xref: /linux/net/wireless/nl80211.c (revision 79240f3f6d766b342b57c32397d643e1cfa26b81) 
1 // SPDX-License-Identifier: GPL-2.0-only
2 /*
3  * This is the new netlink-based wireless configuration interface.
4  *
5  * Copyright 2006-2010	Johannes Berg <johannes@sipsolutions.net>
6  * Copyright 2013-2014  Intel Mobile Communications GmbH
7  * Copyright 2015-2017	Intel Deutschland GmbH
8  * Copyright (C) 2018-2026 Intel Corporation
9  */
10 
11 #include <linux/if.h>
12 #include <linux/module.h>
13 #include <linux/err.h>
14 #include <linux/slab.h>
15 #include <linux/list.h>
16 #include <linux/if_ether.h>
17 #include <linux/ieee80211.h>
18 #include <linux/nl80211.h>
19 #include <linux/rtnetlink.h>
20 #include <linux/netlink.h>
21 #include <linux/nospec.h>
22 #include <linux/etherdevice.h>
23 #include <linux/if_vlan.h>
24 #include <linux/random.h>
25 #include <net/net_namespace.h>
26 #include <net/genetlink.h>
27 #include <net/cfg80211.h>
28 #include <net/sock.h>
29 #include <net/inet_connection_sock.h>
30 #include "core.h"
31 #include "nl80211.h"
32 #include "reg.h"
33 #include "rdev-ops.h"
34 
35 static int nl80211_crypto_settings(struct cfg80211_registered_device *rdev,
36 				   struct genl_info *info,
37 				   struct cfg80211_crypto_settings *settings,
38 				   int cipher_limit);
39 
40 /* the netlink family */
41 static struct genl_family nl80211_fam;
42 
43 /* multicast groups */
44 enum nl80211_multicast_groups {
45 	NL80211_MCGRP_CONFIG,
46 	NL80211_MCGRP_SCAN,
47 	NL80211_MCGRP_REGULATORY,
48 	NL80211_MCGRP_MLME,
49 	NL80211_MCGRP_VENDOR,
50 	NL80211_MCGRP_NAN,
51 	NL80211_MCGRP_TESTMODE /* keep last - ifdef! */
52 };
53 
54 static const struct genl_multicast_group nl80211_mcgrps[] = {
55 	[NL80211_MCGRP_CONFIG] = { .name = NL80211_MULTICAST_GROUP_CONFIG },
56 	[NL80211_MCGRP_SCAN] = { .name = NL80211_MULTICAST_GROUP_SCAN },
57 	[NL80211_MCGRP_REGULATORY] = { .name = NL80211_MULTICAST_GROUP_REG },
58 	[NL80211_MCGRP_MLME] = { .name = NL80211_MULTICAST_GROUP_MLME },
59 	[NL80211_MCGRP_VENDOR] = { .name = NL80211_MULTICAST_GROUP_VENDOR },
60 	[NL80211_MCGRP_NAN] = { .name = NL80211_MULTICAST_GROUP_NAN },
61 #ifdef CONFIG_NL80211_TESTMODE
62 	[NL80211_MCGRP_TESTMODE] = { .name = NL80211_MULTICAST_GROUP_TESTMODE }
63 #endif
64 };
65 
66 /* returns ERR_PTR values */
67 static struct wireless_dev *
68 __cfg80211_wdev_from_attrs(struct cfg80211_registered_device *rdev,
69 			   struct net *netns, struct nlattr **attrs)
70 {
71 	struct wireless_dev *result = NULL;
72 	bool have_ifidx = attrs[NL80211_ATTR_IFINDEX];
73 	bool have_wdev_id = attrs[NL80211_ATTR_WDEV];
74 	u64 wdev_id = 0;
75 	int wiphy_idx = -1;
76 	int ifidx = -1;
77 
78 	if (!have_ifidx && !have_wdev_id)
79 		return ERR_PTR(-EINVAL);
80 
81 	if (have_ifidx)
82 		ifidx = nla_get_u32(attrs[NL80211_ATTR_IFINDEX]);
83 	if (have_wdev_id) {
84 		wdev_id = nla_get_u64(attrs[NL80211_ATTR_WDEV]);
85 		wiphy_idx = wdev_id >> 32;
86 	}
87 
88 	if (rdev) {
89 		struct wireless_dev *wdev;
90 
91 		lockdep_assert_held(&rdev->wiphy.mtx);
92 
93 		list_for_each_entry(wdev, &rdev->wiphy.wdev_list, list) {
94 			if (have_ifidx && wdev->netdev &&
95 			    wdev->netdev->ifindex == ifidx) {
96 				result = wdev;
97 				break;
98 			}
99 			if (have_wdev_id && wdev->identifier == (u32)wdev_id) {
100 				result = wdev;
101 				break;
102 			}
103 		}
104 
105 		return result ?: ERR_PTR(-ENODEV);
106 	}
107 
108 	ASSERT_RTNL();
109 
110 	for_each_rdev(rdev) {
111 		struct wireless_dev *wdev;
112 
113 		if (wiphy_net(&rdev->wiphy) != netns)
114 			continue;
115 
116 		if (have_wdev_id && rdev->wiphy_idx != wiphy_idx)
117 			continue;
118 
119 		list_for_each_entry(wdev, &rdev->wiphy.wdev_list, list) {
120 			if (have_ifidx && wdev->netdev &&
121 			    wdev->netdev->ifindex == ifidx) {
122 				result = wdev;
123 				break;
124 			}
125 			if (have_wdev_id && wdev->identifier == (u32)wdev_id) {
126 				result = wdev;
127 				break;
128 			}
129 		}
130 
131 		if (result)
132 			break;
133 	}
134 
135 	if (result)
136 		return result;
137 	return ERR_PTR(-ENODEV);
138 }
139 
140 static struct cfg80211_registered_device *
141 __cfg80211_rdev_from_attrs(struct net *netns, struct nlattr **attrs)
142 {
143 	struct cfg80211_registered_device *rdev = NULL, *tmp;
144 	struct net_device *netdev;
145 
146 	ASSERT_RTNL();
147 
148 	if (!attrs[NL80211_ATTR_WIPHY] &&
149 	    !attrs[NL80211_ATTR_IFINDEX] &&
150 	    !attrs[NL80211_ATTR_WDEV])
151 		return ERR_PTR(-EINVAL);
152 
153 	if (attrs[NL80211_ATTR_WIPHY])
154 		rdev = cfg80211_rdev_by_wiphy_idx(
155 				nla_get_u32(attrs[NL80211_ATTR_WIPHY]));
156 
157 	if (attrs[NL80211_ATTR_WDEV]) {
158 		u64 wdev_id = nla_get_u64(attrs[NL80211_ATTR_WDEV]);
159 		struct wireless_dev *wdev;
160 		bool found = false;
161 
162 		tmp = cfg80211_rdev_by_wiphy_idx(wdev_id >> 32);
163 		if (tmp) {
164 			/* make sure wdev exists */
165 			list_for_each_entry(wdev, &tmp->wiphy.wdev_list, list) {
166 				if (wdev->identifier != (u32)wdev_id)
167 					continue;
168 				found = true;
169 				break;
170 			}
171 
172 			if (!found)
173 				tmp = NULL;
174 
175 			if (rdev && tmp != rdev)
176 				return ERR_PTR(-EINVAL);
177 			rdev = tmp;
178 		}
179 	}
180 
181 	if (attrs[NL80211_ATTR_IFINDEX]) {
182 		int ifindex = nla_get_u32(attrs[NL80211_ATTR_IFINDEX]);
183 
184 		netdev = __dev_get_by_index(netns, ifindex);
185 		if (netdev) {
186 			if (netdev->ieee80211_ptr)
187 				tmp = wiphy_to_rdev(
188 					netdev->ieee80211_ptr->wiphy);
189 			else
190 				tmp = NULL;
191 
192 			/* not wireless device -- return error */
193 			if (!tmp)
194 				return ERR_PTR(-EINVAL);
195 
196 			/* mismatch -- return error */
197 			if (rdev && tmp != rdev)
198 				return ERR_PTR(-EINVAL);
199 
200 			rdev = tmp;
201 		}
202 	}
203 
204 	if (!rdev)
205 		return ERR_PTR(-ENODEV);
206 
207 	if (netns != wiphy_net(&rdev->wiphy))
208 		return ERR_PTR(-ENODEV);
209 
210 	return rdev;
211 }
212 
213 /*
214  * This function returns a pointer to the driver
215  * that the genl_info item that is passed refers to.
216  *
217  * The result of this can be a PTR_ERR and hence must
218  * be checked with IS_ERR() for errors.
219  */
220 static struct cfg80211_registered_device *
221 cfg80211_get_dev_from_info(struct net *netns, struct genl_info *info)
222 {
223 	return __cfg80211_rdev_from_attrs(netns, info->attrs);
224 }
225 
226 static int validate_beacon_head(const struct nlattr *attr,
227 				struct netlink_ext_ack *extack)
228 {
229 	const u8 *data = nla_data(attr);
230 	unsigned int len = nla_len(attr);
231 	const struct element *elem;
232 	const struct ieee80211_mgmt *mgmt = (void *)data;
233 	const struct ieee80211_ext *ext;
234 	unsigned int fixedlen, hdrlen;
235 	bool s1g_bcn;
236 
237 	if (len < offsetofend(typeof(*mgmt), frame_control))
238 		goto err;
239 
240 	s1g_bcn = ieee80211_is_s1g_beacon(mgmt->frame_control);
241 	if (s1g_bcn) {
242 		ext = (struct ieee80211_ext *)mgmt;
243 		fixedlen =
244 			offsetof(struct ieee80211_ext, u.s1g_beacon.variable) +
245 			ieee80211_s1g_optional_len(ext->frame_control);
246 		hdrlen = offsetof(struct ieee80211_ext, u.s1g_beacon);
247 	} else {
248 		fixedlen = offsetof(struct ieee80211_mgmt,
249 				    u.beacon.variable);
250 		hdrlen = offsetof(struct ieee80211_mgmt, u.beacon);
251 	}
252 
253 	if (len < fixedlen)
254 		goto err;
255 
256 	if (ieee80211_hdrlen(mgmt->frame_control) != hdrlen)
257 		goto err;
258 
259 	data += fixedlen;
260 	len -= fixedlen;
261 
262 	for_each_element(elem, data, len) {
263 		/* nothing */
264 	}
265 
266 	if (for_each_element_completed(elem, data, len))
267 		return 0;
268 
269 err:
270 	NL_SET_ERR_MSG_ATTR(extack, attr, "malformed beacon head");
271 	return -EINVAL;
272 }
273 
274 static int validate_ie_attr(const struct nlattr *attr,
275 			    struct netlink_ext_ack *extack)
276 {
277 	const u8 *data = nla_data(attr);
278 	unsigned int len = nla_len(attr);
279 	const struct element *elem;
280 
281 	for_each_element(elem, data, len) {
282 		/* nothing */
283 	}
284 
285 	if (for_each_element_completed(elem, data, len))
286 		return 0;
287 
288 	NL_SET_ERR_MSG_ATTR(extack, attr, "malformed information elements");
289 	return -EINVAL;
290 }
291 
292 static int validate_he_capa(const struct nlattr *attr,
293 			    struct netlink_ext_ack *extack)
294 {
295 	if (!ieee80211_he_capa_size_ok(nla_data(attr), nla_len(attr)))
296 		return -EINVAL;
297 
298 	return 0;
299 }
300 
301 static int validate_supported_selectors(const struct nlattr *attr,
302 					struct netlink_ext_ack *extack)
303 {
304 	const u8 *supported_selectors = nla_data(attr);
305 	u8 supported_selectors_len = nla_len(attr);
306 
307 	/* The top bit must not be set as it is not part of the selector */
308 	for (int i = 0; i < supported_selectors_len; i++) {
309 		if (supported_selectors[i] & 0x80)
310 			return -EINVAL;
311 	}
312 
313 	return 0;
314 }
315 
316 static int validate_nan_cluster_id(const struct nlattr *attr,
317 				   struct netlink_ext_ack *extack)
318 {
319 	const u8 *data = nla_data(attr);
320 	unsigned int len = nla_len(attr);
321 	static const u8 cluster_id_prefix[4] = {0x50, 0x6f, 0x9a, 0x1};
322 
323 	if (len != ETH_ALEN) {
324 		NL_SET_ERR_MSG_ATTR(extack, attr, "bad cluster id length");
325 		return -EINVAL;
326 	}
327 
328 	if (memcmp(data, cluster_id_prefix, sizeof(cluster_id_prefix))) {
329 		NL_SET_ERR_MSG_ATTR(extack, attr, "invalid cluster id prefix");
330 		return -EINVAL;
331 	}
332 
333 	return 0;
334 }
335 
336 static int validate_nan_avail_blob(const struct nlattr *attr,
337 				   struct netlink_ext_ack *extack)
338 {
339 	const u8 *data = nla_data(attr);
340 	unsigned int len = nla_len(attr);
341 	u16 attr_len;
342 
343 	/* Need at least: Attr ID (1) + Length (2) */
344 	if (len < 3) {
345 		NL_SET_ERR_MSG_FMT(extack,
346 				   "NAN Availability: Too short (need at least 3 bytes, have %u)",
347 				   len);
348 		return -EINVAL;
349 	}
350 
351 	if (data[0] != 0x12) {
352 		NL_SET_ERR_MSG_FMT(extack,
353 				   "NAN Availability: Invalid Attribute ID 0x%02x (expected 0x12)",
354 				   data[0]);
355 		return -EINVAL;
356 	}
357 
358 	attr_len = get_unaligned_le16(&data[1]);
359 
360 	if (attr_len != len - 3) {
361 		NL_SET_ERR_MSG_FMT(extack,
362 				   "NAN Availability: Length field (%u) doesn't match data length (%u)",
363 				   attr_len, len - 3);
364 		return -EINVAL;
365 	}
366 
367 	return 0;
368 }
369 
370 static int validate_nan_ulw(const struct nlattr *attr,
371 			    struct netlink_ext_ack *extack)
372 {
373 	const u8 *data = nla_data(attr);
374 	unsigned int len = nla_len(attr);
375 	unsigned int pos = 0;
376 
377 	while (pos < len) {
378 		u16 attr_len;
379 
380 		/* Need at least: Attr ID (1) + Length (2) */
381 		if (pos + 3 > len) {
382 			NL_SET_ERR_MSG_FMT(extack,
383 					   "ULW: Incomplete header (need 3 bytes, have %u)",
384 					   len - pos);
385 			return -EINVAL;
386 		}
387 
388 		if (data[pos] != 0x17) {
389 			NL_SET_ERR_MSG_FMT(extack,
390 					   "ULW: Invalid Attribute ID 0x%02x (expected 0x17)",
391 					   data[pos]);
392 			return -EINVAL;
393 		}
394 		pos++;
395 
396 		/* Length is in little-endian format */
397 		attr_len = get_unaligned_le16(&data[pos]);
398 		pos += 2;
399 
400 		/*
401 		 * Check if length is one of the valid values: 16 (no
402 		 * channel/band entry included), 18 (band entry included),
403 		 * 21 (channel entry included without Auxiliary channel bitmap),
404 		 * or 23 (channel entry included with Auxiliary channel bitmap).
405 		 */
406 		if (attr_len != 16 && attr_len != 18 && attr_len != 21 &&
407 		    attr_len != 23) {
408 			NL_SET_ERR_MSG_FMT(extack,
409 					   "ULW: Invalid length %u (must be 16, 18, 21, or 23)",
410 					   attr_len);
411 			return -EINVAL;
412 		}
413 
414 		if (pos + attr_len > len) {
415 			NL_SET_ERR_MSG_FMT(extack,
416 					   "ULW: Length field (%u) exceeds remaining data (%u)",
417 					   attr_len, len - pos);
418 			return -EINVAL;
419 		}
420 
421 		pos += attr_len;
422 	}
423 
424 	return 0;
425 }
426 
427 static int validate_uhr_capa(const struct nlattr *attr,
428 			     struct netlink_ext_ack *extack)
429 {
430 	const u8 *data = nla_data(attr);
431 	unsigned int len = nla_len(attr);
432 
433 	if (!ieee80211_uhr_capa_size_ok(data, len, false))
434 		return -EINVAL;
435 	return 0;
436 }
437 
438 static int validate_uhr_operation(const struct nlattr *attr,
439 				  struct netlink_ext_ack *extack)
440 {
441 	const u8 *data = nla_data(attr);
442 	unsigned int len = nla_len(attr);
443 
444 	if (!ieee80211_uhr_oper_size_ok(data, len, false))
445 		return -EINVAL;
446 	return 0;
447 }
448 
449 /* policy for the attributes */
450 static const struct nla_policy nl80211_policy[NUM_NL80211_ATTR];
451 
452 static const struct nla_policy
453 nl80211_ftm_responder_policy[NL80211_FTM_RESP_ATTR_MAX + 1] = {
454 	[NL80211_FTM_RESP_ATTR_ENABLED] = { .type = NLA_FLAG, },
455 	[NL80211_FTM_RESP_ATTR_LCI] = { .type = NLA_BINARY,
456 					.len = U8_MAX },
457 	[NL80211_FTM_RESP_ATTR_CIVICLOC] = { .type = NLA_BINARY,
458 					     .len = U8_MAX },
459 };
460 
461 static const struct nla_policy
462 nl80211_pmsr_ftm_req_attr_policy[NL80211_PMSR_FTM_REQ_ATTR_MAX + 1] = {
463 	[NL80211_PMSR_FTM_REQ_ATTR_ASAP] = { .type = NLA_FLAG },
464 	[NL80211_PMSR_FTM_REQ_ATTR_PREAMBLE] = { .type = NLA_U32 },
465 	[NL80211_PMSR_FTM_REQ_ATTR_NUM_BURSTS_EXP] =
466 		NLA_POLICY_MAX(NLA_U8, 15),
467 	[NL80211_PMSR_FTM_REQ_ATTR_BURST_PERIOD] = { .type = NLA_U16 },
468 	[NL80211_PMSR_FTM_REQ_ATTR_BURST_DURATION] =
469 		NLA_POLICY_MAX(NLA_U8, 15),
470 	[NL80211_PMSR_FTM_REQ_ATTR_FTMS_PER_BURST] = { .type = NLA_U8 },
471 	[NL80211_PMSR_FTM_REQ_ATTR_NUM_FTMR_RETRIES] = { .type = NLA_U8 },
472 	[NL80211_PMSR_FTM_REQ_ATTR_REQUEST_LCI] = { .type = NLA_FLAG },
473 	[NL80211_PMSR_FTM_REQ_ATTR_REQUEST_CIVICLOC] = { .type = NLA_FLAG },
474 	[NL80211_PMSR_FTM_REQ_ATTR_TRIGGER_BASED] = { .type = NLA_FLAG },
475 	[NL80211_PMSR_FTM_REQ_ATTR_NON_TRIGGER_BASED] = { .type = NLA_FLAG },
476 	[NL80211_PMSR_FTM_REQ_ATTR_LMR_FEEDBACK] = { .type = NLA_FLAG },
477 	[NL80211_PMSR_FTM_REQ_ATTR_BSS_COLOR] = { .type = NLA_U8 },
478 	[NL80211_PMSR_FTM_REQ_ATTR_RSTA] = { .type = NLA_FLAG },
479 };
480 
481 static const struct nla_policy
482 nl80211_pmsr_req_data_policy[NL80211_PMSR_TYPE_MAX + 1] = {
483 	[NL80211_PMSR_TYPE_FTM] =
484 		NLA_POLICY_NESTED(nl80211_pmsr_ftm_req_attr_policy),
485 };
486 
487 static const struct nla_policy
488 nl80211_pmsr_req_attr_policy[NL80211_PMSR_REQ_ATTR_MAX + 1] = {
489 	[NL80211_PMSR_REQ_ATTR_DATA] =
490 		NLA_POLICY_NESTED(nl80211_pmsr_req_data_policy),
491 	[NL80211_PMSR_REQ_ATTR_GET_AP_TSF] = { .type = NLA_FLAG },
492 };
493 
494 static const struct nla_policy
495 nl80211_pmsr_peer_attr_policy[NL80211_PMSR_PEER_ATTR_MAX + 1] = {
496 	[NL80211_PMSR_PEER_ATTR_ADDR] = NLA_POLICY_ETH_ADDR,
497 	[NL80211_PMSR_PEER_ATTR_CHAN] = NLA_POLICY_NESTED(nl80211_policy),
498 	[NL80211_PMSR_PEER_ATTR_REQ] =
499 		NLA_POLICY_NESTED(nl80211_pmsr_req_attr_policy),
500 	[NL80211_PMSR_PEER_ATTR_RESP] = { .type = NLA_REJECT },
501 };
502 
503 static const struct nla_policy
504 nl80211_pmsr_attr_policy[NL80211_PMSR_ATTR_MAX + 1] = {
505 	[NL80211_PMSR_ATTR_MAX_PEERS] = { .type = NLA_REJECT },
506 	[NL80211_PMSR_ATTR_REPORT_AP_TSF] = { .type = NLA_REJECT },
507 	[NL80211_PMSR_ATTR_RANDOMIZE_MAC_ADDR] = { .type = NLA_REJECT },
508 	[NL80211_PMSR_ATTR_TYPE_CAPA] = { .type = NLA_REJECT },
509 	[NL80211_PMSR_ATTR_PEERS] =
510 		NLA_POLICY_NESTED_ARRAY(nl80211_pmsr_peer_attr_policy),
511 };
512 
513 static const struct nla_policy
514 he_obss_pd_policy[NL80211_HE_OBSS_PD_ATTR_MAX + 1] = {
515 	[NL80211_HE_OBSS_PD_ATTR_MIN_OFFSET] =
516 		NLA_POLICY_RANGE(NLA_U8, 1, 20),
517 	[NL80211_HE_OBSS_PD_ATTR_MAX_OFFSET] =
518 		NLA_POLICY_RANGE(NLA_U8, 1, 20),
519 	[NL80211_HE_OBSS_PD_ATTR_NON_SRG_MAX_OFFSET] =
520 		NLA_POLICY_RANGE(NLA_U8, 1, 20),
521 	[NL80211_HE_OBSS_PD_ATTR_BSS_COLOR_BITMAP] =
522 		NLA_POLICY_EXACT_LEN(8),
523 	[NL80211_HE_OBSS_PD_ATTR_PARTIAL_BSSID_BITMAP] =
524 		NLA_POLICY_EXACT_LEN(8),
525 	[NL80211_HE_OBSS_PD_ATTR_SR_CTRL] = { .type = NLA_U8 },
526 };
527 
528 static const struct nla_policy
529 he_bss_color_policy[NL80211_HE_BSS_COLOR_ATTR_MAX + 1] = {
530 	[NL80211_HE_BSS_COLOR_ATTR_COLOR] = NLA_POLICY_RANGE(NLA_U8, 1, 63),
531 	[NL80211_HE_BSS_COLOR_ATTR_DISABLED] = { .type = NLA_FLAG },
532 	[NL80211_HE_BSS_COLOR_ATTR_PARTIAL] = { .type = NLA_FLAG },
533 };
534 
535 static const struct nla_policy nl80211_txattr_policy[NL80211_TXRATE_MAX + 1] = {
536 	[NL80211_TXRATE_LEGACY] = { .type = NLA_BINARY,
537 				    .len = NL80211_MAX_SUPP_RATES },
538 	[NL80211_TXRATE_HT] = { .type = NLA_BINARY,
539 				.len = NL80211_MAX_SUPP_HT_RATES },
540 	[NL80211_TXRATE_VHT] = NLA_POLICY_EXACT_LEN_WARN(sizeof(struct nl80211_txrate_vht)),
541 	[NL80211_TXRATE_GI] = { .type = NLA_U8 },
542 	[NL80211_TXRATE_HE] = NLA_POLICY_EXACT_LEN(sizeof(struct nl80211_txrate_he)),
543 	[NL80211_TXRATE_HE_GI] =  NLA_POLICY_RANGE(NLA_U8,
544 						   NL80211_RATE_INFO_HE_GI_0_8,
545 						   NL80211_RATE_INFO_HE_GI_3_2),
546 	[NL80211_TXRATE_HE_LTF] = NLA_POLICY_RANGE(NLA_U8,
547 						   NL80211_RATE_INFO_HE_1XLTF,
548 						   NL80211_RATE_INFO_HE_4XLTF),
549 	[NL80211_TXRATE_EHT] = NLA_POLICY_EXACT_LEN(sizeof(struct nl80211_txrate_eht)),
550 	[NL80211_TXRATE_EHT_GI] =  NLA_POLICY_RANGE(NLA_U8,
551 						   NL80211_RATE_INFO_EHT_GI_0_8,
552 						   NL80211_RATE_INFO_EHT_GI_3_2),
553 	[NL80211_TXRATE_EHT_LTF] = NLA_POLICY_RANGE(NLA_U8,
554 						   NL80211_RATE_INFO_EHT_1XLTF,
555 						   NL80211_RATE_INFO_EHT_8XLTF),
556 
557 };
558 
559 static const struct nla_policy
560 nl80211_tid_config_attr_policy[NL80211_TID_CONFIG_ATTR_MAX + 1] = {
561 	[NL80211_TID_CONFIG_ATTR_VIF_SUPP] = { .type = NLA_U64 },
562 	[NL80211_TID_CONFIG_ATTR_PEER_SUPP] = { .type = NLA_U64 },
563 	[NL80211_TID_CONFIG_ATTR_OVERRIDE] = { .type = NLA_FLAG },
564 	[NL80211_TID_CONFIG_ATTR_TIDS] = NLA_POLICY_RANGE(NLA_U16, 1, 0xff),
565 	[NL80211_TID_CONFIG_ATTR_NOACK] =
566 			NLA_POLICY_MAX(NLA_U8, NL80211_TID_CONFIG_DISABLE),
567 	[NL80211_TID_CONFIG_ATTR_RETRY_SHORT] = NLA_POLICY_MIN(NLA_U8, 1),
568 	[NL80211_TID_CONFIG_ATTR_RETRY_LONG] = NLA_POLICY_MIN(NLA_U8, 1),
569 	[NL80211_TID_CONFIG_ATTR_AMPDU_CTRL] =
570 			NLA_POLICY_MAX(NLA_U8, NL80211_TID_CONFIG_DISABLE),
571 	[NL80211_TID_CONFIG_ATTR_RTSCTS_CTRL] =
572 			NLA_POLICY_MAX(NLA_U8, NL80211_TID_CONFIG_DISABLE),
573 	[NL80211_TID_CONFIG_ATTR_AMSDU_CTRL] =
574 			NLA_POLICY_MAX(NLA_U8, NL80211_TID_CONFIG_DISABLE),
575 	[NL80211_TID_CONFIG_ATTR_TX_RATE_TYPE] =
576 			NLA_POLICY_MAX(NLA_U8, NL80211_TX_RATE_FIXED),
577 	[NL80211_TID_CONFIG_ATTR_TX_RATE] =
578 			NLA_POLICY_NESTED(nl80211_txattr_policy),
579 };
580 
581 static const struct nla_policy
582 nl80211_fils_discovery_policy[NL80211_FILS_DISCOVERY_ATTR_MAX + 1] = {
583 	[NL80211_FILS_DISCOVERY_ATTR_INT_MIN] = NLA_POLICY_MAX(NLA_U32, 10000),
584 	[NL80211_FILS_DISCOVERY_ATTR_INT_MAX] = NLA_POLICY_MAX(NLA_U32, 10000),
585 	[NL80211_FILS_DISCOVERY_ATTR_TMPL] =
586 			NLA_POLICY_RANGE(NLA_BINARY,
587 					 NL80211_FILS_DISCOVERY_TMPL_MIN_LEN,
588 					 IEEE80211_MAX_DATA_LEN),
589 };
590 
591 static const struct nla_policy
592 nl80211_unsol_bcast_probe_resp_policy[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_MAX + 1] = {
593 	[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_INT] = NLA_POLICY_MAX(NLA_U32, 20),
594 	[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_TMPL] = { .type = NLA_BINARY,
595 						       .len = IEEE80211_MAX_DATA_LEN }
596 };
597 
598 static const struct nla_policy
599 sar_specs_policy[NL80211_SAR_ATTR_SPECS_MAX + 1] = {
600 	[NL80211_SAR_ATTR_SPECS_POWER] = { .type = NLA_S32 },
601 	[NL80211_SAR_ATTR_SPECS_RANGE_INDEX] = {.type = NLA_U32 },
602 };
603 
604 static const struct nla_policy
605 sar_policy[NL80211_SAR_ATTR_MAX + 1] = {
606 	[NL80211_SAR_ATTR_TYPE] = NLA_POLICY_MAX(NLA_U32, NUM_NL80211_SAR_TYPE),
607 	[NL80211_SAR_ATTR_SPECS] = NLA_POLICY_NESTED_ARRAY(sar_specs_policy),
608 };
609 
610 static const struct nla_policy
611 nl80211_mbssid_config_policy[NL80211_MBSSID_CONFIG_ATTR_MAX + 1] = {
612 	[NL80211_MBSSID_CONFIG_ATTR_MAX_INTERFACES] = NLA_POLICY_MIN(NLA_U8, 2),
613 	[NL80211_MBSSID_CONFIG_ATTR_MAX_EMA_PROFILE_PERIODICITY] =
614 						NLA_POLICY_MIN(NLA_U8, 1),
615 	[NL80211_MBSSID_CONFIG_ATTR_INDEX] = { .type = NLA_U8 },
616 	[NL80211_MBSSID_CONFIG_ATTR_TX_IFINDEX] = { .type = NLA_U32 },
617 	[NL80211_MBSSID_CONFIG_ATTR_EMA] = { .type = NLA_FLAG },
618 	[NL80211_MBSSID_CONFIG_ATTR_TX_LINK_ID] =
619 		NLA_POLICY_MAX(NLA_U8, IEEE80211_MLD_MAX_NUM_LINKS),
620 };
621 
622 static const struct nla_policy
623 nl80211_sta_wme_policy[NL80211_STA_WME_MAX + 1] = {
624 	[NL80211_STA_WME_UAPSD_QUEUES] = { .type = NLA_U8 },
625 	[NL80211_STA_WME_MAX_SP] = { .type = NLA_U8 },
626 };
627 
628 static const struct nla_policy
629 nl80211_s1g_short_beacon[NL80211_S1G_SHORT_BEACON_ATTR_MAX + 1] = {
630 	[NL80211_S1G_SHORT_BEACON_ATTR_HEAD] =
631 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_beacon_head,
632 				       IEEE80211_MAX_DATA_LEN),
633 	[NL80211_S1G_SHORT_BEACON_ATTR_TAIL] =
634 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_ie_attr,
635 				       IEEE80211_MAX_DATA_LEN),
636 };
637 
638 static const struct nla_policy
639 nl80211_nan_band_conf_policy[NL80211_NAN_BAND_CONF_ATTR_MAX + 1] = {
640 	[NL80211_NAN_BAND_CONF_BAND] = NLA_POLICY_MAX(NLA_U8,
641 						      NUM_NL80211_BANDS - 1),
642 	[NL80211_NAN_BAND_CONF_FREQ] = { .type = NLA_U16 },
643 	[NL80211_NAN_BAND_CONF_RSSI_CLOSE] = NLA_POLICY_MIN(NLA_S8, -59),
644 	[NL80211_NAN_BAND_CONF_RSSI_MIDDLE] = NLA_POLICY_MIN(NLA_S8, -74),
645 	[NL80211_NAN_BAND_CONF_WAKE_DW] = NLA_POLICY_MAX(NLA_U8, 5),
646 	[NL80211_NAN_BAND_CONF_DISABLE_SCAN] = { .type = NLA_FLAG },
647 };
648 
649 static const struct nla_policy
650 nl80211_nan_peer_map_policy[NL80211_NAN_PEER_MAP_ATTR_MAX + 1] = {
651 	[NL80211_NAN_PEER_MAP_ATTR_MAP_ID] = NLA_POLICY_MAX(NLA_U8, 15),
652 	[NL80211_NAN_PEER_MAP_ATTR_TIME_SLOTS] =
653 		NLA_POLICY_EXACT_LEN(CFG80211_NAN_SCHED_NUM_TIME_SLOTS),
654 };
655 
656 static const struct nla_policy
657 nl80211_nan_conf_policy[NL80211_NAN_CONF_ATTR_MAX + 1] = {
658 	[NL80211_NAN_CONF_CLUSTER_ID] =
659 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_nan_cluster_id,
660 				       ETH_ALEN),
661 	[NL80211_NAN_CONF_EXTRA_ATTRS] = { .type = NLA_BINARY,
662 					   .len = IEEE80211_MAX_DATA_LEN},
663 	[NL80211_NAN_CONF_VENDOR_ELEMS] =
664 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_ie_attr,
665 				       IEEE80211_MAX_DATA_LEN),
666 	[NL80211_NAN_CONF_BAND_CONFIGS] =
667 		NLA_POLICY_NESTED_ARRAY(nl80211_nan_band_conf_policy),
668 	[NL80211_NAN_CONF_SCAN_PERIOD] = { .type = NLA_U16 },
669 	[NL80211_NAN_CONF_SCAN_DWELL_TIME] = NLA_POLICY_RANGE(NLA_U16, 50, 512),
670 	[NL80211_NAN_CONF_DISCOVERY_BEACON_INTERVAL] =
671 		NLA_POLICY_RANGE(NLA_U8, 50, 200),
672 	[NL80211_NAN_CONF_NOTIFY_DW] = { .type = NLA_FLAG },
673 };
674 
675 static const struct netlink_range_validation nl80211_punct_bitmap_range = {
676 	.min = 0,
677 	.max = 0xffff,
678 };
679 
680 static const struct netlink_range_validation q_range = {
681 	.max = INT_MAX,
682 };
683 
684 static const struct nla_policy nl80211_policy[NUM_NL80211_ATTR] = {
685 	[0] = { .strict_start_type = NL80211_ATTR_HE_OBSS_PD },
686 	[NL80211_ATTR_WIPHY] = { .type = NLA_U32 },
687 	[NL80211_ATTR_WIPHY_NAME] = { .type = NLA_NUL_STRING,
688 				      .len = 20-1 },
689 	[NL80211_ATTR_WIPHY_TXQ_PARAMS] = { .type = NLA_NESTED },
690 
691 	[NL80211_ATTR_WIPHY_FREQ] = { .type = NLA_U32 },
692 	[NL80211_ATTR_WIPHY_CHANNEL_TYPE] = { .type = NLA_U32 },
693 	[NL80211_ATTR_WIPHY_EDMG_CHANNELS] = NLA_POLICY_RANGE(NLA_U8,
694 						NL80211_EDMG_CHANNELS_MIN,
695 						NL80211_EDMG_CHANNELS_MAX),
696 	[NL80211_ATTR_WIPHY_EDMG_BW_CONFIG] = NLA_POLICY_RANGE(NLA_U8,
697 						NL80211_EDMG_BW_CONFIG_MIN,
698 						NL80211_EDMG_BW_CONFIG_MAX),
699 
700 	[NL80211_ATTR_CHANNEL_WIDTH] = { .type = NLA_U32 },
701 	[NL80211_ATTR_CENTER_FREQ1] = { .type = NLA_U32 },
702 	[NL80211_ATTR_CENTER_FREQ1_OFFSET] = NLA_POLICY_RANGE(NLA_U32, 0, 999),
703 	[NL80211_ATTR_CENTER_FREQ2] = { .type = NLA_U32 },
704 
705 	[NL80211_ATTR_WIPHY_RETRY_SHORT] = NLA_POLICY_MIN(NLA_U8, 1),
706 	[NL80211_ATTR_WIPHY_RETRY_LONG] = NLA_POLICY_MIN(NLA_U8, 1),
707 	[NL80211_ATTR_WIPHY_FRAG_THRESHOLD] = { .type = NLA_U32 },
708 	[NL80211_ATTR_WIPHY_RTS_THRESHOLD] = { .type = NLA_U32 },
709 	[NL80211_ATTR_WIPHY_COVERAGE_CLASS] = { .type = NLA_U8 },
710 	[NL80211_ATTR_WIPHY_DYN_ACK] = { .type = NLA_FLAG },
711 
712 	[NL80211_ATTR_IFTYPE] = NLA_POLICY_MAX(NLA_U32, NL80211_IFTYPE_MAX),
713 	[NL80211_ATTR_IFINDEX] = { .type = NLA_U32 },
714 	[NL80211_ATTR_IFNAME] = { .type = NLA_NUL_STRING, .len = IFNAMSIZ-1 },
715 
716 	[NL80211_ATTR_MAC] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
717 	[NL80211_ATTR_PREV_BSSID] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
718 
719 	[NL80211_ATTR_KEY] = { .type = NLA_NESTED, },
720 	[NL80211_ATTR_KEY_DATA] = { .type = NLA_BINARY,
721 				    .len = WLAN_MAX_KEY_LEN },
722 	[NL80211_ATTR_KEY_IDX] = NLA_POLICY_MAX(NLA_U8, 7),
723 	[NL80211_ATTR_KEY_CIPHER] = { .type = NLA_U32 },
724 	[NL80211_ATTR_KEY_DEFAULT] = { .type = NLA_FLAG },
725 	[NL80211_ATTR_KEY_SEQ] = { .type = NLA_BINARY, .len = 16 },
726 	[NL80211_ATTR_KEY_TYPE] =
727 		NLA_POLICY_MAX(NLA_U32, NUM_NL80211_KEYTYPES),
728 
729 	[NL80211_ATTR_BEACON_INTERVAL] = { .type = NLA_U32 },
730 	[NL80211_ATTR_DTIM_PERIOD] = { .type = NLA_U32 },
731 	[NL80211_ATTR_BEACON_HEAD] =
732 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_beacon_head,
733 				       IEEE80211_MAX_DATA_LEN),
734 	[NL80211_ATTR_BEACON_TAIL] =
735 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_ie_attr,
736 				       IEEE80211_MAX_DATA_LEN),
737 	[NL80211_ATTR_STA_AID] =
738 		NLA_POLICY_RANGE(NLA_U16, 1, IEEE80211_MAX_AID),
739 	[NL80211_ATTR_STA_FLAGS] = { .type = NLA_NESTED },
740 	[NL80211_ATTR_STA_LISTEN_INTERVAL] = { .type = NLA_U16 },
741 	[NL80211_ATTR_STA_SUPPORTED_RATES] = { .type = NLA_BINARY,
742 					       .len = NL80211_MAX_SUPP_RATES },
743 	[NL80211_ATTR_STA_PLINK_ACTION] =
744 		NLA_POLICY_MAX(NLA_U8, NUM_NL80211_PLINK_ACTIONS - 1),
745 	[NL80211_ATTR_STA_TX_POWER_SETTING] =
746 		NLA_POLICY_RANGE(NLA_U8,
747 				 NL80211_TX_POWER_AUTOMATIC,
748 				 NL80211_TX_POWER_FIXED),
749 	[NL80211_ATTR_STA_TX_POWER] = { .type = NLA_S16 },
750 	[NL80211_ATTR_STA_VLAN] = { .type = NLA_U32 },
751 	[NL80211_ATTR_MNTR_FLAGS] = { /* NLA_NESTED can't be empty */ },
752 	[NL80211_ATTR_MESH_ID] = { .type = NLA_BINARY,
753 				   .len = IEEE80211_MAX_MESH_ID_LEN },
754 	[NL80211_ATTR_MPATH_NEXT_HOP] = NLA_POLICY_ETH_ADDR_COMPAT,
755 
756 	/* allow 3 for NUL-termination, we used to declare this NLA_STRING */
757 	[NL80211_ATTR_REG_ALPHA2] = NLA_POLICY_RANGE(NLA_BINARY, 2, 3),
758 	[NL80211_ATTR_REG_RULES] = { .type = NLA_NESTED },
759 
760 	[NL80211_ATTR_BSS_CTS_PROT] = { .type = NLA_U8 },
761 	[NL80211_ATTR_BSS_SHORT_PREAMBLE] = { .type = NLA_U8 },
762 	[NL80211_ATTR_BSS_SHORT_SLOT_TIME] = { .type = NLA_U8 },
763 	[NL80211_ATTR_BSS_BASIC_RATES] = { .type = NLA_BINARY,
764 					   .len = NL80211_MAX_SUPP_RATES },
765 	[NL80211_ATTR_BSS_HT_OPMODE] = { .type = NLA_U16 },
766 
767 	[NL80211_ATTR_MESH_CONFIG] = { .type = NLA_NESTED },
768 	[NL80211_ATTR_SUPPORT_MESH_AUTH] = { .type = NLA_FLAG },
769 
770 	[NL80211_ATTR_HT_CAPABILITY] = NLA_POLICY_EXACT_LEN_WARN(NL80211_HT_CAPABILITY_LEN),
771 
772 	[NL80211_ATTR_MGMT_SUBTYPE] = { .type = NLA_U8 },
773 	[NL80211_ATTR_IE] = NLA_POLICY_VALIDATE_FN(NLA_BINARY,
774 						   validate_ie_attr,
775 						   IEEE80211_MAX_DATA_LEN),
776 	[NL80211_ATTR_SCAN_FREQUENCIES] = { .type = NLA_NESTED },
777 	[NL80211_ATTR_SCAN_SSIDS] = { .type = NLA_NESTED },
778 
779 	[NL80211_ATTR_SSID] = { .type = NLA_BINARY,
780 				.len = IEEE80211_MAX_SSID_LEN },
781 	[NL80211_ATTR_AUTH_TYPE] = { .type = NLA_U32 },
782 	[NL80211_ATTR_REASON_CODE] = { .type = NLA_U16 },
783 	[NL80211_ATTR_FREQ_FIXED] = { .type = NLA_FLAG },
784 	[NL80211_ATTR_TIMED_OUT] = { .type = NLA_FLAG },
785 	[NL80211_ATTR_USE_MFP] = NLA_POLICY_RANGE(NLA_U32,
786 						  NL80211_MFP_NO,
787 						  NL80211_MFP_OPTIONAL),
788 	[NL80211_ATTR_STA_FLAGS2] =
789 		NLA_POLICY_EXACT_LEN_WARN(sizeof(struct nl80211_sta_flag_update)),
790 	[NL80211_ATTR_CONTROL_PORT] = { .type = NLA_FLAG },
791 	[NL80211_ATTR_CONTROL_PORT_ETHERTYPE] = { .type = NLA_U16 },
792 	[NL80211_ATTR_CONTROL_PORT_NO_ENCRYPT] = { .type = NLA_FLAG },
793 	[NL80211_ATTR_CONTROL_PORT_OVER_NL80211] = { .type = NLA_FLAG },
794 	[NL80211_ATTR_PRIVACY] = { .type = NLA_FLAG },
795 	[NL80211_ATTR_STATUS_CODE] = { .type = NLA_U16 },
796 	[NL80211_ATTR_CIPHER_SUITE_GROUP] = { .type = NLA_U32 },
797 	[NL80211_ATTR_WPA_VERSIONS] =
798 		NLA_POLICY_RANGE(NLA_U32, 0,
799 				 NL80211_WPA_VERSION_1 |
800 				 NL80211_WPA_VERSION_2 |
801 				 NL80211_WPA_VERSION_3),
802 	[NL80211_ATTR_PID] = { .type = NLA_U32 },
803 	[NL80211_ATTR_4ADDR] = { .type = NLA_U8 },
804 	[NL80211_ATTR_PMKID] = NLA_POLICY_EXACT_LEN_WARN(WLAN_PMKID_LEN),
805 	[NL80211_ATTR_DURATION] = { .type = NLA_U32 },
806 	[NL80211_ATTR_COOKIE] = { .type = NLA_U64 },
807 	[NL80211_ATTR_TX_RATES] = { .type = NLA_NESTED },
808 	[NL80211_ATTR_FRAME] = { .type = NLA_BINARY,
809 				 .len = IEEE80211_MAX_DATA_LEN },
810 	[NL80211_ATTR_FRAME_MATCH] = { .type = NLA_BINARY, },
811 	[NL80211_ATTR_PS_STATE] = NLA_POLICY_RANGE(NLA_U32,
812 						   NL80211_PS_DISABLED,
813 						   NL80211_PS_ENABLED),
814 	[NL80211_ATTR_CQM] = { .type = NLA_NESTED, },
815 	[NL80211_ATTR_LOCAL_STATE_CHANGE] = { .type = NLA_FLAG },
816 	[NL80211_ATTR_AP_ISOLATE] = { .type = NLA_U8 },
817 	[NL80211_ATTR_WIPHY_TX_POWER_SETTING] = { .type = NLA_U32 },
818 	[NL80211_ATTR_WIPHY_TX_POWER_LEVEL] = { .type = NLA_U32 },
819 	[NL80211_ATTR_FRAME_TYPE] = { .type = NLA_U16 },
820 	[NL80211_ATTR_WIPHY_ANTENNA_TX] = { .type = NLA_U32 },
821 	[NL80211_ATTR_WIPHY_ANTENNA_RX] = { .type = NLA_U32 },
822 	[NL80211_ATTR_MCAST_RATE] = { .type = NLA_U32 },
823 	[NL80211_ATTR_OFFCHANNEL_TX_OK] = { .type = NLA_FLAG },
824 	[NL80211_ATTR_KEY_DEFAULT_TYPES] = { .type = NLA_NESTED },
825 	[NL80211_ATTR_WOWLAN_TRIGGERS] = { .type = NLA_NESTED },
826 	[NL80211_ATTR_STA_PLINK_STATE] =
827 		NLA_POLICY_MAX(NLA_U8, NUM_NL80211_PLINK_STATES - 1),
828 	[NL80211_ATTR_MEASUREMENT_DURATION] = { .type = NLA_U16 },
829 	[NL80211_ATTR_MEASUREMENT_DURATION_MANDATORY] = { .type = NLA_FLAG },
830 	[NL80211_ATTR_MESH_PEER_AID] =
831 		NLA_POLICY_RANGE(NLA_U16, 1, IEEE80211_MAX_AID),
832 	[NL80211_ATTR_SCHED_SCAN_INTERVAL] = { .type = NLA_U32 },
833 	[NL80211_ATTR_REKEY_DATA] = { .type = NLA_NESTED },
834 	[NL80211_ATTR_SCAN_SUPP_RATES] = { .type = NLA_NESTED },
835 	[NL80211_ATTR_HIDDEN_SSID] =
836 		NLA_POLICY_RANGE(NLA_U32,
837 				 NL80211_HIDDEN_SSID_NOT_IN_USE,
838 				 NL80211_HIDDEN_SSID_ZERO_CONTENTS),
839 	[NL80211_ATTR_IE_PROBE_RESP] =
840 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_ie_attr,
841 				       IEEE80211_MAX_DATA_LEN),
842 	[NL80211_ATTR_IE_ASSOC_RESP] =
843 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_ie_attr,
844 				       IEEE80211_MAX_DATA_LEN),
845 	[NL80211_ATTR_ROAM_SUPPORT] = { .type = NLA_FLAG },
846 	[NL80211_ATTR_STA_WME] = NLA_POLICY_NESTED(nl80211_sta_wme_policy),
847 	[NL80211_ATTR_SCHED_SCAN_MATCH] = { .type = NLA_NESTED },
848 	[NL80211_ATTR_TX_NO_CCK_RATE] = { .type = NLA_FLAG },
849 	[NL80211_ATTR_TDLS_ACTION] = { .type = NLA_U8 },
850 	[NL80211_ATTR_TDLS_DIALOG_TOKEN] = { .type = NLA_U8 },
851 	[NL80211_ATTR_TDLS_OPERATION] = { .type = NLA_U8 },
852 	[NL80211_ATTR_TDLS_SUPPORT] = { .type = NLA_FLAG },
853 	[NL80211_ATTR_TDLS_EXTERNAL_SETUP] = { .type = NLA_FLAG },
854 	[NL80211_ATTR_TDLS_INITIATOR] = { .type = NLA_FLAG },
855 	[NL80211_ATTR_DONT_WAIT_FOR_ACK] = { .type = NLA_FLAG },
856 	[NL80211_ATTR_PROBE_RESP] = { .type = NLA_BINARY,
857 				      .len = IEEE80211_MAX_DATA_LEN },
858 	[NL80211_ATTR_DFS_REGION] = { .type = NLA_U8 },
859 	[NL80211_ATTR_DISABLE_HT] = { .type = NLA_FLAG },
860 	[NL80211_ATTR_HT_CAPABILITY_MASK] = {
861 		.len = NL80211_HT_CAPABILITY_LEN
862 	},
863 	[NL80211_ATTR_NOACK_MAP] = { .type = NLA_U16 },
864 	[NL80211_ATTR_INACTIVITY_TIMEOUT] = { .type = NLA_U16 },
865 	[NL80211_ATTR_BG_SCAN_PERIOD] = { .type = NLA_U16 },
866 	[NL80211_ATTR_WDEV] = { .type = NLA_U64 },
867 	[NL80211_ATTR_USER_REG_HINT_TYPE] = { .type = NLA_U32 },
868 
869 	/* need to include at least Auth Transaction and Status Code */
870 	[NL80211_ATTR_AUTH_DATA] = NLA_POLICY_MIN_LEN(4),
871 
872 	[NL80211_ATTR_VHT_CAPABILITY] = NLA_POLICY_EXACT_LEN_WARN(NL80211_VHT_CAPABILITY_LEN),
873 	[NL80211_ATTR_SCAN_FLAGS] = { .type = NLA_U32 },
874 	[NL80211_ATTR_P2P_CTWINDOW] = NLA_POLICY_MAX(NLA_U8, 127),
875 	[NL80211_ATTR_P2P_OPPPS] = NLA_POLICY_MAX(NLA_U8, 1),
876 	[NL80211_ATTR_LOCAL_MESH_POWER_MODE] =
877 		NLA_POLICY_RANGE(NLA_U32,
878 				 NL80211_MESH_POWER_UNKNOWN + 1,
879 				 NL80211_MESH_POWER_MAX),
880 	[NL80211_ATTR_ACL_POLICY] = {. type = NLA_U32 },
881 	[NL80211_ATTR_MAC_ADDRS] = { .type = NLA_NESTED },
882 	[NL80211_ATTR_STA_CAPABILITY] = { .type = NLA_U16 },
883 	[NL80211_ATTR_STA_EXT_CAPABILITY] = { .type = NLA_BINARY, },
884 	[NL80211_ATTR_SPLIT_WIPHY_DUMP] = { .type = NLA_FLAG, },
885 	[NL80211_ATTR_DISABLE_VHT] = { .type = NLA_FLAG },
886 	[NL80211_ATTR_VHT_CAPABILITY_MASK] = {
887 		.len = NL80211_VHT_CAPABILITY_LEN,
888 	},
889 	[NL80211_ATTR_MDID] = { .type = NLA_U16 },
890 	[NL80211_ATTR_IE_RIC] = { .type = NLA_BINARY,
891 				  .len = IEEE80211_MAX_DATA_LEN },
892 	[NL80211_ATTR_CRIT_PROT_ID] = { .type = NLA_U16 },
893 	[NL80211_ATTR_MAX_CRIT_PROT_DURATION] =
894 		NLA_POLICY_MAX(NLA_U16, NL80211_CRIT_PROTO_MAX_DURATION),
895 	[NL80211_ATTR_PEER_AID] =
896 		NLA_POLICY_RANGE(NLA_U16, 1, IEEE80211_MAX_AID),
897 	[NL80211_ATTR_CH_SWITCH_COUNT] = { .type = NLA_U32 },
898 	[NL80211_ATTR_CH_SWITCH_BLOCK_TX] = { .type = NLA_FLAG },
899 	[NL80211_ATTR_CSA_IES] = { .type = NLA_NESTED },
900 	[NL80211_ATTR_CNTDWN_OFFS_BEACON] = { .type = NLA_BINARY },
901 	[NL80211_ATTR_CNTDWN_OFFS_PRESP] = { .type = NLA_BINARY },
902 	[NL80211_ATTR_STA_SUPPORTED_CHANNELS] = NLA_POLICY_MIN_LEN(2),
903 	/*
904 	 * The value of the Length field of the Supported Operating
905 	 * Classes element is between 2 and 253.
906 	 */
907 	[NL80211_ATTR_STA_SUPPORTED_OPER_CLASSES] =
908 		NLA_POLICY_RANGE(NLA_BINARY, 2, 253),
909 	[NL80211_ATTR_HANDLE_DFS] = { .type = NLA_FLAG },
910 	[NL80211_ATTR_OPMODE_NOTIF] = { .type = NLA_U8 },
911 	[NL80211_ATTR_VENDOR_ID] = { .type = NLA_U32 },
912 	[NL80211_ATTR_VENDOR_SUBCMD] = { .type = NLA_U32 },
913 	[NL80211_ATTR_VENDOR_DATA] = { .type = NLA_BINARY },
914 	[NL80211_ATTR_QOS_MAP] = NLA_POLICY_RANGE(NLA_BINARY,
915 						  IEEE80211_QOS_MAP_LEN_MIN,
916 						  IEEE80211_QOS_MAP_LEN_MAX),
917 	[NL80211_ATTR_MAC_HINT] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
918 	[NL80211_ATTR_WIPHY_FREQ_HINT] = { .type = NLA_U32 },
919 	[NL80211_ATTR_TDLS_PEER_CAPABILITY] = { .type = NLA_U32 },
920 	[NL80211_ATTR_SOCKET_OWNER] = { .type = NLA_FLAG },
921 	[NL80211_ATTR_CSA_C_OFFSETS_TX] = { .type = NLA_BINARY },
922 	[NL80211_ATTR_USE_RRM] = { .type = NLA_FLAG },
923 	[NL80211_ATTR_TSID] = NLA_POLICY_MAX(NLA_U8, IEEE80211_NUM_TIDS - 1),
924 	[NL80211_ATTR_USER_PRIO] =
925 		NLA_POLICY_MAX(NLA_U8, IEEE80211_NUM_UPS - 1),
926 	[NL80211_ATTR_ADMITTED_TIME] = { .type = NLA_U16 },
927 	[NL80211_ATTR_SMPS_MODE] = { .type = NLA_U8 },
928 	[NL80211_ATTR_OPER_CLASS] = { .type = NLA_U8 },
929 	[NL80211_ATTR_MAC_MASK] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
930 	[NL80211_ATTR_WIPHY_SELF_MANAGED_REG] = { .type = NLA_FLAG },
931 	[NL80211_ATTR_NETNS_FD] = { .type = NLA_U32 },
932 	[NL80211_ATTR_SCHED_SCAN_DELAY] = { .type = NLA_U32 },
933 	[NL80211_ATTR_REG_INDOOR] = { .type = NLA_FLAG },
934 	[NL80211_ATTR_PBSS] = { .type = NLA_FLAG },
935 	[NL80211_ATTR_BSS_SELECT] = { .type = NLA_NESTED },
936 	[NL80211_ATTR_STA_SUPPORT_P2P_PS] =
937 		NLA_POLICY_MAX(NLA_U8, NUM_NL80211_P2P_PS_STATUS - 1),
938 	[NL80211_ATTR_MU_MIMO_GROUP_DATA] = {
939 		.len = VHT_MUMIMO_GROUPS_DATA_LEN
940 	},
941 	[NL80211_ATTR_MU_MIMO_FOLLOW_MAC_ADDR] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
942 	[NL80211_ATTR_NAN_MASTER_PREF] = NLA_POLICY_MIN(NLA_U8, 1),
943 	[NL80211_ATTR_BANDS] = { .type = NLA_U32 },
944 	[NL80211_ATTR_NAN_CONFIG] = NLA_POLICY_NESTED(nl80211_nan_conf_policy),
945 	[NL80211_ATTR_NAN_FUNC] = { .type = NLA_NESTED },
946 	[NL80211_ATTR_FILS_KEK] = { .type = NLA_BINARY,
947 				    .len = FILS_MAX_KEK_LEN },
948 	[NL80211_ATTR_FILS_NONCES] = NLA_POLICY_EXACT_LEN_WARN(2 * FILS_NONCE_LEN),
949 	[NL80211_ATTR_MULTICAST_TO_UNICAST_ENABLED] = { .type = NLA_FLAG, },
950 	[NL80211_ATTR_BSSID] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
951 	[NL80211_ATTR_SCHED_SCAN_RELATIVE_RSSI] = { .type = NLA_S8 },
952 	[NL80211_ATTR_SCHED_SCAN_RSSI_ADJUST] = {
953 		.len = sizeof(struct nl80211_bss_select_rssi_adjust)
954 	},
955 	[NL80211_ATTR_TIMEOUT_REASON] = { .type = NLA_U32 },
956 	[NL80211_ATTR_FILS_ERP_USERNAME] = { .type = NLA_BINARY,
957 					     .len = FILS_ERP_MAX_USERNAME_LEN },
958 	[NL80211_ATTR_FILS_ERP_REALM] = { .type = NLA_BINARY,
959 					  .len = FILS_ERP_MAX_REALM_LEN },
960 	[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM] = { .type = NLA_U16 },
961 	[NL80211_ATTR_FILS_ERP_RRK] = { .type = NLA_BINARY,
962 					.len = FILS_ERP_MAX_RRK_LEN },
963 	[NL80211_ATTR_FILS_CACHE_ID] = NLA_POLICY_EXACT_LEN_WARN(2),
964 	[NL80211_ATTR_PMK] = { .type = NLA_BINARY, .len = PMK_MAX_LEN },
965 	[NL80211_ATTR_PMKR0_NAME] = NLA_POLICY_EXACT_LEN(WLAN_PMK_NAME_LEN),
966 	[NL80211_ATTR_SCHED_SCAN_MULTI] = { .type = NLA_FLAG },
967 	[NL80211_ATTR_EXTERNAL_AUTH_SUPPORT] = { .type = NLA_FLAG },
968 
969 	[NL80211_ATTR_TXQ_LIMIT] = { .type = NLA_U32 },
970 	[NL80211_ATTR_TXQ_MEMORY_LIMIT] = { .type = NLA_U32 },
971 	[NL80211_ATTR_TXQ_QUANTUM] = NLA_POLICY_FULL_RANGE(NLA_U32, &q_range),
972 	[NL80211_ATTR_HE_CAPABILITY] =
973 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_he_capa,
974 				       NL80211_HE_MAX_CAPABILITY_LEN),
975 	[NL80211_ATTR_FTM_RESPONDER] =
976 		NLA_POLICY_NESTED(nl80211_ftm_responder_policy),
977 	[NL80211_ATTR_TIMEOUT] = NLA_POLICY_MIN(NLA_U32, 1),
978 	[NL80211_ATTR_PEER_MEASUREMENTS] =
979 		NLA_POLICY_NESTED(nl80211_pmsr_attr_policy),
980 	[NL80211_ATTR_AIRTIME_WEIGHT] = NLA_POLICY_MIN(NLA_U16, 1),
981 	[NL80211_ATTR_SAE_PASSWORD] = { .type = NLA_BINARY,
982 					.len = SAE_PASSWORD_MAX_LEN },
983 	[NL80211_ATTR_TWT_RESPONDER] = { .type = NLA_FLAG },
984 	[NL80211_ATTR_HE_OBSS_PD] = NLA_POLICY_NESTED(he_obss_pd_policy),
985 	[NL80211_ATTR_VLAN_ID] = NLA_POLICY_RANGE(NLA_U16, 1, VLAN_N_VID - 2),
986 	[NL80211_ATTR_HE_BSS_COLOR] = NLA_POLICY_NESTED(he_bss_color_policy),
987 	[NL80211_ATTR_TID_CONFIG] =
988 		NLA_POLICY_NESTED_ARRAY(nl80211_tid_config_attr_policy),
989 	[NL80211_ATTR_CONTROL_PORT_NO_PREAUTH] = { .type = NLA_FLAG },
990 	[NL80211_ATTR_PMK_LIFETIME] = NLA_POLICY_MIN(NLA_U32, 1),
991 	[NL80211_ATTR_PMK_REAUTH_THRESHOLD] = NLA_POLICY_RANGE(NLA_U8, 1, 100),
992 	[NL80211_ATTR_RECEIVE_MULTICAST] = { .type = NLA_FLAG },
993 	[NL80211_ATTR_WIPHY_FREQ_OFFSET] = NLA_POLICY_RANGE(NLA_U32, 0, 999),
994 	[NL80211_ATTR_SCAN_FREQ_KHZ] = { .type = NLA_NESTED },
995 	[NL80211_ATTR_HE_6GHZ_CAPABILITY] =
996 		NLA_POLICY_EXACT_LEN(sizeof(struct ieee80211_he_6ghz_capa)),
997 	[NL80211_ATTR_FILS_DISCOVERY] =
998 		NLA_POLICY_NESTED(nl80211_fils_discovery_policy),
999 	[NL80211_ATTR_UNSOL_BCAST_PROBE_RESP] =
1000 		NLA_POLICY_NESTED(nl80211_unsol_bcast_probe_resp_policy),
1001 	[NL80211_ATTR_S1G_CAPABILITY] =
1002 		NLA_POLICY_EXACT_LEN(IEEE80211_S1G_CAPABILITY_LEN),
1003 	[NL80211_ATTR_S1G_CAPABILITY_MASK] =
1004 		NLA_POLICY_EXACT_LEN(IEEE80211_S1G_CAPABILITY_LEN),
1005 	[NL80211_ATTR_SAE_PWE] =
1006 		NLA_POLICY_RANGE(NLA_U8, NL80211_SAE_PWE_HUNT_AND_PECK,
1007 				 NL80211_SAE_PWE_BOTH),
1008 	[NL80211_ATTR_RECONNECT_REQUESTED] = { .type = NLA_REJECT },
1009 	[NL80211_ATTR_SAR_SPEC] = NLA_POLICY_NESTED(sar_policy),
1010 	[NL80211_ATTR_DISABLE_HE] = { .type = NLA_FLAG },
1011 	[NL80211_ATTR_OBSS_COLOR_BITMAP] = { .type = NLA_U64 },
1012 	[NL80211_ATTR_COLOR_CHANGE_COUNT] = { .type = NLA_U8 },
1013 	[NL80211_ATTR_COLOR_CHANGE_COLOR] = { .type = NLA_U8 },
1014 	[NL80211_ATTR_COLOR_CHANGE_ELEMS] = NLA_POLICY_NESTED(nl80211_policy),
1015 	[NL80211_ATTR_MBSSID_CONFIG] =
1016 			NLA_POLICY_NESTED(nl80211_mbssid_config_policy),
1017 	[NL80211_ATTR_MBSSID_ELEMS] = { .type = NLA_NESTED },
1018 	[NL80211_ATTR_RADAR_BACKGROUND] = { .type = NLA_FLAG },
1019 	[NL80211_ATTR_AP_SETTINGS_FLAGS] = { .type = NLA_U32 },
1020 	[NL80211_ATTR_EHT_CAPABILITY] =
1021 		NLA_POLICY_RANGE(NLA_BINARY,
1022 				 NL80211_EHT_MIN_CAPABILITY_LEN,
1023 				 NL80211_EHT_MAX_CAPABILITY_LEN),
1024 	[NL80211_ATTR_DISABLE_EHT] = { .type = NLA_FLAG },
1025 	[NL80211_ATTR_MLO_LINKS] =
1026 		NLA_POLICY_NESTED_ARRAY(nl80211_policy),
1027 	[NL80211_ATTR_MLO_LINK_ID] =
1028 		NLA_POLICY_RANGE(NLA_U8, 0, IEEE80211_MLD_MAX_NUM_LINKS - 1),
1029 	[NL80211_ATTR_MLD_ADDR] = NLA_POLICY_EXACT_LEN(ETH_ALEN),
1030 	[NL80211_ATTR_MLO_SUPPORT] = { .type = NLA_FLAG },
1031 	[NL80211_ATTR_MAX_NUM_AKM_SUITES] = { .type = NLA_REJECT },
1032 	[NL80211_ATTR_EML_CAPABILITY] = { .type = NLA_U16 },
1033 	[NL80211_ATTR_PUNCT_BITMAP] =
1034 		NLA_POLICY_FULL_RANGE(NLA_U32, &nl80211_punct_bitmap_range),
1035 
1036 	[NL80211_ATTR_MAX_HW_TIMESTAMP_PEERS] = { .type = NLA_U16 },
1037 	[NL80211_ATTR_HW_TIMESTAMP_ENABLED] = { .type = NLA_FLAG },
1038 	[NL80211_ATTR_EMA_RNR_ELEMS] = { .type = NLA_NESTED },
1039 	[NL80211_ATTR_MLO_LINK_DISABLED] = { .type = NLA_FLAG },
1040 	[NL80211_ATTR_BSS_DUMP_INCLUDE_USE_DATA] = { .type = NLA_FLAG },
1041 	[NL80211_ATTR_MLO_TTLM_DLINK] = NLA_POLICY_EXACT_LEN(sizeof(u16) * 8),
1042 	[NL80211_ATTR_MLO_TTLM_ULINK] = NLA_POLICY_EXACT_LEN(sizeof(u16) * 8),
1043 	[NL80211_ATTR_ASSOC_SPP_AMSDU] = { .type = NLA_FLAG },
1044 	[NL80211_ATTR_VIF_RADIO_MASK] = { .type = NLA_U32 },
1045 	[NL80211_ATTR_SUPPORTED_SELECTORS] =
1046 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_supported_selectors,
1047 				       NL80211_MAX_SUPP_SELECTORS),
1048 	[NL80211_ATTR_MLO_RECONF_REM_LINKS] = { .type = NLA_U16 },
1049 	[NL80211_ATTR_EPCS] = { .type = NLA_FLAG },
1050 	[NL80211_ATTR_ASSOC_MLD_EXT_CAPA_OPS] = { .type = NLA_U16 },
1051 	[NL80211_ATTR_WIPHY_RADIO_INDEX] = { .type = NLA_U8 },
1052 	[NL80211_ATTR_S1G_LONG_BEACON_PERIOD] = NLA_POLICY_MIN(NLA_U8, 2),
1053 	[NL80211_ATTR_S1G_SHORT_BEACON] =
1054 		NLA_POLICY_NESTED(nl80211_s1g_short_beacon),
1055 	[NL80211_ATTR_BSS_PARAM] = { .type = NLA_FLAG },
1056 	[NL80211_ATTR_S1G_PRIMARY_2MHZ] = { .type = NLA_FLAG },
1057 	[NL80211_ATTR_EPP_PEER] = { .type = NLA_FLAG },
1058 	[NL80211_ATTR_UHR_CAPABILITY] =
1059 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_uhr_capa, 255),
1060 	[NL80211_ATTR_DISABLE_UHR] = { .type = NLA_FLAG },
1061 	[NL80211_ATTR_UHR_OPERATION] =
1062 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_uhr_operation),
1063 	[NL80211_ATTR_NAN_CHANNEL] = NLA_POLICY_NESTED(nl80211_policy),
1064 	[NL80211_ATTR_NAN_CHANNEL_ENTRY] = NLA_POLICY_EXACT_LEN(6),
1065 	[NL80211_ATTR_NAN_RX_NSS] = { .type = NLA_U8 },
1066 	[NL80211_ATTR_NAN_TIME_SLOTS] =
1067 		NLA_POLICY_EXACT_LEN(CFG80211_NAN_SCHED_NUM_TIME_SLOTS),
1068 	[NL80211_ATTR_NAN_AVAIL_BLOB] =
1069 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_nan_avail_blob),
1070 	[NL80211_ATTR_NAN_SCHED_DEFERRED] = { .type = NLA_FLAG },
1071 	[NL80211_ATTR_NAN_NMI_MAC] = NLA_POLICY_ETH_ADDR,
1072 	[NL80211_ATTR_NAN_ULW] =
1073 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_nan_ulw),
1074 	[NL80211_ATTR_NAN_COMMITTED_DW] = { .type = NLA_U16 },
1075 	[NL80211_ATTR_NAN_SEQ_ID] = { .type = NLA_U8 },
1076 	[NL80211_ATTR_NAN_MAX_CHAN_SWITCH_TIME] = { .type = NLA_U16 },
1077 	[NL80211_ATTR_NAN_PEER_MAPS] =
1078 		NLA_POLICY_NESTED_ARRAY(nl80211_nan_peer_map_policy),
1079 };
1080 
1081 /* policy for the key attributes */
1082 static const struct nla_policy nl80211_key_policy[NL80211_KEY_MAX + 1] = {
1083 	[NL80211_KEY_DATA] = { .type = NLA_BINARY, .len = WLAN_MAX_KEY_LEN },
1084 	[NL80211_KEY_IDX] = { .type = NLA_U8 },
1085 	[NL80211_KEY_CIPHER] = { .type = NLA_U32 },
1086 	[NL80211_KEY_SEQ] = { .type = NLA_BINARY, .len = 16 },
1087 	[NL80211_KEY_DEFAULT] = { .type = NLA_FLAG },
1088 	[NL80211_KEY_DEFAULT_MGMT] = { .type = NLA_FLAG },
1089 	[NL80211_KEY_TYPE] = NLA_POLICY_MAX(NLA_U32, NUM_NL80211_KEYTYPES - 1),
1090 	[NL80211_KEY_DEFAULT_TYPES] = { .type = NLA_NESTED },
1091 	[NL80211_KEY_MODE] = NLA_POLICY_RANGE(NLA_U8, 0, NL80211_KEY_SET_TX),
1092 };
1093 
1094 /* policy for the key default flags */
1095 static const struct nla_policy
1096 nl80211_key_default_policy[NUM_NL80211_KEY_DEFAULT_TYPES] = {
1097 	[NL80211_KEY_DEFAULT_TYPE_UNICAST] = { .type = NLA_FLAG },
1098 	[NL80211_KEY_DEFAULT_TYPE_MULTICAST] = { .type = NLA_FLAG },
1099 };
1100 
1101 #ifdef CONFIG_PM
1102 /* policy for WoWLAN attributes */
1103 static const struct nla_policy
1104 nl80211_wowlan_policy[NUM_NL80211_WOWLAN_TRIG] = {
1105 	[NL80211_WOWLAN_TRIG_ANY] = { .type = NLA_FLAG },
1106 	[NL80211_WOWLAN_TRIG_DISCONNECT] = { .type = NLA_FLAG },
1107 	[NL80211_WOWLAN_TRIG_MAGIC_PKT] = { .type = NLA_FLAG },
1108 	[NL80211_WOWLAN_TRIG_PKT_PATTERN] = { .type = NLA_NESTED },
1109 	[NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE] = { .type = NLA_FLAG },
1110 	[NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST] = { .type = NLA_FLAG },
1111 	[NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE] = { .type = NLA_FLAG },
1112 	[NL80211_WOWLAN_TRIG_RFKILL_RELEASE] = { .type = NLA_FLAG },
1113 	[NL80211_WOWLAN_TRIG_TCP_CONNECTION] = { .type = NLA_NESTED },
1114 	[NL80211_WOWLAN_TRIG_NET_DETECT] = { .type = NLA_NESTED },
1115 };
1116 
1117 static const struct nla_policy
1118 nl80211_wowlan_tcp_policy[NUM_NL80211_WOWLAN_TCP] = {
1119 	[NL80211_WOWLAN_TCP_SRC_IPV4] = { .type = NLA_U32 },
1120 	[NL80211_WOWLAN_TCP_DST_IPV4] = { .type = NLA_U32 },
1121 	[NL80211_WOWLAN_TCP_DST_MAC] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
1122 	[NL80211_WOWLAN_TCP_SRC_PORT] = { .type = NLA_U16 },
1123 	[NL80211_WOWLAN_TCP_DST_PORT] = { .type = NLA_U16 },
1124 	[NL80211_WOWLAN_TCP_DATA_PAYLOAD] = NLA_POLICY_MIN_LEN(1),
1125 	[NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ] = {
1126 		.len = sizeof(struct nl80211_wowlan_tcp_data_seq)
1127 	},
1128 	[NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN] = {
1129 		.len = sizeof(struct nl80211_wowlan_tcp_data_token)
1130 	},
1131 	[NL80211_WOWLAN_TCP_DATA_INTERVAL] = { .type = NLA_U32 },
1132 	[NL80211_WOWLAN_TCP_WAKE_PAYLOAD] = NLA_POLICY_MIN_LEN(1),
1133 	[NL80211_WOWLAN_TCP_WAKE_MASK] = NLA_POLICY_MIN_LEN(1),
1134 };
1135 #endif /* CONFIG_PM */
1136 
1137 /* policy for coalesce rule attributes */
1138 static const struct nla_policy
1139 nl80211_coalesce_policy[NUM_NL80211_ATTR_COALESCE_RULE] = {
1140 	[NL80211_ATTR_COALESCE_RULE_DELAY] = { .type = NLA_U32 },
1141 	[NL80211_ATTR_COALESCE_RULE_CONDITION] =
1142 		NLA_POLICY_RANGE(NLA_U32,
1143 				 NL80211_COALESCE_CONDITION_MATCH,
1144 				 NL80211_COALESCE_CONDITION_NO_MATCH),
1145 	[NL80211_ATTR_COALESCE_RULE_PKT_PATTERN] = { .type = NLA_NESTED },
1146 };
1147 
1148 /* policy for GTK rekey offload attributes */
1149 static const struct nla_policy
1150 nl80211_rekey_policy[NUM_NL80211_REKEY_DATA] = {
1151 	[NL80211_REKEY_DATA_KEK] = {
1152 		.type = NLA_BINARY,
1153 		.len = NL80211_KEK_EXT_LEN
1154 	},
1155 	[NL80211_REKEY_DATA_KCK] = {
1156 		.type = NLA_BINARY,
1157 		.len = NL80211_KCK_EXT_LEN_32
1158 	},
1159 	[NL80211_REKEY_DATA_REPLAY_CTR] = NLA_POLICY_EXACT_LEN(NL80211_REPLAY_CTR_LEN),
1160 	[NL80211_REKEY_DATA_AKM] = { .type = NLA_U32 },
1161 };
1162 
1163 static const struct nla_policy
1164 nl80211_match_policy[NL80211_SCHED_SCAN_MATCH_ATTR_MAX + 1] = {
1165 	[NL80211_SCHED_SCAN_MATCH_ATTR_SSID] = { .type = NLA_BINARY,
1166 						 .len = IEEE80211_MAX_SSID_LEN },
1167 	[NL80211_SCHED_SCAN_MATCH_ATTR_BSSID] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
1168 	[NL80211_SCHED_SCAN_MATCH_ATTR_RSSI] = { .type = NLA_U32 },
1169 };
1170 
1171 static const struct nla_policy
1172 nl80211_plan_policy[NL80211_SCHED_SCAN_PLAN_MAX + 1] = {
1173 	[NL80211_SCHED_SCAN_PLAN_INTERVAL] = { .type = NLA_U32 },
1174 	[NL80211_SCHED_SCAN_PLAN_ITERATIONS] = { .type = NLA_U32 },
1175 };
1176 
1177 static const struct nla_policy
1178 nl80211_bss_select_policy[NL80211_BSS_SELECT_ATTR_MAX + 1] = {
1179 	[NL80211_BSS_SELECT_ATTR_RSSI] = { .type = NLA_FLAG },
1180 	[NL80211_BSS_SELECT_ATTR_BAND_PREF] = { .type = NLA_U32 },
1181 	[NL80211_BSS_SELECT_ATTR_RSSI_ADJUST] = {
1182 		.len = sizeof(struct nl80211_bss_select_rssi_adjust)
1183 	},
1184 };
1185 
1186 /* policy for NAN function attributes */
1187 static const struct nla_policy
1188 nl80211_nan_func_policy[NL80211_NAN_FUNC_ATTR_MAX + 1] = {
1189 	[NL80211_NAN_FUNC_TYPE] =
1190 		NLA_POLICY_MAX(NLA_U8, NL80211_NAN_FUNC_MAX_TYPE),
1191 	[NL80211_NAN_FUNC_SERVICE_ID] = {
1192 				    .len = NL80211_NAN_FUNC_SERVICE_ID_LEN },
1193 	[NL80211_NAN_FUNC_PUBLISH_TYPE] = { .type = NLA_U8 },
1194 	[NL80211_NAN_FUNC_PUBLISH_BCAST] = { .type = NLA_FLAG },
1195 	[NL80211_NAN_FUNC_SUBSCRIBE_ACTIVE] = { .type = NLA_FLAG },
1196 	[NL80211_NAN_FUNC_FOLLOW_UP_ID] = { .type = NLA_U8 },
1197 	[NL80211_NAN_FUNC_FOLLOW_UP_REQ_ID] = { .type = NLA_U8 },
1198 	[NL80211_NAN_FUNC_FOLLOW_UP_DEST] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
1199 	[NL80211_NAN_FUNC_CLOSE_RANGE] = { .type = NLA_FLAG },
1200 	[NL80211_NAN_FUNC_TTL] = { .type = NLA_U32 },
1201 	[NL80211_NAN_FUNC_SERVICE_INFO] = { .type = NLA_BINARY,
1202 			.len = NL80211_NAN_FUNC_SERVICE_SPEC_INFO_MAX_LEN },
1203 	[NL80211_NAN_FUNC_SRF] = { .type = NLA_NESTED },
1204 	[NL80211_NAN_FUNC_RX_MATCH_FILTER] = { .type = NLA_NESTED },
1205 	[NL80211_NAN_FUNC_TX_MATCH_FILTER] = { .type = NLA_NESTED },
1206 	[NL80211_NAN_FUNC_INSTANCE_ID] = { .type = NLA_U8 },
1207 	[NL80211_NAN_FUNC_TERM_REASON] = { .type = NLA_U8 },
1208 };
1209 
1210 /* policy for Service Response Filter attributes */
1211 static const struct nla_policy
1212 nl80211_nan_srf_policy[NL80211_NAN_SRF_ATTR_MAX + 1] = {
1213 	[NL80211_NAN_SRF_INCLUDE] = { .type = NLA_FLAG },
1214 	[NL80211_NAN_SRF_BF] = { .type = NLA_BINARY,
1215 				 .len =  NL80211_NAN_FUNC_SRF_MAX_LEN },
1216 	[NL80211_NAN_SRF_BF_IDX] = { .type = NLA_U8 },
1217 	[NL80211_NAN_SRF_MAC_ADDRS] = { .type = NLA_NESTED },
1218 };
1219 
1220 /* policy for packet pattern attributes */
1221 static const struct nla_policy
1222 nl80211_packet_pattern_policy[MAX_NL80211_PKTPAT + 1] = {
1223 	[NL80211_PKTPAT_MASK] = { .type = NLA_BINARY, },
1224 	[NL80211_PKTPAT_PATTERN] = { .type = NLA_BINARY, },
1225 	[NL80211_PKTPAT_OFFSET] = { .type = NLA_U32 },
1226 };
1227 
1228 static int nl80211_prepare_wdev_dump(struct netlink_callback *cb,
1229 				     struct cfg80211_registered_device **rdev,
1230 				     struct wireless_dev **wdev,
1231 				     struct nlattr **attrbuf)
1232 {
1233 	int err;
1234 
1235 	if (!cb->args[0]) {
1236 		struct nlattr **attrbuf_free = NULL;
1237 
1238 		if (!attrbuf) {
1239 			attrbuf = kzalloc_objs(*attrbuf, NUM_NL80211_ATTR);
1240 			if (!attrbuf)
1241 				return -ENOMEM;
1242 			attrbuf_free = attrbuf;
1243 		}
1244 
1245 		err = nlmsg_parse_deprecated(cb->nlh,
1246 					     GENL_HDRLEN + nl80211_fam.hdrsize,
1247 					     attrbuf, nl80211_fam.maxattr,
1248 					     nl80211_policy, NULL);
1249 		if (err) {
1250 			kfree(attrbuf_free);
1251 			return err;
1252 		}
1253 
1254 		rtnl_lock();
1255 		*wdev = __cfg80211_wdev_from_attrs(NULL, sock_net(cb->skb->sk),
1256 						   attrbuf);
1257 		kfree(attrbuf_free);
1258 		if (IS_ERR(*wdev)) {
1259 			rtnl_unlock();
1260 			return PTR_ERR(*wdev);
1261 		}
1262 		*rdev = wiphy_to_rdev((*wdev)->wiphy);
1263 		mutex_lock(&(*rdev)->wiphy.mtx);
1264 		rtnl_unlock();
1265 		/* 0 is the first index - add 1 to parse only once */
1266 		cb->args[0] = (*rdev)->wiphy_idx + 1;
1267 		cb->args[1] = (*wdev)->identifier;
1268 	} else {
1269 		/* subtract the 1 again here */
1270 		struct wiphy *wiphy;
1271 		struct wireless_dev *tmp;
1272 
1273 		rtnl_lock();
1274 		wiphy = wiphy_idx_to_wiphy(cb->args[0] - 1);
1275 		if (!wiphy) {
1276 			rtnl_unlock();
1277 			return -ENODEV;
1278 		}
1279 
1280 		/*
1281 		 * The first invocation validated the wdev's netns against
1282 		 * the caller via __cfg80211_wdev_from_attrs(). The wiphy
1283 		 * may have moved netns between dumpit invocations (via
1284 		 * NL80211_CMD_SET_WIPHY_NETNS), so re-check here.
1285 		 */
1286 		if (!net_eq(wiphy_net(wiphy), sock_net(cb->skb->sk))) {
1287 			rtnl_unlock();
1288 			return -ENODEV;
1289 		}
1290 
1291 		*rdev = wiphy_to_rdev(wiphy);
1292 		*wdev = NULL;
1293 
1294 		list_for_each_entry(tmp, &(*rdev)->wiphy.wdev_list, list) {
1295 			if (tmp->identifier == cb->args[1]) {
1296 				*wdev = tmp;
1297 				break;
1298 			}
1299 		}
1300 
1301 		if (!*wdev) {
1302 			rtnl_unlock();
1303 			return -ENODEV;
1304 		}
1305 		mutex_lock(&(*rdev)->wiphy.mtx);
1306 		rtnl_unlock();
1307 	}
1308 
1309 	return 0;
1310 }
1311 
1312 /* message building helper */
1313 void *nl80211hdr_put(struct sk_buff *skb, u32 portid, u32 seq,
1314 		     int flags, u8 cmd)
1315 {
1316 	/* since there is no private header just add the generic one */
1317 	return genlmsg_put(skb, portid, seq, &nl80211_fam, flags, cmd);
1318 }
1319 
1320 static int nl80211_msg_put_wmm_rules(struct sk_buff *msg,
1321 				     const struct ieee80211_reg_rule *rule)
1322 {
1323 	int j;
1324 	struct nlattr *nl_wmm_rules =
1325 		nla_nest_start_noflag(msg, NL80211_FREQUENCY_ATTR_WMM);
1326 
1327 	if (!nl_wmm_rules)
1328 		goto nla_put_failure;
1329 
1330 	for (j = 0; j < IEEE80211_NUM_ACS; j++) {
1331 		struct nlattr *nl_wmm_rule = nla_nest_start_noflag(msg, j);
1332 
1333 		if (!nl_wmm_rule)
1334 			goto nla_put_failure;
1335 
1336 		if (nla_put_u16(msg, NL80211_WMMR_CW_MIN,
1337 				rule->wmm_rule.client[j].cw_min) ||
1338 		    nla_put_u16(msg, NL80211_WMMR_CW_MAX,
1339 				rule->wmm_rule.client[j].cw_max) ||
1340 		    nla_put_u8(msg, NL80211_WMMR_AIFSN,
1341 			       rule->wmm_rule.client[j].aifsn) ||
1342 		    nla_put_u16(msg, NL80211_WMMR_TXOP,
1343 			        rule->wmm_rule.client[j].cot))
1344 			goto nla_put_failure;
1345 
1346 		nla_nest_end(msg, nl_wmm_rule);
1347 	}
1348 	nla_nest_end(msg, nl_wmm_rules);
1349 
1350 	return 0;
1351 
1352 nla_put_failure:
1353 	return -ENOBUFS;
1354 }
1355 
1356 static int nl80211_msg_put_channel(struct sk_buff *msg, struct wiphy *wiphy,
1357 				   struct ieee80211_channel *chan,
1358 				   bool large)
1359 {
1360 	/* Some channels must be completely excluded from the
1361 	 * list to protect old user-space tools from breaking
1362 	 */
1363 	if (!large && chan->flags &
1364 	    (IEEE80211_CHAN_NO_10MHZ | IEEE80211_CHAN_NO_20MHZ))
1365 		return 0;
1366 	if (!large && chan->freq_offset)
1367 		return 0;
1368 
1369 	if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_FREQ,
1370 			chan->center_freq))
1371 		goto nla_put_failure;
1372 
1373 	if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_OFFSET, chan->freq_offset))
1374 		goto nla_put_failure;
1375 
1376 	if ((chan->flags & IEEE80211_CHAN_PSD) &&
1377 	    nla_put_s8(msg, NL80211_FREQUENCY_ATTR_PSD, chan->psd))
1378 		goto nla_put_failure;
1379 
1380 	if ((chan->flags & IEEE80211_CHAN_DISABLED) &&
1381 	    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_DISABLED))
1382 		goto nla_put_failure;
1383 	if (chan->flags & IEEE80211_CHAN_NO_IR) {
1384 		if (nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_IR))
1385 			goto nla_put_failure;
1386 		if (nla_put_flag(msg, __NL80211_FREQUENCY_ATTR_NO_IBSS))
1387 			goto nla_put_failure;
1388 	}
1389 	if (chan->flags & IEEE80211_CHAN_RADAR) {
1390 		if (nla_put_flag(msg, NL80211_FREQUENCY_ATTR_RADAR))
1391 			goto nla_put_failure;
1392 		if (large) {
1393 			u32 time;
1394 
1395 			time = elapsed_jiffies_msecs(chan->dfs_state_entered);
1396 
1397 			if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_DFS_STATE,
1398 					chan->dfs_state))
1399 				goto nla_put_failure;
1400 			if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_DFS_TIME,
1401 					time))
1402 				goto nla_put_failure;
1403 			if (nla_put_u32(msg,
1404 					NL80211_FREQUENCY_ATTR_DFS_CAC_TIME,
1405 					chan->dfs_cac_ms))
1406 				goto nla_put_failure;
1407 		}
1408 	}
1409 
1410 	if (large) {
1411 		if ((chan->flags & IEEE80211_CHAN_NO_HT40MINUS) &&
1412 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_HT40_MINUS))
1413 			goto nla_put_failure;
1414 		if ((chan->flags & IEEE80211_CHAN_NO_HT40PLUS) &&
1415 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_HT40_PLUS))
1416 			goto nla_put_failure;
1417 		if ((chan->flags & IEEE80211_CHAN_NO_80MHZ) &&
1418 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_80MHZ))
1419 			goto nla_put_failure;
1420 		if ((chan->flags & IEEE80211_CHAN_NO_160MHZ) &&
1421 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_160MHZ))
1422 			goto nla_put_failure;
1423 		if ((chan->flags & IEEE80211_CHAN_INDOOR_ONLY) &&
1424 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_INDOOR_ONLY))
1425 			goto nla_put_failure;
1426 		if ((chan->flags & IEEE80211_CHAN_IR_CONCURRENT) &&
1427 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_IR_CONCURRENT))
1428 			goto nla_put_failure;
1429 		if ((chan->flags & IEEE80211_CHAN_NO_20MHZ) &&
1430 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_20MHZ))
1431 			goto nla_put_failure;
1432 		if ((chan->flags & IEEE80211_CHAN_NO_10MHZ) &&
1433 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_10MHZ))
1434 			goto nla_put_failure;
1435 		if ((chan->flags & IEEE80211_CHAN_NO_HE) &&
1436 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_HE))
1437 			goto nla_put_failure;
1438 		if ((chan->flags & IEEE80211_CHAN_NO_320MHZ) &&
1439 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_320MHZ))
1440 			goto nla_put_failure;
1441 		if ((chan->flags & IEEE80211_CHAN_NO_EHT) &&
1442 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_EHT))
1443 			goto nla_put_failure;
1444 		if ((chan->flags & IEEE80211_CHAN_DFS_CONCURRENT) &&
1445 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_DFS_CONCURRENT))
1446 			goto nla_put_failure;
1447 		if ((chan->flags & IEEE80211_CHAN_NO_6GHZ_VLP_CLIENT) &&
1448 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_6GHZ_VLP_CLIENT))
1449 			goto nla_put_failure;
1450 		if ((chan->flags & IEEE80211_CHAN_NO_6GHZ_AFC_CLIENT) &&
1451 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_6GHZ_AFC_CLIENT))
1452 			goto nla_put_failure;
1453 		if ((chan->flags & IEEE80211_CHAN_CAN_MONITOR) &&
1454 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_CAN_MONITOR))
1455 			goto nla_put_failure;
1456 		if ((chan->flags & IEEE80211_CHAN_ALLOW_6GHZ_VLP_AP) &&
1457 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_ALLOW_6GHZ_VLP_AP))
1458 			goto nla_put_failure;
1459 		if ((chan->flags & IEEE80211_CHAN_ALLOW_20MHZ_ACTIVITY) &&
1460 		    nla_put_flag(msg,
1461 				 NL80211_FREQUENCY_ATTR_ALLOW_20MHZ_ACTIVITY))
1462 			goto nla_put_failure;
1463 		if ((chan->flags & IEEE80211_CHAN_NO_4MHZ) &&
1464 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_4MHZ))
1465 			goto nla_put_failure;
1466 		if ((chan->flags & IEEE80211_CHAN_NO_8MHZ) &&
1467 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_8MHZ))
1468 			goto nla_put_failure;
1469 		if ((chan->flags & IEEE80211_CHAN_NO_16MHZ) &&
1470 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_16MHZ))
1471 			goto nla_put_failure;
1472 		if ((chan->flags & IEEE80211_CHAN_S1G_NO_PRIMARY) &&
1473 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_S1G_NO_PRIMARY))
1474 			goto nla_put_failure;
1475 		if ((chan->flags & IEEE80211_CHAN_NO_UHR) &&
1476 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_UHR))
1477 			goto nla_put_failure;
1478 		if (chan->cac_start_time &&
1479 		    nla_put_u64_64bit(msg,
1480 				      NL80211_FREQUENCY_ATTR_CAC_START_TIME,
1481 				      chan->cac_start_time,
1482 				      NL80211_FREQUENCY_ATTR_PAD))
1483 			goto nla_put_failure;
1484 	}
1485 
1486 	if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_MAX_TX_POWER,
1487 			DBM_TO_MBM(chan->max_power)))
1488 		goto nla_put_failure;
1489 
1490 	if (large) {
1491 		const struct ieee80211_reg_rule *rule =
1492 			freq_reg_info(wiphy, MHZ_TO_KHZ(chan->center_freq));
1493 
1494 		if (!IS_ERR_OR_NULL(rule) && rule->has_wmm) {
1495 			if (nl80211_msg_put_wmm_rules(msg, rule))
1496 				goto nla_put_failure;
1497 		}
1498 	}
1499 
1500 	return 0;
1501 
1502  nla_put_failure:
1503 	return -ENOBUFS;
1504 }
1505 
1506 static bool nl80211_put_txq_stats(struct sk_buff *msg,
1507 				  struct cfg80211_txq_stats *txqstats,
1508 				  int attrtype)
1509 {
1510 	struct nlattr *txqattr;
1511 
1512 #define PUT_TXQVAL_U32(attr, memb) do {					  \
1513 	if (txqstats->filled & BIT(NL80211_TXQ_STATS_ ## attr) &&	  \
1514 	    nla_put_u32(msg, NL80211_TXQ_STATS_ ## attr, txqstats->memb)) \
1515 		return false;						  \
1516 	} while (0)
1517 
1518 	txqattr = nla_nest_start_noflag(msg, attrtype);
1519 	if (!txqattr)
1520 		return false;
1521 
1522 	PUT_TXQVAL_U32(BACKLOG_BYTES, backlog_bytes);
1523 	PUT_TXQVAL_U32(BACKLOG_PACKETS, backlog_packets);
1524 	PUT_TXQVAL_U32(FLOWS, flows);
1525 	PUT_TXQVAL_U32(DROPS, drops);
1526 	PUT_TXQVAL_U32(ECN_MARKS, ecn_marks);
1527 	PUT_TXQVAL_U32(OVERLIMIT, overlimit);
1528 	PUT_TXQVAL_U32(OVERMEMORY, overmemory);
1529 	PUT_TXQVAL_U32(COLLISIONS, collisions);
1530 	PUT_TXQVAL_U32(TX_BYTES, tx_bytes);
1531 	PUT_TXQVAL_U32(TX_PACKETS, tx_packets);
1532 	PUT_TXQVAL_U32(MAX_FLOWS, max_flows);
1533 	nla_nest_end(msg, txqattr);
1534 
1535 #undef PUT_TXQVAL_U32
1536 	return true;
1537 }
1538 
1539 /* netlink command implementations */
1540 
1541 /**
1542  * nl80211_link_id - return link ID
1543  * @attrs: attributes to look at
1544  *
1545  * Returns: the link ID or 0 if not given
1546  *
1547  * Note this function doesn't do any validation of the link
1548  * ID validity wrt. links that were actually added, so it must
1549  * be called only from ops with %NL80211_FLAG_MLO_VALID_LINK_ID
1550  * or if additional validation is done.
1551  */
1552 static unsigned int nl80211_link_id(struct nlattr **attrs)
1553 {
1554 	struct nlattr *linkid = attrs[NL80211_ATTR_MLO_LINK_ID];
1555 
1556 	return nla_get_u8_default(linkid, 0);
1557 }
1558 
1559 static int nl80211_link_id_or_invalid(struct nlattr **attrs)
1560 {
1561 	struct nlattr *linkid = attrs[NL80211_ATTR_MLO_LINK_ID];
1562 
1563 	if (!linkid)
1564 		return -1;
1565 
1566 	return nla_get_u8(linkid);
1567 }
1568 
1569 struct key_parse {
1570 	struct key_params p;
1571 	int idx;
1572 	int type;
1573 	bool def, defmgmt, defbeacon;
1574 	bool def_uni, def_multi;
1575 };
1576 
1577 static int nl80211_parse_key_new(struct genl_info *info, struct nlattr *key,
1578 				 struct key_parse *k)
1579 {
1580 	struct nlattr *tb[NL80211_KEY_MAX + 1];
1581 	int err = nla_parse_nested_deprecated(tb, NL80211_KEY_MAX, key,
1582 					      nl80211_key_policy,
1583 					      info->extack);
1584 	if (err)
1585 		return err;
1586 
1587 	k->def = !!tb[NL80211_KEY_DEFAULT];
1588 	k->defmgmt = !!tb[NL80211_KEY_DEFAULT_MGMT];
1589 	k->defbeacon = !!tb[NL80211_KEY_DEFAULT_BEACON];
1590 
1591 	if (k->def) {
1592 		k->def_uni = true;
1593 		k->def_multi = true;
1594 	}
1595 	if (k->defmgmt || k->defbeacon)
1596 		k->def_multi = true;
1597 
1598 	if (tb[NL80211_KEY_IDX])
1599 		k->idx = nla_get_u8(tb[NL80211_KEY_IDX]);
1600 
1601 	if (tb[NL80211_KEY_DATA]) {
1602 		k->p.key = nla_data(tb[NL80211_KEY_DATA]);
1603 		k->p.key_len = nla_len(tb[NL80211_KEY_DATA]);
1604 	}
1605 
1606 	if (tb[NL80211_KEY_SEQ]) {
1607 		k->p.seq = nla_data(tb[NL80211_KEY_SEQ]);
1608 		k->p.seq_len = nla_len(tb[NL80211_KEY_SEQ]);
1609 	}
1610 
1611 	if (tb[NL80211_KEY_CIPHER])
1612 		k->p.cipher = nla_get_u32(tb[NL80211_KEY_CIPHER]);
1613 
1614 	if (tb[NL80211_KEY_TYPE])
1615 		k->type = nla_get_u32(tb[NL80211_KEY_TYPE]);
1616 
1617 	if (tb[NL80211_KEY_DEFAULT_TYPES]) {
1618 		struct nlattr *kdt[NUM_NL80211_KEY_DEFAULT_TYPES];
1619 
1620 		err = nla_parse_nested_deprecated(kdt,
1621 						  NUM_NL80211_KEY_DEFAULT_TYPES - 1,
1622 						  tb[NL80211_KEY_DEFAULT_TYPES],
1623 						  nl80211_key_default_policy,
1624 						  info->extack);
1625 		if (err)
1626 			return err;
1627 
1628 		k->def_uni = kdt[NL80211_KEY_DEFAULT_TYPE_UNICAST];
1629 		k->def_multi = kdt[NL80211_KEY_DEFAULT_TYPE_MULTICAST];
1630 	}
1631 
1632 	if (tb[NL80211_KEY_MODE])
1633 		k->p.mode = nla_get_u8(tb[NL80211_KEY_MODE]);
1634 
1635 	return 0;
1636 }
1637 
1638 static int nl80211_parse_key_old(struct genl_info *info, struct key_parse *k)
1639 {
1640 	if (info->attrs[NL80211_ATTR_KEY_DATA]) {
1641 		k->p.key = nla_data(info->attrs[NL80211_ATTR_KEY_DATA]);
1642 		k->p.key_len = nla_len(info->attrs[NL80211_ATTR_KEY_DATA]);
1643 	}
1644 
1645 	if (info->attrs[NL80211_ATTR_KEY_SEQ]) {
1646 		k->p.seq = nla_data(info->attrs[NL80211_ATTR_KEY_SEQ]);
1647 		k->p.seq_len = nla_len(info->attrs[NL80211_ATTR_KEY_SEQ]);
1648 	}
1649 
1650 	if (info->attrs[NL80211_ATTR_KEY_IDX])
1651 		k->idx = nla_get_u8(info->attrs[NL80211_ATTR_KEY_IDX]);
1652 
1653 	if (info->attrs[NL80211_ATTR_KEY_CIPHER])
1654 		k->p.cipher = nla_get_u32(info->attrs[NL80211_ATTR_KEY_CIPHER]);
1655 
1656 	k->def = !!info->attrs[NL80211_ATTR_KEY_DEFAULT];
1657 	k->defmgmt = !!info->attrs[NL80211_ATTR_KEY_DEFAULT_MGMT];
1658 
1659 	if (k->def) {
1660 		k->def_uni = true;
1661 		k->def_multi = true;
1662 	}
1663 	if (k->defmgmt)
1664 		k->def_multi = true;
1665 
1666 	if (info->attrs[NL80211_ATTR_KEY_TYPE])
1667 		k->type = nla_get_u32(info->attrs[NL80211_ATTR_KEY_TYPE]);
1668 
1669 	if (info->attrs[NL80211_ATTR_KEY_DEFAULT_TYPES]) {
1670 		struct nlattr *kdt[NUM_NL80211_KEY_DEFAULT_TYPES];
1671 		int err = nla_parse_nested_deprecated(kdt,
1672 						      NUM_NL80211_KEY_DEFAULT_TYPES - 1,
1673 						      info->attrs[NL80211_ATTR_KEY_DEFAULT_TYPES],
1674 						      nl80211_key_default_policy,
1675 						      info->extack);
1676 		if (err)
1677 			return err;
1678 
1679 		k->def_uni = kdt[NL80211_KEY_DEFAULT_TYPE_UNICAST];
1680 		k->def_multi = kdt[NL80211_KEY_DEFAULT_TYPE_MULTICAST];
1681 	}
1682 
1683 	return 0;
1684 }
1685 
1686 static int nl80211_parse_key(struct genl_info *info, struct key_parse *k)
1687 {
1688 	int err;
1689 
1690 	memset(k, 0, sizeof(*k));
1691 	k->idx = -1;
1692 	k->type = -1;
1693 
1694 	if (info->attrs[NL80211_ATTR_KEY])
1695 		err = nl80211_parse_key_new(info, info->attrs[NL80211_ATTR_KEY], k);
1696 	else
1697 		err = nl80211_parse_key_old(info, k);
1698 
1699 	if (err)
1700 		return err;
1701 
1702 	if ((k->def ? 1 : 0) + (k->defmgmt ? 1 : 0) +
1703 	    (k->defbeacon ? 1 : 0) > 1) {
1704 		GENL_SET_ERR_MSG(info,
1705 				 "key with multiple default flags is invalid");
1706 		return -EINVAL;
1707 	}
1708 
1709 	if (k->defmgmt || k->defbeacon) {
1710 		if (k->def_uni || !k->def_multi) {
1711 			GENL_SET_ERR_MSG(info,
1712 					 "defmgmt/defbeacon key must be mcast");
1713 			return -EINVAL;
1714 		}
1715 	}
1716 
1717 	if (k->idx != -1) {
1718 		if (k->defmgmt) {
1719 			if (k->idx < 4 || k->idx > 5) {
1720 				GENL_SET_ERR_MSG(info,
1721 						 "defmgmt key idx not 4 or 5");
1722 				return -EINVAL;
1723 			}
1724 		} else if (k->defbeacon) {
1725 			if (k->idx < 6 || k->idx > 7) {
1726 				GENL_SET_ERR_MSG(info,
1727 						 "defbeacon key idx not 6 or 7");
1728 				return -EINVAL;
1729 			}
1730 		} else if (k->def) {
1731 			if (k->idx < 0 || k->idx > 3) {
1732 				GENL_SET_ERR_MSG(info, "def key idx not 0-3");
1733 				return -EINVAL;
1734 			}
1735 		} else {
1736 			if (k->idx < 0 || k->idx > 7) {
1737 				GENL_SET_ERR_MSG(info, "key idx not 0-7");
1738 				return -EINVAL;
1739 			}
1740 		}
1741 	}
1742 
1743 	return 0;
1744 }
1745 
1746 static struct cfg80211_cached_keys *
1747 nl80211_parse_connkeys(struct cfg80211_registered_device *rdev,
1748 		       struct genl_info *info, bool *no_ht)
1749 {
1750 	struct nlattr *keys = info->attrs[NL80211_ATTR_KEYS];
1751 	struct key_parse parse;
1752 	struct nlattr *key;
1753 	struct cfg80211_cached_keys *result;
1754 	int rem, err, def = 0;
1755 	bool have_key = false;
1756 
1757 	nla_for_each_nested(key, keys, rem) {
1758 		have_key = true;
1759 		break;
1760 	}
1761 
1762 	if (!have_key)
1763 		return NULL;
1764 
1765 	result = kzalloc_obj(*result);
1766 	if (!result)
1767 		return ERR_PTR(-ENOMEM);
1768 
1769 	result->def = -1;
1770 
1771 	nla_for_each_nested(key, keys, rem) {
1772 		memset(&parse, 0, sizeof(parse));
1773 		parse.idx = -1;
1774 
1775 		err = nl80211_parse_key_new(info, key, &parse);
1776 		if (err)
1777 			goto error;
1778 		err = -EINVAL;
1779 		if (!parse.p.key)
1780 			goto error;
1781 		if (parse.idx < 0 || parse.idx > 3) {
1782 			GENL_SET_ERR_MSG(info, "key index out of range [0-3]");
1783 			goto error;
1784 		}
1785 		if (parse.def) {
1786 			if (def) {
1787 				GENL_SET_ERR_MSG(info,
1788 						 "only one key can be default");
1789 				goto error;
1790 			}
1791 			def = 1;
1792 			result->def = parse.idx;
1793 			if (!parse.def_uni || !parse.def_multi)
1794 				goto error;
1795 		} else if (parse.defmgmt)
1796 			goto error;
1797 		err = cfg80211_validate_key_settings(rdev, &parse.p,
1798 						     parse.idx, false, NULL);
1799 		if (err)
1800 			goto error;
1801 		if (parse.p.cipher != WLAN_CIPHER_SUITE_WEP40 &&
1802 		    parse.p.cipher != WLAN_CIPHER_SUITE_WEP104) {
1803 			GENL_SET_ERR_MSG(info, "connect key must be WEP");
1804 			err = -EINVAL;
1805 			goto error;
1806 		}
1807 		result->params[parse.idx].cipher = parse.p.cipher;
1808 		result->params[parse.idx].key_len = parse.p.key_len;
1809 		result->params[parse.idx].key = result->data[parse.idx];
1810 		memcpy(result->data[parse.idx], parse.p.key, parse.p.key_len);
1811 
1812 		/* must be WEP key if we got here */
1813 		if (no_ht)
1814 			*no_ht = true;
1815 	}
1816 
1817 	if (result->def < 0) {
1818 		err = -EINVAL;
1819 		GENL_SET_ERR_MSG(info, "need a default/TX key");
1820 		goto error;
1821 	}
1822 
1823 	return result;
1824  error:
1825 	kfree_sensitive(result);
1826 	return ERR_PTR(err);
1827 }
1828 
1829 static int nl80211_key_allowed(struct wireless_dev *wdev)
1830 {
1831 	lockdep_assert_wiphy(wdev->wiphy);
1832 
1833 	switch (wdev->iftype) {
1834 	case NL80211_IFTYPE_AP:
1835 	case NL80211_IFTYPE_AP_VLAN:
1836 	case NL80211_IFTYPE_P2P_GO:
1837 	case NL80211_IFTYPE_MESH_POINT:
1838 		break;
1839 	case NL80211_IFTYPE_ADHOC:
1840 		if (wdev->u.ibss.current_bss)
1841 			return 0;
1842 		return -ENOLINK;
1843 	case NL80211_IFTYPE_STATION:
1844 	case NL80211_IFTYPE_P2P_CLIENT:
1845 		if (wdev->connected ||
1846 		    (wiphy_ext_feature_isset(wdev->wiphy,
1847 					     NL80211_EXT_FEATURE_ASSOC_FRAME_ENCRYPTION)))
1848 			return 0;
1849 		return -ENOLINK;
1850 	case NL80211_IFTYPE_NAN:
1851 	case NL80211_IFTYPE_NAN_DATA:
1852 		if (wiphy_ext_feature_isset(wdev->wiphy,
1853 					    NL80211_EXT_FEATURE_SECURE_NAN))
1854 			return 0;
1855 		return -EINVAL;
1856 	case NL80211_IFTYPE_UNSPECIFIED:
1857 	case NL80211_IFTYPE_OCB:
1858 	case NL80211_IFTYPE_MONITOR:
1859 	case NL80211_IFTYPE_P2P_DEVICE:
1860 	case NL80211_IFTYPE_WDS:
1861 	case NUM_NL80211_IFTYPES:
1862 		return -EINVAL;
1863 	}
1864 
1865 	return 0;
1866 }
1867 
1868 static struct ieee80211_channel *nl80211_get_valid_chan(struct wiphy *wiphy,
1869 							u32 freq)
1870 {
1871 	struct ieee80211_channel *chan;
1872 
1873 	chan = ieee80211_get_channel_khz(wiphy, freq);
1874 	if (!chan || chan->flags & IEEE80211_CHAN_DISABLED)
1875 		return NULL;
1876 	return chan;
1877 }
1878 
1879 static int nl80211_put_iftypes(struct sk_buff *msg, u32 attr, u16 ifmodes)
1880 {
1881 	struct nlattr *nl_modes = nla_nest_start_noflag(msg, attr);
1882 	int i;
1883 
1884 	if (!nl_modes)
1885 		goto nla_put_failure;
1886 
1887 	i = 0;
1888 	while (ifmodes) {
1889 		if ((ifmodes & 1) && nla_put_flag(msg, i))
1890 			goto nla_put_failure;
1891 		ifmodes >>= 1;
1892 		i++;
1893 	}
1894 
1895 	nla_nest_end(msg, nl_modes);
1896 	return 0;
1897 
1898 nla_put_failure:
1899 	return -ENOBUFS;
1900 }
1901 
1902 static int nl80211_put_ifcomb_data(struct sk_buff *msg, bool large, int idx,
1903 				   const struct ieee80211_iface_combination *c,
1904 				   u16 nested)
1905 {
1906 	struct nlattr *nl_combi, *nl_limits;
1907 	int i;
1908 
1909 	nl_combi = nla_nest_start_noflag(msg, idx | nested);
1910 	if (!nl_combi)
1911 		goto nla_put_failure;
1912 
1913 	nl_limits = nla_nest_start_noflag(msg, NL80211_IFACE_COMB_LIMITS |
1914 					       nested);
1915 	if (!nl_limits)
1916 		goto nla_put_failure;
1917 
1918 	for (i = 0; i < c->n_limits; i++) {
1919 		struct nlattr *nl_limit;
1920 
1921 		nl_limit = nla_nest_start_noflag(msg, i + 1);
1922 		if (!nl_limit)
1923 			goto nla_put_failure;
1924 		if (nla_put_u32(msg, NL80211_IFACE_LIMIT_MAX, c->limits[i].max))
1925 			goto nla_put_failure;
1926 		if (nl80211_put_iftypes(msg, NL80211_IFACE_LIMIT_TYPES,
1927 					c->limits[i].types))
1928 			goto nla_put_failure;
1929 		nla_nest_end(msg, nl_limit);
1930 	}
1931 
1932 	nla_nest_end(msg, nl_limits);
1933 
1934 	if (c->beacon_int_infra_match &&
1935 	    nla_put_flag(msg, NL80211_IFACE_COMB_STA_AP_BI_MATCH))
1936 		goto nla_put_failure;
1937 	if (nla_put_u32(msg, NL80211_IFACE_COMB_NUM_CHANNELS,
1938 			c->num_different_channels) ||
1939 	    nla_put_u32(msg, NL80211_IFACE_COMB_MAXNUM,
1940 			c->max_interfaces))
1941 		goto nla_put_failure;
1942 	if (large &&
1943 	    (nla_put_u32(msg, NL80211_IFACE_COMB_RADAR_DETECT_WIDTHS,
1944 			c->radar_detect_widths) ||
1945 	     nla_put_u32(msg, NL80211_IFACE_COMB_RADAR_DETECT_REGIONS,
1946 			c->radar_detect_regions)))
1947 		goto nla_put_failure;
1948 	if (c->beacon_int_min_gcd &&
1949 	    nla_put_u32(msg, NL80211_IFACE_COMB_BI_MIN_GCD,
1950 			c->beacon_int_min_gcd))
1951 		goto nla_put_failure;
1952 
1953 	nla_nest_end(msg, nl_combi);
1954 
1955 	return 0;
1956 nla_put_failure:
1957 	return -ENOBUFS;
1958 }
1959 
1960 static int nl80211_put_iface_combinations(struct wiphy *wiphy,
1961 					  struct sk_buff *msg,
1962 					  int attr, int radio,
1963 					  bool large, u16 nested)
1964 {
1965 	const struct ieee80211_iface_combination *c;
1966 	struct nlattr *nl_combis;
1967 	int i, n;
1968 
1969 	nl_combis = nla_nest_start_noflag(msg, attr | nested);
1970 	if (!nl_combis)
1971 		goto nla_put_failure;
1972 
1973 	if (radio >= 0) {
1974 		c = wiphy->radio[0].iface_combinations;
1975 		n = wiphy->radio[0].n_iface_combinations;
1976 	} else {
1977 		c = wiphy->iface_combinations;
1978 		n = wiphy->n_iface_combinations;
1979 	}
1980 	for (i = 0; i < n; i++)
1981 		if (nl80211_put_ifcomb_data(msg, large, i + 1, &c[i], nested))
1982 			goto nla_put_failure;
1983 
1984 	nla_nest_end(msg, nl_combis);
1985 
1986 	return 0;
1987 nla_put_failure:
1988 	return -ENOBUFS;
1989 }
1990 
1991 #ifdef CONFIG_PM
1992 static int nl80211_send_wowlan_tcp_caps(struct cfg80211_registered_device *rdev,
1993 					struct sk_buff *msg)
1994 {
1995 	const struct wiphy_wowlan_tcp_support *tcp = rdev->wiphy.wowlan->tcp;
1996 	struct nlattr *nl_tcp;
1997 
1998 	if (!tcp)
1999 		return 0;
2000 
2001 	nl_tcp = nla_nest_start_noflag(msg,
2002 				       NL80211_WOWLAN_TRIG_TCP_CONNECTION);
2003 	if (!nl_tcp)
2004 		return -ENOBUFS;
2005 
2006 	if (nla_put_u32(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD,
2007 			tcp->data_payload_max))
2008 		return -ENOBUFS;
2009 
2010 	if (nla_put_u32(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD,
2011 			tcp->data_payload_max))
2012 		return -ENOBUFS;
2013 
2014 	if (tcp->seq && nla_put_flag(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ))
2015 		return -ENOBUFS;
2016 
2017 	if (tcp->tok && nla_put(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN,
2018 				sizeof(*tcp->tok), tcp->tok))
2019 		return -ENOBUFS;
2020 
2021 	if (nla_put_u32(msg, NL80211_WOWLAN_TCP_DATA_INTERVAL,
2022 			tcp->data_interval_max))
2023 		return -ENOBUFS;
2024 
2025 	if (nla_put_u32(msg, NL80211_WOWLAN_TCP_WAKE_PAYLOAD,
2026 			tcp->wake_payload_max))
2027 		return -ENOBUFS;
2028 
2029 	nla_nest_end(msg, nl_tcp);
2030 	return 0;
2031 }
2032 
2033 static int nl80211_send_wowlan(struct sk_buff *msg,
2034 			       struct cfg80211_registered_device *rdev,
2035 			       bool large)
2036 {
2037 	struct nlattr *nl_wowlan;
2038 
2039 	if (!rdev->wiphy.wowlan)
2040 		return 0;
2041 
2042 	nl_wowlan = nla_nest_start_noflag(msg,
2043 					  NL80211_ATTR_WOWLAN_TRIGGERS_SUPPORTED);
2044 	if (!nl_wowlan)
2045 		return -ENOBUFS;
2046 
2047 	if (((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_ANY) &&
2048 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_ANY)) ||
2049 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_DISCONNECT) &&
2050 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_DISCONNECT)) ||
2051 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_MAGIC_PKT) &&
2052 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_MAGIC_PKT)) ||
2053 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_SUPPORTS_GTK_REKEY) &&
2054 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_GTK_REKEY_SUPPORTED)) ||
2055 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_GTK_REKEY_FAILURE) &&
2056 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE)) ||
2057 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_EAP_IDENTITY_REQ) &&
2058 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST)) ||
2059 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_4WAY_HANDSHAKE) &&
2060 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE)) ||
2061 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_RFKILL_RELEASE) &&
2062 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_RFKILL_RELEASE)))
2063 		return -ENOBUFS;
2064 
2065 	if (rdev->wiphy.wowlan->n_patterns) {
2066 		struct nl80211_pattern_support pat = {
2067 			.max_patterns = rdev->wiphy.wowlan->n_patterns,
2068 			.min_pattern_len = rdev->wiphy.wowlan->pattern_min_len,
2069 			.max_pattern_len = rdev->wiphy.wowlan->pattern_max_len,
2070 			.max_pkt_offset = rdev->wiphy.wowlan->max_pkt_offset,
2071 		};
2072 
2073 		if (nla_put(msg, NL80211_WOWLAN_TRIG_PKT_PATTERN,
2074 			    sizeof(pat), &pat))
2075 			return -ENOBUFS;
2076 	}
2077 
2078 	if ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_NET_DETECT) &&
2079 	    nla_put_u32(msg, NL80211_WOWLAN_TRIG_NET_DETECT,
2080 			rdev->wiphy.wowlan->max_nd_match_sets))
2081 		return -ENOBUFS;
2082 
2083 	if (large && nl80211_send_wowlan_tcp_caps(rdev, msg))
2084 		return -ENOBUFS;
2085 
2086 	nla_nest_end(msg, nl_wowlan);
2087 
2088 	return 0;
2089 }
2090 #endif
2091 
2092 static int nl80211_send_coalesce(struct sk_buff *msg,
2093 				 struct cfg80211_registered_device *rdev)
2094 {
2095 	struct nl80211_coalesce_rule_support rule;
2096 
2097 	if (!rdev->wiphy.coalesce)
2098 		return 0;
2099 
2100 	rule.max_rules = rdev->wiphy.coalesce->n_rules;
2101 	rule.max_delay = rdev->wiphy.coalesce->max_delay;
2102 	rule.pat.max_patterns = rdev->wiphy.coalesce->n_patterns;
2103 	rule.pat.min_pattern_len = rdev->wiphy.coalesce->pattern_min_len;
2104 	rule.pat.max_pattern_len = rdev->wiphy.coalesce->pattern_max_len;
2105 	rule.pat.max_pkt_offset = rdev->wiphy.coalesce->max_pkt_offset;
2106 
2107 	if (nla_put(msg, NL80211_ATTR_COALESCE_RULE, sizeof(rule), &rule))
2108 		return -ENOBUFS;
2109 
2110 	return 0;
2111 }
2112 
2113 static int
2114 nl80211_send_iftype_data(struct sk_buff *msg,
2115 			 const struct ieee80211_supported_band *sband,
2116 			 const struct ieee80211_sband_iftype_data *iftdata)
2117 {
2118 	const struct ieee80211_sta_he_cap *he_cap = &iftdata->he_cap;
2119 	const struct ieee80211_sta_eht_cap *eht_cap = &iftdata->eht_cap;
2120 	const struct ieee80211_sta_uhr_cap *uhr_cap = &iftdata->uhr_cap;
2121 
2122 	if (nl80211_put_iftypes(msg, NL80211_BAND_IFTYPE_ATTR_IFTYPES,
2123 				iftdata->types_mask))
2124 		return -ENOBUFS;
2125 
2126 	if (he_cap->has_he) {
2127 		if (nla_put(msg, NL80211_BAND_IFTYPE_ATTR_HE_CAP_MAC,
2128 			    sizeof(he_cap->he_cap_elem.mac_cap_info),
2129 			    he_cap->he_cap_elem.mac_cap_info) ||
2130 		    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_HE_CAP_PHY,
2131 			    sizeof(he_cap->he_cap_elem.phy_cap_info),
2132 			    he_cap->he_cap_elem.phy_cap_info) ||
2133 		    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_HE_CAP_MCS_SET,
2134 			    sizeof(he_cap->he_mcs_nss_supp),
2135 			    &he_cap->he_mcs_nss_supp) ||
2136 		    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_HE_CAP_PPE,
2137 			    sizeof(he_cap->ppe_thres), he_cap->ppe_thres))
2138 			return -ENOBUFS;
2139 	}
2140 
2141 	if (eht_cap->has_eht && he_cap->has_he) {
2142 		u8 mcs_nss_size, ppe_thresh_size;
2143 		u16 ppe_thres_hdr;
2144 		bool is_ap;
2145 
2146 		is_ap = iftdata->types_mask & BIT(NL80211_IFTYPE_AP) ||
2147 			iftdata->types_mask & BIT(NL80211_IFTYPE_P2P_GO);
2148 
2149 		mcs_nss_size =
2150 			ieee80211_eht_mcs_nss_size(&he_cap->he_cap_elem,
2151 						   &eht_cap->eht_cap_elem,
2152 						   is_ap);
2153 
2154 		ppe_thres_hdr = get_unaligned_le16(&eht_cap->eht_ppe_thres[0]);
2155 		ppe_thresh_size =
2156 			ieee80211_eht_ppe_size(ppe_thres_hdr,
2157 					       eht_cap->eht_cap_elem.phy_cap_info);
2158 
2159 		if (nla_put(msg, NL80211_BAND_IFTYPE_ATTR_EHT_CAP_MAC,
2160 			    sizeof(eht_cap->eht_cap_elem.mac_cap_info),
2161 			    eht_cap->eht_cap_elem.mac_cap_info) ||
2162 		    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_EHT_CAP_PHY,
2163 			    sizeof(eht_cap->eht_cap_elem.phy_cap_info),
2164 			    eht_cap->eht_cap_elem.phy_cap_info) ||
2165 		    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_EHT_CAP_MCS_SET,
2166 			    mcs_nss_size, &eht_cap->eht_mcs_nss_supp) ||
2167 		    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_EHT_CAP_PPE,
2168 			    ppe_thresh_size, eht_cap->eht_ppe_thres))
2169 			return -ENOBUFS;
2170 	}
2171 
2172 	if (uhr_cap->has_uhr) {
2173 		if (nla_put(msg, NL80211_BAND_IFTYPE_ATTR_UHR_CAP_MAC,
2174 			    sizeof(uhr_cap->mac), &uhr_cap->mac) ||
2175 		    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_UHR_CAP_PHY,
2176 			    sizeof(uhr_cap->phy), &uhr_cap->phy))
2177 			return -ENOBUFS;
2178 	}
2179 
2180 	if (sband->band == NL80211_BAND_6GHZ &&
2181 	    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_HE_6GHZ_CAPA,
2182 		    sizeof(iftdata->he_6ghz_capa),
2183 		    &iftdata->he_6ghz_capa))
2184 		return -ENOBUFS;
2185 
2186 	if (iftdata->vendor_elems.data && iftdata->vendor_elems.len &&
2187 	    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_VENDOR_ELEMS,
2188 		    iftdata->vendor_elems.len, iftdata->vendor_elems.data))
2189 		return -ENOBUFS;
2190 
2191 	return 0;
2192 }
2193 
2194 static int nl80211_send_band_rateinfo(struct sk_buff *msg,
2195 				      struct ieee80211_supported_band *sband,
2196 				      bool large)
2197 {
2198 	struct nlattr *nl_rates, *nl_rate;
2199 	struct ieee80211_rate *rate;
2200 	int i;
2201 
2202 	/* add HT info */
2203 	if (sband->ht_cap.ht_supported &&
2204 	    (nla_put(msg, NL80211_BAND_ATTR_HT_MCS_SET,
2205 		     sizeof(sband->ht_cap.mcs),
2206 		     &sband->ht_cap.mcs) ||
2207 	     nla_put_u16(msg, NL80211_BAND_ATTR_HT_CAPA,
2208 			 sband->ht_cap.cap) ||
2209 	     nla_put_u8(msg, NL80211_BAND_ATTR_HT_AMPDU_FACTOR,
2210 			sband->ht_cap.ampdu_factor) ||
2211 	     nla_put_u8(msg, NL80211_BAND_ATTR_HT_AMPDU_DENSITY,
2212 			sband->ht_cap.ampdu_density)))
2213 		return -ENOBUFS;
2214 
2215 	/* add VHT info */
2216 	if (sband->vht_cap.vht_supported &&
2217 	    (nla_put(msg, NL80211_BAND_ATTR_VHT_MCS_SET,
2218 		     sizeof(sband->vht_cap.vht_mcs),
2219 		     &sband->vht_cap.vht_mcs) ||
2220 	     nla_put_u32(msg, NL80211_BAND_ATTR_VHT_CAPA,
2221 			 sband->vht_cap.cap)))
2222 		return -ENOBUFS;
2223 
2224 	if (large && sband->n_iftype_data) {
2225 		struct nlattr *nl_iftype_data =
2226 			nla_nest_start_noflag(msg,
2227 					      NL80211_BAND_ATTR_IFTYPE_DATA);
2228 		const struct ieee80211_sband_iftype_data *iftd;
2229 		int err;
2230 
2231 		if (!nl_iftype_data)
2232 			return -ENOBUFS;
2233 
2234 		for_each_sband_iftype_data(sband, i, iftd) {
2235 			struct nlattr *iftdata;
2236 
2237 			iftdata = nla_nest_start_noflag(msg, i + 1);
2238 			if (!iftdata)
2239 				return -ENOBUFS;
2240 
2241 			err = nl80211_send_iftype_data(msg, sband, iftd);
2242 			if (err)
2243 				return err;
2244 
2245 			nla_nest_end(msg, iftdata);
2246 		}
2247 
2248 		nla_nest_end(msg, nl_iftype_data);
2249 	}
2250 
2251 	/* add EDMG info */
2252 	if (large && sband->edmg_cap.channels &&
2253 	    (nla_put_u8(msg, NL80211_BAND_ATTR_EDMG_CHANNELS,
2254 		       sband->edmg_cap.channels) ||
2255 	    nla_put_u8(msg, NL80211_BAND_ATTR_EDMG_BW_CONFIG,
2256 		       sband->edmg_cap.bw_config)))
2257 
2258 		return -ENOBUFS;
2259 
2260 	/* add bitrates */
2261 	nl_rates = nla_nest_start_noflag(msg, NL80211_BAND_ATTR_RATES);
2262 	if (!nl_rates)
2263 		return -ENOBUFS;
2264 
2265 	for (i = 0; i < sband->n_bitrates; i++) {
2266 		nl_rate = nla_nest_start_noflag(msg, i);
2267 		if (!nl_rate)
2268 			return -ENOBUFS;
2269 
2270 		rate = &sband->bitrates[i];
2271 		if (nla_put_u32(msg, NL80211_BITRATE_ATTR_RATE,
2272 				rate->bitrate))
2273 			return -ENOBUFS;
2274 		if ((rate->flags & IEEE80211_RATE_SHORT_PREAMBLE) &&
2275 		    nla_put_flag(msg,
2276 				 NL80211_BITRATE_ATTR_2GHZ_SHORTPREAMBLE))
2277 			return -ENOBUFS;
2278 
2279 		nla_nest_end(msg, nl_rate);
2280 	}
2281 
2282 	nla_nest_end(msg, nl_rates);
2283 
2284 	/* S1G capabilities */
2285 	if (sband->band == NL80211_BAND_S1GHZ && sband->s1g_cap.s1g &&
2286 	    (nla_put(msg, NL80211_BAND_ATTR_S1G_CAPA,
2287 		     sizeof(sband->s1g_cap.cap),
2288 		     sband->s1g_cap.cap) ||
2289 	     nla_put(msg, NL80211_BAND_ATTR_S1G_MCS_NSS_SET,
2290 		     sizeof(sband->s1g_cap.nss_mcs),
2291 		     sband->s1g_cap.nss_mcs)))
2292 		return -ENOBUFS;
2293 
2294 	return 0;
2295 }
2296 
2297 static int
2298 nl80211_send_mgmt_stypes(struct sk_buff *msg,
2299 			 const struct ieee80211_txrx_stypes *mgmt_stypes)
2300 {
2301 	u16 stypes;
2302 	struct nlattr *nl_ftypes, *nl_ifs;
2303 	enum nl80211_iftype ift;
2304 	int i;
2305 
2306 	if (!mgmt_stypes)
2307 		return 0;
2308 
2309 	nl_ifs = nla_nest_start_noflag(msg, NL80211_ATTR_TX_FRAME_TYPES);
2310 	if (!nl_ifs)
2311 		return -ENOBUFS;
2312 
2313 	for (ift = 0; ift < NUM_NL80211_IFTYPES; ift++) {
2314 		nl_ftypes = nla_nest_start_noflag(msg, ift);
2315 		if (!nl_ftypes)
2316 			return -ENOBUFS;
2317 		i = 0;
2318 		stypes = mgmt_stypes[ift].tx;
2319 		while (stypes) {
2320 			if ((stypes & 1) &&
2321 			    nla_put_u16(msg, NL80211_ATTR_FRAME_TYPE,
2322 					(i << 4) | IEEE80211_FTYPE_MGMT))
2323 				return -ENOBUFS;
2324 			stypes >>= 1;
2325 			i++;
2326 		}
2327 		nla_nest_end(msg, nl_ftypes);
2328 	}
2329 
2330 	nla_nest_end(msg, nl_ifs);
2331 
2332 	nl_ifs = nla_nest_start_noflag(msg, NL80211_ATTR_RX_FRAME_TYPES);
2333 	if (!nl_ifs)
2334 		return -ENOBUFS;
2335 
2336 	for (ift = 0; ift < NUM_NL80211_IFTYPES; ift++) {
2337 		nl_ftypes = nla_nest_start_noflag(msg, ift);
2338 		if (!nl_ftypes)
2339 			return -ENOBUFS;
2340 		i = 0;
2341 		stypes = mgmt_stypes[ift].rx;
2342 		while (stypes) {
2343 			if ((stypes & 1) &&
2344 			    nla_put_u16(msg, NL80211_ATTR_FRAME_TYPE,
2345 					(i << 4) | IEEE80211_FTYPE_MGMT))
2346 				return -ENOBUFS;
2347 			stypes >>= 1;
2348 			i++;
2349 		}
2350 		nla_nest_end(msg, nl_ftypes);
2351 	}
2352 	nla_nest_end(msg, nl_ifs);
2353 
2354 	return 0;
2355 }
2356 
2357 #define CMD(op, n)							\
2358 	 do {								\
2359 		if (rdev->ops->op) {					\
2360 			i++;						\
2361 			if (nla_put_u32(msg, i, NL80211_CMD_ ## n)) 	\
2362 				goto nla_put_failure;			\
2363 		}							\
2364 	} while (0)
2365 
2366 static int nl80211_add_commands_unsplit(struct cfg80211_registered_device *rdev,
2367 					struct sk_buff *msg)
2368 {
2369 	int i = 0;
2370 
2371 	/*
2372 	 * do *NOT* add anything into this function, new things need to be
2373 	 * advertised only to new versions of userspace that can deal with
2374 	 * the split (and they can't possibly care about new features...
