xref: /linux/net/wireless/nl80211.c (revision 0d2ab5f922e75d10162e7199826e14df9cfae5cc) 
1 // SPDX-License-Identifier: GPL-2.0-only
2 /*
3  * This is the new netlink-based wireless configuration interface.
4  *
5  * Copyright 2006-2010	Johannes Berg <johannes@sipsolutions.net>
6  * Copyright 2013-2014  Intel Mobile Communications GmbH
7  * Copyright 2015-2017	Intel Deutschland GmbH
8  * Copyright (C) 2018-2025 Intel Corporation
9  */
10 
11 #include <linux/if.h>
12 #include <linux/module.h>
13 #include <linux/err.h>
14 #include <linux/slab.h>
15 #include <linux/list.h>
16 #include <linux/if_ether.h>
17 #include <linux/ieee80211.h>
18 #include <linux/nl80211.h>
19 #include <linux/rtnetlink.h>
20 #include <linux/netlink.h>
21 #include <linux/nospec.h>
22 #include <linux/etherdevice.h>
23 #include <linux/if_vlan.h>
24 #include <net/net_namespace.h>
25 #include <net/genetlink.h>
26 #include <net/cfg80211.h>
27 #include <net/sock.h>
28 #include <net/inet_connection_sock.h>
29 #include "core.h"
30 #include "nl80211.h"
31 #include "reg.h"
32 #include "rdev-ops.h"
33 
34 static int nl80211_crypto_settings(struct cfg80211_registered_device *rdev,
35 				   struct genl_info *info,
36 				   struct cfg80211_crypto_settings *settings,
37 				   int cipher_limit);
38 
39 /* the netlink family */
40 static struct genl_family nl80211_fam;
41 
42 /* multicast groups */
43 enum nl80211_multicast_groups {
44 	NL80211_MCGRP_CONFIG,
45 	NL80211_MCGRP_SCAN,
46 	NL80211_MCGRP_REGULATORY,
47 	NL80211_MCGRP_MLME,
48 	NL80211_MCGRP_VENDOR,
49 	NL80211_MCGRP_NAN,
50 	NL80211_MCGRP_TESTMODE /* keep last - ifdef! */
51 };
52 
53 static const struct genl_multicast_group nl80211_mcgrps[] = {
54 	[NL80211_MCGRP_CONFIG] = { .name = NL80211_MULTICAST_GROUP_CONFIG },
55 	[NL80211_MCGRP_SCAN] = { .name = NL80211_MULTICAST_GROUP_SCAN },
56 	[NL80211_MCGRP_REGULATORY] = { .name = NL80211_MULTICAST_GROUP_REG },
57 	[NL80211_MCGRP_MLME] = { .name = NL80211_MULTICAST_GROUP_MLME },
58 	[NL80211_MCGRP_VENDOR] = { .name = NL80211_MULTICAST_GROUP_VENDOR },
59 	[NL80211_MCGRP_NAN] = { .name = NL80211_MULTICAST_GROUP_NAN },
60 #ifdef CONFIG_NL80211_TESTMODE
61 	[NL80211_MCGRP_TESTMODE] = { .name = NL80211_MULTICAST_GROUP_TESTMODE }
62 #endif
63 };
64 
65 /* returns ERR_PTR values */
66 static struct wireless_dev *
67 __cfg80211_wdev_from_attrs(struct cfg80211_registered_device *rdev,
68 			   struct net *netns, struct nlattr **attrs)
69 {
70 	struct wireless_dev *result = NULL;
71 	bool have_ifidx = attrs[NL80211_ATTR_IFINDEX];
72 	bool have_wdev_id = attrs[NL80211_ATTR_WDEV];
73 	u64 wdev_id = 0;
74 	int wiphy_idx = -1;
75 	int ifidx = -1;
76 
77 	if (!have_ifidx && !have_wdev_id)
78 		return ERR_PTR(-EINVAL);
79 
80 	if (have_ifidx)
81 		ifidx = nla_get_u32(attrs[NL80211_ATTR_IFINDEX]);
82 	if (have_wdev_id) {
83 		wdev_id = nla_get_u64(attrs[NL80211_ATTR_WDEV]);
84 		wiphy_idx = wdev_id >> 32;
85 	}
86 
87 	if (rdev) {
88 		struct wireless_dev *wdev;
89 
90 		lockdep_assert_held(&rdev->wiphy.mtx);
91 
92 		list_for_each_entry(wdev, &rdev->wiphy.wdev_list, list) {
93 			if (have_ifidx && wdev->netdev &&
94 			    wdev->netdev->ifindex == ifidx) {
95 				result = wdev;
96 				break;
97 			}
98 			if (have_wdev_id && wdev->identifier == (u32)wdev_id) {
99 				result = wdev;
100 				break;
101 			}
102 		}
103 
104 		return result ?: ERR_PTR(-ENODEV);
105 	}
106 
107 	ASSERT_RTNL();
108 
109 	for_each_rdev(rdev) {
110 		struct wireless_dev *wdev;
111 
112 		if (wiphy_net(&rdev->wiphy) != netns)
113 			continue;
114 
115 		if (have_wdev_id && rdev->wiphy_idx != wiphy_idx)
116 			continue;
117 
118 		list_for_each_entry(wdev, &rdev->wiphy.wdev_list, list) {
119 			if (have_ifidx && wdev->netdev &&
120 			    wdev->netdev->ifindex == ifidx) {
121 				result = wdev;
122 				break;
123 			}
124 			if (have_wdev_id && wdev->identifier == (u32)wdev_id) {
125 				result = wdev;
126 				break;
127 			}
128 		}
129 
130 		if (result)
131 			break;
132 	}
133 
134 	if (result)
135 		return result;
136 	return ERR_PTR(-ENODEV);
137 }
138 
139 static struct cfg80211_registered_device *
140 __cfg80211_rdev_from_attrs(struct net *netns, struct nlattr **attrs)
141 {
142 	struct cfg80211_registered_device *rdev = NULL, *tmp;
143 	struct net_device *netdev;
144 
145 	ASSERT_RTNL();
146 
147 	if (!attrs[NL80211_ATTR_WIPHY] &&
148 	    !attrs[NL80211_ATTR_IFINDEX] &&
149 	    !attrs[NL80211_ATTR_WDEV])
150 		return ERR_PTR(-EINVAL);
151 
152 	if (attrs[NL80211_ATTR_WIPHY])
153 		rdev = cfg80211_rdev_by_wiphy_idx(
154 				nla_get_u32(attrs[NL80211_ATTR_WIPHY]));
155 
156 	if (attrs[NL80211_ATTR_WDEV]) {
157 		u64 wdev_id = nla_get_u64(attrs[NL80211_ATTR_WDEV]);
158 		struct wireless_dev *wdev;
159 		bool found = false;
160 
161 		tmp = cfg80211_rdev_by_wiphy_idx(wdev_id >> 32);
162 		if (tmp) {
163 			/* make sure wdev exists */
164 			list_for_each_entry(wdev, &tmp->wiphy.wdev_list, list) {
165 				if (wdev->identifier != (u32)wdev_id)
166 					continue;
167 				found = true;
168 				break;
169 			}
170 
171 			if (!found)
172 				tmp = NULL;
173 
174 			if (rdev && tmp != rdev)
175 				return ERR_PTR(-EINVAL);
176 			rdev = tmp;
177 		}
178 	}
179 
180 	if (attrs[NL80211_ATTR_IFINDEX]) {
181 		int ifindex = nla_get_u32(attrs[NL80211_ATTR_IFINDEX]);
182 
183 		netdev = __dev_get_by_index(netns, ifindex);
184 		if (netdev) {
185 			if (netdev->ieee80211_ptr)
186 				tmp = wiphy_to_rdev(
187 					netdev->ieee80211_ptr->wiphy);
188 			else
189 				tmp = NULL;
190 
191 			/* not wireless device -- return error */
192 			if (!tmp)
193 				return ERR_PTR(-EINVAL);
194 
195 			/* mismatch -- return error */
196 			if (rdev && tmp != rdev)
197 				return ERR_PTR(-EINVAL);
198 
199 			rdev = tmp;
200 		}
201 	}
202 
203 	if (!rdev)
204 		return ERR_PTR(-ENODEV);
205 
206 	if (netns != wiphy_net(&rdev->wiphy))
207 		return ERR_PTR(-ENODEV);
208 
209 	return rdev;
210 }
211 
212 /*
213  * This function returns a pointer to the driver
214  * that the genl_info item that is passed refers to.
215  *
216  * The result of this can be a PTR_ERR and hence must
217  * be checked with IS_ERR() for errors.
218  */
219 static struct cfg80211_registered_device *
220 cfg80211_get_dev_from_info(struct net *netns, struct genl_info *info)
221 {
222 	return __cfg80211_rdev_from_attrs(netns, info->attrs);
223 }
224 
225 static int validate_beacon_head(const struct nlattr *attr,
226 				struct netlink_ext_ack *extack)
227 {
228 	const u8 *data = nla_data(attr);
229 	unsigned int len = nla_len(attr);
230 	const struct element *elem;
231 	const struct ieee80211_mgmt *mgmt = (void *)data;
232 	const struct ieee80211_ext *ext;
233 	unsigned int fixedlen, hdrlen;
234 	bool s1g_bcn;
235 
236 	if (len < offsetofend(typeof(*mgmt), frame_control))
237 		goto err;
238 
239 	s1g_bcn = ieee80211_is_s1g_beacon(mgmt->frame_control);
240 	if (s1g_bcn) {
241 		ext = (struct ieee80211_ext *)mgmt;
242 		fixedlen =
243 			offsetof(struct ieee80211_ext, u.s1g_beacon.variable) +
244 			ieee80211_s1g_optional_len(ext->frame_control);
245 		hdrlen = offsetof(struct ieee80211_ext, u.s1g_beacon);
246 	} else {
247 		fixedlen = offsetof(struct ieee80211_mgmt,
248 				    u.beacon.variable);
249 		hdrlen = offsetof(struct ieee80211_mgmt, u.beacon);
250 	}
251 
252 	if (len < fixedlen)
253 		goto err;
254 
255 	if (ieee80211_hdrlen(mgmt->frame_control) != hdrlen)
256 		goto err;
257 
258 	data += fixedlen;
259 	len -= fixedlen;
260 
261 	for_each_element(elem, data, len) {
262 		/* nothing */
263 	}
264 
265 	if (for_each_element_completed(elem, data, len))
266 		return 0;
267 
268 err:
269 	NL_SET_ERR_MSG_ATTR(extack, attr, "malformed beacon head");
270 	return -EINVAL;
271 }
272 
273 static int validate_ie_attr(const struct nlattr *attr,
274 			    struct netlink_ext_ack *extack)
275 {
276 	const u8 *data = nla_data(attr);
277 	unsigned int len = nla_len(attr);
278 	const struct element *elem;
279 
280 	for_each_element(elem, data, len) {
281 		/* nothing */
282 	}
283 
284 	if (for_each_element_completed(elem, data, len))
285 		return 0;
286 
287 	NL_SET_ERR_MSG_ATTR(extack, attr, "malformed information elements");
288 	return -EINVAL;
289 }
290 
291 static int validate_he_capa(const struct nlattr *attr,
292 			    struct netlink_ext_ack *extack)
293 {
294 	if (!ieee80211_he_capa_size_ok(nla_data(attr), nla_len(attr)))
295 		return -EINVAL;
296 
297 	return 0;
298 }
299 
300 static int validate_supported_selectors(const struct nlattr *attr,
301 					struct netlink_ext_ack *extack)
302 {
303 	const u8 *supported_selectors = nla_data(attr);
304 	u8 supported_selectors_len = nla_len(attr);
305 
306 	/* The top bit must not be set as it is not part of the selector */
307 	for (int i = 0; i < supported_selectors_len; i++) {
308 		if (supported_selectors[i] & 0x80)
309 			return -EINVAL;
310 	}
311 
312 	return 0;
313 }
314 
315 /* policy for the attributes */
316 static const struct nla_policy nl80211_policy[NUM_NL80211_ATTR];
317 
318 static const struct nla_policy
319 nl80211_ftm_responder_policy[NL80211_FTM_RESP_ATTR_MAX + 1] = {
320 	[NL80211_FTM_RESP_ATTR_ENABLED] = { .type = NLA_FLAG, },
321 	[NL80211_FTM_RESP_ATTR_LCI] = { .type = NLA_BINARY,
322 					.len = U8_MAX },
323 	[NL80211_FTM_RESP_ATTR_CIVICLOC] = { .type = NLA_BINARY,
324 					     .len = U8_MAX },
325 };
326 
327 static const struct nla_policy
328 nl80211_pmsr_ftm_req_attr_policy[NL80211_PMSR_FTM_REQ_ATTR_MAX + 1] = {
329 	[NL80211_PMSR_FTM_REQ_ATTR_ASAP] = { .type = NLA_FLAG },
330 	[NL80211_PMSR_FTM_REQ_ATTR_PREAMBLE] = { .type = NLA_U32 },
331 	[NL80211_PMSR_FTM_REQ_ATTR_NUM_BURSTS_EXP] =
332 		NLA_POLICY_MAX(NLA_U8, 15),
333 	[NL80211_PMSR_FTM_REQ_ATTR_BURST_PERIOD] = { .type = NLA_U16 },
334 	[NL80211_PMSR_FTM_REQ_ATTR_BURST_DURATION] =
335 		NLA_POLICY_MAX(NLA_U8, 15),
336 	[NL80211_PMSR_FTM_REQ_ATTR_FTMS_PER_BURST] = { .type = NLA_U8 },
337 	[NL80211_PMSR_FTM_REQ_ATTR_NUM_FTMR_RETRIES] = { .type = NLA_U8 },
338 	[NL80211_PMSR_FTM_REQ_ATTR_REQUEST_LCI] = { .type = NLA_FLAG },
339 	[NL80211_PMSR_FTM_REQ_ATTR_REQUEST_CIVICLOC] = { .type = NLA_FLAG },
340 	[NL80211_PMSR_FTM_REQ_ATTR_TRIGGER_BASED] = { .type = NLA_FLAG },
341 	[NL80211_PMSR_FTM_REQ_ATTR_NON_TRIGGER_BASED] = { .type = NLA_FLAG },
342 	[NL80211_PMSR_FTM_REQ_ATTR_LMR_FEEDBACK] = { .type = NLA_FLAG },
343 	[NL80211_PMSR_FTM_REQ_ATTR_BSS_COLOR] = { .type = NLA_U8 },
344 };
345 
346 static const struct nla_policy
347 nl80211_pmsr_req_data_policy[NL80211_PMSR_TYPE_MAX + 1] = {
348 	[NL80211_PMSR_TYPE_FTM] =
349 		NLA_POLICY_NESTED(nl80211_pmsr_ftm_req_attr_policy),
350 };
351 
352 static const struct nla_policy
353 nl80211_pmsr_req_attr_policy[NL80211_PMSR_REQ_ATTR_MAX + 1] = {
354 	[NL80211_PMSR_REQ_ATTR_DATA] =
355 		NLA_POLICY_NESTED(nl80211_pmsr_req_data_policy),
356 	[NL80211_PMSR_REQ_ATTR_GET_AP_TSF] = { .type = NLA_FLAG },
357 };
358 
359 static const struct nla_policy
360 nl80211_pmsr_peer_attr_policy[NL80211_PMSR_PEER_ATTR_MAX + 1] = {
361 	[NL80211_PMSR_PEER_ATTR_ADDR] = NLA_POLICY_ETH_ADDR,
362 	[NL80211_PMSR_PEER_ATTR_CHAN] = NLA_POLICY_NESTED(nl80211_policy),
363 	[NL80211_PMSR_PEER_ATTR_REQ] =
364 		NLA_POLICY_NESTED(nl80211_pmsr_req_attr_policy),
365 	[NL80211_PMSR_PEER_ATTR_RESP] = { .type = NLA_REJECT },
366 };
367 
368 static const struct nla_policy
369 nl80211_pmsr_attr_policy[NL80211_PMSR_ATTR_MAX + 1] = {
370 	[NL80211_PMSR_ATTR_MAX_PEERS] = { .type = NLA_REJECT },
371 	[NL80211_PMSR_ATTR_REPORT_AP_TSF] = { .type = NLA_REJECT },
372 	[NL80211_PMSR_ATTR_RANDOMIZE_MAC_ADDR] = { .type = NLA_REJECT },
373 	[NL80211_PMSR_ATTR_TYPE_CAPA] = { .type = NLA_REJECT },
374 	[NL80211_PMSR_ATTR_PEERS] =
375 		NLA_POLICY_NESTED_ARRAY(nl80211_pmsr_peer_attr_policy),
376 };
377 
378 static const struct nla_policy
379 he_obss_pd_policy[NL80211_HE_OBSS_PD_ATTR_MAX + 1] = {
380 	[NL80211_HE_OBSS_PD_ATTR_MIN_OFFSET] =
381 		NLA_POLICY_RANGE(NLA_U8, 1, 20),
382 	[NL80211_HE_OBSS_PD_ATTR_MAX_OFFSET] =
383 		NLA_POLICY_RANGE(NLA_U8, 1, 20),
384 	[NL80211_HE_OBSS_PD_ATTR_NON_SRG_MAX_OFFSET] =
385 		NLA_POLICY_RANGE(NLA_U8, 1, 20),
386 	[NL80211_HE_OBSS_PD_ATTR_BSS_COLOR_BITMAP] =
387 		NLA_POLICY_EXACT_LEN(8),
388 	[NL80211_HE_OBSS_PD_ATTR_PARTIAL_BSSID_BITMAP] =
389 		NLA_POLICY_EXACT_LEN(8),
390 	[NL80211_HE_OBSS_PD_ATTR_SR_CTRL] = { .type = NLA_U8 },
391 };
392 
393 static const struct nla_policy
394 he_bss_color_policy[NL80211_HE_BSS_COLOR_ATTR_MAX + 1] = {
395 	[NL80211_HE_BSS_COLOR_ATTR_COLOR] = NLA_POLICY_RANGE(NLA_U8, 1, 63),
396 	[NL80211_HE_BSS_COLOR_ATTR_DISABLED] = { .type = NLA_FLAG },
397 	[NL80211_HE_BSS_COLOR_ATTR_PARTIAL] = { .type = NLA_FLAG },
398 };
399 
400 static const struct nla_policy nl80211_txattr_policy[NL80211_TXRATE_MAX + 1] = {
401 	[NL80211_TXRATE_LEGACY] = { .type = NLA_BINARY,
402 				    .len = NL80211_MAX_SUPP_RATES },
403 	[NL80211_TXRATE_HT] = { .type = NLA_BINARY,
404 				.len = NL80211_MAX_SUPP_HT_RATES },
405 	[NL80211_TXRATE_VHT] = NLA_POLICY_EXACT_LEN_WARN(sizeof(struct nl80211_txrate_vht)),
406 	[NL80211_TXRATE_GI] = { .type = NLA_U8 },
407 	[NL80211_TXRATE_HE] = NLA_POLICY_EXACT_LEN(sizeof(struct nl80211_txrate_he)),
408 	[NL80211_TXRATE_HE_GI] =  NLA_POLICY_RANGE(NLA_U8,
409 						   NL80211_RATE_INFO_HE_GI_0_8,
410 						   NL80211_RATE_INFO_HE_GI_3_2),
411 	[NL80211_TXRATE_HE_LTF] = NLA_POLICY_RANGE(NLA_U8,
412 						   NL80211_RATE_INFO_HE_1XLTF,
413 						   NL80211_RATE_INFO_HE_4XLTF),
414 	[NL80211_TXRATE_EHT] = NLA_POLICY_EXACT_LEN(sizeof(struct nl80211_txrate_eht)),
415 	[NL80211_TXRATE_EHT_GI] =  NLA_POLICY_RANGE(NLA_U8,
416 						   NL80211_RATE_INFO_EHT_GI_0_8,
417 						   NL80211_RATE_INFO_EHT_GI_3_2),
418 	[NL80211_TXRATE_EHT_LTF] = NLA_POLICY_RANGE(NLA_U8,
419 						   NL80211_RATE_INFO_EHT_1XLTF,
420 						   NL80211_RATE_INFO_EHT_8XLTF),
421 
422 };
423 
424 static const struct nla_policy
425 nl80211_tid_config_attr_policy[NL80211_TID_CONFIG_ATTR_MAX + 1] = {
426 	[NL80211_TID_CONFIG_ATTR_VIF_SUPP] = { .type = NLA_U64 },
427 	[NL80211_TID_CONFIG_ATTR_PEER_SUPP] = { .type = NLA_U64 },
428 	[NL80211_TID_CONFIG_ATTR_OVERRIDE] = { .type = NLA_FLAG },
429 	[NL80211_TID_CONFIG_ATTR_TIDS] = NLA_POLICY_RANGE(NLA_U16, 1, 0xff),
430 	[NL80211_TID_CONFIG_ATTR_NOACK] =
431 			NLA_POLICY_MAX(NLA_U8, NL80211_TID_CONFIG_DISABLE),
432 	[NL80211_TID_CONFIG_ATTR_RETRY_SHORT] = NLA_POLICY_MIN(NLA_U8, 1),
433 	[NL80211_TID_CONFIG_ATTR_RETRY_LONG] = NLA_POLICY_MIN(NLA_U8, 1),
434 	[NL80211_TID_CONFIG_ATTR_AMPDU_CTRL] =
435 			NLA_POLICY_MAX(NLA_U8, NL80211_TID_CONFIG_DISABLE),
436 	[NL80211_TID_CONFIG_ATTR_RTSCTS_CTRL] =
437 			NLA_POLICY_MAX(NLA_U8, NL80211_TID_CONFIG_DISABLE),
438 	[NL80211_TID_CONFIG_ATTR_AMSDU_CTRL] =
439 			NLA_POLICY_MAX(NLA_U8, NL80211_TID_CONFIG_DISABLE),
440 	[NL80211_TID_CONFIG_ATTR_TX_RATE_TYPE] =
441 			NLA_POLICY_MAX(NLA_U8, NL80211_TX_RATE_FIXED),
442 	[NL80211_TID_CONFIG_ATTR_TX_RATE] =
443 			NLA_POLICY_NESTED(nl80211_txattr_policy),
444 };
445 
446 static const struct nla_policy
447 nl80211_fils_discovery_policy[NL80211_FILS_DISCOVERY_ATTR_MAX + 1] = {
448 	[NL80211_FILS_DISCOVERY_ATTR_INT_MIN] = NLA_POLICY_MAX(NLA_U32, 10000),
449 	[NL80211_FILS_DISCOVERY_ATTR_INT_MAX] = NLA_POLICY_MAX(NLA_U32, 10000),
450 	[NL80211_FILS_DISCOVERY_ATTR_TMPL] =
451 			NLA_POLICY_RANGE(NLA_BINARY,
452 					 NL80211_FILS_DISCOVERY_TMPL_MIN_LEN,
453 					 IEEE80211_MAX_DATA_LEN),
454 };
455 
456 static const struct nla_policy
457 nl80211_unsol_bcast_probe_resp_policy[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_MAX + 1] = {
458 	[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_INT] = NLA_POLICY_MAX(NLA_U32, 20),
459 	[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_TMPL] = { .type = NLA_BINARY,
460 						       .len = IEEE80211_MAX_DATA_LEN }
461 };
462 
463 static const struct nla_policy
464 sar_specs_policy[NL80211_SAR_ATTR_SPECS_MAX + 1] = {
465 	[NL80211_SAR_ATTR_SPECS_POWER] = { .type = NLA_S32 },
466 	[NL80211_SAR_ATTR_SPECS_RANGE_INDEX] = {.type = NLA_U32 },
467 };
468 
469 static const struct nla_policy
470 sar_policy[NL80211_SAR_ATTR_MAX + 1] = {
471 	[NL80211_SAR_ATTR_TYPE] = NLA_POLICY_MAX(NLA_U32, NUM_NL80211_SAR_TYPE),
472 	[NL80211_SAR_ATTR_SPECS] = NLA_POLICY_NESTED_ARRAY(sar_specs_policy),
473 };
474 
475 static const struct nla_policy
476 nl80211_mbssid_config_policy[NL80211_MBSSID_CONFIG_ATTR_MAX + 1] = {
477 	[NL80211_MBSSID_CONFIG_ATTR_MAX_INTERFACES] = NLA_POLICY_MIN(NLA_U8, 2),
478 	[NL80211_MBSSID_CONFIG_ATTR_MAX_EMA_PROFILE_PERIODICITY] =
479 						NLA_POLICY_MIN(NLA_U8, 1),
480 	[NL80211_MBSSID_CONFIG_ATTR_INDEX] = { .type = NLA_U8 },
481 	[NL80211_MBSSID_CONFIG_ATTR_TX_IFINDEX] = { .type = NLA_U32 },
482 	[NL80211_MBSSID_CONFIG_ATTR_EMA] = { .type = NLA_FLAG },
483 	[NL80211_MBSSID_CONFIG_ATTR_TX_LINK_ID] =
484 		NLA_POLICY_MAX(NLA_U8, IEEE80211_MLD_MAX_NUM_LINKS),
485 };
486 
487 static const struct nla_policy
488 nl80211_sta_wme_policy[NL80211_STA_WME_MAX + 1] = {
489 	[NL80211_STA_WME_UAPSD_QUEUES] = { .type = NLA_U8 },
490 	[NL80211_STA_WME_MAX_SP] = { .type = NLA_U8 },
491 };
492 
493 static const struct nla_policy
494 nl80211_s1g_short_beacon[NL80211_S1G_SHORT_BEACON_ATTR_MAX + 1] = {
495 	[NL80211_S1G_SHORT_BEACON_ATTR_HEAD] =
496 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_beacon_head,
497 				       IEEE80211_MAX_DATA_LEN),
498 	[NL80211_S1G_SHORT_BEACON_ATTR_TAIL] =
499 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_ie_attr,
500 				       IEEE80211_MAX_DATA_LEN),
501 };
502 
503 static const struct netlink_range_validation nl80211_punct_bitmap_range = {
504 	.min = 0,
505 	.max = 0xffff,
506 };
507 
508 static const struct netlink_range_validation q_range = {
509 	.max = INT_MAX,
510 };
511 
512 static const struct nla_policy nl80211_policy[NUM_NL80211_ATTR] = {
513 	[0] = { .strict_start_type = NL80211_ATTR_HE_OBSS_PD },
514 	[NL80211_ATTR_WIPHY] = { .type = NLA_U32 },
515 	[NL80211_ATTR_WIPHY_NAME] = { .type = NLA_NUL_STRING,
516 				      .len = 20-1 },
517 	[NL80211_ATTR_WIPHY_TXQ_PARAMS] = { .type = NLA_NESTED },
518 
519 	[NL80211_ATTR_WIPHY_FREQ] = { .type = NLA_U32 },
520 	[NL80211_ATTR_WIPHY_CHANNEL_TYPE] = { .type = NLA_U32 },
521 	[NL80211_ATTR_WIPHY_EDMG_CHANNELS] = NLA_POLICY_RANGE(NLA_U8,
522 						NL80211_EDMG_CHANNELS_MIN,
523 						NL80211_EDMG_CHANNELS_MAX),
524 	[NL80211_ATTR_WIPHY_EDMG_BW_CONFIG] = NLA_POLICY_RANGE(NLA_U8,
525 						NL80211_EDMG_BW_CONFIG_MIN,
526 						NL80211_EDMG_BW_CONFIG_MAX),
527 
528 	[NL80211_ATTR_CHANNEL_WIDTH] = { .type = NLA_U32 },
529 	[NL80211_ATTR_CENTER_FREQ1] = { .type = NLA_U32 },
530 	[NL80211_ATTR_CENTER_FREQ1_OFFSET] = NLA_POLICY_RANGE(NLA_U32, 0, 999),
531 	[NL80211_ATTR_CENTER_FREQ2] = { .type = NLA_U32 },
532 
533 	[NL80211_ATTR_WIPHY_RETRY_SHORT] = NLA_POLICY_MIN(NLA_U8, 1),
534 	[NL80211_ATTR_WIPHY_RETRY_LONG] = NLA_POLICY_MIN(NLA_U8, 1),
535 	[NL80211_ATTR_WIPHY_FRAG_THRESHOLD] = { .type = NLA_U32 },
536 	[NL80211_ATTR_WIPHY_RTS_THRESHOLD] = { .type = NLA_U32 },
537 	[NL80211_ATTR_WIPHY_COVERAGE_CLASS] = { .type = NLA_U8 },
538 	[NL80211_ATTR_WIPHY_DYN_ACK] = { .type = NLA_FLAG },
539 
540 	[NL80211_ATTR_IFTYPE] = NLA_POLICY_MAX(NLA_U32, NL80211_IFTYPE_MAX),
541 	[NL80211_ATTR_IFINDEX] = { .type = NLA_U32 },
542 	[NL80211_ATTR_IFNAME] = { .type = NLA_NUL_STRING, .len = IFNAMSIZ-1 },
543 
544 	[NL80211_ATTR_MAC] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
545 	[NL80211_ATTR_PREV_BSSID] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
546 
547 	[NL80211_ATTR_KEY] = { .type = NLA_NESTED, },
548 	[NL80211_ATTR_KEY_DATA] = { .type = NLA_BINARY,
549 				    .len = WLAN_MAX_KEY_LEN },
550 	[NL80211_ATTR_KEY_IDX] = NLA_POLICY_MAX(NLA_U8, 7),
551 	[NL80211_ATTR_KEY_CIPHER] = { .type = NLA_U32 },
552 	[NL80211_ATTR_KEY_DEFAULT] = { .type = NLA_FLAG },
553 	[NL80211_ATTR_KEY_SEQ] = { .type = NLA_BINARY, .len = 16 },
554 	[NL80211_ATTR_KEY_TYPE] =
555 		NLA_POLICY_MAX(NLA_U32, NUM_NL80211_KEYTYPES),
556 
557 	[NL80211_ATTR_BEACON_INTERVAL] = { .type = NLA_U32 },
558 	[NL80211_ATTR_DTIM_PERIOD] = { .type = NLA_U32 },
559 	[NL80211_ATTR_BEACON_HEAD] =
560 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_beacon_head,
561 				       IEEE80211_MAX_DATA_LEN),
562 	[NL80211_ATTR_BEACON_TAIL] =
563 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_ie_attr,
564 				       IEEE80211_MAX_DATA_LEN),
565 	[NL80211_ATTR_STA_AID] =
566 		NLA_POLICY_RANGE(NLA_U16, 1, IEEE80211_MAX_AID),
567 	[NL80211_ATTR_STA_FLAGS] = { .type = NLA_NESTED },
568 	[NL80211_ATTR_STA_LISTEN_INTERVAL] = { .type = NLA_U16 },
569 	[NL80211_ATTR_STA_SUPPORTED_RATES] = { .type = NLA_BINARY,
570 					       .len = NL80211_MAX_SUPP_RATES },
571 	[NL80211_ATTR_STA_PLINK_ACTION] =
572 		NLA_POLICY_MAX(NLA_U8, NUM_NL80211_PLINK_ACTIONS - 1),
573 	[NL80211_ATTR_STA_TX_POWER_SETTING] =
574 		NLA_POLICY_RANGE(NLA_U8,
575 				 NL80211_TX_POWER_AUTOMATIC,
576 				 NL80211_TX_POWER_FIXED),
577 	[NL80211_ATTR_STA_TX_POWER] = { .type = NLA_S16 },
578 	[NL80211_ATTR_STA_VLAN] = { .type = NLA_U32 },
579 	[NL80211_ATTR_MNTR_FLAGS] = { /* NLA_NESTED can't be empty */ },
580 	[NL80211_ATTR_MESH_ID] = { .type = NLA_BINARY,
581 				   .len = IEEE80211_MAX_MESH_ID_LEN },
582 	[NL80211_ATTR_MPATH_NEXT_HOP] = NLA_POLICY_ETH_ADDR_COMPAT,
583 
584 	/* allow 3 for NUL-termination, we used to declare this NLA_STRING */
585 	[NL80211_ATTR_REG_ALPHA2] = NLA_POLICY_RANGE(NLA_BINARY, 2, 3),
586 	[NL80211_ATTR_REG_RULES] = { .type = NLA_NESTED },
587 
588 	[NL80211_ATTR_BSS_CTS_PROT] = { .type = NLA_U8 },
589 	[NL80211_ATTR_BSS_SHORT_PREAMBLE] = { .type = NLA_U8 },
590 	[NL80211_ATTR_BSS_SHORT_SLOT_TIME] = { .type = NLA_U8 },
591 	[NL80211_ATTR_BSS_BASIC_RATES] = { .type = NLA_BINARY,
592 					   .len = NL80211_MAX_SUPP_RATES },
593 	[NL80211_ATTR_BSS_HT_OPMODE] = { .type = NLA_U16 },
594 
595 	[NL80211_ATTR_MESH_CONFIG] = { .type = NLA_NESTED },
596 	[NL80211_ATTR_SUPPORT_MESH_AUTH] = { .type = NLA_FLAG },
597 
598 	[NL80211_ATTR_HT_CAPABILITY] = NLA_POLICY_EXACT_LEN_WARN(NL80211_HT_CAPABILITY_LEN),
599 
600 	[NL80211_ATTR_MGMT_SUBTYPE] = { .type = NLA_U8 },
601 	[NL80211_ATTR_IE] = NLA_POLICY_VALIDATE_FN(NLA_BINARY,
602 						   validate_ie_attr,
603 						   IEEE80211_MAX_DATA_LEN),
604 	[NL80211_ATTR_SCAN_FREQUENCIES] = { .type = NLA_NESTED },
605 	[NL80211_ATTR_SCAN_SSIDS] = { .type = NLA_NESTED },
606 
607 	[NL80211_ATTR_SSID] = { .type = NLA_BINARY,
608 				.len = IEEE80211_MAX_SSID_LEN },
609 	[NL80211_ATTR_AUTH_TYPE] = { .type = NLA_U32 },
610 	[NL80211_ATTR_REASON_CODE] = { .type = NLA_U16 },
611 	[NL80211_ATTR_FREQ_FIXED] = { .type = NLA_FLAG },
612 	[NL80211_ATTR_TIMED_OUT] = { .type = NLA_FLAG },
613 	[NL80211_ATTR_USE_MFP] = NLA_POLICY_RANGE(NLA_U32,
614 						  NL80211_MFP_NO,
615 						  NL80211_MFP_OPTIONAL),
616 	[NL80211_ATTR_STA_FLAGS2] =
617 		NLA_POLICY_EXACT_LEN_WARN(sizeof(struct nl80211_sta_flag_update)),
618 	[NL80211_ATTR_CONTROL_PORT] = { .type = NLA_FLAG },
619 	[NL80211_ATTR_CONTROL_PORT_ETHERTYPE] = { .type = NLA_U16 },
620 	[NL80211_ATTR_CONTROL_PORT_NO_ENCRYPT] = { .type = NLA_FLAG },
621 	[NL80211_ATTR_CONTROL_PORT_OVER_NL80211] = { .type = NLA_FLAG },
622 	[NL80211_ATTR_PRIVACY] = { .type = NLA_FLAG },
623 	[NL80211_ATTR_STATUS_CODE] = { .type = NLA_U16 },
624 	[NL80211_ATTR_CIPHER_SUITE_GROUP] = { .type = NLA_U32 },
625 	[NL80211_ATTR_WPA_VERSIONS] =
626 		NLA_POLICY_RANGE(NLA_U32, 0,
627 				 NL80211_WPA_VERSION_1 |
628 				 NL80211_WPA_VERSION_2 |
629 				 NL80211_WPA_VERSION_3),
630 	[NL80211_ATTR_PID] = { .type = NLA_U32 },
631 	[NL80211_ATTR_4ADDR] = { .type = NLA_U8 },
632 	[NL80211_ATTR_PMKID] = NLA_POLICY_EXACT_LEN_WARN(WLAN_PMKID_LEN),
