xref: /linux/net/mac80211/mlme.c (revision aebc29dec67aa998a9ea6d34aacba7b5c6a74d33) 
1 // SPDX-License-Identifier: GPL-2.0-only
2 /*
3  * BSS client mode implementation
4  * Copyright 2003-2008, Jouni Malinen <j@w1.fi>
5  * Copyright 2004, Instant802 Networks, Inc.
6  * Copyright 2005, Devicescape Software, Inc.
7  * Copyright 2006-2007	Jiri Benc <jbenc@suse.cz>
8  * Copyright 2007, Michael Wu <flamingice@sourmilk.net>
9  * Copyright 2013-2014  Intel Mobile Communications GmbH
10  * Copyright (C) 2015 - 2017 Intel Deutschland GmbH
11  * Copyright (C) 2018 - 2025 Intel Corporation
12  */
13 
14 #include <linux/delay.h>
15 #include <linux/fips.h>
16 #include <linux/if_ether.h>
17 #include <linux/skbuff.h>
18 #include <linux/if_arp.h>
19 #include <linux/etherdevice.h>
20 #include <linux/moduleparam.h>
21 #include <linux/rtnetlink.h>
22 #include <linux/crc32.h>
23 #include <linux/slab.h>
24 #include <linux/export.h>
25 #include <net/mac80211.h>
26 #include <linux/unaligned.h>
27 
28 #include "ieee80211_i.h"
29 #include "driver-ops.h"
30 #include "rate.h"
31 #include "led.h"
32 #include "fils_aead.h"
33 
34 #include <kunit/static_stub.h>
35 
36 #define IEEE80211_AUTH_TIMEOUT		(HZ / 5)
37 #define IEEE80211_AUTH_TIMEOUT_LONG	(HZ / 2)
38 #define IEEE80211_AUTH_TIMEOUT_SHORT	(HZ / 10)
39 #define IEEE80211_AUTH_TIMEOUT_SAE	(HZ * 2)
40 #define IEEE80211_AUTH_MAX_TRIES	3
41 #define IEEE80211_AUTH_WAIT_ASSOC	(HZ * 5)
42 #define IEEE80211_AUTH_WAIT_SAE_RETRY	(HZ * 2)
43 #define IEEE80211_ASSOC_TIMEOUT		(HZ / 5)
44 #define IEEE80211_ASSOC_TIMEOUT_LONG	(HZ / 2)
45 #define IEEE80211_ASSOC_TIMEOUT_SHORT	(HZ / 10)
46 #define IEEE80211_ASSOC_MAX_TRIES	3
47 
48 #define IEEE80211_ADV_TTLM_SAFETY_BUFFER_MS (100 * USEC_PER_MSEC)
49 #define IEEE80211_ADV_TTLM_ST_UNDERFLOW 0xff00
50 
51 #define IEEE80211_NEG_TTLM_REQ_TIMEOUT (HZ / 5)
52 
53 static int max_nullfunc_tries = 2;
54 module_param(max_nullfunc_tries, int, 0644);
55 MODULE_PARM_DESC(max_nullfunc_tries,
56 		 "Maximum nullfunc tx tries before disconnecting (reason 4).");
57 
58 static int max_probe_tries = 5;
59 module_param(max_probe_tries, int, 0644);
60 MODULE_PARM_DESC(max_probe_tries,
61 		 "Maximum probe tries before disconnecting (reason 4).");
62 
63 /*
64  * Beacon loss timeout is calculated as N frames times the
65  * advertised beacon interval.  This may need to be somewhat
66  * higher than what hardware might detect to account for
67  * delays in the host processing frames. But since we also
68  * probe on beacon miss before declaring the connection lost
69  * default to what we want.
70  */
71 static int beacon_loss_count = 7;
72 module_param(beacon_loss_count, int, 0644);
73 MODULE_PARM_DESC(beacon_loss_count,
74 		 "Number of beacon intervals before we decide beacon was lost.");
75 
76 /*
77  * Time the connection can be idle before we probe
78  * it to see if we can still talk to the AP.
79  */
80 #define IEEE80211_CONNECTION_IDLE_TIME	(30 * HZ)
81 /*
82  * Time we wait for a probe response after sending
83  * a probe request because of beacon loss or for
84  * checking the connection still works.
85  */
86 static int probe_wait_ms = 500;
87 module_param(probe_wait_ms, int, 0644);
88 MODULE_PARM_DESC(probe_wait_ms,
89 		 "Maximum time(ms) to wait for probe response"
90 		 " before disconnecting (reason 4).");
91 
92 /*
93  * How many Beacon frames need to have been used in average signal strength
94  * before starting to indicate signal change events.
95  */
96 #define IEEE80211_SIGNAL_AVE_MIN_COUNT	4
97 
98 /*
99  * We can have multiple work items (and connection probing)
100  * scheduling this timer, but we need to take care to only
101  * reschedule it when it should fire _earlier_ than it was
102  * asked for before, or if it's not pending right now. This
103  * function ensures that. Note that it then is required to
104  * run this function for all timeouts after the first one
105  * has happened -- the work that runs from this timer will
106  * do that.
107  */
108 static void run_again(struct ieee80211_sub_if_data *sdata,
109 		      unsigned long timeout)
110 {
111 	lockdep_assert_wiphy(sdata->local->hw.wiphy);
112 
113 	if (!timer_pending(&sdata->u.mgd.timer) ||
114 	    time_before(timeout, sdata->u.mgd.timer.expires))
115 		mod_timer(&sdata->u.mgd.timer, timeout);
116 }
117 
118 void ieee80211_sta_reset_beacon_monitor(struct ieee80211_sub_if_data *sdata)
119 {
120 	if (sdata->vif.driver_flags & IEEE80211_VIF_BEACON_FILTER)
121 		return;
122 
123 	if (ieee80211_hw_check(&sdata->local->hw, CONNECTION_MONITOR))
124 		return;
125 
126 	mod_timer(&sdata->u.mgd.bcn_mon_timer,
127 		  round_jiffies_up(jiffies + sdata->u.mgd.beacon_timeout));
128 }
129 
130 void ieee80211_sta_reset_conn_monitor(struct ieee80211_sub_if_data *sdata)
131 {
132 	struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
133 
134 	if (unlikely(!ifmgd->associated))
135 		return;
136 
137 	if (ifmgd->probe_send_count)
138 		ifmgd->probe_send_count = 0;
139 
140 	if (ieee80211_hw_check(&sdata->local->hw, CONNECTION_MONITOR))
141 		return;
142 
143 	mod_timer(&ifmgd->conn_mon_timer,
144 		  round_jiffies_up(jiffies + IEEE80211_CONNECTION_IDLE_TIME));
145 }
146 
147 static int ecw2cw(int ecw)
148 {
149 	return (1 << ecw) - 1;
150 }
151 
152 static enum ieee80211_conn_mode
153 ieee80211_determine_ap_chan(struct ieee80211_sub_if_data *sdata,
154 			    struct ieee80211_channel *channel,
155 			    u32 vht_cap_info,
156 			    const struct ieee802_11_elems *elems,
157 			    bool ignore_ht_channel_mismatch,
158 			    const struct ieee80211_conn_settings *conn,
159 			    struct cfg80211_chan_def *chandef)
160 {
161 	const struct ieee80211_ht_operation *ht_oper = elems->ht_operation;
162 	const struct ieee80211_vht_operation *vht_oper = elems->vht_operation;
163 	const struct ieee80211_he_operation *he_oper = elems->he_operation;
164 	const struct ieee80211_eht_operation *eht_oper = elems->eht_operation;
165 	struct ieee80211_supported_band *sband =
166 		sdata->local->hw.wiphy->bands[channel->band];
167 	struct cfg80211_chan_def vht_chandef;
168 	bool no_vht = false;
169 	u32 ht_cfreq;
170 
171 	if (ieee80211_hw_check(&sdata->local->hw, STRICT))
172 		ignore_ht_channel_mismatch = false;
173 
174 	*chandef = (struct cfg80211_chan_def) {
175 		.chan = channel,
176 		.width = NL80211_CHAN_WIDTH_20_NOHT,
177 		.center_freq1 = channel->center_freq,
178 		.freq1_offset = channel->freq_offset,
179 	};
180 
181 	/* get special S1G case out of the way */
182 	if (sband->band == NL80211_BAND_S1GHZ) {
183 		if (!ieee80211_chandef_s1g_oper(sdata->local, elems->s1g_oper,
184 						chandef)) {
185 			/* Fallback to default 1MHz */
186 			chandef->width = NL80211_CHAN_WIDTH_1;
187 			chandef->s1g_primary_2mhz = false;
188 		}
189 
190 		return IEEE80211_CONN_MODE_S1G;
191 	}
192 
193 	/* get special 6 GHz case out of the way */
194 	if (sband->band == NL80211_BAND_6GHZ) {
195 		enum ieee80211_conn_mode mode = IEEE80211_CONN_MODE_EHT;
196 
197 		/* this is an error */
198 		if (conn->mode < IEEE80211_CONN_MODE_HE)
199 			return IEEE80211_CONN_MODE_LEGACY;
200 
201 		if (!elems->he_6ghz_capa || !elems->he_cap) {
202 			sdata_info(sdata,
203 				   "HE 6 GHz AP is missing HE/HE 6 GHz band capability\n");
204 			return IEEE80211_CONN_MODE_LEGACY;
205 		}
206 
207 		if (!eht_oper || !elems->eht_cap) {
208 			eht_oper = NULL;
209 			mode = IEEE80211_CONN_MODE_HE;
210 		}
211 
212 		if (!ieee80211_chandef_he_6ghz_oper(sdata->local, he_oper,
213 						    eht_oper, chandef)) {
214 			sdata_info(sdata, "bad HE/EHT 6 GHz operation\n");
215 			return IEEE80211_CONN_MODE_LEGACY;
216 		}
217 
218 		return mode;
219 	}
220 
221 	/* now we have the progression HT, VHT, ... */
222 	if (conn->mode < IEEE80211_CONN_MODE_HT)
223 		return IEEE80211_CONN_MODE_LEGACY;
224 
225 	if (!ht_oper || !elems->ht_cap_elem)
226 		return IEEE80211_CONN_MODE_LEGACY;
227 
228 	chandef->width = NL80211_CHAN_WIDTH_20;
229 
230 	ht_cfreq = ieee80211_channel_to_frequency(ht_oper->primary_chan,
231 						  channel->band);
232 	/* check that channel matches the right operating channel */
233 	if (!ignore_ht_channel_mismatch && channel->center_freq != ht_cfreq) {
234 		/*
235 		 * It's possible that some APs are confused here;
236 		 * Netgear WNDR3700 sometimes reports 4 higher than
237 		 * the actual channel in association responses, but
238 		 * since we look at probe response/beacon data here
239 		 * it should be OK.
240 		 */
241 		sdata_info(sdata,
242 			   "Wrong control channel: center-freq: %d ht-cfreq: %d ht->primary_chan: %d band: %d - Disabling HT\n",
243 			   channel->center_freq, ht_cfreq,
244 			   ht_oper->primary_chan, channel->band);
245 		return IEEE80211_CONN_MODE_LEGACY;
246 	}
247 
248 	ieee80211_chandef_ht_oper(ht_oper, chandef);
249 
250 	if (conn->mode < IEEE80211_CONN_MODE_VHT)
251 		return IEEE80211_CONN_MODE_HT;
252 
253 	vht_chandef = *chandef;
254 
255 	/*
256 	 * having he_cap/he_oper parsed out implies we're at
257 	 * least operating as HE STA
258 	 */
259 	if (elems->he_cap && he_oper &&
260 	    he_oper->he_oper_params & cpu_to_le32(IEEE80211_HE_OPERATION_VHT_OPER_INFO)) {
261 		struct ieee80211_vht_operation he_oper_vht_cap;
262 
263 		/*
264 		 * Set only first 3 bytes (other 2 aren't used in
265 		 * ieee80211_chandef_vht_oper() anyway)
266 		 */
267 		memcpy(&he_oper_vht_cap, he_oper->optional, 3);
268 		he_oper_vht_cap.basic_mcs_set = cpu_to_le16(0);
269 
270 		if (!ieee80211_chandef_vht_oper(&sdata->local->hw, vht_cap_info,
271 						&he_oper_vht_cap, ht_oper,
272 						&vht_chandef)) {
273 			sdata_info(sdata,
274 				   "HE AP VHT information is invalid, disabling HE\n");
275 			/* this will cause us to re-parse as VHT STA */
276 			return IEEE80211_CONN_MODE_VHT;
277 		}
278 	} else if (!vht_oper || !elems->vht_cap_elem) {
279 		if (sband->band == NL80211_BAND_5GHZ)
280 			return IEEE80211_CONN_MODE_HT;
281 		no_vht = true;
282 	} else if (sband->band == NL80211_BAND_2GHZ) {
283 		no_vht = true;
284 	} else if (!ieee80211_chandef_vht_oper(&sdata->local->hw,
285 					       vht_cap_info,
286 					       vht_oper, ht_oper,
287 					       &vht_chandef)) {
288 		sdata_info(sdata,
289 			   "AP VHT information is invalid, disabling VHT\n");
290 		return IEEE80211_CONN_MODE_HT;
291 	}
292 
293 	if (!cfg80211_chandef_compatible(chandef, &vht_chandef)) {
294 		sdata_info(sdata,
295 			   "AP VHT information doesn't match HT, disabling VHT\n");
296 		return IEEE80211_CONN_MODE_HT;
297 	}
298 
299 	*chandef = vht_chandef;
300 
301 	/* stick to current max mode if we or the AP don't have HE */
302 	if (conn->mode < IEEE80211_CONN_MODE_HE ||
303 	    !elems->he_operation || !elems->he_cap) {
304 		if (no_vht)
305 			return IEEE80211_CONN_MODE_HT;
306 		return IEEE80211_CONN_MODE_VHT;
307 	}
308 
309 	/* stick to HE if we or the AP don't have EHT */
310 	if (conn->mode < IEEE80211_CONN_MODE_EHT ||
311 	    !eht_oper || !elems->eht_cap)
312 		return IEEE80211_CONN_MODE_HE;
313 
314 	/*
315 	 * handle the case that the EHT operation indicates that it holds EHT
316 	 * operation information (in case that the channel width differs from
317 	 * the channel width reported in HT/VHT/HE).
318 	 */
319 	if (eht_oper->params & IEEE80211_EHT_OPER_INFO_PRESENT) {
320 		struct cfg80211_chan_def eht_chandef = *chandef;
321 
322 		ieee80211_chandef_eht_oper((const void *)eht_oper->optional,
323 					   &eht_chandef);
324 
325 		eht_chandef.punctured =
326 			ieee80211_eht_oper_dis_subchan_bitmap(eht_oper);
327 
328 		if (!cfg80211_chandef_valid(&eht_chandef)) {
329 			sdata_info(sdata,
330 				   "AP EHT information is invalid, disabling EHT\n");
331 			return IEEE80211_CONN_MODE_HE;
332 		}
333 
334 		if (!cfg80211_chandef_compatible(chandef, &eht_chandef)) {
335 			sdata_info(sdata,
336 				   "AP EHT information doesn't match HT/VHT/HE, disabling EHT\n");
337 			return IEEE80211_CONN_MODE_HE;
338 		}
339 
340 		*chandef = eht_chandef;
341 	}
342 
343 	return IEEE80211_CONN_MODE_EHT;
344 }
345 
346 static bool
347 ieee80211_verify_sta_ht_mcs_support(struct ieee80211_sub_if_data *sdata,
348 				    struct ieee80211_supported_band *sband,
349 				    const struct ieee80211_ht_operation *ht_op)
350 {
351 	struct ieee80211_sta_ht_cap sta_ht_cap;
352 	int i;
353 
354 	if (sband->band == NL80211_BAND_6GHZ)
355 		return true;
356 
357 	if (!ht_op)
358 		return false;
359 
360 	memcpy(&sta_ht_cap, &sband->ht_cap, sizeof(sta_ht_cap));
361 	ieee80211_apply_htcap_overrides(sdata, &sta_ht_cap);
362 
363 	/*
364 	 * P802.11REVme/D7.0 - 6.5.4.2.4
365 	 * ...
366 	 * If the MLME of an HT STA receives an MLME-JOIN.request primitive
367 	 * with the SelectedBSS parameter containing a Basic HT-MCS Set field
368 	 * in the HT Operation parameter that contains any unsupported MCSs,
369 	 * the MLME response in the resulting MLME-JOIN.confirm primitive shall
370 	 * contain a ResultCode parameter that is not set to the value SUCCESS.
371 	 * ...
372 	 */
373 
374 	/* Simply check that all basic rates are in the STA RX mask */
375 	for (i = 0; i < IEEE80211_HT_MCS_MASK_LEN; i++) {
376 		if ((ht_op->basic_set[i] & sta_ht_cap.mcs.rx_mask[i]) !=
377 		    ht_op->basic_set[i])
378 			return false;
379 	}
380 
381 	return true;
382 }
383 
384 static bool
385 ieee80211_verify_sta_vht_mcs_support(struct ieee80211_sub_if_data *sdata,
386 				     int link_id,
387 				     struct ieee80211_supported_band *sband,
388 				     const struct ieee80211_vht_operation *vht_op)
389 {
390 	struct ieee80211_sta_vht_cap sta_vht_cap;
391 	u16 ap_min_req_set, sta_rx_mcs_map, sta_tx_mcs_map;
392 	int nss;
393 
394 	if (sband->band != NL80211_BAND_5GHZ)
395 		return true;
396 
397 	if (!vht_op)
398 		return false;
399 
400 	memcpy(&sta_vht_cap, &sband->vht_cap, sizeof(sta_vht_cap));
401 	ieee80211_apply_vhtcap_overrides(sdata, &sta_vht_cap);
402 
403 	ap_min_req_set = le16_to_cpu(vht_op->basic_mcs_set);
404 	sta_rx_mcs_map = le16_to_cpu(sta_vht_cap.vht_mcs.rx_mcs_map);
405 	sta_tx_mcs_map = le16_to_cpu(sta_vht_cap.vht_mcs.tx_mcs_map);
406 
407 	/*
408 	 * Many APs are incorrectly advertising an all-zero value here,
409 	 * which really means MCS 0-7 are required for 1-8 streams, but
410 	 * they don't really mean it that way.
411 	 * Some other APs are incorrectly advertising 3 spatial streams
412 	 * with MCS 0-7 are required, but don't really mean it that way
413 	 * and we'll connect only with HT, rather than even HE.
414 	 * As a result, unfortunately the VHT basic MCS/NSS set cannot
415 	 * be used at all, so check it only in strict mode.
416 	 */
417 	if (!ieee80211_hw_check(&sdata->local->hw, STRICT))
418 		return true;
419 
420 	/*
421 	 * P802.11REVme/D7.0 - 6.5.4.2.4
422 	 * ...
423 	 * If the MLME of a VHT STA receives an MLME-JOIN.request primitive
424 	 * with a SelectedBSS parameter containing a Basic VHT-MCS And NSS Set
425 	 * field in the VHT Operation parameter that contains any unsupported
426 	 * <VHT-MCS, NSS> tuple, the MLME response in the resulting
427 	 * MLME-JOIN.confirm primitive shall contain a ResultCode parameter
428 	 * that is not set to the value SUCCESS.
429 	 * ...
430 	 */
431 	for (nss = 8; nss > 0; nss--) {
432 		u8 ap_op_val = (ap_min_req_set >> (2 * (nss - 1))) & 3;
433 		u8 sta_rx_val;
434 		u8 sta_tx_val;
435 
436 		if (ap_op_val == IEEE80211_HE_MCS_NOT_SUPPORTED)
437 			continue;
438 
439 		sta_rx_val = (sta_rx_mcs_map >> (2 * (nss - 1))) & 3;
440 		sta_tx_val = (sta_tx_mcs_map >> (2 * (nss - 1))) & 3;
441 
442 		if (sta_rx_val == IEEE80211_HE_MCS_NOT_SUPPORTED ||
443 		    sta_tx_val == IEEE80211_HE_MCS_NOT_SUPPORTED ||
444 		    sta_rx_val < ap_op_val || sta_tx_val < ap_op_val) {
445 			link_id_info(sdata, link_id,
446 				     "Missing mandatory rates for %d Nss, rx %d, tx %d oper %d, disable VHT\n",
447 				     nss, sta_rx_val, sta_tx_val, ap_op_val);
448 			return false;
449 		}
450 	}
451 
452 	return true;
453 }
454 
455 static bool
456 ieee80211_verify_peer_he_mcs_support(struct ieee80211_sub_if_data *sdata,
457 				     int link_id,
458 				     const struct ieee80211_he_cap_elem *he_cap,
459 				     const struct ieee80211_he_operation *he_op)
460 {
461 	struct ieee80211_he_mcs_nss_supp *he_mcs_nss_supp;
462 	u16 mcs_80_map_tx, mcs_80_map_rx;
463 	u16 ap_min_req_set;
464 	int nss;
465 
466 	if (!he_cap)
467 		return false;
468 
469 	/* mcs_nss is right after he_cap info */
470 	he_mcs_nss_supp = (void *)(he_cap + 1);
471 
472 	mcs_80_map_tx = le16_to_cpu(he_mcs_nss_supp->tx_mcs_80);
473 	mcs_80_map_rx = le16_to_cpu(he_mcs_nss_supp->rx_mcs_80);
474 
475 	/* P802.11-REVme/D0.3
476 	 * 27.1.1 Introduction to the HE PHY
477 	 * ...
478 	 * An HE STA shall support the following features:
479 	 * ...
480 	 * Single spatial stream HE-MCSs 0 to 7 (transmit and receive) in all
481 	 * supported channel widths for HE SU PPDUs
482 	 */
483 	if ((mcs_80_map_tx & 0x3) == IEEE80211_HE_MCS_NOT_SUPPORTED ||
484 	    (mcs_80_map_rx & 0x3) == IEEE80211_HE_MCS_NOT_SUPPORTED) {
485 		link_id_info(sdata, link_id,
486 			     "Missing mandatory rates for 1 Nss, rx 0x%x, tx 0x%x, disable HE\n",
487 			     mcs_80_map_tx, mcs_80_map_rx);
488 		return false;
489 	}
490 
491 	if (!he_op)
492 		return true;
493 
494 	ap_min_req_set = le16_to_cpu(he_op->he_mcs_nss_set);
495 
496 	/*
497 	 * Apparently iPhone 13 (at least iOS version 15.3.1) sets this to all
498 	 * zeroes, which is nonsense, and completely inconsistent with itself
499 	 * (it doesn't have 8 streams). Accept the settings in this case anyway.
500 	 */
501 	if (!ieee80211_hw_check(&sdata->local->hw, STRICT) && !ap_min_req_set)
502 		return true;
503 
504 	/* make sure the AP is consistent with itself
505 	 *
506 	 * P802.11-REVme/D0.3
507 	 * 26.17.1 Basic HE BSS operation
508 	 *
509 	 * A STA that is operating in an HE BSS shall be able to receive and
510 	 * transmit at each of the <HE-MCS, NSS> tuple values indicated by the
511 	 * Basic HE-MCS And NSS Set field of the HE Operation parameter of the
512 	 * MLME-START.request primitive and shall be able to receive at each of
513 	 * the <HE-MCS, NSS> tuple values indicated by the Supported HE-MCS and
514 	 * NSS Set field in the HE Capabilities parameter of the MLMESTART.request
515 	 * primitive
516 	 */
517 	for (nss = 8; nss > 0; nss--) {
518 		u8 ap_op_val = (ap_min_req_set >> (2 * (nss - 1))) & 3;
519 		u8 ap_rx_val;
520 		u8 ap_tx_val;
521 
522 		if (ap_op_val == IEEE80211_HE_MCS_NOT_SUPPORTED)
523 			continue;
524 
525 		ap_rx_val = (mcs_80_map_rx >> (2 * (nss - 1))) & 3;
526 		ap_tx_val = (mcs_80_map_tx >> (2 * (nss - 1))) & 3;
527 
528 		if (ap_rx_val == IEEE80211_HE_MCS_NOT_SUPPORTED ||
529 		    ap_tx_val == IEEE80211_HE_MCS_NOT_SUPPORTED ||
530 		    ap_rx_val < ap_op_val || ap_tx_val < ap_op_val) {
531 			link_id_info(sdata, link_id,
532 				     "Invalid rates for %d Nss, rx %d, tx %d oper %d, disable HE\n",
533 				     nss, ap_rx_val, ap_tx_val, ap_op_val);
534 			return false;
535 		}
536 	}
537 
538 	return true;
539 }
540 
541 static bool
542 ieee80211_verify_sta_he_mcs_support(struct ieee80211_sub_if_data *sdata,
543 				    struct ieee80211_supported_band *sband,
544 				    const struct ieee80211_he_operation *he_op)
545 {
546 	const struct ieee80211_sta_he_cap *sta_he_cap =
547 		ieee80211_get_he_iftype_cap_vif(sband, &sdata->vif);
548 	u16 ap_min_req_set;
549 	int i;
550 
551 	if (!sta_he_cap || !he_op)
552 		return false;
553 
554 	ap_min_req_set = le16_to_cpu(he_op->he_mcs_nss_set);
555 
556 	/*
557 	 * Apparently iPhone 13 (at least iOS version 15.3.1) sets this to all
558 	 * zeroes, which is nonsense, and completely inconsistent with itself
559 	 * (it doesn't have 8 streams). Accept the settings in this case anyway.
560 	 */
561 	if (!ieee80211_hw_check(&sdata->local->hw, STRICT) && !ap_min_req_set)
562 		return true;
563 
564 	/* Need to go over for 80MHz, 160MHz and for 80+80 */
565 	for (i = 0; i < 3; i++) {
566 		const struct ieee80211_he_mcs_nss_supp *sta_mcs_nss_supp =
567 			&sta_he_cap->he_mcs_nss_supp;
568 		u16 sta_mcs_map_rx =
569 			le16_to_cpu(((__le16 *)sta_mcs_nss_supp)[2 * i]);
570 		u16 sta_mcs_map_tx =
571 			le16_to_cpu(((__le16 *)sta_mcs_nss_supp)[2 * i + 1]);
572 		u8 nss;
573 		bool verified = true;
574 
575 		/*
576 		 * For each band there is a maximum of 8 spatial streams
577 		 * possible. Each of the sta_mcs_map_* is a 16-bit struct built
578 		 * of 2 bits per NSS (1-8), with the values defined in enum
579 		 * ieee80211_he_mcs_support. Need to make sure STA TX and RX
580 		 * capabilities aren't less than the AP's minimum requirements
581 		 * for this HE BSS per SS.
582 		 * It is enough to find one such band that meets the reqs.
583 		 */
584 		for (nss = 8; nss > 0; nss--) {
585 			u8 sta_rx_val = (sta_mcs_map_rx >> (2 * (nss - 1))) & 3;
586 			u8 sta_tx_val = (sta_mcs_map_tx >> (2 * (nss - 1))) & 3;
587 			u8 ap_val = (ap_min_req_set >> (2 * (nss - 1))) & 3;
588 
589 			if (ap_val == IEEE80211_HE_MCS_NOT_SUPPORTED)
590 				continue;
591 
592 			/*
593 			 * Make sure the HE AP doesn't require MCSs that aren't
594 			 * supported by the client as required by spec
595 			 *
596 			 * P802.11-REVme/D0.3
597 			 * 26.17.1 Basic HE BSS operation
598 			 *
599 			 * An HE STA shall not attempt to join * (MLME-JOIN.request primitive)
600 			 * a BSS, unless it supports (i.e., is able to both transmit and
601 			 * receive using) all of the <HE-MCS, NSS> tuples in the basic
602 			 * HE-MCS and NSS set.
603 			 */
604 			if (sta_rx_val == IEEE80211_HE_MCS_NOT_SUPPORTED ||
605 			    sta_tx_val == IEEE80211_HE_MCS_NOT_SUPPORTED ||
606 			    (ap_val > sta_rx_val) || (ap_val > sta_tx_val)) {
607 				verified = false;
608 				break;
609 			}
610 		}
611 
612 		if (verified)
613 			return true;
614 	}
615 
616 	/* If here, STA doesn't meet AP's HE min requirements */
617 	return false;
618 }
619 
620 static u8
621 ieee80211_get_eht_cap_mcs_nss(const struct ieee80211_sta_he_cap *sta_he_cap,
622 			      const struct ieee80211_sta_eht_cap *sta_eht_cap,
623 			      unsigned int idx, int bw)
624 {
625 	u8 he_phy_cap0 = sta_he_cap->he_cap_elem.phy_cap_info[0];
626 	u8 eht_phy_cap0 = sta_eht_cap->eht_cap_elem.phy_cap_info[0];
627 
628 	/* handle us being a 20 MHz-only EHT STA - with four values
629 	 * for MCS 0-7, 8-9, 10-11, 12-13.
630 	 */
631 	if (!(he_phy_cap0 & IEEE80211_HE_PHY_CAP0_CHANNEL_WIDTH_SET_MASK_ALL))
632 		return sta_eht_cap->eht_mcs_nss_supp.only_20mhz.rx_tx_max_nss[idx];
633 
634 	/* the others have MCS 0-9 together, rather than separately from 0-7 */
635 	if (idx > 0)
636 		idx--;
637 
638 	switch (bw) {
639 	case 0:
640 		return sta_eht_cap->eht_mcs_nss_supp.bw._80.rx_tx_max_nss[idx];
641 	case 1:
642 		if (!(he_phy_cap0 &
643 		      (IEEE80211_HE_PHY_CAP0_CHANNEL_WIDTH_SET_160MHZ_IN_5G |
644 		       IEEE80211_HE_PHY_CAP0_CHANNEL_WIDTH_SET_80PLUS80_MHZ_IN_5G)))
645 			return 0xff; /* pass check */
646 		return sta_eht_cap->eht_mcs_nss_supp.bw._160.rx_tx_max_nss[idx];
647 	case 2:
648 		if (!(eht_phy_cap0 & IEEE80211_EHT_PHY_CAP0_320MHZ_IN_6GHZ))
649 			return 0xff; /* pass check */
650 		return sta_eht_cap->eht_mcs_nss_supp.bw._320.rx_tx_max_nss[idx];
651 	}
652 
653 	WARN_ON(1);
654 	return 0;
655 }
656 
657 static bool
658 ieee80211_verify_sta_eht_mcs_support(struct ieee80211_sub_if_data *sdata,
659 				     struct ieee80211_supported_band *sband,
660 				     const struct ieee80211_eht_operation *eht_op)
661 {
662 	const struct ieee80211_sta_he_cap *sta_he_cap =
663 		ieee80211_get_he_iftype_cap_vif(sband, &sdata->vif);
664 	const struct ieee80211_sta_eht_cap *sta_eht_cap =
665 		ieee80211_get_eht_iftype_cap_vif(sband, &sdata->vif);
666 	const struct ieee80211_eht_mcs_nss_supp_20mhz_only *req;
667 	unsigned int i;
668 
669 	if (!sta_he_cap || !sta_eht_cap || !eht_op)
670 		return false;
671 
672 	req = &eht_op->basic_mcs_nss;
673 
674 	for (i = 0; i < ARRAY_SIZE(req->rx_tx_max_nss); i++) {
675 		u8 req_rx_nss, req_tx_nss;
676 		unsigned int bw;
677 
678 		req_rx_nss = u8_get_bits(req->rx_tx_max_nss[i],
679 					 IEEE80211_EHT_MCS_NSS_RX);
680 		req_tx_nss = u8_get_bits(req->rx_tx_max_nss[i],
681 					 IEEE80211_EHT_MCS_NSS_TX);
682 
683 		for (bw = 0; bw < 3; bw++) {
684 			u8 have, have_rx_nss, have_tx_nss;
685 
686 			have = ieee80211_get_eht_cap_mcs_nss(sta_he_cap,
687 							     sta_eht_cap,
688 							     i, bw);
689 			have_rx_nss = u8_get_bits(have,
690 						  IEEE80211_EHT_MCS_NSS_RX);
691 			have_tx_nss = u8_get_bits(have,
692 						  IEEE80211_EHT_MCS_NSS_TX);
693 
694 			if (req_rx_nss > have_rx_nss ||
695 			    req_tx_nss > have_tx_nss)
696 				return false;
697 		}
698 	}
699 
700 	return true;
701 }
702 
703 static void ieee80211_get_rates(struct ieee80211_supported_band *sband,
704 				const u8 *supp_rates,
705 				unsigned int supp_rates_len,
706 				const u8 *ext_supp_rates,
707 				unsigned int ext_supp_rates_len,
708 				u32 *rates, u32 *basic_rates,
709 				unsigned long *unknown_rates_selectors,
710 				bool *have_higher_than_11mbit,
711 				int *min_rate, int *min_rate_index)
712 {
713 	int i, j;
714 
715 	for (i = 0; i < supp_rates_len + ext_supp_rates_len; i++) {
716 		u8 supp_rate = i < supp_rates_len ?
717 				supp_rates[i] :
718 				ext_supp_rates[i - supp_rates_len];
719 		int rate = supp_rate & 0x7f;
720 		bool is_basic = !!(supp_rate & 0x80);
721 
722 		if ((rate * 5) > 110 && have_higher_than_11mbit)
723 			*have_higher_than_11mbit = true;
724 
725 		/*
726 		 * Skip membership selectors since they're not rates.
727 		 *
728 		 * Note: Even though the membership selector and the basic
729 		 *	 rate flag share the same bit, they are not exactly
730 		 *	 the same.
731 		 */
732 		if (is_basic && rate >= BSS_MEMBERSHIP_SELECTOR_MIN) {
733 			if (unknown_rates_selectors)
734 				set_bit(rate, unknown_rates_selectors);
735 			continue;
736 		}
737 
738 		for (j = 0; j < sband->n_bitrates; j++) {
739 			struct ieee80211_rate *br;
740 			int brate;
741 
742 			br = &sband->bitrates[j];
743 
744 			brate = DIV_ROUND_UP(br->bitrate, 5);
745 			if (brate == rate) {
746 				if (rates)
747 					*rates |= BIT(j);
748 				if (is_basic && basic_rates)
749 					*basic_rates |= BIT(j);
750 				if (min_rate && (rate * 5) < *min_rate) {
751 					*min_rate = rate * 5;
752 					if (min_rate_index)
753 						*min_rate_index = j;
754 				}
755 				break;
756 			}
757 		}
758 
759 		/* Handle an unknown entry as if it is an unknown selector */
760 		if (is_basic && unknown_rates_selectors && j == sband->n_bitrates)
761 			set_bit(rate, unknown_rates_selectors);
762 	}
763 }
764 
765 static bool ieee80211_chandef_usable(struct ieee80211_sub_if_data *sdata,
766 				     const struct cfg80211_chan_def *chandef,
767 				     u32 prohibited_flags)
768 {
769 	if (!cfg80211_chandef_usable(sdata->local->hw.wiphy,
770 				     chandef, prohibited_flags))
771 		return false;
772 
773 	if (chandef->punctured &&
774 	    ieee80211_hw_check(&sdata->local->hw, DISALLOW_PUNCTURING))
775 		return false;
776 
777 	return true;
778 }
779 
780 static int ieee80211_chandef_num_subchans(const struct cfg80211_chan_def *c)
781 {
782 	if (c->width == NL80211_CHAN_WIDTH_80P80)
783 		return 4 + 4;
784 
785 	return cfg80211_chandef_get_width(c) / 20;
786 }
787 
788 static int ieee80211_chandef_num_widths(const struct cfg80211_chan_def *c)
789 {
790 	switch (c->width) {
791 	case NL80211_CHAN_WIDTH_20:
792 	case NL80211_CHAN_WIDTH_20_NOHT:
793 		return 1;
794 	case NL80211_CHAN_WIDTH_40:
795 		return 2;
796 	case NL80211_CHAN_WIDTH_80P80:
797 	case NL80211_CHAN_WIDTH_80:
798 		return 3;
799 	case NL80211_CHAN_WIDTH_160:
800 		return 4;
801 	case NL80211_CHAN_WIDTH_320:
802 		return 5;
803 	default:
804 		WARN_ON(1);
805 		return 0;
806 	}
807 }
808 
809 VISIBLE_IF_MAC80211_KUNIT int
810 ieee80211_calc_chandef_subchan_offset(const struct cfg80211_chan_def *ap,
811 				      u8 n_partial_subchans)
812 {
813 	int n = ieee80211_chandef_num_subchans(ap);
814 	struct cfg80211_chan_def tmp = *ap;
815 	int offset = 0;
816 
817 	/*
818 	 * Given a chandef (in this context, it's the AP's) and a number
819 	 * of subchannels that we want to look at ('n_partial_subchans'),
820 	 * calculate the offset in number of subchannels between the full
821 	 * and the subset with the desired width.
822 	 */
823 
824 	/* same number of subchannels means no offset, obviously */
825 	if (n == n_partial_subchans)
826 		return 0;
827 
828 	/* don't WARN - misconfigured APs could cause this if their N > width */
829 	if (n < n_partial_subchans)
830 		return 0;
831 
832 	while (ieee80211_chandef_num_subchans(&tmp) > n_partial_subchans) {
833 		u32 prev = tmp.center_freq1;
834 
835 		ieee80211_chandef_downgrade(&tmp, NULL);
836 
837 		/*
838 		 * if center_freq moved up, half the original channels
839 		 * are gone now but were below, so increase offset
840 		 */
841 		if (prev < tmp.center_freq1)
842 			offset += ieee80211_chandef_num_subchans(&tmp);
843 	}
844 
845 	/*
846 	 * 80+80 with secondary 80 below primary - four subchannels for it
847 	 * (we cannot downgrade *to* 80+80, so no need to consider 'tmp')
848 	 */
849 	if (ap->width == NL80211_CHAN_WIDTH_80P80 &&
850 	    ap->center_freq2 < ap->center_freq1)
851 		offset += 4;
852 
853 	return offset;
854 }
855 EXPORT_SYMBOL_IF_MAC80211_KUNIT(ieee80211_calc_chandef_subchan_offset);
856 
857 VISIBLE_IF_MAC80211_KUNIT void
858 ieee80211_rearrange_tpe_psd(struct ieee80211_parsed_tpe_psd *psd,
859 			    const struct cfg80211_chan_def *ap,
860 			    const struct cfg80211_chan_def *used)
861 {
862 	u8 needed = ieee80211_chandef_num_subchans(used);
863 	u8 have = ieee80211_chandef_num_subchans(ap);
864 	u8 tmp[IEEE80211_TPE_PSD_ENTRIES_320MHZ];
865 	u8 offset;
866 
867 	if (!psd->valid)
868 		return;
869 
870 	/* if N is zero, all defaults were used, no point in rearranging */
871 	if (!psd->n)
872 		goto out;
873 
874 	BUILD_BUG_ON(sizeof(tmp) != sizeof(psd->power));
875 
876 	/*
877 	 * This assumes that 'N' is consistent with the HE channel, as
878 	 * it should be (otherwise the AP is broken).
879 	 *
880 	 * In psd->power we have values in the order 0..N, 0..K, where
881 	 * N+K should cover the entire channel per 'ap', but even if it
882 	 * doesn't then we've pre-filled 'unlimited' as defaults.
883 	 *
884 	 * But this is all the wrong order, we want to have them in the
885 	 * order of the 'used' channel.
886 	 *
887 	 * So for example, we could have a 320 MHz EHT AP, which has the
888 	 * HE channel as 80 MHz (e.g. due to puncturing, which doesn't
889 	 * seem to be considered for the TPE), as follows:
890 	 *
891 	 * EHT  320:   |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |
892 	 * HE    80:                           |  |  |  |  |
893 	 * used 160:                           |  |  |  |  |  |  |  |  |
894 	 *
895 	 * N entries:                          |--|--|--|--|
896 	 * K entries:  |--|--|--|--|--|--|--|--|           |--|--|--|--|
897 	 * power idx:   4  5  6  7  8  9  10 11 0  1  2  3  12 13 14 15
898 	 * full chan:   0  1  2  3  4  5  6  7  8  9  10 11 12 13 14 15
899 	 * used chan:                           0  1  2  3  4  5  6  7
900 	 *
901 	 * The idx in the power array ('power idx') is like this since it
902 	 * comes directly from the element's N and K entries in their
903 	 * element order, and those are this way for HE compatibility.
904 	 *
905 	 * Rearrange them as desired here, first by putting them into the
906 	 * 'full chan' order, and then selecting the necessary subset for
907 	 * the 'used chan'.
908 	 */
909 
910 	/* first reorder according to AP channel */
911 	offset = ieee80211_calc_chandef_subchan_offset(ap, psd->n);
912 	for (int i = 0; i < have; i++) {
913 		if (i < offset)
914 			tmp[i] = psd->power[i + psd->n];
915 		else if (i < offset + psd->n)
916 			tmp[i] = psd->power[i - offset];
917 		else
918 			tmp[i] = psd->power[i];
919 	}
920 
921 	/*
922 	 * and then select the subset for the used channel
923 	 * (set everything to defaults first in case a driver is confused)
924 	 */
925 	memset(psd->power, IEEE80211_TPE_PSD_NO_LIMIT, sizeof(psd->power));
926 	offset = ieee80211_calc_chandef_subchan_offset(ap, needed);
927 	for (int i = 0; i < needed; i++)
928 		psd->power[i] = tmp[offset + i];
929 
930 out:
931 	/* limit, but don't lie if there are defaults in the data */
932 	if (needed < psd->count)
933 		psd->count = needed;
934 }
935 EXPORT_SYMBOL_IF_MAC80211_KUNIT(ieee80211_rearrange_tpe_psd);
936 
937 static void ieee80211_rearrange_tpe(struct ieee80211_parsed_tpe *tpe,
938 				    const struct cfg80211_chan_def *ap,
939 				    const struct cfg80211_chan_def *used)
940 {
941 	/* ignore this completely for narrow/invalid channels */
942 	if (!ieee80211_chandef_num_subchans(ap) ||
943 	    !ieee80211_chandef_num_subchans(used)) {
944 		ieee80211_clear_tpe(tpe);
945 		return;
946 	}
947 
948 	for (int i = 0; i < 2; i++) {
949 		int needed_pwr_count;
950 
951 		ieee80211_rearrange_tpe_psd(&tpe->psd_local[i], ap, used);
952 		ieee80211_rearrange_tpe_psd(&tpe->psd_reg_client[i], ap, used);
953 
954 		/* limit this to the widths we actually need */
955 		needed_pwr_count = ieee80211_chandef_num_widths(used);
956 		if (needed_pwr_count < tpe->max_local[i].count)
957 			tpe->max_local[i].count = needed_pwr_count;
958 		if (needed_pwr_count < tpe->max_reg_client[i].count)
959 			tpe->max_reg_client[i].count = needed_pwr_count;
960 	}
961 }
962 
963 /*
964  * The AP part of the channel request is used to distinguish settings
965  * to the device used for wider bandwidth OFDMA. This is used in the
966  * channel context code to assign two channel contexts even if they're
967  * both for the same channel, if the AP bandwidths are incompatible.
968  * If not EHT (or driver override) then ap.chan == NULL indicates that
969  * there's no wider BW OFDMA used.
970  */
971 static void ieee80211_set_chanreq_ap(struct ieee80211_sub_if_data *sdata,
972 				     struct ieee80211_chan_req *chanreq,
973 				     struct ieee80211_conn_settings *conn,
974 				     struct cfg80211_chan_def *ap_chandef)
975 {
976 	chanreq->ap.chan = NULL;
977 
978 	if (conn->mode < IEEE80211_CONN_MODE_EHT)
979 		return;
980 	if (sdata->vif.driver_flags & IEEE80211_VIF_IGNORE_OFDMA_WIDER_BW)
981 		return;
982 
983 	chanreq->ap = *ap_chandef;
984 }
985 
986 VISIBLE_IF_MAC80211_KUNIT struct ieee802_11_elems *
987 ieee80211_determine_chan_mode(struct ieee80211_sub_if_data *sdata,
988 			      struct ieee80211_conn_settings *conn,
989 			      struct cfg80211_bss *cbss, int link_id,
990 			      struct ieee80211_chan_req *chanreq,
991 			      struct cfg80211_chan_def *ap_chandef,
992 			      unsigned long *userspace_selectors)
993 {
994 	const struct cfg80211_bss_ies *ies = rcu_dereference(cbss->ies);
995 	struct ieee80211_bss *bss = (void *)cbss->priv;
996 	struct ieee80211_channel *channel = cbss->channel;
997 	struct ieee80211_elems_parse_params parse_params = {
998 		.link_id = -1,
999 		.from_ap = true,
1000 		.start = ies->data,
1001 		.len = ies->len,
1002 		.type = ies->from_beacon ?
1003 			IEEE80211_FTYPE_MGMT | IEEE80211_STYPE_BEACON :
1004 			IEEE80211_FTYPE_MGMT | IEEE80211_STYPE_PROBE_RESP,
1005 	};
1006 	struct ieee802_11_elems *elems;
1007 	struct ieee80211_supported_band *sband;
1008 	enum ieee80211_conn_mode ap_mode;
1009 	unsigned long unknown_rates_selectors[BITS_TO_LONGS(128)] = {};
1010 	unsigned long sta_selectors[BITS_TO_LONGS(128)] = {};
1011 	int ret;
1012 
1013 again:
1014 	parse_params.mode = conn->mode;
1015 	elems = ieee802_11_parse_elems_full(&parse_params);
1016 	if (!elems)
1017 		return ERR_PTR(-ENOMEM);
1018 
1019 	ap_mode = ieee80211_determine_ap_chan(sdata, channel, bss->vht_cap_info,
1020 					      elems, false, conn, ap_chandef);
1021 
1022 	/* this should be impossible since parsing depends on our mode */
1023 	if (WARN_ON(ap_mode > conn->mode)) {
1024 		ret = -EINVAL;
1025 		goto free;
1026 	}
1027 
1028 	if (conn->mode != ap_mode) {
1029 		conn->mode = ap_mode;
1030 		kfree(elems);
1031 		goto again;
1032 	}
1033 
1034 	mlme_link_id_dbg(sdata, link_id, "determined AP %pM to be %s\n",
1035 			 cbss->bssid, ieee80211_conn_mode_str(ap_mode));
1036 
1037 	sband = sdata->local->hw.wiphy->bands[channel->band];
1038 
1039 	ieee80211_get_rates(sband, elems->supp_rates, elems->supp_rates_len,
1040 			    elems->ext_supp_rates, elems->ext_supp_rates_len,
1041 			    NULL, NULL, unknown_rates_selectors, NULL, NULL,
1042 			    NULL);
1043 
1044 	switch (channel->band) {
1045 	case NL80211_BAND_S1GHZ:
1046 		if (WARN_ON(ap_mode != IEEE80211_CONN_MODE_S1G)) {
1047 			ret = -EINVAL;
1048 			goto free;
1049 		}
1050 
1051 		chanreq->oper = *ap_chandef;
1052 		if (!cfg80211_chandef_usable(sdata->wdev.wiphy, &chanreq->oper,
1053 					     IEEE80211_CHAN_DISABLED)) {
1054 			ret = -EINVAL;
1055 			goto free;
1056 		}
1057 
1058 		return elems;
1059 	case NL80211_BAND_6GHZ:
1060 		if (ap_mode < IEEE80211_CONN_MODE_HE) {
1061 			link_id_info(sdata, link_id,
1062 				     "Rejecting non-HE 6/7 GHz connection");
1063 			ret = -EINVAL;
1064 			goto free;
1065 		}
1066 		break;
1067 	default:
1068 		if (WARN_ON(ap_mode == IEEE80211_CONN_MODE_S1G)) {
1069 			ret = -EINVAL;
1070 			goto free;
1071 		}
1072 	}
1073 
1074 	switch (ap_mode) {
1075 	case IEEE80211_CONN_MODE_S1G:
1076 		WARN_ON(1);
1077 		ret = -EINVAL;
1078 		goto free;
1079 	case IEEE80211_CONN_MODE_LEGACY:
1080 		conn->bw_limit = IEEE80211_CONN_BW_LIMIT_20;
1081 		break;
1082 	case IEEE80211_CONN_MODE_HT:
1083 		conn->bw_limit = min_t(enum ieee80211_conn_bw_limit,
1084 				       conn->bw_limit,
1085 				       IEEE80211_CONN_BW_LIMIT_40);
1086 		break;
1087 	case IEEE80211_CONN_MODE_VHT:
1088 	case IEEE80211_CONN_MODE_HE:
1089 		conn->bw_limit = min_t(enum ieee80211_conn_bw_limit,
1090 				       conn->bw_limit,
1091 				       IEEE80211_CONN_BW_LIMIT_160);
1092 		break;
1093 	case IEEE80211_CONN_MODE_EHT:
1094 		conn->bw_limit = min_t(enum ieee80211_conn_bw_limit,
1095 				       conn->bw_limit,
1096 				       IEEE80211_CONN_BW_LIMIT_320);
1097 		break;
1098 	}
1099 
1100 	chanreq->oper = *ap_chandef;
1101 
1102 	bitmap_copy(sta_selectors, userspace_selectors, 128);
1103 	if (conn->mode >= IEEE80211_CONN_MODE_HT)
1104 		set_bit(BSS_MEMBERSHIP_SELECTOR_HT_PHY, sta_selectors);
1105 	if (conn->mode >= IEEE80211_CONN_MODE_VHT)
1106 		set_bit(BSS_MEMBERSHIP_SELECTOR_VHT_PHY, sta_selectors);
1107 	if (conn->mode >= IEEE80211_CONN_MODE_HE)
1108 		set_bit(BSS_MEMBERSHIP_SELECTOR_HE_PHY, sta_selectors);
1109 	if (conn->mode >= IEEE80211_CONN_MODE_EHT)
1110 		set_bit(BSS_MEMBERSHIP_SELECTOR_EHT_PHY, sta_selectors);
1111 
1112 	/*
1113 	 * We do not support EPD or GLK so never add them.
1114 	 * SAE_H2E is handled through userspace_selectors.
1115 	 */
1116 
1117 	/* Check if we support all required features */
1118 	if (!bitmap_subset(unknown_rates_selectors, sta_selectors, 128)) {
1119 		link_id_info(sdata, link_id,
1120 			     "required basic rate or BSS membership selectors not supported or disabled, rejecting connection\n");
1121 		ret = -EINVAL;
1122 		goto free;
1123 	}
1124 
1125 	ieee80211_set_chanreq_ap(sdata, chanreq, conn, ap_chandef);
1126 
1127 	while (!ieee80211_chandef_usable(sdata, &chanreq->oper,
1128 					 IEEE80211_CHAN_DISABLED)) {
1129 		if (chanreq->oper.width == NL80211_CHAN_WIDTH_20_NOHT) {
1130 			link_id_info(sdata, link_id,
1131 				     "unusable channel (%d MHz) for connection\n",
1132 				     chanreq->oper.chan->center_freq);
1133 			ret = -EINVAL;
1134 			goto free;
1135 		}
1136 
1137 		ieee80211_chanreq_downgrade(chanreq, conn);
1138 	}
1139 
1140 	if (conn->mode >= IEEE80211_CONN_MODE_HE &&
1141 	    !cfg80211_chandef_usable(sdata->wdev.wiphy, &chanreq->oper,
1142 				     IEEE80211_CHAN_NO_HE)) {
1143 		conn->mode = IEEE80211_CONN_MODE_VHT;
1144 		conn->bw_limit = min_t(enum ieee80211_conn_bw_limit,
1145 				       conn->bw_limit,
1146 				       IEEE80211_CONN_BW_LIMIT_160);
1147 	}
1148 
1149 	if (conn->mode >= IEEE80211_CONN_MODE_EHT &&
1150 	    !cfg80211_chandef_usable(sdata->wdev.wiphy, &chanreq->oper,
1151 				     IEEE80211_CHAN_NO_EHT)) {
1152 		conn->mode = IEEE80211_CONN_MODE_HE;
1153 		conn->bw_limit = min_t(enum ieee80211_conn_bw_limit,
1154 				       conn->bw_limit,
1155 				       IEEE80211_CONN_BW_LIMIT_160);
1156 	}
1157 
1158 	if (chanreq->oper.width != ap_chandef->width || ap_mode != conn->mode)
1159 		link_id_info(sdata, link_id,
1160 			     "regulatory prevented using AP config, downgraded\n");
1161 
1162 	if (conn->mode >= IEEE80211_CONN_MODE_HT &&
1163 	    !ieee80211_verify_sta_ht_mcs_support(sdata, sband,
1164 						 elems->ht_operation)) {
1165 		conn->mode = IEEE80211_CONN_MODE_LEGACY;
1166 		conn->bw_limit = IEEE80211_CONN_BW_LIMIT_20;
1167 		link_id_info(sdata, link_id,
1168 			     "required MCSes not supported, disabling HT\n");
1169 	}
1170 
1171 	if (conn->mode >= IEEE80211_CONN_MODE_VHT &&
1172 	    !ieee80211_verify_sta_vht_mcs_support(sdata, link_id, sband,
1173 						  elems->vht_operation)) {
1174 		conn->mode = IEEE80211_CONN_MODE_HT;
1175 		conn->bw_limit = min_t(enum ieee80211_conn_bw_limit,
1176 				       conn->bw_limit,
1177 				       IEEE80211_CONN_BW_LIMIT_40);
1178 		link_id_info(sdata, link_id,
1179 			     "required MCSes not supported, disabling VHT\n");
1180 	}
1181 
1182 	if (conn->mode >= IEEE80211_CONN_MODE_HE &&
1183 	    (!ieee80211_verify_peer_he_mcs_support(sdata, link_id,
1184 						   (void *)elems->he_cap,
1185 						   elems->he_operation) ||
1186 	     !ieee80211_verify_sta_he_mcs_support(sdata, sband,
1187 						  elems->he_operation))) {
1188 		conn->mode = IEEE80211_CONN_MODE_VHT;
1189 		link_id_info(sdata, link_id,
1190 			     "required MCSes not supported, disabling HE\n");
1191 	}
1192 
1193 	if (conn->mode >= IEEE80211_CONN_MODE_EHT &&
1194 	    !ieee80211_verify_sta_eht_mcs_support(sdata, sband,
1195 						  elems->eht_operation)) {
1196 		conn->mode = IEEE80211_CONN_MODE_HE;
1197 		conn->bw_limit = min_t(enum ieee80211_conn_bw_limit,
1198 				       conn->bw_limit,
1199 				       IEEE80211_CONN_BW_LIMIT_160);
1200 		link_id_info(sdata, link_id,
1201 			     "required MCSes not supported, disabling EHT\n");
1202 	}
1203 
1204 	if (conn->mode >= IEEE80211_CONN_MODE_EHT &&
1205 	    channel->band != NL80211_BAND_2GHZ &&
1206 	    conn->bw_limit == IEEE80211_CONN_BW_LIMIT_40) {
1207 		conn->mode = IEEE80211_CONN_MODE_HE;
1208 		link_id_info(sdata, link_id,
1209 			     "required bandwidth not supported, disabling EHT\n");
1210 	}
1211 
1212 	/* the mode can only decrease, so this must terminate */
1213 	if (ap_mode != conn->mode) {
1214 		kfree(elems);
1215 		goto again;
1216 	}
1217 
1218 	mlme_link_id_dbg(sdata, link_id,
1219 			 "connecting with %s mode, max bandwidth %d MHz\n",
1220 			 ieee80211_conn_mode_str(conn->mode),
1221 			 20 * (1 << conn->bw_limit));
1222 
1223 	if (WARN_ON_ONCE(!cfg80211_chandef_valid(&chanreq->oper))) {
1224 		ret = -EINVAL;
1225 		goto free;
1226 	}
1227 
1228 	return elems;
1229 free:
1230 	kfree(elems);
1231 	return ERR_PTR(ret);
1232 }
1233 EXPORT_SYMBOL_IF_MAC80211_KUNIT(ieee80211_determine_chan_mode);
1234 
1235 static int ieee80211_config_bw(struct ieee80211_link_data *link,
1236 			       struct ieee802_11_elems *elems,
1237 			       bool update, u64 *changed, u16 stype)
1238 {
1239 	struct ieee80211_channel *channel = link->conf->chanreq.oper.chan;
1240 	struct ieee80211_sub_if_data *sdata = link->sdata;
1241 	struct ieee80211_chan_req chanreq = {};
1242 	struct cfg80211_chan_def ap_chandef;
1243 	enum ieee80211_conn_mode ap_mode;
1244 	const char *frame;
1245 	u32 vht_cap_info = 0;
1246 	u16 ht_opmode;
1247 	int ret;
1248 
1249 	switch (stype) {
1250 	case IEEE80211_STYPE_BEACON:
1251 		frame = "beacon";
1252 		break;
1253 	case IEEE80211_STYPE_ASSOC_RESP:
1254 		frame = "assoc response";
1255 		break;
1256 	case IEEE80211_STYPE_REASSOC_RESP:
1257 		frame = "reassoc response";
1258 		break;
1259 	case IEEE80211_STYPE_ACTION:
1260 		/* the only action frame that gets here */
1261 		frame = "ML reconf response";
1262 		break;
1263 	default:
1264 		return -EINVAL;
1265 	}
1266 
1267 	/* don't track any bandwidth changes in legacy/S1G modes */
1268 	if (link->u.mgd.conn.mode == IEEE80211_CONN_MODE_LEGACY ||
1269 	    link->u.mgd.conn.mode == IEEE80211_CONN_MODE_S1G)
1270 		return 0;
1271 
1272 	if (elems->vht_cap_elem)
1273 		vht_cap_info = le32_to_cpu(elems->vht_cap_elem->vht_cap_info);
1274 
1275 	ap_mode = ieee80211_determine_ap_chan(sdata, channel, vht_cap_info,
1276 					      elems, true, &link->u.mgd.conn,
1277 					      &ap_chandef);
1278 
1279 	if (ap_mode != link->u.mgd.conn.mode) {
1280 		link_info(link,
1281 			  "AP %pM appears to change mode (expected %s, found %s) in %s, disconnect\n",
1282 			  link->u.mgd.bssid,
1283 			  ieee80211_conn_mode_str(link->u.mgd.conn.mode),
1284 			  ieee80211_conn_mode_str(ap_mode), frame);
1285 		return -EINVAL;
1286 	}
1287 
1288 	chanreq.oper = ap_chandef;
1289 	ieee80211_set_chanreq_ap(sdata, &chanreq, &link->u.mgd.conn,
1290 				 &ap_chandef);
1291 
1292 	/*
1293 	 * if HT operation mode changed store the new one -
1294 	 * this may be applicable even if channel is identical
1295 	 */
1296 	if (elems->ht_operation) {
1297 		ht_opmode = le16_to_cpu(elems->ht_operation->operation_mode);
1298 		if (link->conf->ht_operation_mode != ht_opmode) {
1299 			*changed |= BSS_CHANGED_HT;
1300 			link->conf->ht_operation_mode = ht_opmode;
1301 		}
1302 	}
1303 
1304 	/*
1305 	 * Downgrade the new channel if we associated with restricted
1306 	 * bandwidth capabilities. For example, if we associated as a
1307 	 * 20 MHz STA to a 40 MHz AP (due to regulatory, capabilities
1308 	 * or config reasons) then switching to a 40 MHz channel now
1309 	 * won't do us any good -- we couldn't use it with the AP.
1310 	 */
1311 	while (link->u.mgd.conn.bw_limit <
1312 			ieee80211_min_bw_limit_from_chandef(&chanreq.oper))
1313 		ieee80211_chandef_downgrade(&chanreq.oper, NULL);
1314 
1315 	/* TPE element is not present in (re)assoc/ML reconfig response */
1316 	if (stype == IEEE80211_STYPE_BEACON &&
1317 	    ap_chandef.chan->band == NL80211_BAND_6GHZ &&
1318 	    link->u.mgd.conn.mode >= IEEE80211_CONN_MODE_HE) {
1319 		ieee80211_rearrange_tpe(&elems->tpe, &ap_chandef,
1320 					&chanreq.oper);
1321 		if (memcmp(&link->conf->tpe, &elems->tpe, sizeof(elems->tpe))) {
1322 			link->conf->tpe = elems->tpe;
1323 			*changed |= BSS_CHANGED_TPE;
1324 		}
1325 	}
1326 
1327 	if (ieee80211_chanreq_identical(&chanreq, &link->conf->chanreq))
1328 		return 0;
1329 
1330 	link_info(link,
1331 		  "AP %pM changed bandwidth in %s, new used config is %d.%03d MHz, width %d (%d.%03d/%d MHz)\n",
1332 		  link->u.mgd.bssid, frame, chanreq.oper.chan->center_freq,
1333 		  chanreq.oper.chan->freq_offset, chanreq.oper.width,
1334 		  chanreq.oper.center_freq1, chanreq.oper.freq1_offset,
1335 		  chanreq.oper.center_freq2);
1336 
1337 	if (!cfg80211_chandef_valid(&chanreq.oper)) {
1338 		sdata_info(sdata,
1339 			   "AP %pM changed caps/bw in %s in a way we can't support - disconnect\n",
1340 			   link->u.mgd.bssid, frame);
1341 		return -EINVAL;
1342 	}
1343 
1344 	if (!update) {
1345 		link->conf->chanreq = chanreq;
1346 		return 0;
1347 	}
1348 
1349 	/*
1350 	 * We're tracking the current AP here, so don't do any further checks
1351 	 * here. This keeps us from playing ping-pong with regulatory, without
1352 	 * it the following can happen (for example):
1353 	 *  - connect to an AP with 80 MHz, world regdom allows 80 MHz
1354 	 *  - AP advertises regdom US
1355 	 *  - CRDA loads regdom US with 80 MHz prohibited (old database)
1356 	 *  - we detect an unsupported channel and disconnect
1357 	 *  - disconnect causes CRDA to reload world regdomain and the game
1358 	 *    starts anew.
1359 	 * (see https://bugzilla.kernel.org/show_bug.cgi?id=70881)
1360 	 *
1361 	 * It seems possible that there are still scenarios with CSA or real
1362 	 * bandwidth changes where a this could happen, but those cases are
1363 	 * less common and wouldn't completely prevent using the AP.