2375 	 */
2376 	CMD(add_virtual_intf, NEW_INTERFACE);
2377 	CMD(change_virtual_intf, SET_INTERFACE);
2378 	CMD(add_key, NEW_KEY);
2379 	CMD(start_ap, START_AP);
2380 	CMD(add_station, NEW_STATION);
2381 	CMD(add_mpath, NEW_MPATH);
2382 	CMD(update_mesh_config, SET_MESH_CONFIG);
2383 	CMD(change_bss, SET_BSS);
2384 	CMD(auth, AUTHENTICATE);
2385 	CMD(assoc, ASSOCIATE);
2386 	CMD(deauth, DEAUTHENTICATE);
2387 	CMD(disassoc, DISASSOCIATE);
2388 	CMD(join_ibss, JOIN_IBSS);
2389 	CMD(join_mesh, JOIN_MESH);
2390 	CMD(set_pmksa, SET_PMKSA);
2391 	CMD(del_pmksa, DEL_PMKSA);
2392 	CMD(flush_pmksa, FLUSH_PMKSA);
2393 	if (rdev->wiphy.flags & WIPHY_FLAG_HAS_REMAIN_ON_CHANNEL)
2394 		CMD(remain_on_channel, REMAIN_ON_CHANNEL);
2395 	CMD(set_bitrate_mask, SET_TX_BITRATE_MASK);
2396 	CMD(mgmt_tx, FRAME);
2397 	CMD(mgmt_tx_cancel_wait, FRAME_WAIT_CANCEL);
2398 	if (rdev->wiphy.flags & WIPHY_FLAG_NETNS_OK) {
2399 		i++;
2400 		if (nla_put_u32(msg, i, NL80211_CMD_SET_WIPHY_NETNS))
2401 			goto nla_put_failure;
2402 	}
2403 	if (rdev->ops->set_monitor_channel || rdev->ops->start_ap ||
2404 	    rdev->ops->join_mesh) {
2405 		i++;
2406 		if (nla_put_u32(msg, i, NL80211_CMD_SET_CHANNEL))
2407 			goto nla_put_failure;
2408 	}
2409 	if (rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) {
2410 		CMD(tdls_mgmt, TDLS_MGMT);
2411 		CMD(tdls_oper, TDLS_OPER);
2412 	}
2413 	if (rdev->wiphy.max_sched_scan_reqs)
2414 		CMD(sched_scan_start, START_SCHED_SCAN);
2415 	CMD(probe_client, PROBE_CLIENT);
2416 	CMD(set_noack_map, SET_NOACK_MAP);
2417 	if (rdev->wiphy.flags & WIPHY_FLAG_REPORTS_OBSS) {
2418 		i++;
2419 		if (nla_put_u32(msg, i, NL80211_CMD_REGISTER_BEACONS))
2420 			goto nla_put_failure;
2421 	}
2422 	CMD(start_p2p_device, START_P2P_DEVICE);
2423 	CMD(set_mcast_rate, SET_MCAST_RATE);
2424 #ifdef CONFIG_NL80211_TESTMODE
2425 	CMD(testmode_cmd, TESTMODE);
2426 #endif
2427 
2428 	if (rdev->ops->connect || rdev->ops->auth) {
2429 		i++;
2430 		if (nla_put_u32(msg, i, NL80211_CMD_CONNECT))
2431 			goto nla_put_failure;
2432 	}
2433 
2434 	if (rdev->ops->disconnect || rdev->ops->deauth) {
2435 		i++;
2436 		if (nla_put_u32(msg, i, NL80211_CMD_DISCONNECT))
2437 			goto nla_put_failure;
2438 	}
2439 
2440 	return i;
2441  nla_put_failure:
2442 	return -ENOBUFS;
2443 }
2444 
2445 static int
2446 nl80211_send_pmsr_ftm_capa(const struct cfg80211_pmsr_capabilities *cap,
2447 			   struct sk_buff *msg)
2448 {
2449 	struct nlattr *ftm;
2450 
2451 	if (!cap->ftm.supported)
2452 		return 0;
2453 
2454 	ftm = nla_nest_start_noflag(msg, NL80211_PMSR_TYPE_FTM);
2455 	if (!ftm)
2456 		return -ENOBUFS;
2457 
2458 	if (cap->ftm.asap && nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_ASAP))
2459 		return -ENOBUFS;
2460 	if (cap->ftm.non_asap &&
2461 	    nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_NON_ASAP))
2462 		return -ENOBUFS;
2463 	if (cap->ftm.request_lci &&
2464 	    nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_REQ_LCI))
2465 		return -ENOBUFS;
2466 	if (cap->ftm.request_civicloc &&
2467 	    nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_REQ_CIVICLOC))
2468 		return -ENOBUFS;
2469 	if (nla_put_u32(msg, NL80211_PMSR_FTM_CAPA_ATTR_PREAMBLES,
2470 			cap->ftm.preambles))
2471 		return -ENOBUFS;
2472 	if (nla_put_u32(msg, NL80211_PMSR_FTM_CAPA_ATTR_BANDWIDTHS,
2473 			cap->ftm.bandwidths))
2474 		return -ENOBUFS;
2475 	if (cap->ftm.max_bursts_exponent >= 0 &&
2476 	    nla_put_u32(msg, NL80211_PMSR_FTM_CAPA_ATTR_MAX_BURSTS_EXPONENT,
2477 			cap->ftm.max_bursts_exponent))
2478 		return -ENOBUFS;
2479 	if (cap->ftm.max_ftms_per_burst &&
2480 	    nla_put_u32(msg, NL80211_PMSR_FTM_CAPA_ATTR_MAX_FTMS_PER_BURST,
2481 			cap->ftm.max_ftms_per_burst))
2482 		return -ENOBUFS;
2483 	if (cap->ftm.trigger_based &&
2484 	    nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_TRIGGER_BASED))
2485 		return -ENOBUFS;
2486 	if (cap->ftm.non_trigger_based &&
2487 	    nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_NON_TRIGGER_BASED))
2488 		return -ENOBUFS;
2489 	if (cap->ftm.support_6ghz &&
2490 	    nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_6GHZ_SUPPORT))
2491 		return -ENOBUFS;
2492 	if (nla_put_u32(msg, NL80211_PMSR_FTM_CAPA_ATTR_MAX_TX_LTF_REP,
2493 			cap->ftm.max_tx_ltf_rep))
2494 		return -ENOBUFS;
2495 	if (nla_put_u32(msg, NL80211_PMSR_FTM_CAPA_ATTR_MAX_RX_LTF_REP,
2496 			cap->ftm.max_rx_ltf_rep))
2497 		return -ENOBUFS;
2498 	if (nla_put_u32(msg, NL80211_PMSR_FTM_CAPA_ATTR_MAX_TX_STS,
2499 			cap->ftm.max_tx_sts))
2500 		return -ENOBUFS;
2501 	if (nla_put_u32(msg, NL80211_PMSR_FTM_CAPA_ATTR_MAX_RX_STS,
2502 			cap->ftm.max_rx_sts))
2503 		return -ENOBUFS;
2504 	if (cap->ftm.max_total_ltf_tx > 0 &&
2505 	    nla_put_u32(msg, NL80211_PMSR_FTM_CAPA_ATTR_MAX_TOTAL_LTF_TX,
2506 			cap->ftm.max_total_ltf_tx))
2507 		return -ENOBUFS;
2508 	if (cap->ftm.max_total_ltf_rx > 0 &&
2509 	    nla_put_u32(msg, NL80211_PMSR_FTM_CAPA_ATTR_MAX_TOTAL_LTF_RX,
2510 			cap->ftm.max_total_ltf_rx))
2511 		return -ENOBUFS;
2512 	if (cap->ftm.support_rsta &&
2513 	    nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_RSTA_SUPPORT))
2514 		return -ENOBUFS;
2515 
2516 	nla_nest_end(msg, ftm);
2517 	return 0;
2518 }
2519 
2520 static int nl80211_send_pmsr_capa(struct cfg80211_registered_device *rdev,
2521 				  struct sk_buff *msg)
2522 {
2523 	const struct cfg80211_pmsr_capabilities *cap = rdev->wiphy.pmsr_capa;
2524 	struct nlattr *pmsr, *caps;
2525 
2526 	if (!cap)
2527 		return 0;
2528 
2529 	/*
2530 	 * we don't need to clean up anything here since the caller
2531 	 * will genlmsg_cancel() if we fail
2532 	 */
2533 
2534 	pmsr = nla_nest_start_noflag(msg, NL80211_ATTR_PEER_MEASUREMENTS);
2535 	if (!pmsr)
2536 		return -ENOBUFS;
2537 
2538 	if (nla_put_u32(msg, NL80211_PMSR_ATTR_MAX_PEERS, cap->max_peers))
2539 		return -ENOBUFS;
2540 
2541 	if (cap->report_ap_tsf &&
2542 	    nla_put_flag(msg, NL80211_PMSR_ATTR_REPORT_AP_TSF))
2543 		return -ENOBUFS;
2544 
2545 	if (cap->randomize_mac_addr &&
2546 	    nla_put_flag(msg, NL80211_PMSR_ATTR_RANDOMIZE_MAC_ADDR))
2547 		return -ENOBUFS;
2548 
2549 	caps = nla_nest_start_noflag(msg, NL80211_PMSR_ATTR_TYPE_CAPA);
2550 	if (!caps)
2551 		return -ENOBUFS;
2552 
2553 	if (nl80211_send_pmsr_ftm_capa(cap, msg))
2554 		return -ENOBUFS;
2555 
2556 	nla_nest_end(msg, caps);
2557 	nla_nest_end(msg, pmsr);
2558 
2559 	return 0;
2560 }
2561 
2562 static int
2563 nl80211_put_iftype_akm_suites(struct cfg80211_registered_device *rdev,
2564 			      struct sk_buff *msg)
2565 {
2566 	int i;
2567 	struct nlattr *nested, *nested_akms;
2568 	const struct wiphy_iftype_akm_suites *iftype_akms;
2569 
2570 	if (!rdev->wiphy.num_iftype_akm_suites ||
2571 	    !rdev->wiphy.iftype_akm_suites)
2572 		return 0;
2573 
2574 	nested = nla_nest_start(msg, NL80211_ATTR_IFTYPE_AKM_SUITES);
2575 	if (!nested)
2576 		return -ENOBUFS;
2577 
2578 	for (i = 0; i < rdev->wiphy.num_iftype_akm_suites; i++) {
2579 		nested_akms = nla_nest_start(msg, i + 1);
2580 		if (!nested_akms)
2581 			return -ENOBUFS;
2582 
2583 		iftype_akms = &rdev->wiphy.iftype_akm_suites[i];
2584 
2585 		if (nl80211_put_iftypes(msg, NL80211_IFTYPE_AKM_ATTR_IFTYPES,
2586 					iftype_akms->iftypes_mask))
2587 			return -ENOBUFS;
2588 
2589 		if (nla_put(msg, NL80211_IFTYPE_AKM_ATTR_SUITES,
2590 			    sizeof(u32) * iftype_akms->n_akm_suites,
2591 			    iftype_akms->akm_suites)) {
2592 			return -ENOBUFS;
2593 		}
2594 		nla_nest_end(msg, nested_akms);
2595 	}
2596 
2597 	nla_nest_end(msg, nested);
2598 
2599 	return 0;
2600 }
2601 
2602 static int
2603 nl80211_put_tid_config_support(struct cfg80211_registered_device *rdev,
2604 			       struct sk_buff *msg)
2605 {
2606 	struct nlattr *supp;
2607 
2608 	if (!rdev->wiphy.tid_config_support.vif &&
2609 	    !rdev->wiphy.tid_config_support.peer)
2610 		return 0;
2611 
2612 	supp = nla_nest_start(msg, NL80211_ATTR_TID_CONFIG);
2613 	if (!supp)
2614 		return -ENOSPC;
2615 
2616 	if (rdev->wiphy.tid_config_support.vif &&
2617 	    nla_put_u64_64bit(msg, NL80211_TID_CONFIG_ATTR_VIF_SUPP,
2618 			      rdev->wiphy.tid_config_support.vif,
2619 			      NL80211_TID_CONFIG_ATTR_PAD))
2620 		goto fail;
2621 
2622 	if (rdev->wiphy.tid_config_support.peer &&
2623 	    nla_put_u64_64bit(msg, NL80211_TID_CONFIG_ATTR_PEER_SUPP,
2624 			      rdev->wiphy.tid_config_support.peer,
2625 			      NL80211_TID_CONFIG_ATTR_PAD))
2626 		goto fail;
2627 
2628 	/* for now we just use the same value ... makes more sense */
2629 	if (nla_put_u8(msg, NL80211_TID_CONFIG_ATTR_RETRY_SHORT,
2630 		       rdev->wiphy.tid_config_support.max_retry))
2631 		goto fail;
2632 	if (nla_put_u8(msg, NL80211_TID_CONFIG_ATTR_RETRY_LONG,
2633 		       rdev->wiphy.tid_config_support.max_retry))
2634 		goto fail;
2635 
2636 	nla_nest_end(msg, supp);
2637 
2638 	return 0;
2639 fail:
2640 	nla_nest_cancel(msg, supp);
2641 	return -ENOBUFS;
2642 }
2643 
2644 static int
2645 nl80211_put_sar_specs(struct cfg80211_registered_device *rdev,
2646 		      struct sk_buff *msg)
2647 {
2648 	struct nlattr *sar_capa, *specs, *sub_freq_range;
2649 	u8 num_freq_ranges;
2650 	int i;
2651 
2652 	if (!rdev->wiphy.sar_capa)
2653 		return 0;
2654 
2655 	num_freq_ranges = rdev->wiphy.sar_capa->num_freq_ranges;
2656 
2657 	sar_capa = nla_nest_start(msg, NL80211_ATTR_SAR_SPEC);
2658 	if (!sar_capa)
2659 		return -ENOSPC;
2660 
2661 	if (nla_put_u32(msg, NL80211_SAR_ATTR_TYPE, rdev->wiphy.sar_capa->type))
2662 		goto fail;
2663 
2664 	specs = nla_nest_start(msg, NL80211_SAR_ATTR_SPECS);
2665 	if (!specs)
2666 		goto fail;
2667 
2668 	/* report supported freq_ranges */
2669 	for (i = 0; i < num_freq_ranges; i++) {
2670 		sub_freq_range = nla_nest_start(msg, i + 1);
2671 		if (!sub_freq_range)
2672 			goto fail;
2673 
2674 		if (nla_put_u32(msg, NL80211_SAR_ATTR_SPECS_START_FREQ,
2675 				rdev->wiphy.sar_capa->freq_ranges[i].start_freq))
2676 			goto fail;
2677 
2678 		if (nla_put_u32(msg, NL80211_SAR_ATTR_SPECS_END_FREQ,
2679 				rdev->wiphy.sar_capa->freq_ranges[i].end_freq))
2680 			goto fail;
2681 
2682 		nla_nest_end(msg, sub_freq_range);
2683 	}
2684 
2685 	nla_nest_end(msg, specs);
2686 	nla_nest_end(msg, sar_capa);
2687 
2688 	return 0;
2689 fail:
2690 	nla_nest_cancel(msg, sar_capa);
2691 	return -ENOBUFS;
2692 }
2693 
2694 static int nl80211_put_mbssid_support(struct wiphy *wiphy, struct sk_buff *msg)
2695 {
2696 	struct nlattr *config;
2697 
2698 	if (!wiphy->mbssid_max_interfaces)
2699 		return 0;
2700 
2701 	config = nla_nest_start(msg, NL80211_ATTR_MBSSID_CONFIG);
2702 	if (!config)
2703 		return -ENOBUFS;
2704 
2705 	if (nla_put_u8(msg, NL80211_MBSSID_CONFIG_ATTR_MAX_INTERFACES,
2706 		       wiphy->mbssid_max_interfaces))
2707 		goto fail;
2708 
2709 	if (wiphy->ema_max_profile_periodicity &&
2710 	    nla_put_u8(msg,
2711 		       NL80211_MBSSID_CONFIG_ATTR_MAX_EMA_PROFILE_PERIODICITY,
2712 		       wiphy->ema_max_profile_periodicity))
2713 		goto fail;
2714 
2715 	nla_nest_end(msg, config);
2716 	return 0;
2717 
2718 fail:
2719 	nla_nest_cancel(msg, config);
2720 	return -ENOBUFS;
2721 }
2722 
2723 static int nl80211_put_radio(struct wiphy *wiphy, struct sk_buff *msg, int idx)
2724 {
2725 	const struct wiphy_radio *r = &wiphy->radio[idx];
2726 	const struct wiphy_radio_cfg *rcfg = &wiphy->radio_cfg[idx];
2727 	struct nlattr *radio, *freq;
2728 	int i;
2729 
2730 	radio = nla_nest_start(msg, idx);
2731 	if (!radio)
2732 		return -ENOBUFS;
2733 
2734 	if (nla_put_u32(msg, NL80211_WIPHY_RADIO_ATTR_INDEX, idx))
2735 		goto nla_put_failure;
2736 
2737 	if (rcfg->rts_threshold &&
2738 	    nla_put_u32(msg, NL80211_WIPHY_RADIO_ATTR_RTS_THRESHOLD,
2739 			rcfg->rts_threshold))
2740 		goto nla_put_failure;
2741 
2742 	if (r->antenna_mask &&
2743 	    nla_put_u32(msg, NL80211_WIPHY_RADIO_ATTR_ANTENNA_MASK,
2744 			r->antenna_mask))
2745 		goto nla_put_failure;
2746 
2747 	for (i = 0; i < r->n_freq_range; i++) {
2748 		const struct wiphy_radio_freq_range *range = &r->freq_range[i];
2749 
2750 		freq = nla_nest_start(msg, NL80211_WIPHY_RADIO_ATTR_FREQ_RANGE);
2751 		if (!freq)
2752 			goto nla_put_failure;
2753 
2754 		if (nla_put_u32(msg, NL80211_WIPHY_RADIO_FREQ_ATTR_START,
2755 				range->start_freq) ||
2756 		    nla_put_u32(msg, NL80211_WIPHY_RADIO_FREQ_ATTR_END,
2757 				range->end_freq))
2758 			goto nla_put_failure;
2759 
2760 		nla_nest_end(msg, freq);
2761 	}
2762 
2763 	for (i = 0; i < r->n_iface_combinations; i++)
2764 		if (nl80211_put_ifcomb_data(msg, true,
2765 					    NL80211_WIPHY_RADIO_ATTR_INTERFACE_COMBINATION,
2766 					    &r->iface_combinations[i],
2767 					    NLA_F_NESTED))
2768 			goto nla_put_failure;
2769 
2770 	nla_nest_end(msg, radio);
2771 
2772 	return 0;
2773 
2774 nla_put_failure:
2775 	return -ENOBUFS;
2776 }
2777 
2778 static int nl80211_put_radios(struct wiphy *wiphy, struct sk_buff *msg)
2779 {
2780 	struct nlattr *radios;
2781 	int i;
2782 
2783 	if (!wiphy->n_radio)
2784 		return 0;
2785 
2786 	radios = nla_nest_start(msg, NL80211_ATTR_WIPHY_RADIOS);
2787 	if (!radios)
2788 		return -ENOBUFS;
2789 
2790 	for (i = 0; i < wiphy->n_radio; i++)
2791 		if (nl80211_put_radio(wiphy, msg, i))
2792 			goto fail;
2793 
2794 	nla_nest_end(msg, radios);
2795 
2796 	if (nl80211_put_iface_combinations(wiphy, msg,
2797 					   NL80211_ATTR_WIPHY_INTERFACE_COMBINATIONS,
2798 					   -1, true, NLA_F_NESTED))
2799 		return -ENOBUFS;
2800 
2801 	return 0;
2802 
2803 fail:
2804 	nla_nest_cancel(msg, radios);
2805 	return -ENOBUFS;
2806 }
2807 
2808 static int nl80211_put_nan_phy_cap(struct wiphy *wiphy, struct sk_buff *msg)
2809 {
2810 	struct nlattr *nl_phy_cap;
2811 	const struct ieee80211_sta_ht_cap *ht_cap;
2812 	const struct ieee80211_sta_vht_cap *vht_cap;
2813 	const struct ieee80211_sta_he_cap *he_cap;
2814 
2815 	if (!cfg80211_iftype_allowed(wiphy, NL80211_IFTYPE_NAN_DATA, false, 0))
2816 		return 0;
2817 
2818 	ht_cap = &wiphy->nan_capa.phy.ht;
2819 	vht_cap = &wiphy->nan_capa.phy.vht;
2820 	he_cap = &wiphy->nan_capa.phy.he;
2821 
2822 	/* HT is mandatory */
2823 	if (WARN_ON(!ht_cap->ht_supported))
2824 		return 0;
2825 
2826 	nl_phy_cap = nla_nest_start_noflag(msg, NL80211_NAN_CAPA_PHY);
2827 	if (!nl_phy_cap)
2828 		return -ENOBUFS;
2829 
2830 	if (nla_put(msg, NL80211_NAN_PHY_CAP_ATTR_HT_MCS_SET,
2831 		    sizeof(ht_cap->mcs), &ht_cap->mcs) ||
2832 	    nla_put_u16(msg, NL80211_NAN_PHY_CAP_ATTR_HT_CAPA, ht_cap->cap) ||
2833 	    nla_put_u8(msg, NL80211_NAN_PHY_CAP_ATTR_HT_AMPDU_FACTOR,
2834 		       ht_cap->ampdu_factor) ||
2835 	    nla_put_u8(msg, NL80211_NAN_PHY_CAP_ATTR_HT_AMPDU_DENSITY,
2836 		       ht_cap->ampdu_density))
2837 		goto fail;
2838 
2839 	if (vht_cap->vht_supported) {
2840 		if (nla_put(msg, NL80211_NAN_PHY_CAP_ATTR_VHT_MCS_SET,
2841 			    sizeof(vht_cap->vht_mcs), &vht_cap->vht_mcs) ||
2842 		    nla_put_u32(msg, NL80211_NAN_PHY_CAP_ATTR_VHT_CAPA,
2843 				vht_cap->cap))
2844 			goto fail;
2845 	}
2846 
2847 	if (he_cap->has_he) {
2848 		if (nla_put(msg, NL80211_NAN_PHY_CAP_ATTR_HE_MAC,
2849 			    sizeof(he_cap->he_cap_elem.mac_cap_info),
2850 			    he_cap->he_cap_elem.mac_cap_info) ||
2851 		    nla_put(msg, NL80211_NAN_PHY_CAP_ATTR_HE_PHY,
2852 			    sizeof(he_cap->he_cap_elem.phy_cap_info),
2853 			    he_cap->he_cap_elem.phy_cap_info) ||
2854 		    nla_put(msg, NL80211_NAN_PHY_CAP_ATTR_HE_MCS_SET,
2855 			    sizeof(he_cap->he_mcs_nss_supp),
2856 			    &he_cap->he_mcs_nss_supp) ||
2857 		    nla_put(msg, NL80211_NAN_PHY_CAP_ATTR_HE_PPE,
2858 			    sizeof(he_cap->ppe_thres), he_cap->ppe_thres))
2859 			goto fail;
2860 	}
2861 
2862 	nla_nest_end(msg, nl_phy_cap);
2863 	return 0;
2864 
2865 fail:
2866 	nla_nest_cancel(msg, nl_phy_cap);
2867 	return -ENOBUFS;
2868 }
2869 
2870 static int nl80211_put_nan_capa(struct wiphy *wiphy, struct sk_buff *msg)
2871 {
2872 	struct nlattr *nan_caps;
2873 
2874 	nan_caps = nla_nest_start(msg, NL80211_ATTR_NAN_CAPABILITIES);
2875 	if (!nan_caps)
2876 		return -ENOBUFS;
2877 
2878 	if (wiphy->nan_capa.flags & WIPHY_NAN_FLAGS_CONFIGURABLE_SYNC &&
2879 	    nla_put_flag(msg, NL80211_NAN_CAPA_CONFIGURABLE_SYNC))
2880 		goto fail;
2881 
2882 	if ((wiphy->nan_capa.flags & WIPHY_NAN_FLAGS_USERSPACE_DE) &&
2883 	    nla_put_flag(msg, NL80211_NAN_CAPA_USERSPACE_DE))
2884 		goto fail;
2885 
2886 	if (nla_put_u8(msg, NL80211_NAN_CAPA_OP_MODE,
2887 		       wiphy->nan_capa.op_mode) ||
2888 	    nla_put_u8(msg, NL80211_NAN_CAPA_NUM_ANTENNAS,
2889 		       wiphy->nan_capa.n_antennas) ||
2890 	    nla_put_u16(msg, NL80211_NAN_CAPA_MAX_CHANNEL_SWITCH_TIME,
2891 			wiphy->nan_capa.max_channel_switch_time) ||
2892 	    nla_put_u8(msg, NL80211_NAN_CAPA_CAPABILITIES,
2893 		       wiphy->nan_capa.dev_capabilities))
2894 		goto fail;
2895 
2896 	if (nl80211_put_nan_phy_cap(wiphy, msg))
2897 		goto fail;
2898 
2899 	nla_nest_end(msg, nan_caps);
2900 
2901 	return 0;
2902 
2903 fail:
2904 	nla_nest_cancel(msg, nan_caps);
2905 	return -ENOBUFS;
2906 }
2907 
2908 struct nl80211_dump_wiphy_state {
2909 	s64 filter_wiphy;
2910 	long start;
2911 	long split_start, band_start, chan_start, capa_start;
2912 	bool split;
2913 };
2914 
2915 static int nl80211_send_wiphy(struct cfg80211_registered_device *rdev,
2916 			      enum nl80211_commands cmd,
2917 			      struct sk_buff *msg, u32 portid, u32 seq,
2918 			      int flags, struct nl80211_dump_wiphy_state *state)
2919 {
2920 	void *hdr;
2921 	struct nlattr *nl_bands, *nl_band;
2922 	struct nlattr *nl_freqs, *nl_freq;
2923 	struct nlattr *nl_cmds;
2924 	enum nl80211_band band;
2925 	struct ieee80211_channel *chan;
2926 	int i;
2927 	const struct ieee80211_txrx_stypes *mgmt_stypes =
2928 				rdev->wiphy.mgmt_stypes;
2929 	u32 features;
2930 
2931 	hdr = nl80211hdr_put(msg, portid, seq, flags, cmd);
2932 	if (!hdr)
2933 		return -ENOBUFS;
2934 
2935 	if (WARN_ON(!state))
2936 		return -EINVAL;
2937 
2938 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
2939 	    nla_put_string(msg, NL80211_ATTR_WIPHY_NAME,
2940 			   wiphy_name(&rdev->wiphy)) ||
2941 	    nla_put_u32(msg, NL80211_ATTR_GENERATION,
2942 			cfg80211_rdev_list_generation))
2943 		goto nla_put_failure;
2944 
2945 	if (cmd != NL80211_CMD_NEW_WIPHY)
2946 		goto finish;
2947 
2948 	switch (state->split_start) {
2949 	case 0:
2950 		if (nla_put_u8(msg, NL80211_ATTR_WIPHY_RETRY_SHORT,
2951 			       rdev->wiphy.retry_short) ||
2952 		    nla_put_u8(msg, NL80211_ATTR_WIPHY_RETRY_LONG,
2953 			       rdev->wiphy.retry_long) ||
2954 		    nla_put_u32(msg, NL80211_ATTR_WIPHY_FRAG_THRESHOLD,
2955 				rdev->wiphy.frag_threshold) ||
2956 		    nla_put_u32(msg, NL80211_ATTR_WIPHY_RTS_THRESHOLD,
2957 				rdev->wiphy.rts_threshold) ||
2958 		    nla_put_u8(msg, NL80211_ATTR_WIPHY_COVERAGE_CLASS,
2959 			       rdev->wiphy.coverage_class) ||
2960 		    nla_put_u8(msg, NL80211_ATTR_MAX_NUM_SCAN_SSIDS,
2961 			       rdev->wiphy.max_scan_ssids) ||
2962 		    nla_put_u8(msg, NL80211_ATTR_MAX_NUM_SCHED_SCAN_SSIDS,
2963 			       rdev->wiphy.max_sched_scan_ssids) ||
2964 		    nla_put_u16(msg, NL80211_ATTR_MAX_SCAN_IE_LEN,
2965 				rdev->wiphy.max_scan_ie_len) ||
2966 		    nla_put_u16(msg, NL80211_ATTR_MAX_SCHED_SCAN_IE_LEN,
2967 				rdev->wiphy.max_sched_scan_ie_len) ||
2968 		    nla_put_u8(msg, NL80211_ATTR_MAX_MATCH_SETS,
2969 			       rdev->wiphy.max_match_sets))
2970 			goto nla_put_failure;
2971 
2972 		if ((rdev->wiphy.flags & WIPHY_FLAG_IBSS_RSN) &&
2973 		    nla_put_flag(msg, NL80211_ATTR_SUPPORT_IBSS_RSN))
2974 			goto nla_put_failure;
2975 		if ((rdev->wiphy.flags & WIPHY_FLAG_MESH_AUTH) &&
2976 		    nla_put_flag(msg, NL80211_ATTR_SUPPORT_MESH_AUTH))
2977 			goto nla_put_failure;
2978 		if ((rdev->wiphy.flags & WIPHY_FLAG_AP_UAPSD) &&
2979 		    nla_put_flag(msg, NL80211_ATTR_SUPPORT_AP_UAPSD))
2980 			goto nla_put_failure;
2981 		if ((rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_FW_ROAM) &&
2982 		    nla_put_flag(msg, NL80211_ATTR_ROAM_SUPPORT))
2983 			goto nla_put_failure;
2984 		if ((rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) &&
2985 		    nla_put_flag(msg, NL80211_ATTR_TDLS_SUPPORT))
2986 			goto nla_put_failure;
2987 		if ((rdev->wiphy.flags & WIPHY_FLAG_TDLS_EXTERNAL_SETUP) &&
2988 		    nla_put_flag(msg, NL80211_ATTR_TDLS_EXTERNAL_SETUP))
2989 			goto nla_put_failure;
2990 		state->split_start++;
2991 		if (state->split)
2992 			break;
2993 		fallthrough;
2994 	case 1:
2995 		if (nla_put(msg, NL80211_ATTR_CIPHER_SUITES,
2996 			    sizeof(u32) * rdev->wiphy.n_cipher_suites,
2997 			    rdev->wiphy.cipher_suites))
2998 			goto nla_put_failure;
2999 
3000 		if (nla_put_u8(msg, NL80211_ATTR_MAX_NUM_PMKIDS,
3001 			       rdev->wiphy.max_num_pmkids))
3002 			goto nla_put_failure;
3003 
3004 		if ((rdev->wiphy.flags & WIPHY_FLAG_CONTROL_PORT_PROTOCOL) &&
3005 		    nla_put_flag(msg, NL80211_ATTR_CONTROL_PORT_ETHERTYPE))
3006 			goto nla_put_failure;
3007 
3008 		if (nla_put_u32(msg, NL80211_ATTR_WIPHY_ANTENNA_AVAIL_TX,
3009 				rdev->wiphy.available_antennas_tx) ||
3010 		    nla_put_u32(msg, NL80211_ATTR_WIPHY_ANTENNA_AVAIL_RX,
3011 				rdev->wiphy.available_antennas_rx))
3012 			goto nla_put_failure;
3013 
3014 		if ((rdev->wiphy.flags & WIPHY_FLAG_AP_PROBE_RESP_OFFLOAD) &&
3015 		    nla_put_u32(msg, NL80211_ATTR_PROBE_RESP_OFFLOAD,
3016 				rdev->wiphy.probe_resp_offload))
3017 			goto nla_put_failure;
3018 
3019 		if ((rdev->wiphy.available_antennas_tx ||
3020 		     rdev->wiphy.available_antennas_rx) &&
3021 		    rdev->ops->get_antenna) {
3022 			u32 tx_ant = 0, rx_ant = 0;
3023 			int res;
3024 
3025 			res = rdev_get_antenna(rdev, -1, &tx_ant, &rx_ant);
3026 			if (!res) {
3027 				if (nla_put_u32(msg,
3028 						NL80211_ATTR_WIPHY_ANTENNA_TX,
3029 						tx_ant) ||
3030 				    nla_put_u32(msg,
3031 						NL80211_ATTR_WIPHY_ANTENNA_RX,
3032 						rx_ant))
3033 					goto nla_put_failure;
3034 			}
3035 		}
3036 
3037 		state->split_start++;
3038 		if (state->split)
3039 			break;
3040 		fallthrough;
3041 	case 2:
3042 		if (nl80211_put_iftypes(msg, NL80211_ATTR_SUPPORTED_IFTYPES,
3043 					rdev->wiphy.interface_modes))
3044 				goto nla_put_failure;
3045 		state->split_start++;
3046 		if (state->split)
3047 			break;
3048 		fallthrough;
3049 	case 3:
3050 		nl_bands = nla_nest_start_noflag(msg,
3051 						 NL80211_ATTR_WIPHY_BANDS);
3052 		if (!nl_bands)
3053 			goto nla_put_failure;
3054 
3055 		for (band = state->band_start;
3056 		     band < (state->split ?
3057 				NUM_NL80211_BANDS :
3058 				NL80211_BAND_60GHZ + 1);
3059 		     band++) {
3060 			struct ieee80211_supported_band *sband;
3061 
3062 			/* omit higher bands for ancient software */
3063 			if (band > NL80211_BAND_5GHZ && !state->split)
3064 				break;
3065 
3066 			sband = rdev->wiphy.bands[band];
3067 
3068 			if (!sband)
3069 				continue;
3070 
3071 			nl_band = nla_nest_start_noflag(msg, band);
3072 			if (!nl_band)
3073 				goto nla_put_failure;
3074 
3075 			switch (state->chan_start) {
3076 			case 0:
3077 				if (nl80211_send_band_rateinfo(msg, sband,
3078 							       state->split))
3079 					goto nla_put_failure;
3080 				state->chan_start++;
3081 				if (state->split)
3082 					break;
3083 				fallthrough;
3084 			default:
3085 				/* add frequencies */
3086 				nl_freqs = nla_nest_start_noflag(msg,
3087 								 NL80211_BAND_ATTR_FREQS);
3088 				if (!nl_freqs)
3089 					goto nla_put_failure;
3090 
3091 				for (i = state->chan_start - 1;
3092 				     i < sband->n_channels;
3093 				     i++) {
3094 					nl_freq = nla_nest_start_noflag(msg,
3095 									i);
3096 					if (!nl_freq)
3097 						goto nla_put_failure;
3098 
3099 					chan = &sband->channels[i];
3100 
3101 					if (nl80211_msg_put_channel(
3102 							msg, &rdev->wiphy, chan,
3103 							state->split))
3104 						goto nla_put_failure;
3105 
3106 					nla_nest_end(msg, nl_freq);
3107 					if (state->split)
3108 						break;
3109 				}
3110 				if (i < sband->n_channels)
3111 					state->chan_start = i + 2;
3112 				else
3113 					state->chan_start = 0;
3114 				nla_nest_end(msg, nl_freqs);
3115 			}
3116 
3117 			nla_nest_end(msg, nl_band);
3118 
3119 			if (state->split) {
3120 				/* start again here */
3121 				if (state->chan_start)
3122 					band--;
3123 				break;
3124 			}
3125 		}
3126 		nla_nest_end(msg, nl_bands);
3127 
3128 		if (band < NUM_NL80211_BANDS)
3129 			state->band_start = band + 1;
3130 		else
3131 			state->band_start = 0;
3132 
3133 		/* if bands & channels are done, continue outside */
3134 		if (state->band_start == 0 && state->chan_start == 0)
3135 			state->split_start++;
3136 		if (state->split)
3137 			break;
3138 		fallthrough;
3139 	case 4:
3140 		nl_cmds = nla_nest_start_noflag(msg,
3141 						NL80211_ATTR_SUPPORTED_COMMANDS);
3142 		if (!nl_cmds)
3143 			goto nla_put_failure;
3144 
3145 		i = nl80211_add_commands_unsplit(rdev, msg);
3146 		if (i < 0)
3147 			goto nla_put_failure;
3148 		if (state->split) {
3149 			CMD(crit_proto_start, CRIT_PROTOCOL_START);
3150 			CMD(crit_proto_stop, CRIT_PROTOCOL_STOP);
3151 			if (rdev->wiphy.flags & WIPHY_FLAG_HAS_CHANNEL_SWITCH)
3152 				CMD(channel_switch, CHANNEL_SWITCH);
3153 			CMD(set_qos_map, SET_QOS_MAP);
3154 			if (rdev->wiphy.features &
3155 					NL80211_FEATURE_SUPPORTS_WMM_ADMISSION)
3156 				CMD(add_tx_ts, ADD_TX_TS);
3157 			CMD(set_multicast_to_unicast, SET_MULTICAST_TO_UNICAST);
3158 			CMD(update_connect_params, UPDATE_CONNECT_PARAMS);
3159 			CMD(update_ft_ies, UPDATE_FT_IES);
3160 			if (rdev->wiphy.sar_capa)
3161 				CMD(set_sar_specs, SET_SAR_SPECS);
3162 			CMD(assoc_ml_reconf, ASSOC_MLO_RECONF);
3163 		}
3164 #undef CMD
3165 
3166 		nla_nest_end(msg, nl_cmds);
3167 		state->split_start++;
3168 		if (state->split)
3169 			break;
3170 		fallthrough;
3171 	case 5:
3172 		if (rdev->ops->remain_on_channel &&
3173 		    (rdev->wiphy.flags & WIPHY_FLAG_HAS_REMAIN_ON_CHANNEL) &&
3174 		    nla_put_u32(msg,
3175 				NL80211_ATTR_MAX_REMAIN_ON_CHANNEL_DURATION,
3176 				rdev->wiphy.max_remain_on_channel_duration))
3177 			goto nla_put_failure;
3178 
3179 		if ((rdev->wiphy.flags & WIPHY_FLAG_OFFCHAN_TX) &&
3180 		    nla_put_flag(msg, NL80211_ATTR_OFFCHANNEL_TX_OK))
3181 			goto nla_put_failure;
3182 
3183 		state->split_start++;
3184 		if (state->split)
3185 			break;
3186 		fallthrough;
3187 	case 6:
3188 #ifdef CONFIG_PM
3189 		if (nl80211_send_wowlan(msg, rdev, state->split))
3190 			goto nla_put_failure;
3191 		state->split_start++;
3192 		if (state->split)
3193 			break;
3194 #else
3195 		state->split_start++;
3196 #endif
3197 		fallthrough;
3198 	case 7:
3199 		if (nl80211_put_iftypes(msg, NL80211_ATTR_SOFTWARE_IFTYPES,
3200 					rdev->wiphy.software_iftypes))
3201 			goto nla_put_failure;
3202 
3203 		if (nl80211_put_iface_combinations(&rdev->wiphy, msg,
3204 						   NL80211_ATTR_INTERFACE_COMBINATIONS,
3205 						   rdev->wiphy.n_radio ? 0 : -1,
3206 						   state->split, 0))
3207 			goto nla_put_failure;
3208 
3209 		state->split_start++;
3210 		if (state->split)
3211 			break;
3212 		fallthrough;
3213 	case 8:
3214 		if ((rdev->wiphy.flags & WIPHY_FLAG_HAVE_AP_SME) &&
3215 		    nla_put_u32(msg, NL80211_ATTR_DEVICE_AP_SME,
3216 				rdev->wiphy.ap_sme_capa))
3217 			goto nla_put_failure;
3218 
3219 		features = rdev->wiphy.features;
3220 		/*
3221 		 * We can only add the per-channel limit information if the
3222 		 * dump is split, otherwise it makes it too big. Therefore
3223 		 * only advertise it in that case.
3224 		 */
3225 		if (state->split)
3226 			features |= NL80211_FEATURE_ADVERTISE_CHAN_LIMITS;
3227 		if (nla_put_u32(msg, NL80211_ATTR_FEATURE_FLAGS, features))
3228 			goto nla_put_failure;
3229 
3230 		if (rdev->wiphy.ht_capa_mod_mask &&
3231 		    nla_put(msg, NL80211_ATTR_HT_CAPABILITY_MASK,
3232 			    sizeof(*rdev->wiphy.ht_capa_mod_mask),
3233 			    rdev->wiphy.ht_capa_mod_mask))
3234 			goto nla_put_failure;
3235 
3236 		if (rdev->wiphy.flags & WIPHY_FLAG_HAVE_AP_SME &&
3237 		    rdev->wiphy.max_acl_mac_addrs &&
3238 		    nla_put_u32(msg, NL80211_ATTR_MAC_ACL_MAX,
3239 				rdev->wiphy.max_acl_mac_addrs))
3240 			goto nla_put_failure;
3241 
3242 		/*
3243 		 * Any information below this point is only available to
3244 		 * applications that can deal with it being split. This
3245 		 * helps ensure that newly added capabilities don't break
3246 		 * older tools by overrunning their buffers.
3247 		 *
3248 		 * We still increment split_start so that in the split
3249 		 * case we'll continue with more data in the next round,
3250 		 * but break unconditionally so unsplit data stops here.
3251 		 */
3252 		if (state->split)
3253 			state->split_start++;
3254 		else
3255 			state->split_start = 0;
3256 		break;
3257 	case 9:
3258 		if (nl80211_send_mgmt_stypes(msg, mgmt_stypes))
3259 			goto nla_put_failure;
3260 
3261 		if (nla_put_u32(msg, NL80211_ATTR_MAX_NUM_SCHED_SCAN_PLANS,
3262 				rdev->wiphy.max_sched_scan_plans) ||
3263 		    nla_put_u32(msg, NL80211_ATTR_MAX_SCAN_PLAN_INTERVAL,
3264 				rdev->wiphy.max_sched_scan_plan_interval) ||
3265 		    nla_put_u32(msg, NL80211_ATTR_MAX_SCAN_PLAN_ITERATIONS,
3266 				rdev->wiphy.max_sched_scan_plan_iterations))
3267 			goto nla_put_failure;
3268 
3269 		if (rdev->wiphy.extended_capabilities &&
3270 		    (nla_put(msg, NL80211_ATTR_EXT_CAPA,
3271 			     rdev->wiphy.extended_capabilities_len,
3272 			     rdev->wiphy.extended_capabilities) ||
3273 		     nla_put(msg, NL80211_ATTR_EXT_CAPA_MASK,
3274 			     rdev->wiphy.extended_capabilities_len,
3275 			     rdev->wiphy.extended_capabilities_mask)))
3276 			goto nla_put_failure;
3277 
3278 		if (rdev->wiphy.vht_capa_mod_mask &&
3279 		    nla_put(msg, NL80211_ATTR_VHT_CAPABILITY_MASK,
3280 			    sizeof(*rdev->wiphy.vht_capa_mod_mask),
3281 			    rdev->wiphy.vht_capa_mod_mask))
3282 			goto nla_put_failure;
3283 
3284 		if (nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN,
3285 			    rdev->wiphy.perm_addr))
3286 			goto nla_put_failure;
3287 
3288 		if (!is_zero_ether_addr(rdev->wiphy.addr_mask) &&
3289 		    nla_put(msg, NL80211_ATTR_MAC_MASK, ETH_ALEN,
3290 			    rdev->wiphy.addr_mask))
3291 			goto nla_put_failure;
3292 
3293 		if (rdev->wiphy.n_addresses > 1) {
3294 			void *attr;
3295 
3296 			attr = nla_nest_start(msg, NL80211_ATTR_MAC_ADDRS);
3297 			if (!attr)
3298 				goto nla_put_failure;
3299 
3300 			for (i = 0; i < rdev->wiphy.n_addresses; i++)
3301 				if (nla_put(msg, i + 1, ETH_ALEN,
3302 					    rdev->wiphy.addresses[i].addr))
3303 					goto nla_put_failure;
3304 
3305 			nla_nest_end(msg, attr);
3306 		}
3307 
3308 		state->split_start++;
3309 		break;
3310 	case 10:
3311 		if (nl80211_send_coalesce(msg, rdev))
3312 			goto nla_put_failure;
3313 
3314 		if ((rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_5_10_MHZ) &&
3315 		    (nla_put_flag(msg, NL80211_ATTR_SUPPORT_5_MHZ) ||
3316 		     nla_put_flag(msg, NL80211_ATTR_SUPPORT_10_MHZ)))
3317 			goto nla_put_failure;
3318 
3319 		if (rdev->wiphy.max_ap_assoc_sta &&
3320 		    nla_put_u32(msg, NL80211_ATTR_MAX_AP_ASSOC_STA,
3321 				rdev->wiphy.max_ap_assoc_sta))
3322 			goto nla_put_failure;
3323 
3324 		state->split_start++;
3325 		break;
3326 	case 11:
3327 		if (rdev->wiphy.n_vendor_commands) {
3328 			const struct nl80211_vendor_cmd_info *info;
3329 			struct nlattr *nested;
3330 
3331 			nested = nla_nest_start_noflag(msg,
3332 						       NL80211_ATTR_VENDOR_DATA);
3333 			if (!nested)
3334 				goto nla_put_failure;
3335 
3336 			for (i = 0; i < rdev->wiphy.n_vendor_commands; i++) {
3337 				info = &rdev->wiphy.vendor_commands[i].info;
3338 				if (nla_put(msg, i + 1, sizeof(*info), info))
3339 					goto nla_put_failure;
3340 			}
3341 			nla_nest_end(msg, nested);
3342 		}
3343 
3344 		if (rdev->wiphy.n_vendor_events) {
3345 			const struct nl80211_vendor_cmd_info *info;
3346 			struct nlattr *nested;
3347 
3348 			nested = nla_nest_start_noflag(msg,
3349 						       NL80211_ATTR_VENDOR_EVENTS);
3350 			if (!nested)
3351 				goto nla_put_failure;
3352 
3353 			for (i = 0; i < rdev->wiphy.n_vendor_events; i++) {
3354 				info = &rdev->wiphy.vendor_events[i];
3355 				if (nla_put(msg, i + 1, sizeof(*info), info))
3356 					goto nla_put_failure;
3357 			}
3358 			nla_nest_end(msg, nested);
3359 		}
3360 		state->split_start++;
3361 		break;
3362 	case 12:
3363 		if (rdev->wiphy.flags & WIPHY_FLAG_HAS_CHANNEL_SWITCH &&
3364 		    nla_put_u8(msg, NL80211_ATTR_MAX_CSA_COUNTERS,
3365 			       rdev->wiphy.max_num_csa_counters))
3366 			goto nla_put_failure;
3367 
3368 		if (rdev->wiphy.regulatory_flags & REGULATORY_WIPHY_SELF_MANAGED &&
3369 		    nla_put_flag(msg, NL80211_ATTR_WIPHY_SELF_MANAGED_REG))
3370 			goto nla_put_failure;
3371 
3372 		if (rdev->wiphy.max_sched_scan_reqs &&
3373 		    nla_put_u32(msg, NL80211_ATTR_SCHED_SCAN_MAX_REQS,
3374 				rdev->wiphy.max_sched_scan_reqs))
3375 			goto nla_put_failure;
3376 
3377 		if (nla_put(msg, NL80211_ATTR_EXT_FEATURES,
3378 			    sizeof(rdev->wiphy.ext_features),
3379 			    rdev->wiphy.ext_features))
3380 			goto nla_put_failure;
3381 
3382 		if (rdev->wiphy.bss_param_support) {
3383 			struct nlattr *nested;
3384 			u32 parsup = rdev->wiphy.bss_param_support;
3385 
3386 			nested = nla_nest_start(msg, NL80211_ATTR_BSS_PARAM);
3387 			if (!nested)
3388 				goto nla_put_failure;
3389 
3390 			if ((parsup & WIPHY_BSS_PARAM_CTS_PROT) &&
3391 			    nla_put_flag(msg, NL80211_ATTR_BSS_CTS_PROT))
3392 				goto nla_put_failure;
3393 			if ((parsup & WIPHY_BSS_PARAM_SHORT_PREAMBLE) &&
3394 			    nla_put_flag(msg, NL80211_ATTR_BSS_SHORT_PREAMBLE))
3395 				goto nla_put_failure;
3396 			if ((parsup & WIPHY_BSS_PARAM_SHORT_SLOT_TIME) &&
3397 			    nla_put_flag(msg, NL80211_ATTR_BSS_SHORT_SLOT_TIME))
3398 				goto nla_put_failure;
3399 			if ((parsup & WIPHY_BSS_PARAM_BASIC_RATES) &&
3400 			    nla_put_flag(msg, NL80211_ATTR_BSS_BASIC_RATES))
3401 				goto nla_put_failure;
3402 			if ((parsup & WIPHY_BSS_PARAM_AP_ISOLATE) &&
3403 			    nla_put_flag(msg, NL80211_ATTR_AP_ISOLATE))
3404 				goto nla_put_failure;
3405 			if ((parsup & WIPHY_BSS_PARAM_HT_OPMODE) &&
3406 			    nla_put_flag(msg, NL80211_ATTR_BSS_HT_OPMODE))
3407 				goto nla_put_failure;
3408 			if ((parsup & WIPHY_BSS_PARAM_P2P_CTWINDOW) &&
3409 			    nla_put_flag(msg, NL80211_ATTR_P2P_CTWINDOW))
3410 				goto nla_put_failure;
3411 			if ((parsup & WIPHY_BSS_PARAM_P2P_OPPPS) &&
3412 			    nla_put_flag(msg, NL80211_ATTR_P2P_OPPPS))
3413 				goto nla_put_failure;
3414 			nla_nest_end(msg, nested);
3415 		}
3416 		if (rdev->wiphy.bss_select_support) {
3417 			struct nlattr *nested;
3418 			u32 bss_select_support = rdev->wiphy.bss_select_support;
3419 
3420 			nested = nla_nest_start_noflag(msg,
3421 						       NL80211_ATTR_BSS_SELECT);
3422 			if (!nested)
3423 				goto nla_put_failure;
3424 
3425 			i = 0;
3426 			while (bss_select_support) {
3427 				if ((bss_select_support & 1) &&
3428 				    nla_put_flag(msg, i))
3429 					goto nla_put_failure;
3430 				i++;
3431 				bss_select_support >>= 1;
3432 			}
3433 			nla_nest_end(msg, nested);
3434 		}
3435 
3436 		state->split_start++;
3437 		break;
3438 	case 13:
3439 		if (rdev->wiphy.num_iftype_ext_capab &&
3440 		    rdev->wiphy.iftype_ext_capab) {
3441 			struct nlattr *nested_ext_capab, *nested;
3442 
3443 			nested = nla_nest_start_noflag(msg,
3444 						       NL80211_ATTR_IFTYPE_EXT_CAPA);
3445 			if (!nested)
3446 				goto nla_put_failure;
3447 
3448 			for (i = state->capa_start;
3449 			     i < rdev->wiphy.num_iftype_ext_capab; i++) {
3450 				const struct wiphy_iftype_ext_capab *capab;
3451 
3452 				capab = &rdev->wiphy.iftype_ext_capab[i];
3453 
3454 				nested_ext_capab = nla_nest_start_noflag(msg,
3455 									 i);
3456 				if (!nested_ext_capab ||
3457 				    nla_put_u32(msg, NL80211_ATTR_IFTYPE,
3458 						capab->iftype) ||
3459 				    nla_put(msg, NL80211_ATTR_EXT_CAPA,
3460 					    capab->extended_capabilities_len,
3461 					    capab->extended_capabilities) ||
3462 				    nla_put(msg, NL80211_ATTR_EXT_CAPA_MASK,
3463 					    capab->extended_capabilities_len,
3464 					    capab->extended_capabilities_mask))
3465 					goto nla_put_failure;
3466 
3467 				if (rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_MLO &&
3468 				    (nla_put_u16(msg,
3469 						 NL80211_ATTR_EML_CAPABILITY,
3470 						 capab->eml_capabilities) ||
3471 				     nla_put_u16(msg,
3472 						 NL80211_ATTR_MLD_CAPA_AND_OPS,
3473 						 capab->mld_capa_and_ops)))
3474 					goto nla_put_failure;
3475 
3476 				nla_nest_end(msg, nested_ext_capab);
3477 				if (state->split)
3478 					break;
3479 			}
3480 			nla_nest_end(msg, nested);
3481 			if (i < rdev->wiphy.num_iftype_ext_capab) {
3482 				state->capa_start = i + 1;
3483 				break;
3484 			}
3485 		}
3486 
3487 		if (nla_put_u32(msg, NL80211_ATTR_BANDS,
3488 				rdev->wiphy.nan_supported_bands))
3489 			goto nla_put_failure;
3490 
3491 		if (wiphy_ext_feature_isset(&rdev->wiphy,
3492 					    NL80211_EXT_FEATURE_TXQS)) {
3493 			struct cfg80211_txq_stats txqstats = {};
3494 			int res;
3495 
3496 			res = rdev_get_txq_stats(rdev, NULL, &txqstats);
3497 			if (!res &&
3498 			    !nl80211_put_txq_stats(msg, &txqstats,
3499 						   NL80211_ATTR_TXQ_STATS))
3500 				goto nla_put_failure;
3501 
3502 			if (nla_put_u32(msg, NL80211_ATTR_TXQ_LIMIT,
3503 					rdev->wiphy.txq_limit))
3504 				goto nla_put_failure;
3505 			if (nla_put_u32(msg, NL80211_ATTR_TXQ_MEMORY_LIMIT,
3506 					rdev->wiphy.txq_memory_limit))
3507 				goto nla_put_failure;
3508 			if (nla_put_u32(msg, NL80211_ATTR_TXQ_QUANTUM,
3509 					rdev->wiphy.txq_quantum))
3510 				goto nla_put_failure;
3511 		}
3512 
3513 		state->split_start++;
3514 		break;
3515 	case 14:
3516 		if (nl80211_send_pmsr_capa(rdev, msg))
3517 			goto nla_put_failure;
3518 
3519 		state->split_start++;
3520 		break;
3521 	case 15:
3522 		if (rdev->wiphy.akm_suites &&
3523 		    nla_put(msg, NL80211_ATTR_AKM_SUITES,
3524 			    sizeof(u32) * rdev->wiphy.n_akm_suites,
3525 			    rdev->wiphy.akm_suites))
3526 			goto nla_put_failure;
3527 
3528 		if (nl80211_put_iftype_akm_suites(rdev, msg))
3529 			goto nla_put_failure;
3530 
3531 		if (nl80211_put_tid_config_support(rdev, msg))
3532 			goto nla_put_failure;
3533 		state->split_start++;
3534 		break;
3535 	case 16:
3536 		if (nl80211_put_sar_specs(rdev, msg))
3537 			goto nla_put_failure;
3538 
3539 		if (nl80211_put_mbssid_support(&rdev->wiphy, msg))
3540 			goto nla_put_failure;
3541 
3542 		if (nla_put_u16(msg, NL80211_ATTR_MAX_NUM_AKM_SUITES,
3543 				rdev->wiphy.max_num_akm_suites))
3544 			goto nla_put_failure;
3545 
3546 		if (rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_MLO)
3547 			nla_put_flag(msg, NL80211_ATTR_MLO_SUPPORT);
3548 
3549 		if (rdev->wiphy.hw_timestamp_max_peers &&
3550 		    nla_put_u16(msg, NL80211_ATTR_MAX_HW_TIMESTAMP_PEERS,
3551 				rdev->wiphy.hw_timestamp_max_peers))
3552 			goto nla_put_failure;
3553 
3554 		state->split_start++;
3555 		break;
3556 	case 17:
3557 		if (nl80211_put_radios(&rdev->wiphy, msg))
3558 			goto nla_put_failure;
3559 
3560 		state->split_start++;
3561 		break;
3562 	case 18:
3563 		if (nl80211_put_nan_capa(&rdev->wiphy, msg))
3564 			goto nla_put_failure;
3565 
3566 		/* done */
3567 		state->split_start = 0;
3568 		break;
3569 	}
3570  finish:
3571 	genlmsg_end(msg, hdr);
3572 	return 0;
3573 
3574  nla_put_failure:
3575 	genlmsg_cancel(msg, hdr);
3576 	return -EMSGSIZE;
3577 }
3578 
3579 static int nl80211_dump_wiphy_parse(struct sk_buff *skb,
3580 				    struct netlink_callback *cb,
3581 				    struct nl80211_dump_wiphy_state *state)
3582 {
3583 	struct nlattr **tb = kzalloc_objs(*tb, NUM_NL80211_ATTR);
3584 	int ret;
3585 
3586 	if (!tb)
3587 		return -ENOMEM;
3588 
3589 	ret = nlmsg_parse_deprecated(cb->nlh,
3590 				     GENL_HDRLEN + nl80211_fam.hdrsize,
3591 				     tb, nl80211_fam.maxattr,
3592 				     nl80211_policy, NULL);
3593 	/* ignore parse errors for backward compatibility */
3594 	if (ret) {
3595 		ret = 0;
3596 		goto out;
3597 	}
3598 
3599 	state->split = tb[NL80211_ATTR_SPLIT_WIPHY_DUMP];
3600 	if (tb[NL80211_ATTR_WIPHY])
3601 		state->filter_wiphy = nla_get_u32(tb[NL80211_ATTR_WIPHY]);
3602 	if (tb[NL80211_ATTR_WDEV])
3603 		state->filter_wiphy = nla_get_u64(tb[NL80211_ATTR_WDEV]) >> 32;
3604 	if (tb[NL80211_ATTR_IFINDEX]) {
3605 		struct net_device *netdev;
3606 		struct cfg80211_registered_device *rdev;
3607 		int ifidx = nla_get_u32(tb[NL80211_ATTR_IFINDEX]);
3608 
3609 		netdev = __dev_get_by_index(sock_net(skb->sk), ifidx);
3610 		if (!netdev) {
3611 			ret = -ENODEV;
3612 			goto out;
3613 		}
3614 		if (netdev->ieee80211_ptr) {
3615 			rdev = wiphy_to_rdev(
3616 				netdev->ieee80211_ptr->wiphy);
3617 			state->filter_wiphy = rdev->wiphy_idx;
3618 		}
3619 	}
3620 
3621 	ret = 0;
3622 out:
3623 	kfree(tb);
3624 	return ret;
3625 }
3626 
3627 static int nl80211_dump_wiphy(struct sk_buff *skb, struct netlink_callback *cb)
3628 {
3629 	int idx = 0, ret;
3630 	struct nl80211_dump_wiphy_state *state = (void *)cb->args[0];
3631 	struct cfg80211_registered_device *rdev;
3632 
3633 	rtnl_lock();
3634 	if (!state) {
3635 		state = kzalloc_obj(*state);
3636 		if (!state) {
3637 			rtnl_unlock();
3638 			return -ENOMEM;
3639 		}
3640 		state->filter_wiphy = -1;
3641 		ret = nl80211_dump_wiphy_parse(skb, cb, state);
3642 		if (ret) {
3643 			kfree(state);
3644 			rtnl_unlock();
3645 			return ret;
3646 		}
3647 		cb->args[0] = (long)state;
3648 	}
3649 
3650 	for_each_rdev(rdev) {
3651 		if (!net_eq(wiphy_net(&rdev->wiphy), sock_net(skb->sk)))
3652 			continue;
3653 		if (++idx <= state->start)
3654 			continue;
3655 		if (state->filter_wiphy != -1 &&
3656 		    state->filter_wiphy != rdev->wiphy_idx)
3657 			continue;
3658 		wiphy_lock(&rdev->wiphy);
3659 		/* attempt to fit multiple wiphy data chunks into the skb */
3660 		do {
3661 			ret = nl80211_send_wiphy(rdev, NL80211_CMD_NEW_WIPHY,
3662 						 skb,
3663 						 NETLINK_CB(cb->skb).portid,
3664 						 cb->nlh->nlmsg_seq,
3665 						 NLM_F_MULTI, state);
3666 			if (ret < 0) {
3667 				/*
3668 				 * If sending the wiphy data didn't fit (ENOBUFS
3669 				 * or EMSGSIZE returned), this SKB is still
3670 				 * empty (so it's not too big because another
3671 				 * wiphy dataset is already in the skb) and
3672 				 * we've not tried to adjust the dump allocation
3673 				 * yet ... then adjust the alloc size to be
3674 				 * bigger, and return 1 but with the empty skb.
3675 				 * This results in an empty message being RX'ed
3676 				 * in userspace, but that is ignored.
3677 				 *
3678 				 * We can then retry with the larger buffer.
3679 				 */
3680 				if ((ret == -ENOBUFS || ret == -EMSGSIZE) &&
3681 				    !skb->len && !state->split &&
3682 				    cb->min_dump_alloc < 4096) {
3683 					cb->min_dump_alloc = 4096;
3684 					state->split_start = 0;
3685 					wiphy_unlock(&rdev->wiphy);
3686 					rtnl_unlock();
3687 					return 1;
3688 				}
3689 				idx--;
3690 				break;
3691 			}
3692 		} while (state->split_start > 0);
3693 		wiphy_unlock(&rdev->wiphy);
3694 		break;
3695 	}
3696 	rtnl_unlock();
3697 
3698 	state->start = idx;
3699 
3700 	return skb->len;
3701 }
3702 
3703 static int nl80211_dump_wiphy_done(struct netlink_callback *cb)
3704 {
3705 	kfree((void *)cb->args[0]);
3706 	return 0;
3707 }
3708 
3709 static int nl80211_get_wiphy(struct sk_buff *skb, struct genl_info *info)
3710 {
3711 	struct sk_buff *msg;
3712 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
3713 	struct nl80211_dump_wiphy_state state = {};
3714 
3715 	msg = nlmsg_new(4096, GFP_KERNEL);
3716 	if (!msg)
3717 		return -ENOMEM;
3718 
3719 	if (nl80211_send_wiphy(rdev, NL80211_CMD_NEW_WIPHY, msg,
3720 			       info->snd_portid, info->snd_seq, 0,
3721 			       &state) < 0) {
3722 		nlmsg_free(msg);
3723 		return -ENOBUFS;
3724 	}
3725 
3726 	return genlmsg_reply(msg, info);
3727 }
3728 
3729 static const struct nla_policy txq_params_policy[NL80211_TXQ_ATTR_MAX + 1] = {
3730 	[NL80211_TXQ_ATTR_QUEUE]		= { .type = NLA_U8 },
3731 	[NL80211_TXQ_ATTR_TXOP]			= { .type = NLA_U16 },
3732 	[NL80211_TXQ_ATTR_CWMIN]		= { .type = NLA_U16 },
3733 	[NL80211_TXQ_ATTR_CWMAX]		= { .type = NLA_U16 },
3734 	[NL80211_TXQ_ATTR_AIFS]			= { .type = NLA_U8 },
3735 };
3736 
3737 static int parse_txq_params(struct nlattr *tb[],
3738 			    struct ieee80211_txq_params *txq_params)
3739 {
3740 	u8 ac;
3741 
3742 	if (!tb[NL80211_TXQ_ATTR_AC] || !tb[NL80211_TXQ_ATTR_TXOP] ||
3743 	    !tb[NL80211_TXQ_ATTR_CWMIN] || !tb[NL80211_TXQ_ATTR_CWMAX] ||
3744 	    !tb[NL80211_TXQ_ATTR_AIFS])
3745 		return -EINVAL;
3746 
3747 	ac = nla_get_u8(tb[NL80211_TXQ_ATTR_AC]);
3748 	txq_params->txop = nla_get_u16(tb[NL80211_TXQ_ATTR_TXOP]);
3749 	txq_params->cwmin = nla_get_u16(tb[NL80211_TXQ_ATTR_CWMIN]);
3750 	txq_params->cwmax = nla_get_u16(tb[NL80211_TXQ_ATTR_CWMAX]);
3751 	txq_params->aifs = nla_get_u8(tb[NL80211_TXQ_ATTR_AIFS]);
3752 
3753 	if (ac >= NL80211_NUM_ACS)
3754 		return -EINVAL;
3755 	txq_params->ac = array_index_nospec(ac, NL80211_NUM_ACS);
3756 	return 0;
3757 }
3758 
3759 static bool nl80211_can_set_dev_channel(struct wireless_dev *wdev)
3760 {
3761 	/*
3762 	 * You can only set the channel explicitly for some interfaces,
3763 	 * most have their channel managed via their respective
3764 	 * "establish a connection" command (connect, join, ...)
3765 	 *
3766 	 * For AP/GO and mesh mode, the channel can be set with the
3767 	 * channel userspace API, but is only stored and passed to the
3768 	 * low-level driver when the AP starts or the mesh is joined.
3769 	 * This is for backward compatibility, userspace can also give
3770 	 * the channel in the start-ap or join-mesh commands instead.
3771 	 *
3772 	 * Monitors are special as they are normally slaved to
3773 	 * whatever else is going on, so they have their own special
3774 	 * operation to set the monitor channel if possible.
3775 	 */
3776 	return !wdev ||
3777 		wdev->iftype == NL80211_IFTYPE_AP ||
3778 		wdev->iftype == NL80211_IFTYPE_MESH_POINT ||
3779 		wdev->iftype == NL80211_IFTYPE_MONITOR ||
3780 		wdev->iftype == NL80211_IFTYPE_P2P_GO;
3781 }
3782 
3783 static int _nl80211_parse_chandef(struct cfg80211_registered_device *rdev,
3784 				  struct netlink_ext_ack *extack,
3785 				  struct nlattr **attrs, bool monitor,
3786 				  struct cfg80211_chan_def *chandef)
3787 {
3788 	u32 control_freq;
3789 
3790 	if (!attrs[NL80211_ATTR_WIPHY_FREQ]) {
3791 		NL_SET_ERR_MSG_ATTR(extack, attrs[NL80211_ATTR_WIPHY_FREQ],
3792 				    "Frequency is missing");
3793 		return -EINVAL;
3794 	}
3795 
3796 	control_freq = MHZ_TO_KHZ(
3797 			nla_get_u32(attrs[NL80211_ATTR_WIPHY_FREQ]));
3798 	if (attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET])
3799 		control_freq +=
3800 		    nla_get_u32(attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET]);
3801 
3802 	memset(chandef, 0, sizeof(*chandef));
3803 	chandef->chan = ieee80211_get_channel_khz(&rdev->wiphy, control_freq);
3804 	chandef->width = NL80211_CHAN_WIDTH_20_NOHT;
3805 	chandef->center_freq1 = KHZ_TO_MHZ(control_freq);
3806 	chandef->freq1_offset = control_freq % 1000;
3807 	chandef->center_freq2 = 0;
3808 	chandef->s1g_primary_2mhz = false;
3809 
3810 	if (!chandef->chan) {
3811 		NL_SET_ERR_MSG_ATTR(extack, attrs[NL80211_ATTR_WIPHY_FREQ],
3812 				    "Unknown channel");
3813 		return -EINVAL;
3814 	}
3815 
3816 	if (cfg80211_chandef_is_s1g(chandef))
3817 		chandef->width = NL80211_CHAN_WIDTH_1;
3818 
3819 	if (attrs[NL80211_ATTR_WIPHY_CHANNEL_TYPE]) {
3820 		enum nl80211_channel_type chantype;
3821 
3822 		chantype = nla_get_u32(attrs[NL80211_ATTR_WIPHY_CHANNEL_TYPE]);
3823 
3824 		switch (chantype) {
3825 		case NL80211_CHAN_NO_HT:
3826 		case NL80211_CHAN_HT20:
3827 		case NL80211_CHAN_HT40PLUS:
3828 		case NL80211_CHAN_HT40MINUS:
3829 			if (chandef->chan->band == NL80211_BAND_60GHZ ||
3830 			    chandef->chan->band == NL80211_BAND_S1GHZ)
3831 				return -EINVAL;
3832 			cfg80211_chandef_create(chandef, chandef->chan,
3833 						chantype);
3834 			/* user input for center_freq is incorrect */
3835 			if (attrs[NL80211_ATTR_CENTER_FREQ1] &&
3836 			    chandef->center_freq1 != nla_get_u32(attrs[NL80211_ATTR_CENTER_FREQ1])) {
3837 				NL_SET_ERR_MSG_ATTR(extack,
3838 						    attrs[NL80211_ATTR_CENTER_FREQ1],
3839 						    "bad center frequency 1");
3840 				return -EINVAL;
3841 			}
3842 			/* center_freq2 must be zero */
3843 			if (attrs[NL80211_ATTR_CENTER_FREQ2] &&
3844 			    nla_get_u32(attrs[NL80211_ATTR_CENTER_FREQ2])) {
3845 				NL_SET_ERR_MSG_ATTR(extack,
3846 						    attrs[NL80211_ATTR_CENTER_FREQ2],
3847 						    "center frequency 2 can't be used");
3848 				return -EINVAL;
3849 			}
3850 			break;
3851 		default:
3852 			NL_SET_ERR_MSG_ATTR(extack,
3853 					    attrs[NL80211_ATTR_WIPHY_CHANNEL_TYPE],
3854 					    "invalid channel type");
3855 			return -EINVAL;
3856 		}
3857 	} else if (attrs[NL80211_ATTR_CHANNEL_WIDTH]) {
3858 		chandef->width = nla_get_u32(attrs[NL80211_ATTR_CHANNEL_WIDTH]);
3859 		if (attrs[NL80211_ATTR_CENTER_FREQ1]) {
3860 			chandef->center_freq1 =
3861 				nla_get_u32(attrs[NL80211_ATTR_CENTER_FREQ1]);
3862 			chandef->freq1_offset = nla_get_u32_default(
3863 				attrs[NL80211_ATTR_CENTER_FREQ1_OFFSET], 0);
3864 		}
3865 
3866 		if (attrs[NL80211_ATTR_CENTER_FREQ2])
3867 			chandef->center_freq2 =
3868 				nla_get_u32(attrs[NL80211_ATTR_CENTER_FREQ2]);
3869 
3870 		chandef->s1g_primary_2mhz = nla_get_flag(
3871 			attrs[NL80211_ATTR_S1G_PRIMARY_2MHZ]);
3872 	}
3873 
3874 	if (attrs[NL80211_ATTR_WIPHY_EDMG_CHANNELS]) {
3875 		chandef->edmg.channels =
3876 		      nla_get_u8(attrs[NL80211_ATTR_WIPHY_EDMG_CHANNELS]);
3877 
3878 		if (attrs[NL80211_ATTR_WIPHY_EDMG_BW_CONFIG])
3879 			chandef->edmg.bw_config =
3880 		     nla_get_u8(attrs[NL80211_ATTR_WIPHY_EDMG_BW_CONFIG]);
3881 	} else {
3882 		chandef->edmg.bw_config = 0;
3883 		chandef->edmg.channels = 0;
3884 	}
3885 
3886 	if (attrs[NL80211_ATTR_PUNCT_BITMAP]) {
3887 		chandef->punctured =
3888 			nla_get_u32(attrs[NL80211_ATTR_PUNCT_BITMAP]);
3889 
3890 		if (chandef->punctured &&
3891 		    !wiphy_ext_feature_isset(&rdev->wiphy,
3892 					     NL80211_EXT_FEATURE_PUNCT)) {
3893 			NL_SET_ERR_MSG_ATTR(extack,
3894 					    attrs[NL80211_ATTR_WIPHY_FREQ],
3895 					    "driver doesn't support puncturing");
3896 			return -EINVAL;
3897 		}
3898 	}
3899 
3900 	if (!cfg80211_chandef_valid(chandef)) {
3901 		NL_SET_ERR_MSG_ATTR(extack, attrs[NL80211_ATTR_WIPHY_FREQ],
3902 				    "invalid channel definition");
3903 		return -EINVAL;
3904 	}
3905 
3906 	if (!_cfg80211_chandef_usable(&rdev->wiphy, chandef,
3907 				      IEEE80211_CHAN_DISABLED,
3908 				      monitor ? IEEE80211_CHAN_CAN_MONITOR : 0)) {
3909 		NL_SET_ERR_MSG_ATTR(extack, attrs[NL80211_ATTR_WIPHY_FREQ],
3910 				    "(extension) channel is disabled");
3911 		return -EINVAL;
3912 	}
3913 
3914 	if ((chandef->width == NL80211_CHAN_WIDTH_5 ||
3915 	     chandef->width == NL80211_CHAN_WIDTH_10) &&
3916 	    !(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_5_10_MHZ)) {
3917 		NL_SET_ERR_MSG(extack, "5/10 MHz not supported");
3918 		return -EINVAL;
3919 	}
3920 
3921 	return 0;
3922 }
3923 
3924 int nl80211_parse_chandef(struct cfg80211_registered_device *rdev,
3925 			  struct netlink_ext_ack *extack,
3926 			  struct nlattr **attrs,
3927 			  struct cfg80211_chan_def *chandef)
3928 {
3929 	return _nl80211_parse_chandef(rdev, extack, attrs, false, chandef);
3930 }
3931 
3932 static int __nl80211_set_channel(struct cfg80211_registered_device *rdev,
3933 				 struct net_device *dev,
3934 				 struct genl_info *info,
3935 				 int _link_id)
3936 {
3937 	struct cfg80211_chan_def chandef;
3938 	int result;
3939 	enum nl80211_iftype iftype = NL80211_IFTYPE_MONITOR;
3940 	struct wireless_dev *wdev = NULL;
3941 	int link_id = _link_id;
3942 
3943 	if (dev)
3944 		wdev = dev->ieee80211_ptr;
3945 	if (!nl80211_can_set_dev_channel(wdev))
3946 		return -EOPNOTSUPP;
3947 	if (wdev)
3948 		iftype = wdev->iftype;
3949 
3950 	if (link_id < 0) {
3951 		if (wdev && wdev->valid_links)
3952 			return -EINVAL;
3953 		link_id = 0;
3954 	}
3955 
3956 	result = _nl80211_parse_chandef(rdev, info->extack, info->attrs,
3957 					iftype == NL80211_IFTYPE_MONITOR,
3958 					&chandef);
3959 	if (result)
3960 		return result;
3961 
3962 	switch (iftype) {
3963 	case NL80211_IFTYPE_AP:
3964 	case NL80211_IFTYPE_P2P_GO:
3965 		if (!cfg80211_reg_can_beacon_relax(&rdev->wiphy, &chandef,
3966 						   iftype))
3967 			return -EINVAL;
3968 		if (wdev->links[link_id].ap.beacon_interval) {
3969 			struct ieee80211_channel *cur_chan;
3970 
3971 			if (!dev || !rdev->ops->set_ap_chanwidth ||
3972 			    !(rdev->wiphy.features &
3973 			      NL80211_FEATURE_AP_MODE_CHAN_WIDTH_CHANGE))
3974 				return -EBUSY;
3975 
3976 			/* Only allow dynamic channel width changes */
3977 			cur_chan = wdev->links[link_id].ap.chandef.chan;
3978 			if (chandef.chan != cur_chan)
3979 				return -EBUSY;
3980 
3981 			/* only allow this for regular channel widths */
3982 			switch (wdev->links[link_id].ap.chandef.width) {
3983 			case NL80211_CHAN_WIDTH_20_NOHT:
3984 			case NL80211_CHAN_WIDTH_20:
3985 			case NL80211_CHAN_WIDTH_40:
3986 			case NL80211_CHAN_WIDTH_80:
3987 			case NL80211_CHAN_WIDTH_80P80:
3988 			case NL80211_CHAN_WIDTH_160:
3989 			case NL80211_CHAN_WIDTH_320:
3990 				break;
3991 			default:
3992 				return -EINVAL;
3993 			}
3994 
3995 			switch (chandef.width) {
3996 			case NL80211_CHAN_WIDTH_20_NOHT:
3997 			case NL80211_CHAN_WIDTH_20:
3998 			case NL80211_CHAN_WIDTH_40:
3999 			case NL80211_CHAN_WIDTH_80:
4000 			case NL80211_CHAN_WIDTH_80P80:
4001 			case NL80211_CHAN_WIDTH_160:
4002 			case NL80211_CHAN_WIDTH_320:
4003 				break;
4004 			default:
4005 				return -EINVAL;
4006 			}
4007 
4008 			result = rdev_set_ap_chanwidth(rdev, dev, link_id,
4009 						       &chandef);
4010 			if (result)
4011 				return result;
4012 			wdev->links[link_id].ap.chandef = chandef;
4013 		} else {
4014 			wdev->u.ap.preset_chandef = chandef;
4015 		}
4016 		return 0;
4017 	case NL80211_IFTYPE_MESH_POINT:
4018 		return cfg80211_set_mesh_channel(rdev, wdev, &chandef);
4019 	case NL80211_IFTYPE_MONITOR:
4020 		return cfg80211_set_monitor_channel(rdev, dev, &chandef);
4021 	default:
4022 		break;
4023 	}
4024 
4025 	return -EINVAL;
4026 }
4027 
4028 static int nl80211_set_channel(struct sk_buff *skb, struct genl_info *info)
4029 {
4030 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4031 	int link_id = nl80211_link_id_or_invalid(info->attrs);
4032 	struct net_device *netdev = info->user_ptr[1];
4033 
4034 	return __nl80211_set_channel(rdev, netdev, info, link_id);
4035 }
4036 
4037 static int nl80211_set_wiphy_radio(struct genl_info *info,
4038 				   struct cfg80211_registered_device *rdev,
4039 				   int radio_idx)
4040 {
4041 	u32 rts_threshold = 0, old_rts, changed = 0;
4042 	int result;
4043 
4044 	if (!rdev->ops->set_wiphy_params)
4045 		return -EOPNOTSUPP;
4046 
4047 	if (info->attrs[NL80211_ATTR_WIPHY_RTS_THRESHOLD]) {
4048 		rts_threshold = nla_get_u32(
4049 				info->attrs[NL80211_ATTR_WIPHY_RTS_THRESHOLD]);
4050 		changed |= WIPHY_PARAM_RTS_THRESHOLD;
4051 	}
4052 
4053 	old_rts = rdev->wiphy.radio_cfg[radio_idx].rts_threshold;
4054 
4055 	rdev->wiphy.radio_cfg[radio_idx].rts_threshold = rts_threshold;
4056 
4057 	result = rdev_set_wiphy_params(rdev, radio_idx, changed);
4058 	if (result)
4059 		rdev->wiphy.radio_cfg[radio_idx].rts_threshold = old_rts;
4060 
4061 	return 0;
4062 }
4063 
4064 static int nl80211_set_wiphy(struct sk_buff *skb, struct genl_info *info)
4065 {
4066 	struct cfg80211_registered_device *rdev = NULL;
4067 	struct net_device *netdev = NULL;
4068 	struct wireless_dev *wdev;
4069 	int result = 0, rem_txq_params = 0;
4070 	struct nlattr *nl_txq_params;
4071 	u32 changed;
4072 	u8 retry_short = 0, retry_long = 0;
4073 	u32 frag_threshold = 0, rts_threshold = 0;
4074 	u8 coverage_class = 0;
4075 	u32 txq_limit = 0, txq_memory_limit = 0, txq_quantum = 0;
4076 	int radio_idx = -1;
4077 
4078 	rtnl_lock();
4079 	/*
4080 	 * Try to find the wiphy and netdev. Normally this
4081 	 * function shouldn't need the netdev, but this is
4082 	 * done for backward compatibility -- previously
4083 	 * setting the channel was done per wiphy, but now
4084 	 * it is per netdev. Previous userland like hostapd
4085 	 * also passed a netdev to set_wiphy, so that it is
4086 	 * possible to let that go to the right netdev!
4087 	 */
4088 
4089 	if (info->attrs[NL80211_ATTR_IFINDEX]) {
4090 		int ifindex = nla_get_u32(info->attrs[NL80211_ATTR_IFINDEX]);
4091 
4092 		netdev = __dev_get_by_index(genl_info_net(info), ifindex);
4093 		if (netdev && netdev->ieee80211_ptr)
4094 			rdev = wiphy_to_rdev(netdev->ieee80211_ptr->wiphy);
4095 		else
4096 			netdev = NULL;
4097 	}
4098 
4099 	if (!netdev) {
4100 		rdev = __cfg80211_rdev_from_attrs(genl_info_net(info),
4101 						  info->attrs);
4102 		if (IS_ERR(rdev)) {
4103 			rtnl_unlock();
4104 			return PTR_ERR(rdev);
4105 		}
4106 		wdev = NULL;
4107 		netdev = NULL;
4108 		result = 0;
4109 	} else
4110 		wdev = netdev->ieee80211_ptr;
4111 
4112 	guard(wiphy)(&rdev->wiphy);
4113 
4114 	/*
4115 	 * end workaround code, by now the rdev is available
4116 	 * and locked, and wdev may or may not be NULL.
4117 	 */
4118 
4119 	if (info->attrs[NL80211_ATTR_WIPHY_NAME])
4120 		result = cfg80211_dev_rename(
4121 			rdev, nla_data(info->attrs[NL80211_ATTR_WIPHY_NAME]));
4122 	rtnl_unlock();
4123 
4124 	if (result)
4125 		return result;
4126 
4127 	if (info->attrs[NL80211_ATTR_WIPHY_RADIO_INDEX]) {
4128 		/* Radio idx is not expected for non-multi radio wiphy */
4129 		if (rdev->wiphy.n_radio <= 0)
4130 			return -EINVAL;
4131 
4132 		radio_idx = nla_get_u8(
4133 				info->attrs[NL80211_ATTR_WIPHY_RADIO_INDEX]);
4134 		if (radio_idx >= rdev->wiphy.n_radio)
4135 			return -EINVAL;
4136 
4137 		return nl80211_set_wiphy_radio(info, rdev, radio_idx);
4138 	}
4139 
4140 	if (info->attrs[NL80211_ATTR_WIPHY_TXQ_PARAMS]) {
4141 		struct ieee80211_txq_params txq_params;
4142 		struct nlattr *tb[NL80211_TXQ_ATTR_MAX + 1];
4143 
4144 		if (!rdev->ops->set_txq_params)
4145 			return -EOPNOTSUPP;
4146 
4147 		if (!netdev)
4148 			return -EINVAL;
4149 
4150 		if (netdev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
4151 		    netdev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
4152 			return -EINVAL;
4153 
4154 		if (!netif_running(netdev))
4155 			return -ENETDOWN;
4156 
4157 		nla_for_each_nested(nl_txq_params,
4158 				    info->attrs[NL80211_ATTR_WIPHY_TXQ_PARAMS],
4159 				    rem_txq_params) {
4160 			result = nla_parse_nested_deprecated(tb,
4161 							     NL80211_TXQ_ATTR_MAX,
4162 							     nl_txq_params,
4163 							     txq_params_policy,
4164 							     info->extack);
4165 			if (result)
4166 				return result;
4167 
4168 			result = parse_txq_params(tb, &txq_params);
4169 			if (result)
4170 				return result;
4171 
4172 			txq_params.link_id =
4173 				nl80211_link_id_or_invalid(info->attrs);
4174 
4175 			if (txq_params.link_id >= 0 &&
4176 			    !(netdev->ieee80211_ptr->valid_links &
4177 			      BIT(txq_params.link_id)))
4178 				result = -ENOLINK;
4179 			else if (txq_params.link_id >= 0 &&
4180 				 !netdev->ieee80211_ptr->valid_links)
4181 				result = -EINVAL;
4182 			else
4183 				result = rdev_set_txq_params(rdev, netdev,
4184 							     &txq_params);
4185 			if (result)
4186 				return result;
4187 		}
4188 	}
4189 
4190 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
4191 		int link_id = nl80211_link_id_or_invalid(info->attrs);
4192 
4193 		if (wdev) {
4194 			result = __nl80211_set_channel(
4195 				rdev,
4196 				nl80211_can_set_dev_channel(wdev) ? netdev : NULL,
4197 				info, link_id);
4198 		} else {
4199 			result = __nl80211_set_channel(rdev, netdev, info, link_id);
4200 		}
4201 
4202 		if (result)
4203 			return result;
4204 	}
4205 
4206 	if (info->attrs[NL80211_ATTR_WIPHY_TX_POWER_SETTING]) {
4207 		struct wireless_dev *txp_wdev = wdev;
4208 		enum nl80211_tx_power_setting type;
4209 		int idx, mbm = 0;
4210 
4211 		if (!(rdev->wiphy.features & NL80211_FEATURE_VIF_TXPOWER))
4212 			txp_wdev = NULL;
4213 
4214 		if (!rdev->ops->set_tx_power)
4215 			return -EOPNOTSUPP;
4216 
4217 		idx = NL80211_ATTR_WIPHY_TX_POWER_SETTING;
4218 		type = nla_get_u32(info->attrs[idx]);
4219 
4220 		if (!info->attrs[NL80211_ATTR_WIPHY_TX_POWER_LEVEL] &&
4221 		    (type != NL80211_TX_POWER_AUTOMATIC))
4222 			return -EINVAL;
4223 
4224 		if (type != NL80211_TX_POWER_AUTOMATIC) {
4225 			idx = NL80211_ATTR_WIPHY_TX_POWER_LEVEL;
4226 			mbm = nla_get_u32(info->attrs[idx]);
4227 		}
4228 
4229 		result = rdev_set_tx_power(rdev, txp_wdev, radio_idx, type,
4230 					   mbm);
4231 		if (result)
4232 			return result;
4233 	}
4234 
4235 	if (info->attrs[NL80211_ATTR_WIPHY_ANTENNA_TX] &&
4236 	    info->attrs[NL80211_ATTR_WIPHY_ANTENNA_RX]) {
4237 		u32 tx_ant, rx_ant;
4238 
4239 		if ((!rdev->wiphy.available_antennas_tx &&
4240 		     !rdev->wiphy.available_antennas_rx) ||
4241 		    !rdev->ops->set_antenna)
4242 			return -EOPNOTSUPP;
4243 
4244 		tx_ant = nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_ANTENNA_TX]);
4245 		rx_ant = nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_ANTENNA_RX]);
4246 
4247 		/* reject antenna configurations which don't match the
4248 		 * available antenna masks, except for the "all" mask */
4249 		if ((~tx_ant && (tx_ant & ~rdev->wiphy.available_antennas_tx)) ||
4250 		    (~rx_ant && (rx_ant & ~rdev->wiphy.available_antennas_rx)))
4251 			return -EINVAL;
4252 
4253 		tx_ant = tx_ant & rdev->wiphy.available_antennas_tx;
4254 		rx_ant = rx_ant & rdev->wiphy.available_antennas_rx;
4255 
4256 		result = rdev_set_antenna(rdev, radio_idx, tx_ant, rx_ant);
4257 		if (result)
4258 			return result;
4259 	}
4260 
4261 	changed = 0;
4262 
4263 	if (info->attrs[NL80211_ATTR_WIPHY_RETRY_SHORT]) {
4264 		retry_short = nla_get_u8(
4265 			info->attrs[NL80211_ATTR_WIPHY_RETRY_SHORT]);
4266 
4267 		changed |= WIPHY_PARAM_RETRY_SHORT;
4268 	}
4269 
4270 	if (info->attrs[NL80211_ATTR_WIPHY_RETRY_LONG]) {
4271 		retry_long = nla_get_u8(
4272 			info->attrs[NL80211_ATTR_WIPHY_RETRY_LONG]);
4273 
4274 		changed |= WIPHY_PARAM_RETRY_LONG;
4275 	}
4276 
4277 	if (info->attrs[NL80211_ATTR_WIPHY_FRAG_THRESHOLD]) {
4278 		frag_threshold = nla_get_u32(
4279 			info->attrs[NL80211_ATTR_WIPHY_FRAG_THRESHOLD]);
4280 		if (frag_threshold < 256)
4281 			return -EINVAL;
4282 
4283 		if (frag_threshold != (u32) -1) {
4284 			/*
4285 			 * Fragments (apart from the last one) are required to
4286 			 * have even length. Make the fragmentation code
4287 			 * simpler by stripping LSB should someone try to use
4288 			 * odd threshold value.
4289 			 */
4290 			frag_threshold &= ~0x1;
4291 		}
4292 		changed |= WIPHY_PARAM_FRAG_THRESHOLD;
4293 	}
4294 
4295 	if (info->attrs[NL80211_ATTR_WIPHY_RTS_THRESHOLD]) {
4296 		rts_threshold = nla_get_u32(
4297 			info->attrs[NL80211_ATTR_WIPHY_RTS_THRESHOLD]);
4298 		changed |= WIPHY_PARAM_RTS_THRESHOLD;
4299 	}
4300 
4301 	if (info->attrs[NL80211_ATTR_WIPHY_COVERAGE_CLASS]) {
4302 		if (info->attrs[NL80211_ATTR_WIPHY_DYN_ACK])
4303 			return -EINVAL;
4304 
4305 		coverage_class = nla_get_u8(
4306 			info->attrs[NL80211_ATTR_WIPHY_COVERAGE_CLASS]);
4307 		changed |= WIPHY_PARAM_COVERAGE_CLASS;
4308 	}
4309 
4310 	if (info->attrs[NL80211_ATTR_WIPHY_DYN_ACK]) {
4311 		if (!(rdev->wiphy.features & NL80211_FEATURE_ACKTO_ESTIMATION))
4312 			return -EOPNOTSUPP;
4313 
4314 		changed |= WIPHY_PARAM_DYN_ACK;
4315 	}
4316 
4317 	if (info->attrs[NL80211_ATTR_TXQ_LIMIT]) {
4318 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
4319 					     NL80211_EXT_FEATURE_TXQS))
4320 			return -EOPNOTSUPP;
4321 
4322 		txq_limit = nla_get_u32(
4323 			info->attrs[NL80211_ATTR_TXQ_LIMIT]);
4324 		changed |= WIPHY_PARAM_TXQ_LIMIT;
4325 	}
4326 
4327 	if (info->attrs[NL80211_ATTR_TXQ_MEMORY_LIMIT]) {
4328 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
4329 					     NL80211_EXT_FEATURE_TXQS))
4330 			return -EOPNOTSUPP;
4331 
4332 		txq_memory_limit = nla_get_u32(
4333 			info->attrs[NL80211_ATTR_TXQ_MEMORY_LIMIT]);
4334 		changed |= WIPHY_PARAM_TXQ_MEMORY_LIMIT;
4335 	}
4336 
4337 	if (info->attrs[NL80211_ATTR_TXQ_QUANTUM]) {
4338 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
4339 					     NL80211_EXT_FEATURE_TXQS))
4340 			return -EOPNOTSUPP;
4341 
4342 		txq_quantum = nla_get_u32(
4343 			info->attrs[NL80211_ATTR_TXQ_QUANTUM]);
4344 		changed |= WIPHY_PARAM_TXQ_QUANTUM;
4345 	}
4346 
4347 	if (changed) {
4348 		u8 old_retry_short, old_retry_long;
4349 		u32 old_frag_threshold, old_rts_threshold;
4350 		u8 old_coverage_class, i;
4351 		u32 old_txq_limit, old_txq_memory_limit, old_txq_quantum;
4352 		u32 *old_radio_rts_threshold = NULL;
4353 
4354 		if (!rdev->ops->set_wiphy_params)
4355 			return -EOPNOTSUPP;
4356 
4357 		if (rdev->wiphy.n_radio) {
4358 			old_radio_rts_threshold = kcalloc(rdev->wiphy.n_radio,
4359 							  sizeof(u32),
4360 							  GFP_KERNEL);
4361 			if (!old_radio_rts_threshold)
4362 				return -ENOMEM;
4363 		}
4364 
4365 		old_retry_short = rdev->wiphy.retry_short;
4366 		old_retry_long = rdev->wiphy.retry_long;
4367 		old_frag_threshold = rdev->wiphy.frag_threshold;
4368 		old_rts_threshold = rdev->wiphy.rts_threshold;
4369 		if (old_radio_rts_threshold) {
4370 			for (i = 0 ; i < rdev->wiphy.n_radio; i++)
4371 				old_radio_rts_threshold[i] =
4372 					rdev->wiphy.radio_cfg[i].rts_threshold;
4373 		}
4374 		old_coverage_class = rdev->wiphy.coverage_class;
4375 		old_txq_limit = rdev->wiphy.txq_limit;
4376 		old_txq_memory_limit = rdev->wiphy.txq_memory_limit;
4377 		old_txq_quantum = rdev->wiphy.txq_quantum;
4378 
4379 		if (changed & WIPHY_PARAM_RETRY_SHORT)
4380 			rdev->wiphy.retry_short = retry_short;
4381 		if (changed & WIPHY_PARAM_RETRY_LONG)
4382 			rdev->wiphy.retry_long = retry_long;
4383 		if (changed & WIPHY_PARAM_FRAG_THRESHOLD)
4384 			rdev->wiphy.frag_threshold = frag_threshold;
4385 		if ((changed & WIPHY_PARAM_RTS_THRESHOLD) &&
4386 		    old_radio_rts_threshold) {
4387 			rdev->wiphy.rts_threshold = rts_threshold;
4388 			for (i = 0 ; i < rdev->wiphy.n_radio; i++)
4389 				rdev->wiphy.radio_cfg[i].rts_threshold =
4390 					rdev->wiphy.rts_threshold;
4391 		}
4392 		if (changed & WIPHY_PARAM_COVERAGE_CLASS)
4393 			rdev->wiphy.coverage_class = coverage_class;
4394 		if (changed & WIPHY_PARAM_TXQ_LIMIT)
4395 			rdev->wiphy.txq_limit = txq_limit;
4396 		if (changed & WIPHY_PARAM_TXQ_MEMORY_LIMIT)
4397 			rdev->wiphy.txq_memory_limit = txq_memory_limit;
4398 		if (changed & WIPHY_PARAM_TXQ_QUANTUM)
4399 			rdev->wiphy.txq_quantum = txq_quantum;
4400 
4401 		result = rdev_set_wiphy_params(rdev, radio_idx, changed);
4402 		if (result) {
4403 			rdev->wiphy.retry_short = old_retry_short;
4404 			rdev->wiphy.retry_long = old_retry_long;
4405 			rdev->wiphy.frag_threshold = old_frag_threshold;
4406 			rdev->wiphy.rts_threshold = old_rts_threshold;
4407 			if (old_radio_rts_threshold) {
4408 				for (i = 0 ; i < rdev->wiphy.n_radio; i++)
4409 					rdev->wiphy.radio_cfg[i].rts_threshold =
4410 						old_radio_rts_threshold[i];
4411 			}
4412 			rdev->wiphy.coverage_class = old_coverage_class;
4413 			rdev->wiphy.txq_limit = old_txq_limit;
4414 			rdev->wiphy.txq_memory_limit = old_txq_memory_limit;
4415 			rdev->wiphy.txq_quantum = old_txq_quantum;
4416 		}
4417 
4418 		kfree(old_radio_rts_threshold);
4419 		return result;
4420 	}
4421 
4422 	return 0;
4423 }
4424 
4425 int nl80211_send_chandef(struct sk_buff *msg, const struct cfg80211_chan_def *chandef)
4426 {
4427 	if (WARN_ON(!cfg80211_chandef_valid(chandef)))
4428 		return -EINVAL;
4429 
4430 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ,
4431 			chandef->chan->center_freq))
4432 		return -ENOBUFS;
4433 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ_OFFSET,
4434 			chandef->chan->freq_offset))
4435 		return -ENOBUFS;
4436 	switch (chandef->width) {
4437 	case NL80211_CHAN_WIDTH_20_NOHT:
4438 	case NL80211_CHAN_WIDTH_20:
4439 	case NL80211_CHAN_WIDTH_40:
4440 		if (nla_put_u32(msg, NL80211_ATTR_WIPHY_CHANNEL_TYPE,
4441 				cfg80211_get_chandef_type(chandef)))
4442 			return -ENOBUFS;
4443 		break;
4444 	default:
4445 		break;
4446 	}
4447 	if (nla_put_u32(msg, NL80211_ATTR_CHANNEL_WIDTH, chandef->width))
4448 		return -ENOBUFS;
4449 	if (nla_put_u32(msg, NL80211_ATTR_CENTER_FREQ1, chandef->center_freq1))
4450 		return -ENOBUFS;
4451 	if (chandef->center_freq2 &&
4452 	    nla_put_u32(msg, NL80211_ATTR_CENTER_FREQ2, chandef->center_freq2))
4453 		return -ENOBUFS;
4454 	if (chandef->punctured &&
4455 	    nla_put_u32(msg, NL80211_ATTR_PUNCT_BITMAP, chandef->punctured))
4456 		return -ENOBUFS;
4457 	if (chandef->s1g_primary_2mhz &&
4458 	    nla_put_flag(msg, NL80211_ATTR_S1G_PRIMARY_2MHZ))
4459 		return -ENOBUFS;
4460 
4461 	return 0;
4462 }
4463 EXPORT_SYMBOL(nl80211_send_chandef);
4464 
4465 static int nl80211_send_iface(struct sk_buff *msg, u32 portid, u32 seq, int flags,
4466 			      struct cfg80211_registered_device *rdev,
4467 			      struct wireless_dev *wdev,
4468 			      enum nl80211_commands cmd)
4469 {
4470 	struct net_device *dev = wdev->netdev;
4471 	void *hdr;
4472 
4473 	lockdep_assert_wiphy(&rdev->wiphy);
4474 
4475 	WARN_ON(cmd != NL80211_CMD_NEW_INTERFACE &&
4476 		cmd != NL80211_CMD_DEL_INTERFACE &&
4477 		cmd != NL80211_CMD_SET_INTERFACE);
4478 
4479 	hdr = nl80211hdr_put(msg, portid, seq, flags, cmd);
4480 	if (!hdr)
4481 		return -1;
4482 
4483 	if (dev &&
4484 	    (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
4485 	     nla_put_string(msg, NL80211_ATTR_IFNAME, dev->name)))
4486 		goto nla_put_failure;
4487 
4488 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
4489 	    nla_put_u32(msg, NL80211_ATTR_IFTYPE, wdev->iftype) ||
4490 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
4491 			      NL80211_ATTR_PAD) ||
4492 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, wdev_address(wdev)) ||
4493 	    nla_put_u32(msg, NL80211_ATTR_GENERATION,
4494 			rdev->devlist_generation ^
4495 			(cfg80211_rdev_list_generation << 2)) ||
4496 	    nla_put_u8(msg, NL80211_ATTR_4ADDR, wdev->use_4addr) ||
4497 	    nla_put_u32(msg, NL80211_ATTR_VIF_RADIO_MASK, wdev->radio_mask))
4498 		goto nla_put_failure;
4499 
4500 	if (rdev->ops->get_channel && !wdev->valid_links) {
4501 		struct cfg80211_chan_def chandef = {};
4502 		int ret;
4503 
4504 		ret = rdev_get_channel(rdev, wdev, 0, &chandef);
4505 		if (ret == 0 && nl80211_send_chandef(msg, &chandef))
4506 			goto nla_put_failure;
4507 	}
4508 
4509 	if (rdev->ops->get_tx_power && !wdev->valid_links) {
4510 		int dbm, ret;
4511 
4512 		ret = rdev_get_tx_power(rdev, wdev, -1, 0, &dbm);
4513 		if (ret == 0 &&
4514 		    nla_put_u32(msg, NL80211_ATTR_WIPHY_TX_POWER_LEVEL,
4515 				DBM_TO_MBM(dbm)))
4516 			goto nla_put_failure;
4517 	}
4518 
4519 	switch (wdev->iftype) {
4520 	case NL80211_IFTYPE_AP:
4521 	case NL80211_IFTYPE_P2P_GO:
4522 		if (wdev->u.ap.ssid_len &&
4523 		    nla_put(msg, NL80211_ATTR_SSID, wdev->u.ap.ssid_len,
4524 			    wdev->u.ap.ssid))
4525 			goto nla_put_failure;
4526 		break;
4527 	case NL80211_IFTYPE_STATION:
4528 	case NL80211_IFTYPE_P2P_CLIENT:
4529 		if (wdev->u.client.ssid_len &&
4530 		    nla_put(msg, NL80211_ATTR_SSID, wdev->u.client.ssid_len,
4531 			    wdev->u.client.ssid))
4532 			goto nla_put_failure;
4533 		break;
4534 	case NL80211_IFTYPE_ADHOC:
4535 		if (wdev->u.ibss.ssid_len &&
4536 		    nla_put(msg, NL80211_ATTR_SSID, wdev->u.ibss.ssid_len,
4537 			    wdev->u.ibss.ssid))
4538 			goto nla_put_failure;
4539 		break;
4540 	default:
4541 		/* nothing */
4542 		break;
4543 	}
4544 
4545 	if (rdev->ops->get_txq_stats) {
4546 		struct cfg80211_txq_stats txqstats = {};
4547 		int ret = rdev_get_txq_stats(rdev, wdev, &txqstats);
4548 
4549 		if (ret == 0 &&
4550 		    !nl80211_put_txq_stats(msg, &txqstats,
4551 					   NL80211_ATTR_TXQ_STATS))
4552 			goto nla_put_failure;
4553 	}
4554 
4555 	if (wdev->valid_links) {
4556 		unsigned int link_id;
4557 		struct nlattr *links = nla_nest_start(msg,
4558 						      NL80211_ATTR_MLO_LINKS);
4559 
4560 		if (!links)
4561 			goto nla_put_failure;
4562 
4563 		for_each_valid_link(wdev, link_id) {
4564 			struct nlattr *link = nla_nest_start(msg, link_id + 1);
4565 			struct cfg80211_chan_def chandef = {};
4566 			int ret;
4567 
4568 			if (!link)
4569 				goto nla_put_failure;
4570 
4571 			if (nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID, link_id))
4572 				goto nla_put_failure;
4573 			if (nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN,
4574 				    wdev->links[link_id].addr))
4575 				goto nla_put_failure;
4576 
4577 			ret = rdev_get_channel(rdev, wdev, link_id, &chandef);
4578 			if (ret == 0 && nl80211_send_chandef(msg, &chandef))
4579 				goto nla_put_failure;
4580 
4581 			if (rdev->ops->get_tx_power) {
4582 				int dbm, ret;
4583 
4584 				ret = rdev_get_tx_power(rdev, wdev, -1, link_id, &dbm);
4585 				if (ret == 0 &&
4586 				    nla_put_u32(msg, NL80211_ATTR_WIPHY_TX_POWER_LEVEL,
4587 						DBM_TO_MBM(dbm)))
4588 					goto nla_put_failure;
4589 			}
4590 			nla_nest_end(msg, link);
4591 		}
4592 
4593 		nla_nest_end(msg, links);
4594 	}
4595 
4596 	genlmsg_end(msg, hdr);
4597 	return 0;
4598 
4599  nla_put_failure:
4600 	genlmsg_cancel(msg, hdr);
4601 	return -EMSGSIZE;
4602 }
4603 
4604 static int nl80211_dump_interface(struct sk_buff *skb, struct netlink_callback *cb)
4605 {
4606 	int wp_idx = 0;
4607 	int if_idx = 0;
4608 	int wp_start = cb->args[0];
4609 	int if_start = cb->args[1];
4610 	int filter_wiphy = -1;
4611 	struct cfg80211_registered_device *rdev;
4612 	struct wireless_dev *wdev;
4613 	int ret;
4614 
4615 	rtnl_lock();
4616 	if (!cb->args[2]) {
4617 		struct nl80211_dump_wiphy_state state = {
4618 			.filter_wiphy = -1,
4619 		};
4620 
4621 		ret = nl80211_dump_wiphy_parse(skb, cb, &state);
4622 		if (ret)
4623 			goto out_unlock;
4624 
4625 		filter_wiphy = state.filter_wiphy;
4626 
4627 		/*
4628 		 * if filtering, set cb->args[2] to +1 since 0 is the default
4629 		 * value needed to determine that parsing is necessary.
4630 		 */
4631 		if (filter_wiphy >= 0)
4632 			cb->args[2] = filter_wiphy + 1;
4633 		else
4634 			cb->args[2] = -1;
4635 	} else if (cb->args[2] > 0) {
4636 		filter_wiphy = cb->args[2] - 1;
4637 	}
4638 
4639 	for_each_rdev(rdev) {
4640 		if (!net_eq(wiphy_net(&rdev->wiphy), sock_net(skb->sk)))
4641 			continue;
4642 		if (wp_idx < wp_start) {
4643 			wp_idx++;
4644 			continue;
4645 		}
4646 
4647 		if (filter_wiphy >= 0 && filter_wiphy != rdev->wiphy_idx)
4648 			continue;
4649 
4650 		if_idx = 0;
4651 
4652 		guard(wiphy)(&rdev->wiphy);
4653 
4654 		list_for_each_entry(wdev, &rdev->wiphy.wdev_list, list) {
4655 			if (if_idx < if_start) {
4656 				if_idx++;
4657 				continue;
4658 			}
4659 
4660 			if (nl80211_send_iface(skb, NETLINK_CB(cb->skb).portid,
4661 					       cb->nlh->nlmsg_seq, NLM_F_MULTI,
4662 					       rdev, wdev,
4663 					       NL80211_CMD_NEW_INTERFACE) < 0)
4664 				goto out;
4665 
4666 			if_idx++;
4667 		}
4668 
4669 		if_start = 0;
4670 		wp_idx++;
4671 	}
4672  out:
4673 	cb->args[0] = wp_idx;
4674 	cb->args[1] = if_idx;
4675 
4676 	ret = skb->len;
4677  out_unlock:
4678 	rtnl_unlock();
4679 
4680 	return ret;
4681 }
4682 
4683 static int nl80211_get_interface(struct sk_buff *skb, struct genl_info *info)
4684 {
4685 	struct sk_buff *msg;
4686 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4687 	struct wireless_dev *wdev = info->user_ptr[1];
4688 
4689 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
4690 	if (!msg)
4691 		return -ENOMEM;
4692 
4693 	if (nl80211_send_iface(msg, info->snd_portid, info->snd_seq, 0,
4694 			       rdev, wdev, NL80211_CMD_NEW_INTERFACE) < 0) {
4695 		nlmsg_free(msg);
4696 		return -ENOBUFS;
4697 	}
4698 
4699 	return genlmsg_reply(msg, info);
4700 }
4701 
4702 static const struct nla_policy mntr_flags_policy[NL80211_MNTR_FLAG_MAX + 1] = {
4703 	[NL80211_MNTR_FLAG_FCSFAIL] = { .type = NLA_FLAG },
4704 	[NL80211_MNTR_FLAG_PLCPFAIL] = { .type = NLA_FLAG },
4705 	[NL80211_MNTR_FLAG_CONTROL] = { .type = NLA_FLAG },
4706 	[NL80211_MNTR_FLAG_OTHER_BSS] = { .type = NLA_FLAG },
4707 	[NL80211_MNTR_FLAG_COOK_FRAMES] = { .type = NLA_FLAG },
4708 	[NL80211_MNTR_FLAG_ACTIVE] = { .type = NLA_FLAG },
4709 	[NL80211_MNTR_FLAG_SKIP_TX] = { .type = NLA_FLAG },
4710 };
4711 
4712 static int parse_monitor_flags(struct nlattr *nla, u32 *mntrflags)
4713 {
4714 	struct nlattr *flags[NL80211_MNTR_FLAG_MAX + 1];
4715 	int flag;
4716 
4717 	*mntrflags = 0;
4718 
4719 	if (!nla)
4720 		return -EINVAL;
4721 
4722 	if (nla_parse_nested_deprecated(flags, NL80211_MNTR_FLAG_MAX, nla, mntr_flags_policy, NULL))
4723 		return -EINVAL;
4724 
4725 	for (flag = 1; flag <= NL80211_MNTR_FLAG_MAX; flag++)
4726 		if (flags[flag])
4727 			*mntrflags |= (1<<flag);
4728 
4729 	/* cooked monitor mode is incompatible with other modes */
4730 	if (*mntrflags & MONITOR_FLAG_COOK_FRAMES &&
4731 	    *mntrflags != MONITOR_FLAG_COOK_FRAMES)
4732 		return -EOPNOTSUPP;
4733 
4734 	*mntrflags |= MONITOR_FLAG_CHANGED;
4735 
4736 	return 0;
4737 }
4738 
4739 static int nl80211_parse_mon_options(struct cfg80211_registered_device *rdev,
4740 				     enum nl80211_iftype type,
4741 				     struct genl_info *info,
4742 				     struct vif_params *params)
4743 {
4744 	bool change = false;
4745 	int err;
4746 
4747 	if (info->attrs[NL80211_ATTR_MNTR_FLAGS]) {
4748 		if (type != NL80211_IFTYPE_MONITOR)
4749 			return -EINVAL;
4750 
4751 		err = parse_monitor_flags(info->attrs[NL80211_ATTR_MNTR_FLAGS],
4752 					  &params->flags);
4753 		if (err)
4754 			return err;
4755 
4756 		change = true;
4757 	}
4758 
4759 	/* MONITOR_FLAG_COOK_FRAMES is deprecated, refuse cooperation */
4760 	if (params->flags & MONITOR_FLAG_COOK_FRAMES)
4761 		return -EOPNOTSUPP;
4762 
4763 	if (params->flags & MONITOR_FLAG_ACTIVE &&
4764 	    !(rdev->wiphy.features & NL80211_FEATURE_ACTIVE_MONITOR))
4765 		return -EOPNOTSUPP;
4766 
4767 	if (info->attrs[NL80211_ATTR_MU_MIMO_GROUP_DATA]) {
4768 		const u8 *mumimo_groups;
4769 		u32 cap_flag = NL80211_EXT_FEATURE_MU_MIMO_AIR_SNIFFER;
4770 
4771 		if (type != NL80211_IFTYPE_MONITOR)
4772 			return -EINVAL;
4773 
4774 		if (!wiphy_ext_feature_isset(&rdev->wiphy, cap_flag))
4775 			return -EOPNOTSUPP;
4776 
4777 		mumimo_groups =
4778 			nla_data(info->attrs[NL80211_ATTR_MU_MIMO_GROUP_DATA]);
4779 
4780 		/* bits 0 and 63 are reserved and must be zero */
4781 		if ((mumimo_groups[0] & BIT(0)) ||
4782 		    (mumimo_groups[VHT_MUMIMO_GROUPS_DATA_LEN - 1] & BIT(7)))
4783 			return -EINVAL;
4784 
4785 		params->vht_mumimo_groups = mumimo_groups;
4786 		change = true;
4787 	}
4788 
4789 	if (info->attrs[NL80211_ATTR_MU_MIMO_FOLLOW_MAC_ADDR]) {
4790 		u32 cap_flag = NL80211_EXT_FEATURE_MU_MIMO_AIR_SNIFFER;
4791 
4792 		if (type != NL80211_IFTYPE_MONITOR)
4793 			return -EINVAL;
4794 
4795 		if (!wiphy_ext_feature_isset(&rdev->wiphy, cap_flag))
4796 			return -EOPNOTSUPP;
4797 
4798 		params->vht_mumimo_follow_addr =
4799 			nla_data(info->attrs[NL80211_ATTR_MU_MIMO_FOLLOW_MAC_ADDR]);
4800 		change = true;
4801 	}
4802 
4803 	return change ? 1 : 0;
4804 }
4805 
4806 static int nl80211_valid_4addr(struct cfg80211_registered_device *rdev,
4807 			       struct net_device *netdev, u8 use_4addr,
4808 			       enum nl80211_iftype iftype)
4809 {
4810 	if (!use_4addr) {
4811 		if (netdev && netif_is_bridge_port(netdev))
4812 			return -EBUSY;
4813 		return 0;
4814 	}
4815 
4816 	switch (iftype) {
4817 	case NL80211_IFTYPE_AP_VLAN:
4818 		if (rdev->wiphy.flags & WIPHY_FLAG_4ADDR_AP)
4819 			return 0;
4820 		break;
4821 	case NL80211_IFTYPE_STATION:
4822 		if (rdev->wiphy.flags & WIPHY_FLAG_4ADDR_STATION)
4823 			return 0;
4824 		break;
4825 	default:
4826 		break;
4827 	}
4828 
4829 	return -EOPNOTSUPP;
4830 }
4831 
4832 static int nl80211_parse_vif_radio_mask(struct genl_info *info,
4833 					u32 *radio_mask)
4834 {
4835 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4836 	struct nlattr *attr = info->attrs[NL80211_ATTR_VIF_RADIO_MASK];
4837 	u32 mask, allowed;
4838 
4839 	if (!attr) {
4840 		*radio_mask = 0;
4841 		return 0;
4842 	}
4843 
4844 	allowed = BIT(rdev->wiphy.n_radio) - 1;
4845 	mask = nla_get_u32(attr);
4846 	if (mask & ~allowed)
4847 		return -EINVAL;
4848 	if (!mask)
4849 		mask = allowed;
4850 	*radio_mask = mask;
4851 
4852 	return 1;
4853 }
4854 
4855 static int nl80211_set_interface(struct sk_buff *skb, struct genl_info *info)
4856 {
4857 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4858 	struct vif_params params;
4859 	int err;
4860 	enum nl80211_iftype otype, ntype;
4861 	struct net_device *dev = info->user_ptr[1];
4862 	struct wireless_dev *wdev = dev->ieee80211_ptr;
4863 	u32 radio_mask = 0;
4864 	bool change = false;
4865 
4866 	memset(&params, 0, sizeof(params));
4867 
4868 	otype = ntype = dev->ieee80211_ptr->iftype;
4869 
4870 	if (info->attrs[NL80211_ATTR_IFTYPE]) {
4871 		ntype = nla_get_u32(info->attrs[NL80211_ATTR_IFTYPE]);
4872 		if (otype != ntype)
4873 			change = true;
4874 	}
4875 
4876 	if (info->attrs[NL80211_ATTR_MESH_ID]) {
4877 		if (ntype != NL80211_IFTYPE_MESH_POINT)
4878 			return -EINVAL;
4879 		if (otype != NL80211_IFTYPE_MESH_POINT)
4880 			return -EINVAL;
4881 		if (netif_running(dev))
4882 			return -EBUSY;
4883 
4884 		wdev->u.mesh.id_up_len =
4885 			nla_len(info->attrs[NL80211_ATTR_MESH_ID]);
4886 		memcpy(wdev->u.mesh.id,
4887 		       nla_data(info->attrs[NL80211_ATTR_MESH_ID]),
4888 		       wdev->u.mesh.id_up_len);
4889 	}
4890 
4891 	if (info->attrs[NL80211_ATTR_4ADDR]) {
4892 		params.use_4addr = !!nla_get_u8(info->attrs[NL80211_ATTR_4ADDR]);
4893 		change = true;
4894 		err = nl80211_valid_4addr(rdev, dev, params.use_4addr, ntype);
4895 		if (err)
4896 			return err;
4897 	} else {
4898 		params.use_4addr = -1;
4899 	}
4900 
4901 	err = nl80211_parse_mon_options(rdev, ntype, info, &params);
4902 	if (err < 0)
4903 		return err;
4904 	if (err > 0)
4905 		change = true;
4906 
4907 	err = nl80211_parse_vif_radio_mask(info, &radio_mask);
4908 	if (err < 0)
4909 		return err;
4910 	if (err && netif_running(dev))
4911 		return -EBUSY;
4912 
4913 	if (change)
4914 		err = cfg80211_change_iface(rdev, dev, ntype, &params);
4915 	else
4916 		err = 0;
4917 
4918 	if (!err && params.use_4addr != -1)
4919 		dev->ieee80211_ptr->use_4addr = params.use_4addr;
4920 
4921 	if (radio_mask)
4922 		wdev->radio_mask = radio_mask;
4923 
4924 	if (change && !err)
4925 		nl80211_notify_iface(rdev, wdev, NL80211_CMD_SET_INTERFACE);
4926 
4927 	return err;
4928 }
4929 
4930 static int _nl80211_new_interface(struct sk_buff *skb, struct genl_info *info)
4931 {
4932 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4933 	struct vif_params params;
4934 	struct wireless_dev *wdev;
4935 	struct sk_buff *msg;
4936 	u32 radio_mask;
4937 	int err;
4938 	enum nl80211_iftype type = NL80211_IFTYPE_UNSPECIFIED;
4939 
4940 	memset(&params, 0, sizeof(params));
4941 
4942 	if (!info->attrs[NL80211_ATTR_IFNAME])
4943 		return -EINVAL;
4944 
4945 	if (info->attrs[NL80211_ATTR_IFTYPE])
4946 		type = nla_get_u32(info->attrs[NL80211_ATTR_IFTYPE]);
4947 
4948 	if (!rdev->ops->add_virtual_intf)
4949 		return -EOPNOTSUPP;
4950 
4951 	if ((type == NL80211_IFTYPE_P2P_DEVICE || type == NL80211_IFTYPE_NAN ||
4952 	     rdev->wiphy.features & NL80211_FEATURE_MAC_ON_CREATE) &&
4953 	    info->attrs[NL80211_ATTR_MAC]) {
4954 		nla_memcpy(params.macaddr, info->attrs[NL80211_ATTR_MAC],
4955 			   ETH_ALEN);
4956 		if (!is_valid_ether_addr(params.macaddr))
4957 			return -EADDRNOTAVAIL;
4958 	}
4959 
4960 	if (info->attrs[NL80211_ATTR_4ADDR]) {
4961 		params.use_4addr = !!nla_get_u8(info->attrs[NL80211_ATTR_4ADDR]);
4962 		err = nl80211_valid_4addr(rdev, NULL, params.use_4addr, type);
4963 		if (err)
4964 			return err;
4965 	}
4966 
4967 	if (!cfg80211_iftype_allowed(&rdev->wiphy, type, params.use_4addr, 0))
4968 		return -EOPNOTSUPP;
4969 
4970 	err = nl80211_parse_mon_options(rdev, type, info, &params);
4971 	if (err < 0)
4972 		return err;
4973 
4974 	err = nl80211_parse_vif_radio_mask(info, &radio_mask);
4975 	if (err < 0)
4976 		return err;
4977 
4978 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
4979 	if (!msg)
4980 		return -ENOMEM;
4981 
4982 	wdev = rdev_add_virtual_intf(rdev,
4983 				nla_data(info->attrs[NL80211_ATTR_IFNAME]),
4984 				NET_NAME_USER, type, &params);
4985 	if (WARN_ON(!wdev)) {
4986 		nlmsg_free(msg);
4987 		return -EPROTO;
4988 	} else if (IS_ERR(wdev)) {
4989 		nlmsg_free(msg);
4990 		return PTR_ERR(wdev);
4991 	}
4992 
4993 	if (info->attrs[NL80211_ATTR_SOCKET_OWNER])
4994 		wdev->owner_nlportid = info->snd_portid;
4995 
4996 	switch (type) {
4997 	case NL80211_IFTYPE_MESH_POINT:
4998 		if (!info->attrs[NL80211_ATTR_MESH_ID])
4999 			break;
5000 		wdev->u.mesh.id_up_len =
5001 			nla_len(info->attrs[NL80211_ATTR_MESH_ID]);
5002 		memcpy(wdev->u.mesh.id,
5003 		       nla_data(info->attrs[NL80211_ATTR_MESH_ID]),
5004 		       wdev->u.mesh.id_up_len);
5005 		break;
5006 	case NL80211_IFTYPE_NAN:
5007 	case NL80211_IFTYPE_P2P_DEVICE:
5008 		/*
5009 		 * P2P Device and NAN do not have a netdev, so don't go
5010 		 * through the netdev notifier and must be added here
5011 		 */
5012 		cfg80211_init_wdev(wdev);
5013 		cfg80211_register_wdev(rdev, wdev);
5014 		break;
5015 	default:
5016 		break;
5017 	}
5018 
5019 	if (radio_mask)
5020 		wdev->radio_mask = radio_mask;
5021 
5022 	if (nl80211_send_iface(msg, info->snd_portid, info->snd_seq, 0,
5023 			       rdev, wdev, NL80211_CMD_NEW_INTERFACE) < 0) {
5024 		nlmsg_free(msg);
5025 		return -ENOBUFS;
5026 	}
5027 
5028 	return genlmsg_reply(msg, info);
5029 }
5030 
5031 static int nl80211_new_interface(struct sk_buff *skb, struct genl_info *info)
5032 {
5033 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
5034 
5035 	/* to avoid failing a new interface creation due to pending removal */
5036 	cfg80211_destroy_ifaces(rdev);
5037 
5038 	guard(wiphy)(&rdev->wiphy);
5039 
5040 	return _nl80211_new_interface(skb, info);
5041 }
5042 
5043 static int nl80211_del_interface(struct sk_buff *skb, struct genl_info *info)
5044 {
5045 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
5046 	struct wireless_dev *wdev = info->user_ptr[1];
5047 
5048 	if (!rdev->ops->del_virtual_intf)
5049 		return -EOPNOTSUPP;
5050 
5051 	/*
5052 	 * We hold RTNL, so this is safe, without RTNL opencount cannot
5053 	 * reach 0, and thus the rdev cannot be deleted.
5054 	 *
5055 	 * We need to do it for the dev_close(), since that will call
5056 	 * the netdev notifiers, and we need to acquire the mutex there
5057 	 * but don't know if we get there from here or from some other
5058 	 * place (e.g. "ip link set ... down").
5059 	 */
5060 	mutex_unlock(&rdev->wiphy.mtx);
5061 
5062 	/*
5063 	 * If we remove a wireless device without a netdev then clear
5064 	 * user_ptr[1] so that nl80211_post_doit won't dereference it
5065 	 * to check if it needs to do dev_put(). Otherwise it crashes
5066 	 * since the wdev has been freed, unlike with a netdev where
5067 	 * we need the dev_put() for the netdev to really be freed.