633 	[NL80211_ATTR_DURATION] = { .type = NLA_U32 },
634 	[NL80211_ATTR_COOKIE] = { .type = NLA_U64 },
635 	[NL80211_ATTR_TX_RATES] = { .type = NLA_NESTED },
636 	[NL80211_ATTR_FRAME] = { .type = NLA_BINARY,
637 				 .len = IEEE80211_MAX_DATA_LEN },
638 	[NL80211_ATTR_FRAME_MATCH] = { .type = NLA_BINARY, },
639 	[NL80211_ATTR_PS_STATE] = NLA_POLICY_RANGE(NLA_U32,
640 						   NL80211_PS_DISABLED,
641 						   NL80211_PS_ENABLED),
642 	[NL80211_ATTR_CQM] = { .type = NLA_NESTED, },
643 	[NL80211_ATTR_LOCAL_STATE_CHANGE] = { .type = NLA_FLAG },
644 	[NL80211_ATTR_AP_ISOLATE] = { .type = NLA_U8 },
645 	[NL80211_ATTR_WIPHY_TX_POWER_SETTING] = { .type = NLA_U32 },
646 	[NL80211_ATTR_WIPHY_TX_POWER_LEVEL] = { .type = NLA_U32 },
647 	[NL80211_ATTR_FRAME_TYPE] = { .type = NLA_U16 },
648 	[NL80211_ATTR_WIPHY_ANTENNA_TX] = { .type = NLA_U32 },
649 	[NL80211_ATTR_WIPHY_ANTENNA_RX] = { .type = NLA_U32 },
650 	[NL80211_ATTR_MCAST_RATE] = { .type = NLA_U32 },
651 	[NL80211_ATTR_OFFCHANNEL_TX_OK] = { .type = NLA_FLAG },
652 	[NL80211_ATTR_KEY_DEFAULT_TYPES] = { .type = NLA_NESTED },
653 	[NL80211_ATTR_WOWLAN_TRIGGERS] = { .type = NLA_NESTED },
654 	[NL80211_ATTR_STA_PLINK_STATE] =
655 		NLA_POLICY_MAX(NLA_U8, NUM_NL80211_PLINK_STATES - 1),
656 	[NL80211_ATTR_MEASUREMENT_DURATION] = { .type = NLA_U16 },
657 	[NL80211_ATTR_MEASUREMENT_DURATION_MANDATORY] = { .type = NLA_FLAG },
658 	[NL80211_ATTR_MESH_PEER_AID] =
659 		NLA_POLICY_RANGE(NLA_U16, 1, IEEE80211_MAX_AID),
660 	[NL80211_ATTR_SCHED_SCAN_INTERVAL] = { .type = NLA_U32 },
661 	[NL80211_ATTR_REKEY_DATA] = { .type = NLA_NESTED },
662 	[NL80211_ATTR_SCAN_SUPP_RATES] = { .type = NLA_NESTED },
663 	[NL80211_ATTR_HIDDEN_SSID] =
664 		NLA_POLICY_RANGE(NLA_U32,
665 				 NL80211_HIDDEN_SSID_NOT_IN_USE,
666 				 NL80211_HIDDEN_SSID_ZERO_CONTENTS),
667 	[NL80211_ATTR_IE_PROBE_RESP] =
668 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_ie_attr,
669 				       IEEE80211_MAX_DATA_LEN),
670 	[NL80211_ATTR_IE_ASSOC_RESP] =
671 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_ie_attr,
672 				       IEEE80211_MAX_DATA_LEN),
673 	[NL80211_ATTR_ROAM_SUPPORT] = { .type = NLA_FLAG },
674 	[NL80211_ATTR_STA_WME] = NLA_POLICY_NESTED(nl80211_sta_wme_policy),
675 	[NL80211_ATTR_SCHED_SCAN_MATCH] = { .type = NLA_NESTED },
676 	[NL80211_ATTR_TX_NO_CCK_RATE] = { .type = NLA_FLAG },
677 	[NL80211_ATTR_TDLS_ACTION] = { .type = NLA_U8 },
678 	[NL80211_ATTR_TDLS_DIALOG_TOKEN] = { .type = NLA_U8 },
679 	[NL80211_ATTR_TDLS_OPERATION] = { .type = NLA_U8 },
680 	[NL80211_ATTR_TDLS_SUPPORT] = { .type = NLA_FLAG },
681 	[NL80211_ATTR_TDLS_EXTERNAL_SETUP] = { .type = NLA_FLAG },
682 	[NL80211_ATTR_TDLS_INITIATOR] = { .type = NLA_FLAG },
683 	[NL80211_ATTR_DONT_WAIT_FOR_ACK] = { .type = NLA_FLAG },
684 	[NL80211_ATTR_PROBE_RESP] = { .type = NLA_BINARY,
685 				      .len = IEEE80211_MAX_DATA_LEN },
686 	[NL80211_ATTR_DFS_REGION] = { .type = NLA_U8 },
687 	[NL80211_ATTR_DISABLE_HT] = { .type = NLA_FLAG },
688 	[NL80211_ATTR_HT_CAPABILITY_MASK] = {
689 		.len = NL80211_HT_CAPABILITY_LEN
690 	},
691 	[NL80211_ATTR_NOACK_MAP] = { .type = NLA_U16 },
692 	[NL80211_ATTR_INACTIVITY_TIMEOUT] = { .type = NLA_U16 },
693 	[NL80211_ATTR_BG_SCAN_PERIOD] = { .type = NLA_U16 },
694 	[NL80211_ATTR_WDEV] = { .type = NLA_U64 },
695 	[NL80211_ATTR_USER_REG_HINT_TYPE] = { .type = NLA_U32 },
696 
697 	/* need to include at least Auth Transaction and Status Code */
698 	[NL80211_ATTR_AUTH_DATA] = NLA_POLICY_MIN_LEN(4),
699 
700 	[NL80211_ATTR_VHT_CAPABILITY] = NLA_POLICY_EXACT_LEN_WARN(NL80211_VHT_CAPABILITY_LEN),
701 	[NL80211_ATTR_SCAN_FLAGS] = { .type = NLA_U32 },
702 	[NL80211_ATTR_P2P_CTWINDOW] = NLA_POLICY_MAX(NLA_U8, 127),
703 	[NL80211_ATTR_P2P_OPPPS] = NLA_POLICY_MAX(NLA_U8, 1),
704 	[NL80211_ATTR_LOCAL_MESH_POWER_MODE] =
705 		NLA_POLICY_RANGE(NLA_U32,
706 				 NL80211_MESH_POWER_UNKNOWN + 1,
707 				 NL80211_MESH_POWER_MAX),
708 	[NL80211_ATTR_ACL_POLICY] = {. type = NLA_U32 },
709 	[NL80211_ATTR_MAC_ADDRS] = { .type = NLA_NESTED },
710 	[NL80211_ATTR_STA_CAPABILITY] = { .type = NLA_U16 },
711 	[NL80211_ATTR_STA_EXT_CAPABILITY] = { .type = NLA_BINARY, },
712 	[NL80211_ATTR_SPLIT_WIPHY_DUMP] = { .type = NLA_FLAG, },
713 	[NL80211_ATTR_DISABLE_VHT] = { .type = NLA_FLAG },
714 	[NL80211_ATTR_VHT_CAPABILITY_MASK] = {
715 		.len = NL80211_VHT_CAPABILITY_LEN,
716 	},
717 	[NL80211_ATTR_MDID] = { .type = NLA_U16 },
718 	[NL80211_ATTR_IE_RIC] = { .type = NLA_BINARY,
719 				  .len = IEEE80211_MAX_DATA_LEN },
720 	[NL80211_ATTR_CRIT_PROT_ID] = { .type = NLA_U16 },
721 	[NL80211_ATTR_MAX_CRIT_PROT_DURATION] =
722 		NLA_POLICY_MAX(NLA_U16, NL80211_CRIT_PROTO_MAX_DURATION),
723 	[NL80211_ATTR_PEER_AID] =
724 		NLA_POLICY_RANGE(NLA_U16, 1, IEEE80211_MAX_AID),
725 	[NL80211_ATTR_CH_SWITCH_COUNT] = { .type = NLA_U32 },
726 	[NL80211_ATTR_CH_SWITCH_BLOCK_TX] = { .type = NLA_FLAG },
727 	[NL80211_ATTR_CSA_IES] = { .type = NLA_NESTED },
728 	[NL80211_ATTR_CNTDWN_OFFS_BEACON] = { .type = NLA_BINARY },
729 	[NL80211_ATTR_CNTDWN_OFFS_PRESP] = { .type = NLA_BINARY },
730 	[NL80211_ATTR_STA_SUPPORTED_CHANNELS] = NLA_POLICY_MIN_LEN(2),
731 	/*
732 	 * The value of the Length field of the Supported Operating
733 	 * Classes element is between 2 and 253.
734 	 */
735 	[NL80211_ATTR_STA_SUPPORTED_OPER_CLASSES] =
736 		NLA_POLICY_RANGE(NLA_BINARY, 2, 253),
737 	[NL80211_ATTR_HANDLE_DFS] = { .type = NLA_FLAG },
738 	[NL80211_ATTR_OPMODE_NOTIF] = { .type = NLA_U8 },
739 	[NL80211_ATTR_VENDOR_ID] = { .type = NLA_U32 },
740 	[NL80211_ATTR_VENDOR_SUBCMD] = { .type = NLA_U32 },
741 	[NL80211_ATTR_VENDOR_DATA] = { .type = NLA_BINARY },
742 	[NL80211_ATTR_QOS_MAP] = NLA_POLICY_RANGE(NLA_BINARY,
743 						  IEEE80211_QOS_MAP_LEN_MIN,
744 						  IEEE80211_QOS_MAP_LEN_MAX),
745 	[NL80211_ATTR_MAC_HINT] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
746 	[NL80211_ATTR_WIPHY_FREQ_HINT] = { .type = NLA_U32 },
747 	[NL80211_ATTR_TDLS_PEER_CAPABILITY] = { .type = NLA_U32 },
748 	[NL80211_ATTR_SOCKET_OWNER] = { .type = NLA_FLAG },
749 	[NL80211_ATTR_CSA_C_OFFSETS_TX] = { .type = NLA_BINARY },
750 	[NL80211_ATTR_USE_RRM] = { .type = NLA_FLAG },
751 	[NL80211_ATTR_TSID] = NLA_POLICY_MAX(NLA_U8, IEEE80211_NUM_TIDS - 1),
752 	[NL80211_ATTR_USER_PRIO] =
753 		NLA_POLICY_MAX(NLA_U8, IEEE80211_NUM_UPS - 1),
754 	[NL80211_ATTR_ADMITTED_TIME] = { .type = NLA_U16 },
755 	[NL80211_ATTR_SMPS_MODE] = { .type = NLA_U8 },
756 	[NL80211_ATTR_OPER_CLASS] = { .type = NLA_U8 },
757 	[NL80211_ATTR_MAC_MASK] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
758 	[NL80211_ATTR_WIPHY_SELF_MANAGED_REG] = { .type = NLA_FLAG },
759 	[NL80211_ATTR_NETNS_FD] = { .type = NLA_U32 },
760 	[NL80211_ATTR_SCHED_SCAN_DELAY] = { .type = NLA_U32 },
761 	[NL80211_ATTR_REG_INDOOR] = { .type = NLA_FLAG },
762 	[NL80211_ATTR_PBSS] = { .type = NLA_FLAG },
763 	[NL80211_ATTR_BSS_SELECT] = { .type = NLA_NESTED },
764 	[NL80211_ATTR_STA_SUPPORT_P2P_PS] =
765 		NLA_POLICY_MAX(NLA_U8, NUM_NL80211_P2P_PS_STATUS - 1),
766 	[NL80211_ATTR_MU_MIMO_GROUP_DATA] = {
767 		.len = VHT_MUMIMO_GROUPS_DATA_LEN
768 	},
769 	[NL80211_ATTR_MU_MIMO_FOLLOW_MAC_ADDR] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
770 	[NL80211_ATTR_NAN_MASTER_PREF] = NLA_POLICY_MIN(NLA_U8, 1),
771 	[NL80211_ATTR_BANDS] = { .type = NLA_U32 },
772 	[NL80211_ATTR_NAN_FUNC] = { .type = NLA_NESTED },
773 	[NL80211_ATTR_FILS_KEK] = { .type = NLA_BINARY,
774 				    .len = FILS_MAX_KEK_LEN },
775 	[NL80211_ATTR_FILS_NONCES] = NLA_POLICY_EXACT_LEN_WARN(2 * FILS_NONCE_LEN),
776 	[NL80211_ATTR_MULTICAST_TO_UNICAST_ENABLED] = { .type = NLA_FLAG, },
777 	[NL80211_ATTR_BSSID] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
778 	[NL80211_ATTR_SCHED_SCAN_RELATIVE_RSSI] = { .type = NLA_S8 },
779 	[NL80211_ATTR_SCHED_SCAN_RSSI_ADJUST] = {
780 		.len = sizeof(struct nl80211_bss_select_rssi_adjust)
781 	},
782 	[NL80211_ATTR_TIMEOUT_REASON] = { .type = NLA_U32 },
783 	[NL80211_ATTR_FILS_ERP_USERNAME] = { .type = NLA_BINARY,
784 					     .len = FILS_ERP_MAX_USERNAME_LEN },
785 	[NL80211_ATTR_FILS_ERP_REALM] = { .type = NLA_BINARY,
786 					  .len = FILS_ERP_MAX_REALM_LEN },
787 	[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM] = { .type = NLA_U16 },
788 	[NL80211_ATTR_FILS_ERP_RRK] = { .type = NLA_BINARY,
789 					.len = FILS_ERP_MAX_RRK_LEN },
790 	[NL80211_ATTR_FILS_CACHE_ID] = NLA_POLICY_EXACT_LEN_WARN(2),
791 	[NL80211_ATTR_PMK] = { .type = NLA_BINARY, .len = PMK_MAX_LEN },
792 	[NL80211_ATTR_PMKR0_NAME] = NLA_POLICY_EXACT_LEN(WLAN_PMK_NAME_LEN),
793 	[NL80211_ATTR_SCHED_SCAN_MULTI] = { .type = NLA_FLAG },
794 	[NL80211_ATTR_EXTERNAL_AUTH_SUPPORT] = { .type = NLA_FLAG },
795 
796 	[NL80211_ATTR_TXQ_LIMIT] = { .type = NLA_U32 },
797 	[NL80211_ATTR_TXQ_MEMORY_LIMIT] = { .type = NLA_U32 },
798 	[NL80211_ATTR_TXQ_QUANTUM] = NLA_POLICY_FULL_RANGE(NLA_U32, &q_range),
799 	[NL80211_ATTR_HE_CAPABILITY] =
800 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_he_capa,
801 				       NL80211_HE_MAX_CAPABILITY_LEN),
802 	[NL80211_ATTR_FTM_RESPONDER] =
803 		NLA_POLICY_NESTED(nl80211_ftm_responder_policy),
804 	[NL80211_ATTR_TIMEOUT] = NLA_POLICY_MIN(NLA_U32, 1),
805 	[NL80211_ATTR_PEER_MEASUREMENTS] =
806 		NLA_POLICY_NESTED(nl80211_pmsr_attr_policy),
807 	[NL80211_ATTR_AIRTIME_WEIGHT] = NLA_POLICY_MIN(NLA_U16, 1),
808 	[NL80211_ATTR_SAE_PASSWORD] = { .type = NLA_BINARY,
809 					.len = SAE_PASSWORD_MAX_LEN },
810 	[NL80211_ATTR_TWT_RESPONDER] = { .type = NLA_FLAG },
811 	[NL80211_ATTR_HE_OBSS_PD] = NLA_POLICY_NESTED(he_obss_pd_policy),
812 	[NL80211_ATTR_VLAN_ID] = NLA_POLICY_RANGE(NLA_U16, 1, VLAN_N_VID - 2),
813 	[NL80211_ATTR_HE_BSS_COLOR] = NLA_POLICY_NESTED(he_bss_color_policy),
814 	[NL80211_ATTR_TID_CONFIG] =
815 		NLA_POLICY_NESTED_ARRAY(nl80211_tid_config_attr_policy),
816 	[NL80211_ATTR_CONTROL_PORT_NO_PREAUTH] = { .type = NLA_FLAG },
817 	[NL80211_ATTR_PMK_LIFETIME] = NLA_POLICY_MIN(NLA_U32, 1),
818 	[NL80211_ATTR_PMK_REAUTH_THRESHOLD] = NLA_POLICY_RANGE(NLA_U8, 1, 100),
819 	[NL80211_ATTR_RECEIVE_MULTICAST] = { .type = NLA_FLAG },
820 	[NL80211_ATTR_WIPHY_FREQ_OFFSET] = NLA_POLICY_RANGE(NLA_U32, 0, 999),
821 	[NL80211_ATTR_SCAN_FREQ_KHZ] = { .type = NLA_NESTED },
822 	[NL80211_ATTR_HE_6GHZ_CAPABILITY] =
823 		NLA_POLICY_EXACT_LEN(sizeof(struct ieee80211_he_6ghz_capa)),
824 	[NL80211_ATTR_FILS_DISCOVERY] =
825 		NLA_POLICY_NESTED(nl80211_fils_discovery_policy),
826 	[NL80211_ATTR_UNSOL_BCAST_PROBE_RESP] =
827 		NLA_POLICY_NESTED(nl80211_unsol_bcast_probe_resp_policy),
828 	[NL80211_ATTR_S1G_CAPABILITY] =
829 		NLA_POLICY_EXACT_LEN(IEEE80211_S1G_CAPABILITY_LEN),
830 	[NL80211_ATTR_S1G_CAPABILITY_MASK] =
831 		NLA_POLICY_EXACT_LEN(IEEE80211_S1G_CAPABILITY_LEN),
832 	[NL80211_ATTR_SAE_PWE] =
833 		NLA_POLICY_RANGE(NLA_U8, NL80211_SAE_PWE_HUNT_AND_PECK,
834 				 NL80211_SAE_PWE_BOTH),
835 	[NL80211_ATTR_RECONNECT_REQUESTED] = { .type = NLA_REJECT },
836 	[NL80211_ATTR_SAR_SPEC] = NLA_POLICY_NESTED(sar_policy),
837 	[NL80211_ATTR_DISABLE_HE] = { .type = NLA_FLAG },
838 	[NL80211_ATTR_OBSS_COLOR_BITMAP] = { .type = NLA_U64 },
839 	[NL80211_ATTR_COLOR_CHANGE_COUNT] = { .type = NLA_U8 },
840 	[NL80211_ATTR_COLOR_CHANGE_COLOR] = { .type = NLA_U8 },
841 	[NL80211_ATTR_COLOR_CHANGE_ELEMS] = NLA_POLICY_NESTED(nl80211_policy),
842 	[NL80211_ATTR_MBSSID_CONFIG] =
843 			NLA_POLICY_NESTED(nl80211_mbssid_config_policy),
844 	[NL80211_ATTR_MBSSID_ELEMS] = { .type = NLA_NESTED },
845 	[NL80211_ATTR_RADAR_BACKGROUND] = { .type = NLA_FLAG },
846 	[NL80211_ATTR_AP_SETTINGS_FLAGS] = { .type = NLA_U32 },
847 	[NL80211_ATTR_EHT_CAPABILITY] =
848 		NLA_POLICY_RANGE(NLA_BINARY,
849 				 NL80211_EHT_MIN_CAPABILITY_LEN,
850 				 NL80211_EHT_MAX_CAPABILITY_LEN),
851 	[NL80211_ATTR_DISABLE_EHT] = { .type = NLA_FLAG },
852 	[NL80211_ATTR_MLO_LINKS] =
853 		NLA_POLICY_NESTED_ARRAY(nl80211_policy),
854 	[NL80211_ATTR_MLO_LINK_ID] =
855 		NLA_POLICY_RANGE(NLA_U8, 0, IEEE80211_MLD_MAX_NUM_LINKS - 1),
856 	[NL80211_ATTR_MLD_ADDR] = NLA_POLICY_EXACT_LEN(ETH_ALEN),
857 	[NL80211_ATTR_MLO_SUPPORT] = { .type = NLA_FLAG },
858 	[NL80211_ATTR_MAX_NUM_AKM_SUITES] = { .type = NLA_REJECT },
859 	[NL80211_ATTR_EML_CAPABILITY] = { .type = NLA_U16 },
860 	[NL80211_ATTR_PUNCT_BITMAP] =
861 		NLA_POLICY_FULL_RANGE(NLA_U32, &nl80211_punct_bitmap_range),
862 
863 	[NL80211_ATTR_MAX_HW_TIMESTAMP_PEERS] = { .type = NLA_U16 },
864 	[NL80211_ATTR_HW_TIMESTAMP_ENABLED] = { .type = NLA_FLAG },
865 	[NL80211_ATTR_EMA_RNR_ELEMS] = { .type = NLA_NESTED },
866 	[NL80211_ATTR_MLO_LINK_DISABLED] = { .type = NLA_FLAG },
867 	[NL80211_ATTR_BSS_DUMP_INCLUDE_USE_DATA] = { .type = NLA_FLAG },
868 	[NL80211_ATTR_MLO_TTLM_DLINK] = NLA_POLICY_EXACT_LEN(sizeof(u16) * 8),
869 	[NL80211_ATTR_MLO_TTLM_ULINK] = NLA_POLICY_EXACT_LEN(sizeof(u16) * 8),
870 	[NL80211_ATTR_ASSOC_SPP_AMSDU] = { .type = NLA_FLAG },
871 	[NL80211_ATTR_VIF_RADIO_MASK] = { .type = NLA_U32 },
872 	[NL80211_ATTR_SUPPORTED_SELECTORS] =
873 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_supported_selectors,
874 				       NL80211_MAX_SUPP_SELECTORS),
875 	[NL80211_ATTR_MLO_RECONF_REM_LINKS] = { .type = NLA_U16 },
876 	[NL80211_ATTR_EPCS] = { .type = NLA_FLAG },
877 	[NL80211_ATTR_ASSOC_MLD_EXT_CAPA_OPS] = { .type = NLA_U16 },
878 	[NL80211_ATTR_WIPHY_RADIO_INDEX] = { .type = NLA_U8 },
879 	[NL80211_ATTR_S1G_LONG_BEACON_PERIOD] = NLA_POLICY_MIN(NLA_U8, 2),
880 	[NL80211_ATTR_S1G_SHORT_BEACON] =
881 		NLA_POLICY_NESTED(nl80211_s1g_short_beacon),
882 	[NL80211_ATTR_BSS_PARAM] = { .type = NLA_FLAG },
883 };
884 
885 /* policy for the key attributes */
886 static const struct nla_policy nl80211_key_policy[NL80211_KEY_MAX + 1] = {
887 	[NL80211_KEY_DATA] = { .type = NLA_BINARY, .len = WLAN_MAX_KEY_LEN },
888 	[NL80211_KEY_IDX] = { .type = NLA_U8 },
889 	[NL80211_KEY_CIPHER] = { .type = NLA_U32 },
890 	[NL80211_KEY_SEQ] = { .type = NLA_BINARY, .len = 16 },
891 	[NL80211_KEY_DEFAULT] = { .type = NLA_FLAG },
892 	[NL80211_KEY_DEFAULT_MGMT] = { .type = NLA_FLAG },
893 	[NL80211_KEY_TYPE] = NLA_POLICY_MAX(NLA_U32, NUM_NL80211_KEYTYPES - 1),
894 	[NL80211_KEY_DEFAULT_TYPES] = { .type = NLA_NESTED },
895 	[NL80211_KEY_MODE] = NLA_POLICY_RANGE(NLA_U8, 0, NL80211_KEY_SET_TX),
896 };
897 
898 /* policy for the key default flags */
899 static const struct nla_policy
900 nl80211_key_default_policy[NUM_NL80211_KEY_DEFAULT_TYPES] = {
901 	[NL80211_KEY_DEFAULT_TYPE_UNICAST] = { .type = NLA_FLAG },
902 	[NL80211_KEY_DEFAULT_TYPE_MULTICAST] = { .type = NLA_FLAG },
903 };
904 
905 #ifdef CONFIG_PM
906 /* policy for WoWLAN attributes */
907 static const struct nla_policy
908 nl80211_wowlan_policy[NUM_NL80211_WOWLAN_TRIG] = {
909 	[NL80211_WOWLAN_TRIG_ANY] = { .type = NLA_FLAG },
910 	[NL80211_WOWLAN_TRIG_DISCONNECT] = { .type = NLA_FLAG },
911 	[NL80211_WOWLAN_TRIG_MAGIC_PKT] = { .type = NLA_FLAG },
912 	[NL80211_WOWLAN_TRIG_PKT_PATTERN] = { .type = NLA_NESTED },
913 	[NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE] = { .type = NLA_FLAG },
914 	[NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST] = { .type = NLA_FLAG },
915 	[NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE] = { .type = NLA_FLAG },
916 	[NL80211_WOWLAN_TRIG_RFKILL_RELEASE] = { .type = NLA_FLAG },
917 	[NL80211_WOWLAN_TRIG_TCP_CONNECTION] = { .type = NLA_NESTED },
918 	[NL80211_WOWLAN_TRIG_NET_DETECT] = { .type = NLA_NESTED },
919 };
920 
921 static const struct nla_policy
922 nl80211_wowlan_tcp_policy[NUM_NL80211_WOWLAN_TCP] = {
923 	[NL80211_WOWLAN_TCP_SRC_IPV4] = { .type = NLA_U32 },
924 	[NL80211_WOWLAN_TCP_DST_IPV4] = { .type = NLA_U32 },
925 	[NL80211_WOWLAN_TCP_DST_MAC] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
926 	[NL80211_WOWLAN_TCP_SRC_PORT] = { .type = NLA_U16 },
927 	[NL80211_WOWLAN_TCP_DST_PORT] = { .type = NLA_U16 },
928 	[NL80211_WOWLAN_TCP_DATA_PAYLOAD] = NLA_POLICY_MIN_LEN(1),
929 	[NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ] = {
930 		.len = sizeof(struct nl80211_wowlan_tcp_data_seq)
931 	},
932 	[NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN] = {
933 		.len = sizeof(struct nl80211_wowlan_tcp_data_token)
934 	},
935 	[NL80211_WOWLAN_TCP_DATA_INTERVAL] = { .type = NLA_U32 },
936 	[NL80211_WOWLAN_TCP_WAKE_PAYLOAD] = NLA_POLICY_MIN_LEN(1),
937 	[NL80211_WOWLAN_TCP_WAKE_MASK] = NLA_POLICY_MIN_LEN(1),
938 };
939 #endif /* CONFIG_PM */
940 
941 /* policy for coalesce rule attributes */
942 static const struct nla_policy
943 nl80211_coalesce_policy[NUM_NL80211_ATTR_COALESCE_RULE] = {
944 	[NL80211_ATTR_COALESCE_RULE_DELAY] = { .type = NLA_U32 },
945 	[NL80211_ATTR_COALESCE_RULE_CONDITION] =
946 		NLA_POLICY_RANGE(NLA_U32,
947 				 NL80211_COALESCE_CONDITION_MATCH,
948 				 NL80211_COALESCE_CONDITION_NO_MATCH),
949 	[NL80211_ATTR_COALESCE_RULE_PKT_PATTERN] = { .type = NLA_NESTED },
950 };
951 
952 /* policy for GTK rekey offload attributes */
953 static const struct nla_policy
954 nl80211_rekey_policy[NUM_NL80211_REKEY_DATA] = {
955 	[NL80211_REKEY_DATA_KEK] = {
956 		.type = NLA_BINARY,
957 		.len = NL80211_KEK_EXT_LEN
958 	},
959 	[NL80211_REKEY_DATA_KCK] = {
960 		.type = NLA_BINARY,
961 		.len = NL80211_KCK_EXT_LEN_32
962 	},
963 	[NL80211_REKEY_DATA_REPLAY_CTR] = NLA_POLICY_EXACT_LEN(NL80211_REPLAY_CTR_LEN),
964 	[NL80211_REKEY_DATA_AKM] = { .type = NLA_U32 },
965 };
966 
967 static const struct nla_policy
968 nl80211_match_policy[NL80211_SCHED_SCAN_MATCH_ATTR_MAX + 1] = {
969 	[NL80211_SCHED_SCAN_MATCH_ATTR_SSID] = { .type = NLA_BINARY,
970 						 .len = IEEE80211_MAX_SSID_LEN },
971 	[NL80211_SCHED_SCAN_MATCH_ATTR_BSSID] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
972 	[NL80211_SCHED_SCAN_MATCH_ATTR_RSSI] = { .type = NLA_U32 },
973 };
974 
975 static const struct nla_policy
976 nl80211_plan_policy[NL80211_SCHED_SCAN_PLAN_MAX + 1] = {
977 	[NL80211_SCHED_SCAN_PLAN_INTERVAL] = { .type = NLA_U32 },
978 	[NL80211_SCHED_SCAN_PLAN_ITERATIONS] = { .type = NLA_U32 },
979 };
980 
981 static const struct nla_policy
982 nl80211_bss_select_policy[NL80211_BSS_SELECT_ATTR_MAX + 1] = {
983 	[NL80211_BSS_SELECT_ATTR_RSSI] = { .type = NLA_FLAG },
984 	[NL80211_BSS_SELECT_ATTR_BAND_PREF] = { .type = NLA_U32 },
985 	[NL80211_BSS_SELECT_ATTR_RSSI_ADJUST] = {
986 		.len = sizeof(struct nl80211_bss_select_rssi_adjust)
987 	},
988 };
989 
990 /* policy for NAN function attributes */
991 static const struct nla_policy
992 nl80211_nan_func_policy[NL80211_NAN_FUNC_ATTR_MAX + 1] = {
993 	[NL80211_NAN_FUNC_TYPE] =
994 		NLA_POLICY_MAX(NLA_U8, NL80211_NAN_FUNC_MAX_TYPE),
995 	[NL80211_NAN_FUNC_SERVICE_ID] = {
996 				    .len = NL80211_NAN_FUNC_SERVICE_ID_LEN },
997 	[NL80211_NAN_FUNC_PUBLISH_TYPE] = { .type = NLA_U8 },
998 	[NL80211_NAN_FUNC_PUBLISH_BCAST] = { .type = NLA_FLAG },
999 	[NL80211_NAN_FUNC_SUBSCRIBE_ACTIVE] = { .type = NLA_FLAG },
1000 	[NL80211_NAN_FUNC_FOLLOW_UP_ID] = { .type = NLA_U8 },
1001 	[NL80211_NAN_FUNC_FOLLOW_UP_REQ_ID] = { .type = NLA_U8 },
1002 	[NL80211_NAN_FUNC_FOLLOW_UP_DEST] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
1003 	[NL80211_NAN_FUNC_CLOSE_RANGE] = { .type = NLA_FLAG },
1004 	[NL80211_NAN_FUNC_TTL] = { .type = NLA_U32 },
1005 	[NL80211_NAN_FUNC_SERVICE_INFO] = { .type = NLA_BINARY,
1006 			.len = NL80211_NAN_FUNC_SERVICE_SPEC_INFO_MAX_LEN },
1007 	[NL80211_NAN_FUNC_SRF] = { .type = NLA_NESTED },
1008 	[NL80211_NAN_FUNC_RX_MATCH_FILTER] = { .type = NLA_NESTED },
1009 	[NL80211_NAN_FUNC_TX_MATCH_FILTER] = { .type = NLA_NESTED },
1010 	[NL80211_NAN_FUNC_INSTANCE_ID] = { .type = NLA_U8 },
1011 	[NL80211_NAN_FUNC_TERM_REASON] = { .type = NLA_U8 },
1012 };
1013 
1014 /* policy for Service Response Filter attributes */
1015 static const struct nla_policy
1016 nl80211_nan_srf_policy[NL80211_NAN_SRF_ATTR_MAX + 1] = {
1017 	[NL80211_NAN_SRF_INCLUDE] = { .type = NLA_FLAG },
1018 	[NL80211_NAN_SRF_BF] = { .type = NLA_BINARY,
1019 				 .len =  NL80211_NAN_FUNC_SRF_MAX_LEN },
1020 	[NL80211_NAN_SRF_BF_IDX] = { .type = NLA_U8 },
1021 	[NL80211_NAN_SRF_MAC_ADDRS] = { .type = NLA_NESTED },
1022 };
1023 
1024 /* policy for packet pattern attributes */
1025 static const struct nla_policy
1026 nl80211_packet_pattern_policy[MAX_NL80211_PKTPAT + 1] = {
1027 	[NL80211_PKTPAT_MASK] = { .type = NLA_BINARY, },
1028 	[NL80211_PKTPAT_PATTERN] = { .type = NLA_BINARY, },
1029 	[NL80211_PKTPAT_OFFSET] = { .type = NLA_U32 },
1030 };
1031 
1032 static int nl80211_prepare_wdev_dump(struct netlink_callback *cb,
1033 				     struct cfg80211_registered_device **rdev,
1034 				     struct wireless_dev **wdev,
1035 				     struct nlattr **attrbuf)
1036 {
1037 	int err;
1038 
1039 	if (!cb->args[0]) {
1040 		struct nlattr **attrbuf_free = NULL;
1041 
1042 		if (!attrbuf) {
1043 			attrbuf = kcalloc(NUM_NL80211_ATTR, sizeof(*attrbuf),
1044 					  GFP_KERNEL);
1045 			if (!attrbuf)
1046 				return -ENOMEM;
1047 			attrbuf_free = attrbuf;
1048 		}
1049 
1050 		err = nlmsg_parse_deprecated(cb->nlh,
1051 					     GENL_HDRLEN + nl80211_fam.hdrsize,
1052 					     attrbuf, nl80211_fam.maxattr,
1053 					     nl80211_policy, NULL);
1054 		if (err) {
1055 			kfree(attrbuf_free);
1056 			return err;
1057 		}
1058 
1059 		rtnl_lock();
1060 		*wdev = __cfg80211_wdev_from_attrs(NULL, sock_net(cb->skb->sk),
1061 						   attrbuf);
1062 		kfree(attrbuf_free);
1063 		if (IS_ERR(*wdev)) {
1064 			rtnl_unlock();
1065 			return PTR_ERR(*wdev);
1066 		}
1067 		*rdev = wiphy_to_rdev((*wdev)->wiphy);
1068 		mutex_lock(&(*rdev)->wiphy.mtx);
1069 		rtnl_unlock();
1070 		/* 0 is the first index - add 1 to parse only once */
1071 		cb->args[0] = (*rdev)->wiphy_idx + 1;
1072 		cb->args[1] = (*wdev)->identifier;
1073 	} else {
1074 		/* subtract the 1 again here */
1075 		struct wiphy *wiphy;
1076 		struct wireless_dev *tmp;
1077 
1078 		rtnl_lock();
1079 		wiphy = wiphy_idx_to_wiphy(cb->args[0] - 1);
1080 		if (!wiphy) {
1081 			rtnl_unlock();
1082 			return -ENODEV;
1083 		}
1084 		*rdev = wiphy_to_rdev(wiphy);
1085 		*wdev = NULL;
1086 
1087 		list_for_each_entry(tmp, &(*rdev)->wiphy.wdev_list, list) {
1088 			if (tmp->identifier == cb->args[1]) {
1089 				*wdev = tmp;
1090 				break;
1091 			}
1092 		}
1093 
1094 		if (!*wdev) {
1095 			rtnl_unlock();
1096 			return -ENODEV;
1097 		}
1098 		mutex_lock(&(*rdev)->wiphy.mtx);
1099 		rtnl_unlock();
1100 	}
1101 
1102 	return 0;
1103 }
1104 
1105 /* message building helper */
1106 void *nl80211hdr_put(struct sk_buff *skb, u32 portid, u32 seq,
1107 		     int flags, u8 cmd)
1108 {
1109 	/* since there is no private header just add the generic one */
1110 	return genlmsg_put(skb, portid, seq, &nl80211_fam, flags, cmd);
1111 }
1112 
1113 static int nl80211_msg_put_wmm_rules(struct sk_buff *msg,
1114 				     const struct ieee80211_reg_rule *rule)
1115 {
1116 	int j;
1117 	struct nlattr *nl_wmm_rules =
1118 		nla_nest_start_noflag(msg, NL80211_FREQUENCY_ATTR_WMM);
1119 
1120 	if (!nl_wmm_rules)
1121 		goto nla_put_failure;
1122 
1123 	for (j = 0; j < IEEE80211_NUM_ACS; j++) {
1124 		struct nlattr *nl_wmm_rule = nla_nest_start_noflag(msg, j);
1125 
1126 		if (!nl_wmm_rule)
1127 			goto nla_put_failure;
1128 
1129 		if (nla_put_u16(msg, NL80211_WMMR_CW_MIN,
1130 				rule->wmm_rule.client[j].cw_min) ||
1131 		    nla_put_u16(msg, NL80211_WMMR_CW_MAX,
1132 				rule->wmm_rule.client[j].cw_max) ||
1133 		    nla_put_u8(msg, NL80211_WMMR_AIFSN,
1134 			       rule->wmm_rule.client[j].aifsn) ||
1135 		    nla_put_u16(msg, NL80211_WMMR_TXOP,
1136 			        rule->wmm_rule.client[j].cot))
1137 			goto nla_put_failure;
1138 
1139 		nla_nest_end(msg, nl_wmm_rule);
1140 	}
1141 	nla_nest_end(msg, nl_wmm_rules);
1142 
1143 	return 0;
1144 
1145 nla_put_failure:
1146 	return -ENOBUFS;
1147 }
1148 