1364 	 */
1365 
1366 	ret = ieee80211_link_change_chanreq(link, &chanreq, changed);
1367 	if (ret) {
1368 		sdata_info(sdata,
1369 			   "AP %pM changed bandwidth in %s to incompatible one - disconnect\n",
1370 			   link->u.mgd.bssid, frame);
1371 		return ret;
1372 	}
1373 
1374 	cfg80211_schedule_channels_check(&sdata->wdev);
1375 	return 0;
1376 }
1377 
1378 /* frame sending functions */
1379 
1380 static void ieee80211_add_ht_ie(struct ieee80211_sub_if_data *sdata,
1381 				struct sk_buff *skb, u8 ap_ht_param,
1382 				struct ieee80211_supported_band *sband,
1383 				struct ieee80211_channel *channel,
1384 				enum ieee80211_smps_mode smps,
1385 				const struct ieee80211_conn_settings *conn)
1386 {
1387 	u8 *pos;
1388 	u32 flags = channel->flags;
1389 	u16 cap;
1390 	struct ieee80211_sta_ht_cap ht_cap;
1391 
1392 	BUILD_BUG_ON(sizeof(ht_cap) != sizeof(sband->ht_cap));
1393 
1394 	memcpy(&ht_cap, &sband->ht_cap, sizeof(ht_cap));
1395 	ieee80211_apply_htcap_overrides(sdata, &ht_cap);
1396 
1397 	/* determine capability flags */
1398 	cap = ht_cap.cap;
1399 
1400 	switch (ap_ht_param & IEEE80211_HT_PARAM_CHA_SEC_OFFSET) {
1401 	case IEEE80211_HT_PARAM_CHA_SEC_ABOVE:
1402 		if (flags & IEEE80211_CHAN_NO_HT40PLUS) {
1403 			cap &= ~IEEE80211_HT_CAP_SUP_WIDTH_20_40;
1404 			cap &= ~IEEE80211_HT_CAP_SGI_40;
1405 		}
1406 		break;
1407 	case IEEE80211_HT_PARAM_CHA_SEC_BELOW:
1408 		if (flags & IEEE80211_CHAN_NO_HT40MINUS) {
1409 			cap &= ~IEEE80211_HT_CAP_SUP_WIDTH_20_40;
1410 			cap &= ~IEEE80211_HT_CAP_SGI_40;
1411 		}
1412 		break;
1413 	}
1414 
1415 	/*
1416 	 * If 40 MHz was disabled associate as though we weren't
1417 	 * capable of 40 MHz -- some broken APs will never fall
1418 	 * back to trying to transmit in 20 MHz.
1419 	 */
1420 	if (conn->bw_limit <= IEEE80211_CONN_BW_LIMIT_20) {
1421 		cap &= ~IEEE80211_HT_CAP_SUP_WIDTH_20_40;
1422 		cap &= ~IEEE80211_HT_CAP_SGI_40;
1423 	}
1424 
1425 	/* set SM PS mode properly */
1426 	cap &= ~IEEE80211_HT_CAP_SM_PS;
1427 	switch (smps) {
1428 	case IEEE80211_SMPS_AUTOMATIC:
1429 	case IEEE80211_SMPS_NUM_MODES:
1430 		WARN_ON(1);
1431 		fallthrough;
1432 	case IEEE80211_SMPS_OFF:
1433 		cap |= WLAN_HT_CAP_SM_PS_DISABLED <<
1434 			IEEE80211_HT_CAP_SM_PS_SHIFT;
1435 		break;
1436 	case IEEE80211_SMPS_STATIC:
1437 		cap |= WLAN_HT_CAP_SM_PS_STATIC <<
1438 			IEEE80211_HT_CAP_SM_PS_SHIFT;
1439 		break;
1440 	case IEEE80211_SMPS_DYNAMIC:
1441 		cap |= WLAN_HT_CAP_SM_PS_DYNAMIC <<
1442 			IEEE80211_HT_CAP_SM_PS_SHIFT;
1443 		break;
1444 	}
1445 
1446 	/* reserve and fill IE */
1447 	pos = skb_put(skb, sizeof(struct ieee80211_ht_cap) + 2);
1448 	ieee80211_ie_build_ht_cap(pos, &ht_cap, cap);
1449 }
1450 
1451 /* This function determines vht capability flags for the association
1452  * and builds the IE.
1453  * Note - the function returns true to own the MU-MIMO capability
1454  */
1455 static bool ieee80211_add_vht_ie(struct ieee80211_sub_if_data *sdata,
1456 				 struct sk_buff *skb,
1457 				 struct ieee80211_supported_band *sband,
1458 				 struct ieee80211_vht_cap *ap_vht_cap,
1459 				 const struct ieee80211_conn_settings *conn)
1460 {
1461 	struct ieee80211_local *local = sdata->local;
1462 	u8 *pos;
1463 	u32 cap;
1464 	struct ieee80211_sta_vht_cap vht_cap;
1465 	u32 mask, ap_bf_sts, our_bf_sts;
1466 	bool mu_mimo_owner = false;
1467 
1468 	BUILD_BUG_ON(sizeof(vht_cap) != sizeof(sband->vht_cap));
1469 
1470 	memcpy(&vht_cap, &sband->vht_cap, sizeof(vht_cap));
1471 	ieee80211_apply_vhtcap_overrides(sdata, &vht_cap);
1472 
1473 	/* determine capability flags */
1474 	cap = vht_cap.cap;
1475 
1476 	if (conn->bw_limit <= IEEE80211_CONN_BW_LIMIT_80) {
1477 		cap &= ~IEEE80211_VHT_CAP_SHORT_GI_160;
1478 		cap &= ~IEEE80211_VHT_CAP_SUPP_CHAN_WIDTH_MASK;
1479 	}
1480 
1481 	/*
1482 	 * Some APs apparently get confused if our capabilities are better
1483 	 * than theirs, so restrict what we advertise in the assoc request.
1484 	 */
1485 	if (!ieee80211_hw_check(&local->hw, STRICT)) {
1486 		if (!(ap_vht_cap->vht_cap_info &
1487 				cpu_to_le32(IEEE80211_VHT_CAP_SU_BEAMFORMER_CAPABLE)))
1488 			cap &= ~(IEEE80211_VHT_CAP_SU_BEAMFORMEE_CAPABLE |
1489 				 IEEE80211_VHT_CAP_MU_BEAMFORMEE_CAPABLE);
1490 		else if (!(ap_vht_cap->vht_cap_info &
1491 				cpu_to_le32(IEEE80211_VHT_CAP_MU_BEAMFORMER_CAPABLE)))
1492 			cap &= ~IEEE80211_VHT_CAP_MU_BEAMFORMEE_CAPABLE;
1493 	}
1494 
1495 	/*
1496 	 * If some other vif is using the MU-MIMO capability we cannot associate
1497 	 * using MU-MIMO - this will lead to contradictions in the group-id
1498 	 * mechanism.
1499 	 * Ownership is defined since association request, in order to avoid
1500 	 * simultaneous associations with MU-MIMO.
1501 	 */
1502 	if (cap & IEEE80211_VHT_CAP_MU_BEAMFORMEE_CAPABLE) {
1503 		bool disable_mu_mimo = false;
1504 		struct ieee80211_sub_if_data *other;
1505 
1506 		list_for_each_entry(other, &local->interfaces, list) {
1507 			if (other->vif.bss_conf.mu_mimo_owner) {
1508 				disable_mu_mimo = true;
1509 				break;
1510 			}
1511 		}
1512 		if (disable_mu_mimo)
1513 			cap &= ~IEEE80211_VHT_CAP_MU_BEAMFORMEE_CAPABLE;
1514 		else
1515 			mu_mimo_owner = true;
1516 	}
1517 
1518 	mask = IEEE80211_VHT_CAP_BEAMFORMEE_STS_MASK;
1519 
1520 	ap_bf_sts = le32_to_cpu(ap_vht_cap->vht_cap_info) & mask;
1521 	our_bf_sts = cap & mask;
1522 
1523 	if (ap_bf_sts < our_bf_sts) {
1524 		cap &= ~mask;
1525 		cap |= ap_bf_sts;
1526 	}
1527 
1528 	/* reserve and fill IE */
1529 	pos = skb_put(skb, sizeof(struct ieee80211_vht_cap) + 2);
1530 	ieee80211_ie_build_vht_cap(pos, &vht_cap, cap);
1531 
1532 	return mu_mimo_owner;
1533 }
1534 
1535 static void ieee80211_assoc_add_rates(struct ieee80211_local *local,
1536 				      struct sk_buff *skb,
1537 				      enum nl80211_chan_width width,
1538 				      struct ieee80211_supported_band *sband,
1539 				      struct ieee80211_mgd_assoc_data *assoc_data)
1540 {
1541 	u32 rates;
1542 
1543 	if (assoc_data->supp_rates_len &&
1544 	    !ieee80211_hw_check(&local->hw, STRICT)) {
1545 		/*
1546 		 * Get all rates supported by the device and the AP as
1547 		 * some APs don't like getting a superset of their rates
1548 		 * in the association request (e.g. D-Link DAP 1353 in
1549 		 * b-only mode)...
1550 		 */
1551 		ieee80211_parse_bitrates(width, sband,
1552 					 assoc_data->supp_rates,
1553 					 assoc_data->supp_rates_len,
1554 					 &rates);
1555 	} else {
1556 		/*
1557 		 * In case AP not provide any supported rates information
1558 		 * before association, we send information element(s) with
1559 		 * all rates that we support.
1560 		 */
1561 		rates = ~0;
1562 	}
1563 
1564 	ieee80211_put_srates_elem(skb, sband, 0, ~rates,
1565 				  WLAN_EID_SUPP_RATES);
1566 	ieee80211_put_srates_elem(skb, sband, 0, ~rates,
1567 				  WLAN_EID_EXT_SUPP_RATES);
1568 }
1569 
1570 static size_t ieee80211_add_before_ht_elems(struct sk_buff *skb,
1571 					    const u8 *elems,
1572 					    size_t elems_len,
1573 					    size_t offset)
1574 {
1575 	size_t noffset;
1576 
1577 	static const u8 before_ht[] = {
1578 		WLAN_EID_SSID,
1579 		WLAN_EID_SUPP_RATES,
1580 		WLAN_EID_EXT_SUPP_RATES,
1581 		WLAN_EID_PWR_CAPABILITY,
1582 		WLAN_EID_SUPPORTED_CHANNELS,
1583 		WLAN_EID_RSN,
1584 		WLAN_EID_QOS_CAPA,
1585 		WLAN_EID_RRM_ENABLED_CAPABILITIES,
1586 		WLAN_EID_MOBILITY_DOMAIN,
1587 		WLAN_EID_FAST_BSS_TRANSITION,	/* reassoc only */
1588 		WLAN_EID_RIC_DATA,		/* reassoc only */
1589 		WLAN_EID_SUPPORTED_REGULATORY_CLASSES,
1590 	};
1591 	static const u8 after_ric[] = {
1592 		WLAN_EID_SUPPORTED_REGULATORY_CLASSES,
1593 		WLAN_EID_HT_CAPABILITY,
1594 		WLAN_EID_BSS_COEX_2040,
1595 		/* luckily this is almost always there */
1596 		WLAN_EID_EXT_CAPABILITY,
1597 		WLAN_EID_QOS_TRAFFIC_CAPA,
1598 		WLAN_EID_TIM_BCAST_REQ,
1599 		WLAN_EID_INTERWORKING,
1600 		/* 60 GHz (Multi-band, DMG, MMS) can't happen */
1601 		WLAN_EID_VHT_CAPABILITY,
1602 		WLAN_EID_OPMODE_NOTIF,
1603 	};
1604 
1605 	if (!elems_len)
1606 		return offset;
1607 
1608 	noffset = ieee80211_ie_split_ric(elems, elems_len,
1609 					 before_ht,
1610 					 ARRAY_SIZE(before_ht),
1611 					 after_ric,
1612 					 ARRAY_SIZE(after_ric),
1613 					 offset);
1614 	skb_put_data(skb, elems + offset, noffset - offset);
1615 
1616 	return noffset;
1617 }
1618 
1619 static size_t ieee80211_add_before_vht_elems(struct sk_buff *skb,
1620 					     const u8 *elems,
1621 					     size_t elems_len,
1622 					     size_t offset)
1623 {
1624 	static const u8 before_vht[] = {
1625 		/*
1626 		 * no need to list the ones split off before HT
1627 		 * or generated here
1628 		 */
1629 		WLAN_EID_BSS_COEX_2040,
1630 		WLAN_EID_EXT_CAPABILITY,
1631 		WLAN_EID_QOS_TRAFFIC_CAPA,
1632 		WLAN_EID_TIM_BCAST_REQ,
1633 		WLAN_EID_INTERWORKING,
1634 		/* 60 GHz (Multi-band, DMG, MMS) can't happen */
1635 	};
1636 	size_t noffset;
1637 
1638 	if (!elems_len)
1639 		return offset;
1640 
1641 	/* RIC already taken care of in ieee80211_add_before_ht_elems() */
1642 	noffset = ieee80211_ie_split(elems, elems_len,
1643 				     before_vht, ARRAY_SIZE(before_vht),
1644 				     offset);
1645 	skb_put_data(skb, elems + offset, noffset - offset);
1646 
1647 	return noffset;
1648 }
1649 
1650 static size_t ieee80211_add_before_he_elems(struct sk_buff *skb,
1651 					    const u8 *elems,
1652 					    size_t elems_len,
1653 					    size_t offset)
1654 {
1655 	static const u8 before_he[] = {
1656 		/*
1657 		 * no need to list the ones split off before VHT
1658 		 * or generated here
1659 		 */
1660 		WLAN_EID_OPMODE_NOTIF,
1661 		WLAN_EID_EXTENSION, WLAN_EID_EXT_FUTURE_CHAN_GUIDANCE,
1662 		/* 11ai elements */
1663 		WLAN_EID_EXTENSION, WLAN_EID_EXT_FILS_SESSION,
1664 		WLAN_EID_EXTENSION, WLAN_EID_EXT_FILS_PUBLIC_KEY,
1665 		WLAN_EID_EXTENSION, WLAN_EID_EXT_FILS_KEY_CONFIRM,
1666 		WLAN_EID_EXTENSION, WLAN_EID_EXT_FILS_HLP_CONTAINER,
1667 		WLAN_EID_EXTENSION, WLAN_EID_EXT_FILS_IP_ADDR_ASSIGN,
1668 		/* TODO: add 11ah/11aj/11ak elements */
1669 	};
1670 	size_t noffset;
1671 
1672 	if (!elems_len)
1673 		return offset;
1674 
1675 	/* RIC already taken care of in ieee80211_add_before_ht_elems() */
1676 	noffset = ieee80211_ie_split(elems, elems_len,
1677 				     before_he, ARRAY_SIZE(before_he),
1678 				     offset);
1679 	skb_put_data(skb, elems + offset, noffset - offset);
1680 
1681 	return noffset;
1682 }
1683 
1684 static size_t ieee80211_add_before_reg_conn(struct sk_buff *skb,
1685 					    const u8 *elems, size_t elems_len,
1686 					    size_t offset)
1687 {
1688 	static const u8 before_reg_conn[] = {
1689 		/*
1690 		 * no need to list the ones split off before HE
1691 		 * or generated here
1692 		 */
1693 		WLAN_EID_EXTENSION, WLAN_EID_EXT_DH_PARAMETER,
1694 		WLAN_EID_EXTENSION, WLAN_EID_EXT_KNOWN_STA_IDENTIFCATION,
1695 	};
1696 	size_t noffset;
1697 
1698 	if (!elems_len)
1699 		return offset;
1700 
1701 	noffset = ieee80211_ie_split(elems, elems_len, before_reg_conn,
1702 				     ARRAY_SIZE(before_reg_conn), offset);
1703 	skb_put_data(skb, elems + offset, noffset - offset);
1704 
1705 	return noffset;
1706 }
1707 
1708 #define PRESENT_ELEMS_MAX	8
1709 #define PRESENT_ELEM_EXT_OFFS	0x100
1710 
1711 static void
1712 ieee80211_assoc_add_ml_elem(struct ieee80211_sub_if_data *sdata,
1713 			    struct sk_buff *skb, u16 capab,
1714 			    const struct element *ext_capa,
1715 			    const u16 *present_elems,
1716 			    struct ieee80211_mgd_assoc_data *assoc_data);
1717 
1718 static size_t
1719 ieee80211_add_link_elems(struct ieee80211_sub_if_data *sdata,
1720 			 struct sk_buff *skb, u16 *capab,
1721 			 const struct element *ext_capa,
1722 			 const u8 *extra_elems,
1723 			 size_t extra_elems_len,
1724 			 unsigned int link_id,
1725 			 struct ieee80211_link_data *link,
1726 			 u16 *present_elems,
1727 			 struct ieee80211_mgd_assoc_data *assoc_data)
1728 {
1729 	enum nl80211_iftype iftype = ieee80211_vif_type_p2p(&sdata->vif);
1730 	struct cfg80211_bss *cbss = assoc_data->link[link_id].bss;
1731 	struct ieee80211_channel *chan = cbss->channel;
1732 	const struct ieee80211_sband_iftype_data *iftd;
1733 	struct ieee80211_local *local = sdata->local;
1734 	struct ieee80211_supported_band *sband;
1735 	enum nl80211_chan_width width = NL80211_CHAN_WIDTH_20;
1736 	struct ieee80211_chanctx_conf *chanctx_conf;
1737 	enum ieee80211_smps_mode smps_mode;
1738 	u16 orig_capab = *capab;
1739 	size_t offset = 0;
1740 	int present_elems_len = 0;
1741 	u8 *pos;
1742 	int i;
1743 
1744 #define ADD_PRESENT_ELEM(id) do {					\
1745 	/* need a last for termination - we use 0 == SSID */		\
1746 	if (!WARN_ON(present_elems_len >= PRESENT_ELEMS_MAX - 1))	\
1747 		present_elems[present_elems_len++] = (id);		\
1748 } while (0)
1749 #define ADD_PRESENT_EXT_ELEM(id) ADD_PRESENT_ELEM(PRESENT_ELEM_EXT_OFFS | (id))
1750 
1751 	if (link)
1752 		smps_mode = link->smps_mode;
1753 	else if (sdata->u.mgd.powersave)
1754 		smps_mode = IEEE80211_SMPS_DYNAMIC;
1755 	else
1756 		smps_mode = IEEE80211_SMPS_OFF;
1757 
1758 	if (link) {
1759 		/*
1760 		 * 5/10 MHz scenarios are only viable without MLO, in which
1761 		 * case this pointer should be used ... All of this is a bit
1762 		 * unclear though, not sure this even works at all.
1763 		 */
1764 		rcu_read_lock();
1765 		chanctx_conf = rcu_dereference(link->conf->chanctx_conf);
1766 		if (chanctx_conf)
1767 			width = chanctx_conf->def.width;
1768 		rcu_read_unlock();
1769 	}
1770 
1771 	sband = local->hw.wiphy->bands[chan->band];
1772 	iftd = ieee80211_get_sband_iftype_data(sband, iftype);
1773 
1774 	if (sband->band == NL80211_BAND_2GHZ) {
1775 		*capab |= WLAN_CAPABILITY_SHORT_SLOT_TIME;
1776 		*capab |= WLAN_CAPABILITY_SHORT_PREAMBLE;
1777 	}
1778 
1779 	if ((cbss->capability & WLAN_CAPABILITY_SPECTRUM_MGMT) &&
1780 	    ieee80211_hw_check(&local->hw, SPECTRUM_MGMT))
1781 		*capab |= WLAN_CAPABILITY_SPECTRUM_MGMT;
1782 
1783 	if (sband->band != NL80211_BAND_S1GHZ)
1784 		ieee80211_assoc_add_rates(local, skb, width, sband, assoc_data);
1785 
1786 	if (*capab & WLAN_CAPABILITY_SPECTRUM_MGMT ||
1787 	    *capab & WLAN_CAPABILITY_RADIO_MEASURE) {
1788 		struct cfg80211_chan_def chandef = {
1789 			.width = width,
1790 			.chan = chan,
1791 		};
1792 
1793 		pos = skb_put(skb, 4);
1794 		*pos++ = WLAN_EID_PWR_CAPABILITY;
1795 		*pos++ = 2;
1796 		*pos++ = 0; /* min tx power */
1797 		 /* max tx power */
1798 		*pos++ = ieee80211_chandef_max_power(&chandef);
1799 		ADD_PRESENT_ELEM(WLAN_EID_PWR_CAPABILITY);
1800 	}
1801 
1802 	/*
1803 	 * Per spec, we shouldn't include the list of channels if we advertise
1804 	 * support for extended channel switching, but we've always done that;
1805 	 * (for now?) apply this restriction only on the (new) 6 GHz band.
1806 	 */
1807 	if (*capab & WLAN_CAPABILITY_SPECTRUM_MGMT &&
1808 	    (sband->band != NL80211_BAND_6GHZ ||
1809 	     !ext_capa || ext_capa->datalen < 1 ||
1810 	     !(ext_capa->data[0] & WLAN_EXT_CAPA1_EXT_CHANNEL_SWITCHING))) {
1811 		/* TODO: get this in reg domain format */
1812 		pos = skb_put(skb, 2 * sband->n_channels + 2);
1813 		*pos++ = WLAN_EID_SUPPORTED_CHANNELS;
1814 		*pos++ = 2 * sband->n_channels;
1815 		for (i = 0; i < sband->n_channels; i++) {
1816 			int cf = sband->channels[i].center_freq;
1817 
1818 			*pos++ = ieee80211_frequency_to_channel(cf);
1819 			*pos++ = 1; /* one channel in the subband*/
1820 		}
1821 		ADD_PRESENT_ELEM(WLAN_EID_SUPPORTED_CHANNELS);
1822 	}
1823 
1824 	/* if present, add any custom IEs that go before HT */
1825 	offset = ieee80211_add_before_ht_elems(skb, extra_elems,
1826 					       extra_elems_len,
1827 					       offset);
1828 
1829 	if (sband->band != NL80211_BAND_6GHZ &&
1830 	    assoc_data->link[link_id].conn.mode >= IEEE80211_CONN_MODE_HT) {
1831 		ieee80211_add_ht_ie(sdata, skb,
1832 				    assoc_data->link[link_id].ap_ht_param,
1833 				    sband, chan, smps_mode,
1834 				    &assoc_data->link[link_id].conn);
1835 		ADD_PRESENT_ELEM(WLAN_EID_HT_CAPABILITY);
1836 	}
1837 
1838 	/* if present, add any custom IEs that go before VHT */
1839 	offset = ieee80211_add_before_vht_elems(skb, extra_elems,
1840 						extra_elems_len,
1841 						offset);
1842 
1843 	if (sband->band != NL80211_BAND_6GHZ &&
1844 	    assoc_data->link[link_id].conn.mode >= IEEE80211_CONN_MODE_VHT &&
1845 	    sband->vht_cap.vht_supported) {
1846 		bool mu_mimo_owner =
1847 			ieee80211_add_vht_ie(sdata, skb, sband,
1848 					     &assoc_data->link[link_id].ap_vht_cap,
1849 					     &assoc_data->link[link_id].conn);
1850 
1851 		if (link)
1852 			link->conf->mu_mimo_owner = mu_mimo_owner;
1853 		ADD_PRESENT_ELEM(WLAN_EID_VHT_CAPABILITY);
1854 	}
1855 
1856 	/* if present, add any custom IEs that go before HE */
1857 	offset = ieee80211_add_before_he_elems(skb, extra_elems,
1858 					       extra_elems_len,
1859 					       offset);
1860 
1861 	if (assoc_data->link[link_id].conn.mode >= IEEE80211_CONN_MODE_HE) {
1862 		ieee80211_put_he_cap(skb, sdata, sband,
1863 				     &assoc_data->link[link_id].conn);
1864 		ADD_PRESENT_EXT_ELEM(WLAN_EID_EXT_HE_CAPABILITY);
1865 		if (sband->band == NL80211_BAND_6GHZ)
1866 			ieee80211_put_he_6ghz_cap(skb, sdata, smps_mode);
1867 	}
1868 
1869 	/*
1870 	 * if present, add any custom IEs that go before regulatory
1871 	 * connectivity element
1872 	 */
1873 	offset = ieee80211_add_before_reg_conn(skb, extra_elems,
1874 					       extra_elems_len, offset);
1875 
1876 	if (sband->band == NL80211_BAND_6GHZ) {
1877 		/*
1878 		 * as per Section E.2.7 of IEEE 802.11 REVme D7.0, non-AP STA
1879 		 * capable of operating on the 6 GHz band shall transmit
1880 		 * regulatory connectivity element.
1881 		 */
1882 		ieee80211_put_reg_conn(skb, chan->flags);
1883 	}
1884 
1885 	/*
1886 	 * careful - need to know about all the present elems before
1887 	 * calling ieee80211_assoc_add_ml_elem(), so add this one if
1888 	 * we're going to put it after the ML element
1889 	 */
1890 	if (assoc_data->link[link_id].conn.mode >= IEEE80211_CONN_MODE_EHT)
1891 		ADD_PRESENT_EXT_ELEM(WLAN_EID_EXT_EHT_CAPABILITY);
1892 
1893 	if (link_id == assoc_data->assoc_link_id)
1894 		ieee80211_assoc_add_ml_elem(sdata, skb, orig_capab, ext_capa,
1895 					    present_elems, assoc_data);
1896 
1897 	/* crash if somebody gets it wrong */
1898 	present_elems = NULL;
1899 
1900 	if (assoc_data->link[link_id].conn.mode >= IEEE80211_CONN_MODE_EHT)
1901 		ieee80211_put_eht_cap(skb, sdata, sband,
1902 				      &assoc_data->link[link_id].conn);
1903 
1904 	if (sband->band == NL80211_BAND_S1GHZ) {
1905 		ieee80211_add_aid_request_ie(sdata, skb);
1906 		ieee80211_add_s1g_capab_ie(sdata, &sband->s1g_cap, skb);
1907 	}
1908 
1909 	if (iftd && iftd->vendor_elems.data && iftd->vendor_elems.len)
1910 		skb_put_data(skb, iftd->vendor_elems.data, iftd->vendor_elems.len);
1911 
1912 	return offset;
1913 }
1914 
1915 static void ieee80211_add_non_inheritance_elem(struct sk_buff *skb,
1916 					       const u16 *outer,
1917 					       const u16 *inner)
1918 {
1919 	unsigned int skb_len = skb->len;
1920 	bool at_extension = false;
1921 	bool added = false;
1922 	int i, j;
1923 	u8 *len, *list_len = NULL;
1924 
1925 	skb_put_u8(skb, WLAN_EID_EXTENSION);
1926 	len = skb_put(skb, 1);
1927 	skb_put_u8(skb, WLAN_EID_EXT_NON_INHERITANCE);
1928 
1929 	for (i = 0; i < PRESENT_ELEMS_MAX && outer[i]; i++) {
1930 		u16 elem = outer[i];
1931 		bool have_inner = false;
1932 
1933 		/* should at least be sorted in the sense of normal -> ext */
1934 		WARN_ON(at_extension && elem < PRESENT_ELEM_EXT_OFFS);
1935 
1936 		/* switch to extension list */
1937 		if (!at_extension && elem >= PRESENT_ELEM_EXT_OFFS) {
1938 			at_extension = true;
1939 			if (!list_len)
1940 				skb_put_u8(skb, 0);
1941 			list_len = NULL;
1942 		}
1943 
1944 		for (j = 0; j < PRESENT_ELEMS_MAX && inner[j]; j++) {
1945 			if (elem == inner[j]) {
1946 				have_inner = true;
1947 				break;
1948 			}
1949 		}
1950 
1951 		if (have_inner)
1952 			continue;
1953 
1954 		if (!list_len) {
1955 			list_len = skb_put(skb, 1);
1956 			*list_len = 0;
1957 		}
1958 		*list_len += 1;
1959 		skb_put_u8(skb, (u8)elem);
1960 		added = true;
1961 	}
1962 
1963 	/* if we added a list but no extension list, make a zero-len one */
1964 	if (added && (!at_extension || !list_len))
1965 		skb_put_u8(skb, 0);
1966 
1967 	/* if nothing added remove extension element completely */
1968 	if (!added)
1969 		skb_trim(skb, skb_len);
1970 	else
1971 		*len = skb->len - skb_len - 2;
1972 }
1973 
1974 static void
1975 ieee80211_assoc_add_ml_elem(struct ieee80211_sub_if_data *sdata,
1976 			    struct sk_buff *skb, u16 capab,
1977 			    const struct element *ext_capa,
1978 			    const u16 *outer_present_elems,
1979 			    struct ieee80211_mgd_assoc_data *assoc_data)
1980 {
1981 	struct ieee80211_local *local = sdata->local;
1982 	struct ieee80211_multi_link_elem *ml_elem;
1983 	struct ieee80211_mle_basic_common_info *common;
1984 	const struct wiphy_iftype_ext_capab *ift_ext_capa;
1985 	__le16 eml_capa = 0, mld_capa_ops = 0;
1986 	unsigned int link_id;
1987 	u8 *ml_elem_len;
1988 	void *capab_pos;
1989 
1990 	if (!ieee80211_vif_is_mld(&sdata->vif))
1991 		return;
1992 
1993 	ift_ext_capa = cfg80211_get_iftype_ext_capa(local->hw.wiphy,
1994 						    ieee80211_vif_type_p2p(&sdata->vif));
1995 	if (ift_ext_capa) {
1996 		eml_capa = cpu_to_le16(ift_ext_capa->eml_capabilities);
1997 		mld_capa_ops = cpu_to_le16(ift_ext_capa->mld_capa_and_ops);
1998 	}
1999 
2000 	skb_put_u8(skb, WLAN_EID_EXTENSION);
2001 	ml_elem_len = skb_put(skb, 1);
2002 	skb_put_u8(skb, WLAN_EID_EXT_EHT_MULTI_LINK);
2003 	ml_elem = skb_put(skb, sizeof(*ml_elem));
2004 	ml_elem->control =
2005 		cpu_to_le16(IEEE80211_ML_CONTROL_TYPE_BASIC |
2006 			    IEEE80211_MLC_BASIC_PRES_MLD_CAPA_OP);
2007 	common = skb_put(skb, sizeof(*common));
2008 	common->len = sizeof(*common) +
2009 		      2;  /* MLD capa/ops */
2010 	memcpy(common->mld_mac_addr, sdata->vif.addr, ETH_ALEN);
2011 
2012 	/* add EML_CAPA only if needed, see Draft P802.11be_D2.1, 35.3.17 */
2013 	if (eml_capa &
2014 	    cpu_to_le16((IEEE80211_EML_CAP_EMLSR_SUPP |
2015 			 IEEE80211_EML_CAP_EMLMR_SUPPORT))) {
2016 		common->len += 2; /* EML capabilities */
2017 		ml_elem->control |=
2018 			cpu_to_le16(IEEE80211_MLC_BASIC_PRES_EML_CAPA);
2019 		skb_put_data(skb, &eml_capa, sizeof(eml_capa));
2020 	}
2021 	skb_put_data(skb, &mld_capa_ops, sizeof(mld_capa_ops));
2022 
2023 	if (assoc_data->ext_mld_capa_ops) {
2024 		ml_elem->control |=
2025 			cpu_to_le16(IEEE80211_MLC_BASIC_PRES_EXT_MLD_CAPA_OP);
2026 		common->len += 2;
2027 		skb_put_data(skb, &assoc_data->ext_mld_capa_ops,
2028 			     sizeof(assoc_data->ext_mld_capa_ops));
2029 	}
2030 
2031 	for (link_id = 0; link_id < IEEE80211_MLD_MAX_NUM_LINKS; link_id++) {
2032 		u16 link_present_elems[PRESENT_ELEMS_MAX] = {};
2033 		const u8 *extra_elems;
2034 		size_t extra_elems_len;
2035 		size_t extra_used;
2036 		u8 *subelem_len = NULL;
2037 		__le16 ctrl;
2038 
2039 		if (!assoc_data->link[link_id].bss ||
2040 		    link_id == assoc_data->assoc_link_id)
2041 			continue;
2042 
2043 		extra_elems = assoc_data->link[link_id].elems;
2044 		extra_elems_len = assoc_data->link[link_id].elems_len;
2045 
2046 		skb_put_u8(skb, IEEE80211_MLE_SUBELEM_PER_STA_PROFILE);
2047 		subelem_len = skb_put(skb, 1);
2048 
2049 		ctrl = cpu_to_le16(link_id |
2050 				   IEEE80211_MLE_STA_CONTROL_COMPLETE_PROFILE |
2051 				   IEEE80211_MLE_STA_CONTROL_STA_MAC_ADDR_PRESENT);
2052 		skb_put_data(skb, &ctrl, sizeof(ctrl));
2053 		skb_put_u8(skb, 1 + ETH_ALEN); /* STA Info Length */
2054 		skb_put_data(skb, assoc_data->link[link_id].addr,
2055 			     ETH_ALEN);
2056 		/*
2057 		 * Now add the contents of the (re)association request,
2058 		 * but the "listen interval" and "current AP address"
2059 		 * (if applicable) are skipped. So we only have
2060 		 * the capability field (remember the position and fill
2061 		 * later), followed by the elements added below by
2062 		 * calling ieee80211_add_link_elems().
2063 		 */
2064 		capab_pos = skb_put(skb, 2);
2065 
2066 		extra_used = ieee80211_add_link_elems(sdata, skb, &capab,
2067 						      ext_capa,
2068 						      extra_elems,
2069 						      extra_elems_len,
2070 						      link_id, NULL,
2071 						      link_present_elems,
2072 						      assoc_data);
2073 		if (extra_elems)
2074 			skb_put_data(skb, extra_elems + extra_used,
2075 				     extra_elems_len - extra_used);
2076 
2077 		put_unaligned_le16(capab, capab_pos);
2078 
2079 		ieee80211_add_non_inheritance_elem(skb, outer_present_elems,
2080 						   link_present_elems);
2081 
2082 		ieee80211_fragment_element(skb, subelem_len,
2083 					   IEEE80211_MLE_SUBELEM_FRAGMENT);
2084 	}
2085 
2086 	ieee80211_fragment_element(skb, ml_elem_len, WLAN_EID_FRAGMENT);
2087 }
2088 
2089 static int
2090 ieee80211_link_common_elems_size(struct ieee80211_sub_if_data *sdata,
2091 				 enum nl80211_iftype iftype,
2092 				 struct cfg80211_bss *cbss,
2093 				 size_t elems_len)
2094 {
2095 	struct ieee80211_local *local = sdata->local;
2096 	const struct ieee80211_sband_iftype_data *iftd;
2097 	struct ieee80211_supported_band *sband;
2098 	size_t size = 0;
2099 
2100 	if (!cbss)
2101 		return size;
2102 
2103 	sband = local->hw.wiphy->bands[cbss->channel->band];
2104 
2105 	/* add STA profile elements length */
2106 	size += elems_len;
2107 
2108 	/* and supported rates length */
2109 	size += 4 + sband->n_bitrates;
2110 
2111 	/* supported channels */
2112 	size += 2 + 2 * sband->n_channels;
2113 
2114 	iftd = ieee80211_get_sband_iftype_data(sband, iftype);
2115 	if (iftd)
2116 		size += iftd->vendor_elems.len;
2117 
2118 	/* power capability */
2119 	size += 4;
2120 
2121 	/* HT, VHT, HE, EHT */
2122 	size += 2 + sizeof(struct ieee80211_ht_cap);
2123 	size += 2 + sizeof(struct ieee80211_vht_cap);
2124 	size += 2 + 1 + sizeof(struct ieee80211_he_cap_elem) +
2125 		sizeof(struct ieee80211_he_mcs_nss_supp) +
2126 		IEEE80211_HE_PPE_THRES_MAX_LEN;
2127 
2128 	if (sband->band == NL80211_BAND_6GHZ) {
2129 		size += 2 + 1 + sizeof(struct ieee80211_he_6ghz_capa);
2130 		/* reg connection */
2131 		size += 4;
2132 	}
2133 
2134 	size += 2 + 1 + sizeof(struct ieee80211_eht_cap_elem) +
2135 		sizeof(struct ieee80211_eht_mcs_nss_supp) +
2136 		IEEE80211_EHT_PPE_THRES_MAX_LEN;
2137 
2138 	return size;
2139 }
2140 
2141 static int ieee80211_send_assoc(struct ieee80211_sub_if_data *sdata)
2142 {
2143 	struct ieee80211_local *local = sdata->local;
2144 	struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
2145 	struct ieee80211_mgd_assoc_data *assoc_data = ifmgd->assoc_data;
2146 	struct ieee80211_link_data *link;
2147 	struct sk_buff *skb;
2148 	struct ieee80211_mgmt *mgmt;
2149 	u8 *pos, qos_info, *ie_start;
2150 	size_t offset, noffset;
2151 	u16 capab = 0, link_capab;
2152 	__le16 listen_int;
2153 	struct element *ext_capa = NULL;
2154 	enum nl80211_iftype iftype = ieee80211_vif_type_p2p(&sdata->vif);
2155 	struct ieee80211_prep_tx_info info = {};
2156 	unsigned int link_id, n_links = 0;
2157 	u16 present_elems[PRESENT_ELEMS_MAX] = {};
2158 	void *capab_pos;
2159 	size_t size;
2160 	int ret;
2161 
2162 	/* we know it's writable, cast away the const */
2163 	if (assoc_data->ie_len)
2164 		ext_capa = (void *)cfg80211_find_elem(WLAN_EID_EXT_CAPABILITY,
2165 						      assoc_data->ie,
2166 						      assoc_data->ie_len);
2167 
2168 	lockdep_assert_wiphy(sdata->local->hw.wiphy);
2169 
2170 	size = local->hw.extra_tx_headroom +
2171 	       sizeof(*mgmt) + /* bit too much but doesn't matter */
2172 	       2 + assoc_data->ssid_len + /* SSID */
2173 	       assoc_data->ie_len + /* extra IEs */
2174 	       (assoc_data->fils_kek_len ? 16 /* AES-SIV */ : 0) +
2175 	       9; /* WMM */
2176 
2177 	for (link_id = 0; link_id < IEEE80211_MLD_MAX_NUM_LINKS; link_id++) {
2178 		struct cfg80211_bss *cbss = assoc_data->link[link_id].bss;
2179 		size_t elems_len = assoc_data->link[link_id].elems_len;
2180 
2181 		if (!cbss)
2182 			continue;
2183 
2184 		n_links++;
2185 
2186 		size += ieee80211_link_common_elems_size(sdata, iftype, cbss,
2187 							 elems_len);
2188 
2189 		/* non-inheritance element */
2190 		size += 2 + 2 + PRESENT_ELEMS_MAX;
2191 
2192 		/* should be the same across all BSSes */
2193 		if (cbss->capability & WLAN_CAPABILITY_PRIVACY)
2194 			capab |= WLAN_CAPABILITY_PRIVACY;
2195 	}
2196 
2197 	if (ieee80211_vif_is_mld(&sdata->vif)) {
2198 		/* consider the multi-link element with STA profile */
2199 		size += sizeof(struct ieee80211_multi_link_elem);
2200 		/* max common info field in basic multi-link element */
2201 		size += sizeof(struct ieee80211_mle_basic_common_info) +
2202 			2 + /* capa & op */
2203 			2 + /* ext capa & op */
2204 			2; /* EML capa */
2205 
2206 		/* The capability elements were already considered above */
2207 		size += (n_links - 1) *
2208 			(1 + 1 + /* subelement ID/length */
2209 			 2 + /* STA control */
2210 			 1 + ETH_ALEN + 2 /* STA Info field */);
2211 	}
2212 
2213 	link = sdata_dereference(sdata->link[assoc_data->assoc_link_id], sdata);
2214 	if (WARN_ON(!link))
2215 		return -EINVAL;
2216 
2217 	if (WARN_ON(!assoc_data->link[assoc_data->assoc_link_id].bss))
2218 		return -EINVAL;
2219 
2220 	skb = alloc_skb(size, GFP_KERNEL);
2221 	if (!skb)
2222 		return -ENOMEM;
2223 
2224 	skb_reserve(skb, local->hw.extra_tx_headroom);
2225 
2226 	if (ifmgd->flags & IEEE80211_STA_ENABLE_RRM)
2227 		capab |= WLAN_CAPABILITY_RADIO_MEASURE;
2228 
2229 	/* Set MBSSID support for HE AP if needed */
2230 	if (ieee80211_hw_check(&local->hw, SUPPORTS_ONLY_HE_MULTI_BSSID) &&
2231 	    link->u.mgd.conn.mode >= IEEE80211_CONN_MODE_HE &&
2232 	    ext_capa && ext_capa->datalen >= 3)
2233 		ext_capa->data[2] |= WLAN_EXT_CAPA3_MULTI_BSSID_SUPPORT;
2234 
2235 	mgmt = skb_put_zero(skb, 24);
2236 	memcpy(mgmt->da, sdata->vif.cfg.ap_addr, ETH_ALEN);
2237 	memcpy(mgmt->sa, sdata->vif.addr, ETH_ALEN);
2238 	memcpy(mgmt->bssid, sdata->vif.cfg.ap_addr, ETH_ALEN);
2239 
2240 	listen_int = cpu_to_le16(assoc_data->s1g ?
2241 			ieee80211_encode_usf(local->hw.conf.listen_interval) :
2242 			local->hw.conf.listen_interval);
2243 	if (!is_zero_ether_addr(assoc_data->prev_ap_addr)) {
2244 		skb_put(skb, 10);
2245 		mgmt->frame_control = cpu_to_le16(IEEE80211_FTYPE_MGMT |
2246 						  IEEE80211_STYPE_REASSOC_REQ);
2247 		capab_pos = &mgmt->u.reassoc_req.capab_info;
2248 		mgmt->u.reassoc_req.listen_interval = listen_int;
2249 		memcpy(mgmt->u.reassoc_req.current_ap,
2250 		       assoc_data->prev_ap_addr, ETH_ALEN);
2251 		info.subtype = IEEE80211_STYPE_REASSOC_REQ;
2252 	} else {
2253 		skb_put(skb, 4);
2254 		mgmt->frame_control = cpu_to_le16(IEEE80211_FTYPE_MGMT |
2255 						  IEEE80211_STYPE_ASSOC_REQ);
2256 		capab_pos = &mgmt->u.assoc_req.capab_info;
2257 		mgmt->u.assoc_req.listen_interval = listen_int;
2258 		info.subtype = IEEE80211_STYPE_ASSOC_REQ;
2259 	}
2260 
2261 	/* SSID */
2262 	pos = skb_put(skb, 2 + assoc_data->ssid_len);
2263 	ie_start = pos;
2264 	*pos++ = WLAN_EID_SSID;
2265 	*pos++ = assoc_data->ssid_len;
2266 	memcpy(pos, assoc_data->ssid, assoc_data->ssid_len);
2267 
2268 	/*
2269 	 * This bit is technically reserved, so it shouldn't matter for either
2270 	 * the AP or us, but it also means we shouldn't set it. However, we've
2271 	 * always set it in the past, and apparently some EHT APs check that
2272 	 * we don't set it. To avoid interoperability issues with old APs that
2273 	 * for some reason check it and want it to be set, set the bit for all
2274 	 * pre-EHT connections as we used to do.
2275 	 */
2276 	if (link->u.mgd.conn.mode < IEEE80211_CONN_MODE_EHT &&
2277 	    !ieee80211_hw_check(&local->hw, STRICT))
2278 		capab |= WLAN_CAPABILITY_ESS;
2279 
2280 	/* add the elements for the assoc (main) link */
2281 	link_capab = capab;
2282 	offset = ieee80211_add_link_elems(sdata, skb, &link_capab,
2283 					  ext_capa,
2284 					  assoc_data->ie,
2285 					  assoc_data->ie_len,
2286 					  assoc_data->assoc_link_id, link,
2287 					  present_elems, assoc_data);
2288 	put_unaligned_le16(link_capab, capab_pos);
2289 
2290 	/* if present, add any custom non-vendor IEs */
2291 	if (assoc_data->ie_len) {
2292 		noffset = ieee80211_ie_split_vendor(assoc_data->ie,
2293 						    assoc_data->ie_len,
2294 						    offset);
2295 		skb_put_data(skb, assoc_data->ie + offset, noffset - offset);
2296 		offset = noffset;
2297 	}
2298 
2299 	if (assoc_data->wmm) {
2300 		if (assoc_data->uapsd) {
2301 			qos_info = ifmgd->uapsd_queues;
2302 			qos_info |= (ifmgd->uapsd_max_sp_len <<
2303 				     IEEE80211_WMM_IE_STA_QOSINFO_SP_SHIFT);
2304 		} else {
2305 			qos_info = 0;
2306 		}
2307 
2308 		pos = ieee80211_add_wmm_info_ie(skb_put(skb, 9), qos_info);
2309 	}
2310 
2311 	/* add any remaining custom (i.e. vendor specific here) IEs */
2312 	if (assoc_data->ie_len) {
2313 		noffset = assoc_data->ie_len;
2314 		skb_put_data(skb, assoc_data->ie + offset, noffset - offset);
2315 	}
2316 
2317 	if (assoc_data->fils_kek_len) {
2318 		ret = fils_encrypt_assoc_req(skb, assoc_data);
2319 		if (ret < 0) {
2320 			dev_kfree_skb(skb);
2321 			return ret;
2322 		}
2323 	}
2324 
2325 	pos = skb_tail_pointer(skb);
2326 	kfree(ifmgd->assoc_req_ies);
2327 	ifmgd->assoc_req_ies = kmemdup(ie_start, pos - ie_start, GFP_ATOMIC);
2328 	if (!ifmgd->assoc_req_ies) {
2329 		dev_kfree_skb(skb);
2330 		return -ENOMEM;
2331 	}
2332 
2333 	ifmgd->assoc_req_ies_len = pos - ie_start;
2334 
2335 	info.link_id = assoc_data->assoc_link_id;
2336 	drv_mgd_prepare_tx(local, sdata, &info);
2337 
2338 	IEEE80211_SKB_CB(skb)->flags |= IEEE80211_TX_INTFL_DONT_ENCRYPT;
2339 	if (ieee80211_hw_check(&local->hw, REPORTS_TX_ACK_STATUS))
2340 		IEEE80211_SKB_CB(skb)->flags |= IEEE80211_TX_CTL_REQ_TX_STATUS |
2341 						IEEE80211_TX_INTFL_MLME_CONN_TX;
2342 	ieee80211_tx_skb(sdata, skb);
2343 
2344 	return 0;
2345 }
2346 
2347 void ieee80211_send_pspoll(struct ieee80211_local *local,
2348 			   struct ieee80211_sub_if_data *sdata)
2349 {
2350 	struct ieee80211_pspoll *pspoll;
2351 	struct sk_buff *skb;
2352 
2353 	skb = ieee80211_pspoll_get(&local->hw, &sdata->vif);
2354 	if (!skb)
2355 		return;
2356 
2357 	pspoll = (struct ieee80211_pspoll *) skb->data;
2358 	pspoll->frame_control |= cpu_to_le16(IEEE80211_FCTL_PM);
2359 
2360 	IEEE80211_SKB_CB(skb)->flags |= IEEE80211_TX_INTFL_DONT_ENCRYPT;
2361 	ieee80211_tx_skb(sdata, skb);
2362 }
2363 
2364 void ieee80211_send_nullfunc(struct ieee80211_local *local,
2365 			     struct ieee80211_sub_if_data *sdata,
2366 			     bool powersave)
2367 {
2368 	struct sk_buff *skb;
2369 	struct ieee80211_hdr_3addr *nullfunc;
2370 	struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
2371 
2372 	skb = ieee80211_nullfunc_get(&local->hw, &sdata->vif, -1,
2373 				     !ieee80211_hw_check(&local->hw,
2374 							 DOESNT_SUPPORT_QOS_NDP));
2375 	if (!skb)
2376 		return;
2377 
2378 	nullfunc = (struct ieee80211_hdr_3addr *) skb->data;
2379 	if (powersave)
2380 		nullfunc->frame_control |= cpu_to_le16(IEEE80211_FCTL_PM);
2381 
2382 	IEEE80211_SKB_CB(skb)->flags |= IEEE80211_TX_INTFL_DONT_ENCRYPT |
2383 					IEEE80211_TX_INTFL_OFFCHAN_TX_OK;
2384 
2385 	if (ieee80211_hw_check(&local->hw, REPORTS_TX_ACK_STATUS))
2386 		IEEE80211_SKB_CB(skb)->flags |= IEEE80211_TX_CTL_REQ_TX_STATUS;
2387 
2388 	if (ifmgd->flags & IEEE80211_STA_CONNECTION_POLL)
2389 		IEEE80211_SKB_CB(skb)->flags |= IEEE80211_TX_CTL_USE_MINRATE;
2390 
2391 	ieee80211_tx_skb(sdata, skb);
2392 }
2393 
2394 void ieee80211_send_4addr_nullfunc(struct ieee80211_local *local,
2395 				   struct ieee80211_sub_if_data *sdata)
2396 {
2397 	struct sk_buff *skb;
2398 	struct ieee80211_hdr *nullfunc;
2399 	__le16 fc;
2400 
2401 	if (WARN_ON(sdata->vif.type != NL80211_IFTYPE_STATION))
2402 		return;
2403 
2404 	skb = dev_alloc_skb(local->hw.extra_tx_headroom + 30);
2405 	if (!skb)
2406 		return;
2407 
2408 	skb_reserve(skb, local->hw.extra_tx_headroom);
2409 
2410 	nullfunc = skb_put_zero(skb, 30);
2411 	fc = cpu_to_le16(IEEE80211_FTYPE_DATA | IEEE80211_STYPE_NULLFUNC |
2412 			 IEEE80211_FCTL_FROMDS | IEEE80211_FCTL_TODS);
2413 	nullfunc->frame_control = fc;
2414 	memcpy(nullfunc->addr1, sdata->deflink.u.mgd.bssid, ETH_ALEN);
2415 	memcpy(nullfunc->addr2, sdata->vif.addr, ETH_ALEN);
2416 	memcpy(nullfunc->addr3, sdata->deflink.u.mgd.bssid, ETH_ALEN);
2417 	memcpy(nullfunc->addr4, sdata->vif.addr, ETH_ALEN);
2418 
2419 	IEEE80211_SKB_CB(skb)->flags |= IEEE80211_TX_INTFL_DONT_ENCRYPT;
2420 	IEEE80211_SKB_CB(skb)->flags |= IEEE80211_TX_CTL_USE_MINRATE;
2421 	ieee80211_tx_skb(sdata, skb);
2422 }
2423 
2424 /* spectrum management related things */
2425 static void ieee80211_csa_switch_work(struct wiphy *wiphy,
2426 				      struct wiphy_work *work)
2427 {
2428 	struct ieee80211_link_data *link =
2429 		container_of(work, struct ieee80211_link_data,
2430 			     u.mgd.csa.switch_work.work);
2431 	struct ieee80211_sub_if_data *sdata = link->sdata;
2432 	struct ieee80211_local *local = sdata->local;
2433 	struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
2434 	int ret;
2435 
2436 	if (!ieee80211_sdata_running(sdata))
2437 		return;
2438 
2439 	lockdep_assert_wiphy(local->hw.wiphy);
2440 
2441 	if (!ifmgd->associated)
2442 		return;
2443 
2444 	if (!link->conf->csa_active)
2445 		return;
2446 
2447 	/*
2448 	 * If the link isn't active (now), we cannot wait for beacons, won't
2449 	 * have a reserved chanctx, etc. Just switch over the chandef and
2450 	 * update cfg80211 directly.
2451 	 */
2452 	if (!ieee80211_vif_link_active(&sdata->vif, link->link_id)) {
2453 		struct link_sta_info *link_sta;
2454 		struct sta_info *ap_sta;
2455 
2456 		link->conf->chanreq = link->csa.chanreq;
2457 		cfg80211_ch_switch_notify(sdata->dev, &link->csa.chanreq.oper,
2458 					  link->link_id);
2459 		link->conf->csa_active = false;
2460 
2461 		ap_sta = sta_info_get(sdata, sdata->vif.cfg.ap_addr);
2462 		if (WARN_ON(!ap_sta))
2463 			return;
2464 
2465 		link_sta = wiphy_dereference(wiphy,
2466 					     ap_sta->link[link->link_id]);
2467 		if (WARN_ON(!link_sta))
2468 			return;
2469 
2470 		link_sta->pub->bandwidth =
2471 			_ieee80211_sta_cur_vht_bw(link_sta,
2472 						  &link->csa.chanreq.oper);
2473 		return;
2474 	}
2475 
2476 	/*
2477 	 * using reservation isn't immediate as it may be deferred until later
2478 	 * with multi-vif. once reservation is complete it will re-schedule the
2479 	 * work with no reserved_chanctx so verify chandef to check if it
2480 	 * completed successfully
2481 	 */
2482 
2483 	if (link->reserved_chanctx) {
2484 		/*
2485 		 * with multi-vif csa driver may call ieee80211_csa_finish()
2486 		 * many times while waiting for other interfaces to use their
2487 		 * reservations
2488 		 */
2489 		if (link->reserved_ready)
2490 			return;
2491 
2492 		ret = ieee80211_link_use_reserved_context(link);
2493 		if (ret) {
2494 			link_info(link,
2495 				  "failed to use reserved channel context, disconnecting (err=%d)\n",
2496 				  ret);
2497 			wiphy_work_queue(sdata->local->hw.wiphy,
2498 					 &ifmgd->csa_connection_drop_work);
2499 		}
2500 		return;
2501 	}
2502 
2503 	if (!ieee80211_chanreq_identical(&link->conf->chanreq,
2504 					 &link->csa.chanreq)) {
2505 		link_info(link,
2506 			  "failed to finalize channel switch, disconnecting\n");
2507 		wiphy_work_queue(sdata->local->hw.wiphy,
2508 				 &ifmgd->csa_connection_drop_work);
2509 		return;
2510 	}
2511 
2512 	link->u.mgd.csa.waiting_bcn = true;
2513 
2514 	/*
2515 	 * The next beacon really should always be different, so this should
2516 	 * have no effect whatsoever. However, some APs (we observed this in
2517 	 * an Asus AXE11000), the beacon after the CSA might be identical to
2518 	 * the last beacon on the old channel - in this case we'd ignore it.
2519 	 * Resetting the CRC will lead us to handle it better (albeit with a
2520 	 * disconnect, but clearly the AP is broken.)
2521 	 */
2522 	link->u.mgd.beacon_crc_valid = false;
2523 
2524 	/* apply new TPE restrictions immediately on the new channel */
2525 	if (link->u.mgd.csa.ap_chandef.chan->band == NL80211_BAND_6GHZ &&
2526 	    link->u.mgd.conn.mode >= IEEE80211_CONN_MODE_HE) {
2527 		ieee80211_rearrange_tpe(&link->u.mgd.csa.tpe,
2528 					&link->u.mgd.csa.ap_chandef,
2529 					&link->conf->chanreq.oper);
2530 		if (memcmp(&link->conf->tpe, &link->u.mgd.csa.tpe,
2531 			   sizeof(link->u.mgd.csa.tpe))) {
2532 			link->conf->tpe = link->u.mgd.csa.tpe;
2533 			ieee80211_link_info_change_notify(sdata, link,
2534 							  BSS_CHANGED_TPE);
2535 		}
2536 	}
2537 
2538 	/*
2539 	 * It is not necessary to reset these timers if any link does not
2540 	 * have an active CSA and that link still receives the beacons
2541 	 * when other links have active CSA.
2542 	 */
2543 	for_each_link_data(sdata, link) {
2544 		if (!link->conf->csa_active)
2545 			return;
2546 	}
2547 
2548 	/*
2549 	 * Reset the beacon monitor and connection monitor timers when CSA
2550 	 * is active for all links in MLO when channel switch occurs in all
2551 	 * the links.
2552 	 */
2553 	ieee80211_sta_reset_beacon_monitor(sdata);
2554 	ieee80211_sta_reset_conn_monitor(sdata);
2555 }
2556 
2557 static void ieee80211_chswitch_post_beacon(struct ieee80211_link_data *link)
2558 {
2559 	struct ieee80211_sub_if_data *sdata = link->sdata;
2560 	struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
2561 	int ret;
2562 
2563 	lockdep_assert_wiphy(sdata->local->hw.wiphy);
2564 
2565 	WARN_ON(!link->conf->csa_active);
2566 
2567 	ieee80211_vif_unblock_queues_csa(sdata);
2568 
2569 	link->conf->csa_active = false;
2570 	link->u.mgd.csa.blocked_tx = false;
2571 	link->u.mgd.csa.waiting_bcn = false;
2572 
2573 	ret = drv_post_channel_switch(link);
2574 	if (ret) {
2575 		link_info(link,
2576 			  "driver post channel switch failed, disconnecting\n");
2577 		wiphy_work_queue(sdata->local->hw.wiphy,
2578 				 &ifmgd->csa_connection_drop_work);
2579 		return;
2580 	}
2581 
2582 	cfg80211_ch_switch_notify(sdata->dev, &link->conf->chanreq.oper,
2583 				  link->link_id);
2584 }
2585 
2586 void ieee80211_chswitch_done(struct ieee80211_vif *vif, bool success,
2587 			     unsigned int link_id)
2588 {
2589 	struct ieee80211_sub_if_data *sdata = vif_to_sdata(vif);
2590 
2591 	trace_api_chswitch_done(sdata, success, link_id);
2592 
2593 	rcu_read_lock();
2594 
2595 	if (!success) {
2596 		sdata_info(sdata,
2597 			   "driver channel switch failed (link %d), disconnecting\n",
2598 			   link_id);
2599 		wiphy_work_queue(sdata->local->hw.wiphy,
2600 				 &sdata->u.mgd.csa_connection_drop_work);
2601 	} else {
2602 		struct ieee80211_link_data *link =
2603 			rcu_dereference(sdata->link[link_id]);
2604 
2605 		if (WARN_ON(!link)) {
2606 			rcu_read_unlock();
2607 			return;
2608 		}
2609 
2610 		wiphy_hrtimer_work_queue(sdata->local->hw.wiphy,
2611 					 &link->u.mgd.csa.switch_work, 0);
2612 	}
2613 
2614 	rcu_read_unlock();
2615 }
2616 EXPORT_SYMBOL(ieee80211_chswitch_done);
2617 
2618 static void
2619 ieee80211_sta_abort_chanswitch(struct ieee80211_link_data *link)
2620 {
2621 	struct ieee80211_sub_if_data *sdata = link->sdata;
2622 	struct ieee80211_local *local = sdata->local;
2623 
2624 	lockdep_assert_wiphy(local->hw.wiphy);
2625 
2626 	if (!local->ops->abort_channel_switch)
2627 		return;
2628 
2629 	if (rcu_access_pointer(link->conf->chanctx_conf))
2630 		ieee80211_link_unreserve_chanctx(link);
2631 
2632 	ieee80211_vif_unblock_queues_csa(sdata);
2633 
2634 	link->conf->csa_active = false;
2635 	link->u.mgd.csa.blocked_tx = false;
2636 
2637 	drv_abort_channel_switch(link);
2638 }
2639 
2640 struct sta_csa_rnr_iter_data {
2641 	struct ieee80211_link_data *link;
2642 	struct ieee80211_channel *chan;
2643 	u8 mld_id;
2644 };
2645 
2646 static enum cfg80211_rnr_iter_ret
2647 ieee80211_sta_csa_rnr_iter(void *_data, u8 type,
2648 			   const struct ieee80211_neighbor_ap_info *info,
2649 			   const u8 *tbtt_info, u8 tbtt_info_len)
2650 {
2651 	struct sta_csa_rnr_iter_data *data = _data;
2652 	struct ieee80211_link_data *link = data->link;
2653 	struct ieee80211_sub_if_data *sdata = link->sdata;
2654 	struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
2655 	const struct ieee80211_tbtt_info_ge_11 *ti;
2656 	enum nl80211_band band;
2657 	unsigned int center_freq;
2658 	int link_id;
2659 
2660 	if (type != IEEE80211_TBTT_INFO_TYPE_TBTT)
2661 		return RNR_ITER_CONTINUE;
2662 
2663 	if (tbtt_info_len < sizeof(*ti))
2664 		return RNR_ITER_CONTINUE;
2665 
2666 	ti = (const void *)tbtt_info;
2667 
2668 	if (ti->mld_params.mld_id != data->mld_id)
2669 		return RNR_ITER_CONTINUE;
2670 
2671 	link_id = le16_get_bits(ti->mld_params.params,
2672 				IEEE80211_RNR_MLD_PARAMS_LINK_ID);
2673 	if (link_id != data->link->link_id)
2674 		return RNR_ITER_CONTINUE;
2675 
2676 	/* we found the entry for our link! */
2677 
2678 	/* this AP is confused, it had this right before ... just disconnect */
2679 	if (!ieee80211_operating_class_to_band(info->op_class, &band)) {
2680 		link_info(link,
2681 			  "AP now has invalid operating class in RNR, disconnect\n");
2682 		wiphy_work_queue(sdata->local->hw.wiphy,
2683 				 &ifmgd->csa_connection_drop_work);
2684 		return RNR_ITER_BREAK;
2685 	}
2686 
2687 	center_freq = ieee80211_channel_to_frequency(info->channel, band);
2688 	data->chan = ieee80211_get_channel(sdata->local->hw.wiphy, center_freq);
2689 
2690 	return RNR_ITER_BREAK;
2691 }
2692 
2693 static void
2694 ieee80211_sta_other_link_csa_disappeared(struct ieee80211_link_data *link,
2695 					 struct ieee802_11_elems *elems)
2696 {
2697 	struct ieee80211_sub_if_data *sdata = link->sdata;
2698 	struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
2699 	struct sta_csa_rnr_iter_data data = {
2700 		.link = link,
2701 	};
2702 
2703 	/*
2704 	 * If we get here, we see a beacon from another link without
2705 	 * CSA still being reported for it, so now we have to check
2706 	 * if the CSA was aborted or completed. This may not even be
2707 	 * perfectly possible if the CSA was only done for changing
2708 	 * the puncturing, but in that case if the link in inactive
2709 	 * we don't really care, and if it's an active link (or when
2710 	 * it's activated later) we'll get a beacon and adjust.
2711 	 */
2712 
2713 	if (WARN_ON(!elems->ml_basic))
2714 		return;
2715 
2716 	data.mld_id = ieee80211_mle_get_mld_id((const void *)elems->ml_basic);
2717 
2718 	/*
2719 	 * So in order to do this, iterate the RNR element(s) and see
2720 	 * what channel is reported now.
2721 	 */
2722 	cfg80211_iter_rnr(elems->ie_start, elems->total_len,
2723 			  ieee80211_sta_csa_rnr_iter, &data);
2724 
2725 	if (!data.chan) {
2726 		link_info(link,
2727 			  "couldn't find (valid) channel in RNR for CSA, disconnect\n");
2728 		wiphy_work_queue(sdata->local->hw.wiphy,
2729 				 &ifmgd->csa_connection_drop_work);
2730 		return;
2731 	}
2732 
2733 	/*
2734 	 * If it doesn't match the CSA, then assume it aborted. This
2735 	 * may erroneously detect that it was _not_ aborted when it
2736 	 * was in fact aborted, but only changed the bandwidth or the
2737 	 * puncturing configuration, but we don't have enough data to
2738 	 * detect that.