5068 	 */
5069 	if (!wdev->netdev)
5070 		info->user_ptr[1] = NULL;
5071 	else
5072 		dev_close(wdev->netdev);
5073 
5074 	cfg80211_close_dependents(rdev, wdev);
5075 
5076 	mutex_lock(&rdev->wiphy.mtx);
5077 
5078 	return cfg80211_remove_virtual_intf(rdev, wdev);
5079 }
5080 
5081 static int nl80211_set_noack_map(struct sk_buff *skb, struct genl_info *info)
5082 {
5083 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
5084 	struct net_device *dev = info->user_ptr[1];
5085 	u16 noack_map;
5086 
5087 	if (!info->attrs[NL80211_ATTR_NOACK_MAP])
5088 		return -EINVAL;
5089 
5090 	if (!rdev->ops->set_noack_map)
5091 		return -EOPNOTSUPP;
5092 
5093 	noack_map = nla_get_u16(info->attrs[NL80211_ATTR_NOACK_MAP]);
5094 
5095 	return rdev_set_noack_map(rdev, dev, noack_map);
5096 }
5097 
5098 static int nl80211_validate_key_link_id(struct genl_info *info,
5099 					struct wireless_dev *wdev,
5100 					int link_id, bool pairwise)
5101 {
5102 	if (pairwise) {
5103 		if (link_id != -1) {
5104 			GENL_SET_ERR_MSG(info,
5105 					 "link ID not allowed for pairwise key");
5106 			return -EINVAL;
5107 		}
5108 
5109 		return 0;
5110 	}
5111 
5112 	if (wdev->valid_links) {
5113 		if (link_id == -1) {
5114 			GENL_SET_ERR_MSG(info,
5115 					 "link ID must for MLO group key");
5116 			return -EINVAL;
5117 		}
5118 		if (!(wdev->valid_links & BIT(link_id))) {
5119 			GENL_SET_ERR_MSG(info, "invalid link ID for MLO group key");
5120 			return -EINVAL;
5121 		}
5122 	} else if (link_id != -1) {
5123 		GENL_SET_ERR_MSG(info, "link ID not allowed for non-MLO group key");
5124 		return -EINVAL;
5125 	}
5126 
5127 	return 0;
5128 }
5129 
5130 struct get_key_cookie {
5131 	struct sk_buff *msg;
5132 	int error;
5133 	int idx;
5134 };
5135 
5136 static void get_key_callback(void *c, struct key_params *params)
5137 {
5138 	struct nlattr *key;
5139 	struct get_key_cookie *cookie = c;
5140 
5141 	if ((params->seq &&
5142 	     nla_put(cookie->msg, NL80211_ATTR_KEY_SEQ,
5143 		     params->seq_len, params->seq)) ||
5144 	    (params->cipher &&
5145 	     nla_put_u32(cookie->msg, NL80211_ATTR_KEY_CIPHER,
5146 			 params->cipher)))
5147 		goto nla_put_failure;
5148 
5149 	key = nla_nest_start_noflag(cookie->msg, NL80211_ATTR_KEY);
5150 	if (!key)
5151 		goto nla_put_failure;
5152 
5153 	if ((params->seq &&
5154 	     nla_put(cookie->msg, NL80211_KEY_SEQ,
5155 		     params->seq_len, params->seq)) ||
5156 	    (params->cipher &&
5157 	     nla_put_u32(cookie->msg, NL80211_KEY_CIPHER,
5158 			 params->cipher)))
5159 		goto nla_put_failure;
5160 
5161 	if (nla_put_u8(cookie->msg, NL80211_KEY_IDX, cookie->idx))
5162 		goto nla_put_failure;
5163 
5164 	nla_nest_end(cookie->msg, key);
5165 
5166 	return;
5167  nla_put_failure:
5168 	cookie->error = 1;
5169 }
5170 
5171 static int nl80211_get_key(struct sk_buff *skb, struct genl_info *info)
5172 {
5173 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
5174 	int err;
5175 	struct wireless_dev *wdev = info->user_ptr[1];
5176 	u8 key_idx = 0;
5177 	const u8 *mac_addr = NULL;
5178 	bool pairwise;
5179 	struct get_key_cookie cookie = {
5180 		.error = 0,
5181 	};
5182 	void *hdr;
5183 	struct sk_buff *msg;
5184 	bool bigtk_support = false;
5185 	int link_id = nl80211_link_id_or_invalid(info->attrs);
5186 
5187 	if (wiphy_ext_feature_isset(&rdev->wiphy,
5188 				    NL80211_EXT_FEATURE_BEACON_PROTECTION))
5189 		bigtk_support = true;
5190 
5191 	if ((wdev->iftype == NL80211_IFTYPE_STATION ||
5192 	     wdev->iftype == NL80211_IFTYPE_P2P_CLIENT) &&
5193 	    wiphy_ext_feature_isset(&rdev->wiphy,
5194 				    NL80211_EXT_FEATURE_BEACON_PROTECTION_CLIENT))
5195 		bigtk_support = true;
5196 
5197 	if (info->attrs[NL80211_ATTR_KEY_IDX]) {
5198 		key_idx = nla_get_u8(info->attrs[NL80211_ATTR_KEY_IDX]);
5199 
5200 		if (key_idx >= 6 && key_idx <= 7 && !bigtk_support) {
5201 			GENL_SET_ERR_MSG(info, "BIGTK not supported");
5202 			return -EINVAL;
5203 		}
5204 	}
5205 
5206 	if (info->attrs[NL80211_ATTR_MAC])
5207 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
5208 
5209 	pairwise = !!mac_addr;
5210 	if (info->attrs[NL80211_ATTR_KEY_TYPE]) {
5211 		u32 kt = nla_get_u32(info->attrs[NL80211_ATTR_KEY_TYPE]);
5212 
5213 		if (kt != NL80211_KEYTYPE_GROUP &&
5214 		    kt != NL80211_KEYTYPE_PAIRWISE)
5215 			return -EINVAL;
5216 		pairwise = kt == NL80211_KEYTYPE_PAIRWISE;
5217 	}
5218 
5219 	if (!rdev->ops->get_key)
5220 		return -EOPNOTSUPP;
5221 
5222 	if (!pairwise && mac_addr && !(rdev->wiphy.flags & WIPHY_FLAG_IBSS_RSN))
5223 		return -ENOENT;
5224 
5225 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
5226 	if (!msg)
5227 		return -ENOMEM;
5228 
5229 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
5230 			     NL80211_CMD_NEW_KEY);
5231 	if (!hdr)
5232 		goto nla_put_failure;
5233 
5234 	cookie.msg = msg;
5235 	cookie.idx = key_idx;
5236 
5237 	if ((wdev->netdev &&
5238 	     nla_put_u32(msg, NL80211_ATTR_IFINDEX, wdev->netdev->ifindex)) ||
5239 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
5240 			      NL80211_ATTR_PAD) ||
5241 	    nla_put_u8(msg, NL80211_ATTR_KEY_IDX, key_idx))
5242 		goto nla_put_failure;
5243 	if (mac_addr &&
5244 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac_addr))
5245 		goto nla_put_failure;
5246 
5247 	err = nl80211_validate_key_link_id(info, wdev, link_id, pairwise);
5248 	if (err)
5249 		goto free_msg;
5250 
5251 	err = rdev_get_key(rdev, wdev, link_id, key_idx, pairwise, mac_addr,
5252 			   &cookie, get_key_callback);
5253 
5254 	if (err)
5255 		goto free_msg;
5256 
5257 	if (cookie.error)
5258 		goto nla_put_failure;
5259 
5260 	genlmsg_end(msg, hdr);
5261 	return genlmsg_reply(msg, info);
5262 
5263  nla_put_failure:
5264 	err = -ENOBUFS;
5265  free_msg:
5266 	nlmsg_free(msg);
5267 	return err;
5268 }
5269 
5270 static int nl80211_set_key(struct sk_buff *skb, struct genl_info *info)
5271 {
5272 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
5273 	struct key_parse key;
5274 	int err;
5275 	struct wireless_dev *wdev = info->user_ptr[1];
5276 	int link_id = nl80211_link_id_or_invalid(info->attrs);
5277 
5278 	err = nl80211_parse_key(info, &key);
5279 	if (err)
5280 		return err;
5281 
5282 	if (key.idx < 0)
5283 		return -EINVAL;
5284 
5285 	/* Only support setting default key and
5286 	 * Extended Key ID action NL80211_KEY_SET_TX.
5287 	 */
5288 	if (!key.def && !key.defmgmt && !key.defbeacon &&
5289 	    !(key.p.mode == NL80211_KEY_SET_TX))
5290 		return -EINVAL;
5291 
5292 	if (key.def) {
5293 		if (!rdev->ops->set_default_key)
5294 			return -EOPNOTSUPP;
5295 
5296 		if (!wdev->netdev)
5297 			return -EINVAL;
5298 
5299 		err = nl80211_key_allowed(wdev);
5300 		if (err)
5301 			return err;
5302 
5303 		err = nl80211_validate_key_link_id(info, wdev, link_id, false);
5304 		if (err)
5305 			return err;
5306 
5307 		err = rdev_set_default_key(rdev, wdev->netdev, link_id, key.idx,
5308 					   key.def_uni, key.def_multi);
5309 
5310 		if (err)
5311 			return err;
5312 
5313 #ifdef CONFIG_CFG80211_WEXT
5314 		wdev->wext.default_key = key.idx;
5315 #endif
5316 		return 0;
5317 	} else if (key.defmgmt) {
5318 		if (key.def_uni || !key.def_multi)
5319 			return -EINVAL;
5320 
5321 		if (!rdev->ops->set_default_mgmt_key)
5322 			return -EOPNOTSUPP;
5323 
5324 		err = nl80211_key_allowed(wdev);
5325 		if (err)
5326 			return err;
5327 
5328 		err = nl80211_validate_key_link_id(info, wdev, link_id, false);
5329 		if (err)
5330 			return err;
5331 
5332 		err = rdev_set_default_mgmt_key(rdev, wdev, link_id, key.idx);
5333 		if (err)
5334 			return err;
5335 
5336 #ifdef CONFIG_CFG80211_WEXT
5337 		wdev->wext.default_mgmt_key = key.idx;
5338 #endif
5339 		return 0;
5340 	} else if (key.defbeacon) {
5341 		if (key.def_uni || !key.def_multi)
5342 			return -EINVAL;
5343 
5344 		if (!rdev->ops->set_default_beacon_key)
5345 			return -EOPNOTSUPP;
5346 
5347 		err = nl80211_key_allowed(wdev);
5348 		if (err)
5349 			return err;
5350 
5351 		err = nl80211_validate_key_link_id(info, wdev, link_id, false);
5352 		if (err)
5353 			return err;
5354 
5355 		return rdev_set_default_beacon_key(rdev, wdev, link_id,
5356 						   key.idx);
5357 	} else if (key.p.mode == NL80211_KEY_SET_TX &&
5358 		   wiphy_ext_feature_isset(&rdev->wiphy,
5359 					   NL80211_EXT_FEATURE_EXT_KEY_ID)) {
5360 		u8 *mac_addr = NULL;
5361 
5362 		if (info->attrs[NL80211_ATTR_MAC])
5363 			mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
5364 
5365 		if (!mac_addr || key.idx < 0 || key.idx > 1)
5366 			return -EINVAL;
5367 
5368 		err = nl80211_validate_key_link_id(info, wdev, link_id, true);
5369 		if (err)
5370 			return err;
5371 
5372 		return rdev_add_key(rdev, wdev, link_id, key.idx,
5373 				    NL80211_KEYTYPE_PAIRWISE,
5374 				    mac_addr, &key.p);
5375 	}
5376 
5377 	return -EINVAL;
5378 }
5379 
5380 static int nl80211_new_key(struct sk_buff *skb, struct genl_info *info)
5381 {
5382 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
5383 	int err;
5384 	struct wireless_dev *wdev = info->user_ptr[1];
5385 	struct key_parse key;
5386 	const u8 *mac_addr = NULL;
5387 	int link_id = nl80211_link_id_or_invalid(info->attrs);
5388 
5389 	err = nl80211_parse_key(info, &key);
5390 	if (err)
5391 		return err;
5392 
5393 	if (!key.p.key) {
5394 		GENL_SET_ERR_MSG(info, "no key");
5395 		return -EINVAL;
5396 	}
5397 
5398 	if (info->attrs[NL80211_ATTR_MAC])
5399 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
5400 
5401 	if (key.type == -1) {
5402 		if (mac_addr)
5403 			key.type = NL80211_KEYTYPE_PAIRWISE;
5404 		else
5405 			key.type = NL80211_KEYTYPE_GROUP;
5406 	}
5407 
5408 	/* for now */
5409 	if (key.type != NL80211_KEYTYPE_PAIRWISE &&
5410 	    key.type != NL80211_KEYTYPE_GROUP) {
5411 		GENL_SET_ERR_MSG(info, "key type not pairwise or group");
5412 		return -EINVAL;
5413 	}
5414 
5415 	if (key.type == NL80211_KEYTYPE_GROUP &&
5416 	    info->attrs[NL80211_ATTR_VLAN_ID])
5417 		key.p.vlan_id = nla_get_u16(info->attrs[NL80211_ATTR_VLAN_ID]);
5418 
5419 	if (!rdev->ops->add_key)
5420 		return -EOPNOTSUPP;
5421 
5422 	if (cfg80211_validate_key_settings(rdev, &key.p, key.idx,
5423 					   key.type == NL80211_KEYTYPE_PAIRWISE,
5424 					   mac_addr)) {
5425 		GENL_SET_ERR_MSG(info, "key setting validation failed");
5426 		return -EINVAL;
5427 	}
5428 
5429 	err = nl80211_key_allowed(wdev);
5430 	if (err)
5431 		GENL_SET_ERR_MSG(info, "key not allowed");
5432 
5433 	if (!err)
5434 		err = nl80211_validate_key_link_id(info, wdev, link_id,
5435 				key.type == NL80211_KEYTYPE_PAIRWISE);
5436 
5437 	if (!err) {
5438 		err = rdev_add_key(rdev, wdev, link_id, key.idx,
5439 				   key.type == NL80211_KEYTYPE_PAIRWISE,
5440 				    mac_addr, &key.p);
5441 		if (err)
5442 			GENL_SET_ERR_MSG(info, "key addition failed");
5443 	}
5444 
5445 	return err;
5446 }
5447 
5448 static int nl80211_del_key(struct sk_buff *skb, struct genl_info *info)
5449 {
5450 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
5451 	int err;
5452 	struct wireless_dev *wdev = info->user_ptr[1];
5453 	u8 *mac_addr = NULL;
5454 	struct key_parse key;
5455 	int link_id = nl80211_link_id_or_invalid(info->attrs);
5456 
5457 	err = nl80211_parse_key(info, &key);
5458 	if (err)
5459 		return err;
5460 
5461 	if (info->attrs[NL80211_ATTR_MAC])
5462 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
5463 
5464 	if (key.type == -1) {
5465 		if (mac_addr)
5466 			key.type = NL80211_KEYTYPE_PAIRWISE;
5467 		else
5468 			key.type = NL80211_KEYTYPE_GROUP;
5469 	}
5470 
5471 	/* for now */
5472 	if (key.type != NL80211_KEYTYPE_PAIRWISE &&
5473 	    key.type != NL80211_KEYTYPE_GROUP)
5474 		return -EINVAL;
5475 
5476 	if (!cfg80211_valid_key_idx(rdev, key.idx,
5477 				    key.type == NL80211_KEYTYPE_PAIRWISE))
5478 		return -EINVAL;
5479 
5480 	if (!rdev->ops->del_key)
5481 		return -EOPNOTSUPP;
5482 
5483 	err = nl80211_key_allowed(wdev);
5484 
5485 	if (key.type == NL80211_KEYTYPE_GROUP && mac_addr &&
5486 	    !(rdev->wiphy.flags & WIPHY_FLAG_IBSS_RSN))
5487 		err = -ENOENT;
5488 
5489 	if (!err)
5490 		err = nl80211_validate_key_link_id(info, wdev, link_id,
5491 				key.type == NL80211_KEYTYPE_PAIRWISE);
5492 
5493 	if (!err)
5494 		err = rdev_del_key(rdev, wdev, link_id, key.idx,
5495 				   key.type == NL80211_KEYTYPE_PAIRWISE,
5496 				   mac_addr);
5497 
5498 #ifdef CONFIG_CFG80211_WEXT
5499 	if (!err) {
5500 		if (key.idx == wdev->wext.default_key)
5501 			wdev->wext.default_key = -1;
5502 		else if (key.idx == wdev->wext.default_mgmt_key)
5503 			wdev->wext.default_mgmt_key = -1;
5504 	}
5505 #endif
5506 
5507 	return err;
5508 }
5509 
5510 /* This function returns an error or the number of nested attributes */
5511 static int validate_acl_mac_addrs(struct nlattr *nl_attr)
5512 {
5513 	struct nlattr *attr;
5514 	int n_entries = 0, tmp;
5515 
5516 	nla_for_each_nested(attr, nl_attr, tmp) {
5517 		if (nla_len(attr) != ETH_ALEN)
5518 			return -EINVAL;
5519 
5520 		n_entries++;
5521 	}
5522 
5523 	return n_entries;
5524 }
5525 
5526 /*
5527  * This function parses ACL information and allocates memory for ACL data.
5528  * On successful return, the calling function is responsible to free the
5529  * ACL buffer returned by this function.
5530  */
5531 static struct cfg80211_acl_data *parse_acl_data(struct wiphy *wiphy,
5532 						struct genl_info *info)
5533 {
5534 	enum nl80211_acl_policy acl_policy;
5535 	struct nlattr *attr;
5536 	struct cfg80211_acl_data *acl;
5537 	int i = 0, n_entries, tmp;
5538 
5539 	if (!wiphy->max_acl_mac_addrs)
5540 		return ERR_PTR(-EOPNOTSUPP);
5541 
5542 	if (!info->attrs[NL80211_ATTR_ACL_POLICY])
5543 		return ERR_PTR(-EINVAL);
5544 
5545 	acl_policy = nla_get_u32(info->attrs[NL80211_ATTR_ACL_POLICY]);
5546 	if (acl_policy != NL80211_ACL_POLICY_ACCEPT_UNLESS_LISTED &&
5547 	    acl_policy != NL80211_ACL_POLICY_DENY_UNLESS_LISTED)
5548 		return ERR_PTR(-EINVAL);
5549 
5550 	if (!info->attrs[NL80211_ATTR_MAC_ADDRS])
5551 		return ERR_PTR(-EINVAL);
5552 
5553 	n_entries = validate_acl_mac_addrs(info->attrs[NL80211_ATTR_MAC_ADDRS]);
5554 	if (n_entries < 0)
5555 		return ERR_PTR(n_entries);
5556 
5557 	if (n_entries > wiphy->max_acl_mac_addrs)
5558 		return ERR_PTR(-EOPNOTSUPP);
5559 
5560 	acl = kzalloc_flex(*acl, mac_addrs, n_entries);
5561 	if (!acl)
5562 		return ERR_PTR(-ENOMEM);
5563 	acl->n_acl_entries = n_entries;
5564 
5565 	nla_for_each_nested(attr, info->attrs[NL80211_ATTR_MAC_ADDRS], tmp) {
5566 		memcpy(acl->mac_addrs[i].addr, nla_data(attr), ETH_ALEN);
5567 		i++;
5568 	}
5569 	acl->acl_policy = acl_policy;
5570 
5571 	return acl;
5572 }
5573 
5574 static int nl80211_set_mac_acl(struct sk_buff *skb, struct genl_info *info)
5575 {
5576 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
5577 	struct net_device *dev = info->user_ptr[1];
5578 	struct cfg80211_acl_data *acl;
5579 	int err;
5580 
5581 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
5582 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
5583 		return -EOPNOTSUPP;
5584 
5585 	if (!dev->ieee80211_ptr->links[0].ap.beacon_interval)
5586 		return -EINVAL;
5587 
5588 	acl = parse_acl_data(&rdev->wiphy, info);
5589 	if (IS_ERR(acl))
5590 		return PTR_ERR(acl);
5591 
5592 	err = rdev_set_mac_acl(rdev, dev, acl);
5593 
5594 	kfree(acl);
5595 
5596 	return err;
5597 }
5598 
5599 static u32 rateset_to_mask(struct ieee80211_supported_band *sband,
5600 			   u8 *rates, u8 rates_len)
5601 {
5602 	u8 i;
5603 	u32 mask = 0;
5604 
5605 	for (i = 0; i < rates_len; i++) {
5606 		int rate = (rates[i] & 0x7f) * 5;
5607 		int ridx;
5608 
5609 		for (ridx = 0; ridx < sband->n_bitrates; ridx++) {
5610 			struct ieee80211_rate *srate =
5611 				&sband->bitrates[ridx];
5612 			if (rate == srate->bitrate) {
5613 				mask |= 1 << ridx;
5614 				break;
5615 			}
5616 		}
5617 		if (ridx == sband->n_bitrates)
5618 			return 0; /* rate not found */
5619 	}
5620 
5621 	return mask;
5622 }
5623 
5624 static bool ht_rateset_to_mask(struct ieee80211_supported_band *sband,
5625 			       u8 *rates, u8 rates_len,
5626 			       u8 mcs[IEEE80211_HT_MCS_MASK_LEN])
5627 {
5628 	u8 i;
5629 
5630 	memset(mcs, 0, IEEE80211_HT_MCS_MASK_LEN);
5631 
5632 	for (i = 0; i < rates_len; i++) {
5633 		int ridx, rbit;
5634 
5635 		ridx = rates[i] / 8;
5636 		rbit = BIT(rates[i] % 8);
5637 
5638 		/* check validity */
5639 		if ((ridx < 0) || (ridx >= IEEE80211_HT_MCS_MASK_LEN))
5640 			return false;
5641 
5642 		/* check availability */
5643 		ridx = array_index_nospec(ridx, IEEE80211_HT_MCS_MASK_LEN);
5644 		if (sband->ht_cap.mcs.rx_mask[ridx] & rbit)
5645 			mcs[ridx] |= rbit;
5646 		else
5647 			return false;
5648 	}
5649 
5650 	return true;
5651 }
5652 
5653 static u16 vht_mcs_map_to_mcs_mask(u8 vht_mcs_map)
5654 {
5655 	u16 mcs_mask = 0;
5656 
5657 	switch (vht_mcs_map) {
5658 	case IEEE80211_VHT_MCS_NOT_SUPPORTED:
5659 		break;
5660 	case IEEE80211_VHT_MCS_SUPPORT_0_7:
5661 		mcs_mask = 0x00FF;
5662 		break;
5663 	case IEEE80211_VHT_MCS_SUPPORT_0_8:
5664 		mcs_mask = 0x01FF;
5665 		break;
5666 	case IEEE80211_VHT_MCS_SUPPORT_0_9:
5667 		mcs_mask = 0x03FF;
5668 		break;
5669 	default:
5670 		break;
5671 	}
5672 
5673 	return mcs_mask;
5674 }
5675 
5676 static void vht_build_mcs_mask(u16 vht_mcs_map,
5677 			       u16 vht_mcs_mask[NL80211_VHT_NSS_MAX])
5678 {
5679 	u8 nss;
5680 
5681 	for (nss = 0; nss < NL80211_VHT_NSS_MAX; nss++) {
5682 		vht_mcs_mask[nss] = vht_mcs_map_to_mcs_mask(vht_mcs_map & 0x03);
5683 		vht_mcs_map >>= 2;
5684 	}
5685 }
5686 
5687 static bool vht_set_mcs_mask(struct ieee80211_supported_band *sband,
5688 			     struct nl80211_txrate_vht *txrate,
5689 			     u16 mcs[NL80211_VHT_NSS_MAX])
5690 {
5691 	u16 tx_mcs_map = le16_to_cpu(sband->vht_cap.vht_mcs.tx_mcs_map);
5692 	u16 tx_mcs_mask[NL80211_VHT_NSS_MAX] = {};
5693 	u8 i;
5694 
5695 	if (!sband->vht_cap.vht_supported)
5696 		return false;
5697 
5698 	memset(mcs, 0, sizeof(u16) * NL80211_VHT_NSS_MAX);
5699 
5700 	/* Build vht_mcs_mask from VHT capabilities */
5701 	vht_build_mcs_mask(tx_mcs_map, tx_mcs_mask);
5702 
5703 	for (i = 0; i < NL80211_VHT_NSS_MAX; i++) {
5704 		if ((tx_mcs_mask[i] & txrate->mcs[i]) == txrate->mcs[i])
5705 			mcs[i] = txrate->mcs[i];
5706 		else
5707 			return false;
5708 	}
5709 
5710 	return true;
5711 }
5712 
5713 static u16 he_mcs_map_to_mcs_mask(u8 he_mcs_map)
5714 {
5715 	switch (he_mcs_map) {
5716 	case IEEE80211_HE_MCS_NOT_SUPPORTED:
5717 		return 0;
5718 	case IEEE80211_HE_MCS_SUPPORT_0_7:
5719 		return 0x00FF;
5720 	case IEEE80211_HE_MCS_SUPPORT_0_9:
5721 		return 0x03FF;
5722 	case IEEE80211_HE_MCS_SUPPORT_0_11:
5723 		return 0xFFF;
5724 	default:
5725 		break;
5726 	}
5727 	return 0;
5728 }
5729 
5730 static void he_build_mcs_mask(u16 he_mcs_map,
5731 			      u16 he_mcs_mask[NL80211_HE_NSS_MAX])
5732 {
5733 	u8 nss;
5734 
5735 	for (nss = 0; nss < NL80211_HE_NSS_MAX; nss++) {
5736 		he_mcs_mask[nss] = he_mcs_map_to_mcs_mask(he_mcs_map & 0x03);
5737 		he_mcs_map >>= 2;
5738 	}
5739 }
5740 
5741 static u16 he_get_txmcsmap(struct genl_info *info, unsigned int link_id,
5742 			   const struct ieee80211_sta_he_cap *he_cap)
5743 {
5744 	struct net_device *dev = info->user_ptr[1];
5745 	struct wireless_dev *wdev = dev->ieee80211_ptr;
5746 	struct cfg80211_chan_def *chandef;
5747 	__le16 tx_mcs;
5748 
5749 	chandef = wdev_chandef(wdev, link_id);
5750 	if (!chandef) {
5751 		/*
5752 		 * This is probably broken, but we never maintained
5753 		 * a chandef in these cases, so it always was.
5754 		 */
5755 		return le16_to_cpu(he_cap->he_mcs_nss_supp.tx_mcs_80);
5756 	}
5757 
5758 	switch (chandef->width) {
5759 	case NL80211_CHAN_WIDTH_80P80:
5760 		tx_mcs = he_cap->he_mcs_nss_supp.tx_mcs_80p80;
5761 		break;
5762 	case NL80211_CHAN_WIDTH_160:
5763 		tx_mcs = he_cap->he_mcs_nss_supp.tx_mcs_160;
5764 		break;
5765 	default:
5766 		tx_mcs = he_cap->he_mcs_nss_supp.tx_mcs_80;
5767 		break;
5768 	}
5769 
5770 	return le16_to_cpu(tx_mcs);
5771 }
5772 
5773 static bool he_set_mcs_mask(struct genl_info *info,
5774 			    struct wireless_dev *wdev,
5775 			    struct ieee80211_supported_band *sband,
5776 			    struct nl80211_txrate_he *txrate,
5777 			    u16 mcs[NL80211_HE_NSS_MAX],
5778 			    unsigned int link_id)
5779 {
5780 	const struct ieee80211_sta_he_cap *he_cap;
5781 	u16 tx_mcs_mask[NL80211_HE_NSS_MAX] = {};
5782 	u16 tx_mcs_map = 0;
5783 	u8 i;
5784 
5785 	he_cap = ieee80211_get_he_iftype_cap(sband, wdev->iftype);
5786 	if (!he_cap)
5787 		return false;
5788 
5789 	memset(mcs, 0, sizeof(u16) * NL80211_HE_NSS_MAX);
5790 
5791 	tx_mcs_map = he_get_txmcsmap(info, link_id, he_cap);
5792 
5793 	/* Build he_mcs_mask from HE capabilities */
5794 	he_build_mcs_mask(tx_mcs_map, tx_mcs_mask);
5795 
5796 	for (i = 0; i < NL80211_HE_NSS_MAX; i++) {
5797 		if ((tx_mcs_mask[i] & txrate->mcs[i]) == txrate->mcs[i])
5798 			mcs[i] = txrate->mcs[i];
5799 		else
5800 			return false;
5801 	}
5802 
5803 	return true;
5804 }
5805 
5806 static void eht_build_mcs_mask(struct genl_info *info,
5807 			       const struct ieee80211_sta_eht_cap *eht_cap,
5808 			       u8 mcs_nss_len, u16 *mcs_mask)
5809 {
5810 	struct net_device *dev = info->user_ptr[1];
5811 	struct wireless_dev *wdev = dev->ieee80211_ptr;
5812 	u8 nss, mcs_7 = 0, mcs_9 = 0, mcs_11 = 0, mcs_13 = 0;
5813 	unsigned int link_id = nl80211_link_id(info->attrs);
5814 
5815 	if (mcs_nss_len == 4) {
5816 		const struct ieee80211_eht_mcs_nss_supp_20mhz_only *mcs =
5817 					&eht_cap->eht_mcs_nss_supp.only_20mhz;
5818 
5819 		mcs_7 = u8_get_bits(mcs->rx_tx_mcs7_max_nss,
5820 				    IEEE80211_EHT_MCS_NSS_TX);
5821 		mcs_9 = u8_get_bits(mcs->rx_tx_mcs9_max_nss,
5822 				    IEEE80211_EHT_MCS_NSS_TX);
5823 		mcs_11 = u8_get_bits(mcs->rx_tx_mcs11_max_nss,
5824 				     IEEE80211_EHT_MCS_NSS_TX);
5825 		mcs_13 = u8_get_bits(mcs->rx_tx_mcs13_max_nss,
5826 				     IEEE80211_EHT_MCS_NSS_TX);
5827 
5828 	} else {
5829 		const struct ieee80211_eht_mcs_nss_supp_bw *mcs;
5830 		enum nl80211_chan_width width;
5831 
5832 		switch (wdev->iftype) {
5833 		case NL80211_IFTYPE_ADHOC:
5834 			width = wdev->u.ibss.chandef.width;
5835 			break;
5836 		case NL80211_IFTYPE_MESH_POINT:
5837 			width = wdev->u.mesh.chandef.width;
5838 			break;
5839 		case NL80211_IFTYPE_OCB:
5840 			width = wdev->u.ocb.chandef.width;
5841 			break;
5842 		default:
5843 			if (wdev->valid_links)
5844 				width = wdev->links[link_id].ap.chandef.width;
5845 			else
5846 				width = wdev->u.ap.preset_chandef.width;
5847 			break;
5848 		}
5849 
5850 		switch (width) {
5851 		case NL80211_CHAN_WIDTH_320:
5852 			mcs = &eht_cap->eht_mcs_nss_supp.bw._320;
5853 			break;
5854 		case NL80211_CHAN_WIDTH_160:
5855 			mcs = &eht_cap->eht_mcs_nss_supp.bw._160;
5856 			break;
5857 		default:
5858 			mcs = &eht_cap->eht_mcs_nss_supp.bw._80;
5859 			break;
5860 		}
5861 
5862 		mcs_7 = u8_get_bits(mcs->rx_tx_mcs9_max_nss,
5863 				    IEEE80211_EHT_MCS_NSS_TX);
5864 		mcs_9 = u8_get_bits(mcs->rx_tx_mcs9_max_nss,
5865 				    IEEE80211_EHT_MCS_NSS_TX);
5866 		mcs_11 = u8_get_bits(mcs->rx_tx_mcs11_max_nss,
5867 				     IEEE80211_EHT_MCS_NSS_TX);
5868 		mcs_13 = u8_get_bits(mcs->rx_tx_mcs13_max_nss,
5869 				     IEEE80211_EHT_MCS_NSS_TX);
5870 	}
5871 
5872 	/* Enable MCS 14 for NSS 0 */
5873 	if (eht_cap->eht_cap_elem.phy_cap_info[6] &
5874 	    IEEE80211_EHT_PHY_CAP6_EHT_DUP_6GHZ_SUPP)
5875 		mcs_mask[0] |= 0x4000;
5876 
5877 	/* Enable MCS 15 for NSS 0 */
5878 	mcs_mask[0] |= 0x8000;
5879 
5880 	for (nss = 0; nss < NL80211_EHT_NSS_MAX; nss++) {
5881 		if (!mcs_7)
5882 			continue;
5883 		mcs_mask[nss] |= 0x00FF;
5884 		mcs_7--;
5885 
5886 		if (!mcs_9)
5887 			continue;
5888 		mcs_mask[nss] |= 0x0300;
5889 		mcs_9--;
5890 
5891 		if (!mcs_11)
5892 			continue;
5893 		mcs_mask[nss] |= 0x0C00;
5894 		mcs_11--;
5895 
5896 		if (!mcs_13)
5897 			continue;
5898 		mcs_mask[nss] |= 0x3000;
5899 		mcs_13--;
5900 	}
5901 }
5902 
5903 static bool eht_set_mcs_mask(struct genl_info *info, struct wireless_dev *wdev,
5904 			     struct ieee80211_supported_band *sband,
5905 			     struct nl80211_txrate_eht *txrate,
5906 			     u16 mcs[NL80211_EHT_NSS_MAX])
5907 {
5908 	const struct ieee80211_sta_he_cap *he_cap;
5909 	const struct ieee80211_sta_eht_cap *eht_cap;
5910 	u16 tx_mcs_mask[NL80211_EHT_NSS_MAX] = { 0 };
5911 	u8 i, mcs_nss_len;
5912 
5913 	he_cap = ieee80211_get_he_iftype_cap(sband, wdev->iftype);
5914 	if (!he_cap)
5915 		return false;
5916 
5917 	eht_cap = ieee80211_get_eht_iftype_cap(sband, wdev->iftype);
5918 	if (!eht_cap)
5919 		return false;
5920 
5921 	/* Checks for MCS 14 */
5922 	if (txrate->mcs[0] & 0x4000) {
5923 		if (sband->band != NL80211_BAND_6GHZ)
5924 			return false;
5925 
5926 		if (!(eht_cap->eht_cap_elem.phy_cap_info[6] &
5927 		      IEEE80211_EHT_PHY_CAP6_EHT_DUP_6GHZ_SUPP))
5928 			return false;
5929 	}
5930 
5931 	mcs_nss_len = ieee80211_eht_mcs_nss_size(&he_cap->he_cap_elem,
5932 						 &eht_cap->eht_cap_elem,
5933 						 wdev->iftype ==
5934 							NL80211_IFTYPE_STATION);
5935 
5936 	if (mcs_nss_len == 3) {
5937 		/* Supported iftypes for setting non-20 MHZ only EHT MCS */
5938 		switch (wdev->iftype) {
5939 		case NL80211_IFTYPE_ADHOC:
5940 		case NL80211_IFTYPE_AP:
5941 		case NL80211_IFTYPE_P2P_GO:
5942 		case NL80211_IFTYPE_MESH_POINT:
5943 		case NL80211_IFTYPE_OCB:
5944 			break;
5945 		default:
5946 			return false;
5947 		}
5948 	}
5949 
5950 	/* Build eht_mcs_mask from EHT and HE capabilities */
5951 	eht_build_mcs_mask(info, eht_cap, mcs_nss_len, tx_mcs_mask);
5952 
5953 	memset(mcs, 0, sizeof(u16) * NL80211_EHT_NSS_MAX);
5954 	for (i = 0; i < NL80211_EHT_NSS_MAX; i++) {
5955 		if ((tx_mcs_mask[i] & txrate->mcs[i]) == txrate->mcs[i])
5956 			mcs[i] = txrate->mcs[i];
5957 		else
5958 			return false;
5959 	}
5960 
5961 	return true;
5962 }
5963 
5964 static int nl80211_parse_tx_bitrate_mask(struct genl_info *info,
5965 					 struct nlattr *attrs[],
5966 					 enum nl80211_attrs attr,
5967 					 struct cfg80211_bitrate_mask *mask,
5968 					 struct net_device *dev,
5969 					 bool default_all_enabled,
5970 					 unsigned int link_id)
5971 {
5972 	struct nlattr *tb[NL80211_TXRATE_MAX + 1];
5973 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
5974 	struct wireless_dev *wdev = dev->ieee80211_ptr;
5975 	int rem, i;
5976 	struct nlattr *tx_rates;
5977 	struct ieee80211_supported_band *sband;
5978 	u16 vht_tx_mcs_map, he_tx_mcs_map;
5979 
5980 	memset(mask, 0, sizeof(*mask));
5981 	/* Default to all rates enabled */
5982 	for (i = 0; i < NUM_NL80211_BANDS; i++) {
5983 		const struct ieee80211_sta_he_cap *he_cap;
5984 		const struct ieee80211_sta_eht_cap *eht_cap;
5985 		u8 mcs_nss_len;
5986 
5987 		if (!default_all_enabled)
5988 			break;
5989 
5990 		sband = rdev->wiphy.bands[i];
5991 
5992 		if (!sband)
5993 			continue;
5994 
5995 		mask->control[i].legacy = (1 << sband->n_bitrates) - 1;
5996 		memcpy(mask->control[i].ht_mcs,
5997 		       sband->ht_cap.mcs.rx_mask,
5998 		       sizeof(mask->control[i].ht_mcs));
5999 
6000 		if (sband->vht_cap.vht_supported) {
6001 			vht_tx_mcs_map = le16_to_cpu(sband->vht_cap.vht_mcs.tx_mcs_map);
6002 			vht_build_mcs_mask(vht_tx_mcs_map, mask->control[i].vht_mcs);
6003 		}
6004 
6005 		he_cap = ieee80211_get_he_iftype_cap(sband, wdev->iftype);
6006 		if (!he_cap)
6007 			continue;
6008 
6009 		he_tx_mcs_map = he_get_txmcsmap(info, link_id, he_cap);
6010 		he_build_mcs_mask(he_tx_mcs_map, mask->control[i].he_mcs);
6011 
6012 		mask->control[i].he_gi = 0xFF;
6013 		mask->control[i].he_ltf = 0xFF;
6014 
6015 		eht_cap = ieee80211_get_eht_iftype_cap(sband, wdev->iftype);
6016 		if (!eht_cap)
6017 			continue;
6018 
6019 		mcs_nss_len = ieee80211_eht_mcs_nss_size(&he_cap->he_cap_elem,
6020 							 &eht_cap->eht_cap_elem,
6021 							 wdev->iftype ==
6022 							 NL80211_IFTYPE_STATION);
6023 
6024 		eht_build_mcs_mask(info, eht_cap, mcs_nss_len,
6025 				   mask->control[i].eht_mcs);
6026 
6027 		mask->control[i].eht_gi = 0xFF;
6028 		mask->control[i].eht_ltf = 0xFF;
6029 	}
6030 
6031 	/* if no rates are given set it back to the defaults */
6032 	if (!attrs[attr])
6033 		goto out;
6034 
6035 	/* The nested attribute uses enum nl80211_band as the index. This maps
6036 	 * directly to the enum nl80211_band values used in cfg80211.
6037 	 */
6038 	BUILD_BUG_ON(NL80211_MAX_SUPP_HT_RATES > IEEE80211_HT_MCS_MASK_LEN * 8);
6039 	nla_for_each_nested(tx_rates, attrs[attr], rem) {
6040 		int band = nla_type(tx_rates);
6041 		int err;
6042 
6043 		if (band < 0 || band >= NUM_NL80211_BANDS)
6044 			return -EINVAL;
6045 		sband = rdev->wiphy.bands[band];
6046 		if (sband == NULL)
6047 			return -EINVAL;
6048 		err = nla_parse_nested_deprecated(tb, NL80211_TXRATE_MAX,
6049 						  tx_rates,
6050 						  nl80211_txattr_policy,
6051 						  info->extack);
6052 		if (err)
6053 			return err;
6054 		if (tb[NL80211_TXRATE_LEGACY]) {
6055 			mask->control[band].legacy = rateset_to_mask(
6056 				sband,
6057 				nla_data(tb[NL80211_TXRATE_LEGACY]),
6058 				nla_len(tb[NL80211_TXRATE_LEGACY]));
6059 			if ((mask->control[band].legacy == 0) &&
6060 			    nla_len(tb[NL80211_TXRATE_LEGACY]))
6061 				return -EINVAL;
6062 		}
6063 		if (tb[NL80211_TXRATE_HT]) {
6064 			if (!ht_rateset_to_mask(
6065 					sband,
6066 					nla_data(tb[NL80211_TXRATE_HT]),
6067 					nla_len(tb[NL80211_TXRATE_HT]),
6068 					mask->control[band].ht_mcs))
6069 				return -EINVAL;
6070 		}
6071 
6072 		if (tb[NL80211_TXRATE_VHT]) {
6073 			if (!vht_set_mcs_mask(
6074 					sband,
6075 					nla_data(tb[NL80211_TXRATE_VHT]),
6076 					mask->control[band].vht_mcs))
6077 				return -EINVAL;
6078 		}
6079 
6080 		if (tb[NL80211_TXRATE_GI]) {
6081 			mask->control[band].gi =
6082 				nla_get_u8(tb[NL80211_TXRATE_GI]);
6083 			if (mask->control[band].gi > NL80211_TXRATE_FORCE_LGI)
6084 				return -EINVAL;
6085 		}
6086 		if (tb[NL80211_TXRATE_HE] &&
6087 		    !he_set_mcs_mask(info, wdev, sband,
6088 				     nla_data(tb[NL80211_TXRATE_HE]),
6089 				     mask->control[band].he_mcs,
6090 				     link_id))
6091 			return -EINVAL;
6092 
6093 		if (tb[NL80211_TXRATE_HE_GI])
6094 			mask->control[band].he_gi =
6095 				nla_get_u8(tb[NL80211_TXRATE_HE_GI]);
6096 		if (tb[NL80211_TXRATE_HE_LTF])
6097 			mask->control[band].he_ltf =
6098 				nla_get_u8(tb[NL80211_TXRATE_HE_LTF]);
6099 
6100 		if (tb[NL80211_TXRATE_EHT] &&
6101 		    !eht_set_mcs_mask(info, wdev, sband,
6102 				      nla_data(tb[NL80211_TXRATE_EHT]),
6103 				      mask->control[band].eht_mcs))
6104 			return -EINVAL;
6105 
6106 		if (tb[NL80211_TXRATE_EHT_GI])
6107 			mask->control[band].eht_gi =
6108 				nla_get_u8(tb[NL80211_TXRATE_EHT_GI]);
6109 		if (tb[NL80211_TXRATE_EHT_LTF])
6110 			mask->control[band].eht_ltf =
6111 				nla_get_u8(tb[NL80211_TXRATE_EHT_LTF]);
6112 
6113 		if (mask->control[band].legacy == 0) {
6114 			/* don't allow empty legacy rates if HT, VHT, HE or EHT
6115 			 * are not even supported.
6116 			 */
6117 			if (!(rdev->wiphy.bands[band]->ht_cap.ht_supported ||
6118 			      rdev->wiphy.bands[band]->vht_cap.vht_supported ||
6119 			      ieee80211_get_he_iftype_cap(sband, wdev->iftype) ||
6120 			      ieee80211_get_eht_iftype_cap(sband, wdev->iftype)))
6121 				return -EINVAL;
6122 
6123 			for (i = 0; i < IEEE80211_HT_MCS_MASK_LEN; i++)
6124 				if (mask->control[band].ht_mcs[i])
6125 					goto out;
6126 
6127 			for (i = 0; i < NL80211_VHT_NSS_MAX; i++)
6128 				if (mask->control[band].vht_mcs[i])
6129 					goto out;
6130 
6131 			for (i = 0; i < NL80211_HE_NSS_MAX; i++)
6132 				if (mask->control[band].he_mcs[i])
6133 					goto out;
6134 
6135 			for (i = 0; i < NL80211_EHT_NSS_MAX; i++)
6136 				if (mask->control[band].eht_mcs[i])
6137 					goto out;
6138 
6139 			/* legacy and mcs rates may not be both empty */
6140 			return -EINVAL;
6141 		}
6142 	}
6143 
6144 out:
6145 	return 0;
6146 }
6147 
6148 static int validate_beacon_tx_rate(struct cfg80211_registered_device *rdev,
6149 				   enum nl80211_band band,
6150 				   struct cfg80211_bitrate_mask *beacon_rate)
6151 {
6152 	u32 count_ht, count_vht, count_he, count_eht, i;
6153 	u32 rate = beacon_rate->control[band].legacy;
6154 
6155 	/* Allow only one rate */
6156 	if (hweight32(rate) > 1)
6157 		return -EINVAL;
6158 
6159 	count_ht = 0;
6160 	for (i = 0; i < IEEE80211_HT_MCS_MASK_LEN; i++) {
6161 		if (hweight8(beacon_rate->control[band].ht_mcs[i]) > 1) {
6162 			return -EINVAL;
6163 		} else if (beacon_rate->control[band].ht_mcs[i]) {
6164 			count_ht++;
6165 			if (count_ht > 1)
6166 				return -EINVAL;
6167 		}
6168 		if (count_ht && rate)
6169 			return -EINVAL;
6170 	}
6171 
6172 	count_vht = 0;
6173 	for (i = 0; i < NL80211_VHT_NSS_MAX; i++) {
6174 		if (hweight16(beacon_rate->control[band].vht_mcs[i]) > 1) {
6175 			return -EINVAL;
6176 		} else if (beacon_rate->control[band].vht_mcs[i]) {
6177 			count_vht++;
6178 			if (count_vht > 1)
6179 				return -EINVAL;
6180 		}
6181 		if (count_vht && rate)
6182 			return -EINVAL;
6183 	}
6184 
6185 	count_he = 0;
6186 	for (i = 0; i < NL80211_HE_NSS_MAX; i++) {
6187 		if (hweight16(beacon_rate->control[band].he_mcs[i]) > 1) {
6188 			return -EINVAL;
6189 		} else if (beacon_rate->control[band].he_mcs[i]) {
6190 			count_he++;
6191 			if (count_he > 1)
6192 				return -EINVAL;
6193 		}
6194 		if (count_he && rate)
6195 			return -EINVAL;
6196 	}
6197 
6198 	count_eht = 0;
6199 	for (i = 0; i < NL80211_EHT_NSS_MAX; i++) {
6200 		if (hweight16(beacon_rate->control[band].eht_mcs[i]) > 1) {
6201 			return -EINVAL;
6202 		} else if (beacon_rate->control[band].eht_mcs[i]) {
6203 			count_eht++;
6204 			if (count_eht > 1)
6205 				return -EINVAL;
6206 		}
6207 		if (count_eht && rate)
6208 			return -EINVAL;
6209 	}
6210 
6211 	if ((count_ht && count_vht && count_he && count_eht) ||
6212 	    (!rate && !count_ht && !count_vht && !count_he && !count_eht))
6213 		return -EINVAL;
6214 
6215 	if (rate &&
6216 	    !wiphy_ext_feature_isset(&rdev->wiphy,
6217 				     NL80211_EXT_FEATURE_BEACON_RATE_LEGACY))
6218 		return -EINVAL;
6219 	if (count_ht &&
6220 	    !wiphy_ext_feature_isset(&rdev->wiphy,
6221 				     NL80211_EXT_FEATURE_BEACON_RATE_HT))
6222 		return -EINVAL;
6223 	if (count_vht &&
6224 	    !wiphy_ext_feature_isset(&rdev->wiphy,
6225 				     NL80211_EXT_FEATURE_BEACON_RATE_VHT))
6226 		return -EINVAL;
6227 	if (count_he &&
6228 	    !wiphy_ext_feature_isset(&rdev->wiphy,
6229 				     NL80211_EXT_FEATURE_BEACON_RATE_HE))
6230 		return -EINVAL;
6231 
6232 	if (count_eht &&
6233 	    !wiphy_ext_feature_isset(&rdev->wiphy,
6234 				     NL80211_EXT_FEATURE_BEACON_RATE_EHT))
6235 		return -EINVAL;
6236 
6237 	return 0;
6238 }
6239 
6240 static int nl80211_parse_mbssid_config(struct wiphy *wiphy,
6241 				       struct net_device *dev,
6242 				       unsigned int link_id,
6243 				       struct nlattr *attrs,
6244 				       struct cfg80211_mbssid_config *config,
6245 				       u8 num_elems)
6246 {
6247 	struct nlattr *tb[NL80211_MBSSID_CONFIG_ATTR_MAX + 1];
6248 	int tx_link_id = -1;
6249 
6250 	if (!wiphy->mbssid_max_interfaces)
6251 		return -EOPNOTSUPP;
6252 
6253 	if (nla_parse_nested(tb, NL80211_MBSSID_CONFIG_ATTR_MAX, attrs, NULL,
6254 			     NULL) ||
6255 	    !tb[NL80211_MBSSID_CONFIG_ATTR_INDEX])
6256 		return -EINVAL;
6257 
6258 	config->ema = nla_get_flag(tb[NL80211_MBSSID_CONFIG_ATTR_EMA]);
6259 	if (config->ema) {
6260 		if (!wiphy->ema_max_profile_periodicity)
6261 			return -EOPNOTSUPP;
6262 
6263 		if (num_elems > wiphy->ema_max_profile_periodicity)
6264 			return -EINVAL;
6265 	}
6266 
6267 	config->index = nla_get_u8(tb[NL80211_MBSSID_CONFIG_ATTR_INDEX]);
6268 	if (config->index >= wiphy->mbssid_max_interfaces ||
6269 	    (!config->index && !num_elems))
6270 		return -EINVAL;
6271 
6272 	if (tb[NL80211_MBSSID_CONFIG_ATTR_TX_LINK_ID])
6273 		tx_link_id = nla_get_u8(tb[NL80211_MBSSID_CONFIG_ATTR_TX_LINK_ID]);
6274 
6275 	if (tb[NL80211_MBSSID_CONFIG_ATTR_TX_IFINDEX]) {
6276 		u32 tx_ifindex =
6277 			nla_get_u32(tb[NL80211_MBSSID_CONFIG_ATTR_TX_IFINDEX]);
6278 
6279 		if ((!config->index && tx_ifindex != dev->ifindex) ||
6280 		    (config->index && tx_ifindex == dev->ifindex))
6281 			return -EINVAL;
6282 
6283 		if (tx_ifindex != dev->ifindex) {
6284 			struct net_device *tx_netdev =
6285 				dev_get_by_index(wiphy_net(wiphy), tx_ifindex);
6286 
6287 			if (!tx_netdev || !tx_netdev->ieee80211_ptr ||
6288 			    tx_netdev->ieee80211_ptr->wiphy != wiphy ||
6289 			    tx_netdev->ieee80211_ptr->iftype !=
6290 							NL80211_IFTYPE_AP) {
6291 				dev_put(tx_netdev);
6292 				return -EINVAL;
6293 			}
6294 
6295 			config->tx_wdev = tx_netdev->ieee80211_ptr;
6296 			/* Caller should call dev_put(config->tx_wdev) from this point */
6297 
6298 			if (config->tx_wdev->valid_links) {
6299 				if (tx_link_id == -1 ||
6300 				    !(config->tx_wdev->valid_links & BIT(tx_link_id)))
6301 					return -ENOLINK;
6302 
6303 				config->tx_link_id = tx_link_id;
6304 			}
6305 		} else {
6306 			if (tx_link_id >= 0 && tx_link_id != link_id)
6307 				return -EINVAL;
6308 
6309 			config->tx_wdev = dev->ieee80211_ptr;
6310 		}
6311 	} else if (!config->index) {
6312 		if (tx_link_id >= 0 && tx_link_id != link_id)
6313 			return -EINVAL;
6314 
6315 		config->tx_wdev = dev->ieee80211_ptr;
6316 	} else {
6317 		return -EINVAL;
6318 	}
6319 
6320 	return 0;
6321 }
6322 
6323 static struct cfg80211_mbssid_elems *
6324 nl80211_parse_mbssid_elems(struct wiphy *wiphy, struct nlattr *attrs)
6325 {
6326 	struct nlattr *nl_elems;
6327 	struct cfg80211_mbssid_elems *elems;
6328 	int rem_elems;
6329 	u8 i = 0, num_elems = 0;
6330 
6331 	if (!wiphy->mbssid_max_interfaces)
6332 		return ERR_PTR(-EINVAL);
6333 
6334 	nla_for_each_nested(nl_elems, attrs, rem_elems) {
6335 		if (num_elems >= 255)
6336 			return ERR_PTR(-EINVAL);
6337 		num_elems++;
6338 	}
6339 
6340 	elems = kzalloc_flex(*elems, elem, num_elems);
6341 	if (!elems)
6342 		return ERR_PTR(-ENOMEM);
6343 	elems->cnt = num_elems;
6344 
6345 	nla_for_each_nested(nl_elems, attrs, rem_elems) {
6346 		elems->elem[i].data = nla_data(nl_elems);
6347 		elems->elem[i].len = nla_len(nl_elems);
6348 		i++;
6349 	}
6350 	return elems;
6351 }
6352 
6353 static struct cfg80211_rnr_elems *
6354 nl80211_parse_rnr_elems(struct wiphy *wiphy, struct nlattr *attrs,
6355 			struct netlink_ext_ack *extack)
6356 {
6357 	struct nlattr *nl_elems;
6358 	struct cfg80211_rnr_elems *elems;
6359 	int rem_elems;
6360 	u8 i = 0, num_elems = 0;
6361 
6362 	nla_for_each_nested(nl_elems, attrs, rem_elems) {
6363 		int ret;
6364 
6365 		ret = validate_ie_attr(nl_elems, extack);
6366 		if (ret)
6367 			return ERR_PTR(ret);
6368 
6369 		num_elems++;
6370 	}
6371 
6372 	elems = kzalloc_flex(*elems, elem, num_elems);
6373 	if (!elems)
6374 		return ERR_PTR(-ENOMEM);
6375 	elems->cnt = num_elems;
6376 
6377 	nla_for_each_nested(nl_elems, attrs, rem_elems) {
6378 		elems->elem[i].data = nla_data(nl_elems);
6379 		elems->elem[i].len = nla_len(nl_elems);
6380 		i++;
6381 	}
6382 	return elems;
6383 }
6384 
6385 static int nl80211_parse_he_bss_color(struct nlattr *attrs,
6386 				      struct cfg80211_he_bss_color *he_bss_color)
6387 {
6388 	struct nlattr *tb[NL80211_HE_BSS_COLOR_ATTR_MAX + 1];
6389 	int err;
6390 
6391 	err = nla_parse_nested(tb, NL80211_HE_BSS_COLOR_ATTR_MAX, attrs,
6392 			       he_bss_color_policy, NULL);
6393 	if (err)
6394 		return err;
6395 
6396 	if (!tb[NL80211_HE_BSS_COLOR_ATTR_COLOR])
6397 		return -EINVAL;
6398 
6399 	he_bss_color->color =
6400 		nla_get_u8(tb[NL80211_HE_BSS_COLOR_ATTR_COLOR]);
6401 	he_bss_color->enabled =
6402 		!nla_get_flag(tb[NL80211_HE_BSS_COLOR_ATTR_DISABLED]);
6403 	he_bss_color->partial =
6404 		nla_get_flag(tb[NL80211_HE_BSS_COLOR_ATTR_PARTIAL]);
6405 
6406 	return 0;
6407 }
6408 
6409 static int nl80211_parse_beacon(struct cfg80211_registered_device *rdev,
6410 				struct nlattr *attrs[],
6411 				struct cfg80211_beacon_data *bcn,
6412 				struct netlink_ext_ack *extack)
6413 {
6414 	bool haveinfo = false;
6415 	int err;
6416 
6417 	memset(bcn, 0, sizeof(*bcn));
6418 
6419 	bcn->link_id = nl80211_link_id(attrs);
6420 
6421 	if (attrs[NL80211_ATTR_BEACON_HEAD]) {
6422 		bcn->head = nla_data(attrs[NL80211_ATTR_BEACON_HEAD]);
6423 		bcn->head_len = nla_len(attrs[NL80211_ATTR_BEACON_HEAD]);
6424 		if (!bcn->head_len)
6425 			return -EINVAL;
6426 		haveinfo = true;
6427 	}
6428 
6429 	if (attrs[NL80211_ATTR_BEACON_TAIL]) {
6430 		bcn->tail = nla_data(attrs[NL80211_ATTR_BEACON_TAIL]);
6431 		bcn->tail_len = nla_len(attrs[NL80211_ATTR_BEACON_TAIL]);
6432 		haveinfo = true;
6433 	}
6434 
6435 	if (!haveinfo)
6436 		return -EINVAL;
6437 
6438 	if (attrs[NL80211_ATTR_IE]) {
6439 		bcn->beacon_ies = nla_data(attrs[NL80211_ATTR_IE]);
6440 		bcn->beacon_ies_len = nla_len(attrs[NL80211_ATTR_IE]);
6441 	}
6442 
6443 	if (attrs[NL80211_ATTR_IE_PROBE_RESP]) {
6444 		bcn->proberesp_ies =
6445 			nla_data(attrs[NL80211_ATTR_IE_PROBE_RESP]);
6446 		bcn->proberesp_ies_len =
6447 			nla_len(attrs[NL80211_ATTR_IE_PROBE_RESP]);
6448 	}
6449 
6450 	if (attrs[NL80211_ATTR_IE_ASSOC_RESP]) {
6451 		bcn->assocresp_ies =
6452 			nla_data(attrs[NL80211_ATTR_IE_ASSOC_RESP]);
6453 		bcn->assocresp_ies_len =
6454 			nla_len(attrs[NL80211_ATTR_IE_ASSOC_RESP]);
6455 	}
6456 
6457 	if (attrs[NL80211_ATTR_PROBE_RESP]) {
6458 		bcn->probe_resp = nla_data(attrs[NL80211_ATTR_PROBE_RESP]);
6459 		bcn->probe_resp_len = nla_len(attrs[NL80211_ATTR_PROBE_RESP]);
6460 	}
6461 
6462 	if (attrs[NL80211_ATTR_FTM_RESPONDER]) {
6463 		struct nlattr *tb[NL80211_FTM_RESP_ATTR_MAX + 1];
6464 
6465 		err = nla_parse_nested_deprecated(tb,
6466 						  NL80211_FTM_RESP_ATTR_MAX,
6467 						  attrs[NL80211_ATTR_FTM_RESPONDER],
6468 						  NULL, NULL);
6469 		if (err)
6470 			return err;
6471 
6472 		if (tb[NL80211_FTM_RESP_ATTR_ENABLED] &&
6473 		    wiphy_ext_feature_isset(&rdev->wiphy,
6474 					    NL80211_EXT_FEATURE_ENABLE_FTM_RESPONDER))
6475 			bcn->ftm_responder = 1;
6476 		else
6477 			return -EOPNOTSUPP;
6478 
6479 		if (tb[NL80211_FTM_RESP_ATTR_LCI]) {
6480 			bcn->lci = nla_data(tb[NL80211_FTM_RESP_ATTR_LCI]);
6481 			bcn->lci_len = nla_len(tb[NL80211_FTM_RESP_ATTR_LCI]);
6482 		}
6483 
6484 		if (tb[NL80211_FTM_RESP_ATTR_CIVICLOC]) {
6485 			bcn->civicloc = nla_data(tb[NL80211_FTM_RESP_ATTR_CIVICLOC]);
6486 			bcn->civicloc_len = nla_len(tb[NL80211_FTM_RESP_ATTR_CIVICLOC]);
6487 		}
6488 	} else {
6489 		bcn->ftm_responder = -1;
6490 	}
6491 
6492 	if (attrs[NL80211_ATTR_HE_BSS_COLOR]) {
6493 		err = nl80211_parse_he_bss_color(attrs[NL80211_ATTR_HE_BSS_COLOR],
6494 						 &bcn->he_bss_color);
6495 		if (err)
6496 			return err;
6497 		bcn->he_bss_color_valid = true;
6498 	}
6499 
6500 	if (attrs[NL80211_ATTR_MBSSID_ELEMS]) {
6501 		struct cfg80211_mbssid_elems *mbssid =
6502 			nl80211_parse_mbssid_elems(&rdev->wiphy,
6503 						   attrs[NL80211_ATTR_MBSSID_ELEMS]);
6504 
6505 		if (IS_ERR(mbssid))
6506 			return PTR_ERR(mbssid);
6507 
6508 		bcn->mbssid_ies = mbssid;
6509 
6510 		if (bcn->mbssid_ies && attrs[NL80211_ATTR_EMA_RNR_ELEMS]) {
6511 			struct cfg80211_rnr_elems *rnr =
6512 				nl80211_parse_rnr_elems(&rdev->wiphy,
6513 							attrs[NL80211_ATTR_EMA_RNR_ELEMS],
6514 							extack);
6515 
6516 			if (IS_ERR(rnr))
6517 				return PTR_ERR(rnr);
6518 
6519 			if (rnr && rnr->cnt < bcn->mbssid_ies->cnt)
6520 				return -EINVAL;
6521 
6522 			bcn->rnr_ies = rnr;
6523 		}
6524 	}
6525 
6526 	return 0;
6527 }
6528 
6529 static int nl80211_parse_he_obss_pd(struct nlattr *attrs,
6530 				    struct ieee80211_he_obss_pd *he_obss_pd)
6531 {
6532 	struct nlattr *tb[NL80211_HE_OBSS_PD_ATTR_MAX + 1];
6533 	int err;
6534 
6535 	err = nla_parse_nested(tb, NL80211_HE_OBSS_PD_ATTR_MAX, attrs,
6536 			       he_obss_pd_policy, NULL);
6537 	if (err)
6538 		return err;
6539 
6540 	if (!tb[NL80211_HE_OBSS_PD_ATTR_SR_CTRL])
6541 		return -EINVAL;
6542 
6543 	he_obss_pd->sr_ctrl = nla_get_u8(tb[NL80211_HE_OBSS_PD_ATTR_SR_CTRL]);
6544 
6545 	if (tb[NL80211_HE_OBSS_PD_ATTR_MIN_OFFSET])
6546 		he_obss_pd->min_offset =
6547 			nla_get_u8(tb[NL80211_HE_OBSS_PD_ATTR_MIN_OFFSET]);
6548 	if (tb[NL80211_HE_OBSS_PD_ATTR_MAX_OFFSET])
6549 		he_obss_pd->max_offset =
6550 			nla_get_u8(tb[NL80211_HE_OBSS_PD_ATTR_MAX_OFFSET]);
6551 	if (tb[NL80211_HE_OBSS_PD_ATTR_NON_SRG_MAX_OFFSET])
6552 		he_obss_pd->non_srg_max_offset =
6553 			nla_get_u8(tb[NL80211_HE_OBSS_PD_ATTR_NON_SRG_MAX_OFFSET]);
6554 
6555 	if (he_obss_pd->min_offset > he_obss_pd->max_offset)
6556 		return -EINVAL;
6557 
6558 	if (tb[NL80211_HE_OBSS_PD_ATTR_BSS_COLOR_BITMAP])
6559 		memcpy(he_obss_pd->bss_color_bitmap,
6560 		       nla_data(tb[NL80211_HE_OBSS_PD_ATTR_BSS_COLOR_BITMAP]),
6561 		       sizeof(he_obss_pd->bss_color_bitmap));
6562 
6563 	if (tb[NL80211_HE_OBSS_PD_ATTR_PARTIAL_BSSID_BITMAP])
6564 		memcpy(he_obss_pd->partial_bssid_bitmap,
6565 		       nla_data(tb[NL80211_HE_OBSS_PD_ATTR_PARTIAL_BSSID_BITMAP]),
6566 		       sizeof(he_obss_pd->partial_bssid_bitmap));
6567 
6568 	he_obss_pd->enable = true;
6569 
6570 	return 0;
6571 }
6572 
6573 static int nl80211_parse_fils_discovery(struct cfg80211_registered_device *rdev,
6574 					struct nlattr *attrs,
6575 					struct cfg80211_fils_discovery *fd)
6576 {
6577 	struct nlattr *tb[NL80211_FILS_DISCOVERY_ATTR_MAX + 1];
6578 	int ret;
6579 
6580 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
6581 				     NL80211_EXT_FEATURE_FILS_DISCOVERY))
6582 		return -EINVAL;
6583 
6584 	ret = nla_parse_nested(tb, NL80211_FILS_DISCOVERY_ATTR_MAX, attrs,
6585 			       NULL, NULL);
6586 	if (ret)
6587 		return ret;
6588 
6589 	if (!tb[NL80211_FILS_DISCOVERY_ATTR_INT_MIN] &&
6590 	    !tb[NL80211_FILS_DISCOVERY_ATTR_INT_MAX] &&
6591 	    !tb[NL80211_FILS_DISCOVERY_ATTR_TMPL]) {
6592 		fd->update = true;
6593 		return 0;
6594 	}
6595 
6596 	if (!tb[NL80211_FILS_DISCOVERY_ATTR_INT_MIN] ||
6597 	    !tb[NL80211_FILS_DISCOVERY_ATTR_INT_MAX] ||
6598 	    !tb[NL80211_FILS_DISCOVERY_ATTR_TMPL])
6599 		return -EINVAL;
6600 
6601 	fd->tmpl_len = nla_len(tb[NL80211_FILS_DISCOVERY_ATTR_TMPL]);
6602 	fd->tmpl = nla_data(tb[NL80211_FILS_DISCOVERY_ATTR_TMPL]);
6603 	fd->min_interval = nla_get_u32(tb[NL80211_FILS_DISCOVERY_ATTR_INT_MIN]);
6604 	fd->max_interval = nla_get_u32(tb[NL80211_FILS_DISCOVERY_ATTR_INT_MAX]);
6605 	fd->update = true;
6606 	return 0;
6607 }
6608 
6609 static int
6610 nl80211_parse_unsol_bcast_probe_resp(struct cfg80211_registered_device *rdev,
6611 				     struct nlattr *attrs,
6612 				     struct cfg80211_unsol_bcast_probe_resp *presp)
6613 {
6614 	struct nlattr *tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_MAX + 1];
6615 	int ret;
6616 
6617 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
6618 				     NL80211_EXT_FEATURE_UNSOL_BCAST_PROBE_RESP))
6619 		return -EINVAL;
6620 
6621 	ret = nla_parse_nested(tb, NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_MAX,
6622 			       attrs, NULL, NULL);
6623 	if (ret)
6624 		return ret;
6625 
6626 	if (!tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_INT] &&
6627 	    !tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_TMPL]) {
6628 		presp->update = true;
6629 		return 0;
6630 	}
6631 
6632 	if (!tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_INT] ||
6633 	    !tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_TMPL])
6634 		return -EINVAL;
6635 
6636 	presp->tmpl = nla_data(tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_TMPL]);
6637 	presp->tmpl_len = nla_len(tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_TMPL]);
6638 	presp->interval = nla_get_u32(tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_INT]);
6639 	presp->update = true;
6640 	return 0;
6641 }
6642 
6643 static void nl80211_check_ap_rate_selectors(struct cfg80211_ap_settings *params,
6644 					    const struct element *rates)
6645 {
6646 	int i;
6647 
6648 	if (!rates)
6649 		return;
6650 
6651 	for (i = 0; i < rates->datalen; i++) {
6652 		if (rates->data[i] == BSS_MEMBERSHIP_SELECTOR_HT_PHY)
6653 			params->ht_required = true;
6654 		if (rates->data[i] == BSS_MEMBERSHIP_SELECTOR_VHT_PHY)
6655 			params->vht_required = true;
6656 		if (rates->data[i] == BSS_MEMBERSHIP_SELECTOR_HE_PHY)
6657 			params->he_required = true;
6658 		if (rates->data[i] == BSS_MEMBERSHIP_SELECTOR_SAE_H2E)
6659 			params->sae_h2e_required = true;
6660 	}
6661 }
6662 
6663 /*
6664  * Since the nl80211 API didn't include, from the beginning, attributes about
6665  * HT/VHT requirements/capabilities, we parse them out of the IEs for the
6666  * benefit of drivers that rebuild IEs in the firmware.
6667  */
6668 static int nl80211_calculate_ap_params(struct cfg80211_ap_settings *params)
6669 {
6670 	const struct cfg80211_beacon_data *bcn = &params->beacon;
6671 	size_t ies_len = bcn->tail_len;
6672 	const u8 *ies = bcn->tail;
6673 	const struct element *rates;
6674 	const struct element *cap;
6675 
6676 	rates = cfg80211_find_elem(WLAN_EID_SUPP_RATES, ies, ies_len);
6677 	nl80211_check_ap_rate_selectors(params, rates);
6678 
6679 	rates = cfg80211_find_elem(WLAN_EID_EXT_SUPP_RATES, ies, ies_len);
6680 	nl80211_check_ap_rate_selectors(params, rates);
6681 
6682 	cap = cfg80211_find_elem(WLAN_EID_HT_CAPABILITY, ies, ies_len);
6683 	if (cap && cap->datalen >= sizeof(*params->ht_cap))
6684 		params->ht_cap = (void *)cap->data;
6685 	cap = cfg80211_find_elem(WLAN_EID_VHT_CAPABILITY, ies, ies_len);
6686 	if (cap && cap->datalen >= sizeof(*params->vht_cap))
6687 		params->vht_cap = (void *)cap->data;
6688 	cap = cfg80211_find_ext_elem(WLAN_EID_EXT_HE_CAPABILITY, ies, ies_len);
6689 	if (cap && cap->datalen >= sizeof(*params->he_cap) + 1)
6690 		params->he_cap = (void *)(cap->data + 1);
6691 	cap = cfg80211_find_ext_elem(WLAN_EID_EXT_HE_OPERATION, ies, ies_len);
6692 	if (cap && cap->datalen >= sizeof(*params->he_oper) + 1)
6693 		params->he_oper = (void *)(cap->data + 1);
6694 	cap = cfg80211_find_ext_elem(WLAN_EID_EXT_EHT_CAPABILITY, ies, ies_len);
6695 	if (cap) {
6696 		if (!cap->datalen)
6697 			return -EINVAL;
6698 		params->eht_cap = (void *)(cap->data + 1);
6699 		if (!ieee80211_eht_capa_size_ok((const u8 *)params->he_cap,
6700 						(const u8 *)params->eht_cap,
6701 						cap->datalen - 1, true))
6702 			return -EINVAL;
6703 	}
6704 	cap = cfg80211_find_ext_elem(WLAN_EID_EXT_EHT_OPERATION, ies, ies_len);
6705 	if (cap) {
6706 		if (!cap->datalen)
6707 			return -EINVAL;
6708 		params->eht_oper = (void *)(cap->data + 1);
6709 		if (!ieee80211_eht_oper_size_ok((const u8 *)params->eht_oper,
6710 						cap->datalen - 1))
6711 			return -EINVAL;
6712 	}
6713 
6714 	return 0;
6715 }
6716 
6717 static bool nl80211_get_ap_channel(struct cfg80211_registered_device *rdev,
6718 				   struct cfg80211_ap_settings *params)
6719 {
6720 	struct wireless_dev *wdev;
6721 
6722 	list_for_each_entry(wdev, &rdev->wiphy.wdev_list, list) {
6723 		if (wdev->iftype != NL80211_IFTYPE_AP &&
6724 		    wdev->iftype != NL80211_IFTYPE_P2P_GO)
6725 			continue;
6726 
6727 		if (!wdev->u.ap.preset_chandef.chan)
6728 			continue;
6729 
6730 		params->chandef = wdev->u.ap.preset_chandef;
6731 		return true;
6732 	}
6733 
6734 	return false;
6735 }
6736 
6737 static bool nl80211_valid_auth_type(struct cfg80211_registered_device *rdev,
6738 				    enum nl80211_auth_type auth_type,
6739 				    enum nl80211_commands cmd)
6740 {
6741 	if (auth_type > NL80211_AUTHTYPE_MAX)
6742 		return false;
6743 
6744 	switch (cmd) {
6745 	case NL80211_CMD_AUTHENTICATE:
6746 		if (!(rdev->wiphy.features & NL80211_FEATURE_SAE) &&
6747 		    auth_type == NL80211_AUTHTYPE_SAE)
6748 			return false;
6749 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
6750 					     NL80211_EXT_FEATURE_FILS_STA) &&
6751 		    (auth_type == NL80211_AUTHTYPE_FILS_SK ||
6752 		     auth_type == NL80211_AUTHTYPE_FILS_SK_PFS ||
6753 		     auth_type == NL80211_AUTHTYPE_FILS_PK))
6754 			return false;
6755 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
6756 					     NL80211_EXT_FEATURE_EPPKE) &&
6757 		    auth_type == NL80211_AUTHTYPE_EPPKE)
6758 			return false;
6759 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
6760 					     NL80211_EXT_FEATURE_IEEE8021X_AUTH) &&
6761 		    auth_type == NL80211_AUTHTYPE_IEEE8021X)
6762 			return false;
6763 		return true;
6764 	case NL80211_CMD_CONNECT:
6765 		if (!(rdev->wiphy.features & NL80211_FEATURE_SAE) &&
6766 		    !wiphy_ext_feature_isset(&rdev->wiphy,
6767 					     NL80211_EXT_FEATURE_SAE_OFFLOAD) &&
6768 		    auth_type == NL80211_AUTHTYPE_SAE)
6769 			return false;
6770 
6771 		/* FILS with SK PFS or PK not supported yet */
6772 		if (auth_type == NL80211_AUTHTYPE_FILS_SK_PFS ||
6773 		    auth_type == NL80211_AUTHTYPE_FILS_PK)
6774 			return false;
6775 		if (!wiphy_ext_feature_isset(
6776 			    &rdev->wiphy,
6777 			    NL80211_EXT_FEATURE_FILS_SK_OFFLOAD) &&
6778 		    auth_type == NL80211_AUTHTYPE_FILS_SK)
6779 			return false;
6780 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
6781 					     NL80211_EXT_FEATURE_EPPKE) &&
6782 		    auth_type == NL80211_AUTHTYPE_EPPKE)
6783 			return false;
6784 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
6785 					     NL80211_EXT_FEATURE_IEEE8021X_AUTH) &&
6786 		    auth_type == NL80211_AUTHTYPE_IEEE8021X)
6787 			return false;
6788 		return true;
6789 	case NL80211_CMD_START_AP:
6790 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
6791 					     NL80211_EXT_FEATURE_SAE_OFFLOAD_AP) &&
6792 		    auth_type == NL80211_AUTHTYPE_SAE)
6793 			return false;
6794 		/* FILS not supported yet */
6795 		if (auth_type == NL80211_AUTHTYPE_FILS_SK ||
6796 		    auth_type == NL80211_AUTHTYPE_FILS_SK_PFS ||
6797 		    auth_type == NL80211_AUTHTYPE_FILS_PK)
6798 			return false;
6799 		return true;
6800 	default:
6801 		return false;
6802 	}
6803 }
6804 
6805 static void nl80211_send_ap_started(struct wireless_dev *wdev,
6806 				    unsigned int link_id)
6807 {
6808 	struct wiphy *wiphy = wdev->wiphy;
6809 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
6810 	struct sk_buff *msg;
6811 	void *hdr;
6812 
6813 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
6814 	if (!msg)
6815 		return;
6816 
6817 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_START_AP);
6818 	if (!hdr)
6819 		goto out;
6820 
6821 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
6822 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, wdev->netdev->ifindex) ||
6823 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
6824 			      NL80211_ATTR_PAD) ||
6825 	    (wdev->u.ap.ssid_len &&
6826 	     nla_put(msg, NL80211_ATTR_SSID, wdev->u.ap.ssid_len,
6827 		     wdev->u.ap.ssid)) ||
6828 	    (wdev->valid_links &&
6829 	     nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID, link_id)))
6830 		goto out;
6831 
6832 	genlmsg_end(msg, hdr);
6833 
6834 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(wiphy), msg, 0,
6835 				NL80211_MCGRP_MLME, GFP_KERNEL);
6836 	return;
6837 out:
6838 	nlmsg_free(msg);
6839 }
6840 
6841 static int nl80211_validate_ap_phy_operation(struct cfg80211_ap_settings *params)
6842 {
6843 	struct ieee80211_channel *channel = params->chandef.chan;
6844 
6845 	if ((params->he_cap ||  params->he_oper) &&
6846 	    (channel->flags & IEEE80211_CHAN_NO_HE))
6847 		return -EOPNOTSUPP;
6848 
6849 	if ((params->eht_cap || params->eht_oper) &&
6850 	    (channel->flags & IEEE80211_CHAN_NO_EHT))
6851 		return -EOPNOTSUPP;
6852 
6853 	if (params->uhr_oper && (channel->flags & IEEE80211_CHAN_NO_UHR))
6854 		return -EOPNOTSUPP;
6855 
6856 	return 0;
6857 }
6858 
6859 static int
6860 nl80211_parse_s1g_short_beacon(struct cfg80211_registered_device *rdev,
6861 			       struct nlattr *attrs,
6862 			       struct cfg80211_s1g_short_beacon *sb)
6863 {
6864 	struct nlattr *tb[NL80211_S1G_SHORT_BEACON_ATTR_MAX + 1];
6865 	int ret;
6866 
6867 	if (!rdev->wiphy.bands[NL80211_BAND_S1GHZ])
6868 		return -EINVAL;
6869 
6870 	ret = nla_parse_nested(tb, NL80211_S1G_SHORT_BEACON_ATTR_MAX, attrs,
6871 			       NULL, NULL);
6872 	if (ret)
6873 		return ret;
6874 
6875 	/* Short beacon tail is optional (i.e might only include the TIM) */
6876 	if (!tb[NL80211_S1G_SHORT_BEACON_ATTR_HEAD])
6877 		return -EINVAL;
6878 
6879 	sb->short_head = nla_data(tb[NL80211_S1G_SHORT_BEACON_ATTR_HEAD]);
6880 	sb->short_head_len = nla_len(tb[NL80211_S1G_SHORT_BEACON_ATTR_HEAD]);
6881 	sb->short_tail_len = 0;
6882 
6883 	if (tb[NL80211_S1G_SHORT_BEACON_ATTR_TAIL]) {
6884 		sb->short_tail =
6885 			nla_data(tb[NL80211_S1G_SHORT_BEACON_ATTR_TAIL]);
6886 		sb->short_tail_len =
6887 			nla_len(tb[NL80211_S1G_SHORT_BEACON_ATTR_TAIL]);
6888 	}
6889 
6890 	sb->update = true;
6891 	return 0;
6892 }
6893 
6894 static int nl80211_start_ap(struct sk_buff *skb, struct genl_info *info)
6895 {
6896 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6897 	struct cfg80211_beaconing_check_config beacon_check = {};
6898 	unsigned int link_id = nl80211_link_id(info->attrs);
6899 	struct net_device *dev = info->user_ptr[1];
6900 	struct wireless_dev *wdev = dev->ieee80211_ptr;
6901 	struct cfg80211_ap_settings *params;
6902 	int err;
6903 
6904 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
6905 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
6906 		return -EOPNOTSUPP;
6907 
6908 	if (!rdev->ops->start_ap)
6909 		return -EOPNOTSUPP;
6910 
6911 	if (wdev->links[link_id].cac_started)
6912 		return -EBUSY;
6913 
6914 	if (wdev->links[link_id].ap.beacon_interval)
6915 		return -EALREADY;
6916 
6917 	/* these are required for START_AP */
6918 	if (!info->attrs[NL80211_ATTR_BEACON_INTERVAL] ||
6919 	    !info->attrs[NL80211_ATTR_DTIM_PERIOD] ||
6920 	    !info->attrs[NL80211_ATTR_BEACON_HEAD])
6921 		return -EINVAL;
6922 
6923 	if (info->attrs[NL80211_ATTR_SMPS_MODE] &&
6924 	    nla_get_u8(info->attrs[NL80211_ATTR_SMPS_MODE]) != NL80211_SMPS_OFF)
6925 		return -EOPNOTSUPP;
6926 
6927 	params = kzalloc_obj(*params);
6928 	if (!params)
6929 		return -ENOMEM;
6930 
6931 	err = nl80211_parse_beacon(rdev, info->attrs, &params->beacon,
6932 				   info->extack);
6933 	if (err)
6934 		goto out;
6935 
6936 	params->beacon_interval =
6937 		nla_get_u32(info->attrs[NL80211_ATTR_BEACON_INTERVAL]);
6938 	params->dtim_period =
6939 		nla_get_u32(info->attrs[NL80211_ATTR_DTIM_PERIOD]);
6940 
6941 	err = cfg80211_validate_beacon_int(rdev, dev->ieee80211_ptr->iftype,
6942 					   params->beacon_interval);
6943 	if (err)
6944 		goto out;
6945 
6946 	/*
6947 	 * In theory, some of these attributes should be required here
6948 	 * but since they were not used when the command was originally
6949 	 * added, keep them optional for old user space programs to let
6950 	 * them continue to work with drivers that do not need the
6951 	 * additional information -- drivers must check!
6952 	 */
6953 	if (info->attrs[NL80211_ATTR_SSID]) {
6954 		params->ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
6955 		params->ssid_len =
6956 			nla_len(info->attrs[NL80211_ATTR_SSID]);
6957 		if (params->ssid_len == 0) {
6958 			err = -EINVAL;
6959 			goto out;
6960 		}
6961 
6962 		if (wdev->u.ap.ssid_len &&
6963 		    (wdev->u.ap.ssid_len != params->ssid_len ||
6964 		     memcmp(wdev->u.ap.ssid, params->ssid, params->ssid_len))) {
6965 			/* require identical SSID for MLO */
6966 			err = -EINVAL;
6967 			goto out;
6968 		}
6969 	} else if (wdev->valid_links) {
6970 		/* require SSID for MLO */
6971 		err = -EINVAL;
6972 		goto out;
6973 	}
6974 
6975 	if (info->attrs[NL80211_ATTR_HIDDEN_SSID])
6976 		params->hidden_ssid = nla_get_u32(
6977 			info->attrs[NL80211_ATTR_HIDDEN_SSID]);
6978 
6979 	params->privacy = !!info->attrs[NL80211_ATTR_PRIVACY];
6980 
6981 	if (info->attrs[NL80211_ATTR_AUTH_TYPE]) {
6982 		params->auth_type = nla_get_u32(
6983 			info->attrs[NL80211_ATTR_AUTH_TYPE]);
6984 		if (!nl80211_valid_auth_type(rdev, params->auth_type,
6985 					     NL80211_CMD_START_AP)) {
6986 			err = -EINVAL;
6987 			goto out;
6988 		}
6989 	} else
6990 		params->auth_type = NL80211_AUTHTYPE_AUTOMATIC;
6991 
6992 	err = nl80211_crypto_settings(rdev, info, &params->crypto,
6993 				      NL80211_MAX_NR_CIPHER_SUITES);
6994 	if (err)
6995 		goto out;
6996 
6997 	if (info->attrs[NL80211_ATTR_INACTIVITY_TIMEOUT]) {
6998 		if (!(rdev->wiphy.features & NL80211_FEATURE_INACTIVITY_TIMER)) {
6999 			err = -EOPNOTSUPP;
7000 			goto out;
7001 		}
7002 		params->inactivity_timeout = nla_get_u16(
7003 			info->attrs[NL80211_ATTR_INACTIVITY_TIMEOUT]);
7004 	}
7005 
7006 	if (info->attrs[NL80211_ATTR_P2P_CTWINDOW]) {
7007 		if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO) {
7008 			err = -EINVAL;
7009 			goto out;
7010 		}
7011 		params->p2p_ctwindow =
7012 			nla_get_u8(info->attrs[NL80211_ATTR_P2P_CTWINDOW]);
7013 		if (params->p2p_ctwindow != 0 &&
7014 		    !(rdev->wiphy.features & NL80211_FEATURE_P2P_GO_CTWIN)) {
7015 			err = -EINVAL;
7016 			goto out;
7017 		}
7018 	}
7019 
7020 	if (info->attrs[NL80211_ATTR_P2P_OPPPS]) {
7021 		u8 tmp;
7022 
7023 		if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO) {
7024 			err = -EINVAL;
7025 			goto out;
7026 		}
7027 		tmp = nla_get_u8(info->attrs[NL80211_ATTR_P2P_OPPPS]);
7028 		params->p2p_opp_ps = tmp;
7029 		if (params->p2p_opp_ps != 0 &&
7030 		    !(rdev->wiphy.features & NL80211_FEATURE_P2P_GO_OPPPS)) {
7031 			err = -EINVAL;
7032 			goto out;
7033 		}
7034 	}
7035 
7036 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
7037 		err = nl80211_parse_chandef(rdev, info->extack, info->attrs,
7038 					    &params->chandef);
7039 		if (err)
7040 			goto out;
7041 	} else if (wdev->valid_links) {
7042 		/* with MLD need to specify the channel configuration */
7043 		err = -EINVAL;
7044 		goto out;
7045 	} else if (wdev->u.ap.preset_chandef.chan) {
7046 		params->chandef = wdev->u.ap.preset_chandef;
7047 	} else if (!nl80211_get_ap_channel(rdev, params)) {
7048 		err = -EINVAL;
7049 		goto out;
7050 	}
7051 
7052 	beacon_check.iftype = wdev->iftype;
7053 	beacon_check.relax = true;
7054 	beacon_check.reg_power =
7055 		cfg80211_get_6ghz_power_type(params->beacon.tail,
7056 					     params->beacon.tail_len, 0);
7057 	if (!cfg80211_reg_check_beaconing(&rdev->wiphy, &params->chandef,
7058 					  &beacon_check)) {
7059 		err = -EINVAL;
7060 		goto out;
7061 	}
7062 
7063 	if (info->attrs[NL80211_ATTR_TX_RATES]) {
7064 		err = nl80211_parse_tx_bitrate_mask(info, info->attrs,
7065 						    NL80211_ATTR_TX_RATES,
7066 						    &params->beacon_rate,
7067 						    dev, false, link_id);
7068 		if (err)
7069 			goto out;
7070 
7071 		err = validate_beacon_tx_rate(rdev, params->chandef.chan->band,
7072 					      &params->beacon_rate);
7073 		if (err)
7074 			goto out;
7075 	}
7076 
7077 	params->pbss = nla_get_flag(info->attrs[NL80211_ATTR_PBSS]);
7078 	if (params->pbss && !rdev->wiphy.bands[NL80211_BAND_60GHZ]) {
7079 		err = -EOPNOTSUPP;
7080 		goto out;
7081 	}
7082 
7083 	if (info->attrs[NL80211_ATTR_ACL_POLICY]) {
7084 		params->acl = parse_acl_data(&rdev->wiphy, info);
7085 		if (IS_ERR(params->acl)) {
7086 			err = PTR_ERR(params->acl);
7087 			params->acl = NULL;
7088 			goto out;
7089 		}
7090 	}
7091 
7092 	params->twt_responder =
7093 		    nla_get_flag(info->attrs[NL80211_ATTR_TWT_RESPONDER]);
7094 
7095 	if (info->attrs[NL80211_ATTR_HE_OBSS_PD]) {
7096 		err = nl80211_parse_he_obss_pd(
7097 					info->attrs[NL80211_ATTR_HE_OBSS_PD],
7098 					&params->he_obss_pd);
7099 		if (err)
7100 			goto out;
7101 	}
7102 
7103 	if (info->attrs[NL80211_ATTR_FILS_DISCOVERY]) {
7104 		err = nl80211_parse_fils_discovery(rdev,
7105 						   info->attrs[NL80211_ATTR_FILS_DISCOVERY],
7106 						   &params->fils_discovery);
7107 		if (err)
7108 			goto out;
7109 	}
7110 
7111 	if (info->attrs[NL80211_ATTR_UNSOL_BCAST_PROBE_RESP]) {
7112 		err = nl80211_parse_unsol_bcast_probe_resp(
7113 			rdev, info->attrs[NL80211_ATTR_UNSOL_BCAST_PROBE_RESP],
7114 			&params->unsol_bcast_probe_resp);
7115 		if (err)
7116 			goto out;
7117 	}
7118 
7119 	if (info->attrs[NL80211_ATTR_MBSSID_CONFIG]) {
7120 		err = nl80211_parse_mbssid_config(&rdev->wiphy, dev, link_id,
7121 						  info->attrs[NL80211_ATTR_MBSSID_CONFIG],
7122 						  &params->mbssid_config,
7123 						  params->beacon.mbssid_ies ?
7124 							params->beacon.mbssid_ies->cnt :
7125 							0);
7126 		if (err)
7127 			goto out;
7128 	}
7129 
7130 	if (!params->mbssid_config.ema && params->beacon.rnr_ies) {
7131 		err = -EINVAL;
7132 		goto out;
7133 	}
7134 
7135 	if (info->attrs[NL80211_ATTR_S1G_SHORT_BEACON]) {
7136 		if (!info->attrs[NL80211_ATTR_S1G_LONG_BEACON_PERIOD]) {
7137 			err = -EINVAL;
7138 			goto out;
7139 		}
7140 
7141 		params->s1g_long_beacon_period = nla_get_u8(
7142 			info->attrs[NL80211_ATTR_S1G_LONG_BEACON_PERIOD]);
7143 
7144 		err = nl80211_parse_s1g_short_beacon(
7145 			rdev, info->attrs[NL80211_ATTR_S1G_SHORT_BEACON],
7146 			&params->s1g_short_beacon);
7147 		if (err)
7148 			goto out;
7149 	}
7150 
7151 	err = nl80211_calculate_ap_params(params);
7152 	if (err)
7153 		goto out;
7154 
7155 	if (info->attrs[NL80211_ATTR_UHR_OPERATION])
7156 		params->uhr_oper = nla_data(info->attrs[NL80211_ATTR_UHR_OPERATION]);
7157 
7158 	err = nl80211_validate_ap_phy_operation(params);
7159 	if (err)
7160 		goto out;
7161 
7162 	if (info->attrs[NL80211_ATTR_AP_SETTINGS_FLAGS])
7163 		params->flags = nla_get_u32(
7164 			info->attrs[NL80211_ATTR_AP_SETTINGS_FLAGS]);
7165 	else if (info->attrs[NL80211_ATTR_EXTERNAL_AUTH_SUPPORT])
7166 		params->flags |= NL80211_AP_SETTINGS_EXTERNAL_AUTH_SUPPORT;
7167 
7168 	if (wdev->conn_owner_nlportid &&
7169 	    info->attrs[NL80211_ATTR_SOCKET_OWNER] &&
7170 	    wdev->conn_owner_nlportid != info->snd_portid) {
7171 		err = -EINVAL;
7172 		goto out;
7173 	}
7174 
7175 	/* FIXME: validate MLO/link-id against driver capabilities */
7176 
7177 	err = rdev_start_ap(rdev, dev, params);
7178 	if (!err) {
7179 		wdev->links[link_id].ap.beacon_interval = params->beacon_interval;
7180 		wdev->links[link_id].ap.chandef = params->chandef;
7181 		wdev->u.ap.ssid_len = params->ssid_len;
7182 		memcpy(wdev->u.ap.ssid, params->ssid,
7183 		       params->ssid_len);
7184 
7185 		if (info->attrs[NL80211_ATTR_SOCKET_OWNER])
7186 			wdev->conn_owner_nlportid = info->snd_portid;
7187 
7188 		nl80211_send_ap_started(wdev, link_id);
7189 	}
7190 out:
7191 	kfree(params->acl);
7192 	kfree(params->beacon.mbssid_ies);
7193 	if (params->mbssid_config.tx_wdev &&
7194 	    params->mbssid_config.tx_wdev->netdev &&
7195 	    params->mbssid_config.tx_wdev->netdev != dev)
7196 		dev_put(params->mbssid_config.tx_wdev->netdev);
7197 	kfree(params->beacon.rnr_ies);
7198 	kfree(params);
7199 
7200 	return err;
7201 }
7202 
7203 static int nl80211_set_beacon(struct sk_buff *skb, struct genl_info *info)
7204 {
7205 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7206 	struct cfg80211_beaconing_check_config beacon_check = {};
7207 	unsigned int link_id = nl80211_link_id(info->attrs);
7208 	struct net_device *dev = info->user_ptr[1];
7209 	struct wireless_dev *wdev = dev->ieee80211_ptr;
7210 	struct cfg80211_ap_update *params;
7211 	struct nlattr *attr;
7212 	int err;
7213 
7214 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
7215 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
7216 		return -EOPNOTSUPP;
7217 
7218 	if (!rdev->ops->change_beacon)
7219 		return -EOPNOTSUPP;
7220 
7221 	if (!wdev->links[link_id].ap.beacon_interval)
7222 		return -EINVAL;
7223 
7224 	params = kzalloc_obj(*params);
7225 	if (!params)
7226 		return -ENOMEM;
7227 
7228 	err = nl80211_parse_beacon(rdev, info->attrs, &params->beacon,
7229 				   info->extack);
7230 	if (err)
7231 		goto out;
7232 
7233 	/* recheck beaconing is permitted with possibly changed power type */
7234 	beacon_check.iftype = wdev->iftype;
7235 	beacon_check.relax = true;
7236 	beacon_check.reg_power =
7237 		cfg80211_get_6ghz_power_type(params->beacon.tail,
7238 					     params->beacon.tail_len, 0);
7239 	if (!cfg80211_reg_check_beaconing(&rdev->wiphy,
7240 					  &wdev->links[link_id].ap.chandef,
7241 					  &beacon_check)) {
7242 		err = -EINVAL;
7243 		goto out;
7244 	}
7245 
7246 	attr = info->attrs[NL80211_ATTR_FILS_DISCOVERY];
7247 	if (attr) {
7248 		err = nl80211_parse_fils_discovery(rdev, attr,
7249 						   &params->fils_discovery);
7250 		if (err)
7251 			goto out;
7252 	}
7253 
7254 	attr = info->attrs[NL80211_ATTR_UNSOL_BCAST_PROBE_RESP];
7255 	if (attr) {
7256 		err = nl80211_parse_unsol_bcast_probe_resp(rdev, attr,
7257 							   &params->unsol_bcast_probe_resp);
7258 		if (err)
7259 			goto out;
7260 	}
7261 
7262 	attr = info->attrs[NL80211_ATTR_S1G_SHORT_BEACON];
7263 	if (attr) {
7264 		err = nl80211_parse_s1g_short_beacon(rdev, attr,
7265 						     &params->s1g_short_beacon);
7266 		if (err)
7267 			goto out;
7268 	}
7269 
7270 	err = rdev_change_beacon(rdev, dev, params);
7271 
7272 out:
7273 	kfree(params->beacon.mbssid_ies);
7274 	kfree(params->beacon.rnr_ies);
7275 	kfree(params);
7276 	return err;
7277 }
7278 
7279 static int nl80211_stop_ap(struct sk_buff *skb, struct genl_info *info)
7280 {
7281 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7282 	unsigned int link_id = nl80211_link_id(info->attrs);
7283 	struct net_device *dev = info->user_ptr[1];
7284 
7285 	return cfg80211_stop_ap(rdev, dev, link_id, false);
7286 }
7287 
7288 static const struct nla_policy sta_flags_policy[NL80211_STA_FLAG_MAX + 1] = {
7289 	[NL80211_STA_FLAG_AUTHORIZED] = { .type = NLA_FLAG },
7290 	[NL80211_STA_FLAG_SHORT_PREAMBLE] = { .type = NLA_FLAG },
7291 	[NL80211_STA_FLAG_WME] = { .type = NLA_FLAG },
7292 	[NL80211_STA_FLAG_MFP] = { .type = NLA_FLAG },
7293 	[NL80211_STA_FLAG_AUTHENTICATED] = { .type = NLA_FLAG },
7294 	[NL80211_STA_FLAG_TDLS_PEER] = { .type = NLA_FLAG },
7295 };
7296 
7297 static int parse_station_flags(struct genl_info *info,
7298 			       enum nl80211_iftype iftype,
7299 			       struct station_parameters *params)
7300 {
7301 	struct nlattr *flags[NL80211_STA_FLAG_MAX + 1];
7302 	struct nlattr *nla;
7303 	int flag;
7304 
7305 	/*
7306 	 * Try parsing the new attribute first so userspace
7307 	 * can specify both for older kernels.
7308 	 */
7309 	nla = info->attrs[NL80211_ATTR_STA_FLAGS2];
7310 	if (nla) {
7311 		struct nl80211_sta_flag_update *sta_flags;
7312 
7313 		sta_flags = nla_data(nla);
7314 		params->sta_flags_mask = sta_flags->mask;
7315 		params->sta_flags_set = sta_flags->set;
7316 		params->sta_flags_set &= params->sta_flags_mask;
7317 		if ((params->sta_flags_mask |
7318 		     params->sta_flags_set) & BIT(__NL80211_STA_FLAG_INVALID))
7319 			return -EINVAL;
7320 
7321 		if ((iftype == NL80211_IFTYPE_NAN ||
7322 		     iftype == NL80211_IFTYPE_NAN_DATA) &&
7323 		    params->sta_flags_mask &
7324 		    ~(BIT(NL80211_STA_FLAG_AUTHENTICATED) |
7325 		      BIT(NL80211_STA_FLAG_ASSOCIATED) |
7326 		      BIT(NL80211_STA_FLAG_AUTHORIZED) |
7327 		      BIT(NL80211_STA_FLAG_MFP)))
7328 				return -EINVAL;
7329 
7330 		/* WME is always used in NAN */
7331 		if (iftype == NL80211_IFTYPE_NAN_DATA) {
7332 			/* but don't let userspace control it */
7333 			if (params->sta_flags_mask & BIT(NL80211_STA_FLAG_WME))
7334 				return -EINVAL;
7335 
7336 			params->sta_flags_mask |= BIT(NL80211_STA_FLAG_WME);
7337 			params->sta_flags_set |= BIT(NL80211_STA_FLAG_WME);
7338 		}
7339 
7340 		return 0;
7341 	}
7342 
7343 	/* if present, parse the old attribute */
7344 
7345 	nla = info->attrs[NL80211_ATTR_STA_FLAGS];
7346 	if (!nla)
7347 		return 0;
7348 
7349 	if (nla_parse_nested_deprecated(flags, NL80211_STA_FLAG_MAX, nla, sta_flags_policy, info->extack))
7350 		return -EINVAL;
7351 
7352 	/*
7353 	 * Only allow certain flags for interface types so that
7354 	 * other attributes are silently ignored. Remember that
7355 	 * this is backward compatibility code with old userspace
7356 	 * and shouldn't be hit in other cases anyway.
7357 	 */
7358 	switch (iftype) {
7359 	case NL80211_IFTYPE_AP:
7360 	case NL80211_IFTYPE_AP_VLAN:
7361 	case NL80211_IFTYPE_P2P_GO:
7362 		params->sta_flags_mask = BIT(NL80211_STA_FLAG_AUTHORIZED) |
7363 					 BIT(NL80211_STA_FLAG_SHORT_PREAMBLE) |
7364 					 BIT(NL80211_STA_FLAG_WME) |
7365 					 BIT(NL80211_STA_FLAG_MFP);
7366 		break;
7367 	case NL80211_IFTYPE_P2P_CLIENT:
7368 	case NL80211_IFTYPE_STATION:
7369 		params->sta_flags_mask = BIT(NL80211_STA_FLAG_AUTHORIZED) |
7370 					 BIT(NL80211_STA_FLAG_TDLS_PEER);
7371 		break;
7372 	case NL80211_IFTYPE_MESH_POINT:
7373 		params->sta_flags_mask = BIT(NL80211_STA_FLAG_AUTHENTICATED) |
7374 					 BIT(NL80211_STA_FLAG_MFP) |
7375 					 BIT(NL80211_STA_FLAG_AUTHORIZED);
7376 		break;
7377 	default:
7378 		return -EINVAL;
7379 	}
7380 
7381 	for (flag = 1; flag <= NL80211_STA_FLAG_MAX; flag++) {
7382 		if (flags[flag]) {
7383 			params->sta_flags_set |= (1<<flag);
7384 
7385 			/* no longer support new API additions in old API */
7386 			if (flag > NL80211_STA_FLAG_MAX_OLD_API)
7387 				return -EINVAL;
7388 		}
7389 	}
7390 
7391 	return 0;
7392 }
7393 
7394 bool nl80211_put_sta_rate(struct sk_buff *msg, struct rate_info *info, int attr)
7395 {
7396 	struct nlattr *rate;
7397 	u32 bitrate;
7398 	u16 bitrate_compat;
7399 	enum nl80211_rate_info rate_flg;
7400 
7401 	rate = nla_nest_start_noflag(msg, attr);
7402 	if (!rate)
7403 		return false;
7404 
7405 	/* cfg80211_calculate_bitrate will return 0 for mcs >= 32 */
7406 	bitrate = cfg80211_calculate_bitrate(info);
7407 	/* report 16-bit bitrate only if we can */
7408 	bitrate_compat = bitrate < (1UL << 16) ? bitrate : 0;
7409 	if (bitrate > 0 &&
7410 	    nla_put_u32(msg, NL80211_RATE_INFO_BITRATE32, bitrate))
7411 		return false;
7412 	if (bitrate_compat > 0 &&
7413 	    nla_put_u16(msg, NL80211_RATE_INFO_BITRATE, bitrate_compat))
7414 		return false;
7415 
7416 	switch (info->bw) {
7417 	case RATE_INFO_BW_1:
7418 		rate_flg = NL80211_RATE_INFO_1_MHZ_WIDTH;
7419 		break;
7420 	case RATE_INFO_BW_2:
7421 		rate_flg = NL80211_RATE_INFO_2_MHZ_WIDTH;
7422 		break;
7423 	case RATE_INFO_BW_4:
7424 		rate_flg = NL80211_RATE_INFO_4_MHZ_WIDTH;
7425 		break;
7426 	case RATE_INFO_BW_5:
7427 		rate_flg = NL80211_RATE_INFO_5_MHZ_WIDTH;
7428 		break;
7429 	case RATE_INFO_BW_8:
7430 		rate_flg = NL80211_RATE_INFO_8_MHZ_WIDTH;
7431 		break;
7432 	case RATE_INFO_BW_10:
7433 		rate_flg = NL80211_RATE_INFO_10_MHZ_WIDTH;
7434 		break;
7435 	case RATE_INFO_BW_16:
7436 		rate_flg = NL80211_RATE_INFO_16_MHZ_WIDTH;
7437 		break;
7438 	default:
7439 		WARN_ON(1);
7440 		fallthrough;
7441 	case RATE_INFO_BW_20:
7442 		rate_flg = 0;
7443 		break;
7444 	case RATE_INFO_BW_40:
7445 		rate_flg = NL80211_RATE_INFO_40_MHZ_WIDTH;
7446 		break;
7447 	case RATE_INFO_BW_80:
7448 		rate_flg = NL80211_RATE_INFO_80_MHZ_WIDTH;
7449 		break;
7450 	case RATE_INFO_BW_160:
7451 		rate_flg = NL80211_RATE_INFO_160_MHZ_WIDTH;
7452 		break;
7453 	case RATE_INFO_BW_HE_RU:
7454 		rate_flg = 0;
7455 		WARN_ON(!(info->flags & RATE_INFO_FLAGS_HE_MCS));
7456 		break;
7457 	case RATE_INFO_BW_320:
7458 		rate_flg = NL80211_RATE_INFO_320_MHZ_WIDTH;
7459 		break;
7460 	case RATE_INFO_BW_EHT_RU:
7461 		rate_flg = 0;
7462 		WARN_ON(!(info->flags & RATE_INFO_FLAGS_EHT_MCS) &&
7463 			!(info->flags & RATE_INFO_FLAGS_UHR_MCS));
7464 		break;
7465 	}
7466 
7467 	if (rate_flg && nla_put_flag(msg, rate_flg))
7468 		return false;
7469 
7470 	if (info->flags & RATE_INFO_FLAGS_MCS) {
7471 		if (nla_put_u8(msg, NL80211_RATE_INFO_MCS, info->mcs))
7472 			return false;
7473 		if (info->flags & RATE_INFO_FLAGS_SHORT_GI &&
7474 		    nla_put_flag(msg, NL80211_RATE_INFO_SHORT_GI))
7475 			return false;
7476 	} else if (info->flags & RATE_INFO_FLAGS_VHT_MCS) {
7477 		if (nla_put_u8(msg, NL80211_RATE_INFO_VHT_MCS, info->mcs))
7478 			return false;
7479 		if (nla_put_u8(msg, NL80211_RATE_INFO_VHT_NSS, info->nss))
7480 			return false;
7481 		if (info->flags & RATE_INFO_FLAGS_SHORT_GI &&
7482 		    nla_put_flag(msg, NL80211_RATE_INFO_SHORT_GI))
7483 			return false;
7484 	} else if (info->flags & RATE_INFO_FLAGS_HE_MCS) {
7485 		if (nla_put_u8(msg, NL80211_RATE_INFO_HE_MCS, info->mcs))
7486 			return false;
7487 		if (nla_put_u8(msg, NL80211_RATE_INFO_HE_NSS, info->nss))
7488 			return false;
7489 		if (nla_put_u8(msg, NL80211_RATE_INFO_HE_GI, info->he_gi))
7490 			return false;
7491 		if (nla_put_u8(msg, NL80211_RATE_INFO_HE_DCM, info->he_dcm))
7492 			return false;
7493 		if (info->bw == RATE_INFO_BW_HE_RU &&
7494 		    nla_put_u8(msg, NL80211_RATE_INFO_HE_RU_ALLOC,
7495 			       info->he_ru_alloc))
7496 			return false;
7497 	} else if (info->flags & RATE_INFO_FLAGS_S1G_MCS) {
7498 		if (nla_put_u8(msg, NL80211_RATE_INFO_S1G_MCS, info->mcs))
7499 			return false;
7500 		if (nla_put_u8(msg, NL80211_RATE_INFO_S1G_NSS, info->nss))
7501 			return false;
7502 		if (info->flags & RATE_INFO_FLAGS_SHORT_GI &&
7503 		    nla_put_flag(msg, NL80211_RATE_INFO_SHORT_GI))
7504 			return false;
7505 	} else if (info->flags & RATE_INFO_FLAGS_EHT_MCS) {
7506 		if (nla_put_u8(msg, NL80211_RATE_INFO_EHT_MCS, info->mcs))
7507 			return false;
7508 		if (nla_put_u8(msg, NL80211_RATE_INFO_EHT_NSS, info->nss))
7509 			return false;
7510 		if (nla_put_u8(msg, NL80211_RATE_INFO_EHT_GI, info->eht_gi))
7511 			return false;
7512 		if (info->bw == RATE_INFO_BW_EHT_RU &&
7513 		    nla_put_u8(msg, NL80211_RATE_INFO_EHT_RU_ALLOC,
7514 			       info->eht_ru_alloc))
7515 			return false;
7516 	} else if (info->flags & RATE_INFO_FLAGS_UHR_MCS) {
7517 		if (nla_put_u8(msg, NL80211_RATE_INFO_UHR_MCS, info->mcs))
7518 			return false;
7519 		if (nla_put_u8(msg, NL80211_RATE_INFO_EHT_NSS, info->nss))
7520 			return false;
7521 		if (nla_put_u8(msg, NL80211_RATE_INFO_EHT_GI, info->eht_gi))
7522 			return false;
7523 		if (info->bw == RATE_INFO_BW_EHT_RU &&
7524 		    nla_put_u8(msg, NL80211_RATE_INFO_EHT_RU_ALLOC,
7525 			       info->eht_ru_alloc))
7526 			return false;
7527 		if (info->flags & RATE_INFO_FLAGS_UHR_ELR_MCS &&
7528 		    nla_put_flag(msg, NL80211_RATE_INFO_UHR_ELR))
7529 			return false;
7530 		if (info->flags & RATE_INFO_FLAGS_UHR_IM &&
7531 		    nla_put_flag(msg, NL80211_RATE_INFO_UHR_IM))
7532 			return false;
7533 	}
7534 
7535 	nla_nest_end(msg, rate);
7536 	return true;
7537 }
7538 
7539 static bool nl80211_put_signal(struct sk_buff *msg, u8 mask, s8 *signal,
7540 			       int id)
7541 {
7542 	void *attr;
7543 	int i = 0;
7544 
7545 	if (!mask)
7546 		return true;
7547 
7548 	attr = nla_nest_start_noflag(msg, id);
7549 	if (!attr)
7550 		return false;
7551 
7552 	for (i = 0; i < IEEE80211_MAX_CHAINS; i++) {
7553 		if (!(mask & BIT(i)))
7554 			continue;
7555 
7556 		if (nla_put_u8(msg, i, signal[i]))
7557 			return false;
7558 	}
7559 
7560 	nla_nest_end(msg, attr);
7561 
7562 	return true;
7563 }
7564 
7565 static int nl80211_fill_link_station(struct sk_buff *msg,
7566 				     struct cfg80211_registered_device *rdev,
7567 				     struct link_station_info *link_sinfo)
7568 {
7569 	struct nlattr *bss_param, *link_sinfoattr;
7570 
7571 #define PUT_LINK_SINFO(attr, memb, type) do {				\
7572 	BUILD_BUG_ON(sizeof(type) == sizeof(u64));			\
7573 	if (link_sinfo->filled & BIT_ULL(NL80211_STA_INFO_ ## attr) &&	\
7574 	    nla_put_ ## type(msg, NL80211_STA_INFO_ ## attr,		\
7575 			     link_sinfo->memb))				\
7576 		goto nla_put_failure;					\
7577 	} while (0)
7578 #define PUT_LINK_SINFO_U64(attr, memb) do {				\
7579 	if (link_sinfo->filled & BIT_ULL(NL80211_STA_INFO_ ## attr) &&	\
7580 	    nla_put_u64_64bit(msg, NL80211_STA_INFO_ ## attr,		\
7581 			      link_sinfo->memb, NL80211_STA_INFO_PAD))	\
7582 		goto nla_put_failure;					\
7583 	} while (0)
7584 
7585 	link_sinfoattr = nla_nest_start_noflag(msg, NL80211_ATTR_STA_INFO);
7586 	if (!link_sinfoattr)
7587 		goto nla_put_failure;
7588 
7589 	PUT_LINK_SINFO(INACTIVE_TIME, inactive_time, u32);
7590 
7591 	if (link_sinfo->filled & (BIT_ULL(NL80211_STA_INFO_RX_BYTES) |
7592 			     BIT_ULL(NL80211_STA_INFO_RX_BYTES64)) &&
7593 	    nla_put_u32(msg, NL80211_STA_INFO_RX_BYTES,
7594 			(u32)link_sinfo->rx_bytes))
7595 		goto nla_put_failure;
7596 
7597 	if (link_sinfo->filled & (BIT_ULL(NL80211_STA_INFO_TX_BYTES) |
7598 			     BIT_ULL(NL80211_STA_INFO_TX_BYTES64)) &&
7599 	    nla_put_u32(msg, NL80211_STA_INFO_TX_BYTES,
7600 			(u32)link_sinfo->tx_bytes))
7601 		goto nla_put_failure;
7602 
7603 	PUT_LINK_SINFO_U64(RX_BYTES64, rx_bytes);
7604 	PUT_LINK_SINFO_U64(TX_BYTES64, tx_bytes);
7605 	PUT_LINK_SINFO_U64(RX_DURATION, rx_duration);
7606 	PUT_LINK_SINFO_U64(TX_DURATION, tx_duration);
7607 
7608 	if (wiphy_ext_feature_isset(&rdev->wiphy,
7609 				    NL80211_EXT_FEATURE_AIRTIME_FAIRNESS))
7610 		PUT_LINK_SINFO(AIRTIME_WEIGHT, airtime_weight, u16);
7611 
7612 	switch (rdev->wiphy.signal_type) {
7613 	case CFG80211_SIGNAL_TYPE_MBM:
7614 		PUT_LINK_SINFO(SIGNAL, signal, u8);
7615 		PUT_LINK_SINFO(SIGNAL_AVG, signal_avg, u8);
7616 		break;
7617 	default:
7618 		break;
7619 	}
7620 	if (link_sinfo->filled & BIT_ULL(NL80211_STA_INFO_CHAIN_SIGNAL)) {
7621 		if (!nl80211_put_signal(msg, link_sinfo->chains,
7622 					link_sinfo->chain_signal,
7623 					NL80211_STA_INFO_CHAIN_SIGNAL))
7624 			goto nla_put_failure;
7625 	}
7626 	if (link_sinfo->filled & BIT_ULL(NL80211_STA_INFO_CHAIN_SIGNAL_AVG)) {
7627 		if (!nl80211_put_signal(msg, link_sinfo->chains,
7628 					link_sinfo->chain_signal_avg,
7629 					NL80211_STA_INFO_CHAIN_SIGNAL_AVG))
7630 			goto nla_put_failure;
7631 	}
7632 	if (link_sinfo->filled & BIT_ULL(NL80211_STA_INFO_TX_BITRATE)) {
7633 		if (!nl80211_put_sta_rate(msg, &link_sinfo->txrate,
7634 					  NL80211_STA_INFO_TX_BITRATE))
7635 			goto nla_put_failure;
7636 	}
7637 	if (link_sinfo->filled & BIT_ULL(NL80211_STA_INFO_RX_BITRATE)) {
7638 		if (!nl80211_put_sta_rate(msg, &link_sinfo->rxrate,
7639 					  NL80211_STA_INFO_RX_BITRATE))
7640 			goto nla_put_failure;
7641 	}
7642 
7643 	PUT_LINK_SINFO(RX_PACKETS, rx_packets, u32);
7644 	PUT_LINK_SINFO(TX_PACKETS, tx_packets, u32);
7645 	PUT_LINK_SINFO(TX_RETRIES, tx_retries, u32);
7646 	PUT_LINK_SINFO(TX_FAILED, tx_failed, u32);
7647 	PUT_LINK_SINFO(EXPECTED_THROUGHPUT, expected_throughput, u32);
7648 	PUT_LINK_SINFO(BEACON_LOSS, beacon_loss_count, u32);
7649 
7650 	if (link_sinfo->filled & BIT_ULL(NL80211_STA_INFO_BSS_PARAM)) {
7651 		bss_param = nla_nest_start_noflag(msg,
7652 						  NL80211_STA_INFO_BSS_PARAM);
7653 		if (!bss_param)
7654 			goto nla_put_failure;
7655 
7656 		if (((link_sinfo->bss_param.flags &
7657 		      BSS_PARAM_FLAGS_CTS_PROT) &&
7658 		     nla_put_flag(msg, NL80211_STA_BSS_PARAM_CTS_PROT)) ||
7659 		    ((link_sinfo->bss_param.flags &
7660 		      BSS_PARAM_FLAGS_SHORT_PREAMBLE) &&
7661 		     nla_put_flag(msg,
7662 				  NL80211_STA_BSS_PARAM_SHORT_PREAMBLE)) ||
7663 		    ((link_sinfo->bss_param.flags &
7664 		      BSS_PARAM_FLAGS_SHORT_SLOT_TIME) &&
7665 		     nla_put_flag(msg,
7666 				  NL80211_STA_BSS_PARAM_SHORT_SLOT_TIME)) ||
7667 		    nla_put_u8(msg, NL80211_STA_BSS_PARAM_DTIM_PERIOD,
7668 			       link_sinfo->bss_param.dtim_period) ||
7669 		    nla_put_u16(msg, NL80211_STA_BSS_PARAM_BEACON_INTERVAL,
7670 				link_sinfo->bss_param.beacon_interval))
7671 			goto nla_put_failure;
7672 
7673 		nla_nest_end(msg, bss_param);
7674 	}
7675 
7676 	PUT_LINK_SINFO_U64(RX_DROP_MISC, rx_dropped_misc);
7677 	PUT_LINK_SINFO_U64(BEACON_RX, rx_beacon);
7678 	PUT_LINK_SINFO(BEACON_SIGNAL_AVG, rx_beacon_signal_avg, u8);
7679 	PUT_LINK_SINFO(RX_MPDUS, rx_mpdu_count, u32);
7680 	PUT_LINK_SINFO(FCS_ERROR_COUNT, fcs_err_count, u32);
7681 	if (wiphy_ext_feature_isset(&rdev->wiphy,
7682 				    NL80211_EXT_FEATURE_ACK_SIGNAL_SUPPORT)) {
7683 		PUT_LINK_SINFO(ACK_SIGNAL, ack_signal, u8);
7684 		PUT_LINK_SINFO(ACK_SIGNAL_AVG, avg_ack_signal, s8);
7685 	}
7686 
7687 #undef PUT_LINK_SINFO
7688 #undef PUT_LINK_SINFO_U64
7689 
7690 	if (link_sinfo->pertid) {
7691 		struct nlattr *tidsattr;
7692 		int tid;
7693 
7694 		tidsattr = nla_nest_start_noflag(msg,
7695 						 NL80211_STA_INFO_TID_STATS);
7696 		if (!tidsattr)
7697 			goto nla_put_failure;
7698 
7699 		for (tid = 0; tid < IEEE80211_NUM_TIDS + 1; tid++) {
7700 			struct cfg80211_tid_stats *tidstats;
7701 			struct nlattr *tidattr;
7702 
7703 			tidstats = &link_sinfo->pertid[tid];
7704 
7705 			if (!tidstats->filled)
7706 				continue;
7707 
7708 			tidattr = nla_nest_start_noflag(msg, tid + 1);
7709 			if (!tidattr)
7710 				goto nla_put_failure;
7711 
7712 #define PUT_TIDVAL_U64(attr, memb) do {					\
7713 	if (tidstats->filled & BIT(NL80211_TID_STATS_ ## attr) &&	\
7714 	    nla_put_u64_64bit(msg, NL80211_TID_STATS_ ## attr,		\
7715 			      tidstats->memb, NL80211_TID_STATS_PAD))	\
7716 		goto nla_put_failure;					\
7717 	} while (0)
7718 
7719 			PUT_TIDVAL_U64(RX_MSDU, rx_msdu);
7720 			PUT_TIDVAL_U64(TX_MSDU, tx_msdu);
7721 			PUT_TIDVAL_U64(TX_MSDU_RETRIES, tx_msdu_retries);
7722 			PUT_TIDVAL_U64(TX_MSDU_FAILED, tx_msdu_failed);
7723 
7724 #undef PUT_TIDVAL_U64
7725 			if ((tidstats->filled &
7726 			     BIT(NL80211_TID_STATS_TXQ_STATS)) &&
7727 			    !nl80211_put_txq_stats(msg, &tidstats->txq_stats,
7728 						   NL80211_TID_STATS_TXQ_STATS))
7729 				goto nla_put_failure;
7730 
7731 			nla_nest_end(msg, tidattr);
7732 		}
7733 
7734 		nla_nest_end(msg, tidsattr);
7735 	}
7736 
7737 	nla_nest_end(msg, link_sinfoattr);
7738 	return 0;
7739 
7740 nla_put_failure:
7741 	return -EMSGSIZE;
7742 }
7743 
7744 static int nl80211_send_station(struct sk_buff *msg, u32 cmd, u32 portid,
7745 				u32 seq, int flags,
7746 				struct cfg80211_registered_device *rdev,
7747 				struct wireless_dev *wdev,
7748 				const u8 *mac_addr, struct station_info *sinfo,
7749 				bool link_stats)
7750 {
7751 	void *hdr;
7752 	struct nlattr *sinfoattr, *bss_param;
7753 	struct link_station_info *link_sinfo;
7754 	struct nlattr *links, *link;
7755 	int link_id;
7756 
7757 	hdr = nl80211hdr_put(msg, portid, seq, flags, cmd);
7758 	if (!hdr) {
7759 		cfg80211_sinfo_release_content(sinfo);
7760 		return -1;
7761 	}
7762 
7763 	if ((wdev->netdev &&
7764 	     nla_put_u32(msg, NL80211_ATTR_IFINDEX, wdev->netdev->ifindex)) ||
7765 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
7766 			      NL80211_ATTR_PAD) ||
7767 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac_addr) ||
7768 	    nla_put_u32(msg, NL80211_ATTR_GENERATION, sinfo->generation))
7769 		goto nla_put_failure;
7770 
7771 	sinfoattr = nla_nest_start_noflag(msg, NL80211_ATTR_STA_INFO);
7772 	if (!sinfoattr)
7773 		goto nla_put_failure;
7774 
7775 #define PUT_SINFO(attr, memb, type) do {				\
7776 	BUILD_BUG_ON(sizeof(type) == sizeof(u64));			\
7777 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_ ## attr) &&	\
7778 	    nla_put_ ## type(msg, NL80211_STA_INFO_ ## attr,		\
7779 			     sinfo->memb))				\
7780 		goto nla_put_failure;					\
7781 	} while (0)
7782 #define PUT_SINFO_U64(attr, memb) do {					\
7783 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_ ## attr) &&	\
7784 	    nla_put_u64_64bit(msg, NL80211_STA_INFO_ ## attr,		\
7785 			      sinfo->memb, NL80211_STA_INFO_PAD))	\
7786 		goto nla_put_failure;					\
7787 	} while (0)
7788 
7789 	PUT_SINFO(CONNECTED_TIME, connected_time, u32);
7790 	PUT_SINFO(INACTIVE_TIME, inactive_time, u32);
7791 	PUT_SINFO_U64(ASSOC_AT_BOOTTIME, assoc_at);
7792 
7793 	if (sinfo->filled & (BIT_ULL(NL80211_STA_INFO_RX_BYTES) |
7794 			     BIT_ULL(NL80211_STA_INFO_RX_BYTES64)) &&
7795 	    nla_put_u32(msg, NL80211_STA_INFO_RX_BYTES,
7796 			(u32)sinfo->rx_bytes))
7797 		goto nla_put_failure;
7798 
7799 	if (sinfo->filled & (BIT_ULL(NL80211_STA_INFO_TX_BYTES) |
7800 			     BIT_ULL(NL80211_STA_INFO_TX_BYTES64)) &&
7801 	    nla_put_u32(msg, NL80211_STA_INFO_TX_BYTES,
7802 			(u32)sinfo->tx_bytes))
7803 		goto nla_put_failure;
7804 
7805 	PUT_SINFO_U64(RX_BYTES64, rx_bytes);
7806 	PUT_SINFO_U64(TX_BYTES64, tx_bytes);
7807 	PUT_SINFO_U64(RX_DURATION, rx_duration);
7808 	PUT_SINFO_U64(TX_DURATION, tx_duration);
7809 
7810 	if (wiphy_ext_feature_isset(&rdev->wiphy,
7811 				    NL80211_EXT_FEATURE_AIRTIME_FAIRNESS))
7812 		PUT_SINFO(AIRTIME_WEIGHT, airtime_weight, u16);
7813 
7814 	switch (rdev->wiphy.signal_type) {
7815 	case CFG80211_SIGNAL_TYPE_MBM:
7816 		PUT_SINFO(SIGNAL, signal, u8);
7817 		PUT_SINFO(SIGNAL_AVG, signal_avg, u8);
7818 		break;
7819 	default:
7820 		break;
7821 	}
7822 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_CHAIN_SIGNAL)) {
7823 		if (!nl80211_put_signal(msg, sinfo->chains,
7824 					sinfo->chain_signal,
7825 					NL80211_STA_INFO_CHAIN_SIGNAL))
7826 			goto nla_put_failure;
7827 	}
7828 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_CHAIN_SIGNAL_AVG)) {
7829 		if (!nl80211_put_signal(msg, sinfo->chains,
7830 					sinfo->chain_signal_avg,
7831 					NL80211_STA_INFO_CHAIN_SIGNAL_AVG))
7832 			goto nla_put_failure;
7833 	}
7834 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_TX_BITRATE)) {
7835 		if (!nl80211_put_sta_rate(msg, &sinfo->txrate,
7836 					  NL80211_STA_INFO_TX_BITRATE))
7837 			goto nla_put_failure;
7838 	}
7839 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_RX_BITRATE)) {
7840 		if (!nl80211_put_sta_rate(msg, &sinfo->rxrate,
7841 					  NL80211_STA_INFO_RX_BITRATE))
7842 			goto nla_put_failure;
7843 	}
7844 
7845 	PUT_SINFO(RX_PACKETS, rx_packets, u32);
7846 	PUT_SINFO(TX_PACKETS, tx_packets, u32);
7847 	PUT_SINFO(TX_RETRIES, tx_retries, u32);
7848 	PUT_SINFO(TX_FAILED, tx_failed, u32);
7849 	PUT_SINFO(EXPECTED_THROUGHPUT, expected_throughput, u32);
7850 	PUT_SINFO(BEACON_LOSS, beacon_loss_count, u32);
7851 
7852 	PUT_SINFO(LLID, llid, u16);
7853 	PUT_SINFO(PLID, plid, u16);
7854 	PUT_SINFO(PLINK_STATE, plink_state, u8);
7855 	PUT_SINFO(AIRTIME_LINK_METRIC, airtime_link_metric, u32);
7856 	PUT_SINFO(LOCAL_PM, local_pm, u32);
7857 	PUT_SINFO(PEER_PM, peer_pm, u32);
7858 	PUT_SINFO(NONPEER_PM, nonpeer_pm, u32);
7859 	PUT_SINFO(CONNECTED_TO_GATE, connected_to_gate, u8);
7860 	PUT_SINFO(CONNECTED_TO_AS, connected_to_as, u8);
7861 	PUT_SINFO_U64(T_OFFSET, t_offset);
7862 
7863 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_BSS_PARAM)) {
7864 		bss_param = nla_nest_start_noflag(msg,
7865 						  NL80211_STA_INFO_BSS_PARAM);
7866 		if (!bss_param)
7867 			goto nla_put_failure;
7868 
7869 		if (((sinfo->bss_param.flags & BSS_PARAM_FLAGS_CTS_PROT) &&
7870 		     nla_put_flag(msg, NL80211_STA_BSS_PARAM_CTS_PROT)) ||
7871 		    ((sinfo->bss_param.flags & BSS_PARAM_FLAGS_SHORT_PREAMBLE) &&
7872 		     nla_put_flag(msg, NL80211_STA_BSS_PARAM_SHORT_PREAMBLE)) ||
7873 		    ((sinfo->bss_param.flags & BSS_PARAM_FLAGS_SHORT_SLOT_TIME) &&
7874 		     nla_put_flag(msg, NL80211_STA_BSS_PARAM_SHORT_SLOT_TIME)) ||
7875 		    nla_put_u8(msg, NL80211_STA_BSS_PARAM_DTIM_PERIOD,
7876 			       sinfo->bss_param.dtim_period) ||
7877 		    nla_put_u16(msg, NL80211_STA_BSS_PARAM_BEACON_INTERVAL,
7878 				sinfo->bss_param.beacon_interval))
7879 			goto nla_put_failure;
7880 
7881 		nla_nest_end(msg, bss_param);
7882 	}
7883 	if ((sinfo->filled & BIT_ULL(NL80211_STA_INFO_STA_FLAGS)) &&
7884 	    nla_put(msg, NL80211_STA_INFO_STA_FLAGS,
7885 		    sizeof(struct nl80211_sta_flag_update),
7886 		    &sinfo->sta_flags))
7887 		goto nla_put_failure;
7888 
7889 	PUT_SINFO_U64(RX_DROP_MISC, rx_dropped_misc);
7890 	PUT_SINFO_U64(BEACON_RX, rx_beacon);
7891 	PUT_SINFO(BEACON_SIGNAL_AVG, rx_beacon_signal_avg, u8);
7892 	PUT_SINFO(RX_MPDUS, rx_mpdu_count, u32);
7893 	PUT_SINFO(FCS_ERROR_COUNT, fcs_err_count, u32);
7894 	if (wiphy_ext_feature_isset(&rdev->wiphy,
7895 				    NL80211_EXT_FEATURE_ACK_SIGNAL_SUPPORT)) {
7896 		PUT_SINFO(ACK_SIGNAL, ack_signal, u8);
7897 		PUT_SINFO(ACK_SIGNAL_AVG, avg_ack_signal, s8);
7898 	}
7899 
7900 #undef PUT_SINFO
7901 #undef PUT_SINFO_U64
7902 
7903 	if (sinfo->pertid) {
7904 		struct nlattr *tidsattr;
7905 		int tid;
7906 
7907 		tidsattr = nla_nest_start_noflag(msg,
7908 						 NL80211_STA_INFO_TID_STATS);
7909 		if (!tidsattr)
7910 			goto nla_put_failure;
7911 
7912 		for (tid = 0; tid < IEEE80211_NUM_TIDS + 1; tid++) {
7913 			struct cfg80211_tid_stats *tidstats;
7914 			struct nlattr *tidattr;
7915 
7916 			tidstats = &sinfo->pertid[tid];
7917 
7918 			if (!tidstats->filled)
7919 				continue;
7920 
7921 			tidattr = nla_nest_start_noflag(msg, tid + 1);
7922 			if (!tidattr)
7923 				goto nla_put_failure;
7924 
7925 #define PUT_TIDVAL_U64(attr, memb) do {					\
7926 	if (tidstats->filled & BIT(NL80211_TID_STATS_ ## attr) &&	\
7927 	    nla_put_u64_64bit(msg, NL80211_TID_STATS_ ## attr,		\
7928 			      tidstats->memb, NL80211_TID_STATS_PAD))	\
7929 		goto nla_put_failure;					\
7930 	} while (0)
7931 
7932 			PUT_TIDVAL_U64(RX_MSDU, rx_msdu);
7933 			PUT_TIDVAL_U64(TX_MSDU, tx_msdu);
7934 			PUT_TIDVAL_U64(TX_MSDU_RETRIES, tx_msdu_retries);
7935 			PUT_TIDVAL_U64(TX_MSDU_FAILED, tx_msdu_failed);
7936 
7937 #undef PUT_TIDVAL_U64
7938 			if ((tidstats->filled &
7939 			     BIT(NL80211_TID_STATS_TXQ_STATS)) &&
7940 			    !nl80211_put_txq_stats(msg, &tidstats->txq_stats,
7941 						   NL80211_TID_STATS_TXQ_STATS))
7942 				goto nla_put_failure;
7943 
7944 			nla_nest_end(msg, tidattr);
7945 		}
7946 
7947 		nla_nest_end(msg, tidsattr);
7948 	}
7949 
7950 	nla_nest_end(msg, sinfoattr);
7951 
7952 	if (sinfo->assoc_req_ies_len &&
7953 	    nla_put(msg, NL80211_ATTR_IE, sinfo->assoc_req_ies_len,
7954 		    sinfo->assoc_req_ies))
7955 		goto nla_put_failure;
7956 
7957 	if (sinfo->assoc_resp_ies_len &&
7958 	    nla_put(msg, NL80211_ATTR_RESP_IE, sinfo->assoc_resp_ies_len,
7959 		    sinfo->assoc_resp_ies))
7960 		goto nla_put_failure;
7961 
7962 	if (sinfo->mlo_params_valid) {
7963 		if (nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID,
7964 			       sinfo->assoc_link_id))
7965 			goto nla_put_failure;
7966 
7967 		if (!is_zero_ether_addr(sinfo->mld_addr) &&
7968 		    nla_put(msg, NL80211_ATTR_MLD_ADDR, ETH_ALEN,
7969 			    sinfo->mld_addr))
7970 			goto nla_put_failure;
7971 	}
7972 
7973 	if (link_stats && sinfo->valid_links) {
7974 		links = nla_nest_start(msg, NL80211_ATTR_MLO_LINKS);
7975 		if (!links)
7976 			goto nla_put_failure;
7977 
7978 		for_each_valid_link(sinfo, link_id) {
7979 			link_sinfo = sinfo->links[link_id];
7980 
7981 			if (WARN_ON_ONCE(!link_sinfo))
7982 				continue;
7983 
7984 			if (!is_valid_ether_addr(link_sinfo->addr))
7985 				continue;
7986 
7987 			link = nla_nest_start(msg, link_id + 1);
7988 			if (!link)
7989 				goto nla_put_failure;
7990 
7991 			if (nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID,
7992 				       link_id))
7993 				goto nla_put_failure;
7994 
7995 			if (nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN,
7996 				    link_sinfo->addr))
7997 				goto nla_put_failure;
7998 
7999 			if (nl80211_fill_link_station(msg, rdev, link_sinfo))
8000 				goto nla_put_failure;
8001 
8002 			nla_nest_end(msg, link);
8003 		}
8004 		nla_nest_end(msg, links);
8005 	}
8006 
8007 	cfg80211_sinfo_release_content(sinfo);
8008 	genlmsg_end(msg, hdr);
8009 	return 0;
8010 
8011  nla_put_failure:
8012 	cfg80211_sinfo_release_content(sinfo);
8013 	genlmsg_cancel(msg, hdr);
8014 	return -EMSGSIZE;
8015 }
8016 
8017 static void cfg80211_sta_set_mld_sinfo(struct station_info *sinfo)
8018 {
8019 	struct link_station_info *link_sinfo;
8020 	int link_id, init = 0;
8021 	u32 link_inactive_time;
8022 
8023 	sinfo->signal = -99;
8024 
8025 	for_each_valid_link(sinfo, link_id) {
8026 		link_sinfo = sinfo->links[link_id];
8027 		if (!link_sinfo)
8028 			continue;
8029 
8030 		if ((link_sinfo->filled &
8031 		     BIT_ULL(NL80211_STA_INFO_TX_PACKETS))) {
8032 			sinfo->tx_packets += link_sinfo->tx_packets;
8033 			sinfo->filled |= BIT_ULL(NL80211_STA_INFO_TX_PACKETS);
8034 		}
8035 
8036 		if ((link_sinfo->filled &
8037 		     BIT_ULL(NL80211_STA_INFO_RX_PACKETS))) {
8038 			sinfo->rx_packets += link_sinfo->rx_packets;
8039 			sinfo->filled |= BIT_ULL(NL80211_STA_INFO_RX_PACKETS);
8040 		}
8041 
8042 		if (link_sinfo->filled &
8043 		    (BIT_ULL(NL80211_STA_INFO_TX_BYTES) |
8044 		     BIT_ULL(NL80211_STA_INFO_TX_BYTES64))) {
8045 			sinfo->tx_bytes += link_sinfo->tx_bytes;
8046 			sinfo->filled |= BIT_ULL(NL80211_STA_INFO_TX_BYTES);
8047 		}
8048 
8049 		if (link_sinfo->filled &
8050 		    (BIT_ULL(NL80211_STA_INFO_RX_BYTES) |
8051 		     BIT_ULL(NL80211_STA_INFO_TX_BYTES64))) {
8052 			sinfo->rx_bytes += link_sinfo->rx_bytes;
8053 			sinfo->filled |= BIT_ULL(NL80211_STA_INFO_RX_BYTES);
8054 		}
8055 
8056 		if (link_sinfo->filled &
8057 		    BIT_ULL(NL80211_STA_INFO_TX_RETRIES)) {
8058 			sinfo->tx_retries += link_sinfo->tx_retries;
8059 			sinfo->filled |= BIT_ULL(NL80211_STA_INFO_TX_RETRIES);
8060 		}
8061 
8062 		if (link_sinfo->filled & BIT_ULL(NL80211_STA_INFO_TX_FAILED)) {
8063 			sinfo->tx_failed += link_sinfo->tx_failed;
8064 			sinfo->filled |= BIT_ULL(NL80211_STA_INFO_TX_FAILED);
8065 		}
8066 
8067 		if (link_sinfo->filled &
8068 		    BIT_ULL(NL80211_STA_INFO_RX_DROP_MISC)) {
8069 			sinfo->rx_dropped_misc += link_sinfo->rx_dropped_misc;
8070 			sinfo->filled |=
8071 				BIT_ULL(NL80211_STA_INFO_RX_DROP_MISC);
8072 		}
8073 
8074 		if (link_sinfo->filled &
8075 		    BIT_ULL(NL80211_STA_INFO_BEACON_LOSS)) {
8076 			sinfo->beacon_loss_count +=
8077 				link_sinfo->beacon_loss_count;
8078 			sinfo->filled |= BIT_ULL(NL80211_STA_INFO_BEACON_LOSS);
8079 		}
8080 
8081 		if (link_sinfo->filled &
8082 		    BIT_ULL(NL80211_STA_INFO_EXPECTED_THROUGHPUT)) {
8083 			sinfo->expected_throughput +=
8084 				link_sinfo->expected_throughput;
8085 			sinfo->filled |=
8086 				BIT_ULL(NL80211_STA_INFO_EXPECTED_THROUGHPUT);
8087 		}
8088 
8089 		if (link_sinfo->filled & BIT_ULL(NL80211_STA_INFO_RX_MPDUS)) {
8090 			sinfo->rx_mpdu_count += link_sinfo->rx_mpdu_count;
8091 			sinfo->filled |= BIT_ULL(NL80211_STA_INFO_RX_MPDUS);
8092 		}
8093 
8094 		if (link_sinfo->filled &
8095 		    BIT_ULL(NL80211_STA_INFO_FCS_ERROR_COUNT)) {
8096 			sinfo->fcs_err_count += link_sinfo->fcs_err_count;
8097 			sinfo->filled |=
8098 				BIT_ULL(NL80211_STA_INFO_FCS_ERROR_COUNT);
8099 		}
8100 
8101 		if (link_sinfo->filled &
8102 		    BIT_ULL(NL80211_STA_INFO_BEACON_RX)) {
8103 			sinfo->rx_beacon += link_sinfo->rx_beacon;
8104 			sinfo->filled |= BIT_ULL(NL80211_STA_INFO_BEACON_RX);
8105 		}
8106 
8107 		/* Update MLO signal, signal_avg as best among links */
8108 		if ((link_sinfo->filled & BIT_ULL(NL80211_STA_INFO_SIGNAL)) &&
8109 		    link_sinfo->signal > sinfo->signal) {
8110 			sinfo->signal = link_sinfo->signal;
8111 			sinfo->filled |= BIT_ULL(NL80211_STA_INFO_SIGNAL);
8112 		}
8113 
8114 		if ((link_sinfo->filled &
8115 			BIT_ULL(NL80211_STA_INFO_SIGNAL_AVG)) &&
8116 		    link_sinfo->signal_avg > sinfo->signal_avg) {
8117 			sinfo->signal_avg = link_sinfo->signal_avg;
8118 			sinfo->filled |= BIT_ULL(NL80211_STA_INFO_SIGNAL_AVG);
8119 		}
8120 
8121 		/* Update MLO inactive_time, bss_param based on least
8122 		 * value for corresponding field of link.