1149 static int nl80211_msg_put_channel(struct sk_buff *msg, struct wiphy *wiphy,
1150 				   struct ieee80211_channel *chan,
1151 				   bool large)
1152 {
1153 	/* Some channels must be completely excluded from the
1154 	 * list to protect old user-space tools from breaking
1155 	 */
1156 	if (!large && chan->flags &
1157 	    (IEEE80211_CHAN_NO_10MHZ | IEEE80211_CHAN_NO_20MHZ))
1158 		return 0;
1159 	if (!large && chan->freq_offset)
1160 		return 0;
1161 
1162 	if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_FREQ,
1163 			chan->center_freq))
1164 		goto nla_put_failure;
1165 
1166 	if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_OFFSET, chan->freq_offset))
1167 		goto nla_put_failure;
1168 
1169 	if ((chan->flags & IEEE80211_CHAN_PSD) &&
1170 	    nla_put_s8(msg, NL80211_FREQUENCY_ATTR_PSD, chan->psd))
1171 		goto nla_put_failure;
1172 
1173 	if ((chan->flags & IEEE80211_CHAN_DISABLED) &&
1174 	    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_DISABLED))
1175 		goto nla_put_failure;
1176 	if (chan->flags & IEEE80211_CHAN_NO_IR) {
1177 		if (nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_IR))
1178 			goto nla_put_failure;
1179 		if (nla_put_flag(msg, __NL80211_FREQUENCY_ATTR_NO_IBSS))
1180 			goto nla_put_failure;
1181 	}
1182 	if (chan->flags & IEEE80211_CHAN_RADAR) {
1183 		if (nla_put_flag(msg, NL80211_FREQUENCY_ATTR_RADAR))
1184 			goto nla_put_failure;
1185 		if (large) {
1186 			u32 time;
1187 
1188 			time = elapsed_jiffies_msecs(chan->dfs_state_entered);
1189 
1190 			if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_DFS_STATE,
1191 					chan->dfs_state))
1192 				goto nla_put_failure;
1193 			if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_DFS_TIME,
1194 					time))
1195 				goto nla_put_failure;
1196 			if (nla_put_u32(msg,
1197 					NL80211_FREQUENCY_ATTR_DFS_CAC_TIME,
1198 					chan->dfs_cac_ms))
1199 				goto nla_put_failure;
1200 		}
1201 	}
1202 
1203 	if (large) {
1204 		if ((chan->flags & IEEE80211_CHAN_NO_HT40MINUS) &&
1205 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_HT40_MINUS))
1206 			goto nla_put_failure;
1207 		if ((chan->flags & IEEE80211_CHAN_NO_HT40PLUS) &&
1208 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_HT40_PLUS))
1209 			goto nla_put_failure;
1210 		if ((chan->flags & IEEE80211_CHAN_NO_80MHZ) &&
1211 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_80MHZ))
1212 			goto nla_put_failure;
1213 		if ((chan->flags & IEEE80211_CHAN_NO_160MHZ) &&
1214 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_160MHZ))
1215 			goto nla_put_failure;
1216 		if ((chan->flags & IEEE80211_CHAN_INDOOR_ONLY) &&
1217 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_INDOOR_ONLY))
1218 			goto nla_put_failure;
1219 		if ((chan->flags & IEEE80211_CHAN_IR_CONCURRENT) &&
1220 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_IR_CONCURRENT))
1221 			goto nla_put_failure;
1222 		if ((chan->flags & IEEE80211_CHAN_NO_20MHZ) &&
1223 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_20MHZ))
1224 			goto nla_put_failure;
1225 		if ((chan->flags & IEEE80211_CHAN_NO_10MHZ) &&
1226 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_10MHZ))
1227 			goto nla_put_failure;
1228 		if ((chan->flags & IEEE80211_CHAN_NO_HE) &&
1229 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_HE))
1230 			goto nla_put_failure;
1231 		if ((chan->flags & IEEE80211_CHAN_1MHZ) &&
1232 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_1MHZ))
1233 			goto nla_put_failure;
1234 		if ((chan->flags & IEEE80211_CHAN_2MHZ) &&
1235 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_2MHZ))
1236 			goto nla_put_failure;
1237 		if ((chan->flags & IEEE80211_CHAN_4MHZ) &&
1238 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_4MHZ))
1239 			goto nla_put_failure;
1240 		if ((chan->flags & IEEE80211_CHAN_8MHZ) &&
1241 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_8MHZ))
1242 			goto nla_put_failure;
1243 		if ((chan->flags & IEEE80211_CHAN_16MHZ) &&
1244 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_16MHZ))
1245 			goto nla_put_failure;
1246 		if ((chan->flags & IEEE80211_CHAN_NO_320MHZ) &&
1247 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_320MHZ))
1248 			goto nla_put_failure;
1249 		if ((chan->flags & IEEE80211_CHAN_NO_EHT) &&
1250 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_EHT))
1251 			goto nla_put_failure;
1252 		if ((chan->flags & IEEE80211_CHAN_DFS_CONCURRENT) &&
1253 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_DFS_CONCURRENT))
1254 			goto nla_put_failure;
1255 		if ((chan->flags & IEEE80211_CHAN_NO_6GHZ_VLP_CLIENT) &&
1256 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_6GHZ_VLP_CLIENT))
1257 			goto nla_put_failure;
1258 		if ((chan->flags & IEEE80211_CHAN_NO_6GHZ_AFC_CLIENT) &&
1259 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_6GHZ_AFC_CLIENT))
1260 			goto nla_put_failure;
1261 		if ((chan->flags & IEEE80211_CHAN_CAN_MONITOR) &&
1262 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_CAN_MONITOR))
1263 			goto nla_put_failure;
1264 		if ((chan->flags & IEEE80211_CHAN_ALLOW_6GHZ_VLP_AP) &&
1265 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_ALLOW_6GHZ_VLP_AP))
1266 			goto nla_put_failure;
1267 		if ((chan->flags & IEEE80211_CHAN_ALLOW_20MHZ_ACTIVITY) &&
1268 		    nla_put_flag(msg,
1269 				 NL80211_FREQUENCY_ATTR_ALLOW_20MHZ_ACTIVITY))
1270 			goto nla_put_failure;
1271 	}
1272 
1273 	if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_MAX_TX_POWER,
1274 			DBM_TO_MBM(chan->max_power)))
1275 		goto nla_put_failure;
1276 
1277 	if (large) {
1278 		const struct ieee80211_reg_rule *rule =
1279 			freq_reg_info(wiphy, MHZ_TO_KHZ(chan->center_freq));
1280 
1281 		if (!IS_ERR_OR_NULL(rule) && rule->has_wmm) {
1282 			if (nl80211_msg_put_wmm_rules(msg, rule))
1283 				goto nla_put_failure;
1284 		}
1285 	}
1286 
1287 	return 0;
1288 
1289  nla_put_failure:
1290 	return -ENOBUFS;
1291 }
1292 
1293 static bool nl80211_put_txq_stats(struct sk_buff *msg,
1294 				  struct cfg80211_txq_stats *txqstats,
1295 				  int attrtype)
1296 {
1297 	struct nlattr *txqattr;
1298 
1299 #define PUT_TXQVAL_U32(attr, memb) do {					  \
1300 	if (txqstats->filled & BIT(NL80211_TXQ_STATS_ ## attr) &&	  \
1301 	    nla_put_u32(msg, NL80211_TXQ_STATS_ ## attr, txqstats->memb)) \
1302 		return false;						  \
1303 	} while (0)
1304 
1305 	txqattr = nla_nest_start_noflag(msg, attrtype);
1306 	if (!txqattr)
1307 		return false;
1308 
1309 	PUT_TXQVAL_U32(BACKLOG_BYTES, backlog_bytes);
1310 	PUT_TXQVAL_U32(BACKLOG_PACKETS, backlog_packets);
1311 	PUT_TXQVAL_U32(FLOWS, flows);
1312 	PUT_TXQVAL_U32(DROPS, drops);
1313 	PUT_TXQVAL_U32(ECN_MARKS, ecn_marks);
1314 	PUT_TXQVAL_U32(OVERLIMIT, overlimit);
1315 	PUT_TXQVAL_U32(OVERMEMORY, overmemory);
1316 	PUT_TXQVAL_U32(COLLISIONS, collisions);
1317 	PUT_TXQVAL_U32(TX_BYTES, tx_bytes);
1318 	PUT_TXQVAL_U32(TX_PACKETS, tx_packets);
1319 	PUT_TXQVAL_U32(MAX_FLOWS, max_flows);
1320 	nla_nest_end(msg, txqattr);
1321 
1322 #undef PUT_TXQVAL_U32
1323 	return true;
1324 }
1325 
1326 /* netlink command implementations */
1327 
1328 /**
1329  * nl80211_link_id - return link ID
1330  * @attrs: attributes to look at
1331  *
1332  * Returns: the link ID or 0 if not given
1333  *
1334  * Note this function doesn't do any validation of the link
1335  * ID validity wrt. links that were actually added, so it must
1336  * be called only from ops with %NL80211_FLAG_MLO_VALID_LINK_ID
1337  * or if additional validation is done.
1338  */
1339 static unsigned int nl80211_link_id(struct nlattr **attrs)
1340 {
1341 	struct nlattr *linkid = attrs[NL80211_ATTR_MLO_LINK_ID];
1342 
1343 	return nla_get_u8_default(linkid, 0);
1344 }
1345 
1346 static int nl80211_link_id_or_invalid(struct nlattr **attrs)
1347 {
1348 	struct nlattr *linkid = attrs[NL80211_ATTR_MLO_LINK_ID];
1349 
1350 	if (!linkid)
1351 		return -1;
1352 
1353 	return nla_get_u8(linkid);
1354 }
1355 
1356 struct key_parse {
1357 	struct key_params p;
1358 	int idx;
1359 	int type;
1360 	bool def, defmgmt, defbeacon;
1361 	bool def_uni, def_multi;
1362 };
1363 
1364 static int nl80211_parse_key_new(struct genl_info *info, struct nlattr *key,
1365 				 struct key_parse *k)
1366 {
1367 	struct nlattr *tb[NL80211_KEY_MAX + 1];
1368 	int err = nla_parse_nested_deprecated(tb, NL80211_KEY_MAX, key,
1369 					      nl80211_key_policy,
1370 					      info->extack);
1371 	if (err)
1372 		return err;
1373 
1374 	k->def = !!tb[NL80211_KEY_DEFAULT];
1375 	k->defmgmt = !!tb[NL80211_KEY_DEFAULT_MGMT];
1376 	k->defbeacon = !!tb[NL80211_KEY_DEFAULT_BEACON];
1377 
1378 	if (k->def) {
1379 		k->def_uni = true;
1380 		k->def_multi = true;
1381 	}
1382 	if (k->defmgmt || k->defbeacon)
1383 		k->def_multi = true;
1384 
1385 	if (tb[NL80211_KEY_IDX])
1386 		k->idx = nla_get_u8(tb[NL80211_KEY_IDX]);
1387 
1388 	if (tb[NL80211_KEY_DATA]) {
1389 		k->p.key = nla_data(tb[NL80211_KEY_DATA]);
1390 		k->p.key_len = nla_len(tb[NL80211_KEY_DATA]);
1391 	}
1392 
1393 	if (tb[NL80211_KEY_SEQ]) {
1394 		k->p.seq = nla_data(tb[NL80211_KEY_SEQ]);
1395 		k->p.seq_len = nla_len(tb[NL80211_KEY_SEQ]);
1396 	}
1397 
1398 	if (tb[NL80211_KEY_CIPHER])
1399 		k->p.cipher = nla_get_u32(tb[NL80211_KEY_CIPHER]);
1400 
1401 	if (tb[NL80211_KEY_TYPE])
1402 		k->type = nla_get_u32(tb[NL80211_KEY_TYPE]);
1403 
1404 	if (tb[NL80211_KEY_DEFAULT_TYPES]) {
1405 		struct nlattr *kdt[NUM_NL80211_KEY_DEFAULT_TYPES];
1406 
1407 		err = nla_parse_nested_deprecated(kdt,
1408 						  NUM_NL80211_KEY_DEFAULT_TYPES - 1,
1409 						  tb[NL80211_KEY_DEFAULT_TYPES],
1410 						  nl80211_key_default_policy,
1411 						  info->extack);
1412 		if (err)
1413 			return err;
1414 
1415 		k->def_uni = kdt[NL80211_KEY_DEFAULT_TYPE_UNICAST];
1416 		k->def_multi = kdt[NL80211_KEY_DEFAULT_TYPE_MULTICAST];
1417 	}
1418 
1419 	if (tb[NL80211_KEY_MODE])
1420 		k->p.mode = nla_get_u8(tb[NL80211_KEY_MODE]);
1421 
1422 	return 0;
1423 }
1424 
1425 static int nl80211_parse_key_old(struct genl_info *info, struct key_parse *k)
1426 {
1427 	if (info->attrs[NL80211_ATTR_KEY_DATA]) {
1428 		k->p.key = nla_data(info->attrs[NL80211_ATTR_KEY_DATA]);
1429 		k->p.key_len = nla_len(info->attrs[NL80211_ATTR_KEY_DATA]);
1430 	}
1431 
1432 	if (info->attrs[NL80211_ATTR_KEY_SEQ]) {
1433 		k->p.seq = nla_data(info->attrs[NL80211_ATTR_KEY_SEQ]);
1434 		k->p.seq_len = nla_len(info->attrs[NL80211_ATTR_KEY_SEQ]);
1435 	}
1436 
1437 	if (info->attrs[NL80211_ATTR_KEY_IDX])
1438 		k->idx = nla_get_u8(info->attrs[NL80211_ATTR_KEY_IDX]);
1439 
1440 	if (info->attrs[NL80211_ATTR_KEY_CIPHER])
1441 		k->p.cipher = nla_get_u32(info->attrs[NL80211_ATTR_KEY_CIPHER]);
1442 
1443 	k->def = !!info->attrs[NL80211_ATTR_KEY_DEFAULT];
1444 	k->defmgmt = !!info->attrs[NL80211_ATTR_KEY_DEFAULT_MGMT];
1445 
1446 	if (k->def) {
1447 		k->def_uni = true;
1448 		k->def_multi = true;
1449 	}
1450 	if (k->defmgmt)
1451 		k->def_multi = true;
1452 
1453 	if (info->attrs[NL80211_ATTR_KEY_TYPE])
1454 		k->type = nla_get_u32(info->attrs[NL80211_ATTR_KEY_TYPE]);
1455 
1456 	if (info->attrs[NL80211_ATTR_KEY_DEFAULT_TYPES]) {
1457 		struct nlattr *kdt[NUM_NL80211_KEY_DEFAULT_TYPES];
1458 		int err = nla_parse_nested_deprecated(kdt,
1459 						      NUM_NL80211_KEY_DEFAULT_TYPES - 1,
1460 						      info->attrs[NL80211_ATTR_KEY_DEFAULT_TYPES],
1461 						      nl80211_key_default_policy,
1462 						      info->extack);
1463 		if (err)
1464 			return err;
1465 
1466 		k->def_uni = kdt[NL80211_KEY_DEFAULT_TYPE_UNICAST];
1467 		k->def_multi = kdt[NL80211_KEY_DEFAULT_TYPE_MULTICAST];
1468 	}
1469 
1470 	return 0;
1471 }
1472 
1473 static int nl80211_parse_key(struct genl_info *info, struct key_parse *k)
1474 {
1475 	int err;
1476 
1477 	memset(k, 0, sizeof(*k));
1478 	k->idx = -1;
1479 	k->type = -1;
1480 
1481 	if (info->attrs[NL80211_ATTR_KEY])
1482 		err = nl80211_parse_key_new(info, info->attrs[NL80211_ATTR_KEY], k);
1483 	else
1484 		err = nl80211_parse_key_old(info, k);
1485 
1486 	if (err)
1487 		return err;
1488 
1489 	if ((k->def ? 1 : 0) + (k->defmgmt ? 1 : 0) +
1490 	    (k->defbeacon ? 1 : 0) > 1) {
1491 		GENL_SET_ERR_MSG(info,
1492 				 "key with multiple default flags is invalid");
1493 		return -EINVAL;
1494 	}
1495 
1496 	if (k->defmgmt || k->defbeacon) {
1497 		if (k->def_uni || !k->def_multi) {
1498 			GENL_SET_ERR_MSG(info,
1499 					 "defmgmt/defbeacon key must be mcast");
1500 			return -EINVAL;
1501 		}
1502 	}
1503 
1504 	if (k->idx != -1) {
1505 		if (k->defmgmt) {
1506 			if (k->idx < 4 || k->idx > 5) {
1507 				GENL_SET_ERR_MSG(info,
1508 						 "defmgmt key idx not 4 or 5");
1509 				return -EINVAL;
1510 			}
1511 		} else if (k->defbeacon) {
1512 			if (k->idx < 6 || k->idx > 7) {
1513 				GENL_SET_ERR_MSG(info,
1514 						 "defbeacon key idx not 6 or 7");
1515 				return -EINVAL;
1516 			}
1517 		} else if (k->def) {
1518 			if (k->idx < 0 || k->idx > 3) {
1519 				GENL_SET_ERR_MSG(info, "def key idx not 0-3");
1520 				return -EINVAL;
1521 			}
1522 		} else {
1523 			if (k->idx < 0 || k->idx > 7) {
1524 				GENL_SET_ERR_MSG(info, "key idx not 0-7");
1525 				return -EINVAL;
1526 			}
1527 		}
1528 	}
1529 
1530 	return 0;
1531 }
1532 
1533 static struct cfg80211_cached_keys *
1534 nl80211_parse_connkeys(struct cfg80211_registered_device *rdev,
1535 		       struct genl_info *info, bool *no_ht)
1536 {
1537 	struct nlattr *keys = info->attrs[NL80211_ATTR_KEYS];
1538 	struct key_parse parse;
1539 	struct nlattr *key;
1540 	struct cfg80211_cached_keys *result;
1541 	int rem, err, def = 0;
1542 	bool have_key = false;
1543 
1544 	nla_for_each_nested(key, keys, rem) {
1545 		have_key = true;
1546 		break;
1547 	}
1548 
1549 	if (!have_key)
1550 		return NULL;
1551 
1552 	result = kzalloc(sizeof(*result), GFP_KERNEL);
1553 	if (!result)
1554 		return ERR_PTR(-ENOMEM);
1555 
1556 	result->def = -1;
1557 
1558 	nla_for_each_nested(key, keys, rem) {
1559 		memset(&parse, 0, sizeof(parse));
1560 		parse.idx = -1;
1561 
1562 		err = nl80211_parse_key_new(info, key, &parse);
1563 		if (err)
1564 			goto error;
1565 		err = -EINVAL;
1566 		if (!parse.p.key)
1567 			goto error;
1568 		if (parse.idx < 0 || parse.idx > 3) {
1569 			GENL_SET_ERR_MSG(info, "key index out of range [0-3]");
1570 			goto error;
1571 		}
1572 		if (parse.def) {
1573 			if (def) {
1574 				GENL_SET_ERR_MSG(info,
1575 						 "only one key can be default");
1576 				goto error;
1577 			}
1578 			def = 1;
1579 			result->def = parse.idx;
1580 			if (!parse.def_uni || !parse.def_multi)
1581 				goto error;
1582 		} else if (parse.defmgmt)
1583 			goto error;
1584 		err = cfg80211_validate_key_settings(rdev, &parse.p,
1585 						     parse.idx, false, NULL);
1586 		if (err)
1587 			goto error;
1588 		if (parse.p.cipher != WLAN_CIPHER_SUITE_WEP40 &&
1589 		    parse.p.cipher != WLAN_CIPHER_SUITE_WEP104) {
1590 			GENL_SET_ERR_MSG(info, "connect key must be WEP");
1591 			err = -EINVAL;
1592 			goto error;
1593 		}
1594 		result->params[parse.idx].cipher = parse.p.cipher;
1595 		result->params[parse.idx].key_len = parse.p.key_len;
1596 		result->params[parse.idx].key = result->data[parse.idx];
1597 		memcpy(result->data[parse.idx], parse.p.key, parse.p.key_len);
1598 
1599 		/* must be WEP key if we got here */
1600 		if (no_ht)
1601 			*no_ht = true;
1602 	}
1603 
1604 	if (result->def < 0) {
1605 		err = -EINVAL;
1606 		GENL_SET_ERR_MSG(info, "need a default/TX key");
1607 		goto error;
1608 	}
1609 
1610 	return result;
1611  error:
1612 	kfree_sensitive(result);
1613 	return ERR_PTR(err);
1614 }
1615 
1616 static int nl80211_key_allowed(struct wireless_dev *wdev)
1617 {
1618 	lockdep_assert_wiphy(wdev->wiphy);
1619 
1620 	switch (wdev->iftype) {
1621 	case NL80211_IFTYPE_AP:
1622 	case NL80211_IFTYPE_AP_VLAN:
1623 	case NL80211_IFTYPE_P2P_GO:
1624 	case NL80211_IFTYPE_MESH_POINT:
1625 		break;
1626 	case NL80211_IFTYPE_ADHOC:
1627 		if (wdev->u.ibss.current_bss)
1628 			return 0;
1629 		return -ENOLINK;
1630 	case NL80211_IFTYPE_STATION:
1631 	case NL80211_IFTYPE_P2P_CLIENT:
1632 		if (wdev->connected)
1633 			return 0;
1634 		return -ENOLINK;
1635 	case NL80211_IFTYPE_NAN:
1636 		if (wiphy_ext_feature_isset(wdev->wiphy,
1637 					    NL80211_EXT_FEATURE_SECURE_NAN))
1638 			return 0;
1639 		return -EINVAL;
1640 	case NL80211_IFTYPE_UNSPECIFIED:
1641 	case NL80211_IFTYPE_OCB:
1642 	case NL80211_IFTYPE_MONITOR:
1643 	case NL80211_IFTYPE_P2P_DEVICE:
1644 	case NL80211_IFTYPE_WDS:
1645 	case NUM_NL80211_IFTYPES:
1646 		return -EINVAL;
1647 	}
1648 
1649 	return 0;
1650 }
1651 
1652 static struct ieee80211_channel *nl80211_get_valid_chan(struct wiphy *wiphy,
1653 							u32 freq)
1654 {
1655 	struct ieee80211_channel *chan;
1656 
1657 	chan = ieee80211_get_channel_khz(wiphy, freq);
1658 	if (!chan || chan->flags & IEEE80211_CHAN_DISABLED)
1659 		return NULL;
1660 	return chan;
1661 }
1662 
1663 static int nl80211_put_iftypes(struct sk_buff *msg, u32 attr, u16 ifmodes)
1664 {
1665 	struct nlattr *nl_modes = nla_nest_start_noflag(msg, attr);
1666 	int i;
1667 
1668 	if (!nl_modes)
1669 		goto nla_put_failure;
1670 
1671 	i = 0;
1672 	while (ifmodes) {
1673 		if ((ifmodes & 1) && nla_put_flag(msg, i))
1674 			goto nla_put_failure;
1675 		ifmodes >>= 1;
1676 		i++;
1677 	}
1678 
1679 	nla_nest_end(msg, nl_modes);
1680 	return 0;
1681 
1682 nla_put_failure:
1683 	return -ENOBUFS;
1684 }
1685 
1686 static int nl80211_put_ifcomb_data(struct sk_buff *msg, bool large, int idx,
1687 				   const struct ieee80211_iface_combination *c,
1688 				   u16 nested)
1689 {
1690 	struct nlattr *nl_combi, *nl_limits;
1691 	int i;
1692 
1693 	nl_combi = nla_nest_start_noflag(msg, idx | nested);
1694 	if (!nl_combi)
1695 		goto nla_put_failure;
1696 
1697 	nl_limits = nla_nest_start_noflag(msg, NL80211_IFACE_COMB_LIMITS |
1698 					       nested);
1699 	if (!nl_limits)
1700 		goto nla_put_failure;
1701 
1702 	for (i = 0; i < c->n_limits; i++) {
1703 		struct nlattr *nl_limit;
1704 
1705 		nl_limit = nla_nest_start_noflag(msg, i + 1);
1706 		if (!nl_limit)
1707 			goto nla_put_failure;
1708 		if (nla_put_u32(msg, NL80211_IFACE_LIMIT_MAX, c->limits[i].max))
1709 			goto nla_put_failure;
1710 		if (nl80211_put_iftypes(msg, NL80211_IFACE_LIMIT_TYPES,
1711 					c->limits[i].types))
1712 			goto nla_put_failure;
1713 		nla_nest_end(msg, nl_limit);
1714 	}
1715 
1716 	nla_nest_end(msg, nl_limits);
1717 
1718 	if (c->beacon_int_infra_match &&
1719 	    nla_put_flag(msg, NL80211_IFACE_COMB_STA_AP_BI_MATCH))
1720 		goto nla_put_failure;
1721 	if (nla_put_u32(msg, NL80211_IFACE_COMB_NUM_CHANNELS,
1722 			c->num_different_channels) ||
1723 	    nla_put_u32(msg, NL80211_IFACE_COMB_MAXNUM,
1724 			c->max_interfaces))
1725 		goto nla_put_failure;
1726 	if (large &&
1727 	    (nla_put_u32(msg, NL80211_IFACE_COMB_RADAR_DETECT_WIDTHS,
1728 			c->radar_detect_widths) ||
1729 	     nla_put_u32(msg, NL80211_IFACE_COMB_RADAR_DETECT_REGIONS,
1730 			c->radar_detect_regions)))
1731 		goto nla_put_failure;
1732 	if (c->beacon_int_min_gcd &&
1733 	    nla_put_u32(msg, NL80211_IFACE_COMB_BI_MIN_GCD,
1734 			c->beacon_int_min_gcd))
1735 		goto nla_put_failure;
1736 
1737 	nla_nest_end(msg, nl_combi);
1738 
1739 	return 0;
1740 nla_put_failure:
1741 	return -ENOBUFS;
1742 }
1743 
1744 static int nl80211_put_iface_combinations(struct wiphy *wiphy,
1745 					  struct sk_buff *msg,
1746 					  int attr, int radio,
1747 					  bool large, u16 nested)
1748 {
1749 	const struct ieee80211_iface_combination *c;
1750 	struct nlattr *nl_combis;
1751 	int i, n;
1752 
1753 	nl_combis = nla_nest_start_noflag(msg, attr | nested);
1754 	if (!nl_combis)
1755 		goto nla_put_failure;
1756 
1757 	if (radio >= 0) {
1758 		c = wiphy->radio[0].iface_combinations;
1759 		n = wiphy->radio[0].n_iface_combinations;
1760 	} else {
1761 		c = wiphy->iface_combinations;
1762 		n = wiphy->n_iface_combinations;
1763 	}
1764 	for (i = 0; i < n; i++)
1765 		if (nl80211_put_ifcomb_data(msg, large, i + 1, &c[i], nested))
1766 			goto nla_put_failure;
1767 
1768 	nla_nest_end(msg, nl_combis);
1769 
1770 	return 0;
1771 nla_put_failure:
1772 	return -ENOBUFS;
1773 }
1774 
1775 #ifdef CONFIG_PM
1776 static int nl80211_send_wowlan_tcp_caps(struct cfg80211_registered_device *rdev,
1777 					struct sk_buff *msg)
1778 {
1779 	const struct wiphy_wowlan_tcp_support *tcp = rdev->wiphy.wowlan->tcp;
1780 	struct nlattr *nl_tcp;
1781 
1782 	if (!tcp)
1783 		return 0;
1784 
1785 	nl_tcp = nla_nest_start_noflag(msg,
1786 				       NL80211_WOWLAN_TRIG_TCP_CONNECTION);
1787 	if (!nl_tcp)
1788 		return -ENOBUFS;
1789 
1790 	if (nla_put_u32(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD,
1791 			tcp->data_payload_max))
1792 		return -ENOBUFS;
1793 
1794 	if (nla_put_u32(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD,
1795 			tcp->data_payload_max))
1796 		return -ENOBUFS;
1797 
1798 	if (tcp->seq && nla_put_flag(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ))
1799 		return -ENOBUFS;
1800 
1801 	if (tcp->tok && nla_put(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN,
1802 				sizeof(*tcp->tok), tcp->tok))
1803 		return -ENOBUFS;
1804 
1805 	if (nla_put_u32(msg, NL80211_WOWLAN_TCP_DATA_INTERVAL,
1806 			tcp->data_interval_max))
1807 		return -ENOBUFS;
1808 
1809 	if (nla_put_u32(msg, NL80211_WOWLAN_TCP_WAKE_PAYLOAD,
1810 			tcp->wake_payload_max))
1811 		return -ENOBUFS;
1812 
1813 	nla_nest_end(msg, nl_tcp);
1814 	return 0;
1815 }
1816 
1817 static int nl80211_send_wowlan(struct sk_buff *msg,
1818 			       struct cfg80211_registered_device *rdev,
1819 			       bool large)
1820 {
1821 	struct nlattr *nl_wowlan;
1822 
1823 	if (!rdev->wiphy.wowlan)
1824 		return 0;
1825 
1826 	nl_wowlan = nla_nest_start_noflag(msg,
1827 					  NL80211_ATTR_WOWLAN_TRIGGERS_SUPPORTED);
1828 	if (!nl_wowlan)
1829 		return -ENOBUFS;
1830 
1831 	if (((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_ANY) &&
1832 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_ANY)) ||
1833 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_DISCONNECT) &&
1834 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_DISCONNECT)) ||
1835 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_MAGIC_PKT) &&
1836 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_MAGIC_PKT)) ||
1837 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_SUPPORTS_GTK_REKEY) &&
1838 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_GTK_REKEY_SUPPORTED)) ||
1839 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_GTK_REKEY_FAILURE) &&
1840 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE)) ||
1841 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_EAP_IDENTITY_REQ) &&
1842 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST)) ||
1843 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_4WAY_HANDSHAKE) &&
1844 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE)) ||
1845 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_RFKILL_RELEASE) &&
1846 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_RFKILL_RELEASE)))
1847 		return -ENOBUFS;
1848 
1849 	if (rdev->wiphy.wowlan->n_patterns) {
1850 		struct nl80211_pattern_support pat = {
1851 			.max_patterns = rdev->wiphy.wowlan->n_patterns,
1852 			.min_pattern_len = rdev->wiphy.wowlan->pattern_min_len,
1853 			.max_pattern_len = rdev->wiphy.wowlan->pattern_max_len,
1854 			.max_pkt_offset = rdev->wiphy.wowlan->max_pkt_offset,
1855 		};
1856 
1857 		if (nla_put(msg, NL80211_WOWLAN_TRIG_PKT_PATTERN,
1858 			    sizeof(pat), &pat))
1859 			return -ENOBUFS;
1860 	}
1861 
1862 	if ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_NET_DETECT) &&