2739 	 */
2740 	if (data.chan != link->csa.chanreq.oper.chan)
2741 		ieee80211_sta_abort_chanswitch(link);
2742 }
2743 
2744 enum ieee80211_csa_source {
2745 	IEEE80211_CSA_SOURCE_BEACON,
2746 	IEEE80211_CSA_SOURCE_OTHER_LINK,
2747 	IEEE80211_CSA_SOURCE_PROT_ACTION,
2748 	IEEE80211_CSA_SOURCE_UNPROT_ACTION,
2749 };
2750 
2751 static void
2752 ieee80211_sta_process_chanswitch(struct ieee80211_link_data *link,
2753 				 u64 timestamp, u32 device_timestamp,
2754 				 struct ieee802_11_elems *full_elems,
2755 				 struct ieee802_11_elems *csa_elems,
2756 				 enum ieee80211_csa_source source)
2757 {
2758 	struct ieee80211_sub_if_data *sdata = link->sdata;
2759 	struct ieee80211_local *local = sdata->local;
2760 	struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
2761 	struct ieee80211_chanctx *chanctx = NULL;
2762 	struct ieee80211_chanctx_conf *conf;
2763 	struct ieee80211_csa_ie csa_ie = {};
2764 	struct ieee80211_channel_switch ch_switch = {
2765 		.link_id = link->link_id,
2766 		.timestamp = timestamp,
2767 		.device_timestamp = device_timestamp,
2768 	};
2769 	u32 csa_time_tu;
2770 	ktime_t now;
2771 	int res;
2772 
2773 	lockdep_assert_wiphy(local->hw.wiphy);
2774 
2775 	if (csa_elems) {
2776 		struct cfg80211_bss *cbss = link->conf->bss;
2777 		enum nl80211_band current_band;
2778 		struct ieee80211_bss *bss;
2779 
2780 		if (WARN_ON(!cbss))
2781 			return;
2782 
2783 		current_band = cbss->channel->band;
2784 		bss = (void *)cbss->priv;
2785 
2786 		res = ieee80211_parse_ch_switch_ie(sdata, csa_elems,
2787 						   current_band,
2788 						   bss->vht_cap_info,
2789 						   &link->u.mgd.conn,
2790 						   link->u.mgd.bssid,
2791 						   source == IEEE80211_CSA_SOURCE_UNPROT_ACTION,
2792 						   &csa_ie);
2793 		if (res == 0) {
2794 			ch_switch.block_tx = csa_ie.mode;
2795 			ch_switch.chandef = csa_ie.chanreq.oper;
2796 			ch_switch.count = csa_ie.count;
2797 			ch_switch.delay = csa_ie.max_switch_time;
2798 		}
2799 
2800 		link->u.mgd.csa.tpe = csa_elems->csa_tpe;
2801 	} else {
2802 		/*
2803 		 * If there was no per-STA profile for this link, we
2804 		 * get called with csa_elems == NULL. This of course means
2805 		 * there are no CSA elements, so set res=1 indicating
2806 		 * no more CSA.
2807 		 */
2808 		res = 1;
2809 	}
2810 
2811 	if (res < 0) {
2812 		/* ignore this case, not a protected frame */
2813 		if (source == IEEE80211_CSA_SOURCE_UNPROT_ACTION)
2814 			return;
2815 		goto drop_connection;
2816 	}
2817 
2818 	if (link->conf->csa_active) {
2819 		switch (source) {
2820 		case IEEE80211_CSA_SOURCE_PROT_ACTION:
2821 		case IEEE80211_CSA_SOURCE_UNPROT_ACTION:
2822 			/* already processing - disregard action frames */
2823 			return;
2824 		case IEEE80211_CSA_SOURCE_BEACON:
2825 			if (link->u.mgd.csa.waiting_bcn) {
2826 				ieee80211_chswitch_post_beacon(link);
2827 				/*
2828 				 * If the CSA is still present after the switch
2829 				 * we need to consider it as a new CSA (possibly
2830 				 * to self). This happens by not returning here
2831 				 * so we'll get to the check below.
2832 				 */
2833 			} else if (res) {
2834 				ieee80211_sta_abort_chanswitch(link);
2835 				return;
2836 			} else {
2837 				drv_channel_switch_rx_beacon(sdata, &ch_switch);
2838 				return;
2839 			}
2840 			break;
2841 		case IEEE80211_CSA_SOURCE_OTHER_LINK:
2842 			/* active link: we want to see the beacon to continue */
2843 			if (ieee80211_vif_link_active(&sdata->vif,
2844 						      link->link_id))
2845 				return;
2846 
2847 			/* switch work ran, so just complete the process */
2848 			if (link->u.mgd.csa.waiting_bcn) {
2849 				ieee80211_chswitch_post_beacon(link);
2850 				/*
2851 				 * If the CSA is still present after the switch
2852 				 * we need to consider it as a new CSA (possibly
2853 				 * to self). This happens by not returning here
2854 				 * so we'll get to the check below.
2855 				 */
2856 				break;
2857 			}
2858 
2859 			/* link still has CSA but we already know, do nothing */
2860 			if (!res)
2861 				return;
2862 
2863 			/* check in the RNR if the CSA aborted */
2864 			ieee80211_sta_other_link_csa_disappeared(link,
2865 								 full_elems);
2866 			return;
2867 		}
2868 	}
2869 
2870 	/* no active CSA nor a new one */
2871 	if (res) {
2872 		/*
2873 		 * However, we may have stopped queues when receiving a public
2874 		 * action frame that couldn't be protected, if it had the quiet
2875 		 * bit set. This is a trade-off, we want to be quiet as soon as
2876 		 * possible, but also don't trust the public action frame much,
2877 		 * as it can't be protected.
2878 		 */
2879 		if (unlikely(link->u.mgd.csa.blocked_tx)) {
2880 			link->u.mgd.csa.blocked_tx = false;
2881 			ieee80211_vif_unblock_queues_csa(sdata);
2882 		}
2883 		return;
2884 	}
2885 
2886 	/*
2887 	 * We don't really trust public action frames, but block queues (go to
2888 	 * quiet mode) for them anyway, we should get a beacon soon to either
2889 	 * know what the CSA really is, or figure out the public action frame
2890 	 * was actually an attack.
2891 	 */
2892 	if (source == IEEE80211_CSA_SOURCE_UNPROT_ACTION) {
2893 		if (csa_ie.mode) {
2894 			link->u.mgd.csa.blocked_tx = true;
2895 			ieee80211_vif_block_queues_csa(sdata);
2896 		}
2897 		return;
2898 	}
2899 
2900 	if (link->conf->chanreq.oper.chan->band !=
2901 	    csa_ie.chanreq.oper.chan->band) {
2902 		link_info(link,
2903 			  "AP %pM switches to different band (%d MHz, width:%d, CF1/2: %d/%d MHz), disconnecting\n",
2904 			  link->u.mgd.bssid,
2905 			  csa_ie.chanreq.oper.chan->center_freq,
2906 			  csa_ie.chanreq.oper.width,
2907 			  csa_ie.chanreq.oper.center_freq1,
2908 			  csa_ie.chanreq.oper.center_freq2);
2909 		goto drop_connection;
2910 	}
2911 
2912 	if (!cfg80211_chandef_usable(local->hw.wiphy, &csa_ie.chanreq.oper,
2913 				     IEEE80211_CHAN_DISABLED)) {
2914 		link_info(link,
2915 			  "AP %pM switches to unsupported channel (%d.%03d MHz, width:%d, CF1/2: %d.%03d/%d MHz), disconnecting\n",
2916 			  link->u.mgd.bssid,
2917 			  csa_ie.chanreq.oper.chan->center_freq,
2918 			  csa_ie.chanreq.oper.chan->freq_offset,
2919 			  csa_ie.chanreq.oper.width,
2920 			  csa_ie.chanreq.oper.center_freq1,
2921 			  csa_ie.chanreq.oper.freq1_offset,
2922 			  csa_ie.chanreq.oper.center_freq2);
2923 		goto drop_connection;
2924 	}
2925 
2926 	if (cfg80211_chandef_identical(&csa_ie.chanreq.oper,
2927 				       &link->conf->chanreq.oper) &&
2928 	    (!csa_ie.mode || source != IEEE80211_CSA_SOURCE_BEACON)) {
2929 		if (link->u.mgd.csa.ignored_same_chan)
2930 			return;
2931 		link_info(link,
2932 			  "AP %pM tries to chanswitch to same channel, ignore\n",
2933 			  link->u.mgd.bssid);
2934 		link->u.mgd.csa.ignored_same_chan = true;
2935 		return;
2936 	}
2937 
2938 	/*
2939 	 * Drop all TDLS peers on the affected link - either we disconnect or
2940 	 * move to a different channel from this point on. There's no telling
2941 	 * what our peer will do.
2942 	 * The TDLS WIDER_BW scenario is also problematic, as peers might now
2943 	 * have an incompatible wider chandef.
2944 	 */
2945 	ieee80211_teardown_tdls_peers(link);
2946 
2947 	conf = rcu_dereference_protected(link->conf->chanctx_conf,
2948 					 lockdep_is_held(&local->hw.wiphy->mtx));
2949 	if (ieee80211_vif_link_active(&sdata->vif, link->link_id) && !conf) {
2950 		link_info(link,
2951 			  "no channel context assigned to vif?, disconnecting\n");
2952 		goto drop_connection;
2953 	}
2954 
2955 	if (conf)
2956 		chanctx = container_of(conf, struct ieee80211_chanctx, conf);
2957 
2958 	if (!ieee80211_hw_check(&local->hw, CHANCTX_STA_CSA)) {
2959 		link_info(link,
2960 			  "driver doesn't support chan-switch with channel contexts\n");
2961 		goto drop_connection;
2962 	}
2963 
2964 	if (drv_pre_channel_switch(sdata, &ch_switch)) {
2965 		link_info(link,
2966 			  "preparing for channel switch failed, disconnecting\n");
2967 		goto drop_connection;
2968 	}
2969 
2970 	link->u.mgd.csa.ap_chandef = csa_ie.chanreq.ap;
2971 
2972 	link->csa.chanreq.oper = csa_ie.chanreq.oper;
2973 	ieee80211_set_chanreq_ap(sdata, &link->csa.chanreq, &link->u.mgd.conn,
2974 				 &csa_ie.chanreq.ap);
2975 
2976 	if (chanctx) {
2977 		res = ieee80211_link_reserve_chanctx(link, &link->csa.chanreq,
2978 						     chanctx->mode, false);
2979 		if (res) {
2980 			link_info(link,
2981 				  "failed to reserve channel context for channel switch, disconnecting (err=%d)\n",
2982 				  res);
2983 			goto drop_connection;
2984 		}
2985 	}
2986 
2987 	link->conf->csa_active = true;
2988 	link->u.mgd.csa.ignored_same_chan = false;
2989 	link->u.mgd.beacon_crc_valid = false;
2990 	link->u.mgd.csa.blocked_tx = csa_ie.mode;
2991 
2992 	if (csa_ie.mode)
2993 		ieee80211_vif_block_queues_csa(sdata);
2994 
2995 	cfg80211_ch_switch_started_notify(sdata->dev, &csa_ie.chanreq.oper,
2996 					  link->link_id, csa_ie.count,
2997 					  csa_ie.mode);
2998 
2999 	/* we may have to handle timeout for deactivated link in software */
3000 	now = ktime_get_boottime();
3001 	csa_time_tu = (max_t(int, csa_ie.count, 1) - 1) * link->conf->beacon_int;
3002 	link->u.mgd.csa.time = now + us_to_ktime(ieee80211_tu_to_usec(csa_time_tu));
3003 
3004 	if (ieee80211_vif_link_active(&sdata->vif, link->link_id) &&
3005 	    local->ops->channel_switch) {
3006 		/*
3007 		 * Use driver's channel switch callback, the driver will
3008 		 * later call ieee80211_chswitch_done(). It may deactivate
3009 		 * the link as well, we handle that elsewhere and queue
3010 		 * the csa.switch_work for the calculated time then.
3011 		 */
3012 		drv_channel_switch(local, sdata, &ch_switch);
3013 		return;
3014 	}
3015 
3016 	/* channel switch handled in software */
3017 	wiphy_hrtimer_work_queue(local->hw.wiphy,
3018 				 &link->u.mgd.csa.switch_work,
3019 				 link->u.mgd.csa.time - now);
3020 	return;
3021  drop_connection:
3022 	/*
3023 	 * This is just so that the disconnect flow will know that
3024 	 * we were trying to switch channel and failed. In case the
3025 	 * mode is 1 (we are not allowed to Tx), we will know not to
3026 	 * send a deauthentication frame. Those two fields will be
3027 	 * reset when the disconnection worker runs.
3028 	 */
3029 	link->conf->csa_active = true;
3030 	link->u.mgd.csa.blocked_tx = csa_ie.mode;
3031 
3032 	wiphy_work_queue(sdata->local->hw.wiphy,
3033 			 &ifmgd->csa_connection_drop_work);
3034 }
3035 
3036 struct sta_bss_param_ch_cnt_data {
3037 	struct ieee80211_sub_if_data *sdata;
3038 	u8 reporting_link_id;
3039 	u8 mld_id;
3040 };
3041 
3042 static enum cfg80211_rnr_iter_ret
3043 ieee80211_sta_bss_param_ch_cnt_iter(void *_data, u8 type,
3044 				    const struct ieee80211_neighbor_ap_info *info,
3045 				    const u8 *tbtt_info, u8 tbtt_info_len)
3046 {
3047 	struct sta_bss_param_ch_cnt_data *data = _data;
3048 	struct ieee80211_sub_if_data *sdata = data->sdata;
3049 	const struct ieee80211_tbtt_info_ge_11 *ti;
3050 	u8 bss_param_ch_cnt;
3051 	int link_id;
3052 
3053 	if (type != IEEE80211_TBTT_INFO_TYPE_TBTT)
3054 		return RNR_ITER_CONTINUE;
3055 
3056 	if (tbtt_info_len < sizeof(*ti))
3057 		return RNR_ITER_CONTINUE;
3058 
3059 	ti = (const void *)tbtt_info;
3060 
3061 	if (ti->mld_params.mld_id != data->mld_id)
3062 		return RNR_ITER_CONTINUE;
3063 
3064 	link_id = le16_get_bits(ti->mld_params.params,
3065 				IEEE80211_RNR_MLD_PARAMS_LINK_ID);
3066 	bss_param_ch_cnt =
3067 		le16_get_bits(ti->mld_params.params,
3068 			      IEEE80211_RNR_MLD_PARAMS_BSS_CHANGE_COUNT);
3069 
3070 	if (bss_param_ch_cnt != 255 &&
3071 	    link_id < ARRAY_SIZE(sdata->link)) {
3072 		struct ieee80211_link_data *link =
3073 			sdata_dereference(sdata->link[link_id], sdata);
3074 
3075 		if (link && link->conf->bss_param_ch_cnt != bss_param_ch_cnt) {
3076 			link->conf->bss_param_ch_cnt = bss_param_ch_cnt;
3077 			link->conf->bss_param_ch_cnt_link_id =
3078 				data->reporting_link_id;
3079 		}
3080 	}
3081 
3082 	return RNR_ITER_CONTINUE;
3083 }
3084 
3085 static void
3086 ieee80211_mgd_update_bss_param_ch_cnt(struct ieee80211_sub_if_data *sdata,
3087 				      struct ieee80211_bss_conf *bss_conf,
3088 				      struct ieee802_11_elems *elems)
3089 {
3090 	struct sta_bss_param_ch_cnt_data data = {
3091 		.reporting_link_id = bss_conf->link_id,
3092 		.sdata = sdata,
3093 	};
3094 	int bss_param_ch_cnt;
3095 
3096 	if (!elems->ml_basic)
3097 		return;
3098 
3099 	data.mld_id = ieee80211_mle_get_mld_id((const void *)elems->ml_basic);
3100 
3101 	cfg80211_iter_rnr(elems->ie_start, elems->total_len,
3102 			  ieee80211_sta_bss_param_ch_cnt_iter, &data);
3103 
3104 	bss_param_ch_cnt =
3105 		ieee80211_mle_get_bss_param_ch_cnt((const void *)elems->ml_basic);
3106 
3107 	/*
3108 	 * Update bss_param_ch_cnt_link_id even if bss_param_ch_cnt
3109 	 * didn't change to indicate that we got a beacon on our own
3110 	 * link.
3111 	 */
3112 	if (bss_param_ch_cnt >= 0 && bss_param_ch_cnt != 255) {
3113 		bss_conf->bss_param_ch_cnt = bss_param_ch_cnt;
3114 		bss_conf->bss_param_ch_cnt_link_id =
3115 			bss_conf->link_id;
3116 	}
3117 }
3118 
3119 static bool
3120 ieee80211_find_80211h_pwr_constr(struct ieee80211_channel *channel,
3121 				 const u8 *country_ie, u8 country_ie_len,
3122 				 const u8 *pwr_constr_elem,
3123 				 int *chan_pwr, int *pwr_reduction)
3124 {
3125 	struct ieee80211_country_ie_triplet *triplet;
3126 	int chan = ieee80211_frequency_to_channel(channel->center_freq);
3127 	int i, chan_increment;
3128 	bool have_chan_pwr = false;
3129 
3130 	/* Invalid IE */
3131 	if (country_ie_len % 2 || country_ie_len < IEEE80211_COUNTRY_IE_MIN_LEN)
3132 		return false;
3133 
3134 	triplet = (void *)(country_ie + 3);
3135 	country_ie_len -= 3;
3136 
3137 	switch (channel->band) {
3138 	default:
3139 		WARN_ON_ONCE(1);
3140 		fallthrough;
3141 	case NL80211_BAND_2GHZ:
3142 	case NL80211_BAND_60GHZ:
3143 	case NL80211_BAND_LC:
3144 		chan_increment = 1;
3145 		break;
3146 	case NL80211_BAND_5GHZ:
3147 		chan_increment = 4;
3148 		break;
3149 	case NL80211_BAND_6GHZ:
3150 		/*
3151 		 * In the 6 GHz band, the "maximum transmit power level"
3152 		 * field in the triplets is reserved, and thus will be
3153 		 * zero and we shouldn't use it to control TX power.
3154 		 * The actual TX power will be given in the transmit
3155 		 * power envelope element instead.
3156 		 */
3157 		return false;
3158 	}
3159 
3160 	/* find channel */
3161 	while (country_ie_len >= 3) {
3162 		u8 first_channel = triplet->chans.first_channel;
3163 
3164 		if (first_channel >= IEEE80211_COUNTRY_EXTENSION_ID)
3165 			goto next;
3166 
3167 		for (i = 0; i < triplet->chans.num_channels; i++) {
3168 			if (first_channel + i * chan_increment == chan) {
3169 				have_chan_pwr = true;
3170 				*chan_pwr = triplet->chans.max_power;
3171 				break;
3172 			}
3173 		}
3174 		if (have_chan_pwr)
3175 			break;
3176 
3177  next:
3178 		triplet++;
3179 		country_ie_len -= 3;
3180 	}
3181 
3182 	if (have_chan_pwr && pwr_constr_elem)
3183 		*pwr_reduction = *pwr_constr_elem;
3184 	else
3185 		*pwr_reduction = 0;
3186 
3187 	return have_chan_pwr;
3188 }
3189 
3190 static void ieee80211_find_cisco_dtpc(struct ieee80211_channel *channel,
3191 				      const u8 *cisco_dtpc_ie,
3192 				      int *pwr_level)
3193 {
3194 	/* From practical testing, the first data byte of the DTPC element
3195 	 * seems to contain the requested dBm level, and the CLI on Cisco
3196 	 * APs clearly state the range is -127 to 127 dBm, which indicates
3197 	 * a signed byte, although it seemingly never actually goes negative.
3198 	 * The other byte seems to always be zero.
3199 	 */
3200 	*pwr_level = (__s8)cisco_dtpc_ie[4];
3201 }
3202 
3203 static u64 ieee80211_handle_pwr_constr(struct ieee80211_link_data *link,
3204 				       struct ieee80211_channel *channel,
3205 				       struct ieee80211_mgmt *mgmt,
3206 				       const u8 *country_ie, u8 country_ie_len,
3207 				       const u8 *pwr_constr_ie,
3208 				       const u8 *cisco_dtpc_ie)
3209 {
3210 	struct ieee80211_sub_if_data *sdata = link->sdata;
3211 	bool has_80211h_pwr = false, has_cisco_pwr = false;
3212 	int chan_pwr = 0, pwr_reduction_80211h = 0;
3213 	int pwr_level_cisco, pwr_level_80211h;
3214 	int new_ap_level;
3215 	__le16 capab = mgmt->u.probe_resp.capab_info;
3216 
3217 	if (ieee80211_is_s1g_beacon(mgmt->frame_control))
3218 		return 0;	/* TODO */
3219 
3220 	if (country_ie &&
3221 	    (capab & cpu_to_le16(WLAN_CAPABILITY_SPECTRUM_MGMT) ||
3222 	     capab & cpu_to_le16(WLAN_CAPABILITY_RADIO_MEASURE))) {
3223 		has_80211h_pwr = ieee80211_find_80211h_pwr_constr(
3224 			channel, country_ie, country_ie_len,
3225 			pwr_constr_ie, &chan_pwr, &pwr_reduction_80211h);
3226 		pwr_level_80211h =
3227 			max_t(int, 0, chan_pwr - pwr_reduction_80211h);
3228 	}
3229 
3230 	if (cisco_dtpc_ie) {
3231 		ieee80211_find_cisco_dtpc(
3232 			channel, cisco_dtpc_ie, &pwr_level_cisco);
3233 		has_cisco_pwr = true;
3234 	}
3235 
3236 	if (!has_80211h_pwr && !has_cisco_pwr)
3237 		return 0;
3238 
3239 	/* If we have both 802.11h and Cisco DTPC, apply both limits
3240 	 * by picking the smallest of the two power levels advertised.
3241 	 */
3242 	if (has_80211h_pwr &&
3243 	    (!has_cisco_pwr || pwr_level_80211h <= pwr_level_cisco)) {
3244 		new_ap_level = pwr_level_80211h;
3245 
3246 		if (link->ap_power_level == new_ap_level)
3247 			return 0;
3248 
3249 		sdata_dbg(sdata,
3250 			  "Limiting TX power to %d (%d - %d) dBm as advertised by %pM\n",
3251 			  pwr_level_80211h, chan_pwr, pwr_reduction_80211h,
3252 			  link->u.mgd.bssid);
3253 	} else {  /* has_cisco_pwr is always true here. */
3254 		new_ap_level = pwr_level_cisco;
3255 
3256 		if (link->ap_power_level == new_ap_level)
3257 			return 0;
3258 
3259 		sdata_dbg(sdata,
3260 			  "Limiting TX power to %d dBm as advertised by %pM\n",
3261 			  pwr_level_cisco, link->u.mgd.bssid);
3262 	}
3263 
3264 	link->ap_power_level = new_ap_level;
3265 	if (__ieee80211_recalc_txpower(link))
3266 		return BSS_CHANGED_TXPOWER;
3267 	return 0;
3268 }
3269 
3270 /* powersave */
3271 static void ieee80211_enable_ps(struct ieee80211_local *local,
3272 				struct ieee80211_sub_if_data *sdata)
3273 {
3274 	struct ieee80211_conf *conf = &local->hw.conf;
3275 
3276 	/*
3277 	 * If we are scanning right now then the parameters will
3278 	 * take effect when scan finishes.
3279 	 */
3280 	if (local->scanning)
3281 		return;
3282 
3283 	if (conf->dynamic_ps_timeout > 0 &&
3284 	    !ieee80211_hw_check(&local->hw, SUPPORTS_DYNAMIC_PS)) {
3285 		mod_timer(&local->dynamic_ps_timer, jiffies +
3286 			  msecs_to_jiffies(conf->dynamic_ps_timeout));
3287 	} else {
3288 		if (ieee80211_hw_check(&local->hw, PS_NULLFUNC_STACK))
3289 			ieee80211_send_nullfunc(local, sdata, true);
3290 
3291 		if (ieee80211_hw_check(&local->hw, PS_NULLFUNC_STACK) &&
3292 		    ieee80211_hw_check(&local->hw, REPORTS_TX_ACK_STATUS))
3293 			return;
3294 
3295 		conf->flags |= IEEE80211_CONF_PS;
3296 		ieee80211_hw_config(local, -1, IEEE80211_CONF_CHANGE_PS);
3297 	}
3298 }
3299 
3300 static void ieee80211_change_ps(struct ieee80211_local *local)
3301 {
3302 	struct ieee80211_conf *conf = &local->hw.conf;
3303 
3304 	if (local->ps_sdata) {
3305 		ieee80211_enable_ps(local, local->ps_sdata);
3306 	} else if (conf->flags & IEEE80211_CONF_PS) {
3307 		conf->flags &= ~IEEE80211_CONF_PS;
3308 		ieee80211_hw_config(local, -1, IEEE80211_CONF_CHANGE_PS);
3309 		timer_delete_sync(&local->dynamic_ps_timer);
3310 		wiphy_work_cancel(local->hw.wiphy,
3311 				  &local->dynamic_ps_enable_work);
3312 	}
3313 }
3314 
3315 static bool ieee80211_powersave_allowed(struct ieee80211_sub_if_data *sdata)
3316 {
3317 	struct ieee80211_local *local = sdata->local;
3318 	struct ieee80211_if_managed *mgd = &sdata->u.mgd;
3319 	struct sta_info *sta = NULL;
3320 	bool authorized = false;
3321 
3322 	if (!mgd->powersave)
3323 		return false;
3324 
3325 	if (mgd->broken_ap)
3326 		return false;
3327 
3328 	if (!mgd->associated)
3329 		return false;
3330 
3331 	if (mgd->flags & IEEE80211_STA_CONNECTION_POLL)
3332 		return false;
3333 
3334 	if (!(local->hw.wiphy->flags & WIPHY_FLAG_SUPPORTS_MLO) &&
3335 	    !sdata->deflink.u.mgd.have_beacon)
3336 		return false;
3337 
3338 	rcu_read_lock();
3339 	sta = sta_info_get(sdata, sdata->vif.cfg.ap_addr);
3340 	if (sta)
3341 		authorized = test_sta_flag(sta, WLAN_STA_AUTHORIZED);
3342 	rcu_read_unlock();
3343 
3344 	return authorized;
3345 }
3346 
3347 /* need to hold RTNL or interface lock */
3348 void ieee80211_recalc_ps(struct ieee80211_local *local)
3349 {
3350 	struct ieee80211_sub_if_data *sdata, *found = NULL;
3351 	int count = 0;
3352 	int timeout;
3353 
3354 	if (!ieee80211_hw_check(&local->hw, SUPPORTS_PS) ||
3355 	    ieee80211_hw_check(&local->hw, SUPPORTS_DYNAMIC_PS)) {
3356 		local->ps_sdata = NULL;
3357 		return;
3358 	}
3359 
3360 	list_for_each_entry(sdata, &local->interfaces, list) {
3361 		if (!ieee80211_sdata_running(sdata))
3362 			continue;
3363 		if (sdata->vif.type == NL80211_IFTYPE_AP) {
3364 			/* If an AP vif is found, then disable PS
3365 			 * by setting the count to zero thereby setting
3366 			 * ps_sdata to NULL.
3367 			 */
3368 			count = 0;
3369 			break;
3370 		}
3371 		if (sdata->vif.type != NL80211_IFTYPE_STATION)
3372 			continue;
3373 		found = sdata;
3374 		count++;
3375 	}
3376 
3377 	if (count == 1 && ieee80211_powersave_allowed(found)) {
3378 		u8 dtimper = found->deflink.u.mgd.dtim_period;
3379 
3380 		timeout = local->dynamic_ps_forced_timeout;
3381 		if (timeout < 0)
3382 			timeout = 100;
3383 		local->hw.conf.dynamic_ps_timeout = timeout;
3384 
3385 		/* If the TIM IE is invalid, pretend the value is 1 */
3386 		if (!dtimper)
3387 			dtimper = 1;
3388 
3389 		local->hw.conf.ps_dtim_period = dtimper;
3390 		local->ps_sdata = found;
3391 	} else {
3392 		local->ps_sdata = NULL;
3393 	}
3394 
3395 	ieee80211_change_ps(local);
3396 }
3397 
3398 void ieee80211_recalc_ps_vif(struct ieee80211_sub_if_data *sdata)
3399 {
3400 	bool ps_allowed = ieee80211_powersave_allowed(sdata);
3401 
3402 	if (sdata->vif.cfg.ps != ps_allowed) {
3403 		sdata->vif.cfg.ps = ps_allowed;
3404 		ieee80211_vif_cfg_change_notify(sdata, BSS_CHANGED_PS);
3405 	}
3406 }
3407 
3408 void ieee80211_dynamic_ps_disable_work(struct wiphy *wiphy,
3409 				       struct wiphy_work *work)
3410 {
3411 	struct ieee80211_local *local =
3412 		container_of(work, struct ieee80211_local,
3413 			     dynamic_ps_disable_work);
3414 
3415 	if (local->hw.conf.flags & IEEE80211_CONF_PS) {
3416 		local->hw.conf.flags &= ~IEEE80211_CONF_PS;
3417 		ieee80211_hw_config(local, -1, IEEE80211_CONF_CHANGE_PS);
3418 	}
3419 
3420 	ieee80211_wake_queues_by_reason(&local->hw,
3421 					IEEE80211_MAX_QUEUE_MAP,
3422 					IEEE80211_QUEUE_STOP_REASON_PS,
3423 					false);
3424 }
3425 
3426 void ieee80211_dynamic_ps_enable_work(struct wiphy *wiphy,
3427 				      struct wiphy_work *work)
3428 {
3429 	struct ieee80211_local *local =
3430 		container_of(work, struct ieee80211_local,
3431 			     dynamic_ps_enable_work);
3432 	struct ieee80211_sub_if_data *sdata = local->ps_sdata;
3433 	struct ieee80211_if_managed *ifmgd;
3434 	unsigned long flags;
3435 	int q;
3436 
3437 	/* can only happen when PS was just disabled anyway */
3438 	if (!sdata)
3439 		return;
3440 
3441 	ifmgd = &sdata->u.mgd;
3442 
3443 	if (local->hw.conf.flags & IEEE80211_CONF_PS)
3444 		return;
3445 
3446 	if (local->hw.conf.dynamic_ps_timeout > 0) {
3447 		/* don't enter PS if TX frames are pending */
3448 		if (drv_tx_frames_pending(local)) {
3449 			mod_timer(&local->dynamic_ps_timer, jiffies +
3450 				  msecs_to_jiffies(
3451 				  local->hw.conf.dynamic_ps_timeout));
3452 			return;
3453 		}
3454 
3455 		/*
3456 		 * transmission can be stopped by others which leads to
3457 		 * dynamic_ps_timer expiry. Postpone the ps timer if it
3458 		 * is not the actual idle state.
3459 		 */
3460 		spin_lock_irqsave(&local->queue_stop_reason_lock, flags);
3461 		for (q = 0; q < local->hw.queues; q++) {
3462 			if (local->queue_stop_reasons[q]) {
3463 				spin_unlock_irqrestore(&local->queue_stop_reason_lock,
3464 						       flags);
3465 				mod_timer(&local->dynamic_ps_timer, jiffies +
3466 					  msecs_to_jiffies(
3467 					  local->hw.conf.dynamic_ps_timeout));
3468 				return;
3469 			}
3470 		}
3471 		spin_unlock_irqrestore(&local->queue_stop_reason_lock, flags);
3472 	}
3473 
3474 	if (ieee80211_hw_check(&local->hw, PS_NULLFUNC_STACK) &&
3475 	    !(ifmgd->flags & IEEE80211_STA_NULLFUNC_ACKED)) {
3476 		if (drv_tx_frames_pending(local)) {
3477 			mod_timer(&local->dynamic_ps_timer, jiffies +
3478 				  msecs_to_jiffies(
3479 				  local->hw.conf.dynamic_ps_timeout));
3480 		} else {
3481 			ieee80211_send_nullfunc(local, sdata, true);
3482 			/* Flush to get the tx status of nullfunc frame */
3483 			ieee80211_flush_queues(local, sdata, false);
3484 		}
3485 	}
3486 
3487 	if (!(ieee80211_hw_check(&local->hw, REPORTS_TX_ACK_STATUS) &&
3488 	      ieee80211_hw_check(&local->hw, PS_NULLFUNC_STACK)) ||
3489 	    (ifmgd->flags & IEEE80211_STA_NULLFUNC_ACKED)) {
3490 		ifmgd->flags &= ~IEEE80211_STA_NULLFUNC_ACKED;
3491 		local->hw.conf.flags |= IEEE80211_CONF_PS;
3492 		ieee80211_hw_config(local, -1, IEEE80211_CONF_CHANGE_PS);
3493 	}
3494 }
3495 
3496 void ieee80211_dynamic_ps_timer(struct timer_list *t)
3497 {
3498 	struct ieee80211_local *local = timer_container_of(local, t,
3499 							   dynamic_ps_timer);
3500 
3501 	wiphy_work_queue(local->hw.wiphy, &local->dynamic_ps_enable_work);
3502 }
3503 
3504 void ieee80211_dfs_cac_timer_work(struct wiphy *wiphy, struct wiphy_work *work)
3505 {
3506 	struct ieee80211_link_data *link =
3507 		container_of(work, struct ieee80211_link_data,
3508 			     dfs_cac_timer_work.work);
3509 	struct cfg80211_chan_def chandef = link->conf->chanreq.oper;
3510 	struct ieee80211_sub_if_data *sdata = link->sdata;
3511 
3512 	lockdep_assert_wiphy(sdata->local->hw.wiphy);
3513 
3514 	if (sdata->wdev.links[link->link_id].cac_started) {
3515 		ieee80211_link_release_channel(link);
3516 		cfg80211_cac_event(sdata->dev, &chandef,
3517 				   NL80211_RADAR_CAC_FINISHED,
3518 				   GFP_KERNEL, link->link_id);
3519 	}
3520 }
3521 
3522 static bool
3523 __ieee80211_sta_handle_tspec_ac_params(struct ieee80211_sub_if_data *sdata)
3524 {
3525 	struct ieee80211_local *local = sdata->local;
3526 	struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
3527 	bool ret = false;
3528 	int ac;
3529 
3530 	if (local->hw.queues < IEEE80211_NUM_ACS)
3531 		return false;
3532 
3533 	for (ac = 0; ac < IEEE80211_NUM_ACS; ac++) {
3534 		struct ieee80211_sta_tx_tspec *tx_tspec = &ifmgd->tx_tspec[ac];
3535 		int non_acm_ac;
3536 		unsigned long now = jiffies;
3537 
3538 		if (tx_tspec->action == TX_TSPEC_ACTION_NONE &&
3539 		    tx_tspec->admitted_time &&
3540 		    time_after(now, tx_tspec->time_slice_start + HZ)) {
3541 			tx_tspec->consumed_tx_time = 0;
3542 			tx_tspec->time_slice_start = now;
3543 
3544 			if (tx_tspec->downgraded)
3545 				tx_tspec->action =
3546 					TX_TSPEC_ACTION_STOP_DOWNGRADE;
3547 		}
3548 
3549 		switch (tx_tspec->action) {
3550 		case TX_TSPEC_ACTION_STOP_DOWNGRADE:
3551 			/* take the original parameters */
3552 			if (drv_conf_tx(local, &sdata->deflink, ac,
3553 					&sdata->deflink.tx_conf[ac]))
3554 				link_err(&sdata->deflink,
3555 					 "failed to set TX queue parameters for queue %d\n",
3556 					 ac);
3557 			tx_tspec->action = TX_TSPEC_ACTION_NONE;
3558 			tx_tspec->downgraded = false;
3559 			ret = true;
3560 			break;
3561 		case TX_TSPEC_ACTION_DOWNGRADE:
3562 			if (time_after(now, tx_tspec->time_slice_start + HZ)) {
3563 				tx_tspec->action = TX_TSPEC_ACTION_NONE;
3564 				ret = true;
3565 				break;
3566 			}
3567 			/* downgrade next lower non-ACM AC */
3568 			for (non_acm_ac = ac + 1;
3569 			     non_acm_ac < IEEE80211_NUM_ACS;
3570 			     non_acm_ac++)
3571 				if (!(sdata->wmm_acm & BIT(7 - 2 * non_acm_ac)))
3572 					break;
3573 			/* Usually the loop will result in using BK even if it
3574 			 * requires admission control, but such a configuration
3575 			 * makes no sense and we have to transmit somehow - the
3576 			 * AC selection does the same thing.
3577 			 * If we started out trying to downgrade from BK, then
3578 			 * the extra condition here might be needed.
3579 			 */
3580 			if (non_acm_ac >= IEEE80211_NUM_ACS)
3581 				non_acm_ac = IEEE80211_AC_BK;
3582 			if (drv_conf_tx(local, &sdata->deflink, ac,
3583 					&sdata->deflink.tx_conf[non_acm_ac]))
3584 				link_err(&sdata->deflink,
3585 					 "failed to set TX queue parameters for queue %d\n",
3586 					 ac);
3587 			tx_tspec->action = TX_TSPEC_ACTION_NONE;
3588 			ret = true;
3589 			wiphy_delayed_work_queue(local->hw.wiphy,
3590 						 &ifmgd->tx_tspec_wk,
3591 						 tx_tspec->time_slice_start +
3592 						 HZ - now + 1);
3593 			break;
3594 		case TX_TSPEC_ACTION_NONE:
3595 			/* nothing now */
3596 			break;
3597 		}
3598 	}
3599 
3600 	return ret;
3601 }
3602 
3603 void ieee80211_sta_handle_tspec_ac_params(struct ieee80211_sub_if_data *sdata)
3604 {
3605 	if (__ieee80211_sta_handle_tspec_ac_params(sdata))
3606 		ieee80211_link_info_change_notify(sdata, &sdata->deflink,
3607 						  BSS_CHANGED_QOS);
3608 }
3609 
3610 static void ieee80211_sta_handle_tspec_ac_params_wk(struct wiphy *wiphy,
3611 						    struct wiphy_work *work)
3612 {
3613 	struct ieee80211_sub_if_data *sdata;
3614 
3615 	sdata = container_of(work, struct ieee80211_sub_if_data,
3616 			     u.mgd.tx_tspec_wk.work);
3617 	ieee80211_sta_handle_tspec_ac_params(sdata);
3618 }
3619 
3620 void ieee80211_mgd_set_link_qos_params(struct ieee80211_link_data *link)
3621 {
3622 	struct ieee80211_sub_if_data *sdata = link->sdata;
3623 	struct ieee80211_local *local = sdata->local;
3624 	struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
3625 	struct ieee80211_tx_queue_params *params = link->tx_conf;
3626 	u8 ac;
3627 
3628 	for (ac = 0; ac < IEEE80211_NUM_ACS; ac++) {
3629 		mlme_dbg(sdata,
3630 			 "WMM AC=%d acm=%d aifs=%d cWmin=%d cWmax=%d txop=%d uapsd=%d, downgraded=%d\n",
3631 			 ac, params[ac].acm,
3632 			 params[ac].aifs, params[ac].cw_min, params[ac].cw_max,
3633 			 params[ac].txop, params[ac].uapsd,
3634 			 ifmgd->tx_tspec[ac].downgraded);
3635 		if (!ifmgd->tx_tspec[ac].downgraded &&
3636 		    drv_conf_tx(local, link, ac, &params[ac]))
3637 			link_err(link,
3638 				 "failed to set TX queue parameters for AC %d\n",
3639 				 ac);
3640 	}
3641 }
3642 
3643 /* MLME */
3644 static bool
3645 _ieee80211_sta_wmm_params(struct ieee80211_local *local,
3646 			  struct ieee80211_link_data *link,
3647 			  const u8 *wmm_param, size_t wmm_param_len,
3648 			  const struct ieee80211_mu_edca_param_set *mu_edca)
3649 {
3650 	struct ieee80211_sub_if_data *sdata = link->sdata;
3651 	struct ieee80211_tx_queue_params params[IEEE80211_NUM_ACS];
3652 	struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
3653 	size_t left;
3654 	int count, mu_edca_count, ac;
3655 	const u8 *pos;
3656 	u8 uapsd_queues = 0;
3657 
3658 	if (!local->ops->conf_tx)
3659 		return false;
3660 
3661 	if (local->hw.queues < IEEE80211_NUM_ACS)
3662 		return false;
3663 
3664 	if (!wmm_param)
3665 		return false;
3666 
3667 	if (wmm_param_len < 8 || wmm_param[5] /* version */ != 1)
3668 		return false;
3669 
3670 	if (ifmgd->flags & IEEE80211_STA_UAPSD_ENABLED)
3671 		uapsd_queues = ifmgd->uapsd_queues;
3672 
3673 	count = wmm_param[6] & 0x0f;
3674 	/* -1 is the initial value of ifmgd->mu_edca_last_param_set.
3675 	 * if mu_edca was preset before and now it disappeared tell
3676 	 * the driver about it.
3677 	 */
3678 	mu_edca_count = mu_edca ? mu_edca->mu_qos_info & 0x0f : -1;
3679 	if (count == link->u.mgd.wmm_last_param_set &&
3680 	    mu_edca_count == link->u.mgd.mu_edca_last_param_set)
3681 		return false;
3682 	link->u.mgd.wmm_last_param_set = count;
3683 	link->u.mgd.mu_edca_last_param_set = mu_edca_count;
3684 
3685 	pos = wmm_param + 8;
3686 	left = wmm_param_len - 8;
3687 
3688 	memset(&params, 0, sizeof(params));
3689 
3690 	sdata->wmm_acm = 0;
3691 	for (; left >= 4; left -= 4, pos += 4) {
3692 		int aci = (pos[0] >> 5) & 0x03;
3693 		int acm = (pos[0] >> 4) & 0x01;
3694 		bool uapsd = false;
3695 
3696 		switch (aci) {
3697 		case 1: /* AC_BK */
3698 			ac = IEEE80211_AC_BK;
3699 			if (acm)
3700 				sdata->wmm_acm |= BIT(1) | BIT(2); /* BK/- */
3701 			if (uapsd_queues & IEEE80211_WMM_IE_STA_QOSINFO_AC_BK)
3702 				uapsd = true;
3703 			params[ac].mu_edca = !!mu_edca;
3704 			if (mu_edca)
3705 				params[ac].mu_edca_param_rec = mu_edca->ac_bk;
3706 			break;
3707 		case 2: /* AC_VI */
3708 			ac = IEEE80211_AC_VI;
3709 			if (acm)
3710 				sdata->wmm_acm |= BIT(4) | BIT(5); /* CL/VI */
3711 			if (uapsd_queues & IEEE80211_WMM_IE_STA_QOSINFO_AC_VI)
3712 				uapsd = true;
3713 			params[ac].mu_edca = !!mu_edca;
3714 			if (mu_edca)
3715 				params[ac].mu_edca_param_rec = mu_edca->ac_vi;
3716 			break;
3717 		case 3: /* AC_VO */
3718 			ac = IEEE80211_AC_VO;
3719 			if (acm)
3720 				sdata->wmm_acm |= BIT(6) | BIT(7); /* VO/NC */
3721 			if (uapsd_queues & IEEE80211_WMM_IE_STA_QOSINFO_AC_VO)
3722 				uapsd = true;
3723 			params[ac].mu_edca = !!mu_edca;
3724 			if (mu_edca)
3725 				params[ac].mu_edca_param_rec = mu_edca->ac_vo;
3726 			break;
3727 		case 0: /* AC_BE */
3728 		default:
3729 			ac = IEEE80211_AC_BE;
3730 			if (acm)
3731 				sdata->wmm_acm |= BIT(0) | BIT(3); /* BE/EE */
3732 			if (uapsd_queues & IEEE80211_WMM_IE_STA_QOSINFO_AC_BE)
3733 				uapsd = true;
3734 			params[ac].mu_edca = !!mu_edca;
3735 			if (mu_edca)
3736 				params[ac].mu_edca_param_rec = mu_edca->ac_be;
3737 			break;
3738 		}
3739 
3740 		params[ac].aifs = pos[0] & 0x0f;
3741 
3742 		if (params[ac].aifs < 2) {
3743 			link_info(link,
3744 				  "AP has invalid WMM params (AIFSN=%d for ACI %d), will use 2\n",
3745 				  params[ac].aifs, aci);
3746 			params[ac].aifs = 2;
3747 		}
3748 		params[ac].cw_max = ecw2cw((pos[1] & 0xf0) >> 4);
3749 		params[ac].cw_min = ecw2cw(pos[1] & 0x0f);
3750 		params[ac].txop = get_unaligned_le16(pos + 2);
3751 		params[ac].acm = acm;
3752 		params[ac].uapsd = uapsd;
3753 
3754 		if (params[ac].cw_min == 0 ||
3755 		    params[ac].cw_min > params[ac].cw_max) {
3756 			link_info(link,
3757 				  "AP has invalid WMM params (CWmin/max=%d/%d for ACI %d), using defaults\n",
3758 				  params[ac].cw_min, params[ac].cw_max, aci);
3759 			return false;
3760 		}
3761 		ieee80211_regulatory_limit_wmm_params(sdata, &params[ac], ac);
3762 	}
3763 
3764 	/* WMM specification requires all 4 ACIs. */
3765 	for (ac = 0; ac < IEEE80211_NUM_ACS; ac++) {
3766 		if (params[ac].cw_min == 0) {
3767 			link_info(link,
3768 				  "AP has invalid WMM params (missing AC %d), using defaults\n",
3769 				  ac);
3770 			return false;
3771 		}
3772 	}
3773 
3774 	for (ac = 0; ac < IEEE80211_NUM_ACS; ac++)
3775 		link->tx_conf[ac] = params[ac];
3776 
3777 	return true;
3778 }
3779 
3780 static bool
3781 ieee80211_sta_wmm_params(struct ieee80211_local *local,
3782 			 struct ieee80211_link_data *link,
3783 			 const u8 *wmm_param, size_t wmm_param_len,
3784 			 const struct ieee80211_mu_edca_param_set *mu_edca)
3785 {
3786 	if (!_ieee80211_sta_wmm_params(local, link, wmm_param, wmm_param_len,
3787 				       mu_edca))
3788 		return false;
3789 
3790 	ieee80211_mgd_set_link_qos_params(link);
3791 
3792 	/* enable WMM or activate new settings */
3793 	link->conf->qos = true;
3794 	return true;
3795 }
3796 
3797 static void __ieee80211_stop_poll(struct ieee80211_sub_if_data *sdata)
3798 {
3799 	lockdep_assert_wiphy(sdata->local->hw.wiphy);
3800 
3801 	sdata->u.mgd.flags &= ~IEEE80211_STA_CONNECTION_POLL;
3802 	ieee80211_run_deferred_scan(sdata->local);
3803 }
3804 
3805 static void ieee80211_stop_poll(struct ieee80211_sub_if_data *sdata)
3806 {
3807 	lockdep_assert_wiphy(sdata->local->hw.wiphy);
3808 
3809 	__ieee80211_stop_poll(sdata);
3810 }
3811 
3812 static u64 ieee80211_handle_bss_capability(struct ieee80211_link_data *link,
3813 					   u16 capab, bool erp_valid, u8 erp)
3814 {
3815 	struct ieee80211_bss_conf *bss_conf = link->conf;
3816 	struct ieee80211_supported_band *sband;
3817 	u64 changed = 0;
3818 	bool use_protection;
3819 	bool use_short_preamble;
3820 	bool use_short_slot;
3821 
3822 	sband = ieee80211_get_link_sband(link);
3823 	if (!sband)
3824 		return changed;
3825 
3826 	if (erp_valid) {
3827 		use_protection = (erp & WLAN_ERP_USE_PROTECTION) != 0;
3828 		use_short_preamble = (erp & WLAN_ERP_BARKER_PREAMBLE) == 0;
3829 	} else {
3830 		use_protection = false;
3831 		use_short_preamble = !!(capab & WLAN_CAPABILITY_SHORT_PREAMBLE);
3832 	}
3833 
3834 	use_short_slot = !!(capab & WLAN_CAPABILITY_SHORT_SLOT_TIME);
3835 	if (sband->band == NL80211_BAND_5GHZ ||
3836 	    sband->band == NL80211_BAND_6GHZ)
3837 		use_short_slot = true;
3838 
3839 	if (use_protection != bss_conf->use_cts_prot) {
3840 		bss_conf->use_cts_prot = use_protection;
3841 		changed |= BSS_CHANGED_ERP_CTS_PROT;
3842 	}
3843 
3844 	if (use_short_preamble != bss_conf->use_short_preamble) {
3845 		bss_conf->use_short_preamble = use_short_preamble;
3846 		changed |= BSS_CHANGED_ERP_PREAMBLE;
3847 	}
3848 
3849 	if (use_short_slot != bss_conf->use_short_slot) {
3850 		bss_conf->use_short_slot = use_short_slot;
3851 		changed |= BSS_CHANGED_ERP_SLOT;
3852 	}
3853 
3854 	return changed;
3855 }
3856 
3857 static u64 ieee80211_link_set_associated(struct ieee80211_link_data *link,
3858 					 struct cfg80211_bss *cbss)
3859 {
3860 	struct ieee80211_sub_if_data *sdata = link->sdata;
3861 	struct ieee80211_bss_conf *bss_conf = link->conf;
3862 	struct ieee80211_bss *bss = (void *)cbss->priv;
3863 	u64 changed = BSS_CHANGED_QOS;
3864 
3865 	/* not really used in MLO */
3866 	sdata->u.mgd.beacon_timeout =
3867 		usecs_to_jiffies(ieee80211_tu_to_usec(beacon_loss_count *
3868 						      bss_conf->beacon_int));
3869 
3870 	changed |= ieee80211_handle_bss_capability(link,
3871 						   bss_conf->assoc_capability,
3872 						   bss->has_erp_value,
3873 						   bss->erp_value);
3874 
3875 	ieee80211_check_rate_mask(link);
3876 
3877 	link->conf->bss = cbss;
3878 	memcpy(link->u.mgd.bssid, cbss->bssid, ETH_ALEN);
3879 
3880 	if (sdata->vif.p2p ||
3881 	    sdata->vif.driver_flags & IEEE80211_VIF_GET_NOA_UPDATE) {
3882 		const struct cfg80211_bss_ies *ies;
3883 
3884 		rcu_read_lock();
3885 		ies = rcu_dereference(cbss->ies);
3886 		if (ies) {
3887 			int ret;
3888 
3889 			ret = cfg80211_get_p2p_attr(
3890 					ies->data, ies->len,
3891 					IEEE80211_P2P_ATTR_ABSENCE_NOTICE,
3892 					(u8 *) &bss_conf->p2p_noa_attr,
3893 					sizeof(bss_conf->p2p_noa_attr));
3894 			if (ret >= 2) {
3895 				link->u.mgd.p2p_noa_index =
3896 					bss_conf->p2p_noa_attr.index;
3897 				changed |= BSS_CHANGED_P2P_PS;
3898 			}
3899 		}
3900 		rcu_read_unlock();
3901 	}
3902 
3903 	if (link->u.mgd.have_beacon) {
3904 		bss_conf->beacon_rate = bss->beacon_rate;
3905 		changed |= BSS_CHANGED_BEACON_INFO;
3906 	} else {
3907 		bss_conf->beacon_rate = NULL;
3908 	}
3909 
3910 	/* Tell the driver to monitor connection quality (if supported) */
3911 	if (sdata->vif.driver_flags & IEEE80211_VIF_SUPPORTS_CQM_RSSI &&
3912 	    bss_conf->cqm_rssi_thold)
3913 		changed |= BSS_CHANGED_CQM;
3914 
3915 	return changed;
3916 }
3917 
3918 static void ieee80211_set_associated(struct ieee80211_sub_if_data *sdata,
3919 				     struct ieee80211_mgd_assoc_data *assoc_data,
3920 				     u64 changed[IEEE80211_MLD_MAX_NUM_LINKS])
3921 {
3922 	struct ieee80211_local *local = sdata->local;
3923 	struct ieee80211_vif_cfg *vif_cfg = &sdata->vif.cfg;
3924 	u64 vif_changed = BSS_CHANGED_ASSOC;
3925 	unsigned int link_id;
3926 
3927 	lockdep_assert_wiphy(local->hw.wiphy);
3928 
3929 	sdata->u.mgd.associated = true;
3930 
3931 	for (link_id = 0; link_id < IEEE80211_MLD_MAX_NUM_LINKS; link_id++) {
3932 		struct cfg80211_bss *cbss = assoc_data->link[link_id].bss;
3933 		struct ieee80211_link_data *link;
3934 
3935 		if (!cbss ||
3936 		    assoc_data->link[link_id].status != WLAN_STATUS_SUCCESS)
3937 			continue;
3938 
3939 		if (ieee80211_vif_is_mld(&sdata->vif) &&
3940 		    !(ieee80211_vif_usable_links(&sdata->vif) & BIT(link_id)))
3941 			continue;
3942 
3943 		link = sdata_dereference(sdata->link[link_id], sdata);
3944 		if (WARN_ON(!link))
3945 			return;
3946 
3947 		changed[link_id] |= ieee80211_link_set_associated(link, cbss);
3948 	}
3949 
3950 	/* just to be sure */
3951 	ieee80211_stop_poll(sdata);
3952 
3953 	ieee80211_led_assoc(local, 1);
3954 
3955 	vif_cfg->assoc = 1;
3956 
3957 	/* Enable ARP filtering */
3958 	if (vif_cfg->arp_addr_cnt)
3959 		vif_changed |= BSS_CHANGED_ARP_FILTER;
3960 
3961 	if (ieee80211_vif_is_mld(&sdata->vif)) {
3962 		for (link_id = 0;
3963 		     link_id < IEEE80211_MLD_MAX_NUM_LINKS;
3964 		     link_id++) {
3965 			struct ieee80211_link_data *link;
3966 			struct cfg80211_bss *cbss = assoc_data->link[link_id].bss;
3967 
3968 			if (!cbss ||
3969 			    !(BIT(link_id) &
3970 			      ieee80211_vif_usable_links(&sdata->vif)) ||
3971 			    assoc_data->link[link_id].status != WLAN_STATUS_SUCCESS)
3972 				continue;
3973 
3974 			link = sdata_dereference(sdata->link[link_id], sdata);
3975 			if (WARN_ON(!link))
3976 				return;
3977 
3978 			ieee80211_link_info_change_notify(sdata, link,
3979 							  changed[link_id]);
3980 
3981 			ieee80211_recalc_smps(sdata, link);
3982 		}
3983 
3984 		ieee80211_vif_cfg_change_notify(sdata, vif_changed);
3985 	} else {
3986 		ieee80211_bss_info_change_notify(sdata,
3987 						 vif_changed | changed[0]);
3988 	}
3989 
3990 	ieee80211_recalc_ps(local);
3991 
3992 	/* leave this here to not change ordering in non-MLO cases */
3993 	if (!ieee80211_vif_is_mld(&sdata->vif))
3994 		ieee80211_recalc_smps(sdata, &sdata->deflink);
3995 	ieee80211_recalc_ps_vif(sdata);
3996 
3997 	netif_carrier_on(sdata->dev);
3998 }
3999 
4000 static void ieee80211_ml_reconf_reset(struct ieee80211_sub_if_data *sdata)
4001 {
4002 	struct ieee80211_mgd_assoc_data *add_links_data =
4003 		sdata->u.mgd.reconf.add_links_data;
4004 
4005 	if (!ieee80211_vif_is_mld(&sdata->vif) ||
4006 	    !(sdata->u.mgd.reconf.added_links |
4007 	      sdata->u.mgd.reconf.removed_links))
4008 		return;
4009 
4010 	wiphy_delayed_work_cancel(sdata->local->hw.wiphy,
4011 				  &sdata->u.mgd.reconf.wk);
4012 	sdata->u.mgd.reconf.added_links = 0;
4013 	sdata->u.mgd.reconf.removed_links = 0;
4014 	sdata->u.mgd.reconf.dialog_token = 0;
4015 
4016 	if (add_links_data) {
4017 		struct cfg80211_mlo_reconf_done_data done_data = {};
4018 		u8 link_id;
4019 
4020 		for (link_id = 0; link_id < IEEE80211_MLD_MAX_NUM_LINKS;
4021 		     link_id++)
4022 			done_data.links[link_id].bss =
4023 				add_links_data->link[link_id].bss;
4024 
4025 		cfg80211_mlo_reconf_add_done(sdata->dev, &done_data);
4026 
4027 		kfree(sdata->u.mgd.reconf.add_links_data);
4028 		sdata->u.mgd.reconf.add_links_data = NULL;
4029 	}
4030 }
4031 
4032 static void ieee80211_set_disassoc(struct ieee80211_sub_if_data *sdata,
4033 				   u16 stype, u16 reason, bool tx,
4034 				   u8 *frame_buf)
4035 {
4036 	struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
4037 	struct ieee80211_local *local = sdata->local;
4038 	struct sta_info *ap_sta = sta_info_get(sdata, sdata->vif.cfg.ap_addr);
4039 	unsigned int link_id;
4040 	u64 changed = 0;
4041 	struct ieee80211_prep_tx_info info = {
4042 		.subtype = stype,
4043 		.was_assoc = true,
4044 		.link_id = ffs(sdata->vif.active_links) - 1,
4045 	};
4046 
4047 	lockdep_assert_wiphy(local->hw.wiphy);
4048 
4049 	if (frame_buf)
4050 		memset(frame_buf, 0, IEEE80211_DEAUTH_FRAME_LEN);
4051 
4052 	if (WARN_ON(!ap_sta))
4053 		return;
4054 
4055 	if (WARN_ON_ONCE(tx && !frame_buf))
4056 		return;
4057 
4058 	if (WARN_ON(!ifmgd->associated))
4059 		return;
4060 
4061 	ieee80211_stop_poll(sdata);
4062 
4063 	ifmgd->associated = false;
4064 
4065 	if (tx) {
4066 		bool tx_link_found = false;
4067 
4068 		for (link_id = 0;
4069 		     link_id < ARRAY_SIZE(sdata->link);
4070 		     link_id++) {
4071 			struct ieee80211_link_data *link;
4072 
4073 			if (!ieee80211_vif_link_active(&sdata->vif, link_id))
4074 				continue;
4075 
4076 			link = sdata_dereference(sdata->link[link_id], sdata);
4077 			if (WARN_ON_ONCE(!link))
4078 				continue;
4079 
4080 			if (link->u.mgd.csa.blocked_tx)
4081 				continue;
4082 
4083 			tx_link_found = true;
4084 			break;
4085 		}
4086 
4087 		tx = tx_link_found;
4088 	}
4089 
4090 	/* other links will be destroyed */
4091 	sdata->deflink.conf->bss = NULL;
4092 	sdata->deflink.conf->epcs_support = false;
4093 	sdata->deflink.smps_mode = IEEE80211_SMPS_OFF;
4094 
4095 	netif_carrier_off(sdata->dev);
4096 
4097 	/*
4098 	 * if we want to get out of ps before disassoc (why?) we have
4099 	 * to do it before sending disassoc, as otherwise the null-packet
4100 	 * won't be valid.
4101 	 */
4102 	if (local->hw.conf.flags & IEEE80211_CONF_PS) {
4103 		local->hw.conf.flags &= ~IEEE80211_CONF_PS;
4104 		ieee80211_hw_config(local, -1, IEEE80211_CONF_CHANGE_PS);
4105 	}
4106 	local->ps_sdata = NULL;
4107 
4108 	/* disable per-vif ps */
4109 	ieee80211_recalc_ps_vif(sdata);
4110 
4111 	/* make sure ongoing transmission finishes */
4112 	synchronize_net();
4113 
4114 	/*
4115 	 * drop any frame before deauth/disassoc, this can be data or
4116 	 * management frame. Since we are disconnecting, we should not
4117 	 * insist sending these frames which can take time and delay
4118 	 * the disconnection and possible the roaming.
4119 	 */
4120 	ieee80211_flush_queues(local, sdata, true);
4121 
4122 	if (tx) {
4123 		drv_mgd_prepare_tx(sdata->local, sdata, &info);
4124 
4125 		ieee80211_send_deauth_disassoc(sdata, sdata->vif.cfg.ap_addr,
4126 					       sdata->vif.cfg.ap_addr, stype,
4127 					       reason, true, frame_buf);
4128 
4129 		/* flush out frame - make sure the deauth was actually sent */
4130 		ieee80211_flush_queues(local, sdata, false);
4131 
4132 		drv_mgd_complete_tx(sdata->local, sdata, &info);
4133 	} else if (frame_buf) {
4134 		ieee80211_send_deauth_disassoc(sdata, sdata->vif.cfg.ap_addr,
4135 					       sdata->vif.cfg.ap_addr, stype,
4136 					       reason, false, frame_buf);
4137 	}
4138 
4139 	/* clear AP addr only after building the needed mgmt frames */
4140 	eth_zero_addr(sdata->deflink.u.mgd.bssid);
4141 	eth_zero_addr(sdata->vif.cfg.ap_addr);
4142 
4143 	sdata->vif.cfg.ssid_len = 0;
4144 
4145 	/* Remove TDLS peers */
4146 	__sta_info_flush(sdata, false, -1, ap_sta);
4147 
4148 	if (sdata->vif.driver_flags & IEEE80211_VIF_REMOVE_AP_AFTER_DISASSOC) {
4149 		/* Only move the AP state */
4150 		sta_info_move_state(ap_sta, IEEE80211_STA_NONE);
4151 	} else {
4152 		/* Remove AP peer */
4153 		sta_info_flush(sdata, -1);
4154 	}
4155 
4156 	/* finally reset all BSS / config parameters */
4157 	if (!ieee80211_vif_is_mld(&sdata->vif))
4158 		changed |= ieee80211_reset_erp_info(sdata);
4159 
4160 	ieee80211_led_assoc(local, 0);
4161 	changed |= BSS_CHANGED_ASSOC;
4162 	sdata->vif.cfg.assoc = false;
4163 
4164 	sdata->deflink.u.mgd.p2p_noa_index = -1;
4165 	memset(&sdata->vif.bss_conf.p2p_noa_attr, 0,
4166 	       sizeof(sdata->vif.bss_conf.p2p_noa_attr));
4167 
4168 	/* on the next assoc, re-program HT/VHT parameters */
4169 	memset(&ifmgd->ht_capa, 0, sizeof(ifmgd->ht_capa));
4170 	memset(&ifmgd->ht_capa_mask, 0, sizeof(ifmgd->ht_capa_mask));
4171 	memset(&ifmgd->vht_capa, 0, sizeof(ifmgd->vht_capa));
4172 	memset(&ifmgd->vht_capa_mask, 0, sizeof(ifmgd->vht_capa_mask));
4173 
4174 	/*
4175 	 * reset MU-MIMO ownership and group data in default link,
4176 	 * if used, other links are destroyed
4177 	 */
4178 	memset(sdata->vif.bss_conf.mu_group.membership, 0,
4179 	       sizeof(sdata->vif.bss_conf.mu_group.membership));
4180 	memset(sdata->vif.bss_conf.mu_group.position, 0,
4181 	       sizeof(sdata->vif.bss_conf.mu_group.position));
4182 	if (!ieee80211_vif_is_mld(&sdata->vif))
4183 		changed |= BSS_CHANGED_MU_GROUPS;
4184 	sdata->vif.bss_conf.mu_mimo_owner = false;
4185 
4186 	sdata->deflink.ap_power_level = IEEE80211_UNSET_POWER_LEVEL;
4187 
4188 	timer_delete_sync(&local->dynamic_ps_timer);
4189 	wiphy_work_cancel(local->hw.wiphy, &local->dynamic_ps_enable_work);
4190 
4191 	/* Disable ARP filtering */
4192 	if (sdata->vif.cfg.arp_addr_cnt)
4193 		changed |= BSS_CHANGED_ARP_FILTER;
4194 
4195 	sdata->vif.bss_conf.qos = false;
4196 	if (!ieee80211_vif_is_mld(&sdata->vif)) {
4197 		changed |= BSS_CHANGED_QOS;
4198 		/* The BSSID (not really interesting) and HT changed */
4199 		changed |= BSS_CHANGED_BSSID | BSS_CHANGED_HT;
4200 		ieee80211_bss_info_change_notify(sdata, changed);
4201 	} else {
4202 		ieee80211_vif_cfg_change_notify(sdata, changed);
4203 	}
4204 
4205 	if (sdata->vif.driver_flags & IEEE80211_VIF_REMOVE_AP_AFTER_DISASSOC) {
4206 		/*
4207 		 * After notifying the driver about the disassoc,
4208 		 * remove the ap sta.
