_edca_count, ac;
3655	const u8 *pos;
3656	u8 uapsd_queues = 0;
3657
3658	if (!local->ops->conf_tx)
3659	return false;
3660
3661	if (local->hw.queues < IEEE80211_NUM_ACS)
3662	return false;
3663
3664	if (!wmm_param)
3665	return false;
3666
3667	if (wmm_param_len < 8 || wmm_param[5] /* version */ != 1)
3668	return false;
3669
3670	if (ifmgd->flags & IEEE80211_STA_UAPSD_ENABLED)
3671	uapsd_queues = ifmgd->uapsd_queues;
3672
3673	count = wmm_param[6] & 0x0f;
3674	/* -1 is the initial value of ifmgd->mu_edca_last_param_set.
3675	* if mu_edca was preset before and now it disappeared tell
3676	* the driver about it.
3677	*/
3678	mu_edca_count = mu_edca ? mu_edca->mu_qos_info & 0x0f : -1;
3679	if (count == link->u.mgd.wmm_last_param_set &&
3680	mu_edca_count == link->u.mgd.mu_edca_last_param_set)
3681	return false;
3682	link->u.mgd.wmm_last_param_set = count;
3683	link->u.mgd.mu_edca_last_param_set = mu_edca_count;
3684
3685	pos = wmm_param + 8;
3686	left = wmm_param_len - 8;
3687
3688	memset(&params, 0, sizeof(params));
3689
3690	sdata->wmm_acm = 0;
3691	for (; left >= 4; left -= 4, pos += 4) {
3692	int aci = (pos[0] >> 5) & 0x03;
3693	int acm = (pos[0] >> 4) & 0x01;
3694	bool uapsd = false;
3695
3696	switch (aci) {
3697	case 1: /* AC_BK */
3698	ac = IEEE80211_AC_BK;
3699	if (acm)
3700	sdata->wmm_acm |= BIT(1) | BIT(2); /* BK/- */
3701	if (uapsd_queues & IEEE80211_WMM_IE_STA_QOSINFO_AC_BK)
3702	uapsd = true;
3703	params[ac].mu_edca = !!mu_edca;
3704	if (mu_edca)
3705	params[ac].mu_edca_param_rec = mu_edca->ac_bk;
3706	break;
3707	case 2: /* AC_VI */
3708	ac = IEEE80211_AC_VI;
3709	if (acm)
3710	sdata->wmm_acm |= BIT(4) | BIT(5); /* CL/VI */
3711	if (uapsd_queues & IEEE80211_WMM_IE_STA_QOSINFO_AC_VI)
3712	uapsd = true;
3713	params[ac].mu_edca = !!mu_edca;
3714	if (mu_edca)
3715	params[ac].mu_edca_param_rec = mu_edca->ac_vi;
3716	break;
3717	case 3: /* AC_VO */
3718	ac = IEEE80211_AC_VO;
3719	if (acm)
3720	sdata->wmm_acm |= BIT(6) | BIT(7); /* VO/NC */
3721	if (uapsd_queues & IEEE80211_WMM_IE_STA_QOSINFO_AC_VO)
3722	uapsd = true;
3723	params[ac].mu_edca = !!mu_edca;
3724	if (mu_edca)
3725	params[ac].mu_edca_param_rec = mu_edca->ac_vo;
3726	break;
3727	case 0: /* AC_BE */
3728	default:
3729	ac = IEEE80211_AC_BE;
3730	if (acm)
3731	sdata->wmm_acm |= BIT(0) | BIT(3); /* BE/EE */
3732	if (uapsd_queues & IEEE80211_WMM_IE_STA_QOSINFO_AC_BE)
3733	uapsd = true;
3734	params[ac].mu_edca = !!mu_edca;
3735	if (mu_edca)
3736	params[ac].mu_edca_param_rec = mu_edca->ac_be;
3737	break;
3738	}
3739
3740	params[ac].aifs = pos[0] & 0x0f;
3741
3742	if (params[ac].aifs < 2) {
3743	link_info(link,
3744	"AP has invalid WMM params (AIFSN=%d for ACI %d), will use 2\n",
3745	params[ac].aifs, aci);
3746	params[ac].aifs = 2;
3747	}
3748	params[ac].cw_max = ecw2cw(ecw: (pos[1] & 0xf0) >> 4);
3749	params[ac].cw_min = ecw2cw(ecw: pos[1] & 0x0f);
3750	params[ac].txop = get_unaligned_le16(p: pos + 2);
3751	params[ac].acm = acm;
3752	params[ac].uapsd = uapsd;
3753
3754	if (params[ac].cw_min == 0 ||
3755	params[ac].cw_min > params[ac].cw_max) {
3756	link_info(link,
3757	"AP has invalid WMM params (CWmin/max=%d/%d for ACI %d), using defaults\n",
3758	params[ac].cw_min, params[ac].cw_max, aci);
3759	return false;
3760	}
3761	ieee80211_regulatory_limit_wmm_params(sdata, qparam: &params[ac], ac);
3762	}
3763
3764	/* WMM specification requires all 4 ACIs. */
3765	for (ac = 0; ac < IEEE80211_NUM_ACS; ac++) {
3766	if (params[ac].cw_min == 0) {
3767	link_info(link,
3768	"AP has invalid WMM params (missing AC %d), using defaults\n",
3769	ac);
3770	return false;
3771	}
3772	}
3773
3774	for (ac = 0; ac < IEEE80211_NUM_ACS; ac++)
3775	link->tx_conf[ac] = params[ac];
3776
3777	return true;
3778	}
3779
3780	static bool
3781	ieee80211_sta_wmm_params(struct ieee80211_local *local,
3782	struct ieee80211_link_data *link,
3783	const u8 *wmm_param, size_t wmm_param_len,
3784	const struct ieee80211_mu_edca_param_set *mu_edca)
3785	{
3786	if (!_ieee80211_sta_wmm_params(local, link, wmm_param, wmm_param_len,
3787	mu_edca))
3788	return false;
3789
3790	ieee80211_mgd_set_link_qos_params(link);
3791
3792	/* enable WMM or activate new settings */
3793	link->conf->qos = true;
3794	return true;
3795	}
3796
3797	static void __ieee80211_stop_poll(struct ieee80211_sub_if_data *sdata)
3798	{
3799	lockdep_assert_wiphy(sdata->local->hw.wiphy);
3800
3801	sdata->u.mgd.flags &= ~IEEE80211_STA_CONNECTION_POLL;
3802	ieee80211_run_deferred_scan(local: sdata->local);
3803	}
3804
3805	static void ieee80211_stop_poll(struct ieee80211_sub_if_data *sdata)
3806	{
3807	lockdep_assert_wiphy(sdata->local->hw.wiphy);
3808
3809	__ieee80211_stop_poll(sdata);
3810	}
3811
3812	static u64 ieee80211_handle_bss_capability(struct ieee80211_link_data *link,
3813	u16 capab, bool erp_valid, u8 erp)
3814	{
3815	struct ieee80211_bss_conf *bss_conf = link->conf;
3816	struct ieee80211_supported_band *sband;
3817	u64 changed = 0;
3818	bool use_protection;
3819	bool use_short_preamble;
3820	bool use_short_slot;
3821
3822	sband = ieee80211_get_link_sband(link);
3823	if (!sband)
3824	return changed;
3825
3826	if (erp_valid) {
3827	use_protection = (erp & WLAN_ERP_USE_PROTECTION) != 0;
3828	use_short_preamble = (erp & WLAN_ERP_BARKER_PREAMBLE) == 0;
3829	} else {
3830	use_protection = false;
3831	use_short_preamble = !!(capab & WLAN_CAPABILITY_SHORT_PREAMBLE);
3832	}
3833
3834	use_short_slot = !!(capab & WLAN_CAPABILITY_SHORT_SLOT_TIME);
3835	if (sband->band == NL80211_BAND_5GHZ ||
3836	sband->band == NL80211_BAND_6GHZ)
3837	use_short_slot = true;
3838
3839	if (use_protection != bss_conf->use_cts_prot) {
3840	bss_conf->use_cts_prot = use_protection;
3841	changed |= BSS_CHANGED_ERP_CTS_PROT;
3842	}
3843
3844	if (use_short_preamble != bss_conf->use_short_preamble) {
3845	bss_conf->use_short_preamble = use_short_preamble;
3846	changed |= BSS_CHANGED_ERP_PREAMBLE;
3847	}
3848
3849	if (use_short_slot != bss_conf->use_short_slot) {
3850	bss_conf->use_short_slot = use_short_slot;
3851	changed |= BSS_CHANGED_ERP_SLOT;
3852	}
3853
3854	return changed;
3855	}
3856
3857	static u64 ieee80211_link_set_associated(struct ieee80211_link_data *link,
3858	struct cfg80211_bss *cbss)
3859	{
3860	struct ieee80211_sub_if_data *sdata = link->sdata;
3861	struct ieee80211_bss_conf *bss_conf = link->conf;
3862	struct ieee80211_bss *bss = (void *)cbss->priv;
3863	u64 changed = BSS_CHANGED_QOS;
3864
3865	/* not really used in MLO */
3866	sdata->u.mgd.beacon_timeout =
3867	usecs_to_jiffies(u: ieee80211_tu_to_usec(tu: beacon_loss_count *
3868	bss_conf->beacon_int));
3869
3870	changed |= ieee80211_handle_bss_capability(link,
3871	capab: bss_conf->assoc_capability,
3872	erp_valid: bss->has_erp_value,
3873	erp: bss->erp_value);
3874
3875	ieee80211_check_rate_mask(link);
3876
3877	link->conf->bss = cbss;
3878	memcpy(link->u.mgd.bssid, cbss->bssid, ETH_ALEN);
3879
3880	if (sdata->vif.p2p ||
3881	sdata->vif.driver_flags & IEEE80211_VIF_GET_NOA_UPDATE) {
3882	const struct cfg80211_bss_ies *ies;
3883
3884	rcu_read_lock();
3885	ies = rcu_dereference(cbss->ies);
3886	if (ies) {
3887	int ret;
3888
3889	ret = cfg80211_get_p2p_attr(
3890	ies: ies->data, len: ies->len,
3891	attr: IEEE80211_P2P_ATTR_ABSENCE_NOTICE,
3892	buf: (u8 *) &bss_conf->p2p_noa_attr,
3893	bufsize: sizeof(bss_conf->p2p_noa_attr));
3894	if (ret >= 2) {
3895	link->u.mgd.p2p_noa_index =
3896	bss_conf->p2p_noa_attr.index;
3897	changed |= BSS_CHANGED_P2P_PS;
3898	}
3899	}
3900	rcu_read_unlock();
3901	}
3902
3903	if (link->u.mgd.have_beacon) {
3904	bss_conf->beacon_rate = bss->beacon_rate;
3905	changed |= BSS_CHANGED_BEACON_INFO;
3906	} else {
3907	bss_conf->beacon_rate = NULL;
3908	}
3909
3910	/* Tell the driver to monitor connection quality (if supported) */
3911	if (sdata->vif.driver_flags & IEEE80211_VIF_SUPPORTS_CQM_RSSI &&
3912	bss_conf->cqm_rssi_thold)
3913	changed |= BSS_CHANGED_CQM;
3914
3915	return changed;
3916	}
3917
3918	static void ieee80211_set_associated(struct ieee80211_sub_if_data *sdata,
3919	struct ieee80211_mgd_assoc_data *assoc_data,
3920	u64 changed[IEEE80211_MLD_MAX_NUM_LINKS])
3921	{
3922	struct ieee80211_local *local = sdata->local;
3923	struct ieee80211_vif_cfg *vif_cfg = &sdata->vif.cfg;
3924	u64 vif_changed = BSS_CHANGED_ASSOC;
3925	unsigned int link_id;
3926
3927	lockdep_assert_wiphy(local->hw.wiphy);
3928
3929	sdata->u.mgd.associated = true;
3930
3931	for (link_id = 0; link_id < IEEE80211_MLD_MAX_NUM_LINKS; link_id++) {
3932	struct cfg80211_bss *cbss = assoc_data->link[link_id].bss;
3933	struct ieee80211_link_data *link;
3934
3935	if (!cbss ||
3936	assoc_data->link[link_id].status != WLAN_STATUS_SUCCESS)
3937	continue;
3938
3939	if (ieee80211_vif_is_mld(vif: &sdata->vif) &&
3940	!(ieee80211_vif_usable_links(vif: &sdata->vif) & BIT(link_id)))
3941	continue;
3942
3943	link = sdata_dereference(sdata->link[link_id], sdata);
3944	if (WARN_ON(!link))
3945	return;
3946
3947	changed[link_id] |= ieee80211_link_set_associated(link, cbss);
3948	}
3949
3950	/* just to be sure */
3951	ieee80211_stop_poll(sdata);
3952
3953	ieee80211_led_assoc(local, associated: 1);
3954
3955	vif_cfg->assoc = 1;
3956
3957	/* Enable ARP filtering */
3958	if (vif_cfg->arp_addr_cnt)
3959	vif_changed |= BSS_CHANGED_ARP_FILTER;
3960
3961	if (ieee80211_vif_is_mld(vif: &sdata->vif)) {
3962	for (link_id = 0;
3963	link_id < IEEE80211_MLD_MAX_NUM_LINKS;
3964	link_id++) {
3965	struct ieee80211_link_data *link;
3966	struct cfg80211_bss *cbss = assoc_data->link[link_id].bss;
3967
3968	if (!cbss ||
3969	!(BIT(link_id) &
3970	ieee80211_vif_usable_links(vif: &sdata->vif)) ||
3971	assoc_data->link[link_id].status != WLAN_STATUS_SUCCESS)
3972	continue;
3973
3974	link = sdata_dereference(sdata->link[link_id], sdata);
3975	if (WARN_ON(!link))
3976	return;
3977
3978	ieee80211_link_info_change_notify(sdata, link,
3979	changed: changed[link_id]);
3980
3981	ieee80211_recalc_smps(sdata, link);
3982	}
3983
3984	ieee80211_vif_cfg_change_notify(sdata, changed: vif_changed);
3985	} else {
3986	ieee80211_bss_info_change_notify(sdata,
3987	changed: vif_changed | changed[0]);
3988	}
3989
3990	ieee80211_recalc_ps(local);
3991
3992	/* leave this here to not change ordering in non-MLO cases */
3993	if (!ieee80211_vif_is_mld(vif: &sdata->vif))
3994	ieee80211_recalc_smps(sdata, link: &sdata->deflink);
3995	ieee80211_recalc_ps_vif(sdata);
3996
3997	netif_carrier_on(dev: sdata->dev);
3998	}
3999
4000	static void ieee80211_ml_reconf_reset(struct ieee80211_sub_if_data *sdata)
4001	{
4002	struct ieee80211_mgd_assoc_data *add_links_data =
4003	sdata->u.mgd.reconf.add_links_data;
4004
4005	if (!ieee80211_vif_is_mld(vif: &sdata->vif) ||
4006	!(sdata->u.mgd.reconf.added_links |
4007	sdata->u.mgd.reconf.removed_links))
4008	return;
4009
4010	wiphy_delayed_work_cancel(wiphy: sdata->local->hw.wiphy,
4011	dwork: &sdata->u.mgd.reconf.wk);
4012	sdata->u.mgd.reconf.added_links = 0;
4013	sdata->u.mgd.reconf.removed_links = 0;
4014	sdata->u.mgd.reconf.dialog_token = 0;
4015
4016	if (add_links_data) {
4017	struct cfg80211_mlo_reconf_done_data done_data = {};
4018	u8 link_id;
4019
4020	for (link_id = 0; link_id < IEEE80211_MLD_MAX_NUM_LINKS;
4021	link_id++)
4022	done_data.links[link_id].bss =
4023	add_links_data->link[link_id].bss;
4024
4025	cfg80211_mlo_reconf_add_done(dev: sdata->dev, data: &done_data);
4026
4027	kfree(objp: sdata->u.mgd.reconf.add_links_data);
4028	sdata->u.mgd.reconf.add_links_data = NULL;
4029	}
4030	}
4031
4032	static void ieee80211_set_disassoc(struct ieee80211_sub_if_data *sdata,
4033	u16 stype, u16 reason, bool tx,
4034	u8 *frame_buf)
4035	{
4036	struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
4037	struct ieee80211_local *local = sdata->local;
4038	struct sta_info *ap_sta = sta_info_get(sdata, addr: sdata->vif.cfg.ap_addr);
4039	unsigned int link_id;
4040	u64 changed = 0;
4041	struct ieee80211_prep_tx_info info = {
4042	.subtype = stype,
4043	.was_assoc = true,
4044	.link_id = ffs(sdata->vif.active_links) - 1,
4045	};
4046
4047	lockdep_assert_wiphy(local->hw.wiphy);
4048
4049	if (frame_buf)
4050	memset(frame_buf, 0, IEEE80211_DEAUTH_FRAME_LEN);
4051
4052	if (WARN_ON(!ap_sta))
4053	return;
4054
4055	if (WARN_ON_ONCE(tx && !frame_buf))
4056	return;
4057
4058	if (WARN_ON(!ifmgd->associated))
4059	return;
4060
4061	ieee80211_stop_poll(sdata);
4062
4063	ifmgd->associated = false;
4064
4065	if (tx) {
4066	bool tx_link_found = false;
4067
4068	for (link_id = 0;
4069	link_id < ARRAY_SIZE(sdata->link);
4070	link_id++) {
4071	struct ieee80211_link_data *link;
4072
4073	if (!ieee80211_vif_link_active(vif: &sdata->vif, link_id))
4074	continue;
4075
4076	link = sdata_dereference(sdata->link[link_id], sdata);
4077	if (WARN_ON_ONCE(!link))
4078	continue;
4079
4080	if (link->u.mgd.csa.blocked_tx)
4081	continue;
4082
4083	tx_link_found = true;
4084	break;
4085	}
4086
4087	tx = tx_link_found;
4088	}
4089
4090	/* other links will be destroyed */
4091	sdata->deflink.conf->bss = NULL;
4092	sdata->deflink.conf->epcs_support = false;
4093	sdata->deflink.smps_mode = IEEE80211_SMPS_OFF;
4094
4095	netif_carrier_off(dev: sdata->dev);
4096
4097	/*
4098	* if we want to get out of ps before disassoc (why?) we have
4099	* to do it before sending disassoc, as otherwise the null-packet
4100	* won't be valid.
4101	*/
4102	if (local->hw.conf.flags & IEEE80211_CONF_PS) {
4103	local->hw.conf.flags &= ~IEEE80211_CONF_PS;
4104	ieee80211_hw_config(local, radio_idx: -1, changed: IEEE80211_CONF_CHANGE_PS);
4105	}
4106	local->ps_sdata = NULL;
4107
4108	/* disable per-vif ps */
4109	ieee80211_recalc_ps_vif(sdata);
4110
4111	/* make sure ongoing transmission finishes */
4112	synchronize_net();
4113
4114	/*
4115	* drop any frame before deauth/disassoc, this can be data or
4116	* management frame. Since we are disconnecting, we should not
4117	* insist sending these frames which can take time and delay
4118	* the disconnection and possible the roaming.
4119	*/
4120	ieee80211_flush_queues(local, sdata, drop: true);
4121
4122	if (tx) {
4123	drv_mgd_prepare_tx(local: sdata->local, sdata, info: &info);
4124
4125	ieee80211_send_deauth_disassoc(sdata, da: sdata->vif.cfg.ap_addr,
4126	bssid: sdata->vif.cfg.ap_addr, stype,
4127	reason, send_frame: true, frame_buf);
4128
4129	/* flush out frame - make sure the deauth was actually sent */
4130	ieee80211_flush_queues(local, sdata, drop: false);
4131
4132	drv_mgd_complete_tx(local: sdata->local, sdata, info: &info);
4133	} else if (frame_buf) {
4134	ieee80211_send_deauth_disassoc(sdata, da: sdata->vif.cfg.ap_addr,
4135	bssid: sdata->vif.cfg.ap_addr, stype,
4136	reason, send_frame: false, frame_buf);
4137	}
4138
4139	/* clear AP addr only after building the needed mgmt frames */
4140	eth_zero_addr(addr: sdata->deflink.u.mgd.bssid);
4141	eth_zero_addr(addr: sdata->vif.cfg.ap_addr);
4142
4143	sdata->vif.cfg.ssid_len = 0;
4144
4145	/* Remove TDLS peers */
4146	__sta_info_flush(sdata, vlans: false, link_id: -1, do_not_flush_sta: ap_sta);
4147
4148	if (sdata->vif.driver_flags & IEEE80211_VIF_REMOVE_AP_AFTER_DISASSOC) {
4149	/* Only move the AP state */
4150	sta_info_move_state(sta: ap_sta, new_state: IEEE80211_STA_NONE);
4151	} else {
4152	/* Remove AP peer */
4153	sta_info_flush(sdata, link_id: -1);
4154	}
4155
4156	/* finally reset all BSS / config parameters */
4157	if (!ieee80211_vif_is_mld(vif: &sdata->vif))
4158	changed |= ieee80211_reset_erp_info(sdata);
4159
4160	ieee80211_led_assoc(local, associated: 0);
4161	changed |= BSS_CHANGED_ASSOC;
4162	sdata->vif.cfg.assoc = false;
4163
4164	sdata->deflink.u.mgd.p2p_noa_index = -1;
4165	memset(&sdata->vif.bss_conf.p2p_noa_attr, 0,
4166	sizeof(sdata->vif.bss_conf.p2p_noa_attr));
4167
4168	/* on the next assoc, re-program HT/VHT parameters */
4169	memset(&ifmgd->ht_capa, 0, sizeof(ifmgd->ht_capa));
4170	memset(&ifmgd->ht_capa_mask, 0, sizeof(ifmgd->ht_capa_mask));
4171	memset(&ifmgd->vht_capa, 0, sizeof(ifmgd->vht_capa));
4172	memset(&ifmgd->vht_capa_mask, 0, sizeof(ifmgd->vht_capa_mask));
4173
4174	/*
4175	* reset MU-MIMO ownership and group data in default link,
4176	* if used, other links are destroyed
4177	*/
4178	memset(sdata->vif.bss_conf.mu_group.membership, 0,
4179	sizeof(sdata->vif.bss_conf.mu_group.membership));
4180	memset(sdata->vif.bss_conf.mu_group.position, 0,
4181	sizeof(sdata->vif.bss_conf.mu_group.position));
4182	if (!ieee80211_vif_is_mld(vif: &sdata->vif))
4183	changed |= BSS_CHANGED_MU_GROUPS;
4184	sdata->vif.bss_conf.mu_mimo_owner = false;
4185
4186	sdata->deflink.ap_power_level = IEEE80211_UNSET_POWER_LEVEL;
4187
4188	timer_delete_sync(timer: &local->dynamic_ps_timer);
4189	wiphy_work_cancel(wiphy: local->hw.wiphy, work: &local->dynamic_ps_enable_work);
4190
4191	/* Disable ARP filtering */
4192	if (sdata->vif.cfg.arp_addr_cnt)
4193	changed |= BSS_CHANGED_ARP_FILTER;
4194
4195	sdata->vif.bss_conf.qos = false;
4196	if (!ieee80211_vif_is_mld(vif: &sdata->vif)) {
4197	changed |= BSS_CHANGED_QOS;
4198	/* The BSSID (not really interesting) and HT changed */
4199	changed |= BSS_CHANGED_BSSID | BSS_CHANGED_HT;
4200	ieee80211_bss_info_change_notify(sdata, changed);
4201	} else {
4202	ieee80211_vif_cfg_change_notify(sdata, changed);
4203	}
4204
4205	if (sdata->vif.driver_flags & IEEE80211_VIF_REMOVE_AP_AFTER_DISASSOC) {
4206	/*
4207	* After notifying the driver about the disassoc,
4208	* remove the ap sta.
4209	*/
4210	sta_info_flush(sdata, link_id: -1);
4211	}
4212
4213	/* disassociated - set to defaults now */
4214	ieee80211_set_wmm_default(link: &sdata->deflink, bss_notify: false, enable_qos: false);
4215
4216	timer_delete_sync(timer: &sdata->u.mgd.conn_mon_timer);
4217	timer_delete_sync(timer: &sdata->u.mgd.bcn_mon_timer);
4218	timer_delete_sync(timer: &sdata->u.mgd.timer);
4219
4220	sdata->vif.bss_conf.dtim_period = 0;
4221	sdata->vif.bss_conf.beacon_rate = NULL;
4222
4223	sdata->deflink.u.mgd.have_beacon = false;
4224	sdata->deflink.u.mgd.tracking_signal_avg = false;
4225	sdata->deflink.u.mgd.disable_wmm_tracking = false;
4226
4227	ifmgd->flags = 0;
4228
4229	for (link_id = 0; link_id < ARRAY_SIZE(sdata->link); link_id++) {
4230	struct ieee80211_link_data *link;
4231
4232	link = sdata_dereference(sdata->link[link_id], sdata);
4233	if (!link)
4234	continue;
4235	ieee80211_link_release_channel(link);
4236	}
4237
4238	sdata->vif.bss_conf.csa_active = false;
4239	sdata->deflink.u.mgd.csa.blocked_tx = false;
4240	sdata->deflink.u.mgd.csa.waiting_bcn = false;
4241	sdata->deflink.u.mgd.csa.ignored_same_chan = false;
4242	ieee80211_vif_unblock_queues_csa(sdata);
4243
4244	/* existing TX TSPEC sessions no longer exist */
4245	memset(ifmgd->tx_tspec, 0, sizeof(ifmgd->tx_tspec));
4246	wiphy_delayed_work_cancel(wiphy: local->hw.wiphy, dwork: &ifmgd->tx_tspec_wk);
4247
4248	sdata->vif.bss_conf.power_type = IEEE80211_REG_UNSET_AP;
4249	sdata->vif.bss_conf.pwr_reduction = 0;
4250	ieee80211_clear_tpe(tpe: &sdata->vif.bss_conf.tpe);
4251
4252	sdata->vif.cfg.eml_cap = 0;
4253	sdata->vif.cfg.eml_med_sync_delay = 0;
4254	sdata->vif.cfg.mld_capa_op = 0;
4255
4256	memset(&sdata->u.mgd.ttlm_info, 0,
4257	sizeof(sdata->u.mgd.ttlm_info));
4258	wiphy_hrtimer_work_cancel(wiphy: sdata->local->hw.wiphy, hrtimer: &ifmgd->ttlm_work);
4259
4260	memset(&sdata->vif.neg_ttlm, 0, sizeof(sdata->vif.neg_ttlm));
4261	wiphy_delayed_work_cancel(wiphy: sdata->local->hw.wiphy,
4262	dwork: &ifmgd->neg_ttlm_timeout_work);
4263
4264	sdata->u.mgd.removed_links = 0;
4265	wiphy_hrtimer_work_cancel(wiphy: sdata->local->hw.wiphy,
4266	hrtimer: &sdata->u.mgd.ml_reconf_work);
4267
4268	wiphy_work_cancel(wiphy: sdata->local->hw.wiphy,
4269	work: &ifmgd->teardown_ttlm_work);
4270
4271	/* if disconnection happens in the middle of the ML reconfiguration
4272	* flow, cfg80211 must called to release the BSS references obtained
4273	* when the flow started.
4274	*/
4275	ieee80211_ml_reconf_reset(sdata);
4276
4277	ieee80211_vif_set_links(sdata, new_links: 0, dormant_links: 0);
4278
4279	ifmgd->mcast_seq_last = IEEE80211_SN_MODULO;
4280
4281	ifmgd->epcs.enabled = false;
4282	ifmgd->epcs.dialog_token = 0;
4283
4284	memset(ifmgd->userspace_selectors, 0,
4285	sizeof(ifmgd->userspace_selectors));
4286	}
4287
4288	static void ieee80211_reset_ap_probe(struct ieee80211_sub_if_data *sdata)
4289	{
4290	struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
4291	struct ieee80211_local *local = sdata->local;
4292
4293	lockdep_assert_wiphy(local->hw.wiphy);
4294
4295	if (!(ifmgd->flags & IEEE80211_STA_CONNECTION_POLL))
4296	return;
4297
4298	__ieee80211_stop_poll(sdata);
4299
4300	ieee80211_recalc_ps(local);
4301
4302	if (ieee80211_hw_check(&sdata->local->hw, CONNECTION_MONITOR))
4303	return;
4304
4305	/*
4306	* We've received a probe response, but are not sure whether
4307	* we have or will be receiving any beacons or data, so let's
4308	* schedule the timers again, just in case.
4309	*/
4310	ieee80211_sta_reset_beacon_monitor(sdata);
4311
4312	mod_timer(timer: &ifmgd->conn_mon_timer,
4313	expires: round_jiffies_up(j: jiffies +
4314	IEEE80211_CONNECTION_IDLE_TIME));
4315	}
4316
4317	static void ieee80211_sta_tx_wmm_ac_notify(struct ieee80211_sub_if_data *sdata,
4318	struct ieee80211_hdr *hdr,
4319	u16 tx_time)
4320	{
4321	struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
4322	u16 tid;
4323	int ac;
4324	struct ieee80211_sta_tx_tspec *tx_tspec;
4325	unsigned long now = jiffies;
4326
4327	if (!ieee80211_is_data_qos(fc: hdr->frame_control))
4328	return;
4329
4330	tid = ieee80211_get_tid(hdr);
4331	ac = ieee80211_ac_from_tid(tid);
4332	tx_tspec = &ifmgd->tx_tspec[ac];
4333
4334	if (likely(!tx_tspec->admitted_time))
4335	return;
4336
4337	if (time_after(now, tx_tspec->time_slice_start + HZ)) {
4338	tx_tspec->consumed_tx_time = 0;
4339	tx_tspec->time_slice_start = now;
4340
4341	if (tx_tspec->downgraded) {
4342	tx_tspec->action = TX_TSPEC_ACTION_STOP_DOWNGRADE;
4343	wiphy_delayed_work_queue(wiphy: sdata->local->hw.wiphy,
4344	dwork: &ifmgd->tx_tspec_wk, delay: 0);
4345	}
4346	}
4347
4348	if (tx_tspec->downgraded)
4349	return;
4350
4351	tx_tspec->consumed_tx_time += tx_time;
4352
4353	if (tx_tspec->consumed_tx_time >= tx_tspec->admitted_time) {
4354	tx_tspec->downgraded = true;
4355	tx_tspec->action = TX_TSPEC_ACTION_DOWNGRADE;
4356	wiphy_delayed_work_queue(wiphy: sdata->local->hw.wiphy,
4357	dwork: &ifmgd->tx_tspec_wk, delay: 0);
4358	}
4359	}
4360
4361	void ieee80211_sta_tx_notify(struct ieee80211_sub_if_data *sdata,
4362	struct ieee80211_hdr *hdr, bool ack, u16 tx_time)
4363	{
4364	ieee80211_sta_tx_wmm_ac_notify(sdata, hdr, tx_time);
4365
4366	if (!ieee80211_is_any_nullfunc(fc: hdr->frame_control) ||
4367	!sdata->u.mgd.probe_send_count)
4368	return;
4369
4370	if (ack)
4371	sdata->u.mgd.probe_send_count = 0;
4372	else
4373	sdata->u.mgd.nullfunc_failed = true;
4374	wiphy_work_queue(wiphy: sdata->local->hw.wiphy, work: &sdata->work);
4375	}
4376
4377	static void ieee80211_mlme_send_probe_req(struct ieee80211_sub_if_data *sdata,
4378	const u8 *src, const u8 *dst,
4379	const u8 *ssid, size_t ssid_len,
4380	struct ieee80211_channel *channel)
4381	{
4382	struct sk_buff *skb;
4383
4384	skb = ieee80211_build_probe_req(sdata, src, dst, ratemask: (u32)-1, chan: channel,
4385	ssid, ssid_len, NULL, ie_len: 0,
4386	flags: IEEE80211_PROBE_FLAG_DIRECTED);
4387	if (skb)
4388	ieee80211_tx_skb(sdata, skb);
4389	}
4390
4391	static void ieee80211_mgd_probe_ap_send(struct ieee80211_sub_if_data *sdata)
4392	{
4393	struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
4394	u8 *dst = sdata->vif.cfg.ap_addr;
4395	u8 unicast_limit = max(1, max_probe_tries - 3);
4396	struct sta_info *sta;
4397
4398	lockdep_assert_wiphy(sdata->local->hw.wiphy);
4399
4400	/*
4401	* Try sending broadcast probe requests for the last three
4402	* probe requests after the first ones failed since some
4403	* buggy APs only support broadcast probe requests.
4404	*/
4405	if (ifmgd->probe_send_count >= unicast_limit)
4406	dst = NULL;
4407
4408	/*
4409	* When the hardware reports an accurate Tx ACK status, it's
4410	* better to send a nullfunc frame instead of a probe request,
4411	* as it will kick us off the AP quickly if we aren't associated
4412	* anymore. The timeout will be reset if the frame is ACKed by
4413	* the AP.
4414	*/
4415	ifmgd->probe_send_count++;
4416
4417	if (dst) {
4418	sta = sta_info_get(sdata, addr: dst);
4419	if (!WARN_ON(!sta))
4420	ieee80211_check_fast_rx(sta);
4421	}
4422
4423	if (ieee80211_hw_check(&sdata->local->hw, REPORTS_TX_ACK_STATUS)) {
4424	ifmgd->nullfunc_failed = false;
4425	ieee80211_send_nullfunc(local: sdata->local, sdata, powersave: false);
4426	} else {
4427	ieee80211_mlme_send_probe_req(sdata, src: sdata->vif.addr, dst,
4428	ssid: sdata->vif.cfg.ssid,
4429	ssid_len: sdata->vif.cfg.ssid_len,
4430	channel: sdata->deflink.conf->bss->channel);
4431	}
4432
4433	ifmgd->probe_timeout = jiffies + msecs_to_jiffies(m: probe_wait_ms);
4434	run_again(sdata, timeout: ifmgd->probe_timeout);
4435	}
4436
4437	static void ieee80211_mgd_probe_ap(struct ieee80211_sub_if_data *sdata,
4438	bool beacon)
4439	{
4440	struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
4441	bool already = false;
4442
4443	lockdep_assert_wiphy(sdata->local->hw.wiphy);
4444
4445	if (!ieee80211_sdata_running(sdata))
4446	return;
4447
4448	if (!ifmgd->associated)
4449	return;
4450
4451	if (sdata->local->tmp_channel || sdata->local->scanning)
4452	return;
4453
4454	if (sdata->local->suspending) {
4455	/* reschedule after resume */
4456	ieee80211_reset_ap_probe(sdata);
4457	return;
4458	}
4459
4460	if (beacon) {
4461	mlme_dbg_ratelimited(sdata,
4462	"detected beacon loss from AP (missed %d beacons) - probing\n",
4463	beacon_loss_count);
4464
4465	ieee80211_cqm_beacon_loss_notify(vif: &sdata->vif, GFP_KERNEL);
4466	}
4467
4468	/*
4469	* The driver/our work has already reported this event or the
4470	* connection monitoring has kicked in and we have already sent
4471	* a probe request. Or maybe the AP died and the driver keeps
4472	* reporting until we disassociate...
4473	*
4474	* In either case we have to ignore the current call to this
4475	* function (except for setting the correct probe reason bit)
4476	* because otherwise we would reset the timer every time and
4477	* never check whether we received a probe response!
4478	*/
4479	if (ifmgd->flags & IEEE80211_STA_CONNECTION_POLL)
4480	already = true;
4481
4482	ifmgd->flags |= IEEE80211_STA_CONNECTION_POLL;
4483
4484	if (already)
4485	return;
4486
4487	ieee80211_recalc_ps(local: sdata->local);
4488
4489	ifmgd->probe_send_count = 0;
4490	ieee80211_mgd_probe_ap_send(sdata);
4491	}
4492
4493	struct sk_buff *ieee80211_ap_probereq_get(struct ieee80211_hw *hw,
4494	struct ieee80211_vif *vif)
4495	{
4496	struct ieee80211_sub_if_data *sdata = vif_to_sdata(p: vif);
4497	struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
4498	struct cfg80211_bss *cbss;
4499	struct sk_buff *skb;
4500	const struct element *ssid;
4501	int ssid_len;
4502
4503	lockdep_assert_wiphy(sdata->local->hw.wiphy);
4504
4505	if (WARN_ON(sdata->vif.type != NL80211_IFTYPE_STATION ||
4506	ieee80211_vif_is_mld(&sdata->vif)))
4507	return NULL;
4508
4509	if (ifmgd->associated)
4510	cbss = sdata->deflink.conf->bss;
4511	else if (ifmgd->auth_data)
4512	cbss = ifmgd->auth_data->bss;
4513	else if (ifmgd->assoc_data && ifmgd->assoc_data->link[0].bss)
4514	cbss = ifmgd->assoc_data->link[0].bss;
4515	else
4516	return NULL;
4517
4518	rcu_read_lock();
4519	ssid = ieee80211_bss_get_elem(bss: cbss, id: WLAN_EID_SSID);
4520	if (WARN_ONCE(!ssid || ssid->datalen > IEEE80211_MAX_SSID_LEN,
4521	"invalid SSID element (len=%d)",
4522	ssid ? ssid->datalen : -1))
4523	ssid_len = 0;
4524	else
4525	ssid_len = ssid->datalen;
4526
4527	skb = ieee80211_build_probe_req(sdata, src: sdata->vif.addr, dst: cbss->bssid,
4528	ratemask: (u32) -1, chan: cbss->channel,
4529	ssid: ssid->data, ssid_len,
4530	NULL, ie_len: 0, flags: IEEE80211_PROBE_FLAG_DIRECTED);
4531	rcu_read_unlock();
4532
4533	return skb;
4534	}
4535	EXPORT_SYMBOL(ieee80211_ap_probereq_get);
4536
4537	static void ieee80211_report_disconnect(struct ieee80211_sub_if_data *sdata,
4538	const u8 *buf, size_t len, bool tx,
4539	u16 reason, bool reconnect)
4540	{
4541	struct ieee80211_event event = {
4542	.type = MLME_EVENT,
4543	.u.mlme.data = tx ? DEAUTH_TX_EVENT : DEAUTH_RX_EVENT,
4544	.u.mlme.reason = reason,
4545	};
4546
4547	if (tx)
4548	cfg80211_tx_mlme_mgmt(dev: sdata->dev, buf, len, reconnect);
4549	else
4550	cfg80211_rx_mlme_mgmt(dev: sdata->dev, buf, len);
4551
4552	drv_event_callback(local: sdata->local, sdata, event: &event);
4553	}
4554
4555	static void __ieee80211_disconnect(struct ieee80211_sub_if_data *sdata)
4556	{
4557	struct ieee80211_local *local = sdata->local;
4558	struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
4559	u8 frame_buf[IEEE80211_DEAUTH_FRAME_LEN];
4560
4561	lockdep_assert_wiphy(local->hw.wiphy);
4562
4563	if (!ifmgd->associated)
4564	return;
4565
4566	if (!ifmgd->driver_disconnect) {
4567	unsigned int link_id;
4568
4569	/*
4570	* AP is probably out of range (or not reachable for another
4571	* reason) so remove the bss structs for that AP. In the case
4572	* of multi-link, it's not clear that all of them really are
4573	* out of range, but if they weren't the driver likely would
4574	* have switched to just have a single link active?
4575	*/
4576	for (link_id = 0;
4577	link_id < ARRAY_SIZE(sdata->link);
4578	link_id++) {
4579	struct ieee80211_link_data *link;
4580
4581	link = sdata_dereference(sdata->link[link_id], sdata);
4582	if (!link || !link->conf->bss)
4583	continue;
4584	cfg80211_unlink_bss(wiphy: local->hw.wiphy, bss: link->conf->bss);
4585	link->conf->bss = NULL;
4586	}
4587	}
4588
4589	ieee80211_set_disassoc(sdata, IEEE80211_STYPE_DEAUTH,
4590	reason: ifmgd->driver_disconnect ?
