xref: /linux/net/wireless/nl80211.c (revision 072e6f7f416f5d17be71000b31fb108651ad360d) 
1 // SPDX-License-Identifier: GPL-2.0-only
2 /*
3  * This is the new netlink-based wireless configuration interface.
4  *
5  * Copyright 2006-2010	Johannes Berg <johannes@sipsolutions.net>
6  * Copyright 2013-2014  Intel Mobile Communications GmbH
7  * Copyright 2015-2017	Intel Deutschland GmbH
8  * Copyright (C) 2018-2026 Intel Corporation
9  */
10 
11 #include <linux/if.h>
12 #include <linux/module.h>
13 #include <linux/err.h>
14 #include <linux/slab.h>
15 #include <linux/list.h>
16 #include <linux/if_ether.h>
17 #include <linux/ieee80211.h>
18 #include <linux/nl80211.h>
19 #include <linux/rtnetlink.h>
20 #include <linux/netlink.h>
21 #include <linux/nospec.h>
22 #include <linux/etherdevice.h>
23 #include <linux/if_vlan.h>
24 #include <net/net_namespace.h>
25 #include <net/genetlink.h>
26 #include <net/cfg80211.h>
27 #include <net/sock.h>
28 #include <net/inet_connection_sock.h>
29 #include "core.h"
30 #include "nl80211.h"
31 #include "reg.h"
32 #include "rdev-ops.h"
33 
34 static int nl80211_crypto_settings(struct cfg80211_registered_device *rdev,
35 				   struct genl_info *info,
36 				   struct cfg80211_crypto_settings *settings,
37 				   int cipher_limit);
38 
39 /* the netlink family */
40 static struct genl_family nl80211_fam;
41 
42 /* multicast groups */
43 enum nl80211_multicast_groups {
44 	NL80211_MCGRP_CONFIG,
45 	NL80211_MCGRP_SCAN,
46 	NL80211_MCGRP_REGULATORY,
47 	NL80211_MCGRP_MLME,
48 	NL80211_MCGRP_VENDOR,
49 	NL80211_MCGRP_NAN,
50 	NL80211_MCGRP_TESTMODE /* keep last - ifdef! */
51 };
52 
53 static const struct genl_multicast_group nl80211_mcgrps[] = {
54 	[NL80211_MCGRP_CONFIG] = { .name = NL80211_MULTICAST_GROUP_CONFIG },
55 	[NL80211_MCGRP_SCAN] = { .name = NL80211_MULTICAST_GROUP_SCAN },
56 	[NL80211_MCGRP_REGULATORY] = { .name = NL80211_MULTICAST_GROUP_REG },
57 	[NL80211_MCGRP_MLME] = { .name = NL80211_MULTICAST_GROUP_MLME },
58 	[NL80211_MCGRP_VENDOR] = { .name = NL80211_MULTICAST_GROUP_VENDOR },
59 	[NL80211_MCGRP_NAN] = { .name = NL80211_MULTICAST_GROUP_NAN },
60 #ifdef CONFIG_NL80211_TESTMODE
61 	[NL80211_MCGRP_TESTMODE] = { .name = NL80211_MULTICAST_GROUP_TESTMODE }
62 #endif
63 };
64 
65 /* returns ERR_PTR values */
66 static struct wireless_dev *
67 __cfg80211_wdev_from_attrs(struct cfg80211_registered_device *rdev,
68 			   struct net *netns, struct nlattr **attrs)
69 {
70 	struct wireless_dev *result = NULL;
71 	bool have_ifidx = attrs[NL80211_ATTR_IFINDEX];
72 	bool have_wdev_id = attrs[NL80211_ATTR_WDEV];
73 	u64 wdev_id = 0;
74 	int wiphy_idx = -1;
75 	int ifidx = -1;
76 
77 	if (!have_ifidx && !have_wdev_id)
78 		return ERR_PTR(-EINVAL);
79 
80 	if (have_ifidx)
81 		ifidx = nla_get_u32(attrs[NL80211_ATTR_IFINDEX]);
82 	if (have_wdev_id) {
83 		wdev_id = nla_get_u64(attrs[NL80211_ATTR_WDEV]);
84 		wiphy_idx = wdev_id >> 32;
85 	}
86 
87 	if (rdev) {
88 		struct wireless_dev *wdev;
89 
90 		lockdep_assert_held(&rdev->wiphy.mtx);
91 
92 		list_for_each_entry(wdev, &rdev->wiphy.wdev_list, list) {
93 			if (have_ifidx && wdev->netdev &&
94 			    wdev->netdev->ifindex == ifidx) {
95 				result = wdev;
96 				break;
97 			}
98 			if (have_wdev_id && wdev->identifier == (u32)wdev_id) {
99 				result = wdev;
100 				break;
101 			}
102 		}
103 
104 		return result ?: ERR_PTR(-ENODEV);
105 	}
106 
107 	ASSERT_RTNL();
108 
109 	for_each_rdev(rdev) {
110 		struct wireless_dev *wdev;
111 
112 		if (wiphy_net(&rdev->wiphy) != netns)
113 			continue;
114 
115 		if (have_wdev_id && rdev->wiphy_idx != wiphy_idx)
116 			continue;
117 
118 		list_for_each_entry(wdev, &rdev->wiphy.wdev_list, list) {
119 			if (have_ifidx && wdev->netdev &&
120 			    wdev->netdev->ifindex == ifidx) {
121 				result = wdev;
122 				break;
123 			}
124 			if (have_wdev_id && wdev->identifier == (u32)wdev_id) {
125 				result = wdev;
126 				break;
127 			}
128 		}
129 
130 		if (result)
131 			break;
132 	}
133 
134 	if (result)
135 		return result;
136 	return ERR_PTR(-ENODEV);
137 }
138 
139 static struct cfg80211_registered_device *
140 __cfg80211_rdev_from_attrs(struct net *netns, struct nlattr **attrs)
141 {
142 	struct cfg80211_registered_device *rdev = NULL, *tmp;
143 	struct net_device *netdev;
144 
145 	ASSERT_RTNL();
146 
147 	if (!attrs[NL80211_ATTR_WIPHY] &&
148 	    !attrs[NL80211_ATTR_IFINDEX] &&
149 	    !attrs[NL80211_ATTR_WDEV])
150 		return ERR_PTR(-EINVAL);
151 
152 	if (attrs[NL80211_ATTR_WIPHY])
153 		rdev = cfg80211_rdev_by_wiphy_idx(
154 				nla_get_u32(attrs[NL80211_ATTR_WIPHY]));
155 
156 	if (attrs[NL80211_ATTR_WDEV]) {
157 		u64 wdev_id = nla_get_u64(attrs[NL80211_ATTR_WDEV]);
158 		struct wireless_dev *wdev;
159 		bool found = false;
160 
161 		tmp = cfg80211_rdev_by_wiphy_idx(wdev_id >> 32);
162 		if (tmp) {
163 			/* make sure wdev exists */
164 			list_for_each_entry(wdev, &tmp->wiphy.wdev_list, list) {
165 				if (wdev->identifier != (u32)wdev_id)
166 					continue;
167 				found = true;
168 				break;
169 			}
170 
171 			if (!found)
172 				tmp = NULL;
173 
174 			if (rdev && tmp != rdev)
175 				return ERR_PTR(-EINVAL);
176 			rdev = tmp;
177 		}
178 	}
179 
180 	if (attrs[NL80211_ATTR_IFINDEX]) {
181 		int ifindex = nla_get_u32(attrs[NL80211_ATTR_IFINDEX]);
182 
183 		netdev = __dev_get_by_index(netns, ifindex);
184 		if (netdev) {
185 			if (netdev->ieee80211_ptr)
186 				tmp = wiphy_to_rdev(
187 					netdev->ieee80211_ptr->wiphy);
188 			else
189 				tmp = NULL;
190 
191 			/* not wireless device -- return error */
192 			if (!tmp)
193 				return ERR_PTR(-EINVAL);
194 
195 			/* mismatch -- return error */
196 			if (rdev && tmp != rdev)
197 				return ERR_PTR(-EINVAL);
198 
199 			rdev = tmp;
200 		}
201 	}
202 
203 	if (!rdev)
204 		return ERR_PTR(-ENODEV);
205 
206 	if (netns != wiphy_net(&rdev->wiphy))
207 		return ERR_PTR(-ENODEV);
208 
209 	return rdev;
210 }
211 
212 /*
213  * This function returns a pointer to the driver
214  * that the genl_info item that is passed refers to.
215  *
216  * The result of this can be a PTR_ERR and hence must
217  * be checked with IS_ERR() for errors.
218  */
219 static struct cfg80211_registered_device *
220 cfg80211_get_dev_from_info(struct net *netns, struct genl_info *info)
221 {
222 	return __cfg80211_rdev_from_attrs(netns, info->attrs);
223 }
224 
225 static int validate_beacon_head(const struct nlattr *attr,
226 				struct netlink_ext_ack *extack)
227 {
228 	const u8 *data = nla_data(attr);
229 	unsigned int len = nla_len(attr);
230 	const struct element *elem;
231 	const struct ieee80211_mgmt *mgmt = (void *)data;
232 	const struct ieee80211_ext *ext;
233 	unsigned int fixedlen, hdrlen;
234 	bool s1g_bcn;
235 
236 	if (len < offsetofend(typeof(*mgmt), frame_control))
237 		goto err;
238 
239 	s1g_bcn = ieee80211_is_s1g_beacon(mgmt->frame_control);
240 	if (s1g_bcn) {
241 		ext = (struct ieee80211_ext *)mgmt;
242 		fixedlen =
243 			offsetof(struct ieee80211_ext, u.s1g_beacon.variable) +
244 			ieee80211_s1g_optional_len(ext->frame_control);
245 		hdrlen = offsetof(struct ieee80211_ext, u.s1g_beacon);
246 	} else {
247 		fixedlen = offsetof(struct ieee80211_mgmt,
248 				    u.beacon.variable);
249 		hdrlen = offsetof(struct ieee80211_mgmt, u.beacon);
250 	}
251 
252 	if (len < fixedlen)
253 		goto err;
254 
255 	if (ieee80211_hdrlen(mgmt->frame_control) != hdrlen)
256 		goto err;
257 
258 	data += fixedlen;
259 	len -= fixedlen;
260 
261 	for_each_element(elem, data, len) {
262 		/* nothing */
263 	}
264 
265 	if (for_each_element_completed(elem, data, len))
266 		return 0;
267 
268 err:
269 	NL_SET_ERR_MSG_ATTR(extack, attr, "malformed beacon head");
270 	return -EINVAL;
271 }
272 
273 static int validate_ie_attr(const struct nlattr *attr,
274 			    struct netlink_ext_ack *extack)
275 {
276 	const u8 *data = nla_data(attr);
277 	unsigned int len = nla_len(attr);
278 	const struct element *elem;
279 
280 	for_each_element(elem, data, len) {
281 		/* nothing */
282 	}
283 
284 	if (for_each_element_completed(elem, data, len))
285 		return 0;
286 
287 	NL_SET_ERR_MSG_ATTR(extack, attr, "malformed information elements");
288 	return -EINVAL;
289 }
290 
291 static int validate_he_capa(const struct nlattr *attr,
292 			    struct netlink_ext_ack *extack)
293 {
294 	if (!ieee80211_he_capa_size_ok(nla_data(attr), nla_len(attr)))
295 		return -EINVAL;
296 
297 	return 0;
298 }
299 
300 static int validate_supported_selectors(const struct nlattr *attr,
301 					struct netlink_ext_ack *extack)
302 {
303 	const u8 *supported_selectors = nla_data(attr);
304 	u8 supported_selectors_len = nla_len(attr);
305 
306 	/* The top bit must not be set as it is not part of the selector */
307 	for (int i = 0; i < supported_selectors_len; i++) {
308 		if (supported_selectors[i] & 0x80)
309 			return -EINVAL;
310 	}
311 
312 	return 0;
313 }
314 
315 static int validate_nan_cluster_id(const struct nlattr *attr,
316 				   struct netlink_ext_ack *extack)
317 {
318 	const u8 *data = nla_data(attr);
319 	unsigned int len = nla_len(attr);
320 	static const u8 cluster_id_prefix[4] = {0x50, 0x6f, 0x9a, 0x1};
321 
322 	if (len != ETH_ALEN) {
323 		NL_SET_ERR_MSG_ATTR(extack, attr, "bad cluster id length");
324 		return -EINVAL;
325 	}
326 
327 	if (memcmp(data, cluster_id_prefix, sizeof(cluster_id_prefix))) {
328 		NL_SET_ERR_MSG_ATTR(extack, attr, "invalid cluster id prefix");
329 		return -EINVAL;
330 	}
331 
332 	return 0;
333 }
334 
335 static int validate_uhr_capa(const struct nlattr *attr,
336 			     struct netlink_ext_ack *extack)
337 {
338 	const u8 *data = nla_data(attr);
339 	unsigned int len = nla_len(attr);
340 
341 	return ieee80211_uhr_capa_size_ok(data, len, false);
342 }
343 
344 /* policy for the attributes */
345 static const struct nla_policy nl80211_policy[NUM_NL80211_ATTR];
346 
347 static const struct nla_policy
348 nl80211_ftm_responder_policy[NL80211_FTM_RESP_ATTR_MAX + 1] = {
349 	[NL80211_FTM_RESP_ATTR_ENABLED] = { .type = NLA_FLAG, },
350 	[NL80211_FTM_RESP_ATTR_LCI] = { .type = NLA_BINARY,
351 					.len = U8_MAX },
352 	[NL80211_FTM_RESP_ATTR_CIVICLOC] = { .type = NLA_BINARY,
353 					     .len = U8_MAX },
354 };
355 
356 static const struct nla_policy
357 nl80211_pmsr_ftm_req_attr_policy[NL80211_PMSR_FTM_REQ_ATTR_MAX + 1] = {
358 	[NL80211_PMSR_FTM_REQ_ATTR_ASAP] = { .type = NLA_FLAG },
359 	[NL80211_PMSR_FTM_REQ_ATTR_PREAMBLE] = { .type = NLA_U32 },
360 	[NL80211_PMSR_FTM_REQ_ATTR_NUM_BURSTS_EXP] =
361 		NLA_POLICY_MAX(NLA_U8, 15),
362 	[NL80211_PMSR_FTM_REQ_ATTR_BURST_PERIOD] = { .type = NLA_U16 },
363 	[NL80211_PMSR_FTM_REQ_ATTR_BURST_DURATION] =
364 		NLA_POLICY_MAX(NLA_U8, 15),
365 	[NL80211_PMSR_FTM_REQ_ATTR_FTMS_PER_BURST] = { .type = NLA_U8 },
366 	[NL80211_PMSR_FTM_REQ_ATTR_NUM_FTMR_RETRIES] = { .type = NLA_U8 },
367 	[NL80211_PMSR_FTM_REQ_ATTR_REQUEST_LCI] = { .type = NLA_FLAG },
368 	[NL80211_PMSR_FTM_REQ_ATTR_REQUEST_CIVICLOC] = { .type = NLA_FLAG },
369 	[NL80211_PMSR_FTM_REQ_ATTR_TRIGGER_BASED] = { .type = NLA_FLAG },
370 	[NL80211_PMSR_FTM_REQ_ATTR_NON_TRIGGER_BASED] = { .type = NLA_FLAG },
371 	[NL80211_PMSR_FTM_REQ_ATTR_LMR_FEEDBACK] = { .type = NLA_FLAG },
372 	[NL80211_PMSR_FTM_REQ_ATTR_BSS_COLOR] = { .type = NLA_U8 },
373 	[NL80211_PMSR_FTM_REQ_ATTR_RSTA] = { .type = NLA_FLAG },
374 };
375 
376 static const struct nla_policy
377 nl80211_pmsr_req_data_policy[NL80211_PMSR_TYPE_MAX + 1] = {
378 	[NL80211_PMSR_TYPE_FTM] =
379 		NLA_POLICY_NESTED(nl80211_pmsr_ftm_req_attr_policy),
380 };
381 
382 static const struct nla_policy
383 nl80211_pmsr_req_attr_policy[NL80211_PMSR_REQ_ATTR_MAX + 1] = {
384 	[NL80211_PMSR_REQ_ATTR_DATA] =
385 		NLA_POLICY_NESTED(nl80211_pmsr_req_data_policy),
386 	[NL80211_PMSR_REQ_ATTR_GET_AP_TSF] = { .type = NLA_FLAG },
387 };
388 
389 static const struct nla_policy
390 nl80211_pmsr_peer_attr_policy[NL80211_PMSR_PEER_ATTR_MAX + 1] = {
391 	[NL80211_PMSR_PEER_ATTR_ADDR] = NLA_POLICY_ETH_ADDR,
392 	[NL80211_PMSR_PEER_ATTR_CHAN] = NLA_POLICY_NESTED(nl80211_policy),
393 	[NL80211_PMSR_PEER_ATTR_REQ] =
394 		NLA_POLICY_NESTED(nl80211_pmsr_req_attr_policy),
395 	[NL80211_PMSR_PEER_ATTR_RESP] = { .type = NLA_REJECT },
396 };
397 
398 static const struct nla_policy
399 nl80211_pmsr_attr_policy[NL80211_PMSR_ATTR_MAX + 1] = {
400 	[NL80211_PMSR_ATTR_MAX_PEERS] = { .type = NLA_REJECT },
401 	[NL80211_PMSR_ATTR_REPORT_AP_TSF] = { .type = NLA_REJECT },
402 	[NL80211_PMSR_ATTR_RANDOMIZE_MAC_ADDR] = { .type = NLA_REJECT },
403 	[NL80211_PMSR_ATTR_TYPE_CAPA] = { .type = NLA_REJECT },
404 	[NL80211_PMSR_ATTR_PEERS] =
405 		NLA_POLICY_NESTED_ARRAY(nl80211_pmsr_peer_attr_policy),
406 };
407 
408 static const struct nla_policy
409 he_obss_pd_policy[NL80211_HE_OBSS_PD_ATTR_MAX + 1] = {
410 	[NL80211_HE_OBSS_PD_ATTR_MIN_OFFSET] =
411 		NLA_POLICY_RANGE(NLA_U8, 1, 20),
412 	[NL80211_HE_OBSS_PD_ATTR_MAX_OFFSET] =
413 		NLA_POLICY_RANGE(NLA_U8, 1, 20),
414 	[NL80211_HE_OBSS_PD_ATTR_NON_SRG_MAX_OFFSET] =
415 		NLA_POLICY_RANGE(NLA_U8, 1, 20),
416 	[NL80211_HE_OBSS_PD_ATTR_BSS_COLOR_BITMAP] =
417 		NLA_POLICY_EXACT_LEN(8),
418 	[NL80211_HE_OBSS_PD_ATTR_PARTIAL_BSSID_BITMAP] =
419 		NLA_POLICY_EXACT_LEN(8),
420 	[NL80211_HE_OBSS_PD_ATTR_SR_CTRL] = { .type = NLA_U8 },
421 };
422 
423 static const struct nla_policy
424 he_bss_color_policy[NL80211_HE_BSS_COLOR_ATTR_MAX + 1] = {
425 	[NL80211_HE_BSS_COLOR_ATTR_COLOR] = NLA_POLICY_RANGE(NLA_U8, 1, 63),
426 	[NL80211_HE_BSS_COLOR_ATTR_DISABLED] = { .type = NLA_FLAG },
427 	[NL80211_HE_BSS_COLOR_ATTR_PARTIAL] = { .type = NLA_FLAG },
428 };
429 
430 static const struct nla_policy nl80211_txattr_policy[NL80211_TXRATE_MAX + 1] = {
431 	[NL80211_TXRATE_LEGACY] = { .type = NLA_BINARY,
432 				    .len = NL80211_MAX_SUPP_RATES },
433 	[NL80211_TXRATE_HT] = { .type = NLA_BINARY,
434 				.len = NL80211_MAX_SUPP_HT_RATES },
435 	[NL80211_TXRATE_VHT] = NLA_POLICY_EXACT_LEN_WARN(sizeof(struct nl80211_txrate_vht)),
436 	[NL80211_TXRATE_GI] = { .type = NLA_U8 },
437 	[NL80211_TXRATE_HE] = NLA_POLICY_EXACT_LEN(sizeof(struct nl80211_txrate_he)),
438 	[NL80211_TXRATE_HE_GI] =  NLA_POLICY_RANGE(NLA_U8,
439 						   NL80211_RATE_INFO_HE_GI_0_8,
440 						   NL80211_RATE_INFO_HE_GI_3_2),
441 	[NL80211_TXRATE_HE_LTF] = NLA_POLICY_RANGE(NLA_U8,
442 						   NL80211_RATE_INFO_HE_1XLTF,
443 						   NL80211_RATE_INFO_HE_4XLTF),
444 	[NL80211_TXRATE_EHT] = NLA_POLICY_EXACT_LEN(sizeof(struct nl80211_txrate_eht)),
445 	[NL80211_TXRATE_EHT_GI] =  NLA_POLICY_RANGE(NLA_U8,
446 						   NL80211_RATE_INFO_EHT_GI_0_8,
447 						   NL80211_RATE_INFO_EHT_GI_3_2),
448 	[NL80211_TXRATE_EHT_LTF] = NLA_POLICY_RANGE(NLA_U8,
449 						   NL80211_RATE_INFO_EHT_1XLTF,
450 						   NL80211_RATE_INFO_EHT_8XLTF),
451 
452 };
453 
454 static const struct nla_policy
455 nl80211_tid_config_attr_policy[NL80211_TID_CONFIG_ATTR_MAX + 1] = {
456 	[NL80211_TID_CONFIG_ATTR_VIF_SUPP] = { .type = NLA_U64 },
457 	[NL80211_TID_CONFIG_ATTR_PEER_SUPP] = { .type = NLA_U64 },
458 	[NL80211_TID_CONFIG_ATTR_OVERRIDE] = { .type = NLA_FLAG },
459 	[NL80211_TID_CONFIG_ATTR_TIDS] = NLA_POLICY_RANGE(NLA_U16, 1, 0xff),
460 	[NL80211_TID_CONFIG_ATTR_NOACK] =
461 			NLA_POLICY_MAX(NLA_U8, NL80211_TID_CONFIG_DISABLE),
462 	[NL80211_TID_CONFIG_ATTR_RETRY_SHORT] = NLA_POLICY_MIN(NLA_U8, 1),
463 	[NL80211_TID_CONFIG_ATTR_RETRY_LONG] = NLA_POLICY_MIN(NLA_U8, 1),
464 	[NL80211_TID_CONFIG_ATTR_AMPDU_CTRL] =
465 			NLA_POLICY_MAX(NLA_U8, NL80211_TID_CONFIG_DISABLE),
466 	[NL80211_TID_CONFIG_ATTR_RTSCTS_CTRL] =
467 			NLA_POLICY_MAX(NLA_U8, NL80211_TID_CONFIG_DISABLE),
468 	[NL80211_TID_CONFIG_ATTR_AMSDU_CTRL] =
469 			NLA_POLICY_MAX(NLA_U8, NL80211_TID_CONFIG_DISABLE),
470 	[NL80211_TID_CONFIG_ATTR_TX_RATE_TYPE] =
471 			NLA_POLICY_MAX(NLA_U8, NL80211_TX_RATE_FIXED),
472 	[NL80211_TID_CONFIG_ATTR_TX_RATE] =
473 			NLA_POLICY_NESTED(nl80211_txattr_policy),
474 };
475 
476 static const struct nla_policy
477 nl80211_fils_discovery_policy[NL80211_FILS_DISCOVERY_ATTR_MAX + 1] = {
478 	[NL80211_FILS_DISCOVERY_ATTR_INT_MIN] = NLA_POLICY_MAX(NLA_U32, 10000),
479 	[NL80211_FILS_DISCOVERY_ATTR_INT_MAX] = NLA_POLICY_MAX(NLA_U32, 10000),
480 	[NL80211_FILS_DISCOVERY_ATTR_TMPL] =
481 			NLA_POLICY_RANGE(NLA_BINARY,
482 					 NL80211_FILS_DISCOVERY_TMPL_MIN_LEN,
483 					 IEEE80211_MAX_DATA_LEN),
484 };
485 
486 static const struct nla_policy
487 nl80211_unsol_bcast_probe_resp_policy[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_MAX + 1] = {
488 	[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_INT] = NLA_POLICY_MAX(NLA_U32, 20),
489 	[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_TMPL] = { .type = NLA_BINARY,
490 						       .len = IEEE80211_MAX_DATA_LEN }
491 };
492 
493 static const struct nla_policy
494 sar_specs_policy[NL80211_SAR_ATTR_SPECS_MAX + 1] = {
495 	[NL80211_SAR_ATTR_SPECS_POWER] = { .type = NLA_S32 },
496 	[NL80211_SAR_ATTR_SPECS_RANGE_INDEX] = {.type = NLA_U32 },
497 };
498 
499 static const struct nla_policy
500 sar_policy[NL80211_SAR_ATTR_MAX + 1] = {
501 	[NL80211_SAR_ATTR_TYPE] = NLA_POLICY_MAX(NLA_U32, NUM_NL80211_SAR_TYPE),
502 	[NL80211_SAR_ATTR_SPECS] = NLA_POLICY_NESTED_ARRAY(sar_specs_policy),
503 };
504 
505 static const struct nla_policy
506 nl80211_mbssid_config_policy[NL80211_MBSSID_CONFIG_ATTR_MAX + 1] = {
507 	[NL80211_MBSSID_CONFIG_ATTR_MAX_INTERFACES] = NLA_POLICY_MIN(NLA_U8, 2),
508 	[NL80211_MBSSID_CONFIG_ATTR_MAX_EMA_PROFILE_PERIODICITY] =
509 						NLA_POLICY_MIN(NLA_U8, 1),
510 	[NL80211_MBSSID_CONFIG_ATTR_INDEX] = { .type = NLA_U8 },
511 	[NL80211_MBSSID_CONFIG_ATTR_TX_IFINDEX] = { .type = NLA_U32 },
512 	[NL80211_MBSSID_CONFIG_ATTR_EMA] = { .type = NLA_FLAG },
513 	[NL80211_MBSSID_CONFIG_ATTR_TX_LINK_ID] =
514 		NLA_POLICY_MAX(NLA_U8, IEEE80211_MLD_MAX_NUM_LINKS),
515 };
516 
517 static const struct nla_policy
518 nl80211_sta_wme_policy[NL80211_STA_WME_MAX + 1] = {
519 	[NL80211_STA_WME_UAPSD_QUEUES] = { .type = NLA_U8 },
520 	[NL80211_STA_WME_MAX_SP] = { .type = NLA_U8 },
521 };
522 
523 static const struct nla_policy
524 nl80211_s1g_short_beacon[NL80211_S1G_SHORT_BEACON_ATTR_MAX + 1] = {
525 	[NL80211_S1G_SHORT_BEACON_ATTR_HEAD] =
526 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_beacon_head,
527 				       IEEE80211_MAX_DATA_LEN),
528 	[NL80211_S1G_SHORT_BEACON_ATTR_TAIL] =
529 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_ie_attr,
530 				       IEEE80211_MAX_DATA_LEN),
531 };
532 
533 static const struct nla_policy
534 nl80211_nan_band_conf_policy[NL80211_NAN_BAND_CONF_ATTR_MAX + 1] = {
535 	[NL80211_NAN_BAND_CONF_BAND] = NLA_POLICY_MAX(NLA_U8,
536 						      NUM_NL80211_BANDS - 1),
537 	[NL80211_NAN_BAND_CONF_FREQ] = { .type = NLA_U16 },
538 	[NL80211_NAN_BAND_CONF_RSSI_CLOSE] = NLA_POLICY_MIN(NLA_S8, -59),
539 	[NL80211_NAN_BAND_CONF_RSSI_MIDDLE] = NLA_POLICY_MIN(NLA_S8, -74),
540 	[NL80211_NAN_BAND_CONF_WAKE_DW] = NLA_POLICY_MAX(NLA_U8, 5),
541 	[NL80211_NAN_BAND_CONF_DISABLE_SCAN] = { .type = NLA_FLAG },
542 };
543 
544 static const struct nla_policy
545 nl80211_nan_conf_policy[NL80211_NAN_CONF_ATTR_MAX + 1] = {
546 	[NL80211_NAN_CONF_CLUSTER_ID] =
547 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_nan_cluster_id,
548 				       ETH_ALEN),
549 	[NL80211_NAN_CONF_EXTRA_ATTRS] = { .type = NLA_BINARY,
550 					   .len = IEEE80211_MAX_DATA_LEN},
551 	[NL80211_NAN_CONF_VENDOR_ELEMS] =
552 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_ie_attr,
553 				       IEEE80211_MAX_DATA_LEN),
554 	[NL80211_NAN_CONF_BAND_CONFIGS] =
555 		NLA_POLICY_NESTED_ARRAY(nl80211_nan_band_conf_policy),
556 	[NL80211_NAN_CONF_SCAN_PERIOD] = { .type = NLA_U16 },
557 	[NL80211_NAN_CONF_SCAN_DWELL_TIME] = NLA_POLICY_RANGE(NLA_U16, 50, 512),
558 	[NL80211_NAN_CONF_DISCOVERY_BEACON_INTERVAL] =
559 		NLA_POLICY_RANGE(NLA_U8, 50, 200),
560 	[NL80211_NAN_CONF_NOTIFY_DW] = { .type = NLA_FLAG },
561 };
562 
563 static const struct netlink_range_validation nl80211_punct_bitmap_range = {
564 	.min = 0,
565 	.max = 0xffff,
566 };
567 
568 static const struct netlink_range_validation q_range = {
569 	.max = INT_MAX,
570 };
571 
572 static const struct nla_policy nl80211_policy[NUM_NL80211_ATTR] = {
573 	[0] = { .strict_start_type = NL80211_ATTR_HE_OBSS_PD },
574 	[NL80211_ATTR_WIPHY] = { .type = NLA_U32 },
575 	[NL80211_ATTR_WIPHY_NAME] = { .type = NLA_NUL_STRING,
576 				      .len = 20-1 },
577 	[NL80211_ATTR_WIPHY_TXQ_PARAMS] = { .type = NLA_NESTED },
578 
579 	[NL80211_ATTR_WIPHY_FREQ] = { .type = NLA_U32 },
580 	[NL80211_ATTR_WIPHY_CHANNEL_TYPE] = { .type = NLA_U32 },
581 	[NL80211_ATTR_WIPHY_EDMG_CHANNELS] = NLA_POLICY_RANGE(NLA_U8,
582 						NL80211_EDMG_CHANNELS_MIN,
583 						NL80211_EDMG_CHANNELS_MAX),
584 	[NL80211_ATTR_WIPHY_EDMG_BW_CONFIG] = NLA_POLICY_RANGE(NLA_U8,
585 						NL80211_EDMG_BW_CONFIG_MIN,
586 						NL80211_EDMG_BW_CONFIG_MAX),
587 
588 	[NL80211_ATTR_CHANNEL_WIDTH] = { .type = NLA_U32 },
589 	[NL80211_ATTR_CENTER_FREQ1] = { .type = NLA_U32 },
590 	[NL80211_ATTR_CENTER_FREQ1_OFFSET] = NLA_POLICY_RANGE(NLA_U32, 0, 999),
591 	[NL80211_ATTR_CENTER_FREQ2] = { .type = NLA_U32 },
592 
593 	[NL80211_ATTR_WIPHY_RETRY_SHORT] = NLA_POLICY_MIN(NLA_U8, 1),
594 	[NL80211_ATTR_WIPHY_RETRY_LONG] = NLA_POLICY_MIN(NLA_U8, 1),
595 	[NL80211_ATTR_WIPHY_FRAG_THRESHOLD] = { .type = NLA_U32 },
596 	[NL80211_ATTR_WIPHY_RTS_THRESHOLD] = { .type = NLA_U32 },
597 	[NL80211_ATTR_WIPHY_COVERAGE_CLASS] = { .type = NLA_U8 },
598 	[NL80211_ATTR_WIPHY_DYN_ACK] = { .type = NLA_FLAG },
599 
600 	[NL80211_ATTR_IFTYPE] = NLA_POLICY_MAX(NLA_U32, NL80211_IFTYPE_MAX),
601 	[NL80211_ATTR_IFINDEX] = { .type = NLA_U32 },
602 	[NL80211_ATTR_IFNAME] = { .type = NLA_NUL_STRING, .len = IFNAMSIZ-1 },
603 
604 	[NL80211_ATTR_MAC] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
605 	[NL80211_ATTR_PREV_BSSID] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
606 
607 	[NL80211_ATTR_KEY] = { .type = NLA_NESTED, },
608 	[NL80211_ATTR_KEY_DATA] = { .type = NLA_BINARY,
609 				    .len = WLAN_MAX_KEY_LEN },
610 	[NL80211_ATTR_KEY_IDX] = NLA_POLICY_MAX(NLA_U8, 7),
611 	[NL80211_ATTR_KEY_CIPHER] = { .type = NLA_U32 },
612 	[NL80211_ATTR_KEY_DEFAULT] = { .type = NLA_FLAG },
613 	[NL80211_ATTR_KEY_SEQ] = { .type = NLA_BINARY, .len = 16 },
614 	[NL80211_ATTR_KEY_TYPE] =
615 		NLA_POLICY_MAX(NLA_U32, NUM_NL80211_KEYTYPES),
616 
617 	[NL80211_ATTR_BEACON_INTERVAL] = { .type = NLA_U32 },
618 	[NL80211_ATTR_DTIM_PERIOD] = { .type = NLA_U32 },
619 	[NL80211_ATTR_BEACON_HEAD] =
620 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_beacon_head,
621 				       IEEE80211_MAX_DATA_LEN),
622 	[NL80211_ATTR_BEACON_TAIL] =
623 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_ie_attr,
624 				       IEEE80211_MAX_DATA_LEN),
625 	[NL80211_ATTR_STA_AID] =
626 		NLA_POLICY_RANGE(NLA_U16, 1, IEEE80211_MAX_AID),
627 	[NL80211_ATTR_STA_FLAGS] = { .type = NLA_NESTED },
628 	[NL80211_ATTR_STA_LISTEN_INTERVAL] = { .type = NLA_U16 },
629 	[NL80211_ATTR_STA_SUPPORTED_RATES] = { .type = NLA_BINARY,
630 					       .len = NL80211_MAX_SUPP_RATES },
631 	[NL80211_ATTR_STA_PLINK_ACTION] =
632 		NLA_POLICY_MAX(NLA_U8, NUM_NL80211_PLINK_ACTIONS - 1),
633 	[NL80211_ATTR_STA_TX_POWER_SETTING] =
634 		NLA_POLICY_RANGE(NLA_U8,
635 				 NL80211_TX_POWER_AUTOMATIC,
636 				 NL80211_TX_POWER_FIXED),
637 	[NL80211_ATTR_STA_TX_POWER] = { .type = NLA_S16 },
638 	[NL80211_ATTR_STA_VLAN] = { .type = NLA_U32 },
639 	[NL80211_ATTR_MNTR_FLAGS] = { /* NLA_NESTED can't be empty */ },
640 	[NL80211_ATTR_MESH_ID] = { .type = NLA_BINARY,
641 				   .len = IEEE80211_MAX_MESH_ID_LEN },
642 	[NL80211_ATTR_MPATH_NEXT_HOP] = NLA_POLICY_ETH_ADDR_COMPAT,
643 
644 	/* allow 3 for NUL-termination, we used to declare this NLA_STRING */
645 	[NL80211_ATTR_REG_ALPHA2] = NLA_POLICY_RANGE(NLA_BINARY, 2, 3),
646 	[NL80211_ATTR_REG_RULES] = { .type = NLA_NESTED },
647 
648 	[NL80211_ATTR_BSS_CTS_PROT] = { .type = NLA_U8 },
649 	[NL80211_ATTR_BSS_SHORT_PREAMBLE] = { .type = NLA_U8 },
650 	[NL80211_ATTR_BSS_SHORT_SLOT_TIME] = { .type = NLA_U8 },
651 	[NL80211_ATTR_BSS_BASIC_RATES] = { .type = NLA_BINARY,
652 					   .len = NL80211_MAX_SUPP_RATES },
653 	[NL80211_ATTR_BSS_HT_OPMODE] = { .type = NLA_U16 },
654 
655 	[NL80211_ATTR_MESH_CONFIG] = { .type = NLA_NESTED },
656 	[NL80211_ATTR_SUPPORT_MESH_AUTH] = { .type = NLA_FLAG },
657 
658 	[NL80211_ATTR_HT_CAPABILITY] = NLA_POLICY_EXACT_LEN_WARN(NL80211_HT_CAPABILITY_LEN),
659 
660 	[NL80211_ATTR_MGMT_SUBTYPE] = { .type = NLA_U8 },
661 	[NL80211_ATTR_IE] = NLA_POLICY_VALIDATE_FN(NLA_BINARY,
662 						   validate_ie_attr,
663 						   IEEE80211_MAX_DATA_LEN),
664 	[NL80211_ATTR_SCAN_FREQUENCIES] = { .type = NLA_NESTED },
665 	[NL80211_ATTR_SCAN_SSIDS] = { .type = NLA_NESTED },
666 
667 	[NL80211_ATTR_SSID] = { .type = NLA_BINARY,
668 				.len = IEEE80211_MAX_SSID_LEN },
669 	[NL80211_ATTR_AUTH_TYPE] = { .type = NLA_U32 },
670 	[NL80211_ATTR_REASON_CODE] = { .type = NLA_U16 },
671 	[NL80211_ATTR_FREQ_FIXED] = { .type = NLA_FLAG },
672 	[NL80211_ATTR_TIMED_OUT] = { .type = NLA_FLAG },
673 	[NL80211_ATTR_USE_MFP] = NLA_POLICY_RANGE(NLA_U32,
674 						  NL80211_MFP_NO,
675 						  NL80211_MFP_OPTIONAL),
676 	[NL80211_ATTR_STA_FLAGS2] =
677 		NLA_POLICY_EXACT_LEN_WARN(sizeof(struct nl80211_sta_flag_update)),
678 	[NL80211_ATTR_CONTROL_PORT] = { .type = NLA_FLAG },
679 	[NL80211_ATTR_CONTROL_PORT_ETHERTYPE] = { .type = NLA_U16 },
680 	[NL80211_ATTR_CONTROL_PORT_NO_ENCRYPT] = { .type = NLA_FLAG },
681 	[NL80211_ATTR_CONTROL_PORT_OVER_NL80211] = { .type = NLA_FLAG },
682 	[NL80211_ATTR_PRIVACY] = { .type = NLA_FLAG },
683 	[NL80211_ATTR_STATUS_CODE] = { .type = NLA_U16 },
684 	[NL80211_ATTR_CIPHER_SUITE_GROUP] = { .type = NLA_U32 },
685 	[NL80211_ATTR_WPA_VERSIONS] =
686 		NLA_POLICY_RANGE(NLA_U32, 0,
687 				 NL80211_WPA_VERSION_1 |
688 				 NL80211_WPA_VERSION_2 |
689 				 NL80211_WPA_VERSION_3),
690 	[NL80211_ATTR_PID] = { .type = NLA_U32 },
691 	[NL80211_ATTR_4ADDR] = { .type = NLA_U8 },
692 	[NL80211_ATTR_PMKID] = NLA_POLICY_EXACT_LEN_WARN(WLAN_PMKID_LEN),
693 	[NL80211_ATTR_DURATION] = { .type = NLA_U32 },
694 	[NL80211_ATTR_COOKIE] = { .type = NLA_U64 },
695 	[NL80211_ATTR_TX_RATES] = { .type = NLA_NESTED },
696 	[NL80211_ATTR_FRAME] = { .type = NLA_BINARY,
697 				 .len = IEEE80211_MAX_DATA_LEN },
698 	[NL80211_ATTR_FRAME_MATCH] = { .type = NLA_BINARY, },
699 	[NL80211_ATTR_PS_STATE] = NLA_POLICY_RANGE(NLA_U32,
700 						   NL80211_PS_DISABLED,
701 						   NL80211_PS_ENABLED),
702 	[NL80211_ATTR_CQM] = { .type = NLA_NESTED, },
703 	[NL80211_ATTR_LOCAL_STATE_CHANGE] = { .type = NLA_FLAG },
704 	[NL80211_ATTR_AP_ISOLATE] = { .type = NLA_U8 },
705 	[NL80211_ATTR_WIPHY_TX_POWER_SETTING] = { .type = NLA_U32 },
706 	[NL80211_ATTR_WIPHY_TX_POWER_LEVEL] = { .type = NLA_U32 },
707 	[NL80211_ATTR_FRAME_TYPE] = { .type = NLA_U16 },
708 	[NL80211_ATTR_WIPHY_ANTENNA_TX] = { .type = NLA_U32 },
709 	[NL80211_ATTR_WIPHY_ANTENNA_RX] = { .type = NLA_U32 },
710 	[NL80211_ATTR_MCAST_RATE] = { .type = NLA_U32 },
711 	[NL80211_ATTR_OFFCHANNEL_TX_OK] = { .type = NLA_FLAG },
712 	[NL80211_ATTR_KEY_DEFAULT_TYPES] = { .type = NLA_NESTED },
713 	[NL80211_ATTR_WOWLAN_TRIGGERS] = { .type = NLA_NESTED },
714 	[NL80211_ATTR_STA_PLINK_STATE] =
715 		NLA_POLICY_MAX(NLA_U8, NUM_NL80211_PLINK_STATES - 1),
716 	[NL80211_ATTR_MEASUREMENT_DURATION] = { .type = NLA_U16 },
717 	[NL80211_ATTR_MEASUREMENT_DURATION_MANDATORY] = { .type = NLA_FLAG },
718 	[NL80211_ATTR_MESH_PEER_AID] =
719 		NLA_POLICY_RANGE(NLA_U16, 1, IEEE80211_MAX_AID),
720 	[NL80211_ATTR_SCHED_SCAN_INTERVAL] = { .type = NLA_U32 },
721 	[NL80211_ATTR_REKEY_DATA] = { .type = NLA_NESTED },
722 	[NL80211_ATTR_SCAN_SUPP_RATES] = { .type = NLA_NESTED },
723 	[NL80211_ATTR_HIDDEN_SSID] =
724 		NLA_POLICY_RANGE(NLA_U32,
725 				 NL80211_HIDDEN_SSID_NOT_IN_USE,
726 				 NL80211_HIDDEN_SSID_ZERO_CONTENTS),
727 	[NL80211_ATTR_IE_PROBE_RESP] =
728 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_ie_attr,
729 				       IEEE80211_MAX_DATA_LEN),
730 	[NL80211_ATTR_IE_ASSOC_RESP] =
731 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_ie_attr,
732 				       IEEE80211_MAX_DATA_LEN),
733 	[NL80211_ATTR_ROAM_SUPPORT] = { .type = NLA_FLAG },
734 	[NL80211_ATTR_STA_WME] = NLA_POLICY_NESTED(nl80211_sta_wme_policy),
735 	[NL80211_ATTR_SCHED_SCAN_MATCH] = { .type = NLA_NESTED },
736 	[NL80211_ATTR_TX_NO_CCK_RATE] = { .type = NLA_FLAG },
737 	[NL80211_ATTR_TDLS_ACTION] = { .type = NLA_U8 },
738 	[NL80211_ATTR_TDLS_DIALOG_TOKEN] = { .type = NLA_U8 },
739 	[NL80211_ATTR_TDLS_OPERATION] = { .type = NLA_U8 },
740 	[NL80211_ATTR_TDLS_SUPPORT] = { .type = NLA_FLAG },
741 	[NL80211_ATTR_TDLS_EXTERNAL_SETUP] = { .type = NLA_FLAG },
742 	[NL80211_ATTR_TDLS_INITIATOR] = { .type = NLA_FLAG },
743 	[NL80211_ATTR_DONT_WAIT_FOR_ACK] = { .type = NLA_FLAG },
744 	[NL80211_ATTR_PROBE_RESP] = { .type = NLA_BINARY,
745 				      .len = IEEE80211_MAX_DATA_LEN },
746 	[NL80211_ATTR_DFS_REGION] = { .type = NLA_U8 },
747 	[NL80211_ATTR_DISABLE_HT] = { .type = NLA_FLAG },
748 	[NL80211_ATTR_HT_CAPABILITY_MASK] = {
749 		.len = NL80211_HT_CAPABILITY_LEN
750 	},
751 	[NL80211_ATTR_NOACK_MAP] = { .type = NLA_U16 },
752 	[NL80211_ATTR_INACTIVITY_TIMEOUT] = { .type = NLA_U16 },
753 	[NL80211_ATTR_BG_SCAN_PERIOD] = { .type = NLA_U16 },
754 	[NL80211_ATTR_WDEV] = { .type = NLA_U64 },
755 	[NL80211_ATTR_USER_REG_HINT_TYPE] = { .type = NLA_U32 },
756 
757 	/* need to include at least Auth Transaction and Status Code */
758 	[NL80211_ATTR_AUTH_DATA] = NLA_POLICY_MIN_LEN(4),
759 
760 	[NL80211_ATTR_VHT_CAPABILITY] = NLA_POLICY_EXACT_LEN_WARN(NL80211_VHT_CAPABILITY_LEN),
761 	[NL80211_ATTR_SCAN_FLAGS] = { .type = NLA_U32 },
762 	[NL80211_ATTR_P2P_CTWINDOW] = NLA_POLICY_MAX(NLA_U8, 127),
763 	[NL80211_ATTR_P2P_OPPPS] = NLA_POLICY_MAX(NLA_U8, 1),
764 	[NL80211_ATTR_LOCAL_MESH_POWER_MODE] =
765 		NLA_POLICY_RANGE(NLA_U32,
766 				 NL80211_MESH_POWER_UNKNOWN + 1,
767 				 NL80211_MESH_POWER_MAX),
768 	[NL80211_ATTR_ACL_POLICY] = {. type = NLA_U32 },
769 	[NL80211_ATTR_MAC_ADDRS] = { .type = NLA_NESTED },
770 	[NL80211_ATTR_STA_CAPABILITY] = { .type = NLA_U16 },
771 	[NL80211_ATTR_STA_EXT_CAPABILITY] = { .type = NLA_BINARY, },
772 	[NL80211_ATTR_SPLIT_WIPHY_DUMP] = { .type = NLA_FLAG, },
773 	[NL80211_ATTR_DISABLE_VHT] = { .type = NLA_FLAG },
774 	[NL80211_ATTR_VHT_CAPABILITY_MASK] = {
775 		.len = NL80211_VHT_CAPABILITY_LEN,
776 	},
777 	[NL80211_ATTR_MDID] = { .type = NLA_U16 },
778 	[NL80211_ATTR_IE_RIC] = { .type = NLA_BINARY,
779 				  .len = IEEE80211_MAX_DATA_LEN },
780 	[NL80211_ATTR_CRIT_PROT_ID] = { .type = NLA_U16 },
781 	[NL80211_ATTR_MAX_CRIT_PROT_DURATION] =
782 		NLA_POLICY_MAX(NLA_U16, NL80211_CRIT_PROTO_MAX_DURATION),
783 	[NL80211_ATTR_PEER_AID] =
784 		NLA_POLICY_RANGE(NLA_U16, 1, IEEE80211_MAX_AID),
785 	[NL80211_ATTR_CH_SWITCH_COUNT] = { .type = NLA_U32 },
786 	[NL80211_ATTR_CH_SWITCH_BLOCK_TX] = { .type = NLA_FLAG },
787 	[NL80211_ATTR_CSA_IES] = { .type = NLA_NESTED },
788 	[NL80211_ATTR_CNTDWN_OFFS_BEACON] = { .type = NLA_BINARY },
789 	[NL80211_ATTR_CNTDWN_OFFS_PRESP] = { .type = NLA_BINARY },
790 	[NL80211_ATTR_STA_SUPPORTED_CHANNELS] = NLA_POLICY_MIN_LEN(2),
791 	/*
792 	 * The value of the Length field of the Supported Operating
793 	 * Classes element is between 2 and 253.
794 	 */
795 	[NL80211_ATTR_STA_SUPPORTED_OPER_CLASSES] =
796 		NLA_POLICY_RANGE(NLA_BINARY, 2, 253),
797 	[NL80211_ATTR_HANDLE_DFS] = { .type = NLA_FLAG },
798 	[NL80211_ATTR_OPMODE_NOTIF] = { .type = NLA_U8 },
799 	[NL80211_ATTR_VENDOR_ID] = { .type = NLA_U32 },
800 	[NL80211_ATTR_VENDOR_SUBCMD] = { .type = NLA_U32 },
801 	[NL80211_ATTR_VENDOR_DATA] = { .type = NLA_BINARY },
802 	[NL80211_ATTR_QOS_MAP] = NLA_POLICY_RANGE(NLA_BINARY,
803 						  IEEE80211_QOS_MAP_LEN_MIN,
804 						  IEEE80211_QOS_MAP_LEN_MAX),
805 	[NL80211_ATTR_MAC_HINT] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
806 	[NL80211_ATTR_WIPHY_FREQ_HINT] = { .type = NLA_U32 },
807 	[NL80211_ATTR_TDLS_PEER_CAPABILITY] = { .type = NLA_U32 },
808 	[NL80211_ATTR_SOCKET_OWNER] = { .type = NLA_FLAG },
809 	[NL80211_ATTR_CSA_C_OFFSETS_TX] = { .type = NLA_BINARY },
810 	[NL80211_ATTR_USE_RRM] = { .type = NLA_FLAG },
811 	[NL80211_ATTR_TSID] = NLA_POLICY_MAX(NLA_U8, IEEE80211_NUM_TIDS - 1),
812 	[NL80211_ATTR_USER_PRIO] =
813 		NLA_POLICY_MAX(NLA_U8, IEEE80211_NUM_UPS - 1),
814 	[NL80211_ATTR_ADMITTED_TIME] = { .type = NLA_U16 },
815 	[NL80211_ATTR_SMPS_MODE] = { .type = NLA_U8 },
816 	[NL80211_ATTR_OPER_CLASS] = { .type = NLA_U8 },
817 	[NL80211_ATTR_MAC_MASK] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
818 	[NL80211_ATTR_WIPHY_SELF_MANAGED_REG] = { .type = NLA_FLAG },
819 	[NL80211_ATTR_NETNS_FD] = { .type = NLA_U32 },
820 	[NL80211_ATTR_SCHED_SCAN_DELAY] = { .type = NLA_U32 },
821 	[NL80211_ATTR_REG_INDOOR] = { .type = NLA_FLAG },
822 	[NL80211_ATTR_PBSS] = { .type = NLA_FLAG },
823 	[NL80211_ATTR_BSS_SELECT] = { .type = NLA_NESTED },
824 	[NL80211_ATTR_STA_SUPPORT_P2P_PS] =
825 		NLA_POLICY_MAX(NLA_U8, NUM_NL80211_P2P_PS_STATUS - 1),
826 	[NL80211_ATTR_MU_MIMO_GROUP_DATA] = {
827 		.len = VHT_MUMIMO_GROUPS_DATA_LEN
828 	},
829 	[NL80211_ATTR_MU_MIMO_FOLLOW_MAC_ADDR] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
830 	[NL80211_ATTR_NAN_MASTER_PREF] = NLA_POLICY_MIN(NLA_U8, 1),
831 	[NL80211_ATTR_BANDS] = { .type = NLA_U32 },
832 	[NL80211_ATTR_NAN_CONFIG] = NLA_POLICY_NESTED(nl80211_nan_conf_policy),
833 	[NL80211_ATTR_NAN_FUNC] = { .type = NLA_NESTED },
834 	[NL80211_ATTR_FILS_KEK] = { .type = NLA_BINARY,
835 				    .len = FILS_MAX_KEK_LEN },
836 	[NL80211_ATTR_FILS_NONCES] = NLA_POLICY_EXACT_LEN_WARN(2 * FILS_NONCE_LEN),
837 	[NL80211_ATTR_MULTICAST_TO_UNICAST_ENABLED] = { .type = NLA_FLAG, },
838 	[NL80211_ATTR_BSSID] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
839 	[NL80211_ATTR_SCHED_SCAN_RELATIVE_RSSI] = { .type = NLA_S8 },
840 	[NL80211_ATTR_SCHED_SCAN_RSSI_ADJUST] = {
841 		.len = sizeof(struct nl80211_bss_select_rssi_adjust)
842 	},
843 	[NL80211_ATTR_TIMEOUT_REASON] = { .type = NLA_U32 },
844 	[NL80211_ATTR_FILS_ERP_USERNAME] = { .type = NLA_BINARY,
845 					     .len = FILS_ERP_MAX_USERNAME_LEN },
846 	[NL80211_ATTR_FILS_ERP_REALM] = { .type = NLA_BINARY,
847 					  .len = FILS_ERP_MAX_REALM_LEN },
848 	[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM] = { .type = NLA_U16 },
849 	[NL80211_ATTR_FILS_ERP_RRK] = { .type = NLA_BINARY,
850 					.len = FILS_ERP_MAX_RRK_LEN },
851 	[NL80211_ATTR_FILS_CACHE_ID] = NLA_POLICY_EXACT_LEN_WARN(2),
852 	[NL80211_ATTR_PMK] = { .type = NLA_BINARY, .len = PMK_MAX_LEN },
853 	[NL80211_ATTR_PMKR0_NAME] = NLA_POLICY_EXACT_LEN(WLAN_PMK_NAME_LEN),
854 	[NL80211_ATTR_SCHED_SCAN_MULTI] = { .type = NLA_FLAG },
855 	[NL80211_ATTR_EXTERNAL_AUTH_SUPPORT] = { .type = NLA_FLAG },
856 
857 	[NL80211_ATTR_TXQ_LIMIT] = { .type = NLA_U32 },
858 	[NL80211_ATTR_TXQ_MEMORY_LIMIT] = { .type = NLA_U32 },
859 	[NL80211_ATTR_TXQ_QUANTUM] = NLA_POLICY_FULL_RANGE(NLA_U32, &q_range),
860 	[NL80211_ATTR_HE_CAPABILITY] =
861 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_he_capa,
862 				       NL80211_HE_MAX_CAPABILITY_LEN),
863 	[NL80211_ATTR_FTM_RESPONDER] =
864 		NLA_POLICY_NESTED(nl80211_ftm_responder_policy),
865 	[NL80211_ATTR_TIMEOUT] = NLA_POLICY_MIN(NLA_U32, 1),
866 	[NL80211_ATTR_PEER_MEASUREMENTS] =
867 		NLA_POLICY_NESTED(nl80211_pmsr_attr_policy),
868 	[NL80211_ATTR_AIRTIME_WEIGHT] = NLA_POLICY_MIN(NLA_U16, 1),
869 	[NL80211_ATTR_SAE_PASSWORD] = { .type = NLA_BINARY,
870 					.len = SAE_PASSWORD_MAX_LEN },
871 	[NL80211_ATTR_TWT_RESPONDER] = { .type = NLA_FLAG },
872 	[NL80211_ATTR_HE_OBSS_PD] = NLA_POLICY_NESTED(he_obss_pd_policy),
873 	[NL80211_ATTR_VLAN_ID] = NLA_POLICY_RANGE(NLA_U16, 1, VLAN_N_VID - 2),
874 	[NL80211_ATTR_HE_BSS_COLOR] = NLA_POLICY_NESTED(he_bss_color_policy),
875 	[NL80211_ATTR_TID_CONFIG] =
876 		NLA_POLICY_NESTED_ARRAY(nl80211_tid_config_attr_policy),
877 	[NL80211_ATTR_CONTROL_PORT_NO_PREAUTH] = { .type = NLA_FLAG },
878 	[NL80211_ATTR_PMK_LIFETIME] = NLA_POLICY_MIN(NLA_U32, 1),
879 	[NL80211_ATTR_PMK_REAUTH_THRESHOLD] = NLA_POLICY_RANGE(NLA_U8, 1, 100),
880 	[NL80211_ATTR_RECEIVE_MULTICAST] = { .type = NLA_FLAG },
881 	[NL80211_ATTR_WIPHY_FREQ_OFFSET] = NLA_POLICY_RANGE(NLA_U32, 0, 999),
882 	[NL80211_ATTR_SCAN_FREQ_KHZ] = { .type = NLA_NESTED },
883 	[NL80211_ATTR_HE_6GHZ_CAPABILITY] =
884 		NLA_POLICY_EXACT_LEN(sizeof(struct ieee80211_he_6ghz_capa)),
885 	[NL80211_ATTR_FILS_DISCOVERY] =
886 		NLA_POLICY_NESTED(nl80211_fils_discovery_policy),
887 	[NL80211_ATTR_UNSOL_BCAST_PROBE_RESP] =
888 		NLA_POLICY_NESTED(nl80211_unsol_bcast_probe_resp_policy),
889 	[NL80211_ATTR_S1G_CAPABILITY] =
890 		NLA_POLICY_EXACT_LEN(IEEE80211_S1G_CAPABILITY_LEN),
891 	[NL80211_ATTR_S1G_CAPABILITY_MASK] =
892 		NLA_POLICY_EXACT_LEN(IEEE80211_S1G_CAPABILITY_LEN),
893 	[NL80211_ATTR_SAE_PWE] =
894 		NLA_POLICY_RANGE(NLA_U8, NL80211_SAE_PWE_HUNT_AND_PECK,
895 				 NL80211_SAE_PWE_BOTH),
896 	[NL80211_ATTR_RECONNECT_REQUESTED] = { .type = NLA_REJECT },
897 	[NL80211_ATTR_SAR_SPEC] = NLA_POLICY_NESTED(sar_policy),
898 	[NL80211_ATTR_DISABLE_HE] = { .type = NLA_FLAG },
899 	[NL80211_ATTR_OBSS_COLOR_BITMAP] = { .type = NLA_U64 },
900 	[NL80211_ATTR_COLOR_CHANGE_COUNT] = { .type = NLA_U8 },
901 	[NL80211_ATTR_COLOR_CHANGE_COLOR] = { .type = NLA_U8 },
902 	[NL80211_ATTR_COLOR_CHANGE_ELEMS] = NLA_POLICY_NESTED(nl80211_policy),
903 	[NL80211_ATTR_MBSSID_CONFIG] =
904 			NLA_POLICY_NESTED(nl80211_mbssid_config_policy),
905 	[NL80211_ATTR_MBSSID_ELEMS] = { .type = NLA_NESTED },
906 	[NL80211_ATTR_RADAR_BACKGROUND] = { .type = NLA_FLAG },
907 	[NL80211_ATTR_AP_SETTINGS_FLAGS] = { .type = NLA_U32 },
908 	[NL80211_ATTR_EHT_CAPABILITY] =
909 		NLA_POLICY_RANGE(NLA_BINARY,
910 				 NL80211_EHT_MIN_CAPABILITY_LEN,
911 				 NL80211_EHT_MAX_CAPABILITY_LEN),
912 	[NL80211_ATTR_DISABLE_EHT] = { .type = NLA_FLAG },
913 	[NL80211_ATTR_MLO_LINKS] =
914 		NLA_POLICY_NESTED_ARRAY(nl80211_policy),
915 	[NL80211_ATTR_MLO_LINK_ID] =
916 		NLA_POLICY_RANGE(NLA_U8, 0, IEEE80211_MLD_MAX_NUM_LINKS - 1),
917 	[NL80211_ATTR_MLD_ADDR] = NLA_POLICY_EXACT_LEN(ETH_ALEN),
918 	[NL80211_ATTR_MLO_SUPPORT] = { .type = NLA_FLAG },
919 	[NL80211_ATTR_MAX_NUM_AKM_SUITES] = { .type = NLA_REJECT },
920 	[NL80211_ATTR_EML_CAPABILITY] = { .type = NLA_U16 },
921 	[NL80211_ATTR_PUNCT_BITMAP] =
922 		NLA_POLICY_FULL_RANGE(NLA_U32, &nl80211_punct_bitmap_range),
923 
924 	[NL80211_ATTR_MAX_HW_TIMESTAMP_PEERS] = { .type = NLA_U16 },
925 	[NL80211_ATTR_HW_TIMESTAMP_ENABLED] = { .type = NLA_FLAG },
926 	[NL80211_ATTR_EMA_RNR_ELEMS] = { .type = NLA_NESTED },
927 	[NL80211_ATTR_MLO_LINK_DISABLED] = { .type = NLA_FLAG },
928 	[NL80211_ATTR_BSS_DUMP_INCLUDE_USE_DATA] = { .type = NLA_FLAG },
929 	[NL80211_ATTR_MLO_TTLM_DLINK] = NLA_POLICY_EXACT_LEN(sizeof(u16) * 8),
930 	[NL80211_ATTR_MLO_TTLM_ULINK] = NLA_POLICY_EXACT_LEN(sizeof(u16) * 8),
931 	[NL80211_ATTR_ASSOC_SPP_AMSDU] = { .type = NLA_FLAG },
932 	[NL80211_ATTR_VIF_RADIO_MASK] = { .type = NLA_U32 },
933 	[NL80211_ATTR_SUPPORTED_SELECTORS] =
934 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_supported_selectors,
935 				       NL80211_MAX_SUPP_SELECTORS),
936 	[NL80211_ATTR_MLO_RECONF_REM_LINKS] = { .type = NLA_U16 },
937 	[NL80211_ATTR_EPCS] = { .type = NLA_FLAG },
938 	[NL80211_ATTR_ASSOC_MLD_EXT_CAPA_OPS] = { .type = NLA_U16 },
939 	[NL80211_ATTR_WIPHY_RADIO_INDEX] = { .type = NLA_U8 },
940 	[NL80211_ATTR_S1G_LONG_BEACON_PERIOD] = NLA_POLICY_MIN(NLA_U8, 2),
941 	[NL80211_ATTR_S1G_SHORT_BEACON] =
942 		NLA_POLICY_NESTED(nl80211_s1g_short_beacon),
943 	[NL80211_ATTR_BSS_PARAM] = { .type = NLA_FLAG },
944 	[NL80211_ATTR_S1G_PRIMARY_2MHZ] = { .type = NLA_FLAG },
945 	[NL80211_ATTR_EPP_PEER] = { .type = NLA_FLAG },
946 	[NL80211_ATTR_UHR_CAPABILITY] =
947 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_uhr_capa, 255),
948 	[NL80211_ATTR_DISABLE_UHR] = { .type = NLA_FLAG },
949 };
950 
951 /* policy for the key attributes */
952 static const struct nla_policy nl80211_key_policy[NL80211_KEY_MAX + 1] = {
953 	[NL80211_KEY_DATA] = { .type = NLA_BINARY, .len = WLAN_MAX_KEY_LEN },
954 	[NL80211_KEY_IDX] = { .type = NLA_U8 },
955 	[NL80211_KEY_CIPHER] = { .type = NLA_U32 },
956 	[NL80211_KEY_SEQ] = { .type = NLA_BINARY, .len = 16 },
957 	[NL80211_KEY_DEFAULT] = { .type = NLA_FLAG },
958 	[NL80211_KEY_DEFAULT_MGMT] = { .type = NLA_FLAG },
959 	[NL80211_KEY_TYPE] = NLA_POLICY_MAX(NLA_U32, NUM_NL80211_KEYTYPES - 1),
960 	[NL80211_KEY_DEFAULT_TYPES] = { .type = NLA_NESTED },
961 	[NL80211_KEY_MODE] = NLA_POLICY_RANGE(NLA_U8, 0, NL80211_KEY_SET_TX),
962 };
963 
964 /* policy for the key default flags */
965 static const struct nla_policy
966 nl80211_key_default_policy[NUM_NL80211_KEY_DEFAULT_TYPES] = {
967 	[NL80211_KEY_DEFAULT_TYPE_UNICAST] = { .type = NLA_FLAG },
968 	[NL80211_KEY_DEFAULT_TYPE_MULTICAST] = { .type = NLA_FLAG },
969 };
970 
971 #ifdef CONFIG_PM
972 /* policy for WoWLAN attributes */
973 static const struct nla_policy
974 nl80211_wowlan_policy[NUM_NL80211_WOWLAN_TRIG] = {
975 	[NL80211_WOWLAN_TRIG_ANY] = { .type = NLA_FLAG },
976 	[NL80211_WOWLAN_TRIG_DISCONNECT] = { .type = NLA_FLAG },
977 	[NL80211_WOWLAN_TRIG_MAGIC_PKT] = { .type = NLA_FLAG },
978 	[NL80211_WOWLAN_TRIG_PKT_PATTERN] = { .type = NLA_NESTED },
979 	[NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE] = { .type = NLA_FLAG },
980 	[NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST] = { .type = NLA_FLAG },
981 	[NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE] = { .type = NLA_FLAG },
982 	[NL80211_WOWLAN_TRIG_RFKILL_RELEASE] = { .type = NLA_FLAG },
983 	[NL80211_WOWLAN_TRIG_TCP_CONNECTION] = { .type = NLA_NESTED },
984 	[NL80211_WOWLAN_TRIG_NET_DETECT] = { .type = NLA_NESTED },
985 };
986 
987 static const struct nla_policy
988 nl80211_wowlan_tcp_policy[NUM_NL80211_WOWLAN_TCP] = {
989 	[NL80211_WOWLAN_TCP_SRC_IPV4] = { .type = NLA_U32 },
990 	[NL80211_WOWLAN_TCP_DST_IPV4] = { .type = NLA_U32 },
991 	[NL80211_WOWLAN_TCP_DST_MAC] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
992 	[NL80211_WOWLAN_TCP_SRC_PORT] = { .type = NLA_U16 },
993 	[NL80211_WOWLAN_TCP_DST_PORT] = { .type = NLA_U16 },
994 	[NL80211_WOWLAN_TCP_DATA_PAYLOAD] = NLA_POLICY_MIN_LEN(1),
995 	[NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ] = {
996 		.len = sizeof(struct nl80211_wowlan_tcp_data_seq)
997 	},
998 	[NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN] = {
999 		.len = sizeof(struct nl80211_wowlan_tcp_data_token)
1000 	},
1001 	[NL80211_WOWLAN_TCP_DATA_INTERVAL] = { .type = NLA_U32 },
1002 	[NL80211_WOWLAN_TCP_WAKE_PAYLOAD] = NLA_POLICY_MIN_LEN(1),
1003 	[NL80211_WOWLAN_TCP_WAKE_MASK] = NLA_POLICY_MIN_LEN(1),
1004 };
1005 #endif /* CONFIG_PM */
1006 
1007 /* policy for coalesce rule attributes */
1008 static const struct nla_policy
1009 nl80211_coalesce_policy[NUM_NL80211_ATTR_COALESCE_RULE] = {
1010 	[NL80211_ATTR_COALESCE_RULE_DELAY] = { .type = NLA_U32 },
1011 	[NL80211_ATTR_COALESCE_RULE_CONDITION] =
1012 		NLA_POLICY_RANGE(NLA_U32,
1013 				 NL80211_COALESCE_CONDITION_MATCH,
1014 				 NL80211_COALESCE_CONDITION_NO_MATCH),
1015 	[NL80211_ATTR_COALESCE_RULE_PKT_PATTERN] = { .type = NLA_NESTED },
1016 };
1017 
1018 /* policy for GTK rekey offload attributes */
1019 static const struct nla_policy
1020 nl80211_rekey_policy[NUM_NL80211_REKEY_DATA] = {
1021 	[NL80211_REKEY_DATA_KEK] = {
1022 		.type = NLA_BINARY,
1023 		.len = NL80211_KEK_EXT_LEN
1024 	},
1025 	[NL80211_REKEY_DATA_KCK] = {
1026 		.type = NLA_BINARY,
1027 		.len = NL80211_KCK_EXT_LEN_32
1028 	},
1029 	[NL80211_REKEY_DATA_REPLAY_CTR] = NLA_POLICY_EXACT_LEN(NL80211_REPLAY_CTR_LEN),
1030 	[NL80211_REKEY_DATA_AKM] = { .type = NLA_U32 },
1031 };
1032 
1033 static const struct nla_policy
1034 nl80211_match_policy[NL80211_SCHED_SCAN_MATCH_ATTR_MAX + 1] = {
1035 	[NL80211_SCHED_SCAN_MATCH_ATTR_SSID] = { .type = NLA_BINARY,
1036 						 .len = IEEE80211_MAX_SSID_LEN },
1037 	[NL80211_SCHED_SCAN_MATCH_ATTR_BSSID] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
1038 	[NL80211_SCHED_SCAN_MATCH_ATTR_RSSI] = { .type = NLA_U32 },
1039 };
1040 
1041 static const struct nla_policy
1042 nl80211_plan_policy[NL80211_SCHED_SCAN_PLAN_MAX + 1] = {
1043 	[NL80211_SCHED_SCAN_PLAN_INTERVAL] = { .type = NLA_U32 },
1044 	[NL80211_SCHED_SCAN_PLAN_ITERATIONS] = { .type = NLA_U32 },
1045 };
1046 
1047 static const struct nla_policy
1048 nl80211_bss_select_policy[NL80211_BSS_SELECT_ATTR_MAX + 1] = {
1049 	[NL80211_BSS_SELECT_ATTR_RSSI] = { .type = NLA_FLAG },
1050 	[NL80211_BSS_SELECT_ATTR_BAND_PREF] = { .type = NLA_U32 },
1051 	[NL80211_BSS_SELECT_ATTR_RSSI_ADJUST] = {
1052 		.len = sizeof(struct nl80211_bss_select_rssi_adjust)
1053 	},
1054 };
1055 
1056 /* policy for NAN function attributes */
1057 static const struct nla_policy
1058 nl80211_nan_func_policy[NL80211_NAN_FUNC_ATTR_MAX + 1] = {
1059 	[NL80211_NAN_FUNC_TYPE] =
1060 		NLA_POLICY_MAX(NLA_U8, NL80211_NAN_FUNC_MAX_TYPE),
1061 	[NL80211_NAN_FUNC_SERVICE_ID] = {
1062 				    .len = NL80211_NAN_FUNC_SERVICE_ID_LEN },
1063 	[NL80211_NAN_FUNC_PUBLISH_TYPE] = { .type = NLA_U8 },
1064 	[NL80211_NAN_FUNC_PUBLISH_BCAST] = { .type = NLA_FLAG },
1065 	[NL80211_NAN_FUNC_SUBSCRIBE_ACTIVE] = { .type = NLA_FLAG },
1066 	[NL80211_NAN_FUNC_FOLLOW_UP_ID] = { .type = NLA_U8 },
1067 	[NL80211_NAN_FUNC_FOLLOW_UP_REQ_ID] = { .type = NLA_U8 },
1068 	[NL80211_NAN_FUNC_FOLLOW_UP_DEST] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
1069 	[NL80211_NAN_FUNC_CLOSE_RANGE] = { .type = NLA_FLAG },
1070 	[NL80211_NAN_FUNC_TTL] = { .type = NLA_U32 },
1071 	[NL80211_NAN_FUNC_SERVICE_INFO] = { .type = NLA_BINARY,
1072 			.len = NL80211_NAN_FUNC_SERVICE_SPEC_INFO_MAX_LEN },
1073 	[NL80211_NAN_FUNC_SRF] = { .type = NLA_NESTED },
1074 	[NL80211_NAN_FUNC_RX_MATCH_FILTER] = { .type = NLA_NESTED },
1075 	[NL80211_NAN_FUNC_TX_MATCH_FILTER] = { .type = NLA_NESTED },
1076 	[NL80211_NAN_FUNC_INSTANCE_ID] = { .type = NLA_U8 },
1077 	[NL80211_NAN_FUNC_TERM_REASON] = { .type = NLA_U8 },
1078 };
1079 
1080 /* policy for Service Response Filter attributes */
1081 static const struct nla_policy
1082 nl80211_nan_srf_policy[NL80211_NAN_SRF_ATTR_MAX + 1] = {
1083 	[NL80211_NAN_SRF_INCLUDE] = { .type = NLA_FLAG },
1084 	[NL80211_NAN_SRF_BF] = { .type = NLA_BINARY,
1085 				 .len =  NL80211_NAN_FUNC_SRF_MAX_LEN },
1086 	[NL80211_NAN_SRF_BF_IDX] = { .type = NLA_U8 },
1087 	[NL80211_NAN_SRF_MAC_ADDRS] = { .type = NLA_NESTED },
1088 };
1089 
1090 /* policy for packet pattern attributes */
1091 static const struct nla_policy
1092 nl80211_packet_pattern_policy[MAX_NL80211_PKTPAT + 1] = {
1093 	[NL80211_PKTPAT_MASK] = { .type = NLA_BINARY, },
1094 	[NL80211_PKTPAT_PATTERN] = { .type = NLA_BINARY, },
1095 	[NL80211_PKTPAT_OFFSET] = { .type = NLA_U32 },
1096 };
1097 
1098 static int nl80211_prepare_wdev_dump(struct netlink_callback *cb,
1099 				     struct cfg80211_registered_device **rdev,
1100 				     struct wireless_dev **wdev,
1101 				     struct nlattr **attrbuf)
1102 {
1103 	int err;
1104 
1105 	if (!cb->args[0]) {
1106 		struct nlattr **attrbuf_free = NULL;
1107 
1108 		if (!attrbuf) {
1109 			attrbuf = kcalloc(NUM_NL80211_ATTR, sizeof(*attrbuf),
1110 					  GFP_KERNEL);
1111 			if (!attrbuf)
1112 				return -ENOMEM;
1113 			attrbuf_free = attrbuf;
1114 		}
1115 
1116 		err = nlmsg_parse_deprecated(cb->nlh,
1117 					     GENL_HDRLEN + nl80211_fam.hdrsize,
1118 					     attrbuf, nl80211_fam.maxattr,
1119 					     nl80211_policy, NULL);
1120 		if (err) {
1121 			kfree(attrbuf_free);
1122 			return err;
1123 		}
1124 
1125 		rtnl_lock();
1126 		*wdev = __cfg80211_wdev_from_attrs(NULL, sock_net(cb->skb->sk),
1127 						   attrbuf);
1128 		kfree(attrbuf_free);
1129 		if (IS_ERR(*wdev)) {
1130 			rtnl_unlock();
1131 			return PTR_ERR(*wdev);
1132 		}
1133 		*rdev = wiphy_to_rdev((*wdev)->wiphy);
1134 		mutex_lock(&(*rdev)->wiphy.mtx);
1135 		rtnl_unlock();
1136 		/* 0 is the first index - add 1 to parse only once */
1137 		cb->args[0] = (*rdev)->wiphy_idx + 1;
1138 		cb->args[1] = (*wdev)->identifier;
1139 	} else {
1140 		/* subtract the 1 again here */
1141 		struct wiphy *wiphy;
1142 		struct wireless_dev *tmp;
1143 
1144 		rtnl_lock();
1145 		wiphy = wiphy_idx_to_wiphy(cb->args[0] - 1);
1146 		if (!wiphy) {
1147 			rtnl_unlock();
1148 			return -ENODEV;
1149 		}
1150 		*rdev = wiphy_to_rdev(wiphy);
1151 		*wdev = NULL;
1152 
1153 		list_for_each_entry(tmp, &(*rdev)->wiphy.wdev_list, list) {
1154 			if (tmp->identifier == cb->args[1]) {
1155 				*wdev = tmp;
1156 				break;
1157 			}
1158 		}
1159 
1160 		if (!*wdev) {
1161 			rtnl_unlock();
1162 			return -ENODEV;
1163 		}
1164 		mutex_lock(&(*rdev)->wiphy.mtx);
1165 		rtnl_unlock();
1166 	}
1167 
1168 	return 0;
1169 }
1170 
1171 /* message building helper */
1172 void *nl80211hdr_put(struct sk_buff *skb, u32 portid, u32 seq,
1173 		     int flags, u8 cmd)
1174 {
1175 	/* since there is no private header just add the generic one */
1176 	return genlmsg_put(skb, portid, seq, &nl80211_fam, flags, cmd);
1177 }
1178 
1179 static int nl80211_msg_put_wmm_rules(struct sk_buff *msg,
1180 				     const struct ieee80211_reg_rule *rule)
1181 {
1182 	int j;
1183 	struct nlattr *nl_wmm_rules =
1184 		nla_nest_start_noflag(msg, NL80211_FREQUENCY_ATTR_WMM);
1185 
1186 	if (!nl_wmm_rules)
1187 		goto nla_put_failure;
1188 
1189 	for (j = 0; j < IEEE80211_NUM_ACS; j++) {
1190 		struct nlattr *nl_wmm_rule = nla_nest_start_noflag(msg, j);
1191 
1192 		if (!nl_wmm_rule)
1193 			goto nla_put_failure;
1194 
1195 		if (nla_put_u16(msg, NL80211_WMMR_CW_MIN,
1196 				rule->wmm_rule.client[j].cw_min) ||
1197 		    nla_put_u16(msg, NL80211_WMMR_CW_MAX,
1198 				rule->wmm_rule.client[j].cw_max) ||
1199 		    nla_put_u8(msg, NL80211_WMMR_AIFSN,
1200 			       rule->wmm_rule.client[j].aifsn) ||
1201 		    nla_put_u16(msg, NL80211_WMMR_TXOP,
1202 			        rule->wmm_rule.client[j].cot))
1203 			goto nla_put_failure;
1204 
1205 		nla_nest_end(msg, nl_wmm_rule);
1206 	}
1207 	nla_nest_end(msg, nl_wmm_rules);
1208 
1209 	return 0;
1210 
1211 nla_put_failure:
1212 	return -ENOBUFS;
1213 }
1214 
1215 static int nl80211_msg_put_channel(struct sk_buff *msg, struct wiphy *wiphy,
1216 				   struct ieee80211_channel *chan,
1217 				   bool large)
1218 {
1219 	/* Some channels must be completely excluded from the
1220 	 * list to protect old user-space tools from breaking
1221 	 */
1222 	if (!large && chan->flags &
1223 	    (IEEE80211_CHAN_NO_10MHZ | IEEE80211_CHAN_NO_20MHZ))
1224 		return 0;
1225 	if (!large && chan->freq_offset)
1226 		return 0;
1227 
1228 	if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_FREQ,
1229 			chan->center_freq))
1230 		goto nla_put_failure;
1231 
1232 	if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_OFFSET, chan->freq_offset))
1233 		goto nla_put_failure;
1234 
1235 	if ((chan->flags & IEEE80211_CHAN_PSD) &&
1236 	    nla_put_s8(msg, NL80211_FREQUENCY_ATTR_PSD, chan->psd))
1237 		goto nla_put_failure;
1238 
1239 	if ((chan->flags & IEEE80211_CHAN_DISABLED) &&
1240 	    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_DISABLED))
1241 		goto nla_put_failure;
1242 	if (chan->flags & IEEE80211_CHAN_NO_IR) {
1243 		if (nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_IR))
1244 			goto nla_put_failure;
1245 		if (nla_put_flag(msg, __NL80211_FREQUENCY_ATTR_NO_IBSS))
1246 			goto nla_put_failure;
1247 	}
1248 	if (chan->flags & IEEE80211_CHAN_RADAR) {
1249 		if (nla_put_flag(msg, NL80211_FREQUENCY_ATTR_RADAR))
1250 			goto nla_put_failure;
1251 		if (large) {
1252 			u32 time;
1253 
1254 			time = elapsed_jiffies_msecs(chan->dfs_state_entered);
1255 
1256 			if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_DFS_STATE,
1257 					chan->dfs_state))
1258 				goto nla_put_failure;
1259 			if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_DFS_TIME,
1260 					time))
1261 				goto nla_put_failure;
1262 			if (nla_put_u32(msg,
1263 					NL80211_FREQUENCY_ATTR_DFS_CAC_TIME,
1264 					chan->dfs_cac_ms))
1265 				goto nla_put_failure;
1266 		}
1267 	}
1268 
1269 	if (large) {
1270 		if ((chan->flags & IEEE80211_CHAN_NO_HT40MINUS) &&
1271 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_HT40_MINUS))
1272 			goto nla_put_failure;
1273 		if ((chan->flags & IEEE80211_CHAN_NO_HT40PLUS) &&
1274 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_HT40_PLUS))
1275 			goto nla_put_failure;
1276 		if ((chan->flags & IEEE80211_CHAN_NO_80MHZ) &&
1277 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_80MHZ))
1278 			goto nla_put_failure;
1279 		if ((chan->flags & IEEE80211_CHAN_NO_160MHZ) &&
1280 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_160MHZ))
1281 			goto nla_put_failure;
1282 		if ((chan->flags & IEEE80211_CHAN_INDOOR_ONLY) &&
1283 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_INDOOR_ONLY))
1284 			goto nla_put_failure;
1285 		if ((chan->flags & IEEE80211_CHAN_IR_CONCURRENT) &&
1286 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_IR_CONCURRENT))
1287 			goto nla_put_failure;
1288 		if ((chan->flags & IEEE80211_CHAN_NO_20MHZ) &&
1289 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_20MHZ))
1290 			goto nla_put_failure;
1291 		if ((chan->flags & IEEE80211_CHAN_NO_10MHZ) &&
1292 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_10MHZ))
1293 			goto nla_put_failure;
1294 		if ((chan->flags & IEEE80211_CHAN_NO_HE) &&
1295 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_HE))
1296 			goto nla_put_failure;
1297 		if ((chan->flags & IEEE80211_CHAN_NO_320MHZ) &&
1298 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_320MHZ))
1299 			goto nla_put_failure;
1300 		if ((chan->flags & IEEE80211_CHAN_NO_EHT) &&
1301 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_EHT))
1302 			goto nla_put_failure;
1303 		if ((chan->flags & IEEE80211_CHAN_DFS_CONCURRENT) &&
1304 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_DFS_CONCURRENT))
1305 			goto nla_put_failure;
1306 		if ((chan->flags & IEEE80211_CHAN_NO_6GHZ_VLP_CLIENT) &&
1307 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_6GHZ_VLP_CLIENT))
1308 			goto nla_put_failure;
1309 		if ((chan->flags & IEEE80211_CHAN_NO_6GHZ_AFC_CLIENT) &&
1310 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_6GHZ_AFC_CLIENT))
1311 			goto nla_put_failure;
1312 		if ((chan->flags & IEEE80211_CHAN_CAN_MONITOR) &&
1313 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_CAN_MONITOR))
1314 			goto nla_put_failure;
1315 		if ((chan->flags & IEEE80211_CHAN_ALLOW_6GHZ_VLP_AP) &&
1316 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_ALLOW_6GHZ_VLP_AP))
1317 			goto nla_put_failure;
1318 		if ((chan->flags & IEEE80211_CHAN_ALLOW_20MHZ_ACTIVITY) &&
1319 		    nla_put_flag(msg,
1320 				 NL80211_FREQUENCY_ATTR_ALLOW_20MHZ_ACTIVITY))
1321 			goto nla_put_failure;
1322 		if ((chan->flags & IEEE80211_CHAN_NO_4MHZ) &&
1323 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_4MHZ))
1324 			goto nla_put_failure;
1325 		if ((chan->flags & IEEE80211_CHAN_NO_8MHZ) &&
1326 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_8MHZ))
1327 			goto nla_put_failure;
1328 		if ((chan->flags & IEEE80211_CHAN_NO_16MHZ) &&
1329 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_16MHZ))
1330 			goto nla_put_failure;
1331 		if ((chan->flags & IEEE80211_CHAN_S1G_NO_PRIMARY) &&
1332 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_S1G_NO_PRIMARY))
1333 			goto nla_put_failure;
1334 		if ((chan->flags & IEEE80211_CHAN_NO_UHR) &&
1335 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_UHR))
1336 			goto nla_put_failure;
1337 	}
1338 
1339 	if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_MAX_TX_POWER,
1340 			DBM_TO_MBM(chan->max_power)))
1341 		goto nla_put_failure;
1342 
1343 	if (large) {
1344 		const struct ieee80211_reg_rule *rule =
1345 			freq_reg_info(wiphy, MHZ_TO_KHZ(chan->center_freq));
1346 
1347 		if (!IS_ERR_OR_NULL(rule) && rule->has_wmm) {
1348 			if (nl80211_msg_put_wmm_rules(msg, rule))
1349 				goto nla_put_failure;
1350 		}
1351 	}
1352 
1353 	return 0;
1354 
1355  nla_put_failure:
1356 	return -ENOBUFS;
1357 }
1358 
1359 static bool nl80211_put_txq_stats(struct sk_buff *msg,
1360 				  struct cfg80211_txq_stats *txqstats,
1361 				  int attrtype)
1362 {
1363 	struct nlattr *txqattr;
1364 
1365 #define PUT_TXQVAL_U32(attr, memb) do {					  \
1366 	if (txqstats->filled & BIT(NL80211_TXQ_STATS_ ## attr) &&	  \
1367 	    nla_put_u32(msg, NL80211_TXQ_STATS_ ## attr, txqstats->memb)) \
1368 		return false;						  \
1369 	} while (0)
1370 
1371 	txqattr = nla_nest_start_noflag(msg, attrtype);
1372 	if (!txqattr)
1373 		return false;
1374 
1375 	PUT_TXQVAL_U32(BACKLOG_BYTES, backlog_bytes);
1376 	PUT_TXQVAL_U32(BACKLOG_PACKETS, backlog_packets);
1377 	PUT_TXQVAL_U32(FLOWS, flows);
1378 	PUT_TXQVAL_U32(DROPS, drops);
1379 	PUT_TXQVAL_U32(ECN_MARKS, ecn_marks);
1380 	PUT_TXQVAL_U32(OVERLIMIT, overlimit);
1381 	PUT_TXQVAL_U32(OVERMEMORY, overmemory);
1382 	PUT_TXQVAL_U32(COLLISIONS, collisions);
1383 	PUT_TXQVAL_U32(TX_BYTES, tx_bytes);
1384 	PUT_TXQVAL_U32(TX_PACKETS, tx_packets);
1385 	PUT_TXQVAL_U32(MAX_FLOWS, max_flows);
1386 	nla_nest_end(msg, txqattr);
1387 
1388 #undef PUT_TXQVAL_U32
1389 	return true;
1390 }
1391 
1392 /* netlink command implementations */
1393 
1394 /**
1395  * nl80211_link_id - return link ID
1396  * @attrs: attributes to look at
1397  *
1398  * Returns: the link ID or 0 if not given
1399  *
1400  * Note this function doesn't do any validation of the link
1401  * ID validity wrt. links that were actually added, so it must
1402  * be called only from ops with %NL80211_FLAG_MLO_VALID_LINK_ID
1403  * or if additional validation is done.
1404  */
1405 static unsigned int nl80211_link_id(struct nlattr **attrs)
1406 {
1407 	struct nlattr *linkid = attrs[NL80211_ATTR_MLO_LINK_ID];
1408 
1409 	return nla_get_u8_default(linkid, 0);
1410 }
1411 
1412 static int nl80211_link_id_or_invalid(struct nlattr **attrs)
1413 {
1414 	struct nlattr *linkid = attrs[NL80211_ATTR_MLO_LINK_ID];
1415 
1416 	if (!linkid)
1417 		return -1;
1418 
1419 	return nla_get_u8(linkid);
1420 }
1421 
1422 struct key_parse {
1423 	struct key_params p;
1424 	int idx;
1425 	int type;
1426 	bool def, defmgmt, defbeacon;
1427 	bool def_uni, def_multi;
1428 };
1429 
1430 static int nl80211_parse_key_new(struct genl_info *info, struct nlattr *key,
1431 				 struct key_parse *k)
1432 {
1433 	struct nlattr *tb[NL80211_KEY_MAX + 1];
1434 	int err = nla_parse_nested_deprecated(tb, NL80211_KEY_MAX, key,
1435 					      nl80211_key_policy,
1436 					      info->extack);
1437 	if (err)
1438 		return err;
1439 
1440 	k->def = !!tb[NL80211_KEY_DEFAULT];
1441 	k->defmgmt = !!tb[NL80211_KEY_DEFAULT_MGMT];
1442 	k->defbeacon = !!tb[NL80211_KEY_DEFAULT_BEACON];
1443 
1444 	if (k->def) {
1445 		k->def_uni = true;
1446 		k->def_multi = true;
1447 	}
1448 	if (k->defmgmt || k->defbeacon)
1449 		k->def_multi = true;
1450 
1451 	if (tb[NL80211_KEY_IDX])
1452 		k->idx = nla_get_u8(tb[NL80211_KEY_IDX]);
1453 
1454 	if (tb[NL80211_KEY_DATA]) {
1455 		k->p.key = nla_data(tb[NL80211_KEY_DATA]);
1456 		k->p.key_len = nla_len(tb[NL80211_KEY_DATA]);
1457 	}
1458 
1459 	if (tb[NL80211_KEY_SEQ]) {
1460 		k->p.seq = nla_data(tb[NL80211_KEY_SEQ]);
1461 		k->p.seq_len = nla_len(tb[NL80211_KEY_SEQ]);
1462 	}
1463 
1464 	if (tb[NL80211_KEY_CIPHER])
1465 		k->p.cipher = nla_get_u32(tb[NL80211_KEY_CIPHER]);
1466 
1467 	if (tb[NL80211_KEY_TYPE])
1468 		k->type = nla_get_u32(tb[NL80211_KEY_TYPE]);
1469 
1470 	if (tb[NL80211_KEY_DEFAULT_TYPES]) {
1471 		struct nlattr *kdt[NUM_NL80211_KEY_DEFAULT_TYPES];
1472 
1473 		err = nla_parse_nested_deprecated(kdt,
1474 						  NUM_NL80211_KEY_DEFAULT_TYPES - 1,
1475 						  tb[NL80211_KEY_DEFAULT_TYPES],
1476 						  nl80211_key_default_policy,
1477 						  info->extack);
1478 		if (err)
1479 			return err;
1480 
1481 		k->def_uni = kdt[NL80211_KEY_DEFAULT_TYPE_UNICAST];
1482 		k->def_multi = kdt[NL80211_KEY_DEFAULT_TYPE_MULTICAST];
1483 	}
1484 
1485 	if (tb[NL80211_KEY_MODE])
1486 		k->p.mode = nla_get_u8(tb[NL80211_KEY_MODE]);
1487 
1488 	return 0;
1489 }
1490 
1491 static int nl80211_parse_key_old(struct genl_info *info, struct key_parse *k)
1492 {
1493 	if (info->attrs[NL80211_ATTR_KEY_DATA]) {
1494 		k->p.key = nla_data(info->attrs[NL80211_ATTR_KEY_DATA]);
1495 		k->p.key_len = nla_len(info->attrs[NL80211_ATTR_KEY_DATA]);
1496 	}
1497 
1498 	if (info->attrs[NL80211_ATTR_KEY_SEQ]) {
1499 		k->p.seq = nla_data(info->attrs[NL80211_ATTR_KEY_SEQ]);
1500 		k->p.seq_len = nla_len(info->attrs[NL80211_ATTR_KEY_SEQ]);
1501 	}
1502 
1503 	if (info->attrs[NL80211_ATTR_KEY_IDX])
1504 		k->idx = nla_get_u8(info->attrs[NL80211_ATTR_KEY_IDX]);
1505 
1506 	if (info->attrs[NL80211_ATTR_KEY_CIPHER])
1507 		k->p.cipher = nla_get_u32(info->attrs[NL80211_ATTR_KEY_CIPHER]);
1508 
1509 	k->def = !!info->attrs[NL80211_ATTR_KEY_DEFAULT];
1510 	k->defmgmt = !!info->attrs[NL80211_ATTR_KEY_DEFAULT_MGMT];
1511 
1512 	if (k->def) {
1513 		k->def_uni = true;
1514 		k->def_multi = true;
1515 	}
1516 	if (k->defmgmt)
1517 		k->def_multi = true;
1518 
1519 	if (info->attrs[NL80211_ATTR_KEY_TYPE])
1520 		k->type = nla_get_u32(info->attrs[NL80211_ATTR_KEY_TYPE]);
1521 
1522 	if (info->attrs[NL80211_ATTR_KEY_DEFAULT_TYPES]) {
1523 		struct nlattr *kdt[NUM_NL80211_KEY_DEFAULT_TYPES];
1524 		int err = nla_parse_nested_deprecated(kdt,
1525 						      NUM_NL80211_KEY_DEFAULT_TYPES - 1,
1526 						      info->attrs[NL80211_ATTR_KEY_DEFAULT_TYPES],
1527 						      nl80211_key_default_policy,
1528 						      info->extack);
1529 		if (err)
1530 			return err;
1531 
1532 		k->def_uni = kdt[NL80211_KEY_DEFAULT_TYPE_UNICAST];
1533 		k->def_multi = kdt[NL80211_KEY_DEFAULT_TYPE_MULTICAST];
1534 	}
1535 
1536 	return 0;
1537 }
1538 
1539 static int nl80211_parse_key(struct genl_info *info, struct key_parse *k)
1540 {
1541 	int err;
1542 
1543 	memset(k, 0, sizeof(*k));
1544 	k->idx = -1;
1545 	k->type = -1;
1546 
1547 	if (info->attrs[NL80211_ATTR_KEY])
1548 		err = nl80211_parse_key_new(info, info->attrs[NL80211_ATTR_KEY], k);
1549 	else
1550 		err = nl80211_parse_key_old(info, k);
1551 
1552 	if (err)
1553 		return err;
1554 
1555 	if ((k->def ? 1 : 0) + (k->defmgmt ? 1 : 0) +
1556 	    (k->defbeacon ? 1 : 0) > 1) {
1557 		GENL_SET_ERR_MSG(info,
1558 				 "key with multiple default flags is invalid");
1559 		return -EINVAL;
1560 	}
1561 
1562 	if (k->defmgmt || k->defbeacon) {
1563 		if (k->def_uni || !k->def_multi) {
1564 			GENL_SET_ERR_MSG(info,
1565 					 "defmgmt/defbeacon key must be mcast");
1566 			return -EINVAL;
1567 		}
1568 	}
1569 
1570 	if (k->idx != -1) {
1571 		if (k->defmgmt) {
1572 			if (k->idx < 4 || k->idx > 5) {
1573 				GENL_SET_ERR_MSG(info,
1574 						 "defmgmt key idx not 4 or 5");
1575 				return -EINVAL;
1576 			}
1577 		} else if (k->defbeacon) {
1578 			if (k->idx < 6 || k->idx > 7) {
1579 				GENL_SET_ERR_MSG(info,
1580 						 "defbeacon key idx not 6 or 7");
1581 				return -EINVAL;
1582 			}
1583 		} else if (k->def) {
1584 			if (k->idx < 0 || k->idx > 3) {
1585 				GENL_SET_ERR_MSG(info, "def key idx not 0-3");
1586 				return -EINVAL;
1587 			}
1588 		} else {
1589 			if (k->idx < 0 || k->idx > 7) {
1590 				GENL_SET_ERR_MSG(info, "key idx not 0-7");
1591 				return -EINVAL;
1592 			}
1593 		}
1594 	}
1595 
1596 	return 0;
1597 }
1598 
1599 static struct cfg80211_cached_keys *
1600 nl80211_parse_connkeys(struct cfg80211_registered_device *rdev,
1601 		       struct genl_info *info, bool *no_ht)
1602 {
1603 	struct nlattr *keys = info->attrs[NL80211_ATTR_KEYS];
1604 	struct key_parse parse;
1605 	struct nlattr *key;
1606 	struct cfg80211_cached_keys *result;
1607 	int rem, err, def = 0;
1608 	bool have_key = false;
1609 
1610 	nla_for_each_nested(key, keys, rem) {
1611 		have_key = true;
1612 		break;
1613 	}
1614 
1615 	if (!have_key)
1616 		return NULL;
1617 
1618 	result = kzalloc(sizeof(*result), GFP_KERNEL);
1619 	if (!result)
1620 		return ERR_PTR(-ENOMEM);
1621 
1622 	result->def = -1;
1623 
1624 	nla_for_each_nested(key, keys, rem) {
1625 		memset(&parse, 0, sizeof(parse));
1626 		parse.idx = -1;
1627 
1628 		err = nl80211_parse_key_new(info, key, &parse);
1629 		if (err)
1630 			goto error;
1631 		err = -EINVAL;
1632 		if (!parse.p.key)
1633 			goto error;
1634 		if (parse.idx < 0 || parse.idx > 3) {
1635 			GENL_SET_ERR_MSG(info, "key index out of range [0-3]");
1636 			goto error;
1637 		}
1638 		if (parse.def) {
1639 			if (def) {
1640 				GENL_SET_ERR_MSG(info,
1641 						 "only one key can be default");
1642 				goto error;
1643 			}
1644 			def = 1;
1645 			result->def = parse.idx;
1646 			if (!parse.def_uni || !parse.def_multi)
1647 				goto error;
1648 		} else if (parse.defmgmt)
1649 			goto error;
1650 		err = cfg80211_validate_key_settings(rdev, &parse.p,
1651 						     parse.idx, false, NULL);
1652 		if (err)
1653 			goto error;
1654 		if (parse.p.cipher != WLAN_CIPHER_SUITE_WEP40 &&
1655 		    parse.p.cipher != WLAN_CIPHER_SUITE_WEP104) {
1656 			GENL_SET_ERR_MSG(info, "connect key must be WEP");
1657 			err = -EINVAL;
1658 			goto error;
1659 		}
1660 		result->params[parse.idx].cipher = parse.p.cipher;
1661 		result->params[parse.idx].key_len = parse.p.key_len;
1662 		result->params[parse.idx].key = result->data[parse.idx];
1663 		memcpy(result->data[parse.idx], parse.p.key, parse.p.key_len);
1664 
1665 		/* must be WEP key if we got here */
1666 		if (no_ht)
1667 			*no_ht = true;
1668 	}
1669 
1670 	if (result->def < 0) {
1671 		err = -EINVAL;
1672 		GENL_SET_ERR_MSG(info, "need a default/TX key");
1673 		goto error;
1674 	}
1675 
1676 	return result;
1677  error:
1678 	kfree_sensitive(result);
1679 	return ERR_PTR(err);
1680 }
1681 
1682 static int nl80211_key_allowed(struct wireless_dev *wdev)
1683 {
1684 	lockdep_assert_wiphy(wdev->wiphy);
1685 
1686 	switch (wdev->iftype) {
1687 	case NL80211_IFTYPE_AP:
1688 	case NL80211_IFTYPE_AP_VLAN:
1689 	case NL80211_IFTYPE_P2P_GO:
1690 	case NL80211_IFTYPE_MESH_POINT:
1691 		break;
1692 	case NL80211_IFTYPE_ADHOC:
1693 		if (wdev->u.ibss.current_bss)
1694 			return 0;
1695 		return -ENOLINK;
1696 	case NL80211_IFTYPE_STATION:
1697 	case NL80211_IFTYPE_P2P_CLIENT:
1698 		if (wdev->connected ||
1699 		    (wiphy_ext_feature_isset(wdev->wiphy,
1700 					     NL80211_EXT_FEATURE_ASSOC_FRAME_ENCRYPTION)))
1701 			return 0;
1702 		return -ENOLINK;
1703 	case NL80211_IFTYPE_NAN:
1704 		if (wiphy_ext_feature_isset(wdev->wiphy,
1705 					    NL80211_EXT_FEATURE_SECURE_NAN))
1706 			return 0;
1707 		return -EINVAL;
1708 	case NL80211_IFTYPE_UNSPECIFIED:
1709 	case NL80211_IFTYPE_OCB:
1710 	case NL80211_IFTYPE_MONITOR:
1711 	case NL80211_IFTYPE_P2P_DEVICE:
1712 	case NL80211_IFTYPE_WDS:
1713 	case NUM_NL80211_IFTYPES:
1714 		return -EINVAL;
1715 	}
1716 
1717 	return 0;
1718 }
1719 
1720 static struct ieee80211_channel *nl80211_get_valid_chan(struct wiphy *wiphy,
1721 							u32 freq)
1722 {
1723 	struct ieee80211_channel *chan;
1724 
1725 	chan = ieee80211_get_channel_khz(wiphy, freq);
1726 	if (!chan || chan->flags & IEEE80211_CHAN_DISABLED)
1727 		return NULL;
1728 	return chan;
1729 }
1730 
1731 static int nl80211_put_iftypes(struct sk_buff *msg, u32 attr, u16 ifmodes)
1732 {
1733 	struct nlattr *nl_modes = nla_nest_start_noflag(msg, attr);
1734 	int i;
1735 
1736 	if (!nl_modes)
1737 		goto nla_put_failure;
1738 
1739 	i = 0;
1740 	while (ifmodes) {
1741 		if ((ifmodes & 1) && nla_put_flag(msg, i))
1742 			goto nla_put_failure;
1743 		ifmodes >>= 1;
1744 		i++;
1745 	}
1746 
1747 	nla_nest_end(msg, nl_modes);
1748 	return 0;
1749 
1750 nla_put_failure:
1751 	return -ENOBUFS;
1752 }
1753 
1754 static int nl80211_put_ifcomb_data(struct sk_buff *msg, bool large, int idx,
1755 				   const struct ieee80211_iface_combination *c,
1756 				   u16 nested)
1757 {
1758 	struct nlattr *nl_combi, *nl_limits;
1759 	int i;
1760 
1761 	nl_combi = nla_nest_start_noflag(msg, idx | nested);
1762 	if (!nl_combi)
1763 		goto nla_put_failure;
1764 
1765 	nl_limits = nla_nest_start_noflag(msg, NL80211_IFACE_COMB_LIMITS |
1766 					       nested);
1767 	if (!nl_limits)
1768 		goto nla_put_failure;
1769 
1770 	for (i = 0; i < c->n_limits; i++) {
1771 		struct nlattr *nl_limit;
1772 
1773 		nl_limit = nla_nest_start_noflag(msg, i + 1);
1774 		if (!nl_limit)
1775 			goto nla_put_failure;
1776 		if (nla_put_u32(msg, NL80211_IFACE_LIMIT_MAX, c->limits[i].max))
1777 			goto nla_put_failure;
1778 		if (nl80211_put_iftypes(msg, NL80211_IFACE_LIMIT_TYPES,
1779 					c->limits[i].types))
1780 			goto nla_put_failure;
1781 		nla_nest_end(msg, nl_limit);
1782 	}
1783 
1784 	nla_nest_end(msg, nl_limits);
1785 
1786 	if (c->beacon_int_infra_match &&
1787 	    nla_put_flag(msg, NL80211_IFACE_COMB_STA_AP_BI_MATCH))
1788 		goto nla_put_failure;
1789 	if (nla_put_u32(msg, NL80211_IFACE_COMB_NUM_CHANNELS,
1790 			c->num_different_channels) ||
1791 	    nla_put_u32(msg, NL80211_IFACE_COMB_MAXNUM,
1792 			c->max_interfaces))
1793 		goto nla_put_failure;
1794 	if (large &&
1795 	    (nla_put_u32(msg, NL80211_IFACE_COMB_RADAR_DETECT_WIDTHS,
1796 			c->radar_detect_widths) ||
1797 	     nla_put_u32(msg, NL80211_IFACE_COMB_RADAR_DETECT_REGIONS,
1798 			c->radar_detect_regions)))
1799 		goto nla_put_failure;
1800 	if (c->beacon_int_min_gcd &&
1801 	    nla_put_u32(msg, NL80211_IFACE_COMB_BI_MIN_GCD,
1802 			c->beacon_int_min_gcd))
1803 		goto nla_put_failure;
1804 
1805 	nla_nest_end(msg, nl_combi);
1806 
1807 	return 0;
1808 nla_put_failure:
1809 	return -ENOBUFS;
1810 }
1811 
1812 static int nl80211_put_iface_combinations(struct wiphy *wiphy,
1813 					  struct sk_buff *msg,
1814 					  int attr, int radio,
1815 					  bool large, u16 nested)
1816 {
1817 	const struct ieee80211_iface_combination *c;
1818 	struct nlattr *nl_combis;
1819 	int i, n;
1820 
1821 	nl_combis = nla_nest_start_noflag(msg, attr | nested);
1822 	if (!nl_combis)
1823 		goto nla_put_failure;
1824 
1825 	if (radio >= 0) {
1826 		c = wiphy->radio[0].iface_combinations;
1827 		n = wiphy->radio[0].n_iface_combinations;
1828 	} else {
1829 		c = wiphy->iface_combinations;
1830 		n = wiphy->n_iface_combinations;
1831 	}
1832 	for (i = 0; i < n; i++)
1833 		if (nl80211_put_ifcomb_data(msg, large, i + 1, &c[i], nested))
1834 			goto nla_put_failure;
1835 
1836 	nla_nest_end(msg, nl_combis);
1837 
1838 	return 0;
1839 nla_put_failure:
1840 	return -ENOBUFS;
1841 }
1842 
1843 #ifdef CONFIG_PM
1844 static int nl80211_send_wowlan_tcp_caps(struct cfg80211_registered_device *rdev,
1845 					struct sk_buff *msg)
1846 {
1847 	const struct wiphy_wowlan_tcp_support *tcp = rdev->wiphy.wowlan->tcp;
1848 	struct nlattr *nl_tcp;
1849 
1850 	if (!tcp)
1851 		return 0;
1852 
1853 	nl_tcp = nla_nest_start_noflag(msg,
1854 				       NL80211_WOWLAN_TRIG_TCP_CONNECTION);
1855 	if (!nl_tcp)
1856 		return -ENOBUFS;
1857 
1858 	if (nla_put_u32(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD,
1859 			tcp->data_payload_max))
1860 		return -ENOBUFS;
1861 
1862 	if (nla_put_u32(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD,
1863 			tcp->data_payload_max))
1864 		return -ENOBUFS;
1865 
1866 	if (tcp->seq && nla_put_flag(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ))
1867 		return -ENOBUFS;
1868 
1869 	if (tcp->tok && nla_put(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN,
1870 				sizeof(*tcp->tok), tcp->tok))
1871 		return -ENOBUFS;
1872 
1873 	if (nla_put_u32(msg, NL80211_WOWLAN_TCP_DATA_INTERVAL,
1874 			tcp->data_interval_max))
1875 		return -ENOBUFS;
1876 
1877 	if (nla_put_u32(msg, NL80211_WOWLAN_TCP_WAKE_PAYLOAD,
1878 			tcp->wake_payload_max))
1879 		return -ENOBUFS;
1880 
1881 	nla_nest_end(msg, nl_tcp);
1882 	return 0;
1883 }
1884 
1885 static int nl80211_send_wowlan(struct sk_buff *msg,
1886 			       struct cfg80211_registered_device *rdev,
1887 			       bool large)
1888 {
1889 	struct nlattr *nl_wowlan;
1890 
1891 	if (!rdev->wiphy.wowlan)
1892 		return 0;
1893 
1894 	nl_wowlan = nla_nest_start_noflag(msg,
1895 					  NL80211_ATTR_WOWLAN_TRIGGERS_SUPPORTED);
1896 	if (!nl_wowlan)
1897 		return -ENOBUFS;
1898 
1899 	if (((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_ANY) &&
1900 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_ANY)) ||
1901 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_DISCONNECT) &&
1902 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_DISCONNECT)) ||
1903 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_MAGIC_PKT) &&
1904 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_MAGIC_PKT)) ||
1905 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_SUPPORTS_GTK_REKEY) &&
1906 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_GTK_REKEY_SUPPORTED)) ||
1907 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_GTK_REKEY_FAILURE) &&
1908 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE)) ||
1909 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_EAP_IDENTITY_REQ) &&
1910 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST)) ||
1911 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_4WAY_HANDSHAKE) &&
1912 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE)) ||
1913 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_RFKILL_RELEASE) &&
1914 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_RFKILL_RELEASE)))
1915 		return -ENOBUFS;
1916 
1917 	if (rdev->wiphy.wowlan->n_patterns) {
1918 		struct nl80211_pattern_support pat = {
1919 			.max_patterns = rdev->wiphy.wowlan->n_patterns,
1920 			.min_pattern_len = rdev->wiphy.wowlan->pattern_min_len,
1921 			.max_pattern_len = rdev->wiphy.wowlan->pattern_max_len,
1922 			.max_pkt_offset = rdev->wiphy.wowlan->max_pkt_offset,
1923 		};
1924 
1925 		if (nla_put(msg, NL80211_WOWLAN_TRIG_PKT_PATTERN,
1926 			    sizeof(pat), &pat))
1927 			return -ENOBUFS;
1928 	}
1929 
1930 	if ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_NET_DETECT) &&
1931 	    nla_put_u32(msg, NL80211_WOWLAN_TRIG_NET_DETECT,
1932 			rdev->wiphy.wowlan->max_nd_match_sets))
1933 		return -ENOBUFS;
1934 
1935 	if (large && nl80211_send_wowlan_tcp_caps(rdev, msg))
1936 		return -ENOBUFS;
1937 
1938 	nla_nest_end(msg, nl_wowlan);
1939 
1940 	return 0;
1941 }
1942 #endif
1943 
1944 static int nl80211_send_coalesce(struct sk_buff *msg,
1945 				 struct cfg80211_registered_device *rdev)
1946 {
1947 	struct nl80211_coalesce_rule_support rule;
1948 
1949 	if (!rdev->wiphy.coalesce)
1950 		return 0;
1951 
1952 	rule.max_rules = rdev->wiphy.coalesce->n_rules;
1953 	rule.max_delay = rdev->wiphy.coalesce->max_delay;
1954 	rule.pat.max_patterns = rdev->wiphy.coalesce->n_patterns;
1955 	rule.pat.min_pattern_len = rdev->wiphy.coalesce->pattern_min_len;
1956 	rule.pat.max_pattern_len = rdev->wiphy.coalesce->pattern_max_len;
1957 	rule.pat.max_pkt_offset = rdev->wiphy.coalesce->max_pkt_offset;
1958 
1959 	if (nla_put(msg, NL80211_ATTR_COALESCE_RULE, sizeof(rule), &rule))
1960 		return -ENOBUFS;
1961 
1962 	return 0;
1963 }
1964 
1965 static int
1966 nl80211_send_iftype_data(struct sk_buff *msg,
1967 			 const struct ieee80211_supported_band *sband,
1968 			 const struct ieee80211_sband_iftype_data *iftdata)
1969 {
1970 	const struct ieee80211_sta_he_cap *he_cap = &iftdata->he_cap;
1971 	const struct ieee80211_sta_eht_cap *eht_cap = &iftdata->eht_cap;
1972 	const struct ieee80211_sta_uhr_cap *uhr_cap = &iftdata->uhr_cap;
1973 
1974 	if (nl80211_put_iftypes(msg, NL80211_BAND_IFTYPE_ATTR_IFTYPES,
1975 				iftdata->types_mask))
1976 		return -ENOBUFS;
1977 
1978 	if (he_cap->has_he) {
1979 		if (nla_put(msg, NL80211_BAND_IFTYPE_ATTR_HE_CAP_MAC,
1980 			    sizeof(he_cap->he_cap_elem.mac_cap_info),
1981 			    he_cap->he_cap_elem.mac_cap_info) ||
1982 		    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_HE_CAP_PHY,
1983 			    sizeof(he_cap->he_cap_elem.phy_cap_info),
1984 			    he_cap->he_cap_elem.phy_cap_info) ||
1985 		    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_HE_CAP_MCS_SET,
1986 			    sizeof(he_cap->he_mcs_nss_supp),
1987 			    &he_cap->he_mcs_nss_supp) ||
1988 		    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_HE_CAP_PPE,
1989 			    sizeof(he_cap->ppe_thres), he_cap->ppe_thres))
1990 			return -ENOBUFS;
1991 	}
1992 
1993 	if (eht_cap->has_eht && he_cap->has_he) {
1994 		u8 mcs_nss_size, ppe_thresh_size;
1995 		u16 ppe_thres_hdr;
1996 		bool is_ap;
1997 
1998 		is_ap = iftdata->types_mask & BIT(NL80211_IFTYPE_AP) ||
1999 			iftdata->types_mask & BIT(NL80211_IFTYPE_P2P_GO);
2000 
2001 		mcs_nss_size =
2002 			ieee80211_eht_mcs_nss_size(&he_cap->he_cap_elem,
2003 						   &eht_cap->eht_cap_elem,
2004 						   is_ap);
2005 
2006 		ppe_thres_hdr = get_unaligned_le16(&eht_cap->eht_ppe_thres[0]);
2007 		ppe_thresh_size =
2008 			ieee80211_eht_ppe_size(ppe_thres_hdr,
2009 					       eht_cap->eht_cap_elem.phy_cap_info);
2010 
2011 		if (nla_put(msg, NL80211_BAND_IFTYPE_ATTR_EHT_CAP_MAC,
2012 			    sizeof(eht_cap->eht_cap_elem.mac_cap_info),
2013 			    eht_cap->eht_cap_elem.mac_cap_info) ||
2014 		    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_EHT_CAP_PHY,
2015 			    sizeof(eht_cap->eht_cap_elem.phy_cap_info),
2016 			    eht_cap->eht_cap_elem.phy_cap_info) ||
2017 		    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_EHT_CAP_MCS_SET,
2018 			    mcs_nss_size, &eht_cap->eht_mcs_nss_supp) ||
2019 		    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_EHT_CAP_PPE,
2020 			    ppe_thresh_size, eht_cap->eht_ppe_thres))
2021 			return -ENOBUFS;
2022 	}
2023 
2024 	if (uhr_cap->has_uhr) {
2025 		if (nla_put(msg, NL80211_BAND_IFTYPE_ATTR_UHR_CAP_MAC,
2026 			    sizeof(uhr_cap->mac), &uhr_cap->mac) ||
2027 		    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_UHR_CAP_PHY,
2028 			    sizeof(uhr_cap->phy), &uhr_cap->phy))
2029 			return -ENOBUFS;
2030 	}
2031 
2032 	if (sband->band == NL80211_BAND_6GHZ &&
2033 	    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_HE_6GHZ_CAPA,
2034 		    sizeof(iftdata->he_6ghz_capa),
2035 		    &iftdata->he_6ghz_capa))
2036 		return -ENOBUFS;
2037 
2038 	if (iftdata->vendor_elems.data && iftdata->vendor_elems.len &&
2039 	    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_VENDOR_ELEMS,
2040 		    iftdata->vendor_elems.len, iftdata->vendor_elems.data))
2041 		return -ENOBUFS;
2042 
2043 	return 0;
2044 }
2045 
2046 static int nl80211_send_band_rateinfo(struct sk_buff *msg,
2047 				      struct ieee80211_supported_band *sband,
2048 				      bool large)
2049 {
2050 	struct nlattr *nl_rates, *nl_rate;
2051 	struct ieee80211_rate *rate;
2052 	int i;
2053 
2054 	/* add HT info */
2055 	if (sband->ht_cap.ht_supported &&
2056 	    (nla_put(msg, NL80211_BAND_ATTR_HT_MCS_SET,
2057 		     sizeof(sband->ht_cap.mcs),
2058 		     &sband->ht_cap.mcs) ||
2059 	     nla_put_u16(msg, NL80211_BAND_ATTR_HT_CAPA,
2060 			 sband->ht_cap.cap) ||
2061 	     nla_put_u8(msg, NL80211_BAND_ATTR_HT_AMPDU_FACTOR,
2062 			sband->ht_cap.ampdu_factor) ||
2063 	     nla_put_u8(msg, NL80211_BAND_ATTR_HT_AMPDU_DENSITY,
2064 			sband->ht_cap.ampdu_density)))
2065 		return -ENOBUFS;
2066 
2067 	/* add VHT info */
2068 	if (sband->vht_cap.vht_supported &&
2069 	    (nla_put(msg, NL80211_BAND_ATTR_VHT_MCS_SET,
2070 		     sizeof(sband->vht_cap.vht_mcs),
2071 		     &sband->vht_cap.vht_mcs) ||
2072 	     nla_put_u32(msg, NL80211_BAND_ATTR_VHT_CAPA,
2073 			 sband->vht_cap.cap)))
2074 		return -ENOBUFS;
2075 
2076 	if (large && sband->n_iftype_data) {
2077 		struct nlattr *nl_iftype_data =
2078 			nla_nest_start_noflag(msg,
2079 					      NL80211_BAND_ATTR_IFTYPE_DATA);
2080 		const struct ieee80211_sband_iftype_data *iftd;
2081 		int err;
2082 
2083 		if (!nl_iftype_data)
2084 			return -ENOBUFS;
2085 
2086 		for_each_sband_iftype_data(sband, i, iftd) {
2087 			struct nlattr *iftdata;
2088 
2089 			iftdata = nla_nest_start_noflag(msg, i + 1);
2090 			if (!iftdata)
2091 				return -ENOBUFS;
2092 
2093 			err = nl80211_send_iftype_data(msg, sband, iftd);
2094 			if (err)
2095 				return err;
2096 
2097 			nla_nest_end(msg, iftdata);
2098 		}
2099 
2100 		nla_nest_end(msg, nl_iftype_data);
2101 	}
2102 
2103 	/* add EDMG info */
2104 	if (large && sband->edmg_cap.channels &&
2105 	    (nla_put_u8(msg, NL80211_BAND_ATTR_EDMG_CHANNELS,
2106 		       sband->edmg_cap.channels) ||
2107 	    nla_put_u8(msg, NL80211_BAND_ATTR_EDMG_BW_CONFIG,
2108 		       sband->edmg_cap.bw_config)))
2109 
2110 		return -ENOBUFS;
2111 
2112 	/* add bitrates */
2113 	nl_rates = nla_nest_start_noflag(msg, NL80211_BAND_ATTR_RATES);
2114 	if (!nl_rates)
2115 		return -ENOBUFS;
2116 
2117 	for (i = 0; i < sband->n_bitrates; i++) {
2118 		nl_rate = nla_nest_start_noflag(msg, i);
2119 		if (!nl_rate)
2120 			return -ENOBUFS;
2121 
2122 		rate = &sband->bitrates[i];
2123 		if (nla_put_u32(msg, NL80211_BITRATE_ATTR_RATE,
2124 				rate->bitrate))
2125 			return -ENOBUFS;
2126 		if ((rate->flags & IEEE80211_RATE_SHORT_PREAMBLE) &&
2127 		    nla_put_flag(msg,
2128 				 NL80211_BITRATE_ATTR_2GHZ_SHORTPREAMBLE))
2129 			return -ENOBUFS;
2130 
2131 		nla_nest_end(msg, nl_rate);
2132 	}
2133 
2134 	nla_nest_end(msg, nl_rates);
2135 
2136 	/* S1G capabilities */
2137 	if (sband->band == NL80211_BAND_S1GHZ && sband->s1g_cap.s1g &&
2138 	    (nla_put(msg, NL80211_BAND_ATTR_S1G_CAPA,
2139 		     sizeof(sband->s1g_cap.cap),
2140 		     sband->s1g_cap.cap) ||
2141 	     nla_put(msg, NL80211_BAND_ATTR_S1G_MCS_NSS_SET,
2142 		     sizeof(sband->s1g_cap.nss_mcs),
2143 		     sband->s1g_cap.nss_mcs)))
2144 		return -ENOBUFS;
2145 
2146 	return 0;
2147 }
2148 
2149 static int
2150 nl80211_send_mgmt_stypes(struct sk_buff *msg,
2151 			 const struct ieee80211_txrx_stypes *mgmt_stypes)
2152 {
2153 	u16 stypes;
2154 	struct nlattr *nl_ftypes, *nl_ifs;
2155 	enum nl80211_iftype ift;
2156 	int i;
2157 
2158 	if (!mgmt_stypes)
2159 		return 0;
2160 
2161 	nl_ifs = nla_nest_start_noflag(msg, NL80211_ATTR_TX_FRAME_TYPES);
2162 	if (!nl_ifs)
2163 		return -ENOBUFS;
2164 
2165 	for (ift = 0; ift < NUM_NL80211_IFTYPES; ift++) {
2166 		nl_ftypes = nla_nest_start_noflag(msg, ift);
2167 		if (!nl_ftypes)
2168 			return -ENOBUFS;
2169 		i = 0;
2170 		stypes = mgmt_stypes[ift].tx;
2171 		while (stypes) {
2172 			if ((stypes & 1) &&
2173 			    nla_put_u16(msg, NL80211_ATTR_FRAME_TYPE,
2174 					(i << 4) | IEEE80211_FTYPE_MGMT))
2175 				return -ENOBUFS;
2176 			stypes >>= 1;
2177 			i++;
2178 		}
2179 		nla_nest_end(msg, nl_ftypes);
2180 	}
2181 
2182 	nla_nest_end(msg, nl_ifs);
2183 
2184 	nl_ifs = nla_nest_start_noflag(msg, NL80211_ATTR_RX_FRAME_TYPES);
2185 	if (!nl_ifs)
2186 		return -ENOBUFS;
2187 
2188 	for (ift = 0; ift < NUM_NL80211_IFTYPES; ift++) {
2189 		nl_ftypes = nla_nest_start_noflag(msg, ift);
2190 		if (!nl_ftypes)
2191 			return -ENOBUFS;
2192 		i = 0;
2193 		stypes = mgmt_stypes[ift].rx;
2194 		while (stypes) {
2195 			if ((stypes & 1) &&
2196 			    nla_put_u16(msg, NL80211_ATTR_FRAME_TYPE,
2197 					(i << 4) | IEEE80211_FTYPE_MGMT))
2198 				return -ENOBUFS;
2199 			stypes >>= 1;
2200 			i++;
2201 		}
2202 		nla_nest_end(msg, nl_ftypes);
2203 	}
2204 	nla_nest_end(msg, nl_ifs);
2205 
2206 	return 0;
2207 }
2208 
2209 #define CMD(op, n)							\
2210 	 do {								\
2211 		if (rdev->ops->op) {					\
2212 			i++;						\
2213 			if (nla_put_u32(msg, i, NL80211_CMD_ ## n)) 	\
2214 				goto nla_put_failure;			\
2215 		}							\
2216 	} while (0)
2217 
2218 static int nl80211_add_commands_unsplit(struct cfg80211_registered_device *rdev,
2219 					struct sk_buff *msg)
2220 {
2221 	int i = 0;
2222 
2223 	/*
2224 	 * do *NOT* add anything into this function, new things need to be
2225 	 * advertised only to new versions of userspace that can deal with
2226 	 * the split (and they can't possibly care about new features...