1863 	    nla_put_u32(msg, NL80211_WOWLAN_TRIG_NET_DETECT,
1864 			rdev->wiphy.wowlan->max_nd_match_sets))
1865 		return -ENOBUFS;
1866 
1867 	if (large && nl80211_send_wowlan_tcp_caps(rdev, msg))
1868 		return -ENOBUFS;
1869 
1870 	nla_nest_end(msg, nl_wowlan);
1871 
1872 	return 0;
1873 }
1874 #endif
1875 
1876 static int nl80211_send_coalesce(struct sk_buff *msg,
1877 				 struct cfg80211_registered_device *rdev)
1878 {
1879 	struct nl80211_coalesce_rule_support rule;
1880 
1881 	if (!rdev->wiphy.coalesce)
1882 		return 0;
1883 
1884 	rule.max_rules = rdev->wiphy.coalesce->n_rules;
1885 	rule.max_delay = rdev->wiphy.coalesce->max_delay;
1886 	rule.pat.max_patterns = rdev->wiphy.coalesce->n_patterns;
1887 	rule.pat.min_pattern_len = rdev->wiphy.coalesce->pattern_min_len;
1888 	rule.pat.max_pattern_len = rdev->wiphy.coalesce->pattern_max_len;
1889 	rule.pat.max_pkt_offset = rdev->wiphy.coalesce->max_pkt_offset;
1890 
1891 	if (nla_put(msg, NL80211_ATTR_COALESCE_RULE, sizeof(rule), &rule))
1892 		return -ENOBUFS;
1893 
1894 	return 0;
1895 }
1896 
1897 static int
1898 nl80211_send_iftype_data(struct sk_buff *msg,
1899 			 const struct ieee80211_supported_band *sband,
1900 			 const struct ieee80211_sband_iftype_data *iftdata)
1901 {
1902 	const struct ieee80211_sta_he_cap *he_cap = &iftdata->he_cap;
1903 	const struct ieee80211_sta_eht_cap *eht_cap = &iftdata->eht_cap;
1904 
1905 	if (nl80211_put_iftypes(msg, NL80211_BAND_IFTYPE_ATTR_IFTYPES,
1906 				iftdata->types_mask))
1907 		return -ENOBUFS;
1908 
1909 	if (he_cap->has_he) {
1910 		if (nla_put(msg, NL80211_BAND_IFTYPE_ATTR_HE_CAP_MAC,
1911 			    sizeof(he_cap->he_cap_elem.mac_cap_info),
1912 			    he_cap->he_cap_elem.mac_cap_info) ||
1913 		    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_HE_CAP_PHY,
1914 			    sizeof(he_cap->he_cap_elem.phy_cap_info),
1915 			    he_cap->he_cap_elem.phy_cap_info) ||
1916 		    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_HE_CAP_MCS_SET,
1917 			    sizeof(he_cap->he_mcs_nss_supp),
1918 			    &he_cap->he_mcs_nss_supp) ||
1919 		    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_HE_CAP_PPE,
1920 			    sizeof(he_cap->ppe_thres), he_cap->ppe_thres))
1921 			return -ENOBUFS;
1922 	}
1923 
1924 	if (eht_cap->has_eht && he_cap->has_he) {
1925 		u8 mcs_nss_size, ppe_thresh_size;
1926 		u16 ppe_thres_hdr;
1927 		bool is_ap;
1928 
1929 		is_ap = iftdata->types_mask & BIT(NL80211_IFTYPE_AP) ||
1930 			iftdata->types_mask & BIT(NL80211_IFTYPE_P2P_GO);
1931 
1932 		mcs_nss_size =
1933 			ieee80211_eht_mcs_nss_size(&he_cap->he_cap_elem,
1934 						   &eht_cap->eht_cap_elem,
1935 						   is_ap);
1936 
1937 		ppe_thres_hdr = get_unaligned_le16(&eht_cap->eht_ppe_thres[0]);
1938 		ppe_thresh_size =
1939 			ieee80211_eht_ppe_size(ppe_thres_hdr,
1940 					       eht_cap->eht_cap_elem.phy_cap_info);
1941 
1942 		if (nla_put(msg, NL80211_BAND_IFTYPE_ATTR_EHT_CAP_MAC,
1943 			    sizeof(eht_cap->eht_cap_elem.mac_cap_info),
1944 			    eht_cap->eht_cap_elem.mac_cap_info) ||
1945 		    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_EHT_CAP_PHY,
1946 			    sizeof(eht_cap->eht_cap_elem.phy_cap_info),
1947 			    eht_cap->eht_cap_elem.phy_cap_info) ||
1948 		    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_EHT_CAP_MCS_SET,
1949 			    mcs_nss_size, &eht_cap->eht_mcs_nss_supp) ||
1950 		    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_EHT_CAP_PPE,
1951 			    ppe_thresh_size, eht_cap->eht_ppe_thres))
1952 			return -ENOBUFS;
1953 	}
1954 
1955 	if (sband->band == NL80211_BAND_6GHZ &&
1956 	    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_HE_6GHZ_CAPA,
1957 		    sizeof(iftdata->he_6ghz_capa),
1958 		    &iftdata->he_6ghz_capa))
1959 		return -ENOBUFS;
1960 
1961 	if (iftdata->vendor_elems.data && iftdata->vendor_elems.len &&
1962 	    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_VENDOR_ELEMS,
1963 		    iftdata->vendor_elems.len, iftdata->vendor_elems.data))
1964 		return -ENOBUFS;
1965 
1966 	return 0;
1967 }
1968 
1969 static int nl80211_send_band_rateinfo(struct sk_buff *msg,
1970 				      struct ieee80211_supported_band *sband,
1971 				      bool large)
1972 {
1973 	struct nlattr *nl_rates, *nl_rate;
1974 	struct ieee80211_rate *rate;
1975 	int i;
1976 
1977 	/* add HT info */
1978 	if (sband->ht_cap.ht_supported &&
1979 	    (nla_put(msg, NL80211_BAND_ATTR_HT_MCS_SET,
1980 		     sizeof(sband->ht_cap.mcs),
1981 		     &sband->ht_cap.mcs) ||
1982 	     nla_put_u16(msg, NL80211_BAND_ATTR_HT_CAPA,
1983 			 sband->ht_cap.cap) ||
1984 	     nla_put_u8(msg, NL80211_BAND_ATTR_HT_AMPDU_FACTOR,
1985 			sband->ht_cap.ampdu_factor) ||
1986 	     nla_put_u8(msg, NL80211_BAND_ATTR_HT_AMPDU_DENSITY,
1987 			sband->ht_cap.ampdu_density)))
1988 		return -ENOBUFS;
1989 
1990 	/* add VHT info */
1991 	if (sband->vht_cap.vht_supported &&
1992 	    (nla_put(msg, NL80211_BAND_ATTR_VHT_MCS_SET,
1993 		     sizeof(sband->vht_cap.vht_mcs),
1994 		     &sband->vht_cap.vht_mcs) ||
1995 	     nla_put_u32(msg, NL80211_BAND_ATTR_VHT_CAPA,
1996 			 sband->vht_cap.cap)))
1997 		return -ENOBUFS;
1998 
1999 	if (large && sband->n_iftype_data) {
2000 		struct nlattr *nl_iftype_data =
2001 			nla_nest_start_noflag(msg,
2002 					      NL80211_BAND_ATTR_IFTYPE_DATA);
2003 		const struct ieee80211_sband_iftype_data *iftd;
2004 		int err;
2005 
2006 		if (!nl_iftype_data)
2007 			return -ENOBUFS;
2008 
2009 		for_each_sband_iftype_data(sband, i, iftd) {
2010 			struct nlattr *iftdata;
2011 
2012 			iftdata = nla_nest_start_noflag(msg, i + 1);
2013 			if (!iftdata)
2014 				return -ENOBUFS;
2015 
2016 			err = nl80211_send_iftype_data(msg, sband, iftd);
2017 			if (err)
2018 				return err;
2019 
2020 			nla_nest_end(msg, iftdata);
2021 		}
2022 
2023 		nla_nest_end(msg, nl_iftype_data);
2024 	}
2025 
2026 	/* add EDMG info */
2027 	if (large && sband->edmg_cap.channels &&
2028 	    (nla_put_u8(msg, NL80211_BAND_ATTR_EDMG_CHANNELS,
2029 		       sband->edmg_cap.channels) ||
2030 	    nla_put_u8(msg, NL80211_BAND_ATTR_EDMG_BW_CONFIG,
2031 		       sband->edmg_cap.bw_config)))
2032 
2033 		return -ENOBUFS;
2034 
2035 	/* add bitrates */
2036 	nl_rates = nla_nest_start_noflag(msg, NL80211_BAND_ATTR_RATES);
2037 	if (!nl_rates)
2038 		return -ENOBUFS;
2039 
2040 	for (i = 0; i < sband->n_bitrates; i++) {
2041 		nl_rate = nla_nest_start_noflag(msg, i);
2042 		if (!nl_rate)
2043 			return -ENOBUFS;
2044 
2045 		rate = &sband->bitrates[i];
2046 		if (nla_put_u32(msg, NL80211_BITRATE_ATTR_RATE,
2047 				rate->bitrate))
2048 			return -ENOBUFS;
2049 		if ((rate->flags & IEEE80211_RATE_SHORT_PREAMBLE) &&
2050 		    nla_put_flag(msg,
2051 				 NL80211_BITRATE_ATTR_2GHZ_SHORTPREAMBLE))
2052 			return -ENOBUFS;
2053 
2054 		nla_nest_end(msg, nl_rate);
2055 	}
2056 
2057 	nla_nest_end(msg, nl_rates);
2058 
2059 	/* S1G capabilities */
2060 	if (sband->band == NL80211_BAND_S1GHZ && sband->s1g_cap.s1g &&
2061 	    (nla_put(msg, NL80211_BAND_ATTR_S1G_CAPA,
2062 		     sizeof(sband->s1g_cap.cap),
2063 		     sband->s1g_cap.cap) ||
2064 	     nla_put(msg, NL80211_BAND_ATTR_S1G_MCS_NSS_SET,
2065 		     sizeof(sband->s1g_cap.nss_mcs),
2066 		     sband->s1g_cap.nss_mcs)))
2067 		return -ENOBUFS;
2068 
2069 	return 0;
2070 }
2071 
2072 static int
2073 nl80211_send_mgmt_stypes(struct sk_buff *msg,
2074 			 const struct ieee80211_txrx_stypes *mgmt_stypes)
2075 {
2076 	u16 stypes;
2077 	struct nlattr *nl_ftypes, *nl_ifs;
2078 	enum nl80211_iftype ift;
2079 	int i;
2080 
2081 	if (!mgmt_stypes)
2082 		return 0;
2083 
2084 	nl_ifs = nla_nest_start_noflag(msg, NL80211_ATTR_TX_FRAME_TYPES);
2085 	if (!nl_ifs)
2086 		return -ENOBUFS;
2087 
2088 	for (ift = 0; ift < NUM_NL80211_IFTYPES; ift++) {
2089 		nl_ftypes = nla_nest_start_noflag(msg, ift);
2090 		if (!nl_ftypes)
2091 			return -ENOBUFS;
2092 		i = 0;
2093 		stypes = mgmt_stypes[ift].tx;
2094 		while (stypes) {
2095 			if ((stypes & 1) &&
2096 			    nla_put_u16(msg, NL80211_ATTR_FRAME_TYPE,
2097 					(i << 4) | IEEE80211_FTYPE_MGMT))
2098 				return -ENOBUFS;
2099 			stypes >>= 1;
2100 			i++;
2101 		}
2102 		nla_nest_end(msg, nl_ftypes);
2103 	}
2104 
2105 	nla_nest_end(msg, nl_ifs);
2106 
2107 	nl_ifs = nla_nest_start_noflag(msg, NL80211_ATTR_RX_FRAME_TYPES);
2108 	if (!nl_ifs)
2109 		return -ENOBUFS;
2110 
2111 	for (ift = 0; ift < NUM_NL80211_IFTYPES; ift++) {
2112 		nl_ftypes = nla_nest_start_noflag(msg, ift);
2113 		if (!nl_ftypes)
2114 			return -ENOBUFS;
2115 		i = 0;
2116 		stypes = mgmt_stypes[ift].rx;
2117 		while (stypes) {
2118 			if ((stypes & 1) &&
2119 			    nla_put_u16(msg, NL80211_ATTR_FRAME_TYPE,
2120 					(i << 4) | IEEE80211_FTYPE_MGMT))
2121 				return -ENOBUFS;
2122 			stypes >>= 1;
2123 			i++;
2124 		}
2125 		nla_nest_end(msg, nl_ftypes);
2126 	}
2127 	nla_nest_end(msg, nl_ifs);
2128 
2129 	return 0;
2130 }
2131 
2132 #define CMD(op, n)							\
2133 	 do {								\
2134 		if (rdev->ops->op) {					\
2135 			i++;						\
2136 			if (nla_put_u32(msg, i, NL80211_CMD_ ## n)) 	\
2137 				goto nla_put_failure;			\
2138 		}							\
2139 	} while (0)
2140 
2141 static int nl80211_add_commands_unsplit(struct cfg80211_registered_device *rdev,
2142 					struct sk_buff *msg)
2143 {
2144 	int i = 0;
2145 
2146 	/*
2147 	 * do *NOT* add anything into this function, new things need to be
2148 	 * advertised only to new versions of userspace that can deal with
2149 	 * the split (and they can't possibly care about new features...
2150 	 */
2151 	CMD(add_virtual_intf, NEW_INTERFACE);
2152 	CMD(change_virtual_intf, SET_INTERFACE);
2153 	CMD(add_key, NEW_KEY);
2154 	CMD(start_ap, START_AP);
2155 	CMD(add_station, NEW_STATION);
2156 	CMD(add_mpath, NEW_MPATH);
2157 	CMD(update_mesh_config, SET_MESH_CONFIG);
2158 	CMD(change_bss, SET_BSS);
2159 	CMD(auth, AUTHENTICATE);
2160 	CMD(assoc, ASSOCIATE);
2161 	CMD(deauth, DEAUTHENTICATE);
2162 	CMD(disassoc, DISASSOCIATE);
2163 	CMD(join_ibss, JOIN_IBSS);
2164 	CMD(join_mesh, JOIN_MESH);
2165 	CMD(set_pmksa, SET_PMKSA);
2166 	CMD(del_pmksa, DEL_PMKSA);
2167 	CMD(flush_pmksa, FLUSH_PMKSA);
2168 	if (rdev->wiphy.flags & WIPHY_FLAG_HAS_REMAIN_ON_CHANNEL)
2169 		CMD(remain_on_channel, REMAIN_ON_CHANNEL);
2170 	CMD(set_bitrate_mask, SET_TX_BITRATE_MASK);
2171 	CMD(mgmt_tx, FRAME);
2172 	CMD(mgmt_tx_cancel_wait, FRAME_WAIT_CANCEL);
2173 	if (rdev->wiphy.flags & WIPHY_FLAG_NETNS_OK) {
2174 		i++;
2175 		if (nla_put_u32(msg, i, NL80211_CMD_SET_WIPHY_NETNS))
2176 			goto nla_put_failure;
2177 	}
2178 	if (rdev->ops->set_monitor_channel || rdev->ops->start_ap ||
2179 	    rdev->ops->join_mesh) {
2180 		i++;
2181 		if (nla_put_u32(msg, i, NL80211_CMD_SET_CHANNEL))
2182 			goto nla_put_failure;
2183 	}
2184 	if (rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) {
2185 		CMD(tdls_mgmt, TDLS_MGMT);
2186 		CMD(tdls_oper, TDLS_OPER);
2187 	}
2188 	if (rdev->wiphy.max_sched_scan_reqs)
2189 		CMD(sched_scan_start, START_SCHED_SCAN);
2190 	CMD(probe_client, PROBE_CLIENT);
2191 	CMD(set_noack_map, SET_NOACK_MAP);
2192 	if (rdev->wiphy.flags & WIPHY_FLAG_REPORTS_OBSS) {
2193 		i++;
2194 		if (nla_put_u32(msg, i, NL80211_CMD_REGISTER_BEACONS))
2195 			goto nla_put_failure;
2196 	}
2197 	CMD(start_p2p_device, START_P2P_DEVICE);
2198 	CMD(set_mcast_rate, SET_MCAST_RATE);
2199 #ifdef CONFIG_NL80211_TESTMODE
2200 	CMD(testmode_cmd, TESTMODE);
2201 #endif
2202 
2203 	if (rdev->ops->connect || rdev->ops->auth) {
2204 		i++;
2205 		if (nla_put_u32(msg, i, NL80211_CMD_CONNECT))
2206 			goto nla_put_failure;
2207 	}
2208 
2209 	if (rdev->ops->disconnect || rdev->ops->deauth) {
2210 		i++;
2211 		if (nla_put_u32(msg, i, NL80211_CMD_DISCONNECT))
2212 			goto nla_put_failure;
2213 	}
2214 
2215 	return i;
2216  nla_put_failure:
2217 	return -ENOBUFS;
2218 }
2219 
2220 static int
2221 nl80211_send_pmsr_ftm_capa(const struct cfg80211_pmsr_capabilities *cap,
2222 			   struct sk_buff *msg)
2223 {
2224 	struct nlattr *ftm;
2225 
2226 	if (!cap->ftm.supported)
2227 		return 0;
2228 
2229 	ftm = nla_nest_start_noflag(msg, NL80211_PMSR_TYPE_FTM);
2230 	if (!ftm)
2231 		return -ENOBUFS;
2232 
2233 	if (cap->ftm.asap && nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_ASAP))
2234 		return -ENOBUFS;
2235 	if (cap->ftm.non_asap &&
2236 	    nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_NON_ASAP))
2237 		return -ENOBUFS;
2238 	if (cap->ftm.request_lci &&
2239 	    nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_REQ_LCI))
2240 		return -ENOBUFS;
2241 	if (cap->ftm.request_civicloc &&
2242 	    nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_REQ_CIVICLOC))
2243 		return -ENOBUFS;
2244 	if (nla_put_u32(msg, NL80211_PMSR_FTM_CAPA_ATTR_PREAMBLES,
2245 			cap->ftm.preambles))
2246 		return -ENOBUFS;
2247 	if (nla_put_u32(msg, NL80211_PMSR_FTM_CAPA_ATTR_BANDWIDTHS,
2248 			cap->ftm.bandwidths))
2249 		return -ENOBUFS;
2250 	if (cap->ftm.max_bursts_exponent >= 0 &&
2251 	    nla_put_u32(msg, NL80211_PMSR_FTM_CAPA_ATTR_MAX_BURSTS_EXPONENT,
2252 			cap->ftm.max_bursts_exponent))
2253 		return -ENOBUFS;
2254 	if (cap->ftm.max_ftms_per_burst &&
2255 	    nla_put_u32(msg, NL80211_PMSR_FTM_CAPA_ATTR_MAX_FTMS_PER_BURST,
2256 			cap->ftm.max_ftms_per_burst))
2257 		return -ENOBUFS;
2258 	if (cap->ftm.trigger_based &&
2259 	    nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_TRIGGER_BASED))
2260 		return -ENOBUFS;
2261 	if (cap->ftm.non_trigger_based &&
2262 	    nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_NON_TRIGGER_BASED))
2263 		return -ENOBUFS;
2264 
2265 	nla_nest_end(msg, ftm);
2266 	return 0;
2267 }
2268 
2269 static int nl80211_send_pmsr_capa(struct cfg80211_registered_device *rdev,
2270 				  struct sk_buff *msg)
2271 {
2272 	const struct cfg80211_pmsr_capabilities *cap = rdev->wiphy.pmsr_capa;
2273 	struct nlattr *pmsr, *caps;
2274 
2275 	if (!cap)
2276 		return 0;
2277 
2278 	/*
2279 	 * we don't need to clean up anything here since the caller
2280 	 * will genlmsg_cancel() if we fail
2281 	 */
2282 
2283 	pmsr = nla_nest_start_noflag(msg, NL80211_ATTR_PEER_MEASUREMENTS);
2284 	if (!pmsr)
2285 		return -ENOBUFS;
2286 
2287 	if (nla_put_u32(msg, NL80211_PMSR_ATTR_MAX_PEERS, cap->max_peers))
2288 		return -ENOBUFS;
2289 
2290 	if (cap->report_ap_tsf &&
2291 	    nla_put_flag(msg, NL80211_PMSR_ATTR_REPORT_AP_TSF))
2292 		return -ENOBUFS;
2293 
2294 	if (cap->randomize_mac_addr &&
2295 	    nla_put_flag(msg, NL80211_PMSR_ATTR_RANDOMIZE_MAC_ADDR))
2296 		return -ENOBUFS;
2297 
2298 	caps = nla_nest_start_noflag(msg, NL80211_PMSR_ATTR_TYPE_CAPA);
2299 	if (!caps)
2300 		return -ENOBUFS;
2301 
2302 	if (nl80211_send_pmsr_ftm_capa(cap, msg))
2303 		return -ENOBUFS;
2304 
2305 	nla_nest_end(msg, caps);
2306 	nla_nest_end(msg, pmsr);
2307 
2308 	return 0;
2309 }
2310 
2311 static int
2312 nl80211_put_iftype_akm_suites(struct cfg80211_registered_device *rdev,
2313 			      struct sk_buff *msg)
2314 {
2315 	int i;
2316 	struct nlattr *nested, *nested_akms;
2317 	const struct wiphy_iftype_akm_suites *iftype_akms;
2318 
2319 	if (!rdev->wiphy.num_iftype_akm_suites ||
2320 	    !rdev->wiphy.iftype_akm_suites)
2321 		return 0;
2322 
2323 	nested = nla_nest_start(msg, NL80211_ATTR_IFTYPE_AKM_SUITES);
2324 	if (!nested)
2325 		return -ENOBUFS;
2326 
2327 	for (i = 0; i < rdev->wiphy.num_iftype_akm_suites; i++) {
2328 		nested_akms = nla_nest_start(msg, i + 1);
2329 		if (!nested_akms)
2330 			return -ENOBUFS;
2331 
2332 		iftype_akms = &rdev->wiphy.iftype_akm_suites[i];
2333 
2334 		if (nl80211_put_iftypes(msg, NL80211_IFTYPE_AKM_ATTR_IFTYPES,
2335 					iftype_akms->iftypes_mask))
2336 			return -ENOBUFS;
2337 
2338 		if (nla_put(msg, NL80211_IFTYPE_AKM_ATTR_SUITES,
2339 			    sizeof(u32) * iftype_akms->n_akm_suites,
2340 			    iftype_akms->akm_suites)) {
2341 			return -ENOBUFS;
2342 		}
2343 		nla_nest_end(msg, nested_akms);
2344 	}
2345 
2346 	nla_nest_end(msg, nested);
2347 
2348 	return 0;
2349 }
2350 
2351 static int
2352 nl80211_put_tid_config_support(struct cfg80211_registered_device *rdev,
2353 			       struct sk_buff *msg)
2354 {
2355 	struct nlattr *supp;
2356 
2357 	if (!rdev->wiphy.tid_config_support.vif &&
2358 	    !rdev->wiphy.tid_config_support.peer)
2359 		return 0;
2360 
2361 	supp = nla_nest_start(msg, NL80211_ATTR_TID_CONFIG);
2362 	if (!supp)
2363 		return -ENOSPC;
2364 
2365 	if (rdev->wiphy.tid_config_support.vif &&
2366 	    nla_put_u64_64bit(msg, NL80211_TID_CONFIG_ATTR_VIF_SUPP,
2367 			      rdev->wiphy.tid_config_support.vif,
2368 			      NL80211_TID_CONFIG_ATTR_PAD))
2369 		goto fail;
2370 
2371 	if (rdev->wiphy.tid_config_support.peer &&
2372 	    nla_put_u64_64bit(msg, NL80211_TID_CONFIG_ATTR_PEER_SUPP,
2373 			      rdev->wiphy.tid_config_support.peer,
2374 			      NL80211_TID_CONFIG_ATTR_PAD))
2375 		goto fail;
2376 
2377 	/* for now we just use the same value ... makes more sense */
2378 	if (nla_put_u8(msg, NL80211_TID_CONFIG_ATTR_RETRY_SHORT,
2379 		       rdev->wiphy.tid_config_support.max_retry))
2380 		goto fail;
2381 	if (nla_put_u8(msg, NL80211_TID_CONFIG_ATTR_RETRY_LONG,
2382 		       rdev->wiphy.tid_config_support.max_retry))
2383 		goto fail;
2384 
2385 	nla_nest_end(msg, supp);
2386 
2387 	return 0;
2388 fail:
2389 	nla_nest_cancel(msg, supp);
2390 	return -ENOBUFS;
2391 }
2392 
2393 static int
2394 nl80211_put_sar_specs(struct cfg80211_registered_device *rdev,
2395 		      struct sk_buff *msg)
2396 {
2397 	struct nlattr *sar_capa, *specs, *sub_freq_range;
2398 	u8 num_freq_ranges;
2399 	int i;
2400 
2401 	if (!rdev->wiphy.sar_capa)
2402 		return 0;
2403 
2404 	num_freq_ranges = rdev->wiphy.sar_capa->num_freq_ranges;
2405 
2406 	sar_capa = nla_nest_start(msg, NL80211_ATTR_SAR_SPEC);
2407 	if (!sar_capa)
2408 		return -ENOSPC;
2409 
2410 	if (nla_put_u32(msg, NL80211_SAR_ATTR_TYPE, rdev->wiphy.sar_capa->type))
2411 		goto fail;
2412 
2413 	specs = nla_nest_start(msg, NL80211_SAR_ATTR_SPECS);
2414 	if (!specs)
2415 		goto fail;
2416 
2417 	/* report supported freq_ranges */
2418 	for (i = 0; i < num_freq_ranges; i++) {
2419 		sub_freq_range = nla_nest_start(msg, i + 1);
2420 		if (!sub_freq_range)
2421 			goto fail;
2422 
2423 		if (nla_put_u32(msg, NL80211_SAR_ATTR_SPECS_START_FREQ,
2424 				rdev->wiphy.sar_capa->freq_ranges[i].start_freq))
2425 			goto fail;
2426 
2427 		if (nla_put_u32(msg, NL80211_SAR_ATTR_SPECS_END_FREQ,
2428 				rdev->wiphy.sar_capa->freq_ranges[i].end_freq))
2429 			goto fail;
2430 
2431 		nla_nest_end(msg, sub_freq_range);
2432 	}
2433 
2434 	nla_nest_end(msg, specs);
2435 	nla_nest_end(msg, sar_capa);
2436 
2437 	return 0;
2438 fail:
2439 	nla_nest_cancel(msg, sar_capa);
2440 	return -ENOBUFS;
2441 }
2442 
2443 static int nl80211_put_mbssid_support(struct wiphy *wiphy, struct sk_buff *msg)
2444 {
2445 	struct nlattr *config;
2446 
2447 	if (!wiphy->mbssid_max_interfaces)
2448 		return 0;
2449 
2450 	config = nla_nest_start(msg, NL80211_ATTR_MBSSID_CONFIG);
2451 	if (!config)
2452 		return -ENOBUFS;
2453 
2454 	if (nla_put_u8(msg, NL80211_MBSSID_CONFIG_ATTR_MAX_INTERFACES,
2455 		       wiphy->mbssid_max_interfaces))
2456 		goto fail;
2457 
2458 	if (wiphy->ema_max_profile_periodicity &&
2459 	    nla_put_u8(msg,
2460 		       NL80211_MBSSID_CONFIG_ATTR_MAX_EMA_PROFILE_PERIODICITY,
2461 		       wiphy->ema_max_profile_periodicity))
2462 		goto fail;
2463 
2464 	nla_nest_end(msg, config);
2465 	return 0;
2466 
2467 fail:
2468 	nla_nest_cancel(msg, config);
2469 	return -ENOBUFS;
2470 }
2471 
2472 static int nl80211_put_radio(struct wiphy *wiphy, struct sk_buff *msg, int idx)
2473 {
2474 	const struct wiphy_radio *r = &wiphy->radio[idx];
2475 	const struct wiphy_radio_cfg *rcfg = &wiphy->radio_cfg[idx];
2476 	struct nlattr *radio, *freq;
2477 	int i;
2478 
2479 	radio = nla_nest_start(msg, idx);
2480 	if (!radio)
2481 		return -ENOBUFS;
2482 
2483 	if (nla_put_u32(msg, NL80211_WIPHY_RADIO_ATTR_INDEX, idx))
2484 		goto nla_put_failure;
2485 
2486 	if (rcfg->rts_threshold &&
2487 	    nla_put_u32(msg, NL80211_WIPHY_RADIO_ATTR_RTS_THRESHOLD,
2488 			rcfg->rts_threshold))
2489 		goto nla_put_failure;
2490 
2491 	if (r->antenna_mask &&
2492 	    nla_put_u32(msg, NL80211_WIPHY_RADIO_ATTR_ANTENNA_MASK,
2493 			r->antenna_mask))
2494 		goto nla_put_failure;
2495 
2496 	for (i = 0; i < r->n_freq_range; i++) {
2497 		const struct wiphy_radio_freq_range *range = &r->freq_range[i];
2498 
2499 		freq = nla_nest_start(msg, NL80211_WIPHY_RADIO_ATTR_FREQ_RANGE);
2500 		if (!freq)
2501 			goto nla_put_failure;
2502 
2503 		if (nla_put_u32(msg, NL80211_WIPHY_RADIO_FREQ_ATTR_START,
2504 				range->start_freq) ||
2505 		    nla_put_u32(msg, NL80211_WIPHY_RADIO_FREQ_ATTR_END,
2506 				range->end_freq))
2507 			goto nla_put_failure;
2508 
2509 		nla_nest_end(msg, freq);
2510 	}
2511 
2512 	for (i = 0; i < r->n_iface_combinations; i++)
2513 		if (nl80211_put_ifcomb_data(msg, true,
2514 					    NL80211_WIPHY_RADIO_ATTR_INTERFACE_COMBINATION,
2515 					    &r->iface_combinations[i],
2516 					    NLA_F_NESTED))
2517 			goto nla_put_failure;
2518 
2519 	nla_nest_end(msg, radio);
2520 
2521 	return 0;
2522 
2523 nla_put_failure:
2524 	return -ENOBUFS;
2525 }
2526 
2527 static int nl80211_put_radios(struct wiphy *wiphy, struct sk_buff *msg)
2528 {
2529 	struct nlattr *radios;
2530 	int i;
2531 
2532 	if (!wiphy->n_radio)
2533 		return 0;
2534 
2535 	radios = nla_nest_start(msg, NL80211_ATTR_WIPHY_RADIOS);
2536 	if (!radios)
2537 		return -ENOBUFS;
2538 
2539 	for (i = 0; i < wiphy->n_radio; i++)
2540 		if (nl80211_put_radio(wiphy, msg, i))
2541 			goto fail;
2542 
2543 	nla_nest_end(msg, radios);
2544 
2545 	if (nl80211_put_iface_combinations(wiphy, msg,
2546 					   NL80211_ATTR_WIPHY_INTERFACE_COMBINATIONS,
2547 					   -1, true, NLA_F_NESTED))
2548 		return -ENOBUFS;
2549 
2550 	return 0;
2551 
2552 fail:
2553 	nla_nest_cancel(msg, radios);
2554 	return -ENOBUFS;
2555 }
2556 
2557 struct nl80211_dump_wiphy_state {
2558 	s64 filter_wiphy;
2559 	long start;
2560 	long split_start, band_start, chan_start, capa_start;
2561 	bool split;
2562 };
2563 
2564 static int nl80211_send_wiphy(struct cfg80211_registered_device *rdev,
2565 			      enum nl80211_commands cmd,
2566 			      struct sk_buff *msg, u32 portid, u32 seq,
2567 			      int flags, struct nl80211_dump_wiphy_state *state)
2568 {
2569 	void *hdr;
2570 	struct nlattr *nl_bands, *nl_band;
2571 	struct nlattr *nl_freqs, *nl_freq;
2572 	struct nlattr *nl_cmds;
2573 	enum nl80211_band band;
2574 	struct ieee80211_channel *chan;
2575 	int i;
2576 	const struct ieee80211_txrx_stypes *mgmt_stypes =
2577 				rdev->wiphy.mgmt_stypes;
2578 	u32 features;
2579 
2580 	hdr = nl80211hdr_put(msg, portid, seq, flags, cmd);
2581 	if (!hdr)
2582 		return -ENOBUFS;
2583 
2584 	if (WARN_ON(!state))
2585 		return -EINVAL;
2586 
2587 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
2588 	    nla_put_string(msg, NL80211_ATTR_WIPHY_NAME,
2589 			   wiphy_name(&rdev->wiphy)) ||
2590 	    nla_put_u32(msg, NL80211_ATTR_GENERATION,
2591 			cfg80211_rdev_list_generation))
2592 		goto nla_put_failure;
2593 
2594 	if (cmd != NL80211_CMD_NEW_WIPHY)
2595 		goto finish;
2596 
2597 	switch (state->split_start) {
2598 	case 0:
2599 		if (nla_put_u8(msg, NL80211_ATTR_WIPHY_RETRY_SHORT,
2600 			       rdev->wiphy.retry_short) ||
2601 		    nla_put_u8(msg, NL80211_ATTR_WIPHY_RETRY_LONG,
2602 			       rdev->wiphy.retry_long) ||
2603 		    nla_put_u32(msg, NL80211_ATTR_WIPHY_FRAG_THRESHOLD,
2604 				rdev->wiphy.frag_threshold) ||
2605 		    nla_put_u32(msg, NL80211_ATTR_WIPHY_RTS_THRESHOLD,
2606 				rdev->wiphy.rts_threshold) ||
2607 		    nla_put_u8(msg, NL80211_ATTR_WIPHY_COVERAGE_CLASS,