4591	WLAN_REASON_DEAUTH_LEAVING :
4592	WLAN_REASON_DISASSOC_DUE_TO_INACTIVITY,
4593	tx: true, frame_buf);
4594	/* the other links will be destroyed */
4595	sdata->vif.bss_conf.csa_active = false;
4596	sdata->deflink.u.mgd.csa.waiting_bcn = false;
4597	sdata->deflink.u.mgd.csa.blocked_tx = false;
4598	ieee80211_vif_unblock_queues_csa(sdata);
4599
4600	ieee80211_report_disconnect(sdata, buf: frame_buf, len: sizeof(frame_buf), tx: true,
4601	reason: WLAN_REASON_DISASSOC_DUE_TO_INACTIVITY,
4602	reconnect: ifmgd->reconnect);
4603	ifmgd->reconnect = false;
4604	}
4605
4606	static void ieee80211_beacon_connection_loss_work(struct wiphy *wiphy,
4607	struct wiphy_work *work)
4608	{
4609	struct ieee80211_sub_if_data *sdata =
4610	container_of(work, struct ieee80211_sub_if_data,
4611	u.mgd.beacon_connection_loss_work);
4612	struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
4613
4614	if (ifmgd->connection_loss) {
4615	sdata_info(sdata, "Connection to AP %pM lost\n",
4616	sdata->vif.cfg.ap_addr);
4617	__ieee80211_disconnect(sdata);
4618	ifmgd->connection_loss = false;
4619	} else if (ifmgd->driver_disconnect) {
4620	sdata_info(sdata,
4621	"Driver requested disconnection from AP %pM\n",
4622	sdata->vif.cfg.ap_addr);
4623	__ieee80211_disconnect(sdata);
4624	ifmgd->driver_disconnect = false;
4625	} else {
4626	if (ifmgd->associated)
4627	sdata->deflink.u.mgd.beacon_loss_count++;
4628	ieee80211_mgd_probe_ap(sdata, beacon: true);
4629	}
4630	}
4631
4632	static void ieee80211_csa_connection_drop_work(struct wiphy *wiphy,
4633	struct wiphy_work *work)
4634	{
4635	struct ieee80211_sub_if_data *sdata =
4636	container_of(work, struct ieee80211_sub_if_data,
4637	u.mgd.csa_connection_drop_work);
4638
4639	__ieee80211_disconnect(sdata);
4640	}
4641
4642	void ieee80211_beacon_loss(struct ieee80211_vif *vif)
4643	{
4644	struct ieee80211_sub_if_data *sdata = vif_to_sdata(p: vif);
4645	struct ieee80211_hw *hw = &sdata->local->hw;
4646
4647	trace_api_beacon_loss(sdata);
4648
4649	sdata->u.mgd.connection_loss = false;
4650	wiphy_work_queue(wiphy: hw->wiphy, work: &sdata->u.mgd.beacon_connection_loss_work);
4651	}
4652	EXPORT_SYMBOL(ieee80211_beacon_loss);
4653
4654	void ieee80211_connection_loss(struct ieee80211_vif *vif)
4655	{
4656	struct ieee80211_sub_if_data *sdata;
4657	struct ieee80211_hw *hw;
4658
4659	KUNIT_STATIC_STUB_REDIRECT(ieee80211_connection_loss, vif);
4660
4661	sdata = vif_to_sdata(p: vif);
4662	hw = &sdata->local->hw;
4663
4664	trace_api_connection_loss(sdata);
4665
4666	sdata->u.mgd.connection_loss = true;
4667	wiphy_work_queue(wiphy: hw->wiphy, work: &sdata->u.mgd.beacon_connection_loss_work);
4668	}
4669	EXPORT_SYMBOL(ieee80211_connection_loss);
4670
4671	void ieee80211_disconnect(struct ieee80211_vif *vif, bool reconnect)
4672	{
4673	struct ieee80211_sub_if_data *sdata = vif_to_sdata(p: vif);
4674	struct ieee80211_hw *hw = &sdata->local->hw;
4675
4676	trace_api_disconnect(sdata, reconnect);
4677
4678	if (WARN_ON(sdata->vif.type != NL80211_IFTYPE_STATION))
4679	return;
4680
4681	sdata->u.mgd.driver_disconnect = true;
4682	sdata->u.mgd.reconnect = reconnect;
4683	wiphy_work_queue(wiphy: hw->wiphy, work: &sdata->u.mgd.beacon_connection_loss_work);
4684	}
4685	EXPORT_SYMBOL(ieee80211_disconnect);
4686
4687	static void ieee80211_destroy_auth_data(struct ieee80211_sub_if_data *sdata,
4688	bool assoc)
4689	{
4690	struct ieee80211_mgd_auth_data *auth_data = sdata->u.mgd.auth_data;
4691
4692	lockdep_assert_wiphy(sdata->local->hw.wiphy);
4693
4694	sdata->u.mgd.auth_data = NULL;
4695
4696	if (!assoc) {
4697	/*
4698	* we are not authenticated yet, the only timer that could be
4699	* running is the timeout for the authentication response which
4700	* which is not relevant anymore.
4701	*/
4702	timer_delete_sync(timer: &sdata->u.mgd.timer);
4703	sta_info_destroy_addr(sdata, addr: auth_data->ap_addr);
4704
4705	/* other links are destroyed */
4706	eth_zero_addr(addr: sdata->deflink.u.mgd.bssid);
4707	ieee80211_link_info_change_notify(sdata, link: &sdata->deflink,
4708	changed: BSS_CHANGED_BSSID);
4709	sdata->u.mgd.flags = 0;
4710
4711	ieee80211_link_release_channel(link: &sdata->deflink);
4712	ieee80211_vif_set_links(sdata, new_links: 0, dormant_links: 0);
4713	}
4714
4715	cfg80211_put_bss(wiphy: sdata->local->hw.wiphy, bss: auth_data->bss);
4716	kfree(objp: auth_data);
4717	}
4718
4719	enum assoc_status {
4720	ASSOC_SUCCESS,
4721	ASSOC_REJECTED,
4722	ASSOC_TIMEOUT,
4723	ASSOC_ABANDON,
4724	};
4725
4726	static void ieee80211_destroy_assoc_data(struct ieee80211_sub_if_data *sdata,
4727	enum assoc_status status)
4728	{
4729	struct ieee80211_mgd_assoc_data *assoc_data = sdata->u.mgd.assoc_data;
4730
4731	lockdep_assert_wiphy(sdata->local->hw.wiphy);
4732
4733	sdata->u.mgd.assoc_data = NULL;
4734
4735	if (status != ASSOC_SUCCESS) {
4736	/*
4737	* we are not associated yet, the only timer that could be
4738	* running is the timeout for the association response which
4739	* which is not relevant anymore.
4740	*/
4741	timer_delete_sync(timer: &sdata->u.mgd.timer);
4742	sta_info_destroy_addr(sdata, addr: assoc_data->ap_addr);
4743
4744	eth_zero_addr(addr: sdata->deflink.u.mgd.bssid);
4745	ieee80211_link_info_change_notify(sdata, link: &sdata->deflink,
4746	changed: BSS_CHANGED_BSSID);
4747	sdata->u.mgd.flags = 0;
4748	sdata->vif.bss_conf.mu_mimo_owner = false;
4749
4750	if (status != ASSOC_REJECTED) {
4751	struct cfg80211_assoc_failure data = {
4752	.timeout = status == ASSOC_TIMEOUT,
4753	};
4754	int i;
4755
4756	BUILD_BUG_ON(ARRAY_SIZE(data.bss) !=
4757	ARRAY_SIZE(assoc_data->link));
4758
4759	for (i = 0; i < ARRAY_SIZE(data.bss); i++)
4760	data.bss[i] = assoc_data->link[i].bss;
4761
4762	if (ieee80211_vif_is_mld(vif: &sdata->vif))
4763	data.ap_mld_addr = assoc_data->ap_addr;
4764
4765	cfg80211_assoc_failure(dev: sdata->dev, data: &data);
4766	}
4767
4768	ieee80211_link_release_channel(link: &sdata->deflink);
4769	ieee80211_vif_set_links(sdata, new_links: 0, dormant_links: 0);
4770	}
4771
4772	kfree(objp: assoc_data);
4773	}
4774
4775	static void ieee80211_auth_challenge(struct ieee80211_sub_if_data *sdata,
4776	struct ieee80211_mgmt *mgmt, size_t len)
4777	{
4778	struct ieee80211_local *local = sdata->local;
4779	struct ieee80211_mgd_auth_data *auth_data = sdata->u.mgd.auth_data;
4780	const struct element *challenge;
4781	u8 *pos;
4782	u32 tx_flags = 0;
4783	struct ieee80211_prep_tx_info info = {
4784	.subtype = IEEE80211_STYPE_AUTH,
4785	.link_id = auth_data->link_id,
4786	};
4787
4788	pos = mgmt->u.auth.variable;
4789	challenge = cfg80211_find_elem(eid: WLAN_EID_CHALLENGE, ies: pos,
4790	len: len - (pos - (u8 *)mgmt));
4791	if (!challenge)
4792	return;
4793	auth_data->expected_transaction = 4;
4794	drv_mgd_prepare_tx(local: sdata->local, sdata, info: &info);
4795	if (ieee80211_hw_check(&local->hw, REPORTS_TX_ACK_STATUS))
4796	tx_flags = IEEE80211_TX_CTL_REQ_TX_STATUS |
4797	IEEE80211_TX_INTFL_MLME_CONN_TX;
4798	ieee80211_send_auth(sdata, transaction: 3, auth_alg: auth_data->algorithm, status: 0,
4799	extra: (void *)challenge,
4800	extra_len: challenge->datalen + sizeof(*challenge),
4801	bssid: auth_data->ap_addr, da: auth_data->ap_addr,
4802	key: auth_data->key, key_len: auth_data->key_len,
4803	key_idx: auth_data->key_idx, tx_flags);
4804	}
4805
4806	static bool ieee80211_mark_sta_auth(struct ieee80211_sub_if_data *sdata)
4807	{
4808	struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
4809	const u8 *ap_addr = ifmgd->auth_data->ap_addr;
4810	struct sta_info *sta;
4811
4812	lockdep_assert_wiphy(sdata->local->hw.wiphy);
4813
4814	sdata_info(sdata, "authenticated\n");
4815	ifmgd->auth_data->done = true;
4816	ifmgd->auth_data->timeout = jiffies + IEEE80211_AUTH_WAIT_ASSOC;
4817	ifmgd->auth_data->timeout_started = true;
4818	run_again(sdata, timeout: ifmgd->auth_data->timeout);
4819
4820	/* move station state to auth */
4821	sta = sta_info_get(sdata, addr: ap_addr);
4822	if (!sta) {
4823	WARN_ONCE(1, "%s: STA %pM not found", sdata->name, ap_addr);
4824	return false;
4825	}
4826	if (sta_info_move_state(sta, new_state: IEEE80211_STA_AUTH)) {
4827	sdata_info(sdata, "failed moving %pM to auth\n", ap_addr);
4828	return false;
4829	}
4830
4831	return true;
4832	}
4833
4834	static void ieee80211_rx_mgmt_auth(struct ieee80211_sub_if_data *sdata,
4835	struct ieee80211_mgmt *mgmt, size_t len)
4836	{
4837	struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
4838	u16 auth_alg, auth_transaction, status_code;
4839	struct ieee80211_event event = {
4840	.type = MLME_EVENT,
4841	.u.mlme.data = AUTH_EVENT,
4842	};
4843	struct ieee80211_prep_tx_info info = {
4844	.subtype = IEEE80211_STYPE_AUTH,
4845	};
4846	bool sae_need_confirm = false;
4847
4848	lockdep_assert_wiphy(sdata->local->hw.wiphy);
4849
4850	if (len < 24 + 6)
4851	return;
4852
4853	if (!ifmgd->auth_data || ifmgd->auth_data->done)
4854	return;
4855
4856	if (!ether_addr_equal(addr1: ifmgd->auth_data->ap_addr, addr2: mgmt->bssid))
4857	return;
4858
4859	auth_alg = le16_to_cpu(mgmt->u.auth.auth_alg);
4860	auth_transaction = le16_to_cpu(mgmt->u.auth.auth_transaction);
4861	status_code = le16_to_cpu(mgmt->u.auth.status_code);
4862
4863	info.link_id = ifmgd->auth_data->link_id;
4864
4865	if (auth_alg != ifmgd->auth_data->algorithm ||
4866	(auth_alg != WLAN_AUTH_SAE &&
4867	auth_transaction != ifmgd->auth_data->expected_transaction) ||
4868	(auth_alg == WLAN_AUTH_SAE &&
4869	(auth_transaction < ifmgd->auth_data->expected_transaction ||
4870	auth_transaction > 2))) {
4871	sdata_info(sdata, "%pM unexpected authentication state: alg %d (expected %d) transact %d (expected %d)\n",
4872	mgmt->sa, auth_alg, ifmgd->auth_data->algorithm,
4873	auth_transaction,
4874	ifmgd->auth_data->expected_transaction);
4875	goto notify_driver;
4876	}
4877
4878	if (status_code != WLAN_STATUS_SUCCESS) {
4879	cfg80211_rx_mlme_mgmt(dev: sdata->dev, buf: (u8 *)mgmt, len);
4880
4881	if (auth_alg == WLAN_AUTH_SAE &&
4882	(status_code == WLAN_STATUS_ANTI_CLOG_REQUIRED ||
4883	(auth_transaction == 1 &&
4884	(status_code == WLAN_STATUS_SAE_HASH_TO_ELEMENT ||
4885	status_code == WLAN_STATUS_SAE_PK)))) {
4886	/* waiting for userspace now */
4887	ifmgd->auth_data->waiting = true;
4888	ifmgd->auth_data->timeout =
4889	jiffies + IEEE80211_AUTH_WAIT_SAE_RETRY;
4890	ifmgd->auth_data->timeout_started = true;
4891	run_again(sdata, timeout: ifmgd->auth_data->timeout);
4892	if (auth_transaction == 1)
4893	sae_need_confirm = true;
4894	goto notify_driver;
4895	}
4896
4897	sdata_info(sdata, "%pM denied authentication (status %d)\n",
4898	mgmt->sa, status_code);
4899	ieee80211_destroy_auth_data(sdata, assoc: false);
4900	event.u.mlme.status = MLME_DENIED;
4901	event.u.mlme.reason = status_code;
4902	drv_event_callback(local: sdata->local, sdata, event: &event);
4903	goto notify_driver;
4904	}
4905
4906	switch (ifmgd->auth_data->algorithm) {
4907	case WLAN_AUTH_OPEN:
4908	case WLAN_AUTH_LEAP:
4909	case WLAN_AUTH_FT:
4910	case WLAN_AUTH_SAE:
4911	case WLAN_AUTH_FILS_SK:
4912	case WLAN_AUTH_FILS_SK_PFS:
4913	case WLAN_AUTH_FILS_PK:
4914	break;
4915	case WLAN_AUTH_SHARED_KEY:
4916	if (ifmgd->auth_data->expected_transaction != 4) {
4917	ieee80211_auth_challenge(sdata, mgmt, len);
4918	/* need another frame */
4919	return;
4920	}
4921	break;
4922	default:
4923	WARN_ONCE(1, "invalid auth alg %d",
4924	ifmgd->auth_data->algorithm);
4925	goto notify_driver;
4926	}
4927
4928	event.u.mlme.status = MLME_SUCCESS;
4929	info.success = 1;
4930	drv_event_callback(local: sdata->local, sdata, event: &event);
4931	if (ifmgd->auth_data->algorithm != WLAN_AUTH_SAE ||
4932	(auth_transaction == 2 &&
4933	ifmgd->auth_data->expected_transaction == 2)) {
4934	if (!ieee80211_mark_sta_auth(sdata))
4935	return; /* ignore frame -- wait for timeout */
4936	} else if (ifmgd->auth_data->algorithm == WLAN_AUTH_SAE &&
4937	auth_transaction == 1) {
4938	sae_need_confirm = true;
4939	} else if (ifmgd->auth_data->algorithm == WLAN_AUTH_SAE &&
4940	auth_transaction == 2) {
4941	sdata_info(sdata, "SAE peer confirmed\n");
4942	ifmgd->auth_data->peer_confirmed = true;
4943	}
4944
4945	cfg80211_rx_mlme_mgmt(dev: sdata->dev, buf: (u8 *)mgmt, len);
4946	notify_driver:
4947	if (!sae_need_confirm)
4948	drv_mgd_complete_tx(local: sdata->local, sdata, info: &info);
4949	}
4950
4951	#define case_WLAN(type) \
4952	case WLAN_REASON_##type: return #type
4953
4954	const char *ieee80211_get_reason_code_string(u16 reason_code)
4955	{
4956	switch (reason_code) {
4957	case_WLAN(UNSPECIFIED);
4958	case_WLAN(PREV_AUTH_NOT_VALID);
4959	case_WLAN(DEAUTH_LEAVING);
4960	case_WLAN(DISASSOC_DUE_TO_INACTIVITY);
4961	case_WLAN(DISASSOC_AP_BUSY);
4962	case_WLAN(CLASS2_FRAME_FROM_NONAUTH_STA);
4963	case_WLAN(CLASS3_FRAME_FROM_NONASSOC_STA);
4964	case_WLAN(DISASSOC_STA_HAS_LEFT);
4965	case_WLAN(STA_REQ_ASSOC_WITHOUT_AUTH);
4966	case_WLAN(DISASSOC_BAD_POWER);
4967	case_WLAN(DISASSOC_BAD_SUPP_CHAN);
4968	case_WLAN(INVALID_IE);
4969	case_WLAN(MIC_FAILURE);
4970	case_WLAN(4WAY_HANDSHAKE_TIMEOUT);
4971	case_WLAN(GROUP_KEY_HANDSHAKE_TIMEOUT);
4972	case_WLAN(IE_DIFFERENT);
4973	case_WLAN(INVALID_GROUP_CIPHER);
4974	case_WLAN(INVALID_PAIRWISE_CIPHER);
4975	case_WLAN(INVALID_AKMP);
4976	case_WLAN(UNSUPP_RSN_VERSION);
4977	case_WLAN(INVALID_RSN_IE_CAP);
4978	case_WLAN(IEEE8021X_FAILED);
4979	case_WLAN(CIPHER_SUITE_REJECTED);
4980	case_WLAN(DISASSOC_UNSPECIFIED_QOS);
4981	case_WLAN(DISASSOC_QAP_NO_BANDWIDTH);
4982	case_WLAN(DISASSOC_LOW_ACK);
4983	case_WLAN(DISASSOC_QAP_EXCEED_TXOP);
4984	case_WLAN(QSTA_LEAVE_QBSS);
4985	case_WLAN(QSTA_NOT_USE);
4986	case_WLAN(QSTA_REQUIRE_SETUP);
4987	case_WLAN(QSTA_TIMEOUT);
4988	case_WLAN(QSTA_CIPHER_NOT_SUPP);
4989	case_WLAN(MESH_PEER_CANCELED);
4990	case_WLAN(MESH_MAX_PEERS);
4991	case_WLAN(MESH_CONFIG);
4992	case_WLAN(MESH_CLOSE);
4993	case_WLAN(MESH_MAX_RETRIES);
4994	case_WLAN(MESH_CONFIRM_TIMEOUT);
4995	case_WLAN(MESH_INVALID_GTK);
4996	case_WLAN(MESH_INCONSISTENT_PARAM);
4997	case_WLAN(MESH_INVALID_SECURITY);
4998	case_WLAN(MESH_PATH_ERROR);
4999	case_WLAN(MESH_PATH_NOFORWARD);
5000	case_WLAN(MESH_PATH_DEST_UNREACHABLE);
5001	case_WLAN(MAC_EXISTS_IN_MBSS);
5002	case_WLAN(MESH_CHAN_REGULATORY);
5003	case_WLAN(MESH_CHAN);
5004	default: return "<unknown>";
5005	}
5006	}
5007
5008	static void ieee80211_rx_mgmt_deauth(struct ieee80211_sub_if_data *sdata,
5009	struct ieee80211_mgmt *mgmt, size_t len)
5010	{
5011	struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
5012	u16 reason_code = le16_to_cpu(mgmt->u.deauth.reason_code);
5013
5014	lockdep_assert_wiphy(sdata->local->hw.wiphy);
5015
5016	if (len < 24 + 2)
5017	return;
5018
5019	if (!ether_addr_equal(addr1: mgmt->bssid, addr2: mgmt->sa)) {
5020	ieee80211_tdls_handle_disconnect(sdata, peer: mgmt->sa, reason: reason_code);
5021	return;
5022	}
5023
5024	if (ifmgd->associated &&
5025	ether_addr_equal(addr1: mgmt->bssid, addr2: sdata->vif.cfg.ap_addr)) {
5026	sdata_info(sdata, "deauthenticated from %pM (Reason: %u=%s)\n",
5027	sdata->vif.cfg.ap_addr, reason_code,
5028	ieee80211_get_reason_code_string(reason_code));
5029
5030	ieee80211_set_disassoc(sdata, stype: 0, reason: 0, tx: false, NULL);
5031
5032	ieee80211_report_disconnect(sdata, buf: (u8 *)mgmt, len, tx: false,
5033	reason: reason_code, reconnect: false);
5034	return;
5035	}
5036
5037	if (ifmgd->assoc_data &&
5038	ether_addr_equal(addr1: mgmt->bssid, addr2: ifmgd->assoc_data->ap_addr)) {
5039	sdata_info(sdata,
5040	"deauthenticated from %pM while associating (Reason: %u=%s)\n",
5041	ifmgd->assoc_data->ap_addr, reason_code,
5042	ieee80211_get_reason_code_string(reason_code));
5043
5044	ieee80211_destroy_assoc_data(sdata, status: ASSOC_ABANDON);
5045
5046	cfg80211_rx_mlme_mgmt(dev: sdata->dev, buf: (u8 *)mgmt, len);
5047	return;
5048	}
5049	}
5050
5051
5052	static void ieee80211_rx_mgmt_disassoc(struct ieee80211_sub_if_data *sdata,
5053	struct ieee80211_mgmt *mgmt, size_t len)
5054	{
5055	struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
5056	u16 reason_code;
5057
5058	lockdep_assert_wiphy(sdata->local->hw.wiphy);
5059
5060	if (len < 24 + 2)
5061	return;
5062
5063	if (!ifmgd->associated ||
5064	!ether_addr_equal(addr1: mgmt->bssid, addr2: sdata->vif.cfg.ap_addr))
5065	return;
5066
5067	reason_code = le16_to_cpu(mgmt->u.disassoc.reason_code);
5068
5069	if (!ether_addr_equal(addr1: mgmt->bssid, addr2: mgmt->sa)) {
5070	ieee80211_tdls_handle_disconnect(sdata, peer: mgmt->sa, reason: reason_code);
5071	return;
5072	}
5073
5074	sdata_info(sdata, "disassociated from %pM (Reason: %u=%s)\n",
5075	sdata->vif.cfg.ap_addr, reason_code,
5076	ieee80211_get_reason_code_string(reason_code));
5077
5078	ieee80211_set_disassoc(sdata, stype: 0, reason: 0, tx: false, NULL);
5079
5080	ieee80211_report_disconnect(sdata, buf: (u8 *)mgmt, len, tx: false, reason: reason_code,
5081	reconnect: false);
5082	}
5083
5084	static bool ieee80211_twt_req_supported(struct ieee80211_sub_if_data *sdata,
5085	struct ieee80211_supported_band *sband,
5086	const struct link_sta_info *link_sta,
5087	const struct ieee802_11_elems *elems)
5088	{
5089	const struct ieee80211_sta_he_cap *own_he_cap =
5090	ieee80211_get_he_iftype_cap_vif(sband, vif: &sdata->vif);
5091
5092	if (elems->ext_capab_len < 10)
5093	return false;
5094
5095	if (!(elems->ext_capab[9] & WLAN_EXT_CAPA10_TWT_RESPONDER_SUPPORT))
5096	return false;
5097
5098	return link_sta->pub->he_cap.he_cap_elem.mac_cap_info[0] &
5099	IEEE80211_HE_MAC_CAP0_TWT_RES &&
5100	own_he_cap &&
5101	(own_he_cap->he_cap_elem.mac_cap_info[0] &
5102	IEEE80211_HE_MAC_CAP0_TWT_REQ);
5103	}
5104
5105	static u64 ieee80211_recalc_twt_req(struct ieee80211_sub_if_data *sdata,
5106	struct ieee80211_supported_band *sband,
5107	struct ieee80211_link_data *link,
5108	struct link_sta_info *link_sta,
5109	struct ieee802_11_elems *elems)
5110	{
5111	bool twt = ieee80211_twt_req_supported(sdata, sband, link_sta, elems);
5112
5113	if (link->conf->twt_requester != twt) {
5114	link->conf->twt_requester = twt;
5115	return BSS_CHANGED_TWT;
5116	}
5117	return 0;
5118	}
5119
5120	static bool ieee80211_twt_bcast_support(struct ieee80211_sub_if_data *sdata,
5121	struct ieee80211_bss_conf *bss_conf,
5122	struct ieee80211_supported_band *sband,
5123	struct link_sta_info *link_sta)
5124	{
5125	const struct ieee80211_sta_he_cap *own_he_cap =
5126	ieee80211_get_he_iftype_cap_vif(sband, vif: &sdata->vif);
5127
5128	return bss_conf->he_support &&
5129	(link_sta->pub->he_cap.he_cap_elem.mac_cap_info[2] &
5130	IEEE80211_HE_MAC_CAP2_BCAST_TWT) &&
5131	own_he_cap &&
5132	(own_he_cap->he_cap_elem.mac_cap_info[2] &
5133	IEEE80211_HE_MAC_CAP2_BCAST_TWT);
5134	}
5135
5136	static void ieee80211_epcs_changed(struct ieee80211_sub_if_data *sdata,
5137	bool enabled)
5138	{
5139	/* in any case this is called, dialog token should be reset */
5140	sdata->u.mgd.epcs.dialog_token = 0;
5141
5142	if (sdata->u.mgd.epcs.enabled == enabled)
5143	return;
5144
5145	sdata->u.mgd.epcs.enabled = enabled;
5146	cfg80211_epcs_changed(netdev: sdata->dev, enabled);
5147	}
5148
5149	static void ieee80211_epcs_teardown(struct ieee80211_sub_if_data *sdata)
5150	{
5151	struct ieee80211_local *local = sdata->local;
5152	u8 link_id;
5153
5154	if (!sdata->u.mgd.epcs.enabled)
5155	return;
5156
5157	lockdep_assert_wiphy(local->hw.wiphy);
5158
5159	for (link_id = 0; link_id < IEEE80211_MLD_MAX_NUM_LINKS; link_id++) {
5160	struct ieee802_11_elems *elems;
5161	struct ieee80211_link_data *link;
5162	const struct cfg80211_bss_ies *ies;
5163	bool ret;
5164
5165	rcu_read_lock();
5166
5167	link = sdata_dereference(sdata->link[link_id], sdata);
5168	if (!link || !link->conf || !link->conf->bss) {
5169	rcu_read_unlock();
5170	continue;
5171	}
5172
5173	if (link->u.mgd.disable_wmm_tracking) {
5174	rcu_read_unlock();
5175	ieee80211_set_wmm_default(link, bss_notify: false, enable_qos: false);
5176	continue;
5177	}
5178
5179	ies = rcu_dereference(link->conf->bss->beacon_ies);
5180	if (!ies) {
5181	rcu_read_unlock();
5182	ieee80211_set_wmm_default(link, bss_notify: false, enable_qos: false);
5183	continue;
5184	}
5185
5186	elems = ieee802_11_parse_elems(start: ies->data, len: ies->len,
5187	IEEE80211_FTYPE_MGMT |
5188	IEEE80211_STYPE_BEACON,
5189	NULL);
5190	if (!elems) {
5191	rcu_read_unlock();
5192	ieee80211_set_wmm_default(link, bss_notify: false, enable_qos: false);
5193	continue;
5194	}
5195
5196	ret = _ieee80211_sta_wmm_params(local, link,
5197	wmm_param: elems->wmm_param,
5198	wmm_param_len: elems->wmm_param_len,
5199	mu_edca: elems->mu_edca_param_set);
5200
5201	kfree(objp: elems);
5202	rcu_read_unlock();
5203
5204	if (!ret) {
5205	ieee80211_set_wmm_default(link, bss_notify: false, enable_qos: false);
5206	continue;
5207	}
5208
5209	ieee80211_mgd_set_link_qos_params(link);
5210	ieee80211_link_info_change_notify(sdata, link, changed: BSS_CHANGED_QOS);
5211	}
5212	}
5213
5214	static bool ieee80211_assoc_config_link(struct ieee80211_link_data *link,
5215	struct link_sta_info *link_sta,
5216	struct cfg80211_bss *cbss,
5217	struct ieee80211_mgmt *mgmt,
5218	const u8 *elem_start,
5219	unsigned int elem_len,
5220	u64 *changed)
5221	{
5222	struct ieee80211_sub_if_data *sdata = link->sdata;
5223	struct ieee80211_mgd_assoc_data *assoc_data =
5224	sdata->u.mgd.assoc_data ?: sdata->u.mgd.reconf.add_links_data;
5225	struct ieee80211_bss_conf *bss_conf = link->conf;
5226	struct ieee80211_local *local = sdata->local;
5227	unsigned int link_id = link->link_id;
5228	struct ieee80211_elems_parse_params parse_params = {
5229	.mode = link->u.mgd.conn.mode,
5230	.start = elem_start,
5231	.len = elem_len,
5232	.link_id = link_id == assoc_data->assoc_link_id ? -1 : link_id,
5233	.from_ap = true,
5234	.type = le16_to_cpu(mgmt->frame_control) & IEEE80211_FCTL_TYPE,
5235	};
5236	bool is_5ghz = cbss->channel->band == NL80211_BAND_5GHZ;
5237	bool is_6ghz = cbss->channel->band == NL80211_BAND_6GHZ;
5238	bool is_s1g = cbss->channel->band == NL80211_BAND_S1GHZ;
5239	const struct cfg80211_bss_ies *bss_ies = NULL;
5240	struct ieee80211_supported_band *sband;
5241	struct ieee802_11_elems *elems;
5242	const __le16 prof_bss_param_ch_present =
5243	cpu_to_le16(IEEE80211_MLE_STA_CONTROL_BSS_PARAM_CHANGE_CNT_PRESENT);
5244	u16 capab_info;
5245	bool ret;
5246
5247	elems = ieee802_11_parse_elems_full(params: &parse_params);
5248	if (!elems)
5249	return false;
5250
5251	if (link_id == assoc_data->assoc_link_id) {
5252	capab_info = le16_to_cpu(mgmt->u.assoc_resp.capab_info);
5253
5254	/*
5255	* we should not get to this flow unless the association was
5256	* successful, so set the status directly to success
5257	*/
5258	assoc_data->link[link_id].status = WLAN_STATUS_SUCCESS;
5259	if (elems->ml_basic) {
5260	int bss_param_ch_cnt =
5261	ieee80211_mle_get_bss_param_ch_cnt(data: (const void *)elems->ml_basic);
5262
5263	if (bss_param_ch_cnt < 0) {
5264	ret = false;
5265	goto out;
5266	}
5267	bss_conf->bss_param_ch_cnt = bss_param_ch_cnt;
5268	bss_conf->bss_param_ch_cnt_link_id = link_id;
5269	}
5270	} else if (elems->parse_error & IEEE80211_PARSE_ERR_DUP_NEST_ML_BASIC ||
5271	!elems->prof ||
5272	!(elems->prof->control & prof_bss_param_ch_present)) {
5273	ret = false;
5274	goto out;
5275	} else {
5276	const u8 *ptr = elems->prof->variable +
5277	elems->prof->sta_info_len - 1;
5278	int bss_param_ch_cnt;
5279
5280	/*
5281	* During parsing, we validated that these fields exist,
5282	* otherwise elems->prof would have been set to NULL.
5283	*/
5284	capab_info = get_unaligned_le16(p: ptr);
5285	assoc_data->link[link_id].status = get_unaligned_le16(p: ptr + 2);
5286	bss_param_ch_cnt =
5287	ieee80211_mle_basic_sta_prof_bss_param_ch_cnt(prof: elems->prof);
5288	bss_conf->bss_param_ch_cnt = bss_param_ch_cnt;
5289	bss_conf->bss_param_ch_cnt_link_id = link_id;
5290
5291	if (assoc_data->link[link_id].status != WLAN_STATUS_SUCCESS) {
5292	link_info(link, "association response status code=%u\n",
5293	assoc_data->link[link_id].status);
5294	ret = true;
5295	goto out;
5296	}
5297	}
5298
5299	if (!is_s1g && !elems->supp_rates) {
5300	sdata_info(sdata, "no SuppRates element in AssocResp\n");
5301	ret = false;
5302	goto out;
5303	}
5304
5305	link->u.mgd.tdls_chan_switch_prohibited =
5306	elems->ext_capab && elems->ext_capab_len >= 5 &&
5307	(elems->ext_capab[4] & WLAN_EXT_CAPA5_TDLS_CH_SW_PROHIBITED);
5308
5309	/*
5310	* Some APs are erroneously not including some information in their
5311	* (re)association response frames. Try to recover by using the data
5312	* from the beacon or probe response. This seems to afflict mobile
5313	* 2G/3G/4G wifi routers, reported models include the "Onda PN51T",
5314	* "Vodafone PocketWiFi 2", "ZTE MF60" and a similar T-Mobile device.
5315	*/
5316	if (!ieee80211_hw_check(&local->hw, STRICT) && !is_6ghz &&
5317	((assoc_data->wmm && !elems->wmm_param) ||
5318	(link->u.mgd.conn.mode >= IEEE80211_CONN_MODE_HT &&
5319	(!elems->ht_cap_elem || !elems->ht_operation)) ||
5320	(is_5ghz && link->u.mgd.conn.mode >= IEEE80211_CONN_MODE_VHT &&
5321	(!elems->vht_cap_elem || !elems->vht_operation)))) {
5322	const struct cfg80211_bss_ies *ies;
5323	struct ieee802_11_elems *bss_elems;
5324
5325	rcu_read_lock();
5326	ies = rcu_dereference(cbss->ies);
5327	if (ies)
5328	bss_ies = kmemdup(ies, sizeof(*ies) + ies->len,
5329	GFP_ATOMIC);
5330	rcu_read_unlock();
5331	if (!bss_ies) {
5332	ret = false;
5333	goto out;
5334	}
5335
5336	parse_params.start = bss_ies->data;
5337	parse_params.len = bss_ies->len;
5338	parse_params.bss = cbss;
5339	parse_params.link_id = -1;
5340	bss_elems = ieee802_11_parse_elems_full(params: &parse_params);
5341	if (!bss_elems) {
5342	ret = false;
5343	goto out;
5344	}
5345
5346	if (assoc_data->wmm &&
5347	!elems->wmm_param && bss_elems->wmm_param) {
5348	elems->wmm_param = bss_elems->wmm_param;
5349	sdata_info(sdata,
5350	"AP bug: WMM param missing from AssocResp\n");
5351	}
5352
5353	/*
5354	* Also check if we requested HT/VHT, otherwise the AP doesn't
5355	* have to include the IEs in the (re)association response.
5356	*/
5357	if (!elems->ht_cap_elem && bss_elems->ht_cap_elem &&
5358	link->u.mgd.conn.mode >= IEEE80211_CONN_MODE_HT) {
5359	elems->ht_cap_elem = bss_elems->ht_cap_elem;
5360	sdata_info(sdata,
5361	"AP bug: HT capability missing from AssocResp\n");
5362	}
5363	if (!elems->ht_operation && bss_elems->ht_operation &&
5364	link->u.mgd.conn.mode >= IEEE80211_CONN_MODE_HT) {
5365	elems->ht_operation = bss_elems->ht_operation;
5366	sdata_info(sdata,
5367	"AP bug: HT operation missing from AssocResp\n");
5368	}
5369
5370	if (is_5ghz) {
5371	if (!elems->vht_cap_elem && bss_elems->vht_cap_elem &&
5372	link->u.mgd.conn.mode >= IEEE80211_CONN_MODE_VHT) {
5373	elems->vht_cap_elem = bss_elems->vht_cap_elem;
5374	sdata_info(sdata,
5375	"AP bug: VHT capa missing from AssocResp\n");
5376	}
5377
5378	if (!elems->vht_operation && bss_elems->vht_operation &&
5379	link->u.mgd.conn.mode >= IEEE80211_CONN_MODE_VHT) {
5380	elems->vht_operation = bss_elems->vht_operation;
5381	sdata_info(sdata,
5382	"AP bug: VHT operation missing from AssocResp\n");
5383	}
5384	}
5385	kfree(objp: bss_elems);
5386	}
5387
5388	/*
5389	* We previously checked these in the beacon/probe response, so
5390	* they should be present here. This is just a safety net.
5391	* Note that the ieee80211_config_bw() below would also check
5392	* for this (and more), but this has better error reporting.
5393	*/
5394	if (!is_6ghz && link->u.mgd.conn.mode >= IEEE80211_CONN_MODE_HT &&
5395	(!elems->wmm_param || !elems->ht_cap_elem || !elems->ht_operation)) {
5396	sdata_info(sdata,
5397	"HT AP is missing WMM params or HT capability/operation\n");
5398	ret = false;
5399	goto out;
5400	}
5401
5402	if (is_5ghz && link->u.mgd.conn.mode >= IEEE80211_CONN_MODE_VHT &&
5403	(!elems->vht_cap_elem || !elems->vht_operation)) {
5404	sdata_info(sdata,
5405	"VHT AP is missing VHT capability/operation\n");
5406	ret = false;
5407	goto out;
5408	}
5409
5410	/* check/update if AP changed anything in assoc response vs. scan */
5411	if (ieee80211_config_bw(link, elems,
5412	update: link_id == assoc_data->assoc_link_id,
5413	changed,
5414	le16_to_cpu(mgmt->frame_control) &
5415	IEEE80211_FCTL_STYPE)) {
5416	ret = false;
5417	goto out;
5418	}
5419
5420	if (WARN_ON(!link->conf->chanreq.oper.chan)) {
5421	ret = false;
5422	goto out;
5423	}
5424	sband = local->hw.wiphy->bands[link->conf->chanreq.oper.chan->band];
5425
5426	/* Set up internal HT/VHT capabilities */
5427	if (elems->ht_cap_elem && link->u.mgd.conn.mode >= IEEE80211_CONN_MODE_HT)
5428	ieee80211_ht_cap_ie_to_sta_ht_cap(sdata, sband,
5429	ht_cap_ie: elems->ht_cap_elem,
5430	link_sta);
5431
5432	if (elems->vht_cap_elem &&
5433	link->u.mgd.conn.mode >= IEEE80211_CONN_MODE_VHT) {
5434	const struct ieee80211_vht_cap *bss_vht_cap = NULL;
5435	const struct cfg80211_bss_ies *ies;
5436
5437	/*
5438	* Cisco AP module 9115 with FW 17.3 has a bug and sends a
5439	* too large maximum MPDU length in the association response
5440	* (indicating 12k) that it cannot actually process ...
5441	* Work around that.
5442	*/
5443	rcu_read_lock();
5444	ies = rcu_dereference(cbss->ies);
5445	if (ies) {
5446	const struct element *elem;
5447
5448	elem = cfg80211_find_elem(eid: WLAN_EID_VHT_CAPABILITY,
5449	ies: ies->data, len: ies->len);
5450	if (elem && elem->datalen >= sizeof(*bss_vht_cap))
5451	bss_vht_cap = (const void *)elem->data;
5452	}
5453
5454	if (ieee80211_hw_check(&local->hw, STRICT) &&
5455	(!bss_vht_cap || memcmp(p: bss_vht_cap, q: elems->vht_cap_elem,
5456	size: sizeof(*bss_vht_cap)))) {
5457	rcu_read_unlock();
5458	ret = false;
5459	link_info(link, "VHT capabilities mismatch\n");
5460	goto out;
5461	}
5462
5463	ieee80211_vht_cap_ie_to_sta_vht_cap(sdata, sband,
5464	vht_cap_ie: elems->vht_cap_elem,
5465	vht_cap_ie2: bss_vht_cap, link_sta);
5466	rcu_read_unlock();
5467	}
5468
5469	if (elems->he_operation &&
5470	link->u.mgd.conn.mode >= IEEE80211_CONN_MODE_HE &&
5471	elems->he_cap) {
5472	ieee80211_he_cap_ie_to_sta_he_cap(sdata, sband,
5473	he_cap_ie: elems->he_cap,
5474	he_cap_len: elems->he_cap_len,
5475	he_6ghz_capa: elems->he_6ghz_capa,
5476	link_sta);
5477
5478	bss_conf->he_support = link_sta->pub->he_cap.has_he;
5479	if (elems->rsnx && elems->rsnx_len &&
5480	(elems->rsnx[0] & WLAN_RSNX_CAPA_PROTECTED_TWT) &&
5481	wiphy_ext_feature_isset(wiphy: local->hw.wiphy,
5482	ftidx: NL80211_EXT_FEATURE_PROTECTED_TWT))
5483	bss_conf->twt_protected = true;
5484	else
5485	bss_conf->twt_protected = false;
5486
5487	*changed |= ieee80211_recalc_twt_req(sdata, sband, link,
5488	link_sta, elems);
5489
5490	if (elems->eht_operation && elems->eht_cap &&
5491	link->u.mgd.conn.mode >= IEEE80211_CONN_MODE_EHT) {
5492	ieee80211_eht_cap_ie_to_sta_eht_cap(sdata, sband,
5493	he_cap_ie: elems->he_cap,
5494	he_cap_len: elems->he_cap_len,
5495	eht_cap_ie_elem: elems->eht_cap,
5496	eht_cap_len: elems->eht_cap_len,
5497	link_sta);
5498
5499	bss_conf->eht_support = link_sta->pub->eht_cap.has_eht;
5500	bss_conf->epcs_support = bss_conf->eht_support &&
5501	!!(elems->eht_cap->fixed.mac_cap_info[0] &
5502	IEEE80211_EHT_MAC_CAP0_EPCS_PRIO_ACCESS);
5503
5504	/* EPCS might be already enabled but a new added link
5505	* does not support EPCS. This should not really happen
5506	* in practice.