4209 		 */
4210 		sta_info_flush(sdata, -1);
4211 	}
4212 
4213 	/* disassociated - set to defaults now */
4214 	ieee80211_set_wmm_default(&sdata->deflink, false, false);
4215 
4216 	timer_delete_sync(&sdata->u.mgd.conn_mon_timer);
4217 	timer_delete_sync(&sdata->u.mgd.bcn_mon_timer);
4218 	timer_delete_sync(&sdata->u.mgd.timer);
4219 
4220 	sdata->vif.bss_conf.dtim_period = 0;
4221 	sdata->vif.bss_conf.beacon_rate = NULL;
4222 
4223 	sdata->deflink.u.mgd.have_beacon = false;
4224 	sdata->deflink.u.mgd.tracking_signal_avg = false;
4225 	sdata->deflink.u.mgd.disable_wmm_tracking = false;
4226 
4227 	ifmgd->flags = 0;
4228 
4229 	for (link_id = 0; link_id < ARRAY_SIZE(sdata->link); link_id++) {
4230 		struct ieee80211_link_data *link;
4231 
4232 		link = sdata_dereference(sdata->link[link_id], sdata);
4233 		if (!link)
4234 			continue;
4235 		ieee80211_link_release_channel(link);
4236 	}
4237 
4238 	sdata->vif.bss_conf.csa_active = false;
4239 	sdata->deflink.u.mgd.csa.blocked_tx = false;
4240 	sdata->deflink.u.mgd.csa.waiting_bcn = false;
4241 	sdata->deflink.u.mgd.csa.ignored_same_chan = false;
4242 	ieee80211_vif_unblock_queues_csa(sdata);
4243 
4244 	/* existing TX TSPEC sessions no longer exist */
4245 	memset(ifmgd->tx_tspec, 0, sizeof(ifmgd->tx_tspec));
4246 	wiphy_delayed_work_cancel(local->hw.wiphy, &ifmgd->tx_tspec_wk);
4247 
4248 	sdata->vif.bss_conf.power_type = IEEE80211_REG_UNSET_AP;
4249 	sdata->vif.bss_conf.pwr_reduction = 0;
4250 	ieee80211_clear_tpe(&sdata->vif.bss_conf.tpe);
4251 
4252 	sdata->vif.cfg.eml_cap = 0;
4253 	sdata->vif.cfg.eml_med_sync_delay = 0;
4254 	sdata->vif.cfg.mld_capa_op = 0;
4255 
4256 	memset(&sdata->u.mgd.ttlm_info, 0,
4257 	       sizeof(sdata->u.mgd.ttlm_info));
4258 	wiphy_hrtimer_work_cancel(sdata->local->hw.wiphy, &ifmgd->ttlm_work);
4259 
4260 	memset(&sdata->vif.neg_ttlm, 0, sizeof(sdata->vif.neg_ttlm));
4261 	wiphy_delayed_work_cancel(sdata->local->hw.wiphy,
4262 				  &ifmgd->neg_ttlm_timeout_work);
4263 
4264 	sdata->u.mgd.removed_links = 0;
4265 	wiphy_hrtimer_work_cancel(sdata->local->hw.wiphy,
4266 				  &sdata->u.mgd.ml_reconf_work);
4267 
4268 	wiphy_work_cancel(sdata->local->hw.wiphy,
4269 			  &ifmgd->teardown_ttlm_work);
4270 
4271 	/* if disconnection happens in the middle of the ML reconfiguration
4272 	 * flow, cfg80211 must called to release the BSS references obtained
4273 	 * when the flow started.
4274 	 */
4275 	ieee80211_ml_reconf_reset(sdata);
4276 
4277 	ieee80211_vif_set_links(sdata, 0, 0);
4278 
4279 	ifmgd->mcast_seq_last = IEEE80211_SN_MODULO;
4280 
4281 	ifmgd->epcs.enabled = false;
4282 	ifmgd->epcs.dialog_token = 0;
4283 
4284 	memset(ifmgd->userspace_selectors, 0,
4285 	       sizeof(ifmgd->userspace_selectors));
4286 }
4287 
4288 static void ieee80211_reset_ap_probe(struct ieee80211_sub_if_data *sdata)
4289 {
4290 	struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
4291 	struct ieee80211_local *local = sdata->local;
4292 
4293 	lockdep_assert_wiphy(local->hw.wiphy);
4294 
4295 	if (!(ifmgd->flags & IEEE80211_STA_CONNECTION_POLL))
4296 		return;
4297 
4298 	__ieee80211_stop_poll(sdata);
4299 
4300 	ieee80211_recalc_ps(local);
4301 
4302 	if (ieee80211_hw_check(&sdata->local->hw, CONNECTION_MONITOR))
4303 		return;
4304 
4305 	/*
4306 	 * We've received a probe response, but are not sure whether
4307 	 * we have or will be receiving any beacons or data, so let's
4308 	 * schedule the timers again, just in case.
4309 	 */
4310 	ieee80211_sta_reset_beacon_monitor(sdata);
4311 
4312 	mod_timer(&ifmgd->conn_mon_timer,
4313 		  round_jiffies_up(jiffies +
4314 				   IEEE80211_CONNECTION_IDLE_TIME));
4315 }
4316 
4317 static void ieee80211_sta_tx_wmm_ac_notify(struct ieee80211_sub_if_data *sdata,
4318 					   struct ieee80211_hdr *hdr,
4319 					   u16 tx_time)
4320 {
4321 	struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
4322 	u16 tid;
4323 	int ac;
4324 	struct ieee80211_sta_tx_tspec *tx_tspec;
4325 	unsigned long now = jiffies;
4326 
4327 	if (!ieee80211_is_data_qos(hdr->frame_control))
4328 		return;
4329 
4330 	tid = ieee80211_get_tid(hdr);
4331 	ac = ieee80211_ac_from_tid(tid);
4332 	tx_tspec = &ifmgd->tx_tspec[ac];
4333 
4334 	if (likely(!tx_tspec->admitted_time))
4335 		return;
4336 
4337 	if (time_after(now, tx_tspec->time_slice_start + HZ)) {
4338 		tx_tspec->consumed_tx_time = 0;
4339 		tx_tspec->time_slice_start = now;
4340 
4341 		if (tx_tspec->downgraded) {
4342 			tx_tspec->action = TX_TSPEC_ACTION_STOP_DOWNGRADE;
4343 			wiphy_delayed_work_queue(sdata->local->hw.wiphy,
4344 						 &ifmgd->tx_tspec_wk, 0);
4345 		}
4346 	}
4347 
4348 	if (tx_tspec->downgraded)
4349 		return;
4350 
4351 	tx_tspec->consumed_tx_time += tx_time;
4352 
4353 	if (tx_tspec->consumed_tx_time >= tx_tspec->admitted_time) {
4354 		tx_tspec->downgraded = true;
4355 		tx_tspec->action = TX_TSPEC_ACTION_DOWNGRADE;
4356 		wiphy_delayed_work_queue(sdata->local->hw.wiphy,
4357 					 &ifmgd->tx_tspec_wk, 0);
4358 	}
4359 }
4360 
4361 void ieee80211_sta_tx_notify(struct ieee80211_sub_if_data *sdata,
4362 			     struct ieee80211_hdr *hdr, bool ack, u16 tx_time)
4363 {
4364 	ieee80211_sta_tx_wmm_ac_notify(sdata, hdr, tx_time);
4365 
4366 	if (!ieee80211_is_any_nullfunc(hdr->frame_control) ||
4367 	    !sdata->u.mgd.probe_send_count)
4368 		return;
4369 
4370 	if (ack)
4371 		sdata->u.mgd.probe_send_count = 0;
4372 	else
4373 		sdata->u.mgd.nullfunc_failed = true;
4374 	wiphy_work_queue(sdata->local->hw.wiphy, &sdata->work);
4375 }
4376 
4377 static void ieee80211_mlme_send_probe_req(struct ieee80211_sub_if_data *sdata,
4378 					  const u8 *src, const u8 *dst,
4379 					  const u8 *ssid, size_t ssid_len,
4380 					  struct ieee80211_channel *channel)
4381 {
4382 	struct sk_buff *skb;
4383 
4384 	skb = ieee80211_build_probe_req(sdata, src, dst, (u32)-1, channel,
4385 					ssid, ssid_len, NULL, 0,
4386 					IEEE80211_PROBE_FLAG_DIRECTED);
4387 	if (skb)
4388 		ieee80211_tx_skb(sdata, skb);
4389 }
4390 
4391 static void ieee80211_mgd_probe_ap_send(struct ieee80211_sub_if_data *sdata)
4392 {
4393 	struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
4394 	u8 *dst = sdata->vif.cfg.ap_addr;
4395 	u8 unicast_limit = max(1, max_probe_tries - 3);
4396 	struct sta_info *sta;
4397 
4398 	lockdep_assert_wiphy(sdata->local->hw.wiphy);
4399 
4400 	/*
4401 	 * Try sending broadcast probe requests for the last three
4402 	 * probe requests after the first ones failed since some
4403 	 * buggy APs only support broadcast probe requests.
4404 	 */
4405 	if (ifmgd->probe_send_count >= unicast_limit)
4406 		dst = NULL;
4407 
4408 	/*
4409 	 * When the hardware reports an accurate Tx ACK status, it's
4410 	 * better to send a nullfunc frame instead of a probe request,
4411 	 * as it will kick us off the AP quickly if we aren't associated
4412 	 * anymore. The timeout will be reset if the frame is ACKed by
4413 	 * the AP.
4414 	 */
4415 	ifmgd->probe_send_count++;
4416 
4417 	if (dst) {
4418 		sta = sta_info_get(sdata, dst);
4419 		if (!WARN_ON(!sta))
4420 			ieee80211_check_fast_rx(sta);
4421 	}
4422 
4423 	if (ieee80211_hw_check(&sdata->local->hw, REPORTS_TX_ACK_STATUS)) {
4424 		ifmgd->nullfunc_failed = false;
4425 		ieee80211_send_nullfunc(sdata->local, sdata, false);
4426 	} else {
4427 		ieee80211_mlme_send_probe_req(sdata, sdata->vif.addr, dst,
4428 					      sdata->vif.cfg.ssid,
4429 					      sdata->vif.cfg.ssid_len,
4430 					      sdata->deflink.conf->bss->channel);
4431 	}
4432 
4433 	ifmgd->probe_timeout = jiffies + msecs_to_jiffies(probe_wait_ms);
4434 	run_again(sdata, ifmgd->probe_timeout);
4435 }
4436 
4437 static void ieee80211_mgd_probe_ap(struct ieee80211_sub_if_data *sdata,
4438 				   bool beacon)
4439 {
4440 	struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
4441 	bool already = false;
4442 
4443 	lockdep_assert_wiphy(sdata->local->hw.wiphy);
4444 
4445 	if (!ieee80211_sdata_running(sdata))
4446 		return;
4447 
4448 	if (!ifmgd->associated)
4449 		return;
4450 
4451 	if (sdata->local->tmp_channel || sdata->local->scanning)
4452 		return;
4453 
4454 	if (sdata->local->suspending) {
4455 		/* reschedule after resume */
4456 		ieee80211_reset_ap_probe(sdata);
4457 		return;
4458 	}
4459 
4460 	if (beacon) {
4461 		mlme_dbg_ratelimited(sdata,
4462 				     "detected beacon loss from AP (missed %d beacons) - probing\n",
4463 				     beacon_loss_count);
4464 
4465 		ieee80211_cqm_beacon_loss_notify(&sdata->vif, GFP_KERNEL);
4466 	}
4467 
4468 	/*
4469 	 * The driver/our work has already reported this event or the
4470 	 * connection monitoring has kicked in and we have already sent
4471 	 * a probe request. Or maybe the AP died and the driver keeps
4472 	 * reporting until we disassociate...
4473 	 *
4474 	 * In either case we have to ignore the current call to this
4475 	 * function (except for setting the correct probe reason bit)
4476 	 * because otherwise we would reset the timer every time and
4477 	 * never check whether we received a probe response!
4478 	 */
4479 	if (ifmgd->flags & IEEE80211_STA_CONNECTION_POLL)
4480 		already = true;
4481 
4482 	ifmgd->flags |= IEEE80211_STA_CONNECTION_POLL;
4483 
4484 	if (already)
4485 		return;
4486 
4487 	ieee80211_recalc_ps(sdata->local);
4488 
4489 	ifmgd->probe_send_count = 0;
4490 	ieee80211_mgd_probe_ap_send(sdata);
4491 }
4492 
4493 struct sk_buff *ieee80211_ap_probereq_get(struct ieee80211_hw *hw,
4494 					  struct ieee80211_vif *vif)
4495 {
4496 	struct ieee80211_sub_if_data *sdata = vif_to_sdata(vif);
4497 	struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
4498 	struct cfg80211_bss *cbss;
4499 	struct sk_buff *skb;
4500 	const struct element *ssid;
4501 	int ssid_len;
4502 
4503 	lockdep_assert_wiphy(sdata->local->hw.wiphy);
4504 
4505 	if (WARN_ON(sdata->vif.type != NL80211_IFTYPE_STATION ||
4506 		    ieee80211_vif_is_mld(&sdata->vif)))
4507 		return NULL;
4508 
4509 	if (ifmgd->associated)
4510 		cbss = sdata->deflink.conf->bss;
4511 	else if (ifmgd->auth_data)
4512 		cbss = ifmgd->auth_data->bss;
4513 	else if (ifmgd->assoc_data && ifmgd->assoc_data->link[0].bss)
4514 		cbss = ifmgd->assoc_data->link[0].bss;
4515 	else
4516 		return NULL;
4517 
4518 	rcu_read_lock();
4519 	ssid = ieee80211_bss_get_elem(cbss, WLAN_EID_SSID);
4520 	if (WARN_ONCE(!ssid || ssid->datalen > IEEE80211_MAX_SSID_LEN,
4521 		      "invalid SSID element (len=%d)",
4522 		      ssid ? ssid->datalen : -1))
4523 		ssid_len = 0;
4524 	else
4525 		ssid_len = ssid->datalen;
4526 
4527 	skb = ieee80211_build_probe_req(sdata, sdata->vif.addr, cbss->bssid,
4528 					(u32) -1, cbss->channel,
4529 					ssid->data, ssid_len,
4530 					NULL, 0, IEEE80211_PROBE_FLAG_DIRECTED);
4531 	rcu_read_unlock();
4532 
4533 	return skb;
4534 }
4535 EXPORT_SYMBOL(ieee80211_ap_probereq_get);
4536 
4537 static void ieee80211_report_disconnect(struct ieee80211_sub_if_data *sdata,
4538 					const u8 *buf, size_t len, bool tx,
4539 					u16 reason, bool reconnect)
4540 {
4541 	struct ieee80211_event event = {
4542 		.type = MLME_EVENT,
4543 		.u.mlme.data = tx ? DEAUTH_TX_EVENT : DEAUTH_RX_EVENT,
4544 		.u.mlme.reason = reason,
4545 	};
4546 
4547 	if (tx)
4548 		cfg80211_tx_mlme_mgmt(sdata->dev, buf, len, reconnect);
4549 	else
4550 		cfg80211_rx_mlme_mgmt(sdata->dev, buf, len);
4551 
4552 	drv_event_callback(sdata->local, sdata, &event);
4553 }
4554 
4555 static void __ieee80211_disconnect(struct ieee80211_sub_if_data *sdata)
4556 {
4557 	struct ieee80211_local *local = sdata->local;
4558 	struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
4559 	u8 frame_buf[IEEE80211_DEAUTH_FRAME_LEN];
4560 
4561 	lockdep_assert_wiphy(local->hw.wiphy);
4562 
4563 	if (!ifmgd->associated)
4564 		return;
4565 
4566 	if (!ifmgd->driver_disconnect) {
4567 		unsigned int link_id;
4568 
4569 		/*
4570 		 * AP is probably out of range (or not reachable for another
4571 		 * reason) so remove the bss structs for that AP. In the case
4572 		 * of multi-link, it's not clear that all of them really are
4573 		 * out of range, but if they weren't the driver likely would
4574 		 * have switched to just have a single link active?
4575 		 */
4576 		for (link_id = 0;
4577 		     link_id < ARRAY_SIZE(sdata->link);
4578 		     link_id++) {
4579 			struct ieee80211_link_data *link;
4580 
4581 			link = sdata_dereference(sdata->link[link_id], sdata);
4582 			if (!link || !link->conf->bss)
4583 				continue;
4584 			cfg80211_unlink_bss(local->hw.wiphy, link->conf->bss);
4585 			link->conf->bss = NULL;
4586 		}
4587 	}
4588 
4589 	ieee80211_set_disassoc(sdata, IEEE80211_STYPE_DEAUTH,
4590 			       ifmgd->driver_disconnect ?
4591 					WLAN_REASON_DEAUTH_LEAVING :
4592 					WLAN_REASON_DISASSOC_DUE_TO_INACTIVITY,
4593 			       true, frame_buf);
4594 	/* the other links will be destroyed */
4595 	sdata->vif.bss_conf.csa_active = false;
4596 	sdata->deflink.u.mgd.csa.waiting_bcn = false;
4597 	sdata->deflink.u.mgd.csa.blocked_tx = false;
4598 	ieee80211_vif_unblock_queues_csa(sdata);
4599 
4600 	ieee80211_report_disconnect(sdata, frame_buf, sizeof(frame_buf), true,
4601 				    WLAN_REASON_DISASSOC_DUE_TO_INACTIVITY,
4602 				    ifmgd->reconnect);
4603 	ifmgd->reconnect = false;
4604 }
4605 
4606 static void ieee80211_beacon_connection_loss_work(struct wiphy *wiphy,
4607 						  struct wiphy_work *work)
4608 {
4609 	struct ieee80211_sub_if_data *sdata =
4610 		container_of(work, struct ieee80211_sub_if_data,
4611 			     u.mgd.beacon_connection_loss_work);
4612 	struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
4613 
4614 	if (ifmgd->connection_loss) {
4615 		sdata_info(sdata, "Connection to AP %pM lost\n",
4616 			   sdata->vif.cfg.ap_addr);
4617 		__ieee80211_disconnect(sdata);
4618 		ifmgd->connection_loss = false;
4619 	} else if (ifmgd->driver_disconnect) {
4620 		sdata_info(sdata,
4621 			   "Driver requested disconnection from AP %pM\n",
4622 			   sdata->vif.cfg.ap_addr);
4623 		__ieee80211_disconnect(sdata);
4624 		ifmgd->driver_disconnect = false;
4625 	} else {
4626 		if (ifmgd->associated)
4627 			sdata->deflink.u.mgd.beacon_loss_count++;
4628 		ieee80211_mgd_probe_ap(sdata, true);
4629 	}
4630 }
4631 
4632 static void ieee80211_csa_connection_drop_work(struct wiphy *wiphy,
4633 					       struct wiphy_work *work)
4634 {
4635 	struct ieee80211_sub_if_data *sdata =
4636 		container_of(work, struct ieee80211_sub_if_data,
4637 			     u.mgd.csa_connection_drop_work);
4638 
4639 	__ieee80211_disconnect(sdata);
4640 }
4641 
4642 void ieee80211_beacon_loss(struct ieee80211_vif *vif)
4643 {
4644 	struct ieee80211_sub_if_data *sdata = vif_to_sdata(vif);
4645 	struct ieee80211_hw *hw = &sdata->local->hw;
4646 
4647 	trace_api_beacon_loss(sdata);
4648 
4649 	sdata->u.mgd.connection_loss = false;
4650 	wiphy_work_queue(hw->wiphy, &sdata->u.mgd.beacon_connection_loss_work);
4651 }
4652 EXPORT_SYMBOL(ieee80211_beacon_loss);
4653 
4654 void ieee80211_connection_loss(struct ieee80211_vif *vif)
4655 {
4656 	struct ieee80211_sub_if_data *sdata;
4657 	struct ieee80211_hw *hw;
4658 
4659 	KUNIT_STATIC_STUB_REDIRECT(ieee80211_connection_loss, vif);
4660 
4661 	sdata = vif_to_sdata(vif);
4662 	hw = &sdata->local->hw;
4663 
4664 	trace_api_connection_loss(sdata);
4665 
4666 	sdata->u.mgd.connection_loss = true;
4667 	wiphy_work_queue(hw->wiphy, &sdata->u.mgd.beacon_connection_loss_work);
4668 }
4669 EXPORT_SYMBOL(ieee80211_connection_loss);
4670 
4671 void ieee80211_disconnect(struct ieee80211_vif *vif, bool reconnect)
4672 {
4673 	struct ieee80211_sub_if_data *sdata = vif_to_sdata(vif);
4674 	struct ieee80211_hw *hw = &sdata->local->hw;
4675 
4676 	trace_api_disconnect(sdata, reconnect);
4677 
4678 	if (WARN_ON(sdata->vif.type != NL80211_IFTYPE_STATION))
4679 		return;
4680 
4681 	sdata->u.mgd.driver_disconnect = true;
4682 	sdata->u.mgd.reconnect = reconnect;
4683 	wiphy_work_queue(hw->wiphy, &sdata->u.mgd.beacon_connection_loss_work);
4684 }
4685 EXPORT_SYMBOL(ieee80211_disconnect);
4686 
4687 static void ieee80211_destroy_auth_data(struct ieee80211_sub_if_data *sdata,
4688 					bool assoc)
4689 {
4690 	struct ieee80211_mgd_auth_data *auth_data = sdata->u.mgd.auth_data;
4691 
4692 	lockdep_assert_wiphy(sdata->local->hw.wiphy);
4693 
4694 	sdata->u.mgd.auth_data = NULL;
4695 
4696 	if (!assoc) {
4697 		/*
4698 		 * we are not authenticated yet, the only timer that could be
4699 		 * running is the timeout for the authentication response which
4700 		 * which is not relevant anymore.
4701 		 */
4702 		timer_delete_sync(&sdata->u.mgd.timer);
4703 		sta_info_destroy_addr(sdata, auth_data->ap_addr);
4704 
4705 		/* other links are destroyed */
4706 		eth_zero_addr(sdata->deflink.u.mgd.bssid);
4707 		ieee80211_link_info_change_notify(sdata, &sdata->deflink,
4708 						  BSS_CHANGED_BSSID);
4709 		sdata->u.mgd.flags = 0;
4710 
4711 		ieee80211_link_release_channel(&sdata->deflink);
4712 		ieee80211_vif_set_links(sdata, 0, 0);
4713 	}
4714 
4715 	cfg80211_put_bss(sdata->local->hw.wiphy, auth_data->bss);
4716 	kfree(auth_data);
4717 }
4718 
4719 enum assoc_status {
4720 	ASSOC_SUCCESS,
4721 	ASSOC_REJECTED,
4722 	ASSOC_TIMEOUT,
4723 	ASSOC_ABANDON,
4724 };
4725 
4726 static void ieee80211_destroy_assoc_data(struct ieee80211_sub_if_data *sdata,
4727 					 enum assoc_status status)
4728 {
4729 	struct ieee80211_mgd_assoc_data *assoc_data = sdata->u.mgd.assoc_data;
4730 
4731 	lockdep_assert_wiphy(sdata->local->hw.wiphy);
4732 
4733 	sdata->u.mgd.assoc_data = NULL;
4734 
4735 	if (status != ASSOC_SUCCESS) {
4736 		/*
4737 		 * we are not associated yet, the only timer that could be
4738 		 * running is the timeout for the association response which
4739 		 * which is not relevant anymore.
4740 		 */
4741 		timer_delete_sync(&sdata->u.mgd.timer);
4742 		sta_info_destroy_addr(sdata, assoc_data->ap_addr);
4743 
4744 		eth_zero_addr(sdata->deflink.u.mgd.bssid);
4745 		ieee80211_link_info_change_notify(sdata, &sdata->deflink,
4746 						  BSS_CHANGED_BSSID);
4747 		sdata->u.mgd.flags = 0;
4748 		sdata->vif.bss_conf.mu_mimo_owner = false;
4749 
4750 		if (status != ASSOC_REJECTED) {
4751 			struct cfg80211_assoc_failure data = {
4752 				.timeout = status == ASSOC_TIMEOUT,
4753 			};
4754 			int i;
4755 
4756 			BUILD_BUG_ON(ARRAY_SIZE(data.bss) !=
4757 				     ARRAY_SIZE(assoc_data->link));
4758 
4759 			for (i = 0; i < ARRAY_SIZE(data.bss); i++)
4760 				data.bss[i] = assoc_data->link[i].bss;
4761 
4762 			if (ieee80211_vif_is_mld(&sdata->vif))
4763 				data.ap_mld_addr = assoc_data->ap_addr;
4764 
4765 			cfg80211_assoc_failure(sdata->dev, &data);
4766 		}
4767 
4768 		ieee80211_link_release_channel(&sdata->deflink);
4769 		ieee80211_vif_set_links(sdata, 0, 0);
4770 	}
4771 
4772 	kfree(assoc_data);
4773 }
4774 
4775 static void ieee80211_auth_challenge(struct ieee80211_sub_if_data *sdata,
4776 				     struct ieee80211_mgmt *mgmt, size_t len)
4777 {
4778 	struct ieee80211_local *local = sdata->local;
4779 	struct ieee80211_mgd_auth_data *auth_data = sdata->u.mgd.auth_data;
4780 	const struct element *challenge;
4781 	u8 *pos;
4782 	u32 tx_flags = 0;
4783 	struct ieee80211_prep_tx_info info = {
4784 		.subtype = IEEE80211_STYPE_AUTH,
4785 		.link_id = auth_data->link_id,
4786 	};
4787 
4788 	pos = mgmt->u.auth.variable;
4789 	challenge = cfg80211_find_elem(WLAN_EID_CHALLENGE, pos,
4790 				       len - (pos - (u8 *)mgmt));
4791 	if (!challenge)
4792 		return;
4793 	auth_data->expected_transaction = 4;
4794 	drv_mgd_prepare_tx(sdata->local, sdata, &info);
4795 	if (ieee80211_hw_check(&local->hw, REPORTS_TX_ACK_STATUS))
4796 		tx_flags = IEEE80211_TX_CTL_REQ_TX_STATUS |
4797 			   IEEE80211_TX_INTFL_MLME_CONN_TX;
4798 	ieee80211_send_auth(sdata, 3, auth_data->algorithm, 0,
4799 			    (void *)challenge,
4800 			    challenge->datalen + sizeof(*challenge),
4801 			    auth_data->ap_addr, auth_data->ap_addr,
4802 			    auth_data->key, auth_data->key_len,
4803 			    auth_data->key_idx, tx_flags);
4804 }
4805 
4806 static bool ieee80211_mark_sta_auth(struct ieee80211_sub_if_data *sdata)
4807 {
4808 	struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
4809 	const u8 *ap_addr = ifmgd->auth_data->ap_addr;
4810 	struct sta_info *sta;
4811 
4812 	lockdep_assert_wiphy(sdata->local->hw.wiphy);
4813 
4814 	sdata_info(sdata, "authenticated\n");
4815 	ifmgd->auth_data->done = true;
4816 	ifmgd->auth_data->timeout = jiffies + IEEE80211_AUTH_WAIT_ASSOC;
4817 	ifmgd->auth_data->timeout_started = true;
4818 	run_again(sdata, ifmgd->auth_data->timeout);
4819 
4820 	/* move station state to auth */
4821 	sta = sta_info_get(sdata, ap_addr);
4822 	if (!sta) {
4823 		WARN_ONCE(1, "%s: STA %pM not found", sdata->name, ap_addr);
4824 		return false;
4825 	}
4826 	if (sta_info_move_state(sta, IEEE80211_STA_AUTH)) {
4827 		sdata_info(sdata, "failed moving %pM to auth\n", ap_addr);
4828 		return false;
4829 	}
4830 
4831 	return true;
4832 }
4833 
4834 static void ieee80211_rx_mgmt_auth(struct ieee80211_sub_if_data *sdata,
4835 				   struct ieee80211_mgmt *mgmt, size_t len)
4836 {
4837 	struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
4838 	u16 auth_alg, auth_transaction, status_code;
4839 	struct ieee80211_event event = {
4840 		.type = MLME_EVENT,
4841 		.u.mlme.data = AUTH_EVENT,
4842 	};
4843 	struct ieee80211_prep_tx_info info = {
4844 		.subtype = IEEE80211_STYPE_AUTH,
4845 	};
4846 	bool sae_need_confirm = false;
4847 
4848 	lockdep_assert_wiphy(sdata->local->hw.wiphy);
4849 
4850 	if (len < 24 + 6)
4851 		return;
4852 
4853 	if (!ifmgd->auth_data || ifmgd->auth_data->done)
4854 		return;
4855 
4856 	if (!ether_addr_equal(ifmgd->auth_data->ap_addr, mgmt->bssid))
4857 		return;
4858 
4859 	auth_alg = le16_to_cpu(mgmt->u.auth.auth_alg);
4860 	auth_transaction = le16_to_cpu(mgmt->u.auth.auth_transaction);
4861 	status_code = le16_to_cpu(mgmt->u.auth.status_code);
4862 
4863 	info.link_id = ifmgd->auth_data->link_id;
4864 
4865 	if (auth_alg != ifmgd->auth_data->algorithm ||
4866 	    (auth_alg != WLAN_AUTH_SAE &&
4867 	     auth_transaction != ifmgd->auth_data->expected_transaction) ||
4868 	    (auth_alg == WLAN_AUTH_SAE &&
4869 	     (auth_transaction < ifmgd->auth_data->expected_transaction ||
4870 	      auth_transaction > 2))) {
4871 		sdata_info(sdata, "%pM unexpected authentication state: alg %d (expected %d) transact %d (expected %d)\n",
4872 			   mgmt->sa, auth_alg, ifmgd->auth_data->algorithm,
4873 			   auth_transaction,
4874 			   ifmgd->auth_data->expected_transaction);
4875 		goto notify_driver;
4876 	}
4877 
4878 	if (status_code != WLAN_STATUS_SUCCESS) {
4879 		cfg80211_rx_mlme_mgmt(sdata->dev, (u8 *)mgmt, len);
4880 
4881 		if (auth_alg == WLAN_AUTH_SAE &&
4882 		    (status_code == WLAN_STATUS_ANTI_CLOG_REQUIRED ||
4883 		     (auth_transaction == 1 &&
4884 		      (status_code == WLAN_STATUS_SAE_HASH_TO_ELEMENT ||
4885 		       status_code == WLAN_STATUS_SAE_PK)))) {
4886 			/* waiting for userspace now */
4887 			ifmgd->auth_data->waiting = true;
4888 			ifmgd->auth_data->timeout =
4889 				jiffies + IEEE80211_AUTH_WAIT_SAE_RETRY;
4890 			ifmgd->auth_data->timeout_started = true;
4891 			run_again(sdata, ifmgd->auth_data->timeout);
4892 			if (auth_transaction == 1)
4893 				sae_need_confirm = true;
4894 			goto notify_driver;
4895 		}
4896 
4897 		sdata_info(sdata, "%pM denied authentication (status %d)\n",
4898 			   mgmt->sa, status_code);
4899 		ieee80211_destroy_auth_data(sdata, false);
4900 		event.u.mlme.status = MLME_DENIED;
4901 		event.u.mlme.reason = status_code;
4902 		drv_event_callback(sdata->local, sdata, &event);
4903 		goto notify_driver;
4904 	}
4905 
4906 	switch (ifmgd->auth_data->algorithm) {
4907 	case WLAN_AUTH_OPEN:
4908 	case WLAN_AUTH_LEAP:
4909 	case WLAN_AUTH_FT:
4910 	case WLAN_AUTH_SAE:
4911 	case WLAN_AUTH_FILS_SK:
4912 	case WLAN_AUTH_FILS_SK_PFS:
4913 	case WLAN_AUTH_FILS_PK:
4914 		break;
4915 	case WLAN_AUTH_SHARED_KEY:
4916 		if (ifmgd->auth_data->expected_transaction != 4) {
4917 			ieee80211_auth_challenge(sdata, mgmt, len);
4918 			/* need another frame */
4919 			return;
4920 		}
4921 		break;
4922 	default:
4923 		WARN_ONCE(1, "invalid auth alg %d",
4924 			  ifmgd->auth_data->algorithm);
4925 		goto notify_driver;
4926 	}
4927 
4928 	event.u.mlme.status = MLME_SUCCESS;
4929 	info.success = 1;
4930 	drv_event_callback(sdata->local, sdata, &event);
4931 	if (ifmgd->auth_data->algorithm != WLAN_AUTH_SAE ||
4932 	    (auth_transaction == 2 &&
4933 	     ifmgd->auth_data->expected_transaction == 2)) {
4934 		if (!ieee80211_mark_sta_auth(sdata))
4935 			return; /* ignore frame -- wait for timeout */
4936 	} else if (ifmgd->auth_data->algorithm == WLAN_AUTH_SAE &&
4937 		   auth_transaction == 1) {
4938 		sae_need_confirm = true;
4939 	} else if (ifmgd->auth_data->algorithm == WLAN_AUTH_SAE &&
4940 		   auth_transaction == 2) {
4941 		sdata_info(sdata, "SAE peer confirmed\n");
4942 		ifmgd->auth_data->peer_confirmed = true;
4943 	}
4944 
4945 	cfg80211_rx_mlme_mgmt(sdata->dev, (u8 *)mgmt, len);
4946 notify_driver:
4947 	if (!sae_need_confirm)
4948 		drv_mgd_complete_tx(sdata->local, sdata, &info);
4949 }
4950 
4951 #define case_WLAN(type) \
4952 	case WLAN_REASON_##type: return #type
4953 
4954 const char *ieee80211_get_reason_code_string(u16 reason_code)
4955 {
4956 	switch (reason_code) {
4957 	case_WLAN(UNSPECIFIED);
4958 	case_WLAN(PREV_AUTH_NOT_VALID);
4959 	case_WLAN(DEAUTH_LEAVING);
4960 	case_WLAN(DISASSOC_DUE_TO_INACTIVITY);
4961 	case_WLAN(DISASSOC_AP_BUSY);
4962 	case_WLAN(CLASS2_FRAME_FROM_NONAUTH_STA);
4963 	case_WLAN(CLASS3_FRAME_FROM_NONASSOC_STA);
4964 	case_WLAN(DISASSOC_STA_HAS_LEFT);
4965 	case_WLAN(STA_REQ_ASSOC_WITHOUT_AUTH);
4966 	case_WLAN(DISASSOC_BAD_POWER);
4967 	case_WLAN(DISASSOC_BAD_SUPP_CHAN);
4968 	case_WLAN(INVALID_IE);
4969 	case_WLAN(MIC_FAILURE);
4970 	case_WLAN(4WAY_HANDSHAKE_TIMEOUT);
4971 	case_WLAN(GROUP_KEY_HANDSHAKE_TIMEOUT);
4972 	case_WLAN(IE_DIFFERENT);
4973 	case_WLAN(INVALID_GROUP_CIPHER);
4974 	case_WLAN(INVALID_PAIRWISE_CIPHER);
4975 	case_WLAN(INVALID_AKMP);
4976 	case_WLAN(UNSUPP_RSN_VERSION);
4977 	case_WLAN(INVALID_RSN_IE_CAP);
4978 	case_WLAN(IEEE8021X_FAILED);
4979 	case_WLAN(CIPHER_SUITE_REJECTED);
4980 	case_WLAN(DISASSOC_UNSPECIFIED_QOS);
4981 	case_WLAN(DISASSOC_QAP_NO_BANDWIDTH);
4982 	case_WLAN(DISASSOC_LOW_ACK);
4983 	case_WLAN(DISASSOC_QAP_EXCEED_TXOP);
4984 	case_WLAN(QSTA_LEAVE_QBSS);
4985 	case_WLAN(QSTA_NOT_USE);
4986 	case_WLAN(QSTA_REQUIRE_SETUP);
4987 	case_WLAN(QSTA_TIMEOUT);
4988 	case_WLAN(QSTA_CIPHER_NOT_SUPP);
4989 	case_WLAN(MESH_PEER_CANCELED);
4990 	case_WLAN(MESH_MAX_PEERS);
4991 	case_WLAN(MESH_CONFIG);
4992 	case_WLAN(MESH_CLOSE);
4993 	case_WLAN(MESH_MAX_RETRIES);
4994 	case_WLAN(MESH_CONFIRM_TIMEOUT);
4995 	case_WLAN(MESH_INVALID_GTK);
4996 	case_WLAN(MESH_INCONSISTENT_PARAM);
4997 	case_WLAN(MESH_INVALID_SECURITY);
4998 	case_WLAN(MESH_PATH_ERROR);
4999 	case_WLAN(MESH_PATH_NOFORWARD);
5000 	case_WLAN(MESH_PATH_DEST_UNREACHABLE);
5001 	case_WLAN(MAC_EXISTS_IN_MBSS);
5002 	case_WLAN(MESH_CHAN_REGULATORY);
5003 	case_WLAN(MESH_CHAN);
5004 	default: return "<unknown>";
5005 	}
5006 }
5007 
5008 static void ieee80211_rx_mgmt_deauth(struct ieee80211_sub_if_data *sdata,
5009 				     struct ieee80211_mgmt *mgmt, size_t len)
5010 {
5011 	struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
5012 	u16 reason_code = le16_to_cpu(mgmt->u.deauth.reason_code);
5013 
5014 	lockdep_assert_wiphy(sdata->local->hw.wiphy);
5015 
5016 	if (len < 24 + 2)
5017 		return;
5018 
5019 	if (!ether_addr_equal(mgmt->bssid, mgmt->sa)) {
5020 		ieee80211_tdls_handle_disconnect(sdata, mgmt->sa, reason_code);
5021 		return;
5022 	}
5023 
5024 	if (ifmgd->associated &&
5025 	    ether_addr_equal(mgmt->bssid, sdata->vif.cfg.ap_addr)) {
5026 		sdata_info(sdata, "deauthenticated from %pM (Reason: %u=%s)\n",
5027 			   sdata->vif.cfg.ap_addr, reason_code,
5028 			   ieee80211_get_reason_code_string(reason_code));
5029 
5030 		ieee80211_set_disassoc(sdata, 0, 0, false, NULL);
5031 
5032 		ieee80211_report_disconnect(sdata, (u8 *)mgmt, len, false,
5033 					    reason_code, false);
5034 		return;
5035 	}
5036 
5037 	if (ifmgd->assoc_data &&
5038 	    ether_addr_equal(mgmt->bssid, ifmgd->assoc_data->ap_addr)) {
5039 		sdata_info(sdata,
5040 			   "deauthenticated from %pM while associating (Reason: %u=%s)\n",
5041 			   ifmgd->assoc_data->ap_addr, reason_code,
5042 			   ieee80211_get_reason_code_string(reason_code));
5043 
5044 		ieee80211_destroy_assoc_data(sdata, ASSOC_ABANDON);
5045 
5046 		cfg80211_rx_mlme_mgmt(sdata->dev, (u8 *)mgmt, len);
5047 		return;
5048 	}
5049 }
5050 
5051 
5052 static void ieee80211_rx_mgmt_disassoc(struct ieee80211_sub_if_data *sdata,
5053 				       struct ieee80211_mgmt *mgmt, size_t len)
5054 {
5055 	struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
5056 	u16 reason_code;
5057 
5058 	lockdep_assert_wiphy(sdata->local->hw.wiphy);
5059 
5060 	if (len < 24 + 2)
5061 		return;
5062 
5063 	if (!ifmgd->associated ||
5064 	    !ether_addr_equal(mgmt->bssid, sdata->vif.cfg.ap_addr))
5065 		return;
5066 
5067 	reason_code = le16_to_cpu(mgmt->u.disassoc.reason_code);
5068 
5069 	if (!ether_addr_equal(mgmt->bssid, mgmt->sa)) {
5070 		ieee80211_tdls_handle_disconnect(sdata, mgmt->sa, reason_code);
5071 		return;
5072 	}
5073 
5074 	sdata_info(sdata, "disassociated from %pM (Reason: %u=%s)\n",
5075 		   sdata->vif.cfg.ap_addr, reason_code,
5076 		   ieee80211_get_reason_code_string(reason_code));
5077 
5078 	ieee80211_set_disassoc(sdata, 0, 0, false, NULL);
5079 
5080 	ieee80211_report_disconnect(sdata, (u8 *)mgmt, len, false, reason_code,
5081 				    false);
5082 }
5083 
5084 static bool ieee80211_twt_req_supported(struct ieee80211_sub_if_data *sdata,
5085 					struct ieee80211_supported_band *sband,
5086 					const struct link_sta_info *link_sta,
5087 					const struct ieee802_11_elems *elems)
5088 {
5089 	const struct ieee80211_sta_he_cap *own_he_cap =
5090 		ieee80211_get_he_iftype_cap_vif(sband, &sdata->vif);
5091 
5092 	if (elems->ext_capab_len < 10)
5093 		return false;
5094 
5095 	if (!(elems->ext_capab[9] & WLAN_EXT_CAPA10_TWT_RESPONDER_SUPPORT))
5096 		return false;
5097 
5098 	return link_sta->pub->he_cap.he_cap_elem.mac_cap_info[0] &
5099 		IEEE80211_HE_MAC_CAP0_TWT_RES &&
5100 		own_he_cap &&
5101 		(own_he_cap->he_cap_elem.mac_cap_info[0] &
5102 			IEEE80211_HE_MAC_CAP0_TWT_REQ);
5103 }
5104 
5105 static u64 ieee80211_recalc_twt_req(struct ieee80211_sub_if_data *sdata,
5106 				    struct ieee80211_supported_band *sband,
5107 				    struct ieee80211_link_data *link,
5108 				    struct link_sta_info *link_sta,
5109 				    struct ieee802_11_elems *elems)
5110 {
5111 	bool twt = ieee80211_twt_req_supported(sdata, sband, link_sta, elems);
5112 
5113 	if (link->conf->twt_requester != twt) {
5114 		link->conf->twt_requester = twt;
5115 		return BSS_CHANGED_TWT;
5116 	}
5117 	return 0;
5118 }
5119 
5120 static bool ieee80211_twt_bcast_support(struct ieee80211_sub_if_data *sdata,
5121 					struct ieee80211_bss_conf *bss_conf,
5122 					struct ieee80211_supported_band *sband,
5123 					struct link_sta_info *link_sta)
5124 {
5125 	const struct ieee80211_sta_he_cap *own_he_cap =
5126 		ieee80211_get_he_iftype_cap_vif(sband, &sdata->vif);
5127 
5128 	return bss_conf->he_support &&
5129 		(link_sta->pub->he_cap.he_cap_elem.mac_cap_info[2] &
5130 			IEEE80211_HE_MAC_CAP2_BCAST_TWT) &&
5131 		own_he_cap &&
5132 		(own_he_cap->he_cap_elem.mac_cap_info[2] &
5133 			IEEE80211_HE_MAC_CAP2_BCAST_TWT);
5134 }
5135 
5136 static void ieee80211_epcs_changed(struct ieee80211_sub_if_data *sdata,
5137 				   bool enabled)
5138 {
5139 	/* in any case this is called, dialog token should be reset */
5140 	sdata->u.mgd.epcs.dialog_token = 0;
5141 
5142 	if (sdata->u.mgd.epcs.enabled == enabled)
5143 		return;
5144 
5145 	sdata->u.mgd.epcs.enabled = enabled;
5146 	cfg80211_epcs_changed(sdata->dev, enabled);
5147 }
5148 
5149 static void ieee80211_epcs_teardown(struct ieee80211_sub_if_data *sdata)
5150 {
5151 	struct ieee80211_local *local = sdata->local;
5152 	u8 link_id;
5153 
5154 	if (!sdata->u.mgd.epcs.enabled)
5155 		return;
5156 
5157 	lockdep_assert_wiphy(local->hw.wiphy);
5158 
5159 	for (link_id = 0; link_id < IEEE80211_MLD_MAX_NUM_LINKS; link_id++) {
5160 		struct ieee802_11_elems *elems;
5161 		struct ieee80211_link_data *link;
5162 		const struct cfg80211_bss_ies *ies;
5163 		bool ret;
5164 
5165 		rcu_read_lock();
5166 
5167 		link = sdata_dereference(sdata->link[link_id], sdata);
5168 		if (!link || !link->conf || !link->conf->bss) {
5169 			rcu_read_unlock();
5170 			continue;
5171 		}
5172 
5173 		if (link->u.mgd.disable_wmm_tracking) {
5174 			rcu_read_unlock();
5175 			ieee80211_set_wmm_default(link, false, false);
5176 			continue;
5177 		}
5178 
5179 		ies = rcu_dereference(link->conf->bss->beacon_ies);
5180 		if (!ies) {
5181 			rcu_read_unlock();
5182 			ieee80211_set_wmm_default(link, false, false);
5183 			continue;
5184 		}
5185 
5186 		elems = ieee802_11_parse_elems(ies->data, ies->len,
5187 					       IEEE80211_FTYPE_MGMT |
5188 					       IEEE80211_STYPE_BEACON,
5189 					       NULL);
5190 		if (!elems) {
5191 			rcu_read_unlock();
5192 			ieee80211_set_wmm_default(link, false, false);
5193 			continue;
5194 		}
5195 
5196 		ret = _ieee80211_sta_wmm_params(local, link,
5197 						elems->wmm_param,
5198 						elems->wmm_param_len,
5199 						elems->mu_edca_param_set);
5200 
5201 		kfree(elems);
5202 		rcu_read_unlock();
5203 
5204 		if (!ret) {
5205 			ieee80211_set_wmm_default(link, false, false);
5206 			continue;
5207 		}
5208 
5209 		ieee80211_mgd_set_link_qos_params(link);
5210 		ieee80211_link_info_change_notify(sdata, link, BSS_CHANGED_QOS);
5211 	}
5212 }
5213 
5214 static bool ieee80211_assoc_config_link(struct ieee80211_link_data *link,
5215 					struct link_sta_info *link_sta,
5216 					struct cfg80211_bss *cbss,
5217 					struct ieee80211_mgmt *mgmt,
5218 					const u8 *elem_start,
5219 					unsigned int elem_len,
5220 					u64 *changed)
5221 {
5222 	struct ieee80211_sub_if_data *sdata = link->sdata;
5223 	struct ieee80211_mgd_assoc_data *assoc_data =
5224 		sdata->u.mgd.assoc_data ?: sdata->u.mgd.reconf.add_links_data;
5225 	struct ieee80211_bss_conf *bss_conf = link->conf;
5226 	struct ieee80211_local *local = sdata->local;
5227 	unsigned int link_id = link->link_id;
5228 	struct ieee80211_elems_parse_params parse_params = {
5229 		.mode = link->u.mgd.conn.mode,
5230 		.start = elem_start,
5231 		.len = elem_len,
5232 		.link_id = link_id == assoc_data->assoc_link_id ? -1 : link_id,
5233 		.from_ap = true,
5234 		.type = le16_to_cpu(mgmt->frame_control) & IEEE80211_FCTL_TYPE,
5235 	};
5236 	bool is_5ghz = cbss->channel->band == NL80211_BAND_5GHZ;
5237 	bool is_6ghz = cbss->channel->band == NL80211_BAND_6GHZ;
5238 	bool is_s1g = cbss->channel->band == NL80211_BAND_S1GHZ;
5239 	const struct cfg80211_bss_ies *bss_ies = NULL;
5240 	struct ieee80211_supported_band *sband;
5241 	struct ieee802_11_elems *elems;
5242 	const __le16 prof_bss_param_ch_present =
5243 		cpu_to_le16(IEEE80211_MLE_STA_CONTROL_BSS_PARAM_CHANGE_CNT_PRESENT);
5244 	u16 capab_info;
5245 	bool ret;
5246 
5247 	elems = ieee802_11_parse_elems_full(&parse_params);
5248 	if (!elems)
5249 		return false;
5250 
5251 	if (link_id == assoc_data->assoc_link_id) {
5252 		capab_info = le16_to_cpu(mgmt->u.assoc_resp.capab_info);
5253 
5254 		/*
5255 		 * we should not get to this flow unless the association was
5256 		 * successful, so set the status directly to success
5257 		 */
5258 		assoc_data->link[link_id].status = WLAN_STATUS_SUCCESS;
5259 		if (elems->ml_basic) {
5260 			int bss_param_ch_cnt =
5261 				ieee80211_mle_get_bss_param_ch_cnt((const void *)elems->ml_basic);
5262 
5263 			if (bss_param_ch_cnt < 0) {
5264 				ret = false;
5265 				goto out;
5266 			}
5267 			bss_conf->bss_param_ch_cnt = bss_param_ch_cnt;
5268 			bss_conf->bss_param_ch_cnt_link_id = link_id;
5269 		}
5270 	} else if (elems->parse_error & IEEE80211_PARSE_ERR_DUP_NEST_ML_BASIC ||
5271 		   !elems->prof ||
5272 		   !(elems->prof->control & prof_bss_param_ch_present)) {
5273 		ret = false;
5274 		goto out;
5275 	} else {
5276 		const u8 *ptr = elems->prof->variable +
5277 				elems->prof->sta_info_len - 1;
5278 		int bss_param_ch_cnt;
5279 
5280 		/*
5281 		 * During parsing, we validated that these fields exist,
5282 		 * otherwise elems->prof would have been set to NULL.
5283 		 */
5284 		capab_info = get_unaligned_le16(ptr);
5285 		assoc_data->link[link_id].status = get_unaligned_le16(ptr + 2);
5286 		bss_param_ch_cnt =
5287 			ieee80211_mle_basic_sta_prof_bss_param_ch_cnt(elems->prof);
5288 		bss_conf->bss_param_ch_cnt = bss_param_ch_cnt;
5289 		bss_conf->bss_param_ch_cnt_link_id = link_id;
5290 
5291 		if (assoc_data->link[link_id].status != WLAN_STATUS_SUCCESS) {
5292 			link_info(link, "association response status code=%u\n",
5293 				  assoc_data->link[link_id].status);
5294 			ret = true;
5295 			goto out;
5296 		}
5297 	}
5298 
5299 	if (!is_s1g && !elems->supp_rates) {
5300 		sdata_info(sdata, "no SuppRates element in AssocResp\n");
5301 		ret = false;
5302 		goto out;
5303 	}
5304 
5305 	link->u.mgd.tdls_chan_switch_prohibited =
5306 		elems->ext_capab && elems->ext_capab_len >= 5 &&
5307 		(elems->ext_capab[4] & WLAN_EXT_CAPA5_TDLS_CH_SW_PROHIBITED);
5308 
5309 	/*
5310 	 * Some APs are erroneously not including some information in their
5311 	 * (re)association response frames. Try to recover by using the data
5312 	 * from the beacon or probe response. This seems to afflict mobile
5313 	 * 2G/3G/4G wifi routers, reported models include the "Onda PN51T",
5314 	 * "Vodafone PocketWiFi 2", "ZTE MF60" and a similar T-Mobile device.
5315 	 */
5316 	if (!ieee80211_hw_check(&local->hw, STRICT) && !is_6ghz &&
5317 	    ((assoc_data->wmm && !elems->wmm_param) ||
5318 	     (link->u.mgd.conn.mode >= IEEE80211_CONN_MODE_HT &&
5319 	      (!elems->ht_cap_elem || !elems->ht_operation)) ||
5320 	     (is_5ghz && link->u.mgd.conn.mode >= IEEE80211_CONN_MODE_VHT &&
5321 	      (!elems->vht_cap_elem || !elems->vht_operation)))) {
5322 		const struct cfg80211_bss_ies *ies;
5323 		struct ieee802_11_elems *bss_elems;
5324 
5325 		rcu_read_lock();
5326 		ies = rcu_dereference(cbss->ies);
5327 		if (ies)
5328 			bss_ies = kmemdup(ies, sizeof(*ies) + ies->len,
5329 					  GFP_ATOMIC);
5330 		rcu_read_unlock();
5331 		if (!bss_ies) {
5332 			ret = false;
5333 			goto out;
5334 		}
5335 
5336 		parse_params.start = bss_ies->data;
5337 		parse_params.len = bss_ies->len;
5338 		parse_params.bss = cbss;
5339 		parse_params.link_id = -1;
5340 		bss_elems = ieee802_11_parse_elems_full(&parse_params);
5341 		if (!bss_elems) {
5342 			ret = false;
5343 			goto out;
5344 		}
5345 
5346 		if (assoc_data->wmm &&
5347 		    !elems->wmm_param && bss_elems->wmm_param) {
5348 			elems->wmm_param = bss_elems->wmm_param;
5349 			sdata_info(sdata,
5350 				   "AP bug: WMM param missing from AssocResp\n");
5351 		}
5352 
5353 		/*
5354 		 * Also check if we requested HT/VHT, otherwise the AP doesn't
5355 		 * have to include the IEs in the (re)association response.
5356 		 */
5357 		if (!elems->ht_cap_elem && bss_elems->ht_cap_elem &&
5358 		    link->u.mgd.conn.mode >= IEEE80211_CONN_MODE_HT) {
5359 			elems->ht_cap_elem = bss_elems->ht_cap_elem;
5360 			sdata_info(sdata,
5361 				   "AP bug: HT capability missing from AssocResp\n");
5362 		}
5363 		if (!elems->ht_operation && bss_elems->ht_operation &&
5364 		    link->u.mgd.conn.mode >= IEEE80211_CONN_MODE_HT) {
5365 			elems->ht_operation = bss_elems->ht_operation;
5366 			sdata_info(sdata,
5367 				   "AP bug: HT operation missing from AssocResp\n");
5368 		}
5369 
5370 		if (is_5ghz) {
5371 			if (!elems->vht_cap_elem && bss_elems->vht_cap_elem &&
5372 			    link->u.mgd.conn.mode >= IEEE80211_CONN_MODE_VHT) {
5373 				elems->vht_cap_elem = bss_elems->vht_cap_elem;
5374 				sdata_info(sdata,
5375 					   "AP bug: VHT capa missing from AssocResp\n");
5376 			}
5377 
5378 			if (!elems->vht_operation && bss_elems->vht_operation &&
5379 			    link->u.mgd.conn.mode >= IEEE80211_CONN_MODE_VHT) {
5380 				elems->vht_operation = bss_elems->vht_operation;
5381 				sdata_info(sdata,
5382 					   "AP bug: VHT operation missing from AssocResp\n");
5383 			}
5384 		}
5385 		kfree(bss_elems);
5386 	}
5387 
5388 	/*
5389 	 * We previously checked these in the beacon/probe response, so
5390 	 * they should be present here. This is just a safety net.
5391 	 * Note that the ieee80211_config_bw() below would also check
5392 	 * for this (and more), but this has better error reporting.
5393 	 */
5394 	if (!is_6ghz && link->u.mgd.conn.mode >= IEEE80211_CONN_MODE_HT &&
5395 	    (!elems->wmm_param || !elems->ht_cap_elem || !elems->ht_operation)) {
5396 		sdata_info(sdata,
5397 			   "HT AP is missing WMM params or HT capability/operation\n");
5398 		ret = false;
5399 		goto out;
5400 	}
5401 
5402 	if (is_5ghz && link->u.mgd.conn.mode >= IEEE80211_CONN_MODE_VHT &&
5403 	    (!elems->vht_cap_elem || !elems->vht_operation)) {
5404 		sdata_info(sdata,
5405 			   "VHT AP is missing VHT capability/operation\n");
5406 		ret = false;
5407 		goto out;
5408 	}
5409 
5410 	/* check/update if AP changed anything in assoc response vs. scan */
5411 	if (ieee80211_config_bw(link, elems,
5412 				link_id == assoc_data->assoc_link_id,
5413 				changed,
5414 				le16_to_cpu(mgmt->frame_control) &
5415 					IEEE80211_FCTL_STYPE)) {
5416 		ret = false;
5417 		goto out;
5418 	}
5419 
5420 	if (WARN_ON(!link->conf->chanreq.oper.chan)) {
5421 		ret = false;
5422 		goto out;
5423 	}
5424 	sband = local->hw.wiphy->bands[link->conf->chanreq.oper.chan->band];
5425 
5426 	/* Set up internal HT/VHT capabilities */
5427 	if (elems->ht_cap_elem && link->u.mgd.conn.mode >= IEEE80211_CONN_MODE_HT)
5428 		ieee80211_ht_cap_ie_to_sta_ht_cap(sdata, sband,
5429 						  elems->ht_cap_elem,
5430 						  link_sta);
5431 
5432 	if (elems->vht_cap_elem &&
5433 	    link->u.mgd.conn.mode >= IEEE80211_CONN_MODE_VHT) {
5434 		const struct ieee80211_vht_cap *bss_vht_cap = NULL;
5435 		const struct cfg80211_bss_ies *ies;
5436 
5437 		/*
5438 		 * Cisco AP module 9115 with FW 17.3 has a bug and sends a
5439 		 * too large maximum MPDU length in the association response
5440 		 * (indicating 12k) that it cannot actually process ...
5441 		 * Work around that.
5442 		 */
5443 		rcu_read_lock();
5444 		ies = rcu_dereference(cbss->ies);
5445 		if (ies) {
5446 			const struct element *elem;
5447 
5448 			elem = cfg80211_find_elem(WLAN_EID_VHT_CAPABILITY,
5449 						  ies->data, ies->len);
5450 			if (elem && elem->datalen >= sizeof(*bss_vht_cap))
5451 				bss_vht_cap = (const void *)elem->data;
5452 		}
5453 
5454 		if (ieee80211_hw_check(&local->hw, STRICT) &&
5455 		    (!bss_vht_cap || memcmp(bss_vht_cap, elems->vht_cap_elem,
5456 					    sizeof(*bss_vht_cap)))) {
5457 			rcu_read_unlock();
5458 			ret = false;
5459 			link_info(link, "VHT capabilities mismatch\n");
5460 			goto out;
5461 		}
5462 
5463 		ieee80211_vht_cap_ie_to_sta_vht_cap(sdata, sband,
5464 						    elems->vht_cap_elem,
5465 						    bss_vht_cap, link_sta);
5466 		rcu_read_unlock();
5467 	}
5468 
5469 	if (elems->he_operation &&
5470 	    link->u.mgd.conn.mode >= IEEE80211_CONN_MODE_HE &&
5471 	    elems->he_cap) {
5472 		ieee80211_he_cap_ie_to_sta_he_cap(sdata, sband,
5473 						  elems->he_cap,
5474 						  elems->he_cap_len,
5475 						  elems->he_6ghz_capa,
5476 						  link_sta);
5477 
5478 		bss_conf->he_support = link_sta->pub->he_cap.has_he;
5479 		if (elems->rsnx && elems->rsnx_len &&
5480 		    (elems->rsnx[0] & WLAN_RSNX_CAPA_PROTECTED_TWT) &&
5481 		    wiphy_ext_feature_isset(local->hw.wiphy,
5482 					    NL80211_EXT_FEATURE_PROTECTED_TWT))
5483 			bss_conf->twt_protected = true;
5484 		else
5485 			bss_conf->twt_protected = false;
5486 
5487 		*changed |= ieee80211_recalc_twt_req(sdata, sband, link,
5488 						     link_sta, elems);
5489 
5490 		if (elems->eht_operation && elems->eht_cap &&
5491 		    link->u.mgd.conn.mode >= IEEE80211_CONN_MODE_EHT) {
5492 			ieee80211_eht_cap_ie_to_sta_eht_cap(sdata, sband,
5493 							    elems->he_cap,
5494 							    elems->he_cap_len,
5495 							    elems->eht_cap,
5496 							    elems->eht_cap_len,
5497 							    link_sta);
5498 
5499 			bss_conf->eht_support = link_sta->pub->eht_cap.has_eht;
5500 			bss_conf->epcs_support = bss_conf->eht_support &&
5501 				!!(elems->eht_cap->fixed.mac_cap_info[0] &
5502 				   IEEE80211_EHT_MAC_CAP0_EPCS_PRIO_ACCESS);
5503 
5504 			/* EPCS might be already enabled but a new added link
5505 			 * does not support EPCS. This should not really happen
5506 			 * in practice.