2227 	 */
2228 	CMD(add_virtual_intf, NEW_INTERFACE);
2229 	CMD(change_virtual_intf, SET_INTERFACE);
2230 	CMD(add_key, NEW_KEY);
2231 	CMD(start_ap, START_AP);
2232 	CMD(add_station, NEW_STATION);
2233 	CMD(add_mpath, NEW_MPATH);
2234 	CMD(update_mesh_config, SET_MESH_CONFIG);
2235 	CMD(change_bss, SET_BSS);
2236 	CMD(auth, AUTHENTICATE);
2237 	CMD(assoc, ASSOCIATE);
2238 	CMD(deauth, DEAUTHENTICATE);
2239 	CMD(disassoc, DISASSOCIATE);
2240 	CMD(join_ibss, JOIN_IBSS);
2241 	CMD(join_mesh, JOIN_MESH);
2242 	CMD(set_pmksa, SET_PMKSA);
2243 	CMD(del_pmksa, DEL_PMKSA);
2244 	CMD(flush_pmksa, FLUSH_PMKSA);
2245 	if (rdev->wiphy.flags & WIPHY_FLAG_HAS_REMAIN_ON_CHANNEL)
2246 		CMD(remain_on_channel, REMAIN_ON_CHANNEL);
2247 	CMD(set_bitrate_mask, SET_TX_BITRATE_MASK);
2248 	CMD(mgmt_tx, FRAME);
2249 	CMD(mgmt_tx_cancel_wait, FRAME_WAIT_CANCEL);
2250 	if (rdev->wiphy.flags & WIPHY_FLAG_NETNS_OK) {
2251 		i++;
2252 		if (nla_put_u32(msg, i, NL80211_CMD_SET_WIPHY_NETNS))
2253 			goto nla_put_failure;
2254 	}
2255 	if (rdev->ops->set_monitor_channel || rdev->ops->start_ap ||
2256 	    rdev->ops->join_mesh) {
2257 		i++;
2258 		if (nla_put_u32(msg, i, NL80211_CMD_SET_CHANNEL))
2259 			goto nla_put_failure;
2260 	}
2261 	if (rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) {
2262 		CMD(tdls_mgmt, TDLS_MGMT);
2263 		CMD(tdls_oper, TDLS_OPER);
2264 	}
2265 	if (rdev->wiphy.max_sched_scan_reqs)
2266 		CMD(sched_scan_start, START_SCHED_SCAN);
2267 	CMD(probe_client, PROBE_CLIENT);
2268 	CMD(set_noack_map, SET_NOACK_MAP);
2269 	if (rdev->wiphy.flags & WIPHY_FLAG_REPORTS_OBSS) {
2270 		i++;
2271 		if (nla_put_u32(msg, i, NL80211_CMD_REGISTER_BEACONS))
2272 			goto nla_put_failure;
2273 	}
2274 	CMD(start_p2p_device, START_P2P_DEVICE);
2275 	CMD(set_mcast_rate, SET_MCAST_RATE);
2276 #ifdef CONFIG_NL80211_TESTMODE
2277 	CMD(testmode_cmd, TESTMODE);
2278 #endif
2279 
2280 	if (rdev->ops->connect || rdev->ops->auth) {
2281 		i++;
2282 		if (nla_put_u32(msg, i, NL80211_CMD_CONNECT))
2283 			goto nla_put_failure;
2284 	}
2285 
2286 	if (rdev->ops->disconnect || rdev->ops->deauth) {
2287 		i++;
2288 		if (nla_put_u32(msg, i, NL80211_CMD_DISCONNECT))
2289 			goto nla_put_failure;
2290 	}
2291 
2292 	return i;
2293  nla_put_failure:
2294 	return -ENOBUFS;
2295 }
2296 
2297 static int
2298 nl80211_send_pmsr_ftm_capa(const struct cfg80211_pmsr_capabilities *cap,
2299 			   struct sk_buff *msg)
2300 {
2301 	struct nlattr *ftm;
2302 
2303 	if (!cap->ftm.supported)
2304 		return 0;
2305 
2306 	ftm = nla_nest_start_noflag(msg, NL80211_PMSR_TYPE_FTM);
2307 	if (!ftm)
2308 		return -ENOBUFS;
2309 
2310 	if (cap->ftm.asap && nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_ASAP))
2311 		return -ENOBUFS;
2312 	if (cap->ftm.non_asap &&
2313 	    nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_NON_ASAP))
2314 		return -ENOBUFS;
2315 	if (cap->ftm.request_lci &&
2316 	    nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_REQ_LCI))
2317 		return -ENOBUFS;
2318 	if (cap->ftm.request_civicloc &&
2319 	    nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_REQ_CIVICLOC))
2320 		return -ENOBUFS;
2321 	if (nla_put_u32(msg, NL80211_PMSR_FTM_CAPA_ATTR_PREAMBLES,
2322 			cap->ftm.preambles))
2323 		return -ENOBUFS;
2324 	if (nla_put_u32(msg, NL80211_PMSR_FTM_CAPA_ATTR_BANDWIDTHS,
2325 			cap->ftm.bandwidths))
2326 		return -ENOBUFS;
2327 	if (cap->ftm.max_bursts_exponent >= 0 &&
2328 	    nla_put_u32(msg, NL80211_PMSR_FTM_CAPA_ATTR_MAX_BURSTS_EXPONENT,
2329 			cap->ftm.max_bursts_exponent))
2330 		return -ENOBUFS;
2331 	if (cap->ftm.max_ftms_per_burst &&
2332 	    nla_put_u32(msg, NL80211_PMSR_FTM_CAPA_ATTR_MAX_FTMS_PER_BURST,
2333 			cap->ftm.max_ftms_per_burst))
2334 		return -ENOBUFS;
2335 	if (cap->ftm.trigger_based &&
2336 	    nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_TRIGGER_BASED))
2337 		return -ENOBUFS;
2338 	if (cap->ftm.non_trigger_based &&
2339 	    nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_NON_TRIGGER_BASED))
2340 		return -ENOBUFS;
2341 	if (cap->ftm.support_6ghz &&
2342 	    nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_6GHZ_SUPPORT))
2343 		return -ENOBUFS;
2344 	if (nla_put_u32(msg, NL80211_PMSR_FTM_CAPA_ATTR_MAX_TX_LTF_REP,
2345 			cap->ftm.max_tx_ltf_rep))
2346 		return -ENOBUFS;
2347 	if (nla_put_u32(msg, NL80211_PMSR_FTM_CAPA_ATTR_MAX_RX_LTF_REP,
2348 			cap->ftm.max_rx_ltf_rep))
2349 		return -ENOBUFS;
2350 	if (nla_put_u32(msg, NL80211_PMSR_FTM_CAPA_ATTR_MAX_TX_STS,
2351 			cap->ftm.max_tx_sts))
2352 		return -ENOBUFS;
2353 	if (nla_put_u32(msg, NL80211_PMSR_FTM_CAPA_ATTR_MAX_RX_STS,
2354 			cap->ftm.max_rx_sts))
2355 		return -ENOBUFS;
2356 	if (cap->ftm.max_total_ltf_tx > 0 &&
2357 	    nla_put_u32(msg, NL80211_PMSR_FTM_CAPA_ATTR_MAX_TOTAL_LTF_TX,
2358 			cap->ftm.max_total_ltf_tx))
2359 		return -ENOBUFS;
2360 	if (cap->ftm.max_total_ltf_rx > 0 &&
2361 	    nla_put_u32(msg, NL80211_PMSR_FTM_CAPA_ATTR_MAX_TOTAL_LTF_RX,
2362 			cap->ftm.max_total_ltf_rx))
2363 		return -ENOBUFS;
2364 	if (cap->ftm.support_rsta &&
2365 	    nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_RSTA_SUPPORT))
2366 		return -ENOBUFS;
2367 
2368 	nla_nest_end(msg, ftm);
2369 	return 0;
2370 }
2371 
2372 static int nl80211_send_pmsr_capa(struct cfg80211_registered_device *rdev,
2373 				  struct sk_buff *msg)
2374 {
2375 	const struct cfg80211_pmsr_capabilities *cap = rdev->wiphy.pmsr_capa;
2376 	struct nlattr *pmsr, *caps;
2377 
2378 	if (!cap)
2379 		return 0;
2380 
2381 	/*
2382 	 * we don't need to clean up anything here since the caller
2383 	 * will genlmsg_cancel() if we fail
2384 	 */
2385 
2386 	pmsr = nla_nest_start_noflag(msg, NL80211_ATTR_PEER_MEASUREMENTS);
2387 	if (!pmsr)
2388 		return -ENOBUFS;
2389 
2390 	if (nla_put_u32(msg, NL80211_PMSR_ATTR_MAX_PEERS, cap->max_peers))
2391 		return -ENOBUFS;
2392 
2393 	if (cap->report_ap_tsf &&
2394 	    nla_put_flag(msg, NL80211_PMSR_ATTR_REPORT_AP_TSF))
2395 		return -ENOBUFS;
2396 
2397 	if (cap->randomize_mac_addr &&
2398 	    nla_put_flag(msg, NL80211_PMSR_ATTR_RANDOMIZE_MAC_ADDR))
2399 		return -ENOBUFS;
2400 
2401 	caps = nla_nest_start_noflag(msg, NL80211_PMSR_ATTR_TYPE_CAPA);
2402 	if (!caps)
2403 		return -ENOBUFS;
2404 
2405 	if (nl80211_send_pmsr_ftm_capa(cap, msg))
2406 		return -ENOBUFS;
2407 
2408 	nla_nest_end(msg, caps);
2409 	nla_nest_end(msg, pmsr);
2410 
2411 	return 0;
2412 }
2413 
2414 static int
2415 nl80211_put_iftype_akm_suites(struct cfg80211_registered_device *rdev,
2416 			      struct sk_buff *msg)
2417 {
2418 	int i;
2419 	struct nlattr *nested, *nested_akms;
2420 	const struct wiphy_iftype_akm_suites *iftype_akms;
2421 
2422 	if (!rdev->wiphy.num_iftype_akm_suites ||
2423 	    !rdev->wiphy.iftype_akm_suites)
2424 		return 0;
2425 
2426 	nested = nla_nest_start(msg, NL80211_ATTR_IFTYPE_AKM_SUITES);
2427 	if (!nested)
2428 		return -ENOBUFS;
2429 
2430 	for (i = 0; i < rdev->wiphy.num_iftype_akm_suites; i++) {
2431 		nested_akms = nla_nest_start(msg, i + 1);
2432 		if (!nested_akms)
2433 			return -ENOBUFS;
2434 
2435 		iftype_akms = &rdev->wiphy.iftype_akm_suites[i];
2436 
2437 		if (nl80211_put_iftypes(msg, NL80211_IFTYPE_AKM_ATTR_IFTYPES,
2438 					iftype_akms->iftypes_mask))
2439 			return -ENOBUFS;
2440 
2441 		if (nla_put(msg, NL80211_IFTYPE_AKM_ATTR_SUITES,
2442 			    sizeof(u32) * iftype_akms->n_akm_suites,
2443 			    iftype_akms->akm_suites)) {
2444 			return -ENOBUFS;
2445 		}
2446 		nla_nest_end(msg, nested_akms);
2447 	}
2448 
2449 	nla_nest_end(msg, nested);
2450 
2451 	return 0;
2452 }
2453 
2454 static int
2455 nl80211_put_tid_config_support(struct cfg80211_registered_device *rdev,
2456 			       struct sk_buff *msg)
2457 {
2458 	struct nlattr *supp;
2459 
2460 	if (!rdev->wiphy.tid_config_support.vif &&
2461 	    !rdev->wiphy.tid_config_support.peer)
2462 		return 0;
2463 
2464 	supp = nla_nest_start(msg, NL80211_ATTR_TID_CONFIG);
2465 	if (!supp)
2466 		return -ENOSPC;
2467 
2468 	if (rdev->wiphy.tid_config_support.vif &&
2469 	    nla_put_u64_64bit(msg, NL80211_TID_CONFIG_ATTR_VIF_SUPP,
2470 			      rdev->wiphy.tid_config_support.vif,
2471 			      NL80211_TID_CONFIG_ATTR_PAD))
2472 		goto fail;
2473 
2474 	if (rdev->wiphy.tid_config_support.peer &&
2475 	    nla_put_u64_64bit(msg, NL80211_TID_CONFIG_ATTR_PEER_SUPP,
2476 			      rdev->wiphy.tid_config_support.peer,
2477 			      NL80211_TID_CONFIG_ATTR_PAD))
2478 		goto fail;
2479 
2480 	/* for now we just use the same value ... makes more sense */
2481 	if (nla_put_u8(msg, NL80211_TID_CONFIG_ATTR_RETRY_SHORT,
2482 		       rdev->wiphy.tid_config_support.max_retry))
2483 		goto fail;
2484 	if (nla_put_u8(msg, NL80211_TID_CONFIG_ATTR_RETRY_LONG,
2485 		       rdev->wiphy.tid_config_support.max_retry))
2486 		goto fail;
2487 
2488 	nla_nest_end(msg, supp);
2489 
2490 	return 0;
2491 fail:
2492 	nla_nest_cancel(msg, supp);
2493 	return -ENOBUFS;
2494 }
2495 
2496 static int
2497 nl80211_put_sar_specs(struct cfg80211_registered_device *rdev,
2498 		      struct sk_buff *msg)
2499 {
2500 	struct nlattr *sar_capa, *specs, *sub_freq_range;
2501 	u8 num_freq_ranges;
2502 	int i;
2503 
2504 	if (!rdev->wiphy.sar_capa)
2505 		return 0;
2506 
2507 	num_freq_ranges = rdev->wiphy.sar_capa->num_freq_ranges;
2508 
2509 	sar_capa = nla_nest_start(msg, NL80211_ATTR_SAR_SPEC);
2510 	if (!sar_capa)
2511 		return -ENOSPC;
2512 
2513 	if (nla_put_u32(msg, NL80211_SAR_ATTR_TYPE, rdev->wiphy.sar_capa->type))
2514 		goto fail;
2515 
2516 	specs = nla_nest_start(msg, NL80211_SAR_ATTR_SPECS);
2517 	if (!specs)
2518 		goto fail;
2519 
2520 	/* report supported freq_ranges */
2521 	for (i = 0; i < num_freq_ranges; i++) {
2522 		sub_freq_range = nla_nest_start(msg, i + 1);
2523 		if (!sub_freq_range)
2524 			goto fail;
2525 
2526 		if (nla_put_u32(msg, NL80211_SAR_ATTR_SPECS_START_FREQ,
2527 				rdev->wiphy.sar_capa->freq_ranges[i].start_freq))
2528 			goto fail;
2529 
2530 		if (nla_put_u32(msg, NL80211_SAR_ATTR_SPECS_END_FREQ,
2531 				rdev->wiphy.sar_capa->freq_ranges[i].end_freq))
2532 			goto fail;
2533 
2534 		nla_nest_end(msg, sub_freq_range);
2535 	}
2536 
2537 	nla_nest_end(msg, specs);
2538 	nla_nest_end(msg, sar_capa);
2539 
2540 	return 0;
2541 fail:
2542 	nla_nest_cancel(msg, sar_capa);
2543 	return -ENOBUFS;
2544 }
2545 
2546 static int nl80211_put_mbssid_support(struct wiphy *wiphy, struct sk_buff *msg)
2547 {
2548 	struct nlattr *config;
2549 
2550 	if (!wiphy->mbssid_max_interfaces)
2551 		return 0;
2552 
2553 	config = nla_nest_start(msg, NL80211_ATTR_MBSSID_CONFIG);
2554 	if (!config)
2555 		return -ENOBUFS;
2556 
2557 	if (nla_put_u8(msg, NL80211_MBSSID_CONFIG_ATTR_MAX_INTERFACES,
2558 		       wiphy->mbssid_max_interfaces))
2559 		goto fail;
2560 
2561 	if (wiphy->ema_max_profile_periodicity &&
2562 	    nla_put_u8(msg,
2563 		       NL80211_MBSSID_CONFIG_ATTR_MAX_EMA_PROFILE_PERIODICITY,
2564 		       wiphy->ema_max_profile_periodicity))
2565 		goto fail;
2566 
2567 	nla_nest_end(msg, config);
2568 	return 0;
2569 
2570 fail:
2571 	nla_nest_cancel(msg, config);
2572 	return -ENOBUFS;
2573 }
2574 
2575 static int nl80211_put_radio(struct wiphy *wiphy, struct sk_buff *msg, int idx)
2576 {
2577 	const struct wiphy_radio *r = &wiphy->radio[idx];
2578 	const struct wiphy_radio_cfg *rcfg = &wiphy->radio_cfg[idx];
2579 	struct nlattr *radio, *freq;
2580 	int i;
2581 
2582 	radio = nla_nest_start(msg, idx);
2583 	if (!radio)
2584 		return -ENOBUFS;
2585 
2586 	if (nla_put_u32(msg, NL80211_WIPHY_RADIO_ATTR_INDEX, idx))
2587 		goto nla_put_failure;
2588 
2589 	if (rcfg->rts_threshold &&
2590 	    nla_put_u32(msg, NL80211_WIPHY_RADIO_ATTR_RTS_THRESHOLD,
2591 			rcfg->rts_threshold))
2592 		goto nla_put_failure;
2593 
2594 	if (r->antenna_mask &&
2595 	    nla_put_u32(msg, NL80211_WIPHY_RADIO_ATTR_ANTENNA_MASK,
2596 			r->antenna_mask))
2597 		goto nla_put_failure;
2598 
2599 	for (i = 0; i < r->n_freq_range; i++) {
2600 		const struct wiphy_radio_freq_range *range = &r->freq_range[i];
2601 
2602 		freq = nla_nest_start(msg, NL80211_WIPHY_RADIO_ATTR_FREQ_RANGE);
2603 		if (!freq)
2604 			goto nla_put_failure;
2605 
2606 		if (nla_put_u32(msg, NL80211_WIPHY_RADIO_FREQ_ATTR_START,
2607 				range->start_freq) ||
2608 		    nla_put_u32(msg, NL80211_WIPHY_RADIO_FREQ_ATTR_END,
2609 				range->end_freq))
2610 			goto nla_put_failure;
2611 
2612 		nla_nest_end(msg, freq);
2613 	}
2614 
2615 	for (i = 0; i < r->n_iface_combinations; i++)
2616 		if (nl80211_put_ifcomb_data(msg, true,
2617 					    NL80211_WIPHY_RADIO_ATTR_INTERFACE_COMBINATION,
2618 					    &r->iface_combinations[i],
2619 					    NLA_F_NESTED))
2620 			goto nla_put_failure;
2621 
2622 	nla_nest_end(msg, radio);
2623 
2624 	return 0;
2625 
2626 nla_put_failure:
2627 	return -ENOBUFS;
2628 }
2629 
2630 static int nl80211_put_radios(struct wiphy *wiphy, struct sk_buff *msg)
2631 {
2632 	struct nlattr *radios;
2633 	int i;
2634 
2635 	if (!wiphy->n_radio)
2636 		return 0;
2637 
2638 	radios = nla_nest_start(msg, NL80211_ATTR_WIPHY_RADIOS);
2639 	if (!radios)
2640 		return -ENOBUFS;
2641 
2642 	for (i = 0; i < wiphy->n_radio; i++)
2643 		if (nl80211_put_radio(wiphy, msg, i))
2644 			goto fail;
2645 
2646 	nla_nest_end(msg, radios);
2647 
2648 	if (nl80211_put_iface_combinations(wiphy, msg,
2649 					   NL80211_ATTR_WIPHY_INTERFACE_COMBINATIONS,
2650 					   -1, true, NLA_F_NESTED))
2651 		return -ENOBUFS;
2652 
2653 	return 0;
2654 
2655 fail:
2656 	nla_nest_cancel(msg, radios);
2657 	return -ENOBUFS;
2658 }
2659 
2660 static int nl80211_put_nan_capa(struct wiphy *wiphy, struct sk_buff *msg)
2661 {
2662 	struct nlattr *nan_caps;
2663 
2664 	nan_caps = nla_nest_start(msg, NL80211_ATTR_NAN_CAPABILITIES);
2665 	if (!nan_caps)
2666 		return -ENOBUFS;
2667 
2668 	if (wiphy->nan_capa.flags & WIPHY_NAN_FLAGS_CONFIGURABLE_SYNC &&
2669 	    nla_put_flag(msg, NL80211_NAN_CAPA_CONFIGURABLE_SYNC))
2670 		goto fail;
2671 
2672 	if ((wiphy->nan_capa.flags & WIPHY_NAN_FLAGS_USERSPACE_DE) &&
2673 	    nla_put_flag(msg, NL80211_NAN_CAPA_USERSPACE_DE))
2674 		goto fail;
2675 
2676 	if (nla_put_u8(msg, NL80211_NAN_CAPA_OP_MODE,
2677 		       wiphy->nan_capa.op_mode) ||
2678 	    nla_put_u8(msg, NL80211_NAN_CAPA_NUM_ANTENNAS,
2679 		       wiphy->nan_capa.n_antennas) ||
2680 	    nla_put_u16(msg, NL80211_NAN_CAPA_MAX_CHANNEL_SWITCH_TIME,
2681 			wiphy->nan_capa.max_channel_switch_time) ||
2682 	    nla_put_u8(msg, NL80211_NAN_CAPA_CAPABILITIES,
2683 		       wiphy->nan_capa.dev_capabilities))
2684 		goto fail;
2685 
2686 	nla_nest_end(msg, nan_caps);
2687 
2688 	return 0;
2689 
2690 fail:
2691 	nla_nest_cancel(msg, nan_caps);
2692 	return -ENOBUFS;
2693 }
2694 
2695 struct nl80211_dump_wiphy_state {
2696 	s64 filter_wiphy;
2697 	long start;
2698 	long split_start, band_start, chan_start, capa_start;
2699 	bool split;
2700 };
2701 
2702 static int nl80211_send_wiphy(struct cfg80211_registered_device *rdev,
2703 			      enum nl80211_commands cmd,
2704 			      struct sk_buff *msg, u32 portid, u32 seq,
2705 			      int flags, struct nl80211_dump_wiphy_state *state)
2706 {
2707 	void *hdr;
2708 	struct nlattr *nl_bands, *nl_band;
2709 	struct nlattr *nl_freqs, *nl_freq;
2710 	struct nlattr *nl_cmds;
2711 	enum nl80211_band band;
2712 	struct ieee80211_channel *chan;
2713 	int i;
2714 	const struct ieee80211_txrx_stypes *mgmt_stypes =
2715 				rdev->wiphy.mgmt_stypes;
2716 	u32 features;
2717 
2718 	hdr = nl80211hdr_put(msg, portid, seq, flags, cmd);
2719 	if (!hdr)
2720 		return -ENOBUFS;
2721 
2722 	if (WARN_ON(!state))
2723 		return -EINVAL;
2724 
2725 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
2726 	    nla_put_string(msg, NL80211_ATTR_WIPHY_NAME,
2727 			   wiphy_name(&rdev->wiphy)) ||
2728 	    nla_put_u32(msg, NL80211_ATTR_GENERATION,
2729 			cfg80211_rdev_list_generation))
2730 		goto nla_put_failure;
2731 
2732 	if (cmd != NL80211_CMD_NEW_WIPHY)
2733 		goto finish;
2734 
2735 	switch (state->split_start) {
2736 	case 0:
2737 		if (nla_put_u8(msg, NL80211_ATTR_WIPHY_RETRY_SHORT,
2738 			       rdev->wiphy.retry_short) ||
2739 		    nla_put_u8(msg, NL80211_ATTR_WIPHY_RETRY_LONG,
2740 			       rdev->wiphy.retry_long) ||
2741 		    nla_put_u32(msg, NL80211_ATTR_WIPHY_FRAG_THRESHOLD,
2742 				rdev->wiphy.frag_threshold) ||
2743 		    nla_put_u32(msg, NL80211_ATTR_WIPHY_RTS_THRESHOLD,
2744 				rdev->wiphy.rts_threshold) ||
2745 		    nla_put_u8(msg, NL80211_ATTR_WIPHY_COVERAGE_CLASS,
2746 			       rdev->wiphy.coverage_class) ||
2747 		    nla_put_u8(msg, NL80211_ATTR_MAX_NUM_SCAN_SSIDS,
2748 			       rdev->wiphy.max_scan_ssids) ||
2749 		    nla_put_u8(msg, NL80211_ATTR_MAX_NUM_SCHED_SCAN_SSIDS,
2750 			       rdev->wiphy.max_sched_scan_ssids) ||
2751 		    nla_put_u16(msg, NL80211_ATTR_MAX_SCAN_IE_LEN,
2752 				rdev->wiphy.max_scan_ie_len) ||
2753 		    nla_put_u16(msg, NL80211_ATTR_MAX_SCHED_SCAN_IE_LEN,
2754 				rdev->wiphy.max_sched_scan_ie_len) ||
2755 		    nla_put_u8(msg, NL80211_ATTR_MAX_MATCH_SETS,
2756 			       rdev->wiphy.max_match_sets))
2757 			goto nla_put_failure;
2758 
2759 		if ((rdev->wiphy.flags & WIPHY_FLAG_IBSS_RSN) &&
2760 		    nla_put_flag(msg, NL80211_ATTR_SUPPORT_IBSS_RSN))
2761 			goto nla_put_failure;
2762 		if ((rdev->wiphy.flags & WIPHY_FLAG_MESH_AUTH) &&
2763 		    nla_put_flag(msg, NL80211_ATTR_SUPPORT_MESH_AUTH))
2764 			goto nla_put_failure;
2765 		if ((rdev->wiphy.flags & WIPHY_FLAG_AP_UAPSD) &&
2766 		    nla_put_flag(msg, NL80211_ATTR_SUPPORT_AP_UAPSD))
2767 			goto nla_put_failure;
2768 		if ((rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_FW_ROAM) &&
2769 		    nla_put_flag(msg, NL80211_ATTR_ROAM_SUPPORT))
2770 			goto nla_put_failure;
2771 		if ((rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) &&
2772 		    nla_put_flag(msg, NL80211_ATTR_TDLS_SUPPORT))
2773 			goto nla_put_failure;
2774 		if ((rdev->wiphy.flags & WIPHY_FLAG_TDLS_EXTERNAL_SETUP) &&
2775 		    nla_put_flag(msg, NL80211_ATTR_TDLS_EXTERNAL_SETUP))
2776 			goto nla_put_failure;
2777 		state->split_start++;
2778 		if (state->split)
2779 			break;
2780 		fallthrough;
2781 	case 1:
2782 		if (nla_put(msg, NL80211_ATTR_CIPHER_SUITES,
2783 			    sizeof(u32) * rdev->wiphy.n_cipher_suites,
2784 			    rdev->wiphy.cipher_suites))
2785 			goto nla_put_failure;
2786 
2787 		if (nla_put_u8(msg, NL80211_ATTR_MAX_NUM_PMKIDS,
2788 			       rdev->wiphy.max_num_pmkids))
2789 			goto nla_put_failure;
2790 
2791 		if ((rdev->wiphy.flags & WIPHY_FLAG_CONTROL_PORT_PROTOCOL) &&
2792 		    nla_put_flag(msg, NL80211_ATTR_CONTROL_PORT_ETHERTYPE))
2793 			goto nla_put_failure;
2794 
2795 		if (nla_put_u32(msg, NL80211_ATTR_WIPHY_ANTENNA_AVAIL_TX,
2796 				rdev->wiphy.available_antennas_tx) ||
2797 		    nla_put_u32(msg, NL80211_ATTR_WIPHY_ANTENNA_AVAIL_RX,
2798 				rdev->wiphy.available_antennas_rx))
2799 			goto nla_put_failure;
2800 
2801 		if ((rdev->wiphy.flags & WIPHY_FLAG_AP_PROBE_RESP_OFFLOAD) &&
2802 		    nla_put_u32(msg, NL80211_ATTR_PROBE_RESP_OFFLOAD,
2803 				rdev->wiphy.probe_resp_offload))
2804 			goto nla_put_failure;
2805 
2806 		if ((rdev->wiphy.available_antennas_tx ||
2807 		     rdev->wiphy.available_antennas_rx) &&
2808 		    rdev->ops->get_antenna) {
2809 			u32 tx_ant = 0, rx_ant = 0;
2810 			int res;
2811 
2812 			res = rdev_get_antenna(rdev, -1, &tx_ant, &rx_ant);
2813 			if (!res) {
2814 				if (nla_put_u32(msg,
2815 						NL80211_ATTR_WIPHY_ANTENNA_TX,
2816 						tx_ant) ||
2817 				    nla_put_u32(msg,
2818 						NL80211_ATTR_WIPHY_ANTENNA_RX,
2819 						rx_ant))
2820 					goto nla_put_failure;
2821 			}
2822 		}
2823 
2824 		state->split_start++;
2825 		if (state->split)
2826 			break;
2827 		fallthrough;
2828 	case 2:
2829 		if (nl80211_put_iftypes(msg, NL80211_ATTR_SUPPORTED_IFTYPES,
2830 					rdev->wiphy.interface_modes))
2831 				goto nla_put_failure;
2832 		state->split_start++;
2833 		if (state->split)
2834 			break;
2835 		fallthrough;
2836 	case 3:
2837 		nl_bands = nla_nest_start_noflag(msg,
2838 						 NL80211_ATTR_WIPHY_BANDS);
2839 		if (!nl_bands)
2840 			goto nla_put_failure;
2841 
2842 		for (band = state->band_start;
2843 		     band < (state->split ?
2844 				NUM_NL80211_BANDS :
2845 				NL80211_BAND_60GHZ + 1);
2846 		     band++) {
2847 			struct ieee80211_supported_band *sband;
2848 
2849 			/* omit higher bands for ancient software */
2850 			if (band > NL80211_BAND_5GHZ && !state->split)
2851 				break;
2852 
2853 			sband = rdev->wiphy.bands[band];
2854 
2855 			if (!sband)
2856 				continue;
2857 
2858 			nl_band = nla_nest_start_noflag(msg, band);
2859 			if (!nl_band)
2860 				goto nla_put_failure;
2861 
2862 			switch (state->chan_start) {
2863 			case 0:
2864 				if (nl80211_send_band_rateinfo(msg, sband,
2865 							       state->split))
2866 					goto nla_put_failure;
2867 				state->chan_start++;
2868 				if (state->split)
2869 					break;
2870 				fallthrough;
2871 			default:
2872 				/* add frequencies */
2873 				nl_freqs = nla_nest_start_noflag(msg,
2874 								 NL80211_BAND_ATTR_FREQS);
2875 				if (!nl_freqs)
2876 					goto nla_put_failure;
2877 
2878 				for (i = state->chan_start - 1;
2879 				     i < sband->n_channels;
2880 				     i++) {
2881 					nl_freq = nla_nest_start_noflag(msg,
2882 									i);
2883 					if (!nl_freq)
2884 						goto nla_put_failure;
2885 
2886 					chan = &sband->channels[i];
2887 
2888 					if (nl80211_msg_put_channel(
2889 							msg, &rdev->wiphy, chan,
2890 							state->split))
2891 						goto nla_put_failure;
2892 
2893 					nla_nest_end(msg, nl_freq);
2894 					if (state->split)
2895 						break;
2896 				}
2897 				if (i < sband->n_channels)
2898 					state->chan_start = i + 2;
2899 				else
2900 					state->chan_start = 0;
2901 				nla_nest_end(msg, nl_freqs);
2902 			}
2903 
2904 			nla_nest_end(msg, nl_band);
2905 
2906 			if (state->split) {
2907 				/* start again here */
2908 				if (state->chan_start)
2909 					band--;
2910 				break;
2911 			}
2912 		}
2913 		nla_nest_end(msg, nl_bands);
2914 
2915 		if (band < NUM_NL80211_BANDS)
2916 			state->band_start = band + 1;
2917 		else
2918 			state->band_start = 0;
2919 
2920 		/* if bands & channels are done, continue outside */
2921 		if (state->band_start == 0 && state->chan_start == 0)
2922 			state->split_start++;
2923 		if (state->split)
2924 			break;
2925 		fallthrough;
2926 	case 4:
2927 		nl_cmds = nla_nest_start_noflag(msg,
2928 						NL80211_ATTR_SUPPORTED_COMMANDS);
2929 		if (!nl_cmds)
2930 			goto nla_put_failure;
2931 
2932 		i = nl80211_add_commands_unsplit(rdev, msg);
2933 		if (i < 0)
2934 			goto nla_put_failure;
2935 		if (state->split) {
2936 			CMD(crit_proto_start, CRIT_PROTOCOL_START);
2937 			CMD(crit_proto_stop, CRIT_PROTOCOL_STOP);
2938 			if (rdev->wiphy.flags & WIPHY_FLAG_HAS_CHANNEL_SWITCH)
2939 				CMD(channel_switch, CHANNEL_SWITCH);
2940 			CMD(set_qos_map, SET_QOS_MAP);
2941 			if (rdev->wiphy.features &
2942 					NL80211_FEATURE_SUPPORTS_WMM_ADMISSION)
2943 				CMD(add_tx_ts, ADD_TX_TS);
2944 			CMD(set_multicast_to_unicast, SET_MULTICAST_TO_UNICAST);
2945 			CMD(update_connect_params, UPDATE_CONNECT_PARAMS);
2946 			CMD(update_ft_ies, UPDATE_FT_IES);
2947 			if (rdev->wiphy.sar_capa)
2948 				CMD(set_sar_specs, SET_SAR_SPECS);
2949 			CMD(assoc_ml_reconf, ASSOC_MLO_RECONF);
2950 		}
2951 #undef CMD
2952 
2953 		nla_nest_end(msg, nl_cmds);
2954 		state->split_start++;
2955 		if (state->split)
2956 			break;
2957 		fallthrough;
2958 	case 5:
2959 		if (rdev->ops->remain_on_channel &&
2960 		    (rdev->wiphy.flags & WIPHY_FLAG_HAS_REMAIN_ON_CHANNEL) &&
2961 		    nla_put_u32(msg,
2962 				NL80211_ATTR_MAX_REMAIN_ON_CHANNEL_DURATION,
2963 				rdev->wiphy.max_remain_on_channel_duration))
2964 			goto nla_put_failure;
2965 
2966 		if ((rdev->wiphy.flags & WIPHY_FLAG_OFFCHAN_TX) &&
2967 		    nla_put_flag(msg, NL80211_ATTR_OFFCHANNEL_TX_OK))
2968 			goto nla_put_failure;
2969 
2970 		state->split_start++;
2971 		if (state->split)
2972 			break;
2973 		fallthrough;
2974 	case 6:
2975 #ifdef CONFIG_PM
2976 		if (nl80211_send_wowlan(msg, rdev, state->split))
2977 			goto nla_put_failure;
2978 		state->split_start++;
2979 		if (state->split)
2980 			break;
2981 #else
2982 		state->split_start++;
2983 #endif
2984 		fallthrough;
2985 	case 7:
2986 		if (nl80211_put_iftypes(msg, NL80211_ATTR_SOFTWARE_IFTYPES,
2987 					rdev->wiphy.software_iftypes))
2988 			goto nla_put_failure;
2989 
2990 		if (nl80211_put_iface_combinations(&rdev->wiphy, msg,
2991 						   NL80211_ATTR_INTERFACE_COMBINATIONS,
2992 						   rdev->wiphy.n_radio ? 0 : -1,
2993 						   state->split, 0))
2994 			goto nla_put_failure;
2995 
2996 		state->split_start++;
2997 		if (state->split)
2998 			break;
2999 		fallthrough;
3000 	case 8:
3001 		if ((rdev->wiphy.flags & WIPHY_FLAG_HAVE_AP_SME) &&
3002 		    nla_put_u32(msg, NL80211_ATTR_DEVICE_AP_SME,
3003 				rdev->wiphy.ap_sme_capa))
3004 			goto nla_put_failure;
3005 
3006 		features = rdev->wiphy.features;
3007 		/*
3008 		 * We can only add the per-channel limit information if the
3009 		 * dump is split, otherwise it makes it too big. Therefore
3010 		 * only advertise it in that case.
3011 		 */
3012 		if (state->split)
3013 			features |= NL80211_FEATURE_ADVERTISE_CHAN_LIMITS;
3014 		if (nla_put_u32(msg, NL80211_ATTR_FEATURE_FLAGS, features))
3015 			goto nla_put_failure;
3016 
3017 		if (rdev->wiphy.ht_capa_mod_mask &&
3018 		    nla_put(msg, NL80211_ATTR_HT_CAPABILITY_MASK,
3019 			    sizeof(*rdev->wiphy.ht_capa_mod_mask),
3020 			    rdev->wiphy.ht_capa_mod_mask))
3021 			goto nla_put_failure;
3022 
3023 		if (rdev->wiphy.flags & WIPHY_FLAG_HAVE_AP_SME &&
3024 		    rdev->wiphy.max_acl_mac_addrs &&
3025 		    nla_put_u32(msg, NL80211_ATTR_MAC_ACL_MAX,
3026 				rdev->wiphy.max_acl_mac_addrs))
3027 			goto nla_put_failure;
3028 
3029 		/*
3030 		 * Any information below this point is only available to
3031 		 * applications that can deal with it being split. This
3032 		 * helps ensure that newly added capabilities don't break
3033 		 * older tools by overrunning their buffers.
3034 		 *
3035 		 * We still increment split_start so that in the split
3036 		 * case we'll continue with more data in the next round,
3037 		 * but break unconditionally so unsplit data stops here.
3038 		 */
3039 		if (state->split)
3040 			state->split_start++;
3041 		else
3042 			state->split_start = 0;
3043 		break;
3044 	case 9:
3045 		if (nl80211_send_mgmt_stypes(msg, mgmt_stypes))
3046 			goto nla_put_failure;
3047 
3048 		if (nla_put_u32(msg, NL80211_ATTR_MAX_NUM_SCHED_SCAN_PLANS,
3049 				rdev->wiphy.max_sched_scan_plans) ||
3050 		    nla_put_u32(msg, NL80211_ATTR_MAX_SCAN_PLAN_INTERVAL,
3051 				rdev->wiphy.max_sched_scan_plan_interval) ||
3052 		    nla_put_u32(msg, NL80211_ATTR_MAX_SCAN_PLAN_ITERATIONS,
3053 				rdev->wiphy.max_sched_scan_plan_iterations))
3054 			goto nla_put_failure;
3055 
3056 		if (rdev->wiphy.extended_capabilities &&
3057 		    (nla_put(msg, NL80211_ATTR_EXT_CAPA,
3058 			     rdev->wiphy.extended_capabilities_len,
3059 			     rdev->wiphy.extended_capabilities) ||
3060 		     nla_put(msg, NL80211_ATTR_EXT_CAPA_MASK,
3061 			     rdev->wiphy.extended_capabilities_len,
3062 			     rdev->wiphy.extended_capabilities_mask)))
3063 			goto nla_put_failure;
3064 
3065 		if (rdev->wiphy.vht_capa_mod_mask &&
3066 		    nla_put(msg, NL80211_ATTR_VHT_CAPABILITY_MASK,
3067 			    sizeof(*rdev->wiphy.vht_capa_mod_mask),
3068 			    rdev->wiphy.vht_capa_mod_mask))
3069 			goto nla_put_failure;
3070 
3071 		if (nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN,
3072 			    rdev->wiphy.perm_addr))
3073 			goto nla_put_failure;
3074 
3075 		if (!is_zero_ether_addr(rdev->wiphy.addr_mask) &&
3076 		    nla_put(msg, NL80211_ATTR_MAC_MASK, ETH_ALEN,
3077 			    rdev->wiphy.addr_mask))
3078 			goto nla_put_failure;
3079 
3080 		if (rdev->wiphy.n_addresses > 1) {
3081 			void *attr;
3082 
3083 			attr = nla_nest_start(msg, NL80211_ATTR_MAC_ADDRS);
3084 			if (!attr)
3085 				goto nla_put_failure;
3086 
3087 			for (i = 0; i < rdev->wiphy.n_addresses; i++)
3088 				if (nla_put(msg, i + 1, ETH_ALEN,
3089 					    rdev->wiphy.addresses[i].addr))
3090 					goto nla_put_failure;
3091 
3092 			nla_nest_end(msg, attr);
3093 		}
3094 
3095 		state->split_start++;
3096 		break;
3097 	case 10:
3098 		if (nl80211_send_coalesce(msg, rdev))
3099 			goto nla_put_failure;
3100 
3101 		if ((rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_5_10_MHZ) &&
3102 		    (nla_put_flag(msg, NL80211_ATTR_SUPPORT_5_MHZ) ||
3103 		     nla_put_flag(msg, NL80211_ATTR_SUPPORT_10_MHZ)))
3104 			goto nla_put_failure;
3105 
3106 		if (rdev->wiphy.max_ap_assoc_sta &&
3107 		    nla_put_u32(msg, NL80211_ATTR_MAX_AP_ASSOC_STA,
3108 				rdev->wiphy.max_ap_assoc_sta))
3109 			goto nla_put_failure;
3110 
3111 		state->split_start++;
3112 		break;
3113 	case 11:
3114 		if (rdev->wiphy.n_vendor_commands) {
3115 			const struct nl80211_vendor_cmd_info *info;
3116 			struct nlattr *nested;
3117 
3118 			nested = nla_nest_start_noflag(msg,
3119 						       NL80211_ATTR_VENDOR_DATA);
3120 			if (!nested)
3121 				goto nla_put_failure;
3122 
3123 			for (i = 0; i < rdev->wiphy.n_vendor_commands; i++) {
3124 				info = &rdev->wiphy.vendor_commands[i].info;
3125 				if (nla_put(msg, i + 1, sizeof(*info), info))
3126 					goto nla_put_failure;
3127 			}
3128 			nla_nest_end(msg, nested);
3129 		}
3130 
3131 		if (rdev->wiphy.n_vendor_events) {
3132 			const struct nl80211_vendor_cmd_info *info;
3133 			struct nlattr *nested;
3134 
3135 			nested = nla_nest_start_noflag(msg,
3136 						       NL80211_ATTR_VENDOR_EVENTS);
3137 			if (!nested)
3138 				goto nla_put_failure;
3139 
3140 			for (i = 0; i < rdev->wiphy.n_vendor_events; i++) {
3141 				info = &rdev->wiphy.vendor_events[i];
3142 				if (nla_put(msg, i + 1, sizeof(*info), info))
3143 					goto nla_put_failure;
3144 			}
3145 			nla_nest_end(msg, nested);
3146 		}
3147 		state->split_start++;
3148 		break;
3149 	case 12:
3150 		if (rdev->wiphy.flags & WIPHY_FLAG_HAS_CHANNEL_SWITCH &&
3151 		    nla_put_u8(msg, NL80211_ATTR_MAX_CSA_COUNTERS,
3152 			       rdev->wiphy.max_num_csa_counters))
3153 			goto nla_put_failure;
3154 
3155 		if (rdev->wiphy.regulatory_flags & REGULATORY_WIPHY_SELF_MANAGED &&
3156 		    nla_put_flag(msg, NL80211_ATTR_WIPHY_SELF_MANAGED_REG))
3157 			goto nla_put_failure;
3158 
3159 		if (rdev->wiphy.max_sched_scan_reqs &&
3160 		    nla_put_u32(msg, NL80211_ATTR_SCHED_SCAN_MAX_REQS,
3161 				rdev->wiphy.max_sched_scan_reqs))
3162 			goto nla_put_failure;
3163 
3164 		if (nla_put(msg, NL80211_ATTR_EXT_FEATURES,
3165 			    sizeof(rdev->wiphy.ext_features),
3166 			    rdev->wiphy.ext_features))
3167 			goto nla_put_failure;
3168 
3169 		if (rdev->wiphy.bss_param_support) {
3170 			struct nlattr *nested;
3171 			u32 parsup = rdev->wiphy.bss_param_support;
3172 
3173 			nested = nla_nest_start(msg, NL80211_ATTR_BSS_PARAM);
3174 			if (!nested)
3175 				goto nla_put_failure;
3176 
3177 			if ((parsup & WIPHY_BSS_PARAM_CTS_PROT) &&
3178 			    nla_put_flag(msg, NL80211_ATTR_BSS_CTS_PROT))
3179 				goto nla_put_failure;
3180 			if ((parsup & WIPHY_BSS_PARAM_SHORT_PREAMBLE) &&
3181 			    nla_put_flag(msg, NL80211_ATTR_BSS_SHORT_PREAMBLE))
3182 				goto nla_put_failure;
3183 			if ((parsup & WIPHY_BSS_PARAM_SHORT_SLOT_TIME) &&
3184 			    nla_put_flag(msg, NL80211_ATTR_BSS_SHORT_SLOT_TIME))
3185 				goto nla_put_failure;
3186 			if ((parsup & WIPHY_BSS_PARAM_BASIC_RATES) &&
3187 			    nla_put_flag(msg, NL80211_ATTR_BSS_BASIC_RATES))
3188 				goto nla_put_failure;
3189 			if ((parsup & WIPHY_BSS_PARAM_AP_ISOLATE) &&
3190 			    nla_put_flag(msg, NL80211_ATTR_AP_ISOLATE))
3191 				goto nla_put_failure;
3192 			if ((parsup & WIPHY_BSS_PARAM_HT_OPMODE) &&
3193 			    nla_put_flag(msg, NL80211_ATTR_BSS_HT_OPMODE))
3194 				goto nla_put_failure;
3195 			if ((parsup & WIPHY_BSS_PARAM_P2P_CTWINDOW) &&
3196 			    nla_put_flag(msg, NL80211_ATTR_P2P_CTWINDOW))
3197 				goto nla_put_failure;
3198 			if ((parsup & WIPHY_BSS_PARAM_P2P_OPPPS) &&
3199 			    nla_put_flag(msg, NL80211_ATTR_P2P_OPPPS))
3200 				goto nla_put_failure;
3201 			nla_nest_end(msg, nested);
3202 		}
3203 		if (rdev->wiphy.bss_select_support) {
3204 			struct nlattr *nested;
3205 			u32 bss_select_support = rdev->wiphy.bss_select_support;
3206 
3207 			nested = nla_nest_start_noflag(msg,
3208 						       NL80211_ATTR_BSS_SELECT);
3209 			if (!nested)
3210 				goto nla_put_failure;
3211 
3212 			i = 0;
3213 			while (bss_select_support) {
3214 				if ((bss_select_support & 1) &&
3215 				    nla_put_flag(msg, i))
3216 					goto nla_put_failure;
3217 				i++;
3218 				bss_select_support >>= 1;
3219 			}
3220 			nla_nest_end(msg, nested);
3221 		}
3222 
3223 		state->split_start++;
3224 		break;
3225 	case 13:
3226 		if (rdev->wiphy.num_iftype_ext_capab &&
3227 		    rdev->wiphy.iftype_ext_capab) {
3228 			struct nlattr *nested_ext_capab, *nested;
3229 
3230 			nested = nla_nest_start_noflag(msg,
3231 						       NL80211_ATTR_IFTYPE_EXT_CAPA);
3232 			if (!nested)
3233 				goto nla_put_failure;
3234 
3235 			for (i = state->capa_start;
3236 			     i < rdev->wiphy.num_iftype_ext_capab; i++) {
3237 				const struct wiphy_iftype_ext_capab *capab;
3238 
3239 				capab = &rdev->wiphy.iftype_ext_capab[i];
3240 
3241 				nested_ext_capab = nla_nest_start_noflag(msg,
3242 									 i);
3243 				if (!nested_ext_capab ||
3244 				    nla_put_u32(msg, NL80211_ATTR_IFTYPE,
3245 						capab->iftype) ||
3246 				    nla_put(msg, NL80211_ATTR_EXT_CAPA,
3247 					    capab->extended_capabilities_len,
3248 					    capab->extended_capabilities) ||
3249 				    nla_put(msg, NL80211_ATTR_EXT_CAPA_MASK,
3250 					    capab->extended_capabilities_len,
3251 					    capab->extended_capabilities_mask))
3252 					goto nla_put_failure;
3253 
3254 				if (rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_MLO &&
3255 				    (nla_put_u16(msg,
3256 						 NL80211_ATTR_EML_CAPABILITY,
3257 						 capab->eml_capabilities) ||
3258 				     nla_put_u16(msg,
3259 						 NL80211_ATTR_MLD_CAPA_AND_OPS,
3260 						 capab->mld_capa_and_ops)))
3261 					goto nla_put_failure;
3262 
3263 				nla_nest_end(msg, nested_ext_capab);
3264 				if (state->split)
3265 					break;
3266 			}
3267 			nla_nest_end(msg, nested);
3268 			if (i < rdev->wiphy.num_iftype_ext_capab) {
3269 				state->capa_start = i + 1;
3270 				break;
3271 			}
3272 		}
3273 
3274 		if (nla_put_u32(msg, NL80211_ATTR_BANDS,
3275 				rdev->wiphy.nan_supported_bands))
3276 			goto nla_put_failure;
3277 
3278 		if (wiphy_ext_feature_isset(&rdev->wiphy,
3279 					    NL80211_EXT_FEATURE_TXQS)) {
3280 			struct cfg80211_txq_stats txqstats = {};
3281 			int res;
3282 
3283 			res = rdev_get_txq_stats(rdev, NULL, &txqstats);
3284 			if (!res &&
3285 			    !nl80211_put_txq_stats(msg, &txqstats,
3286 						   NL80211_ATTR_TXQ_STATS))
3287 				goto nla_put_failure;
3288 
3289 			if (nla_put_u32(msg, NL80211_ATTR_TXQ_LIMIT,
3290 					rdev->wiphy.txq_limit))
3291 				goto nla_put_failure;
3292 			if (nla_put_u32(msg, NL80211_ATTR_TXQ_MEMORY_LIMIT,
3293 					rdev->wiphy.txq_memory_limit))
3294 				goto nla_put_failure;
3295 			if (nla_put_u32(msg, NL80211_ATTR_TXQ_QUANTUM,
3296 					rdev->wiphy.txq_quantum))
3297 				goto nla_put_failure;
3298 		}
3299 
3300 		state->split_start++;
3301 		break;
3302 	case 14:
3303 		if (nl80211_send_pmsr_capa(rdev, msg))
3304 			goto nla_put_failure;
3305 
3306 		state->split_start++;
3307 		break;
3308 	case 15:
3309 		if (rdev->wiphy.akm_suites &&
3310 		    nla_put(msg, NL80211_ATTR_AKM_SUITES,
3311 			    sizeof(u32) * rdev->wiphy.n_akm_suites,
3312 			    rdev->wiphy.akm_suites))
3313 			goto nla_put_failure;
3314 
3315 		if (nl80211_put_iftype_akm_suites(rdev, msg))
3316 			goto nla_put_failure;
3317 
3318 		if (nl80211_put_tid_config_support(rdev, msg))
3319 			goto nla_put_failure;
3320 		state->split_start++;
3321 		break;
3322 	case 16:
3323 		if (nl80211_put_sar_specs(rdev, msg))
3324 			goto nla_put_failure;
3325 
3326 		if (nl80211_put_mbssid_support(&rdev->wiphy, msg))
3327 			goto nla_put_failure;
3328 
3329 		if (nla_put_u16(msg, NL80211_ATTR_MAX_NUM_AKM_SUITES,
3330 				rdev->wiphy.max_num_akm_suites))
3331 			goto nla_put_failure;
3332 
3333 		if (rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_MLO)
3334 			nla_put_flag(msg, NL80211_ATTR_MLO_SUPPORT);
3335 
3336 		if (rdev->wiphy.hw_timestamp_max_peers &&
3337 		    nla_put_u16(msg, NL80211_ATTR_MAX_HW_TIMESTAMP_PEERS,
3338 				rdev->wiphy.hw_timestamp_max_peers))
3339 			goto nla_put_failure;
3340 
3341 		state->split_start++;
3342 		break;
3343 	case 17:
3344 		if (nl80211_put_radios(&rdev->wiphy, msg))
3345 			goto nla_put_failure;
3346 
3347 		state->split_start++;
3348 		break;
3349 	case 18:
3350 		if (nl80211_put_nan_capa(&rdev->wiphy, msg))
3351 			goto nla_put_failure;
3352 
3353 		/* done */
3354 		state->split_start = 0;
3355 		break;
3356 	}
3357  finish:
3358 	genlmsg_end(msg, hdr);
3359 	return 0;
3360 
3361  nla_put_failure:
3362 	genlmsg_cancel(msg, hdr);
3363 	return -EMSGSIZE;
3364 }
3365 
3366 static int nl80211_dump_wiphy_parse(struct sk_buff *skb,
3367 				    struct netlink_callback *cb,
3368 				    struct nl80211_dump_wiphy_state *state)
3369 {
3370 	struct nlattr **tb = kcalloc(NUM_NL80211_ATTR, sizeof(*tb), GFP_KERNEL);
3371 	int ret;
3372 
3373 	if (!tb)
3374 		return -ENOMEM;
3375 
3376 	ret = nlmsg_parse_deprecated(cb->nlh,
3377 				     GENL_HDRLEN + nl80211_fam.hdrsize,
3378 				     tb, nl80211_fam.maxattr,
3379 				     nl80211_policy, NULL);
3380 	/* ignore parse errors for backward compatibility */
3381 	if (ret) {
3382 		ret = 0;
3383 		goto out;
3384 	}
3385 
3386 	state->split = tb[NL80211_ATTR_SPLIT_WIPHY_DUMP];
3387 	if (tb[NL80211_ATTR_WIPHY])
3388 		state->filter_wiphy = nla_get_u32(tb[NL80211_ATTR_WIPHY]);
3389 	if (tb[NL80211_ATTR_WDEV])
3390 		state->filter_wiphy = nla_get_u64(tb[NL80211_ATTR_WDEV]) >> 32;
3391 	if (tb[NL80211_ATTR_IFINDEX]) {
3392 		struct net_device *netdev;
3393 		struct cfg80211_registered_device *rdev;
3394 		int ifidx = nla_get_u32(tb[NL80211_ATTR_IFINDEX]);
3395 
3396 		netdev = __dev_get_by_index(sock_net(skb->sk), ifidx);
3397 		if (!netdev) {
3398 			ret = -ENODEV;
3399 			goto out;
3400 		}
3401 		if (netdev->ieee80211_ptr) {
3402 			rdev = wiphy_to_rdev(
3403 				netdev->ieee80211_ptr->wiphy);
3404 			state->filter_wiphy = rdev->wiphy_idx;
3405 		}
3406 	}
3407 
3408 	ret = 0;
3409 out:
3410 	kfree(tb);
3411 	return ret;
3412 }
3413 
3414 static int nl80211_dump_wiphy(struct sk_buff *skb, struct netlink_callback *cb)
3415 {
3416 	int idx = 0, ret;
3417 	struct nl80211_dump_wiphy_state *state = (void *)cb->args[0];
3418 	struct cfg80211_registered_device *rdev;
3419 
3420 	rtnl_lock();
3421 	if (!state) {
3422 		state = kzalloc(sizeof(*state), GFP_KERNEL);
3423 		if (!state) {
3424 			rtnl_unlock();
3425 			return -ENOMEM;
3426 		}
3427 		state->filter_wiphy = -1;
3428 		ret = nl80211_dump_wiphy_parse(skb, cb, state);
3429 		if (ret) {
3430 			kfree(state);
3431 			rtnl_unlock();
3432 			return ret;
3433 		}
3434 		cb->args[0] = (long)state;
3435 	}
3436 
3437 	for_each_rdev(rdev) {
3438 		if (!net_eq(wiphy_net(&rdev->wiphy), sock_net(skb->sk)))
3439 			continue;
3440 		if (++idx <= state->start)
3441 			continue;
3442 		if (state->filter_wiphy != -1 &&
3443 		    state->filter_wiphy != rdev->wiphy_idx)
3444 			continue;
3445 		wiphy_lock(&rdev->wiphy);
3446 		/* attempt to fit multiple wiphy data chunks into the skb */
3447 		do {
3448 			ret = nl80211_send_wiphy(rdev, NL80211_CMD_NEW_WIPHY,
3449 						 skb,
3450 						 NETLINK_CB(cb->skb).portid,
3451 						 cb->nlh->nlmsg_seq,
3452 						 NLM_F_MULTI, state);
3453 			if (ret < 0) {
3454 				/*
3455 				 * If sending the wiphy data didn't fit (ENOBUFS
3456 				 * or EMSGSIZE returned), this SKB is still
3457 				 * empty (so it's not too big because another
3458 				 * wiphy dataset is already in the skb) and
3459 				 * we've not tried to adjust the dump allocation
3460 				 * yet ... then adjust the alloc size to be
3461 				 * bigger, and return 1 but with the empty skb.
3462 				 * This results in an empty message being RX'ed
3463 				 * in userspace, but that is ignored.
3464 				 *
3465 				 * We can then retry with the larger buffer.
3466 				 */
3467 				if ((ret == -ENOBUFS || ret == -EMSGSIZE) &&
3468 				    !skb->len && !state->split &&
3469 				    cb->min_dump_alloc < 4096) {
3470 					cb->min_dump_alloc = 4096;
3471 					state->split_start = 0;
3472 					wiphy_unlock(&rdev->wiphy);
3473 					rtnl_unlock();
3474 					return 1;
3475 				}
3476 				idx--;
3477 				break;
3478 			}
3479 		} while (state->split_start > 0);
3480 		wiphy_unlock(&rdev->wiphy);
3481 		break;
3482 	}
3483 	rtnl_unlock();
3484 
3485 	state->start = idx;
3486 
3487 	return skb->len;
3488 }
3489 
3490 static int nl80211_dump_wiphy_done(struct netlink_callback *cb)
3491 {
3492 	kfree((void *)cb->args[0]);
3493 	return 0;
3494 }
3495 
3496 static int nl80211_get_wiphy(struct sk_buff *skb, struct genl_info *info)
3497 {
3498 	struct sk_buff *msg;
3499 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
3500 	struct nl80211_dump_wiphy_state state = {};
3501 
3502 	msg = nlmsg_new(4096, GFP_KERNEL);
3503 	if (!msg)
3504 		return -ENOMEM;
3505 
3506 	if (nl80211_send_wiphy(rdev, NL80211_CMD_NEW_WIPHY, msg,
3507 			       info->snd_portid, info->snd_seq, 0,
3508 			       &state) < 0) {
3509 		nlmsg_free(msg);
3510 		return -ENOBUFS;
3511 	}
3512 
3513 	return genlmsg_reply(msg, info);
3514 }
3515 
3516 static const struct nla_policy txq_params_policy[NL80211_TXQ_ATTR_MAX + 1] = {
3517 	[NL80211_TXQ_ATTR_QUEUE]		= { .type = NLA_U8 },
3518 	[NL80211_TXQ_ATTR_TXOP]			= { .type = NLA_U16 },
3519 	[NL80211_TXQ_ATTR_CWMIN]		= { .type = NLA_U16 },
3520 	[NL80211_TXQ_ATTR_CWMAX]		= { .type = NLA_U16 },
3521 	[NL80211_TXQ_ATTR_AIFS]			= { .type = NLA_U8 },
3522 };
3523 
3524 static int parse_txq_params(struct nlattr *tb[],
3525 			    struct ieee80211_txq_params *txq_params)
3526 {
3527 	u8 ac;
3528 
3529 	if (!tb[NL80211_TXQ_ATTR_AC] || !tb[NL80211_TXQ_ATTR_TXOP] ||
3530 	    !tb[NL80211_TXQ_ATTR_CWMIN] || !tb[NL80211_TXQ_ATTR_CWMAX] ||
3531 	    !tb[NL80211_TXQ_ATTR_AIFS])
3532 		return -EINVAL;
3533 
3534 	ac = nla_get_u8(tb[NL80211_TXQ_ATTR_AC]);
3535 	txq_params->txop = nla_get_u16(tb[NL80211_TXQ_ATTR_TXOP]);
3536 	txq_params->cwmin = nla_get_u16(tb[NL80211_TXQ_ATTR_CWMIN]);
3537 	txq_params->cwmax = nla_get_u16(tb[NL80211_TXQ_ATTR_CWMAX]);
3538 	txq_params->aifs = nla_get_u8(tb[NL80211_TXQ_ATTR_AIFS]);
3539 
3540 	if (ac >= NL80211_NUM_ACS)
3541 		return -EINVAL;
3542 	txq_params->ac = array_index_nospec(ac, NL80211_NUM_ACS);
3543 	return 0;
3544 }
3545 
3546 static bool nl80211_can_set_dev_channel(struct wireless_dev *wdev)
3547 {
3548 	/*
3549 	 * You can only set the channel explicitly for some interfaces,
3550 	 * most have their channel managed via their respective
3551 	 * "establish a connection" command (connect, join, ...)
3552 	 *
3553 	 * For AP/GO and mesh mode, the channel can be set with the
3554 	 * channel userspace API, but is only stored and passed to the
3555 	 * low-level driver when the AP starts or the mesh is joined.
3556 	 * This is for backward compatibility, userspace can also give
3557 	 * the channel in the start-ap or join-mesh commands instead.
3558 	 *
3559 	 * Monitors are special as they are normally slaved to
3560 	 * whatever else is going on, so they have their own special
3561 	 * operation to set the monitor channel if possible.
3562 	 */
3563 	return !wdev ||
3564 		wdev->iftype == NL80211_IFTYPE_AP ||
3565 		wdev->iftype == NL80211_IFTYPE_MESH_POINT ||
3566 		wdev->iftype == NL80211_IFTYPE_MONITOR ||
3567 		wdev->iftype == NL80211_IFTYPE_P2P_GO;
3568 }
3569 
3570 static int _nl80211_parse_chandef(struct cfg80211_registered_device *rdev,
3571 				  struct genl_info *info, bool monitor,
3572 				  struct cfg80211_chan_def *chandef)
3573 {
3574 	struct netlink_ext_ack *extack = info->extack;
3575 	struct nlattr **attrs = info->attrs;
3576 	u32 control_freq;
3577 
3578 	if (!attrs[NL80211_ATTR_WIPHY_FREQ]) {
3579 		NL_SET_ERR_MSG_ATTR(extack, attrs[NL80211_ATTR_WIPHY_FREQ],
3580 				    "Frequency is missing");
3581 		return -EINVAL;
3582 	}
3583 
3584 	control_freq = MHZ_TO_KHZ(
3585 			nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ]));
3586 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET])
3587 		control_freq +=
3588 		    nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET]);
3589 
3590 	memset(chandef, 0, sizeof(*chandef));
3591 	chandef->chan = ieee80211_get_channel_khz(&rdev->wiphy, control_freq);
3592 	chandef->width = NL80211_CHAN_WIDTH_20_NOHT;
3593 	chandef->center_freq1 = KHZ_TO_MHZ(control_freq);
3594 	chandef->freq1_offset = control_freq % 1000;
3595 	chandef->center_freq2 = 0;
3596 	chandef->s1g_primary_2mhz = false;
3597 
3598 	if (!chandef->chan) {
3599 		NL_SET_ERR_MSG_ATTR(extack, attrs[NL80211_ATTR_WIPHY_FREQ],
3600 				    "Unknown channel");
3601 		return -EINVAL;
3602 	}
3603 
3604 	if (cfg80211_chandef_is_s1g(chandef))
3605 		chandef->width = NL80211_CHAN_WIDTH_1;
3606 
3607 	if (attrs[NL80211_ATTR_WIPHY_CHANNEL_TYPE]) {
3608 		enum nl80211_channel_type chantype;
3609 
3610 		chantype = nla_get_u32(attrs[NL80211_ATTR_WIPHY_CHANNEL_TYPE]);
3611 
3612 		switch (chantype) {
3613 		case NL80211_CHAN_NO_HT:
3614 		case NL80211_CHAN_HT20:
3615 		case NL80211_CHAN_HT40PLUS:
3616 		case NL80211_CHAN_HT40MINUS:
3617 			cfg80211_chandef_create(chandef, chandef->chan,
3618 						chantype);
3619 			/* user input for center_freq is incorrect */
3620 			if (attrs[NL80211_ATTR_CENTER_FREQ1] &&
3621 			    chandef->center_freq1 != nla_get_u32(attrs[NL80211_ATTR_CENTER_FREQ1])) {
3622 				NL_SET_ERR_MSG_ATTR(extack,
3623 						    attrs[NL80211_ATTR_CENTER_FREQ1],
3624 						    "bad center frequency 1");
3625 				return -EINVAL;
3626 			}
3627 			/* center_freq2 must be zero */
3628 			if (attrs[NL80211_ATTR_CENTER_FREQ2] &&
3629 			    nla_get_u32(attrs[NL80211_ATTR_CENTER_FREQ2])) {
3630 				NL_SET_ERR_MSG_ATTR(extack,
3631 						    attrs[NL80211_ATTR_CENTER_FREQ2],
3632 						    "center frequency 2 can't be used");
3633 				return -EINVAL;
3634 			}
3635 			break;
3636 		default:
3637 			NL_SET_ERR_MSG_ATTR(extack,
3638 					    attrs[NL80211_ATTR_WIPHY_CHANNEL_TYPE],
3639 					    "invalid channel type");
3640 			return -EINVAL;
3641 		}
3642 	} else if (attrs[NL80211_ATTR_CHANNEL_WIDTH]) {
3643 		chandef->width = nla_get_u32(attrs[NL80211_ATTR_CHANNEL_WIDTH]);
3644 		if (attrs[NL80211_ATTR_CENTER_FREQ1]) {
3645 			chandef->center_freq1 =
3646 				nla_get_u32(attrs[NL80211_ATTR_CENTER_FREQ1]);
3647 			chandef->freq1_offset = nla_get_u32_default(
3648 				attrs[NL80211_ATTR_CENTER_FREQ1_OFFSET], 0);
3649 		}
3650 
3651 		if (attrs[NL80211_ATTR_CENTER_FREQ2])
3652 			chandef->center_freq2 =
3653 				nla_get_u32(attrs[NL80211_ATTR_CENTER_FREQ2]);
3654 
3655 		chandef->s1g_primary_2mhz = nla_get_flag(
3656 			attrs[NL80211_ATTR_S1G_PRIMARY_2MHZ]);
3657 	}
3658 
3659 	if (info->attrs[NL80211_ATTR_WIPHY_EDMG_CHANNELS]) {
3660 		chandef->edmg.channels =
3661 		      nla_get_u8(info->attrs[NL80211_ATTR_WIPHY_EDMG_CHANNELS]);
3662 
3663 		if (info->attrs[NL80211_ATTR_WIPHY_EDMG_BW_CONFIG])
3664 			chandef->edmg.bw_config =
3665 		     nla_get_u8(info->attrs[NL80211_ATTR_WIPHY_EDMG_BW_CONFIG]);
3666 	} else {
3667 		chandef->edmg.bw_config = 0;
3668 		chandef->edmg.channels = 0;
3669 	}
3670 
3671 	if (info->attrs[NL80211_ATTR_PUNCT_BITMAP]) {
3672 		chandef->punctured =
3673 			nla_get_u32(info->attrs[NL80211_ATTR_PUNCT_BITMAP]);
3674 
3675 		if (chandef->punctured &&
3676 		    !wiphy_ext_feature_isset(&rdev->wiphy,
3677 					     NL80211_EXT_FEATURE_PUNCT)) {
3678 			NL_SET_ERR_MSG(extack,
3679 				       "driver doesn't support puncturing");
3680 			return -EINVAL;
3681 		}
3682 	}
3683 
3684 	if (!cfg80211_chandef_valid(chandef)) {
3685 		NL_SET_ERR_MSG(extack, "invalid channel definition");
3686 		return -EINVAL;
3687 	}
3688 
3689 	if (!_cfg80211_chandef_usable(&rdev->wiphy, chandef,
3690 				      IEEE80211_CHAN_DISABLED,
3691 				      monitor ? IEEE80211_CHAN_CAN_MONITOR : 0)) {
3692 		NL_SET_ERR_MSG(extack, "(extension) channel is disabled");
3693 		return -EINVAL;
3694 	}
3695 
3696 	if ((chandef->width == NL80211_CHAN_WIDTH_5 ||
3697 	     chandef->width == NL80211_CHAN_WIDTH_10) &&
3698 	    !(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_5_10_MHZ)) {
3699 		NL_SET_ERR_MSG(extack, "5/10 MHz not supported");
3700 		return -EINVAL;
3701 	}
3702 
3703 	return 0;
3704 }
3705 
3706 int nl80211_parse_chandef(struct cfg80211_registered_device *rdev,
3707 			  struct genl_info *info,
3708 			  struct cfg80211_chan_def *chandef)
3709 {
3710 	return _nl80211_parse_chandef(rdev, info, false, chandef);
3711 }
3712 
3713 static int __nl80211_set_channel(struct cfg80211_registered_device *rdev,
3714 				 struct net_device *dev,
3715 				 struct genl_info *info,
3716 				 int _link_id)
3717 {
3718 	struct cfg80211_chan_def chandef;
3719 	int result;
3720 	enum nl80211_iftype iftype = NL80211_IFTYPE_MONITOR;
3721 	struct wireless_dev *wdev = NULL;
3722 	int link_id = _link_id;
3723 
3724 	if (dev)
3725 		wdev = dev->ieee80211_ptr;
3726 	if (!nl80211_can_set_dev_channel(wdev))
3727 		return -EOPNOTSUPP;
3728 	if (wdev)
3729 		iftype = wdev->iftype;
3730 
3731 	if (link_id < 0) {
3732 		if (wdev && wdev->valid_links)
3733 			return -EINVAL;
3734 		link_id = 0;
3735 	}
3736 
3737 	result = _nl80211_parse_chandef(rdev, info,
3738 					iftype == NL80211_IFTYPE_MONITOR,
3739 					&chandef);
3740 	if (result)
3741 		return result;
3742 
3743 	switch (iftype) {
3744 	case NL80211_IFTYPE_AP:
3745 	case NL80211_IFTYPE_P2P_GO:
3746 		if (!cfg80211_reg_can_beacon_relax(&rdev->wiphy, &chandef,
3747 						   iftype))
3748 			return -EINVAL;
3749 		if (wdev->links[link_id].ap.beacon_interval) {
3750 			struct ieee80211_channel *cur_chan;
3751 
3752 			if (!dev || !rdev->ops->set_ap_chanwidth ||
3753 			    !(rdev->wiphy.features &
3754 			      NL80211_FEATURE_AP_MODE_CHAN_WIDTH_CHANGE))
3755 				return -EBUSY;
3756 
3757 			/* Only allow dynamic channel width changes */
3758 			cur_chan = wdev->links[link_id].ap.chandef.chan;
3759 			if (chandef.chan != cur_chan)
3760 				return -EBUSY;
3761 
3762 			/* only allow this for regular channel widths */
3763 			switch (wdev->links[link_id].ap.chandef.width) {
3764 			case NL80211_CHAN_WIDTH_20_NOHT:
3765 			case NL80211_CHAN_WIDTH_20:
3766 			case NL80211_CHAN_WIDTH_40:
3767 			case NL80211_CHAN_WIDTH_80:
3768 			case NL80211_CHAN_WIDTH_80P80:
3769 			case NL80211_CHAN_WIDTH_160:
3770 			case NL80211_CHAN_WIDTH_320:
3771 				break;
3772 			default:
3773 				return -EINVAL;
3774 			}
3775 
3776 			switch (chandef.width) {
3777 			case NL80211_CHAN_WIDTH_20_NOHT:
3778 			case NL80211_CHAN_WIDTH_20:
3779 			case NL80211_CHAN_WIDTH_40:
3780 			case NL80211_CHAN_WIDTH_80:
3781 			case NL80211_CHAN_WIDTH_80P80:
3782 			case NL80211_CHAN_WIDTH_160:
3783 			case NL80211_CHAN_WIDTH_320:
3784 				break;
3785 			default:
3786 				return -EINVAL;
3787 			}
3788 
3789 			result = rdev_set_ap_chanwidth(rdev, dev, link_id,
3790 						       &chandef);
3791 			if (result)
3792 				return result;
3793 			wdev->links[link_id].ap.chandef = chandef;
3794 		} else {
3795 			wdev->u.ap.preset_chandef = chandef;
3796 		}
3797 		return 0;
3798 	case NL80211_IFTYPE_MESH_POINT:
3799 		return cfg80211_set_mesh_channel(rdev, wdev, &chandef);
3800 	case NL80211_IFTYPE_MONITOR:
3801 		return cfg80211_set_monitor_channel(rdev, dev, &chandef);
3802 	default:
3803 		break;
3804 	}
3805 
3806 	return -EINVAL;
3807 }
3808 
3809 static int nl80211_set_channel(struct sk_buff *skb, struct genl_info *info)
3810 {
3811 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
3812 	int link_id = nl80211_link_id_or_invalid(info->attrs);
3813 	struct net_device *netdev = info->user_ptr[1];
3814 
3815 	return __nl80211_set_channel(rdev, netdev, info, link_id);
3816 }
3817 
3818 static int nl80211_set_wiphy_radio(struct genl_info *info,
3819 				   struct cfg80211_registered_device *rdev,
3820 				   int radio_idx)
3821 {
3822 	u32 rts_threshold = 0, old_rts, changed = 0;
3823 	int result;
3824 
3825 	if (!rdev->ops->set_wiphy_params)
3826 		return -EOPNOTSUPP;
3827 
3828 	if (info->attrs[NL80211_ATTR_WIPHY_RTS_THRESHOLD]) {
3829 		rts_threshold = nla_get_u32(
3830 				info->attrs[NL80211_ATTR_WIPHY_RTS_THRESHOLD]);
3831 		changed |= WIPHY_PARAM_RTS_THRESHOLD;
3832 	}
3833 
3834 	old_rts = rdev->wiphy.radio_cfg[radio_idx].rts_threshold;
3835 
3836 	rdev->wiphy.radio_cfg[radio_idx].rts_threshold = rts_threshold;
3837 
3838 	result = rdev_set_wiphy_params(rdev, radio_idx, changed);
3839 	if (result)
3840 		rdev->wiphy.radio_cfg[radio_idx].rts_threshold = old_rts;
3841 
3842 	return 0;
3843 }
3844 
3845 static int nl80211_set_wiphy(struct sk_buff *skb, struct genl_info *info)
3846 {
3847 	struct cfg80211_registered_device *rdev = NULL;
3848 	struct net_device *netdev = NULL;
3849 	struct wireless_dev *wdev;
3850 	int result = 0, rem_txq_params = 0;
3851 	struct nlattr *nl_txq_params;
3852 	u32 changed;
3853 	u8 retry_short = 0, retry_long = 0;
3854 	u32 frag_threshold = 0, rts_threshold = 0;
3855 	u8 coverage_class = 0;
3856 	u32 txq_limit = 0, txq_memory_limit = 0, txq_quantum = 0;
3857 	int radio_idx = -1;
3858 
3859 	rtnl_lock();
3860 	/*
3861 	 * Try to find the wiphy and netdev. Normally this
3862 	 * function shouldn't need the netdev, but this is
3863 	 * done for backward compatibility -- previously
3864 	 * setting the channel was done per wiphy, but now
3865 	 * it is per netdev. Previous userland like hostapd
3866 	 * also passed a netdev to set_wiphy, so that it is
3867 	 * possible to let that go to the right netdev!
3868 	 */
3869 
3870 	if (info->attrs[NL80211_ATTR_IFINDEX]) {
3871 		int ifindex = nla_get_u32(info->attrs[NL80211_ATTR_IFINDEX]);
3872 
3873 		netdev = __dev_get_by_index(genl_info_net(info), ifindex);
3874 		if (netdev && netdev->ieee80211_ptr)
3875 			rdev = wiphy_to_rdev(netdev->ieee80211_ptr->wiphy);
3876 		else
3877 			netdev = NULL;
3878 	}
3879 
3880 	if (!netdev) {
3881 		rdev = __cfg80211_rdev_from_attrs(genl_info_net(info),
3882 						  info->attrs);
3883 		if (IS_ERR(rdev)) {
3884 			rtnl_unlock();
3885 			return PTR_ERR(rdev);
3886 		}
3887 		wdev = NULL;
3888 		netdev = NULL;
3889 		result = 0;
3890 	} else
3891 		wdev = netdev->ieee80211_ptr;
3892 
3893 	guard(wiphy)(&rdev->wiphy);
3894 
3895 	/*
3896 	 * end workaround code, by now the rdev is available
3897 	 * and locked, and wdev may or may not be NULL.
3898 	 */
3899 
3900 	if (info->attrs[NL80211_ATTR_WIPHY_NAME])
3901 		result = cfg80211_dev_rename(
3902 			rdev, nla_data(info->attrs[NL80211_ATTR_WIPHY_NAME]));
3903 	rtnl_unlock();
3904 
3905 	if (result)
3906 		return result;
3907 
3908 	if (info->attrs[NL80211_ATTR_WIPHY_RADIO_INDEX]) {
3909 		/* Radio idx is not expected for non-multi radio wiphy */
3910 		if (rdev->wiphy.n_radio <= 0)
3911 			return -EINVAL;
3912 
3913 		radio_idx = nla_get_u8(
3914 				info->attrs[NL80211_ATTR_WIPHY_RADIO_INDEX]);
3915 		if (radio_idx >= rdev->wiphy.n_radio)
3916 			return -EINVAL;
3917 
3918 		return nl80211_set_wiphy_radio(info, rdev, radio_idx);
3919 	}
3920 
3921 	if (info->attrs[NL80211_ATTR_WIPHY_TXQ_PARAMS]) {
3922 		struct ieee80211_txq_params txq_params;
3923 		struct nlattr *tb[NL80211_TXQ_ATTR_MAX + 1];
3924 
3925 		if (!rdev->ops->set_txq_params)
3926 			return -EOPNOTSUPP;
3927 
3928 		if (!netdev)
3929 			return -EINVAL;
3930 
3931 		if (netdev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
3932 		    netdev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
3933 			return -EINVAL;
3934 
3935 		if (!netif_running(netdev))
3936 			return -ENETDOWN;
3937 
3938 		nla_for_each_nested(nl_txq_params,
3939 				    info->attrs[NL80211_ATTR_WIPHY_TXQ_PARAMS],
3940 				    rem_txq_params) {
3941 			result = nla_parse_nested_deprecated(tb,
3942 							     NL80211_TXQ_ATTR_MAX,
3943 							     nl_txq_params,
3944 							     txq_params_policy,
3945 							     info->extack);
3946 			if (result)
3947 				return result;
3948 
3949 			result = parse_txq_params(tb, &txq_params);
3950 			if (result)
3951 				return result;
3952 
3953 			txq_params.link_id =
3954 				nl80211_link_id_or_invalid(info->attrs);
3955 
3956 			if (txq_params.link_id >= 0 &&
3957 			    !(netdev->ieee80211_ptr->valid_links &
3958 			      BIT(txq_params.link_id)))
3959 				result = -ENOLINK;
3960 			else if (txq_params.link_id >= 0 &&
3961 				 !netdev->ieee80211_ptr->valid_links)
3962 				result = -EINVAL;
3963 			else
3964 				result = rdev_set_txq_params(rdev, netdev,
3965 							     &txq_params);
3966 			if (result)
3967 				return result;
3968 		}
3969 	}
3970 
3971 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
3972 		int link_id = nl80211_link_id_or_invalid(info->attrs);
3973 
3974 		if (wdev) {
3975 			result = __nl80211_set_channel(
3976 				rdev,
3977 				nl80211_can_set_dev_channel(wdev) ? netdev : NULL,
3978 				info, link_id);
3979 		} else {
3980 			result = __nl80211_set_channel(rdev, netdev, info, link_id);
3981 		}
3982 
3983 		if (result)
3984 			return result;
3985 	}
3986 
3987 	if (info->attrs[NL80211_ATTR_WIPHY_TX_POWER_SETTING]) {
3988 		struct wireless_dev *txp_wdev = wdev;
3989 		enum nl80211_tx_power_setting type;
3990 		int idx, mbm = 0;
3991 
3992 		if (!(rdev->wiphy.features & NL80211_FEATURE_VIF_TXPOWER))
3993 			txp_wdev = NULL;
3994 
3995 		if (!rdev->ops->set_tx_power)
3996 			return -EOPNOTSUPP;
3997 
3998 		idx = NL80211_ATTR_WIPHY_TX_POWER_SETTING;
3999 		type = nla_get_u32(info->attrs[idx]);
4000 
4001 		if (!info->attrs[NL80211_ATTR_WIPHY_TX_POWER_LEVEL] &&
4002 		    (type != NL80211_TX_POWER_AUTOMATIC))
4003 			return -EINVAL;
4004 
4005 		if (type != NL80211_TX_POWER_AUTOMATIC) {
4006 			idx = NL80211_ATTR_WIPHY_TX_POWER_LEVEL;
4007 			mbm = nla_get_u32(info->attrs[idx]);
4008 		}
4009 
4010 		result = rdev_set_tx_power(rdev, txp_wdev, radio_idx, type,
4011 					   mbm);
4012 		if (result)
4013 			return result;
4014 	}
4015 
4016 	if (info->attrs[NL80211_ATTR_WIPHY_ANTENNA_TX] &&
4017 	    info->attrs[NL80211_ATTR_WIPHY_ANTENNA_RX]) {
4018 		u32 tx_ant, rx_ant;
4019 
4020 		if ((!rdev->wiphy.available_antennas_tx &&
4021 		     !rdev->wiphy.available_antennas_rx) ||
4022 		    !rdev->ops->set_antenna)
4023 			return -EOPNOTSUPP;
4024 
4025 		tx_ant = nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_ANTENNA_TX]);
4026 		rx_ant = nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_ANTENNA_RX]);
4027 
4028 		/* reject antenna configurations which don't match the
4029 		 * available antenna masks, except for the "all" mask */
4030 		if ((~tx_ant && (tx_ant & ~rdev->wiphy.available_antennas_tx)) ||
4031 		    (~rx_ant && (rx_ant & ~rdev->wiphy.available_antennas_rx)))
4032 			return -EINVAL;
4033 
4034 		tx_ant = tx_ant & rdev->wiphy.available_antennas_tx;
4035 		rx_ant = rx_ant & rdev->wiphy.available_antennas_rx;
4036 
4037 		result = rdev_set_antenna(rdev, radio_idx, tx_ant, rx_ant);
4038 		if (result)
4039 			return result;
4040 	}
4041 
4042 	changed = 0;
4043 
4044 	if (info->attrs[NL80211_ATTR_WIPHY_RETRY_SHORT]) {
4045 		retry_short = nla_get_u8(
4046 			info->attrs[NL80211_ATTR_WIPHY_RETRY_SHORT]);
4047 
4048 		changed |= WIPHY_PARAM_RETRY_SHORT;
4049 	}
4050 
4051 	if (info->attrs[NL80211_ATTR_WIPHY_RETRY_LONG]) {
4052 		retry_long = nla_get_u8(
4053 			info->attrs[NL80211_ATTR_WIPHY_RETRY_LONG]);
4054 
4055 		changed |= WIPHY_PARAM_RETRY_LONG;
4056 	}
4057 
4058 	if (info->attrs[NL80211_ATTR_WIPHY_FRAG_THRESHOLD]) {
4059 		frag_threshold = nla_get_u32(
4060 			info->attrs[NL80211_ATTR_WIPHY_FRAG_THRESHOLD]);
4061 		if (frag_threshold < 256)
4062 			return -EINVAL;
4063 
4064 		if (frag_threshold != (u32) -1) {
4065 			/*
4066 			 * Fragments (apart from the last one) are required to
4067 			 * have even length. Make the fragmentation code
4068 			 * simpler by stripping LSB should someone try to use
4069 			 * odd threshold value.
4070 			 */
4071 			frag_threshold &= ~0x1;
4072 		}
4073 		changed |= WIPHY_PARAM_FRAG_THRESHOLD;
4074 	}
4075 
4076 	if (info->attrs[NL80211_ATTR_WIPHY_RTS_THRESHOLD]) {
4077 		rts_threshold = nla_get_u32(
4078 			info->attrs[NL80211_ATTR_WIPHY_RTS_THRESHOLD]);
4079 		changed |= WIPHY_PARAM_RTS_THRESHOLD;
4080 	}
4081 
4082 	if (info->attrs[NL80211_ATTR_WIPHY_COVERAGE_CLASS]) {
4083 		if (info->attrs[NL80211_ATTR_WIPHY_DYN_ACK])
4084 			return -EINVAL;
4085 
4086 		coverage_class = nla_get_u8(
4087 			info->attrs[NL80211_ATTR_WIPHY_COVERAGE_CLASS]);
4088 		changed |= WIPHY_PARAM_COVERAGE_CLASS;
4089 	}
4090 
4091 	if (info->attrs[NL80211_ATTR_WIPHY_DYN_ACK]) {
4092 		if (!(rdev->wiphy.features & NL80211_FEATURE_ACKTO_ESTIMATION))
4093 			return -EOPNOTSUPP;
4094 
4095 		changed |= WIPHY_PARAM_DYN_ACK;
4096 	}
4097 
4098 	if (info->attrs[NL80211_ATTR_TXQ_LIMIT]) {
4099 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
4100 					     NL80211_EXT_FEATURE_TXQS))
4101 			return -EOPNOTSUPP;
4102 
4103 		txq_limit = nla_get_u32(
4104 			info->attrs[NL80211_ATTR_TXQ_LIMIT]);
4105 		changed |= WIPHY_PARAM_TXQ_LIMIT;
4106 	}
4107 
4108 	if (info->attrs[NL80211_ATTR_TXQ_MEMORY_LIMIT]) {
4109 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
4110 					     NL80211_EXT_FEATURE_TXQS))
4111 			return -EOPNOTSUPP;
4112 
4113 		txq_memory_limit = nla_get_u32(
4114 			info->attrs[NL80211_ATTR_TXQ_MEMORY_LIMIT]);
4115 		changed |= WIPHY_PARAM_TXQ_MEMORY_LIMIT;
4116 	}
4117 
4118 	if (info->attrs[NL80211_ATTR_TXQ_QUANTUM]) {
4119 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
4120 					     NL80211_EXT_FEATURE_TXQS))
4121 			return -EOPNOTSUPP;
4122 
4123 		txq_quantum = nla_get_u32(
4124 			info->attrs[NL80211_ATTR_TXQ_QUANTUM]);
4125 		changed |= WIPHY_PARAM_TXQ_QUANTUM;
4126 	}
4127 
4128 	if (changed) {
4129 		u8 old_retry_short, old_retry_long;
4130 		u32 old_frag_threshold, old_rts_threshold;
4131 		u8 old_coverage_class, i;
4132 		u32 old_txq_limit, old_txq_memory_limit, old_txq_quantum;
4133 		u32 *old_radio_rts_threshold = NULL;
4134 
4135 		if (!rdev->ops->set_wiphy_params)
4136 			return -EOPNOTSUPP;
4137 
4138 		if (rdev->wiphy.n_radio) {
4139 			old_radio_rts_threshold = kcalloc(rdev->wiphy.n_radio,
4140 							  sizeof(u32),
4141 							  GFP_KERNEL);
4142 			if (!old_radio_rts_threshold)
4143 				return -ENOMEM;
4144 		}
4145 
4146 		old_retry_short = rdev->wiphy.retry_short;
4147 		old_retry_long = rdev->wiphy.retry_long;
4148 		old_frag_threshold = rdev->wiphy.frag_threshold;
4149 		old_rts_threshold = rdev->wiphy.rts_threshold;
4150 		if (old_radio_rts_threshold) {
4151 			for (i = 0 ; i < rdev->wiphy.n_radio; i++)
4152 				old_radio_rts_threshold[i] =
4153 					rdev->wiphy.radio_cfg[i].rts_threshold;
4154 		}
4155 		old_coverage_class = rdev->wiphy.coverage_class;
4156 		old_txq_limit = rdev->wiphy.txq_limit;
4157 		old_txq_memory_limit = rdev->wiphy.txq_memory_limit;
4158 		old_txq_quantum = rdev->wiphy.txq_quantum;
4159 
4160 		if (changed & WIPHY_PARAM_RETRY_SHORT)
4161 			rdev->wiphy.retry_short = retry_short;
4162 		if (changed & WIPHY_PARAM_RETRY_LONG)
4163 			rdev->wiphy.retry_long = retry_long;
4164 		if (changed & WIPHY_PARAM_FRAG_THRESHOLD)
4165 			rdev->wiphy.frag_threshold = frag_threshold;
4166 		if ((changed & WIPHY_PARAM_RTS_THRESHOLD) &&
4167 		    old_radio_rts_threshold) {
4168 			rdev->wiphy.rts_threshold = rts_threshold;
4169 			for (i = 0 ; i < rdev->wiphy.n_radio; i++)
4170 				rdev->wiphy.radio_cfg[i].rts_threshold =
4171 					rdev->wiphy.rts_threshold;
4172 		}
4173 		if (changed & WIPHY_PARAM_COVERAGE_CLASS)
4174 			rdev->wiphy.coverage_class = coverage_class;
4175 		if (changed & WIPHY_PARAM_TXQ_LIMIT)
4176 			rdev->wiphy.txq_limit = txq_limit;
4177 		if (changed & WIPHY_PARAM_TXQ_MEMORY_LIMIT)
4178 			rdev->wiphy.txq_memory_limit = txq_memory_limit;
4179 		if (changed & WIPHY_PARAM_TXQ_QUANTUM)
4180 			rdev->wiphy.txq_quantum = txq_quantum;
4181 
4182 		result = rdev_set_wiphy_params(rdev, radio_idx, changed);
4183 		if (result) {
4184 			rdev->wiphy.retry_short = old_retry_short;
4185 			rdev->wiphy.retry_long = old_retry_long;
4186 			rdev->wiphy.frag_threshold = old_frag_threshold;
4187 			rdev->wiphy.rts_threshold = old_rts_threshold;
4188 			if (old_radio_rts_threshold) {
4189 				for (i = 0 ; i < rdev->wiphy.n_radio; i++)
4190 					rdev->wiphy.radio_cfg[i].rts_threshold =
4191 						old_radio_rts_threshold[i];
4192 			}
4193 			rdev->wiphy.coverage_class = old_coverage_class;
4194 			rdev->wiphy.txq_limit = old_txq_limit;
4195 			rdev->wiphy.txq_memory_limit = old_txq_memory_limit;
4196 			rdev->wiphy.txq_quantum = old_txq_quantum;
4197 		}
4198 
4199 		kfree(old_radio_rts_threshold);
4200 		return result;
4201 	}
4202 
4203 	return 0;
4204 }
4205 
4206 int nl80211_send_chandef(struct sk_buff *msg, const struct cfg80211_chan_def *chandef)
4207 {
4208 	if (WARN_ON(!cfg80211_chandef_valid(chandef)))
4209 		return -EINVAL;
4210 
4211 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ,
4212 			chandef->chan->center_freq))
4213 		return -ENOBUFS;
4214 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ_OFFSET,
4215 			chandef->chan->freq_offset))
4216 		return -ENOBUFS;
4217 	switch (chandef->width) {
4218 	case NL80211_CHAN_WIDTH_20_NOHT:
4219 	case NL80211_CHAN_WIDTH_20:
4220 	case NL80211_CHAN_WIDTH_40:
4221 		if (nla_put_u32(msg, NL80211_ATTR_WIPHY_CHANNEL_TYPE,
4222 				cfg80211_get_chandef_type(chandef)))
4223 			return -ENOBUFS;
4224 		break;
4225 	default:
4226 		break;
4227 	}
4228 	if (nla_put_u32(msg, NL80211_ATTR_CHANNEL_WIDTH, chandef->width))
4229 		return -ENOBUFS;
4230 	if (nla_put_u32(msg, NL80211_ATTR_CENTER_FREQ1, chandef->center_freq1))
4231 		return -ENOBUFS;
4232 	if (chandef->center_freq2 &&
4233 	    nla_put_u32(msg, NL80211_ATTR_CENTER_FREQ2, chandef->center_freq2))
4234 		return -ENOBUFS;
4235 	if (chandef->punctured &&
4236 	    nla_put_u32(msg, NL80211_ATTR_PUNCT_BITMAP, chandef->punctured))
4237 		return -ENOBUFS;
4238 	if (chandef->s1g_primary_2mhz &&
4239 	    nla_put_flag(msg, NL80211_ATTR_S1G_PRIMARY_2MHZ))
4240 		return -ENOBUFS;
4241 
4242 	return 0;
4243 }
4244 EXPORT_SYMBOL(nl80211_send_chandef);
4245 
4246 static int nl80211_send_iface(struct sk_buff *msg, u32 portid, u32 seq, int flags,
4247 			      struct cfg80211_registered_device *rdev,
4248 			      struct wireless_dev *wdev,
4249 			      enum nl80211_commands cmd)
4250 {
4251 	struct net_device *dev = wdev->netdev;
4252 	void *hdr;
4253 
4254 	lockdep_assert_wiphy(&rdev->wiphy);
4255 
4256 	WARN_ON(cmd != NL80211_CMD_NEW_INTERFACE &&
4257 		cmd != NL80211_CMD_DEL_INTERFACE &&
4258 		cmd != NL80211_CMD_SET_INTERFACE);
4259 
4260 	hdr = nl80211hdr_put(msg, portid, seq, flags, cmd);
4261 	if (!hdr)
4262 		return -1;
4263 
4264 	if (dev &&
4265 	    (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
4266 	     nla_put_string(msg, NL80211_ATTR_IFNAME, dev->name)))
4267 		goto nla_put_failure;
4268 
4269 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
4270 	    nla_put_u32(msg, NL80211_ATTR_IFTYPE, wdev->iftype) ||
4271 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
4272 			      NL80211_ATTR_PAD) ||
4273 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, wdev_address(wdev)) ||
4274 	    nla_put_u32(msg, NL80211_ATTR_GENERATION,
4275 			rdev->devlist_generation ^
4276 			(cfg80211_rdev_list_generation << 2)) ||
4277 	    nla_put_u8(msg, NL80211_ATTR_4ADDR, wdev->use_4addr) ||
4278 	    nla_put_u32(msg, NL80211_ATTR_VIF_RADIO_MASK, wdev->radio_mask))
4279 		goto nla_put_failure;
4280 
4281 	if (rdev->ops->get_channel && !wdev->valid_links) {
4282 		struct cfg80211_chan_def chandef = {};
4283 		int ret;
4284 
4285 		ret = rdev_get_channel(rdev, wdev, 0, &chandef);
4286 		if (ret == 0 && nl80211_send_chandef(msg, &chandef))
4287 			goto nla_put_failure;
4288 	}
4289 
4290 	if (rdev->ops->get_tx_power && !wdev->valid_links) {
4291 		int dbm, ret;
4292 
4293 		ret = rdev_get_tx_power(rdev, wdev, -1, 0, &dbm);
4294 		if (ret == 0 &&
4295 		    nla_put_u32(msg, NL80211_ATTR_WIPHY_TX_POWER_LEVEL,
4296 				DBM_TO_MBM(dbm)))
4297 			goto nla_put_failure;
4298 	}
4299 
4300 	switch (wdev->iftype) {
4301 	case NL80211_IFTYPE_AP:
4302 	case NL80211_IFTYPE_P2P_GO:
4303 		if (wdev->u.ap.ssid_len &&
4304 		    nla_put(msg, NL80211_ATTR_SSID, wdev->u.ap.ssid_len,
4305 			    wdev->u.ap.ssid))
4306 			goto nla_put_failure;
4307 		break;
4308 	case NL80211_IFTYPE_STATION:
4309 	case NL80211_IFTYPE_P2P_CLIENT:
4310 		if (wdev->u.client.ssid_len &&
4311 		    nla_put(msg, NL80211_ATTR_SSID, wdev->u.client.ssid_len,
4312 			    wdev->u.client.ssid))
4313 			goto nla_put_failure;
4314 		break;
4315 	case NL80211_IFTYPE_ADHOC:
4316 		if (wdev->u.ibss.ssid_len &&
4317 		    nla_put(msg, NL80211_ATTR_SSID, wdev->u.ibss.ssid_len,
4318 			    wdev->u.ibss.ssid))
4319 			goto nla_put_failure;
4320 		break;
4321 	default:
4322 		/* nothing */
4323 		break;
4324 	}
4325 
4326 	if (rdev->ops->get_txq_stats) {
4327 		struct cfg80211_txq_stats txqstats = {};
4328 		int ret = rdev_get_txq_stats(rdev, wdev, &txqstats);
4329 
4330 		if (ret == 0 &&
4331 		    !nl80211_put_txq_stats(msg, &txqstats,
4332 					   NL80211_ATTR_TXQ_STATS))
4333 			goto nla_put_failure;
4334 	}
4335 
4336 	if (wdev->valid_links) {
4337 		unsigned int link_id;
4338 		struct nlattr *links = nla_nest_start(msg,
4339 						      NL80211_ATTR_MLO_LINKS);
4340 
4341 		if (!links)
4342 			goto nla_put_failure;
4343 
4344 		for_each_valid_link(wdev, link_id) {
4345 			struct nlattr *link = nla_nest_start(msg, link_id + 1);
4346 			struct cfg80211_chan_def chandef = {};
4347 			int ret;
4348 
4349 			if (!link)
4350 				goto nla_put_failure;
4351 
4352 			if (nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID, link_id))
4353 				goto nla_put_failure;
4354 			if (nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN,
4355 				    wdev->links[link_id].addr))
4356 				goto nla_put_failure;
4357 
4358 			ret = rdev_get_channel(rdev, wdev, link_id, &chandef);
4359 			if (ret == 0 && nl80211_send_chandef(msg, &chandef))
4360 				goto nla_put_failure;
4361 
4362 			if (rdev->ops->get_tx_power) {
4363 				int dbm, ret;
4364 
4365 				ret = rdev_get_tx_power(rdev, wdev, -1, link_id, &dbm);
4366 				if (ret == 0 &&
4367 				    nla_put_u32(msg, NL80211_ATTR_WIPHY_TX_POWER_LEVEL,
4368 						DBM_TO_MBM(dbm)))
4369 					goto nla_put_failure;
4370 			}
4371 			nla_nest_end(msg, link);
4372 		}
4373 
4374 		nla_nest_end(msg, links);
4375 	}
4376 
4377 	genlmsg_end(msg, hdr);
4378 	return 0;
4379 
4380  nla_put_failure:
4381 	genlmsg_cancel(msg, hdr);
4382 	return -EMSGSIZE;
4383 }
4384 
4385 static int nl80211_dump_interface(struct sk_buff *skb, struct netlink_callback *cb)
4386 {
4387 	int wp_idx = 0;
4388 	int if_idx = 0;
4389 	int wp_start = cb->args[0];
4390 	int if_start = cb->args[1];
4391 	int filter_wiphy = -1;
4392 	struct cfg80211_registered_device *rdev;
4393 	struct wireless_dev *wdev;
4394 	int ret;
4395 
4396 	rtnl_lock();
4397 	if (!cb->args[2]) {
4398 		struct nl80211_dump_wiphy_state state = {
4399 			.filter_wiphy = -1,
4400 		};
4401 
4402 		ret = nl80211_dump_wiphy_parse(skb, cb, &state);
4403 		if (ret)
4404 			goto out_unlock;
4405 
4406 		filter_wiphy = state.filter_wiphy;
4407 
4408 		/*
4409 		 * if filtering, set cb->args[2] to +1 since 0 is the default
4410 		 * value needed to determine that parsing is necessary.
4411 		 */
4412 		if (filter_wiphy >= 0)
4413 			cb->args[2] = filter_wiphy + 1;
4414 		else
4415 			cb->args[2] = -1;
4416 	} else if (cb->args[2] > 0) {
4417 		filter_wiphy = cb->args[2] - 1;
4418 	}
4419 
4420 	for_each_rdev(rdev) {
4421 		if (!net_eq(wiphy_net(&rdev->wiphy), sock_net(skb->sk)))
4422 			continue;
4423 		if (wp_idx < wp_start) {
4424 			wp_idx++;
4425 			continue;
4426 		}
4427 
4428 		if (filter_wiphy >= 0 && filter_wiphy != rdev->wiphy_idx)
4429 			continue;
4430 
4431 		if_idx = 0;
4432 
4433 		guard(wiphy)(&rdev->wiphy);
4434 
4435 		list_for_each_entry(wdev, &rdev->wiphy.wdev_list, list) {
4436 			if (if_idx < if_start) {
4437 				if_idx++;
4438 				continue;
4439 			}
4440 
4441 			if (nl80211_send_iface(skb, NETLINK_CB(cb->skb).portid,
4442 					       cb->nlh->nlmsg_seq, NLM_F_MULTI,
4443 					       rdev, wdev,
4444 					       NL80211_CMD_NEW_INTERFACE) < 0)
4445 				goto out;
4446 
4447 			if_idx++;
4448 		}
4449 
4450 		if_start = 0;
4451 		wp_idx++;
4452 	}
4453  out:
4454 	cb->args[0] = wp_idx;
4455 	cb->args[1] = if_idx;
4456 
4457 	ret = skb->len;
4458  out_unlock:
4459 	rtnl_unlock();
4460 
4461 	return ret;
4462 }
4463 
4464 static int nl80211_get_interface(struct sk_buff *skb, struct genl_info *info)
4465 {
4466 	struct sk_buff *msg;
4467 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4468 	struct wireless_dev *wdev = info->user_ptr[1];
4469 
4470 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
4471 	if (!msg)
4472 		return -ENOMEM;
4473 
4474 	if (nl80211_send_iface(msg, info->snd_portid, info->snd_seq, 0,
4475 			       rdev, wdev, NL80211_CMD_NEW_INTERFACE) < 0) {
4476 		nlmsg_free(msg);
4477 		return -ENOBUFS;
4478 	}
4479 
4480 	return genlmsg_reply(msg, info);
4481 }
4482 
4483 static const struct nla_policy mntr_flags_policy[NL80211_MNTR_FLAG_MAX + 1] = {
4484 	[NL80211_MNTR_FLAG_FCSFAIL] = { .type = NLA_FLAG },
4485 	[NL80211_MNTR_FLAG_PLCPFAIL] = { .type = NLA_FLAG },
4486 	[NL80211_MNTR_FLAG_CONTROL] = { .type = NLA_FLAG },
4487 	[NL80211_MNTR_FLAG_OTHER_BSS] = { .type = NLA_FLAG },
4488 	[NL80211_MNTR_FLAG_COOK_FRAMES] = { .type = NLA_FLAG },
4489 	[NL80211_MNTR_FLAG_ACTIVE] = { .type = NLA_FLAG },
4490 	[NL80211_MNTR_FLAG_SKIP_TX] = { .type = NLA_FLAG },
4491 };
4492 
4493 static int parse_monitor_flags(struct nlattr *nla, u32 *mntrflags)
4494 {
4495 	struct nlattr *flags[NL80211_MNTR_FLAG_MAX + 1];
4496 	int flag;
4497 
4498 	*mntrflags = 0;
4499 
4500 	if (!nla)
4501 		return -EINVAL;
4502 
4503 	if (nla_parse_nested_deprecated(flags, NL80211_MNTR_FLAG_MAX, nla, mntr_flags_policy, NULL))
4504 		return -EINVAL;
4505 
4506 	for (flag = 1; flag <= NL80211_MNTR_FLAG_MAX; flag++)
4507 		if (flags[flag])
4508 			*mntrflags |= (1<<flag);
4509 
4510 	/* cooked monitor mode is incompatible with other modes */
4511 	if (*mntrflags & MONITOR_FLAG_COOK_FRAMES &&
4512 	    *mntrflags != MONITOR_FLAG_COOK_FRAMES)
4513 		return -EOPNOTSUPP;
4514 
4515 	*mntrflags |= MONITOR_FLAG_CHANGED;
4516 
4517 	return 0;
4518 }
4519 
4520 static int nl80211_parse_mon_options(struct cfg80211_registered_device *rdev,
4521 				     enum nl80211_iftype type,
4522 				     struct genl_info *info,
4523 				     struct vif_params *params)
4524 {
4525 	bool change = false;
4526 	int err;
4527 
4528 	if (info->attrs[NL80211_ATTR_MNTR_FLAGS]) {
4529 		if (type != NL80211_IFTYPE_MONITOR)
4530 			return -EINVAL;
4531 
4532 		err = parse_monitor_flags(info->attrs[NL80211_ATTR_MNTR_FLAGS],
4533 					  &params->flags);
4534 		if (err)
4535 			return err;
4536 
4537 		change = true;
4538 	}
4539 
4540 	/* MONITOR_FLAG_COOK_FRAMES is deprecated, refuse cooperation */
4541 	if (params->flags & MONITOR_FLAG_COOK_FRAMES)
4542 		return -EOPNOTSUPP;
4543 
4544 	if (params->flags & MONITOR_FLAG_ACTIVE &&
4545 	    !(rdev->wiphy.features & NL80211_FEATURE_ACTIVE_MONITOR))
4546 		return -EOPNOTSUPP;
4547 
4548 	if (info->attrs[NL80211_ATTR_MU_MIMO_GROUP_DATA]) {
4549 		const u8 *mumimo_groups;
4550 		u32 cap_flag = NL80211_EXT_FEATURE_MU_MIMO_AIR_SNIFFER;
4551 
4552 		if (type != NL80211_IFTYPE_MONITOR)
4553 			return -EINVAL;
4554 
4555 		if (!wiphy_ext_feature_isset(&rdev->wiphy, cap_flag))
4556 			return -EOPNOTSUPP;
4557 
4558 		mumimo_groups =
4559 			nla_data(info->attrs[NL80211_ATTR_MU_MIMO_GROUP_DATA]);
4560 
4561 		/* bits 0 and 63 are reserved and must be zero */
4562 		if ((mumimo_groups[0] & BIT(0)) ||
4563 		    (mumimo_groups[VHT_MUMIMO_GROUPS_DATA_LEN - 1] & BIT(7)))
4564 			return -EINVAL;
4565 
4566 		params->vht_mumimo_groups = mumimo_groups;
4567 		change = true;
4568 	}
4569 
4570 	if (info->attrs[NL80211_ATTR_MU_MIMO_FOLLOW_MAC_ADDR]) {
4571 		u32 cap_flag = NL80211_EXT_FEATURE_MU_MIMO_AIR_SNIFFER;
4572 
4573 		if (type != NL80211_IFTYPE_MONITOR)
4574 			return -EINVAL;
4575 
4576 		if (!wiphy_ext_feature_isset(&rdev->wiphy, cap_flag))
4577 			return -EOPNOTSUPP;
4578 
4579 		params->vht_mumimo_follow_addr =
4580 			nla_data(info->attrs[NL80211_ATTR_MU_MIMO_FOLLOW_MAC_ADDR]);
4581 		change = true;
4582 	}
4583 
4584 	return change ? 1 : 0;
4585 }
4586 
4587 static int nl80211_valid_4addr(struct cfg80211_registered_device *rdev,
4588 			       struct net_device *netdev, u8 use_4addr,
4589 			       enum nl80211_iftype iftype)
4590 {
4591 	if (!use_4addr) {
4592 		if (netdev && netif_is_bridge_port(netdev))
4593 			return -EBUSY;
4594 		return 0;
4595 	}
4596 
4597 	switch (iftype) {
4598 	case NL80211_IFTYPE_AP_VLAN:
4599 		if (rdev->wiphy.flags & WIPHY_FLAG_4ADDR_AP)
4600 			return 0;
4601 		break;
4602 	case NL80211_IFTYPE_STATION:
4603 		if (rdev->wiphy.flags & WIPHY_FLAG_4ADDR_STATION)
4604 			return 0;
4605 		break;
4606 	default:
4607 		break;
4608 	}
4609 
4610 	return -EOPNOTSUPP;
4611 }
4612 
4613 static int nl80211_parse_vif_radio_mask(struct genl_info *info,
4614 					u32 *radio_mask)
4615 {
4616 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4617 	struct nlattr *attr = info->attrs[NL80211_ATTR_VIF_RADIO_MASK];
4618 	u32 mask, allowed;
4619 
4620 	if (!attr) {
4621 		*radio_mask = 0;
4622 		return 0;
4623 	}
4624 
4625 	allowed = BIT(rdev->wiphy.n_radio) - 1;
4626 	mask = nla_get_u32(attr);
4627 	if (mask & ~allowed)
4628 		return -EINVAL;
4629 	if (!mask)
4630 		mask = allowed;
4631 	*radio_mask = mask;
4632 
4633 	return 1;
4634 }
4635 
4636 static int nl80211_set_interface(struct sk_buff *skb, struct genl_info *info)
4637 {
4638 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4639 	struct vif_params params;
4640 	int err;
4641 	enum nl80211_iftype otype, ntype;
4642 	struct net_device *dev = info->user_ptr[1];
4643 	struct wireless_dev *wdev = dev->ieee80211_ptr;
4644 	u32 radio_mask = 0;
4645 	bool change = false;
4646 
4647 	memset(&params, 0, sizeof(params));
4648 
4649 	otype = ntype = dev->ieee80211_ptr->iftype;
4650 
4651 	if (info->attrs[NL80211_ATTR_IFTYPE]) {
4652 		ntype = nla_get_u32(info->attrs[NL80211_ATTR_IFTYPE]);
4653 		if (otype != ntype)
4654 			change = true;
4655 	}
4656 
4657 	if (info->attrs[NL80211_ATTR_MESH_ID]) {
4658 		if (ntype != NL80211_IFTYPE_MESH_POINT)
4659 			return -EINVAL;
4660 		if (otype != NL80211_IFTYPE_MESH_POINT)
4661 			return -EINVAL;
4662 		if (netif_running(dev))
4663 			return -EBUSY;
4664 
4665 		wdev->u.mesh.id_up_len =
4666 			nla_len(info->attrs[NL80211_ATTR_MESH_ID]);
4667 		memcpy(wdev->u.mesh.id,
4668 		       nla_data(info->attrs[NL80211_ATTR_MESH_ID]),
4669 		       wdev->u.mesh.id_up_len);
4670 	}
4671 
4672 	if (info->attrs[NL80211_ATTR_4ADDR]) {
4673 		params.use_4addr = !!nla_get_u8(info->attrs[NL80211_ATTR_4ADDR]);
4674 		change = true;
4675 		err = nl80211_valid_4addr(rdev, dev, params.use_4addr, ntype);
4676 		if (err)
4677 			return err;
4678 	} else {
4679 		params.use_4addr = -1;
4680 	}
4681 
4682 	err = nl80211_parse_mon_options(rdev, ntype, info, &params);
4683 	if (err < 0)
4684 		return err;
4685 	if (err > 0)
4686 		change = true;
4687 
4688 	err = nl80211_parse_vif_radio_mask(info, &radio_mask);
4689 	if (err < 0)
4690 		return err;
4691 	if (err && netif_running(dev))
4692 		return -EBUSY;
4693 
4694 	if (change)
4695 		err = cfg80211_change_iface(rdev, dev, ntype, &params);
4696 	else
4697 		err = 0;
4698 
4699 	if (!err && params.use_4addr != -1)
4700 		dev->ieee80211_ptr->use_4addr = params.use_4addr;
4701 
4702 	if (radio_mask)
4703 		wdev->radio_mask = radio_mask;
4704 
4705 	if (change && !err)
4706 		nl80211_notify_iface(rdev, wdev, NL80211_CMD_SET_INTERFACE);
4707 
4708 	return err;
4709 }
4710 
4711 static int _nl80211_new_interface(struct sk_buff *skb, struct genl_info *info)
4712 {
4713 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4714 	struct vif_params params;
4715 	struct wireless_dev *wdev;
4716 	struct sk_buff *msg;
4717 	u32 radio_mask;
4718 	int err;
4719 	enum nl80211_iftype type = NL80211_IFTYPE_UNSPECIFIED;
4720 
4721 	memset(&params, 0, sizeof(params));
4722 
4723 	if (!info->attrs[NL80211_ATTR_IFNAME])
4724 		return -EINVAL;
4725 
4726 	if (info->attrs[NL80211_ATTR_IFTYPE])
4727 		type = nla_get_u32(info->attrs[NL80211_ATTR_IFTYPE]);
4728 
4729 	if (!rdev->ops->add_virtual_intf)
4730 		return -EOPNOTSUPP;
4731 
4732 	if ((type == NL80211_IFTYPE_P2P_DEVICE || type == NL80211_IFTYPE_NAN ||
4733 	     rdev->wiphy.features & NL80211_FEATURE_MAC_ON_CREATE) &&
4734 	    info->attrs[NL80211_ATTR_MAC]) {
4735 		nla_memcpy(params.macaddr, info->attrs[NL80211_ATTR_MAC],
4736 			   ETH_ALEN);
4737 		if (!is_valid_ether_addr(params.macaddr))
4738 			return -EADDRNOTAVAIL;
4739 	}
4740 
4741 	if (info->attrs[NL80211_ATTR_4ADDR]) {
4742 		params.use_4addr = !!nla_get_u8(info->attrs[NL80211_ATTR_4ADDR]);
4743 		err = nl80211_valid_4addr(rdev, NULL, params.use_4addr, type);
4744 		if (err)
4745 			return err;
4746 	}
4747 
4748 	if (!cfg80211_iftype_allowed(&rdev->wiphy, type, params.use_4addr, 0))
4749 		return -EOPNOTSUPP;
4750 
4751 	err = nl80211_parse_mon_options(rdev, type, info, &params);
4752 	if (err < 0)
4753 		return err;
4754 
4755 	err = nl80211_parse_vif_radio_mask(info, &radio_mask);
4756 	if (err < 0)
4757 		return err;
4758 
4759 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
4760 	if (!msg)
4761 		return -ENOMEM;
4762 
4763 	wdev = rdev_add_virtual_intf(rdev,
4764 				nla_data(info->attrs[NL80211_ATTR_IFNAME]),
4765 				NET_NAME_USER, type, &params);
4766 	if (WARN_ON(!wdev)) {
4767 		nlmsg_free(msg);
4768 		return -EPROTO;
4769 	} else if (IS_ERR(wdev)) {
4770 		nlmsg_free(msg);
4771 		return PTR_ERR(wdev);
4772 	}
4773 
4774 	if (info->attrs[NL80211_ATTR_SOCKET_OWNER])
4775 		wdev->owner_nlportid = info->snd_portid;
4776 
4777 	switch (type) {
4778 	case NL80211_IFTYPE_MESH_POINT:
4779 		if (!info->attrs[NL80211_ATTR_MESH_ID])
4780 			break;
4781 		wdev->u.mesh.id_up_len =
4782 			nla_len(info->attrs[NL80211_ATTR_MESH_ID]);
4783 		memcpy(wdev->u.mesh.id,
4784 		       nla_data(info->attrs[NL80211_ATTR_MESH_ID]),
4785 		       wdev->u.mesh.id_up_len);
4786 		break;
4787 	case NL80211_IFTYPE_NAN:
4788 	case NL80211_IFTYPE_P2P_DEVICE:
4789 		/*
4790 		 * P2P Device and NAN do not have a netdev, so don't go
4791 		 * through the netdev notifier and must be added here
4792 		 */
4793 		cfg80211_init_wdev(wdev);
4794 		cfg80211_register_wdev(rdev, wdev);
4795 		break;
4796 	default:
4797 		break;
4798 	}
4799 
4800 	if (radio_mask)
4801 		wdev->radio_mask = radio_mask;
4802 
4803 	if (nl80211_send_iface(msg, info->snd_portid, info->snd_seq, 0,
4804 			       rdev, wdev, NL80211_CMD_NEW_INTERFACE) < 0) {
4805 		nlmsg_free(msg);
4806 		return -ENOBUFS;
4807 	}
4808 
4809 	return genlmsg_reply(msg, info);
4810 }
4811 
4812 static int nl80211_new_interface(struct sk_buff *skb, struct genl_info *info)
4813 {
4814 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4815 
4816 	/* to avoid failing a new interface creation due to pending removal */
4817 	cfg80211_destroy_ifaces(rdev);
4818 
4819 	guard(wiphy)(&rdev->wiphy);
4820 
4821 	return _nl80211_new_interface(skb, info);
4822 }
4823 
4824 static int nl80211_del_interface(struct sk_buff *skb, struct genl_info *info)
4825 {
4826 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4827 	struct wireless_dev *wdev = info->user_ptr[1];
4828 
4829 	if (!rdev->ops->del_virtual_intf)
4830 		return -EOPNOTSUPP;
4831 
4832 	/*
4833 	 * We hold RTNL, so this is safe, without RTNL opencount cannot
4834 	 * reach 0, and thus the rdev cannot be deleted.
4835 	 *
4836 	 * We need to do it for the dev_close(), since that will call
4837 	 * the netdev notifiers, and we need to acquire the mutex there
4838 	 * but don't know if we get there from here or from some other
4839 	 * place (e.g. "ip link set ... down").
4840 	 */
4841 	mutex_unlock(&rdev->wiphy.mtx);
4842 
4843 	/*
4844 	 * If we remove a wireless device without a netdev then clear
4845 	 * user_ptr[1] so that nl80211_post_doit won't dereference it
4846 	 * to check if it needs to do dev_put(). Otherwise it crashes
4847 	 * since the wdev has been freed, unlike with a netdev where
4848 	 * we need the dev_put() for the netdev to really be freed.