5507	*/
5508	if (sdata->u.mgd.epcs.enabled &&
5509	!bss_conf->epcs_support)
5510	ieee80211_epcs_teardown(sdata);
5511	} else {
5512	bss_conf->eht_support = false;
5513	bss_conf->epcs_support = false;
5514	}
5515	} else {
5516	bss_conf->he_support = false;
5517	bss_conf->twt_requester = false;
5518	bss_conf->twt_protected = false;
5519	bss_conf->eht_support = false;
5520	bss_conf->epcs_support = false;
5521	}
5522
5523	if (elems->s1g_oper &&
5524	link->u.mgd.conn.mode == IEEE80211_CONN_MODE_S1G &&
5525	elems->s1g_capab)
5526	ieee80211_s1g_cap_to_sta_s1g_cap(sdata, s1g_cap_ie: elems->s1g_capab,
5527	link_sta);
5528
5529	bss_conf->twt_broadcast =
5530	ieee80211_twt_bcast_support(sdata, bss_conf, sband, link_sta);
5531
5532	if (bss_conf->he_support) {
5533	bss_conf->he_bss_color.color =
5534	le32_get_bits(v: elems->he_operation->he_oper_params,
5535	IEEE80211_HE_OPERATION_BSS_COLOR_MASK);
5536	bss_conf->he_bss_color.partial =
5537	le32_get_bits(v: elems->he_operation->he_oper_params,
5538	IEEE80211_HE_OPERATION_PARTIAL_BSS_COLOR);
5539	bss_conf->he_bss_color.enabled =
5540	!le32_get_bits(v: elems->he_operation->he_oper_params,
5541	IEEE80211_HE_OPERATION_BSS_COLOR_DISABLED);
5542
5543	if (bss_conf->he_bss_color.enabled)
5544	*changed |= BSS_CHANGED_HE_BSS_COLOR;
5545
5546	bss_conf->htc_trig_based_pkt_ext =
5547	le32_get_bits(v: elems->he_operation->he_oper_params,
5548	IEEE80211_HE_OPERATION_DFLT_PE_DURATION_MASK);
5549	bss_conf->frame_time_rts_th =
5550	le32_get_bits(v: elems->he_operation->he_oper_params,
5551	IEEE80211_HE_OPERATION_RTS_THRESHOLD_MASK);
5552
5553	bss_conf->uora_exists = !!elems->uora_element;
5554	if (elems->uora_element)
5555	bss_conf->uora_ocw_range = elems->uora_element[0];
5556
5557	ieee80211_he_op_ie_to_bss_conf(vif: &sdata->vif, he_op_ie_elem: elems->he_operation);
5558	ieee80211_he_spr_ie_to_bss_conf(vif: &sdata->vif, he_spr_ie_elem: elems->he_spr);
5559	/* TODO: OPEN: what happens if BSS color disable is set? */
5560	}
5561
5562	if (cbss->transmitted_bss) {
5563	bss_conf->nontransmitted = true;
5564	ether_addr_copy(dst: bss_conf->transmitter_bssid,
5565	src: cbss->transmitted_bss->bssid);
5566	bss_conf->bssid_indicator = cbss->max_bssid_indicator;
5567	bss_conf->bssid_index = cbss->bssid_index;
5568	}
5569
5570	/*
5571	* Some APs, e.g. Netgear WNDR3700, report invalid HT operation data
5572	* in their association response, so ignore that data for our own
5573	* configuration. If it changed since the last beacon, we'll get the
5574	* next beacon and update then.
5575	*/
5576
5577	/*
5578	* If an operating mode notification IE is present, override the
5579	* NSS calculation (that would be done in rate_control_rate_init())
5580	* and use the # of streams from that element.
5581	*/
5582	if (elems->opmode_notif &&
5583	!(*elems->opmode_notif & IEEE80211_OPMODE_NOTIF_RX_NSS_TYPE_BF)) {
5584	u8 nss;
5585
5586	nss = *elems->opmode_notif & IEEE80211_OPMODE_NOTIF_RX_NSS_MASK;
5587	nss >>= IEEE80211_OPMODE_NOTIF_RX_NSS_SHIFT;
5588	nss += 1;
5589	link_sta->pub->rx_nss = nss;
5590	}
5591
5592	/*
5593	* Always handle WMM once after association regardless
5594	* of the first value the AP uses. Setting -1 here has
5595	* that effect because the AP values is an unsigned
5596	* 4-bit value.
5597	*/
5598	link->u.mgd.wmm_last_param_set = -1;
5599	link->u.mgd.mu_edca_last_param_set = -1;
5600
5601	if (link->u.mgd.disable_wmm_tracking) {
5602	ieee80211_set_wmm_default(link, bss_notify: false, enable_qos: false);
5603	} else if (!ieee80211_sta_wmm_params(local, link, wmm_param: elems->wmm_param,
5604	wmm_param_len: elems->wmm_param_len,
5605	mu_edca: elems->mu_edca_param_set)) {
5606	/* still enable QoS since we might have HT/VHT */
5607	ieee80211_set_wmm_default(link, bss_notify: false, enable_qos: true);
5608	/* disable WMM tracking in this case to disable
5609	* tracking WMM parameter changes in the beacon if
5610	* the parameters weren't actually valid. Doing so
5611	* avoids changing parameters very strangely when
5612	* the AP is going back and forth between valid and
5613	* invalid parameters.
5614	*/
5615	link->u.mgd.disable_wmm_tracking = true;
5616	}
5617
5618	if (elems->max_idle_period_ie) {
5619	bss_conf->max_idle_period =
5620	le16_to_cpu(elems->max_idle_period_ie->max_idle_period);
5621	bss_conf->protected_keep_alive =
5622	!!(elems->max_idle_period_ie->idle_options &
5623	WLAN_IDLE_OPTIONS_PROTECTED_KEEP_ALIVE);
5624	*changed |= BSS_CHANGED_KEEP_ALIVE;
5625	} else {
5626	bss_conf->max_idle_period = 0;
5627	bss_conf->protected_keep_alive = false;
5628	}
5629
5630	/* set assoc capability (AID was already set earlier),
5631	* ieee80211_set_associated() will tell the driver */
5632	bss_conf->assoc_capability = capab_info;
5633
5634	ret = true;
5635	out:
5636	kfree(objp: elems);
5637	kfree(objp: bss_ies);
5638	return ret;
5639	}
5640
5641	static int ieee80211_mgd_setup_link_sta(struct ieee80211_link_data *link,
5642	struct sta_info *sta,
5643	struct link_sta_info *link_sta,
5644	struct cfg80211_bss *cbss)
5645	{
5646	struct ieee80211_sub_if_data *sdata = link->sdata;
5647	struct ieee80211_local *local = sdata->local;
5648	struct ieee80211_bss *bss = (void *)cbss->priv;
5649	u32 rates = 0, basic_rates = 0;
5650	bool have_higher_than_11mbit = false;
5651	int min_rate = INT_MAX, min_rate_index = -1;
5652	struct ieee80211_supported_band *sband;
5653
5654	memcpy(link_sta->addr, cbss->bssid, ETH_ALEN);
5655	memcpy(link_sta->pub->addr, cbss->bssid, ETH_ALEN);
5656
5657	/* TODO: S1G Basic Rate Set is expressed elsewhere */
5658	if (cbss->channel->band == NL80211_BAND_S1GHZ) {
5659	ieee80211_s1g_sta_rate_init(sta);
5660	return 0;
5661	}
5662
5663	sband = local->hw.wiphy->bands[cbss->channel->band];
5664
5665	ieee80211_get_rates(sband, supp_rates: bss->supp_rates, supp_rates_len: bss->supp_rates_len,
5666	NULL, ext_supp_rates_len: 0,
5667	rates: &rates, basic_rates: &basic_rates, NULL,
5668	have_higher_than_11mbit: &have_higher_than_11mbit,
5669	min_rate: &min_rate, min_rate_index: &min_rate_index);
5670
5671	/*
5672	* This used to be a workaround for basic rates missing
5673	* in the association response frame. Now that we no
5674	* longer use the basic rates from there, it probably
5675	* doesn't happen any more, but keep the workaround so
5676	* in case some *other* APs are buggy in different ways
5677	* we can connect -- with a warning.
5678	* Allow this workaround only in case the AP provided at least
5679	* one rate.
5680	*/
5681	if (min_rate_index < 0) {
5682	link_info(link, "No legacy rates in association response\n");
5683	return -EINVAL;
5684	} else if (!basic_rates) {
5685	link_info(link, "No basic rates, using min rate instead\n");
5686	basic_rates = BIT(min_rate_index);
5687	}
5688
5689	if (rates)
5690	link_sta->pub->supp_rates[cbss->channel->band] = rates;
5691	else
5692	link_info(link, "No rates found, keeping mandatory only\n");
5693
5694	link->conf->basic_rates = basic_rates;
5695
5696	/* cf. IEEE 802.11 9.2.12 */
5697	link->operating_11g_mode = sband->band == NL80211_BAND_2GHZ &&
5698	have_higher_than_11mbit;
5699
5700	return 0;
5701	}
5702
5703	static u8 ieee80211_max_rx_chains(struct ieee80211_link_data *link,
5704	struct cfg80211_bss *cbss)
5705	{
5706	struct ieee80211_he_mcs_nss_supp *he_mcs_nss_supp;
5707	const struct element *ht_cap_elem, *vht_cap_elem;
5708	const struct cfg80211_bss_ies *ies;
5709	const struct ieee80211_ht_cap *ht_cap;
5710	const struct ieee80211_vht_cap *vht_cap;
5711	const struct ieee80211_he_cap_elem *he_cap;
5712	const struct element *he_cap_elem;
5713	u16 mcs_80_map, mcs_160_map;
5714	int i, mcs_nss_size;
5715	bool support_160;
5716	u8 chains = 1;
5717
5718	if (link->u.mgd.conn.mode < IEEE80211_CONN_MODE_HT)
5719	return chains;
5720
5721	ht_cap_elem = ieee80211_bss_get_elem(bss: cbss, id: WLAN_EID_HT_CAPABILITY);
5722	if (ht_cap_elem && ht_cap_elem->datalen >= sizeof(*ht_cap)) {
5723	ht_cap = (void *)ht_cap_elem->data;
5724	chains = ieee80211_mcs_to_chains(mcs: &ht_cap->mcs);
5725	/*
5726	* TODO: use "Tx Maximum Number Spatial Streams Supported" and
5727	* "Tx Unequal Modulation Supported" fields.
5728	*/
5729	}
5730
5731	if (link->u.mgd.conn.mode < IEEE80211_CONN_MODE_VHT)
5732	return chains;
5733
5734	vht_cap_elem = ieee80211_bss_get_elem(bss: cbss, id: WLAN_EID_VHT_CAPABILITY);
5735	if (vht_cap_elem && vht_cap_elem->datalen >= sizeof(*vht_cap)) {
5736	u8 nss;
5737	u16 tx_mcs_map;
5738
5739	vht_cap = (void *)vht_cap_elem->data;
5740	tx_mcs_map = le16_to_cpu(vht_cap->supp_mcs.tx_mcs_map);
5741	for (nss = 8; nss > 0; nss--) {
5742	if (((tx_mcs_map >> (2 * (nss - 1))) & 3) !=
5743	IEEE80211_VHT_MCS_NOT_SUPPORTED)
5744	break;
5745	}
5746	/* TODO: use "Tx Highest Supported Long GI Data Rate" field? */
5747	chains = max(chains, nss);
5748	}
5749
5750	if (link->u.mgd.conn.mode < IEEE80211_CONN_MODE_HE)
5751	return chains;
5752
5753	ies = rcu_dereference(cbss->ies);
5754	he_cap_elem = cfg80211_find_ext_elem(ext_eid: WLAN_EID_EXT_HE_CAPABILITY,
5755	ies: ies->data, len: ies->len);
5756
5757	if (!he_cap_elem || he_cap_elem->datalen < sizeof(*he_cap) + 1)
5758	return chains;
5759
5760	/* skip one byte ext_tag_id */
5761	he_cap = (void *)(he_cap_elem->data + 1);
5762	mcs_nss_size = ieee80211_he_mcs_nss_size(he_cap);
5763
5764	/* invalid HE IE */
5765	if (he_cap_elem->datalen < 1 + mcs_nss_size + sizeof(*he_cap))
5766	return chains;
5767
5768	/* mcs_nss is right after he_cap info */
5769	he_mcs_nss_supp = (void *)(he_cap + 1);
5770
5771	mcs_80_map = le16_to_cpu(he_mcs_nss_supp->tx_mcs_80);
5772
5773	for (i = 7; i >= 0; i--) {
5774	u8 mcs_80 = mcs_80_map >> (2 * i) & 3;
5775
5776	if (mcs_80 != IEEE80211_VHT_MCS_NOT_SUPPORTED) {
5777	chains = max_t(u8, chains, i + 1);
5778	break;
5779	}
5780	}
5781
5782	support_160 = he_cap->phy_cap_info[0] &
5783	IEEE80211_HE_PHY_CAP0_CHANNEL_WIDTH_SET_160MHZ_IN_5G;
5784
5785	if (!support_160)
5786	return chains;
5787
5788	mcs_160_map = le16_to_cpu(he_mcs_nss_supp->tx_mcs_160);
5789	for (i = 7; i >= 0; i--) {
5790	u8 mcs_160 = mcs_160_map >> (2 * i) & 3;
5791
5792	if (mcs_160 != IEEE80211_VHT_MCS_NOT_SUPPORTED) {
5793	chains = max_t(u8, chains, i + 1);
5794	break;
5795	}
5796	}
5797
5798	return chains;
5799	}
5800
5801	static void
5802	ieee80211_determine_our_sta_mode(struct ieee80211_sub_if_data *sdata,
5803	struct ieee80211_supported_band *sband,
5804	struct cfg80211_assoc_request *req,
5805	bool wmm_used, int link_id,
5806	struct ieee80211_conn_settings *conn)
5807	{
5808	struct ieee80211_sta_ht_cap sta_ht_cap = sband->ht_cap;
5809	bool is_5ghz = sband->band == NL80211_BAND_5GHZ;
5810	bool is_6ghz = sband->band == NL80211_BAND_6GHZ;
5811	const struct ieee80211_sta_he_cap *he_cap;
5812	const struct ieee80211_sta_eht_cap *eht_cap;
5813	struct ieee80211_sta_vht_cap vht_cap;
5814
5815	if (sband->band == NL80211_BAND_S1GHZ) {
5816	conn->mode = IEEE80211_CONN_MODE_S1G;
5817	conn->bw_limit = IEEE80211_CONN_BW_LIMIT_20;
5818	mlme_dbg(sdata, "operating as S1G STA\n");
5819	return;
5820	}
5821
5822	conn->mode = IEEE80211_CONN_MODE_LEGACY;
5823	conn->bw_limit = IEEE80211_CONN_BW_LIMIT_20;
5824
5825	ieee80211_apply_htcap_overrides(sdata, ht_cap: &sta_ht_cap);
5826
5827	if (req && req->flags & ASSOC_REQ_DISABLE_HT) {
5828	mlme_link_id_dbg(sdata, link_id,
5829	"HT disabled by flag, limiting to legacy\n");
5830	goto out;
5831	}
5832
5833	if (!wmm_used) {
5834	mlme_link_id_dbg(sdata, link_id,
5835	"WMM/QoS not supported, limiting to legacy\n");
5836	goto out;
5837	}
5838
5839	if (req) {
5840	unsigned int i;
5841
5842	for (i = 0; i < req->crypto.n_ciphers_pairwise; i++) {
5843	if (req->crypto.ciphers_pairwise[i] == WLAN_CIPHER_SUITE_WEP40 ||
5844	req->crypto.ciphers_pairwise[i] == WLAN_CIPHER_SUITE_TKIP ||
5845	req->crypto.ciphers_pairwise[i] == WLAN_CIPHER_SUITE_WEP104) {
5846	netdev_info(dev: sdata->dev,
5847	format: "WEP/TKIP use, limiting to legacy\n");
5848	goto out;
5849	}
5850	}
5851	}
5852
5853	if (!sta_ht_cap.ht_supported && !is_6ghz) {
5854	mlme_link_id_dbg(sdata, link_id,
5855	"HT not supported (and not on 6 GHz), limiting to legacy\n");
5856	goto out;
5857	}
5858
5859	/* HT is fine */
5860	conn->mode = IEEE80211_CONN_MODE_HT;
5861	conn->bw_limit = sta_ht_cap.cap & IEEE80211_HT_CAP_SUP_WIDTH_20_40 ?
5862	IEEE80211_CONN_BW_LIMIT_40 :
5863	IEEE80211_CONN_BW_LIMIT_20;
5864
5865	memcpy(&vht_cap, &sband->vht_cap, sizeof(vht_cap));
5866	ieee80211_apply_vhtcap_overrides(sdata, vht_cap: &vht_cap);
5867
5868	if (req && req->flags & ASSOC_REQ_DISABLE_VHT) {
5869	mlme_link_id_dbg(sdata, link_id,
5870	"VHT disabled by flag, limiting to HT\n");
5871	goto out;
5872	}
5873
5874	if (vht_cap.vht_supported && is_5ghz) {
5875	bool have_80mhz = false;
5876	unsigned int i;
5877
5878	if (conn->bw_limit == IEEE80211_CONN_BW_LIMIT_20) {
5879	mlme_link_id_dbg(sdata, link_id,
5880	"no 40 MHz support on 5 GHz, limiting to HT\n");
5881	goto out;
5882	}
5883
5884	/* Allow VHT if at least one channel on the sband supports 80 MHz */
5885	for (i = 0; i < sband->n_channels; i++) {
5886	if (sband->channels[i].flags & (IEEE80211_CHAN_DISABLED |
5887	IEEE80211_CHAN_NO_80MHZ))
5888	continue;
5889
5890	have_80mhz = true;
5891	break;
5892	}
5893
5894	if (!have_80mhz) {
5895	mlme_link_id_dbg(sdata, link_id,
5896	"no 80 MHz channel support on 5 GHz, limiting to HT\n");
5897	goto out;
5898	}
5899	} else if (is_5ghz) { /* !vht_supported but on 5 GHz */
5900	mlme_link_id_dbg(sdata, link_id,
5901	"no VHT support on 5 GHz, limiting to HT\n");
5902	goto out;
5903	}
5904
5905	/* VHT - if we have - is fine, including 80 MHz, check 160 below again */
5906	if (sband->band != NL80211_BAND_2GHZ) {
5907	conn->mode = IEEE80211_CONN_MODE_VHT;
5908	conn->bw_limit = IEEE80211_CONN_BW_LIMIT_160;
5909	}
5910
5911	if (is_5ghz &&
5912	!(vht_cap.cap & (IEEE80211_VHT_CAP_SUPP_CHAN_WIDTH_160MHZ |
5913	IEEE80211_VHT_CAP_SUPP_CHAN_WIDTH_160_80PLUS80MHZ))) {
5914	conn->bw_limit = IEEE80211_CONN_BW_LIMIT_80;
5915	mlme_link_id_dbg(sdata, link_id,
5916	"no VHT 160 MHz capability on 5 GHz, limiting to 80 MHz");
5917	}
5918
5919	if (req && req->flags & ASSOC_REQ_DISABLE_HE) {
5920	mlme_link_id_dbg(sdata, link_id,
5921	"HE disabled by flag, limiting to HT/VHT\n");
5922	goto out;
5923	}
5924
5925	he_cap = ieee80211_get_he_iftype_cap_vif(sband, vif: &sdata->vif);
5926	if (!he_cap) {
5927	WARN_ON(is_6ghz);
5928	mlme_link_id_dbg(sdata, link_id,
5929	"no HE support, limiting to HT/VHT\n");
5930	goto out;
5931	}
5932
5933	/* so we have HE */
5934	conn->mode = IEEE80211_CONN_MODE_HE;
5935
5936	/* check bandwidth */
5937	switch (sband->band) {
5938	default:
5939	case NL80211_BAND_2GHZ:
5940	if (he_cap->he_cap_elem.phy_cap_info[0] &
5941	IEEE80211_HE_PHY_CAP0_CHANNEL_WIDTH_SET_40MHZ_IN_2G)
5942	break;
5943	conn->bw_limit = IEEE80211_CONN_BW_LIMIT_20;
5944	mlme_link_id_dbg(sdata, link_id,
5945	"no 40 MHz HE cap in 2.4 GHz, limiting to 20 MHz\n");
5946	break;
5947	case NL80211_BAND_5GHZ:
5948	if (!(he_cap->he_cap_elem.phy_cap_info[0] &
5949	IEEE80211_HE_PHY_CAP0_CHANNEL_WIDTH_SET_40MHZ_80MHZ_IN_5G)) {
5950	conn->bw_limit = IEEE80211_CONN_BW_LIMIT_20;
5951	mlme_link_id_dbg(sdata, link_id,
5952	"no 40/80 MHz HE cap in 5 GHz, limiting to 20 MHz\n");
5953	break;
5954	}
5955	if (!(he_cap->he_cap_elem.phy_cap_info[0] &
5956	IEEE80211_HE_PHY_CAP0_CHANNEL_WIDTH_SET_160MHZ_IN_5G)) {
5957	conn->bw_limit = min_t(enum ieee80211_conn_bw_limit,
5958	conn->bw_limit,
5959	IEEE80211_CONN_BW_LIMIT_80);
5960	mlme_link_id_dbg(sdata, link_id,
5961	"no 160 MHz HE cap in 5 GHz, limiting to 80 MHz\n");
5962	}
5963	break;
5964	case NL80211_BAND_6GHZ:
5965	if (he_cap->he_cap_elem.phy_cap_info[0] &
5966	IEEE80211_HE_PHY_CAP0_CHANNEL_WIDTH_SET_160MHZ_IN_5G)
5967	break;
5968	conn->bw_limit = min_t(enum ieee80211_conn_bw_limit,
5969	conn->bw_limit,
5970	IEEE80211_CONN_BW_LIMIT_80);
5971	mlme_link_id_dbg(sdata, link_id,
5972	"no 160 MHz HE cap in 6 GHz, limiting to 80 MHz\n");
5973	break;
5974	}
5975
5976	if (req && req->flags & ASSOC_REQ_DISABLE_EHT) {
5977	mlme_link_id_dbg(sdata, link_id,
5978	"EHT disabled by flag, limiting to HE\n");
5979	goto out;
5980	}
5981
5982	eht_cap = ieee80211_get_eht_iftype_cap_vif(sband, vif: &sdata->vif);
5983	if (!eht_cap) {
5984	mlme_link_id_dbg(sdata, link_id,
5985	"no EHT support, limiting to HE\n");
5986	goto out;
5987	}
5988
5989	/* we have EHT */
5990
5991	conn->mode = IEEE80211_CONN_MODE_EHT;
5992
5993	/* check bandwidth */
5994	if (is_6ghz &&
5995	eht_cap->eht_cap_elem.phy_cap_info[0] & IEEE80211_EHT_PHY_CAP0_320MHZ_IN_6GHZ)
5996	conn->bw_limit = IEEE80211_CONN_BW_LIMIT_320;
5997	else if (is_6ghz)
5998	mlme_link_id_dbg(sdata, link_id,
5999	"no EHT 320 MHz cap in 6 GHz, limiting to 160 MHz\n");
6000
6001	out:
6002	mlme_link_id_dbg(sdata, link_id,
6003	"determined local STA to be %s, BW limited to %d MHz\n",
6004	ieee80211_conn_mode_str(conn->mode),
6005	20 * (1 << conn->bw_limit));
6006	}
6007
6008	static void
6009	ieee80211_determine_our_sta_mode_auth(struct ieee80211_sub_if_data *sdata,
6010	struct ieee80211_supported_band *sband,
6011	struct cfg80211_auth_request *req,
6012	bool wmm_used,
6013	struct ieee80211_conn_settings *conn)
6014	{
6015	ieee80211_determine_our_sta_mode(sdata, sband, NULL, wmm_used,
6016	link_id: req->link_id > 0 ? req->link_id : 0,
6017	conn);
6018	}
6019
6020	static void
6021	ieee80211_determine_our_sta_mode_assoc(struct ieee80211_sub_if_data *sdata,
6022	struct ieee80211_supported_band *sband,
6023	struct cfg80211_assoc_request *req,
6024	bool wmm_used, int link_id,
6025	struct ieee80211_conn_settings *conn)
6026	{
6027	struct ieee80211_conn_settings tmp;
6028
6029	WARN_ON(!req);
6030
6031	ieee80211_determine_our_sta_mode(sdata, sband, req, wmm_used, link_id,
6032	conn: &tmp);
6033
6034	conn->mode = min_t(enum ieee80211_conn_mode,
6035	conn->mode, tmp.mode);
6036	conn->bw_limit = min_t(enum ieee80211_conn_bw_limit,
6037	conn->bw_limit, tmp.bw_limit);
6038	}
6039
6040	static int ieee80211_prep_channel(struct ieee80211_sub_if_data *sdata,
6041	struct ieee80211_link_data *link,
6042	int link_id,
6043	struct cfg80211_bss *cbss, bool mlo,
6044	struct ieee80211_conn_settings *conn,
6045	unsigned long *userspace_selectors)
6046	{
6047	struct ieee80211_local *local = sdata->local;
6048	bool is_6ghz = cbss->channel->band == NL80211_BAND_6GHZ;
6049	struct ieee80211_chan_req chanreq = {};
6050	struct cfg80211_chan_def ap_chandef;
6051	struct ieee802_11_elems *elems;
6052	int ret;
6053
6054	lockdep_assert_wiphy(local->hw.wiphy);
6055
6056	rcu_read_lock();
6057	elems = ieee80211_determine_chan_mode(sdata, conn, cbss, link_id,
6058	&chanreq, &ap_chandef,
6059	userspace_selectors);
6060
6061	if (IS_ERR(ptr: elems)) {
6062	rcu_read_unlock();
6063	return PTR_ERR(ptr: elems);
6064	}
6065
6066	if (mlo && !elems->ml_basic) {
6067	sdata_info(sdata, "Rejecting MLO as it is not supported by AP\n");
6068	rcu_read_unlock();
6069	kfree(objp: elems);
6070	return -EINVAL;
6071	}
6072
6073	if (link && is_6ghz && conn->mode >= IEEE80211_CONN_MODE_HE) {
6074	const struct ieee80211_he_6ghz_oper *he_6ghz_oper;
6075
6076	if (elems->pwr_constr_elem)
6077	link->conf->pwr_reduction = *elems->pwr_constr_elem;
6078
6079	he_6ghz_oper = ieee80211_he_6ghz_oper(he_oper: elems->he_operation);
6080	if (he_6ghz_oper)
6081	link->conf->power_type =
6082	cfg80211_6ghz_power_type(control: he_6ghz_oper->control,
6083	client_flags: cbss->channel->flags);
6084	else
6085	link_info(link,
6086	"HE 6 GHz operation missing (on %d MHz), expect issues\n",
6087	cbss->channel->center_freq);
6088
6089	link->conf->tpe = elems->tpe;
6090	ieee80211_rearrange_tpe(tpe: &link->conf->tpe, ap: &ap_chandef,
6091	used: &chanreq.oper);
6092	}
6093	rcu_read_unlock();
6094	/* the element data was RCU protected so no longer valid anyway */
6095	kfree(objp: elems);
6096	elems = NULL;
6097
6098	if (!link)
6099	return 0;
6100
6101	rcu_read_lock();
6102	link->needed_rx_chains = min(ieee80211_max_rx_chains(link, cbss),
6103	local->rx_chains);
6104	rcu_read_unlock();
6105
6106	/*
6107	* If this fails (possibly due to channel context sharing
6108	* on incompatible channels, e.g. 80+80 and 160 sharing the
6109	* same control channel) try to use a smaller bandwidth.
6110	*/
6111	ret = ieee80211_link_use_channel(link, req: &chanreq,
6112	mode: IEEE80211_CHANCTX_SHARED);
6113
6114	/* don't downgrade for 5/10/S1G MHz channels, though. */
6115	if (chanreq.oper.width == NL80211_CHAN_WIDTH_5 ||
6116	chanreq.oper.width == NL80211_CHAN_WIDTH_10 ||
6117	cfg80211_chandef_is_s1g(chandef: &chanreq.oper))
6118	return ret;
6119
6120	while (ret && chanreq.oper.width != NL80211_CHAN_WIDTH_20_NOHT) {
6121	ieee80211_chanreq_downgrade(chanreq: &chanreq, conn);
6122
6123	ret = ieee80211_link_use_channel(link, req: &chanreq,
6124	mode: IEEE80211_CHANCTX_SHARED);
6125	}
6126
6127	return ret;
6128	}
6129
6130	static bool ieee80211_get_dtim(const struct cfg80211_bss_ies *ies,
6131	u8 *dtim_count, u8 *dtim_period)
6132	{
6133	const u8 *tim_ie = cfg80211_find_ie(eid: WLAN_EID_TIM, ies: ies->data, len: ies->len);
6134	const u8 *idx_ie = cfg80211_find_ie(eid: WLAN_EID_MULTI_BSSID_IDX, ies: ies->data,
6135	len: ies->len);
6136	const struct ieee80211_tim_ie *tim = NULL;
6137	const struct ieee80211_bssid_index *idx;
6138	bool valid = tim_ie && tim_ie[1] >= 2;
6139
6140	if (valid)
6141	tim = (void *)(tim_ie + 2);
6142
6143	if (dtim_count)
6144	*dtim_count = valid ? tim->dtim_count : 0;
6145
6146	if (dtim_period)
6147	*dtim_period = valid ? tim->dtim_period : 0;
6148
6149	/* Check if value is overridden by non-transmitted profile */
6150	if (!idx_ie || idx_ie[1] < 3)
6151	return valid;
6152
6153	idx = (void *)(idx_ie + 2);
6154
6155	if (dtim_count)
6156	*dtim_count = idx->dtim_count;
6157
6158	if (dtim_period)
6159	*dtim_period = idx->dtim_period;
6160
6161	return true;
6162	}
6163
6164	static u16 ieee80211_get_ttlm(u8 bm_size, u8 *data)
6165	{
6166	if (bm_size == 1)
6167	return *data;
6168
6169	return get_unaligned_le16(p: data);
6170	}
6171
6172	static int
6173	ieee80211_parse_adv_t2l(struct ieee80211_sub_if_data *sdata,
6174	const struct ieee80211_ttlm_elem *ttlm,
6175	struct ieee80211_adv_ttlm_info *ttlm_info)
6176	{
6177	/* The element size was already validated in
6178	* ieee80211_tid_to_link_map_size_ok()
6179	*/
6180	u8 control, link_map_presence, map_size, tid;
6181	u8 *pos;
6182
6183	memset(ttlm_info, 0, sizeof(*ttlm_info));
6184	pos = (void *)ttlm->optional;
6185	control = ttlm->control;
6186
6187	if ((control & IEEE80211_TTLM_CONTROL_DIRECTION) !=
6188	IEEE80211_TTLM_DIRECTION_BOTH) {
6189	sdata_info(sdata, "Invalid advertised T2L map direction\n");
6190	return -EINVAL;
6191	}
6192
6193	if (!(control & IEEE80211_TTLM_CONTROL_DEF_LINK_MAP)) {
6194	link_map_presence = *pos;
6195	pos++;
6196	}
6197
6198	if (control & IEEE80211_TTLM_CONTROL_SWITCH_TIME_PRESENT) {
6199	ttlm_info->switch_time = get_unaligned_le16(p: pos);
6200
6201	/* Since ttlm_info->switch_time == 0 means no switch time, bump
6202	* it by 1.
6203	*/
6204	if (!ttlm_info->switch_time)
6205	ttlm_info->switch_time = 1;
6206
6207	pos += 2;
6208	}
6209
6210	if (control & IEEE80211_TTLM_CONTROL_EXPECTED_DUR_PRESENT) {
6211	ttlm_info->duration = pos[0] | pos[1] << 8 | pos[2] << 16;
6212	pos += 3;
6213	}
6214
6215	if (control & IEEE80211_TTLM_CONTROL_DEF_LINK_MAP) {
6216	ttlm_info->map = 0xffff;
6217	return 0;
6218	}
6219
6220	if (control & IEEE80211_TTLM_CONTROL_LINK_MAP_SIZE)
6221	map_size = 1;
6222	else
6223	map_size = 2;
6224
6225	/* According to Draft P802.11be_D3.0 clause 35.3.7.1.7, an AP MLD shall
6226	* not advertise a TID-to-link mapping that does not map all TIDs to the
6227	* same link set, reject frame if not all links have mapping
6228	*/
6229	if (link_map_presence != 0xff) {
6230	sdata_info(sdata,
6231	"Invalid advertised T2L mapping presence indicator\n");
6232	return -EINVAL;
6233	}
6234
6235	ttlm_info->map = ieee80211_get_ttlm(bm_size: map_size, data: pos);
6236	if (!ttlm_info->map) {
6237	sdata_info(sdata,
6238	"Invalid advertised T2L map for TID 0\n");
6239	return -EINVAL;
6240	}
6241
6242	pos += map_size;
6243
6244	for (tid = 1; tid < 8; tid++) {
6245	u16 map = ieee80211_get_ttlm(bm_size: map_size, data: pos);
6246
6247	if (map != ttlm_info->map) {
6248	sdata_info(sdata, "Invalid advertised T2L map for tid %d\n",
6249	tid);
6250	return -EINVAL;
6251	}
6252
6253	pos += map_size;
6254	}
6255	return 0;
6256	}
6257
6258	static bool ieee80211_assoc_success(struct ieee80211_sub_if_data *sdata,
6259	struct ieee80211_mgmt *mgmt,
6260	struct ieee802_11_elems *elems,
6261	const u8 *elem_start, unsigned int elem_len)
6262	{
6263	struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
6264	struct ieee80211_mgd_assoc_data *assoc_data = ifmgd->assoc_data;
6265	struct ieee80211_local *local = sdata->local;
6266	unsigned int link_id;
6267	struct sta_info *sta;
6268	u64 changed[IEEE80211_MLD_MAX_NUM_LINKS] = {};
6269	u16 valid_links = 0, dormant_links = 0;
6270	int err;
6271
6272	lockdep_assert_wiphy(sdata->local->hw.wiphy);
6273	/*
6274	* station info was already allocated and inserted before
6275	* the association and should be available to us
6276	*/
6277	sta = sta_info_get(sdata, addr: assoc_data->ap_addr);
6278	if (WARN_ON(!sta))
6279	goto out_err;
6280
6281	sta->sta.spp_amsdu = assoc_data->spp_amsdu;
6282
6283	if (ieee80211_vif_is_mld(vif: &sdata->vif)) {
6284	for (link_id = 0; link_id < IEEE80211_MLD_MAX_NUM_LINKS; link_id++) {
6285	if (!assoc_data->link[link_id].bss)
6286	continue;
6287
6288	valid_links |= BIT(link_id);
6289
6290	if (link_id != assoc_data->assoc_link_id) {
6291	err = ieee80211_sta_allocate_link(sta, link_id);
6292	if (err)
6293	goto out_err;
6294	}
6295	}
6296
6297	/*
6298	* We do not support setting a negotiated TTLM during
6299	* association. As such, we can assume that if there is a TTLM,
6300	* then it is the currently active advertised TTLM.
6301	* In that case, there must be exactly one TTLM that does not
6302	* have a switch time set. This mapping should also leave us
6303	* with at least one usable link.
6304	*/
6305	if (elems->ttlm_num > 1) {
6306	sdata_info(sdata,
6307	"More than one advertised TTLM in association response\n");
6308	goto out_err;
6309	} else if (elems->ttlm_num == 1) {
6310	if (ieee80211_parse_adv_t2l(sdata, ttlm: elems->ttlm[0],
6311	ttlm_info: &sdata->u.mgd.ttlm_info) ||
6312	sdata->u.mgd.ttlm_info.switch_time != 0 ||
6313	!(valid_links & sdata->u.mgd.ttlm_info.map)) {
6314	sdata_info(sdata,
6315	"Invalid advertised TTLM in association response\n");
6316	goto out_err;
6317	}
6318
6319	sdata->u.mgd.ttlm_info.active = true;
6320	dormant_links =
6321	valid_links & ~sdata->u.mgd.ttlm_info.map;
6322	}
6323
6324	ieee80211_vif_set_links(sdata, new_links: valid_links, dormant_links);
6325	}
6326
6327	for (link_id = 0; link_id < IEEE80211_MLD_MAX_NUM_LINKS; link_id++) {
6328	struct cfg80211_bss *cbss = assoc_data->link[link_id].bss;
6329	struct ieee80211_link_data *link;
6330	struct link_sta_info *link_sta;
6331
6332	if (!cbss)
6333	continue;
6334
6335	link = sdata_dereference(sdata->link[link_id], sdata);
6336	if (WARN_ON(!link))
6337	goto out_err;
6338
6339	if (ieee80211_vif_is_mld(vif: &sdata->vif))
6340	link_info(link,
6341	"local address %pM, AP link address %pM%s\n",
6342	link->conf->addr,
6343	assoc_data->link[link_id].bss->bssid,
6344	link_id == assoc_data->assoc_link_id ?
6345	" (assoc)" : "");
6346
6347	link_sta = rcu_dereference_protected(sta->link[link_id],
6348	lockdep_is_held(&local->hw.wiphy->mtx));
6349	if (WARN_ON(!link_sta))
6350	goto out_err;
6351
6352	if (!link->u.mgd.have_beacon) {
6353	const struct cfg80211_bss_ies *ies;
6354
6355	rcu_read_lock();
6356	ies = rcu_dereference(cbss->beacon_ies);
6357	if (ies)
6358	link->u.mgd.have_beacon = true;
6359	else
6360	ies = rcu_dereference(cbss->ies);
6361	ieee80211_get_dtim(ies,
6362	dtim_count: &link->conf->sync_dtim_count,
6363	dtim_period: &link->u.mgd.dtim_period);
6364	link->conf->beacon_int = cbss->beacon_interval;
6365	rcu_read_unlock();
6366	}
6367
6368	link->conf->dtim_period = link->u.mgd.dtim_period ?: 1;
6369
6370	if (link_id != assoc_data->assoc_link_id) {
6371	link->u.mgd.conn = assoc_data->link[link_id].conn;
6372
6373	err = ieee80211_prep_channel(sdata, link, link_id, cbss,
6374	mlo: true, conn: &link->u.mgd.conn,
6375	userspace_selectors: sdata->u.mgd.userspace_selectors);
6376	if (err) {
6377	link_info(link, "prep_channel failed\n");
6378	goto out_err;
6379	}
6380	}
6381
6382	err = ieee80211_mgd_setup_link_sta(link, sta, link_sta,
6383	cbss: assoc_data->link[link_id].bss);
6384	if (err)
6385	goto out_err;
6386
6387	if (!ieee80211_assoc_config_link(link, link_sta,
6388	cbss: assoc_data->link[link_id].bss,
6389	mgmt, elem_start, elem_len,
6390	changed: &changed[link_id]))
6391	goto out_err;
6392
6393	if (assoc_data->link[link_id].status != WLAN_STATUS_SUCCESS) {
6394	valid_links &= ~BIT(link_id);
6395	ieee80211_sta_remove_link(sta, link_id);
6396	continue;
6397	}
6398
6399	if (link_id != assoc_data->assoc_link_id) {
6400	err = ieee80211_sta_activate_link(sta, link_id);
6401	if (err)
6402	goto out_err;
6403	}
6404	}
6405
6406	/* links might have changed due to rejected ones, set them again */
6407	ieee80211_vif_set_links(sdata, new_links: valid_links, dormant_links);
6408
6409	rate_control_rate_init_all_links(sta);
6410
6411	if (ifmgd->flags & IEEE80211_STA_MFP_ENABLED) {
6412	set_sta_flag(sta, flag: WLAN_STA_MFP);
6413	sta->sta.mfp = true;
6414	} else {
6415	sta->sta.mfp = false;
6416	}
6417
6418	ieee80211_sta_set_max_amsdu_subframes(sta, ext_capab: elems->ext_capab,
6419	ext_capab_len: elems->ext_capab_len);
6420
6421	sta->sta.wme = (elems->wmm_param || elems->s1g_capab) &&
6422	local->hw.queues >= IEEE80211_NUM_ACS;
6423
6424	err = sta_info_move_state(sta, new_state: IEEE80211_STA_ASSOC);
6425	if (!err && !(ifmgd->flags & IEEE80211_STA_CONTROL_PORT))
6426	err = sta_info_move_state(sta, new_state: IEEE80211_STA_AUTHORIZED);
6427	if (err) {
6428	sdata_info(sdata,
6429	"failed to move station %pM to desired state\n",
6430	sta->sta.addr);
6431	WARN_ON(__sta_info_destroy(sta));
6432	goto out_err;
6433	}
6434
6435	if (sdata->wdev.use_4addr)
6436	drv_sta_set_4addr(local, sdata, sta: &sta->sta, enabled: true);
6437
6438	ieee80211_set_associated(sdata, assoc_data, changed);
6439
6440	/*
6441	* If we're using 4-addr mode, let the AP know that we're
6442	* doing so, so that it can create the STA VLAN on its side
6443	*/
6444	if (ifmgd->use_4addr)
6445	ieee80211_send_4addr_nullfunc(local, sdata);
6446
6447	/*
6448	* Start timer to probe the connection to the AP now.