8123 		 */
8124 		if ((link_sinfo->filled &
8125 		     BIT_ULL(NL80211_STA_INFO_INACTIVE_TIME)) &&
8126 		    (!init ||
8127 		     link_inactive_time > link_sinfo->inactive_time)) {
8128 			link_inactive_time = link_sinfo->inactive_time;
8129 			sinfo->inactive_time = link_sinfo->inactive_time;
8130 			sinfo->filled |= NL80211_STA_INFO_INACTIVE_TIME;
8131 		}
8132 
8133 		if (link_sinfo->filled & BIT_ULL(NL80211_STA_INFO_BSS_PARAM) &&
8134 		    (!init ||
8135 		     sinfo->bss_param.dtim_period >
8136 		      link_sinfo->bss_param.dtim_period)) {
8137 			sinfo->bss_param.dtim_period =
8138 				link_sinfo->bss_param.dtim_period;
8139 			sinfo->filled |= NL80211_STA_BSS_PARAM_DTIM_PERIOD;
8140 			sinfo->bss_param.beacon_interval =
8141 				link_sinfo->bss_param.beacon_interval;
8142 			sinfo->filled |= NL80211_STA_BSS_PARAM_BEACON_INTERVAL;
8143 		}
8144 
8145 		/* Update MLO rates as per last updated link rate */
8146 		if ((link_sinfo->filled &
8147 		     BIT_ULL(NL80211_STA_INFO_TX_BITRATE)) &&
8148 		    (!init ||
8149 		     link_inactive_time > link_sinfo->inactive_time)) {
8150 			sinfo->txrate = link_sinfo->txrate;
8151 			sinfo->filled |= BIT_ULL(NL80211_STA_INFO_TX_BITRATE);
8152 		}
8153 		if ((link_sinfo->filled &
8154 		     BIT_ULL(NL80211_STA_INFO_RX_BITRATE)) &&
8155 		    (!init ||
8156 		     link_inactive_time > link_sinfo->inactive_time)) {
8157 			sinfo->rxrate = link_sinfo->rxrate;
8158 			sinfo->filled |= BIT_ULL(NL80211_STA_INFO_RX_BITRATE);
8159 		}
8160 
8161 		if (link_sinfo->filled &
8162 		    BIT_ULL(NL80211_STA_INFO_TX_DURATION) &&
8163 		    (!init ||
8164 		     link_inactive_time > link_sinfo->inactive_time)) {
8165 			sinfo->tx_duration += link_sinfo->tx_duration;
8166 			sinfo->filled |=
8167 				BIT_ULL(NL80211_STA_INFO_TX_DURATION);
8168 		}
8169 		if (link_sinfo->filled &
8170 		    BIT_ULL(NL80211_STA_INFO_RX_DURATION) &&
8171 		    (!init ||
8172 		     link_inactive_time > link_sinfo->inactive_time)) {
8173 			sinfo->rx_duration += link_sinfo->rx_duration;
8174 			sinfo->filled |=
8175 				BIT_ULL(NL80211_STA_INFO_RX_DURATION);
8176 		}
8177 		init++;
8178 
8179 		/* pertid stats accumulate for rx/tx fields */
8180 		if (sinfo->pertid) {
8181 			sinfo->pertid->rx_msdu +=
8182 				link_sinfo->pertid->rx_msdu;
8183 			sinfo->pertid->tx_msdu +=
8184 				link_sinfo->pertid->tx_msdu;
8185 			sinfo->pertid->tx_msdu_retries +=
8186 				link_sinfo->pertid->tx_msdu_retries;
8187 			sinfo->pertid->tx_msdu_failed +=
8188 				link_sinfo->pertid->tx_msdu_failed;
8189 
8190 			sinfo->pertid->filled |=
8191 				BIT(NL80211_TID_STATS_RX_MSDU) |
8192 				BIT(NL80211_TID_STATS_TX_MSDU) |
8193 				BIT(NL80211_TID_STATS_TX_MSDU_RETRIES) |
8194 				BIT(NL80211_TID_STATS_TX_MSDU_FAILED);
8195 		}
8196 	}
8197 
8198 	/* Reset sinfo->filled bits to exclude fields which don't make
8199 	 * much sense at the MLO level.
8200 	 */
8201 	sinfo->filled &= ~BIT_ULL(NL80211_STA_INFO_CHAIN_SIGNAL);
8202 	sinfo->filled &= ~BIT_ULL(NL80211_STA_INFO_CHAIN_SIGNAL_AVG);
8203 }
8204 
8205 static int nl80211_dump_station(struct sk_buff *skb,
8206 				struct netlink_callback *cb)
8207 {
8208 	struct station_info sinfo;
8209 	struct cfg80211_registered_device *rdev;
8210 	struct wireless_dev *wdev;
8211 	u8 mac_addr[ETH_ALEN];
8212 	int sta_idx = cb->args[2];
8213 	bool sinfo_alloc = false;
8214 	int err, i;
8215 
8216 	err = nl80211_prepare_wdev_dump(cb, &rdev, &wdev, NULL);
8217 	if (err)
8218 		return err;
8219 	/* nl80211_prepare_wdev_dump acquired it in the successful case */
8220 	__acquire(&rdev->wiphy.mtx);
8221 
8222 	if (!wdev->netdev && wdev->iftype != NL80211_IFTYPE_NAN) {
8223 		err = -EINVAL;
8224 		goto out_err;
8225 	}
8226 
8227 	if (!rdev->ops->dump_station) {
8228 		err = -EOPNOTSUPP;
8229 		goto out_err;
8230 	}
8231 
8232 	while (1) {
8233 		memset(&sinfo, 0, sizeof(sinfo));
8234 
8235 		for (i = 0; i < IEEE80211_MLD_MAX_NUM_LINKS; i++) {
8236 			sinfo.links[i] =
8237 				kzalloc_obj(*sinfo.links[0]);
8238 			if (!sinfo.links[i]) {
8239 				err = -ENOMEM;
8240 				goto out_err;
8241 			}
8242 			sinfo_alloc = true;
8243 		}
8244 
8245 		err = rdev_dump_station(rdev, wdev, sta_idx,
8246 					mac_addr, &sinfo);
8247 		if (err == -ENOENT)
8248 			break;
8249 		if (err)
8250 			goto out_err;
8251 
8252 		if (sinfo.valid_links)
8253 			cfg80211_sta_set_mld_sinfo(&sinfo);
8254 
8255 		/* reset the sinfo_alloc flag as nl80211_send_station()
8256 		 * always releases sinfo
8257 		 */
8258 		sinfo_alloc = false;
8259 
8260 		if (nl80211_send_station(skb, NL80211_CMD_NEW_STATION,
8261 				NETLINK_CB(cb->skb).portid,
8262 				cb->nlh->nlmsg_seq, NLM_F_MULTI,
8263 				rdev, wdev, mac_addr,
8264 				&sinfo, false) < 0)
8265 			goto out;
8266 
8267 		sta_idx++;
8268 	}
8269 
8270  out:
8271 	cb->args[2] = sta_idx;
8272 	err = skb->len;
8273  out_err:
8274 	if (sinfo_alloc)
8275 		cfg80211_sinfo_release_content(&sinfo);
8276 	wiphy_unlock(&rdev->wiphy);
8277 
8278 	return err;
8279 }
8280 
8281 static int nl80211_get_station(struct sk_buff *skb, struct genl_info *info)
8282 {
8283 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8284 	struct wireless_dev *wdev = info->user_ptr[1];
8285 	struct station_info sinfo;
8286 	struct sk_buff *msg;
8287 	u8 *mac_addr = NULL;
8288 	int err, i;
8289 
8290 	memset(&sinfo, 0, sizeof(sinfo));
8291 
8292 	if (!wdev->netdev)
8293 		return -EINVAL;
8294 
8295 	if (!info->attrs[NL80211_ATTR_MAC])
8296 		return -EINVAL;
8297 
8298 	mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
8299 
8300 	if (!rdev->ops->get_station)
8301 		return -EOPNOTSUPP;
8302 
8303 	for (i = 0; i < IEEE80211_MLD_MAX_NUM_LINKS; i++) {
8304 		sinfo.links[i] = kzalloc_obj(*sinfo.links[0]);
8305 		if (!sinfo.links[i]) {
8306 			cfg80211_sinfo_release_content(&sinfo);
8307 			return -ENOMEM;
8308 		}
8309 	}
8310 
8311 	err = rdev_get_station(rdev, wdev, mac_addr, &sinfo);
8312 	if (err) {
8313 		cfg80211_sinfo_release_content(&sinfo);
8314 		return err;
8315 	}
8316 
8317 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
8318 	if (!msg) {
8319 		cfg80211_sinfo_release_content(&sinfo);
8320 		return -ENOMEM;
8321 	}
8322 
8323 	if (sinfo.valid_links)
8324 		cfg80211_sta_set_mld_sinfo(&sinfo);
8325 
8326 	if (nl80211_send_station(msg, NL80211_CMD_NEW_STATION,
8327 				 info->snd_portid, info->snd_seq, 0,
8328 				 rdev, wdev, mac_addr, &sinfo, false) < 0) {
8329 		nlmsg_free(msg);
8330 		return -ENOBUFS;
8331 	}
8332 
8333 	return genlmsg_reply(msg, info);
8334 }
8335 
8336 int cfg80211_check_station_change(struct wiphy *wiphy,
8337 				  struct station_parameters *params,
8338 				  enum cfg80211_station_type statype)
8339 {
8340 	if (params->listen_interval != -1 &&
8341 	    statype != CFG80211_STA_AP_CLIENT_UNASSOC)
8342 		return -EINVAL;
8343 
8344 	if (params->support_p2p_ps != -1 &&
8345 	    statype != CFG80211_STA_AP_CLIENT_UNASSOC)
8346 		return -EINVAL;
8347 
8348 	if (params->aid &&
8349 	    !(params->sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)) &&
8350 	    statype != CFG80211_STA_AP_CLIENT_UNASSOC)
8351 		return -EINVAL;
8352 
8353 	/* When you run into this, adjust the code below for the new flag */
8354 	BUILD_BUG_ON(NL80211_STA_FLAG_MAX != 8);
8355 
8356 	switch (statype) {
8357 	case CFG80211_STA_MESH_PEER_KERNEL:
8358 	case CFG80211_STA_MESH_PEER_USER:
8359 		/*
8360 		 * No ignoring the TDLS flag here -- the userspace mesh
8361 		 * code doesn't have the bug of including TDLS in the
8362 		 * mask everywhere.
8363 		 */
8364 		if (params->sta_flags_mask &
8365 				~(BIT(NL80211_STA_FLAG_AUTHENTICATED) |
8366 				  BIT(NL80211_STA_FLAG_MFP) |
8367 				  BIT(NL80211_STA_FLAG_AUTHORIZED)))
8368 			return -EINVAL;
8369 		break;
8370 	case CFG80211_STA_TDLS_PEER_SETUP:
8371 	case CFG80211_STA_TDLS_PEER_ACTIVE:
8372 		if (!(params->sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)))
8373 			return -EINVAL;
8374 		/* ignore since it can't change */
8375 		params->sta_flags_mask &= ~BIT(NL80211_STA_FLAG_TDLS_PEER);
8376 		break;
8377 	default:
8378 		/* disallow mesh-specific things */
8379 		if (params->plink_action != NL80211_PLINK_ACTION_NO_ACTION)
8380 			return -EINVAL;
8381 		if (params->local_pm)
8382 			return -EINVAL;
8383 		if (params->sta_modify_mask & STATION_PARAM_APPLY_PLINK_STATE)
8384 			return -EINVAL;
8385 	}
8386 
8387 	if (statype != CFG80211_STA_TDLS_PEER_SETUP &&
8388 	    statype != CFG80211_STA_TDLS_PEER_ACTIVE) {
8389 		/* TDLS can't be set, ... */
8390 		if (params->sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER))
8391 			return -EINVAL;
8392 		/*
8393 		 * ... but don't bother the driver with it. This works around
8394 		 * a hostapd/wpa_supplicant issue -- it always includes the
8395 		 * TLDS_PEER flag in the mask even for AP mode.
8396 		 */
8397 		params->sta_flags_mask &= ~BIT(NL80211_STA_FLAG_TDLS_PEER);
8398 	}
8399 
8400 	if (statype != CFG80211_STA_TDLS_PEER_SETUP &&
8401 	    statype != CFG80211_STA_AP_CLIENT_UNASSOC) {
8402 		/* reject other things that can't change */
8403 		if (params->sta_modify_mask & STATION_PARAM_APPLY_UAPSD)
8404 			return -EINVAL;
8405 		if (params->sta_modify_mask & STATION_PARAM_APPLY_CAPABILITY)
8406 			return -EINVAL;
8407 		if (params->link_sta_params.supported_rates)
8408 			return -EINVAL;
8409 		if (statype != CFG80211_STA_NAN_MGMT &&
8410 		    (params->link_sta_params.ht_capa ||
8411 		     params->link_sta_params.vht_capa ||
8412 		     params->link_sta_params.he_capa))
8413 			return -EINVAL;
8414 		if (params->ext_capab || params->link_sta_params.eht_capa ||
8415 		    params->link_sta_params.uhr_capa)
8416 			return -EINVAL;
8417 		if (params->sta_flags_mask & BIT(NL80211_STA_FLAG_SPP_AMSDU))
8418 			return -EINVAL;
8419 	}
8420 
8421 	if (statype != CFG80211_STA_AP_CLIENT &&
8422 	    statype != CFG80211_STA_AP_CLIENT_UNASSOC) {
8423 		if (params->vlan)
8424 			return -EINVAL;
8425 	}
8426 
8427 	/* Accept EMLSR capabilities only for AP client before association */
8428 	if (statype != CFG80211_STA_AP_CLIENT_UNASSOC &&
8429 	    params->eml_cap_present)
8430 		return -EINVAL;
8431 
8432 	switch (statype) {
8433 	case CFG80211_STA_AP_MLME_CLIENT:
8434 		/* Use this only for authorizing/unauthorizing a station */
8435 		if (!(params->sta_flags_mask & BIT(NL80211_STA_FLAG_AUTHORIZED)))
8436 			return -EOPNOTSUPP;
8437 		break;
8438 	case CFG80211_STA_AP_CLIENT:
8439 	case CFG80211_STA_AP_CLIENT_UNASSOC:
8440 		/* accept only the listed bits */
8441 		if (params->sta_flags_mask &
8442 				~(BIT(NL80211_STA_FLAG_AUTHORIZED) |
8443 				  BIT(NL80211_STA_FLAG_AUTHENTICATED) |
8444 				  BIT(NL80211_STA_FLAG_ASSOCIATED) |
8445 				  BIT(NL80211_STA_FLAG_SHORT_PREAMBLE) |
8446 				  BIT(NL80211_STA_FLAG_WME) |
8447 				  BIT(NL80211_STA_FLAG_MFP) |
8448 				  BIT(NL80211_STA_FLAG_SPP_AMSDU)))
8449 			return -EINVAL;
8450 
8451 		/* but authenticated/associated only if driver handles it */
8452 		if (!(wiphy->features & NL80211_FEATURE_FULL_AP_CLIENT_STATE) &&
8453 		    params->sta_flags_mask &
8454 				(BIT(NL80211_STA_FLAG_AUTHENTICATED) |
8455 				 BIT(NL80211_STA_FLAG_ASSOCIATED)))
8456 			return -EINVAL;
8457 		break;
8458 	case CFG80211_STA_IBSS:
8459 	case CFG80211_STA_AP_STA:
8460 		/* reject any changes other than AUTHORIZED */
8461 		if (params->sta_flags_mask & ~BIT(NL80211_STA_FLAG_AUTHORIZED))
8462 			return -EINVAL;
8463 		break;
8464 	case CFG80211_STA_TDLS_PEER_SETUP:
8465 		/* reject any changes other than AUTHORIZED or WME */
8466 		if (params->sta_flags_mask & ~(BIT(NL80211_STA_FLAG_AUTHORIZED) |
8467 					       BIT(NL80211_STA_FLAG_WME)))
8468 			return -EINVAL;
8469 		/* force (at least) rates when authorizing */
8470 		if (params->sta_flags_set & BIT(NL80211_STA_FLAG_AUTHORIZED) &&
8471 		    !params->link_sta_params.supported_rates)
8472 			return -EINVAL;
8473 		break;
8474 	case CFG80211_STA_TDLS_PEER_ACTIVE:
8475 		/* reject any changes */
8476 		return -EINVAL;
8477 	case CFG80211_STA_MESH_PEER_KERNEL:
8478 		if (params->sta_modify_mask & STATION_PARAM_APPLY_PLINK_STATE)
8479 			return -EINVAL;
8480 		break;
8481 	case CFG80211_STA_MESH_PEER_USER:
8482 		if (params->plink_action != NL80211_PLINK_ACTION_NO_ACTION &&
8483 		    params->plink_action != NL80211_PLINK_ACTION_BLOCK)
8484 			return -EINVAL;
8485 		break;
8486 	case CFG80211_STA_NAN_MGMT:
8487 		if (params->sta_flags_mask &
8488 		    ~(BIT(NL80211_STA_FLAG_AUTHORIZED) |
8489 		      BIT(NL80211_STA_FLAG_MFP)))
8490 			return -EINVAL;
8491 		break;
8492 	case CFG80211_STA_NAN_DATA:
8493 		if (params->sta_flags_mask &
8494 		    ~(BIT(NL80211_STA_FLAG_AUTHORIZED) |
8495 		      BIT(NL80211_STA_FLAG_MFP) |
8496 		      BIT(NL80211_STA_FLAG_WME)))
8497 			return -EINVAL;
8498 		break;
8499 	}
8500 
8501 	/*
8502 	 * Older kernel versions ignored this attribute entirely, so don't
8503 	 * reject attempts to update it but mark it as unused instead so the
8504 	 * driver won't look at the data.
8505 	 */
8506 	if (statype != CFG80211_STA_AP_CLIENT_UNASSOC &&
8507 	    statype != CFG80211_STA_TDLS_PEER_SETUP)
8508 		params->link_sta_params.opmode_notif_used = false;
8509 
8510 	return 0;
8511 }
8512 EXPORT_SYMBOL(cfg80211_check_station_change);
8513 
8514 /*
8515  * Get vlan interface making sure it is running and on the right wiphy.
8516  */
8517 static struct net_device *get_vlan(struct genl_info *info,
8518 				   struct cfg80211_registered_device *rdev)
8519 {
8520 	struct nlattr *vlanattr = info->attrs[NL80211_ATTR_STA_VLAN];
8521 	struct net_device *v;
8522 	int ret;
8523 
8524 	if (!vlanattr)
8525 		return NULL;
8526 
8527 	v = dev_get_by_index(genl_info_net(info), nla_get_u32(vlanattr));
8528 	if (!v)
8529 		return ERR_PTR(-ENODEV);
8530 
8531 	if (!v->ieee80211_ptr || v->ieee80211_ptr->wiphy != &rdev->wiphy) {
8532 		ret = -EINVAL;
8533 		goto error;
8534 	}
8535 
8536 	if (v->ieee80211_ptr->iftype != NL80211_IFTYPE_AP_VLAN &&
8537 	    v->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
8538 	    v->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO) {
8539 		ret = -EINVAL;
8540 		goto error;
8541 	}
8542 
8543 	if (!netif_running(v)) {
8544 		ret = -ENETDOWN;
8545 		goto error;
8546 	}
8547 
8548 	return v;
8549  error:
8550 	dev_put(v);
8551 	return ERR_PTR(ret);
8552 }
8553 
8554 static int nl80211_parse_sta_wme(struct genl_info *info,
8555 				 struct station_parameters *params)
8556 {
8557 	struct nlattr *tb[NL80211_STA_WME_MAX + 1];
8558 	struct nlattr *nla;
8559 	int err;
8560 
8561 	/* parse WME attributes if present */
8562 	if (!info->attrs[NL80211_ATTR_STA_WME])
8563 		return 0;
8564 
8565 	nla = info->attrs[NL80211_ATTR_STA_WME];
8566 	err = nla_parse_nested_deprecated(tb, NL80211_STA_WME_MAX, nla,
8567 					  nl80211_sta_wme_policy,
8568 					  info->extack);
8569 	if (err)
8570 		return err;
8571 
8572 	if (tb[NL80211_STA_WME_UAPSD_QUEUES])
8573 		params->uapsd_queues = nla_get_u8(
8574 			tb[NL80211_STA_WME_UAPSD_QUEUES]);
8575 	if (params->uapsd_queues & ~IEEE80211_WMM_IE_STA_QOSINFO_AC_MASK)
8576 		return -EINVAL;
8577 
8578 	if (tb[NL80211_STA_WME_MAX_SP])
8579 		params->max_sp = nla_get_u8(tb[NL80211_STA_WME_MAX_SP]);
8580 
8581 	if (params->max_sp & ~IEEE80211_WMM_IE_STA_QOSINFO_SP_MASK)
8582 		return -EINVAL;
8583 
8584 	params->sta_modify_mask |= STATION_PARAM_APPLY_UAPSD;
8585 
8586 	return 0;
8587 }
8588 
8589 static int nl80211_parse_sta_channel_info(struct genl_info *info,
8590 				      struct station_parameters *params)
8591 {
8592 	if (info->attrs[NL80211_ATTR_STA_SUPPORTED_CHANNELS]) {
8593 		params->supported_channels =
8594 		     nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_CHANNELS]);
8595 		params->supported_channels_len =
8596 		     nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_CHANNELS]);
8597 		/*
8598 		 * Need to include at least one (first channel, number of
8599 		 * channels) tuple for each subband (checked in policy),
8600 		 * and must have proper tuples for the rest of the data as well.
8601 		 */
8602 		if (params->supported_channels_len % 2)
8603 			return -EINVAL;
8604 	}
8605 
8606 	if (info->attrs[NL80211_ATTR_STA_SUPPORTED_OPER_CLASSES]) {
8607 		params->supported_oper_classes =
8608 		 nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_OPER_CLASSES]);
8609 		params->supported_oper_classes_len =
8610 		  nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_OPER_CLASSES]);
8611 	}
8612 	return 0;
8613 }
8614 
8615 static int nl80211_set_station_tdls(struct genl_info *info,
8616 				    struct station_parameters *params)
8617 {
8618 	int err;
8619 	/* Dummy STA entry gets updated once the peer capabilities are known */
8620 	if (info->attrs[NL80211_ATTR_PEER_AID])
8621 		params->aid = nla_get_u16(info->attrs[NL80211_ATTR_PEER_AID]);
8622 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY])
8623 		params->link_sta_params.ht_capa =
8624 			nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]);
8625 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY])
8626 		params->link_sta_params.vht_capa =
8627 			nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]);
8628 	if (info->attrs[NL80211_ATTR_HE_CAPABILITY]) {
8629 		params->link_sta_params.he_capa =
8630 			nla_data(info->attrs[NL80211_ATTR_HE_CAPABILITY]);
8631 		params->link_sta_params.he_capa_len =
8632 			nla_len(info->attrs[NL80211_ATTR_HE_CAPABILITY]);
8633 
8634 		if (info->attrs[NL80211_ATTR_EHT_CAPABILITY]) {
8635 			params->link_sta_params.eht_capa =
8636 				nla_data(info->attrs[NL80211_ATTR_EHT_CAPABILITY]);
8637 			params->link_sta_params.eht_capa_len =
8638 				nla_len(info->attrs[NL80211_ATTR_EHT_CAPABILITY]);
8639 
8640 			if (!ieee80211_eht_capa_size_ok((const u8 *)params->link_sta_params.he_capa,
8641 							(const u8 *)params->link_sta_params.eht_capa,
8642 							params->link_sta_params.eht_capa_len,
8643 							false))
8644 				return -EINVAL;
8645 		}
8646 	}
8647 
8648 	if (info->attrs[NL80211_ATTR_UHR_CAPABILITY]) {
8649 		if (!params->link_sta_params.eht_capa)
8650 			return -EINVAL;
8651 
8652 		params->link_sta_params.uhr_capa =
8653 			nla_data(info->attrs[NL80211_ATTR_UHR_CAPABILITY]);
8654 		params->link_sta_params.uhr_capa_len =
8655 			nla_len(info->attrs[NL80211_ATTR_UHR_CAPABILITY]);
8656 	}
8657 
8658 	if (info->attrs[NL80211_ATTR_S1G_CAPABILITY])
8659 		params->link_sta_params.s1g_capa =
8660 			nla_data(info->attrs[NL80211_ATTR_S1G_CAPABILITY]);
8661 
8662 	err = nl80211_parse_sta_channel_info(info, params);
8663 	if (err)
8664 		return err;
8665 
8666 	return nl80211_parse_sta_wme(info, params);
8667 }
8668 
8669 static int nl80211_parse_sta_txpower_setting(struct genl_info *info,
8670 					     struct sta_txpwr *txpwr,
8671 					     bool *txpwr_set)
8672 {
8673 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8674 	int idx;
8675 
8676 	if (info->attrs[NL80211_ATTR_STA_TX_POWER_SETTING]) {
8677 		if (!rdev->ops->set_tx_power ||
8678 		    !wiphy_ext_feature_isset(&rdev->wiphy,
8679 					 NL80211_EXT_FEATURE_STA_TX_PWR))
8680 			return -EOPNOTSUPP;
8681 
8682 		idx = NL80211_ATTR_STA_TX_POWER_SETTING;
8683 		txpwr->type = nla_get_u8(info->attrs[idx]);
8684 
8685 		if (txpwr->type == NL80211_TX_POWER_LIMITED) {
8686 			idx = NL80211_ATTR_STA_TX_POWER;
8687 
8688 			if (info->attrs[idx])
8689 				txpwr->power = nla_get_s16(info->attrs[idx]);
8690 			else
8691 				return -EINVAL;
8692 		}
8693 
8694 		*txpwr_set = true;
8695 	} else {
8696 		*txpwr_set = false;
8697 	}
8698 
8699 	return 0;
8700 }
8701 
8702 static int nl80211_set_station(struct sk_buff *skb, struct genl_info *info)
8703 {
8704 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8705 	struct wireless_dev *wdev = info->user_ptr[1];
8706 	struct net_device *dev = wdev->netdev;
8707 	struct station_parameters params;
8708 	u8 *mac_addr;
8709 	int err;
8710 
8711 	memset(&params, 0, sizeof(params));
8712 
8713 	if (!dev && wdev->iftype != NL80211_IFTYPE_NAN &&
8714 	    wdev->iftype != NL80211_IFTYPE_NAN_DATA)
8715 		return -EINVAL;
8716 
8717 	if (!rdev->ops->change_station)
8718 		return -EOPNOTSUPP;
8719 
8720 	/*
8721 	 * AID and listen_interval properties can be set only for unassociated
8722 	 * station. Include these parameters here and will check them in
8723 	 * cfg80211_check_station_change().
8724 	 */
8725 	if (info->attrs[NL80211_ATTR_STA_AID])
8726 		params.aid = nla_get_u16(info->attrs[NL80211_ATTR_STA_AID]);
8727 
8728 	if (info->attrs[NL80211_ATTR_VLAN_ID])
8729 		params.vlan_id = nla_get_u16(info->attrs[NL80211_ATTR_VLAN_ID]);
8730 
8731 	if (info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL])
8732 		params.listen_interval =
8733 		     nla_get_u16(info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL]);
8734 	else
8735 		params.listen_interval = -1;
8736 
8737 	if (info->attrs[NL80211_ATTR_STA_SUPPORT_P2P_PS])
8738 		params.support_p2p_ps =
8739 			nla_get_u8(info->attrs[NL80211_ATTR_STA_SUPPORT_P2P_PS]);
8740 	else
8741 		params.support_p2p_ps = -1;
8742 
8743 	if (!info->attrs[NL80211_ATTR_MAC])
8744 		return -EINVAL;
8745 
8746 	params.link_sta_params.link_id =
8747 		nl80211_link_id_or_invalid(info->attrs);
8748 
8749 	if (info->attrs[NL80211_ATTR_MLD_ADDR]) {
8750 		/* If MLD_ADDR attribute is set then this is an MLD station
8751 		 * and the MLD_ADDR attribute holds the MLD address and the
8752 		 * MAC attribute holds for the LINK address.
8753 		 * In that case, the link_id is also expected to be valid.
8754 		 */
8755 		if (params.link_sta_params.link_id < 0)
8756 			return -EINVAL;
8757 
8758 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MLD_ADDR]);
8759 		params.link_sta_params.mld_mac = mac_addr;
8760 		params.link_sta_params.link_mac =
8761 			nla_data(info->attrs[NL80211_ATTR_MAC]);
8762 		if (!is_valid_ether_addr(params.link_sta_params.link_mac))
8763 			return -EINVAL;
8764 	} else {
8765 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
8766 	}
8767 
8768 
8769 	if (info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]) {
8770 		params.link_sta_params.supported_rates =
8771 			nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
8772 		params.link_sta_params.supported_rates_len =
8773 			nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
8774 	}
8775 
8776 	if (info->attrs[NL80211_ATTR_STA_CAPABILITY]) {
8777 		params.capability =
8778 			nla_get_u16(info->attrs[NL80211_ATTR_STA_CAPABILITY]);
8779 		params.sta_modify_mask |= STATION_PARAM_APPLY_CAPABILITY;
8780 	}
8781 
8782 	if (info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]) {
8783 		params.ext_capab =
8784 			nla_data(info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]);
8785 		params.ext_capab_len =
8786 			nla_len(info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]);
8787 	}
8788 
8789 	if (parse_station_flags(info, wdev->iftype, &params))
8790 		return -EINVAL;
8791 
8792 	if (info->attrs[NL80211_ATTR_STA_PLINK_ACTION])
8793 		params.plink_action =
8794 			nla_get_u8(info->attrs[NL80211_ATTR_STA_PLINK_ACTION]);
8795 
8796 	if (info->attrs[NL80211_ATTR_STA_PLINK_STATE]) {
8797 		params.plink_state =
8798 			nla_get_u8(info->attrs[NL80211_ATTR_STA_PLINK_STATE]);
8799 		if (info->attrs[NL80211_ATTR_MESH_PEER_AID])
8800 			params.peer_aid = nla_get_u16(
8801 				info->attrs[NL80211_ATTR_MESH_PEER_AID]);
8802 		params.sta_modify_mask |= STATION_PARAM_APPLY_PLINK_STATE;
8803 	}
8804 
8805 	if (info->attrs[NL80211_ATTR_LOCAL_MESH_POWER_MODE])
8806 		params.local_pm = nla_get_u32(
8807 			info->attrs[NL80211_ATTR_LOCAL_MESH_POWER_MODE]);
8808 
8809 	if (info->attrs[NL80211_ATTR_OPMODE_NOTIF]) {
8810 		params.link_sta_params.opmode_notif_used = true;
8811 		params.link_sta_params.opmode_notif =
8812 			nla_get_u8(info->attrs[NL80211_ATTR_OPMODE_NOTIF]);
8813 	}
8814 
8815 	if (info->attrs[NL80211_ATTR_HE_6GHZ_CAPABILITY])
8816 		params.link_sta_params.he_6ghz_capa =
8817 			nla_data(info->attrs[NL80211_ATTR_HE_6GHZ_CAPABILITY]);
8818 
8819 	if (info->attrs[NL80211_ATTR_EML_CAPABILITY]) {
8820 		params.eml_cap_present = true;
8821 		params.eml_cap =
8822 			nla_get_u16(info->attrs[NL80211_ATTR_EML_CAPABILITY]);
8823 	}
8824 
8825 	if (info->attrs[NL80211_ATTR_AIRTIME_WEIGHT])
8826 		params.airtime_weight =
8827 			nla_get_u16(info->attrs[NL80211_ATTR_AIRTIME_WEIGHT]);
8828 
8829 	if (params.airtime_weight &&
8830 	    !wiphy_ext_feature_isset(&rdev->wiphy,
8831 				     NL80211_EXT_FEATURE_AIRTIME_FAIRNESS))
8832 		return -EOPNOTSUPP;
8833 
8834 	err = nl80211_parse_sta_txpower_setting(info,
8835 						&params.link_sta_params.txpwr,
8836 						&params.link_sta_params.txpwr_set);
8837 	if (err)
8838 		return err;
8839 
8840 	/* Include parameters for TDLS peer (will check later) */
8841 	err = nl80211_set_station_tdls(info, &params);
8842 	if (err)
8843 		return err;
8844 
8845 	params.vlan = get_vlan(info, rdev);
8846 	if (IS_ERR(params.vlan))
8847 		return PTR_ERR(params.vlan);
8848 
8849 	switch (wdev->iftype) {
8850 	case NL80211_IFTYPE_AP:
8851 	case NL80211_IFTYPE_AP_VLAN:
8852 	case NL80211_IFTYPE_P2P_GO:
8853 	case NL80211_IFTYPE_P2P_CLIENT:
8854 	case NL80211_IFTYPE_STATION:
8855 	case NL80211_IFTYPE_ADHOC:
8856 	case NL80211_IFTYPE_MESH_POINT:
8857 	case NL80211_IFTYPE_NAN:
8858 	case NL80211_IFTYPE_NAN_DATA:
8859 		break;
8860 	default:
8861 		err = -EOPNOTSUPP;
8862 		goto out_put_vlan;
8863 	}
8864 
8865 	/* driver will call cfg80211_check_station_change() */
8866 	err = rdev_change_station(rdev, wdev, mac_addr, &params);
8867 
8868  out_put_vlan:
8869 	dev_put(params.vlan);
8870 
8871 	return err;
8872 }
8873 
8874 static int nl80211_new_station(struct sk_buff *skb, struct genl_info *info)
8875 {
8876 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8877 	int err;
8878 	struct wireless_dev *wdev = info->user_ptr[1];
8879 	struct net_device *dev = wdev->netdev;
8880 	struct station_parameters params;
8881 	u8 *mac_addr = NULL;
8882 	u32 auth_assoc = BIT(NL80211_STA_FLAG_AUTHENTICATED) |
8883 			 BIT(NL80211_STA_FLAG_ASSOCIATED);
8884 
8885 	memset(&params, 0, sizeof(params));
8886 
8887 	if (!dev && wdev->iftype != NL80211_IFTYPE_NAN)
8888 		return -EINVAL;
8889 
8890 	if (!rdev->ops->add_station)
8891 		return -EOPNOTSUPP;
8892 
8893 	if (!info->attrs[NL80211_ATTR_MAC])
8894 		return -EINVAL;
8895 
8896 	if (wdev->iftype == NL80211_IFTYPE_NAN ||
8897 	    wdev->iftype == NL80211_IFTYPE_NAN_DATA) {
8898 		if (info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES])
8899 			return -EINVAL;
8900 		if (wdev->iftype == NL80211_IFTYPE_NAN_DATA) {
8901 			if (!info->attrs[NL80211_ATTR_NAN_NMI_MAC])
8902 				return -EINVAL;
8903 
8904 			/* Only NMI stations receive the HT/VHT/HE capabilities */
8905 			if (info->attrs[NL80211_ATTR_HT_CAPABILITY] ||
8906 			    info->attrs[NL80211_ATTR_VHT_CAPABILITY] ||
8907 			    info->attrs[NL80211_ATTR_HE_CAPABILITY])
8908 				return -EINVAL;
8909 		}
8910 	} else {
8911 		if (!info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL])
8912 			return -EINVAL;
8913 
8914 		if (!info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES])
8915 			return -EINVAL;
8916 
8917 		if (!info->attrs[NL80211_ATTR_STA_AID] &&
8918 		    !info->attrs[NL80211_ATTR_PEER_AID])
8919 			return -EINVAL;
8920 	}
8921 
8922 	params.link_sta_params.link_id =
8923 		nl80211_link_id_or_invalid(info->attrs);
8924 
8925 	if (info->attrs[NL80211_ATTR_MLD_ADDR]) {
8926 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MLD_ADDR]);
8927 		params.link_sta_params.mld_mac = mac_addr;
8928 		params.link_sta_params.link_mac =
8929 			nla_data(info->attrs[NL80211_ATTR_MAC]);
8930 		if (!is_valid_ether_addr(params.link_sta_params.link_mac))
8931 			return -EINVAL;
8932 	} else {
8933 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
8934 	}
8935 
8936 	if (info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]) {
8937 		params.link_sta_params.supported_rates =
8938 			nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
8939 		params.link_sta_params.supported_rates_len =
8940 			nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
8941 	}
8942 
8943 	if (info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL])
8944 		params.listen_interval =
8945 			nla_get_u16(info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL]);
8946 
8947 	if (info->attrs[NL80211_ATTR_VLAN_ID])
8948 		params.vlan_id = nla_get_u16(info->attrs[NL80211_ATTR_VLAN_ID]);
8949 
8950 	if (info->attrs[NL80211_ATTR_STA_SUPPORT_P2P_PS]) {
8951 		params.support_p2p_ps =
8952 			nla_get_u8(info->attrs[NL80211_ATTR_STA_SUPPORT_P2P_PS]);
8953 	} else {
8954 		/*
8955 		 * if not specified, assume it's supported for P2P GO interface,
8956 		 * and is NOT supported for AP interface
8957 		 */
8958 		params.support_p2p_ps =
8959 			wdev->iftype == NL80211_IFTYPE_P2P_GO;
8960 	}
8961 
8962 	if (info->attrs[NL80211_ATTR_PEER_AID])
8963 		params.aid = nla_get_u16(info->attrs[NL80211_ATTR_PEER_AID]);
8964 	else if (info->attrs[NL80211_ATTR_STA_AID])
8965 		params.aid = nla_get_u16(info->attrs[NL80211_ATTR_STA_AID]);
8966 
8967 	if (info->attrs[NL80211_ATTR_STA_CAPABILITY]) {
8968 		params.capability =
8969 			nla_get_u16(info->attrs[NL80211_ATTR_STA_CAPABILITY]);
8970 		params.sta_modify_mask |= STATION_PARAM_APPLY_CAPABILITY;
8971 	}
8972 
8973 	if (info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]) {
8974 		params.ext_capab =
8975 			nla_data(info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]);
8976 		params.ext_capab_len =
8977 			nla_len(info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]);
8978 	}
8979 
8980 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY])
8981 		params.link_sta_params.ht_capa =
8982 			nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]);
8983 
8984 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY])
8985 		params.link_sta_params.vht_capa =
8986 			nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]);
8987 
8988 	if (info->attrs[NL80211_ATTR_HE_CAPABILITY]) {
8989 		params.link_sta_params.he_capa =
8990 			nla_data(info->attrs[NL80211_ATTR_HE_CAPABILITY]);
8991 		params.link_sta_params.he_capa_len =
8992 			nla_len(info->attrs[NL80211_ATTR_HE_CAPABILITY]);
8993 
8994 		if (info->attrs[NL80211_ATTR_EHT_CAPABILITY]) {
8995 			params.link_sta_params.eht_capa =
8996 				nla_data(info->attrs[NL80211_ATTR_EHT_CAPABILITY]);
8997 			params.link_sta_params.eht_capa_len =
8998 				nla_len(info->attrs[NL80211_ATTR_EHT_CAPABILITY]);
8999 
9000 			if (!ieee80211_eht_capa_size_ok((const u8 *)params.link_sta_params.he_capa,
9001 							(const u8 *)params.link_sta_params.eht_capa,
9002 							params.link_sta_params.eht_capa_len,
9003 							false))
9004 				return -EINVAL;
9005 		}
9006 	}
9007 
9008 	if (info->attrs[NL80211_ATTR_UHR_CAPABILITY]) {
9009 		if (!params.link_sta_params.eht_capa)
9010 			return -EINVAL;
9011 
9012 		params.link_sta_params.uhr_capa =
9013 			nla_data(info->attrs[NL80211_ATTR_UHR_CAPABILITY]);
9014 		params.link_sta_params.uhr_capa_len =
9015 			nla_len(info->attrs[NL80211_ATTR_UHR_CAPABILITY]);
9016 	}
9017 
9018 	if (info->attrs[NL80211_ATTR_EML_CAPABILITY]) {
9019 		params.eml_cap_present = true;
9020 		params.eml_cap =
9021 			nla_get_u16(info->attrs[NL80211_ATTR_EML_CAPABILITY]);
9022 	}
9023 
9024 	if (info->attrs[NL80211_ATTR_HE_6GHZ_CAPABILITY])
9025 		params.link_sta_params.he_6ghz_capa =
9026 			nla_data(info->attrs[NL80211_ATTR_HE_6GHZ_CAPABILITY]);
9027 
9028 	if (info->attrs[NL80211_ATTR_S1G_CAPABILITY])
9029 		params.link_sta_params.s1g_capa =
9030 			nla_data(info->attrs[NL80211_ATTR_S1G_CAPABILITY]);
9031 
9032 	if (info->attrs[NL80211_ATTR_OPMODE_NOTIF]) {
9033 		params.link_sta_params.opmode_notif_used = true;
9034 		params.link_sta_params.opmode_notif =
9035 			nla_get_u8(info->attrs[NL80211_ATTR_OPMODE_NOTIF]);
9036 	}
9037 
9038 	if (info->attrs[NL80211_ATTR_STA_PLINK_ACTION])
9039 		params.plink_action =
9040 			nla_get_u8(info->attrs[NL80211_ATTR_STA_PLINK_ACTION]);
9041 
9042 	if (info->attrs[NL80211_ATTR_AIRTIME_WEIGHT])
9043 		params.airtime_weight =
9044 			nla_get_u16(info->attrs[NL80211_ATTR_AIRTIME_WEIGHT]);
9045 
9046 	if (params.airtime_weight &&
9047 	    !wiphy_ext_feature_isset(&rdev->wiphy,
9048 				     NL80211_EXT_FEATURE_AIRTIME_FAIRNESS))
9049 		return -EOPNOTSUPP;
9050 
9051 	err = nl80211_parse_sta_txpower_setting(info,
9052 						&params.link_sta_params.txpwr,
9053 						&params.link_sta_params.txpwr_set);
9054 	if (err)
9055 		return err;
9056 
9057 	err = nl80211_parse_sta_channel_info(info, &params);
9058 	if (err)
9059 		return err;
9060 
9061 	err = nl80211_parse_sta_wme(info, &params);
9062 	if (err)
9063 		return err;
9064 
9065 	if (parse_station_flags(info, wdev->iftype, &params))
9066 		return -EINVAL;
9067 
9068 	/* HT/VHT requires QoS, but if we don't have that just ignore HT/VHT
9069 	 * as userspace might just pass through the capabilities from the IEs
9070 	 * directly, rather than enforcing this restriction and returning an
9071 	 * error in this case.
9072 	 */
9073 	if (!(params.sta_flags_set & BIT(NL80211_STA_FLAG_WME))) {
9074 		params.link_sta_params.ht_capa = NULL;
9075 		params.link_sta_params.vht_capa = NULL;
9076 
9077 		/* HE, EHT and UHR require WME */
9078 		if (params.link_sta_params.he_capa_len ||
9079 		    params.link_sta_params.he_6ghz_capa ||
9080 		    params.link_sta_params.eht_capa_len ||
9081 		    params.link_sta_params.uhr_capa_len)
9082 			return -EINVAL;
9083 	}
9084 
9085 	if (wdev->iftype == NL80211_IFTYPE_NAN ||
9086 	    wdev->iftype == NL80211_IFTYPE_NAN_DATA) {
9087 		if (params.sta_modify_mask & STATION_PARAM_APPLY_UAPSD)
9088 			return -EINVAL;
9089 		/* NAN NMI station must be added in associated or authorized state */
9090 		if (!(params.sta_flags_set & (BIT(NL80211_STA_FLAG_ASSOCIATED) |
9091 					      BIT(NL80211_STA_FLAG_AUTHENTICATED))))
9092 			return -EINVAL;
9093 	}
9094 
9095 	/* Ensure that HT/VHT capabilities are not set for 6 GHz HE STA */
9096 	if (params.link_sta_params.he_6ghz_capa &&
9097 	    (params.link_sta_params.ht_capa || params.link_sta_params.vht_capa))
9098 		return -EINVAL;
9099 
9100 	/* When you run into this, adjust the code below for the new flag */
9101 	BUILD_BUG_ON(NL80211_STA_FLAG_MAX != 8);
9102 
9103 	switch (wdev->iftype) {
9104 	case NL80211_IFTYPE_AP:
9105 	case NL80211_IFTYPE_AP_VLAN:
9106 	case NL80211_IFTYPE_P2P_GO:
9107 		/* ignore WME attributes if iface/sta is not capable */
9108 		if (!(rdev->wiphy.flags & WIPHY_FLAG_AP_UAPSD) ||
9109 		    !(params.sta_flags_set & BIT(NL80211_STA_FLAG_WME)))
9110 			params.sta_modify_mask &= ~STATION_PARAM_APPLY_UAPSD;
9111 
9112 		/* TDLS peers cannot be added */
9113 		if ((params.sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)) ||
9114 		    info->attrs[NL80211_ATTR_PEER_AID])
9115 			return -EINVAL;
9116 		/* but don't bother the driver with it */
9117 		params.sta_flags_mask &= ~BIT(NL80211_STA_FLAG_TDLS_PEER);
9118 
9119 		/* allow authenticated/associated only if driver handles it */
9120 		if (!(rdev->wiphy.features &
9121 				NL80211_FEATURE_FULL_AP_CLIENT_STATE) &&
9122 		    params.sta_flags_mask & auth_assoc)
9123 			return -EINVAL;
9124 
9125 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
9126 					     NL80211_EXT_FEATURE_SPP_AMSDU_SUPPORT) &&
9127 		    params.sta_flags_mask & BIT(NL80211_STA_FLAG_SPP_AMSDU))
9128 			return -EINVAL;
9129 
9130 		/* Older userspace, or userspace wanting to be compatible with
9131 		 * !NL80211_FEATURE_FULL_AP_CLIENT_STATE, will not set the auth
9132 		 * and assoc flags in the mask, but assumes the station will be
9133 		 * added as associated anyway since this was the required driver
9134 		 * behaviour before NL80211_FEATURE_FULL_AP_CLIENT_STATE was
9135 		 * introduced.
9136 		 * In order to not bother drivers with this quirk in the API
9137 		 * set the flags in both the mask and set for new stations in
9138 		 * this case.
9139 		 */
9140 		if (!(params.sta_flags_mask & auth_assoc)) {
9141 			params.sta_flags_mask |= auth_assoc;
9142 			params.sta_flags_set |= auth_assoc;
9143 		}
9144 
9145 		/* must be last in here for error handling */
9146 		params.vlan = get_vlan(info, rdev);
9147 		if (IS_ERR(params.vlan))
9148 			return PTR_ERR(params.vlan);
9149 		break;
9150 	case NL80211_IFTYPE_MESH_POINT:
9151 		/* ignore uAPSD data */
9152 		params.sta_modify_mask &= ~STATION_PARAM_APPLY_UAPSD;
9153 
9154 		/* associated is disallowed */
9155 		if (params.sta_flags_mask & BIT(NL80211_STA_FLAG_ASSOCIATED))
9156 			return -EINVAL;
9157 		/* TDLS peers cannot be added */
9158 		if ((params.sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)) ||
9159 		    info->attrs[NL80211_ATTR_PEER_AID])
9160 			return -EINVAL;
9161 		break;
9162 	case NL80211_IFTYPE_STATION:
9163 	case NL80211_IFTYPE_P2P_CLIENT:
9164 		/* ignore uAPSD data */
9165 		params.sta_modify_mask &= ~STATION_PARAM_APPLY_UAPSD;
9166 
9167 		/* these are disallowed */
9168 		if (params.sta_flags_mask &
9169 				(BIT(NL80211_STA_FLAG_ASSOCIATED) |
9170 				 BIT(NL80211_STA_FLAG_AUTHENTICATED)))
9171 			return -EINVAL;
9172 		/* Only TDLS peers can be added */
9173 		if (!(params.sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)))
9174 			return -EINVAL;
9175 		/* Can only add if TDLS ... */
9176 		if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS))
9177 			return -EOPNOTSUPP;
9178 		/* ... with external setup is supported */
9179 		if (!(rdev->wiphy.flags & WIPHY_FLAG_TDLS_EXTERNAL_SETUP))
9180 			return -EOPNOTSUPP;
9181 		/*
9182 		 * Older wpa_supplicant versions always mark the TDLS peer
9183 		 * as authorized, but it shouldn't yet be.
9184 		 */
9185 		params.sta_flags_mask &= ~BIT(NL80211_STA_FLAG_AUTHORIZED);
9186 		break;
9187 	case NL80211_IFTYPE_NAN:
9188 		break;
9189 	case NL80211_IFTYPE_NAN_DATA:
9190 		params.nmi_mac = nla_data(info->attrs[NL80211_ATTR_NAN_NMI_MAC]);
9191 		break;
9192 	default:
9193 		return -EOPNOTSUPP;
9194 	}
9195 
9196 	/* be aware of params.vlan when changing code here */
9197 
9198 	if (wdev->valid_links) {
9199 		if (params.link_sta_params.link_id < 0) {
9200 			err = -EINVAL;
9201 			goto out;
9202 		}
9203 		if (!(wdev->valid_links & BIT(params.link_sta_params.link_id))) {
9204 			err = -ENOLINK;
9205 			goto out;
9206 		}
9207 	} else {
9208 		if (params.link_sta_params.link_id >= 0) {
9209 			err = -EINVAL;
9210 			goto out;
9211 		}
9212 	}
9213 
9214 	params.epp_peer =
9215 		nla_get_flag(info->attrs[NL80211_ATTR_EPP_PEER]);
9216 
9217 	err = rdev_add_station(rdev, wdev, mac_addr, &params);
9218 out:
9219 	dev_put(params.vlan);
9220 	return err;
9221 }
9222 
9223 static int nl80211_del_station(struct sk_buff *skb, struct genl_info *info)
9224 {
9225 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9226 	struct wireless_dev *wdev = info->user_ptr[1];
9227 	struct net_device *dev = wdev->netdev;
9228 	struct station_del_parameters params;
9229 	int link_id = nl80211_link_id_or_invalid(info->attrs);
9230 
9231 	memset(&params, 0, sizeof(params));
9232 
9233 	if (!dev && wdev->iftype != NL80211_IFTYPE_NAN)
9234 		return -EINVAL;
9235 
9236 	if (info->attrs[NL80211_ATTR_MAC])
9237 		params.mac = nla_data(info->attrs[NL80211_ATTR_MAC]);
9238 
9239 	switch (wdev->iftype) {
9240 	case NL80211_IFTYPE_AP:
9241 	case NL80211_IFTYPE_AP_VLAN:
9242 	case NL80211_IFTYPE_MESH_POINT:
9243 	case NL80211_IFTYPE_P2P_GO:
9244 	case NL80211_IFTYPE_NAN:
9245 	case NL80211_IFTYPE_NAN_DATA:
9246 		/* always accept these */
9247 		break;
9248 	case NL80211_IFTYPE_ADHOC:
9249 		/* conditionally accept */
9250 		if (wiphy_ext_feature_isset(&rdev->wiphy,
9251 					    NL80211_EXT_FEATURE_DEL_IBSS_STA))
9252 			break;
9253 		return -EINVAL;
9254 	default:
9255 		return -EINVAL;
9256 	}
9257 
9258 	if (!rdev->ops->del_station)
9259 		return -EOPNOTSUPP;
9260 
9261 	if (info->attrs[NL80211_ATTR_MGMT_SUBTYPE]) {
9262 		params.subtype =
9263 			nla_get_u8(info->attrs[NL80211_ATTR_MGMT_SUBTYPE]);
9264 		if (params.subtype != IEEE80211_STYPE_DISASSOC >> 4 &&
9265 		    params.subtype != IEEE80211_STYPE_DEAUTH >> 4)
9266 			return -EINVAL;
9267 	} else {
9268 		/* Default to Deauthentication frame */
9269 		params.subtype = IEEE80211_STYPE_DEAUTH >> 4;
9270 	}
9271 
9272 	if (info->attrs[NL80211_ATTR_REASON_CODE]) {
9273 		params.reason_code =
9274 			nla_get_u16(info->attrs[NL80211_ATTR_REASON_CODE]);
9275 		if (params.reason_code == 0)
9276 			return -EINVAL; /* 0 is reserved */
9277 	} else {
9278 		/* Default to reason code 2 */
9279 		params.reason_code = WLAN_REASON_PREV_AUTH_NOT_VALID;
9280 	}
9281 
9282 	/* Link ID not expected in case of non-ML operation */
9283 	if (!wdev->valid_links && link_id != -1)
9284 		return -EINVAL;
9285 
9286 	/* If given, a valid link ID should be passed during MLO */
9287 	if (wdev->valid_links && link_id >= 0 &&
9288 	    !(wdev->valid_links & BIT(link_id)))
9289 		return -EINVAL;
9290 
9291 	params.link_id = link_id;
9292 
9293 	return rdev_del_station(rdev, wdev, &params);
9294 }
9295 
9296 static int nl80211_send_mpath(struct sk_buff *msg, u32 portid, u32 seq,
9297 				int flags, struct net_device *dev,
9298 				u8 *dst, u8 *next_hop,
9299 				struct mpath_info *pinfo)
9300 {
9301 	void *hdr;
9302 	struct nlattr *pinfoattr;
9303 
9304 	hdr = nl80211hdr_put(msg, portid, seq, flags, NL80211_CMD_NEW_MPATH);
9305 	if (!hdr)
9306 		return -1;
9307 
9308 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
9309 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, dst) ||
9310 	    nla_put(msg, NL80211_ATTR_MPATH_NEXT_HOP, ETH_ALEN, next_hop) ||
9311 	    nla_put_u32(msg, NL80211_ATTR_GENERATION, pinfo->generation))
9312 		goto nla_put_failure;
9313 
9314 	pinfoattr = nla_nest_start_noflag(msg, NL80211_ATTR_MPATH_INFO);
9315 	if (!pinfoattr)
9316 		goto nla_put_failure;
9317 	if ((pinfo->filled & MPATH_INFO_FRAME_QLEN) &&
9318 	    nla_put_u32(msg, NL80211_MPATH_INFO_FRAME_QLEN,
9319 			pinfo->frame_qlen))
9320 		goto nla_put_failure;
9321 	if (((pinfo->filled & MPATH_INFO_SN) &&
9322 	     nla_put_u32(msg, NL80211_MPATH_INFO_SN, pinfo->sn)) ||
9323 	    ((pinfo->filled & MPATH_INFO_METRIC) &&
9324 	     nla_put_u32(msg, NL80211_MPATH_INFO_METRIC,
9325 			 pinfo->metric)) ||
9326 	    ((pinfo->filled & MPATH_INFO_EXPTIME) &&
9327 	     nla_put_u32(msg, NL80211_MPATH_INFO_EXPTIME,
9328 			 pinfo->exptime)) ||
9329 	    ((pinfo->filled & MPATH_INFO_FLAGS) &&
9330 	     nla_put_u8(msg, NL80211_MPATH_INFO_FLAGS,
9331 			pinfo->flags)) ||
9332 	    ((pinfo->filled & MPATH_INFO_DISCOVERY_TIMEOUT) &&
9333 	     nla_put_u32(msg, NL80211_MPATH_INFO_DISCOVERY_TIMEOUT,
9334 			 pinfo->discovery_timeout)) ||
9335 	    ((pinfo->filled & MPATH_INFO_DISCOVERY_RETRIES) &&
9336 	     nla_put_u8(msg, NL80211_MPATH_INFO_DISCOVERY_RETRIES,
9337 			pinfo->discovery_retries)) ||
9338 	    ((pinfo->filled & MPATH_INFO_HOP_COUNT) &&
9339 	     nla_put_u8(msg, NL80211_MPATH_INFO_HOP_COUNT,
9340 			pinfo->hop_count)) ||
9341 	    ((pinfo->filled & MPATH_INFO_PATH_CHANGE) &&
9342 	     nla_put_u32(msg, NL80211_MPATH_INFO_PATH_CHANGE,
9343 			 pinfo->path_change_count)))
9344 		goto nla_put_failure;
9345 
9346 	nla_nest_end(msg, pinfoattr);
9347 
9348 	genlmsg_end(msg, hdr);
9349 	return 0;
9350 
9351  nla_put_failure:
9352 	genlmsg_cancel(msg, hdr);
9353 	return -EMSGSIZE;
9354 }
9355 
9356 static int nl80211_dump_mpath(struct sk_buff *skb,
9357 			      struct netlink_callback *cb)
9358 {
9359 	struct mpath_info pinfo;
9360 	struct cfg80211_registered_device *rdev;
9361 	struct wireless_dev *wdev;
9362 	u8 dst[ETH_ALEN];
9363 	u8 next_hop[ETH_ALEN];
9364 	int path_idx = cb->args[2];
9365 	int err;
9366 
9367 	err = nl80211_prepare_wdev_dump(cb, &rdev, &wdev, NULL);
9368 	if (err)
9369 		return err;
9370 	/* nl80211_prepare_wdev_dump acquired it in the successful case */
9371 	__acquire(&rdev->wiphy.mtx);
9372 
9373 	if (!rdev->ops->dump_mpath) {
9374 		err = -EOPNOTSUPP;
9375 		goto out_err;
9376 	}
9377 
9378 	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT) {
9379 		err = -EOPNOTSUPP;
9380 		goto out_err;
9381 	}
9382 
9383 	while (1) {
9384 		err = rdev_dump_mpath(rdev, wdev->netdev, path_idx, dst,
9385 				      next_hop, &pinfo);
9386 		if (err == -ENOENT)
9387 			break;
9388 		if (err)
9389 			goto out_err;
9390 
9391 		if (nl80211_send_mpath(skb, NETLINK_CB(cb->skb).portid,
9392 				       cb->nlh->nlmsg_seq, NLM_F_MULTI,
9393 				       wdev->netdev, dst, next_hop,
9394 				       &pinfo) < 0)
9395 			goto out;
9396 
9397 		path_idx++;
9398 	}
9399 
9400  out:
9401 	cb->args[2] = path_idx;
9402 	err = skb->len;
9403  out_err:
9404 	wiphy_unlock(&rdev->wiphy);
9405 	return err;
9406 }
9407 
9408 static int nl80211_get_mpath(struct sk_buff *skb, struct genl_info *info)
9409 {
9410 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9411 	int err;
9412 	struct net_device *dev = info->user_ptr[1];
9413 	struct mpath_info pinfo;
9414 	struct sk_buff *msg;
9415 	u8 *dst = NULL;
9416 	u8 next_hop[ETH_ALEN];
9417 
9418 	memset(&pinfo, 0, sizeof(pinfo));
9419 
9420 	if (!info->attrs[NL80211_ATTR_MAC])
9421 		return -EINVAL;
9422 
9423 	dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
9424 
9425 	if (!rdev->ops->get_mpath)
9426 		return -EOPNOTSUPP;
9427 
9428 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
9429 		return -EOPNOTSUPP;
9430 
9431 	err = rdev_get_mpath(rdev, dev, dst, next_hop, &pinfo);
9432 	if (err)
9433 		return err;
9434 
9435 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
9436 	if (!msg)
9437 		return -ENOMEM;
9438 
9439 	if (nl80211_send_mpath(msg, info->snd_portid, info->snd_seq, 0,
9440 				 dev, dst, next_hop, &pinfo) < 0) {
9441 		nlmsg_free(msg);
9442 		return -ENOBUFS;
9443 	}
9444 
9445 	return genlmsg_reply(msg, info);
9446 }
9447 
9448 static int nl80211_set_mpath(struct sk_buff *skb, struct genl_info *info)
9449 {
9450 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9451 	struct net_device *dev = info->user_ptr[1];
9452 	u8 *dst = NULL;
9453 	u8 *next_hop = NULL;
9454 
9455 	if (!info->attrs[NL80211_ATTR_MAC])
9456 		return -EINVAL;
9457 
9458 	if (!info->attrs[NL80211_ATTR_MPATH_NEXT_HOP])
9459 		return -EINVAL;
9460 
9461 	dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
9462 	next_hop = nla_data(info->attrs[NL80211_ATTR_MPATH_NEXT_HOP]);
9463 
9464 	if (!rdev->ops->change_mpath)
9465 		return -EOPNOTSUPP;
9466 
9467 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
9468 		return -EOPNOTSUPP;
9469 
9470 	return rdev_change_mpath(rdev, dev, dst, next_hop);
9471 }
9472 
9473 static int nl80211_new_mpath(struct sk_buff *skb, struct genl_info *info)
9474 {
9475 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9476 	struct net_device *dev = info->user_ptr[1];
9477 	u8 *dst = NULL;
9478 	u8 *next_hop = NULL;
9479 
9480 	if (!info->attrs[NL80211_ATTR_MAC])
9481 		return -EINVAL;
9482 
9483 	if (!info->attrs[NL80211_ATTR_MPATH_NEXT_HOP])
9484 		return -EINVAL;
9485 
9486 	dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
9487 	next_hop = nla_data(info->attrs[NL80211_ATTR_MPATH_NEXT_HOP]);
9488 
9489 	if (!rdev->ops->add_mpath)
9490 		return -EOPNOTSUPP;
9491 
9492 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
9493 		return -EOPNOTSUPP;
9494 
9495 	return rdev_add_mpath(rdev, dev, dst, next_hop);
9496 }
9497 
9498 static int nl80211_del_mpath(struct sk_buff *skb, struct genl_info *info)
9499 {
9500 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9501 	struct net_device *dev = info->user_ptr[1];
9502 	u8 *dst = NULL;
9503 
9504 	if (info->attrs[NL80211_ATTR_MAC])
9505 		dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
9506 
9507 	if (!rdev->ops->del_mpath)
9508 		return -EOPNOTSUPP;
9509 
9510 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
9511 		return -EOPNOTSUPP;
9512 
9513 	return rdev_del_mpath(rdev, dev, dst);
9514 }
9515 
9516 static int nl80211_get_mpp(struct sk_buff *skb, struct genl_info *info)
9517 {
9518 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9519 	int err;
9520 	struct net_device *dev = info->user_ptr[1];
9521 	struct mpath_info pinfo;
9522 	struct sk_buff *msg;
9523 	u8 *dst = NULL;
9524 	u8 mpp[ETH_ALEN];
9525 
9526 	memset(&pinfo, 0, sizeof(pinfo));
9527 
9528 	if (!info->attrs[NL80211_ATTR_MAC])
9529 		return -EINVAL;
9530 
9531 	dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
9532 
9533 	if (!rdev->ops->get_mpp)
9534 		return -EOPNOTSUPP;
9535 
9536 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
9537 		return -EOPNOTSUPP;
9538 
9539 	err = rdev_get_mpp(rdev, dev, dst, mpp, &pinfo);
9540 	if (err)
9541 		return err;
9542 
9543 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
9544 	if (!msg)
9545 		return -ENOMEM;
9546 
9547 	if (nl80211_send_mpath(msg, info->snd_portid, info->snd_seq, 0,
9548 			       dev, dst, mpp, &pinfo) < 0) {
9549 		nlmsg_free(msg);
9550 		return -ENOBUFS;
9551 	}
9552 
9553 	return genlmsg_reply(msg, info);
9554 }
9555 
9556 static int nl80211_dump_mpp(struct sk_buff *skb,
9557 			    struct netlink_callback *cb)
9558 {
9559 	struct mpath_info pinfo;
9560 	struct cfg80211_registered_device *rdev;
9561 	struct wireless_dev *wdev;
9562 	u8 dst[ETH_ALEN];
9563 	u8 mpp[ETH_ALEN];
9564 	int path_idx = cb->args[2];
9565 	int err;
9566 
9567 	err = nl80211_prepare_wdev_dump(cb, &rdev, &wdev, NULL);
9568 	if (err)
9569 		return err;
9570 	/* nl80211_prepare_wdev_dump acquired it in the successful case */
9571 	__acquire(&rdev->wiphy.mtx);
9572 
9573 	if (!rdev->ops->dump_mpp) {
9574 		err = -EOPNOTSUPP;
9575 		goto out_err;
9576 	}
9577 
9578 	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT) {
9579 		err = -EOPNOTSUPP;
9580 		goto out_err;
9581 	}
9582 
9583 	while (1) {
9584 		err = rdev_dump_mpp(rdev, wdev->netdev, path_idx, dst,
9585 				    mpp, &pinfo);
9586 		if (err == -ENOENT)
9587 			break;
9588 		if (err)
9589 			goto out_err;
9590 
9591 		if (nl80211_send_mpath(skb, NETLINK_CB(cb->skb).portid,
9592 				       cb->nlh->nlmsg_seq, NLM_F_MULTI,
9593 				       wdev->netdev, dst, mpp,
9594 				       &pinfo) < 0)
9595 			goto out;
9596 
9597 		path_idx++;
9598 	}
9599 
9600  out:
9601 	cb->args[2] = path_idx;
9602 	err = skb->len;
9603  out_err:
9604 	wiphy_unlock(&rdev->wiphy);
9605 	return err;
9606 }
9607 
9608 static int nl80211_set_bss(struct sk_buff *skb, struct genl_info *info)
9609 {
9610 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9611 	struct net_device *dev = info->user_ptr[1];
9612 	struct bss_parameters params;
9613 	u32 bss_param_support = rdev->wiphy.bss_param_support;
9614 	u32 changed = 0;
9615 	bool strict;
9616 
9617 	memset(&params, 0, sizeof(params));
9618 	params.link_id = nl80211_link_id_or_invalid(info->attrs);
9619 	/* default to not changing parameters */
9620 	params.use_cts_prot = -1;
9621 	params.use_short_preamble = -1;
9622 	params.use_short_slot_time = -1;
9623 	params.ap_isolate = -1;
9624 	params.ht_opmode = -1;
9625 	params.p2p_ctwindow = -1;
9626 	params.p2p_opp_ps = -1;
9627 
9628 	strict = nla_get_flag(info->attrs[NL80211_ATTR_BSS_PARAM]);
9629 	if (info->attrs[NL80211_ATTR_BSS_CTS_PROT]) {
9630 		if (strict && !(bss_param_support & WIPHY_BSS_PARAM_CTS_PROT))
9631 			return -EINVAL;
9632 		params.use_cts_prot =
9633 		    nla_get_u8(info->attrs[NL80211_ATTR_BSS_CTS_PROT]);
9634 		changed |= WIPHY_BSS_PARAM_CTS_PROT;
9635 	}
9636 	if (info->attrs[NL80211_ATTR_BSS_SHORT_PREAMBLE]) {
9637 		if (strict &&
9638 		    !(bss_param_support & WIPHY_BSS_PARAM_SHORT_PREAMBLE))
9639 			return -EINVAL;
9640 		params.use_short_preamble =
9641 		    nla_get_u8(info->attrs[NL80211_ATTR_BSS_SHORT_PREAMBLE]);
9642 		changed |= WIPHY_BSS_PARAM_SHORT_PREAMBLE;
9643 	}
9644 	if (info->attrs[NL80211_ATTR_BSS_SHORT_SLOT_TIME]) {
9645 		if (strict &&
9646 		    !(bss_param_support & WIPHY_BSS_PARAM_SHORT_SLOT_TIME))
9647 			return -EINVAL;
9648 		params.use_short_slot_time =
9649 		    nla_get_u8(info->attrs[NL80211_ATTR_BSS_SHORT_SLOT_TIME]);
9650 		changed |= WIPHY_BSS_PARAM_SHORT_SLOT_TIME;
9651 	}
9652 	if (info->attrs[NL80211_ATTR_BSS_BASIC_RATES]) {
9653 		if (strict &&
9654 		    !(bss_param_support & WIPHY_BSS_PARAM_BASIC_RATES))
9655 			return -EINVAL;
9656 		params.basic_rates =
9657 			nla_data(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
9658 		params.basic_rates_len =
9659 			nla_len(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
9660 		changed |= WIPHY_BSS_PARAM_BASIC_RATES;
9661 	}
9662 	if (info->attrs[NL80211_ATTR_AP_ISOLATE]) {
9663 		if (strict && !(bss_param_support & WIPHY_BSS_PARAM_AP_ISOLATE))
9664 			return -EINVAL;
9665 		params.ap_isolate =
9666 			!!nla_get_u8(info->attrs[NL80211_ATTR_AP_ISOLATE]);
9667 		changed |= WIPHY_BSS_PARAM_AP_ISOLATE;
9668 	}
9669 	if (info->attrs[NL80211_ATTR_BSS_HT_OPMODE]) {
9670 		if (strict && !(bss_param_support & WIPHY_BSS_PARAM_HT_OPMODE))
9671 			return -EINVAL;
9672 		params.ht_opmode =
9673 			nla_get_u16(info->attrs[NL80211_ATTR_BSS_HT_OPMODE]);
9674 		changed |= WIPHY_BSS_PARAM_HT_OPMODE;
9675 	}
9676 
9677 	if (info->attrs[NL80211_ATTR_P2P_CTWINDOW]) {
9678 		if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
9679 			return -EINVAL;
9680 		params.p2p_ctwindow =
9681 			nla_get_u8(info->attrs[NL80211_ATTR_P2P_CTWINDOW]);
9682 		if (params.p2p_ctwindow != 0 &&
9683 		    !(bss_param_support & WIPHY_BSS_PARAM_P2P_CTWINDOW))
9684 			return -EINVAL;
9685 		changed |= WIPHY_BSS_PARAM_P2P_CTWINDOW;
9686 	}
9687 
9688 	if (info->attrs[NL80211_ATTR_P2P_OPPPS]) {
9689 		u8 tmp;
9690 
9691 		if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
9692 			return -EINVAL;
9693 		tmp = nla_get_u8(info->attrs[NL80211_ATTR_P2P_OPPPS]);
9694 		if (tmp && !(bss_param_support & WIPHY_BSS_PARAM_P2P_OPPPS))
9695 			return -EINVAL;
9696 		params.p2p_opp_ps = tmp;
9697 		if (params.p2p_opp_ps &&
9698 		    !(rdev->wiphy.bss_param_support & WIPHY_BSS_PARAM_P2P_OPPPS))
9699 			return -EINVAL;
9700 	}
9701 
9702 	if (!rdev->ops->change_bss)
9703 		return -EOPNOTSUPP;
9704 
9705 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
9706 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
9707 		return -EOPNOTSUPP;
9708 
9709 	changed &= rdev->wiphy.bss_param_support;
9710 	if (!changed)
9711 		return 0;
9712 
9713 	return rdev_change_bss(rdev, dev, &params);
9714 }
9715 
9716 static int nl80211_req_set_reg(struct sk_buff *skb, struct genl_info *info)
9717 {
9718 	char *data = NULL;
9719 	bool is_indoor;
9720 	enum nl80211_user_reg_hint_type user_reg_hint_type;
9721 	u32 owner_nlportid;
9722 
9723 	/*
9724 	 * You should only get this when cfg80211 hasn't yet initialized
9725 	 * completely when built-in to the kernel right between the time
9726 	 * window between nl80211_init() and regulatory_init(), if that is
9727 	 * even possible.
9728 	 */
9729 	if (unlikely(!rcu_access_pointer(cfg80211_regdomain)))
9730 		return -EINPROGRESS;
9731 
9732 	user_reg_hint_type =
9733 		nla_get_u32_default(info->attrs[NL80211_ATTR_USER_REG_HINT_TYPE],
9734 				    NL80211_USER_REG_HINT_USER);
9735 
9736 	switch (user_reg_hint_type) {
9737 	case NL80211_USER_REG_HINT_USER:
9738 	case NL80211_USER_REG_HINT_CELL_BASE:
9739 		if (!info->attrs[NL80211_ATTR_REG_ALPHA2])
9740 			return -EINVAL;
9741 
9742 		data = nla_data(info->attrs[NL80211_ATTR_REG_ALPHA2]);
9743 		return regulatory_hint_user(data, user_reg_hint_type);
9744 	case NL80211_USER_REG_HINT_INDOOR:
9745 		if (info->attrs[NL80211_ATTR_SOCKET_OWNER]) {
9746 			owner_nlportid = info->snd_portid;
9747 			is_indoor = !!info->attrs[NL80211_ATTR_REG_INDOOR];
9748 		} else {
9749 			owner_nlportid = 0;
9750 			is_indoor = true;
9751 		}
9752 
9753 		regulatory_hint_indoor(is_indoor, owner_nlportid);
9754 		return 0;
9755 	default:
9756 		return -EINVAL;
9757 	}
9758 }
9759 
9760 static int nl80211_reload_regdb(struct sk_buff *skb, struct genl_info *info)
9761 {
9762 	return reg_reload_regdb();
9763 }
9764 
9765 static int nl80211_get_mesh_config(struct sk_buff *skb,
9766 				   struct genl_info *info)
9767 {
9768 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9769 	struct net_device *dev = info->user_ptr[1];
9770 	struct wireless_dev *wdev = dev->ieee80211_ptr;
9771 	struct mesh_config cur_params;
9772 	int err = 0;
9773 	void *hdr;
9774 	struct nlattr *pinfoattr;
9775 	struct sk_buff *msg;
9776 
9777 	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT)
9778 		return -EOPNOTSUPP;
9779 
9780 	if (!rdev->ops->get_mesh_config)
9781 		return -EOPNOTSUPP;
9782 
9783 	/* If not connected, get default parameters */
9784 	if (!wdev->u.mesh.id_len)
9785 		memcpy(&cur_params, &default_mesh_config, sizeof(cur_params));
9786 	else
9787 		err = rdev_get_mesh_config(rdev, dev, &cur_params);
9788 
9789 	if (err)
9790 		return err;
9791 
9792 	/* Draw up a netlink message to send back */
9793 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
9794 	if (!msg)
9795 		return -ENOMEM;
9796 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
9797 			     NL80211_CMD_GET_MESH_CONFIG);
9798 	if (!hdr)
9799 		goto out;
9800 	pinfoattr = nla_nest_start_noflag(msg, NL80211_ATTR_MESH_CONFIG);
9801 	if (!pinfoattr)
9802 		goto nla_put_failure;
9803 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
9804 	    nla_put_u16(msg, NL80211_MESHCONF_RETRY_TIMEOUT,
9805 			cur_params.dot11MeshRetryTimeout) ||
9806 	    nla_put_u16(msg, NL80211_MESHCONF_CONFIRM_TIMEOUT,
9807 			cur_params.dot11MeshConfirmTimeout) ||
9808 	    nla_put_u16(msg, NL80211_MESHCONF_HOLDING_TIMEOUT,
9809 			cur_params.dot11MeshHoldingTimeout) ||
9810 	    nla_put_u16(msg, NL80211_MESHCONF_MAX_PEER_LINKS,
9811 			cur_params.dot11MeshMaxPeerLinks) ||
9812 	    nla_put_u8(msg, NL80211_MESHCONF_MAX_RETRIES,
9813 		       cur_params.dot11MeshMaxRetries) ||
9814 	    nla_put_u8(msg, NL80211_MESHCONF_TTL,
9815 		       cur_params.dot11MeshTTL) ||
9816 	    nla_put_u8(msg, NL80211_MESHCONF_ELEMENT_TTL,
9817 		       cur_params.element_ttl) ||
9818 	    nla_put_u8(msg, NL80211_MESHCONF_AUTO_OPEN_PLINKS,
9819 		       cur_params.auto_open_plinks) ||
9820 	    nla_put_u32(msg, NL80211_MESHCONF_SYNC_OFFSET_MAX_NEIGHBOR,
9821 			cur_params.dot11MeshNbrOffsetMaxNeighbor) ||
9822 	    nla_put_u8(msg, NL80211_MESHCONF_HWMP_MAX_PREQ_RETRIES,
9823 		       cur_params.dot11MeshHWMPmaxPREQretries) ||
9824 	    nla_put_u32(msg, NL80211_MESHCONF_PATH_REFRESH_TIME,
9825 			cur_params.path_refresh_time) ||
9826 	    nla_put_u16(msg, NL80211_MESHCONF_MIN_DISCOVERY_TIMEOUT,
9827 			cur_params.min_discovery_timeout) ||
9828 	    nla_put_u32(msg, NL80211_MESHCONF_HWMP_ACTIVE_PATH_TIMEOUT,
9829 			cur_params.dot11MeshHWMPactivePathTimeout) ||
9830 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_PREQ_MIN_INTERVAL,
9831 			cur_params.dot11MeshHWMPpreqMinInterval) ||
9832 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_PERR_MIN_INTERVAL,
9833 			cur_params.dot11MeshHWMPperrMinInterval) ||
9834 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_NET_DIAM_TRVS_TIME,
9835 			cur_params.dot11MeshHWMPnetDiameterTraversalTime) ||
9836 	    nla_put_u8(msg, NL80211_MESHCONF_HWMP_ROOTMODE,
9837 		       cur_params.dot11MeshHWMPRootMode) ||
9838 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_RANN_INTERVAL,
9839 			cur_params.dot11MeshHWMPRannInterval) ||
9840 	    nla_put_u8(msg, NL80211_MESHCONF_GATE_ANNOUNCEMENTS,
9841 		       cur_params.dot11MeshGateAnnouncementProtocol) ||
9842 	    nla_put_u8(msg, NL80211_MESHCONF_FORWARDING,
9843 		       cur_params.dot11MeshForwarding) ||
9844 	    nla_put_s32(msg, NL80211_MESHCONF_RSSI_THRESHOLD,
9845 			cur_params.rssi_threshold) ||
9846 	    nla_put_u32(msg, NL80211_MESHCONF_HT_OPMODE,
9847 			cur_params.ht_opmode) ||
9848 	    nla_put_u32(msg, NL80211_MESHCONF_HWMP_PATH_TO_ROOT_TIMEOUT,
9849 			cur_params.dot11MeshHWMPactivePathToRootTimeout) ||
9850 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_ROOT_INTERVAL,
9851 			cur_params.dot11MeshHWMProotInterval) ||
9852 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_CONFIRMATION_INTERVAL,
9853 			cur_params.dot11MeshHWMPconfirmationInterval) ||
9854 	    nla_put_u32(msg, NL80211_MESHCONF_POWER_MODE,
9855 			cur_params.power_mode) ||
9856 	    nla_put_u16(msg, NL80211_MESHCONF_AWAKE_WINDOW,
9857 			cur_params.dot11MeshAwakeWindowDuration) ||
9858 	    nla_put_u32(msg, NL80211_MESHCONF_PLINK_TIMEOUT,
9859 			cur_params.plink_timeout) ||
9860 	    nla_put_u8(msg, NL80211_MESHCONF_CONNECTED_TO_GATE,
9861 		       cur_params.dot11MeshConnectedToMeshGate) ||
9862 	    nla_put_u8(msg, NL80211_MESHCONF_NOLEARN,
9863 		       cur_params.dot11MeshNolearn) ||
9864 	    nla_put_u8(msg, NL80211_MESHCONF_CONNECTED_TO_AS,
9865 		       cur_params.dot11MeshConnectedToAuthServer))
9866 		goto nla_put_failure;
9867 	nla_nest_end(msg, pinfoattr);
9868 	genlmsg_end(msg, hdr);
9869 	return genlmsg_reply(msg, info);
9870 
9871  nla_put_failure:
9872  out:
9873 	nlmsg_free(msg);
9874 	return -ENOBUFS;
9875 }
9876 
9877 static const struct nla_policy
9878 nl80211_meshconf_params_policy[NL80211_MESHCONF_ATTR_MAX+1] = {
9879 	[NL80211_MESHCONF_RETRY_TIMEOUT] =
9880 		NLA_POLICY_RANGE(NLA_U16, 1, 255),
9881 	[NL80211_MESHCONF_CONFIRM_TIMEOUT] =
9882 		NLA_POLICY_RANGE(NLA_U16, 1, 255),
9883 	[NL80211_MESHCONF_HOLDING_TIMEOUT] =
9884 		NLA_POLICY_RANGE(NLA_U16, 1, 255),
9885 	[NL80211_MESHCONF_MAX_PEER_LINKS] =
9886 		NLA_POLICY_RANGE(NLA_U16, 0, 255),
9887 	[NL80211_MESHCONF_MAX_RETRIES] = NLA_POLICY_MAX(NLA_U8, 16),
9888 	[NL80211_MESHCONF_TTL] = NLA_POLICY_MIN(NLA_U8, 1),
9889 	[NL80211_MESHCONF_ELEMENT_TTL] = NLA_POLICY_MIN(NLA_U8, 1),
9890 	[NL80211_MESHCONF_AUTO_OPEN_PLINKS] = NLA_POLICY_MAX(NLA_U8, 1),
9891 	[NL80211_MESHCONF_SYNC_OFFSET_MAX_NEIGHBOR] =
9892 		NLA_POLICY_RANGE(NLA_U32, 1, 255),
9893 	[NL80211_MESHCONF_HWMP_MAX_PREQ_RETRIES] = { .type = NLA_U8 },
9894 	[NL80211_MESHCONF_PATH_REFRESH_TIME] = { .type = NLA_U32 },
9895 	[NL80211_MESHCONF_MIN_DISCOVERY_TIMEOUT] = NLA_POLICY_MIN(NLA_U16, 1),
9896 	[NL80211_MESHCONF_HWMP_ACTIVE_PATH_TIMEOUT] = { .type = NLA_U32 },
9897 	[NL80211_MESHCONF_HWMP_PREQ_MIN_INTERVAL] =
9898 		NLA_POLICY_MIN(NLA_U16, 1),
9899 	[NL80211_MESHCONF_HWMP_PERR_MIN_INTERVAL] =
9900 		NLA_POLICY_MIN(NLA_U16, 1),
9901 	[NL80211_MESHCONF_HWMP_NET_DIAM_TRVS_TIME] =
9902 		NLA_POLICY_MIN(NLA_U16, 1),
9903 	[NL80211_MESHCONF_HWMP_ROOTMODE] = NLA_POLICY_MAX(NLA_U8, 4),
9904 	[NL80211_MESHCONF_HWMP_RANN_INTERVAL] =
9905 		NLA_POLICY_MIN(NLA_U16, 1),
9906 	[NL80211_MESHCONF_GATE_ANNOUNCEMENTS] = NLA_POLICY_MAX(NLA_U8, 1),
9907 	[NL80211_MESHCONF_FORWARDING] = NLA_POLICY_MAX(NLA_U8, 1),
9908 	[NL80211_MESHCONF_RSSI_THRESHOLD] =
9909 		NLA_POLICY_RANGE(NLA_S32, -255, 0),
9910 	[NL80211_MESHCONF_HT_OPMODE] = { .type = NLA_U16 },
9911 	[NL80211_MESHCONF_HWMP_PATH_TO_ROOT_TIMEOUT] = { .type = NLA_U32 },
9912 	[NL80211_MESHCONF_HWMP_ROOT_INTERVAL] =
9913 		NLA_POLICY_MIN(NLA_U16, 1),
9914 	[NL80211_MESHCONF_HWMP_CONFIRMATION_INTERVAL] =
9915 		NLA_POLICY_MIN(NLA_U16, 1),
9916 	[NL80211_MESHCONF_POWER_MODE] =
9917 		NLA_POLICY_RANGE(NLA_U32,
9918 				 NL80211_MESH_POWER_ACTIVE,
9919 				 NL80211_MESH_POWER_MAX),
9920 	[NL80211_MESHCONF_AWAKE_WINDOW] = { .type = NLA_U16 },
9921 	[NL80211_MESHCONF_PLINK_TIMEOUT] = { .type = NLA_U32 },
9922 	[NL80211_MESHCONF_CONNECTED_TO_GATE] = NLA_POLICY_RANGE(NLA_U8, 0, 1),
9923 	[NL80211_MESHCONF_NOLEARN] = NLA_POLICY_RANGE(NLA_U8, 0, 1),
9924 	[NL80211_MESHCONF_CONNECTED_TO_AS] = NLA_POLICY_RANGE(NLA_U8, 0, 1),
9925 };
9926 
9927 static const struct nla_policy
9928 	nl80211_mesh_setup_params_policy[NL80211_MESH_SETUP_ATTR_MAX+1] = {
9929 	[NL80211_MESH_SETUP_ENABLE_VENDOR_SYNC] = { .type = NLA_U8 },
9930 	[NL80211_MESH_SETUP_ENABLE_VENDOR_PATH_SEL] = { .type = NLA_U8 },
9931 	[NL80211_MESH_SETUP_ENABLE_VENDOR_METRIC] = { .type = NLA_U8 },
9932 	[NL80211_MESH_SETUP_USERSPACE_AUTH] = { .type = NLA_FLAG },
9933 	[NL80211_MESH_SETUP_AUTH_PROTOCOL] = { .type = NLA_U8 },
9934 	[NL80211_MESH_SETUP_USERSPACE_MPM] = { .type = NLA_FLAG },
9935 	[NL80211_MESH_SETUP_IE] =
9936 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_ie_attr,
9937 				       IEEE80211_MAX_DATA_LEN),
9938 	[NL80211_MESH_SETUP_USERSPACE_AMPE] = { .type = NLA_FLAG },
9939 };
9940 
9941 static int nl80211_parse_mesh_config(struct genl_info *info,
9942 				     struct mesh_config *cfg,
9943 				     u32 *mask_out)
9944 {
9945 	struct nlattr *tb[NL80211_MESHCONF_ATTR_MAX + 1];
9946 	u32 mask = 0;
9947 	u16 ht_opmode;
9948 
9949 #define FILL_IN_MESH_PARAM_IF_SET(tb, cfg, param, mask, attr, fn)	\
9950 do {									\
9951 	if (tb[attr]) {							\
9952 		cfg->param = fn(tb[attr]);				\
9953 		mask |= BIT((attr) - 1);				\
9954 	}								\
9955 } while (0)
9956 
9957 	if (!info->attrs[NL80211_ATTR_MESH_CONFIG])
9958 		return -EINVAL;
9959 	if (nla_parse_nested_deprecated(tb, NL80211_MESHCONF_ATTR_MAX, info->attrs[NL80211_ATTR_MESH_CONFIG], nl80211_meshconf_params_policy, info->extack))
9960 		return -EINVAL;
9961 
9962 	/* This makes sure that there aren't more than 32 mesh config
9963 	 * parameters (otherwise our bitfield scheme would not work.) */
9964 	BUILD_BUG_ON(NL80211_MESHCONF_ATTR_MAX > 32);
9965 
9966 	/* Fill in the params struct */
9967 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshRetryTimeout, mask,
9968 				  NL80211_MESHCONF_RETRY_TIMEOUT, nla_get_u16);
9969 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshConfirmTimeout, mask,
9970 				  NL80211_MESHCONF_CONFIRM_TIMEOUT,
9971 				  nla_get_u16);
9972 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHoldingTimeout, mask,
9973 				  NL80211_MESHCONF_HOLDING_TIMEOUT,
9974 				  nla_get_u16);
9975 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshMaxPeerLinks, mask,
9976 				  NL80211_MESHCONF_MAX_PEER_LINKS,
9977 				  nla_get_u16);
9978 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshMaxRetries, mask,
9979 				  NL80211_MESHCONF_MAX_RETRIES, nla_get_u8);
9980 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshTTL, mask,
9981 				  NL80211_MESHCONF_TTL, nla_get_u8);
9982 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, element_ttl, mask,
9983 				  NL80211_MESHCONF_ELEMENT_TTL, nla_get_u8);
9984 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, auto_open_plinks, mask,
9985 				  NL80211_MESHCONF_AUTO_OPEN_PLINKS,
9986 				  nla_get_u8);
9987 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshNbrOffsetMaxNeighbor,
9988 				  mask,
9989 				  NL80211_MESHCONF_SYNC_OFFSET_MAX_NEIGHBOR,
9990 				  nla_get_u32);
9991 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPmaxPREQretries, mask,
9992 				  NL80211_MESHCONF_HWMP_MAX_PREQ_RETRIES,
9993 				  nla_get_u8);
9994 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, path_refresh_time, mask,
9995 				  NL80211_MESHCONF_PATH_REFRESH_TIME,
9996 				  nla_get_u32);
9997 	if (mask & BIT(NL80211_MESHCONF_PATH_REFRESH_TIME) &&
9998 	    (cfg->path_refresh_time < 1 || cfg->path_refresh_time > 65535))
9999 		return -EINVAL;
10000 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, min_discovery_timeout, mask,
10001 				  NL80211_MESHCONF_MIN_DISCOVERY_TIMEOUT,
10002 				  nla_get_u16);
10003 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPactivePathTimeout,
10004 				  mask,
10005 				  NL80211_MESHCONF_HWMP_ACTIVE_PATH_TIMEOUT,
10006 				  nla_get_u32);
10007 	if (mask & BIT(NL80211_MESHCONF_HWMP_ACTIVE_PATH_TIMEOUT) &&
10008 	    (cfg->dot11MeshHWMPactivePathTimeout < 1 ||
10009 	     cfg->dot11MeshHWMPactivePathTimeout > 65535))
10010 		return -EINVAL;
10011 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPpreqMinInterval, mask,
10012 				  NL80211_MESHCONF_HWMP_PREQ_MIN_INTERVAL,
10013 				  nla_get_u16);
10014 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPperrMinInterval, mask,
10015 				  NL80211_MESHCONF_HWMP_PERR_MIN_INTERVAL,
10016 				  nla_get_u16);
10017 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg,
10018 				  dot11MeshHWMPnetDiameterTraversalTime, mask,
10019 				  NL80211_MESHCONF_HWMP_NET_DIAM_TRVS_TIME,
10020 				  nla_get_u16);
10021 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPRootMode, mask,
10022 				  NL80211_MESHCONF_HWMP_ROOTMODE, nla_get_u8);
10023 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPRannInterval, mask,
10024 				  NL80211_MESHCONF_HWMP_RANN_INTERVAL,
10025 				  nla_get_u16);
10026 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshGateAnnouncementProtocol,
10027 				  mask, NL80211_MESHCONF_GATE_ANNOUNCEMENTS,
10028 				  nla_get_u8);
10029 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshForwarding, mask,
10030 				  NL80211_MESHCONF_FORWARDING, nla_get_u8);
10031 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, rssi_threshold, mask,
10032 				  NL80211_MESHCONF_RSSI_THRESHOLD,
10033 				  nla_get_s32);
10034 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshConnectedToMeshGate, mask,
10035 				  NL80211_MESHCONF_CONNECTED_TO_GATE,
10036 				  nla_get_u8);
10037 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshConnectedToAuthServer, mask,
10038 				  NL80211_MESHCONF_CONNECTED_TO_AS,
10039 				  nla_get_u8);
10040 	/*
10041 	 * Check HT operation mode based on
10042 	 * IEEE 802.11-2016 9.4.2.57 HT Operation element.
10043 	 */
10044 	if (tb[NL80211_MESHCONF_HT_OPMODE]) {
10045 		ht_opmode = nla_get_u16(tb[NL80211_MESHCONF_HT_OPMODE]);
10046 
10047 		if (ht_opmode & ~(IEEE80211_HT_OP_MODE_PROTECTION |
10048 				  IEEE80211_HT_OP_MODE_NON_GF_STA_PRSNT |
10049 				  IEEE80211_HT_OP_MODE_NON_HT_STA_PRSNT))
10050 			return -EINVAL;
10051 
10052 		/* NON_HT_STA bit is reserved, but some programs set it */
10053 		ht_opmode &= ~IEEE80211_HT_OP_MODE_NON_HT_STA_PRSNT;
10054 
10055 		cfg->ht_opmode = ht_opmode;
10056 		mask |= (1 << (NL80211_MESHCONF_HT_OPMODE - 1));
10057 	}
10058 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg,
10059 				  dot11MeshHWMPactivePathToRootTimeout, mask,
10060 				  NL80211_MESHCONF_HWMP_PATH_TO_ROOT_TIMEOUT,
10061 				  nla_get_u32);
10062 	if (mask & BIT(NL80211_MESHCONF_HWMP_PATH_TO_ROOT_TIMEOUT) &&
10063 	    (cfg->dot11MeshHWMPactivePathToRootTimeout < 1 ||
10064 	     cfg->dot11MeshHWMPactivePathToRootTimeout > 65535))
10065 		return -EINVAL;
10066 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMProotInterval, mask,
10067 				  NL80211_MESHCONF_HWMP_ROOT_INTERVAL,
10068 				  nla_get_u16);
10069 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPconfirmationInterval,
10070 				  mask,
10071 				  NL80211_MESHCONF_HWMP_CONFIRMATION_INTERVAL,
10072 				  nla_get_u16);
10073 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, power_mode, mask,
10074 				  NL80211_MESHCONF_POWER_MODE, nla_get_u32);
10075 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshAwakeWindowDuration, mask,
10076 				  NL80211_MESHCONF_AWAKE_WINDOW, nla_get_u16);
10077 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, plink_timeout, mask,
10078 				  NL80211_MESHCONF_PLINK_TIMEOUT, nla_get_u32);
10079 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshNolearn, mask,
10080 				  NL80211_MESHCONF_NOLEARN, nla_get_u8);
10081 	if (mask_out)
10082 		*mask_out = mask;
10083 
10084 	return 0;
10085 
10086 #undef FILL_IN_MESH_PARAM_IF_SET
10087 }
10088 
10089 static int nl80211_parse_mesh_setup(struct genl_info *info,
10090 				     struct mesh_setup *setup)
10091 {
10092 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10093 	struct nlattr *tb[NL80211_MESH_SETUP_ATTR_MAX + 1];
10094 
10095 	if (!info->attrs[NL80211_ATTR_MESH_SETUP])
10096 		return -EINVAL;
10097 	if (nla_parse_nested_deprecated(tb, NL80211_MESH_SETUP_ATTR_MAX, info->attrs[NL80211_ATTR_MESH_SETUP], nl80211_mesh_setup_params_policy, info->extack))
10098 		return -EINVAL;
10099 
10100 	if (tb[NL80211_MESH_SETUP_ENABLE_VENDOR_SYNC])
10101 		setup->sync_method =
10102 		(nla_get_u8(tb[NL80211_MESH_SETUP_ENABLE_VENDOR_SYNC])) ?
10103 		 IEEE80211_SYNC_METHOD_VENDOR :
10104 		 IEEE80211_SYNC_METHOD_NEIGHBOR_OFFSET;
10105 
10106 	if (tb[NL80211_MESH_SETUP_ENABLE_VENDOR_PATH_SEL])
10107 		setup->path_sel_proto =
10108 		(nla_get_u8(tb[NL80211_MESH_SETUP_ENABLE_VENDOR_PATH_SEL])) ?
10109 		 IEEE80211_PATH_PROTOCOL_VENDOR :
10110 		 IEEE80211_PATH_PROTOCOL_HWMP;
10111 
10112 	if (tb[NL80211_MESH_SETUP_ENABLE_VENDOR_METRIC])
10113 		setup->path_metric =
10114 		(nla_get_u8(tb[NL80211_MESH_SETUP_ENABLE_VENDOR_METRIC])) ?
10115 		 IEEE80211_PATH_METRIC_VENDOR :
10116 		 IEEE80211_PATH_METRIC_AIRTIME;
10117 
10118 	if (tb[NL80211_MESH_SETUP_IE]) {
10119 		struct nlattr *ieattr =
10120 			tb[NL80211_MESH_SETUP_IE];
10121 		setup->ie = nla_data(ieattr);
10122 		setup->ie_len = nla_len(ieattr);
10123 	}
10124 	if (tb[NL80211_MESH_SETUP_USERSPACE_MPM] &&
10125 	    !(rdev->wiphy.features & NL80211_FEATURE_USERSPACE_MPM))
10126 		return -EINVAL;
10127 	setup->user_mpm = nla_get_flag(tb[NL80211_MESH_SETUP_USERSPACE_MPM]);
10128 	setup->is_authenticated = nla_get_flag(tb[NL80211_MESH_SETUP_USERSPACE_AUTH]);
10129 	setup->is_secure = nla_get_flag(tb[NL80211_MESH_SETUP_USERSPACE_AMPE]);
10130 	if (setup->is_secure)
10131 		setup->user_mpm = true;
10132 
10133 	if (tb[NL80211_MESH_SETUP_AUTH_PROTOCOL]) {
10134 		if (!setup->user_mpm)
10135 			return -EINVAL;
10136 		setup->auth_id =
10137 			nla_get_u8(tb[NL80211_MESH_SETUP_AUTH_PROTOCOL]);
10138 	}
10139 
10140 	return 0;
10141 }
10142 
10143 static int nl80211_update_mesh_config(struct sk_buff *skb,
10144 				      struct genl_info *info)
10145 {
10146 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10147 	struct net_device *dev = info->user_ptr[1];
10148 	struct wireless_dev *wdev = dev->ieee80211_ptr;
10149 	struct mesh_config cfg = {};
10150 	u32 mask;
10151 	int err;
10152 
10153 	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT)
10154 		return -EOPNOTSUPP;
10155 
10156 	if (!rdev->ops->update_mesh_config)
10157 		return -EOPNOTSUPP;
10158 
10159 	err = nl80211_parse_mesh_config(info, &cfg, &mask);
10160 	if (err)
10161 		return err;
10162 
10163 	if (!wdev->u.mesh.id_len)
10164 		err = -ENOLINK;
10165 
10166 	if (!err)
10167 		err = rdev_update_mesh_config(rdev, dev, mask, &cfg);
10168 
10169 	return err;
10170 }
10171 
10172 static int nl80211_put_regdom(const struct ieee80211_regdomain *regdom,
10173 			      struct sk_buff *msg)
10174 {
10175 	struct nlattr *nl_reg_rules;
10176 	unsigned int i;
10177 
10178 	if (nla_put_string(msg, NL80211_ATTR_REG_ALPHA2, regdom->alpha2) ||
10179 	    (regdom->dfs_region &&
10180 	     nla_put_u8(msg, NL80211_ATTR_DFS_REGION, regdom->dfs_region)))
10181 		goto nla_put_failure;
10182 
10183 	nl_reg_rules = nla_nest_start_noflag(msg, NL80211_ATTR_REG_RULES);
10184 	if (!nl_reg_rules)
10185 		goto nla_put_failure;
10186 
10187 	for (i = 0; i < regdom->n_reg_rules; i++) {
10188 		struct nlattr *nl_reg_rule;
10189 		const struct ieee80211_reg_rule *reg_rule;
10190 		const struct ieee80211_freq_range *freq_range;
10191 		const struct ieee80211_power_rule *power_rule;
10192 		unsigned int max_bandwidth_khz;
10193 
10194 		reg_rule = &regdom->reg_rules[i];
10195 		freq_range = &reg_rule->freq_range;
10196 		power_rule = &reg_rule->power_rule;
10197 
10198 		nl_reg_rule = nla_nest_start_noflag(msg, i);
10199 		if (!nl_reg_rule)
10200 			goto nla_put_failure;
10201 
10202 		max_bandwidth_khz = freq_range->max_bandwidth_khz;
10203 		if (!max_bandwidth_khz)
10204 			max_bandwidth_khz = reg_get_max_bandwidth(regdom,
10205 								  reg_rule);
10206 
10207 		if (nla_put_u32(msg, NL80211_ATTR_REG_RULE_FLAGS,
10208 				reg_rule->flags) ||
10209 		    nla_put_u32(msg, NL80211_ATTR_FREQ_RANGE_START,
10210 				freq_range->start_freq_khz) ||
10211 		    nla_put_u32(msg, NL80211_ATTR_FREQ_RANGE_END,
10212 				freq_range->end_freq_khz) ||
10213 		    nla_put_u32(msg, NL80211_ATTR_FREQ_RANGE_MAX_BW,
10214 				max_bandwidth_khz) ||
10215 		    nla_put_u32(msg, NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN,
10216 				power_rule->max_antenna_gain) ||
10217 		    nla_put_u32(msg, NL80211_ATTR_POWER_RULE_MAX_EIRP,
10218 				power_rule->max_eirp) ||
10219 		    nla_put_u32(msg, NL80211_ATTR_DFS_CAC_TIME,
10220 				reg_rule->dfs_cac_ms))
10221 			goto nla_put_failure;
10222 
10223 		if ((reg_rule->flags & NL80211_RRF_PSD) &&
10224 		    nla_put_s8(msg, NL80211_ATTR_POWER_RULE_PSD,
10225 			       reg_rule->psd))
10226 			goto nla_put_failure;
10227 
10228 		nla_nest_end(msg, nl_reg_rule);
10229 	}
10230 
10231 	nla_nest_end(msg, nl_reg_rules);
10232 	return 0;
10233 
10234 nla_put_failure:
10235 	return -EMSGSIZE;
10236 }
10237 
10238 static int nl80211_get_reg_do(struct sk_buff *skb, struct genl_info *info)
10239 {
10240 	const struct ieee80211_regdomain *regdom = NULL;
10241 	struct cfg80211_registered_device *rdev;
10242 	struct wiphy *wiphy = NULL;
10243 	struct sk_buff *msg;
10244 	int err = -EMSGSIZE;
10245 	void *hdr;
10246 
10247 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
10248 	if (!msg)
10249 		return -ENOBUFS;
10250 
10251 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
10252 			     NL80211_CMD_GET_REG);
10253 	if (!hdr)
10254 		goto put_failure;
10255 
10256 	rtnl_lock();
10257 
10258 	if (info->attrs[NL80211_ATTR_WIPHY]) {
10259 		bool self_managed;
10260 
10261 		rdev = cfg80211_get_dev_from_info(genl_info_net(info), info);
10262 		if (IS_ERR(rdev)) {
10263 			err = PTR_ERR(rdev);
10264 			goto nla_put_failure;
10265 		}
10266 
10267 		wiphy = &rdev->wiphy;
10268 		self_managed = wiphy->regulatory_flags &
10269 			       REGULATORY_WIPHY_SELF_MANAGED;
10270 
10271 		rcu_read_lock();
10272 
10273 		regdom = get_wiphy_regdom(wiphy);
10274 
10275 		/* a self-managed-reg device must have a private regdom */
10276 		if (WARN_ON(!regdom && self_managed)) {
10277 			err = -EINVAL;
10278 			goto nla_put_failure_rcu;
10279 		}
10280 
10281 		if (regdom &&
10282 		    nla_put_u32(msg, NL80211_ATTR_WIPHY, get_wiphy_idx(wiphy)))
10283 			goto nla_put_failure_rcu;
10284 	} else {
10285 		rcu_read_lock();
10286 	}
10287 
10288 	if (!wiphy && reg_last_request_cell_base() &&
10289 	    nla_put_u32(msg, NL80211_ATTR_USER_REG_HINT_TYPE,
10290 			NL80211_USER_REG_HINT_CELL_BASE))
10291 		goto nla_put_failure_rcu;
10292 
10293 	if (!regdom)
10294 		regdom = rcu_dereference(cfg80211_regdomain);
10295 
10296 	if (nl80211_put_regdom(regdom, msg))
10297 		goto nla_put_failure_rcu;
10298 
10299 	rcu_read_unlock();
10300 
10301 	genlmsg_end(msg, hdr);
10302 	rtnl_unlock();
10303 	return genlmsg_reply(msg, info);
10304 
10305 nla_put_failure_rcu:
10306 	rcu_read_unlock();
10307 nla_put_failure:
10308 	rtnl_unlock();
10309 put_failure:
10310 	nlmsg_free(msg);
10311 	return err;
10312 }
10313 
10314 static int nl80211_send_regdom(struct sk_buff *msg, struct netlink_callback *cb,
10315 			       u32 seq, int flags, struct wiphy *wiphy,
10316 			       const struct ieee80211_regdomain *regdom)
10317 {
10318 	void *hdr = nl80211hdr_put(msg, NETLINK_CB(cb->skb).portid, seq, flags,
10319 				   NL80211_CMD_GET_REG);
10320 
10321 	if (!hdr)
10322 		return -1;
10323 
10324 	genl_dump_check_consistent(cb, hdr);
10325 
10326 	if (nl80211_put_regdom(regdom, msg))
10327 		goto nla_put_failure;
10328 
10329 	if (!wiphy && reg_last_request_cell_base() &&
10330 	    nla_put_u32(msg, NL80211_ATTR_USER_REG_HINT_TYPE,
10331 			NL80211_USER_REG_HINT_CELL_BASE))
10332 		goto nla_put_failure;
10333 
10334 	if (wiphy &&
10335 	    nla_put_u32(msg, NL80211_ATTR_WIPHY, get_wiphy_idx(wiphy)))
10336 		goto nla_put_failure;
10337 
10338 	if (wiphy && wiphy->regulatory_flags & REGULATORY_WIPHY_SELF_MANAGED &&
10339 	    nla_put_flag(msg, NL80211_ATTR_WIPHY_SELF_MANAGED_REG))
10340 		goto nla_put_failure;
10341 
10342 	genlmsg_end(msg, hdr);
10343 	return 0;
10344 
10345 nla_put_failure:
10346 	genlmsg_cancel(msg, hdr);
10347 	return -EMSGSIZE;
10348 }
10349 
10350 static int nl80211_get_reg_dump(struct sk_buff *skb,
10351 				struct netlink_callback *cb)
10352 {
10353 	const struct ieee80211_regdomain *regdom = NULL;
10354 	struct cfg80211_registered_device *rdev;
10355 	int err, reg_idx, start = cb->args[2];
10356 
10357 	rcu_read_lock();
10358 
10359 	if (cfg80211_regdomain && start == 0) {
10360 		err = nl80211_send_regdom(skb, cb, cb->nlh->nlmsg_seq,
10361 					  NLM_F_MULTI, NULL,
10362 					  rcu_dereference(cfg80211_regdomain));
10363 		if (err < 0)
10364 			goto out_err;
10365 	}
10366 
10367 	/* the global regdom is idx 0 */
10368 	reg_idx = 1;
10369 	list_for_each_entry_rcu(rdev, &cfg80211_rdev_list, list) {
10370 		regdom = get_wiphy_regdom(&rdev->wiphy);
10371 		if (!regdom)
10372 			continue;
10373 
10374 		if (++reg_idx <= start)
10375 			continue;
10376 
10377 		err = nl80211_send_regdom(skb, cb, cb->nlh->nlmsg_seq,
10378 					  NLM_F_MULTI, &rdev->wiphy, regdom);
10379 		if (err < 0) {
10380 			reg_idx--;
10381 			break;
10382 		}
10383 	}
10384 
10385 	cb->args[2] = reg_idx;
10386 	err = skb->len;
10387 out_err:
10388 	rcu_read_unlock();
10389 	return err;
10390 }
10391 
10392 #ifdef CONFIG_CFG80211_CRDA_SUPPORT
10393 static const struct nla_policy reg_rule_policy[NL80211_REG_RULE_ATTR_MAX + 1] = {
10394 	[NL80211_ATTR_REG_RULE_FLAGS]		= { .type = NLA_U32 },
10395 	[NL80211_ATTR_FREQ_RANGE_START]		= { .type = NLA_U32 },
10396 	[NL80211_ATTR_FREQ_RANGE_END]		= { .type = NLA_U32 },
10397 	[NL80211_ATTR_FREQ_RANGE_MAX_BW]	= { .type = NLA_U32 },
10398 	[NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN]	= { .type = NLA_U32 },
10399 	[NL80211_ATTR_POWER_RULE_MAX_EIRP]	= { .type = NLA_U32 },
10400 	[NL80211_ATTR_DFS_CAC_TIME]		= { .type = NLA_U32 },
10401 };
10402 
10403 static int parse_reg_rule(struct nlattr *tb[],
10404 	struct ieee80211_reg_rule *reg_rule)
10405 {
10406 	struct ieee80211_freq_range *freq_range = &reg_rule->freq_range;
10407 	struct ieee80211_power_rule *power_rule = &reg_rule->power_rule;
10408 
10409 	if (!tb[NL80211_ATTR_REG_RULE_FLAGS])
10410 		return -EINVAL;
10411 	if (!tb[NL80211_ATTR_FREQ_RANGE_START])
10412 		return -EINVAL;
10413 	if (!tb[NL80211_ATTR_FREQ_RANGE_END])
10414 		return -EINVAL;
10415 	if (!tb[NL80211_ATTR_FREQ_RANGE_MAX_BW])
10416 		return -EINVAL;
10417 	if (!tb[NL80211_ATTR_POWER_RULE_MAX_EIRP])
10418 		return -EINVAL;
10419 
10420 	reg_rule->flags = nla_get_u32(tb[NL80211_ATTR_REG_RULE_FLAGS]);
10421 
10422 	freq_range->start_freq_khz =
10423 		nla_get_u32(tb[NL80211_ATTR_FREQ_RANGE_START]);
10424 	freq_range->end_freq_khz =
10425 		nla_get_u32(tb[NL80211_ATTR_FREQ_RANGE_END]);
10426 	freq_range->max_bandwidth_khz =
10427 		nla_get_u32(tb[NL80211_ATTR_FREQ_RANGE_MAX_BW]);
10428 
10429 	power_rule->max_eirp =
10430 		nla_get_u32(tb[NL80211_ATTR_POWER_RULE_MAX_EIRP]);
10431 
10432 	if (tb[NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN])
10433 		power_rule->max_antenna_gain =
10434 			nla_get_u32(tb[NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN]);
10435 
10436 	if (tb[NL80211_ATTR_DFS_CAC_TIME])
10437 		reg_rule->dfs_cac_ms =
10438 			nla_get_u32(tb[NL80211_ATTR_DFS_CAC_TIME]);
10439 
10440 	return 0;
10441 }
10442 
10443 static int nl80211_set_reg(struct sk_buff *skb, struct genl_info *info)
10444 {
10445 	struct nlattr *tb[NL80211_REG_RULE_ATTR_MAX + 1];
10446 	struct nlattr *nl_reg_rule;
10447 	char *alpha2;
10448 	int rem_reg_rules, r;
10449 	u32 num_rules = 0, rule_idx = 0;
10450 	enum nl80211_dfs_regions dfs_region = NL80211_DFS_UNSET;
10451 	struct ieee80211_regdomain *rd;
10452 
10453 	if (!info->attrs[NL80211_ATTR_REG_ALPHA2])
10454 		return -EINVAL;
10455 
10456 	if (!info->attrs[NL80211_ATTR_REG_RULES])
10457 		return -EINVAL;
10458 
10459 	alpha2 = nla_data(info->attrs[NL80211_ATTR_REG_ALPHA2]);
10460 
10461 	if (info->attrs[NL80211_ATTR_DFS_REGION])
10462 		dfs_region = nla_get_u8(info->attrs[NL80211_ATTR_DFS_REGION]);
10463 
10464 	nla_for_each_nested(nl_reg_rule, info->attrs[NL80211_ATTR_REG_RULES],
10465 			    rem_reg_rules) {
10466 		num_rules++;
10467 		if (num_rules > NL80211_MAX_SUPP_REG_RULES)
10468 			return -EINVAL;
10469 	}
10470 
10471 	rtnl_lock();
10472 	if (!reg_is_valid_request(alpha2)) {
10473 		r = -EINVAL;
10474 		goto out;
10475 	}
10476 
10477 	rd = kzalloc_flex(*rd, reg_rules, num_rules);
10478 	if (!rd) {
10479 		r = -ENOMEM;
10480 		goto out;
10481 	}
10482 
10483 	rd->n_reg_rules = num_rules;
10484 	rd->alpha2[0] = alpha2[0];
10485 	rd->alpha2[1] = alpha2[1];
10486 
10487 	/*
10488 	 * Disable DFS master mode if the DFS region was
10489 	 * not supported or known on this kernel.
10490 	 */
10491 	if (reg_supported_dfs_region(dfs_region))
10492 		rd->dfs_region = dfs_region;
10493 
10494 	nla_for_each_nested(nl_reg_rule, info->attrs[NL80211_ATTR_REG_RULES],
10495 			    rem_reg_rules) {
10496 		r = nla_parse_nested_deprecated(tb, NL80211_REG_RULE_ATTR_MAX,
10497 						nl_reg_rule, reg_rule_policy,
10498 						info->extack);
10499 		if (r)
10500 			goto bad_reg;
10501 		r = parse_reg_rule(tb, &rd->reg_rules[rule_idx]);
10502 		if (r)
10503 			goto bad_reg;
10504 
10505 		rule_idx++;
10506 
10507 		if (rule_idx > NL80211_MAX_SUPP_REG_RULES) {
10508 			r = -EINVAL;
10509 			goto bad_reg;
10510 		}
10511 	}
10512 
10513 	r = set_regdom(rd, REGD_SOURCE_CRDA);
10514 	/* set_regdom takes ownership of rd */
10515 	rd = NULL;
10516  bad_reg:
10517 	kfree(rd);
10518  out:
10519 	rtnl_unlock();
10520 	return r;
10521 }
10522 #endif /* CONFIG_CFG80211_CRDA_SUPPORT */
10523 
10524 static int validate_scan_freqs(struct nlattr *freqs)
10525 {
10526 	struct nlattr *attr1, *attr2;
10527 	int n_channels = 0, tmp1, tmp2;
10528 
10529 	nla_for_each_nested(attr1, freqs, tmp1)
10530 		if (nla_len(attr1) != sizeof(u32))
10531 			return 0;
10532 
10533 	nla_for_each_nested(attr1, freqs, tmp1) {
10534 		n_channels++;
10535 		/*
10536 		 * Some hardware has a limited channel list for
10537 		 * scanning, and it is pretty much nonsensical
10538 		 * to scan for a channel twice, so disallow that
10539 		 * and don't require drivers to check that the
10540 		 * channel list they get isn't longer than what
10541 		 * they can scan, as long as they can scan all
10542 		 * the channels they registered at once.
10543 		 */
10544 		nla_for_each_nested(attr2, freqs, tmp2)
10545 			if (attr1 != attr2 &&
10546 			    nla_get_u32(attr1) == nla_get_u32(attr2))
10547 				return 0;
10548 	}
10549 
10550 	return n_channels;
10551 }
10552 
10553 static bool is_band_valid(struct wiphy *wiphy, enum nl80211_band b)
10554 {
10555 	return b < NUM_NL80211_BANDS && wiphy->bands[b];
10556 }
10557 
10558 static int parse_bss_select(struct nlattr *nla, struct wiphy *wiphy,
10559 			    struct cfg80211_bss_selection *bss_select)
10560 {
10561 	struct nlattr *attr[NL80211_BSS_SELECT_ATTR_MAX + 1];
10562 	struct nlattr *nest;
10563 	int err;
10564 	bool found = false;
10565 	int i;
10566 
10567 	/* only process one nested attribute */
10568 	nest = nla_data(nla);
10569 	if (!nla_ok(nest, nla_len(nest)))
10570 		return -EINVAL;
10571 
10572 	err = nla_parse_nested_deprecated(attr, NL80211_BSS_SELECT_ATTR_MAX,
10573 					  nest, nl80211_bss_select_policy,
10574 					  NULL);
10575 	if (err)
10576 		return err;
10577 
10578 	/* only one attribute may be given */
10579 	for (i = 0; i <= NL80211_BSS_SELECT_ATTR_MAX; i++) {
10580 		if (attr[i]) {
10581 			if (found)
10582 				return -EINVAL;
10583 			found = true;
10584 		}
10585 	}
10586 
10587 	bss_select->behaviour = __NL80211_BSS_SELECT_ATTR_INVALID;
10588 
10589 	if (attr[NL80211_BSS_SELECT_ATTR_RSSI])
10590 		bss_select->behaviour = NL80211_BSS_SELECT_ATTR_RSSI;
10591 
10592 	if (attr[NL80211_BSS_SELECT_ATTR_BAND_PREF]) {
10593 		bss_select->behaviour = NL80211_BSS_SELECT_ATTR_BAND_PREF;
10594 		bss_select->param.band_pref =
10595 			nla_get_u32(attr[NL80211_BSS_SELECT_ATTR_BAND_PREF]);
10596 		if (!is_band_valid(wiphy, bss_select->param.band_pref))
10597 			return -EINVAL;
10598 	}
10599 
10600 	if (attr[NL80211_BSS_SELECT_ATTR_RSSI_ADJUST]) {
10601 		struct nl80211_bss_select_rssi_adjust *adj_param;
10602 
10603 		adj_param = nla_data(attr[NL80211_BSS_SELECT_ATTR_RSSI_ADJUST]);
10604 		bss_select->behaviour = NL80211_BSS_SELECT_ATTR_RSSI_ADJUST;
10605 		bss_select->param.adjust.band = adj_param->band;
10606 		bss_select->param.adjust.delta = adj_param->delta;
10607 		if (!is_band_valid(wiphy, bss_select->param.adjust.band))
10608 			return -EINVAL;
10609 	}
10610 
10611 	/* user-space did not provide behaviour attribute */
10612 	if (bss_select->behaviour == __NL80211_BSS_SELECT_ATTR_INVALID)
10613 		return -EINVAL;
10614 
10615 	if (!(wiphy->bss_select_support & BIT(bss_select->behaviour)))
10616 		return -EINVAL;
10617 
10618 	return 0;
10619 }
10620 
10621 int nl80211_parse_random_mac(struct nlattr **attrs,
10622 			     u8 *mac_addr, u8 *mac_addr_mask)
10623 {
10624 	int i;
10625 
10626 	if (!attrs[NL80211_ATTR_MAC] && !attrs[NL80211_ATTR_MAC_MASK]) {
10627 		eth_zero_addr(mac_addr);
10628 		eth_zero_addr(mac_addr_mask);
10629 		mac_addr[0] = 0x2;
10630 		mac_addr_mask[0] = 0x3;
10631 
10632 		return 0;
10633 	}
10634 
10635 	/* need both or none */
10636 	if (!attrs[NL80211_ATTR_MAC] || !attrs[NL80211_ATTR_MAC_MASK])
10637 		return -EINVAL;
10638 
10639 	memcpy(mac_addr, nla_data(attrs[NL80211_ATTR_MAC]), ETH_ALEN);
10640 	memcpy(mac_addr_mask, nla_data(attrs[NL80211_ATTR_MAC_MASK]), ETH_ALEN);
10641 
10642 	/* don't allow or configure an mcast address */
10643 	if (!is_multicast_ether_addr(mac_addr_mask) ||
10644 	    is_multicast_ether_addr(mac_addr))
10645 		return -EINVAL;
10646 
10647 	/*
10648 	 * allow users to pass a MAC address that has bits set outside
10649 	 * of the mask, but don't bother drivers with having to deal
10650 	 * with such bits
10651 	 */
10652 	for (i = 0; i < ETH_ALEN; i++)
10653 		mac_addr[i] &= mac_addr_mask[i];
10654 
10655 	return 0;
10656 }
10657 
10658 static bool cfg80211_off_channel_oper_allowed(struct wireless_dev *wdev,
10659 					      struct ieee80211_channel *chan)
10660 {
10661 	unsigned int link_id;
10662 	bool all_ok = true;
10663 	int radio_idx;
10664 
10665 	lockdep_assert_wiphy(wdev->wiphy);
10666 
10667 	if (!cfg80211_wdev_channel_allowed(wdev, chan))
10668 		return false;
10669 
10670 	if (!cfg80211_beaconing_iface_active(wdev))
10671 		return true;
10672 
10673 	radio_idx = cfg80211_get_radio_idx_by_chan(wdev->wiphy, chan);
10674 
10675 	/*
10676 	 * FIXME: check if we have a free radio/link for chan
10677 	 *
10678 	 * This, as well as the FIXME below, requires knowing the link
10679 	 * capabilities of the hardware.