5507 			 */
5508 			if (sdata->u.mgd.epcs.enabled &&
5509 			    !bss_conf->epcs_support)
5510 				ieee80211_epcs_teardown(sdata);
5511 		} else {
5512 			bss_conf->eht_support = false;
5513 			bss_conf->epcs_support = false;
5514 		}
5515 	} else {
5516 		bss_conf->he_support = false;
5517 		bss_conf->twt_requester = false;
5518 		bss_conf->twt_protected = false;
5519 		bss_conf->eht_support = false;
5520 		bss_conf->epcs_support = false;
5521 	}
5522 
5523 	if (elems->s1g_oper &&
5524 	    link->u.mgd.conn.mode == IEEE80211_CONN_MODE_S1G &&
5525 	    elems->s1g_capab)
5526 		ieee80211_s1g_cap_to_sta_s1g_cap(sdata, elems->s1g_capab,
5527 						 link_sta);
5528 
5529 	bss_conf->twt_broadcast =
5530 		ieee80211_twt_bcast_support(sdata, bss_conf, sband, link_sta);
5531 
5532 	if (bss_conf->he_support) {
5533 		bss_conf->he_bss_color.color =
5534 			le32_get_bits(elems->he_operation->he_oper_params,
5535 				      IEEE80211_HE_OPERATION_BSS_COLOR_MASK);
5536 		bss_conf->he_bss_color.partial =
5537 			le32_get_bits(elems->he_operation->he_oper_params,
5538 				      IEEE80211_HE_OPERATION_PARTIAL_BSS_COLOR);
5539 		bss_conf->he_bss_color.enabled =
5540 			!le32_get_bits(elems->he_operation->he_oper_params,
5541 				       IEEE80211_HE_OPERATION_BSS_COLOR_DISABLED);
5542 
5543 		if (bss_conf->he_bss_color.enabled)
5544 			*changed |= BSS_CHANGED_HE_BSS_COLOR;
5545 
5546 		bss_conf->htc_trig_based_pkt_ext =
5547 			le32_get_bits(elems->he_operation->he_oper_params,
5548 				      IEEE80211_HE_OPERATION_DFLT_PE_DURATION_MASK);
5549 		bss_conf->frame_time_rts_th =
5550 			le32_get_bits(elems->he_operation->he_oper_params,
5551 				      IEEE80211_HE_OPERATION_RTS_THRESHOLD_MASK);
5552 
5553 		bss_conf->uora_exists = !!elems->uora_element;
5554 		if (elems->uora_element)
5555 			bss_conf->uora_ocw_range = elems->uora_element[0];
5556 
5557 		ieee80211_he_op_ie_to_bss_conf(&sdata->vif, elems->he_operation);
5558 		ieee80211_he_spr_ie_to_bss_conf(&sdata->vif, elems->he_spr);
5559 		/* TODO: OPEN: what happens if BSS color disable is set? */
5560 	}
5561 
5562 	if (cbss->transmitted_bss) {
5563 		bss_conf->nontransmitted = true;
5564 		ether_addr_copy(bss_conf->transmitter_bssid,
5565 				cbss->transmitted_bss->bssid);
5566 		bss_conf->bssid_indicator = cbss->max_bssid_indicator;
5567 		bss_conf->bssid_index = cbss->bssid_index;
5568 	}
5569 
5570 	/*
5571 	 * Some APs, e.g. Netgear WNDR3700, report invalid HT operation data
5572 	 * in their association response, so ignore that data for our own
5573 	 * configuration. If it changed since the last beacon, we'll get the
5574 	 * next beacon and update then.
5575 	 */
5576 
5577 	/*
5578 	 * If an operating mode notification IE is present, override the
5579 	 * NSS calculation (that would be done in rate_control_rate_init())
5580 	 * and use the # of streams from that element.
5581 	 */
5582 	if (elems->opmode_notif &&
5583 	    !(*elems->opmode_notif & IEEE80211_OPMODE_NOTIF_RX_NSS_TYPE_BF)) {
5584 		u8 nss;
5585 
5586 		nss = *elems->opmode_notif & IEEE80211_OPMODE_NOTIF_RX_NSS_MASK;
5587 		nss >>= IEEE80211_OPMODE_NOTIF_RX_NSS_SHIFT;
5588 		nss += 1;
5589 		link_sta->pub->rx_nss = nss;
5590 	}
5591 
5592 	/*
5593 	 * Always handle WMM once after association regardless
5594 	 * of the first value the AP uses. Setting -1 here has
5595 	 * that effect because the AP values is an unsigned
5596 	 * 4-bit value.
5597 	 */
5598 	link->u.mgd.wmm_last_param_set = -1;
5599 	link->u.mgd.mu_edca_last_param_set = -1;
5600 
5601 	if (link->u.mgd.disable_wmm_tracking) {
5602 		ieee80211_set_wmm_default(link, false, false);
5603 	} else if (!ieee80211_sta_wmm_params(local, link, elems->wmm_param,
5604 					     elems->wmm_param_len,
5605 					     elems->mu_edca_param_set)) {
5606 		/* still enable QoS since we might have HT/VHT */
5607 		ieee80211_set_wmm_default(link, false, true);
5608 		/* disable WMM tracking in this case to disable
5609 		 * tracking WMM parameter changes in the beacon if
5610 		 * the parameters weren't actually valid. Doing so
5611 		 * avoids changing parameters very strangely when
5612 		 * the AP is going back and forth between valid and
5613 		 * invalid parameters.
5614 		 */
5615 		link->u.mgd.disable_wmm_tracking = true;
5616 	}
5617 
5618 	if (elems->max_idle_period_ie) {
5619 		bss_conf->max_idle_period =
5620 			le16_to_cpu(elems->max_idle_period_ie->max_idle_period);
5621 		bss_conf->protected_keep_alive =
5622 			!!(elems->max_idle_period_ie->idle_options &
5623 			   WLAN_IDLE_OPTIONS_PROTECTED_KEEP_ALIVE);
5624 		*changed |= BSS_CHANGED_KEEP_ALIVE;
5625 	} else {
5626 		bss_conf->max_idle_period = 0;
5627 		bss_conf->protected_keep_alive = false;
5628 	}
5629 
5630 	/* set assoc capability (AID was already set earlier),
5631 	 * ieee80211_set_associated() will tell the driver */
5632 	bss_conf->assoc_capability = capab_info;
5633 
5634 	ret = true;
5635 out:
5636 	kfree(elems);
5637 	kfree(bss_ies);
5638 	return ret;
5639 }
5640 
5641 static int ieee80211_mgd_setup_link_sta(struct ieee80211_link_data *link,
5642 					struct sta_info *sta,
5643 					struct link_sta_info *link_sta,
5644 					struct cfg80211_bss *cbss)
5645 {
5646 	struct ieee80211_sub_if_data *sdata = link->sdata;
5647 	struct ieee80211_local *local = sdata->local;
5648 	struct ieee80211_bss *bss = (void *)cbss->priv;
5649 	u32 rates = 0, basic_rates = 0;
5650 	bool have_higher_than_11mbit = false;
5651 	int min_rate = INT_MAX, min_rate_index = -1;
5652 	struct ieee80211_supported_band *sband;
5653 
5654 	memcpy(link_sta->addr, cbss->bssid, ETH_ALEN);
5655 	memcpy(link_sta->pub->addr, cbss->bssid, ETH_ALEN);
5656 
5657 	/* TODO: S1G Basic Rate Set is expressed elsewhere */
5658 	if (cbss->channel->band == NL80211_BAND_S1GHZ) {
5659 		ieee80211_s1g_sta_rate_init(sta);
5660 		return 0;
5661 	}
5662 
5663 	sband = local->hw.wiphy->bands[cbss->channel->band];
5664 
5665 	ieee80211_get_rates(sband, bss->supp_rates, bss->supp_rates_len,
5666 			    NULL, 0,
5667 			    &rates, &basic_rates, NULL,
5668 			    &have_higher_than_11mbit,
5669 			    &min_rate, &min_rate_index);
5670 
5671 	/*
5672 	 * This used to be a workaround for basic rates missing
5673 	 * in the association response frame. Now that we no
5674 	 * longer use the basic rates from there, it probably
5675 	 * doesn't happen any more, but keep the workaround so
5676 	 * in case some *other* APs are buggy in different ways
5677 	 * we can connect -- with a warning.
5678 	 * Allow this workaround only in case the AP provided at least
5679 	 * one rate.
5680 	 */
5681 	if (min_rate_index < 0) {
5682 		link_info(link, "No legacy rates in association response\n");
5683 		return -EINVAL;
5684 	} else if (!basic_rates) {
5685 		link_info(link, "No basic rates, using min rate instead\n");
5686 		basic_rates = BIT(min_rate_index);
5687 	}
5688 
5689 	if (rates)
5690 		link_sta->pub->supp_rates[cbss->channel->band] = rates;
5691 	else
5692 		link_info(link, "No rates found, keeping mandatory only\n");
5693 
5694 	link->conf->basic_rates = basic_rates;
5695 
5696 	/* cf. IEEE 802.11 9.2.12 */
5697 	link->operating_11g_mode = sband->band == NL80211_BAND_2GHZ &&
5698 				   have_higher_than_11mbit;
5699 
5700 	return 0;
5701 }
5702 
5703 static u8 ieee80211_max_rx_chains(struct ieee80211_link_data *link,
5704 				  struct cfg80211_bss *cbss)
5705 {
5706 	struct ieee80211_he_mcs_nss_supp *he_mcs_nss_supp;
5707 	const struct element *ht_cap_elem, *vht_cap_elem;
5708 	const struct cfg80211_bss_ies *ies;
5709 	const struct ieee80211_ht_cap *ht_cap;
5710 	const struct ieee80211_vht_cap *vht_cap;
5711 	const struct ieee80211_he_cap_elem *he_cap;
5712 	const struct element *he_cap_elem;
5713 	u16 mcs_80_map, mcs_160_map;
5714 	int i, mcs_nss_size;
5715 	bool support_160;
5716 	u8 chains = 1;
5717 
5718 	if (link->u.mgd.conn.mode < IEEE80211_CONN_MODE_HT)
5719 		return chains;
5720 
5721 	ht_cap_elem = ieee80211_bss_get_elem(cbss, WLAN_EID_HT_CAPABILITY);
5722 	if (ht_cap_elem && ht_cap_elem->datalen >= sizeof(*ht_cap)) {
5723 		ht_cap = (void *)ht_cap_elem->data;
5724 		chains = ieee80211_mcs_to_chains(&ht_cap->mcs);
5725 		/*
5726 		 * TODO: use "Tx Maximum Number Spatial Streams Supported" and
5727 		 *	 "Tx Unequal Modulation Supported" fields.
5728 		 */
5729 	}
5730 
5731 	if (link->u.mgd.conn.mode < IEEE80211_CONN_MODE_VHT)
5732 		return chains;
5733 
5734 	vht_cap_elem = ieee80211_bss_get_elem(cbss, WLAN_EID_VHT_CAPABILITY);
5735 	if (vht_cap_elem && vht_cap_elem->datalen >= sizeof(*vht_cap)) {
5736 		u8 nss;
5737 		u16 tx_mcs_map;
5738 
5739 		vht_cap = (void *)vht_cap_elem->data;
5740 		tx_mcs_map = le16_to_cpu(vht_cap->supp_mcs.tx_mcs_map);
5741 		for (nss = 8; nss > 0; nss--) {
5742 			if (((tx_mcs_map >> (2 * (nss - 1))) & 3) !=
5743 					IEEE80211_VHT_MCS_NOT_SUPPORTED)
5744 				break;
5745 		}
5746 		/* TODO: use "Tx Highest Supported Long GI Data Rate" field? */
5747 		chains = max(chains, nss);
5748 	}
5749 
5750 	if (link->u.mgd.conn.mode < IEEE80211_CONN_MODE_HE)
5751 		return chains;
5752 
5753 	ies = rcu_dereference(cbss->ies);
5754 	he_cap_elem = cfg80211_find_ext_elem(WLAN_EID_EXT_HE_CAPABILITY,
5755 					     ies->data, ies->len);
5756 
5757 	if (!he_cap_elem || he_cap_elem->datalen < sizeof(*he_cap) + 1)
5758 		return chains;
5759 
5760 	/* skip one byte ext_tag_id */
5761 	he_cap = (void *)(he_cap_elem->data + 1);
5762 	mcs_nss_size = ieee80211_he_mcs_nss_size(he_cap);
5763 
5764 	/* invalid HE IE */
5765 	if (he_cap_elem->datalen < 1 + mcs_nss_size + sizeof(*he_cap))
5766 		return chains;
5767 
5768 	/* mcs_nss is right after he_cap info */
5769 	he_mcs_nss_supp = (void *)(he_cap + 1);
5770 
5771 	mcs_80_map = le16_to_cpu(he_mcs_nss_supp->tx_mcs_80);
5772 
5773 	for (i = 7; i >= 0; i--) {
5774 		u8 mcs_80 = mcs_80_map >> (2 * i) & 3;
5775 
5776 		if (mcs_80 != IEEE80211_VHT_MCS_NOT_SUPPORTED) {
5777 			chains = max_t(u8, chains, i + 1);
5778 			break;
5779 		}
5780 	}
5781 
5782 	support_160 = he_cap->phy_cap_info[0] &
5783 		      IEEE80211_HE_PHY_CAP0_CHANNEL_WIDTH_SET_160MHZ_IN_5G;
5784 
5785 	if (!support_160)
5786 		return chains;
5787 
5788 	mcs_160_map = le16_to_cpu(he_mcs_nss_supp->tx_mcs_160);
5789 	for (i = 7; i >= 0; i--) {
5790 		u8 mcs_160 = mcs_160_map >> (2 * i) & 3;
5791 
5792 		if (mcs_160 != IEEE80211_VHT_MCS_NOT_SUPPORTED) {
5793 			chains = max_t(u8, chains, i + 1);
5794 			break;
5795 		}
5796 	}
5797 
5798 	return chains;
5799 }
5800 
5801 static void
5802 ieee80211_determine_our_sta_mode(struct ieee80211_sub_if_data *sdata,
5803 				 struct ieee80211_supported_band *sband,
5804 				 struct cfg80211_assoc_request *req,
5805 				 bool wmm_used, int link_id,
5806 				 struct ieee80211_conn_settings *conn)
5807 {
5808 	struct ieee80211_sta_ht_cap sta_ht_cap = sband->ht_cap;
5809 	bool is_5ghz = sband->band == NL80211_BAND_5GHZ;
5810 	bool is_6ghz = sband->band == NL80211_BAND_6GHZ;
5811 	const struct ieee80211_sta_he_cap *he_cap;
5812 	const struct ieee80211_sta_eht_cap *eht_cap;
5813 	struct ieee80211_sta_vht_cap vht_cap;
5814 
5815 	if (sband->band == NL80211_BAND_S1GHZ) {
5816 		conn->mode = IEEE80211_CONN_MODE_S1G;
5817 		conn->bw_limit = IEEE80211_CONN_BW_LIMIT_20;
5818 		mlme_dbg(sdata, "operating as S1G STA\n");
5819 		return;
5820 	}
5821 
5822 	conn->mode = IEEE80211_CONN_MODE_LEGACY;
5823 	conn->bw_limit = IEEE80211_CONN_BW_LIMIT_20;
5824 
5825 	ieee80211_apply_htcap_overrides(sdata, &sta_ht_cap);
5826 
5827 	if (req && req->flags & ASSOC_REQ_DISABLE_HT) {
5828 		mlme_link_id_dbg(sdata, link_id,
5829 				 "HT disabled by flag, limiting to legacy\n");
5830 		goto out;
5831 	}
5832 
5833 	if (!wmm_used) {
5834 		mlme_link_id_dbg(sdata, link_id,
5835 				 "WMM/QoS not supported, limiting to legacy\n");
5836 		goto out;
5837 	}
5838 
5839 	if (req) {
5840 		unsigned int i;
5841 
5842 		for (i = 0; i < req->crypto.n_ciphers_pairwise; i++) {
5843 			if (req->crypto.ciphers_pairwise[i] == WLAN_CIPHER_SUITE_WEP40 ||
5844 			    req->crypto.ciphers_pairwise[i] == WLAN_CIPHER_SUITE_TKIP ||
5845 			    req->crypto.ciphers_pairwise[i] == WLAN_CIPHER_SUITE_WEP104) {
5846 				netdev_info(sdata->dev,
5847 					    "WEP/TKIP use, limiting to legacy\n");
5848 				goto out;
5849 			}
5850 		}
5851 	}
5852 
5853 	if (!sta_ht_cap.ht_supported && !is_6ghz) {
5854 		mlme_link_id_dbg(sdata, link_id,
5855 				 "HT not supported (and not on 6 GHz), limiting to legacy\n");
5856 		goto out;
5857 	}
5858 
5859 	/* HT is fine */
5860 	conn->mode = IEEE80211_CONN_MODE_HT;
5861 	conn->bw_limit = sta_ht_cap.cap & IEEE80211_HT_CAP_SUP_WIDTH_20_40 ?
5862 		IEEE80211_CONN_BW_LIMIT_40 :
5863 		IEEE80211_CONN_BW_LIMIT_20;
5864 
5865 	memcpy(&vht_cap, &sband->vht_cap, sizeof(vht_cap));
5866 	ieee80211_apply_vhtcap_overrides(sdata, &vht_cap);
5867 
5868 	if (req && req->flags & ASSOC_REQ_DISABLE_VHT) {
5869 		mlme_link_id_dbg(sdata, link_id,
5870 				 "VHT disabled by flag, limiting to HT\n");
5871 		goto out;
5872 	}
5873 
5874 	if (vht_cap.vht_supported && is_5ghz) {
5875 		bool have_80mhz = false;
5876 		unsigned int i;
5877 
5878 		if (conn->bw_limit == IEEE80211_CONN_BW_LIMIT_20) {
5879 			mlme_link_id_dbg(sdata, link_id,
5880 					 "no 40 MHz support on 5 GHz, limiting to HT\n");
5881 			goto out;
5882 		}
5883 
5884 		/* Allow VHT if at least one channel on the sband supports 80 MHz */
5885 		for (i = 0; i < sband->n_channels; i++) {
5886 			if (sband->channels[i].flags & (IEEE80211_CHAN_DISABLED |
5887 							IEEE80211_CHAN_NO_80MHZ))
5888 				continue;
5889 
5890 			have_80mhz = true;
5891 			break;
5892 		}
5893 
5894 		if (!have_80mhz) {
5895 			mlme_link_id_dbg(sdata, link_id,
5896 					 "no 80 MHz channel support on 5 GHz, limiting to HT\n");
5897 			goto out;
5898 		}
5899 	} else if (is_5ghz) { /* !vht_supported but on 5 GHz */
5900 		mlme_link_id_dbg(sdata, link_id,
5901 				 "no VHT support on 5 GHz, limiting to HT\n");
5902 		goto out;
5903 	}
5904 
5905 	/* VHT - if we have - is fine, including 80 MHz, check 160 below again */
5906 	if (sband->band != NL80211_BAND_2GHZ) {
5907 		conn->mode = IEEE80211_CONN_MODE_VHT;
5908 		conn->bw_limit = IEEE80211_CONN_BW_LIMIT_160;
5909 	}
5910 
5911 	if (is_5ghz &&
5912 	    !(vht_cap.cap & (IEEE80211_VHT_CAP_SUPP_CHAN_WIDTH_160MHZ |
5913 			     IEEE80211_VHT_CAP_SUPP_CHAN_WIDTH_160_80PLUS80MHZ))) {
5914 		conn->bw_limit = IEEE80211_CONN_BW_LIMIT_80;
5915 		mlme_link_id_dbg(sdata, link_id,
5916 				 "no VHT 160 MHz capability on 5 GHz, limiting to 80 MHz");
5917 	}
5918 
5919 	if (req && req->flags & ASSOC_REQ_DISABLE_HE) {
5920 		mlme_link_id_dbg(sdata, link_id,
5921 				 "HE disabled by flag, limiting to HT/VHT\n");
5922 		goto out;
5923 	}
5924 
5925 	he_cap = ieee80211_get_he_iftype_cap_vif(sband, &sdata->vif);
5926 	if (!he_cap) {
5927 		WARN_ON(is_6ghz);
5928 		mlme_link_id_dbg(sdata, link_id,
5929 				 "no HE support, limiting to HT/VHT\n");
5930 		goto out;
5931 	}
5932 
5933 	/* so we have HE */
5934 	conn->mode = IEEE80211_CONN_MODE_HE;
5935 
5936 	/* check bandwidth */
5937 	switch (sband->band) {
5938 	default:
5939 	case NL80211_BAND_2GHZ:
5940 		if (he_cap->he_cap_elem.phy_cap_info[0] &
5941 		    IEEE80211_HE_PHY_CAP0_CHANNEL_WIDTH_SET_40MHZ_IN_2G)
5942 			break;
5943 		conn->bw_limit = IEEE80211_CONN_BW_LIMIT_20;
5944 		mlme_link_id_dbg(sdata, link_id,
5945 				 "no 40 MHz HE cap in 2.4 GHz, limiting to 20 MHz\n");
5946 		break;
5947 	case NL80211_BAND_5GHZ:
5948 		if (!(he_cap->he_cap_elem.phy_cap_info[0] &
5949 		      IEEE80211_HE_PHY_CAP0_CHANNEL_WIDTH_SET_40MHZ_80MHZ_IN_5G)) {
5950 			conn->bw_limit = IEEE80211_CONN_BW_LIMIT_20;
5951 			mlme_link_id_dbg(sdata, link_id,
5952 					 "no 40/80 MHz HE cap in 5 GHz, limiting to 20 MHz\n");
5953 			break;
5954 		}
5955 		if (!(he_cap->he_cap_elem.phy_cap_info[0] &
5956 		      IEEE80211_HE_PHY_CAP0_CHANNEL_WIDTH_SET_160MHZ_IN_5G)) {
5957 			conn->bw_limit = min_t(enum ieee80211_conn_bw_limit,
5958 					       conn->bw_limit,
5959 					       IEEE80211_CONN_BW_LIMIT_80);
5960 			mlme_link_id_dbg(sdata, link_id,
5961 					 "no 160 MHz HE cap in 5 GHz, limiting to 80 MHz\n");
5962 		}
5963 		break;
5964 	case NL80211_BAND_6GHZ:
5965 		if (he_cap->he_cap_elem.phy_cap_info[0] &
5966 		    IEEE80211_HE_PHY_CAP0_CHANNEL_WIDTH_SET_160MHZ_IN_5G)
5967 			break;
5968 		conn->bw_limit = min_t(enum ieee80211_conn_bw_limit,
5969 				       conn->bw_limit,
5970 				       IEEE80211_CONN_BW_LIMIT_80);
5971 		mlme_link_id_dbg(sdata, link_id,
5972 				 "no 160 MHz HE cap in 6 GHz, limiting to 80 MHz\n");
5973 		break;
5974 	}
5975 
5976 	if (req && req->flags & ASSOC_REQ_DISABLE_EHT) {
5977 		mlme_link_id_dbg(sdata, link_id,
5978 				 "EHT disabled by flag, limiting to HE\n");
5979 		goto out;
5980 	}
5981 
5982 	eht_cap = ieee80211_get_eht_iftype_cap_vif(sband, &sdata->vif);
5983 	if (!eht_cap) {
5984 		mlme_link_id_dbg(sdata, link_id,
5985 				 "no EHT support, limiting to HE\n");
5986 		goto out;
5987 	}
5988 
5989 	/* we have EHT */
5990 
5991 	conn->mode = IEEE80211_CONN_MODE_EHT;
5992 
5993 	/* check bandwidth */
5994 	if (is_6ghz &&
5995 	    eht_cap->eht_cap_elem.phy_cap_info[0] & IEEE80211_EHT_PHY_CAP0_320MHZ_IN_6GHZ)
5996 		conn->bw_limit = IEEE80211_CONN_BW_LIMIT_320;
5997 	else if (is_6ghz)
5998 		mlme_link_id_dbg(sdata, link_id,
5999 				 "no EHT 320 MHz cap in 6 GHz, limiting to 160 MHz\n");
6000 
6001 out:
6002 	mlme_link_id_dbg(sdata, link_id,
6003 			 "determined local STA to be %s, BW limited to %d MHz\n",
6004 			 ieee80211_conn_mode_str(conn->mode),
6005 			 20 * (1 << conn->bw_limit));
6006 }
6007 
6008 static void
6009 ieee80211_determine_our_sta_mode_auth(struct ieee80211_sub_if_data *sdata,
6010 				      struct ieee80211_supported_band *sband,
6011 				      struct cfg80211_auth_request *req,
6012 				      bool wmm_used,
6013 				      struct ieee80211_conn_settings *conn)
6014 {
6015 	ieee80211_determine_our_sta_mode(sdata, sband, NULL, wmm_used,
6016 					 req->link_id > 0 ? req->link_id : 0,
6017 					 conn);
6018 }
6019 
6020 static void
6021 ieee80211_determine_our_sta_mode_assoc(struct ieee80211_sub_if_data *sdata,
6022 				       struct ieee80211_supported_band *sband,
6023 				       struct cfg80211_assoc_request *req,
6024 				       bool wmm_used, int link_id,
6025 				       struct ieee80211_conn_settings *conn)
6026 {
6027 	struct ieee80211_conn_settings tmp;
6028 
6029 	WARN_ON(!req);
6030 
6031 	ieee80211_determine_our_sta_mode(sdata, sband, req, wmm_used, link_id,
6032 					 &tmp);
6033 
6034 	conn->mode = min_t(enum ieee80211_conn_mode,
6035 			   conn->mode, tmp.mode);
6036 	conn->bw_limit = min_t(enum ieee80211_conn_bw_limit,
6037 			       conn->bw_limit, tmp.bw_limit);
6038 }
6039 
6040 static int ieee80211_prep_channel(struct ieee80211_sub_if_data *sdata,
6041 				  struct ieee80211_link_data *link,
6042 				  int link_id,
6043 				  struct cfg80211_bss *cbss, bool mlo,
6044 				  struct ieee80211_conn_settings *conn,
6045 				  unsigned long *userspace_selectors)
6046 {
6047 	struct ieee80211_local *local = sdata->local;
6048 	bool is_6ghz = cbss->channel->band == NL80211_BAND_6GHZ;
6049 	struct ieee80211_chan_req chanreq = {};
6050 	struct cfg80211_chan_def ap_chandef;
6051 	struct ieee802_11_elems *elems;
6052 	int ret;
6053 
6054 	lockdep_assert_wiphy(local->hw.wiphy);
6055 
6056 	rcu_read_lock();
6057 	elems = ieee80211_determine_chan_mode(sdata, conn, cbss, link_id,
6058 					      &chanreq, &ap_chandef,
6059 					      userspace_selectors);
6060 
6061 	if (IS_ERR(elems)) {
6062 		rcu_read_unlock();
6063 		return PTR_ERR(elems);
6064 	}
6065 
6066 	if (mlo && !elems->ml_basic) {
6067 		sdata_info(sdata, "Rejecting MLO as it is not supported by AP\n");
6068 		rcu_read_unlock();
6069 		kfree(elems);
6070 		return -EINVAL;
6071 	}
6072 
6073 	if (link && is_6ghz && conn->mode >= IEEE80211_CONN_MODE_HE) {
6074 		const struct ieee80211_he_6ghz_oper *he_6ghz_oper;
6075 
6076 		if (elems->pwr_constr_elem)
6077 			link->conf->pwr_reduction = *elems->pwr_constr_elem;
6078 
6079 		he_6ghz_oper = ieee80211_he_6ghz_oper(elems->he_operation);
6080 		if (he_6ghz_oper)
6081 			link->conf->power_type =
6082 				cfg80211_6ghz_power_type(he_6ghz_oper->control,
6083 							 cbss->channel->flags);
6084 		else
6085 			link_info(link,
6086 				  "HE 6 GHz operation missing (on %d MHz), expect issues\n",
6087 				  cbss->channel->center_freq);
6088 
6089 		link->conf->tpe = elems->tpe;
6090 		ieee80211_rearrange_tpe(&link->conf->tpe, &ap_chandef,
6091 					&chanreq.oper);
6092 	}
6093 	rcu_read_unlock();
6094 	/* the element data was RCU protected so no longer valid anyway */
6095 	kfree(elems);
6096 	elems = NULL;
6097 
6098 	if (!link)
6099 		return 0;
6100 
6101 	rcu_read_lock();
6102 	link->needed_rx_chains = min(ieee80211_max_rx_chains(link, cbss),
6103 				     local->rx_chains);
6104 	rcu_read_unlock();
6105 
6106 	/*
6107 	 * If this fails (possibly due to channel context sharing
6108 	 * on incompatible channels, e.g. 80+80 and 160 sharing the
6109 	 * same control channel) try to use a smaller bandwidth.
6110 	 */
6111 	ret = ieee80211_link_use_channel(link, &chanreq,
6112 					 IEEE80211_CHANCTX_SHARED);
6113 
6114 	/* don't downgrade for 5/10/S1G MHz channels, though. */
6115 	if (chanreq.oper.width == NL80211_CHAN_WIDTH_5 ||
6116 	    chanreq.oper.width == NL80211_CHAN_WIDTH_10 ||
6117 	    cfg80211_chandef_is_s1g(&chanreq.oper))
6118 		return ret;
6119 
6120 	while (ret && chanreq.oper.width != NL80211_CHAN_WIDTH_20_NOHT) {
6121 		ieee80211_chanreq_downgrade(&chanreq, conn);
6122 
6123 		ret = ieee80211_link_use_channel(link, &chanreq,
6124 						 IEEE80211_CHANCTX_SHARED);
6125 	}
6126 
6127 	return ret;
6128 }
6129 
6130 static bool ieee80211_get_dtim(const struct cfg80211_bss_ies *ies,
6131 			       u8 *dtim_count, u8 *dtim_period)
6132 {
6133 	const u8 *tim_ie = cfg80211_find_ie(WLAN_EID_TIM, ies->data, ies->len);
6134 	const u8 *idx_ie = cfg80211_find_ie(WLAN_EID_MULTI_BSSID_IDX, ies->data,
6135 					 ies->len);
6136 	const struct ieee80211_tim_ie *tim = NULL;
6137 	const struct ieee80211_bssid_index *idx;
6138 	bool valid = tim_ie && tim_ie[1] >= 2;
6139 
6140 	if (valid)
6141 		tim = (void *)(tim_ie + 2);
6142 
6143 	if (dtim_count)
6144 		*dtim_count = valid ? tim->dtim_count : 0;
6145 
6146 	if (dtim_period)
6147 		*dtim_period = valid ? tim->dtim_period : 0;
6148 
6149 	/* Check if value is overridden by non-transmitted profile */
6150 	if (!idx_ie || idx_ie[1] < 3)
6151 		return valid;
6152 
6153 	idx = (void *)(idx_ie + 2);
6154 
6155 	if (dtim_count)
6156 		*dtim_count = idx->dtim_count;
6157 
6158 	if (dtim_period)
6159 		*dtim_period = idx->dtim_period;
6160 
6161 	return true;
6162 }
6163 
6164 static u16 ieee80211_get_ttlm(u8 bm_size, u8 *data)
6165 {
6166 	if (bm_size == 1)
6167 		return *data;
6168 
6169 	return get_unaligned_le16(data);
6170 }
6171 
6172 static int
6173 ieee80211_parse_adv_t2l(struct ieee80211_sub_if_data *sdata,
6174 			const struct ieee80211_ttlm_elem *ttlm,
6175 			struct ieee80211_adv_ttlm_info *ttlm_info)
6176 {
6177 	/* The element size was already validated in
6178 	 * ieee80211_tid_to_link_map_size_ok()
6179 	 */
6180 	u8 control, link_map_presence, map_size, tid;
6181 	u8 *pos;
6182 
6183 	memset(ttlm_info, 0, sizeof(*ttlm_info));
6184 	pos = (void *)ttlm->optional;
6185 	control	= ttlm->control;
6186 
6187 	if ((control & IEEE80211_TTLM_CONTROL_DIRECTION) !=
6188 	    IEEE80211_TTLM_DIRECTION_BOTH) {
6189 		sdata_info(sdata, "Invalid advertised T2L map direction\n");
6190 		return -EINVAL;
6191 	}
6192 
6193 	link_map_presence = *pos;
6194 	pos++;
6195 
6196 	if (control & IEEE80211_TTLM_CONTROL_SWITCH_TIME_PRESENT) {
6197 		ttlm_info->switch_time = get_unaligned_le16(pos);
6198 
6199 		/* Since ttlm_info->switch_time == 0 means no switch time, bump
6200 		 * it by 1.
6201 		 */
6202 		if (!ttlm_info->switch_time)
6203 			ttlm_info->switch_time = 1;
6204 
6205 		pos += 2;
6206 	}
6207 
6208 	if (control & IEEE80211_TTLM_CONTROL_EXPECTED_DUR_PRESENT) {
6209 		ttlm_info->duration = pos[0] | pos[1] << 8 | pos[2] << 16;
6210 		pos += 3;
6211 	}
6212 
6213 	if (control & IEEE80211_TTLM_CONTROL_DEF_LINK_MAP) {
6214 		ttlm_info->map = 0xffff;
6215 		return 0;
6216 	}
6217 
6218 	if (control & IEEE80211_TTLM_CONTROL_LINK_MAP_SIZE)
6219 		map_size = 1;
6220 	else
6221 		map_size = 2;
6222 
6223 	/* According to Draft P802.11be_D3.0 clause 35.3.7.1.7, an AP MLD shall
6224 	 * not advertise a TID-to-link mapping that does not map all TIDs to the
6225 	 * same link set, reject frame if not all links have mapping
6226 	 */
6227 	if (link_map_presence != 0xff) {
6228 		sdata_info(sdata,
6229 			   "Invalid advertised T2L mapping presence indicator\n");
6230 		return -EINVAL;
6231 	}
6232 
6233 	ttlm_info->map = ieee80211_get_ttlm(map_size, pos);
6234 	if (!ttlm_info->map) {
6235 		sdata_info(sdata,
6236 			   "Invalid advertised T2L map for TID 0\n");
6237 		return -EINVAL;
6238 	}
6239 
6240 	pos += map_size;
6241 
6242 	for (tid = 1; tid < 8; tid++) {
6243 		u16 map = ieee80211_get_ttlm(map_size, pos);
6244 
6245 		if (map != ttlm_info->map) {
6246 			sdata_info(sdata, "Invalid advertised T2L map for tid %d\n",
6247 				   tid);
6248 			return -EINVAL;
6249 		}
6250 
6251 		pos += map_size;
6252 	}
6253 	return 0;
6254 }
6255 
6256 static bool ieee80211_assoc_success(struct ieee80211_sub_if_data *sdata,
6257 				    struct ieee80211_mgmt *mgmt,
6258 				    struct ieee802_11_elems *elems,
6259 				    const u8 *elem_start, unsigned int elem_len)
6260 {
6261 	struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
6262 	struct ieee80211_mgd_assoc_data *assoc_data = ifmgd->assoc_data;
6263 	struct ieee80211_local *local = sdata->local;
6264 	unsigned int link_id;
6265 	struct sta_info *sta;
6266 	u64 changed[IEEE80211_MLD_MAX_NUM_LINKS] = {};
6267 	u16 valid_links = 0, dormant_links = 0;
6268 	int err;
6269 
6270 	lockdep_assert_wiphy(sdata->local->hw.wiphy);
6271 	/*
6272 	 * station info was already allocated and inserted before
6273 	 * the association and should be available to us
6274 	 */
6275 	sta = sta_info_get(sdata, assoc_data->ap_addr);
6276 	if (WARN_ON(!sta))
6277 		goto out_err;
6278 
6279 	sta->sta.spp_amsdu = assoc_data->spp_amsdu;
6280 
6281 	if (ieee80211_vif_is_mld(&sdata->vif)) {
6282 		for (link_id = 0; link_id < IEEE80211_MLD_MAX_NUM_LINKS; link_id++) {
6283 			if (!assoc_data->link[link_id].bss)
6284 				continue;
6285 
6286 			valid_links |= BIT(link_id);
6287 
6288 			if (link_id != assoc_data->assoc_link_id) {
6289 				err = ieee80211_sta_allocate_link(sta, link_id);
6290 				if (err)
6291 					goto out_err;
6292 			}
6293 		}
6294 
6295 		/*
6296 		 * We do not support setting a negotiated TTLM during
6297 		 * association. As such, we can assume that if there is a TTLM,
6298 		 * then it is the currently active advertised TTLM.
6299 		 * In that case, there must be exactly one TTLM that does not
6300 		 * have a switch time set. This mapping should also leave us
6301 		 * with at least one usable link.
6302 		 */
6303 		if (elems->ttlm_num > 1) {
6304 			sdata_info(sdata,
6305 				   "More than one advertised TTLM in association response\n");
6306 			goto out_err;
6307 		} else if (elems->ttlm_num == 1) {
6308 			if (ieee80211_parse_adv_t2l(sdata, elems->ttlm[0],
6309 						    &sdata->u.mgd.ttlm_info) ||
6310 			    sdata->u.mgd.ttlm_info.switch_time != 0 ||
6311 			    !(valid_links & sdata->u.mgd.ttlm_info.map)) {
6312 				sdata_info(sdata,
6313 					   "Invalid advertised TTLM in association response\n");
6314 				goto out_err;
6315 			}
6316 
6317 			sdata->u.mgd.ttlm_info.active = true;
6318 			dormant_links =
6319 				valid_links & ~sdata->u.mgd.ttlm_info.map;
6320 		}
6321 
6322 		ieee80211_vif_set_links(sdata, valid_links, dormant_links);
6323 	}
6324 
6325 	for (link_id = 0; link_id < IEEE80211_MLD_MAX_NUM_LINKS; link_id++) {
6326 		struct cfg80211_bss *cbss = assoc_data->link[link_id].bss;
6327 		struct ieee80211_link_data *link;
6328 		struct link_sta_info *link_sta;
6329 
6330 		if (!cbss)
6331 			continue;
6332 
6333 		link = sdata_dereference(sdata->link[link_id], sdata);
6334 		if (WARN_ON(!link))
6335 			goto out_err;
6336 
6337 		if (ieee80211_vif_is_mld(&sdata->vif))
6338 			link_info(link,
6339 				  "local address %pM, AP link address %pM%s\n",
6340 				  link->conf->addr,
6341 				  assoc_data->link[link_id].bss->bssid,
6342 				  link_id == assoc_data->assoc_link_id ?
6343 					" (assoc)" : "");
6344 
6345 		link_sta = rcu_dereference_protected(sta->link[link_id],
6346 						     lockdep_is_held(&local->hw.wiphy->mtx));
6347 		if (WARN_ON(!link_sta))
6348 			goto out_err;
6349 
6350 		if (!link->u.mgd.have_beacon) {
6351 			const struct cfg80211_bss_ies *ies;
6352 
6353 			rcu_read_lock();
6354 			ies = rcu_dereference(cbss->beacon_ies);
6355 			if (ies)
6356 				link->u.mgd.have_beacon = true;
6357 			else
6358 				ies = rcu_dereference(cbss->ies);
6359 			ieee80211_get_dtim(ies,
6360 					   &link->conf->sync_dtim_count,
6361 					   &link->u.mgd.dtim_period);
6362 			link->conf->beacon_int = cbss->beacon_interval;
6363 			rcu_read_unlock();
6364 		}
6365 
6366 		link->conf->dtim_period = link->u.mgd.dtim_period ?: 1;
6367 
6368 		if (link_id != assoc_data->assoc_link_id) {
6369 			link->u.mgd.conn = assoc_data->link[link_id].conn;
6370 
6371 			err = ieee80211_prep_channel(sdata, link, link_id, cbss,
6372 						     true, &link->u.mgd.conn,
6373 						     sdata->u.mgd.userspace_selectors);
6374 			if (err) {
6375 				link_info(link, "prep_channel failed\n");
6376 				goto out_err;
6377 			}
6378 		}
6379 
6380 		err = ieee80211_mgd_setup_link_sta(link, sta, link_sta,
6381 						   assoc_data->link[link_id].bss);
6382 		if (err)
6383 			goto out_err;
6384 
6385 		if (!ieee80211_assoc_config_link(link, link_sta,
6386 						 assoc_data->link[link_id].bss,
6387 						 mgmt, elem_start, elem_len,
6388 						 &changed[link_id]))
6389 			goto out_err;
6390 
6391 		if (assoc_data->link[link_id].status != WLAN_STATUS_SUCCESS) {
6392 			valid_links &= ~BIT(link_id);
6393 			ieee80211_sta_remove_link(sta, link_id);
6394 			continue;
6395 		}
6396 
6397 		if (link_id != assoc_data->assoc_link_id) {
6398 			err = ieee80211_sta_activate_link(sta, link_id);
6399 			if (err)
6400 				goto out_err;
6401 		}
6402 	}
6403 
6404 	/* links might have changed due to rejected ones, set them again */
6405 	ieee80211_vif_set_links(sdata, valid_links, dormant_links);
6406 
6407 	rate_control_rate_init_all_links(sta);
6408 
6409 	if (ifmgd->flags & IEEE80211_STA_MFP_ENABLED) {
6410 		set_sta_flag(sta, WLAN_STA_MFP);
6411 		sta->sta.mfp = true;
6412 	} else {
6413 		sta->sta.mfp = false;
6414 	}
6415 
6416 	ieee80211_sta_set_max_amsdu_subframes(sta, elems->ext_capab,
6417 					      elems->ext_capab_len);
6418 
6419 	sta->sta.wme = (elems->wmm_param || elems->s1g_capab) &&
6420 		       local->hw.queues >= IEEE80211_NUM_ACS;
6421 
6422 	err = sta_info_move_state(sta, IEEE80211_STA_ASSOC);
6423 	if (!err && !(ifmgd->flags & IEEE80211_STA_CONTROL_PORT))
6424 		err = sta_info_move_state(sta, IEEE80211_STA_AUTHORIZED);
6425 	if (err) {
6426 		sdata_info(sdata,
6427 			   "failed to move station %pM to desired state\n",
6428 			   sta->sta.addr);
6429 		WARN_ON(__sta_info_destroy(sta));
6430 		goto out_err;
6431 	}
6432 
6433 	if (sdata->wdev.use_4addr)
6434 		drv_sta_set_4addr(local, sdata, &sta->sta, true);
6435 
6436 	ieee80211_set_associated(sdata, assoc_data, changed);
6437 
6438 	/*
6439 	 * If we're using 4-addr mode, let the AP know that we're
6440 	 * doing so, so that it can create the STA VLAN on its side
6441 	 */
6442 	if (ifmgd->use_4addr)
6443 		ieee80211_send_4addr_nullfunc(local, sdata);
6444 
6445 	/*
6446 	 * Start timer to probe the connection to the AP now.
6447 	 * Also start the timer that will detect beacon loss.
6448 	 */
6449 	ieee80211_sta_reset_beacon_monitor(sdata);
6450 	ieee80211_sta_reset_conn_monitor(sdata);
6451 
6452 	return true;
6453 out_err:
6454 	eth_zero_addr(sdata->vif.cfg.ap_addr);
6455 	return false;
6456 }
6457 
6458 static void ieee80211_rx_mgmt_assoc_resp(struct ieee80211_sub_if_data *sdata,
6459 					 struct ieee80211_mgmt *mgmt,
6460 					 size_t len)
6461 {
6462 	struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
6463 	struct ieee80211_mgd_assoc_data *assoc_data = ifmgd->assoc_data;
6464 	u16 capab_info, status_code, aid;
6465 	struct ieee80211_elems_parse_params parse_params = {
6466 		.bss = NULL,
6467 		.link_id = -1,
6468 		.from_ap = true,
6469 		.type = le16_to_cpu(mgmt->frame_control) & IEEE80211_FCTL_TYPE,
6470 	};
6471 	struct ieee802_11_elems *elems;
6472 	int ac;
6473 	const u8 *elem_start;
6474 	unsigned int elem_len;
6475 	bool reassoc;
6476 	struct ieee80211_event event = {
6477 		.type = MLME_EVENT,
6478 		.u.mlme.data = ASSOC_EVENT,
6479 	};
6480 	struct ieee80211_prep_tx_info info = {};
6481 	struct cfg80211_rx_assoc_resp_data resp = {
6482 		.uapsd_queues = -1,
6483 	};
6484 	u8 ap_mld_addr[ETH_ALEN] __aligned(2);
6485 	unsigned int link_id;
6486 	u16 max_aid = IEEE80211_MAX_AID;
6487 
6488 	lockdep_assert_wiphy(sdata->local->hw.wiphy);
6489 
6490 	if (!assoc_data)
6491 		return;
6492 
6493 	info.link_id = assoc_data->assoc_link_id;
6494 
6495 	parse_params.mode =
6496 		assoc_data->link[assoc_data->assoc_link_id].conn.mode;
6497 
6498 	if (!ether_addr_equal(assoc_data->ap_addr, mgmt->bssid) ||
6499 	    !ether_addr_equal(assoc_data->ap_addr, mgmt->sa))
6500 		return;
6501 
6502 	/*
6503 	 * AssocResp and ReassocResp have identical structure, so process both
6504 	 * of them in this function.
6505 	 */
6506 
6507 	if (len < 24 + 6)
6508 		return;
6509 
6510 	reassoc = ieee80211_is_reassoc_resp(mgmt->frame_control);
6511 	capab_info = le16_to_cpu(mgmt->u.assoc_resp.capab_info);
6512 	status_code = le16_to_cpu(mgmt->u.assoc_resp.status_code);
6513 	if (assoc_data->s1g) {
6514 		elem_start = mgmt->u.s1g_assoc_resp.variable;
6515 		max_aid = IEEE80211_MAX_SUPPORTED_S1G_AID;
6516 	} else {
6517 		elem_start = mgmt->u.assoc_resp.variable;
6518 	}
6519 
6520 	/*
6521 	 * Note: this may not be perfect, AP might misbehave - if
6522 	 * anyone needs to rely on perfect complete notification
6523 	 * with the exact right subtype, then we need to track what
6524 	 * we actually transmitted.
6525 	 */
6526 	info.subtype = reassoc ? IEEE80211_STYPE_REASSOC_REQ :
6527 				 IEEE80211_STYPE_ASSOC_REQ;
6528 
6529 	if (assoc_data->fils_kek_len &&
6530 	    fils_decrypt_assoc_resp(sdata, (u8 *)mgmt, &len, assoc_data) < 0)
6531 		return;
6532 
6533 	elem_len = len - (elem_start - (u8 *)mgmt);
6534 	parse_params.start = elem_start;
6535 	parse_params.len = elem_len;
6536 	elems = ieee802_11_parse_elems_full(&parse_params);
6537 	if (!elems)
6538 		goto notify_driver;
6539 
6540 	if (elems->aid_resp)
6541 		aid = le16_to_cpu(elems->aid_resp->aid);
6542 	else
6543 		aid = le16_to_cpu(mgmt->u.assoc_resp.aid);
6544 
6545 	/*
6546 	 * The 5 MSB of the AID field are reserved for a non-S1G STA. For
6547 	 * an S1G STA the 3 MSBs are reserved.
6548 	 * (802.11-2016 9.4.1.8 AID field).
6549 	 */
6550 	aid &= assoc_data->s1g ? 0x1fff : 0x7ff;
6551 
6552 	sdata_info(sdata,
6553 		   "RX %sssocResp from %pM (capab=0x%x status=%d aid=%d)\n",
6554 		   reassoc ? "Rea" : "A", assoc_data->ap_addr,
6555 		   capab_info, status_code, (u16)(aid & ~(BIT(15) | BIT(14))));
6556 
6557 	ifmgd->broken_ap = false;
6558 
6559 	if (status_code == WLAN_STATUS_ASSOC_REJECTED_TEMPORARILY &&
6560 	    elems->timeout_int &&
6561 	    elems->timeout_int->type == WLAN_TIMEOUT_ASSOC_COMEBACK) {
6562 		u32 tu, ms;
6563 
6564 		cfg80211_assoc_comeback(sdata->dev, assoc_data->ap_addr,
6565 					le32_to_cpu(elems->timeout_int->value));
6566 
6567 		tu = le32_to_cpu(elems->timeout_int->value);
6568 		ms = tu * 1024 / 1000;
6569 		sdata_info(sdata,
6570 			   "%pM rejected association temporarily; comeback duration %u TU (%u ms)\n",
6571 			   assoc_data->ap_addr, tu, ms);
6572 		assoc_data->timeout = jiffies + msecs_to_jiffies(ms);
6573 		assoc_data->timeout_started = true;
6574 		assoc_data->comeback = true;
6575 		if (ms > IEEE80211_ASSOC_TIMEOUT)
6576 			run_again(sdata, assoc_data->timeout);
6577 		goto notify_driver;
6578 	}
6579 
6580 	if (status_code != WLAN_STATUS_SUCCESS) {
6581 		sdata_info(sdata, "%pM denied association (code=%d)\n",
6582 			   assoc_data->ap_addr, status_code);
6583 		event.u.mlme.status = MLME_DENIED;
6584 		event.u.mlme.reason = status_code;
6585 		drv_event_callback(sdata->local, sdata, &event);
6586 	} else {
6587 		if (aid == 0 || aid > max_aid) {
6588 			sdata_info(sdata,
6589 				   "invalid AID value %d (out of range), turn off PS\n",
6590 				   aid);
6591 			aid = 0;
6592 			ifmgd->broken_ap = true;
6593 		}
6594 
6595 		if (ieee80211_vif_is_mld(&sdata->vif)) {
6596 			struct ieee80211_mle_basic_common_info *common;
6597 
6598 			if (!elems->ml_basic) {
6599 				sdata_info(sdata,
6600 					   "MLO association with %pM but no (basic) multi-link element in response!\n",
6601 					   assoc_data->ap_addr);
6602 				goto abandon_assoc;
6603 			}
6604 
6605 			common = (void *)elems->ml_basic->variable;
6606 
6607 			if (memcmp(assoc_data->ap_addr,
6608 				   common->mld_mac_addr, ETH_ALEN)) {
6609 				sdata_info(sdata,
6610 					   "AP MLD MAC address mismatch: got %pM expected %pM\n",
6611 					   common->mld_mac_addr,
6612 					   assoc_data->ap_addr);
6613 				goto abandon_assoc;
6614 			}
6615 
6616 			sdata->vif.cfg.eml_cap =
6617 				ieee80211_mle_get_eml_cap((const void *)elems->ml_basic);
6618 			sdata->vif.cfg.eml_med_sync_delay =
6619 				ieee80211_mle_get_eml_med_sync_delay((const void *)elems->ml_basic);
6620 			sdata->vif.cfg.mld_capa_op =
6621 				ieee80211_mle_get_mld_capa_op((const void *)elems->ml_basic);
6622 		}
6623 
6624 		sdata->vif.cfg.aid = aid;
6625 		sdata->vif.cfg.s1g = assoc_data->s1g;
6626 
6627 		if (!ieee80211_assoc_success(sdata, mgmt, elems,
6628 					     elem_start, elem_len)) {
6629 			/* oops -- internal error -- send timeout for now */
6630 			ieee80211_destroy_assoc_data(sdata, ASSOC_TIMEOUT);
6631 			goto notify_driver;
6632 		}
6633 		event.u.mlme.status = MLME_SUCCESS;
6634 		drv_event_callback(sdata->local, sdata, &event);
6635 		sdata_info(sdata, "associated\n");
6636 
6637 		info.success = 1;
6638 	}
6639 
6640 	for (link_id = 0; link_id < IEEE80211_MLD_MAX_NUM_LINKS; link_id++) {
6641 		struct ieee80211_link_data *link;
6642 
6643 		if (!assoc_data->link[link_id].bss)
6644 			continue;
6645 
6646 		resp.links[link_id].bss = assoc_data->link[link_id].bss;
6647 		ether_addr_copy(resp.links[link_id].addr,
6648 				assoc_data->link[link_id].addr);
6649 		resp.links[link_id].status = assoc_data->link[link_id].status;
6650 
6651 		link = sdata_dereference(sdata->link[link_id], sdata);
6652 		if (!link)
6653 			continue;
6654 
6655 		/* get uapsd queues configuration - same for all links */
6656 		resp.uapsd_queues = 0;
6657 		for (ac = 0; ac < IEEE80211_NUM_ACS; ac++)
6658 			if (link->tx_conf[ac].uapsd)
6659 				resp.uapsd_queues |= ieee80211_ac_to_qos_mask[ac];
6660 	}
6661 
6662 	if (ieee80211_vif_is_mld(&sdata->vif)) {
6663 		ether_addr_copy(ap_mld_addr, sdata->vif.cfg.ap_addr);
6664 		resp.ap_mld_addr = ap_mld_addr;
6665 	}
6666 
6667 	ieee80211_destroy_assoc_data(sdata,
6668 				     status_code == WLAN_STATUS_SUCCESS ?
6669 					ASSOC_SUCCESS :
6670 					ASSOC_REJECTED);
6671 
6672 	resp.buf = (u8 *)mgmt;
6673 	resp.len = len;
6674 	resp.req_ies = ifmgd->assoc_req_ies;
6675 	resp.req_ies_len = ifmgd->assoc_req_ies_len;
6676 	cfg80211_rx_assoc_resp(sdata->dev, &resp);
6677 notify_driver:
6678 	drv_mgd_complete_tx(sdata->local, sdata, &info);
6679 	kfree(elems);
6680 	return;
6681 abandon_assoc:
6682 	ieee80211_destroy_assoc_data(sdata, ASSOC_ABANDON);
6683 	goto notify_driver;
6684 }
6685 
6686 static void ieee80211_rx_bss_info(struct ieee80211_link_data *link,
6687 				  struct ieee80211_mgmt *mgmt, size_t len,
6688 				  struct ieee80211_rx_status *rx_status)
6689 {
6690 	struct ieee80211_sub_if_data *sdata = link->sdata;
6691 	struct ieee80211_local *local = sdata->local;
6692 	struct ieee80211_bss *bss;
6693 	struct ieee80211_channel *channel;
6694 
6695 	lockdep_assert_wiphy(sdata->local->hw.wiphy);
6696 
6697 	channel = ieee80211_get_channel_khz(local->hw.wiphy,
6698 					ieee80211_rx_status_to_khz(rx_status));
6699 	if (!channel)
6700 		return;
6701 
6702 	bss = ieee80211_bss_info_update(local, rx_status, mgmt, len, channel);
6703 	if (bss) {
6704 		link->conf->beacon_rate = bss->beacon_rate;
6705 		ieee80211_rx_bss_put(local, bss);
6706 	}
6707 }
6708 
6709 
6710 static void ieee80211_rx_mgmt_probe_resp(struct ieee80211_link_data *link,
6711 					 struct sk_buff *skb)
6712 {
6713 	struct ieee80211_sub_if_data *sdata = link->sdata;
6714 	struct ieee80211_mgmt *mgmt = (void *)skb->data;
6715 	struct ieee80211_if_managed *ifmgd;
6716 	struct ieee80211_rx_status *rx_status = (void *) skb->cb;
6717 	struct ieee80211_channel *channel;
6718 	size_t baselen, len = skb->len;
6719 
6720 	ifmgd = &sdata->u.mgd;
6721 
6722 	lockdep_assert_wiphy(sdata->local->hw.wiphy);
6723 
6724 	/*
6725 	 * According to Draft P802.11ax D6.0 clause 26.17.2.3.2:
6726 	 * "If a 6 GHz AP receives a Probe Request frame  and responds with
6727 	 * a Probe Response frame [..], the Address 1 field of the Probe
6728 	 * Response frame shall be set to the broadcast address [..]"
6729 	 * So, on 6GHz band we should also accept broadcast responses.
6730 	 */
6731 	channel = ieee80211_get_channel_khz(sdata->local->hw.wiphy,
6732 					    ieee80211_rx_status_to_khz(rx_status));
6733 	if (!channel)
6734 		return;
6735 
6736 	if (!ether_addr_equal(mgmt->da, sdata->vif.addr) &&
6737 	    (channel->band != NL80211_BAND_6GHZ ||
6738 	     !is_broadcast_ether_addr(mgmt->da)))
6739 		return; /* ignore ProbeResp to foreign address */
6740 
6741 	baselen = (u8 *) mgmt->u.probe_resp.variable - (u8 *) mgmt;
6742 	if (baselen > len)
6743 		return;
6744 
6745 	ieee80211_rx_bss_info(link, mgmt, len, rx_status);
6746 
6747 	if (ifmgd->associated &&
6748 	    ether_addr_equal(mgmt->bssid, link->u.mgd.bssid))
6749 		ieee80211_reset_ap_probe(sdata);
6750 }
6751 
6752 /*
6753  * This is the canonical list of information elements we care about,
6754  * the filter code also gives us all changes to the Microsoft OUI
6755  * (00:50:F2) vendor IE which is used for WMM which we need to track,
6756  * as well as the DTPC IE (part of the Cisco OUI) used for signaling
6757  * changes to requested client power.
6758  *
6759  * We implement beacon filtering in software since that means we can
6760  * avoid processing the frame here and in cfg80211, and userspace
6761  * will not be able to tell whether the hardware supports it or not.
6762  *
6763  * XXX: This list needs to be dynamic -- userspace needs to be able to
6764  *	add items it requires. It also needs to be able to tell us to
6765  *	look out for other vendor IEs.
6766  */
6767 static const u64 care_about_ies =
6768 	(1ULL << WLAN_EID_COUNTRY) |
6769 	(1ULL << WLAN_EID_ERP_INFO) |
6770 	(1ULL << WLAN_EID_CHANNEL_SWITCH) |
6771 	(1ULL << WLAN_EID_PWR_CONSTRAINT) |
6772 	(1ULL << WLAN_EID_HT_CAPABILITY) |
6773 	(1ULL << WLAN_EID_HT_OPERATION) |
6774 	(1ULL << WLAN_EID_EXT_CHANSWITCH_ANN);
6775 
6776 static void ieee80211_handle_beacon_sig(struct ieee80211_link_data *link,
6777 					struct ieee80211_if_managed *ifmgd,
6778 					struct ieee80211_bss_conf *bss_conf,
6779 					struct ieee80211_local *local,
6780 					struct ieee80211_rx_status *rx_status)
6781 {
6782 	struct ieee80211_sub_if_data *sdata = link->sdata;
6783 
6784 	/* Track average RSSI from the Beacon frames of the current AP */
6785 
6786 	if (!link->u.mgd.tracking_signal_avg) {
6787 		link->u.mgd.tracking_signal_avg = true;
6788 		ewma_beacon_signal_init(&link->u.mgd.ave_beacon_signal);
6789 		link->u.mgd.last_cqm_event_signal = 0;
6790 		link->u.mgd.count_beacon_signal = 1;
6791 		link->u.mgd.last_ave_beacon_signal = 0;
6792 	} else {
6793 		link->u.mgd.count_beacon_signal++;
6794 	}
6795 
6796 	ewma_beacon_signal_add(&link->u.mgd.ave_beacon_signal,
6797 			       -rx_status->signal);
6798 
6799 	if (ifmgd->rssi_min_thold != ifmgd->rssi_max_thold &&
6800 	    link->u.mgd.count_beacon_signal >= IEEE80211_SIGNAL_AVE_MIN_COUNT) {
6801 		int sig = -ewma_beacon_signal_read(&link->u.mgd.ave_beacon_signal);
6802 		int last_sig = link->u.mgd.last_ave_beacon_signal;
6803 		struct ieee80211_event event = {
6804 			.type = RSSI_EVENT,
6805 		};
6806 
6807 		/*
6808 		 * if signal crosses either of the boundaries, invoke callback
6809 		 * with appropriate parameters
6810 		 */
6811 		if (sig > ifmgd->rssi_max_thold &&
6812 		    (last_sig <= ifmgd->rssi_min_thold || last_sig == 0)) {
6813 			link->u.mgd.last_ave_beacon_signal = sig;
6814 			event.u.rssi.data = RSSI_EVENT_HIGH;
6815 			drv_event_callback(local, sdata, &event);
6816 		} else if (sig < ifmgd->rssi_min_thold &&
6817 			   (last_sig >= ifmgd->rssi_max_thold ||
6818 			   last_sig == 0)) {
6819 			link->u.mgd.last_ave_beacon_signal = sig;
6820 			event.u.rssi.data = RSSI_EVENT_LOW;
6821 			drv_event_callback(local, sdata, &event);
6822 		}
6823 	}
6824 
6825 	if (bss_conf->cqm_rssi_thold &&
6826 	    link->u.mgd.count_beacon_signal >= IEEE80211_SIGNAL_AVE_MIN_COUNT &&
6827 	    !(sdata->vif.driver_flags & IEEE80211_VIF_SUPPORTS_CQM_RSSI)) {
6828 		int sig = -ewma_beacon_signal_read(&link->u.mgd.ave_beacon_signal);
6829 		int last_event = link->u.mgd.last_cqm_event_signal;
6830 		int thold = bss_conf->cqm_rssi_thold;
6831 		int hyst = bss_conf->cqm_rssi_hyst;
6832 
6833 		if (sig < thold &&
6834 		    (last_event == 0 || sig < last_event - hyst)) {
6835 			link->u.mgd.last_cqm_event_signal = sig;
6836 			ieee80211_cqm_rssi_notify(
6837 				&sdata->vif,
6838 				NL80211_CQM_RSSI_THRESHOLD_EVENT_LOW,
6839 				sig, GFP_KERNEL);
6840 		} else if (sig > thold &&
6841 			   (last_event == 0 || sig > last_event + hyst)) {
6842 			link->u.mgd.last_cqm_event_signal = sig;
6843 			ieee80211_cqm_rssi_notify(
6844 				&sdata->vif,
6845 				NL80211_CQM_RSSI_THRESHOLD_EVENT_HIGH,
6846 				sig, GFP_KERNEL);
6847 		}
6848 	}
6849 
6850 	if (bss_conf->cqm_rssi_low &&
6851 	    link->u.mgd.count_beacon_signal >= IEEE80211_SIGNAL_AVE_MIN_COUNT) {
6852 		int sig = -ewma_beacon_signal_read(&link->u.mgd.ave_beacon_signal);
6853 		int last_event = link->u.mgd.last_cqm_event_signal;
6854 		int low = bss_conf->cqm_rssi_low;
6855 		int high = bss_conf->cqm_rssi_high;
6856 
6857 		if (sig < low &&
6858 		    (last_event == 0 || last_event >= low)) {
6859 			link->u.mgd.last_cqm_event_signal = sig;
6860 			ieee80211_cqm_rssi_notify(
6861 				&sdata->vif,
6862 				NL80211_CQM_RSSI_THRESHOLD_EVENT_LOW,
6863 				sig, GFP_KERNEL);
6864 		} else if (sig > high &&
6865 			   (last_event == 0 || last_event <= high)) {
6866 			link->u.mgd.last_cqm_event_signal = sig;
6867 			ieee80211_cqm_rssi_notify(
6868 				&sdata->vif,
6869 				NL80211_CQM_RSSI_THRESHOLD_EVENT_HIGH,
6870 				sig, GFP_KERNEL);
6871 		}
6872 	}
6873 }
6874 
6875 static bool ieee80211_rx_our_beacon(const u8 *tx_bssid,
6876 				    struct cfg80211_bss *bss)
6877 {
6878 	if (ether_addr_equal(tx_bssid, bss->bssid))
6879 		return true;
6880 	if (!bss->transmitted_bss)
6881 		return false;
6882 	return ether_addr_equal(tx_bssid, bss->transmitted_bss->bssid);
6883 }
6884 
6885 static void ieee80211_ml_reconf_work(struct wiphy *wiphy,
6886 				     struct wiphy_work *work)
6887 {
6888 	struct ieee80211_sub_if_data *sdata =
6889 		container_of(work, struct ieee80211_sub_if_data,
6890 			     u.mgd.ml_reconf_work.work);
6891 	u16 new_valid_links, new_active_links, new_dormant_links;
6892 	int ret;
6893 
6894 	if (!sdata->u.mgd.removed_links)
6895 		return;
6896 
6897 	sdata_info(sdata,
6898 		   "MLO Reconfiguration: work: valid=0x%x, removed=0x%x\n",
6899 		   sdata->vif.valid_links, sdata->u.mgd.removed_links);
6900 
6901 	new_valid_links = sdata->vif.valid_links & ~sdata->u.mgd.removed_links;
6902 	if (new_valid_links == sdata->vif.valid_links)
6903 		return;
6904 
6905 	if (!new_valid_links ||
6906 	    !(new_valid_links & ~sdata->vif.dormant_links)) {
6907 		sdata_info(sdata, "No valid links after reconfiguration\n");
6908 		ret = -EINVAL;
6909 		goto out;
6910 	}
6911 
6912 	new_active_links = sdata->vif.active_links & ~sdata->u.mgd.removed_links;
6913 	if (new_active_links != sdata->vif.active_links) {
6914 		if (!new_active_links)
6915 			new_active_links =
6916 				BIT(ffs(new_valid_links &
6917 					~sdata->vif.dormant_links) - 1);
6918 
6919 		ret = ieee80211_set_active_links(&sdata->vif, new_active_links);
6920 		if (ret) {
6921 			sdata_info(sdata,
6922 				   "Failed setting active links\n");
6923 			goto out;
6924 		}
6925 	}
6926 
6927 	new_dormant_links = sdata->vif.dormant_links & ~sdata->u.mgd.removed_links;
6928 
6929 	ret = ieee80211_vif_set_links(sdata, new_valid_links,
6930 				      new_dormant_links);
6931 	if (ret)
6932 		sdata_info(sdata, "Failed setting valid links\n");
6933 
6934 	ieee80211_vif_cfg_change_notify(sdata, BSS_CHANGED_MLD_VALID_LINKS);
6935 
6936 out:
6937 	if (!ret)
6938 		cfg80211_links_removed(sdata->dev, sdata->u.mgd.removed_links);
6939 	else
6940 		__ieee80211_disconnect(sdata);
6941 
6942 	sdata->u.mgd.removed_links = 0;
6943 }
6944 
6945 static void ieee80211_ml_reconfiguration(struct ieee80211_sub_if_data *sdata,
6946 					 struct ieee802_11_elems *elems)
6947 {
6948 	const struct element *sub;
6949 	unsigned long removed_links = 0;
6950 	u16 link_removal_timeout[IEEE80211_MLD_MAX_NUM_LINKS] = {};
6951 	u8 link_id;
6952 	u32 delay;
6953 
6954 	if (!ieee80211_vif_is_mld(&sdata->vif) || !elems->ml_reconf)
6955 		return;
6956 
6957 	/* Directly parse the sub elements as the common information doesn't
6958 	 * hold any useful information.