6449	* Also start the timer that will detect beacon loss.
6450	*/
6451	ieee80211_sta_reset_beacon_monitor(sdata);
6452	ieee80211_sta_reset_conn_monitor(sdata);
6453
6454	return true;
6455	out_err:
6456	eth_zero_addr(addr: sdata->vif.cfg.ap_addr);
6457	return false;
6458	}
6459
6460	static void ieee80211_rx_mgmt_assoc_resp(struct ieee80211_sub_if_data *sdata,
6461	struct ieee80211_mgmt *mgmt,
6462	size_t len)
6463	{
6464	struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
6465	struct ieee80211_mgd_assoc_data *assoc_data = ifmgd->assoc_data;
6466	u16 capab_info, status_code, aid;
6467	struct ieee80211_elems_parse_params parse_params = {
6468	.bss = NULL,
6469	.link_id = -1,
6470	.from_ap = true,
6471	.type = le16_to_cpu(mgmt->frame_control) & IEEE80211_FCTL_TYPE,
6472	};
6473	struct ieee802_11_elems *elems;
6474	int ac;
6475	const u8 *elem_start;
6476	unsigned int elem_len;
6477	bool reassoc;
6478	struct ieee80211_event event = {
6479	.type = MLME_EVENT,
6480	.u.mlme.data = ASSOC_EVENT,
6481	};
6482	struct ieee80211_prep_tx_info info = {};
6483	struct cfg80211_rx_assoc_resp_data resp = {
6484	.uapsd_queues = -1,
6485	};
6486	u8 ap_mld_addr[ETH_ALEN] __aligned(2);
6487	unsigned int link_id;
6488	u16 max_aid = IEEE80211_MAX_AID;
6489
6490	lockdep_assert_wiphy(sdata->local->hw.wiphy);
6491
6492	if (!assoc_data)
6493	return;
6494
6495	info.link_id = assoc_data->assoc_link_id;
6496
6497	parse_params.mode =
6498	assoc_data->link[assoc_data->assoc_link_id].conn.mode;
6499
6500	if (!ether_addr_equal(addr1: assoc_data->ap_addr, addr2: mgmt->bssid) ||
6501	!ether_addr_equal(addr1: assoc_data->ap_addr, addr2: mgmt->sa))
6502	return;
6503
6504	/*
6505	* AssocResp and ReassocResp have identical structure, so process both
6506	* of them in this function.
6507	*/
6508
6509	if (len < 24 + 6)
6510	return;
6511
6512	reassoc = ieee80211_is_reassoc_resp(fc: mgmt->frame_control);
6513	capab_info = le16_to_cpu(mgmt->u.assoc_resp.capab_info);
6514	status_code = le16_to_cpu(mgmt->u.assoc_resp.status_code);
6515	if (assoc_data->s1g) {
6516	elem_start = mgmt->u.s1g_assoc_resp.variable;
6517	max_aid = IEEE80211_MAX_SUPPORTED_S1G_AID;
6518	} else {
6519	elem_start = mgmt->u.assoc_resp.variable;
6520	}
6521
6522	/*
6523	* Note: this may not be perfect, AP might misbehave - if
6524	* anyone needs to rely on perfect complete notification
6525	* with the exact right subtype, then we need to track what
6526	* we actually transmitted.
6527	*/
6528	info.subtype = reassoc ? IEEE80211_STYPE_REASSOC_REQ :
6529	IEEE80211_STYPE_ASSOC_REQ;
6530
6531	if (assoc_data->fils_kek_len &&
6532	fils_decrypt_assoc_resp(sdata, frame: (u8 *)mgmt, frame_len: &len, assoc_data) < 0)
6533	return;
6534
6535	elem_len = len - (elem_start - (u8 *)mgmt);
6536	parse_params.start = elem_start;
6537	parse_params.len = elem_len;
6538	elems = ieee802_11_parse_elems_full(params: &parse_params);
6539	if (!elems)
6540	goto notify_driver;
6541
6542	if (elems->aid_resp)
6543	aid = le16_to_cpu(elems->aid_resp->aid);
6544	else
6545	aid = le16_to_cpu(mgmt->u.assoc_resp.aid);
6546
6547	/*
6548	* The 5 MSB of the AID field are reserved for a non-S1G STA. For
6549	* an S1G STA the 3 MSBs are reserved.
6550	* (802.11-2016 9.4.1.8 AID field).
6551	*/
6552	aid &= assoc_data->s1g ? 0x1fff : 0x7ff;
6553
6554	sdata_info(sdata,
6555	"RX %sssocResp from %pM (capab=0x%x status=%d aid=%d)\n",
6556	reassoc ? "Rea" : "A", assoc_data->ap_addr,
6557	capab_info, status_code, (u16)(aid & ~(BIT(15) | BIT(14))));
6558
6559	ifmgd->broken_ap = false;
6560
6561	if (status_code == WLAN_STATUS_ASSOC_REJECTED_TEMPORARILY &&
6562	elems->timeout_int &&
6563	elems->timeout_int->type == WLAN_TIMEOUT_ASSOC_COMEBACK) {
6564	u32 tu, ms;
6565
6566	cfg80211_assoc_comeback(netdev: sdata->dev, ap_addr: assoc_data->ap_addr,
6567	le32_to_cpu(elems->timeout_int->value));
6568
6569	tu = le32_to_cpu(elems->timeout_int->value);
6570	ms = tu * 1024 / 1000;
6571	sdata_info(sdata,
6572	"%pM rejected association temporarily; comeback duration %u TU (%u ms)\n",
6573	assoc_data->ap_addr, tu, ms);
6574	assoc_data->timeout = jiffies + msecs_to_jiffies(m: ms);
6575	assoc_data->timeout_started = true;
6576	assoc_data->comeback = true;
6577	if (ms > IEEE80211_ASSOC_TIMEOUT)
6578	run_again(sdata, timeout: assoc_data->timeout);
6579	goto notify_driver;
6580	}
6581
6582	if (status_code != WLAN_STATUS_SUCCESS) {
6583	sdata_info(sdata, "%pM denied association (code=%d)\n",
6584	assoc_data->ap_addr, status_code);
6585	event.u.mlme.status = MLME_DENIED;
6586	event.u.mlme.reason = status_code;
6587	drv_event_callback(local: sdata->local, sdata, event: &event);
6588	} else {
6589	if (aid == 0 || aid > max_aid) {
6590	sdata_info(sdata,
6591	"invalid AID value %d (out of range), turn off PS\n",
6592	aid);
6593	aid = 0;
6594	ifmgd->broken_ap = true;
6595	}
6596
6597	if (ieee80211_vif_is_mld(vif: &sdata->vif)) {
6598	struct ieee80211_mle_basic_common_info *common;
6599
6600	if (!elems->ml_basic) {
6601	sdata_info(sdata,
6602	"MLO association with %pM but no (basic) multi-link element in response!\n",
6603	assoc_data->ap_addr);
6604	goto abandon_assoc;
6605	}
6606
6607	common = (void *)elems->ml_basic->variable;
6608
6609	if (memcmp(p: assoc_data->ap_addr,
6610	q: common->mld_mac_addr, ETH_ALEN)) {
6611	sdata_info(sdata,
6612	"AP MLD MAC address mismatch: got %pM expected %pM\n",
6613	common->mld_mac_addr,
6614	assoc_data->ap_addr);
6615	goto abandon_assoc;
6616	}
6617
6618	sdata->vif.cfg.eml_cap =
6619	ieee80211_mle_get_eml_cap(data: (const void *)elems->ml_basic);
6620	sdata->vif.cfg.eml_med_sync_delay =
6621	ieee80211_mle_get_eml_med_sync_delay(data: (const void *)elems->ml_basic);
6622	sdata->vif.cfg.mld_capa_op =
6623	ieee80211_mle_get_mld_capa_op(data: (const void *)elems->ml_basic);
6624	}
6625
6626	sdata->vif.cfg.aid = aid;
6627	sdata->vif.cfg.s1g = assoc_data->s1g;
6628
6629	if (!ieee80211_assoc_success(sdata, mgmt, elems,
6630	elem_start, elem_len)) {
6631	/* oops -- internal error -- send timeout for now */
6632	ieee80211_destroy_assoc_data(sdata, status: ASSOC_TIMEOUT);
6633	goto notify_driver;
6634	}
6635	event.u.mlme.status = MLME_SUCCESS;
6636	drv_event_callback(local: sdata->local, sdata, event: &event);
6637	sdata_info(sdata, "associated\n");
6638
6639	info.success = 1;
6640	}
6641
6642	for (link_id = 0; link_id < IEEE80211_MLD_MAX_NUM_LINKS; link_id++) {
6643	struct ieee80211_link_data *link;
6644
6645	if (!assoc_data->link[link_id].bss)
6646	continue;
6647
6648	resp.links[link_id].bss = assoc_data->link[link_id].bss;
6649	ether_addr_copy(dst: resp.links[link_id].addr,
6650	src: assoc_data->link[link_id].addr);
6651	resp.links[link_id].status = assoc_data->link[link_id].status;
6652
6653	link = sdata_dereference(sdata->link[link_id], sdata);
6654	if (!link)
6655	continue;
6656
6657	/* get uapsd queues configuration - same for all links */
6658	resp.uapsd_queues = 0;
6659	for (ac = 0; ac < IEEE80211_NUM_ACS; ac++)
6660	if (link->tx_conf[ac].uapsd)
6661	resp.uapsd_queues |= ieee80211_ac_to_qos_mask[ac];
6662	}
6663
6664	if (ieee80211_vif_is_mld(vif: &sdata->vif)) {
6665	ether_addr_copy(dst: ap_mld_addr, src: sdata->vif.cfg.ap_addr);
6666	resp.ap_mld_addr = ap_mld_addr;
6667	}
6668
6669	ieee80211_destroy_assoc_data(sdata,
6670	status: status_code == WLAN_STATUS_SUCCESS ?
6671	ASSOC_SUCCESS :
6672	ASSOC_REJECTED);
6673
6674	resp.buf = (u8 *)mgmt;
6675	resp.len = len;
6676	resp.req_ies = ifmgd->assoc_req_ies;
6677	resp.req_ies_len = ifmgd->assoc_req_ies_len;
6678	cfg80211_rx_assoc_resp(dev: sdata->dev, data: &resp);
6679	notify_driver:
6680	drv_mgd_complete_tx(local: sdata->local, sdata, info: &info);
6681	kfree(objp: elems);
6682	return;
6683	abandon_assoc:
6684	ieee80211_destroy_assoc_data(sdata, status: ASSOC_ABANDON);
6685	goto notify_driver;
6686	}
6687
6688	static void ieee80211_rx_bss_info(struct ieee80211_link_data *link,
6689	struct ieee80211_mgmt *mgmt, size_t len,
6690	struct ieee80211_rx_status *rx_status)
6691	{
6692	struct ieee80211_sub_if_data *sdata = link->sdata;
6693	struct ieee80211_local *local = sdata->local;
6694	struct ieee80211_bss *bss;
6695	struct ieee80211_channel *channel;
6696
6697	lockdep_assert_wiphy(sdata->local->hw.wiphy);
6698
6699	channel = ieee80211_get_channel_khz(wiphy: local->hw.wiphy,
6700	freq: ieee80211_rx_status_to_khz(rx_status));
6701	if (!channel)
6702	return;
6703
6704	bss = ieee80211_bss_info_update(local, rx_status, mgmt, len, channel);
6705	if (bss) {
6706	link->conf->beacon_rate = bss->beacon_rate;
6707	ieee80211_rx_bss_put(local, bss);
6708	}
6709	}
6710
6711
6712	static void ieee80211_rx_mgmt_probe_resp(struct ieee80211_link_data *link,
6713	struct sk_buff *skb)
6714	{
6715	struct ieee80211_sub_if_data *sdata = link->sdata;
6716	struct ieee80211_mgmt *mgmt = (void *)skb->data;
6717	struct ieee80211_if_managed *ifmgd;
6718	struct ieee80211_rx_status *rx_status = (void *) skb->cb;
6719	struct ieee80211_channel *channel;
6720	size_t baselen, len = skb->len;
6721
6722	ifmgd = &sdata->u.mgd;
6723
6724	lockdep_assert_wiphy(sdata->local->hw.wiphy);
6725
6726	/*
6727	* According to Draft P802.11ax D6.0 clause 26.17.2.3.2:
6728	* "If a 6 GHz AP receives a Probe Request frame and responds with
6729	* a Probe Response frame [..], the Address 1 field of the Probe
6730	* Response frame shall be set to the broadcast address [..]"
6731	* So, on 6GHz band we should also accept broadcast responses.
6732	*/
6733	channel = ieee80211_get_channel_khz(wiphy: sdata->local->hw.wiphy,
6734	freq: ieee80211_rx_status_to_khz(rx_status));
6735	if (!channel)
6736	return;
6737
6738	if (!ether_addr_equal(addr1: mgmt->da, addr2: sdata->vif.addr) &&
6739	(channel->band != NL80211_BAND_6GHZ ||
6740	!is_broadcast_ether_addr(addr: mgmt->da)))
6741	return; /* ignore ProbeResp to foreign address */
6742
6743	baselen = (u8 *) mgmt->u.probe_resp.variable - (u8 *) mgmt;
6744	if (baselen > len)
6745	return;
6746
6747	ieee80211_rx_bss_info(link, mgmt, len, rx_status);
6748
6749	if (ifmgd->associated &&
6750	ether_addr_equal(addr1: mgmt->bssid, addr2: link->u.mgd.bssid))
6751	ieee80211_reset_ap_probe(sdata);
6752	}
6753
6754	/*
6755	* This is the canonical list of information elements we care about,
6756	* the filter code also gives us all changes to the Microsoft OUI
6757	* (00:50:F2) vendor IE which is used for WMM which we need to track,
6758	* as well as the DTPC IE (part of the Cisco OUI) used for signaling
6759	* changes to requested client power.
6760	*
6761	* We implement beacon filtering in software since that means we can
6762	* avoid processing the frame here and in cfg80211, and userspace
6763	* will not be able to tell whether the hardware supports it or not.
6764	*
6765	* XXX: This list needs to be dynamic -- userspace needs to be able to
6766	* add items it requires. It also needs to be able to tell us to
6767	* look out for other vendor IEs.
6768	*/
6769	static const u64 care_about_ies =
6770	(1ULL << WLAN_EID_COUNTRY) |
6771	(1ULL << WLAN_EID_ERP_INFO) |
6772	(1ULL << WLAN_EID_CHANNEL_SWITCH) |
6773	(1ULL << WLAN_EID_PWR_CONSTRAINT) |
6774	(1ULL << WLAN_EID_HT_CAPABILITY) |
6775	(1ULL << WLAN_EID_HT_OPERATION) |
6776	(1ULL << WLAN_EID_EXT_CHANSWITCH_ANN);
6777
6778	static void ieee80211_handle_beacon_sig(struct ieee80211_link_data *link,
6779	struct ieee80211_if_managed *ifmgd,
6780	struct ieee80211_bss_conf *bss_conf,
6781	struct ieee80211_local *local,
6782	struct ieee80211_rx_status *rx_status)
6783	{
6784	struct ieee80211_sub_if_data *sdata = link->sdata;
6785
6786	/* Track average RSSI from the Beacon frames of the current AP */
6787
6788	if (!link->u.mgd.tracking_signal_avg) {
6789	link->u.mgd.tracking_signal_avg = true;
6790	ewma_beacon_signal_init(e: &link->u.mgd.ave_beacon_signal);
6791	link->u.mgd.last_cqm_event_signal = 0;
6792	link->u.mgd.count_beacon_signal = 1;
6793	link->u.mgd.last_ave_beacon_signal = 0;
6794	} else {
6795	link->u.mgd.count_beacon_signal++;
6796	}
6797
6798	ewma_beacon_signal_add(e: &link->u.mgd.ave_beacon_signal,
6799	val: -rx_status->signal);
6800
6801	if (ifmgd->rssi_min_thold != ifmgd->rssi_max_thold &&
6802	link->u.mgd.count_beacon_signal >= IEEE80211_SIGNAL_AVE_MIN_COUNT) {
6803	int sig = -ewma_beacon_signal_read(e: &link->u.mgd.ave_beacon_signal);
6804	int last_sig = link->u.mgd.last_ave_beacon_signal;
6805	struct ieee80211_event event = {
6806	.type = RSSI_EVENT,
6807	};
6808
6809	/*
6810	* if signal crosses either of the boundaries, invoke callback
6811	* with appropriate parameters
6812	*/
6813	if (sig > ifmgd->rssi_max_thold &&
6814	(last_sig <= ifmgd->rssi_min_thold || last_sig == 0)) {
6815	link->u.mgd.last_ave_beacon_signal = sig;
6816	event.u.rssi.data = RSSI_EVENT_HIGH;
6817	drv_event_callback(local, sdata, event: &event);
6818	} else if (sig < ifmgd->rssi_min_thold &&
6819	(last_sig >= ifmgd->rssi_max_thold ||
6820	last_sig == 0)) {
6821	link->u.mgd.last_ave_beacon_signal = sig;
6822	event.u.rssi.data = RSSI_EVENT_LOW;
6823	drv_event_callback(local, sdata, event: &event);
6824	}
6825	}
6826
6827	if (bss_conf->cqm_rssi_thold &&
6828	link->u.mgd.count_beacon_signal >= IEEE80211_SIGNAL_AVE_MIN_COUNT &&
6829	!(sdata->vif.driver_flags & IEEE80211_VIF_SUPPORTS_CQM_RSSI)) {
6830	int sig = -ewma_beacon_signal_read(e: &link->u.mgd.ave_beacon_signal);
6831	int last_event = link->u.mgd.last_cqm_event_signal;
6832	int thold = bss_conf->cqm_rssi_thold;
6833	int hyst = bss_conf->cqm_rssi_hyst;
6834
6835	if (sig < thold &&
6836	(last_event == 0 || sig < last_event - hyst)) {
6837	link->u.mgd.last_cqm_event_signal = sig;
6838	ieee80211_cqm_rssi_notify(
6839	vif: &sdata->vif,
6840	rssi_event: NL80211_CQM_RSSI_THRESHOLD_EVENT_LOW,
6841	rssi_level: sig, GFP_KERNEL);
6842	} else if (sig > thold &&
6843	(last_event == 0 || sig > last_event + hyst)) {
6844	link->u.mgd.last_cqm_event_signal = sig;
6845	ieee80211_cqm_rssi_notify(
6846	vif: &sdata->vif,
6847	rssi_event: NL80211_CQM_RSSI_THRESHOLD_EVENT_HIGH,
6848	rssi_level: sig, GFP_KERNEL);
6849	}
6850	}
6851
6852	if (bss_conf->cqm_rssi_low &&
6853	link->u.mgd.count_beacon_signal >= IEEE80211_SIGNAL_AVE_MIN_COUNT) {
6854	int sig = -ewma_beacon_signal_read(e: &link->u.mgd.ave_beacon_signal);
6855	int last_event = link->u.mgd.last_cqm_event_signal;
6856	int low = bss_conf->cqm_rssi_low;
6857	int high = bss_conf->cqm_rssi_high;
6858
6859	if (sig < low &&
6860	(last_event == 0 || last_event >= low)) {
6861	link->u.mgd.last_cqm_event_signal = sig;
6862	ieee80211_cqm_rssi_notify(
6863	vif: &sdata->vif,
6864	rssi_event: NL80211_CQM_RSSI_THRESHOLD_EVENT_LOW,
6865	rssi_level: sig, GFP_KERNEL);
6866	} else if (sig > high &&
6867	(last_event == 0 || last_event <= high)) {
6868	link->u.mgd.last_cqm_event_signal = sig;
6869	ieee80211_cqm_rssi_notify(
6870	vif: &sdata->vif,
6871	rssi_event: NL80211_CQM_RSSI_THRESHOLD_EVENT_HIGH,
6872	rssi_level: sig, GFP_KERNEL);
6873	}
6874	}
6875	}
6876
6877	static bool ieee80211_rx_our_beacon(const u8 *tx_bssid,
6878	struct cfg80211_bss *bss)
6879	{
6880	if (ether_addr_equal(addr1: tx_bssid, addr2: bss->bssid))
6881	return true;
6882	if (!bss->transmitted_bss)
6883	return false;
6884	return ether_addr_equal(addr1: tx_bssid, addr2: bss->transmitted_bss->bssid);
6885	}
6886
6887	static void ieee80211_ml_reconf_work(struct wiphy *wiphy,
6888	struct wiphy_work *work)
6889	{
6890	struct ieee80211_sub_if_data *sdata =
6891	container_of(work, struct ieee80211_sub_if_data,
6892	u.mgd.ml_reconf_work.work);
6893	u16 new_valid_links, new_active_links, new_dormant_links;
6894	int ret;
6895
6896	if (!sdata->u.mgd.removed_links)
6897	return;
6898
6899	sdata_info(sdata,
6900	"MLO Reconfiguration: work: valid=0x%x, removed=0x%x\n",
6901	sdata->vif.valid_links, sdata->u.mgd.removed_links);
6902
6903	new_valid_links = sdata->vif.valid_links & ~sdata->u.mgd.removed_links;
6904	if (new_valid_links == sdata->vif.valid_links)
6905	return;
6906
6907	if (!new_valid_links ||
6908	!(new_valid_links & ~sdata->vif.dormant_links)) {
6909	sdata_info(sdata, "No valid links after reconfiguration\n");
6910	ret = -EINVAL;
6911	goto out;
6912	}
6913
6914	new_active_links = sdata->vif.active_links & ~sdata->u.mgd.removed_links;
6915	if (new_active_links != sdata->vif.active_links) {
6916	if (!new_active_links)
6917	new_active_links =
6918	BIT(ffs(new_valid_links &
6919	~sdata->vif.dormant_links) - 1);
6920
6921	ret = ieee80211_set_active_links(vif: &sdata->vif, active_links: new_active_links);
6922	if (ret) {
6923	sdata_info(sdata,
6924	"Failed setting active links\n");
6925	goto out;
6926	}
6927	}
6928
6929	new_dormant_links = sdata->vif.dormant_links & ~sdata->u.mgd.removed_links;
6930
6931	ret = ieee80211_vif_set_links(sdata, new_links: new_valid_links,
6932	dormant_links: new_dormant_links);
6933	if (ret)
6934	sdata_info(sdata, "Failed setting valid links\n");
6935
6936	ieee80211_vif_cfg_change_notify(sdata, changed: BSS_CHANGED_MLD_VALID_LINKS);
6937
6938	out:
6939	if (!ret)
6940	cfg80211_links_removed(dev: sdata->dev, link_mask: sdata->u.mgd.removed_links);
6941	else
6942	__ieee80211_disconnect(sdata);
6943
6944	sdata->u.mgd.removed_links = 0;
6945	}
6946
6947	static void ieee80211_ml_reconfiguration(struct ieee80211_sub_if_data *sdata,
6948	struct ieee802_11_elems *elems)
6949	{
6950	const struct element *sub;
6951	unsigned long removed_links = 0;
6952	u16 link_removal_timeout[IEEE80211_MLD_MAX_NUM_LINKS] = {};
6953	u8 link_id;
6954	u32 delay;
6955
6956	if (!ieee80211_vif_is_mld(vif: &sdata->vif) || !elems->ml_reconf)
6957	return;
6958
6959	/* Directly parse the sub elements as the common information doesn't
6960	* hold any useful information.
6961	*/
6962	for_each_mle_subelement(sub, (const u8 *)elems->ml_reconf,
6963	elems->ml_reconf_len) {
6964	struct ieee80211_mle_per_sta_profile *prof = (void *)sub->data;
6965	u8 *pos = prof->variable;
6966	u16 control;
6967
6968	if (sub->id != IEEE80211_MLE_SUBELEM_PER_STA_PROFILE)
6969	continue;
6970
6971	if (!ieee80211_mle_reconf_sta_prof_size_ok(data: sub->data,
6972	len: sub->datalen))
6973	return;
6974
6975	control = le16_to_cpu(prof->control);
6976	link_id = control & IEEE80211_MLE_STA_RECONF_CONTROL_LINK_ID;
6977
6978	removed_links |= BIT(link_id);
6979
6980	/* the MAC address should not be included, but handle it */
6981	if (control &
6982	IEEE80211_MLE_STA_RECONF_CONTROL_STA_MAC_ADDR_PRESENT)
6983	pos += 6;
6984
6985	/* According to Draft P802.11be_D3.0, the control should
6986	* include the AP Removal Timer present. If the AP Removal Timer
6987	* is not present assume immediate removal.
6988	*/
6989	if (control &
6990	IEEE80211_MLE_STA_RECONF_CONTROL_AP_REM_TIMER_PRESENT)
6991	link_removal_timeout[link_id] = get_unaligned_le16(p: pos);
6992	}
6993
6994	removed_links &= sdata->vif.valid_links;
6995	if (!removed_links) {
6996	/* In case the removal was cancelled, abort it */
6997	if (sdata->u.mgd.removed_links) {
6998	sdata->u.mgd.removed_links = 0;
6999	wiphy_hrtimer_work_cancel(wiphy: sdata->local->hw.wiphy,
7000	hrtimer: &sdata->u.mgd.ml_reconf_work);
7001	}
7002	return;
7003	}
7004
7005	delay = 0;
7006	for_each_set_bit(link_id, &removed_links, IEEE80211_MLD_MAX_NUM_LINKS) {
7007	struct ieee80211_bss_conf *link_conf =
7008	sdata_dereference(sdata->vif.link_conf[link_id], sdata);
7009	u32 link_delay;
7010
7011	if (!link_conf) {
7012	removed_links &= ~BIT(link_id);
7013	continue;
7014	}
7015
7016	if (link_removal_timeout[link_id] < 1)
7017	link_delay = 0;
7018	else
7019	link_delay = link_conf->beacon_int *
7020	(link_removal_timeout[link_id] - 1);
7021
7022	if (!delay)
7023	delay = link_delay;
7024	else
7025	delay = min(delay, link_delay);
7026	}
7027
7028	sdata->u.mgd.removed_links = removed_links;
7029	wiphy_hrtimer_work_queue(wiphy: sdata->local->hw.wiphy,
7030	hrwork: &sdata->u.mgd.ml_reconf_work,
7031	delay: us_to_ktime(us: ieee80211_tu_to_usec(tu: delay)));
7032	}
7033
7034	static int ieee80211_ttlm_set_links(struct ieee80211_sub_if_data *sdata,
7035	u16 active_links, u16 dormant_links,
7036	u16 suspended_links)
7037	{
7038	u64 changed = 0;
7039	int ret;
7040
7041	if (!active_links) {
7042	ret = -EINVAL;
7043	goto out;
7044	}
7045
7046	/* If there is an active negotiated TTLM, it should be discarded by
7047	* the new negotiated/advertised TTLM.
7048	*/
7049	if (sdata->vif.neg_ttlm.valid) {
7050	memset(&sdata->vif.neg_ttlm, 0, sizeof(sdata->vif.neg_ttlm));
7051	sdata->vif.suspended_links = 0;
7052	changed = BSS_CHANGED_MLD_TTLM;
7053	}
7054
7055	if (sdata->vif.active_links != active_links) {
7056	/* usable links are affected when active_links are changed,
7057	* so notify the driver about the status change
7058	*/
7059	changed |= BSS_CHANGED_MLD_VALID_LINKS;
7060	active_links &= sdata->vif.active_links;
7061	if (!active_links)
7062	active_links =
7063	BIT(__ffs(sdata->vif.valid_links &
7064	~dormant_links));
7065	ret = ieee80211_set_active_links(vif: &sdata->vif, active_links);
7066	if (ret) {
7067	sdata_info(sdata, "Failed to set TTLM active links\n");
7068	goto out;
7069	}
7070	}
7071
7072	ret = ieee80211_vif_set_links(sdata, new_links: sdata->vif.valid_links,
7073	dormant_links);
7074	if (ret) {
7075	sdata_info(sdata, "Failed to set TTLM dormant links\n");
7076	goto out;
7077	}
7078
7079	sdata->vif.suspended_links = suspended_links;
7080	if (sdata->vif.suspended_links)
7081	changed |= BSS_CHANGED_MLD_TTLM;
7082
7083	ieee80211_vif_cfg_change_notify(sdata, changed);
7084
7085	out:
7086	if (ret)
7087	ieee80211_disconnect(&sdata->vif, false);
7088
7089	return ret;
7090	}
7091
7092	static void ieee80211_tid_to_link_map_work(struct wiphy *wiphy,
7093	struct wiphy_work *work)
7094	{
7095	u16 new_active_links, new_dormant_links;
7096	struct ieee80211_sub_if_data *sdata =
7097	container_of(work, struct ieee80211_sub_if_data,
7098	u.mgd.ttlm_work.work);
7099
7100	new_active_links = sdata->u.mgd.ttlm_info.map &
7101	sdata->vif.valid_links;
7102	new_dormant_links = ~sdata->u.mgd.ttlm_info.map &
7103	sdata->vif.valid_links;
7104
7105	ieee80211_vif_set_links(sdata, new_links: sdata->vif.valid_links, dormant_links: 0);
7106	if (ieee80211_ttlm_set_links(sdata, active_links: new_active_links, dormant_links: new_dormant_links,
7107	suspended_links: 0))
7108	return;
7109
7110	sdata->u.mgd.ttlm_info.active = true;
7111	sdata->u.mgd.ttlm_info.switch_time = 0;
7112	}
7113
7114	static void ieee80211_process_adv_ttlm(struct ieee80211_sub_if_data *sdata,
7115	struct ieee802_11_elems *elems,
7116	u64 beacon_ts)
7117	{
7118	u8 i;
7119	int ret;
7120
7121	if (!ieee80211_vif_is_mld(vif: &sdata->vif))
7122	return;
7123
7124	if (!elems->ttlm_num) {
7125	if (sdata->u.mgd.ttlm_info.switch_time) {
7126	/* if a planned TID-to-link mapping was cancelled -
7127	* abort it
7128	*/
7129	wiphy_hrtimer_work_cancel(wiphy: sdata->local->hw.wiphy,
7130	hrtimer: &sdata->u.mgd.ttlm_work);
7131	} else if (sdata->u.mgd.ttlm_info.active) {
7132	/* if no TID-to-link element, set to default mapping in
7133	* which all TIDs are mapped to all setup links
7134	*/
7135	ret = ieee80211_vif_set_links(sdata,
7136	new_links: sdata->vif.valid_links,
7137	dormant_links: 0);
7138	if (ret) {
7139	sdata_info(sdata, "Failed setting valid/dormant links\n");
7140	return;
7141	}
7142	ieee80211_vif_cfg_change_notify(sdata,
7143	changed: BSS_CHANGED_MLD_VALID_LINKS);
7144	}
7145	memset(&sdata->u.mgd.ttlm_info, 0,
7146	sizeof(sdata->u.mgd.ttlm_info));
7147	return;
7148	}
7149
7150	for (i = 0; i < elems->ttlm_num; i++) {
7151	struct ieee80211_adv_ttlm_info ttlm_info;
7152	u32 res;
7153
7154	res = ieee80211_parse_adv_t2l(sdata, ttlm: elems->ttlm[i],
7155	ttlm_info: &ttlm_info);
7156
7157	if (res) {
7158	__ieee80211_disconnect(sdata);
7159	return;
7160	}
7161
7162	if (ttlm_info.switch_time) {
7163	u16 beacon_ts_tu, st_tu, delay;
7164	u64 delay_usec;
7165	u64 mask;
7166
7167	/* The t2l map switch time is indicated with a partial
7168	* TSF value (bits 10 to 25), get the partial beacon TS
7169	* as well, and calc the delay to the start time.
7170	*/
7171	mask = GENMASK_ULL(25, 10);
7172	beacon_ts_tu = (beacon_ts & mask) >> 10;
7173	st_tu = ttlm_info.switch_time;
7174	delay = st_tu - beacon_ts_tu;
7175
7176	/*
7177	* If the switch time is far in the future, then it
7178	* could also be the previous switch still being
7179	* announced.
7180	* We can simply ignore it for now, if it is a future
7181	* switch the AP will continue to announce it anyway.
7182	*/
7183	if (delay > IEEE80211_ADV_TTLM_ST_UNDERFLOW)
7184	return;
7185
7186	delay_usec = ieee80211_tu_to_usec(tu: delay);
7187
7188	/* Link switching can take time, so schedule it
7189	* 100ms before to be ready on time
7190	*/
7191	if (delay_usec > IEEE80211_ADV_TTLM_SAFETY_BUFFER_MS)
7192	delay_usec -=
7193	IEEE80211_ADV_TTLM_SAFETY_BUFFER_MS;
7194	else
7195	delay_usec = 0;
7196
7197	sdata->u.mgd.ttlm_info = ttlm_info;
7198	wiphy_hrtimer_work_cancel(wiphy: sdata->local->hw.wiphy,
7199	hrtimer: &sdata->u.mgd.ttlm_work);
7200	wiphy_hrtimer_work_queue(wiphy: sdata->local->hw.wiphy,
7201	hrwork: &sdata->u.mgd.ttlm_work,
7202	delay: us_to_ktime(us: delay_usec));
7203	return;
7204	}
7205	}
7206	}
7207
7208	static void
7209	ieee80211_mgd_check_cross_link_csa(struct ieee80211_sub_if_data *sdata,
7210	int reporting_link_id,
7211	struct ieee802_11_elems *elems)
7212	{
7213	const struct element *sta_profiles[IEEE80211_MLD_MAX_NUM_LINKS] = {};
7214	ssize_t sta_profiles_len[IEEE80211_MLD_MAX_NUM_LINKS] = {};
7215	const struct element *sub;
7216	const u8 *subelems;
7217	size_t subelems_len;
7218	u8 common_size;
7219	int link_id;
7220
7221	if (!ieee80211_mle_size_ok(data: (u8 *)elems->ml_basic, len: elems->ml_basic_len))
7222	return;
7223
7224	common_size = ieee80211_mle_common_size(data: (u8 *)elems->ml_basic);
7225	subelems = (u8 *)elems->ml_basic + common_size;
7226	subelems_len = elems->ml_basic_len - common_size;
7227
7228	for_each_element_id(sub, IEEE80211_MLE_SUBELEM_PER_STA_PROFILE,
7229	subelems, subelems_len) {
7230	struct ieee80211_mle_per_sta_profile *prof = (void *)sub->data;
7231	struct ieee80211_link_data *link;
7232	ssize_t len;
7233
7234	if (!ieee80211_mle_basic_sta_prof_size_ok(data: sub->data,
7235	len: sub->datalen))
7236	continue;
7237
7238	link_id = le16_get_bits(v: prof->control,
7239	IEEE80211_MLE_STA_CONTROL_LINK_ID);
7240	/* need a valid link ID, but also not our own, both AP bugs */
7241	if (link_id == reporting_link_id ||
7242	link_id >= IEEE80211_MLD_MAX_NUM_LINKS)
7243	continue;
7244
7245	link = sdata_dereference(sdata->link[link_id], sdata);
7246	if (!link)
7247	continue;
7248
7249	len = cfg80211_defragment_element(elem: sub, ies: subelems, ieslen: subelems_len,
7250	NULL, data_len: 0,
7251	frag_id: IEEE80211_MLE_SUBELEM_FRAGMENT);
7252	if (WARN_ON(len < 0))
7253	continue;
7254
7255	sta_profiles[link_id] = sub;
7256	sta_profiles_len[link_id] = len;
7257	}
7258
7259	for (link_id = 0; link_id < IEEE80211_MLD_MAX_NUM_LINKS; link_id++) {
7260	struct ieee80211_mle_per_sta_profile *prof;
7261	struct ieee802_11_elems *prof_elems;
7262	struct ieee80211_link_data *link;
7263	ssize_t len;
7264
7265	if (link_id == reporting_link_id)
7266	continue;
7267
7268	link = sdata_dereference(sdata->link[link_id], sdata);
7269	if (!link)
7270	continue;
7271
7272	if (!sta_profiles[link_id]) {
7273	prof_elems = NULL;
7274	goto handle;
7275	}
7276
7277	/* we can defragment in-place, won't use the buffer again */
7278	len = cfg80211_defragment_element(elem: sta_profiles[link_id],
7279	ies: subelems, ieslen: subelems_len,
7280	data: (void *)sta_profiles[link_id],
7281	data_len: sta_profiles_len[link_id],
7282	frag_id: IEEE80211_MLE_SUBELEM_FRAGMENT);
7283	if (WARN_ON(len != sta_profiles_len[link_id]))
7284	continue;
7285
7286	prof = (void *)sta_profiles[link_id];
7287	prof_elems = ieee802_11_parse_elems(start: prof->variable +
7288	(prof->sta_info_len - 1),
7289	len: len -
7290	(prof->sta_info_len - 1),
7291	IEEE80211_FTYPE_MGMT |
7292	IEEE80211_STYPE_BEACON,
7293	NULL);
7294
7295	/* memory allocation failed - let's hope that's transient */
7296	if (!prof_elems)
7297	continue;
7298
7299	handle:
7300	/*
7301	* FIXME: the timings here are obviously incorrect,
7302	* but only older Intel drivers seem to care, and
7303	* those don't have MLO. If you really need this,
7304	* the problem is having to calculate it with the
7305	* TSF offset etc. The device_timestamp is still
7306	* correct, of course.
7307	*/
7308	ieee80211_sta_process_chanswitch(link, timestamp: 0, device_timestamp: 0, full_elems: elems, csa_elems: prof_elems,
7309	source: IEEE80211_CSA_SOURCE_OTHER_LINK);
7310	kfree(objp: prof_elems);
7311	}
7312	}
7313
7314	static bool ieee80211_mgd_ssid_mismatch(struct ieee80211_sub_if_data *sdata,
7315	const struct ieee802_11_elems *elems)
7316	{
7317	struct ieee80211_vif_cfg *cfg = &sdata->vif.cfg;
7318	static u8 zero_ssid[IEEE80211_MAX_SSID_LEN];
7319
7320	if (!elems->ssid)
7321	return false;
7322
7323	/* hidden SSID: zero length */
7324	if (elems->ssid_len == 0)
7325	return false;
7326
7327	if (elems->ssid_len != cfg->ssid_len)
7328	return true;
7329
7330	/* hidden SSID: zeroed out */
7331	if (!memcmp(p: elems->ssid, q: zero_ssid, size: elems->ssid_len))
7332	return false;
7333
7334	return memcmp(p: elems->ssid, q: cfg->ssid, size: cfg->ssid_len);
7335	}
7336
7337	static bool
7338	ieee80211_rx_beacon_freq_valid(struct ieee80211_local *local,
7339	struct ieee80211_mgmt *mgmt,
7340	struct ieee80211_rx_status *rx_status,
7341	struct ieee80211_chanctx_conf *chanctx)
7342	{
7343	u32 pri_2mhz_khz;
7344	struct ieee80211_channel *s1g_sibling_1mhz;
7345	u32 pri_khz = ieee80211_channel_to_khz(chan: chanctx->def.chan);
7346	u32 rx_khz = ieee80211_rx_status_to_khz(rx_status);
7347
7348	if (rx_khz == pri_khz)
7349	return true;
7350
7351	if (!chanctx->def.s1g_primary_2mhz)
7352	return false;
7353
7354	/*
7355	* If we have an S1G interface with a 2MHz primary, beacons are
7356	* sent on the center frequency of the 2MHz primary. Find the sibling
7357	* 1MHz channel and calculate the 2MHz primary center frequency.