10680 	 */
10681 
10682 	/* we cannot leave radar channels */
10683 	for_each_valid_link(wdev, link_id) {
10684 		struct cfg80211_chan_def *chandef;
10685 		int link_radio_idx;
10686 
10687 		chandef = wdev_chandef(wdev, link_id);
10688 		if (!chandef || !chandef->chan)
10689 			continue;
10690 
10691 		if (!(chandef->chan->flags & IEEE80211_CHAN_RADAR))
10692 			continue;
10693 
10694 		/*
10695 		 * chandef->chan is a radar channel. If the radio/link onto
10696 		 * which this radar channel falls is the same radio/link onto
10697 		 * which the input 'chan' falls, off-channel operation should
10698 		 * not be allowed. Hence, set 'all_ok' to false.
10699 		 */
10700 
10701 		link_radio_idx = cfg80211_get_radio_idx_by_chan(wdev->wiphy,
10702 								chandef->chan);
10703 		if (link_radio_idx == radio_idx) {
10704 			all_ok = false;
10705 			break;
10706 		}
10707 	}
10708 
10709 	if (all_ok)
10710 		return true;
10711 
10712 	return regulatory_pre_cac_allowed(wdev->wiphy);
10713 }
10714 
10715 static bool nl80211_check_scan_feat(struct wiphy *wiphy, u32 flags, u32 flag,
10716 				    enum nl80211_ext_feature_index feat)
10717 {
10718 	if (!(flags & flag))
10719 		return true;
10720 	if (wiphy_ext_feature_isset(wiphy, feat))
10721 		return true;
10722 	return false;
10723 }
10724 
10725 static int
10726 nl80211_check_scan_flags(struct wiphy *wiphy, struct wireless_dev *wdev,
10727 			 struct nlattr **attrs, u8 *mac_addr, u8 *mac_addr_mask,
10728 			 u32 *flags, enum nl80211_feature_flags randomness_flag)
10729 {
10730 	if (!attrs[NL80211_ATTR_SCAN_FLAGS])
10731 		return 0;
10732 
10733 	*flags = nla_get_u32(attrs[NL80211_ATTR_SCAN_FLAGS]);
10734 
10735 	if (((*flags & NL80211_SCAN_FLAG_LOW_PRIORITY) &&
10736 	     !(wiphy->features & NL80211_FEATURE_LOW_PRIORITY_SCAN)) ||
10737 	    !nl80211_check_scan_feat(wiphy, *flags,
10738 				     NL80211_SCAN_FLAG_LOW_SPAN,
10739 				     NL80211_EXT_FEATURE_LOW_SPAN_SCAN) ||
10740 	    !nl80211_check_scan_feat(wiphy, *flags,
10741 				     NL80211_SCAN_FLAG_LOW_POWER,
10742 				     NL80211_EXT_FEATURE_LOW_POWER_SCAN) ||
10743 	    !nl80211_check_scan_feat(wiphy, *flags,
10744 				     NL80211_SCAN_FLAG_HIGH_ACCURACY,
10745 				     NL80211_EXT_FEATURE_HIGH_ACCURACY_SCAN) ||
10746 	    !nl80211_check_scan_feat(wiphy, *flags,
10747 				     NL80211_SCAN_FLAG_FILS_MAX_CHANNEL_TIME,
10748 				     NL80211_EXT_FEATURE_FILS_MAX_CHANNEL_TIME) ||
10749 	    !nl80211_check_scan_feat(wiphy, *flags,
10750 				     NL80211_SCAN_FLAG_ACCEPT_BCAST_PROBE_RESP,
10751 				     NL80211_EXT_FEATURE_ACCEPT_BCAST_PROBE_RESP) ||
10752 	    !nl80211_check_scan_feat(wiphy, *flags,
10753 				     NL80211_SCAN_FLAG_OCE_PROBE_REQ_DEFERRAL_SUPPRESSION,
10754 				     NL80211_EXT_FEATURE_OCE_PROBE_REQ_DEFERRAL_SUPPRESSION) ||
10755 	    !nl80211_check_scan_feat(wiphy, *flags,
10756 				     NL80211_SCAN_FLAG_OCE_PROBE_REQ_HIGH_TX_RATE,
10757 				     NL80211_EXT_FEATURE_OCE_PROBE_REQ_HIGH_TX_RATE) ||
10758 	    !nl80211_check_scan_feat(wiphy, *flags,
10759 				     NL80211_SCAN_FLAG_RANDOM_SN,
10760 				     NL80211_EXT_FEATURE_SCAN_RANDOM_SN) ||
10761 	    !nl80211_check_scan_feat(wiphy, *flags,
10762 				     NL80211_SCAN_FLAG_MIN_PREQ_CONTENT,
10763 				     NL80211_EXT_FEATURE_SCAN_MIN_PREQ_CONTENT))
10764 		return -EOPNOTSUPP;
10765 
10766 	if (*flags & NL80211_SCAN_FLAG_RANDOM_ADDR) {
10767 		int err;
10768 
10769 		if (!(wiphy->features & randomness_flag) ||
10770 		    (wdev && wdev->connected))
10771 			return -EOPNOTSUPP;
10772 
10773 		err = nl80211_parse_random_mac(attrs, mac_addr, mac_addr_mask);
10774 		if (err)
10775 			return err;
10776 	}
10777 
10778 	return 0;
10779 }
10780 
10781 static int
10782 nl80211_check_scan_flags_sched(struct wiphy *wiphy, struct wireless_dev *wdev,
10783 			       struct nlattr **attrs,
10784 			       struct cfg80211_sched_scan_request *req)
10785 {
10786 	return nl80211_check_scan_flags(wiphy, wdev, attrs,
10787 					req->mac_addr, req->mac_addr_mask,
10788 					&req->flags,
10789 					wdev ? NL80211_FEATURE_SCHED_SCAN_RANDOM_MAC_ADDR :
10790 					       NL80211_FEATURE_ND_RANDOM_MAC_ADDR);
10791 }
10792 
10793 static int
10794 nl80211_check_scan_flags_reg(struct wiphy *wiphy, struct wireless_dev *wdev,
10795 			     struct nlattr **attrs,
10796 			     struct cfg80211_scan_request_int *req)
10797 {
10798 	return nl80211_check_scan_flags(wiphy, wdev, attrs,
10799 					req->req.mac_addr,
10800 					req->req.mac_addr_mask,
10801 					&req->req.flags,
10802 					NL80211_FEATURE_SCAN_RANDOM_MAC_ADDR);
10803 }
10804 
10805 static int nl80211_trigger_scan(struct sk_buff *skb, struct genl_info *info)
10806 {
10807 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10808 	struct wireless_dev *wdev = info->user_ptr[1];
10809 	struct cfg80211_scan_request_int *request;
10810 	struct nlattr *scan_freqs = NULL;
10811 	bool scan_freqs_khz = false;
10812 	struct nlattr *attr;
10813 	struct wiphy *wiphy;
10814 	int err, tmp, n_ssids = 0, n_channels, i;
10815 	size_t ie_len, size;
10816 	size_t ssids_offset, ie_offset;
10817 
10818 	wiphy = &rdev->wiphy;
10819 
10820 	if (wdev->iftype == NL80211_IFTYPE_NAN)
10821 		return -EOPNOTSUPP;
10822 
10823 	if (!rdev->ops->scan)
10824 		return -EOPNOTSUPP;
10825 
10826 	if (rdev->scan_req || rdev->scan_msg)
10827 		return -EBUSY;
10828 
10829 	if (info->attrs[NL80211_ATTR_SCAN_FREQ_KHZ]) {
10830 		if (!wiphy_ext_feature_isset(wiphy,
10831 					     NL80211_EXT_FEATURE_SCAN_FREQ_KHZ))
10832 			return -EOPNOTSUPP;
10833 		scan_freqs = info->attrs[NL80211_ATTR_SCAN_FREQ_KHZ];
10834 		scan_freqs_khz = true;
10835 	} else if (info->attrs[NL80211_ATTR_SCAN_FREQUENCIES])
10836 		scan_freqs = info->attrs[NL80211_ATTR_SCAN_FREQUENCIES];
10837 
10838 	if (scan_freqs) {
10839 		n_channels = validate_scan_freqs(scan_freqs);
10840 		if (!n_channels)
10841 			return -EINVAL;
10842 	} else {
10843 		n_channels = ieee80211_get_num_supported_channels(wiphy);
10844 	}
10845 
10846 	if (info->attrs[NL80211_ATTR_SCAN_SSIDS])
10847 		nla_for_each_nested(attr, info->attrs[NL80211_ATTR_SCAN_SSIDS], tmp)
10848 			n_ssids++;
10849 
10850 	if (n_ssids > wiphy->max_scan_ssids)
10851 		return -EINVAL;
10852 
10853 	if (info->attrs[NL80211_ATTR_IE])
10854 		ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
10855 	else
10856 		ie_len = 0;
10857 
10858 	if (ie_len > wiphy->max_scan_ie_len)
10859 		return -EINVAL;
10860 
10861 	size = struct_size(request, req.channels, n_channels);
10862 	ssids_offset = size;
10863 	size = size_add(size, array_size(sizeof(*request->req.ssids), n_ssids));
10864 	ie_offset = size;
10865 	size = size_add(size, ie_len);
10866 	request = kzalloc(size, GFP_KERNEL);
10867 	if (!request)
10868 		return -ENOMEM;
10869 
10870 	if (n_ssids)
10871 		request->req.ssids = (void *)request + ssids_offset;
10872 	request->req.n_ssids = n_ssids;
10873 	if (ie_len)
10874 		request->req.ie = (void *)request + ie_offset;
10875 
10876 	i = 0;
10877 	if (scan_freqs) {
10878 		/* user specified, bail out if channel not found */
10879 		nla_for_each_nested(attr, scan_freqs, tmp) {
10880 			struct ieee80211_channel *chan;
10881 			int freq = nla_get_u32(attr);
10882 
10883 			if (!scan_freqs_khz)
10884 				freq = MHZ_TO_KHZ(freq);
10885 
10886 			chan = ieee80211_get_channel_khz(wiphy, freq);
10887 			if (!chan) {
10888 				err = -EINVAL;
10889 				goto out_free;
10890 			}
10891 
10892 			/* Ignore disabled / no primary channels */
10893 			if (chan->flags & IEEE80211_CHAN_DISABLED ||
10894 			    chan->flags & IEEE80211_CHAN_S1G_NO_PRIMARY ||
10895 			    !cfg80211_wdev_channel_allowed(wdev, chan))
10896 				continue;
10897 
10898 			request->req.channels[i] = chan;
10899 			i++;
10900 		}
10901 	} else {
10902 		enum nl80211_band band;
10903 
10904 		/* all channels */
10905 		for (band = 0; band < NUM_NL80211_BANDS; band++) {
10906 			int j;
10907 
10908 			if (!wiphy->bands[band])
10909 				continue;
10910 			for (j = 0; j < wiphy->bands[band]->n_channels; j++) {
10911 				struct ieee80211_channel *chan;
10912 
10913 				chan = &wiphy->bands[band]->channels[j];
10914 
10915 				if (chan->flags & IEEE80211_CHAN_DISABLED ||
10916 				    chan->flags &
10917 					    IEEE80211_CHAN_S1G_NO_PRIMARY ||
10918 				    !cfg80211_wdev_channel_allowed(wdev, chan))
10919 					continue;
10920 
10921 				request->req.channels[i] = chan;
10922 				i++;
10923 			}
10924 		}
10925 	}
10926 
10927 	if (!i) {
10928 		err = -EINVAL;
10929 		goto out_free;
10930 	}
10931 
10932 	request->req.n_channels = i;
10933 
10934 	for (i = 0; i < request->req.n_channels; i++) {
10935 		struct ieee80211_channel *chan = request->req.channels[i];
10936 
10937 		/* if we can go off-channel to the target channel we're good */
10938 		if (cfg80211_off_channel_oper_allowed(wdev, chan))
10939 			continue;
10940 
10941 		if (!cfg80211_wdev_on_sub_chan(wdev, chan, true)) {
10942 			err = -EBUSY;
10943 			goto out_free;
10944 		}
10945 	}
10946 
10947 	i = 0;
10948 	if (n_ssids) {
10949 		nla_for_each_nested(attr, info->attrs[NL80211_ATTR_SCAN_SSIDS], tmp) {
10950 			if (nla_len(attr) > IEEE80211_MAX_SSID_LEN) {
10951 				err = -EINVAL;
10952 				goto out_free;
10953 			}
10954 			request->req.ssids[i].ssid_len = nla_len(attr);
10955 			memcpy(request->req.ssids[i].ssid,
10956 			       nla_data(attr), nla_len(attr));
10957 			i++;
10958 		}
10959 	}
10960 
10961 	if (info->attrs[NL80211_ATTR_IE]) {
10962 		request->req.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
10963 		memcpy((void *)request->req.ie,
10964 		       nla_data(info->attrs[NL80211_ATTR_IE]),
10965 		       request->req.ie_len);
10966 	}
10967 
10968 	for (i = 0; i < NUM_NL80211_BANDS; i++)
10969 		if (wiphy->bands[i])
10970 			request->req.rates[i] =
10971 				(1 << wiphy->bands[i]->n_bitrates) - 1;
10972 
10973 	if (info->attrs[NL80211_ATTR_SCAN_SUPP_RATES]) {
10974 		nla_for_each_nested(attr,
10975 				    info->attrs[NL80211_ATTR_SCAN_SUPP_RATES],
10976 				    tmp) {
10977 			int band = nla_type(attr);
10978 
10979 			if (band < 0 || band >= NUM_NL80211_BANDS) {
10980 				err = -EINVAL;
10981 				goto out_free;
10982 			}
10983 
10984 			if (!wiphy->bands[band])
10985 				continue;
10986 
10987 			err = ieee80211_get_ratemask(wiphy->bands[band],
10988 						     nla_data(attr),
10989 						     nla_len(attr),
10990 						     &request->req.rates[band]);
10991 			if (err)
10992 				goto out_free;
10993 		}
10994 	}
10995 
10996 	if (info->attrs[NL80211_ATTR_MEASUREMENT_DURATION]) {
10997 		request->req.duration =
10998 			nla_get_u16(info->attrs[NL80211_ATTR_MEASUREMENT_DURATION]);
10999 		request->req.duration_mandatory =
11000 			nla_get_flag(info->attrs[NL80211_ATTR_MEASUREMENT_DURATION_MANDATORY]);
11001 	}
11002 
11003 	err = nl80211_check_scan_flags_reg(wiphy, wdev, info->attrs, request);
11004 	if (err)
11005 		goto out_free;
11006 
11007 	request->req.no_cck =
11008 		nla_get_flag(info->attrs[NL80211_ATTR_TX_NO_CCK_RATE]);
11009 
11010 	/* Initial implementation used NL80211_ATTR_MAC to set the specific
11011 	 * BSSID to scan for. This was problematic because that same attribute
11012 	 * was already used for another purpose (local random MAC address). The
11013 	 * NL80211_ATTR_BSSID attribute was added to fix this. For backwards
11014 	 * compatibility with older userspace components, also use the
11015 	 * NL80211_ATTR_MAC value here if it can be determined to be used for
11016 	 * the specific BSSID use case instead of the random MAC address
11017 	 * (NL80211_ATTR_SCAN_FLAGS is used to enable random MAC address use).
11018 	 */
11019 	if (info->attrs[NL80211_ATTR_BSSID])
11020 		memcpy(request->req.bssid,
11021 		       nla_data(info->attrs[NL80211_ATTR_BSSID]), ETH_ALEN);
11022 	else if (!(request->req.flags & NL80211_SCAN_FLAG_RANDOM_ADDR) &&
11023 		 info->attrs[NL80211_ATTR_MAC])
11024 		memcpy(request->req.bssid,
11025 		       nla_data(info->attrs[NL80211_ATTR_MAC]),
11026 		       ETH_ALEN);
11027 	else
11028 		eth_broadcast_addr(request->req.bssid);
11029 
11030 	request->req.tsf_report_link_id =
11031 		nl80211_link_id_or_invalid(info->attrs);
11032 	request->req.wdev = wdev;
11033 	request->req.wiphy = &rdev->wiphy;
11034 	request->req.scan_start = jiffies;
11035 
11036 	rdev->scan_req = request;
11037 	err = cfg80211_scan(rdev);
11038 
11039 	if (err)
11040 		goto out_free;
11041 
11042 	nl80211_send_scan_start(rdev, wdev);
11043 	dev_hold(wdev->netdev);
11044 
11045 	return 0;
11046 
11047  out_free:
11048 	rdev->scan_req = NULL;
11049 	kfree(request);
11050 
11051 	return err;
11052 }
11053 
11054 static int nl80211_abort_scan(struct sk_buff *skb, struct genl_info *info)
11055 {
11056 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11057 	struct wireless_dev *wdev = info->user_ptr[1];
11058 
11059 	if (!rdev->ops->abort_scan)
11060 		return -EOPNOTSUPP;
11061 
11062 	if (rdev->scan_msg)
11063 		return 0;
11064 
11065 	if (!rdev->scan_req)
11066 		return -ENOENT;
11067 
11068 	rdev_abort_scan(rdev, wdev);
11069 	return 0;
11070 }
11071 
11072 static int
11073 nl80211_parse_sched_scan_plans(struct wiphy *wiphy, int n_plans,
11074 			       struct cfg80211_sched_scan_request *request,
11075 			       struct nlattr **attrs)
11076 {
11077 	int tmp, err, i = 0;
11078 	struct nlattr *attr;
11079 
11080 	if (!attrs[NL80211_ATTR_SCHED_SCAN_PLANS]) {
11081 		u32 interval;
11082 
11083 		/*
11084 		 * If scan plans are not specified,
11085 		 * %NL80211_ATTR_SCHED_SCAN_INTERVAL will be specified. In this
11086 		 * case one scan plan will be set with the specified scan
11087 		 * interval and infinite number of iterations.
11088 		 */
11089 		interval = nla_get_u32(attrs[NL80211_ATTR_SCHED_SCAN_INTERVAL]);
11090 		if (!interval)
11091 			return -EINVAL;
11092 
11093 		request->scan_plans[0].interval =
11094 			DIV_ROUND_UP(interval, MSEC_PER_SEC);
11095 		if (!request->scan_plans[0].interval)
11096 			return -EINVAL;
11097 
11098 		if (request->scan_plans[0].interval >
11099 		    wiphy->max_sched_scan_plan_interval)
11100 			request->scan_plans[0].interval =
11101 				wiphy->max_sched_scan_plan_interval;
11102 
11103 		return 0;
11104 	}
11105 
11106 	nla_for_each_nested(attr, attrs[NL80211_ATTR_SCHED_SCAN_PLANS], tmp) {
11107 		struct nlattr *plan[NL80211_SCHED_SCAN_PLAN_MAX + 1];
11108 
11109 		if (WARN_ON(i >= n_plans))
11110 			return -EINVAL;
11111 
11112 		err = nla_parse_nested_deprecated(plan,
11113 						  NL80211_SCHED_SCAN_PLAN_MAX,
11114 						  attr, nl80211_plan_policy,
11115 						  NULL);
11116 		if (err)
11117 			return err;
11118 
11119 		if (!plan[NL80211_SCHED_SCAN_PLAN_INTERVAL])
11120 			return -EINVAL;
11121 
11122 		request->scan_plans[i].interval =
11123 			nla_get_u32(plan[NL80211_SCHED_SCAN_PLAN_INTERVAL]);
11124 		if (!request->scan_plans[i].interval ||
11125 		    request->scan_plans[i].interval >
11126 		    wiphy->max_sched_scan_plan_interval)
11127 			return -EINVAL;
11128 
11129 		if (plan[NL80211_SCHED_SCAN_PLAN_ITERATIONS]) {
11130 			request->scan_plans[i].iterations =
11131 				nla_get_u32(plan[NL80211_SCHED_SCAN_PLAN_ITERATIONS]);
11132 			if (!request->scan_plans[i].iterations ||
11133 			    (request->scan_plans[i].iterations >
11134 			     wiphy->max_sched_scan_plan_iterations))
11135 				return -EINVAL;
11136 		} else if (i < n_plans - 1) {
11137 			/*
11138 			 * All scan plans but the last one must specify
11139 			 * a finite number of iterations
11140 			 */
11141 			return -EINVAL;
11142 		}
11143 
11144 		i++;
11145 	}
11146 
11147 	/*
11148 	 * The last scan plan must not specify the number of
11149 	 * iterations, it is supposed to run infinitely
11150 	 */
11151 	if (request->scan_plans[n_plans - 1].iterations)
11152 		return  -EINVAL;
11153 
11154 	return 0;
11155 }
11156 
11157 static struct cfg80211_sched_scan_request *
11158 nl80211_parse_sched_scan(struct wiphy *wiphy, struct wireless_dev *wdev,
11159 			 struct nlattr **attrs, int max_match_sets)
11160 {
11161 	struct cfg80211_sched_scan_request *request;
11162 	struct nlattr *attr;
11163 	int err, tmp, n_ssids = 0, n_match_sets = 0, n_channels, i, n_plans = 0;
11164 	enum nl80211_band band;
11165 	size_t ie_len, size;
11166 	struct nlattr *tb[NL80211_SCHED_SCAN_MATCH_ATTR_MAX + 1];
11167 	s32 default_match_rssi = NL80211_SCAN_RSSI_THOLD_OFF;
11168 
11169 	if (attrs[NL80211_ATTR_SCAN_FREQUENCIES]) {
11170 		n_channels = validate_scan_freqs(
11171 				attrs[NL80211_ATTR_SCAN_FREQUENCIES]);
11172 		if (!n_channels)
11173 			return ERR_PTR(-EINVAL);
11174 	} else {
11175 		n_channels = ieee80211_get_num_supported_channels(wiphy);
11176 	}
11177 
11178 	if (attrs[NL80211_ATTR_SCAN_SSIDS])
11179 		nla_for_each_nested(attr, attrs[NL80211_ATTR_SCAN_SSIDS],
11180 				    tmp)
11181 			n_ssids++;
11182 
11183 	if (n_ssids > wiphy->max_sched_scan_ssids)
11184 		return ERR_PTR(-EINVAL);
11185 
11186 	/*
11187 	 * First, count the number of 'real' matchsets. Due to an issue with
11188 	 * the old implementation, matchsets containing only the RSSI attribute
11189 	 * (NL80211_SCHED_SCAN_MATCH_ATTR_RSSI) are considered as the 'default'
11190 	 * RSSI for all matchsets, rather than their own matchset for reporting
11191 	 * all APs with a strong RSSI. This is needed to be compatible with
11192 	 * older userspace that treated a matchset with only the RSSI as the
11193 	 * global RSSI for all other matchsets - if there are other matchsets.
11194 	 */
11195 	if (attrs[NL80211_ATTR_SCHED_SCAN_MATCH]) {
11196 		nla_for_each_nested(attr,
11197 				    attrs[NL80211_ATTR_SCHED_SCAN_MATCH],
11198 				    tmp) {
11199 			struct nlattr *rssi;
11200 
11201 			err = nla_parse_nested_deprecated(tb,
11202 							  NL80211_SCHED_SCAN_MATCH_ATTR_MAX,
11203 							  attr,
11204 							  nl80211_match_policy,
11205 							  NULL);
11206 			if (err)
11207 				return ERR_PTR(err);
11208 
11209 			/* SSID and BSSID are mutually exclusive */
11210 			if (tb[NL80211_SCHED_SCAN_MATCH_ATTR_SSID] &&
11211 			    tb[NL80211_SCHED_SCAN_MATCH_ATTR_BSSID])
11212 				return ERR_PTR(-EINVAL);
11213 
11214 			/* add other standalone attributes here */
11215 			if (tb[NL80211_SCHED_SCAN_MATCH_ATTR_SSID] ||
11216 			    tb[NL80211_SCHED_SCAN_MATCH_ATTR_BSSID]) {
11217 				n_match_sets++;
11218 				continue;
11219 			}
11220 			rssi = tb[NL80211_SCHED_SCAN_MATCH_ATTR_RSSI];
11221 			if (rssi)
11222 				default_match_rssi = nla_get_s32(rssi);
11223 		}
11224 	}
11225 
11226 	/* However, if there's no other matchset, add the RSSI one */
11227 	if (!n_match_sets && default_match_rssi != NL80211_SCAN_RSSI_THOLD_OFF)
11228 		n_match_sets = 1;
11229 
11230 	if (n_match_sets > max_match_sets)
11231 		return ERR_PTR(-EINVAL);
11232 
11233 	if (attrs[NL80211_ATTR_IE])
11234 		ie_len = nla_len(attrs[NL80211_ATTR_IE]);
11235 	else
11236 		ie_len = 0;
11237 
11238 	if (ie_len > wiphy->max_sched_scan_ie_len)
11239 		return ERR_PTR(-EINVAL);
11240 
11241 	if (attrs[NL80211_ATTR_SCHED_SCAN_PLANS]) {
11242 		/*
11243 		 * NL80211_ATTR_SCHED_SCAN_INTERVAL must not be specified since
11244 		 * each scan plan already specifies its own interval
11245 		 */
11246 		if (attrs[NL80211_ATTR_SCHED_SCAN_INTERVAL])
11247 			return ERR_PTR(-EINVAL);
11248 
11249 		nla_for_each_nested(attr,
11250 				    attrs[NL80211_ATTR_SCHED_SCAN_PLANS], tmp)
11251 			n_plans++;
11252 	} else {
11253 		/*
11254 		 * The scan interval attribute is kept for backward
11255 		 * compatibility. If no scan plans are specified and sched scan
11256 		 * interval is specified, one scan plan will be set with this
11257 		 * scan interval and infinite number of iterations.
11258 		 */
11259 		if (!attrs[NL80211_ATTR_SCHED_SCAN_INTERVAL])
11260 			return ERR_PTR(-EINVAL);
11261 
11262 		n_plans = 1;
11263 	}
11264 
11265 	if (!n_plans || n_plans > wiphy->max_sched_scan_plans)
11266 		return ERR_PTR(-EINVAL);
11267 
11268 	if (!wiphy_ext_feature_isset(
11269 		    wiphy, NL80211_EXT_FEATURE_SCHED_SCAN_RELATIVE_RSSI) &&
11270 	    (attrs[NL80211_ATTR_SCHED_SCAN_RELATIVE_RSSI] ||
11271 	     attrs[NL80211_ATTR_SCHED_SCAN_RSSI_ADJUST]))
11272 		return ERR_PTR(-EINVAL);
11273 
11274 	size = struct_size(request, channels, n_channels);
11275 	size = size_add(size, array_size(sizeof(*request->ssids), n_ssids));
11276 	size = size_add(size, array_size(sizeof(*request->match_sets),
11277 					 n_match_sets));
11278 	size = size_add(size, array_size(sizeof(*request->scan_plans),
11279 					 n_plans));
11280 	size = size_add(size, ie_len);
11281 	request = kzalloc(size, GFP_KERNEL);
11282 	if (!request)
11283 		return ERR_PTR(-ENOMEM);
11284 	request->n_channels = n_channels;
11285 
11286 	if (n_ssids)
11287 		request->ssids = (void *)request +
11288 			struct_size(request, channels, n_channels);
11289 	request->n_ssids = n_ssids;
11290 	if (ie_len) {
11291 		if (n_ssids)
11292 			request->ie = (void *)(request->ssids + n_ssids);
11293 		else
11294 			request->ie = (void *)(request->channels + n_channels);
11295 	}
11296 
11297 	if (n_match_sets) {
11298 		if (request->ie)
11299 			request->match_sets = (void *)(request->ie + ie_len);
11300 		else if (n_ssids)
11301 			request->match_sets =
11302 				(void *)(request->ssids + n_ssids);
11303 		else
11304 			request->match_sets =
11305 				(void *)(request->channels + n_channels);
11306 	}
11307 	request->n_match_sets = n_match_sets;
11308 
11309 	if (n_match_sets)
11310 		request->scan_plans = (void *)(request->match_sets +
11311 					       n_match_sets);
11312 	else if (request->ie)
11313 		request->scan_plans = (void *)(request->ie + ie_len);
11314 	else if (n_ssids)
11315 		request->scan_plans = (void *)(request->ssids + n_ssids);
11316 	else
11317 		request->scan_plans = (void *)(request->channels + n_channels);
11318 
11319 	request->n_scan_plans = n_plans;
11320 
11321 	i = 0;
11322 	if (attrs[NL80211_ATTR_SCAN_FREQUENCIES]) {
11323 		/* user specified, bail out if channel not found */
11324 		nla_for_each_nested(attr,
11325 				    attrs[NL80211_ATTR_SCAN_FREQUENCIES],
11326 				    tmp) {
11327 			struct ieee80211_channel *chan;
11328 
11329 			chan = ieee80211_get_channel(wiphy, nla_get_u32(attr));
11330 
11331 			if (!chan) {
11332 				err = -EINVAL;
11333 				goto out_free;
11334 			}
11335 
11336 			/* ignore disabled channels */
11337 			if (chan->flags & IEEE80211_CHAN_DISABLED)
11338 				continue;
11339 
11340 			request->channels[i] = chan;
11341 			i++;
11342 		}
11343 	} else {
11344 		/* all channels */
11345 		for (band = 0; band < NUM_NL80211_BANDS; band++) {
11346 			int j;
11347 
11348 			if (!wiphy->bands[band])
11349 				continue;
11350 			for (j = 0; j < wiphy->bands[band]->n_channels; j++) {
11351 				struct ieee80211_channel *chan;
11352 
11353 				chan = &wiphy->bands[band]->channels[j];
11354 
11355 				if (chan->flags & IEEE80211_CHAN_DISABLED)
11356 					continue;
11357 
11358 				request->channels[i] = chan;
11359 				i++;
11360 			}
11361 		}
11362 	}
11363 
11364 	if (!i) {
11365 		err = -EINVAL;
11366 		goto out_free;
11367 	}
11368 
11369 	request->n_channels = i;
11370 
11371 	i = 0;
11372 	if (n_ssids) {
11373 		nla_for_each_nested(attr, attrs[NL80211_ATTR_SCAN_SSIDS],
11374 				    tmp) {
11375 			if (nla_len(attr) > IEEE80211_MAX_SSID_LEN) {
11376 				err = -EINVAL;
11377 				goto out_free;
11378 			}
11379 			request->ssids[i].ssid_len = nla_len(attr);
11380 			memcpy(request->ssids[i].ssid, nla_data(attr),
11381 			       nla_len(attr));
11382 			i++;
11383 		}
11384 	}
11385 
11386 	i = 0;
11387 	if (attrs[NL80211_ATTR_SCHED_SCAN_MATCH]) {
11388 		nla_for_each_nested(attr,
11389 				    attrs[NL80211_ATTR_SCHED_SCAN_MATCH],
11390 				    tmp) {
11391 			struct nlattr *ssid, *bssid, *rssi;
11392 
11393 			err = nla_parse_nested_deprecated(tb,
11394 							  NL80211_SCHED_SCAN_MATCH_ATTR_MAX,
11395 							  attr,
11396 							  nl80211_match_policy,
11397 							  NULL);
11398 			if (err)
11399 				goto out_free;
11400 			ssid = tb[NL80211_SCHED_SCAN_MATCH_ATTR_SSID];
11401 			bssid = tb[NL80211_SCHED_SCAN_MATCH_ATTR_BSSID];
11402 
11403 			if (!ssid && !bssid) {
11404 				i++;
11405 				continue;
11406 			}
11407 
11408 			if (WARN_ON(i >= n_match_sets)) {
11409 				/* this indicates a programming error,
11410 				 * the loop above should have verified
11411 				 * things properly
11412 				 */
11413 				err = -EINVAL;
11414 				goto out_free;
11415 			}
11416 
11417 			if (ssid) {
11418 				memcpy(request->match_sets[i].ssid.ssid,
11419 				       nla_data(ssid), nla_len(ssid));
11420 				request->match_sets[i].ssid.ssid_len =
11421 					nla_len(ssid);
11422 			}
11423 			if (bssid)
11424 				memcpy(request->match_sets[i].bssid,
11425 				       nla_data(bssid), ETH_ALEN);
11426 
11427 			/* special attribute - old implementation w/a */
11428 			request->match_sets[i].rssi_thold = default_match_rssi;
11429 			rssi = tb[NL80211_SCHED_SCAN_MATCH_ATTR_RSSI];
11430 			if (rssi)
11431 				request->match_sets[i].rssi_thold =
11432 					nla_get_s32(rssi);
11433 			i++;
11434 		}
11435 
11436 		/* there was no other matchset, so the RSSI one is alone */
11437 		if (i == 0 && n_match_sets)
11438 			request->match_sets[0].rssi_thold = default_match_rssi;
11439 
11440 		request->min_rssi_thold = INT_MAX;
11441 		for (i = 0; i < n_match_sets; i++)
11442 			request->min_rssi_thold =
11443 				min(request->match_sets[i].rssi_thold,
11444 				    request->min_rssi_thold);
11445 	} else {
11446 		request->min_rssi_thold = NL80211_SCAN_RSSI_THOLD_OFF;
11447 	}
11448 
11449 	if (ie_len) {
11450 		request->ie_len = ie_len;
11451 		memcpy((void *)request->ie,
11452 		       nla_data(attrs[NL80211_ATTR_IE]),
11453 		       request->ie_len);
11454 	}
11455 
11456 	err = nl80211_check_scan_flags_sched(wiphy, wdev, attrs, request);
11457 	if (err)
11458 		goto out_free;
11459 
11460 	if (attrs[NL80211_ATTR_SCHED_SCAN_DELAY])
11461 		request->delay =
11462 			nla_get_u32(attrs[NL80211_ATTR_SCHED_SCAN_DELAY]);
11463 
11464 	if (attrs[NL80211_ATTR_SCHED_SCAN_RELATIVE_RSSI]) {
11465 		request->relative_rssi = nla_get_s8(
11466 			attrs[NL80211_ATTR_SCHED_SCAN_RELATIVE_RSSI]);
11467 		request->relative_rssi_set = true;
11468 	}
11469 
11470 	if (request->relative_rssi_set &&
11471 	    attrs[NL80211_ATTR_SCHED_SCAN_RSSI_ADJUST]) {
11472 		struct nl80211_bss_select_rssi_adjust *rssi_adjust;
11473 
11474 		rssi_adjust = nla_data(
11475 			attrs[NL80211_ATTR_SCHED_SCAN_RSSI_ADJUST]);
11476 		request->rssi_adjust.band = rssi_adjust->band;
11477 		request->rssi_adjust.delta = rssi_adjust->delta;
11478 		if (!is_band_valid(wiphy, request->rssi_adjust.band)) {
11479 			err = -EINVAL;
11480 			goto out_free;
11481 		}
11482 	}
11483 
11484 	err = nl80211_parse_sched_scan_plans(wiphy, n_plans, request, attrs);
11485 	if (err)
11486 		goto out_free;
11487 
11488 	request->scan_start = jiffies;
11489 
11490 	return request;
11491 
11492 out_free:
11493 	kfree(request);
11494 	return ERR_PTR(err);
11495 }
11496 
11497 static int nl80211_start_sched_scan(struct sk_buff *skb,
11498 				    struct genl_info *info)
11499 {
11500 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11501 	struct net_device *dev = info->user_ptr[1];
11502 	struct wireless_dev *wdev = dev->ieee80211_ptr;
11503 	struct cfg80211_sched_scan_request *sched_scan_req;
11504 	bool want_multi;
11505 	int err;
11506 
11507 	if (!rdev->wiphy.max_sched_scan_reqs || !rdev->ops->sched_scan_start)
11508 		return -EOPNOTSUPP;
11509 
11510 	want_multi = info->attrs[NL80211_ATTR_SCHED_SCAN_MULTI];
11511 	err = cfg80211_sched_scan_req_possible(rdev, want_multi);
11512 	if (err)
11513 		return err;
11514 
11515 	sched_scan_req = nl80211_parse_sched_scan(&rdev->wiphy, wdev,
11516 						  info->attrs,
11517 						  rdev->wiphy.max_match_sets);
11518 
11519 	err = PTR_ERR_OR_ZERO(sched_scan_req);
11520 	if (err)
11521 		goto out_err;
11522 
11523 	/* leave request id zero for legacy request
11524 	 * or if driver does not support multi-scheduled scan
11525 	 */
11526 	if (want_multi && rdev->wiphy.max_sched_scan_reqs > 1)
11527 		sched_scan_req->reqid = cfg80211_assign_cookie(rdev);
11528 
11529 	err = rdev_sched_scan_start(rdev, dev, sched_scan_req);
11530 	if (err)
11531 		goto out_free;
11532 
11533 	sched_scan_req->dev = dev;
11534 	sched_scan_req->wiphy = &rdev->wiphy;
11535 
11536 	if (info->attrs[NL80211_ATTR_SOCKET_OWNER])
11537 		sched_scan_req->owner_nlportid = info->snd_portid;
11538 
11539 	cfg80211_add_sched_scan_req(rdev, sched_scan_req);
11540 
11541 	nl80211_send_sched_scan(sched_scan_req, NL80211_CMD_START_SCHED_SCAN);
11542 	return 0;
11543 
11544 out_free:
11545 	kfree(sched_scan_req);
11546 out_err:
11547 	return err;
11548 }
11549 
11550 static int nl80211_stop_sched_scan(struct sk_buff *skb,
11551 				   struct genl_info *info)
11552 {
11553 	struct cfg80211_sched_scan_request *req;
11554 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11555 	u64 cookie;
11556 
11557 	if (!rdev->wiphy.max_sched_scan_reqs || !rdev->ops->sched_scan_stop)
11558 		return -EOPNOTSUPP;
11559 
11560 	if (info->attrs[NL80211_ATTR_COOKIE]) {
11561 		cookie = nla_get_u64(info->attrs[NL80211_ATTR_COOKIE]);
11562 		return __cfg80211_stop_sched_scan(rdev, cookie, false);
11563 	}
11564 
11565 	req = list_first_or_null_rcu(&rdev->sched_scan_req_list,
11566 				     struct cfg80211_sched_scan_request,
11567 				     list);
11568 	if (!req || req->reqid ||
11569 	    (req->owner_nlportid &&
11570 	     req->owner_nlportid != info->snd_portid))
11571 		return -ENOENT;
11572 
11573 	return cfg80211_stop_sched_scan_req(rdev, req, false);
11574 }
11575 
11576 static int nl80211_start_radar_detection(struct sk_buff *skb,
11577 					 struct genl_info *info)
11578 {
11579 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11580 	struct net_device *dev = info->user_ptr[1];
11581 	struct wireless_dev *wdev = dev->ieee80211_ptr;
11582 	int link_id = nl80211_link_id(info->attrs);
11583 	struct wiphy *wiphy = wdev->wiphy;
11584 	struct cfg80211_chan_def chandef;
11585 	enum nl80211_dfs_regions dfs_region;
11586 	unsigned int cac_time_ms;
11587 	int err;
11588 
11589 	flush_delayed_work(&rdev->dfs_update_channels_wk);
11590 
11591 	switch (wdev->iftype) {
11592 	case NL80211_IFTYPE_AP:
11593 	case NL80211_IFTYPE_P2P_GO:
11594 	case NL80211_IFTYPE_MESH_POINT:
11595 	case NL80211_IFTYPE_ADHOC:
11596 		break;
11597 	default:
11598 		/* caution - see cfg80211_beaconing_iface_active() below */
11599 		return -EINVAL;
11600 	}
11601 
11602 	guard(wiphy)(wiphy);
11603 
11604 	dfs_region = reg_get_dfs_region(wiphy);
11605 	if (dfs_region == NL80211_DFS_UNSET)
11606 		return -EINVAL;
11607 
11608 	err = nl80211_parse_chandef(rdev, info->extack, info->attrs, &chandef);
11609 	if (err)
11610 		return err;
11611 
11612 	err = cfg80211_chandef_dfs_required(wiphy, &chandef, wdev->iftype);
11613 	if (err < 0)
11614 		return err;
11615 
11616 	if (err == 0)
11617 		return -EINVAL;
11618 
11619 	if (!cfg80211_chandef_dfs_usable(wiphy, &chandef))
11620 		return -EINVAL;
11621 
11622 	if (nla_get_flag(info->attrs[NL80211_ATTR_RADAR_BACKGROUND]))
11623 		return cfg80211_start_background_radar_detection(rdev, wdev,
11624 								 &chandef);
11625 
11626 	if (cfg80211_beaconing_iface_active(wdev)) {
11627 		/* During MLO other link(s) can beacon, only the current link
11628 		 * can not already beacon
11629 		 */
11630 		if (wdev->valid_links &&
11631 		    !wdev->links[link_id].ap.beacon_interval) {
11632 			/* nothing */
11633 		} else {
11634 			return -EBUSY;
11635 		}
11636 	}
11637 
11638 	if (wdev->links[link_id].cac_started)
11639 		return -EBUSY;
11640 
11641 	/* CAC start is offloaded to HW and can't be started manually */
11642 	if (wiphy_ext_feature_isset(wiphy, NL80211_EXT_FEATURE_DFS_OFFLOAD))
11643 		return -EOPNOTSUPP;
11644 
11645 	if (!rdev->ops->start_radar_detection)
11646 		return -EOPNOTSUPP;
11647 
11648 	cac_time_ms = cfg80211_chandef_dfs_cac_time(&rdev->wiphy, &chandef);
11649 	if (WARN_ON(!cac_time_ms))
11650 		cac_time_ms = IEEE80211_DFS_MIN_CAC_TIME_MS;
11651 
11652 	err = rdev_start_radar_detection(rdev, dev, &chandef, cac_time_ms,
11653 					 link_id);
11654 	if (err)
11655 		return err;
11656 
11657 	switch (wdev->iftype) {
11658 	case NL80211_IFTYPE_AP:
11659 	case NL80211_IFTYPE_P2P_GO:
11660 		wdev->links[link_id].ap.chandef = chandef;
11661 		break;
11662 	case NL80211_IFTYPE_ADHOC:
11663 		wdev->u.ibss.chandef = chandef;
11664 		break;
11665 	case NL80211_IFTYPE_MESH_POINT:
11666 		wdev->u.mesh.chandef = chandef;
11667 		break;
11668 	default:
11669 		break;
11670 	}
11671 	wdev->links[link_id].cac_started = true;
11672 	wdev->links[link_id].cac_start_time = jiffies;
11673 	wdev->links[link_id].cac_time_ms = cac_time_ms;
11674 	cfg80211_set_cac_state(wiphy, &chandef, true);
11675 
11676 	return 0;
11677 }
11678 
11679 static int nl80211_notify_radar_detection(struct sk_buff *skb,
11680 					  struct genl_info *info)
11681 {
11682 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11683 	struct net_device *dev = info->user_ptr[1];
11684 	struct wireless_dev *wdev = dev->ieee80211_ptr;
11685 	struct wiphy *wiphy = wdev->wiphy;
11686 	struct cfg80211_chan_def chandef;
11687 	enum nl80211_dfs_regions dfs_region;
11688 	int err;
11689 
11690 	dfs_region = reg_get_dfs_region(wiphy);
11691 	if (dfs_region == NL80211_DFS_UNSET) {
11692 		GENL_SET_ERR_MSG(info,
11693 				 "DFS Region is not set. Unexpected Radar indication");
11694 		return -EINVAL;
11695 	}
11696 
11697 	err = nl80211_parse_chandef(rdev, info->extack, info->attrs, &chandef);
11698 	if (err) {
11699 		GENL_SET_ERR_MSG(info, "Unable to extract chandef info");
11700 		return err;
11701 	}
11702 
11703 	err = cfg80211_chandef_dfs_required(wiphy, &chandef, wdev->iftype);
11704 	if (err < 0) {
11705 		GENL_SET_ERR_MSG(info, "chandef is invalid");
11706 		return err;
11707 	}
11708 
11709 	if (err == 0) {
11710 		GENL_SET_ERR_MSG(info,
11711 				 "Unexpected Radar indication for chandef/iftype");
11712 		return -EINVAL;
11713 	}
11714 
11715 	/* Do not process this notification if radar is already detected
11716 	 * by kernel on this channel, and return success.
11717 	 */
11718 	if (chandef.chan->dfs_state == NL80211_DFS_UNAVAILABLE)
11719 		return 0;
11720 
11721 	cfg80211_set_dfs_state(wiphy, &chandef, NL80211_DFS_UNAVAILABLE);
11722 
11723 	cfg80211_sched_dfs_chan_update(rdev);
11724 
11725 	rdev->radar_chandef = chandef;
11726 
11727 	/* Propagate this notification to other radios as well */
11728 	queue_work(cfg80211_wq, &rdev->propagate_radar_detect_wk);
11729 
11730 	return 0;
11731 }
11732 
11733 static int nl80211_parse_counter_offsets(struct cfg80211_registered_device *rdev,
11734 					 const u8 *data, size_t datalen,
11735 					 int first_count, struct nlattr *attr,
11736 					 const u16 **offsets, unsigned int *n_offsets)
11737 {
11738 	int i;
11739 
11740 	*n_offsets = 0;
11741 
11742 	if (!attr)
11743 		return 0;
11744 
11745 	if (!nla_len(attr) || (nla_len(attr) % sizeof(u16)))
11746 		return -EINVAL;
11747 
11748 	*n_offsets = nla_len(attr) / sizeof(u16);
11749 	if (rdev->wiphy.max_num_csa_counters &&
11750 	    (*n_offsets > rdev->wiphy.max_num_csa_counters))
11751 		return -EINVAL;
11752 
11753 	*offsets = nla_data(attr);
11754 
11755 	/* sanity checks - counters should fit and be the same */
11756 	for (i = 0; i < *n_offsets; i++) {
11757 		u16 offset = (*offsets)[i];
11758 
11759 		if (offset >= datalen)
11760 			return -EINVAL;
11761 
11762 		if (first_count != -1 && data[offset] != first_count)
11763 			return -EINVAL;
11764 	}
11765 
11766 	return 0;
11767 }
11768 
11769 static int nl80211_channel_switch(struct sk_buff *skb, struct genl_info *info)
11770 {
11771 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11772 	unsigned int link_id = nl80211_link_id(info->attrs);
11773 	struct net_device *dev = info->user_ptr[1];
11774 	struct wireless_dev *wdev = dev->ieee80211_ptr;
11775 	struct cfg80211_csa_settings params;
11776 	struct nlattr **csa_attrs = NULL;
11777 	int err;
11778 	bool need_new_beacon = false;
11779 	bool need_handle_dfs_flag = true;
11780 	u32 cs_count;
11781 
11782 	if (!rdev->ops->channel_switch ||
11783 	    !(rdev->wiphy.flags & WIPHY_FLAG_HAS_CHANNEL_SWITCH))
11784 		return -EOPNOTSUPP;
11785 
11786 	switch (dev->ieee80211_ptr->iftype) {
11787 	case NL80211_IFTYPE_AP:
11788 	case NL80211_IFTYPE_P2P_GO:
11789 		need_new_beacon = true;
11790 		/* For all modes except AP the handle_dfs flag needs to be
11791 		 * supplied to tell the kernel that userspace will handle radar
11792 		 * events when they happen. Otherwise a switch to a channel
11793 		 * requiring DFS will be rejected.
11794 		 */
11795 		need_handle_dfs_flag = false;
11796 
11797 		/* useless if AP is not running */
11798 		if (!wdev->links[link_id].ap.beacon_interval)
11799 			return -ENOTCONN;
11800 		break;
11801 	case NL80211_IFTYPE_ADHOC:
11802 		if (!wdev->u.ibss.ssid_len)
11803 			return -ENOTCONN;
11804 		break;
11805 	case NL80211_IFTYPE_MESH_POINT:
11806 		if (!wdev->u.mesh.id_len)
11807 			return -ENOTCONN;
11808 		break;
11809 	default:
11810 		return -EOPNOTSUPP;
11811 	}
11812 
11813 	memset(&params, 0, sizeof(params));
11814 	params.beacon_csa.ftm_responder = -1;
11815 
11816 	if (!info->attrs[NL80211_ATTR_WIPHY_FREQ] ||
11817 	    !info->attrs[NL80211_ATTR_CH_SWITCH_COUNT])
11818 		return -EINVAL;
11819 
11820 	/* only important for AP, IBSS and mesh create IEs internally */
11821 	if (need_new_beacon && !info->attrs[NL80211_ATTR_CSA_IES])
11822 		return -EINVAL;
11823 
11824 	/* Even though the attribute is u32, the specification says
11825 	 * u8, so let's make sure we don't overflow.
11826 	 */
11827 	cs_count = nla_get_u32(info->attrs[NL80211_ATTR_CH_SWITCH_COUNT]);
11828 	if (cs_count > 255)
11829 		return -EINVAL;
11830 
11831 	params.count = cs_count;
11832 
11833 	if (!need_new_beacon)
11834 		goto skip_beacons;
11835 
11836 	err = nl80211_parse_beacon(rdev, info->attrs, &params.beacon_after,
11837 				   info->extack);
11838 	if (err)
11839 		goto free;
11840 
11841 	csa_attrs = kzalloc_objs(*csa_attrs, NL80211_ATTR_MAX + 1);
11842 	if (!csa_attrs) {
11843 		err = -ENOMEM;
11844 		goto free;
11845 	}
11846 
11847 	err = nla_parse_nested_deprecated(csa_attrs, NL80211_ATTR_MAX,
11848 					  info->attrs[NL80211_ATTR_CSA_IES],
11849 					  nl80211_policy, info->extack);
11850 	if (err)
11851 		goto free;
11852 
11853 	err = nl80211_parse_beacon(rdev, csa_attrs, &params.beacon_csa,
11854 				   info->extack);
11855 	if (err)
11856 		goto free;
11857 
11858 	if (!csa_attrs[NL80211_ATTR_CNTDWN_OFFS_BEACON]) {
11859 		err = -EINVAL;
11860 		goto free;
11861 	}
11862 
11863 	err = nl80211_parse_counter_offsets(rdev, params.beacon_csa.tail,
11864 					    params.beacon_csa.tail_len,
11865 					    params.count,
11866 					    csa_attrs[NL80211_ATTR_CNTDWN_OFFS_BEACON],
11867 					    &params.counter_offsets_beacon,
11868 					    &params.n_counter_offsets_beacon);
11869 	if (err)
11870 		goto free;
11871 
11872 	err = nl80211_parse_counter_offsets(rdev, params.beacon_csa.probe_resp,
11873 					    params.beacon_csa.probe_resp_len,
11874 					    params.count,
11875 					    csa_attrs[NL80211_ATTR_CNTDWN_OFFS_PRESP],
11876 					    &params.counter_offsets_presp,
11877 					    &params.n_counter_offsets_presp);
11878 	if (err)
11879 		goto free;
11880 
11881 skip_beacons:
11882 	err = nl80211_parse_chandef(rdev, info->extack, info->attrs,
11883 				    &params.chandef);
11884 	if (err)
11885 		goto free;
11886 
11887 	if (!cfg80211_reg_can_beacon_relax(&rdev->wiphy, &params.chandef,
11888 					   wdev->iftype)) {
11889 		err = -EINVAL;
11890 		goto free;
11891 	}
11892 
11893 	err = cfg80211_chandef_dfs_required(wdev->wiphy,
11894 					    &params.chandef,
11895 					    wdev->iftype);
11896 	if (err < 0)
11897 		goto free;
11898 
11899 	if (err > 0) {
11900 		params.radar_required = true;
11901 		if (need_handle_dfs_flag &&
11902 		    !nla_get_flag(info->attrs[NL80211_ATTR_HANDLE_DFS])) {
11903 			err = -EINVAL;
11904 			goto free;
11905 		}
11906 	}
11907 
11908 	if (info->attrs[NL80211_ATTR_CH_SWITCH_BLOCK_TX])
11909 		params.block_tx = true;
11910 
11911 	if ((wdev->iftype == NL80211_IFTYPE_AP ||
11912 	     wdev->iftype == NL80211_IFTYPE_P2P_GO) &&
11913 	    info->attrs[NL80211_ATTR_UNSOL_BCAST_PROBE_RESP]) {
11914 		err = nl80211_parse_unsol_bcast_probe_resp(
11915 			rdev, info->attrs[NL80211_ATTR_UNSOL_BCAST_PROBE_RESP],
11916 			&params.unsol_bcast_probe_resp);
11917 		if (err)
11918 			goto free;
11919 	}
11920 
11921 	params.link_id = link_id;
11922 	err = rdev_channel_switch(rdev, dev, &params);
11923 
11924 free:
11925 	kfree(params.beacon_after.mbssid_ies);
11926 	kfree(params.beacon_csa.mbssid_ies);
11927 	kfree(params.beacon_after.rnr_ies);
11928 	kfree(params.beacon_csa.rnr_ies);
11929 	kfree(csa_attrs);
11930 	return err;
11931 }
11932 
11933 static int nl80211_send_bss(struct sk_buff *msg, struct netlink_callback *cb,
11934 			    u32 seq, int flags,
11935 			    struct cfg80211_registered_device *rdev,
11936 			    struct wireless_dev *wdev,
11937 			    struct cfg80211_internal_bss *intbss)
11938 {
11939 	struct cfg80211_bss *res = &intbss->pub;
11940 	const struct cfg80211_bss_ies *ies;
11941 	unsigned int link_id;
11942 	void *hdr;
11943 	struct nlattr *bss;
11944 
11945 	lockdep_assert_wiphy(wdev->wiphy);
11946 
11947 	hdr = nl80211hdr_put(msg, NETLINK_CB(cb->skb).portid, seq, flags,
11948 			     NL80211_CMD_NEW_SCAN_RESULTS);
11949 	if (!hdr)
11950 		return -1;
11951 
11952 	genl_dump_check_consistent(cb, hdr);
11953 
11954 	if (nla_put_u32(msg, NL80211_ATTR_GENERATION, rdev->bss_generation))
11955 		goto nla_put_failure;
11956 	if (wdev->netdev &&
11957 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, wdev->netdev->ifindex))
11958 		goto nla_put_failure;
11959 	if (nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
11960 			      NL80211_ATTR_PAD))
11961 		goto nla_put_failure;
11962 
11963 	bss = nla_nest_start_noflag(msg, NL80211_ATTR_BSS);
11964 	if (!bss)
11965 		goto nla_put_failure;
11966 	if ((!is_zero_ether_addr(res->bssid) &&
11967 	     nla_put(msg, NL80211_BSS_BSSID, ETH_ALEN, res->bssid)))
11968 		goto nla_put_failure;
11969 
11970 	rcu_read_lock();
11971 	/* indicate whether we have probe response data or not */
11972 	if (rcu_access_pointer(res->proberesp_ies) &&
11973 	    nla_put_flag(msg, NL80211_BSS_PRESP_DATA))
11974 		goto fail_unlock_rcu;
11975 
11976 	/* this pointer prefers to be pointed to probe response data
11977 	 * but is always valid
11978 	 */
11979 	ies = rcu_dereference(res->ies);
11980 	if (ies) {
11981 		if (nla_put_u64_64bit(msg, NL80211_BSS_TSF, ies->tsf,
11982 				      NL80211_BSS_PAD))
11983 			goto fail_unlock_rcu;
11984 		if (ies->len && nla_put(msg, NL80211_BSS_INFORMATION_ELEMENTS,
11985 					ies->len, ies->data))
11986 			goto fail_unlock_rcu;
11987 	}
11988 
11989 	/* and this pointer is always (unless driver didn't know) beacon data */
11990 	ies = rcu_dereference(res->beacon_ies);
11991 	if (ies && ies->from_beacon) {
11992 		if (nla_put_u64_64bit(msg, NL80211_BSS_BEACON_TSF, ies->tsf,
11993 				      NL80211_BSS_PAD))
11994 			goto fail_unlock_rcu;
11995 		if (ies->len && nla_put(msg, NL80211_BSS_BEACON_IES,
11996 					ies->len, ies->data))
11997 			goto fail_unlock_rcu;
11998 	}
11999 	rcu_read_unlock();
12000 
12001 	if (res->beacon_interval &&
12002 	    nla_put_u16(msg, NL80211_BSS_BEACON_INTERVAL, res->beacon_interval))
12003 		goto nla_put_failure;
12004 	if (nla_put_u16(msg, NL80211_BSS_CAPABILITY, res->capability) ||
12005 	    nla_put_u32(msg, NL80211_BSS_FREQUENCY, res->channel->center_freq) ||
12006 	    nla_put_u32(msg, NL80211_BSS_FREQUENCY_OFFSET,
12007 			res->channel->freq_offset) ||
12008 	    nla_put_u32(msg, NL80211_BSS_SEEN_MS_AGO,
12009 			jiffies_to_msecs(jiffies - intbss->ts)))
12010 		goto nla_put_failure;
12011 
12012 	if (intbss->parent_tsf &&
12013 	    (nla_put_u64_64bit(msg, NL80211_BSS_PARENT_TSF,
12014 			       intbss->parent_tsf, NL80211_BSS_PAD) ||
12015 	     nla_put(msg, NL80211_BSS_PARENT_BSSID, ETH_ALEN,
12016 		     intbss->parent_bssid)))
12017 		goto nla_put_failure;
12018 
12019 	if (res->ts_boottime &&
12020 	    nla_put_u64_64bit(msg, NL80211_BSS_LAST_SEEN_BOOTTIME,
12021 			      res->ts_boottime, NL80211_BSS_PAD))
12022 		goto nla_put_failure;
12023 
12024 	if (!nl80211_put_signal(msg, intbss->pub.chains,
12025 				intbss->pub.chain_signal,
12026 				NL80211_BSS_CHAIN_SIGNAL))
12027 		goto nla_put_failure;
12028 
12029 	if (intbss->bss_source != BSS_SOURCE_STA_PROFILE) {
12030 		switch (rdev->wiphy.signal_type) {
12031 		case CFG80211_SIGNAL_TYPE_MBM:
12032 			if (nla_put_u32(msg, NL80211_BSS_SIGNAL_MBM,
12033 					res->signal))
12034 				goto nla_put_failure;
12035 			break;
12036 		case CFG80211_SIGNAL_TYPE_UNSPEC:
12037 			if (nla_put_u8(msg, NL80211_BSS_SIGNAL_UNSPEC,
12038 				       res->signal))
12039 				goto nla_put_failure;
12040 			break;
12041 		default:
12042 			break;
12043 		}
12044 	}
12045 
12046 	switch (wdev->iftype) {
12047 	case NL80211_IFTYPE_P2P_CLIENT:
12048 	case NL80211_IFTYPE_STATION:
12049 		for_each_valid_link(wdev, link_id) {
12050 			if (intbss == wdev->links[link_id].client.current_bss &&
12051 			    (nla_put_u32(msg, NL80211_BSS_STATUS,
12052 					 NL80211_BSS_STATUS_ASSOCIATED) ||
12053 			     (wdev->valid_links &&
12054 			      (nla_put_u8(msg, NL80211_BSS_MLO_LINK_ID,
12055 					  link_id) ||
12056 			       nla_put(msg, NL80211_BSS_MLD_ADDR, ETH_ALEN,
12057 				       wdev->u.client.connected_addr)))))
12058 				goto nla_put_failure;
12059 		}
12060 		break;
12061 	case NL80211_IFTYPE_ADHOC:
12062 		if (intbss == wdev->u.ibss.current_bss &&
12063 		    nla_put_u32(msg, NL80211_BSS_STATUS,
12064 				NL80211_BSS_STATUS_IBSS_JOINED))
12065 			goto nla_put_failure;
12066 		break;
12067 	default:
12068 		break;
12069 	}
12070 
12071 	if (nla_put_u32(msg, NL80211_BSS_USE_FOR, res->use_for))
12072 		goto nla_put_failure;
12073 
12074 	if (res->cannot_use_reasons &&
12075 	    nla_put_u64_64bit(msg, NL80211_BSS_CANNOT_USE_REASONS,
12076 			      res->cannot_use_reasons,
12077 			      NL80211_BSS_PAD))
12078 		goto nla_put_failure;
12079 
12080 	nla_nest_end(msg, bss);
12081 
12082 	genlmsg_end(msg, hdr);
12083 	return 0;
12084 
12085  fail_unlock_rcu:
12086 	rcu_read_unlock();
12087  nla_put_failure:
12088 	genlmsg_cancel(msg, hdr);
12089 	return -EMSGSIZE;
12090 }
12091 
12092 static int nl80211_dump_scan(struct sk_buff *skb, struct netlink_callback *cb)
12093 {
12094 	struct cfg80211_registered_device *rdev;
12095 	struct cfg80211_internal_bss *scan;
12096 	struct wireless_dev *wdev;
12097 	struct nlattr **attrbuf;
12098 	int start = cb->args[2], idx = 0;
12099 	bool dump_include_use_data;
12100 	int err;
12101 
12102 	attrbuf = kzalloc_objs(*attrbuf, NUM_NL80211_ATTR);
12103 	if (!attrbuf)
12104 		return -ENOMEM;
12105 
12106 	err = nl80211_prepare_wdev_dump(cb, &rdev, &wdev, attrbuf);
12107 	if (err) {
12108 		kfree(attrbuf);
12109 		return err;
12110 	}
12111 	/* nl80211_prepare_wdev_dump acquired it in the successful case */
12112 	__acquire(&rdev->wiphy.mtx);
12113 
12114 	dump_include_use_data =
12115 		attrbuf[NL80211_ATTR_BSS_DUMP_INCLUDE_USE_DATA];
12116 	kfree(attrbuf);
12117 
12118 	spin_lock_bh(&rdev->bss_lock);
12119 
12120 	/*
12121 	 * dump_scan will be called multiple times to break up the scan results
12122 	 * into multiple messages.  It is unlikely that any more bss-es will be
12123 	 * expired after the first call, so only call only call this on the
12124 	 * first dump_scan invocation.
12125 	 */
12126 	if (start == 0)
12127 		cfg80211_bss_expire(rdev);
12128 
12129 	cb->seq = rdev->bss_generation;
12130 
12131 	list_for_each_entry(scan, &rdev->bss_list, list) {
12132 		if (++idx <= start)
12133 			continue;
12134 		if (!dump_include_use_data &&
12135 		    !(scan->pub.use_for & NL80211_BSS_USE_FOR_NORMAL))
12136 			continue;
12137 		if (nl80211_send_bss(skb, cb,
12138 				cb->nlh->nlmsg_seq, NLM_F_MULTI,
12139 				rdev, wdev, scan) < 0) {
12140 			idx--;
12141 			break;
12142 		}
12143 	}
12144 
12145 	spin_unlock_bh(&rdev->bss_lock);
12146 
12147 	cb->args[2] = idx;
12148 	wiphy_unlock(&rdev->wiphy);
12149 
12150 	return skb->len;
12151 }
12152 
12153 static int nl80211_send_survey(struct sk_buff *msg, u32 portid, u32 seq,
12154 			       int flags, struct net_device *dev,
12155 			       bool allow_radio_stats,
12156 			       struct survey_info *survey)
12157 {
12158 	void *hdr;
12159 	struct nlattr *infoattr;
12160 
12161 	/* skip radio stats if userspace didn't request them */
12162 	if (!survey->channel && !allow_radio_stats)
12163 		return 0;
12164 
12165 	hdr = nl80211hdr_put(msg, portid, seq, flags,
12166 			     NL80211_CMD_NEW_SURVEY_RESULTS);
12167 	if (!hdr)
12168 		return -ENOMEM;
12169 
12170 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
12171 		goto nla_put_failure;
12172 
12173 	infoattr = nla_nest_start_noflag(msg, NL80211_ATTR_SURVEY_INFO);
12174 	if (!infoattr)
12175 		goto nla_put_failure;
12176 
12177 	if (survey->channel &&
12178 	    nla_put_u32(msg, NL80211_SURVEY_INFO_FREQUENCY,
12179 			survey->channel->center_freq))
12180 		goto nla_put_failure;
12181 
12182 	if (survey->channel && survey->channel->freq_offset &&
12183 	    nla_put_u32(msg, NL80211_SURVEY_INFO_FREQUENCY_OFFSET,
12184 			survey->channel->freq_offset))
12185 		goto nla_put_failure;
12186 
12187 	if ((survey->filled & SURVEY_INFO_NOISE_DBM) &&
12188 	    nla_put_u8(msg, NL80211_SURVEY_INFO_NOISE, survey->noise))
12189 		goto nla_put_failure;
12190 	if ((survey->filled & SURVEY_INFO_IN_USE) &&
12191 	    nla_put_flag(msg, NL80211_SURVEY_INFO_IN_USE))
12192 		goto nla_put_failure;
12193 	if ((survey->filled & SURVEY_INFO_TIME) &&
12194 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME,
12195 			survey->time, NL80211_SURVEY_INFO_PAD))
12196 		goto nla_put_failure;
12197 	if ((survey->filled & SURVEY_INFO_TIME_BUSY) &&
12198 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_BUSY,
12199 			      survey->time_busy, NL80211_SURVEY_INFO_PAD))
12200 		goto nla_put_failure;
12201 	if ((survey->filled & SURVEY_INFO_TIME_EXT_BUSY) &&
12202 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_EXT_BUSY,
12203 			      survey->time_ext_busy, NL80211_SURVEY_INFO_PAD))
12204 		goto nla_put_failure;
12205 	if ((survey->filled & SURVEY_INFO_TIME_RX) &&
12206 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_RX,
12207 			      survey->time_rx, NL80211_SURVEY_INFO_PAD))
12208 		goto nla_put_failure;
12209 	if ((survey->filled & SURVEY_INFO_TIME_TX) &&
12210 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_TX,
12211 			      survey->time_tx, NL80211_SURVEY_INFO_PAD))
12212 		goto nla_put_failure;
12213 	if ((survey->filled & SURVEY_INFO_TIME_SCAN) &&
12214 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_SCAN,
12215 			      survey->time_scan, NL80211_SURVEY_INFO_PAD))
12216 		goto nla_put_failure;
12217 	if ((survey->filled & SURVEY_INFO_TIME_BSS_RX) &&
12218 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_BSS_RX,
12219 			      survey->time_bss_rx, NL80211_SURVEY_INFO_PAD))
12220 		goto nla_put_failure;
12221 
12222 	nla_nest_end(msg, infoattr);
12223 
12224 	genlmsg_end(msg, hdr);
12225 	return 0;
12226 
12227  nla_put_failure:
12228 	genlmsg_cancel(msg, hdr);
12229 	return -EMSGSIZE;
12230 }
12231 
12232 static int nl80211_dump_survey(struct sk_buff *skb, struct netlink_callback *cb)
12233 {
12234 	struct nlattr **attrbuf;
12235 	struct survey_info survey;
12236 	struct cfg80211_registered_device *rdev;
12237 	struct wireless_dev *wdev;
12238 	int survey_idx = cb->args[2];
12239 	int res;
12240 	bool radio_stats;
12241 
12242 	attrbuf = kzalloc_objs(*attrbuf, NUM_NL80211_ATTR);
12243 	if (!attrbuf)
12244 		return -ENOMEM;
12245 
12246 	res = nl80211_prepare_wdev_dump(cb, &rdev, &wdev, attrbuf);
12247 	if (res) {
12248 		kfree(attrbuf);
12249 		return res;
12250 	}
12251 	/* nl80211_prepare_wdev_dump acquired it in the successful case */
12252 	__acquire(&rdev->wiphy.mtx);
12253 
12254 	/* prepare_wdev_dump parsed the attributes */
12255 	radio_stats = attrbuf[NL80211_ATTR_SURVEY_RADIO_STATS];
12256 
12257 	if (!wdev->netdev) {
12258 		res = -EINVAL;
12259 		goto out_err;
12260 	}
12261 
12262 	if (!rdev->ops->dump_survey) {
12263 		res = -EOPNOTSUPP;
12264 		goto out_err;
12265 	}
12266 
12267 	while (1) {
12268 		res = rdev_dump_survey(rdev, wdev->netdev, survey_idx, &survey);
12269 		if (res == -ENOENT)
12270 			break;
12271 		if (res)
12272 			goto out_err;
12273 
12274 		/* don't send disabled channels, but do send non-channel data */
12275 		if (survey.channel &&
12276 		    survey.channel->flags & IEEE80211_CHAN_DISABLED) {
12277 			survey_idx++;
12278 			continue;
12279 		}
12280 
12281 		if (nl80211_send_survey(skb,
12282 				NETLINK_CB(cb->skb).portid,
12283 				cb->nlh->nlmsg_seq, NLM_F_MULTI,
12284 				wdev->netdev, radio_stats, &survey) < 0)
12285 			goto out;
12286 		survey_idx++;
12287 	}
12288 
12289  out:
12290 	cb->args[2] = survey_idx;
12291 	res = skb->len;
12292  out_err:
12293 	kfree(attrbuf);
12294 	wiphy_unlock(&rdev->wiphy);
12295 	return res;
12296 }
12297 
12298 static int nl80211_authenticate(struct sk_buff *skb, struct genl_info *info)
12299 {
12300 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12301 	struct net_device *dev = info->user_ptr[1];
12302 	struct ieee80211_channel *chan;
12303 	const u8 *bssid, *ssid;
12304 	int err, ssid_len;
12305 	enum nl80211_auth_type auth_type;
12306 	struct key_parse key;
12307 	bool local_state_change;
12308 	struct cfg80211_auth_request req = {};
12309 	u32 freq;
12310 
12311 	if (!info->attrs[NL80211_ATTR_MAC])
12312 		return -EINVAL;
12313 
12314 	if (!info->attrs[NL80211_ATTR_AUTH_TYPE])
12315 		return -EINVAL;
12316 
12317 	if (!info->attrs[NL80211_ATTR_SSID])
12318 		return -EINVAL;
12319 
12320 	if (!info->attrs[NL80211_ATTR_WIPHY_FREQ])
12321 		return -EINVAL;
12322 
12323 	err = nl80211_parse_key(info, &key);
12324 	if (err)
12325 		return err;
12326 
12327 	if (key.idx >= 0) {
12328 		if (key.type != -1 && key.type != NL80211_KEYTYPE_GROUP)
12329 			return -EINVAL;
12330 		if (!key.p.key || !key.p.key_len)
12331 			return -EINVAL;
12332 		if ((key.p.cipher != WLAN_CIPHER_SUITE_WEP40 ||
12333 		     key.p.key_len != WLAN_KEY_LEN_WEP40) &&
12334 		    (key.p.cipher != WLAN_CIPHER_SUITE_WEP104 ||
12335 		     key.p.key_len != WLAN_KEY_LEN_WEP104))
12336 			return -EINVAL;
12337 		if (key.idx > 3)
12338 			return -EINVAL;
12339 	} else {
12340 		key.p.key_len = 0;
12341 		key.p.key = NULL;
12342 	}
12343 
12344 	if (key.idx >= 0) {
12345 		int i;
12346 		bool ok = false;
12347 
12348 		for (i = 0; i < rdev->wiphy.n_cipher_suites; i++) {
12349 			if (key.p.cipher == rdev->wiphy.cipher_suites[i]) {
12350 				ok = true;
12351 				break;
12352 			}
12353 		}
12354 		if (!ok)
12355 			return -EINVAL;
12356 	}
12357 
12358 	if (!rdev->ops->auth)
12359 		return -EOPNOTSUPP;
12360 
12361 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
12362 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
12363 		return -EOPNOTSUPP;
12364 
12365 	bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
12366 	freq = MHZ_TO_KHZ(nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ]));
12367 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET])
12368 		freq +=
12369 		    nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET]);
12370 
12371 	chan = nl80211_get_valid_chan(&rdev->wiphy, freq);
12372 	if (!chan)
12373 		return -EINVAL;
12374 
12375 	ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
12376 	ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
12377 
12378 	if (info->attrs[NL80211_ATTR_IE]) {
12379 		req.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
12380 		req.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
12381 	}
12382 
12383 	if (info->attrs[NL80211_ATTR_SUPPORTED_SELECTORS]) {
12384 		req.supported_selectors =
12385 			nla_data(info->attrs[NL80211_ATTR_SUPPORTED_SELECTORS]);
12386 		req.supported_selectors_len =
12387 			nla_len(info->attrs[NL80211_ATTR_SUPPORTED_SELECTORS]);
12388 	}
12389 
12390 	auth_type = nla_get_u32(info->attrs[NL80211_ATTR_AUTH_TYPE]);
12391 	if (!nl80211_valid_auth_type(rdev, auth_type, NL80211_CMD_AUTHENTICATE))
12392 		return -EINVAL;
12393 
12394 	if ((auth_type == NL80211_AUTHTYPE_SAE ||
12395 	     auth_type == NL80211_AUTHTYPE_FILS_SK ||
12396 	     auth_type == NL80211_AUTHTYPE_FILS_SK_PFS ||
12397 	     auth_type == NL80211_AUTHTYPE_FILS_PK ||
12398 	     auth_type == NL80211_AUTHTYPE_EPPKE ||
12399 	     auth_type == NL80211_AUTHTYPE_IEEE8021X) &&
12400 	    !info->attrs[NL80211_ATTR_AUTH_DATA])
12401 		return -EINVAL;
12402 
12403 	if (info->attrs[NL80211_ATTR_AUTH_DATA]) {
12404 		if (auth_type != NL80211_AUTHTYPE_SAE &&
12405 		    auth_type != NL80211_AUTHTYPE_FILS_SK &&
12406 		    auth_type != NL80211_AUTHTYPE_FILS_SK_PFS &&
12407 		    auth_type != NL80211_AUTHTYPE_FILS_PK &&
12408 		    auth_type != NL80211_AUTHTYPE_EPPKE &&
12409 		    auth_type != NL80211_AUTHTYPE_IEEE8021X)
12410 			return -EINVAL;
12411 		req.auth_data = nla_data(info->attrs[NL80211_ATTR_AUTH_DATA]);
12412 		req.auth_data_len = nla_len(info->attrs[NL80211_ATTR_AUTH_DATA]);
12413 	}
12414 
12415 	local_state_change = !!info->attrs[NL80211_ATTR_LOCAL_STATE_CHANGE];
12416 
12417 	/*
12418 	 * Since we no longer track auth state, ignore
12419 	 * requests to only change local state.
12420 	 */
12421 	if (local_state_change)
12422 		return 0;
12423 
12424 	req.auth_type = auth_type;
12425 	req.key = key.p.key;
12426 	req.key_len = key.p.key_len;
12427 	req.key_idx = key.idx;
12428 	req.link_id = nl80211_link_id_or_invalid(info->attrs);
12429 	if (req.link_id >= 0) {
12430 		if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_MLO))
12431 			return -EINVAL;
12432 		if (!info->attrs[NL80211_ATTR_MLD_ADDR])
12433 			return -EINVAL;
12434 		req.ap_mld_addr = nla_data(info->attrs[NL80211_ATTR_MLD_ADDR]);
12435 		if (!is_valid_ether_addr(req.ap_mld_addr))
12436 			return -EINVAL;
12437 	}
12438 
12439 	req.bss = cfg80211_get_bss(&rdev->wiphy, chan, bssid, ssid, ssid_len,
12440 				   IEEE80211_BSS_TYPE_ESS,
12441 				   IEEE80211_PRIVACY_ANY);
12442 	if (!req.bss)
12443 		return -ENOENT;
12444 
12445 	err = cfg80211_mlme_auth(rdev, dev, &req);
12446 
12447 	cfg80211_put_bss(&rdev->wiphy, req.bss);
12448 
12449 	return err;
12450 }
12451 
12452 static int validate_pae_over_nl80211(struct cfg80211_registered_device *rdev,
12453 				     struct genl_info *info)
12454 {
12455 	if (!info->attrs[NL80211_ATTR_SOCKET_OWNER]) {
12456 		GENL_SET_ERR_MSG(info, "SOCKET_OWNER not set");
12457 		return -EINVAL;
12458 	}
12459 
12460 	if (!rdev->ops->tx_control_port ||
12461 	    !wiphy_ext_feature_isset(&rdev->wiphy,
12462 				     NL80211_EXT_FEATURE_CONTROL_PORT_OVER_NL80211))
12463 		return -EOPNOTSUPP;
12464 
12465 	return 0;
12466 }
12467 
12468 static int nl80211_crypto_settings(struct cfg80211_registered_device *rdev,
12469 				   struct genl_info *info,
12470 				   struct cfg80211_crypto_settings *settings,
12471 				   int cipher_limit)
12472 {
12473 	memset(settings, 0, sizeof(*settings));
12474 
12475 	settings->control_port = info->attrs[NL80211_ATTR_CONTROL_PORT];
12476 
12477 	if (info->attrs[NL80211_ATTR_CONTROL_PORT_ETHERTYPE]) {
12478 		u16 proto;
12479 
12480 		proto = nla_get_u16(
12481 			info->attrs[NL80211_ATTR_CONTROL_PORT_ETHERTYPE]);
12482 		settings->control_port_ethertype = cpu_to_be16(proto);
12483 		if (!(rdev->wiphy.flags & WIPHY_FLAG_CONTROL_PORT_PROTOCOL) &&
12484 		    proto != ETH_P_PAE)
12485 			return -EINVAL;
12486 		if (info->attrs[NL80211_ATTR_CONTROL_PORT_NO_ENCRYPT])
12487 			settings->control_port_no_encrypt = true;
12488 	} else
12489 		settings->control_port_ethertype = cpu_to_be16(ETH_P_PAE);
12490 
12491 	if (info->attrs[NL80211_ATTR_CONTROL_PORT_OVER_NL80211]) {
12492 		int r = validate_pae_over_nl80211(rdev, info);
12493 
12494 		if (r < 0)
12495 			return r;
12496 
12497 		settings->control_port_over_nl80211 = true;
12498 
12499 		if (info->attrs[NL80211_ATTR_CONTROL_PORT_NO_PREAUTH])
12500 			settings->control_port_no_preauth = true;
12501 	}
12502 
12503 	if (info->attrs[NL80211_ATTR_CIPHER_SUITES_PAIRWISE]) {
12504 		void *data;
12505 		int len, i;
12506 
12507 		data = nla_data(info->attrs[NL80211_ATTR_CIPHER_SUITES_PAIRWISE]);
12508 		len = nla_len(info->attrs[NL80211_ATTR_CIPHER_SUITES_PAIRWISE]);
12509 		settings->n_ciphers_pairwise = len / sizeof(u32);
12510 
12511 		if (len % sizeof(u32))
12512 			return -EINVAL;
12513 
12514 		if (settings->n_ciphers_pairwise > cipher_limit)
12515 			return -EINVAL;
12516 
12517 		memcpy(settings->ciphers_pairwise, data, len);
12518 
12519 		for (i = 0; i < settings->n_ciphers_pairwise; i++)
12520 			if (!cfg80211_supported_cipher_suite(
12521 					&rdev->wiphy,
12522 					settings->ciphers_pairwise[i]))
12523 				return -EINVAL;
12524 	}
12525 
12526 	if (info->attrs[NL80211_ATTR_CIPHER_SUITE_GROUP]) {
12527 		settings->cipher_group =
12528 			nla_get_u32(info->attrs[NL80211_ATTR_CIPHER_SUITE_GROUP]);
12529 		if (!cfg80211_supported_cipher_suite(&rdev->wiphy,
12530 						     settings->cipher_group))
12531 			return -EINVAL;
12532 	}
12533 
12534 	if (info->attrs[NL80211_ATTR_WPA_VERSIONS])
12535 		settings->wpa_versions =
12536 			nla_get_u32(info->attrs[NL80211_ATTR_WPA_VERSIONS]);
12537 
12538 	if (info->attrs[NL80211_ATTR_AKM_SUITES]) {
12539 		void *data;
12540 		int len;
12541 
12542 		data = nla_data(info->attrs[NL80211_ATTR_AKM_SUITES]);
12543 		len = nla_len(info->attrs[NL80211_ATTR_AKM_SUITES]);
12544 		settings->n_akm_suites = len / sizeof(u32);
12545 
12546 		if (len % sizeof(u32))
12547 			return -EINVAL;
12548 
12549 		if (settings->n_akm_suites > rdev->wiphy.max_num_akm_suites)
12550 			return -EINVAL;
12551 
12552 		memcpy(settings->akm_suites, data, len);
12553 	}
12554 
12555 	if (info->attrs[NL80211_ATTR_PMK]) {
12556 		if (nla_len(info->attrs[NL80211_ATTR_PMK]) != WLAN_PMK_LEN)
12557 			return -EINVAL;
12558 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
12559 					     NL80211_EXT_FEATURE_4WAY_HANDSHAKE_STA_PSK) &&
12560 		    !wiphy_ext_feature_isset(&rdev->wiphy,
12561 					     NL80211_EXT_FEATURE_4WAY_HANDSHAKE_AP_PSK))
12562 			return -EINVAL;
12563 		settings->psk = nla_data(info->attrs[NL80211_ATTR_PMK]);
12564 	}
12565 
12566 	if (info->attrs[NL80211_ATTR_SAE_PASSWORD]) {
12567 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
12568 					     NL80211_EXT_FEATURE_SAE_OFFLOAD) &&
12569 		    !wiphy_ext_feature_isset(&rdev->wiphy,
12570 					     NL80211_EXT_FEATURE_SAE_OFFLOAD_AP))
12571 			return -EINVAL;
12572 		settings->sae_pwd =
12573 			nla_data(info->attrs[NL80211_ATTR_SAE_PASSWORD]);
12574 		settings->sae_pwd_len =
12575 			nla_len(info->attrs[NL80211_ATTR_SAE_PASSWORD]);
12576 	}
12577 
12578 	settings->sae_pwe =
12579 		nla_get_u8_default(info->attrs[NL80211_ATTR_SAE_PWE],
12580 				   NL80211_SAE_PWE_UNSPECIFIED);
12581 
12582 	return 0;
12583 }
12584 
12585 static struct cfg80211_bss *nl80211_assoc_bss(struct cfg80211_registered_device *rdev,
12586 					      const u8 *ssid, int ssid_len,
12587 					      struct nlattr **attrs,
12588 					      int assoc_link_id, int link_id)
12589 {
12590 	struct ieee80211_channel *chan;
12591 	struct cfg80211_bss *bss;
12592 	const u8 *bssid;
12593 	u32 freq, use_for = 0;
12594 
12595 	if (!attrs[NL80211_ATTR_MAC] || !attrs[NL80211_ATTR_WIPHY_FREQ])
12596 		return ERR_PTR(-EINVAL);
12597 
12598 	bssid = nla_data(attrs[NL80211_ATTR_MAC]);
12599 
12600 	freq = MHZ_TO_KHZ(nla_get_u32(attrs[NL80211_ATTR_WIPHY_FREQ]));
12601 	if (attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET])
12602 		freq += nla_get_u32(attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET]);
12603 
12604 	chan = nl80211_get_valid_chan(&rdev->wiphy, freq);
12605 	if (!chan)
12606 		return ERR_PTR(-EINVAL);
12607 
12608 	if (assoc_link_id >= 0)
12609 		use_for = NL80211_BSS_USE_FOR_MLD_LINK;
12610 	if (assoc_link_id == link_id)
12611 		use_for |= NL80211_BSS_USE_FOR_NORMAL;
12612 
12613 	bss = __cfg80211_get_bss(&rdev->wiphy, chan, bssid,
12614 				 ssid, ssid_len,
12615 				 IEEE80211_BSS_TYPE_ESS,
12616 				 IEEE80211_PRIVACY_ANY,
12617 				 use_for);
12618 	if (!bss)
12619 		return ERR_PTR(-ENOENT);
12620 
12621 	return bss;
12622 }
12623 
12624 static int nl80211_process_links(struct cfg80211_registered_device *rdev,
12625 				 struct cfg80211_assoc_link *links,
12626 				 int assoc_link_id,
12627 				 const u8 *ssid, int ssid_len,
12628 				 struct genl_info *info)
12629 {
12630 	unsigned int attrsize = NUM_NL80211_ATTR * sizeof(struct nlattr *);
12631 	struct nlattr **attrs __free(kfree) = kzalloc(attrsize, GFP_KERNEL);
12632 	struct nlattr *link;
12633 	unsigned int link_id;
12634 	int rem, err;
12635 
12636 	if (!attrs)
12637 		return -ENOMEM;
12638 
12639 	nla_for_each_nested(link, info->attrs[NL80211_ATTR_MLO_LINKS], rem) {
12640 		memset(attrs, 0, attrsize);
12641 
12642 		nla_parse_nested(attrs, NL80211_ATTR_MAX, link, NULL, NULL);
12643 
12644 		if (!attrs[NL80211_ATTR_MLO_LINK_ID]) {
12645 			NL_SET_BAD_ATTR(info->extack, link);
12646 			return -EINVAL;
12647 		}
12648 
12649 		link_id = nla_get_u8(attrs[NL80211_ATTR_MLO_LINK_ID]);
12650 		/* cannot use the same link ID again */
12651 		if (links[link_id].bss) {
12652 			NL_SET_BAD_ATTR(info->extack, link);
12653 			return -EINVAL;
12654 		}
12655 		links[link_id].bss =
12656 			nl80211_assoc_bss(rdev, ssid, ssid_len, attrs,
12657 					  assoc_link_id, link_id);
12658 		if (IS_ERR(links[link_id].bss)) {
12659 			err = PTR_ERR(links[link_id].bss);
12660 			links[link_id].bss = NULL;
12661 			NL_SET_ERR_MSG_ATTR(info->extack, link,
12662 					    "Error fetching BSS for link");
12663 			return err;
12664 		}
12665 
12666 		if (attrs[NL80211_ATTR_IE]) {
12667 			links[link_id].elems = nla_data(attrs[NL80211_ATTR_IE]);
12668 			links[link_id].elems_len =
12669 				nla_len(attrs[NL80211_ATTR_IE]);
12670 
12671 			if (cfg80211_find_elem(WLAN_EID_FRAGMENT,
12672 					       links[link_id].elems,
12673 					       links[link_id].elems_len)) {
12674 				NL_SET_ERR_MSG_ATTR(info->extack,
12675 						    attrs[NL80211_ATTR_IE],
12676 						    "cannot deal with fragmentation");
12677 				return -EINVAL;
12678 			}
12679 
12680 			if (cfg80211_find_ext_elem(WLAN_EID_EXT_NON_INHERITANCE,
12681 						   links[link_id].elems,
12682 						   links[link_id].elems_len)) {
12683 				NL_SET_ERR_MSG_ATTR(info->extack,
12684 						    attrs[NL80211_ATTR_IE],
12685 						    "cannot deal with non-inheritance");
12686 				return -EINVAL;
12687 			}
12688 		}
12689 	}
12690 
12691 	return 0;
12692 }
12693 
12694 static int nl80211_associate(struct sk_buff *skb, struct genl_info *info)
12695 {
12696 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12697 	struct net_device *dev = info->user_ptr[1];
12698 	struct cfg80211_assoc_request req = {};
12699 	const u8 *ap_addr, *ssid;
12700 	unsigned int link_id;
12701 	int err, ssid_len;
12702 
12703 	if (dev->ieee80211_ptr->conn_owner_nlportid &&
12704 	    dev->ieee80211_ptr->conn_owner_nlportid != info->snd_portid)
12705 		return -EPERM;
12706 
12707 	if (!info->attrs[NL80211_ATTR_SSID])
12708 		return -EINVAL;
12709 
12710 	if (!rdev->ops->assoc)
12711 		return -EOPNOTSUPP;
12712 
12713 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
12714 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
12715 		return -EOPNOTSUPP;
12716 
12717 	ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
12718 	ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
12719 
12720 	if (info->attrs[NL80211_ATTR_IE]) {
12721 		req.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
12722 		req.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
12723 
12724 		if (cfg80211_find_ext_elem(WLAN_EID_EXT_NON_INHERITANCE,
12725 					   req.ie, req.ie_len)) {
12726 			NL_SET_ERR_MSG_ATTR(info->extack,
12727 					    info->attrs[NL80211_ATTR_IE],
12728 					    "non-inheritance makes no sense");
12729 			return -EINVAL;
12730 		}
12731 	}
12732 
12733 	if (info->attrs[NL80211_ATTR_USE_MFP]) {
12734 		enum nl80211_mfp mfp =
12735 			nla_get_u32(info->attrs[NL80211_ATTR_USE_MFP]);
12736 		if (mfp == NL80211_MFP_REQUIRED)
12737 			req.use_mfp = true;
12738 		else if (mfp != NL80211_MFP_NO)
12739 			return -EINVAL;
12740 	}
12741 
12742 	if (info->attrs[NL80211_ATTR_PREV_BSSID])
12743 		req.prev_bssid = nla_data(info->attrs[NL80211_ATTR_PREV_BSSID]);
12744 
12745 	if (info->attrs[NL80211_ATTR_SUPPORTED_SELECTORS]) {
12746 		req.supported_selectors =
12747 			nla_data(info->attrs[NL80211_ATTR_SUPPORTED_SELECTORS]);
12748 		req.supported_selectors_len =
12749 			nla_len(info->attrs[NL80211_ATTR_SUPPORTED_SELECTORS]);
12750 	}
12751 
12752 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_HT]))
12753 		req.flags |= ASSOC_REQ_DISABLE_HT;
12754 
12755 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
12756 		memcpy(&req.ht_capa_mask,
12757 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK]),
12758 		       sizeof(req.ht_capa_mask));
12759 
12760 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY]) {
12761 		if (!info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
12762 			return -EINVAL;
12763 		memcpy(&req.ht_capa,
12764 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]),
12765 		       sizeof(req.ht_capa));
12766 	}
12767 
12768 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_VHT]))
12769 		req.flags |= ASSOC_REQ_DISABLE_VHT;
12770 
12771 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_HE]))
12772 		req.flags |= ASSOC_REQ_DISABLE_HE;
12773 
12774 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_EHT]))
12775 		req.flags |= ASSOC_REQ_DISABLE_EHT;
12776 
12777 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_UHR]))
12778 		req.flags |= ASSOC_REQ_DISABLE_UHR;
12779 
12780 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK])
12781 		memcpy(&req.vht_capa_mask,
12782 		       nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK]),
12783 		       sizeof(req.vht_capa_mask));
12784 
12785 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY]) {
12786 		if (!info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK])
12787 			return -EINVAL;
12788 		memcpy(&req.vht_capa,
12789 		       nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]),
12790 		       sizeof(req.vht_capa));
12791 	}
12792 
12793 	if (nla_get_flag(info->attrs[NL80211_ATTR_USE_RRM])) {
12794 		if (!((rdev->wiphy.features &
12795 			NL80211_FEATURE_DS_PARAM_SET_IE_IN_PROBES) &&
12796 		       (rdev->wiphy.features & NL80211_FEATURE_QUIET)) &&
12797 		    !wiphy_ext_feature_isset(&rdev->wiphy,
12798 					     NL80211_EXT_FEATURE_RRM))
12799 			return -EINVAL;
12800 		req.flags |= ASSOC_REQ_USE_RRM;
12801 	}
12802 
12803 	if (info->attrs[NL80211_ATTR_FILS_KEK]) {
12804 		req.fils_kek = nla_data(info->attrs[NL80211_ATTR_FILS_KEK]);
12805 		req.fils_kek_len = nla_len(info->attrs[NL80211_ATTR_FILS_KEK]);
12806 		if (!info->attrs[NL80211_ATTR_FILS_NONCES])
12807 			return -EINVAL;
12808 		req.fils_nonces =
12809 			nla_data(info->attrs[NL80211_ATTR_FILS_NONCES]);
12810 	}
12811 
12812 	if (info->attrs[NL80211_ATTR_S1G_CAPABILITY_MASK]) {
12813 		if (!info->attrs[NL80211_ATTR_S1G_CAPABILITY])
12814 			return -EINVAL;
12815 		memcpy(&req.s1g_capa_mask,
12816 		       nla_data(info->attrs[NL80211_ATTR_S1G_CAPABILITY_MASK]),
12817 		       sizeof(req.s1g_capa_mask));
12818 	}
12819 
12820 	if (info->attrs[NL80211_ATTR_S1G_CAPABILITY]) {
12821 		if (!info->attrs[NL80211_ATTR_S1G_CAPABILITY_MASK])
12822 			return -EINVAL;
12823 		memcpy(&req.s1g_capa,
12824 		       nla_data(info->attrs[NL80211_ATTR_S1G_CAPABILITY]),
12825 		       sizeof(req.s1g_capa));
12826 	}
12827 
12828 	if (nla_get_flag(info->attrs[NL80211_ATTR_ASSOC_SPP_AMSDU])) {
12829 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
12830 					     NL80211_EXT_FEATURE_SPP_AMSDU_SUPPORT)) {
12831 			GENL_SET_ERR_MSG(info, "SPP A-MSDUs not supported");
12832 			return -EINVAL;
12833 		}
12834 		req.flags |= ASSOC_REQ_SPP_AMSDU;
12835 	}
12836 
12837 	req.link_id = nl80211_link_id_or_invalid(info->attrs);
12838 
12839 	if (info->attrs[NL80211_ATTR_MLO_LINKS]) {
12840 		if (req.link_id < 0)
12841 			return -EINVAL;
12842 
12843 		if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_MLO))
12844 			return -EINVAL;
12845 
12846 		if (info->attrs[NL80211_ATTR_MAC] ||
12847 		    info->attrs[NL80211_ATTR_WIPHY_FREQ] ||
12848 		    !info->attrs[NL80211_ATTR_MLD_ADDR])
12849 			return -EINVAL;
12850 
12851 		req.ap_mld_addr = nla_data(info->attrs[NL80211_ATTR_MLD_ADDR]);
12852 		ap_addr = req.ap_mld_addr;
12853 
12854 		err = nl80211_process_links(rdev, req.links, req.link_id,
12855 					    ssid, ssid_len, info);
12856 		if (err)
12857 			goto free;
12858 
12859 		if (!req.links[req.link_id].bss) {
12860 			err = -EINVAL;
12861 			goto free;
12862 		}
12863 
12864 		if (req.links[req.link_id].elems_len) {
12865 			GENL_SET_ERR_MSG(info,
12866 					 "cannot have per-link elems on assoc link");
12867 			err = -EINVAL;
12868 			goto free;
12869 		}
12870 
12871 		if (info->attrs[NL80211_ATTR_ASSOC_MLD_EXT_CAPA_OPS])
12872 			req.ext_mld_capa_ops =
12873 				nla_get_u16(info->attrs[NL80211_ATTR_ASSOC_MLD_EXT_CAPA_OPS]);
12874 	} else {
12875 		if (req.link_id >= 0)
12876 			return -EINVAL;
12877 
12878 		req.bss = nl80211_assoc_bss(rdev, ssid, ssid_len, info->attrs,
12879 					    -1, -1);
12880 		if (IS_ERR(req.bss))
12881 			return PTR_ERR(req.bss);
12882 		ap_addr = req.bss->bssid;
12883 
12884 		if (info->attrs[NL80211_ATTR_ASSOC_MLD_EXT_CAPA_OPS])
12885 			return -EINVAL;
12886 	}
12887 
12888 	err = nl80211_crypto_settings(rdev, info, &req.crypto, 1);
12889 	if (!err) {
12890 		struct nlattr *link;
12891 		int rem = 0;
12892 
12893 		err = cfg80211_mlme_assoc(rdev, dev, &req,
12894 					  info->extack);
12895 
12896 		if (!err && info->attrs[NL80211_ATTR_SOCKET_OWNER]) {
12897 			dev->ieee80211_ptr->conn_owner_nlportid =
12898 				info->snd_portid;
12899 			memcpy(dev->ieee80211_ptr->disconnect_bssid,
12900 			       ap_addr, ETH_ALEN);
12901 		}
12902 
12903 		/* Report error from first problematic link */
12904 		if (info->attrs[NL80211_ATTR_MLO_LINKS]) {
12905 			nla_for_each_nested(link,
12906 					    info->attrs[NL80211_ATTR_MLO_LINKS],
12907 					    rem) {
12908 				struct nlattr *link_id_attr =
12909 					nla_find_nested(link, NL80211_ATTR_MLO_LINK_ID);
12910 
12911 				if (!link_id_attr)
12912 					continue;
12913 
12914 				link_id = nla_get_u8(link_id_attr);
12915 
12916 				if (link_id == req.link_id)
12917 					continue;
12918 
12919 				if (!req.links[link_id].error ||
12920 				    WARN_ON(req.links[link_id].error > 0))
12921 					continue;
12922 
12923 				WARN_ON(err >= 0);
12924 
12925 				NL_SET_BAD_ATTR(info->extack, link);
12926 				err = req.links[link_id].error;
12927 				break;
12928 			}
12929 		}
12930 	}
12931 
12932 free:
12933 	for (link_id = 0; link_id < ARRAY_SIZE(req.links); link_id++)
12934 		cfg80211_put_bss(&rdev->wiphy, req.links[link_id].bss);
12935 	cfg80211_put_bss(&rdev->wiphy, req.bss);
12936 
12937 	return err;
12938 }
12939 
12940 static int nl80211_deauthenticate(struct sk_buff *skb, struct genl_info *info)
12941 {
12942 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12943 	struct net_device *dev = info->user_ptr[1];
12944 	const u8 *ie = NULL, *bssid;
12945 	int ie_len = 0;
12946 	u16 reason_code;
12947 	bool local_state_change;
12948 
12949 	if (dev->ieee80211_ptr->conn_owner_nlportid &&
12950 	    dev->ieee80211_ptr->conn_owner_nlportid != info->snd_portid)
12951 		return -EPERM;
12952 
12953 	if (!info->attrs[NL80211_ATTR_MAC])
12954 		return -EINVAL;
12955 
12956 	if (!info->attrs[NL80211_ATTR_REASON_CODE])
12957 		return -EINVAL;
12958 
12959 	if (!rdev->ops->deauth)
12960 		return -EOPNOTSUPP;
12961 
12962 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
12963 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
12964 		return -EOPNOTSUPP;
12965 
12966 	bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
12967 
12968 	reason_code = nla_get_u16(info->attrs[NL80211_ATTR_REASON_CODE]);
12969 	if (reason_code == 0) {
12970 		/* Reason Code 0 is reserved */
12971 		return -EINVAL;
12972 	}
12973 
12974 	if (info->attrs[NL80211_ATTR_IE]) {
12975 		ie = nla_data(info->attrs[NL80211_ATTR_IE]);
12976 		ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
12977 	}
12978 
12979 	local_state_change = !!info->attrs[NL80211_ATTR_LOCAL_STATE_CHANGE];
12980 
12981 	return cfg80211_mlme_deauth(rdev, dev, bssid, ie, ie_len, reason_code,
12982 				    local_state_change);
12983 }
12984 
12985 static int nl80211_disassociate(struct sk_buff *skb, struct genl_info *info)
12986 {
12987 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12988 	struct net_device *dev = info->user_ptr[1];
12989 	const u8 *ie = NULL, *bssid;
12990 	int ie_len = 0;
12991 	u16 reason_code;
12992 	bool local_state_change;
12993 
12994 	if (dev->ieee80211_ptr->conn_owner_nlportid &&
12995 	    dev->ieee80211_ptr->conn_owner_nlportid != info->snd_portid)
12996 		return -EPERM;
12997 
12998 	if (!info->attrs[NL80211_ATTR_MAC])
12999 		return -EINVAL;
13000 
13001 	if (!info->attrs[NL80211_ATTR_REASON_CODE])
13002 		return -EINVAL;
13003 
13004 	if (!rdev->ops->disassoc)
13005 		return -EOPNOTSUPP;
13006 
13007 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
13008 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
13009 		return -EOPNOTSUPP;
13010 
13011 	bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
13012 
13013 	reason_code = nla_get_u16(info->attrs[NL80211_ATTR_REASON_CODE]);
13014 	if (reason_code == 0) {
13015 		/* Reason Code 0 is reserved */
13016 		return -EINVAL;
13017 	}
13018 
13019 	if (info->attrs[NL80211_ATTR_IE]) {
13020 		ie = nla_data(info->attrs[NL80211_ATTR_IE]);
13021 		ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
13022 	}
13023 
13024 	local_state_change = !!info->attrs[NL80211_ATTR_LOCAL_STATE_CHANGE];
13025 
13026 	return cfg80211_mlme_disassoc(rdev, dev, bssid, ie, ie_len, reason_code,
13027 				      local_state_change);
13028 }
13029 
13030 static bool
13031 nl80211_parse_mcast_rate(struct cfg80211_registered_device *rdev,
13032 			 int mcast_rate[NUM_NL80211_BANDS],
13033 			 int rateval)
13034 {
13035 	struct wiphy *wiphy = &rdev->wiphy;
13036 	bool found = false;
13037 	int band, i;
13038 
13039 	for (band = 0; band < NUM_NL80211_BANDS; band++) {
13040 		struct ieee80211_supported_band *sband;
13041 
13042 		sband = wiphy->bands[band];
13043 		if (!sband)
13044 			continue;
13045 
13046 		for (i = 0; i < sband->n_bitrates; i++) {
13047 			if (sband->bitrates[i].bitrate == rateval) {
13048 				mcast_rate[band] = i + 1;
13049 				found = true;
13050 				break;
13051 			}
13052 		}
13053 	}
13054 
13055 	return found;
13056 }
13057 
13058 static int nl80211_join_ibss(struct sk_buff *skb, struct genl_info *info)
13059 {
13060 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13061 	struct net_device *dev = info->user_ptr[1];
13062 	struct cfg80211_ibss_params ibss;
13063 	struct wiphy *wiphy;
13064 	struct cfg80211_cached_keys *connkeys = NULL;
13065 	int err;
13066 
13067 	memset(&ibss, 0, sizeof(ibss));
13068 
13069 	if (!info->attrs[NL80211_ATTR_SSID] ||
13070 	    !nla_len(info->attrs[NL80211_ATTR_SSID]))
13071 		return -EINVAL;
13072 
13073 	ibss.beacon_interval = 100;
13074 
13075 	if (info->attrs[NL80211_ATTR_BEACON_INTERVAL])
13076 		ibss.beacon_interval =
13077 			nla_get_u32(info->attrs[NL80211_ATTR_BEACON_INTERVAL]);
13078 
13079 	err = cfg80211_validate_beacon_int(rdev, NL80211_IFTYPE_ADHOC,
13080 					   ibss.beacon_interval);
13081 	if (err)
13082 		return err;
13083 
13084 	if (!rdev->ops->join_ibss)
13085 		return -EOPNOTSUPP;
13086 
13087 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_ADHOC)
13088 		return -EOPNOTSUPP;
13089 
13090 	wiphy = &rdev->wiphy;
13091 
13092 	if (info->attrs[NL80211_ATTR_MAC]) {
13093 		ibss.bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
13094 
13095 		if (!is_valid_ether_addr(ibss.bssid))
13096 			return -EINVAL;
13097 	}
13098 	ibss.ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
13099 	ibss.ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
13100 
13101 	if (info->attrs[NL80211_ATTR_IE]) {
13102 		ibss.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
13103 		ibss.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
13104 	}
13105 
13106 	err = nl80211_parse_chandef(rdev, info->extack, info->attrs,
13107 				    &ibss.chandef);
13108 	if (err)
13109 		return err;
13110 
13111 	if (!cfg80211_reg_can_beacon(&rdev->wiphy, &ibss.chandef,
13112 				     NL80211_IFTYPE_ADHOC))
13113 		return -EINVAL;
13114 
13115 	switch (ibss.chandef.width) {
13116 	case NL80211_CHAN_WIDTH_5:
13117 	case NL80211_CHAN_WIDTH_10:
13118 	case NL80211_CHAN_WIDTH_20_NOHT:
13119 		break;
13120 	case NL80211_CHAN_WIDTH_20:
13121 	case NL80211_CHAN_WIDTH_40:
13122 		if (!(rdev->wiphy.features & NL80211_FEATURE_HT_IBSS))
13123 			return -EINVAL;
13124 		break;
13125 	case NL80211_CHAN_WIDTH_80:
13126 	case NL80211_CHAN_WIDTH_80P80:
13127 	case NL80211_CHAN_WIDTH_160:
13128 		if (!(rdev->wiphy.features & NL80211_FEATURE_HT_IBSS))
13129 			return -EINVAL;
13130 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
13131 					     NL80211_EXT_FEATURE_VHT_IBSS))
13132 			return -EINVAL;
13133 		break;
13134 	case NL80211_CHAN_WIDTH_320:
13135 		return -EINVAL;
13136 	default:
13137 		return -EINVAL;
13138 	}
13139 
13140 	ibss.channel_fixed = !!info->attrs[NL80211_ATTR_FREQ_FIXED];
13141 	ibss.privacy = !!info->attrs[NL80211_ATTR_PRIVACY];
13142 
13143 	if (info->attrs[NL80211_ATTR_BSS_BASIC_RATES]) {
13144 		u8 *rates =
13145 			nla_data(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
13146 		int n_rates =
13147 			nla_len(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
13148 		struct ieee80211_supported_band *sband =
13149 			wiphy->bands[ibss.chandef.chan->band];
13150 
13151 		err = ieee80211_get_ratemask(sband, rates, n_rates,
13152 					     &ibss.basic_rates);
13153 		if (err)
13154 			return err;
13155 	}
13156 
13157 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
13158 		memcpy(&ibss.ht_capa_mask,
13159 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK]),
13160 		       sizeof(ibss.ht_capa_mask));
13161 
13162 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY]) {
13163 		if (!info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
13164 			return -EINVAL;
13165 		memcpy(&ibss.ht_capa,
13166 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]),
13167 		       sizeof(ibss.ht_capa));
13168 	}
13169 
13170 	if (info->attrs[NL80211_ATTR_MCAST_RATE] &&
13171 	    !nl80211_parse_mcast_rate(rdev, ibss.mcast_rate,
13172 			nla_get_u32(info->attrs[NL80211_ATTR_MCAST_RATE])))
13173 		return -EINVAL;
13174 
13175 	if (ibss.privacy && info->attrs[NL80211_ATTR_KEYS]) {
13176 		bool no_ht = false;
13177 
13178 		connkeys = nl80211_parse_connkeys(rdev, info, &no_ht);
13179 		if (IS_ERR(connkeys))
13180 			return PTR_ERR(connkeys);
13181 
13182 		if ((ibss.chandef.width != NL80211_CHAN_WIDTH_20_NOHT) &&
13183 		    no_ht) {
13184 			kfree_sensitive(connkeys);
13185 			return -EINVAL;
13186 		}
13187 	}
13188 
13189 	ibss.control_port =
13190 		nla_get_flag(info->attrs[NL80211_ATTR_CONTROL_PORT]);
13191 
13192 	if (info->attrs[NL80211_ATTR_CONTROL_PORT_OVER_NL80211]) {
13193 		int r = validate_pae_over_nl80211(rdev, info);
13194 
13195 		if (r < 0) {
13196 			kfree_sensitive(connkeys);
13197 			return r;
13198 		}
13199 
13200 		ibss.control_port_over_nl80211 = true;
13201 	}
13202 
13203 	ibss.userspace_handles_dfs =
13204 		nla_get_flag(info->attrs[NL80211_ATTR_HANDLE_DFS]);
13205 
13206 	err = __cfg80211_join_ibss(rdev, dev, &ibss, connkeys);
13207 	if (err)
13208 		kfree_sensitive(connkeys);
13209 	else if (info->attrs[NL80211_ATTR_SOCKET_OWNER])
13210 		dev->ieee80211_ptr->conn_owner_nlportid = info->snd_portid;
13211 
13212 	return err;
13213 }
13214 
13215 static int nl80211_leave_ibss(struct sk_buff *skb, struct genl_info *info)
13216 {
13217 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13218 	struct net_device *dev = info->user_ptr[1];
13219 
13220 	if (!rdev->ops->leave_ibss)
13221 		return -EOPNOTSUPP;
13222 
13223 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_ADHOC)
13224 		return -EOPNOTSUPP;
13225 
13226 	return cfg80211_leave_ibss(rdev, dev, false);
13227 }
13228 
13229 static int nl80211_set_mcast_rate(struct sk_buff *skb, struct genl_info *info)
13230 {
13231 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13232 	struct net_device *dev = info->user_ptr[1];
13233 	int mcast_rate[NUM_NL80211_BANDS];
13234 	u32 nla_rate;
13235 
13236 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_ADHOC &&
13237 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT &&
13238 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_OCB)
13239 		return -EOPNOTSUPP;
13240 
13241 	if (!rdev->ops->set_mcast_rate)
13242 		return -EOPNOTSUPP;
13243 
13244 	memset(mcast_rate, 0, sizeof(mcast_rate));
13245 
13246 	if (!info->attrs[NL80211_ATTR_MCAST_RATE])
13247 		return -EINVAL;
13248 
13249 	nla_rate = nla_get_u32(info->attrs[NL80211_ATTR_MCAST_RATE]);
13250 	if (!nl80211_parse_mcast_rate(rdev, mcast_rate, nla_rate))
13251 		return -EINVAL;
13252 
13253 	return rdev_set_mcast_rate(rdev, dev, mcast_rate);
13254 }
13255 
13256 static struct sk_buff *
13257 __cfg80211_alloc_vendor_skb(struct cfg80211_registered_device *rdev,
13258 			    struct wireless_dev *wdev, int approxlen,
13259 			    u32 portid, u32 seq, enum nl80211_commands cmd,
13260 			    enum nl80211_attrs attr,
13261 			    const struct nl80211_vendor_cmd_info *info,
13262 			    gfp_t gfp)
13263 {
13264 	struct sk_buff *skb;
13265 	void *hdr;
13266 	struct nlattr *data;
13267 
13268 	skb = nlmsg_new(approxlen + 100, gfp);
13269 	if (!skb)
13270 		return NULL;
13271 
13272 	hdr = nl80211hdr_put(skb, portid, seq, 0, cmd);
13273 	if (!hdr) {
13274 		kfree_skb(skb);
13275 		return NULL;
13276 	}
13277 
13278 	if (nla_put_u32(skb, NL80211_ATTR_WIPHY, rdev->wiphy_idx))
13279 		goto nla_put_failure;
13280 
13281 	if (info) {
13282 		if (nla_put_u32(skb, NL80211_ATTR_VENDOR_ID,
13283 				info->vendor_id))
13284 			goto nla_put_failure;
13285 		if (nla_put_u32(skb, NL80211_ATTR_VENDOR_SUBCMD,
13286 				info->subcmd))
13287 			goto nla_put_failure;
13288 	}
13289 
13290 	if (wdev) {
13291 		if (nla_put_u64_64bit(skb, NL80211_ATTR_WDEV,
13292 				      wdev_id(wdev), NL80211_ATTR_PAD))
13293 			goto nla_put_failure;
13294 		if (wdev->netdev &&
13295 		    nla_put_u32(skb, NL80211_ATTR_IFINDEX,
13296 				wdev->netdev->ifindex))
13297 			goto nla_put_failure;
13298 	}
13299 
13300 	data = nla_nest_start_noflag(skb, attr);
13301 	if (!data)
13302 		goto nla_put_failure;
13303 
13304 	((void **)skb->cb)[0] = rdev;
13305 	((void **)skb->cb)[1] = hdr;
13306 	((void **)skb->cb)[2] = data;
13307 
13308 	return skb;
13309 
13310  nla_put_failure:
13311 	kfree_skb(skb);
13312 	return NULL;
13313 }
13314 
13315 struct sk_buff *__cfg80211_alloc_event_skb(struct wiphy *wiphy,
13316 					   struct wireless_dev *wdev,
13317 					   enum nl80211_commands cmd,
13318 					   enum nl80211_attrs attr,
13319 					   unsigned int portid,
13320 					   int vendor_event_idx,
13321 					   int approxlen, gfp_t gfp)
13322 {
13323 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
13324 	const struct nl80211_vendor_cmd_info *info;
13325 
13326 	switch (cmd) {
13327 	case NL80211_CMD_TESTMODE:
13328 		if (WARN_ON(vendor_event_idx != -1))
13329 			return NULL;
13330 		info = NULL;
13331 		break;
13332 	case NL80211_CMD_VENDOR:
13333 		if (WARN_ON(vendor_event_idx < 0 ||
13334 			    vendor_event_idx >= wiphy->n_vendor_events))
13335 			return NULL;
13336 		info = &wiphy->vendor_events[vendor_event_idx];
13337 		break;
13338 	default:
13339 		WARN_ON(1);
13340 		return NULL;
13341 	}
13342 
13343 	return __cfg80211_alloc_vendor_skb(rdev, wdev, approxlen, portid, 0,
13344 					   cmd, attr, info, gfp);
13345 }
13346 EXPORT_SYMBOL(__cfg80211_alloc_event_skb);
13347 
13348 void __cfg80211_send_event_skb(struct sk_buff *skb, gfp_t gfp)
13349 {
13350 	struct cfg80211_registered_device *rdev = ((void **)skb->cb)[0];
13351 	void *hdr = ((void **)skb->cb)[1];
13352 	struct nlmsghdr *nlhdr = nlmsg_hdr(skb);
13353 	struct nlattr *data = ((void **)skb->cb)[2];
13354 	enum nl80211_multicast_groups mcgrp = NL80211_MCGRP_TESTMODE;
13355 
13356 	/* clear CB data for netlink core to own from now on */
13357 	memset(skb->cb, 0, sizeof(skb->cb));
13358 
13359 	nla_nest_end(skb, data);
13360 	genlmsg_end(skb, hdr);
13361 
13362 	if (nlhdr->nlmsg_pid) {
13363 		genlmsg_unicast(wiphy_net(&rdev->wiphy), skb,
13364 				nlhdr->nlmsg_pid);
13365 	} else {
13366 		if (data->nla_type == NL80211_ATTR_VENDOR_DATA)
13367 			mcgrp = NL80211_MCGRP_VENDOR;
13368 
13369 		genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy),
13370 					skb, 0, mcgrp, gfp);
13371 	}
13372 }
13373 EXPORT_SYMBOL(__cfg80211_send_event_skb);
13374 
13375 #ifdef CONFIG_NL80211_TESTMODE
13376 static int nl80211_testmode_do(struct sk_buff *skb, struct genl_info *info)
13377 {
13378 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13379 	struct wireless_dev *wdev;
13380 	int err;
13381 
13382 	lockdep_assert_held(&rdev->wiphy.mtx);
13383 
13384 	wdev = __cfg80211_wdev_from_attrs(rdev, genl_info_net(info),
13385 					  info->attrs);
13386 
13387 	if (!rdev->ops->testmode_cmd)
13388 		return -EOPNOTSUPP;
13389 
13390 	if (IS_ERR(wdev)) {
13391 		err = PTR_ERR(wdev);
13392 		if (err != -EINVAL)
13393 			return err;
13394 		wdev = NULL;
13395 	} else if (wdev->wiphy != &rdev->wiphy) {
13396 		return -EINVAL;
13397 	}
13398 
13399 	if (!info->attrs[NL80211_ATTR_TESTDATA])
13400 		return -EINVAL;
13401 
13402 	rdev->cur_cmd_info = info;
13403 	err = rdev_testmode_cmd(rdev, wdev,
13404 				nla_data(info->attrs[NL80211_ATTR_TESTDATA]),
13405 				nla_len(info->attrs[NL80211_ATTR_TESTDATA]));
13406 	rdev->cur_cmd_info = NULL;
13407 
13408 	return err;
13409 }
13410 
13411 static int nl80211_testmode_dump(struct sk_buff *skb,
13412 				 struct netlink_callback *cb)
13413 {
13414 	struct cfg80211_registered_device *rdev;
13415 	struct nlattr **attrbuf = NULL;
13416 	int err;
13417 	long phy_idx;
13418 	void *data = NULL;
13419 	int data_len = 0;
13420 
13421 	rtnl_lock();
13422 
13423 	if (cb->args[0]) {
13424 		/*
13425 		 * 0 is a valid index, but not valid for args[0],
13426 		 * so we need to offset by 1.
13427 		 */
13428 		phy_idx = cb->args[0] - 1;
13429 
13430 		rdev = cfg80211_rdev_by_wiphy_idx(phy_idx);
13431 		if (!rdev) {
13432 			err = -ENOENT;
13433 			goto out_err;
13434 		}
13435 	} else {
13436 		attrbuf = kzalloc_objs(*attrbuf, NUM_NL80211_ATTR);
13437 		if (!attrbuf) {
13438 			err = -ENOMEM;
13439 			goto out_err;
13440 		}
13441 
13442 		err = nlmsg_parse_deprecated(cb->nlh,
13443 					     GENL_HDRLEN + nl80211_fam.hdrsize,
13444 					     attrbuf, nl80211_fam.maxattr,
13445 					     nl80211_policy, NULL);
13446 		if (err)
13447 			goto out_err;
13448 
13449 		rdev = __cfg80211_rdev_from_attrs(sock_net(skb->sk), attrbuf);
13450 		if (IS_ERR(rdev)) {
13451 			err = PTR_ERR(rdev);
13452 			goto out_err;
13453 		}
13454 		phy_idx = rdev->wiphy_idx;
13455 
13456 		if (attrbuf[NL80211_ATTR_TESTDATA])
13457 			cb->args[1] = (long)attrbuf[NL80211_ATTR_TESTDATA];
13458 	}
13459 
13460 	if (cb->args[1]) {
13461 		data = nla_data((void *)cb->args[1]);
13462 		data_len = nla_len((void *)cb->args[1]);
13463 	}
13464 
13465 	if (!rdev->ops->testmode_dump) {
13466 		err = -EOPNOTSUPP;
13467 		goto out_err;
13468 	}
13469 
13470 	while (1) {
13471 		void *hdr = nl80211hdr_put(skb, NETLINK_CB(cb->skb).portid,
13472 					   cb->nlh->nlmsg_seq, NLM_F_MULTI,
13473 					   NL80211_CMD_TESTMODE);
13474 		struct nlattr *tmdata;
13475 
13476 		if (!hdr)
13477 			break;
13478 
13479 		if (nla_put_u32(skb, NL80211_ATTR_WIPHY, phy_idx)) {
13480 			genlmsg_cancel(skb, hdr);
13481 			break;
13482 		}
13483 
13484 		tmdata = nla_nest_start_noflag(skb, NL80211_ATTR_TESTDATA);
13485 		if (!tmdata) {
13486 			genlmsg_cancel(skb, hdr);
13487 			break;
13488 		}
13489 		err = rdev_testmode_dump(rdev, skb, cb, data, data_len);
13490 		nla_nest_end(skb, tmdata);
13491 
13492 		if (err == -ENOBUFS || err == -ENOENT) {
13493 			genlmsg_cancel(skb, hdr);
13494 			break;
13495 		} else if (err) {
13496 			genlmsg_cancel(skb, hdr);
13497 			goto out_err;
13498 		}
13499 
13500 		genlmsg_end(skb, hdr);
13501 	}
13502 
13503 	err = skb->len;
13504 	/* see above */
13505 	cb->args[0] = phy_idx + 1;
13506  out_err:
13507 	kfree(attrbuf);
13508 	rtnl_unlock();
13509 	return err;
13510 }
13511 #endif
13512 
13513 static int nl80211_connect(struct sk_buff *skb, struct genl_info *info)
13514 {
13515 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13516 	struct net_device *dev = info->user_ptr[1];
13517 	struct cfg80211_connect_params connect;
13518 	struct wiphy *wiphy;
13519 	struct cfg80211_cached_keys *connkeys = NULL;
13520 	u32 freq = 0;
13521 	int err;
13522 
13523 	memset(&connect, 0, sizeof(connect));
13524 
13525 	if (!info->attrs[NL80211_ATTR_SSID] ||
13526 	    !nla_len(info->attrs[NL80211_ATTR_SSID]))
13527 		return -EINVAL;
13528 
13529 	if (info->attrs[NL80211_ATTR_AUTH_TYPE]) {
13530 		connect.auth_type =
13531 			nla_get_u32(info->attrs[NL80211_ATTR_AUTH_TYPE]);
13532 		if (!nl80211_valid_auth_type(rdev, connect.auth_type,
13533 					     NL80211_CMD_CONNECT))
13534 			return -EINVAL;
13535 	} else
13536 		connect.auth_type = NL80211_AUTHTYPE_AUTOMATIC;
13537 
13538 	connect.privacy = info->attrs[NL80211_ATTR_PRIVACY];
13539 
13540 	if (info->attrs[NL80211_ATTR_WANT_1X_4WAY_HS] &&
13541 	    !wiphy_ext_feature_isset(&rdev->wiphy,
13542 				     NL80211_EXT_FEATURE_4WAY_HANDSHAKE_STA_1X))
13543 		return -EINVAL;
13544 	connect.want_1x = info->attrs[NL80211_ATTR_WANT_1X_4WAY_HS];
13545 
13546 	err = nl80211_crypto_settings(rdev, info, &connect.crypto,
13547 				      NL80211_MAX_NR_CIPHER_SUITES);
13548 	if (err)
13549 		return err;
13550 
13551 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
13552 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
13553 		return -EOPNOTSUPP;
13554 
13555 	wiphy = &rdev->wiphy;
13556 
13557 	connect.bg_scan_period = -1;
13558 	if (info->attrs[NL80211_ATTR_BG_SCAN_PERIOD] &&
13559 		(wiphy->flags & WIPHY_FLAG_SUPPORTS_FW_ROAM)) {
13560 		connect.bg_scan_period =
13561 			nla_get_u16(info->attrs[NL80211_ATTR_BG_SCAN_PERIOD]);
13562 	}
13563 
13564 	if (info->attrs[NL80211_ATTR_MAC])
13565 		connect.bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
13566 	else if (info->attrs[NL80211_ATTR_MAC_HINT])
13567 		connect.bssid_hint =
13568 			nla_data(info->attrs[NL80211_ATTR_MAC_HINT]);
13569 	connect.ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
13570 	connect.ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
13571 
13572 	if (info->attrs[NL80211_ATTR_IE]) {
13573 		connect.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
13574 		connect.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
13575 	}
13576 
13577 	if (info->attrs[NL80211_ATTR_USE_MFP]) {
13578 		connect.mfp = nla_get_u32(info->attrs[NL80211_ATTR_USE_MFP]);
13579 		if (connect.mfp == NL80211_MFP_OPTIONAL &&
13580 		    !wiphy_ext_feature_isset(&rdev->wiphy,
13581 					     NL80211_EXT_FEATURE_MFP_OPTIONAL))
13582 			return -EOPNOTSUPP;
13583 	} else {
13584 		connect.mfp = NL80211_MFP_NO;
13585 	}
13586 
13587 	if (info->attrs[NL80211_ATTR_PREV_BSSID])
13588 		connect.prev_bssid =
13589 			nla_data(info->attrs[NL80211_ATTR_PREV_BSSID]);
13590 
13591 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ])
13592 		freq = MHZ_TO_KHZ(nla_get_u32(
13593 					info->attrs[NL80211_ATTR_WIPHY_FREQ]));
13594 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET])
13595 		freq +=
13596 		    nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET]);
13597 
13598 	if (freq) {
13599 		connect.channel = nl80211_get_valid_chan(wiphy, freq);
13600 		if (!connect.channel)
13601 			return -EINVAL;
13602 	} else if (info->attrs[NL80211_ATTR_WIPHY_FREQ_HINT]) {
13603 		freq = nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ_HINT]);
13604 		freq = MHZ_TO_KHZ(freq);
13605 		connect.channel_hint = nl80211_get_valid_chan(wiphy, freq);
13606 		if (!connect.channel_hint)
13607 			return -EINVAL;
13608 	}
13609 
13610 	if (info->attrs[NL80211_ATTR_WIPHY_EDMG_CHANNELS]) {
13611 		connect.edmg.channels =
13612 		      nla_get_u8(info->attrs[NL80211_ATTR_WIPHY_EDMG_CHANNELS]);
13613 
13614 		if (info->attrs[NL80211_ATTR_WIPHY_EDMG_BW_CONFIG])
13615 			connect.edmg.bw_config =
13616 				nla_get_u8(info->attrs[NL80211_ATTR_WIPHY_EDMG_BW_CONFIG]);
13617 	}
13618 
13619 	if (connect.privacy && info->attrs[NL80211_ATTR_KEYS]) {
13620 		connkeys = nl80211_parse_connkeys(rdev, info, NULL);
13621 		if (IS_ERR(connkeys))
13622 			return PTR_ERR(connkeys);
13623 	}
13624 
13625 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_HT]))
13626 		connect.flags |= ASSOC_REQ_DISABLE_HT;
13627 
13628 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
13629 		memcpy(&connect.ht_capa_mask,
13630 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK]),
13631 		       sizeof(connect.ht_capa_mask));
13632 
13633 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY]) {
13634 		if (!info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK]) {
13635 			kfree_sensitive(connkeys);
13636 			return -EINVAL;
13637 		}
13638 		memcpy(&connect.ht_capa,
13639 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]),
13640 		       sizeof(connect.ht_capa));
13641 	}
13642 
13643 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_VHT]))
13644 		connect.flags |= ASSOC_REQ_DISABLE_VHT;
13645 
13646 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_HE]))
13647 		connect.flags |= ASSOC_REQ_DISABLE_HE;
13648 
13649 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_EHT]))
13650 		connect.flags |= ASSOC_REQ_DISABLE_EHT;
13651 
13652 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_UHR]))
13653 		connect.flags |= ASSOC_REQ_DISABLE_UHR;
13654 
13655 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK])
13656 		memcpy(&connect.vht_capa_mask,
13657 		       nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK]),
13658 		       sizeof(connect.vht_capa_mask));
13659 
13660 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY]) {
13661 		if (!info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK]) {
13662 			kfree_sensitive(connkeys);
13663 			return -EINVAL;
13664 		}
13665 		memcpy(&connect.vht_capa,
13666 		       nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]),
13667 		       sizeof(connect.vht_capa));
13668 	}
13669 
13670 	if (nla_get_flag(info->attrs[NL80211_ATTR_USE_RRM])) {
13671 		if (!((rdev->wiphy.features &
13672 			NL80211_FEATURE_DS_PARAM_SET_IE_IN_PROBES) &&
13673 		       (rdev->wiphy.features & NL80211_FEATURE_QUIET)) &&
13674 		    !wiphy_ext_feature_isset(&rdev->wiphy,
13675 					     NL80211_EXT_FEATURE_RRM)) {
13676 			kfree_sensitive(connkeys);
13677 			return -EINVAL;
13678 		}
13679 		connect.flags |= ASSOC_REQ_USE_RRM;
13680 	}
13681 
13682 	connect.pbss = nla_get_flag(info->attrs[NL80211_ATTR_PBSS]);
13683 	if (connect.pbss && !rdev->wiphy.bands[NL80211_BAND_60GHZ]) {
13684 		kfree_sensitive(connkeys);
13685 		return -EOPNOTSUPP;
13686 	}
13687 
13688 	if (info->attrs[NL80211_ATTR_BSS_SELECT]) {
13689 		/* bss selection makes no sense if bssid is set */
13690 		if (connect.bssid) {
13691 			kfree_sensitive(connkeys);
13692 			return -EINVAL;
13693 		}
13694 
13695 		err = parse_bss_select(info->attrs[NL80211_ATTR_BSS_SELECT],
13696 				       wiphy, &connect.bss_select);
13697 		if (err) {
13698 			kfree_sensitive(connkeys);
13699 			return err;
13700 		}
13701 	}
13702 
13703 	if (wiphy_ext_feature_isset(&rdev->wiphy,
13704 				    NL80211_EXT_FEATURE_FILS_SK_OFFLOAD) &&
13705 	    info->attrs[NL80211_ATTR_FILS_ERP_USERNAME] &&
13706 	    info->attrs[NL80211_ATTR_FILS_ERP_REALM] &&
13707 	    info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM] &&
13708 	    info->attrs[NL80211_ATTR_FILS_ERP_RRK]) {
13709 		connect.fils_erp_username =
13710 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_USERNAME]);
13711 		connect.fils_erp_username_len =
13712 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_USERNAME]);
13713 		connect.fils_erp_realm =
13714 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_REALM]);
13715 		connect.fils_erp_realm_len =
13716 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_REALM]);
13717 		connect.fils_erp_next_seq_num =
13718 			nla_get_u16(
13719 			   info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM]);
13720 		connect.fils_erp_rrk =
13721 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_RRK]);
13722 		connect.fils_erp_rrk_len =
13723 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_RRK]);
13724 	} else if (info->attrs[NL80211_ATTR_FILS_ERP_USERNAME] ||
13725 		   info->attrs[NL80211_ATTR_FILS_ERP_REALM] ||
13726 		   info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM] ||
13727 		   info->attrs[NL80211_ATTR_FILS_ERP_RRK]) {
13728 		kfree_sensitive(connkeys);
13729 		return -EINVAL;
13730 	}
13731 
13732 	if (nla_get_flag(info->attrs[NL80211_ATTR_EXTERNAL_AUTH_SUPPORT])) {
13733 		if (!info->attrs[NL80211_ATTR_SOCKET_OWNER]) {
13734 			kfree_sensitive(connkeys);
13735 			GENL_SET_ERR_MSG(info,
13736 					 "external auth requires connection ownership");
13737 			return -EINVAL;
13738 		}
13739 		connect.flags |= CONNECT_REQ_EXTERNAL_AUTH_SUPPORT;
13740 	}
13741 
13742 	if (nla_get_flag(info->attrs[NL80211_ATTR_MLO_SUPPORT]))
13743 		connect.flags |= CONNECT_REQ_MLO_SUPPORT;
13744 
13745 	err = cfg80211_connect(rdev, dev, &connect, connkeys,
13746 			       connect.prev_bssid);
13747 	if (err)
13748 		kfree_sensitive(connkeys);
13749 
13750 	if (!err && info->attrs[NL80211_ATTR_SOCKET_OWNER]) {
13751 		dev->ieee80211_ptr->conn_owner_nlportid = info->snd_portid;
13752 		if (connect.bssid)
13753 			memcpy(dev->ieee80211_ptr->disconnect_bssid,
13754 			       connect.bssid, ETH_ALEN);
13755 		else
13756 			eth_zero_addr(dev->ieee80211_ptr->disconnect_bssid);
13757 	}
13758 
13759 	return err;
13760 }
13761 
13762 static int nl80211_update_connect_params(struct sk_buff *skb,
13763 					 struct genl_info *info)
13764 {
13765 	struct cfg80211_connect_params connect = {};
13766 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13767 	struct net_device *dev = info->user_ptr[1];
13768 	struct wireless_dev *wdev = dev->ieee80211_ptr;
13769 	bool fils_sk_offload;
13770 	u32 auth_type;
13771 	u32 changed = 0;
13772 
13773 	if (!rdev->ops->update_connect_params)
13774 		return -EOPNOTSUPP;
13775 
13776 	if (info->attrs[NL80211_ATTR_IE]) {
13777 		connect.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
13778 		connect.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
13779 		changed |= UPDATE_ASSOC_IES;
13780 	}
13781 
13782 	fils_sk_offload = wiphy_ext_feature_isset(&rdev->wiphy,
13783 						  NL80211_EXT_FEATURE_FILS_SK_OFFLOAD);
13784 
13785 	/*
13786 	 * when driver supports fils-sk offload all attributes must be
13787 	 * provided. So the else covers "fils-sk-not-all" and
13788 	 * "no-fils-sk-any".