4849 	 */
4850 	if (!wdev->netdev)
4851 		info->user_ptr[1] = NULL;
4852 	else
4853 		dev_close(wdev->netdev);
4854 
4855 	mutex_lock(&rdev->wiphy.mtx);
4856 
4857 	return cfg80211_remove_virtual_intf(rdev, wdev);
4858 }
4859 
4860 static int nl80211_set_noack_map(struct sk_buff *skb, struct genl_info *info)
4861 {
4862 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4863 	struct net_device *dev = info->user_ptr[1];
4864 	u16 noack_map;
4865 
4866 	if (!info->attrs[NL80211_ATTR_NOACK_MAP])
4867 		return -EINVAL;
4868 
4869 	if (!rdev->ops->set_noack_map)
4870 		return -EOPNOTSUPP;
4871 
4872 	noack_map = nla_get_u16(info->attrs[NL80211_ATTR_NOACK_MAP]);
4873 
4874 	return rdev_set_noack_map(rdev, dev, noack_map);
4875 }
4876 
4877 static int nl80211_validate_key_link_id(struct genl_info *info,
4878 					struct wireless_dev *wdev,
4879 					int link_id, bool pairwise)
4880 {
4881 	if (pairwise) {
4882 		if (link_id != -1) {
4883 			GENL_SET_ERR_MSG(info,
4884 					 "link ID not allowed for pairwise key");
4885 			return -EINVAL;
4886 		}
4887 
4888 		return 0;
4889 	}
4890 
4891 	if (wdev->valid_links) {
4892 		if (link_id == -1) {
4893 			GENL_SET_ERR_MSG(info,
4894 					 "link ID must for MLO group key");
4895 			return -EINVAL;
4896 		}
4897 		if (!(wdev->valid_links & BIT(link_id))) {
4898 			GENL_SET_ERR_MSG(info, "invalid link ID for MLO group key");
4899 			return -EINVAL;
4900 		}
4901 	} else if (link_id != -1) {
4902 		GENL_SET_ERR_MSG(info, "link ID not allowed for non-MLO group key");
4903 		return -EINVAL;
4904 	}
4905 
4906 	return 0;
4907 }
4908 
4909 struct get_key_cookie {
4910 	struct sk_buff *msg;
4911 	int error;
4912 	int idx;
4913 };
4914 
4915 static void get_key_callback(void *c, struct key_params *params)
4916 {
4917 	struct nlattr *key;
4918 	struct get_key_cookie *cookie = c;
4919 
4920 	if ((params->seq &&
4921 	     nla_put(cookie->msg, NL80211_ATTR_KEY_SEQ,
4922 		     params->seq_len, params->seq)) ||
4923 	    (params->cipher &&
4924 	     nla_put_u32(cookie->msg, NL80211_ATTR_KEY_CIPHER,
4925 			 params->cipher)))
4926 		goto nla_put_failure;
4927 
4928 	key = nla_nest_start_noflag(cookie->msg, NL80211_ATTR_KEY);
4929 	if (!key)
4930 		goto nla_put_failure;
4931 
4932 	if ((params->seq &&
4933 	     nla_put(cookie->msg, NL80211_KEY_SEQ,
4934 		     params->seq_len, params->seq)) ||
4935 	    (params->cipher &&
4936 	     nla_put_u32(cookie->msg, NL80211_KEY_CIPHER,
4937 			 params->cipher)))
4938 		goto nla_put_failure;
4939 
4940 	if (nla_put_u8(cookie->msg, NL80211_KEY_IDX, cookie->idx))
4941 		goto nla_put_failure;
4942 
4943 	nla_nest_end(cookie->msg, key);
4944 
4945 	return;
4946  nla_put_failure:
4947 	cookie->error = 1;
4948 }
4949 
4950 static int nl80211_get_key(struct sk_buff *skb, struct genl_info *info)
4951 {
4952 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4953 	int err;
4954 	struct net_device *dev = info->user_ptr[1];
4955 	u8 key_idx = 0;
4956 	const u8 *mac_addr = NULL;
4957 	bool pairwise;
4958 	struct get_key_cookie cookie = {
4959 		.error = 0,
4960 	};
4961 	void *hdr;
4962 	struct sk_buff *msg;
4963 	bool bigtk_support = false;
4964 	int link_id = nl80211_link_id_or_invalid(info->attrs);
4965 	struct wireless_dev *wdev = dev->ieee80211_ptr;
4966 
4967 	if (wiphy_ext_feature_isset(&rdev->wiphy,
4968 				    NL80211_EXT_FEATURE_BEACON_PROTECTION))
4969 		bigtk_support = true;
4970 
4971 	if ((wdev->iftype == NL80211_IFTYPE_STATION ||
4972 	     wdev->iftype == NL80211_IFTYPE_P2P_CLIENT) &&
4973 	    wiphy_ext_feature_isset(&rdev->wiphy,
4974 				    NL80211_EXT_FEATURE_BEACON_PROTECTION_CLIENT))
4975 		bigtk_support = true;
4976 
4977 	if (info->attrs[NL80211_ATTR_KEY_IDX]) {
4978 		key_idx = nla_get_u8(info->attrs[NL80211_ATTR_KEY_IDX]);
4979 
4980 		if (key_idx >= 6 && key_idx <= 7 && !bigtk_support) {
4981 			GENL_SET_ERR_MSG(info, "BIGTK not supported");
4982 			return -EINVAL;
4983 		}
4984 	}
4985 
4986 	if (info->attrs[NL80211_ATTR_MAC])
4987 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
4988 
4989 	pairwise = !!mac_addr;
4990 	if (info->attrs[NL80211_ATTR_KEY_TYPE]) {
4991 		u32 kt = nla_get_u32(info->attrs[NL80211_ATTR_KEY_TYPE]);
4992 
4993 		if (kt != NL80211_KEYTYPE_GROUP &&
4994 		    kt != NL80211_KEYTYPE_PAIRWISE)
4995 			return -EINVAL;
4996 		pairwise = kt == NL80211_KEYTYPE_PAIRWISE;
4997 	}
4998 
4999 	if (!rdev->ops->get_key)
5000 		return -EOPNOTSUPP;
5001 
5002 	if (!pairwise && mac_addr && !(rdev->wiphy.flags & WIPHY_FLAG_IBSS_RSN))
5003 		return -ENOENT;
5004 
5005 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
5006 	if (!msg)
5007 		return -ENOMEM;
5008 
5009 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
5010 			     NL80211_CMD_NEW_KEY);
5011 	if (!hdr)
5012 		goto nla_put_failure;
5013 
5014 	cookie.msg = msg;
5015 	cookie.idx = key_idx;
5016 
5017 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
5018 	    nla_put_u8(msg, NL80211_ATTR_KEY_IDX, key_idx))
5019 		goto nla_put_failure;
5020 	if (mac_addr &&
5021 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac_addr))
5022 		goto nla_put_failure;
5023 
5024 	err = nl80211_validate_key_link_id(info, wdev, link_id, pairwise);
5025 	if (err)
5026 		goto free_msg;
5027 
5028 	err = rdev_get_key(rdev, dev, link_id, key_idx, pairwise, mac_addr,
5029 			   &cookie, get_key_callback);
5030 
5031 	if (err)
5032 		goto free_msg;
5033 
5034 	if (cookie.error)
5035 		goto nla_put_failure;
5036 
5037 	genlmsg_end(msg, hdr);
5038 	return genlmsg_reply(msg, info);
5039 
5040  nla_put_failure:
5041 	err = -ENOBUFS;
5042  free_msg:
5043 	nlmsg_free(msg);
5044 	return err;
5045 }
5046 
5047 static int nl80211_set_key(struct sk_buff *skb, struct genl_info *info)
5048 {
5049 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
5050 	struct key_parse key;
5051 	int err;
5052 	struct net_device *dev = info->user_ptr[1];
5053 	int link_id = nl80211_link_id_or_invalid(info->attrs);
5054 	struct wireless_dev *wdev = dev->ieee80211_ptr;
5055 
5056 	err = nl80211_parse_key(info, &key);
5057 	if (err)
5058 		return err;
5059 
5060 	if (key.idx < 0)
5061 		return -EINVAL;
5062 
5063 	/* Only support setting default key and
5064 	 * Extended Key ID action NL80211_KEY_SET_TX.
5065 	 */
5066 	if (!key.def && !key.defmgmt && !key.defbeacon &&
5067 	    !(key.p.mode == NL80211_KEY_SET_TX))
5068 		return -EINVAL;
5069 
5070 	if (key.def) {
5071 		if (!rdev->ops->set_default_key)
5072 			return -EOPNOTSUPP;
5073 
5074 		err = nl80211_key_allowed(wdev);
5075 		if (err)
5076 			return err;
5077 
5078 		err = nl80211_validate_key_link_id(info, wdev, link_id, false);
5079 		if (err)
5080 			return err;
5081 
5082 		err = rdev_set_default_key(rdev, dev, link_id, key.idx,
5083 					   key.def_uni, key.def_multi);
5084 
5085 		if (err)
5086 			return err;
5087 
5088 #ifdef CONFIG_CFG80211_WEXT
5089 		wdev->wext.default_key = key.idx;
5090 #endif
5091 		return 0;
5092 	} else if (key.defmgmt) {
5093 		if (key.def_uni || !key.def_multi)
5094 			return -EINVAL;
5095 
5096 		if (!rdev->ops->set_default_mgmt_key)
5097 			return -EOPNOTSUPP;
5098 
5099 		err = nl80211_key_allowed(wdev);
5100 		if (err)
5101 			return err;
5102 
5103 		err = nl80211_validate_key_link_id(info, wdev, link_id, false);
5104 		if (err)
5105 			return err;
5106 
5107 		err = rdev_set_default_mgmt_key(rdev, dev, link_id, key.idx);
5108 		if (err)
5109 			return err;
5110 
5111 #ifdef CONFIG_CFG80211_WEXT
5112 		wdev->wext.default_mgmt_key = key.idx;
5113 #endif
5114 		return 0;
5115 	} else if (key.defbeacon) {
5116 		if (key.def_uni || !key.def_multi)
5117 			return -EINVAL;
5118 
5119 		if (!rdev->ops->set_default_beacon_key)
5120 			return -EOPNOTSUPP;
5121 
5122 		err = nl80211_key_allowed(wdev);
5123 		if (err)
5124 			return err;
5125 
5126 		err = nl80211_validate_key_link_id(info, wdev, link_id, false);
5127 		if (err)
5128 			return err;
5129 
5130 		return rdev_set_default_beacon_key(rdev, dev, link_id, key.idx);
5131 	} else if (key.p.mode == NL80211_KEY_SET_TX &&
5132 		   wiphy_ext_feature_isset(&rdev->wiphy,
5133 					   NL80211_EXT_FEATURE_EXT_KEY_ID)) {
5134 		u8 *mac_addr = NULL;
5135 
5136 		if (info->attrs[NL80211_ATTR_MAC])
5137 			mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
5138 
5139 		if (!mac_addr || key.idx < 0 || key.idx > 1)
5140 			return -EINVAL;
5141 
5142 		err = nl80211_validate_key_link_id(info, wdev, link_id, true);
5143 		if (err)
5144 			return err;
5145 
5146 		return rdev_add_key(rdev, dev, link_id, key.idx,
5147 				    NL80211_KEYTYPE_PAIRWISE,
5148 				    mac_addr, &key.p);
5149 	}
5150 
5151 	return -EINVAL;
5152 }
5153 
5154 static int nl80211_new_key(struct sk_buff *skb, struct genl_info *info)
5155 {
5156 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
5157 	int err;
5158 	struct net_device *dev = info->user_ptr[1];
5159 	struct key_parse key;
5160 	const u8 *mac_addr = NULL;
5161 	int link_id = nl80211_link_id_or_invalid(info->attrs);
5162 	struct wireless_dev *wdev = dev->ieee80211_ptr;
5163 
5164 	err = nl80211_parse_key(info, &key);
5165 	if (err)
5166 		return err;
5167 
5168 	if (!key.p.key) {
5169 		GENL_SET_ERR_MSG(info, "no key");
5170 		return -EINVAL;
5171 	}
5172 
5173 	if (info->attrs[NL80211_ATTR_MAC])
5174 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
5175 
5176 	if (key.type == -1) {
5177 		if (mac_addr)
5178 			key.type = NL80211_KEYTYPE_PAIRWISE;
5179 		else
5180 			key.type = NL80211_KEYTYPE_GROUP;
5181 	}
5182 
5183 	/* for now */
5184 	if (key.type != NL80211_KEYTYPE_PAIRWISE &&
5185 	    key.type != NL80211_KEYTYPE_GROUP) {
5186 		GENL_SET_ERR_MSG(info, "key type not pairwise or group");
5187 		return -EINVAL;
5188 	}
5189 
5190 	if (key.type == NL80211_KEYTYPE_GROUP &&
5191 	    info->attrs[NL80211_ATTR_VLAN_ID])
5192 		key.p.vlan_id = nla_get_u16(info->attrs[NL80211_ATTR_VLAN_ID]);
5193 
5194 	if (!rdev->ops->add_key)
5195 		return -EOPNOTSUPP;
5196 
5197 	if (cfg80211_validate_key_settings(rdev, &key.p, key.idx,
5198 					   key.type == NL80211_KEYTYPE_PAIRWISE,
5199 					   mac_addr)) {
5200 		GENL_SET_ERR_MSG(info, "key setting validation failed");
5201 		return -EINVAL;
5202 	}
5203 
5204 	err = nl80211_key_allowed(wdev);
5205 	if (err)
5206 		GENL_SET_ERR_MSG(info, "key not allowed");
5207 
5208 	if (!err)
5209 		err = nl80211_validate_key_link_id(info, wdev, link_id,
5210 				key.type == NL80211_KEYTYPE_PAIRWISE);
5211 
5212 	if (!err) {
5213 		err = rdev_add_key(rdev, dev, link_id, key.idx,
5214 				   key.type == NL80211_KEYTYPE_PAIRWISE,
5215 				    mac_addr, &key.p);
5216 		if (err)
5217 			GENL_SET_ERR_MSG(info, "key addition failed");
5218 	}
5219 
5220 	return err;
5221 }
5222 
5223 static int nl80211_del_key(struct sk_buff *skb, struct genl_info *info)
5224 {
5225 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
5226 	int err;
5227 	struct net_device *dev = info->user_ptr[1];
5228 	u8 *mac_addr = NULL;
5229 	struct key_parse key;
5230 	int link_id = nl80211_link_id_or_invalid(info->attrs);
5231 	struct wireless_dev *wdev = dev->ieee80211_ptr;
5232 
5233 	err = nl80211_parse_key(info, &key);
5234 	if (err)
5235 		return err;
5236 
5237 	if (info->attrs[NL80211_ATTR_MAC])
5238 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
5239 
5240 	if (key.type == -1) {
5241 		if (mac_addr)
5242 			key.type = NL80211_KEYTYPE_PAIRWISE;
5243 		else
5244 			key.type = NL80211_KEYTYPE_GROUP;
5245 	}
5246 
5247 	/* for now */
5248 	if (key.type != NL80211_KEYTYPE_PAIRWISE &&
5249 	    key.type != NL80211_KEYTYPE_GROUP)
5250 		return -EINVAL;
5251 
5252 	if (!cfg80211_valid_key_idx(rdev, key.idx,
5253 				    key.type == NL80211_KEYTYPE_PAIRWISE))
5254 		return -EINVAL;
5255 
5256 	if (!rdev->ops->del_key)
5257 		return -EOPNOTSUPP;
5258 
5259 	err = nl80211_key_allowed(wdev);
5260 
5261 	if (key.type == NL80211_KEYTYPE_GROUP && mac_addr &&
5262 	    !(rdev->wiphy.flags & WIPHY_FLAG_IBSS_RSN))
5263 		err = -ENOENT;
5264 
5265 	if (!err)
5266 		err = nl80211_validate_key_link_id(info, wdev, link_id,
5267 				key.type == NL80211_KEYTYPE_PAIRWISE);
5268 
5269 	if (!err)
5270 		err = rdev_del_key(rdev, dev, link_id, key.idx,
5271 				   key.type == NL80211_KEYTYPE_PAIRWISE,
5272 				   mac_addr);
5273 
5274 #ifdef CONFIG_CFG80211_WEXT
5275 	if (!err) {
5276 		if (key.idx == wdev->wext.default_key)
5277 			wdev->wext.default_key = -1;
5278 		else if (key.idx == wdev->wext.default_mgmt_key)
5279 			wdev->wext.default_mgmt_key = -1;
5280 	}
5281 #endif
5282 
5283 	return err;
5284 }
5285 
5286 /* This function returns an error or the number of nested attributes */
5287 static int validate_acl_mac_addrs(struct nlattr *nl_attr)
5288 {
5289 	struct nlattr *attr;
5290 	int n_entries = 0, tmp;
5291 
5292 	nla_for_each_nested(attr, nl_attr, tmp) {
5293 		if (nla_len(attr) != ETH_ALEN)
5294 			return -EINVAL;
5295 
5296 		n_entries++;
5297 	}
5298 
5299 	return n_entries;
5300 }
5301 
5302 /*
5303  * This function parses ACL information and allocates memory for ACL data.
5304  * On successful return, the calling function is responsible to free the
5305  * ACL buffer returned by this function.
5306  */
5307 static struct cfg80211_acl_data *parse_acl_data(struct wiphy *wiphy,
5308 						struct genl_info *info)
5309 {
5310 	enum nl80211_acl_policy acl_policy;
5311 	struct nlattr *attr;
5312 	struct cfg80211_acl_data *acl;
5313 	int i = 0, n_entries, tmp;
5314 
5315 	if (!wiphy->max_acl_mac_addrs)
5316 		return ERR_PTR(-EOPNOTSUPP);
5317 
5318 	if (!info->attrs[NL80211_ATTR_ACL_POLICY])
5319 		return ERR_PTR(-EINVAL);
5320 
5321 	acl_policy = nla_get_u32(info->attrs[NL80211_ATTR_ACL_POLICY]);
5322 	if (acl_policy != NL80211_ACL_POLICY_ACCEPT_UNLESS_LISTED &&
5323 	    acl_policy != NL80211_ACL_POLICY_DENY_UNLESS_LISTED)
5324 		return ERR_PTR(-EINVAL);
5325 
5326 	if (!info->attrs[NL80211_ATTR_MAC_ADDRS])
5327 		return ERR_PTR(-EINVAL);
5328 
5329 	n_entries = validate_acl_mac_addrs(info->attrs[NL80211_ATTR_MAC_ADDRS]);
5330 	if (n_entries < 0)
5331 		return ERR_PTR(n_entries);
5332 
5333 	if (n_entries > wiphy->max_acl_mac_addrs)
5334 		return ERR_PTR(-EOPNOTSUPP);
5335 
5336 	acl = kzalloc(struct_size(acl, mac_addrs, n_entries), GFP_KERNEL);
5337 	if (!acl)
5338 		return ERR_PTR(-ENOMEM);
5339 	acl->n_acl_entries = n_entries;
5340 
5341 	nla_for_each_nested(attr, info->attrs[NL80211_ATTR_MAC_ADDRS], tmp) {
5342 		memcpy(acl->mac_addrs[i].addr, nla_data(attr), ETH_ALEN);
5343 		i++;
5344 	}
5345 	acl->acl_policy = acl_policy;
5346 
5347 	return acl;
5348 }
5349 
5350 static int nl80211_set_mac_acl(struct sk_buff *skb, struct genl_info *info)
5351 {
5352 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
5353 	struct net_device *dev = info->user_ptr[1];
5354 	struct cfg80211_acl_data *acl;
5355 	int err;
5356 
5357 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
5358 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
5359 		return -EOPNOTSUPP;
5360 
5361 	if (!dev->ieee80211_ptr->links[0].ap.beacon_interval)
5362 		return -EINVAL;
5363 
5364 	acl = parse_acl_data(&rdev->wiphy, info);
5365 	if (IS_ERR(acl))
5366 		return PTR_ERR(acl);
5367 
5368 	err = rdev_set_mac_acl(rdev, dev, acl);
5369 
5370 	kfree(acl);
5371 
5372 	return err;
5373 }
5374 
5375 static u32 rateset_to_mask(struct ieee80211_supported_band *sband,
5376 			   u8 *rates, u8 rates_len)
5377 {
5378 	u8 i;
5379 	u32 mask = 0;
5380 
5381 	for (i = 0; i < rates_len; i++) {
5382 		int rate = (rates[i] & 0x7f) * 5;
5383 		int ridx;
5384 
5385 		for (ridx = 0; ridx < sband->n_bitrates; ridx++) {
5386 			struct ieee80211_rate *srate =
5387 				&sband->bitrates[ridx];
5388 			if (rate == srate->bitrate) {
5389 				mask |= 1 << ridx;
5390 				break;
5391 			}
5392 		}
5393 		if (ridx == sband->n_bitrates)
5394 			return 0; /* rate not found */
5395 	}
5396 
5397 	return mask;
5398 }
5399 
5400 static bool ht_rateset_to_mask(struct ieee80211_supported_band *sband,
5401 			       u8 *rates, u8 rates_len,
5402 			       u8 mcs[IEEE80211_HT_MCS_MASK_LEN])
5403 {
5404 	u8 i;
5405 
5406 	memset(mcs, 0, IEEE80211_HT_MCS_MASK_LEN);
5407 
5408 	for (i = 0; i < rates_len; i++) {
5409 		int ridx, rbit;
5410 
5411 		ridx = rates[i] / 8;
5412 		rbit = BIT(rates[i] % 8);
5413 
5414 		/* check validity */
5415 		if ((ridx < 0) || (ridx >= IEEE80211_HT_MCS_MASK_LEN))
5416 			return false;
5417 
5418 		/* check availability */
5419 		ridx = array_index_nospec(ridx, IEEE80211_HT_MCS_MASK_LEN);
5420 		if (sband->ht_cap.mcs.rx_mask[ridx] & rbit)
5421 			mcs[ridx] |= rbit;
5422 		else
5423 			return false;
5424 	}
5425 
5426 	return true;
5427 }
5428 
5429 static u16 vht_mcs_map_to_mcs_mask(u8 vht_mcs_map)
5430 {
5431 	u16 mcs_mask = 0;
5432 
5433 	switch (vht_mcs_map) {
5434 	case IEEE80211_VHT_MCS_NOT_SUPPORTED:
5435 		break;
5436 	case IEEE80211_VHT_MCS_SUPPORT_0_7:
5437 		mcs_mask = 0x00FF;
5438 		break;
5439 	case IEEE80211_VHT_MCS_SUPPORT_0_8:
5440 		mcs_mask = 0x01FF;
5441 		break;
5442 	case IEEE80211_VHT_MCS_SUPPORT_0_9:
5443 		mcs_mask = 0x03FF;
5444 		break;
5445 	default:
5446 		break;
5447 	}
5448 
5449 	return mcs_mask;
5450 }
5451 
5452 static void vht_build_mcs_mask(u16 vht_mcs_map,
5453 			       u16 vht_mcs_mask[NL80211_VHT_NSS_MAX])
5454 {
5455 	u8 nss;
5456 
5457 	for (nss = 0; nss < NL80211_VHT_NSS_MAX; nss++) {
5458 		vht_mcs_mask[nss] = vht_mcs_map_to_mcs_mask(vht_mcs_map & 0x03);
5459 		vht_mcs_map >>= 2;
5460 	}
5461 }
5462 
5463 static bool vht_set_mcs_mask(struct ieee80211_supported_band *sband,
5464 			     struct nl80211_txrate_vht *txrate,
5465 			     u16 mcs[NL80211_VHT_NSS_MAX])
5466 {
5467 	u16 tx_mcs_map = le16_to_cpu(sband->vht_cap.vht_mcs.tx_mcs_map);
5468 	u16 tx_mcs_mask[NL80211_VHT_NSS_MAX] = {};
5469 	u8 i;
5470 
5471 	if (!sband->vht_cap.vht_supported)
5472 		return false;
5473 
5474 	memset(mcs, 0, sizeof(u16) * NL80211_VHT_NSS_MAX);
5475 
5476 	/* Build vht_mcs_mask from VHT capabilities */
5477 	vht_build_mcs_mask(tx_mcs_map, tx_mcs_mask);
5478 
5479 	for (i = 0; i < NL80211_VHT_NSS_MAX; i++) {
5480 		if ((tx_mcs_mask[i] & txrate->mcs[i]) == txrate->mcs[i])
5481 			mcs[i] = txrate->mcs[i];
5482 		else
5483 			return false;
5484 	}
5485 
5486 	return true;
5487 }
5488 
5489 static u16 he_mcs_map_to_mcs_mask(u8 he_mcs_map)
5490 {
5491 	switch (he_mcs_map) {
5492 	case IEEE80211_HE_MCS_NOT_SUPPORTED:
5493 		return 0;
5494 	case IEEE80211_HE_MCS_SUPPORT_0_7:
5495 		return 0x00FF;
5496 	case IEEE80211_HE_MCS_SUPPORT_0_9:
5497 		return 0x03FF;
5498 	case IEEE80211_HE_MCS_SUPPORT_0_11:
5499 		return 0xFFF;
5500 	default:
5501 		break;
5502 	}
5503 	return 0;
5504 }
5505 
5506 static void he_build_mcs_mask(u16 he_mcs_map,
5507 			      u16 he_mcs_mask[NL80211_HE_NSS_MAX])
5508 {
5509 	u8 nss;
5510 
5511 	for (nss = 0; nss < NL80211_HE_NSS_MAX; nss++) {
5512 		he_mcs_mask[nss] = he_mcs_map_to_mcs_mask(he_mcs_map & 0x03);
5513 		he_mcs_map >>= 2;
5514 	}
5515 }
5516 
5517 static u16 he_get_txmcsmap(struct genl_info *info, unsigned int link_id,
5518 			   const struct ieee80211_sta_he_cap *he_cap)
5519 {
5520 	struct net_device *dev = info->user_ptr[1];
5521 	struct wireless_dev *wdev = dev->ieee80211_ptr;
5522 	struct cfg80211_chan_def *chandef;
5523 	__le16 tx_mcs;
5524 
5525 	chandef = wdev_chandef(wdev, link_id);
5526 	if (!chandef) {
5527 		/*
5528 		 * This is probably broken, but we never maintained
5529 		 * a chandef in these cases, so it always was.
5530 		 */
5531 		return le16_to_cpu(he_cap->he_mcs_nss_supp.tx_mcs_80);
5532 	}
5533 
5534 	switch (chandef->width) {
5535 	case NL80211_CHAN_WIDTH_80P80:
5536 		tx_mcs = he_cap->he_mcs_nss_supp.tx_mcs_80p80;
5537 		break;
5538 	case NL80211_CHAN_WIDTH_160:
5539 		tx_mcs = he_cap->he_mcs_nss_supp.tx_mcs_160;
5540 		break;
5541 	default:
5542 		tx_mcs = he_cap->he_mcs_nss_supp.tx_mcs_80;
5543 		break;
5544 	}
5545 
5546 	return le16_to_cpu(tx_mcs);
5547 }
5548 
5549 static bool he_set_mcs_mask(struct genl_info *info,
5550 			    struct wireless_dev *wdev,
5551 			    struct ieee80211_supported_band *sband,
5552 			    struct nl80211_txrate_he *txrate,
5553 			    u16 mcs[NL80211_HE_NSS_MAX],
5554 			    unsigned int link_id)
5555 {
5556 	const struct ieee80211_sta_he_cap *he_cap;
5557 	u16 tx_mcs_mask[NL80211_HE_NSS_MAX] = {};
5558 	u16 tx_mcs_map = 0;
5559 	u8 i;
5560 
5561 	he_cap = ieee80211_get_he_iftype_cap(sband, wdev->iftype);
5562 	if (!he_cap)
5563 		return false;
5564 
5565 	memset(mcs, 0, sizeof(u16) * NL80211_HE_NSS_MAX);
5566 
5567 	tx_mcs_map = he_get_txmcsmap(info, link_id, he_cap);
5568 
5569 	/* Build he_mcs_mask from HE capabilities */
5570 	he_build_mcs_mask(tx_mcs_map, tx_mcs_mask);
5571 
5572 	for (i = 0; i < NL80211_HE_NSS_MAX; i++) {
5573 		if ((tx_mcs_mask[i] & txrate->mcs[i]) == txrate->mcs[i])
5574 			mcs[i] = txrate->mcs[i];
5575 		else
5576 			return false;
5577 	}
5578 
5579 	return true;
5580 }
5581 
5582 static void eht_build_mcs_mask(struct genl_info *info,
5583 			       const struct ieee80211_sta_eht_cap *eht_cap,
5584 			       u8 mcs_nss_len, u16 *mcs_mask)
5585 {
5586 	struct net_device *dev = info->user_ptr[1];
5587 	struct wireless_dev *wdev = dev->ieee80211_ptr;
5588 	u8 nss, mcs_7 = 0, mcs_9 = 0, mcs_11 = 0, mcs_13 = 0;
5589 	unsigned int link_id = nl80211_link_id(info->attrs);
5590 
5591 	if (mcs_nss_len == 4) {
5592 		const struct ieee80211_eht_mcs_nss_supp_20mhz_only *mcs =
5593 					&eht_cap->eht_mcs_nss_supp.only_20mhz;
5594 
5595 		mcs_7 = u8_get_bits(mcs->rx_tx_mcs7_max_nss,
5596 				    IEEE80211_EHT_MCS_NSS_TX);
5597 		mcs_9 = u8_get_bits(mcs->rx_tx_mcs9_max_nss,
5598 				    IEEE80211_EHT_MCS_NSS_TX);
5599 		mcs_11 = u8_get_bits(mcs->rx_tx_mcs11_max_nss,
5600 				     IEEE80211_EHT_MCS_NSS_TX);
5601 		mcs_13 = u8_get_bits(mcs->rx_tx_mcs13_max_nss,
5602 				     IEEE80211_EHT_MCS_NSS_TX);
5603 
5604 	} else {
5605 		const struct ieee80211_eht_mcs_nss_supp_bw *mcs;
5606 		enum nl80211_chan_width width;
5607 
5608 		switch (wdev->iftype) {
5609 		case NL80211_IFTYPE_ADHOC:
5610 			width = wdev->u.ibss.chandef.width;
5611 			break;
5612 		case NL80211_IFTYPE_MESH_POINT:
5613 			width = wdev->u.mesh.chandef.width;
5614 			break;
5615 		case NL80211_IFTYPE_OCB:
5616 			width = wdev->u.ocb.chandef.width;
5617 			break;
5618 		default:
5619 			if (wdev->valid_links)
5620 				width = wdev->links[link_id].ap.chandef.width;
5621 			else
5622 				width = wdev->u.ap.preset_chandef.width;
5623 			break;
5624 		}
5625 
5626 		switch (width) {
5627 		case NL80211_CHAN_WIDTH_320:
5628 			mcs = &eht_cap->eht_mcs_nss_supp.bw._320;
5629 			break;
5630 		case NL80211_CHAN_WIDTH_160:
5631 			mcs = &eht_cap->eht_mcs_nss_supp.bw._160;
5632 			break;
5633 		default:
5634 			mcs = &eht_cap->eht_mcs_nss_supp.bw._80;
5635 			break;
5636 		}
5637 
5638 		mcs_7 = u8_get_bits(mcs->rx_tx_mcs9_max_nss,
5639 				    IEEE80211_EHT_MCS_NSS_TX);
5640 		mcs_9 = u8_get_bits(mcs->rx_tx_mcs9_max_nss,
5641 				    IEEE80211_EHT_MCS_NSS_TX);
5642 		mcs_11 = u8_get_bits(mcs->rx_tx_mcs11_max_nss,
5643 				     IEEE80211_EHT_MCS_NSS_TX);
5644 		mcs_13 = u8_get_bits(mcs->rx_tx_mcs13_max_nss,
5645 				     IEEE80211_EHT_MCS_NSS_TX);
5646 	}
5647 
5648 	/* Enable MCS 14 for NSS 0 */
5649 	if (eht_cap->eht_cap_elem.phy_cap_info[6] &
5650 	    IEEE80211_EHT_PHY_CAP6_EHT_DUP_6GHZ_SUPP)
5651 		mcs_mask[0] |= 0x4000;
5652 
5653 	/* Enable MCS 15 for NSS 0 */
5654 	mcs_mask[0] |= 0x8000;
5655 
5656 	for (nss = 0; nss < NL80211_EHT_NSS_MAX; nss++) {
5657 		if (!mcs_7)
5658 			continue;
5659 		mcs_mask[nss] |= 0x00FF;
5660 		mcs_7--;
5661 
5662 		if (!mcs_9)
5663 			continue;
5664 		mcs_mask[nss] |= 0x0300;
5665 		mcs_9--;
5666 
5667 		if (!mcs_11)
5668 			continue;
5669 		mcs_mask[nss] |= 0x0C00;
5670 		mcs_11--;
5671 
5672 		if (!mcs_13)
5673 			continue;
5674 		mcs_mask[nss] |= 0x3000;
5675 		mcs_13--;
5676 	}
5677 }
5678 
5679 static bool eht_set_mcs_mask(struct genl_info *info, struct wireless_dev *wdev,
5680 			     struct ieee80211_supported_band *sband,
5681 			     struct nl80211_txrate_eht *txrate,
5682 			     u16 mcs[NL80211_EHT_NSS_MAX])
5683 {
5684 	const struct ieee80211_sta_he_cap *he_cap;
5685 	const struct ieee80211_sta_eht_cap *eht_cap;
5686 	u16 tx_mcs_mask[NL80211_EHT_NSS_MAX] = { 0 };
5687 	u8 i, mcs_nss_len;
5688 
5689 	he_cap = ieee80211_get_he_iftype_cap(sband, wdev->iftype);
5690 	if (!he_cap)
5691 		return false;
5692 
5693 	eht_cap = ieee80211_get_eht_iftype_cap(sband, wdev->iftype);
5694 	if (!eht_cap)
5695 		return false;
5696 
5697 	/* Checks for MCS 14 */
5698 	if (txrate->mcs[0] & 0x4000) {
5699 		if (sband->band != NL80211_BAND_6GHZ)
5700 			return false;
5701 
5702 		if (!(eht_cap->eht_cap_elem.phy_cap_info[6] &
5703 		      IEEE80211_EHT_PHY_CAP6_EHT_DUP_6GHZ_SUPP))
5704 			return false;
5705 	}
5706 
5707 	mcs_nss_len = ieee80211_eht_mcs_nss_size(&he_cap->he_cap_elem,
5708 						 &eht_cap->eht_cap_elem,
5709 						 wdev->iftype ==
5710 							NL80211_IFTYPE_STATION);
5711 
5712 	if (mcs_nss_len == 3) {
5713 		/* Supported iftypes for setting non-20 MHZ only EHT MCS */
5714 		switch (wdev->iftype) {
5715 		case NL80211_IFTYPE_ADHOC:
5716 		case NL80211_IFTYPE_AP:
5717 		case NL80211_IFTYPE_P2P_GO:
5718 		case NL80211_IFTYPE_MESH_POINT:
5719 		case NL80211_IFTYPE_OCB:
5720 			break;
5721 		default:
5722 			return false;
5723 		}
5724 	}
5725 
5726 	/* Build eht_mcs_mask from EHT and HE capabilities */
5727 	eht_build_mcs_mask(info, eht_cap, mcs_nss_len, tx_mcs_mask);
5728 
5729 	memset(mcs, 0, sizeof(u16) * NL80211_EHT_NSS_MAX);
5730 	for (i = 0; i < NL80211_EHT_NSS_MAX; i++) {
5731 		if ((tx_mcs_mask[i] & txrate->mcs[i]) == txrate->mcs[i])
5732 			mcs[i] = txrate->mcs[i];
5733 		else
5734 			return false;
5735 	}
5736 
5737 	return true;
5738 }
5739 
5740 static int nl80211_parse_tx_bitrate_mask(struct genl_info *info,
5741 					 struct nlattr *attrs[],
5742 					 enum nl80211_attrs attr,
5743 					 struct cfg80211_bitrate_mask *mask,
5744 					 struct net_device *dev,
5745 					 bool default_all_enabled,
5746 					 unsigned int link_id)
5747 {
5748 	struct nlattr *tb[NL80211_TXRATE_MAX + 1];
5749 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
5750 	struct wireless_dev *wdev = dev->ieee80211_ptr;
5751 	int rem, i;
5752 	struct nlattr *tx_rates;
5753 	struct ieee80211_supported_band *sband;
5754 	u16 vht_tx_mcs_map, he_tx_mcs_map;
5755 
5756 	memset(mask, 0, sizeof(*mask));
5757 	/* Default to all rates enabled */
5758 	for (i = 0; i < NUM_NL80211_BANDS; i++) {
5759 		const struct ieee80211_sta_he_cap *he_cap;
5760 		const struct ieee80211_sta_eht_cap *eht_cap;
5761 		u8 mcs_nss_len;
5762 
5763 		if (!default_all_enabled)
5764 			break;
5765 
5766 		sband = rdev->wiphy.bands[i];
5767 
5768 		if (!sband)
5769 			continue;
5770 
5771 		mask->control[i].legacy = (1 << sband->n_bitrates) - 1;
5772 		memcpy(mask->control[i].ht_mcs,
5773 		       sband->ht_cap.mcs.rx_mask,
5774 		       sizeof(mask->control[i].ht_mcs));
5775 
5776 		if (sband->vht_cap.vht_supported) {
5777 			vht_tx_mcs_map = le16_to_cpu(sband->vht_cap.vht_mcs.tx_mcs_map);
5778 			vht_build_mcs_mask(vht_tx_mcs_map, mask->control[i].vht_mcs);
5779 		}
5780 
5781 		he_cap = ieee80211_get_he_iftype_cap(sband, wdev->iftype);
5782 		if (!he_cap)
5783 			continue;
5784 
5785 		he_tx_mcs_map = he_get_txmcsmap(info, link_id, he_cap);
5786 		he_build_mcs_mask(he_tx_mcs_map, mask->control[i].he_mcs);
5787 
5788 		mask->control[i].he_gi = 0xFF;
5789 		mask->control[i].he_ltf = 0xFF;
5790 
5791 		eht_cap = ieee80211_get_eht_iftype_cap(sband, wdev->iftype);
5792 		if (!eht_cap)
5793 			continue;
5794 
5795 		mcs_nss_len = ieee80211_eht_mcs_nss_size(&he_cap->he_cap_elem,
5796 							 &eht_cap->eht_cap_elem,
5797 							 wdev->iftype ==
5798 							 NL80211_IFTYPE_STATION);
5799 
5800 		eht_build_mcs_mask(info, eht_cap, mcs_nss_len,
5801 				   mask->control[i].eht_mcs);
5802 
5803 		mask->control[i].eht_gi = 0xFF;
5804 		mask->control[i].eht_ltf = 0xFF;
5805 	}
5806 
5807 	/* if no rates are given set it back to the defaults */
5808 	if (!attrs[attr])
5809 		goto out;
5810 
5811 	/* The nested attribute uses enum nl80211_band as the index. This maps
5812 	 * directly to the enum nl80211_band values used in cfg80211.
5813 	 */
5814 	BUILD_BUG_ON(NL80211_MAX_SUPP_HT_RATES > IEEE80211_HT_MCS_MASK_LEN * 8);
5815 	nla_for_each_nested(tx_rates, attrs[attr], rem) {
5816 		enum nl80211_band band = nla_type(tx_rates);
5817 		int err;
5818 
5819 		if (band < 0 || band >= NUM_NL80211_BANDS)
5820 			return -EINVAL;
5821 		sband = rdev->wiphy.bands[band];
5822 		if (sband == NULL)
5823 			return -EINVAL;
5824 		err = nla_parse_nested_deprecated(tb, NL80211_TXRATE_MAX,
5825 						  tx_rates,
5826 						  nl80211_txattr_policy,
5827 						  info->extack);
5828 		if (err)
5829 			return err;
5830 		if (tb[NL80211_TXRATE_LEGACY]) {
5831 			mask->control[band].legacy = rateset_to_mask(
5832 				sband,
5833 				nla_data(tb[NL80211_TXRATE_LEGACY]),
5834 				nla_len(tb[NL80211_TXRATE_LEGACY]));
5835 			if ((mask->control[band].legacy == 0) &&
5836 			    nla_len(tb[NL80211_TXRATE_LEGACY]))
5837 				return -EINVAL;
5838 		}
5839 		if (tb[NL80211_TXRATE_HT]) {
5840 			if (!ht_rateset_to_mask(
5841 					sband,
5842 					nla_data(tb[NL80211_TXRATE_HT]),
5843 					nla_len(tb[NL80211_TXRATE_HT]),
5844 					mask->control[band].ht_mcs))
5845 				return -EINVAL;
5846 		}
5847 
5848 		if (tb[NL80211_TXRATE_VHT]) {
5849 			if (!vht_set_mcs_mask(
5850 					sband,
5851 					nla_data(tb[NL80211_TXRATE_VHT]),
5852 					mask->control[band].vht_mcs))
5853 				return -EINVAL;
5854 		}
5855 
5856 		if (tb[NL80211_TXRATE_GI]) {
5857 			mask->control[band].gi =
5858 				nla_get_u8(tb[NL80211_TXRATE_GI]);
5859 			if (mask->control[band].gi > NL80211_TXRATE_FORCE_LGI)
5860 				return -EINVAL;
5861 		}
5862 		if (tb[NL80211_TXRATE_HE] &&
5863 		    !he_set_mcs_mask(info, wdev, sband,
5864 				     nla_data(tb[NL80211_TXRATE_HE]),
5865 				     mask->control[band].he_mcs,
5866 				     link_id))
5867 			return -EINVAL;
5868 
5869 		if (tb[NL80211_TXRATE_HE_GI])
5870 			mask->control[band].he_gi =
5871 				nla_get_u8(tb[NL80211_TXRATE_HE_GI]);
5872 		if (tb[NL80211_TXRATE_HE_LTF])
5873 			mask->control[band].he_ltf =
5874 				nla_get_u8(tb[NL80211_TXRATE_HE_LTF]);
5875 
5876 		if (tb[NL80211_TXRATE_EHT] &&
5877 		    !eht_set_mcs_mask(info, wdev, sband,
5878 				      nla_data(tb[NL80211_TXRATE_EHT]),
5879 				      mask->control[band].eht_mcs))
5880 			return -EINVAL;
5881 
5882 		if (tb[NL80211_TXRATE_EHT_GI])
5883 			mask->control[band].eht_gi =
5884 				nla_get_u8(tb[NL80211_TXRATE_EHT_GI]);
5885 		if (tb[NL80211_TXRATE_EHT_LTF])
5886 			mask->control[band].eht_ltf =
5887 				nla_get_u8(tb[NL80211_TXRATE_EHT_LTF]);
5888 
5889 		if (mask->control[band].legacy == 0) {
5890 			/* don't allow empty legacy rates if HT, VHT, HE or EHT
5891 			 * are not even supported.
5892 			 */
5893 			if (!(rdev->wiphy.bands[band]->ht_cap.ht_supported ||
5894 			      rdev->wiphy.bands[band]->vht_cap.vht_supported ||
5895 			      ieee80211_get_he_iftype_cap(sband, wdev->iftype) ||
5896 			      ieee80211_get_eht_iftype_cap(sband, wdev->iftype)))
5897 				return -EINVAL;
5898 
5899 			for (i = 0; i < IEEE80211_HT_MCS_MASK_LEN; i++)
5900 				if (mask->control[band].ht_mcs[i])
5901 					goto out;
5902 
5903 			for (i = 0; i < NL80211_VHT_NSS_MAX; i++)
5904 				if (mask->control[band].vht_mcs[i])
5905 					goto out;
5906 
5907 			for (i = 0; i < NL80211_HE_NSS_MAX; i++)
5908 				if (mask->control[band].he_mcs[i])
5909 					goto out;
5910 
5911 			for (i = 0; i < NL80211_EHT_NSS_MAX; i++)
5912 				if (mask->control[band].eht_mcs[i])
5913 					goto out;
5914 
5915 			/* legacy and mcs rates may not be both empty */
5916 			return -EINVAL;
5917 		}
5918 	}
5919 
5920 out:
5921 	return 0;
5922 }
5923 
5924 static int validate_beacon_tx_rate(struct cfg80211_registered_device *rdev,
5925 				   enum nl80211_band band,
5926 				   struct cfg80211_bitrate_mask *beacon_rate)
5927 {
5928 	u32 count_ht, count_vht, count_he, count_eht, i;
5929 	u32 rate = beacon_rate->control[band].legacy;
5930 
5931 	/* Allow only one rate */
5932 	if (hweight32(rate) > 1)
5933 		return -EINVAL;
5934 
5935 	count_ht = 0;
5936 	for (i = 0; i < IEEE80211_HT_MCS_MASK_LEN; i++) {
5937 		if (hweight8(beacon_rate->control[band].ht_mcs[i]) > 1) {
5938 			return -EINVAL;
5939 		} else if (beacon_rate->control[band].ht_mcs[i]) {
5940 			count_ht++;
5941 			if (count_ht > 1)
5942 				return -EINVAL;
5943 		}
5944 		if (count_ht && rate)
5945 			return -EINVAL;
5946 	}
5947 
5948 	count_vht = 0;
5949 	for (i = 0; i < NL80211_VHT_NSS_MAX; i++) {
5950 		if (hweight16(beacon_rate->control[band].vht_mcs[i]) > 1) {
5951 			return -EINVAL;
5952 		} else if (beacon_rate->control[band].vht_mcs[i]) {
5953 			count_vht++;
5954 			if (count_vht > 1)
5955 				return -EINVAL;
5956 		}
5957 		if (count_vht && rate)
5958 			return -EINVAL;
5959 	}
5960 
5961 	count_he = 0;
5962 	for (i = 0; i < NL80211_HE_NSS_MAX; i++) {
5963 		if (hweight16(beacon_rate->control[band].he_mcs[i]) > 1) {
5964 			return -EINVAL;
5965 		} else if (beacon_rate->control[band].he_mcs[i]) {
5966 			count_he++;
5967 			if (count_he > 1)
5968 				return -EINVAL;
5969 		}
5970 		if (count_he && rate)
5971 			return -EINVAL;
5972 	}
5973 
5974 	count_eht = 0;
5975 	for (i = 0; i < NL80211_EHT_NSS_MAX; i++) {
5976 		if (hweight16(beacon_rate->control[band].eht_mcs[i]) > 1) {
5977 			return -EINVAL;
5978 		} else if (beacon_rate->control[band].eht_mcs[i]) {
5979 			count_eht++;
5980 			if (count_eht > 1)
5981 				return -EINVAL;
5982 		}
5983 		if (count_eht && rate)
5984 			return -EINVAL;
5985 	}
5986 
5987 	if ((count_ht && count_vht && count_he && count_eht) ||
5988 	    (!rate && !count_ht && !count_vht && !count_he && !count_eht))
5989 		return -EINVAL;
5990 
5991 	if (rate &&
5992 	    !wiphy_ext_feature_isset(&rdev->wiphy,
5993 				     NL80211_EXT_FEATURE_BEACON_RATE_LEGACY))
5994 		return -EINVAL;
5995 	if (count_ht &&
5996 	    !wiphy_ext_feature_isset(&rdev->wiphy,
5997 				     NL80211_EXT_FEATURE_BEACON_RATE_HT))
5998 		return -EINVAL;
5999 	if (count_vht &&
6000 	    !wiphy_ext_feature_isset(&rdev->wiphy,
6001 				     NL80211_EXT_FEATURE_BEACON_RATE_VHT))
6002 		return -EINVAL;
6003 	if (count_he &&
6004 	    !wiphy_ext_feature_isset(&rdev->wiphy,
6005 				     NL80211_EXT_FEATURE_BEACON_RATE_HE))
6006 		return -EINVAL;
6007 
6008 	if (count_eht &&
6009 	    !wiphy_ext_feature_isset(&rdev->wiphy,
6010 				     NL80211_EXT_FEATURE_BEACON_RATE_EHT))
6011 		return -EINVAL;
6012 
6013 	return 0;
6014 }
6015 
6016 static int nl80211_parse_mbssid_config(struct wiphy *wiphy,
6017 				       struct net_device *dev,
6018 				       unsigned int link_id,
6019 				       struct nlattr *attrs,
6020 				       struct cfg80211_mbssid_config *config,
6021 				       u8 num_elems)
6022 {
6023 	struct nlattr *tb[NL80211_MBSSID_CONFIG_ATTR_MAX + 1];
6024 	int tx_link_id = -1;
6025 
6026 	if (!wiphy->mbssid_max_interfaces)
6027 		return -EOPNOTSUPP;
6028 
6029 	if (nla_parse_nested(tb, NL80211_MBSSID_CONFIG_ATTR_MAX, attrs, NULL,
6030 			     NULL) ||
6031 	    !tb[NL80211_MBSSID_CONFIG_ATTR_INDEX])
6032 		return -EINVAL;
6033 
6034 	config->ema = nla_get_flag(tb[NL80211_MBSSID_CONFIG_ATTR_EMA]);
6035 	if (config->ema) {
6036 		if (!wiphy->ema_max_profile_periodicity)
6037 			return -EOPNOTSUPP;
6038 
6039 		if (num_elems > wiphy->ema_max_profile_periodicity)
6040 			return -EINVAL;
6041 	}
6042 
6043 	config->index = nla_get_u8(tb[NL80211_MBSSID_CONFIG_ATTR_INDEX]);
6044 	if (config->index >= wiphy->mbssid_max_interfaces ||
6045 	    (!config->index && !num_elems))
6046 		return -EINVAL;
6047 
6048 	if (tb[NL80211_MBSSID_CONFIG_ATTR_TX_LINK_ID])
6049 		tx_link_id = nla_get_u8(tb[NL80211_MBSSID_CONFIG_ATTR_TX_LINK_ID]);
6050 
6051 	if (tb[NL80211_MBSSID_CONFIG_ATTR_TX_IFINDEX]) {
6052 		u32 tx_ifindex =
6053 			nla_get_u32(tb[NL80211_MBSSID_CONFIG_ATTR_TX_IFINDEX]);
6054 
6055 		if ((!config->index && tx_ifindex != dev->ifindex) ||
6056 		    (config->index && tx_ifindex == dev->ifindex))
6057 			return -EINVAL;
6058 
6059 		if (tx_ifindex != dev->ifindex) {
6060 			struct net_device *tx_netdev =
6061 				dev_get_by_index(wiphy_net(wiphy), tx_ifindex);
6062 
6063 			if (!tx_netdev || !tx_netdev->ieee80211_ptr ||
6064 			    tx_netdev->ieee80211_ptr->wiphy != wiphy ||
6065 			    tx_netdev->ieee80211_ptr->iftype !=
6066 							NL80211_IFTYPE_AP) {
6067 				dev_put(tx_netdev);
6068 				return -EINVAL;
6069 			}
6070 
6071 			config->tx_wdev = tx_netdev->ieee80211_ptr;
6072 			/* Caller should call dev_put(config->tx_wdev) from this point */
6073 
6074 			if (config->tx_wdev->valid_links) {
6075 				if (tx_link_id == -1 ||
6076 				    !(config->tx_wdev->valid_links & BIT(tx_link_id)))
6077 					return -ENOLINK;
6078 
6079 				config->tx_link_id = tx_link_id;
6080 			}
6081 		} else {
6082 			if (tx_link_id >= 0 && tx_link_id != link_id)
6083 				return -EINVAL;
6084 
6085 			config->tx_wdev = dev->ieee80211_ptr;
6086 		}
6087 	} else if (!config->index) {
6088 		if (tx_link_id >= 0 && tx_link_id != link_id)
6089 			return -EINVAL;
6090 
6091 		config->tx_wdev = dev->ieee80211_ptr;
6092 	} else {
6093 		return -EINVAL;
6094 	}
6095 
6096 	return 0;
6097 }
6098 
6099 static struct cfg80211_mbssid_elems *
6100 nl80211_parse_mbssid_elems(struct wiphy *wiphy, struct nlattr *attrs)
6101 {
6102 	struct nlattr *nl_elems;
6103 	struct cfg80211_mbssid_elems *elems;
6104 	int rem_elems;
6105 	u8 i = 0, num_elems = 0;
6106 
6107 	if (!wiphy->mbssid_max_interfaces)
6108 		return ERR_PTR(-EINVAL);
6109 
6110 	nla_for_each_nested(nl_elems, attrs, rem_elems) {
6111 		if (num_elems >= 255)
6112 			return ERR_PTR(-EINVAL);
6113 		num_elems++;
6114 	}
6115 
6116 	elems = kzalloc(struct_size(elems, elem, num_elems), GFP_KERNEL);
6117 	if (!elems)
6118 		return ERR_PTR(-ENOMEM);
6119 	elems->cnt = num_elems;
6120 
6121 	nla_for_each_nested(nl_elems, attrs, rem_elems) {
6122 		elems->elem[i].data = nla_data(nl_elems);
6123 		elems->elem[i].len = nla_len(nl_elems);
6124 		i++;
6125 	}
6126 	return elems;
6127 }
6128 
6129 static struct cfg80211_rnr_elems *
6130 nl80211_parse_rnr_elems(struct wiphy *wiphy, struct nlattr *attrs,
6131 			struct netlink_ext_ack *extack)
6132 {
6133 	struct nlattr *nl_elems;
6134 	struct cfg80211_rnr_elems *elems;
6135 	int rem_elems;
6136 	u8 i = 0, num_elems = 0;
6137 
6138 	nla_for_each_nested(nl_elems, attrs, rem_elems) {
6139 		int ret;
6140 
6141 		ret = validate_ie_attr(nl_elems, extack);
6142 		if (ret)
6143 			return ERR_PTR(ret);
6144 
6145 		num_elems++;
6146 	}
6147 
6148 	elems = kzalloc(struct_size(elems, elem, num_elems), GFP_KERNEL);
6149 	if (!elems)
6150 		return ERR_PTR(-ENOMEM);
6151 	elems->cnt = num_elems;
6152 
6153 	nla_for_each_nested(nl_elems, attrs, rem_elems) {
6154 		elems->elem[i].data = nla_data(nl_elems);
6155 		elems->elem[i].len = nla_len(nl_elems);
6156 		i++;
6157 	}
6158 	return elems;
6159 }
6160 
6161 static int nl80211_parse_he_bss_color(struct nlattr *attrs,
6162 				      struct cfg80211_he_bss_color *he_bss_color)
6163 {
6164 	struct nlattr *tb[NL80211_HE_BSS_COLOR_ATTR_MAX + 1];
6165 	int err;
6166 
6167 	err = nla_parse_nested(tb, NL80211_HE_BSS_COLOR_ATTR_MAX, attrs,
6168 			       he_bss_color_policy, NULL);
6169 	if (err)
6170 		return err;
6171 
6172 	if (!tb[NL80211_HE_BSS_COLOR_ATTR_COLOR])
6173 		return -EINVAL;
6174 
6175 	he_bss_color->color =
6176 		nla_get_u8(tb[NL80211_HE_BSS_COLOR_ATTR_COLOR]);
6177 	he_bss_color->enabled =
6178 		!nla_get_flag(tb[NL80211_HE_BSS_COLOR_ATTR_DISABLED]);
6179 	he_bss_color->partial =
6180 		nla_get_flag(tb[NL80211_HE_BSS_COLOR_ATTR_PARTIAL]);
6181 
6182 	return 0;
6183 }
6184 
6185 static int nl80211_parse_beacon(struct cfg80211_registered_device *rdev,
6186 				struct nlattr *attrs[],
6187 				struct cfg80211_beacon_data *bcn,
6188 				struct netlink_ext_ack *extack)
6189 {
6190 	bool haveinfo = false;
6191 	int err;
6192 
6193 	memset(bcn, 0, sizeof(*bcn));
6194 
6195 	bcn->link_id = nl80211_link_id(attrs);
6196 
6197 	if (attrs[NL80211_ATTR_BEACON_HEAD]) {
6198 		bcn->head = nla_data(attrs[NL80211_ATTR_BEACON_HEAD]);
6199 		bcn->head_len = nla_len(attrs[NL80211_ATTR_BEACON_HEAD]);
6200 		if (!bcn->head_len)
6201 			return -EINVAL;
6202 		haveinfo = true;
6203 	}
6204 
6205 	if (attrs[NL80211_ATTR_BEACON_TAIL]) {
6206 		bcn->tail = nla_data(attrs[NL80211_ATTR_BEACON_TAIL]);
6207 		bcn->tail_len = nla_len(attrs[NL80211_ATTR_BEACON_TAIL]);
6208 		haveinfo = true;
6209 	}
6210 
6211 	if (!haveinfo)
6212 		return -EINVAL;
6213 
6214 	if (attrs[NL80211_ATTR_IE]) {
6215 		bcn->beacon_ies = nla_data(attrs[NL80211_ATTR_IE]);
6216 		bcn->beacon_ies_len = nla_len(attrs[NL80211_ATTR_IE]);
6217 	}
6218 
6219 	if (attrs[NL80211_ATTR_IE_PROBE_RESP]) {
6220 		bcn->proberesp_ies =
6221 			nla_data(attrs[NL80211_ATTR_IE_PROBE_RESP]);
6222 		bcn->proberesp_ies_len =
6223 			nla_len(attrs[NL80211_ATTR_IE_PROBE_RESP]);
6224 	}
6225 
6226 	if (attrs[NL80211_ATTR_IE_ASSOC_RESP]) {
6227 		bcn->assocresp_ies =
6228 			nla_data(attrs[NL80211_ATTR_IE_ASSOC_RESP]);
6229 		bcn->assocresp_ies_len =
6230 			nla_len(attrs[NL80211_ATTR_IE_ASSOC_RESP]);
6231 	}
6232 
6233 	if (attrs[NL80211_ATTR_PROBE_RESP]) {
6234 		bcn->probe_resp = nla_data(attrs[NL80211_ATTR_PROBE_RESP]);
6235 		bcn->probe_resp_len = nla_len(attrs[NL80211_ATTR_PROBE_RESP]);
6236 	}
6237 
6238 	if (attrs[NL80211_ATTR_FTM_RESPONDER]) {
6239 		struct nlattr *tb[NL80211_FTM_RESP_ATTR_MAX + 1];
6240 
6241 		err = nla_parse_nested_deprecated(tb,
6242 						  NL80211_FTM_RESP_ATTR_MAX,
6243 						  attrs[NL80211_ATTR_FTM_RESPONDER],
6244 						  NULL, NULL);
6245 		if (err)
6246 			return err;
6247 
6248 		if (tb[NL80211_FTM_RESP_ATTR_ENABLED] &&
6249 		    wiphy_ext_feature_isset(&rdev->wiphy,
6250 					    NL80211_EXT_FEATURE_ENABLE_FTM_RESPONDER))
6251 			bcn->ftm_responder = 1;
6252 		else
6253 			return -EOPNOTSUPP;
6254 
6255 		if (tb[NL80211_FTM_RESP_ATTR_LCI]) {
6256 			bcn->lci = nla_data(tb[NL80211_FTM_RESP_ATTR_LCI]);
6257 			bcn->lci_len = nla_len(tb[NL80211_FTM_RESP_ATTR_LCI]);
6258 		}
6259 
6260 		if (tb[NL80211_FTM_RESP_ATTR_CIVICLOC]) {
6261 			bcn->civicloc = nla_data(tb[NL80211_FTM_RESP_ATTR_CIVICLOC]);
6262 			bcn->civicloc_len = nla_len(tb[NL80211_FTM_RESP_ATTR_CIVICLOC]);
6263 		}
6264 	} else {
6265 		bcn->ftm_responder = -1;
6266 	}
6267 
6268 	if (attrs[NL80211_ATTR_HE_BSS_COLOR]) {
6269 		err = nl80211_parse_he_bss_color(attrs[NL80211_ATTR_HE_BSS_COLOR],
6270 						 &bcn->he_bss_color);
6271 		if (err)
6272 			return err;
6273 		bcn->he_bss_color_valid = true;
6274 	}
6275 
6276 	if (attrs[NL80211_ATTR_MBSSID_ELEMS]) {
6277 		struct cfg80211_mbssid_elems *mbssid =
6278 			nl80211_parse_mbssid_elems(&rdev->wiphy,
6279 						   attrs[NL80211_ATTR_MBSSID_ELEMS]);
6280 
6281 		if (IS_ERR(mbssid))
6282 			return PTR_ERR(mbssid);
6283 
6284 		bcn->mbssid_ies = mbssid;
6285 
6286 		if (bcn->mbssid_ies && attrs[NL80211_ATTR_EMA_RNR_ELEMS]) {
6287 			struct cfg80211_rnr_elems *rnr =
6288 				nl80211_parse_rnr_elems(&rdev->wiphy,
6289 							attrs[NL80211_ATTR_EMA_RNR_ELEMS],
6290 							extack);
6291 
6292 			if (IS_ERR(rnr))
6293 				return PTR_ERR(rnr);
6294 
6295 			if (rnr && rnr->cnt < bcn->mbssid_ies->cnt)
6296 				return -EINVAL;
6297 
6298 			bcn->rnr_ies = rnr;
6299 		}
6300 	}
6301 
6302 	return 0;
6303 }
6304 
6305 static int nl80211_parse_he_obss_pd(struct nlattr *attrs,
6306 				    struct ieee80211_he_obss_pd *he_obss_pd)
6307 {
6308 	struct nlattr *tb[NL80211_HE_OBSS_PD_ATTR_MAX + 1];
6309 	int err;
6310 
6311 	err = nla_parse_nested(tb, NL80211_HE_OBSS_PD_ATTR_MAX, attrs,
6312 			       he_obss_pd_policy, NULL);
6313 	if (err)
6314 		return err;
6315 
6316 	if (!tb[NL80211_HE_OBSS_PD_ATTR_SR_CTRL])
6317 		return -EINVAL;
6318 
6319 	he_obss_pd->sr_ctrl = nla_get_u8(tb[NL80211_HE_OBSS_PD_ATTR_SR_CTRL]);
6320 
6321 	if (tb[NL80211_HE_OBSS_PD_ATTR_MIN_OFFSET])
6322 		he_obss_pd->min_offset =
6323 			nla_get_u8(tb[NL80211_HE_OBSS_PD_ATTR_MIN_OFFSET]);
6324 	if (tb[NL80211_HE_OBSS_PD_ATTR_MAX_OFFSET])
6325 		he_obss_pd->max_offset =
6326 			nla_get_u8(tb[NL80211_HE_OBSS_PD_ATTR_MAX_OFFSET]);
6327 	if (tb[NL80211_HE_OBSS_PD_ATTR_NON_SRG_MAX_OFFSET])
6328 		he_obss_pd->non_srg_max_offset =
6329 			nla_get_u8(tb[NL80211_HE_OBSS_PD_ATTR_NON_SRG_MAX_OFFSET]);
6330 
6331 	if (he_obss_pd->min_offset > he_obss_pd->max_offset)
6332 		return -EINVAL;
6333 
6334 	if (tb[NL80211_HE_OBSS_PD_ATTR_BSS_COLOR_BITMAP])
6335 		memcpy(he_obss_pd->bss_color_bitmap,
6336 		       nla_data(tb[NL80211_HE_OBSS_PD_ATTR_BSS_COLOR_BITMAP]),
6337 		       sizeof(he_obss_pd->bss_color_bitmap));
6338 
6339 	if (tb[NL80211_HE_OBSS_PD_ATTR_PARTIAL_BSSID_BITMAP])
6340 		memcpy(he_obss_pd->partial_bssid_bitmap,
6341 		       nla_data(tb[NL80211_HE_OBSS_PD_ATTR_PARTIAL_BSSID_BITMAP]),
6342 		       sizeof(he_obss_pd->partial_bssid_bitmap));
6343 
6344 	he_obss_pd->enable = true;
6345 
6346 	return 0;
6347 }
6348 
6349 static int nl80211_parse_fils_discovery(struct cfg80211_registered_device *rdev,
6350 					struct nlattr *attrs,
6351 					struct cfg80211_fils_discovery *fd)
6352 {
6353 	struct nlattr *tb[NL80211_FILS_DISCOVERY_ATTR_MAX + 1];
6354 	int ret;
6355 
6356 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
6357 				     NL80211_EXT_FEATURE_FILS_DISCOVERY))
6358 		return -EINVAL;
6359 
6360 	ret = nla_parse_nested(tb, NL80211_FILS_DISCOVERY_ATTR_MAX, attrs,
6361 			       NULL, NULL);
6362 	if (ret)
6363 		return ret;
6364 
6365 	if (!tb[NL80211_FILS_DISCOVERY_ATTR_INT_MIN] &&
6366 	    !tb[NL80211_FILS_DISCOVERY_ATTR_INT_MAX] &&
6367 	    !tb[NL80211_FILS_DISCOVERY_ATTR_TMPL]) {
6368 		fd->update = true;
6369 		return 0;
6370 	}
6371 
6372 	if (!tb[NL80211_FILS_DISCOVERY_ATTR_INT_MIN] ||
6373 	    !tb[NL80211_FILS_DISCOVERY_ATTR_INT_MAX] ||
6374 	    !tb[NL80211_FILS_DISCOVERY_ATTR_TMPL])
6375 		return -EINVAL;
6376 
6377 	fd->tmpl_len = nla_len(tb[NL80211_FILS_DISCOVERY_ATTR_TMPL]);
6378 	fd->tmpl = nla_data(tb[NL80211_FILS_DISCOVERY_ATTR_TMPL]);
6379 	fd->min_interval = nla_get_u32(tb[NL80211_FILS_DISCOVERY_ATTR_INT_MIN]);
6380 	fd->max_interval = nla_get_u32(tb[NL80211_FILS_DISCOVERY_ATTR_INT_MAX]);
6381 	fd->update = true;
6382 	return 0;
6383 }
6384 
6385 static int
6386 nl80211_parse_unsol_bcast_probe_resp(struct cfg80211_registered_device *rdev,
6387 				     struct nlattr *attrs,
6388 				     struct cfg80211_unsol_bcast_probe_resp *presp)
6389 {
6390 	struct nlattr *tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_MAX + 1];
6391 	int ret;
6392 
6393 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
6394 				     NL80211_EXT_FEATURE_UNSOL_BCAST_PROBE_RESP))
6395 		return -EINVAL;
6396 
6397 	ret = nla_parse_nested(tb, NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_MAX,
6398 			       attrs, NULL, NULL);
6399 	if (ret)
6400 		return ret;
6401 
6402 	if (!tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_INT] &&
6403 	    !tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_TMPL]) {
6404 		presp->update = true;
6405 		return 0;
6406 	}
6407 
6408 	if (!tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_INT] ||
6409 	    !tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_TMPL])
6410 		return -EINVAL;
6411 
6412 	presp->tmpl = nla_data(tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_TMPL]);
6413 	presp->tmpl_len = nla_len(tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_TMPL]);
6414 	presp->interval = nla_get_u32(tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_INT]);
6415 	presp->update = true;
6416 	return 0;
6417 }
6418 
6419 static void nl80211_check_ap_rate_selectors(struct cfg80211_ap_settings *params,
6420 					    const struct element *rates)
6421 {
6422 	int i;
6423 
6424 	if (!rates)
6425 		return;
6426 
6427 	for (i = 0; i < rates->datalen; i++) {
6428 		if (rates->data[i] == BSS_MEMBERSHIP_SELECTOR_HT_PHY)
6429 			params->ht_required = true;
6430 		if (rates->data[i] == BSS_MEMBERSHIP_SELECTOR_VHT_PHY)
6431 			params->vht_required = true;
6432 		if (rates->data[i] == BSS_MEMBERSHIP_SELECTOR_HE_PHY)
6433 			params->he_required = true;
6434 		if (rates->data[i] == BSS_MEMBERSHIP_SELECTOR_SAE_H2E)
6435 			params->sae_h2e_required = true;
6436 	}
6437 }
6438 
6439 /*
6440  * Since the nl80211 API didn't include, from the beginning, attributes about
6441  * HT/VHT requirements/capabilities, we parse them out of the IEs for the
6442  * benefit of drivers that rebuild IEs in the firmware.
6443  */
6444 static int nl80211_calculate_ap_params(struct cfg80211_ap_settings *params)
6445 {
6446 	const struct cfg80211_beacon_data *bcn = &params->beacon;
6447 	size_t ies_len = bcn->tail_len;
6448 	const u8 *ies = bcn->tail;
6449 	const struct element *rates;
6450 	const struct element *cap;
6451 
6452 	rates = cfg80211_find_elem(WLAN_EID_SUPP_RATES, ies, ies_len);
6453 	nl80211_check_ap_rate_selectors(params, rates);
6454 
6455 	rates = cfg80211_find_elem(WLAN_EID_EXT_SUPP_RATES, ies, ies_len);
6456 	nl80211_check_ap_rate_selectors(params, rates);
6457 
6458 	cap = cfg80211_find_elem(WLAN_EID_HT_CAPABILITY, ies, ies_len);
6459 	if (cap && cap->datalen >= sizeof(*params->ht_cap))
6460 		params->ht_cap = (void *)cap->data;
6461 	cap = cfg80211_find_elem(WLAN_EID_VHT_CAPABILITY, ies, ies_len);
6462 	if (cap && cap->datalen >= sizeof(*params->vht_cap))
6463 		params->vht_cap = (void *)cap->data;
6464 	cap = cfg80211_find_ext_elem(WLAN_EID_EXT_HE_CAPABILITY, ies, ies_len);
6465 	if (cap && cap->datalen >= sizeof(*params->he_cap) + 1)
6466 		params->he_cap = (void *)(cap->data + 1);
6467 	cap = cfg80211_find_ext_elem(WLAN_EID_EXT_HE_OPERATION, ies, ies_len);
6468 	if (cap && cap->datalen >= sizeof(*params->he_oper) + 1)
6469 		params->he_oper = (void *)(cap->data + 1);
6470 	cap = cfg80211_find_ext_elem(WLAN_EID_EXT_EHT_CAPABILITY, ies, ies_len);
6471 	if (cap) {
6472 		if (!cap->datalen)
6473 			return -EINVAL;
6474 		params->eht_cap = (void *)(cap->data + 1);
6475 		if (!ieee80211_eht_capa_size_ok((const u8 *)params->he_cap,
6476 						(const u8 *)params->eht_cap,
6477 						cap->datalen - 1, true))
6478 			return -EINVAL;
6479 	}
6480 	cap = cfg80211_find_ext_elem(WLAN_EID_EXT_EHT_OPERATION, ies, ies_len);
6481 	if (cap) {
6482 		if (!cap->datalen)
6483 			return -EINVAL;
6484 		params->eht_oper = (void *)(cap->data + 1);
6485 		if (!ieee80211_eht_oper_size_ok((const u8 *)params->eht_oper,
6486 						cap->datalen - 1))
6487 			return -EINVAL;
6488 	}
6489 
6490 	cap = cfg80211_find_ext_elem(WLAN_EID_EXT_UHR_OPER, ies, ies_len);
6491 	if (cap) {
6492 		if (!cap->datalen)
6493 			return -EINVAL;
6494 		params->uhr_oper = (void *)(cap->data + 1);
6495 		if (!ieee80211_uhr_oper_size_ok((const u8 *)params->uhr_oper,
6496 						cap->datalen - 1, true))
6497 			return -EINVAL;
6498 	}
6499 
6500 	return 0;
6501 }
6502 
6503 static bool nl80211_get_ap_channel(struct cfg80211_registered_device *rdev,
6504 				   struct cfg80211_ap_settings *params)
6505 {
6506 	struct wireless_dev *wdev;
6507 
6508 	list_for_each_entry(wdev, &rdev->wiphy.wdev_list, list) {
6509 		if (wdev->iftype != NL80211_IFTYPE_AP &&
6510 		    wdev->iftype != NL80211_IFTYPE_P2P_GO)
6511 			continue;
6512 
6513 		if (!wdev->u.ap.preset_chandef.chan)
6514 			continue;
6515 
6516 		params->chandef = wdev->u.ap.preset_chandef;
6517 		return true;
6518 	}
6519 
6520 	return false;
6521 }
6522 
6523 static bool nl80211_valid_auth_type(struct cfg80211_registered_device *rdev,
6524 				    enum nl80211_auth_type auth_type,
6525 				    enum nl80211_commands cmd)
6526 {
6527 	if (auth_type > NL80211_AUTHTYPE_MAX)
6528 		return false;
6529 
6530 	switch (cmd) {
6531 	case NL80211_CMD_AUTHENTICATE:
6532 		if (!(rdev->wiphy.features & NL80211_FEATURE_SAE) &&
6533 		    auth_type == NL80211_AUTHTYPE_SAE)
6534 			return false;
6535 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
6536 					     NL80211_EXT_FEATURE_FILS_STA) &&
6537 		    (auth_type == NL80211_AUTHTYPE_FILS_SK ||
6538 		     auth_type == NL80211_AUTHTYPE_FILS_SK_PFS ||
6539 		     auth_type == NL80211_AUTHTYPE_FILS_PK))
6540 			return false;
6541 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
6542 					     NL80211_EXT_FEATURE_EPPKE) &&
6543 		    auth_type == NL80211_AUTHTYPE_EPPKE)
6544 			return false;
6545 		return true;
6546 	case NL80211_CMD_CONNECT:
6547 		if (!(rdev->wiphy.features & NL80211_FEATURE_SAE) &&
6548 		    !wiphy_ext_feature_isset(&rdev->wiphy,
6549 					     NL80211_EXT_FEATURE_SAE_OFFLOAD) &&
6550 		    auth_type == NL80211_AUTHTYPE_SAE)
6551 			return false;
6552 
6553 		/* FILS with SK PFS or PK not supported yet */
6554 		if (auth_type == NL80211_AUTHTYPE_FILS_SK_PFS ||
6555 		    auth_type == NL80211_AUTHTYPE_FILS_PK)
6556 			return false;
6557 		if (!wiphy_ext_feature_isset(
6558 			    &rdev->wiphy,
6559 			    NL80211_EXT_FEATURE_FILS_SK_OFFLOAD) &&
6560 		    auth_type == NL80211_AUTHTYPE_FILS_SK)
6561 			return false;
6562 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
6563 					     NL80211_EXT_FEATURE_EPPKE) &&
6564 		    auth_type == NL80211_AUTHTYPE_EPPKE)
6565 			return false;
6566 		return true;
6567 	case NL80211_CMD_START_AP:
6568 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
6569 					     NL80211_EXT_FEATURE_SAE_OFFLOAD_AP) &&
6570 		    auth_type == NL80211_AUTHTYPE_SAE)
6571 			return false;
6572 		/* FILS not supported yet */
6573 		if (auth_type == NL80211_AUTHTYPE_FILS_SK ||
6574 		    auth_type == NL80211_AUTHTYPE_FILS_SK_PFS ||
6575 		    auth_type == NL80211_AUTHTYPE_FILS_PK)
6576 			return false;
6577 		return true;
6578 	default:
6579 		return false;
6580 	}
6581 }
6582 
6583 static void nl80211_send_ap_started(struct wireless_dev *wdev,
6584 				    unsigned int link_id)
6585 {
6586 	struct wiphy *wiphy = wdev->wiphy;
6587 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
6588 	struct sk_buff *msg;
6589 	void *hdr;
6590 
6591 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
6592 	if (!msg)
6593 		return;
6594 
6595 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_START_AP);
6596 	if (!hdr)
6597 		goto out;
6598 
6599 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
6600 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, wdev->netdev->ifindex) ||
6601 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
6602 			      NL80211_ATTR_PAD) ||
6603 	    (wdev->u.ap.ssid_len &&
6604 	     nla_put(msg, NL80211_ATTR_SSID, wdev->u.ap.ssid_len,
6605 		     wdev->u.ap.ssid)) ||
6606 	    (wdev->valid_links &&
6607 	     nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID, link_id)))
6608 		goto out;
6609 
6610 	genlmsg_end(msg, hdr);
6611 
6612 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(wiphy), msg, 0,
6613 				NL80211_MCGRP_MLME, GFP_KERNEL);
6614 	return;
6615 out:
6616 	nlmsg_free(msg);
6617 }
6618 
6619 static int nl80211_validate_ap_phy_operation(struct cfg80211_ap_settings *params)
6620 {
6621 	struct ieee80211_channel *channel = params->chandef.chan;
6622 
6623 	if ((params->he_cap ||  params->he_oper) &&
6624 	    (channel->flags & IEEE80211_CHAN_NO_HE))
6625 		return -EOPNOTSUPP;
6626 
6627 	if ((params->eht_cap || params->eht_oper) &&
6628 	    (channel->flags & IEEE80211_CHAN_NO_EHT))
6629 		return -EOPNOTSUPP;
6630 
6631 	if (params->uhr_oper && (channel->flags & IEEE80211_CHAN_NO_UHR))
6632 		return -EOPNOTSUPP;
6633 
6634 	return 0;
6635 }
6636 
6637 static int
6638 nl80211_parse_s1g_short_beacon(struct cfg80211_registered_device *rdev,
6639 			       struct nlattr *attrs,
6640 			       struct cfg80211_s1g_short_beacon *sb)
6641 {
6642 	struct nlattr *tb[NL80211_S1G_SHORT_BEACON_ATTR_MAX + 1];
6643 	int ret;
6644 
6645 	if (!rdev->wiphy.bands[NL80211_BAND_S1GHZ])
6646 		return -EINVAL;
6647 
6648 	ret = nla_parse_nested(tb, NL80211_S1G_SHORT_BEACON_ATTR_MAX, attrs,
6649 			       NULL, NULL);
6650 	if (ret)
6651 		return ret;
6652 
6653 	/* Short beacon tail is optional (i.e might only include the TIM) */
6654 	if (!tb[NL80211_S1G_SHORT_BEACON_ATTR_HEAD])
6655 		return -EINVAL;
6656 
6657 	sb->short_head = nla_data(tb[NL80211_S1G_SHORT_BEACON_ATTR_HEAD]);
6658 	sb->short_head_len = nla_len(tb[NL80211_S1G_SHORT_BEACON_ATTR_HEAD]);
6659 	sb->short_tail_len = 0;
6660 
6661 	if (tb[NL80211_S1G_SHORT_BEACON_ATTR_TAIL]) {
6662 		sb->short_tail =
6663 			nla_data(tb[NL80211_S1G_SHORT_BEACON_ATTR_TAIL]);
6664 		sb->short_tail_len =
6665 			nla_len(tb[NL80211_S1G_SHORT_BEACON_ATTR_TAIL]);
6666 	}
6667 
6668 	sb->update = true;
6669 	return 0;
6670 }
6671 
6672 static int nl80211_start_ap(struct sk_buff *skb, struct genl_info *info)
6673 {
6674 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6675 	struct cfg80211_beaconing_check_config beacon_check = {};
6676 	unsigned int link_id = nl80211_link_id(info->attrs);
6677 	struct net_device *dev = info->user_ptr[1];
6678 	struct wireless_dev *wdev = dev->ieee80211_ptr;
6679 	struct cfg80211_ap_settings *params;
6680 	int err;
6681 
6682 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
6683 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
6684 		return -EOPNOTSUPP;
6685 
6686 	if (!rdev->ops->start_ap)
6687 		return -EOPNOTSUPP;
6688 
6689 	if (wdev->links[link_id].cac_started)
6690 		return -EBUSY;
6691 
6692 	if (wdev->links[link_id].ap.beacon_interval)
6693 		return -EALREADY;
6694 
6695 	/* these are required for START_AP */
6696 	if (!info->attrs[NL80211_ATTR_BEACON_INTERVAL] ||
6697 	    !info->attrs[NL80211_ATTR_DTIM_PERIOD] ||
6698 	    !info->attrs[NL80211_ATTR_BEACON_HEAD])
6699 		return -EINVAL;
6700 
6701 	if (info->attrs[NL80211_ATTR_SMPS_MODE] &&
6702 	    nla_get_u8(info->attrs[NL80211_ATTR_SMPS_MODE]) != NL80211_SMPS_OFF)
6703 		return -EOPNOTSUPP;
6704 
6705 	params = kzalloc(sizeof(*params), GFP_KERNEL);
6706 	if (!params)
6707 		return -ENOMEM;
6708 
6709 	err = nl80211_parse_beacon(rdev, info->attrs, &params->beacon,
6710 				   info->extack);
6711 	if (err)
6712 		goto out;
6713 
6714 	params->beacon_interval =
6715 		nla_get_u32(info->attrs[NL80211_ATTR_BEACON_INTERVAL]);
6716 	params->dtim_period =
6717 		nla_get_u32(info->attrs[NL80211_ATTR_DTIM_PERIOD]);
6718 
6719 	err = cfg80211_validate_beacon_int(rdev, dev->ieee80211_ptr->iftype,
6720 					   params->beacon_interval);
6721 	if (err)
6722 		goto out;
6723 
6724 	/*
6725 	 * In theory, some of these attributes should be required here
6726 	 * but since they were not used when the command was originally
6727 	 * added, keep them optional for old user space programs to let
6728 	 * them continue to work with drivers that do not need the
6729 	 * additional information -- drivers must check!
6730 	 */
6731 	if (info->attrs[NL80211_ATTR_SSID]) {
6732 		params->ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
6733 		params->ssid_len =
6734 			nla_len(info->attrs[NL80211_ATTR_SSID]);
6735 		if (params->ssid_len == 0) {
6736 			err = -EINVAL;
6737 			goto out;
6738 		}
6739 
6740 		if (wdev->u.ap.ssid_len &&
6741 		    (wdev->u.ap.ssid_len != params->ssid_len ||
6742 		     memcmp(wdev->u.ap.ssid, params->ssid, params->ssid_len))) {
6743 			/* require identical SSID for MLO */
6744 			err = -EINVAL;
6745 			goto out;
6746 		}
6747 	} else if (wdev->valid_links) {
6748 		/* require SSID for MLO */
6749 		err = -EINVAL;
6750 		goto out;
6751 	}
6752 
6753 	if (info->attrs[NL80211_ATTR_HIDDEN_SSID])
6754 		params->hidden_ssid = nla_get_u32(
6755 			info->attrs[NL80211_ATTR_HIDDEN_SSID]);
6756 
6757 	params->privacy = !!info->attrs[NL80211_ATTR_PRIVACY];
6758 
6759 	if (info->attrs[NL80211_ATTR_AUTH_TYPE]) {
6760 		params->auth_type = nla_get_u32(
6761 			info->attrs[NL80211_ATTR_AUTH_TYPE]);
6762 		if (!nl80211_valid_auth_type(rdev, params->auth_type,
6763 					     NL80211_CMD_START_AP)) {
6764 			err = -EINVAL;
6765 			goto out;
6766 		}
6767 	} else
6768 		params->auth_type = NL80211_AUTHTYPE_AUTOMATIC;
6769 
6770 	err = nl80211_crypto_settings(rdev, info, &params->crypto,
6771 				      NL80211_MAX_NR_CIPHER_SUITES);
6772 	if (err)
6773 		goto out;
6774 
6775 	if (info->attrs[NL80211_ATTR_INACTIVITY_TIMEOUT]) {
6776 		if (!(rdev->wiphy.features & NL80211_FEATURE_INACTIVITY_TIMER)) {
6777 			err = -EOPNOTSUPP;
6778 			goto out;
6779 		}
6780 		params->inactivity_timeout = nla_get_u16(
6781 			info->attrs[NL80211_ATTR_INACTIVITY_TIMEOUT]);
6782 	}
6783 
6784 	if (info->attrs[NL80211_ATTR_P2P_CTWINDOW]) {
6785 		if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO) {
6786 			err = -EINVAL;
6787 			goto out;
6788 		}
6789 		params->p2p_ctwindow =
6790 			nla_get_u8(info->attrs[NL80211_ATTR_P2P_CTWINDOW]);
6791 		if (params->p2p_ctwindow != 0 &&
6792 		    !(rdev->wiphy.features & NL80211_FEATURE_P2P_GO_CTWIN)) {
6793 			err = -EINVAL;
6794 			goto out;
6795 		}
6796 	}
6797 
6798 	if (info->attrs[NL80211_ATTR_P2P_OPPPS]) {
6799 		u8 tmp;
6800 
6801 		if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO) {
6802 			err = -EINVAL;
6803 			goto out;
6804 		}
6805 		tmp = nla_get_u8(info->attrs[NL80211_ATTR_P2P_OPPPS]);
6806 		params->p2p_opp_ps = tmp;
6807 		if (params->p2p_opp_ps != 0 &&
6808 		    !(rdev->wiphy.features & NL80211_FEATURE_P2P_GO_OPPPS)) {
6809 			err = -EINVAL;
6810 			goto out;
6811 		}
6812 	}
6813 
6814 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
6815 		err = nl80211_parse_chandef(rdev, info, &params->chandef);
6816 		if (err)
6817 			goto out;
6818 	} else if (wdev->valid_links) {
6819 		/* with MLD need to specify the channel configuration */
6820 		err = -EINVAL;
6821 		goto out;
6822 	} else if (wdev->u.ap.preset_chandef.chan) {
6823 		params->chandef = wdev->u.ap.preset_chandef;
6824 	} else if (!nl80211_get_ap_channel(rdev, params)) {
6825 		err = -EINVAL;
6826 		goto out;
6827 	}
6828 
6829 	beacon_check.iftype = wdev->iftype;
6830 	beacon_check.relax = true;
6831 	beacon_check.reg_power =
6832 		cfg80211_get_6ghz_power_type(params->beacon.tail,
6833 					     params->beacon.tail_len, 0);
6834 	if (!cfg80211_reg_check_beaconing(&rdev->wiphy, &params->chandef,
6835 					  &beacon_check)) {
6836 		err = -EINVAL;
6837 		goto out;
6838 	}
6839 
6840 	if (info->attrs[NL80211_ATTR_TX_RATES]) {
6841 		err = nl80211_parse_tx_bitrate_mask(info, info->attrs,
6842 						    NL80211_ATTR_TX_RATES,
6843 						    &params->beacon_rate,
6844 						    dev, false, link_id);
6845 		if (err)
6846 			goto out;
6847 
6848 		err = validate_beacon_tx_rate(rdev, params->chandef.chan->band,
6849 					      &params->beacon_rate);
6850 		if (err)
6851 			goto out;
6852 	}
6853 
6854 	params->pbss = nla_get_flag(info->attrs[NL80211_ATTR_PBSS]);
6855 	if (params->pbss && !rdev->wiphy.bands[NL80211_BAND_60GHZ]) {
6856 		err = -EOPNOTSUPP;
6857 		goto out;
6858 	}
6859 
6860 	if (info->attrs[NL80211_ATTR_ACL_POLICY]) {
6861 		params->acl = parse_acl_data(&rdev->wiphy, info);
6862 		if (IS_ERR(params->acl)) {
6863 			err = PTR_ERR(params->acl);
6864 			params->acl = NULL;
6865 			goto out;
6866 		}
6867 	}
6868 
6869 	params->twt_responder =
6870 		    nla_get_flag(info->attrs[NL80211_ATTR_TWT_RESPONDER]);
6871 
6872 	if (info->attrs[NL80211_ATTR_HE_OBSS_PD]) {
6873 		err = nl80211_parse_he_obss_pd(
6874 					info->attrs[NL80211_ATTR_HE_OBSS_PD],
6875 					&params->he_obss_pd);
6876 		if (err)
6877 			goto out;
6878 	}
6879 
6880 	if (info->attrs[NL80211_ATTR_FILS_DISCOVERY]) {
6881 		err = nl80211_parse_fils_discovery(rdev,
6882 						   info->attrs[NL80211_ATTR_FILS_DISCOVERY],
6883 						   &params->fils_discovery);
6884 		if (err)
6885 			goto out;
6886 	}
6887 
6888 	if (info->attrs[NL80211_ATTR_UNSOL_BCAST_PROBE_RESP]) {
6889 		err = nl80211_parse_unsol_bcast_probe_resp(
6890 			rdev, info->attrs[NL80211_ATTR_UNSOL_BCAST_PROBE_RESP],
6891 			&params->unsol_bcast_probe_resp);
6892 		if (err)
6893 			goto out;
6894 	}
6895 
6896 	if (info->attrs[NL80211_ATTR_MBSSID_CONFIG]) {
6897 		err = nl80211_parse_mbssid_config(&rdev->wiphy, dev, link_id,
6898 						  info->attrs[NL80211_ATTR_MBSSID_CONFIG],
6899 						  &params->mbssid_config,
6900 						  params->beacon.mbssid_ies ?
6901 							params->beacon.mbssid_ies->cnt :
6902 							0);
6903 		if (err)
6904 			goto out;
6905 	}
6906 
6907 	if (!params->mbssid_config.ema && params->beacon.rnr_ies) {
6908 		err = -EINVAL;
6909 		goto out;
6910 	}
6911 
6912 	if (info->attrs[NL80211_ATTR_S1G_SHORT_BEACON]) {
6913 		if (!info->attrs[NL80211_ATTR_S1G_LONG_BEACON_PERIOD]) {
6914 			err = -EINVAL;
6915 			goto out;
6916 		}
6917 
6918 		params->s1g_long_beacon_period = nla_get_u8(
6919 			info->attrs[NL80211_ATTR_S1G_LONG_BEACON_PERIOD]);
6920 
6921 		err = nl80211_parse_s1g_short_beacon(
6922 			rdev, info->attrs[NL80211_ATTR_S1G_SHORT_BEACON],
6923 			&params->s1g_short_beacon);
6924 		if (err)
6925 			goto out;
6926 	}
6927 
6928 	err = nl80211_calculate_ap_params(params);
6929 	if (err)
6930 		goto out;
6931 
6932 	err = nl80211_validate_ap_phy_operation(params);
6933 	if (err)
6934 		goto out;
6935 
6936 	if (info->attrs[NL80211_ATTR_AP_SETTINGS_FLAGS])
6937 		params->flags = nla_get_u32(
6938 			info->attrs[NL80211_ATTR_AP_SETTINGS_FLAGS]);
6939 	else if (info->attrs[NL80211_ATTR_EXTERNAL_AUTH_SUPPORT])
6940 		params->flags |= NL80211_AP_SETTINGS_EXTERNAL_AUTH_SUPPORT;
6941 
6942 	if (wdev->conn_owner_nlportid &&
6943 	    info->attrs[NL80211_ATTR_SOCKET_OWNER] &&
6944 	    wdev->conn_owner_nlportid != info->snd_portid) {
6945 		err = -EINVAL;
6946 		goto out;
6947 	}
6948 
6949 	/* FIXME: validate MLO/link-id against driver capabilities */
6950 
6951 	err = rdev_start_ap(rdev, dev, params);
6952 	if (!err) {
6953 		wdev->links[link_id].ap.beacon_interval = params->beacon_interval;
6954 		wdev->links[link_id].ap.chandef = params->chandef;
6955 		wdev->u.ap.ssid_len = params->ssid_len;
6956 		memcpy(wdev->u.ap.ssid, params->ssid,
6957 		       params->ssid_len);
6958 
6959 		if (info->attrs[NL80211_ATTR_SOCKET_OWNER])
6960 			wdev->conn_owner_nlportid = info->snd_portid;
6961 
6962 		nl80211_send_ap_started(wdev, link_id);
6963 	}
6964 out:
6965 	kfree(params->acl);
6966 	kfree(params->beacon.mbssid_ies);
6967 	if (params->mbssid_config.tx_wdev &&
6968 	    params->mbssid_config.tx_wdev->netdev &&
6969 	    params->mbssid_config.tx_wdev->netdev != dev)
6970 		dev_put(params->mbssid_config.tx_wdev->netdev);
6971 	kfree(params->beacon.rnr_ies);
6972 	kfree(params);
6973 
6974 	return err;
6975 }
6976 
6977 static int nl80211_set_beacon(struct sk_buff *skb, struct genl_info *info)
6978 {
6979 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6980 	struct cfg80211_beaconing_check_config beacon_check = {};
6981 	unsigned int link_id = nl80211_link_id(info->attrs);
6982 	struct net_device *dev = info->user_ptr[1];
6983 	struct wireless_dev *wdev = dev->ieee80211_ptr;
6984 	struct cfg80211_ap_update *params;
6985 	struct nlattr *attr;
6986 	int err;
6987 
6988 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
6989 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
6990 		return -EOPNOTSUPP;
6991 
6992 	if (!rdev->ops->change_beacon)
6993 		return -EOPNOTSUPP;
6994 
6995 	if (!wdev->links[link_id].ap.beacon_interval)
6996 		return -EINVAL;
6997 
6998 	params = kzalloc(sizeof(*params), GFP_KERNEL);
6999 	if (!params)
7000 		return -ENOMEM;
7001 
7002 	err = nl80211_parse_beacon(rdev, info->attrs, &params->beacon,
7003 				   info->extack);
7004 	if (err)
7005 		goto out;
7006 
7007 	/* recheck beaconing is permitted with possibly changed power type */
7008 	beacon_check.iftype = wdev->iftype;
7009 	beacon_check.relax = true;
7010 	beacon_check.reg_power =
7011 		cfg80211_get_6ghz_power_type(params->beacon.tail,
7012 					     params->beacon.tail_len, 0);
7013 	if (!cfg80211_reg_check_beaconing(&rdev->wiphy,
7014 					  &wdev->links[link_id].ap.chandef,
7015 					  &beacon_check)) {
7016 		err = -EINVAL;
7017 		goto out;
7018 	}
7019 
7020 	attr = info->attrs[NL80211_ATTR_FILS_DISCOVERY];
7021 	if (attr) {
7022 		err = nl80211_parse_fils_discovery(rdev, attr,
7023 						   &params->fils_discovery);
7024 		if (err)
7025 			goto out;
7026 	}
7027 
7028 	attr = info->attrs[NL80211_ATTR_UNSOL_BCAST_PROBE_RESP];
7029 	if (attr) {
7030 		err = nl80211_parse_unsol_bcast_probe_resp(rdev, attr,
7031 							   &params->unsol_bcast_probe_resp);
7032 		if (err)
7033 			goto out;
7034 	}
7035 
7036 	attr = info->attrs[NL80211_ATTR_S1G_SHORT_BEACON];
7037 	if (attr) {
7038 		err = nl80211_parse_s1g_short_beacon(rdev, attr,
7039 						     &params->s1g_short_beacon);
7040 		if (err)
7041 			goto out;
7042 	}
7043 
7044 	err = rdev_change_beacon(rdev, dev, params);
7045 
7046 out:
7047 	kfree(params->beacon.mbssid_ies);
7048 	kfree(params->beacon.rnr_ies);
7049 	kfree(params);
7050 	return err;
7051 }
7052 
7053 static int nl80211_stop_ap(struct sk_buff *skb, struct genl_info *info)
7054 {
7055 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7056 	unsigned int link_id = nl80211_link_id(info->attrs);
7057 	struct net_device *dev = info->user_ptr[1];
7058 
7059 	return cfg80211_stop_ap(rdev, dev, link_id, false);
7060 }
7061 
7062 static const struct nla_policy sta_flags_policy[NL80211_STA_FLAG_MAX + 1] = {
7063 	[NL80211_STA_FLAG_AUTHORIZED] = { .type = NLA_FLAG },
7064 	[NL80211_STA_FLAG_SHORT_PREAMBLE] = { .type = NLA_FLAG },
7065 	[NL80211_STA_FLAG_WME] = { .type = NLA_FLAG },
7066 	[NL80211_STA_FLAG_MFP] = { .type = NLA_FLAG },
7067 	[NL80211_STA_FLAG_AUTHENTICATED] = { .type = NLA_FLAG },
7068 	[NL80211_STA_FLAG_TDLS_PEER] = { .type = NLA_FLAG },
7069 };
7070 
7071 static int parse_station_flags(struct genl_info *info,
7072 			       enum nl80211_iftype iftype,
7073 			       struct station_parameters *params)
7074 {
7075 	struct nlattr *flags[NL80211_STA_FLAG_MAX + 1];
7076 	struct nlattr *nla;
7077 	int flag;
7078 
7079 	/*
7080 	 * Try parsing the new attribute first so userspace
7081 	 * can specify both for older kernels.
7082 	 */
7083 	nla = info->attrs[NL80211_ATTR_STA_FLAGS2];
7084 	if (nla) {
7085 		struct nl80211_sta_flag_update *sta_flags;
7086 
7087 		sta_flags = nla_data(nla);
7088 		params->sta_flags_mask = sta_flags->mask;
7089 		params->sta_flags_set = sta_flags->set;
7090 		params->sta_flags_set &= params->sta_flags_mask;
7091 		if ((params->sta_flags_mask |
7092 		     params->sta_flags_set) & BIT(__NL80211_STA_FLAG_INVALID))
7093 			return -EINVAL;
7094 		return 0;
7095 	}
7096 
7097 	/* if present, parse the old attribute */
7098 
7099 	nla = info->attrs[NL80211_ATTR_STA_FLAGS];
7100 	if (!nla)
7101 		return 0;
7102 
7103 	if (nla_parse_nested_deprecated(flags, NL80211_STA_FLAG_MAX, nla, sta_flags_policy, info->extack))
7104 		return -EINVAL;
7105 
7106 	/*
7107 	 * Only allow certain flags for interface types so that
7108 	 * other attributes are silently ignored. Remember that
7109 	 * this is backward compatibility code with old userspace
7110 	 * and shouldn't be hit in other cases anyway.
7111 	 */
7112 	switch (iftype) {
7113 	case NL80211_IFTYPE_AP:
7114 	case NL80211_IFTYPE_AP_VLAN:
7115 	case NL80211_IFTYPE_P2P_GO:
7116 		params->sta_flags_mask = BIT(NL80211_STA_FLAG_AUTHORIZED) |
7117 					 BIT(NL80211_STA_FLAG_SHORT_PREAMBLE) |
7118 					 BIT(NL80211_STA_FLAG_WME) |
7119 					 BIT(NL80211_STA_FLAG_MFP);
7120 		break;
7121 	case NL80211_IFTYPE_P2P_CLIENT:
7122 	case NL80211_IFTYPE_STATION:
7123 		params->sta_flags_mask = BIT(NL80211_STA_FLAG_AUTHORIZED) |
7124 					 BIT(NL80211_STA_FLAG_TDLS_PEER);
7125 		break;
7126 	case NL80211_IFTYPE_MESH_POINT:
7127 		params->sta_flags_mask = BIT(NL80211_STA_FLAG_AUTHENTICATED) |
7128 					 BIT(NL80211_STA_FLAG_MFP) |
7129 					 BIT(NL80211_STA_FLAG_AUTHORIZED);
7130 		break;
7131 	default:
7132 		return -EINVAL;
7133 	}
7134 
7135 	for (flag = 1; flag <= NL80211_STA_FLAG_MAX; flag++) {
7136 		if (flags[flag]) {
7137 			params->sta_flags_set |= (1<<flag);
7138 
7139 			/* no longer support new API additions in old API */
7140 			if (flag > NL80211_STA_FLAG_MAX_OLD_API)
7141 				return -EINVAL;
7142 		}
7143 	}
7144 
7145 	return 0;
7146 }
7147 
7148 bool nl80211_put_sta_rate(struct sk_buff *msg, struct rate_info *info, int attr)
7149 {
7150 	struct nlattr *rate;
7151 	u32 bitrate;
7152 	u16 bitrate_compat;
7153 	enum nl80211_rate_info rate_flg;
7154 
7155 	rate = nla_nest_start_noflag(msg, attr);
7156 	if (!rate)
7157 		return false;
7158 
7159 	/* cfg80211_calculate_bitrate will return 0 for mcs >= 32 */
7160 	bitrate = cfg80211_calculate_bitrate(info);
7161 	/* report 16-bit bitrate only if we can */
7162 	bitrate_compat = bitrate < (1UL << 16) ? bitrate : 0;
7163 	if (bitrate > 0 &&
7164 	    nla_put_u32(msg, NL80211_RATE_INFO_BITRATE32, bitrate))
7165 		return false;
7166 	if (bitrate_compat > 0 &&
7167 	    nla_put_u16(msg, NL80211_RATE_INFO_BITRATE, bitrate_compat))
7168 		return false;
7169 
7170 	switch (info->bw) {
7171 	case RATE_INFO_BW_1:
7172 		rate_flg = NL80211_RATE_INFO_1_MHZ_WIDTH;
7173 		break;
7174 	case RATE_INFO_BW_2:
7175 		rate_flg = NL80211_RATE_INFO_2_MHZ_WIDTH;
7176 		break;
7177 	case RATE_INFO_BW_4:
7178 		rate_flg = NL80211_RATE_INFO_4_MHZ_WIDTH;
7179 		break;
7180 	case RATE_INFO_BW_5:
7181 		rate_flg = NL80211_RATE_INFO_5_MHZ_WIDTH;
7182 		break;
7183 	case RATE_INFO_BW_8:
7184 		rate_flg = NL80211_RATE_INFO_8_MHZ_WIDTH;
7185 		break;
7186 	case RATE_INFO_BW_10:
7187 		rate_flg = NL80211_RATE_INFO_10_MHZ_WIDTH;
7188 		break;
7189 	case RATE_INFO_BW_16:
7190 		rate_flg = NL80211_RATE_INFO_16_MHZ_WIDTH;
7191 		break;
7192 	default:
7193 		WARN_ON(1);
7194 		fallthrough;
7195 	case RATE_INFO_BW_20:
7196 		rate_flg = 0;
7197 		break;
7198 	case RATE_INFO_BW_40:
7199 		rate_flg = NL80211_RATE_INFO_40_MHZ_WIDTH;
7200 		break;
7201 	case RATE_INFO_BW_80:
7202 		rate_flg = NL80211_RATE_INFO_80_MHZ_WIDTH;
7203 		break;
7204 	case RATE_INFO_BW_160:
7205 		rate_flg = NL80211_RATE_INFO_160_MHZ_WIDTH;
7206 		break;
7207 	case RATE_INFO_BW_HE_RU:
7208 		rate_flg = 0;
7209 		WARN_ON(!(info->flags & RATE_INFO_FLAGS_HE_MCS));
7210 		break;
7211 	case RATE_INFO_BW_320:
7212 		rate_flg = NL80211_RATE_INFO_320_MHZ_WIDTH;
7213 		break;
7214 	case RATE_INFO_BW_EHT_RU:
7215 		rate_flg = 0;
7216 		WARN_ON(!(info->flags & RATE_INFO_FLAGS_EHT_MCS) &&
7217 			!(info->flags & RATE_INFO_FLAGS_UHR_MCS));
7218 		break;
7219 	}
7220 
7221 	if (rate_flg && nla_put_flag(msg, rate_flg))
7222 		return false;
7223 
7224 	if (info->flags & RATE_INFO_FLAGS_MCS) {
7225 		if (nla_put_u8(msg, NL80211_RATE_INFO_MCS, info->mcs))
7226 			return false;
7227 		if (info->flags & RATE_INFO_FLAGS_SHORT_GI &&
7228 		    nla_put_flag(msg, NL80211_RATE_INFO_SHORT_GI))
7229 			return false;
7230 	} else if (info->flags & RATE_INFO_FLAGS_VHT_MCS) {
7231 		if (nla_put_u8(msg, NL80211_RATE_INFO_VHT_MCS, info->mcs))
7232 			return false;
7233 		if (nla_put_u8(msg, NL80211_RATE_INFO_VHT_NSS, info->nss))
7234 			return false;
7235 		if (info->flags & RATE_INFO_FLAGS_SHORT_GI &&
7236 		    nla_put_flag(msg, NL80211_RATE_INFO_SHORT_GI))
7237 			return false;
7238 	} else if (info->flags & RATE_INFO_FLAGS_HE_MCS) {
7239 		if (nla_put_u8(msg, NL80211_RATE_INFO_HE_MCS, info->mcs))
7240 			return false;
7241 		if (nla_put_u8(msg, NL80211_RATE_INFO_HE_NSS, info->nss))
7242 			return false;
7243 		if (nla_put_u8(msg, NL80211_RATE_INFO_HE_GI, info->he_gi))
7244 			return false;
7245 		if (nla_put_u8(msg, NL80211_RATE_INFO_HE_DCM, info->he_dcm))
7246 			return false;
7247 		if (info->bw == RATE_INFO_BW_HE_RU &&
7248 		    nla_put_u8(msg, NL80211_RATE_INFO_HE_RU_ALLOC,
7249 			       info->he_ru_alloc))
7250 			return false;
7251 	} else if (info->flags & RATE_INFO_FLAGS_S1G_MCS) {
7252 		if (nla_put_u8(msg, NL80211_RATE_INFO_S1G_MCS, info->mcs))
7253 			return false;
7254 		if (nla_put_u8(msg, NL80211_RATE_INFO_S1G_NSS, info->nss))
7255 			return false;
7256 		if (info->flags & RATE_INFO_FLAGS_SHORT_GI &&
7257 		    nla_put_flag(msg, NL80211_RATE_INFO_SHORT_GI))
7258 			return false;
7259 	} else if (info->flags & RATE_INFO_FLAGS_EHT_MCS) {
7260 		if (nla_put_u8(msg, NL80211_RATE_INFO_EHT_MCS, info->mcs))
7261 			return false;
7262 		if (nla_put_u8(msg, NL80211_RATE_INFO_EHT_NSS, info->nss))
7263 			return false;
7264 		if (nla_put_u8(msg, NL80211_RATE_INFO_EHT_GI, info->eht_gi))
7265 			return false;
7266 		if (info->bw == RATE_INFO_BW_EHT_RU &&
7267 		    nla_put_u8(msg, NL80211_RATE_INFO_EHT_RU_ALLOC,
7268 			       info->eht_ru_alloc))
7269 			return false;
7270 	} else if (info->flags & RATE_INFO_FLAGS_UHR_MCS) {
7271 		if (nla_put_u8(msg, NL80211_RATE_INFO_UHR_MCS, info->mcs))
7272 			return false;
7273 		if (nla_put_u8(msg, NL80211_RATE_INFO_EHT_NSS, info->nss))
7274 			return false;
7275 		if (nla_put_u8(msg, NL80211_RATE_INFO_EHT_GI, info->eht_gi))
7276 			return false;
7277 		if (info->bw == RATE_INFO_BW_EHT_RU &&
7278 		    nla_put_u8(msg, NL80211_RATE_INFO_EHT_RU_ALLOC,
7279 			       info->eht_ru_alloc))
7280 			return false;
7281 		if (info->flags & RATE_INFO_FLAGS_UHR_ELR_MCS &&
7282 		    nla_put_flag(msg, NL80211_RATE_INFO_UHR_ELR))
7283 			return false;
7284 		if (info->flags & RATE_INFO_FLAGS_UHR_IM &&
7285 		    nla_put_flag(msg, NL80211_RATE_INFO_UHR_IM))
7286 			return false;
7287 	}
7288 
7289 	nla_nest_end(msg, rate);
7290 	return true;
7291 }
7292 
7293 static bool nl80211_put_signal(struct sk_buff *msg, u8 mask, s8 *signal,
7294 			       int id)
7295 {
7296 	void *attr;
7297 	int i = 0;
7298 
7299 	if (!mask)
7300 		return true;
7301 
7302 	attr = nla_nest_start_noflag(msg, id);
7303 	if (!attr)
7304 		return false;
7305 
7306 	for (i = 0; i < IEEE80211_MAX_CHAINS; i++) {
7307 		if (!(mask & BIT(i)))
7308 			continue;
7309 
7310 		if (nla_put_u8(msg, i, signal[i]))
7311 			return false;
7312 	}
7313 
7314 	nla_nest_end(msg, attr);
7315 
7316 	return true;
7317 }
7318 
7319 static int nl80211_fill_link_station(struct sk_buff *msg,
7320 				     struct cfg80211_registered_device *rdev,
7321 				     struct link_station_info *link_sinfo)
7322 {
7323 	struct nlattr *bss_param, *link_sinfoattr;
7324 
7325 #define PUT_LINK_SINFO(attr, memb, type) do {				\
7326 	BUILD_BUG_ON(sizeof(type) == sizeof(u64));			\
7327 	if (link_sinfo->filled & BIT_ULL(NL80211_STA_INFO_ ## attr) &&	\
7328 	    nla_put_ ## type(msg, NL80211_STA_INFO_ ## attr,		\
7329 			     link_sinfo->memb))				\
7330 		goto nla_put_failure;					\
7331 	} while (0)
7332 #define PUT_LINK_SINFO_U64(attr, memb) do {				\
7333 	if (link_sinfo->filled & BIT_ULL(NL80211_STA_INFO_ ## attr) &&	\
7334 	    nla_put_u64_64bit(msg, NL80211_STA_INFO_ ## attr,		\
7335 			      link_sinfo->memb, NL80211_STA_INFO_PAD))	\
7336 		goto nla_put_failure;					\
7337 	} while (0)
7338 
7339 	link_sinfoattr = nla_nest_start_noflag(msg, NL80211_ATTR_STA_INFO);
7340 	if (!link_sinfoattr)
7341 		goto nla_put_failure;
7342 
7343 	PUT_LINK_SINFO(INACTIVE_TIME, inactive_time, u32);
7344 
7345 	if (link_sinfo->filled & (BIT_ULL(NL80211_STA_INFO_RX_BYTES) |
7346 			     BIT_ULL(NL80211_STA_INFO_RX_BYTES64)) &&
7347 	    nla_put_u32(msg, NL80211_STA_INFO_RX_BYTES,
7348 			(u32)link_sinfo->rx_bytes))
7349 		goto nla_put_failure;
7350 
7351 	if (link_sinfo->filled & (BIT_ULL(NL80211_STA_INFO_TX_BYTES) |
7352 			     BIT_ULL(NL80211_STA_INFO_TX_BYTES64)) &&
7353 	    nla_put_u32(msg, NL80211_STA_INFO_TX_BYTES,
7354 			(u32)link_sinfo->tx_bytes))
7355 		goto nla_put_failure;
7356 
7357 	PUT_LINK_SINFO_U64(RX_BYTES64, rx_bytes);
7358 	PUT_LINK_SINFO_U64(TX_BYTES64, tx_bytes);
7359 	PUT_LINK_SINFO_U64(RX_DURATION, rx_duration);
7360 	PUT_LINK_SINFO_U64(TX_DURATION, tx_duration);
7361 
7362 	if (wiphy_ext_feature_isset(&rdev->wiphy,
7363 				    NL80211_EXT_FEATURE_AIRTIME_FAIRNESS))
7364 		PUT_LINK_SINFO(AIRTIME_WEIGHT, airtime_weight, u16);
7365 
7366 	switch (rdev->wiphy.signal_type) {
7367 	case CFG80211_SIGNAL_TYPE_MBM:
7368 		PUT_LINK_SINFO(SIGNAL, signal, u8);
7369 		PUT_LINK_SINFO(SIGNAL_AVG, signal_avg, u8);
7370 		break;
7371 	default:
7372 		break;
7373 	}
7374 	if (link_sinfo->filled & BIT_ULL(NL80211_STA_INFO_CHAIN_SIGNAL)) {
7375 		if (!nl80211_put_signal(msg, link_sinfo->chains,
7376 					link_sinfo->chain_signal,
7377 					NL80211_STA_INFO_CHAIN_SIGNAL))
7378 			goto nla_put_failure;
7379 	}
7380 	if (link_sinfo->filled & BIT_ULL(NL80211_STA_INFO_CHAIN_SIGNAL_AVG)) {
7381 		if (!nl80211_put_signal(msg, link_sinfo->chains,
7382 					link_sinfo->chain_signal_avg,
7383 					NL80211_STA_INFO_CHAIN_SIGNAL_AVG))
7384 			goto nla_put_failure;
7385 	}
7386 	if (link_sinfo->filled & BIT_ULL(NL80211_STA_INFO_TX_BITRATE)) {
7387 		if (!nl80211_put_sta_rate(msg, &link_sinfo->txrate,
7388 					  NL80211_STA_INFO_TX_BITRATE))
7389 			goto nla_put_failure;
7390 	}
7391 	if (link_sinfo->filled & BIT_ULL(NL80211_STA_INFO_RX_BITRATE)) {
7392 		if (!nl80211_put_sta_rate(msg, &link_sinfo->rxrate,
7393 					  NL80211_STA_INFO_RX_BITRATE))
7394 			goto nla_put_failure;
7395 	}
7396 
7397 	PUT_LINK_SINFO(RX_PACKETS, rx_packets, u32);
7398 	PUT_LINK_SINFO(TX_PACKETS, tx_packets, u32);
7399 	PUT_LINK_SINFO(TX_RETRIES, tx_retries, u32);
7400 	PUT_LINK_SINFO(TX_FAILED, tx_failed, u32);
7401 	PUT_LINK_SINFO(EXPECTED_THROUGHPUT, expected_throughput, u32);
7402 	PUT_LINK_SINFO(BEACON_LOSS, beacon_loss_count, u32);
7403 
7404 	if (link_sinfo->filled & BIT_ULL(NL80211_STA_INFO_BSS_PARAM)) {
7405 		bss_param = nla_nest_start_noflag(msg,
7406 						  NL80211_STA_INFO_BSS_PARAM);
7407 		if (!bss_param)
7408 			goto nla_put_failure;
7409 
7410 		if (((link_sinfo->bss_param.flags &
7411 		      BSS_PARAM_FLAGS_CTS_PROT) &&
7412 		     nla_put_flag(msg, NL80211_STA_BSS_PARAM_CTS_PROT)) ||
7413 		    ((link_sinfo->bss_param.flags &
7414 		      BSS_PARAM_FLAGS_SHORT_PREAMBLE) &&
7415 		     nla_put_flag(msg,
7416 				  NL80211_STA_BSS_PARAM_SHORT_PREAMBLE)) ||
7417 		    ((link_sinfo->bss_param.flags &
7418 		      BSS_PARAM_FLAGS_SHORT_SLOT_TIME) &&
7419 		     nla_put_flag(msg,
7420 				  NL80211_STA_BSS_PARAM_SHORT_SLOT_TIME)) ||
7421 		    nla_put_u8(msg, NL80211_STA_BSS_PARAM_DTIM_PERIOD,
7422 			       link_sinfo->bss_param.dtim_period) ||
7423 		    nla_put_u16(msg, NL80211_STA_BSS_PARAM_BEACON_INTERVAL,
7424 				link_sinfo->bss_param.beacon_interval))
7425 			goto nla_put_failure;
7426 
7427 		nla_nest_end(msg, bss_param);
7428 	}
7429 
7430 	PUT_LINK_SINFO_U64(RX_DROP_MISC, rx_dropped_misc);
7431 	PUT_LINK_SINFO_U64(BEACON_RX, rx_beacon);
7432 	PUT_LINK_SINFO(BEACON_SIGNAL_AVG, rx_beacon_signal_avg, u8);
7433 	PUT_LINK_SINFO(RX_MPDUS, rx_mpdu_count, u32);
7434 	PUT_LINK_SINFO(FCS_ERROR_COUNT, fcs_err_count, u32);
7435 	if (wiphy_ext_feature_isset(&rdev->wiphy,
7436 				    NL80211_EXT_FEATURE_ACK_SIGNAL_SUPPORT)) {
7437 		PUT_LINK_SINFO(ACK_SIGNAL, ack_signal, u8);
7438 		PUT_LINK_SINFO(ACK_SIGNAL_AVG, avg_ack_signal, s8);
7439 	}
7440 
7441 #undef PUT_LINK_SINFO
7442 #undef PUT_LINK_SINFO_U64
7443 
7444 	if (link_sinfo->pertid) {
7445 		struct nlattr *tidsattr;
7446 		int tid;
7447 
7448 		tidsattr = nla_nest_start_noflag(msg,
7449 						 NL80211_STA_INFO_TID_STATS);
7450 		if (!tidsattr)
7451 			goto nla_put_failure;
7452 
7453 		for (tid = 0; tid < IEEE80211_NUM_TIDS + 1; tid++) {
7454 			struct cfg80211_tid_stats *tidstats;
7455 			struct nlattr *tidattr;
7456 
7457 			tidstats = &link_sinfo->pertid[tid];
7458 
7459 			if (!tidstats->filled)
7460 				continue;
7461 
7462 			tidattr = nla_nest_start_noflag(msg, tid + 1);
7463 			if (!tidattr)
7464 				goto nla_put_failure;
7465 
7466 #define PUT_TIDVAL_U64(attr, memb) do {					\
7467 	if (tidstats->filled & BIT(NL80211_TID_STATS_ ## attr) &&	\
7468 	    nla_put_u64_64bit(msg, NL80211_TID_STATS_ ## attr,		\
7469 			      tidstats->memb, NL80211_TID_STATS_PAD))	\
7470 		goto nla_put_failure;					\
7471 	} while (0)
7472 
7473 			PUT_TIDVAL_U64(RX_MSDU, rx_msdu);
7474 			PUT_TIDVAL_U64(TX_MSDU, tx_msdu);
7475 			PUT_TIDVAL_U64(TX_MSDU_RETRIES, tx_msdu_retries);
7476 			PUT_TIDVAL_U64(TX_MSDU_FAILED, tx_msdu_failed);
7477 
7478 #undef PUT_TIDVAL_U64
7479 			if ((tidstats->filled &
7480 			     BIT(NL80211_TID_STATS_TXQ_STATS)) &&
7481 			    !nl80211_put_txq_stats(msg, &tidstats->txq_stats,
7482 						   NL80211_TID_STATS_TXQ_STATS))
7483 				goto nla_put_failure;
7484 
7485 			nla_nest_end(msg, tidattr);
7486 		}
7487 
7488 		nla_nest_end(msg, tidsattr);
7489 	}
7490 
7491 	nla_nest_end(msg, link_sinfoattr);
7492 	return 0;
7493 
7494 nla_put_failure:
7495 	return -EMSGSIZE;
7496 }
7497 
7498 static int nl80211_send_station(struct sk_buff *msg, u32 cmd, u32 portid,
7499 				u32 seq, int flags,
7500 				struct cfg80211_registered_device *rdev,
7501 				struct net_device *dev,
7502 				const u8 *mac_addr, struct station_info *sinfo,
7503 				bool link_stats)
7504 {
7505 	void *hdr;
7506 	struct nlattr *sinfoattr, *bss_param;
7507 	struct link_station_info *link_sinfo;
7508 	struct nlattr *links, *link;
7509 	int link_id;
7510 
7511 	hdr = nl80211hdr_put(msg, portid, seq, flags, cmd);
7512 	if (!hdr) {
7513 		cfg80211_sinfo_release_content(sinfo);
7514 		return -1;
7515 	}
7516 
7517 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
7518 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac_addr) ||
7519 	    nla_put_u32(msg, NL80211_ATTR_GENERATION, sinfo->generation))
7520 		goto nla_put_failure;
7521 
7522 	sinfoattr = nla_nest_start_noflag(msg, NL80211_ATTR_STA_INFO);
7523 	if (!sinfoattr)
7524 		goto nla_put_failure;
7525 
7526 #define PUT_SINFO(attr, memb, type) do {				\
7527 	BUILD_BUG_ON(sizeof(type) == sizeof(u64));			\
7528 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_ ## attr) &&	\
7529 	    nla_put_ ## type(msg, NL80211_STA_INFO_ ## attr,		\
7530 			     sinfo->memb))				\
7531 		goto nla_put_failure;					\
7532 	} while (0)
7533 #define PUT_SINFO_U64(attr, memb) do {					\
7534 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_ ## attr) &&	\
7535 	    nla_put_u64_64bit(msg, NL80211_STA_INFO_ ## attr,		\
7536 			      sinfo->memb, NL80211_STA_INFO_PAD))	\
7537 		goto nla_put_failure;					\
7538 	} while (0)
7539 
7540 	PUT_SINFO(CONNECTED_TIME, connected_time, u32);
7541 	PUT_SINFO(INACTIVE_TIME, inactive_time, u32);
7542 	PUT_SINFO_U64(ASSOC_AT_BOOTTIME, assoc_at);
7543 
7544 	if (sinfo->filled & (BIT_ULL(NL80211_STA_INFO_RX_BYTES) |
7545 			     BIT_ULL(NL80211_STA_INFO_RX_BYTES64)) &&
7546 	    nla_put_u32(msg, NL80211_STA_INFO_RX_BYTES,
7547 			(u32)sinfo->rx_bytes))
7548 		goto nla_put_failure;
7549 
7550 	if (sinfo->filled & (BIT_ULL(NL80211_STA_INFO_TX_BYTES) |
7551 			     BIT_ULL(NL80211_STA_INFO_TX_BYTES64)) &&
7552 	    nla_put_u32(msg, NL80211_STA_INFO_TX_BYTES,
7553 			(u32)sinfo->tx_bytes))
7554 		goto nla_put_failure;
7555 
7556 	PUT_SINFO_U64(RX_BYTES64, rx_bytes);
7557 	PUT_SINFO_U64(TX_BYTES64, tx_bytes);
7558 	PUT_SINFO_U64(RX_DURATION, rx_duration);
7559 	PUT_SINFO_U64(TX_DURATION, tx_duration);
7560 
7561 	if (wiphy_ext_feature_isset(&rdev->wiphy,
7562 				    NL80211_EXT_FEATURE_AIRTIME_FAIRNESS))
7563 		PUT_SINFO(AIRTIME_WEIGHT, airtime_weight, u16);
7564 
7565 	switch (rdev->wiphy.signal_type) {
7566 	case CFG80211_SIGNAL_TYPE_MBM:
7567 		PUT_SINFO(SIGNAL, signal, u8);
7568 		PUT_SINFO(SIGNAL_AVG, signal_avg, u8);
7569 		break;
7570 	default:
7571 		break;
7572 	}
7573 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_CHAIN_SIGNAL)) {
7574 		if (!nl80211_put_signal(msg, sinfo->chains,
7575 					sinfo->chain_signal,
7576 					NL80211_STA_INFO_CHAIN_SIGNAL))
7577 			goto nla_put_failure;
7578 	}
7579 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_CHAIN_SIGNAL_AVG)) {
7580 		if (!nl80211_put_signal(msg, sinfo->chains,
7581 					sinfo->chain_signal_avg,
7582 					NL80211_STA_INFO_CHAIN_SIGNAL_AVG))
7583 			goto nla_put_failure;
7584 	}
7585 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_TX_BITRATE)) {
7586 		if (!nl80211_put_sta_rate(msg, &sinfo->txrate,
7587 					  NL80211_STA_INFO_TX_BITRATE))
7588 			goto nla_put_failure;
7589 	}
7590 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_RX_BITRATE)) {
7591 		if (!nl80211_put_sta_rate(msg, &sinfo->rxrate,
7592 					  NL80211_STA_INFO_RX_BITRATE))
7593 			goto nla_put_failure;
7594 	}
7595 
7596 	PUT_SINFO(RX_PACKETS, rx_packets, u32);
7597 	PUT_SINFO(TX_PACKETS, tx_packets, u32);
7598 	PUT_SINFO(TX_RETRIES, tx_retries, u32);
7599 	PUT_SINFO(TX_FAILED, tx_failed, u32);
7600 	PUT_SINFO(EXPECTED_THROUGHPUT, expected_throughput, u32);
7601 	PUT_SINFO(BEACON_LOSS, beacon_loss_count, u32);
7602 
7603 	PUT_SINFO(LLID, llid, u16);
7604 	PUT_SINFO(PLID, plid, u16);
7605 	PUT_SINFO(PLINK_STATE, plink_state, u8);
7606 	PUT_SINFO(AIRTIME_LINK_METRIC, airtime_link_metric, u32);
7607 	PUT_SINFO(LOCAL_PM, local_pm, u32);
7608 	PUT_SINFO(PEER_PM, peer_pm, u32);
7609 	PUT_SINFO(NONPEER_PM, nonpeer_pm, u32);
7610 	PUT_SINFO(CONNECTED_TO_GATE, connected_to_gate, u8);
7611 	PUT_SINFO(CONNECTED_TO_AS, connected_to_as, u8);
7612 	PUT_SINFO_U64(T_OFFSET, t_offset);
7613 
7614 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_BSS_PARAM)) {
7615 		bss_param = nla_nest_start_noflag(msg,
7616 						  NL80211_STA_INFO_BSS_PARAM);
7617 		if (!bss_param)
7618 			goto nla_put_failure;
7619 
7620 		if (((sinfo->bss_param.flags & BSS_PARAM_FLAGS_CTS_PROT) &&
7621 		     nla_put_flag(msg, NL80211_STA_BSS_PARAM_CTS_PROT)) ||
7622 		    ((sinfo->bss_param.flags & BSS_PARAM_FLAGS_SHORT_PREAMBLE) &&
7623 		     nla_put_flag(msg, NL80211_STA_BSS_PARAM_SHORT_PREAMBLE)) ||
7624 		    ((sinfo->bss_param.flags & BSS_PARAM_FLAGS_SHORT_SLOT_TIME) &&
7625 		     nla_put_flag(msg, NL80211_STA_BSS_PARAM_SHORT_SLOT_TIME)) ||
7626 		    nla_put_u8(msg, NL80211_STA_BSS_PARAM_DTIM_PERIOD,
7627 			       sinfo->bss_param.dtim_period) ||
7628 		    nla_put_u16(msg, NL80211_STA_BSS_PARAM_BEACON_INTERVAL,
7629 				sinfo->bss_param.beacon_interval))
7630 			goto nla_put_failure;
7631 
7632 		nla_nest_end(msg, bss_param);
7633 	}
7634 	if ((sinfo->filled & BIT_ULL(NL80211_STA_INFO_STA_FLAGS)) &&
7635 	    nla_put(msg, NL80211_STA_INFO_STA_FLAGS,
7636 		    sizeof(struct nl80211_sta_flag_update),
7637 		    &sinfo->sta_flags))
7638 		goto nla_put_failure;
7639 
7640 	PUT_SINFO_U64(RX_DROP_MISC, rx_dropped_misc);
7641 	PUT_SINFO_U64(BEACON_RX, rx_beacon);
7642 	PUT_SINFO(BEACON_SIGNAL_AVG, rx_beacon_signal_avg, u8);
7643 	PUT_SINFO(RX_MPDUS, rx_mpdu_count, u32);
7644 	PUT_SINFO(FCS_ERROR_COUNT, fcs_err_count, u32);
7645 	if (wiphy_ext_feature_isset(&rdev->wiphy,
7646 				    NL80211_EXT_FEATURE_ACK_SIGNAL_SUPPORT)) {
7647 		PUT_SINFO(ACK_SIGNAL, ack_signal, u8);
7648 		PUT_SINFO(ACK_SIGNAL_AVG, avg_ack_signal, s8);
7649 	}
7650 
7651 #undef PUT_SINFO
7652 #undef PUT_SINFO_U64
7653 
7654 	if (sinfo->pertid) {
7655 		struct nlattr *tidsattr;
7656 		int tid;
7657 
7658 		tidsattr = nla_nest_start_noflag(msg,
7659 						 NL80211_STA_INFO_TID_STATS);
7660 		if (!tidsattr)
7661 			goto nla_put_failure;
7662 
7663 		for (tid = 0; tid < IEEE80211_NUM_TIDS + 1; tid++) {
7664 			struct cfg80211_tid_stats *tidstats;
7665 			struct nlattr *tidattr;
7666 
7667 			tidstats = &sinfo->pertid[tid];
7668 
7669 			if (!tidstats->filled)
7670 				continue;
7671 
7672 			tidattr = nla_nest_start_noflag(msg, tid + 1);
7673 			if (!tidattr)
7674 				goto nla_put_failure;
7675 
7676 #define PUT_TIDVAL_U64(attr, memb) do {					\
7677 	if (tidstats->filled & BIT(NL80211_TID_STATS_ ## attr) &&	\
7678 	    nla_put_u64_64bit(msg, NL80211_TID_STATS_ ## attr,		\
7679 			      tidstats->memb, NL80211_TID_STATS_PAD))	\
7680 		goto nla_put_failure;					\
7681 	} while (0)
7682 
7683 			PUT_TIDVAL_U64(RX_MSDU, rx_msdu);
7684 			PUT_TIDVAL_U64(TX_MSDU, tx_msdu);
7685 			PUT_TIDVAL_U64(TX_MSDU_RETRIES, tx_msdu_retries);
7686 			PUT_TIDVAL_U64(TX_MSDU_FAILED, tx_msdu_failed);
7687 
7688 #undef PUT_TIDVAL_U64
7689 			if ((tidstats->filled &
7690 			     BIT(NL80211_TID_STATS_TXQ_STATS)) &&
7691 			    !nl80211_put_txq_stats(msg, &tidstats->txq_stats,
7692 						   NL80211_TID_STATS_TXQ_STATS))
7693 				goto nla_put_failure;
7694 
7695 			nla_nest_end(msg, tidattr);
7696 		}
7697 
7698 		nla_nest_end(msg, tidsattr);
7699 	}
7700 
7701 	nla_nest_end(msg, sinfoattr);
7702 
7703 	if (sinfo->assoc_req_ies_len &&
7704 	    nla_put(msg, NL80211_ATTR_IE, sinfo->assoc_req_ies_len,
7705 		    sinfo->assoc_req_ies))
7706 		goto nla_put_failure;
7707 
7708 	if (sinfo->assoc_resp_ies_len &&
7709 	    nla_put(msg, NL80211_ATTR_RESP_IE, sinfo->assoc_resp_ies_len,
7710 		    sinfo->assoc_resp_ies))
7711 		goto nla_put_failure;
7712 
7713 	if (sinfo->mlo_params_valid) {
7714 		if (nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID,
7715 			       sinfo->assoc_link_id))
7716 			goto nla_put_failure;
7717 
7718 		if (!is_zero_ether_addr(sinfo->mld_addr) &&
7719 		    nla_put(msg, NL80211_ATTR_MLD_ADDR, ETH_ALEN,
7720 			    sinfo->mld_addr))
7721 			goto nla_put_failure;
7722 	}
7723 
7724 	if (link_stats && sinfo->valid_links) {
7725 		links = nla_nest_start(msg, NL80211_ATTR_MLO_LINKS);
7726 		if (!links)
7727 			goto nla_put_failure;
7728 
7729 		for_each_valid_link(sinfo, link_id) {
7730 			link_sinfo = sinfo->links[link_id];
7731 
7732 			if (WARN_ON_ONCE(!link_sinfo))
7733 				continue;
7734 
7735 			if (!is_valid_ether_addr(link_sinfo->addr))
7736 				continue;
7737 
7738 			link = nla_nest_start(msg, link_id + 1);
7739 			if (!link)
7740 				goto nla_put_failure;
7741 
7742 			if (nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID,
7743 				       link_id))
7744 				goto nla_put_failure;
7745 
7746 			if (nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN,
7747 				    link_sinfo->addr))
7748 				goto nla_put_failure;
7749 
7750 			if (nl80211_fill_link_station(msg, rdev, link_sinfo))
7751 				goto nla_put_failure;
7752 
7753 			nla_nest_end(msg, link);
7754 		}
7755 		nla_nest_end(msg, links);
7756 	}
7757 
7758 	cfg80211_sinfo_release_content(sinfo);
7759 	genlmsg_end(msg, hdr);
7760 	return 0;
7761 
7762  nla_put_failure:
7763 	cfg80211_sinfo_release_content(sinfo);
7764 	genlmsg_cancel(msg, hdr);
7765 	return -EMSGSIZE;
7766 }
7767 
7768 static void cfg80211_sta_set_mld_sinfo(struct station_info *sinfo)
7769 {
7770 	struct link_station_info *link_sinfo;
7771 	int link_id, init = 0;
7772 	u32 link_inactive_time;
7773 
7774 	sinfo->signal = -99;
7775 
7776 	for_each_valid_link(sinfo, link_id) {
7777 		link_sinfo = sinfo->links[link_id];
7778 		if (!link_sinfo)
7779 			continue;
7780 
7781 		if ((link_sinfo->filled &
7782 		     BIT_ULL(NL80211_STA_INFO_TX_PACKETS))) {
7783 			sinfo->tx_packets += link_sinfo->tx_packets;
7784 			sinfo->filled |= BIT_ULL(NL80211_STA_INFO_TX_PACKETS);
7785 		}
7786 
7787 		if ((link_sinfo->filled &
7788 		     BIT_ULL(NL80211_STA_INFO_RX_PACKETS))) {
7789 			sinfo->rx_packets += link_sinfo->rx_packets;
7790 			sinfo->filled |= BIT_ULL(NL80211_STA_INFO_RX_PACKETS);
7791 		}
7792 
7793 		if (link_sinfo->filled &
7794 		    (BIT_ULL(NL80211_STA_INFO_TX_BYTES) |
7795 		     BIT_ULL(NL80211_STA_INFO_TX_BYTES64))) {
7796 			sinfo->tx_bytes += link_sinfo->tx_bytes;
7797 			sinfo->filled |= BIT_ULL(NL80211_STA_INFO_TX_BYTES);
7798 		}
7799 
7800 		if (link_sinfo->filled &
7801 		    (BIT_ULL(NL80211_STA_INFO_RX_BYTES) |
7802 		     BIT_ULL(NL80211_STA_INFO_TX_BYTES64))) {
7803 			sinfo->rx_bytes += link_sinfo->rx_bytes;
7804 			sinfo->filled |= BIT_ULL(NL80211_STA_INFO_RX_BYTES);
7805 		}
7806 
7807 		if (link_sinfo->filled &
7808 		    BIT_ULL(NL80211_STA_INFO_TX_RETRIES)) {
7809 			sinfo->tx_retries += link_sinfo->tx_retries;
7810 			sinfo->filled |= BIT_ULL(NL80211_STA_INFO_TX_RETRIES);
7811 		}
7812 
7813 		if (link_sinfo->filled & BIT_ULL(NL80211_STA_INFO_TX_FAILED)) {
7814 			sinfo->tx_failed += link_sinfo->tx_failed;
7815 			sinfo->filled |= BIT_ULL(NL80211_STA_INFO_TX_FAILED);
7816 		}
7817 
7818 		if (link_sinfo->filled &
7819 		    BIT_ULL(NL80211_STA_INFO_RX_DROP_MISC)) {
7820 			sinfo->rx_dropped_misc += link_sinfo->rx_dropped_misc;
7821 			sinfo->filled |=
7822 				BIT_ULL(NL80211_STA_INFO_RX_DROP_MISC);
7823 		}
7824 
7825 		if (link_sinfo->filled &
7826 		    BIT_ULL(NL80211_STA_INFO_BEACON_LOSS)) {
7827 			sinfo->beacon_loss_count +=
7828 				link_sinfo->beacon_loss_count;
7829 			sinfo->filled |= BIT_ULL(NL80211_STA_INFO_BEACON_LOSS);
7830 		}
7831 
7832 		if (link_sinfo->filled &
7833 		    BIT_ULL(NL80211_STA_INFO_EXPECTED_THROUGHPUT)) {
7834 			sinfo->expected_throughput +=
7835 				link_sinfo->expected_throughput;
7836 			sinfo->filled |=
7837 				BIT_ULL(NL80211_STA_INFO_EXPECTED_THROUGHPUT);
7838 		}
7839 
7840 		if (link_sinfo->filled & BIT_ULL(NL80211_STA_INFO_RX_MPDUS)) {
7841 			sinfo->rx_mpdu_count += link_sinfo->rx_mpdu_count;
7842 			sinfo->filled |= BIT_ULL(NL80211_STA_INFO_RX_MPDUS);
7843 		}
7844 
7845 		if (link_sinfo->filled &
7846 		    BIT_ULL(NL80211_STA_INFO_FCS_ERROR_COUNT)) {
7847 			sinfo->fcs_err_count += link_sinfo->fcs_err_count;
7848 			sinfo->filled |=
7849 				BIT_ULL(NL80211_STA_INFO_FCS_ERROR_COUNT);
7850 		}
7851 
7852 		if (link_sinfo->filled &
7853 		    BIT_ULL(NL80211_STA_INFO_BEACON_RX)) {
7854 			sinfo->rx_beacon += link_sinfo->rx_beacon;
7855 			sinfo->filled |= BIT_ULL(NL80211_STA_INFO_BEACON_RX);
7856 		}
7857 
7858 		/* Update MLO signal, signal_avg as best among links */
7859 		if ((link_sinfo->filled & BIT_ULL(NL80211_STA_INFO_SIGNAL)) &&
7860 		    link_sinfo->signal > sinfo->signal) {
7861 			sinfo->signal = link_sinfo->signal;
7862 			sinfo->filled |= BIT_ULL(NL80211_STA_INFO_SIGNAL);
7863 		}
7864 
7865 		if ((link_sinfo->filled &
7866 			BIT_ULL(NL80211_STA_INFO_SIGNAL_AVG)) &&
7867 		    link_sinfo->signal_avg > sinfo->signal_avg) {
7868 			sinfo->signal_avg = link_sinfo->signal_avg;
7869 			sinfo->filled |= BIT_ULL(NL80211_STA_INFO_SIGNAL_AVG);
7870 		}
7871 
7872 		/* Update MLO inactive_time, bss_param based on least
7873 		 * value for corresponding field of link.