7358	*/
7359	s1g_sibling_1mhz = cfg80211_s1g_get_primary_sibling(wiphy: local->hw.wiphy,
7360	chandef: &chanctx->def);
7361	if (!s1g_sibling_1mhz)
7362	return false;
7363
7364	pri_2mhz_khz =
7365	(pri_khz + ieee80211_channel_to_khz(chan: s1g_sibling_1mhz)) / 2;
7366	return rx_khz == pri_2mhz_khz;
7367	}
7368
7369	static void ieee80211_rx_mgmt_beacon(struct ieee80211_link_data *link,
7370	struct ieee80211_hdr *hdr, size_t len,
7371	struct ieee80211_rx_status *rx_status)
7372	{
7373	struct ieee80211_sub_if_data *sdata = link->sdata;
7374	struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
7375	struct ieee80211_bss_conf *bss_conf = link->conf;
7376	struct ieee80211_vif_cfg *vif_cfg = &sdata->vif.cfg;
7377	struct ieee80211_mgmt *mgmt = (void *) hdr;
7378	struct ieee80211_ext *ext = NULL;
7379	size_t baselen;
7380	struct ieee802_11_elems *elems;
7381	struct ieee80211_local *local = sdata->local;
7382	struct ieee80211_chanctx_conf *chanctx_conf;
7383	struct ieee80211_supported_band *sband;
7384	struct ieee80211_channel *chan;
7385	struct link_sta_info *link_sta;
7386	struct sta_info *sta;
7387	u64 changed = 0;
7388	bool erp_valid;
7389	u8 erp_value = 0;
7390	u32 ncrc = 0;
7391	u8 *bssid, *variable = mgmt->u.beacon.variable;
7392	u8 deauth_buf[IEEE80211_DEAUTH_FRAME_LEN];
7393	struct ieee80211_elems_parse_params parse_params = {
7394	.mode = link->u.mgd.conn.mode,
7395	.link_id = -1,
7396	.from_ap = true,
7397	.type = le16_to_cpu(mgmt->frame_control) & IEEE80211_FCTL_TYPE,
7398	};
7399
7400	lockdep_assert_wiphy(local->hw.wiphy);
7401
7402	/* Process beacon from the current BSS */
7403	bssid = ieee80211_get_bssid(hdr, len, type: sdata->vif.type);
7404	if (ieee80211_is_s1g_beacon(fc: mgmt->frame_control)) {
7405	ext = (void *)mgmt;
7406	variable = ext->u.s1g_beacon.variable +
7407	ieee80211_s1g_optional_len(fc: ext->frame_control);
7408	}
7409
7410	baselen = (u8 *) variable - (u8 *) mgmt;
7411	if (baselen > len)
7412	return;
7413
7414	parse_params.start = variable;
7415	parse_params.len = len - baselen;
7416
7417	rcu_read_lock();
7418	chanctx_conf = rcu_dereference(bss_conf->chanctx_conf);
7419	if (!chanctx_conf) {
7420	rcu_read_unlock();
7421	return;
7422	}
7423
7424	if (!ieee80211_rx_beacon_freq_valid(local, mgmt, rx_status,
7425	chanctx: chanctx_conf)) {
7426	rcu_read_unlock();
7427	return;
7428	}
7429	chan = chanctx_conf->def.chan;
7430	rcu_read_unlock();
7431
7432	if (ifmgd->assoc_data && ifmgd->assoc_data->need_beacon &&
7433	!WARN_ON(ieee80211_vif_is_mld(&sdata->vif)) &&
7434	ieee80211_rx_our_beacon(tx_bssid: bssid, bss: ifmgd->assoc_data->link[0].bss)) {
7435	parse_params.bss = ifmgd->assoc_data->link[0].bss;
7436	elems = ieee802_11_parse_elems_full(params: &parse_params);
7437	if (!elems)
7438	return;
7439
7440	ieee80211_rx_bss_info(link, mgmt, len, rx_status);
7441
7442	if (elems->dtim_period)
7443	link->u.mgd.dtim_period = elems->dtim_period;
7444	link->u.mgd.have_beacon = true;
7445	ifmgd->assoc_data->need_beacon = false;
7446	if (ieee80211_hw_check(&local->hw, TIMING_BEACON_ONLY) &&
7447	!ieee80211_is_s1g_beacon(fc: hdr->frame_control)) {
7448	bss_conf->sync_tsf =
7449	le64_to_cpu(mgmt->u.beacon.timestamp);
7450	bss_conf->sync_device_ts =
7451	rx_status->device_timestamp;
7452	bss_conf->sync_dtim_count = elems->dtim_count;
7453	}
7454
7455	if (elems->mbssid_config_ie)
7456	bss_conf->profile_periodicity =
7457	elems->mbssid_config_ie->profile_periodicity;
7458	else
7459	bss_conf->profile_periodicity = 0;
7460
7461	if (elems->ext_capab_len >= 11 &&
7462	(elems->ext_capab[10] & WLAN_EXT_CAPA11_EMA_SUPPORT))
7463	bss_conf->ema_ap = true;
7464	else
7465	bss_conf->ema_ap = false;
7466
7467	/* continue assoc process */
7468	ifmgd->assoc_data->timeout = jiffies;
7469	ifmgd->assoc_data->timeout_started = true;
7470	run_again(sdata, timeout: ifmgd->assoc_data->timeout);
7471	kfree(objp: elems);
7472	return;
7473	}
7474
7475	if (!ifmgd->associated ||
7476	!ieee80211_rx_our_beacon(tx_bssid: bssid, bss: bss_conf->bss))
7477	return;
7478	bssid = link->u.mgd.bssid;
7479
7480	if (!(rx_status->flag & RX_FLAG_NO_SIGNAL_VAL))
7481	ieee80211_handle_beacon_sig(link, ifmgd, bss_conf,
7482	local, rx_status);
7483
7484	if (ifmgd->flags & IEEE80211_STA_CONNECTION_POLL) {
7485	mlme_dbg_ratelimited(sdata,
7486	"cancelling AP probe due to a received beacon\n");
7487	ieee80211_reset_ap_probe(sdata);
7488	}
7489
7490	/*
7491	* Push the beacon loss detection into the future since
7492	* we are processing a beacon from the AP just now.
7493	*/
7494	ieee80211_sta_reset_beacon_monitor(sdata);
7495
7496	/* TODO: CRC urrently not calculated on S1G Beacon Compatibility
7497	* element (which carries the beacon interval). Don't forget to add a
7498	* bit to care_about_ies[] above if mac80211 is interested in a
7499	* changing S1G element.
7500	*/
7501	if (!ieee80211_is_s1g_beacon(fc: hdr->frame_control))
7502	ncrc = crc32_be(crc: 0, p: (void *)&mgmt->u.beacon.beacon_int, len: 4);
7503	parse_params.bss = bss_conf->bss;
7504	parse_params.filter = care_about_ies;
7505	parse_params.crc = ncrc;
7506	elems = ieee802_11_parse_elems_full(params: &parse_params);
7507	if (!elems)
7508	return;
7509
7510	if (rx_status->flag & RX_FLAG_DECRYPTED &&
7511	ieee80211_mgd_ssid_mismatch(sdata, elems)) {
7512	sdata_info(sdata, "SSID mismatch for AP %pM, disconnect\n",
7513	sdata->vif.cfg.ap_addr);
7514	__ieee80211_disconnect(sdata);
7515	return;
7516	}
7517
7518	ncrc = elems->crc;
7519
7520	if (ieee80211_hw_check(&local->hw, PS_NULLFUNC_STACK) &&
7521	ieee80211_check_tim(tim: elems->tim, tim_len: elems->tim_len, aid: vif_cfg->aid,
7522	s1g: vif_cfg->s1g)) {
7523	if (local->hw.conf.dynamic_ps_timeout > 0) {
7524	if (local->hw.conf.flags & IEEE80211_CONF_PS) {
7525	local->hw.conf.flags &= ~IEEE80211_CONF_PS;
7526	ieee80211_hw_config(local, radio_idx: -1,
7527	changed: IEEE80211_CONF_CHANGE_PS);
7528	}
7529	ieee80211_send_nullfunc(local, sdata, powersave: false);
7530	} else if (!local->pspolling && sdata->u.mgd.powersave) {
7531	local->pspolling = true;
7532
7533	/*
7534	* Here is assumed that the driver will be
7535	* able to send ps-poll frame and receive a
7536	* response even though power save mode is
7537	* enabled, but some drivers might require
7538	* to disable power save here. This needs
7539	* to be investigated.
7540	*/
7541	ieee80211_send_pspoll(local, sdata);
7542	}
7543	}
7544
7545	if (sdata->vif.p2p ||
7546	sdata->vif.driver_flags & IEEE80211_VIF_GET_NOA_UPDATE) {
7547	struct ieee80211_p2p_noa_attr noa = {};
7548	int ret;
7549
7550	ret = cfg80211_get_p2p_attr(ies: variable,
7551	len: len - baselen,
7552	attr: IEEE80211_P2P_ATTR_ABSENCE_NOTICE,
7553	buf: (u8 *) &noa, bufsize: sizeof(noa));
7554	if (ret >= 2) {
7555	if (link->u.mgd.p2p_noa_index != noa.index) {
7556	/* valid noa_attr and index changed */
7557	link->u.mgd.p2p_noa_index = noa.index;
7558	memcpy(&bss_conf->p2p_noa_attr, &noa, sizeof(noa));
7559	changed |= BSS_CHANGED_P2P_PS;
7560	/*
7561	* make sure we update all information, the CRC
7562	* mechanism doesn't look at P2P attributes.
7563	*/
7564	link->u.mgd.beacon_crc_valid = false;
7565	}
7566	} else if (link->u.mgd.p2p_noa_index != -1) {
7567	/* noa_attr not found and we had valid noa_attr before */
7568	link->u.mgd.p2p_noa_index = -1;
7569	memset(&bss_conf->p2p_noa_attr, 0, sizeof(bss_conf->p2p_noa_attr));
7570	changed |= BSS_CHANGED_P2P_PS;
7571	link->u.mgd.beacon_crc_valid = false;
7572	}
7573	}
7574
7575	/*
7576	* Update beacon timing and dtim count on every beacon appearance. This
7577	* will allow the driver to use the most updated values. Do it before
7578	* comparing this one with last received beacon.
7579	* IMPORTANT: These parameters would possibly be out of sync by the time
7580	* the driver will use them. The synchronized view is currently
7581	* guaranteed only in certain callbacks.
7582	*/
7583	if (ieee80211_hw_check(&local->hw, TIMING_BEACON_ONLY) &&
7584	!ieee80211_is_s1g_beacon(fc: hdr->frame_control)) {
7585	bss_conf->sync_tsf =
7586	le64_to_cpu(mgmt->u.beacon.timestamp);
7587	bss_conf->sync_device_ts =
7588	rx_status->device_timestamp;
7589	bss_conf->sync_dtim_count = elems->dtim_count;
7590	}
7591
7592	if ((ncrc == link->u.mgd.beacon_crc && link->u.mgd.beacon_crc_valid) ||
7593	(ext && ieee80211_is_s1g_short_beacon(fc: ext->frame_control,
7594	variable: parse_params.start,
7595	variable_len: parse_params.len)))
7596	goto free;
7597	link->u.mgd.beacon_crc = ncrc;
7598	link->u.mgd.beacon_crc_valid = true;
7599
7600	ieee80211_rx_bss_info(link, mgmt, len, rx_status);
7601
7602	ieee80211_sta_process_chanswitch(link, timestamp: rx_status->mactime,
7603	device_timestamp: rx_status->device_timestamp,
7604	full_elems: elems, csa_elems: elems,
7605	source: IEEE80211_CSA_SOURCE_BEACON);
7606
7607	/* note that after this elems->ml_basic can no longer be used fully */
7608	ieee80211_mgd_check_cross_link_csa(sdata, reporting_link_id: rx_status->link_id, elems);
7609
7610	ieee80211_mgd_update_bss_param_ch_cnt(sdata, bss_conf, elems);
7611
7612	if (!sdata->u.mgd.epcs.enabled &&
7613	!link->u.mgd.disable_wmm_tracking &&
7614	ieee80211_sta_wmm_params(local, link, wmm_param: elems->wmm_param,
7615	wmm_param_len: elems->wmm_param_len,
7616	mu_edca: elems->mu_edca_param_set))
7617	changed |= BSS_CHANGED_QOS;
7618
7619	/*
7620	* If we haven't had a beacon before, tell the driver about the
7621	* DTIM period (and beacon timing if desired) now.
7622	*/
7623	if (!link->u.mgd.have_beacon) {
7624	/* a few bogus AP send dtim_period = 0 or no TIM IE */
7625	bss_conf->dtim_period = elems->dtim_period ?: 1;
7626
7627	changed |= BSS_CHANGED_BEACON_INFO;
7628	link->u.mgd.have_beacon = true;
7629
7630	ieee80211_recalc_ps(local);
7631
7632	ieee80211_recalc_ps_vif(sdata);
7633	}
7634
7635	if (elems->erp_info) {
7636	erp_valid = true;
7637	erp_value = elems->erp_info[0];
7638	} else {
7639	erp_valid = false;
7640	}
7641
7642	if (!ieee80211_is_s1g_beacon(fc: hdr->frame_control))
7643	changed |= ieee80211_handle_bss_capability(link,
7644	le16_to_cpu(mgmt->u.beacon.capab_info),
7645	erp_valid, erp: erp_value);
7646
7647	sta = sta_info_get(sdata, addr: sdata->vif.cfg.ap_addr);
7648	if (WARN_ON(!sta)) {
7649	goto free;
7650	}
7651	link_sta = rcu_dereference_protected(sta->link[link->link_id],
7652	lockdep_is_held(&local->hw.wiphy->mtx));
7653	if (WARN_ON(!link_sta)) {
7654	goto free;
7655	}
7656
7657	if (WARN_ON(!bss_conf->chanreq.oper.chan))
7658	goto free;
7659
7660	sband = local->hw.wiphy->bands[bss_conf->chanreq.oper.chan->band];
7661
7662	changed |= ieee80211_recalc_twt_req(sdata, sband, link, link_sta, elems);
7663
7664	if (ieee80211_config_bw(link, elems, update: true, changed: &changed,
7665	IEEE80211_STYPE_BEACON)) {
7666	ieee80211_set_disassoc(sdata, IEEE80211_STYPE_DEAUTH,
7667	reason: WLAN_REASON_DEAUTH_LEAVING,
7668	tx: true, frame_buf: deauth_buf);
7669	ieee80211_report_disconnect(sdata, buf: deauth_buf,
7670	len: sizeof(deauth_buf), tx: true,
7671	reason: WLAN_REASON_DEAUTH_LEAVING,
7672	reconnect: false);
7673	goto free;
7674	}
7675
7676	if (elems->opmode_notif)
7677	ieee80211_vht_handle_opmode(sdata, sta: link_sta,
7678	opmode: *elems->opmode_notif,
7679	band: rx_status->band);
7680
7681	changed |= ieee80211_handle_pwr_constr(link, channel: chan, mgmt,
7682	country_ie: elems->country_elem,
7683	country_ie_len: elems->country_elem_len,
7684	pwr_constr_ie: elems->pwr_constr_elem,
7685	cisco_dtpc_ie: elems->cisco_dtpc_elem);
7686
7687	ieee80211_ml_reconfiguration(sdata, elems);
7688	ieee80211_process_adv_ttlm(sdata, elems,
7689	le64_to_cpu(mgmt->u.beacon.timestamp));
7690
7691	ieee80211_link_info_change_notify(sdata, link, changed);
7692	free:
7693	kfree(objp: elems);
7694	}
7695
7696	static void ieee80211_apply_neg_ttlm(struct ieee80211_sub_if_data *sdata,
7697	struct ieee80211_neg_ttlm neg_ttlm)
7698	{
7699	u16 new_active_links, new_dormant_links, new_suspended_links, map = 0;
7700	u8 i;
7701
7702	for (i = 0; i < IEEE80211_TTLM_NUM_TIDS; i++)
7703	map |= neg_ttlm.downlink[i] | neg_ttlm.uplink[i];
7704
7705	/* If there is an active TTLM, unset previously suspended links */
7706	if (sdata->vif.neg_ttlm.valid)
7707	sdata->vif.dormant_links &= ~sdata->vif.suspended_links;
7708
7709	/* exclude links that are already disabled by advertised TTLM */
7710	new_active_links =
7711	map & sdata->vif.valid_links & ~sdata->vif.dormant_links;
7712	new_suspended_links =
7713	(~map & sdata->vif.valid_links) & ~sdata->vif.dormant_links;
7714	new_dormant_links = sdata->vif.dormant_links | new_suspended_links;
7715	if (ieee80211_ttlm_set_links(sdata, active_links: new_active_links,
7716	dormant_links: new_dormant_links, suspended_links: new_suspended_links))
7717	return;
7718
7719	sdata->vif.neg_ttlm = neg_ttlm;
7720	sdata->vif.neg_ttlm.valid = true;
7721	}
7722
7723	static void ieee80211_neg_ttlm_timeout_work(struct wiphy *wiphy,
7724	struct wiphy_work *work)
7725	{
7726	struct ieee80211_sub_if_data *sdata =
7727	container_of(work, struct ieee80211_sub_if_data,
7728	u.mgd.neg_ttlm_timeout_work.work);
7729
7730	sdata_info(sdata,
7731	"No negotiated TTLM response from AP, disconnecting.\n");
7732
7733	__ieee80211_disconnect(sdata);
7734	}
7735
7736	static void
7737	ieee80211_neg_ttlm_add_suggested_map(struct sk_buff *skb,
7738	struct ieee80211_neg_ttlm *neg_ttlm)
7739	{
7740	u8 i, direction[IEEE80211_TTLM_MAX_CNT];
7741
7742	if (memcmp(p: neg_ttlm->downlink, q: neg_ttlm->uplink,
7743	size: sizeof(neg_ttlm->downlink))) {
7744	direction[0] = IEEE80211_TTLM_DIRECTION_DOWN;
7745	direction[1] = IEEE80211_TTLM_DIRECTION_UP;
7746	} else {
7747	direction[0] = IEEE80211_TTLM_DIRECTION_BOTH;
7748	}
7749
7750	for (i = 0; i < ARRAY_SIZE(direction); i++) {
7751	u8 tid, len, map_ind = 0, *len_pos, *map_ind_pos, *pos;
7752	__le16 map;
7753
7754	len = sizeof(struct ieee80211_ttlm_elem) + 1 + 1;
7755
7756	pos = skb_put(skb, len: len + 2);
7757	*pos++ = WLAN_EID_EXTENSION;
7758	len_pos = pos++;
7759	*pos++ = WLAN_EID_EXT_TID_TO_LINK_MAPPING;
7760	*pos++ = direction[i];
7761	map_ind_pos = pos++;
7762	for (tid = 0; tid < IEEE80211_TTLM_NUM_TIDS; tid++) {
7763	map = direction[i] == IEEE80211_TTLM_DIRECTION_UP ?
7764	cpu_to_le16(neg_ttlm->uplink[tid]) :
7765	cpu_to_le16(neg_ttlm->downlink[tid]);
7766	if (!map)
7767	continue;
7768
7769	len += 2;
7770	map_ind |= BIT(tid);
7771	skb_put_data(skb, data: &map, len: sizeof(map));
7772	}
7773
7774	*map_ind_pos = map_ind;
7775	*len_pos = len;
7776
7777	if (direction[i] == IEEE80211_TTLM_DIRECTION_BOTH)
7778	break;
7779	}
7780	}
7781
7782	static void
7783	ieee80211_send_neg_ttlm_req(struct ieee80211_sub_if_data *sdata,
7784	struct ieee80211_neg_ttlm *neg_ttlm,
7785	u8 dialog_token)
7786	{
7787	struct ieee80211_local *local = sdata->local;
7788	struct ieee80211_mgmt *mgmt;
7789	struct sk_buff *skb;
7790	int hdr_len = offsetofend(struct ieee80211_mgmt, u.action.u.ttlm_req);
7791	int ttlm_max_len = 2 + 1 + sizeof(struct ieee80211_ttlm_elem) + 1 +
7792	2 * 2 * IEEE80211_TTLM_NUM_TIDS;
7793
7794	skb = dev_alloc_skb(length: local->tx_headroom + hdr_len + ttlm_max_len);
7795	if (!skb)
7796	return;
7797
7798	skb_reserve(skb, len: local->tx_headroom);
7799	mgmt = skb_put_zero(skb, len: hdr_len);
7800	mgmt->frame_control = cpu_to_le16(IEEE80211_FTYPE_MGMT |
7801	IEEE80211_STYPE_ACTION);
7802	memcpy(mgmt->da, sdata->vif.cfg.ap_addr, ETH_ALEN);
7803	memcpy(mgmt->sa, sdata->vif.addr, ETH_ALEN);
7804	memcpy(mgmt->bssid, sdata->vif.cfg.ap_addr, ETH_ALEN);
7805
7806	mgmt->u.action.category = WLAN_CATEGORY_PROTECTED_EHT;
7807	mgmt->u.action.u.ttlm_req.action_code =
7808	WLAN_PROTECTED_EHT_ACTION_TTLM_REQ;
7809	mgmt->u.action.u.ttlm_req.dialog_token = dialog_token;
7810	ieee80211_neg_ttlm_add_suggested_map(skb, neg_ttlm);
7811	ieee80211_tx_skb(sdata, skb);
7812	}
7813
7814	int ieee80211_req_neg_ttlm(struct ieee80211_sub_if_data *sdata,
7815	struct cfg80211_ttlm_params *params)
7816	{
7817	struct ieee80211_neg_ttlm neg_ttlm = {};
7818	u8 i;
7819
7820	if (!ieee80211_vif_is_mld(vif: &sdata->vif) ||
7821	!(sdata->vif.cfg.mld_capa_op &
7822	IEEE80211_MLD_CAP_OP_TID_TO_LINK_MAP_NEG_SUPP))
7823	return -EINVAL;
7824
7825	for (i = 0; i < IEEE80211_TTLM_NUM_TIDS; i++) {
7826	if ((params->dlink[i] & ~sdata->vif.valid_links) ||
7827	(params->ulink[i] & ~sdata->vif.valid_links))
7828	return -EINVAL;
7829
7830	neg_ttlm.downlink[i] = params->dlink[i];
7831	neg_ttlm.uplink[i] = params->ulink[i];
7832	}
7833
7834	if (drv_can_neg_ttlm(local: sdata->local, sdata, neg_ttlm: &neg_ttlm) !=
7835	NEG_TTLM_RES_ACCEPT)
7836	return -EINVAL;
7837
7838	ieee80211_apply_neg_ttlm(sdata, neg_ttlm);
7839	sdata->u.mgd.dialog_token_alloc++;
7840	ieee80211_send_neg_ttlm_req(sdata, neg_ttlm: &sdata->vif.neg_ttlm,
7841	dialog_token: sdata->u.mgd.dialog_token_alloc);
7842	wiphy_delayed_work_cancel(wiphy: sdata->local->hw.wiphy,
7843	dwork: &sdata->u.mgd.neg_ttlm_timeout_work);
7844	wiphy_delayed_work_queue(wiphy: sdata->local->hw.wiphy,
7845	dwork: &sdata->u.mgd.neg_ttlm_timeout_work,
7846	IEEE80211_NEG_TTLM_REQ_TIMEOUT);
7847	return 0;
7848	}
7849
7850	static void
7851	ieee80211_send_neg_ttlm_res(struct ieee80211_sub_if_data *sdata,
7852	enum ieee80211_neg_ttlm_res ttlm_res,
7853	u8 dialog_token,
7854	struct ieee80211_neg_ttlm *neg_ttlm)
7855	{
7856	struct ieee80211_local *local = sdata->local;
7857	struct ieee80211_mgmt *mgmt;
7858	struct sk_buff *skb;
7859	int hdr_len = offsetofend(struct ieee80211_mgmt, u.action.u.ttlm_res);
7860	int ttlm_max_len = 2 + 1 + sizeof(struct ieee80211_ttlm_elem) + 1 +
7861	2 * 2 * IEEE80211_TTLM_NUM_TIDS;
7862	u16 status_code;
7863
7864	skb = dev_alloc_skb(length: local->tx_headroom + hdr_len + ttlm_max_len);
7865	if (!skb)
7866	return;
7867
7868	skb_reserve(skb, len: local->tx_headroom);
7869	mgmt = skb_put_zero(skb, len: hdr_len);
7870	mgmt->frame_control = cpu_to_le16(IEEE80211_FTYPE_MGMT |
7871	IEEE80211_STYPE_ACTION);
7872	memcpy(mgmt->da, sdata->vif.cfg.ap_addr, ETH_ALEN);
7873	memcpy(mgmt->sa, sdata->vif.addr, ETH_ALEN);
7874	memcpy(mgmt->bssid, sdata->vif.cfg.ap_addr, ETH_ALEN);
7875
7876	mgmt->u.action.category = WLAN_CATEGORY_PROTECTED_EHT;
7877	mgmt->u.action.u.ttlm_res.action_code =
7878	WLAN_PROTECTED_EHT_ACTION_TTLM_RES;
7879	mgmt->u.action.u.ttlm_res.dialog_token = dialog_token;
7880	switch (ttlm_res) {
7881	default:
7882	WARN_ON(1);
7883	fallthrough;
7884	case NEG_TTLM_RES_REJECT:
7885	status_code = WLAN_STATUS_DENIED_TID_TO_LINK_MAPPING;
7886	break;
7887	case NEG_TTLM_RES_ACCEPT:
7888	status_code = WLAN_STATUS_SUCCESS;
7889	break;
7890	case NEG_TTLM_RES_SUGGEST_PREFERRED:
7891	status_code = WLAN_STATUS_PREF_TID_TO_LINK_MAPPING_SUGGESTED;
7892	ieee80211_neg_ttlm_add_suggested_map(skb, neg_ttlm);
7893	break;
7894	}
7895
7896	mgmt->u.action.u.ttlm_res.status_code = cpu_to_le16(status_code);
7897	ieee80211_tx_skb(sdata, skb);
7898	}
7899
7900	static int
7901	ieee80211_parse_neg_ttlm(struct ieee80211_sub_if_data *sdata,
7902	const struct ieee80211_ttlm_elem *ttlm,
7903	struct ieee80211_neg_ttlm *neg_ttlm,
7904	u8 *direction)
7905	{
7906	u8 control, link_map_presence, map_size, tid;
7907	u8 *pos;
7908
7909	/* The element size was already validated in
7910	* ieee80211_tid_to_link_map_size_ok()
7911	*/
7912	pos = (void *)ttlm->optional;
7913
7914	control = ttlm->control;
7915
7916	/* mapping switch time and expected duration fields are not expected
7917	* in case of negotiated TTLM
7918	*/
7919	if (control & (IEEE80211_TTLM_CONTROL_SWITCH_TIME_PRESENT |
7920	IEEE80211_TTLM_CONTROL_EXPECTED_DUR_PRESENT)) {
7921	mlme_dbg(sdata,
7922	"Invalid TTLM element in negotiated TTLM request\n");
7923	return -EINVAL;
7924	}
7925
7926	if (control & IEEE80211_TTLM_CONTROL_DEF_LINK_MAP) {
7927	for (tid = 0; tid < IEEE80211_TTLM_NUM_TIDS; tid++) {
7928	neg_ttlm->downlink[tid] = sdata->vif.valid_links;
7929	neg_ttlm->uplink[tid] = sdata->vif.valid_links;
7930	}
7931	*direction = IEEE80211_TTLM_DIRECTION_BOTH;
7932	return 0;
7933	}
7934
7935	*direction = u8_get_bits(v: control, IEEE80211_TTLM_CONTROL_DIRECTION);
7936	if (*direction != IEEE80211_TTLM_DIRECTION_DOWN &&
7937	*direction != IEEE80211_TTLM_DIRECTION_UP &&
7938	*direction != IEEE80211_TTLM_DIRECTION_BOTH)
7939	return -EINVAL;
7940
7941	link_map_presence = *pos;
7942	pos++;
7943
7944	if (control & IEEE80211_TTLM_CONTROL_LINK_MAP_SIZE)
7945	map_size = 1;
7946	else
7947	map_size = 2;
7948
7949	for (tid = 0; tid < IEEE80211_TTLM_NUM_TIDS; tid++) {
7950	u16 map;
7951
7952	if (link_map_presence & BIT(tid)) {
7953	map = ieee80211_get_ttlm(bm_size: map_size, data: pos);
7954	if (!map) {
7955	mlme_dbg(sdata,
7956	"No active links for TID %d", tid);
7957	return -EINVAL;
7958	}
7959	} else {
7960	map = 0;
7961	}
7962
7963	switch (*direction) {
7964	case IEEE80211_TTLM_DIRECTION_BOTH:
7965	neg_ttlm->downlink[tid] = map;
7966	neg_ttlm->uplink[tid] = map;
7967	break;
7968	case IEEE80211_TTLM_DIRECTION_DOWN:
7969	neg_ttlm->downlink[tid] = map;
7970	break;
7971	case IEEE80211_TTLM_DIRECTION_UP:
7972	neg_ttlm->uplink[tid] = map;
7973	break;
7974	default:
7975	return -EINVAL;
7976	}
7977	pos += map_size;
7978	}
7979	return 0;
7980	}
7981
7982	void ieee80211_process_neg_ttlm_req(struct ieee80211_sub_if_data *sdata,
7983	struct ieee80211_mgmt *mgmt, size_t len)
7984	{
7985	u8 dialog_token, direction[IEEE80211_TTLM_MAX_CNT] = {}, i;
7986	size_t ies_len;
7987	enum ieee80211_neg_ttlm_res ttlm_res = NEG_TTLM_RES_ACCEPT;
7988	struct ieee802_11_elems *elems = NULL;
7989	struct ieee80211_neg_ttlm neg_ttlm = {};
7990
7991	BUILD_BUG_ON(ARRAY_SIZE(direction) != ARRAY_SIZE(elems->ttlm));
7992
7993	if (!ieee80211_vif_is_mld(vif: &sdata->vif))
7994	return;
7995
7996	dialog_token = mgmt->u.action.u.ttlm_req.dialog_token;
7997	ies_len = len - offsetof(struct ieee80211_mgmt,
7998	u.action.u.ttlm_req.variable);
7999	elems = ieee802_11_parse_elems(start: mgmt->u.action.u.ttlm_req.variable,
8000	len: ies_len,
8001	IEEE80211_FTYPE_MGMT |
8002	IEEE80211_STYPE_ACTION,
8003	NULL);
8004	if (!elems) {
8005	ttlm_res = NEG_TTLM_RES_REJECT;
8006	goto out;
8007	}
8008
8009	for (i = 0; i < elems->ttlm_num; i++) {
8010	if (ieee80211_parse_neg_ttlm(sdata, ttlm: elems->ttlm[i],
8011	neg_ttlm: &neg_ttlm, direction: &direction[i]) ||
8012	(direction[i] == IEEE80211_TTLM_DIRECTION_BOTH &&
8013	elems->ttlm_num != 1)) {
8014	ttlm_res = NEG_TTLM_RES_REJECT;
8015	goto out;
8016	}
8017	}
8018
8019	if (!elems->ttlm_num ||
8020	(elems->ttlm_num == 2 && direction[0] == direction[1])) {
8021	ttlm_res = NEG_TTLM_RES_REJECT;
8022	goto out;
8023	}
8024
8025	for (i = 0; i < IEEE80211_TTLM_NUM_TIDS; i++) {
8026	if ((neg_ttlm.downlink[i] &&
8027	(neg_ttlm.downlink[i] & ~sdata->vif.valid_links)) ||
8028	(neg_ttlm.uplink[i] &&
8029	(neg_ttlm.uplink[i] & ~sdata->vif.valid_links))) {
8030	ttlm_res = NEG_TTLM_RES_REJECT;
8031	goto out;
8032	}
8033	}
8034
8035	ttlm_res = drv_can_neg_ttlm(local: sdata->local, sdata, neg_ttlm: &neg_ttlm);
8036
8037	if (ttlm_res != NEG_TTLM_RES_ACCEPT)
8038	goto out;
8039
8040	ieee80211_apply_neg_ttlm(sdata, neg_ttlm);
8041	out:
8042	kfree(objp: elems);
8043	ieee80211_send_neg_ttlm_res(sdata, ttlm_res, dialog_token, neg_ttlm: &neg_ttlm);
8044	}
8045
8046	void ieee80211_process_neg_ttlm_res(struct ieee80211_sub_if_data *sdata,
8047	struct ieee80211_mgmt *mgmt, size_t len)
8048	{
8049	if (!ieee80211_vif_is_mld(vif: &sdata->vif) ||
8050	mgmt->u.action.u.ttlm_req.dialog_token !=
8051	sdata->u.mgd.dialog_token_alloc)
8052	return;
8053
8054	wiphy_delayed_work_cancel(wiphy: sdata->local->hw.wiphy,
8055	dwork: &sdata->u.mgd.neg_ttlm_timeout_work);
8056
8057	/* MLD station sends a TID to link mapping request, mainly to handle
8058	* BTM (BSS transition management) request, in which case it needs to
8059	* restrict the active links set.
8060	* In this case it's not expected that the MLD AP will reject the
8061	* negotiated TTLM request.
8062	* This can be better implemented in the future, to handle request
8063	* rejections.
8064	*/
8065	if (le16_to_cpu(mgmt->u.action.u.ttlm_res.status_code) != WLAN_STATUS_SUCCESS)
8066	__ieee80211_disconnect(sdata);
8067	}
8068
8069	void ieee80211_process_ttlm_teardown(struct ieee80211_sub_if_data *sdata)
8070	{
8071	u16 new_dormant_links;
8072
8073	if (!sdata->vif.neg_ttlm.valid)
8074	return;
8075
8076	memset(&sdata->vif.neg_ttlm, 0, sizeof(sdata->vif.neg_ttlm));
8077	new_dormant_links =
8078	sdata->vif.dormant_links & ~sdata->vif.suspended_links;
8079	sdata->vif.suspended_links = 0;
8080	ieee80211_vif_set_links(sdata, new_links: sdata->vif.valid_links,
8081	dormant_links: new_dormant_links);
8082	ieee80211_vif_cfg_change_notify(sdata, changed: BSS_CHANGED_MLD_TTLM |
8083	BSS_CHANGED_MLD_VALID_LINKS);
8084	}
8085
8086	static void ieee80211_teardown_ttlm_work(struct wiphy *wiphy,
8087	struct wiphy_work *work)
8088	{
8089	struct ieee80211_sub_if_data *sdata =
8090	container_of(work, struct ieee80211_sub_if_data,
8091	u.mgd.teardown_ttlm_work);
8092
8093	ieee80211_process_ttlm_teardown(sdata);
8094	}
8095
8096	void ieee80211_send_teardown_neg_ttlm(struct ieee80211_vif *vif)
8097	{
8098	struct ieee80211_sub_if_data *sdata = vif_to_sdata(p: vif);
8099	struct ieee80211_local *local = sdata->local;
8100	struct ieee80211_mgmt *mgmt;
8101	struct sk_buff *skb;
8102	int frame_len = offsetofend(struct ieee80211_mgmt,
8103	u.action.u.ttlm_tear_down);
8104	struct ieee80211_tx_info *info;
8105
8106	skb = dev_alloc_skb(length: local->hw.extra_tx_headroom + frame_len);
8107	if (!skb)
8108	return;
8109
8110	skb_reserve(skb, len: local->hw.extra_tx_headroom);
8111	mgmt = skb_put_zero(skb, len: frame_len);
8112	mgmt->frame_control = cpu_to_le16(IEEE80211_FTYPE_MGMT |
8113	IEEE80211_STYPE_ACTION);
8114	memcpy(mgmt->da, sdata->vif.cfg.ap_addr, ETH_ALEN);
8115	memcpy(mgmt->sa, sdata->vif.addr, ETH_ALEN);
8116	memcpy(mgmt->bssid, sdata->vif.cfg.ap_addr, ETH_ALEN);
8117
8118	mgmt->u.action.category = WLAN_CATEGORY_PROTECTED_EHT;
8119	mgmt->u.action.u.ttlm_tear_down.action_code =
8120	WLAN_PROTECTED_EHT_ACTION_TTLM_TEARDOWN;
8121
8122	info = IEEE80211_SKB_CB(skb);
8123	info->flags |= IEEE80211_TX_CTL_REQ_TX_STATUS;
8124	info->status_data = IEEE80211_STATUS_TYPE_NEG_TTLM;
8125	ieee80211_tx_skb(sdata, skb);
8126	}
8127	EXPORT_SYMBOL(ieee80211_send_teardown_neg_ttlm);
8128
8129	void ieee80211_sta_rx_queued_ext(struct ieee80211_sub_if_data *sdata,
8130	struct sk_buff *skb)
8131	{
8132	struct ieee80211_link_data *link = &sdata->deflink;
8133	struct ieee80211_rx_status *rx_status;
8134	struct ieee80211_hdr *hdr;
8135	u16 fc;
8136
8137	lockdep_assert_wiphy(sdata->local->hw.wiphy);
8138
8139	rx_status = (struct ieee80211_rx_status *) skb->cb;
8140	hdr = (struct ieee80211_hdr *) skb->data;
8141	fc = le16_to_cpu(hdr->frame_control);
8142
8143	switch (fc & IEEE80211_FCTL_STYPE) {
8144	case IEEE80211_STYPE_S1G_BEACON:
8145	ieee80211_rx_mgmt_beacon(link, hdr, len: skb->len, rx_status);
8146	break;
8147	}
8148	}
8149
8150	void ieee80211_sta_rx_queued_mgmt(struct ieee80211_sub_if_data *sdata,
8151	struct sk_buff *skb)
8152	{
8153	struct ieee80211_link_data *link = &sdata->deflink;
8154	struct ieee80211_rx_status *rx_status;
8155	struct ieee802_11_elems *elems;
8156	struct ieee80211_mgmt *mgmt;
8157	u16 fc;
8158	int ies_len;
8159
8160	lockdep_assert_wiphy(sdata->local->hw.wiphy);
8161
8162	rx_status = (struct ieee80211_rx_status *) skb->cb;
8163	mgmt = (struct ieee80211_mgmt *) skb->data;
8164	fc = le16_to_cpu(mgmt->frame_control);
8165
8166	if (rx_status->link_valid) {
8167	link = sdata_dereference(sdata->link[rx_status->link_id],
8168	sdata);
8169	if (!link)
8170	return;
8171	}
8172
8173	switch (fc & IEEE80211_FCTL_STYPE) {
8174	case IEEE80211_STYPE_BEACON:
8175	ieee80211_rx_mgmt_beacon(link, hdr: (void *)mgmt,
8176	len: skb->len, rx_status);
8177	break;
8178	case IEEE80211_STYPE_PROBE_RESP:
8179	ieee80211_rx_mgmt_probe_resp(link, skb);
8180	break;
8181	case IEEE80211_STYPE_AUTH:
8182	ieee80211_rx_mgmt_auth(sdata, mgmt, len: skb->len);
8183	break;
8184	case IEEE80211_STYPE_DEAUTH:
8185	ieee80211_rx_mgmt_deauth(sdata, mgmt, len: skb->len);
8186	break;
8187	case IEEE80211_STYPE_DISASSOC:
8188	ieee80211_rx_mgmt_disassoc(sdata, mgmt, len: skb->len);
8189	break;
8190	case IEEE80211_STYPE_ASSOC_RESP:
8191	case IEEE80211_STYPE_REASSOC_RESP:
8192	ieee80211_rx_mgmt_assoc_resp(sdata, mgmt, len: skb->len);
8193	break;
8194	case IEEE80211_STYPE_ACTION:
8195	if (!sdata->u.mgd.associated ||
8196	!ether_addr_equal(addr1: mgmt->bssid, addr2: sdata->vif.cfg.ap_addr))
8197	break;
8198
8199	switch (mgmt->u.action.category) {
8200	case WLAN_CATEGORY_SPECTRUM_MGMT:
8201	ies_len = skb->len -
8202	offsetof(struct ieee80211_mgmt,
8203	u.action.u.chan_switch.variable);
8204
8205	if (ies_len < 0)
8206	break;
8207
8208	/* CSA IE cannot be overridden, no need for BSSID */
8209	elems = ieee802_11_parse_elems(start: mgmt->u.action.u.chan_switch.variable,
8210	len: ies_len,
8211	IEEE80211_FTYPE_MGMT |
8212	IEEE80211_STYPE_ACTION,
8213	NULL);
8214
8215	if (elems && !elems->parse_error) {
8216	enum ieee80211_csa_source src =
8217	IEEE80211_CSA_SOURCE_PROT_ACTION;
8218
8219	ieee80211_sta_process_chanswitch(link,
8220	timestamp: rx_status->mactime,
8221	device_timestamp: rx_status->device_timestamp,
8222	full_elems: elems, csa_elems: elems,
8223	source: src);
8224	}
8225	kfree(objp: elems);
8226	break;
8227	case WLAN_CATEGORY_PUBLIC:
8228	case WLAN_CATEGORY_PROTECTED_DUAL_OF_ACTION:
8229	ies_len = skb->len -
8230	offsetof(struct ieee80211_mgmt,
8231	u.action.u.ext_chan_switch.variable);
8232
8233	if (ies_len < 0)
8234	break;
8235
8236	/*
8237	* extended CSA IE can't be overridden, no need for
8238	* BSSID
8239	*/
8240	elems = ieee802_11_parse_elems(start: mgmt->u.action.u.ext_chan_switch.variable,
8241	len: ies_len,
8242	IEEE80211_FTYPE_MGMT |
8243	IEEE80211_STYPE_ACTION,
8244	NULL);
8245
8246	if (elems && !elems->parse_error) {
8247	enum ieee80211_csa_source src;
8248
8249	if (mgmt->u.action.category ==
8250	WLAN_CATEGORY_PROTECTED_DUAL_OF_ACTION)
8251	src = IEEE80211_CSA_SOURCE_PROT_ACTION;
8252	else
8253	src = IEEE80211_CSA_SOURCE_UNPROT_ACTION;
8254
8255	/* for the handling code pretend it was an IE */
8256	elems->ext_chansw_ie =
8257	&mgmt->u.action.u.ext_chan_switch.data;
8258
8259	ieee80211_sta_process_chanswitch(link,
8260	timestamp: rx_status->mactime,
8261	device_timestamp: rx_status->device_timestamp,
8262	full_elems: elems, csa_elems: elems,
8263	source: src);
8264	}
8265
8266	kfree(objp: elems);
8267	break;
8268	}
8269	break;
8270	}
8271	}
8272
8273	static void ieee80211_sta_timer(struct timer_list *t)
8274	{
8275	struct ieee80211_sub_if_data *sdata =
8276	timer_container_of(sdata, t, u.mgd.timer);
8277
8278	wiphy_work_queue(wiphy: sdata->local->hw.wiphy, work: &sdata->work);
8279	}
8280
8281	void ieee80211_sta_connection_lost(struct ieee80211_sub_if_data *sdata,
8282	u8 reason, bool tx)
8283	{
8284	u8 frame_buf[IEEE80211_DEAUTH_FRAME_LEN];
8285
8286	ieee80211_set_disassoc(sdata, IEEE80211_STYPE_DEAUTH, reason,
8287	tx, frame_buf);
8288
8289	ieee80211_report_disconnect(sdata, buf: frame_buf, len: sizeof(frame_buf), tx: true,
8290	reason, reconnect: false);
8291	}
8292
8293	static int ieee80211_auth(struct ieee80211_sub_if_data *sdata)
8294	{
8295	struct ieee80211_local *local = sdata->local;
8296	struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
8297	struct ieee80211_mgd_auth_data *auth_data = ifmgd->auth_data;
8298	u32 tx_flags = 0;
8299	u16 trans = 1;
8300	u16 status = 0;
8301	struct ieee80211_prep_tx_info info = {
8302	.subtype = IEEE80211_STYPE_AUTH,
8303	};
8304
8305	lockdep_assert_wiphy(sdata->local->hw.wiphy);
8306
8307	if (WARN_ON_ONCE(!auth_data))
8308	return -EINVAL;
8309
8310	auth_data->tries++;
8311
8312	if (auth_data->tries > IEEE80211_AUTH_MAX_TRIES) {
8313	sdata_info(sdata, "authentication with %pM timed out\n",
8314	auth_data->ap_addr);
8315
8316	/*
8317	* Most likely AP is not in the range so remove the
8318	* bss struct for that AP.