6959 	 */
6960 	for_each_mle_subelement(sub, (const u8 *)elems->ml_reconf,
6961 				elems->ml_reconf_len) {
6962 		struct ieee80211_mle_per_sta_profile *prof = (void *)sub->data;
6963 		u8 *pos = prof->variable;
6964 		u16 control;
6965 
6966 		if (sub->id != IEEE80211_MLE_SUBELEM_PER_STA_PROFILE)
6967 			continue;
6968 
6969 		if (!ieee80211_mle_reconf_sta_prof_size_ok(sub->data,
6970 							   sub->datalen))
6971 			return;
6972 
6973 		control = le16_to_cpu(prof->control);
6974 		link_id = control & IEEE80211_MLE_STA_RECONF_CONTROL_LINK_ID;
6975 
6976 		removed_links |= BIT(link_id);
6977 
6978 		/* the MAC address should not be included, but handle it */
6979 		if (control &
6980 		    IEEE80211_MLE_STA_RECONF_CONTROL_STA_MAC_ADDR_PRESENT)
6981 			pos += 6;
6982 
6983 		/* According to Draft P802.11be_D3.0, the control should
6984 		 * include the AP Removal Timer present. If the AP Removal Timer
6985 		 * is not present assume immediate removal.
6986 		 */
6987 		if (control &
6988 		    IEEE80211_MLE_STA_RECONF_CONTROL_AP_REM_TIMER_PRESENT)
6989 			link_removal_timeout[link_id] = get_unaligned_le16(pos);
6990 	}
6991 
6992 	removed_links &= sdata->vif.valid_links;
6993 	if (!removed_links) {
6994 		/* In case the removal was cancelled, abort it */
6995 		if (sdata->u.mgd.removed_links) {
6996 			sdata->u.mgd.removed_links = 0;
6997 			wiphy_hrtimer_work_cancel(sdata->local->hw.wiphy,
6998 						  &sdata->u.mgd.ml_reconf_work);
6999 		}
7000 		return;
7001 	}
7002 
7003 	delay = 0;
7004 	for_each_set_bit(link_id, &removed_links, IEEE80211_MLD_MAX_NUM_LINKS) {
7005 		struct ieee80211_bss_conf *link_conf =
7006 			sdata_dereference(sdata->vif.link_conf[link_id], sdata);
7007 		u32 link_delay;
7008 
7009 		if (!link_conf) {
7010 			removed_links &= ~BIT(link_id);
7011 			continue;
7012 		}
7013 
7014 		if (link_removal_timeout[link_id] < 1)
7015 			link_delay = 0;
7016 		else
7017 			link_delay = link_conf->beacon_int *
7018 				(link_removal_timeout[link_id] - 1);
7019 
7020 		if (!delay)
7021 			delay = link_delay;
7022 		else
7023 			delay = min(delay, link_delay);
7024 	}
7025 
7026 	sdata->u.mgd.removed_links = removed_links;
7027 	wiphy_hrtimer_work_queue(sdata->local->hw.wiphy,
7028 				 &sdata->u.mgd.ml_reconf_work,
7029 				 us_to_ktime(ieee80211_tu_to_usec(delay)));
7030 }
7031 
7032 static int ieee80211_ttlm_set_links(struct ieee80211_sub_if_data *sdata,
7033 				    u16 active_links, u16 dormant_links,
7034 				    u16 suspended_links)
7035 {
7036 	u64 changed = 0;
7037 	int ret;
7038 
7039 	if (!active_links) {
7040 		ret = -EINVAL;
7041 		goto out;
7042 	}
7043 
7044 	/* If there is an active negotiated TTLM, it should be discarded by
7045 	 * the new negotiated/advertised TTLM.
7046 	 */
7047 	if (sdata->vif.neg_ttlm.valid) {
7048 		memset(&sdata->vif.neg_ttlm, 0, sizeof(sdata->vif.neg_ttlm));
7049 		sdata->vif.suspended_links = 0;
7050 		changed = BSS_CHANGED_MLD_TTLM;
7051 	}
7052 
7053 	if (sdata->vif.active_links != active_links) {
7054 		/* usable links are affected when active_links are changed,
7055 		 * so notify the driver about the status change
7056 		 */
7057 		changed |= BSS_CHANGED_MLD_VALID_LINKS;
7058 		active_links &= sdata->vif.active_links;
7059 		if (!active_links)
7060 			active_links =
7061 				BIT(__ffs(sdata->vif.valid_links &
7062 				    ~dormant_links));
7063 		ret = ieee80211_set_active_links(&sdata->vif, active_links);
7064 		if (ret) {
7065 			sdata_info(sdata, "Failed to set TTLM active links\n");
7066 			goto out;
7067 		}
7068 	}
7069 
7070 	ret = ieee80211_vif_set_links(sdata, sdata->vif.valid_links,
7071 				      dormant_links);
7072 	if (ret) {
7073 		sdata_info(sdata, "Failed to set TTLM dormant links\n");
7074 		goto out;
7075 	}
7076 
7077 	sdata->vif.suspended_links = suspended_links;
7078 	if (sdata->vif.suspended_links)
7079 		changed |= BSS_CHANGED_MLD_TTLM;
7080 
7081 	ieee80211_vif_cfg_change_notify(sdata, changed);
7082 
7083 out:
7084 	if (ret)
7085 		ieee80211_disconnect(&sdata->vif, false);
7086 
7087 	return ret;
7088 }
7089 
7090 static void ieee80211_tid_to_link_map_work(struct wiphy *wiphy,
7091 					   struct wiphy_work *work)
7092 {
7093 	u16 new_active_links, new_dormant_links;
7094 	struct ieee80211_sub_if_data *sdata =
7095 		container_of(work, struct ieee80211_sub_if_data,
7096 			     u.mgd.ttlm_work.work);
7097 
7098 	new_active_links = sdata->u.mgd.ttlm_info.map &
7099 			   sdata->vif.valid_links;
7100 	new_dormant_links = ~sdata->u.mgd.ttlm_info.map &
7101 			    sdata->vif.valid_links;
7102 
7103 	ieee80211_vif_set_links(sdata, sdata->vif.valid_links, 0);
7104 	if (ieee80211_ttlm_set_links(sdata, new_active_links, new_dormant_links,
7105 				     0))
7106 		return;
7107 
7108 	sdata->u.mgd.ttlm_info.active = true;
7109 	sdata->u.mgd.ttlm_info.switch_time = 0;
7110 }
7111 
7112 static void ieee80211_process_adv_ttlm(struct ieee80211_sub_if_data *sdata,
7113 					  struct ieee802_11_elems *elems,
7114 					  u64 beacon_ts)
7115 {
7116 	u8 i;
7117 	int ret;
7118 
7119 	if (!ieee80211_vif_is_mld(&sdata->vif))
7120 		return;
7121 
7122 	if (!elems->ttlm_num) {
7123 		if (sdata->u.mgd.ttlm_info.switch_time) {
7124 			/* if a planned TID-to-link mapping was cancelled -
7125 			 * abort it
7126 			 */
7127 			wiphy_hrtimer_work_cancel(sdata->local->hw.wiphy,
7128 						  &sdata->u.mgd.ttlm_work);
7129 		} else if (sdata->u.mgd.ttlm_info.active) {
7130 			/* if no TID-to-link element, set to default mapping in
7131 			 * which all TIDs are mapped to all setup links
7132 			 */
7133 			ret = ieee80211_vif_set_links(sdata,
7134 						      sdata->vif.valid_links,
7135 						      0);
7136 			if (ret) {
7137 				sdata_info(sdata, "Failed setting valid/dormant links\n");
7138 				return;
7139 			}
7140 			ieee80211_vif_cfg_change_notify(sdata,
7141 							BSS_CHANGED_MLD_VALID_LINKS);
7142 		}
7143 		memset(&sdata->u.mgd.ttlm_info, 0,
7144 		       sizeof(sdata->u.mgd.ttlm_info));
7145 		return;
7146 	}
7147 
7148 	for (i = 0; i < elems->ttlm_num; i++) {
7149 		struct ieee80211_adv_ttlm_info ttlm_info;
7150 		u32 res;
7151 
7152 		res = ieee80211_parse_adv_t2l(sdata, elems->ttlm[i],
7153 					      &ttlm_info);
7154 
7155 		if (res) {
7156 			__ieee80211_disconnect(sdata);
7157 			return;
7158 		}
7159 
7160 		if (ttlm_info.switch_time) {
7161 			u16 beacon_ts_tu, st_tu, delay;
7162 			u64 delay_usec;
7163 			u64 mask;
7164 
7165 			/* The t2l map switch time is indicated with a partial
7166 			 * TSF value (bits 10 to 25), get the partial beacon TS
7167 			 * as well, and calc the delay to the start time.
7168 			 */
7169 			mask = GENMASK_ULL(25, 10);
7170 			beacon_ts_tu = (beacon_ts & mask) >> 10;
7171 			st_tu = ttlm_info.switch_time;
7172 			delay = st_tu - beacon_ts_tu;
7173 
7174 			/*
7175 			 * If the switch time is far in the future, then it
7176 			 * could also be the previous switch still being
7177 			 * announced.
7178 			 * We can simply ignore it for now, if it is a future
7179 			 * switch the AP will continue to announce it anyway.
7180 			 */
7181 			if (delay > IEEE80211_ADV_TTLM_ST_UNDERFLOW)
7182 				return;
7183 
7184 			delay_usec = ieee80211_tu_to_usec(delay);
7185 
7186 			/* Link switching can take time, so schedule it
7187 			 * 100ms before to be ready on time
7188 			 */
7189 			if (delay_usec > IEEE80211_ADV_TTLM_SAFETY_BUFFER_MS)
7190 				delay_usec -=
7191 					IEEE80211_ADV_TTLM_SAFETY_BUFFER_MS;
7192 			else
7193 				delay_usec = 0;
7194 
7195 			sdata->u.mgd.ttlm_info = ttlm_info;
7196 			wiphy_hrtimer_work_cancel(sdata->local->hw.wiphy,
7197 						  &sdata->u.mgd.ttlm_work);
7198 			wiphy_hrtimer_work_queue(sdata->local->hw.wiphy,
7199 						 &sdata->u.mgd.ttlm_work,
7200 						 us_to_ktime(delay_usec));
7201 			return;
7202 		}
7203 	}
7204 }
7205 
7206 static void
7207 ieee80211_mgd_check_cross_link_csa(struct ieee80211_sub_if_data *sdata,
7208 				   int reporting_link_id,
7209 				   struct ieee802_11_elems *elems)
7210 {
7211 	const struct element *sta_profiles[IEEE80211_MLD_MAX_NUM_LINKS] = {};
7212 	ssize_t sta_profiles_len[IEEE80211_MLD_MAX_NUM_LINKS] = {};
7213 	const struct element *sub;
7214 	const u8 *subelems;
7215 	size_t subelems_len;
7216 	u8 common_size;
7217 	int link_id;
7218 
7219 	if (!ieee80211_mle_size_ok((u8 *)elems->ml_basic, elems->ml_basic_len))
7220 		return;
7221 
7222 	common_size = ieee80211_mle_common_size((u8 *)elems->ml_basic);
7223 	subelems = (u8 *)elems->ml_basic + common_size;
7224 	subelems_len = elems->ml_basic_len - common_size;
7225 
7226 	for_each_element_id(sub, IEEE80211_MLE_SUBELEM_PER_STA_PROFILE,
7227 			    subelems, subelems_len) {
7228 		struct ieee80211_mle_per_sta_profile *prof = (void *)sub->data;
7229 		struct ieee80211_link_data *link;
7230 		ssize_t len;
7231 
7232 		if (!ieee80211_mle_basic_sta_prof_size_ok(sub->data,
7233 							  sub->datalen))
7234 			continue;
7235 
7236 		link_id = le16_get_bits(prof->control,
7237 					IEEE80211_MLE_STA_CONTROL_LINK_ID);
7238 		/* need a valid link ID, but also not our own, both AP bugs */
7239 		if (link_id == reporting_link_id ||
7240 		    link_id >= IEEE80211_MLD_MAX_NUM_LINKS)
7241 			continue;
7242 
7243 		link = sdata_dereference(sdata->link[link_id], sdata);
7244 		if (!link)
7245 			continue;
7246 
7247 		len = cfg80211_defragment_element(sub, subelems, subelems_len,
7248 						  NULL, 0,
7249 						  IEEE80211_MLE_SUBELEM_FRAGMENT);
7250 		if (WARN_ON(len < 0))
7251 			continue;
7252 
7253 		sta_profiles[link_id] = sub;
7254 		sta_profiles_len[link_id] = len;
7255 	}
7256 
7257 	for (link_id = 0; link_id < IEEE80211_MLD_MAX_NUM_LINKS; link_id++) {
7258 		struct ieee80211_mle_per_sta_profile *prof;
7259 		struct ieee802_11_elems *prof_elems;
7260 		struct ieee80211_link_data *link;
7261 		ssize_t len;
7262 
7263 		if (link_id == reporting_link_id)
7264 			continue;
7265 
7266 		link = sdata_dereference(sdata->link[link_id], sdata);
7267 		if (!link)
7268 			continue;
7269 
7270 		if (!sta_profiles[link_id]) {
7271 			prof_elems = NULL;
7272 			goto handle;
7273 		}
7274 
7275 		/* we can defragment in-place, won't use the buffer again */
7276 		len = cfg80211_defragment_element(sta_profiles[link_id],
7277 						  subelems, subelems_len,
7278 						  (void *)sta_profiles[link_id],
7279 						  sta_profiles_len[link_id],
7280 						  IEEE80211_MLE_SUBELEM_FRAGMENT);
7281 		if (WARN_ON(len != sta_profiles_len[link_id]))
7282 			continue;
7283 
7284 		prof = (void *)sta_profiles[link_id];
7285 		prof_elems = ieee802_11_parse_elems(prof->variable +
7286 						    (prof->sta_info_len - 1),
7287 						    len -
7288 						    (prof->sta_info_len - 1),
7289 						    IEEE80211_FTYPE_MGMT |
7290 						    IEEE80211_STYPE_BEACON,
7291 						    NULL);
7292 
7293 		/* memory allocation failed - let's hope that's transient */
7294 		if (!prof_elems)
7295 			continue;
7296 
7297 handle:
7298 		/*
7299 		 * FIXME: the timings here are obviously incorrect,
7300 		 * but only older Intel drivers seem to care, and
7301 		 * those don't have MLO. If you really need this,
7302 		 * the problem is having to calculate it with the
7303 		 * TSF offset etc. The device_timestamp is still
7304 		 * correct, of course.
7305 		 */
7306 		ieee80211_sta_process_chanswitch(link, 0, 0, elems, prof_elems,
7307 						 IEEE80211_CSA_SOURCE_OTHER_LINK);
7308 		kfree(prof_elems);
7309 	}
7310 }
7311 
7312 static bool ieee80211_mgd_ssid_mismatch(struct ieee80211_sub_if_data *sdata,
7313 					const struct ieee802_11_elems *elems)
7314 {
7315 	struct ieee80211_vif_cfg *cfg = &sdata->vif.cfg;
7316 	static u8 zero_ssid[IEEE80211_MAX_SSID_LEN];
7317 
7318 	if (!elems->ssid)
7319 		return false;
7320 
7321 	/* hidden SSID: zero length */
7322 	if (elems->ssid_len == 0)
7323 		return false;
7324 
7325 	if (elems->ssid_len != cfg->ssid_len)
7326 		return true;
7327 
7328 	/* hidden SSID: zeroed out */
7329 	if (!memcmp(elems->ssid, zero_ssid, elems->ssid_len))
7330 		return false;
7331 
7332 	return memcmp(elems->ssid, cfg->ssid, cfg->ssid_len);
7333 }
7334 
7335 static bool
7336 ieee80211_rx_beacon_freq_valid(struct ieee80211_local *local,
7337 			       struct ieee80211_mgmt *mgmt,
7338 			       struct ieee80211_rx_status *rx_status,
7339 			       struct ieee80211_chanctx_conf *chanctx)
7340 {
7341 	u32 pri_2mhz_khz;
7342 	struct ieee80211_channel *s1g_sibling_1mhz;
7343 	u32 pri_khz = ieee80211_channel_to_khz(chanctx->def.chan);
7344 	u32 rx_khz = ieee80211_rx_status_to_khz(rx_status);
7345 
7346 	if (rx_khz == pri_khz)
7347 		return true;
7348 
7349 	if (!chanctx->def.s1g_primary_2mhz)
7350 		return false;
7351 
7352 	/*
7353 	 * If we have an S1G interface with a 2MHz primary, beacons are
7354 	 * sent on the center frequency of the 2MHz primary. Find the sibling
7355 	 * 1MHz channel and calculate the 2MHz primary center frequency.
7356 	 */
7357 	s1g_sibling_1mhz = cfg80211_s1g_get_primary_sibling(local->hw.wiphy,
7358 							    &chanctx->def);
7359 	if (!s1g_sibling_1mhz)
7360 		return false;
7361 
7362 	pri_2mhz_khz =
7363 		(pri_khz + ieee80211_channel_to_khz(s1g_sibling_1mhz)) / 2;
7364 	return rx_khz == pri_2mhz_khz;
7365 }
7366 
7367 static void ieee80211_rx_mgmt_beacon(struct ieee80211_link_data *link,
7368 				     struct ieee80211_hdr *hdr, size_t len,
7369 				     struct ieee80211_rx_status *rx_status)
7370 {
7371 	struct ieee80211_sub_if_data *sdata = link->sdata;
7372 	struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
7373 	struct ieee80211_bss_conf *bss_conf = link->conf;
7374 	struct ieee80211_vif_cfg *vif_cfg = &sdata->vif.cfg;
7375 	struct ieee80211_mgmt *mgmt = (void *) hdr;
7376 	struct ieee80211_ext *ext = NULL;
7377 	size_t baselen;
7378 	struct ieee802_11_elems *elems;
7379 	struct ieee80211_local *local = sdata->local;
7380 	struct ieee80211_chanctx_conf *chanctx_conf;
7381 	struct ieee80211_supported_band *sband;
7382 	struct ieee80211_channel *chan;
7383 	struct link_sta_info *link_sta;
7384 	struct sta_info *sta;
7385 	u64 changed = 0;
7386 	bool erp_valid;
7387 	u8 erp_value = 0;
7388 	u32 ncrc = 0;
7389 	u8 *bssid, *variable = mgmt->u.beacon.variable;
7390 	u8 deauth_buf[IEEE80211_DEAUTH_FRAME_LEN];
7391 	struct ieee80211_elems_parse_params parse_params = {
7392 		.mode = link->u.mgd.conn.mode,
7393 		.link_id = -1,
7394 		.from_ap = true,
7395 		.type = le16_to_cpu(mgmt->frame_control) & IEEE80211_FCTL_TYPE,
7396 	};
7397 
7398 	lockdep_assert_wiphy(local->hw.wiphy);
7399 
7400 	/* Process beacon from the current BSS */
7401 	bssid = ieee80211_get_bssid(hdr, len, sdata->vif.type);
7402 	if (ieee80211_is_s1g_beacon(mgmt->frame_control)) {
7403 		ext = (void *)mgmt;
7404 		variable = ext->u.s1g_beacon.variable +
7405 			   ieee80211_s1g_optional_len(ext->frame_control);
7406 	}
7407 
7408 	baselen = (u8 *) variable - (u8 *) mgmt;
7409 	if (baselen > len)
7410 		return;
7411 
7412 	parse_params.start = variable;
7413 	parse_params.len = len - baselen;
7414 
7415 	rcu_read_lock();
7416 	chanctx_conf = rcu_dereference(bss_conf->chanctx_conf);
7417 	if (!chanctx_conf) {
7418 		rcu_read_unlock();
7419 		return;
7420 	}
7421 
7422 	if (!ieee80211_rx_beacon_freq_valid(local, mgmt, rx_status,
7423 					    chanctx_conf)) {
7424 		rcu_read_unlock();
7425 		return;
7426 	}
7427 	chan = chanctx_conf->def.chan;
7428 	rcu_read_unlock();
7429 
7430 	if (ifmgd->assoc_data && ifmgd->assoc_data->need_beacon &&
7431 	    !WARN_ON(ieee80211_vif_is_mld(&sdata->vif)) &&
7432 	    ieee80211_rx_our_beacon(bssid, ifmgd->assoc_data->link[0].bss)) {
7433 		parse_params.bss = ifmgd->assoc_data->link[0].bss;
7434 		elems = ieee802_11_parse_elems_full(&parse_params);
7435 		if (!elems)
7436 			return;
7437 
7438 		ieee80211_rx_bss_info(link, mgmt, len, rx_status);
7439 
7440 		if (elems->dtim_period)
7441 			link->u.mgd.dtim_period = elems->dtim_period;
7442 		link->u.mgd.have_beacon = true;
7443 		ifmgd->assoc_data->need_beacon = false;
7444 		if (ieee80211_hw_check(&local->hw, TIMING_BEACON_ONLY) &&
7445 		    !ieee80211_is_s1g_beacon(hdr->frame_control)) {
7446 			bss_conf->sync_tsf =
7447 				le64_to_cpu(mgmt->u.beacon.timestamp);
7448 			bss_conf->sync_device_ts =
7449 				rx_status->device_timestamp;
7450 			bss_conf->sync_dtim_count = elems->dtim_count;
7451 		}
7452 
7453 		if (elems->mbssid_config_ie)
7454 			bss_conf->profile_periodicity =
7455 				elems->mbssid_config_ie->profile_periodicity;
7456 		else
7457 			bss_conf->profile_periodicity = 0;
7458 
7459 		if (elems->ext_capab_len >= 11 &&
7460 		    (elems->ext_capab[10] & WLAN_EXT_CAPA11_EMA_SUPPORT))
7461 			bss_conf->ema_ap = true;
7462 		else
7463 			bss_conf->ema_ap = false;
7464 
7465 		/* continue assoc process */
7466 		ifmgd->assoc_data->timeout = jiffies;
7467 		ifmgd->assoc_data->timeout_started = true;
7468 		run_again(sdata, ifmgd->assoc_data->timeout);
7469 		kfree(elems);
7470 		return;
7471 	}
7472 
7473 	if (!ifmgd->associated ||
7474 	    !ieee80211_rx_our_beacon(bssid, bss_conf->bss))
7475 		return;
7476 	bssid = link->u.mgd.bssid;
7477 
7478 	if (!(rx_status->flag & RX_FLAG_NO_SIGNAL_VAL))
7479 		ieee80211_handle_beacon_sig(link, ifmgd, bss_conf,
7480 					    local, rx_status);
7481 
7482 	if (ifmgd->flags & IEEE80211_STA_CONNECTION_POLL) {
7483 		mlme_dbg_ratelimited(sdata,
7484 				     "cancelling AP probe due to a received beacon\n");
7485 		ieee80211_reset_ap_probe(sdata);
7486 	}
7487 
7488 	/*
7489 	 * Push the beacon loss detection into the future since
7490 	 * we are processing a beacon from the AP just now.
7491 	 */
7492 	ieee80211_sta_reset_beacon_monitor(sdata);
7493 
7494 	/* TODO: CRC urrently not calculated on S1G Beacon Compatibility
7495 	 * element (which carries the beacon interval). Don't forget to add a
7496 	 * bit to care_about_ies[] above if mac80211 is interested in a
7497 	 * changing S1G element.
7498 	 */
7499 	if (!ieee80211_is_s1g_beacon(hdr->frame_control))
7500 		ncrc = crc32_be(0, (void *)&mgmt->u.beacon.beacon_int, 4);
7501 	parse_params.bss = bss_conf->bss;
7502 	parse_params.filter = care_about_ies;
7503 	parse_params.crc = ncrc;
7504 	elems = ieee802_11_parse_elems_full(&parse_params);
7505 	if (!elems)
7506 		return;
7507 
7508 	if (rx_status->flag & RX_FLAG_DECRYPTED &&
7509 	    ieee80211_mgd_ssid_mismatch(sdata, elems)) {
7510 		sdata_info(sdata, "SSID mismatch for AP %pM, disconnect\n",
7511 			   sdata->vif.cfg.ap_addr);
7512 		__ieee80211_disconnect(sdata);
7513 		return;
7514 	}
7515 
7516 	ncrc = elems->crc;
7517 
7518 	if (ieee80211_hw_check(&local->hw, PS_NULLFUNC_STACK) &&
7519 	    ieee80211_check_tim(elems->tim, elems->tim_len, vif_cfg->aid,
7520 				vif_cfg->s1g)) {
7521 		if (local->hw.conf.dynamic_ps_timeout > 0) {
7522 			if (local->hw.conf.flags & IEEE80211_CONF_PS) {
7523 				local->hw.conf.flags &= ~IEEE80211_CONF_PS;
7524 				ieee80211_hw_config(local, -1,
7525 						    IEEE80211_CONF_CHANGE_PS);
7526 			}
7527 			ieee80211_send_nullfunc(local, sdata, false);
7528 		} else if (!local->pspolling && sdata->u.mgd.powersave) {
7529 			local->pspolling = true;
7530 
7531 			/*
7532 			 * Here is assumed that the driver will be
7533 			 * able to send ps-poll frame and receive a
7534 			 * response even though power save mode is
7535 			 * enabled, but some drivers might require
7536 			 * to disable power save here. This needs
7537 			 * to be investigated.
7538 			 */
7539 			ieee80211_send_pspoll(local, sdata);
7540 		}
7541 	}
7542 
7543 	if (sdata->vif.p2p ||
7544 	    sdata->vif.driver_flags & IEEE80211_VIF_GET_NOA_UPDATE) {
7545 		struct ieee80211_p2p_noa_attr noa = {};
7546 		int ret;
7547 
7548 		ret = cfg80211_get_p2p_attr(variable,
7549 					    len - baselen,
7550 					    IEEE80211_P2P_ATTR_ABSENCE_NOTICE,
7551 					    (u8 *) &noa, sizeof(noa));
7552 		if (ret >= 2) {
7553 			if (link->u.mgd.p2p_noa_index != noa.index) {
7554 				/* valid noa_attr and index changed */
7555 				link->u.mgd.p2p_noa_index = noa.index;
7556 				memcpy(&bss_conf->p2p_noa_attr, &noa, sizeof(noa));
7557 				changed |= BSS_CHANGED_P2P_PS;
7558 				/*
7559 				 * make sure we update all information, the CRC
7560 				 * mechanism doesn't look at P2P attributes.
7561 				 */
7562 				link->u.mgd.beacon_crc_valid = false;
7563 			}
7564 		} else if (link->u.mgd.p2p_noa_index != -1) {
7565 			/* noa_attr not found and we had valid noa_attr before */
7566 			link->u.mgd.p2p_noa_index = -1;
7567 			memset(&bss_conf->p2p_noa_attr, 0, sizeof(bss_conf->p2p_noa_attr));
7568 			changed |= BSS_CHANGED_P2P_PS;
7569 			link->u.mgd.beacon_crc_valid = false;
7570 		}
7571 	}
7572 
7573 	/*
7574 	 * Update beacon timing and dtim count on every beacon appearance. This
7575 	 * will allow the driver to use the most updated values. Do it before
7576 	 * comparing this one with last received beacon.
7577 	 * IMPORTANT: These parameters would possibly be out of sync by the time
7578 	 * the driver will use them. The synchronized view is currently
7579 	 * guaranteed only in certain callbacks.
7580 	 */
7581 	if (ieee80211_hw_check(&local->hw, TIMING_BEACON_ONLY) &&
7582 	    !ieee80211_is_s1g_beacon(hdr->frame_control)) {
7583 		bss_conf->sync_tsf =
7584 			le64_to_cpu(mgmt->u.beacon.timestamp);
7585 		bss_conf->sync_device_ts =
7586 			rx_status->device_timestamp;
7587 		bss_conf->sync_dtim_count = elems->dtim_count;
7588 	}
7589 
7590 	if ((ncrc == link->u.mgd.beacon_crc && link->u.mgd.beacon_crc_valid) ||
7591 	    (ext && ieee80211_is_s1g_short_beacon(ext->frame_control,
7592 						  parse_params.start,
7593 						  parse_params.len)))
7594 		goto free;
7595 	link->u.mgd.beacon_crc = ncrc;
7596 	link->u.mgd.beacon_crc_valid = true;
7597 
7598 	ieee80211_rx_bss_info(link, mgmt, len, rx_status);
7599 
7600 	ieee80211_sta_process_chanswitch(link, rx_status->mactime,
7601 					 rx_status->device_timestamp,
7602 					 elems, elems,
7603 					 IEEE80211_CSA_SOURCE_BEACON);
7604 
7605 	/* note that after this elems->ml_basic can no longer be used fully */
7606 	ieee80211_mgd_check_cross_link_csa(sdata, rx_status->link_id, elems);
7607 
7608 	ieee80211_mgd_update_bss_param_ch_cnt(sdata, bss_conf, elems);
7609 
7610 	if (!sdata->u.mgd.epcs.enabled &&
7611 	    !link->u.mgd.disable_wmm_tracking &&
7612 	    ieee80211_sta_wmm_params(local, link, elems->wmm_param,
7613 				     elems->wmm_param_len,
7614 				     elems->mu_edca_param_set))
7615 		changed |= BSS_CHANGED_QOS;
7616 
7617 	/*
7618 	 * If we haven't had a beacon before, tell the driver about the
7619 	 * DTIM period (and beacon timing if desired) now.
7620 	 */
7621 	if (!link->u.mgd.have_beacon) {
7622 		/* a few bogus AP send dtim_period = 0 or no TIM IE */
7623 		bss_conf->dtim_period = elems->dtim_period ?: 1;
7624 
7625 		changed |= BSS_CHANGED_BEACON_INFO;
7626 		link->u.mgd.have_beacon = true;
7627 
7628 		ieee80211_recalc_ps(local);
7629 
7630 		ieee80211_recalc_ps_vif(sdata);
7631 	}
7632 
7633 	if (elems->erp_info) {
7634 		erp_valid = true;
7635 		erp_value = elems->erp_info[0];
7636 	} else {
7637 		erp_valid = false;
7638 	}
7639 
7640 	if (!ieee80211_is_s1g_beacon(hdr->frame_control))
7641 		changed |= ieee80211_handle_bss_capability(link,
7642 				le16_to_cpu(mgmt->u.beacon.capab_info),
7643 				erp_valid, erp_value);
7644 
7645 	sta = sta_info_get(sdata, sdata->vif.cfg.ap_addr);
7646 	if (WARN_ON(!sta)) {
7647 		goto free;
7648 	}
7649 	link_sta = rcu_dereference_protected(sta->link[link->link_id],
7650 					     lockdep_is_held(&local->hw.wiphy->mtx));
7651 	if (WARN_ON(!link_sta)) {
7652 		goto free;
7653 	}
7654 
7655 	if (WARN_ON(!bss_conf->chanreq.oper.chan))
7656 		goto free;
7657 
7658 	sband = local->hw.wiphy->bands[bss_conf->chanreq.oper.chan->band];
7659 
7660 	changed |= ieee80211_recalc_twt_req(sdata, sband, link, link_sta, elems);
7661 
7662 	if (ieee80211_config_bw(link, elems, true, &changed,
7663 				IEEE80211_STYPE_BEACON)) {
7664 		ieee80211_set_disassoc(sdata, IEEE80211_STYPE_DEAUTH,
7665 				       WLAN_REASON_DEAUTH_LEAVING,
7666 				       true, deauth_buf);
7667 		ieee80211_report_disconnect(sdata, deauth_buf,
7668 					    sizeof(deauth_buf), true,
7669 					    WLAN_REASON_DEAUTH_LEAVING,
7670 					    false);
7671 		goto free;
7672 	}
7673 
7674 	if (elems->opmode_notif)
7675 		ieee80211_vht_handle_opmode(sdata, link_sta,
7676 					    *elems->opmode_notif,
7677 					    rx_status->band);
7678 
7679 	changed |= ieee80211_handle_pwr_constr(link, chan, mgmt,
7680 					       elems->country_elem,
7681 					       elems->country_elem_len,
7682 					       elems->pwr_constr_elem,
7683 					       elems->cisco_dtpc_elem);
7684 
7685 	ieee80211_ml_reconfiguration(sdata, elems);
7686 	ieee80211_process_adv_ttlm(sdata, elems,
7687 				      le64_to_cpu(mgmt->u.beacon.timestamp));
7688 
7689 	ieee80211_link_info_change_notify(sdata, link, changed);
7690 free:
7691 	kfree(elems);
7692 }
7693 
7694 static void ieee80211_apply_neg_ttlm(struct ieee80211_sub_if_data *sdata,
7695 				     struct ieee80211_neg_ttlm neg_ttlm)
7696 {
7697 	u16 new_active_links, new_dormant_links, new_suspended_links, map = 0;
7698 	u8 i;
7699 
7700 	for (i = 0; i < IEEE80211_TTLM_NUM_TIDS; i++)
7701 		map |= neg_ttlm.downlink[i] | neg_ttlm.uplink[i];
7702 
7703 	/* If there is an active TTLM, unset previously suspended links */
7704 	if (sdata->vif.neg_ttlm.valid)
7705 		sdata->vif.dormant_links &= ~sdata->vif.suspended_links;
7706 
7707 	/* exclude links that are already disabled by advertised TTLM */
7708 	new_active_links =
7709 		map & sdata->vif.valid_links & ~sdata->vif.dormant_links;
7710 	new_suspended_links =
7711 		(~map & sdata->vif.valid_links) & ~sdata->vif.dormant_links;
7712 	new_dormant_links = sdata->vif.dormant_links | new_suspended_links;
7713 	if (ieee80211_ttlm_set_links(sdata, new_active_links,
7714 				     new_dormant_links, new_suspended_links))
7715 		return;
7716 
7717 	sdata->vif.neg_ttlm = neg_ttlm;
7718 	sdata->vif.neg_ttlm.valid = true;
7719 }
7720 
7721 static void ieee80211_neg_ttlm_timeout_work(struct wiphy *wiphy,
7722 					    struct wiphy_work *work)
7723 {
7724 	struct ieee80211_sub_if_data *sdata =
7725 		container_of(work, struct ieee80211_sub_if_data,
7726 			     u.mgd.neg_ttlm_timeout_work.work);
7727 
7728 	sdata_info(sdata,
7729 		   "No negotiated TTLM response from AP, disconnecting.\n");
7730 
7731 	__ieee80211_disconnect(sdata);
7732 }
7733 
7734 static void
7735 ieee80211_neg_ttlm_add_suggested_map(struct sk_buff *skb,
7736 				     struct ieee80211_neg_ttlm *neg_ttlm)
7737 {
7738 	u8 i, direction[IEEE80211_TTLM_MAX_CNT];
7739 
7740 	if (memcmp(neg_ttlm->downlink, neg_ttlm->uplink,
7741 		   sizeof(neg_ttlm->downlink))) {
7742 		direction[0] = IEEE80211_TTLM_DIRECTION_DOWN;
7743 		direction[1] = IEEE80211_TTLM_DIRECTION_UP;
7744 	} else {
7745 		direction[0] = IEEE80211_TTLM_DIRECTION_BOTH;
7746 	}
7747 
7748 	for (i = 0; i < ARRAY_SIZE(direction); i++) {
7749 		u8 tid, len, map_ind = 0, *len_pos, *map_ind_pos, *pos;
7750 		__le16 map;
7751 
7752 		len = sizeof(struct ieee80211_ttlm_elem) + 1 + 1;
7753 
7754 		pos = skb_put(skb, len + 2);
7755 		*pos++ = WLAN_EID_EXTENSION;
7756 		len_pos = pos++;
7757 		*pos++ = WLAN_EID_EXT_TID_TO_LINK_MAPPING;
7758 		*pos++ = direction[i];
7759 		map_ind_pos = pos++;
7760 		for (tid = 0; tid < IEEE80211_TTLM_NUM_TIDS; tid++) {
7761 			map = direction[i] == IEEE80211_TTLM_DIRECTION_UP ?
7762 				cpu_to_le16(neg_ttlm->uplink[tid]) :
7763 				cpu_to_le16(neg_ttlm->downlink[tid]);
7764 			if (!map)
7765 				continue;
7766 
7767 			len += 2;
7768 			map_ind |= BIT(tid);
7769 			skb_put_data(skb, &map, sizeof(map));
7770 		}
7771 
7772 		*map_ind_pos = map_ind;
7773 		*len_pos = len;
7774 
7775 		if (direction[i] == IEEE80211_TTLM_DIRECTION_BOTH)
7776 			break;
7777 	}
7778 }
7779 
7780 static void
7781 ieee80211_send_neg_ttlm_req(struct ieee80211_sub_if_data *sdata,
7782 			    struct ieee80211_neg_ttlm *neg_ttlm,
7783 			    u8 dialog_token)
7784 {
7785 	struct ieee80211_local *local = sdata->local;
7786 	struct ieee80211_mgmt *mgmt;
7787 	struct sk_buff *skb;
7788 	int hdr_len = offsetofend(struct ieee80211_mgmt, u.action.u.ttlm_req);
7789 	int ttlm_max_len = 2 + 1 + sizeof(struct ieee80211_ttlm_elem) + 1 +
7790 		2 * 2 * IEEE80211_TTLM_NUM_TIDS;
7791 
7792 	skb = dev_alloc_skb(local->tx_headroom + hdr_len + ttlm_max_len);
7793 	if (!skb)
7794 		return;
7795 
7796 	skb_reserve(skb, local->tx_headroom);
7797 	mgmt = skb_put_zero(skb, hdr_len);
7798 	mgmt->frame_control = cpu_to_le16(IEEE80211_FTYPE_MGMT |
7799 					  IEEE80211_STYPE_ACTION);
7800 	memcpy(mgmt->da, sdata->vif.cfg.ap_addr, ETH_ALEN);
7801 	memcpy(mgmt->sa, sdata->vif.addr, ETH_ALEN);
7802 	memcpy(mgmt->bssid, sdata->vif.cfg.ap_addr, ETH_ALEN);
7803 
7804 	mgmt->u.action.category = WLAN_CATEGORY_PROTECTED_EHT;
7805 	mgmt->u.action.u.ttlm_req.action_code =
7806 		WLAN_PROTECTED_EHT_ACTION_TTLM_REQ;
7807 	mgmt->u.action.u.ttlm_req.dialog_token = dialog_token;
7808 	ieee80211_neg_ttlm_add_suggested_map(skb, neg_ttlm);
7809 	ieee80211_tx_skb(sdata, skb);
7810 }
7811 
7812 int ieee80211_req_neg_ttlm(struct ieee80211_sub_if_data *sdata,
7813 			   struct cfg80211_ttlm_params *params)
7814 {
7815 	struct ieee80211_neg_ttlm neg_ttlm = {};
7816 	u8 i;
7817 
7818 	if (!ieee80211_vif_is_mld(&sdata->vif) ||
7819 	    !(sdata->vif.cfg.mld_capa_op &
7820 	      IEEE80211_MLD_CAP_OP_TID_TO_LINK_MAP_NEG_SUPP))
7821 		return -EINVAL;
7822 
7823 	for (i = 0; i < IEEE80211_TTLM_NUM_TIDS; i++) {
7824 		if ((params->dlink[i] & ~sdata->vif.valid_links) ||
7825 		    (params->ulink[i] & ~sdata->vif.valid_links))
7826 			return -EINVAL;
7827 
7828 		neg_ttlm.downlink[i] = params->dlink[i];
7829 		neg_ttlm.uplink[i] = params->ulink[i];
7830 	}
7831 
7832 	if (drv_can_neg_ttlm(sdata->local, sdata, &neg_ttlm) !=
7833 	    NEG_TTLM_RES_ACCEPT)
7834 		return -EINVAL;
7835 
7836 	ieee80211_apply_neg_ttlm(sdata, neg_ttlm);
7837 	sdata->u.mgd.dialog_token_alloc++;
7838 	ieee80211_send_neg_ttlm_req(sdata, &sdata->vif.neg_ttlm,
7839 				    sdata->u.mgd.dialog_token_alloc);
7840 	wiphy_delayed_work_cancel(sdata->local->hw.wiphy,
7841 				  &sdata->u.mgd.neg_ttlm_timeout_work);
7842 	wiphy_delayed_work_queue(sdata->local->hw.wiphy,
7843 				 &sdata->u.mgd.neg_ttlm_timeout_work,
7844 				 IEEE80211_NEG_TTLM_REQ_TIMEOUT);
7845 	return 0;
7846 }
7847 
7848 static void
7849 ieee80211_send_neg_ttlm_res(struct ieee80211_sub_if_data *sdata,
7850 			    enum ieee80211_neg_ttlm_res ttlm_res,
7851 			    u8 dialog_token,
7852 			    struct ieee80211_neg_ttlm *neg_ttlm)
7853 {
7854 	struct ieee80211_local *local = sdata->local;
7855 	struct ieee80211_mgmt *mgmt;
7856 	struct sk_buff *skb;
7857 	int hdr_len = offsetofend(struct ieee80211_mgmt, u.action.u.ttlm_res);
7858 	int ttlm_max_len = 2 + 1 + sizeof(struct ieee80211_ttlm_elem) + 1 +
7859 		2 * 2 * IEEE80211_TTLM_NUM_TIDS;
7860 	u16 status_code;
7861 
7862 	skb = dev_alloc_skb(local->tx_headroom + hdr_len + ttlm_max_len);
7863 	if (!skb)
7864 		return;
7865 
7866 	skb_reserve(skb, local->tx_headroom);
7867 	mgmt = skb_put_zero(skb, hdr_len);
7868 	mgmt->frame_control = cpu_to_le16(IEEE80211_FTYPE_MGMT |
7869 					  IEEE80211_STYPE_ACTION);
7870 	memcpy(mgmt->da, sdata->vif.cfg.ap_addr, ETH_ALEN);
7871 	memcpy(mgmt->sa, sdata->vif.addr, ETH_ALEN);
7872 	memcpy(mgmt->bssid, sdata->vif.cfg.ap_addr, ETH_ALEN);
7873 
7874 	mgmt->u.action.category = WLAN_CATEGORY_PROTECTED_EHT;
7875 	mgmt->u.action.u.ttlm_res.action_code =
7876 		WLAN_PROTECTED_EHT_ACTION_TTLM_RES;
7877 	mgmt->u.action.u.ttlm_res.dialog_token = dialog_token;
7878 	switch (ttlm_res) {
7879 	default:
7880 		WARN_ON(1);
7881 		fallthrough;
7882 	case NEG_TTLM_RES_REJECT:
7883 		status_code = WLAN_STATUS_DENIED_TID_TO_LINK_MAPPING;
7884 		break;
7885 	case NEG_TTLM_RES_ACCEPT:
7886 		status_code = WLAN_STATUS_SUCCESS;
7887 		break;
7888 	case NEG_TTLM_RES_SUGGEST_PREFERRED:
7889 		status_code = WLAN_STATUS_PREF_TID_TO_LINK_MAPPING_SUGGESTED;
7890 		ieee80211_neg_ttlm_add_suggested_map(skb, neg_ttlm);
7891 		break;
7892 	}
7893 
7894 	mgmt->u.action.u.ttlm_res.status_code = cpu_to_le16(status_code);
7895 	ieee80211_tx_skb(sdata, skb);
7896 }
7897 
7898 static int
7899 ieee80211_parse_neg_ttlm(struct ieee80211_sub_if_data *sdata,
7900 			 const struct ieee80211_ttlm_elem *ttlm,
7901 			 struct ieee80211_neg_ttlm *neg_ttlm,
7902 			 u8 *direction)
7903 {
7904 	u8 control, link_map_presence, map_size, tid;
7905 	u8 *pos;
7906 
7907 	/* The element size was already validated in
7908 	 * ieee80211_tid_to_link_map_size_ok()
7909 	 */
7910 	pos = (void *)ttlm->optional;
7911 
7912 	control = ttlm->control;
7913 
7914 	/* mapping switch time and expected duration fields are not expected
7915 	 * in case of negotiated TTLM
7916 	 */
7917 	if (control & (IEEE80211_TTLM_CONTROL_SWITCH_TIME_PRESENT |
7918 		       IEEE80211_TTLM_CONTROL_EXPECTED_DUR_PRESENT)) {
7919 		mlme_dbg(sdata,
7920 			 "Invalid TTLM element in negotiated TTLM request\n");
7921 		return -EINVAL;
7922 	}
7923 
7924 	if (control & IEEE80211_TTLM_CONTROL_DEF_LINK_MAP) {
7925 		for (tid = 0; tid < IEEE80211_TTLM_NUM_TIDS; tid++) {
7926 			neg_ttlm->downlink[tid] = sdata->vif.valid_links;
7927 			neg_ttlm->uplink[tid] = sdata->vif.valid_links;
7928 		}
7929 		*direction = IEEE80211_TTLM_DIRECTION_BOTH;
7930 		return 0;
7931 	}
7932 
7933 	*direction = u8_get_bits(control, IEEE80211_TTLM_CONTROL_DIRECTION);
7934 	if (*direction != IEEE80211_TTLM_DIRECTION_DOWN &&
7935 	    *direction != IEEE80211_TTLM_DIRECTION_UP &&
7936 	    *direction != IEEE80211_TTLM_DIRECTION_BOTH)
7937 		return -EINVAL;
7938 
7939 	link_map_presence = *pos;
7940 	pos++;
7941 
7942 	if (control & IEEE80211_TTLM_CONTROL_LINK_MAP_SIZE)
7943 		map_size = 1;
7944 	else
7945 		map_size = 2;
7946 
7947 	for (tid = 0; tid < IEEE80211_TTLM_NUM_TIDS; tid++) {
7948 		u16 map;
7949 
7950 		if (link_map_presence & BIT(tid)) {
7951 			map = ieee80211_get_ttlm(map_size, pos);
7952 			if (!map) {
7953 				mlme_dbg(sdata,
7954 					 "No active links for TID %d", tid);
7955 				return -EINVAL;
7956 			}
7957 		} else {
7958 			map = 0;
7959 		}
7960 
7961 		switch (*direction) {
7962 		case IEEE80211_TTLM_DIRECTION_BOTH:
7963 			neg_ttlm->downlink[tid] = map;
7964 			neg_ttlm->uplink[tid] = map;
7965 			break;
7966 		case IEEE80211_TTLM_DIRECTION_DOWN:
7967 			neg_ttlm->downlink[tid] = map;
7968 			break;
7969 		case IEEE80211_TTLM_DIRECTION_UP:
7970 			neg_ttlm->uplink[tid] = map;
7971 			break;
7972 		default:
7973 			return -EINVAL;
7974 		}
7975 		pos += map_size;
7976 	}
7977 	return 0;
7978 }
7979 
7980 void ieee80211_process_neg_ttlm_req(struct ieee80211_sub_if_data *sdata,
7981 				    struct ieee80211_mgmt *mgmt, size_t len)
7982 {
7983 	u8 dialog_token, direction[IEEE80211_TTLM_MAX_CNT] = {}, i;
7984 	size_t ies_len;
7985 	enum ieee80211_neg_ttlm_res ttlm_res = NEG_TTLM_RES_ACCEPT;
7986 	struct ieee802_11_elems *elems = NULL;
7987 	struct ieee80211_neg_ttlm neg_ttlm = {};
7988 
7989 	BUILD_BUG_ON(ARRAY_SIZE(direction) != ARRAY_SIZE(elems->ttlm));
7990 
7991 	if (!ieee80211_vif_is_mld(&sdata->vif))
7992 		return;
7993 
7994 	dialog_token = mgmt->u.action.u.ttlm_req.dialog_token;
7995 	ies_len  = len - offsetof(struct ieee80211_mgmt,
7996 				  u.action.u.ttlm_req.variable);
7997 	elems = ieee802_11_parse_elems(mgmt->u.action.u.ttlm_req.variable,
7998 				       ies_len,
7999 				       IEEE80211_FTYPE_MGMT |
8000 				       IEEE80211_STYPE_ACTION,
8001 				       NULL);
8002 	if (!elems) {
8003 		ttlm_res = NEG_TTLM_RES_REJECT;
8004 		goto out;
8005 	}
8006 
8007 	for (i = 0; i < elems->ttlm_num; i++) {
8008 		if (ieee80211_parse_neg_ttlm(sdata, elems->ttlm[i],
8009 					     &neg_ttlm, &direction[i]) ||
8010 		    (direction[i] == IEEE80211_TTLM_DIRECTION_BOTH &&
8011 		     elems->ttlm_num != 1)) {
8012 			ttlm_res = NEG_TTLM_RES_REJECT;
8013 			goto out;
8014 		}
8015 	}
8016 
8017 	if (!elems->ttlm_num ||
8018 	    (elems->ttlm_num == 2 && direction[0] == direction[1])) {
8019 		ttlm_res = NEG_TTLM_RES_REJECT;
8020 		goto out;
8021 	}
8022 
8023 	for (i = 0; i < IEEE80211_TTLM_NUM_TIDS; i++) {
8024 		if ((neg_ttlm.downlink[i] &&
8025 		     (neg_ttlm.downlink[i] & ~sdata->vif.valid_links)) ||
8026 		    (neg_ttlm.uplink[i] &&
8027 		     (neg_ttlm.uplink[i] & ~sdata->vif.valid_links))) {
8028 			ttlm_res = NEG_TTLM_RES_REJECT;
8029 			goto out;
8030 		}
8031 	}
8032 
8033 	ttlm_res = drv_can_neg_ttlm(sdata->local, sdata, &neg_ttlm);
8034 
8035 	if (ttlm_res != NEG_TTLM_RES_ACCEPT)
8036 		goto out;
8037 
8038 	ieee80211_apply_neg_ttlm(sdata, neg_ttlm);
8039 out:
8040 	kfree(elems);
8041 	ieee80211_send_neg_ttlm_res(sdata, ttlm_res, dialog_token, &neg_ttlm);
8042 }
8043 
8044 void ieee80211_process_neg_ttlm_res(struct ieee80211_sub_if_data *sdata,
8045 				    struct ieee80211_mgmt *mgmt, size_t len)
8046 {
8047 	if (!ieee80211_vif_is_mld(&sdata->vif) ||
8048 	    mgmt->u.action.u.ttlm_req.dialog_token !=
8049 	    sdata->u.mgd.dialog_token_alloc)
8050 		return;
8051 
8052 	wiphy_delayed_work_cancel(sdata->local->hw.wiphy,
8053 				  &sdata->u.mgd.neg_ttlm_timeout_work);
8054 
8055 	/* MLD station sends a TID to link mapping request, mainly to handle
8056 	 * BTM (BSS transition management) request, in which case it needs to
8057 	 * restrict the active links set.
8058 	 * In this case it's not expected that the MLD AP will reject the
8059 	 * negotiated TTLM request.
8060 	 * This can be better implemented in the future, to handle request
8061 	 * rejections.
8062 	 */
8063 	if (le16_to_cpu(mgmt->u.action.u.ttlm_res.status_code) != WLAN_STATUS_SUCCESS)
8064 		__ieee80211_disconnect(sdata);
8065 }
8066 
8067 void ieee80211_process_ttlm_teardown(struct ieee80211_sub_if_data *sdata)
8068 {
8069 	u16 new_dormant_links;
8070 
8071 	if (!sdata->vif.neg_ttlm.valid)
8072 		return;
8073 
8074 	memset(&sdata->vif.neg_ttlm, 0, sizeof(sdata->vif.neg_ttlm));
8075 	new_dormant_links =
8076 		sdata->vif.dormant_links & ~sdata->vif.suspended_links;
8077 	sdata->vif.suspended_links = 0;
8078 	ieee80211_vif_set_links(sdata, sdata->vif.valid_links,
8079 				new_dormant_links);
8080 	ieee80211_vif_cfg_change_notify(sdata, BSS_CHANGED_MLD_TTLM |
8081 					       BSS_CHANGED_MLD_VALID_LINKS);
8082 }
8083 
8084 static void ieee80211_teardown_ttlm_work(struct wiphy *wiphy,
8085 					 struct wiphy_work *work)
8086 {
8087 	struct ieee80211_sub_if_data *sdata =
8088 		container_of(work, struct ieee80211_sub_if_data,
8089 			     u.mgd.teardown_ttlm_work);
8090 
8091 	ieee80211_process_ttlm_teardown(sdata);
8092 }
8093 
8094 void ieee80211_send_teardown_neg_ttlm(struct ieee80211_vif *vif)
8095 {
8096 	struct ieee80211_sub_if_data *sdata = vif_to_sdata(vif);
8097 	struct ieee80211_local *local = sdata->local;
8098 	struct ieee80211_mgmt *mgmt;
8099 	struct sk_buff *skb;
8100 	int frame_len = offsetofend(struct ieee80211_mgmt,
8101 				  u.action.u.ttlm_tear_down);
8102 	struct ieee80211_tx_info *info;
8103 
8104 	skb = dev_alloc_skb(local->hw.extra_tx_headroom + frame_len);
8105 	if (!skb)
8106 		return;
8107 
8108 	skb_reserve(skb, local->hw.extra_tx_headroom);
8109 	mgmt = skb_put_zero(skb, frame_len);
8110 	mgmt->frame_control = cpu_to_le16(IEEE80211_FTYPE_MGMT |
8111 					  IEEE80211_STYPE_ACTION);
8112 	memcpy(mgmt->da, sdata->vif.cfg.ap_addr, ETH_ALEN);
8113 	memcpy(mgmt->sa, sdata->vif.addr, ETH_ALEN);
8114 	memcpy(mgmt->bssid, sdata->vif.cfg.ap_addr, ETH_ALEN);
8115 
8116 	mgmt->u.action.category = WLAN_CATEGORY_PROTECTED_EHT;
8117 	mgmt->u.action.u.ttlm_tear_down.action_code =
8118 		WLAN_PROTECTED_EHT_ACTION_TTLM_TEARDOWN;
8119 
8120 	info = IEEE80211_SKB_CB(skb);
8121 	info->flags |= IEEE80211_TX_CTL_REQ_TX_STATUS;
8122 	info->status_data = IEEE80211_STATUS_TYPE_NEG_TTLM;
8123 	ieee80211_tx_skb(sdata, skb);
8124 }
8125 EXPORT_SYMBOL(ieee80211_send_teardown_neg_ttlm);
8126 
8127 void ieee80211_sta_rx_queued_ext(struct ieee80211_sub_if_data *sdata,
8128 				 struct sk_buff *skb)
8129 {
8130 	struct ieee80211_link_data *link = &sdata->deflink;
8131 	struct ieee80211_rx_status *rx_status;
8132 	struct ieee80211_hdr *hdr;
8133 	u16 fc;
8134 
8135 	lockdep_assert_wiphy(sdata->local->hw.wiphy);
8136 
8137 	rx_status = (struct ieee80211_rx_status *) skb->cb;
8138 	hdr = (struct ieee80211_hdr *) skb->data;
8139 	fc = le16_to_cpu(hdr->frame_control);
8140 
8141 	switch (fc & IEEE80211_FCTL_STYPE) {
8142 	case IEEE80211_STYPE_S1G_BEACON:
8143 		ieee80211_rx_mgmt_beacon(link, hdr, skb->len, rx_status);
8144 		break;
8145 	}
8146 }
8147 
8148 void ieee80211_sta_rx_queued_mgmt(struct ieee80211_sub_if_data *sdata,
8149 				  struct sk_buff *skb)
8150 {
8151 	struct ieee80211_link_data *link = &sdata->deflink;
8152 	struct ieee80211_rx_status *rx_status;
8153 	struct ieee802_11_elems *elems;
8154 	struct ieee80211_mgmt *mgmt;
8155 	u16 fc;
8156 	int ies_len;
8157 
8158 	lockdep_assert_wiphy(sdata->local->hw.wiphy);
8159 
8160 	rx_status = (struct ieee80211_rx_status *) skb->cb;
8161 	mgmt = (struct ieee80211_mgmt *) skb->data;
8162 	fc = le16_to_cpu(mgmt->frame_control);
8163 
8164 	if (rx_status->link_valid) {
8165 		link = sdata_dereference(sdata->link[rx_status->link_id],
8166 					 sdata);
8167 		if (!link)
8168 			return;
8169 	}
8170 
8171 	switch (fc & IEEE80211_FCTL_STYPE) {
8172 	case IEEE80211_STYPE_BEACON:
8173 		ieee80211_rx_mgmt_beacon(link, (void *)mgmt,
8174 					 skb->len, rx_status);
8175 		break;
8176 	case IEEE80211_STYPE_PROBE_RESP:
8177 		ieee80211_rx_mgmt_probe_resp(link, skb);
8178 		break;
8179 	case IEEE80211_STYPE_AUTH:
8180 		ieee80211_rx_mgmt_auth(sdata, mgmt, skb->len);
8181 		break;
8182 	case IEEE80211_STYPE_DEAUTH:
8183 		ieee80211_rx_mgmt_deauth(sdata, mgmt, skb->len);
8184 		break;
8185 	case IEEE80211_STYPE_DISASSOC:
8186 		ieee80211_rx_mgmt_disassoc(sdata, mgmt, skb->len);
8187 		break;
8188 	case IEEE80211_STYPE_ASSOC_RESP:
8189 	case IEEE80211_STYPE_REASSOC_RESP:
8190 		ieee80211_rx_mgmt_assoc_resp(sdata, mgmt, skb->len);
8191 		break;
8192 	case IEEE80211_STYPE_ACTION:
8193 		if (!sdata->u.mgd.associated ||
8194 		    !ether_addr_equal(mgmt->bssid, sdata->vif.cfg.ap_addr))
8195 			break;
8196 
8197 		switch (mgmt->u.action.category) {
8198 		case WLAN_CATEGORY_SPECTRUM_MGMT:
8199 			ies_len = skb->len -
8200 				  offsetof(struct ieee80211_mgmt,
8201 					   u.action.u.chan_switch.variable);
8202 
8203 			if (ies_len < 0)
8204 				break;
8205 
8206 			/* CSA IE cannot be overridden, no need for BSSID */
8207 			elems = ieee802_11_parse_elems(mgmt->u.action.u.chan_switch.variable,
8208 						       ies_len,
8209 						       IEEE80211_FTYPE_MGMT |
8210 						       IEEE80211_STYPE_ACTION,
8211 						       NULL);
8212 
8213 			if (elems && !elems->parse_error) {
8214 				enum ieee80211_csa_source src =
8215 					IEEE80211_CSA_SOURCE_PROT_ACTION;
8216 
8217 				ieee80211_sta_process_chanswitch(link,
8218 								 rx_status->mactime,
8219 								 rx_status->device_timestamp,
8220 								 elems, elems,
8221 								 src);
8222 			}
8223 			kfree(elems);
8224 			break;
8225 		case WLAN_CATEGORY_PUBLIC:
8226 		case WLAN_CATEGORY_PROTECTED_DUAL_OF_ACTION:
8227 			ies_len = skb->len -
8228 				  offsetof(struct ieee80211_mgmt,
8229 					   u.action.u.ext_chan_switch.variable);
8230 
8231 			if (ies_len < 0)
8232 				break;
8233 
8234 			/*
8235 			 * extended CSA IE can't be overridden, no need for
8236 			 * BSSID
8237 			 */
8238 			elems = ieee802_11_parse_elems(mgmt->u.action.u.ext_chan_switch.variable,
8239 						       ies_len,
8240 						       IEEE80211_FTYPE_MGMT |
8241 						       IEEE80211_STYPE_ACTION,
8242 						       NULL);
8243 
8244 			if (elems && !elems->parse_error) {
8245 				enum ieee80211_csa_source src;
8246 
8247 				if (mgmt->u.action.category ==
8248 						WLAN_CATEGORY_PROTECTED_DUAL_OF_ACTION)
8249 					src = IEEE80211_CSA_SOURCE_PROT_ACTION;
8250 				else
8251 					src = IEEE80211_CSA_SOURCE_UNPROT_ACTION;
8252 
8253 				/* for the handling code pretend it was an IE */
8254 				elems->ext_chansw_ie =
8255 					&mgmt->u.action.u.ext_chan_switch.data;
8256 
8257 				ieee80211_sta_process_chanswitch(link,
8258 								 rx_status->mactime,
8259 								 rx_status->device_timestamp,
8260 								 elems, elems,
8261 								 src);
8262 			}
8263 
8264 			kfree(elems);
8265 			break;
8266 		}
8267 		break;
8268 	}
8269 }
8270 
8271 static void ieee80211_sta_timer(struct timer_list *t)
8272 {
8273 	struct ieee80211_sub_if_data *sdata =
8274 		timer_container_of(sdata, t, u.mgd.timer);
8275 
8276 	wiphy_work_queue(sdata->local->hw.wiphy, &sdata->work);
8277 }
8278 
8279 void ieee80211_sta_connection_lost(struct ieee80211_sub_if_data *sdata,
8280 				   u8 reason, bool tx)
8281 {
8282 	u8 frame_buf[IEEE80211_DEAUTH_FRAME_LEN];
8283 
8284 	ieee80211_set_disassoc(sdata, IEEE80211_STYPE_DEAUTH, reason,
8285 			       tx, frame_buf);
8286 
8287 	ieee80211_report_disconnect(sdata, frame_buf, sizeof(frame_buf), true,
8288 				    reason, false);
8289 }
8290 
8291 static int ieee80211_auth(struct ieee80211_sub_if_data *sdata)
8292 {
8293 	struct ieee80211_local *local = sdata->local;
8294 	struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
8295 	struct ieee80211_mgd_auth_data *auth_data = ifmgd->auth_data;
8296 	u32 tx_flags = 0;
8297 	u16 trans = 1;
8298 	u16 status = 0;
8299 	struct ieee80211_prep_tx_info info = {
8300 		.subtype = IEEE80211_STYPE_AUTH,
8301 	};
8302 
8303 	lockdep_assert_wiphy(sdata->local->hw.wiphy);
8304 
8305 	if (WARN_ON_ONCE(!auth_data))
8306 		return -EINVAL;
8307 
8308 	auth_data->tries++;
8309 
8310 	if (auth_data->tries > IEEE80211_AUTH_MAX_TRIES) {
8311 		sdata_info(sdata, "authentication with %pM timed out\n",
8312 			   auth_data->ap_addr);
8313 
8314 		/*
8315 		 * Most likely AP is not in the range so remove the
8316 		 * bss struct for that AP.