7874 		 */
7875 		if ((link_sinfo->filled &
7876 		     BIT_ULL(NL80211_STA_INFO_INACTIVE_TIME)) &&
7877 		    (!init ||
7878 		     link_inactive_time > link_sinfo->inactive_time)) {
7879 			link_inactive_time = link_sinfo->inactive_time;
7880 			sinfo->inactive_time = link_sinfo->inactive_time;
7881 			sinfo->filled |= NL80211_STA_INFO_INACTIVE_TIME;
7882 		}
7883 
7884 		if (link_sinfo->filled & BIT_ULL(NL80211_STA_INFO_BSS_PARAM) &&
7885 		    (!init ||
7886 		     sinfo->bss_param.dtim_period >
7887 		      link_sinfo->bss_param.dtim_period)) {
7888 			sinfo->bss_param.dtim_period =
7889 				link_sinfo->bss_param.dtim_period;
7890 			sinfo->filled |= NL80211_STA_BSS_PARAM_DTIM_PERIOD;
7891 			sinfo->bss_param.beacon_interval =
7892 				link_sinfo->bss_param.beacon_interval;
7893 			sinfo->filled |= NL80211_STA_BSS_PARAM_BEACON_INTERVAL;
7894 		}
7895 
7896 		/* Update MLO rates as per last updated link rate */
7897 		if ((link_sinfo->filled &
7898 		     BIT_ULL(NL80211_STA_INFO_TX_BITRATE)) &&
7899 		    (!init ||
7900 		     link_inactive_time > link_sinfo->inactive_time)) {
7901 			sinfo->txrate = link_sinfo->txrate;
7902 			sinfo->filled |= BIT_ULL(NL80211_STA_INFO_TX_BITRATE);
7903 		}
7904 		if ((link_sinfo->filled &
7905 		     BIT_ULL(NL80211_STA_INFO_RX_BITRATE)) &&
7906 		    (!init ||
7907 		     link_inactive_time > link_sinfo->inactive_time)) {
7908 			sinfo->rxrate = link_sinfo->rxrate;
7909 			sinfo->filled |= BIT_ULL(NL80211_STA_INFO_RX_BITRATE);
7910 		}
7911 
7912 		if (link_sinfo->filled &
7913 		    BIT_ULL(NL80211_STA_INFO_TX_DURATION) &&
7914 		    (!init ||
7915 		     link_inactive_time > link_sinfo->inactive_time)) {
7916 			sinfo->tx_duration += link_sinfo->tx_duration;
7917 			sinfo->filled |=
7918 				BIT_ULL(NL80211_STA_INFO_TX_DURATION);
7919 		}
7920 		if (link_sinfo->filled &
7921 		    BIT_ULL(NL80211_STA_INFO_RX_DURATION) &&
7922 		    (!init ||
7923 		     link_inactive_time > link_sinfo->inactive_time)) {
7924 			sinfo->rx_duration += link_sinfo->rx_duration;
7925 			sinfo->filled |=
7926 				BIT_ULL(NL80211_STA_INFO_RX_DURATION);
7927 		}
7928 		init++;
7929 
7930 		/* pertid stats accumulate for rx/tx fields */
7931 		if (sinfo->pertid) {
7932 			sinfo->pertid->rx_msdu +=
7933 				link_sinfo->pertid->rx_msdu;
7934 			sinfo->pertid->tx_msdu +=
7935 				link_sinfo->pertid->tx_msdu;
7936 			sinfo->pertid->tx_msdu_retries +=
7937 				link_sinfo->pertid->tx_msdu_retries;
7938 			sinfo->pertid->tx_msdu_failed +=
7939 				link_sinfo->pertid->tx_msdu_failed;
7940 
7941 			sinfo->pertid->filled |=
7942 				BIT(NL80211_TID_STATS_RX_MSDU) |
7943 				BIT(NL80211_TID_STATS_TX_MSDU) |
7944 				BIT(NL80211_TID_STATS_TX_MSDU_RETRIES) |
7945 				BIT(NL80211_TID_STATS_TX_MSDU_FAILED);
7946 		}
7947 	}
7948 
7949 	/* Reset sinfo->filled bits to exclude fields which don't make
7950 	 * much sense at the MLO level.
7951 	 */
7952 	sinfo->filled &= ~BIT_ULL(NL80211_STA_INFO_CHAIN_SIGNAL);
7953 	sinfo->filled &= ~BIT_ULL(NL80211_STA_INFO_CHAIN_SIGNAL_AVG);
7954 }
7955 
7956 static int nl80211_dump_station(struct sk_buff *skb,
7957 				struct netlink_callback *cb)
7958 {
7959 	struct station_info sinfo;
7960 	struct cfg80211_registered_device *rdev;
7961 	struct wireless_dev *wdev;
7962 	u8 mac_addr[ETH_ALEN];
7963 	int sta_idx = cb->args[2];
7964 	bool sinfo_alloc = false;
7965 	int err, i;
7966 
7967 	err = nl80211_prepare_wdev_dump(cb, &rdev, &wdev, NULL);
7968 	if (err)
7969 		return err;
7970 	/* nl80211_prepare_wdev_dump acquired it in the successful case */
7971 	__acquire(&rdev->wiphy.mtx);
7972 
7973 	if (!wdev->netdev) {
7974 		err = -EINVAL;
7975 		goto out_err;
7976 	}
7977 
7978 	if (!rdev->ops->dump_station) {
7979 		err = -EOPNOTSUPP;
7980 		goto out_err;
7981 	}
7982 
7983 	while (1) {
7984 		memset(&sinfo, 0, sizeof(sinfo));
7985 
7986 		for (i = 0; i < IEEE80211_MLD_MAX_NUM_LINKS; i++) {
7987 			sinfo.links[i] =
7988 				kzalloc(sizeof(*sinfo.links[0]), GFP_KERNEL);
7989 			if (!sinfo.links[i]) {
7990 				err = -ENOMEM;
7991 				goto out_err;
7992 			}
7993 			sinfo_alloc = true;
7994 		}
7995 
7996 		err = rdev_dump_station(rdev, wdev->netdev, sta_idx,
7997 					mac_addr, &sinfo);
7998 		if (err == -ENOENT)
7999 			break;
8000 		if (err)
8001 			goto out_err;
8002 
8003 		if (sinfo.valid_links)
8004 			cfg80211_sta_set_mld_sinfo(&sinfo);
8005 
8006 		/* reset the sinfo_alloc flag as nl80211_send_station()
8007 		 * always releases sinfo
8008 		 */
8009 		sinfo_alloc = false;
8010 
8011 		if (nl80211_send_station(skb, NL80211_CMD_NEW_STATION,
8012 				NETLINK_CB(cb->skb).portid,
8013 				cb->nlh->nlmsg_seq, NLM_F_MULTI,
8014 				rdev, wdev->netdev, mac_addr,
8015 				&sinfo, false) < 0)
8016 			goto out;
8017 
8018 		sta_idx++;
8019 	}
8020 
8021  out:
8022 	cb->args[2] = sta_idx;
8023 	err = skb->len;
8024  out_err:
8025 	if (sinfo_alloc)
8026 		cfg80211_sinfo_release_content(&sinfo);
8027 	wiphy_unlock(&rdev->wiphy);
8028 
8029 	return err;
8030 }
8031 
8032 static int nl80211_get_station(struct sk_buff *skb, struct genl_info *info)
8033 {
8034 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8035 	struct net_device *dev = info->user_ptr[1];
8036 	struct station_info sinfo;
8037 	struct sk_buff *msg;
8038 	u8 *mac_addr = NULL;
8039 	int err, i;
8040 
8041 	memset(&sinfo, 0, sizeof(sinfo));
8042 
8043 	if (!info->attrs[NL80211_ATTR_MAC])
8044 		return -EINVAL;
8045 
8046 	mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
8047 
8048 	if (!rdev->ops->get_station)
8049 		return -EOPNOTSUPP;
8050 
8051 	for (i = 0; i < IEEE80211_MLD_MAX_NUM_LINKS; i++) {
8052 		sinfo.links[i] = kzalloc(sizeof(*sinfo.links[0]), GFP_KERNEL);
8053 		if (!sinfo.links[i]) {
8054 			cfg80211_sinfo_release_content(&sinfo);
8055 			return -ENOMEM;
8056 		}
8057 	}
8058 
8059 	err = rdev_get_station(rdev, dev, mac_addr, &sinfo);
8060 	if (err) {
8061 		cfg80211_sinfo_release_content(&sinfo);
8062 		return err;
8063 	}
8064 
8065 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
8066 	if (!msg) {
8067 		cfg80211_sinfo_release_content(&sinfo);
8068 		return -ENOMEM;
8069 	}
8070 
8071 	if (sinfo.valid_links)
8072 		cfg80211_sta_set_mld_sinfo(&sinfo);
8073 
8074 	if (nl80211_send_station(msg, NL80211_CMD_NEW_STATION,
8075 				 info->snd_portid, info->snd_seq, 0,
8076 				 rdev, dev, mac_addr, &sinfo, false) < 0) {
8077 		nlmsg_free(msg);
8078 		return -ENOBUFS;
8079 	}
8080 
8081 	return genlmsg_reply(msg, info);
8082 }
8083 
8084 int cfg80211_check_station_change(struct wiphy *wiphy,
8085 				  struct station_parameters *params,
8086 				  enum cfg80211_station_type statype)
8087 {
8088 	if (params->listen_interval != -1 &&
8089 	    statype != CFG80211_STA_AP_CLIENT_UNASSOC)
8090 		return -EINVAL;
8091 
8092 	if (params->support_p2p_ps != -1 &&
8093 	    statype != CFG80211_STA_AP_CLIENT_UNASSOC)
8094 		return -EINVAL;
8095 
8096 	if (params->aid &&
8097 	    !(params->sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)) &&
8098 	    statype != CFG80211_STA_AP_CLIENT_UNASSOC)
8099 		return -EINVAL;
8100 
8101 	/* When you run into this, adjust the code below for the new flag */
8102 	BUILD_BUG_ON(NL80211_STA_FLAG_MAX != 8);
8103 
8104 	switch (statype) {
8105 	case CFG80211_STA_MESH_PEER_KERNEL:
8106 	case CFG80211_STA_MESH_PEER_USER:
8107 		/*
8108 		 * No ignoring the TDLS flag here -- the userspace mesh
8109 		 * code doesn't have the bug of including TDLS in the
8110 		 * mask everywhere.
8111 		 */
8112 		if (params->sta_flags_mask &
8113 				~(BIT(NL80211_STA_FLAG_AUTHENTICATED) |
8114 				  BIT(NL80211_STA_FLAG_MFP) |
8115 				  BIT(NL80211_STA_FLAG_AUTHORIZED)))
8116 			return -EINVAL;
8117 		break;
8118 	case CFG80211_STA_TDLS_PEER_SETUP:
8119 	case CFG80211_STA_TDLS_PEER_ACTIVE:
8120 		if (!(params->sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)))
8121 			return -EINVAL;
8122 		/* ignore since it can't change */
8123 		params->sta_flags_mask &= ~BIT(NL80211_STA_FLAG_TDLS_PEER);
8124 		break;
8125 	default:
8126 		/* disallow mesh-specific things */
8127 		if (params->plink_action != NL80211_PLINK_ACTION_NO_ACTION)
8128 			return -EINVAL;
8129 		if (params->local_pm)
8130 			return -EINVAL;
8131 		if (params->sta_modify_mask & STATION_PARAM_APPLY_PLINK_STATE)
8132 			return -EINVAL;
8133 	}
8134 
8135 	if (statype != CFG80211_STA_TDLS_PEER_SETUP &&
8136 	    statype != CFG80211_STA_TDLS_PEER_ACTIVE) {
8137 		/* TDLS can't be set, ... */
8138 		if (params->sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER))
8139 			return -EINVAL;
8140 		/*
8141 		 * ... but don't bother the driver with it. This works around
8142 		 * a hostapd/wpa_supplicant issue -- it always includes the
8143 		 * TLDS_PEER flag in the mask even for AP mode.
8144 		 */
8145 		params->sta_flags_mask &= ~BIT(NL80211_STA_FLAG_TDLS_PEER);
8146 	}
8147 
8148 	if (statype != CFG80211_STA_TDLS_PEER_SETUP &&
8149 	    statype != CFG80211_STA_AP_CLIENT_UNASSOC) {
8150 		/* reject other things that can't change */
8151 		if (params->sta_modify_mask & STATION_PARAM_APPLY_UAPSD)
8152 			return -EINVAL;
8153 		if (params->sta_modify_mask & STATION_PARAM_APPLY_CAPABILITY)
8154 			return -EINVAL;
8155 		if (params->link_sta_params.supported_rates)
8156 			return -EINVAL;
8157 		if (params->ext_capab || params->link_sta_params.ht_capa ||
8158 		    params->link_sta_params.vht_capa ||
8159 		    params->link_sta_params.he_capa ||
8160 		    params->link_sta_params.eht_capa ||
8161 		    params->link_sta_params.uhr_capa)
8162 			return -EINVAL;
8163 		if (params->sta_flags_mask & BIT(NL80211_STA_FLAG_SPP_AMSDU))
8164 			return -EINVAL;
8165 	}
8166 
8167 	if (statype != CFG80211_STA_AP_CLIENT &&
8168 	    statype != CFG80211_STA_AP_CLIENT_UNASSOC) {
8169 		if (params->vlan)
8170 			return -EINVAL;
8171 	}
8172 
8173 	/* Accept EMLSR capabilities only for AP client before association */
8174 	if (statype != CFG80211_STA_AP_CLIENT_UNASSOC &&
8175 	    params->eml_cap_present)
8176 		return -EINVAL;
8177 
8178 	switch (statype) {
8179 	case CFG80211_STA_AP_MLME_CLIENT:
8180 		/* Use this only for authorizing/unauthorizing a station */
8181 		if (!(params->sta_flags_mask & BIT(NL80211_STA_FLAG_AUTHORIZED)))
8182 			return -EOPNOTSUPP;
8183 		break;
8184 	case CFG80211_STA_AP_CLIENT:
8185 	case CFG80211_STA_AP_CLIENT_UNASSOC:
8186 		/* accept only the listed bits */
8187 		if (params->sta_flags_mask &
8188 				~(BIT(NL80211_STA_FLAG_AUTHORIZED) |
8189 				  BIT(NL80211_STA_FLAG_AUTHENTICATED) |
8190 				  BIT(NL80211_STA_FLAG_ASSOCIATED) |
8191 				  BIT(NL80211_STA_FLAG_SHORT_PREAMBLE) |
8192 				  BIT(NL80211_STA_FLAG_WME) |
8193 				  BIT(NL80211_STA_FLAG_MFP) |
8194 				  BIT(NL80211_STA_FLAG_SPP_AMSDU)))
8195 			return -EINVAL;
8196 
8197 		/* but authenticated/associated only if driver handles it */
8198 		if (!(wiphy->features & NL80211_FEATURE_FULL_AP_CLIENT_STATE) &&
8199 		    params->sta_flags_mask &
8200 				(BIT(NL80211_STA_FLAG_AUTHENTICATED) |
8201 				 BIT(NL80211_STA_FLAG_ASSOCIATED)))
8202 			return -EINVAL;
8203 		break;
8204 	case CFG80211_STA_IBSS:
8205 	case CFG80211_STA_AP_STA:
8206 		/* reject any changes other than AUTHORIZED */
8207 		if (params->sta_flags_mask & ~BIT(NL80211_STA_FLAG_AUTHORIZED))
8208 			return -EINVAL;
8209 		break;
8210 	case CFG80211_STA_TDLS_PEER_SETUP:
8211 		/* reject any changes other than AUTHORIZED or WME */
8212 		if (params->sta_flags_mask & ~(BIT(NL80211_STA_FLAG_AUTHORIZED) |
8213 					       BIT(NL80211_STA_FLAG_WME)))
8214 			return -EINVAL;
8215 		/* force (at least) rates when authorizing */
8216 		if (params->sta_flags_set & BIT(NL80211_STA_FLAG_AUTHORIZED) &&
8217 		    !params->link_sta_params.supported_rates)
8218 			return -EINVAL;
8219 		break;
8220 	case CFG80211_STA_TDLS_PEER_ACTIVE:
8221 		/* reject any changes */
8222 		return -EINVAL;
8223 	case CFG80211_STA_MESH_PEER_KERNEL:
8224 		if (params->sta_modify_mask & STATION_PARAM_APPLY_PLINK_STATE)
8225 			return -EINVAL;
8226 		break;
8227 	case CFG80211_STA_MESH_PEER_USER:
8228 		if (params->plink_action != NL80211_PLINK_ACTION_NO_ACTION &&
8229 		    params->plink_action != NL80211_PLINK_ACTION_BLOCK)
8230 			return -EINVAL;
8231 		break;
8232 	}
8233 
8234 	/*
8235 	 * Older kernel versions ignored this attribute entirely, so don't
8236 	 * reject attempts to update it but mark it as unused instead so the
8237 	 * driver won't look at the data.
8238 	 */
8239 	if (statype != CFG80211_STA_AP_CLIENT_UNASSOC &&
8240 	    statype != CFG80211_STA_TDLS_PEER_SETUP)
8241 		params->link_sta_params.opmode_notif_used = false;
8242 
8243 	return 0;
8244 }
8245 EXPORT_SYMBOL(cfg80211_check_station_change);
8246 
8247 /*
8248  * Get vlan interface making sure it is running and on the right wiphy.
8249  */
8250 static struct net_device *get_vlan(struct genl_info *info,
8251 				   struct cfg80211_registered_device *rdev)
8252 {
8253 	struct nlattr *vlanattr = info->attrs[NL80211_ATTR_STA_VLAN];
8254 	struct net_device *v;
8255 	int ret;
8256 
8257 	if (!vlanattr)
8258 		return NULL;
8259 
8260 	v = dev_get_by_index(genl_info_net(info), nla_get_u32(vlanattr));
8261 	if (!v)
8262 		return ERR_PTR(-ENODEV);
8263 
8264 	if (!v->ieee80211_ptr || v->ieee80211_ptr->wiphy != &rdev->wiphy) {
8265 		ret = -EINVAL;
8266 		goto error;
8267 	}
8268 
8269 	if (v->ieee80211_ptr->iftype != NL80211_IFTYPE_AP_VLAN &&
8270 	    v->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
8271 	    v->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO) {
8272 		ret = -EINVAL;
8273 		goto error;
8274 	}
8275 
8276 	if (!netif_running(v)) {
8277 		ret = -ENETDOWN;
8278 		goto error;
8279 	}
8280 
8281 	return v;
8282  error:
8283 	dev_put(v);
8284 	return ERR_PTR(ret);
8285 }
8286 
8287 static int nl80211_parse_sta_wme(struct genl_info *info,
8288 				 struct station_parameters *params)
8289 {
8290 	struct nlattr *tb[NL80211_STA_WME_MAX + 1];
8291 	struct nlattr *nla;
8292 	int err;
8293 
8294 	/* parse WME attributes if present */
8295 	if (!info->attrs[NL80211_ATTR_STA_WME])
8296 		return 0;
8297 
8298 	nla = info->attrs[NL80211_ATTR_STA_WME];
8299 	err = nla_parse_nested_deprecated(tb, NL80211_STA_WME_MAX, nla,
8300 					  nl80211_sta_wme_policy,
8301 					  info->extack);
8302 	if (err)
8303 		return err;
8304 
8305 	if (tb[NL80211_STA_WME_UAPSD_QUEUES])
8306 		params->uapsd_queues = nla_get_u8(
8307 			tb[NL80211_STA_WME_UAPSD_QUEUES]);
8308 	if (params->uapsd_queues & ~IEEE80211_WMM_IE_STA_QOSINFO_AC_MASK)
8309 		return -EINVAL;
8310 
8311 	if (tb[NL80211_STA_WME_MAX_SP])
8312 		params->max_sp = nla_get_u8(tb[NL80211_STA_WME_MAX_SP]);
8313 
8314 	if (params->max_sp & ~IEEE80211_WMM_IE_STA_QOSINFO_SP_MASK)
8315 		return -EINVAL;
8316 
8317 	params->sta_modify_mask |= STATION_PARAM_APPLY_UAPSD;
8318 
8319 	return 0;
8320 }
8321 
8322 static int nl80211_parse_sta_channel_info(struct genl_info *info,
8323 				      struct station_parameters *params)
8324 {
8325 	if (info->attrs[NL80211_ATTR_STA_SUPPORTED_CHANNELS]) {
8326 		params->supported_channels =
8327 		     nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_CHANNELS]);
8328 		params->supported_channels_len =
8329 		     nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_CHANNELS]);
8330 		/*
8331 		 * Need to include at least one (first channel, number of
8332 		 * channels) tuple for each subband (checked in policy),
8333 		 * and must have proper tuples for the rest of the data as well.
8334 		 */
8335 		if (params->supported_channels_len % 2)
8336 			return -EINVAL;
8337 	}
8338 
8339 	if (info->attrs[NL80211_ATTR_STA_SUPPORTED_OPER_CLASSES]) {
8340 		params->supported_oper_classes =
8341 		 nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_OPER_CLASSES]);
8342 		params->supported_oper_classes_len =
8343 		  nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_OPER_CLASSES]);
8344 	}
8345 	return 0;
8346 }
8347 
8348 static int nl80211_set_station_tdls(struct genl_info *info,
8349 				    struct station_parameters *params)
8350 {
8351 	int err;
8352 	/* Dummy STA entry gets updated once the peer capabilities are known */
8353 	if (info->attrs[NL80211_ATTR_PEER_AID])
8354 		params->aid = nla_get_u16(info->attrs[NL80211_ATTR_PEER_AID]);
8355 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY])
8356 		params->link_sta_params.ht_capa =
8357 			nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]);
8358 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY])
8359 		params->link_sta_params.vht_capa =
8360 			nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]);
8361 	if (info->attrs[NL80211_ATTR_HE_CAPABILITY]) {
8362 		params->link_sta_params.he_capa =
8363 			nla_data(info->attrs[NL80211_ATTR_HE_CAPABILITY]);
8364 		params->link_sta_params.he_capa_len =
8365 			nla_len(info->attrs[NL80211_ATTR_HE_CAPABILITY]);
8366 
8367 		if (info->attrs[NL80211_ATTR_EHT_CAPABILITY]) {
8368 			params->link_sta_params.eht_capa =
8369 				nla_data(info->attrs[NL80211_ATTR_EHT_CAPABILITY]);
8370 			params->link_sta_params.eht_capa_len =
8371 				nla_len(info->attrs[NL80211_ATTR_EHT_CAPABILITY]);
8372 
8373 			if (!ieee80211_eht_capa_size_ok((const u8 *)params->link_sta_params.he_capa,
8374 							(const u8 *)params->link_sta_params.eht_capa,
8375 							params->link_sta_params.eht_capa_len,
8376 							false))
8377 				return -EINVAL;
8378 		}
8379 	}
8380 
8381 	if (info->attrs[NL80211_ATTR_UHR_CAPABILITY]) {
8382 		if (!params->link_sta_params.eht_capa)
8383 			return -EINVAL;
8384 
8385 		params->link_sta_params.uhr_capa =
8386 			nla_data(info->attrs[NL80211_ATTR_UHR_CAPABILITY]);
8387 		params->link_sta_params.uhr_capa_len =
8388 			nla_len(info->attrs[NL80211_ATTR_UHR_CAPABILITY]);
8389 	}
8390 
8391 	if (info->attrs[NL80211_ATTR_S1G_CAPABILITY])
8392 		params->link_sta_params.s1g_capa =
8393 			nla_data(info->attrs[NL80211_ATTR_S1G_CAPABILITY]);
8394 
8395 	err = nl80211_parse_sta_channel_info(info, params);
8396 	if (err)
8397 		return err;
8398 
8399 	return nl80211_parse_sta_wme(info, params);
8400 }
8401 
8402 static int nl80211_parse_sta_txpower_setting(struct genl_info *info,
8403 					     struct sta_txpwr *txpwr,
8404 					     bool *txpwr_set)
8405 {
8406 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8407 	int idx;
8408 
8409 	if (info->attrs[NL80211_ATTR_STA_TX_POWER_SETTING]) {
8410 		if (!rdev->ops->set_tx_power ||
8411 		    !wiphy_ext_feature_isset(&rdev->wiphy,
8412 					 NL80211_EXT_FEATURE_STA_TX_PWR))
8413 			return -EOPNOTSUPP;
8414 
8415 		idx = NL80211_ATTR_STA_TX_POWER_SETTING;
8416 		txpwr->type = nla_get_u8(info->attrs[idx]);
8417 
8418 		if (txpwr->type == NL80211_TX_POWER_LIMITED) {
8419 			idx = NL80211_ATTR_STA_TX_POWER;
8420 
8421 			if (info->attrs[idx])
8422 				txpwr->power = nla_get_s16(info->attrs[idx]);
8423 			else
8424 				return -EINVAL;
8425 		}
8426 
8427 		*txpwr_set = true;
8428 	} else {
8429 		*txpwr_set = false;
8430 	}
8431 
8432 	return 0;
8433 }
8434 
8435 static int nl80211_set_station(struct sk_buff *skb, struct genl_info *info)
8436 {
8437 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8438 	struct net_device *dev = info->user_ptr[1];
8439 	struct station_parameters params;
8440 	u8 *mac_addr;
8441 	int err;
8442 
8443 	memset(&params, 0, sizeof(params));
8444 
8445 	if (!rdev->ops->change_station)
8446 		return -EOPNOTSUPP;
8447 
8448 	/*
8449 	 * AID and listen_interval properties can be set only for unassociated
8450 	 * station. Include these parameters here and will check them in
8451 	 * cfg80211_check_station_change().
8452 	 */
8453 	if (info->attrs[NL80211_ATTR_STA_AID])
8454 		params.aid = nla_get_u16(info->attrs[NL80211_ATTR_STA_AID]);
8455 
8456 	if (info->attrs[NL80211_ATTR_VLAN_ID])
8457 		params.vlan_id = nla_get_u16(info->attrs[NL80211_ATTR_VLAN_ID]);
8458 
8459 	if (info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL])
8460 		params.listen_interval =
8461 		     nla_get_u16(info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL]);
8462 	else
8463 		params.listen_interval = -1;
8464 
8465 	if (info->attrs[NL80211_ATTR_STA_SUPPORT_P2P_PS])
8466 		params.support_p2p_ps =
8467 			nla_get_u8(info->attrs[NL80211_ATTR_STA_SUPPORT_P2P_PS]);
8468 	else
8469 		params.support_p2p_ps = -1;
8470 
8471 	if (!info->attrs[NL80211_ATTR_MAC])
8472 		return -EINVAL;
8473 
8474 	params.link_sta_params.link_id =
8475 		nl80211_link_id_or_invalid(info->attrs);
8476 
8477 	if (info->attrs[NL80211_ATTR_MLD_ADDR]) {
8478 		/* If MLD_ADDR attribute is set then this is an MLD station
8479 		 * and the MLD_ADDR attribute holds the MLD address and the
8480 		 * MAC attribute holds for the LINK address.
8481 		 * In that case, the link_id is also expected to be valid.
8482 		 */
8483 		if (params.link_sta_params.link_id < 0)
8484 			return -EINVAL;
8485 
8486 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MLD_ADDR]);
8487 		params.link_sta_params.mld_mac = mac_addr;
8488 		params.link_sta_params.link_mac =
8489 			nla_data(info->attrs[NL80211_ATTR_MAC]);
8490 		if (!is_valid_ether_addr(params.link_sta_params.link_mac))
8491 			return -EINVAL;
8492 	} else {
8493 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
8494 	}
8495 
8496 
8497 	if (info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]) {
8498 		params.link_sta_params.supported_rates =
8499 			nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
8500 		params.link_sta_params.supported_rates_len =
8501 			nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
8502 	}
8503 
8504 	if (info->attrs[NL80211_ATTR_STA_CAPABILITY]) {
8505 		params.capability =
8506 			nla_get_u16(info->attrs[NL80211_ATTR_STA_CAPABILITY]);
8507 		params.sta_modify_mask |= STATION_PARAM_APPLY_CAPABILITY;
8508 	}
8509 
8510 	if (info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]) {
8511 		params.ext_capab =
8512 			nla_data(info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]);
8513 		params.ext_capab_len =
8514 			nla_len(info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]);
8515 	}
8516 
8517 	if (parse_station_flags(info, dev->ieee80211_ptr->iftype, &params))
8518 		return -EINVAL;
8519 
8520 	if (info->attrs[NL80211_ATTR_STA_PLINK_ACTION])
8521 		params.plink_action =
8522 			nla_get_u8(info->attrs[NL80211_ATTR_STA_PLINK_ACTION]);
8523 
8524 	if (info->attrs[NL80211_ATTR_STA_PLINK_STATE]) {
8525 		params.plink_state =
8526 			nla_get_u8(info->attrs[NL80211_ATTR_STA_PLINK_STATE]);
8527 		if (info->attrs[NL80211_ATTR_MESH_PEER_AID])
8528 			params.peer_aid = nla_get_u16(
8529 				info->attrs[NL80211_ATTR_MESH_PEER_AID]);
8530 		params.sta_modify_mask |= STATION_PARAM_APPLY_PLINK_STATE;
8531 	}
8532 
8533 	if (info->attrs[NL80211_ATTR_LOCAL_MESH_POWER_MODE])
8534 		params.local_pm = nla_get_u32(
8535 			info->attrs[NL80211_ATTR_LOCAL_MESH_POWER_MODE]);
8536 
8537 	if (info->attrs[NL80211_ATTR_OPMODE_NOTIF]) {
8538 		params.link_sta_params.opmode_notif_used = true;
8539 		params.link_sta_params.opmode_notif =
8540 			nla_get_u8(info->attrs[NL80211_ATTR_OPMODE_NOTIF]);
8541 	}
8542 
8543 	if (info->attrs[NL80211_ATTR_HE_6GHZ_CAPABILITY])
8544 		params.link_sta_params.he_6ghz_capa =
8545 			nla_data(info->attrs[NL80211_ATTR_HE_6GHZ_CAPABILITY]);
8546 
8547 	if (info->attrs[NL80211_ATTR_EML_CAPABILITY]) {
8548 		params.eml_cap_present = true;
8549 		params.eml_cap =
8550 			nla_get_u16(info->attrs[NL80211_ATTR_EML_CAPABILITY]);
8551 	}
8552 
8553 	if (info->attrs[NL80211_ATTR_AIRTIME_WEIGHT])
8554 		params.airtime_weight =
8555 			nla_get_u16(info->attrs[NL80211_ATTR_AIRTIME_WEIGHT]);
8556 
8557 	if (params.airtime_weight &&
8558 	    !wiphy_ext_feature_isset(&rdev->wiphy,
8559 				     NL80211_EXT_FEATURE_AIRTIME_FAIRNESS))
8560 		return -EOPNOTSUPP;
8561 
8562 	err = nl80211_parse_sta_txpower_setting(info,
8563 						&params.link_sta_params.txpwr,
8564 						&params.link_sta_params.txpwr_set);
8565 	if (err)
8566 		return err;
8567 
8568 	/* Include parameters for TDLS peer (will check later) */
8569 	err = nl80211_set_station_tdls(info, &params);
8570 	if (err)
8571 		return err;
8572 
8573 	params.vlan = get_vlan(info, rdev);
8574 	if (IS_ERR(params.vlan))
8575 		return PTR_ERR(params.vlan);
8576 
8577 	switch (dev->ieee80211_ptr->iftype) {
8578 	case NL80211_IFTYPE_AP:
8579 	case NL80211_IFTYPE_AP_VLAN:
8580 	case NL80211_IFTYPE_P2P_GO:
8581 	case NL80211_IFTYPE_P2P_CLIENT:
8582 	case NL80211_IFTYPE_STATION:
8583 	case NL80211_IFTYPE_ADHOC:
8584 	case NL80211_IFTYPE_MESH_POINT:
8585 		break;
8586 	default:
8587 		err = -EOPNOTSUPP;
8588 		goto out_put_vlan;
8589 	}
8590 
8591 	/* driver will call cfg80211_check_station_change() */
8592 	err = rdev_change_station(rdev, dev, mac_addr, &params);
8593 
8594  out_put_vlan:
8595 	dev_put(params.vlan);
8596 
8597 	return err;
8598 }
8599 
8600 static int nl80211_new_station(struct sk_buff *skb, struct genl_info *info)
8601 {
8602 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8603 	int err;
8604 	struct net_device *dev = info->user_ptr[1];
8605 	struct wireless_dev *wdev = dev->ieee80211_ptr;
8606 	struct station_parameters params;
8607 	u8 *mac_addr = NULL;
8608 	u32 auth_assoc = BIT(NL80211_STA_FLAG_AUTHENTICATED) |
8609 			 BIT(NL80211_STA_FLAG_ASSOCIATED);
8610 
8611 	memset(&params, 0, sizeof(params));
8612 
8613 	if (!rdev->ops->add_station)
8614 		return -EOPNOTSUPP;
8615 
8616 	if (!info->attrs[NL80211_ATTR_MAC])
8617 		return -EINVAL;
8618 
8619 	if (!info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL])
8620 		return -EINVAL;
8621 
8622 	if (!info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES])
8623 		return -EINVAL;
8624 
8625 	if (!info->attrs[NL80211_ATTR_STA_AID] &&
8626 	    !info->attrs[NL80211_ATTR_PEER_AID])
8627 		return -EINVAL;
8628 
8629 	params.link_sta_params.link_id =
8630 		nl80211_link_id_or_invalid(info->attrs);
8631 
8632 	if (info->attrs[NL80211_ATTR_MLD_ADDR]) {
8633 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MLD_ADDR]);
8634 		params.link_sta_params.mld_mac = mac_addr;
8635 		params.link_sta_params.link_mac =
8636 			nla_data(info->attrs[NL80211_ATTR_MAC]);
8637 		if (!is_valid_ether_addr(params.link_sta_params.link_mac))
8638 			return -EINVAL;
8639 	} else {
8640 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
8641 	}
8642 
8643 	params.link_sta_params.supported_rates =
8644 		nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
8645 	params.link_sta_params.supported_rates_len =
8646 		nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
8647 	params.listen_interval =
8648 		nla_get_u16(info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL]);
8649 
8650 	if (info->attrs[NL80211_ATTR_VLAN_ID])
8651 		params.vlan_id = nla_get_u16(info->attrs[NL80211_ATTR_VLAN_ID]);
8652 
8653 	if (info->attrs[NL80211_ATTR_STA_SUPPORT_P2P_PS]) {
8654 		params.support_p2p_ps =
8655 			nla_get_u8(info->attrs[NL80211_ATTR_STA_SUPPORT_P2P_PS]);
8656 	} else {
8657 		/*
8658 		 * if not specified, assume it's supported for P2P GO interface,
8659 		 * and is NOT supported for AP interface
8660 		 */
8661 		params.support_p2p_ps =
8662 			dev->ieee80211_ptr->iftype == NL80211_IFTYPE_P2P_GO;
8663 	}
8664 
8665 	if (info->attrs[NL80211_ATTR_PEER_AID])
8666 		params.aid = nla_get_u16(info->attrs[NL80211_ATTR_PEER_AID]);
8667 	else
8668 		params.aid = nla_get_u16(info->attrs[NL80211_ATTR_STA_AID]);
8669 
8670 	if (info->attrs[NL80211_ATTR_STA_CAPABILITY]) {
8671 		params.capability =
8672 			nla_get_u16(info->attrs[NL80211_ATTR_STA_CAPABILITY]);
8673 		params.sta_modify_mask |= STATION_PARAM_APPLY_CAPABILITY;
8674 	}
8675 
8676 	if (info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]) {
8677 		params.ext_capab =
8678 			nla_data(info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]);
8679 		params.ext_capab_len =
8680 			nla_len(info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]);
8681 	}
8682 
8683 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY])
8684 		params.link_sta_params.ht_capa =
8685 			nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]);
8686 
8687 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY])
8688 		params.link_sta_params.vht_capa =
8689 			nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]);
8690 
8691 	if (info->attrs[NL80211_ATTR_HE_CAPABILITY]) {
8692 		params.link_sta_params.he_capa =
8693 			nla_data(info->attrs[NL80211_ATTR_HE_CAPABILITY]);
8694 		params.link_sta_params.he_capa_len =
8695 			nla_len(info->attrs[NL80211_ATTR_HE_CAPABILITY]);
8696 
8697 		if (info->attrs[NL80211_ATTR_EHT_CAPABILITY]) {
8698 			params.link_sta_params.eht_capa =
8699 				nla_data(info->attrs[NL80211_ATTR_EHT_CAPABILITY]);
8700 			params.link_sta_params.eht_capa_len =
8701 				nla_len(info->attrs[NL80211_ATTR_EHT_CAPABILITY]);
8702 
8703 			if (!ieee80211_eht_capa_size_ok((const u8 *)params.link_sta_params.he_capa,
8704 							(const u8 *)params.link_sta_params.eht_capa,
8705 							params.link_sta_params.eht_capa_len,
8706 							false))
8707 				return -EINVAL;
8708 		}
8709 	}
8710 
8711 	if (info->attrs[NL80211_ATTR_UHR_CAPABILITY]) {
8712 		if (!params.link_sta_params.eht_capa)
8713 			return -EINVAL;
8714 
8715 		params.link_sta_params.uhr_capa =
8716 			nla_data(info->attrs[NL80211_ATTR_UHR_CAPABILITY]);
8717 		params.link_sta_params.uhr_capa_len =
8718 			nla_len(info->attrs[NL80211_ATTR_UHR_CAPABILITY]);
8719 	}
8720 
8721 	if (info->attrs[NL80211_ATTR_EML_CAPABILITY]) {
8722 		params.eml_cap_present = true;
8723 		params.eml_cap =
8724 			nla_get_u16(info->attrs[NL80211_ATTR_EML_CAPABILITY]);
8725 	}
8726 
8727 	if (info->attrs[NL80211_ATTR_HE_6GHZ_CAPABILITY])
8728 		params.link_sta_params.he_6ghz_capa =
8729 			nla_data(info->attrs[NL80211_ATTR_HE_6GHZ_CAPABILITY]);
8730 
8731 	if (info->attrs[NL80211_ATTR_S1G_CAPABILITY])
8732 		params.link_sta_params.s1g_capa =
8733 			nla_data(info->attrs[NL80211_ATTR_S1G_CAPABILITY]);
8734 
8735 	if (info->attrs[NL80211_ATTR_OPMODE_NOTIF]) {
8736 		params.link_sta_params.opmode_notif_used = true;
8737 		params.link_sta_params.opmode_notif =
8738 			nla_get_u8(info->attrs[NL80211_ATTR_OPMODE_NOTIF]);
8739 	}
8740 
8741 	if (info->attrs[NL80211_ATTR_STA_PLINK_ACTION])
8742 		params.plink_action =
8743 			nla_get_u8(info->attrs[NL80211_ATTR_STA_PLINK_ACTION]);
8744 
8745 	if (info->attrs[NL80211_ATTR_AIRTIME_WEIGHT])
8746 		params.airtime_weight =
8747 			nla_get_u16(info->attrs[NL80211_ATTR_AIRTIME_WEIGHT]);
8748 
8749 	if (params.airtime_weight &&
8750 	    !wiphy_ext_feature_isset(&rdev->wiphy,
8751 				     NL80211_EXT_FEATURE_AIRTIME_FAIRNESS))
8752 		return -EOPNOTSUPP;
8753 
8754 	err = nl80211_parse_sta_txpower_setting(info,
8755 						&params.link_sta_params.txpwr,
8756 						&params.link_sta_params.txpwr_set);
8757 	if (err)
8758 		return err;
8759 
8760 	err = nl80211_parse_sta_channel_info(info, &params);
8761 	if (err)
8762 		return err;
8763 
8764 	err = nl80211_parse_sta_wme(info, &params);
8765 	if (err)
8766 		return err;
8767 
8768 	if (parse_station_flags(info, dev->ieee80211_ptr->iftype, &params))
8769 		return -EINVAL;
8770 
8771 	/* HT/VHT requires QoS, but if we don't have that just ignore HT/VHT
8772 	 * as userspace might just pass through the capabilities from the IEs
8773 	 * directly, rather than enforcing this restriction and returning an
8774 	 * error in this case.
8775 	 */
8776 	if (!(params.sta_flags_set & BIT(NL80211_STA_FLAG_WME))) {
8777 		params.link_sta_params.ht_capa = NULL;
8778 		params.link_sta_params.vht_capa = NULL;
8779 
8780 		/* HE, EHT and UHR require WME */
8781 		if (params.link_sta_params.he_capa_len ||
8782 		    params.link_sta_params.he_6ghz_capa ||
8783 		    params.link_sta_params.eht_capa_len ||
8784 		    params.link_sta_params.uhr_capa_len)
8785 			return -EINVAL;
8786 	}
8787 
8788 	/* Ensure that HT/VHT capabilities are not set for 6 GHz HE STA */
8789 	if (params.link_sta_params.he_6ghz_capa &&
8790 	    (params.link_sta_params.ht_capa || params.link_sta_params.vht_capa))
8791 		return -EINVAL;
8792 
8793 	/* When you run into this, adjust the code below for the new flag */
8794 	BUILD_BUG_ON(NL80211_STA_FLAG_MAX != 8);
8795 
8796 	switch (dev->ieee80211_ptr->iftype) {
8797 	case NL80211_IFTYPE_AP:
8798 	case NL80211_IFTYPE_AP_VLAN:
8799 	case NL80211_IFTYPE_P2P_GO:
8800 		/* ignore WME attributes if iface/sta is not capable */
8801 		if (!(rdev->wiphy.flags & WIPHY_FLAG_AP_UAPSD) ||
8802 		    !(params.sta_flags_set & BIT(NL80211_STA_FLAG_WME)))
8803 			params.sta_modify_mask &= ~STATION_PARAM_APPLY_UAPSD;
8804 
8805 		/* TDLS peers cannot be added */
8806 		if ((params.sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)) ||
8807 		    info->attrs[NL80211_ATTR_PEER_AID])
8808 			return -EINVAL;
8809 		/* but don't bother the driver with it */
8810 		params.sta_flags_mask &= ~BIT(NL80211_STA_FLAG_TDLS_PEER);
8811 
8812 		/* allow authenticated/associated only if driver handles it */
8813 		if (!(rdev->wiphy.features &
8814 				NL80211_FEATURE_FULL_AP_CLIENT_STATE) &&
8815 		    params.sta_flags_mask & auth_assoc)
8816 			return -EINVAL;
8817 
8818 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
8819 					     NL80211_EXT_FEATURE_SPP_AMSDU_SUPPORT) &&
8820 		    params.sta_flags_mask & BIT(NL80211_STA_FLAG_SPP_AMSDU))
8821 			return -EINVAL;
8822 
8823 		/* Older userspace, or userspace wanting to be compatible with
8824 		 * !NL80211_FEATURE_FULL_AP_CLIENT_STATE, will not set the auth
8825 		 * and assoc flags in the mask, but assumes the station will be
8826 		 * added as associated anyway since this was the required driver
8827 		 * behaviour before NL80211_FEATURE_FULL_AP_CLIENT_STATE was
8828 		 * introduced.
8829 		 * In order to not bother drivers with this quirk in the API
8830 		 * set the flags in both the mask and set for new stations in
8831 		 * this case.
8832 		 */
8833 		if (!(params.sta_flags_mask & auth_assoc)) {
8834 			params.sta_flags_mask |= auth_assoc;
8835 			params.sta_flags_set |= auth_assoc;
8836 		}
8837 
8838 		/* must be last in here for error handling */
8839 		params.vlan = get_vlan(info, rdev);
8840 		if (IS_ERR(params.vlan))
8841 			return PTR_ERR(params.vlan);
8842 		break;
8843 	case NL80211_IFTYPE_MESH_POINT:
8844 		/* ignore uAPSD data */
8845 		params.sta_modify_mask &= ~STATION_PARAM_APPLY_UAPSD;
8846 
8847 		/* associated is disallowed */
8848 		if (params.sta_flags_mask & BIT(NL80211_STA_FLAG_ASSOCIATED))
8849 			return -EINVAL;
8850 		/* TDLS peers cannot be added */
8851 		if ((params.sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)) ||
8852 		    info->attrs[NL80211_ATTR_PEER_AID])
8853 			return -EINVAL;
8854 		break;
8855 	case NL80211_IFTYPE_STATION:
8856 	case NL80211_IFTYPE_P2P_CLIENT:
8857 		/* ignore uAPSD data */
8858 		params.sta_modify_mask &= ~STATION_PARAM_APPLY_UAPSD;
8859 
8860 		/* these are disallowed */
8861 		if (params.sta_flags_mask &
8862 				(BIT(NL80211_STA_FLAG_ASSOCIATED) |
8863 				 BIT(NL80211_STA_FLAG_AUTHENTICATED)))
8864 			return -EINVAL;
8865 		/* Only TDLS peers can be added */
8866 		if (!(params.sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)))
8867 			return -EINVAL;
8868 		/* Can only add if TDLS ... */
8869 		if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS))
8870 			return -EOPNOTSUPP;
8871 		/* ... with external setup is supported */
8872 		if (!(rdev->wiphy.flags & WIPHY_FLAG_TDLS_EXTERNAL_SETUP))
8873 			return -EOPNOTSUPP;
8874 		/*
8875 		 * Older wpa_supplicant versions always mark the TDLS peer
8876 		 * as authorized, but it shouldn't yet be.
8877 		 */
8878 		params.sta_flags_mask &= ~BIT(NL80211_STA_FLAG_AUTHORIZED);
8879 		break;
8880 	default:
8881 		return -EOPNOTSUPP;
8882 	}
8883 
8884 	/* be aware of params.vlan when changing code here */
8885 
8886 	if (wdev->valid_links) {
8887 		if (params.link_sta_params.link_id < 0) {
8888 			err = -EINVAL;
8889 			goto out;
8890 		}
8891 		if (!(wdev->valid_links & BIT(params.link_sta_params.link_id))) {
8892 			err = -ENOLINK;
8893 			goto out;
8894 		}
8895 	} else {
8896 		if (params.link_sta_params.link_id >= 0) {
8897 			err = -EINVAL;
8898 			goto out;
8899 		}
8900 	}
8901 
8902 	params.epp_peer =
8903 		nla_get_flag(info->attrs[NL80211_ATTR_EPP_PEER]);
8904 
8905 	err = rdev_add_station(rdev, dev, mac_addr, &params);
8906 out:
8907 	dev_put(params.vlan);
8908 	return err;
8909 }
8910 
8911 static int nl80211_del_station(struct sk_buff *skb, struct genl_info *info)
8912 {
8913 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8914 	struct net_device *dev = info->user_ptr[1];
8915 	struct wireless_dev *wdev = dev->ieee80211_ptr;
8916 	struct station_del_parameters params;
8917 	int link_id = nl80211_link_id_or_invalid(info->attrs);
8918 
8919 	memset(&params, 0, sizeof(params));
8920 
8921 	if (info->attrs[NL80211_ATTR_MAC])
8922 		params.mac = nla_data(info->attrs[NL80211_ATTR_MAC]);
8923 
8924 	switch (wdev->iftype) {
8925 	case NL80211_IFTYPE_AP:
8926 	case NL80211_IFTYPE_AP_VLAN:
8927 	case NL80211_IFTYPE_MESH_POINT:
8928 	case NL80211_IFTYPE_P2P_GO:
8929 		/* always accept these */
8930 		break;
8931 	case NL80211_IFTYPE_ADHOC:
8932 		/* conditionally accept */
8933 		if (wiphy_ext_feature_isset(&rdev->wiphy,
8934 					    NL80211_EXT_FEATURE_DEL_IBSS_STA))
8935 			break;
8936 		return -EINVAL;
8937 	default:
8938 		return -EINVAL;
8939 	}
8940 
8941 	if (!rdev->ops->del_station)
8942 		return -EOPNOTSUPP;
8943 
8944 	if (info->attrs[NL80211_ATTR_MGMT_SUBTYPE]) {
8945 		params.subtype =
8946 			nla_get_u8(info->attrs[NL80211_ATTR_MGMT_SUBTYPE]);
8947 		if (params.subtype != IEEE80211_STYPE_DISASSOC >> 4 &&
8948 		    params.subtype != IEEE80211_STYPE_DEAUTH >> 4)
8949 			return -EINVAL;
8950 	} else {
8951 		/* Default to Deauthentication frame */
8952 		params.subtype = IEEE80211_STYPE_DEAUTH >> 4;
8953 	}
8954 
8955 	if (info->attrs[NL80211_ATTR_REASON_CODE]) {
8956 		params.reason_code =
8957 			nla_get_u16(info->attrs[NL80211_ATTR_REASON_CODE]);
8958 		if (params.reason_code == 0)
8959 			return -EINVAL; /* 0 is reserved */
8960 	} else {
8961 		/* Default to reason code 2 */
8962 		params.reason_code = WLAN_REASON_PREV_AUTH_NOT_VALID;
8963 	}
8964 
8965 	/* Link ID not expected in case of non-ML operation */
8966 	if (!wdev->valid_links && link_id != -1)
8967 		return -EINVAL;
8968 
8969 	/* If given, a valid link ID should be passed during MLO */
8970 	if (wdev->valid_links && link_id >= 0 &&
8971 	    !(wdev->valid_links & BIT(link_id)))
8972 		return -EINVAL;
8973 
8974 	params.link_id = link_id;
8975 
8976 	return rdev_del_station(rdev, dev, &params);
8977 }
8978 
8979 static int nl80211_send_mpath(struct sk_buff *msg, u32 portid, u32 seq,
8980 				int flags, struct net_device *dev,
8981 				u8 *dst, u8 *next_hop,
8982 				struct mpath_info *pinfo)
8983 {
8984 	void *hdr;
8985 	struct nlattr *pinfoattr;
8986 
8987 	hdr = nl80211hdr_put(msg, portid, seq, flags, NL80211_CMD_NEW_MPATH);
8988 	if (!hdr)
8989 		return -1;
8990 
8991 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
8992 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, dst) ||
8993 	    nla_put(msg, NL80211_ATTR_MPATH_NEXT_HOP, ETH_ALEN, next_hop) ||
8994 	    nla_put_u32(msg, NL80211_ATTR_GENERATION, pinfo->generation))
8995 		goto nla_put_failure;
8996 
8997 	pinfoattr = nla_nest_start_noflag(msg, NL80211_ATTR_MPATH_INFO);
8998 	if (!pinfoattr)
8999 		goto nla_put_failure;
9000 	if ((pinfo->filled & MPATH_INFO_FRAME_QLEN) &&
9001 	    nla_put_u32(msg, NL80211_MPATH_INFO_FRAME_QLEN,
9002 			pinfo->frame_qlen))
9003 		goto nla_put_failure;
9004 	if (((pinfo->filled & MPATH_INFO_SN) &&
9005 	     nla_put_u32(msg, NL80211_MPATH_INFO_SN, pinfo->sn)) ||
9006 	    ((pinfo->filled & MPATH_INFO_METRIC) &&
9007 	     nla_put_u32(msg, NL80211_MPATH_INFO_METRIC,
9008 			 pinfo->metric)) ||
9009 	    ((pinfo->filled & MPATH_INFO_EXPTIME) &&
9010 	     nla_put_u32(msg, NL80211_MPATH_INFO_EXPTIME,
9011 			 pinfo->exptime)) ||
9012 	    ((pinfo->filled & MPATH_INFO_FLAGS) &&
9013 	     nla_put_u8(msg, NL80211_MPATH_INFO_FLAGS,
9014 			pinfo->flags)) ||
9015 	    ((pinfo->filled & MPATH_INFO_DISCOVERY_TIMEOUT) &&
9016 	     nla_put_u32(msg, NL80211_MPATH_INFO_DISCOVERY_TIMEOUT,
9017 			 pinfo->discovery_timeout)) ||
9018 	    ((pinfo->filled & MPATH_INFO_DISCOVERY_RETRIES) &&
9019 	     nla_put_u8(msg, NL80211_MPATH_INFO_DISCOVERY_RETRIES,
9020 			pinfo->discovery_retries)) ||
9021 	    ((pinfo->filled & MPATH_INFO_HOP_COUNT) &&
9022 	     nla_put_u8(msg, NL80211_MPATH_INFO_HOP_COUNT,
9023 			pinfo->hop_count)) ||
9024 	    ((pinfo->filled & MPATH_INFO_PATH_CHANGE) &&
9025 	     nla_put_u32(msg, NL80211_MPATH_INFO_PATH_CHANGE,
9026 			 pinfo->path_change_count)))
9027 		goto nla_put_failure;
9028 
9029 	nla_nest_end(msg, pinfoattr);
9030 
9031 	genlmsg_end(msg, hdr);
9032 	return 0;
9033 
9034  nla_put_failure:
9035 	genlmsg_cancel(msg, hdr);
9036 	return -EMSGSIZE;
9037 }
9038 
9039 static int nl80211_dump_mpath(struct sk_buff *skb,
9040 			      struct netlink_callback *cb)
9041 {
9042 	struct mpath_info pinfo;
9043 	struct cfg80211_registered_device *rdev;
9044 	struct wireless_dev *wdev;
9045 	u8 dst[ETH_ALEN];
9046 	u8 next_hop[ETH_ALEN];
9047 	int path_idx = cb->args[2];
9048 	int err;
9049 
9050 	err = nl80211_prepare_wdev_dump(cb, &rdev, &wdev, NULL);
9051 	if (err)
9052 		return err;
9053 	/* nl80211_prepare_wdev_dump acquired it in the successful case */
9054 	__acquire(&rdev->wiphy.mtx);
9055 
9056 	if (!rdev->ops->dump_mpath) {
9057 		err = -EOPNOTSUPP;
9058 		goto out_err;
9059 	}
9060 
9061 	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT) {
9062 		err = -EOPNOTSUPP;
9063 		goto out_err;
9064 	}
9065 
9066 	while (1) {
9067 		err = rdev_dump_mpath(rdev, wdev->netdev, path_idx, dst,
9068 				      next_hop, &pinfo);
9069 		if (err == -ENOENT)
9070 			break;
9071 		if (err)
9072 			goto out_err;
9073 
9074 		if (nl80211_send_mpath(skb, NETLINK_CB(cb->skb).portid,
9075 				       cb->nlh->nlmsg_seq, NLM_F_MULTI,
9076 				       wdev->netdev, dst, next_hop,
9077 				       &pinfo) < 0)
9078 			goto out;
9079 
9080 		path_idx++;
9081 	}
9082 
9083  out:
9084 	cb->args[2] = path_idx;
9085 	err = skb->len;
9086  out_err:
9087 	wiphy_unlock(&rdev->wiphy);
9088 	return err;
9089 }
9090 
9091 static int nl80211_get_mpath(struct sk_buff *skb, struct genl_info *info)
9092 {
9093 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9094 	int err;
9095 	struct net_device *dev = info->user_ptr[1];
9096 	struct mpath_info pinfo;
9097 	struct sk_buff *msg;
9098 	u8 *dst = NULL;
9099 	u8 next_hop[ETH_ALEN];
9100 
9101 	memset(&pinfo, 0, sizeof(pinfo));
9102 
9103 	if (!info->attrs[NL80211_ATTR_MAC])
9104 		return -EINVAL;
9105 
9106 	dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
9107 
9108 	if (!rdev->ops->get_mpath)
9109 		return -EOPNOTSUPP;
9110 
9111 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
9112 		return -EOPNOTSUPP;
9113 
9114 	err = rdev_get_mpath(rdev, dev, dst, next_hop, &pinfo);
9115 	if (err)
9116 		return err;
9117 
9118 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
9119 	if (!msg)
9120 		return -ENOMEM;
9121 
9122 	if (nl80211_send_mpath(msg, info->snd_portid, info->snd_seq, 0,
9123 				 dev, dst, next_hop, &pinfo) < 0) {
9124 		nlmsg_free(msg);
9125 		return -ENOBUFS;
9126 	}
9127 
9128 	return genlmsg_reply(msg, info);
9129 }
9130 
9131 static int nl80211_set_mpath(struct sk_buff *skb, struct genl_info *info)
9132 {
9133 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9134 	struct net_device *dev = info->user_ptr[1];
9135 	u8 *dst = NULL;
9136 	u8 *next_hop = NULL;
9137 
9138 	if (!info->attrs[NL80211_ATTR_MAC])
9139 		return -EINVAL;
9140 
9141 	if (!info->attrs[NL80211_ATTR_MPATH_NEXT_HOP])
9142 		return -EINVAL;
9143 
9144 	dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
9145 	next_hop = nla_data(info->attrs[NL80211_ATTR_MPATH_NEXT_HOP]);
9146 
9147 	if (!rdev->ops->change_mpath)
9148 		return -EOPNOTSUPP;
9149 
9150 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
9151 		return -EOPNOTSUPP;
9152 
9153 	return rdev_change_mpath(rdev, dev, dst, next_hop);
9154 }
9155 
9156 static int nl80211_new_mpath(struct sk_buff *skb, struct genl_info *info)
9157 {
9158 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9159 	struct net_device *dev = info->user_ptr[1];
9160 	u8 *dst = NULL;
9161 	u8 *next_hop = NULL;
9162 
9163 	if (!info->attrs[NL80211_ATTR_MAC])
9164 		return -EINVAL;
9165 
9166 	if (!info->attrs[NL80211_ATTR_MPATH_NEXT_HOP])
9167 		return -EINVAL;
9168 
9169 	dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
9170 	next_hop = nla_data(info->attrs[NL80211_ATTR_MPATH_NEXT_HOP]);
9171 
9172 	if (!rdev->ops->add_mpath)
9173 		return -EOPNOTSUPP;
9174 
9175 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
9176 		return -EOPNOTSUPP;
9177 
9178 	return rdev_add_mpath(rdev, dev, dst, next_hop);
9179 }
9180 
9181 static int nl80211_del_mpath(struct sk_buff *skb, struct genl_info *info)
9182 {
9183 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9184 	struct net_device *dev = info->user_ptr[1];
9185 	u8 *dst = NULL;
9186 
9187 	if (info->attrs[NL80211_ATTR_MAC])
9188 		dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
9189 
9190 	if (!rdev->ops->del_mpath)
9191 		return -EOPNOTSUPP;
9192 
9193 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
9194 		return -EOPNOTSUPP;
9195 
9196 	return rdev_del_mpath(rdev, dev, dst);
9197 }
9198 
9199 static int nl80211_get_mpp(struct sk_buff *skb, struct genl_info *info)
9200 {
9201 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9202 	int err;
9203 	struct net_device *dev = info->user_ptr[1];
9204 	struct mpath_info pinfo;
9205 	struct sk_buff *msg;
9206 	u8 *dst = NULL;
9207 	u8 mpp[ETH_ALEN];
9208 
9209 	memset(&pinfo, 0, sizeof(pinfo));
9210 
9211 	if (!info->attrs[NL80211_ATTR_MAC])
9212 		return -EINVAL;
9213 
9214 	dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
9215 
9216 	if (!rdev->ops->get_mpp)
9217 		return -EOPNOTSUPP;
9218 
9219 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
9220 		return -EOPNOTSUPP;
9221 
9222 	err = rdev_get_mpp(rdev, dev, dst, mpp, &pinfo);
9223 	if (err)
9224 		return err;
9225 
9226 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
9227 	if (!msg)
9228 		return -ENOMEM;
9229 
9230 	if (nl80211_send_mpath(msg, info->snd_portid, info->snd_seq, 0,
9231 			       dev, dst, mpp, &pinfo) < 0) {
9232 		nlmsg_free(msg);
9233 		return -ENOBUFS;
9234 	}
9235 
9236 	return genlmsg_reply(msg, info);
9237 }
9238 
9239 static int nl80211_dump_mpp(struct sk_buff *skb,
9240 			    struct netlink_callback *cb)
9241 {
9242 	struct mpath_info pinfo;
9243 	struct cfg80211_registered_device *rdev;
9244 	struct wireless_dev *wdev;
9245 	u8 dst[ETH_ALEN];
9246 	u8 mpp[ETH_ALEN];
9247 	int path_idx = cb->args[2];
9248 	int err;
9249 
9250 	err = nl80211_prepare_wdev_dump(cb, &rdev, &wdev, NULL);
9251 	if (err)
9252 		return err;
9253 	/* nl80211_prepare_wdev_dump acquired it in the successful case */
9254 	__acquire(&rdev->wiphy.mtx);
9255 
9256 	if (!rdev->ops->dump_mpp) {
9257 		err = -EOPNOTSUPP;
9258 		goto out_err;
9259 	}
9260 
9261 	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT) {
9262 		err = -EOPNOTSUPP;
9263 		goto out_err;
9264 	}
9265 
9266 	while (1) {
9267 		err = rdev_dump_mpp(rdev, wdev->netdev, path_idx, dst,
9268 				    mpp, &pinfo);
9269 		if (err == -ENOENT)
9270 			break;
9271 		if (err)
9272 			goto out_err;
9273 
9274 		if (nl80211_send_mpath(skb, NETLINK_CB(cb->skb).portid,
9275 				       cb->nlh->nlmsg_seq, NLM_F_MULTI,
9276 				       wdev->netdev, dst, mpp,
9277 				       &pinfo) < 0)
9278 			goto out;
9279 
9280 		path_idx++;
9281 	}
9282 
9283  out:
9284 	cb->args[2] = path_idx;
9285 	err = skb->len;
9286  out_err:
9287 	wiphy_unlock(&rdev->wiphy);
9288 	return err;
9289 }
9290 
9291 static int nl80211_set_bss(struct sk_buff *skb, struct genl_info *info)
9292 {
9293 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9294 	struct net_device *dev = info->user_ptr[1];
9295 	struct bss_parameters params;
9296 	u32 bss_param_support = rdev->wiphy.bss_param_support;
9297 	u32 changed = 0;
9298 	bool strict;
9299 
9300 	memset(&params, 0, sizeof(params));
9301 	params.link_id = nl80211_link_id_or_invalid(info->attrs);
9302 	/* default to not changing parameters */
9303 	params.use_cts_prot = -1;
9304 	params.use_short_preamble = -1;
9305 	params.use_short_slot_time = -1;
9306 	params.ap_isolate = -1;
9307 	params.ht_opmode = -1;
9308 	params.p2p_ctwindow = -1;
9309 	params.p2p_opp_ps = -1;
9310 
9311 	strict = nla_get_flag(info->attrs[NL80211_ATTR_BSS_PARAM]);
9312 	if (info->attrs[NL80211_ATTR_BSS_CTS_PROT]) {
9313 		if (strict && !(bss_param_support & WIPHY_BSS_PARAM_CTS_PROT))
9314 			return -EINVAL;
9315 		params.use_cts_prot =
9316 		    nla_get_u8(info->attrs[NL80211_ATTR_BSS_CTS_PROT]);
9317 		changed |= WIPHY_BSS_PARAM_CTS_PROT;
9318 	}
9319 	if (info->attrs[NL80211_ATTR_BSS_SHORT_PREAMBLE]) {
9320 		if (strict &&
9321 		    !(bss_param_support & WIPHY_BSS_PARAM_SHORT_PREAMBLE))
9322 			return -EINVAL;
9323 		params.use_short_preamble =
9324 		    nla_get_u8(info->attrs[NL80211_ATTR_BSS_SHORT_PREAMBLE]);
9325 		changed |= WIPHY_BSS_PARAM_SHORT_PREAMBLE;
9326 	}
9327 	if (info->attrs[NL80211_ATTR_BSS_SHORT_SLOT_TIME]) {
9328 		if (strict &&
9329 		    !(bss_param_support & WIPHY_BSS_PARAM_SHORT_SLOT_TIME))
9330 			return -EINVAL;
9331 		params.use_short_slot_time =
9332 		    nla_get_u8(info->attrs[NL80211_ATTR_BSS_SHORT_SLOT_TIME]);
9333 		changed |= WIPHY_BSS_PARAM_SHORT_SLOT_TIME;
9334 	}
9335 	if (info->attrs[NL80211_ATTR_BSS_BASIC_RATES]) {
9336 		if (strict &&
9337 		    !(bss_param_support & WIPHY_BSS_PARAM_BASIC_RATES))
9338 			return -EINVAL;
9339 		params.basic_rates =
9340 			nla_data(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
9341 		params.basic_rates_len =
9342 			nla_len(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
9343 		changed |= WIPHY_BSS_PARAM_BASIC_RATES;
9344 	}
9345 	if (info->attrs[NL80211_ATTR_AP_ISOLATE]) {
9346 		if (strict && !(bss_param_support & WIPHY_BSS_PARAM_AP_ISOLATE))
9347 			return -EINVAL;
9348 		params.ap_isolate =
9349 			!!nla_get_u8(info->attrs[NL80211_ATTR_AP_ISOLATE]);
9350 		changed |= WIPHY_BSS_PARAM_AP_ISOLATE;
9351 	}
9352 	if (info->attrs[NL80211_ATTR_BSS_HT_OPMODE]) {
9353 		if (strict && !(bss_param_support & WIPHY_BSS_PARAM_HT_OPMODE))
9354 			return -EINVAL;
9355 		params.ht_opmode =
9356 			nla_get_u16(info->attrs[NL80211_ATTR_BSS_HT_OPMODE]);
9357 		changed |= WIPHY_BSS_PARAM_HT_OPMODE;
9358 	}
9359 
9360 	if (info->attrs[NL80211_ATTR_P2P_CTWINDOW]) {
9361 		if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
9362 			return -EINVAL;
9363 		params.p2p_ctwindow =
9364 			nla_get_u8(info->attrs[NL80211_ATTR_P2P_CTWINDOW]);
9365 		if (params.p2p_ctwindow != 0 &&
9366 		    !(bss_param_support & WIPHY_BSS_PARAM_P2P_CTWINDOW))
9367 			return -EINVAL;
9368 		changed |= WIPHY_BSS_PARAM_P2P_CTWINDOW;
9369 	}
9370 
9371 	if (info->attrs[NL80211_ATTR_P2P_OPPPS]) {
9372 		u8 tmp;
9373 
9374 		if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
9375 			return -EINVAL;
9376 		tmp = nla_get_u8(info->attrs[NL80211_ATTR_P2P_OPPPS]);
9377 		if (tmp && !(bss_param_support & WIPHY_BSS_PARAM_P2P_OPPPS))
9378 			return -EINVAL;
9379 		params.p2p_opp_ps = tmp;
9380 		if (params.p2p_opp_ps &&
9381 		    !(rdev->wiphy.bss_param_support & WIPHY_BSS_PARAM_P2P_OPPPS))
9382 			return -EINVAL;
9383 	}
9384 
9385 	if (!rdev->ops->change_bss)
9386 		return -EOPNOTSUPP;
9387 
9388 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
9389 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
9390 		return -EOPNOTSUPP;
9391 
9392 	changed &= rdev->wiphy.bss_param_support;
9393 	if (!changed)
9394 		return 0;
9395 
9396 	return rdev_change_bss(rdev, dev, &params);
9397 }
9398 
9399 static int nl80211_req_set_reg(struct sk_buff *skb, struct genl_info *info)
9400 {
9401 	char *data = NULL;
9402 	bool is_indoor;
9403 	enum nl80211_user_reg_hint_type user_reg_hint_type;
9404 	u32 owner_nlportid;
9405 
9406 	/*
9407 	 * You should only get this when cfg80211 hasn't yet initialized
9408 	 * completely when built-in to the kernel right between the time
9409 	 * window between nl80211_init() and regulatory_init(), if that is
9410 	 * even possible.
9411 	 */
9412 	if (unlikely(!rcu_access_pointer(cfg80211_regdomain)))
9413 		return -EINPROGRESS;
9414 
9415 	user_reg_hint_type =
9416 		nla_get_u32_default(info->attrs[NL80211_ATTR_USER_REG_HINT_TYPE],
9417 				    NL80211_USER_REG_HINT_USER);
9418 
9419 	switch (user_reg_hint_type) {
9420 	case NL80211_USER_REG_HINT_USER:
9421 	case NL80211_USER_REG_HINT_CELL_BASE:
9422 		if (!info->attrs[NL80211_ATTR_REG_ALPHA2])
9423 			return -EINVAL;
9424 
9425 		data = nla_data(info->attrs[NL80211_ATTR_REG_ALPHA2]);
9426 		return regulatory_hint_user(data, user_reg_hint_type);
9427 	case NL80211_USER_REG_HINT_INDOOR:
9428 		if (info->attrs[NL80211_ATTR_SOCKET_OWNER]) {
9429 			owner_nlportid = info->snd_portid;
9430 			is_indoor = !!info->attrs[NL80211_ATTR_REG_INDOOR];
9431 		} else {
9432 			owner_nlportid = 0;
9433 			is_indoor = true;
9434 		}
9435 
9436 		regulatory_hint_indoor(is_indoor, owner_nlportid);
9437 		return 0;
9438 	default:
9439 		return -EINVAL;
9440 	}
9441 }
9442 
9443 static int nl80211_reload_regdb(struct sk_buff *skb, struct genl_info *info)
9444 {
9445 	return reg_reload_regdb();
9446 }
9447 
9448 static int nl80211_get_mesh_config(struct sk_buff *skb,
9449 				   struct genl_info *info)
9450 {
9451 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9452 	struct net_device *dev = info->user_ptr[1];
9453 	struct wireless_dev *wdev = dev->ieee80211_ptr;
9454 	struct mesh_config cur_params;
9455 	int err = 0;
9456 	void *hdr;
9457 	struct nlattr *pinfoattr;
9458 	struct sk_buff *msg;
9459 
9460 	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT)
9461 		return -EOPNOTSUPP;
9462 
9463 	if (!rdev->ops->get_mesh_config)
9464 		return -EOPNOTSUPP;
9465 
9466 	/* If not connected, get default parameters */
9467 	if (!wdev->u.mesh.id_len)
9468 		memcpy(&cur_params, &default_mesh_config, sizeof(cur_params));
9469 	else
9470 		err = rdev_get_mesh_config(rdev, dev, &cur_params);
9471 
9472 	if (err)
9473 		return err;
9474 
9475 	/* Draw up a netlink message to send back */
9476 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
9477 	if (!msg)
9478 		return -ENOMEM;
9479 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
9480 			     NL80211_CMD_GET_MESH_CONFIG);
9481 	if (!hdr)
9482 		goto out;
9483 	pinfoattr = nla_nest_start_noflag(msg, NL80211_ATTR_MESH_CONFIG);
9484 	if (!pinfoattr)
9485 		goto nla_put_failure;
9486 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
9487 	    nla_put_u16(msg, NL80211_MESHCONF_RETRY_TIMEOUT,
9488 			cur_params.dot11MeshRetryTimeout) ||
9489 	    nla_put_u16(msg, NL80211_MESHCONF_CONFIRM_TIMEOUT,
9490 			cur_params.dot11MeshConfirmTimeout) ||
9491 	    nla_put_u16(msg, NL80211_MESHCONF_HOLDING_TIMEOUT,
9492 			cur_params.dot11MeshHoldingTimeout) ||
9493 	    nla_put_u16(msg, NL80211_MESHCONF_MAX_PEER_LINKS,
9494 			cur_params.dot11MeshMaxPeerLinks) ||
9495 	    nla_put_u8(msg, NL80211_MESHCONF_MAX_RETRIES,
9496 		       cur_params.dot11MeshMaxRetries) ||
9497 	    nla_put_u8(msg, NL80211_MESHCONF_TTL,
9498 		       cur_params.dot11MeshTTL) ||
9499 	    nla_put_u8(msg, NL80211_MESHCONF_ELEMENT_TTL,
9500 		       cur_params.element_ttl) ||
9501 	    nla_put_u8(msg, NL80211_MESHCONF_AUTO_OPEN_PLINKS,
9502 		       cur_params.auto_open_plinks) ||
9503 	    nla_put_u32(msg, NL80211_MESHCONF_SYNC_OFFSET_MAX_NEIGHBOR,
9504 			cur_params.dot11MeshNbrOffsetMaxNeighbor) ||
9505 	    nla_put_u8(msg, NL80211_MESHCONF_HWMP_MAX_PREQ_RETRIES,
9506 		       cur_params.dot11MeshHWMPmaxPREQretries) ||
9507 	    nla_put_u32(msg, NL80211_MESHCONF_PATH_REFRESH_TIME,
9508 			cur_params.path_refresh_time) ||
9509 	    nla_put_u16(msg, NL80211_MESHCONF_MIN_DISCOVERY_TIMEOUT,
9510 			cur_params.min_discovery_timeout) ||
9511 	    nla_put_u32(msg, NL80211_MESHCONF_HWMP_ACTIVE_PATH_TIMEOUT,
9512 			cur_params.dot11MeshHWMPactivePathTimeout) ||
9513 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_PREQ_MIN_INTERVAL,
9514 			cur_params.dot11MeshHWMPpreqMinInterval) ||
9515 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_PERR_MIN_INTERVAL,
9516 			cur_params.dot11MeshHWMPperrMinInterval) ||
9517 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_NET_DIAM_TRVS_TIME,
9518 			cur_params.dot11MeshHWMPnetDiameterTraversalTime) ||
9519 	    nla_put_u8(msg, NL80211_MESHCONF_HWMP_ROOTMODE,
9520 		       cur_params.dot11MeshHWMPRootMode) ||
9521 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_RANN_INTERVAL,
9522 			cur_params.dot11MeshHWMPRannInterval) ||
9523 	    nla_put_u8(msg, NL80211_MESHCONF_GATE_ANNOUNCEMENTS,
9524 		       cur_params.dot11MeshGateAnnouncementProtocol) ||
9525 	    nla_put_u8(msg, NL80211_MESHCONF_FORWARDING,
9526 		       cur_params.dot11MeshForwarding) ||
9527 	    nla_put_s32(msg, NL80211_MESHCONF_RSSI_THRESHOLD,
9528 			cur_params.rssi_threshold) ||
9529 	    nla_put_u32(msg, NL80211_MESHCONF_HT_OPMODE,
9530 			cur_params.ht_opmode) ||
9531 	    nla_put_u32(msg, NL80211_MESHCONF_HWMP_PATH_TO_ROOT_TIMEOUT,
9532 			cur_params.dot11MeshHWMPactivePathToRootTimeout) ||
9533 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_ROOT_INTERVAL,
9534 			cur_params.dot11MeshHWMProotInterval) ||
9535 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_CONFIRMATION_INTERVAL,
9536 			cur_params.dot11MeshHWMPconfirmationInterval) ||
9537 	    nla_put_u32(msg, NL80211_MESHCONF_POWER_MODE,
9538 			cur_params.power_mode) ||
9539 	    nla_put_u16(msg, NL80211_MESHCONF_AWAKE_WINDOW,
9540 			cur_params.dot11MeshAwakeWindowDuration) ||
9541 	    nla_put_u32(msg, NL80211_MESHCONF_PLINK_TIMEOUT,
9542 			cur_params.plink_timeout) ||
9543 	    nla_put_u8(msg, NL80211_MESHCONF_CONNECTED_TO_GATE,
9544 		       cur_params.dot11MeshConnectedToMeshGate) ||
9545 	    nla_put_u8(msg, NL80211_MESHCONF_NOLEARN,
9546 		       cur_params.dot11MeshNolearn) ||
9547 	    nla_put_u8(msg, NL80211_MESHCONF_CONNECTED_TO_AS,
9548 		       cur_params.dot11MeshConnectedToAuthServer))
9549 		goto nla_put_failure;
9550 	nla_nest_end(msg, pinfoattr);
9551 	genlmsg_end(msg, hdr);
9552 	return genlmsg_reply(msg, info);
9553 
9554  nla_put_failure:
9555  out:
9556 	nlmsg_free(msg);
9557 	return -ENOBUFS;
9558 }
9559 
9560 static const struct nla_policy
9561 nl80211_meshconf_params_policy[NL80211_MESHCONF_ATTR_MAX+1] = {
9562 	[NL80211_MESHCONF_RETRY_TIMEOUT] =
9563 		NLA_POLICY_RANGE(NLA_U16, 1, 255),
9564 	[NL80211_MESHCONF_CONFIRM_TIMEOUT] =
9565 		NLA_POLICY_RANGE(NLA_U16, 1, 255),
9566 	[NL80211_MESHCONF_HOLDING_TIMEOUT] =
9567 		NLA_POLICY_RANGE(NLA_U16, 1, 255),
9568 	[NL80211_MESHCONF_MAX_PEER_LINKS] =
9569 		NLA_POLICY_RANGE(NLA_U16, 0, 255),
9570 	[NL80211_MESHCONF_MAX_RETRIES] = NLA_POLICY_MAX(NLA_U8, 16),
9571 	[NL80211_MESHCONF_TTL] = NLA_POLICY_MIN(NLA_U8, 1),
9572 	[NL80211_MESHCONF_ELEMENT_TTL] = NLA_POLICY_MIN(NLA_U8, 1),
9573 	[NL80211_MESHCONF_AUTO_OPEN_PLINKS] = NLA_POLICY_MAX(NLA_U8, 1),
9574 	[NL80211_MESHCONF_SYNC_OFFSET_MAX_NEIGHBOR] =
9575 		NLA_POLICY_RANGE(NLA_U32, 1, 255),
9576 	[NL80211_MESHCONF_HWMP_MAX_PREQ_RETRIES] = { .type = NLA_U8 },
9577 	[NL80211_MESHCONF_PATH_REFRESH_TIME] = { .type = NLA_U32 },
9578 	[NL80211_MESHCONF_MIN_DISCOVERY_TIMEOUT] = NLA_POLICY_MIN(NLA_U16, 1),
9579 	[NL80211_MESHCONF_HWMP_ACTIVE_PATH_TIMEOUT] = { .type = NLA_U32 },
9580 	[NL80211_MESHCONF_HWMP_PREQ_MIN_INTERVAL] =
9581 		NLA_POLICY_MIN(NLA_U16, 1),
9582 	[NL80211_MESHCONF_HWMP_PERR_MIN_INTERVAL] =
9583 		NLA_POLICY_MIN(NLA_U16, 1),
9584 	[NL80211_MESHCONF_HWMP_NET_DIAM_TRVS_TIME] =
9585 		NLA_POLICY_MIN(NLA_U16, 1),
9586 	[NL80211_MESHCONF_HWMP_ROOTMODE] = NLA_POLICY_MAX(NLA_U8, 4),
9587 	[NL80211_MESHCONF_HWMP_RANN_INTERVAL] =
9588 		NLA_POLICY_MIN(NLA_U16, 1),
9589 	[NL80211_MESHCONF_GATE_ANNOUNCEMENTS] = NLA_POLICY_MAX(NLA_U8, 1),
9590 	[NL80211_MESHCONF_FORWARDING] = NLA_POLICY_MAX(NLA_U8, 1),
9591 	[NL80211_MESHCONF_RSSI_THRESHOLD] =
9592 		NLA_POLICY_RANGE(NLA_S32, -255, 0),
9593 	[NL80211_MESHCONF_HT_OPMODE] = { .type = NLA_U16 },
9594 	[NL80211_MESHCONF_HWMP_PATH_TO_ROOT_TIMEOUT] = { .type = NLA_U32 },
9595 	[NL80211_MESHCONF_HWMP_ROOT_INTERVAL] =
9596 		NLA_POLICY_MIN(NLA_U16, 1),
9597 	[NL80211_MESHCONF_HWMP_CONFIRMATION_INTERVAL] =
9598 		NLA_POLICY_MIN(NLA_U16, 1),
9599 	[NL80211_MESHCONF_POWER_MODE] =
9600 		NLA_POLICY_RANGE(NLA_U32,
9601 				 NL80211_MESH_POWER_ACTIVE,
9602 				 NL80211_MESH_POWER_MAX),
9603 	[NL80211_MESHCONF_AWAKE_WINDOW] = { .type = NLA_U16 },
9604 	[NL80211_MESHCONF_PLINK_TIMEOUT] = { .type = NLA_U32 },
9605 	[NL80211_MESHCONF_CONNECTED_TO_GATE] = NLA_POLICY_RANGE(NLA_U8, 0, 1),
9606 	[NL80211_MESHCONF_NOLEARN] = NLA_POLICY_RANGE(NLA_U8, 0, 1),
9607 	[NL80211_MESHCONF_CONNECTED_TO_AS] = NLA_POLICY_RANGE(NLA_U8, 0, 1),
9608 };
9609 
9610 static const struct nla_policy
9611 	nl80211_mesh_setup_params_policy[NL80211_MESH_SETUP_ATTR_MAX+1] = {
9612 	[NL80211_MESH_SETUP_ENABLE_VENDOR_SYNC] = { .type = NLA_U8 },
9613 	[NL80211_MESH_SETUP_ENABLE_VENDOR_PATH_SEL] = { .type = NLA_U8 },
9614 	[NL80211_MESH_SETUP_ENABLE_VENDOR_METRIC] = { .type = NLA_U8 },
9615 	[NL80211_MESH_SETUP_USERSPACE_AUTH] = { .type = NLA_FLAG },
9616 	[NL80211_MESH_SETUP_AUTH_PROTOCOL] = { .type = NLA_U8 },
9617 	[NL80211_MESH_SETUP_USERSPACE_MPM] = { .type = NLA_FLAG },
9618 	[NL80211_MESH_SETUP_IE] =
9619 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_ie_attr,
9620 				       IEEE80211_MAX_DATA_LEN),
9621 	[NL80211_MESH_SETUP_USERSPACE_AMPE] = { .type = NLA_FLAG },
9622 };
9623 
9624 static int nl80211_parse_mesh_config(struct genl_info *info,
9625 				     struct mesh_config *cfg,
9626 				     u32 *mask_out)
9627 {
9628 	struct nlattr *tb[NL80211_MESHCONF_ATTR_MAX + 1];
9629 	u32 mask = 0;
9630 	u16 ht_opmode;
9631 
9632 #define FILL_IN_MESH_PARAM_IF_SET(tb, cfg, param, mask, attr, fn)	\
9633 do {									\
9634 	if (tb[attr]) {							\
9635 		cfg->param = fn(tb[attr]);				\
9636 		mask |= BIT((attr) - 1);				\
9637 	}								\
9638 } while (0)
9639 
9640 	if (!info->attrs[NL80211_ATTR_MESH_CONFIG])
9641 		return -EINVAL;
9642 	if (nla_parse_nested_deprecated(tb, NL80211_MESHCONF_ATTR_MAX, info->attrs[NL80211_ATTR_MESH_CONFIG], nl80211_meshconf_params_policy, info->extack))
9643 		return -EINVAL;
9644 
9645 	/* This makes sure that there aren't more than 32 mesh config
9646 	 * parameters (otherwise our bitfield scheme would not work.) */
9647 	BUILD_BUG_ON(NL80211_MESHCONF_ATTR_MAX > 32);
9648 
9649 	/* Fill in the params struct */
9650 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshRetryTimeout, mask,
9651 				  NL80211_MESHCONF_RETRY_TIMEOUT, nla_get_u16);
9652 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshConfirmTimeout, mask,
9653 				  NL80211_MESHCONF_CONFIRM_TIMEOUT,
9654 				  nla_get_u16);
9655 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHoldingTimeout, mask,
9656 				  NL80211_MESHCONF_HOLDING_TIMEOUT,
9657 				  nla_get_u16);
9658 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshMaxPeerLinks, mask,
9659 				  NL80211_MESHCONF_MAX_PEER_LINKS,
9660 				  nla_get_u16);
9661 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshMaxRetries, mask,
9662 				  NL80211_MESHCONF_MAX_RETRIES, nla_get_u8);
9663 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshTTL, mask,
9664 				  NL80211_MESHCONF_TTL, nla_get_u8);
9665 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, element_ttl, mask,
9666 				  NL80211_MESHCONF_ELEMENT_TTL, nla_get_u8);
9667 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, auto_open_plinks, mask,
9668 				  NL80211_MESHCONF_AUTO_OPEN_PLINKS,
9669 				  nla_get_u8);
9670 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshNbrOffsetMaxNeighbor,
9671 				  mask,
9672 				  NL80211_MESHCONF_SYNC_OFFSET_MAX_NEIGHBOR,
9673 				  nla_get_u32);
9674 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPmaxPREQretries, mask,
9675 				  NL80211_MESHCONF_HWMP_MAX_PREQ_RETRIES,
9676 				  nla_get_u8);
9677 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, path_refresh_time, mask,
9678 				  NL80211_MESHCONF_PATH_REFRESH_TIME,
9679 				  nla_get_u32);
9680 	if (mask & BIT(NL80211_MESHCONF_PATH_REFRESH_TIME) &&
9681 	    (cfg->path_refresh_time < 1 || cfg->path_refresh_time > 65535))
9682 		return -EINVAL;
9683 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, min_discovery_timeout, mask,
9684 				  NL80211_MESHCONF_MIN_DISCOVERY_TIMEOUT,
9685 				  nla_get_u16);
9686 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPactivePathTimeout,
9687 				  mask,
9688 				  NL80211_MESHCONF_HWMP_ACTIVE_PATH_TIMEOUT,
9689 				  nla_get_u32);
9690 	if (mask & BIT(NL80211_MESHCONF_HWMP_ACTIVE_PATH_TIMEOUT) &&
9691 	    (cfg->dot11MeshHWMPactivePathTimeout < 1 ||
9692 	     cfg->dot11MeshHWMPactivePathTimeout > 65535))
9693 		return -EINVAL;
9694 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPpreqMinInterval, mask,
9695 				  NL80211_MESHCONF_HWMP_PREQ_MIN_INTERVAL,
9696 				  nla_get_u16);
9697 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPperrMinInterval, mask,
9698 				  NL80211_MESHCONF_HWMP_PERR_MIN_INTERVAL,
9699 				  nla_get_u16);
9700 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg,
9701 				  dot11MeshHWMPnetDiameterTraversalTime, mask,
9702 				  NL80211_MESHCONF_HWMP_NET_DIAM_TRVS_TIME,
9703 				  nla_get_u16);
9704 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPRootMode, mask,
9705 				  NL80211_MESHCONF_HWMP_ROOTMODE, nla_get_u8);
9706 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPRannInterval, mask,
9707 				  NL80211_MESHCONF_HWMP_RANN_INTERVAL,
9708 				  nla_get_u16);
9709 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshGateAnnouncementProtocol,
9710 				  mask, NL80211_MESHCONF_GATE_ANNOUNCEMENTS,
9711 				  nla_get_u8);
9712 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshForwarding, mask,
9713 				  NL80211_MESHCONF_FORWARDING, nla_get_u8);
9714 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, rssi_threshold, mask,
9715 				  NL80211_MESHCONF_RSSI_THRESHOLD,
9716 				  nla_get_s32);
9717 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshConnectedToMeshGate, mask,
9718 				  NL80211_MESHCONF_CONNECTED_TO_GATE,
9719 				  nla_get_u8);
9720 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshConnectedToAuthServer, mask,
9721 				  NL80211_MESHCONF_CONNECTED_TO_AS,
9722 				  nla_get_u8);
9723 	/*
9724 	 * Check HT operation mode based on
9725 	 * IEEE 802.11-2016 9.4.2.57 HT Operation element.
9726 	 */
9727 	if (tb[NL80211_MESHCONF_HT_OPMODE]) {
9728 		ht_opmode = nla_get_u16(tb[NL80211_MESHCONF_HT_OPMODE]);
9729 
9730 		if (ht_opmode & ~(IEEE80211_HT_OP_MODE_PROTECTION |
9731 				  IEEE80211_HT_OP_MODE_NON_GF_STA_PRSNT |
9732 				  IEEE80211_HT_OP_MODE_NON_HT_STA_PRSNT))
9733 			return -EINVAL;
9734 
9735 		/* NON_HT_STA bit is reserved, but some programs set it */
9736 		ht_opmode &= ~IEEE80211_HT_OP_MODE_NON_HT_STA_PRSNT;
9737 
9738 		cfg->ht_opmode = ht_opmode;
9739 		mask |= (1 << (NL80211_MESHCONF_HT_OPMODE - 1));
9740 	}
9741 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg,
9742 				  dot11MeshHWMPactivePathToRootTimeout, mask,
9743 				  NL80211_MESHCONF_HWMP_PATH_TO_ROOT_TIMEOUT,
9744 				  nla_get_u32);
9745 	if (mask & BIT(NL80211_MESHCONF_HWMP_PATH_TO_ROOT_TIMEOUT) &&
9746 	    (cfg->dot11MeshHWMPactivePathToRootTimeout < 1 ||
9747 	     cfg->dot11MeshHWMPactivePathToRootTimeout > 65535))
9748 		return -EINVAL;
9749 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMProotInterval, mask,
9750 				  NL80211_MESHCONF_HWMP_ROOT_INTERVAL,
9751 				  nla_get_u16);
9752 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPconfirmationInterval,
9753 				  mask,
9754 				  NL80211_MESHCONF_HWMP_CONFIRMATION_INTERVAL,
9755 				  nla_get_u16);
9756 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, power_mode, mask,
9757 				  NL80211_MESHCONF_POWER_MODE, nla_get_u32);
9758 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshAwakeWindowDuration, mask,
9759 				  NL80211_MESHCONF_AWAKE_WINDOW, nla_get_u16);
9760 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, plink_timeout, mask,
9761 				  NL80211_MESHCONF_PLINK_TIMEOUT, nla_get_u32);
9762 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshNolearn, mask,
9763 				  NL80211_MESHCONF_NOLEARN, nla_get_u8);
9764 	if (mask_out)
9765 		*mask_out = mask;
9766 
9767 	return 0;
9768 
9769 #undef FILL_IN_MESH_PARAM_IF_SET
9770 }
9771 
9772 static int nl80211_parse_mesh_setup(struct genl_info *info,
9773 				     struct mesh_setup *setup)
9774 {
9775 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9776 	struct nlattr *tb[NL80211_MESH_SETUP_ATTR_MAX + 1];
9777 
9778 	if (!info->attrs[NL80211_ATTR_MESH_SETUP])
9779 		return -EINVAL;
9780 	if (nla_parse_nested_deprecated(tb, NL80211_MESH_SETUP_ATTR_MAX, info->attrs[NL80211_ATTR_MESH_SETUP], nl80211_mesh_setup_params_policy, info->extack))
9781 		return -EINVAL;
9782 
9783 	if (tb[NL80211_MESH_SETUP_ENABLE_VENDOR_SYNC])
9784 		setup->sync_method =
9785 		(nla_get_u8(tb[NL80211_MESH_SETUP_ENABLE_VENDOR_SYNC])) ?
9786 		 IEEE80211_SYNC_METHOD_VENDOR :
9787 		 IEEE80211_SYNC_METHOD_NEIGHBOR_OFFSET;
9788 
9789 	if (tb[NL80211_MESH_SETUP_ENABLE_VENDOR_PATH_SEL])
9790 		setup->path_sel_proto =
9791 		(nla_get_u8(tb[NL80211_MESH_SETUP_ENABLE_VENDOR_PATH_SEL])) ?
9792 		 IEEE80211_PATH_PROTOCOL_VENDOR :
9793 		 IEEE80211_PATH_PROTOCOL_HWMP;
9794 
9795 	if (tb[NL80211_MESH_SETUP_ENABLE_VENDOR_METRIC])
9796 		setup->path_metric =
9797 		(nla_get_u8(tb[NL80211_MESH_SETUP_ENABLE_VENDOR_METRIC])) ?
9798 		 IEEE80211_PATH_METRIC_VENDOR :
9799 		 IEEE80211_PATH_METRIC_AIRTIME;
9800 
9801 	if (tb[NL80211_MESH_SETUP_IE]) {
9802 		struct nlattr *ieattr =
9803 			tb[NL80211_MESH_SETUP_IE];
9804 		setup->ie = nla_data(ieattr);
9805 		setup->ie_len = nla_len(ieattr);
9806 	}
9807 	if (tb[NL80211_MESH_SETUP_USERSPACE_MPM] &&
9808 	    !(rdev->wiphy.features & NL80211_FEATURE_USERSPACE_MPM))
9809 		return -EINVAL;
9810 	setup->user_mpm = nla_get_flag(tb[NL80211_MESH_SETUP_USERSPACE_MPM]);
9811 	setup->is_authenticated = nla_get_flag(tb[NL80211_MESH_SETUP_USERSPACE_AUTH]);
9812 	setup->is_secure = nla_get_flag(tb[NL80211_MESH_SETUP_USERSPACE_AMPE]);
9813 	if (setup->is_secure)
9814 		setup->user_mpm = true;
9815 
9816 	if (tb[NL80211_MESH_SETUP_AUTH_PROTOCOL]) {
9817 		if (!setup->user_mpm)
9818 			return -EINVAL;
9819 		setup->auth_id =
9820 			nla_get_u8(tb[NL80211_MESH_SETUP_AUTH_PROTOCOL]);
9821 	}
9822 
9823 	return 0;
9824 }
9825 
9826 static int nl80211_update_mesh_config(struct sk_buff *skb,
9827 				      struct genl_info *info)
9828 {
9829 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9830 	struct net_device *dev = info->user_ptr[1];
9831 	struct wireless_dev *wdev = dev->ieee80211_ptr;
9832 	struct mesh_config cfg = {};
9833 	u32 mask;
9834 	int err;
9835 
9836 	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT)
9837 		return -EOPNOTSUPP;
9838 
9839 	if (!rdev->ops->update_mesh_config)
9840 		return -EOPNOTSUPP;
9841 
9842 	err = nl80211_parse_mesh_config(info, &cfg, &mask);
9843 	if (err)
9844 		return err;
9845 
9846 	if (!wdev->u.mesh.id_len)
9847 		err = -ENOLINK;
9848 
9849 	if (!err)
9850 		err = rdev_update_mesh_config(rdev, dev, mask, &cfg);
9851 
9852 	return err;
9853 }
9854 
9855 static int nl80211_put_regdom(const struct ieee80211_regdomain *regdom,
9856 			      struct sk_buff *msg)
9857 {
9858 	struct nlattr *nl_reg_rules;
9859 	unsigned int i;
9860 
9861 	if (nla_put_string(msg, NL80211_ATTR_REG_ALPHA2, regdom->alpha2) ||
9862 	    (regdom->dfs_region &&
9863 	     nla_put_u8(msg, NL80211_ATTR_DFS_REGION, regdom->dfs_region)))
9864 		goto nla_put_failure;
9865 
9866 	nl_reg_rules = nla_nest_start_noflag(msg, NL80211_ATTR_REG_RULES);
9867 	if (!nl_reg_rules)
9868 		goto nla_put_failure;
9869 
9870 	for (i = 0; i < regdom->n_reg_rules; i++) {
9871 		struct nlattr *nl_reg_rule;
9872 		const struct ieee80211_reg_rule *reg_rule;
9873 		const struct ieee80211_freq_range *freq_range;
9874 		const struct ieee80211_power_rule *power_rule;
9875 		unsigned int max_bandwidth_khz;
9876 
9877 		reg_rule = &regdom->reg_rules[i];
9878 		freq_range = &reg_rule->freq_range;
9879 		power_rule = &reg_rule->power_rule;
9880 
9881 		nl_reg_rule = nla_nest_start_noflag(msg, i);
9882 		if (!nl_reg_rule)
9883 			goto nla_put_failure;
9884 
9885 		max_bandwidth_khz = freq_range->max_bandwidth_khz;
9886 		if (!max_bandwidth_khz)
9887 			max_bandwidth_khz = reg_get_max_bandwidth(regdom,
9888 								  reg_rule);
9889 
9890 		if (nla_put_u32(msg, NL80211_ATTR_REG_RULE_FLAGS,
9891 				reg_rule->flags) ||
9892 		    nla_put_u32(msg, NL80211_ATTR_FREQ_RANGE_START,
9893 				freq_range->start_freq_khz) ||
9894 		    nla_put_u32(msg, NL80211_ATTR_FREQ_RANGE_END,
9895 				freq_range->end_freq_khz) ||
9896 		    nla_put_u32(msg, NL80211_ATTR_FREQ_RANGE_MAX_BW,
9897 				max_bandwidth_khz) ||
9898 		    nla_put_u32(msg, NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN,
9899 				power_rule->max_antenna_gain) ||
9900 		    nla_put_u32(msg, NL80211_ATTR_POWER_RULE_MAX_EIRP,
9901 				power_rule->max_eirp) ||
9902 		    nla_put_u32(msg, NL80211_ATTR_DFS_CAC_TIME,
9903 				reg_rule->dfs_cac_ms))
9904 			goto nla_put_failure;
9905 
9906 		if ((reg_rule->flags & NL80211_RRF_PSD) &&
9907 		    nla_put_s8(msg, NL80211_ATTR_POWER_RULE_PSD,
9908 			       reg_rule->psd))
9909 			goto nla_put_failure;
9910 
9911 		nla_nest_end(msg, nl_reg_rule);
9912 	}
9913 
9914 	nla_nest_end(msg, nl_reg_rules);
9915 	return 0;
9916 
9917 nla_put_failure:
9918 	return -EMSGSIZE;
9919 }
9920 
9921 static int nl80211_get_reg_do(struct sk_buff *skb, struct genl_info *info)
9922 {
9923 	const struct ieee80211_regdomain *regdom = NULL;
9924 	struct cfg80211_registered_device *rdev;
9925 	struct wiphy *wiphy = NULL;
9926 	struct sk_buff *msg;
9927 	int err = -EMSGSIZE;
9928 	void *hdr;
9929 
9930 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
9931 	if (!msg)
9932 		return -ENOBUFS;
9933 
9934 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
9935 			     NL80211_CMD_GET_REG);
9936 	if (!hdr)
9937 		goto put_failure;
9938 
9939 	rtnl_lock();
9940 
9941 	if (info->attrs[NL80211_ATTR_WIPHY]) {
9942 		bool self_managed;
9943 
9944 		rdev = cfg80211_get_dev_from_info(genl_info_net(info), info);
9945 		if (IS_ERR(rdev)) {
9946 			err = PTR_ERR(rdev);
9947 			goto nla_put_failure;
9948 		}
9949 
9950 		wiphy = &rdev->wiphy;
9951 		self_managed = wiphy->regulatory_flags &
9952 			       REGULATORY_WIPHY_SELF_MANAGED;
9953 
9954 		rcu_read_lock();
9955 
9956 		regdom = get_wiphy_regdom(wiphy);
9957 
9958 		/* a self-managed-reg device must have a private regdom */
9959 		if (WARN_ON(!regdom && self_managed)) {
9960 			err = -EINVAL;
9961 			goto nla_put_failure_rcu;
9962 		}
9963 
9964 		if (regdom &&
9965 		    nla_put_u32(msg, NL80211_ATTR_WIPHY, get_wiphy_idx(wiphy)))
9966 			goto nla_put_failure_rcu;
9967 	} else {
9968 		rcu_read_lock();
9969 	}
9970 
9971 	if (!wiphy && reg_last_request_cell_base() &&
9972 	    nla_put_u32(msg, NL80211_ATTR_USER_REG_HINT_TYPE,
9973 			NL80211_USER_REG_HINT_CELL_BASE))
9974 		goto nla_put_failure_rcu;
9975 
9976 	if (!regdom)
9977 		regdom = rcu_dereference(cfg80211_regdomain);
9978 
9979 	if (nl80211_put_regdom(regdom, msg))
9980 		goto nla_put_failure_rcu;
9981 
9982 	rcu_read_unlock();
9983 
9984 	genlmsg_end(msg, hdr);
9985 	rtnl_unlock();
9986 	return genlmsg_reply(msg, info);
9987 
9988 nla_put_failure_rcu:
9989 	rcu_read_unlock();
9990 nla_put_failure:
9991 	rtnl_unlock();
9992 put_failure:
9993 	nlmsg_free(msg);
9994 	return err;
9995 }
9996 
9997 static int nl80211_send_regdom(struct sk_buff *msg, struct netlink_callback *cb,
9998 			       u32 seq, int flags, struct wiphy *wiphy,
9999 			       const struct ieee80211_regdomain *regdom)
10000 {
10001 	void *hdr = nl80211hdr_put(msg, NETLINK_CB(cb->skb).portid, seq, flags,
10002 				   NL80211_CMD_GET_REG);
10003 
10004 	if (!hdr)
10005 		return -1;
10006 
10007 	genl_dump_check_consistent(cb, hdr);
10008 
10009 	if (nl80211_put_regdom(regdom, msg))
10010 		goto nla_put_failure;
10011 
10012 	if (!wiphy && reg_last_request_cell_base() &&
10013 	    nla_put_u32(msg, NL80211_ATTR_USER_REG_HINT_TYPE,
10014 			NL80211_USER_REG_HINT_CELL_BASE))
10015 		goto nla_put_failure;
10016 
10017 	if (wiphy &&
10018 	    nla_put_u32(msg, NL80211_ATTR_WIPHY, get_wiphy_idx(wiphy)))
10019 		goto nla_put_failure;
10020 
10021 	if (wiphy && wiphy->regulatory_flags & REGULATORY_WIPHY_SELF_MANAGED &&
10022 	    nla_put_flag(msg, NL80211_ATTR_WIPHY_SELF_MANAGED_REG))
10023 		goto nla_put_failure;
10024 
10025 	genlmsg_end(msg, hdr);
10026 	return 0;
10027 
10028 nla_put_failure:
10029 	genlmsg_cancel(msg, hdr);
10030 	return -EMSGSIZE;
10031 }
10032 
10033 static int nl80211_get_reg_dump(struct sk_buff *skb,
10034 				struct netlink_callback *cb)
10035 {
10036 	const struct ieee80211_regdomain *regdom = NULL;
10037 	struct cfg80211_registered_device *rdev;
10038 	int err, reg_idx, start = cb->args[2];
10039 
10040 	rcu_read_lock();
10041 
10042 	if (cfg80211_regdomain && start == 0) {
10043 		err = nl80211_send_regdom(skb, cb, cb->nlh->nlmsg_seq,
10044 					  NLM_F_MULTI, NULL,
10045 					  rcu_dereference(cfg80211_regdomain));
10046 		if (err < 0)
10047 			goto out_err;
10048 	}
10049 
10050 	/* the global regdom is idx 0 */
10051 	reg_idx = 1;
10052 	list_for_each_entry_rcu(rdev, &cfg80211_rdev_list, list) {
10053 		regdom = get_wiphy_regdom(&rdev->wiphy);
10054 		if (!regdom)
10055 			continue;
10056 
10057 		if (++reg_idx <= start)
10058 			continue;
10059 
10060 		err = nl80211_send_regdom(skb, cb, cb->nlh->nlmsg_seq,
10061 					  NLM_F_MULTI, &rdev->wiphy, regdom);
10062 		if (err < 0) {
10063 			reg_idx--;
10064 			break;
10065 		}
10066 	}
10067 
10068 	cb->args[2] = reg_idx;
10069 	err = skb->len;
10070 out_err:
10071 	rcu_read_unlock();
10072 	return err;
10073 }
10074 
10075 #ifdef CONFIG_CFG80211_CRDA_SUPPORT
10076 static const struct nla_policy reg_rule_policy[NL80211_REG_RULE_ATTR_MAX + 1] = {
10077 	[NL80211_ATTR_REG_RULE_FLAGS]		= { .type = NLA_U32 },
10078 	[NL80211_ATTR_FREQ_RANGE_START]		= { .type = NLA_U32 },
10079 	[NL80211_ATTR_FREQ_RANGE_END]		= { .type = NLA_U32 },
10080 	[NL80211_ATTR_FREQ_RANGE_MAX_BW]	= { .type = NLA_U32 },
10081 	[NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN]	= { .type = NLA_U32 },
10082 	[NL80211_ATTR_POWER_RULE_MAX_EIRP]	= { .type = NLA_U32 },
10083 	[NL80211_ATTR_DFS_CAC_TIME]		= { .type = NLA_U32 },
10084 };
10085 
10086 static int parse_reg_rule(struct nlattr *tb[],
10087 	struct ieee80211_reg_rule *reg_rule)
10088 {
10089 	struct ieee80211_freq_range *freq_range = &reg_rule->freq_range;
10090 	struct ieee80211_power_rule *power_rule = &reg_rule->power_rule;
10091 
10092 	if (!tb[NL80211_ATTR_REG_RULE_FLAGS])
10093 		return -EINVAL;
10094 	if (!tb[NL80211_ATTR_FREQ_RANGE_START])
10095 		return -EINVAL;
10096 	if (!tb[NL80211_ATTR_FREQ_RANGE_END])
10097 		return -EINVAL;
10098 	if (!tb[NL80211_ATTR_FREQ_RANGE_MAX_BW])
10099 		return -EINVAL;
10100 	if (!tb[NL80211_ATTR_POWER_RULE_MAX_EIRP])
10101 		return -EINVAL;
10102 
10103 	reg_rule->flags = nla_get_u32(tb[NL80211_ATTR_REG_RULE_FLAGS]);
10104 
10105 	freq_range->start_freq_khz =
10106 		nla_get_u32(tb[NL80211_ATTR_FREQ_RANGE_START]);
10107 	freq_range->end_freq_khz =
10108 		nla_get_u32(tb[NL80211_ATTR_FREQ_RANGE_END]);
10109 	freq_range->max_bandwidth_khz =
10110 		nla_get_u32(tb[NL80211_ATTR_FREQ_RANGE_MAX_BW]);
10111 
10112 	power_rule->max_eirp =
10113 		nla_get_u32(tb[NL80211_ATTR_POWER_RULE_MAX_EIRP]);
10114 
10115 	if (tb[NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN])
10116 		power_rule->max_antenna_gain =
10117 			nla_get_u32(tb[NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN]);
10118 
10119 	if (tb[NL80211_ATTR_DFS_CAC_TIME])
10120 		reg_rule->dfs_cac_ms =
10121 			nla_get_u32(tb[NL80211_ATTR_DFS_CAC_TIME]);
10122 
10123 	return 0;
10124 }
10125 
10126 static int nl80211_set_reg(struct sk_buff *skb, struct genl_info *info)
10127 {
10128 	struct nlattr *tb[NL80211_REG_RULE_ATTR_MAX + 1];
10129 	struct nlattr *nl_reg_rule;
10130 	char *alpha2;
10131 	int rem_reg_rules, r;
10132 	u32 num_rules = 0, rule_idx = 0;
10133 	enum nl80211_dfs_regions dfs_region = NL80211_DFS_UNSET;
10134 	struct ieee80211_regdomain *rd;
10135 
10136 	if (!info->attrs[NL80211_ATTR_REG_ALPHA2])
10137 		return -EINVAL;
10138 
10139 	if (!info->attrs[NL80211_ATTR_REG_RULES])
10140 		return -EINVAL;
10141 
10142 	alpha2 = nla_data(info->attrs[NL80211_ATTR_REG_ALPHA2]);
10143 
10144 	if (info->attrs[NL80211_ATTR_DFS_REGION])
10145 		dfs_region = nla_get_u8(info->attrs[NL80211_ATTR_DFS_REGION]);
10146 
10147 	nla_for_each_nested(nl_reg_rule, info->attrs[NL80211_ATTR_REG_RULES],
10148 			    rem_reg_rules) {
10149 		num_rules++;
10150 		if (num_rules > NL80211_MAX_SUPP_REG_RULES)
10151 			return -EINVAL;
10152 	}
10153 
10154 	rtnl_lock();
10155 	if (!reg_is_valid_request(alpha2)) {
10156 		r = -EINVAL;
10157 		goto out;
10158 	}
10159 
10160 	rd = kzalloc(struct_size(rd, reg_rules, num_rules), GFP_KERNEL);
10161 	if (!rd) {
10162 		r = -ENOMEM;
10163 		goto out;
10164 	}
10165 
10166 	rd->n_reg_rules = num_rules;
10167 	rd->alpha2[0] = alpha2[0];
10168 	rd->alpha2[1] = alpha2[1];
10169 
10170 	/*
10171 	 * Disable DFS master mode if the DFS region was
10172 	 * not supported or known on this kernel.