8319	*/
8320	cfg80211_unlink_bss(wiphy: local->hw.wiphy, bss: auth_data->bss);
8321
8322	return -ETIMEDOUT;
8323	}
8324
8325	if (auth_data->algorithm == WLAN_AUTH_SAE)
8326	info.duration = jiffies_to_msecs(IEEE80211_AUTH_TIMEOUT_SAE);
8327
8328	info.link_id = auth_data->link_id;
8329	drv_mgd_prepare_tx(local, sdata, info: &info);
8330
8331	sdata_info(sdata, "send auth to %pM (try %d/%d)\n",
8332	auth_data->ap_addr, auth_data->tries,
8333	IEEE80211_AUTH_MAX_TRIES);
8334
8335	auth_data->expected_transaction = 2;
8336
8337	if (auth_data->algorithm == WLAN_AUTH_SAE) {
8338	trans = auth_data->sae_trans;
8339	status = auth_data->sae_status;
8340	auth_data->expected_transaction = trans;
8341	}
8342
8343	if (ieee80211_hw_check(&local->hw, REPORTS_TX_ACK_STATUS))
8344	tx_flags = IEEE80211_TX_CTL_REQ_TX_STATUS |
8345	IEEE80211_TX_INTFL_MLME_CONN_TX;
8346
8347	ieee80211_send_auth(sdata, transaction: trans, auth_alg: auth_data->algorithm, status,
8348	extra: auth_data->data, extra_len: auth_data->data_len,
8349	bssid: auth_data->ap_addr, da: auth_data->ap_addr,
8350	NULL, key_len: 0, key_idx: 0, tx_flags);
8351
8352	if (tx_flags == 0) {
8353	if (auth_data->algorithm == WLAN_AUTH_SAE)
8354	auth_data->timeout = jiffies +
8355	IEEE80211_AUTH_TIMEOUT_SAE;
8356	else
8357	auth_data->timeout = jiffies + IEEE80211_AUTH_TIMEOUT;
8358	} else {
8359	auth_data->timeout =
8360	round_jiffies_up(j: jiffies + IEEE80211_AUTH_TIMEOUT_LONG);
8361	}
8362
8363	auth_data->timeout_started = true;
8364	run_again(sdata, timeout: auth_data->timeout);
8365
8366	return 0;
8367	}
8368
8369	static int ieee80211_do_assoc(struct ieee80211_sub_if_data *sdata)
8370	{
8371	struct ieee80211_mgd_assoc_data *assoc_data = sdata->u.mgd.assoc_data;
8372	struct ieee80211_local *local = sdata->local;
8373	int ret;
8374
8375	lockdep_assert_wiphy(sdata->local->hw.wiphy);
8376
8377	assoc_data->tries++;
8378	assoc_data->comeback = false;
8379	if (assoc_data->tries > IEEE80211_ASSOC_MAX_TRIES) {
8380	sdata_info(sdata, "association with %pM timed out\n",
8381	assoc_data->ap_addr);
8382
8383	/*
8384	* Most likely AP is not in the range so remove the
8385	* bss struct for that AP.
8386	*/
8387	cfg80211_unlink_bss(wiphy: local->hw.wiphy,
8388	bss: assoc_data->link[assoc_data->assoc_link_id].bss);
8389
8390	return -ETIMEDOUT;
8391	}
8392
8393	sdata_info(sdata, "associate with %pM (try %d/%d)\n",
8394	assoc_data->ap_addr, assoc_data->tries,
8395	IEEE80211_ASSOC_MAX_TRIES);
8396	ret = ieee80211_send_assoc(sdata);
8397	if (ret)
8398	return ret;
8399
8400	if (!ieee80211_hw_check(&local->hw, REPORTS_TX_ACK_STATUS)) {
8401	assoc_data->timeout = jiffies + IEEE80211_ASSOC_TIMEOUT;
8402	assoc_data->timeout_started = true;
8403	run_again(sdata, timeout: assoc_data->timeout);
8404	} else {
8405	assoc_data->timeout =
8406	round_jiffies_up(j: jiffies +
8407	IEEE80211_ASSOC_TIMEOUT_LONG);
8408	assoc_data->timeout_started = true;
8409	run_again(sdata, timeout: assoc_data->timeout);
8410	}
8411
8412	return 0;
8413	}
8414
8415	void ieee80211_mgd_conn_tx_status(struct ieee80211_sub_if_data *sdata,
8416	__le16 fc, bool acked)
8417	{
8418	struct ieee80211_local *local = sdata->local;
8419
8420	sdata->u.mgd.status_fc = fc;
8421	sdata->u.mgd.status_acked = acked;
8422	sdata->u.mgd.status_received = true;
8423
8424	wiphy_work_queue(wiphy: local->hw.wiphy, work: &sdata->work);
8425	}
8426
8427	void ieee80211_sta_work(struct ieee80211_sub_if_data *sdata)
8428	{
8429	struct ieee80211_local *local = sdata->local;
8430	struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
8431
8432	lockdep_assert_wiphy(sdata->local->hw.wiphy);
8433
8434	if (ifmgd->status_received) {
8435	__le16 fc = ifmgd->status_fc;
8436	bool status_acked = ifmgd->status_acked;
8437
8438	ifmgd->status_received = false;
8439	if (ifmgd->auth_data && ieee80211_is_auth(fc)) {
8440	if (status_acked) {
8441	if (ifmgd->auth_data->algorithm ==
8442	WLAN_AUTH_SAE)
8443	ifmgd->auth_data->timeout =
8444	jiffies +
8445	IEEE80211_AUTH_TIMEOUT_SAE;
8446	else
8447	ifmgd->auth_data->timeout =
8448	jiffies +
8449	IEEE80211_AUTH_TIMEOUT_SHORT;
8450	run_again(sdata, timeout: ifmgd->auth_data->timeout);
8451	} else {
8452	ifmgd->auth_data->timeout = jiffies - 1;
8453	}
8454	ifmgd->auth_data->timeout_started = true;
8455	} else if (ifmgd->assoc_data &&
8456	!ifmgd->assoc_data->comeback &&
8457	(ieee80211_is_assoc_req(fc) ||
8458	ieee80211_is_reassoc_req(fc))) {
8459	/*
8460	* Update association timeout based on the TX status
8461	* for the (Re)Association Request frame. Skip this if
8462	* we have already processed a (Re)Association Response
8463	* frame that indicated need for association comeback
8464	* at a specific time in the future. This could happen
8465	* if the TX status information is delayed enough for
8466	* the response to be received and processed first.
8467	*/
8468	if (status_acked) {
8469	ifmgd->assoc_data->timeout =
8470	jiffies + IEEE80211_ASSOC_TIMEOUT_SHORT;
8471	run_again(sdata, timeout: ifmgd->assoc_data->timeout);
8472	} else {
8473	ifmgd->assoc_data->timeout = jiffies - 1;
8474	}
8475	ifmgd->assoc_data->timeout_started = true;
8476	}
8477	}
8478
8479	if (ifmgd->auth_data && ifmgd->auth_data->timeout_started &&
8480	time_after(jiffies, ifmgd->auth_data->timeout)) {
8481	if (ifmgd->auth_data->done || ifmgd->auth_data->waiting) {
8482	/*
8483	* ok ... we waited for assoc or continuation but
8484	* userspace didn't do it, so kill the auth data
8485	*/
8486	ieee80211_destroy_auth_data(sdata, assoc: false);
8487	} else if (ieee80211_auth(sdata)) {
8488	u8 ap_addr[ETH_ALEN];
8489	struct ieee80211_event event = {
8490	.type = MLME_EVENT,
8491	.u.mlme.data = AUTH_EVENT,
8492	.u.mlme.status = MLME_TIMEOUT,
8493	};
8494
8495	memcpy(ap_addr, ifmgd->auth_data->ap_addr, ETH_ALEN);
8496
8497	ieee80211_destroy_auth_data(sdata, assoc: false);
8498
8499	cfg80211_auth_timeout(dev: sdata->dev, addr: ap_addr);
8500	drv_event_callback(local: sdata->local, sdata, event: &event);
8501	}
8502	} else if (ifmgd->auth_data && ifmgd->auth_data->timeout_started)
8503	run_again(sdata, timeout: ifmgd->auth_data->timeout);
8504
8505	if (ifmgd->assoc_data && ifmgd->assoc_data->timeout_started &&
8506	time_after(jiffies, ifmgd->assoc_data->timeout)) {
8507	if ((ifmgd->assoc_data->need_beacon &&
8508	!sdata->deflink.u.mgd.have_beacon) ||
8509	ieee80211_do_assoc(sdata)) {
8510	struct ieee80211_event event = {
8511	.type = MLME_EVENT,
8512	.u.mlme.data = ASSOC_EVENT,
8513	.u.mlme.status = MLME_TIMEOUT,
8514	};
8515
8516	ieee80211_destroy_assoc_data(sdata, status: ASSOC_TIMEOUT);
8517	drv_event_callback(local: sdata->local, sdata, event: &event);
8518	}
8519	} else if (ifmgd->assoc_data && ifmgd->assoc_data->timeout_started)
8520	run_again(sdata, timeout: ifmgd->assoc_data->timeout);
8521
8522	if (ifmgd->flags & IEEE80211_STA_CONNECTION_POLL &&
8523	ifmgd->associated) {
8524	u8 *bssid = sdata->deflink.u.mgd.bssid;
8525	int max_tries;
8526
8527	if (ieee80211_hw_check(&local->hw, REPORTS_TX_ACK_STATUS))
8528	max_tries = max_nullfunc_tries;
8529	else
8530	max_tries = max_probe_tries;
8531
8532	/* ACK received for nullfunc probing frame */
8533	if (!ifmgd->probe_send_count)
8534	ieee80211_reset_ap_probe(sdata);
8535	else if (ifmgd->nullfunc_failed) {
8536	if (ifmgd->probe_send_count < max_tries) {
8537	mlme_dbg(sdata,
8538	"No ack for nullfunc frame to AP %pM, try %d/%i\n",
8539	bssid, ifmgd->probe_send_count,
8540	max_tries);
8541	ieee80211_mgd_probe_ap_send(sdata);
8542	} else {
8543	mlme_dbg(sdata,
8544	"No ack for nullfunc frame to AP %pM, disconnecting.\n",
8545	bssid);
8546	ieee80211_sta_connection_lost(sdata,
8547	reason: WLAN_REASON_DISASSOC_DUE_TO_INACTIVITY,
8548	tx: false);
8549	}
8550	} else if (time_is_after_jiffies(ifmgd->probe_timeout))
8551	run_again(sdata, timeout: ifmgd->probe_timeout);
8552	else if (ieee80211_hw_check(&local->hw, REPORTS_TX_ACK_STATUS)) {
8553	mlme_dbg(sdata,
8554	"Failed to send nullfunc to AP %pM after %dms, disconnecting\n",
8555	bssid, probe_wait_ms);
8556	ieee80211_sta_connection_lost(sdata,
8557	reason: WLAN_REASON_DISASSOC_DUE_TO_INACTIVITY, tx: false);
8558	} else if (ifmgd->probe_send_count < max_tries) {
8559	mlme_dbg(sdata,
8560	"No probe response from AP %pM after %dms, try %d/%i\n",
8561	bssid, probe_wait_ms,
8562	ifmgd->probe_send_count, max_tries);
8563	ieee80211_mgd_probe_ap_send(sdata);
8564	} else {
8565	/*
8566	* We actually lost the connection ... or did we?
8567	* Let's make sure!
8568	*/
8569	mlme_dbg(sdata,
8570	"No probe response from AP %pM after %dms, disconnecting.\n",
8571	bssid, probe_wait_ms);
8572
8573	ieee80211_sta_connection_lost(sdata,
8574	reason: WLAN_REASON_DISASSOC_DUE_TO_INACTIVITY, tx: false);
8575	}
8576	}
8577	}
8578
8579	static bool
8580	ieee80211_is_csa_in_progress(struct ieee80211_sub_if_data *sdata)
8581	{
8582	/*
8583	* In MLO, check the CSA flags 'active' and 'waiting_bcn' for all
8584	* the links.
8585	*/
8586	struct ieee80211_link_data *link;
8587
8588	guard(rcu)();
8589
8590	for_each_link_data_rcu(sdata, link) {
8591	if (!(link->conf->csa_active &&
8592	!link->u.mgd.csa.waiting_bcn))
8593	return false;
8594	}
8595
8596	return true;
8597	}
8598
8599	static void ieee80211_sta_bcn_mon_timer(struct timer_list *t)
8600	{
8601	struct ieee80211_sub_if_data *sdata =
8602	timer_container_of(sdata, t, u.mgd.bcn_mon_timer);
8603
8604	if (ieee80211_is_csa_in_progress(sdata))
8605	return;
8606
8607	if (sdata->vif.driver_flags & IEEE80211_VIF_BEACON_FILTER)
8608	return;
8609
8610	sdata->u.mgd.connection_loss = false;
8611	wiphy_work_queue(wiphy: sdata->local->hw.wiphy,
8612	work: &sdata->u.mgd.beacon_connection_loss_work);
8613	}
8614
8615	static unsigned long
8616	ieee80211_latest_active_link_conn_timeout(struct ieee80211_sub_if_data *sdata)
8617	{
8618	unsigned long latest_timeout = jiffies;
8619	unsigned int link_id;
8620	struct sta_info *sta;
8621
8622	guard(rcu)();
8623
8624	sta = sta_info_get(sdata, addr: sdata->vif.cfg.ap_addr);
8625	if (!sta)
8626	return 0;
8627
8628	for (link_id = 0; link_id < ARRAY_SIZE(sta->link);
8629	link_id++) {
8630	struct link_sta_info *link_sta;
8631	unsigned long timeout;
8632
8633	link_sta = rcu_dereference(sta->link[link_id]);
8634	if (!link_sta)
8635	continue;
8636
8637	timeout = link_sta->status_stats.last_ack;
8638	if (time_before(timeout, link_sta->rx_stats.last_rx))
8639	timeout = link_sta->rx_stats.last_rx;
8640
8641	timeout += IEEE80211_CONNECTION_IDLE_TIME;
8642
8643	/*
8644	* latest_timeout holds the timeout of the link
8645	* that will expire last among all links in an
8646	* non-AP MLD STA. This ensures that the connection
8647	* monitor timer is only reset if at least one link
8648	* is still active, and it is scheduled to fire at
8649	* the latest possible timeout.
8650	*/
8651	if (time_after(timeout, latest_timeout))
8652	latest_timeout = timeout;
8653	}
8654
8655	return latest_timeout;
8656	}
8657
8658	static void ieee80211_sta_conn_mon_timer(struct timer_list *t)
8659	{
8660	struct ieee80211_sub_if_data *sdata =
8661	timer_container_of(sdata, t, u.mgd.conn_mon_timer);
8662	struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
8663	struct ieee80211_local *local = sdata->local;
8664	unsigned long latest_timeout;
8665
8666	if (ieee80211_is_csa_in_progress(sdata))
8667	return;
8668
8669	latest_timeout = ieee80211_latest_active_link_conn_timeout(sdata);
8670
8671	/*
8672	* If latest timeout is after now, then update timer to fire at
8673	* the later date, but do not actually probe at this time.
8674	*/
8675	if (time_is_after_jiffies(latest_timeout)) {
8676	mod_timer(timer: &ifmgd->conn_mon_timer,
8677	expires: round_jiffies_up(j: latest_timeout));
8678	return;
8679	}
8680
8681	wiphy_work_queue(wiphy: local->hw.wiphy, work: &sdata->u.mgd.monitor_work);
8682	}
8683
8684	static void ieee80211_sta_monitor_work(struct wiphy *wiphy,
8685	struct wiphy_work *work)
8686	{
8687	struct ieee80211_sub_if_data *sdata =
8688	container_of(work, struct ieee80211_sub_if_data,
8689	u.mgd.monitor_work);
8690
8691	ieee80211_mgd_probe_ap(sdata, beacon: false);
8692	}
8693
8694	static void ieee80211_restart_sta_timer(struct ieee80211_sub_if_data *sdata)
8695	{
8696	if (sdata->vif.type == NL80211_IFTYPE_STATION) {
8697	__ieee80211_stop_poll(sdata);
8698
8699	/* let's probe the connection once */
8700	if (!ieee80211_hw_check(&sdata->local->hw, CONNECTION_MONITOR))
8701	wiphy_work_queue(wiphy: sdata->local->hw.wiphy,
8702	work: &sdata->u.mgd.monitor_work);
8703	}
8704	}
8705
8706	#ifdef CONFIG_PM
8707	void ieee80211_mgd_quiesce(struct ieee80211_sub_if_data *sdata)
8708	{
8709	struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
8710	u8 frame_buf[IEEE80211_DEAUTH_FRAME_LEN];
8711
8712	lockdep_assert_wiphy(sdata->local->hw.wiphy);
8713
8714	if (ifmgd->auth_data || ifmgd->assoc_data) {
8715	const u8 *ap_addr = ifmgd->auth_data ?
8716	ifmgd->auth_data->ap_addr :
8717	ifmgd->assoc_data->ap_addr;
8718
8719	/*
8720	* If we are trying to authenticate / associate while suspending,
8721	* cfg80211 won't know and won't actually abort those attempts,
8722	* thus we need to do that ourselves.
8723	*/
8724	ieee80211_send_deauth_disassoc(sdata, da: ap_addr, bssid: ap_addr,
8725	IEEE80211_STYPE_DEAUTH,
8726	reason: WLAN_REASON_DEAUTH_LEAVING,
8727	send_frame: false, frame_buf);
8728	if (ifmgd->assoc_data)
8729	ieee80211_destroy_assoc_data(sdata, status: ASSOC_ABANDON);
8730	if (ifmgd->auth_data)
8731	ieee80211_destroy_auth_data(sdata, assoc: false);
8732	cfg80211_tx_mlme_mgmt(dev: sdata->dev, buf: frame_buf,
8733	IEEE80211_DEAUTH_FRAME_LEN,
8734	reconnect: false);
8735	}
8736
8737	/* This is a bit of a hack - we should find a better and more generic
8738	* solution to this. Normally when suspending, cfg80211 will in fact
8739	* deauthenticate. However, it doesn't (and cannot) stop an ongoing
8740	* auth (not so important) or assoc (this is the problem) process.
8741	*
8742	* As a consequence, it can happen that we are in the process of both
8743	* associating and suspending, and receive an association response
8744	* after cfg80211 has checked if it needs to disconnect, but before
8745	* we actually set the flag to drop incoming frames. This will then
8746	* cause the workqueue flush to process the association response in
8747	* the suspend, resulting in a successful association just before it
8748	* tries to remove the interface from the driver, which now though
8749	* has a channel context assigned ... this results in issues.
8750	*
8751	* To work around this (for now) simply deauth here again if we're
8752	* now connected.
8753	*/
8754	if (ifmgd->associated && !sdata->local->wowlan) {
8755	u8 bssid[ETH_ALEN];
8756	struct cfg80211_deauth_request req = {
8757	.reason_code = WLAN_REASON_DEAUTH_LEAVING,
8758	.bssid = bssid,
8759	};
8760
8761	memcpy(bssid, sdata->vif.cfg.ap_addr, ETH_ALEN);
8762	ieee80211_mgd_deauth(sdata, req: &req);
8763	}
8764	}
8765	#endif
8766
8767	void ieee80211_sta_restart(struct ieee80211_sub_if_data *sdata)
8768	{
8769	struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
8770
8771	lockdep_assert_wiphy(sdata->local->hw.wiphy);
8772
8773	if (!ifmgd->associated)
8774	return;
8775
8776	if (sdata->flags & IEEE80211_SDATA_DISCONNECT_RESUME) {
8777	sdata->flags &= ~IEEE80211_SDATA_DISCONNECT_RESUME;
8778	mlme_dbg(sdata, "driver requested disconnect after resume\n");
8779	ieee80211_sta_connection_lost(sdata,
8780	reason: WLAN_REASON_UNSPECIFIED,
8781	tx: true);
8782	return;
8783	}
8784
8785	if (sdata->flags & IEEE80211_SDATA_DISCONNECT_HW_RESTART) {
8786	sdata->flags &= ~IEEE80211_SDATA_DISCONNECT_HW_RESTART;
8787	mlme_dbg(sdata, "driver requested disconnect after hardware restart\n");
8788	ieee80211_sta_connection_lost(sdata,
8789	reason: WLAN_REASON_UNSPECIFIED,
8790	tx: true);
8791	return;
8792	}
8793	}
8794
8795	static void ieee80211_request_smps_mgd_work(struct wiphy *wiphy,
8796	struct wiphy_work *work)
8797	{
8798	struct ieee80211_link_data *link =
8799	container_of(work, struct ieee80211_link_data,
8800	u.mgd.request_smps_work);
8801
8802	__ieee80211_request_smps_mgd(sdata: link->sdata, link,
8803	smps_mode: link->u.mgd.driver_smps_mode);
8804	}
8805
8806	static void ieee80211_ml_sta_reconf_timeout(struct wiphy *wiphy,
8807	struct wiphy_work *work)
8808	{
8809	struct ieee80211_sub_if_data *sdata =
8810	container_of(work, struct ieee80211_sub_if_data,
8811	u.mgd.reconf.wk.work);
8812
8813	if (!sdata->u.mgd.reconf.added_links &&
8814	!sdata->u.mgd.reconf.removed_links)
8815	return;
8816
8817	sdata_info(sdata,
8818	"mlo: reconf: timeout: added=0x%x, removed=0x%x\n",
8819	sdata->u.mgd.reconf.added_links,
8820	sdata->u.mgd.reconf.removed_links);
8821
8822	__ieee80211_disconnect(sdata);
8823	}
8824
8825	/* interface setup */
8826	void ieee80211_sta_setup_sdata(struct ieee80211_sub_if_data *sdata)
8827	{
8828	struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
8829
8830	wiphy_work_init(work: &ifmgd->monitor_work, func: ieee80211_sta_monitor_work);
8831	wiphy_work_init(work: &ifmgd->beacon_connection_loss_work,
8832	func: ieee80211_beacon_connection_loss_work);
8833	wiphy_work_init(work: &ifmgd->csa_connection_drop_work,
8834	func: ieee80211_csa_connection_drop_work);
8835	wiphy_delayed_work_init(dwork: &ifmgd->tdls_peer_del_work,
8836	func: ieee80211_tdls_peer_del_work);
8837	wiphy_hrtimer_work_init(hrwork: &ifmgd->ml_reconf_work,
8838	func: ieee80211_ml_reconf_work);
8839	wiphy_delayed_work_init(dwork: &ifmgd->reconf.wk,
8840	func: ieee80211_ml_sta_reconf_timeout);
8841	timer_setup(&ifmgd->timer, ieee80211_sta_timer, 0);
8842	timer_setup(&ifmgd->bcn_mon_timer, ieee80211_sta_bcn_mon_timer, 0);
8843	timer_setup(&ifmgd->conn_mon_timer, ieee80211_sta_conn_mon_timer, 0);
8844	wiphy_delayed_work_init(dwork: &ifmgd->tx_tspec_wk,
8845	func: ieee80211_sta_handle_tspec_ac_params_wk);
8846	wiphy_hrtimer_work_init(hrwork: &ifmgd->ttlm_work,
8847	func: ieee80211_tid_to_link_map_work);
8848	wiphy_delayed_work_init(dwork: &ifmgd->neg_ttlm_timeout_work,
8849	func: ieee80211_neg_ttlm_timeout_work);
8850	wiphy_work_init(work: &ifmgd->teardown_ttlm_work,
8851	func: ieee80211_teardown_ttlm_work);
8852
8853	ifmgd->flags = 0;
8854	ifmgd->powersave = sdata->wdev.ps;
8855	ifmgd->uapsd_queues = sdata->local->hw.uapsd_queues;
8856	ifmgd->uapsd_max_sp_len = sdata->local->hw.uapsd_max_sp_len;
8857	/* Setup TDLS data */
8858	spin_lock_init(&ifmgd->teardown_lock);
8859	ifmgd->teardown_skb = NULL;
8860	ifmgd->orig_teardown_skb = NULL;
8861	ifmgd->mcast_seq_last = IEEE80211_SN_MODULO;
8862	}
8863
8864	static void ieee80211_recalc_smps_work(struct wiphy *wiphy,
8865	struct wiphy_work *work)
8866	{
8867	struct ieee80211_link_data *link =
8868	container_of(work, struct ieee80211_link_data,
8869	u.mgd.recalc_smps);
8870
8871	ieee80211_recalc_smps(sdata: link->sdata, link);
8872	}
8873
8874	void ieee80211_mgd_setup_link(struct ieee80211_link_data *link)
8875	{
8876	struct ieee80211_sub_if_data *sdata = link->sdata;
8877	struct ieee80211_local *local = sdata->local;
8878	unsigned int link_id = link->link_id;
8879
8880	link->u.mgd.p2p_noa_index = -1;
8881	link->conf->bssid = link->u.mgd.bssid;
8882	link->smps_mode = IEEE80211_SMPS_OFF;
8883
8884	wiphy_work_init(work: &link->u.mgd.request_smps_work,
8885	func: ieee80211_request_smps_mgd_work);
8886	wiphy_work_init(work: &link->u.mgd.recalc_smps,
8887	func: ieee80211_recalc_smps_work);
8888	if (local->hw.wiphy->features & NL80211_FEATURE_DYNAMIC_SMPS)
8889	link->u.mgd.req_smps = IEEE80211_SMPS_AUTOMATIC;
8890	else
8891	link->u.mgd.req_smps = IEEE80211_SMPS_OFF;
8892
8893	wiphy_hrtimer_work_init(hrwork: &link->u.mgd.csa.switch_work,
8894	func: ieee80211_csa_switch_work);
8895
8896	ieee80211_clear_tpe(tpe: &link->conf->tpe);
8897
8898	if (sdata->u.mgd.assoc_data)
8899	ether_addr_copy(dst: link->conf->addr,
8900	src: sdata->u.mgd.assoc_data->link[link_id].addr);
8901	else if (sdata->u.mgd.reconf.add_links_data)
8902	ether_addr_copy(dst: link->conf->addr,
8903	src: sdata->u.mgd.reconf.add_links_data->link[link_id].addr);
8904	else if (!is_valid_ether_addr(addr: link->conf->addr))
8905	eth_random_addr(addr: link->conf->addr);
8906	}
8907
8908	/* scan finished notification */
8909	void ieee80211_mlme_notify_scan_completed(struct ieee80211_local *local)
8910	{
8911	struct ieee80211_sub_if_data *sdata;
8912
8913	/* Restart STA timers */
8914	rcu_read_lock();
8915	list_for_each_entry_rcu(sdata, &local->interfaces, list) {
8916	if (ieee80211_sdata_running(sdata))
8917	ieee80211_restart_sta_timer(sdata);
8918	}
8919	rcu_read_unlock();
8920	}
8921
8922	static int ieee80211_prep_connection(struct ieee80211_sub_if_data *sdata,
8923	struct cfg80211_bss *cbss, s8 link_id,
8924	const u8 *ap_mld_addr, bool assoc,
8925	struct ieee80211_conn_settings *conn,
8926	bool override,
8927	unsigned long *userspace_selectors)
8928	{
8929	struct ieee80211_local *local = sdata->local;
8930	struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
8931	struct ieee80211_bss *bss = (void *)cbss->priv;
8932	struct sta_info *new_sta = NULL;
8933	struct ieee80211_link_data *link;
8934	bool have_sta = false;
8935	bool mlo;
8936	int err;
8937	u16 new_links;
8938
8939	if (link_id >= 0) {
8940	mlo = true;
8941	if (WARN_ON(!ap_mld_addr))
8942	return -EINVAL;
8943	new_links = BIT(link_id);
8944	} else {
8945	if (WARN_ON(ap_mld_addr))
8946	return -EINVAL;
8947	ap_mld_addr = cbss->bssid;
8948	new_links = 0;
8949	link_id = 0;
8950	mlo = false;
8951	}
8952
8953	if (assoc) {
8954	rcu_read_lock();
8955	have_sta = sta_info_get(sdata, addr: ap_mld_addr);
8956	rcu_read_unlock();
8957	}
8958
8959	if (mlo && !have_sta &&
8960	WARN_ON(sdata->vif.valid_links || sdata->vif.active_links))
8961	return -EINVAL;
8962
8963	err = ieee80211_vif_set_links(sdata, new_links, dormant_links: 0);
8964	if (err)
8965	return err;
8966
8967	link = sdata_dereference(sdata->link[link_id], sdata);
8968	if (WARN_ON(!link)) {
8969	err = -ENOLINK;
8970	goto out_err;
8971	}
8972
8973	if (WARN_ON(!ifmgd->auth_data && !ifmgd->assoc_data)) {
8974	err = -EINVAL;
8975	goto out_err;
8976	}
8977
8978	/* If a reconfig is happening, bail out */
8979	if (local->in_reconfig) {
8980	err = -EBUSY;
8981	goto out_err;
8982	}
8983
8984	if (!have_sta) {
8985	if (mlo)
8986	new_sta = sta_info_alloc_with_link(sdata, mld_addr: ap_mld_addr,
8987	link_id, link_addr: cbss->bssid,
8988	GFP_KERNEL);
8989	else
8990	new_sta = sta_info_alloc(sdata, addr: ap_mld_addr, GFP_KERNEL);
8991
8992	if (!new_sta) {
8993	err = -ENOMEM;
8994	goto out_err;
8995	}
8996
8997	new_sta->sta.mlo = mlo;
8998	}
8999
9000	/*
9001	* Set up the information for the new channel before setting the
9002	* new channel. We can't - completely race-free - change the basic
9003	* rates bitmap and the channel (sband) that it refers to, but if
9004	* we set it up before we at least avoid calling into the driver's
9005	* bss_info_changed() method with invalid information (since we do
9006	* call that from changing the channel - only for IDLE and perhaps
9007	* some others, but ...).
9008	*
9009	* So to avoid that, just set up all the new information before the
9010	* channel, but tell the driver to apply it only afterwards, since
9011	* it might need the new channel for that.
9012	*/
9013	if (new_sta) {
9014	const struct cfg80211_bss_ies *ies;
9015	struct link_sta_info *link_sta;
9016
9017	rcu_read_lock();
9018	link_sta = rcu_dereference(new_sta->link[link_id]);
9019	if (WARN_ON(!link_sta)) {
9020	rcu_read_unlock();
9021	sta_info_free(local, sta: new_sta);
9022	err = -EINVAL;
9023	goto out_err;
9024	}
9025
9026	err = ieee80211_mgd_setup_link_sta(link, sta: new_sta,
9027	link_sta, cbss);
9028	if (err) {
9029	rcu_read_unlock();
9030	sta_info_free(local, sta: new_sta);
9031	goto out_err;
9032	}
9033
9034	memcpy(link->u.mgd.bssid, cbss->bssid, ETH_ALEN);
9035
9036	/* set timing information */
9037	link->conf->beacon_int = cbss->beacon_interval;
9038	ies = rcu_dereference(cbss->beacon_ies);
9039	if (ies) {
9040	link->conf->sync_tsf = ies->tsf;
9041	link->conf->sync_device_ts =
9042	bss->device_ts_beacon;
9043
9044	ieee80211_get_dtim(ies,
9045	dtim_count: &link->conf->sync_dtim_count,
9046	NULL);
9047	} else if (!ieee80211_hw_check(&sdata->local->hw,
9048	TIMING_BEACON_ONLY)) {
9049	ies = rcu_dereference(cbss->proberesp_ies);
9050	/* must be non-NULL since beacon IEs were NULL */
9051	link->conf->sync_tsf = ies->tsf;
9052	link->conf->sync_device_ts =
9053	bss->device_ts_presp;
9054	link->conf->sync_dtim_count = 0;
9055	} else {
9056	link->conf->sync_tsf = 0;
9057	link->conf->sync_device_ts = 0;
9058	link->conf->sync_dtim_count = 0;
9059	}
9060	rcu_read_unlock();
9061	}
9062
9063	if (new_sta || override) {
9064	/*
9065	* Only set this if we're also going to calculate the AP
9066	* settings etc., otherwise this was set before in a
9067	* previous call. Note override is set to %true in assoc
9068	* if the settings were changed.
9069	*/
9070	link->u.mgd.conn = *conn;
9071	err = ieee80211_prep_channel(sdata, link, link_id: link->link_id, cbss,
9072	mlo, conn: &link->u.mgd.conn,
9073	userspace_selectors);
9074	if (err) {
9075	if (new_sta)
9076	sta_info_free(local, sta: new_sta);
9077	goto out_err;
9078	}
9079	/* pass out for use in assoc */
9080	*conn = link->u.mgd.conn;
9081	}
9082
9083	if (new_sta) {
9084	/*
9085	* tell driver about BSSID, basic rates and timing
9086	* this was set up above, before setting the channel
9087	*/
9088	ieee80211_link_info_change_notify(sdata, link,
9089	changed: BSS_CHANGED_BSSID |
9090	BSS_CHANGED_BASIC_RATES |
9091	BSS_CHANGED_BEACON_INT);
9092
9093	if (assoc)
9094	sta_info_pre_move_state(sta: new_sta, new_state: IEEE80211_STA_AUTH);
9095
9096	err = sta_info_insert(sta: new_sta);
9097	new_sta = NULL;
9098	if (err) {
9099	sdata_info(sdata,
9100	"failed to insert STA entry for the AP (error %d)\n",
9101	err);
9102	goto out_release_chan;
9103	}
9104	} else
9105	WARN_ON_ONCE(!ether_addr_equal(link->u.mgd.bssid, cbss->bssid));
9106
9107	/* Cancel scan to ensure that nothing interferes with connection */
9108	if (local->scanning)
9109	ieee80211_scan_cancel(local);
9110
9111	return 0;
9112
9113	out_release_chan:
9114	ieee80211_link_release_channel(link);
9115	out_err:
9116	ieee80211_vif_set_links(sdata, new_links: 0, dormant_links: 0);
9117	return err;
9118	}
9119
9120	static bool ieee80211_mgd_csa_present(struct ieee80211_sub_if_data *sdata,
9121	const struct cfg80211_bss_ies *ies,
9122	u8 cur_channel, bool ignore_ecsa)
9123	{
9124	const struct element *csa_elem, *ecsa_elem;
9125	struct ieee80211_channel_sw_ie *csa = NULL;
9126	struct ieee80211_ext_chansw_ie *ecsa = NULL;
9127
9128	if (!ies)
9129	return false;
9130
9131	csa_elem = cfg80211_find_elem(eid: WLAN_EID_CHANNEL_SWITCH,
9132	ies: ies->data, len: ies->len);
9133	if (csa_elem && csa_elem->datalen == sizeof(*csa))
9134	csa = (void *)csa_elem->data;
9135
9136	ecsa_elem = cfg80211_find_elem(eid: WLAN_EID_EXT_CHANSWITCH_ANN,
9137	ies: ies->data, len: ies->len);
9138	if (ecsa_elem && ecsa_elem->datalen == sizeof(*ecsa))
9139	ecsa = (void *)ecsa_elem->data;
9140
9141	if (csa && csa->count == 0)
9142	csa = NULL;
9143	if (csa && !csa->mode && csa->new_ch_num == cur_channel)
9144	csa = NULL;
9145
9146	if (ecsa && ecsa->count == 0)
9147	ecsa = NULL;
9148	if (ecsa && !ecsa->mode && ecsa->new_ch_num == cur_channel)
9149	ecsa = NULL;
9150
9151	if (ignore_ecsa && ecsa) {
9152	sdata_info(sdata,
9153	"Ignoring ECSA in probe response - was considered stuck!\n");
9154	return csa;
9155	}
9156
9157	return csa || ecsa;
9158	}
9159
9160	static bool ieee80211_mgd_csa_in_process(struct ieee80211_sub_if_data *sdata,
9161	struct cfg80211_bss *bss)
9162	{
9163	u8 cur_channel;
9164	bool ret;
9165
9166	cur_channel = ieee80211_frequency_to_channel(freq: bss->channel->center_freq);
9167
9168	rcu_read_lock();
9169	if (ieee80211_mgd_csa_present(sdata,
9170	rcu_dereference(bss->beacon_ies),
9171	cur_channel, ignore_ecsa: false)) {
9172	ret = true;
9173	goto out;
9174	}
9175
9176	if (ieee80211_mgd_csa_present(sdata,
9177	rcu_dereference(bss->proberesp_ies),
9178	cur_channel, ignore_ecsa: bss->proberesp_ecsa_stuck)) {
9179	ret = true;
9180	goto out;
9181	}
9182
9183	ret = false;
9184	out:
9185	rcu_read_unlock();
9186	return ret;
9187	}
9188
9189	static void ieee80211_parse_cfg_selectors(unsigned long *userspace_selectors,
9190	const u8 *supported_selectors,
9191	u8 supported_selectors_len)
9192	{
9193	if (supported_selectors) {
9194	for (int i = 0; i < supported_selectors_len; i++) {
9195	set_bit(nr: supported_selectors[i],
9196	addr: userspace_selectors);
9197	}
9198	} else {
9199	/* Assume SAE_H2E support for backward compatibility. */
9200	set_bit(BSS_MEMBERSHIP_SELECTOR_SAE_H2E,
9201	addr: userspace_selectors);
9202	}
9203	}
9204
9205	/* config hooks */
9206	int ieee80211_mgd_auth(struct ieee80211_sub_if_data *sdata,
9207	struct cfg80211_auth_request *req)
9208	{
9209	struct ieee80211_local *local = sdata->local;
9210	struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
9211	struct ieee80211_mgd_auth_data *auth_data;
9212	struct ieee80211_conn_settings conn;
9213	struct ieee80211_link_data *link;
9214	struct ieee80211_supported_band *sband;
9215	struct ieee80211_bss *bss;
9216	u16 auth_alg;
9217	int err;
9218	bool cont_auth, wmm_used;
9219
9220	lockdep_assert_wiphy(sdata->local->hw.wiphy);
9221
9222	/* prepare auth data structure */
9223
9224	switch (req->auth_type) {
9225	case NL80211_AUTHTYPE_OPEN_SYSTEM:
9226	auth_alg = WLAN_AUTH_OPEN;
9227	break;
9228	case NL80211_AUTHTYPE_SHARED_KEY:
9229	if (fips_enabled)
9230	return -EOPNOTSUPP;
9231	auth_alg = WLAN_AUTH_SHARED_KEY;
9232	break;
9233	case NL80211_AUTHTYPE_FT:
9234	auth_alg = WLAN_AUTH_FT;
9235	break;
9236	case NL80211_AUTHTYPE_NETWORK_EAP:
9237	auth_alg = WLAN_AUTH_LEAP;
9238	break;
9239	case NL80211_AUTHTYPE_SAE:
9240	auth_alg = WLAN_AUTH_SAE;
9241	break;
9242	case NL80211_AUTHTYPE_FILS_SK:
9243	auth_alg = WLAN_AUTH_FILS_SK;
9244	break;
9245	case NL80211_AUTHTYPE_FILS_SK_PFS:
9246	auth_alg = WLAN_AUTH_FILS_SK_PFS;
9247	break;
9248	case NL80211_AUTHTYPE_FILS_PK:
9249	auth_alg = WLAN_AUTH_FILS_PK;
9250	break;
9251	default:
9252	return -EOPNOTSUPP;
9253	}
9254
9255	if (ifmgd->assoc_data)
9256	return -EBUSY;
9257
9258	if (ieee80211_mgd_csa_in_process(sdata, bss: req->bss)) {
9259	sdata_info(sdata, "AP is in CSA process, reject auth\n");
9260	return -EINVAL;
9261	}
9262
9263	auth_data = kzalloc(sizeof(*auth_data) + req->auth_data_len +
9264	req->ie_len, GFP_KERNEL);
9265	if (!auth_data)
9266	return -ENOMEM;
9267
9268	memcpy(auth_data->ap_addr,
9269	req->ap_mld_addr ?: req->bss->bssid,
9270	ETH_ALEN);
9271	auth_data->bss = req->bss;
9272	auth_data->link_id = req->link_id;
9273
9274	if (req->auth_data_len >= 4) {
9275	if (req->auth_type == NL80211_AUTHTYPE_SAE) {
9276	__le16 *pos = (__le16 *) req->auth_data;
9277
9278	auth_data->sae_trans = le16_to_cpu(pos[0]);
9279	auth_data->sae_status = le16_to_cpu(pos[1]);
9280	}
9281	memcpy(auth_data->data, req->auth_data + 4,
9282	req->auth_data_len - 4);
9283	auth_data->data_len += req->auth_data_len - 4;
9284	}
9285
9286	/* Check if continuing authentication or trying to authenticate with the
9287	* same BSS that we were in the process of authenticating with and avoid
9288	* removal and re-addition of the STA entry in
9289	* ieee80211_prep_connection().