13789 	 */
13790 	if (fils_sk_offload &&
13791 	    info->attrs[NL80211_ATTR_FILS_ERP_USERNAME] &&
13792 	    info->attrs[NL80211_ATTR_FILS_ERP_REALM] &&
13793 	    info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM] &&
13794 	    info->attrs[NL80211_ATTR_FILS_ERP_RRK]) {
13795 		connect.fils_erp_username =
13796 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_USERNAME]);
13797 		connect.fils_erp_username_len =
13798 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_USERNAME]);
13799 		connect.fils_erp_realm =
13800 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_REALM]);
13801 		connect.fils_erp_realm_len =
13802 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_REALM]);
13803 		connect.fils_erp_next_seq_num =
13804 			nla_get_u16(
13805 			   info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM]);
13806 		connect.fils_erp_rrk =
13807 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_RRK]);
13808 		connect.fils_erp_rrk_len =
13809 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_RRK]);
13810 		changed |= UPDATE_FILS_ERP_INFO;
13811 	} else if (info->attrs[NL80211_ATTR_FILS_ERP_USERNAME] ||
13812 		   info->attrs[NL80211_ATTR_FILS_ERP_REALM] ||
13813 		   info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM] ||
13814 		   info->attrs[NL80211_ATTR_FILS_ERP_RRK]) {
13815 		return -EINVAL;
13816 	}
13817 
13818 	if (info->attrs[NL80211_ATTR_AUTH_TYPE]) {
13819 		auth_type = nla_get_u32(info->attrs[NL80211_ATTR_AUTH_TYPE]);
13820 		if (!nl80211_valid_auth_type(rdev, auth_type,
13821 					     NL80211_CMD_CONNECT))
13822 			return -EINVAL;
13823 
13824 		if (auth_type == NL80211_AUTHTYPE_FILS_SK &&
13825 		    fils_sk_offload && !(changed & UPDATE_FILS_ERP_INFO))
13826 			return -EINVAL;
13827 
13828 		connect.auth_type = auth_type;
13829 		changed |= UPDATE_AUTH_TYPE;
13830 	}
13831 
13832 	if (!wdev->connected)
13833 		return -ENOLINK;
13834 
13835 	return rdev_update_connect_params(rdev, dev, &connect, changed);
13836 }
13837 
13838 static int nl80211_disconnect(struct sk_buff *skb, struct genl_info *info)
13839 {
13840 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13841 	struct net_device *dev = info->user_ptr[1];
13842 	u16 reason;
13843 
13844 	if (dev->ieee80211_ptr->conn_owner_nlportid &&
13845 	    dev->ieee80211_ptr->conn_owner_nlportid != info->snd_portid)
13846 		return -EPERM;
13847 
13848 	reason = nla_get_u16_default(info->attrs[NL80211_ATTR_REASON_CODE],
13849 				     WLAN_REASON_DEAUTH_LEAVING);
13850 
13851 	if (reason == 0)
13852 		return -EINVAL;
13853 
13854 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
13855 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
13856 		return -EOPNOTSUPP;
13857 
13858 	return cfg80211_disconnect(rdev, dev, reason, true);
13859 }
13860 
13861 static int nl80211_wiphy_netns(struct sk_buff *skb, struct genl_info *info)
13862 {
13863 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13864 	struct net *net;
13865 	int err;
13866 
13867 	if (info->attrs[NL80211_ATTR_PID]) {
13868 		u32 pid = nla_get_u32(info->attrs[NL80211_ATTR_PID]);
13869 
13870 		net = get_net_ns_by_pid(pid);
13871 	} else if (info->attrs[NL80211_ATTR_NETNS_FD]) {
13872 		u32 fd = nla_get_u32(info->attrs[NL80211_ATTR_NETNS_FD]);
13873 
13874 		net = get_net_ns_by_fd(fd);
13875 	} else {
13876 		return -EINVAL;
13877 	}
13878 
13879 	if (IS_ERR(net))
13880 		return PTR_ERR(net);
13881 
13882 	/*
13883 	 * The caller already has CAP_NET_ADMIN over the source netns
13884 	 * (enforced by GENL_UNS_ADMIN_PERM on the genl op). Mirror the
13885 	 * convention used by net/core/rtnetlink.c::rtnl_get_net_ns_capable()
13886 	 * and require CAP_NET_ADMIN over the target netns as well, so that
13887 	 * a caller that is privileged in their own user namespace cannot
13888 	 * push a wiphy into a netns where they have no privilege.
13889 	 */
13890 	if (!ns_capable(net->user_ns, CAP_NET_ADMIN)) {
13891 		put_net(net);
13892 		return -EPERM;
13893 	}
13894 
13895 	err = 0;
13896 
13897 	/* check if anything to do */
13898 	if (!net_eq(wiphy_net(&rdev->wiphy), net))
13899 		err = cfg80211_switch_netns(rdev, net);
13900 
13901 	put_net(net);
13902 	return err;
13903 }
13904 
13905 static int nl80211_set_pmksa(struct sk_buff *skb, struct genl_info *info)
13906 {
13907 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13908 	struct net_device *dev = info->user_ptr[1];
13909 	struct cfg80211_pmksa pmksa;
13910 	bool ap_pmksa_caching_support = false;
13911 
13912 	memset(&pmksa, 0, sizeof(struct cfg80211_pmksa));
13913 
13914 	ap_pmksa_caching_support = wiphy_ext_feature_isset(&rdev->wiphy,
13915 		NL80211_EXT_FEATURE_AP_PMKSA_CACHING);
13916 
13917 	if (!info->attrs[NL80211_ATTR_PMKID])
13918 		return -EINVAL;
13919 
13920 	pmksa.pmkid = nla_data(info->attrs[NL80211_ATTR_PMKID]);
13921 
13922 	if (info->attrs[NL80211_ATTR_MAC]) {
13923 		pmksa.bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
13924 	} else if (info->attrs[NL80211_ATTR_SSID] &&
13925 	           info->attrs[NL80211_ATTR_FILS_CACHE_ID] &&
13926 	           info->attrs[NL80211_ATTR_PMK]) {
13927 		pmksa.ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
13928 		pmksa.ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
13929 		pmksa.cache_id = nla_data(info->attrs[NL80211_ATTR_FILS_CACHE_ID]);
13930 	} else {
13931 		return -EINVAL;
13932 	}
13933 
13934 	if (info->attrs[NL80211_ATTR_PMK]) {
13935 		pmksa.pmk = nla_data(info->attrs[NL80211_ATTR_PMK]);
13936 		pmksa.pmk_len = nla_len(info->attrs[NL80211_ATTR_PMK]);
13937 	}
13938 
13939 	if (info->attrs[NL80211_ATTR_PMK_LIFETIME])
13940 		pmksa.pmk_lifetime =
13941 			nla_get_u32(info->attrs[NL80211_ATTR_PMK_LIFETIME]);
13942 
13943 	if (info->attrs[NL80211_ATTR_PMK_REAUTH_THRESHOLD])
13944 		pmksa.pmk_reauth_threshold =
13945 			nla_get_u8(info->attrs[NL80211_ATTR_PMK_REAUTH_THRESHOLD]);
13946 
13947 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
13948 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT &&
13949 	    !((dev->ieee80211_ptr->iftype == NL80211_IFTYPE_AP ||
13950 	       dev->ieee80211_ptr->iftype == NL80211_IFTYPE_P2P_GO) &&
13951 	       ap_pmksa_caching_support))
13952 		return -EOPNOTSUPP;
13953 
13954 	if (!rdev->ops->set_pmksa)
13955 		return -EOPNOTSUPP;
13956 
13957 	return rdev_set_pmksa(rdev, dev, &pmksa);
13958 }
13959 
13960 static int nl80211_del_pmksa(struct sk_buff *skb, struct genl_info *info)
13961 {
13962 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13963 	struct net_device *dev = info->user_ptr[1];
13964 	struct cfg80211_pmksa pmksa;
13965 	bool sae_offload_support = false;
13966 	bool owe_offload_support = false;
13967 	bool ap_pmksa_caching_support = false;
13968 
13969 	memset(&pmksa, 0, sizeof(struct cfg80211_pmksa));
13970 
13971 	sae_offload_support = wiphy_ext_feature_isset(&rdev->wiphy,
13972 		NL80211_EXT_FEATURE_SAE_OFFLOAD);
13973 	owe_offload_support = wiphy_ext_feature_isset(&rdev->wiphy,
13974 		NL80211_EXT_FEATURE_OWE_OFFLOAD);
13975 	ap_pmksa_caching_support = wiphy_ext_feature_isset(&rdev->wiphy,
13976 		NL80211_EXT_FEATURE_AP_PMKSA_CACHING);
13977 
13978 	if (info->attrs[NL80211_ATTR_PMKID])
13979 		pmksa.pmkid = nla_data(info->attrs[NL80211_ATTR_PMKID]);
13980 
13981 	if (info->attrs[NL80211_ATTR_MAC]) {
13982 		pmksa.bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
13983 	} else if (info->attrs[NL80211_ATTR_SSID]) {
13984 		/* SSID based pmksa flush supported only for FILS,
13985 		 * OWE/SAE OFFLOAD cases
13986 		 */
13987 		if (info->attrs[NL80211_ATTR_FILS_CACHE_ID] &&
13988 		    info->attrs[NL80211_ATTR_PMK]) {
13989 			pmksa.cache_id = nla_data(info->attrs[NL80211_ATTR_FILS_CACHE_ID]);
13990 		} else if (!sae_offload_support && !owe_offload_support) {
13991 			return -EINVAL;
13992 		}
13993 		pmksa.ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
13994 		pmksa.ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
13995 	} else {
13996 		return -EINVAL;
13997 	}
13998 
13999 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
14000 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT &&
14001 	    !((dev->ieee80211_ptr->iftype == NL80211_IFTYPE_AP ||
14002 	       dev->ieee80211_ptr->iftype == NL80211_IFTYPE_P2P_GO) &&
14003 	       ap_pmksa_caching_support))
14004 		return -EOPNOTSUPP;
14005 
14006 	if (!rdev->ops->del_pmksa)
14007 		return -EOPNOTSUPP;
14008 
14009 	return rdev_del_pmksa(rdev, dev, &pmksa);
14010 }
14011 
14012 static int nl80211_flush_pmksa(struct sk_buff *skb, struct genl_info *info)
14013 {
14014 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14015 	struct net_device *dev = info->user_ptr[1];
14016 
14017 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
14018 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
14019 		return -EOPNOTSUPP;
14020 
14021 	if (!rdev->ops->flush_pmksa)
14022 		return -EOPNOTSUPP;
14023 
14024 	return rdev_flush_pmksa(rdev, dev);
14025 }
14026 
14027 static int nl80211_tdls_mgmt(struct sk_buff *skb, struct genl_info *info)
14028 {
14029 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14030 	struct net_device *dev = info->user_ptr[1];
14031 	u8 action_code, dialog_token;
14032 	u32 peer_capability = 0;
14033 	u16 status_code;
14034 	u8 *peer;
14035 	int link_id;
14036 	bool initiator;
14037 
14038 	if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) ||
14039 	    !rdev->ops->tdls_mgmt)
14040 		return -EOPNOTSUPP;
14041 
14042 	if (!info->attrs[NL80211_ATTR_TDLS_ACTION] ||
14043 	    !info->attrs[NL80211_ATTR_STATUS_CODE] ||
14044 	    !info->attrs[NL80211_ATTR_TDLS_DIALOG_TOKEN] ||
14045 	    !info->attrs[NL80211_ATTR_IE] ||
14046 	    !info->attrs[NL80211_ATTR_MAC])
14047 		return -EINVAL;
14048 
14049 	peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
14050 	action_code = nla_get_u8(info->attrs[NL80211_ATTR_TDLS_ACTION]);
14051 	status_code = nla_get_u16(info->attrs[NL80211_ATTR_STATUS_CODE]);
14052 	dialog_token = nla_get_u8(info->attrs[NL80211_ATTR_TDLS_DIALOG_TOKEN]);
14053 	initiator = nla_get_flag(info->attrs[NL80211_ATTR_TDLS_INITIATOR]);
14054 	if (info->attrs[NL80211_ATTR_TDLS_PEER_CAPABILITY])
14055 		peer_capability =
14056 			nla_get_u32(info->attrs[NL80211_ATTR_TDLS_PEER_CAPABILITY]);
14057 	link_id = nl80211_link_id_or_invalid(info->attrs);
14058 
14059 	return rdev_tdls_mgmt(rdev, dev, peer, link_id, action_code,
14060 			      dialog_token, status_code, peer_capability,
14061 			      initiator,
14062 			      nla_data(info->attrs[NL80211_ATTR_IE]),
14063 			      nla_len(info->attrs[NL80211_ATTR_IE]));
14064 }
14065 
14066 static int nl80211_tdls_oper(struct sk_buff *skb, struct genl_info *info)
14067 {
14068 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14069 	struct net_device *dev = info->user_ptr[1];
14070 	enum nl80211_tdls_operation operation;
14071 	u8 *peer;
14072 
14073 	if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) ||
14074 	    !rdev->ops->tdls_oper)
14075 		return -EOPNOTSUPP;
14076 
14077 	if (!info->attrs[NL80211_ATTR_TDLS_OPERATION] ||
14078 	    !info->attrs[NL80211_ATTR_MAC])
14079 		return -EINVAL;
14080 
14081 	operation = nla_get_u8(info->attrs[NL80211_ATTR_TDLS_OPERATION]);
14082 	peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
14083 
14084 	return rdev_tdls_oper(rdev, dev, peer, operation);
14085 }
14086 
14087 static int nl80211_remain_on_channel(struct sk_buff *skb,
14088 				     struct genl_info *info)
14089 {
14090 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14091 	unsigned int link_id = nl80211_link_id(info->attrs);
14092 	struct wireless_dev *wdev = info->user_ptr[1];
14093 	struct cfg80211_chan_def chandef;
14094 	struct sk_buff *msg;
14095 	void *hdr;
14096 	u64 cookie;
14097 	u32 duration;
14098 	int err;
14099 
14100 	if (!info->attrs[NL80211_ATTR_WIPHY_FREQ] ||
14101 	    !info->attrs[NL80211_ATTR_DURATION])
14102 		return -EINVAL;
14103 
14104 	duration = nla_get_u32(info->attrs[NL80211_ATTR_DURATION]);
14105 
14106 	if (!rdev->ops->remain_on_channel ||
14107 	    !(rdev->wiphy.flags & WIPHY_FLAG_HAS_REMAIN_ON_CHANNEL))
14108 		return -EOPNOTSUPP;
14109 
14110 	/*
14111 	 * We should be on that channel for at least a minimum amount of
14112 	 * time (10ms) but no longer than the driver supports.
14113 	 */
14114 	if (duration < NL80211_MIN_REMAIN_ON_CHANNEL_TIME ||
14115 	    duration > rdev->wiphy.max_remain_on_channel_duration)
14116 		return -EINVAL;
14117 
14118 	err = nl80211_parse_chandef(rdev, info->extack, info->attrs, &chandef);
14119 	if (err)
14120 		return err;
14121 
14122 	if (!cfg80211_off_channel_oper_allowed(wdev, chandef.chan)) {
14123 		const struct cfg80211_chan_def *oper_chandef, *compat_chandef;
14124 
14125 		oper_chandef = wdev_chandef(wdev, link_id);
14126 
14127 		if (WARN_ON(!oper_chandef)) {
14128 			/* cannot happen since we must beacon to get here */
14129 			WARN_ON(1);
14130 			return -EBUSY;
14131 		}
14132 
14133 		/* note: returns first one if identical chandefs */
14134 		compat_chandef = cfg80211_chandef_compatible(&chandef,
14135 							     oper_chandef);
14136 
14137 		if (compat_chandef != &chandef)
14138 			return -EBUSY;
14139 	}
14140 
14141 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
14142 	if (!msg)
14143 		return -ENOMEM;
14144 
14145 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
14146 			     NL80211_CMD_REMAIN_ON_CHANNEL);
14147 	if (!hdr) {
14148 		err = -ENOBUFS;
14149 		goto free_msg;
14150 	}
14151 
14152 	err = rdev_remain_on_channel(rdev, wdev, chandef.chan,
14153 				     duration, &cookie);
14154 
14155 	if (err)
14156 		goto free_msg;
14157 
14158 	if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
14159 			      NL80211_ATTR_PAD))
14160 		goto nla_put_failure;
14161 
14162 	genlmsg_end(msg, hdr);
14163 
14164 	return genlmsg_reply(msg, info);
14165 
14166  nla_put_failure:
14167 	err = -ENOBUFS;
14168  free_msg:
14169 	nlmsg_free(msg);
14170 	return err;
14171 }
14172 
14173 static int nl80211_cancel_remain_on_channel(struct sk_buff *skb,
14174 					    struct genl_info *info)
14175 {
14176 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14177 	struct wireless_dev *wdev = info->user_ptr[1];
14178 	u64 cookie;
14179 
14180 	if (!info->attrs[NL80211_ATTR_COOKIE])
14181 		return -EINVAL;
14182 
14183 	if (!rdev->ops->cancel_remain_on_channel)
14184 		return -EOPNOTSUPP;
14185 
14186 	cookie = nla_get_u64(info->attrs[NL80211_ATTR_COOKIE]);
14187 
14188 	return rdev_cancel_remain_on_channel(rdev, wdev, cookie);
14189 }
14190 
14191 static int nl80211_set_tx_bitrate_mask(struct sk_buff *skb,
14192 				       struct genl_info *info)
14193 {
14194 	struct cfg80211_bitrate_mask mask;
14195 	unsigned int link_id = nl80211_link_id(info->attrs);
14196 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14197 	struct net_device *dev = info->user_ptr[1];
14198 	int err;
14199 
14200 	if (!rdev->ops->set_bitrate_mask)
14201 		return -EOPNOTSUPP;
14202 
14203 	err = nl80211_parse_tx_bitrate_mask(info, info->attrs,
14204 					    NL80211_ATTR_TX_RATES, &mask,
14205 					    dev, true, link_id);
14206 	if (err)
14207 		return err;
14208 
14209 	return rdev_set_bitrate_mask(rdev, dev, link_id, NULL, &mask);
14210 }
14211 
14212 static int nl80211_register_mgmt(struct sk_buff *skb, struct genl_info *info)
14213 {
14214 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14215 	struct wireless_dev *wdev = info->user_ptr[1];
14216 	u16 frame_type = IEEE80211_FTYPE_MGMT | IEEE80211_STYPE_ACTION;
14217 
14218 	if (!info->attrs[NL80211_ATTR_FRAME_MATCH])
14219 		return -EINVAL;
14220 
14221 	if (info->attrs[NL80211_ATTR_FRAME_TYPE])
14222 		frame_type = nla_get_u16(info->attrs[NL80211_ATTR_FRAME_TYPE]);
14223 
14224 	switch (wdev->iftype) {
14225 	case NL80211_IFTYPE_STATION:
14226 	case NL80211_IFTYPE_ADHOC:
14227 	case NL80211_IFTYPE_P2P_CLIENT:
14228 	case NL80211_IFTYPE_AP:
14229 	case NL80211_IFTYPE_AP_VLAN:
14230 	case NL80211_IFTYPE_MESH_POINT:
14231 	case NL80211_IFTYPE_P2P_GO:
14232 	case NL80211_IFTYPE_P2P_DEVICE:
14233 		break;
14234 	case NL80211_IFTYPE_NAN:
14235 	case NL80211_IFTYPE_NAN_DATA:
14236 		if (!wiphy_ext_feature_isset(wdev->wiphy,
14237 					     NL80211_EXT_FEATURE_SECURE_NAN) &&
14238 		    !(wdev->wiphy->nan_capa.flags &
14239 		      WIPHY_NAN_FLAGS_USERSPACE_DE))
14240 			return -EOPNOTSUPP;
14241 		break;
14242 	default:
14243 		return -EOPNOTSUPP;
14244 	}
14245 
14246 	/* not much point in registering if we can't reply */
14247 	if (!rdev->ops->mgmt_tx)
14248 		return -EOPNOTSUPP;
14249 
14250 	if (info->attrs[NL80211_ATTR_RECEIVE_MULTICAST] &&
14251 	    !wiphy_ext_feature_isset(&rdev->wiphy,
14252 				     NL80211_EXT_FEATURE_MULTICAST_REGISTRATIONS)) {
14253 		GENL_SET_ERR_MSG(info,
14254 				 "multicast RX registrations are not supported");
14255 		return -EOPNOTSUPP;
14256 	}
14257 
14258 	return cfg80211_mlme_register_mgmt(wdev, info->snd_portid, frame_type,
14259 					   nla_data(info->attrs[NL80211_ATTR_FRAME_MATCH]),
14260 					   nla_len(info->attrs[NL80211_ATTR_FRAME_MATCH]),
14261 					   info->attrs[NL80211_ATTR_RECEIVE_MULTICAST],
14262 					   info->extack);
14263 }
14264 
14265 static int nl80211_tx_mgmt(struct sk_buff *skb, struct genl_info *info)
14266 {
14267 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14268 	struct wireless_dev *wdev = info->user_ptr[1];
14269 	struct cfg80211_chan_def chandef;
14270 	int err;
14271 	void *hdr = NULL;
14272 	u64 cookie;
14273 	struct sk_buff *msg = NULL;
14274 	struct cfg80211_mgmt_tx_params params = {
14275 		.dont_wait_for_ack =
14276 			info->attrs[NL80211_ATTR_DONT_WAIT_FOR_ACK],
14277 	};
14278 
14279 	if (!info->attrs[NL80211_ATTR_FRAME])
14280 		return -EINVAL;
14281 
14282 	if (!rdev->ops->mgmt_tx)
14283 		return -EOPNOTSUPP;
14284 
14285 	switch (wdev->iftype) {
14286 	case NL80211_IFTYPE_P2P_DEVICE:
14287 		if (!info->attrs[NL80211_ATTR_WIPHY_FREQ])
14288 			return -EINVAL;
14289 		break;
14290 	case NL80211_IFTYPE_STATION:
14291 	case NL80211_IFTYPE_ADHOC:
14292 	case NL80211_IFTYPE_P2P_CLIENT:
14293 	case NL80211_IFTYPE_AP:
14294 	case NL80211_IFTYPE_AP_VLAN:
14295 	case NL80211_IFTYPE_MESH_POINT:
14296 	case NL80211_IFTYPE_P2P_GO:
14297 		break;
14298 	case NL80211_IFTYPE_NAN:
14299 	case NL80211_IFTYPE_NAN_DATA:
14300 		if (!wiphy_ext_feature_isset(wdev->wiphy,
14301 					     NL80211_EXT_FEATURE_SECURE_NAN) &&
14302 		    !(wdev->wiphy->nan_capa.flags &
14303 		      WIPHY_NAN_FLAGS_USERSPACE_DE))
14304 			return -EOPNOTSUPP;
14305 		break;
14306 	default:
14307 		return -EOPNOTSUPP;
14308 	}
14309 
14310 	if (info->attrs[NL80211_ATTR_DURATION]) {
14311 		if (!(rdev->wiphy.flags & WIPHY_FLAG_OFFCHAN_TX))
14312 			return -EINVAL;
14313 		params.wait = nla_get_u32(info->attrs[NL80211_ATTR_DURATION]);
14314 
14315 		/*
14316 		 * We should wait on the channel for at least a minimum amount
14317 		 * of time (10ms) but no longer than the driver supports.
14318 		 */
14319 		if (params.wait < NL80211_MIN_REMAIN_ON_CHANNEL_TIME ||
14320 		    params.wait > rdev->wiphy.max_remain_on_channel_duration)
14321 			return -EINVAL;
14322 	}
14323 
14324 	params.offchan = info->attrs[NL80211_ATTR_OFFCHANNEL_TX_OK];
14325 
14326 	if (params.offchan && !(rdev->wiphy.flags & WIPHY_FLAG_OFFCHAN_TX))
14327 		return -EINVAL;
14328 
14329 	params.no_cck = nla_get_flag(info->attrs[NL80211_ATTR_TX_NO_CCK_RATE]);
14330 
14331 	/* get the channel if any has been specified, otherwise pass NULL to
14332 	 * the driver. The latter will use the current one
14333 	 */
14334 	chandef.chan = NULL;
14335 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
14336 		err = nl80211_parse_chandef(rdev, info->extack, info->attrs,
14337 					    &chandef);
14338 		if (err)
14339 			return err;
14340 	}
14341 
14342 	if (!chandef.chan && params.offchan)
14343 		return -EINVAL;
14344 
14345 	if (params.offchan &&
14346 	    !cfg80211_off_channel_oper_allowed(wdev, chandef.chan))
14347 		return -EBUSY;
14348 
14349 	params.link_id = nl80211_link_id_or_invalid(info->attrs);
14350 	/*
14351 	 * This now races due to the unlock, but we cannot check
14352 	 * the valid links for the _station_ anyway, so that's up
14353 	 * to the driver.
14354 	 */
14355 	if (params.link_id >= 0 &&
14356 	    !(wdev->valid_links & BIT(params.link_id)))
14357 		return -EINVAL;
14358 
14359 	params.buf = nla_data(info->attrs[NL80211_ATTR_FRAME]);
14360 	params.len = nla_len(info->attrs[NL80211_ATTR_FRAME]);
14361 
14362 	err = nl80211_parse_counter_offsets(rdev, NULL, params.len, -1,
14363 					    info->attrs[NL80211_ATTR_CSA_C_OFFSETS_TX],
14364 					    &params.csa_offsets,
14365 					    &params.n_csa_offsets);
14366 	if (err)
14367 		return err;
14368 
14369 	if (!params.dont_wait_for_ack) {
14370 		msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
14371 		if (!msg)
14372 			return -ENOMEM;
14373 
14374 		hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
14375 				     NL80211_CMD_FRAME);
14376 		if (!hdr) {
14377 			err = -ENOBUFS;
14378 			goto free_msg;
14379 		}
14380 	}
14381 
14382 	params.chan = chandef.chan;
14383 	err = cfg80211_mlme_mgmt_tx(rdev, wdev, &params, &cookie);
14384 	if (err)
14385 		goto free_msg;
14386 
14387 	if (msg) {
14388 		if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
14389 				      NL80211_ATTR_PAD))
14390 			goto nla_put_failure;
14391 
14392 		genlmsg_end(msg, hdr);
14393 		return genlmsg_reply(msg, info);
14394 	}
14395 
14396 	return 0;
14397 
14398  nla_put_failure:
14399 	err = -ENOBUFS;
14400  free_msg:
14401 	nlmsg_free(msg);
14402 	return err;
14403 }
14404 
14405 static int nl80211_tx_mgmt_cancel_wait(struct sk_buff *skb, struct genl_info *info)
14406 {
14407 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14408 	struct wireless_dev *wdev = info->user_ptr[1];
14409 	u64 cookie;
14410 
14411 	if (!info->attrs[NL80211_ATTR_COOKIE])
14412 		return -EINVAL;
14413 
14414 	if (!rdev->ops->mgmt_tx_cancel_wait)
14415 		return -EOPNOTSUPP;
14416 
14417 	switch (wdev->iftype) {
14418 	case NL80211_IFTYPE_STATION:
14419 	case NL80211_IFTYPE_ADHOC:
14420 	case NL80211_IFTYPE_P2P_CLIENT:
14421 	case NL80211_IFTYPE_AP:
14422 	case NL80211_IFTYPE_AP_VLAN:
14423 	case NL80211_IFTYPE_P2P_GO:
14424 	case NL80211_IFTYPE_P2P_DEVICE:
14425 		break;
14426 	case NL80211_IFTYPE_NAN:
14427 		if (!wiphy_ext_feature_isset(wdev->wiphy,
14428 					     NL80211_EXT_FEATURE_SECURE_NAN))
14429 			return -EOPNOTSUPP;
14430 		break;
14431 	default:
14432 		return -EOPNOTSUPP;
14433 	}
14434 
14435 	cookie = nla_get_u64(info->attrs[NL80211_ATTR_COOKIE]);
14436 
14437 	return rdev_mgmt_tx_cancel_wait(rdev, wdev, cookie);
14438 }
14439 
14440 static int nl80211_set_power_save(struct sk_buff *skb, struct genl_info *info)
14441 {
14442 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14443 	struct wireless_dev *wdev;
14444 	struct net_device *dev = info->user_ptr[1];
14445 	u8 ps_state;
14446 	bool state;
14447 	int err;
14448 
14449 	if (!info->attrs[NL80211_ATTR_PS_STATE])
14450 		return -EINVAL;
14451 
14452 	ps_state = nla_get_u32(info->attrs[NL80211_ATTR_PS_STATE]);
14453 
14454 	wdev = dev->ieee80211_ptr;
14455 
14456 	if (!rdev->ops->set_power_mgmt)
14457 		return -EOPNOTSUPP;
14458 
14459 	state = (ps_state == NL80211_PS_ENABLED) ? true : false;
14460 
14461 	if (state == wdev->ps)
14462 		return 0;
14463 
14464 	err = rdev_set_power_mgmt(rdev, dev, state, wdev->ps_timeout);
14465 	if (!err)
14466 		wdev->ps = state;
14467 	return err;
14468 }
14469 
14470 static int nl80211_get_power_save(struct sk_buff *skb, struct genl_info *info)
14471 {
14472 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14473 	enum nl80211_ps_state ps_state;
14474 	struct wireless_dev *wdev;
14475 	struct net_device *dev = info->user_ptr[1];
14476 	struct sk_buff *msg;
14477 	void *hdr;
14478 	int err;
14479 
14480 	wdev = dev->ieee80211_ptr;
14481 
14482 	if (!rdev->ops->set_power_mgmt)
14483 		return -EOPNOTSUPP;
14484 
14485 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
14486 	if (!msg)
14487 		return -ENOMEM;
14488 
14489 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
14490 			     NL80211_CMD_GET_POWER_SAVE);
14491 	if (!hdr) {
14492 		err = -ENOBUFS;
14493 		goto free_msg;
14494 	}
14495 
14496 	if (wdev->ps)
14497 		ps_state = NL80211_PS_ENABLED;
14498 	else
14499 		ps_state = NL80211_PS_DISABLED;
14500 
14501 	if (nla_put_u32(msg, NL80211_ATTR_PS_STATE, ps_state))
14502 		goto nla_put_failure;
14503 
14504 	genlmsg_end(msg, hdr);
14505 	return genlmsg_reply(msg, info);
14506 
14507  nla_put_failure:
14508 	err = -ENOBUFS;
14509  free_msg:
14510 	nlmsg_free(msg);
14511 	return err;
14512 }
14513 
14514 static const struct nla_policy
14515 nl80211_attr_cqm_policy[NL80211_ATTR_CQM_MAX + 1] = {
14516 	[NL80211_ATTR_CQM_RSSI_THOLD] = { .type = NLA_BINARY },
14517 	[NL80211_ATTR_CQM_RSSI_HYST] = { .type = NLA_U32 },
14518 	[NL80211_ATTR_CQM_RSSI_THRESHOLD_EVENT] = { .type = NLA_U32 },
14519 	[NL80211_ATTR_CQM_TXE_RATE] = { .type = NLA_U32 },
14520 	[NL80211_ATTR_CQM_TXE_PKTS] = { .type = NLA_U32 },
14521 	[NL80211_ATTR_CQM_TXE_INTVL] = { .type = NLA_U32 },
14522 	[NL80211_ATTR_CQM_RSSI_LEVEL] = { .type = NLA_S32 },
14523 };
14524 
14525 static int nl80211_set_cqm_txe(struct genl_info *info,
14526 			       u32 rate, u32 pkts, u32 intvl)
14527 {
14528 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14529 	struct net_device *dev = info->user_ptr[1];
14530 	struct wireless_dev *wdev = dev->ieee80211_ptr;
14531 
14532 	if (rate > 100 || intvl > NL80211_CQM_TXE_MAX_INTVL)
14533 		return -EINVAL;
14534 
14535 	if (!rdev->ops->set_cqm_txe_config)
14536 		return -EOPNOTSUPP;
14537 
14538 	if (wdev->iftype != NL80211_IFTYPE_STATION &&
14539 	    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT)
14540 		return -EOPNOTSUPP;
14541 
14542 	return rdev_set_cqm_txe_config(rdev, dev, rate, pkts, intvl);
14543 }
14544 
14545 static int cfg80211_cqm_rssi_update(struct cfg80211_registered_device *rdev,
14546 				    struct net_device *dev,
14547 				    struct cfg80211_cqm_config *cqm_config)
14548 {
14549 	struct wireless_dev *wdev = dev->ieee80211_ptr;
14550 	s32 last, low, high;
14551 	u32 hyst;
14552 	int i, n, low_index;
14553 	int err;
14554 
14555 	/*
14556 	 * Obtain current RSSI value if possible, if not and no RSSI threshold
14557 	 * event has been received yet, we should receive an event after a
14558 	 * connection is established and enough beacons received to calculate
14559 	 * the average.
14560 	 */
14561 	if (!cqm_config->last_rssi_event_value &&
14562 	    wdev->links[0].client.current_bss &&
14563 	    rdev->ops->get_station) {
14564 		struct station_info sinfo = {};
14565 		u8 *mac_addr;
14566 
14567 		mac_addr = wdev->links[0].client.current_bss->pub.bssid;
14568 
14569 		err = rdev_get_station(rdev, wdev, mac_addr, &sinfo);
14570 		if (err)
14571 			return err;
14572 
14573 		cfg80211_sinfo_release_content(&sinfo);
14574 		if (sinfo.filled & BIT_ULL(NL80211_STA_INFO_BEACON_SIGNAL_AVG))
14575 			cqm_config->last_rssi_event_value =
14576 				(s8) sinfo.rx_beacon_signal_avg;
14577 	}
14578 
14579 	last = cqm_config->last_rssi_event_value;
14580 	hyst = cqm_config->rssi_hyst;
14581 	n = cqm_config->n_rssi_thresholds;
14582 
14583 	for (i = 0; i < n; i++) {
14584 		i = array_index_nospec(i, n);
14585 		if (last < cqm_config->rssi_thresholds[i])
14586 			break;
14587 	}
14588 
14589 	low_index = i - 1;
14590 	if (low_index >= 0) {
14591 		low_index = array_index_nospec(low_index, n);
14592 		low = cqm_config->rssi_thresholds[low_index] - hyst;
14593 	} else {
14594 		low = S32_MIN;
14595 	}
14596 	if (i < n) {
14597 		i = array_index_nospec(i, n);
14598 		high = cqm_config->rssi_thresholds[i] + hyst - 1;
14599 	} else {
14600 		high = S32_MAX;
14601 	}
14602 
14603 	return rdev_set_cqm_rssi_range_config(rdev, dev, low, high);
14604 }
14605 
14606 static int nl80211_set_cqm_rssi(struct genl_info *info,
14607 				const s32 *thresholds, int n_thresholds,
14608 				u32 hysteresis)
14609 {
14610 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14611 	struct cfg80211_cqm_config *cqm_config = NULL, *old;
14612 	struct net_device *dev = info->user_ptr[1];
14613 	struct wireless_dev *wdev = dev->ieee80211_ptr;
14614 	s32 prev = S32_MIN;
14615 	int i, err;
14616 
14617 	/* Check all values negative and sorted */
14618 	for (i = 0; i < n_thresholds; i++) {
14619 		if (thresholds[i] > 0 || thresholds[i] <= prev)
14620 			return -EINVAL;
14621 
14622 		prev = thresholds[i];
14623 	}
14624 
14625 	if (wdev->iftype != NL80211_IFTYPE_STATION &&
14626 	    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT)
14627 		return -EOPNOTSUPP;
14628 
14629 	if (n_thresholds == 1 && thresholds[0] == 0) /* Disabling */
14630 		n_thresholds = 0;
14631 
14632 	old = wiphy_dereference(wdev->wiphy, wdev->cqm_config);
14633 
14634 	/* if already disabled just succeed */
14635 	if (!n_thresholds && !old)
14636 		return 0;
14637 
14638 	if (n_thresholds > 1) {
14639 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
14640 					     NL80211_EXT_FEATURE_CQM_RSSI_LIST) ||
14641 		    !rdev->ops->set_cqm_rssi_range_config)
14642 			return -EOPNOTSUPP;
14643 	} else {
14644 		if (!rdev->ops->set_cqm_rssi_config)
14645 			return -EOPNOTSUPP;
14646 	}
14647 
14648 	if (n_thresholds) {
14649 		cqm_config = kzalloc_flex(*cqm_config, rssi_thresholds,
14650 					  n_thresholds);
14651 		if (!cqm_config)
14652 			return -ENOMEM;
14653 
14654 		cqm_config->rssi_hyst = hysteresis;
14655 		cqm_config->n_rssi_thresholds = n_thresholds;
14656 		memcpy(cqm_config->rssi_thresholds, thresholds,
14657 		       flex_array_size(cqm_config, rssi_thresholds,
14658 				       n_thresholds));
14659 		cqm_config->use_range_api = n_thresholds > 1 ||
14660 					    !rdev->ops->set_cqm_rssi_config;
14661 
14662 		rcu_assign_pointer(wdev->cqm_config, cqm_config);
14663 
14664 		if (cqm_config->use_range_api)
14665 			err = cfg80211_cqm_rssi_update(rdev, dev, cqm_config);
14666 		else
14667 			err = rdev_set_cqm_rssi_config(rdev, dev,
14668 						       thresholds[0],
14669 						       hysteresis);
14670 	} else {
14671 		RCU_INIT_POINTER(wdev->cqm_config, NULL);
14672 		/* if enabled as range also disable via range */
14673 		if (old->use_range_api)
14674 			err = rdev_set_cqm_rssi_range_config(rdev, dev, 0, 0);
14675 		else
14676 			err = rdev_set_cqm_rssi_config(rdev, dev, 0, 0);
14677 	}
14678 
14679 	if (err) {
14680 		rcu_assign_pointer(wdev->cqm_config, old);
14681 		kfree_rcu(cqm_config, rcu_head);
14682 	} else {
14683 		kfree_rcu(old, rcu_head);
14684 	}
14685 
14686 	return err;
14687 }
14688 
14689 static int nl80211_set_cqm(struct sk_buff *skb, struct genl_info *info)
14690 {
14691 	struct nlattr *attrs[NL80211_ATTR_CQM_MAX + 1];
14692 	struct nlattr *cqm;
14693 	int err;
14694 
14695 	cqm = info->attrs[NL80211_ATTR_CQM];
14696 	if (!cqm)
14697 		return -EINVAL;
14698 
14699 	err = nla_parse_nested_deprecated(attrs, NL80211_ATTR_CQM_MAX, cqm,
14700 					  nl80211_attr_cqm_policy,
14701 					  info->extack);
14702 	if (err)
14703 		return err;
14704 
14705 	if (attrs[NL80211_ATTR_CQM_RSSI_THOLD] &&
14706 	    attrs[NL80211_ATTR_CQM_RSSI_HYST]) {
14707 		const s32 *thresholds =
14708 			nla_data(attrs[NL80211_ATTR_CQM_RSSI_THOLD]);
14709 		int len = nla_len(attrs[NL80211_ATTR_CQM_RSSI_THOLD]);
14710 		u32 hysteresis = nla_get_u32(attrs[NL80211_ATTR_CQM_RSSI_HYST]);
14711 
14712 		if (len % 4)
14713 			return -EINVAL;
14714 
14715 		return nl80211_set_cqm_rssi(info, thresholds, len / 4,
14716 					    hysteresis);
14717 	}
14718 
14719 	if (attrs[NL80211_ATTR_CQM_TXE_RATE] &&
14720 	    attrs[NL80211_ATTR_CQM_TXE_PKTS] &&
14721 	    attrs[NL80211_ATTR_CQM_TXE_INTVL]) {
14722 		u32 rate = nla_get_u32(attrs[NL80211_ATTR_CQM_TXE_RATE]);
14723 		u32 pkts = nla_get_u32(attrs[NL80211_ATTR_CQM_TXE_PKTS]);
14724 		u32 intvl = nla_get_u32(attrs[NL80211_ATTR_CQM_TXE_INTVL]);
14725 
14726 		return nl80211_set_cqm_txe(info, rate, pkts, intvl);
14727 	}
14728 
14729 	return -EINVAL;
14730 }
14731 
14732 static int nl80211_join_ocb(struct sk_buff *skb, struct genl_info *info)
14733 {
14734 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14735 	struct net_device *dev = info->user_ptr[1];
14736 	struct ocb_setup setup = {};
14737 	int err;
14738 
14739 	err = nl80211_parse_chandef(rdev, info->extack, info->attrs,
14740 				    &setup.chandef);
14741 	if (err)
14742 		return err;
14743 
14744 	return cfg80211_join_ocb(rdev, dev, &setup);
14745 }
14746 
14747 static int nl80211_leave_ocb(struct sk_buff *skb, struct genl_info *info)
14748 {
14749 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14750 	struct net_device *dev = info->user_ptr[1];
14751 
14752 	return cfg80211_leave_ocb(rdev, dev);
14753 }
14754 
14755 static int nl80211_join_mesh(struct sk_buff *skb, struct genl_info *info)
14756 {
14757 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14758 	struct net_device *dev = info->user_ptr[1];
14759 	struct mesh_config cfg;
14760 	struct mesh_setup setup;
14761 	int err;
14762 
14763 	/* start with default */
14764 	memcpy(&cfg, &default_mesh_config, sizeof(cfg));
14765 	memcpy(&setup, &default_mesh_setup, sizeof(setup));
14766 
14767 	if (info->attrs[NL80211_ATTR_MESH_CONFIG]) {
14768 		/* and parse parameters if given */
14769 		err = nl80211_parse_mesh_config(info, &cfg, NULL);
14770 		if (err)
14771 			return err;
14772 	}
14773 
14774 	if (!info->attrs[NL80211_ATTR_MESH_ID] ||
14775 	    !nla_len(info->attrs[NL80211_ATTR_MESH_ID]))
14776 		return -EINVAL;
14777 
14778 	setup.mesh_id = nla_data(info->attrs[NL80211_ATTR_MESH_ID]);
14779 	setup.mesh_id_len = nla_len(info->attrs[NL80211_ATTR_MESH_ID]);
14780 
14781 	if (info->attrs[NL80211_ATTR_MCAST_RATE] &&
14782 	    !nl80211_parse_mcast_rate(rdev, setup.mcast_rate,
14783 			    nla_get_u32(info->attrs[NL80211_ATTR_MCAST_RATE])))
14784 			return -EINVAL;
14785 
14786 	if (info->attrs[NL80211_ATTR_BEACON_INTERVAL]) {
14787 		setup.beacon_interval =
14788 			nla_get_u32(info->attrs[NL80211_ATTR_BEACON_INTERVAL]);
14789 
14790 		err = cfg80211_validate_beacon_int(rdev,
14791 						   NL80211_IFTYPE_MESH_POINT,
14792 						   setup.beacon_interval);
14793 		if (err)
14794 			return err;
14795 	}
14796 
14797 	if (info->attrs[NL80211_ATTR_DTIM_PERIOD]) {
14798 		setup.dtim_period =
14799 			nla_get_u32(info->attrs[NL80211_ATTR_DTIM_PERIOD]);
14800 		if (setup.dtim_period < 1 || setup.dtim_period > 100)
14801 			return -EINVAL;
14802 	}
14803 
14804 	if (info->attrs[NL80211_ATTR_MESH_SETUP]) {
14805 		/* parse additional setup parameters if given */
14806 		err = nl80211_parse_mesh_setup(info, &setup);
14807 		if (err)
14808 			return err;
14809 	}
14810 
14811 	if (setup.user_mpm)
14812 		cfg.auto_open_plinks = false;
14813 
14814 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
14815 		err = nl80211_parse_chandef(rdev, info->extack, info->attrs,
14816 					    &setup.chandef);
14817 		if (err)
14818 			return err;
14819 	} else {
14820 		/* __cfg80211_join_mesh() will sort it out */
14821 		setup.chandef.chan = NULL;
14822 	}
14823 
14824 	if (info->attrs[NL80211_ATTR_BSS_BASIC_RATES]) {
14825 		u8 *rates = nla_data(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
14826 		int n_rates =
14827 			nla_len(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
14828 		struct ieee80211_supported_band *sband;
14829 
14830 		if (!setup.chandef.chan)
14831 			return -EINVAL;
14832 
14833 		sband = rdev->wiphy.bands[setup.chandef.chan->band];
14834 
14835 		err = ieee80211_get_ratemask(sband, rates, n_rates,
14836 					     &setup.basic_rates);
14837 		if (err)
14838 			return err;
14839 	}
14840 
14841 	if (info->attrs[NL80211_ATTR_TX_RATES]) {
14842 		err = nl80211_parse_tx_bitrate_mask(info, info->attrs,
14843 						    NL80211_ATTR_TX_RATES,
14844 						    &setup.beacon_rate,
14845 						    dev, false, 0);
14846 		if (err)
14847 			return err;
14848 
14849 		if (!setup.chandef.chan)
14850 			return -EINVAL;
14851 
14852 		err = validate_beacon_tx_rate(rdev, setup.chandef.chan->band,
14853 					      &setup.beacon_rate);
14854 		if (err)
14855 			return err;
14856 	}
14857 
14858 	setup.userspace_handles_dfs =
14859 		nla_get_flag(info->attrs[NL80211_ATTR_HANDLE_DFS]);
14860 
14861 	if (info->attrs[NL80211_ATTR_CONTROL_PORT_OVER_NL80211]) {
14862 		int r = validate_pae_over_nl80211(rdev, info);
14863 
14864 		if (r < 0)
14865 			return r;
14866 
14867 		setup.control_port_over_nl80211 = true;
14868 	}
14869 
14870 	err = __cfg80211_join_mesh(rdev, dev, &setup, &cfg);
14871 	if (!err && info->attrs[NL80211_ATTR_SOCKET_OWNER])
14872 		dev->ieee80211_ptr->conn_owner_nlportid = info->snd_portid;
14873 
14874 	return err;
14875 }
14876 
14877 static int nl80211_leave_mesh(struct sk_buff *skb, struct genl_info *info)
14878 {
14879 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14880 	struct net_device *dev = info->user_ptr[1];
14881 
14882 	return cfg80211_leave_mesh(rdev, dev);
14883 }
14884 
14885 #ifdef CONFIG_PM
14886 static int nl80211_send_wowlan_patterns(struct sk_buff *msg,
14887 					struct cfg80211_registered_device *rdev)
14888 {
14889 	struct cfg80211_wowlan *wowlan = rdev->wiphy.wowlan_config;
14890 	struct nlattr *nl_pats, *nl_pat;
14891 	int i, pat_len;
14892 
14893 	if (!wowlan->n_patterns)
14894 		return 0;
14895 
14896 	nl_pats = nla_nest_start_noflag(msg, NL80211_WOWLAN_TRIG_PKT_PATTERN);
14897 	if (!nl_pats)
14898 		return -ENOBUFS;
14899 
14900 	for (i = 0; i < wowlan->n_patterns; i++) {
14901 		nl_pat = nla_nest_start_noflag(msg, i + 1);
14902 		if (!nl_pat)
14903 			return -ENOBUFS;
14904 		pat_len = wowlan->patterns[i].pattern_len;
14905 		if (nla_put(msg, NL80211_PKTPAT_MASK, DIV_ROUND_UP(pat_len, 8),
14906 			    wowlan->patterns[i].mask) ||
14907 		    nla_put(msg, NL80211_PKTPAT_PATTERN, pat_len,
14908 			    wowlan->patterns[i].pattern) ||
14909 		    nla_put_u32(msg, NL80211_PKTPAT_OFFSET,
14910 				wowlan->patterns[i].pkt_offset))
14911 			return -ENOBUFS;
14912 		nla_nest_end(msg, nl_pat);
14913 	}
14914 	nla_nest_end(msg, nl_pats);
14915 
14916 	return 0;
14917 }
14918 
14919 static int nl80211_send_wowlan_tcp(struct sk_buff *msg,
14920 				   struct cfg80211_wowlan_tcp *tcp)
14921 {
14922 	struct nlattr *nl_tcp;
14923 
14924 	if (!tcp)
14925 		return 0;
14926 
14927 	nl_tcp = nla_nest_start_noflag(msg,
14928 				       NL80211_WOWLAN_TRIG_TCP_CONNECTION);
14929 	if (!nl_tcp)
14930 		return -ENOBUFS;
14931 
14932 	if (nla_put_in_addr(msg, NL80211_WOWLAN_TCP_SRC_IPV4, tcp->src) ||
14933 	    nla_put_in_addr(msg, NL80211_WOWLAN_TCP_DST_IPV4, tcp->dst) ||
14934 	    nla_put(msg, NL80211_WOWLAN_TCP_DST_MAC, ETH_ALEN, tcp->dst_mac) ||
14935 	    nla_put_u16(msg, NL80211_WOWLAN_TCP_SRC_PORT, tcp->src_port) ||
14936 	    nla_put_u16(msg, NL80211_WOWLAN_TCP_DST_PORT, tcp->dst_port) ||
14937 	    nla_put(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD,
14938 		    tcp->payload_len, tcp->payload) ||
14939 	    nla_put_u32(msg, NL80211_WOWLAN_TCP_DATA_INTERVAL,
14940 			tcp->data_interval) ||
14941 	    nla_put(msg, NL80211_WOWLAN_TCP_WAKE_PAYLOAD,
14942 		    tcp->wake_len, tcp->wake_data) ||
14943 	    nla_put(msg, NL80211_WOWLAN_TCP_WAKE_MASK,
14944 		    DIV_ROUND_UP(tcp->wake_len, 8), tcp->wake_mask))
14945 		return -ENOBUFS;
14946 
14947 	if (tcp->payload_seq.len &&
14948 	    nla_put(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ,
14949 		    sizeof(tcp->payload_seq), &tcp->payload_seq))
14950 		return -ENOBUFS;
14951 
14952 	if (tcp->payload_tok.len &&
14953 	    nla_put(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN,
14954 		    sizeof(tcp->payload_tok) + tcp->tokens_size,
14955 		    &tcp->payload_tok))
14956 		return -ENOBUFS;
14957 
14958 	nla_nest_end(msg, nl_tcp);
14959 
14960 	return 0;
14961 }
14962 
14963 static int nl80211_send_wowlan_nd(struct sk_buff *msg,
14964 				  struct cfg80211_sched_scan_request *req)
14965 {
14966 	struct nlattr *nd, *freqs, *matches, *match, *scan_plans, *scan_plan;
14967 	int i;
14968 
14969 	if (!req)
14970 		return 0;
14971 
14972 	nd = nla_nest_start_noflag(msg, NL80211_WOWLAN_TRIG_NET_DETECT);
14973 	if (!nd)
14974 		return -ENOBUFS;
14975 
14976 	if (req->n_scan_plans == 1 &&
14977 	    nla_put_u32(msg, NL80211_ATTR_SCHED_SCAN_INTERVAL,
14978 			req->scan_plans[0].interval * 1000))
14979 		return -ENOBUFS;
14980 
14981 	if (nla_put_u32(msg, NL80211_ATTR_SCHED_SCAN_DELAY, req->delay))
14982 		return -ENOBUFS;
14983 
14984 	if (req->relative_rssi_set) {
14985 		struct nl80211_bss_select_rssi_adjust rssi_adjust;
14986 
14987 		if (nla_put_s8(msg, NL80211_ATTR_SCHED_SCAN_RELATIVE_RSSI,
14988 			       req->relative_rssi))
14989 			return -ENOBUFS;
14990 
14991 		rssi_adjust.band = req->rssi_adjust.band;
14992 		rssi_adjust.delta = req->rssi_adjust.delta;
14993 		if (nla_put(msg, NL80211_ATTR_SCHED_SCAN_RSSI_ADJUST,
14994 			    sizeof(rssi_adjust), &rssi_adjust))
14995 			return -ENOBUFS;
14996 	}
14997 
14998 	freqs = nla_nest_start_noflag(msg, NL80211_ATTR_SCAN_FREQUENCIES);
14999 	if (!freqs)
15000 		return -ENOBUFS;
15001 
15002 	for (i = 0; i < req->n_channels; i++) {
15003 		if (nla_put_u32(msg, i, req->channels[i]->center_freq))
15004 			return -ENOBUFS;
15005 	}
15006 
15007 	nla_nest_end(msg, freqs);
15008 
15009 	if (req->n_match_sets) {
15010 		matches = nla_nest_start_noflag(msg,
15011 						NL80211_ATTR_SCHED_SCAN_MATCH);
15012 		if (!matches)
15013 			return -ENOBUFS;
15014 
15015 		for (i = 0; i < req->n_match_sets; i++) {
15016 			match = nla_nest_start_noflag(msg, i);
15017 			if (!match)
15018 				return -ENOBUFS;
15019 
15020 			if (nla_put(msg, NL80211_SCHED_SCAN_MATCH_ATTR_SSID,
15021 				    req->match_sets[i].ssid.ssid_len,
15022 				    req->match_sets[i].ssid.ssid))
15023 				return -ENOBUFS;
15024 			nla_nest_end(msg, match);
15025 		}
15026 		nla_nest_end(msg, matches);
15027 	}
15028 
15029 	scan_plans = nla_nest_start_noflag(msg, NL80211_ATTR_SCHED_SCAN_PLANS);
15030 	if (!scan_plans)
15031 		return -ENOBUFS;
15032 
15033 	for (i = 0; i < req->n_scan_plans; i++) {
15034 		scan_plan = nla_nest_start_noflag(msg, i + 1);
15035 		if (!scan_plan)
15036 			return -ENOBUFS;
15037 
15038 		if (nla_put_u32(msg, NL80211_SCHED_SCAN_PLAN_INTERVAL,
15039 				req->scan_plans[i].interval) ||
15040 		    (req->scan_plans[i].iterations &&
15041 		     nla_put_u32(msg, NL80211_SCHED_SCAN_PLAN_ITERATIONS,
15042 				 req->scan_plans[i].iterations)))
15043 			return -ENOBUFS;
15044 		nla_nest_end(msg, scan_plan);
15045 	}
15046 	nla_nest_end(msg, scan_plans);
15047 
15048 	nla_nest_end(msg, nd);
15049 
15050 	return 0;
15051 }
15052 
15053 static int nl80211_get_wowlan(struct sk_buff *skb, struct genl_info *info)
15054 {
15055 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15056 	struct sk_buff *msg;
15057 	void *hdr;
15058 	u32 size = NLMSG_DEFAULT_SIZE;
15059 
15060 	if (!rdev->wiphy.wowlan)
15061 		return -EOPNOTSUPP;
15062 
15063 	if (rdev->wiphy.wowlan_config && rdev->wiphy.wowlan_config->tcp) {
15064 		/* adjust size to have room for all the data */
15065 		size += rdev->wiphy.wowlan_config->tcp->tokens_size +
15066 			rdev->wiphy.wowlan_config->tcp->payload_len +
15067 			rdev->wiphy.wowlan_config->tcp->wake_len +
15068 			rdev->wiphy.wowlan_config->tcp->wake_len / 8;
15069 	}
15070 
15071 	msg = nlmsg_new(size, GFP_KERNEL);
15072 	if (!msg)
15073 		return -ENOMEM;
15074 
15075 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
15076 			     NL80211_CMD_GET_WOWLAN);
15077 	if (!hdr)
15078 		goto nla_put_failure;
15079 
15080 	if (rdev->wiphy.wowlan_config) {
15081 		struct nlattr *nl_wowlan;
15082 
15083 		nl_wowlan = nla_nest_start_noflag(msg,
15084 						  NL80211_ATTR_WOWLAN_TRIGGERS);
15085 		if (!nl_wowlan)
15086 			goto nla_put_failure;
15087 
15088 		if ((rdev->wiphy.wowlan_config->any &&
15089 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_ANY)) ||
15090 		    (rdev->wiphy.wowlan_config->disconnect &&
15091 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_DISCONNECT)) ||
15092 		    (rdev->wiphy.wowlan_config->magic_pkt &&
15093 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_MAGIC_PKT)) ||
15094 		    (rdev->wiphy.wowlan_config->gtk_rekey_failure &&
15095 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE)) ||
15096 		    (rdev->wiphy.wowlan_config->eap_identity_req &&
15097 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST)) ||
15098 		    (rdev->wiphy.wowlan_config->four_way_handshake &&
15099 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE)) ||
15100 		    (rdev->wiphy.wowlan_config->rfkill_release &&
15101 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_RFKILL_RELEASE)))
15102 			goto nla_put_failure;
15103 
15104 		if (nl80211_send_wowlan_patterns(msg, rdev))
15105 			goto nla_put_failure;
15106 
15107 		if (nl80211_send_wowlan_tcp(msg,
15108 					    rdev->wiphy.wowlan_config->tcp))
15109 			goto nla_put_failure;
15110 
15111 		if (nl80211_send_wowlan_nd(
15112 			    msg,
15113 			    rdev->wiphy.wowlan_config->nd_config))
15114 			goto nla_put_failure;
15115 
15116 		nla_nest_end(msg, nl_wowlan);
15117 	}
15118 
15119 	genlmsg_end(msg, hdr);
15120 	return genlmsg_reply(msg, info);
15121 
15122 nla_put_failure:
15123 	nlmsg_free(msg);
15124 	return -ENOBUFS;
15125 }
15126 
15127 static int nl80211_parse_wowlan_tcp(struct cfg80211_registered_device *rdev,
15128 				    struct nlattr *attr,
15129 				    struct cfg80211_wowlan *trig)
15130 {
15131 	struct nlattr *tb[NUM_NL80211_WOWLAN_TCP];
15132 	struct cfg80211_wowlan_tcp *cfg;
15133 	struct nl80211_wowlan_tcp_data_token *tok = NULL;
15134 	struct nl80211_wowlan_tcp_data_seq *seq = NULL;
15135 	u32 size;
15136 	u32 data_size, wake_size, tokens_size = 0, wake_mask_size;
15137 	int err, port;
15138 
15139 	if (!rdev->wiphy.wowlan->tcp)
15140 		return -EINVAL;
15141 
15142 	err = nla_parse_nested_deprecated(tb, MAX_NL80211_WOWLAN_TCP, attr,
15143 					  nl80211_wowlan_tcp_policy, NULL);
15144 	if (err)
15145 		return err;
15146 
15147 	if (!tb[NL80211_WOWLAN_TCP_SRC_IPV4] ||
15148 	    !tb[NL80211_WOWLAN_TCP_DST_IPV4] ||
15149 	    !tb[NL80211_WOWLAN_TCP_DST_MAC] ||
15150 	    !tb[NL80211_WOWLAN_TCP_DST_PORT] ||
15151 	    !tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD] ||
15152 	    !tb[NL80211_WOWLAN_TCP_DATA_INTERVAL] ||
15153 	    !tb[NL80211_WOWLAN_TCP_WAKE_PAYLOAD] ||
15154 	    !tb[NL80211_WOWLAN_TCP_WAKE_MASK])
15155 		return -EINVAL;
15156 
15157 	data_size = nla_len(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD]);
15158 	if (data_size > rdev->wiphy.wowlan->tcp->data_payload_max)
15159 		return -EINVAL;
15160 
15161 	if (nla_get_u32(tb[NL80211_WOWLAN_TCP_DATA_INTERVAL]) >
15162 			rdev->wiphy.wowlan->tcp->data_interval_max ||
15163 	    nla_get_u32(tb[NL80211_WOWLAN_TCP_DATA_INTERVAL]) == 0)
15164 		return -EINVAL;
15165 
15166 	wake_size = nla_len(tb[NL80211_WOWLAN_TCP_WAKE_PAYLOAD]);
15167 	if (wake_size > rdev->wiphy.wowlan->tcp->wake_payload_max)
15168 		return -EINVAL;
15169 
15170 	wake_mask_size = nla_len(tb[NL80211_WOWLAN_TCP_WAKE_MASK]);
15171 	if (wake_mask_size != DIV_ROUND_UP(wake_size, 8))
15172 		return -EINVAL;
15173 
15174 	if (tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN]) {
15175 		u32 tokln = nla_len(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN]);
15176 
15177 		tok = nla_data(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN]);
15178 		tokens_size = tokln - sizeof(*tok);
15179 
15180 		if (!tok->len || tokens_size % tok->len)
15181 			return -EINVAL;
15182 		if (!rdev->wiphy.wowlan->tcp->tok)
15183 			return -EINVAL;
15184 		if (tok->len > rdev->wiphy.wowlan->tcp->tok->max_len)
15185 			return -EINVAL;
15186 		if (tok->len < rdev->wiphy.wowlan->tcp->tok->min_len)
15187 			return -EINVAL;
15188 		if (tokens_size > rdev->wiphy.wowlan->tcp->tok->bufsize)
15189 			return -EINVAL;
15190 		if (tok->offset + tok->len > data_size)
15191 			return -EINVAL;
15192 	}
15193 
15194 	if (tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ]) {
15195 		seq = nla_data(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ]);
15196 		if (!rdev->wiphy.wowlan->tcp->seq)
15197 			return -EINVAL;
15198 		if (seq->len == 0 || seq->len > 4)
15199 			return -EINVAL;
15200 		if (seq->len + seq->offset > data_size)
15201 			return -EINVAL;
15202 	}
15203 
15204 	size = sizeof(*cfg);
15205 	size += data_size;
15206 	size += wake_size + wake_mask_size;
15207 	size += tokens_size;
15208 
15209 	cfg = kzalloc(size, GFP_KERNEL);
15210 	if (!cfg)
15211 		return -ENOMEM;
15212 	cfg->src = nla_get_in_addr(tb[NL80211_WOWLAN_TCP_SRC_IPV4]);
15213 	cfg->dst = nla_get_in_addr(tb[NL80211_WOWLAN_TCP_DST_IPV4]);
15214 	memcpy(cfg->dst_mac, nla_data(tb[NL80211_WOWLAN_TCP_DST_MAC]),
15215 	       ETH_ALEN);
15216 	port = nla_get_u16_default(tb[NL80211_WOWLAN_TCP_SRC_PORT], 0);
15217 #ifdef CONFIG_INET
15218 	/* allocate a socket and port for it and use it */
15219 	err = __sock_create(wiphy_net(&rdev->wiphy), PF_INET, SOCK_STREAM,
15220 			    IPPROTO_TCP, &cfg->sock, 1);
15221 	if (err) {
15222 		kfree(cfg);
15223 		return err;
15224 	}
15225 	if (inet_csk_get_port(cfg->sock->sk, port)) {
15226 		sock_release(cfg->sock);
15227 		kfree(cfg);
15228 		return -EADDRINUSE;
15229 	}
15230 	cfg->src_port = inet_sk(cfg->sock->sk)->inet_num;
15231 #else
15232 	if (!port) {
15233 		kfree(cfg);
15234 		return -EINVAL;
15235 	}
15236 	cfg->src_port = port;
15237 #endif
15238 
15239 	cfg->dst_port = nla_get_u16(tb[NL80211_WOWLAN_TCP_DST_PORT]);
15240 	cfg->payload_len = data_size;
15241 	cfg->payload = (u8 *)cfg + sizeof(*cfg) + tokens_size;
15242 	memcpy((void *)cfg->payload,
15243 	       nla_data(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD]),
15244 	       data_size);
15245 	if (seq)
15246 		cfg->payload_seq = *seq;
15247 	cfg->data_interval = nla_get_u32(tb[NL80211_WOWLAN_TCP_DATA_INTERVAL]);
15248 	cfg->wake_len = wake_size;
15249 	cfg->wake_data = (u8 *)cfg + sizeof(*cfg) + tokens_size + data_size;
15250 	memcpy((void *)cfg->wake_data,
15251 	       nla_data(tb[NL80211_WOWLAN_TCP_WAKE_PAYLOAD]),
15252 	       wake_size);
15253 	cfg->wake_mask = (u8 *)cfg + sizeof(*cfg) + tokens_size +
15254 			 data_size + wake_size;
15255 	memcpy((void *)cfg->wake_mask,
15256 	       nla_data(tb[NL80211_WOWLAN_TCP_WAKE_MASK]),
15257 	       wake_mask_size);
15258 	if (tok) {
15259 		cfg->tokens_size = tokens_size;
15260 		cfg->payload_tok = *tok;
15261 		memcpy(cfg->payload_tok.token_stream, tok->token_stream,
15262 		       tokens_size);
15263 	}
15264 
15265 	trig->tcp = cfg;
15266 
15267 	return 0;
15268 }
15269 
15270 static int nl80211_parse_wowlan_nd(struct cfg80211_registered_device *rdev,
15271 				   const struct wiphy_wowlan_support *wowlan,
15272 				   struct nlattr *attr,
15273 				   struct cfg80211_wowlan *trig)
15274 {
15275 	struct nlattr **tb;
15276 	int err;
15277 
15278 	tb = kzalloc_objs(*tb, NUM_NL80211_ATTR);
15279 	if (!tb)
15280 		return -ENOMEM;
15281 
15282 	if (!(wowlan->flags & WIPHY_WOWLAN_NET_DETECT)) {
15283 		err = -EOPNOTSUPP;
15284 		goto out;
15285 	}
15286 
15287 	err = nla_parse_nested_deprecated(tb, NL80211_ATTR_MAX, attr,
15288 					  nl80211_policy, NULL);
15289 	if (err)
15290 		goto out;
15291 
15292 	trig->nd_config = nl80211_parse_sched_scan(&rdev->wiphy, NULL, tb,
15293 						   wowlan->max_nd_match_sets);
15294 	err = PTR_ERR_OR_ZERO(trig->nd_config);
15295 	if (err)
15296 		trig->nd_config = NULL;
15297 
15298 out:
15299 	kfree(tb);
15300 	return err;
15301 }
15302 
15303 static int nl80211_set_wowlan(struct sk_buff *skb, struct genl_info *info)
15304 {
15305 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15306 	struct nlattr *tb[NUM_NL80211_WOWLAN_TRIG];
15307 	struct cfg80211_wowlan new_triggers = {};
15308 	struct cfg80211_wowlan *ntrig;
15309 	const struct wiphy_wowlan_support *wowlan = rdev->wiphy.wowlan;
15310 	int err, i;
15311 	bool prev_enabled = rdev->wiphy.wowlan_config;
15312 	bool regular = false;
15313 
15314 	if (!wowlan)
15315 		return -EOPNOTSUPP;
15316 
15317 	if (!info->attrs[NL80211_ATTR_WOWLAN_TRIGGERS]) {
15318 		cfg80211_rdev_free_wowlan(rdev);
15319 		rdev->wiphy.wowlan_config = NULL;
15320 		goto set_wakeup;
15321 	}
15322 
15323 	err = nla_parse_nested_deprecated(tb, MAX_NL80211_WOWLAN_TRIG,
15324 					  info->attrs[NL80211_ATTR_WOWLAN_TRIGGERS],
15325 					  nl80211_wowlan_policy, info->extack);
15326 	if (err)
15327 		return err;
15328 
15329 	if (tb[NL80211_WOWLAN_TRIG_ANY]) {
15330 		if (!(wowlan->flags & WIPHY_WOWLAN_ANY))
15331 			return -EINVAL;
15332 		new_triggers.any = true;
15333 	}
15334 
15335 	if (tb[NL80211_WOWLAN_TRIG_DISCONNECT]) {
15336 		if (!(wowlan->flags & WIPHY_WOWLAN_DISCONNECT))
15337 			return -EINVAL;
15338 		new_triggers.disconnect = true;
15339 		regular = true;
15340 	}
15341 
15342 	if (tb[NL80211_WOWLAN_TRIG_MAGIC_PKT]) {
15343 		if (!(wowlan->flags & WIPHY_WOWLAN_MAGIC_PKT))
15344 			return -EINVAL;
15345 		new_triggers.magic_pkt = true;
15346 		regular = true;
15347 	}
15348 
15349 	if (tb[NL80211_WOWLAN_TRIG_GTK_REKEY_SUPPORTED])
15350 		return -EINVAL;
15351 
15352 	if (tb[NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE]) {
15353 		if (!(wowlan->flags & WIPHY_WOWLAN_GTK_REKEY_FAILURE))
15354 			return -EINVAL;
15355 		new_triggers.gtk_rekey_failure = true;
15356 		regular = true;
15357 	}
15358 
15359 	if (tb[NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST]) {
15360 		if (!(wowlan->flags & WIPHY_WOWLAN_EAP_IDENTITY_REQ))
15361 			return -EINVAL;
15362 		new_triggers.eap_identity_req = true;
15363 		regular = true;
15364 	}
15365 
15366 	if (tb[NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE]) {
15367 		if (!(wowlan->flags & WIPHY_WOWLAN_4WAY_HANDSHAKE))
15368 			return -EINVAL;
15369 		new_triggers.four_way_handshake = true;
15370 		regular = true;
15371 	}
15372 
15373 	if (tb[NL80211_WOWLAN_TRIG_RFKILL_RELEASE]) {
15374 		if (!(wowlan->flags & WIPHY_WOWLAN_RFKILL_RELEASE))
15375 			return -EINVAL;
15376 		new_triggers.rfkill_release = true;
15377 		regular = true;
15378 	}
15379 
15380 	if (tb[NL80211_WOWLAN_TRIG_PKT_PATTERN]) {
15381 		struct nlattr *pat;
15382 		int n_patterns = 0;
15383 		int rem, pat_len, mask_len, pkt_offset;
15384 		struct nlattr *pat_tb[NUM_NL80211_PKTPAT];
15385 
15386 		regular = true;
15387 
15388 		nla_for_each_nested(pat, tb[NL80211_WOWLAN_TRIG_PKT_PATTERN],
15389 				    rem)
15390 			n_patterns++;
15391 		if (n_patterns > wowlan->n_patterns)
15392 			return -EINVAL;
15393 
15394 		new_triggers.patterns = kzalloc_objs(new_triggers.patterns[0],
15395 						     n_patterns);
15396 		if (!new_triggers.patterns)
15397 			return -ENOMEM;
15398 
15399 		new_triggers.n_patterns = n_patterns;
15400 		i = 0;
15401 
15402 		nla_for_each_nested(pat, tb[NL80211_WOWLAN_TRIG_PKT_PATTERN],
15403 				    rem) {
15404 			u8 *mask_pat;
15405 
15406 			err = nla_parse_nested_deprecated(pat_tb,
15407 							  MAX_NL80211_PKTPAT,
15408 							  pat,
15409 							  nl80211_packet_pattern_policy,
15410 							  info->extack);
15411 			if (err)
15412 				goto error;
15413 
15414 			err = -EINVAL;
15415 			if (!pat_tb[NL80211_PKTPAT_MASK] ||
15416 			    !pat_tb[NL80211_PKTPAT_PATTERN])
15417 				goto error;
15418 			pat_len = nla_len(pat_tb[NL80211_PKTPAT_PATTERN]);
15419 			mask_len = DIV_ROUND_UP(pat_len, 8);
15420 			if (nla_len(pat_tb[NL80211_PKTPAT_MASK]) != mask_len)
15421 				goto error;
15422 			if (pat_len > wowlan->pattern_max_len ||
15423 			    pat_len < wowlan->pattern_min_len)
15424 				goto error;
15425 
15426 			pkt_offset =
15427 				nla_get_u32_default(pat_tb[NL80211_PKTPAT_OFFSET],
15428 						    0);
15429 			if (pkt_offset > wowlan->max_pkt_offset)
15430 				goto error;
15431 			new_triggers.patterns[i].pkt_offset = pkt_offset;
15432 
15433 			mask_pat = kmalloc(mask_len + pat_len, GFP_KERNEL);
15434 			if (!mask_pat) {
15435 				err = -ENOMEM;
15436 				goto error;
15437 			}
15438 			new_triggers.patterns[i].mask = mask_pat;
15439 			memcpy(mask_pat, nla_data(pat_tb[NL80211_PKTPAT_MASK]),
15440 			       mask_len);
15441 			mask_pat += mask_len;
15442 			new_triggers.patterns[i].pattern = mask_pat;
15443 			new_triggers.patterns[i].pattern_len = pat_len;
15444 			memcpy(mask_pat,
15445 			       nla_data(pat_tb[NL80211_PKTPAT_PATTERN]),
15446 			       pat_len);
15447 			i++;
15448 		}
15449 	}
15450 
15451 	if (tb[NL80211_WOWLAN_TRIG_TCP_CONNECTION]) {
15452 		regular = true;
15453 		err = nl80211_parse_wowlan_tcp(
15454 			rdev, tb[NL80211_WOWLAN_TRIG_TCP_CONNECTION],
15455 			&new_triggers);
15456 		if (err)
15457 			goto error;
15458 	}
15459 
15460 	if (tb[NL80211_WOWLAN_TRIG_NET_DETECT]) {
15461 		regular = true;
15462 		err = nl80211_parse_wowlan_nd(
15463 			rdev, wowlan, tb[NL80211_WOWLAN_TRIG_NET_DETECT],
15464 			&new_triggers);
15465 		if (err)
15466 			goto error;
15467 	}
15468 
15469 	/* The 'any' trigger means the device continues operating more or less
15470 	 * as in its normal operation mode and wakes up the host on most of the
15471 	 * normal interrupts (like packet RX, ...)
15472 	 * It therefore makes little sense to combine with the more constrained
15473 	 * wakeup trigger modes.
15474 	 */
15475 	if (new_triggers.any && regular) {
15476 		err = -EINVAL;
15477 		goto error;
15478 	}
15479 
15480 	ntrig = kmemdup(&new_triggers, sizeof(new_triggers), GFP_KERNEL);
15481 	if (!ntrig) {
15482 		err = -ENOMEM;
15483 		goto error;
15484 	}
15485 	cfg80211_rdev_free_wowlan(rdev);
15486 	rdev->wiphy.wowlan_config = ntrig;
15487 
15488  set_wakeup:
15489 	if (rdev->ops->set_wakeup &&
15490 	    prev_enabled != !!rdev->wiphy.wowlan_config)
15491 		rdev_set_wakeup(rdev, rdev->wiphy.wowlan_config);
15492 
15493 	return 0;
15494  error:
15495 	for (i = 0; i < new_triggers.n_patterns; i++)
15496 		kfree(new_triggers.patterns[i].mask);
15497 	kfree(new_triggers.patterns);
15498 	if (new_triggers.tcp && new_triggers.tcp->sock)
15499 		sock_release(new_triggers.tcp->sock);
15500 	kfree(new_triggers.tcp);
15501 	kfree(new_triggers.nd_config);
15502 	return err;
15503 }
15504 #endif
15505 
15506 static int nl80211_send_coalesce_rules(struct sk_buff *msg,
15507 				       struct cfg80211_registered_device *rdev)
15508 {
15509 	struct nlattr *nl_pats, *nl_pat, *nl_rule, *nl_rules;
15510 	int i, j, pat_len;
15511 	struct cfg80211_coalesce_rules *rule;
15512 
15513 	if (!rdev->coalesce->n_rules)
15514 		return 0;
15515 
15516 	nl_rules = nla_nest_start_noflag(msg, NL80211_ATTR_COALESCE_RULE);
15517 	if (!nl_rules)
15518 		return -ENOBUFS;
15519 
15520 	for (i = 0; i < rdev->coalesce->n_rules; i++) {
15521 		nl_rule = nla_nest_start_noflag(msg, i + 1);
15522 		if (!nl_rule)
15523 			return -ENOBUFS;
15524 
15525 		rule = &rdev->coalesce->rules[i];
15526 		if (nla_put_u32(msg, NL80211_ATTR_COALESCE_RULE_DELAY,
15527 				rule->delay))
15528 			return -ENOBUFS;
15529 
15530 		if (nla_put_u32(msg, NL80211_ATTR_COALESCE_RULE_CONDITION,
15531 				rule->condition))
15532 			return -ENOBUFS;
15533 
15534 		nl_pats = nla_nest_start_noflag(msg,
15535 						NL80211_ATTR_COALESCE_RULE_PKT_PATTERN);
15536 		if (!nl_pats)
15537 			return -ENOBUFS;
15538 
15539 		for (j = 0; j < rule->n_patterns; j++) {
15540 			nl_pat = nla_nest_start_noflag(msg, j + 1);
15541 			if (!nl_pat)
15542 				return -ENOBUFS;
15543 			pat_len = rule->patterns[j].pattern_len;
15544 			if (nla_put(msg, NL80211_PKTPAT_MASK,
15545 				    DIV_ROUND_UP(pat_len, 8),
15546 				    rule->patterns[j].mask) ||
15547 			    nla_put(msg, NL80211_PKTPAT_PATTERN, pat_len,
15548 				    rule->patterns[j].pattern) ||
15549 			    nla_put_u32(msg, NL80211_PKTPAT_OFFSET,
15550 					rule->patterns[j].pkt_offset))
15551 				return -ENOBUFS;
15552 			nla_nest_end(msg, nl_pat);
15553 		}
15554 		nla_nest_end(msg, nl_pats);
15555 		nla_nest_end(msg, nl_rule);
15556 	}
15557 	nla_nest_end(msg, nl_rules);
15558 
15559 	return 0;
15560 }
15561 
15562 static int nl80211_get_coalesce(struct sk_buff *skb, struct genl_info *info)
15563 {
15564 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15565 	struct sk_buff *msg;
15566 	void *hdr;
15567 
15568 	if (!rdev->wiphy.coalesce)
15569 		return -EOPNOTSUPP;
15570 
15571 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
15572 	if (!msg)
15573 		return -ENOMEM;
15574 
15575 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
15576 			     NL80211_CMD_GET_COALESCE);
15577 	if (!hdr)
15578 		goto nla_put_failure;
15579 
15580 	if (rdev->coalesce && nl80211_send_coalesce_rules(msg, rdev))
15581 		goto nla_put_failure;
15582 
15583 	genlmsg_end(msg, hdr);
15584 	return genlmsg_reply(msg, info);
15585 
15586 nla_put_failure:
15587 	nlmsg_free(msg);
15588 	return -ENOBUFS;
15589 }
15590 
15591 void cfg80211_free_coalesce(struct cfg80211_coalesce *coalesce)
15592 {
15593 	int i, j;
15594 	struct cfg80211_coalesce_rules *rule;
15595 
15596 	if (!coalesce)
15597 		return;
15598 
15599 	for (i = 0; i < coalesce->n_rules; i++) {
15600 		rule = &coalesce->rules[i];
15601 		for (j = 0; j < rule->n_patterns; j++)
15602 			kfree(rule->patterns[j].mask);
15603 		kfree(rule->patterns);
15604 	}
15605 	kfree(coalesce);
15606 }
15607 
15608 static int nl80211_parse_coalesce_rule(struct cfg80211_registered_device *rdev,
15609 				       struct nlattr *rule,
15610 				       struct cfg80211_coalesce_rules *new_rule)
15611 {
15612 	int err, i;
15613 	const struct wiphy_coalesce_support *coalesce = rdev->wiphy.coalesce;
15614 	struct nlattr *tb[NUM_NL80211_ATTR_COALESCE_RULE], *pat;
15615 	int rem, pat_len, mask_len, pkt_offset, n_patterns = 0;
15616 	struct nlattr *pat_tb[NUM_NL80211_PKTPAT];
15617 
15618 	err = nla_parse_nested_deprecated(tb, NL80211_ATTR_COALESCE_RULE_MAX,
15619 					  rule, nl80211_coalesce_policy, NULL);
15620 	if (err)
15621 		return err;
15622 
15623 	if (tb[NL80211_ATTR_COALESCE_RULE_DELAY])
15624 		new_rule->delay =
15625 			nla_get_u32(tb[NL80211_ATTR_COALESCE_RULE_DELAY]);
15626 	if (new_rule->delay > coalesce->max_delay)
15627 		return -EINVAL;
15628 
15629 	if (tb[NL80211_ATTR_COALESCE_RULE_CONDITION])
15630 		new_rule->condition =
15631 			nla_get_u32(tb[NL80211_ATTR_COALESCE_RULE_CONDITION]);
15632 
15633 	if (!tb[NL80211_ATTR_COALESCE_RULE_PKT_PATTERN])
15634 		return -EINVAL;
15635 
15636 	nla_for_each_nested(pat, tb[NL80211_ATTR_COALESCE_RULE_PKT_PATTERN],
15637 			    rem)
15638 		n_patterns++;
15639 	if (n_patterns > coalesce->n_patterns)
15640 		return -EINVAL;
15641 
15642 	new_rule->patterns = kzalloc_objs(new_rule->patterns[0], n_patterns);
15643 	if (!new_rule->patterns)
15644 		return -ENOMEM;
15645 
15646 	new_rule->n_patterns = n_patterns;
15647 	i = 0;
15648 
15649 	nla_for_each_nested(pat, tb[NL80211_ATTR_COALESCE_RULE_PKT_PATTERN],
15650 			    rem) {
15651 		u8 *mask_pat;
15652 
15653 		err = nla_parse_nested_deprecated(pat_tb, MAX_NL80211_PKTPAT,
15654 						  pat,
15655 						  nl80211_packet_pattern_policy,
15656 						  NULL);
15657 		if (err)
15658 			return err;
15659 
15660 		if (!pat_tb[NL80211_PKTPAT_MASK] ||
15661 		    !pat_tb[NL80211_PKTPAT_PATTERN])
15662 			return -EINVAL;
15663 		pat_len = nla_len(pat_tb[NL80211_PKTPAT_PATTERN]);
15664 		mask_len = DIV_ROUND_UP(pat_len, 8);
15665 		if (nla_len(pat_tb[NL80211_PKTPAT_MASK]) != mask_len)
15666 			return -EINVAL;
15667 		if (pat_len > coalesce->pattern_max_len ||
15668 		    pat_len < coalesce->pattern_min_len)
15669 			return -EINVAL;
15670 
15671 		pkt_offset = nla_get_u32_default(pat_tb[NL80211_PKTPAT_OFFSET],
15672 						 0);
15673 		if (pkt_offset > coalesce->max_pkt_offset)
15674 			return -EINVAL;
15675 		new_rule->patterns[i].pkt_offset = pkt_offset;
15676 
15677 		mask_pat = kmalloc(mask_len + pat_len, GFP_KERNEL);
15678 		if (!mask_pat)
15679 			return -ENOMEM;
15680 
15681 		new_rule->patterns[i].mask = mask_pat;
15682 		memcpy(mask_pat, nla_data(pat_tb[NL80211_PKTPAT_MASK]),
15683 		       mask_len);
15684 
15685 		mask_pat += mask_len;
15686 		new_rule->patterns[i].pattern = mask_pat;
15687 		new_rule->patterns[i].pattern_len = pat_len;
15688 		memcpy(mask_pat, nla_data(pat_tb[NL80211_PKTPAT_PATTERN]),
15689 		       pat_len);
15690 		i++;
15691 	}
15692 
15693 	return 0;
15694 }
15695 
15696 static int nl80211_set_coalesce(struct sk_buff *skb, struct genl_info *info)
15697 {
15698 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15699 	const struct wiphy_coalesce_support *coalesce = rdev->wiphy.coalesce;
15700 	struct cfg80211_coalesce *new_coalesce;
15701 	int err, rem_rule, n_rules = 0, i;
15702 	struct nlattr *rule;
15703 
15704 	if (!rdev->wiphy.coalesce || !rdev->ops->set_coalesce)
15705 		return -EOPNOTSUPP;
15706 
15707 	if (!info->attrs[NL80211_ATTR_COALESCE_RULE]) {
15708 		cfg80211_free_coalesce(rdev->coalesce);
15709 		rdev->coalesce = NULL;
15710 		rdev_set_coalesce(rdev, NULL);
15711 		return 0;
15712 	}
15713 
15714 	nla_for_each_nested(rule, info->attrs[NL80211_ATTR_COALESCE_RULE],
15715 			    rem_rule)
15716 		n_rules++;
15717 	if (n_rules > coalesce->n_rules)
15718 		return -EINVAL;
15719 
15720 	new_coalesce = kzalloc_flex(*new_coalesce, rules, n_rules);
15721 	if (!new_coalesce)
15722 		return -ENOMEM;
15723 
15724 	new_coalesce->n_rules = n_rules;
15725 	i = 0;
15726 
15727 	nla_for_each_nested(rule, info->attrs[NL80211_ATTR_COALESCE_RULE],
15728 			    rem_rule) {
15729 		err = nl80211_parse_coalesce_rule(rdev, rule,
15730 						  &new_coalesce->rules[i]);
15731 		if (err)
15732 			goto error;
15733 
15734 		i++;
15735 	}
15736 
15737 	err = rdev_set_coalesce(rdev, new_coalesce);
15738 	if (err)
15739 		goto error;
15740 
15741 	cfg80211_free_coalesce(rdev->coalesce);
15742 	rdev->coalesce = new_coalesce;
15743 
15744 	return 0;
15745 error:
15746 	cfg80211_free_coalesce(new_coalesce);
15747 
15748 	return err;
15749 }
15750 
15751 static int nl80211_set_rekey_data(struct sk_buff *skb, struct genl_info *info)
15752 {
15753 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15754 	struct net_device *dev = info->user_ptr[1];
15755 	struct wireless_dev *wdev = dev->ieee80211_ptr;
15756 	struct nlattr *tb[NUM_NL80211_REKEY_DATA];
15757 	struct cfg80211_gtk_rekey_data rekey_data = {};
15758 	int err;
15759 
15760 	if (!info->attrs[NL80211_ATTR_REKEY_DATA])
15761 		return -EINVAL;
15762 
15763 	err = nla_parse_nested_deprecated(tb, MAX_NL80211_REKEY_DATA,
15764 					  info->attrs[NL80211_ATTR_REKEY_DATA],
15765 					  nl80211_rekey_policy, info->extack);
15766 	if (err)
15767 		return err;
15768 
15769 	if (!tb[NL80211_REKEY_DATA_REPLAY_CTR] || !tb[NL80211_REKEY_DATA_KEK] ||
15770 	    !tb[NL80211_REKEY_DATA_KCK])
15771 		return -EINVAL;
15772 	if (nla_len(tb[NL80211_REKEY_DATA_KEK]) != NL80211_KEK_LEN &&
15773 	    !(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_EXT_KEK_KCK &&
15774 	      nla_len(tb[NL80211_REKEY_DATA_KEK]) == NL80211_KEK_EXT_LEN))
15775 		return -ERANGE;
15776 	if (nla_len(tb[NL80211_REKEY_DATA_KCK]) != NL80211_KCK_LEN &&
15777 	    !(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_EXT_KEK_KCK &&
15778 	      nla_len(tb[NL80211_REKEY_DATA_KCK]) == NL80211_KCK_EXT_LEN) &&
15779 	     !(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_EXT_KCK_32 &&
15780 	       nla_len(tb[NL80211_REKEY_DATA_KCK]) == NL80211_KCK_EXT_LEN_32))
15781 		return -ERANGE;
15782 
15783 	rekey_data.kek = nla_data(tb[NL80211_REKEY_DATA_KEK]);
15784 	rekey_data.kck = nla_data(tb[NL80211_REKEY_DATA_KCK]);
15785 	rekey_data.replay_ctr = nla_data(tb[NL80211_REKEY_DATA_REPLAY_CTR]);
15786 	rekey_data.kek_len = nla_len(tb[NL80211_REKEY_DATA_KEK]);
15787 	rekey_data.kck_len = nla_len(tb[NL80211_REKEY_DATA_KCK]);
15788 	if (tb[NL80211_REKEY_DATA_AKM])
15789 		rekey_data.akm = nla_get_u32(tb[NL80211_REKEY_DATA_AKM]);
15790 
15791 	if (!wdev->connected)
15792 		return -ENOTCONN;
15793 
15794 	if (!rdev->ops->set_rekey_data)
15795 		return -EOPNOTSUPP;
15796 
15797 	return rdev_set_rekey_data(rdev, dev, &rekey_data);
15798 }
15799 
15800 static int nl80211_register_unexpected_frame(struct sk_buff *skb,
15801 					     struct genl_info *info)
15802 {
15803 	struct net_device *dev = info->user_ptr[1];
15804 	struct wireless_dev *wdev = dev->ieee80211_ptr;
15805 
15806 	if (wdev->iftype != NL80211_IFTYPE_AP &&
15807 	    wdev->iftype != NL80211_IFTYPE_P2P_GO &&
15808 	    wdev->iftype != NL80211_IFTYPE_NAN_DATA)
15809 		return -EINVAL;
15810 
15811 	if (wdev->unexpected_nlportid)
15812 		return -EBUSY;
15813 
15814 	wdev->unexpected_nlportid = info->snd_portid;
15815 	return 0;
15816 }
15817 
15818 static int nl80211_probe_client(struct sk_buff *skb,
15819 				struct genl_info *info)
15820 {
15821 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15822 	struct net_device *dev = info->user_ptr[1];
15823 	struct wireless_dev *wdev = dev->ieee80211_ptr;
15824 	struct sk_buff *msg;
15825 	void *hdr;
15826 	const u8 *addr;
15827 	u64 cookie;
15828 	int err;
15829 
15830 	if (wdev->iftype != NL80211_IFTYPE_AP &&
15831 	    wdev->iftype != NL80211_IFTYPE_P2P_GO)
15832 		return -EOPNOTSUPP;
15833 
15834 	if (!info->attrs[NL80211_ATTR_MAC])
15835 		return -EINVAL;
15836 
15837 	if (!rdev->ops->probe_client)
15838 		return -EOPNOTSUPP;
15839 
15840 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
15841 	if (!msg)
15842 		return -ENOMEM;
15843 
15844 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
15845 			     NL80211_CMD_PROBE_CLIENT);
15846 	if (!hdr) {
15847 		err = -ENOBUFS;
15848 		goto free_msg;
15849 	}
15850 
15851 	addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
15852 
15853 	err = rdev_probe_client(rdev, dev, addr, &cookie);
15854 	if (err)
15855 		goto free_msg;
15856 
15857 	if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
15858 			      NL80211_ATTR_PAD))
15859 		goto nla_put_failure;
15860 
15861 	genlmsg_end(msg, hdr);
15862 
15863 	return genlmsg_reply(msg, info);
15864 
15865  nla_put_failure:
15866 	err = -ENOBUFS;
15867  free_msg:
15868 	nlmsg_free(msg);
15869 	return err;
15870 }
15871 
15872 static int nl80211_register_beacons(struct sk_buff *skb, struct genl_info *info)
15873 {
15874 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15875 	struct cfg80211_beacon_registration *reg, *nreg;
15876 	int rv;
15877 
15878 	if (!(rdev->wiphy.flags & WIPHY_FLAG_REPORTS_OBSS))
15879 		return -EOPNOTSUPP;
15880 
15881 	nreg = kzalloc_obj(*nreg);
15882 	if (!nreg)
15883 		return -ENOMEM;
15884 
15885 	/* First, check if already registered. */
15886 	spin_lock_bh(&rdev->beacon_registrations_lock);
15887 	list_for_each_entry(reg, &rdev->beacon_registrations, list) {
15888 		if (reg->nlportid == info->snd_portid) {
15889 			rv = -EALREADY;
15890 			goto out_err;
15891 		}
15892 	}
15893 	/* Add it to the list */
15894 	nreg->nlportid = info->snd_portid;
15895 	list_add(&nreg->list, &rdev->beacon_registrations);
15896 
15897 	spin_unlock_bh(&rdev->beacon_registrations_lock);
15898 
15899 	return 0;
15900 out_err:
15901 	spin_unlock_bh(&rdev->beacon_registrations_lock);
15902 	kfree(nreg);
15903 	return rv;
15904 }
15905 
15906 static int nl80211_start_p2p_device(struct sk_buff *skb, struct genl_info *info)
15907 {
15908 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15909 	struct wireless_dev *wdev = info->user_ptr[1];
15910 	int err;
15911 
15912 	if (!rdev->ops->start_p2p_device)
15913 		return -EOPNOTSUPP;
15914 
15915 	if (wdev->iftype != NL80211_IFTYPE_P2P_DEVICE)
15916 		return -EOPNOTSUPP;
15917 
15918 	if (wdev_running(wdev))
15919 		return 0;
15920 
15921 	if (rfkill_blocked(rdev->wiphy.rfkill))
15922 		return -ERFKILL;
15923 
15924 	err = rdev_start_p2p_device(rdev, wdev);
15925 	if (err)
15926 		return err;
15927 
15928 	wdev->is_running = true;
15929 	rdev->opencount++;
15930 
15931 	return 0;
15932 }
15933 
15934 static int nl80211_stop_p2p_device(struct sk_buff *skb, struct genl_info *info)
15935 {
15936 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15937 	struct wireless_dev *wdev = info->user_ptr[1];
15938 
15939 	if (wdev->iftype != NL80211_IFTYPE_P2P_DEVICE)
15940 		return -EOPNOTSUPP;
15941 
15942 	if (!rdev->ops->stop_p2p_device)
15943 		return -EOPNOTSUPP;
15944 
15945 	cfg80211_stop_p2p_device(rdev, wdev);
15946 
15947 	return 0;
15948 }
15949 
15950 static struct ieee80211_channel *nl80211_get_nan_channel(struct wiphy *wiphy,
15951 							 int freq)
15952 {
15953 	struct ieee80211_channel *chan;
15954 	struct cfg80211_chan_def def;
15955 
15956 	/* Check if the frequency is valid for NAN */
15957 	if (freq != 5220 && freq != 5745 && freq != 2437)
15958 		return NULL;
15959 
15960 	chan = ieee80211_get_channel(wiphy, freq);
15961 	if (!chan)
15962 		return NULL;
15963 
15964 	cfg80211_chandef_create(&def, chan, NL80211_CHAN_NO_HT);
15965 
15966 	/* Check if the channel is allowed */
15967 	if (cfg80211_reg_can_beacon(wiphy, &def, NL80211_IFTYPE_NAN))
15968 		return chan;
15969 
15970 	return NULL;
15971 }
15972 
15973 static int nl80211_parse_nan_band_config(struct wiphy *wiphy,
15974 					 struct nlattr **tb,
15975 					 struct cfg80211_nan_band_config *cfg,
15976 					 enum nl80211_band band)
15977 {
15978 	if (BIT(band) & ~(u32)wiphy->nan_supported_bands)
15979 		return -EINVAL;
15980 
15981 	if (tb[NL80211_NAN_BAND_CONF_FREQ]) {
15982 		u16 freq = nla_get_u16(tb[NL80211_NAN_BAND_CONF_FREQ]);
15983 
15984 		if (band != NL80211_BAND_5GHZ)
15985 			return -EINVAL;
15986 
15987 		cfg->chan = nl80211_get_nan_channel(wiphy, freq);
15988 		if (!cfg->chan)
15989 			return -EINVAL;
15990 	}
15991 
15992 	if (tb[NL80211_NAN_BAND_CONF_RSSI_CLOSE]) {
15993 		cfg->rssi_close =
15994 			nla_get_s8(tb[NL80211_NAN_BAND_CONF_RSSI_CLOSE]);
15995 		if (!tb[NL80211_NAN_BAND_CONF_RSSI_MIDDLE])
15996 			return -EINVAL;
15997 	}
15998 
15999 	if (tb[NL80211_NAN_BAND_CONF_RSSI_MIDDLE]) {
16000 		cfg->rssi_middle =
16001 			nla_get_s8(tb[NL80211_NAN_BAND_CONF_RSSI_MIDDLE]);
16002 		if (!cfg->rssi_close || cfg->rssi_middle >= cfg->rssi_close)
16003 			return -EINVAL;
16004 	}
16005 
16006 	if (tb[NL80211_NAN_BAND_CONF_WAKE_DW]) {
16007 		cfg->awake_dw_interval =
16008 			nla_get_u8(tb[NL80211_NAN_BAND_CONF_WAKE_DW]);
16009 
16010 		if (band == NL80211_BAND_2GHZ && cfg->awake_dw_interval == 0)
16011 			return -EINVAL;
16012 	}
16013 
16014 	cfg->disable_scan =
16015 		nla_get_flag(tb[NL80211_NAN_BAND_CONF_DISABLE_SCAN]);
16016 	return 0;
16017 }
16018 
16019 static int nl80211_parse_nan_conf(struct wiphy *wiphy,
16020 				  struct genl_info *info,
16021 				  struct cfg80211_nan_conf *conf,
16022 				  u32 *changed_flags,
16023 				  bool start)
16024 {
16025 	struct nlattr *attrs[NL80211_NAN_CONF_ATTR_MAX + 1];
16026 	int err, rem;
16027 	u32 changed = 0;
16028 	struct nlattr *band_config;
16029 
16030 	if (info->attrs[NL80211_ATTR_NAN_MASTER_PREF]) {
16031 		conf->master_pref =
16032 			nla_get_u8(info->attrs[NL80211_ATTR_NAN_MASTER_PREF]);
16033 
16034 		changed |= CFG80211_NAN_CONF_CHANGED_PREF;
16035 	}
16036 
16037 	if (info->attrs[NL80211_ATTR_BANDS]) {
16038 		u32 bands = nla_get_u32(info->attrs[NL80211_ATTR_BANDS]);
16039 
16040 		if (bands & ~(u32)wiphy->nan_supported_bands)
16041 			return -EOPNOTSUPP;
16042 
16043 		if (bands && !(bands & BIT(NL80211_BAND_2GHZ)))
16044 			return -EINVAL;
16045 
16046 		conf->bands = bands;
16047 		changed |= CFG80211_NAN_CONF_CHANGED_BANDS;
16048 	}
16049 
16050 	conf->band_cfgs[NL80211_BAND_2GHZ].awake_dw_interval = 1;
16051 	if (conf->bands & BIT(NL80211_BAND_5GHZ) || !conf->bands)
16052 		conf->band_cfgs[NL80211_BAND_5GHZ].awake_dw_interval = 1;
16053 
16054 	/* On 2.4 GHz band use channel 6 */
16055 	conf->band_cfgs[NL80211_BAND_2GHZ].chan =
16056 		nl80211_get_nan_channel(wiphy, 2437);
16057 	if (!conf->band_cfgs[NL80211_BAND_2GHZ].chan)
16058 		return -EINVAL;
16059 
16060 	if (!info->attrs[NL80211_ATTR_NAN_CONFIG])
16061 		goto out;
16062 
16063 	err = nla_parse_nested(attrs, NL80211_NAN_CONF_ATTR_MAX,
16064 			       info->attrs[NL80211_ATTR_NAN_CONFIG], NULL,
16065 			       info->extack);
16066 	if (err)
16067 		return err;
16068 
16069 	changed |= CFG80211_NAN_CONF_CHANGED_CONFIG;
16070 	if (attrs[NL80211_NAN_CONF_CLUSTER_ID] && start) {
16071 		ether_addr_copy(conf->cluster_id,
16072 				nla_data(attrs[NL80211_NAN_CONF_CLUSTER_ID]));
16073 	} else if (start) {
16074 		conf->cluster_id[0] = 0x50;
16075 		conf->cluster_id[1] = 0x6f;
16076 		conf->cluster_id[2] = 0x9a;
16077 		conf->cluster_id[3] = 0x01;
16078 		get_random_bytes(&conf->cluster_id[4], 2);
16079 	}
16080 
16081 	if (attrs[NL80211_NAN_CONF_EXTRA_ATTRS]) {
16082 		conf->extra_nan_attrs =
16083 			nla_data(attrs[NL80211_NAN_CONF_EXTRA_ATTRS]);
16084 		conf->extra_nan_attrs_len =
16085 			nla_len(attrs[NL80211_NAN_CONF_EXTRA_ATTRS]);
16086 	}
16087 
16088 	if (attrs[NL80211_NAN_CONF_VENDOR_ELEMS]) {
16089 		conf->vendor_elems =
16090 			nla_data(attrs[NL80211_NAN_CONF_VENDOR_ELEMS]);
16091 		conf->vendor_elems_len =
16092 			nla_len(attrs[NL80211_NAN_CONF_VENDOR_ELEMS]);
16093 	}
16094 
16095 	if (attrs[NL80211_NAN_CONF_BAND_CONFIGS]) {
16096 		nla_for_each_nested(band_config,
16097 				    attrs[NL80211_NAN_CONF_BAND_CONFIGS],
16098 				    rem) {
16099 			enum nl80211_band band;
16100 			struct cfg80211_nan_band_config *cfg;
16101 			struct nlattr *tb[NL80211_NAN_BAND_CONF_ATTR_MAX + 1];
16102 
16103 			err = nla_parse_nested(tb,
16104 					       NL80211_NAN_BAND_CONF_ATTR_MAX,
16105 					       band_config, NULL,
16106 					       info->extack);
16107 			if (err)
16108 				return err;
16109 
16110 			if (!tb[NL80211_NAN_BAND_CONF_BAND])
16111 				return -EINVAL;
16112 
16113 			band = nla_get_u8(tb[NL80211_NAN_BAND_CONF_BAND]);
16114 			if (conf->bands && !(conf->bands & BIT(band)))
16115 				return -EINVAL;
16116 
16117 			cfg = &conf->band_cfgs[band];
16118 
16119 			err = nl80211_parse_nan_band_config(wiphy, tb, cfg,
16120 							    band);
16121 			if (err)
16122 				return err;
16123 		}
16124 	}
16125 
16126 	if (attrs[NL80211_NAN_CONF_SCAN_PERIOD])
16127 		conf->scan_period =
16128 			nla_get_u16(attrs[NL80211_NAN_CONF_SCAN_PERIOD]);
16129 
16130 	if (attrs[NL80211_NAN_CONF_SCAN_DWELL_TIME])
16131 		conf->scan_dwell_time =
16132 			nla_get_u16(attrs[NL80211_NAN_CONF_SCAN_DWELL_TIME]);
16133 
16134 	if (attrs[NL80211_NAN_CONF_DISCOVERY_BEACON_INTERVAL])
16135 		conf->discovery_beacon_interval =
16136 			nla_get_u8(attrs[NL80211_NAN_CONF_DISCOVERY_BEACON_INTERVAL]);
16137 
16138 	if (attrs[NL80211_NAN_CONF_NOTIFY_DW])
16139 		conf->enable_dw_notification =
16140 			nla_get_flag(attrs[NL80211_NAN_CONF_NOTIFY_DW]);
16141 
16142 out:
16143 	if (!conf->band_cfgs[NL80211_BAND_5GHZ].chan &&
16144 	    (!conf->bands || conf->bands & BIT(NL80211_BAND_5GHZ))) {
16145 		/* If no 5GHz channel is specified use default, if possible */
16146 		conf->band_cfgs[NL80211_BAND_5GHZ].chan =
16147 				nl80211_get_nan_channel(wiphy, 5745);
16148 		if (!conf->band_cfgs[NL80211_BAND_5GHZ].chan)
16149 			conf->band_cfgs[NL80211_BAND_5GHZ].chan =
16150 					nl80211_get_nan_channel(wiphy, 5220);
16151 
16152 		/* Return error if user space asked explicitly for 5 GHz */
16153 		if (!conf->band_cfgs[NL80211_BAND_5GHZ].chan &&
16154 		    conf->bands & BIT(NL80211_BAND_5GHZ)) {
16155 			NL_SET_ERR_MSG_ATTR(info->extack,
16156 					    info->attrs[NL80211_ATTR_BANDS],
16157 					    "5 GHz band operation is not allowed");
16158 			return -EINVAL;
16159 		}
16160 	}
16161 
16162 	if (changed_flags)
16163 		*changed_flags = changed;
16164 
16165 	return 0;
16166 }
16167 
16168 static int nl80211_start_nan(struct sk_buff *skb, struct genl_info *info)
16169 {
16170 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
16171 	struct wireless_dev *wdev = info->user_ptr[1];
16172 	struct cfg80211_nan_conf conf = {};
16173 	int err;
16174 
16175 	if (wdev->iftype != NL80211_IFTYPE_NAN)
16176 		return -EOPNOTSUPP;
16177 
16178 	if (wdev_running(wdev))
16179 		return -EEXIST;
16180 
16181 	if (rfkill_blocked(rdev->wiphy.rfkill))
16182 		return -ERFKILL;
16183 
16184 	/* Master preference is mandatory for START_NAN */
16185 	if (!info->attrs[NL80211_ATTR_NAN_MASTER_PREF])
16186 		return -EINVAL;
16187 
16188 	err = nl80211_parse_nan_conf(&rdev->wiphy, info, &conf, NULL, true);
16189 	if (err)
16190 		return err;
16191 
16192 	err = rdev_start_nan(rdev, wdev, &conf);
16193 	if (err)
16194 		return err;
16195 
16196 	wdev->is_running = true;
16197 	rdev->opencount++;
16198 
16199 	return 0;
16200 }
16201 
16202 static int nl80211_stop_nan(struct sk_buff *skb, struct genl_info *info)
16203 {
16204 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
16205 	struct wireless_dev *wdev = info->user_ptr[1];
16206 
16207 	if (wdev->iftype != NL80211_IFTYPE_NAN)
16208 		return -EOPNOTSUPP;
16209 
16210 	cfg80211_close_dependents(rdev, wdev);
16211 
16212 	guard(wiphy)(&rdev->wiphy);
16213 
16214 	cfg80211_stop_nan(rdev, wdev);
16215 
16216 	return 0;
16217 }
16218 
16219 static int validate_nan_filter(struct nlattr *filter_attr)
16220 {
16221 	struct nlattr *attr;
16222 	int len = 0, n_entries = 0, rem;
16223 
16224 	nla_for_each_nested(attr, filter_attr, rem) {
16225 		len += nla_len(attr);
16226 		n_entries++;
16227 	}
16228 
16229 	if (len >= U8_MAX)
16230 		return -EINVAL;
16231 
16232 	return n_entries;
16233 }
16234 
16235 static int handle_nan_filter(struct nlattr *attr_filter,
16236 			     struct cfg80211_nan_func *func,
16237 			     bool tx)
16238 {
16239 	struct nlattr *attr;
16240 	int n_entries, rem, i;
16241 	struct cfg80211_nan_func_filter *filter;
16242 
16243 	n_entries = validate_nan_filter(attr_filter);
16244 	if (n_entries < 0)
16245 		return n_entries;
16246 
16247 	BUILD_BUG_ON(sizeof(*func->rx_filters) != sizeof(*func->tx_filters));
16248 
16249 	filter = kzalloc_objs(*func->rx_filters, n_entries);
16250 	if (!filter)
16251 		return -ENOMEM;
16252 
16253 	i = 0;
16254 	nla_for_each_nested(attr, attr_filter, rem) {
16255 		filter[i].filter = nla_memdup(attr, GFP_KERNEL);
16256 		if (!filter[i].filter)
16257 			goto err;
16258 
16259 		filter[i].len = nla_len(attr);
16260 		i++;
16261 	}
16262 	if (tx) {
16263 		func->num_tx_filters = n_entries;
16264 		func->tx_filters = filter;
16265 	} else {
16266 		func->num_rx_filters = n_entries;
16267 		func->rx_filters = filter;
16268 	}
16269 
16270 	return 0;
16271 
16272 err:
16273 	i = 0;
16274 	nla_for_each_nested(attr, attr_filter, rem) {
16275 		kfree(filter[i].filter);
16276 		i++;
16277 	}
16278 	kfree(filter);
16279 	return -ENOMEM;
16280 }
16281 
16282 static int nl80211_nan_add_func(struct sk_buff *skb,
16283 				struct genl_info *info)
16284 {
16285 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
16286 	struct wireless_dev *wdev = info->user_ptr[1];
16287 	struct nlattr *tb[NUM_NL80211_NAN_FUNC_ATTR], *func_attr;
16288 	struct cfg80211_nan_func *func;
16289 	struct sk_buff *msg = NULL;
16290 	void *hdr = NULL;
16291 	int err = 0;
16292 
16293 	if (wdev->iftype != NL80211_IFTYPE_NAN)
16294 		return -EOPNOTSUPP;
16295 
16296 	if (!wdev_running(wdev))
16297 		return -ENOTCONN;
16298 
16299 	if (!info->attrs[NL80211_ATTR_NAN_FUNC])
16300 		return -EINVAL;
16301 
16302 	err = nla_parse_nested_deprecated(tb, NL80211_NAN_FUNC_ATTR_MAX,
16303 					  info->attrs[NL80211_ATTR_NAN_FUNC],
16304 					  nl80211_nan_func_policy,
16305 					  info->extack);
16306 	if (err)
16307 		return err;
16308 
16309 	func = kzalloc_obj(*func);
16310 	if (!func)
16311 		return -ENOMEM;
16312 
16313 	func->cookie = cfg80211_assign_cookie(rdev);
16314 
16315 	if (!tb[NL80211_NAN_FUNC_TYPE]) {
16316 		err = -EINVAL;
16317 		goto out;
16318 	}
16319 
16320 
16321 	func->type = nla_get_u8(tb[NL80211_NAN_FUNC_TYPE]);
16322 
16323 	if (!tb[NL80211_NAN_FUNC_SERVICE_ID]) {
16324 		err = -EINVAL;
16325 		goto out;
16326 	}
16327 
16328 	memcpy(func->service_id, nla_data(tb[NL80211_NAN_FUNC_SERVICE_ID]),
16329 	       sizeof(func->service_id));
16330 
16331 	func->close_range =
16332 		nla_get_flag(tb[NL80211_NAN_FUNC_CLOSE_RANGE]);
16333 
16334 	if (tb[NL80211_NAN_FUNC_SERVICE_INFO]) {
16335 		func->serv_spec_info_len =
16336 			nla_len(tb[NL80211_NAN_FUNC_SERVICE_INFO]);
16337 		func->serv_spec_info =
16338 			kmemdup(nla_data(tb[NL80211_NAN_FUNC_SERVICE_INFO]),
16339 				func->serv_spec_info_len,
16340 				GFP_KERNEL);
16341 		if (!func->serv_spec_info) {
16342 			err = -ENOMEM;
16343 			goto out;
16344 		}
16345 	}
16346 
16347 	if (tb[NL80211_NAN_FUNC_TTL])
16348 		func->ttl = nla_get_u32(tb[NL80211_NAN_FUNC_TTL]);
16349 
16350 	switch (func->type) {
16351 	case NL80211_NAN_FUNC_PUBLISH:
16352 		if (!tb[NL80211_NAN_FUNC_PUBLISH_TYPE]) {
16353 			err = -EINVAL;
16354 			goto out;
16355 		}
16356 
16357 		func->publish_type =
16358 			nla_get_u8(tb[NL80211_NAN_FUNC_PUBLISH_TYPE]);
16359 		func->publish_bcast =
16360 			nla_get_flag(tb[NL80211_NAN_FUNC_PUBLISH_BCAST]);
16361 
16362 		if ((!(func->publish_type & NL80211_NAN_SOLICITED_PUBLISH)) &&
16363 			func->publish_bcast) {
16364 			err = -EINVAL;
16365 			goto out;
16366 		}
16367 		break;
16368 	case NL80211_NAN_FUNC_SUBSCRIBE:
16369 		func->subscribe_active =
16370 			nla_get_flag(tb[NL80211_NAN_FUNC_SUBSCRIBE_ACTIVE]);
16371 		break;
16372 	case NL80211_NAN_FUNC_FOLLOW_UP:
16373 		if (!tb[NL80211_NAN_FUNC_FOLLOW_UP_ID] ||
16374 		    !tb[NL80211_NAN_FUNC_FOLLOW_UP_REQ_ID] ||
16375 		    !tb[NL80211_NAN_FUNC_FOLLOW_UP_DEST]) {
16376 			err = -EINVAL;
16377 			goto out;
16378 		}
16379 
16380 		func->followup_id =
16381 			nla_get_u8(tb[NL80211_NAN_FUNC_FOLLOW_UP_ID]);
16382 		func->followup_reqid =
16383 			nla_get_u8(tb[NL80211_NAN_FUNC_FOLLOW_UP_REQ_ID]);
16384 		memcpy(func->followup_dest.addr,
16385 		       nla_data(tb[NL80211_NAN_FUNC_FOLLOW_UP_DEST]),
16386 		       sizeof(func->followup_dest.addr));
16387 		if (func->ttl) {
16388 			err = -EINVAL;
16389 			goto out;
16390 		}
16391 		break;
16392 	default:
16393 		err = -EINVAL;
16394 		goto out;
16395 	}
16396 
16397 	if (tb[NL80211_NAN_FUNC_SRF]) {
16398 		struct nlattr *srf_tb[NUM_NL80211_NAN_SRF_ATTR];
16399 
16400 		err = nla_parse_nested_deprecated(srf_tb,
16401 						  NL80211_NAN_SRF_ATTR_MAX,
16402 						  tb[NL80211_NAN_FUNC_SRF],
16403 						  nl80211_nan_srf_policy,
16404 						  info->extack);
16405 		if (err)
16406 			goto out;
16407 
16408 		func->srf_include =
16409 			nla_get_flag(srf_tb[NL80211_NAN_SRF_INCLUDE]);
16410 
16411 		if (srf_tb[NL80211_NAN_SRF_BF]) {
16412 			if (srf_tb[NL80211_NAN_SRF_MAC_ADDRS] ||
16413 			    !srf_tb[NL80211_NAN_SRF_BF_IDX]) {
16414 				err = -EINVAL;
16415 				goto out;
16416 			}
16417 
16418 			func->srf_bf_len =
16419 				nla_len(srf_tb[NL80211_NAN_SRF_BF]);
16420 			func->srf_bf =
16421 				kmemdup(nla_data(srf_tb[NL80211_NAN_SRF_BF]),
16422 					func->srf_bf_len, GFP_KERNEL);
16423 			if (!func->srf_bf) {
16424 				err = -ENOMEM;
16425 				goto out;
16426 			}
16427 
16428 			func->srf_bf_idx =
16429 				nla_get_u8(srf_tb[NL80211_NAN_SRF_BF_IDX]);
16430 		} else {
16431 			struct nlattr *attr, *mac_attr =
16432 				srf_tb[NL80211_NAN_SRF_MAC_ADDRS];
16433 			int n_entries, rem, i = 0;
16434 
16435 			if (!mac_attr) {
16436 				err = -EINVAL;
16437 				goto out;
16438 			}
16439 
16440 			n_entries = validate_acl_mac_addrs(mac_attr);
16441 			if (n_entries <= 0) {
16442 				err = -EINVAL;
16443 				goto out;
16444 			}
16445 
16446 			func->srf_num_macs = n_entries;
16447 			func->srf_macs =
16448 				kzalloc_objs(*func->srf_macs, n_entries);
16449 			if (!func->srf_macs) {
16450 				err = -ENOMEM;
16451 				goto out;
16452 			}
16453 
16454 			nla_for_each_nested(attr, mac_attr, rem)
16455 				memcpy(func->srf_macs[i++].addr, nla_data(attr),
16456 				       sizeof(*func->srf_macs));
16457 		}
16458 	}
16459 
16460 	if (tb[NL80211_NAN_FUNC_TX_MATCH_FILTER]) {
16461 		err = handle_nan_filter(tb[NL80211_NAN_FUNC_TX_MATCH_FILTER],
16462 					func, true);
16463 		if (err)
16464 			goto out;
16465 	}
16466 
16467 	if (tb[NL80211_NAN_FUNC_RX_MATCH_FILTER]) {
16468 		err = handle_nan_filter(tb[NL80211_NAN_FUNC_RX_MATCH_FILTER],
16469 					func, false);
16470 		if (err)
16471 			goto out;
16472 	}
16473 
16474 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
16475 	if (!msg) {
16476 		err = -ENOMEM;
16477 		goto out;
16478 	}
16479 
16480 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
16481 			     NL80211_CMD_ADD_NAN_FUNCTION);
16482 	/* This can't really happen - we just allocated 4KB */
16483 	if (WARN_ON(!hdr)) {
16484 		err = -ENOMEM;
16485 		goto out;
16486 	}
16487 
16488 	err = rdev_add_nan_func(rdev, wdev, func);
16489 out:
16490 	if (err < 0) {
16491 		cfg80211_free_nan_func(func);
16492 		nlmsg_free(msg);
16493 		return err;
16494 	}
16495 
16496 	/* propagate the instance id and cookie to userspace  */
16497 	if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, func->cookie,
16498 			      NL80211_ATTR_PAD))
16499 		goto nla_put_failure;
16500 
16501 	func_attr = nla_nest_start_noflag(msg, NL80211_ATTR_NAN_FUNC);
16502 	if (!func_attr)
16503 		goto nla_put_failure;
16504 
16505 	if (nla_put_u8(msg, NL80211_NAN_FUNC_INSTANCE_ID,
16506 		       func->instance_id))
16507 		goto nla_put_failure;
16508 
16509 	nla_nest_end(msg, func_attr);
16510 
16511 	genlmsg_end(msg, hdr);
16512 	return genlmsg_reply(msg, info);
16513 
16514 nla_put_failure:
16515 	nlmsg_free(msg);
16516 	return -ENOBUFS;
16517 }
16518 
16519 static int nl80211_nan_del_func(struct sk_buff *skb,
16520 			       struct genl_info *info)
16521 {
16522 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
16523 	struct wireless_dev *wdev = info->user_ptr[1];
16524 	u64 cookie;
16525 
16526 	if (wdev->iftype != NL80211_IFTYPE_NAN)
16527 		return -EOPNOTSUPP;
16528 
16529 	if (!wdev_running(wdev))
16530 		return -ENOTCONN;
16531 
16532 	if (!info->attrs[NL80211_ATTR_COOKIE])
16533 		return -EINVAL;
16534 
16535 	cookie = nla_get_u64(info->attrs[NL80211_ATTR_COOKIE]);
16536 
16537 	rdev_del_nan_func(rdev, wdev, cookie);
16538 
16539 	return 0;
16540 }
16541 
16542 static int nl80211_nan_change_config(struct sk_buff *skb,
16543 				     struct genl_info *info)
16544 {
16545 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
16546 	struct wireless_dev *wdev = info->user_ptr[1];
16547 	struct cfg80211_nan_conf conf = {};
16548 	u32 changed = 0;
16549 	int err;
16550 
16551 	if (wdev->iftype != NL80211_IFTYPE_NAN)
16552 		return -EOPNOTSUPP;
16553 
16554 	if (!wdev_running(wdev))
16555 		return -ENOTCONN;
16556 
16557 	err = nl80211_parse_nan_conf(&rdev->wiphy, info, &conf, &changed, false);
16558 	if (err)
16559 		return err;
16560 
16561 	if (!changed)
16562 		return -EINVAL;
16563 
16564 	return rdev_nan_change_conf(rdev, wdev, &conf, changed);
16565 }
16566 
16567 void cfg80211_nan_match(struct wireless_dev *wdev,
16568 			struct cfg80211_nan_match_params *match, gfp_t gfp)
16569 {
16570 	struct wiphy *wiphy = wdev->wiphy;
16571 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
16572 	struct nlattr *match_attr, *local_func_attr, *peer_func_attr;
16573 	struct sk_buff *msg;
16574 	void *hdr;
16575 
16576 	if (WARN_ON(wiphy->nan_capa.flags & WIPHY_NAN_FLAGS_USERSPACE_DE))
16577 		return;
16578 
16579 	if (WARN_ON(!match->inst_id || !match->peer_inst_id || !match->addr))
16580 		return;
16581 
16582 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
16583 	if (!msg)
16584 		return;
16585 
16586 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_NAN_MATCH);
16587 	if (!hdr) {
16588 		nlmsg_free(msg);
16589 		return;
16590 	}
16591 
16592 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
16593 	    (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
16594 					 wdev->netdev->ifindex)) ||
16595 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
16596 			      NL80211_ATTR_PAD))
16597 		goto nla_put_failure;
16598 
16599 	if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, match->cookie,
16600 			      NL80211_ATTR_PAD) ||
16601 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, match->addr))
16602 		goto nla_put_failure;
16603 
16604 	match_attr = nla_nest_start_noflag(msg, NL80211_ATTR_NAN_MATCH);
16605 	if (!match_attr)
16606 		goto nla_put_failure;
16607 
16608 	local_func_attr = nla_nest_start_noflag(msg,
16609 						NL80211_NAN_MATCH_FUNC_LOCAL);
16610 	if (!local_func_attr)
16611 		goto nla_put_failure;
16612 
16613 	if (nla_put_u8(msg, NL80211_NAN_FUNC_INSTANCE_ID, match->inst_id))
16614 		goto nla_put_failure;
16615 
16616 	nla_nest_end(msg, local_func_attr);
16617 
16618 	peer_func_attr = nla_nest_start_noflag(msg,
16619 					       NL80211_NAN_MATCH_FUNC_PEER);
16620 	if (!peer_func_attr)
16621 		goto nla_put_failure;
16622 
16623 	if (nla_put_u8(msg, NL80211_NAN_FUNC_TYPE, match->type) ||
16624 	    nla_put_u8(msg, NL80211_NAN_FUNC_INSTANCE_ID, match->peer_inst_id))
16625 		goto nla_put_failure;
16626 
16627 	if (match->info && match->info_len &&
16628 	    nla_put(msg, NL80211_NAN_FUNC_SERVICE_INFO, match->info_len,
16629 		    match->info))
16630 		goto nla_put_failure;
16631 
16632 	nla_nest_end(msg, peer_func_attr);
16633 	nla_nest_end(msg, match_attr);
16634 	genlmsg_end(msg, hdr);
16635 
16636 	if (!wdev->owner_nlportid)
16637 		genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy),
16638 					msg, 0, NL80211_MCGRP_NAN, gfp);
16639 	else
16640 		genlmsg_unicast(wiphy_net(&rdev->wiphy), msg,
16641 				wdev->owner_nlportid);
16642 
16643 	return;
16644 
16645 nla_put_failure:
16646 	nlmsg_free(msg);
16647 }
16648 EXPORT_SYMBOL(cfg80211_nan_match);
16649 
16650 void cfg80211_nan_func_terminated(struct wireless_dev *wdev,
16651 				  u8 inst_id,
16652 				  enum nl80211_nan_func_term_reason reason,
16653 				  u64 cookie, gfp_t gfp)
16654 {
16655 	struct wiphy *wiphy = wdev->wiphy;
16656 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
16657 	struct sk_buff *msg;
16658 	struct nlattr *func_attr;
16659 	void *hdr;
16660 
16661 	if (WARN_ON(wiphy->nan_capa.flags & WIPHY_NAN_FLAGS_USERSPACE_DE))
16662 		return;
16663 
16664 	if (WARN_ON(!inst_id))
16665 		return;
16666 
16667 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
16668 	if (!msg)
16669 		return;
16670 
16671 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_DEL_NAN_FUNCTION);
16672 	if (!hdr) {
16673 		nlmsg_free(msg);
16674 		return;
16675 	}
16676 
16677 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
16678 	    (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
16679 					 wdev->netdev->ifindex)) ||
16680 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
16681 			      NL80211_ATTR_PAD))
16682 		goto nla_put_failure;
16683 
16684 	if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
16685 			      NL80211_ATTR_PAD))
16686 		goto nla_put_failure;
16687 
16688 	func_attr = nla_nest_start_noflag(msg, NL80211_ATTR_NAN_FUNC);
16689 	if (!func_attr)
16690 		goto nla_put_failure;
16691 
16692 	if (nla_put_u8(msg, NL80211_NAN_FUNC_INSTANCE_ID, inst_id) ||
16693 	    nla_put_u8(msg, NL80211_NAN_FUNC_TERM_REASON, reason))
16694 		goto nla_put_failure;
16695 
16696 	nla_nest_end(msg, func_attr);
16697 	genlmsg_end(msg, hdr);
16698 
16699 	if (!wdev->owner_nlportid)
16700 		genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy),
16701 					msg, 0, NL80211_MCGRP_NAN, gfp);
16702 	else
16703 		genlmsg_unicast(wiphy_net(&rdev->wiphy), msg,
16704 				wdev->owner_nlportid);
16705 
16706 	return;
16707 
16708 nla_put_failure:
16709 	nlmsg_free(msg);
16710 }
16711 EXPORT_SYMBOL(cfg80211_nan_func_terminated);
16712 
16713 void cfg80211_nan_sched_update_done(struct wireless_dev *wdev, bool success,
16714 				    gfp_t gfp)
16715 {
16716 	struct wiphy *wiphy = wdev->wiphy;
16717 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
16718 	struct sk_buff *msg;
16719 	void *hdr;
16720 
16721 	trace_cfg80211_nan_sched_update_done(wiphy, wdev, success);
16722 
16723 	/* Can happen if we stopped NAN */
16724 	if (!wdev->u.nan.sched_update_pending)
16725 		return;
16726 
16727 	wdev->u.nan.sched_update_pending = false;
16728 
16729 	if (!wdev->owner_nlportid)
16730 		return;
16731 
16732 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
16733 	if (!msg)
16734 		return;
16735 
16736 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_NAN_SCHED_UPDATE_DONE);
16737 	if (!hdr)
16738 		goto nla_put_failure;
16739 
16740 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
16741 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
16742 			      NL80211_ATTR_PAD) ||
16743 	    (success &&
16744 	     nla_put_flag(msg, NL80211_ATTR_NAN_SCHED_UPDATE_SUCCESS)))
16745 		goto nla_put_failure;
16746 
16747 	genlmsg_end(msg, hdr);
16748 
16749 	genlmsg_unicast(wiphy_net(wiphy), msg, wdev->owner_nlportid);
16750 
16751 	return;
16752 
16753 nla_put_failure:
16754 	nlmsg_free(msg);
16755 }
16756 EXPORT_SYMBOL(cfg80211_nan_sched_update_done);
16757 
16758 static int nl80211_parse_nan_channel(struct cfg80211_registered_device *rdev,
16759 				     struct nlattr *channel,
16760 				     struct genl_info *info,
16761 				     struct cfg80211_nan_channel *nan_channels,
16762 				     u8 index, bool local)
16763 {
16764 	struct nlattr **channel_parsed __free(kfree) = NULL;
16765 	struct cfg80211_chan_def chandef;
16766 	u8 n_rx_nss;
16767 	int ret;
16768 
16769 	channel_parsed = kcalloc(NL80211_ATTR_MAX + 1, sizeof(*channel_parsed),
16770 				 GFP_KERNEL);
16771 	if (!channel_parsed)
16772 		return -ENOMEM;
16773 
16774 	ret = nla_parse_nested(channel_parsed, NL80211_ATTR_MAX, channel, NULL,
16775 			       info->extack);
16776 	if (ret)
16777 		return ret;
16778 
16779 	ret = nl80211_parse_chandef(rdev, info->extack, channel_parsed,
16780 				    &chandef);
16781 	if (ret)
16782 		return ret;
16783 
16784 	if (chandef.chan->band == NL80211_BAND_6GHZ) {
16785 		NL_SET_ERR_MSG(info->extack,
16786 			       "6 GHz band is not supported");
16787 		return -EOPNOTSUPP;
16788 	}
16789 
16790 	if (!cfg80211_reg_can_beacon(&rdev->wiphy, &chandef,
16791 				     NL80211_IFTYPE_NAN)) {
16792 		NL_SET_ERR_MSG_ATTR(info->extack, channel,
16793 				    "Channel in NAN schedule is not allowed for NAN operation");
16794 		return -EINVAL;
16795 	}
16796 
16797 	if (local) {
16798 		for (int i = 0; i < index; i++) {
16799 			if (cfg80211_chandef_compatible(&nan_channels[i].chandef,
16800 							&chandef)) {
16801 				NL_SET_ERR_MSG_ATTR(info->extack, channel,
16802 						    "Channels in NAN schedule must be mutually incompatible");
16803 				return -EINVAL;
16804 			}
16805 		}
16806 	}
16807 
16808 	if (!channel_parsed[NL80211_ATTR_NAN_CHANNEL_ENTRY]) {
16809 		NL_SET_ERR_MSG(info->extack,
16810 			       "Missing NAN channel entry attribute");
16811 		return -EINVAL;
16812 	}
16813 
16814 	nan_channels[index].channel_entry =
16815 		nla_data(channel_parsed[NL80211_ATTR_NAN_CHANNEL_ENTRY]);
16816 
16817 	if (!channel_parsed[NL80211_ATTR_NAN_RX_NSS]) {
16818 		NL_SET_ERR_MSG(info->extack,
16819 			       "Missing NAN RX NSS attribute");
16820 		return -EINVAL;
16821 	}
16822 
16823 	nan_channels[index].rx_nss =
16824 		nla_get_u8(channel_parsed[NL80211_ATTR_NAN_RX_NSS]);
16825 
16826 	n_rx_nss = u8_get_bits(rdev->wiphy.nan_capa.n_antennas, 0x03);
16827 	if ((local && nan_channels[index].rx_nss > n_rx_nss) ||
16828 	    !nan_channels[index].rx_nss) {
16829 		NL_SET_ERR_MSG_ATTR(info->extack, channel,
16830 				    "Invalid RX NSS in NAN channel definition");
16831 		return -EINVAL;
16832 	}
16833 
16834 	nan_channels[index].chandef = chandef;
16835 
16836 	return 0;
16837 }
16838 
16839 static int
16840 nl80211_parse_nan_schedule(struct genl_info *info, struct nlattr *slots_attr,
16841 			   u8 schedule[CFG80211_NAN_SCHED_NUM_TIME_SLOTS],
16842 			   u8 n_channels)
16843 {
16844 	if (WARN_ON(nla_len(slots_attr) != CFG80211_NAN_SCHED_NUM_TIME_SLOTS))
16845 		return -EINVAL;
16846 
16847 	memcpy(schedule, nla_data(slots_attr), nla_len(slots_attr));
16848 
16849 	for (int slot = 0; slot < CFG80211_NAN_SCHED_NUM_TIME_SLOTS; slot++) {
16850 		if (schedule[slot] != NL80211_NAN_SCHED_NOT_AVAIL_SLOT &&
16851 		    schedule[slot] >= n_channels) {
16852 			NL_SET_ERR_MSG_FMT(info->extack,
16853 					   "Invalid time slot: slot %d refers to channel index %d, n_channels=%d",
16854 					   slot, schedule[slot], n_channels);
16855 			return -EINVAL;
16856 		}
16857 	}
16858 
16859 	return 0;
16860 }
16861 
16862 static int
16863 nl80211_parse_nan_peer_map(struct genl_info *info, struct nlattr *map_attr,
16864 			   struct cfg80211_nan_peer_map *map, u8 n_channels)
16865 {
16866 	struct nlattr *tb[NL80211_NAN_PEER_MAP_ATTR_MAX + 1];
16867 	int ret;
16868 
16869 	ret = nla_parse_nested(tb, NL80211_NAN_PEER_MAP_ATTR_MAX, map_attr,
16870 			       nl80211_nan_peer_map_policy, info->extack);
16871 	if (ret)
16872 		return ret;
16873 
16874 	if (!tb[NL80211_NAN_PEER_MAP_ATTR_MAP_ID] ||
16875 	    !tb[NL80211_NAN_PEER_MAP_ATTR_TIME_SLOTS]) {
16876 		NL_SET_ERR_MSG(info->extack,
16877 			       "Missing required peer map attributes");
16878 		return -EINVAL;
16879 	}
16880 
16881 	map->map_id = nla_get_u8(tb[NL80211_NAN_PEER_MAP_ATTR_MAP_ID]);
16882 
16883 	/* Parse schedule */
16884 	return nl80211_parse_nan_schedule(info,
16885 					  tb[NL80211_NAN_PEER_MAP_ATTR_TIME_SLOTS],
16886 					  map->schedule, n_channels);
16887 }
16888 
16889 static int nl80211_nan_validate_map_pair(struct wiphy *wiphy,
16890 					 struct genl_info *info,
16891 					 const struct cfg80211_nan_peer_map *map1,
16892 					 const struct cfg80211_nan_peer_map *map2,
16893 					 struct cfg80211_nan_channel *nan_channels)
16894 {
16895 	/* Check for duplicate map_id */
16896 	if (map1->map_id == map2->map_id) {
16897 		NL_SET_ERR_MSG_FMT(info->extack, "Duplicate map_id %u",
16898 				   map1->map_id);
16899 		return -EINVAL;
16900 	}
16901 
16902 	/* Check for compatible channels between maps */
16903 	for (int i = 0; i < ARRAY_SIZE(map1->schedule); i++) {
16904 		if (map1->schedule[i] == NL80211_NAN_SCHED_NOT_AVAIL_SLOT)
16905 			continue;
16906 
16907 		for (int j = 0; j < ARRAY_SIZE(map2->schedule); j++) {
16908 			u8 ch1 = map1->schedule[i];
16909 			u8 ch2 = map2->schedule[j];
16910 
16911 			if (ch2 == NL80211_NAN_SCHED_NOT_AVAIL_SLOT)
16912 				continue;
16913 
16914 			if (cfg80211_chandef_compatible(&nan_channels[ch1].chandef,
16915 							&nan_channels[ch2].chandef)) {
16916 				NL_SET_ERR_MSG_FMT(info->extack,
16917 						   "Maps %u and %u have compatible channels %d and %d",
16918 						   map1->map_id, map2->map_id,
16919 						   ch1, ch2);
16920 				return -EINVAL;
16921 			}
16922 		}
16923 	}
16924 
16925 	/*
16926 	 * Check for conflicting time slots between maps.