10173 	 */
10174 	if (reg_supported_dfs_region(dfs_region))
10175 		rd->dfs_region = dfs_region;
10176 
10177 	nla_for_each_nested(nl_reg_rule, info->attrs[NL80211_ATTR_REG_RULES],
10178 			    rem_reg_rules) {
10179 		r = nla_parse_nested_deprecated(tb, NL80211_REG_RULE_ATTR_MAX,
10180 						nl_reg_rule, reg_rule_policy,
10181 						info->extack);
10182 		if (r)
10183 			goto bad_reg;
10184 		r = parse_reg_rule(tb, &rd->reg_rules[rule_idx]);
10185 		if (r)
10186 			goto bad_reg;
10187 
10188 		rule_idx++;
10189 
10190 		if (rule_idx > NL80211_MAX_SUPP_REG_RULES) {
10191 			r = -EINVAL;
10192 			goto bad_reg;
10193 		}
10194 	}
10195 
10196 	r = set_regdom(rd, REGD_SOURCE_CRDA);
10197 	/* set_regdom takes ownership of rd */
10198 	rd = NULL;
10199  bad_reg:
10200 	kfree(rd);
10201  out:
10202 	rtnl_unlock();
10203 	return r;
10204 }
10205 #endif /* CONFIG_CFG80211_CRDA_SUPPORT */
10206 
10207 static int validate_scan_freqs(struct nlattr *freqs)
10208 {
10209 	struct nlattr *attr1, *attr2;
10210 	int n_channels = 0, tmp1, tmp2;
10211 
10212 	nla_for_each_nested(attr1, freqs, tmp1)
10213 		if (nla_len(attr1) != sizeof(u32))
10214 			return 0;
10215 
10216 	nla_for_each_nested(attr1, freqs, tmp1) {
10217 		n_channels++;
10218 		/*
10219 		 * Some hardware has a limited channel list for
10220 		 * scanning, and it is pretty much nonsensical
10221 		 * to scan for a channel twice, so disallow that
10222 		 * and don't require drivers to check that the
10223 		 * channel list they get isn't longer than what
10224 		 * they can scan, as long as they can scan all
10225 		 * the channels they registered at once.
10226 		 */
10227 		nla_for_each_nested(attr2, freqs, tmp2)
10228 			if (attr1 != attr2 &&
10229 			    nla_get_u32(attr1) == nla_get_u32(attr2))
10230 				return 0;
10231 	}
10232 
10233 	return n_channels;
10234 }
10235 
10236 static bool is_band_valid(struct wiphy *wiphy, enum nl80211_band b)
10237 {
10238 	return b < NUM_NL80211_BANDS && wiphy->bands[b];
10239 }
10240 
10241 static int parse_bss_select(struct nlattr *nla, struct wiphy *wiphy,
10242 			    struct cfg80211_bss_selection *bss_select)
10243 {
10244 	struct nlattr *attr[NL80211_BSS_SELECT_ATTR_MAX + 1];
10245 	struct nlattr *nest;
10246 	int err;
10247 	bool found = false;
10248 	int i;
10249 
10250 	/* only process one nested attribute */
10251 	nest = nla_data(nla);
10252 	if (!nla_ok(nest, nla_len(nest)))
10253 		return -EINVAL;
10254 
10255 	err = nla_parse_nested_deprecated(attr, NL80211_BSS_SELECT_ATTR_MAX,
10256 					  nest, nl80211_bss_select_policy,
10257 					  NULL);
10258 	if (err)
10259 		return err;
10260 
10261 	/* only one attribute may be given */
10262 	for (i = 0; i <= NL80211_BSS_SELECT_ATTR_MAX; i++) {
10263 		if (attr[i]) {
10264 			if (found)
10265 				return -EINVAL;
10266 			found = true;
10267 		}
10268 	}
10269 
10270 	bss_select->behaviour = __NL80211_BSS_SELECT_ATTR_INVALID;
10271 
10272 	if (attr[NL80211_BSS_SELECT_ATTR_RSSI])
10273 		bss_select->behaviour = NL80211_BSS_SELECT_ATTR_RSSI;
10274 
10275 	if (attr[NL80211_BSS_SELECT_ATTR_BAND_PREF]) {
10276 		bss_select->behaviour = NL80211_BSS_SELECT_ATTR_BAND_PREF;
10277 		bss_select->param.band_pref =
10278 			nla_get_u32(attr[NL80211_BSS_SELECT_ATTR_BAND_PREF]);
10279 		if (!is_band_valid(wiphy, bss_select->param.band_pref))
10280 			return -EINVAL;
10281 	}
10282 
10283 	if (attr[NL80211_BSS_SELECT_ATTR_RSSI_ADJUST]) {
10284 		struct nl80211_bss_select_rssi_adjust *adj_param;
10285 
10286 		adj_param = nla_data(attr[NL80211_BSS_SELECT_ATTR_RSSI_ADJUST]);
10287 		bss_select->behaviour = NL80211_BSS_SELECT_ATTR_RSSI_ADJUST;
10288 		bss_select->param.adjust.band = adj_param->band;
10289 		bss_select->param.adjust.delta = adj_param->delta;
10290 		if (!is_band_valid(wiphy, bss_select->param.adjust.band))
10291 			return -EINVAL;
10292 	}
10293 
10294 	/* user-space did not provide behaviour attribute */
10295 	if (bss_select->behaviour == __NL80211_BSS_SELECT_ATTR_INVALID)
10296 		return -EINVAL;
10297 
10298 	if (!(wiphy->bss_select_support & BIT(bss_select->behaviour)))
10299 		return -EINVAL;
10300 
10301 	return 0;
10302 }
10303 
10304 int nl80211_parse_random_mac(struct nlattr **attrs,
10305 			     u8 *mac_addr, u8 *mac_addr_mask)
10306 {
10307 	int i;
10308 
10309 	if (!attrs[NL80211_ATTR_MAC] && !attrs[NL80211_ATTR_MAC_MASK]) {
10310 		eth_zero_addr(mac_addr);
10311 		eth_zero_addr(mac_addr_mask);
10312 		mac_addr[0] = 0x2;
10313 		mac_addr_mask[0] = 0x3;
10314 
10315 		return 0;
10316 	}
10317 
10318 	/* need both or none */
10319 	if (!attrs[NL80211_ATTR_MAC] || !attrs[NL80211_ATTR_MAC_MASK])
10320 		return -EINVAL;
10321 
10322 	memcpy(mac_addr, nla_data(attrs[NL80211_ATTR_MAC]), ETH_ALEN);
10323 	memcpy(mac_addr_mask, nla_data(attrs[NL80211_ATTR_MAC_MASK]), ETH_ALEN);
10324 
10325 	/* don't allow or configure an mcast address */
10326 	if (!is_multicast_ether_addr(mac_addr_mask) ||
10327 	    is_multicast_ether_addr(mac_addr))
10328 		return -EINVAL;
10329 
10330 	/*
10331 	 * allow users to pass a MAC address that has bits set outside
10332 	 * of the mask, but don't bother drivers with having to deal
10333 	 * with such bits
10334 	 */
10335 	for (i = 0; i < ETH_ALEN; i++)
10336 		mac_addr[i] &= mac_addr_mask[i];
10337 
10338 	return 0;
10339 }
10340 
10341 static bool cfg80211_off_channel_oper_allowed(struct wireless_dev *wdev,
10342 					      struct ieee80211_channel *chan)
10343 {
10344 	unsigned int link_id;
10345 	bool all_ok = true;
10346 	int radio_idx;
10347 
10348 	lockdep_assert_wiphy(wdev->wiphy);
10349 
10350 	if (!cfg80211_wdev_channel_allowed(wdev, chan))
10351 		return false;
10352 
10353 	if (!cfg80211_beaconing_iface_active(wdev))
10354 		return true;
10355 
10356 	radio_idx = cfg80211_get_radio_idx_by_chan(wdev->wiphy, chan);
10357 
10358 	/*
10359 	 * FIXME: check if we have a free radio/link for chan
10360 	 *
10361 	 * This, as well as the FIXME below, requires knowing the link
10362 	 * capabilities of the hardware.
10363 	 */
10364 
10365 	/* we cannot leave radar channels */
10366 	for_each_valid_link(wdev, link_id) {
10367 		struct cfg80211_chan_def *chandef;
10368 		int link_radio_idx;
10369 
10370 		chandef = wdev_chandef(wdev, link_id);
10371 		if (!chandef || !chandef->chan)
10372 			continue;
10373 
10374 		if (!(chandef->chan->flags & IEEE80211_CHAN_RADAR))
10375 			continue;
10376 
10377 		/*
10378 		 * chandef->chan is a radar channel. If the radio/link onto
10379 		 * which this radar channel falls is the same radio/link onto
10380 		 * which the input 'chan' falls, off-channel operation should
10381 		 * not be allowed. Hence, set 'all_ok' to false.
10382 		 */
10383 
10384 		link_radio_idx = cfg80211_get_radio_idx_by_chan(wdev->wiphy,
10385 								chandef->chan);
10386 		if (link_radio_idx == radio_idx) {
10387 			all_ok = false;
10388 			break;
10389 		}
10390 	}
10391 
10392 	if (all_ok)
10393 		return true;
10394 
10395 	return regulatory_pre_cac_allowed(wdev->wiphy);
10396 }
10397 
10398 static bool nl80211_check_scan_feat(struct wiphy *wiphy, u32 flags, u32 flag,
10399 				    enum nl80211_ext_feature_index feat)
10400 {
10401 	if (!(flags & flag))
10402 		return true;
10403 	if (wiphy_ext_feature_isset(wiphy, feat))
10404 		return true;
10405 	return false;
10406 }
10407 
10408 static int
10409 nl80211_check_scan_flags(struct wiphy *wiphy, struct wireless_dev *wdev,
10410 			 struct nlattr **attrs, u8 *mac_addr, u8 *mac_addr_mask,
10411 			 u32 *flags, enum nl80211_feature_flags randomness_flag)
10412 {
10413 	if (!attrs[NL80211_ATTR_SCAN_FLAGS])
10414 		return 0;
10415 
10416 	*flags = nla_get_u32(attrs[NL80211_ATTR_SCAN_FLAGS]);
10417 
10418 	if (((*flags & NL80211_SCAN_FLAG_LOW_PRIORITY) &&
10419 	     !(wiphy->features & NL80211_FEATURE_LOW_PRIORITY_SCAN)) ||
10420 	    !nl80211_check_scan_feat(wiphy, *flags,
10421 				     NL80211_SCAN_FLAG_LOW_SPAN,
10422 				     NL80211_EXT_FEATURE_LOW_SPAN_SCAN) ||
10423 	    !nl80211_check_scan_feat(wiphy, *flags,
10424 				     NL80211_SCAN_FLAG_LOW_POWER,
10425 				     NL80211_EXT_FEATURE_LOW_POWER_SCAN) ||
10426 	    !nl80211_check_scan_feat(wiphy, *flags,
10427 				     NL80211_SCAN_FLAG_HIGH_ACCURACY,
10428 				     NL80211_EXT_FEATURE_HIGH_ACCURACY_SCAN) ||
10429 	    !nl80211_check_scan_feat(wiphy, *flags,
10430 				     NL80211_SCAN_FLAG_FILS_MAX_CHANNEL_TIME,
10431 				     NL80211_EXT_FEATURE_FILS_MAX_CHANNEL_TIME) ||
10432 	    !nl80211_check_scan_feat(wiphy, *flags,
10433 				     NL80211_SCAN_FLAG_ACCEPT_BCAST_PROBE_RESP,
10434 				     NL80211_EXT_FEATURE_ACCEPT_BCAST_PROBE_RESP) ||
10435 	    !nl80211_check_scan_feat(wiphy, *flags,
10436 				     NL80211_SCAN_FLAG_OCE_PROBE_REQ_DEFERRAL_SUPPRESSION,
10437 				     NL80211_EXT_FEATURE_OCE_PROBE_REQ_DEFERRAL_SUPPRESSION) ||
10438 	    !nl80211_check_scan_feat(wiphy, *flags,
10439 				     NL80211_SCAN_FLAG_OCE_PROBE_REQ_HIGH_TX_RATE,
10440 				     NL80211_EXT_FEATURE_OCE_PROBE_REQ_HIGH_TX_RATE) ||
10441 	    !nl80211_check_scan_feat(wiphy, *flags,
10442 				     NL80211_SCAN_FLAG_RANDOM_SN,
10443 				     NL80211_EXT_FEATURE_SCAN_RANDOM_SN) ||
10444 	    !nl80211_check_scan_feat(wiphy, *flags,
10445 				     NL80211_SCAN_FLAG_MIN_PREQ_CONTENT,
10446 				     NL80211_EXT_FEATURE_SCAN_MIN_PREQ_CONTENT))
10447 		return -EOPNOTSUPP;
10448 
10449 	if (*flags & NL80211_SCAN_FLAG_RANDOM_ADDR) {
10450 		int err;
10451 
10452 		if (!(wiphy->features & randomness_flag) ||
10453 		    (wdev && wdev->connected))
10454 			return -EOPNOTSUPP;
10455 
10456 		err = nl80211_parse_random_mac(attrs, mac_addr, mac_addr_mask);
10457 		if (err)
10458 			return err;
10459 	}
10460 
10461 	return 0;
10462 }
10463 
10464 static int
10465 nl80211_check_scan_flags_sched(struct wiphy *wiphy, struct wireless_dev *wdev,
10466 			       struct nlattr **attrs,
10467 			       struct cfg80211_sched_scan_request *req)
10468 {
10469 	return nl80211_check_scan_flags(wiphy, wdev, attrs,
10470 					req->mac_addr, req->mac_addr_mask,
10471 					&req->flags,
10472 					wdev ? NL80211_FEATURE_SCHED_SCAN_RANDOM_MAC_ADDR :
10473 					       NL80211_FEATURE_ND_RANDOM_MAC_ADDR);
10474 }
10475 
10476 static int
10477 nl80211_check_scan_flags_reg(struct wiphy *wiphy, struct wireless_dev *wdev,
10478 			     struct nlattr **attrs,
10479 			     struct cfg80211_scan_request_int *req)
10480 {
10481 	return nl80211_check_scan_flags(wiphy, wdev, attrs,
10482 					req->req.mac_addr,
10483 					req->req.mac_addr_mask,
10484 					&req->req.flags,
10485 					NL80211_FEATURE_SCAN_RANDOM_MAC_ADDR);
10486 }
10487 
10488 static int nl80211_trigger_scan(struct sk_buff *skb, struct genl_info *info)
10489 {
10490 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10491 	struct wireless_dev *wdev = info->user_ptr[1];
10492 	struct cfg80211_scan_request_int *request;
10493 	struct nlattr *scan_freqs = NULL;
10494 	bool scan_freqs_khz = false;
10495 	struct nlattr *attr;
10496 	struct wiphy *wiphy;
10497 	int err, tmp, n_ssids = 0, n_channels, i;
10498 	size_t ie_len, size;
10499 	size_t ssids_offset, ie_offset;
10500 
10501 	wiphy = &rdev->wiphy;
10502 
10503 	if (wdev->iftype == NL80211_IFTYPE_NAN)
10504 		return -EOPNOTSUPP;
10505 
10506 	if (!rdev->ops->scan)
10507 		return -EOPNOTSUPP;
10508 
10509 	if (rdev->scan_req || rdev->scan_msg)
10510 		return -EBUSY;
10511 
10512 	if (info->attrs[NL80211_ATTR_SCAN_FREQ_KHZ]) {
10513 		if (!wiphy_ext_feature_isset(wiphy,
10514 					     NL80211_EXT_FEATURE_SCAN_FREQ_KHZ))
10515 			return -EOPNOTSUPP;
10516 		scan_freqs = info->attrs[NL80211_ATTR_SCAN_FREQ_KHZ];
10517 		scan_freqs_khz = true;
10518 	} else if (info->attrs[NL80211_ATTR_SCAN_FREQUENCIES])
10519 		scan_freqs = info->attrs[NL80211_ATTR_SCAN_FREQUENCIES];
10520 
10521 	if (scan_freqs) {
10522 		n_channels = validate_scan_freqs(scan_freqs);
10523 		if (!n_channels)
10524 			return -EINVAL;
10525 	} else {
10526 		n_channels = ieee80211_get_num_supported_channels(wiphy);
10527 	}
10528 
10529 	if (info->attrs[NL80211_ATTR_SCAN_SSIDS])
10530 		nla_for_each_nested(attr, info->attrs[NL80211_ATTR_SCAN_SSIDS], tmp)
10531 			n_ssids++;
10532 
10533 	if (n_ssids > wiphy->max_scan_ssids)
10534 		return -EINVAL;
10535 
10536 	if (info->attrs[NL80211_ATTR_IE])
10537 		ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
10538 	else
10539 		ie_len = 0;
10540 
10541 	if (ie_len > wiphy->max_scan_ie_len)
10542 		return -EINVAL;
10543 
10544 	size = struct_size(request, req.channels, n_channels);
10545 	ssids_offset = size;
10546 	size = size_add(size, array_size(sizeof(*request->req.ssids), n_ssids));
10547 	ie_offset = size;
10548 	size = size_add(size, ie_len);
10549 	request = kzalloc(size, GFP_KERNEL);
10550 	if (!request)
10551 		return -ENOMEM;
10552 
10553 	if (n_ssids)
10554 		request->req.ssids = (void *)request + ssids_offset;
10555 	request->req.n_ssids = n_ssids;
10556 	if (ie_len)
10557 		request->req.ie = (void *)request + ie_offset;
10558 
10559 	i = 0;
10560 	if (scan_freqs) {
10561 		/* user specified, bail out if channel not found */
10562 		nla_for_each_nested(attr, scan_freqs, tmp) {
10563 			struct ieee80211_channel *chan;
10564 			int freq = nla_get_u32(attr);
10565 
10566 			if (!scan_freqs_khz)
10567 				freq = MHZ_TO_KHZ(freq);
10568 
10569 			chan = ieee80211_get_channel_khz(wiphy, freq);
10570 			if (!chan) {
10571 				err = -EINVAL;
10572 				goto out_free;
10573 			}
10574 
10575 			/* Ignore disabled / no primary channels */
10576 			if (chan->flags & IEEE80211_CHAN_DISABLED ||
10577 			    chan->flags & IEEE80211_CHAN_S1G_NO_PRIMARY ||
10578 			    !cfg80211_wdev_channel_allowed(wdev, chan))
10579 				continue;
10580 
10581 			request->req.channels[i] = chan;
10582 			i++;
10583 		}
10584 	} else {
10585 		enum nl80211_band band;
10586 
10587 		/* all channels */
10588 		for (band = 0; band < NUM_NL80211_BANDS; band++) {
10589 			int j;
10590 
10591 			if (!wiphy->bands[band])
10592 				continue;
10593 			for (j = 0; j < wiphy->bands[band]->n_channels; j++) {
10594 				struct ieee80211_channel *chan;
10595 
10596 				chan = &wiphy->bands[band]->channels[j];
10597 
10598 				if (chan->flags & IEEE80211_CHAN_DISABLED ||
10599 				    chan->flags &
10600 					    IEEE80211_CHAN_S1G_NO_PRIMARY ||
10601 				    !cfg80211_wdev_channel_allowed(wdev, chan))
10602 					continue;
10603 
10604 				request->req.channels[i] = chan;
10605 				i++;
10606 			}
10607 		}
10608 	}
10609 
10610 	if (!i) {
10611 		err = -EINVAL;
10612 		goto out_free;
10613 	}
10614 
10615 	request->req.n_channels = i;
10616 
10617 	for (i = 0; i < request->req.n_channels; i++) {
10618 		struct ieee80211_channel *chan = request->req.channels[i];
10619 
10620 		/* if we can go off-channel to the target channel we're good */
10621 		if (cfg80211_off_channel_oper_allowed(wdev, chan))
10622 			continue;
10623 
10624 		if (!cfg80211_wdev_on_sub_chan(wdev, chan, true)) {
10625 			err = -EBUSY;
10626 			goto out_free;
10627 		}
10628 	}
10629 
10630 	i = 0;
10631 	if (n_ssids) {
10632 		nla_for_each_nested(attr, info->attrs[NL80211_ATTR_SCAN_SSIDS], tmp) {
10633 			if (nla_len(attr) > IEEE80211_MAX_SSID_LEN) {
10634 				err = -EINVAL;
10635 				goto out_free;
10636 			}
10637 			request->req.ssids[i].ssid_len = nla_len(attr);
10638 			memcpy(request->req.ssids[i].ssid,
10639 			       nla_data(attr), nla_len(attr));
10640 			i++;
10641 		}
10642 	}
10643 
10644 	if (info->attrs[NL80211_ATTR_IE]) {
10645 		request->req.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
10646 		memcpy((void *)request->req.ie,
10647 		       nla_data(info->attrs[NL80211_ATTR_IE]),
10648 		       request->req.ie_len);
10649 	}
10650 
10651 	for (i = 0; i < NUM_NL80211_BANDS; i++)
10652 		if (wiphy->bands[i])
10653 			request->req.rates[i] =
10654 				(1 << wiphy->bands[i]->n_bitrates) - 1;
10655 
10656 	if (info->attrs[NL80211_ATTR_SCAN_SUPP_RATES]) {
10657 		nla_for_each_nested(attr,
10658 				    info->attrs[NL80211_ATTR_SCAN_SUPP_RATES],
10659 				    tmp) {
10660 			enum nl80211_band band = nla_type(attr);
10661 
10662 			if (band < 0 || band >= NUM_NL80211_BANDS) {
10663 				err = -EINVAL;
10664 				goto out_free;
10665 			}
10666 
10667 			if (!wiphy->bands[band])
10668 				continue;
10669 
10670 			err = ieee80211_get_ratemask(wiphy->bands[band],
10671 						     nla_data(attr),
10672 						     nla_len(attr),
10673 						     &request->req.rates[band]);
10674 			if (err)
10675 				goto out_free;
10676 		}
10677 	}
10678 
10679 	if (info->attrs[NL80211_ATTR_MEASUREMENT_DURATION]) {
10680 		request->req.duration =
10681 			nla_get_u16(info->attrs[NL80211_ATTR_MEASUREMENT_DURATION]);
10682 		request->req.duration_mandatory =
10683 			nla_get_flag(info->attrs[NL80211_ATTR_MEASUREMENT_DURATION_MANDATORY]);
10684 	}
10685 
10686 	err = nl80211_check_scan_flags_reg(wiphy, wdev, info->attrs, request);
10687 	if (err)
10688 		goto out_free;
10689 
10690 	request->req.no_cck =
10691 		nla_get_flag(info->attrs[NL80211_ATTR_TX_NO_CCK_RATE]);
10692 
10693 	/* Initial implementation used NL80211_ATTR_MAC to set the specific
10694 	 * BSSID to scan for. This was problematic because that same attribute
10695 	 * was already used for another purpose (local random MAC address). The
10696 	 * NL80211_ATTR_BSSID attribute was added to fix this. For backwards
10697 	 * compatibility with older userspace components, also use the
10698 	 * NL80211_ATTR_MAC value here if it can be determined to be used for
10699 	 * the specific BSSID use case instead of the random MAC address
10700 	 * (NL80211_ATTR_SCAN_FLAGS is used to enable random MAC address use).
10701 	 */
10702 	if (info->attrs[NL80211_ATTR_BSSID])
10703 		memcpy(request->req.bssid,
10704 		       nla_data(info->attrs[NL80211_ATTR_BSSID]), ETH_ALEN);
10705 	else if (!(request->req.flags & NL80211_SCAN_FLAG_RANDOM_ADDR) &&
10706 		 info->attrs[NL80211_ATTR_MAC])
10707 		memcpy(request->req.bssid,
10708 		       nla_data(info->attrs[NL80211_ATTR_MAC]),
10709 		       ETH_ALEN);
10710 	else
10711 		eth_broadcast_addr(request->req.bssid);
10712 
10713 	request->req.tsf_report_link_id =
10714 		nl80211_link_id_or_invalid(info->attrs);
10715 	request->req.wdev = wdev;
10716 	request->req.wiphy = &rdev->wiphy;
10717 	request->req.scan_start = jiffies;
10718 
10719 	rdev->scan_req = request;
10720 	err = cfg80211_scan(rdev);
10721 
10722 	if (err)
10723 		goto out_free;
10724 
10725 	nl80211_send_scan_start(rdev, wdev);
10726 	dev_hold(wdev->netdev);
10727 
10728 	return 0;
10729 
10730  out_free:
10731 	rdev->scan_req = NULL;
10732 	kfree(request);
10733 
10734 	return err;
10735 }
10736 
10737 static int nl80211_abort_scan(struct sk_buff *skb, struct genl_info *info)
10738 {
10739 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10740 	struct wireless_dev *wdev = info->user_ptr[1];
10741 
10742 	if (!rdev->ops->abort_scan)
10743 		return -EOPNOTSUPP;
10744 
10745 	if (rdev->scan_msg)
10746 		return 0;
10747 
10748 	if (!rdev->scan_req)
10749 		return -ENOENT;
10750 
10751 	rdev_abort_scan(rdev, wdev);
10752 	return 0;
10753 }
10754 
10755 static int
10756 nl80211_parse_sched_scan_plans(struct wiphy *wiphy, int n_plans,
10757 			       struct cfg80211_sched_scan_request *request,
10758 			       struct nlattr **attrs)
10759 {
10760 	int tmp, err, i = 0;
10761 	struct nlattr *attr;
10762 
10763 	if (!attrs[NL80211_ATTR_SCHED_SCAN_PLANS]) {
10764 		u32 interval;
10765 
10766 		/*
10767 		 * If scan plans are not specified,
10768 		 * %NL80211_ATTR_SCHED_SCAN_INTERVAL will be specified. In this
10769 		 * case one scan plan will be set with the specified scan
10770 		 * interval and infinite number of iterations.
10771 		 */
10772 		interval = nla_get_u32(attrs[NL80211_ATTR_SCHED_SCAN_INTERVAL]);
10773 		if (!interval)
10774 			return -EINVAL;
10775 
10776 		request->scan_plans[0].interval =
10777 			DIV_ROUND_UP(interval, MSEC_PER_SEC);
10778 		if (!request->scan_plans[0].interval)
10779 			return -EINVAL;
10780 
10781 		if (request->scan_plans[0].interval >
10782 		    wiphy->max_sched_scan_plan_interval)
10783 			request->scan_plans[0].interval =
10784 				wiphy->max_sched_scan_plan_interval;
10785 
10786 		return 0;
10787 	}
10788 
10789 	nla_for_each_nested(attr, attrs[NL80211_ATTR_SCHED_SCAN_PLANS], tmp) {
10790 		struct nlattr *plan[NL80211_SCHED_SCAN_PLAN_MAX + 1];
10791 
10792 		if (WARN_ON(i >= n_plans))
10793 			return -EINVAL;
10794 
10795 		err = nla_parse_nested_deprecated(plan,
10796 						  NL80211_SCHED_SCAN_PLAN_MAX,
10797 						  attr, nl80211_plan_policy,
10798 						  NULL);
10799 		if (err)
10800 			return err;
10801 
10802 		if (!plan[NL80211_SCHED_SCAN_PLAN_INTERVAL])
10803 			return -EINVAL;
10804 
10805 		request->scan_plans[i].interval =
10806 			nla_get_u32(plan[NL80211_SCHED_SCAN_PLAN_INTERVAL]);
10807 		if (!request->scan_plans[i].interval ||
10808 		    request->scan_plans[i].interval >
10809 		    wiphy->max_sched_scan_plan_interval)
10810 			return -EINVAL;
10811 
10812 		if (plan[NL80211_SCHED_SCAN_PLAN_ITERATIONS]) {
10813 			request->scan_plans[i].iterations =
10814 				nla_get_u32(plan[NL80211_SCHED_SCAN_PLAN_ITERATIONS]);
10815 			if (!request->scan_plans[i].iterations ||
10816 			    (request->scan_plans[i].iterations >
10817 			     wiphy->max_sched_scan_plan_iterations))
10818 				return -EINVAL;
10819 		} else if (i < n_plans - 1) {
10820 			/*
10821 			 * All scan plans but the last one must specify
10822 			 * a finite number of iterations
10823 			 */
10824 			return -EINVAL;
10825 		}
10826 
10827 		i++;
10828 	}
10829 
10830 	/*
10831 	 * The last scan plan must not specify the number of
10832 	 * iterations, it is supposed to run infinitely
10833 	 */
10834 	if (request->scan_plans[n_plans - 1].iterations)
10835 		return  -EINVAL;
10836 
10837 	return 0;
10838 }
10839 
10840 static struct cfg80211_sched_scan_request *
10841 nl80211_parse_sched_scan(struct wiphy *wiphy, struct wireless_dev *wdev,
10842 			 struct nlattr **attrs, int max_match_sets)
10843 {
10844 	struct cfg80211_sched_scan_request *request;
10845 	struct nlattr *attr;
10846 	int err, tmp, n_ssids = 0, n_match_sets = 0, n_channels, i, n_plans = 0;
10847 	enum nl80211_band band;
10848 	size_t ie_len, size;
10849 	struct nlattr *tb[NL80211_SCHED_SCAN_MATCH_ATTR_MAX + 1];
10850 	s32 default_match_rssi = NL80211_SCAN_RSSI_THOLD_OFF;
10851 
10852 	if (attrs[NL80211_ATTR_SCAN_FREQUENCIES]) {
10853 		n_channels = validate_scan_freqs(
10854 				attrs[NL80211_ATTR_SCAN_FREQUENCIES]);
10855 		if (!n_channels)
10856 			return ERR_PTR(-EINVAL);
10857 	} else {
10858 		n_channels = ieee80211_get_num_supported_channels(wiphy);
10859 	}
10860 
10861 	if (attrs[NL80211_ATTR_SCAN_SSIDS])
10862 		nla_for_each_nested(attr, attrs[NL80211_ATTR_SCAN_SSIDS],
10863 				    tmp)
10864 			n_ssids++;
10865 
10866 	if (n_ssids > wiphy->max_sched_scan_ssids)
10867 		return ERR_PTR(-EINVAL);
10868 
10869 	/*
10870 	 * First, count the number of 'real' matchsets. Due to an issue with
10871 	 * the old implementation, matchsets containing only the RSSI attribute
10872 	 * (NL80211_SCHED_SCAN_MATCH_ATTR_RSSI) are considered as the 'default'
10873 	 * RSSI for all matchsets, rather than their own matchset for reporting
10874 	 * all APs with a strong RSSI. This is needed to be compatible with
10875 	 * older userspace that treated a matchset with only the RSSI as the
10876 	 * global RSSI for all other matchsets - if there are other matchsets.
10877 	 */
10878 	if (attrs[NL80211_ATTR_SCHED_SCAN_MATCH]) {
10879 		nla_for_each_nested(attr,
10880 				    attrs[NL80211_ATTR_SCHED_SCAN_MATCH],
10881 				    tmp) {
10882 			struct nlattr *rssi;
10883 
10884 			err = nla_parse_nested_deprecated(tb,
10885 							  NL80211_SCHED_SCAN_MATCH_ATTR_MAX,
10886 							  attr,
10887 							  nl80211_match_policy,
10888 							  NULL);
10889 			if (err)
10890 				return ERR_PTR(err);
10891 
10892 			/* SSID and BSSID are mutually exclusive */
10893 			if (tb[NL80211_SCHED_SCAN_MATCH_ATTR_SSID] &&
10894 			    tb[NL80211_SCHED_SCAN_MATCH_ATTR_BSSID])
10895 				return ERR_PTR(-EINVAL);
10896 
10897 			/* add other standalone attributes here */
10898 			if (tb[NL80211_SCHED_SCAN_MATCH_ATTR_SSID] ||
10899 			    tb[NL80211_SCHED_SCAN_MATCH_ATTR_BSSID]) {
10900 				n_match_sets++;
10901 				continue;
10902 			}
10903 			rssi = tb[NL80211_SCHED_SCAN_MATCH_ATTR_RSSI];
10904 			if (rssi)
10905 				default_match_rssi = nla_get_s32(rssi);
10906 		}
10907 	}
10908 
10909 	/* However, if there's no other matchset, add the RSSI one */
10910 	if (!n_match_sets && default_match_rssi != NL80211_SCAN_RSSI_THOLD_OFF)
10911 		n_match_sets = 1;
10912 
10913 	if (n_match_sets > max_match_sets)
10914 		return ERR_PTR(-EINVAL);
10915 
10916 	if (attrs[NL80211_ATTR_IE])
10917 		ie_len = nla_len(attrs[NL80211_ATTR_IE]);
10918 	else
10919 		ie_len = 0;
10920 
10921 	if (ie_len > wiphy->max_sched_scan_ie_len)
10922 		return ERR_PTR(-EINVAL);
10923 
10924 	if (attrs[NL80211_ATTR_SCHED_SCAN_PLANS]) {
10925 		/*
10926 		 * NL80211_ATTR_SCHED_SCAN_INTERVAL must not be specified since
10927 		 * each scan plan already specifies its own interval
10928 		 */
10929 		if (attrs[NL80211_ATTR_SCHED_SCAN_INTERVAL])
10930 			return ERR_PTR(-EINVAL);
10931 
10932 		nla_for_each_nested(attr,
10933 				    attrs[NL80211_ATTR_SCHED_SCAN_PLANS], tmp)
10934 			n_plans++;
10935 	} else {
10936 		/*
10937 		 * The scan interval attribute is kept for backward
10938 		 * compatibility. If no scan plans are specified and sched scan
10939 		 * interval is specified, one scan plan will be set with this
10940 		 * scan interval and infinite number of iterations.
10941 		 */
10942 		if (!attrs[NL80211_ATTR_SCHED_SCAN_INTERVAL])
10943 			return ERR_PTR(-EINVAL);
10944 
10945 		n_plans = 1;
10946 	}
10947 
10948 	if (!n_plans || n_plans > wiphy->max_sched_scan_plans)
10949 		return ERR_PTR(-EINVAL);
10950 
10951 	if (!wiphy_ext_feature_isset(
10952 		    wiphy, NL80211_EXT_FEATURE_SCHED_SCAN_RELATIVE_RSSI) &&
10953 	    (attrs[NL80211_ATTR_SCHED_SCAN_RELATIVE_RSSI] ||
10954 	     attrs[NL80211_ATTR_SCHED_SCAN_RSSI_ADJUST]))
10955 		return ERR_PTR(-EINVAL);
10956 
10957 	size = struct_size(request, channels, n_channels);
10958 	size = size_add(size, array_size(sizeof(*request->ssids), n_ssids));
10959 	size = size_add(size, array_size(sizeof(*request->match_sets),
10960 					 n_match_sets));
10961 	size = size_add(size, array_size(sizeof(*request->scan_plans),
10962 					 n_plans));
10963 	size = size_add(size, ie_len);
10964 	request = kzalloc(size, GFP_KERNEL);
10965 	if (!request)
10966 		return ERR_PTR(-ENOMEM);
10967 	request->n_channels = n_channels;
10968 
10969 	if (n_ssids)
10970 		request->ssids = (void *)request +
10971 			struct_size(request, channels, n_channels);
10972 	request->n_ssids = n_ssids;
10973 	if (ie_len) {
10974 		if (n_ssids)
10975 			request->ie = (void *)(request->ssids + n_ssids);
10976 		else
10977 			request->ie = (void *)(request->channels + n_channels);
10978 	}
10979 
10980 	if (n_match_sets) {
10981 		if (request->ie)
10982 			request->match_sets = (void *)(request->ie + ie_len);
10983 		else if (n_ssids)
10984 			request->match_sets =
10985 				(void *)(request->ssids + n_ssids);
10986 		else
10987 			request->match_sets =
10988 				(void *)(request->channels + n_channels);
10989 	}
10990 	request->n_match_sets = n_match_sets;
10991 
10992 	if (n_match_sets)
10993 		request->scan_plans = (void *)(request->match_sets +
10994 					       n_match_sets);
10995 	else if (request->ie)
10996 		request->scan_plans = (void *)(request->ie + ie_len);
10997 	else if (n_ssids)
10998 		request->scan_plans = (void *)(request->ssids + n_ssids);
10999 	else
11000 		request->scan_plans = (void *)(request->channels + n_channels);
11001 
11002 	request->n_scan_plans = n_plans;
11003 
11004 	i = 0;
11005 	if (attrs[NL80211_ATTR_SCAN_FREQUENCIES]) {
11006 		/* user specified, bail out if channel not found */
11007 		nla_for_each_nested(attr,
11008 				    attrs[NL80211_ATTR_SCAN_FREQUENCIES],
11009 				    tmp) {
11010 			struct ieee80211_channel *chan;
11011 
11012 			chan = ieee80211_get_channel(wiphy, nla_get_u32(attr));
11013 
11014 			if (!chan) {
11015 				err = -EINVAL;
11016 				goto out_free;
11017 			}
11018 
11019 			/* ignore disabled channels */
11020 			if (chan->flags & IEEE80211_CHAN_DISABLED)
11021 				continue;
11022 
11023 			request->channels[i] = chan;
11024 			i++;
11025 		}
11026 	} else {
11027 		/* all channels */
11028 		for (band = 0; band < NUM_NL80211_BANDS; band++) {
11029 			int j;
11030 
11031 			if (!wiphy->bands[band])
11032 				continue;
11033 			for (j = 0; j < wiphy->bands[band]->n_channels; j++) {
11034 				struct ieee80211_channel *chan;
11035 
11036 				chan = &wiphy->bands[band]->channels[j];
11037 
11038 				if (chan->flags & IEEE80211_CHAN_DISABLED)
11039 					continue;
11040 
11041 				request->channels[i] = chan;
11042 				i++;
11043 			}
11044 		}
11045 	}
11046 
11047 	if (!i) {
11048 		err = -EINVAL;
11049 		goto out_free;
11050 	}
11051 
11052 	request->n_channels = i;
11053 
11054 	i = 0;
11055 	if (n_ssids) {
11056 		nla_for_each_nested(attr, attrs[NL80211_ATTR_SCAN_SSIDS],
11057 				    tmp) {
11058 			if (nla_len(attr) > IEEE80211_MAX_SSID_LEN) {
11059 				err = -EINVAL;
11060 				goto out_free;
11061 			}
11062 			request->ssids[i].ssid_len = nla_len(attr);
11063 			memcpy(request->ssids[i].ssid, nla_data(attr),
11064 			       nla_len(attr));
11065 			i++;
11066 		}
11067 	}
11068 
11069 	i = 0;
11070 	if (attrs[NL80211_ATTR_SCHED_SCAN_MATCH]) {
11071 		nla_for_each_nested(attr,
11072 				    attrs[NL80211_ATTR_SCHED_SCAN_MATCH],
11073 				    tmp) {
11074 			struct nlattr *ssid, *bssid, *rssi;
11075 
11076 			err = nla_parse_nested_deprecated(tb,
11077 							  NL80211_SCHED_SCAN_MATCH_ATTR_MAX,
11078 							  attr,
11079 							  nl80211_match_policy,
11080 							  NULL);
11081 			if (err)
11082 				goto out_free;
11083 			ssid = tb[NL80211_SCHED_SCAN_MATCH_ATTR_SSID];
11084 			bssid = tb[NL80211_SCHED_SCAN_MATCH_ATTR_BSSID];
11085 
11086 			if (!ssid && !bssid) {
11087 				i++;
11088 				continue;
11089 			}
11090 
11091 			if (WARN_ON(i >= n_match_sets)) {
11092 				/* this indicates a programming error,
11093 				 * the loop above should have verified
11094 				 * things properly
11095 				 */
11096 				err = -EINVAL;
11097 				goto out_free;
11098 			}
11099 
11100 			if (ssid) {
11101 				memcpy(request->match_sets[i].ssid.ssid,
11102 				       nla_data(ssid), nla_len(ssid));
11103 				request->match_sets[i].ssid.ssid_len =
11104 					nla_len(ssid);
11105 			}
11106 			if (bssid)
11107 				memcpy(request->match_sets[i].bssid,
11108 				       nla_data(bssid), ETH_ALEN);
11109 
11110 			/* special attribute - old implementation w/a */
11111 			request->match_sets[i].rssi_thold = default_match_rssi;
11112 			rssi = tb[NL80211_SCHED_SCAN_MATCH_ATTR_RSSI];
11113 			if (rssi)
11114 				request->match_sets[i].rssi_thold =
11115 					nla_get_s32(rssi);
11116 			i++;
11117 		}
11118 
11119 		/* there was no other matchset, so the RSSI one is alone */
11120 		if (i == 0 && n_match_sets)
11121 			request->match_sets[0].rssi_thold = default_match_rssi;
11122 
11123 		request->min_rssi_thold = INT_MAX;
11124 		for (i = 0; i < n_match_sets; i++)
11125 			request->min_rssi_thold =
11126 				min(request->match_sets[i].rssi_thold,
11127 				    request->min_rssi_thold);
11128 	} else {
11129 		request->min_rssi_thold = NL80211_SCAN_RSSI_THOLD_OFF;
11130 	}
11131 
11132 	if (ie_len) {
11133 		request->ie_len = ie_len;
11134 		memcpy((void *)request->ie,
11135 		       nla_data(attrs[NL80211_ATTR_IE]),
11136 		       request->ie_len);
11137 	}
11138 
11139 	err = nl80211_check_scan_flags_sched(wiphy, wdev, attrs, request);
11140 	if (err)
11141 		goto out_free;
11142 
11143 	if (attrs[NL80211_ATTR_SCHED_SCAN_DELAY])
11144 		request->delay =
11145 			nla_get_u32(attrs[NL80211_ATTR_SCHED_SCAN_DELAY]);
11146 
11147 	if (attrs[NL80211_ATTR_SCHED_SCAN_RELATIVE_RSSI]) {
11148 		request->relative_rssi = nla_get_s8(
11149 			attrs[NL80211_ATTR_SCHED_SCAN_RELATIVE_RSSI]);
11150 		request->relative_rssi_set = true;
11151 	}
11152 
11153 	if (request->relative_rssi_set &&
11154 	    attrs[NL80211_ATTR_SCHED_SCAN_RSSI_ADJUST]) {
11155 		struct nl80211_bss_select_rssi_adjust *rssi_adjust;
11156 
11157 		rssi_adjust = nla_data(
11158 			attrs[NL80211_ATTR_SCHED_SCAN_RSSI_ADJUST]);
11159 		request->rssi_adjust.band = rssi_adjust->band;
11160 		request->rssi_adjust.delta = rssi_adjust->delta;
11161 		if (!is_band_valid(wiphy, request->rssi_adjust.band)) {
11162 			err = -EINVAL;
11163 			goto out_free;
11164 		}
11165 	}
11166 
11167 	err = nl80211_parse_sched_scan_plans(wiphy, n_plans, request, attrs);
11168 	if (err)
11169 		goto out_free;
11170 
11171 	request->scan_start = jiffies;
11172 
11173 	return request;
11174 
11175 out_free:
11176 	kfree(request);
11177 	return ERR_PTR(err);
11178 }
11179 
11180 static int nl80211_start_sched_scan(struct sk_buff *skb,
11181 				    struct genl_info *info)
11182 {
11183 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11184 	struct net_device *dev = info->user_ptr[1];
11185 	struct wireless_dev *wdev = dev->ieee80211_ptr;
11186 	struct cfg80211_sched_scan_request *sched_scan_req;
11187 	bool want_multi;
11188 	int err;
11189 
11190 	if (!rdev->wiphy.max_sched_scan_reqs || !rdev->ops->sched_scan_start)
11191 		return -EOPNOTSUPP;
11192 
11193 	want_multi = info->attrs[NL80211_ATTR_SCHED_SCAN_MULTI];
11194 	err = cfg80211_sched_scan_req_possible(rdev, want_multi);
11195 	if (err)
11196 		return err;
11197 
11198 	sched_scan_req = nl80211_parse_sched_scan(&rdev->wiphy, wdev,
11199 						  info->attrs,
11200 						  rdev->wiphy.max_match_sets);
11201 
11202 	err = PTR_ERR_OR_ZERO(sched_scan_req);
11203 	if (err)
11204 		goto out_err;
11205 
11206 	/* leave request id zero for legacy request
11207 	 * or if driver does not support multi-scheduled scan
11208 	 */
11209 	if (want_multi && rdev->wiphy.max_sched_scan_reqs > 1)
11210 		sched_scan_req->reqid = cfg80211_assign_cookie(rdev);
11211 
11212 	err = rdev_sched_scan_start(rdev, dev, sched_scan_req);
11213 	if (err)
11214 		goto out_free;
11215 
11216 	sched_scan_req->dev = dev;
11217 	sched_scan_req->wiphy = &rdev->wiphy;
11218 
11219 	if (info->attrs[NL80211_ATTR_SOCKET_OWNER])
11220 		sched_scan_req->owner_nlportid = info->snd_portid;
11221 
11222 	cfg80211_add_sched_scan_req(rdev, sched_scan_req);
11223 
11224 	nl80211_send_sched_scan(sched_scan_req, NL80211_CMD_START_SCHED_SCAN);
11225 	return 0;
11226 
11227 out_free:
11228 	kfree(sched_scan_req);
11229 out_err:
11230 	return err;
11231 }
11232 
11233 static int nl80211_stop_sched_scan(struct sk_buff *skb,
11234 				   struct genl_info *info)
11235 {
11236 	struct cfg80211_sched_scan_request *req;
11237 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11238 	u64 cookie;
11239 
11240 	if (!rdev->wiphy.max_sched_scan_reqs || !rdev->ops->sched_scan_stop)
11241 		return -EOPNOTSUPP;
11242 
11243 	if (info->attrs[NL80211_ATTR_COOKIE]) {
11244 		cookie = nla_get_u64(info->attrs[NL80211_ATTR_COOKIE]);
11245 		return __cfg80211_stop_sched_scan(rdev, cookie, false);
11246 	}
11247 
11248 	req = list_first_or_null_rcu(&rdev->sched_scan_req_list,
11249 				     struct cfg80211_sched_scan_request,
11250 				     list);
11251 	if (!req || req->reqid ||
11252 	    (req->owner_nlportid &&
11253 	     req->owner_nlportid != info->snd_portid))
11254 		return -ENOENT;
11255 
11256 	return cfg80211_stop_sched_scan_req(rdev, req, false);
11257 }
11258 
11259 static int nl80211_start_radar_detection(struct sk_buff *skb,
11260 					 struct genl_info *info)
11261 {
11262 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11263 	struct net_device *dev = info->user_ptr[1];
11264 	struct wireless_dev *wdev = dev->ieee80211_ptr;
11265 	int link_id = nl80211_link_id(info->attrs);
11266 	struct wiphy *wiphy = wdev->wiphy;
11267 	struct cfg80211_chan_def chandef;
11268 	enum nl80211_dfs_regions dfs_region;
11269 	unsigned int cac_time_ms;
11270 	int err;
11271 
11272 	flush_delayed_work(&rdev->dfs_update_channels_wk);
11273 
11274 	switch (wdev->iftype) {
11275 	case NL80211_IFTYPE_AP:
11276 	case NL80211_IFTYPE_P2P_GO:
11277 	case NL80211_IFTYPE_MESH_POINT:
11278 	case NL80211_IFTYPE_ADHOC:
11279 		break;
11280 	default:
11281 		/* caution - see cfg80211_beaconing_iface_active() below */
11282 		return -EINVAL;
11283 	}
11284 
11285 	guard(wiphy)(wiphy);
11286 
11287 	dfs_region = reg_get_dfs_region(wiphy);
11288 	if (dfs_region == NL80211_DFS_UNSET)
11289 		return -EINVAL;
11290 
11291 	err = nl80211_parse_chandef(rdev, info, &chandef);
11292 	if (err)
11293 		return err;
11294 
11295 	err = cfg80211_chandef_dfs_required(wiphy, &chandef, wdev->iftype);
11296 	if (err < 0)
11297 		return err;
11298 
11299 	if (err == 0)
11300 		return -EINVAL;
11301 
11302 	if (!cfg80211_chandef_dfs_usable(wiphy, &chandef))
11303 		return -EINVAL;
11304 
11305 	if (nla_get_flag(info->attrs[NL80211_ATTR_RADAR_BACKGROUND]))
11306 		return cfg80211_start_background_radar_detection(rdev, wdev,
11307 								 &chandef);
11308 
11309 	if (cfg80211_beaconing_iface_active(wdev)) {
11310 		/* During MLO other link(s) can beacon, only the current link
11311 		 * can not already beacon
11312 		 */
11313 		if (wdev->valid_links &&
11314 		    !wdev->links[link_id].ap.beacon_interval) {
11315 			/* nothing */
11316 		} else {
11317 			return -EBUSY;
11318 		}
11319 	}
11320 
11321 	if (wdev->links[link_id].cac_started)
11322 		return -EBUSY;
11323 
11324 	/* CAC start is offloaded to HW and can't be started manually */
11325 	if (wiphy_ext_feature_isset(wiphy, NL80211_EXT_FEATURE_DFS_OFFLOAD))
11326 		return -EOPNOTSUPP;
11327 
11328 	if (!rdev->ops->start_radar_detection)
11329 		return -EOPNOTSUPP;
11330 
11331 	cac_time_ms = cfg80211_chandef_dfs_cac_time(&rdev->wiphy, &chandef);
11332 	if (WARN_ON(!cac_time_ms))
11333 		cac_time_ms = IEEE80211_DFS_MIN_CAC_TIME_MS;
11334 
11335 	err = rdev_start_radar_detection(rdev, dev, &chandef, cac_time_ms,
11336 					 link_id);
11337 	if (err)
11338 		return err;
11339 
11340 	switch (wdev->iftype) {
11341 	case NL80211_IFTYPE_AP:
11342 	case NL80211_IFTYPE_P2P_GO:
11343 		wdev->links[link_id].ap.chandef = chandef;
11344 		break;
11345 	case NL80211_IFTYPE_ADHOC:
11346 		wdev->u.ibss.chandef = chandef;
11347 		break;
11348 	case NL80211_IFTYPE_MESH_POINT:
11349 		wdev->u.mesh.chandef = chandef;
11350 		break;
11351 	default:
11352 		break;
11353 	}
11354 	wdev->links[link_id].cac_started = true;
11355 	wdev->links[link_id].cac_start_time = jiffies;
11356 	wdev->links[link_id].cac_time_ms = cac_time_ms;
11357 
11358 	return 0;
11359 }
11360 
11361 static int nl80211_notify_radar_detection(struct sk_buff *skb,
11362 					  struct genl_info *info)
11363 {
11364 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11365 	struct net_device *dev = info->user_ptr[1];
11366 	struct wireless_dev *wdev = dev->ieee80211_ptr;
11367 	struct wiphy *wiphy = wdev->wiphy;
11368 	struct cfg80211_chan_def chandef;
11369 	enum nl80211_dfs_regions dfs_region;
11370 	int err;
11371 
11372 	dfs_region = reg_get_dfs_region(wiphy);
11373 	if (dfs_region == NL80211_DFS_UNSET) {
11374 		GENL_SET_ERR_MSG(info,
11375 				 "DFS Region is not set. Unexpected Radar indication");
11376 		return -EINVAL;
11377 	}
11378 
11379 	err = nl80211_parse_chandef(rdev, info, &chandef);
11380 	if (err) {
11381 		GENL_SET_ERR_MSG(info, "Unable to extract chandef info");
11382 		return err;
11383 	}
11384 
11385 	err = cfg80211_chandef_dfs_required(wiphy, &chandef, wdev->iftype);
11386 	if (err < 0) {
11387 		GENL_SET_ERR_MSG(info, "chandef is invalid");
11388 		return err;
11389 	}
11390 
11391 	if (err == 0) {
11392 		GENL_SET_ERR_MSG(info,
11393 				 "Unexpected Radar indication for chandef/iftype");
11394 		return -EINVAL;
11395 	}
11396 
11397 	/* Do not process this notification if radar is already detected
11398 	 * by kernel on this channel, and return success.
11399 	 */
11400 	if (chandef.chan->dfs_state == NL80211_DFS_UNAVAILABLE)
11401 		return 0;
11402 
11403 	cfg80211_set_dfs_state(wiphy, &chandef, NL80211_DFS_UNAVAILABLE);
11404 
11405 	cfg80211_sched_dfs_chan_update(rdev);
11406 
11407 	rdev->radar_chandef = chandef;
11408 
11409 	/* Propagate this notification to other radios as well */
11410 	queue_work(cfg80211_wq, &rdev->propagate_radar_detect_wk);
11411 
11412 	return 0;
11413 }
11414 
11415 static int nl80211_parse_counter_offsets(struct cfg80211_registered_device *rdev,
11416 					 const u8 *data, size_t datalen,
11417 					 int first_count, struct nlattr *attr,
11418 					 const u16 **offsets, unsigned int *n_offsets)
11419 {
11420 	int i;
11421 
11422 	*n_offsets = 0;
11423 
11424 	if (!attr)
11425 		return 0;
11426 
11427 	if (!nla_len(attr) || (nla_len(attr) % sizeof(u16)))
11428 		return -EINVAL;
11429 
11430 	*n_offsets = nla_len(attr) / sizeof(u16);
11431 	if (rdev->wiphy.max_num_csa_counters &&
11432 	    (*n_offsets > rdev->wiphy.max_num_csa_counters))
11433 		return -EINVAL;
11434 
11435 	*offsets = nla_data(attr);
11436 
11437 	/* sanity checks - counters should fit and be the same */
11438 	for (i = 0; i < *n_offsets; i++) {
11439 		u16 offset = (*offsets)[i];
11440 
11441 		if (offset >= datalen)
11442 			return -EINVAL;
11443 
11444 		if (first_count != -1 && data[offset] != first_count)
11445 			return -EINVAL;
11446 	}
11447 
11448 	return 0;
11449 }
11450 
11451 static int nl80211_channel_switch(struct sk_buff *skb, struct genl_info *info)
11452 {
11453 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11454 	unsigned int link_id = nl80211_link_id(info->attrs);
11455 	struct net_device *dev = info->user_ptr[1];
11456 	struct wireless_dev *wdev = dev->ieee80211_ptr;
11457 	struct cfg80211_csa_settings params;
11458 	struct nlattr **csa_attrs = NULL;
11459 	int err;
11460 	bool need_new_beacon = false;
11461 	bool need_handle_dfs_flag = true;
11462 	u32 cs_count;
11463 
11464 	if (!rdev->ops->channel_switch ||
11465 	    !(rdev->wiphy.flags & WIPHY_FLAG_HAS_CHANNEL_SWITCH))
11466 		return -EOPNOTSUPP;
11467 
11468 	switch (dev->ieee80211_ptr->iftype) {
11469 	case NL80211_IFTYPE_AP:
11470 	case NL80211_IFTYPE_P2P_GO:
11471 		need_new_beacon = true;
11472 		/* For all modes except AP the handle_dfs flag needs to be
11473 		 * supplied to tell the kernel that userspace will handle radar
11474 		 * events when they happen. Otherwise a switch to a channel
11475 		 * requiring DFS will be rejected.
11476 		 */
11477 		need_handle_dfs_flag = false;
11478 
11479 		/* useless if AP is not running */
11480 		if (!wdev->links[link_id].ap.beacon_interval)
11481 			return -ENOTCONN;
11482 		break;
11483 	case NL80211_IFTYPE_ADHOC:
11484 		if (!wdev->u.ibss.ssid_len)
11485 			return -ENOTCONN;
11486 		break;
11487 	case NL80211_IFTYPE_MESH_POINT:
11488 		if (!wdev->u.mesh.id_len)
11489 			return -ENOTCONN;
11490 		break;
11491 	default:
11492 		return -EOPNOTSUPP;
11493 	}
11494 
11495 	memset(&params, 0, sizeof(params));
11496 	params.beacon_csa.ftm_responder = -1;
11497 
11498 	if (!info->attrs[NL80211_ATTR_WIPHY_FREQ] ||
11499 	    !info->attrs[NL80211_ATTR_CH_SWITCH_COUNT])
11500 		return -EINVAL;
11501 
11502 	/* only important for AP, IBSS and mesh create IEs internally */
11503 	if (need_new_beacon && !info->attrs[NL80211_ATTR_CSA_IES])
11504 		return -EINVAL;
11505 
11506 	/* Even though the attribute is u32, the specification says
11507 	 * u8, so let's make sure we don't overflow.
11508 	 */
11509 	cs_count = nla_get_u32(info->attrs[NL80211_ATTR_CH_SWITCH_COUNT]);
11510 	if (cs_count > 255)
11511 		return -EINVAL;
11512 
11513 	params.count = cs_count;
11514 
11515 	if (!need_new_beacon)
11516 		goto skip_beacons;
11517 
11518 	err = nl80211_parse_beacon(rdev, info->attrs, &params.beacon_after,
11519 				   info->extack);
11520 	if (err)
11521 		goto free;
11522 
11523 	csa_attrs = kcalloc(NL80211_ATTR_MAX + 1, sizeof(*csa_attrs),
11524 			    GFP_KERNEL);
11525 	if (!csa_attrs) {
11526 		err = -ENOMEM;
11527 		goto free;
11528 	}
11529 
11530 	err = nla_parse_nested_deprecated(csa_attrs, NL80211_ATTR_MAX,
11531 					  info->attrs[NL80211_ATTR_CSA_IES],
11532 					  nl80211_policy, info->extack);
11533 	if (err)
11534 		goto free;
11535 
11536 	err = nl80211_parse_beacon(rdev, csa_attrs, &params.beacon_csa,
11537 				   info->extack);
11538 	if (err)
11539 		goto free;
11540 
11541 	if (!csa_attrs[NL80211_ATTR_CNTDWN_OFFS_BEACON]) {
11542 		err = -EINVAL;
11543 		goto free;
11544 	}
11545 
11546 	err = nl80211_parse_counter_offsets(rdev, params.beacon_csa.tail,
11547 					    params.beacon_csa.tail_len,
11548 					    params.count,
11549 					    csa_attrs[NL80211_ATTR_CNTDWN_OFFS_BEACON],
11550 					    &params.counter_offsets_beacon,
11551 					    &params.n_counter_offsets_beacon);
11552 	if (err)
11553 		goto free;
11554 
11555 	err = nl80211_parse_counter_offsets(rdev, params.beacon_csa.probe_resp,
11556 					    params.beacon_csa.probe_resp_len,
11557 					    params.count,
11558 					    csa_attrs[NL80211_ATTR_CNTDWN_OFFS_PRESP],
11559 					    &params.counter_offsets_presp,
11560 					    &params.n_counter_offsets_presp);
11561 	if (err)
11562 		goto free;
11563 
11564 skip_beacons:
11565 	err = nl80211_parse_chandef(rdev, info, &params.chandef);
11566 	if (err)
11567 		goto free;
11568 
11569 	if (!cfg80211_reg_can_beacon_relax(&rdev->wiphy, &params.chandef,
11570 					   wdev->iftype)) {
11571 		err = -EINVAL;
11572 		goto free;
11573 	}
11574 
11575 	err = cfg80211_chandef_dfs_required(wdev->wiphy,
11576 					    &params.chandef,
11577 					    wdev->iftype);
11578 	if (err < 0)
11579 		goto free;
11580 
11581 	if (err > 0) {
11582 		params.radar_required = true;
11583 		if (need_handle_dfs_flag &&
11584 		    !nla_get_flag(info->attrs[NL80211_ATTR_HANDLE_DFS])) {
11585 			err = -EINVAL;
11586 			goto free;
11587 		}
11588 	}
11589 
11590 	if (info->attrs[NL80211_ATTR_CH_SWITCH_BLOCK_TX])
11591 		params.block_tx = true;
11592 
11593 	if ((wdev->iftype == NL80211_IFTYPE_AP ||
11594 	     wdev->iftype == NL80211_IFTYPE_P2P_GO) &&
11595 	    info->attrs[NL80211_ATTR_UNSOL_BCAST_PROBE_RESP]) {
11596 		err = nl80211_parse_unsol_bcast_probe_resp(
11597 			rdev, info->attrs[NL80211_ATTR_UNSOL_BCAST_PROBE_RESP],
11598 			&params.unsol_bcast_probe_resp);
11599 		if (err)
11600 			goto free;
11601 	}
11602 
11603 	params.link_id = link_id;
11604 	err = rdev_channel_switch(rdev, dev, &params);
11605 
11606 free:
11607 	kfree(params.beacon_after.mbssid_ies);
11608 	kfree(params.beacon_csa.mbssid_ies);
11609 	kfree(params.beacon_after.rnr_ies);
11610 	kfree(params.beacon_csa.rnr_ies);
11611 	kfree(csa_attrs);
11612 	return err;
11613 }
11614 
11615 static int nl80211_send_bss(struct sk_buff *msg, struct netlink_callback *cb,
11616 			    u32 seq, int flags,
11617 			    struct cfg80211_registered_device *rdev,
11618 			    struct wireless_dev *wdev,
11619 			    struct cfg80211_internal_bss *intbss)
11620 {
11621 	struct cfg80211_bss *res = &intbss->pub;
11622 	const struct cfg80211_bss_ies *ies;
11623 	unsigned int link_id;
11624 	void *hdr;
11625 	struct nlattr *bss;
11626 
11627 	lockdep_assert_wiphy(wdev->wiphy);
11628 
11629 	hdr = nl80211hdr_put(msg, NETLINK_CB(cb->skb).portid, seq, flags,
11630 			     NL80211_CMD_NEW_SCAN_RESULTS);
11631 	if (!hdr)
11632 		return -1;
11633 
11634 	genl_dump_check_consistent(cb, hdr);
11635 
11636 	if (nla_put_u32(msg, NL80211_ATTR_GENERATION, rdev->bss_generation))
11637 		goto nla_put_failure;
11638 	if (wdev->netdev &&
11639 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, wdev->netdev->ifindex))
11640 		goto nla_put_failure;
11641 	if (nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
11642 			      NL80211_ATTR_PAD))
11643 		goto nla_put_failure;
11644 
11645 	bss = nla_nest_start_noflag(msg, NL80211_ATTR_BSS);
11646 	if (!bss)
11647 		goto nla_put_failure;
11648 	if ((!is_zero_ether_addr(res->bssid) &&
11649 	     nla_put(msg, NL80211_BSS_BSSID, ETH_ALEN, res->bssid)))
11650 		goto nla_put_failure;
11651 
11652 	rcu_read_lock();
11653 	/* indicate whether we have probe response data or not */
11654 	if (rcu_access_pointer(res->proberesp_ies) &&
11655 	    nla_put_flag(msg, NL80211_BSS_PRESP_DATA))
11656 		goto fail_unlock_rcu;
11657 
11658 	/* this pointer prefers to be pointed to probe response data
11659 	 * but is always valid
11660 	 */
11661 	ies = rcu_dereference(res->ies);
11662 	if (ies) {
11663 		if (nla_put_u64_64bit(msg, NL80211_BSS_TSF, ies->tsf,
11664 				      NL80211_BSS_PAD))
11665 			goto fail_unlock_rcu;
11666 		if (ies->len && nla_put(msg, NL80211_BSS_INFORMATION_ELEMENTS,
11667 					ies->len, ies->data))
11668 			goto fail_unlock_rcu;
11669 	}
11670 
11671 	/* and this pointer is always (unless driver didn't know) beacon data */
11672 	ies = rcu_dereference(res->beacon_ies);
11673 	if (ies && ies->from_beacon) {
11674 		if (nla_put_u64_64bit(msg, NL80211_BSS_BEACON_TSF, ies->tsf,
11675 				      NL80211_BSS_PAD))
11676 			goto fail_unlock_rcu;
11677 		if (ies->len && nla_put(msg, NL80211_BSS_BEACON_IES,
11678 					ies->len, ies->data))
11679 			goto fail_unlock_rcu;
11680 	}
11681 	rcu_read_unlock();
11682 
11683 	if (res->beacon_interval &&
11684 	    nla_put_u16(msg, NL80211_BSS_BEACON_INTERVAL, res->beacon_interval))
11685 		goto nla_put_failure;
11686 	if (nla_put_u16(msg, NL80211_BSS_CAPABILITY, res->capability) ||
11687 	    nla_put_u32(msg, NL80211_BSS_FREQUENCY, res->channel->center_freq) ||
11688 	    nla_put_u32(msg, NL80211_BSS_FREQUENCY_OFFSET,
11689 			res->channel->freq_offset) ||
11690 	    nla_put_u32(msg, NL80211_BSS_SEEN_MS_AGO,
11691 			jiffies_to_msecs(jiffies - intbss->ts)))
11692 		goto nla_put_failure;
11693 
11694 	if (intbss->parent_tsf &&
11695 	    (nla_put_u64_64bit(msg, NL80211_BSS_PARENT_TSF,
11696 			       intbss->parent_tsf, NL80211_BSS_PAD) ||
11697 	     nla_put(msg, NL80211_BSS_PARENT_BSSID, ETH_ALEN,
11698 		     intbss->parent_bssid)))
11699 		goto nla_put_failure;
11700 
11701 	if (res->ts_boottime &&
11702 	    nla_put_u64_64bit(msg, NL80211_BSS_LAST_SEEN_BOOTTIME,
11703 			      res->ts_boottime, NL80211_BSS_PAD))
11704 		goto nla_put_failure;
11705 
11706 	if (!nl80211_put_signal(msg, intbss->pub.chains,
11707 				intbss->pub.chain_signal,
11708 				NL80211_BSS_CHAIN_SIGNAL))
11709 		goto nla_put_failure;
11710 
11711 	if (intbss->bss_source != BSS_SOURCE_STA_PROFILE) {
11712 		switch (rdev->wiphy.signal_type) {
11713 		case CFG80211_SIGNAL_TYPE_MBM:
11714 			if (nla_put_u32(msg, NL80211_BSS_SIGNAL_MBM,
11715 					res->signal))
11716 				goto nla_put_failure;
11717 			break;
11718 		case CFG80211_SIGNAL_TYPE_UNSPEC:
11719 			if (nla_put_u8(msg, NL80211_BSS_SIGNAL_UNSPEC,
11720 				       res->signal))
11721 				goto nla_put_failure;
11722 			break;
11723 		default:
11724 			break;
11725 		}
11726 	}
11727 
11728 	switch (wdev->iftype) {
11729 	case NL80211_IFTYPE_P2P_CLIENT:
11730 	case NL80211_IFTYPE_STATION:
11731 		for_each_valid_link(wdev, link_id) {
11732 			if (intbss == wdev->links[link_id].client.current_bss &&
11733 			    (nla_put_u32(msg, NL80211_BSS_STATUS,
11734 					 NL80211_BSS_STATUS_ASSOCIATED) ||
11735 			     (wdev->valid_links &&
11736 			      (nla_put_u8(msg, NL80211_BSS_MLO_LINK_ID,
11737 					  link_id) ||
11738 			       nla_put(msg, NL80211_BSS_MLD_ADDR, ETH_ALEN,
11739 				       wdev->u.client.connected_addr)))))
11740 				goto nla_put_failure;
11741 		}
11742 		break;
11743 	case NL80211_IFTYPE_ADHOC:
11744 		if (intbss == wdev->u.ibss.current_bss &&
11745 		    nla_put_u32(msg, NL80211_BSS_STATUS,
11746 				NL80211_BSS_STATUS_IBSS_JOINED))
11747 			goto nla_put_failure;
11748 		break;
11749 	default:
11750 		break;
11751 	}
11752 
11753 	if (nla_put_u32(msg, NL80211_BSS_USE_FOR, res->use_for))
11754 		goto nla_put_failure;
11755 
11756 	if (res->cannot_use_reasons &&
11757 	    nla_put_u64_64bit(msg, NL80211_BSS_CANNOT_USE_REASONS,
11758 			      res->cannot_use_reasons,
11759 			      NL80211_BSS_PAD))
11760 		goto nla_put_failure;
11761 
11762 	nla_nest_end(msg, bss);
11763 
11764 	genlmsg_end(msg, hdr);
11765 	return 0;
11766 
11767  fail_unlock_rcu:
11768 	rcu_read_unlock();
11769  nla_put_failure:
11770 	genlmsg_cancel(msg, hdr);
11771 	return -EMSGSIZE;
11772 }
11773 
11774 static int nl80211_dump_scan(struct sk_buff *skb, struct netlink_callback *cb)
11775 {
11776 	struct cfg80211_registered_device *rdev;
11777 	struct cfg80211_internal_bss *scan;
11778 	struct wireless_dev *wdev;
11779 	struct nlattr **attrbuf;
11780 	int start = cb->args[2], idx = 0;
11781 	bool dump_include_use_data;
11782 	int err;
11783 
11784 	attrbuf = kcalloc(NUM_NL80211_ATTR, sizeof(*attrbuf), GFP_KERNEL);
11785 	if (!attrbuf)
11786 		return -ENOMEM;
11787 
11788 	err = nl80211_prepare_wdev_dump(cb, &rdev, &wdev, attrbuf);
11789 	if (err) {
11790 		kfree(attrbuf);
11791 		return err;
11792 	}
11793 	/* nl80211_prepare_wdev_dump acquired it in the successful case */
11794 	__acquire(&rdev->wiphy.mtx);
11795 
11796 	dump_include_use_data =
11797 		attrbuf[NL80211_ATTR_BSS_DUMP_INCLUDE_USE_DATA];
11798 	kfree(attrbuf);
11799 
11800 	spin_lock_bh(&rdev->bss_lock);
11801 
11802 	/*
11803 	 * dump_scan will be called multiple times to break up the scan results
11804 	 * into multiple messages.  It is unlikely that any more bss-es will be
11805 	 * expired after the first call, so only call only call this on the
11806 	 * first dump_scan invocation.
11807 	 */
11808 	if (start == 0)
11809 		cfg80211_bss_expire(rdev);
11810 
11811 	cb->seq = rdev->bss_generation;
11812 
11813 	list_for_each_entry(scan, &rdev->bss_list, list) {
11814 		if (++idx <= start)
11815 			continue;
11816 		if (!dump_include_use_data &&
11817 		    !(scan->pub.use_for & NL80211_BSS_USE_FOR_NORMAL))
11818 			continue;
11819 		if (nl80211_send_bss(skb, cb,
11820 				cb->nlh->nlmsg_seq, NLM_F_MULTI,
11821 				rdev, wdev, scan) < 0) {
11822 			idx--;
11823 			break;
11824 		}
11825 	}
11826 
11827 	spin_unlock_bh(&rdev->bss_lock);
11828 
11829 	cb->args[2] = idx;
11830 	wiphy_unlock(&rdev->wiphy);
11831 
11832 	return skb->len;
11833 }
11834 
11835 static int nl80211_send_survey(struct sk_buff *msg, u32 portid, u32 seq,
11836 			       int flags, struct net_device *dev,
11837 			       bool allow_radio_stats,
11838 			       struct survey_info *survey)
11839 {
11840 	void *hdr;
11841 	struct nlattr *infoattr;
11842 
11843 	/* skip radio stats if userspace didn't request them */
11844 	if (!survey->channel && !allow_radio_stats)
11845 		return 0;
11846 
11847 	hdr = nl80211hdr_put(msg, portid, seq, flags,
11848 			     NL80211_CMD_NEW_SURVEY_RESULTS);
11849 	if (!hdr)
11850 		return -ENOMEM;
11851 
11852 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
11853 		goto nla_put_failure;
11854 
11855 	infoattr = nla_nest_start_noflag(msg, NL80211_ATTR_SURVEY_INFO);
11856 	if (!infoattr)
11857 		goto nla_put_failure;
11858 
11859 	if (survey->channel &&
11860 	    nla_put_u32(msg, NL80211_SURVEY_INFO_FREQUENCY,
11861 			survey->channel->center_freq))
11862 		goto nla_put_failure;
11863 
11864 	if (survey->channel && survey->channel->freq_offset &&
11865 	    nla_put_u32(msg, NL80211_SURVEY_INFO_FREQUENCY_OFFSET,
11866 			survey->channel->freq_offset))
11867 		goto nla_put_failure;
11868 
11869 	if ((survey->filled & SURVEY_INFO_NOISE_DBM) &&
11870 	    nla_put_u8(msg, NL80211_SURVEY_INFO_NOISE, survey->noise))
11871 		goto nla_put_failure;
11872 	if ((survey->filled & SURVEY_INFO_IN_USE) &&
11873 	    nla_put_flag(msg, NL80211_SURVEY_INFO_IN_USE))
11874 		goto nla_put_failure;
11875 	if ((survey->filled & SURVEY_INFO_TIME) &&
11876 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME,
11877 			survey->time, NL80211_SURVEY_INFO_PAD))
11878 		goto nla_put_failure;
11879 	if ((survey->filled & SURVEY_INFO_TIME_BUSY) &&
11880 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_BUSY,
11881 			      survey->time_busy, NL80211_SURVEY_INFO_PAD))
11882 		goto nla_put_failure;
11883 	if ((survey->filled & SURVEY_INFO_TIME_EXT_BUSY) &&
11884 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_EXT_BUSY,
11885 			      survey->time_ext_busy, NL80211_SURVEY_INFO_PAD))
11886 		goto nla_put_failure;
11887 	if ((survey->filled & SURVEY_INFO_TIME_RX) &&
11888 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_RX,
11889 			      survey->time_rx, NL80211_SURVEY_INFO_PAD))
11890 		goto nla_put_failure;
11891 	if ((survey->filled & SURVEY_INFO_TIME_TX) &&
11892 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_TX,
11893 			      survey->time_tx, NL80211_SURVEY_INFO_PAD))
11894 		goto nla_put_failure;
11895 	if ((survey->filled & SURVEY_INFO_TIME_SCAN) &&
11896 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_SCAN,
11897 			      survey->time_scan, NL80211_SURVEY_INFO_PAD))
11898 		goto nla_put_failure;
11899 	if ((survey->filled & SURVEY_INFO_TIME_BSS_RX) &&
11900 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_BSS_RX,
11901 			      survey->time_bss_rx, NL80211_SURVEY_INFO_PAD))
11902 		goto nla_put_failure;
11903 
11904 	nla_nest_end(msg, infoattr);
11905 
11906 	genlmsg_end(msg, hdr);
11907 	return 0;
11908 
11909  nla_put_failure:
11910 	genlmsg_cancel(msg, hdr);
11911 	return -EMSGSIZE;
11912 }
11913 
11914 static int nl80211_dump_survey(struct sk_buff *skb, struct netlink_callback *cb)
11915 {
11916 	struct nlattr **attrbuf;
11917 	struct survey_info survey;
11918 	struct cfg80211_registered_device *rdev;
11919 	struct wireless_dev *wdev;
11920 	int survey_idx = cb->args[2];
11921 	int res;
11922 	bool radio_stats;
11923 
11924 	attrbuf = kcalloc(NUM_NL80211_ATTR, sizeof(*attrbuf), GFP_KERNEL);
11925 	if (!attrbuf)
11926 		return -ENOMEM;
11927 
11928 	res = nl80211_prepare_wdev_dump(cb, &rdev, &wdev, attrbuf);
11929 	if (res) {
11930 		kfree(attrbuf);
11931 		return res;
11932 	}
11933 	/* nl80211_prepare_wdev_dump acquired it in the successful case */
11934 	__acquire(&rdev->wiphy.mtx);
11935 
11936 	/* prepare_wdev_dump parsed the attributes */
11937 	radio_stats = attrbuf[NL80211_ATTR_SURVEY_RADIO_STATS];
11938 
11939 	if (!wdev->netdev) {
11940 		res = -EINVAL;
11941 		goto out_err;
11942 	}
11943 
11944 	if (!rdev->ops->dump_survey) {
11945 		res = -EOPNOTSUPP;
11946 		goto out_err;
11947 	}
11948 
11949 	while (1) {
11950 		res = rdev_dump_survey(rdev, wdev->netdev, survey_idx, &survey);
11951 		if (res == -ENOENT)
11952 			break;
11953 		if (res)
11954 			goto out_err;
11955 
11956 		/* don't send disabled channels, but do send non-channel data */
11957 		if (survey.channel &&
11958 		    survey.channel->flags & IEEE80211_CHAN_DISABLED) {
11959 			survey_idx++;
11960 			continue;
11961 		}
11962 
11963 		if (nl80211_send_survey(skb,
11964 				NETLINK_CB(cb->skb).portid,
11965 				cb->nlh->nlmsg_seq, NLM_F_MULTI,
11966 				wdev->netdev, radio_stats, &survey) < 0)
11967 			goto out;
11968 		survey_idx++;
11969 	}
11970 
11971  out:
11972 	cb->args[2] = survey_idx;
11973 	res = skb->len;
11974  out_err:
11975 	kfree(attrbuf);
11976 	wiphy_unlock(&rdev->wiphy);
11977 	return res;
11978 }
11979 
11980 static int nl80211_authenticate(struct sk_buff *skb, struct genl_info *info)
11981 {
11982 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11983 	struct net_device *dev = info->user_ptr[1];
11984 	struct ieee80211_channel *chan;
11985 	const u8 *bssid, *ssid;
11986 	int err, ssid_len;
11987 	enum nl80211_auth_type auth_type;
11988 	struct key_parse key;
11989 	bool local_state_change;
11990 	struct cfg80211_auth_request req = {};
11991 	u32 freq;
11992 
11993 	if (!info->attrs[NL80211_ATTR_MAC])
11994 		return -EINVAL;
11995 
11996 	if (!info->attrs[NL80211_ATTR_AUTH_TYPE])
11997 		return -EINVAL;
11998 
11999 	if (!info->attrs[NL80211_ATTR_SSID])
12000 		return -EINVAL;
12001 
12002 	if (!info->attrs[NL80211_ATTR_WIPHY_FREQ])
12003 		return -EINVAL;
12004 
12005 	err = nl80211_parse_key(info, &key);
12006 	if (err)
12007 		return err;
12008 
12009 	if (key.idx >= 0) {
12010 		if (key.type != -1 && key.type != NL80211_KEYTYPE_GROUP)
12011 			return -EINVAL;
12012 		if (!key.p.key || !key.p.key_len)
12013 			return -EINVAL;
12014 		if ((key.p.cipher != WLAN_CIPHER_SUITE_WEP40 ||
12015 		     key.p.key_len != WLAN_KEY_LEN_WEP40) &&
12016 		    (key.p.cipher != WLAN_CIPHER_SUITE_WEP104 ||
12017 		     key.p.key_len != WLAN_KEY_LEN_WEP104))
12018 			return -EINVAL;
12019 		if (key.idx > 3)
12020 			return -EINVAL;
12021 	} else {
12022 		key.p.key_len = 0;
12023 		key.p.key = NULL;
12024 	}
12025 
12026 	if (key.idx >= 0) {
12027 		int i;
12028 		bool ok = false;
12029 
12030 		for (i = 0; i < rdev->wiphy.n_cipher_suites; i++) {
12031 			if (key.p.cipher == rdev->wiphy.cipher_suites[i]) {
12032 				ok = true;
12033 				break;
12034 			}
12035 		}
12036 		if (!ok)
12037 			return -EINVAL;
12038 	}
12039 
12040 	if (!rdev->ops->auth)
12041 		return -EOPNOTSUPP;
12042 
12043 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
12044 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
12045 		return -EOPNOTSUPP;
12046 
12047 	bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
12048 	freq = MHZ_TO_KHZ(nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ]));
12049 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET])
12050 		freq +=
12051 		    nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET]);
12052 
12053 	chan = nl80211_get_valid_chan(&rdev->wiphy, freq);
12054 	if (!chan)
12055 		return -EINVAL;
12056 
12057 	ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
12058 	ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
12059 
12060 	if (info->attrs[NL80211_ATTR_IE]) {
12061 		req.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
12062 		req.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
12063 	}
12064 
12065 	if (info->attrs[NL80211_ATTR_SUPPORTED_SELECTORS]) {
12066 		req.supported_selectors =
12067 			nla_data(info->attrs[NL80211_ATTR_SUPPORTED_SELECTORS]);
12068 		req.supported_selectors_len =
12069 			nla_len(info->attrs[NL80211_ATTR_SUPPORTED_SELECTORS]);
12070 	}
12071 
12072 	auth_type = nla_get_u32(info->attrs[NL80211_ATTR_AUTH_TYPE]);
12073 	if (!nl80211_valid_auth_type(rdev, auth_type, NL80211_CMD_AUTHENTICATE))
12074 		return -EINVAL;
12075 
12076 	if ((auth_type == NL80211_AUTHTYPE_SAE ||
12077 	     auth_type == NL80211_AUTHTYPE_FILS_SK ||
12078 	     auth_type == NL80211_AUTHTYPE_FILS_SK_PFS ||
12079 	     auth_type == NL80211_AUTHTYPE_FILS_PK ||
12080 	     auth_type == NL80211_AUTHTYPE_EPPKE) &&
12081 	    !info->attrs[NL80211_ATTR_AUTH_DATA])
12082 		return -EINVAL;
12083 
12084 	if (info->attrs[NL80211_ATTR_AUTH_DATA]) {
12085 		if (auth_type != NL80211_AUTHTYPE_SAE &&
12086 		    auth_type != NL80211_AUTHTYPE_FILS_SK &&
12087 		    auth_type != NL80211_AUTHTYPE_FILS_SK_PFS &&
12088 		    auth_type != NL80211_AUTHTYPE_FILS_PK &&
12089 		    auth_type != NL80211_AUTHTYPE_EPPKE)
12090 			return -EINVAL;
12091 		req.auth_data = nla_data(info->attrs[NL80211_ATTR_AUTH_DATA]);
12092 		req.auth_data_len = nla_len(info->attrs[NL80211_ATTR_AUTH_DATA]);
12093 	}
12094 
12095 	local_state_change = !!info->attrs[NL80211_ATTR_LOCAL_STATE_CHANGE];
12096 
12097 	/*
12098 	 * Since we no longer track auth state, ignore
12099 	 * requests to only change local state.
12100 	 */
12101 	if (local_state_change)
12102 		return 0;
12103 
12104 	req.auth_type = auth_type;
12105 	req.key = key.p.key;
12106 	req.key_len = key.p.key_len;
12107 	req.key_idx = key.idx;
12108 	req.link_id = nl80211_link_id_or_invalid(info->attrs);
12109 	if (req.link_id >= 0) {
12110 		if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_MLO))
12111 			return -EINVAL;
12112 		if (!info->attrs[NL80211_ATTR_MLD_ADDR])
12113 			return -EINVAL;
12114 		req.ap_mld_addr = nla_data(info->attrs[NL80211_ATTR_MLD_ADDR]);
12115 		if (!is_valid_ether_addr(req.ap_mld_addr))
12116 			return -EINVAL;
12117 	}
12118 
12119 	req.bss = cfg80211_get_bss(&rdev->wiphy, chan, bssid, ssid, ssid_len,
12120 				   IEEE80211_BSS_TYPE_ESS,
12121 				   IEEE80211_PRIVACY_ANY);
12122 	if (!req.bss)
12123 		return -ENOENT;
12124 
12125 	err = cfg80211_mlme_auth(rdev, dev, &req);
12126 
12127 	cfg80211_put_bss(&rdev->wiphy, req.bss);
12128 
12129 	return err;
12130 }
12131 
12132 static int validate_pae_over_nl80211(struct cfg80211_registered_device *rdev,
12133 				     struct genl_info *info)
12134 {
12135 	if (!info->attrs[NL80211_ATTR_SOCKET_OWNER]) {
12136 		GENL_SET_ERR_MSG(info, "SOCKET_OWNER not set");
12137 		return -EINVAL;
12138 	}
12139 
12140 	if (!rdev->ops->tx_control_port ||
12141 	    !wiphy_ext_feature_isset(&rdev->wiphy,
12142 				     NL80211_EXT_FEATURE_CONTROL_PORT_OVER_NL80211))
12143 		return -EOPNOTSUPP;
12144 
12145 	return 0;
12146 }
12147 
12148 static int nl80211_crypto_settings(struct cfg80211_registered_device *rdev,
12149 				   struct genl_info *info,
12150 				   struct cfg80211_crypto_settings *settings,
12151 				   int cipher_limit)
12152 {
12153 	memset(settings, 0, sizeof(*settings));
12154 
12155 	settings->control_port = info->attrs[NL80211_ATTR_CONTROL_PORT];
12156 
12157 	if (info->attrs[NL80211_ATTR_CONTROL_PORT_ETHERTYPE]) {
12158 		u16 proto;
12159 
12160 		proto = nla_get_u16(
12161 			info->attrs[NL80211_ATTR_CONTROL_PORT_ETHERTYPE]);
12162 		settings->control_port_ethertype = cpu_to_be16(proto);
12163 		if (!(rdev->wiphy.flags & WIPHY_FLAG_CONTROL_PORT_PROTOCOL) &&
12164 		    proto != ETH_P_PAE)
12165 			return -EINVAL;
12166 		if (info->attrs[NL80211_ATTR_CONTROL_PORT_NO_ENCRYPT])
12167 			settings->control_port_no_encrypt = true;
12168 	} else
12169 		settings->control_port_ethertype = cpu_to_be16(ETH_P_PAE);
12170 
12171 	if (info->attrs[NL80211_ATTR_CONTROL_PORT_OVER_NL80211]) {
12172 		int r = validate_pae_over_nl80211(rdev, info);
12173 
12174 		if (r < 0)
12175 			return r;
12176 
12177 		settings->control_port_over_nl80211 = true;
12178 
12179 		if (info->attrs[NL80211_ATTR_CONTROL_PORT_NO_PREAUTH])
12180 			settings->control_port_no_preauth = true;
12181 	}
12182 
12183 	if (info->attrs[NL80211_ATTR_CIPHER_SUITES_PAIRWISE]) {
12184 		void *data;
12185 		int len, i;
12186 
12187 		data = nla_data(info->attrs[NL80211_ATTR_CIPHER_SUITES_PAIRWISE]);
12188 		len = nla_len(info->attrs[NL80211_ATTR_CIPHER_SUITES_PAIRWISE]);
12189 		settings->n_ciphers_pairwise = len / sizeof(u32);
12190 
12191 		if (len % sizeof(u32))
12192 			return -EINVAL;
12193 
12194 		if (settings->n_ciphers_pairwise > cipher_limit)
12195 			return -EINVAL;
12196 
12197 		memcpy(settings->ciphers_pairwise, data, len);
12198 
12199 		for (i = 0; i < settings->n_ciphers_pairwise; i++)
12200 			if (!cfg80211_supported_cipher_suite(
12201 					&rdev->wiphy,
12202 					settings->ciphers_pairwise[i]))
12203 				return -EINVAL;
12204 	}
12205 
12206 	if (info->attrs[NL80211_ATTR_CIPHER_SUITE_GROUP]) {
12207 		settings->cipher_group =
12208 			nla_get_u32(info->attrs[NL80211_ATTR_CIPHER_SUITE_GROUP]);
12209 		if (!cfg80211_supported_cipher_suite(&rdev->wiphy,
12210 						     settings->cipher_group))
12211 			return -EINVAL;
12212 	}
12213 
12214 	if (info->attrs[NL80211_ATTR_WPA_VERSIONS])
12215 		settings->wpa_versions =
12216 			nla_get_u32(info->attrs[NL80211_ATTR_WPA_VERSIONS]);
12217 
12218 	if (info->attrs[NL80211_ATTR_AKM_SUITES]) {
12219 		void *data;
12220 		int len;
12221 
12222 		data = nla_data(info->attrs[NL80211_ATTR_AKM_SUITES]);
12223 		len = nla_len(info->attrs[NL80211_ATTR_AKM_SUITES]);
12224 		settings->n_akm_suites = len / sizeof(u32);
12225 
12226 		if (len % sizeof(u32))
12227 			return -EINVAL;
12228 
12229 		if (settings->n_akm_suites > rdev->wiphy.max_num_akm_suites)
12230 			return -EINVAL;
12231 
12232 		memcpy(settings->akm_suites, data, len);
12233 	}
12234 
12235 	if (info->attrs[NL80211_ATTR_PMK]) {
12236 		if (nla_len(info->attrs[NL80211_ATTR_PMK]) != WLAN_PMK_LEN)
12237 			return -EINVAL;
12238 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
12239 					     NL80211_EXT_FEATURE_4WAY_HANDSHAKE_STA_PSK) &&
12240 		    !wiphy_ext_feature_isset(&rdev->wiphy,
12241 					     NL80211_EXT_FEATURE_4WAY_HANDSHAKE_AP_PSK))
12242 			return -EINVAL;
12243 		settings->psk = nla_data(info->attrs[NL80211_ATTR_PMK]);
12244 	}
12245 
12246 	if (info->attrs[NL80211_ATTR_SAE_PASSWORD]) {
12247 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
12248 					     NL80211_EXT_FEATURE_SAE_OFFLOAD) &&
12249 		    !wiphy_ext_feature_isset(&rdev->wiphy,
12250 					     NL80211_EXT_FEATURE_SAE_OFFLOAD_AP))
12251 			return -EINVAL;
12252 		settings->sae_pwd =
12253 			nla_data(info->attrs[NL80211_ATTR_SAE_PASSWORD]);
12254 		settings->sae_pwd_len =
12255 			nla_len(info->attrs[NL80211_ATTR_SAE_PASSWORD]);
12256 	}
12257 
12258 	settings->sae_pwe =
12259 		nla_get_u8_default(info->attrs[NL80211_ATTR_SAE_PWE],
12260 				   NL80211_SAE_PWE_UNSPECIFIED);
12261 
12262 	return 0;
12263 }
12264 
12265 static struct cfg80211_bss *nl80211_assoc_bss(struct cfg80211_registered_device *rdev,
12266 					      const u8 *ssid, int ssid_len,
12267 					      struct nlattr **attrs,
12268 					      int assoc_link_id, int link_id)
12269 {
12270 	struct ieee80211_channel *chan;
12271 	struct cfg80211_bss *bss;
12272 	const u8 *bssid;
12273 	u32 freq, use_for = 0;
12274 
12275 	if (!attrs[NL80211_ATTR_MAC] || !attrs[NL80211_ATTR_WIPHY_FREQ])
12276 		return ERR_PTR(-EINVAL);
12277 
12278 	bssid = nla_data(attrs[NL80211_ATTR_MAC]);
12279 
12280 	freq = MHZ_TO_KHZ(nla_get_u32(attrs[NL80211_ATTR_WIPHY_FREQ]));
12281 	if (attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET])
12282 		freq += nla_get_u32(attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET]);
12283 
12284 	chan = nl80211_get_valid_chan(&rdev->wiphy, freq);
12285 	if (!chan)
12286 		return ERR_PTR(-EINVAL);
12287 
12288 	if (assoc_link_id >= 0)
12289 		use_for = NL80211_BSS_USE_FOR_MLD_LINK;
12290 	if (assoc_link_id == link_id)
12291 		use_for |= NL80211_BSS_USE_FOR_NORMAL;
12292 
12293 	bss = __cfg80211_get_bss(&rdev->wiphy, chan, bssid,
12294 				 ssid, ssid_len,
12295 				 IEEE80211_BSS_TYPE_ESS,
12296 				 IEEE80211_PRIVACY_ANY,
12297 				 use_for);
12298 	if (!bss)
12299 		return ERR_PTR(-ENOENT);
12300 
12301 	return bss;
12302 }
12303 
12304 static int nl80211_process_links(struct cfg80211_registered_device *rdev,
12305 				 struct cfg80211_assoc_link *links,
12306 				 int assoc_link_id,
12307 				 const u8 *ssid, int ssid_len,
12308 				 struct genl_info *info)
12309 {
12310 	unsigned int attrsize = NUM_NL80211_ATTR * sizeof(struct nlattr *);
12311 	struct nlattr **attrs __free(kfree) = kzalloc(attrsize, GFP_KERNEL);
12312 	struct nlattr *link;
12313 	unsigned int link_id;
12314 	int rem, err;
12315 
12316 	if (!attrs)
12317 		return -ENOMEM;
12318 
12319 	nla_for_each_nested(link, info->attrs[NL80211_ATTR_MLO_LINKS], rem) {
12320 		memset(attrs, 0, attrsize);
12321 
12322 		nla_parse_nested(attrs, NL80211_ATTR_MAX, link, NULL, NULL);
12323 
12324 		if (!attrs[NL80211_ATTR_MLO_LINK_ID]) {
12325 			NL_SET_BAD_ATTR(info->extack, link);
12326 			return -EINVAL;
12327 		}
12328 
12329 		link_id = nla_get_u8(attrs[NL80211_ATTR_MLO_LINK_ID]);
12330 		/* cannot use the same link ID again */
12331 		if (links[link_id].bss) {
12332 			NL_SET_BAD_ATTR(info->extack, link);
12333 			return -EINVAL;
12334 		}
12335 		links[link_id].bss =
12336 			nl80211_assoc_bss(rdev, ssid, ssid_len, attrs,
12337 					  assoc_link_id, link_id);
12338 		if (IS_ERR(links[link_id].bss)) {
12339 			err = PTR_ERR(links[link_id].bss);
12340 			links[link_id].bss = NULL;
12341 			NL_SET_ERR_MSG_ATTR(info->extack, link,
12342 					    "Error fetching BSS for link");
12343 			return err;
12344 		}
12345 
12346 		if (attrs[NL80211_ATTR_IE]) {
12347 			links[link_id].elems = nla_data(attrs[NL80211_ATTR_IE]);
12348 			links[link_id].elems_len =
12349 				nla_len(attrs[NL80211_ATTR_IE]);
12350 
12351 			if (cfg80211_find_elem(WLAN_EID_FRAGMENT,
12352 					       links[link_id].elems,
12353 					       links[link_id].elems_len)) {
12354 				NL_SET_ERR_MSG_ATTR(info->extack,
12355 						    attrs[NL80211_ATTR_IE],
12356 						    "cannot deal with fragmentation");
12357 				return -EINVAL;
12358 			}
12359 
12360 			if (cfg80211_find_ext_elem(WLAN_EID_EXT_NON_INHERITANCE,
12361 						   links[link_id].elems,
12362 						   links[link_id].elems_len)) {
12363 				NL_SET_ERR_MSG_ATTR(info->extack,
12364 						    attrs[NL80211_ATTR_IE],
12365 						    "cannot deal with non-inheritance");
12366 				return -EINVAL;
12367 			}
12368 		}
12369 	}
12370 
12371 	return 0;
12372 }
12373 
12374 static int nl80211_associate(struct sk_buff *skb, struct genl_info *info)
12375 {
12376 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12377 	struct net_device *dev = info->user_ptr[1];
12378 	struct cfg80211_assoc_request req = {};
12379 	const u8 *ap_addr, *ssid;
12380 	unsigned int link_id;
12381 	int err, ssid_len;
12382 
12383 	if (dev->ieee80211_ptr->conn_owner_nlportid &&
12384 	    dev->ieee80211_ptr->conn_owner_nlportid != info->snd_portid)
12385 		return -EPERM;
12386 
12387 	if (!info->attrs[NL80211_ATTR_SSID])
12388 		return -EINVAL;
12389 
12390 	if (!rdev->ops->assoc)
12391 		return -EOPNOTSUPP;
12392 
12393 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
12394 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
12395 		return -EOPNOTSUPP;
12396 
12397 	ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
12398 	ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
12399 
12400 	if (info->attrs[NL80211_ATTR_IE]) {
12401 		req.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
12402 		req.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
12403 
12404 		if (cfg80211_find_ext_elem(WLAN_EID_EXT_NON_INHERITANCE,
12405 					   req.ie, req.ie_len)) {
12406 			NL_SET_ERR_MSG_ATTR(info->extack,
12407 					    info->attrs[NL80211_ATTR_IE],
12408 					    "non-inheritance makes no sense");
12409 			return -EINVAL;
12410 		}
12411 	}
12412 
12413 	if (info->attrs[NL80211_ATTR_USE_MFP]) {
12414 		enum nl80211_mfp mfp =
12415 			nla_get_u32(info->attrs[NL80211_ATTR_USE_MFP]);
12416 		if (mfp == NL80211_MFP_REQUIRED)
12417 			req.use_mfp = true;
12418 		else if (mfp != NL80211_MFP_NO)
12419 			return -EINVAL;
12420 	}
12421 
12422 	if (info->attrs[NL80211_ATTR_PREV_BSSID])
12423 		req.prev_bssid = nla_data(info->attrs[NL80211_ATTR_PREV_BSSID]);
12424 
12425 	if (info->attrs[NL80211_ATTR_SUPPORTED_SELECTORS]) {
12426 		req.supported_selectors =
12427 			nla_data(info->attrs[NL80211_ATTR_SUPPORTED_SELECTORS]);
12428 		req.supported_selectors_len =
12429 			nla_len(info->attrs[NL80211_ATTR_SUPPORTED_SELECTORS]);
12430 	}
12431 
12432 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_HT]))
12433 		req.flags |= ASSOC_REQ_DISABLE_HT;
12434 
12435 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
12436 		memcpy(&req.ht_capa_mask,
12437 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK]),
12438 		       sizeof(req.ht_capa_mask));
12439 
12440 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY]) {
12441 		if (!info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
12442 			return -EINVAL;
12443 		memcpy(&req.ht_capa,
12444 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]),
12445 		       sizeof(req.ht_capa));
12446 	}
12447 
12448 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_VHT]))
12449 		req.flags |= ASSOC_REQ_DISABLE_VHT;
12450 
12451 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_HE]))
12452 		req.flags |= ASSOC_REQ_DISABLE_HE;
12453 
12454 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_EHT]))
12455 		req.flags |= ASSOC_REQ_DISABLE_EHT;
12456 
12457 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_UHR]))
12458 		req.flags |= ASSOC_REQ_DISABLE_UHR;
12459 
12460 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK])
12461 		memcpy(&req.vht_capa_mask,
12462 		       nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK]),
12463 		       sizeof(req.vht_capa_mask));
12464 
12465 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY]) {
12466 		if (!info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK])
12467 			return -EINVAL;
12468 		memcpy(&req.vht_capa,
12469 		       nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]),
12470 		       sizeof(req.vht_capa));
12471 	}
12472 
12473 	if (nla_get_flag(info->attrs[NL80211_ATTR_USE_RRM])) {
12474 		if (!((rdev->wiphy.features &
12475 			NL80211_FEATURE_DS_PARAM_SET_IE_IN_PROBES) &&
12476 		       (rdev->wiphy.features & NL80211_FEATURE_QUIET)) &&
12477 		    !wiphy_ext_feature_isset(&rdev->wiphy,
12478 					     NL80211_EXT_FEATURE_RRM))
12479 			return -EINVAL;
12480 		req.flags |= ASSOC_REQ_USE_RRM;
12481 	}
12482 
12483 	if (info->attrs[NL80211_ATTR_FILS_KEK]) {
12484 		req.fils_kek = nla_data(info->attrs[NL80211_ATTR_FILS_KEK]);
12485 		req.fils_kek_len = nla_len(info->attrs[NL80211_ATTR_FILS_KEK]);
12486 		if (!info->attrs[NL80211_ATTR_FILS_NONCES])
12487 			return -EINVAL;
12488 		req.fils_nonces =
12489 			nla_data(info->attrs[NL80211_ATTR_FILS_NONCES]);
12490 	}
12491 
12492 	if (info->attrs[NL80211_ATTR_S1G_CAPABILITY_MASK]) {
12493 		if (!info->attrs[NL80211_ATTR_S1G_CAPABILITY])
12494 			return -EINVAL;
12495 		memcpy(&req.s1g_capa_mask,
12496 		       nla_data(info->attrs[NL80211_ATTR_S1G_CAPABILITY_MASK]),
12497 		       sizeof(req.s1g_capa_mask));
12498 	}
12499 
12500 	if (info->attrs[NL80211_ATTR_S1G_CAPABILITY]) {
12501 		if (!info->attrs[NL80211_ATTR_S1G_CAPABILITY_MASK])
12502 			return -EINVAL;
12503 		memcpy(&req.s1g_capa,
12504 		       nla_data(info->attrs[NL80211_ATTR_S1G_CAPABILITY]),
12505 		       sizeof(req.s1g_capa));
12506 	}
12507 
12508 	if (nla_get_flag(info->attrs[NL80211_ATTR_ASSOC_SPP_AMSDU])) {
12509 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
12510 					     NL80211_EXT_FEATURE_SPP_AMSDU_SUPPORT)) {
12511 			GENL_SET_ERR_MSG(info, "SPP A-MSDUs not supported");
12512 			return -EINVAL;
12513 		}
12514 		req.flags |= ASSOC_REQ_SPP_AMSDU;
12515 	}
12516 
12517 	req.link_id = nl80211_link_id_or_invalid(info->attrs);
12518 
12519 	if (info->attrs[NL80211_ATTR_MLO_LINKS]) {
12520 		if (req.link_id < 0)
12521 			return -EINVAL;
12522 
12523 		if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_MLO))
12524 			return -EINVAL;
12525 
12526 		if (info->attrs[NL80211_ATTR_MAC] ||
12527 		    info->attrs[NL80211_ATTR_WIPHY_FREQ] ||
12528 		    !info->attrs[NL80211_ATTR_MLD_ADDR])
12529 			return -EINVAL;
12530 
12531 		req.ap_mld_addr = nla_data(info->attrs[NL80211_ATTR_MLD_ADDR]);
12532 		ap_addr = req.ap_mld_addr;
12533 
12534 		err = nl80211_process_links(rdev, req.links, req.link_id,
12535 					    ssid, ssid_len, info);
12536 		if (err)
12537 			goto free;
12538 
12539 		if (!req.links[req.link_id].bss) {
12540 			err = -EINVAL;
12541 			goto free;
12542 		}
12543 
12544 		if (req.links[req.link_id].elems_len) {
12545 			GENL_SET_ERR_MSG(info,
12546 					 "cannot have per-link elems on assoc link");
12547 			err = -EINVAL;
12548 			goto free;
12549 		}
12550 
12551 		if (info->attrs[NL80211_ATTR_ASSOC_MLD_EXT_CAPA_OPS])
12552 			req.ext_mld_capa_ops =
12553 				nla_get_u16(info->attrs[NL80211_ATTR_ASSOC_MLD_EXT_CAPA_OPS]);
12554 	} else {
12555 		if (req.link_id >= 0)
12556 			return -EINVAL;
12557 
12558 		req.bss = nl80211_assoc_bss(rdev, ssid, ssid_len, info->attrs,
12559 					    -1, -1);
12560 		if (IS_ERR(req.bss))
12561 			return PTR_ERR(req.bss);
12562 		ap_addr = req.bss->bssid;
12563 
12564 		if (info->attrs[NL80211_ATTR_ASSOC_MLD_EXT_CAPA_OPS])
12565 			return -EINVAL;
12566 	}
12567 
12568 	err = nl80211_crypto_settings(rdev, info, &req.crypto, 1);
12569 	if (!err) {
12570 		struct nlattr *link;
12571 		int rem = 0;
12572 
12573 		err = cfg80211_mlme_assoc(rdev, dev, &req,
12574 					  info->extack);
12575 
12576 		if (!err && info->attrs[NL80211_ATTR_SOCKET_OWNER]) {
12577 			dev->ieee80211_ptr->conn_owner_nlportid =
12578 				info->snd_portid;
12579 			memcpy(dev->ieee80211_ptr->disconnect_bssid,
12580 			       ap_addr, ETH_ALEN);
12581 		}
12582 
12583 		/* Report error from first problematic link */
12584 		if (info->attrs[NL80211_ATTR_MLO_LINKS]) {
12585 			nla_for_each_nested(link,
12586 					    info->attrs[NL80211_ATTR_MLO_LINKS],
12587 					    rem) {
12588 				struct nlattr *link_id_attr =
12589 					nla_find_nested(link, NL80211_ATTR_MLO_LINK_ID);
12590 
12591 				if (!link_id_attr)
12592 					continue;
12593 
12594 				link_id = nla_get_u8(link_id_attr);
12595 
12596 				if (link_id == req.link_id)
12597 					continue;
12598 
12599 				if (!req.links[link_id].error ||
12600 				    WARN_ON(req.links[link_id].error > 0))
12601 					continue;
12602 
12603 				WARN_ON(err >= 0);
12604 
12605 				NL_SET_BAD_ATTR(info->extack, link);
12606 				err = req.links[link_id].error;
12607 				break;
12608 			}
12609 		}
12610 	}
12611 
12612 free:
12613 	for (link_id = 0; link_id < ARRAY_SIZE(req.links); link_id++)
12614 		cfg80211_put_bss(&rdev->wiphy, req.links[link_id].bss);
12615 	cfg80211_put_bss(&rdev->wiphy, req.bss);
12616 
12617 	return err;
12618 }
12619 
12620 static int nl80211_deauthenticate(struct sk_buff *skb, struct genl_info *info)
12621 {
12622 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12623 	struct net_device *dev = info->user_ptr[1];
12624 	const u8 *ie = NULL, *bssid;
12625 	int ie_len = 0;
12626 	u16 reason_code;
12627 	bool local_state_change;
12628 
12629 	if (dev->ieee80211_ptr->conn_owner_nlportid &&
12630 	    dev->ieee80211_ptr->conn_owner_nlportid != info->snd_portid)
12631 		return -EPERM;
12632 
12633 	if (!info->attrs[NL80211_ATTR_MAC])
12634 		return -EINVAL;
12635 
12636 	if (!info->attrs[NL80211_ATTR_REASON_CODE])
12637 		return -EINVAL;
12638 
12639 	if (!rdev->ops->deauth)
12640 		return -EOPNOTSUPP;
12641 
12642 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
12643 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
12644 		return -EOPNOTSUPP;
12645 
12646 	bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
12647 
12648 	reason_code = nla_get_u16(info->attrs[NL80211_ATTR_REASON_CODE]);
12649 	if (reason_code == 0) {
12650 		/* Reason Code 0 is reserved */
12651 		return -EINVAL;
12652 	}
12653 
12654 	if (info->attrs[NL80211_ATTR_IE]) {
12655 		ie = nla_data(info->attrs[NL80211_ATTR_IE]);
12656 		ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
12657 	}
12658 
12659 	local_state_change = !!info->attrs[NL80211_ATTR_LOCAL_STATE_CHANGE];
12660 
12661 	return cfg80211_mlme_deauth(rdev, dev, bssid, ie, ie_len, reason_code,
12662 				    local_state_change);
12663 }
12664 
12665 static int nl80211_disassociate(struct sk_buff *skb, struct genl_info *info)
12666 {
12667 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12668 	struct net_device *dev = info->user_ptr[1];
12669 	const u8 *ie = NULL, *bssid;
12670 	int ie_len = 0;
12671 	u16 reason_code;
12672 	bool local_state_change;
12673 
12674 	if (dev->ieee80211_ptr->conn_owner_nlportid &&
12675 	    dev->ieee80211_ptr->conn_owner_nlportid != info->snd_portid)
12676 		return -EPERM;
12677 
12678 	if (!info->attrs[NL80211_ATTR_MAC])
12679 		return -EINVAL;
12680 
12681 	if (!info->attrs[NL80211_ATTR_REASON_CODE])
12682 		return -EINVAL;
12683 
12684 	if (!rdev->ops->disassoc)
12685 		return -EOPNOTSUPP;
12686 
12687 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
12688 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
12689 		return -EOPNOTSUPP;
12690 
12691 	bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
12692 
12693 	reason_code = nla_get_u16(info->attrs[NL80211_ATTR_REASON_CODE]);
12694 	if (reason_code == 0) {
12695 		/* Reason Code 0 is reserved */
12696 		return -EINVAL;
12697 	}
12698 
12699 	if (info->attrs[NL80211_ATTR_IE]) {
12700 		ie = nla_data(info->attrs[NL80211_ATTR_IE]);
12701 		ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
12702 	}
12703 
12704 	local_state_change = !!info->attrs[NL80211_ATTR_LOCAL_STATE_CHANGE];
12705 
12706 	return cfg80211_mlme_disassoc(rdev, dev, bssid, ie, ie_len, reason_code,
12707 				      local_state_change);
12708 }
12709 
12710 static bool
12711 nl80211_parse_mcast_rate(struct cfg80211_registered_device *rdev,
12712 			 int mcast_rate[NUM_NL80211_BANDS],
12713 			 int rateval)
12714 {
12715 	struct wiphy *wiphy = &rdev->wiphy;
12716 	bool found = false;
12717 	int band, i;
12718 
12719 	for (band = 0; band < NUM_NL80211_BANDS; band++) {
12720 		struct ieee80211_supported_band *sband;
12721 
12722 		sband = wiphy->bands[band];
12723 		if (!sband)
12724 			continue;
12725 
12726 		for (i = 0; i < sband->n_bitrates; i++) {
12727 			if (sband->bitrates[i].bitrate == rateval) {
12728 				mcast_rate[band] = i + 1;
12729 				found = true;
12730 				break;
12731 			}
12732 		}
12733 	}
12734 
12735 	return found;
12736 }
12737 
12738 static int nl80211_join_ibss(struct sk_buff *skb, struct genl_info *info)
12739 {
12740 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12741 	struct net_device *dev = info->user_ptr[1];
12742 	struct cfg80211_ibss_params ibss;
12743 	struct wiphy *wiphy;
12744 	struct cfg80211_cached_keys *connkeys = NULL;
12745 	int err;
12746 
12747 	memset(&ibss, 0, sizeof(ibss));
12748 
12749 	if (!info->attrs[NL80211_ATTR_SSID] ||
12750 	    !nla_len(info->attrs[NL80211_ATTR_SSID]))
12751 		return -EINVAL;
12752 
12753 	ibss.beacon_interval = 100;
12754 
12755 	if (info->attrs[NL80211_ATTR_BEACON_INTERVAL])
12756 		ibss.beacon_interval =
12757 			nla_get_u32(info->attrs[NL80211_ATTR_BEACON_INTERVAL]);
12758 
12759 	err = cfg80211_validate_beacon_int(rdev, NL80211_IFTYPE_ADHOC,
12760 					   ibss.beacon_interval);
12761 	if (err)
12762 		return err;
12763 
12764 	if (!rdev->ops->join_ibss)
12765 		return -EOPNOTSUPP;
12766 
12767 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_ADHOC)
12768 		return -EOPNOTSUPP;
12769 
12770 	wiphy = &rdev->wiphy;
12771 
12772 	if (info->attrs[NL80211_ATTR_MAC]) {
12773 		ibss.bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
12774 
12775 		if (!is_valid_ether_addr(ibss.bssid))
12776 			return -EINVAL;
12777 	}
12778 	ibss.ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
12779 	ibss.ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
12780 
12781 	if (info->attrs[NL80211_ATTR_IE]) {
12782 		ibss.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
12783 		ibss.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
12784 	}
12785 
12786 	err = nl80211_parse_chandef(rdev, info, &ibss.chandef);
12787 	if (err)
12788 		return err;
12789 
12790 	if (!cfg80211_reg_can_beacon(&rdev->wiphy, &ibss.chandef,
12791 				     NL80211_IFTYPE_ADHOC))
12792 		return -EINVAL;
12793 
12794 	switch (ibss.chandef.width) {
12795 	case NL80211_CHAN_WIDTH_5:
12796 	case NL80211_CHAN_WIDTH_10:
12797 	case NL80211_CHAN_WIDTH_20_NOHT:
12798 		break;
12799 	case NL80211_CHAN_WIDTH_20:
12800 	case NL80211_CHAN_WIDTH_40:
12801 		if (!(rdev->wiphy.features & NL80211_FEATURE_HT_IBSS))
12802 			return -EINVAL;
12803 		break;
12804 	case NL80211_CHAN_WIDTH_80:
12805 	case NL80211_CHAN_WIDTH_80P80:
12806 	case NL80211_CHAN_WIDTH_160:
12807 		if (!(rdev->wiphy.features & NL80211_FEATURE_HT_IBSS))
12808 			return -EINVAL;
12809 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
12810 					     NL80211_EXT_FEATURE_VHT_IBSS))
12811 			return -EINVAL;
12812 		break;
12813 	case NL80211_CHAN_WIDTH_320:
12814 		return -EINVAL;
12815 	default:
12816 		return -EINVAL;
12817 	}
12818 
12819 	ibss.channel_fixed = !!info->attrs[NL80211_ATTR_FREQ_FIXED];
12820 	ibss.privacy = !!info->attrs[NL80211_ATTR_PRIVACY];
12821 
12822 	if (info->attrs[NL80211_ATTR_BSS_BASIC_RATES]) {
12823 		u8 *rates =
12824 			nla_data(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
12825 		int n_rates =
12826 			nla_len(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
12827 		struct ieee80211_supported_band *sband =
12828 			wiphy->bands[ibss.chandef.chan->band];
12829 
12830 		err = ieee80211_get_ratemask(sband, rates, n_rates,
12831 					     &ibss.basic_rates);
12832 		if (err)
12833 			return err;
12834 	}
12835 
12836 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
12837 		memcpy(&ibss.ht_capa_mask,
12838 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK]),
12839 		       sizeof(ibss.ht_capa_mask));
12840 
12841 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY]) {
12842 		if (!info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
12843 			return -EINVAL;
12844 		memcpy(&ibss.ht_capa,
12845 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]),
12846 		       sizeof(ibss.ht_capa));
12847 	}
12848 
12849 	if (info->attrs[NL80211_ATTR_MCAST_RATE] &&
12850 	    !nl80211_parse_mcast_rate(rdev, ibss.mcast_rate,
12851 			nla_get_u32(info->attrs[NL80211_ATTR_MCAST_RATE])))
12852 		return -EINVAL;
12853 
12854 	if (ibss.privacy && info->attrs[NL80211_ATTR_KEYS]) {
12855 		bool no_ht = false;
12856 
12857 		connkeys = nl80211_parse_connkeys(rdev, info, &no_ht);
12858 		if (IS_ERR(connkeys))
12859 			return PTR_ERR(connkeys);
12860 
12861 		if ((ibss.chandef.width != NL80211_CHAN_WIDTH_20_NOHT) &&
12862 		    no_ht) {
12863 			kfree_sensitive(connkeys);
12864 			return -EINVAL;
12865 		}
12866 	}
12867 
12868 	ibss.control_port =
12869 		nla_get_flag(info->attrs[NL80211_ATTR_CONTROL_PORT]);
12870 
12871 	if (info->attrs[NL80211_ATTR_CONTROL_PORT_OVER_NL80211]) {
12872 		int r = validate_pae_over_nl80211(rdev, info);
12873 
12874 		if (r < 0) {
12875 			kfree_sensitive(connkeys);
12876 			return r;
12877 		}
12878 
12879 		ibss.control_port_over_nl80211 = true;
12880 	}
12881 
12882 	ibss.userspace_handles_dfs =
12883 		nla_get_flag(info->attrs[NL80211_ATTR_HANDLE_DFS]);
12884 
12885 	err = __cfg80211_join_ibss(rdev, dev, &ibss, connkeys);
12886 	if (err)
12887 		kfree_sensitive(connkeys);
12888 	else if (info->attrs[NL80211_ATTR_SOCKET_OWNER])
12889 		dev->ieee80211_ptr->conn_owner_nlportid = info->snd_portid;
12890 
12891 	return err;
12892 }
12893 
12894 static int nl80211_leave_ibss(struct sk_buff *skb, struct genl_info *info)
12895 {
12896 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12897 	struct net_device *dev = info->user_ptr[1];
12898 
12899 	if (!rdev->ops->leave_ibss)
12900 		return -EOPNOTSUPP;
12901 
12902 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_ADHOC)
12903 		return -EOPNOTSUPP;
12904 
12905 	return cfg80211_leave_ibss(rdev, dev, false);
12906 }
12907 
12908 static int nl80211_set_mcast_rate(struct sk_buff *skb, struct genl_info *info)
12909 {
12910 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12911 	struct net_device *dev = info->user_ptr[1];
12912 	int mcast_rate[NUM_NL80211_BANDS];
12913 	u32 nla_rate;
12914 
12915 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_ADHOC &&
12916 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT &&
12917 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_OCB)
12918 		return -EOPNOTSUPP;
12919 
12920 	if (!rdev->ops->set_mcast_rate)
12921 		return -EOPNOTSUPP;
12922 
12923 	memset(mcast_rate, 0, sizeof(mcast_rate));
12924 
12925 	if (!info->attrs[NL80211_ATTR_MCAST_RATE])
12926 		return -EINVAL;
12927 
12928 	nla_rate = nla_get_u32(info->attrs[NL80211_ATTR_MCAST_RATE]);
12929 	if (!nl80211_parse_mcast_rate(rdev, mcast_rate, nla_rate))
12930 		return -EINVAL;
12931 
12932 	return rdev_set_mcast_rate(rdev, dev, mcast_rate);
12933 }
12934 
12935 static struct sk_buff *
12936 __cfg80211_alloc_vendor_skb(struct cfg80211_registered_device *rdev,
12937 			    struct wireless_dev *wdev, int approxlen,
12938 			    u32 portid, u32 seq, enum nl80211_commands cmd,
12939 			    enum nl80211_attrs attr,
12940 			    const struct nl80211_vendor_cmd_info *info,
12941 			    gfp_t gfp)
12942 {
12943 	struct sk_buff *skb;
12944 	void *hdr;
12945 	struct nlattr *data;
12946 
12947 	skb = nlmsg_new(approxlen + 100, gfp);
12948 	if (!skb)
12949 		return NULL;
12950 
12951 	hdr = nl80211hdr_put(skb, portid, seq, 0, cmd);
12952 	if (!hdr) {
12953 		kfree_skb(skb);
12954 		return NULL;
12955 	}
12956 
12957 	if (nla_put_u32(skb, NL80211_ATTR_WIPHY, rdev->wiphy_idx))
12958 		goto nla_put_failure;
12959 
12960 	if (info) {
12961 		if (nla_put_u32(skb, NL80211_ATTR_VENDOR_ID,
12962 				info->vendor_id))
12963 			goto nla_put_failure;
12964 		if (nla_put_u32(skb, NL80211_ATTR_VENDOR_SUBCMD,
12965 				info->subcmd))
12966 			goto nla_put_failure;
12967 	}
12968 
12969 	if (wdev) {
12970 		if (nla_put_u64_64bit(skb, NL80211_ATTR_WDEV,
12971 				      wdev_id(wdev), NL80211_ATTR_PAD))
12972 			goto nla_put_failure;
12973 		if (wdev->netdev &&
12974 		    nla_put_u32(skb, NL80211_ATTR_IFINDEX,
12975 				wdev->netdev->ifindex))
12976 			goto nla_put_failure;
12977 	}
12978 
12979 	data = nla_nest_start_noflag(skb, attr);
12980 	if (!data)
12981 		goto nla_put_failure;
12982 
12983 	((void **)skb->cb)[0] = rdev;
12984 	((void **)skb->cb)[1] = hdr;
12985 	((void **)skb->cb)[2] = data;
12986 
12987 	return skb;
12988 
12989  nla_put_failure:
12990 	kfree_skb(skb);
12991 	return NULL;
12992 }
12993 
12994 struct sk_buff *__cfg80211_alloc_event_skb(struct wiphy *wiphy,
12995 					   struct wireless_dev *wdev,
12996 					   enum nl80211_commands cmd,
12997 					   enum nl80211_attrs attr,
12998 					   unsigned int portid,
12999 					   int vendor_event_idx,
13000 					   int approxlen, gfp_t gfp)
13001 {
13002 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
13003 	const struct nl80211_vendor_cmd_info *info;
13004 
13005 	switch (cmd) {
13006 	case NL80211_CMD_TESTMODE:
13007 		if (WARN_ON(vendor_event_idx != -1))
13008 			return NULL;
13009 		info = NULL;
13010 		break;
13011 	case NL80211_CMD_VENDOR:
13012 		if (WARN_ON(vendor_event_idx < 0 ||
13013 			    vendor_event_idx >= wiphy->n_vendor_events))
13014 			return NULL;
13015 		info = &wiphy->vendor_events[vendor_event_idx];
13016 		break;
13017 	default:
13018 		WARN_ON(1);
13019 		return NULL;
13020 	}
13021 
13022 	return __cfg80211_alloc_vendor_skb(rdev, wdev, approxlen, portid, 0,
13023 					   cmd, attr, info, gfp);
13024 }
13025 EXPORT_SYMBOL(__cfg80211_alloc_event_skb);
13026 
13027 void __cfg80211_send_event_skb(struct sk_buff *skb, gfp_t gfp)
13028 {
13029 	struct cfg80211_registered_device *rdev = ((void **)skb->cb)[0];
13030 	void *hdr = ((void **)skb->cb)[1];
13031 	struct nlmsghdr *nlhdr = nlmsg_hdr(skb);
13032 	struct nlattr *data = ((void **)skb->cb)[2];
13033 	enum nl80211_multicast_groups mcgrp = NL80211_MCGRP_TESTMODE;
13034 
13035 	/* clear CB data for netlink core to own from now on */
13036 	memset(skb->cb, 0, sizeof(skb->cb));
13037 
13038 	nla_nest_end(skb, data);
13039 	genlmsg_end(skb, hdr);
13040 
13041 	if (nlhdr->nlmsg_pid) {
13042 		genlmsg_unicast(wiphy_net(&rdev->wiphy), skb,
13043 				nlhdr->nlmsg_pid);
13044 	} else {
13045 		if (data->nla_type == NL80211_ATTR_VENDOR_DATA)
13046 			mcgrp = NL80211_MCGRP_VENDOR;
13047 
13048 		genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy),
13049 					skb, 0, mcgrp, gfp);
13050 	}
13051 }
13052 EXPORT_SYMBOL(__cfg80211_send_event_skb);
13053 
13054 #ifdef CONFIG_NL80211_TESTMODE
13055 static int nl80211_testmode_do(struct sk_buff *skb, struct genl_info *info)
13056 {
13057 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13058 	struct wireless_dev *wdev;
13059 	int err;
13060 
13061 	lockdep_assert_held(&rdev->wiphy.mtx);
13062 
13063 	wdev = __cfg80211_wdev_from_attrs(rdev, genl_info_net(info),
13064 					  info->attrs);
13065 
13066 	if (!rdev->ops->testmode_cmd)
13067 		return -EOPNOTSUPP;
13068 
13069 	if (IS_ERR(wdev)) {
13070 		err = PTR_ERR(wdev);
13071 		if (err != -EINVAL)
13072 			return err;
13073 		wdev = NULL;
13074 	} else if (wdev->wiphy != &rdev->wiphy) {
13075 		return -EINVAL;
13076 	}
13077 
13078 	if (!info->attrs[NL80211_ATTR_TESTDATA])
13079 		return -EINVAL;
13080 
13081 	rdev->cur_cmd_info = info;
13082 	err = rdev_testmode_cmd(rdev, wdev,
13083 				nla_data(info->attrs[NL80211_ATTR_TESTDATA]),
13084 				nla_len(info->attrs[NL80211_ATTR_TESTDATA]));
13085 	rdev->cur_cmd_info = NULL;
13086 
13087 	return err;
13088 }
13089 
13090 static int nl80211_testmode_dump(struct sk_buff *skb,
13091 				 struct netlink_callback *cb)
13092 {
13093 	struct cfg80211_registered_device *rdev;
13094 	struct nlattr **attrbuf = NULL;
13095 	int err;
13096 	long phy_idx;
13097 	void *data = NULL;
13098 	int data_len = 0;
13099 
13100 	rtnl_lock();
13101 
13102 	if (cb->args[0]) {
13103 		/*
13104 		 * 0 is a valid index, but not valid for args[0],
13105 		 * so we need to offset by 1.