9290	*/
9291	cont_auth = ifmgd->auth_data && req->bss == ifmgd->auth_data->bss &&
9292	ifmgd->auth_data->link_id == req->link_id;
9293
9294	if (req->ie && req->ie_len) {
9295	memcpy(&auth_data->data[auth_data->data_len],
9296	req->ie, req->ie_len);
9297	auth_data->data_len += req->ie_len;
9298	}
9299
9300	if (req->key && req->key_len) {
9301	auth_data->key_len = req->key_len;
9302	auth_data->key_idx = req->key_idx;
9303	memcpy(auth_data->key, req->key, req->key_len);
9304	}
9305
9306	ieee80211_parse_cfg_selectors(userspace_selectors: auth_data->userspace_selectors,
9307	supported_selectors: req->supported_selectors,
9308	supported_selectors_len: req->supported_selectors_len);
9309
9310	auth_data->algorithm = auth_alg;
9311
9312	/* try to authenticate/probe */
9313
9314	if (ifmgd->auth_data) {
9315	if (cont_auth && req->auth_type == NL80211_AUTHTYPE_SAE) {
9316	auth_data->peer_confirmed =
9317	ifmgd->auth_data->peer_confirmed;
9318	}
9319	ieee80211_destroy_auth_data(sdata, assoc: cont_auth);
9320	}
9321
9322	/* prep auth_data so we don't go into idle on disassoc */
9323	ifmgd->auth_data = auth_data;
9324
9325	/* If this is continuation of an ongoing SAE authentication exchange
9326	* (i.e., request to send SAE Confirm) and the peer has already
9327	* confirmed, mark authentication completed since we are about to send
9328	* out SAE Confirm.
9329	*/
9330	if (cont_auth && req->auth_type == NL80211_AUTHTYPE_SAE &&
9331	auth_data->peer_confirmed && auth_data->sae_trans == 2)
9332	ieee80211_mark_sta_auth(sdata);
9333
9334	if (ifmgd->associated) {
9335	u8 frame_buf[IEEE80211_DEAUTH_FRAME_LEN];
9336
9337	sdata_info(sdata,
9338	"disconnect from AP %pM for new auth to %pM\n",
9339	sdata->vif.cfg.ap_addr, auth_data->ap_addr);
9340	ieee80211_set_disassoc(sdata, IEEE80211_STYPE_DEAUTH,
9341	reason: WLAN_REASON_UNSPECIFIED,
9342	tx: false, frame_buf);
9343
9344	ieee80211_report_disconnect(sdata, buf: frame_buf,
9345	len: sizeof(frame_buf), tx: true,
9346	reason: WLAN_REASON_UNSPECIFIED,
9347	reconnect: false);
9348	}
9349
9350	/* needed for transmitting the auth frame(s) properly */
9351	memcpy(sdata->vif.cfg.ap_addr, auth_data->ap_addr, ETH_ALEN);
9352
9353	bss = (void *)req->bss->priv;
9354	wmm_used = bss->wmm_used && (local->hw.queues >= IEEE80211_NUM_ACS);
9355
9356	sband = local->hw.wiphy->bands[req->bss->channel->band];
9357
9358	ieee80211_determine_our_sta_mode_auth(sdata, sband, req, wmm_used,
9359	conn: &conn);
9360
9361	err = ieee80211_prep_connection(sdata, cbss: req->bss, link_id: req->link_id,
9362	ap_mld_addr: req->ap_mld_addr, assoc: cont_auth,
9363	conn: &conn, override: false,
9364	userspace_selectors: auth_data->userspace_selectors);
9365	if (err)
9366	goto err_clear;
9367
9368	if (req->link_id >= 0)
9369	link = sdata_dereference(sdata->link[req->link_id], sdata);
9370	else
9371	link = &sdata->deflink;
9372
9373	if (WARN_ON(!link)) {
9374	err = -ENOLINK;
9375	goto err_clear;
9376	}
9377
9378	sdata_info(sdata, "authenticate with %pM (local address=%pM)\n",
9379	auth_data->ap_addr, link->conf->addr);
9380
9381	err = ieee80211_auth(sdata);
9382	if (err) {
9383	sta_info_destroy_addr(sdata, addr: auth_data->ap_addr);
9384	goto err_clear;
9385	}
9386
9387	/* hold our own reference */
9388	cfg80211_ref_bss(wiphy: local->hw.wiphy, bss: auth_data->bss);
9389	return 0;
9390
9391	err_clear:
9392	if (!ieee80211_vif_is_mld(vif: &sdata->vif)) {
9393	eth_zero_addr(addr: sdata->deflink.u.mgd.bssid);
9394	ieee80211_link_info_change_notify(sdata, link: &sdata->deflink,
9395	changed: BSS_CHANGED_BSSID);
9396	ieee80211_link_release_channel(link: &sdata->deflink);
9397	}
9398	ifmgd->auth_data = NULL;
9399	kfree(objp: auth_data);
9400	return err;
9401	}
9402
9403	static void
9404	ieee80211_setup_assoc_link(struct ieee80211_sub_if_data *sdata,
9405	struct ieee80211_mgd_assoc_data *assoc_data,
9406	struct cfg80211_assoc_request *req,
9407	struct ieee80211_conn_settings *conn,
9408	unsigned int link_id)
9409	{
9410	struct ieee80211_local *local = sdata->local;
9411	const struct cfg80211_bss_ies *bss_ies;
9412	struct ieee80211_supported_band *sband;
9413	struct ieee80211_link_data *link;
9414	struct cfg80211_bss *cbss;
9415	struct ieee80211_bss *bss;
9416
9417	cbss = assoc_data->link[link_id].bss;
9418	if (WARN_ON(!cbss))
9419	return;
9420
9421	bss = (void *)cbss->priv;
9422
9423	sband = local->hw.wiphy->bands[cbss->channel->band];
9424	if (WARN_ON(!sband))
9425	return;
9426
9427	link = sdata_dereference(sdata->link[link_id], sdata);
9428	if (WARN_ON(!link))
9429	return;
9430
9431	/* for MLO connections assume advertising all rates is OK */
9432	if (!req->ap_mld_addr) {
9433	assoc_data->supp_rates = bss->supp_rates;
9434	assoc_data->supp_rates_len = bss->supp_rates_len;
9435	}
9436
9437	/* copy and link elems for the STA profile */
9438	if (req->links[link_id].elems_len) {
9439	memcpy(assoc_data->ie_pos, req->links[link_id].elems,
9440	req->links[link_id].elems_len);
9441	assoc_data->link[link_id].elems = assoc_data->ie_pos;
9442	assoc_data->link[link_id].elems_len = req->links[link_id].elems_len;
9443	assoc_data->ie_pos += req->links[link_id].elems_len;
9444	}
9445
9446	link->u.mgd.beacon_crc_valid = false;
9447	link->u.mgd.dtim_period = 0;
9448	link->u.mgd.have_beacon = false;
9449
9450	/* override HT configuration only if the AP and we support it */
9451	if (conn->mode >= IEEE80211_CONN_MODE_HT) {
9452	struct ieee80211_sta_ht_cap sta_ht_cap;
9453
9454	memcpy(&sta_ht_cap, &sband->ht_cap, sizeof(sta_ht_cap));
9455	ieee80211_apply_htcap_overrides(sdata, ht_cap: &sta_ht_cap);
9456	}
9457
9458	rcu_read_lock();
9459	bss_ies = rcu_dereference(cbss->beacon_ies);
9460	if (bss_ies) {
9461	u8 dtim_count = 0;
9462
9463	ieee80211_get_dtim(ies: bss_ies, dtim_count: &dtim_count,
9464	dtim_period: &link->u.mgd.dtim_period);
9465
9466	sdata->deflink.u.mgd.have_beacon = true;
9467
9468	if (ieee80211_hw_check(&local->hw, TIMING_BEACON_ONLY)) {
9469	link->conf->sync_tsf = bss_ies->tsf;
9470	link->conf->sync_device_ts = bss->device_ts_beacon;
9471	link->conf->sync_dtim_count = dtim_count;
9472	}
9473	} else {
9474	bss_ies = rcu_dereference(cbss->ies);
9475	}
9476
9477	if (bss_ies) {
9478	const struct element *elem;
9479
9480	elem = cfg80211_find_ext_elem(ext_eid: WLAN_EID_EXT_MULTIPLE_BSSID_CONFIGURATION,
9481	ies: bss_ies->data, len: bss_ies->len);
9482	if (elem && elem->datalen >= 3)
9483	link->conf->profile_periodicity = elem->data[2];
9484	else
9485	link->conf->profile_periodicity = 0;
9486
9487	elem = cfg80211_find_elem(eid: WLAN_EID_EXT_CAPABILITY,
9488	ies: bss_ies->data, len: bss_ies->len);
9489	if (elem && elem->datalen >= 11 &&
9490	(elem->data[10] & WLAN_EXT_CAPA11_EMA_SUPPORT))
9491	link->conf->ema_ap = true;
9492	else
9493	link->conf->ema_ap = false;
9494	}
9495	rcu_read_unlock();
9496
9497	if (bss->corrupt_data) {
9498	char *corrupt_type = "data";
9499
9500	if (bss->corrupt_data & IEEE80211_BSS_CORRUPT_BEACON) {
9501	if (bss->corrupt_data & IEEE80211_BSS_CORRUPT_PROBE_RESP)
9502	corrupt_type = "beacon and probe response";
9503	else
9504	corrupt_type = "beacon";
9505	} else if (bss->corrupt_data & IEEE80211_BSS_CORRUPT_PROBE_RESP) {
9506	corrupt_type = "probe response";
9507	}
9508	sdata_info(sdata, "associating to AP %pM with corrupt %s\n",
9509	cbss->bssid, corrupt_type);
9510	}
9511
9512	if (link->u.mgd.req_smps == IEEE80211_SMPS_AUTOMATIC) {
9513	if (sdata->u.mgd.powersave)
9514	link->smps_mode = IEEE80211_SMPS_DYNAMIC;
9515	else
9516	link->smps_mode = IEEE80211_SMPS_OFF;
9517	} else {
9518	link->smps_mode = link->u.mgd.req_smps;
9519	}
9520	}
9521
9522	static int
9523	ieee80211_mgd_get_ap_ht_vht_capa(struct ieee80211_sub_if_data *sdata,
9524	struct ieee80211_mgd_assoc_data *assoc_data,
9525	int link_id)
9526	{
9527	struct cfg80211_bss *cbss = assoc_data->link[link_id].bss;
9528	enum nl80211_band band = cbss->channel->band;
9529	struct ieee80211_supported_band *sband;
9530	const struct element *elem;
9531	int err;
9532
9533	/* neither HT nor VHT elements used on 6 GHz */
9534	if (band == NL80211_BAND_6GHZ)
9535	return 0;
9536
9537	if (assoc_data->link[link_id].conn.mode < IEEE80211_CONN_MODE_HT)
9538	return 0;
9539
9540	rcu_read_lock();
9541	elem = ieee80211_bss_get_elem(bss: cbss, id: WLAN_EID_HT_OPERATION);
9542	if (!elem || elem->datalen < sizeof(struct ieee80211_ht_operation)) {
9543	mlme_link_id_dbg(sdata, link_id, "no HT operation on BSS %pM\n",
9544	cbss->bssid);
9545	err = -EINVAL;
9546	goto out_rcu;
9547	}
9548	assoc_data->link[link_id].ap_ht_param =
9549	((struct ieee80211_ht_operation *)(elem->data))->ht_param;
9550	rcu_read_unlock();
9551
9552	if (assoc_data->link[link_id].conn.mode < IEEE80211_CONN_MODE_VHT)
9553	return 0;
9554
9555	/* some drivers want to support VHT on 2.4 GHz even */
9556	sband = sdata->local->hw.wiphy->bands[band];
9557	if (!sband->vht_cap.vht_supported)
9558	return 0;
9559
9560	rcu_read_lock();
9561	elem = ieee80211_bss_get_elem(bss: cbss, id: WLAN_EID_VHT_CAPABILITY);
9562	/* but even then accept it not being present on the AP */
9563	if (!elem && band == NL80211_BAND_2GHZ) {
9564	err = 0;
9565	goto out_rcu;
9566	}
9567	if (!elem || elem->datalen < sizeof(struct ieee80211_vht_cap)) {
9568	mlme_link_id_dbg(sdata, link_id, "no VHT capa on BSS %pM\n",
9569	cbss->bssid);
9570	err = -EINVAL;
9571	goto out_rcu;
9572	}
9573	memcpy(&assoc_data->link[link_id].ap_vht_cap, elem->data,
9574	sizeof(struct ieee80211_vht_cap));
9575	rcu_read_unlock();
9576
9577	return 0;
9578	out_rcu:
9579	rcu_read_unlock();
9580	return err;
9581	}
9582
9583	static bool
9584	ieee80211_mgd_assoc_bss_has_mld_ext_capa_ops(struct cfg80211_assoc_request *req)
9585	{
9586	const struct cfg80211_bss_ies *ies;
9587	struct cfg80211_bss *bss;
9588	const struct element *ml;
9589
9590	/* not an MLO connection if link_id < 0, so irrelevant */
9591	if (req->link_id < 0)
9592	return false;
9593
9594	bss = req->links[req->link_id].bss;
9595
9596	guard(rcu)();
9597	ies = rcu_dereference(bss->ies);
9598	for_each_element_extid(ml, WLAN_EID_EXT_EHT_MULTI_LINK,
9599	ies->data, ies->len) {
9600	const struct ieee80211_multi_link_elem *mle;
9601
9602	if (!ieee80211_mle_type_ok(data: ml->data + 1,
9603	IEEE80211_ML_CONTROL_TYPE_BASIC,
9604	len: ml->datalen - 1))
9605	continue;
9606
9607	mle = (void *)(ml->data + 1);
9608	if (mle->control & cpu_to_le16(IEEE80211_MLC_BASIC_PRES_EXT_MLD_CAPA_OP))
9609	return true;
9610	}
9611
9612	return false;
9613
9614	}
9615
9616	int ieee80211_mgd_assoc(struct ieee80211_sub_if_data *sdata,
9617	struct cfg80211_assoc_request *req)
9618	{
9619	unsigned int assoc_link_id = req->link_id < 0 ? 0 : req->link_id;
9620	struct ieee80211_local *local = sdata->local;
9621	struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
9622	struct ieee80211_mgd_assoc_data *assoc_data;
9623	const struct element *ssid_elem;
9624	struct ieee80211_vif_cfg *vif_cfg = &sdata->vif.cfg;
9625	struct ieee80211_link_data *link;
9626	struct cfg80211_bss *cbss;
9627	bool override, uapsd_supported;
9628	bool match_auth;
9629	int i, err;
9630	size_t size = sizeof(*assoc_data) + req->ie_len;
9631
9632	for (i = 0; i < IEEE80211_MLD_MAX_NUM_LINKS; i++)
9633	size += req->links[i].elems_len;
9634
9635	/* FIXME: no support for 4-addr MLO yet */
9636	if (sdata->u.mgd.use_4addr && req->link_id >= 0)
9637	return -EOPNOTSUPP;
9638
9639	assoc_data = kzalloc(size, GFP_KERNEL);
9640	if (!assoc_data)
9641	return -ENOMEM;
9642
9643	cbss = req->link_id < 0 ? req->bss : req->links[req->link_id].bss;
9644
9645	if (ieee80211_mgd_csa_in_process(sdata, bss: cbss)) {
9646	sdata_info(sdata, "AP is in CSA process, reject assoc\n");
9647	err = -EINVAL;
9648	goto err_free;
9649	}
9650
9651	rcu_read_lock();
9652	ssid_elem = ieee80211_bss_get_elem(bss: cbss, id: WLAN_EID_SSID);
9653	if (!ssid_elem || ssid_elem->datalen > sizeof(assoc_data->ssid)) {
9654	rcu_read_unlock();
9655	err = -EINVAL;
9656	goto err_free;
9657	}
9658
9659	memcpy(assoc_data->ssid, ssid_elem->data, ssid_elem->datalen);
9660	assoc_data->ssid_len = ssid_elem->datalen;
9661	rcu_read_unlock();
9662
9663	if (req->ap_mld_addr)
9664	memcpy(assoc_data->ap_addr, req->ap_mld_addr, ETH_ALEN);
9665	else
9666	memcpy(assoc_data->ap_addr, cbss->bssid, ETH_ALEN);
9667
9668	/*
9669	* Many APs have broken parsing of the extended MLD capa/ops field,
9670	* dropping (re-)association request frames or replying with association
9671	* response with a failure status if it's present.
9672	* Set our value from the userspace request only in strict mode or if
9673	* the AP also had that field present.
9674	*/
9675	if (ieee80211_hw_check(&local->hw, STRICT) ||
9676	ieee80211_mgd_assoc_bss_has_mld_ext_capa_ops(req))
9677	assoc_data->ext_mld_capa_ops =
9678	cpu_to_le16(req->ext_mld_capa_ops);
9679
9680	if (ifmgd->associated) {
9681	u8 frame_buf[IEEE80211_DEAUTH_FRAME_LEN];
9682
9683	sdata_info(sdata,
9684	"disconnect from AP %pM for new assoc to %pM\n",
9685	sdata->vif.cfg.ap_addr, assoc_data->ap_addr);
9686	ieee80211_set_disassoc(sdata, IEEE80211_STYPE_DEAUTH,
9687	reason: WLAN_REASON_UNSPECIFIED,
9688	tx: false, frame_buf);
9689
9690	ieee80211_report_disconnect(sdata, buf: frame_buf,
9691	len: sizeof(frame_buf), tx: true,
9692	reason: WLAN_REASON_UNSPECIFIED,
9693	reconnect: false);
9694	}
9695
9696	memset(sdata->u.mgd.userspace_selectors, 0,
9697	sizeof(sdata->u.mgd.userspace_selectors));
9698	ieee80211_parse_cfg_selectors(userspace_selectors: sdata->u.mgd.userspace_selectors,
9699	supported_selectors: req->supported_selectors,
9700	supported_selectors_len: req->supported_selectors_len);
9701
9702	memcpy(&ifmgd->ht_capa, &req->ht_capa, sizeof(ifmgd->ht_capa));
9703	memcpy(&ifmgd->ht_capa_mask, &req->ht_capa_mask,
9704	sizeof(ifmgd->ht_capa_mask));
9705
9706	memcpy(&ifmgd->vht_capa, &req->vht_capa, sizeof(ifmgd->vht_capa));
9707	memcpy(&ifmgd->vht_capa_mask, &req->vht_capa_mask,
9708	sizeof(ifmgd->vht_capa_mask));
9709
9710	memcpy(&ifmgd->s1g_capa, &req->s1g_capa, sizeof(ifmgd->s1g_capa));
9711	memcpy(&ifmgd->s1g_capa_mask, &req->s1g_capa_mask,
9712	sizeof(ifmgd->s1g_capa_mask));
9713
9714	/* keep some setup (AP STA, channel, ...) if matching */
9715	match_auth = ifmgd->auth_data &&
9716	ether_addr_equal(addr1: ifmgd->auth_data->ap_addr,
9717	addr2: assoc_data->ap_addr) &&
9718	ifmgd->auth_data->link_id == req->link_id;
9719
9720	if (req->ap_mld_addr) {
9721	uapsd_supported = true;
9722
9723	if (req->flags & (ASSOC_REQ_DISABLE_HT |
9724	ASSOC_REQ_DISABLE_VHT |
9725	ASSOC_REQ_DISABLE_HE |
9726	ASSOC_REQ_DISABLE_EHT)) {
9727	err = -EINVAL;
9728	goto err_free;
9729	}
9730
9731	for (i = 0; i < IEEE80211_MLD_MAX_NUM_LINKS; i++) {
9732	struct ieee80211_supported_band *sband;
9733	struct cfg80211_bss *link_cbss = req->links[i].bss;
9734	struct ieee80211_bss *bss;
9735
9736	if (!link_cbss)
9737	continue;
9738
9739	bss = (void *)link_cbss->priv;
9740
9741	if (!bss->wmm_used) {
9742	err = -EINVAL;
9743	req->links[i].error = err;
9744	goto err_free;
9745	}
9746
9747	if (link_cbss->channel->band == NL80211_BAND_S1GHZ) {
9748	err = -EINVAL;
9749	req->links[i].error = err;
9750	goto err_free;
9751	}
9752
9753	link = sdata_dereference(sdata->link[i], sdata);
9754	if (link)
9755	ether_addr_copy(dst: assoc_data->link[i].addr,
9756	src: link->conf->addr);
9757	else
9758	eth_random_addr(addr: assoc_data->link[i].addr);
9759	sband = local->hw.wiphy->bands[link_cbss->channel->band];
9760
9761	if (match_auth && i == assoc_link_id && link)
9762	assoc_data->link[i].conn = link->u.mgd.conn;
9763	else
9764	assoc_data->link[i].conn =
9765	ieee80211_conn_settings_unlimited;
9766	ieee80211_determine_our_sta_mode_assoc(sdata, sband,
9767	req, wmm_used: true, link_id: i,
9768	conn: &assoc_data->link[i].conn);
9769	assoc_data->link[i].bss = link_cbss;
9770
9771	if (!bss->uapsd_supported)
9772	uapsd_supported = false;
9773
9774	if (assoc_data->link[i].conn.mode < IEEE80211_CONN_MODE_EHT) {
9775	err = -EINVAL;
9776	req->links[i].error = err;
9777	goto err_free;
9778	}
9779
9780	err = ieee80211_mgd_get_ap_ht_vht_capa(sdata,
9781	assoc_data, link_id: i);
9782	if (err) {
9783	err = -EINVAL;
9784	req->links[i].error = err;
9785	goto err_free;
9786	}
9787	}
9788
9789	assoc_data->wmm = true;
9790	} else {
9791	struct ieee80211_supported_band *sband;
9792	struct ieee80211_bss *bss = (void *)cbss->priv;
9793
9794	memcpy(assoc_data->link[0].addr, sdata->vif.addr, ETH_ALEN);
9795	assoc_data->s1g = cbss->channel->band == NL80211_BAND_S1GHZ;
9796
9797	assoc_data->wmm = bss->wmm_used &&
9798	(local->hw.queues >= IEEE80211_NUM_ACS);
9799
9800	if (cbss->channel->band == NL80211_BAND_6GHZ &&
9801	req->flags & (ASSOC_REQ_DISABLE_HT |
9802	ASSOC_REQ_DISABLE_VHT |
9803	ASSOC_REQ_DISABLE_HE)) {
9804	err = -EINVAL;
9805	goto err_free;
9806	}
9807
9808	sband = local->hw.wiphy->bands[cbss->channel->band];
9809
9810	assoc_data->link[0].bss = cbss;
9811
9812	if (match_auth)
9813	assoc_data->link[0].conn = sdata->deflink.u.mgd.conn;
9814	else
9815	assoc_data->link[0].conn =
9816	ieee80211_conn_settings_unlimited;
9817	ieee80211_determine_our_sta_mode_assoc(sdata, sband, req,
9818	wmm_used: assoc_data->wmm, link_id: 0,
9819	conn: &assoc_data->link[0].conn);
9820
9821	uapsd_supported = bss->uapsd_supported;
9822
9823	err = ieee80211_mgd_get_ap_ht_vht_capa(sdata, assoc_data, link_id: 0);
9824	if (err)
9825	goto err_free;
9826	}
9827
9828	assoc_data->spp_amsdu = req->flags & ASSOC_REQ_SPP_AMSDU;
9829
9830	if (ifmgd->auth_data && !ifmgd->auth_data->done) {
9831	err = -EBUSY;
9832	goto err_free;
9833	}
9834
9835	if (ifmgd->assoc_data) {
9836	err = -EBUSY;
9837	goto err_free;
9838	}
9839
9840	/* Cleanup is delayed if auth_data matches */
9841	if (ifmgd->auth_data && !match_auth)
9842	ieee80211_destroy_auth_data(sdata, assoc: false);
9843
9844	if (req->ie && req->ie_len) {
9845	memcpy(assoc_data->ie, req->ie, req->ie_len);
9846	assoc_data->ie_len = req->ie_len;
9847	assoc_data->ie_pos = assoc_data->ie + assoc_data->ie_len;
9848	} else {
9849	assoc_data->ie_pos = assoc_data->ie;
9850	}
9851
9852	if (req->fils_kek) {
9853	/* should already be checked in cfg80211 - so warn */
9854	if (WARN_ON(req->fils_kek_len > FILS_MAX_KEK_LEN)) {
9855	err = -EINVAL;
9856	goto err_free;
9857	}
9858	memcpy(assoc_data->fils_kek, req->fils_kek,
9859	req->fils_kek_len);
9860	assoc_data->fils_kek_len = req->fils_kek_len;
9861	}
9862
9863	if (req->fils_nonces)
9864	memcpy(assoc_data->fils_nonces, req->fils_nonces,
9865	2 * FILS_NONCE_LEN);
9866
9867	/* default timeout */
9868	assoc_data->timeout = jiffies;
9869	assoc_data->timeout_started = true;
9870
9871	assoc_data->assoc_link_id = assoc_link_id;
9872
9873	if (req->ap_mld_addr) {
9874	/* if there was no authentication, set up the link */
9875	err = ieee80211_vif_set_links(sdata, BIT(assoc_link_id), dormant_links: 0);
9876	if (err)
9877	goto err_clear;
9878	}
9879
9880	link = sdata_dereference(sdata->link[assoc_link_id], sdata);
9881	if (WARN_ON(!link)) {
9882	err = -EINVAL;
9883	goto err_clear;
9884	}
9885
9886	override = link->u.mgd.conn.mode !=
9887	assoc_data->link[assoc_link_id].conn.mode ||
9888	link->u.mgd.conn.bw_limit !=
9889	assoc_data->link[assoc_link_id].conn.bw_limit;
9890	link->u.mgd.conn = assoc_data->link[assoc_link_id].conn;
9891
9892	ieee80211_setup_assoc_link(sdata, assoc_data, req, conn: &link->u.mgd.conn,
9893	link_id: assoc_link_id);
9894
9895	if (WARN((sdata->vif.driver_flags & IEEE80211_VIF_SUPPORTS_UAPSD) &&
9896	ieee80211_hw_check(&local->hw, PS_NULLFUNC_STACK),
9897	"U-APSD not supported with HW_PS_NULLFUNC_STACK\n"))
9898	sdata->vif.driver_flags &= ~IEEE80211_VIF_SUPPORTS_UAPSD;
9899
9900	if (assoc_data->wmm && uapsd_supported &&
9901	(sdata->vif.driver_flags & IEEE80211_VIF_SUPPORTS_UAPSD)) {
9902	assoc_data->uapsd = true;
9903	ifmgd->flags |= IEEE80211_STA_UAPSD_ENABLED;
9904	} else {
9905	assoc_data->uapsd = false;
9906	ifmgd->flags &= ~IEEE80211_STA_UAPSD_ENABLED;
9907	}
9908
9909	if (req->prev_bssid)
9910	memcpy(assoc_data->prev_ap_addr, req->prev_bssid, ETH_ALEN);
9911
9912	if (req->use_mfp) {
9913	ifmgd->mfp = IEEE80211_MFP_REQUIRED;
9914	ifmgd->flags |= IEEE80211_STA_MFP_ENABLED;
9915	} else {
9916	ifmgd->mfp = IEEE80211_MFP_DISABLED;
9917	ifmgd->flags &= ~IEEE80211_STA_MFP_ENABLED;
9918	}
9919
9920	if (req->flags & ASSOC_REQ_USE_RRM)
9921	ifmgd->flags |= IEEE80211_STA_ENABLE_RRM;
9922	else
9923	ifmgd->flags &= ~IEEE80211_STA_ENABLE_RRM;
9924
9925	if (req->crypto.control_port)
9926	ifmgd->flags |= IEEE80211_STA_CONTROL_PORT;
9927	else
9928	ifmgd->flags &= ~IEEE80211_STA_CONTROL_PORT;
9929
9930	sdata->control_port_protocol = req->crypto.control_port_ethertype;
9931	sdata->control_port_no_encrypt = req->crypto.control_port_no_encrypt;
9932	sdata->control_port_over_nl80211 =
9933	req->crypto.control_port_over_nl80211;
9934	sdata->control_port_no_preauth = req->crypto.control_port_no_preauth;
9935
9936	/* kick off associate process */
9937	ifmgd->assoc_data = assoc_data;
9938
9939	for (i = 0; i < ARRAY_SIZE(assoc_data->link); i++) {
9940	if (!assoc_data->link[i].bss)
9941	continue;
9942	if (i == assoc_data->assoc_link_id)
9943	continue;
9944	/* only calculate the mode, hence link == NULL */
9945	err = ieee80211_prep_channel(sdata, NULL, link_id: i,
9946	cbss: assoc_data->link[i].bss, mlo: true,
9947	conn: &assoc_data->link[i].conn,
9948	userspace_selectors: sdata->u.mgd.userspace_selectors);
9949	if (err) {
9950	req->links[i].error = err;
9951	goto err_clear;
9952	}
9953	}
9954
9955	memcpy(vif_cfg->ssid, assoc_data->ssid, assoc_data->ssid_len);
9956	vif_cfg->ssid_len = assoc_data->ssid_len;
9957
9958	/* needed for transmitting the assoc frames properly */
9959	memcpy(sdata->vif.cfg.ap_addr, assoc_data->ap_addr, ETH_ALEN);
9960
9961	err = ieee80211_prep_connection(sdata, cbss, link_id: req->link_id,
9962	ap_mld_addr: req->ap_mld_addr, assoc: true,
9963	conn: &assoc_data->link[assoc_link_id].conn,
9964	override,
9965	userspace_selectors: sdata->u.mgd.userspace_selectors);
9966	if (err)
9967	goto err_clear;
9968
9969	if (ieee80211_hw_check(&sdata->local->hw, NEED_DTIM_BEFORE_ASSOC)) {
9970	const struct cfg80211_bss_ies *beacon_ies;
9971
9972	rcu_read_lock();
9973	beacon_ies = rcu_dereference(req->bss->beacon_ies);
9974	if (!beacon_ies) {
9975	/*
9976	* Wait up to one beacon interval ...
9977	* should this be more if we miss one?
9978	*/
9979	sdata_info(sdata, "waiting for beacon from %pM\n",
9980	link->u.mgd.bssid);
9981	assoc_data->timeout = TU_TO_EXP_TIME(req->bss->beacon_interval);
9982	assoc_data->timeout_started = true;
9983	assoc_data->need_beacon = true;
9984	}
9985	rcu_read_unlock();
9986	}
9987
9988	run_again(sdata, timeout: assoc_data->timeout);
9989
9990	/* We are associating, clean up auth_data */
9991	if (ifmgd->auth_data)
9992	ieee80211_destroy_auth_data(sdata, assoc: true);
9993
9994	return 0;
9995	err_clear:
9996	if (!ifmgd->auth_data) {
9997	eth_zero_addr(addr: sdata->deflink.u.mgd.bssid);
9998	ieee80211_link_info_change_notify(sdata, link: &sdata->deflink,
9999	changed: BSS_CHANGED_BSSID);
10000	}
10001	ifmgd->assoc_data = NULL;
10002	err_free:
10003	kfree(objp: assoc_data);
10004	return err;
10005	}
10006
10007	int ieee80211_mgd_deauth(struct ieee80211_sub_if_data *sdata,
10008	struct cfg80211_deauth_request *req)
10009	{
10010	struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
10011	u8 frame_buf[IEEE80211_DEAUTH_FRAME_LEN];
10012	bool tx = !req->local_state_change;
10013	struct ieee80211_prep_tx_info info = {
10014	.subtype = IEEE80211_STYPE_DEAUTH,
10015	};
10016
10017	if (ifmgd->auth_data &&
10018	ether_addr_equal(addr1: ifmgd->auth_data->ap_addr, addr2: req->bssid)) {
10019	sdata_info(sdata,
10020	"aborting authentication with %pM by local choice (Reason: %u=%s)\n",
10021	req->bssid, req->reason_code,
10022	ieee80211_get_reason_code_string(req->reason_code));
10023
10024	info.link_id = ifmgd->auth_data->link_id;
10025	drv_mgd_prepare_tx(local: sdata->local, sdata, info: &info);
10026	ieee80211_send_deauth_disassoc(sdata, da: req->bssid, bssid: req->bssid,
10027	IEEE80211_STYPE_DEAUTH,
10028	reason: req->reason_code, send_frame: tx,
10029	frame_buf);
10030	ieee80211_destroy_auth_data(sdata, assoc: false);
10031	ieee80211_report_disconnect(sdata, buf: frame_buf,
10032	len: sizeof(frame_buf), tx: true,
10033	reason: req->reason_code, reconnect: false);
10034	drv_mgd_complete_tx(local: sdata->local, sdata, info: &info);
10035	return 0;
10036	}
10037
10038	if (ifmgd->assoc_data &&
10039	ether_addr_equal(addr1: ifmgd->assoc_data->ap_addr, addr2: req->bssid)) {
10040	sdata_info(sdata,
10041	"aborting association with %pM by local choice (Reason: %u=%s)\n",
10042	req->bssid, req->reason_code,
10043	ieee80211_get_reason_code_string(req->reason_code));
10044
10045	info.link_id = ifmgd->assoc_data->assoc_link_id;
10046	drv_mgd_prepare_tx(local: sdata->local, sdata, info: &info);
10047	ieee80211_send_deauth_disassoc(sdata, da: req->bssid, bssid: req->bssid,
10048	IEEE80211_STYPE_DEAUTH,
10049	reason: req->reason_code, send_frame: tx,
10050	frame_buf);
10051	ieee80211_destroy_assoc_data(sdata, status: ASSOC_ABANDON);
10052	ieee80211_report_disconnect(sdata, buf: frame_buf,
10053	len: sizeof(frame_buf), tx: true,
10054	reason: req->reason_code, reconnect: false);
10055	drv_mgd_complete_tx(local: sdata->local, sdata, info: &info);
10056	return 0;
10057	}
10058
10059	if (ifmgd->associated &&
10060	ether_addr_equal(addr1: sdata->vif.cfg.ap_addr, addr2: req->bssid)) {
10061	sdata_info(sdata,
10062	"deauthenticating from %pM by local choice (Reason: %u=%s)\n",
10063	req->bssid, req->reason_code,
10064	ieee80211_get_reason_code_string(req->reason_code));
10065
10066	ieee80211_set_disassoc(sdata, IEEE80211_STYPE_DEAUTH,
10067	reason: req->reason_code, tx, frame_buf);
10068	ieee80211_report_disconnect(sdata, buf: frame_buf,
10069	len: sizeof(frame_buf), tx: true,
10070	reason: req->reason_code, reconnect: false);
10071	return 0;
10072	}
10073
10074	return -ENOTCONN;
10075	}
10076
10077	int ieee80211_mgd_disassoc(struct ieee80211_sub_if_data *sdata,
10078	struct cfg80211_disassoc_request *req)
10079	{
10080	u8 frame_buf[IEEE80211_DEAUTH_FRAME_LEN];
10081
10082	if (!sdata->u.mgd.associated ||
10083	memcmp(p: sdata->vif.cfg.ap_addr, q: req->ap_addr, ETH_ALEN))
10084	return -ENOTCONN;
10085
10086	sdata_info(sdata,
10087	"disassociating from %pM by local choice (Reason: %u=%s)\n",
10088	req->ap_addr, req->reason_code,
10089	ieee80211_get_reason_code_string(req->reason_code));
10090
10091	ieee80211_set_disassoc(sdata, IEEE80211_STYPE_DISASSOC,
10092	reason: req->reason_code, tx: !req->local_state_change,
10093	frame_buf);
10094
10095	ieee80211_report_disconnect(sdata, buf: frame_buf, len: sizeof(frame_buf), tx: true,
10096	reason: req->reason_code, reconnect: false);
10097
10098	return 0;
10099	}
10100
10101	void ieee80211_mgd_stop_link(struct ieee80211_link_data *link)
10102	{
10103	wiphy_work_cancel(wiphy: link->sdata->local->hw.wiphy,
10104	work: &link->u.mgd.request_smps_work);
10105	wiphy_work_cancel(wiphy: link->sdata->local->hw.wiphy,
10106	work: &link->u.mgd.recalc_smps);
10107	wiphy_hrtimer_work_cancel(wiphy: link->sdata->local->hw.wiphy,
10108	hrtimer: &link->u.mgd.csa.switch_work);
10109	}
10110
10111	void ieee80211_mgd_stop(struct ieee80211_sub_if_data *sdata)
10112	{
10113	struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
10114
10115	/*
10116	* Make sure some work items will not run after this,
10117	* they will not do anything but might not have been
10118	* cancelled when disconnecting.