16927 	 * Only check for single-radio devices (n_radio <= 1) which cannot
16928 	 * operate on multiple channels simultaneously.
16929 	 */
16930 	if (wiphy->n_radio > 1)
16931 		return 0;
16932 
16933 	for (int i = 0; i < ARRAY_SIZE(map1->schedule); i++) {
16934 		if (map1->schedule[i] != NL80211_NAN_SCHED_NOT_AVAIL_SLOT &&
16935 		    map2->schedule[i] != NL80211_NAN_SCHED_NOT_AVAIL_SLOT) {
16936 			NL_SET_ERR_MSG_FMT(info->extack,
16937 					   "Maps %u and %u both schedule slot %d",
16938 					   map1->map_id, map2->map_id, i);
16939 			return -EINVAL;
16940 		}
16941 	}
16942 
16943 	return 0;
16944 }
16945 
16946 static int nl80211_nan_set_peer_sched(struct sk_buff *skb,
16947 				      struct genl_info *info)
16948 {
16949 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
16950 	struct cfg80211_nan_channel *nan_channels __free(kfree) = NULL;
16951 	struct cfg80211_nan_peer_sched sched = {};
16952 	struct wireless_dev *wdev = info->user_ptr[1];
16953 	struct nlattr *map_attr, *channel;
16954 	int ret, n_maps = 0, n_channels = 0, i = 0, rem;
16955 
16956 	if (wdev->iftype != NL80211_IFTYPE_NAN)
16957 		return -EOPNOTSUPP;
16958 
16959 	if (!info->attrs[NL80211_ATTR_MAC] ||
16960 	    !info->attrs[NL80211_ATTR_NAN_COMMITTED_DW]) {
16961 		NL_SET_ERR_MSG(info->extack,
16962 			       "Required NAN peer schedule attributes are missing");
16963 		return -EINVAL;
16964 	}
16965 
16966 	/* First count how many channel attributes we got */
16967 	nlmsg_for_each_attr_type(channel, NL80211_ATTR_NAN_CHANNEL,
16968 				 info->nlhdr, GENL_HDRLEN, rem)
16969 		n_channels++;
16970 
16971 	if (!((info->attrs[NL80211_ATTR_NAN_SEQ_ID] &&
16972 	       info->attrs[NL80211_ATTR_NAN_PEER_MAPS] && n_channels) ||
16973 	      ((!info->attrs[NL80211_ATTR_NAN_SEQ_ID] &&
16974 		!info->attrs[NL80211_ATTR_NAN_PEER_MAPS] && !n_channels)))) {
16975 		NL_SET_ERR_MSG(info->extack,
16976 			       "Either provide all of: seq id, channels and maps, or none");
16977 		return -EINVAL;
16978 	}
16979 
16980 	/*
16981 	 * Limit the number of peer channels to:
16982 	 * local_channels * 4 (possible BWs) * 2 (possible NSS values)
16983 	 */
16984 	if (n_channels && n_channels > wdev->u.nan.n_channels * 4 * 2) {
16985 		NL_SET_ERR_MSG_FMT(info->extack,
16986 				   "Too many peer channels: %d (max %d)",
16987 				   n_channels,
16988 				   wdev->u.nan.n_channels * 4 * 2);
16989 		return -EINVAL;
16990 	}
16991 
16992 	if (n_channels) {
16993 		nan_channels = kcalloc(n_channels, sizeof(*nan_channels),
16994 				       GFP_KERNEL);
16995 		if (!nan_channels)
16996 			return -ENOMEM;
16997 	}
16998 
16999 	/* Parse peer channels */
17000 	nlmsg_for_each_attr_type(channel, NL80211_ATTR_NAN_CHANNEL,
17001 				 info->nlhdr, GENL_HDRLEN, rem) {
17002 		bool compatible = false;
17003 
17004 		ret = nl80211_parse_nan_channel(rdev, channel, info,
17005 						nan_channels, i, false);
17006 		if (ret)
17007 			return ret;
17008 
17009 		/* Verify channel is compatible with at least one local channel */
17010 		for (int j = 0; j < wdev->u.nan.n_channels; j++) {
17011 			if (cfg80211_chandef_compatible(&nan_channels[i].chandef,
17012 							&wdev->u.nan.chandefs[j])) {
17013 				compatible = true;
17014 				break;
17015 			}
17016 		}
17017 		if (!compatible) {
17018 			NL_SET_ERR_MSG_FMT(info->extack,
17019 					   "Channel %d not compatible with any local channel",
17020 					   i);
17021 			return -EINVAL;
17022 		}
17023 		i++;
17024 	}
17025 
17026 	sched.n_channels = n_channels;
17027 	sched.nan_channels = nan_channels;
17028 	sched.peer_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
17029 	sched.seq_id = nla_get_u8_default(info->attrs[NL80211_ATTR_NAN_SEQ_ID], 0);
17030 	sched.committed_dw = nla_get_u16(info->attrs[NL80211_ATTR_NAN_COMMITTED_DW]);
17031 	sched.max_chan_switch =
17032 		nla_get_u16_default(info->attrs[NL80211_ATTR_NAN_MAX_CHAN_SWITCH_TIME], 0);
17033 
17034 	if (info->attrs[NL80211_ATTR_NAN_ULW]) {
17035 		sched.ulw_size = nla_len(info->attrs[NL80211_ATTR_NAN_ULW]);
17036 		sched.init_ulw = nla_data(info->attrs[NL80211_ATTR_NAN_ULW]);
17037 	}
17038 
17039 	/* Initialize all maps as invalid */
17040 	for (int j = 0; j < ARRAY_SIZE(sched.maps); j++)
17041 		sched.maps[j].map_id = CFG80211_NAN_INVALID_MAP_ID;
17042 
17043 	if (info->attrs[NL80211_ATTR_NAN_PEER_MAPS]) {
17044 		/* Parse each map */
17045 		nla_for_each_nested(map_attr, info->attrs[NL80211_ATTR_NAN_PEER_MAPS],
17046 				    rem) {
17047 			if (n_maps >= ARRAY_SIZE(sched.maps)) {
17048 				NL_SET_ERR_MSG(info->extack, "Too many peer maps");
17049 				return -EINVAL;
17050 			}
17051 
17052 			ret = nl80211_parse_nan_peer_map(info, map_attr,
17053 							 &sched.maps[n_maps],
17054 							 n_channels);
17055 			if (ret)
17056 				return ret;
17057 
17058 			/* Validate against previous maps */
17059 			for (int j = 0; j < n_maps; j++) {
17060 				ret = nl80211_nan_validate_map_pair(&rdev->wiphy, info,
17061 								    &sched.maps[j],
17062 								    &sched.maps[n_maps],
17063 								    nan_channels);
17064 				if (ret)
17065 					return ret;
17066 			}
17067 
17068 			n_maps++;
17069 		}
17070 	}
17071 
17072 	/* Verify each channel is scheduled at least once */
17073 	for (int ch = 0; ch < n_channels; ch++) {
17074 		bool scheduled = false;
17075 
17076 		for (int m = 0; m < n_maps && !scheduled; m++) {
17077 			for (int s = 0; s < ARRAY_SIZE(sched.maps[m].schedule); s++) {
17078 				if (sched.maps[m].schedule[s] == ch) {
17079 					scheduled = true;
17080 					break;
17081 				}
17082 			}
17083 		}
17084 		if (!scheduled) {
17085 			NL_SET_ERR_MSG_FMT(info->extack,
17086 					   "Channel %d is not scheduled in any map",
17087 					   ch);
17088 			return -EINVAL;
17089 		}
17090 	}
17091 
17092 	return rdev_nan_set_peer_sched(rdev, wdev, &sched);
17093 }
17094 
17095 static bool nl80211_nan_is_sched_empty(struct cfg80211_nan_local_sched *sched)
17096 {
17097 	if (!sched->n_channels)
17098 		return true;
17099 
17100 	for (int i = 0; i < ARRAY_SIZE(sched->schedule); i++) {
17101 		if (sched->schedule[i] != NL80211_NAN_SCHED_NOT_AVAIL_SLOT)
17102 			return false;
17103 	}
17104 
17105 	return true;
17106 }
17107 
17108 static int nl80211_nan_set_local_sched(struct sk_buff *skb,
17109 				       struct genl_info *info)
17110 {
17111 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
17112 	struct cfg80211_nan_local_sched *sched __free(kfree) = NULL;
17113 	struct wireless_dev *wdev = info->user_ptr[1];
17114 	int rem, i = 0, n_channels = 0, ret;
17115 	struct nlattr *channel;
17116 	bool sched_empty;
17117 
17118 	if (wdev->iftype != NL80211_IFTYPE_NAN)
17119 		return -EOPNOTSUPP;
17120 
17121 	if (!wdev_running(wdev))
17122 		return -ENOTCONN;
17123 
17124 	if (!info->attrs[NL80211_ATTR_NAN_TIME_SLOTS])
17125 		return -EINVAL;
17126 
17127 	/* First count how many channel attributes we got */
17128 	nlmsg_for_each_attr_type(channel, NL80211_ATTR_NAN_CHANNEL,
17129 				 info->nlhdr, GENL_HDRLEN, rem)
17130 		n_channels++;
17131 
17132 	sched = kzalloc(struct_size(sched, nan_channels, n_channels),
17133 			GFP_KERNEL);
17134 	if (!sched)
17135 		return -ENOMEM;
17136 
17137 	sched->n_channels = n_channels;
17138 
17139 	nlmsg_for_each_attr_type(channel, NL80211_ATTR_NAN_CHANNEL,
17140 				 info->nlhdr, GENL_HDRLEN, rem) {
17141 		ret = nl80211_parse_nan_channel(rdev, channel, info,
17142 						sched->nan_channels, i, true);
17143 
17144 		if (ret)
17145 			return ret;
17146 		i++;
17147 	}
17148 
17149 	/* Parse and validate schedule */
17150 	ret = nl80211_parse_nan_schedule(info,
17151 					 info->attrs[NL80211_ATTR_NAN_TIME_SLOTS],
17152 					 sched->schedule, sched->n_channels);
17153 	if (ret)
17154 		return ret;
17155 
17156 	sched_empty = nl80211_nan_is_sched_empty(sched);
17157 
17158 	sched->deferred =
17159 		nla_get_flag(info->attrs[NL80211_ATTR_NAN_SCHED_DEFERRED]);
17160 
17161 	if (sched_empty) {
17162 		if (sched->deferred) {
17163 			NL_SET_ERR_MSG(info->extack,
17164 				       "Schedule cannot be deferred if all time slots are unavailable");
17165 			return -EINVAL;
17166 		}
17167 
17168 		if (info->attrs[NL80211_ATTR_NAN_AVAIL_BLOB]) {
17169 			NL_SET_ERR_MSG(info->extack,
17170 				       "NAN Availability blob must be empty if all time slots are unavailable");
17171 			return -EINVAL;
17172 		}
17173 	} else {
17174 		if (!info->attrs[NL80211_ATTR_NAN_AVAIL_BLOB]) {
17175 			NL_SET_ERR_MSG(info->extack,
17176 				       "NAN Availability blob attribute is required");
17177 			return -EINVAL;
17178 		}
17179 
17180 		sched->nan_avail_blob =
17181 			nla_data(info->attrs[NL80211_ATTR_NAN_AVAIL_BLOB]);
17182 		sched->nan_avail_blob_len =
17183 			nla_len(info->attrs[NL80211_ATTR_NAN_AVAIL_BLOB]);
17184 	}
17185 
17186 	return cfg80211_nan_set_local_schedule(rdev, wdev, sched);
17187 }
17188 
17189 static int nl80211_get_protocol_features(struct sk_buff *skb,
17190 					 struct genl_info *info)
17191 {
17192 	void *hdr;
17193 	struct sk_buff *msg;
17194 
17195 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
17196 	if (!msg)
17197 		return -ENOMEM;
17198 
17199 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
17200 			     NL80211_CMD_GET_PROTOCOL_FEATURES);
17201 	if (!hdr)
17202 		goto nla_put_failure;
17203 
17204 	if (nla_put_u32(msg, NL80211_ATTR_PROTOCOL_FEATURES,
17205 			NL80211_PROTOCOL_FEATURE_SPLIT_WIPHY_DUMP))
17206 		goto nla_put_failure;
17207 
17208 	genlmsg_end(msg, hdr);
17209 	return genlmsg_reply(msg, info);
17210 
17211  nla_put_failure:
17212 	kfree_skb(msg);
17213 	return -ENOBUFS;
17214 }
17215 
17216 static int nl80211_update_ft_ies(struct sk_buff *skb, struct genl_info *info)
17217 {
17218 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
17219 	struct cfg80211_update_ft_ies_params ft_params;
17220 	struct net_device *dev = info->user_ptr[1];
17221 
17222 	if (!rdev->ops->update_ft_ies)
17223 		return -EOPNOTSUPP;
17224 
17225 	if (!info->attrs[NL80211_ATTR_MDID] ||
17226 	    !info->attrs[NL80211_ATTR_IE])
17227 		return -EINVAL;
17228 
17229 	memset(&ft_params, 0, sizeof(ft_params));
17230 	ft_params.md = nla_get_u16(info->attrs[NL80211_ATTR_MDID]);
17231 	ft_params.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
17232 	ft_params.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
17233 
17234 	return rdev_update_ft_ies(rdev, dev, &ft_params);
17235 }
17236 
17237 static int nl80211_crit_protocol_start(struct sk_buff *skb,
17238 				       struct genl_info *info)
17239 {
17240 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
17241 	struct wireless_dev *wdev = info->user_ptr[1];
17242 	enum nl80211_crit_proto_id proto = NL80211_CRIT_PROTO_UNSPEC;
17243 	u16 duration;
17244 	int ret;
17245 
17246 	if (!rdev->ops->crit_proto_start)
17247 		return -EOPNOTSUPP;
17248 
17249 	if (WARN_ON(!rdev->ops->crit_proto_stop))
17250 		return -EINVAL;
17251 
17252 	if (rdev->crit_proto_nlportid)
17253 		return -EBUSY;
17254 
17255 	/* determine protocol if provided */
17256 	if (info->attrs[NL80211_ATTR_CRIT_PROT_ID])
17257 		proto = nla_get_u16(info->attrs[NL80211_ATTR_CRIT_PROT_ID]);
17258 
17259 	if (proto >= NUM_NL80211_CRIT_PROTO)
17260 		return -EINVAL;
17261 
17262 	/* timeout must be provided */
17263 	if (!info->attrs[NL80211_ATTR_MAX_CRIT_PROT_DURATION])
17264 		return -EINVAL;
17265 
17266 	duration =
17267 		nla_get_u16(info->attrs[NL80211_ATTR_MAX_CRIT_PROT_DURATION]);
17268 
17269 	ret = rdev_crit_proto_start(rdev, wdev, proto, duration);
17270 	if (!ret)
17271 		rdev->crit_proto_nlportid = info->snd_portid;
17272 
17273 	return ret;
17274 }
17275 
17276 static int nl80211_crit_protocol_stop(struct sk_buff *skb,
17277 				      struct genl_info *info)
17278 {
17279 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
17280 	struct wireless_dev *wdev = info->user_ptr[1];
17281 
17282 	if (!rdev->ops->crit_proto_stop)
17283 		return -EOPNOTSUPP;
17284 
17285 	if (rdev->crit_proto_nlportid) {
17286 		rdev->crit_proto_nlportid = 0;
17287 		rdev_crit_proto_stop(rdev, wdev);
17288 	}
17289 	return 0;
17290 }
17291 
17292 static int nl80211_vendor_check_policy(const struct wiphy_vendor_command *vcmd,
17293 				       struct nlattr *attr,
17294 				       struct netlink_ext_ack *extack)
17295 {
17296 	if (vcmd->policy == VENDOR_CMD_RAW_DATA) {
17297 		if (attr->nla_type & NLA_F_NESTED) {
17298 			NL_SET_ERR_MSG_ATTR(extack, attr,
17299 					    "unexpected nested data");
17300 			return -EINVAL;
17301 		}
17302 
17303 		return 0;
17304 	}
17305 
17306 	if (!(attr->nla_type & NLA_F_NESTED)) {
17307 		NL_SET_ERR_MSG_ATTR(extack, attr, "expected nested data");
17308 		return -EINVAL;
17309 	}
17310 
17311 	return nla_validate_nested(attr, vcmd->maxattr, vcmd->policy, extack);
17312 }
17313 
17314 static int nl80211_vendor_cmd(struct sk_buff *skb, struct genl_info *info)
17315 {
17316 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
17317 	struct wireless_dev *wdev =
17318 		__cfg80211_wdev_from_attrs(rdev, genl_info_net(info),
17319 					   info->attrs);
17320 	int i, err;
17321 	u32 vid, subcmd;
17322 
17323 	if (!rdev->wiphy.vendor_commands)
17324 		return -EOPNOTSUPP;
17325 
17326 	if (IS_ERR(wdev)) {
17327 		err = PTR_ERR(wdev);
17328 		if (err != -EINVAL)
17329 			return err;
17330 		wdev = NULL;
17331 	} else if (wdev->wiphy != &rdev->wiphy) {
17332 		return -EINVAL;
17333 	}
17334 
17335 	if (!info->attrs[NL80211_ATTR_VENDOR_ID] ||
17336 	    !info->attrs[NL80211_ATTR_VENDOR_SUBCMD])
17337 		return -EINVAL;
17338 
17339 	vid = nla_get_u32(info->attrs[NL80211_ATTR_VENDOR_ID]);
17340 	subcmd = nla_get_u32(info->attrs[NL80211_ATTR_VENDOR_SUBCMD]);
17341 	for (i = 0; i < rdev->wiphy.n_vendor_commands; i++) {
17342 		const struct wiphy_vendor_command *vcmd;
17343 		void *data = NULL;
17344 		int len = 0;
17345 
17346 		vcmd = &rdev->wiphy.vendor_commands[i];
17347 
17348 		if (vcmd->info.vendor_id != vid || vcmd->info.subcmd != subcmd)
17349 			continue;
17350 
17351 		if (vcmd->flags & (WIPHY_VENDOR_CMD_NEED_WDEV |
17352 				   WIPHY_VENDOR_CMD_NEED_NETDEV)) {
17353 			if (!wdev)
17354 				return -EINVAL;
17355 			if (vcmd->flags & WIPHY_VENDOR_CMD_NEED_NETDEV &&
17356 			    !wdev->netdev)
17357 				return -EINVAL;
17358 
17359 			if (vcmd->flags & WIPHY_VENDOR_CMD_NEED_RUNNING) {
17360 				if (!wdev_running(wdev))
17361 					return -ENETDOWN;
17362 			}
17363 		} else {
17364 			wdev = NULL;
17365 		}
17366 
17367 		if (!vcmd->doit)
17368 			return -EOPNOTSUPP;
17369 
17370 		if (info->attrs[NL80211_ATTR_VENDOR_DATA]) {
17371 			data = nla_data(info->attrs[NL80211_ATTR_VENDOR_DATA]);
17372 			len = nla_len(info->attrs[NL80211_ATTR_VENDOR_DATA]);
17373 
17374 			err = nl80211_vendor_check_policy(vcmd,
17375 					info->attrs[NL80211_ATTR_VENDOR_DATA],
17376 					info->extack);
17377 			if (err)
17378 				return err;
17379 		}
17380 
17381 		rdev->cur_cmd_info = info;
17382 		err = vcmd->doit(&rdev->wiphy, wdev, data, len);
17383 		rdev->cur_cmd_info = NULL;
17384 		return err;
17385 	}
17386 
17387 	return -EOPNOTSUPP;
17388 }
17389 
17390 static int nl80211_prepare_vendor_dump(struct sk_buff *skb,
17391 				       struct netlink_callback *cb,
17392 				       struct cfg80211_registered_device **rdev,
17393 				       struct wireless_dev **wdev)
17394 {
17395 	struct nlattr **attrbuf;
17396 	u32 vid, subcmd;
17397 	unsigned int i;
17398 	int vcmd_idx = -1;
17399 	int err;
17400 	void *data = NULL;
17401 	unsigned int data_len = 0;
17402 
17403 	if (cb->args[0]) {
17404 		/* subtract the 1 again here */
17405 		struct wiphy *wiphy = wiphy_idx_to_wiphy(cb->args[0] - 1);
17406 		struct wireless_dev *tmp;
17407 
17408 		if (!wiphy)
17409 			return -ENODEV;
17410 		*rdev = wiphy_to_rdev(wiphy);
17411 		*wdev = NULL;
17412 
17413 		if (cb->args[1]) {
17414 			list_for_each_entry(tmp, &wiphy->wdev_list, list) {
17415 				if (tmp->identifier == cb->args[1] - 1) {
17416 					*wdev = tmp;
17417 					break;
17418 				}
17419 			}
17420 		}
17421 
17422 		/* keep rtnl locked in successful case */
17423 		return 0;
17424 	}
17425 
17426 	attrbuf = kzalloc_objs(*attrbuf, NUM_NL80211_ATTR);
17427 	if (!attrbuf)
17428 		return -ENOMEM;
17429 
17430 	err = nlmsg_parse_deprecated(cb->nlh,
17431 				     GENL_HDRLEN + nl80211_fam.hdrsize,
17432 				     attrbuf, nl80211_fam.maxattr,
17433 				     nl80211_policy, NULL);
17434 	if (err)
17435 		goto out;
17436 
17437 	if (!attrbuf[NL80211_ATTR_VENDOR_ID] ||
17438 	    !attrbuf[NL80211_ATTR_VENDOR_SUBCMD]) {
17439 		err = -EINVAL;
17440 		goto out;
17441 	}
17442 
17443 	*wdev = __cfg80211_wdev_from_attrs(NULL, sock_net(skb->sk), attrbuf);
17444 	if (IS_ERR(*wdev))
17445 		*wdev = NULL;
17446 
17447 	*rdev = __cfg80211_rdev_from_attrs(sock_net(skb->sk), attrbuf);
17448 	if (IS_ERR(*rdev)) {
17449 		err = PTR_ERR(*rdev);
17450 		goto out;
17451 	}
17452 
17453 	vid = nla_get_u32(attrbuf[NL80211_ATTR_VENDOR_ID]);
17454 	subcmd = nla_get_u32(attrbuf[NL80211_ATTR_VENDOR_SUBCMD]);
17455 
17456 	for (i = 0; i < (*rdev)->wiphy.n_vendor_commands; i++) {
17457 		const struct wiphy_vendor_command *vcmd;
17458 
17459 		vcmd = &(*rdev)->wiphy.vendor_commands[i];
17460 
17461 		if (vcmd->info.vendor_id != vid || vcmd->info.subcmd != subcmd)
17462 			continue;
17463 
17464 		if (!vcmd->dumpit) {
17465 			err = -EOPNOTSUPP;
17466 			goto out;
17467 		}
17468 
17469 		vcmd_idx = i;
17470 		break;
17471 	}
17472 
17473 	if (vcmd_idx < 0) {
17474 		err = -EOPNOTSUPP;
17475 		goto out;
17476 	}
17477 
17478 	if (attrbuf[NL80211_ATTR_VENDOR_DATA]) {
17479 		data = nla_data(attrbuf[NL80211_ATTR_VENDOR_DATA]);
17480 		data_len = nla_len(attrbuf[NL80211_ATTR_VENDOR_DATA]);
17481 
17482 		err = nl80211_vendor_check_policy(
17483 				&(*rdev)->wiphy.vendor_commands[vcmd_idx],
17484 				attrbuf[NL80211_ATTR_VENDOR_DATA],
17485 				cb->extack);
17486 		if (err)
17487 			goto out;
17488 	}
17489 
17490 	/* 0 is the first index - add 1 to parse only once */
17491 	cb->args[0] = (*rdev)->wiphy_idx + 1;
17492 	/* add 1 to know if it was NULL */
17493 	cb->args[1] = *wdev ? (*wdev)->identifier + 1 : 0;
17494 	cb->args[2] = vcmd_idx;
17495 	cb->args[3] = (unsigned long)data;
17496 	cb->args[4] = data_len;
17497 
17498 	/* keep rtnl locked in successful case */
17499 	err = 0;
17500 out:
17501 	kfree(attrbuf);
17502 	return err;
17503 }
17504 
17505 static int nl80211_vendor_cmd_dump(struct sk_buff *skb,
17506 				   struct netlink_callback *cb)
17507 {
17508 	struct cfg80211_registered_device *rdev;
17509 	struct wireless_dev *wdev;
17510 	unsigned int vcmd_idx;
17511 	const struct wiphy_vendor_command *vcmd;
17512 	void *data;
17513 	int data_len;
17514 	int err;
17515 	struct nlattr *vendor_data;
17516 
17517 	rtnl_lock();
17518 	err = nl80211_prepare_vendor_dump(skb, cb, &rdev, &wdev);
17519 	if (err)
17520 		goto out;
17521 
17522 	vcmd_idx = cb->args[2];
17523 	data = (void *)cb->args[3];
17524 	data_len = cb->args[4];
17525 	vcmd = &rdev->wiphy.vendor_commands[vcmd_idx];
17526 
17527 	if (vcmd->flags & (WIPHY_VENDOR_CMD_NEED_WDEV |
17528 			   WIPHY_VENDOR_CMD_NEED_NETDEV)) {
17529 		if (!wdev) {
17530 			err = -EINVAL;
17531 			goto out;
17532 		}
17533 		if (vcmd->flags & WIPHY_VENDOR_CMD_NEED_NETDEV &&
17534 		    !wdev->netdev) {
17535 			err = -EINVAL;
17536 			goto out;
17537 		}
17538 
17539 		if (vcmd->flags & WIPHY_VENDOR_CMD_NEED_RUNNING) {
17540 			if (!wdev_running(wdev)) {
17541 				err = -ENETDOWN;
17542 				goto out;
17543 			}
17544 		}
17545 	}
17546 
17547 	while (1) {
17548 		void *hdr = nl80211hdr_put(skb, NETLINK_CB(cb->skb).portid,
17549 					   cb->nlh->nlmsg_seq, NLM_F_MULTI,
17550 					   NL80211_CMD_VENDOR);
17551 		if (!hdr)
17552 			break;
17553 
17554 		if (nla_put_u32(skb, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
17555 		    (wdev && nla_put_u64_64bit(skb, NL80211_ATTR_WDEV,
17556 					       wdev_id(wdev),
17557 					       NL80211_ATTR_PAD))) {
17558 			genlmsg_cancel(skb, hdr);
17559 			break;
17560 		}
17561 
17562 		vendor_data = nla_nest_start_noflag(skb,
17563 						    NL80211_ATTR_VENDOR_DATA);
17564 		if (!vendor_data) {
17565 			genlmsg_cancel(skb, hdr);
17566 			break;
17567 		}
17568 
17569 		err = vcmd->dumpit(&rdev->wiphy, wdev, skb, data, data_len,
17570 				   (unsigned long *)&cb->args[5]);
17571 		nla_nest_end(skb, vendor_data);
17572 
17573 		if (err == -ENOBUFS || err == -ENOENT) {
17574 			genlmsg_cancel(skb, hdr);
17575 			break;
17576 		} else if (err <= 0) {
17577 			genlmsg_cancel(skb, hdr);
17578 			goto out;
17579 		}
17580 
17581 		genlmsg_end(skb, hdr);
17582 	}
17583 
17584 	err = skb->len;
17585  out:
17586 	rtnl_unlock();
17587 	return err;
17588 }
17589 
17590 struct sk_buff *__cfg80211_alloc_reply_skb(struct wiphy *wiphy,
17591 					   enum nl80211_commands cmd,
17592 					   enum nl80211_attrs attr,
17593 					   int approxlen)
17594 {
17595 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
17596 
17597 	if (WARN_ON(!rdev->cur_cmd_info))
17598 		return NULL;
17599 
17600 	return __cfg80211_alloc_vendor_skb(rdev, NULL, approxlen,
17601 					   rdev->cur_cmd_info->snd_portid,
17602 					   rdev->cur_cmd_info->snd_seq,
17603 					   cmd, attr, NULL, GFP_KERNEL);
17604 }
17605 EXPORT_SYMBOL(__cfg80211_alloc_reply_skb);
17606 
17607 int cfg80211_vendor_cmd_reply(struct sk_buff *skb)
17608 {
17609 	struct cfg80211_registered_device *rdev = ((void **)skb->cb)[0];
17610 	void *hdr = ((void **)skb->cb)[1];
17611 	struct nlattr *data = ((void **)skb->cb)[2];
17612 
17613 	/* clear CB data for netlink core to own from now on */
17614 	memset(skb->cb, 0, sizeof(skb->cb));
17615 
17616 	if (WARN_ON(!rdev->cur_cmd_info)) {
17617 		kfree_skb(skb);
17618 		return -EINVAL;
17619 	}
17620 
17621 	nla_nest_end(skb, data);
17622 	genlmsg_end(skb, hdr);
17623 	return genlmsg_reply(skb, rdev->cur_cmd_info);
17624 }
17625 EXPORT_SYMBOL_GPL(cfg80211_vendor_cmd_reply);
17626 
17627 unsigned int cfg80211_vendor_cmd_get_sender(struct wiphy *wiphy)
17628 {
17629 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
17630 
17631 	if (WARN_ON(!rdev->cur_cmd_info))
17632 		return 0;
17633 
17634 	return rdev->cur_cmd_info->snd_portid;
17635 }
17636 EXPORT_SYMBOL_GPL(cfg80211_vendor_cmd_get_sender);
17637 
17638 static int nl80211_set_qos_map(struct sk_buff *skb,
17639 			       struct genl_info *info)
17640 {
17641 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
17642 	struct cfg80211_qos_map *qos_map = NULL;
17643 	struct net_device *dev = info->user_ptr[1];
17644 	u8 *pos, len, num_des, des_len, des;
17645 	int ret;
17646 
17647 	if (!rdev->ops->set_qos_map)
17648 		return -EOPNOTSUPP;
17649 
17650 	if (info->attrs[NL80211_ATTR_QOS_MAP]) {
17651 		pos = nla_data(info->attrs[NL80211_ATTR_QOS_MAP]);
17652 		len = nla_len(info->attrs[NL80211_ATTR_QOS_MAP]);
17653 
17654 		if (len % 2)
17655 			return -EINVAL;
17656 
17657 		qos_map = kzalloc_obj(struct cfg80211_qos_map);
17658 		if (!qos_map)
17659 			return -ENOMEM;
17660 
17661 		num_des = (len - IEEE80211_QOS_MAP_LEN_MIN) >> 1;
17662 		if (num_des) {
17663 			des_len = num_des *
17664 				sizeof(struct cfg80211_dscp_exception);
17665 			memcpy(qos_map->dscp_exception, pos, des_len);
17666 			qos_map->num_des = num_des;
17667 			for (des = 0; des < num_des; des++) {
17668 				if (qos_map->dscp_exception[des].up > 7) {
17669 					kfree(qos_map);
17670 					return -EINVAL;
17671 				}
17672 			}
17673 			pos += des_len;
17674 		}
17675 		memcpy(qos_map->up, pos, IEEE80211_QOS_MAP_LEN_MIN);
17676 	}
17677 
17678 	ret = nl80211_key_allowed(dev->ieee80211_ptr);
17679 	if (!ret)
17680 		ret = rdev_set_qos_map(rdev, dev, qos_map);
17681 
17682 	kfree(qos_map);
17683 	return ret;
17684 }
17685 
17686 static int nl80211_add_tx_ts(struct sk_buff *skb, struct genl_info *info)
17687 {
17688 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
17689 	struct net_device *dev = info->user_ptr[1];
17690 	struct wireless_dev *wdev = dev->ieee80211_ptr;
17691 	const u8 *peer;
17692 	u8 tsid, up;
17693 	u16 admitted_time = 0;
17694 
17695 	if (!(rdev->wiphy.features & NL80211_FEATURE_SUPPORTS_WMM_ADMISSION))
17696 		return -EOPNOTSUPP;
17697 
17698 	if (!info->attrs[NL80211_ATTR_TSID] || !info->attrs[NL80211_ATTR_MAC] ||
17699 	    !info->attrs[NL80211_ATTR_USER_PRIO])
17700 		return -EINVAL;
17701 
17702 	tsid = nla_get_u8(info->attrs[NL80211_ATTR_TSID]);
17703 	up = nla_get_u8(info->attrs[NL80211_ATTR_USER_PRIO]);
17704 
17705 	/* WMM uses TIDs 0-7 even for TSPEC */
17706 	if (tsid >= IEEE80211_FIRST_TSPEC_TSID) {
17707 		/* TODO: handle 802.11 TSPEC/admission control
17708 		 * need more attributes for that (e.g. BA session requirement);
17709 		 * change the WMM admission test above to allow both then
17710 		 */
17711 		return -EINVAL;
17712 	}
17713 
17714 	peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
17715 
17716 	if (info->attrs[NL80211_ATTR_ADMITTED_TIME]) {
17717 		admitted_time =
17718 			nla_get_u16(info->attrs[NL80211_ATTR_ADMITTED_TIME]);
17719 		if (!admitted_time)
17720 			return -EINVAL;
17721 	}
17722 
17723 	switch (wdev->iftype) {
17724 	case NL80211_IFTYPE_STATION:
17725 	case NL80211_IFTYPE_P2P_CLIENT:
17726 		if (wdev->connected)
17727 			break;
17728 		return -ENOTCONN;
17729 	default:
17730 		return -EOPNOTSUPP;
17731 	}
17732 
17733 	return rdev_add_tx_ts(rdev, dev, tsid, peer, up, admitted_time);
17734 }
17735 
17736 static int nl80211_del_tx_ts(struct sk_buff *skb, struct genl_info *info)
17737 {
17738 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
17739 	struct net_device *dev = info->user_ptr[1];
17740 	const u8 *peer;
17741 	u8 tsid;
17742 
17743 	if (!info->attrs[NL80211_ATTR_TSID] || !info->attrs[NL80211_ATTR_MAC])
17744 		return -EINVAL;
17745 
17746 	tsid = nla_get_u8(info->attrs[NL80211_ATTR_TSID]);
17747 	peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
17748 
17749 	return rdev_del_tx_ts(rdev, dev, tsid, peer);
17750 }
17751 
17752 static int nl80211_tdls_channel_switch(struct sk_buff *skb,
17753 				       struct genl_info *info)
17754 {
17755 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
17756 	struct net_device *dev = info->user_ptr[1];
17757 	struct wireless_dev *wdev = dev->ieee80211_ptr;
17758 	struct cfg80211_chan_def chandef = {};
17759 	const u8 *addr;
17760 	u8 oper_class;
17761 	int err;
17762 
17763 	if (!rdev->ops->tdls_channel_switch ||
17764 	    !(rdev->wiphy.features & NL80211_FEATURE_TDLS_CHANNEL_SWITCH))
17765 		return -EOPNOTSUPP;
17766 
17767 	switch (dev->ieee80211_ptr->iftype) {
17768 	case NL80211_IFTYPE_STATION:
17769 	case NL80211_IFTYPE_P2P_CLIENT:
17770 		break;
17771 	default:
17772 		return -EOPNOTSUPP;
17773 	}
17774 
17775 	if (!info->attrs[NL80211_ATTR_MAC] ||
17776 	    !info->attrs[NL80211_ATTR_OPER_CLASS])
17777 		return -EINVAL;
17778 
17779 	err = nl80211_parse_chandef(rdev, info->extack, info->attrs, &chandef);
17780 	if (err)
17781 		return err;
17782 
17783 	/*
17784 	 * Don't allow wide channels on the 2.4Ghz band, as per IEEE802.11-2012
17785 	 * section 10.22.6.2.1. Disallow 5/10Mhz channels as well for now, the
17786 	 * specification is not defined for them.
17787 	 */
17788 	if (chandef.chan->band == NL80211_BAND_2GHZ &&
17789 	    chandef.width != NL80211_CHAN_WIDTH_20_NOHT &&
17790 	    chandef.width != NL80211_CHAN_WIDTH_20)
17791 		return -EINVAL;
17792 
17793 	/* we will be active on the TDLS link */
17794 	if (!cfg80211_reg_can_beacon_relax(&rdev->wiphy, &chandef,
17795 					   wdev->iftype))
17796 		return -EINVAL;
17797 
17798 	/* don't allow switching to DFS channels */
17799 	if (cfg80211_chandef_dfs_required(wdev->wiphy, &chandef, wdev->iftype))
17800 		return -EINVAL;
17801 
17802 	addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
17803 	oper_class = nla_get_u8(info->attrs[NL80211_ATTR_OPER_CLASS]);
17804 
17805 	return rdev_tdls_channel_switch(rdev, dev, addr, oper_class, &chandef);
17806 }
17807 
17808 static int nl80211_tdls_cancel_channel_switch(struct sk_buff *skb,
17809 					      struct genl_info *info)
17810 {
17811 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
17812 	struct net_device *dev = info->user_ptr[1];
17813 	const u8 *addr;
17814 
17815 	if (!rdev->ops->tdls_channel_switch ||
17816 	    !rdev->ops->tdls_cancel_channel_switch ||
17817 	    !(rdev->wiphy.features & NL80211_FEATURE_TDLS_CHANNEL_SWITCH))
17818 		return -EOPNOTSUPP;
17819 
17820 	switch (dev->ieee80211_ptr->iftype) {
17821 	case NL80211_IFTYPE_STATION:
17822 	case NL80211_IFTYPE_P2P_CLIENT:
17823 		break;
17824 	default:
17825 		return -EOPNOTSUPP;
17826 	}
17827 
17828 	if (!info->attrs[NL80211_ATTR_MAC])
17829 		return -EINVAL;
17830 
17831 	addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
17832 
17833 	rdev_tdls_cancel_channel_switch(rdev, dev, addr);
17834 
17835 	return 0;
17836 }
17837 
17838 static int nl80211_set_multicast_to_unicast(struct sk_buff *skb,
17839 					    struct genl_info *info)
17840 {
17841 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
17842 	struct net_device *dev = info->user_ptr[1];
17843 	struct wireless_dev *wdev = dev->ieee80211_ptr;
17844 	const struct nlattr *nla;
17845 	bool enabled;
17846 
17847 	if (!rdev->ops->set_multicast_to_unicast)
17848 		return -EOPNOTSUPP;
17849 
17850 	if (wdev->iftype != NL80211_IFTYPE_AP &&
17851 	    wdev->iftype != NL80211_IFTYPE_P2P_GO)
17852 		return -EOPNOTSUPP;
17853 
17854 	nla = info->attrs[NL80211_ATTR_MULTICAST_TO_UNICAST_ENABLED];
17855 	enabled = nla_get_flag(nla);
17856 
17857 	return rdev_set_multicast_to_unicast(rdev, dev, enabled);
17858 }
17859 
17860 static int nl80211_set_pmk(struct sk_buff *skb, struct genl_info *info)
17861 {
17862 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
17863 	struct net_device *dev = info->user_ptr[1];
17864 	struct wireless_dev *wdev = dev->ieee80211_ptr;
17865 	struct cfg80211_pmk_conf pmk_conf = {};
17866 
17867 	if (wdev->iftype != NL80211_IFTYPE_STATION &&
17868 	    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT)
17869 		return -EOPNOTSUPP;
17870 
17871 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
17872 				     NL80211_EXT_FEATURE_4WAY_HANDSHAKE_STA_1X))
17873 		return -EOPNOTSUPP;
17874 
17875 	if (!info->attrs[NL80211_ATTR_MAC] || !info->attrs[NL80211_ATTR_PMK])
17876 		return -EINVAL;
17877 
17878 	if (!wdev->connected)
17879 		return -ENOTCONN;
17880 
17881 	pmk_conf.aa = nla_data(info->attrs[NL80211_ATTR_MAC]);
17882 	if (memcmp(pmk_conf.aa, wdev->u.client.connected_addr, ETH_ALEN))
17883 		return -EINVAL;
17884 
17885 	pmk_conf.pmk = nla_data(info->attrs[NL80211_ATTR_PMK]);
17886 	pmk_conf.pmk_len = nla_len(info->attrs[NL80211_ATTR_PMK]);
17887 	if (pmk_conf.pmk_len != WLAN_PMK_LEN &&
17888 	    pmk_conf.pmk_len != WLAN_PMK_LEN_SUITE_B_192)
17889 		return -EINVAL;
17890 
17891 	if (info->attrs[NL80211_ATTR_PMKR0_NAME])
17892 		pmk_conf.pmk_r0_name =
17893 			nla_data(info->attrs[NL80211_ATTR_PMKR0_NAME]);
17894 
17895 	return rdev_set_pmk(rdev, dev, &pmk_conf);
17896 }
17897 
17898 static int nl80211_del_pmk(struct sk_buff *skb, struct genl_info *info)
17899 {
17900 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
17901 	struct net_device *dev = info->user_ptr[1];
17902 	struct wireless_dev *wdev = dev->ieee80211_ptr;
17903 	const u8 *aa;
17904 
17905 	if (wdev->iftype != NL80211_IFTYPE_STATION &&
17906 	    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT)
17907 		return -EOPNOTSUPP;
17908 
17909 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
17910 				     NL80211_EXT_FEATURE_4WAY_HANDSHAKE_STA_1X))
17911 		return -EOPNOTSUPP;
17912 
17913 	if (!info->attrs[NL80211_ATTR_MAC])
17914 		return -EINVAL;
17915 
17916 	aa = nla_data(info->attrs[NL80211_ATTR_MAC]);
17917 	return rdev_del_pmk(rdev, dev, aa);
17918 }
17919 
17920 static int nl80211_external_auth(struct sk_buff *skb, struct genl_info *info)
17921 {
17922 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
17923 	struct net_device *dev = info->user_ptr[1];
17924 	struct cfg80211_external_auth_params params;
17925 
17926 	if (!rdev->ops->external_auth)
17927 		return -EOPNOTSUPP;
17928 
17929 	if (!info->attrs[NL80211_ATTR_SSID] &&
17930 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
17931 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
17932 		return -EINVAL;
17933 
17934 	if (!info->attrs[NL80211_ATTR_BSSID])
17935 		return -EINVAL;
17936 
17937 	if (!info->attrs[NL80211_ATTR_STATUS_CODE])
17938 		return -EINVAL;
17939 
17940 	memset(&params, 0, sizeof(params));
17941 
17942 	if (info->attrs[NL80211_ATTR_SSID]) {
17943 		params.ssid.ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
17944 		if (params.ssid.ssid_len == 0)
17945 			return -EINVAL;
17946 		memcpy(params.ssid.ssid,
17947 		       nla_data(info->attrs[NL80211_ATTR_SSID]),
17948 		       params.ssid.ssid_len);
17949 	}
17950 
17951 	memcpy(params.bssid, nla_data(info->attrs[NL80211_ATTR_BSSID]),
17952 	       ETH_ALEN);
17953 
17954 	params.status = nla_get_u16(info->attrs[NL80211_ATTR_STATUS_CODE]);
17955 
17956 	if (info->attrs[NL80211_ATTR_PMKID])
17957 		params.pmkid = nla_data(info->attrs[NL80211_ATTR_PMKID]);
17958 
17959 	return rdev_external_auth(rdev, dev, &params);
17960 }
17961 
17962 static int nl80211_tx_control_port(struct sk_buff *skb, struct genl_info *info)
17963 {
17964 	bool dont_wait_for_ack = info->attrs[NL80211_ATTR_DONT_WAIT_FOR_ACK];
17965 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
17966 	struct net_device *dev = info->user_ptr[1];
17967 	struct wireless_dev *wdev = dev->ieee80211_ptr;
17968 	const u8 *buf;
17969 	size_t len;
17970 	u8 *dest;
17971 	u16 proto;
17972 	bool noencrypt;
17973 	u64 cookie = 0;
17974 	int link_id;
17975 	int err;
17976 
17977 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
17978 				     NL80211_EXT_FEATURE_CONTROL_PORT_OVER_NL80211))
17979 		return -EOPNOTSUPP;
17980 
17981 	if (!rdev->ops->tx_control_port)
17982 		return -EOPNOTSUPP;
17983 
17984 	if (!info->attrs[NL80211_ATTR_FRAME] ||
17985 	    !info->attrs[NL80211_ATTR_MAC] ||
17986 	    !info->attrs[NL80211_ATTR_CONTROL_PORT_ETHERTYPE]) {
17987 		GENL_SET_ERR_MSG(info, "Frame, MAC or ethertype missing");
17988 		return -EINVAL;
17989 	}
17990 
17991 	switch (wdev->iftype) {
17992 	case NL80211_IFTYPE_AP:
17993 	case NL80211_IFTYPE_P2P_GO:
17994 	case NL80211_IFTYPE_MESH_POINT:
17995 		break;
17996 	case NL80211_IFTYPE_ADHOC:
17997 		if (wdev->u.ibss.current_bss)
17998 			break;
17999 		return -ENOTCONN;
18000 	case NL80211_IFTYPE_STATION:
18001 	case NL80211_IFTYPE_P2P_CLIENT:
18002 		if (wdev->connected)
18003 			break;
18004 		return -ENOTCONN;
18005 	default:
18006 		return -EOPNOTSUPP;
18007 	}
18008 
18009 	buf = nla_data(info->attrs[NL80211_ATTR_FRAME]);
18010 	len = nla_len(info->attrs[NL80211_ATTR_FRAME]);
18011 	dest = nla_data(info->attrs[NL80211_ATTR_MAC]);
18012 	proto = nla_get_u16(info->attrs[NL80211_ATTR_CONTROL_PORT_ETHERTYPE]);
18013 	noencrypt =
18014 		nla_get_flag(info->attrs[NL80211_ATTR_CONTROL_PORT_NO_ENCRYPT]);
18015 
18016 	link_id = nl80211_link_id_or_invalid(info->attrs);
18017 
18018 	err = rdev_tx_control_port(rdev, dev, buf, len,
18019 				   dest, cpu_to_be16(proto), noencrypt, link_id,
18020 				   dont_wait_for_ack ? NULL : &cookie);
18021 	if (!err && !dont_wait_for_ack)
18022 		nl_set_extack_cookie_u64(info->extack, cookie);
18023 	return err;
18024 }
18025 
18026 static int nl80211_get_ftm_responder_stats(struct sk_buff *skb,
18027 					   struct genl_info *info)
18028 {
18029 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
18030 	struct net_device *dev = info->user_ptr[1];
18031 	struct wireless_dev *wdev = dev->ieee80211_ptr;
18032 	struct cfg80211_ftm_responder_stats ftm_stats = {};
18033 	unsigned int link_id = nl80211_link_id(info->attrs);
18034 	struct sk_buff *msg;
18035 	void *hdr;
18036 	struct nlattr *ftm_stats_attr;
18037 	int err;
18038 
18039 	if (wdev->iftype != NL80211_IFTYPE_AP ||
18040 	    !wdev->links[link_id].ap.beacon_interval)
18041 		return -EOPNOTSUPP;
18042 
18043 	err = rdev_get_ftm_responder_stats(rdev, dev, &ftm_stats);
18044 	if (err)
18045 		return err;
18046 
18047 	if (!ftm_stats.filled)
18048 		return -ENODATA;
18049 
18050 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
18051 	if (!msg)
18052 		return -ENOMEM;
18053 
18054 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
18055 			     NL80211_CMD_GET_FTM_RESPONDER_STATS);
18056 	if (!hdr)
18057 		goto nla_put_failure;
18058 
18059 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
18060 		goto nla_put_failure;
18061 
18062 	ftm_stats_attr = nla_nest_start_noflag(msg,
18063 					       NL80211_ATTR_FTM_RESPONDER_STATS);
18064 	if (!ftm_stats_attr)
18065 		goto nla_put_failure;
18066 
18067 #define SET_FTM(field, name, type)					 \
18068 	do { if ((ftm_stats.filled & BIT(NL80211_FTM_STATS_ ## name)) && \
18069 	    nla_put_ ## type(msg, NL80211_FTM_STATS_ ## name,		 \
18070 			     ftm_stats.field))				 \
18071 		goto nla_put_failure; } while (0)
18072 #define SET_FTM_U64(field, name)					 \
18073 	do { if ((ftm_stats.filled & BIT(NL80211_FTM_STATS_ ## name)) && \
18074 	    nla_put_u64_64bit(msg, NL80211_FTM_STATS_ ## name,		 \
18075 			      ftm_stats.field, NL80211_FTM_STATS_PAD))	 \
18076 		goto nla_put_failure; } while (0)
18077 
18078 	SET_FTM(success_num, SUCCESS_NUM, u32);
18079 	SET_FTM(partial_num, PARTIAL_NUM, u32);
18080 	SET_FTM(failed_num, FAILED_NUM, u32);
18081 	SET_FTM(asap_num, ASAP_NUM, u32);
18082 	SET_FTM(non_asap_num, NON_ASAP_NUM, u32);
18083 	SET_FTM_U64(total_duration_ms, TOTAL_DURATION_MSEC);
18084 	SET_FTM(unknown_triggers_num, UNKNOWN_TRIGGERS_NUM, u32);
18085 	SET_FTM(reschedule_requests_num, RESCHEDULE_REQUESTS_NUM, u32);
18086 	SET_FTM(out_of_window_triggers_num, OUT_OF_WINDOW_TRIGGERS_NUM, u32);
18087 #undef SET_FTM
18088 
18089 	nla_nest_end(msg, ftm_stats_attr);
18090 
18091 	genlmsg_end(msg, hdr);
18092 	return genlmsg_reply(msg, info);
18093 
18094 nla_put_failure:
18095 	nlmsg_free(msg);
18096 	return -ENOBUFS;
18097 }
18098 
18099 static int nl80211_update_owe_info(struct sk_buff *skb, struct genl_info *info)
18100 {
18101 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
18102 	struct cfg80211_update_owe_info owe_info;
18103 	struct net_device *dev = info->user_ptr[1];
18104 
18105 	if (!rdev->ops->update_owe_info)
18106 		return -EOPNOTSUPP;
18107 
18108 	if (!info->attrs[NL80211_ATTR_STATUS_CODE] ||
18109 	    !info->attrs[NL80211_ATTR_MAC])
18110 		return -EINVAL;
18111 
18112 	memset(&owe_info, 0, sizeof(owe_info));
18113 	owe_info.status = nla_get_u16(info->attrs[NL80211_ATTR_STATUS_CODE]);
18114 	nla_memcpy(owe_info.peer, info->attrs[NL80211_ATTR_MAC], ETH_ALEN);
18115 
18116 	if (info->attrs[NL80211_ATTR_IE]) {
18117 		owe_info.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
18118 		owe_info.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
18119 	}
18120 
18121 	return rdev_update_owe_info(rdev, dev, &owe_info);
18122 }
18123 
18124 static int nl80211_probe_mesh_link(struct sk_buff *skb, struct genl_info *info)
18125 {
18126 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
18127 	struct net_device *dev = info->user_ptr[1];
18128 	struct wireless_dev *wdev = dev->ieee80211_ptr;
18129 	struct station_info sinfo = {};
18130 	const u8 *buf;
18131 	size_t len;
18132 	u8 *dest;
18133 	int err;
18134 
18135 	if (!rdev->ops->probe_mesh_link || !rdev->ops->get_station)
18136 		return -EOPNOTSUPP;
18137 
18138 	if (!info->attrs[NL80211_ATTR_MAC] ||
18139 	    !info->attrs[NL80211_ATTR_FRAME]) {
18140 		GENL_SET_ERR_MSG(info, "Frame or MAC missing");
18141 		return -EINVAL;
18142 	}
18143 
18144 	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT)
18145 		return -EOPNOTSUPP;
18146 
18147 	dest = nla_data(info->attrs[NL80211_ATTR_MAC]);
18148 	buf = nla_data(info->attrs[NL80211_ATTR_FRAME]);
18149 	len = nla_len(info->attrs[NL80211_ATTR_FRAME]);
18150 
18151 	if (len < sizeof(struct ethhdr))
18152 		return -EINVAL;
18153 
18154 	if (!ether_addr_equal(buf, dest) || is_multicast_ether_addr(buf) ||
18155 	    !ether_addr_equal(buf + ETH_ALEN, dev->dev_addr))
18156 		return -EINVAL;
18157 
18158 	err = rdev_get_station(rdev, wdev, dest, &sinfo);
18159 	if (err)
18160 		return err;
18161 
18162 	cfg80211_sinfo_release_content(&sinfo);
18163 
18164 	return rdev_probe_mesh_link(rdev, dev, dest, buf, len);
18165 }
18166 
18167 static int parse_tid_conf(struct cfg80211_registered_device *rdev,
18168 			  struct nlattr *attrs[], struct net_device *dev,
18169 			  struct cfg80211_tid_cfg *tid_conf,
18170 			  struct genl_info *info, const u8 *peer,
18171 			  unsigned int link_id)
18172 {
18173 	struct netlink_ext_ack *extack = info->extack;
18174 	u64 mask;
18175 	int err;
18176 
18177 	if (!attrs[NL80211_TID_CONFIG_ATTR_TIDS])
18178 		return -EINVAL;
18179 
18180 	tid_conf->config_override =
18181 			nla_get_flag(attrs[NL80211_TID_CONFIG_ATTR_OVERRIDE]);
18182 	tid_conf->tids = nla_get_u16(attrs[NL80211_TID_CONFIG_ATTR_TIDS]);
18183 
18184 	if (tid_conf->config_override) {
18185 		if (rdev->ops->reset_tid_config) {
18186 			err = rdev_reset_tid_config(rdev, dev, peer,
18187 						    tid_conf->tids);
18188 			if (err)
18189 				return err;
18190 		} else {
18191 			return -EINVAL;
18192 		}
18193 	}
18194 
18195 	if (attrs[NL80211_TID_CONFIG_ATTR_NOACK]) {
18196 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_NOACK);
18197 		tid_conf->noack =
18198 			nla_get_u8(attrs[NL80211_TID_CONFIG_ATTR_NOACK]);
18199 	}
18200 
18201 	if (attrs[NL80211_TID_CONFIG_ATTR_RETRY_SHORT]) {
18202 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_RETRY_SHORT);
18203 		tid_conf->retry_short =
18204 			nla_get_u8(attrs[NL80211_TID_CONFIG_ATTR_RETRY_SHORT]);
18205 
18206 		if (tid_conf->retry_short > rdev->wiphy.max_data_retry_count)
18207 			return -EINVAL;
18208 	}
18209 
18210 	if (attrs[NL80211_TID_CONFIG_ATTR_RETRY_LONG]) {
18211 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_RETRY_LONG);
18212 		tid_conf->retry_long =
18213 			nla_get_u8(attrs[NL80211_TID_CONFIG_ATTR_RETRY_LONG]);
18214 
18215 		if (tid_conf->retry_long > rdev->wiphy.max_data_retry_count)
18216 			return -EINVAL;
18217 	}
18218 
18219 	if (attrs[NL80211_TID_CONFIG_ATTR_AMPDU_CTRL]) {
18220 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_AMPDU_CTRL);
18221 		tid_conf->ampdu =
18222 			nla_get_u8(attrs[NL80211_TID_CONFIG_ATTR_AMPDU_CTRL]);
18223 	}
18224 
18225 	if (attrs[NL80211_TID_CONFIG_ATTR_RTSCTS_CTRL]) {
18226 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_RTSCTS_CTRL);
18227 		tid_conf->rtscts =
18228 			nla_get_u8(attrs[NL80211_TID_CONFIG_ATTR_RTSCTS_CTRL]);
18229 	}
18230 
18231 	if (attrs[NL80211_TID_CONFIG_ATTR_AMSDU_CTRL]) {
18232 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_AMSDU_CTRL);
18233 		tid_conf->amsdu =
18234 			nla_get_u8(attrs[NL80211_TID_CONFIG_ATTR_AMSDU_CTRL]);
18235 	}
18236 
18237 	if (attrs[NL80211_TID_CONFIG_ATTR_TX_RATE_TYPE]) {
18238 		u32 idx = NL80211_TID_CONFIG_ATTR_TX_RATE_TYPE, attr;
18239 
18240 		tid_conf->txrate_type = nla_get_u8(attrs[idx]);
18241 
18242 		if (tid_conf->txrate_type != NL80211_TX_RATE_AUTOMATIC) {
18243 			attr = NL80211_TID_CONFIG_ATTR_TX_RATE;
18244 			err = nl80211_parse_tx_bitrate_mask(info, attrs, attr,
18245 						    &tid_conf->txrate_mask, dev,
18246 						    true, link_id);
18247 			if (err)
18248 				return err;
18249 
18250 			tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_TX_RATE);
18251 		}
18252 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_TX_RATE_TYPE);
18253 	}
18254 
18255 	if (peer)
18256 		mask = rdev->wiphy.tid_config_support.peer;
18257 	else
18258 		mask = rdev->wiphy.tid_config_support.vif;
18259 
18260 	if (tid_conf->mask & ~mask) {
18261 		NL_SET_ERR_MSG(extack, "unsupported TID configuration");
18262 		return -EOPNOTSUPP;
18263 	}
18264 
18265 	return 0;
18266 }
18267 
18268 static int nl80211_set_tid_config(struct sk_buff *skb,
18269 				  struct genl_info *info)
18270 {
18271 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
18272 	struct nlattr *attrs[NL80211_TID_CONFIG_ATTR_MAX + 1];
18273 	unsigned int link_id = nl80211_link_id(info->attrs);
18274 	struct net_device *dev = info->user_ptr[1];
18275 	struct cfg80211_tid_config *tid_config;
18276 	struct nlattr *tid;
18277 	int conf_idx = 0, rem_conf;
18278 	int ret = -EINVAL;
18279 	u32 num_conf = 0;
18280 
18281 	if (!info->attrs[NL80211_ATTR_TID_CONFIG])
18282 		return -EINVAL;
18283 
18284 	if (!rdev->ops->set_tid_config)
18285 		return -EOPNOTSUPP;
18286 
18287 	nla_for_each_nested(tid, info->attrs[NL80211_ATTR_TID_CONFIG],
18288 			    rem_conf)
18289 		num_conf++;
18290 
18291 	tid_config = kzalloc_flex(*tid_config, tid_conf, num_conf);
18292 	if (!tid_config)
18293 		return -ENOMEM;
18294 
18295 	tid_config->n_tid_conf = num_conf;
18296 
18297 	if (info->attrs[NL80211_ATTR_MAC])
18298 		tid_config->peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
18299 
18300 	nla_for_each_nested(tid, info->attrs[NL80211_ATTR_TID_CONFIG],
18301 			    rem_conf) {
18302 		ret = nla_parse_nested(attrs, NL80211_TID_CONFIG_ATTR_MAX,
18303 				       tid, NULL, NULL);
18304 
18305 		if (ret)
18306 			goto bad_tid_conf;
18307 
18308 		ret = parse_tid_conf(rdev, attrs, dev,
18309 				     &tid_config->tid_conf[conf_idx],
18310 				     info, tid_config->peer, link_id);
18311 		if (ret)
18312 			goto bad_tid_conf;
18313 
18314 		conf_idx++;
18315 	}
18316 
18317 	ret = rdev_set_tid_config(rdev, dev, tid_config);
18318 
18319 bad_tid_conf:
18320 	kfree(tid_config);
18321 	return ret;
18322 }
18323 
18324 static int nl80211_color_change(struct sk_buff *skb, struct genl_info *info)
18325 {
18326 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
18327 	struct cfg80211_color_change_settings params = {};
18328 	struct net_device *dev = info->user_ptr[1];
18329 	struct wireless_dev *wdev = dev->ieee80211_ptr;
18330 	struct nlattr **tb;
18331 	u16 offset;
18332 	int err;
18333 
18334 	if (!rdev->ops->color_change)
18335 		return -EOPNOTSUPP;
18336 
18337 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
18338 				     NL80211_EXT_FEATURE_BSS_COLOR))
18339 		return -EOPNOTSUPP;
18340 
18341 	if (wdev->iftype != NL80211_IFTYPE_AP)
18342 		return -EOPNOTSUPP;
18343 
18344 	if (!info->attrs[NL80211_ATTR_COLOR_CHANGE_COUNT] ||
18345 	    !info->attrs[NL80211_ATTR_COLOR_CHANGE_COLOR] ||
18346 	    !info->attrs[NL80211_ATTR_COLOR_CHANGE_ELEMS])
18347 		return -EINVAL;
18348 
18349 	params.count = nla_get_u8(info->attrs[NL80211_ATTR_COLOR_CHANGE_COUNT]);
18350 	params.color = nla_get_u8(info->attrs[NL80211_ATTR_COLOR_CHANGE_COLOR]);
18351 
18352 	err = nl80211_parse_beacon(rdev, info->attrs, &params.beacon_next,
18353 				   info->extack);
18354 	if (err)
18355 		return err;
18356 
18357 	tb = kzalloc_objs(*tb, NL80211_ATTR_MAX + 1);
18358 	if (!tb)
18359 		return -ENOMEM;
18360 
18361 	err = nla_parse_nested(tb, NL80211_ATTR_MAX,
18362 			       info->attrs[NL80211_ATTR_COLOR_CHANGE_ELEMS],
18363 			       nl80211_policy, info->extack);
18364 	if (err)
18365 		goto out;
18366 
18367 	err = nl80211_parse_beacon(rdev, tb, &params.beacon_color_change,
18368 				   info->extack);
18369 	if (err)
18370 		goto out;
18371 
18372 	if (!tb[NL80211_ATTR_CNTDWN_OFFS_BEACON]) {
18373 		err = -EINVAL;
18374 		goto out;
18375 	}
18376 
18377 	if (nla_len(tb[NL80211_ATTR_CNTDWN_OFFS_BEACON]) != sizeof(u16)) {
18378 		err = -EINVAL;
18379 		goto out;
18380 	}
18381 
18382 	offset = nla_get_u16(tb[NL80211_ATTR_CNTDWN_OFFS_BEACON]);
18383 	if (offset >= params.beacon_color_change.tail_len) {
18384 		err = -EINVAL;
18385 		goto out;
18386 	}
18387 
18388 	if (params.beacon_color_change.tail[offset] != params.count) {
18389 		err = -EINVAL;
18390 		goto out;
18391 	}
18392 
18393 	params.counter_offset_beacon = offset;
18394 
18395 	if (tb[NL80211_ATTR_CNTDWN_OFFS_PRESP]) {
18396 		if (nla_len(tb[NL80211_ATTR_CNTDWN_OFFS_PRESP]) !=
18397 		    sizeof(u16)) {
18398 			err = -EINVAL;
18399 			goto out;
18400 		}
18401 
18402 		offset = nla_get_u16(tb[NL80211_ATTR_CNTDWN_OFFS_PRESP]);
18403 		if (offset >= params.beacon_color_change.probe_resp_len) {
18404 			err = -EINVAL;
18405 			goto out;
18406 		}
18407 
18408 		if (params.beacon_color_change.probe_resp[offset] !=
18409 		    params.count) {
18410 			err = -EINVAL;
18411 			goto out;
18412 		}
18413 
18414 		params.counter_offset_presp = offset;
18415 	}
18416 
18417 	if (info->attrs[NL80211_ATTR_UNSOL_BCAST_PROBE_RESP]) {
18418 		err = nl80211_parse_unsol_bcast_probe_resp(
18419 			rdev, info->attrs[NL80211_ATTR_UNSOL_BCAST_PROBE_RESP],
18420 			&params.unsol_bcast_probe_resp);
18421 		if (err)
18422 			goto out;
18423 	}
18424 
18425 	params.link_id = nl80211_link_id(info->attrs);
18426 	err = rdev_color_change(rdev, dev, &params);
18427 
18428 out:
18429 	kfree(params.beacon_next.mbssid_ies);
18430 	kfree(params.beacon_color_change.mbssid_ies);
18431 	kfree(params.beacon_next.rnr_ies);
18432 	kfree(params.beacon_color_change.rnr_ies);
18433 	kfree(tb);
18434 	return err;
18435 }
18436 
18437 static int nl80211_set_fils_aad(struct sk_buff *skb,
18438 				struct genl_info *info)
18439 {
18440 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
18441 	struct net_device *dev = info->user_ptr[1];
18442 	struct cfg80211_fils_aad fils_aad = {};
18443 	u8 *nonces;
18444 
18445 	if (!info->attrs[NL80211_ATTR_MAC] ||
18446 	    !info->attrs[NL80211_ATTR_FILS_KEK] ||
18447 	    !info->attrs[NL80211_ATTR_FILS_NONCES])
18448 		return -EINVAL;
18449 
18450 	fils_aad.macaddr = nla_data(info->attrs[NL80211_ATTR_MAC]);
18451 	fils_aad.kek_len = nla_len(info->attrs[NL80211_ATTR_FILS_KEK]);
18452 	fils_aad.kek = nla_data(info->attrs[NL80211_ATTR_FILS_KEK]);
18453 	nonces = nla_data(info->attrs[NL80211_ATTR_FILS_NONCES]);
18454 	fils_aad.snonce = nonces;
18455 	fils_aad.anonce = nonces + FILS_NONCE_LEN;
18456 
18457 	return rdev_set_fils_aad(rdev, dev, &fils_aad);
18458 }
18459 
18460 static int nl80211_add_link(struct sk_buff *skb, struct genl_info *info)
18461 {
18462 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
18463 	unsigned int link_id = nl80211_link_id(info->attrs);
18464 	struct net_device *dev = info->user_ptr[1];
18465 	struct wireless_dev *wdev = dev->ieee80211_ptr;
18466 	int ret;
18467 
18468 	if (!(wdev->wiphy->flags & WIPHY_FLAG_SUPPORTS_MLO))
18469 		return -EINVAL;
18470 
18471 	switch (wdev->iftype) {
18472 	case NL80211_IFTYPE_AP:
18473 		break;
18474 	default:
18475 		return -EINVAL;
18476 	}
18477 
18478 	if (!info->attrs[NL80211_ATTR_MAC] ||
18479 	    !is_valid_ether_addr(nla_data(info->attrs[NL80211_ATTR_MAC])))
18480 		return -EINVAL;
18481 
18482 	wdev->valid_links |= BIT(link_id);
18483 	ether_addr_copy(wdev->links[link_id].addr,
18484 			nla_data(info->attrs[NL80211_ATTR_MAC]));
18485 
18486 	ret = rdev_add_intf_link(rdev, wdev, link_id);
18487 	if (ret) {
18488 		wdev->valid_links &= ~BIT(link_id);
18489 		eth_zero_addr(wdev->links[link_id].addr);
18490 	}
18491 
18492 	return ret;
18493 }
18494 
18495 static int nl80211_remove_link(struct sk_buff *skb, struct genl_info *info)
18496 {
18497 	unsigned int link_id = nl80211_link_id(info->attrs);
18498 	struct net_device *dev = info->user_ptr[1];
18499 	struct wireless_dev *wdev = dev->ieee80211_ptr;
18500 
18501 	/* cannot remove if there's no link */
18502 	if (!info->attrs[NL80211_ATTR_MLO_LINK_ID])
18503 		return -EINVAL;
18504 
18505 	switch (wdev->iftype) {
18506 	case NL80211_IFTYPE_AP:
18507 		break;
18508 	default:
18509 		return -EINVAL;
18510 	}
18511 
18512 	cfg80211_remove_link(wdev, link_id);
18513 
18514 	return 0;
18515 }
18516 
18517 static int
18518 nl80211_add_mod_link_station(struct sk_buff *skb, struct genl_info *info,
18519 			     bool add)
18520 {
18521 	struct link_station_parameters params = {};
18522 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
18523 	struct net_device *dev = info->user_ptr[1];
18524 	int err;
18525 
18526 	if ((add && !rdev->ops->add_link_station) ||
18527 	    (!add && !rdev->ops->mod_link_station))
18528 		return -EOPNOTSUPP;
18529 
18530 	if (add && !info->attrs[NL80211_ATTR_MAC])
18531 		return -EINVAL;
18532 
18533 	if (!info->attrs[NL80211_ATTR_MLD_ADDR])
18534 		return -EINVAL;
18535 
18536 	if (add && !info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES])
18537 		return -EINVAL;
18538 
18539 	params.mld_mac = nla_data(info->attrs[NL80211_ATTR_MLD_ADDR]);
18540 
18541 	if (info->attrs[NL80211_ATTR_MAC]) {
18542 		params.link_mac = nla_data(info->attrs[NL80211_ATTR_MAC]);
18543 		if (!is_valid_ether_addr(params.link_mac))
18544 			return -EINVAL;
18545 	}
18546 
18547 	if (!info->attrs[NL80211_ATTR_MLO_LINK_ID])
18548 		return -EINVAL;
18549 
18550 	params.link_id = nla_get_u8(info->attrs[NL80211_ATTR_MLO_LINK_ID]);
18551 
18552 	if (info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]) {
18553 		params.supported_rates =
18554 			nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
18555 		params.supported_rates_len =
18556 			nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
18557 	}
18558 
18559 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY])
18560 		params.ht_capa =
18561 			nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]);
18562 
18563 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY])
18564 		params.vht_capa =
18565 			nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]);
18566 
18567 	if (info->attrs[NL80211_ATTR_HE_CAPABILITY]) {
18568 		params.he_capa =
18569 			nla_data(info->attrs[NL80211_ATTR_HE_CAPABILITY]);
18570 		params.he_capa_len =
18571 			nla_len(info->attrs[NL80211_ATTR_HE_CAPABILITY]);
18572 
18573 		if (info->attrs[NL80211_ATTR_EHT_CAPABILITY]) {
18574 			params.eht_capa =
18575 				nla_data(info->attrs[NL80211_ATTR_EHT_CAPABILITY]);
18576 			params.eht_capa_len =
18577 				nla_len(info->attrs[NL80211_ATTR_EHT_CAPABILITY]);
18578 
18579 			if (!ieee80211_eht_capa_size_ok((const u8 *)params.he_capa,
18580 							(const u8 *)params.eht_capa,
18581 							params.eht_capa_len,
18582 							false))
18583 				return -EINVAL;
18584 		}
18585 	}
18586 
18587 	if (info->attrs[NL80211_ATTR_UHR_CAPABILITY]) {
18588 		if (!params.eht_capa)
18589 			return -EINVAL;
18590 
18591 		params.uhr_capa =
18592 			nla_data(info->attrs[NL80211_ATTR_UHR_CAPABILITY]);
18593 		params.uhr_capa_len =
18594 			nla_len(info->attrs[NL80211_ATTR_UHR_CAPABILITY]);
18595 	}
18596 
18597 	if (info->attrs[NL80211_ATTR_HE_6GHZ_CAPABILITY])
18598 		params.he_6ghz_capa =
18599 			nla_data(info->attrs[NL80211_ATTR_HE_6GHZ_CAPABILITY]);
18600 
18601 	if (info->attrs[NL80211_ATTR_OPMODE_NOTIF]) {
18602 		params.opmode_notif_used = true;
18603 		params.opmode_notif =
18604 			nla_get_u8(info->attrs[NL80211_ATTR_OPMODE_NOTIF]);
18605 	}
18606 
18607 	err = nl80211_parse_sta_txpower_setting(info, &params.txpwr,
18608 						&params.txpwr_set);
18609 	if (err)
18610 		return err;
18611 
18612 	if (add)
18613 		return rdev_add_link_station(rdev, dev, &params);
18614 
18615 	return rdev_mod_link_station(rdev, dev, &params);
18616 }
18617 
18618 static int
18619 nl80211_add_link_station(struct sk_buff *skb, struct genl_info *info)
18620 {
18621 	return nl80211_add_mod_link_station(skb, info, true);
18622 }
18623 
18624 static int
18625 nl80211_modify_link_station(struct sk_buff *skb, struct genl_info *info)
18626 {
18627 	return nl80211_add_mod_link_station(skb, info, false);
18628 }
18629 
18630 static int
18631 nl80211_remove_link_station(struct sk_buff *skb, struct genl_info *info)
18632 {
18633 	struct link_station_del_parameters params = {};
18634 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
18635 	struct net_device *dev = info->user_ptr[1];
18636 
18637 	if (!rdev->ops->del_link_station)
18638 		return -EOPNOTSUPP;
18639 
18640 	if (!info->attrs[NL80211_ATTR_MLD_ADDR] ||
18641 	    !info->attrs[NL80211_ATTR_MLO_LINK_ID])
18642 		return -EINVAL;
18643 
18644 	params.mld_mac = nla_data(info->attrs[NL80211_ATTR_MLD_ADDR]);
18645 	params.link_id = nla_get_u8(info->attrs[NL80211_ATTR_MLO_LINK_ID]);
18646 
18647 	return rdev_del_link_station(rdev, dev, &params);
18648 }
18649 
18650 static int nl80211_set_hw_timestamp(struct sk_buff *skb,
18651 				    struct genl_info *info)
18652 {
18653 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
18654 	struct net_device *dev = info->user_ptr[1];
18655 	struct cfg80211_set_hw_timestamp hwts = {};
18656 
18657 	if (!rdev->wiphy.hw_timestamp_max_peers)
18658 		return -EOPNOTSUPP;
18659 
18660 	if (!info->attrs[NL80211_ATTR_MAC] &&
18661 	    rdev->wiphy.hw_timestamp_max_peers != CFG80211_HW_TIMESTAMP_ALL_PEERS)
18662 		return -EOPNOTSUPP;
18663 
18664 	if (info->attrs[NL80211_ATTR_MAC])
18665 		hwts.macaddr = nla_data(info->attrs[NL80211_ATTR_MAC]);
18666 
18667 	hwts.enable =
18668 		nla_get_flag(info->attrs[NL80211_ATTR_HW_TIMESTAMP_ENABLED]);
18669 
18670 	return rdev_set_hw_timestamp(rdev, dev, &hwts);
18671 }
18672 
18673 static int
18674 nl80211_set_ttlm(struct sk_buff *skb, struct genl_info *info)
18675 {
18676 	struct cfg80211_ttlm_params params = {};
18677 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
18678 	struct net_device *dev = info->user_ptr[1];
18679 	struct wireless_dev *wdev = dev->ieee80211_ptr;
18680 
18681 	if (wdev->iftype != NL80211_IFTYPE_STATION &&
18682 	    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT)
18683 		return -EOPNOTSUPP;
18684 
18685 	if (!wdev->connected)
18686 		return -ENOLINK;
18687 
18688 	if (!info->attrs[NL80211_ATTR_MLO_TTLM_DLINK] ||
18689 	    !info->attrs[NL80211_ATTR_MLO_TTLM_ULINK])
18690 		return -EINVAL;
18691 
18692 	nla_memcpy(params.dlink,
18693 		   info->attrs[NL80211_ATTR_MLO_TTLM_DLINK],
18694 		   sizeof(params.dlink));
18695 	nla_memcpy(params.ulink,
18696 		   info->attrs[NL80211_ATTR_MLO_TTLM_ULINK],
18697 		   sizeof(params.ulink));
18698 
18699 	return rdev_set_ttlm(rdev, dev, &params);
18700 }
18701 
18702 static int nl80211_assoc_ml_reconf(struct sk_buff *skb, struct genl_info *info)
18703 {
18704 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
18705 	struct net_device *dev = info->user_ptr[1];
18706 	struct wireless_dev *wdev = dev->ieee80211_ptr;
18707 	struct cfg80211_ml_reconf_req req = {};
18708 	unsigned int link_id;
18709 	u16 add_links;
18710 	int err;
18711 
18712 	if (!wdev->valid_links)
18713 		return -EINVAL;
18714 
18715 	if (dev->ieee80211_ptr->conn_owner_nlportid &&
18716 	    dev->ieee80211_ptr->conn_owner_nlportid != info->snd_portid)
18717 		return -EPERM;
18718 
18719 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
18720 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
18721 		return -EOPNOTSUPP;
18722 
18723 	add_links = 0;
18724 	if (info->attrs[NL80211_ATTR_MLO_LINKS]) {
18725 		err = nl80211_process_links(rdev, req.add_links,
18726 					    /* mark as MLO, but not assoc */
18727 					    IEEE80211_MLD_MAX_NUM_LINKS,
18728 					    NULL, 0, info);
18729 		if (err)
18730 			return err;
18731 
18732 		for (link_id = 0; link_id < IEEE80211_MLD_MAX_NUM_LINKS;
18733 		     link_id++) {
18734 			if (!req.add_links[link_id].bss)
18735 				continue;
18736 			add_links |= BIT(link_id);
18737 		}
18738 	}
18739 
18740 	if (info->attrs[NL80211_ATTR_MLO_RECONF_REM_LINKS])
18741 		req.rem_links =
18742 			nla_get_u16(info->attrs[NL80211_ATTR_MLO_RECONF_REM_LINKS]);
18743 
18744 	/* Validate that existing links are not added, removed links are valid
18745 	 * and don't allow adding and removing the same links
18746 	 */
18747 	if ((add_links & req.rem_links) || !(add_links | req.rem_links) ||
18748 	    (wdev->valid_links & add_links) ||
18749 	    ((wdev->valid_links & req.rem_links) != req.rem_links)) {
18750 		err = -EINVAL;
18751 		goto out;
18752 	}
18753 
18754 	if (info->attrs[NL80211_ATTR_ASSOC_MLD_EXT_CAPA_OPS])
18755 		req.ext_mld_capa_ops =
18756 			nla_get_u16(info->attrs[NL80211_ATTR_ASSOC_MLD_EXT_CAPA_OPS]);
18757 
18758 	err = cfg80211_assoc_ml_reconf(rdev, dev, &req);
18759 
18760 out:
18761 	for (link_id = 0; link_id < ARRAY_SIZE(req.add_links); link_id++)
18762 		cfg80211_put_bss(&rdev->wiphy, req.add_links[link_id].bss);
18763 
18764 	return err;
18765 }
18766 
18767 static int
18768 nl80211_epcs_cfg(struct sk_buff *skb, struct genl_info *info)
18769 {
18770 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
18771 	struct net_device *dev = info->user_ptr[1];
18772 	struct wireless_dev *wdev = dev->ieee80211_ptr;
18773 	bool val;
18774 
18775 	if (wdev->iftype != NL80211_IFTYPE_STATION &&
18776 	    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT)
18777 		return -EOPNOTSUPP;
18778 
18779 	if (!wdev->connected)
18780 		return -ENOLINK;
18781 
18782 	val = nla_get_flag(info->attrs[NL80211_ATTR_EPCS]);
18783 
18784 	return rdev_set_epcs(rdev, dev, val);
18785 }
18786 
18787 #define NL80211_FLAG_NEED_WIPHY		0x01
18788 #define NL80211_FLAG_NEED_NETDEV	0x02
18789 #define NL80211_FLAG_NEED_RTNL		0x04
18790 #define NL80211_FLAG_CHECK_NETDEV_UP	0x08
18791 #define NL80211_FLAG_NEED_NETDEV_UP	(NL80211_FLAG_NEED_NETDEV |\
18792 					 NL80211_FLAG_CHECK_NETDEV_UP)
18793 #define NL80211_FLAG_NEED_WDEV		0x10
18794 /* If a netdev is associated, it must be UP, P2P must be started */
18795 #define NL80211_FLAG_NEED_WDEV_UP	(NL80211_FLAG_NEED_WDEV |\
18796 					 NL80211_FLAG_CHECK_NETDEV_UP)
18797 #define NL80211_FLAG_CLEAR_SKB		0x20
18798 #define NL80211_FLAG_NO_WIPHY_MTX	0x40
18799 #define NL80211_FLAG_MLO_VALID_LINK_ID	0x80
18800 #define NL80211_FLAG_MLO_UNSUPPORTED	0x100
18801 
18802 #define INTERNAL_FLAG_SELECTORS(__sel)			\
18803 	SELECTOR(__sel, NONE, 0) /* must be first */	\
18804 	SELECTOR(__sel, WIPHY,				\
18805 		 NL80211_FLAG_NEED_WIPHY)		\
18806 	SELECTOR(__sel, WDEV,				\
18807 		 NL80211_FLAG_NEED_WDEV)		\
18808 	SELECTOR(__sel, NETDEV,				\
18809 		 NL80211_FLAG_NEED_NETDEV)		\
18810 	SELECTOR(__sel, NETDEV_LINK,			\
18811 		 NL80211_FLAG_NEED_NETDEV |		\
18812 		 NL80211_FLAG_MLO_VALID_LINK_ID)	\
18813 	SELECTOR(__sel, NETDEV_NO_MLO,			\
18814 		 NL80211_FLAG_NEED_NETDEV |		\
18815 		 NL80211_FLAG_MLO_UNSUPPORTED)	\
18816 	SELECTOR(__sel, WIPHY_RTNL,			\
18817 		 NL80211_FLAG_NEED_WIPHY |		\
18818 		 NL80211_FLAG_NEED_RTNL)		\
18819 	SELECTOR(__sel, WIPHY_RTNL_NOMTX,		\
18820 		 NL80211_FLAG_NEED_WIPHY |		\
18821 		 NL80211_FLAG_NEED_RTNL |		\
18822 		 NL80211_FLAG_NO_WIPHY_MTX)		\
18823 	SELECTOR(__sel, WDEV_RTNL,			\
18824 		 NL80211_FLAG_NEED_WDEV |		\
18825 		 NL80211_FLAG_NEED_RTNL)		\
18826 	SELECTOR(__sel, NETDEV_RTNL,			\
18827 		 NL80211_FLAG_NEED_NETDEV |		\
18828 		 NL80211_FLAG_NEED_RTNL)		\
18829 	SELECTOR(__sel, NETDEV_UP,			\
18830 		 NL80211_FLAG_NEED_NETDEV_UP)		\
18831 	SELECTOR(__sel, NETDEV_UP_LINK,			\
18832 		 NL80211_FLAG_NEED_NETDEV_UP |		\
18833 		 NL80211_FLAG_MLO_VALID_LINK_ID)	\
18834 	SELECTOR(__sel, NETDEV_UP_NO_MLO,		\
18835 		 NL80211_FLAG_NEED_NETDEV_UP |		\
18836 		 NL80211_FLAG_MLO_UNSUPPORTED)		\
18837 	SELECTOR(__sel, NETDEV_UP_NO_MLO_CLEAR,		\
18838 		 NL80211_FLAG_NEED_NETDEV_UP |		\
18839 		 NL80211_FLAG_CLEAR_SKB |		\
18840 		 NL80211_FLAG_MLO_UNSUPPORTED)		\
18841 	SELECTOR(__sel, NETDEV_UP_NOTMX,		\
18842 		 NL80211_FLAG_NEED_NETDEV_UP |		\
18843 		 NL80211_FLAG_NO_WIPHY_MTX)		\
18844 	SELECTOR(__sel, NETDEV_UP_NOTMX_MLO,		\
18845 		 NL80211_FLAG_NEED_NETDEV_UP |		\
18846 		 NL80211_FLAG_NO_WIPHY_MTX |		\
18847 		 NL80211_FLAG_MLO_VALID_LINK_ID)	\
18848 	SELECTOR(__sel, NETDEV_UP_CLEAR,		\
18849 		 NL80211_FLAG_NEED_NETDEV_UP |		\
18850 		 NL80211_FLAG_CLEAR_SKB)		\
18851 	SELECTOR(__sel, WDEV_UP,			\
18852 		 NL80211_FLAG_NEED_WDEV_UP)		\
18853 	SELECTOR(__sel, WDEV_UP_CLEAR,			\
18854 		 NL80211_FLAG_NEED_WDEV_UP |		\
18855 		 NL80211_FLAG_CLEAR_SKB)		\
18856 	SELECTOR(__sel, WDEV_UP_LINK,			\
18857 		 NL80211_FLAG_NEED_WDEV_UP |		\
18858 		 NL80211_FLAG_MLO_VALID_LINK_ID)	\
18859 	SELECTOR(__sel, WDEV_UP_RTNL,			\
18860 		 NL80211_FLAG_NEED_WDEV_UP |		\
18861 		 NL80211_FLAG_NEED_RTNL)		\
18862 	SELECTOR(__sel, WIPHY_CLEAR,			\
18863 		 NL80211_FLAG_NEED_WIPHY |		\
18864 		 NL80211_FLAG_CLEAR_SKB)		\
18865 	SELECTOR(__sel, WDEV_UP_RTNL_NOMTX,		\
18866 		 NL80211_FLAG_NEED_WDEV_UP |		\
18867 		 NL80211_FLAG_NO_WIPHY_MTX |		\
18868 		 NL80211_FLAG_NEED_RTNL)
18869 
18870 enum nl80211_internal_flags_selector {
18871 #define SELECTOR(_, name, value)	NL80211_IFL_SEL_##name,
18872 	INTERNAL_FLAG_SELECTORS(_)
18873 #undef SELECTOR
18874 };
18875 
18876 static u32 nl80211_internal_flags[] = {
18877 #define SELECTOR(_, name, value)	[NL80211_IFL_SEL_##name] = value,
18878 	INTERNAL_FLAG_SELECTORS(_)
18879 #undef SELECTOR
18880 };
18881 
18882 static int nl80211_pre_doit(const struct genl_split_ops *ops,
18883 			    struct sk_buff *skb,
18884 			    struct genl_info *info)
18885 {
18886 	struct cfg80211_registered_device *rdev = NULL;
18887 	struct wireless_dev *wdev = NULL;
18888 	struct net_device *dev = NULL;
18889 	u32 internal_flags;
18890 	int err;
18891 
18892 	if (WARN_ON(ops->internal_flags >= ARRAY_SIZE(nl80211_internal_flags)))
18893 		return -EINVAL;
18894 
18895 	internal_flags = nl80211_internal_flags[ops->internal_flags];
18896 
18897 	rtnl_lock();
18898 	if (internal_flags & NL80211_FLAG_NEED_WIPHY) {
18899 		rdev = cfg80211_get_dev_from_info(genl_info_net(info), info);
18900 		if (IS_ERR(rdev)) {
18901 			err = PTR_ERR(rdev);
18902 			goto out_unlock;
18903 		}
18904 		info->user_ptr[0] = rdev;
18905 	} else if (internal_flags & NL80211_FLAG_NEED_NETDEV ||
18906 		   internal_flags & NL80211_FLAG_NEED_WDEV) {
18907 		wdev = __cfg80211_wdev_from_attrs(NULL, genl_info_net(info),
18908 						  info->attrs);
18909 		if (IS_ERR(wdev)) {
18910 			err = PTR_ERR(wdev);
18911 			goto out_unlock;
18912 		}
18913 
18914 		dev = wdev->netdev;
18915 		dev_hold(dev);
18916 		rdev = wiphy_to_rdev(wdev->wiphy);
18917 
18918 		if (internal_flags & NL80211_FLAG_NEED_NETDEV) {
18919 			if (!dev) {
18920 				err = -EINVAL;
18921 				goto out_unlock;
18922 			}
18923 
18924 			info->user_ptr[1] = dev;
18925 		} else {
18926 			info->user_ptr[1] = wdev;
18927 		}
18928 
18929 		if (internal_flags & NL80211_FLAG_CHECK_NETDEV_UP &&
18930 		    !wdev_running(wdev)) {
18931 			err = -ENETDOWN;
18932 			goto out_unlock;
18933 		}
18934 
18935 		info->user_ptr[0] = rdev;
18936 	}
18937 
18938 	if (internal_flags & NL80211_FLAG_MLO_VALID_LINK_ID) {
18939 		struct nlattr *link_id = info->attrs[NL80211_ATTR_MLO_LINK_ID];
18940 
18941 		if (!wdev) {
18942 			err = -EINVAL;
18943 			goto out_unlock;
18944 		}
18945 
18946 		/* MLO -> require valid link ID */
18947 		if (wdev->valid_links &&
18948 		    (!link_id ||
18949 		     !(wdev->valid_links & BIT(nla_get_u8(link_id))))) {
18950 			err = -EINVAL;
18951 			goto out_unlock;
18952 		}
18953 
18954 		/* non-MLO -> no link ID attribute accepted */
18955 		if (!wdev->valid_links && link_id) {
18956 			err = -EINVAL;
18957 			goto out_unlock;
18958 		}
18959 	}
18960 
18961 	if (internal_flags & NL80211_FLAG_MLO_UNSUPPORTED) {
18962 		if (info->attrs[NL80211_ATTR_MLO_LINK_ID] ||
18963 		    (wdev && wdev->valid_links)) {
18964 			err = -EINVAL;
18965 			goto out_unlock;
18966 		}
18967 	}
18968 
18969 	if (rdev && !(internal_flags & NL80211_FLAG_NO_WIPHY_MTX)) {
18970 		wiphy_lock(&rdev->wiphy);
18971 		/* we keep the mutex locked until post_doit */
18972 		__release(&rdev->wiphy.mtx);
18973 	}
18974 	if (!(internal_flags & NL80211_FLAG_NEED_RTNL))
18975 		rtnl_unlock();
18976 
18977 	return 0;
18978 out_unlock:
18979 	rtnl_unlock();
18980 	dev_put(dev);
18981 	return err;
18982 }
18983 
18984 static void nl80211_post_doit(const struct genl_split_ops *ops,
18985 			      struct sk_buff *skb,
18986 			      struct genl_info *info)
18987 {
18988 	u32 internal_flags = nl80211_internal_flags[ops->internal_flags];
18989 
18990 	if (info->user_ptr[1]) {
18991 		if (internal_flags & NL80211_FLAG_NEED_WDEV) {
18992 			struct wireless_dev *wdev = info->user_ptr[1];
18993 
18994 			dev_put(wdev->netdev);
18995 		} else {
18996 			dev_put(info->user_ptr[1]);
18997 		}
18998 	}
18999 
19000 	if (info->user_ptr[0] &&
19001 	    !(internal_flags & NL80211_FLAG_NO_WIPHY_MTX)) {
19002 		struct cfg80211_registered_device *rdev = info->user_ptr[0];
19003 
19004 		/* we kept the mutex locked since pre_doit */
19005 		__acquire(&rdev->wiphy.mtx);
19006 		wiphy_unlock(&rdev->wiphy);
19007 	}
19008 
19009 	if (internal_flags & NL80211_FLAG_NEED_RTNL)
19010 		rtnl_unlock();
19011 
19012 	/* If needed, clear the netlink message payload from the SKB
19013 	 * as it might contain key data that shouldn't stick around on
19014 	 * the heap after the SKB is freed. The netlink message header
19015 	 * is still needed for further processing, so leave it intact.
19016 	 */
19017 	if (internal_flags & NL80211_FLAG_CLEAR_SKB) {
19018 		struct nlmsghdr *nlh = nlmsg_hdr(skb);
19019 
19020 		memset(nlmsg_data(nlh), 0, nlmsg_len(nlh));
19021 	}
19022 }
19023 
19024 static int nl80211_set_sar_sub_specs(struct cfg80211_registered_device *rdev,
19025 				     struct cfg80211_sar_specs *sar_specs,
19026 				     struct nlattr *spec[], int index)
19027 {
19028 	u32 range_index, i;
19029 
19030 	if (!sar_specs || !spec)
19031 		return -EINVAL;
19032 
19033 	if (!spec[NL80211_SAR_ATTR_SPECS_POWER] ||
19034 	    !spec[NL80211_SAR_ATTR_SPECS_RANGE_INDEX])
19035 		return -EINVAL;
19036 
19037 	range_index = nla_get_u32(spec[NL80211_SAR_ATTR_SPECS_RANGE_INDEX]);
19038 
19039 	/* check if range_index exceeds num_freq_ranges */
19040 	if (range_index >= rdev->wiphy.sar_capa->num_freq_ranges)
19041 		return -EINVAL;
19042 
19043 	/* check if range_index duplicates */
19044 	for (i = 0; i < index; i++) {
19045 		if (sar_specs->sub_specs[i].freq_range_index == range_index)
19046 			return -EINVAL;
19047 	}
19048 
19049 	sar_specs->sub_specs[index].power =
19050 		nla_get_s32(spec[NL80211_SAR_ATTR_SPECS_POWER]);
19051 
19052 	sar_specs->sub_specs[index].freq_range_index = range_index;
19053 
19054 	return 0;
19055 }
19056 
19057 static int nl80211_set_sar_specs(struct sk_buff *skb, struct genl_info *info)
19058 {
19059 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
19060 	struct nlattr *spec[NL80211_SAR_ATTR_SPECS_MAX + 1];
19061 	struct nlattr *tb[NL80211_SAR_ATTR_MAX + 1];
19062 	struct cfg80211_sar_specs *sar_spec;
19063 	enum nl80211_sar_type type;
19064 	struct nlattr *spec_list;
19065 	u32 specs;
19066 	int rem, err;
19067 
19068 	if (!rdev->wiphy.sar_capa || !rdev->ops->set_sar_specs)
19069 		return -EOPNOTSUPP;
19070 
19071 	if (!info->attrs[NL80211_ATTR_SAR_SPEC])
19072 		return -EINVAL;
19073 
19074 	nla_parse_nested(tb, NL80211_SAR_ATTR_MAX,
19075 			 info->attrs[NL80211_ATTR_SAR_SPEC],
19076 			 NULL, NULL);
19077 
19078 	if (!tb[NL80211_SAR_ATTR_TYPE] || !tb[NL80211_SAR_ATTR_SPECS])
19079 		return -EINVAL;
19080 
19081 	type = nla_get_u32(tb[NL80211_SAR_ATTR_TYPE]);
19082 	if (type != rdev->wiphy.sar_capa->type)
19083 		return -EINVAL;
19084 
19085 	specs = 0;
19086 	nla_for_each_nested(spec_list, tb[NL80211_SAR_ATTR_SPECS], rem)
19087 		specs++;
19088 
19089 	if (specs > rdev->wiphy.sar_capa->num_freq_ranges)
19090 		return -EINVAL;
19091 
19092 	sar_spec = kzalloc_flex(*sar_spec, sub_specs, specs);
19093 	if (!sar_spec)
19094 		return -ENOMEM;
19095 
19096 	sar_spec->num_sub_specs = specs;
19097 	sar_spec->type = type;
19098 	specs = 0;
19099 	nla_for_each_nested(spec_list, tb[NL80211_SAR_ATTR_SPECS], rem) {
19100 		nla_parse_nested(spec, NL80211_SAR_ATTR_SPECS_MAX,
19101 				 spec_list, NULL, NULL);
19102 
19103 		switch (type) {
19104 		case NL80211_SAR_TYPE_POWER:
19105 			if (nl80211_set_sar_sub_specs(rdev, sar_spec,
19106 						      spec, specs)) {
19107 				err = -EINVAL;
19108 				goto error;
19109 			}
19110 			break;
19111 		default:
19112 			err = -EINVAL;
19113 			goto error;
19114 		}
19115 		specs++;
19116 	}
19117 
19118 	sar_spec->num_sub_specs = specs;
19119 
19120 	rdev->cur_cmd_info = info;
19121 	err = rdev_set_sar_specs(rdev, sar_spec);
19122 	rdev->cur_cmd_info = NULL;
19123 error:
19124 	kfree(sar_spec);
19125 	return err;
19126 }
19127 
19128 #define SELECTOR(__sel, name, value) \
19129 	((__sel) == (value)) ? NL80211_IFL_SEL_##name :
19130 int __missing_selector(void);
19131 #define IFLAGS(__val) INTERNAL_FLAG_SELECTORS(__val) __missing_selector()
19132 
19133 static const struct genl_ops nl80211_ops[] = {
19134 	{
19135 		.cmd = NL80211_CMD_GET_WIPHY,
19136 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19137 		.doit = nl80211_get_wiphy,
19138 		.dumpit = nl80211_dump_wiphy,
19139 		.done = nl80211_dump_wiphy_done,
19140 		/* can be retrieved by unprivileged users */
19141 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY),
19142 	},
19143 };
19144 
19145 static const struct genl_small_ops nl80211_small_ops[] = {
19146 	{
19147 		.cmd = NL80211_CMD_SET_WIPHY,
19148 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19149 		.doit = nl80211_set_wiphy,
19150 		.flags = GENL_UNS_ADMIN_PERM,
19151 	},
19152 	{
19153 		.cmd = NL80211_CMD_GET_INTERFACE,
19154 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19155 		.doit = nl80211_get_interface,
19156 		.dumpit = nl80211_dump_interface,
19157 		/* can be retrieved by unprivileged users */
19158 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV),
19159 	},
19160 	{
19161 		.cmd = NL80211_CMD_SET_INTERFACE,
19162 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19163 		.doit = nl80211_set_interface,
19164 		.flags = GENL_UNS_ADMIN_PERM,
19165 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV |
19166 					 NL80211_FLAG_NEED_RTNL),
19167 	},
19168 	{
19169 		.cmd = NL80211_CMD_NEW_INTERFACE,
19170 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19171 		.doit = nl80211_new_interface,
19172 		.flags = GENL_UNS_ADMIN_PERM,
19173 		.internal_flags =
19174 			IFLAGS(NL80211_FLAG_NEED_WIPHY |
19175 			       NL80211_FLAG_NEED_RTNL |
19176 			       /* we take the wiphy mutex later ourselves */
19177 			       NL80211_FLAG_NO_WIPHY_MTX),
19178 	},
19179 	{
19180 		.cmd = NL80211_CMD_DEL_INTERFACE,
19181 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19182 		.doit = nl80211_del_interface,
19183 		.flags = GENL_UNS_ADMIN_PERM,
19184 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV |
19185 					 NL80211_FLAG_NEED_RTNL),
19186 	},
19187 	{
19188 		.cmd = NL80211_CMD_GET_KEY,
19189 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19190 		.doit = nl80211_get_key,
19191 		.flags = GENL_UNS_ADMIN_PERM,
19192 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
19193 	},
19194 	{
19195 		.cmd = NL80211_CMD_SET_KEY,
19196 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19197 		.doit = nl80211_set_key,
19198 		.flags = GENL_UNS_ADMIN_PERM,
19199 		/* cannot use NL80211_FLAG_MLO_VALID_LINK_ID, depends on key */
19200 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP |
19201 					 NL80211_FLAG_CLEAR_SKB),
19202 	},
19203 	{
19204 		.cmd = NL80211_CMD_NEW_KEY,
19205 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19206 		.doit = nl80211_new_key,
19207 		.flags = GENL_UNS_ADMIN_PERM,
19208 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP |
19209 					 NL80211_FLAG_CLEAR_SKB),
19210 	},
19211 	{
19212 		.cmd = NL80211_CMD_DEL_KEY,
19213 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19214 		.doit = nl80211_del_key,
19215 		.flags = GENL_UNS_ADMIN_PERM,
19216 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
19217 	},
19218 	{
19219 		.cmd = NL80211_CMD_SET_BEACON,
19220 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19221 		.flags = GENL_UNS_ADMIN_PERM,
19222 		.doit = nl80211_set_beacon,
19223 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
19224 					 NL80211_FLAG_MLO_VALID_LINK_ID),
19225 	},
19226 	{
19227 		.cmd = NL80211_CMD_START_AP,
19228 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19229 		.flags = GENL_UNS_ADMIN_PERM,
19230 		.doit = nl80211_start_ap,
19231 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
19232 					 NL80211_FLAG_MLO_VALID_LINK_ID),
19233 	},
19234 	{
19235 		.cmd = NL80211_CMD_STOP_AP,
19236 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19237 		.flags = GENL_UNS_ADMIN_PERM,
19238 		.doit = nl80211_stop_ap,
19239 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
19240 					 NL80211_FLAG_MLO_VALID_LINK_ID),
19241 	},
19242 	{
19243 		.cmd = NL80211_CMD_GET_STATION,
19244 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19245 		.doit = nl80211_get_station,
19246 		.dumpit = nl80211_dump_station,
19247 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV),
19248 	},
19249 	{
19250 		.cmd = NL80211_CMD_SET_STATION,
19251 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19252 		.doit = nl80211_set_station,
19253 		.flags = GENL_UNS_ADMIN_PERM,
19254 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
19255 	},
19256 	{
19257 		.cmd = NL80211_CMD_NEW_STATION,
19258 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19259 		.doit = nl80211_new_station,
19260 		.flags = GENL_UNS_ADMIN_PERM,
19261 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
19262 	},
19263 	{
19264 		.cmd = NL80211_CMD_DEL_STATION,
19265 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19266 		.doit = nl80211_del_station,
19267 		.flags = GENL_UNS_ADMIN_PERM,
19268 		/* cannot use NL80211_FLAG_MLO_VALID_LINK_ID, depends on
19269 		 * whether MAC address is passed or not. If MAC address is
19270 		 * passed, then even during MLO, link ID is not required.