13106 		 */
13107 		phy_idx = cb->args[0] - 1;
13108 
13109 		rdev = cfg80211_rdev_by_wiphy_idx(phy_idx);
13110 		if (!rdev) {
13111 			err = -ENOENT;
13112 			goto out_err;
13113 		}
13114 	} else {
13115 		attrbuf = kcalloc(NUM_NL80211_ATTR, sizeof(*attrbuf),
13116 				  GFP_KERNEL);
13117 		if (!attrbuf) {
13118 			err = -ENOMEM;
13119 			goto out_err;
13120 		}
13121 
13122 		err = nlmsg_parse_deprecated(cb->nlh,
13123 					     GENL_HDRLEN + nl80211_fam.hdrsize,
13124 					     attrbuf, nl80211_fam.maxattr,
13125 					     nl80211_policy, NULL);
13126 		if (err)
13127 			goto out_err;
13128 
13129 		rdev = __cfg80211_rdev_from_attrs(sock_net(skb->sk), attrbuf);
13130 		if (IS_ERR(rdev)) {
13131 			err = PTR_ERR(rdev);
13132 			goto out_err;
13133 		}
13134 		phy_idx = rdev->wiphy_idx;
13135 
13136 		if (attrbuf[NL80211_ATTR_TESTDATA])
13137 			cb->args[1] = (long)attrbuf[NL80211_ATTR_TESTDATA];
13138 	}
13139 
13140 	if (cb->args[1]) {
13141 		data = nla_data((void *)cb->args[1]);
13142 		data_len = nla_len((void *)cb->args[1]);
13143 	}
13144 
13145 	if (!rdev->ops->testmode_dump) {
13146 		err = -EOPNOTSUPP;
13147 		goto out_err;
13148 	}
13149 
13150 	while (1) {
13151 		void *hdr = nl80211hdr_put(skb, NETLINK_CB(cb->skb).portid,
13152 					   cb->nlh->nlmsg_seq, NLM_F_MULTI,
13153 					   NL80211_CMD_TESTMODE);
13154 		struct nlattr *tmdata;
13155 
13156 		if (!hdr)
13157 			break;
13158 
13159 		if (nla_put_u32(skb, NL80211_ATTR_WIPHY, phy_idx)) {
13160 			genlmsg_cancel(skb, hdr);
13161 			break;
13162 		}
13163 
13164 		tmdata = nla_nest_start_noflag(skb, NL80211_ATTR_TESTDATA);
13165 		if (!tmdata) {
13166 			genlmsg_cancel(skb, hdr);
13167 			break;
13168 		}
13169 		err = rdev_testmode_dump(rdev, skb, cb, data, data_len);
13170 		nla_nest_end(skb, tmdata);
13171 
13172 		if (err == -ENOBUFS || err == -ENOENT) {
13173 			genlmsg_cancel(skb, hdr);
13174 			break;
13175 		} else if (err) {
13176 			genlmsg_cancel(skb, hdr);
13177 			goto out_err;
13178 		}
13179 
13180 		genlmsg_end(skb, hdr);
13181 	}
13182 
13183 	err = skb->len;
13184 	/* see above */
13185 	cb->args[0] = phy_idx + 1;
13186  out_err:
13187 	kfree(attrbuf);
13188 	rtnl_unlock();
13189 	return err;
13190 }
13191 #endif
13192 
13193 static int nl80211_connect(struct sk_buff *skb, struct genl_info *info)
13194 {
13195 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13196 	struct net_device *dev = info->user_ptr[1];
13197 	struct cfg80211_connect_params connect;
13198 	struct wiphy *wiphy;
13199 	struct cfg80211_cached_keys *connkeys = NULL;
13200 	u32 freq = 0;
13201 	int err;
13202 
13203 	memset(&connect, 0, sizeof(connect));
13204 
13205 	if (!info->attrs[NL80211_ATTR_SSID] ||
13206 	    !nla_len(info->attrs[NL80211_ATTR_SSID]))
13207 		return -EINVAL;
13208 
13209 	if (info->attrs[NL80211_ATTR_AUTH_TYPE]) {
13210 		connect.auth_type =
13211 			nla_get_u32(info->attrs[NL80211_ATTR_AUTH_TYPE]);
13212 		if (!nl80211_valid_auth_type(rdev, connect.auth_type,
13213 					     NL80211_CMD_CONNECT))
13214 			return -EINVAL;
13215 	} else
13216 		connect.auth_type = NL80211_AUTHTYPE_AUTOMATIC;
13217 
13218 	connect.privacy = info->attrs[NL80211_ATTR_PRIVACY];
13219 
13220 	if (info->attrs[NL80211_ATTR_WANT_1X_4WAY_HS] &&
13221 	    !wiphy_ext_feature_isset(&rdev->wiphy,
13222 				     NL80211_EXT_FEATURE_4WAY_HANDSHAKE_STA_1X))
13223 		return -EINVAL;
13224 	connect.want_1x = info->attrs[NL80211_ATTR_WANT_1X_4WAY_HS];
13225 
13226 	err = nl80211_crypto_settings(rdev, info, &connect.crypto,
13227 				      NL80211_MAX_NR_CIPHER_SUITES);
13228 	if (err)
13229 		return err;
13230 
13231 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
13232 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
13233 		return -EOPNOTSUPP;
13234 
13235 	wiphy = &rdev->wiphy;
13236 
13237 	connect.bg_scan_period = -1;
13238 	if (info->attrs[NL80211_ATTR_BG_SCAN_PERIOD] &&
13239 		(wiphy->flags & WIPHY_FLAG_SUPPORTS_FW_ROAM)) {
13240 		connect.bg_scan_period =
13241 			nla_get_u16(info->attrs[NL80211_ATTR_BG_SCAN_PERIOD]);
13242 	}
13243 
13244 	if (info->attrs[NL80211_ATTR_MAC])
13245 		connect.bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
13246 	else if (info->attrs[NL80211_ATTR_MAC_HINT])
13247 		connect.bssid_hint =
13248 			nla_data(info->attrs[NL80211_ATTR_MAC_HINT]);
13249 	connect.ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
13250 	connect.ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
13251 
13252 	if (info->attrs[NL80211_ATTR_IE]) {
13253 		connect.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
13254 		connect.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
13255 	}
13256 
13257 	if (info->attrs[NL80211_ATTR_USE_MFP]) {
13258 		connect.mfp = nla_get_u32(info->attrs[NL80211_ATTR_USE_MFP]);
13259 		if (connect.mfp == NL80211_MFP_OPTIONAL &&
13260 		    !wiphy_ext_feature_isset(&rdev->wiphy,
13261 					     NL80211_EXT_FEATURE_MFP_OPTIONAL))
13262 			return -EOPNOTSUPP;
13263 	} else {
13264 		connect.mfp = NL80211_MFP_NO;
13265 	}
13266 
13267 	if (info->attrs[NL80211_ATTR_PREV_BSSID])
13268 		connect.prev_bssid =
13269 			nla_data(info->attrs[NL80211_ATTR_PREV_BSSID]);
13270 
13271 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ])
13272 		freq = MHZ_TO_KHZ(nla_get_u32(
13273 					info->attrs[NL80211_ATTR_WIPHY_FREQ]));
13274 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET])
13275 		freq +=
13276 		    nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET]);
13277 
13278 	if (freq) {
13279 		connect.channel = nl80211_get_valid_chan(wiphy, freq);
13280 		if (!connect.channel)
13281 			return -EINVAL;
13282 	} else if (info->attrs[NL80211_ATTR_WIPHY_FREQ_HINT]) {
13283 		freq = nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ_HINT]);
13284 		freq = MHZ_TO_KHZ(freq);
13285 		connect.channel_hint = nl80211_get_valid_chan(wiphy, freq);
13286 		if (!connect.channel_hint)
13287 			return -EINVAL;
13288 	}
13289 
13290 	if (info->attrs[NL80211_ATTR_WIPHY_EDMG_CHANNELS]) {
13291 		connect.edmg.channels =
13292 		      nla_get_u8(info->attrs[NL80211_ATTR_WIPHY_EDMG_CHANNELS]);
13293 
13294 		if (info->attrs[NL80211_ATTR_WIPHY_EDMG_BW_CONFIG])
13295 			connect.edmg.bw_config =
13296 				nla_get_u8(info->attrs[NL80211_ATTR_WIPHY_EDMG_BW_CONFIG]);
13297 	}
13298 
13299 	if (connect.privacy && info->attrs[NL80211_ATTR_KEYS]) {
13300 		connkeys = nl80211_parse_connkeys(rdev, info, NULL);
13301 		if (IS_ERR(connkeys))
13302 			return PTR_ERR(connkeys);
13303 	}
13304 
13305 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_HT]))
13306 		connect.flags |= ASSOC_REQ_DISABLE_HT;
13307 
13308 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
13309 		memcpy(&connect.ht_capa_mask,
13310 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK]),
13311 		       sizeof(connect.ht_capa_mask));
13312 
13313 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY]) {
13314 		if (!info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK]) {
13315 			kfree_sensitive(connkeys);
13316 			return -EINVAL;
13317 		}
13318 		memcpy(&connect.ht_capa,
13319 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]),
13320 		       sizeof(connect.ht_capa));
13321 	}
13322 
13323 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_VHT]))
13324 		connect.flags |= ASSOC_REQ_DISABLE_VHT;
13325 
13326 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_HE]))
13327 		connect.flags |= ASSOC_REQ_DISABLE_HE;
13328 
13329 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_EHT]))
13330 		connect.flags |= ASSOC_REQ_DISABLE_EHT;
13331 
13332 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_UHR]))
13333 		connect.flags |= ASSOC_REQ_DISABLE_UHR;
13334 
13335 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK])
13336 		memcpy(&connect.vht_capa_mask,
13337 		       nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK]),
13338 		       sizeof(connect.vht_capa_mask));
13339 
13340 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY]) {
13341 		if (!info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK]) {
13342 			kfree_sensitive(connkeys);
13343 			return -EINVAL;
13344 		}
13345 		memcpy(&connect.vht_capa,
13346 		       nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]),
13347 		       sizeof(connect.vht_capa));
13348 	}
13349 
13350 	if (nla_get_flag(info->attrs[NL80211_ATTR_USE_RRM])) {
13351 		if (!((rdev->wiphy.features &
13352 			NL80211_FEATURE_DS_PARAM_SET_IE_IN_PROBES) &&
13353 		       (rdev->wiphy.features & NL80211_FEATURE_QUIET)) &&
13354 		    !wiphy_ext_feature_isset(&rdev->wiphy,
13355 					     NL80211_EXT_FEATURE_RRM)) {
13356 			kfree_sensitive(connkeys);
13357 			return -EINVAL;
13358 		}
13359 		connect.flags |= ASSOC_REQ_USE_RRM;
13360 	}
13361 
13362 	connect.pbss = nla_get_flag(info->attrs[NL80211_ATTR_PBSS]);
13363 	if (connect.pbss && !rdev->wiphy.bands[NL80211_BAND_60GHZ]) {
13364 		kfree_sensitive(connkeys);
13365 		return -EOPNOTSUPP;
13366 	}
13367 
13368 	if (info->attrs[NL80211_ATTR_BSS_SELECT]) {
13369 		/* bss selection makes no sense if bssid is set */
13370 		if (connect.bssid) {
13371 			kfree_sensitive(connkeys);
13372 			return -EINVAL;
13373 		}
13374 
13375 		err = parse_bss_select(info->attrs[NL80211_ATTR_BSS_SELECT],
13376 				       wiphy, &connect.bss_select);
13377 		if (err) {
13378 			kfree_sensitive(connkeys);
13379 			return err;
13380 		}
13381 	}
13382 
13383 	if (wiphy_ext_feature_isset(&rdev->wiphy,
13384 				    NL80211_EXT_FEATURE_FILS_SK_OFFLOAD) &&
13385 	    info->attrs[NL80211_ATTR_FILS_ERP_USERNAME] &&
13386 	    info->attrs[NL80211_ATTR_FILS_ERP_REALM] &&
13387 	    info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM] &&
13388 	    info->attrs[NL80211_ATTR_FILS_ERP_RRK]) {
13389 		connect.fils_erp_username =
13390 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_USERNAME]);
13391 		connect.fils_erp_username_len =
13392 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_USERNAME]);
13393 		connect.fils_erp_realm =
13394 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_REALM]);
13395 		connect.fils_erp_realm_len =
13396 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_REALM]);
13397 		connect.fils_erp_next_seq_num =
13398 			nla_get_u16(
13399 			   info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM]);
13400 		connect.fils_erp_rrk =
13401 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_RRK]);
13402 		connect.fils_erp_rrk_len =
13403 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_RRK]);
13404 	} else if (info->attrs[NL80211_ATTR_FILS_ERP_USERNAME] ||
13405 		   info->attrs[NL80211_ATTR_FILS_ERP_REALM] ||
13406 		   info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM] ||
13407 		   info->attrs[NL80211_ATTR_FILS_ERP_RRK]) {
13408 		kfree_sensitive(connkeys);
13409 		return -EINVAL;
13410 	}
13411 
13412 	if (nla_get_flag(info->attrs[NL80211_ATTR_EXTERNAL_AUTH_SUPPORT])) {
13413 		if (!info->attrs[NL80211_ATTR_SOCKET_OWNER]) {
13414 			kfree_sensitive(connkeys);
13415 			GENL_SET_ERR_MSG(info,
13416 					 "external auth requires connection ownership");
13417 			return -EINVAL;
13418 		}
13419 		connect.flags |= CONNECT_REQ_EXTERNAL_AUTH_SUPPORT;
13420 	}
13421 
13422 	if (nla_get_flag(info->attrs[NL80211_ATTR_MLO_SUPPORT]))
13423 		connect.flags |= CONNECT_REQ_MLO_SUPPORT;
13424 
13425 	err = cfg80211_connect(rdev, dev, &connect, connkeys,
13426 			       connect.prev_bssid);
13427 	if (err)
13428 		kfree_sensitive(connkeys);
13429 
13430 	if (!err && info->attrs[NL80211_ATTR_SOCKET_OWNER]) {
13431 		dev->ieee80211_ptr->conn_owner_nlportid = info->snd_portid;
13432 		if (connect.bssid)
13433 			memcpy(dev->ieee80211_ptr->disconnect_bssid,
13434 			       connect.bssid, ETH_ALEN);
13435 		else
13436 			eth_zero_addr(dev->ieee80211_ptr->disconnect_bssid);
13437 	}
13438 
13439 	return err;
13440 }
13441 
13442 static int nl80211_update_connect_params(struct sk_buff *skb,
13443 					 struct genl_info *info)
13444 {
13445 	struct cfg80211_connect_params connect = {};
13446 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13447 	struct net_device *dev = info->user_ptr[1];
13448 	struct wireless_dev *wdev = dev->ieee80211_ptr;
13449 	bool fils_sk_offload;
13450 	u32 auth_type;
13451 	u32 changed = 0;
13452 
13453 	if (!rdev->ops->update_connect_params)
13454 		return -EOPNOTSUPP;
13455 
13456 	if (info->attrs[NL80211_ATTR_IE]) {
13457 		connect.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
13458 		connect.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
13459 		changed |= UPDATE_ASSOC_IES;
13460 	}
13461 
13462 	fils_sk_offload = wiphy_ext_feature_isset(&rdev->wiphy,
13463 						  NL80211_EXT_FEATURE_FILS_SK_OFFLOAD);
13464 
13465 	/*
13466 	 * when driver supports fils-sk offload all attributes must be
13467 	 * provided. So the else covers "fils-sk-not-all" and
13468 	 * "no-fils-sk-any".
13469 	 */
13470 	if (fils_sk_offload &&
13471 	    info->attrs[NL80211_ATTR_FILS_ERP_USERNAME] &&
13472 	    info->attrs[NL80211_ATTR_FILS_ERP_REALM] &&
13473 	    info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM] &&
13474 	    info->attrs[NL80211_ATTR_FILS_ERP_RRK]) {
13475 		connect.fils_erp_username =
13476 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_USERNAME]);
13477 		connect.fils_erp_username_len =
13478 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_USERNAME]);
13479 		connect.fils_erp_realm =
13480 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_REALM]);
13481 		connect.fils_erp_realm_len =
13482 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_REALM]);
13483 		connect.fils_erp_next_seq_num =
13484 			nla_get_u16(
13485 			   info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM]);
13486 		connect.fils_erp_rrk =
13487 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_RRK]);
13488 		connect.fils_erp_rrk_len =
13489 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_RRK]);
13490 		changed |= UPDATE_FILS_ERP_INFO;
13491 	} else if (info->attrs[NL80211_ATTR_FILS_ERP_USERNAME] ||
13492 		   info->attrs[NL80211_ATTR_FILS_ERP_REALM] ||
13493 		   info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM] ||
13494 		   info->attrs[NL80211_ATTR_FILS_ERP_RRK]) {
13495 		return -EINVAL;
13496 	}
13497 
13498 	if (info->attrs[NL80211_ATTR_AUTH_TYPE]) {
13499 		auth_type = nla_get_u32(info->attrs[NL80211_ATTR_AUTH_TYPE]);
13500 		if (!nl80211_valid_auth_type(rdev, auth_type,
13501 					     NL80211_CMD_CONNECT))
13502 			return -EINVAL;
13503 
13504 		if (auth_type == NL80211_AUTHTYPE_FILS_SK &&
13505 		    fils_sk_offload && !(changed & UPDATE_FILS_ERP_INFO))
13506 			return -EINVAL;
13507 
13508 		connect.auth_type = auth_type;
13509 		changed |= UPDATE_AUTH_TYPE;
13510 	}
13511 
13512 	if (!wdev->connected)
13513 		return -ENOLINK;
13514 
13515 	return rdev_update_connect_params(rdev, dev, &connect, changed);
13516 }
13517 
13518 static int nl80211_disconnect(struct sk_buff *skb, struct genl_info *info)
13519 {
13520 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13521 	struct net_device *dev = info->user_ptr[1];
13522 	u16 reason;
13523 
13524 	if (dev->ieee80211_ptr->conn_owner_nlportid &&
13525 	    dev->ieee80211_ptr->conn_owner_nlportid != info->snd_portid)
13526 		return -EPERM;
13527 
13528 	reason = nla_get_u16_default(info->attrs[NL80211_ATTR_REASON_CODE],
13529 				     WLAN_REASON_DEAUTH_LEAVING);
13530 
13531 	if (reason == 0)
13532 		return -EINVAL;
13533 
13534 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
13535 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
13536 		return -EOPNOTSUPP;
13537 
13538 	return cfg80211_disconnect(rdev, dev, reason, true);
13539 }
13540 
13541 static int nl80211_wiphy_netns(struct sk_buff *skb, struct genl_info *info)
13542 {
13543 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13544 	struct net *net;
13545 	int err;
13546 
13547 	if (info->attrs[NL80211_ATTR_PID]) {
13548 		u32 pid = nla_get_u32(info->attrs[NL80211_ATTR_PID]);
13549 
13550 		net = get_net_ns_by_pid(pid);
13551 	} else if (info->attrs[NL80211_ATTR_NETNS_FD]) {
13552 		u32 fd = nla_get_u32(info->attrs[NL80211_ATTR_NETNS_FD]);
13553 
13554 		net = get_net_ns_by_fd(fd);
13555 	} else {
13556 		return -EINVAL;
13557 	}
13558 
13559 	if (IS_ERR(net))
13560 		return PTR_ERR(net);
13561 
13562 	err = 0;
13563 
13564 	/* check if anything to do */
13565 	if (!net_eq(wiphy_net(&rdev->wiphy), net))
13566 		err = cfg80211_switch_netns(rdev, net);
13567 
13568 	put_net(net);
13569 	return err;
13570 }
13571 
13572 static int nl80211_set_pmksa(struct sk_buff *skb, struct genl_info *info)
13573 {
13574 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13575 	struct net_device *dev = info->user_ptr[1];
13576 	struct cfg80211_pmksa pmksa;
13577 	bool ap_pmksa_caching_support = false;
13578 
13579 	memset(&pmksa, 0, sizeof(struct cfg80211_pmksa));
13580 
13581 	ap_pmksa_caching_support = wiphy_ext_feature_isset(&rdev->wiphy,
13582 		NL80211_EXT_FEATURE_AP_PMKSA_CACHING);
13583 
13584 	if (!info->attrs[NL80211_ATTR_PMKID])
13585 		return -EINVAL;
13586 
13587 	pmksa.pmkid = nla_data(info->attrs[NL80211_ATTR_PMKID]);
13588 
13589 	if (info->attrs[NL80211_ATTR_MAC]) {
13590 		pmksa.bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
13591 	} else if (info->attrs[NL80211_ATTR_SSID] &&
13592 	           info->attrs[NL80211_ATTR_FILS_CACHE_ID] &&
13593 	           info->attrs[NL80211_ATTR_PMK]) {
13594 		pmksa.ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
13595 		pmksa.ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
13596 		pmksa.cache_id = nla_data(info->attrs[NL80211_ATTR_FILS_CACHE_ID]);
13597 	} else {
13598 		return -EINVAL;
13599 	}
13600 
13601 	if (info->attrs[NL80211_ATTR_PMK]) {
13602 		pmksa.pmk = nla_data(info->attrs[NL80211_ATTR_PMK]);
13603 		pmksa.pmk_len = nla_len(info->attrs[NL80211_ATTR_PMK]);
13604 	}
13605 
13606 	if (info->attrs[NL80211_ATTR_PMK_LIFETIME])
13607 		pmksa.pmk_lifetime =
13608 			nla_get_u32(info->attrs[NL80211_ATTR_PMK_LIFETIME]);
13609 
13610 	if (info->attrs[NL80211_ATTR_PMK_REAUTH_THRESHOLD])
13611 		pmksa.pmk_reauth_threshold =
13612 			nla_get_u8(info->attrs[NL80211_ATTR_PMK_REAUTH_THRESHOLD]);
13613 
13614 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
13615 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT &&
13616 	    !((dev->ieee80211_ptr->iftype == NL80211_IFTYPE_AP ||
13617 	       dev->ieee80211_ptr->iftype == NL80211_IFTYPE_P2P_GO) &&
13618 	       ap_pmksa_caching_support))
13619 		return -EOPNOTSUPP;
13620 
13621 	if (!rdev->ops->set_pmksa)
13622 		return -EOPNOTSUPP;
13623 
13624 	return rdev_set_pmksa(rdev, dev, &pmksa);
13625 }
13626 
13627 static int nl80211_del_pmksa(struct sk_buff *skb, struct genl_info *info)
13628 {
13629 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13630 	struct net_device *dev = info->user_ptr[1];
13631 	struct cfg80211_pmksa pmksa;
13632 	bool sae_offload_support = false;
13633 	bool owe_offload_support = false;
13634 	bool ap_pmksa_caching_support = false;
13635 
13636 	memset(&pmksa, 0, sizeof(struct cfg80211_pmksa));
13637 
13638 	sae_offload_support = wiphy_ext_feature_isset(&rdev->wiphy,
13639 		NL80211_EXT_FEATURE_SAE_OFFLOAD);
13640 	owe_offload_support = wiphy_ext_feature_isset(&rdev->wiphy,
13641 		NL80211_EXT_FEATURE_OWE_OFFLOAD);
13642 	ap_pmksa_caching_support = wiphy_ext_feature_isset(&rdev->wiphy,
13643 		NL80211_EXT_FEATURE_AP_PMKSA_CACHING);
13644 
13645 	if (info->attrs[NL80211_ATTR_PMKID])
13646 		pmksa.pmkid = nla_data(info->attrs[NL80211_ATTR_PMKID]);
13647 
13648 	if (info->attrs[NL80211_ATTR_MAC]) {
13649 		pmksa.bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
13650 	} else if (info->attrs[NL80211_ATTR_SSID]) {
13651 		/* SSID based pmksa flush supported only for FILS,
13652 		 * OWE/SAE OFFLOAD cases
13653 		 */
13654 		if (info->attrs[NL80211_ATTR_FILS_CACHE_ID] &&
13655 		    info->attrs[NL80211_ATTR_PMK]) {
13656 			pmksa.cache_id = nla_data(info->attrs[NL80211_ATTR_FILS_CACHE_ID]);
13657 		} else if (!sae_offload_support && !owe_offload_support) {
13658 			return -EINVAL;
13659 		}
13660 		pmksa.ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
13661 		pmksa.ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
13662 	} else {
13663 		return -EINVAL;
13664 	}
13665 
13666 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
13667 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT &&
13668 	    !((dev->ieee80211_ptr->iftype == NL80211_IFTYPE_AP ||
13669 	       dev->ieee80211_ptr->iftype == NL80211_IFTYPE_P2P_GO) &&
13670 	       ap_pmksa_caching_support))
13671 		return -EOPNOTSUPP;
13672 
13673 	if (!rdev->ops->del_pmksa)
13674 		return -EOPNOTSUPP;
13675 
13676 	return rdev_del_pmksa(rdev, dev, &pmksa);
13677 }
13678 
13679 static int nl80211_flush_pmksa(struct sk_buff *skb, struct genl_info *info)
13680 {
13681 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13682 	struct net_device *dev = info->user_ptr[1];
13683 
13684 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
13685 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
13686 		return -EOPNOTSUPP;
13687 
13688 	if (!rdev->ops->flush_pmksa)
13689 		return -EOPNOTSUPP;
13690 
13691 	return rdev_flush_pmksa(rdev, dev);
13692 }
13693 
13694 static int nl80211_tdls_mgmt(struct sk_buff *skb, struct genl_info *info)
13695 {
13696 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13697 	struct net_device *dev = info->user_ptr[1];
13698 	u8 action_code, dialog_token;
13699 	u32 peer_capability = 0;
13700 	u16 status_code;
13701 	u8 *peer;
13702 	int link_id;
13703 	bool initiator;
13704 
13705 	if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) ||
13706 	    !rdev->ops->tdls_mgmt)
13707 		return -EOPNOTSUPP;
13708 
13709 	if (!info->attrs[NL80211_ATTR_TDLS_ACTION] ||
13710 	    !info->attrs[NL80211_ATTR_STATUS_CODE] ||
13711 	    !info->attrs[NL80211_ATTR_TDLS_DIALOG_TOKEN] ||
13712 	    !info->attrs[NL80211_ATTR_IE] ||
13713 	    !info->attrs[NL80211_ATTR_MAC])
13714 		return -EINVAL;
13715 
13716 	peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
13717 	action_code = nla_get_u8(info->attrs[NL80211_ATTR_TDLS_ACTION]);
13718 	status_code = nla_get_u16(info->attrs[NL80211_ATTR_STATUS_CODE]);
13719 	dialog_token = nla_get_u8(info->attrs[NL80211_ATTR_TDLS_DIALOG_TOKEN]);
13720 	initiator = nla_get_flag(info->attrs[NL80211_ATTR_TDLS_INITIATOR]);
13721 	if (info->attrs[NL80211_ATTR_TDLS_PEER_CAPABILITY])
13722 		peer_capability =
13723 			nla_get_u32(info->attrs[NL80211_ATTR_TDLS_PEER_CAPABILITY]);
13724 	link_id = nl80211_link_id_or_invalid(info->attrs);
13725 
13726 	return rdev_tdls_mgmt(rdev, dev, peer, link_id, action_code,
13727 			      dialog_token, status_code, peer_capability,
13728 			      initiator,
13729 			      nla_data(info->attrs[NL80211_ATTR_IE]),
13730 			      nla_len(info->attrs[NL80211_ATTR_IE]));
13731 }
13732 
13733 static int nl80211_tdls_oper(struct sk_buff *skb, struct genl_info *info)
13734 {
13735 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13736 	struct net_device *dev = info->user_ptr[1];
13737 	enum nl80211_tdls_operation operation;
13738 	u8 *peer;
13739 
13740 	if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) ||
13741 	    !rdev->ops->tdls_oper)
13742 		return -EOPNOTSUPP;
13743 
13744 	if (!info->attrs[NL80211_ATTR_TDLS_OPERATION] ||
13745 	    !info->attrs[NL80211_ATTR_MAC])
13746 		return -EINVAL;
13747 
13748 	operation = nla_get_u8(info->attrs[NL80211_ATTR_TDLS_OPERATION]);
13749 	peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
13750 
13751 	return rdev_tdls_oper(rdev, dev, peer, operation);
13752 }
13753 
13754 static int nl80211_remain_on_channel(struct sk_buff *skb,
13755 				     struct genl_info *info)
13756 {
13757 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13758 	unsigned int link_id = nl80211_link_id(info->attrs);
13759 	struct wireless_dev *wdev = info->user_ptr[1];
13760 	struct cfg80211_chan_def chandef;
13761 	struct sk_buff *msg;
13762 	void *hdr;
13763 	u64 cookie;
13764 	u32 duration;
13765 	int err;
13766 
13767 	if (!info->attrs[NL80211_ATTR_WIPHY_FREQ] ||
13768 	    !info->attrs[NL80211_ATTR_DURATION])
13769 		return -EINVAL;
13770 
13771 	duration = nla_get_u32(info->attrs[NL80211_ATTR_DURATION]);
13772 
13773 	if (!rdev->ops->remain_on_channel ||
13774 	    !(rdev->wiphy.flags & WIPHY_FLAG_HAS_REMAIN_ON_CHANNEL))
13775 		return -EOPNOTSUPP;
13776 
13777 	/*
13778 	 * We should be on that channel for at least a minimum amount of
13779 	 * time (10ms) but no longer than the driver supports.
13780 	 */
13781 	if (duration < NL80211_MIN_REMAIN_ON_CHANNEL_TIME ||
13782 	    duration > rdev->wiphy.max_remain_on_channel_duration)
13783 		return -EINVAL;
13784 
13785 	err = nl80211_parse_chandef(rdev, info, &chandef);
13786 	if (err)
13787 		return err;
13788 
13789 	if (!cfg80211_off_channel_oper_allowed(wdev, chandef.chan)) {
13790 		const struct cfg80211_chan_def *oper_chandef, *compat_chandef;
13791 
13792 		oper_chandef = wdev_chandef(wdev, link_id);
13793 
13794 		if (WARN_ON(!oper_chandef)) {
13795 			/* cannot happen since we must beacon to get here */
13796 			WARN_ON(1);
13797 			return -EBUSY;
13798 		}
13799 
13800 		/* note: returns first one if identical chandefs */
13801 		compat_chandef = cfg80211_chandef_compatible(&chandef,
13802 							     oper_chandef);
13803 
13804 		if (compat_chandef != &chandef)
13805 			return -EBUSY;
13806 	}
13807 
13808 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
13809 	if (!msg)
13810 		return -ENOMEM;
13811 
13812 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
13813 			     NL80211_CMD_REMAIN_ON_CHANNEL);
13814 	if (!hdr) {
13815 		err = -ENOBUFS;
13816 		goto free_msg;
13817 	}
13818 
13819 	err = rdev_remain_on_channel(rdev, wdev, chandef.chan,
13820 				     duration, &cookie);
13821 
13822 	if (err)
13823 		goto free_msg;
13824 
13825 	if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
13826 			      NL80211_ATTR_PAD))
13827 		goto nla_put_failure;
13828 
13829 	genlmsg_end(msg, hdr);
13830 
13831 	return genlmsg_reply(msg, info);
13832 
13833  nla_put_failure:
13834 	err = -ENOBUFS;
13835  free_msg:
13836 	nlmsg_free(msg);
13837 	return err;
13838 }
13839 
13840 static int nl80211_cancel_remain_on_channel(struct sk_buff *skb,
13841 					    struct genl_info *info)
13842 {
13843 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13844 	struct wireless_dev *wdev = info->user_ptr[1];
13845 	u64 cookie;
13846 
13847 	if (!info->attrs[NL80211_ATTR_COOKIE])
13848 		return -EINVAL;
13849 
13850 	if (!rdev->ops->cancel_remain_on_channel)
13851 		return -EOPNOTSUPP;
13852 
13853 	cookie = nla_get_u64(info->attrs[NL80211_ATTR_COOKIE]);
13854 
13855 	return rdev_cancel_remain_on_channel(rdev, wdev, cookie);
13856 }
13857 
13858 static int nl80211_set_tx_bitrate_mask(struct sk_buff *skb,
13859 				       struct genl_info *info)
13860 {
13861 	struct cfg80211_bitrate_mask mask;
13862 	unsigned int link_id = nl80211_link_id(info->attrs);
13863 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13864 	struct net_device *dev = info->user_ptr[1];
13865 	int err;
13866 
13867 	if (!rdev->ops->set_bitrate_mask)
13868 		return -EOPNOTSUPP;
13869 
13870 	err = nl80211_parse_tx_bitrate_mask(info, info->attrs,
13871 					    NL80211_ATTR_TX_RATES, &mask,
13872 					    dev, true, link_id);
13873 	if (err)
13874 		return err;
13875 
13876 	return rdev_set_bitrate_mask(rdev, dev, link_id, NULL, &mask);
13877 }
13878 
13879 static int nl80211_register_mgmt(struct sk_buff *skb, struct genl_info *info)
13880 {
13881 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13882 	struct wireless_dev *wdev = info->user_ptr[1];
13883 	u16 frame_type = IEEE80211_FTYPE_MGMT | IEEE80211_STYPE_ACTION;
13884 
13885 	if (!info->attrs[NL80211_ATTR_FRAME_MATCH])
13886 		return -EINVAL;
13887 
13888 	if (info->attrs[NL80211_ATTR_FRAME_TYPE])
13889 		frame_type = nla_get_u16(info->attrs[NL80211_ATTR_FRAME_TYPE]);
13890 
13891 	switch (wdev->iftype) {
13892 	case NL80211_IFTYPE_STATION:
13893 	case NL80211_IFTYPE_ADHOC:
13894 	case NL80211_IFTYPE_P2P_CLIENT:
13895 	case NL80211_IFTYPE_AP:
13896 	case NL80211_IFTYPE_AP_VLAN:
13897 	case NL80211_IFTYPE_MESH_POINT:
13898 	case NL80211_IFTYPE_P2P_GO:
13899 	case NL80211_IFTYPE_P2P_DEVICE:
13900 		break;
13901 	case NL80211_IFTYPE_NAN:
13902 		if (!wiphy_ext_feature_isset(wdev->wiphy,
13903 					     NL80211_EXT_FEATURE_SECURE_NAN) &&
13904 		    !(wdev->wiphy->nan_capa.flags &
13905 		      WIPHY_NAN_FLAGS_USERSPACE_DE))
13906 			return -EOPNOTSUPP;
13907 		break;
13908 	default:
13909 		return -EOPNOTSUPP;
13910 	}
13911 
13912 	/* not much point in registering if we can't reply */
13913 	if (!rdev->ops->mgmt_tx)
13914 		return -EOPNOTSUPP;
13915 
13916 	if (info->attrs[NL80211_ATTR_RECEIVE_MULTICAST] &&
13917 	    !wiphy_ext_feature_isset(&rdev->wiphy,
13918 				     NL80211_EXT_FEATURE_MULTICAST_REGISTRATIONS)) {
13919 		GENL_SET_ERR_MSG(info,
13920 				 "multicast RX registrations are not supported");
13921 		return -EOPNOTSUPP;
13922 	}
13923 
13924 	return cfg80211_mlme_register_mgmt(wdev, info->snd_portid, frame_type,
13925 					   nla_data(info->attrs[NL80211_ATTR_FRAME_MATCH]),
13926 					   nla_len(info->attrs[NL80211_ATTR_FRAME_MATCH]),
13927 					   info->attrs[NL80211_ATTR_RECEIVE_MULTICAST],
13928 					   info->extack);
13929 }
13930 
13931 static int nl80211_tx_mgmt(struct sk_buff *skb, struct genl_info *info)
13932 {
13933 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13934 	struct wireless_dev *wdev = info->user_ptr[1];
13935 	struct cfg80211_chan_def chandef;
13936 	int err;
13937 	void *hdr = NULL;
13938 	u64 cookie;
13939 	struct sk_buff *msg = NULL;
13940 	struct cfg80211_mgmt_tx_params params = {
13941 		.dont_wait_for_ack =
13942 			info->attrs[NL80211_ATTR_DONT_WAIT_FOR_ACK],
13943 	};
13944 
13945 	if (!info->attrs[NL80211_ATTR_FRAME])
13946 		return -EINVAL;
13947 
13948 	if (!rdev->ops->mgmt_tx)
13949 		return -EOPNOTSUPP;
13950 
13951 	switch (wdev->iftype) {
13952 	case NL80211_IFTYPE_P2P_DEVICE:
13953 		if (!info->attrs[NL80211_ATTR_WIPHY_FREQ])
13954 			return -EINVAL;
13955 		break;
13956 	case NL80211_IFTYPE_STATION:
13957 	case NL80211_IFTYPE_ADHOC:
13958 	case NL80211_IFTYPE_P2P_CLIENT:
13959 	case NL80211_IFTYPE_AP:
13960 	case NL80211_IFTYPE_AP_VLAN:
13961 	case NL80211_IFTYPE_MESH_POINT:
13962 	case NL80211_IFTYPE_P2P_GO:
13963 		break;
13964 	case NL80211_IFTYPE_NAN:
13965 		if (!wiphy_ext_feature_isset(wdev->wiphy,
13966 					     NL80211_EXT_FEATURE_SECURE_NAN) &&
13967 		    !(wdev->wiphy->nan_capa.flags &
13968 		      WIPHY_NAN_FLAGS_USERSPACE_DE))
13969 			return -EOPNOTSUPP;
13970 		break;
13971 	default:
13972 		return -EOPNOTSUPP;
13973 	}
13974 
13975 	if (info->attrs[NL80211_ATTR_DURATION]) {
13976 		if (!(rdev->wiphy.flags & WIPHY_FLAG_OFFCHAN_TX))
13977 			return -EINVAL;
13978 		params.wait = nla_get_u32(info->attrs[NL80211_ATTR_DURATION]);
13979 
13980 		/*
13981 		 * We should wait on the channel for at least a minimum amount
13982 		 * of time (10ms) but no longer than the driver supports.
13983 		 */
13984 		if (params.wait < NL80211_MIN_REMAIN_ON_CHANNEL_TIME ||
13985 		    params.wait > rdev->wiphy.max_remain_on_channel_duration)
13986 			return -EINVAL;
13987 	}
13988 
13989 	params.offchan = info->attrs[NL80211_ATTR_OFFCHANNEL_TX_OK];
13990 
13991 	if (params.offchan && !(rdev->wiphy.flags & WIPHY_FLAG_OFFCHAN_TX))
13992 		return -EINVAL;
13993 
13994 	params.no_cck = nla_get_flag(info->attrs[NL80211_ATTR_TX_NO_CCK_RATE]);
13995 
13996 	/* get the channel if any has been specified, otherwise pass NULL to
13997 	 * the driver. The latter will use the current one
13998 	 */
13999 	chandef.chan = NULL;
14000 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
14001 		err = nl80211_parse_chandef(rdev, info, &chandef);
14002 		if (err)
14003 			return err;
14004 	}
14005 
14006 	if (!chandef.chan && params.offchan)
14007 		return -EINVAL;
14008 
14009 	if (params.offchan &&
14010 	    !cfg80211_off_channel_oper_allowed(wdev, chandef.chan))
14011 		return -EBUSY;
14012 
14013 	params.link_id = nl80211_link_id_or_invalid(info->attrs);
14014 	/*
14015 	 * This now races due to the unlock, but we cannot check
14016 	 * the valid links for the _station_ anyway, so that's up
14017 	 * to the driver.
14018 	 */
14019 	if (params.link_id >= 0 &&
14020 	    !(wdev->valid_links & BIT(params.link_id)))
14021 		return -EINVAL;
14022 
14023 	params.buf = nla_data(info->attrs[NL80211_ATTR_FRAME]);
14024 	params.len = nla_len(info->attrs[NL80211_ATTR_FRAME]);
14025 
14026 	err = nl80211_parse_counter_offsets(rdev, NULL, params.len, -1,
14027 					    info->attrs[NL80211_ATTR_CSA_C_OFFSETS_TX],
14028 					    &params.csa_offsets,
14029 					    &params.n_csa_offsets);
14030 	if (err)
14031 		return err;
14032 
14033 	if (!params.dont_wait_for_ack) {
14034 		msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
14035 		if (!msg)
14036 			return -ENOMEM;
14037 
14038 		hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
14039 				     NL80211_CMD_FRAME);
14040 		if (!hdr) {
14041 			err = -ENOBUFS;
14042 			goto free_msg;
14043 		}
14044 	}
14045 
14046 	params.chan = chandef.chan;
14047 	err = cfg80211_mlme_mgmt_tx(rdev, wdev, &params, &cookie);
14048 	if (err)
14049 		goto free_msg;
14050 
14051 	if (msg) {
14052 		if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
14053 				      NL80211_ATTR_PAD))
14054 			goto nla_put_failure;
14055 
14056 		genlmsg_end(msg, hdr);
14057 		return genlmsg_reply(msg, info);
14058 	}
14059 
14060 	return 0;
14061 
14062  nla_put_failure:
14063 	err = -ENOBUFS;
14064  free_msg:
14065 	nlmsg_free(msg);
14066 	return err;
14067 }
14068 
14069 static int nl80211_tx_mgmt_cancel_wait(struct sk_buff *skb, struct genl_info *info)
14070 {
14071 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14072 	struct wireless_dev *wdev = info->user_ptr[1];
14073 	u64 cookie;
14074 
14075 	if (!info->attrs[NL80211_ATTR_COOKIE])
14076 		return -EINVAL;
14077 
14078 	if (!rdev->ops->mgmt_tx_cancel_wait)
14079 		return -EOPNOTSUPP;
14080 
14081 	switch (wdev->iftype) {
14082 	case NL80211_IFTYPE_STATION:
14083 	case NL80211_IFTYPE_ADHOC:
14084 	case NL80211_IFTYPE_P2P_CLIENT:
14085 	case NL80211_IFTYPE_AP:
14086 	case NL80211_IFTYPE_AP_VLAN:
14087 	case NL80211_IFTYPE_P2P_GO:
14088 	case NL80211_IFTYPE_P2P_DEVICE:
14089 		break;
14090 	case NL80211_IFTYPE_NAN:
14091 		if (!wiphy_ext_feature_isset(wdev->wiphy,
14092 					     NL80211_EXT_FEATURE_SECURE_NAN))
14093 			return -EOPNOTSUPP;
14094 		break;
14095 	default:
14096 		return -EOPNOTSUPP;
14097 	}
14098 
14099 	cookie = nla_get_u64(info->attrs[NL80211_ATTR_COOKIE]);
14100 
14101 	return rdev_mgmt_tx_cancel_wait(rdev, wdev, cookie);
14102 }
14103 
14104 static int nl80211_set_power_save(struct sk_buff *skb, struct genl_info *info)
14105 {
14106 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14107 	struct wireless_dev *wdev;
14108 	struct net_device *dev = info->user_ptr[1];
14109 	u8 ps_state;
14110 	bool state;
14111 	int err;
14112 
14113 	if (!info->attrs[NL80211_ATTR_PS_STATE])
14114 		return -EINVAL;
14115 
14116 	ps_state = nla_get_u32(info->attrs[NL80211_ATTR_PS_STATE]);
14117 
14118 	wdev = dev->ieee80211_ptr;
14119 
14120 	if (!rdev->ops->set_power_mgmt)
14121 		return -EOPNOTSUPP;
14122 
14123 	state = (ps_state == NL80211_PS_ENABLED) ? true : false;
14124 
14125 	if (state == wdev->ps)
14126 		return 0;
14127 
14128 	err = rdev_set_power_mgmt(rdev, dev, state, wdev->ps_timeout);
14129 	if (!err)
14130 		wdev->ps = state;
14131 	return err;
14132 }
14133 
14134 static int nl80211_get_power_save(struct sk_buff *skb, struct genl_info *info)
14135 {
14136 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14137 	enum nl80211_ps_state ps_state;
14138 	struct wireless_dev *wdev;
14139 	struct net_device *dev = info->user_ptr[1];
14140 	struct sk_buff *msg;
14141 	void *hdr;
14142 	int err;
14143 
14144 	wdev = dev->ieee80211_ptr;
14145 
14146 	if (!rdev->ops->set_power_mgmt)
14147 		return -EOPNOTSUPP;
14148 
14149 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
14150 	if (!msg)
14151 		return -ENOMEM;
14152 
14153 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
14154 			     NL80211_CMD_GET_POWER_SAVE);
14155 	if (!hdr) {
14156 		err = -ENOBUFS;
14157 		goto free_msg;
14158 	}
14159 
14160 	if (wdev->ps)
14161 		ps_state = NL80211_PS_ENABLED;
14162 	else
14163 		ps_state = NL80211_PS_DISABLED;
14164 
14165 	if (nla_put_u32(msg, NL80211_ATTR_PS_STATE, ps_state))
14166 		goto nla_put_failure;
14167 
14168 	genlmsg_end(msg, hdr);
14169 	return genlmsg_reply(msg, info);
14170 
14171  nla_put_failure:
14172 	err = -ENOBUFS;
14173  free_msg:
14174 	nlmsg_free(msg);
14175 	return err;
14176 }
14177 
14178 static const struct nla_policy
14179 nl80211_attr_cqm_policy[NL80211_ATTR_CQM_MAX + 1] = {
14180 	[NL80211_ATTR_CQM_RSSI_THOLD] = { .type = NLA_BINARY },
14181 	[NL80211_ATTR_CQM_RSSI_HYST] = { .type = NLA_U32 },
14182 	[NL80211_ATTR_CQM_RSSI_THRESHOLD_EVENT] = { .type = NLA_U32 },
14183 	[NL80211_ATTR_CQM_TXE_RATE] = { .type = NLA_U32 },
14184 	[NL80211_ATTR_CQM_TXE_PKTS] = { .type = NLA_U32 },
14185 	[NL80211_ATTR_CQM_TXE_INTVL] = { .type = NLA_U32 },
14186 	[NL80211_ATTR_CQM_RSSI_LEVEL] = { .type = NLA_S32 },
14187 };
14188 
14189 static int nl80211_set_cqm_txe(struct genl_info *info,
14190 			       u32 rate, u32 pkts, u32 intvl)
14191 {
14192 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14193 	struct net_device *dev = info->user_ptr[1];
14194 	struct wireless_dev *wdev = dev->ieee80211_ptr;
14195 
14196 	if (rate > 100 || intvl > NL80211_CQM_TXE_MAX_INTVL)
14197 		return -EINVAL;
14198 
14199 	if (!rdev->ops->set_cqm_txe_config)
14200 		return -EOPNOTSUPP;
14201 
14202 	if (wdev->iftype != NL80211_IFTYPE_STATION &&
14203 	    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT)
14204 		return -EOPNOTSUPP;
14205 
14206 	return rdev_set_cqm_txe_config(rdev, dev, rate, pkts, intvl);
14207 }
14208 
14209 static int cfg80211_cqm_rssi_update(struct cfg80211_registered_device *rdev,
14210 				    struct net_device *dev,
14211 				    struct cfg80211_cqm_config *cqm_config)
14212 {
14213 	struct wireless_dev *wdev = dev->ieee80211_ptr;
14214 	s32 last, low, high;
14215 	u32 hyst;
14216 	int i, n, low_index;
14217 	int err;
14218 
14219 	/*
14220 	 * Obtain current RSSI value if possible, if not and no RSSI threshold
14221 	 * event has been received yet, we should receive an event after a
14222 	 * connection is established and enough beacons received to calculate
14223 	 * the average.
14224 	 */
14225 	if (!cqm_config->last_rssi_event_value &&
14226 	    wdev->links[0].client.current_bss &&
14227 	    rdev->ops->get_station) {
14228 		struct station_info sinfo = {};
14229 		u8 *mac_addr;
14230 
14231 		mac_addr = wdev->links[0].client.current_bss->pub.bssid;
14232 
14233 		err = rdev_get_station(rdev, dev, mac_addr, &sinfo);
14234 		if (err)
14235 			return err;
14236 
14237 		cfg80211_sinfo_release_content(&sinfo);
14238 		if (sinfo.filled & BIT_ULL(NL80211_STA_INFO_BEACON_SIGNAL_AVG))
14239 			cqm_config->last_rssi_event_value =
14240 				(s8) sinfo.rx_beacon_signal_avg;
14241 	}
14242 
14243 	last = cqm_config->last_rssi_event_value;
14244 	hyst = cqm_config->rssi_hyst;
14245 	n = cqm_config->n_rssi_thresholds;
14246 
14247 	for (i = 0; i < n; i++) {
14248 		i = array_index_nospec(i, n);
14249 		if (last < cqm_config->rssi_thresholds[i])
14250 			break;
14251 	}
14252 
14253 	low_index = i - 1;
14254 	if (low_index >= 0) {
14255 		low_index = array_index_nospec(low_index, n);
14256 		low = cqm_config->rssi_thresholds[low_index] - hyst;
14257 	} else {
14258 		low = S32_MIN;
14259 	}
14260 	if (i < n) {
14261 		i = array_index_nospec(i, n);
14262 		high = cqm_config->rssi_thresholds[i] + hyst - 1;
14263 	} else {
14264 		high = S32_MAX;
14265 	}
14266 
14267 	return rdev_set_cqm_rssi_range_config(rdev, dev, low, high);
14268 }
14269 
14270 static int nl80211_set_cqm_rssi(struct genl_info *info,
14271 				const s32 *thresholds, int n_thresholds,
14272 				u32 hysteresis)
14273 {
14274 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14275 	struct cfg80211_cqm_config *cqm_config = NULL, *old;
14276 	struct net_device *dev = info->user_ptr[1];
14277 	struct wireless_dev *wdev = dev->ieee80211_ptr;
14278 	s32 prev = S32_MIN;
14279 	int i, err;
14280 
14281 	/* Check all values negative and sorted */
14282 	for (i = 0; i < n_thresholds; i++) {
14283 		if (thresholds[i] > 0 || thresholds[i] <= prev)
14284 			return -EINVAL;
14285 
14286 		prev = thresholds[i];
14287 	}
14288 
14289 	if (wdev->iftype != NL80211_IFTYPE_STATION &&
14290 	    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT)
14291 		return -EOPNOTSUPP;
14292 
14293 	if (n_thresholds == 1 && thresholds[0] == 0) /* Disabling */
14294 		n_thresholds = 0;
14295 
14296 	old = wiphy_dereference(wdev->wiphy, wdev->cqm_config);
14297 
14298 	/* if already disabled just succeed */
14299 	if (!n_thresholds && !old)
14300 		return 0;
14301 
14302 	if (n_thresholds > 1) {
14303 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
14304 					     NL80211_EXT_FEATURE_CQM_RSSI_LIST) ||
14305 		    !rdev->ops->set_cqm_rssi_range_config)
14306 			return -EOPNOTSUPP;
14307 	} else {
14308 		if (!rdev->ops->set_cqm_rssi_config)
14309 			return -EOPNOTSUPP;
14310 	}
14311 
14312 	if (n_thresholds) {
14313 		cqm_config = kzalloc(struct_size(cqm_config, rssi_thresholds,
14314 						 n_thresholds),
14315 				     GFP_KERNEL);
14316 		if (!cqm_config)
14317 			return -ENOMEM;
14318 
14319 		cqm_config->rssi_hyst = hysteresis;
14320 		cqm_config->n_rssi_thresholds = n_thresholds;
14321 		memcpy(cqm_config->rssi_thresholds, thresholds,
14322 		       flex_array_size(cqm_config, rssi_thresholds,
14323 				       n_thresholds));
14324 		cqm_config->use_range_api = n_thresholds > 1 ||
14325 					    !rdev->ops->set_cqm_rssi_config;
14326 
14327 		rcu_assign_pointer(wdev->cqm_config, cqm_config);
14328 
14329 		if (cqm_config->use_range_api)
14330 			err = cfg80211_cqm_rssi_update(rdev, dev, cqm_config);
14331 		else
14332 			err = rdev_set_cqm_rssi_config(rdev, dev,
14333 						       thresholds[0],
14334 						       hysteresis);
14335 	} else {
14336 		RCU_INIT_POINTER(wdev->cqm_config, NULL);
14337 		/* if enabled as range also disable via range */
14338 		if (old->use_range_api)
14339 			err = rdev_set_cqm_rssi_range_config(rdev, dev, 0, 0);
14340 		else
14341 			err = rdev_set_cqm_rssi_config(rdev, dev, 0, 0);
14342 	}
14343 
14344 	if (err) {
14345 		rcu_assign_pointer(wdev->cqm_config, old);
14346 		kfree_rcu(cqm_config, rcu_head);
14347 	} else {
14348 		kfree_rcu(old, rcu_head);
14349 	}
14350 
14351 	return err;
14352 }
14353 
14354 static int nl80211_set_cqm(struct sk_buff *skb, struct genl_info *info)
14355 {
14356 	struct nlattr *attrs[NL80211_ATTR_CQM_MAX + 1];
14357 	struct nlattr *cqm;
14358 	int err;
14359 
14360 	cqm = info->attrs[NL80211_ATTR_CQM];
14361 	if (!cqm)
14362 		return -EINVAL;
14363 
14364 	err = nla_parse_nested_deprecated(attrs, NL80211_ATTR_CQM_MAX, cqm,
14365 					  nl80211_attr_cqm_policy,
14366 					  info->extack);
14367 	if (err)
14368 		return err;
14369 
14370 	if (attrs[NL80211_ATTR_CQM_RSSI_THOLD] &&
14371 	    attrs[NL80211_ATTR_CQM_RSSI_HYST]) {
14372 		const s32 *thresholds =
14373 			nla_data(attrs[NL80211_ATTR_CQM_RSSI_THOLD]);
14374 		int len = nla_len(attrs[NL80211_ATTR_CQM_RSSI_THOLD]);
14375 		u32 hysteresis = nla_get_u32(attrs[NL80211_ATTR_CQM_RSSI_HYST]);
14376 
14377 		if (len % 4)
14378 			return -EINVAL;
14379 
14380 		return nl80211_set_cqm_rssi(info, thresholds, len / 4,
14381 					    hysteresis);
14382 	}
14383 
14384 	if (attrs[NL80211_ATTR_CQM_TXE_RATE] &&
14385 	    attrs[NL80211_ATTR_CQM_TXE_PKTS] &&
14386 	    attrs[NL80211_ATTR_CQM_TXE_INTVL]) {
14387 		u32 rate = nla_get_u32(attrs[NL80211_ATTR_CQM_TXE_RATE]);
14388 		u32 pkts = nla_get_u32(attrs[NL80211_ATTR_CQM_TXE_PKTS]);
14389 		u32 intvl = nla_get_u32(attrs[NL80211_ATTR_CQM_TXE_INTVL]);
14390 
14391 		return nl80211_set_cqm_txe(info, rate, pkts, intvl);
14392 	}
14393 
14394 	return -EINVAL;
14395 }
14396 
14397 static int nl80211_join_ocb(struct sk_buff *skb, struct genl_info *info)
14398 {
14399 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14400 	struct net_device *dev = info->user_ptr[1];
14401 	struct ocb_setup setup = {};
14402 	int err;
14403 
14404 	err = nl80211_parse_chandef(rdev, info, &setup.chandef);
14405 	if (err)
14406 		return err;
14407 
14408 	return cfg80211_join_ocb(rdev, dev, &setup);
14409 }
14410 
14411 static int nl80211_leave_ocb(struct sk_buff *skb, struct genl_info *info)
14412 {
14413 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14414 	struct net_device *dev = info->user_ptr[1];
14415 
14416 	return cfg80211_leave_ocb(rdev, dev);
14417 }
14418 
14419 static int nl80211_join_mesh(struct sk_buff *skb, struct genl_info *info)
14420 {
14421 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14422 	struct net_device *dev = info->user_ptr[1];
14423 	struct mesh_config cfg;
14424 	struct mesh_setup setup;
14425 	int err;
14426 
14427 	/* start with default */
14428 	memcpy(&cfg, &default_mesh_config, sizeof(cfg));
14429 	memcpy(&setup, &default_mesh_setup, sizeof(setup));
14430 
14431 	if (info->attrs[NL80211_ATTR_MESH_CONFIG]) {
14432 		/* and parse parameters if given */
14433 		err = nl80211_parse_mesh_config(info, &cfg, NULL);
14434 		if (err)
14435 			return err;
14436 	}
14437 
14438 	if (!info->attrs[NL80211_ATTR_MESH_ID] ||
14439 	    !nla_len(info->attrs[NL80211_ATTR_MESH_ID]))
14440 		return -EINVAL;
14441 
14442 	setup.mesh_id = nla_data(info->attrs[NL80211_ATTR_MESH_ID]);
14443 	setup.mesh_id_len = nla_len(info->attrs[NL80211_ATTR_MESH_ID]);
14444 
14445 	if (info->attrs[NL80211_ATTR_MCAST_RATE] &&
14446 	    !nl80211_parse_mcast_rate(rdev, setup.mcast_rate,
14447 			    nla_get_u32(info->attrs[NL80211_ATTR_MCAST_RATE])))
14448 			return -EINVAL;
14449 
14450 	if (info->attrs[NL80211_ATTR_BEACON_INTERVAL]) {
14451 		setup.beacon_interval =
14452 			nla_get_u32(info->attrs[NL80211_ATTR_BEACON_INTERVAL]);
14453 
14454 		err = cfg80211_validate_beacon_int(rdev,
14455 						   NL80211_IFTYPE_MESH_POINT,
14456 						   setup.beacon_interval);
14457 		if (err)
14458 			return err;
14459 	}
14460 
14461 	if (info->attrs[NL80211_ATTR_DTIM_PERIOD]) {
14462 		setup.dtim_period =
14463 			nla_get_u32(info->attrs[NL80211_ATTR_DTIM_PERIOD]);
14464 		if (setup.dtim_period < 1 || setup.dtim_period > 100)
14465 			return -EINVAL;
14466 	}
14467 
14468 	if (info->attrs[NL80211_ATTR_MESH_SETUP]) {
14469 		/* parse additional setup parameters if given */
14470 		err = nl80211_parse_mesh_setup(info, &setup);
14471 		if (err)
14472 			return err;
14473 	}
14474 
14475 	if (setup.user_mpm)
14476 		cfg.auto_open_plinks = false;
14477 
14478 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
14479 		err = nl80211_parse_chandef(rdev, info, &setup.chandef);
14480 		if (err)
14481 			return err;
14482 	} else {
14483 		/* __cfg80211_join_mesh() will sort it out */
14484 		setup.chandef.chan = NULL;
14485 	}
14486 
14487 	if (info->attrs[NL80211_ATTR_BSS_BASIC_RATES]) {
14488 		u8 *rates = nla_data(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
14489 		int n_rates =
14490 			nla_len(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
14491 		struct ieee80211_supported_band *sband;
14492 
14493 		if (!setup.chandef.chan)
14494 			return -EINVAL;
14495 
14496 		sband = rdev->wiphy.bands[setup.chandef.chan->band];
14497 
14498 		err = ieee80211_get_ratemask(sband, rates, n_rates,
14499 					     &setup.basic_rates);
14500 		if (err)
14501 			return err;
14502 	}
14503 
14504 	if (info->attrs[NL80211_ATTR_TX_RATES]) {
14505 		err = nl80211_parse_tx_bitrate_mask(info, info->attrs,
14506 						    NL80211_ATTR_TX_RATES,
14507 						    &setup.beacon_rate,
14508 						    dev, false, 0);
14509 		if (err)
14510 			return err;
14511 
14512 		if (!setup.chandef.chan)
14513 			return -EINVAL;
14514 
14515 		err = validate_beacon_tx_rate(rdev, setup.chandef.chan->band,
14516 					      &setup.beacon_rate);
14517 		if (err)
14518 			return err;
14519 	}
14520 
14521 	setup.userspace_handles_dfs =
14522 		nla_get_flag(info->attrs[NL80211_ATTR_HANDLE_DFS]);
14523 
14524 	if (info->attrs[NL80211_ATTR_CONTROL_PORT_OVER_NL80211]) {
14525 		int r = validate_pae_over_nl80211(rdev, info);
14526 
14527 		if (r < 0)
14528 			return r;
14529 
14530 		setup.control_port_over_nl80211 = true;
14531 	}
14532 
14533 	err = __cfg80211_join_mesh(rdev, dev, &setup, &cfg);
14534 	if (!err && info->attrs[NL80211_ATTR_SOCKET_OWNER])
14535 		dev->ieee80211_ptr->conn_owner_nlportid = info->snd_portid;
14536 
14537 	return err;
14538 }
14539 
14540 static int nl80211_leave_mesh(struct sk_buff *skb, struct genl_info *info)
14541 {
14542 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14543 	struct net_device *dev = info->user_ptr[1];
14544 
14545 	return cfg80211_leave_mesh(rdev, dev);
14546 }
14547 
14548 #ifdef CONFIG_PM
14549 static int nl80211_send_wowlan_patterns(struct sk_buff *msg,
14550 					struct cfg80211_registered_device *rdev)
14551 {
14552 	struct cfg80211_wowlan *wowlan = rdev->wiphy.wowlan_config;
14553 	struct nlattr *nl_pats, *nl_pat;
14554 	int i, pat_len;
14555 
14556 	if (!wowlan->n_patterns)
14557 		return 0;
14558 
14559 	nl_pats = nla_nest_start_noflag(msg, NL80211_WOWLAN_TRIG_PKT_PATTERN);
14560 	if (!nl_pats)
14561 		return -ENOBUFS;
14562 
14563 	for (i = 0; i < wowlan->n_patterns; i++) {
14564 		nl_pat = nla_nest_start_noflag(msg, i + 1);
14565 		if (!nl_pat)
14566 			return -ENOBUFS;
14567 		pat_len = wowlan->patterns[i].pattern_len;
14568 		if (nla_put(msg, NL80211_PKTPAT_MASK, DIV_ROUND_UP(pat_len, 8),
14569 			    wowlan->patterns[i].mask) ||
14570 		    nla_put(msg, NL80211_PKTPAT_PATTERN, pat_len,
14571 			    wowlan->patterns[i].pattern) ||
14572 		    nla_put_u32(msg, NL80211_PKTPAT_OFFSET,
14573 				wowlan->patterns[i].pkt_offset))
14574 			return -ENOBUFS;
14575 		nla_nest_end(msg, nl_pat);
14576 	}
14577 	nla_nest_end(msg, nl_pats);
14578 
14579 	return 0;
14580 }
14581 
14582 static int nl80211_send_wowlan_tcp(struct sk_buff *msg,
14583 				   struct cfg80211_wowlan_tcp *tcp)
14584 {
14585 	struct nlattr *nl_tcp;
14586 
14587 	if (!tcp)
14588 		return 0;
14589 
14590 	nl_tcp = nla_nest_start_noflag(msg,
14591 				       NL80211_WOWLAN_TRIG_TCP_CONNECTION);
14592 	if (!nl_tcp)
14593 		return -ENOBUFS;
14594 
14595 	if (nla_put_in_addr(msg, NL80211_WOWLAN_TCP_SRC_IPV4, tcp->src) ||
14596 	    nla_put_in_addr(msg, NL80211_WOWLAN_TCP_DST_IPV4, tcp->dst) ||
14597 	    nla_put(msg, NL80211_WOWLAN_TCP_DST_MAC, ETH_ALEN, tcp->dst_mac) ||
14598 	    nla_put_u16(msg, NL80211_WOWLAN_TCP_SRC_PORT, tcp->src_port) ||
14599 	    nla_put_u16(msg, NL80211_WOWLAN_TCP_DST_PORT, tcp->dst_port) ||
14600 	    nla_put(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD,
14601 		    tcp->payload_len, tcp->payload) ||
14602 	    nla_put_u32(msg, NL80211_WOWLAN_TCP_DATA_INTERVAL,
14603 			tcp->data_interval) ||
14604 	    nla_put(msg, NL80211_WOWLAN_TCP_WAKE_PAYLOAD,
14605 		    tcp->wake_len, tcp->wake_data) ||
14606 	    nla_put(msg, NL80211_WOWLAN_TCP_WAKE_MASK,
14607 		    DIV_ROUND_UP(tcp->wake_len, 8), tcp->wake_mask))
14608 		return -ENOBUFS;
14609 
14610 	if (tcp->payload_seq.len &&
14611 	    nla_put(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ,
14612 		    sizeof(tcp->payload_seq), &tcp->payload_seq))
14613 		return -ENOBUFS;
14614 
14615 	if (tcp->payload_tok.len &&
14616 	    nla_put(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN,
14617 		    sizeof(tcp->payload_tok) + tcp->tokens_size,
14618 		    &tcp->payload_tok))
14619 		return -ENOBUFS;
14620 
14621 	nla_nest_end(msg, nl_tcp);
14622 
14623 	return 0;
14624 }
14625 
14626 static int nl80211_send_wowlan_nd(struct sk_buff *msg,
14627 				  struct cfg80211_sched_scan_request *req)
14628 {
14629 	struct nlattr *nd, *freqs, *matches, *match, *scan_plans, *scan_plan;
14630 	int i;
14631 
14632 	if (!req)
14633 		return 0;
14634 
14635 	nd = nla_nest_start_noflag(msg, NL80211_WOWLAN_TRIG_NET_DETECT);
14636 	if (!nd)
14637 		return -ENOBUFS;
14638 
14639 	if (req->n_scan_plans == 1 &&
14640 	    nla_put_u32(msg, NL80211_ATTR_SCHED_SCAN_INTERVAL,
14641 			req->scan_plans[0].interval * 1000))
14642 		return -ENOBUFS;
14643 
14644 	if (nla_put_u32(msg, NL80211_ATTR_SCHED_SCAN_DELAY, req->delay))
14645 		return -ENOBUFS;
14646 
14647 	if (req->relative_rssi_set) {
14648 		struct nl80211_bss_select_rssi_adjust rssi_adjust;
14649 
14650 		if (nla_put_s8(msg, NL80211_ATTR_SCHED_SCAN_RELATIVE_RSSI,
14651 			       req->relative_rssi))
14652 			return -ENOBUFS;
14653 
14654 		rssi_adjust.band = req->rssi_adjust.band;
14655 		rssi_adjust.delta = req->rssi_adjust.delta;
14656 		if (nla_put(msg, NL80211_ATTR_SCHED_SCAN_RSSI_ADJUST,
14657 			    sizeof(rssi_adjust), &rssi_adjust))
14658 			return -ENOBUFS;
14659 	}
14660 
14661 	freqs = nla_nest_start_noflag(msg, NL80211_ATTR_SCAN_FREQUENCIES);
14662 	if (!freqs)
14663 		return -ENOBUFS;
14664 
14665 	for (i = 0; i < req->n_channels; i++) {
14666 		if (nla_put_u32(msg, i, req->channels[i]->center_freq))
14667 			return -ENOBUFS;
14668 	}
14669 
14670 	nla_nest_end(msg, freqs);
14671 
14672 	if (req->n_match_sets) {
14673 		matches = nla_nest_start_noflag(msg,
14674 						NL80211_ATTR_SCHED_SCAN_MATCH);
14675 		if (!matches)
14676 			return -ENOBUFS;
14677 
14678 		for (i = 0; i < req->n_match_sets; i++) {
14679 			match = nla_nest_start_noflag(msg, i);
14680 			if (!match)
14681 				return -ENOBUFS;
14682 
14683 			if (nla_put(msg, NL80211_SCHED_SCAN_MATCH_ATTR_SSID,
14684 				    req->match_sets[i].ssid.ssid_len,
14685 				    req->match_sets[i].ssid.ssid))
14686 				return -ENOBUFS;
14687 			nla_nest_end(msg, match);
14688 		}
14689 		nla_nest_end(msg, matches);
14690 	}
14691 
14692 	scan_plans = nla_nest_start_noflag(msg, NL80211_ATTR_SCHED_SCAN_PLANS);
14693 	if (!scan_plans)
14694 		return -ENOBUFS;
14695 
14696 	for (i = 0; i < req->n_scan_plans; i++) {
14697 		scan_plan = nla_nest_start_noflag(msg, i + 1);
14698 		if (!scan_plan)
14699 			return -ENOBUFS;
14700 
14701 		if (nla_put_u32(msg, NL80211_SCHED_SCAN_PLAN_INTERVAL,
14702 				req->scan_plans[i].interval) ||
14703 		    (req->scan_plans[i].iterations &&
14704 		     nla_put_u32(msg, NL80211_SCHED_SCAN_PLAN_ITERATIONS,
14705 				 req->scan_plans[i].iterations)))
14706 			return -ENOBUFS;
14707 		nla_nest_end(msg, scan_plan);
14708 	}
14709 	nla_nest_end(msg, scan_plans);
14710 
14711 	nla_nest_end(msg, nd);
14712 
14713 	return 0;
14714 }
14715 
14716 static int nl80211_get_wowlan(struct sk_buff *skb, struct genl_info *info)
14717 {
14718 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14719 	struct sk_buff *msg;
14720 	void *hdr;
14721 	u32 size = NLMSG_DEFAULT_SIZE;
14722 
14723 	if (!rdev->wiphy.wowlan)
14724 		return -EOPNOTSUPP;
14725 
14726 	if (rdev->wiphy.wowlan_config && rdev->wiphy.wowlan_config->tcp) {
14727 		/* adjust size to have room for all the data */
14728 		size += rdev->wiphy.wowlan_config->tcp->tokens_size +
14729 			rdev->wiphy.wowlan_config->tcp->payload_len +
14730 			rdev->wiphy.wowlan_config->tcp->wake_len +
14731 			rdev->wiphy.wowlan_config->tcp->wake_len / 8;
14732 	}
14733 
14734 	msg = nlmsg_new(size, GFP_KERNEL);
14735 	if (!msg)
14736 		return -ENOMEM;
14737 
14738 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
14739 			     NL80211_CMD_GET_WOWLAN);
14740 	if (!hdr)
14741 		goto nla_put_failure;
14742 
14743 	if (rdev->wiphy.wowlan_config) {
14744 		struct nlattr *nl_wowlan;
14745 
14746 		nl_wowlan = nla_nest_start_noflag(msg,
14747 						  NL80211_ATTR_WOWLAN_TRIGGERS);
14748 		if (!nl_wowlan)
14749 			goto nla_put_failure;
14750 
14751 		if ((rdev->wiphy.wowlan_config->any &&
14752 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_ANY)) ||
14753 		    (rdev->wiphy.wowlan_config->disconnect &&
14754 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_DISCONNECT)) ||
14755 		    (rdev->wiphy.wowlan_config->magic_pkt &&
14756 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_MAGIC_PKT)) ||
14757 		    (rdev->wiphy.wowlan_config->gtk_rekey_failure &&
14758 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE)) ||
14759 		    (rdev->wiphy.wowlan_config->eap_identity_req &&
14760 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST)) ||
14761 		    (rdev->wiphy.wowlan_config->four_way_handshake &&
14762 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE)) ||
14763 		    (rdev->wiphy.wowlan_config->rfkill_release &&
14764 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_RFKILL_RELEASE)))
14765 			goto nla_put_failure;
14766 
14767 		if (nl80211_send_wowlan_patterns(msg, rdev))
14768 			goto nla_put_failure;
14769 
14770 		if (nl80211_send_wowlan_tcp(msg,
14771 					    rdev->wiphy.wowlan_config->tcp))
14772 			goto nla_put_failure;
14773 
14774 		if (nl80211_send_wowlan_nd(
14775 			    msg,
14776 			    rdev->wiphy.wowlan_config->nd_config))
14777 			goto nla_put_failure;
14778 
14779 		nla_nest_end(msg, nl_wowlan);
14780 	}
14781 
14782 	genlmsg_end(msg, hdr);
14783 	return genlmsg_reply(msg, info);
14784 
14785 nla_put_failure:
14786 	nlmsg_free(msg);
14787 	return -ENOBUFS;
14788 }
14789 
14790 static int nl80211_parse_wowlan_tcp(struct cfg80211_registered_device *rdev,
14791 				    struct nlattr *attr,
14792 				    struct cfg80211_wowlan *trig)
14793 {
14794 	struct nlattr *tb[NUM_NL80211_WOWLAN_TCP];
14795 	struct cfg80211_wowlan_tcp *cfg;
14796 	struct nl80211_wowlan_tcp_data_token *tok = NULL;
14797 	struct nl80211_wowlan_tcp_data_seq *seq = NULL;
14798 	u32 size;
14799 	u32 data_size, wake_size, tokens_size = 0, wake_mask_size;
14800 	int err, port;
14801 
14802 	if (!rdev->wiphy.wowlan->tcp)
14803 		return -EINVAL;
14804 
14805 	err = nla_parse_nested_deprecated(tb, MAX_NL80211_WOWLAN_TCP, attr,
14806 					  nl80211_wowlan_tcp_policy, NULL);
14807 	if (err)
14808 		return err;
14809 
14810 	if (!tb[NL80211_WOWLAN_TCP_SRC_IPV4] ||
14811 	    !tb[NL80211_WOWLAN_TCP_DST_IPV4] ||
14812 	    !tb[NL80211_WOWLAN_TCP_DST_MAC] ||
14813 	    !tb[NL80211_WOWLAN_TCP_DST_PORT] ||
14814 	    !tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD] ||
14815 	    !tb[NL80211_WOWLAN_TCP_DATA_INTERVAL] ||
14816 	    !tb[NL80211_WOWLAN_TCP_WAKE_PAYLOAD] ||
14817 	    !tb[NL80211_WOWLAN_TCP_WAKE_MASK])
14818 		return -EINVAL;
14819 
14820 	data_size = nla_len(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD]);
14821 	if (data_size > rdev->wiphy.wowlan->tcp->data_payload_max)
14822 		return -EINVAL;
14823 
14824 	if (nla_get_u32(tb[NL80211_WOWLAN_TCP_DATA_INTERVAL]) >
14825 			rdev->wiphy.wowlan->tcp->data_interval_max ||
14826 	    nla_get_u32(tb[NL80211_WOWLAN_TCP_DATA_INTERVAL]) == 0)
14827 		return -EINVAL;
14828 
14829 	wake_size = nla_len(tb[NL80211_WOWLAN_TCP_WAKE_PAYLOAD]);
14830 	if (wake_size > rdev->wiphy.wowlan->tcp->wake_payload_max)
14831 		return -EINVAL;
14832 
14833 	wake_mask_size = nla_len(tb[NL80211_WOWLAN_TCP_WAKE_MASK]);
14834 	if (wake_mask_size != DIV_ROUND_UP(wake_size, 8))
14835 		return -EINVAL;
14836 
14837 	if (tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN]) {
14838 		u32 tokln = nla_len(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN]);
14839 
14840 		tok = nla_data(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN]);
14841 		tokens_size = tokln - sizeof(*tok);
14842 
14843 		if (!tok->len || tokens_size % tok->len)
14844 			return -EINVAL;
14845 		if (!rdev->wiphy.wowlan->tcp->tok)
14846 			return -EINVAL;
14847 		if (tok->len > rdev->wiphy.wowlan->tcp->tok->max_len)
14848 			return -EINVAL;
14849 		if (tok->len < rdev->wiphy.wowlan->tcp->tok->min_len)
14850 			return -EINVAL;
14851 		if (tokens_size > rdev->wiphy.wowlan->tcp->tok->bufsize)
14852 			return -EINVAL;
14853 		if (tok->offset + tok->len > data_size)
14854 			return -EINVAL;
14855 	}
14856 
14857 	if (tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ]) {
14858 		seq = nla_data(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ]);
14859 		if (!rdev->wiphy.wowlan->tcp->seq)
14860 			return -EINVAL;
14861 		if (seq->len == 0 || seq->len > 4)
14862 			return -EINVAL;
14863 		if (seq->len + seq->offset > data_size)
14864 			return -EINVAL;
14865 	}
14866 
14867 	size = sizeof(*cfg);
14868 	size += data_size;
14869 	size += wake_size + wake_mask_size;
14870 	size += tokens_size;
14871 
14872 	cfg = kzalloc(size, GFP_KERNEL);
14873 	if (!cfg)
14874 		return -ENOMEM;
14875 	cfg->src = nla_get_in_addr(tb[NL80211_WOWLAN_TCP_SRC_IPV4]);
14876 	cfg->dst = nla_get_in_addr(tb[NL80211_WOWLAN_TCP_DST_IPV4]);
14877 	memcpy(cfg->dst_mac, nla_data(tb[NL80211_WOWLAN_TCP_DST_MAC]),
14878 	       ETH_ALEN);
14879 	port = nla_get_u16_default(tb[NL80211_WOWLAN_TCP_SRC_PORT], 0);
14880 #ifdef CONFIG_INET
14881 	/* allocate a socket and port for it and use it */
14882 	err = __sock_create(wiphy_net(&rdev->wiphy), PF_INET, SOCK_STREAM,
14883 			    IPPROTO_TCP, &cfg->sock, 1);
14884 	if (err) {
14885 		kfree(cfg);
14886 		return err;
14887 	}
14888 	if (inet_csk_get_port(cfg->sock->sk, port)) {
14889 		sock_release(cfg->sock);
14890 		kfree(cfg);
14891 		return -EADDRINUSE;
14892 	}
14893 	cfg->src_port = inet_sk(cfg->sock->sk)->inet_num;
14894 #else
14895 	if (!port) {
14896 		kfree(cfg);
14897 		return -EINVAL;
14898 	}
14899 	cfg->src_port = port;
14900 #endif
14901 
14902 	cfg->dst_port = nla_get_u16(tb[NL80211_WOWLAN_TCP_DST_PORT]);
14903 	cfg->payload_len = data_size;
14904 	cfg->payload = (u8 *)cfg + sizeof(*cfg) + tokens_size;
14905 	memcpy((void *)cfg->payload,
14906 	       nla_data(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD]),
14907 	       data_size);
14908 	if (seq)
14909 		cfg->payload_seq = *seq;
14910 	cfg->data_interval = nla_get_u32(tb[NL80211_WOWLAN_TCP_DATA_INTERVAL]);
14911 	cfg->wake_len = wake_size;
14912 	cfg->wake_data = (u8 *)cfg + sizeof(*cfg) + tokens_size + data_size;
14913 	memcpy((void *)cfg->wake_data,
14914 	       nla_data(tb[NL80211_WOWLAN_TCP_WAKE_PAYLOAD]),
14915 	       wake_size);
14916 	cfg->wake_mask = (u8 *)cfg + sizeof(*cfg) + tokens_size +
14917 			 data_size + wake_size;
14918 	memcpy((void *)cfg->wake_mask,
14919 	       nla_data(tb[NL80211_WOWLAN_TCP_WAKE_MASK]),
14920 	       wake_mask_size);
14921 	if (tok) {
14922 		cfg->tokens_size = tokens_size;
14923 		cfg->payload_tok = *tok;
14924 		memcpy(cfg->payload_tok.token_stream, tok->token_stream,
14925 		       tokens_size);
14926 	}
14927 
14928 	trig->tcp = cfg;
14929 
14930 	return 0;
14931 }
14932 
14933 static int nl80211_parse_wowlan_nd(struct cfg80211_registered_device *rdev,
14934 				   const struct wiphy_wowlan_support *wowlan,
14935 				   struct nlattr *attr,
14936 				   struct cfg80211_wowlan *trig)
14937 {
14938 	struct nlattr **tb;
14939 	int err;
14940 
14941 	tb = kcalloc(NUM_NL80211_ATTR, sizeof(*tb), GFP_KERNEL);
14942 	if (!tb)
14943 		return -ENOMEM;
14944 
14945 	if (!(wowlan->flags & WIPHY_WOWLAN_NET_DETECT)) {
14946 		err = -EOPNOTSUPP;
14947 		goto out;
14948 	}
14949 
14950 	err = nla_parse_nested_deprecated(tb, NL80211_ATTR_MAX, attr,
14951 					  nl80211_policy, NULL);
14952 	if (err)
14953 		goto out;
14954 
14955 	trig->nd_config = nl80211_parse_sched_scan(&rdev->wiphy, NULL, tb,
14956 						   wowlan->max_nd_match_sets);
14957 	err = PTR_ERR_OR_ZERO(trig->nd_config);
14958 	if (err)
14959 		trig->nd_config = NULL;
14960 
14961 out:
14962 	kfree(tb);
14963 	return err;
14964 }
14965 
14966 static int nl80211_set_wowlan(struct sk_buff *skb, struct genl_info *info)
14967 {
14968 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14969 	struct nlattr *tb[NUM_NL80211_WOWLAN_TRIG];
14970 	struct cfg80211_wowlan new_triggers = {};
14971 	struct cfg80211_wowlan *ntrig;
14972 	const struct wiphy_wowlan_support *wowlan = rdev->wiphy.wowlan;
14973 	int err, i;
14974 	bool prev_enabled = rdev->wiphy.wowlan_config;
14975 	bool regular = false;
14976 
14977 	if (!wowlan)
14978 		return -EOPNOTSUPP;
14979 
14980 	if (!info->attrs[NL80211_ATTR_WOWLAN_TRIGGERS]) {
14981 		cfg80211_rdev_free_wowlan(rdev);
14982 		rdev->wiphy.wowlan_config = NULL;
14983 		goto set_wakeup;
14984 	}
14985 
14986 	err = nla_parse_nested_deprecated(tb, MAX_NL80211_WOWLAN_TRIG,
14987 					  info->attrs[NL80211_ATTR_WOWLAN_TRIGGERS],
14988 					  nl80211_wowlan_policy, info->extack);
14989 	if (err)
14990 		return err;
14991 
14992 	if (tb[NL80211_WOWLAN_TRIG_ANY]) {
14993 		if (!(wowlan->flags & WIPHY_WOWLAN_ANY))
14994 			return -EINVAL;
14995 		new_triggers.any = true;
14996 	}
14997 
14998 	if (tb[NL80211_WOWLAN_TRIG_DISCONNECT]) {
14999 		if (!(wowlan->flags & WIPHY_WOWLAN_DISCONNECT))
15000 			return -EINVAL;
15001 		new_triggers.disconnect = true;
15002 		regular = true;
15003 	}
15004 
15005 	if (tb[NL80211_WOWLAN_TRIG_MAGIC_PKT]) {
15006 		if (!(wowlan->flags & WIPHY_WOWLAN_MAGIC_PKT))
15007 			return -EINVAL;
15008 		new_triggers.magic_pkt = true;
15009 		regular = true;
15010 	}
15011 
15012 	if (tb[NL80211_WOWLAN_TRIG_GTK_REKEY_SUPPORTED])
15013 		return -EINVAL;
15014 
15015 	if (tb[NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE]) {
15016 		if (!(wowlan->flags & WIPHY_WOWLAN_GTK_REKEY_FAILURE))
15017 			return -EINVAL;
15018 		new_triggers.gtk_rekey_failure = true;
15019 		regular = true;
15020 	}
15021 
15022 	if (tb[NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST]) {
15023 		if (!(wowlan->flags & WIPHY_WOWLAN_EAP_IDENTITY_REQ))
15024 			return -EINVAL;
15025 		new_triggers.eap_identity_req = true;
15026 		regular = true;
15027 	}
15028 
15029 	if (tb[NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE]) {
15030 		if (!(wowlan->flags & WIPHY_WOWLAN_4WAY_HANDSHAKE))
15031 			return -EINVAL;
15032 		new_triggers.four_way_handshake = true;
15033 		regular = true;
15034 	}
15035 
15036 	if (tb[NL80211_WOWLAN_TRIG_RFKILL_RELEASE]) {
15037 		if (!(wowlan->flags & WIPHY_WOWLAN_RFKILL_RELEASE))
15038 			return -EINVAL;
15039 		new_triggers.rfkill_release = true;
15040 		regular = true;
15041 	}
15042 
15043 	if (tb[NL80211_WOWLAN_TRIG_PKT_PATTERN]) {
15044 		struct nlattr *pat;
15045 		int n_patterns = 0;
15046 		int rem, pat_len, mask_len, pkt_offset;
15047 		struct nlattr *pat_tb[NUM_NL80211_PKTPAT];
15048 
15049 		regular = true;
15050 
15051 		nla_for_each_nested(pat, tb[NL80211_WOWLAN_TRIG_PKT_PATTERN],
15052 				    rem)
15053 			n_patterns++;
15054 		if (n_patterns > wowlan->n_patterns)
15055 			return -EINVAL;
15056 
15057 		new_triggers.patterns = kcalloc(n_patterns,
15058 						sizeof(new_triggers.patterns[0]),
15059 						GFP_KERNEL);
15060 		if (!new_triggers.patterns)
15061 			return -ENOMEM;
15062 
15063 		new_triggers.n_patterns = n_patterns;
15064 		i = 0;
15065 
15066 		nla_for_each_nested(pat, tb[NL80211_WOWLAN_TRIG_PKT_PATTERN],
15067 				    rem) {
15068 			u8 *mask_pat;
15069 
15070 			err = nla_parse_nested_deprecated(pat_tb,
15071 							  MAX_NL80211_PKTPAT,
15072 							  pat,
15073 							  nl80211_packet_pattern_policy,
15074 							  info->extack);
15075 			if (err)
15076 				goto error;
15077 
15078 			err = -EINVAL;
15079 			if (!pat_tb[NL80211_PKTPAT_MASK] ||
15080 			    !pat_tb[NL80211_PKTPAT_PATTERN])
15081 				goto error;
15082 			pat_len = nla_len(pat_tb[NL80211_PKTPAT_PATTERN]);
15083 			mask_len = DIV_ROUND_UP(pat_len, 8);
15084 			if (nla_len(pat_tb[NL80211_PKTPAT_MASK]) != mask_len)
15085 				goto error;
15086 			if (pat_len > wowlan->pattern_max_len ||
15087 			    pat_len < wowlan->pattern_min_len)
15088 				goto error;
15089 
15090 			pkt_offset =
15091 				nla_get_u32_default(pat_tb[NL80211_PKTPAT_OFFSET],
15092 						    0);
15093 			if (pkt_offset > wowlan->max_pkt_offset)
15094 				goto error;
15095 			new_triggers.patterns[i].pkt_offset = pkt_offset;
15096 
15097 			mask_pat = kmalloc(mask_len + pat_len, GFP_KERNEL);
15098 			if (!mask_pat) {
15099 				err = -ENOMEM;
15100 				goto error;
15101 			}
15102 			new_triggers.patterns[i].mask = mask_pat;
15103 			memcpy(mask_pat, nla_data(pat_tb[NL80211_PKTPAT_MASK]),
15104 			       mask_len);
15105 			mask_pat += mask_len;
15106 			new_triggers.patterns[i].pattern = mask_pat;
15107 			new_triggers.patterns[i].pattern_len = pat_len;
15108 			memcpy(mask_pat,
15109 			       nla_data(pat_tb[NL80211_PKTPAT_PATTERN]),
15110 			       pat_len);
15111 			i++;
15112 		}
15113 	}
15114 
15115 	if (tb[NL80211_WOWLAN_TRIG_TCP_CONNECTION]) {
15116 		regular = true;
15117 		err = nl80211_parse_wowlan_tcp(
15118 			rdev, tb[NL80211_WOWLAN_TRIG_TCP_CONNECTION],
15119 			&new_triggers);
15120 		if (err)
15121 			goto error;
15122 	}
15123 
15124 	if (tb[NL80211_WOWLAN_TRIG_NET_DETECT]) {
15125 		regular = true;
15126 		err = nl80211_parse_wowlan_nd(
15127 			rdev, wowlan, tb[NL80211_WOWLAN_TRIG_NET_DETECT],
15128 			&new_triggers);
15129 		if (err)
15130 			goto error;
15131 	}
15132 
15133 	/* The 'any' trigger means the device continues operating more or less
15134 	 * as in its normal operation mode and wakes up the host on most of the
15135 	 * normal interrupts (like packet RX, ...)
15136 	 * It therefore makes little sense to combine with the more constrained
15137 	 * wakeup trigger modes.