10119	*/
10120	wiphy_work_cancel(wiphy: sdata->local->hw.wiphy,
10121	work: &ifmgd->monitor_work);
10122	wiphy_work_cancel(wiphy: sdata->local->hw.wiphy,
10123	work: &ifmgd->beacon_connection_loss_work);
10124	wiphy_work_cancel(wiphy: sdata->local->hw.wiphy,
10125	work: &ifmgd->csa_connection_drop_work);
10126	wiphy_delayed_work_cancel(wiphy: sdata->local->hw.wiphy,
10127	dwork: &ifmgd->tdls_peer_del_work);
10128
10129	if (ifmgd->assoc_data)
10130	ieee80211_destroy_assoc_data(sdata, status: ASSOC_TIMEOUT);
10131	if (ifmgd->auth_data)
10132	ieee80211_destroy_auth_data(sdata, assoc: false);
10133	spin_lock_bh(lock: &ifmgd->teardown_lock);
10134	if (ifmgd->teardown_skb) {
10135	kfree_skb(skb: ifmgd->teardown_skb);
10136	ifmgd->teardown_skb = NULL;
10137	ifmgd->orig_teardown_skb = NULL;
10138	}
10139	kfree(objp: ifmgd->assoc_req_ies);
10140	ifmgd->assoc_req_ies = NULL;
10141	ifmgd->assoc_req_ies_len = 0;
10142	spin_unlock_bh(lock: &ifmgd->teardown_lock);
10143	timer_delete_sync(timer: &ifmgd->timer);
10144	}
10145
10146	void ieee80211_cqm_rssi_notify(struct ieee80211_vif *vif,
10147	enum nl80211_cqm_rssi_threshold_event rssi_event,
10148	s32 rssi_level,
10149	gfp_t gfp)
10150	{
10151	struct ieee80211_sub_if_data *sdata = vif_to_sdata(p: vif);
10152
10153	trace_api_cqm_rssi_notify(sdata, rssi_event, rssi_level);
10154
10155	cfg80211_cqm_rssi_notify(dev: sdata->dev, rssi_event, rssi_level, gfp);
10156	}
10157	EXPORT_SYMBOL(ieee80211_cqm_rssi_notify);
10158
10159	void ieee80211_cqm_beacon_loss_notify(struct ieee80211_vif *vif, gfp_t gfp)
10160	{
10161	struct ieee80211_sub_if_data *sdata = vif_to_sdata(p: vif);
10162
10163	trace_api_cqm_beacon_loss_notify(local: sdata->local, sdata);
10164
10165	cfg80211_cqm_beacon_loss_notify(dev: sdata->dev, gfp);
10166	}
10167	EXPORT_SYMBOL(ieee80211_cqm_beacon_loss_notify);
10168
10169	static void _ieee80211_enable_rssi_reports(struct ieee80211_sub_if_data *sdata,
10170	int rssi_min_thold,
10171	int rssi_max_thold)
10172	{
10173	trace_api_enable_rssi_reports(sdata, rssi_min_thold, rssi_max_thold);
10174
10175	if (WARN_ON(sdata->vif.type != NL80211_IFTYPE_STATION))
10176	return;
10177
10178	/*
10179	* Scale up threshold values before storing it, as the RSSI averaging
10180	* algorithm uses a scaled up value as well. Change this scaling
10181	* factor if the RSSI averaging algorithm changes.
10182	*/
10183	sdata->u.mgd.rssi_min_thold = rssi_min_thold*16;
10184	sdata->u.mgd.rssi_max_thold = rssi_max_thold*16;
10185	}
10186
10187	void ieee80211_enable_rssi_reports(struct ieee80211_vif *vif,
10188	int rssi_min_thold,
10189	int rssi_max_thold)
10190	{
10191	struct ieee80211_sub_if_data *sdata = vif_to_sdata(p: vif);
10192
10193	WARN_ON(rssi_min_thold == rssi_max_thold ||
10194	rssi_min_thold > rssi_max_thold);
10195
10196	_ieee80211_enable_rssi_reports(sdata, rssi_min_thold,
10197	rssi_max_thold);
10198	}
10199	EXPORT_SYMBOL(ieee80211_enable_rssi_reports);
10200
10201	void ieee80211_disable_rssi_reports(struct ieee80211_vif *vif)
10202	{
10203	struct ieee80211_sub_if_data *sdata = vif_to_sdata(p: vif);
10204
10205	_ieee80211_enable_rssi_reports(sdata, rssi_min_thold: 0, rssi_max_thold: 0);
10206	}
10207	EXPORT_SYMBOL(ieee80211_disable_rssi_reports);
10208
10209	void ieee80211_process_ml_reconf_resp(struct ieee80211_sub_if_data *sdata,
10210	struct ieee80211_mgmt *mgmt, size_t len)
10211	{
10212	struct ieee80211_local *local = sdata->local;
10213	struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
10214	struct ieee80211_mgd_assoc_data *add_links_data =
10215	ifmgd->reconf.add_links_data;
10216	struct sta_info *sta;
10217	struct cfg80211_mlo_reconf_done_data done_data = {};
10218	u16 sta_changed_links = sdata->u.mgd.reconf.added_links |
10219	sdata->u.mgd.reconf.removed_links;
10220	u16 link_mask, valid_links;
10221	unsigned int link_id;
10222	size_t orig_len = len;
10223	u8 i, group_key_data_len;
10224	u8 *pos;
10225
10226	if (!ieee80211_vif_is_mld(vif: &sdata->vif) ||
10227	len < offsetofend(typeof(*mgmt), u.action.u.ml_reconf_resp) ||
10228	mgmt->u.action.u.ml_reconf_resp.dialog_token !=
10229	sdata->u.mgd.reconf.dialog_token ||
10230	!sta_changed_links)
10231	return;
10232
10233	pos = mgmt->u.action.u.ml_reconf_resp.variable;
10234	len -= offsetofend(typeof(*mgmt), u.action.u.ml_reconf_resp);
10235
10236	/* each status duple is 3 octets */
10237	if (len < mgmt->u.action.u.ml_reconf_resp.count * 3) {
10238	sdata_info(sdata,
10239	"mlo: reconf: unexpected len=%zu, count=%u\n",
10240	len, mgmt->u.action.u.ml_reconf_resp.count);
10241	goto disconnect;
10242	}
10243
10244	link_mask = sta_changed_links;
10245	for (i = 0; i < mgmt->u.action.u.ml_reconf_resp.count; i++) {
10246	u16 status = get_unaligned_le16(p: pos + 1);
10247
10248	link_id = *pos;
10249
10250	if (!(link_mask & BIT(link_id))) {
10251	sdata_info(sdata,
10252	"mlo: reconf: unexpected link: %u, changed=0x%x\n",
10253	link_id, sta_changed_links);
10254	goto disconnect;
10255	}
10256
10257	/* clear the corresponding link, to detect the case that
10258	* the same link was included more than one time
10259	*/
10260	link_mask &= ~BIT(link_id);
10261
10262	/* Handle failure to remove links here. Failure to remove added
10263	* links will be done later in the flow.
10264	*/
10265	if (status != WLAN_STATUS_SUCCESS) {
10266	sdata_info(sdata,
10267	"mlo: reconf: failed on link=%u, status=%u\n",
10268	link_id, status);
10269
10270	/* The AP MLD failed to remove a link that was already
10271	* removed locally. As this is not expected behavior,
10272	* disconnect
10273	*/
10274	if (sdata->u.mgd.reconf.removed_links & BIT(link_id))
10275	goto disconnect;
10276
10277	/* The AP MLD failed to add a link. Remove it from the
10278	* added links.
10279	*/
10280	sdata->u.mgd.reconf.added_links &= ~BIT(link_id);
10281	}
10282
10283	pos += 3;
10284	len -= 3;
10285	}
10286
10287	if (link_mask) {
10288	sdata_info(sdata,
10289	"mlo: reconf: no response for links=0x%x\n",
10290	link_mask);
10291	goto disconnect;
10292	}
10293
10294	if (!sdata->u.mgd.reconf.added_links)
10295	goto out;
10296
10297	if (len < 1 || len < 1 + *pos) {
10298	sdata_info(sdata,
10299	"mlo: reconf: invalid group key data length");
10300	goto disconnect;
10301	}
10302
10303	/* The Group Key Data field must be present when links are added. This
10304	* field should be processed by userland.
10305	*/
10306	group_key_data_len = *pos++;
10307
10308	pos += group_key_data_len;
10309	len -= group_key_data_len + 1;
10310
10311	/* Process the information for the added links */
10312	sta = sta_info_get(sdata, addr: sdata->vif.cfg.ap_addr);
10313	if (WARN_ON(!sta))
10314	goto disconnect;
10315
10316	valid_links = sdata->vif.valid_links;
10317	for (link_id = 0; link_id < IEEE80211_MLD_MAX_NUM_LINKS; link_id++) {
10318	if (!add_links_data->link[link_id].bss ||
10319	!(sdata->u.mgd.reconf.added_links & BIT(link_id)))
10320	continue;
10321
10322	valid_links |= BIT(link_id);
10323	if (ieee80211_sta_allocate_link(sta, link_id))
10324	goto disconnect;
10325	}
10326
10327	ieee80211_vif_set_links(sdata, new_links: valid_links, dormant_links: sdata->vif.dormant_links);
10328	link_mask = 0;
10329	for (link_id = 0; link_id < IEEE80211_MLD_MAX_NUM_LINKS; link_id++) {
10330	struct cfg80211_bss *cbss = add_links_data->link[link_id].bss;
10331	struct ieee80211_link_data *link;
10332	struct link_sta_info *link_sta;
10333	u64 changed = 0;
10334
10335	if (!cbss)
10336	continue;
10337
10338	link = sdata_dereference(sdata->link[link_id], sdata);
10339	if (WARN_ON(!link))
10340	goto disconnect;
10341
10342	link_info(link,
10343	"mlo: reconf: local address %pM, AP link address %pM\n",
10344	add_links_data->link[link_id].addr,
10345	add_links_data->link[link_id].bss->bssid);
10346
10347	link_sta = rcu_dereference_protected(sta->link[link_id],
10348	lockdep_is_held(&local->hw.wiphy->mtx));
10349	if (WARN_ON(!link_sta))
10350	goto disconnect;
10351
10352	if (!link->u.mgd.have_beacon) {
10353	const struct cfg80211_bss_ies *ies;
10354
10355	rcu_read_lock();
10356	ies = rcu_dereference(cbss->beacon_ies);
10357	if (ies)
10358	link->u.mgd.have_beacon = true;
10359	else
10360	ies = rcu_dereference(cbss->ies);
10361	ieee80211_get_dtim(ies,
10362	dtim_count: &link->conf->sync_dtim_count,
10363	dtim_period: &link->u.mgd.dtim_period);
10364	link->conf->beacon_int = cbss->beacon_interval;
10365	rcu_read_unlock();
10366	}
10367
10368	link->conf->dtim_period = link->u.mgd.dtim_period ?: 1;
10369
10370	link->u.mgd.conn = add_links_data->link[link_id].conn;
10371	if (ieee80211_prep_channel(sdata, link, link_id, cbss,
10372	mlo: true, conn: &link->u.mgd.conn,
10373	userspace_selectors: sdata->u.mgd.userspace_selectors)) {
10374	link_info(link, "mlo: reconf: prep_channel failed\n");
10375	goto disconnect;
10376	}
10377
10378	if (ieee80211_mgd_setup_link_sta(link, sta, link_sta,
10379	cbss: add_links_data->link[link_id].bss))
10380	goto disconnect;
10381
10382	if (!ieee80211_assoc_config_link(link, link_sta,
10383	cbss: add_links_data->link[link_id].bss,
10384	mgmt, elem_start: pos, elem_len: len,
10385	changed: &changed))
10386	goto disconnect;
10387
10388	/* The AP MLD indicated success for this link, but the station
10389	* profile status indicated otherwise. Since there is an
10390	* inconsistency in the ML reconfiguration response, disconnect
10391	*/
10392	if (add_links_data->link[link_id].status != WLAN_STATUS_SUCCESS)
10393	goto disconnect;
10394
10395	ieee80211_sta_init_nss(link_sta);
10396	if (ieee80211_sta_activate_link(sta, link_id))
10397	goto disconnect;
10398
10399	changed |= ieee80211_link_set_associated(link, cbss);
10400	ieee80211_link_info_change_notify(sdata, link, changed);
10401
10402	ieee80211_recalc_smps(sdata, link);
10403	link_mask |= BIT(link_id);
10404	}
10405
10406	sdata_info(sdata,
10407	"mlo: reconf: current valid_links=0x%x, added=0x%x\n",
10408	valid_links, link_mask);
10409
10410	/* links might have changed due to rejected ones, set them again */
10411	ieee80211_vif_set_links(sdata, new_links: valid_links, dormant_links: sdata->vif.dormant_links);
10412	ieee80211_vif_cfg_change_notify(sdata, changed: BSS_CHANGED_MLD_VALID_LINKS);
10413
10414	ieee80211_recalc_ps(local);
10415	ieee80211_recalc_ps_vif(sdata);
10416
10417	done_data.buf = (const u8 *)mgmt;
10418	done_data.len = orig_len;
10419	done_data.added_links = link_mask;
10420
10421	for (link_id = 0; link_id < IEEE80211_MLD_MAX_NUM_LINKS; link_id++) {
10422	done_data.links[link_id].bss = add_links_data->link[link_id].bss;
10423	done_data.links[link_id].addr =
10424	add_links_data->link[link_id].addr;
10425	}
10426
10427	cfg80211_mlo_reconf_add_done(dev: sdata->dev, data: &done_data);
10428	kfree(objp: sdata->u.mgd.reconf.add_links_data);
10429	sdata->u.mgd.reconf.add_links_data = NULL;
10430	out:
10431	ieee80211_ml_reconf_reset(sdata);
10432	return;
10433
10434	disconnect:
10435	__ieee80211_disconnect(sdata);
10436	}
10437
10438	static struct sk_buff *
10439	ieee80211_build_ml_reconf_req(struct ieee80211_sub_if_data *sdata,
10440	struct ieee80211_mgd_assoc_data *add_links_data,
10441	u16 removed_links, __le16 ext_mld_capa_ops)
10442	{
10443	struct ieee80211_local *local = sdata->local;
10444	struct ieee80211_mgmt *mgmt;
10445	struct ieee80211_multi_link_elem *ml_elem;
10446	struct ieee80211_mle_basic_common_info *common;
10447	enum nl80211_iftype iftype = ieee80211_vif_type_p2p(vif: &sdata->vif);
10448	struct sk_buff *skb;
10449	size_t size;
10450	unsigned int link_id;
10451	__le16 eml_capa = 0, mld_capa_ops = 0;
10452	struct ieee80211_tx_info *info;
10453	u8 common_size, var_common_size;
10454	u8 *ml_elem_len;
10455	u16 capab = 0;
10456
10457	size = local->hw.extra_tx_headroom + sizeof(*mgmt);
10458
10459	/* Consider the maximal length of the reconfiguration ML element */
10460	size += sizeof(struct ieee80211_multi_link_elem);
10461
10462	/* The Basic ML element and the Reconfiguration ML element have the same
10463	* fixed common information fields in the context of ML reconfiguration
10464	* action frame. The AP MLD MAC address must always be present
10465	*/
10466	common_size = sizeof(*common);
10467
10468	/* when adding links, the MLD capabilities must be present */
10469	var_common_size = 0;
10470	if (add_links_data) {
10471	const struct wiphy_iftype_ext_capab *ift_ext_capa =
10472	cfg80211_get_iftype_ext_capa(wiphy: local->hw.wiphy,
10473	type: ieee80211_vif_type_p2p(vif: &sdata->vif));
10474
10475	if (ift_ext_capa) {
10476	eml_capa = cpu_to_le16(ift_ext_capa->eml_capabilities);
10477	mld_capa_ops =
10478	cpu_to_le16(ift_ext_capa->mld_capa_and_ops);
10479	}
10480
10481	/* MLD capabilities and operation */
10482	var_common_size += 2;
10483
10484	/* EML capabilities */
10485	if (eml_capa & cpu_to_le16((IEEE80211_EML_CAP_EMLSR_SUPP |
10486	IEEE80211_EML_CAP_EMLMR_SUPPORT)))
10487	var_common_size += 2;
10488	}
10489
10490	if (ext_mld_capa_ops)
10491	var_common_size += 2;
10492
10493	/* Add the common information length */
10494	size += common_size + var_common_size;
10495
10496	for (link_id = 0; link_id < IEEE80211_MLD_MAX_NUM_LINKS; link_id++) {
10497	struct cfg80211_bss *cbss;
10498	size_t elems_len;
10499
10500	if (removed_links & BIT(link_id)) {
10501	size += sizeof(struct ieee80211_mle_per_sta_profile) +
10502	ETH_ALEN;
10503	continue;
10504	}
10505
10506	if (!add_links_data || !add_links_data->link[link_id].bss)
10507	continue;
10508
10509	elems_len = add_links_data->link[link_id].elems_len;
10510	cbss = add_links_data->link[link_id].bss;
10511
10512	/* should be the same across all BSSes */
10513	if (cbss->capability & WLAN_CAPABILITY_PRIVACY)
10514	capab |= WLAN_CAPABILITY_PRIVACY;
10515
10516	size += 2 + sizeof(struct ieee80211_mle_per_sta_profile) +
10517	ETH_ALEN;
10518
10519	/* WMM */
10520	size += 9;
10521	size += ieee80211_link_common_elems_size(sdata, iftype, cbss,
10522	elems_len);
10523	}
10524
10525	skb = alloc_skb(size, GFP_KERNEL);
10526	if (!skb)
10527	return NULL;
10528
10529	skb_reserve(skb, len: local->hw.extra_tx_headroom);
10530	mgmt = skb_put_zero(skb, offsetofend(struct ieee80211_mgmt,
10531	u.action.u.ml_reconf_req));
10532
10533	/* Add the MAC header */
10534	mgmt->frame_control = cpu_to_le16(IEEE80211_FTYPE_MGMT |
10535	IEEE80211_STYPE_ACTION);
10536	memcpy(mgmt->da, sdata->vif.cfg.ap_addr, ETH_ALEN);
10537	memcpy(mgmt->sa, sdata->vif.addr, ETH_ALEN);
10538	memcpy(mgmt->bssid, sdata->vif.cfg.ap_addr, ETH_ALEN);
10539
10540	/* Add the action frame fixed fields */
10541	mgmt->u.action.category = WLAN_CATEGORY_PROTECTED_EHT;
10542	mgmt->u.action.u.ml_reconf_req.action_code =
10543	WLAN_PROTECTED_EHT_ACTION_LINK_RECONFIG_REQ;
10544
10545	/* allocate a dialog token and store it */
10546	sdata->u.mgd.reconf.dialog_token = ++sdata->u.mgd.dialog_token_alloc;
10547	mgmt->u.action.u.ml_reconf_req.dialog_token =
10548	sdata->u.mgd.reconf.dialog_token;
10549
10550	/* Add the ML reconfiguration element and the common information */
10551	skb_put_u8(skb, val: WLAN_EID_EXTENSION);
10552	ml_elem_len = skb_put(skb, len: 1);
10553	skb_put_u8(skb, val: WLAN_EID_EXT_EHT_MULTI_LINK);
10554	ml_elem = skb_put(skb, len: sizeof(*ml_elem));
10555	ml_elem->control =
10556	cpu_to_le16(IEEE80211_ML_CONTROL_TYPE_RECONF |
10557	IEEE80211_MLC_RECONF_PRES_MLD_MAC_ADDR);
10558	common = skb_put(skb, len: common_size);
10559	common->len = common_size + var_common_size;
10560	memcpy(common->mld_mac_addr, sdata->vif.addr, ETH_ALEN);
10561
10562	if (add_links_data) {
10563	if (eml_capa &
10564	cpu_to_le16((IEEE80211_EML_CAP_EMLSR_SUPP |
10565	IEEE80211_EML_CAP_EMLMR_SUPPORT))) {
10566	ml_elem->control |=
10567	cpu_to_le16(IEEE80211_MLC_RECONF_PRES_EML_CAPA);
10568	skb_put_data(skb, data: &eml_capa, len: sizeof(eml_capa));
10569	}
10570
10571	ml_elem->control |=
10572	cpu_to_le16(IEEE80211_MLC_RECONF_PRES_MLD_CAPA_OP);
10573
10574	skb_put_data(skb, data: &mld_capa_ops, len: sizeof(mld_capa_ops));
10575	}
10576
10577	if (ext_mld_capa_ops) {
10578	ml_elem->control |=
10579	cpu_to_le16(IEEE80211_MLC_RECONF_PRES_EXT_MLD_CAPA_OP);
10580	skb_put_data(skb, data: &ext_mld_capa_ops, len: sizeof(ext_mld_capa_ops));
10581	}
10582
10583	if (sdata->u.mgd.flags & IEEE80211_STA_ENABLE_RRM)
10584	capab |= WLAN_CAPABILITY_RADIO_MEASURE;
10585
10586	/* Add the per station profile */
10587	for (link_id = 0; link_id < IEEE80211_MLD_MAX_NUM_LINKS; link_id++) {
10588	u8 *subelem_len = NULL;
10589	u16 ctrl;
10590	const u8 *addr;
10591
10592	/* Skip links that are not changing */
10593	if (!(removed_links & BIT(link_id)) &&
10594	(!add_links_data || !add_links_data->link[link_id].bss))
10595	continue;
10596
10597	ctrl = link_id |
10598	IEEE80211_MLE_STA_RECONF_CONTROL_STA_MAC_ADDR_PRESENT;
10599
10600	if (removed_links & BIT(link_id)) {
10601	struct ieee80211_bss_conf *conf =
10602	sdata_dereference(sdata->vif.link_conf[link_id],
10603	sdata);
10604	if (!conf)
10605	continue;
10606
10607	addr = conf->addr;
10608	ctrl |= u16_encode_bits(IEEE80211_MLE_STA_RECONF_CONTROL_OPERATION_TYPE_DEL_LINK,
10609	IEEE80211_MLE_STA_RECONF_CONTROL_OPERATION_TYPE);
10610	} else {
10611	addr = add_links_data->link[link_id].addr;
10612	ctrl |= IEEE80211_MLE_STA_RECONF_CONTROL_COMPLETE_PROFILE |
10613	u16_encode_bits(IEEE80211_MLE_STA_RECONF_CONTROL_OPERATION_TYPE_ADD_LINK,
10614	IEEE80211_MLE_STA_RECONF_CONTROL_OPERATION_TYPE);
10615	}
10616
10617	skb_put_u8(skb, val: IEEE80211_MLE_SUBELEM_PER_STA_PROFILE);
10618	subelem_len = skb_put(skb, len: 1);
10619
10620	put_unaligned_le16(val: ctrl, p: skb_put(skb, len: sizeof(ctrl)));
10621	skb_put_u8(skb, val: 1 + ETH_ALEN);
10622	skb_put_data(skb, data: addr, ETH_ALEN);
10623
10624	if (!(removed_links & BIT(link_id))) {
10625	u16 link_present_elems[PRESENT_ELEMS_MAX] = {};
10626	size_t extra_used;
10627	void *capab_pos;
10628	u8 qos_info;
10629
10630	capab_pos = skb_put(skb, len: 2);
10631
10632	extra_used =
10633	ieee80211_add_link_elems(sdata, skb, capab: &capab, NULL,
10634	extra_elems: add_links_data->link[link_id].elems,
10635	extra_elems_len: add_links_data->link[link_id].elems_len,
10636	link_id, NULL,
10637	present_elems: link_present_elems,
10638	assoc_data: add_links_data);
10639
10640	if (add_links_data->link[link_id].elems)
10641	skb_put_data(skb,
10642	data: add_links_data->link[link_id].elems +
10643	extra_used,
10644	len: add_links_data->link[link_id].elems_len -
10645	extra_used);
10646	if (sdata->u.mgd.flags & IEEE80211_STA_UAPSD_ENABLED) {
10647	qos_info = sdata->u.mgd.uapsd_queues;
10648	qos_info |= (sdata->u.mgd.uapsd_max_sp_len <<
10649	IEEE80211_WMM_IE_STA_QOSINFO_SP_SHIFT);
10650	} else {
10651	qos_info = 0;
10652	}
10653
10654	ieee80211_add_wmm_info_ie(buf: skb_put(skb, len: 9), qosinfo: qos_info);
10655	put_unaligned_le16(val: capab, p: capab_pos);
10656	}
10657
10658	ieee80211_fragment_element(skb, len_pos: subelem_len,
10659	frag_id: IEEE80211_MLE_SUBELEM_FRAGMENT);
10660	}
10661
10662	ieee80211_fragment_element(skb, len_pos: ml_elem_len, frag_id: WLAN_EID_FRAGMENT);
10663
10664	info = IEEE80211_SKB_CB(skb);
10665	info->flags |= IEEE80211_TX_CTL_REQ_TX_STATUS;
10666
10667	return skb;
10668	}
10669
10670	int ieee80211_mgd_assoc_ml_reconf(struct ieee80211_sub_if_data *sdata,
10671	struct cfg80211_ml_reconf_req *req)
10672	{
10673	struct ieee80211_local *local = sdata->local;
10674	struct ieee80211_mgd_assoc_data *data = NULL;
10675	struct sta_info *sta;
10676	struct sk_buff *skb;
10677	u16 added_links, new_valid_links;
10678	int link_id, err;
10679
10680	if (!ieee80211_vif_is_mld(vif: &sdata->vif) ||
10681	!(sdata->vif.cfg.mld_capa_op &
10682	IEEE80211_MLD_CAP_OP_LINK_RECONF_SUPPORT))
10683	return -EINVAL;
10684
10685	/* No support for concurrent ML reconfiguration operation */
10686	if (sdata->u.mgd.reconf.added_links ||
10687	sdata->u.mgd.reconf.removed_links)
10688	return -EBUSY;
10689
10690	added_links = 0;
10691	for (link_id = 0; link_id < IEEE80211_MLD_MAX_NUM_LINKS; link_id++) {
10692	if (!req->add_links[link_id].bss)
10693	continue;
10694
10695	added_links |= BIT(link_id);
10696	}
10697
10698	sta = sta_info_get(sdata, addr: sdata->vif.cfg.ap_addr);
10699	if (WARN_ON(!sta))
10700	return -ENOLINK;
10701
10702	/* Adding links to the set of valid link is done only after a successful
10703	* ML reconfiguration frame exchange. Here prepare the data for the ML
10704	* reconfiguration frame construction and allocate the required
10705	* resources
10706	*/
10707	if (added_links) {
10708	bool uapsd_supported;
10709
10710	data = kzalloc(sizeof(*data), GFP_KERNEL);
10711	if (!data)
10712	return -ENOMEM;
10713
10714	data->assoc_link_id = -1;
10715	data->wmm = true;
10716
10717	uapsd_supported = true;
10718	for (link_id = 0; link_id < IEEE80211_MLD_MAX_NUM_LINKS;
10719	link_id++) {
10720	struct ieee80211_supported_band *sband;
10721	struct cfg80211_bss *link_cbss =
10722	req->add_links[link_id].bss;
10723	struct ieee80211_bss *bss;
10724
10725	if (!link_cbss)
10726	continue;
10727
10728	bss = (void *)link_cbss->priv;
10729
10730	if (!bss->wmm_used) {
10731	err = -EINVAL;
10732	goto err_free;
10733	}
10734
10735	if (link_cbss->channel->band == NL80211_BAND_S1GHZ) {
10736	err = -EINVAL;
10737	goto err_free;
10738	}
10739
10740	eth_random_addr(addr: data->link[link_id].addr);
10741	data->link[link_id].conn =
10742	ieee80211_conn_settings_unlimited;
10743	sband =
10744	local->hw.wiphy->bands[link_cbss->channel->band];
10745
10746	ieee80211_determine_our_sta_mode(sdata, sband,
10747	NULL, wmm_used: true, link_id,
10748	conn: &data->link[link_id].conn);
10749
10750	data->link[link_id].bss = link_cbss;
10751	data->link[link_id].elems =
10752	(u8 *)req->add_links[link_id].elems;
10753	data->link[link_id].elems_len =
10754	req->add_links[link_id].elems_len;
10755
10756	if (!bss->uapsd_supported)
10757	uapsd_supported = false;
10758
10759	if (data->link[link_id].conn.mode <
10760	IEEE80211_CONN_MODE_EHT) {
10761	err = -EINVAL;
10762	goto err_free;
10763	}
10764
10765	err = ieee80211_mgd_get_ap_ht_vht_capa(sdata, assoc_data: data,
10766	link_id);
10767	if (err) {
10768	err = -EINVAL;
10769	goto err_free;
10770	}
10771	}
10772
10773	/* Require U-APSD support if we enabled it */
10774	if (sdata->u.mgd.flags & IEEE80211_STA_UAPSD_ENABLED &&
10775	!uapsd_supported) {
10776	err = -EINVAL;
10777	sdata_info(sdata, "U-APSD on but not available on (all) new links\n");
10778	goto err_free;
10779	}
10780
10781	for (link_id = 0; link_id < IEEE80211_MLD_MAX_NUM_LINKS;
10782	link_id++) {
10783	if (!data->link[link_id].bss)
10784	continue;
10785
10786	/* only used to verify the mode, nothing is allocated */
10787	err = ieee80211_prep_channel(sdata, NULL, link_id,
10788	cbss: data->link[link_id].bss,
10789	mlo: true,
10790	conn: &data->link[link_id].conn,
10791	userspace_selectors: sdata->u.mgd.userspace_selectors);
10792	if (err)
10793	goto err_free;
10794	}
10795	}
10796
10797	/* link removal is done before the ML reconfiguration frame exchange so
10798	* that these links will not be used between their removal by the AP MLD
10799	* and before the station got the ML reconfiguration response. Based on
10800	* Section 35.3.6.4 in Draft P802.11be_D7.0 the AP MLD should accept the
10801	* link removal request.
10802	*/
10803	if (req->rem_links) {
10804	u16 new_active_links =
10805	sdata->vif.active_links & ~req->rem_links;
10806
10807	new_valid_links = sdata->vif.valid_links & ~req->rem_links;
10808
10809	/* Should not be left with no valid links to perform the
10810	* ML reconfiguration
10811	*/
10812	if (!new_valid_links ||
10813	!(new_valid_links & ~sdata->vif.dormant_links)) {
10814	sdata_info(sdata, "mlo: reconf: no valid links\n");
10815	err = -EINVAL;
10816	goto err_free;
10817	}
10818
10819	if (new_active_links != sdata->vif.active_links) {
10820	if (!new_active_links)
10821	new_active_links =
10822	BIT(__ffs(new_valid_links &
10823	~sdata->vif.dormant_links));
10824
10825	err = ieee80211_set_active_links(vif: &sdata->vif,
10826	active_links: new_active_links);
10827	if (err) {
10828	sdata_info(sdata,
10829	"mlo: reconf: failed set active links\n");
10830	goto err_free;
10831	}
10832	}
10833	}
10834
10835	/* Build the SKB before the link removal as the construction of the
10836	* station info for removed links requires the local address.
10837	* Invalidate the removed links, so that the transmission of the ML
10838	* reconfiguration request frame would not be done using them, as the AP
10839	* is expected to send the ML reconfiguration response frame on the link
10840	* on which the request was received.
10841	*/
10842	skb = ieee80211_build_ml_reconf_req(sdata, add_links_data: data, removed_links: req->rem_links,
10843	cpu_to_le16(req->ext_mld_capa_ops));
10844	if (!skb) {
10845	err = -ENOMEM;
10846	goto err_free;
10847	}
10848
10849	if (req->rem_links) {
10850	u16 new_dormant_links =
10851	sdata->vif.dormant_links & ~req->rem_links;
10852
10853	err = ieee80211_vif_set_links(sdata, new_links: new_valid_links,
10854	dormant_links: new_dormant_links);
10855	if (err) {
10856	sdata_info(sdata,
10857	"mlo: reconf: failed set valid links\n");
10858	kfree_skb(skb);
10859	goto err_free;
10860	}
10861
10862	for (link_id = 0; link_id < IEEE80211_MLD_MAX_NUM_LINKS;
10863	link_id++) {
10864	if (!(req->rem_links & BIT(link_id)))
10865	continue;
10866
10867	ieee80211_sta_remove_link(sta, link_id);
10868	}
10869
10870	/* notify the driver and upper layers */
10871	ieee80211_vif_cfg_change_notify(sdata,
10872	changed: BSS_CHANGED_MLD_VALID_LINKS);
10873	cfg80211_links_removed(dev: sdata->dev, link_mask: req->rem_links);
10874	}
10875
10876	sdata_info(sdata, "mlo: reconf: adding=0x%x, removed=0x%x\n",
10877	added_links, req->rem_links);
10878
10879	ieee80211_tx_skb(sdata, skb);
10880
10881	sdata->u.mgd.reconf.added_links = added_links;
10882	sdata->u.mgd.reconf.add_links_data = data;
10883	sdata->u.mgd.reconf.removed_links = req->rem_links;
10884	wiphy_delayed_work_queue(wiphy: sdata->local->hw.wiphy,
10885	dwork: &sdata->u.mgd.reconf.wk,
10886	IEEE80211_ASSOC_TIMEOUT_SHORT);
10887	return 0;
10888
10889	err_free:
10890	kfree(objp: data);
10891	return err;
10892	}
10893
10894	static bool ieee80211_mgd_epcs_supp(struct ieee80211_sub_if_data *sdata)
10895	{
10896	unsigned long valid_links = sdata->vif.valid_links;
10897	u8 link_id;
10898
10899	lockdep_assert_wiphy(sdata->local->hw.wiphy);
10900
10901	if (!ieee80211_vif_is_mld(vif: &sdata->vif))
10902	return false;
10903
10904	for_each_set_bit(link_id, &valid_links, IEEE80211_MLD_MAX_NUM_LINKS) {
10905	struct ieee80211_bss_conf *bss_conf =
10906	sdata_dereference(sdata->vif.link_conf[link_id], sdata);
10907
10908	if (WARN_ON(!bss_conf) || !bss_conf->epcs_support)
10909	return false;
10910	}
10911
10912	return true;
10913	}
10914
10915	int ieee80211_mgd_set_epcs(struct ieee80211_sub_if_data *sdata, bool enable)
10916	{
10917	struct ieee80211_local *local = sdata->local;
10918	struct ieee80211_mgmt *mgmt;
10919	struct sk_buff *skb;
10920	int frame_len = offsetofend(struct ieee80211_mgmt,
10921	u.action.u.epcs) + (enable ? 1 : 0);
10922
10923	if (!ieee80211_mgd_epcs_supp(sdata))
10924	return -EINVAL;
10925
10926	if (sdata->u.mgd.epcs.enabled == enable &&
10927	!sdata->u.mgd.epcs.dialog_token)
10928	return 0;
10929
10930	/* Do not allow enabling EPCS if the AP didn't respond yet.
10931	* However, allow disabling EPCS in such a case.
10932	*/
10933	if (sdata->u.mgd.epcs.dialog_token && enable)
10934	return -EALREADY;
10935
10936	skb = dev_alloc_skb(length: local->hw.extra_tx_headroom + frame_len);
10937	if (!skb)
10938	return -ENOBUFS;
10939
10940	skb_reserve(skb, len: local->hw.extra_tx_headroom);
10941	mgmt = skb_put_zero(skb, len: frame_len);
10942	mgmt->frame_control = cpu_to_le16(IEEE80211_FTYPE_MGMT |
10943	IEEE80211_STYPE_ACTION);
10944	memcpy(mgmt->da, sdata->vif.cfg.ap_addr, ETH_ALEN);
10945	memcpy(mgmt->sa, sdata->vif.addr, ETH_ALEN);
10946	memcpy(mgmt->bssid, sdata->vif.cfg.ap_addr, ETH_ALEN);
10947
10948	mgmt->u.action.category = WLAN_CATEGORY_PROTECTED_EHT;
10949	if (enable) {
10950	u8 *pos = mgmt->u.action.u.epcs.variable;
10951
10952	mgmt->u.action.u.epcs.action_code =
10953	WLAN_PROTECTED_EHT_ACTION_EPCS_ENABLE_REQ;
10954
10955	*pos = ++sdata->u.mgd.dialog_token_alloc;
10956	sdata->u.mgd.epcs.dialog_token = *pos;
10957	} else {
10958	mgmt->u.action.u.epcs.action_code =
10959	WLAN_PROTECTED_EHT_ACTION_EPCS_ENABLE_TEARDOWN;
10960
10961	ieee80211_epcs_teardown(sdata);
10962	ieee80211_epcs_changed(sdata, enabled: false);
10963	}
10964
10965	ieee80211_tx_skb(sdata, skb);
10966	return 0;
10967	}
10968
10969	static void ieee80211_ml_epcs(struct ieee80211_sub_if_data *sdata,
10970	struct ieee802_11_elems *elems)
10971	{
10972	const struct element *sub;
10973	size_t scratch_len = elems->ml_epcs_len;
10974	u8 *scratch __free(kfree) = kzalloc(scratch_len, GFP_KERNEL);
10975
10976	lockdep_assert_wiphy(sdata->local->hw.wiphy);
10977
10978	if (!ieee80211_vif_is_mld(vif: &sdata->vif) || !elems->ml_epcs)
10979	return;
10980
10981	if (WARN_ON(!scratch))
10982	return;
10983
10984	/* Directly parse the sub elements as the common information doesn't
10985	* hold any useful information.
10986	*/
10987	for_each_mle_subelement(sub, (const u8 *)elems->ml_epcs,
10988	elems->ml_epcs_len) {
10989	struct ieee802_11_elems *link_elems __free(kfree) = NULL;
10990	struct ieee80211_link_data *link;
10991	u8 *pos = (void *)sub->data;
10992	u16 control;
10993	ssize_t len;
10994	u8 link_id;
10995
10996	if (sub->id != IEEE80211_MLE_SUBELEM_PER_STA_PROFILE)
10997	continue;
10998
10999	if (sub->datalen < sizeof(control))
11000	break;
11001
11002	control = get_unaligned_le16(p: pos);
11003	link_id = control & IEEE80211_MLE_STA_EPCS_CONTROL_LINK_ID;
11004
11005	link = sdata_dereference(sdata->link[link_id], sdata);
11006	if (!link)
11007	continue;
11008
11009	len = cfg80211_defragment_element(elem: sub, ies: (u8 *)elems->ml_epcs,
11010	ieslen: elems->ml_epcs_len,
11011	data: scratch, data_len: scratch_len,
11012	frag_id: IEEE80211_MLE_SUBELEM_FRAGMENT);
11013	if (len < (ssize_t)sizeof(control))
11014	continue;
11015
11016	pos = scratch + sizeof(control);
11017	len -= sizeof(control);
11018
11019	link_elems = ieee802_11_parse_elems(start: pos, len,
11020	IEEE80211_FTYPE_MGMT |
11021	IEEE80211_STYPE_ACTION,
11022	NULL);
11023	if (!link_elems)
11024	continue;
11025
11026	if (ieee80211_sta_wmm_params(local: sdata->local, link,
11027	wmm_param: link_elems->wmm_param,
11028	wmm_param_len: link_elems->wmm_param_len,
11029	mu_edca: link_elems->mu_edca_param_set))
11030	ieee80211_link_info_change_notify(sdata, link,
11031	changed: BSS_CHANGED_QOS);
11032	}
11033	}
11034
11035	void ieee80211_process_epcs_ena_resp(struct ieee80211_sub_if_data *sdata,
11036	struct ieee80211_mgmt *mgmt, size_t len)
11037	{
11038	struct ieee802_11_elems *elems __free(kfree) = NULL;
11039	size_t ies_len;
11040	u16 status_code;
11041	u8 *pos, dialog_token;
11042
11043	if (!ieee80211_mgd_epcs_supp(sdata))
11044	return;
11045
11046	/* Handle dialog token and status code */
11047	pos = mgmt->u.action.u.epcs.variable;
11048	dialog_token = *pos;
11049	status_code = get_unaligned_le16(p: pos + 1);
11050
11051	/* An EPCS enable response with dialog token == 0 is an unsolicited
11052	* notification from the AP MLD. In such a case, EPCS should already be
11053	* enabled and status must be success
11054	*/
11055	if (!dialog_token &&
11056	(!sdata->u.mgd.epcs.enabled ||
11057	status_code != WLAN_STATUS_SUCCESS))
11058	return;
11059
11060	if (sdata->u.mgd.epcs.dialog_token != dialog_token)
11061	return;
11062
11063	sdata->u.mgd.epcs.dialog_token = 0;
11064
11065	if (status_code != WLAN_STATUS_SUCCESS)
11066	return;
11067
11068	pos += IEEE80211_EPCS_ENA_RESP_BODY_LEN;
11069	ies_len = len - offsetof(struct ieee80211_mgmt,
11070	u.action.u.epcs.variable) -
11071	IEEE80211_EPCS_ENA_RESP_BODY_LEN;
11072
11073	elems = ieee802_11_parse_elems(start: pos, len: ies_len,
11074	IEEE80211_FTYPE_MGMT |
11075	IEEE80211_STYPE_ACTION,
11076	NULL);
11077	if (!elems)
11078	return;
11079
11080	ieee80211_ml_epcs(sdata, elems);
11081	ieee80211_epcs_changed(sdata, enabled: true);
11082	}
11083
11084	void ieee80211_process_epcs_teardown(struct ieee80211_sub_if_data *sdata,
11085	struct ieee80211_mgmt *mgmt, size_t len)
11086	{
11087	if (!ieee80211_vif_is_mld(vif: &sdata->vif) ||
11088	!sdata->u.mgd.epcs.enabled)
11089	return;
11090
11091	ieee80211_epcs_teardown(sdata);
11092	ieee80211_epcs_changed(sdata, enabled: false);
11093	}
11094