19271 		 */
19272 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
19273 	},
19274 	{
19275 		.cmd = NL80211_CMD_GET_MPATH,
19276 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19277 		.doit = nl80211_get_mpath,
19278 		.dumpit = nl80211_dump_mpath,
19279 		.flags = GENL_UNS_ADMIN_PERM,
19280 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
19281 	},
19282 	{
19283 		.cmd = NL80211_CMD_GET_MPP,
19284 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19285 		.doit = nl80211_get_mpp,
19286 		.dumpit = nl80211_dump_mpp,
19287 		.flags = GENL_UNS_ADMIN_PERM,
19288 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
19289 	},
19290 	{
19291 		.cmd = NL80211_CMD_SET_MPATH,
19292 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19293 		.doit = nl80211_set_mpath,
19294 		.flags = GENL_UNS_ADMIN_PERM,
19295 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
19296 	},
19297 	{
19298 		.cmd = NL80211_CMD_NEW_MPATH,
19299 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19300 		.doit = nl80211_new_mpath,
19301 		.flags = GENL_UNS_ADMIN_PERM,
19302 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
19303 	},
19304 	{
19305 		.cmd = NL80211_CMD_DEL_MPATH,
19306 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19307 		.doit = nl80211_del_mpath,
19308 		.flags = GENL_UNS_ADMIN_PERM,
19309 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
19310 	},
19311 	{
19312 		.cmd = NL80211_CMD_SET_BSS,
19313 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19314 		.doit = nl80211_set_bss,
19315 		.flags = GENL_UNS_ADMIN_PERM,
19316 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
19317 					 NL80211_FLAG_MLO_VALID_LINK_ID),
19318 	},
19319 	{
19320 		.cmd = NL80211_CMD_GET_REG,
19321 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19322 		.doit = nl80211_get_reg_do,
19323 		.dumpit = nl80211_get_reg_dump,
19324 		/* can be retrieved by unprivileged users */
19325 	},
19326 #ifdef CONFIG_CFG80211_CRDA_SUPPORT
19327 	{
19328 		.cmd = NL80211_CMD_SET_REG,
19329 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19330 		.doit = nl80211_set_reg,
19331 		.flags = GENL_ADMIN_PERM,
19332 	},
19333 #endif
19334 	{
19335 		.cmd = NL80211_CMD_REQ_SET_REG,
19336 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19337 		.doit = nl80211_req_set_reg,
19338 		.flags = GENL_ADMIN_PERM,
19339 	},
19340 	{
19341 		.cmd = NL80211_CMD_RELOAD_REGDB,
19342 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19343 		.doit = nl80211_reload_regdb,
19344 		.flags = GENL_ADMIN_PERM,
19345 	},
19346 	{
19347 		.cmd = NL80211_CMD_GET_MESH_CONFIG,
19348 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19349 		.doit = nl80211_get_mesh_config,
19350 		/* can be retrieved by unprivileged users */
19351 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
19352 	},
19353 	{
19354 		.cmd = NL80211_CMD_SET_MESH_CONFIG,
19355 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19356 		.doit = nl80211_update_mesh_config,
19357 		.flags = GENL_UNS_ADMIN_PERM,
19358 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
19359 	},
19360 	{
19361 		.cmd = NL80211_CMD_TRIGGER_SCAN,
19362 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19363 		.doit = nl80211_trigger_scan,
19364 		.flags = GENL_UNS_ADMIN_PERM,
19365 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
19366 	},
19367 	{
19368 		.cmd = NL80211_CMD_ABORT_SCAN,
19369 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19370 		.doit = nl80211_abort_scan,
19371 		.flags = GENL_UNS_ADMIN_PERM,
19372 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
19373 	},
19374 	{
19375 		.cmd = NL80211_CMD_GET_SCAN,
19376 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19377 		.dumpit = nl80211_dump_scan,
19378 	},
19379 	{
19380 		.cmd = NL80211_CMD_START_SCHED_SCAN,
19381 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19382 		.doit = nl80211_start_sched_scan,
19383 		.flags = GENL_UNS_ADMIN_PERM,
19384 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
19385 	},
19386 	{
19387 		.cmd = NL80211_CMD_STOP_SCHED_SCAN,
19388 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19389 		.doit = nl80211_stop_sched_scan,
19390 		.flags = GENL_UNS_ADMIN_PERM,
19391 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
19392 	},
19393 	{
19394 		.cmd = NL80211_CMD_AUTHENTICATE,
19395 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19396 		.doit = nl80211_authenticate,
19397 		.flags = GENL_UNS_ADMIN_PERM,
19398 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
19399 					 NL80211_FLAG_CLEAR_SKB),
19400 	},
19401 	{
19402 		.cmd = NL80211_CMD_ASSOCIATE,
19403 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19404 		.doit = nl80211_associate,
19405 		.flags = GENL_UNS_ADMIN_PERM,
19406 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
19407 					 NL80211_FLAG_CLEAR_SKB),
19408 	},
19409 	{
19410 		.cmd = NL80211_CMD_DEAUTHENTICATE,
19411 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19412 		.doit = nl80211_deauthenticate,
19413 		.flags = GENL_UNS_ADMIN_PERM,
19414 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
19415 	},
19416 	{
19417 		.cmd = NL80211_CMD_DISASSOCIATE,
19418 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19419 		.doit = nl80211_disassociate,
19420 		.flags = GENL_UNS_ADMIN_PERM,
19421 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
19422 	},
19423 	{
19424 		.cmd = NL80211_CMD_JOIN_IBSS,
19425 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19426 		.doit = nl80211_join_ibss,
19427 		.flags = GENL_UNS_ADMIN_PERM,
19428 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
19429 	},
19430 	{
19431 		.cmd = NL80211_CMD_LEAVE_IBSS,
19432 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19433 		.doit = nl80211_leave_ibss,
19434 		.flags = GENL_UNS_ADMIN_PERM,
19435 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
19436 	},
19437 #ifdef CONFIG_NL80211_TESTMODE
19438 	{
19439 		.cmd = NL80211_CMD_TESTMODE,
19440 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19441 		.doit = nl80211_testmode_do,
19442 		.dumpit = nl80211_testmode_dump,
19443 		.flags = GENL_UNS_ADMIN_PERM,
19444 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY),
19445 	},
19446 #endif
19447 	{
19448 		.cmd = NL80211_CMD_CONNECT,
19449 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19450 		.doit = nl80211_connect,
19451 		.flags = GENL_UNS_ADMIN_PERM,
19452 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
19453 					 NL80211_FLAG_CLEAR_SKB),
19454 	},
19455 	{
19456 		.cmd = NL80211_CMD_UPDATE_CONNECT_PARAMS,
19457 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19458 		.doit = nl80211_update_connect_params,
19459 		.flags = GENL_ADMIN_PERM,
19460 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
19461 					 NL80211_FLAG_CLEAR_SKB),
19462 	},
19463 	{
19464 		.cmd = NL80211_CMD_DISCONNECT,
19465 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19466 		.doit = nl80211_disconnect,
19467 		.flags = GENL_UNS_ADMIN_PERM,
19468 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
19469 	},
19470 	{
19471 		.cmd = NL80211_CMD_SET_WIPHY_NETNS,
19472 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19473 		.doit = nl80211_wiphy_netns,
19474 		.flags = GENL_UNS_ADMIN_PERM,
19475 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY |
19476 					 NL80211_FLAG_NEED_RTNL |
19477 					 NL80211_FLAG_NO_WIPHY_MTX),
19478 	},
19479 	{
19480 		.cmd = NL80211_CMD_GET_SURVEY,
19481 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19482 		.dumpit = nl80211_dump_survey,
19483 	},
19484 	{
19485 		.cmd = NL80211_CMD_SET_PMKSA,
19486 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19487 		.doit = nl80211_set_pmksa,
19488 		.flags = GENL_UNS_ADMIN_PERM,
19489 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
19490 					 NL80211_FLAG_CLEAR_SKB),
19491 	},
19492 	{
19493 		.cmd = NL80211_CMD_DEL_PMKSA,
19494 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19495 		.doit = nl80211_del_pmksa,
19496 		.flags = GENL_UNS_ADMIN_PERM,
19497 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
19498 	},
19499 	{
19500 		.cmd = NL80211_CMD_FLUSH_PMKSA,
19501 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19502 		.doit = nl80211_flush_pmksa,
19503 		.flags = GENL_UNS_ADMIN_PERM,
19504 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
19505 	},
19506 	{
19507 		.cmd = NL80211_CMD_REMAIN_ON_CHANNEL,
19508 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19509 		.doit = nl80211_remain_on_channel,
19510 		.flags = GENL_UNS_ADMIN_PERM,
19511 		/* FIXME: requiring a link ID here is probably not good */
19512 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP |
19513 					 NL80211_FLAG_MLO_VALID_LINK_ID),
19514 	},
19515 	{
19516 		.cmd = NL80211_CMD_CANCEL_REMAIN_ON_CHANNEL,
19517 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19518 		.doit = nl80211_cancel_remain_on_channel,
19519 		.flags = GENL_UNS_ADMIN_PERM,
19520 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
19521 	},
19522 	{
19523 		.cmd = NL80211_CMD_SET_TX_BITRATE_MASK,
19524 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19525 		.doit = nl80211_set_tx_bitrate_mask,
19526 		.flags = GENL_UNS_ADMIN_PERM,
19527 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV |
19528 					 NL80211_FLAG_MLO_VALID_LINK_ID),
19529 	},
19530 	{
19531 		.cmd = NL80211_CMD_REGISTER_FRAME,
19532 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19533 		.doit = nl80211_register_mgmt,
19534 		.flags = GENL_UNS_ADMIN_PERM,
19535 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV),
19536 	},
19537 	{
19538 		.cmd = NL80211_CMD_FRAME,
19539 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19540 		.doit = nl80211_tx_mgmt,
19541 		.flags = GENL_UNS_ADMIN_PERM,
19542 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
19543 	},
19544 	{
19545 		.cmd = NL80211_CMD_FRAME_WAIT_CANCEL,
19546 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19547 		.doit = nl80211_tx_mgmt_cancel_wait,
19548 		.flags = GENL_UNS_ADMIN_PERM,
19549 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
19550 	},
19551 	{
19552 		.cmd = NL80211_CMD_SET_POWER_SAVE,
19553 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19554 		.doit = nl80211_set_power_save,
19555 		.flags = GENL_UNS_ADMIN_PERM,
19556 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV),
19557 	},
19558 	{
19559 		.cmd = NL80211_CMD_GET_POWER_SAVE,
19560 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19561 		.doit = nl80211_get_power_save,
19562 		/* can be retrieved by unprivileged users */
19563 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV),
19564 	},
19565 	{
19566 		.cmd = NL80211_CMD_SET_CQM,
19567 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19568 		.doit = nl80211_set_cqm,
19569 		.flags = GENL_UNS_ADMIN_PERM,
19570 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV),
19571 	},
19572 	{
19573 		.cmd = NL80211_CMD_SET_CHANNEL,
19574 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19575 		.doit = nl80211_set_channel,
19576 		.flags = GENL_UNS_ADMIN_PERM,
19577 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV |
19578 					 NL80211_FLAG_MLO_VALID_LINK_ID),
19579 	},
19580 	{
19581 		.cmd = NL80211_CMD_JOIN_MESH,
19582 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19583 		.doit = nl80211_join_mesh,
19584 		.flags = GENL_UNS_ADMIN_PERM,
19585 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
19586 	},
19587 	{
19588 		.cmd = NL80211_CMD_LEAVE_MESH,
19589 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19590 		.doit = nl80211_leave_mesh,
19591 		.flags = GENL_UNS_ADMIN_PERM,
19592 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
19593 	},
19594 	{
19595 		.cmd = NL80211_CMD_JOIN_OCB,
19596 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19597 		.doit = nl80211_join_ocb,
19598 		.flags = GENL_UNS_ADMIN_PERM,
19599 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
19600 	},
19601 	{
19602 		.cmd = NL80211_CMD_LEAVE_OCB,
19603 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19604 		.doit = nl80211_leave_ocb,
19605 		.flags = GENL_UNS_ADMIN_PERM,
19606 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
19607 	},
19608 #ifdef CONFIG_PM
19609 	{
19610 		.cmd = NL80211_CMD_GET_WOWLAN,
19611 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19612 		.doit = nl80211_get_wowlan,
19613 		/* can be retrieved by unprivileged users */
19614 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY),
19615 	},
19616 	{
19617 		.cmd = NL80211_CMD_SET_WOWLAN,
19618 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19619 		.doit = nl80211_set_wowlan,
19620 		.flags = GENL_UNS_ADMIN_PERM,
19621 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY),
19622 	},
19623 #endif
19624 	{
19625 		.cmd = NL80211_CMD_SET_REKEY_OFFLOAD,
19626 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19627 		.doit = nl80211_set_rekey_data,
19628 		.flags = GENL_UNS_ADMIN_PERM,
19629 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
19630 					 NL80211_FLAG_CLEAR_SKB),
19631 	},
19632 	{
19633 		.cmd = NL80211_CMD_TDLS_MGMT,
19634 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19635 		.doit = nl80211_tdls_mgmt,
19636 		.flags = GENL_UNS_ADMIN_PERM,
19637 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
19638 					 NL80211_FLAG_MLO_VALID_LINK_ID),
19639 	},
19640 	{
19641 		.cmd = NL80211_CMD_TDLS_OPER,
19642 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19643 		.doit = nl80211_tdls_oper,
19644 		.flags = GENL_UNS_ADMIN_PERM,
19645 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
19646 	},
19647 	{
19648 		.cmd = NL80211_CMD_UNEXPECTED_FRAME,
19649 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19650 		.doit = nl80211_register_unexpected_frame,
19651 		.flags = GENL_UNS_ADMIN_PERM,
19652 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV),
19653 	},
19654 	{
19655 		.cmd = NL80211_CMD_PROBE_CLIENT,
19656 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19657 		.doit = nl80211_probe_client,
19658 		.flags = GENL_UNS_ADMIN_PERM,
19659 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
19660 	},
19661 	{
19662 		.cmd = NL80211_CMD_REGISTER_BEACONS,
19663 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19664 		.doit = nl80211_register_beacons,
19665 		.flags = GENL_UNS_ADMIN_PERM,
19666 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY),
19667 	},
19668 	{
19669 		.cmd = NL80211_CMD_SET_NOACK_MAP,
19670 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19671 		.doit = nl80211_set_noack_map,
19672 		.flags = GENL_UNS_ADMIN_PERM,
19673 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV),
19674 	},
19675 	{
19676 		.cmd = NL80211_CMD_START_P2P_DEVICE,
19677 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19678 		.doit = nl80211_start_p2p_device,
19679 		.flags = GENL_UNS_ADMIN_PERM,
19680 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV |
19681 					 NL80211_FLAG_NEED_RTNL),
19682 	},
19683 	{
19684 		.cmd = NL80211_CMD_STOP_P2P_DEVICE,
19685 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19686 		.doit = nl80211_stop_p2p_device,
19687 		.flags = GENL_UNS_ADMIN_PERM,
19688 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP |
19689 					 NL80211_FLAG_NEED_RTNL),
19690 	},
19691 	{
19692 		.cmd = NL80211_CMD_START_NAN,
19693 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19694 		.doit = nl80211_start_nan,
19695 		.flags = GENL_ADMIN_PERM,
19696 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV |
19697 					 NL80211_FLAG_NEED_RTNL),
19698 	},
19699 	{
19700 		.cmd = NL80211_CMD_STOP_NAN,
19701 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19702 		.doit = nl80211_stop_nan,
19703 		.flags = GENL_ADMIN_PERM,
19704 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP |
19705 					 NL80211_FLAG_NO_WIPHY_MTX |
19706 					 NL80211_FLAG_NEED_RTNL),
19707 	},
19708 	{
19709 		.cmd = NL80211_CMD_ADD_NAN_FUNCTION,
19710 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19711 		.doit = nl80211_nan_add_func,
19712 		.flags = GENL_ADMIN_PERM,
19713 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
19714 	},
19715 	{
19716 		.cmd = NL80211_CMD_DEL_NAN_FUNCTION,
19717 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19718 		.doit = nl80211_nan_del_func,
19719 		.flags = GENL_ADMIN_PERM,
19720 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
19721 	},
19722 	{
19723 		.cmd = NL80211_CMD_CHANGE_NAN_CONFIG,
19724 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19725 		.doit = nl80211_nan_change_config,
19726 		.flags = GENL_ADMIN_PERM,
19727 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
19728 	},
19729 	{
19730 		.cmd = NL80211_CMD_SET_MCAST_RATE,
19731 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19732 		.doit = nl80211_set_mcast_rate,
19733 		.flags = GENL_UNS_ADMIN_PERM,
19734 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV),
19735 	},
19736 	{
19737 		.cmd = NL80211_CMD_SET_MAC_ACL,
19738 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19739 		.doit = nl80211_set_mac_acl,
19740 		.flags = GENL_UNS_ADMIN_PERM,
19741 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV |
19742 					 NL80211_FLAG_MLO_UNSUPPORTED),
19743 	},
19744 	{
19745 		.cmd = NL80211_CMD_RADAR_DETECT,
19746 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19747 		.doit = nl80211_start_radar_detection,
19748 		.flags = GENL_UNS_ADMIN_PERM,
19749 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
19750 					 NL80211_FLAG_NO_WIPHY_MTX |
19751 					 NL80211_FLAG_MLO_VALID_LINK_ID),
19752 	},
19753 	{
19754 		.cmd = NL80211_CMD_GET_PROTOCOL_FEATURES,
19755 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19756 		.doit = nl80211_get_protocol_features,
19757 	},
19758 	{
19759 		.cmd = NL80211_CMD_UPDATE_FT_IES,
19760 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19761 		.doit = nl80211_update_ft_ies,
19762 		.flags = GENL_UNS_ADMIN_PERM,
19763 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
19764 	},
19765 	{
19766 		.cmd = NL80211_CMD_CRIT_PROTOCOL_START,
19767 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19768 		.doit = nl80211_crit_protocol_start,
19769 		.flags = GENL_UNS_ADMIN_PERM,
19770 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
19771 	},
19772 	{
19773 		.cmd = NL80211_CMD_CRIT_PROTOCOL_STOP,
19774 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19775 		.doit = nl80211_crit_protocol_stop,
19776 		.flags = GENL_UNS_ADMIN_PERM,
19777 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
19778 	},
19779 	{
19780 		.cmd = NL80211_CMD_GET_COALESCE,
19781 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19782 		.doit = nl80211_get_coalesce,
19783 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY),
19784 	},
19785 	{
19786 		.cmd = NL80211_CMD_SET_COALESCE,
19787 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19788 		.doit = nl80211_set_coalesce,
19789 		.flags = GENL_UNS_ADMIN_PERM,
19790 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY),
19791 	},
19792 	{
19793 		.cmd = NL80211_CMD_CHANNEL_SWITCH,
19794 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19795 		.doit = nl80211_channel_switch,
19796 		.flags = GENL_UNS_ADMIN_PERM,
19797 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
19798 					 NL80211_FLAG_MLO_VALID_LINK_ID),
19799 	},
19800 	{
19801 		.cmd = NL80211_CMD_VENDOR,
19802 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19803 		.doit = nl80211_vendor_cmd,
19804 		.dumpit = nl80211_vendor_cmd_dump,
19805 		.flags = GENL_UNS_ADMIN_PERM,
19806 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY |
19807 					 NL80211_FLAG_CLEAR_SKB),
19808 	},
19809 	{
19810 		.cmd = NL80211_CMD_SET_QOS_MAP,
19811 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19812 		.doit = nl80211_set_qos_map,
19813 		.flags = GENL_UNS_ADMIN_PERM,
19814 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
19815 	},
19816 	{
19817 		.cmd = NL80211_CMD_ADD_TX_TS,
19818 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19819 		.doit = nl80211_add_tx_ts,
19820 		.flags = GENL_UNS_ADMIN_PERM,
19821 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
19822 					 NL80211_FLAG_MLO_UNSUPPORTED),
19823 	},
19824 	{
19825 		.cmd = NL80211_CMD_DEL_TX_TS,
19826 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19827 		.doit = nl80211_del_tx_ts,
19828 		.flags = GENL_UNS_ADMIN_PERM,
19829 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
19830 	},
19831 	{
19832 		.cmd = NL80211_CMD_TDLS_CHANNEL_SWITCH,
19833 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19834 		.doit = nl80211_tdls_channel_switch,
19835 		.flags = GENL_UNS_ADMIN_PERM,
19836 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
19837 	},
19838 	{
19839 		.cmd = NL80211_CMD_TDLS_CANCEL_CHANNEL_SWITCH,
19840 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19841 		.doit = nl80211_tdls_cancel_channel_switch,
19842 		.flags = GENL_UNS_ADMIN_PERM,
19843 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
19844 	},
19845 	{
19846 		.cmd = NL80211_CMD_SET_MULTICAST_TO_UNICAST,
19847 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19848 		.doit = nl80211_set_multicast_to_unicast,
19849 		.flags = GENL_UNS_ADMIN_PERM,
19850 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV),
19851 	},
19852 	{
19853 		.cmd = NL80211_CMD_SET_PMK,
19854 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19855 		.doit = nl80211_set_pmk,
19856 		.flags = GENL_UNS_ADMIN_PERM,
19857 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
19858 					 NL80211_FLAG_CLEAR_SKB),
19859 	},
19860 	{
19861 		.cmd = NL80211_CMD_DEL_PMK,
19862 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19863 		.doit = nl80211_del_pmk,
19864 		.flags = GENL_UNS_ADMIN_PERM,
19865 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
19866 	},
19867 	{
19868 		.cmd = NL80211_CMD_EXTERNAL_AUTH,
19869 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19870 		.doit = nl80211_external_auth,
19871 		.flags = GENL_ADMIN_PERM,
19872 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
19873 	},
19874 	{
19875 		.cmd = NL80211_CMD_CONTROL_PORT_FRAME,
19876 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19877 		.doit = nl80211_tx_control_port,
19878 		.flags = GENL_UNS_ADMIN_PERM,
19879 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
19880 	},
19881 	{
19882 		.cmd = NL80211_CMD_GET_FTM_RESPONDER_STATS,
19883 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19884 		.doit = nl80211_get_ftm_responder_stats,
19885 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV |
19886 					 NL80211_FLAG_MLO_VALID_LINK_ID),
19887 	},
19888 	{
19889 		.cmd = NL80211_CMD_PEER_MEASUREMENT_START,
19890 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19891 		.doit = nl80211_pmsr_start,
19892 		.flags = GENL_UNS_ADMIN_PERM,
19893 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
19894 	},
19895 	{
19896 		.cmd = NL80211_CMD_NOTIFY_RADAR,
19897 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19898 		.doit = nl80211_notify_radar_detection,
19899 		.flags = GENL_UNS_ADMIN_PERM,
19900 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
19901 	},
19902 	{
19903 		.cmd = NL80211_CMD_UPDATE_OWE_INFO,
19904 		.doit = nl80211_update_owe_info,
19905 		.flags = GENL_ADMIN_PERM,
19906 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
19907 	},
19908 	{
19909 		.cmd = NL80211_CMD_PROBE_MESH_LINK,
19910 		.doit = nl80211_probe_mesh_link,
19911 		.flags = GENL_UNS_ADMIN_PERM,
19912 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
19913 	},
19914 	{
19915 		.cmd = NL80211_CMD_SET_TID_CONFIG,
19916 		.doit = nl80211_set_tid_config,
19917 		.flags = GENL_UNS_ADMIN_PERM,
19918 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV |
19919 					 NL80211_FLAG_MLO_VALID_LINK_ID),
19920 	},
19921 	{
19922 		.cmd = NL80211_CMD_SET_SAR_SPECS,
19923 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19924 		.doit = nl80211_set_sar_specs,
19925 		.flags = GENL_UNS_ADMIN_PERM,
19926 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY |
19927 					 NL80211_FLAG_NEED_RTNL),
19928 	},
19929 	{
19930 		.cmd = NL80211_CMD_COLOR_CHANGE_REQUEST,
19931 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19932 		.doit = nl80211_color_change,
19933 		.flags = GENL_UNS_ADMIN_PERM,
19934 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
19935 					 NL80211_FLAG_MLO_VALID_LINK_ID),
19936 	},
19937 	{
19938 		.cmd = NL80211_CMD_SET_FILS_AAD,
19939 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19940 		.doit = nl80211_set_fils_aad,
19941 		.flags = GENL_UNS_ADMIN_PERM,
19942 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
19943 	},
19944 	{
19945 		.cmd = NL80211_CMD_ADD_LINK,
19946 		.doit = nl80211_add_link,
19947 		.flags = GENL_UNS_ADMIN_PERM,
19948 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
19949 	},
19950 	{
19951 		.cmd = NL80211_CMD_REMOVE_LINK,
19952 		.doit = nl80211_remove_link,
19953 		.flags = GENL_UNS_ADMIN_PERM,
19954 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
19955 					 NL80211_FLAG_MLO_VALID_LINK_ID),
19956 	},
19957 	{
19958 		.cmd = NL80211_CMD_ADD_LINK_STA,
19959 		.doit = nl80211_add_link_station,
19960 		.flags = GENL_UNS_ADMIN_PERM,
19961 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
19962 					 NL80211_FLAG_MLO_VALID_LINK_ID),
19963 	},
19964 	{
19965 		.cmd = NL80211_CMD_MODIFY_LINK_STA,
19966 		.doit = nl80211_modify_link_station,
19967 		.flags = GENL_UNS_ADMIN_PERM,
19968 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
19969 					 NL80211_FLAG_MLO_VALID_LINK_ID),
19970 	},
19971 	{
19972 		.cmd = NL80211_CMD_REMOVE_LINK_STA,
19973 		.doit = nl80211_remove_link_station,
19974 		.flags = GENL_UNS_ADMIN_PERM,
19975 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
19976 					 NL80211_FLAG_MLO_VALID_LINK_ID),
19977 	},
19978 	{
19979 		.cmd = NL80211_CMD_SET_HW_TIMESTAMP,
19980 		.doit = nl80211_set_hw_timestamp,
19981 		.flags = GENL_UNS_ADMIN_PERM,
19982 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
19983 	},
19984 	{
19985 		.cmd = NL80211_CMD_SET_TID_TO_LINK_MAPPING,
19986 		.doit = nl80211_set_ttlm,
19987 		.flags = GENL_UNS_ADMIN_PERM,
19988 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
19989 	},
19990 	{
19991 		.cmd = NL80211_CMD_ASSOC_MLO_RECONF,
19992 		.doit = nl80211_assoc_ml_reconf,
19993 		.flags = GENL_UNS_ADMIN_PERM,
19994 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
19995 	},
19996 	{
19997 		.cmd = NL80211_CMD_EPCS_CFG,
19998 		.doit = nl80211_epcs_cfg,
19999 		.flags = GENL_UNS_ADMIN_PERM,
20000 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
20001 	},
20002 	{
20003 		.cmd = NL80211_CMD_NAN_SET_LOCAL_SCHED,
20004 		.doit = nl80211_nan_set_local_sched,
20005 		.flags = GENL_ADMIN_PERM,
20006 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
20007 	},
20008 	{
20009 		.cmd = NL80211_CMD_NAN_SET_PEER_SCHED,
20010 		.doit = nl80211_nan_set_peer_sched,
20011 		.flags = GENL_ADMIN_PERM,
20012 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
20013 	},
20014 };
20015 
20016 static struct genl_family nl80211_fam __ro_after_init = {
20017 	.name = NL80211_GENL_NAME,	/* have users key off the name instead */
20018 	.hdrsize = 0,			/* no private header */
20019 	.version = 1,			/* no particular meaning now */
20020 	.maxattr = NL80211_ATTR_MAX,
20021 	.policy = nl80211_policy,
20022 	.netnsok = true,
20023 	.pre_doit = nl80211_pre_doit,
20024 	.post_doit = nl80211_post_doit,
20025 	.module = THIS_MODULE,
20026 	.ops = nl80211_ops,
20027 	.n_ops = ARRAY_SIZE(nl80211_ops),
20028 	.small_ops = nl80211_small_ops,
20029 	.n_small_ops = ARRAY_SIZE(nl80211_small_ops),
20030 	.resv_start_op = NL80211_CMD_REMOVE_LINK_STA + 1,
20031 	.mcgrps = nl80211_mcgrps,
20032 	.n_mcgrps = ARRAY_SIZE(nl80211_mcgrps),
20033 	.parallel_ops = true,
20034 };
20035 
20036 /* notification functions */
20037 
20038 void nl80211_notify_wiphy(struct cfg80211_registered_device *rdev,
20039 			  enum nl80211_commands cmd)
20040 {
20041 	struct sk_buff *msg;
20042 	struct nl80211_dump_wiphy_state state = {};
20043 
20044 	WARN_ON(cmd != NL80211_CMD_NEW_WIPHY &&
20045 		cmd != NL80211_CMD_DEL_WIPHY);
20046 
20047 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
20048 	if (!msg)
20049 		return;
20050 
20051 	if (nl80211_send_wiphy(rdev, cmd, msg, 0, 0, 0, &state) < 0) {
20052 		nlmsg_free(msg);
20053 		return;
20054 	}
20055 
20056 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
20057 				NL80211_MCGRP_CONFIG, GFP_KERNEL);
20058 }
20059 
20060 void nl80211_notify_iface(struct cfg80211_registered_device *rdev,
20061 				struct wireless_dev *wdev,
20062 				enum nl80211_commands cmd)
20063 {
20064 	struct sk_buff *msg;
20065 
20066 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
20067 	if (!msg)
20068 		return;
20069 
20070 	if (nl80211_send_iface(msg, 0, 0, 0, rdev, wdev, cmd) < 0) {
20071 		nlmsg_free(msg);
20072 		return;
20073 	}
20074 
20075 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
20076 				NL80211_MCGRP_CONFIG, GFP_KERNEL);
20077 }
20078 
20079 static int nl80211_add_scan_req(struct sk_buff *msg,
20080 				struct cfg80211_registered_device *rdev)
20081 {
20082 	struct cfg80211_scan_request_int *req = rdev->scan_req;
20083 	struct nlattr *nest;
20084 	int i;
20085 	struct cfg80211_scan_info *info;
20086 
20087 	if (WARN_ON(!req))
20088 		return 0;
20089 
20090 	nest = nla_nest_start_noflag(msg, NL80211_ATTR_SCAN_SSIDS);
20091 	if (!nest)
20092 		goto nla_put_failure;
20093 	for (i = 0; i < req->req.n_ssids; i++) {
20094 		if (nla_put(msg, i, req->req.ssids[i].ssid_len,
20095 			    req->req.ssids[i].ssid))
20096 			goto nla_put_failure;
20097 	}
20098 	nla_nest_end(msg, nest);
20099 
20100 	if (req->req.flags & NL80211_SCAN_FLAG_FREQ_KHZ) {
20101 		nest = nla_nest_start(msg, NL80211_ATTR_SCAN_FREQ_KHZ);
20102 		if (!nest)
20103 			goto nla_put_failure;
20104 		for (i = 0; i < req->req.n_channels; i++) {
20105 			if (nla_put_u32(msg, i,
20106 					ieee80211_channel_to_khz(req->req.channels[i])))
20107 				goto nla_put_failure;
20108 		}
20109 		nla_nest_end(msg, nest);
20110 	} else {
20111 		nest = nla_nest_start_noflag(msg,
20112 					     NL80211_ATTR_SCAN_FREQUENCIES);
20113 		if (!nest)
20114 			goto nla_put_failure;
20115 		for (i = 0; i < req->req.n_channels; i++) {
20116 			if (nla_put_u32(msg, i,
20117 					req->req.channels[i]->center_freq))
20118 				goto nla_put_failure;
20119 		}
20120 		nla_nest_end(msg, nest);
20121 	}
20122 
20123 	if (req->req.ie &&
20124 	    nla_put(msg, NL80211_ATTR_IE, req->req.ie_len, req->req.ie))
20125 		goto nla_put_failure;
20126 
20127 	if (req->req.flags &&
20128 	    nla_put_u32(msg, NL80211_ATTR_SCAN_FLAGS, req->req.flags))
20129 		goto nla_put_failure;
20130 
20131 	info = rdev->int_scan_req ? &rdev->int_scan_req->info :
20132 		&rdev->scan_req->info;
20133 	if (info->scan_start_tsf &&
20134 	    (nla_put_u64_64bit(msg, NL80211_ATTR_SCAN_START_TIME_TSF,
20135 			       info->scan_start_tsf, NL80211_BSS_PAD) ||
20136 	     nla_put(msg, NL80211_ATTR_SCAN_START_TIME_TSF_BSSID, ETH_ALEN,
20137 		     info->tsf_bssid)))
20138 		goto nla_put_failure;
20139 
20140 	return 0;
20141  nla_put_failure:
20142 	return -ENOBUFS;
20143 }
20144 
20145 static int nl80211_prep_scan_msg(struct sk_buff *msg,
20146 				 struct cfg80211_registered_device *rdev,
20147 				 struct wireless_dev *wdev,
20148 				 u32 portid, u32 seq, int flags,
20149 				 u32 cmd)
20150 {
20151 	void *hdr;
20152 
20153 	hdr = nl80211hdr_put(msg, portid, seq, flags, cmd);
20154 	if (!hdr)
20155 		return -1;
20156 
20157 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
20158 	    (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
20159 					 wdev->netdev->ifindex)) ||
20160 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
20161 			      NL80211_ATTR_PAD))
20162 		goto nla_put_failure;
20163 
20164 	/* ignore errors and send incomplete event anyway */
20165 	nl80211_add_scan_req(msg, rdev);
20166 
20167 	genlmsg_end(msg, hdr);
20168 	return 0;
20169 
20170  nla_put_failure:
20171 	genlmsg_cancel(msg, hdr);
20172 	return -EMSGSIZE;
20173 }
20174 
20175 static int
20176 nl80211_prep_sched_scan_msg(struct sk_buff *msg,
20177 			    struct cfg80211_sched_scan_request *req, u32 cmd)
20178 {
20179 	void *hdr;
20180 
20181 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
20182 	if (!hdr)
20183 		return -1;
20184 
20185 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY,
20186 			wiphy_to_rdev(req->wiphy)->wiphy_idx) ||
20187 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, req->dev->ifindex) ||
20188 	    nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, req->reqid,
20189 			      NL80211_ATTR_PAD))
20190 		goto nla_put_failure;
20191 
20192 	genlmsg_end(msg, hdr);
20193 	return 0;
20194 
20195  nla_put_failure:
20196 	genlmsg_cancel(msg, hdr);
20197 	return -EMSGSIZE;
20198 }
20199 
20200 void nl80211_send_scan_start(struct cfg80211_registered_device *rdev,
20201 			     struct wireless_dev *wdev)
20202 {
20203 	struct sk_buff *msg;
20204 
20205 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
20206 	if (!msg)
20207 		return;
20208 
20209 	if (nl80211_prep_scan_msg(msg, rdev, wdev, 0, 0, 0,
20210 				  NL80211_CMD_TRIGGER_SCAN) < 0) {
20211 		nlmsg_free(msg);
20212 		return;
20213 	}
20214 
20215 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
20216 				NL80211_MCGRP_SCAN, GFP_KERNEL);
20217 }
20218 
20219 struct sk_buff *nl80211_build_scan_msg(struct cfg80211_registered_device *rdev,
20220 				       struct wireless_dev *wdev, bool aborted)
20221 {
20222 	struct sk_buff *msg;
20223 
20224 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
20225 	if (!msg)
20226 		return NULL;
20227 
20228 	if (nl80211_prep_scan_msg(msg, rdev, wdev, 0, 0, 0,
20229 				  aborted ? NL80211_CMD_SCAN_ABORTED :
20230 					    NL80211_CMD_NEW_SCAN_RESULTS) < 0) {
20231 		nlmsg_free(msg);
20232 		return NULL;
20233 	}
20234 
20235 	return msg;
20236 }
20237 
20238 /* send message created by nl80211_build_scan_msg() */
20239 void nl80211_send_scan_msg(struct cfg80211_registered_device *rdev,
20240 			   struct sk_buff *msg)
20241 {
20242 	if (!msg)
20243 		return;
20244 
20245 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
20246 				NL80211_MCGRP_SCAN, GFP_KERNEL);
20247 }
20248 
20249 void nl80211_send_sched_scan(struct cfg80211_sched_scan_request *req, u32 cmd)
20250 {
20251 	struct sk_buff *msg;
20252 
20253 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
20254 	if (!msg)
20255 		return;
20256 
20257 	if (nl80211_prep_sched_scan_msg(msg, req, cmd) < 0) {
20258 		nlmsg_free(msg);
20259 		return;
20260 	}
20261 
20262 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(req->wiphy), msg, 0,
20263 				NL80211_MCGRP_SCAN, GFP_KERNEL);
20264 }
20265 
20266 static bool nl80211_reg_change_event_fill(struct sk_buff *msg,
20267 					  struct regulatory_request *request)
20268 {
20269 	/* Userspace can always count this one always being set */
20270 	if (nla_put_u8(msg, NL80211_ATTR_REG_INITIATOR, request->initiator))
20271 		goto nla_put_failure;
20272 
20273 	if (request->alpha2[0] == '0' && request->alpha2[1] == '0') {
20274 		if (nla_put_u8(msg, NL80211_ATTR_REG_TYPE,
20275 			       NL80211_REGDOM_TYPE_WORLD))
20276 			goto nla_put_failure;
20277 	} else if (request->alpha2[0] == '9' && request->alpha2[1] == '9') {
20278 		if (nla_put_u8(msg, NL80211_ATTR_REG_TYPE,
20279 			       NL80211_REGDOM_TYPE_CUSTOM_WORLD))
20280 			goto nla_put_failure;
20281 	} else if ((request->alpha2[0] == '9' && request->alpha2[1] == '8') ||
20282 		   request->intersect) {
20283 		if (nla_put_u8(msg, NL80211_ATTR_REG_TYPE,
20284 			       NL80211_REGDOM_TYPE_INTERSECTION))
20285 			goto nla_put_failure;
20286 	} else {
20287 		if (nla_put_u8(msg, NL80211_ATTR_REG_TYPE,
20288 			       NL80211_REGDOM_TYPE_COUNTRY) ||
20289 		    nla_put_string(msg, NL80211_ATTR_REG_ALPHA2,
20290 				   request->alpha2))
20291 			goto nla_put_failure;
20292 	}
20293 
20294 	if (request->wiphy_idx != WIPHY_IDX_INVALID) {
20295 		struct wiphy *wiphy = wiphy_idx_to_wiphy(request->wiphy_idx);
20296 
20297 		if (wiphy &&
20298 		    nla_put_u32(msg, NL80211_ATTR_WIPHY, request->wiphy_idx))
20299 			goto nla_put_failure;
20300 
20301 		if (wiphy &&
20302 		    wiphy->regulatory_flags & REGULATORY_WIPHY_SELF_MANAGED &&
20303 		    nla_put_flag(msg, NL80211_ATTR_WIPHY_SELF_MANAGED_REG))
20304 			goto nla_put_failure;
20305 	}
20306 
20307 	return true;
20308 
20309 nla_put_failure:
20310 	return false;
20311 }
20312 
20313 /*
20314  * This can happen on global regulatory changes or device specific settings
20315  * based on custom regulatory domains.
20316  */
20317 void nl80211_common_reg_change_event(enum nl80211_commands cmd_id,
20318 				     struct regulatory_request *request)
20319 {
20320 	struct sk_buff *msg;
20321 	void *hdr;
20322 
20323 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
20324 	if (!msg)
20325 		return;
20326 
20327 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd_id);
20328 	if (!hdr)
20329 		goto nla_put_failure;
20330 
20331 	if (!nl80211_reg_change_event_fill(msg, request))
20332 		goto nla_put_failure;
20333 
20334 	genlmsg_end(msg, hdr);
20335 
20336 	genlmsg_multicast_allns(&nl80211_fam, msg, 0,
20337 				NL80211_MCGRP_REGULATORY);
20338 
20339 	return;
20340 
20341 nla_put_failure:
20342 	nlmsg_free(msg);
20343 }
20344 
20345 struct nl80211_mlme_event {
20346 	enum nl80211_commands cmd;
20347 	const u8 *buf;
20348 	size_t buf_len;
20349 	int uapsd_queues;
20350 	const u8 *req_ies;
20351 	size_t req_ies_len;
20352 	bool reconnect;
20353 };
20354 
20355 static void nl80211_send_mlme_event(struct cfg80211_registered_device *rdev,
20356 				    struct net_device *netdev,
20357 				    const struct nl80211_mlme_event *event,
20358 				    gfp_t gfp)
20359 {
20360 	struct sk_buff *msg;
20361 	void *hdr;
20362 
20363 	msg = nlmsg_new(100 + event->buf_len + event->req_ies_len, gfp);
20364 	if (!msg)
20365 		return;
20366 
20367 	hdr = nl80211hdr_put(msg, 0, 0, 0, event->cmd);
20368 	if (!hdr) {
20369 		nlmsg_free(msg);
20370 		return;
20371 	}
20372 
20373 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
20374 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
20375 	    nla_put(msg, NL80211_ATTR_FRAME, event->buf_len, event->buf) ||
20376 	    (event->req_ies &&
20377 	     nla_put(msg, NL80211_ATTR_REQ_IE, event->req_ies_len,
20378 		     event->req_ies)))
20379 		goto nla_put_failure;
20380 
20381 	if (event->reconnect &&
20382 	    nla_put_flag(msg, NL80211_ATTR_RECONNECT_REQUESTED))
20383 		goto nla_put_failure;
20384 
20385 	if (event->uapsd_queues >= 0) {
20386 		struct nlattr *nla_wmm =
20387 			nla_nest_start_noflag(msg, NL80211_ATTR_STA_WME);
20388 		if (!nla_wmm)
20389 			goto nla_put_failure;
20390 
20391 		if (nla_put_u8(msg, NL80211_STA_WME_UAPSD_QUEUES,
20392 			       event->uapsd_queues))
20393 			goto nla_put_failure;
20394 
20395 		nla_nest_end(msg, nla_wmm);
20396 	}
20397 
20398 	genlmsg_end(msg, hdr);
20399 
20400 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
20401 				NL80211_MCGRP_MLME, gfp);
20402 	return;
20403 
20404  nla_put_failure:
20405 	nlmsg_free(msg);
20406 }
20407 
20408 void nl80211_send_rx_auth(struct cfg80211_registered_device *rdev,
20409 			  struct net_device *netdev, const u8 *buf,
20410 			  size_t len, gfp_t gfp)
20411 {
20412 	struct nl80211_mlme_event event = {
20413 		.cmd = NL80211_CMD_AUTHENTICATE,
20414 		.buf = buf,
20415 		.buf_len = len,
20416 		.uapsd_queues = -1,
20417 	};
20418 
20419 	nl80211_send_mlme_event(rdev, netdev, &event, gfp);
20420 }
20421 
20422 void nl80211_send_rx_assoc(struct cfg80211_registered_device *rdev,
20423 			   struct net_device *netdev,
20424 			   const struct cfg80211_rx_assoc_resp_data *data)
20425 {
20426 	struct nl80211_mlme_event event = {
20427 		.cmd = NL80211_CMD_ASSOCIATE,
20428 		.buf = data->buf,
20429 		.buf_len = data->len,
20430 		.uapsd_queues = data->uapsd_queues,
20431 		.req_ies = data->req_ies,
20432 		.req_ies_len = data->req_ies_len,
20433 	};
20434 
20435 	nl80211_send_mlme_event(rdev, netdev, &event, GFP_KERNEL);
20436 }
20437 
20438 void nl80211_send_deauth(struct cfg80211_registered_device *rdev,
20439 			 struct net_device *netdev, const u8 *buf,
20440 			 size_t len, bool reconnect, gfp_t gfp)
20441 {
20442 	struct nl80211_mlme_event event = {
20443 		.cmd = NL80211_CMD_DEAUTHENTICATE,
20444 		.buf = buf,
20445 		.buf_len = len,
20446 		.reconnect = reconnect,
20447 		.uapsd_queues = -1,
20448 	};
20449 
20450 	nl80211_send_mlme_event(rdev, netdev, &event, gfp);
20451 }
20452 
20453 void nl80211_send_disassoc(struct cfg80211_registered_device *rdev,
20454 			   struct net_device *netdev, const u8 *buf,
20455 			   size_t len, bool reconnect, gfp_t gfp)
20456 {
20457 	struct nl80211_mlme_event event = {
20458 		.cmd = NL80211_CMD_DISASSOCIATE,
20459 		.buf = buf,
20460 		.buf_len = len,
20461 		.reconnect = reconnect,
20462 		.uapsd_queues = -1,
20463 	};
20464 
20465 	nl80211_send_mlme_event(rdev, netdev, &event, gfp);
20466 }
20467 
20468 void cfg80211_rx_unprot_mlme_mgmt(struct net_device *dev, const u8 *buf,
20469 				  size_t len)
20470 {
20471 	struct wireless_dev *wdev = dev->ieee80211_ptr;
20472 	struct wiphy *wiphy = wdev->wiphy;
20473 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
20474 	const struct ieee80211_mgmt *mgmt = (void *)buf;
20475 	struct nl80211_mlme_event event = {
20476 		.buf = buf,
20477 		.buf_len = len,
20478 		.uapsd_queues = -1,
20479 	};
20480 
20481 	if (WARN_ON(len < 2))
20482 		return;
20483 
20484 	if (ieee80211_is_deauth(mgmt->frame_control)) {
20485 		event.cmd = NL80211_CMD_UNPROT_DEAUTHENTICATE;
20486 	} else if (ieee80211_is_disassoc(mgmt->frame_control)) {
20487 		event.cmd = NL80211_CMD_UNPROT_DISASSOCIATE;
20488 	} else if (ieee80211_is_beacon(mgmt->frame_control)) {
20489 		if (wdev->unprot_beacon_reported &&
20490 		    elapsed_jiffies_msecs(wdev->unprot_beacon_reported) < 10000)
20491 			return;
20492 		event.cmd = NL80211_CMD_UNPROT_BEACON;
20493 		wdev->unprot_beacon_reported = jiffies;
20494 	} else {
20495 		return;
20496 	}
20497 
20498 	trace_cfg80211_rx_unprot_mlme_mgmt(dev, buf, len);
20499 	nl80211_send_mlme_event(rdev, dev, &event, GFP_ATOMIC);
20500 }
20501 EXPORT_SYMBOL(cfg80211_rx_unprot_mlme_mgmt);
20502 
20503 static void nl80211_send_mlme_timeout(struct cfg80211_registered_device *rdev,
20504 				      struct net_device *netdev, int cmd,
20505 				      const u8 *addr, gfp_t gfp)
20506 {
20507 	struct sk_buff *msg;
20508 	void *hdr;
20509 
20510 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
20511 	if (!msg)
20512 		return;
20513 
20514 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
20515 	if (!hdr) {
20516 		nlmsg_free(msg);
20517 		return;
20518 	}
20519 
20520 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
20521 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
20522 	    nla_put_flag(msg, NL80211_ATTR_TIMED_OUT) ||
20523 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr))
20524 		goto nla_put_failure;
20525 
20526 	genlmsg_end(msg, hdr);
20527 
20528 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
20529 				NL80211_MCGRP_MLME, gfp);
20530 	return;
20531 
20532  nla_put_failure:
20533 	nlmsg_free(msg);
20534 }
20535 
20536 void nl80211_send_auth_timeout(struct cfg80211_registered_device *rdev,
20537 			       struct net_device *netdev, const u8 *addr,
20538 			       gfp_t gfp)
20539 {
20540 	nl80211_send_mlme_timeout(rdev, netdev, NL80211_CMD_AUTHENTICATE,
20541 				  addr, gfp);
20542 }
20543 
20544 void nl80211_send_assoc_timeout(struct cfg80211_registered_device *rdev,
20545 				struct net_device *netdev, const u8 *addr,
20546 				gfp_t gfp)
20547 {
20548 	nl80211_send_mlme_timeout(rdev, netdev, NL80211_CMD_ASSOCIATE,
20549 				  addr, gfp);
20550 }
20551 
20552 void nl80211_send_connect_result(struct cfg80211_registered_device *rdev,
20553 				 struct net_device *netdev,
20554 				 struct cfg80211_connect_resp_params *cr,
20555 				 gfp_t gfp)
20556 {
20557 	struct sk_buff *msg;
20558 	void *hdr;
20559 	unsigned int link;
20560 	size_t link_info_size = 0;
20561 	const u8 *connected_addr = cr->valid_links ?
20562 				   cr->ap_mld_addr : cr->links[0].bssid;
20563 
20564 	if (cr->valid_links) {
20565 		for_each_valid_link(cr, link) {
20566 			/* Nested attribute header */
20567 			link_info_size += NLA_HDRLEN;
20568 			/* Link ID */
20569 			link_info_size += nla_total_size(sizeof(u8));
20570 			link_info_size += cr->links[link].addr ?
20571 					  nla_total_size(ETH_ALEN) : 0;
20572 			link_info_size += (cr->links[link].bssid ||
20573 					   cr->links[link].bss) ?
20574 					  nla_total_size(ETH_ALEN) : 0;
20575 			link_info_size += nla_total_size(sizeof(u16));
20576 		}
20577 	}
20578 
20579 	msg = nlmsg_new(100 + cr->req_ie_len + cr->resp_ie_len +
20580 			cr->fils.kek_len + cr->fils.pmk_len +
20581 			(cr->fils.pmkid ? WLAN_PMKID_LEN : 0) + link_info_size,
20582 			gfp);
20583 	if (!msg)
20584 		return;
20585 
20586 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_CONNECT);
20587 	if (!hdr) {
20588 		nlmsg_free(msg);
20589 		return;
20590 	}
20591 
20592 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
20593 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
20594 	    (connected_addr &&
20595 	     nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, connected_addr)) ||
20596 	    nla_put_u16(msg, NL80211_ATTR_STATUS_CODE,
20597 			cr->status < 0 ? WLAN_STATUS_UNSPECIFIED_FAILURE :
20598 			cr->status) ||
20599 	    (cr->status < 0 &&
20600 	     (nla_put_flag(msg, NL80211_ATTR_TIMED_OUT) ||
20601 	      nla_put_u32(msg, NL80211_ATTR_TIMEOUT_REASON,
20602 			  cr->timeout_reason))) ||
20603 	    (cr->req_ie &&
20604 	     nla_put(msg, NL80211_ATTR_REQ_IE, cr->req_ie_len, cr->req_ie)) ||
20605 	    (cr->resp_ie &&
20606 	     nla_put(msg, NL80211_ATTR_RESP_IE, cr->resp_ie_len,
20607 		     cr->resp_ie)) ||
20608 	    (cr->fils.update_erp_next_seq_num &&
20609 	     nla_put_u16(msg, NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM,
20610 			 cr->fils.erp_next_seq_num)) ||
20611 	    (cr->status == WLAN_STATUS_SUCCESS &&
20612 	     ((cr->fils.kek &&
20613 	       nla_put(msg, NL80211_ATTR_FILS_KEK, cr->fils.kek_len,
20614 		       cr->fils.kek)) ||
20615 	      (cr->fils.pmk &&
20616 	       nla_put(msg, NL80211_ATTR_PMK, cr->fils.pmk_len, cr->fils.pmk)) ||
20617 	      (cr->fils.pmkid &&
20618 	       nla_put(msg, NL80211_ATTR_PMKID, WLAN_PMKID_LEN, cr->fils.pmkid)))))
20619 		goto nla_put_failure;
20620 
20621 	if (cr->valid_links) {
20622 		int i = 1;
20623 		struct nlattr *nested;
20624 
20625 		nested = nla_nest_start(msg, NL80211_ATTR_MLO_LINKS);
20626 		if (!nested)
20627 			goto nla_put_failure;
20628 
20629 		for_each_valid_link(cr, link) {
20630 			struct nlattr *nested_mlo_links;
20631 			const u8 *bssid = cr->links[link].bss ?
20632 					  cr->links[link].bss->bssid :
20633 					  cr->links[link].bssid;
20634 
20635 			nested_mlo_links = nla_nest_start(msg, i);
20636 			if (!nested_mlo_links)
20637 				goto nla_put_failure;
20638 
20639 			if (nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID, link) ||
20640 			    (bssid &&
20641 			     nla_put(msg, NL80211_ATTR_BSSID, ETH_ALEN, bssid)) ||
20642 			    (cr->links[link].addr &&
20643 			     nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN,
20644 				     cr->links[link].addr)) ||
20645 			    nla_put_u16(msg, NL80211_ATTR_STATUS_CODE,
20646 					cr->links[link].status))
20647 				goto nla_put_failure;
20648 
20649 			nla_nest_end(msg, nested_mlo_links);
20650 			i++;
20651 		}
20652 		nla_nest_end(msg, nested);
20653 	}
20654 
20655 	genlmsg_end(msg, hdr);
20656 
20657 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
20658 				NL80211_MCGRP_MLME, gfp);
20659 	return;
20660 
20661  nla_put_failure:
20662 	nlmsg_free(msg);
20663 }
20664 
20665 void nl80211_send_roamed(struct cfg80211_registered_device *rdev,
20666 			 struct net_device *netdev,
20667 			 struct cfg80211_roam_info *info, gfp_t gfp)
20668 {
20669 	struct sk_buff *msg;
20670 	void *hdr;
20671 	size_t link_info_size = 0;
20672 	unsigned int link;
20673 	const u8 *connected_addr = info->ap_mld_addr ?
20674 				   info->ap_mld_addr :
20675 				   (info->links[0].bss ?
20676 				    info->links[0].bss->bssid :
20677 				    info->links[0].bssid);
20678 
20679 	if (info->valid_links) {
20680 		for_each_valid_link(info, link) {
20681 			/* Nested attribute header */
20682 			link_info_size += NLA_HDRLEN;
20683 			/* Link ID */
20684 			link_info_size += nla_total_size(sizeof(u8));
20685 			link_info_size += info->links[link].addr ?
20686 					  nla_total_size(ETH_ALEN) : 0;
20687 			link_info_size += (info->links[link].bssid ||
20688 					   info->links[link].bss) ?
20689 					  nla_total_size(ETH_ALEN) : 0;
20690 		}
20691 	}
20692 
20693 	msg = nlmsg_new(100 + info->req_ie_len + info->resp_ie_len +
20694 			info->fils.kek_len + info->fils.pmk_len +
20695 			(info->fils.pmkid ? WLAN_PMKID_LEN : 0) +
20696 			link_info_size, gfp);
20697 	if (!msg)
20698 		return;
20699 
20700 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_ROAM);
20701 	if (!hdr) {
20702 		nlmsg_free(msg);
20703 		return;
20704 	}
20705 
20706 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
20707 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
20708 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, connected_addr) ||
20709 	    (info->req_ie &&
20710 	     nla_put(msg, NL80211_ATTR_REQ_IE, info->req_ie_len,
20711 		     info->req_ie)) ||
20712 	    (info->resp_ie &&
20713 	     nla_put(msg, NL80211_ATTR_RESP_IE, info->resp_ie_len,
20714 		     info->resp_ie)) ||
20715 	    (info->fils.update_erp_next_seq_num &&
20716 	     nla_put_u16(msg, NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM,
20717 			 info->fils.erp_next_seq_num)) ||
20718 	    (info->fils.kek &&
20719 	     nla_put(msg, NL80211_ATTR_FILS_KEK, info->fils.kek_len,
20720 		     info->fils.kek)) ||
20721 	    (info->fils.pmk &&
20722 	     nla_put(msg, NL80211_ATTR_PMK, info->fils.pmk_len, info->fils.pmk)) ||
20723 	    (info->fils.pmkid &&
20724 	     nla_put(msg, NL80211_ATTR_PMKID, WLAN_PMKID_LEN, info->fils.pmkid)))
20725 		goto nla_put_failure;
20726 
20727 	if (info->valid_links) {
20728 		int i = 1;
20729 		struct nlattr *nested;
20730 
20731 		nested = nla_nest_start(msg, NL80211_ATTR_MLO_LINKS);
20732 		if (!nested)
20733 			goto nla_put_failure;
20734 
20735 		for_each_valid_link(info, link) {
20736 			struct nlattr *nested_mlo_links;
20737 			const u8 *bssid = info->links[link].bss ?
20738 					  info->links[link].bss->bssid :
20739 					  info->links[link].bssid;
20740 
20741 			nested_mlo_links = nla_nest_start(msg, i);
20742 			if (!nested_mlo_links)
20743 				goto nla_put_failure;
20744 
20745 			if (nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID, link) ||
20746 			    (bssid &&
20747 			     nla_put(msg, NL80211_ATTR_BSSID, ETH_ALEN, bssid)) ||
20748 			    (info->links[link].addr &&
20749 			     nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN,
20750 				     info->links[link].addr)))
20751 				goto nla_put_failure;
20752 
20753 			nla_nest_end(msg, nested_mlo_links);
20754 			i++;
20755 		}
20756 		nla_nest_end(msg, nested);
20757 	}
20758 
20759 	genlmsg_end(msg, hdr);
20760 
20761 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
20762 				NL80211_MCGRP_MLME, gfp);
20763 	return;
20764 
20765  nla_put_failure:
20766 	nlmsg_free(msg);
20767 }
20768 
20769 void nl80211_send_port_authorized(struct cfg80211_registered_device *rdev,
20770 				  struct net_device *netdev, const u8 *peer_addr,
20771 				  const u8 *td_bitmap, u8 td_bitmap_len)
20772 {
20773 	struct sk_buff *msg;
20774 	void *hdr;
20775 
20776 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
20777 	if (!msg)
20778 		return;
20779 
20780 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_PORT_AUTHORIZED);
20781 	if (!hdr) {
20782 		nlmsg_free(msg);
20783 		return;
20784 	}
20785 
20786 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
20787 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
20788 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, peer_addr))
20789 		goto nla_put_failure;
20790 
20791 	if (td_bitmap_len > 0 && td_bitmap &&
20792 	    nla_put(msg, NL80211_ATTR_TD_BITMAP, td_bitmap_len, td_bitmap))
20793 		goto nla_put_failure;
20794 
20795 	genlmsg_end(msg, hdr);
20796 
20797 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
20798 				NL80211_MCGRP_MLME, GFP_KERNEL);
20799 	return;
20800 
20801  nla_put_failure:
20802 	nlmsg_free(msg);
20803 }
20804 
20805 void nl80211_send_disconnected(struct cfg80211_registered_device *rdev,
20806 			       struct net_device *netdev, u16 reason,
20807 			       const u8 *ie, size_t ie_len, bool from_ap)
20808 {
20809 	struct sk_buff *msg;
20810 	void *hdr;
20811 
20812 	msg = nlmsg_new(100 + ie_len, GFP_KERNEL);
20813 	if (!msg)
20814 		return;
20815 
20816 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_DISCONNECT);
20817 	if (!hdr) {
20818 		nlmsg_free(msg);
20819 		return;
20820 	}
20821 
20822 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
20823 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
20824 	    (reason &&
20825 	     nla_put_u16(msg, NL80211_ATTR_REASON_CODE, reason)) ||
20826 	    (from_ap &&
20827 	     nla_put_flag(msg, NL80211_ATTR_DISCONNECTED_BY_AP)) ||
20828 	    (ie && nla_put(msg, NL80211_ATTR_IE, ie_len, ie)))
20829 		goto nla_put_failure;
20830 
20831 	genlmsg_end(msg, hdr);
20832 
20833 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
20834 				NL80211_MCGRP_MLME, GFP_KERNEL);
20835 	return;
20836 
20837  nla_put_failure:
20838 	nlmsg_free(msg);
20839 }
20840 
20841 void cfg80211_links_removed(struct net_device *dev, u16 link_mask)
20842 {
20843 	struct wireless_dev *wdev = dev->ieee80211_ptr;
20844 	struct wiphy *wiphy = wdev->wiphy;
20845 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
20846 	struct sk_buff *msg;
20847 	struct nlattr *links;
20848 	void *hdr;
20849 
20850 	lockdep_assert_wiphy(wdev->wiphy);
20851 	trace_cfg80211_links_removed(dev, link_mask);
20852 
20853 	if (WARN_ON(wdev->iftype != NL80211_IFTYPE_STATION &&
20854 		    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT))
20855 		return;
20856 
20857 	if (WARN_ON(!wdev->valid_links || !link_mask ||
20858 		    (wdev->valid_links & link_mask) != link_mask ||
20859 		    wdev->valid_links == link_mask))
20860 		return;
20861 
20862 	cfg80211_wdev_release_link_bsses(wdev, link_mask);
20863 	wdev->valid_links &= ~link_mask;
20864 
20865 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
20866 	if (!msg)
20867 		return;
20868 
20869 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_LINKS_REMOVED);
20870 	if (!hdr) {
20871 		nlmsg_free(msg);
20872 		return;
20873 	}
20874 
20875 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
20876 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
20877 		goto nla_put_failure;
20878 
20879 	links = nla_nest_start(msg, NL80211_ATTR_MLO_LINKS);
20880 	if (!links)
20881 		goto nla_put_failure;
20882 
20883 	while (link_mask) {
20884 		struct nlattr *link;
20885 		int link_id = __ffs(link_mask);
20886 
20887 		link = nla_nest_start(msg, link_id + 1);
20888 		if (!link)
20889 			goto nla_put_failure;
20890 
20891 		if (nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID, link_id))
20892 			goto nla_put_failure;
20893 
20894 		nla_nest_end(msg, link);
20895 		link_mask &= ~(1 << link_id);
20896 	}
20897 
20898 	nla_nest_end(msg, links);
20899 
20900 	genlmsg_end(msg, hdr);
20901 
20902 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
20903 				NL80211_MCGRP_MLME, GFP_KERNEL);
20904 	return;
20905 
20906  nla_put_failure:
20907 	nlmsg_free(msg);
20908 }
20909 EXPORT_SYMBOL(cfg80211_links_removed);
20910 
20911 void nl80211_mlo_reconf_add_done(struct net_device *dev,
20912 				 struct cfg80211_mlo_reconf_done_data *data)
20913 {
20914 	struct wireless_dev *wdev = dev->ieee80211_ptr;
20915 	struct wiphy *wiphy = wdev->wiphy;
20916 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
20917 	struct nl80211_mlme_event event = {
20918 		.cmd = NL80211_CMD_ASSOC_MLO_RECONF,
20919 		.buf = data->buf,
20920 		.buf_len = data->len,
20921 		.uapsd_queues = -1,
20922 	};
20923 
20924 	nl80211_send_mlme_event(rdev, dev, &event, GFP_KERNEL);
20925 }
20926 EXPORT_SYMBOL(nl80211_mlo_reconf_add_done);
20927 
20928 void nl80211_send_ibss_bssid(struct cfg80211_registered_device *rdev,
20929 			     struct net_device *netdev, const u8 *bssid,
20930 			     gfp_t gfp)
20931 {
20932 	struct sk_buff *msg;
20933 	void *hdr;
20934 
20935 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
20936 	if (!msg)
20937 		return;
20938 
20939 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_JOIN_IBSS);
20940 	if (!hdr) {
20941 		nlmsg_free(msg);
20942 		return;
20943 	}
20944 
20945 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
20946 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
20947 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, bssid))
20948 		goto nla_put_failure;
20949 
20950 	genlmsg_end(msg, hdr);
20951 
20952 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
20953 				NL80211_MCGRP_MLME, gfp);
20954 	return;
20955 
20956  nla_put_failure:
20957 	nlmsg_free(msg);
20958 }
20959 
20960 void cfg80211_notify_new_peer_candidate(struct net_device *dev, const u8 *addr,
20961 					const u8 *ie, u8 ie_len,
20962 					int sig_dbm, gfp_t gfp)
20963 {
20964 	struct wireless_dev *wdev = dev->ieee80211_ptr;
20965 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
20966 	struct sk_buff *msg;
20967 	void *hdr;
20968 
20969 	if (WARN_ON(wdev->iftype != NL80211_IFTYPE_MESH_POINT))
20970 		return;
20971 
20972 	trace_cfg80211_notify_new_peer_candidate(dev, addr);
20973 
20974 	msg = nlmsg_new(100 + ie_len, gfp);
20975 	if (!msg)
20976 		return;
20977 
20978 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_NEW_PEER_CANDIDATE);
20979 	if (!hdr) {
20980 		nlmsg_free(msg);
20981 		return;
20982 	}
20983 
20984 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
20985 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
20986 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr) ||
20987 	    (ie_len && ie &&
20988 	     nla_put(msg, NL80211_ATTR_IE, ie_len, ie)) ||
20989 	    (sig_dbm &&
20990 	     nla_put_u32(msg, NL80211_ATTR_RX_SIGNAL_DBM, sig_dbm)))
20991 		goto nla_put_failure;
20992 
20993 	genlmsg_end(msg, hdr);
20994 
20995 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
20996 				NL80211_MCGRP_MLME, gfp);
20997 	return;
20998 
20999  nla_put_failure:
21000 	nlmsg_free(msg);
21001 }
21002 EXPORT_SYMBOL(cfg80211_notify_new_peer_candidate);
21003 
21004 void nl80211_michael_mic_failure(struct cfg80211_registered_device *rdev,
21005 				 struct net_device *netdev, const u8 *addr,
21006 				 enum nl80211_key_type key_type, int key_id,
21007 				 const u8 *tsc, gfp_t gfp)
21008 {
21009 	struct sk_buff *msg;
21010 	void *hdr;
21011 
21012 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
21013 	if (!msg)
21014 		return;
21015 
21016 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_MICHAEL_MIC_FAILURE);
21017 	if (!hdr) {
21018 		nlmsg_free(msg);
21019 		return;
21020 	}
21021 
21022 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
21023 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
21024 	    (addr && nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr)) ||
21025 	    nla_put_u32(msg, NL80211_ATTR_KEY_TYPE, key_type) ||
21026 	    (key_id != -1 &&
21027 	     nla_put_u8(msg, NL80211_ATTR_KEY_IDX, key_id)) ||
21028 	    (tsc && nla_put(msg, NL80211_ATTR_KEY_SEQ, 6, tsc)))
21029 		goto nla_put_failure;
21030 
21031 	genlmsg_end(msg, hdr);
21032 
21033 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
21034 				NL80211_MCGRP_MLME, gfp);
21035 	return;
21036 
21037  nla_put_failure:
21038 	nlmsg_free(msg);
21039 }
21040 
21041 void nl80211_send_beacon_hint_event(struct wiphy *wiphy,
21042 				    struct ieee80211_channel *channel_before,
21043 				    struct ieee80211_channel *channel_after)
21044 {
21045 	struct sk_buff *msg;
21046 	void *hdr;
21047 	struct nlattr *nl_freq;
21048 
21049 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_ATOMIC);
21050 	if (!msg)
21051 		return;
21052 
21053 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_REG_BEACON_HINT);
21054 	if (!hdr) {
21055 		nlmsg_free(msg);
21056 		return;
21057 	}
21058 
21059 	/*
21060 	 * Since we are applying the beacon hint to a wiphy we know its
21061 	 * wiphy_idx is valid
21062 	 */
21063 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, get_wiphy_idx(wiphy)))
21064 		goto nla_put_failure;
21065 
21066 	/* Before */
21067 	nl_freq = nla_nest_start_noflag(msg, NL80211_ATTR_FREQ_BEFORE);
21068 	if (!nl_freq)
21069 		goto nla_put_failure;
21070 
21071 	if (nl80211_msg_put_channel(msg, wiphy, channel_before, false))
21072 		goto nla_put_failure;
21073 	nla_nest_end(msg, nl_freq);
21074 
21075 	/* After */
21076 	nl_freq = nla_nest_start_noflag(msg, NL80211_ATTR_FREQ_AFTER);
21077 	if (!nl_freq)
21078 		goto nla_put_failure;
21079 
21080 	if (nl80211_msg_put_channel(msg, wiphy, channel_after, false))
21081 		goto nla_put_failure;
21082 	nla_nest_end(msg, nl_freq);
21083 
21084 	genlmsg_end(msg, hdr);
21085 
21086 	genlmsg_multicast_allns(&nl80211_fam, msg, 0,
21087 				NL80211_MCGRP_REGULATORY);
21088 
21089 	return;
21090 
21091 nla_put_failure:
21092 	nlmsg_free(msg);
21093 }
21094 
21095 static void nl80211_send_remain_on_chan_event(
21096 	int cmd, struct cfg80211_registered_device *rdev,
21097 	struct wireless_dev *wdev, u64 cookie,
21098 	struct ieee80211_channel *chan,
21099 	unsigned int duration, gfp_t gfp)
21100 {
21101 	struct sk_buff *msg;
21102 	void *hdr;
21103 
21104 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
21105 	if (!msg)
21106 		return;
21107 
21108 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
21109 	if (!hdr) {
21110 		nlmsg_free(msg);
21111 		return;
21112 	}
21113 
21114 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
21115 	    (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
21116 					 wdev->netdev->ifindex)) ||
21117 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
21118 			      NL80211_ATTR_PAD) ||
21119 	    nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ, chan->center_freq) ||
21120 	    nla_put_u32(msg, NL80211_ATTR_WIPHY_CHANNEL_TYPE,
21121 			NL80211_CHAN_NO_HT) ||
21122 	    nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
21123 			      NL80211_ATTR_PAD))
21124 		goto nla_put_failure;
21125 
21126 	if (cmd == NL80211_CMD_REMAIN_ON_CHANNEL &&
21127 	    nla_put_u32(msg, NL80211_ATTR_DURATION, duration))
21128 		goto nla_put_failure;
21129 
21130 	genlmsg_end(msg, hdr);
21131 
21132 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
21133 				NL80211_MCGRP_MLME, gfp);
21134 	return;
21135 
21136  nla_put_failure:
21137 	nlmsg_free(msg);
21138 }
21139 
21140 void cfg80211_assoc_comeback(struct net_device *netdev,
21141 			     const u8 *ap_addr, u32 timeout)
21142 {
21143 	struct wireless_dev *wdev = netdev->ieee80211_ptr;
21144 	struct wiphy *wiphy = wdev->wiphy;
21145 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
21146 	struct sk_buff *msg;
21147 	void *hdr;
21148 
21149 	trace_cfg80211_assoc_comeback(wdev, ap_addr, timeout);
21150 
21151 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
21152 	if (!msg)
21153 		return;
21154 
21155 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_ASSOC_COMEBACK);
21156 	if (!hdr) {
21157 		nlmsg_free(msg);
21158 		return;
21159 	}
21160 
21161 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
21162 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
21163 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, ap_addr) ||
21164 	    nla_put_u32(msg, NL80211_ATTR_TIMEOUT, timeout))
21165 		goto nla_put_failure;
21166 
21167 	genlmsg_end(msg, hdr);
21168 
21169 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
21170 				NL80211_MCGRP_MLME, GFP_KERNEL);
21171 	return;
21172 
21173  nla_put_failure:
21174 	nlmsg_free(msg);
21175 }
21176 EXPORT_SYMBOL(cfg80211_assoc_comeback);
21177 
21178 void cfg80211_ready_on_channel(struct wireless_dev *wdev, u64 cookie,
21179 			       struct ieee80211_channel *chan,
21180 			       unsigned int duration, gfp_t gfp)
21181 {
21182 	struct wiphy *wiphy = wdev->wiphy;
21183 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
21184 
21185 	trace_cfg80211_ready_on_channel(wdev, cookie, chan, duration);
21186 	nl80211_send_remain_on_chan_event(NL80211_CMD_REMAIN_ON_CHANNEL,
21187 					  rdev, wdev, cookie, chan,
21188 					  duration, gfp);
21189 }
21190 EXPORT_SYMBOL(cfg80211_ready_on_channel);
21191 
21192 void cfg80211_remain_on_channel_expired(struct wireless_dev *wdev, u64 cookie,
21193 					struct ieee80211_channel *chan,
21194 					gfp_t gfp)
21195 {
21196 	struct wiphy *wiphy = wdev->wiphy;
21197 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
21198 
21199 	trace_cfg80211_ready_on_channel_expired(wdev, cookie, chan);
21200 	nl80211_send_remain_on_chan_event(NL80211_CMD_CANCEL_REMAIN_ON_CHANNEL,
21201 					  rdev, wdev, cookie, chan, 0, gfp);
21202 }
21203 EXPORT_SYMBOL(cfg80211_remain_on_channel_expired);
21204 
21205 void cfg80211_tx_mgmt_expired(struct wireless_dev *wdev, u64 cookie,
21206 					struct ieee80211_channel *chan,
21207 					gfp_t gfp)
21208 {
21209 	struct wiphy *wiphy = wdev->wiphy;
21210 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
21211 
21212 	trace_cfg80211_tx_mgmt_expired(wdev, cookie, chan);
21213 	nl80211_send_remain_on_chan_event(NL80211_CMD_FRAME_WAIT_CANCEL,
21214 					  rdev, wdev, cookie, chan, 0, gfp);
21215 }
21216 EXPORT_SYMBOL(cfg80211_tx_mgmt_expired);
21217 
21218 void cfg80211_new_sta(struct wireless_dev *wdev, const u8 *mac_addr,
21219 		      struct station_info *sinfo, gfp_t gfp)
21220 {
21221 	struct wiphy *wiphy = wdev->wiphy;
21222 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
21223 	struct sk_buff *msg;
21224 
21225 	trace_cfg80211_new_sta(wdev, mac_addr, sinfo);
21226 
21227 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
21228 	if (!msg)
21229 		return;
21230 
21231 	if (nl80211_send_station(msg, NL80211_CMD_NEW_STATION, 0, 0, 0,
21232 				 rdev, wdev, mac_addr, sinfo, false) < 0) {
21233 		nlmsg_free(msg);
21234 		return;
21235 	}
21236 
21237 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
21238 				NL80211_MCGRP_MLME, gfp);
21239 }
21240 EXPORT_SYMBOL(cfg80211_new_sta);
21241 
21242 void cfg80211_del_sta_sinfo(struct wireless_dev *wdev, const u8 *mac_addr,
21243 			    struct station_info *sinfo, gfp_t gfp)
21244 {
21245 	struct wiphy *wiphy = wdev->wiphy;
21246 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
21247 	struct sk_buff *msg;
21248 	struct station_info empty_sinfo = {};
21249 
21250 	if (!sinfo)
21251 		sinfo = &empty_sinfo;
21252 
21253 	trace_cfg80211_del_sta(wdev, mac_addr);
21254 
21255 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
21256 	if (!msg) {
21257 		cfg80211_sinfo_release_content(sinfo);
21258 		return;
21259 	}
21260 
21261 	if (nl80211_send_station(msg, NL80211_CMD_DEL_STATION, 0, 0, 0,
21262 				 rdev, wdev, mac_addr, sinfo, false) < 0) {
21263 		nlmsg_free(msg);
21264 		return;
21265 	}
21266 
21267 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
21268 				NL80211_MCGRP_MLME, gfp);
21269 }
21270 EXPORT_SYMBOL(cfg80211_del_sta_sinfo);
21271 
21272 void cfg80211_conn_failed(struct net_device *dev, const u8 *mac_addr,
21273 			  enum nl80211_connect_failed_reason reason,
21274 			  gfp_t gfp)
21275 {
21276 	struct wiphy *wiphy = dev->ieee80211_ptr->wiphy;
21277 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
21278 	struct sk_buff *msg;
21279 	void *hdr;
21280 
21281 	msg = nlmsg_new(NLMSG_GOODSIZE, gfp);
21282 	if (!msg)
21283 		return;
21284 
21285 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_CONN_FAILED);
21286 	if (!hdr) {
21287 		nlmsg_free(msg);
21288 		return;
21289 	}
21290 
21291 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
21292 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac_addr) ||
21293 	    nla_put_u32(msg, NL80211_ATTR_CONN_FAILED_REASON, reason))
21294 		goto nla_put_failure;
21295 
21296 	genlmsg_end(msg, hdr);
21297 
21298 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
21299 				NL80211_MCGRP_MLME, gfp);
21300 	return;
21301 
21302  nla_put_failure:
21303 	nlmsg_free(msg);
21304 }
21305 EXPORT_SYMBOL(cfg80211_conn_failed);
21306 
21307 static bool __nl80211_unexpected_frame(struct net_device *dev, u8 cmd,
21308 				       const u8 *addr, int link_id, gfp_t gfp)
21309 {
21310 	struct wireless_dev *wdev = dev->ieee80211_ptr;
21311 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
21312 	struct sk_buff *msg;
21313 	void *hdr;
21314 	u32 nlportid = READ_ONCE(wdev->unexpected_nlportid);
21315 
21316 	if (!nlportid)
21317 		return false;
21318 
21319 	msg = nlmsg_new(100, gfp);
21320 	if (!msg)
21321 		return true;
21322 
21323 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
21324 	if (!hdr) {
21325 		nlmsg_free(msg);
21326 		return true;
21327 	}
21328 
21329 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
21330 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
21331 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr) ||
21332 	    (link_id >= 0 &&
21333 	     nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID, link_id)))
21334 		goto nla_put_failure;
21335 
21336 	genlmsg_end(msg, hdr);
21337 	genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, nlportid);
21338 	return true;
21339 
21340  nla_put_failure:
21341 	nlmsg_free(msg);
21342 	return true;
21343 }
21344 
21345 bool cfg80211_rx_spurious_frame(struct net_device *dev, const u8 *addr,
21346 				int link_id, gfp_t gfp)
21347 {
21348 	struct wireless_dev *wdev = dev->ieee80211_ptr;
21349 	bool ret;
21350 
21351 	trace_cfg80211_rx_spurious_frame(dev, addr, link_id);
21352 
21353 	if (WARN_ON(wdev->iftype != NL80211_IFTYPE_AP &&
21354 		    wdev->iftype != NL80211_IFTYPE_P2P_GO &&
21355 		    wdev->iftype != NL80211_IFTYPE_NAN_DATA)) {
21356 		trace_cfg80211_return_bool(false);
21357 		return false;
21358 	}
21359 	ret = __nl80211_unexpected_frame(dev, NL80211_CMD_UNEXPECTED_FRAME,
21360 					 addr, link_id, gfp);
21361 	trace_cfg80211_return_bool(ret);
21362 	return ret;
21363 }
21364 EXPORT_SYMBOL(cfg80211_rx_spurious_frame);
21365 
21366 bool cfg80211_rx_unexpected_4addr_frame(struct net_device *dev, const u8 *addr,
21367 					int link_id, gfp_t gfp)
21368 {
21369 	struct wireless_dev *wdev = dev->ieee80211_ptr;
21370 	bool ret;
21371 
21372 	trace_cfg80211_rx_unexpected_4addr_frame(dev, addr, link_id);
21373 
21374 	if (WARN_ON(wdev->iftype != NL80211_IFTYPE_AP &&
21375 		    wdev->iftype != NL80211_IFTYPE_P2P_GO &&
21376 		    wdev->iftype != NL80211_IFTYPE_AP_VLAN)) {
21377 		trace_cfg80211_return_bool(false);
21378 		return false;
21379 	}
21380 	ret = __nl80211_unexpected_frame(dev,
21381 					 NL80211_CMD_UNEXPECTED_4ADDR_FRAME,
21382 					 addr, link_id, gfp);
21383 	trace_cfg80211_return_bool(ret);
21384 	return ret;
21385 }
21386 EXPORT_SYMBOL(cfg80211_rx_unexpected_4addr_frame);
21387 
21388 int nl80211_send_mgmt(struct cfg80211_registered_device *rdev,
21389 		      struct wireless_dev *wdev, u32 nlportid,
21390 		      struct cfg80211_rx_info *info, gfp_t gfp)
21391 {
21392 	struct net_device *netdev = wdev->netdev;
21393 	struct sk_buff *msg;
21394 	void *hdr;
21395 
21396 	msg = nlmsg_new(100 + info->len, gfp);
21397 	if (!msg)
21398 		return -ENOMEM;
21399 
21400 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_FRAME);
21401 	if (!hdr) {
21402 		nlmsg_free(msg);
21403 		return -ENOMEM;
21404 	}
21405 
21406 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
21407 	    (netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
21408 					netdev->ifindex)) ||
21409 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
21410 			      NL80211_ATTR_PAD) ||
21411 	    (info->have_link_id &&
21412 	     nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID, info->link_id)) ||
21413 	    nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ, KHZ_TO_MHZ(info->freq)) ||
21414 	    nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ_OFFSET, info->freq % 1000) ||
21415 	    (info->sig_dbm &&
21416 	     nla_put_u32(msg, NL80211_ATTR_RX_SIGNAL_DBM, info->sig_dbm)) ||
21417 	    nla_put(msg, NL80211_ATTR_FRAME, info->len, info->buf) ||
21418 	    (info->flags &&
21419 	     nla_put_u32(msg, NL80211_ATTR_RXMGMT_FLAGS, info->flags)) ||
21420 	    (info->rx_tstamp && nla_put_u64_64bit(msg,
21421 						  NL80211_ATTR_RX_HW_TIMESTAMP,
21422 						  info->rx_tstamp,
21423 						  NL80211_ATTR_PAD)) ||
21424 	    (info->ack_tstamp && nla_put_u64_64bit(msg,
21425 						   NL80211_ATTR_TX_HW_TIMESTAMP,
21426 						   info->ack_tstamp,
21427 						   NL80211_ATTR_PAD)))
21428 		goto nla_put_failure;
21429 
21430 	genlmsg_end(msg, hdr);
21431 
21432 	return genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, nlportid);
21433 
21434  nla_put_failure:
21435 	nlmsg_free(msg);
21436 	return -ENOBUFS;
21437 }
21438 
21439 static void nl80211_frame_tx_status(struct wireless_dev *wdev,
21440 				    struct cfg80211_tx_status *status,
21441 				    gfp_t gfp, enum nl80211_commands command)
21442 {
21443 	struct wiphy *wiphy = wdev->wiphy;
21444 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
21445 	struct net_device *netdev = wdev->netdev;
21446 	struct sk_buff *msg;
21447 	void *hdr;
21448 
21449 	if (command == NL80211_CMD_FRAME_TX_STATUS)
21450 		trace_cfg80211_mgmt_tx_status(wdev, status->cookie,
21451 					      status->ack);
21452 	else
21453 		trace_cfg80211_control_port_tx_status(wdev, status->cookie,
21454 						      status->ack);
21455 
21456 	msg = nlmsg_new(100 + status->len, gfp);
21457 	if (!msg)
21458 		return;
21459 
21460 	hdr = nl80211hdr_put(msg, 0, 0, 0, command);
21461 	if (!hdr) {
21462 		nlmsg_free(msg);
21463 		return;
21464 	}
21465 
21466 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
21467 	    (netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
21468 				   netdev->ifindex)) ||
21469 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
21470 			      NL80211_ATTR_PAD) ||
21471 	    nla_put(msg, NL80211_ATTR_FRAME, status->len, status->buf) ||
21472 	    nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, status->cookie,
21473 			      NL80211_ATTR_PAD) ||
21474 	    (status->ack && nla_put_flag(msg, NL80211_ATTR_ACK)) ||
21475 	    (status->tx_tstamp &&
21476 	     nla_put_u64_64bit(msg, NL80211_ATTR_TX_HW_TIMESTAMP,
21477 			       status->tx_tstamp, NL80211_ATTR_PAD)) ||
21478 	    (status->ack_tstamp &&
21479 	     nla_put_u64_64bit(msg, NL80211_ATTR_RX_HW_TIMESTAMP,
21480 			       status->ack_tstamp, NL80211_ATTR_PAD)))
21481 		goto nla_put_failure;
21482 
21483 	genlmsg_end(msg, hdr);
21484 
21485 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
21486 				NL80211_MCGRP_MLME, gfp);
21487 	return;
21488 
21489 nla_put_failure:
21490 	nlmsg_free(msg);
21491 }
21492 
21493 void cfg80211_control_port_tx_status(struct wireless_dev *wdev, u64 cookie,
21494 				     const u8 *buf, size_t len, bool ack,
21495 				     gfp_t gfp)
21496 {
21497 	struct cfg80211_tx_status status = {
21498 		.cookie = cookie,
21499 		.buf = buf,
21500 		.len = len,
21501 		.ack = ack
21502 	};
21503 
21504 	nl80211_frame_tx_status(wdev, &status, gfp,
21505 				NL80211_CMD_CONTROL_PORT_FRAME_TX_STATUS);
21506 }
21507 EXPORT_SYMBOL(cfg80211_control_port_tx_status);
21508 
21509 void cfg80211_mgmt_tx_status_ext(struct wireless_dev *wdev,
21510 				 struct cfg80211_tx_status *status, gfp_t gfp)
21511 {
21512 	nl80211_frame_tx_status(wdev, status, gfp, NL80211_CMD_FRAME_TX_STATUS);
21513 }
21514 EXPORT_SYMBOL(cfg80211_mgmt_tx_status_ext);
21515 
21516 static int __nl80211_rx_control_port(struct net_device *dev,
21517 				     struct sk_buff *skb,
21518 				     bool unencrypted,
21519 				     int link_id,
21520 				     gfp_t gfp)
21521 {
21522 	struct wireless_dev *wdev = dev->ieee80211_ptr;
21523 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
21524 	struct ethhdr *ehdr = eth_hdr(skb);
21525 	const u8 *addr = ehdr->h_source;
21526 	u16 proto = be16_to_cpu(skb->protocol);
21527 	struct sk_buff *msg;
21528 	void *hdr;
21529 	struct nlattr *frame;
21530 
21531 	u32 nlportid = READ_ONCE(wdev->conn_owner_nlportid);
21532 
21533 	if (!nlportid)
21534 		return -ENOENT;
21535 
21536 	msg = nlmsg_new(100 + skb->len, gfp);
21537 	if (!msg)
21538 		return -ENOMEM;
21539 
21540 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_CONTROL_PORT_FRAME);
21541 	if (!hdr) {
21542 		nlmsg_free(msg);
21543 		return -ENOBUFS;
21544 	}
21545 
21546 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
21547 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
21548 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
21549 			      NL80211_ATTR_PAD) ||
21550 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr) ||
21551 	    nla_put_u16(msg, NL80211_ATTR_CONTROL_PORT_ETHERTYPE, proto) ||
21552 	    (link_id >= 0 &&
21553 	     nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID, link_id)) ||
21554 	    (unencrypted && nla_put_flag(msg,
21555 					 NL80211_ATTR_CONTROL_PORT_NO_ENCRYPT)))
21556 		goto nla_put_failure;
21557 
21558 	frame = nla_reserve(msg, NL80211_ATTR_FRAME, skb->len);
21559 	if (!frame)
21560 		goto nla_put_failure;
21561 
21562 	skb_copy_bits(skb, 0, nla_data(frame), skb->len);
21563 	genlmsg_end(msg, hdr);
21564 
21565 	return genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, nlportid);
21566 
21567  nla_put_failure:
21568 	nlmsg_free(msg);
21569 	return -ENOBUFS;
21570 }
21571 
21572 bool cfg80211_rx_control_port(struct net_device *dev, struct sk_buff *skb,
21573 			      bool unencrypted, int link_id)
21574 {
21575 	int ret;
21576 
21577 	trace_cfg80211_rx_control_port(dev, skb, unencrypted, link_id);
21578 	ret = __nl80211_rx_control_port(dev, skb, unencrypted, link_id,
21579 					GFP_ATOMIC);
21580 	trace_cfg80211_return_bool(ret == 0);
21581 	return ret == 0;
21582 }
21583 EXPORT_SYMBOL(cfg80211_rx_control_port);
21584 
21585 static struct sk_buff *cfg80211_prepare_cqm(struct net_device *dev,
21586 					    const char *mac, gfp_t gfp)
21587 {
21588 	struct wireless_dev *wdev = dev->ieee80211_ptr;
21589 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
21590 	struct sk_buff *msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
21591 	void **cb;
21592 
21593 	if (!msg)
21594 		return NULL;
21595 
21596 	cb = (void **)msg->cb;
21597 
21598 	cb[0] = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_NOTIFY_CQM);
21599 	if (!cb[0]) {
21600 		nlmsg_free(msg);
21601 		return NULL;
21602 	}
21603 
21604 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
21605 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
21606 		goto nla_put_failure;
21607 
21608 	if (mac && nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac))
21609 		goto nla_put_failure;
21610 
21611 	cb[1] = nla_nest_start_noflag(msg, NL80211_ATTR_CQM);
21612 	if (!cb[1])
21613 		goto nla_put_failure;
21614 
21615 	cb[2] = rdev;
21616 
21617 	return msg;
21618  nla_put_failure:
21619 	nlmsg_free(msg);
21620 	return NULL;
21621 }
21622 
21623 static void cfg80211_send_cqm(struct sk_buff *msg, gfp_t gfp)
21624 {
21625 	void **cb = (void **)msg->cb;
21626 	struct cfg80211_registered_device *rdev = cb[2];
21627 
21628 	nla_nest_end(msg, cb[1]);
21629 	genlmsg_end(msg, cb[0]);
21630 
21631 	memset(msg->cb, 0, sizeof(msg->cb));
21632 
21633 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
21634 				NL80211_MCGRP_MLME, gfp);
21635 }
21636 
21637 void cfg80211_cqm_rssi_notify(struct net_device *dev,
21638 			      enum nl80211_cqm_rssi_threshold_event rssi_event,
21639 			      s32 rssi_level, gfp_t gfp)
21640 {
21641 	struct wireless_dev *wdev = dev->ieee80211_ptr;
21642 	struct cfg80211_cqm_config *cqm_config;
21643 
21644 	trace_cfg80211_cqm_rssi_notify(dev, rssi_event, rssi_level);
21645 
21646 	if (WARN_ON(rssi_event != NL80211_CQM_RSSI_THRESHOLD_EVENT_LOW &&
21647 		    rssi_event != NL80211_CQM_RSSI_THRESHOLD_EVENT_HIGH))
21648 		return;
21649 
21650 	rcu_read_lock();
21651 	cqm_config = rcu_dereference(wdev->cqm_config);
21652 	if (cqm_config) {
21653 		cqm_config->last_rssi_event_value = rssi_level;
21654 		cqm_config->last_rssi_event_type = rssi_event;
21655 		wiphy_work_queue(wdev->wiphy, &wdev->cqm_rssi_work);
21656 	}
21657 	rcu_read_unlock();
21658 }
21659 EXPORT_SYMBOL(cfg80211_cqm_rssi_notify);
21660 
21661 void cfg80211_cqm_rssi_notify_work(struct wiphy *wiphy, struct wiphy_work *work)
21662 {
21663 	struct wireless_dev *wdev = container_of(work, struct wireless_dev,
21664 						 cqm_rssi_work);
21665 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
21666 	enum nl80211_cqm_rssi_threshold_event rssi_event;
21667 	struct cfg80211_cqm_config *cqm_config;
21668 	struct sk_buff *msg;
21669 	s32 rssi_level;
21670 
21671 	cqm_config = wiphy_dereference(wdev->wiphy, wdev->cqm_config);
21672 	if (!cqm_config)
21673 		return;
21674 
21675 	if (cqm_config->use_range_api)
21676 		cfg80211_cqm_rssi_update(rdev, wdev->netdev, cqm_config);
21677 
21678 	rssi_level = cqm_config->last_rssi_event_value;
21679 	rssi_event = cqm_config->last_rssi_event_type;
21680 
21681 	msg = cfg80211_prepare_cqm(wdev->netdev, NULL, GFP_KERNEL);
21682 	if (!msg)
21683 		return;
21684 
21685 	if (nla_put_u32(msg, NL80211_ATTR_CQM_RSSI_THRESHOLD_EVENT,
21686 			rssi_event))
21687 		goto nla_put_failure;
21688 
21689 	if (rssi_level && nla_put_s32(msg, NL80211_ATTR_CQM_RSSI_LEVEL,
21690 				      rssi_level))
21691 		goto nla_put_failure;
21692 
21693 	cfg80211_send_cqm(msg, GFP_KERNEL);
21694 
21695 	return;
21696 
21697  nla_put_failure:
21698 	nlmsg_free(msg);
21699 }
21700 
21701 void cfg80211_cqm_txe_notify(struct net_device *dev,
21702 			     const u8 *peer, u32 num_packets,
21703 			     u32 rate, u32 intvl, gfp_t gfp)
21704 {
21705 	struct sk_buff *msg;
21706 
21707 	msg = cfg80211_prepare_cqm(dev, peer, gfp);
21708 	if (!msg)
21709 		return;
21710 
21711 	if (nla_put_u32(msg, NL80211_ATTR_CQM_TXE_PKTS, num_packets))
21712 		goto nla_put_failure;
21713 
21714 	if (nla_put_u32(msg, NL80211_ATTR_CQM_TXE_RATE, rate))
21715 		goto nla_put_failure;
21716 
21717 	if (nla_put_u32(msg, NL80211_ATTR_CQM_TXE_INTVL, intvl))
21718 		goto nla_put_failure;
21719 
21720 	cfg80211_send_cqm(msg, gfp);
21721 	return;
21722 
21723  nla_put_failure:
21724 	nlmsg_free(msg);
21725 }
21726 EXPORT_SYMBOL(cfg80211_cqm_txe_notify);
21727 
21728 void cfg80211_cqm_pktloss_notify(struct net_device *dev,
21729 				 const u8 *peer, u32 num_packets, gfp_t gfp)
21730 {
21731 	struct sk_buff *msg;
21732 
21733 	trace_cfg80211_cqm_pktloss_notify(dev, peer, num_packets);
21734 
21735 	msg = cfg80211_prepare_cqm(dev, peer, gfp);
21736 	if (!msg)
21737 		return;
21738 
21739 	if (nla_put_u32(msg, NL80211_ATTR_CQM_PKT_LOSS_EVENT, num_packets))
21740 		goto nla_put_failure;
21741 
21742 	cfg80211_send_cqm(msg, gfp);
21743 	return;
21744 
21745  nla_put_failure:
21746 	nlmsg_free(msg);
21747 }
21748 EXPORT_SYMBOL(cfg80211_cqm_pktloss_notify);
21749 
21750 void cfg80211_cqm_beacon_loss_notify(struct net_device *dev, gfp_t gfp)
21751 {
21752 	struct sk_buff *msg;
21753 
21754 	msg = cfg80211_prepare_cqm(dev, NULL, gfp);
21755 	if (!msg)
21756 		return;
21757 
21758 	if (nla_put_flag(msg, NL80211_ATTR_CQM_BEACON_LOSS_EVENT))
21759 		goto nla_put_failure;
21760 
21761 	cfg80211_send_cqm(msg, gfp);
21762 	return;
21763 
21764  nla_put_failure:
21765 	nlmsg_free(msg);
21766 }
21767 EXPORT_SYMBOL(cfg80211_cqm_beacon_loss_notify);
21768 
21769 static void nl80211_gtk_rekey_notify(struct cfg80211_registered_device *rdev,
21770 				     struct net_device *netdev, const u8 *bssid,
21771 				     const u8 *replay_ctr, gfp_t gfp)
21772 {
21773 	struct sk_buff *msg;
21774 	struct nlattr *rekey_attr;
21775 	void *hdr;
21776 
21777 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
21778 	if (!msg)
21779 		return;
21780 
21781 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_SET_REKEY_OFFLOAD);
21782 	if (!hdr) {
21783 		nlmsg_free(msg);
21784 		return;
21785 	}
21786 
21787 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
21788 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
21789 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, bssid))
21790 		goto nla_put_failure;
21791 
21792 	rekey_attr = nla_nest_start_noflag(msg, NL80211_ATTR_REKEY_DATA);
21793 	if (!rekey_attr)
21794 		goto nla_put_failure;
21795 
21796 	if (nla_put(msg, NL80211_REKEY_DATA_REPLAY_CTR,
21797 		    NL80211_REPLAY_CTR_LEN, replay_ctr))
21798 		goto nla_put_failure;
21799 
21800 	nla_nest_end(msg, rekey_attr);
21801 
21802 	genlmsg_end(msg, hdr);
21803 
21804 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
21805 				NL80211_MCGRP_MLME, gfp);
21806 	return;
21807 
21808  nla_put_failure:
21809 	nlmsg_free(msg);
21810 }
21811 
21812 void cfg80211_gtk_rekey_notify(struct net_device *dev, const u8 *bssid,
21813 			       const u8 *replay_ctr, gfp_t gfp)
21814 {
21815 	struct wireless_dev *wdev = dev->ieee80211_ptr;
21816 	struct wiphy *wiphy = wdev->wiphy;
21817 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
21818 
21819 	trace_cfg80211_gtk_rekey_notify(dev, bssid);
21820 	nl80211_gtk_rekey_notify(rdev, dev, bssid, replay_ctr, gfp);
21821 }
21822 EXPORT_SYMBOL(cfg80211_gtk_rekey_notify);
21823 
21824 static void
21825 nl80211_pmksa_candidate_notify(struct cfg80211_registered_device *rdev,
21826 			       struct net_device *netdev, int index,
21827 			       const u8 *bssid, bool preauth, gfp_t gfp)
21828 {
21829 	struct sk_buff *msg;
21830 	struct nlattr *attr;
21831 	void *hdr;
21832 
21833 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
21834 	if (!msg)
21835 		return;
21836 
21837 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_PMKSA_CANDIDATE);
21838 	if (!hdr) {
21839 		nlmsg_free(msg);
21840 		return;
21841 	}
21842 
21843 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
21844 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex))
21845 		goto nla_put_failure;
21846 
21847 	attr = nla_nest_start_noflag(msg, NL80211_ATTR_PMKSA_CANDIDATE);
21848 	if (!attr)
21849 		goto nla_put_failure;
21850 
21851 	if (nla_put_u32(msg, NL80211_PMKSA_CANDIDATE_INDEX, index) ||
21852 	    nla_put(msg, NL80211_PMKSA_CANDIDATE_BSSID, ETH_ALEN, bssid) ||
21853 	    (preauth &&
21854 	     nla_put_flag(msg, NL80211_PMKSA_CANDIDATE_PREAUTH)))
21855 		goto nla_put_failure;
21856 
21857 	nla_nest_end(msg, attr);
21858 
21859 	genlmsg_end(msg, hdr);
21860 
21861 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
21862 				NL80211_MCGRP_MLME, gfp);
21863 	return;
21864 
21865  nla_put_failure:
21866 	nlmsg_free(msg);
21867 }
21868 
21869 void cfg80211_pmksa_candidate_notify(struct net_device *dev, int index,
21870 				     const u8 *bssid, bool preauth, gfp_t gfp)
21871 {
21872 	struct wireless_dev *wdev = dev->ieee80211_ptr;
21873 	struct wiphy *wiphy = wdev->wiphy;
21874 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
21875 
21876 	trace_cfg80211_pmksa_candidate_notify(dev, index, bssid, preauth);
21877 	nl80211_pmksa_candidate_notify(rdev, dev, index, bssid, preauth, gfp);
21878 }
21879 EXPORT_SYMBOL(cfg80211_pmksa_candidate_notify);
21880 
21881 static void nl80211_ch_switch_notify(struct cfg80211_registered_device *rdev,
21882 				     struct net_device *netdev,
21883 				     unsigned int link_id,
21884 				     struct cfg80211_chan_def *chandef,
21885 				     gfp_t gfp,
21886 				     enum nl80211_commands notif,
21887 				     u8 count, bool quiet)
21888 {
21889 	struct wireless_dev *wdev = netdev->ieee80211_ptr;
21890 	struct sk_buff *msg;
21891 	void *hdr;
21892 
21893 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
21894 	if (!msg)
21895 		return;
21896 
21897 	hdr = nl80211hdr_put(msg, 0, 0, 0, notif);
21898 	if (!hdr) {
21899 		nlmsg_free(msg);
21900 		return;
21901 	}
21902 
21903 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex))
21904 		goto nla_put_failure;
21905 
21906 	if (wdev->valid_links &&
21907 	    nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID, link_id))
21908 		goto nla_put_failure;
21909 
21910 	if (nl80211_send_chandef(msg, chandef))
21911 		goto nla_put_failure;
21912 
21913 	if (notif == NL80211_CMD_CH_SWITCH_STARTED_NOTIFY) {
21914 		if (nla_put_u32(msg, NL80211_ATTR_CH_SWITCH_COUNT, count))
21915 			goto nla_put_failure;
21916 		if (quiet &&
21917 		    nla_put_flag(msg, NL80211_ATTR_CH_SWITCH_BLOCK_TX))
21918 			goto nla_put_failure;
21919 	}
21920 
21921 	genlmsg_end(msg, hdr);
21922 
21923 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
21924 				NL80211_MCGRP_MLME, gfp);
21925 	return;
21926 
21927  nla_put_failure:
21928 	nlmsg_free(msg);
21929 }
21930 
21931 void cfg80211_ch_switch_notify(struct net_device *dev,
21932 			       struct cfg80211_chan_def *chandef,
21933 			       unsigned int link_id)
21934 {
21935 	struct wireless_dev *wdev = dev->ieee80211_ptr;
21936 	struct wiphy *wiphy = wdev->wiphy;
21937 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
21938 
21939 	lockdep_assert_wiphy(wdev->wiphy);
21940 	WARN_INVALID_LINK_ID(wdev, link_id);
21941 
21942 	trace_cfg80211_ch_switch_notify(dev, chandef, link_id);
21943 
21944 	switch (wdev->iftype) {
21945 	case NL80211_IFTYPE_STATION:
21946 	case NL80211_IFTYPE_P2P_CLIENT:
21947 		if (!WARN_ON(!wdev->links[link_id].client.current_bss))
21948 			cfg80211_update_assoc_bss_entry(wdev, link_id,
21949 							chandef->chan);
21950 		break;
21951 	case NL80211_IFTYPE_MESH_POINT:
21952 		wdev->u.mesh.chandef = *chandef;
21953 		wdev->u.mesh.preset_chandef = *chandef;
21954 		break;
21955 	case NL80211_IFTYPE_AP:
21956 	case NL80211_IFTYPE_P2P_GO:
21957 		wdev->links[link_id].ap.chandef = *chandef;
21958 		break;
21959 	case NL80211_IFTYPE_ADHOC:
21960 		wdev->u.ibss.chandef = *chandef;
21961 		break;
21962 	default:
21963 		WARN_ON(1);
21964 		break;
21965 	}
21966 
21967 	cfg80211_schedule_channels_check(wdev);
21968 	cfg80211_sched_dfs_chan_update(rdev);
21969 
21970 	nl80211_ch_switch_notify(rdev, dev, link_id, chandef, GFP_KERNEL,
21971 				 NL80211_CMD_CH_SWITCH_NOTIFY, 0, false);
21972 }
21973 EXPORT_SYMBOL(cfg80211_ch_switch_notify);
21974 
21975 void cfg80211_incumbent_signal_notify(struct wiphy *wiphy,
21976 				      const struct cfg80211_chan_def *chandef,
21977 				      u32 signal_interference_bitmap,
21978 				      gfp_t gfp)
21979 {
21980 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
21981 	struct sk_buff *msg;
21982 	void *hdr;
21983 
21984 	trace_cfg80211_incumbent_signal_notify(wiphy, chandef, signal_interference_bitmap);
21985 
21986 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
21987 	if (!msg)
21988 		return;
21989 
21990 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_INCUMBENT_SIGNAL_DETECT);
21991 	if (!hdr)
21992 		goto nla_put_failure;
21993 
21994 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx))
21995 		goto nla_put_failure;
21996 
21997 	if (nl80211_send_chandef(msg, chandef))
21998 		goto nla_put_failure;
21999 
22000 	if (nla_put_u32(msg, NL80211_ATTR_INCUMBENT_SIGNAL_INTERFERENCE_BITMAP,
22001 			signal_interference_bitmap))
22002 		goto nla_put_failure;
22003 
22004 	genlmsg_end(msg, hdr);
22005 
22006 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
22007 				NL80211_MCGRP_MLME, gfp);
22008 	return;
22009 
22010 nla_put_failure:
22011 	nlmsg_free(msg);
22012 }
22013 EXPORT_SYMBOL(cfg80211_incumbent_signal_notify);
22014 
22015 void cfg80211_ch_switch_started_notify(struct net_device *dev,
22016 				       struct cfg80211_chan_def *chandef,
22017 				       unsigned int link_id, u8 count,
22018 				       bool quiet)
22019 {
22020 	struct wireless_dev *wdev = dev->ieee80211_ptr;
22021 	struct wiphy *wiphy = wdev->wiphy;
22022 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
22023 
22024 	lockdep_assert_wiphy(wdev->wiphy);
22025 	WARN_INVALID_LINK_ID(wdev, link_id);
22026 
22027 	trace_cfg80211_ch_switch_started_notify(dev, chandef, link_id);
22028 
22029 
22030 	nl80211_ch_switch_notify(rdev, dev, link_id, chandef, GFP_KERNEL,
22031 				 NL80211_CMD_CH_SWITCH_STARTED_NOTIFY,
22032 				 count, quiet);
22033 }
22034 EXPORT_SYMBOL(cfg80211_ch_switch_started_notify);
22035 
22036 int cfg80211_bss_color_notify(struct net_device *dev,
22037 			      enum nl80211_commands cmd, u8 count,
22038 			      u64 color_bitmap, u8 link_id)
22039 {
22040 	struct wireless_dev *wdev = dev->ieee80211_ptr;
22041 	struct wiphy *wiphy = wdev->wiphy;
22042 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
22043 	struct sk_buff *msg;
22044 	void *hdr;
22045 
22046 	lockdep_assert_wiphy(wdev->wiphy);
22047 
22048 	trace_cfg80211_bss_color_notify(dev, cmd, count, color_bitmap);
22049 
22050 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
22051 	if (!msg)
22052 		return -ENOMEM;
22053 
22054 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
22055 	if (!hdr)
22056 		goto nla_put_failure;
22057 
22058 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
22059 		goto nla_put_failure;
22060 
22061 	if (wdev->valid_links &&
22062 	    nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID, link_id))
22063 		goto nla_put_failure;
22064 
22065 	if (cmd == NL80211_CMD_COLOR_CHANGE_STARTED &&
22066 	    nla_put_u32(msg, NL80211_ATTR_COLOR_CHANGE_COUNT, count))
22067 		goto nla_put_failure;
22068 
22069 	if (cmd == NL80211_CMD_OBSS_COLOR_COLLISION &&
22070 	    nla_put_u64_64bit(msg, NL80211_ATTR_OBSS_COLOR_BITMAP,
22071 			      color_bitmap, NL80211_ATTR_PAD))
22072 		goto nla_put_failure;
22073 
22074 	genlmsg_end(msg, hdr);
22075 
22076 	return genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy),
22077 				       msg, 0, NL80211_MCGRP_MLME, GFP_KERNEL);
22078 
22079 nla_put_failure:
22080 	nlmsg_free(msg);
22081 	return -EINVAL;
22082 }
22083 EXPORT_SYMBOL(cfg80211_bss_color_notify);
22084 
22085 void
22086 nl80211_radar_notify(struct cfg80211_registered_device *rdev,
22087 		     const struct cfg80211_chan_def *chandef,
22088 		     enum nl80211_radar_event event,
22089 		     struct net_device *netdev, gfp_t gfp)
22090 {
22091 	struct sk_buff *msg;
22092 	void *hdr;
22093 
22094 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
22095 	if (!msg)
22096 		return;
22097 
22098 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_RADAR_DETECT);
22099 	if (!hdr) {
22100 		nlmsg_free(msg);
22101 		return;
22102 	}
22103 
22104 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx))
22105 		goto nla_put_failure;
22106 
22107 	/* NOP and radar events don't need a netdev parameter */
22108 	if (netdev) {
22109 		struct wireless_dev *wdev = netdev->ieee80211_ptr;
22110 
22111 		if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
22112 		    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
22113 				      NL80211_ATTR_PAD))
22114 			goto nla_put_failure;
22115 	}
22116 
22117 	if (rdev->background_radar_wdev &&
22118 	    cfg80211_chandef_identical(&rdev->background_radar_chandef,
22119 				       chandef)) {
22120 		if (nla_put_flag(msg, NL80211_ATTR_RADAR_BACKGROUND))
22121 			goto nla_put_failure;
22122 	}
22123 
22124 	if (nla_put_u32(msg, NL80211_ATTR_RADAR_EVENT, event))
22125 		goto nla_put_failure;
22126 
22127 	if (nl80211_send_chandef(msg, chandef))
22128 		goto nla_put_failure;
22129 
22130 	genlmsg_end(msg, hdr);
22131 
22132 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
22133 				NL80211_MCGRP_MLME, gfp);
22134 	return;
22135 
22136  nla_put_failure:
22137 	nlmsg_free(msg);
22138 }
22139 
22140 void cfg80211_sta_opmode_change_notify(struct net_device *dev, const u8 *mac,
22141 				       struct sta_opmode_info *sta_opmode,
22142 				       gfp_t gfp)
22143 {
22144 	struct sk_buff *msg;
22145 	struct wireless_dev *wdev = dev->ieee80211_ptr;
22146 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
22147 	void *hdr;
22148 
22149 	if (WARN_ON(!mac))
22150 		return;
22151 
22152 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
22153 	if (!msg)
22154 		return;
22155 
22156 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_STA_OPMODE_CHANGED);
22157 	if (!hdr) {
22158 		nlmsg_free(msg);
22159 		return;
22160 	}
22161 
22162 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx))
22163 		goto nla_put_failure;
22164 
22165 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
22166 		goto nla_put_failure;
22167 
22168 	if (nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac))
22169 		goto nla_put_failure;
22170 
22171 	if ((sta_opmode->changed & STA_OPMODE_SMPS_MODE_CHANGED) &&
22172 	    nla_put_u8(msg, NL80211_ATTR_SMPS_MODE, sta_opmode->smps_mode))
22173 		goto nla_put_failure;
22174 
22175 	if ((sta_opmode->changed & STA_OPMODE_MAX_BW_CHANGED) &&
22176 	    nla_put_u32(msg, NL80211_ATTR_CHANNEL_WIDTH, sta_opmode->bw))
22177 		goto nla_put_failure;
22178 
22179 	if ((sta_opmode->changed & STA_OPMODE_N_SS_CHANGED) &&
22180 	    nla_put_u8(msg, NL80211_ATTR_NSS, sta_opmode->rx_nss))
22181 		goto nla_put_failure;
22182 
22183 	genlmsg_end(msg, hdr);
22184 
22185 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
22186 				NL80211_MCGRP_MLME, gfp);
22187 
22188 	return;
22189 
22190 nla_put_failure:
22191 	nlmsg_free(msg);
22192 }
22193 EXPORT_SYMBOL(cfg80211_sta_opmode_change_notify);
22194 
22195 void cfg80211_probe_status(struct net_device *dev, const u8 *addr,
22196 			   u64 cookie, bool acked, s32 ack_signal,
22197 			   bool is_valid_ack_signal, gfp_t gfp)
22198 {
22199 	struct wireless_dev *wdev = dev->ieee80211_ptr;
22200 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
22201 	struct sk_buff *msg;
22202 	void *hdr;
22203 
22204 	trace_cfg80211_probe_status(dev, addr, cookie, acked);
22205 
22206 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
22207 
22208 	if (!msg)
22209 		return;
22210 
22211 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_PROBE_CLIENT);
22212 	if (!hdr) {
22213 		nlmsg_free(msg);
22214 		return;
22215 	}
22216 
22217 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
22218 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
22219 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr) ||
22220 	    nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
22221 			      NL80211_ATTR_PAD) ||
22222 	    (acked && nla_put_flag(msg, NL80211_ATTR_ACK)) ||
22223 	    (is_valid_ack_signal && nla_put_s32(msg, NL80211_ATTR_ACK_SIGNAL,
22224 						ack_signal)))
22225 		goto nla_put_failure;
22226 
22227 	genlmsg_end(msg, hdr);
22228 
22229 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
22230 				NL80211_MCGRP_MLME, gfp);
22231 	return;
22232 
22233  nla_put_failure:
22234 	nlmsg_free(msg);
22235 }
22236 EXPORT_SYMBOL(cfg80211_probe_status);
22237 
22238 void cfg80211_report_obss_beacon_khz(struct wiphy *wiphy, const u8 *frame,
22239 				     size_t len, int freq, int sig_dbm)
22240 {
22241 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
22242 	struct sk_buff *msg;
22243 	void *hdr;
22244 	struct cfg80211_beacon_registration *reg;
22245 
22246 	trace_cfg80211_report_obss_beacon(wiphy, frame, len, freq, sig_dbm);
22247 
22248 	spin_lock_bh(&rdev->beacon_registrations_lock);
22249 	list_for_each_entry(reg, &rdev->beacon_registrations, list) {
22250 		msg = nlmsg_new(len + 100, GFP_ATOMIC);
22251 		if (!msg) {
22252 			spin_unlock_bh(&rdev->beacon_registrations_lock);
22253 			return;
22254 		}
22255 
22256 		hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_FRAME);
22257 		if (!hdr)
22258 			goto nla_put_failure;
22259 
22260 		if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
22261 		    (freq &&
22262 		     (nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ,
22263 				  KHZ_TO_MHZ(freq)) ||
22264 		      nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ_OFFSET,
22265 				  freq % 1000))) ||
22266 		    (sig_dbm &&
22267 		     nla_put_u32(msg, NL80211_ATTR_RX_SIGNAL_DBM, sig_dbm)) ||
22268 		    nla_put(msg, NL80211_ATTR_FRAME, len, frame))
22269 			goto nla_put_failure;
22270 
22271 		genlmsg_end(msg, hdr);
22272 
22273 		genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, reg->nlportid);
22274 	}
22275 	spin_unlock_bh(&rdev->beacon_registrations_lock);
22276 	return;
22277 
22278  nla_put_failure:
22279 	spin_unlock_bh(&rdev->beacon_registrations_lock);
22280 	nlmsg_free(msg);
22281 }
22282 EXPORT_SYMBOL(cfg80211_report_obss_beacon_khz);
22283 
22284 #ifdef CONFIG_PM
22285 static int cfg80211_net_detect_results(struct sk_buff *msg,
22286 				       struct cfg80211_wowlan_wakeup *wakeup)
22287 {
22288 	struct cfg80211_wowlan_nd_info *nd = wakeup->net_detect;
22289 	struct nlattr *nl_results, *nl_match, *nl_freqs;
22290 	int i, j;
22291 
22292 	nl_results = nla_nest_start_noflag(msg,
22293 					   NL80211_WOWLAN_TRIG_NET_DETECT_RESULTS);
22294 	if (!nl_results)
22295 		return -EMSGSIZE;
22296 
22297 	for (i = 0; i < nd->n_matches; i++) {
22298 		struct cfg80211_wowlan_nd_match *match = nd->matches[i];
22299 
22300 		nl_match = nla_nest_start_noflag(msg, i);
22301 		if (!nl_match)
22302 			break;
22303 
22304 		/* The SSID attribute is optional in nl80211, but for
22305 		 * simplicity reasons it's always present in the
22306 		 * cfg80211 structure.  If a driver can't pass the
22307 		 * SSID, that needs to be changed.  A zero length SSID
22308 		 * is still a valid SSID (wildcard), so it cannot be
22309 		 * used for this purpose.
22310 		 */
22311 		if (nla_put(msg, NL80211_ATTR_SSID, match->ssid.ssid_len,
22312 			    match->ssid.ssid)) {
22313 			nla_nest_cancel(msg, nl_match);
22314 			goto out;
22315 		}
22316 
22317 		if (match->n_channels) {
22318 			nl_freqs = nla_nest_start_noflag(msg,
22319 							 NL80211_ATTR_SCAN_FREQUENCIES);
22320 			if (!nl_freqs) {
22321 				nla_nest_cancel(msg, nl_match);
22322 				goto out;
22323 			}
22324 
22325 			for (j = 0; j < match->n_channels; j++) {
22326 				if (nla_put_u32(msg, j, match->channels[j])) {
22327 					nla_nest_cancel(msg, nl_freqs);
22328 					nla_nest_cancel(msg, nl_match);
22329 					goto out;
22330 				}
22331 			}
22332 
22333 			nla_nest_end(msg, nl_freqs);
22334 		}
22335 
22336 		nla_nest_end(msg, nl_match);
22337 	}
22338 
22339 out:
22340 	nla_nest_end(msg, nl_results);
22341 	return 0;
22342 }
22343 
22344 void cfg80211_report_wowlan_wakeup(struct wireless_dev *wdev,
22345 				   struct cfg80211_wowlan_wakeup *wakeup,
22346 				   gfp_t gfp)
22347 {
22348 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
22349 	struct sk_buff *msg;
22350 	void *hdr;
22351 	int size = 200;
22352 
22353 	trace_cfg80211_report_wowlan_wakeup(wdev->wiphy, wdev, wakeup);
22354 
22355 	if (wakeup)
22356 		size += wakeup->packet_present_len;
22357 
22358 	msg = nlmsg_new(size, gfp);
22359 	if (!msg)
22360 		return;
22361 
22362 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_SET_WOWLAN);
22363 	if (!hdr)
22364 		goto free_msg;
22365 
22366 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
22367 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
22368 			      NL80211_ATTR_PAD))
22369 		goto free_msg;
22370 
22371 	if (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
22372 					wdev->netdev->ifindex))
22373 		goto free_msg;
22374 
22375 	if (wakeup) {
22376 		struct nlattr *reasons;
22377 
22378 		reasons = nla_nest_start_noflag(msg,
22379 						NL80211_ATTR_WOWLAN_TRIGGERS);
22380 		if (!reasons)
22381 			goto free_msg;
22382 
22383 		if (wakeup->disconnect &&
22384 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_DISCONNECT))
22385 			goto free_msg;
22386 		if (wakeup->magic_pkt &&
22387 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_MAGIC_PKT))
22388 			goto free_msg;
22389 		if (wakeup->gtk_rekey_failure &&
22390 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE))
22391 			goto free_msg;
22392 		if (wakeup->eap_identity_req &&
22393 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST))
22394 			goto free_msg;
22395 		if (wakeup->four_way_handshake &&
22396 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE))
22397 			goto free_msg;
22398 		if (wakeup->rfkill_release &&
22399 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_RFKILL_RELEASE))
22400 			goto free_msg;
22401 
22402 		if (wakeup->pattern_idx >= 0 &&
22403 		    nla_put_u32(msg, NL80211_WOWLAN_TRIG_PKT_PATTERN,
22404 				wakeup->pattern_idx))
22405 			goto free_msg;
22406 
22407 		if (wakeup->tcp_match &&
22408 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_WAKEUP_TCP_MATCH))
22409 			goto free_msg;
22410 
22411 		if (wakeup->tcp_connlost &&
22412 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_WAKEUP_TCP_CONNLOST))
22413 			goto free_msg;
22414 
22415 		if (wakeup->tcp_nomoretokens &&
22416 		    nla_put_flag(msg,
22417 				 NL80211_WOWLAN_TRIG_WAKEUP_TCP_NOMORETOKENS))
22418 			goto free_msg;
22419 
22420 		if (wakeup->unprot_deauth_disassoc &&
22421 		    nla_put_flag(msg,
22422 				 NL80211_WOWLAN_TRIG_UNPROTECTED_DEAUTH_DISASSOC))
22423 			goto free_msg;
22424 
22425 		if (wakeup->packet) {
22426 			u32 pkt_attr = NL80211_WOWLAN_TRIG_WAKEUP_PKT_80211;
22427 			u32 len_attr = NL80211_WOWLAN_TRIG_WAKEUP_PKT_80211_LEN;
22428 
22429 			if (!wakeup->packet_80211) {
22430 				pkt_attr =
22431 					NL80211_WOWLAN_TRIG_WAKEUP_PKT_8023;
22432 				len_attr =
22433 					NL80211_WOWLAN_TRIG_WAKEUP_PKT_8023_LEN;
22434 			}
22435 
22436 			if (wakeup->packet_len &&
22437 			    nla_put_u32(msg, len_attr, wakeup->packet_len))
22438 				goto free_msg;
22439 
22440 			if (nla_put(msg, pkt_attr, wakeup->packet_present_len,
22441 				    wakeup->packet))
22442 				goto free_msg;
22443 		}
22444 
22445 		if (wakeup->net_detect &&
22446 		    cfg80211_net_detect_results(msg, wakeup))
22447 				goto free_msg;
22448 
22449 		nla_nest_end(msg, reasons);
22450 	}
22451 
22452 	genlmsg_end(msg, hdr);
22453 
22454 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
22455 				NL80211_MCGRP_MLME, gfp);
22456 	return;
22457 
22458  free_msg:
22459 	nlmsg_free(msg);
22460 }
22461 EXPORT_SYMBOL(cfg80211_report_wowlan_wakeup);
22462 #endif
22463 
22464 void cfg80211_tdls_oper_request(struct net_device *dev, const u8 *peer,
22465 				enum nl80211_tdls_operation oper,
22466 				u16 reason_code, gfp_t gfp)
22467 {
22468 	struct wireless_dev *wdev = dev->ieee80211_ptr;
22469 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
22470 	struct sk_buff *msg;
22471 	void *hdr;
22472 
22473 	trace_cfg80211_tdls_oper_request(wdev->wiphy, dev, peer, oper,
22474 					 reason_code);
22475 
22476 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
22477 	if (!msg)
22478 		return;
22479 
22480 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_TDLS_OPER);
22481 	if (!hdr) {
22482 		nlmsg_free(msg);
22483 		return;
22484 	}
22485 
22486 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
22487 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
22488 	    nla_put_u8(msg, NL80211_ATTR_TDLS_OPERATION, oper) ||
22489 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, peer) ||
22490 	    (reason_code > 0 &&
22491 	     nla_put_u16(msg, NL80211_ATTR_REASON_CODE, reason_code)))
22492 		goto nla_put_failure;
22493 
22494 	genlmsg_end(msg, hdr);
22495 
22496 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
22497 				NL80211_MCGRP_MLME, gfp);
22498 	return;
22499 
22500  nla_put_failure:
22501 	nlmsg_free(msg);
22502 }
22503 EXPORT_SYMBOL(cfg80211_tdls_oper_request);
22504 
22505 static int nl80211_netlink_notify(struct notifier_block * nb,
22506 				  unsigned long state,
22507 				  void *_notify)
22508 {
22509 	struct netlink_notify *notify = _notify;
22510 	struct cfg80211_registered_device *rdev;
22511 	struct wireless_dev *wdev;
22512 	struct cfg80211_beacon_registration *reg, *tmp;
22513 
22514 	if (state != NETLINK_URELEASE || notify->protocol != NETLINK_GENERIC)
22515 		return NOTIFY_DONE;
22516 
22517 	rcu_read_lock();
22518 
22519 	list_for_each_entry_rcu(rdev, &cfg80211_rdev_list, list) {
22520 		struct cfg80211_sched_scan_request *sched_scan_req;
22521 
22522 		list_for_each_entry_rcu(sched_scan_req,
22523 					&rdev->sched_scan_req_list,
22524 					list) {
22525 			if (sched_scan_req->owner_nlportid == notify->portid) {
22526 				sched_scan_req->nl_owner_dead = true;
22527 				wiphy_work_queue(&rdev->wiphy,
22528 						 &rdev->sched_scan_stop_wk);
22529 			}
22530 		}
22531 
22532 		list_for_each_entry_rcu(wdev, &rdev->wiphy.wdev_list, list) {
22533 			cfg80211_mlme_unregister_socket(wdev, notify->portid);
22534 
22535 			if (wdev->owner_nlportid == notify->portid) {
22536 				wdev->nl_owner_dead = true;
22537 				schedule_work(&rdev->destroy_work);
22538 			} else if (wdev->conn_owner_nlportid == notify->portid) {
22539 				schedule_work(&wdev->disconnect_wk);
22540 			}
22541 
22542 			cfg80211_release_pmsr(wdev, notify->portid);
22543 		}
22544 
22545 		spin_lock_bh(&rdev->beacon_registrations_lock);
22546 		list_for_each_entry_safe(reg, tmp, &rdev->beacon_registrations,
22547 					 list) {
22548 			if (reg->nlportid == notify->portid) {
22549 				list_del(&reg->list);
22550 				kfree(reg);
22551 				break;
22552 			}
22553 		}
22554 		spin_unlock_bh(&rdev->beacon_registrations_lock);
22555 	}
22556 
22557 	rcu_read_unlock();
22558 
22559 	/*
22560 	 * It is possible that the user space process that is controlling the
22561 	 * indoor setting disappeared, so notify the regulatory core.
22562 	 */
22563 	regulatory_netlink_notify(notify->portid);
22564 	return NOTIFY_OK;
22565 }
22566 
22567 static struct notifier_block nl80211_netlink_notifier = {
22568 	.notifier_call = nl80211_netlink_notify,
22569 };
22570 
22571 void cfg80211_ft_event(struct net_device *netdev,
22572 		       struct cfg80211_ft_event_params *ft_event)
22573 {
22574 	struct wiphy *wiphy = netdev->ieee80211_ptr->wiphy;
22575 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
22576 	struct sk_buff *msg;
22577 	void *hdr;
22578 
22579 	trace_cfg80211_ft_event(wiphy, netdev, ft_event);
22580 
22581 	if (!ft_event->target_ap)
22582 		return;
22583 
22584 	msg = nlmsg_new(100 + ft_event->ies_len + ft_event->ric_ies_len,
22585 			GFP_KERNEL);
22586 	if (!msg)
22587 		return;
22588 
22589 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_FT_EVENT);
22590 	if (!hdr)
22591 		goto out;
22592 
22593 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
22594 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
22595 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, ft_event->target_ap))
22596 		goto out;
22597 
22598 	if (ft_event->ies &&
22599 	    nla_put(msg, NL80211_ATTR_IE, ft_event->ies_len, ft_event->ies))
22600 		goto out;
22601 	if (ft_event->ric_ies &&
22602 	    nla_put(msg, NL80211_ATTR_IE_RIC, ft_event->ric_ies_len,
22603 		    ft_event->ric_ies))
22604 		goto out;
22605 
22606 	genlmsg_end(msg, hdr);
22607 
22608 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
22609 				NL80211_MCGRP_MLME, GFP_KERNEL);
22610 	return;
22611  out:
22612 	nlmsg_free(msg);
22613 }
22614 EXPORT_SYMBOL(cfg80211_ft_event);
22615 
22616 void cfg80211_crit_proto_stopped(struct wireless_dev *wdev, gfp_t gfp)
22617 {
22618 	struct cfg80211_registered_device *rdev;
22619 	struct sk_buff *msg;
22620 	void *hdr;
22621 	u32 nlportid;
22622 
22623 	rdev = wiphy_to_rdev(wdev->wiphy);
22624 	if (!rdev->crit_proto_nlportid)
22625 		return;
22626 
22627 	nlportid = rdev->crit_proto_nlportid;
22628 	rdev->crit_proto_nlportid = 0;
22629 
22630 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
22631 	if (!msg)
22632 		return;
22633 
22634 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_CRIT_PROTOCOL_STOP);
22635 	if (!hdr)
22636 		goto nla_put_failure;
22637 
22638 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
22639 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
22640 			      NL80211_ATTR_PAD))
22641 		goto nla_put_failure;
22642 
22643 	genlmsg_end(msg, hdr);
22644 
22645 	genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, nlportid);
22646 	return;
22647 
22648  nla_put_failure:
22649 	nlmsg_free(msg);
22650 }
22651 EXPORT_SYMBOL(cfg80211_crit_proto_stopped);
22652 
22653 void nl80211_send_ap_stopped(struct wireless_dev *wdev, unsigned int link_id)
22654 {
22655 	struct wiphy *wiphy = wdev->wiphy;
22656 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
22657 	struct sk_buff *msg;
22658 	void *hdr;
22659 
22660 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
22661 	if (!msg)
22662 		return;
22663 
22664 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_STOP_AP);
22665 	if (!hdr)
22666 		goto out;
22667 
22668 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
22669 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, wdev->netdev->ifindex) ||
22670 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
22671 			      NL80211_ATTR_PAD) ||
22672 	    (wdev->valid_links &&
22673 	     nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID, link_id)))
22674 		goto out;
22675 
22676 	genlmsg_end(msg, hdr);
22677 
22678 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(wiphy), msg, 0,
22679 				NL80211_MCGRP_MLME, GFP_KERNEL);
22680 	return;
22681  out:
22682 	nlmsg_free(msg);
22683 }
22684 
22685 int cfg80211_external_auth_request(struct net_device *dev,
22686 				   struct cfg80211_external_auth_params *params,
22687 				   gfp_t gfp)
22688 {
22689 	struct wireless_dev *wdev = dev->ieee80211_ptr;
22690 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
22691 	struct sk_buff *msg;
22692 	void *hdr;
22693 
22694 	if (!wdev->conn_owner_nlportid)
22695 		return -EINVAL;
22696 
22697 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
22698 	if (!msg)
22699 		return -ENOMEM;
22700 
22701 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_EXTERNAL_AUTH);
22702 	if (!hdr)
22703 		goto nla_put_failure;
22704 
22705 	/* Some historical mistakes in drivers <-> userspace interface (notably
22706 	 * between drivers and wpa_supplicant) led to a big-endian conversion
22707 	 * being needed on NL80211_ATTR_AKM_SUITES _only_ when its value is
22708 	 * WLAN_AKM_SUITE_SAE. This is now fixed on userspace side, but for the
22709 	 * benefit of older wpa_supplicant versions, send this particular value
22710 	 * in big-endian. Note that newer wpa_supplicant will also detect this
22711 	 * particular value in big endian still, so it all continues to work.
22712 	 */
22713 	if (params->key_mgmt_suite == WLAN_AKM_SUITE_SAE) {
22714 		if (nla_put_be32(msg, NL80211_ATTR_AKM_SUITES,
22715 				 cpu_to_be32(WLAN_AKM_SUITE_SAE)))
22716 			goto nla_put_failure;
22717 	} else {
22718 		if (nla_put_u32(msg, NL80211_ATTR_AKM_SUITES,
22719 				params->key_mgmt_suite))
22720 			goto nla_put_failure;
22721 	}
22722 
22723 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
22724 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
22725 	    nla_put_u32(msg, NL80211_ATTR_EXTERNAL_AUTH_ACTION,
22726 			params->action) ||
22727 	    nla_put(msg, NL80211_ATTR_BSSID, ETH_ALEN, params->bssid) ||
22728 	    nla_put(msg, NL80211_ATTR_SSID, params->ssid.ssid_len,
22729 		    params->ssid.ssid) ||
22730 	    (!is_zero_ether_addr(params->mld_addr) &&
22731 	     nla_put(msg, NL80211_ATTR_MLD_ADDR, ETH_ALEN, params->mld_addr)))
22732 		goto nla_put_failure;
22733 
22734 	genlmsg_end(msg, hdr);
22735 	genlmsg_unicast(wiphy_net(&rdev->wiphy), msg,
22736 			wdev->conn_owner_nlportid);
22737 	return 0;
22738 
22739  nla_put_failure:
22740 	nlmsg_free(msg);
22741 	return -ENOBUFS;
22742 }
22743 EXPORT_SYMBOL(cfg80211_external_auth_request);
22744 
22745 void cfg80211_update_owe_info_event(struct net_device *netdev,
22746 				    struct cfg80211_update_owe_info *owe_info,
22747 				    gfp_t gfp)
22748 {
22749 	struct wiphy *wiphy = netdev->ieee80211_ptr->wiphy;
22750 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
22751 	struct sk_buff *msg;
22752 	void *hdr;
22753 
22754 	trace_cfg80211_update_owe_info_event(wiphy, netdev, owe_info);
22755 
22756 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
22757 	if (!msg)
22758 		return;
22759 
22760 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_UPDATE_OWE_INFO);
22761 	if (!hdr)
22762 		goto nla_put_failure;
22763 
22764 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
22765 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
22766 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, owe_info->peer))
22767 		goto nla_put_failure;
22768 
22769 	if (!owe_info->ie_len ||
22770 	    nla_put(msg, NL80211_ATTR_IE, owe_info->ie_len, owe_info->ie))
22771 		goto nla_put_failure;
22772 
22773 	if (owe_info->assoc_link_id != -1) {
22774 		if (nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID,
22775 			       owe_info->assoc_link_id))
22776 			goto nla_put_failure;
22777 
22778 		if (!is_zero_ether_addr(owe_info->peer_mld_addr) &&
22779 		    nla_put(msg, NL80211_ATTR_MLD_ADDR, ETH_ALEN,
22780 			    owe_info->peer_mld_addr))
22781 			goto nla_put_failure;
22782 	}
22783 
22784 	genlmsg_end(msg, hdr);
22785 
22786 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
22787 				NL80211_MCGRP_MLME, gfp);
22788 	return;
22789 
22790 nla_put_failure:
22791 	genlmsg_cancel(msg, hdr);
22792 	nlmsg_free(msg);
22793 }
22794 EXPORT_SYMBOL(cfg80211_update_owe_info_event);
22795 
22796 void cfg80211_schedule_channels_check(struct wireless_dev *wdev)
22797 {
22798 	struct wiphy *wiphy = wdev->wiphy;
22799 
22800 	/* Schedule channels check if NO_IR or DFS relaxations are supported */
22801 	if (wdev->iftype == NL80211_IFTYPE_STATION &&
22802 	    (wiphy_ext_feature_isset(wiphy,
22803 				     NL80211_EXT_FEATURE_DFS_CONCURRENT) ||
22804 	    (IS_ENABLED(CONFIG_CFG80211_REG_RELAX_NO_IR) &&
22805 	     wiphy->regulatory_flags & REGULATORY_ENABLE_RELAX_NO_IR)))
22806 		reg_check_channels();
22807 }
22808 EXPORT_SYMBOL(cfg80211_schedule_channels_check);
22809 
22810 void cfg80211_epcs_changed(struct net_device *netdev, bool enabled)
22811 {
22812 	struct wireless_dev *wdev = netdev->ieee80211_ptr;
22813 	struct wiphy *wiphy = wdev->wiphy;
22814 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
22815 	struct sk_buff *msg;
22816 	void *hdr;
22817 
22818 	trace_cfg80211_epcs_changed(wdev, enabled);
22819 
22820 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
22821 	if (!msg)
22822 		return;
22823 
22824 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_EPCS_CFG);
22825 	if (!hdr) {
22826 		nlmsg_free(msg);
22827 		return;
22828 	}
22829 
22830 	if (enabled && nla_put_flag(msg, NL80211_ATTR_EPCS))
22831 		goto nla_put_failure;
22832 
22833 	genlmsg_end(msg, hdr);
22834 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
22835 				NL80211_MCGRP_MLME, GFP_KERNEL);
22836 	return;
22837 
22838  nla_put_failure:
22839 	nlmsg_free(msg);
22840 }
22841 EXPORT_SYMBOL(cfg80211_epcs_changed);
22842 
22843 void cfg80211_next_nan_dw_notif(struct wireless_dev *wdev,
22844 				struct ieee80211_channel *chan, gfp_t gfp)
22845 {
22846 	struct wiphy *wiphy = wdev->wiphy;
22847 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
22848 	struct sk_buff *msg;
22849 	void *hdr;
22850 
22851 	trace_cfg80211_next_nan_dw_notif(wdev, chan);
22852 
22853 	if (!wdev->owner_nlportid)
22854 		return;
22855 
22856 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
22857 	if (!msg)
22858 		return;
22859 
22860 	hdr = nl80211hdr_put(msg, 0, 0, 0,
22861 			     NL80211_CMD_NAN_NEXT_DW_NOTIFICATION);
22862 	if (!hdr)
22863 		goto nla_put_failure;
22864 
22865 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
22866 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
22867 			      NL80211_ATTR_PAD) ||
22868 	    nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ, chan->center_freq))
22869 		goto nla_put_failure;
22870 
22871 	genlmsg_end(msg, hdr);
22872 
22873 	genlmsg_unicast(wiphy_net(wiphy), msg, wdev->owner_nlportid);
22874 
22875 	return;
22876 
22877  nla_put_failure:
22878 	nlmsg_free(msg);
22879 }
22880 EXPORT_SYMBOL(cfg80211_next_nan_dw_notif);
22881 
22882 void cfg80211_nan_cluster_joined(struct wireless_dev *wdev,
22883 				 const u8 *cluster_id, bool new_cluster,
22884 				 gfp_t gfp)
22885 {
22886 	struct wiphy *wiphy = wdev->wiphy;
22887 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
22888 	struct sk_buff *msg;
22889 	void *hdr;
22890 
22891 	trace_cfg80211_nan_cluster_joined(wdev, cluster_id, new_cluster);
22892 
22893 	memcpy(wdev->u.nan.cluster_id, cluster_id, ETH_ALEN);
22894 
22895 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
22896 	if (!msg)
22897 		return;
22898 
22899 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_NAN_CLUSTER_JOINED);
22900 	if (!hdr)
22901 		goto nla_put_failure;
22902 
22903 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
22904 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
22905 			      NL80211_ATTR_PAD) ||
22906 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, cluster_id) ||
22907 	    (new_cluster && nla_put_flag(msg, NL80211_ATTR_NAN_NEW_CLUSTER)))
22908 		goto nla_put_failure;
22909 
22910 	genlmsg_end(msg, hdr);
22911 
22912 	if (!wdev->owner_nlportid)
22913 		genlmsg_multicast_netns(&nl80211_fam, wiphy_net(wiphy),
22914 					msg, 0, NL80211_MCGRP_NAN, gfp);
22915 	else
22916 		genlmsg_unicast(wiphy_net(wiphy), msg,
22917 				wdev->owner_nlportid);
22918 	return;
22919 
22920  nla_put_failure:
22921 	nlmsg_free(msg);
22922 }
22923 EXPORT_SYMBOL(cfg80211_nan_cluster_joined);
22924 
22925 void cfg80211_nan_ulw_update(struct wireless_dev *wdev,
22926 			     const u8 *ulw, size_t ulw_len, gfp_t gfp)
22927 {
22928 	struct wiphy *wiphy = wdev->wiphy;
22929 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
22930 	struct sk_buff *msg;
22931 	void *hdr;
22932 
22933 	trace_cfg80211_nan_ulw_update(wiphy, wdev, ulw, ulw_len);
22934 
22935 	if (!wdev->owner_nlportid)
22936 		return;
22937 
22938 	/* 32 for the wiphy idx, 64 for the wdev id, 100 for padding */
22939 	msg = nlmsg_new(nla_total_size(sizeof(u32)) +
22940 			nla_total_size(ulw_len) +
22941 			nla_total_size(sizeof(u64)) + 100,
22942 			gfp);
22943 	if (!msg)
22944 		return;
22945 
22946 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_NAN_ULW_UPDATE);
22947 	if (!hdr)
22948 		goto nla_put_failure;
22949 
22950 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
22951 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
22952 			      NL80211_ATTR_PAD) ||
22953 	    (ulw && ulw_len &&
22954 	     nla_put(msg, NL80211_ATTR_NAN_ULW, ulw_len, ulw)))
22955 		goto nla_put_failure;
22956 
22957 	genlmsg_end(msg, hdr);
22958 
22959 	genlmsg_unicast(wiphy_net(wiphy), msg, wdev->owner_nlportid);
22960 
22961 	return;
22962 
22963  nla_put_failure:
22964 	nlmsg_free(msg);
22965 }
22966 EXPORT_SYMBOL(cfg80211_nan_ulw_update);
22967 
22968 void cfg80211_nan_channel_evac(struct wireless_dev *wdev,
22969 			       const struct cfg80211_chan_def *chandef,
22970 			       gfp_t gfp)
22971 {
22972 	struct wiphy *wiphy = wdev->wiphy;
22973 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
22974 	struct sk_buff *msg;
22975 	struct nlattr *chan_attr;
22976 	void *hdr;
22977 
22978 	trace_cfg80211_nan_channel_evac(wiphy, wdev, chandef);
22979 
22980 	if (!wdev->owner_nlportid)
22981 		return;
22982 
22983 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
22984 	if (!msg)
22985 		return;
22986 
22987 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_NAN_CHANNEL_EVAC);
22988 	if (!hdr)
22989 		goto nla_put_failure;
22990 
22991 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
22992 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
22993 			      NL80211_ATTR_PAD))
22994 		goto nla_put_failure;
22995 
22996 	chan_attr = nla_nest_start(msg, NL80211_ATTR_NAN_CHANNEL);
22997 	if (!chan_attr)
22998 		goto nla_put_failure;
22999 
23000 	if (nl80211_send_chandef(msg, chandef))
23001 		goto nla_put_failure;
23002 
23003 	nla_nest_end(msg, chan_attr);
23004 
23005 	genlmsg_end(msg, hdr);
23006 
23007 	genlmsg_unicast(wiphy_net(wiphy), msg, wdev->owner_nlportid);
23008 
23009 	return;
23010 
23011  nla_put_failure:
23012 	nlmsg_free(msg);
23013 }
23014 EXPORT_SYMBOL(cfg80211_nan_channel_evac);
23015 
23016 /* initialisation/exit functions */
23017 
23018 int __init nl80211_init(void)
23019 {
23020 	int err;
23021 
23022 	err = genl_register_family(&nl80211_fam);
23023 	if (err)
23024 		return err;
23025 
23026 	err = netlink_register_notifier(&nl80211_netlink_notifier);
23027 	if (err)
23028 		goto err_out;
23029 
23030 	return 0;
23031  err_out:
23032 	genl_unregister_family(&nl80211_fam);
23033 	return err;
23034 }
23035 
23036 void nl80211_exit(void)
23037 {
23038 	netlink_unregister_notifier(&nl80211_netlink_notifier);
23039 	genl_unregister_family(&nl80211_fam);
23040 }
23041