8317 		 */
8318 		cfg80211_unlink_bss(local->hw.wiphy, auth_data->bss);
8319 
8320 		return -ETIMEDOUT;
8321 	}
8322 
8323 	if (auth_data->algorithm == WLAN_AUTH_SAE)
8324 		info.duration = jiffies_to_msecs(IEEE80211_AUTH_TIMEOUT_SAE);
8325 
8326 	info.link_id = auth_data->link_id;
8327 	drv_mgd_prepare_tx(local, sdata, &info);
8328 
8329 	sdata_info(sdata, "send auth to %pM (try %d/%d)\n",
8330 		   auth_data->ap_addr, auth_data->tries,
8331 		   IEEE80211_AUTH_MAX_TRIES);
8332 
8333 	auth_data->expected_transaction = 2;
8334 
8335 	if (auth_data->algorithm == WLAN_AUTH_SAE) {
8336 		trans = auth_data->sae_trans;
8337 		status = auth_data->sae_status;
8338 		auth_data->expected_transaction = trans;
8339 	}
8340 
8341 	if (ieee80211_hw_check(&local->hw, REPORTS_TX_ACK_STATUS))
8342 		tx_flags = IEEE80211_TX_CTL_REQ_TX_STATUS |
8343 			   IEEE80211_TX_INTFL_MLME_CONN_TX;
8344 
8345 	ieee80211_send_auth(sdata, trans, auth_data->algorithm, status,
8346 			    auth_data->data, auth_data->data_len,
8347 			    auth_data->ap_addr, auth_data->ap_addr,
8348 			    NULL, 0, 0, tx_flags);
8349 
8350 	if (tx_flags == 0) {
8351 		if (auth_data->algorithm == WLAN_AUTH_SAE)
8352 			auth_data->timeout = jiffies +
8353 				IEEE80211_AUTH_TIMEOUT_SAE;
8354 		else
8355 			auth_data->timeout = jiffies + IEEE80211_AUTH_TIMEOUT;
8356 	} else {
8357 		auth_data->timeout =
8358 			round_jiffies_up(jiffies + IEEE80211_AUTH_TIMEOUT_LONG);
8359 	}
8360 
8361 	auth_data->timeout_started = true;
8362 	run_again(sdata, auth_data->timeout);
8363 
8364 	return 0;
8365 }
8366 
8367 static int ieee80211_do_assoc(struct ieee80211_sub_if_data *sdata)
8368 {
8369 	struct ieee80211_mgd_assoc_data *assoc_data = sdata->u.mgd.assoc_data;
8370 	struct ieee80211_local *local = sdata->local;
8371 	int ret;
8372 
8373 	lockdep_assert_wiphy(sdata->local->hw.wiphy);
8374 
8375 	assoc_data->tries++;
8376 	assoc_data->comeback = false;
8377 	if (assoc_data->tries > IEEE80211_ASSOC_MAX_TRIES) {
8378 		sdata_info(sdata, "association with %pM timed out\n",
8379 			   assoc_data->ap_addr);
8380 
8381 		/*
8382 		 * Most likely AP is not in the range so remove the
8383 		 * bss struct for that AP.
8384 		 */
8385 		cfg80211_unlink_bss(local->hw.wiphy,
8386 				    assoc_data->link[assoc_data->assoc_link_id].bss);
8387 
8388 		return -ETIMEDOUT;
8389 	}
8390 
8391 	sdata_info(sdata, "associate with %pM (try %d/%d)\n",
8392 		   assoc_data->ap_addr, assoc_data->tries,
8393 		   IEEE80211_ASSOC_MAX_TRIES);
8394 	ret = ieee80211_send_assoc(sdata);
8395 	if (ret)
8396 		return ret;
8397 
8398 	if (!ieee80211_hw_check(&local->hw, REPORTS_TX_ACK_STATUS)) {
8399 		assoc_data->timeout = jiffies + IEEE80211_ASSOC_TIMEOUT;
8400 		assoc_data->timeout_started = true;
8401 		run_again(sdata, assoc_data->timeout);
8402 	} else {
8403 		assoc_data->timeout =
8404 			round_jiffies_up(jiffies +
8405 					 IEEE80211_ASSOC_TIMEOUT_LONG);
8406 		assoc_data->timeout_started = true;
8407 		run_again(sdata, assoc_data->timeout);
8408 	}
8409 
8410 	return 0;
8411 }
8412 
8413 void ieee80211_mgd_conn_tx_status(struct ieee80211_sub_if_data *sdata,
8414 				  __le16 fc, bool acked)
8415 {
8416 	struct ieee80211_local *local = sdata->local;
8417 
8418 	sdata->u.mgd.status_fc = fc;
8419 	sdata->u.mgd.status_acked = acked;
8420 	sdata->u.mgd.status_received = true;
8421 
8422 	wiphy_work_queue(local->hw.wiphy, &sdata->work);
8423 }
8424 
8425 void ieee80211_sta_work(struct ieee80211_sub_if_data *sdata)
8426 {
8427 	struct ieee80211_local *local = sdata->local;
8428 	struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
8429 
8430 	lockdep_assert_wiphy(sdata->local->hw.wiphy);
8431 
8432 	if (ifmgd->status_received) {
8433 		__le16 fc = ifmgd->status_fc;
8434 		bool status_acked = ifmgd->status_acked;
8435 
8436 		ifmgd->status_received = false;
8437 		if (ifmgd->auth_data && ieee80211_is_auth(fc)) {
8438 			if (status_acked) {
8439 				if (ifmgd->auth_data->algorithm ==
8440 				    WLAN_AUTH_SAE)
8441 					ifmgd->auth_data->timeout =
8442 						jiffies +
8443 						IEEE80211_AUTH_TIMEOUT_SAE;
8444 				else
8445 					ifmgd->auth_data->timeout =
8446 						jiffies +
8447 						IEEE80211_AUTH_TIMEOUT_SHORT;
8448 				run_again(sdata, ifmgd->auth_data->timeout);
8449 			} else {
8450 				ifmgd->auth_data->timeout = jiffies - 1;
8451 			}
8452 			ifmgd->auth_data->timeout_started = true;
8453 		} else if (ifmgd->assoc_data &&
8454 			   !ifmgd->assoc_data->comeback &&
8455 			   (ieee80211_is_assoc_req(fc) ||
8456 			    ieee80211_is_reassoc_req(fc))) {
8457 			/*
8458 			 * Update association timeout based on the TX status
8459 			 * for the (Re)Association Request frame. Skip this if
8460 			 * we have already processed a (Re)Association Response
8461 			 * frame that indicated need for association comeback
8462 			 * at a specific time in the future. This could happen
8463 			 * if the TX status information is delayed enough for
8464 			 * the response to be received and processed first.
8465 			 */
8466 			if (status_acked) {
8467 				ifmgd->assoc_data->timeout =
8468 					jiffies + IEEE80211_ASSOC_TIMEOUT_SHORT;
8469 				run_again(sdata, ifmgd->assoc_data->timeout);
8470 			} else {
8471 				ifmgd->assoc_data->timeout = jiffies - 1;
8472 			}
8473 			ifmgd->assoc_data->timeout_started = true;
8474 		}
8475 	}
8476 
8477 	if (ifmgd->auth_data && ifmgd->auth_data->timeout_started &&
8478 	    time_after(jiffies, ifmgd->auth_data->timeout)) {
8479 		if (ifmgd->auth_data->done || ifmgd->auth_data->waiting) {
8480 			/*
8481 			 * ok ... we waited for assoc or continuation but
8482 			 * userspace didn't do it, so kill the auth data
8483 			 */
8484 			ieee80211_destroy_auth_data(sdata, false);
8485 		} else if (ieee80211_auth(sdata)) {
8486 			u8 ap_addr[ETH_ALEN];
8487 			struct ieee80211_event event = {
8488 				.type = MLME_EVENT,
8489 				.u.mlme.data = AUTH_EVENT,
8490 				.u.mlme.status = MLME_TIMEOUT,
8491 			};
8492 
8493 			memcpy(ap_addr, ifmgd->auth_data->ap_addr, ETH_ALEN);
8494 
8495 			ieee80211_destroy_auth_data(sdata, false);
8496 
8497 			cfg80211_auth_timeout(sdata->dev, ap_addr);
8498 			drv_event_callback(sdata->local, sdata, &event);
8499 		}
8500 	} else if (ifmgd->auth_data && ifmgd->auth_data->timeout_started)
8501 		run_again(sdata, ifmgd->auth_data->timeout);
8502 
8503 	if (ifmgd->assoc_data && ifmgd->assoc_data->timeout_started &&
8504 	    time_after(jiffies, ifmgd->assoc_data->timeout)) {
8505 		if ((ifmgd->assoc_data->need_beacon &&
8506 		     !sdata->deflink.u.mgd.have_beacon) ||
8507 		    ieee80211_do_assoc(sdata)) {
8508 			struct ieee80211_event event = {
8509 				.type = MLME_EVENT,
8510 				.u.mlme.data = ASSOC_EVENT,
8511 				.u.mlme.status = MLME_TIMEOUT,
8512 			};
8513 
8514 			ieee80211_destroy_assoc_data(sdata, ASSOC_TIMEOUT);
8515 			drv_event_callback(sdata->local, sdata, &event);
8516 		}
8517 	} else if (ifmgd->assoc_data && ifmgd->assoc_data->timeout_started)
8518 		run_again(sdata, ifmgd->assoc_data->timeout);
8519 
8520 	if (ifmgd->flags & IEEE80211_STA_CONNECTION_POLL &&
8521 	    ifmgd->associated) {
8522 		u8 *bssid = sdata->deflink.u.mgd.bssid;
8523 		int max_tries;
8524 
8525 		if (ieee80211_hw_check(&local->hw, REPORTS_TX_ACK_STATUS))
8526 			max_tries = max_nullfunc_tries;
8527 		else
8528 			max_tries = max_probe_tries;
8529 
8530 		/* ACK received for nullfunc probing frame */
8531 		if (!ifmgd->probe_send_count)
8532 			ieee80211_reset_ap_probe(sdata);
8533 		else if (ifmgd->nullfunc_failed) {
8534 			if (ifmgd->probe_send_count < max_tries) {
8535 				mlme_dbg(sdata,
8536 					 "No ack for nullfunc frame to AP %pM, try %d/%i\n",
8537 					 bssid, ifmgd->probe_send_count,
8538 					 max_tries);
8539 				ieee80211_mgd_probe_ap_send(sdata);
8540 			} else {
8541 				mlme_dbg(sdata,
8542 					 "No ack for nullfunc frame to AP %pM, disconnecting.\n",
8543 					 bssid);
8544 				ieee80211_sta_connection_lost(sdata,
8545 					WLAN_REASON_DISASSOC_DUE_TO_INACTIVITY,
8546 					false);
8547 			}
8548 		} else if (time_is_after_jiffies(ifmgd->probe_timeout))
8549 			run_again(sdata, ifmgd->probe_timeout);
8550 		else if (ieee80211_hw_check(&local->hw, REPORTS_TX_ACK_STATUS)) {
8551 			mlme_dbg(sdata,
8552 				 "Failed to send nullfunc to AP %pM after %dms, disconnecting\n",
8553 				 bssid, probe_wait_ms);
8554 			ieee80211_sta_connection_lost(sdata,
8555 				WLAN_REASON_DISASSOC_DUE_TO_INACTIVITY, false);
8556 		} else if (ifmgd->probe_send_count < max_tries) {
8557 			mlme_dbg(sdata,
8558 				 "No probe response from AP %pM after %dms, try %d/%i\n",
8559 				 bssid, probe_wait_ms,
8560 				 ifmgd->probe_send_count, max_tries);
8561 			ieee80211_mgd_probe_ap_send(sdata);
8562 		} else {
8563 			/*
8564 			 * We actually lost the connection ... or did we?
8565 			 * Let's make sure!
8566 			 */
8567 			mlme_dbg(sdata,
8568 				 "No probe response from AP %pM after %dms, disconnecting.\n",
8569 				 bssid, probe_wait_ms);
8570 
8571 			ieee80211_sta_connection_lost(sdata,
8572 				WLAN_REASON_DISASSOC_DUE_TO_INACTIVITY, false);
8573 		}
8574 	}
8575 }
8576 
8577 static bool
8578 ieee80211_is_csa_in_progress(struct ieee80211_sub_if_data *sdata)
8579 {
8580 	/*
8581 	 * In MLO, check the CSA flags 'active' and 'waiting_bcn' for all
8582 	 * the links.
8583 	 */
8584 	struct ieee80211_link_data *link;
8585 
8586 	guard(rcu)();
8587 
8588 	for_each_link_data_rcu(sdata, link) {
8589 		if (!(link->conf->csa_active &&
8590 		      !link->u.mgd.csa.waiting_bcn))
8591 			return false;
8592 	}
8593 
8594 	return true;
8595 }
8596 
8597 static void ieee80211_sta_bcn_mon_timer(struct timer_list *t)
8598 {
8599 	struct ieee80211_sub_if_data *sdata =
8600 		timer_container_of(sdata, t, u.mgd.bcn_mon_timer);
8601 
8602 	if (ieee80211_is_csa_in_progress(sdata))
8603 		return;
8604 
8605 	if (sdata->vif.driver_flags & IEEE80211_VIF_BEACON_FILTER)
8606 		return;
8607 
8608 	sdata->u.mgd.connection_loss = false;
8609 	wiphy_work_queue(sdata->local->hw.wiphy,
8610 			 &sdata->u.mgd.beacon_connection_loss_work);
8611 }
8612 
8613 static unsigned long
8614 ieee80211_latest_active_link_conn_timeout(struct ieee80211_sub_if_data *sdata)
8615 {
8616 	unsigned long latest_timeout = jiffies;
8617 	unsigned int link_id;
8618 	struct sta_info *sta;
8619 
8620 	guard(rcu)();
8621 
8622 	sta = sta_info_get(sdata, sdata->vif.cfg.ap_addr);
8623 	if (!sta)
8624 		return 0;
8625 
8626 	for (link_id = 0; link_id < ARRAY_SIZE(sta->link);
8627 	     link_id++) {
8628 		struct link_sta_info *link_sta;
8629 		unsigned long timeout;
8630 
8631 		link_sta = rcu_dereference(sta->link[link_id]);
8632 		if (!link_sta)
8633 			continue;
8634 
8635 		timeout = link_sta->status_stats.last_ack;
8636 		if (time_before(timeout, link_sta->rx_stats.last_rx))
8637 			timeout = link_sta->rx_stats.last_rx;
8638 
8639 		timeout += IEEE80211_CONNECTION_IDLE_TIME;
8640 
8641 		/*
8642 		 * latest_timeout holds the timeout of the link
8643 		 * that will expire last among all links in an
8644 		 * non-AP MLD STA. This ensures that the connection
8645 		 * monitor timer is only reset if at least one link
8646 		 * is still active, and it is scheduled to fire at
8647 		 * the latest possible timeout.
8648 		 */
8649 		if (time_after(timeout, latest_timeout))
8650 			latest_timeout = timeout;
8651 	}
8652 
8653 	return latest_timeout;
8654 }
8655 
8656 static void ieee80211_sta_conn_mon_timer(struct timer_list *t)
8657 {
8658 	struct ieee80211_sub_if_data *sdata =
8659 		timer_container_of(sdata, t, u.mgd.conn_mon_timer);
8660 	struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
8661 	struct ieee80211_local *local = sdata->local;
8662 	unsigned long latest_timeout;
8663 
8664 	if (ieee80211_is_csa_in_progress(sdata))
8665 		return;
8666 
8667 	latest_timeout = ieee80211_latest_active_link_conn_timeout(sdata);
8668 
8669 	/*
8670 	 * If latest timeout is after now, then update timer to fire at
8671 	 * the later date, but do not actually probe at this time.
8672 	 */
8673 	if (time_is_after_jiffies(latest_timeout)) {
8674 		mod_timer(&ifmgd->conn_mon_timer,
8675 			  round_jiffies_up(latest_timeout));
8676 		return;
8677 	}
8678 
8679 	wiphy_work_queue(local->hw.wiphy, &sdata->u.mgd.monitor_work);
8680 }
8681 
8682 static void ieee80211_sta_monitor_work(struct wiphy *wiphy,
8683 				       struct wiphy_work *work)
8684 {
8685 	struct ieee80211_sub_if_data *sdata =
8686 		container_of(work, struct ieee80211_sub_if_data,
8687 			     u.mgd.monitor_work);
8688 
8689 	ieee80211_mgd_probe_ap(sdata, false);
8690 }
8691 
8692 static void ieee80211_restart_sta_timer(struct ieee80211_sub_if_data *sdata)
8693 {
8694 	if (sdata->vif.type == NL80211_IFTYPE_STATION) {
8695 		__ieee80211_stop_poll(sdata);
8696 
8697 		/* let's probe the connection once */
8698 		if (!ieee80211_hw_check(&sdata->local->hw, CONNECTION_MONITOR))
8699 			wiphy_work_queue(sdata->local->hw.wiphy,
8700 					 &sdata->u.mgd.monitor_work);
8701 	}
8702 }
8703 
8704 #ifdef CONFIG_PM
8705 void ieee80211_mgd_quiesce(struct ieee80211_sub_if_data *sdata)
8706 {
8707 	struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
8708 	u8 frame_buf[IEEE80211_DEAUTH_FRAME_LEN];
8709 
8710 	lockdep_assert_wiphy(sdata->local->hw.wiphy);
8711 
8712 	if (ifmgd->auth_data || ifmgd->assoc_data) {
8713 		const u8 *ap_addr = ifmgd->auth_data ?
8714 				ifmgd->auth_data->ap_addr :
8715 				ifmgd->assoc_data->ap_addr;
8716 
8717 		/*
8718 		 * If we are trying to authenticate / associate while suspending,
8719 		 * cfg80211 won't know and won't actually abort those attempts,
8720 		 * thus we need to do that ourselves.
8721 		 */
8722 		ieee80211_send_deauth_disassoc(sdata, ap_addr, ap_addr,
8723 					       IEEE80211_STYPE_DEAUTH,
8724 					       WLAN_REASON_DEAUTH_LEAVING,
8725 					       false, frame_buf);
8726 		if (ifmgd->assoc_data)
8727 			ieee80211_destroy_assoc_data(sdata, ASSOC_ABANDON);
8728 		if (ifmgd->auth_data)
8729 			ieee80211_destroy_auth_data(sdata, false);
8730 		cfg80211_tx_mlme_mgmt(sdata->dev, frame_buf,
8731 				      IEEE80211_DEAUTH_FRAME_LEN,
8732 				      false);
8733 	}
8734 
8735 	/* This is a bit of a hack - we should find a better and more generic
8736 	 * solution to this. Normally when suspending, cfg80211 will in fact
8737 	 * deauthenticate. However, it doesn't (and cannot) stop an ongoing
8738 	 * auth (not so important) or assoc (this is the problem) process.
8739 	 *
8740 	 * As a consequence, it can happen that we are in the process of both
8741 	 * associating and suspending, and receive an association response
8742 	 * after cfg80211 has checked if it needs to disconnect, but before
8743 	 * we actually set the flag to drop incoming frames. This will then
8744 	 * cause the workqueue flush to process the association response in
8745 	 * the suspend, resulting in a successful association just before it
8746 	 * tries to remove the interface from the driver, which now though
8747 	 * has a channel context assigned ... this results in issues.
8748 	 *
8749 	 * To work around this (for now) simply deauth here again if we're
8750 	 * now connected.
8751 	 */
8752 	if (ifmgd->associated && !sdata->local->wowlan) {
8753 		u8 bssid[ETH_ALEN];
8754 		struct cfg80211_deauth_request req = {
8755 			.reason_code = WLAN_REASON_DEAUTH_LEAVING,
8756 			.bssid = bssid,
8757 		};
8758 
8759 		memcpy(bssid, sdata->vif.cfg.ap_addr, ETH_ALEN);
8760 		ieee80211_mgd_deauth(sdata, &req);
8761 	}
8762 }
8763 #endif
8764 
8765 void ieee80211_sta_restart(struct ieee80211_sub_if_data *sdata)
8766 {
8767 	struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
8768 
8769 	lockdep_assert_wiphy(sdata->local->hw.wiphy);
8770 
8771 	if (!ifmgd->associated)
8772 		return;
8773 
8774 	if (sdata->flags & IEEE80211_SDATA_DISCONNECT_RESUME) {
8775 		sdata->flags &= ~IEEE80211_SDATA_DISCONNECT_RESUME;
8776 		mlme_dbg(sdata, "driver requested disconnect after resume\n");
8777 		ieee80211_sta_connection_lost(sdata,
8778 					      WLAN_REASON_UNSPECIFIED,
8779 					      true);
8780 		return;
8781 	}
8782 
8783 	if (sdata->flags & IEEE80211_SDATA_DISCONNECT_HW_RESTART) {
8784 		sdata->flags &= ~IEEE80211_SDATA_DISCONNECT_HW_RESTART;
8785 		mlme_dbg(sdata, "driver requested disconnect after hardware restart\n");
8786 		ieee80211_sta_connection_lost(sdata,
8787 					      WLAN_REASON_UNSPECIFIED,
8788 					      true);
8789 		return;
8790 	}
8791 }
8792 
8793 static void ieee80211_request_smps_mgd_work(struct wiphy *wiphy,
8794 					    struct wiphy_work *work)
8795 {
8796 	struct ieee80211_link_data *link =
8797 		container_of(work, struct ieee80211_link_data,
8798 			     u.mgd.request_smps_work);
8799 
8800 	__ieee80211_request_smps_mgd(link->sdata, link,
8801 				     link->u.mgd.driver_smps_mode);
8802 }
8803 
8804 static void ieee80211_ml_sta_reconf_timeout(struct wiphy *wiphy,
8805 					    struct wiphy_work *work)
8806 {
8807 	struct ieee80211_sub_if_data *sdata =
8808 		container_of(work, struct ieee80211_sub_if_data,
8809 			     u.mgd.reconf.wk.work);
8810 
8811 	if (!sdata->u.mgd.reconf.added_links &&
8812 	    !sdata->u.mgd.reconf.removed_links)
8813 		return;
8814 
8815 	sdata_info(sdata,
8816 		   "mlo: reconf: timeout: added=0x%x, removed=0x%x\n",
8817 		   sdata->u.mgd.reconf.added_links,
8818 		   sdata->u.mgd.reconf.removed_links);
8819 
8820 	__ieee80211_disconnect(sdata);
8821 }
8822 
8823 /* interface setup */
8824 void ieee80211_sta_setup_sdata(struct ieee80211_sub_if_data *sdata)
8825 {
8826 	struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
8827 
8828 	wiphy_work_init(&ifmgd->monitor_work, ieee80211_sta_monitor_work);
8829 	wiphy_work_init(&ifmgd->beacon_connection_loss_work,
8830 			ieee80211_beacon_connection_loss_work);
8831 	wiphy_work_init(&ifmgd->csa_connection_drop_work,
8832 			ieee80211_csa_connection_drop_work);
8833 	wiphy_delayed_work_init(&ifmgd->tdls_peer_del_work,
8834 				ieee80211_tdls_peer_del_work);
8835 	wiphy_hrtimer_work_init(&ifmgd->ml_reconf_work,
8836 				ieee80211_ml_reconf_work);
8837 	wiphy_delayed_work_init(&ifmgd->reconf.wk,
8838 				ieee80211_ml_sta_reconf_timeout);
8839 	timer_setup(&ifmgd->timer, ieee80211_sta_timer, 0);
8840 	timer_setup(&ifmgd->bcn_mon_timer, ieee80211_sta_bcn_mon_timer, 0);
8841 	timer_setup(&ifmgd->conn_mon_timer, ieee80211_sta_conn_mon_timer, 0);
8842 	wiphy_delayed_work_init(&ifmgd->tx_tspec_wk,
8843 				ieee80211_sta_handle_tspec_ac_params_wk);
8844 	wiphy_hrtimer_work_init(&ifmgd->ttlm_work,
8845 				ieee80211_tid_to_link_map_work);
8846 	wiphy_delayed_work_init(&ifmgd->neg_ttlm_timeout_work,
8847 				ieee80211_neg_ttlm_timeout_work);
8848 	wiphy_work_init(&ifmgd->teardown_ttlm_work,
8849 			ieee80211_teardown_ttlm_work);
8850 
8851 	ifmgd->flags = 0;
8852 	ifmgd->powersave = sdata->wdev.ps;
8853 	ifmgd->uapsd_queues = sdata->local->hw.uapsd_queues;
8854 	ifmgd->uapsd_max_sp_len = sdata->local->hw.uapsd_max_sp_len;
8855 	/* Setup TDLS data */
8856 	spin_lock_init(&ifmgd->teardown_lock);
8857 	ifmgd->teardown_skb = NULL;
8858 	ifmgd->orig_teardown_skb = NULL;
8859 	ifmgd->mcast_seq_last = IEEE80211_SN_MODULO;
8860 }
8861 
8862 static void ieee80211_recalc_smps_work(struct wiphy *wiphy,
8863 				       struct wiphy_work *work)
8864 {
8865 	struct ieee80211_link_data *link =
8866 		container_of(work, struct ieee80211_link_data,
8867 			     u.mgd.recalc_smps);
8868 
8869 	ieee80211_recalc_smps(link->sdata, link);
8870 }
8871 
8872 void ieee80211_mgd_setup_link(struct ieee80211_link_data *link)
8873 {
8874 	struct ieee80211_sub_if_data *sdata = link->sdata;
8875 	struct ieee80211_local *local = sdata->local;
8876 	unsigned int link_id = link->link_id;
8877 
8878 	link->u.mgd.p2p_noa_index = -1;
8879 	link->conf->bssid = link->u.mgd.bssid;
8880 	link->smps_mode = IEEE80211_SMPS_OFF;
8881 
8882 	wiphy_work_init(&link->u.mgd.request_smps_work,
8883 			ieee80211_request_smps_mgd_work);
8884 	wiphy_work_init(&link->u.mgd.recalc_smps,
8885 			ieee80211_recalc_smps_work);
8886 	if (local->hw.wiphy->features & NL80211_FEATURE_DYNAMIC_SMPS)
8887 		link->u.mgd.req_smps = IEEE80211_SMPS_AUTOMATIC;
8888 	else
8889 		link->u.mgd.req_smps = IEEE80211_SMPS_OFF;
8890 
8891 	wiphy_hrtimer_work_init(&link->u.mgd.csa.switch_work,
8892 				ieee80211_csa_switch_work);
8893 
8894 	ieee80211_clear_tpe(&link->conf->tpe);
8895 
8896 	if (sdata->u.mgd.assoc_data)
8897 		ether_addr_copy(link->conf->addr,
8898 				sdata->u.mgd.assoc_data->link[link_id].addr);
8899 	else if (sdata->u.mgd.reconf.add_links_data)
8900 		ether_addr_copy(link->conf->addr,
8901 				sdata->u.mgd.reconf.add_links_data->link[link_id].addr);
8902 	else if (!is_valid_ether_addr(link->conf->addr))
8903 		eth_random_addr(link->conf->addr);
8904 }
8905 
8906 /* scan finished notification */
8907 void ieee80211_mlme_notify_scan_completed(struct ieee80211_local *local)
8908 {
8909 	struct ieee80211_sub_if_data *sdata;
8910 
8911 	/* Restart STA timers */
8912 	rcu_read_lock();
8913 	list_for_each_entry_rcu(sdata, &local->interfaces, list) {
8914 		if (ieee80211_sdata_running(sdata))
8915 			ieee80211_restart_sta_timer(sdata);
8916 	}
8917 	rcu_read_unlock();
8918 }
8919 
8920 static int ieee80211_prep_connection(struct ieee80211_sub_if_data *sdata,
8921 				     struct cfg80211_bss *cbss, s8 link_id,
8922 				     const u8 *ap_mld_addr, bool assoc,
8923 				     struct ieee80211_conn_settings *conn,
8924 				     bool override,
8925 				     unsigned long *userspace_selectors)
8926 {
8927 	struct ieee80211_local *local = sdata->local;
8928 	struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
8929 	struct ieee80211_bss *bss = (void *)cbss->priv;
8930 	struct sta_info *new_sta = NULL;
8931 	struct ieee80211_link_data *link;
8932 	bool have_sta = false;
8933 	bool mlo;
8934 	int err;
8935 	u16 new_links;
8936 
8937 	if (link_id >= 0) {
8938 		mlo = true;
8939 		if (WARN_ON(!ap_mld_addr))
8940 			return -EINVAL;
8941 		new_links = BIT(link_id);
8942 	} else {
8943 		if (WARN_ON(ap_mld_addr))
8944 			return -EINVAL;
8945 		ap_mld_addr = cbss->bssid;
8946 		new_links = 0;
8947 		link_id = 0;
8948 		mlo = false;
8949 	}
8950 
8951 	if (assoc) {
8952 		rcu_read_lock();
8953 		have_sta = sta_info_get(sdata, ap_mld_addr);
8954 		rcu_read_unlock();
8955 	}
8956 
8957 	if (mlo && !have_sta &&
8958 	    WARN_ON(sdata->vif.valid_links || sdata->vif.active_links))
8959 		return -EINVAL;
8960 
8961 	err = ieee80211_vif_set_links(sdata, new_links, 0);
8962 	if (err)
8963 		return err;
8964 
8965 	link = sdata_dereference(sdata->link[link_id], sdata);
8966 	if (WARN_ON(!link)) {
8967 		err = -ENOLINK;
8968 		goto out_err;
8969 	}
8970 
8971 	if (WARN_ON(!ifmgd->auth_data && !ifmgd->assoc_data)) {
8972 		err = -EINVAL;
8973 		goto out_err;
8974 	}
8975 
8976 	/* If a reconfig is happening, bail out */
8977 	if (local->in_reconfig) {
8978 		err = -EBUSY;
8979 		goto out_err;
8980 	}
8981 
8982 	if (!have_sta) {
8983 		if (mlo)
8984 			new_sta = sta_info_alloc_with_link(sdata, ap_mld_addr,
8985 							   link_id, cbss->bssid,
8986 							   GFP_KERNEL);
8987 		else
8988 			new_sta = sta_info_alloc(sdata, ap_mld_addr, GFP_KERNEL);
8989 
8990 		if (!new_sta) {
8991 			err = -ENOMEM;
8992 			goto out_err;
8993 		}
8994 
8995 		new_sta->sta.mlo = mlo;
8996 	}
8997 
8998 	/*
8999 	 * Set up the information for the new channel before setting the
9000 	 * new channel. We can't - completely race-free - change the basic
9001 	 * rates bitmap and the channel (sband) that it refers to, but if
9002 	 * we set it up before we at least avoid calling into the driver's
9003 	 * bss_info_changed() method with invalid information (since we do
9004 	 * call that from changing the channel - only for IDLE and perhaps
9005 	 * some others, but ...).
9006 	 *
9007 	 * So to avoid that, just set up all the new information before the
9008 	 * channel, but tell the driver to apply it only afterwards, since
9009 	 * it might need the new channel for that.
9010 	 */
9011 	if (new_sta) {
9012 		const struct cfg80211_bss_ies *ies;
9013 		struct link_sta_info *link_sta;
9014 
9015 		rcu_read_lock();
9016 		link_sta = rcu_dereference(new_sta->link[link_id]);
9017 		if (WARN_ON(!link_sta)) {
9018 			rcu_read_unlock();
9019 			sta_info_free(local, new_sta);
9020 			err = -EINVAL;
9021 			goto out_err;
9022 		}
9023 
9024 		err = ieee80211_mgd_setup_link_sta(link, new_sta,
9025 						   link_sta, cbss);
9026 		if (err) {
9027 			rcu_read_unlock();
9028 			sta_info_free(local, new_sta);
9029 			goto out_err;
9030 		}
9031 
9032 		memcpy(link->u.mgd.bssid, cbss->bssid, ETH_ALEN);
9033 
9034 		/* set timing information */
9035 		link->conf->beacon_int = cbss->beacon_interval;
9036 		ies = rcu_dereference(cbss->beacon_ies);
9037 		if (ies) {
9038 			link->conf->sync_tsf = ies->tsf;
9039 			link->conf->sync_device_ts =
9040 				bss->device_ts_beacon;
9041 
9042 			ieee80211_get_dtim(ies,
9043 					   &link->conf->sync_dtim_count,
9044 					   NULL);
9045 		} else if (!ieee80211_hw_check(&sdata->local->hw,
9046 					       TIMING_BEACON_ONLY)) {
9047 			ies = rcu_dereference(cbss->proberesp_ies);
9048 			/* must be non-NULL since beacon IEs were NULL */
9049 			link->conf->sync_tsf = ies->tsf;
9050 			link->conf->sync_device_ts =
9051 				bss->device_ts_presp;
9052 			link->conf->sync_dtim_count = 0;
9053 		} else {
9054 			link->conf->sync_tsf = 0;
9055 			link->conf->sync_device_ts = 0;
9056 			link->conf->sync_dtim_count = 0;
9057 		}
9058 		rcu_read_unlock();
9059 	}
9060 
9061 	if (new_sta || override) {
9062 		/*
9063 		 * Only set this if we're also going to calculate the AP
9064 		 * settings etc., otherwise this was set before in a
9065 		 * previous call. Note override is set to %true in assoc
9066 		 * if the settings were changed.
9067 		 */
9068 		link->u.mgd.conn = *conn;
9069 		err = ieee80211_prep_channel(sdata, link, link->link_id, cbss,
9070 					     mlo, &link->u.mgd.conn,
9071 					     userspace_selectors);
9072 		if (err) {
9073 			if (new_sta)
9074 				sta_info_free(local, new_sta);
9075 			goto out_err;
9076 		}
9077 		/* pass out for use in assoc */
9078 		*conn = link->u.mgd.conn;
9079 	}
9080 
9081 	if (new_sta) {
9082 		/*
9083 		 * tell driver about BSSID, basic rates and timing
9084 		 * this was set up above, before setting the channel
9085 		 */
9086 		ieee80211_link_info_change_notify(sdata, link,
9087 						  BSS_CHANGED_BSSID |
9088 						  BSS_CHANGED_BASIC_RATES |
9089 						  BSS_CHANGED_BEACON_INT);
9090 
9091 		if (assoc)
9092 			sta_info_pre_move_state(new_sta, IEEE80211_STA_AUTH);
9093 
9094 		err = sta_info_insert(new_sta);
9095 		new_sta = NULL;
9096 		if (err) {
9097 			sdata_info(sdata,
9098 				   "failed to insert STA entry for the AP (error %d)\n",
9099 				   err);
9100 			goto out_release_chan;
9101 		}
9102 	} else
9103 		WARN_ON_ONCE(!ether_addr_equal(link->u.mgd.bssid, cbss->bssid));
9104 
9105 	/* Cancel scan to ensure that nothing interferes with connection */
9106 	if (local->scanning)
9107 		ieee80211_scan_cancel(local);
9108 
9109 	return 0;
9110 
9111 out_release_chan:
9112 	ieee80211_link_release_channel(link);
9113 out_err:
9114 	ieee80211_vif_set_links(sdata, 0, 0);
9115 	return err;
9116 }
9117 
9118 static bool ieee80211_mgd_csa_present(struct ieee80211_sub_if_data *sdata,
9119 				      const struct cfg80211_bss_ies *ies,
9120 				      u8 cur_channel, bool ignore_ecsa)
9121 {
9122 	const struct element *csa_elem, *ecsa_elem;
9123 	struct ieee80211_channel_sw_ie *csa = NULL;
9124 	struct ieee80211_ext_chansw_ie *ecsa = NULL;
9125 
9126 	if (!ies)
9127 		return false;
9128 
9129 	csa_elem = cfg80211_find_elem(WLAN_EID_CHANNEL_SWITCH,
9130 				      ies->data, ies->len);
9131 	if (csa_elem && csa_elem->datalen == sizeof(*csa))
9132 		csa = (void *)csa_elem->data;
9133 
9134 	ecsa_elem = cfg80211_find_elem(WLAN_EID_EXT_CHANSWITCH_ANN,
9135 				       ies->data, ies->len);
9136 	if (ecsa_elem && ecsa_elem->datalen == sizeof(*ecsa))
9137 		ecsa = (void *)ecsa_elem->data;
9138 
9139 	if (csa && csa->count == 0)
9140 		csa = NULL;
9141 	if (csa && !csa->mode && csa->new_ch_num == cur_channel)
9142 		csa = NULL;
9143 
9144 	if (ecsa && ecsa->count == 0)
9145 		ecsa = NULL;
9146 	if (ecsa && !ecsa->mode && ecsa->new_ch_num == cur_channel)
9147 		ecsa = NULL;
9148 
9149 	if (ignore_ecsa && ecsa) {
9150 		sdata_info(sdata,
9151 			   "Ignoring ECSA in probe response - was considered stuck!\n");
9152 		return csa;
9153 	}
9154 
9155 	return csa || ecsa;
9156 }
9157 
9158 static bool ieee80211_mgd_csa_in_process(struct ieee80211_sub_if_data *sdata,
9159 					 struct cfg80211_bss *bss)
9160 {
9161 	u8 cur_channel;
9162 	bool ret;
9163 
9164 	cur_channel = ieee80211_frequency_to_channel(bss->channel->center_freq);
9165 
9166 	rcu_read_lock();
9167 	if (ieee80211_mgd_csa_present(sdata,
9168 				      rcu_dereference(bss->beacon_ies),
9169 				      cur_channel, false)) {
9170 		ret = true;
9171 		goto out;
9172 	}
9173 
9174 	if (ieee80211_mgd_csa_present(sdata,
9175 				      rcu_dereference(bss->proberesp_ies),
9176 				      cur_channel, bss->proberesp_ecsa_stuck)) {
9177 		ret = true;
9178 		goto out;
9179 	}
9180 
9181 	ret = false;
9182 out:
9183 	rcu_read_unlock();
9184 	return ret;
9185 }
9186 
9187 static void ieee80211_parse_cfg_selectors(unsigned long *userspace_selectors,
9188 					  const u8 *supported_selectors,
9189 					  u8 supported_selectors_len)
9190 {
9191 	if (supported_selectors) {
9192 		for (int i = 0; i < supported_selectors_len; i++) {
9193 			set_bit(supported_selectors[i],
9194 				userspace_selectors);
9195 		}
9196 	} else {
9197 		/* Assume SAE_H2E support for backward compatibility. */
9198 		set_bit(BSS_MEMBERSHIP_SELECTOR_SAE_H2E,
9199 			userspace_selectors);
9200 	}
9201 }
9202 
9203 /* config hooks */
9204 int ieee80211_mgd_auth(struct ieee80211_sub_if_data *sdata,
9205 		       struct cfg80211_auth_request *req)
9206 {
9207 	struct ieee80211_local *local = sdata->local;
9208 	struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
9209 	struct ieee80211_mgd_auth_data *auth_data;
9210 	struct ieee80211_conn_settings conn;
9211 	struct ieee80211_link_data *link;
9212 	struct ieee80211_supported_band *sband;
9213 	struct ieee80211_bss *bss;
9214 	u16 auth_alg;
9215 	int err;
9216 	bool cont_auth, wmm_used;
9217 
9218 	lockdep_assert_wiphy(sdata->local->hw.wiphy);
9219 
9220 	/* prepare auth data structure */
9221 
9222 	switch (req->auth_type) {
9223 	case NL80211_AUTHTYPE_OPEN_SYSTEM:
9224 		auth_alg = WLAN_AUTH_OPEN;
9225 		break;
9226 	case NL80211_AUTHTYPE_SHARED_KEY:
9227 		if (fips_enabled)
9228 			return -EOPNOTSUPP;
9229 		auth_alg = WLAN_AUTH_SHARED_KEY;
9230 		break;
9231 	case NL80211_AUTHTYPE_FT:
9232 		auth_alg = WLAN_AUTH_FT;
9233 		break;
9234 	case NL80211_AUTHTYPE_NETWORK_EAP:
9235 		auth_alg = WLAN_AUTH_LEAP;
9236 		break;
9237 	case NL80211_AUTHTYPE_SAE:
9238 		auth_alg = WLAN_AUTH_SAE;
9239 		break;
9240 	case NL80211_AUTHTYPE_FILS_SK:
9241 		auth_alg = WLAN_AUTH_FILS_SK;
9242 		break;
9243 	case NL80211_AUTHTYPE_FILS_SK_PFS:
9244 		auth_alg = WLAN_AUTH_FILS_SK_PFS;
9245 		break;
9246 	case NL80211_AUTHTYPE_FILS_PK:
9247 		auth_alg = WLAN_AUTH_FILS_PK;
9248 		break;
9249 	default:
9250 		return -EOPNOTSUPP;
9251 	}
9252 
9253 	if (ifmgd->assoc_data)
9254 		return -EBUSY;
9255 
9256 	if (ieee80211_mgd_csa_in_process(sdata, req->bss)) {
9257 		sdata_info(sdata, "AP is in CSA process, reject auth\n");
9258 		return -EINVAL;
9259 	}
9260 
9261 	auth_data = kzalloc(sizeof(*auth_data) + req->auth_data_len +
9262 			    req->ie_len, GFP_KERNEL);
9263 	if (!auth_data)
9264 		return -ENOMEM;
9265 
9266 	memcpy(auth_data->ap_addr,
9267 	       req->ap_mld_addr ?: req->bss->bssid,
9268 	       ETH_ALEN);
9269 	auth_data->bss = req->bss;
9270 	auth_data->link_id = req->link_id;
9271 
9272 	if (req->auth_data_len >= 4) {
9273 		if (req->auth_type == NL80211_AUTHTYPE_SAE) {
9274 			__le16 *pos = (__le16 *) req->auth_data;
9275 
9276 			auth_data->sae_trans = le16_to_cpu(pos[0]);
9277 			auth_data->sae_status = le16_to_cpu(pos[1]);
9278 		}
9279 		memcpy(auth_data->data, req->auth_data + 4,
9280 		       req->auth_data_len - 4);
9281 		auth_data->data_len += req->auth_data_len - 4;
9282 	}
9283 
9284 	/* Check if continuing authentication or trying to authenticate with the
9285 	 * same BSS that we were in the process of authenticating with and avoid
9286 	 * removal and re-addition of the STA entry in
9287 	 * ieee80211_prep_connection().
9288 	 */
9289 	cont_auth = ifmgd->auth_data && req->bss == ifmgd->auth_data->bss &&
9290 		    ifmgd->auth_data->link_id == req->link_id;
9291 
9292 	if (req->ie && req->ie_len) {
9293 		memcpy(&auth_data->data[auth_data->data_len],
9294 		       req->ie, req->ie_len);
9295 		auth_data->data_len += req->ie_len;
9296 	}
9297 
9298 	if (req->key && req->key_len) {
9299 		auth_data->key_len = req->key_len;
9300 		auth_data->key_idx = req->key_idx;
9301 		memcpy(auth_data->key, req->key, req->key_len);
9302 	}
9303 
9304 	ieee80211_parse_cfg_selectors(auth_data->userspace_selectors,
9305 				      req->supported_selectors,
9306 				      req->supported_selectors_len);
9307 
9308 	auth_data->algorithm = auth_alg;
9309 
9310 	/* try to authenticate/probe */
9311 
9312 	if (ifmgd->auth_data) {
9313 		if (cont_auth && req->auth_type == NL80211_AUTHTYPE_SAE) {
9314 			auth_data->peer_confirmed =
9315 				ifmgd->auth_data->peer_confirmed;
9316 		}
9317 		ieee80211_destroy_auth_data(sdata, cont_auth);
9318 	}
9319 
9320 	/* prep auth_data so we don't go into idle on disassoc */
9321 	ifmgd->auth_data = auth_data;
9322 
9323 	/* If this is continuation of an ongoing SAE authentication exchange
9324 	 * (i.e., request to send SAE Confirm) and the peer has already
9325 	 * confirmed, mark authentication completed since we are about to send
9326 	 * out SAE Confirm.
9327 	 */
9328 	if (cont_auth && req->auth_type == NL80211_AUTHTYPE_SAE &&
9329 	    auth_data->peer_confirmed && auth_data->sae_trans == 2)
9330 		ieee80211_mark_sta_auth(sdata);
9331 
9332 	if (ifmgd->associated) {
9333 		u8 frame_buf[IEEE80211_DEAUTH_FRAME_LEN];
9334 
9335 		sdata_info(sdata,
9336 			   "disconnect from AP %pM for new auth to %pM\n",
9337 			   sdata->vif.cfg.ap_addr, auth_data->ap_addr);
9338 		ieee80211_set_disassoc(sdata, IEEE80211_STYPE_DEAUTH,
9339 				       WLAN_REASON_UNSPECIFIED,
9340 				       false, frame_buf);
9341 
9342 		ieee80211_report_disconnect(sdata, frame_buf,
9343 					    sizeof(frame_buf), true,
9344 					    WLAN_REASON_UNSPECIFIED,
9345 					    false);
9346 	}
9347 
9348 	/* needed for transmitting the auth frame(s) properly */
9349 	memcpy(sdata->vif.cfg.ap_addr, auth_data->ap_addr, ETH_ALEN);
9350 
9351 	bss = (void *)req->bss->priv;
9352 	wmm_used = bss->wmm_used && (local->hw.queues >= IEEE80211_NUM_ACS);
9353 
9354 	sband = local->hw.wiphy->bands[req->bss->channel->band];
9355 
9356 	ieee80211_determine_our_sta_mode_auth(sdata, sband, req, wmm_used,
9357 					      &conn);
9358 
9359 	err = ieee80211_prep_connection(sdata, req->bss, req->link_id,
9360 					req->ap_mld_addr, cont_auth,
9361 					&conn, false,
9362 					auth_data->userspace_selectors);
9363 	if (err)
9364 		goto err_clear;
9365 
9366 	if (req->link_id >= 0)
9367 		link = sdata_dereference(sdata->link[req->link_id], sdata);
9368 	else
9369 		link = &sdata->deflink;
9370 
9371 	if (WARN_ON(!link)) {
9372 		err = -ENOLINK;
9373 		goto err_clear;
9374 	}
9375 
9376 	sdata_info(sdata, "authenticate with %pM (local address=%pM)\n",
9377 		   auth_data->ap_addr, link->conf->addr);
9378 
9379 	err = ieee80211_auth(sdata);
9380 	if (err) {
9381 		sta_info_destroy_addr(sdata, auth_data->ap_addr);
9382 		goto err_clear;
9383 	}
9384 
9385 	/* hold our own reference */
9386 	cfg80211_ref_bss(local->hw.wiphy, auth_data->bss);
9387 	return 0;
9388 
9389  err_clear:
9390 	if (!ieee80211_vif_is_mld(&sdata->vif)) {
9391 		eth_zero_addr(sdata->deflink.u.mgd.bssid);
9392 		ieee80211_link_info_change_notify(sdata, &sdata->deflink,
9393 						  BSS_CHANGED_BSSID);
9394 		ieee80211_link_release_channel(&sdata->deflink);
9395 	}
9396 	ifmgd->auth_data = NULL;
9397 	kfree(auth_data);
9398 	return err;
9399 }
9400 
9401 static void
9402 ieee80211_setup_assoc_link(struct ieee80211_sub_if_data *sdata,
9403 			   struct ieee80211_mgd_assoc_data *assoc_data,
9404 			   struct cfg80211_assoc_request *req,
9405 			   struct ieee80211_conn_settings *conn,
9406 			   unsigned int link_id)
9407 {
9408 	struct ieee80211_local *local = sdata->local;
9409 	const struct cfg80211_bss_ies *bss_ies;
9410 	struct ieee80211_supported_band *sband;
9411 	struct ieee80211_link_data *link;
9412 	struct cfg80211_bss *cbss;
9413 	struct ieee80211_bss *bss;
9414 
9415 	cbss = assoc_data->link[link_id].bss;
9416 	if (WARN_ON(!cbss))
9417 		return;
9418 
9419 	bss = (void *)cbss->priv;
9420 
9421 	sband = local->hw.wiphy->bands[cbss->channel->band];
9422 	if (WARN_ON(!sband))
9423 		return;
9424 
9425 	link = sdata_dereference(sdata->link[link_id], sdata);
9426 	if (WARN_ON(!link))
9427 		return;
9428 
9429 	/* for MLO connections assume advertising all rates is OK */
9430 	if (!req->ap_mld_addr) {
9431 		assoc_data->supp_rates = bss->supp_rates;
9432 		assoc_data->supp_rates_len = bss->supp_rates_len;
9433 	}
9434 
9435 	/* copy and link elems for the STA profile */
9436 	if (req->links[link_id].elems_len) {
9437 		memcpy(assoc_data->ie_pos, req->links[link_id].elems,
9438 		       req->links[link_id].elems_len);
9439 		assoc_data->link[link_id].elems = assoc_data->ie_pos;
9440 		assoc_data->link[link_id].elems_len = req->links[link_id].elems_len;
9441 		assoc_data->ie_pos += req->links[link_id].elems_len;
9442 	}
9443 
9444 	link->u.mgd.beacon_crc_valid = false;
9445 	link->u.mgd.dtim_period = 0;
9446 	link->u.mgd.have_beacon = false;
9447 
9448 	/* override HT configuration only if the AP and we support it */
9449 	if (conn->mode >= IEEE80211_CONN_MODE_HT) {
9450 		struct ieee80211_sta_ht_cap sta_ht_cap;
9451 
9452 		memcpy(&sta_ht_cap, &sband->ht_cap, sizeof(sta_ht_cap));
9453 		ieee80211_apply_htcap_overrides(sdata, &sta_ht_cap);
9454 	}
9455 
9456 	rcu_read_lock();
9457 	bss_ies = rcu_dereference(cbss->beacon_ies);
9458 	if (bss_ies) {
9459 		u8 dtim_count = 0;
9460 
9461 		ieee80211_get_dtim(bss_ies, &dtim_count,
9462 				   &link->u.mgd.dtim_period);
9463 
9464 		sdata->deflink.u.mgd.have_beacon = true;
9465 
9466 		if (ieee80211_hw_check(&local->hw, TIMING_BEACON_ONLY)) {
9467 			link->conf->sync_tsf = bss_ies->tsf;
9468 			link->conf->sync_device_ts = bss->device_ts_beacon;
9469 			link->conf->sync_dtim_count = dtim_count;
9470 		}
9471 	} else {
9472 		bss_ies = rcu_dereference(cbss->ies);
9473 	}
9474 
9475 	if (bss_ies) {
9476 		const struct element *elem;
9477 
9478 		elem = cfg80211_find_ext_elem(WLAN_EID_EXT_MULTIPLE_BSSID_CONFIGURATION,
9479 					      bss_ies->data, bss_ies->len);
9480 		if (elem && elem->datalen >= 3)
9481 			link->conf->profile_periodicity = elem->data[2];
9482 		else
9483 			link->conf->profile_periodicity = 0;
9484 
9485 		elem = cfg80211_find_elem(WLAN_EID_EXT_CAPABILITY,
9486 					  bss_ies->data, bss_ies->len);
9487 		if (elem && elem->datalen >= 11 &&
9488 		    (elem->data[10] & WLAN_EXT_CAPA11_EMA_SUPPORT))
9489 			link->conf->ema_ap = true;
9490 		else
9491 			link->conf->ema_ap = false;
9492 	}
9493 	rcu_read_unlock();
9494 
9495 	if (bss->corrupt_data) {
9496 		char *corrupt_type = "data";
9497 
9498 		if (bss->corrupt_data & IEEE80211_BSS_CORRUPT_BEACON) {
9499 			if (bss->corrupt_data & IEEE80211_BSS_CORRUPT_PROBE_RESP)
9500 				corrupt_type = "beacon and probe response";
9501 			else
9502 				corrupt_type = "beacon";
9503 		} else if (bss->corrupt_data & IEEE80211_BSS_CORRUPT_PROBE_RESP) {
9504 			corrupt_type = "probe response";
9505 		}
9506 		sdata_info(sdata, "associating to AP %pM with corrupt %s\n",
9507 			   cbss->bssid, corrupt_type);
9508 	}
9509 
9510 	if (link->u.mgd.req_smps == IEEE80211_SMPS_AUTOMATIC) {
9511 		if (sdata->u.mgd.powersave)
9512 			link->smps_mode = IEEE80211_SMPS_DYNAMIC;
9513 		else
9514 			link->smps_mode = IEEE80211_SMPS_OFF;
9515 	} else {
9516 		link->smps_mode = link->u.mgd.req_smps;
9517 	}
9518 }
9519 
9520 static int
9521 ieee80211_mgd_get_ap_ht_vht_capa(struct ieee80211_sub_if_data *sdata,
9522 				 struct ieee80211_mgd_assoc_data *assoc_data,
9523 				 int link_id)
9524 {
9525 	struct cfg80211_bss *cbss = assoc_data->link[link_id].bss;
9526 	enum nl80211_band band = cbss->channel->band;
9527 	struct ieee80211_supported_band *sband;
9528 	const struct element *elem;
9529 	int err;
9530 
9531 	/* neither HT nor VHT elements used on 6 GHz */
9532 	if (band == NL80211_BAND_6GHZ)
9533 		return 0;
9534 
9535 	if (assoc_data->link[link_id].conn.mode < IEEE80211_CONN_MODE_HT)
9536 		return 0;
9537 
9538 	rcu_read_lock();
9539 	elem = ieee80211_bss_get_elem(cbss, WLAN_EID_HT_OPERATION);
9540 	if (!elem || elem->datalen < sizeof(struct ieee80211_ht_operation)) {
9541 		mlme_link_id_dbg(sdata, link_id, "no HT operation on BSS %pM\n",
9542 				 cbss->bssid);
9543 		err = -EINVAL;
9544 		goto out_rcu;
9545 	}
9546 	assoc_data->link[link_id].ap_ht_param =
9547 		((struct ieee80211_ht_operation *)(elem->data))->ht_param;
9548 	rcu_read_unlock();
9549 
9550 	if (assoc_data->link[link_id].conn.mode < IEEE80211_CONN_MODE_VHT)
9551 		return 0;
9552 
9553 	/* some drivers want to support VHT on 2.4 GHz even */
9554 	sband = sdata->local->hw.wiphy->bands[band];
9555 	if (!sband->vht_cap.vht_supported)
9556 		return 0;
9557 
9558 	rcu_read_lock();
9559 	elem = ieee80211_bss_get_elem(cbss, WLAN_EID_VHT_CAPABILITY);
9560 	/* but even then accept it not being present on the AP */
9561 	if (!elem && band == NL80211_BAND_2GHZ) {
9562 		err = 0;
9563 		goto out_rcu;
9564 	}
9565 	if (!elem || elem->datalen < sizeof(struct ieee80211_vht_cap)) {
9566 		mlme_link_id_dbg(sdata, link_id, "no VHT capa on BSS %pM\n",
9567 				 cbss->bssid);
9568 		err = -EINVAL;
9569 		goto out_rcu;
9570 	}
9571 	memcpy(&assoc_data->link[link_id].ap_vht_cap, elem->data,
9572 	       sizeof(struct ieee80211_vht_cap));
9573 	rcu_read_unlock();
9574 
9575 	return 0;
9576 out_rcu:
9577 	rcu_read_unlock();
9578 	return err;
9579 }
9580 
9581 static bool
9582 ieee80211_mgd_assoc_bss_has_mld_ext_capa_ops(struct cfg80211_assoc_request *req)
9583 {
9584 	const struct cfg80211_bss_ies *ies;
9585 	struct cfg80211_bss *bss;
9586 	const struct element *ml;
9587 
9588 	/* not an MLO connection if link_id < 0, so irrelevant */
9589 	if (req->link_id < 0)
9590 		return false;
9591 
9592 	bss = req->links[req->link_id].bss;
9593 
9594 	guard(rcu)();
9595 	ies = rcu_dereference(bss->ies);
9596 	for_each_element_extid(ml, WLAN_EID_EXT_EHT_MULTI_LINK,
9597 			       ies->data, ies->len) {
9598 		const struct ieee80211_multi_link_elem *mle;
9599 
9600 		if (!ieee80211_mle_type_ok(ml->data + 1,
9601 					   IEEE80211_ML_CONTROL_TYPE_BASIC,
9602 					   ml->datalen - 1))
9603 			continue;
9604 
9605 		mle = (void *)(ml->data + 1);
9606 		if (mle->control & cpu_to_le16(IEEE80211_MLC_BASIC_PRES_EXT_MLD_CAPA_OP))
9607 			return true;
9608 	}
9609 
9610 	return false;
9611 
9612 }
9613 
9614 int ieee80211_mgd_assoc(struct ieee80211_sub_if_data *sdata,
9615 			struct cfg80211_assoc_request *req)
9616 {
9617 	unsigned int assoc_link_id = req->link_id < 0 ? 0 : req->link_id;
9618 	struct ieee80211_local *local = sdata->local;
9619 	struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
9620 	struct ieee80211_mgd_assoc_data *assoc_data;
9621 	const struct element *ssid_elem;
9622 	struct ieee80211_vif_cfg *vif_cfg = &sdata->vif.cfg;
9623 	struct ieee80211_link_data *link;
9624 	struct cfg80211_bss *cbss;
9625 	bool override, uapsd_supported;
9626 	bool match_auth;
9627 	int i, err;
9628 	size_t size = sizeof(*assoc_data) + req->ie_len;
9629 
9630 	for (i = 0; i < IEEE80211_MLD_MAX_NUM_LINKS; i++)
9631 		size += req->links[i].elems_len;
9632 
9633 	/* FIXME: no support for 4-addr MLO yet */
9634 	if (sdata->u.mgd.use_4addr && req->link_id >= 0)
9635 		return -EOPNOTSUPP;
9636 
9637 	assoc_data = kzalloc(size, GFP_KERNEL);
9638 	if (!assoc_data)
9639 		return -ENOMEM;
9640 
9641 	cbss = req->link_id < 0 ? req->bss : req->links[req->link_id].bss;
9642 
9643 	if (ieee80211_mgd_csa_in_process(sdata, cbss)) {
9644 		sdata_info(sdata, "AP is in CSA process, reject assoc\n");
9645 		err = -EINVAL;
9646 		goto err_free;
9647 	}
9648 
9649 	rcu_read_lock();
9650 	ssid_elem = ieee80211_bss_get_elem(cbss, WLAN_EID_SSID);
9651 	if (!ssid_elem || ssid_elem->datalen > sizeof(assoc_data->ssid)) {
9652 		rcu_read_unlock();
9653 		err = -EINVAL;
9654 		goto err_free;
9655 	}
9656 
9657 	memcpy(assoc_data->ssid, ssid_elem->data, ssid_elem->datalen);
9658 	assoc_data->ssid_len = ssid_elem->datalen;
9659 	rcu_read_unlock();
9660 
9661 	if (req->ap_mld_addr)
9662 		memcpy(assoc_data->ap_addr, req->ap_mld_addr, ETH_ALEN);
9663 	else
9664 		memcpy(assoc_data->ap_addr, cbss->bssid, ETH_ALEN);
9665 
9666 	/*
9667 	 * Many APs have broken parsing of the extended MLD capa/ops field,
9668 	 * dropping (re-)association request frames or replying with association
9669 	 * response with a failure status if it's present.
9670 	 * Set our value from the userspace request only in strict mode or if
9671 	 * the AP also had that field present.