15138 	 */
15139 	if (new_triggers.any && regular) {
15140 		err = -EINVAL;
15141 		goto error;
15142 	}
15143 
15144 	ntrig = kmemdup(&new_triggers, sizeof(new_triggers), GFP_KERNEL);
15145 	if (!ntrig) {
15146 		err = -ENOMEM;
15147 		goto error;
15148 	}
15149 	cfg80211_rdev_free_wowlan(rdev);
15150 	rdev->wiphy.wowlan_config = ntrig;
15151 
15152  set_wakeup:
15153 	if (rdev->ops->set_wakeup &&
15154 	    prev_enabled != !!rdev->wiphy.wowlan_config)
15155 		rdev_set_wakeup(rdev, rdev->wiphy.wowlan_config);
15156 
15157 	return 0;
15158  error:
15159 	for (i = 0; i < new_triggers.n_patterns; i++)
15160 		kfree(new_triggers.patterns[i].mask);
15161 	kfree(new_triggers.patterns);
15162 	if (new_triggers.tcp && new_triggers.tcp->sock)
15163 		sock_release(new_triggers.tcp->sock);
15164 	kfree(new_triggers.tcp);
15165 	kfree(new_triggers.nd_config);
15166 	return err;
15167 }
15168 #endif
15169 
15170 static int nl80211_send_coalesce_rules(struct sk_buff *msg,
15171 				       struct cfg80211_registered_device *rdev)
15172 {
15173 	struct nlattr *nl_pats, *nl_pat, *nl_rule, *nl_rules;
15174 	int i, j, pat_len;
15175 	struct cfg80211_coalesce_rules *rule;
15176 
15177 	if (!rdev->coalesce->n_rules)
15178 		return 0;
15179 
15180 	nl_rules = nla_nest_start_noflag(msg, NL80211_ATTR_COALESCE_RULE);
15181 	if (!nl_rules)
15182 		return -ENOBUFS;
15183 
15184 	for (i = 0; i < rdev->coalesce->n_rules; i++) {
15185 		nl_rule = nla_nest_start_noflag(msg, i + 1);
15186 		if (!nl_rule)
15187 			return -ENOBUFS;
15188 
15189 		rule = &rdev->coalesce->rules[i];
15190 		if (nla_put_u32(msg, NL80211_ATTR_COALESCE_RULE_DELAY,
15191 				rule->delay))
15192 			return -ENOBUFS;
15193 
15194 		if (nla_put_u32(msg, NL80211_ATTR_COALESCE_RULE_CONDITION,
15195 				rule->condition))
15196 			return -ENOBUFS;
15197 
15198 		nl_pats = nla_nest_start_noflag(msg,
15199 						NL80211_ATTR_COALESCE_RULE_PKT_PATTERN);
15200 		if (!nl_pats)
15201 			return -ENOBUFS;
15202 
15203 		for (j = 0; j < rule->n_patterns; j++) {
15204 			nl_pat = nla_nest_start_noflag(msg, j + 1);
15205 			if (!nl_pat)
15206 				return -ENOBUFS;
15207 			pat_len = rule->patterns[j].pattern_len;
15208 			if (nla_put(msg, NL80211_PKTPAT_MASK,
15209 				    DIV_ROUND_UP(pat_len, 8),
15210 				    rule->patterns[j].mask) ||
15211 			    nla_put(msg, NL80211_PKTPAT_PATTERN, pat_len,
15212 				    rule->patterns[j].pattern) ||
15213 			    nla_put_u32(msg, NL80211_PKTPAT_OFFSET,
15214 					rule->patterns[j].pkt_offset))
15215 				return -ENOBUFS;
15216 			nla_nest_end(msg, nl_pat);
15217 		}
15218 		nla_nest_end(msg, nl_pats);
15219 		nla_nest_end(msg, nl_rule);
15220 	}
15221 	nla_nest_end(msg, nl_rules);
15222 
15223 	return 0;
15224 }
15225 
15226 static int nl80211_get_coalesce(struct sk_buff *skb, struct genl_info *info)
15227 {
15228 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15229 	struct sk_buff *msg;
15230 	void *hdr;
15231 
15232 	if (!rdev->wiphy.coalesce)
15233 		return -EOPNOTSUPP;
15234 
15235 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
15236 	if (!msg)
15237 		return -ENOMEM;
15238 
15239 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
15240 			     NL80211_CMD_GET_COALESCE);
15241 	if (!hdr)
15242 		goto nla_put_failure;
15243 
15244 	if (rdev->coalesce && nl80211_send_coalesce_rules(msg, rdev))
15245 		goto nla_put_failure;
15246 
15247 	genlmsg_end(msg, hdr);
15248 	return genlmsg_reply(msg, info);
15249 
15250 nla_put_failure:
15251 	nlmsg_free(msg);
15252 	return -ENOBUFS;
15253 }
15254 
15255 void cfg80211_free_coalesce(struct cfg80211_coalesce *coalesce)
15256 {
15257 	int i, j;
15258 	struct cfg80211_coalesce_rules *rule;
15259 
15260 	if (!coalesce)
15261 		return;
15262 
15263 	for (i = 0; i < coalesce->n_rules; i++) {
15264 		rule = &coalesce->rules[i];
15265 		for (j = 0; j < rule->n_patterns; j++)
15266 			kfree(rule->patterns[j].mask);
15267 		kfree(rule->patterns);
15268 	}
15269 	kfree(coalesce);
15270 }
15271 
15272 static int nl80211_parse_coalesce_rule(struct cfg80211_registered_device *rdev,
15273 				       struct nlattr *rule,
15274 				       struct cfg80211_coalesce_rules *new_rule)
15275 {
15276 	int err, i;
15277 	const struct wiphy_coalesce_support *coalesce = rdev->wiphy.coalesce;
15278 	struct nlattr *tb[NUM_NL80211_ATTR_COALESCE_RULE], *pat;
15279 	int rem, pat_len, mask_len, pkt_offset, n_patterns = 0;
15280 	struct nlattr *pat_tb[NUM_NL80211_PKTPAT];
15281 
15282 	err = nla_parse_nested_deprecated(tb, NL80211_ATTR_COALESCE_RULE_MAX,
15283 					  rule, nl80211_coalesce_policy, NULL);
15284 	if (err)
15285 		return err;
15286 
15287 	if (tb[NL80211_ATTR_COALESCE_RULE_DELAY])
15288 		new_rule->delay =
15289 			nla_get_u32(tb[NL80211_ATTR_COALESCE_RULE_DELAY]);
15290 	if (new_rule->delay > coalesce->max_delay)
15291 		return -EINVAL;
15292 
15293 	if (tb[NL80211_ATTR_COALESCE_RULE_CONDITION])
15294 		new_rule->condition =
15295 			nla_get_u32(tb[NL80211_ATTR_COALESCE_RULE_CONDITION]);
15296 
15297 	if (!tb[NL80211_ATTR_COALESCE_RULE_PKT_PATTERN])
15298 		return -EINVAL;
15299 
15300 	nla_for_each_nested(pat, tb[NL80211_ATTR_COALESCE_RULE_PKT_PATTERN],
15301 			    rem)
15302 		n_patterns++;
15303 	if (n_patterns > coalesce->n_patterns)
15304 		return -EINVAL;
15305 
15306 	new_rule->patterns = kcalloc(n_patterns, sizeof(new_rule->patterns[0]),
15307 				     GFP_KERNEL);
15308 	if (!new_rule->patterns)
15309 		return -ENOMEM;
15310 
15311 	new_rule->n_patterns = n_patterns;
15312 	i = 0;
15313 
15314 	nla_for_each_nested(pat, tb[NL80211_ATTR_COALESCE_RULE_PKT_PATTERN],
15315 			    rem) {
15316 		u8 *mask_pat;
15317 
15318 		err = nla_parse_nested_deprecated(pat_tb, MAX_NL80211_PKTPAT,
15319 						  pat,
15320 						  nl80211_packet_pattern_policy,
15321 						  NULL);
15322 		if (err)
15323 			return err;
15324 
15325 		if (!pat_tb[NL80211_PKTPAT_MASK] ||
15326 		    !pat_tb[NL80211_PKTPAT_PATTERN])
15327 			return -EINVAL;
15328 		pat_len = nla_len(pat_tb[NL80211_PKTPAT_PATTERN]);
15329 		mask_len = DIV_ROUND_UP(pat_len, 8);
15330 		if (nla_len(pat_tb[NL80211_PKTPAT_MASK]) != mask_len)
15331 			return -EINVAL;
15332 		if (pat_len > coalesce->pattern_max_len ||
15333 		    pat_len < coalesce->pattern_min_len)
15334 			return -EINVAL;
15335 
15336 		pkt_offset = nla_get_u32_default(pat_tb[NL80211_PKTPAT_OFFSET],
15337 						 0);
15338 		if (pkt_offset > coalesce->max_pkt_offset)
15339 			return -EINVAL;
15340 		new_rule->patterns[i].pkt_offset = pkt_offset;
15341 
15342 		mask_pat = kmalloc(mask_len + pat_len, GFP_KERNEL);
15343 		if (!mask_pat)
15344 			return -ENOMEM;
15345 
15346 		new_rule->patterns[i].mask = mask_pat;
15347 		memcpy(mask_pat, nla_data(pat_tb[NL80211_PKTPAT_MASK]),
15348 		       mask_len);
15349 
15350 		mask_pat += mask_len;
15351 		new_rule->patterns[i].pattern = mask_pat;
15352 		new_rule->patterns[i].pattern_len = pat_len;
15353 		memcpy(mask_pat, nla_data(pat_tb[NL80211_PKTPAT_PATTERN]),
15354 		       pat_len);
15355 		i++;
15356 	}
15357 
15358 	return 0;
15359 }
15360 
15361 static int nl80211_set_coalesce(struct sk_buff *skb, struct genl_info *info)
15362 {
15363 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15364 	const struct wiphy_coalesce_support *coalesce = rdev->wiphy.coalesce;
15365 	struct cfg80211_coalesce *new_coalesce;
15366 	int err, rem_rule, n_rules = 0, i;
15367 	struct nlattr *rule;
15368 
15369 	if (!rdev->wiphy.coalesce || !rdev->ops->set_coalesce)
15370 		return -EOPNOTSUPP;
15371 
15372 	if (!info->attrs[NL80211_ATTR_COALESCE_RULE]) {
15373 		cfg80211_free_coalesce(rdev->coalesce);
15374 		rdev->coalesce = NULL;
15375 		rdev_set_coalesce(rdev, NULL);
15376 		return 0;
15377 	}
15378 
15379 	nla_for_each_nested(rule, info->attrs[NL80211_ATTR_COALESCE_RULE],
15380 			    rem_rule)
15381 		n_rules++;
15382 	if (n_rules > coalesce->n_rules)
15383 		return -EINVAL;
15384 
15385 	new_coalesce = kzalloc(struct_size(new_coalesce, rules, n_rules),
15386 			       GFP_KERNEL);
15387 	if (!new_coalesce)
15388 		return -ENOMEM;
15389 
15390 	new_coalesce->n_rules = n_rules;
15391 	i = 0;
15392 
15393 	nla_for_each_nested(rule, info->attrs[NL80211_ATTR_COALESCE_RULE],
15394 			    rem_rule) {
15395 		err = nl80211_parse_coalesce_rule(rdev, rule,
15396 						  &new_coalesce->rules[i]);
15397 		if (err)
15398 			goto error;
15399 
15400 		i++;
15401 	}
15402 
15403 	err = rdev_set_coalesce(rdev, new_coalesce);
15404 	if (err)
15405 		goto error;
15406 
15407 	cfg80211_free_coalesce(rdev->coalesce);
15408 	rdev->coalesce = new_coalesce;
15409 
15410 	return 0;
15411 error:
15412 	cfg80211_free_coalesce(new_coalesce);
15413 
15414 	return err;
15415 }
15416 
15417 static int nl80211_set_rekey_data(struct sk_buff *skb, struct genl_info *info)
15418 {
15419 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15420 	struct net_device *dev = info->user_ptr[1];
15421 	struct wireless_dev *wdev = dev->ieee80211_ptr;
15422 	struct nlattr *tb[NUM_NL80211_REKEY_DATA];
15423 	struct cfg80211_gtk_rekey_data rekey_data = {};
15424 	int err;
15425 
15426 	if (!info->attrs[NL80211_ATTR_REKEY_DATA])
15427 		return -EINVAL;
15428 
15429 	err = nla_parse_nested_deprecated(tb, MAX_NL80211_REKEY_DATA,
15430 					  info->attrs[NL80211_ATTR_REKEY_DATA],
15431 					  nl80211_rekey_policy, info->extack);
15432 	if (err)
15433 		return err;
15434 
15435 	if (!tb[NL80211_REKEY_DATA_REPLAY_CTR] || !tb[NL80211_REKEY_DATA_KEK] ||
15436 	    !tb[NL80211_REKEY_DATA_KCK])
15437 		return -EINVAL;
15438 	if (nla_len(tb[NL80211_REKEY_DATA_KEK]) != NL80211_KEK_LEN &&
15439 	    !(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_EXT_KEK_KCK &&
15440 	      nla_len(tb[NL80211_REKEY_DATA_KEK]) == NL80211_KEK_EXT_LEN))
15441 		return -ERANGE;
15442 	if (nla_len(tb[NL80211_REKEY_DATA_KCK]) != NL80211_KCK_LEN &&
15443 	    !(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_EXT_KEK_KCK &&
15444 	      nla_len(tb[NL80211_REKEY_DATA_KCK]) == NL80211_KCK_EXT_LEN) &&
15445 	     !(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_EXT_KCK_32 &&
15446 	       nla_len(tb[NL80211_REKEY_DATA_KCK]) == NL80211_KCK_EXT_LEN_32))
15447 		return -ERANGE;
15448 
15449 	rekey_data.kek = nla_data(tb[NL80211_REKEY_DATA_KEK]);
15450 	rekey_data.kck = nla_data(tb[NL80211_REKEY_DATA_KCK]);
15451 	rekey_data.replay_ctr = nla_data(tb[NL80211_REKEY_DATA_REPLAY_CTR]);
15452 	rekey_data.kek_len = nla_len(tb[NL80211_REKEY_DATA_KEK]);
15453 	rekey_data.kck_len = nla_len(tb[NL80211_REKEY_DATA_KCK]);
15454 	if (tb[NL80211_REKEY_DATA_AKM])
15455 		rekey_data.akm = nla_get_u32(tb[NL80211_REKEY_DATA_AKM]);
15456 
15457 	if (!wdev->connected)
15458 		return -ENOTCONN;
15459 
15460 	if (!rdev->ops->set_rekey_data)
15461 		return -EOPNOTSUPP;
15462 
15463 	return rdev_set_rekey_data(rdev, dev, &rekey_data);
15464 }
15465 
15466 static int nl80211_register_unexpected_frame(struct sk_buff *skb,
15467 					     struct genl_info *info)
15468 {
15469 	struct net_device *dev = info->user_ptr[1];
15470 	struct wireless_dev *wdev = dev->ieee80211_ptr;
15471 
15472 	if (wdev->iftype != NL80211_IFTYPE_AP &&
15473 	    wdev->iftype != NL80211_IFTYPE_P2P_GO)
15474 		return -EINVAL;
15475 
15476 	if (wdev->ap_unexpected_nlportid)
15477 		return -EBUSY;
15478 
15479 	wdev->ap_unexpected_nlportid = info->snd_portid;
15480 	return 0;
15481 }
15482 
15483 static int nl80211_probe_client(struct sk_buff *skb,
15484 				struct genl_info *info)
15485 {
15486 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15487 	struct net_device *dev = info->user_ptr[1];
15488 	struct wireless_dev *wdev = dev->ieee80211_ptr;
15489 	struct sk_buff *msg;
15490 	void *hdr;
15491 	const u8 *addr;
15492 	u64 cookie;
15493 	int err;
15494 
15495 	if (wdev->iftype != NL80211_IFTYPE_AP &&
15496 	    wdev->iftype != NL80211_IFTYPE_P2P_GO)
15497 		return -EOPNOTSUPP;
15498 
15499 	if (!info->attrs[NL80211_ATTR_MAC])
15500 		return -EINVAL;
15501 
15502 	if (!rdev->ops->probe_client)
15503 		return -EOPNOTSUPP;
15504 
15505 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
15506 	if (!msg)
15507 		return -ENOMEM;
15508 
15509 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
15510 			     NL80211_CMD_PROBE_CLIENT);
15511 	if (!hdr) {
15512 		err = -ENOBUFS;
15513 		goto free_msg;
15514 	}
15515 
15516 	addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
15517 
15518 	err = rdev_probe_client(rdev, dev, addr, &cookie);
15519 	if (err)
15520 		goto free_msg;
15521 
15522 	if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
15523 			      NL80211_ATTR_PAD))
15524 		goto nla_put_failure;
15525 
15526 	genlmsg_end(msg, hdr);
15527 
15528 	return genlmsg_reply(msg, info);
15529 
15530  nla_put_failure:
15531 	err = -ENOBUFS;
15532  free_msg:
15533 	nlmsg_free(msg);
15534 	return err;
15535 }
15536 
15537 static int nl80211_register_beacons(struct sk_buff *skb, struct genl_info *info)
15538 {
15539 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15540 	struct cfg80211_beacon_registration *reg, *nreg;
15541 	int rv;
15542 
15543 	if (!(rdev->wiphy.flags & WIPHY_FLAG_REPORTS_OBSS))
15544 		return -EOPNOTSUPP;
15545 
15546 	nreg = kzalloc(sizeof(*nreg), GFP_KERNEL);
15547 	if (!nreg)
15548 		return -ENOMEM;
15549 
15550 	/* First, check if already registered. */
15551 	spin_lock_bh(&rdev->beacon_registrations_lock);
15552 	list_for_each_entry(reg, &rdev->beacon_registrations, list) {
15553 		if (reg->nlportid == info->snd_portid) {
15554 			rv = -EALREADY;
15555 			goto out_err;
15556 		}
15557 	}
15558 	/* Add it to the list */
15559 	nreg->nlportid = info->snd_portid;
15560 	list_add(&nreg->list, &rdev->beacon_registrations);
15561 
15562 	spin_unlock_bh(&rdev->beacon_registrations_lock);
15563 
15564 	return 0;
15565 out_err:
15566 	spin_unlock_bh(&rdev->beacon_registrations_lock);
15567 	kfree(nreg);
15568 	return rv;
15569 }
15570 
15571 static int nl80211_start_p2p_device(struct sk_buff *skb, struct genl_info *info)
15572 {
15573 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15574 	struct wireless_dev *wdev = info->user_ptr[1];
15575 	int err;
15576 
15577 	if (!rdev->ops->start_p2p_device)
15578 		return -EOPNOTSUPP;
15579 
15580 	if (wdev->iftype != NL80211_IFTYPE_P2P_DEVICE)
15581 		return -EOPNOTSUPP;
15582 
15583 	if (wdev_running(wdev))
15584 		return 0;
15585 
15586 	if (rfkill_blocked(rdev->wiphy.rfkill))
15587 		return -ERFKILL;
15588 
15589 	err = rdev_start_p2p_device(rdev, wdev);
15590 	if (err)
15591 		return err;
15592 
15593 	wdev->is_running = true;
15594 	rdev->opencount++;
15595 
15596 	return 0;
15597 }
15598 
15599 static int nl80211_stop_p2p_device(struct sk_buff *skb, struct genl_info *info)
15600 {
15601 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15602 	struct wireless_dev *wdev = info->user_ptr[1];
15603 
15604 	if (wdev->iftype != NL80211_IFTYPE_P2P_DEVICE)
15605 		return -EOPNOTSUPP;
15606 
15607 	if (!rdev->ops->stop_p2p_device)
15608 		return -EOPNOTSUPP;
15609 
15610 	cfg80211_stop_p2p_device(rdev, wdev);
15611 
15612 	return 0;
15613 }
15614 
15615 static struct ieee80211_channel *nl80211_get_nan_channel(struct wiphy *wiphy,
15616 							 int freq)
15617 {
15618 	struct ieee80211_channel *chan;
15619 	struct cfg80211_chan_def def;
15620 
15621 	/* Check if the frequency is valid for NAN */
15622 	if (freq != 5220 && freq != 5745 && freq != 2437)
15623 		return NULL;
15624 
15625 	chan = ieee80211_get_channel(wiphy, freq);
15626 	if (!chan)
15627 		return NULL;
15628 
15629 	cfg80211_chandef_create(&def, chan, NL80211_CHAN_NO_HT);
15630 
15631 	/* Check if the channel is allowed */
15632 	if (cfg80211_reg_can_beacon(wiphy, &def, NL80211_IFTYPE_NAN))
15633 		return chan;
15634 
15635 	return NULL;
15636 }
15637 
15638 static int nl80211_parse_nan_band_config(struct wiphy *wiphy,
15639 					 struct nlattr **tb,
15640 					 struct cfg80211_nan_band_config *cfg,
15641 					 enum nl80211_band band)
15642 {
15643 	if (BIT(band) & ~(u32)wiphy->nan_supported_bands)
15644 		return -EINVAL;
15645 
15646 	if (tb[NL80211_NAN_BAND_CONF_FREQ]) {
15647 		u16 freq = nla_get_u16(tb[NL80211_NAN_BAND_CONF_FREQ]);
15648 
15649 		if (band != NL80211_BAND_5GHZ)
15650 			return -EINVAL;
15651 
15652 		cfg->chan = nl80211_get_nan_channel(wiphy, freq);
15653 		if (!cfg->chan)
15654 			return -EINVAL;
15655 	}
15656 
15657 	if (tb[NL80211_NAN_BAND_CONF_RSSI_CLOSE]) {
15658 		cfg->rssi_close =
15659 			nla_get_s8(tb[NL80211_NAN_BAND_CONF_RSSI_CLOSE]);
15660 		if (!tb[NL80211_NAN_BAND_CONF_RSSI_MIDDLE])
15661 			return -EINVAL;
15662 	}
15663 
15664 	if (tb[NL80211_NAN_BAND_CONF_RSSI_MIDDLE]) {
15665 		cfg->rssi_middle =
15666 			nla_get_s8(tb[NL80211_NAN_BAND_CONF_RSSI_MIDDLE]);
15667 		if (!cfg->rssi_close || cfg->rssi_middle >= cfg->rssi_close)
15668 			return -EINVAL;
15669 	}
15670 
15671 	if (tb[NL80211_NAN_BAND_CONF_WAKE_DW]) {
15672 		cfg->awake_dw_interval =
15673 			nla_get_u8(tb[NL80211_NAN_BAND_CONF_WAKE_DW]);
15674 
15675 		if (band == NL80211_BAND_2GHZ && cfg->awake_dw_interval == 0)
15676 			return -EINVAL;
15677 	}
15678 
15679 	cfg->disable_scan =
15680 		nla_get_flag(tb[NL80211_NAN_BAND_CONF_DISABLE_SCAN]);
15681 	return 0;
15682 }
15683 
15684 static int nl80211_parse_nan_conf(struct wiphy *wiphy,
15685 				  struct genl_info *info,
15686 				  struct cfg80211_nan_conf *conf,
15687 				  u32 *changed_flags,
15688 				  bool start)
15689 {
15690 	struct nlattr *attrs[NL80211_NAN_CONF_ATTR_MAX + 1];
15691 	int err, rem;
15692 	u32 changed = 0;
15693 	struct nlattr *band_config;
15694 
15695 	if (info->attrs[NL80211_ATTR_NAN_MASTER_PREF]) {
15696 		conf->master_pref =
15697 			nla_get_u8(info->attrs[NL80211_ATTR_NAN_MASTER_PREF]);
15698 
15699 		changed |= CFG80211_NAN_CONF_CHANGED_PREF;
15700 	}
15701 
15702 	if (info->attrs[NL80211_ATTR_BANDS]) {
15703 		u32 bands = nla_get_u32(info->attrs[NL80211_ATTR_BANDS]);
15704 
15705 		if (bands & ~(u32)wiphy->nan_supported_bands)
15706 			return -EOPNOTSUPP;
15707 
15708 		if (bands && !(bands & BIT(NL80211_BAND_2GHZ)))
15709 			return -EINVAL;
15710 
15711 		conf->bands = bands;
15712 		changed |= CFG80211_NAN_CONF_CHANGED_BANDS;
15713 	}
15714 
15715 	conf->band_cfgs[NL80211_BAND_2GHZ].awake_dw_interval = 1;
15716 	if (conf->bands & BIT(NL80211_BAND_5GHZ) || !conf->bands)
15717 		conf->band_cfgs[NL80211_BAND_5GHZ].awake_dw_interval = 1;
15718 
15719 	/* On 2.4 GHz band use channel 6 */
15720 	conf->band_cfgs[NL80211_BAND_2GHZ].chan =
15721 		nl80211_get_nan_channel(wiphy, 2437);
15722 	if (!conf->band_cfgs[NL80211_BAND_2GHZ].chan)
15723 		return -EINVAL;
15724 
15725 	if (!info->attrs[NL80211_ATTR_NAN_CONFIG])
15726 		goto out;
15727 
15728 	err = nla_parse_nested(attrs, NL80211_NAN_CONF_ATTR_MAX,
15729 			       info->attrs[NL80211_ATTR_NAN_CONFIG], NULL,
15730 			       info->extack);
15731 	if (err)
15732 		return err;
15733 
15734 	changed |= CFG80211_NAN_CONF_CHANGED_CONFIG;
15735 	if (attrs[NL80211_NAN_CONF_CLUSTER_ID] && start)
15736 		conf->cluster_id =
15737 			nla_data(attrs[NL80211_NAN_CONF_CLUSTER_ID]);
15738 
15739 	if (attrs[NL80211_NAN_CONF_EXTRA_ATTRS]) {
15740 		conf->extra_nan_attrs =
15741 			nla_data(attrs[NL80211_NAN_CONF_EXTRA_ATTRS]);
15742 		conf->extra_nan_attrs_len =
15743 			nla_len(attrs[NL80211_NAN_CONF_EXTRA_ATTRS]);
15744 	}
15745 
15746 	if (attrs[NL80211_NAN_CONF_VENDOR_ELEMS]) {
15747 		conf->vendor_elems =
15748 			nla_data(attrs[NL80211_NAN_CONF_VENDOR_ELEMS]);
15749 		conf->vendor_elems_len =
15750 			nla_len(attrs[NL80211_NAN_CONF_VENDOR_ELEMS]);
15751 	}
15752 
15753 	if (attrs[NL80211_NAN_CONF_BAND_CONFIGS]) {
15754 		nla_for_each_nested(band_config,
15755 				    attrs[NL80211_NAN_CONF_BAND_CONFIGS],
15756 				    rem) {
15757 			enum nl80211_band band;
15758 			struct cfg80211_nan_band_config *cfg;
15759 			struct nlattr *tb[NL80211_NAN_BAND_CONF_ATTR_MAX + 1];
15760 
15761 			err = nla_parse_nested(tb,
15762 					       NL80211_NAN_BAND_CONF_ATTR_MAX,
15763 					       band_config, NULL,
15764 					       info->extack);
15765 			if (err)
15766 				return err;
15767 
15768 			if (!tb[NL80211_NAN_BAND_CONF_BAND])
15769 				return -EINVAL;
15770 
15771 			band = nla_get_u8(tb[NL80211_NAN_BAND_CONF_BAND]);
15772 			if (conf->bands && !(conf->bands & BIT(band)))
15773 				return -EINVAL;
15774 
15775 			cfg = &conf->band_cfgs[band];
15776 
15777 			err = nl80211_parse_nan_band_config(wiphy, tb, cfg,
15778 							    band);
15779 			if (err)
15780 				return err;
15781 		}
15782 	}
15783 
15784 	if (attrs[NL80211_NAN_CONF_SCAN_PERIOD])
15785 		conf->scan_period =
15786 			nla_get_u16(attrs[NL80211_NAN_CONF_SCAN_PERIOD]);
15787 
15788 	if (attrs[NL80211_NAN_CONF_SCAN_DWELL_TIME])
15789 		conf->scan_dwell_time =
15790 			nla_get_u16(attrs[NL80211_NAN_CONF_SCAN_DWELL_TIME]);
15791 
15792 	if (attrs[NL80211_NAN_CONF_DISCOVERY_BEACON_INTERVAL])
15793 		conf->discovery_beacon_interval =
15794 			nla_get_u8(attrs[NL80211_NAN_CONF_DISCOVERY_BEACON_INTERVAL]);
15795 
15796 	if (attrs[NL80211_NAN_CONF_NOTIFY_DW])
15797 		conf->enable_dw_notification =
15798 			nla_get_flag(attrs[NL80211_NAN_CONF_NOTIFY_DW]);
15799 
15800 out:
15801 	if (!conf->band_cfgs[NL80211_BAND_5GHZ].chan &&
15802 	    (!conf->bands || conf->bands & BIT(NL80211_BAND_5GHZ))) {
15803 		/* If no 5GHz channel is specified use default, if possible */
15804 		conf->band_cfgs[NL80211_BAND_5GHZ].chan =
15805 				nl80211_get_nan_channel(wiphy, 5745);
15806 		if (!conf->band_cfgs[NL80211_BAND_5GHZ].chan)
15807 			conf->band_cfgs[NL80211_BAND_5GHZ].chan =
15808 					nl80211_get_nan_channel(wiphy, 5220);
15809 
15810 		/* Return error if user space asked explicitly for 5 GHz */
15811 		if (!conf->band_cfgs[NL80211_BAND_5GHZ].chan &&
15812 		    conf->bands & BIT(NL80211_BAND_5GHZ)) {
15813 			NL_SET_ERR_MSG_ATTR(info->extack,
15814 					    info->attrs[NL80211_ATTR_BANDS],
15815 					    "5 GHz band operation is not allowed");
15816 			return -EINVAL;
15817 		}
15818 	}
15819 
15820 	if (changed_flags)
15821 		*changed_flags = changed;
15822 
15823 	return 0;
15824 }
15825 
15826 static int nl80211_start_nan(struct sk_buff *skb, struct genl_info *info)
15827 {
15828 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15829 	struct wireless_dev *wdev = info->user_ptr[1];
15830 	struct cfg80211_nan_conf conf = {};
15831 	int err;
15832 
15833 	if (wdev->iftype != NL80211_IFTYPE_NAN)
15834 		return -EOPNOTSUPP;
15835 
15836 	if (wdev_running(wdev))
15837 		return -EEXIST;
15838 
15839 	if (rfkill_blocked(rdev->wiphy.rfkill))
15840 		return -ERFKILL;
15841 
15842 	/* Master preference is mandatory for START_NAN */
15843 	if (!info->attrs[NL80211_ATTR_NAN_MASTER_PREF])
15844 		return -EINVAL;
15845 
15846 	err = nl80211_parse_nan_conf(&rdev->wiphy, info, &conf, NULL, true);
15847 	if (err)
15848 		return err;
15849 
15850 	err = rdev_start_nan(rdev, wdev, &conf);
15851 	if (err)
15852 		return err;
15853 
15854 	wdev->is_running = true;
15855 	rdev->opencount++;
15856 
15857 	return 0;
15858 }
15859 
15860 static int nl80211_stop_nan(struct sk_buff *skb, struct genl_info *info)
15861 {
15862 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15863 	struct wireless_dev *wdev = info->user_ptr[1];
15864 
15865 	if (wdev->iftype != NL80211_IFTYPE_NAN)
15866 		return -EOPNOTSUPP;
15867 
15868 	cfg80211_stop_nan(rdev, wdev);
15869 
15870 	return 0;
15871 }
15872 
15873 static int validate_nan_filter(struct nlattr *filter_attr)
15874 {
15875 	struct nlattr *attr;
15876 	int len = 0, n_entries = 0, rem;
15877 
15878 	nla_for_each_nested(attr, filter_attr, rem) {
15879 		len += nla_len(attr);
15880 		n_entries++;
15881 	}
15882 
15883 	if (len >= U8_MAX)
15884 		return -EINVAL;
15885 
15886 	return n_entries;
15887 }
15888 
15889 static int handle_nan_filter(struct nlattr *attr_filter,
15890 			     struct cfg80211_nan_func *func,
15891 			     bool tx)
15892 {
15893 	struct nlattr *attr;
15894 	int n_entries, rem, i;
15895 	struct cfg80211_nan_func_filter *filter;
15896 
15897 	n_entries = validate_nan_filter(attr_filter);
15898 	if (n_entries < 0)
15899 		return n_entries;
15900 
15901 	BUILD_BUG_ON(sizeof(*func->rx_filters) != sizeof(*func->tx_filters));
15902 
15903 	filter = kcalloc(n_entries, sizeof(*func->rx_filters), GFP_KERNEL);
15904 	if (!filter)
15905 		return -ENOMEM;
15906 
15907 	i = 0;
15908 	nla_for_each_nested(attr, attr_filter, rem) {
15909 		filter[i].filter = nla_memdup(attr, GFP_KERNEL);
15910 		if (!filter[i].filter)
15911 			goto err;
15912 
15913 		filter[i].len = nla_len(attr);
15914 		i++;
15915 	}
15916 	if (tx) {
15917 		func->num_tx_filters = n_entries;
15918 		func->tx_filters = filter;
15919 	} else {
15920 		func->num_rx_filters = n_entries;
15921 		func->rx_filters = filter;
15922 	}
15923 
15924 	return 0;
15925 
15926 err:
15927 	i = 0;
15928 	nla_for_each_nested(attr, attr_filter, rem) {
15929 		kfree(filter[i].filter);
15930 		i++;
15931 	}
15932 	kfree(filter);
15933 	return -ENOMEM;
15934 }
15935 
15936 static int nl80211_nan_add_func(struct sk_buff *skb,
15937 				struct genl_info *info)
15938 {
15939 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15940 	struct wireless_dev *wdev = info->user_ptr[1];
15941 	struct nlattr *tb[NUM_NL80211_NAN_FUNC_ATTR], *func_attr;
15942 	struct cfg80211_nan_func *func;
15943 	struct sk_buff *msg = NULL;
15944 	void *hdr = NULL;
15945 	int err = 0;
15946 
15947 	if (wdev->iftype != NL80211_IFTYPE_NAN)
15948 		return -EOPNOTSUPP;
15949 
15950 	if (!wdev_running(wdev))
15951 		return -ENOTCONN;
15952 
15953 	if (!info->attrs[NL80211_ATTR_NAN_FUNC])
15954 		return -EINVAL;
15955 
15956 	err = nla_parse_nested_deprecated(tb, NL80211_NAN_FUNC_ATTR_MAX,
15957 					  info->attrs[NL80211_ATTR_NAN_FUNC],
15958 					  nl80211_nan_func_policy,
15959 					  info->extack);
15960 	if (err)
15961 		return err;
15962 
15963 	func = kzalloc(sizeof(*func), GFP_KERNEL);
15964 	if (!func)
15965 		return -ENOMEM;
15966 
15967 	func->cookie = cfg80211_assign_cookie(rdev);
15968 
15969 	if (!tb[NL80211_NAN_FUNC_TYPE]) {
15970 		err = -EINVAL;
15971 		goto out;
15972 	}
15973 
15974 
15975 	func->type = nla_get_u8(tb[NL80211_NAN_FUNC_TYPE]);
15976 
15977 	if (!tb[NL80211_NAN_FUNC_SERVICE_ID]) {
15978 		err = -EINVAL;
15979 		goto out;
15980 	}
15981 
15982 	memcpy(func->service_id, nla_data(tb[NL80211_NAN_FUNC_SERVICE_ID]),
15983 	       sizeof(func->service_id));
15984 
15985 	func->close_range =
15986 		nla_get_flag(tb[NL80211_NAN_FUNC_CLOSE_RANGE]);
15987 
15988 	if (tb[NL80211_NAN_FUNC_SERVICE_INFO]) {
15989 		func->serv_spec_info_len =
15990 			nla_len(tb[NL80211_NAN_FUNC_SERVICE_INFO]);
15991 		func->serv_spec_info =
15992 			kmemdup(nla_data(tb[NL80211_NAN_FUNC_SERVICE_INFO]),
15993 				func->serv_spec_info_len,
15994 				GFP_KERNEL);
15995 		if (!func->serv_spec_info) {
15996 			err = -ENOMEM;
15997 			goto out;
15998 		}
15999 	}
16000 
16001 	if (tb[NL80211_NAN_FUNC_TTL])
16002 		func->ttl = nla_get_u32(tb[NL80211_NAN_FUNC_TTL]);
16003 
16004 	switch (func->type) {
16005 	case NL80211_NAN_FUNC_PUBLISH:
16006 		if (!tb[NL80211_NAN_FUNC_PUBLISH_TYPE]) {
16007 			err = -EINVAL;
16008 			goto out;
16009 		}
16010 
16011 		func->publish_type =
16012 			nla_get_u8(tb[NL80211_NAN_FUNC_PUBLISH_TYPE]);
16013 		func->publish_bcast =
16014 			nla_get_flag(tb[NL80211_NAN_FUNC_PUBLISH_BCAST]);
16015 
16016 		if ((!(func->publish_type & NL80211_NAN_SOLICITED_PUBLISH)) &&
16017 			func->publish_bcast) {
16018 			err = -EINVAL;
16019 			goto out;
16020 		}
16021 		break;
16022 	case NL80211_NAN_FUNC_SUBSCRIBE:
16023 		func->subscribe_active =
16024 			nla_get_flag(tb[NL80211_NAN_FUNC_SUBSCRIBE_ACTIVE]);
16025 		break;
16026 	case NL80211_NAN_FUNC_FOLLOW_UP:
16027 		if (!tb[NL80211_NAN_FUNC_FOLLOW_UP_ID] ||
16028 		    !tb[NL80211_NAN_FUNC_FOLLOW_UP_REQ_ID] ||
16029 		    !tb[NL80211_NAN_FUNC_FOLLOW_UP_DEST]) {
16030 			err = -EINVAL;
16031 			goto out;
16032 		}
16033 
16034 		func->followup_id =
16035 			nla_get_u8(tb[NL80211_NAN_FUNC_FOLLOW_UP_ID]);
16036 		func->followup_reqid =
16037 			nla_get_u8(tb[NL80211_NAN_FUNC_FOLLOW_UP_REQ_ID]);
16038 		memcpy(func->followup_dest.addr,
16039 		       nla_data(tb[NL80211_NAN_FUNC_FOLLOW_UP_DEST]),
16040 		       sizeof(func->followup_dest.addr));
16041 		if (func->ttl) {
16042 			err = -EINVAL;
16043 			goto out;
16044 		}
16045 		break;
16046 	default:
16047 		err = -EINVAL;
16048 		goto out;
16049 	}
16050 
16051 	if (tb[NL80211_NAN_FUNC_SRF]) {
16052 		struct nlattr *srf_tb[NUM_NL80211_NAN_SRF_ATTR];
16053 
16054 		err = nla_parse_nested_deprecated(srf_tb,
16055 						  NL80211_NAN_SRF_ATTR_MAX,
16056 						  tb[NL80211_NAN_FUNC_SRF],
16057 						  nl80211_nan_srf_policy,
16058 						  info->extack);
16059 		if (err)
16060 			goto out;
16061 
16062 		func->srf_include =
16063 			nla_get_flag(srf_tb[NL80211_NAN_SRF_INCLUDE]);
16064 
16065 		if (srf_tb[NL80211_NAN_SRF_BF]) {
16066 			if (srf_tb[NL80211_NAN_SRF_MAC_ADDRS] ||
16067 			    !srf_tb[NL80211_NAN_SRF_BF_IDX]) {
16068 				err = -EINVAL;
16069 				goto out;
16070 			}
16071 
16072 			func->srf_bf_len =
16073 				nla_len(srf_tb[NL80211_NAN_SRF_BF]);
16074 			func->srf_bf =
16075 				kmemdup(nla_data(srf_tb[NL80211_NAN_SRF_BF]),
16076 					func->srf_bf_len, GFP_KERNEL);
16077 			if (!func->srf_bf) {
16078 				err = -ENOMEM;
16079 				goto out;
16080 			}
16081 
16082 			func->srf_bf_idx =
16083 				nla_get_u8(srf_tb[NL80211_NAN_SRF_BF_IDX]);
16084 		} else {
16085 			struct nlattr *attr, *mac_attr =
16086 				srf_tb[NL80211_NAN_SRF_MAC_ADDRS];
16087 			int n_entries, rem, i = 0;
16088 
16089 			if (!mac_attr) {
16090 				err = -EINVAL;
16091 				goto out;
16092 			}
16093 
16094 			n_entries = validate_acl_mac_addrs(mac_attr);
16095 			if (n_entries <= 0) {
16096 				err = -EINVAL;
16097 				goto out;
16098 			}
16099 
16100 			func->srf_num_macs = n_entries;
16101 			func->srf_macs =
16102 				kcalloc(n_entries, sizeof(*func->srf_macs),
16103 					GFP_KERNEL);
16104 			if (!func->srf_macs) {
16105 				err = -ENOMEM;
16106 				goto out;
16107 			}
16108 
16109 			nla_for_each_nested(attr, mac_attr, rem)
16110 				memcpy(func->srf_macs[i++].addr, nla_data(attr),
16111 				       sizeof(*func->srf_macs));
16112 		}
16113 	}
16114 
16115 	if (tb[NL80211_NAN_FUNC_TX_MATCH_FILTER]) {
16116 		err = handle_nan_filter(tb[NL80211_NAN_FUNC_TX_MATCH_FILTER],
16117 					func, true);
16118 		if (err)
16119 			goto out;
16120 	}
16121 
16122 	if (tb[NL80211_NAN_FUNC_RX_MATCH_FILTER]) {
16123 		err = handle_nan_filter(tb[NL80211_NAN_FUNC_RX_MATCH_FILTER],
16124 					func, false);
16125 		if (err)
16126 			goto out;
16127 	}
16128 
16129 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
16130 	if (!msg) {
16131 		err = -ENOMEM;
16132 		goto out;
16133 	}
16134 
16135 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
16136 			     NL80211_CMD_ADD_NAN_FUNCTION);
16137 	/* This can't really happen - we just allocated 4KB */
16138 	if (WARN_ON(!hdr)) {
16139 		err = -ENOMEM;
16140 		goto out;
16141 	}
16142 
16143 	err = rdev_add_nan_func(rdev, wdev, func);
16144 out:
16145 	if (err < 0) {
16146 		cfg80211_free_nan_func(func);
16147 		nlmsg_free(msg);
16148 		return err;
16149 	}
16150 
16151 	/* propagate the instance id and cookie to userspace  */
16152 	if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, func->cookie,
16153 			      NL80211_ATTR_PAD))
16154 		goto nla_put_failure;
16155 
16156 	func_attr = nla_nest_start_noflag(msg, NL80211_ATTR_NAN_FUNC);
16157 	if (!func_attr)
16158 		goto nla_put_failure;
16159 
16160 	if (nla_put_u8(msg, NL80211_NAN_FUNC_INSTANCE_ID,
16161 		       func->instance_id))
16162 		goto nla_put_failure;
16163 
16164 	nla_nest_end(msg, func_attr);
16165 
16166 	genlmsg_end(msg, hdr);
16167 	return genlmsg_reply(msg, info);
16168 
16169 nla_put_failure:
16170 	nlmsg_free(msg);
16171 	return -ENOBUFS;
16172 }
16173 
16174 static int nl80211_nan_del_func(struct sk_buff *skb,
16175 			       struct genl_info *info)
16176 {
16177 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
16178 	struct wireless_dev *wdev = info->user_ptr[1];
16179 	u64 cookie;
16180 
16181 	if (wdev->iftype != NL80211_IFTYPE_NAN)
16182 		return -EOPNOTSUPP;
16183 
16184 	if (!wdev_running(wdev))
16185 		return -ENOTCONN;
16186 
16187 	if (!info->attrs[NL80211_ATTR_COOKIE])
16188 		return -EINVAL;
16189 
16190 	cookie = nla_get_u64(info->attrs[NL80211_ATTR_COOKIE]);
16191 
16192 	rdev_del_nan_func(rdev, wdev, cookie);
16193 
16194 	return 0;
16195 }
16196 
16197 static int nl80211_nan_change_config(struct sk_buff *skb,
16198 				     struct genl_info *info)
16199 {
16200 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
16201 	struct wireless_dev *wdev = info->user_ptr[1];
16202 	struct cfg80211_nan_conf conf = {};
16203 	u32 changed = 0;
16204 	int err;
16205 
16206 	if (wdev->iftype != NL80211_IFTYPE_NAN)
16207 		return -EOPNOTSUPP;
16208 
16209 	if (!wdev_running(wdev))
16210 		return -ENOTCONN;
16211 
16212 	err = nl80211_parse_nan_conf(&rdev->wiphy, info, &conf, &changed, false);
16213 	if (err)
16214 		return err;
16215 
16216 	if (!changed)
16217 		return -EINVAL;
16218 
16219 	return rdev_nan_change_conf(rdev, wdev, &conf, changed);
16220 }
16221 
16222 void cfg80211_nan_match(struct wireless_dev *wdev,
16223 			struct cfg80211_nan_match_params *match, gfp_t gfp)
16224 {
16225 	struct wiphy *wiphy = wdev->wiphy;
16226 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
16227 	struct nlattr *match_attr, *local_func_attr, *peer_func_attr;
16228 	struct sk_buff *msg;
16229 	void *hdr;
16230 
16231 	if (WARN_ON(wiphy->nan_capa.flags & WIPHY_NAN_FLAGS_USERSPACE_DE))
16232 		return;
16233 
16234 	if (WARN_ON(!match->inst_id || !match->peer_inst_id || !match->addr))
16235 		return;
16236 
16237 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
16238 	if (!msg)
16239 		return;
16240 
16241 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_NAN_MATCH);
16242 	if (!hdr) {
16243 		nlmsg_free(msg);
16244 		return;
16245 	}
16246 
16247 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
16248 	    (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
16249 					 wdev->netdev->ifindex)) ||
16250 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
16251 			      NL80211_ATTR_PAD))
16252 		goto nla_put_failure;
16253 
16254 	if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, match->cookie,
16255 			      NL80211_ATTR_PAD) ||
16256 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, match->addr))
16257 		goto nla_put_failure;
16258 
16259 	match_attr = nla_nest_start_noflag(msg, NL80211_ATTR_NAN_MATCH);
16260 	if (!match_attr)
16261 		goto nla_put_failure;
16262 
16263 	local_func_attr = nla_nest_start_noflag(msg,
16264 						NL80211_NAN_MATCH_FUNC_LOCAL);
16265 	if (!local_func_attr)
16266 		goto nla_put_failure;
16267 
16268 	if (nla_put_u8(msg, NL80211_NAN_FUNC_INSTANCE_ID, match->inst_id))
16269 		goto nla_put_failure;
16270 
16271 	nla_nest_end(msg, local_func_attr);
16272 
16273 	peer_func_attr = nla_nest_start_noflag(msg,
16274 					       NL80211_NAN_MATCH_FUNC_PEER);
16275 	if (!peer_func_attr)
16276 		goto nla_put_failure;
16277 
16278 	if (nla_put_u8(msg, NL80211_NAN_FUNC_TYPE, match->type) ||
16279 	    nla_put_u8(msg, NL80211_NAN_FUNC_INSTANCE_ID, match->peer_inst_id))
16280 		goto nla_put_failure;
16281 
16282 	if (match->info && match->info_len &&
16283 	    nla_put(msg, NL80211_NAN_FUNC_SERVICE_INFO, match->info_len,
16284 		    match->info))
16285 		goto nla_put_failure;
16286 
16287 	nla_nest_end(msg, peer_func_attr);
16288 	nla_nest_end(msg, match_attr);
16289 	genlmsg_end(msg, hdr);
16290 
16291 	if (!wdev->owner_nlportid)
16292 		genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy),
16293 					msg, 0, NL80211_MCGRP_NAN, gfp);
16294 	else
16295 		genlmsg_unicast(wiphy_net(&rdev->wiphy), msg,
16296 				wdev->owner_nlportid);
16297 
16298 	return;
16299 
16300 nla_put_failure:
16301 	nlmsg_free(msg);
16302 }
16303 EXPORT_SYMBOL(cfg80211_nan_match);
16304 
16305 void cfg80211_nan_func_terminated(struct wireless_dev *wdev,
16306 				  u8 inst_id,
16307 				  enum nl80211_nan_func_term_reason reason,
16308 				  u64 cookie, gfp_t gfp)
16309 {
16310 	struct wiphy *wiphy = wdev->wiphy;
16311 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
16312 	struct sk_buff *msg;
16313 	struct nlattr *func_attr;
16314 	void *hdr;
16315 
16316 	if (WARN_ON(wiphy->nan_capa.flags & WIPHY_NAN_FLAGS_USERSPACE_DE))
16317 		return;
16318 
16319 	if (WARN_ON(!inst_id))
16320 		return;
16321 
16322 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
16323 	if (!msg)
16324 		return;
16325 
16326 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_DEL_NAN_FUNCTION);
16327 	if (!hdr) {
16328 		nlmsg_free(msg);
16329 		return;
16330 	}
16331 
16332 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
16333 	    (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
16334 					 wdev->netdev->ifindex)) ||
16335 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
16336 			      NL80211_ATTR_PAD))
16337 		goto nla_put_failure;
16338 
16339 	if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
16340 			      NL80211_ATTR_PAD))
16341 		goto nla_put_failure;
16342 
16343 	func_attr = nla_nest_start_noflag(msg, NL80211_ATTR_NAN_FUNC);
16344 	if (!func_attr)
16345 		goto nla_put_failure;
16346 
16347 	if (nla_put_u8(msg, NL80211_NAN_FUNC_INSTANCE_ID, inst_id) ||
16348 	    nla_put_u8(msg, NL80211_NAN_FUNC_TERM_REASON, reason))
16349 		goto nla_put_failure;
16350 
16351 	nla_nest_end(msg, func_attr);
16352 	genlmsg_end(msg, hdr);
16353 
16354 	if (!wdev->owner_nlportid)
16355 		genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy),
16356 					msg, 0, NL80211_MCGRP_NAN, gfp);
16357 	else
16358 		genlmsg_unicast(wiphy_net(&rdev->wiphy), msg,
16359 				wdev->owner_nlportid);
16360 
16361 	return;
16362 
16363 nla_put_failure:
16364 	nlmsg_free(msg);
16365 }
16366 EXPORT_SYMBOL(cfg80211_nan_func_terminated);
16367 
16368 static int nl80211_get_protocol_features(struct sk_buff *skb,
16369 					 struct genl_info *info)
16370 {
16371 	void *hdr;
16372 	struct sk_buff *msg;
16373 
16374 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
16375 	if (!msg)
16376 		return -ENOMEM;
16377 
16378 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
16379 			     NL80211_CMD_GET_PROTOCOL_FEATURES);
16380 	if (!hdr)
16381 		goto nla_put_failure;
16382 
16383 	if (nla_put_u32(msg, NL80211_ATTR_PROTOCOL_FEATURES,
16384 			NL80211_PROTOCOL_FEATURE_SPLIT_WIPHY_DUMP))
16385 		goto nla_put_failure;
16386 
16387 	genlmsg_end(msg, hdr);
16388 	return genlmsg_reply(msg, info);
16389 
16390  nla_put_failure:
16391 	kfree_skb(msg);
16392 	return -ENOBUFS;
16393 }
16394 
16395 static int nl80211_update_ft_ies(struct sk_buff *skb, struct genl_info *info)
16396 {
16397 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
16398 	struct cfg80211_update_ft_ies_params ft_params;
16399 	struct net_device *dev = info->user_ptr[1];
16400 
16401 	if (!rdev->ops->update_ft_ies)
16402 		return -EOPNOTSUPP;
16403 
16404 	if (!info->attrs[NL80211_ATTR_MDID] ||
16405 	    !info->attrs[NL80211_ATTR_IE])
16406 		return -EINVAL;
16407 
16408 	memset(&ft_params, 0, sizeof(ft_params));
16409 	ft_params.md = nla_get_u16(info->attrs[NL80211_ATTR_MDID]);
16410 	ft_params.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
16411 	ft_params.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
16412 
16413 	return rdev_update_ft_ies(rdev, dev, &ft_params);
16414 }
16415 
16416 static int nl80211_crit_protocol_start(struct sk_buff *skb,
16417 				       struct genl_info *info)
16418 {
16419 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
16420 	struct wireless_dev *wdev = info->user_ptr[1];
16421 	enum nl80211_crit_proto_id proto = NL80211_CRIT_PROTO_UNSPEC;
16422 	u16 duration;
16423 	int ret;
16424 
16425 	if (!rdev->ops->crit_proto_start)
16426 		return -EOPNOTSUPP;
16427 
16428 	if (WARN_ON(!rdev->ops->crit_proto_stop))
16429 		return -EINVAL;
16430 
16431 	if (rdev->crit_proto_nlportid)
16432 		return -EBUSY;
16433 
16434 	/* determine protocol if provided */
16435 	if (info->attrs[NL80211_ATTR_CRIT_PROT_ID])
16436 		proto = nla_get_u16(info->attrs[NL80211_ATTR_CRIT_PROT_ID]);
16437 
16438 	if (proto >= NUM_NL80211_CRIT_PROTO)
16439 		return -EINVAL;
16440 
16441 	/* timeout must be provided */
16442 	if (!info->attrs[NL80211_ATTR_MAX_CRIT_PROT_DURATION])
16443 		return -EINVAL;
16444 
16445 	duration =
16446 		nla_get_u16(info->attrs[NL80211_ATTR_MAX_CRIT_PROT_DURATION]);
16447 
16448 	ret = rdev_crit_proto_start(rdev, wdev, proto, duration);
16449 	if (!ret)
16450 		rdev->crit_proto_nlportid = info->snd_portid;
16451 
16452 	return ret;
16453 }
16454 
16455 static int nl80211_crit_protocol_stop(struct sk_buff *skb,
16456 				      struct genl_info *info)
16457 {
16458 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
16459 	struct wireless_dev *wdev = info->user_ptr[1];
16460 
16461 	if (!rdev->ops->crit_proto_stop)
16462 		return -EOPNOTSUPP;
16463 
16464 	if (rdev->crit_proto_nlportid) {
16465 		rdev->crit_proto_nlportid = 0;
16466 		rdev_crit_proto_stop(rdev, wdev);
16467 	}
16468 	return 0;
16469 }
16470 
16471 static int nl80211_vendor_check_policy(const struct wiphy_vendor_command *vcmd,
16472 				       struct nlattr *attr,
16473 				       struct netlink_ext_ack *extack)
16474 {
16475 	if (vcmd->policy == VENDOR_CMD_RAW_DATA) {
16476 		if (attr->nla_type & NLA_F_NESTED) {
16477 			NL_SET_ERR_MSG_ATTR(extack, attr,
16478 					    "unexpected nested data");
16479 			return -EINVAL;
16480 		}
16481 
16482 		return 0;
16483 	}
16484 
16485 	if (!(attr->nla_type & NLA_F_NESTED)) {
16486 		NL_SET_ERR_MSG_ATTR(extack, attr, "expected nested data");
16487 		return -EINVAL;
16488 	}
16489 
16490 	return nla_validate_nested(attr, vcmd->maxattr, vcmd->policy, extack);
16491 }
16492 
16493 static int nl80211_vendor_cmd(struct sk_buff *skb, struct genl_info *info)
16494 {
16495 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
16496 	struct wireless_dev *wdev =
16497 		__cfg80211_wdev_from_attrs(rdev, genl_info_net(info),
16498 					   info->attrs);
16499 	int i, err;
16500 	u32 vid, subcmd;
16501 
16502 	if (!rdev->wiphy.vendor_commands)
16503 		return -EOPNOTSUPP;
16504 
16505 	if (IS_ERR(wdev)) {
16506 		err = PTR_ERR(wdev);
16507 		if (err != -EINVAL)
16508 			return err;
16509 		wdev = NULL;
16510 	} else if (wdev->wiphy != &rdev->wiphy) {
16511 		return -EINVAL;
16512 	}
16513 
16514 	if (!info->attrs[NL80211_ATTR_VENDOR_ID] ||
16515 	    !info->attrs[NL80211_ATTR_VENDOR_SUBCMD])
16516 		return -EINVAL;
16517 
16518 	vid = nla_get_u32(info->attrs[NL80211_ATTR_VENDOR_ID]);
16519 	subcmd = nla_get_u32(info->attrs[NL80211_ATTR_VENDOR_SUBCMD]);
16520 	for (i = 0; i < rdev->wiphy.n_vendor_commands; i++) {
16521 		const struct wiphy_vendor_command *vcmd;
16522 		void *data = NULL;
16523 		int len = 0;
16524 
16525 		vcmd = &rdev->wiphy.vendor_commands[i];
16526 
16527 		if (vcmd->info.vendor_id != vid || vcmd->info.subcmd != subcmd)
16528 			continue;
16529 
16530 		if (vcmd->flags & (WIPHY_VENDOR_CMD_NEED_WDEV |
16531 				   WIPHY_VENDOR_CMD_NEED_NETDEV)) {
16532 			if (!wdev)
16533 				return -EINVAL;
16534 			if (vcmd->flags & WIPHY_VENDOR_CMD_NEED_NETDEV &&
16535 			    !wdev->netdev)
16536 				return -EINVAL;
16537 
16538 			if (vcmd->flags & WIPHY_VENDOR_CMD_NEED_RUNNING) {
16539 				if (!wdev_running(wdev))
16540 					return -ENETDOWN;
16541 			}
16542 		} else {
16543 			wdev = NULL;
16544 		}
16545 
16546 		if (!vcmd->doit)
16547 			return -EOPNOTSUPP;
16548 
16549 		if (info->attrs[NL80211_ATTR_VENDOR_DATA]) {
16550 			data = nla_data(info->attrs[NL80211_ATTR_VENDOR_DATA]);
16551 			len = nla_len(info->attrs[NL80211_ATTR_VENDOR_DATA]);
16552 
16553 			err = nl80211_vendor_check_policy(vcmd,
16554 					info->attrs[NL80211_ATTR_VENDOR_DATA],
16555 					info->extack);
16556 			if (err)
16557 				return err;
16558 		}
16559 
16560 		rdev->cur_cmd_info = info;
16561 		err = vcmd->doit(&rdev->wiphy, wdev, data, len);
16562 		rdev->cur_cmd_info = NULL;
16563 		return err;
16564 	}
16565 
16566 	return -EOPNOTSUPP;
16567 }
16568 
16569 static int nl80211_prepare_vendor_dump(struct sk_buff *skb,
16570 				       struct netlink_callback *cb,
16571 				       struct cfg80211_registered_device **rdev,
16572 				       struct wireless_dev **wdev)
16573 {
16574 	struct nlattr **attrbuf;
16575 	u32 vid, subcmd;
16576 	unsigned int i;
16577 	int vcmd_idx = -1;
16578 	int err;
16579 	void *data = NULL;
16580 	unsigned int data_len = 0;
16581 
16582 	if (cb->args[0]) {
16583 		/* subtract the 1 again here */
16584 		struct wiphy *wiphy = wiphy_idx_to_wiphy(cb->args[0] - 1);
16585 		struct wireless_dev *tmp;
16586 
16587 		if (!wiphy)
16588 			return -ENODEV;
16589 		*rdev = wiphy_to_rdev(wiphy);
16590 		*wdev = NULL;
16591 
16592 		if (cb->args[1]) {
16593 			list_for_each_entry(tmp, &wiphy->wdev_list, list) {
16594 				if (tmp->identifier == cb->args[1] - 1) {
16595 					*wdev = tmp;
16596 					break;
16597 				}
16598 			}
16599 		}
16600 
16601 		/* keep rtnl locked in successful case */
16602 		return 0;
16603 	}
16604 
16605 	attrbuf = kcalloc(NUM_NL80211_ATTR, sizeof(*attrbuf), GFP_KERNEL);
16606 	if (!attrbuf)
16607 		return -ENOMEM;
16608 
16609 	err = nlmsg_parse_deprecated(cb->nlh,
16610 				     GENL_HDRLEN + nl80211_fam.hdrsize,
16611 				     attrbuf, nl80211_fam.maxattr,
16612 				     nl80211_policy, NULL);
16613 	if (err)
16614 		goto out;
16615 
16616 	if (!attrbuf[NL80211_ATTR_VENDOR_ID] ||
16617 	    !attrbuf[NL80211_ATTR_VENDOR_SUBCMD]) {
16618 		err = -EINVAL;
16619 		goto out;
16620 	}
16621 
16622 	*wdev = __cfg80211_wdev_from_attrs(NULL, sock_net(skb->sk), attrbuf);
16623 	if (IS_ERR(*wdev))
16624 		*wdev = NULL;
16625 
16626 	*rdev = __cfg80211_rdev_from_attrs(sock_net(skb->sk), attrbuf);
16627 	if (IS_ERR(*rdev)) {
16628 		err = PTR_ERR(*rdev);
16629 		goto out;
16630 	}
16631 
16632 	vid = nla_get_u32(attrbuf[NL80211_ATTR_VENDOR_ID]);
16633 	subcmd = nla_get_u32(attrbuf[NL80211_ATTR_VENDOR_SUBCMD]);
16634 
16635 	for (i = 0; i < (*rdev)->wiphy.n_vendor_commands; i++) {
16636 		const struct wiphy_vendor_command *vcmd;
16637 
16638 		vcmd = &(*rdev)->wiphy.vendor_commands[i];
16639 
16640 		if (vcmd->info.vendor_id != vid || vcmd->info.subcmd != subcmd)
16641 			continue;
16642 
16643 		if (!vcmd->dumpit) {
16644 			err = -EOPNOTSUPP;
16645 			goto out;
16646 		}
16647 
16648 		vcmd_idx = i;
16649 		break;
16650 	}
16651 
16652 	if (vcmd_idx < 0) {
16653 		err = -EOPNOTSUPP;
16654 		goto out;
16655 	}
16656 
16657 	if (attrbuf[NL80211_ATTR_VENDOR_DATA]) {
16658 		data = nla_data(attrbuf[NL80211_ATTR_VENDOR_DATA]);
16659 		data_len = nla_len(attrbuf[NL80211_ATTR_VENDOR_DATA]);
16660 
16661 		err = nl80211_vendor_check_policy(
16662 				&(*rdev)->wiphy.vendor_commands[vcmd_idx],
16663 				attrbuf[NL80211_ATTR_VENDOR_DATA],
16664 				cb->extack);
16665 		if (err)
16666 			goto out;
16667 	}
16668 
16669 	/* 0 is the first index - add 1 to parse only once */
16670 	cb->args[0] = (*rdev)->wiphy_idx + 1;
16671 	/* add 1 to know if it was NULL */
16672 	cb->args[1] = *wdev ? (*wdev)->identifier + 1 : 0;
16673 	cb->args[2] = vcmd_idx;
16674 	cb->args[3] = (unsigned long)data;
16675 	cb->args[4] = data_len;
16676 
16677 	/* keep rtnl locked in successful case */
16678 	err = 0;
16679 out:
16680 	kfree(attrbuf);
16681 	return err;
16682 }
16683 
16684 static int nl80211_vendor_cmd_dump(struct sk_buff *skb,
16685 				   struct netlink_callback *cb)
16686 {
16687 	struct cfg80211_registered_device *rdev;
16688 	struct wireless_dev *wdev;
16689 	unsigned int vcmd_idx;
16690 	const struct wiphy_vendor_command *vcmd;
16691 	void *data;
16692 	int data_len;
16693 	int err;
16694 	struct nlattr *vendor_data;
16695 
16696 	rtnl_lock();
16697 	err = nl80211_prepare_vendor_dump(skb, cb, &rdev, &wdev);
16698 	if (err)
16699 		goto out;
16700 
16701 	vcmd_idx = cb->args[2];
16702 	data = (void *)cb->args[3];
16703 	data_len = cb->args[4];
16704 	vcmd = &rdev->wiphy.vendor_commands[vcmd_idx];
16705 
16706 	if (vcmd->flags & (WIPHY_VENDOR_CMD_NEED_WDEV |
16707 			   WIPHY_VENDOR_CMD_NEED_NETDEV)) {
16708 		if (!wdev) {
16709 			err = -EINVAL;
16710 			goto out;
16711 		}
16712 		if (vcmd->flags & WIPHY_VENDOR_CMD_NEED_NETDEV &&
16713 		    !wdev->netdev) {
16714 			err = -EINVAL;
16715 			goto out;
16716 		}
16717 
16718 		if (vcmd->flags & WIPHY_VENDOR_CMD_NEED_RUNNING) {
16719 			if (!wdev_running(wdev)) {
16720 				err = -ENETDOWN;
16721 				goto out;
16722 			}
16723 		}
16724 	}
16725 
16726 	while (1) {
16727 		void *hdr = nl80211hdr_put(skb, NETLINK_CB(cb->skb).portid,
16728 					   cb->nlh->nlmsg_seq, NLM_F_MULTI,
16729 					   NL80211_CMD_VENDOR);
16730 		if (!hdr)
16731 			break;
16732 
16733 		if (nla_put_u32(skb, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
16734 		    (wdev && nla_put_u64_64bit(skb, NL80211_ATTR_WDEV,
16735 					       wdev_id(wdev),
16736 					       NL80211_ATTR_PAD))) {
16737 			genlmsg_cancel(skb, hdr);
16738 			break;
16739 		}
16740 
16741 		vendor_data = nla_nest_start_noflag(skb,
16742 						    NL80211_ATTR_VENDOR_DATA);
16743 		if (!vendor_data) {
16744 			genlmsg_cancel(skb, hdr);
16745 			break;
16746 		}
16747 
16748 		err = vcmd->dumpit(&rdev->wiphy, wdev, skb, data, data_len,
16749 				   (unsigned long *)&cb->args[5]);
16750 		nla_nest_end(skb, vendor_data);
16751 
16752 		if (err == -ENOBUFS || err == -ENOENT) {
16753 			genlmsg_cancel(skb, hdr);
16754 			break;
16755 		} else if (err <= 0) {
16756 			genlmsg_cancel(skb, hdr);
16757 			goto out;
16758 		}
16759 
16760 		genlmsg_end(skb, hdr);
16761 	}
16762 
16763 	err = skb->len;
16764  out:
16765 	rtnl_unlock();
16766 	return err;
16767 }
16768 
16769 struct sk_buff *__cfg80211_alloc_reply_skb(struct wiphy *wiphy,
16770 					   enum nl80211_commands cmd,
16771 					   enum nl80211_attrs attr,
16772 					   int approxlen)
16773 {
16774 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
16775 
16776 	if (WARN_ON(!rdev->cur_cmd_info))
16777 		return NULL;
16778 
16779 	return __cfg80211_alloc_vendor_skb(rdev, NULL, approxlen,
16780 					   rdev->cur_cmd_info->snd_portid,
16781 					   rdev->cur_cmd_info->snd_seq,
16782 					   cmd, attr, NULL, GFP_KERNEL);
16783 }
16784 EXPORT_SYMBOL(__cfg80211_alloc_reply_skb);
16785 
16786 int cfg80211_vendor_cmd_reply(struct sk_buff *skb)
16787 {
16788 	struct cfg80211_registered_device *rdev = ((void **)skb->cb)[0];
16789 	void *hdr = ((void **)skb->cb)[1];
16790 	struct nlattr *data = ((void **)skb->cb)[2];
16791 
16792 	/* clear CB data for netlink core to own from now on */
16793 	memset(skb->cb, 0, sizeof(skb->cb));
16794 
16795 	if (WARN_ON(!rdev->cur_cmd_info)) {
16796 		kfree_skb(skb);
16797 		return -EINVAL;
16798 	}
16799 
16800 	nla_nest_end(skb, data);
16801 	genlmsg_end(skb, hdr);
16802 	return genlmsg_reply(skb, rdev->cur_cmd_info);
16803 }
16804 EXPORT_SYMBOL_GPL(cfg80211_vendor_cmd_reply);
16805 
16806 unsigned int cfg80211_vendor_cmd_get_sender(struct wiphy *wiphy)
16807 {
16808 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
16809 
16810 	if (WARN_ON(!rdev->cur_cmd_info))
16811 		return 0;
16812 
16813 	return rdev->cur_cmd_info->snd_portid;
16814 }
16815 EXPORT_SYMBOL_GPL(cfg80211_vendor_cmd_get_sender);
16816 
16817 static int nl80211_set_qos_map(struct sk_buff *skb,
16818 			       struct genl_info *info)
16819 {
16820 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
16821 	struct cfg80211_qos_map *qos_map = NULL;
16822 	struct net_device *dev = info->user_ptr[1];
16823 	u8 *pos, len, num_des, des_len, des;
16824 	int ret;
16825 
16826 	if (!rdev->ops->set_qos_map)
16827 		return -EOPNOTSUPP;
16828 
16829 	if (info->attrs[NL80211_ATTR_QOS_MAP]) {
16830 		pos = nla_data(info->attrs[NL80211_ATTR_QOS_MAP]);
16831 		len = nla_len(info->attrs[NL80211_ATTR_QOS_MAP]);
16832 
16833 		if (len % 2)
16834 			return -EINVAL;
16835 
16836 		qos_map = kzalloc(sizeof(struct cfg80211_qos_map), GFP_KERNEL);
16837 		if (!qos_map)
16838 			return -ENOMEM;
16839 
16840 		num_des = (len - IEEE80211_QOS_MAP_LEN_MIN) >> 1;
16841 		if (num_des) {
16842 			des_len = num_des *
16843 				sizeof(struct cfg80211_dscp_exception);
16844 			memcpy(qos_map->dscp_exception, pos, des_len);
16845 			qos_map->num_des = num_des;
16846 			for (des = 0; des < num_des; des++) {
16847 				if (qos_map->dscp_exception[des].up > 7) {
16848 					kfree(qos_map);
16849 					return -EINVAL;
16850 				}
16851 			}
16852 			pos += des_len;
16853 		}
16854 		memcpy(qos_map->up, pos, IEEE80211_QOS_MAP_LEN_MIN);
16855 	}
16856 
16857 	ret = nl80211_key_allowed(dev->ieee80211_ptr);
16858 	if (!ret)
16859 		ret = rdev_set_qos_map(rdev, dev, qos_map);
16860 
16861 	kfree(qos_map);
16862 	return ret;
16863 }
16864 
16865 static int nl80211_add_tx_ts(struct sk_buff *skb, struct genl_info *info)
16866 {
16867 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
16868 	struct net_device *dev = info->user_ptr[1];
16869 	struct wireless_dev *wdev = dev->ieee80211_ptr;
16870 	const u8 *peer;
16871 	u8 tsid, up;
16872 	u16 admitted_time = 0;
16873 
16874 	if (!(rdev->wiphy.features & NL80211_FEATURE_SUPPORTS_WMM_ADMISSION))
16875 		return -EOPNOTSUPP;
16876 
16877 	if (!info->attrs[NL80211_ATTR_TSID] || !info->attrs[NL80211_ATTR_MAC] ||
16878 	    !info->attrs[NL80211_ATTR_USER_PRIO])
16879 		return -EINVAL;
16880 
16881 	tsid = nla_get_u8(info->attrs[NL80211_ATTR_TSID]);
16882 	up = nla_get_u8(info->attrs[NL80211_ATTR_USER_PRIO]);
16883 
16884 	/* WMM uses TIDs 0-7 even for TSPEC */
16885 	if (tsid >= IEEE80211_FIRST_TSPEC_TSID) {
16886 		/* TODO: handle 802.11 TSPEC/admission control
16887 		 * need more attributes for that (e.g. BA session requirement);
16888 		 * change the WMM admission test above to allow both then
16889 		 */
16890 		return -EINVAL;
16891 	}
16892 
16893 	peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
16894 
16895 	if (info->attrs[NL80211_ATTR_ADMITTED_TIME]) {
16896 		admitted_time =
16897 			nla_get_u16(info->attrs[NL80211_ATTR_ADMITTED_TIME]);
16898 		if (!admitted_time)
16899 			return -EINVAL;
16900 	}
16901 
16902 	switch (wdev->iftype) {
16903 	case NL80211_IFTYPE_STATION:
16904 	case NL80211_IFTYPE_P2P_CLIENT:
16905 		if (wdev->connected)
16906 			break;
16907 		return -ENOTCONN;
16908 	default:
16909 		return -EOPNOTSUPP;
16910 	}
16911 
16912 	return rdev_add_tx_ts(rdev, dev, tsid, peer, up, admitted_time);
16913 }
16914 
16915 static int nl80211_del_tx_ts(struct sk_buff *skb, struct genl_info *info)
16916 {
16917 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
16918 	struct net_device *dev = info->user_ptr[1];
16919 	const u8 *peer;
16920 	u8 tsid;
16921 
16922 	if (!info->attrs[NL80211_ATTR_TSID] || !info->attrs[NL80211_ATTR_MAC])
16923 		return -EINVAL;
16924 
16925 	tsid = nla_get_u8(info->attrs[NL80211_ATTR_TSID]);
16926 	peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
16927 
16928 	return rdev_del_tx_ts(rdev, dev, tsid, peer);
16929 }
16930 
16931 static int nl80211_tdls_channel_switch(struct sk_buff *skb,
16932 				       struct genl_info *info)
16933 {
16934 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
16935 	struct net_device *dev = info->user_ptr[1];
16936 	struct wireless_dev *wdev = dev->ieee80211_ptr;
16937 	struct cfg80211_chan_def chandef = {};
16938 	const u8 *addr;
16939 	u8 oper_class;
16940 	int err;
16941 
16942 	if (!rdev->ops->tdls_channel_switch ||
16943 	    !(rdev->wiphy.features & NL80211_FEATURE_TDLS_CHANNEL_SWITCH))
16944 		return -EOPNOTSUPP;
16945 
16946 	switch (dev->ieee80211_ptr->iftype) {
16947 	case NL80211_IFTYPE_STATION:
16948 	case NL80211_IFTYPE_P2P_CLIENT:
16949 		break;
16950 	default:
16951 		return -EOPNOTSUPP;
16952 	}
16953 
16954 	if (!info->attrs[NL80211_ATTR_MAC] ||
16955 	    !info->attrs[NL80211_ATTR_OPER_CLASS])
16956 		return -EINVAL;
16957 
16958 	err = nl80211_parse_chandef(rdev, info, &chandef);
16959 	if (err)
16960 		return err;
16961 
16962 	/*
16963 	 * Don't allow wide channels on the 2.4Ghz band, as per IEEE802.11-2012
16964 	 * section 10.22.6.2.1. Disallow 5/10Mhz channels as well for now, the
16965 	 * specification is not defined for them.
16966 	 */
16967 	if (chandef.chan->band == NL80211_BAND_2GHZ &&
16968 	    chandef.width != NL80211_CHAN_WIDTH_20_NOHT &&
16969 	    chandef.width != NL80211_CHAN_WIDTH_20)
16970 		return -EINVAL;
16971 
16972 	/* we will be active on the TDLS link */
16973 	if (!cfg80211_reg_can_beacon_relax(&rdev->wiphy, &chandef,
16974 					   wdev->iftype))
16975 		return -EINVAL;
16976 
16977 	/* don't allow switching to DFS channels */
16978 	if (cfg80211_chandef_dfs_required(wdev->wiphy, &chandef, wdev->iftype))
16979 		return -EINVAL;
16980 
16981 	addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
16982 	oper_class = nla_get_u8(info->attrs[NL80211_ATTR_OPER_CLASS]);
16983 
16984 	return rdev_tdls_channel_switch(rdev, dev, addr, oper_class, &chandef);
16985 }
16986 
16987 static int nl80211_tdls_cancel_channel_switch(struct sk_buff *skb,
16988 					      struct genl_info *info)
16989 {
16990 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
16991 	struct net_device *dev = info->user_ptr[1];
16992 	const u8 *addr;
16993 
16994 	if (!rdev->ops->tdls_channel_switch ||
16995 	    !rdev->ops->tdls_cancel_channel_switch ||
16996 	    !(rdev->wiphy.features & NL80211_FEATURE_TDLS_CHANNEL_SWITCH))
16997 		return -EOPNOTSUPP;
16998 
16999 	switch (dev->ieee80211_ptr->iftype) {
17000 	case NL80211_IFTYPE_STATION:
17001 	case NL80211_IFTYPE_P2P_CLIENT:
17002 		break;
17003 	default:
17004 		return -EOPNOTSUPP;
17005 	}
17006 
17007 	if (!info->attrs[NL80211_ATTR_MAC])
17008 		return -EINVAL;
17009 
17010 	addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
17011 
17012 	rdev_tdls_cancel_channel_switch(rdev, dev, addr);
17013 
17014 	return 0;
17015 }
17016 
17017 static int nl80211_set_multicast_to_unicast(struct sk_buff *skb,
17018 					    struct genl_info *info)
17019 {
17020 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
17021 	struct net_device *dev = info->user_ptr[1];
17022 	struct wireless_dev *wdev = dev->ieee80211_ptr;
17023 	const struct nlattr *nla;
17024 	bool enabled;
17025 
17026 	if (!rdev->ops->set_multicast_to_unicast)
17027 		return -EOPNOTSUPP;
17028 
17029 	if (wdev->iftype != NL80211_IFTYPE_AP &&
17030 	    wdev->iftype != NL80211_IFTYPE_P2P_GO)
17031 		return -EOPNOTSUPP;
17032 
17033 	nla = info->attrs[NL80211_ATTR_MULTICAST_TO_UNICAST_ENABLED];
17034 	enabled = nla_get_flag(nla);
17035 
17036 	return rdev_set_multicast_to_unicast(rdev, dev, enabled);
17037 }
17038 
17039 static int nl80211_set_pmk(struct sk_buff *skb, struct genl_info *info)
17040 {
17041 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
17042 	struct net_device *dev = info->user_ptr[1];
17043 	struct wireless_dev *wdev = dev->ieee80211_ptr;
17044 	struct cfg80211_pmk_conf pmk_conf = {};
17045 
17046 	if (wdev->iftype != NL80211_IFTYPE_STATION &&
17047 	    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT)
17048 		return -EOPNOTSUPP;
17049 
17050 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
17051 				     NL80211_EXT_FEATURE_4WAY_HANDSHAKE_STA_1X))
17052 		return -EOPNOTSUPP;
17053 
17054 	if (!info->attrs[NL80211_ATTR_MAC] || !info->attrs[NL80211_ATTR_PMK])
17055 		return -EINVAL;
17056 
17057 	if (!wdev->connected)
17058 		return -ENOTCONN;
17059 
17060 	pmk_conf.aa = nla_data(info->attrs[NL80211_ATTR_MAC]);
17061 	if (memcmp(pmk_conf.aa, wdev->u.client.connected_addr, ETH_ALEN))
17062 		return -EINVAL;
17063 
17064 	pmk_conf.pmk = nla_data(info->attrs[NL80211_ATTR_PMK]);
17065 	pmk_conf.pmk_len = nla_len(info->attrs[NL80211_ATTR_PMK]);
17066 	if (pmk_conf.pmk_len != WLAN_PMK_LEN &&
17067 	    pmk_conf.pmk_len != WLAN_PMK_LEN_SUITE_B_192)
17068 		return -EINVAL;
17069 
17070 	if (info->attrs[NL80211_ATTR_PMKR0_NAME])
17071 		pmk_conf.pmk_r0_name =
17072 			nla_data(info->attrs[NL80211_ATTR_PMKR0_NAME]);
17073 
17074 	return rdev_set_pmk(rdev, dev, &pmk_conf);
17075 }
17076 
17077 static int nl80211_del_pmk(struct sk_buff *skb, struct genl_info *info)
17078 {
17079 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
17080 	struct net_device *dev = info->user_ptr[1];
17081 	struct wireless_dev *wdev = dev->ieee80211_ptr;
17082 	const u8 *aa;
17083 
17084 	if (wdev->iftype != NL80211_IFTYPE_STATION &&
17085 	    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT)
17086 		return -EOPNOTSUPP;
17087 
17088 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
17089 				     NL80211_EXT_FEATURE_4WAY_HANDSHAKE_STA_1X))
17090 		return -EOPNOTSUPP;
17091 
17092 	if (!info->attrs[NL80211_ATTR_MAC])
17093 		return -EINVAL;
17094 
17095 	aa = nla_data(info->attrs[NL80211_ATTR_MAC]);
17096 	return rdev_del_pmk(rdev, dev, aa);
17097 }
17098 
17099 static int nl80211_external_auth(struct sk_buff *skb, struct genl_info *info)
17100 {
17101 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
17102 	struct net_device *dev = info->user_ptr[1];
17103 	struct cfg80211_external_auth_params params;
17104 
17105 	if (!rdev->ops->external_auth)
17106 		return -EOPNOTSUPP;
17107 
17108 	if (!info->attrs[NL80211_ATTR_SSID] &&
17109 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
17110 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
17111 		return -EINVAL;
17112 
17113 	if (!info->attrs[NL80211_ATTR_BSSID])
17114 		return -EINVAL;
17115 
17116 	if (!info->attrs[NL80211_ATTR_STATUS_CODE])
17117 		return -EINVAL;
17118 
17119 	memset(&params, 0, sizeof(params));
17120 
17121 	if (info->attrs[NL80211_ATTR_SSID]) {
17122 		params.ssid.ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
17123 		if (params.ssid.ssid_len == 0)
17124 			return -EINVAL;
17125 		memcpy(params.ssid.ssid,
17126 		       nla_data(info->attrs[NL80211_ATTR_SSID]),
17127 		       params.ssid.ssid_len);
17128 	}
17129 
17130 	memcpy(params.bssid, nla_data(info->attrs[NL80211_ATTR_BSSID]),
17131 	       ETH_ALEN);
17132 
17133 	params.status = nla_get_u16(info->attrs[NL80211_ATTR_STATUS_CODE]);
17134 
17135 	if (info->attrs[NL80211_ATTR_PMKID])
17136 		params.pmkid = nla_data(info->attrs[NL80211_ATTR_PMKID]);
17137 
17138 	return rdev_external_auth(rdev, dev, &params);
17139 }
17140 
17141 static int nl80211_tx_control_port(struct sk_buff *skb, struct genl_info *info)
17142 {
17143 	bool dont_wait_for_ack = info->attrs[NL80211_ATTR_DONT_WAIT_FOR_ACK];
17144 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
17145 	struct net_device *dev = info->user_ptr[1];
17146 	struct wireless_dev *wdev = dev->ieee80211_ptr;
17147 	const u8 *buf;
17148 	size_t len;
17149 	u8 *dest;
17150 	u16 proto;
17151 	bool noencrypt;
17152 	u64 cookie = 0;
17153 	int link_id;
17154 	int err;
17155 
17156 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
17157 				     NL80211_EXT_FEATURE_CONTROL_PORT_OVER_NL80211))
17158 		return -EOPNOTSUPP;
17159 
17160 	if (!rdev->ops->tx_control_port)
17161 		return -EOPNOTSUPP;
17162 
17163 	if (!info->attrs[NL80211_ATTR_FRAME] ||
17164 	    !info->attrs[NL80211_ATTR_MAC] ||
17165 	    !info->attrs[NL80211_ATTR_CONTROL_PORT_ETHERTYPE]) {
17166 		GENL_SET_ERR_MSG(info, "Frame, MAC or ethertype missing");
17167 		return -EINVAL;
17168 	}
17169 
17170 	switch (wdev->iftype) {
17171 	case NL80211_IFTYPE_AP:
17172 	case NL80211_IFTYPE_P2P_GO:
17173 	case NL80211_IFTYPE_MESH_POINT:
17174 		break;
17175 	case NL80211_IFTYPE_ADHOC:
17176 		if (wdev->u.ibss.current_bss)
17177 			break;
17178 		return -ENOTCONN;
17179 	case NL80211_IFTYPE_STATION:
17180 	case NL80211_IFTYPE_P2P_CLIENT:
17181 		if (wdev->connected)
17182 			break;
17183 		return -ENOTCONN;
17184 	default:
17185 		return -EOPNOTSUPP;
17186 	}
17187 
17188 	buf = nla_data(info->attrs[NL80211_ATTR_FRAME]);
17189 	len = nla_len(info->attrs[NL80211_ATTR_FRAME]);
17190 	dest = nla_data(info->attrs[NL80211_ATTR_MAC]);
17191 	proto = nla_get_u16(info->attrs[NL80211_ATTR_CONTROL_PORT_ETHERTYPE]);
17192 	noencrypt =
17193 		nla_get_flag(info->attrs[NL80211_ATTR_CONTROL_PORT_NO_ENCRYPT]);
17194 
17195 	link_id = nl80211_link_id_or_invalid(info->attrs);
17196 
17197 	err = rdev_tx_control_port(rdev, dev, buf, len,
17198 				   dest, cpu_to_be16(proto), noencrypt, link_id,
17199 				   dont_wait_for_ack ? NULL : &cookie);
17200 	if (!err && !dont_wait_for_ack)
17201 		nl_set_extack_cookie_u64(info->extack, cookie);
17202 	return err;
17203 }
17204 
17205 static int nl80211_get_ftm_responder_stats(struct sk_buff *skb,
17206 					   struct genl_info *info)
17207 {
17208 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
17209 	struct net_device *dev = info->user_ptr[1];
17210 	struct wireless_dev *wdev = dev->ieee80211_ptr;
17211 	struct cfg80211_ftm_responder_stats ftm_stats = {};
17212 	unsigned int link_id = nl80211_link_id(info->attrs);
17213 	struct sk_buff *msg;
17214 	void *hdr;
17215 	struct nlattr *ftm_stats_attr;
17216 	int err;
17217 
17218 	if (wdev->iftype != NL80211_IFTYPE_AP ||
17219 	    !wdev->links[link_id].ap.beacon_interval)
17220 		return -EOPNOTSUPP;
17221 
17222 	err = rdev_get_ftm_responder_stats(rdev, dev, &ftm_stats);
17223 	if (err)
17224 		return err;
17225 
17226 	if (!ftm_stats.filled)
17227 		return -ENODATA;
17228 
17229 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
17230 	if (!msg)
17231 		return -ENOMEM;
17232 
17233 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
17234 			     NL80211_CMD_GET_FTM_RESPONDER_STATS);
17235 	if (!hdr)
17236 		goto nla_put_failure;
17237 
17238 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
17239 		goto nla_put_failure;
17240 
17241 	ftm_stats_attr = nla_nest_start_noflag(msg,
17242 					       NL80211_ATTR_FTM_RESPONDER_STATS);
17243 	if (!ftm_stats_attr)
17244 		goto nla_put_failure;
17245 
17246 #define SET_FTM(field, name, type)					 \
17247 	do { if ((ftm_stats.filled & BIT(NL80211_FTM_STATS_ ## name)) && \
17248 	    nla_put_ ## type(msg, NL80211_FTM_STATS_ ## name,		 \
17249 			     ftm_stats.field))				 \
17250 		goto nla_put_failure; } while (0)
17251 #define SET_FTM_U64(field, name)					 \
17252 	do { if ((ftm_stats.filled & BIT(NL80211_FTM_STATS_ ## name)) && \
17253 	    nla_put_u64_64bit(msg, NL80211_FTM_STATS_ ## name,		 \
17254 			      ftm_stats.field, NL80211_FTM_STATS_PAD))	 \
17255 		goto nla_put_failure; } while (0)
17256 
17257 	SET_FTM(success_num, SUCCESS_NUM, u32);
17258 	SET_FTM(partial_num, PARTIAL_NUM, u32);
17259 	SET_FTM(failed_num, FAILED_NUM, u32);
17260 	SET_FTM(asap_num, ASAP_NUM, u32);
17261 	SET_FTM(non_asap_num, NON_ASAP_NUM, u32);
17262 	SET_FTM_U64(total_duration_ms, TOTAL_DURATION_MSEC);
17263 	SET_FTM(unknown_triggers_num, UNKNOWN_TRIGGERS_NUM, u32);
17264 	SET_FTM(reschedule_requests_num, RESCHEDULE_REQUESTS_NUM, u32);
17265 	SET_FTM(out_of_window_triggers_num, OUT_OF_WINDOW_TRIGGERS_NUM, u32);
17266 #undef SET_FTM
17267 
17268 	nla_nest_end(msg, ftm_stats_attr);
17269 
17270 	genlmsg_end(msg, hdr);
17271 	return genlmsg_reply(msg, info);
17272 
17273 nla_put_failure:
17274 	nlmsg_free(msg);
17275 	return -ENOBUFS;
17276 }
17277 
17278 static int nl80211_update_owe_info(struct sk_buff *skb, struct genl_info *info)
17279 {
17280 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
17281 	struct cfg80211_update_owe_info owe_info;
17282 	struct net_device *dev = info->user_ptr[1];
17283 
17284 	if (!rdev->ops->update_owe_info)
17285 		return -EOPNOTSUPP;
17286 
17287 	if (!info->attrs[NL80211_ATTR_STATUS_CODE] ||
17288 	    !info->attrs[NL80211_ATTR_MAC])
17289 		return -EINVAL;
17290 
17291 	memset(&owe_info, 0, sizeof(owe_info));
17292 	owe_info.status = nla_get_u16(info->attrs[NL80211_ATTR_STATUS_CODE]);
17293 	nla_memcpy(owe_info.peer, info->attrs[NL80211_ATTR_MAC], ETH_ALEN);
17294 
17295 	if (info->attrs[NL80211_ATTR_IE]) {
17296 		owe_info.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
17297 		owe_info.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
17298 	}
17299 
17300 	return rdev_update_owe_info(rdev, dev, &owe_info);
17301 }
17302 
17303 static int nl80211_probe_mesh_link(struct sk_buff *skb, struct genl_info *info)
17304 {
17305 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
17306 	struct net_device *dev = info->user_ptr[1];
17307 	struct wireless_dev *wdev = dev->ieee80211_ptr;
17308 	struct station_info sinfo = {};
17309 	const u8 *buf;
17310 	size_t len;
17311 	u8 *dest;
17312 	int err;
17313 
17314 	if (!rdev->ops->probe_mesh_link || !rdev->ops->get_station)
17315 		return -EOPNOTSUPP;
17316 
17317 	if (!info->attrs[NL80211_ATTR_MAC] ||
17318 	    !info->attrs[NL80211_ATTR_FRAME]) {
17319 		GENL_SET_ERR_MSG(info, "Frame or MAC missing");
17320 		return -EINVAL;
17321 	}
17322 
17323 	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT)
17324 		return -EOPNOTSUPP;
17325 
17326 	dest = nla_data(info->attrs[NL80211_ATTR_MAC]);
17327 	buf = nla_data(info->attrs[NL80211_ATTR_FRAME]);
17328 	len = nla_len(info->attrs[NL80211_ATTR_FRAME]);
17329 
17330 	if (len < sizeof(struct ethhdr))
17331 		return -EINVAL;
17332 
17333 	if (!ether_addr_equal(buf, dest) || is_multicast_ether_addr(buf) ||
17334 	    !ether_addr_equal(buf + ETH_ALEN, dev->dev_addr))
17335 		return -EINVAL;
17336 
17337 	err = rdev_get_station(rdev, dev, dest, &sinfo);
17338 	if (err)
17339 		return err;
17340 
17341 	cfg80211_sinfo_release_content(&sinfo);
17342 
17343 	return rdev_probe_mesh_link(rdev, dev, dest, buf, len);
17344 }
17345 
17346 static int parse_tid_conf(struct cfg80211_registered_device *rdev,
17347 			  struct nlattr *attrs[], struct net_device *dev,
17348 			  struct cfg80211_tid_cfg *tid_conf,
17349 			  struct genl_info *info, const u8 *peer,
17350 			  unsigned int link_id)
17351 {
17352 	struct netlink_ext_ack *extack = info->extack;
17353 	u64 mask;
17354 	int err;
17355 
17356 	if (!attrs[NL80211_TID_CONFIG_ATTR_TIDS])
17357 		return -EINVAL;
17358 
17359 	tid_conf->config_override =
17360 			nla_get_flag(attrs[NL80211_TID_CONFIG_ATTR_OVERRIDE]);
17361 	tid_conf->tids = nla_get_u16(attrs[NL80211_TID_CONFIG_ATTR_TIDS]);
17362 
17363 	if (tid_conf->config_override) {
17364 		if (rdev->ops->reset_tid_config) {
17365 			err = rdev_reset_tid_config(rdev, dev, peer,
17366 						    tid_conf->tids);
17367 			if (err)
17368 				return err;
17369 		} else {
17370 			return -EINVAL;
17371 		}
17372 	}
17373 
17374 	if (attrs[NL80211_TID_CONFIG_ATTR_NOACK]) {
17375 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_NOACK);
17376 		tid_conf->noack =
17377 			nla_get_u8(attrs[NL80211_TID_CONFIG_ATTR_NOACK]);
17378 	}
17379 
17380 	if (attrs[NL80211_TID_CONFIG_ATTR_RETRY_SHORT]) {
17381 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_RETRY_SHORT);
17382 		tid_conf->retry_short =
17383 			nla_get_u8(attrs[NL80211_TID_CONFIG_ATTR_RETRY_SHORT]);
17384 
17385 		if (tid_conf->retry_short > rdev->wiphy.max_data_retry_count)
17386 			return -EINVAL;
17387 	}
17388 
17389 	if (attrs[NL80211_TID_CONFIG_ATTR_RETRY_LONG]) {
17390 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_RETRY_LONG);
17391 		tid_conf->retry_long =
17392 			nla_get_u8(attrs[NL80211_TID_CONFIG_ATTR_RETRY_LONG]);
17393 
17394 		if (tid_conf->retry_long > rdev->wiphy.max_data_retry_count)
17395 			return -EINVAL;
17396 	}
17397 
17398 	if (attrs[NL80211_TID_CONFIG_ATTR_AMPDU_CTRL]) {
17399 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_AMPDU_CTRL);
17400 		tid_conf->ampdu =
17401 			nla_get_u8(attrs[NL80211_TID_CONFIG_ATTR_AMPDU_CTRL]);
17402 	}
17403 
17404 	if (attrs[NL80211_TID_CONFIG_ATTR_RTSCTS_CTRL]) {
17405 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_RTSCTS_CTRL);
17406 		tid_conf->rtscts =
17407 			nla_get_u8(attrs[NL80211_TID_CONFIG_ATTR_RTSCTS_CTRL]);
17408 	}
17409 
17410 	if (attrs[NL80211_TID_CONFIG_ATTR_AMSDU_CTRL]) {
17411 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_AMSDU_CTRL);
17412 		tid_conf->amsdu =
17413 			nla_get_u8(attrs[NL80211_TID_CONFIG_ATTR_AMSDU_CTRL]);
17414 	}
17415 
17416 	if (attrs[NL80211_TID_CONFIG_ATTR_TX_RATE_TYPE]) {
17417 		u32 idx = NL80211_TID_CONFIG_ATTR_TX_RATE_TYPE, attr;
17418 
17419 		tid_conf->txrate_type = nla_get_u8(attrs[idx]);
17420 
17421 		if (tid_conf->txrate_type != NL80211_TX_RATE_AUTOMATIC) {
17422 			attr = NL80211_TID_CONFIG_ATTR_TX_RATE;
17423 			err = nl80211_parse_tx_bitrate_mask(info, attrs, attr,
17424 						    &tid_conf->txrate_mask, dev,
17425 						    true, link_id);
17426 			if (err)
17427 				return err;
17428 
17429 			tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_TX_RATE);
17430 		}
17431 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_TX_RATE_TYPE);
17432 	}
17433 
17434 	if (peer)
17435 		mask = rdev->wiphy.tid_config_support.peer;
17436 	else
17437 		mask = rdev->wiphy.tid_config_support.vif;
17438 
17439 	if (tid_conf->mask & ~mask) {
17440 		NL_SET_ERR_MSG(extack, "unsupported TID configuration");
17441 		return -EOPNOTSUPP;
17442 	}
17443 
17444 	return 0;
17445 }
17446 
17447 static int nl80211_set_tid_config(struct sk_buff *skb,
17448 				  struct genl_info *info)
17449 {
17450 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
17451 	struct nlattr *attrs[NL80211_TID_CONFIG_ATTR_MAX + 1];
17452 	unsigned int link_id = nl80211_link_id(info->attrs);
17453 	struct net_device *dev = info->user_ptr[1];
17454 	struct cfg80211_tid_config *tid_config;
17455 	struct nlattr *tid;
17456 	int conf_idx = 0, rem_conf;
17457 	int ret = -EINVAL;
17458 	u32 num_conf = 0;
17459 
17460 	if (!info->attrs[NL80211_ATTR_TID_CONFIG])
17461 		return -EINVAL;
17462 
17463 	if (!rdev->ops->set_tid_config)
17464 		return -EOPNOTSUPP;
17465 
17466 	nla_for_each_nested(tid, info->attrs[NL80211_ATTR_TID_CONFIG],
17467 			    rem_conf)
17468 		num_conf++;
17469 
17470 	tid_config = kzalloc(struct_size(tid_config, tid_conf, num_conf),
17471 			     GFP_KERNEL);
17472 	if (!tid_config)
17473 		return -ENOMEM;
17474 
17475 	tid_config->n_tid_conf = num_conf;
17476 
17477 	if (info->attrs[NL80211_ATTR_MAC])
17478 		tid_config->peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
17479 
17480 	nla_for_each_nested(tid, info->attrs[NL80211_ATTR_TID_CONFIG],
17481 			    rem_conf) {
17482 		ret = nla_parse_nested(attrs, NL80211_TID_CONFIG_ATTR_MAX,
17483 				       tid, NULL, NULL);
17484 
17485 		if (ret)
17486 			goto bad_tid_conf;
17487 
17488 		ret = parse_tid_conf(rdev, attrs, dev,
17489 				     &tid_config->tid_conf[conf_idx],
17490 				     info, tid_config->peer, link_id);
17491 		if (ret)
17492 			goto bad_tid_conf;
17493 
17494 		conf_idx++;
17495 	}
17496 
17497 	ret = rdev_set_tid_config(rdev, dev, tid_config);
17498 
17499 bad_tid_conf:
17500 	kfree(tid_config);
17501 	return ret;
17502 }
17503 
17504 static int nl80211_color_change(struct sk_buff *skb, struct genl_info *info)
17505 {
17506 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
17507 	struct cfg80211_color_change_settings params = {};
17508 	struct net_device *dev = info->user_ptr[1];
17509 	struct wireless_dev *wdev = dev->ieee80211_ptr;
17510 	struct nlattr **tb;
17511 	u16 offset;
17512 	int err;
17513 
17514 	if (!rdev->ops->color_change)
17515 		return -EOPNOTSUPP;
17516 
17517 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
17518 				     NL80211_EXT_FEATURE_BSS_COLOR))
17519 		return -EOPNOTSUPP;
17520 
17521 	if (wdev->iftype != NL80211_IFTYPE_AP)
17522 		return -EOPNOTSUPP;
17523 
17524 	if (!info->attrs[NL80211_ATTR_COLOR_CHANGE_COUNT] ||
17525 	    !info->attrs[NL80211_ATTR_COLOR_CHANGE_COLOR] ||
17526 	    !info->attrs[NL80211_ATTR_COLOR_CHANGE_ELEMS])
17527 		return -EINVAL;
17528 
17529 	params.count = nla_get_u8(info->attrs[NL80211_ATTR_COLOR_CHANGE_COUNT]);
17530 	params.color = nla_get_u8(info->attrs[NL80211_ATTR_COLOR_CHANGE_COLOR]);
17531 
17532 	err = nl80211_parse_beacon(rdev, info->attrs, &params.beacon_next,
17533 				   info->extack);
17534 	if (err)
17535 		return err;
17536 
17537 	tb = kcalloc(NL80211_ATTR_MAX + 1, sizeof(*tb), GFP_KERNEL);
17538 	if (!tb)
17539 		return -ENOMEM;
17540 
17541 	err = nla_parse_nested(tb, NL80211_ATTR_MAX,
17542 			       info->attrs[NL80211_ATTR_COLOR_CHANGE_ELEMS],
17543 			       nl80211_policy, info->extack);
17544 	if (err)
17545 		goto out;
17546 
17547 	err = nl80211_parse_beacon(rdev, tb, &params.beacon_color_change,
17548 				   info->extack);
17549 	if (err)
17550 		goto out;
17551 
17552 	if (!tb[NL80211_ATTR_CNTDWN_OFFS_BEACON]) {
17553 		err = -EINVAL;
17554 		goto out;
17555 	}
17556 
17557 	if (nla_len(tb[NL80211_ATTR_CNTDWN_OFFS_BEACON]) != sizeof(u16)) {
17558 		err = -EINVAL;
17559 		goto out;
17560 	}
17561 
17562 	offset = nla_get_u16(tb[NL80211_ATTR_CNTDWN_OFFS_BEACON]);
17563 	if (offset >= params.beacon_color_change.tail_len) {
17564 		err = -EINVAL;
17565 		goto out;
17566 	}
17567 
17568 	if (params.beacon_color_change.tail[offset] != params.count) {
17569 		err = -EINVAL;
17570 		goto out;
17571 	}
17572 
17573 	params.counter_offset_beacon = offset;
17574 
17575 	if (tb[NL80211_ATTR_CNTDWN_OFFS_PRESP]) {
17576 		if (nla_len(tb[NL80211_ATTR_CNTDWN_OFFS_PRESP]) !=
17577 		    sizeof(u16)) {
17578 			err = -EINVAL;
17579 			goto out;
17580 		}
17581 
17582 		offset = nla_get_u16(tb[NL80211_ATTR_CNTDWN_OFFS_PRESP]);
17583 		if (offset >= params.beacon_color_change.probe_resp_len) {
17584 			err = -EINVAL;
17585 			goto out;
17586 		}
17587 
17588 		if (params.beacon_color_change.probe_resp[offset] !=
17589 		    params.count) {
17590 			err = -EINVAL;
17591 			goto out;
17592 		}
17593 
17594 		params.counter_offset_presp = offset;
17595 	}
17596 
17597 	if (info->attrs[NL80211_ATTR_UNSOL_BCAST_PROBE_RESP]) {
17598 		err = nl80211_parse_unsol_bcast_probe_resp(
17599 			rdev, info->attrs[NL80211_ATTR_UNSOL_BCAST_PROBE_RESP],
17600 			&params.unsol_bcast_probe_resp);
17601 		if (err)
17602 			goto out;
17603 	}
17604 
17605 	params.link_id = nl80211_link_id(info->attrs);
17606 	err = rdev_color_change(rdev, dev, &params);
17607 
17608 out:
17609 	kfree(params.beacon_next.mbssid_ies);
17610 	kfree(params.beacon_color_change.mbssid_ies);
17611 	kfree(params.beacon_next.rnr_ies);
17612 	kfree(params.beacon_color_change.rnr_ies);
17613 	kfree(tb);
17614 	return err;
17615 }
17616 
17617 static int nl80211_set_fils_aad(struct sk_buff *skb,
17618 				struct genl_info *info)
17619 {
17620 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
17621 	struct net_device *dev = info->user_ptr[1];
17622 	struct cfg80211_fils_aad fils_aad = {};
17623 	u8 *nonces;
17624 
17625 	if (!info->attrs[NL80211_ATTR_MAC] ||
17626 	    !info->attrs[NL80211_ATTR_FILS_KEK] ||
17627 	    !info->attrs[NL80211_ATTR_FILS_NONCES])
17628 		return -EINVAL;
17629 
17630 	fils_aad.macaddr = nla_data(info->attrs[NL80211_ATTR_MAC]);
17631 	fils_aad.kek_len = nla_len(info->attrs[NL80211_ATTR_FILS_KEK]);
17632 	fils_aad.kek = nla_data(info->attrs[NL80211_ATTR_FILS_KEK]);
17633 	nonces = nla_data(info->attrs[NL80211_ATTR_FILS_NONCES]);
17634 	fils_aad.snonce = nonces;
17635 	fils_aad.anonce = nonces + FILS_NONCE_LEN;
17636 
17637 	return rdev_set_fils_aad(rdev, dev, &fils_aad);
17638 }
17639 
17640 static int nl80211_add_link(struct sk_buff *skb, struct genl_info *info)
17641 {
17642 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
17643 	unsigned int link_id = nl80211_link_id(info->attrs);
17644 	struct net_device *dev = info->user_ptr[1];
17645 	struct wireless_dev *wdev = dev->ieee80211_ptr;
17646 	int ret;
17647 
17648 	if (!(wdev->wiphy->flags & WIPHY_FLAG_SUPPORTS_MLO))
17649 		return -EINVAL;
17650 
17651 	switch (wdev->iftype) {
17652 	case NL80211_IFTYPE_AP:
17653 		break;
17654 	default:
17655 		return -EINVAL;
17656 	}
17657 
17658 	if (!info->attrs[NL80211_ATTR_MAC] ||
17659 	    !is_valid_ether_addr(nla_data(info->attrs[NL80211_ATTR_MAC])))
17660 		return -EINVAL;
17661 
17662 	wdev->valid_links |= BIT(link_id);
17663 	ether_addr_copy(wdev->links[link_id].addr,
17664 			nla_data(info->attrs[NL80211_ATTR_MAC]));
17665 
17666 	ret = rdev_add_intf_link(rdev, wdev, link_id);
17667 	if (ret) {
17668 		wdev->valid_links &= ~BIT(link_id);
17669 		eth_zero_addr(wdev->links[link_id].addr);
17670 	}
17671 
17672 	return ret;
17673 }
17674 
17675 static int nl80211_remove_link(struct sk_buff *skb, struct genl_info *info)
17676 {
17677 	unsigned int link_id = nl80211_link_id(info->attrs);
17678 	struct net_device *dev = info->user_ptr[1];
17679 	struct wireless_dev *wdev = dev->ieee80211_ptr;
17680 
17681 	/* cannot remove if there's no link */
17682 	if (!info->attrs[NL80211_ATTR_MLO_LINK_ID])
17683 		return -EINVAL;
17684 
17685 	switch (wdev->iftype) {
17686 	case NL80211_IFTYPE_AP:
17687 		break;
17688 	default:
17689 		return -EINVAL;
17690 	}
17691 
17692 	cfg80211_remove_link(wdev, link_id);
17693 
17694 	return 0;
17695 }
17696 
17697 static int
17698 nl80211_add_mod_link_station(struct sk_buff *skb, struct genl_info *info,
17699 			     bool add)
17700 {
17701 	struct link_station_parameters params = {};
17702 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
17703 	struct net_device *dev = info->user_ptr[1];
17704 	int err;
17705 
17706 	if ((add && !rdev->ops->add_link_station) ||
17707 	    (!add && !rdev->ops->mod_link_station))
17708 		return -EOPNOTSUPP;
17709 
17710 	if (add && !info->attrs[NL80211_ATTR_MAC])
17711 		return -EINVAL;
17712 
17713 	if (!info->attrs[NL80211_ATTR_MLD_ADDR])
17714 		return -EINVAL;
17715 
17716 	if (add && !info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES])
17717 		return -EINVAL;
17718 
17719 	params.mld_mac = nla_data(info->attrs[NL80211_ATTR_MLD_ADDR]);
17720 
17721 	if (info->attrs[NL80211_ATTR_MAC]) {
17722 		params.link_mac = nla_data(info->attrs[NL80211_ATTR_MAC]);
17723 		if (!is_valid_ether_addr(params.link_mac))
17724 			return -EINVAL;
17725 	}
17726 
17727 	if (!info->attrs[NL80211_ATTR_MLO_LINK_ID])
17728 		return -EINVAL;
17729 
17730 	params.link_id = nla_get_u8(info->attrs[NL80211_ATTR_MLO_LINK_ID]);
17731 
17732 	if (info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]) {
17733 		params.supported_rates =
17734 			nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
17735 		params.supported_rates_len =
17736 			nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
17737 	}
17738 
17739 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY])
17740 		params.ht_capa =
17741 			nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]);
17742 
17743 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY])
17744 		params.vht_capa =
17745 			nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]);
17746 
17747 	if (info->attrs[NL80211_ATTR_HE_CAPABILITY]) {
17748 		params.he_capa =
17749 			nla_data(info->attrs[NL80211_ATTR_HE_CAPABILITY]);
17750 		params.he_capa_len =
17751 			nla_len(info->attrs[NL80211_ATTR_HE_CAPABILITY]);
17752 
17753 		if (info->attrs[NL80211_ATTR_EHT_CAPABILITY]) {
17754 			params.eht_capa =
17755 				nla_data(info->attrs[NL80211_ATTR_EHT_CAPABILITY]);
17756 			params.eht_capa_len =
17757 				nla_len(info->attrs[NL80211_ATTR_EHT_CAPABILITY]);
17758 
17759 			if (!ieee80211_eht_capa_size_ok((const u8 *)params.he_capa,
17760 							(const u8 *)params.eht_capa,
17761 							params.eht_capa_len,
17762 							false))
17763 				return -EINVAL;
17764 		}
17765 	}
17766 
17767 	if (info->attrs[NL80211_ATTR_UHR_CAPABILITY]) {
17768 		if (!params.eht_capa)
17769 			return -EINVAL;
17770 
17771 		params.uhr_capa =
17772 			nla_data(info->attrs[NL80211_ATTR_UHR_CAPABILITY]);
17773 		params.uhr_capa_len =
17774 			nla_len(info->attrs[NL80211_ATTR_UHR_CAPABILITY]);
17775 	}
17776 
17777 	if (info->attrs[NL80211_ATTR_HE_6GHZ_CAPABILITY])
17778 		params.he_6ghz_capa =
17779 			nla_data(info->attrs[NL80211_ATTR_HE_6GHZ_CAPABILITY]);
17780 
17781 	if (info->attrs[NL80211_ATTR_OPMODE_NOTIF]) {
17782 		params.opmode_notif_used = true;
17783 		params.opmode_notif =
17784 			nla_get_u8(info->attrs[NL80211_ATTR_OPMODE_NOTIF]);
17785 	}
17786 
17787 	err = nl80211_parse_sta_txpower_setting(info, &params.txpwr,
17788 						&params.txpwr_set);
17789 	if (err)
17790 		return err;
17791 
17792 	if (add)
17793 		return rdev_add_link_station(rdev, dev, &params);
17794 
17795 	return rdev_mod_link_station(rdev, dev, &params);
17796 }
17797 
17798 static int
17799 nl80211_add_link_station(struct sk_buff *skb, struct genl_info *info)
17800 {
17801 	return nl80211_add_mod_link_station(skb, info, true);
17802 }
17803 
17804 static int
17805 nl80211_modify_link_station(struct sk_buff *skb, struct genl_info *info)
17806 {
17807 	return nl80211_add_mod_link_station(skb, info, false);
17808 }
17809 
17810 static int
17811 nl80211_remove_link_station(struct sk_buff *skb, struct genl_info *info)
17812 {
17813 	struct link_station_del_parameters params = {};
17814 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
17815 	struct net_device *dev = info->user_ptr[1];
17816 
17817 	if (!rdev->ops->del_link_station)
17818 		return -EOPNOTSUPP;
17819 
17820 	if (!info->attrs[NL80211_ATTR_MLD_ADDR] ||
17821 	    !info->attrs[NL80211_ATTR_MLO_LINK_ID])
17822 		return -EINVAL;
17823 
17824 	params.mld_mac = nla_data(info->attrs[NL80211_ATTR_MLD_ADDR]);
17825 	params.link_id = nla_get_u8(info->attrs[NL80211_ATTR_MLO_LINK_ID]);
17826 
17827 	return rdev_del_link_station(rdev, dev, &params);
17828 }
17829 
17830 static int nl80211_set_hw_timestamp(struct sk_buff *skb,
17831 				    struct genl_info *info)
17832 {
17833 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
17834 	struct net_device *dev = info->user_ptr[1];
17835 	struct cfg80211_set_hw_timestamp hwts = {};
17836 
17837 	if (!rdev->wiphy.hw_timestamp_max_peers)
17838 		return -EOPNOTSUPP;
17839 
17840 	if (!info->attrs[NL80211_ATTR_MAC] &&
17841 	    rdev->wiphy.hw_timestamp_max_peers != CFG80211_HW_TIMESTAMP_ALL_PEERS)
17842 		return -EOPNOTSUPP;
17843 
17844 	if (info->attrs[NL80211_ATTR_MAC])
17845 		hwts.macaddr = nla_data(info->attrs[NL80211_ATTR_MAC]);
17846 
17847 	hwts.enable =
17848 		nla_get_flag(info->attrs[NL80211_ATTR_HW_TIMESTAMP_ENABLED]);
17849 
17850 	return rdev_set_hw_timestamp(rdev, dev, &hwts);
17851 }
17852 
17853 static int
17854 nl80211_set_ttlm(struct sk_buff *skb, struct genl_info *info)
17855 {
17856 	struct cfg80211_ttlm_params params = {};
17857 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
17858 	struct net_device *dev = info->user_ptr[1];
17859 	struct wireless_dev *wdev = dev->ieee80211_ptr;
17860 
17861 	if (wdev->iftype != NL80211_IFTYPE_STATION &&
17862 	    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT)
17863 		return -EOPNOTSUPP;
17864 
17865 	if (!wdev->connected)
17866 		return -ENOLINK;
17867 
17868 	if (!info->attrs[NL80211_ATTR_MLO_TTLM_DLINK] ||
17869 	    !info->attrs[NL80211_ATTR_MLO_TTLM_ULINK])
17870 		return -EINVAL;
17871 
17872 	nla_memcpy(params.dlink,
17873 		   info->attrs[NL80211_ATTR_MLO_TTLM_DLINK],
17874 		   sizeof(params.dlink));
17875 	nla_memcpy(params.ulink,
17876 		   info->attrs[NL80211_ATTR_MLO_TTLM_ULINK],
17877 		   sizeof(params.ulink));
17878 
17879 	return rdev_set_ttlm(rdev, dev, &params);
17880 }
17881 
17882 static int nl80211_assoc_ml_reconf(struct sk_buff *skb, struct genl_info *info)
17883 {
17884 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
17885 	struct net_device *dev = info->user_ptr[1];
17886 	struct wireless_dev *wdev = dev->ieee80211_ptr;
17887 	struct cfg80211_ml_reconf_req req = {};
17888 	unsigned int link_id;
17889 	u16 add_links;
17890 	int err;
17891 
17892 	if (!wdev->valid_links)
17893 		return -EINVAL;
17894 
17895 	if (dev->ieee80211_ptr->conn_owner_nlportid &&
17896 	    dev->ieee80211_ptr->conn_owner_nlportid != info->snd_portid)
17897 		return -EPERM;
17898 
17899 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
17900 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
17901 		return -EOPNOTSUPP;
17902 
17903 	add_links = 0;
17904 	if (info->attrs[NL80211_ATTR_MLO_LINKS]) {
17905 		err = nl80211_process_links(rdev, req.add_links,
17906 					    /* mark as MLO, but not assoc */
17907 					    IEEE80211_MLD_MAX_NUM_LINKS,
17908 					    NULL, 0, info);
17909 		if (err)
17910 			return err;
17911 
17912 		for (link_id = 0; link_id < IEEE80211_MLD_MAX_NUM_LINKS;
17913 		     link_id++) {
17914 			if (!req.add_links[link_id].bss)
17915 				continue;
17916 			add_links |= BIT(link_id);
17917 		}
17918 	}
17919 
17920 	if (info->attrs[NL80211_ATTR_MLO_RECONF_REM_LINKS])
17921 		req.rem_links =
17922 			nla_get_u16(info->attrs[NL80211_ATTR_MLO_RECONF_REM_LINKS]);
17923 
17924 	/* Validate that existing links are not added, removed links are valid
17925 	 * and don't allow adding and removing the same links
17926 	 */
17927 	if ((add_links & req.rem_links) || !(add_links | req.rem_links) ||
17928 	    (wdev->valid_links & add_links) ||
17929 	    ((wdev->valid_links & req.rem_links) != req.rem_links)) {
17930 		err = -EINVAL;
17931 		goto out;
17932 	}
17933 
17934 	if (info->attrs[NL80211_ATTR_ASSOC_MLD_EXT_CAPA_OPS])
17935 		req.ext_mld_capa_ops =
17936 			nla_get_u16(info->attrs[NL80211_ATTR_ASSOC_MLD_EXT_CAPA_OPS]);
17937 
17938 	err = cfg80211_assoc_ml_reconf(rdev, dev, &req);
17939 
17940 out:
17941 	for (link_id = 0; link_id < ARRAY_SIZE(req.add_links); link_id++)
17942 		cfg80211_put_bss(&rdev->wiphy, req.add_links[link_id].bss);
17943 
17944 	return err;
17945 }
17946 
17947 static int
17948 nl80211_epcs_cfg(struct sk_buff *skb, struct genl_info *info)
17949 {
17950 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
17951 	struct net_device *dev = info->user_ptr[1];
17952 	struct wireless_dev *wdev = dev->ieee80211_ptr;
17953 	bool val;
17954 
17955 	if (wdev->iftype != NL80211_IFTYPE_STATION &&
17956 	    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT)
17957 		return -EOPNOTSUPP;
17958 
17959 	if (!wdev->connected)
17960 		return -ENOLINK;
17961 
17962 	val = nla_get_flag(info->attrs[NL80211_ATTR_EPCS]);
17963 
17964 	return rdev_set_epcs(rdev, dev, val);
17965 }
17966 
17967 #define NL80211_FLAG_NEED_WIPHY		0x01
17968 #define NL80211_FLAG_NEED_NETDEV	0x02
17969 #define NL80211_FLAG_NEED_RTNL		0x04
17970 #define NL80211_FLAG_CHECK_NETDEV_UP	0x08
17971 #define NL80211_FLAG_NEED_NETDEV_UP	(NL80211_FLAG_NEED_NETDEV |\
17972 					 NL80211_FLAG_CHECK_NETDEV_UP)
17973 #define NL80211_FLAG_NEED_WDEV		0x10
17974 /* If a netdev is associated, it must be UP, P2P must be started */
17975 #define NL80211_FLAG_NEED_WDEV_UP	(NL80211_FLAG_NEED_WDEV |\
17976 					 NL80211_FLAG_CHECK_NETDEV_UP)
17977 #define NL80211_FLAG_CLEAR_SKB		0x20
17978 #define NL80211_FLAG_NO_WIPHY_MTX	0x40
17979 #define NL80211_FLAG_MLO_VALID_LINK_ID	0x80
17980 #define NL80211_FLAG_MLO_UNSUPPORTED	0x100
17981 
17982 #define INTERNAL_FLAG_SELECTORS(__sel)			\
17983 	SELECTOR(__sel, NONE, 0) /* must be first */	\
17984 	SELECTOR(__sel, WIPHY,				\
17985 		 NL80211_FLAG_NEED_WIPHY)		\
17986 	SELECTOR(__sel, WDEV,				\
17987 		 NL80211_FLAG_NEED_WDEV)		\
17988 	SELECTOR(__sel, NETDEV,				\
17989 		 NL80211_FLAG_NEED_NETDEV)		\
17990 	SELECTOR(__sel, NETDEV_LINK,			\
17991 		 NL80211_FLAG_NEED_NETDEV |		\
17992 		 NL80211_FLAG_MLO_VALID_LINK_ID)	\
17993 	SELECTOR(__sel, NETDEV_NO_MLO,			\
17994 		 NL80211_FLAG_NEED_NETDEV |		\
17995 		 NL80211_FLAG_MLO_UNSUPPORTED)	\
17996 	SELECTOR(__sel, WIPHY_RTNL,			\
17997 		 NL80211_FLAG_NEED_WIPHY |		\
17998 		 NL80211_FLAG_NEED_RTNL)		\
17999 	SELECTOR(__sel, WIPHY_RTNL_NOMTX,		\
18000 		 NL80211_FLAG_NEED_WIPHY |		\
18001 		 NL80211_FLAG_NEED_RTNL |		\
18002 		 NL80211_FLAG_NO_WIPHY_MTX)		\
18003 	SELECTOR(__sel, WDEV_RTNL,			\
18004 		 NL80211_FLAG_NEED_WDEV |		\
18005 		 NL80211_FLAG_NEED_RTNL)		\
18006 	SELECTOR(__sel, NETDEV_RTNL,			\
18007 		 NL80211_FLAG_NEED_NETDEV |		\
18008 		 NL80211_FLAG_NEED_RTNL)		\
18009 	SELECTOR(__sel, NETDEV_UP,			\
18010 		 NL80211_FLAG_NEED_NETDEV_UP)		\
18011 	SELECTOR(__sel, NETDEV_UP_LINK,			\
18012 		 NL80211_FLAG_NEED_NETDEV_UP |		\
18013 		 NL80211_FLAG_MLO_VALID_LINK_ID)	\
18014 	SELECTOR(__sel, NETDEV_UP_NO_MLO,		\
18015 		 NL80211_FLAG_NEED_NETDEV_UP |		\
18016 		 NL80211_FLAG_MLO_UNSUPPORTED)		\
18017 	SELECTOR(__sel, NETDEV_UP_NO_MLO_CLEAR,		\
18018 		 NL80211_FLAG_NEED_NETDEV_UP |		\
18019 		 NL80211_FLAG_CLEAR_SKB |		\
18020 		 NL80211_FLAG_MLO_UNSUPPORTED)		\
18021 	SELECTOR(__sel, NETDEV_UP_NOTMX,		\
18022 		 NL80211_FLAG_NEED_NETDEV_UP |		\
18023 		 NL80211_FLAG_NO_WIPHY_MTX)		\
18024 	SELECTOR(__sel, NETDEV_UP_NOTMX_MLO,		\
18025 		 NL80211_FLAG_NEED_NETDEV_UP |		\
18026 		 NL80211_FLAG_NO_WIPHY_MTX |		\
18027 		 NL80211_FLAG_MLO_VALID_LINK_ID)	\
18028 	SELECTOR(__sel, NETDEV_UP_CLEAR,		\
18029 		 NL80211_FLAG_NEED_NETDEV_UP |		\
18030 		 NL80211_FLAG_CLEAR_SKB)		\
18031 	SELECTOR(__sel, WDEV_UP,			\
18032 		 NL80211_FLAG_NEED_WDEV_UP)		\
18033 	SELECTOR(__sel, WDEV_UP_LINK,			\
18034 		 NL80211_FLAG_NEED_WDEV_UP |		\
18035 		 NL80211_FLAG_MLO_VALID_LINK_ID)	\
18036 	SELECTOR(__sel, WDEV_UP_RTNL,			\
18037 		 NL80211_FLAG_NEED_WDEV_UP |		\
18038 		 NL80211_FLAG_NEED_RTNL)		\
18039 	SELECTOR(__sel, WIPHY_CLEAR,			\
18040 		 NL80211_FLAG_NEED_WIPHY |		\
18041 		 NL80211_FLAG_CLEAR_SKB)
18042 
18043 enum nl80211_internal_flags_selector {
18044 #define SELECTOR(_, name, value)	NL80211_IFL_SEL_##name,
18045 	INTERNAL_FLAG_SELECTORS(_)
18046 #undef SELECTOR
18047 };
18048 
18049 static u32 nl80211_internal_flags[] = {
18050 #define SELECTOR(_, name, value)	[NL80211_IFL_SEL_##name] = value,
18051 	INTERNAL_FLAG_SELECTORS(_)
18052 #undef SELECTOR
18053 };
18054 
18055 static int nl80211_pre_doit(const struct genl_split_ops *ops,
18056 			    struct sk_buff *skb,
18057 			    struct genl_info *info)
18058 {
18059 	struct cfg80211_registered_device *rdev = NULL;
18060 	struct wireless_dev *wdev = NULL;
18061 	struct net_device *dev = NULL;
18062 	u32 internal_flags;
18063 	int err;
18064 
18065 	if (WARN_ON(ops->internal_flags >= ARRAY_SIZE(nl80211_internal_flags)))
18066 		return -EINVAL;
18067 
18068 	internal_flags = nl80211_internal_flags[ops->internal_flags];
18069 
18070 	rtnl_lock();
18071 	if (internal_flags & NL80211_FLAG_NEED_WIPHY) {
18072 		rdev = cfg80211_get_dev_from_info(genl_info_net(info), info);
18073 		if (IS_ERR(rdev)) {
18074 			err = PTR_ERR(rdev);
18075 			goto out_unlock;
18076 		}
18077 		info->user_ptr[0] = rdev;
18078 	} else if (internal_flags & NL80211_FLAG_NEED_NETDEV ||
18079 		   internal_flags & NL80211_FLAG_NEED_WDEV) {
18080 		wdev = __cfg80211_wdev_from_attrs(NULL, genl_info_net(info),
18081 						  info->attrs);
18082 		if (IS_ERR(wdev)) {
18083 			err = PTR_ERR(wdev);
18084 			goto out_unlock;
18085 		}
18086 
18087 		dev = wdev->netdev;
18088 		dev_hold(dev);
18089 		rdev = wiphy_to_rdev(wdev->wiphy);
18090 
18091 		if (internal_flags & NL80211_FLAG_NEED_NETDEV) {
18092 			if (!dev) {
18093 				err = -EINVAL;
18094 				goto out_unlock;
18095 			}
18096 
18097 			info->user_ptr[1] = dev;
18098 		} else {
18099 			info->user_ptr[1] = wdev;
18100 		}
18101 
18102 		if (internal_flags & NL80211_FLAG_CHECK_NETDEV_UP &&
18103 		    !wdev_running(wdev)) {
18104 			err = -ENETDOWN;
18105 			goto out_unlock;
18106 		}
18107 
18108 		info->user_ptr[0] = rdev;
18109 	}
18110 
18111 	if (internal_flags & NL80211_FLAG_MLO_VALID_LINK_ID) {
18112 		struct nlattr *link_id = info->attrs[NL80211_ATTR_MLO_LINK_ID];
18113 
18114 		if (!wdev) {
18115 			err = -EINVAL;
18116 			goto out_unlock;
18117 		}
18118 
18119 		/* MLO -> require valid link ID */
18120 		if (wdev->valid_links &&
18121 		    (!link_id ||
18122 		     !(wdev->valid_links & BIT(nla_get_u8(link_id))))) {
18123 			err = -EINVAL;
18124 			goto out_unlock;
18125 		}
18126 
18127 		/* non-MLO -> no link ID attribute accepted */
18128 		if (!wdev->valid_links && link_id) {
18129 			err = -EINVAL;
18130 			goto out_unlock;
18131 		}
18132 	}
18133 
18134 	if (internal_flags & NL80211_FLAG_MLO_UNSUPPORTED) {
18135 		if (info->attrs[NL80211_ATTR_MLO_LINK_ID] ||
18136 		    (wdev && wdev->valid_links)) {
18137 			err = -EINVAL;
18138 			goto out_unlock;
18139 		}
18140 	}
18141 
18142 	if (rdev && !(internal_flags & NL80211_FLAG_NO_WIPHY_MTX)) {
18143 		wiphy_lock(&rdev->wiphy);
18144 		/* we keep the mutex locked until post_doit */
18145 		__release(&rdev->wiphy.mtx);
18146 	}
18147 	if (!(internal_flags & NL80211_FLAG_NEED_RTNL))
18148 		rtnl_unlock();
18149 
18150 	return 0;
18151 out_unlock:
18152 	rtnl_unlock();
18153 	dev_put(dev);
18154 	return err;
18155 }
18156 
18157 static void nl80211_post_doit(const struct genl_split_ops *ops,
18158 			      struct sk_buff *skb,
18159 			      struct genl_info *info)
18160 {
18161 	u32 internal_flags = nl80211_internal_flags[ops->internal_flags];
18162 
18163 	if (info->user_ptr[1]) {
18164 		if (internal_flags & NL80211_FLAG_NEED_WDEV) {
18165 			struct wireless_dev *wdev = info->user_ptr[1];
18166 
18167 			dev_put(wdev->netdev);
18168 		} else {
18169 			dev_put(info->user_ptr[1]);
18170 		}
18171 	}
18172 
18173 	if (info->user_ptr[0] &&
18174 	    !(internal_flags & NL80211_FLAG_NO_WIPHY_MTX)) {
18175 		struct cfg80211_registered_device *rdev = info->user_ptr[0];
18176 
18177 		/* we kept the mutex locked since pre_doit */
18178 		__acquire(&rdev->wiphy.mtx);
18179 		wiphy_unlock(&rdev->wiphy);
18180 	}
18181 
18182 	if (internal_flags & NL80211_FLAG_NEED_RTNL)
18183 		rtnl_unlock();
18184 
18185 	/* If needed, clear the netlink message payload from the SKB
18186 	 * as it might contain key data that shouldn't stick around on
18187 	 * the heap after the SKB is freed. The netlink message header
18188 	 * is still needed for further processing, so leave it intact.
18189 	 */
18190 	if (internal_flags & NL80211_FLAG_CLEAR_SKB) {
18191 		struct nlmsghdr *nlh = nlmsg_hdr(skb);
18192 
18193 		memset(nlmsg_data(nlh), 0, nlmsg_len(nlh));
18194 	}
18195 }
18196 
18197 static int nl80211_set_sar_sub_specs(struct cfg80211_registered_device *rdev,
18198 				     struct cfg80211_sar_specs *sar_specs,
18199 				     struct nlattr *spec[], int index)
18200 {
18201 	u32 range_index, i;
18202 
18203 	if (!sar_specs || !spec)
18204 		return -EINVAL;
18205 
18206 	if (!spec[NL80211_SAR_ATTR_SPECS_POWER] ||
18207 	    !spec[NL80211_SAR_ATTR_SPECS_RANGE_INDEX])
18208 		return -EINVAL;
18209 
18210 	range_index = nla_get_u32(spec[NL80211_SAR_ATTR_SPECS_RANGE_INDEX]);
18211 
18212 	/* check if range_index exceeds num_freq_ranges */
18213 	if (range_index >= rdev->wiphy.sar_capa->num_freq_ranges)
18214 		return -EINVAL;
18215 
18216 	/* check if range_index duplicates */
18217 	for (i = 0; i < index; i++) {
18218 		if (sar_specs->sub_specs[i].freq_range_index == range_index)
18219 			return -EINVAL;
18220 	}
18221 
18222 	sar_specs->sub_specs[index].power =
18223 		nla_get_s32(spec[NL80211_SAR_ATTR_SPECS_POWER]);
18224 
18225 	sar_specs->sub_specs[index].freq_range_index = range_index;
18226 
18227 	return 0;
18228 }
18229 
18230 static int nl80211_set_sar_specs(struct sk_buff *skb, struct genl_info *info)
18231 {
18232 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
18233 	struct nlattr *spec[NL80211_SAR_ATTR_SPECS_MAX + 1];
18234 	struct nlattr *tb[NL80211_SAR_ATTR_MAX + 1];
18235 	struct cfg80211_sar_specs *sar_spec;
18236 	enum nl80211_sar_type type;
18237 	struct nlattr *spec_list;
18238 	u32 specs;
18239 	int rem, err;
18240 
18241 	if (!rdev->wiphy.sar_capa || !rdev->ops->set_sar_specs)
18242 		return -EOPNOTSUPP;
18243 
18244 	if (!info->attrs[NL80211_ATTR_SAR_SPEC])
18245 		return -EINVAL;
18246 
18247 	nla_parse_nested(tb, NL80211_SAR_ATTR_MAX,
18248 			 info->attrs[NL80211_ATTR_SAR_SPEC],
18249 			 NULL, NULL);
18250 
18251 	if (!tb[NL80211_SAR_ATTR_TYPE] || !tb[NL80211_SAR_ATTR_SPECS])
18252 		return -EINVAL;
18253 
18254 	type = nla_get_u32(tb[NL80211_SAR_ATTR_TYPE]);
18255 	if (type != rdev->wiphy.sar_capa->type)
18256 		return -EINVAL;
18257 
18258 	specs = 0;
18259 	nla_for_each_nested(spec_list, tb[NL80211_SAR_ATTR_SPECS], rem)
18260 		specs++;
18261 
18262 	if (specs > rdev->wiphy.sar_capa->num_freq_ranges)
18263 		return -EINVAL;
18264 
18265 	sar_spec = kzalloc(struct_size(sar_spec, sub_specs, specs), GFP_KERNEL);
18266 	if (!sar_spec)
18267 		return -ENOMEM;
18268 
18269 	sar_spec->num_sub_specs = specs;
18270 	sar_spec->type = type;
18271 	specs = 0;
18272 	nla_for_each_nested(spec_list, tb[NL80211_SAR_ATTR_SPECS], rem) {
18273 		nla_parse_nested(spec, NL80211_SAR_ATTR_SPECS_MAX,
18274 				 spec_list, NULL, NULL);
18275 
18276 		switch (type) {
18277 		case NL80211_SAR_TYPE_POWER:
18278 			if (nl80211_set_sar_sub_specs(rdev, sar_spec,
18279 						      spec, specs)) {
18280 				err = -EINVAL;
18281 				goto error;
18282 			}
18283 			break;
18284 		default:
18285 			err = -EINVAL;
18286 			goto error;
18287 		}
18288 		specs++;
18289 	}
18290 
18291 	sar_spec->num_sub_specs = specs;
18292 
18293 	rdev->cur_cmd_info = info;
18294 	err = rdev_set_sar_specs(rdev, sar_spec);
18295 	rdev->cur_cmd_info = NULL;
18296 error:
18297 	kfree(sar_spec);
18298 	return err;
18299 }
18300 
18301 #define SELECTOR(__sel, name, value) \
18302 	((__sel) == (value)) ? NL80211_IFL_SEL_##name :
18303 int __missing_selector(void);
18304 #define IFLAGS(__val) INTERNAL_FLAG_SELECTORS(__val) __missing_selector()
18305 
18306 static const struct genl_ops nl80211_ops[] = {
18307 	{
18308 		.cmd = NL80211_CMD_GET_WIPHY,
18309 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18310 		.doit = nl80211_get_wiphy,
18311 		.dumpit = nl80211_dump_wiphy,
18312 		.done = nl80211_dump_wiphy_done,
18313 		/* can be retrieved by unprivileged users */
18314 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY),
18315 	},
18316 };
18317 
18318 static const struct genl_small_ops nl80211_small_ops[] = {
18319 	{
18320 		.cmd = NL80211_CMD_SET_WIPHY,
18321 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18322 		.doit = nl80211_set_wiphy,
18323 		.flags = GENL_UNS_ADMIN_PERM,
18324 	},
18325 	{
18326 		.cmd = NL80211_CMD_GET_INTERFACE,
18327 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18328 		.doit = nl80211_get_interface,
18329 		.dumpit = nl80211_dump_interface,
18330 		/* can be retrieved by unprivileged users */
18331 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV),
18332 	},
18333 	{
18334 		.cmd = NL80211_CMD_SET_INTERFACE,
18335 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18336 		.doit = nl80211_set_interface,
18337 		.flags = GENL_UNS_ADMIN_PERM,
18338 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV |
18339 					 NL80211_FLAG_NEED_RTNL),
18340 	},
18341 	{
18342 		.cmd = NL80211_CMD_NEW_INTERFACE,
18343 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18344 		.doit = nl80211_new_interface,
18345 		.flags = GENL_UNS_ADMIN_PERM,
18346 		.internal_flags =
18347 			IFLAGS(NL80211_FLAG_NEED_WIPHY |
18348 			       NL80211_FLAG_NEED_RTNL |
18349 			       /* we take the wiphy mutex later ourselves */
18350 			       NL80211_FLAG_NO_WIPHY_MTX),
18351 	},
18352 	{
18353 		.cmd = NL80211_CMD_DEL_INTERFACE,
18354 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18355 		.doit = nl80211_del_interface,
18356 		.flags = GENL_UNS_ADMIN_PERM,
18357 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV |
18358 					 NL80211_FLAG_NEED_RTNL),
18359 	},
18360 	{
18361 		.cmd = NL80211_CMD_GET_KEY,
18362 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18363 		.doit = nl80211_get_key,
18364 		.flags = GENL_UNS_ADMIN_PERM,
18365 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
18366 	},
18367 	{
18368 		.cmd = NL80211_CMD_SET_KEY,
18369 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18370 		.doit = nl80211_set_key,
18371 		.flags = GENL_UNS_ADMIN_PERM,
18372 		/* cannot use NL80211_FLAG_MLO_VALID_LINK_ID, depends on key */
18373 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
18374 					 NL80211_FLAG_CLEAR_SKB),
18375 	},
18376 	{
18377 		.cmd = NL80211_CMD_NEW_KEY,
18378 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18379 		.doit = nl80211_new_key,
18380 		.flags = GENL_UNS_ADMIN_PERM,
18381 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
18382 					 NL80211_FLAG_CLEAR_SKB),
18383 	},
18384 	{
18385 		.cmd = NL80211_CMD_DEL_KEY,
18386 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18387 		.doit = nl80211_del_key,
18388 		.flags = GENL_UNS_ADMIN_PERM,
18389 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
18390 	},
18391 	{
18392 		.cmd = NL80211_CMD_SET_BEACON,
18393 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18394 		.flags = GENL_UNS_ADMIN_PERM,
18395 		.doit = nl80211_set_beacon,
18396 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
18397 					 NL80211_FLAG_MLO_VALID_LINK_ID),
18398 	},
18399 	{
18400 		.cmd = NL80211_CMD_START_AP,
18401 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18402 		.flags = GENL_UNS_ADMIN_PERM,
18403 		.doit = nl80211_start_ap,
18404 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
18405 					 NL80211_FLAG_MLO_VALID_LINK_ID),
18406 	},
18407 	{
18408 		.cmd = NL80211_CMD_STOP_AP,
18409 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18410 		.flags = GENL_UNS_ADMIN_PERM,
18411 		.doit = nl80211_stop_ap,
18412 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
18413 					 NL80211_FLAG_MLO_VALID_LINK_ID),
18414 	},
18415 	{
18416 		.cmd = NL80211_CMD_GET_STATION,
18417 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18418 		.doit = nl80211_get_station,
18419 		.dumpit = nl80211_dump_station,
18420 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV),
18421 	},
18422 	{
18423 		.cmd = NL80211_CMD_SET_STATION,
18424 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18425 		.doit = nl80211_set_station,
18426 		.flags = GENL_UNS_ADMIN_PERM,
18427 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
18428 	},
18429 	{
18430 		.cmd = NL80211_CMD_NEW_STATION,
18431 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18432 		.doit = nl80211_new_station,
18433 		.flags = GENL_UNS_ADMIN_PERM,
18434 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
18435 	},
18436 	{
18437 		.cmd = NL80211_CMD_DEL_STATION,
18438 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18439 		.doit = nl80211_del_station,
18440 		.flags = GENL_UNS_ADMIN_PERM,
18441 		/* cannot use NL80211_FLAG_MLO_VALID_LINK_ID, depends on
18442 		 * whether MAC address is passed or not. If MAC address is
18443 		 * passed, then even during MLO, link ID is not required.