2608 			       rdev->wiphy.coverage_class) ||
2609 		    nla_put_u8(msg, NL80211_ATTR_MAX_NUM_SCAN_SSIDS,
2610 			       rdev->wiphy.max_scan_ssids) ||
2611 		    nla_put_u8(msg, NL80211_ATTR_MAX_NUM_SCHED_SCAN_SSIDS,
2612 			       rdev->wiphy.max_sched_scan_ssids) ||
2613 		    nla_put_u16(msg, NL80211_ATTR_MAX_SCAN_IE_LEN,
2614 				rdev->wiphy.max_scan_ie_len) ||
2615 		    nla_put_u16(msg, NL80211_ATTR_MAX_SCHED_SCAN_IE_LEN,
2616 				rdev->wiphy.max_sched_scan_ie_len) ||
2617 		    nla_put_u8(msg, NL80211_ATTR_MAX_MATCH_SETS,
2618 			       rdev->wiphy.max_match_sets))
2619 			goto nla_put_failure;
2620 
2621 		if ((rdev->wiphy.flags & WIPHY_FLAG_IBSS_RSN) &&
2622 		    nla_put_flag(msg, NL80211_ATTR_SUPPORT_IBSS_RSN))
2623 			goto nla_put_failure;
2624 		if ((rdev->wiphy.flags & WIPHY_FLAG_MESH_AUTH) &&
2625 		    nla_put_flag(msg, NL80211_ATTR_SUPPORT_MESH_AUTH))
2626 			goto nla_put_failure;
2627 		if ((rdev->wiphy.flags & WIPHY_FLAG_AP_UAPSD) &&
2628 		    nla_put_flag(msg, NL80211_ATTR_SUPPORT_AP_UAPSD))
2629 			goto nla_put_failure;
2630 		if ((rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_FW_ROAM) &&
2631 		    nla_put_flag(msg, NL80211_ATTR_ROAM_SUPPORT))
2632 			goto nla_put_failure;
2633 		if ((rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) &&
2634 		    nla_put_flag(msg, NL80211_ATTR_TDLS_SUPPORT))
2635 			goto nla_put_failure;
2636 		if ((rdev->wiphy.flags & WIPHY_FLAG_TDLS_EXTERNAL_SETUP) &&
2637 		    nla_put_flag(msg, NL80211_ATTR_TDLS_EXTERNAL_SETUP))
2638 			goto nla_put_failure;
2639 		state->split_start++;
2640 		if (state->split)
2641 			break;
2642 		fallthrough;
2643 	case 1:
2644 		if (nla_put(msg, NL80211_ATTR_CIPHER_SUITES,
2645 			    sizeof(u32) * rdev->wiphy.n_cipher_suites,
2646 			    rdev->wiphy.cipher_suites))
2647 			goto nla_put_failure;
2648 
2649 		if (nla_put_u8(msg, NL80211_ATTR_MAX_NUM_PMKIDS,
2650 			       rdev->wiphy.max_num_pmkids))
2651 			goto nla_put_failure;
2652 
2653 		if ((rdev->wiphy.flags & WIPHY_FLAG_CONTROL_PORT_PROTOCOL) &&
2654 		    nla_put_flag(msg, NL80211_ATTR_CONTROL_PORT_ETHERTYPE))
2655 			goto nla_put_failure;
2656 
2657 		if (nla_put_u32(msg, NL80211_ATTR_WIPHY_ANTENNA_AVAIL_TX,
2658 				rdev->wiphy.available_antennas_tx) ||
2659 		    nla_put_u32(msg, NL80211_ATTR_WIPHY_ANTENNA_AVAIL_RX,
2660 				rdev->wiphy.available_antennas_rx))
2661 			goto nla_put_failure;
2662 
2663 		if ((rdev->wiphy.flags & WIPHY_FLAG_AP_PROBE_RESP_OFFLOAD) &&
2664 		    nla_put_u32(msg, NL80211_ATTR_PROBE_RESP_OFFLOAD,
2665 				rdev->wiphy.probe_resp_offload))
2666 			goto nla_put_failure;
2667 
2668 		if ((rdev->wiphy.available_antennas_tx ||
2669 		     rdev->wiphy.available_antennas_rx) &&
2670 		    rdev->ops->get_antenna) {
2671 			u32 tx_ant = 0, rx_ant = 0;
2672 			int res;
2673 
2674 			res = rdev_get_antenna(rdev, -1, &tx_ant, &rx_ant);
2675 			if (!res) {
2676 				if (nla_put_u32(msg,
2677 						NL80211_ATTR_WIPHY_ANTENNA_TX,
2678 						tx_ant) ||
2679 				    nla_put_u32(msg,
2680 						NL80211_ATTR_WIPHY_ANTENNA_RX,
2681 						rx_ant))
2682 					goto nla_put_failure;
2683 			}
2684 		}
2685 
2686 		state->split_start++;
2687 		if (state->split)
2688 			break;
2689 		fallthrough;
2690 	case 2:
2691 		if (nl80211_put_iftypes(msg, NL80211_ATTR_SUPPORTED_IFTYPES,
2692 					rdev->wiphy.interface_modes))
2693 				goto nla_put_failure;
2694 		state->split_start++;
2695 		if (state->split)
2696 			break;
2697 		fallthrough;
2698 	case 3:
2699 		nl_bands = nla_nest_start_noflag(msg,
2700 						 NL80211_ATTR_WIPHY_BANDS);
2701 		if (!nl_bands)
2702 			goto nla_put_failure;
2703 
2704 		for (band = state->band_start;
2705 		     band < (state->split ?
2706 				NUM_NL80211_BANDS :
2707 				NL80211_BAND_60GHZ + 1);
2708 		     band++) {
2709 			struct ieee80211_supported_band *sband;
2710 
2711 			/* omit higher bands for ancient software */
2712 			if (band > NL80211_BAND_5GHZ && !state->split)
2713 				break;
2714 
2715 			sband = rdev->wiphy.bands[band];
2716 
2717 			if (!sband)
2718 				continue;
2719 
2720 			nl_band = nla_nest_start_noflag(msg, band);
2721 			if (!nl_band)
2722 				goto nla_put_failure;
2723 
2724 			switch (state->chan_start) {
2725 			case 0:
2726 				if (nl80211_send_band_rateinfo(msg, sband,
2727 							       state->split))
2728 					goto nla_put_failure;
2729 				state->chan_start++;
2730 				if (state->split)
2731 					break;
2732 				fallthrough;
2733 			default:
2734 				/* add frequencies */
2735 				nl_freqs = nla_nest_start_noflag(msg,
2736 								 NL80211_BAND_ATTR_FREQS);
2737 				if (!nl_freqs)
2738 					goto nla_put_failure;
2739 
2740 				for (i = state->chan_start - 1;
2741 				     i < sband->n_channels;
2742 				     i++) {
2743 					nl_freq = nla_nest_start_noflag(msg,
2744 									i);
2745 					if (!nl_freq)
2746 						goto nla_put_failure;
2747 
2748 					chan = &sband->channels[i];
2749 
2750 					if (nl80211_msg_put_channel(
2751 							msg, &rdev->wiphy, chan,
2752 							state->split))
2753 						goto nla_put_failure;
2754 
2755 					nla_nest_end(msg, nl_freq);
2756 					if (state->split)
2757 						break;
2758 				}
2759 				if (i < sband->n_channels)
2760 					state->chan_start = i + 2;
2761 				else
2762 					state->chan_start = 0;
2763 				nla_nest_end(msg, nl_freqs);
2764 			}
2765 
2766 			nla_nest_end(msg, nl_band);
2767 
2768 			if (state->split) {
2769 				/* start again here */
2770 				if (state->chan_start)
2771 					band--;
2772 				break;
2773 			}
2774 		}
2775 		nla_nest_end(msg, nl_bands);
2776 
2777 		if (band < NUM_NL80211_BANDS)
2778 			state->band_start = band + 1;
2779 		else
2780 			state->band_start = 0;
2781 
2782 		/* if bands & channels are done, continue outside */
2783 		if (state->band_start == 0 && state->chan_start == 0)
2784 			state->split_start++;
2785 		if (state->split)
2786 			break;
2787 		fallthrough;
2788 	case 4:
2789 		nl_cmds = nla_nest_start_noflag(msg,
2790 						NL80211_ATTR_SUPPORTED_COMMANDS);
2791 		if (!nl_cmds)
2792 			goto nla_put_failure;
2793 
2794 		i = nl80211_add_commands_unsplit(rdev, msg);
2795 		if (i < 0)
2796 			goto nla_put_failure;
2797 		if (state->split) {
2798 			CMD(crit_proto_start, CRIT_PROTOCOL_START);
2799 			CMD(crit_proto_stop, CRIT_PROTOCOL_STOP);
2800 			if (rdev->wiphy.flags & WIPHY_FLAG_HAS_CHANNEL_SWITCH)
2801 				CMD(channel_switch, CHANNEL_SWITCH);
2802 			CMD(set_qos_map, SET_QOS_MAP);
2803 			if (rdev->wiphy.features &
2804 					NL80211_FEATURE_SUPPORTS_WMM_ADMISSION)
2805 				CMD(add_tx_ts, ADD_TX_TS);
2806 			CMD(set_multicast_to_unicast, SET_MULTICAST_TO_UNICAST);
2807 			CMD(update_connect_params, UPDATE_CONNECT_PARAMS);
2808 			CMD(update_ft_ies, UPDATE_FT_IES);
2809 			if (rdev->wiphy.sar_capa)
2810 				CMD(set_sar_specs, SET_SAR_SPECS);
2811 			CMD(assoc_ml_reconf, ASSOC_MLO_RECONF);
2812 		}
2813 #undef CMD
2814 
2815 		nla_nest_end(msg, nl_cmds);
2816 		state->split_start++;
2817 		if (state->split)
2818 			break;
2819 		fallthrough;
2820 	case 5:
2821 		if (rdev->ops->remain_on_channel &&
2822 		    (rdev->wiphy.flags & WIPHY_FLAG_HAS_REMAIN_ON_CHANNEL) &&
2823 		    nla_put_u32(msg,
2824 				NL80211_ATTR_MAX_REMAIN_ON_CHANNEL_DURATION,
2825 				rdev->wiphy.max_remain_on_channel_duration))
2826 			goto nla_put_failure;
2827 
2828 		if ((rdev->wiphy.flags & WIPHY_FLAG_OFFCHAN_TX) &&
2829 		    nla_put_flag(msg, NL80211_ATTR_OFFCHANNEL_TX_OK))
2830 			goto nla_put_failure;
2831 
2832 		state->split_start++;
2833 		if (state->split)
2834 			break;
2835 		fallthrough;
2836 	case 6:
2837 #ifdef CONFIG_PM
2838 		if (nl80211_send_wowlan(msg, rdev, state->split))
2839 			goto nla_put_failure;
2840 		state->split_start++;
2841 		if (state->split)
2842 			break;
2843 #else
2844 		state->split_start++;
2845 #endif
2846 		fallthrough;
2847 	case 7:
2848 		if (nl80211_put_iftypes(msg, NL80211_ATTR_SOFTWARE_IFTYPES,
2849 					rdev->wiphy.software_iftypes))
2850 			goto nla_put_failure;
2851 
2852 		if (nl80211_put_iface_combinations(&rdev->wiphy, msg,
2853 						   NL80211_ATTR_INTERFACE_COMBINATIONS,
2854 						   rdev->wiphy.n_radio ? 0 : -1,
2855 						   state->split, 0))
2856 			goto nla_put_failure;
2857 
2858 		state->split_start++;
2859 		if (state->split)
2860 			break;
2861 		fallthrough;
2862 	case 8:
2863 		if ((rdev->wiphy.flags & WIPHY_FLAG_HAVE_AP_SME) &&
2864 		    nla_put_u32(msg, NL80211_ATTR_DEVICE_AP_SME,
2865 				rdev->wiphy.ap_sme_capa))
2866 			goto nla_put_failure;
2867 
2868 		features = rdev->wiphy.features;
2869 		/*
2870 		 * We can only add the per-channel limit information if the
2871 		 * dump is split, otherwise it makes it too big. Therefore
2872 		 * only advertise it in that case.
2873 		 */
2874 		if (state->split)
2875 			features |= NL80211_FEATURE_ADVERTISE_CHAN_LIMITS;
2876 		if (nla_put_u32(msg, NL80211_ATTR_FEATURE_FLAGS, features))
2877 			goto nla_put_failure;
2878 
2879 		if (rdev->wiphy.ht_capa_mod_mask &&
2880 		    nla_put(msg, NL80211_ATTR_HT_CAPABILITY_MASK,
2881 			    sizeof(*rdev->wiphy.ht_capa_mod_mask),
2882 			    rdev->wiphy.ht_capa_mod_mask))
2883 			goto nla_put_failure;
2884 
2885 		if (rdev->wiphy.flags & WIPHY_FLAG_HAVE_AP_SME &&
2886 		    rdev->wiphy.max_acl_mac_addrs &&
2887 		    nla_put_u32(msg, NL80211_ATTR_MAC_ACL_MAX,
2888 				rdev->wiphy.max_acl_mac_addrs))
2889 			goto nla_put_failure;
2890 
2891 		/*
2892 		 * Any information below this point is only available to
2893 		 * applications that can deal with it being split. This
2894 		 * helps ensure that newly added capabilities don't break
2895 		 * older tools by overrunning their buffers.
2896 		 *
2897 		 * We still increment split_start so that in the split
2898 		 * case we'll continue with more data in the next round,
2899 		 * but break unconditionally so unsplit data stops here.
2900 		 */
2901 		if (state->split)
2902 			state->split_start++;
2903 		else
2904 			state->split_start = 0;
2905 		break;
2906 	case 9:
2907 		if (nl80211_send_mgmt_stypes(msg, mgmt_stypes))
2908 			goto nla_put_failure;
2909 
2910 		if (nla_put_u32(msg, NL80211_ATTR_MAX_NUM_SCHED_SCAN_PLANS,
2911 				rdev->wiphy.max_sched_scan_plans) ||
2912 		    nla_put_u32(msg, NL80211_ATTR_MAX_SCAN_PLAN_INTERVAL,
2913 				rdev->wiphy.max_sched_scan_plan_interval) ||
2914 		    nla_put_u32(msg, NL80211_ATTR_MAX_SCAN_PLAN_ITERATIONS,
2915 				rdev->wiphy.max_sched_scan_plan_iterations))
2916 			goto nla_put_failure;
2917 
2918 		if (rdev->wiphy.extended_capabilities &&
2919 		    (nla_put(msg, NL80211_ATTR_EXT_CAPA,
2920 			     rdev->wiphy.extended_capabilities_len,
2921 			     rdev->wiphy.extended_capabilities) ||
2922 		     nla_put(msg, NL80211_ATTR_EXT_CAPA_MASK,
2923 			     rdev->wiphy.extended_capabilities_len,
2924 			     rdev->wiphy.extended_capabilities_mask)))
2925 			goto nla_put_failure;
2926 
2927 		if (rdev->wiphy.vht_capa_mod_mask &&
2928 		    nla_put(msg, NL80211_ATTR_VHT_CAPABILITY_MASK,
2929 			    sizeof(*rdev->wiphy.vht_capa_mod_mask),
2930 			    rdev->wiphy.vht_capa_mod_mask))
2931 			goto nla_put_failure;
2932 
2933 		if (nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN,
2934 			    rdev->wiphy.perm_addr))
2935 			goto nla_put_failure;
2936 
2937 		if (!is_zero_ether_addr(rdev->wiphy.addr_mask) &&
2938 		    nla_put(msg, NL80211_ATTR_MAC_MASK, ETH_ALEN,
2939 			    rdev->wiphy.addr_mask))
2940 			goto nla_put_failure;
2941 
2942 		if (rdev->wiphy.n_addresses > 1) {
2943 			void *attr;
2944 
2945 			attr = nla_nest_start(msg, NL80211_ATTR_MAC_ADDRS);
2946 			if (!attr)
2947 				goto nla_put_failure;
2948 
2949 			for (i = 0; i < rdev->wiphy.n_addresses; i++)
2950 				if (nla_put(msg, i + 1, ETH_ALEN,
2951 					    rdev->wiphy.addresses[i].addr))
2952 					goto nla_put_failure;
2953 
2954 			nla_nest_end(msg, attr);
2955 		}
2956 
2957 		state->split_start++;
2958 		break;
2959 	case 10:
2960 		if (nl80211_send_coalesce(msg, rdev))
2961 			goto nla_put_failure;
2962 
2963 		if ((rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_5_10_MHZ) &&
2964 		    (nla_put_flag(msg, NL80211_ATTR_SUPPORT_5_MHZ) ||
2965 		     nla_put_flag(msg, NL80211_ATTR_SUPPORT_10_MHZ)))
2966 			goto nla_put_failure;
2967 
2968 		if (rdev->wiphy.max_ap_assoc_sta &&
2969 		    nla_put_u32(msg, NL80211_ATTR_MAX_AP_ASSOC_STA,
2970 				rdev->wiphy.max_ap_assoc_sta))
2971 			goto nla_put_failure;
2972 
2973 		state->split_start++;
2974 		break;
2975 	case 11:
2976 		if (rdev->wiphy.n_vendor_commands) {
2977 			const struct nl80211_vendor_cmd_info *info;
2978 			struct nlattr *nested;
2979 
2980 			nested = nla_nest_start_noflag(msg,
2981 						       NL80211_ATTR_VENDOR_DATA);
2982 			if (!nested)
2983 				goto nla_put_failure;
2984 
2985 			for (i = 0; i < rdev->wiphy.n_vendor_commands; i++) {
2986 				info = &rdev->wiphy.vendor_commands[i].info;
2987 				if (nla_put(msg, i + 1, sizeof(*info), info))
2988 					goto nla_put_failure;
2989 			}
2990 			nla_nest_end(msg, nested);
2991 		}
2992 
2993 		if (rdev->wiphy.n_vendor_events) {
2994 			const struct nl80211_vendor_cmd_info *info;
2995 			struct nlattr *nested;
2996 
2997 			nested = nla_nest_start_noflag(msg,
2998 						       NL80211_ATTR_VENDOR_EVENTS);
2999 			if (!nested)
3000 				goto nla_put_failure;
3001 
3002 			for (i = 0; i < rdev->wiphy.n_vendor_events; i++) {
3003 				info = &rdev->wiphy.vendor_events[i];
3004 				if (nla_put(msg, i + 1, sizeof(*info), info))
3005 					goto nla_put_failure;
3006 			}
3007 			nla_nest_end(msg, nested);
3008 		}
3009 		state->split_start++;
3010 		break;
3011 	case 12:
3012 		if (rdev->wiphy.flags & WIPHY_FLAG_HAS_CHANNEL_SWITCH &&
3013 		    nla_put_u8(msg, NL80211_ATTR_MAX_CSA_COUNTERS,
3014 			       rdev->wiphy.max_num_csa_counters))
3015 			goto nla_put_failure;
3016 
3017 		if (rdev->wiphy.regulatory_flags & REGULATORY_WIPHY_SELF_MANAGED &&
3018 		    nla_put_flag(msg, NL80211_ATTR_WIPHY_SELF_MANAGED_REG))
3019 			goto nla_put_failure;
3020 
3021 		if (rdev->wiphy.max_sched_scan_reqs &&
3022 		    nla_put_u32(msg, NL80211_ATTR_SCHED_SCAN_MAX_REQS,
3023 				rdev->wiphy.max_sched_scan_reqs))
3024 			goto nla_put_failure;
3025 
3026 		if (nla_put(msg, NL80211_ATTR_EXT_FEATURES,
3027 			    sizeof(rdev->wiphy.ext_features),
3028 			    rdev->wiphy.ext_features))
3029 			goto nla_put_failure;
3030 
3031 		if (rdev->wiphy.bss_param_support) {
3032 			struct nlattr *nested;
3033 			u32 parsup = rdev->wiphy.bss_param_support;
3034 
3035 			nested = nla_nest_start(msg, NL80211_ATTR_BSS_PARAM);
3036 			if (!nested)
3037 				goto nla_put_failure;
3038 
3039 			if ((parsup & WIPHY_BSS_PARAM_CTS_PROT) &&
3040 			    nla_put_flag(msg, NL80211_ATTR_BSS_CTS_PROT))
3041 				goto nla_put_failure;
3042 			if ((parsup & WIPHY_BSS_PARAM_SHORT_PREAMBLE) &&
3043 			    nla_put_flag(msg, NL80211_ATTR_BSS_SHORT_PREAMBLE))
3044 				goto nla_put_failure;
3045 			if ((parsup & WIPHY_BSS_PARAM_SHORT_SLOT_TIME) &&
3046 			    nla_put_flag(msg, NL80211_ATTR_BSS_SHORT_SLOT_TIME))
3047 				goto nla_put_failure;
3048 			if ((parsup & WIPHY_BSS_PARAM_BASIC_RATES) &&
3049 			    nla_put_flag(msg, NL80211_ATTR_BSS_BASIC_RATES))
3050 				goto nla_put_failure;
3051 			if ((parsup & WIPHY_BSS_PARAM_AP_ISOLATE) &&
3052 			    nla_put_flag(msg, NL80211_ATTR_AP_ISOLATE))
3053 				goto nla_put_failure;
3054 			if ((parsup & WIPHY_BSS_PARAM_HT_OPMODE) &&
3055 			    nla_put_flag(msg, NL80211_ATTR_BSS_HT_OPMODE))
3056 				goto nla_put_failure;
3057 			if ((parsup & WIPHY_BSS_PARAM_P2P_CTWINDOW) &&
3058 			    nla_put_flag(msg, NL80211_ATTR_P2P_CTWINDOW))
3059 				goto nla_put_failure;
3060 			if ((parsup & WIPHY_BSS_PARAM_P2P_OPPPS) &&
3061 			    nla_put_flag(msg, NL80211_ATTR_P2P_OPPPS))
3062 				goto nla_put_failure;
3063 			nla_nest_end(msg, nested);
3064 		}
3065 		if (rdev->wiphy.bss_select_support) {
3066 			struct nlattr *nested;
3067 			u32 bss_select_support = rdev->wiphy.bss_select_support;
3068 
3069 			nested = nla_nest_start_noflag(msg,
3070 						       NL80211_ATTR_BSS_SELECT);
3071 			if (!nested)
3072 				goto nla_put_failure;
3073 
3074 			i = 0;
3075 			while (bss_select_support) {
3076 				if ((bss_select_support & 1) &&
3077 				    nla_put_flag(msg, i))
3078 					goto nla_put_failure;
3079 				i++;
3080 				bss_select_support >>= 1;
3081 			}
3082 			nla_nest_end(msg, nested);
3083 		}
3084 
3085 		state->split_start++;
3086 		break;
3087 	case 13:
3088 		if (rdev->wiphy.num_iftype_ext_capab &&
3089 		    rdev->wiphy.iftype_ext_capab) {
3090 			struct nlattr *nested_ext_capab, *nested;
3091 
3092 			nested = nla_nest_start_noflag(msg,
3093 						       NL80211_ATTR_IFTYPE_EXT_CAPA);
3094 			if (!nested)
3095 				goto nla_put_failure;
3096 
3097 			for (i = state->capa_start;
3098 			     i < rdev->wiphy.num_iftype_ext_capab; i++) {
3099 				const struct wiphy_iftype_ext_capab *capab;
3100 
3101 				capab = &rdev->wiphy.iftype_ext_capab[i];
3102 
3103 				nested_ext_capab = nla_nest_start_noflag(msg,
3104 									 i);
3105 				if (!nested_ext_capab ||
3106 				    nla_put_u32(msg, NL80211_ATTR_IFTYPE,
3107 						capab->iftype) ||
3108 				    nla_put(msg, NL80211_ATTR_EXT_CAPA,
3109 					    capab->extended_capabilities_len,
3110 					    capab->extended_capabilities) ||
3111 				    nla_put(msg, NL80211_ATTR_EXT_CAPA_MASK,
3112 					    capab->extended_capabilities_len,
3113 					    capab->extended_capabilities_mask))
3114 					goto nla_put_failure;
3115 
3116 				if (rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_MLO &&
3117 				    (nla_put_u16(msg,
3118 						 NL80211_ATTR_EML_CAPABILITY,
3119 						 capab->eml_capabilities) ||
3120 				     nla_put_u16(msg,
3121 						 NL80211_ATTR_MLD_CAPA_AND_OPS,
3122 						 capab->mld_capa_and_ops)))
3123 					goto nla_put_failure;
3124 
3125 				nla_nest_end(msg, nested_ext_capab);
3126 				if (state->split)
3127 					break;
3128 			}
3129 			nla_nest_end(msg, nested);
3130 			if (i < rdev->wiphy.num_iftype_ext_capab) {
3131 				state->capa_start = i + 1;
3132 				break;
3133 			}
3134 		}
3135 
3136 		if (nla_put_u32(msg, NL80211_ATTR_BANDS,
3137 				rdev->wiphy.nan_supported_bands))
3138 			goto nla_put_failure;
3139 
3140 		if (wiphy_ext_feature_isset(&rdev->wiphy,
3141 					    NL80211_EXT_FEATURE_TXQS)) {
3142 			struct cfg80211_txq_stats txqstats = {};
3143 			int res;
3144 
3145 			res = rdev_get_txq_stats(rdev, NULL, &txqstats);
3146 			if (!res &&
3147 			    !nl80211_put_txq_stats(msg, &txqstats,
3148 						   NL80211_ATTR_TXQ_STATS))
3149 				goto nla_put_failure;
3150 
3151 			if (nla_put_u32(msg, NL80211_ATTR_TXQ_LIMIT,
3152 					rdev->wiphy.txq_limit))
3153 				goto nla_put_failure;
3154 			if (nla_put_u32(msg, NL80211_ATTR_TXQ_MEMORY_LIMIT,
3155 					rdev->wiphy.txq_memory_limit))
3156 				goto nla_put_failure;
3157 			if (nla_put_u32(msg, NL80211_ATTR_TXQ_QUANTUM,
3158 					rdev->wiphy.txq_quantum))
3159 				goto nla_put_failure;
3160 		}
3161 
3162 		state->split_start++;
3163 		break;
3164 	case 14:
3165 		if (nl80211_send_pmsr_capa(rdev, msg))
3166 			goto nla_put_failure;
3167 
3168 		state->split_start++;
3169 		break;
3170 	case 15:
3171 		if (rdev->wiphy.akm_suites &&
3172 		    nla_put(msg, NL80211_ATTR_AKM_SUITES,
3173 			    sizeof(u32) * rdev->wiphy.n_akm_suites,
3174 			    rdev->wiphy.akm_suites))
3175 			goto nla_put_failure;
3176 
3177 		if (nl80211_put_iftype_akm_suites(rdev, msg))
3178 			goto nla_put_failure;
3179 
3180 		if (nl80211_put_tid_config_support(rdev, msg))
3181 			goto nla_put_failure;
3182 		state->split_start++;
3183 		break;
3184 	case 16:
3185 		if (nl80211_put_sar_specs(rdev, msg))
3186 			goto nla_put_failure;
3187 
3188 		if (nl80211_put_mbssid_support(&rdev->wiphy, msg))
3189 			goto nla_put_failure;
3190 
3191 		if (nla_put_u16(msg, NL80211_ATTR_MAX_NUM_AKM_SUITES,
3192 				rdev->wiphy.max_num_akm_suites))
3193 			goto nla_put_failure;
3194 
3195 		if (rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_MLO)
3196 			nla_put_flag(msg, NL80211_ATTR_MLO_SUPPORT);
3197 
3198 		if (rdev->wiphy.hw_timestamp_max_peers &&
3199 		    nla_put_u16(msg, NL80211_ATTR_MAX_HW_TIMESTAMP_PEERS,
3200 				rdev->wiphy.hw_timestamp_max_peers))
3201 			goto nla_put_failure;
3202 
3203 		state->split_start++;
3204 		break;
3205 	case 17:
3206 		if (nl80211_put_radios(&rdev->wiphy, msg))
3207 			goto nla_put_failure;
3208 
3209 		/* done */
3210 		state->split_start = 0;
3211 		break;
3212 	}
3213  finish:
3214 	genlmsg_end(msg, hdr);
3215 	return 0;
3216 
3217  nla_put_failure:
3218 	genlmsg_cancel(msg, hdr);
3219 	return -EMSGSIZE;
3220 }
3221 
3222 static int nl80211_dump_wiphy_parse(struct sk_buff *skb,
3223 				    struct netlink_callback *cb,
3224 				    struct nl80211_dump_wiphy_state *state)
3225 {
3226 	struct nlattr **tb = kcalloc(NUM_NL80211_ATTR, sizeof(*tb), GFP_KERNEL);
3227 	int ret;
3228 
3229 	if (!tb)
3230 		return -ENOMEM;
3231 
3232 	ret = nlmsg_parse_deprecated(cb->nlh,
3233 				     GENL_HDRLEN + nl80211_fam.hdrsize,
3234 				     tb, nl80211_fam.maxattr,
3235 				     nl80211_policy, NULL);
3236 	/* ignore parse errors for backward compatibility */
3237 	if (ret) {
3238 		ret = 0;
3239 		goto out;
3240 	}
3241 
3242 	state->split = tb[NL80211_ATTR_SPLIT_WIPHY_DUMP];
3243 	if (tb[NL80211_ATTR_WIPHY])
3244 		state->filter_wiphy = nla_get_u32(tb[NL80211_ATTR_WIPHY]);
3245 	if (tb[NL80211_ATTR_WDEV])
3246 		state->filter_wiphy = nla_get_u64(tb[NL80211_ATTR_WDEV]) >> 32;
3247 	if (tb[NL80211_ATTR_IFINDEX]) {
3248 		struct net_device *netdev;
3249 		struct cfg80211_registered_device *rdev;
3250 		int ifidx = nla_get_u32(tb[NL80211_ATTR_IFINDEX]);
3251 
3252 		netdev = __dev_get_by_index(sock_net(skb->sk), ifidx);
3253 		if (!netdev) {
3254 			ret = -ENODEV;
3255 			goto out;
3256 		}
3257 		if (netdev->ieee80211_ptr) {
3258 			rdev = wiphy_to_rdev(
3259 				netdev->ieee80211_ptr->wiphy);
3260 			state->filter_wiphy = rdev->wiphy_idx;
3261 		}
3262 	}
3263 
3264 	ret = 0;
3265 out:
3266 	kfree(tb);
3267 	return ret;
3268 }
3269 
3270 static int nl80211_dump_wiphy(struct sk_buff *skb, struct netlink_callback *cb)
3271 {
3272 	int idx = 0, ret;
3273 	struct nl80211_dump_wiphy_state *state = (void *)cb->args[0];
3274 	struct cfg80211_registered_device *rdev;
3275 
3276 	rtnl_lock();
3277 	if (!state) {
3278 		state = kzalloc(sizeof(*state), GFP_KERNEL);
3279 		if (!state) {
3280 			rtnl_unlock();
3281 			return -ENOMEM;
3282 		}
3283 		state->filter_wiphy = -1;
3284 		ret = nl80211_dump_wiphy_parse(skb, cb, state);
3285 		if (ret) {
3286 			kfree(state);
3287 			rtnl_unlock();
3288 			return ret;
3289 		}
3290 		cb->args[0] = (long)state;
3291 	}
3292 
3293 	for_each_rdev(rdev) {
3294 		if (!net_eq(wiphy_net(&rdev->wiphy), sock_net(skb->sk)))
3295 			continue;
3296 		if (++idx <= state->start)
3297 			continue;
3298 		if (state->filter_wiphy != -1 &&
3299 		    state->filter_wiphy != rdev->wiphy_idx)
3300 			continue;
3301 		wiphy_lock(&rdev->wiphy);
3302 		/* attempt to fit multiple wiphy data chunks into the skb */
3303 		do {
3304 			ret = nl80211_send_wiphy(rdev, NL80211_CMD_NEW_WIPHY,
3305 						 skb,
3306 						 NETLINK_CB(cb->skb).portid,
3307 						 cb->nlh->nlmsg_seq,
3308 						 NLM_F_MULTI, state);
3309 			if (ret < 0) {
3310 				/*
3311 				 * If sending the wiphy data didn't fit (ENOBUFS
3312 				 * or EMSGSIZE returned), this SKB is still
3313 				 * empty (so it's not too big because another
3314 				 * wiphy dataset is already in the skb) and
3315 				 * we've not tried to adjust the dump allocation
3316 				 * yet ... then adjust the alloc size to be
3317 				 * bigger, and return 1 but with the empty skb.