9672 	 */
9673 	if (ieee80211_hw_check(&local->hw, STRICT) ||
9674 	    ieee80211_mgd_assoc_bss_has_mld_ext_capa_ops(req))
9675 		assoc_data->ext_mld_capa_ops =
9676 			cpu_to_le16(req->ext_mld_capa_ops);
9677 
9678 	if (ifmgd->associated) {
9679 		u8 frame_buf[IEEE80211_DEAUTH_FRAME_LEN];
9680 
9681 		sdata_info(sdata,
9682 			   "disconnect from AP %pM for new assoc to %pM\n",
9683 			   sdata->vif.cfg.ap_addr, assoc_data->ap_addr);
9684 		ieee80211_set_disassoc(sdata, IEEE80211_STYPE_DEAUTH,
9685 				       WLAN_REASON_UNSPECIFIED,
9686 				       false, frame_buf);
9687 
9688 		ieee80211_report_disconnect(sdata, frame_buf,
9689 					    sizeof(frame_buf), true,
9690 					    WLAN_REASON_UNSPECIFIED,
9691 					    false);
9692 	}
9693 
9694 	memset(sdata->u.mgd.userspace_selectors, 0,
9695 	       sizeof(sdata->u.mgd.userspace_selectors));
9696 	ieee80211_parse_cfg_selectors(sdata->u.mgd.userspace_selectors,
9697 				      req->supported_selectors,
9698 				      req->supported_selectors_len);
9699 
9700 	memcpy(&ifmgd->ht_capa, &req->ht_capa, sizeof(ifmgd->ht_capa));
9701 	memcpy(&ifmgd->ht_capa_mask, &req->ht_capa_mask,
9702 	       sizeof(ifmgd->ht_capa_mask));
9703 
9704 	memcpy(&ifmgd->vht_capa, &req->vht_capa, sizeof(ifmgd->vht_capa));
9705 	memcpy(&ifmgd->vht_capa_mask, &req->vht_capa_mask,
9706 	       sizeof(ifmgd->vht_capa_mask));
9707 
9708 	memcpy(&ifmgd->s1g_capa, &req->s1g_capa, sizeof(ifmgd->s1g_capa));
9709 	memcpy(&ifmgd->s1g_capa_mask, &req->s1g_capa_mask,
9710 	       sizeof(ifmgd->s1g_capa_mask));
9711 
9712 	/* keep some setup (AP STA, channel, ...) if matching */
9713 	match_auth = ifmgd->auth_data &&
9714 		     ether_addr_equal(ifmgd->auth_data->ap_addr,
9715 				      assoc_data->ap_addr) &&
9716 		     ifmgd->auth_data->link_id == req->link_id;
9717 
9718 	if (req->ap_mld_addr) {
9719 		uapsd_supported = true;
9720 
9721 		if (req->flags & (ASSOC_REQ_DISABLE_HT |
9722 				  ASSOC_REQ_DISABLE_VHT |
9723 				  ASSOC_REQ_DISABLE_HE |
9724 				  ASSOC_REQ_DISABLE_EHT)) {
9725 			err = -EINVAL;
9726 			goto err_free;
9727 		}
9728 
9729 		for (i = 0; i < IEEE80211_MLD_MAX_NUM_LINKS; i++) {
9730 			struct ieee80211_supported_band *sband;
9731 			struct cfg80211_bss *link_cbss = req->links[i].bss;
9732 			struct ieee80211_bss *bss;
9733 
9734 			if (!link_cbss)
9735 				continue;
9736 
9737 			bss = (void *)link_cbss->priv;
9738 
9739 			if (!bss->wmm_used) {
9740 				err = -EINVAL;
9741 				req->links[i].error = err;
9742 				goto err_free;
9743 			}
9744 
9745 			if (link_cbss->channel->band == NL80211_BAND_S1GHZ) {
9746 				err = -EINVAL;
9747 				req->links[i].error = err;
9748 				goto err_free;
9749 			}
9750 
9751 			link = sdata_dereference(sdata->link[i], sdata);
9752 			if (link)
9753 				ether_addr_copy(assoc_data->link[i].addr,
9754 						link->conf->addr);
9755 			else
9756 				eth_random_addr(assoc_data->link[i].addr);
9757 			sband = local->hw.wiphy->bands[link_cbss->channel->band];
9758 
9759 			if (match_auth && i == assoc_link_id && link)
9760 				assoc_data->link[i].conn = link->u.mgd.conn;
9761 			else
9762 				assoc_data->link[i].conn =
9763 					ieee80211_conn_settings_unlimited;
9764 			ieee80211_determine_our_sta_mode_assoc(sdata, sband,
9765 							       req, true, i,
9766 							       &assoc_data->link[i].conn);
9767 			assoc_data->link[i].bss = link_cbss;
9768 
9769 			if (!bss->uapsd_supported)
9770 				uapsd_supported = false;
9771 
9772 			if (assoc_data->link[i].conn.mode < IEEE80211_CONN_MODE_EHT) {
9773 				err = -EINVAL;
9774 				req->links[i].error = err;
9775 				goto err_free;
9776 			}
9777 
9778 			err = ieee80211_mgd_get_ap_ht_vht_capa(sdata,
9779 							       assoc_data, i);
9780 			if (err) {
9781 				err = -EINVAL;
9782 				req->links[i].error = err;
9783 				goto err_free;
9784 			}
9785 		}
9786 
9787 		assoc_data->wmm = true;
9788 	} else {
9789 		struct ieee80211_supported_band *sband;
9790 		struct ieee80211_bss *bss = (void *)cbss->priv;
9791 
9792 		memcpy(assoc_data->link[0].addr, sdata->vif.addr, ETH_ALEN);
9793 		assoc_data->s1g = cbss->channel->band == NL80211_BAND_S1GHZ;
9794 
9795 		assoc_data->wmm = bss->wmm_used &&
9796 				  (local->hw.queues >= IEEE80211_NUM_ACS);
9797 
9798 		if (cbss->channel->band == NL80211_BAND_6GHZ &&
9799 		    req->flags & (ASSOC_REQ_DISABLE_HT |
9800 				  ASSOC_REQ_DISABLE_VHT |
9801 				  ASSOC_REQ_DISABLE_HE)) {
9802 			err = -EINVAL;
9803 			goto err_free;
9804 		}
9805 
9806 		sband = local->hw.wiphy->bands[cbss->channel->band];
9807 
9808 		assoc_data->link[0].bss = cbss;
9809 
9810 		if (match_auth)
9811 			assoc_data->link[0].conn = sdata->deflink.u.mgd.conn;
9812 		else
9813 			assoc_data->link[0].conn =
9814 				ieee80211_conn_settings_unlimited;
9815 		ieee80211_determine_our_sta_mode_assoc(sdata, sband, req,
9816 						       assoc_data->wmm, 0,
9817 						       &assoc_data->link[0].conn);
9818 
9819 		uapsd_supported = bss->uapsd_supported;
9820 
9821 		err = ieee80211_mgd_get_ap_ht_vht_capa(sdata, assoc_data, 0);
9822 		if (err)
9823 			goto err_free;
9824 	}
9825 
9826 	assoc_data->spp_amsdu = req->flags & ASSOC_REQ_SPP_AMSDU;
9827 
9828 	if (ifmgd->auth_data && !ifmgd->auth_data->done) {
9829 		err = -EBUSY;
9830 		goto err_free;
9831 	}
9832 
9833 	if (ifmgd->assoc_data) {
9834 		err = -EBUSY;
9835 		goto err_free;
9836 	}
9837 
9838 	/* Cleanup is delayed if auth_data matches */
9839 	if (ifmgd->auth_data && !match_auth)
9840 		ieee80211_destroy_auth_data(sdata, false);
9841 
9842 	if (req->ie && req->ie_len) {
9843 		memcpy(assoc_data->ie, req->ie, req->ie_len);
9844 		assoc_data->ie_len = req->ie_len;
9845 		assoc_data->ie_pos = assoc_data->ie + assoc_data->ie_len;
9846 	} else {
9847 		assoc_data->ie_pos = assoc_data->ie;
9848 	}
9849 
9850 	if (req->fils_kek) {
9851 		/* should already be checked in cfg80211 - so warn */
9852 		if (WARN_ON(req->fils_kek_len > FILS_MAX_KEK_LEN)) {
9853 			err = -EINVAL;
9854 			goto err_free;
9855 		}
9856 		memcpy(assoc_data->fils_kek, req->fils_kek,
9857 		       req->fils_kek_len);
9858 		assoc_data->fils_kek_len = req->fils_kek_len;
9859 	}
9860 
9861 	if (req->fils_nonces)
9862 		memcpy(assoc_data->fils_nonces, req->fils_nonces,
9863 		       2 * FILS_NONCE_LEN);
9864 
9865 	/* default timeout */
9866 	assoc_data->timeout = jiffies;
9867 	assoc_data->timeout_started = true;
9868 
9869 	assoc_data->assoc_link_id = assoc_link_id;
9870 
9871 	if (req->ap_mld_addr) {
9872 		/* if there was no authentication, set up the link */
9873 		err = ieee80211_vif_set_links(sdata, BIT(assoc_link_id), 0);
9874 		if (err)
9875 			goto err_clear;
9876 	}
9877 
9878 	link = sdata_dereference(sdata->link[assoc_link_id], sdata);
9879 	if (WARN_ON(!link)) {
9880 		err = -EINVAL;
9881 		goto err_clear;
9882 	}
9883 
9884 	override = link->u.mgd.conn.mode !=
9885 			assoc_data->link[assoc_link_id].conn.mode ||
9886 		   link->u.mgd.conn.bw_limit !=
9887 			assoc_data->link[assoc_link_id].conn.bw_limit;
9888 	link->u.mgd.conn = assoc_data->link[assoc_link_id].conn;
9889 
9890 	ieee80211_setup_assoc_link(sdata, assoc_data, req, &link->u.mgd.conn,
9891 				   assoc_link_id);
9892 
9893 	if (WARN((sdata->vif.driver_flags & IEEE80211_VIF_SUPPORTS_UAPSD) &&
9894 		 ieee80211_hw_check(&local->hw, PS_NULLFUNC_STACK),
9895 	     "U-APSD not supported with HW_PS_NULLFUNC_STACK\n"))
9896 		sdata->vif.driver_flags &= ~IEEE80211_VIF_SUPPORTS_UAPSD;
9897 
9898 	if (assoc_data->wmm && uapsd_supported &&
9899 	    (sdata->vif.driver_flags & IEEE80211_VIF_SUPPORTS_UAPSD)) {
9900 		assoc_data->uapsd = true;
9901 		ifmgd->flags |= IEEE80211_STA_UAPSD_ENABLED;
9902 	} else {
9903 		assoc_data->uapsd = false;
9904 		ifmgd->flags &= ~IEEE80211_STA_UAPSD_ENABLED;
9905 	}
9906 
9907 	if (req->prev_bssid)
9908 		memcpy(assoc_data->prev_ap_addr, req->prev_bssid, ETH_ALEN);
9909 
9910 	if (req->use_mfp) {
9911 		ifmgd->mfp = IEEE80211_MFP_REQUIRED;
9912 		ifmgd->flags |= IEEE80211_STA_MFP_ENABLED;
9913 	} else {
9914 		ifmgd->mfp = IEEE80211_MFP_DISABLED;
9915 		ifmgd->flags &= ~IEEE80211_STA_MFP_ENABLED;
9916 	}
9917 
9918 	if (req->flags & ASSOC_REQ_USE_RRM)
9919 		ifmgd->flags |= IEEE80211_STA_ENABLE_RRM;
9920 	else
9921 		ifmgd->flags &= ~IEEE80211_STA_ENABLE_RRM;
9922 
9923 	if (req->crypto.control_port)
9924 		ifmgd->flags |= IEEE80211_STA_CONTROL_PORT;
9925 	else
9926 		ifmgd->flags &= ~IEEE80211_STA_CONTROL_PORT;
9927 
9928 	sdata->control_port_protocol = req->crypto.control_port_ethertype;
9929 	sdata->control_port_no_encrypt = req->crypto.control_port_no_encrypt;
9930 	sdata->control_port_over_nl80211 =
9931 					req->crypto.control_port_over_nl80211;
9932 	sdata->control_port_no_preauth = req->crypto.control_port_no_preauth;
9933 
9934 	/* kick off associate process */
9935 	ifmgd->assoc_data = assoc_data;
9936 
9937 	for (i = 0; i < ARRAY_SIZE(assoc_data->link); i++) {
9938 		if (!assoc_data->link[i].bss)
9939 			continue;
9940 		if (i == assoc_data->assoc_link_id)
9941 			continue;
9942 		/* only calculate the mode, hence link == NULL */
9943 		err = ieee80211_prep_channel(sdata, NULL, i,
9944 					     assoc_data->link[i].bss, true,
9945 					     &assoc_data->link[i].conn,
9946 					     sdata->u.mgd.userspace_selectors);
9947 		if (err) {
9948 			req->links[i].error = err;
9949 			goto err_clear;
9950 		}
9951 	}
9952 
9953 	memcpy(vif_cfg->ssid, assoc_data->ssid, assoc_data->ssid_len);
9954 	vif_cfg->ssid_len = assoc_data->ssid_len;
9955 
9956 	/* needed for transmitting the assoc frames properly */
9957 	memcpy(sdata->vif.cfg.ap_addr, assoc_data->ap_addr, ETH_ALEN);
9958 
9959 	err = ieee80211_prep_connection(sdata, cbss, req->link_id,
9960 					req->ap_mld_addr, true,
9961 					&assoc_data->link[assoc_link_id].conn,
9962 					override,
9963 					sdata->u.mgd.userspace_selectors);
9964 	if (err)
9965 		goto err_clear;
9966 
9967 	if (ieee80211_hw_check(&sdata->local->hw, NEED_DTIM_BEFORE_ASSOC)) {
9968 		const struct cfg80211_bss_ies *beacon_ies;
9969 
9970 		rcu_read_lock();
9971 		beacon_ies = rcu_dereference(req->bss->beacon_ies);
9972 		if (!beacon_ies) {
9973 			/*
9974 			 * Wait up to one beacon interval ...
9975 			 * should this be more if we miss one?
9976 			 */
9977 			sdata_info(sdata, "waiting for beacon from %pM\n",
9978 				   link->u.mgd.bssid);
9979 			assoc_data->timeout = TU_TO_EXP_TIME(req->bss->beacon_interval);
9980 			assoc_data->timeout_started = true;
9981 			assoc_data->need_beacon = true;
9982 		}
9983 		rcu_read_unlock();
9984 	}
9985 
9986 	run_again(sdata, assoc_data->timeout);
9987 
9988 	/* We are associating, clean up auth_data */
9989 	if (ifmgd->auth_data)
9990 		ieee80211_destroy_auth_data(sdata, true);
9991 
9992 	return 0;
9993  err_clear:
9994 	if (!ifmgd->auth_data) {
9995 		eth_zero_addr(sdata->deflink.u.mgd.bssid);
9996 		ieee80211_link_info_change_notify(sdata, &sdata->deflink,
9997 						  BSS_CHANGED_BSSID);
9998 	}
9999 	ifmgd->assoc_data = NULL;
10000  err_free:
10001 	kfree(assoc_data);
10002 	return err;
10003 }
10004 
10005 int ieee80211_mgd_deauth(struct ieee80211_sub_if_data *sdata,
10006 			 struct cfg80211_deauth_request *req)
10007 {
10008 	struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
10009 	u8 frame_buf[IEEE80211_DEAUTH_FRAME_LEN];
10010 	bool tx = !req->local_state_change;
10011 	struct ieee80211_prep_tx_info info = {
10012 		.subtype = IEEE80211_STYPE_DEAUTH,
10013 	};
10014 
10015 	if (ifmgd->auth_data &&
10016 	    ether_addr_equal(ifmgd->auth_data->ap_addr, req->bssid)) {
10017 		sdata_info(sdata,
10018 			   "aborting authentication with %pM by local choice (Reason: %u=%s)\n",
10019 			   req->bssid, req->reason_code,
10020 			   ieee80211_get_reason_code_string(req->reason_code));
10021 
10022 		info.link_id = ifmgd->auth_data->link_id;
10023 		drv_mgd_prepare_tx(sdata->local, sdata, &info);
10024 		ieee80211_send_deauth_disassoc(sdata, req->bssid, req->bssid,
10025 					       IEEE80211_STYPE_DEAUTH,
10026 					       req->reason_code, tx,
10027 					       frame_buf);
10028 		ieee80211_destroy_auth_data(sdata, false);
10029 		ieee80211_report_disconnect(sdata, frame_buf,
10030 					    sizeof(frame_buf), true,
10031 					    req->reason_code, false);
10032 		drv_mgd_complete_tx(sdata->local, sdata, &info);
10033 		return 0;
10034 	}
10035 
10036 	if (ifmgd->assoc_data &&
10037 	    ether_addr_equal(ifmgd->assoc_data->ap_addr, req->bssid)) {
10038 		sdata_info(sdata,
10039 			   "aborting association with %pM by local choice (Reason: %u=%s)\n",
10040 			   req->bssid, req->reason_code,
10041 			   ieee80211_get_reason_code_string(req->reason_code));
10042 
10043 		info.link_id = ifmgd->assoc_data->assoc_link_id;
10044 		drv_mgd_prepare_tx(sdata->local, sdata, &info);
10045 		ieee80211_send_deauth_disassoc(sdata, req->bssid, req->bssid,
10046 					       IEEE80211_STYPE_DEAUTH,
10047 					       req->reason_code, tx,
10048 					       frame_buf);
10049 		ieee80211_destroy_assoc_data(sdata, ASSOC_ABANDON);
10050 		ieee80211_report_disconnect(sdata, frame_buf,
10051 					    sizeof(frame_buf), true,
10052 					    req->reason_code, false);
10053 		drv_mgd_complete_tx(sdata->local, sdata, &info);
10054 		return 0;
10055 	}
10056 
10057 	if (ifmgd->associated &&
10058 	    ether_addr_equal(sdata->vif.cfg.ap_addr, req->bssid)) {
10059 		sdata_info(sdata,
10060 			   "deauthenticating from %pM by local choice (Reason: %u=%s)\n",
10061 			   req->bssid, req->reason_code,
10062 			   ieee80211_get_reason_code_string(req->reason_code));
10063 
10064 		ieee80211_set_disassoc(sdata, IEEE80211_STYPE_DEAUTH,
10065 				       req->reason_code, tx, frame_buf);
10066 		ieee80211_report_disconnect(sdata, frame_buf,
10067 					    sizeof(frame_buf), true,
10068 					    req->reason_code, false);
10069 		return 0;
10070 	}
10071 
10072 	return -ENOTCONN;
10073 }
10074 
10075 int ieee80211_mgd_disassoc(struct ieee80211_sub_if_data *sdata,
10076 			   struct cfg80211_disassoc_request *req)
10077 {
10078 	u8 frame_buf[IEEE80211_DEAUTH_FRAME_LEN];
10079 
10080 	if (!sdata->u.mgd.associated ||
10081 	    memcmp(sdata->vif.cfg.ap_addr, req->ap_addr, ETH_ALEN))
10082 		return -ENOTCONN;
10083 
10084 	sdata_info(sdata,
10085 		   "disassociating from %pM by local choice (Reason: %u=%s)\n",
10086 		   req->ap_addr, req->reason_code,
10087 		   ieee80211_get_reason_code_string(req->reason_code));
10088 
10089 	ieee80211_set_disassoc(sdata, IEEE80211_STYPE_DISASSOC,
10090 			       req->reason_code, !req->local_state_change,
10091 			       frame_buf);
10092 
10093 	ieee80211_report_disconnect(sdata, frame_buf, sizeof(frame_buf), true,
10094 				    req->reason_code, false);
10095 
10096 	return 0;
10097 }
10098 
10099 void ieee80211_mgd_stop_link(struct ieee80211_link_data *link)
10100 {
10101 	wiphy_work_cancel(link->sdata->local->hw.wiphy,
10102 			  &link->u.mgd.request_smps_work);
10103 	wiphy_work_cancel(link->sdata->local->hw.wiphy,
10104 			  &link->u.mgd.recalc_smps);
10105 	wiphy_hrtimer_work_cancel(link->sdata->local->hw.wiphy,
10106 				  &link->u.mgd.csa.switch_work);
10107 }
10108 
10109 void ieee80211_mgd_stop(struct ieee80211_sub_if_data *sdata)
10110 {
10111 	struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
10112 
10113 	/*
10114 	 * Make sure some work items will not run after this,
10115 	 * they will not do anything but might not have been
10116 	 * cancelled when disconnecting.
10117 	 */
10118 	wiphy_work_cancel(sdata->local->hw.wiphy,
10119 			  &ifmgd->monitor_work);
10120 	wiphy_work_cancel(sdata->local->hw.wiphy,
10121 			  &ifmgd->beacon_connection_loss_work);
10122 	wiphy_work_cancel(sdata->local->hw.wiphy,
10123 			  &ifmgd->csa_connection_drop_work);
10124 	wiphy_delayed_work_cancel(sdata->local->hw.wiphy,
10125 				  &ifmgd->tdls_peer_del_work);
10126 
10127 	if (ifmgd->assoc_data)
10128 		ieee80211_destroy_assoc_data(sdata, ASSOC_TIMEOUT);
10129 	if (ifmgd->auth_data)
10130 		ieee80211_destroy_auth_data(sdata, false);
10131 	spin_lock_bh(&ifmgd->teardown_lock);
10132 	if (ifmgd->teardown_skb) {
10133 		kfree_skb(ifmgd->teardown_skb);
10134 		ifmgd->teardown_skb = NULL;
10135 		ifmgd->orig_teardown_skb = NULL;
10136 	}
10137 	kfree(ifmgd->assoc_req_ies);
10138 	ifmgd->assoc_req_ies = NULL;
10139 	ifmgd->assoc_req_ies_len = 0;
10140 	spin_unlock_bh(&ifmgd->teardown_lock);
10141 	timer_delete_sync(&ifmgd->timer);
10142 }
10143 
10144 void ieee80211_cqm_rssi_notify(struct ieee80211_vif *vif,
10145 			       enum nl80211_cqm_rssi_threshold_event rssi_event,
10146 			       s32 rssi_level,
10147 			       gfp_t gfp)
10148 {
10149 	struct ieee80211_sub_if_data *sdata = vif_to_sdata(vif);
10150 
10151 	trace_api_cqm_rssi_notify(sdata, rssi_event, rssi_level);
10152 
10153 	cfg80211_cqm_rssi_notify(sdata->dev, rssi_event, rssi_level, gfp);
10154 }
10155 EXPORT_SYMBOL(ieee80211_cqm_rssi_notify);
10156 
10157 void ieee80211_cqm_beacon_loss_notify(struct ieee80211_vif *vif, gfp_t gfp)
10158 {
10159 	struct ieee80211_sub_if_data *sdata = vif_to_sdata(vif);
10160 
10161 	trace_api_cqm_beacon_loss_notify(sdata->local, sdata);
10162 
10163 	cfg80211_cqm_beacon_loss_notify(sdata->dev, gfp);
10164 }
10165 EXPORT_SYMBOL(ieee80211_cqm_beacon_loss_notify);
10166 
10167 static void _ieee80211_enable_rssi_reports(struct ieee80211_sub_if_data *sdata,
10168 					    int rssi_min_thold,
10169 					    int rssi_max_thold)
10170 {
10171 	trace_api_enable_rssi_reports(sdata, rssi_min_thold, rssi_max_thold);
10172 
10173 	if (WARN_ON(sdata->vif.type != NL80211_IFTYPE_STATION))
10174 		return;
10175 
10176 	/*
10177 	 * Scale up threshold values before storing it, as the RSSI averaging
10178 	 * algorithm uses a scaled up value as well. Change this scaling
10179 	 * factor if the RSSI averaging algorithm changes.
10180 	 */
10181 	sdata->u.mgd.rssi_min_thold = rssi_min_thold*16;
10182 	sdata->u.mgd.rssi_max_thold = rssi_max_thold*16;
10183 }
10184 
10185 void ieee80211_enable_rssi_reports(struct ieee80211_vif *vif,
10186 				    int rssi_min_thold,
10187 				    int rssi_max_thold)
10188 {
10189 	struct ieee80211_sub_if_data *sdata = vif_to_sdata(vif);
10190 
10191 	WARN_ON(rssi_min_thold == rssi_max_thold ||
10192 		rssi_min_thold > rssi_max_thold);
10193 
10194 	_ieee80211_enable_rssi_reports(sdata, rssi_min_thold,
10195 				       rssi_max_thold);
10196 }
10197 EXPORT_SYMBOL(ieee80211_enable_rssi_reports);
10198 
10199 void ieee80211_disable_rssi_reports(struct ieee80211_vif *vif)
10200 {
10201 	struct ieee80211_sub_if_data *sdata = vif_to_sdata(vif);
10202 
10203 	_ieee80211_enable_rssi_reports(sdata, 0, 0);
10204 }
10205 EXPORT_SYMBOL(ieee80211_disable_rssi_reports);
10206 
10207 void ieee80211_process_ml_reconf_resp(struct ieee80211_sub_if_data *sdata,
10208 				      struct ieee80211_mgmt *mgmt, size_t len)
10209 {
10210 	struct ieee80211_local *local = sdata->local;
10211 	struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
10212 	struct ieee80211_mgd_assoc_data *add_links_data =
10213 		ifmgd->reconf.add_links_data;
10214 	struct sta_info *sta;
10215 	struct cfg80211_mlo_reconf_done_data done_data = {};
10216 	u16 sta_changed_links = sdata->u.mgd.reconf.added_links |
10217 		                sdata->u.mgd.reconf.removed_links;
10218 	u16 link_mask, valid_links;
10219 	unsigned int link_id;
10220 	size_t orig_len = len;
10221 	u8 i, group_key_data_len;
10222 	u8 *pos;
10223 
10224 	if (!ieee80211_vif_is_mld(&sdata->vif) ||
10225 	    len < offsetofend(typeof(*mgmt), u.action.u.ml_reconf_resp) ||
10226 	    mgmt->u.action.u.ml_reconf_resp.dialog_token !=
10227 	    sdata->u.mgd.reconf.dialog_token ||
10228 	    !sta_changed_links)
10229 		return;
10230 
10231 	pos = mgmt->u.action.u.ml_reconf_resp.variable;
10232 	len -= offsetofend(typeof(*mgmt), u.action.u.ml_reconf_resp);
10233 
10234 	/* each status duple is 3 octets */
10235 	if (len < mgmt->u.action.u.ml_reconf_resp.count * 3) {
10236 		sdata_info(sdata,
10237 			   "mlo: reconf: unexpected len=%zu, count=%u\n",
10238 			   len, mgmt->u.action.u.ml_reconf_resp.count);
10239 		goto disconnect;
10240 	}
10241 
10242 	link_mask = sta_changed_links;
10243 	for (i = 0; i < mgmt->u.action.u.ml_reconf_resp.count; i++) {
10244 		u16 status = get_unaligned_le16(pos + 1);
10245 
10246 		link_id = *pos;
10247 
10248 		if (!(link_mask & BIT(link_id))) {
10249 			sdata_info(sdata,
10250 				   "mlo: reconf: unexpected link: %u, changed=0x%x\n",
10251 				   link_id, sta_changed_links);
10252 			goto disconnect;
10253 		}
10254 
10255 		/* clear the corresponding link, to detect the case that
10256 		 * the same link was included more than one time
10257 		 */
10258 		link_mask &= ~BIT(link_id);
10259 
10260 		/* Handle failure to remove links here. Failure to remove added
10261 		 * links will be done later in the flow.
10262 		 */
10263 		if (status != WLAN_STATUS_SUCCESS) {
10264 			sdata_info(sdata,
10265 				   "mlo: reconf: failed on link=%u, status=%u\n",
10266 				   link_id, status);
10267 
10268 			/* The AP MLD failed to remove a link that was already
10269 			 * removed locally. As this is not expected behavior,
10270 			 * disconnect
10271 			 */
10272 			if (sdata->u.mgd.reconf.removed_links & BIT(link_id))
10273 				goto disconnect;
10274 
10275 			/* The AP MLD failed to add a link. Remove it from the
10276 			 * added links.
10277 			 */
10278 			sdata->u.mgd.reconf.added_links &= ~BIT(link_id);
10279 		}
10280 
10281 		pos += 3;
10282 		len -= 3;
10283 	}
10284 
10285 	if (link_mask) {
10286 		sdata_info(sdata,
10287 			   "mlo: reconf: no response for links=0x%x\n",
10288 			   link_mask);
10289 		goto disconnect;
10290 	}
10291 
10292 	if (!sdata->u.mgd.reconf.added_links)
10293 		goto out;
10294 
10295 	if (len < 1 || len < 1 + *pos) {
10296 		sdata_info(sdata,
10297 			   "mlo: reconf: invalid group key data length");
10298 		goto disconnect;
10299 	}
10300 
10301 	/* The Group Key Data field must be present when links are added. This
10302 	 * field should be processed by userland.
10303 	 */
10304 	group_key_data_len = *pos++;
10305 
10306 	pos += group_key_data_len;
10307 	len -= group_key_data_len + 1;
10308 
10309 	/* Process the information for the added links */
10310 	sta = sta_info_get(sdata, sdata->vif.cfg.ap_addr);
10311 	if (WARN_ON(!sta))
10312 		goto disconnect;
10313 
10314 	valid_links = sdata->vif.valid_links;
10315 	for (link_id = 0; link_id < IEEE80211_MLD_MAX_NUM_LINKS; link_id++) {
10316 		if (!add_links_data->link[link_id].bss ||
10317 		    !(sdata->u.mgd.reconf.added_links & BIT(link_id)))
10318 			continue;
10319 
10320 		valid_links |= BIT(link_id);
10321 		if (ieee80211_sta_allocate_link(sta, link_id))
10322 			goto disconnect;
10323 	}
10324 
10325 	ieee80211_vif_set_links(sdata, valid_links, sdata->vif.dormant_links);
10326 	link_mask = 0;
10327 	for (link_id = 0; link_id < IEEE80211_MLD_MAX_NUM_LINKS; link_id++) {
10328 		struct cfg80211_bss *cbss = add_links_data->link[link_id].bss;
10329 		struct ieee80211_link_data *link;
10330 		struct link_sta_info *link_sta;
10331 		u64 changed = 0;
10332 
10333 		if (!cbss)
10334 			continue;
10335 
10336 		link = sdata_dereference(sdata->link[link_id], sdata);
10337 		if (WARN_ON(!link))
10338 			goto disconnect;
10339 
10340 		link_info(link,
10341 			  "mlo: reconf: local address %pM, AP link address %pM\n",
10342 			  add_links_data->link[link_id].addr,
10343 			  add_links_data->link[link_id].bss->bssid);
10344 
10345 		link_sta = rcu_dereference_protected(sta->link[link_id],
10346 						     lockdep_is_held(&local->hw.wiphy->mtx));
10347 		if (WARN_ON(!link_sta))
10348 			goto disconnect;
10349 
10350 		if (!link->u.mgd.have_beacon) {
10351 			const struct cfg80211_bss_ies *ies;
10352 
10353 			rcu_read_lock();
10354 			ies = rcu_dereference(cbss->beacon_ies);
10355 			if (ies)
10356 				link->u.mgd.have_beacon = true;
10357 			else
10358 				ies = rcu_dereference(cbss->ies);
10359 			ieee80211_get_dtim(ies,
10360 					   &link->conf->sync_dtim_count,
10361 					   &link->u.mgd.dtim_period);
10362 			link->conf->beacon_int = cbss->beacon_interval;
10363 			rcu_read_unlock();
10364 		}
10365 
10366 		link->conf->dtim_period = link->u.mgd.dtim_period ?: 1;
10367 
10368 		link->u.mgd.conn = add_links_data->link[link_id].conn;
10369 		if (ieee80211_prep_channel(sdata, link, link_id, cbss,
10370 					   true, &link->u.mgd.conn,
10371 					   sdata->u.mgd.userspace_selectors)) {
10372 			link_info(link, "mlo: reconf: prep_channel failed\n");
10373 			goto disconnect;
10374 		}
10375 
10376 		if (ieee80211_mgd_setup_link_sta(link, sta, link_sta,
10377 						 add_links_data->link[link_id].bss))
10378 			goto disconnect;
10379 
10380 		if (!ieee80211_assoc_config_link(link, link_sta,
10381 						 add_links_data->link[link_id].bss,
10382 						 mgmt, pos, len,
10383 						 &changed))
10384 			goto disconnect;
10385 
10386 		/* The AP MLD indicated success for this link, but the station
10387 		 * profile status indicated otherwise. Since there is an
10388 		 * inconsistency in the ML reconfiguration response, disconnect
10389 		 */
10390 		if (add_links_data->link[link_id].status != WLAN_STATUS_SUCCESS)
10391 			goto disconnect;
10392 
10393 		ieee80211_sta_init_nss(link_sta);
10394 		if (ieee80211_sta_activate_link(sta, link_id))
10395 			goto disconnect;
10396 
10397 		changed |= ieee80211_link_set_associated(link, cbss);
10398 		ieee80211_link_info_change_notify(sdata, link, changed);
10399 
10400 		ieee80211_recalc_smps(sdata, link);
10401 		link_mask |= BIT(link_id);
10402 	}
10403 
10404 	sdata_info(sdata,
10405 		   "mlo: reconf: current valid_links=0x%x, added=0x%x\n",
10406 		   valid_links, link_mask);
10407 
10408 	/* links might have changed due to rejected ones, set them again */
10409 	ieee80211_vif_set_links(sdata, valid_links, sdata->vif.dormant_links);
10410 	ieee80211_vif_cfg_change_notify(sdata, BSS_CHANGED_MLD_VALID_LINKS);
10411 
10412 	ieee80211_recalc_ps(local);
10413 	ieee80211_recalc_ps_vif(sdata);
10414 
10415 	done_data.buf = (const u8 *)mgmt;
10416 	done_data.len = orig_len;
10417 	done_data.added_links = link_mask;
10418 
10419 	for (link_id = 0; link_id < IEEE80211_MLD_MAX_NUM_LINKS; link_id++) {
10420 		done_data.links[link_id].bss = add_links_data->link[link_id].bss;
10421 		done_data.links[link_id].addr =
10422 			add_links_data->link[link_id].addr;
10423 	}
10424 
10425 	cfg80211_mlo_reconf_add_done(sdata->dev, &done_data);
10426 	kfree(sdata->u.mgd.reconf.add_links_data);
10427 	sdata->u.mgd.reconf.add_links_data = NULL;
10428 out:
10429 	ieee80211_ml_reconf_reset(sdata);
10430 	return;
10431 
10432 disconnect:
10433 	__ieee80211_disconnect(sdata);
10434 }
10435 
10436 static struct sk_buff *
10437 ieee80211_build_ml_reconf_req(struct ieee80211_sub_if_data *sdata,
10438 			      struct ieee80211_mgd_assoc_data *add_links_data,
10439 			      u16 removed_links, __le16 ext_mld_capa_ops)
10440 {
10441 	struct ieee80211_local *local = sdata->local;
10442 	struct ieee80211_mgmt *mgmt;
10443 	struct ieee80211_multi_link_elem *ml_elem;
10444 	struct ieee80211_mle_basic_common_info *common;
10445 	enum nl80211_iftype iftype = ieee80211_vif_type_p2p(&sdata->vif);
10446 	struct sk_buff *skb;
10447 	size_t size;
10448 	unsigned int link_id;
10449 	__le16 eml_capa = 0, mld_capa_ops = 0;
10450 	struct ieee80211_tx_info *info;
10451 	u8 common_size, var_common_size;
10452 	u8 *ml_elem_len;
10453 	u16 capab = 0;
10454 
10455 	size = local->hw.extra_tx_headroom + sizeof(*mgmt);
10456 
10457 	/* Consider the maximal length of the reconfiguration ML element */
10458 	size += sizeof(struct ieee80211_multi_link_elem);
10459 
10460 	/* The Basic ML element and the Reconfiguration ML element have the same
10461 	 * fixed common information fields in the context of ML reconfiguration
10462 	 * action frame. The AP MLD MAC address must always be present
10463 	 */
10464 	common_size = sizeof(*common);
10465 
10466 	/* when adding links, the MLD capabilities must be present */
10467 	var_common_size = 0;
10468 	if (add_links_data) {
10469 		const struct wiphy_iftype_ext_capab *ift_ext_capa =
10470 			cfg80211_get_iftype_ext_capa(local->hw.wiphy,
10471 						     ieee80211_vif_type_p2p(&sdata->vif));
10472 
10473 		if (ift_ext_capa) {
10474 			eml_capa = cpu_to_le16(ift_ext_capa->eml_capabilities);
10475 			mld_capa_ops =
10476 				cpu_to_le16(ift_ext_capa->mld_capa_and_ops);
10477 		}
10478 
10479 		/* MLD capabilities and operation */
10480 		var_common_size += 2;
10481 
10482 		/* EML capabilities */
10483 		if (eml_capa & cpu_to_le16((IEEE80211_EML_CAP_EMLSR_SUPP |
10484 					    IEEE80211_EML_CAP_EMLMR_SUPPORT)))
10485 			var_common_size += 2;
10486 	}
10487 
10488 	if (ext_mld_capa_ops)
10489 		var_common_size += 2;
10490 
10491 	/* Add the common information length */
10492 	size += common_size + var_common_size;
10493 
10494 	for (link_id = 0; link_id < IEEE80211_MLD_MAX_NUM_LINKS; link_id++) {
10495 		struct cfg80211_bss *cbss;
10496 		size_t elems_len;
10497 
10498 		if (removed_links & BIT(link_id)) {
10499 			size += sizeof(struct ieee80211_mle_per_sta_profile) +
10500 				ETH_ALEN;
10501 			continue;
10502 		}
10503 
10504 		if (!add_links_data || !add_links_data->link[link_id].bss)
10505 			continue;
10506 
10507 		elems_len = add_links_data->link[link_id].elems_len;
10508 		cbss = add_links_data->link[link_id].bss;
10509 
10510 		/* should be the same across all BSSes */
10511 		if (cbss->capability & WLAN_CAPABILITY_PRIVACY)
10512 			capab |= WLAN_CAPABILITY_PRIVACY;
10513 
10514 		size += 2 + sizeof(struct ieee80211_mle_per_sta_profile) +
10515 			ETH_ALEN;
10516 
10517 		/* WMM */
10518 		size += 9;
10519 		size += ieee80211_link_common_elems_size(sdata, iftype, cbss,
10520 							 elems_len);
10521 	}
10522 
10523 	skb = alloc_skb(size, GFP_KERNEL);
10524 	if (!skb)
10525 		return NULL;
10526 
10527 	skb_reserve(skb, local->hw.extra_tx_headroom);
10528 	mgmt = skb_put_zero(skb, offsetofend(struct ieee80211_mgmt,
10529 					     u.action.u.ml_reconf_req));
10530 
10531 	/* Add the MAC header */
10532 	mgmt->frame_control = cpu_to_le16(IEEE80211_FTYPE_MGMT |
10533 					  IEEE80211_STYPE_ACTION);
10534 	memcpy(mgmt->da, sdata->vif.cfg.ap_addr, ETH_ALEN);
10535 	memcpy(mgmt->sa, sdata->vif.addr, ETH_ALEN);
10536 	memcpy(mgmt->bssid, sdata->vif.cfg.ap_addr, ETH_ALEN);
10537 
10538 	/* Add the action frame fixed fields */
10539 	mgmt->u.action.category = WLAN_CATEGORY_PROTECTED_EHT;
10540 	mgmt->u.action.u.ml_reconf_req.action_code =
10541 		WLAN_PROTECTED_EHT_ACTION_LINK_RECONFIG_REQ;
10542 
10543 	/* allocate a dialog token and store it */
10544 	sdata->u.mgd.reconf.dialog_token = ++sdata->u.mgd.dialog_token_alloc;
10545 	mgmt->u.action.u.ml_reconf_req.dialog_token =
10546 		sdata->u.mgd.reconf.dialog_token;
10547 
10548 	/* Add the ML reconfiguration element and the common information  */
10549 	skb_put_u8(skb, WLAN_EID_EXTENSION);
10550 	ml_elem_len = skb_put(skb, 1);
10551 	skb_put_u8(skb, WLAN_EID_EXT_EHT_MULTI_LINK);
10552 	ml_elem = skb_put(skb, sizeof(*ml_elem));
10553 	ml_elem->control =
10554 		cpu_to_le16(IEEE80211_ML_CONTROL_TYPE_RECONF |
10555 			    IEEE80211_MLC_RECONF_PRES_MLD_MAC_ADDR);
10556 	common = skb_put(skb, common_size);
10557 	common->len = common_size + var_common_size;
10558 	memcpy(common->mld_mac_addr, sdata->vif.addr, ETH_ALEN);
10559 
10560 	if (add_links_data) {
10561 		if (eml_capa &
10562 		    cpu_to_le16((IEEE80211_EML_CAP_EMLSR_SUPP |
10563 				 IEEE80211_EML_CAP_EMLMR_SUPPORT))) {
10564 			ml_elem->control |=
10565 				cpu_to_le16(IEEE80211_MLC_RECONF_PRES_EML_CAPA);
10566 			skb_put_data(skb, &eml_capa, sizeof(eml_capa));
10567 		}
10568 
10569 		ml_elem->control |=
10570 			cpu_to_le16(IEEE80211_MLC_RECONF_PRES_MLD_CAPA_OP);
10571 
10572 		skb_put_data(skb, &mld_capa_ops, sizeof(mld_capa_ops));
10573 	}
10574 
10575 	if (ext_mld_capa_ops) {
10576 		ml_elem->control |=
10577 			cpu_to_le16(IEEE80211_MLC_RECONF_PRES_EXT_MLD_CAPA_OP);
10578 		skb_put_data(skb, &ext_mld_capa_ops, sizeof(ext_mld_capa_ops));
10579 	}
10580 
10581 	if (sdata->u.mgd.flags & IEEE80211_STA_ENABLE_RRM)
10582 		capab |= WLAN_CAPABILITY_RADIO_MEASURE;
10583 
10584 	/* Add the per station profile */
10585 	for (link_id = 0; link_id < IEEE80211_MLD_MAX_NUM_LINKS; link_id++) {
10586 		u8 *subelem_len = NULL;
10587 		u16 ctrl;
10588 		const u8 *addr;
10589 
10590 		/* Skip links that are not changing */
10591 		if (!(removed_links & BIT(link_id)) &&
10592 		    (!add_links_data || !add_links_data->link[link_id].bss))
10593 			continue;
10594 
10595 		ctrl = link_id |
10596 		       IEEE80211_MLE_STA_RECONF_CONTROL_STA_MAC_ADDR_PRESENT;
10597 
10598 		if (removed_links & BIT(link_id)) {
10599 			struct ieee80211_bss_conf *conf =
10600 				sdata_dereference(sdata->vif.link_conf[link_id],
10601 						  sdata);
10602 			if (!conf)
10603 				continue;
10604 
10605 			addr = conf->addr;
10606 			ctrl |= u16_encode_bits(IEEE80211_MLE_STA_RECONF_CONTROL_OPERATION_TYPE_DEL_LINK,
10607 						IEEE80211_MLE_STA_RECONF_CONTROL_OPERATION_TYPE);
10608 		} else {
10609 			addr = add_links_data->link[link_id].addr;
10610 			ctrl |= IEEE80211_MLE_STA_RECONF_CONTROL_COMPLETE_PROFILE |
10611 				u16_encode_bits(IEEE80211_MLE_STA_RECONF_CONTROL_OPERATION_TYPE_ADD_LINK,
10612 						IEEE80211_MLE_STA_RECONF_CONTROL_OPERATION_TYPE);
10613 		}
10614 
10615 		skb_put_u8(skb, IEEE80211_MLE_SUBELEM_PER_STA_PROFILE);
10616 		subelem_len = skb_put(skb, 1);
10617 
10618 		put_unaligned_le16(ctrl, skb_put(skb, sizeof(ctrl)));
10619 		skb_put_u8(skb, 1 + ETH_ALEN);
10620 		skb_put_data(skb, addr, ETH_ALEN);
10621 
10622 		if (!(removed_links & BIT(link_id))) {
10623 			u16 link_present_elems[PRESENT_ELEMS_MAX] = {};
10624 			size_t extra_used;
10625 			void *capab_pos;
10626 			u8 qos_info;
10627 
10628 			capab_pos = skb_put(skb, 2);
10629 
10630 			extra_used =
10631 				ieee80211_add_link_elems(sdata, skb, &capab, NULL,
10632 							 add_links_data->link[link_id].elems,
10633 							 add_links_data->link[link_id].elems_len,
10634 							 link_id, NULL,
10635 							 link_present_elems,
10636 							 add_links_data);
10637 
10638 			if (add_links_data->link[link_id].elems)
10639 				skb_put_data(skb,
10640 					     add_links_data->link[link_id].elems +
10641 					     extra_used,
10642 					     add_links_data->link[link_id].elems_len -
10643 					     extra_used);
10644 			if (sdata->u.mgd.flags & IEEE80211_STA_UAPSD_ENABLED) {
10645 				qos_info = sdata->u.mgd.uapsd_queues;
10646 				qos_info |= (sdata->u.mgd.uapsd_max_sp_len <<
10647 					     IEEE80211_WMM_IE_STA_QOSINFO_SP_SHIFT);
10648 			} else {
10649 				qos_info = 0;
10650 			}
10651 
10652 			ieee80211_add_wmm_info_ie(skb_put(skb, 9), qos_info);
10653 			put_unaligned_le16(capab, capab_pos);
10654 		}
10655 
10656 		ieee80211_fragment_element(skb, subelem_len,
10657 					   IEEE80211_MLE_SUBELEM_FRAGMENT);
10658 	}
10659 
10660 	ieee80211_fragment_element(skb, ml_elem_len, WLAN_EID_FRAGMENT);
10661 
10662 	info = IEEE80211_SKB_CB(skb);
10663 	info->flags |= IEEE80211_TX_CTL_REQ_TX_STATUS;
10664 
10665 	return skb;
10666 }
10667 
10668 int ieee80211_mgd_assoc_ml_reconf(struct ieee80211_sub_if_data *sdata,
10669 				  struct cfg80211_ml_reconf_req *req)
10670 {
10671 	struct ieee80211_local *local = sdata->local;
10672 	struct ieee80211_mgd_assoc_data *data = NULL;
10673 	struct sta_info *sta;
10674 	struct sk_buff *skb;
10675 	u16 added_links, new_valid_links;
10676 	int link_id, err;
10677 
10678 	if (!ieee80211_vif_is_mld(&sdata->vif) ||
10679 	    !(sdata->vif.cfg.mld_capa_op &
10680 	      IEEE80211_MLD_CAP_OP_LINK_RECONF_SUPPORT))
10681 		return -EINVAL;
10682 
10683 	/* No support for concurrent ML reconfiguration operation */
10684 	if (sdata->u.mgd.reconf.added_links ||
10685 	    sdata->u.mgd.reconf.removed_links)
10686 		return -EBUSY;
10687 
10688 	added_links = 0;
10689 	for (link_id = 0; link_id < IEEE80211_MLD_MAX_NUM_LINKS; link_id++) {
10690 		if (!req->add_links[link_id].bss)
10691 			continue;
10692 
10693 		added_links |= BIT(link_id);
10694 	}
10695 
10696 	sta = sta_info_get(sdata, sdata->vif.cfg.ap_addr);
10697 	if (WARN_ON(!sta))
10698 		return -ENOLINK;
10699 
10700 	/* Adding links to the set of valid link is done only after a successful
10701 	 * ML reconfiguration frame exchange. Here prepare the data for the ML
10702 	 * reconfiguration frame construction and allocate the required
10703 	 * resources
10704 	 */
10705 	if (added_links) {
10706 		bool uapsd_supported;
10707 
10708 		data = kzalloc(sizeof(*data), GFP_KERNEL);
10709 		if (!data)
10710 			return -ENOMEM;
10711 
10712 		data->assoc_link_id = -1;
10713 		data->wmm = true;
10714 
10715 		uapsd_supported = true;
10716 		for (link_id = 0; link_id < IEEE80211_MLD_MAX_NUM_LINKS;
10717 		     link_id++) {
10718 			struct ieee80211_supported_band *sband;
10719 			struct cfg80211_bss *link_cbss =
10720 				req->add_links[link_id].bss;
10721 			struct ieee80211_bss *bss;
10722 
10723 			if (!link_cbss)
10724 				continue;
10725 
10726 			bss = (void *)link_cbss->priv;
10727 
10728 			if (!bss->wmm_used) {
10729 				err = -EINVAL;
10730 				goto err_free;
10731 			}
10732 
10733 			if (link_cbss->channel->band == NL80211_BAND_S1GHZ) {
10734 				err = -EINVAL;
10735 				goto err_free;
10736 			}
10737 
10738 			eth_random_addr(data->link[link_id].addr);
10739 			data->link[link_id].conn =
10740 				ieee80211_conn_settings_unlimited;
10741 			sband =
10742 				local->hw.wiphy->bands[link_cbss->channel->band];
10743 
10744 			ieee80211_determine_our_sta_mode(sdata, sband,
10745 							 NULL, true, link_id,
10746 							 &data->link[link_id].conn);
10747 
10748 			data->link[link_id].bss = link_cbss;
10749 			data->link[link_id].elems =
10750 				(u8 *)req->add_links[link_id].elems;
10751 			data->link[link_id].elems_len =
10752 				req->add_links[link_id].elems_len;
10753 
10754 			if (!bss->uapsd_supported)
10755 				uapsd_supported = false;
10756 
10757 			if (data->link[link_id].conn.mode <
10758 			    IEEE80211_CONN_MODE_EHT) {
10759 				err = -EINVAL;
10760 				goto err_free;
10761 			}
10762 
10763 			err = ieee80211_mgd_get_ap_ht_vht_capa(sdata, data,
10764 							       link_id);
10765 			if (err) {
10766 				err = -EINVAL;
10767 				goto err_free;
10768 			}
10769 		}
10770 
10771 		/* Require U-APSD support if we enabled it */
10772 		if (sdata->u.mgd.flags & IEEE80211_STA_UAPSD_ENABLED &&
10773 		    !uapsd_supported) {
10774 			err = -EINVAL;
10775 			sdata_info(sdata, "U-APSD on but not available on (all) new links\n");
10776 			goto err_free;
10777 		}
10778 
10779 		for (link_id = 0; link_id < IEEE80211_MLD_MAX_NUM_LINKS;
10780 		     link_id++) {
10781 			if (!data->link[link_id].bss)
10782 				continue;
10783 
10784 			/* only used to verify the mode, nothing is allocated */
10785 			err = ieee80211_prep_channel(sdata, NULL, link_id,
10786 						     data->link[link_id].bss,
10787 						     true,
10788 						     &data->link[link_id].conn,
10789 						     sdata->u.mgd.userspace_selectors);
10790 			if (err)
10791 				goto err_free;
10792 		}
10793 	}
10794 
10795 	/* link removal is done before the ML reconfiguration frame exchange so
10796 	 * that these links will not be used between their removal by the AP MLD
10797 	 * and before the station got the ML reconfiguration response. Based on
10798 	 * Section 35.3.6.4 in Draft P802.11be_D7.0 the AP MLD should accept the
10799 	 * link removal request.
10800 	 */
10801 	if (req->rem_links) {
10802 		u16 new_active_links =
10803 			sdata->vif.active_links & ~req->rem_links;
10804 
10805 		new_valid_links = sdata->vif.valid_links & ~req->rem_links;
10806 
10807 		/* Should not be left with no valid links to perform the
10808 		 * ML reconfiguration
10809 		 */
10810 		if (!new_valid_links ||
10811 		    !(new_valid_links & ~sdata->vif.dormant_links)) {
10812 			sdata_info(sdata, "mlo: reconf: no valid links\n");
10813 			err = -EINVAL;
10814 			goto err_free;
10815 		}
10816 
10817 		if (new_active_links != sdata->vif.active_links) {
10818 			if (!new_active_links)
10819 				new_active_links =
10820 					BIT(__ffs(new_valid_links &
10821 						  ~sdata->vif.dormant_links));
10822 
10823 			err = ieee80211_set_active_links(&sdata->vif,
10824 							 new_active_links);
10825 			if (err) {
10826 				sdata_info(sdata,
10827 					   "mlo: reconf: failed set active links\n");
10828 				goto err_free;
10829 			}
10830 		}
10831 	}
10832 
10833 	/* Build the SKB before the link removal as the construction of the
10834 	 * station info for removed links requires the local address.
10835 	 * Invalidate the removed links, so that the transmission of the ML
10836 	 * reconfiguration request frame would not be done using them, as the AP
10837 	 * is expected to send the ML reconfiguration response frame on the link
10838 	 * on which the request was received.
10839 	 */
10840 	skb = ieee80211_build_ml_reconf_req(sdata, data, req->rem_links,
10841 					    cpu_to_le16(req->ext_mld_capa_ops));
10842 	if (!skb) {
10843 		err = -ENOMEM;
10844 		goto err_free;
10845 	}
10846 
10847 	if (req->rem_links) {
10848 		u16 new_dormant_links =
10849 			sdata->vif.dormant_links & ~req->rem_links;
10850 
10851 		err = ieee80211_vif_set_links(sdata, new_valid_links,
10852 					      new_dormant_links);
10853 		if (err) {
10854 			sdata_info(sdata,
10855 				   "mlo: reconf: failed set valid links\n");
10856 			kfree_skb(skb);
10857 			goto err_free;
10858 		}
10859 
10860 		for (link_id = 0; link_id < IEEE80211_MLD_MAX_NUM_LINKS;
10861 		     link_id++) {
10862 			if (!(req->rem_links & BIT(link_id)))
10863 				continue;
10864 
10865 			ieee80211_sta_remove_link(sta, link_id);
10866 		}
10867 
10868 		/* notify the driver and upper layers */
10869 		ieee80211_vif_cfg_change_notify(sdata,
10870 						BSS_CHANGED_MLD_VALID_LINKS);
10871 		cfg80211_links_removed(sdata->dev, req->rem_links);
10872 	}
10873 
10874 	sdata_info(sdata, "mlo: reconf: adding=0x%x, removed=0x%x\n",
10875 		   added_links, req->rem_links);
10876 
10877 	ieee80211_tx_skb(sdata, skb);
10878 
10879 	sdata->u.mgd.reconf.added_links = added_links;
10880 	sdata->u.mgd.reconf.add_links_data = data;
10881 	sdata->u.mgd.reconf.removed_links = req->rem_links;
10882 	wiphy_delayed_work_queue(sdata->local->hw.wiphy,
10883 				 &sdata->u.mgd.reconf.wk,
10884 				 IEEE80211_ASSOC_TIMEOUT_SHORT);
10885 	return 0;
10886 
10887  err_free:
10888 	kfree(data);
10889 	return err;
10890 }
10891 
10892 static bool ieee80211_mgd_epcs_supp(struct ieee80211_sub_if_data *sdata)
10893 {
10894 	unsigned long valid_links = sdata->vif.valid_links;
10895 	u8 link_id;
10896 
10897 	lockdep_assert_wiphy(sdata->local->hw.wiphy);
10898 
10899 	if (!ieee80211_vif_is_mld(&sdata->vif))
10900 		return false;
10901 
10902 	for_each_set_bit(link_id, &valid_links, IEEE80211_MLD_MAX_NUM_LINKS) {
10903 		struct ieee80211_bss_conf *bss_conf =
10904 			sdata_dereference(sdata->vif.link_conf[link_id], sdata);
10905 
10906 		if (WARN_ON(!bss_conf) || !bss_conf->epcs_support)
10907 			return false;
10908 	}
10909 
10910 	return true;
10911 }
10912 
10913 int ieee80211_mgd_set_epcs(struct ieee80211_sub_if_data *sdata, bool enable)
10914 {
10915 	struct ieee80211_local *local = sdata->local;
10916 	struct ieee80211_mgmt *mgmt;
10917 	struct sk_buff *skb;
10918 	int frame_len = offsetofend(struct ieee80211_mgmt,
10919 				    u.action.u.epcs) + (enable ? 1 : 0);
10920 
10921 	if (!ieee80211_mgd_epcs_supp(sdata))
10922 		return -EINVAL;
10923 
10924 	if (sdata->u.mgd.epcs.enabled == enable &&
10925 	    !sdata->u.mgd.epcs.dialog_token)
10926 		return 0;
10927 
10928 	/* Do not allow enabling EPCS if the AP didn't respond yet.
10929 	 * However, allow disabling EPCS in such a case.
10930 	 */
10931 	if (sdata->u.mgd.epcs.dialog_token && enable)
10932 		return -EALREADY;
10933 
10934 	skb = dev_alloc_skb(local->hw.extra_tx_headroom + frame_len);
10935 	if (!skb)
10936 		return -ENOBUFS;
10937 
10938 	skb_reserve(skb, local->hw.extra_tx_headroom);
10939 	mgmt = skb_put_zero(skb, frame_len);
10940 	mgmt->frame_control = cpu_to_le16(IEEE80211_FTYPE_MGMT |
10941 					  IEEE80211_STYPE_ACTION);
10942 	memcpy(mgmt->da, sdata->vif.cfg.ap_addr, ETH_ALEN);
10943 	memcpy(mgmt->sa, sdata->vif.addr, ETH_ALEN);
10944 	memcpy(mgmt->bssid, sdata->vif.cfg.ap_addr, ETH_ALEN);
10945 
10946 	mgmt->u.action.category = WLAN_CATEGORY_PROTECTED_EHT;
10947 	if (enable) {
10948 		u8 *pos = mgmt->u.action.u.epcs.variable;
10949 
10950 		mgmt->u.action.u.epcs.action_code =
10951 			WLAN_PROTECTED_EHT_ACTION_EPCS_ENABLE_REQ;
10952 
10953 		*pos = ++sdata->u.mgd.dialog_token_alloc;
10954 		sdata->u.mgd.epcs.dialog_token = *pos;
10955 	} else {
10956 		mgmt->u.action.u.epcs.action_code =
10957 			WLAN_PROTECTED_EHT_ACTION_EPCS_ENABLE_TEARDOWN;
10958 
10959 		ieee80211_epcs_teardown(sdata);
10960 		ieee80211_epcs_changed(sdata, false);
10961 	}
10962 
10963 	ieee80211_tx_skb(sdata, skb);
10964 	return 0;
10965 }
10966 
10967 static void ieee80211_ml_epcs(struct ieee80211_sub_if_data *sdata,
10968 			      struct ieee802_11_elems *elems)
10969 {
10970 	const struct element *sub;
10971 	size_t scratch_len = elems->ml_epcs_len;
10972 	u8 *scratch __free(kfree) = kzalloc(scratch_len, GFP_KERNEL);
10973 
10974 	lockdep_assert_wiphy(sdata->local->hw.wiphy);
10975 
10976 	if (!ieee80211_vif_is_mld(&sdata->vif) || !elems->ml_epcs)
10977 		return;
10978 
10979 	if (WARN_ON(!scratch))
10980 		return;
10981 
10982 	/* Directly parse the sub elements as the common information doesn't
10983 	 * hold any useful information.
10984 	 */
10985 	for_each_mle_subelement(sub, (const u8 *)elems->ml_epcs,
10986 				elems->ml_epcs_len) {
10987 		struct ieee802_11_elems *link_elems __free(kfree) = NULL;
10988 		struct ieee80211_link_data *link;
10989 		u8 *pos = (void *)sub->data;
10990 		u16 control;
10991 		ssize_t len;
10992 		u8 link_id;
10993 
10994 		if (sub->id != IEEE80211_MLE_SUBELEM_PER_STA_PROFILE)
10995 			continue;
10996 
10997 		if (sub->datalen < sizeof(control))
10998 			break;
10999 
11000 		control = get_unaligned_le16(pos);
11001 		link_id = control & IEEE80211_MLE_STA_EPCS_CONTROL_LINK_ID;
11002 
11003 		link = sdata_dereference(sdata->link[link_id], sdata);
11004 		if (!link)
11005 			continue;
11006 
11007 		len = cfg80211_defragment_element(sub, (u8 *)elems->ml_epcs,
11008 						  elems->ml_epcs_len,
11009 						  scratch, scratch_len,
11010 						  IEEE80211_MLE_SUBELEM_FRAGMENT);
11011 		if (len < (ssize_t)sizeof(control))
11012 			continue;
11013 
11014 		pos = scratch + sizeof(control);
11015 		len -= sizeof(control);
11016 
11017 		link_elems = ieee802_11_parse_elems(pos, len,
11018 						    IEEE80211_FTYPE_MGMT |
11019 						    IEEE80211_STYPE_ACTION,
11020 						    NULL);
11021 		if (!link_elems)
11022 			continue;
11023 
11024 		if (ieee80211_sta_wmm_params(sdata->local, link,
11025 					     link_elems->wmm_param,
11026 					     link_elems->wmm_param_len,
11027 					     link_elems->mu_edca_param_set))
11028 			ieee80211_link_info_change_notify(sdata, link,
11029 							  BSS_CHANGED_QOS);
11030 	}
11031 }
11032 
11033 void ieee80211_process_epcs_ena_resp(struct ieee80211_sub_if_data *sdata,
11034 				     struct ieee80211_mgmt *mgmt, size_t len)
11035 {
11036 	struct ieee802_11_elems *elems __free(kfree) = NULL;
11037 	size_t ies_len;
11038 	u16 status_code;
11039 	u8 *pos, dialog_token;
11040 
11041 	if (!ieee80211_mgd_epcs_supp(sdata))
11042 		return;
11043 
11044 	/* Handle dialog token and status code */
11045 	pos = mgmt->u.action.u.epcs.variable;
11046 	dialog_token = *pos;
11047 	status_code = get_unaligned_le16(pos + 1);
11048 
11049 	/* An EPCS enable response with dialog token == 0 is an unsolicited
11050 	 * notification from the AP MLD. In such a case, EPCS should already be
11051 	 * enabled and status must be success
11052 	 */
11053 	if (!dialog_token &&
11054 	    (!sdata->u.mgd.epcs.enabled ||
11055 	     status_code != WLAN_STATUS_SUCCESS))
11056 		return;
11057 
11058 	if (sdata->u.mgd.epcs.dialog_token != dialog_token)
11059 		return;
11060 
11061 	sdata->u.mgd.epcs.dialog_token = 0;
11062 
11063 	if (status_code != WLAN_STATUS_SUCCESS)
11064 		return;
11065 
11066 	pos += IEEE80211_EPCS_ENA_RESP_BODY_LEN;
11067 	ies_len = len - offsetof(struct ieee80211_mgmt,
11068 				 u.action.u.epcs.variable) -
11069 		IEEE80211_EPCS_ENA_RESP_BODY_LEN;
11070 
11071 	elems = ieee802_11_parse_elems(pos, ies_len,
11072 				       IEEE80211_FTYPE_MGMT |
11073 				       IEEE80211_STYPE_ACTION,
11074 				       NULL);
11075 	if (!elems)
11076 		return;
11077 
11078 	ieee80211_ml_epcs(sdata, elems);
11079 	ieee80211_epcs_changed(sdata, true);
11080 }
11081 
11082 void ieee80211_process_epcs_teardown(struct ieee80211_sub_if_data *sdata,
11083 				     struct ieee80211_mgmt *mgmt, size_t len)
11084 {
11085 	if (!ieee80211_vif_is_mld(&sdata->vif) ||
11086 	    !sdata->u.mgd.epcs.enabled)
11087 		return;
11088 
11089 	ieee80211_epcs_teardown(sdata);
11090 	ieee80211_epcs_changed(sdata, false);
11091 }
11092