18444 		 */
18445 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
18446 	},
18447 	{
18448 		.cmd = NL80211_CMD_GET_MPATH,
18449 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18450 		.doit = nl80211_get_mpath,
18451 		.dumpit = nl80211_dump_mpath,
18452 		.flags = GENL_UNS_ADMIN_PERM,
18453 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
18454 	},
18455 	{
18456 		.cmd = NL80211_CMD_GET_MPP,
18457 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18458 		.doit = nl80211_get_mpp,
18459 		.dumpit = nl80211_dump_mpp,
18460 		.flags = GENL_UNS_ADMIN_PERM,
18461 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
18462 	},
18463 	{
18464 		.cmd = NL80211_CMD_SET_MPATH,
18465 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18466 		.doit = nl80211_set_mpath,
18467 		.flags = GENL_UNS_ADMIN_PERM,
18468 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
18469 	},
18470 	{
18471 		.cmd = NL80211_CMD_NEW_MPATH,
18472 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18473 		.doit = nl80211_new_mpath,
18474 		.flags = GENL_UNS_ADMIN_PERM,
18475 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
18476 	},
18477 	{
18478 		.cmd = NL80211_CMD_DEL_MPATH,
18479 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18480 		.doit = nl80211_del_mpath,
18481 		.flags = GENL_UNS_ADMIN_PERM,
18482 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
18483 	},
18484 	{
18485 		.cmd = NL80211_CMD_SET_BSS,
18486 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18487 		.doit = nl80211_set_bss,
18488 		.flags = GENL_UNS_ADMIN_PERM,
18489 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
18490 					 NL80211_FLAG_MLO_VALID_LINK_ID),
18491 	},
18492 	{
18493 		.cmd = NL80211_CMD_GET_REG,
18494 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18495 		.doit = nl80211_get_reg_do,
18496 		.dumpit = nl80211_get_reg_dump,
18497 		/* can be retrieved by unprivileged users */
18498 	},
18499 #ifdef CONFIG_CFG80211_CRDA_SUPPORT
18500 	{
18501 		.cmd = NL80211_CMD_SET_REG,
18502 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18503 		.doit = nl80211_set_reg,
18504 		.flags = GENL_ADMIN_PERM,
18505 	},
18506 #endif
18507 	{
18508 		.cmd = NL80211_CMD_REQ_SET_REG,
18509 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18510 		.doit = nl80211_req_set_reg,
18511 		.flags = GENL_ADMIN_PERM,
18512 	},
18513 	{
18514 		.cmd = NL80211_CMD_RELOAD_REGDB,
18515 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18516 		.doit = nl80211_reload_regdb,
18517 		.flags = GENL_ADMIN_PERM,
18518 	},
18519 	{
18520 		.cmd = NL80211_CMD_GET_MESH_CONFIG,
18521 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18522 		.doit = nl80211_get_mesh_config,
18523 		/* can be retrieved by unprivileged users */
18524 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
18525 	},
18526 	{
18527 		.cmd = NL80211_CMD_SET_MESH_CONFIG,
18528 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18529 		.doit = nl80211_update_mesh_config,
18530 		.flags = GENL_UNS_ADMIN_PERM,
18531 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
18532 	},
18533 	{
18534 		.cmd = NL80211_CMD_TRIGGER_SCAN,
18535 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18536 		.doit = nl80211_trigger_scan,
18537 		.flags = GENL_UNS_ADMIN_PERM,
18538 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
18539 	},
18540 	{
18541 		.cmd = NL80211_CMD_ABORT_SCAN,
18542 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18543 		.doit = nl80211_abort_scan,
18544 		.flags = GENL_UNS_ADMIN_PERM,
18545 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
18546 	},
18547 	{
18548 		.cmd = NL80211_CMD_GET_SCAN,
18549 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18550 		.dumpit = nl80211_dump_scan,
18551 	},
18552 	{
18553 		.cmd = NL80211_CMD_START_SCHED_SCAN,
18554 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18555 		.doit = nl80211_start_sched_scan,
18556 		.flags = GENL_UNS_ADMIN_PERM,
18557 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
18558 	},
18559 	{
18560 		.cmd = NL80211_CMD_STOP_SCHED_SCAN,
18561 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18562 		.doit = nl80211_stop_sched_scan,
18563 		.flags = GENL_UNS_ADMIN_PERM,
18564 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
18565 	},
18566 	{
18567 		.cmd = NL80211_CMD_AUTHENTICATE,
18568 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18569 		.doit = nl80211_authenticate,
18570 		.flags = GENL_UNS_ADMIN_PERM,
18571 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
18572 					 NL80211_FLAG_CLEAR_SKB),
18573 	},
18574 	{
18575 		.cmd = NL80211_CMD_ASSOCIATE,
18576 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18577 		.doit = nl80211_associate,
18578 		.flags = GENL_UNS_ADMIN_PERM,
18579 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
18580 					 NL80211_FLAG_CLEAR_SKB),
18581 	},
18582 	{
18583 		.cmd = NL80211_CMD_DEAUTHENTICATE,
18584 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18585 		.doit = nl80211_deauthenticate,
18586 		.flags = GENL_UNS_ADMIN_PERM,
18587 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
18588 	},
18589 	{
18590 		.cmd = NL80211_CMD_DISASSOCIATE,
18591 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18592 		.doit = nl80211_disassociate,
18593 		.flags = GENL_UNS_ADMIN_PERM,
18594 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
18595 	},
18596 	{
18597 		.cmd = NL80211_CMD_JOIN_IBSS,
18598 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18599 		.doit = nl80211_join_ibss,
18600 		.flags = GENL_UNS_ADMIN_PERM,
18601 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
18602 	},
18603 	{
18604 		.cmd = NL80211_CMD_LEAVE_IBSS,
18605 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18606 		.doit = nl80211_leave_ibss,
18607 		.flags = GENL_UNS_ADMIN_PERM,
18608 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
18609 	},
18610 #ifdef CONFIG_NL80211_TESTMODE
18611 	{
18612 		.cmd = NL80211_CMD_TESTMODE,
18613 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18614 		.doit = nl80211_testmode_do,
18615 		.dumpit = nl80211_testmode_dump,
18616 		.flags = GENL_UNS_ADMIN_PERM,
18617 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY),
18618 	},
18619 #endif
18620 	{
18621 		.cmd = NL80211_CMD_CONNECT,
18622 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18623 		.doit = nl80211_connect,
18624 		.flags = GENL_UNS_ADMIN_PERM,
18625 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
18626 					 NL80211_FLAG_CLEAR_SKB),
18627 	},
18628 	{
18629 		.cmd = NL80211_CMD_UPDATE_CONNECT_PARAMS,
18630 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18631 		.doit = nl80211_update_connect_params,
18632 		.flags = GENL_ADMIN_PERM,
18633 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
18634 					 NL80211_FLAG_CLEAR_SKB),
18635 	},
18636 	{
18637 		.cmd = NL80211_CMD_DISCONNECT,
18638 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18639 		.doit = nl80211_disconnect,
18640 		.flags = GENL_UNS_ADMIN_PERM,
18641 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
18642 	},
18643 	{
18644 		.cmd = NL80211_CMD_SET_WIPHY_NETNS,
18645 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18646 		.doit = nl80211_wiphy_netns,
18647 		.flags = GENL_UNS_ADMIN_PERM,
18648 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY |
18649 					 NL80211_FLAG_NEED_RTNL |
18650 					 NL80211_FLAG_NO_WIPHY_MTX),
18651 	},
18652 	{
18653 		.cmd = NL80211_CMD_GET_SURVEY,
18654 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18655 		.dumpit = nl80211_dump_survey,
18656 	},
18657 	{
18658 		.cmd = NL80211_CMD_SET_PMKSA,
18659 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18660 		.doit = nl80211_set_pmksa,
18661 		.flags = GENL_UNS_ADMIN_PERM,
18662 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
18663 					 NL80211_FLAG_CLEAR_SKB),
18664 	},
18665 	{
18666 		.cmd = NL80211_CMD_DEL_PMKSA,
18667 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18668 		.doit = nl80211_del_pmksa,
18669 		.flags = GENL_UNS_ADMIN_PERM,
18670 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
18671 	},
18672 	{
18673 		.cmd = NL80211_CMD_FLUSH_PMKSA,
18674 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18675 		.doit = nl80211_flush_pmksa,
18676 		.flags = GENL_UNS_ADMIN_PERM,
18677 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
18678 	},
18679 	{
18680 		.cmd = NL80211_CMD_REMAIN_ON_CHANNEL,
18681 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18682 		.doit = nl80211_remain_on_channel,
18683 		.flags = GENL_UNS_ADMIN_PERM,
18684 		/* FIXME: requiring a link ID here is probably not good */
18685 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP |
18686 					 NL80211_FLAG_MLO_VALID_LINK_ID),
18687 	},
18688 	{
18689 		.cmd = NL80211_CMD_CANCEL_REMAIN_ON_CHANNEL,
18690 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18691 		.doit = nl80211_cancel_remain_on_channel,
18692 		.flags = GENL_UNS_ADMIN_PERM,
18693 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
18694 	},
18695 	{
18696 		.cmd = NL80211_CMD_SET_TX_BITRATE_MASK,
18697 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18698 		.doit = nl80211_set_tx_bitrate_mask,
18699 		.flags = GENL_UNS_ADMIN_PERM,
18700 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV |
18701 					 NL80211_FLAG_MLO_VALID_LINK_ID),
18702 	},
18703 	{
18704 		.cmd = NL80211_CMD_REGISTER_FRAME,
18705 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18706 		.doit = nl80211_register_mgmt,
18707 		.flags = GENL_UNS_ADMIN_PERM,
18708 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV),
18709 	},
18710 	{
18711 		.cmd = NL80211_CMD_FRAME,
18712 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18713 		.doit = nl80211_tx_mgmt,
18714 		.flags = GENL_UNS_ADMIN_PERM,
18715 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
18716 	},
18717 	{
18718 		.cmd = NL80211_CMD_FRAME_WAIT_CANCEL,
18719 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18720 		.doit = nl80211_tx_mgmt_cancel_wait,
18721 		.flags = GENL_UNS_ADMIN_PERM,
18722 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
18723 	},
18724 	{
18725 		.cmd = NL80211_CMD_SET_POWER_SAVE,
18726 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18727 		.doit = nl80211_set_power_save,
18728 		.flags = GENL_UNS_ADMIN_PERM,
18729 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV),
18730 	},
18731 	{
18732 		.cmd = NL80211_CMD_GET_POWER_SAVE,
18733 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18734 		.doit = nl80211_get_power_save,
18735 		/* can be retrieved by unprivileged users */
18736 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV),
18737 	},
18738 	{
18739 		.cmd = NL80211_CMD_SET_CQM,
18740 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18741 		.doit = nl80211_set_cqm,
18742 		.flags = GENL_UNS_ADMIN_PERM,
18743 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV),
18744 	},
18745 	{
18746 		.cmd = NL80211_CMD_SET_CHANNEL,
18747 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18748 		.doit = nl80211_set_channel,
18749 		.flags = GENL_UNS_ADMIN_PERM,
18750 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV |
18751 					 NL80211_FLAG_MLO_VALID_LINK_ID),
18752 	},
18753 	{
18754 		.cmd = NL80211_CMD_JOIN_MESH,
18755 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18756 		.doit = nl80211_join_mesh,
18757 		.flags = GENL_UNS_ADMIN_PERM,
18758 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
18759 	},
18760 	{
18761 		.cmd = NL80211_CMD_LEAVE_MESH,
18762 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18763 		.doit = nl80211_leave_mesh,
18764 		.flags = GENL_UNS_ADMIN_PERM,
18765 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
18766 	},
18767 	{
18768 		.cmd = NL80211_CMD_JOIN_OCB,
18769 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18770 		.doit = nl80211_join_ocb,
18771 		.flags = GENL_UNS_ADMIN_PERM,
18772 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
18773 	},
18774 	{
18775 		.cmd = NL80211_CMD_LEAVE_OCB,
18776 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18777 		.doit = nl80211_leave_ocb,
18778 		.flags = GENL_UNS_ADMIN_PERM,
18779 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
18780 	},
18781 #ifdef CONFIG_PM
18782 	{
18783 		.cmd = NL80211_CMD_GET_WOWLAN,
18784 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18785 		.doit = nl80211_get_wowlan,
18786 		/* can be retrieved by unprivileged users */
18787 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY),
18788 	},
18789 	{
18790 		.cmd = NL80211_CMD_SET_WOWLAN,
18791 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18792 		.doit = nl80211_set_wowlan,
18793 		.flags = GENL_UNS_ADMIN_PERM,
18794 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY),
18795 	},
18796 #endif
18797 	{
18798 		.cmd = NL80211_CMD_SET_REKEY_OFFLOAD,
18799 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18800 		.doit = nl80211_set_rekey_data,
18801 		.flags = GENL_UNS_ADMIN_PERM,
18802 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
18803 					 NL80211_FLAG_CLEAR_SKB),
18804 	},
18805 	{
18806 		.cmd = NL80211_CMD_TDLS_MGMT,
18807 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18808 		.doit = nl80211_tdls_mgmt,
18809 		.flags = GENL_UNS_ADMIN_PERM,
18810 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
18811 					 NL80211_FLAG_MLO_VALID_LINK_ID),
18812 	},
18813 	{
18814 		.cmd = NL80211_CMD_TDLS_OPER,
18815 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18816 		.doit = nl80211_tdls_oper,
18817 		.flags = GENL_UNS_ADMIN_PERM,
18818 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
18819 	},
18820 	{
18821 		.cmd = NL80211_CMD_UNEXPECTED_FRAME,
18822 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18823 		.doit = nl80211_register_unexpected_frame,
18824 		.flags = GENL_UNS_ADMIN_PERM,
18825 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV),
18826 	},
18827 	{
18828 		.cmd = NL80211_CMD_PROBE_CLIENT,
18829 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18830 		.doit = nl80211_probe_client,
18831 		.flags = GENL_UNS_ADMIN_PERM,
18832 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
18833 	},
18834 	{
18835 		.cmd = NL80211_CMD_REGISTER_BEACONS,
18836 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18837 		.doit = nl80211_register_beacons,
18838 		.flags = GENL_UNS_ADMIN_PERM,
18839 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY),
18840 	},
18841 	{
18842 		.cmd = NL80211_CMD_SET_NOACK_MAP,
18843 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18844 		.doit = nl80211_set_noack_map,
18845 		.flags = GENL_UNS_ADMIN_PERM,
18846 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV),
18847 	},
18848 	{
18849 		.cmd = NL80211_CMD_START_P2P_DEVICE,
18850 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18851 		.doit = nl80211_start_p2p_device,
18852 		.flags = GENL_UNS_ADMIN_PERM,
18853 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV |
18854 					 NL80211_FLAG_NEED_RTNL),
18855 	},
18856 	{
18857 		.cmd = NL80211_CMD_STOP_P2P_DEVICE,
18858 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18859 		.doit = nl80211_stop_p2p_device,
18860 		.flags = GENL_UNS_ADMIN_PERM,
18861 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP |
18862 					 NL80211_FLAG_NEED_RTNL),
18863 	},
18864 	{
18865 		.cmd = NL80211_CMD_START_NAN,
18866 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18867 		.doit = nl80211_start_nan,
18868 		.flags = GENL_ADMIN_PERM,
18869 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV |
18870 					 NL80211_FLAG_NEED_RTNL),
18871 	},
18872 	{
18873 		.cmd = NL80211_CMD_STOP_NAN,
18874 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18875 		.doit = nl80211_stop_nan,
18876 		.flags = GENL_ADMIN_PERM,
18877 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP |
18878 					 NL80211_FLAG_NEED_RTNL),
18879 	},
18880 	{
18881 		.cmd = NL80211_CMD_ADD_NAN_FUNCTION,
18882 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18883 		.doit = nl80211_nan_add_func,
18884 		.flags = GENL_ADMIN_PERM,
18885 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
18886 	},
18887 	{
18888 		.cmd = NL80211_CMD_DEL_NAN_FUNCTION,
18889 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18890 		.doit = nl80211_nan_del_func,
18891 		.flags = GENL_ADMIN_PERM,
18892 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
18893 	},
18894 	{
18895 		.cmd = NL80211_CMD_CHANGE_NAN_CONFIG,
18896 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18897 		.doit = nl80211_nan_change_config,
18898 		.flags = GENL_ADMIN_PERM,
18899 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
18900 	},
18901 	{
18902 		.cmd = NL80211_CMD_SET_MCAST_RATE,
18903 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18904 		.doit = nl80211_set_mcast_rate,
18905 		.flags = GENL_UNS_ADMIN_PERM,
18906 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV),
18907 	},
18908 	{
18909 		.cmd = NL80211_CMD_SET_MAC_ACL,
18910 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18911 		.doit = nl80211_set_mac_acl,
18912 		.flags = GENL_UNS_ADMIN_PERM,
18913 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV |
18914 					 NL80211_FLAG_MLO_UNSUPPORTED),
18915 	},
18916 	{
18917 		.cmd = NL80211_CMD_RADAR_DETECT,
18918 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18919 		.doit = nl80211_start_radar_detection,
18920 		.flags = GENL_UNS_ADMIN_PERM,
18921 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
18922 					 NL80211_FLAG_NO_WIPHY_MTX |
18923 					 NL80211_FLAG_MLO_VALID_LINK_ID),
18924 	},
18925 	{
18926 		.cmd = NL80211_CMD_GET_PROTOCOL_FEATURES,
18927 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18928 		.doit = nl80211_get_protocol_features,
18929 	},
18930 	{
18931 		.cmd = NL80211_CMD_UPDATE_FT_IES,
18932 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18933 		.doit = nl80211_update_ft_ies,
18934 		.flags = GENL_UNS_ADMIN_PERM,
18935 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
18936 	},
18937 	{
18938 		.cmd = NL80211_CMD_CRIT_PROTOCOL_START,
18939 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18940 		.doit = nl80211_crit_protocol_start,
18941 		.flags = GENL_UNS_ADMIN_PERM,
18942 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
18943 	},
18944 	{
18945 		.cmd = NL80211_CMD_CRIT_PROTOCOL_STOP,
18946 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18947 		.doit = nl80211_crit_protocol_stop,
18948 		.flags = GENL_UNS_ADMIN_PERM,
18949 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
18950 	},
18951 	{
18952 		.cmd = NL80211_CMD_GET_COALESCE,
18953 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18954 		.doit = nl80211_get_coalesce,
18955 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY),
18956 	},
18957 	{
18958 		.cmd = NL80211_CMD_SET_COALESCE,
18959 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18960 		.doit = nl80211_set_coalesce,
18961 		.flags = GENL_UNS_ADMIN_PERM,
18962 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY),
18963 	},
18964 	{
18965 		.cmd = NL80211_CMD_CHANNEL_SWITCH,
18966 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18967 		.doit = nl80211_channel_switch,
18968 		.flags = GENL_UNS_ADMIN_PERM,
18969 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
18970 					 NL80211_FLAG_MLO_VALID_LINK_ID),
18971 	},
18972 	{
18973 		.cmd = NL80211_CMD_VENDOR,
18974 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18975 		.doit = nl80211_vendor_cmd,
18976 		.dumpit = nl80211_vendor_cmd_dump,
18977 		.flags = GENL_UNS_ADMIN_PERM,
18978 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY |
18979 					 NL80211_FLAG_CLEAR_SKB),
18980 	},
18981 	{
18982 		.cmd = NL80211_CMD_SET_QOS_MAP,
18983 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18984 		.doit = nl80211_set_qos_map,
18985 		.flags = GENL_UNS_ADMIN_PERM,
18986 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
18987 	},
18988 	{
18989 		.cmd = NL80211_CMD_ADD_TX_TS,
18990 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18991 		.doit = nl80211_add_tx_ts,
18992 		.flags = GENL_UNS_ADMIN_PERM,
18993 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
18994 					 NL80211_FLAG_MLO_UNSUPPORTED),
18995 	},
18996 	{
18997 		.cmd = NL80211_CMD_DEL_TX_TS,
18998 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18999 		.doit = nl80211_del_tx_ts,
19000 		.flags = GENL_UNS_ADMIN_PERM,
19001 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
19002 	},
19003 	{
19004 		.cmd = NL80211_CMD_TDLS_CHANNEL_SWITCH,
19005 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19006 		.doit = nl80211_tdls_channel_switch,
19007 		.flags = GENL_UNS_ADMIN_PERM,
19008 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
19009 	},
19010 	{
19011 		.cmd = NL80211_CMD_TDLS_CANCEL_CHANNEL_SWITCH,
19012 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19013 		.doit = nl80211_tdls_cancel_channel_switch,
19014 		.flags = GENL_UNS_ADMIN_PERM,
19015 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
19016 	},
19017 	{
19018 		.cmd = NL80211_CMD_SET_MULTICAST_TO_UNICAST,
19019 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19020 		.doit = nl80211_set_multicast_to_unicast,
19021 		.flags = GENL_UNS_ADMIN_PERM,
19022 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV),
19023 	},
19024 	{
19025 		.cmd = NL80211_CMD_SET_PMK,
19026 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19027 		.doit = nl80211_set_pmk,
19028 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
19029 					 NL80211_FLAG_CLEAR_SKB),
19030 	},
19031 	{
19032 		.cmd = NL80211_CMD_DEL_PMK,
19033 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19034 		.doit = nl80211_del_pmk,
19035 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
19036 	},
19037 	{
19038 		.cmd = NL80211_CMD_EXTERNAL_AUTH,
19039 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19040 		.doit = nl80211_external_auth,
19041 		.flags = GENL_ADMIN_PERM,
19042 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
19043 	},
19044 	{
19045 		.cmd = NL80211_CMD_CONTROL_PORT_FRAME,
19046 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19047 		.doit = nl80211_tx_control_port,
19048 		.flags = GENL_UNS_ADMIN_PERM,
19049 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
19050 	},
19051 	{
19052 		.cmd = NL80211_CMD_GET_FTM_RESPONDER_STATS,
19053 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19054 		.doit = nl80211_get_ftm_responder_stats,
19055 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV |
19056 					 NL80211_FLAG_MLO_VALID_LINK_ID),
19057 	},
19058 	{
19059 		.cmd = NL80211_CMD_PEER_MEASUREMENT_START,
19060 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19061 		.doit = nl80211_pmsr_start,
19062 		.flags = GENL_UNS_ADMIN_PERM,
19063 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
19064 	},
19065 	{
19066 		.cmd = NL80211_CMD_NOTIFY_RADAR,
19067 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19068 		.doit = nl80211_notify_radar_detection,
19069 		.flags = GENL_UNS_ADMIN_PERM,
19070 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
19071 	},
19072 	{
19073 		.cmd = NL80211_CMD_UPDATE_OWE_INFO,
19074 		.doit = nl80211_update_owe_info,
19075 		.flags = GENL_ADMIN_PERM,
19076 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
19077 	},
19078 	{
19079 		.cmd = NL80211_CMD_PROBE_MESH_LINK,
19080 		.doit = nl80211_probe_mesh_link,
19081 		.flags = GENL_UNS_ADMIN_PERM,
19082 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
19083 	},
19084 	{
19085 		.cmd = NL80211_CMD_SET_TID_CONFIG,
19086 		.doit = nl80211_set_tid_config,
19087 		.flags = GENL_UNS_ADMIN_PERM,
19088 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV |
19089 					 NL80211_FLAG_MLO_VALID_LINK_ID),
19090 	},
19091 	{
19092 		.cmd = NL80211_CMD_SET_SAR_SPECS,
19093 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19094 		.doit = nl80211_set_sar_specs,
19095 		.flags = GENL_UNS_ADMIN_PERM,
19096 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY |
19097 					 NL80211_FLAG_NEED_RTNL),
19098 	},
19099 	{
19100 		.cmd = NL80211_CMD_COLOR_CHANGE_REQUEST,
19101 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19102 		.doit = nl80211_color_change,
19103 		.flags = GENL_UNS_ADMIN_PERM,
19104 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
19105 					 NL80211_FLAG_MLO_VALID_LINK_ID),
19106 	},
19107 	{
19108 		.cmd = NL80211_CMD_SET_FILS_AAD,
19109 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19110 		.doit = nl80211_set_fils_aad,
19111 		.flags = GENL_UNS_ADMIN_PERM,
19112 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
19113 	},
19114 	{
19115 		.cmd = NL80211_CMD_ADD_LINK,
19116 		.doit = nl80211_add_link,
19117 		.flags = GENL_UNS_ADMIN_PERM,
19118 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
19119 	},
19120 	{
19121 		.cmd = NL80211_CMD_REMOVE_LINK,
19122 		.doit = nl80211_remove_link,
19123 		.flags = GENL_UNS_ADMIN_PERM,
19124 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
19125 					 NL80211_FLAG_MLO_VALID_LINK_ID),
19126 	},
19127 	{
19128 		.cmd = NL80211_CMD_ADD_LINK_STA,
19129 		.doit = nl80211_add_link_station,
19130 		.flags = GENL_UNS_ADMIN_PERM,
19131 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
19132 					 NL80211_FLAG_MLO_VALID_LINK_ID),
19133 	},
19134 	{
19135 		.cmd = NL80211_CMD_MODIFY_LINK_STA,
19136 		.doit = nl80211_modify_link_station,
19137 		.flags = GENL_UNS_ADMIN_PERM,
19138 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
19139 					 NL80211_FLAG_MLO_VALID_LINK_ID),
19140 	},
19141 	{
19142 		.cmd = NL80211_CMD_REMOVE_LINK_STA,
19143 		.doit = nl80211_remove_link_station,
19144 		.flags = GENL_UNS_ADMIN_PERM,
19145 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
19146 					 NL80211_FLAG_MLO_VALID_LINK_ID),
19147 	},
19148 	{
19149 		.cmd = NL80211_CMD_SET_HW_TIMESTAMP,
19150 		.doit = nl80211_set_hw_timestamp,
19151 		.flags = GENL_UNS_ADMIN_PERM,
19152 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
19153 	},
19154 	{
19155 		.cmd = NL80211_CMD_SET_TID_TO_LINK_MAPPING,
19156 		.doit = nl80211_set_ttlm,
19157 		.flags = GENL_UNS_ADMIN_PERM,
19158 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
19159 	},
19160 	{
19161 		.cmd = NL80211_CMD_ASSOC_MLO_RECONF,
19162 		.doit = nl80211_assoc_ml_reconf,
19163 		.flags = GENL_UNS_ADMIN_PERM,
19164 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
19165 	},
19166 	{
19167 		.cmd = NL80211_CMD_EPCS_CFG,
19168 		.doit = nl80211_epcs_cfg,
19169 		.flags = GENL_UNS_ADMIN_PERM,
19170 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
19171 	},
19172 };
19173 
19174 static struct genl_family nl80211_fam __ro_after_init = {
19175 	.name = NL80211_GENL_NAME,	/* have users key off the name instead */
19176 	.hdrsize = 0,			/* no private header */
19177 	.version = 1,			/* no particular meaning now */
19178 	.maxattr = NL80211_ATTR_MAX,
19179 	.policy = nl80211_policy,
19180 	.netnsok = true,
19181 	.pre_doit = nl80211_pre_doit,
19182 	.post_doit = nl80211_post_doit,
19183 	.module = THIS_MODULE,
19184 	.ops = nl80211_ops,
19185 	.n_ops = ARRAY_SIZE(nl80211_ops),
19186 	.small_ops = nl80211_small_ops,
19187 	.n_small_ops = ARRAY_SIZE(nl80211_small_ops),
19188 	.resv_start_op = NL80211_CMD_REMOVE_LINK_STA + 1,
19189 	.mcgrps = nl80211_mcgrps,
19190 	.n_mcgrps = ARRAY_SIZE(nl80211_mcgrps),
19191 	.parallel_ops = true,
19192 };
19193 
19194 /* notification functions */
19195 
19196 void nl80211_notify_wiphy(struct cfg80211_registered_device *rdev,
19197 			  enum nl80211_commands cmd)
19198 {
19199 	struct sk_buff *msg;
19200 	struct nl80211_dump_wiphy_state state = {};
19201 
19202 	WARN_ON(cmd != NL80211_CMD_NEW_WIPHY &&
19203 		cmd != NL80211_CMD_DEL_WIPHY);
19204 
19205 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
19206 	if (!msg)
19207 		return;
19208 
19209 	if (nl80211_send_wiphy(rdev, cmd, msg, 0, 0, 0, &state) < 0) {
19210 		nlmsg_free(msg);
19211 		return;
19212 	}
19213 
19214 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
19215 				NL80211_MCGRP_CONFIG, GFP_KERNEL);
19216 }
19217 
19218 void nl80211_notify_iface(struct cfg80211_registered_device *rdev,
19219 				struct wireless_dev *wdev,
19220 				enum nl80211_commands cmd)
19221 {
19222 	struct sk_buff *msg;
19223 
19224 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
19225 	if (!msg)
19226 		return;
19227 
19228 	if (nl80211_send_iface(msg, 0, 0, 0, rdev, wdev, cmd) < 0) {
19229 		nlmsg_free(msg);
19230 		return;
19231 	}
19232 
19233 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
19234 				NL80211_MCGRP_CONFIG, GFP_KERNEL);
19235 }
19236 
19237 static int nl80211_add_scan_req(struct sk_buff *msg,
19238 				struct cfg80211_registered_device *rdev)
19239 {
19240 	struct cfg80211_scan_request_int *req = rdev->scan_req;
19241 	struct nlattr *nest;
19242 	int i;
19243 	struct cfg80211_scan_info *info;
19244 
19245 	if (WARN_ON(!req))
19246 		return 0;
19247 
19248 	nest = nla_nest_start_noflag(msg, NL80211_ATTR_SCAN_SSIDS);
19249 	if (!nest)
19250 		goto nla_put_failure;
19251 	for (i = 0; i < req->req.n_ssids; i++) {
19252 		if (nla_put(msg, i, req->req.ssids[i].ssid_len,
19253 			    req->req.ssids[i].ssid))
19254 			goto nla_put_failure;
19255 	}
19256 	nla_nest_end(msg, nest);
19257 
19258 	if (req->req.flags & NL80211_SCAN_FLAG_FREQ_KHZ) {
19259 		nest = nla_nest_start(msg, NL80211_ATTR_SCAN_FREQ_KHZ);
19260 		if (!nest)
19261 			goto nla_put_failure;
19262 		for (i = 0; i < req->req.n_channels; i++) {
19263 			if (nla_put_u32(msg, i,
19264 					ieee80211_channel_to_khz(req->req.channels[i])))
19265 				goto nla_put_failure;
19266 		}
19267 		nla_nest_end(msg, nest);
19268 	} else {
19269 		nest = nla_nest_start_noflag(msg,
19270 					     NL80211_ATTR_SCAN_FREQUENCIES);
19271 		if (!nest)
19272 			goto nla_put_failure;
19273 		for (i = 0; i < req->req.n_channels; i++) {
19274 			if (nla_put_u32(msg, i,
19275 					req->req.channels[i]->center_freq))
19276 				goto nla_put_failure;
19277 		}
19278 		nla_nest_end(msg, nest);
19279 	}
19280 
19281 	if (req->req.ie &&
19282 	    nla_put(msg, NL80211_ATTR_IE, req->req.ie_len, req->req.ie))
19283 		goto nla_put_failure;
19284 
19285 	if (req->req.flags &&
19286 	    nla_put_u32(msg, NL80211_ATTR_SCAN_FLAGS, req->req.flags))
19287 		goto nla_put_failure;
19288 
19289 	info = rdev->int_scan_req ? &rdev->int_scan_req->info :
19290 		&rdev->scan_req->info;
19291 	if (info->scan_start_tsf &&
19292 	    (nla_put_u64_64bit(msg, NL80211_ATTR_SCAN_START_TIME_TSF,
19293 			       info->scan_start_tsf, NL80211_BSS_PAD) ||
19294 	     nla_put(msg, NL80211_ATTR_SCAN_START_TIME_TSF_BSSID, ETH_ALEN,
19295 		     info->tsf_bssid)))
19296 		goto nla_put_failure;
19297 
19298 	return 0;
19299  nla_put_failure:
19300 	return -ENOBUFS;
19301 }
19302 
19303 static int nl80211_prep_scan_msg(struct sk_buff *msg,
19304 				 struct cfg80211_registered_device *rdev,
19305 				 struct wireless_dev *wdev,
19306 				 u32 portid, u32 seq, int flags,
19307 				 u32 cmd)
19308 {
19309 	void *hdr;
19310 
19311 	hdr = nl80211hdr_put(msg, portid, seq, flags, cmd);
19312 	if (!hdr)
19313 		return -1;
19314 
19315 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
19316 	    (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
19317 					 wdev->netdev->ifindex)) ||
19318 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
19319 			      NL80211_ATTR_PAD))
19320 		goto nla_put_failure;
19321 
19322 	/* ignore errors and send incomplete event anyway */
19323 	nl80211_add_scan_req(msg, rdev);
19324 
19325 	genlmsg_end(msg, hdr);
19326 	return 0;
19327 
19328  nla_put_failure:
19329 	genlmsg_cancel(msg, hdr);
19330 	return -EMSGSIZE;
19331 }
19332 
19333 static int
19334 nl80211_prep_sched_scan_msg(struct sk_buff *msg,
19335 			    struct cfg80211_sched_scan_request *req, u32 cmd)
19336 {
19337 	void *hdr;
19338 
19339 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
19340 	if (!hdr)
19341 		return -1;
19342 
19343 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY,
19344 			wiphy_to_rdev(req->wiphy)->wiphy_idx) ||
19345 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, req->dev->ifindex) ||
19346 	    nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, req->reqid,
19347 			      NL80211_ATTR_PAD))
19348 		goto nla_put_failure;
19349 
19350 	genlmsg_end(msg, hdr);
19351 	return 0;
19352 
19353  nla_put_failure:
19354 	genlmsg_cancel(msg, hdr);
19355 	return -EMSGSIZE;
19356 }
19357 
19358 void nl80211_send_scan_start(struct cfg80211_registered_device *rdev,
19359 			     struct wireless_dev *wdev)
19360 {
19361 	struct sk_buff *msg;
19362 
19363 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
19364 	if (!msg)
19365 		return;
19366 
19367 	if (nl80211_prep_scan_msg(msg, rdev, wdev, 0, 0, 0,
19368 				  NL80211_CMD_TRIGGER_SCAN) < 0) {
19369 		nlmsg_free(msg);
19370 		return;
19371 	}
19372 
19373 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
19374 				NL80211_MCGRP_SCAN, GFP_KERNEL);
19375 }
19376 
19377 struct sk_buff *nl80211_build_scan_msg(struct cfg80211_registered_device *rdev,
19378 				       struct wireless_dev *wdev, bool aborted)
19379 {
19380 	struct sk_buff *msg;
19381 
19382 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
19383 	if (!msg)
19384 		return NULL;
19385 
19386 	if (nl80211_prep_scan_msg(msg, rdev, wdev, 0, 0, 0,
19387 				  aborted ? NL80211_CMD_SCAN_ABORTED :
19388 					    NL80211_CMD_NEW_SCAN_RESULTS) < 0) {
19389 		nlmsg_free(msg);
19390 		return NULL;
19391 	}
19392 
19393 	return msg;
19394 }
19395 
19396 /* send message created by nl80211_build_scan_msg() */
19397 void nl80211_send_scan_msg(struct cfg80211_registered_device *rdev,
19398 			   struct sk_buff *msg)
19399 {
19400 	if (!msg)
19401 		return;
19402 
19403 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
19404 				NL80211_MCGRP_SCAN, GFP_KERNEL);
19405 }
19406 
19407 void nl80211_send_sched_scan(struct cfg80211_sched_scan_request *req, u32 cmd)
19408 {
19409 	struct sk_buff *msg;
19410 
19411 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
19412 	if (!msg)
19413 		return;
19414 
19415 	if (nl80211_prep_sched_scan_msg(msg, req, cmd) < 0) {
19416 		nlmsg_free(msg);
19417 		return;
19418 	}
19419 
19420 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(req->wiphy), msg, 0,
19421 				NL80211_MCGRP_SCAN, GFP_KERNEL);
19422 }
19423 
19424 static bool nl80211_reg_change_event_fill(struct sk_buff *msg,
19425 					  struct regulatory_request *request)
19426 {
19427 	/* Userspace can always count this one always being set */
19428 	if (nla_put_u8(msg, NL80211_ATTR_REG_INITIATOR, request->initiator))
19429 		goto nla_put_failure;
19430 
19431 	if (request->alpha2[0] == '0' && request->alpha2[1] == '0') {
19432 		if (nla_put_u8(msg, NL80211_ATTR_REG_TYPE,
19433 			       NL80211_REGDOM_TYPE_WORLD))
19434 			goto nla_put_failure;
19435 	} else if (request->alpha2[0] == '9' && request->alpha2[1] == '9') {
19436 		if (nla_put_u8(msg, NL80211_ATTR_REG_TYPE,
19437 			       NL80211_REGDOM_TYPE_CUSTOM_WORLD))
19438 			goto nla_put_failure;
19439 	} else if ((request->alpha2[0] == '9' && request->alpha2[1] == '8') ||
19440 		   request->intersect) {
19441 		if (nla_put_u8(msg, NL80211_ATTR_REG_TYPE,
19442 			       NL80211_REGDOM_TYPE_INTERSECTION))
19443 			goto nla_put_failure;
19444 	} else {
19445 		if (nla_put_u8(msg, NL80211_ATTR_REG_TYPE,
19446 			       NL80211_REGDOM_TYPE_COUNTRY) ||
19447 		    nla_put_string(msg, NL80211_ATTR_REG_ALPHA2,
19448 				   request->alpha2))
19449 			goto nla_put_failure;
19450 	}
19451 
19452 	if (request->wiphy_idx != WIPHY_IDX_INVALID) {
19453 		struct wiphy *wiphy = wiphy_idx_to_wiphy(request->wiphy_idx);
19454 
19455 		if (wiphy &&
19456 		    nla_put_u32(msg, NL80211_ATTR_WIPHY, request->wiphy_idx))
19457 			goto nla_put_failure;
19458 
19459 		if (wiphy &&
19460 		    wiphy->regulatory_flags & REGULATORY_WIPHY_SELF_MANAGED &&
19461 		    nla_put_flag(msg, NL80211_ATTR_WIPHY_SELF_MANAGED_REG))
19462 			goto nla_put_failure;
19463 	}
19464 
19465 	return true;
19466 
19467 nla_put_failure:
19468 	return false;
19469 }
19470 
19471 /*
19472  * This can happen on global regulatory changes or device specific settings
19473  * based on custom regulatory domains.
19474  */
19475 void nl80211_common_reg_change_event(enum nl80211_commands cmd_id,
19476 				     struct regulatory_request *request)
19477 {
19478 	struct sk_buff *msg;
19479 	void *hdr;
19480 
19481 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
19482 	if (!msg)
19483 		return;
19484 
19485 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd_id);
19486 	if (!hdr)
19487 		goto nla_put_failure;
19488 
19489 	if (!nl80211_reg_change_event_fill(msg, request))
19490 		goto nla_put_failure;
19491 
19492 	genlmsg_end(msg, hdr);
19493 
19494 	genlmsg_multicast_allns(&nl80211_fam, msg, 0,
19495 				NL80211_MCGRP_REGULATORY);
19496 
19497 	return;
19498 
19499 nla_put_failure:
19500 	nlmsg_free(msg);
19501 }
19502 
19503 struct nl80211_mlme_event {
19504 	enum nl80211_commands cmd;
19505 	const u8 *buf;
19506 	size_t buf_len;
19507 	int uapsd_queues;
19508 	const u8 *req_ies;
19509 	size_t req_ies_len;
19510 	bool reconnect;
19511 };
19512 
19513 static void nl80211_send_mlme_event(struct cfg80211_registered_device *rdev,
19514 				    struct net_device *netdev,
19515 				    const struct nl80211_mlme_event *event,
19516 				    gfp_t gfp)
19517 {
19518 	struct sk_buff *msg;
19519 	void *hdr;
19520 
19521 	msg = nlmsg_new(100 + event->buf_len + event->req_ies_len, gfp);
19522 	if (!msg)
19523 		return;
19524 
19525 	hdr = nl80211hdr_put(msg, 0, 0, 0, event->cmd);
19526 	if (!hdr) {
19527 		nlmsg_free(msg);
19528 		return;
19529 	}
19530 
19531 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
19532 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
19533 	    nla_put(msg, NL80211_ATTR_FRAME, event->buf_len, event->buf) ||
19534 	    (event->req_ies &&
19535 	     nla_put(msg, NL80211_ATTR_REQ_IE, event->req_ies_len,
19536 		     event->req_ies)))
19537 		goto nla_put_failure;
19538 
19539 	if (event->reconnect &&
19540 	    nla_put_flag(msg, NL80211_ATTR_RECONNECT_REQUESTED))
19541 		goto nla_put_failure;
19542 
19543 	if (event->uapsd_queues >= 0) {
19544 		struct nlattr *nla_wmm =
19545 			nla_nest_start_noflag(msg, NL80211_ATTR_STA_WME);
19546 		if (!nla_wmm)
19547 			goto nla_put_failure;
19548 
19549 		if (nla_put_u8(msg, NL80211_STA_WME_UAPSD_QUEUES,
19550 			       event->uapsd_queues))
19551 			goto nla_put_failure;
19552 
19553 		nla_nest_end(msg, nla_wmm);
19554 	}
19555 
19556 	genlmsg_end(msg, hdr);
19557 
19558 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
19559 				NL80211_MCGRP_MLME, gfp);
19560 	return;
19561 
19562  nla_put_failure:
19563 	nlmsg_free(msg);
19564 }
19565 
19566 void nl80211_send_rx_auth(struct cfg80211_registered_device *rdev,
19567 			  struct net_device *netdev, const u8 *buf,
19568 			  size_t len, gfp_t gfp)
19569 {
19570 	struct nl80211_mlme_event event = {
19571 		.cmd = NL80211_CMD_AUTHENTICATE,
19572 		.buf = buf,
19573 		.buf_len = len,
19574 		.uapsd_queues = -1,
19575 	};
19576 
19577 	nl80211_send_mlme_event(rdev, netdev, &event, gfp);
19578 }
19579 
19580 void nl80211_send_rx_assoc(struct cfg80211_registered_device *rdev,
19581 			   struct net_device *netdev,
19582 			   const struct cfg80211_rx_assoc_resp_data *data)
19583 {
19584 	struct nl80211_mlme_event event = {
19585 		.cmd = NL80211_CMD_ASSOCIATE,
19586 		.buf = data->buf,
19587 		.buf_len = data->len,
19588 		.uapsd_queues = data->uapsd_queues,
19589 		.req_ies = data->req_ies,
19590 		.req_ies_len = data->req_ies_len,
19591 	};
19592 
19593 	nl80211_send_mlme_event(rdev, netdev, &event, GFP_KERNEL);
19594 }
19595 
19596 void nl80211_send_deauth(struct cfg80211_registered_device *rdev,
19597 			 struct net_device *netdev, const u8 *buf,
19598 			 size_t len, bool reconnect, gfp_t gfp)
19599 {
19600 	struct nl80211_mlme_event event = {
19601 		.cmd = NL80211_CMD_DEAUTHENTICATE,
19602 		.buf = buf,
19603 		.buf_len = len,
19604 		.reconnect = reconnect,
19605 		.uapsd_queues = -1,
19606 	};
19607 
19608 	nl80211_send_mlme_event(rdev, netdev, &event, gfp);
19609 }
19610 
19611 void nl80211_send_disassoc(struct cfg80211_registered_device *rdev,
19612 			   struct net_device *netdev, const u8 *buf,
19613 			   size_t len, bool reconnect, gfp_t gfp)
19614 {
19615 	struct nl80211_mlme_event event = {
19616 		.cmd = NL80211_CMD_DISASSOCIATE,
19617 		.buf = buf,
19618 		.buf_len = len,
19619 		.reconnect = reconnect,
19620 		.uapsd_queues = -1,
19621 	};
19622 
19623 	nl80211_send_mlme_event(rdev, netdev, &event, gfp);
19624 }
19625 
19626 void cfg80211_rx_unprot_mlme_mgmt(struct net_device *dev, const u8 *buf,
19627 				  size_t len)
19628 {
19629 	struct wireless_dev *wdev = dev->ieee80211_ptr;
19630 	struct wiphy *wiphy = wdev->wiphy;
19631 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
19632 	const struct ieee80211_mgmt *mgmt = (void *)buf;
19633 	struct nl80211_mlme_event event = {
19634 		.buf = buf,
19635 		.buf_len = len,
19636 		.uapsd_queues = -1,
19637 	};
19638 
19639 	if (WARN_ON(len < 2))
19640 		return;
19641 
19642 	if (ieee80211_is_deauth(mgmt->frame_control)) {
19643 		event.cmd = NL80211_CMD_UNPROT_DEAUTHENTICATE;
19644 	} else if (ieee80211_is_disassoc(mgmt->frame_control)) {
19645 		event.cmd = NL80211_CMD_UNPROT_DISASSOCIATE;
19646 	} else if (ieee80211_is_beacon(mgmt->frame_control)) {
19647 		if (wdev->unprot_beacon_reported &&
19648 		    elapsed_jiffies_msecs(wdev->unprot_beacon_reported) < 10000)
19649 			return;
19650 		event.cmd = NL80211_CMD_UNPROT_BEACON;
19651 		wdev->unprot_beacon_reported = jiffies;
19652 	} else {
19653 		return;
19654 	}
19655 
19656 	trace_cfg80211_rx_unprot_mlme_mgmt(dev, buf, len);
19657 	nl80211_send_mlme_event(rdev, dev, &event, GFP_ATOMIC);
19658 }
19659 EXPORT_SYMBOL(cfg80211_rx_unprot_mlme_mgmt);
19660 
19661 static void nl80211_send_mlme_timeout(struct cfg80211_registered_device *rdev,
19662 				      struct net_device *netdev, int cmd,
19663 				      const u8 *addr, gfp_t gfp)
19664 {
19665 	struct sk_buff *msg;
19666 	void *hdr;
19667 
19668 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
19669 	if (!msg)
19670 		return;
19671 
19672 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
19673 	if (!hdr) {
19674 		nlmsg_free(msg);
19675 		return;
19676 	}
19677 
19678 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
19679 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
19680 	    nla_put_flag(msg, NL80211_ATTR_TIMED_OUT) ||
19681 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr))
19682 		goto nla_put_failure;
19683 
19684 	genlmsg_end(msg, hdr);
19685 
19686 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
19687 				NL80211_MCGRP_MLME, gfp);
19688 	return;
19689 
19690  nla_put_failure:
19691 	nlmsg_free(msg);
19692 }
19693 
19694 void nl80211_send_auth_timeout(struct cfg80211_registered_device *rdev,
19695 			       struct net_device *netdev, const u8 *addr,
19696 			       gfp_t gfp)
19697 {
19698 	nl80211_send_mlme_timeout(rdev, netdev, NL80211_CMD_AUTHENTICATE,
19699 				  addr, gfp);
19700 }
19701 
19702 void nl80211_send_assoc_timeout(struct cfg80211_registered_device *rdev,
19703 				struct net_device *netdev, const u8 *addr,
19704 				gfp_t gfp)
19705 {
19706 	nl80211_send_mlme_timeout(rdev, netdev, NL80211_CMD_ASSOCIATE,
19707 				  addr, gfp);
19708 }
19709 
19710 void nl80211_send_connect_result(struct cfg80211_registered_device *rdev,
19711 				 struct net_device *netdev,
19712 				 struct cfg80211_connect_resp_params *cr,
19713 				 gfp_t gfp)
19714 {
19715 	struct sk_buff *msg;
19716 	void *hdr;
19717 	unsigned int link;
19718 	size_t link_info_size = 0;
19719 	const u8 *connected_addr = cr->valid_links ?
19720 				   cr->ap_mld_addr : cr->links[0].bssid;
19721 
19722 	if (cr->valid_links) {
19723 		for_each_valid_link(cr, link) {
19724 			/* Nested attribute header */
19725 			link_info_size += NLA_HDRLEN;
19726 			/* Link ID */
19727 			link_info_size += nla_total_size(sizeof(u8));
19728 			link_info_size += cr->links[link].addr ?
19729 					  nla_total_size(ETH_ALEN) : 0;
19730 			link_info_size += (cr->links[link].bssid ||
19731 					   cr->links[link].bss) ?
19732 					  nla_total_size(ETH_ALEN) : 0;
19733 			link_info_size += nla_total_size(sizeof(u16));
19734 		}
19735 	}
19736 
19737 	msg = nlmsg_new(100 + cr->req_ie_len + cr->resp_ie_len +
19738 			cr->fils.kek_len + cr->fils.pmk_len +
19739 			(cr->fils.pmkid ? WLAN_PMKID_LEN : 0) + link_info_size,
19740 			gfp);
19741 	if (!msg)
19742 		return;
19743 
19744 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_CONNECT);
19745 	if (!hdr) {
19746 		nlmsg_free(msg);
19747 		return;
19748 	}
19749 
19750 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
19751 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
19752 	    (connected_addr &&
19753 	     nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, connected_addr)) ||
19754 	    nla_put_u16(msg, NL80211_ATTR_STATUS_CODE,
19755 			cr->status < 0 ? WLAN_STATUS_UNSPECIFIED_FAILURE :
19756 			cr->status) ||
19757 	    (cr->status < 0 &&
19758 	     (nla_put_flag(msg, NL80211_ATTR_TIMED_OUT) ||
19759 	      nla_put_u32(msg, NL80211_ATTR_TIMEOUT_REASON,
19760 			  cr->timeout_reason))) ||
19761 	    (cr->req_ie &&
19762 	     nla_put(msg, NL80211_ATTR_REQ_IE, cr->req_ie_len, cr->req_ie)) ||
19763 	    (cr->resp_ie &&
19764 	     nla_put(msg, NL80211_ATTR_RESP_IE, cr->resp_ie_len,
19765 		     cr->resp_ie)) ||
19766 	    (cr->fils.update_erp_next_seq_num &&
19767 	     nla_put_u16(msg, NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM,
19768 			 cr->fils.erp_next_seq_num)) ||
19769 	    (cr->status == WLAN_STATUS_SUCCESS &&
19770 	     ((cr->fils.kek &&
19771 	       nla_put(msg, NL80211_ATTR_FILS_KEK, cr->fils.kek_len,
19772 		       cr->fils.kek)) ||
19773 	      (cr->fils.pmk &&
19774 	       nla_put(msg, NL80211_ATTR_PMK, cr->fils.pmk_len, cr->fils.pmk)) ||
19775 	      (cr->fils.pmkid &&
19776 	       nla_put(msg, NL80211_ATTR_PMKID, WLAN_PMKID_LEN, cr->fils.pmkid)))))
19777 		goto nla_put_failure;
19778 
19779 	if (cr->valid_links) {
19780 		int i = 1;
19781 		struct nlattr *nested;
19782 
19783 		nested = nla_nest_start(msg, NL80211_ATTR_MLO_LINKS);
19784 		if (!nested)
19785 			goto nla_put_failure;
19786 
19787 		for_each_valid_link(cr, link) {
19788 			struct nlattr *nested_mlo_links;
19789 			const u8 *bssid = cr->links[link].bss ?
19790 					  cr->links[link].bss->bssid :
19791 					  cr->links[link].bssid;
19792 
19793 			nested_mlo_links = nla_nest_start(msg, i);
19794 			if (!nested_mlo_links)
19795 				goto nla_put_failure;
19796 
19797 			if (nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID, link) ||
19798 			    (bssid &&
19799 			     nla_put(msg, NL80211_ATTR_BSSID, ETH_ALEN, bssid)) ||
19800 			    (cr->links[link].addr &&
19801 			     nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN,
19802 				     cr->links[link].addr)) ||
19803 			    nla_put_u16(msg, NL80211_ATTR_STATUS_CODE,
19804 					cr->links[link].status))
19805 				goto nla_put_failure;
19806 
19807 			nla_nest_end(msg, nested_mlo_links);
19808 			i++;
19809 		}
19810 		nla_nest_end(msg, nested);
19811 	}
19812 
19813 	genlmsg_end(msg, hdr);
19814 
19815 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
19816 				NL80211_MCGRP_MLME, gfp);
19817 	return;
19818 
19819  nla_put_failure:
19820 	nlmsg_free(msg);
19821 }
19822 
19823 void nl80211_send_roamed(struct cfg80211_registered_device *rdev,
19824 			 struct net_device *netdev,
19825 			 struct cfg80211_roam_info *info, gfp_t gfp)
19826 {
19827 	struct sk_buff *msg;
19828 	void *hdr;
19829 	size_t link_info_size = 0;
19830 	unsigned int link;
19831 	const u8 *connected_addr = info->ap_mld_addr ?
19832 				   info->ap_mld_addr :
19833 				   (info->links[0].bss ?
19834 				    info->links[0].bss->bssid :
19835 				    info->links[0].bssid);
19836 
19837 	if (info->valid_links) {
19838 		for_each_valid_link(info, link) {
19839 			/* Nested attribute header */
19840 			link_info_size += NLA_HDRLEN;
19841 			/* Link ID */
19842 			link_info_size += nla_total_size(sizeof(u8));
19843 			link_info_size += info->links[link].addr ?
19844 					  nla_total_size(ETH_ALEN) : 0;
19845 			link_info_size += (info->links[link].bssid ||
19846 					   info->links[link].bss) ?
19847 					  nla_total_size(ETH_ALEN) : 0;
19848 		}
19849 	}
19850 
19851 	msg = nlmsg_new(100 + info->req_ie_len + info->resp_ie_len +
19852 			info->fils.kek_len + info->fils.pmk_len +
19853 			(info->fils.pmkid ? WLAN_PMKID_LEN : 0) +
19854 			link_info_size, gfp);
19855 	if (!msg)
19856 		return;
19857 
19858 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_ROAM);
19859 	if (!hdr) {
19860 		nlmsg_free(msg);
19861 		return;
19862 	}
19863 
19864 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
19865 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
19866 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, connected_addr) ||
19867 	    (info->req_ie &&
19868 	     nla_put(msg, NL80211_ATTR_REQ_IE, info->req_ie_len,
19869 		     info->req_ie)) ||
19870 	    (info->resp_ie &&
19871 	     nla_put(msg, NL80211_ATTR_RESP_IE, info->resp_ie_len,
19872 		     info->resp_ie)) ||
19873 	    (info->fils.update_erp_next_seq_num &&
19874 	     nla_put_u16(msg, NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM,
19875 			 info->fils.erp_next_seq_num)) ||
19876 	    (info->fils.kek &&
19877 	     nla_put(msg, NL80211_ATTR_FILS_KEK, info->fils.kek_len,
19878 		     info->fils.kek)) ||
19879 	    (info->fils.pmk &&
19880 	     nla_put(msg, NL80211_ATTR_PMK, info->fils.pmk_len, info->fils.pmk)) ||
19881 	    (info->fils.pmkid &&
19882 	     nla_put(msg, NL80211_ATTR_PMKID, WLAN_PMKID_LEN, info->fils.pmkid)))
19883 		goto nla_put_failure;
19884 
19885 	if (info->valid_links) {
19886 		int i = 1;
19887 		struct nlattr *nested;
19888 
19889 		nested = nla_nest_start(msg, NL80211_ATTR_MLO_LINKS);
19890 		if (!nested)
19891 			goto nla_put_failure;
19892 
19893 		for_each_valid_link(info, link) {
19894 			struct nlattr *nested_mlo_links;
19895 			const u8 *bssid = info->links[link].bss ?
19896 					  info->links[link].bss->bssid :
19897 					  info->links[link].bssid;
19898 
19899 			nested_mlo_links = nla_nest_start(msg, i);
19900 			if (!nested_mlo_links)
19901 				goto nla_put_failure;
19902 
19903 			if (nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID, link) ||
19904 			    (bssid &&
19905 			     nla_put(msg, NL80211_ATTR_BSSID, ETH_ALEN, bssid)) ||
19906 			    (info->links[link].addr &&
19907 			     nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN,
19908 				     info->links[link].addr)))
19909 				goto nla_put_failure;
19910 
19911 			nla_nest_end(msg, nested_mlo_links);
19912 			i++;
19913 		}
19914 		nla_nest_end(msg, nested);
19915 	}
19916 
19917 	genlmsg_end(msg, hdr);
19918 
19919 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
19920 				NL80211_MCGRP_MLME, gfp);
19921 	return;
19922 
19923  nla_put_failure:
19924 	nlmsg_free(msg);
19925 }
19926 
19927 void nl80211_send_port_authorized(struct cfg80211_registered_device *rdev,
19928 				  struct net_device *netdev, const u8 *peer_addr,
19929 				  const u8 *td_bitmap, u8 td_bitmap_len)
19930 {
19931 	struct sk_buff *msg;
19932 	void *hdr;
19933 
19934 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
19935 	if (!msg)
19936 		return;
19937 
19938 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_PORT_AUTHORIZED);
19939 	if (!hdr) {
19940 		nlmsg_free(msg);
19941 		return;
19942 	}
19943 
19944 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
19945 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
19946 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, peer_addr))
19947 		goto nla_put_failure;
19948 
19949 	if (td_bitmap_len > 0 && td_bitmap &&
19950 	    nla_put(msg, NL80211_ATTR_TD_BITMAP, td_bitmap_len, td_bitmap))
19951 		goto nla_put_failure;
19952 
19953 	genlmsg_end(msg, hdr);
19954 
19955 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
19956 				NL80211_MCGRP_MLME, GFP_KERNEL);
19957 	return;
19958 
19959  nla_put_failure:
19960 	nlmsg_free(msg);
19961 }
19962 
19963 void nl80211_send_disconnected(struct cfg80211_registered_device *rdev,
19964 			       struct net_device *netdev, u16 reason,
19965 			       const u8 *ie, size_t ie_len, bool from_ap)
19966 {
19967 	struct sk_buff *msg;
19968 	void *hdr;
19969 
19970 	msg = nlmsg_new(100 + ie_len, GFP_KERNEL);
19971 	if (!msg)
19972 		return;
19973 
19974 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_DISCONNECT);
19975 	if (!hdr) {
19976 		nlmsg_free(msg);
19977 		return;
19978 	}
19979 
19980 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
19981 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
19982 	    (reason &&
19983 	     nla_put_u16(msg, NL80211_ATTR_REASON_CODE, reason)) ||
19984 	    (from_ap &&
19985 	     nla_put_flag(msg, NL80211_ATTR_DISCONNECTED_BY_AP)) ||
19986 	    (ie && nla_put(msg, NL80211_ATTR_IE, ie_len, ie)))
19987 		goto nla_put_failure;
19988 
19989 	genlmsg_end(msg, hdr);
19990 
19991 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
19992 				NL80211_MCGRP_MLME, GFP_KERNEL);
19993 	return;
19994 
19995  nla_put_failure:
19996 	nlmsg_free(msg);
19997 }
19998 
19999 void cfg80211_links_removed(struct net_device *dev, u16 link_mask)
20000 {
20001 	struct wireless_dev *wdev = dev->ieee80211_ptr;
20002 	struct wiphy *wiphy = wdev->wiphy;
20003 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
20004 	struct sk_buff *msg;
20005 	struct nlattr *links;
20006 	void *hdr;
20007 
20008 	lockdep_assert_wiphy(wdev->wiphy);
20009 	trace_cfg80211_links_removed(dev, link_mask);
20010 
20011 	if (WARN_ON(wdev->iftype != NL80211_IFTYPE_STATION &&
20012 		    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT))
20013 		return;
20014 
20015 	if (WARN_ON(!wdev->valid_links || !link_mask ||
20016 		    (wdev->valid_links & link_mask) != link_mask ||
20017 		    wdev->valid_links == link_mask))
20018 		return;
20019 
20020 	cfg80211_wdev_release_link_bsses(wdev, link_mask);
20021 	wdev->valid_links &= ~link_mask;
20022 
20023 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
20024 	if (!msg)
20025 		return;
20026 
20027 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_LINKS_REMOVED);
20028 	if (!hdr) {
20029 		nlmsg_free(msg);
20030 		return;
20031 	}
20032 
20033 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
20034 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
20035 		goto nla_put_failure;
20036 
20037 	links = nla_nest_start(msg, NL80211_ATTR_MLO_LINKS);
20038 	if (!links)
20039 		goto nla_put_failure;
20040 
20041 	while (link_mask) {
20042 		struct nlattr *link;
20043 		int link_id = __ffs(link_mask);
20044 
20045 		link = nla_nest_start(msg, link_id + 1);
20046 		if (!link)
20047 			goto nla_put_failure;
20048 
20049 		if (nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID, link_id))
20050 			goto nla_put_failure;
20051 
20052 		nla_nest_end(msg, link);
20053 		link_mask &= ~(1 << link_id);
20054 	}
20055 
20056 	nla_nest_end(msg, links);
20057 
20058 	genlmsg_end(msg, hdr);
20059 
20060 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
20061 				NL80211_MCGRP_MLME, GFP_KERNEL);
20062 	return;
20063 
20064  nla_put_failure:
20065 	nlmsg_free(msg);
20066 }
20067 EXPORT_SYMBOL(cfg80211_links_removed);
20068 
20069 void nl80211_mlo_reconf_add_done(struct net_device *dev,
20070 				 struct cfg80211_mlo_reconf_done_data *data)
20071 {
20072 	struct wireless_dev *wdev = dev->ieee80211_ptr;
20073 	struct wiphy *wiphy = wdev->wiphy;
20074 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
20075 	struct nl80211_mlme_event event = {
20076 		.cmd = NL80211_CMD_ASSOC_MLO_RECONF,
20077 		.buf = data->buf,
20078 		.buf_len = data->len,
20079 		.uapsd_queues = -1,
20080 	};
20081 
20082 	nl80211_send_mlme_event(rdev, dev, &event, GFP_KERNEL);
20083 }
20084 EXPORT_SYMBOL(nl80211_mlo_reconf_add_done);
20085 
20086 void nl80211_send_ibss_bssid(struct cfg80211_registered_device *rdev,
20087 			     struct net_device *netdev, const u8 *bssid,
20088 			     gfp_t gfp)
20089 {
20090 	struct sk_buff *msg;
20091 	void *hdr;
20092 
20093 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
20094 	if (!msg)
20095 		return;
20096 
20097 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_JOIN_IBSS);
20098 	if (!hdr) {
20099 		nlmsg_free(msg);
20100 		return;
20101 	}
20102 
20103 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
20104 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
20105 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, bssid))
20106 		goto nla_put_failure;
20107 
20108 	genlmsg_end(msg, hdr);
20109 
20110 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
20111 				NL80211_MCGRP_MLME, gfp);
20112 	return;
20113 
20114  nla_put_failure:
20115 	nlmsg_free(msg);
20116 }
20117 
20118 void cfg80211_notify_new_peer_candidate(struct net_device *dev, const u8 *addr,
20119 					const u8 *ie, u8 ie_len,
20120 					int sig_dbm, gfp_t gfp)
20121 {
20122 	struct wireless_dev *wdev = dev->ieee80211_ptr;
20123 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
20124 	struct sk_buff *msg;
20125 	void *hdr;
20126 
20127 	if (WARN_ON(wdev->iftype != NL80211_IFTYPE_MESH_POINT))
20128 		return;
20129 
20130 	trace_cfg80211_notify_new_peer_candidate(dev, addr);
20131 
20132 	msg = nlmsg_new(100 + ie_len, gfp);
20133 	if (!msg)
20134 		return;
20135 
20136 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_NEW_PEER_CANDIDATE);
20137 	if (!hdr) {
20138 		nlmsg_free(msg);
20139 		return;
20140 	}
20141 
20142 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
20143 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
20144 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr) ||
20145 	    (ie_len && ie &&
20146 	     nla_put(msg, NL80211_ATTR_IE, ie_len, ie)) ||
20147 	    (sig_dbm &&
20148 	     nla_put_u32(msg, NL80211_ATTR_RX_SIGNAL_DBM, sig_dbm)))
20149 		goto nla_put_failure;
20150 
20151 	genlmsg_end(msg, hdr);
20152 
20153 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
20154 				NL80211_MCGRP_MLME, gfp);
20155 	return;
20156 
20157  nla_put_failure:
20158 	nlmsg_free(msg);
20159 }
20160 EXPORT_SYMBOL(cfg80211_notify_new_peer_candidate);
20161 
20162 void nl80211_michael_mic_failure(struct cfg80211_registered_device *rdev,
20163 				 struct net_device *netdev, const u8 *addr,
20164 				 enum nl80211_key_type key_type, int key_id,
20165 				 const u8 *tsc, gfp_t gfp)
20166 {
20167 	struct sk_buff *msg;
20168 	void *hdr;
20169 
20170 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
20171 	if (!msg)
20172 		return;
20173 
20174 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_MICHAEL_MIC_FAILURE);
20175 	if (!hdr) {
20176 		nlmsg_free(msg);
20177 		return;
20178 	}
20179 
20180 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
20181 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
20182 	    (addr && nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr)) ||
20183 	    nla_put_u32(msg, NL80211_ATTR_KEY_TYPE, key_type) ||
20184 	    (key_id != -1 &&
20185 	     nla_put_u8(msg, NL80211_ATTR_KEY_IDX, key_id)) ||
20186 	    (tsc && nla_put(msg, NL80211_ATTR_KEY_SEQ, 6, tsc)))
20187 		goto nla_put_failure;
20188 
20189 	genlmsg_end(msg, hdr);
20190 
20191 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
20192 				NL80211_MCGRP_MLME, gfp);
20193 	return;
20194 
20195  nla_put_failure:
20196 	nlmsg_free(msg);
20197 }
20198 
20199 void nl80211_send_beacon_hint_event(struct wiphy *wiphy,
20200 				    struct ieee80211_channel *channel_before,
20201 				    struct ieee80211_channel *channel_after)
20202 {
20203 	struct sk_buff *msg;
20204 	void *hdr;
20205 	struct nlattr *nl_freq;
20206 
20207 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_ATOMIC);
20208 	if (!msg)
20209 		return;
20210 
20211 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_REG_BEACON_HINT);
20212 	if (!hdr) {
20213 		nlmsg_free(msg);
20214 		return;
20215 	}
20216 
20217 	/*
20218 	 * Since we are applying the beacon hint to a wiphy we know its
20219 	 * wiphy_idx is valid
20220 	 */
20221 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, get_wiphy_idx(wiphy)))
20222 		goto nla_put_failure;
20223 
20224 	/* Before */
20225 	nl_freq = nla_nest_start_noflag(msg, NL80211_ATTR_FREQ_BEFORE);
20226 	if (!nl_freq)
20227 		goto nla_put_failure;
20228 
20229 	if (nl80211_msg_put_channel(msg, wiphy, channel_before, false))
20230 		goto nla_put_failure;
20231 	nla_nest_end(msg, nl_freq);
20232 
20233 	/* After */
20234 	nl_freq = nla_nest_start_noflag(msg, NL80211_ATTR_FREQ_AFTER);
20235 	if (!nl_freq)
20236 		goto nla_put_failure;
20237 
20238 	if (nl80211_msg_put_channel(msg, wiphy, channel_after, false))
20239 		goto nla_put_failure;
20240 	nla_nest_end(msg, nl_freq);
20241 
20242 	genlmsg_end(msg, hdr);
20243 
20244 	genlmsg_multicast_allns(&nl80211_fam, msg, 0,
20245 				NL80211_MCGRP_REGULATORY);
20246 
20247 	return;
20248 
20249 nla_put_failure:
20250 	nlmsg_free(msg);
20251 }
20252 
20253 static void nl80211_send_remain_on_chan_event(
20254 	int cmd, struct cfg80211_registered_device *rdev,
20255 	struct wireless_dev *wdev, u64 cookie,
20256 	struct ieee80211_channel *chan,
20257 	unsigned int duration, gfp_t gfp)
20258 {
20259 	struct sk_buff *msg;
20260 	void *hdr;
20261 
20262 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
20263 	if (!msg)
20264 		return;
20265 
20266 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
20267 	if (!hdr) {
20268 		nlmsg_free(msg);
20269 		return;
20270 	}
20271 
20272 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
20273 	    (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
20274 					 wdev->netdev->ifindex)) ||
20275 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
20276 			      NL80211_ATTR_PAD) ||
20277 	    nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ, chan->center_freq) ||
20278 	    nla_put_u32(msg, NL80211_ATTR_WIPHY_CHANNEL_TYPE,
20279 			NL80211_CHAN_NO_HT) ||
20280 	    nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
20281 			      NL80211_ATTR_PAD))
20282 		goto nla_put_failure;
20283 
20284 	if (cmd == NL80211_CMD_REMAIN_ON_CHANNEL &&
20285 	    nla_put_u32(msg, NL80211_ATTR_DURATION, duration))
20286 		goto nla_put_failure;
20287 
20288 	genlmsg_end(msg, hdr);
20289 
20290 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
20291 				NL80211_MCGRP_MLME, gfp);
20292 	return;
20293 
20294  nla_put_failure:
20295 	nlmsg_free(msg);
20296 }
20297 
20298 void cfg80211_assoc_comeback(struct net_device *netdev,
20299 			     const u8 *ap_addr, u32 timeout)
20300 {
20301 	struct wireless_dev *wdev = netdev->ieee80211_ptr;
20302 	struct wiphy *wiphy = wdev->wiphy;
20303 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
20304 	struct sk_buff *msg;
20305 	void *hdr;
20306 
20307 	trace_cfg80211_assoc_comeback(wdev, ap_addr, timeout);
20308 
20309 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
20310 	if (!msg)
20311 		return;
20312 
20313 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_ASSOC_COMEBACK);
20314 	if (!hdr) {
20315 		nlmsg_free(msg);
20316 		return;
20317 	}
20318 
20319 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
20320 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
20321 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, ap_addr) ||
20322 	    nla_put_u32(msg, NL80211_ATTR_TIMEOUT, timeout))
20323 		goto nla_put_failure;
20324 
20325 	genlmsg_end(msg, hdr);
20326 
20327 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
20328 				NL80211_MCGRP_MLME, GFP_KERNEL);
20329 	return;
20330 
20331  nla_put_failure:
20332 	nlmsg_free(msg);
20333 }
20334 EXPORT_SYMBOL(cfg80211_assoc_comeback);
20335 
20336 void cfg80211_ready_on_channel(struct wireless_dev *wdev, u64 cookie,
20337 			       struct ieee80211_channel *chan,
20338 			       unsigned int duration, gfp_t gfp)
20339 {
20340 	struct wiphy *wiphy = wdev->wiphy;
20341 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
20342 
20343 	trace_cfg80211_ready_on_channel(wdev, cookie, chan, duration);
20344 	nl80211_send_remain_on_chan_event(NL80211_CMD_REMAIN_ON_CHANNEL,
20345 					  rdev, wdev, cookie, chan,
20346 					  duration, gfp);
20347 }
20348 EXPORT_SYMBOL(cfg80211_ready_on_channel);
20349 
20350 void cfg80211_remain_on_channel_expired(struct wireless_dev *wdev, u64 cookie,
20351 					struct ieee80211_channel *chan,
20352 					gfp_t gfp)
20353 {
20354 	struct wiphy *wiphy = wdev->wiphy;
20355 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
20356 
20357 	trace_cfg80211_ready_on_channel_expired(wdev, cookie, chan);
20358 	nl80211_send_remain_on_chan_event(NL80211_CMD_CANCEL_REMAIN_ON_CHANNEL,
20359 					  rdev, wdev, cookie, chan, 0, gfp);
20360 }
20361 EXPORT_SYMBOL(cfg80211_remain_on_channel_expired);
20362 
20363 void cfg80211_tx_mgmt_expired(struct wireless_dev *wdev, u64 cookie,
20364 					struct ieee80211_channel *chan,
20365 					gfp_t gfp)
20366 {
20367 	struct wiphy *wiphy = wdev->wiphy;
20368 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
20369 
20370 	trace_cfg80211_tx_mgmt_expired(wdev, cookie, chan);
20371 	nl80211_send_remain_on_chan_event(NL80211_CMD_FRAME_WAIT_CANCEL,
20372 					  rdev, wdev, cookie, chan, 0, gfp);
20373 }
20374 EXPORT_SYMBOL(cfg80211_tx_mgmt_expired);
20375 
20376 void cfg80211_new_sta(struct net_device *dev, const u8 *mac_addr,
20377 		      struct station_info *sinfo, gfp_t gfp)
20378 {
20379 	struct wiphy *wiphy = dev->ieee80211_ptr->wiphy;
20380 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
20381 	struct sk_buff *msg;
20382 
20383 	trace_cfg80211_new_sta(dev, mac_addr, sinfo);
20384 
20385 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
20386 	if (!msg)
20387 		return;
20388 
20389 	if (nl80211_send_station(msg, NL80211_CMD_NEW_STATION, 0, 0, 0,
20390 				 rdev, dev, mac_addr, sinfo, false) < 0) {
20391 		nlmsg_free(msg);
20392 		return;
20393 	}
20394 
20395 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
20396 				NL80211_MCGRP_MLME, gfp);
20397 }
20398 EXPORT_SYMBOL(cfg80211_new_sta);
20399 
20400 void cfg80211_del_sta_sinfo(struct net_device *dev, const u8 *mac_addr,
20401 			    struct station_info *sinfo, gfp_t gfp)
20402 {
20403 	struct wiphy *wiphy = dev->ieee80211_ptr->wiphy;
20404 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
20405 	struct sk_buff *msg;
20406 	struct station_info empty_sinfo = {};
20407 
20408 	if (!sinfo)
20409 		sinfo = &empty_sinfo;
20410 
20411 	trace_cfg80211_del_sta(dev, mac_addr);
20412 
20413 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
20414 	if (!msg) {
20415 		cfg80211_sinfo_release_content(sinfo);
20416 		return;
20417 	}
20418 
20419 	if (nl80211_send_station(msg, NL80211_CMD_DEL_STATION, 0, 0, 0,
20420 				 rdev, dev, mac_addr, sinfo, false) < 0) {
20421 		nlmsg_free(msg);
20422 		return;
20423 	}
20424 
20425 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
20426 				NL80211_MCGRP_MLME, gfp);
20427 }
20428 EXPORT_SYMBOL(cfg80211_del_sta_sinfo);
20429 
20430 void cfg80211_conn_failed(struct net_device *dev, const u8 *mac_addr,
20431 			  enum nl80211_connect_failed_reason reason,
20432 			  gfp_t gfp)
20433 {
20434 	struct wiphy *wiphy = dev->ieee80211_ptr->wiphy;
20435 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
20436 	struct sk_buff *msg;
20437 	void *hdr;
20438 
20439 	msg = nlmsg_new(NLMSG_GOODSIZE, gfp);
20440 	if (!msg)
20441 		return;
20442 
20443 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_CONN_FAILED);
20444 	if (!hdr) {
20445 		nlmsg_free(msg);
20446 		return;
20447 	}
20448 
20449 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
20450 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac_addr) ||
20451 	    nla_put_u32(msg, NL80211_ATTR_CONN_FAILED_REASON, reason))
20452 		goto nla_put_failure;
20453 
20454 	genlmsg_end(msg, hdr);
20455 
20456 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
20457 				NL80211_MCGRP_MLME, gfp);
20458 	return;
20459 
20460  nla_put_failure:
20461 	nlmsg_free(msg);
20462 }
20463 EXPORT_SYMBOL(cfg80211_conn_failed);
20464 
20465 static bool __nl80211_unexpected_frame(struct net_device *dev, u8 cmd,
20466 				       const u8 *addr, int link_id, gfp_t gfp)
20467 {
20468 	struct wireless_dev *wdev = dev->ieee80211_ptr;
20469 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
20470 	struct sk_buff *msg;
20471 	void *hdr;
20472 	u32 nlportid = READ_ONCE(wdev->ap_unexpected_nlportid);
20473 
20474 	if (!nlportid)
20475 		return false;
20476 
20477 	msg = nlmsg_new(100, gfp);
20478 	if (!msg)
20479 		return true;
20480 
20481 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
20482 	if (!hdr) {
20483 		nlmsg_free(msg);
20484 		return true;
20485 	}
20486 
20487 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
20488 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
20489 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr) ||
20490 	    (link_id >= 0 &&
20491 	     nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID, link_id)))
20492 		goto nla_put_failure;
20493 
20494 	genlmsg_end(msg, hdr);
20495 	genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, nlportid);
20496 	return true;
20497 
20498  nla_put_failure:
20499 	nlmsg_free(msg);
20500 	return true;
20501 }
20502 
20503 bool cfg80211_rx_spurious_frame(struct net_device *dev, const u8 *addr,
20504 				int link_id, gfp_t gfp)
20505 {
20506 	struct wireless_dev *wdev = dev->ieee80211_ptr;
20507 	bool ret;
20508 
20509 	trace_cfg80211_rx_spurious_frame(dev, addr, link_id);
20510 
20511 	if (WARN_ON(wdev->iftype != NL80211_IFTYPE_AP &&
20512 		    wdev->iftype != NL80211_IFTYPE_P2P_GO)) {
20513 		trace_cfg80211_return_bool(false);
20514 		return false;
20515 	}
20516 	ret = __nl80211_unexpected_frame(dev, NL80211_CMD_UNEXPECTED_FRAME,
20517 					 addr, link_id, gfp);
20518 	trace_cfg80211_return_bool(ret);
20519 	return ret;
20520 }
20521 EXPORT_SYMBOL(cfg80211_rx_spurious_frame);
20522 
20523 bool cfg80211_rx_unexpected_4addr_frame(struct net_device *dev, const u8 *addr,
20524 					int link_id, gfp_t gfp)
20525 {
20526 	struct wireless_dev *wdev = dev->ieee80211_ptr;
20527 	bool ret;
20528 
20529 	trace_cfg80211_rx_unexpected_4addr_frame(dev, addr, link_id);
20530 
20531 	if (WARN_ON(wdev->iftype != NL80211_IFTYPE_AP &&
20532 		    wdev->iftype != NL80211_IFTYPE_P2P_GO &&
20533 		    wdev->iftype != NL80211_IFTYPE_AP_VLAN)) {
20534 		trace_cfg80211_return_bool(false);
20535 		return false;
20536 	}
20537 	ret = __nl80211_unexpected_frame(dev,
20538 					 NL80211_CMD_UNEXPECTED_4ADDR_FRAME,
20539 					 addr, link_id, gfp);
20540 	trace_cfg80211_return_bool(ret);
20541 	return ret;
20542 }
20543 EXPORT_SYMBOL(cfg80211_rx_unexpected_4addr_frame);
20544 
20545 int nl80211_send_mgmt(struct cfg80211_registered_device *rdev,
20546 		      struct wireless_dev *wdev, u32 nlportid,
20547 		      struct cfg80211_rx_info *info, gfp_t gfp)
20548 {
20549 	struct net_device *netdev = wdev->netdev;
20550 	struct sk_buff *msg;
20551 	void *hdr;
20552 
20553 	msg = nlmsg_new(100 + info->len, gfp);
20554 	if (!msg)
20555 		return -ENOMEM;
20556 
20557 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_FRAME);
20558 	if (!hdr) {
20559 		nlmsg_free(msg);
20560 		return -ENOMEM;
20561 	}
20562 
20563 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
20564 	    (netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
20565 					netdev->ifindex)) ||
20566 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
20567 			      NL80211_ATTR_PAD) ||
20568 	    (info->have_link_id &&
20569 	     nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID, info->link_id)) ||
20570 	    nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ, KHZ_TO_MHZ(info->freq)) ||
20571 	    nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ_OFFSET, info->freq % 1000) ||
20572 	    (info->sig_dbm &&
20573 	     nla_put_u32(msg, NL80211_ATTR_RX_SIGNAL_DBM, info->sig_dbm)) ||
20574 	    nla_put(msg, NL80211_ATTR_FRAME, info->len, info->buf) ||
20575 	    (info->flags &&
20576 	     nla_put_u32(msg, NL80211_ATTR_RXMGMT_FLAGS, info->flags)) ||
20577 	    (info->rx_tstamp && nla_put_u64_64bit(msg,
20578 						  NL80211_ATTR_RX_HW_TIMESTAMP,
20579 						  info->rx_tstamp,
20580 						  NL80211_ATTR_PAD)) ||
20581 	    (info->ack_tstamp && nla_put_u64_64bit(msg,
20582 						   NL80211_ATTR_TX_HW_TIMESTAMP,
20583 						   info->ack_tstamp,
20584 						   NL80211_ATTR_PAD)))
20585 		goto nla_put_failure;
20586 
20587 	genlmsg_end(msg, hdr);
20588 
20589 	return genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, nlportid);
20590 
20591  nla_put_failure:
20592 	nlmsg_free(msg);
20593 	return -ENOBUFS;
20594 }
20595 
20596 static void nl80211_frame_tx_status(struct wireless_dev *wdev,
20597 				    struct cfg80211_tx_status *status,
20598 				    gfp_t gfp, enum nl80211_commands command)
20599 {
20600 	struct wiphy *wiphy = wdev->wiphy;
20601 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
20602 	struct net_device *netdev = wdev->netdev;
20603 	struct sk_buff *msg;
20604 	void *hdr;
20605 
20606 	if (command == NL80211_CMD_FRAME_TX_STATUS)
20607 		trace_cfg80211_mgmt_tx_status(wdev, status->cookie,
20608 					      status->ack);
20609 	else
20610 		trace_cfg80211_control_port_tx_status(wdev, status->cookie,
20611 						      status->ack);
20612 
20613 	msg = nlmsg_new(100 + status->len, gfp);
20614 	if (!msg)
20615 		return;
20616 
20617 	hdr = nl80211hdr_put(msg, 0, 0, 0, command);
20618 	if (!hdr) {
20619 		nlmsg_free(msg);
20620 		return;
20621 	}
20622 
20623 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
20624 	    (netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
20625 				   netdev->ifindex)) ||
20626 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
20627 			      NL80211_ATTR_PAD) ||
20628 	    nla_put(msg, NL80211_ATTR_FRAME, status->len, status->buf) ||
20629 	    nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, status->cookie,
20630 			      NL80211_ATTR_PAD) ||
20631 	    (status->ack && nla_put_flag(msg, NL80211_ATTR_ACK)) ||
20632 	    (status->tx_tstamp &&
20633 	     nla_put_u64_64bit(msg, NL80211_ATTR_TX_HW_TIMESTAMP,
20634 			       status->tx_tstamp, NL80211_ATTR_PAD)) ||
20635 	    (status->ack_tstamp &&
20636 	     nla_put_u64_64bit(msg, NL80211_ATTR_RX_HW_TIMESTAMP,
20637 			       status->ack_tstamp, NL80211_ATTR_PAD)))
20638 		goto nla_put_failure;
20639 
20640 	genlmsg_end(msg, hdr);
20641 
20642 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
20643 				NL80211_MCGRP_MLME, gfp);
20644 	return;
20645 
20646 nla_put_failure:
20647 	nlmsg_free(msg);
20648 }
20649 
20650 void cfg80211_control_port_tx_status(struct wireless_dev *wdev, u64 cookie,
20651 				     const u8 *buf, size_t len, bool ack,
20652 				     gfp_t gfp)
20653 {
20654 	struct cfg80211_tx_status status = {
20655 		.cookie = cookie,
20656 		.buf = buf,
20657 		.len = len,
20658 		.ack = ack
20659 	};
20660 
20661 	nl80211_frame_tx_status(wdev, &status, gfp,
20662 				NL80211_CMD_CONTROL_PORT_FRAME_TX_STATUS);
20663 }
20664 EXPORT_SYMBOL(cfg80211_control_port_tx_status);
20665 
20666 void cfg80211_mgmt_tx_status_ext(struct wireless_dev *wdev,
20667 				 struct cfg80211_tx_status *status, gfp_t gfp)
20668 {
20669 	nl80211_frame_tx_status(wdev, status, gfp, NL80211_CMD_FRAME_TX_STATUS);
20670 }
20671 EXPORT_SYMBOL(cfg80211_mgmt_tx_status_ext);
20672 
20673 static int __nl80211_rx_control_port(struct net_device *dev,
20674 				     struct sk_buff *skb,
20675 				     bool unencrypted,
20676 				     int link_id,
20677 				     gfp_t gfp)
20678 {
20679 	struct wireless_dev *wdev = dev->ieee80211_ptr;
20680 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
20681 	struct ethhdr *ehdr = eth_hdr(skb);
20682 	const u8 *addr = ehdr->h_source;
20683 	u16 proto = be16_to_cpu(skb->protocol);
20684 	struct sk_buff *msg;
20685 	void *hdr;
20686 	struct nlattr *frame;
20687 
20688 	u32 nlportid = READ_ONCE(wdev->conn_owner_nlportid);
20689 
20690 	if (!nlportid)
20691 		return -ENOENT;
20692 
20693 	msg = nlmsg_new(100 + skb->len, gfp);
20694 	if (!msg)
20695 		return -ENOMEM;
20696 
20697 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_CONTROL_PORT_FRAME);
20698 	if (!hdr) {
20699 		nlmsg_free(msg);
20700 		return -ENOBUFS;
20701 	}
20702 
20703 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
20704 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
20705 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
20706 			      NL80211_ATTR_PAD) ||
20707 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr) ||
20708 	    nla_put_u16(msg, NL80211_ATTR_CONTROL_PORT_ETHERTYPE, proto) ||
20709 	    (link_id >= 0 &&
20710 	     nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID, link_id)) ||
20711 	    (unencrypted && nla_put_flag(msg,
20712 					 NL80211_ATTR_CONTROL_PORT_NO_ENCRYPT)))
20713 		goto nla_put_failure;
20714 
20715 	frame = nla_reserve(msg, NL80211_ATTR_FRAME, skb->len);
20716 	if (!frame)
20717 		goto nla_put_failure;
20718 
20719 	skb_copy_bits(skb, 0, nla_data(frame), skb->len);
20720 	genlmsg_end(msg, hdr);
20721 
20722 	return genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, nlportid);
20723 
20724  nla_put_failure:
20725 	nlmsg_free(msg);
20726 	return -ENOBUFS;
20727 }
20728 
20729 bool cfg80211_rx_control_port(struct net_device *dev, struct sk_buff *skb,
20730 			      bool unencrypted, int link_id)
20731 {
20732 	int ret;
20733 
20734 	trace_cfg80211_rx_control_port(dev, skb, unencrypted, link_id);
20735 	ret = __nl80211_rx_control_port(dev, skb, unencrypted, link_id,
20736 					GFP_ATOMIC);
20737 	trace_cfg80211_return_bool(ret == 0);
20738 	return ret == 0;
20739 }
20740 EXPORT_SYMBOL(cfg80211_rx_control_port);
20741 
20742 static struct sk_buff *cfg80211_prepare_cqm(struct net_device *dev,
20743 					    const char *mac, gfp_t gfp)
20744 {
20745 	struct wireless_dev *wdev = dev->ieee80211_ptr;
20746 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
20747 	struct sk_buff *msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
20748 	void **cb;
20749 
20750 	if (!msg)
20751 		return NULL;
20752 
20753 	cb = (void **)msg->cb;
20754 
20755 	cb[0] = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_NOTIFY_CQM);
20756 	if (!cb[0]) {
20757 		nlmsg_free(msg);
20758 		return NULL;
20759 	}
20760 
20761 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
20762 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
20763 		goto nla_put_failure;
20764 
20765 	if (mac && nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac))
20766 		goto nla_put_failure;
20767 
20768 	cb[1] = nla_nest_start_noflag(msg, NL80211_ATTR_CQM);
20769 	if (!cb[1])
20770 		goto nla_put_failure;
20771 
20772 	cb[2] = rdev;
20773 
20774 	return msg;
20775  nla_put_failure:
20776 	nlmsg_free(msg);
20777 	return NULL;
20778 }
20779 
20780 static void cfg80211_send_cqm(struct sk_buff *msg, gfp_t gfp)
20781 {
20782 	void **cb = (void **)msg->cb;
20783 	struct cfg80211_registered_device *rdev = cb[2];
20784 
20785 	nla_nest_end(msg, cb[1]);
20786 	genlmsg_end(msg, cb[0]);
20787 
20788 	memset(msg->cb, 0, sizeof(msg->cb));
20789 
20790 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
20791 				NL80211_MCGRP_MLME, gfp);
20792 }
20793 
20794 void cfg80211_cqm_rssi_notify(struct net_device *dev,
20795 			      enum nl80211_cqm_rssi_threshold_event rssi_event,
20796 			      s32 rssi_level, gfp_t gfp)
20797 {
20798 	struct wireless_dev *wdev = dev->ieee80211_ptr;
20799 	struct cfg80211_cqm_config *cqm_config;
20800 
20801 	trace_cfg80211_cqm_rssi_notify(dev, rssi_event, rssi_level);
20802 
20803 	if (WARN_ON(rssi_event != NL80211_CQM_RSSI_THRESHOLD_EVENT_LOW &&
20804 		    rssi_event != NL80211_CQM_RSSI_THRESHOLD_EVENT_HIGH))
20805 		return;
20806 
20807 	rcu_read_lock();
20808 	cqm_config = rcu_dereference(wdev->cqm_config);
20809 	if (cqm_config) {
20810 		cqm_config->last_rssi_event_value = rssi_level;
20811 		cqm_config->last_rssi_event_type = rssi_event;
20812 		wiphy_work_queue(wdev->wiphy, &wdev->cqm_rssi_work);
20813 	}
20814 	rcu_read_unlock();
20815 }
20816 EXPORT_SYMBOL(cfg80211_cqm_rssi_notify);
20817 
20818 void cfg80211_cqm_rssi_notify_work(struct wiphy *wiphy, struct wiphy_work *work)
20819 {
20820 	struct wireless_dev *wdev = container_of(work, struct wireless_dev,
20821 						 cqm_rssi_work);
20822 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
20823 	enum nl80211_cqm_rssi_threshold_event rssi_event;
20824 	struct cfg80211_cqm_config *cqm_config;
20825 	struct sk_buff *msg;
20826 	s32 rssi_level;
20827 
20828 	cqm_config = wiphy_dereference(wdev->wiphy, wdev->cqm_config);
20829 	if (!cqm_config)
20830 		return;
20831 
20832 	if (cqm_config->use_range_api)
20833 		cfg80211_cqm_rssi_update(rdev, wdev->netdev, cqm_config);
20834 
20835 	rssi_level = cqm_config->last_rssi_event_value;
20836 	rssi_event = cqm_config->last_rssi_event_type;
20837 
20838 	msg = cfg80211_prepare_cqm(wdev->netdev, NULL, GFP_KERNEL);
20839 	if (!msg)
20840 		return;
20841 
20842 	if (nla_put_u32(msg, NL80211_ATTR_CQM_RSSI_THRESHOLD_EVENT,
20843 			rssi_event))
20844 		goto nla_put_failure;
20845 
20846 	if (rssi_level && nla_put_s32(msg, NL80211_ATTR_CQM_RSSI_LEVEL,
20847 				      rssi_level))
20848 		goto nla_put_failure;
20849 
20850 	cfg80211_send_cqm(msg, GFP_KERNEL);
20851 
20852 	return;
20853 
20854  nla_put_failure:
20855 	nlmsg_free(msg);
20856 }
20857 
20858 void cfg80211_cqm_txe_notify(struct net_device *dev,
20859 			     const u8 *peer, u32 num_packets,
20860 			     u32 rate, u32 intvl, gfp_t gfp)
20861 {
20862 	struct sk_buff *msg;
20863 
20864 	msg = cfg80211_prepare_cqm(dev, peer, gfp);
20865 	if (!msg)
20866 		return;
20867 
20868 	if (nla_put_u32(msg, NL80211_ATTR_CQM_TXE_PKTS, num_packets))
20869 		goto nla_put_failure;
20870 
20871 	if (nla_put_u32(msg, NL80211_ATTR_CQM_TXE_RATE, rate))
20872 		goto nla_put_failure;
20873 
20874 	if (nla_put_u32(msg, NL80211_ATTR_CQM_TXE_INTVL, intvl))
20875 		goto nla_put_failure;
20876 
20877 	cfg80211_send_cqm(msg, gfp);
20878 	return;
20879 
20880  nla_put_failure:
20881 	nlmsg_free(msg);
20882 }
20883 EXPORT_SYMBOL(cfg80211_cqm_txe_notify);
20884 
20885 void cfg80211_cqm_pktloss_notify(struct net_device *dev,
20886 				 const u8 *peer, u32 num_packets, gfp_t gfp)
20887 {
20888 	struct sk_buff *msg;
20889 
20890 	trace_cfg80211_cqm_pktloss_notify(dev, peer, num_packets);
20891 
20892 	msg = cfg80211_prepare_cqm(dev, peer, gfp);
20893 	if (!msg)
20894 		return;
20895 
20896 	if (nla_put_u32(msg, NL80211_ATTR_CQM_PKT_LOSS_EVENT, num_packets))
20897 		goto nla_put_failure;
20898 
20899 	cfg80211_send_cqm(msg, gfp);
20900 	return;
20901 
20902  nla_put_failure:
20903 	nlmsg_free(msg);
20904 }
20905 EXPORT_SYMBOL(cfg80211_cqm_pktloss_notify);
20906 
20907 void cfg80211_cqm_beacon_loss_notify(struct net_device *dev, gfp_t gfp)
20908 {
20909 	struct sk_buff *msg;
20910 
20911 	msg = cfg80211_prepare_cqm(dev, NULL, gfp);
20912 	if (!msg)
20913 		return;
20914 
20915 	if (nla_put_flag(msg, NL80211_ATTR_CQM_BEACON_LOSS_EVENT))
20916 		goto nla_put_failure;
20917 
20918 	cfg80211_send_cqm(msg, gfp);
20919 	return;
20920 
20921  nla_put_failure:
20922 	nlmsg_free(msg);
20923 }
20924 EXPORT_SYMBOL(cfg80211_cqm_beacon_loss_notify);
20925 
20926 static void nl80211_gtk_rekey_notify(struct cfg80211_registered_device *rdev,
20927 				     struct net_device *netdev, const u8 *bssid,
20928 				     const u8 *replay_ctr, gfp_t gfp)
20929 {
20930 	struct sk_buff *msg;
20931 	struct nlattr *rekey_attr;
20932 	void *hdr;
20933 
20934 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
20935 	if (!msg)
20936 		return;
20937 
20938 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_SET_REKEY_OFFLOAD);
20939 	if (!hdr) {
20940 		nlmsg_free(msg);
20941 		return;
20942 	}
20943 
20944 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
20945 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
20946 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, bssid))
20947 		goto nla_put_failure;
20948 
20949 	rekey_attr = nla_nest_start_noflag(msg, NL80211_ATTR_REKEY_DATA);
20950 	if (!rekey_attr)
20951 		goto nla_put_failure;
20952 
20953 	if (nla_put(msg, NL80211_REKEY_DATA_REPLAY_CTR,
20954 		    NL80211_REPLAY_CTR_LEN, replay_ctr))
20955 		goto nla_put_failure;
20956 
20957 	nla_nest_end(msg, rekey_attr);
20958 
20959 	genlmsg_end(msg, hdr);
20960 
20961 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
20962 				NL80211_MCGRP_MLME, gfp);
20963 	return;
20964 
20965  nla_put_failure:
20966 	nlmsg_free(msg);
20967 }
20968 
20969 void cfg80211_gtk_rekey_notify(struct net_device *dev, const u8 *bssid,
20970 			       const u8 *replay_ctr, gfp_t gfp)
20971 {
20972 	struct wireless_dev *wdev = dev->ieee80211_ptr;
20973 	struct wiphy *wiphy = wdev->wiphy;
20974 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
20975 
20976 	trace_cfg80211_gtk_rekey_notify(dev, bssid);
20977 	nl80211_gtk_rekey_notify(rdev, dev, bssid, replay_ctr, gfp);
20978 }
20979 EXPORT_SYMBOL(cfg80211_gtk_rekey_notify);
20980 
20981 static void
20982 nl80211_pmksa_candidate_notify(struct cfg80211_registered_device *rdev,
20983 			       struct net_device *netdev, int index,
20984 			       const u8 *bssid, bool preauth, gfp_t gfp)
20985 {
20986 	struct sk_buff *msg;
20987 	struct nlattr *attr;
20988 	void *hdr;
20989 
20990 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
20991 	if (!msg)
20992 		return;
20993 
20994 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_PMKSA_CANDIDATE);
20995 	if (!hdr) {
20996 		nlmsg_free(msg);
20997 		return;
20998 	}
20999 
21000 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
21001 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex))
21002 		goto nla_put_failure;
21003 
21004 	attr = nla_nest_start_noflag(msg, NL80211_ATTR_PMKSA_CANDIDATE);
21005 	if (!attr)
21006 		goto nla_put_failure;
21007 
21008 	if (nla_put_u32(msg, NL80211_PMKSA_CANDIDATE_INDEX, index) ||
21009 	    nla_put(msg, NL80211_PMKSA_CANDIDATE_BSSID, ETH_ALEN, bssid) ||
21010 	    (preauth &&
21011 	     nla_put_flag(msg, NL80211_PMKSA_CANDIDATE_PREAUTH)))
21012 		goto nla_put_failure;
21013 
21014 	nla_nest_end(msg, attr);
21015 
21016 	genlmsg_end(msg, hdr);
21017 
21018 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
21019 				NL80211_MCGRP_MLME, gfp);
21020 	return;
21021 
21022  nla_put_failure:
21023 	nlmsg_free(msg);
21024 }
21025 
21026 void cfg80211_pmksa_candidate_notify(struct net_device *dev, int index,
21027 				     const u8 *bssid, bool preauth, gfp_t gfp)
21028 {
21029 	struct wireless_dev *wdev = dev->ieee80211_ptr;
21030 	struct wiphy *wiphy = wdev->wiphy;
21031 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
21032 
21033 	trace_cfg80211_pmksa_candidate_notify(dev, index, bssid, preauth);
21034 	nl80211_pmksa_candidate_notify(rdev, dev, index, bssid, preauth, gfp);
21035 }
21036 EXPORT_SYMBOL(cfg80211_pmksa_candidate_notify);
21037 
21038 static void nl80211_ch_switch_notify(struct cfg80211_registered_device *rdev,
21039 				     struct net_device *netdev,
21040 				     unsigned int link_id,
21041 				     struct cfg80211_chan_def *chandef,
21042 				     gfp_t gfp,
21043 				     enum nl80211_commands notif,
21044 				     u8 count, bool quiet)
21045 {
21046 	struct wireless_dev *wdev = netdev->ieee80211_ptr;
21047 	struct sk_buff *msg;
21048 	void *hdr;
21049 
21050 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
21051 	if (!msg)
21052 		return;
21053 
21054 	hdr = nl80211hdr_put(msg, 0, 0, 0, notif);
21055 	if (!hdr) {
21056 		nlmsg_free(msg);
21057 		return;
21058 	}
21059 
21060 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex))
21061 		goto nla_put_failure;
21062 
21063 	if (wdev->valid_links &&
21064 	    nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID, link_id))
21065 		goto nla_put_failure;
21066 
21067 	if (nl80211_send_chandef(msg, chandef))
21068 		goto nla_put_failure;
21069 
21070 	if (notif == NL80211_CMD_CH_SWITCH_STARTED_NOTIFY) {
21071 		if (nla_put_u32(msg, NL80211_ATTR_CH_SWITCH_COUNT, count))
21072 			goto nla_put_failure;
21073 		if (quiet &&
21074 		    nla_put_flag(msg, NL80211_ATTR_CH_SWITCH_BLOCK_TX))
21075 			goto nla_put_failure;
21076 	}
21077 
21078 	genlmsg_end(msg, hdr);
21079 
21080 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
21081 				NL80211_MCGRP_MLME, gfp);
21082 	return;
21083 
21084  nla_put_failure:
21085 	nlmsg_free(msg);
21086 }
21087 
21088 void cfg80211_ch_switch_notify(struct net_device *dev,
21089 			       struct cfg80211_chan_def *chandef,
21090 			       unsigned int link_id)
21091 {
21092 	struct wireless_dev *wdev = dev->ieee80211_ptr;
21093 	struct wiphy *wiphy = wdev->wiphy;
21094 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
21095 
21096 	lockdep_assert_wiphy(wdev->wiphy);
21097 	WARN_INVALID_LINK_ID(wdev, link_id);
21098 
21099 	trace_cfg80211_ch_switch_notify(dev, chandef, link_id);
21100 
21101 	switch (wdev->iftype) {
21102 	case NL80211_IFTYPE_STATION:
21103 	case NL80211_IFTYPE_P2P_CLIENT:
21104 		if (!WARN_ON(!wdev->links[link_id].client.current_bss))
21105 			cfg80211_update_assoc_bss_entry(wdev, link_id,
21106 							chandef->chan);
21107 		break;
21108 	case NL80211_IFTYPE_MESH_POINT:
21109 		wdev->u.mesh.chandef = *chandef;
21110 		wdev->u.mesh.preset_chandef = *chandef;
21111 		break;
21112 	case NL80211_IFTYPE_AP:
21113 	case NL80211_IFTYPE_P2P_GO:
21114 		wdev->links[link_id].ap.chandef = *chandef;
21115 		break;
21116 	case NL80211_IFTYPE_ADHOC:
21117 		wdev->u.ibss.chandef = *chandef;
21118 		break;
21119 	default:
21120 		WARN_ON(1);
21121 		break;
21122 	}
21123 
21124 	cfg80211_schedule_channels_check(wdev);
21125 	cfg80211_sched_dfs_chan_update(rdev);
21126 
21127 	nl80211_ch_switch_notify(rdev, dev, link_id, chandef, GFP_KERNEL,
21128 				 NL80211_CMD_CH_SWITCH_NOTIFY, 0, false);
21129 }
21130 EXPORT_SYMBOL(cfg80211_ch_switch_notify);
21131 
21132 void cfg80211_ch_switch_started_notify(struct net_device *dev,
21133 				       struct cfg80211_chan_def *chandef,
21134 				       unsigned int link_id, u8 count,
21135 				       bool quiet)
21136 {
21137 	struct wireless_dev *wdev = dev->ieee80211_ptr;
21138 	struct wiphy *wiphy = wdev->wiphy;
21139 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
21140 
21141 	lockdep_assert_wiphy(wdev->wiphy);
21142 	WARN_INVALID_LINK_ID(wdev, link_id);
21143 
21144 	trace_cfg80211_ch_switch_started_notify(dev, chandef, link_id);
21145 
21146 
21147 	nl80211_ch_switch_notify(rdev, dev, link_id, chandef, GFP_KERNEL,
21148 				 NL80211_CMD_CH_SWITCH_STARTED_NOTIFY,
21149 				 count, quiet);
21150 }
21151 EXPORT_SYMBOL(cfg80211_ch_switch_started_notify);
21152 
21153 int cfg80211_bss_color_notify(struct net_device *dev,
21154 			      enum nl80211_commands cmd, u8 count,
21155 			      u64 color_bitmap, u8 link_id)
21156 {
21157 	struct wireless_dev *wdev = dev->ieee80211_ptr;
21158 	struct wiphy *wiphy = wdev->wiphy;
21159 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
21160 	struct sk_buff *msg;
21161 	void *hdr;
21162 
21163 	lockdep_assert_wiphy(wdev->wiphy);
21164 
21165 	trace_cfg80211_bss_color_notify(dev, cmd, count, color_bitmap);
21166 
21167 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
21168 	if (!msg)
21169 		return -ENOMEM;
21170 
21171 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
21172 	if (!hdr)
21173 		goto nla_put_failure;
21174 
21175 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
21176 		goto nla_put_failure;
21177 
21178 	if (wdev->valid_links &&
21179 	    nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID, link_id))
21180 		goto nla_put_failure;
21181 
21182 	if (cmd == NL80211_CMD_COLOR_CHANGE_STARTED &&
21183 	    nla_put_u32(msg, NL80211_ATTR_COLOR_CHANGE_COUNT, count))
21184 		goto nla_put_failure;
21185 
21186 	if (cmd == NL80211_CMD_OBSS_COLOR_COLLISION &&
21187 	    nla_put_u64_64bit(msg, NL80211_ATTR_OBSS_COLOR_BITMAP,
21188 			      color_bitmap, NL80211_ATTR_PAD))
21189 		goto nla_put_failure;
21190 
21191 	genlmsg_end(msg, hdr);
21192 
21193 	return genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy),
21194 				       msg, 0, NL80211_MCGRP_MLME, GFP_KERNEL);
21195 
21196 nla_put_failure:
21197 	nlmsg_free(msg);
21198 	return -EINVAL;
21199 }
21200 EXPORT_SYMBOL(cfg80211_bss_color_notify);
21201 
21202 void
21203 nl80211_radar_notify(struct cfg80211_registered_device *rdev,
21204 		     const struct cfg80211_chan_def *chandef,
21205 		     enum nl80211_radar_event event,
21206 		     struct net_device *netdev, gfp_t gfp)
21207 {
21208 	struct sk_buff *msg;
21209 	void *hdr;
21210 
21211 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
21212 	if (!msg)
21213 		return;
21214 
21215 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_RADAR_DETECT);
21216 	if (!hdr) {
21217 		nlmsg_free(msg);
21218 		return;
21219 	}
21220 
21221 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx))
21222 		goto nla_put_failure;
21223 
21224 	/* NOP and radar events don't need a netdev parameter */
21225 	if (netdev) {
21226 		struct wireless_dev *wdev = netdev->ieee80211_ptr;
21227 
21228 		if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
21229 		    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
21230 				      NL80211_ATTR_PAD))
21231 			goto nla_put_failure;
21232 	}
21233 
21234 	if (nla_put_u32(msg, NL80211_ATTR_RADAR_EVENT, event))
21235 		goto nla_put_failure;
21236 
21237 	if (nl80211_send_chandef(msg, chandef))
21238 		goto nla_put_failure;
21239 
21240 	genlmsg_end(msg, hdr);
21241 
21242 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
21243 				NL80211_MCGRP_MLME, gfp);
21244 	return;
21245 
21246  nla_put_failure:
21247 	nlmsg_free(msg);
21248 }
21249 
21250 void cfg80211_sta_opmode_change_notify(struct net_device *dev, const u8 *mac,
21251 				       struct sta_opmode_info *sta_opmode,
21252 				       gfp_t gfp)
21253 {
21254 	struct sk_buff *msg;
21255 	struct wireless_dev *wdev = dev->ieee80211_ptr;
21256 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
21257 	void *hdr;
21258 
21259 	if (WARN_ON(!mac))
21260 		return;
21261 
21262 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
21263 	if (!msg)
21264 		return;
21265 
21266 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_STA_OPMODE_CHANGED);
21267 	if (!hdr) {
21268 		nlmsg_free(msg);
21269 		return;
21270 	}
21271 
21272 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx))
21273 		goto nla_put_failure;
21274 
21275 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
21276 		goto nla_put_failure;
21277 
21278 	if (nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac))
21279 		goto nla_put_failure;
21280 
21281 	if ((sta_opmode->changed & STA_OPMODE_SMPS_MODE_CHANGED) &&
21282 	    nla_put_u8(msg, NL80211_ATTR_SMPS_MODE, sta_opmode->smps_mode))
21283 		goto nla_put_failure;
21284 
21285 	if ((sta_opmode->changed & STA_OPMODE_MAX_BW_CHANGED) &&
21286 	    nla_put_u32(msg, NL80211_ATTR_CHANNEL_WIDTH, sta_opmode->bw))
21287 		goto nla_put_failure;
21288 
21289 	if ((sta_opmode->changed & STA_OPMODE_N_SS_CHANGED) &&
21290 	    nla_put_u8(msg, NL80211_ATTR_NSS, sta_opmode->rx_nss))
21291 		goto nla_put_failure;
21292 
21293 	genlmsg_end(msg, hdr);
21294 
21295 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
21296 				NL80211_MCGRP_MLME, gfp);
21297 
21298 	return;
21299 
21300 nla_put_failure:
21301 	nlmsg_free(msg);
21302 }
21303 EXPORT_SYMBOL(cfg80211_sta_opmode_change_notify);
21304 
21305 void cfg80211_probe_status(struct net_device *dev, const u8 *addr,
21306 			   u64 cookie, bool acked, s32 ack_signal,
21307 			   bool is_valid_ack_signal, gfp_t gfp)
21308 {
21309 	struct wireless_dev *wdev = dev->ieee80211_ptr;
21310 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
21311 	struct sk_buff *msg;
21312 	void *hdr;
21313 
21314 	trace_cfg80211_probe_status(dev, addr, cookie, acked);
21315 
21316 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
21317 
21318 	if (!msg)
21319 		return;
21320 
21321 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_PROBE_CLIENT);
21322 	if (!hdr) {
21323 		nlmsg_free(msg);
21324 		return;
21325 	}
21326 
21327 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
21328 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
21329 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr) ||
21330 	    nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
21331 			      NL80211_ATTR_PAD) ||
21332 	    (acked && nla_put_flag(msg, NL80211_ATTR_ACK)) ||
21333 	    (is_valid_ack_signal && nla_put_s32(msg, NL80211_ATTR_ACK_SIGNAL,
21334 						ack_signal)))
21335 		goto nla_put_failure;
21336 
21337 	genlmsg_end(msg, hdr);
21338 
21339 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
21340 				NL80211_MCGRP_MLME, gfp);
21341 	return;
21342 
21343  nla_put_failure:
21344 	nlmsg_free(msg);
21345 }
21346 EXPORT_SYMBOL(cfg80211_probe_status);
21347 
21348 void cfg80211_report_obss_beacon_khz(struct wiphy *wiphy, const u8 *frame,
21349 				     size_t len, int freq, int sig_dbm)
21350 {
21351 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
21352 	struct sk_buff *msg;
21353 	void *hdr;
21354 	struct cfg80211_beacon_registration *reg;
21355 
21356 	trace_cfg80211_report_obss_beacon(wiphy, frame, len, freq, sig_dbm);
21357 
21358 	spin_lock_bh(&rdev->beacon_registrations_lock);
21359 	list_for_each_entry(reg, &rdev->beacon_registrations, list) {
21360 		msg = nlmsg_new(len + 100, GFP_ATOMIC);
21361 		if (!msg) {
21362 			spin_unlock_bh(&rdev->beacon_registrations_lock);
21363 			return;
21364 		}
21365 
21366 		hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_FRAME);
21367 		if (!hdr)
21368 			goto nla_put_failure;
21369 
21370 		if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
21371 		    (freq &&
21372 		     (nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ,
21373 				  KHZ_TO_MHZ(freq)) ||
21374 		      nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ_OFFSET,
21375 				  freq % 1000))) ||
21376 		    (sig_dbm &&
21377 		     nla_put_u32(msg, NL80211_ATTR_RX_SIGNAL_DBM, sig_dbm)) ||
21378 		    nla_put(msg, NL80211_ATTR_FRAME, len, frame))
21379 			goto nla_put_failure;
21380 
21381 		genlmsg_end(msg, hdr);
21382 
21383 		genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, reg->nlportid);
21384 	}
21385 	spin_unlock_bh(&rdev->beacon_registrations_lock);
21386 	return;
21387 
21388  nla_put_failure:
21389 	spin_unlock_bh(&rdev->beacon_registrations_lock);
21390 	nlmsg_free(msg);
21391 }
21392 EXPORT_SYMBOL(cfg80211_report_obss_beacon_khz);
21393 
21394 #ifdef CONFIG_PM
21395 static int cfg80211_net_detect_results(struct sk_buff *msg,
21396 				       struct cfg80211_wowlan_wakeup *wakeup)
21397 {
21398 	struct cfg80211_wowlan_nd_info *nd = wakeup->net_detect;
21399 	struct nlattr *nl_results, *nl_match, *nl_freqs;
21400 	int i, j;
21401 
21402 	nl_results = nla_nest_start_noflag(msg,
21403 					   NL80211_WOWLAN_TRIG_NET_DETECT_RESULTS);
21404 	if (!nl_results)
21405 		return -EMSGSIZE;
21406 
21407 	for (i = 0; i < nd->n_matches; i++) {
21408 		struct cfg80211_wowlan_nd_match *match = nd->matches[i];
21409 
21410 		nl_match = nla_nest_start_noflag(msg, i);
21411 		if (!nl_match)
21412 			break;
21413 
21414 		/* The SSID attribute is optional in nl80211, but for
21415 		 * simplicity reasons it's always present in the
21416 		 * cfg80211 structure.  If a driver can't pass the
21417 		 * SSID, that needs to be changed.  A zero length SSID
21418 		 * is still a valid SSID (wildcard), so it cannot be
21419 		 * used for this purpose.
21420 		 */
21421 		if (nla_put(msg, NL80211_ATTR_SSID, match->ssid.ssid_len,
21422 			    match->ssid.ssid)) {
21423 			nla_nest_cancel(msg, nl_match);
21424 			goto out;
21425 		}
21426 
21427 		if (match->n_channels) {
21428 			nl_freqs = nla_nest_start_noflag(msg,
21429 							 NL80211_ATTR_SCAN_FREQUENCIES);
21430 			if (!nl_freqs) {
21431 				nla_nest_cancel(msg, nl_match);
21432 				goto out;
21433 			}
21434 
21435 			for (j = 0; j < match->n_channels; j++) {
21436 				if (nla_put_u32(msg, j, match->channels[j])) {
21437 					nla_nest_cancel(msg, nl_freqs);
21438 					nla_nest_cancel(msg, nl_match);
21439 					goto out;
21440 				}
21441 			}
21442 
21443 			nla_nest_end(msg, nl_freqs);
21444 		}
21445 
21446 		nla_nest_end(msg, nl_match);
21447 	}
21448 
21449 out:
21450 	nla_nest_end(msg, nl_results);
21451 	return 0;
21452 }
21453 
21454 void cfg80211_report_wowlan_wakeup(struct wireless_dev *wdev,
21455 				   struct cfg80211_wowlan_wakeup *wakeup,
21456 				   gfp_t gfp)
21457 {
21458 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
21459 	struct sk_buff *msg;
21460 	void *hdr;
21461 	int size = 200;
21462 
21463 	trace_cfg80211_report_wowlan_wakeup(wdev->wiphy, wdev, wakeup);
21464 
21465 	if (wakeup)
21466 		size += wakeup->packet_present_len;
21467 
21468 	msg = nlmsg_new(size, gfp);
21469 	if (!msg)
21470 		return;
21471 
21472 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_SET_WOWLAN);
21473 	if (!hdr)
21474 		goto free_msg;
21475 
21476 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
21477 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
21478 			      NL80211_ATTR_PAD))
21479 		goto free_msg;
21480 
21481 	if (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
21482 					wdev->netdev->ifindex))
21483 		goto free_msg;
21484 
21485 	if (wakeup) {
21486 		struct nlattr *reasons;
21487 
21488 		reasons = nla_nest_start_noflag(msg,
21489 						NL80211_ATTR_WOWLAN_TRIGGERS);
21490 		if (!reasons)
21491 			goto free_msg;
21492 
21493 		if (wakeup->disconnect &&
21494 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_DISCONNECT))
21495 			goto free_msg;
21496 		if (wakeup->magic_pkt &&
21497 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_MAGIC_PKT))
21498 			goto free_msg;
21499 		if (wakeup->gtk_rekey_failure &&
21500 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE))
21501 			goto free_msg;
21502 		if (wakeup->eap_identity_req &&
21503 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST))
21504 			goto free_msg;
21505 		if (wakeup->four_way_handshake &&
21506 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE))
21507 			goto free_msg;
21508 		if (wakeup->rfkill_release &&
21509 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_RFKILL_RELEASE))
21510 			goto free_msg;
21511 
21512 		if (wakeup->pattern_idx >= 0 &&
21513 		    nla_put_u32(msg, NL80211_WOWLAN_TRIG_PKT_PATTERN,
21514 				wakeup->pattern_idx))
21515 			goto free_msg;
21516 
21517 		if (wakeup->tcp_match &&
21518 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_WAKEUP_TCP_MATCH))
21519 			goto free_msg;
21520 
21521 		if (wakeup->tcp_connlost &&
21522 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_WAKEUP_TCP_CONNLOST))
21523 			goto free_msg;
21524 
21525 		if (wakeup->tcp_nomoretokens &&
21526 		    nla_put_flag(msg,
21527 				 NL80211_WOWLAN_TRIG_WAKEUP_TCP_NOMORETOKENS))
21528 			goto free_msg;
21529 
21530 		if (wakeup->unprot_deauth_disassoc &&
21531 		    nla_put_flag(msg,
21532 				 NL80211_WOWLAN_TRIG_UNPROTECTED_DEAUTH_DISASSOC))
21533 			goto free_msg;
21534 
21535 		if (wakeup->packet) {
21536 			u32 pkt_attr = NL80211_WOWLAN_TRIG_WAKEUP_PKT_80211;
21537 			u32 len_attr = NL80211_WOWLAN_TRIG_WAKEUP_PKT_80211_LEN;
21538 
21539 			if (!wakeup->packet_80211) {
21540 				pkt_attr =
21541 					NL80211_WOWLAN_TRIG_WAKEUP_PKT_8023;
21542 				len_attr =
21543 					NL80211_WOWLAN_TRIG_WAKEUP_PKT_8023_LEN;
21544 			}
21545 
21546 			if (wakeup->packet_len &&
21547 			    nla_put_u32(msg, len_attr, wakeup->packet_len))
21548 				goto free_msg;
21549 
21550 			if (nla_put(msg, pkt_attr, wakeup->packet_present_len,
21551 				    wakeup->packet))
21552 				goto free_msg;
21553 		}
21554 
21555 		if (wakeup->net_detect &&
21556 		    cfg80211_net_detect_results(msg, wakeup))
21557 				goto free_msg;
21558 
21559 		nla_nest_end(msg, reasons);
21560 	}
21561 
21562 	genlmsg_end(msg, hdr);
21563 
21564 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
21565 				NL80211_MCGRP_MLME, gfp);
21566 	return;
21567 
21568  free_msg:
21569 	nlmsg_free(msg);
21570 }
21571 EXPORT_SYMBOL(cfg80211_report_wowlan_wakeup);
21572 #endif
21573 
21574 void cfg80211_tdls_oper_request(struct net_device *dev, const u8 *peer,
21575 				enum nl80211_tdls_operation oper,
21576 				u16 reason_code, gfp_t gfp)
21577 {
21578 	struct wireless_dev *wdev = dev->ieee80211_ptr;
21579 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
21580 	struct sk_buff *msg;
21581 	void *hdr;
21582 
21583 	trace_cfg80211_tdls_oper_request(wdev->wiphy, dev, peer, oper,
21584 					 reason_code);
21585 
21586 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
21587 	if (!msg)
21588 		return;
21589 
21590 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_TDLS_OPER);
21591 	if (!hdr) {
21592 		nlmsg_free(msg);
21593 		return;
21594 	}
21595 
21596 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
21597 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
21598 	    nla_put_u8(msg, NL80211_ATTR_TDLS_OPERATION, oper) ||
21599 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, peer) ||
21600 	    (reason_code > 0 &&
21601 	     nla_put_u16(msg, NL80211_ATTR_REASON_CODE, reason_code)))
21602 		goto nla_put_failure;
21603 
21604 	genlmsg_end(msg, hdr);
21605 
21606 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
21607 				NL80211_MCGRP_MLME, gfp);
21608 	return;
21609 
21610  nla_put_failure:
21611 	nlmsg_free(msg);
21612 }
21613 EXPORT_SYMBOL(cfg80211_tdls_oper_request);
21614 
21615 static int nl80211_netlink_notify(struct notifier_block * nb,
21616 				  unsigned long state,
21617 				  void *_notify)
21618 {
21619 	struct netlink_notify *notify = _notify;
21620 	struct cfg80211_registered_device *rdev;
21621 	struct wireless_dev *wdev;
21622 	struct cfg80211_beacon_registration *reg, *tmp;
21623 
21624 	if (state != NETLINK_URELEASE || notify->protocol != NETLINK_GENERIC)
21625 		return NOTIFY_DONE;
21626 
21627 	rcu_read_lock();
21628 
21629 	list_for_each_entry_rcu(rdev, &cfg80211_rdev_list, list) {
21630 		struct cfg80211_sched_scan_request *sched_scan_req;
21631 
21632 		list_for_each_entry_rcu(sched_scan_req,
21633 					&rdev->sched_scan_req_list,
21634 					list) {
21635 			if (sched_scan_req->owner_nlportid == notify->portid) {
21636 				sched_scan_req->nl_owner_dead = true;
21637 				wiphy_work_queue(&rdev->wiphy,
21638 						 &rdev->sched_scan_stop_wk);
21639 			}
21640 		}
21641 
21642 		list_for_each_entry_rcu(wdev, &rdev->wiphy.wdev_list, list) {
21643 			cfg80211_mlme_unregister_socket(wdev, notify->portid);
21644 
21645 			if (wdev->owner_nlportid == notify->portid) {
21646 				wdev->nl_owner_dead = true;
21647 				schedule_work(&rdev->destroy_work);
21648 			} else if (wdev->conn_owner_nlportid == notify->portid) {
21649 				schedule_work(&wdev->disconnect_wk);
21650 			}
21651 
21652 			cfg80211_release_pmsr(wdev, notify->portid);
21653 		}
21654 
21655 		spin_lock_bh(&rdev->beacon_registrations_lock);
21656 		list_for_each_entry_safe(reg, tmp, &rdev->beacon_registrations,
21657 					 list) {
21658 			if (reg->nlportid == notify->portid) {
21659 				list_del(&reg->list);
21660 				kfree(reg);
21661 				break;
21662 			}
21663 		}
21664 		spin_unlock_bh(&rdev->beacon_registrations_lock);
21665 	}
21666 
21667 	rcu_read_unlock();
21668 
21669 	/*
21670 	 * It is possible that the user space process that is controlling the
21671 	 * indoor setting disappeared, so notify the regulatory core.
21672 	 */
21673 	regulatory_netlink_notify(notify->portid);
21674 	return NOTIFY_OK;
21675 }
21676 
21677 static struct notifier_block nl80211_netlink_notifier = {
21678 	.notifier_call = nl80211_netlink_notify,
21679 };
21680 
21681 void cfg80211_ft_event(struct net_device *netdev,
21682 		       struct cfg80211_ft_event_params *ft_event)
21683 {
21684 	struct wiphy *wiphy = netdev->ieee80211_ptr->wiphy;
21685 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
21686 	struct sk_buff *msg;
21687 	void *hdr;
21688 
21689 	trace_cfg80211_ft_event(wiphy, netdev, ft_event);
21690 
21691 	if (!ft_event->target_ap)
21692 		return;
21693 
21694 	msg = nlmsg_new(100 + ft_event->ies_len + ft_event->ric_ies_len,
21695 			GFP_KERNEL);
21696 	if (!msg)
21697 		return;
21698 
21699 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_FT_EVENT);
21700 	if (!hdr)
21701 		goto out;
21702 
21703 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
21704 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
21705 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, ft_event->target_ap))
21706 		goto out;
21707 
21708 	if (ft_event->ies &&
21709 	    nla_put(msg, NL80211_ATTR_IE, ft_event->ies_len, ft_event->ies))
21710 		goto out;
21711 	if (ft_event->ric_ies &&
21712 	    nla_put(msg, NL80211_ATTR_IE_RIC, ft_event->ric_ies_len,
21713 		    ft_event->ric_ies))
21714 		goto out;
21715 
21716 	genlmsg_end(msg, hdr);
21717 
21718 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
21719 				NL80211_MCGRP_MLME, GFP_KERNEL);
21720 	return;
21721  out:
21722 	nlmsg_free(msg);
21723 }
21724 EXPORT_SYMBOL(cfg80211_ft_event);
21725 
21726 void cfg80211_crit_proto_stopped(struct wireless_dev *wdev, gfp_t gfp)
21727 {
21728 	struct cfg80211_registered_device *rdev;
21729 	struct sk_buff *msg;
21730 	void *hdr;
21731 	u32 nlportid;
21732 
21733 	rdev = wiphy_to_rdev(wdev->wiphy);
21734 	if (!rdev->crit_proto_nlportid)
21735 		return;
21736 
21737 	nlportid = rdev->crit_proto_nlportid;
21738 	rdev->crit_proto_nlportid = 0;
21739 
21740 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
21741 	if (!msg)
21742 		return;
21743 
21744 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_CRIT_PROTOCOL_STOP);
21745 	if (!hdr)
21746 		goto nla_put_failure;
21747 
21748 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
21749 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
21750 			      NL80211_ATTR_PAD))
21751 		goto nla_put_failure;
21752 
21753 	genlmsg_end(msg, hdr);
21754 
21755 	genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, nlportid);
21756 	return;
21757 
21758  nla_put_failure:
21759 	nlmsg_free(msg);
21760 }
21761 EXPORT_SYMBOL(cfg80211_crit_proto_stopped);
21762 
21763 void nl80211_send_ap_stopped(struct wireless_dev *wdev, unsigned int link_id)
21764 {
21765 	struct wiphy *wiphy = wdev->wiphy;
21766 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
21767 	struct sk_buff *msg;
21768 	void *hdr;
21769 
21770 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
21771 	if (!msg)
21772 		return;
21773 
21774 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_STOP_AP);
21775 	if (!hdr)
21776 		goto out;
21777 
21778 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
21779 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, wdev->netdev->ifindex) ||
21780 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
21781 			      NL80211_ATTR_PAD) ||
21782 	    (wdev->valid_links &&
21783 	     nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID, link_id)))
21784 		goto out;
21785 
21786 	genlmsg_end(msg, hdr);
21787 
21788 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(wiphy), msg, 0,
21789 				NL80211_MCGRP_MLME, GFP_KERNEL);
21790 	return;
21791  out:
21792 	nlmsg_free(msg);
21793 }
21794 
21795 int cfg80211_external_auth_request(struct net_device *dev,
21796 				   struct cfg80211_external_auth_params *params,
21797 				   gfp_t gfp)
21798 {
21799 	struct wireless_dev *wdev = dev->ieee80211_ptr;
21800 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
21801 	struct sk_buff *msg;
21802 	void *hdr;
21803 
21804 	if (!wdev->conn_owner_nlportid)
21805 		return -EINVAL;
21806 
21807 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
21808 	if (!msg)
21809 		return -ENOMEM;
21810 
21811 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_EXTERNAL_AUTH);
21812 	if (!hdr)
21813 		goto nla_put_failure;
21814 
21815 	/* Some historical mistakes in drivers <-> userspace interface (notably
21816 	 * between drivers and wpa_supplicant) led to a big-endian conversion
21817 	 * being needed on NL80211_ATTR_AKM_SUITES _only_ when its value is
21818 	 * WLAN_AKM_SUITE_SAE. This is now fixed on userspace side, but for the
21819 	 * benefit of older wpa_supplicant versions, send this particular value
21820 	 * in big-endian. Note that newer wpa_supplicant will also detect this
21821 	 * particular value in big endian still, so it all continues to work.
21822 	 */
21823 	if (params->key_mgmt_suite == WLAN_AKM_SUITE_SAE) {
21824 		if (nla_put_be32(msg, NL80211_ATTR_AKM_SUITES,
21825 				 cpu_to_be32(WLAN_AKM_SUITE_SAE)))
21826 			goto nla_put_failure;
21827 	} else {
21828 		if (nla_put_u32(msg, NL80211_ATTR_AKM_SUITES,
21829 				params->key_mgmt_suite))
21830 			goto nla_put_failure;
21831 	}
21832 
21833 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
21834 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
21835 	    nla_put_u32(msg, NL80211_ATTR_EXTERNAL_AUTH_ACTION,
21836 			params->action) ||
21837 	    nla_put(msg, NL80211_ATTR_BSSID, ETH_ALEN, params->bssid) ||
21838 	    nla_put(msg, NL80211_ATTR_SSID, params->ssid.ssid_len,
21839 		    params->ssid.ssid) ||
21840 	    (!is_zero_ether_addr(params->mld_addr) &&
21841 	     nla_put(msg, NL80211_ATTR_MLD_ADDR, ETH_ALEN, params->mld_addr)))
21842 		goto nla_put_failure;
21843 
21844 	genlmsg_end(msg, hdr);
21845 	genlmsg_unicast(wiphy_net(&rdev->wiphy), msg,
21846 			wdev->conn_owner_nlportid);
21847 	return 0;
21848 
21849  nla_put_failure:
21850 	nlmsg_free(msg);
21851 	return -ENOBUFS;
21852 }
21853 EXPORT_SYMBOL(cfg80211_external_auth_request);
21854 
21855 void cfg80211_update_owe_info_event(struct net_device *netdev,
21856 				    struct cfg80211_update_owe_info *owe_info,
21857 				    gfp_t gfp)
21858 {
21859 	struct wiphy *wiphy = netdev->ieee80211_ptr->wiphy;
21860 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
21861 	struct sk_buff *msg;
21862 	void *hdr;
21863 
21864 	trace_cfg80211_update_owe_info_event(wiphy, netdev, owe_info);
21865 
21866 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
21867 	if (!msg)
21868 		return;
21869 
21870 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_UPDATE_OWE_INFO);
21871 	if (!hdr)
21872 		goto nla_put_failure;
21873 
21874 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
21875 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
21876 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, owe_info->peer))
21877 		goto nla_put_failure;
21878 
21879 	if (!owe_info->ie_len ||
21880 	    nla_put(msg, NL80211_ATTR_IE, owe_info->ie_len, owe_info->ie))
21881 		goto nla_put_failure;
21882 
21883 	if (owe_info->assoc_link_id != -1) {
21884 		if (nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID,
21885 			       owe_info->assoc_link_id))
21886 			goto nla_put_failure;
21887 
21888 		if (!is_zero_ether_addr(owe_info->peer_mld_addr) &&
21889 		    nla_put(msg, NL80211_ATTR_MLD_ADDR, ETH_ALEN,
21890 			    owe_info->peer_mld_addr))
21891 			goto nla_put_failure;
21892 	}
21893 
21894 	genlmsg_end(msg, hdr);
21895 
21896 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
21897 				NL80211_MCGRP_MLME, gfp);
21898 	return;
21899 
21900 nla_put_failure:
21901 	genlmsg_cancel(msg, hdr);
21902 	nlmsg_free(msg);
21903 }
21904 EXPORT_SYMBOL(cfg80211_update_owe_info_event);
21905 
21906 void cfg80211_schedule_channels_check(struct wireless_dev *wdev)
21907 {
21908 	struct wiphy *wiphy = wdev->wiphy;
21909 
21910 	/* Schedule channels check if NO_IR or DFS relaxations are supported */
21911 	if (wdev->iftype == NL80211_IFTYPE_STATION &&
21912 	    (wiphy_ext_feature_isset(wiphy,
21913 				     NL80211_EXT_FEATURE_DFS_CONCURRENT) ||
21914 	    (IS_ENABLED(CONFIG_CFG80211_REG_RELAX_NO_IR) &&
21915 	     wiphy->regulatory_flags & REGULATORY_ENABLE_RELAX_NO_IR)))
21916 		reg_check_channels();
21917 }
21918 EXPORT_SYMBOL(cfg80211_schedule_channels_check);
21919 
21920 void cfg80211_epcs_changed(struct net_device *netdev, bool enabled)
21921 {
21922 	struct wireless_dev *wdev = netdev->ieee80211_ptr;
21923 	struct wiphy *wiphy = wdev->wiphy;
21924 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
21925 	struct sk_buff *msg;
21926 	void *hdr;
21927 
21928 	trace_cfg80211_epcs_changed(wdev, enabled);
21929 
21930 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
21931 	if (!msg)
21932 		return;
21933 
21934 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_EPCS_CFG);
21935 	if (!hdr) {
21936 		nlmsg_free(msg);
21937 		return;
21938 	}
21939 
21940 	if (enabled && nla_put_flag(msg, NL80211_ATTR_EPCS))
21941 		goto nla_put_failure;
21942 
21943 	genlmsg_end(msg, hdr);
21944 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
21945 				NL80211_MCGRP_MLME, GFP_KERNEL);
21946 	return;
21947 
21948  nla_put_failure:
21949 	nlmsg_free(msg);
21950 }
21951 EXPORT_SYMBOL(cfg80211_epcs_changed);
21952 
21953 void cfg80211_next_nan_dw_notif(struct wireless_dev *wdev,
21954 				struct ieee80211_channel *chan, gfp_t gfp)
21955 {
21956 	struct wiphy *wiphy = wdev->wiphy;
21957 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
21958 	struct sk_buff *msg;
21959 	void *hdr;
21960 
21961 	trace_cfg80211_next_nan_dw_notif(wdev, chan);
21962 
21963 	if (!wdev->owner_nlportid)
21964 		return;
21965 
21966 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
21967 	if (!msg)
21968 		return;
21969 
21970 	hdr = nl80211hdr_put(msg, 0, 0, 0,
21971 			     NL80211_CMD_NAN_NEXT_DW_NOTIFICATION);
21972 	if (!hdr)
21973 		goto nla_put_failure;
21974 
21975 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
21976 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
21977 			      NL80211_ATTR_PAD) ||
21978 	    nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ, chan->center_freq))
21979 		goto nla_put_failure;
21980 
21981 	genlmsg_end(msg, hdr);
21982 
21983 	genlmsg_unicast(wiphy_net(wiphy), msg, wdev->owner_nlportid);
21984 
21985 	return;
21986 
21987  nla_put_failure:
21988 	nlmsg_free(msg);
21989 }
21990 EXPORT_SYMBOL(cfg80211_next_nan_dw_notif);
21991 
21992 void cfg80211_nan_cluster_joined(struct wireless_dev *wdev,
21993 				 const u8 *cluster_id, bool new_cluster,
21994 				 gfp_t gfp)
21995 {
21996 	struct wiphy *wiphy = wdev->wiphy;
21997 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
21998 	struct sk_buff *msg;
21999 	void *hdr;
22000 
22001 	trace_cfg80211_nan_cluster_joined(wdev, cluster_id, new_cluster);
22002 
22003 	memcpy(wdev->u.nan.cluster_id, cluster_id, ETH_ALEN);
22004 
22005 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
22006 	if (!msg)
22007 		return;
22008 
22009 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_NAN_CLUSTER_JOINED);
22010 	if (!hdr)
22011 		goto nla_put_failure;
22012 
22013 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
22014 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
22015 			      NL80211_ATTR_PAD) ||
22016 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, cluster_id) ||
22017 	    (new_cluster && nla_put_flag(msg, NL80211_ATTR_NAN_NEW_CLUSTER)))
22018 		goto nla_put_failure;
22019 
22020 	genlmsg_end(msg, hdr);
22021 
22022 	if (!wdev->owner_nlportid)
22023 		genlmsg_multicast_netns(&nl80211_fam, wiphy_net(wiphy),
22024 					msg, 0, NL80211_MCGRP_NAN, gfp);
22025 	else
22026 		genlmsg_unicast(wiphy_net(wiphy), msg,
22027 				wdev->owner_nlportid);
22028 	return;
22029 
22030  nla_put_failure:
22031 	nlmsg_free(msg);
22032 }
22033 EXPORT_SYMBOL(cfg80211_nan_cluster_joined);
22034 
22035 /* initialisation/exit functions */
22036 
22037 int __init nl80211_init(void)
22038 {
22039 	int err;
22040 
22041 	err = genl_register_family(&nl80211_fam);
22042 	if (err)
22043 		return err;
22044 
22045 	err = netlink_register_notifier(&nl80211_netlink_notifier);
22046 	if (err)
22047 		goto err_out;
22048 
22049 	return 0;
22050  err_out:
22051 	genl_unregister_family(&nl80211_fam);
22052 	return err;
22053 }
22054 
22055 void nl80211_exit(void)
22056 {
22057 	netlink_unregister_notifier(&nl80211_netlink_notifier);
22058 	genl_unregister_family(&nl80211_fam);
22059 }
22060