3318 				 * This results in an empty message being RX'ed
3319 				 * in userspace, but that is ignored.
3320 				 *
3321 				 * We can then retry with the larger buffer.
3322 				 */
3323 				if ((ret == -ENOBUFS || ret == -EMSGSIZE) &&
3324 				    !skb->len && !state->split &&
3325 				    cb->min_dump_alloc < 4096) {
3326 					cb->min_dump_alloc = 4096;
3327 					state->split_start = 0;
3328 					wiphy_unlock(&rdev->wiphy);
3329 					rtnl_unlock();
3330 					return 1;
3331 				}
3332 				idx--;
3333 				break;
3334 			}
3335 		} while (state->split_start > 0);
3336 		wiphy_unlock(&rdev->wiphy);
3337 		break;
3338 	}
3339 	rtnl_unlock();
3340 
3341 	state->start = idx;
3342 
3343 	return skb->len;
3344 }
3345 
3346 static int nl80211_dump_wiphy_done(struct netlink_callback *cb)
3347 {
3348 	kfree((void *)cb->args[0]);
3349 	return 0;
3350 }
3351 
3352 static int nl80211_get_wiphy(struct sk_buff *skb, struct genl_info *info)
3353 {
3354 	struct sk_buff *msg;
3355 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
3356 	struct nl80211_dump_wiphy_state state = {};
3357 
3358 	msg = nlmsg_new(4096, GFP_KERNEL);
3359 	if (!msg)
3360 		return -ENOMEM;
3361 
3362 	if (nl80211_send_wiphy(rdev, NL80211_CMD_NEW_WIPHY, msg,
3363 			       info->snd_portid, info->snd_seq, 0,
3364 			       &state) < 0) {
3365 		nlmsg_free(msg);
3366 		return -ENOBUFS;
3367 	}
3368 
3369 	return genlmsg_reply(msg, info);
3370 }
3371 
3372 static const struct nla_policy txq_params_policy[NL80211_TXQ_ATTR_MAX + 1] = {
3373 	[NL80211_TXQ_ATTR_QUEUE]		= { .type = NLA_U8 },
3374 	[NL80211_TXQ_ATTR_TXOP]			= { .type = NLA_U16 },
3375 	[NL80211_TXQ_ATTR_CWMIN]		= { .type = NLA_U16 },
3376 	[NL80211_TXQ_ATTR_CWMAX]		= { .type = NLA_U16 },
3377 	[NL80211_TXQ_ATTR_AIFS]			= { .type = NLA_U8 },
3378 };
3379 
3380 static int parse_txq_params(struct nlattr *tb[],
3381 			    struct ieee80211_txq_params *txq_params)
3382 {
3383 	u8 ac;
3384 
3385 	if (!tb[NL80211_TXQ_ATTR_AC] || !tb[NL80211_TXQ_ATTR_TXOP] ||
3386 	    !tb[NL80211_TXQ_ATTR_CWMIN] || !tb[NL80211_TXQ_ATTR_CWMAX] ||
3387 	    !tb[NL80211_TXQ_ATTR_AIFS])
3388 		return -EINVAL;
3389 
3390 	ac = nla_get_u8(tb[NL80211_TXQ_ATTR_AC]);
3391 	txq_params->txop = nla_get_u16(tb[NL80211_TXQ_ATTR_TXOP]);
3392 	txq_params->cwmin = nla_get_u16(tb[NL80211_TXQ_ATTR_CWMIN]);
3393 	txq_params->cwmax = nla_get_u16(tb[NL80211_TXQ_ATTR_CWMAX]);
3394 	txq_params->aifs = nla_get_u8(tb[NL80211_TXQ_ATTR_AIFS]);
3395 
3396 	if (ac >= NL80211_NUM_ACS)
3397 		return -EINVAL;
3398 	txq_params->ac = array_index_nospec(ac, NL80211_NUM_ACS);
3399 	return 0;
3400 }
3401 
3402 static bool nl80211_can_set_dev_channel(struct wireless_dev *wdev)
3403 {
3404 	/*
3405 	 * You can only set the channel explicitly for some interfaces,
3406 	 * most have their channel managed via their respective
3407 	 * "establish a connection" command (connect, join, ...)
3408 	 *
3409 	 * For AP/GO and mesh mode, the channel can be set with the
3410 	 * channel userspace API, but is only stored and passed to the
3411 	 * low-level driver when the AP starts or the mesh is joined.
3412 	 * This is for backward compatibility, userspace can also give
3413 	 * the channel in the start-ap or join-mesh commands instead.
3414 	 *
3415 	 * Monitors are special as they are normally slaved to
3416 	 * whatever else is going on, so they have their own special
3417 	 * operation to set the monitor channel if possible.
3418 	 */
3419 	return !wdev ||
3420 		wdev->iftype == NL80211_IFTYPE_AP ||
3421 		wdev->iftype == NL80211_IFTYPE_MESH_POINT ||
3422 		wdev->iftype == NL80211_IFTYPE_MONITOR ||
3423 		wdev->iftype == NL80211_IFTYPE_P2P_GO;
3424 }
3425 
3426 static int _nl80211_parse_chandef(struct cfg80211_registered_device *rdev,
3427 				  struct genl_info *info, bool monitor,
3428 				  struct cfg80211_chan_def *chandef)
3429 {
3430 	struct netlink_ext_ack *extack = info->extack;
3431 	struct nlattr **attrs = info->attrs;
3432 	u32 control_freq;
3433 
3434 	if (!attrs[NL80211_ATTR_WIPHY_FREQ]) {
3435 		NL_SET_ERR_MSG_ATTR(extack, attrs[NL80211_ATTR_WIPHY_FREQ],
3436 				    "Frequency is missing");
3437 		return -EINVAL;
3438 	}
3439 
3440 	control_freq = MHZ_TO_KHZ(
3441 			nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ]));
3442 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET])
3443 		control_freq +=
3444 		    nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET]);
3445 
3446 	memset(chandef, 0, sizeof(*chandef));
3447 	chandef->chan = ieee80211_get_channel_khz(&rdev->wiphy, control_freq);
3448 	chandef->width = NL80211_CHAN_WIDTH_20_NOHT;
3449 	chandef->center_freq1 = KHZ_TO_MHZ(control_freq);
3450 	chandef->freq1_offset = control_freq % 1000;
3451 	chandef->center_freq2 = 0;
3452 
3453 	if (!chandef->chan) {
3454 		NL_SET_ERR_MSG_ATTR(extack, attrs[NL80211_ATTR_WIPHY_FREQ],
3455 				    "Unknown channel");
3456 		return -EINVAL;
3457 	}
3458 
3459 	if (attrs[NL80211_ATTR_WIPHY_CHANNEL_TYPE]) {
3460 		enum nl80211_channel_type chantype;
3461 
3462 		chantype = nla_get_u32(attrs[NL80211_ATTR_WIPHY_CHANNEL_TYPE]);
3463 
3464 		switch (chantype) {
3465 		case NL80211_CHAN_NO_HT:
3466 		case NL80211_CHAN_HT20:
3467 		case NL80211_CHAN_HT40PLUS:
3468 		case NL80211_CHAN_HT40MINUS:
3469 			cfg80211_chandef_create(chandef, chandef->chan,
3470 						chantype);
3471 			/* user input for center_freq is incorrect */
3472 			if (attrs[NL80211_ATTR_CENTER_FREQ1] &&
3473 			    chandef->center_freq1 != nla_get_u32(attrs[NL80211_ATTR_CENTER_FREQ1])) {
3474 				NL_SET_ERR_MSG_ATTR(extack,
3475 						    attrs[NL80211_ATTR_CENTER_FREQ1],
3476 						    "bad center frequency 1");
3477 				return -EINVAL;
3478 			}
3479 			/* center_freq2 must be zero */
3480 			if (attrs[NL80211_ATTR_CENTER_FREQ2] &&
3481 			    nla_get_u32(attrs[NL80211_ATTR_CENTER_FREQ2])) {
3482 				NL_SET_ERR_MSG_ATTR(extack,
3483 						    attrs[NL80211_ATTR_CENTER_FREQ2],
3484 						    "center frequency 2 can't be used");
3485 				return -EINVAL;
3486 			}
3487 			break;
3488 		default:
3489 			NL_SET_ERR_MSG_ATTR(extack,
3490 					    attrs[NL80211_ATTR_WIPHY_CHANNEL_TYPE],
3491 					    "invalid channel type");
3492 			return -EINVAL;
3493 		}
3494 	} else if (attrs[NL80211_ATTR_CHANNEL_WIDTH]) {
3495 		chandef->width =
3496 			nla_get_u32(attrs[NL80211_ATTR_CHANNEL_WIDTH]);
3497 		if (chandef->chan->band == NL80211_BAND_S1GHZ) {
3498 			/* User input error for channel width doesn't match channel  */
3499 			if (chandef->width != ieee80211_s1g_channel_width(chandef->chan)) {
3500 				NL_SET_ERR_MSG_ATTR(extack,
3501 						    attrs[NL80211_ATTR_CHANNEL_WIDTH],
3502 						    "bad channel width");
3503 				return -EINVAL;
3504 			}
3505 		}
3506 		if (attrs[NL80211_ATTR_CENTER_FREQ1]) {
3507 			chandef->center_freq1 =
3508 				nla_get_u32(attrs[NL80211_ATTR_CENTER_FREQ1]);
3509 			chandef->freq1_offset =
3510 				nla_get_u32_default(attrs[NL80211_ATTR_CENTER_FREQ1_OFFSET],
3511 						    0);
3512 		}
3513 		if (attrs[NL80211_ATTR_CENTER_FREQ2])
3514 			chandef->center_freq2 =
3515 				nla_get_u32(attrs[NL80211_ATTR_CENTER_FREQ2]);
3516 	}
3517 
3518 	if (info->attrs[NL80211_ATTR_WIPHY_EDMG_CHANNELS]) {
3519 		chandef->edmg.channels =
3520 		      nla_get_u8(info->attrs[NL80211_ATTR_WIPHY_EDMG_CHANNELS]);
3521 
3522 		if (info->attrs[NL80211_ATTR_WIPHY_EDMG_BW_CONFIG])
3523 			chandef->edmg.bw_config =
3524 		     nla_get_u8(info->attrs[NL80211_ATTR_WIPHY_EDMG_BW_CONFIG]);
3525 	} else {
3526 		chandef->edmg.bw_config = 0;
3527 		chandef->edmg.channels = 0;
3528 	}
3529 
3530 	if (info->attrs[NL80211_ATTR_PUNCT_BITMAP]) {
3531 		chandef->punctured =
3532 			nla_get_u32(info->attrs[NL80211_ATTR_PUNCT_BITMAP]);
3533 
3534 		if (chandef->punctured &&
3535 		    !wiphy_ext_feature_isset(&rdev->wiphy,
3536 					     NL80211_EXT_FEATURE_PUNCT)) {
3537 			NL_SET_ERR_MSG(extack,
3538 				       "driver doesn't support puncturing");
3539 			return -EINVAL;
3540 		}
3541 	}
3542 
3543 	if (!cfg80211_chandef_valid(chandef)) {
3544 		NL_SET_ERR_MSG(extack, "invalid channel definition");
3545 		return -EINVAL;
3546 	}
3547 
3548 	if (!_cfg80211_chandef_usable(&rdev->wiphy, chandef,
3549 				      IEEE80211_CHAN_DISABLED,
3550 				      monitor ? IEEE80211_CHAN_CAN_MONITOR : 0)) {
3551 		NL_SET_ERR_MSG(extack, "(extension) channel is disabled");
3552 		return -EINVAL;
3553 	}
3554 
3555 	if ((chandef->width == NL80211_CHAN_WIDTH_5 ||
3556 	     chandef->width == NL80211_CHAN_WIDTH_10) &&
3557 	    !(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_5_10_MHZ)) {
3558 		NL_SET_ERR_MSG(extack, "5/10 MHz not supported");
3559 		return -EINVAL;
3560 	}
3561 
3562 	return 0;
3563 }
3564 
3565 int nl80211_parse_chandef(struct cfg80211_registered_device *rdev,
3566 			  struct genl_info *info,
3567 			  struct cfg80211_chan_def *chandef)
3568 {
3569 	return _nl80211_parse_chandef(rdev, info, false, chandef);
3570 }
3571 
3572 static int __nl80211_set_channel(struct cfg80211_registered_device *rdev,
3573 				 struct net_device *dev,
3574 				 struct genl_info *info,
3575 				 int _link_id)
3576 {
3577 	struct cfg80211_chan_def chandef;
3578 	int result;
3579 	enum nl80211_iftype iftype = NL80211_IFTYPE_MONITOR;
3580 	struct wireless_dev *wdev = NULL;
3581 	int link_id = _link_id;
3582 
3583 	if (dev)
3584 		wdev = dev->ieee80211_ptr;
3585 	if (!nl80211_can_set_dev_channel(wdev))
3586 		return -EOPNOTSUPP;
3587 	if (wdev)
3588 		iftype = wdev->iftype;
3589 
3590 	if (link_id < 0) {
3591 		if (wdev && wdev->valid_links)
3592 			return -EINVAL;
3593 		link_id = 0;
3594 	}
3595 
3596 	result = _nl80211_parse_chandef(rdev, info,
3597 					iftype == NL80211_IFTYPE_MONITOR,
3598 					&chandef);
3599 	if (result)
3600 		return result;
3601 
3602 	switch (iftype) {
3603 	case NL80211_IFTYPE_AP:
3604 	case NL80211_IFTYPE_P2P_GO:
3605 		if (!cfg80211_reg_can_beacon_relax(&rdev->wiphy, &chandef,
3606 						   iftype))
3607 			return -EINVAL;
3608 		if (wdev->links[link_id].ap.beacon_interval) {
3609 			struct ieee80211_channel *cur_chan;
3610 
3611 			if (!dev || !rdev->ops->set_ap_chanwidth ||
3612 			    !(rdev->wiphy.features &
3613 			      NL80211_FEATURE_AP_MODE_CHAN_WIDTH_CHANGE))
3614 				return -EBUSY;
3615 
3616 			/* Only allow dynamic channel width changes */
3617 			cur_chan = wdev->links[link_id].ap.chandef.chan;
3618 			if (chandef.chan != cur_chan)
3619 				return -EBUSY;
3620 
3621 			/* only allow this for regular channel widths */
3622 			switch (wdev->links[link_id].ap.chandef.width) {
3623 			case NL80211_CHAN_WIDTH_20_NOHT:
3624 			case NL80211_CHAN_WIDTH_20:
3625 			case NL80211_CHAN_WIDTH_40:
3626 			case NL80211_CHAN_WIDTH_80:
3627 			case NL80211_CHAN_WIDTH_80P80:
3628 			case NL80211_CHAN_WIDTH_160:
3629 			case NL80211_CHAN_WIDTH_320:
3630 				break;
3631 			default:
3632 				return -EINVAL;
3633 			}
3634 
3635 			switch (chandef.width) {
3636 			case NL80211_CHAN_WIDTH_20_NOHT:
3637 			case NL80211_CHAN_WIDTH_20:
3638 			case NL80211_CHAN_WIDTH_40:
3639 			case NL80211_CHAN_WIDTH_80:
3640 			case NL80211_CHAN_WIDTH_80P80:
3641 			case NL80211_CHAN_WIDTH_160:
3642 			case NL80211_CHAN_WIDTH_320:
3643 				break;
3644 			default:
3645 				return -EINVAL;
3646 			}
3647 
3648 			result = rdev_set_ap_chanwidth(rdev, dev, link_id,
3649 						       &chandef);
3650 			if (result)
3651 				return result;
3652 			wdev->links[link_id].ap.chandef = chandef;
3653 		} else {
3654 			wdev->u.ap.preset_chandef = chandef;
3655 		}
3656 		return 0;
3657 	case NL80211_IFTYPE_MESH_POINT:
3658 		return cfg80211_set_mesh_channel(rdev, wdev, &chandef);
3659 	case NL80211_IFTYPE_MONITOR:
3660 		return cfg80211_set_monitor_channel(rdev, dev, &chandef);
3661 	default:
3662 		break;
3663 	}
3664 
3665 	return -EINVAL;
3666 }
3667 
3668 static int nl80211_set_channel(struct sk_buff *skb, struct genl_info *info)
3669 {
3670 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
3671 	int link_id = nl80211_link_id_or_invalid(info->attrs);
3672 	struct net_device *netdev = info->user_ptr[1];
3673 
3674 	return __nl80211_set_channel(rdev, netdev, info, link_id);
3675 }
3676 
3677 static int nl80211_set_wiphy_radio(struct genl_info *info,
3678 				   struct cfg80211_registered_device *rdev,
3679 				   int radio_idx)
3680 {
3681 	u32 rts_threshold = 0, old_rts, changed = 0;
3682 	int result;
3683 
3684 	if (!rdev->ops->set_wiphy_params)
3685 		return -EOPNOTSUPP;
3686 
3687 	if (info->attrs[NL80211_ATTR_WIPHY_RTS_THRESHOLD]) {
3688 		rts_threshold = nla_get_u32(
3689 				info->attrs[NL80211_ATTR_WIPHY_RTS_THRESHOLD]);
3690 		changed |= WIPHY_PARAM_RTS_THRESHOLD;
3691 	}
3692 
3693 	old_rts = rdev->wiphy.radio_cfg[radio_idx].rts_threshold;
3694 
3695 	rdev->wiphy.radio_cfg[radio_idx].rts_threshold = rts_threshold;
3696 
3697 	result = rdev_set_wiphy_params(rdev, radio_idx, changed);
3698 	if (result)
3699 		rdev->wiphy.radio_cfg[radio_idx].rts_threshold = old_rts;
3700 
3701 	return 0;
3702 }
3703 
3704 static int nl80211_set_wiphy(struct sk_buff *skb, struct genl_info *info)
3705 {
3706 	struct cfg80211_registered_device *rdev = NULL;
3707 	struct net_device *netdev = NULL;
3708 	struct wireless_dev *wdev;
3709 	int result = 0, rem_txq_params = 0;
3710 	struct nlattr *nl_txq_params;
3711 	u32 changed;
3712 	u8 retry_short = 0, retry_long = 0;
3713 	u32 frag_threshold = 0, rts_threshold = 0;
3714 	u8 coverage_class = 0;
3715 	u32 txq_limit = 0, txq_memory_limit = 0, txq_quantum = 0;
3716 	int radio_idx = -1;
3717 
3718 	rtnl_lock();
3719 	/*
3720 	 * Try to find the wiphy and netdev. Normally this
3721 	 * function shouldn't need the netdev, but this is
3722 	 * done for backward compatibility -- previously
3723 	 * setting the channel was done per wiphy, but now
3724 	 * it is per netdev. Previous userland like hostapd
3725 	 * also passed a netdev to set_wiphy, so that it is
3726 	 * possible to let that go to the right netdev!
3727 	 */
3728 
3729 	if (info->attrs[NL80211_ATTR_IFINDEX]) {
3730 		int ifindex = nla_get_u32(info->attrs[NL80211_ATTR_IFINDEX]);
3731 
3732 		netdev = __dev_get_by_index(genl_info_net(info), ifindex);
3733 		if (netdev && netdev->ieee80211_ptr)
3734 			rdev = wiphy_to_rdev(netdev->ieee80211_ptr->wiphy);
3735 		else
3736 			netdev = NULL;
3737 	}
3738 
3739 	if (!netdev) {
3740 		rdev = __cfg80211_rdev_from_attrs(genl_info_net(info),
3741 						  info->attrs);
3742 		if (IS_ERR(rdev)) {
3743 			rtnl_unlock();
3744 			return PTR_ERR(rdev);
3745 		}
3746 		wdev = NULL;
3747 		netdev = NULL;
3748 		result = 0;
3749 	} else
3750 		wdev = netdev->ieee80211_ptr;
3751 
3752 	guard(wiphy)(&rdev->wiphy);
3753 
3754 	/*
3755 	 * end workaround code, by now the rdev is available
3756 	 * and locked, and wdev may or may not be NULL.
3757 	 */
3758 
3759 	if (info->attrs[NL80211_ATTR_WIPHY_NAME])
3760 		result = cfg80211_dev_rename(
3761 			rdev, nla_data(info->attrs[NL80211_ATTR_WIPHY_NAME]));
3762 	rtnl_unlock();
3763 
3764 	if (result)
3765 		return result;
3766 
3767 	if (info->attrs[NL80211_ATTR_WIPHY_RADIO_INDEX]) {
3768 		/* Radio idx is not expected for non-multi radio wiphy */
3769 		if (rdev->wiphy.n_radio <= 0)
3770 			return -EINVAL;
3771 
3772 		radio_idx = nla_get_u8(
3773 				info->attrs[NL80211_ATTR_WIPHY_RADIO_INDEX]);
3774 		if (radio_idx >= rdev->wiphy.n_radio)
3775 			return -EINVAL;
3776 
3777 		return nl80211_set_wiphy_radio(info, rdev, radio_idx);
3778 	}
3779 
3780 	if (info->attrs[NL80211_ATTR_WIPHY_TXQ_PARAMS]) {
3781 		struct ieee80211_txq_params txq_params;
3782 		struct nlattr *tb[NL80211_TXQ_ATTR_MAX + 1];
3783 
3784 		if (!rdev->ops->set_txq_params)
3785 			return -EOPNOTSUPP;
3786 
3787 		if (!netdev)
3788 			return -EINVAL;
3789 
3790 		if (netdev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
3791 		    netdev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
3792 			return -EINVAL;
3793 
3794 		if (!netif_running(netdev))
3795 			return -ENETDOWN;
3796 
3797 		nla_for_each_nested(nl_txq_params,
3798 				    info->attrs[NL80211_ATTR_WIPHY_TXQ_PARAMS],
3799 				    rem_txq_params) {
3800 			result = nla_parse_nested_deprecated(tb,
3801 							     NL80211_TXQ_ATTR_MAX,
3802 							     nl_txq_params,
3803 							     txq_params_policy,
3804 							     info->extack);
3805 			if (result)
3806 				return result;
3807 
3808 			result = parse_txq_params(tb, &txq_params);
3809 			if (result)
3810 				return result;
3811 
3812 			txq_params.link_id =
3813 				nl80211_link_id_or_invalid(info->attrs);
3814 
3815 			if (txq_params.link_id >= 0 &&
3816 			    !(netdev->ieee80211_ptr->valid_links &
3817 			      BIT(txq_params.link_id)))
3818 				result = -ENOLINK;
3819 			else if (txq_params.link_id >= 0 &&
3820 				 !netdev->ieee80211_ptr->valid_links)
3821 				result = -EINVAL;
3822 			else
3823 				result = rdev_set_txq_params(rdev, netdev,
3824 							     &txq_params);
3825 			if (result)
3826 				return result;
3827 		}
3828 	}
3829 
3830 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
3831 		int link_id = nl80211_link_id_or_invalid(info->attrs);
3832 
3833 		if (wdev) {
3834 			result = __nl80211_set_channel(
3835 				rdev,
3836 				nl80211_can_set_dev_channel(wdev) ? netdev : NULL,
3837 				info, link_id);
3838 		} else {
3839 			result = __nl80211_set_channel(rdev, netdev, info, link_id);
3840 		}
3841 
3842 		if (result)
3843 			return result;
3844 	}
3845 
3846 	if (info->attrs[NL80211_ATTR_WIPHY_TX_POWER_SETTING]) {
3847 		struct wireless_dev *txp_wdev = wdev;
3848 		enum nl80211_tx_power_setting type;
3849 		int idx, mbm = 0;
3850 
3851 		if (!(rdev->wiphy.features & NL80211_FEATURE_VIF_TXPOWER))
3852 			txp_wdev = NULL;
3853 
3854 		if (!rdev->ops->set_tx_power)
3855 			return -EOPNOTSUPP;
3856 
3857 		idx = NL80211_ATTR_WIPHY_TX_POWER_SETTING;
3858 		type = nla_get_u32(info->attrs[idx]);
3859 
3860 		if (!info->attrs[NL80211_ATTR_WIPHY_TX_POWER_LEVEL] &&
3861 		    (type != NL80211_TX_POWER_AUTOMATIC))
3862 			return -EINVAL;
3863 
3864 		if (type != NL80211_TX_POWER_AUTOMATIC) {
3865 			idx = NL80211_ATTR_WIPHY_TX_POWER_LEVEL;
3866 			mbm = nla_get_u32(info->attrs[idx]);
3867 		}
3868 
3869 		result = rdev_set_tx_power(rdev, txp_wdev, radio_idx, type,
3870 					   mbm);
3871 		if (result)
3872 			return result;
3873 	}
3874 
3875 	if (info->attrs[NL80211_ATTR_WIPHY_ANTENNA_TX] &&
3876 	    info->attrs[NL80211_ATTR_WIPHY_ANTENNA_RX]) {
3877 		u32 tx_ant, rx_ant;
3878 
3879 		if ((!rdev->wiphy.available_antennas_tx &&
3880 		     !rdev->wiphy.available_antennas_rx) ||
3881 		    !rdev->ops->set_antenna)
3882 			return -EOPNOTSUPP;
3883 
3884 		tx_ant = nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_ANTENNA_TX]);
3885 		rx_ant = nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_ANTENNA_RX]);
3886 
3887 		/* reject antenna configurations which don't match the
3888 		 * available antenna masks, except for the "all" mask */
3889 		if ((~tx_ant && (tx_ant & ~rdev->wiphy.available_antennas_tx)) ||
3890 		    (~rx_ant && (rx_ant & ~rdev->wiphy.available_antennas_rx)))
3891 			return -EINVAL;
3892 
3893 		tx_ant = tx_ant & rdev->wiphy.available_antennas_tx;
3894 		rx_ant = rx_ant & rdev->wiphy.available_antennas_rx;
3895 
3896 		result = rdev_set_antenna(rdev, radio_idx, tx_ant, rx_ant);
3897 		if (result)
3898 			return result;
3899 	}
3900 
3901 	changed = 0;
3902 
3903 	if (info->attrs[NL80211_ATTR_WIPHY_RETRY_SHORT]) {
3904 		retry_short = nla_get_u8(
3905 			info->attrs[NL80211_ATTR_WIPHY_RETRY_SHORT]);
3906 
3907 		changed |= WIPHY_PARAM_RETRY_SHORT;
3908 	}
3909 
3910 	if (info->attrs[NL80211_ATTR_WIPHY_RETRY_LONG]) {
3911 		retry_long = nla_get_u8(
3912 			info->attrs[NL80211_ATTR_WIPHY_RETRY_LONG]);
3913 
3914 		changed |= WIPHY_PARAM_RETRY_LONG;
3915 	}
3916 
3917 	if (info->attrs[NL80211_ATTR_WIPHY_FRAG_THRESHOLD]) {
3918 		frag_threshold = nla_get_u32(
3919 			info->attrs[NL80211_ATTR_WIPHY_FRAG_THRESHOLD]);
3920 		if (frag_threshold < 256)
3921 			return -EINVAL;
3922 
3923 		if (frag_threshold != (u32) -1) {
3924 			/*
3925 			 * Fragments (apart from the last one) are required to
3926 			 * have even length. Make the fragmentation code
3927 			 * simpler by stripping LSB should someone try to use
3928 			 * odd threshold value.
3929 			 */
3930 			frag_threshold &= ~0x1;
3931 		}
3932 		changed |= WIPHY_PARAM_FRAG_THRESHOLD;
3933 	}
3934 
3935 	if (info->attrs[NL80211_ATTR_WIPHY_RTS_THRESHOLD]) {
3936 		rts_threshold = nla_get_u32(
3937 			info->attrs[NL80211_ATTR_WIPHY_RTS_THRESHOLD]);
3938 		changed |= WIPHY_PARAM_RTS_THRESHOLD;
3939 	}
3940 
3941 	if (info->attrs[NL80211_ATTR_WIPHY_COVERAGE_CLASS]) {
3942 		if (info->attrs[NL80211_ATTR_WIPHY_DYN_ACK])
3943 			return -EINVAL;
3944 
3945 		coverage_class = nla_get_u8(
3946 			info->attrs[NL80211_ATTR_WIPHY_COVERAGE_CLASS]);
3947 		changed |= WIPHY_PARAM_COVERAGE_CLASS;
3948 	}
3949 
3950 	if (info->attrs[NL80211_ATTR_WIPHY_DYN_ACK]) {
3951 		if (!(rdev->wiphy.features & NL80211_FEATURE_ACKTO_ESTIMATION))
3952 			return -EOPNOTSUPP;
3953 
3954 		changed |= WIPHY_PARAM_DYN_ACK;
3955 	}
3956 
3957 	if (info->attrs[NL80211_ATTR_TXQ_LIMIT]) {
3958 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
3959 					     NL80211_EXT_FEATURE_TXQS))
3960 			return -EOPNOTSUPP;
3961 
3962 		txq_limit = nla_get_u32(
3963 			info->attrs[NL80211_ATTR_TXQ_LIMIT]);
3964 		changed |= WIPHY_PARAM_TXQ_LIMIT;
3965 	}
3966 
3967 	if (info->attrs[NL80211_ATTR_TXQ_MEMORY_LIMIT]) {
3968 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
3969 					     NL80211_EXT_FEATURE_TXQS))
3970 			return -EOPNOTSUPP;
3971 
3972 		txq_memory_limit = nla_get_u32(
3973 			info->attrs[NL80211_ATTR_TXQ_MEMORY_LIMIT]);
3974 		changed |= WIPHY_PARAM_TXQ_MEMORY_LIMIT;
3975 	}
3976 
3977 	if (info->attrs[NL80211_ATTR_TXQ_QUANTUM]) {
3978 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
3979 					     NL80211_EXT_FEATURE_TXQS))
3980 			return -EOPNOTSUPP;
3981 
3982 		txq_quantum = nla_get_u32(
3983 			info->attrs[NL80211_ATTR_TXQ_QUANTUM]);
3984 		changed |= WIPHY_PARAM_TXQ_QUANTUM;
3985 	}
3986 
3987 	if (changed) {
3988 		u8 old_retry_short, old_retry_long;
3989 		u32 old_frag_threshold, old_rts_threshold;
3990 		u8 old_coverage_class, i;
3991 		u32 old_txq_limit, old_txq_memory_limit, old_txq_quantum;
3992 		u32 *old_radio_rts_threshold = NULL;
3993 
3994 		if (!rdev->ops->set_wiphy_params)
3995 			return -EOPNOTSUPP;
3996 
3997 		if (rdev->wiphy.n_radio) {
3998 			old_radio_rts_threshold = kcalloc(rdev->wiphy.n_radio,
3999 							  sizeof(u32),
4000 							  GFP_KERNEL);
4001 			if (!old_radio_rts_threshold)
4002 				return -ENOMEM;
4003 		}
4004 
4005 		old_retry_short = rdev->wiphy.retry_short;
4006 		old_retry_long = rdev->wiphy.retry_long;
4007 		old_frag_threshold = rdev->wiphy.frag_threshold;
4008 		old_rts_threshold = rdev->wiphy.rts_threshold;
4009 		if (old_radio_rts_threshold) {
4010 			for (i = 0 ; i < rdev->wiphy.n_radio; i++)
4011 				old_radio_rts_threshold[i] =
4012 					rdev->wiphy.radio_cfg[i].rts_threshold;
4013 		}
4014 		old_coverage_class = rdev->wiphy.coverage_class;
4015 		old_txq_limit = rdev->wiphy.txq_limit;
4016 		old_txq_memory_limit = rdev->wiphy.txq_memory_limit;
4017 		old_txq_quantum = rdev->wiphy.txq_quantum;
4018 
4019 		if (changed & WIPHY_PARAM_RETRY_SHORT)
4020 			rdev->wiphy.retry_short = retry_short;
4021 		if (changed & WIPHY_PARAM_RETRY_LONG)
4022 			rdev->wiphy.retry_long = retry_long;
4023 		if (changed & WIPHY_PARAM_FRAG_THRESHOLD)
4024 			rdev->wiphy.frag_threshold = frag_threshold;
4025 		if ((changed & WIPHY_PARAM_RTS_THRESHOLD) &&
4026 		    old_radio_rts_threshold) {
4027 			rdev->wiphy.rts_threshold = rts_threshold;
4028 			for (i = 0 ; i < rdev->wiphy.n_radio; i++)
4029 				rdev->wiphy.radio_cfg[i].rts_threshold =
4030 					rdev->wiphy.rts_threshold;
4031 		}
4032 		if (changed & WIPHY_PARAM_COVERAGE_CLASS)
4033 			rdev->wiphy.coverage_class = coverage_class;
4034 		if (changed & WIPHY_PARAM_TXQ_LIMIT)
4035 			rdev->wiphy.txq_limit = txq_limit;
4036 		if (changed & WIPHY_PARAM_TXQ_MEMORY_LIMIT)
4037 			rdev->wiphy.txq_memory_limit = txq_memory_limit;
4038 		if (changed & WIPHY_PARAM_TXQ_QUANTUM)
4039 			rdev->wiphy.txq_quantum = txq_quantum;
4040 
4041 		result = rdev_set_wiphy_params(rdev, radio_idx, changed);
4042 		if (result) {
4043 			rdev->wiphy.retry_short = old_retry_short;
4044 			rdev->wiphy.retry_long = old_retry_long;
4045 			rdev->wiphy.frag_threshold = old_frag_threshold;
4046 			rdev->wiphy.rts_threshold = old_rts_threshold;
4047 			if (old_radio_rts_threshold) {
4048 				for (i = 0 ; i < rdev->wiphy.n_radio; i++)
4049 					rdev->wiphy.radio_cfg[i].rts_threshold =
4050 						old_radio_rts_threshold[i];
4051 			}
4052 			rdev->wiphy.coverage_class = old_coverage_class;
4053 			rdev->wiphy.txq_limit = old_txq_limit;
4054 			rdev->wiphy.txq_memory_limit = old_txq_memory_limit;
4055 			rdev->wiphy.txq_quantum = old_txq_quantum;
4056 		}
4057 
4058 		if (old_rts_threshold)
4059 			kfree(old_radio_rts_threshold);
4060 		return result;
4061 	}
4062 
4063 	return 0;
4064 }
4065 
4066 int nl80211_send_chandef(struct sk_buff *msg, const struct cfg80211_chan_def *chandef)
4067 {
4068 	if (WARN_ON(!cfg80211_chandef_valid(chandef)))
4069 		return -EINVAL;
4070 
4071 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ,
4072 			chandef->chan->center_freq))
4073 		return -ENOBUFS;
4074 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ_OFFSET,
4075 			chandef->chan->freq_offset))
4076 		return -ENOBUFS;
4077 	switch (chandef->width) {
4078 	case NL80211_CHAN_WIDTH_20_NOHT:
4079 	case NL80211_CHAN_WIDTH_20:
4080 	case NL80211_CHAN_WIDTH_40:
4081 		if (nla_put_u32(msg, NL80211_ATTR_WIPHY_CHANNEL_TYPE,
4082 				cfg80211_get_chandef_type(chandef)))
4083 			return -ENOBUFS;
4084 		break;
4085 	default:
4086 		break;
4087 	}
4088 	if (nla_put_u32(msg, NL80211_ATTR_CHANNEL_WIDTH, chandef->width))
4089 		return -ENOBUFS;
4090 	if (nla_put_u32(msg, NL80211_ATTR_CENTER_FREQ1, chandef->center_freq1))
4091 		return -ENOBUFS;
4092 	if (chandef->center_freq2 &&
4093 	    nla_put_u32(msg, NL80211_ATTR_CENTER_FREQ2, chandef->center_freq2))
4094 		return -ENOBUFS;
4095 	if (chandef->punctured &&
4096 	    nla_put_u32(msg, NL80211_ATTR_PUNCT_BITMAP, chandef->punctured))
4097 		return -ENOBUFS;
4098 
4099 	return 0;
4100 }
4101 EXPORT_SYMBOL(nl80211_send_chandef);
4102 
4103 static int nl80211_send_iface(struct sk_buff *msg, u32 portid, u32 seq, int flags,
4104 			      struct cfg80211_registered_device *rdev,
4105 			      struct wireless_dev *wdev,
4106 			      enum nl80211_commands cmd)
4107 {
4108 	struct net_device *dev = wdev->netdev;
4109 	void *hdr;
4110 
4111 	lockdep_assert_wiphy(&rdev->wiphy);
4112 
4113 	WARN_ON(cmd != NL80211_CMD_NEW_INTERFACE &&
4114 		cmd != NL80211_CMD_DEL_INTERFACE &&
4115 		cmd != NL80211_CMD_SET_INTERFACE);
4116 
4117 	hdr = nl80211hdr_put(msg, portid, seq, flags, cmd);
4118 	if (!hdr)
4119 		return -1;
4120 
4121 	if (dev &&
4122 	    (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
4123 	     nla_put_string(msg, NL80211_ATTR_IFNAME, dev->name)))
4124 		goto nla_put_failure;
4125 
4126 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
4127 	    nla_put_u32(msg, NL80211_ATTR_IFTYPE, wdev->iftype) ||
4128 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
4129 			      NL80211_ATTR_PAD) ||
4130 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, wdev_address(wdev)) ||
4131 	    nla_put_u32(msg, NL80211_ATTR_GENERATION,
4132 			rdev->devlist_generation ^
4133 			(cfg80211_rdev_list_generation << 2)) ||
4134 	    nla_put_u8(msg, NL80211_ATTR_4ADDR, wdev->use_4addr) ||
4135 	    nla_put_u32(msg, NL80211_ATTR_VIF_RADIO_MASK, wdev->radio_mask))
4136 		goto nla_put_failure;
4137 
4138 	if (rdev->ops->get_channel && !wdev->valid_links) {
4139 		struct cfg80211_chan_def chandef = {};
4140 		int ret;
4141 
4142 		ret = rdev_get_channel(rdev, wdev, 0, &chandef);
4143 		if (ret == 0 && nl80211_send_chandef(msg, &chandef))
4144 			goto nla_put_failure;
4145 	}
4146 
4147 	if (rdev->ops->get_tx_power && !wdev->valid_links) {
4148 		int dbm, ret;
4149 
4150 		ret = rdev_get_tx_power(rdev, wdev, -1, 0, &dbm);
4151 		if (ret == 0 &&
4152 		    nla_put_u32(msg, NL80211_ATTR_WIPHY_TX_POWER_LEVEL,
4153 				DBM_TO_MBM(dbm)))
4154 			goto nla_put_failure;
4155 	}
4156 
4157 	switch (wdev->iftype) {
4158 	case NL80211_IFTYPE_AP:
4159 	case NL80211_IFTYPE_P2P_GO:
4160 		if (wdev->u.ap.ssid_len &&
4161 		    nla_put(msg, NL80211_ATTR_SSID, wdev->u.ap.ssid_len,
4162 			    wdev->u.ap.ssid))
4163 			goto nla_put_failure;
4164 		break;
4165 	case NL80211_IFTYPE_STATION:
4166 	case NL80211_IFTYPE_P2P_CLIENT:
4167 		if (wdev->u.client.ssid_len &&
4168 		    nla_put(msg, NL80211_ATTR_SSID, wdev->u.client.ssid_len,
4169 			    wdev->u.client.ssid))
4170 			goto nla_put_failure;
4171 		break;
4172 	case NL80211_IFTYPE_ADHOC:
4173 		if (wdev->u.ibss.ssid_len &&
4174 		    nla_put(msg, NL80211_ATTR_SSID, wdev->u.ibss.ssid_len,
4175 			    wdev->u.ibss.ssid))
4176 			goto nla_put_failure;
4177 		break;
4178 	default:
4179 		/* nothing */
4180 		break;
4181 	}
4182 
4183 	if (rdev->ops->get_txq_stats) {
4184 		struct cfg80211_txq_stats txqstats = {};
4185 		int ret = rdev_get_txq_stats(rdev, wdev, &txqstats);
4186 
4187 		if (ret == 0 &&
4188 		    !nl80211_put_txq_stats(msg, &txqstats,
4189 					   NL80211_ATTR_TXQ_STATS))
4190 			goto nla_put_failure;
4191 	}
4192 
4193 	if (wdev->valid_links) {
4194 		unsigned int link_id;
4195 		struct nlattr *links = nla_nest_start(msg,
4196 						      NL80211_ATTR_MLO_LINKS);
4197 
4198 		if (!links)
4199 			goto nla_put_failure;
4200 
4201 		for_each_valid_link(wdev, link_id) {
4202 			struct nlattr *link = nla_nest_start(msg, link_id + 1);
4203 			struct cfg80211_chan_def chandef = {};
4204 			int ret;
4205 
4206 			if (!link)
4207 				goto nla_put_failure;
4208 
4209 			if (nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID, link_id))
4210 				goto nla_put_failure;
4211 			if (nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN,
4212 				    wdev->links[link_id].addr))
4213 				goto nla_put_failure;
4214 
4215 			ret = rdev_get_channel(rdev, wdev, link_id, &chandef);
4216 			if (ret == 0 && nl80211_send_chandef(msg, &chandef))
4217 				goto nla_put_failure;
4218 
4219 			if (rdev->ops->get_tx_power) {
4220 				int dbm, ret;
4221 
4222 				ret = rdev_get_tx_power(rdev, wdev, -1, link_id, &dbm);
4223 				if (ret == 0 &&
4224 				    nla_put_u32(msg, NL80211_ATTR_WIPHY_TX_POWER_LEVEL,
4225 						DBM_TO_MBM(dbm)))
4226 					goto nla_put_failure;
4227 			}
4228 			nla_nest_end(msg, link);
4229 		}
4230 
4231 		nla_nest_end(msg, links);
4232 	}
4233 
4234 	genlmsg_end(msg, hdr);
4235 	return 0;
4236 
4237  nla_put_failure:
4238 	genlmsg_cancel(msg, hdr);
4239 	return -EMSGSIZE;
4240 }
4241 
4242 static int nl80211_dump_interface(struct sk_buff *skb, struct netlink_callback *cb)
4243 {
4244 	int wp_idx = 0;
4245 	int if_idx = 0;
4246 	int wp_start = cb->args[0];
4247 	int if_start = cb->args[1];
4248 	int filter_wiphy = -1;
4249 	struct cfg80211_registered_device *rdev;
4250 	struct wireless_dev *wdev;
4251 	int ret;
4252 
4253 	rtnl_lock();
4254 	if (!cb->args[2]) {
4255 		struct nl80211_dump_wiphy_state state = {
4256 			.filter_wiphy = -1,
4257 		};
4258 
4259 		ret = nl80211_dump_wiphy_parse(skb, cb, &state);
4260 		if (ret)
4261 			goto out_unlock;
4262 
4263 		filter_wiphy = state.filter_wiphy;
4264 
4265 		/*
4266 		 * if filtering, set cb->args[2] to +1 since 0 is the default
4267 		 * value needed to determine that parsing is necessary.
4268 		 */
4269 		if (filter_wiphy >= 0)
4270 			cb->args[2] = filter_wiphy + 1;
4271 		else
4272 			cb->args[2] = -1;
4273 	} else if (cb->args[2] > 0) {
4274 		filter_wiphy = cb->args[2] - 1;
4275 	}
4276 
4277 	for_each_rdev(rdev) {
4278 		if (!net_eq(wiphy_net(&rdev->wiphy), sock_net(skb->sk)))
4279 			continue;
4280 		if (wp_idx < wp_start) {
4281 			wp_idx++;
4282 			continue;
4283 		}
4284 
4285 		if (filter_wiphy >= 0 && filter_wiphy != rdev->wiphy_idx)
4286 			continue;
4287 
4288 		if_idx = 0;
4289 
4290 		guard(wiphy)(&rdev->wiphy);
4291 
4292 		list_for_each_entry(wdev, &rdev->wiphy.wdev_list, list) {
4293 			if (if_idx < if_start) {
4294 				if_idx++;
4295 				continue;
4296 			}
4297 
4298 			if (nl80211_send_iface(skb, NETLINK_CB(cb->skb).portid,
4299 					       cb->nlh->nlmsg_seq, NLM_F_MULTI,
4300 					       rdev, wdev,
4301 					       NL80211_CMD_NEW_INTERFACE) < 0)
4302 				goto out;
4303 
4304 			if_idx++;
4305 		}
4306 
4307 		if_start = 0;
4308 		wp_idx++;
4309 	}
4310  out:
4311 	cb->args[0] = wp_idx;
4312 	cb->args[1] = if_idx;
4313 
4314 	ret = skb->len;
4315  out_unlock:
4316 	rtnl_unlock();
4317 
4318 	return ret;
4319 }
4320 
4321 static int nl80211_get_interface(struct sk_buff *skb, struct genl_info *info)
4322 {
4323 	struct sk_buff *msg;
4324 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4325 	struct wireless_dev *wdev = info->user_ptr[1];
4326 
4327 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
4328 	if (!msg)
4329 		return -ENOMEM;
4330 
4331 	if (nl80211_send_iface(msg, info->snd_portid, info->snd_seq, 0,
4332 			       rdev, wdev, NL80211_CMD_NEW_INTERFACE) < 0) {
4333 		nlmsg_free(msg);
4334 		return -ENOBUFS;
4335 	}
4336 
4337 	return genlmsg_reply(msg, info);
4338 }
4339 
4340 static const struct nla_policy mntr_flags_policy[NL80211_MNTR_FLAG_MAX + 1] = {
4341 	[NL80211_MNTR_FLAG_FCSFAIL] = { .type = NLA_FLAG },
4342 	[NL80211_MNTR_FLAG_PLCPFAIL] = { .type = NLA_FLAG },
4343 	[NL80211_MNTR_FLAG_CONTROL] = { .type = NLA_FLAG },
4344 	[NL80211_MNTR_FLAG_OTHER_BSS] = { .type = NLA_FLAG },
4345 	[NL80211_MNTR_FLAG_COOK_FRAMES] = { .type = NLA_FLAG },
4346 	[NL80211_MNTR_FLAG_ACTIVE] = { .type = NLA_FLAG },
4347 	[NL80211_MNTR_FLAG_SKIP_TX] = { .type = NLA_FLAG },
4348 };
4349 
4350 static int parse_monitor_flags(struct nlattr *nla, u32 *mntrflags)
4351 {
4352 	struct nlattr *flags[NL80211_MNTR_FLAG_MAX + 1];
4353 	int flag;
4354 
4355 	*mntrflags = 0;
4356 
4357 	if (!nla)
4358 		return -EINVAL;
4359 
4360 	if (nla_parse_nested_deprecated(flags, NL80211_MNTR_FLAG_MAX, nla, mntr_flags_policy, NULL))
4361 		return -EINVAL;
4362 
4363 	for (flag = 1; flag <= NL80211_MNTR_FLAG_MAX; flag++)
4364 		if (flags[flag])
4365 			*mntrflags |= (1<<flag);
4366 
4367 	/* cooked monitor mode is incompatible with other modes */
4368 	if (*mntrflags & MONITOR_FLAG_COOK_FRAMES &&
4369 	    *mntrflags != MONITOR_FLAG_COOK_FRAMES)
4370 		return -EOPNOTSUPP;
4371 
4372 	*mntrflags |= MONITOR_FLAG_CHANGED;
4373 
4374 	return 0;
4375 }
4376 
4377 static int nl80211_parse_mon_options(struct cfg80211_registered_device *rdev,
4378 				     enum nl80211_iftype type,
4379 				     struct genl_info *info,
4380 				     struct vif_params *params)
4381 {
4382 	bool change = false;
4383 	int err;
4384 
4385 	if (info->attrs[NL80211_ATTR_MNTR_FLAGS]) {
4386 		if (type != NL80211_IFTYPE_MONITOR)
4387 			return -EINVAL;
4388 
4389 		err = parse_monitor_flags(info->attrs[NL80211_ATTR_MNTR_FLAGS],
4390 					  &params->flags);
4391 		if (err)
4392 			return err;
4393 
4394 		change = true;
4395 	}
4396 
4397 	/* MONITOR_FLAG_COOK_FRAMES is deprecated, refuse cooperation */
4398 	if (params->flags & MONITOR_FLAG_COOK_FRAMES)
4399 		return -EOPNOTSUPP;
4400 
4401 	if (params->flags & MONITOR_FLAG_ACTIVE &&
4402 	    !(rdev->wiphy.features & NL80211_FEATURE_ACTIVE_MONITOR))
4403 		return -EOPNOTSUPP;
4404 
4405 	if (info->attrs[NL80211_ATTR_MU_MIMO_GROUP_DATA]) {
4406 		const u8 *mumimo_groups;
4407 		u32 cap_flag = NL80211_EXT_FEATURE_MU_MIMO_AIR_SNIFFER;
4408 
4409 		if (type != NL80211_IFTYPE_MONITOR)
4410 			return -EINVAL;
4411 
4412 		if (!wiphy_ext_feature_isset(&rdev->wiphy, cap_flag))
4413 			return -EOPNOTSUPP;
4414 
4415 		mumimo_groups =
4416 			nla_data(info->attrs[NL80211_ATTR_MU_MIMO_GROUP_DATA]);
4417 
4418 		/* bits 0 and 63 are reserved and must be zero */
4419 		if ((mumimo_groups[0] & BIT(0)) ||
4420 		    (mumimo_groups[VHT_MUMIMO_GROUPS_DATA_LEN - 1] & BIT(7)))
4421 			return -EINVAL;
4422 
4423 		params->vht_mumimo_groups = mumimo_groups;
4424 		change = true;
4425 	}
4426 
4427 	if (info->attrs[NL80211_ATTR_MU_MIMO_FOLLOW_MAC_ADDR]) {
4428 		u32 cap_flag = NL80211_EXT_FEATURE_MU_MIMO_AIR_SNIFFER;
4429 
4430 		if (type != NL80211_IFTYPE_MONITOR)
4431 			return -EINVAL;
4432 
4433 		if (!wiphy_ext_feature_isset(&rdev->wiphy, cap_flag))
4434 			return -EOPNOTSUPP;
4435 
4436 		params->vht_mumimo_follow_addr =
4437 			nla_data(info->attrs[NL80211_ATTR_MU_MIMO_FOLLOW_MAC_ADDR]);
4438 		change = true;
4439 	}
4440 
4441 	return change ? 1 : 0;
4442 }
4443 
4444 static int nl80211_valid_4addr(struct cfg80211_registered_device *rdev,
4445 			       struct net_device *netdev, u8 use_4addr,
4446 			       enum nl80211_iftype iftype)
4447 {
4448 	if (!use_4addr) {
4449 		if (netdev && netif_is_bridge_port(netdev))
4450 			return -EBUSY;
4451 		return 0;
4452 	}
4453 
4454 	switch (iftype) {
4455 	case NL80211_IFTYPE_AP_VLAN:
4456 		if (rdev->wiphy.flags & WIPHY_FLAG_4ADDR_AP)
4457 			return 0;
4458 		break;
4459 	case NL80211_IFTYPE_STATION:
4460 		if (rdev->wiphy.flags & WIPHY_FLAG_4ADDR_STATION)
4461 			return 0;
4462 		break;
4463 	default:
4464 		break;
4465 	}
4466 
4467 	return -EOPNOTSUPP;
4468 }
4469 
4470 static int nl80211_parse_vif_radio_mask(struct genl_info *info,
4471 					u32 *radio_mask)
4472 {
4473 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4474 	struct nlattr *attr = info->attrs[NL80211_ATTR_VIF_RADIO_MASK];
4475 	u32 mask, allowed;
4476 
4477 	if (!attr) {
4478 		*radio_mask = 0;
4479 		return 0;
4480 	}
4481 
4482 	allowed = BIT(rdev->wiphy.n_radio) - 1;
4483 	mask = nla_get_u32(attr);
4484 	if (mask & ~allowed)
4485 		return -EINVAL;
4486 	if (!mask)
4487 		mask = allowed;
4488 	*radio_mask = mask;
4489 
4490 	return 1;
4491 }
4492 
4493 static int nl80211_set_interface(struct sk_buff *skb, struct genl_info *info)
4494 {
4495 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4496 	struct vif_params params;
4497 	int err;
4498 	enum nl80211_iftype otype, ntype;
4499 	struct net_device *dev = info->user_ptr[1];
4500 	struct wireless_dev *wdev = dev->ieee80211_ptr;
4501 	u32 radio_mask = 0;
4502 	bool change = false;
4503 
4504 	memset(&params, 0, sizeof(params));
4505 
4506 	otype = ntype = dev->ieee80211_ptr->iftype;
4507 
4508 	if (info->attrs[NL80211_ATTR_IFTYPE]) {
4509 		ntype = nla_get_u32(info->attrs[NL80211_ATTR_IFTYPE]);
4510 		if (otype != ntype)
4511 			change = true;
4512 	}
4513 
4514 	if (info->attrs[NL80211_ATTR_MESH_ID]) {
4515 		if (ntype != NL80211_IFTYPE_MESH_POINT)
4516 			return -EINVAL;
4517 		if (otype != NL80211_IFTYPE_MESH_POINT)
4518 			return -EINVAL;
4519 		if (netif_running(dev))
4520 			return -EBUSY;
4521 
4522 		wdev->u.mesh.id_up_len =
4523 			nla_len(info->attrs[NL80211_ATTR_MESH_ID]);
4524 		memcpy(wdev->u.mesh.id,
4525 		       nla_data(info->attrs[NL80211_ATTR_MESH_ID]),
4526 		       wdev->u.mesh.id_up_len);
4527 	}
4528 
4529 	if (info->attrs[NL80211_ATTR_4ADDR]) {
4530 		params.use_4addr = !!nla_get_u8(info->attrs[NL80211_ATTR_4ADDR]);
4531 		change = true;
4532 		err = nl80211_valid_4addr(rdev, dev, params.use_4addr, ntype);
4533 		if (err)
4534 			return err;
4535 	} else {
4536 		params.use_4addr = -1;
4537 	}
4538 
4539 	err = nl80211_parse_mon_options(rdev, ntype, info, &params);
4540 	if (err < 0)
4541 		return err;
4542 	if (err > 0)
4543 		change = true;
4544 
4545 	err = nl80211_parse_vif_radio_mask(info, &radio_mask);
4546 	if (err < 0)
4547 		return err;
4548 	if (err && netif_running(dev))
4549 		return -EBUSY;
4550 
4551 	if (change)
4552 		err = cfg80211_change_iface(rdev, dev, ntype, &params);
4553 	else
4554 		err = 0;
4555 
4556 	if (!err && params.use_4addr != -1)
4557 		dev->ieee80211_ptr->use_4addr = params.use_4addr;
4558 
4559 	if (radio_mask)
4560 		wdev->radio_mask = radio_mask;
4561 
4562 	if (change && !err)
4563 		nl80211_notify_iface(rdev, wdev, NL80211_CMD_SET_INTERFACE);
4564 
4565 	return err;
4566 }
4567 
4568 static int _nl80211_new_interface(struct sk_buff *skb, struct genl_info *info)
4569 {
4570 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4571 	struct vif_params params;
4572 	struct wireless_dev *wdev;
4573 	struct sk_buff *msg;
4574 	u32 radio_mask;
4575 	int err;
4576 	enum nl80211_iftype type = NL80211_IFTYPE_UNSPECIFIED;
4577 
4578 	memset(&params, 0, sizeof(params));
4579 
4580 	if (!info->attrs[NL80211_ATTR_IFNAME])
4581 		return -EINVAL;
4582 
4583 	if (info->attrs[NL80211_ATTR_IFTYPE])
4584 		type = nla_get_u32(info->attrs[NL80211_ATTR_IFTYPE]);
4585 
4586 	if (!rdev->ops->add_virtual_intf)
4587 		return -EOPNOTSUPP;
4588 
4589 	if ((type == NL80211_IFTYPE_P2P_DEVICE || type == NL80211_IFTYPE_NAN ||
4590 	     rdev->wiphy.features & NL80211_FEATURE_MAC_ON_CREATE) &&
4591 	    info->attrs[NL80211_ATTR_MAC]) {
4592 		nla_memcpy(params.macaddr, info->attrs[NL80211_ATTR_MAC],
4593 			   ETH_ALEN);
4594 		if (!is_valid_ether_addr(params.macaddr))
4595 			return -EADDRNOTAVAIL;
4596 	}
4597 
4598 	if (info->attrs[NL80211_ATTR_4ADDR]) {
4599 		params.use_4addr = !!nla_get_u8(info->attrs[NL80211_ATTR_4ADDR]);
4600 		err = nl80211_valid_4addr(rdev, NULL, params.use_4addr, type);
4601 		if (err)
4602 			return err;
4603 	}
4604 
4605 	if (!cfg80211_iftype_allowed(&rdev->wiphy, type, params.use_4addr, 0))
4606 		return -EOPNOTSUPP;
4607 
4608 	err = nl80211_parse_mon_options(rdev, type, info, &params);
4609 	if (err < 0)
4610 		return err;
4611 
4612 	err = nl80211_parse_vif_radio_mask(info, &radio_mask);
4613 	if (err < 0)
4614 		return err;
4615 
4616 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
4617 	if (!msg)
4618 		return -ENOMEM;
4619 
4620 	wdev = rdev_add_virtual_intf(rdev,
4621 				nla_data(info->attrs[NL80211_ATTR_IFNAME]),
4622 				NET_NAME_USER, type, &params);
4623 	if (WARN_ON(!wdev)) {
4624 		nlmsg_free(msg);
4625 		return -EPROTO;
4626 	} else if (IS_ERR(wdev)) {
4627 		nlmsg_free(msg);
4628 		return PTR_ERR(wdev);
4629 	}
4630 
4631 	if (info->attrs[NL80211_ATTR_SOCKET_OWNER])
4632 		wdev->owner_nlportid = info->snd_portid;
4633 
4634 	switch (type) {
4635 	case NL80211_IFTYPE_MESH_POINT:
4636 		if (!info->attrs[NL80211_ATTR_MESH_ID])
4637 			break;
4638 		wdev->u.mesh.id_up_len =
4639 			nla_len(info->attrs[NL80211_ATTR_MESH_ID]);
4640 		memcpy(wdev->u.mesh.id,
4641 		       nla_data(info->attrs[NL80211_ATTR_MESH_ID]),
4642 		       wdev->u.mesh.id_up_len);
4643 		break;
4644 	case NL80211_IFTYPE_NAN:
4645 	case NL80211_IFTYPE_P2P_DEVICE:
4646 		/*
4647 		 * P2P Device and NAN do not have a netdev, so don't go
4648 		 * through the netdev notifier and must be added here
4649 		 */
4650 		cfg80211_init_wdev(wdev);
4651 		cfg80211_register_wdev(rdev, wdev);
4652 		break;
4653 	default:
4654 		break;
4655 	}
4656 
4657 	if (radio_mask)
4658 		wdev->radio_mask = radio_mask;
4659 
4660 	if (nl80211_send_iface(msg, info->snd_portid, info->snd_seq, 0,
4661 			       rdev, wdev, NL80211_CMD_NEW_INTERFACE) < 0) {
4662 		nlmsg_free(msg);
4663 		return -ENOBUFS;
4664 	}
4665 
4666 	return genlmsg_reply(msg, info);
4667 }
4668 
4669 static int nl80211_new_interface(struct sk_buff *skb, struct genl_info *info)
4670 {
4671 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4672 
4673 	/* to avoid failing a new interface creation due to pending removal */
4674 	cfg80211_destroy_ifaces(rdev);
4675 
4676 	guard(wiphy)(&rdev->wiphy);
4677 
4678 	return _nl80211_new_interface(skb, info);
4679 }
4680 
4681 static int nl80211_del_interface(struct sk_buff *skb, struct genl_info *info)
4682 {
4683 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4684 	struct wireless_dev *wdev = info->user_ptr[1];
4685 
4686 	if (!rdev->ops->del_virtual_intf)
4687 		return -EOPNOTSUPP;
4688 
4689 	/*
4690 	 * We hold RTNL, so this is safe, without RTNL opencount cannot
4691 	 * reach 0, and thus the rdev cannot be deleted.
4692 	 *
4693 	 * We need to do it for the dev_close(), since that will call
4694 	 * the netdev notifiers, and we need to acquire the mutex there
4695 	 * but don't know if we get there from here or from some other
4696 	 * place (e.g. "ip link set ... down").
4697 	 */
4698 	mutex_unlock(&rdev->wiphy.mtx);
4699 
4700 	/*
4701 	 * If we remove a wireless device without a netdev then clear
4702 	 * user_ptr[1] so that nl80211_post_doit won't dereference it
4703 	 * to check if it needs to do dev_put(). Otherwise it crashes
4704 	 * since the wdev has been freed, unlike with a netdev where
4705 	 * we need the dev_put() for the netdev to really be freed.
4706 	 */
4707 	if (!wdev->netdev)
4708 		info->user_ptr[1] = NULL;
4709 	else
4710 		dev_close(wdev->netdev);
4711 
4712 	mutex_lock(&rdev->wiphy.mtx);
4713 
4714 	return cfg80211_remove_virtual_intf(rdev, wdev);
4715 }
4716 
4717 static int nl80211_set_noack_map(struct sk_buff *skb, struct genl_info *info)
4718 {
4719 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4720 	struct net_device *dev = info->user_ptr[1];
4721 	u16 noack_map;
4722 
4723 	if (!info->attrs[NL80211_ATTR_NOACK_MAP])
4724 		return -EINVAL;
4725 
4726 	if (!rdev->ops->set_noack_map)
4727 		return -EOPNOTSUPP;
4728 
4729 	noack_map = nla_get_u16(info->attrs[NL80211_ATTR_NOACK_MAP]);
4730 
4731 	return rdev_set_noack_map(rdev, dev, noack_map);
4732 }
4733 
4734 static int nl80211_validate_key_link_id(struct genl_info *info,
4735 					struct wireless_dev *wdev,
4736 					int link_id, bool pairwise)
4737 {
4738 	if (pairwise) {
4739 		if (link_id != -1) {
4740 			GENL_SET_ERR_MSG(info,
4741 					 "link ID not allowed for pairwise key");
4742 			return -EINVAL;
4743 		}
4744 
4745 		return 0;
4746 	}
4747 
4748 	if (wdev->valid_links) {
4749 		if (link_id == -1) {
4750 			GENL_SET_ERR_MSG(info,
4751 					 "link ID must for MLO group key");
4752 			return -EINVAL;
4753 		}
4754 		if (!(wdev->valid_links & BIT(link_id))) {
4755 			GENL_SET_ERR_MSG(info, "invalid link ID for MLO group key");
4756 			return -EINVAL;
4757 		}
4758 	} else if (link_id != -1) {
4759 		GENL_SET_ERR_MSG(info, "link ID not allowed for non-MLO group key");
4760 		return -EINVAL;
4761 	}
4762 
4763 	return 0;
4764 }
4765 
4766 struct get_key_cookie {
4767 	struct sk_buff *msg;
4768 	int error;
4769 	int idx;
4770 };
4771 
4772 static void get_key_callback(void *c, struct key_params *params)
4773 {
4774 	struct nlattr *key;
4775 	struct get_key_cookie *cookie = c;
4776 
4777 	if ((params->seq &&
4778 	     nla_put(cookie->msg, NL80211_ATTR_KEY_SEQ,
4779 		     params->seq_len, params->seq)) ||
4780 	    (params->cipher &&
4781 	     nla_put_u32(cookie->msg, NL80211_ATTR_KEY_CIPHER,
4782 			 params->cipher)))
4783 		goto nla_put_failure;
4784 
4785 	key = nla_nest_start_noflag(cookie->msg, NL80211_ATTR_KEY);
4786 	if (!key)
4787 		goto nla_put_failure;
4788 
4789 	if ((params->seq &&
4790 	     nla_put(cookie->msg, NL80211_KEY_SEQ,
4791 		     params->seq_len, params->seq)) ||
4792 	    (params->cipher &&
4793 	     nla_put_u32(cookie->msg, NL80211_KEY_CIPHER,
4794 			 params->cipher)))
4795 		goto nla_put_failure;
4796 
4797 	if (nla_put_u8(cookie->msg, NL80211_KEY_IDX, cookie->idx))
4798 		goto nla_put_failure;
4799 
4800 	nla_nest_end(cookie->msg, key);
4801 
4802 	return;
4803  nla_put_failure:
4804 	cookie->error = 1;
4805 }
4806 
4807 static int nl80211_get_key(struct sk_buff *skb, struct genl_info *info)
4808 {
4809 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4810 	int err;
4811 	struct net_device *dev = info->user_ptr[1];
4812 	u8 key_idx = 0;
4813 	const u8 *mac_addr = NULL;
4814 	bool pairwise;
4815 	struct get_key_cookie cookie = {
4816 		.error = 0,
4817 	};
4818 	void *hdr;
4819 	struct sk_buff *msg;
4820 	bool bigtk_support = false;
4821 	int link_id = nl80211_link_id_or_invalid(info->attrs);
4822 	struct wireless_dev *wdev = dev->ieee80211_ptr;
4823 
4824 	if (wiphy_ext_feature_isset(&rdev->wiphy,
4825 				    NL80211_EXT_FEATURE_BEACON_PROTECTION))
4826 		bigtk_support = true;
4827 
4828 	if ((wdev->iftype == NL80211_IFTYPE_STATION ||
4829 	     wdev->iftype == NL80211_IFTYPE_P2P_CLIENT) &&
4830 	    wiphy_ext_feature_isset(&rdev->wiphy,
4831 				    NL80211_EXT_FEATURE_BEACON_PROTECTION_CLIENT))
4832 		bigtk_support = true;
4833 
4834 	if (info->attrs[NL80211_ATTR_KEY_IDX]) {
4835 		key_idx = nla_get_u8(info->attrs[NL80211_ATTR_KEY_IDX]);
4836 
4837 		if (key_idx >= 6 && key_idx <= 7 && !bigtk_support) {
4838 			GENL_SET_ERR_MSG(info, "BIGTK not supported");
4839 			return -EINVAL;
4840 		}
4841 	}
4842 
4843 	if (info->attrs[NL80211_ATTR_MAC])
4844 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
4845 
4846 	pairwise = !!mac_addr;
4847 	if (info->attrs[NL80211_ATTR_KEY_TYPE]) {
4848 		u32 kt = nla_get_u32(info->attrs[NL80211_ATTR_KEY_TYPE]);
4849 
4850 		if (kt != NL80211_KEYTYPE_GROUP &&
4851 		    kt != NL80211_KEYTYPE_PAIRWISE)
4852 			return -EINVAL;
4853 		pairwise = kt == NL80211_KEYTYPE_PAIRWISE;
4854 	}
4855 
4856 	if (!rdev->ops->get_key)
4857 		return -EOPNOTSUPP;
4858 
4859 	if (!pairwise && mac_addr && !(rdev->wiphy.flags & WIPHY_FLAG_IBSS_RSN))
4860 		return -ENOENT;
4861 
4862 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
4863 	if (!msg)
4864 		return -ENOMEM;
4865 
4866 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
4867 			     NL80211_CMD_NEW_KEY);
4868 	if (!hdr)
4869 		goto nla_put_failure;
4870 
4871 	cookie.msg = msg;
4872 	cookie.idx = key_idx;
4873 
4874 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
4875 	    nla_put_u8(msg, NL80211_ATTR_KEY_IDX, key_idx))
4876 		goto nla_put_failure;
4877 	if (mac_addr &&
4878 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac_addr))
4879 		goto nla_put_failure;
4880 
4881 	err = nl80211_validate_key_link_id(info, wdev, link_id, pairwise);
4882 	if (err)
4883 		goto free_msg;
4884 
4885 	err = rdev_get_key(rdev, dev, link_id, key_idx, pairwise, mac_addr,
4886 			   &cookie, get_key_callback);
4887 
4888 	if (err)
4889 		goto free_msg;
4890 
4891 	if (cookie.error)
4892 		goto nla_put_failure;
4893 
4894 	genlmsg_end(msg, hdr);
4895 	return genlmsg_reply(msg, info);
4896 
4897  nla_put_failure:
4898 	err = -ENOBUFS;
4899  free_msg:
4900 	nlmsg_free(msg);
4901 	return err;
4902 }
4903 
4904 static int nl80211_set_key(struct sk_buff *skb, struct genl_info *info)
4905 {
4906 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4907 	struct key_parse key;
4908 	int err;
4909 	struct net_device *dev = info->user_ptr[1];
4910 	int link_id = nl80211_link_id_or_invalid(info->attrs);
4911 	struct wireless_dev *wdev = dev->ieee80211_ptr;
4912 
4913 	err = nl80211_parse_key(info, &key);
4914 	if (err)
4915 		return err;
4916 
4917 	if (key.idx < 0)
4918 		return -EINVAL;
4919 
4920 	/* Only support setting default key and
4921 	 * Extended Key ID action NL80211_KEY_SET_TX.
4922 	 */
4923 	if (!key.def && !key.defmgmt && !key.defbeacon &&
4924 	    !(key.p.mode == NL80211_KEY_SET_TX))
4925 		return -EINVAL;
4926 
4927 	if (key.def) {
4928 		if (!rdev->ops->set_default_key)
4929 			return -EOPNOTSUPP;
4930 
4931 		err = nl80211_key_allowed(wdev);
4932 		if (err)
4933 			return err;
4934 
4935 		err = nl80211_validate_key_link_id(info, wdev, link_id, false);
4936 		if (err)
4937 			return err;
4938 
4939 		err = rdev_set_default_key(rdev, dev, link_id, key.idx,
4940 					   key.def_uni, key.def_multi);
4941 
4942 		if (err)
4943 			return err;
4944 
4945 #ifdef CONFIG_CFG80211_WEXT
4946 		wdev->wext.default_key = key.idx;
4947 #endif
4948 		return 0;
4949 	} else if (key.defmgmt) {
4950 		if (key.def_uni || !key.def_multi)
4951 			return -EINVAL;
4952 
4953 		if (!rdev->ops->set_default_mgmt_key)
4954 			return -EOPNOTSUPP;
4955 
4956 		err = nl80211_key_allowed(wdev);
4957 		if (err)
4958 			return err;
4959 
4960 		err = nl80211_validate_key_link_id(info, wdev, link_id, false);
4961 		if (err)
4962 			return err;
4963 
4964 		err = rdev_set_default_mgmt_key(rdev, dev, link_id, key.idx);
4965 		if (err)
4966 			return err;
4967 
4968 #ifdef CONFIG_CFG80211_WEXT
4969 		wdev->wext.default_mgmt_key = key.idx;
4970 #endif
4971 		return 0;
4972 	} else if (key.defbeacon) {
4973 		if (key.def_uni || !key.def_multi)
4974 			return -EINVAL;
4975 
4976 		if (!rdev->ops->set_default_beacon_key)
4977 			return -EOPNOTSUPP;
4978 
4979 		err = nl80211_key_allowed(wdev);
4980 		if (err)
4981 			return err;
4982 
4983 		err = nl80211_validate_key_link_id(info, wdev, link_id, false);
4984 		if (err)
4985 			return err;
4986 
4987 		return rdev_set_default_beacon_key(rdev, dev, link_id, key.idx);
4988 	} else if (key.p.mode == NL80211_KEY_SET_TX &&
4989 		   wiphy_ext_feature_isset(&rdev->wiphy,
4990 					   NL80211_EXT_FEATURE_EXT_KEY_ID)) {
4991 		u8 *mac_addr = NULL;
4992 
4993 		if (info->attrs[NL80211_ATTR_MAC])
4994 			mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
4995 
4996 		if (!mac_addr || key.idx < 0 || key.idx > 1)
4997 			return -EINVAL;
4998 
4999 		err = nl80211_validate_key_link_id(info, wdev, link_id, true);
5000 		if (err)
5001 			return err;
5002 
5003 		return rdev_add_key(rdev, dev, link_id, key.idx,
5004 				    NL80211_KEYTYPE_PAIRWISE,
5005 				    mac_addr, &key.p);
5006 	}
5007 
5008 	return -EINVAL;
5009 }
5010 
5011 static int nl80211_new_key(struct sk_buff *skb, struct genl_info *info)
5012 {
5013 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
5014 	int err;
5015 	struct net_device *dev = info->user_ptr[1];
5016 	struct key_parse key;
5017 	const u8 *mac_addr = NULL;
5018 	int link_id = nl80211_link_id_or_invalid(info->attrs);
5019 	struct wireless_dev *wdev = dev->ieee80211_ptr;
5020 
5021 	err = nl80211_parse_key(info, &key);
5022 	if (err)
5023 		return err;
5024 
5025 	if (!key.p.key) {
5026 		GENL_SET_ERR_MSG(info, "no key");
5027 		return -EINVAL;
5028 	}
5029 
5030 	if (info->attrs[NL80211_ATTR_MAC])
5031 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
5032 
5033 	if (key.type == -1) {
5034 		if (mac_addr)
5035 			key.type = NL80211_KEYTYPE_PAIRWISE;
5036 		else
5037 			key.type = NL80211_KEYTYPE_GROUP;
5038 	}
5039 
5040 	/* for now */
5041 	if (key.type != NL80211_KEYTYPE_PAIRWISE &&
5042 	    key.type != NL80211_KEYTYPE_GROUP) {
5043 		GENL_SET_ERR_MSG(info, "key type not pairwise or group");
5044 		return -EINVAL;
5045 	}
5046 
5047 	if (key.type == NL80211_KEYTYPE_GROUP &&
5048 	    info->attrs[NL80211_ATTR_VLAN_ID])
5049 		key.p.vlan_id = nla_get_u16(info->attrs[NL80211_ATTR_VLAN_ID]);
5050 
5051 	if (!rdev->ops->add_key)
5052 		return -EOPNOTSUPP;
5053 
5054 	if (cfg80211_validate_key_settings(rdev, &key.p, key.idx,
5055 					   key.type == NL80211_KEYTYPE_PAIRWISE,
5056 					   mac_addr)) {
5057 		GENL_SET_ERR_MSG(info, "key setting validation failed");
5058 		return -EINVAL;
5059 	}
5060 
5061 	err = nl80211_key_allowed(wdev);
5062 	if (err)
5063 		GENL_SET_ERR_MSG(info, "key not allowed");
5064 
5065 	if (!err)
5066 		err = nl80211_validate_key_link_id(info, wdev, link_id,
5067 				key.type == NL80211_KEYTYPE_PAIRWISE);
5068 
5069 	if (!err) {
5070 		err = rdev_add_key(rdev, dev, link_id, key.idx,
5071 				   key.type == NL80211_KEYTYPE_PAIRWISE,
5072 				    mac_addr, &key.p);
5073 		if (err)
5074 			GENL_SET_ERR_MSG(info, "key addition failed");
5075 	}
5076 
5077 	return err;
5078 }
5079 
5080 static int nl80211_del_key(struct sk_buff *skb, struct genl_info *info)
5081 {
5082 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
5083 	int err;
5084 	struct net_device *dev = info->user_ptr[1];
5085 	u8 *mac_addr = NULL;
5086 	struct key_parse key;
5087 	int link_id = nl80211_link_id_or_invalid(info->attrs);
5088 	struct wireless_dev *wdev = dev->ieee80211_ptr;
5089 
5090 	err = nl80211_parse_key(info, &key);
5091 	if (err)
5092 		return err;
5093 
5094 	if (info->attrs[NL80211_ATTR_MAC])
5095 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
5096 
5097 	if (key.type == -1) {
5098 		if (mac_addr)
5099 			key.type = NL80211_KEYTYPE_PAIRWISE;
5100 		else
5101 			key.type = NL80211_KEYTYPE_GROUP;
5102 	}
5103 
5104 	/* for now */
5105 	if (key.type != NL80211_KEYTYPE_PAIRWISE &&
5106 	    key.type != NL80211_KEYTYPE_GROUP)
5107 		return -EINVAL;
5108 
5109 	if (!cfg80211_valid_key_idx(rdev, key.idx,
5110 				    key.type == NL80211_KEYTYPE_PAIRWISE))
5111 		return -EINVAL;
5112 
5113 	if (!rdev->ops->del_key)
5114 		return -EOPNOTSUPP;
5115 
5116 	err = nl80211_key_allowed(wdev);
5117 
5118 	if (key.type == NL80211_KEYTYPE_GROUP && mac_addr &&
5119 	    !(rdev->wiphy.flags & WIPHY_FLAG_IBSS_RSN))
5120 		err = -ENOENT;
5121 
5122 	if (!err)
5123 		err = nl80211_validate_key_link_id(info, wdev, link_id,
5124 				key.type == NL80211_KEYTYPE_PAIRWISE);
5125 
5126 	if (!err)
5127 		err = rdev_del_key(rdev, dev, link_id, key.idx,
5128 				   key.type == NL80211_KEYTYPE_PAIRWISE,
5129 				   mac_addr);
5130 
5131 #ifdef CONFIG_CFG80211_WEXT
5132 	if (!err) {
5133 		if (key.idx == wdev->wext.default_key)
5134 			wdev->wext.default_key = -1;
5135 		else if (key.idx == wdev->wext.default_mgmt_key)
5136 			wdev->wext.default_mgmt_key = -1;
5137 	}
5138 #endif
5139 
5140 	return err;
5141 }
5142 
5143 /* This function returns an error or the number of nested attributes */
5144 static int validate_acl_mac_addrs(struct nlattr *nl_attr)
5145 {
5146 	struct nlattr *attr;
5147 	int n_entries = 0, tmp;
5148 
5149 	nla_for_each_nested(attr, nl_attr, tmp) {
5150 		if (nla_len(attr) != ETH_ALEN)
5151 			return -EINVAL;
5152 
5153 		n_entries++;
5154 	}
5155 
5156 	return n_entries;
5157 }
5158 
5159 /*
5160  * This function parses ACL information and allocates memory for ACL data.
5161  * On successful return, the calling function is responsible to free the
5162  * ACL buffer returned by this function.
5163  */
5164 static struct cfg80211_acl_data *parse_acl_data(struct wiphy *wiphy,
5165 						struct genl_info *info)
5166 {
5167 	enum nl80211_acl_policy acl_policy;
5168 	struct nlattr *attr;
5169 	struct cfg80211_acl_data *acl;
5170 	int i = 0, n_entries, tmp;
5171 
5172 	if (!wiphy->max_acl_mac_addrs)
5173 		return ERR_PTR(-EOPNOTSUPP);
5174 
5175 	if (!info->attrs[NL80211_ATTR_ACL_POLICY])
5176 		return ERR_PTR(-EINVAL);
5177 
5178 	acl_policy = nla_get_u32(info->attrs[NL80211_ATTR_ACL_POLICY]);
5179 	if (acl_policy != NL80211_ACL_POLICY_ACCEPT_UNLESS_LISTED &&
5180 	    acl_policy != NL80211_ACL_POLICY_DENY_UNLESS_LISTED)
5181 		return ERR_PTR(-EINVAL);
5182 
5183 	if (!info->attrs[NL80211_ATTR_MAC_ADDRS])
5184 		return ERR_PTR(-EINVAL);
5185 
5186 	n_entries = validate_acl_mac_addrs(info->attrs[NL80211_ATTR_MAC_ADDRS]);
5187 	if (n_entries < 0)
5188 		return ERR_PTR(n_entries);
5189 
5190 	if (n_entries > wiphy->max_acl_mac_addrs)
5191 		return ERR_PTR(-EOPNOTSUPP);
5192 
5193 	acl = kzalloc(struct_size(acl, mac_addrs, n_entries), GFP_KERNEL);
5194 	if (!acl)
5195 		return ERR_PTR(-ENOMEM);
5196 	acl->n_acl_entries = n_entries;
5197 
5198 	nla_for_each_nested(attr, info->attrs[NL80211_ATTR_MAC_ADDRS], tmp) {
5199 		memcpy(acl->mac_addrs[i].addr, nla_data(attr), ETH_ALEN);
5200 		i++;
5201 	}
5202 	acl->acl_policy = acl_policy;
5203 
5204 	return acl;
5205 }
5206 
5207 static int nl80211_set_mac_acl(struct sk_buff *skb, struct genl_info *info)
5208 {
5209 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
5210 	struct net_device *dev = info->user_ptr[1];
5211 	struct cfg80211_acl_data *acl;
5212 	int err;
5213 
5214 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
5215 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
5216 		return -EOPNOTSUPP;
5217 
5218 	if (!dev->ieee80211_ptr->links[0].ap.beacon_interval)
5219 		return -EINVAL;
5220 
5221 	acl = parse_acl_data(&rdev->wiphy, info);
5222 	if (IS_ERR(acl))
5223 		return PTR_ERR(acl);
5224 
5225 	err = rdev_set_mac_acl(rdev, dev, acl);
5226 
5227 	kfree(acl);
5228 
5229 	return err;
5230 }
5231 
5232 static u32 rateset_to_mask(struct ieee80211_supported_band *sband,
5233 			   u8 *rates, u8 rates_len)
5234 {
5235 	u8 i;
5236 	u32 mask = 0;
5237 
5238 	for (i = 0; i < rates_len; i++) {
5239 		int rate = (rates[i] & 0x7f) * 5;
5240 		int ridx;
5241 
5242 		for (ridx = 0; ridx < sband->n_bitrates; ridx++) {
5243 			struct ieee80211_rate *srate =
5244 				&sband->bitrates[ridx];
5245 			if (rate == srate->bitrate) {
5246 				mask |= 1 << ridx;
5247 				break;
5248 			}
5249 		}
5250 		if (ridx == sband->n_bitrates)
5251 			return 0; /* rate not found */
5252 	}
5253 
5254 	return mask;
5255 }
5256 
5257 static bool ht_rateset_to_mask(struct ieee80211_supported_band *sband,
5258 			       u8 *rates, u8 rates_len,
5259 			       u8 mcs[IEEE80211_HT_MCS_MASK_LEN])
5260 {
5261 	u8 i;
5262 
5263 	memset(mcs, 0, IEEE80211_HT_MCS_MASK_LEN);
5264 
5265 	for (i = 0; i < rates_len; i++) {
5266 		int ridx, rbit;
5267 
5268 		ridx = rates[i] / 8;
5269 		rbit = BIT(rates[i] % 8);
5270 
5271 		/* check validity */
5272 		if ((ridx < 0) || (ridx >= IEEE80211_HT_MCS_MASK_LEN))
5273 			return false;
5274 
5275 		/* check availability */
5276 		ridx = array_index_nospec(ridx, IEEE80211_HT_MCS_MASK_LEN);
5277 		if (sband->ht_cap.mcs.rx_mask[ridx] & rbit)
5278 			mcs[ridx] |= rbit;
5279 		else
5280 			return false;
5281 	}
5282 
5283 	return true;
5284 }
5285 
5286 static u16 vht_mcs_map_to_mcs_mask(u8 vht_mcs_map)
5287 {
5288 	u16 mcs_mask = 0;
5289 
5290 	switch (vht_mcs_map) {
5291 	case IEEE80211_VHT_MCS_NOT_SUPPORTED:
5292 		break;
5293 	case IEEE80211_VHT_MCS_SUPPORT_0_7:
5294 		mcs_mask = 0x00FF;
5295 		break;
5296 	case IEEE80211_VHT_MCS_SUPPORT_0_8:
5297 		mcs_mask = 0x01FF;
5298 		break;
5299 	case IEEE80211_VHT_MCS_SUPPORT_0_9:
5300 		mcs_mask = 0x03FF;
5301 		break;
5302 	default:
5303 		break;
5304 	}
5305 
5306 	return mcs_mask;
5307 }
5308 
5309 static void vht_build_mcs_mask(u16 vht_mcs_map,
5310 			       u16 vht_mcs_mask[NL80211_VHT_NSS_MAX])
5311 {
5312 	u8 nss;
5313 
5314 	for (nss = 0; nss < NL80211_VHT_NSS_MAX; nss++) {
5315 		vht_mcs_mask[nss] = vht_mcs_map_to_mcs_mask(vht_mcs_map & 0x03);
5316 		vht_mcs_map >>= 2;
5317 	}
5318 }
5319 
5320 static bool vht_set_mcs_mask(struct ieee80211_supported_band *sband,
5321 			     struct nl80211_txrate_vht *txrate,
5322 			     u16 mcs[NL80211_VHT_NSS_MAX])
5323 {
5324 	u16 tx_mcs_map = le16_to_cpu(sband->vht_cap.vht_mcs.tx_mcs_map);
5325 	u16 tx_mcs_mask[NL80211_VHT_NSS_MAX] = {};
5326 	u8 i;
5327 
5328 	if (!sband->vht_cap.vht_supported)
5329 		return false;
5330 
5331 	memset(mcs, 0, sizeof(u16) * NL80211_VHT_NSS_MAX);
5332 
5333 	/* Build vht_mcs_mask from VHT capabilities */
5334 	vht_build_mcs_mask(tx_mcs_map, tx_mcs_mask);
5335 
5336 	for (i = 0; i < NL80211_VHT_NSS_MAX; i++) {
5337 		if ((tx_mcs_mask[i] & txrate->mcs[i]) == txrate->mcs[i])
5338 			mcs[i] = txrate->mcs[i];
5339 		else
5340 			return false;
5341 	}
5342 
5343 	return true;
5344 }
5345 
5346 static u16 he_mcs_map_to_mcs_mask(u8 he_mcs_map)
5347 {
5348 	switch (he_mcs_map) {
5349 	case IEEE80211_HE_MCS_NOT_SUPPORTED:
5350 		return 0;
5351 	case IEEE80211_HE_MCS_SUPPORT_0_7:
5352 		return 0x00FF;
5353 	case IEEE80211_HE_MCS_SUPPORT_0_9:
5354 		return 0x03FF;
5355 	case IEEE80211_HE_MCS_SUPPORT_0_11:
5356 		return 0xFFF;
5357 	default:
5358 		break;
5359 	}
5360 	return 0;
5361 }
5362 
5363 static void he_build_mcs_mask(u16 he_mcs_map,
5364 			      u16 he_mcs_mask[NL80211_HE_NSS_MAX])
5365 {
5366 	u8 nss;
5367 
5368 	for (nss = 0; nss < NL80211_HE_NSS_MAX; nss++) {
5369 		he_mcs_mask[nss] = he_mcs_map_to_mcs_mask(he_mcs_map & 0x03);
5370 		he_mcs_map >>= 2;
5371 	}
5372 }
5373 
5374 static u16 he_get_txmcsmap(struct genl_info *info, unsigned int link_id,
5375 			   const struct ieee80211_sta_he_cap *he_cap)
5376 {
5377 	struct net_device *dev = info->user_ptr[1];
5378 	struct wireless_dev *wdev = dev->ieee80211_ptr;
5379 	struct cfg80211_chan_def *chandef;
5380 	__le16 tx_mcs;
5381 
5382 	chandef = wdev_chandef(wdev, link_id);
5383 	if (!chandef) {
5384 		/*
5385 		 * This is probably broken, but we never maintained
5386 		 * a chandef in these cases, so it always was.
5387 		 */
5388 		return le16_to_cpu(he_cap->he_mcs_nss_supp.tx_mcs_80);
5389 	}
5390 
5391 	switch (chandef->width) {
5392 	case NL80211_CHAN_WIDTH_80P80:
5393 		tx_mcs = he_cap->he_mcs_nss_supp.tx_mcs_80p80;
5394 		break;
5395 	case NL80211_CHAN_WIDTH_160:
5396 		tx_mcs = he_cap->he_mcs_nss_supp.tx_mcs_160;
5397 		break;
5398 	default:
5399 		tx_mcs = he_cap->he_mcs_nss_supp.tx_mcs_80;
5400 		break;
5401 	}
5402 
5403 	return le16_to_cpu(tx_mcs);
5404 }
5405 
5406 static bool he_set_mcs_mask(struct genl_info *info,
5407 			    struct wireless_dev *wdev,
5408 			    struct ieee80211_supported_band *sband,
5409 			    struct nl80211_txrate_he *txrate,
5410 			    u16 mcs[NL80211_HE_NSS_MAX],
5411 			    unsigned int link_id)
5412 {
5413 	const struct ieee80211_sta_he_cap *he_cap;
5414 	u16 tx_mcs_mask[NL80211_HE_NSS_MAX] = {};
5415 	u16 tx_mcs_map = 0;
5416 	u8 i;
5417 
5418 	he_cap = ieee80211_get_he_iftype_cap(sband, wdev->iftype);
5419 	if (!he_cap)
5420 		return false;
5421 
5422 	memset(mcs, 0, sizeof(u16) * NL80211_HE_NSS_MAX);
5423 
5424 	tx_mcs_map = he_get_txmcsmap(info, link_id, he_cap);
5425 
5426 	/* Build he_mcs_mask from HE capabilities */
5427 	he_build_mcs_mask(tx_mcs_map, tx_mcs_mask);
5428 
5429 	for (i = 0; i < NL80211_HE_NSS_MAX; i++) {
5430 		if ((tx_mcs_mask[i] & txrate->mcs[i]) == txrate->mcs[i])
5431 			mcs[i] = txrate->mcs[i];
5432 		else
5433 			return false;
5434 	}
5435 
5436 	return true;
5437 }
5438 
5439 static void eht_build_mcs_mask(struct genl_info *info,
5440 			       const struct ieee80211_sta_eht_cap *eht_cap,
5441 			       u8 mcs_nss_len, u16 *mcs_mask)
5442 {
5443 	struct net_device *dev = info->user_ptr[1];
5444 	struct wireless_dev *wdev = dev->ieee80211_ptr;
5445 	u8 nss, mcs_7 = 0, mcs_9 = 0, mcs_11 = 0, mcs_13 = 0;
5446 	unsigned int link_id = nl80211_link_id(info->attrs);
5447 
5448 	if (mcs_nss_len == 4) {
5449 		const struct ieee80211_eht_mcs_nss_supp_20mhz_only *mcs =
5450 					&eht_cap->eht_mcs_nss_supp.only_20mhz;
5451 
5452 		mcs_7 = u8_get_bits(mcs->rx_tx_mcs7_max_nss,
5453 				    IEEE80211_EHT_MCS_NSS_TX);
5454 		mcs_9 = u8_get_bits(mcs->rx_tx_mcs9_max_nss,
5455 				    IEEE80211_EHT_MCS_NSS_TX);
5456 		mcs_11 = u8_get_bits(mcs->rx_tx_mcs11_max_nss,
5457 				     IEEE80211_EHT_MCS_NSS_TX);
5458 		mcs_13 = u8_get_bits(mcs->rx_tx_mcs13_max_nss,
5459 				     IEEE80211_EHT_MCS_NSS_TX);
5460 
5461 	} else {
5462 		const struct ieee80211_eht_mcs_nss_supp_bw *mcs;
5463 		enum nl80211_chan_width width;
5464 
5465 		switch (wdev->iftype) {
5466 		case NL80211_IFTYPE_ADHOC:
5467 			width = wdev->u.ibss.chandef.width;
5468 			break;
5469 		case NL80211_IFTYPE_MESH_POINT:
5470 			width = wdev->u.mesh.chandef.width;
5471 			break;
5472 		case NL80211_IFTYPE_OCB:
5473 			width = wdev->u.ocb.chandef.width;
5474 			break;
5475 		default:
5476 			if (wdev->valid_links)
5477 				width = wdev->links[link_id].ap.chandef.width;
5478 			else
5479 				width = wdev->u.ap.preset_chandef.width;
5480 			break;
5481 		}
5482 
5483 		switch (width) {
5484 		case NL80211_CHAN_WIDTH_320:
5485 			mcs = &eht_cap->eht_mcs_nss_supp.bw._320;
5486 			break;
5487 		case NL80211_CHAN_WIDTH_160:
5488 			mcs = &eht_cap->eht_mcs_nss_supp.bw._160;
5489 			break;
5490 		default:
5491 			mcs = &eht_cap->eht_mcs_nss_supp.bw._80;
5492 			break;
5493 		}
5494 
5495 		mcs_7 = u8_get_bits(mcs->rx_tx_mcs9_max_nss,
5496 				    IEEE80211_EHT_MCS_NSS_TX);
5497 		mcs_9 = u8_get_bits(mcs->rx_tx_mcs9_max_nss,
5498 				    IEEE80211_EHT_MCS_NSS_TX);
5499 		mcs_11 = u8_get_bits(mcs->rx_tx_mcs11_max_nss,
5500 				     IEEE80211_EHT_MCS_NSS_TX);
5501 		mcs_13 = u8_get_bits(mcs->rx_tx_mcs13_max_nss,
5502 				     IEEE80211_EHT_MCS_NSS_TX);
5503 	}
5504 
5505 	/* Enable MCS 14 for NSS 0 */
5506 	if (eht_cap->eht_cap_elem.phy_cap_info[6] &
5507 	    IEEE80211_EHT_PHY_CAP6_EHT_DUP_6GHZ_SUPP)
5508 		mcs_mask[0] |= 0x4000;
5509 
5510 	/* Enable MCS 15 for NSS 0 */
5511 	mcs_mask[0] |= 0x8000;
5512 
5513 	for (nss = 0; nss < NL80211_EHT_NSS_MAX; nss++) {
5514 		if (!mcs_7)
5515 			continue;
5516 		mcs_mask[nss] |= 0x00FF;
5517 		mcs_7--;
5518 
5519 		if (!mcs_9)
5520 			continue;
5521 		mcs_mask[nss] |= 0x0300;
5522 		mcs_9--;
5523 
5524 		if (!mcs_11)
5525 			continue;
5526 		mcs_mask[nss] |= 0x0C00;
5527 		mcs_11--;
5528 
5529 		if (!mcs_13)
5530 			continue;
5531 		mcs_mask[nss] |= 0x3000;
5532 		mcs_13--;
5533 	}
5534 }
5535 
5536 static bool eht_set_mcs_mask(struct genl_info *info, struct wireless_dev *wdev,
5537 			     struct ieee80211_supported_band *sband,
5538 			     struct nl80211_txrate_eht *txrate,
5539 			     u16 mcs[NL80211_EHT_NSS_MAX])
5540 {
5541 	const struct ieee80211_sta_he_cap *he_cap;
5542 	const struct ieee80211_sta_eht_cap *eht_cap;
5543 	u16 tx_mcs_mask[NL80211_EHT_NSS_MAX] = { 0 };
5544 	u8 i, mcs_nss_len;
5545 
5546 	he_cap = ieee80211_get_he_iftype_cap(sband, wdev->iftype);
5547 	if (!he_cap)
5548 		return false;
5549 
5550 	eht_cap = ieee80211_get_eht_iftype_cap(sband, wdev->iftype);
5551 	if (!eht_cap)
5552 		return false;
5553 
5554 	/* Checks for MCS 14 */
5555 	if (txrate->mcs[0] & 0x4000) {
5556 		if (sband->band != NL80211_BAND_6GHZ)
5557 			return false;
5558 
5559 		if (!(eht_cap->eht_cap_elem.phy_cap_info[6] &
5560 		      IEEE80211_EHT_PHY_CAP6_EHT_DUP_6GHZ_SUPP))
5561 			return false;
5562 	}
5563 
5564 	mcs_nss_len = ieee80211_eht_mcs_nss_size(&he_cap->he_cap_elem,
5565 						 &eht_cap->eht_cap_elem,
5566 						 wdev->iftype ==
5567 							NL80211_IFTYPE_STATION);
5568 
5569 	if (mcs_nss_len == 3) {
5570 		/* Supported iftypes for setting non-20 MHZ only EHT MCS */
5571 		switch (wdev->iftype) {
5572 		case NL80211_IFTYPE_ADHOC:
5573 		case NL80211_IFTYPE_AP:
5574 		case NL80211_IFTYPE_P2P_GO:
5575 		case NL80211_IFTYPE_MESH_POINT:
5576 		case NL80211_IFTYPE_OCB:
5577 			break;
5578 		default:
5579 			return false;
5580 		}
5581 	}
5582 
5583 	/* Build eht_mcs_mask from EHT and HE capabilities */
5584 	eht_build_mcs_mask(info, eht_cap, mcs_nss_len, tx_mcs_mask);
5585 
5586 	memset(mcs, 0, sizeof(u16) * NL80211_EHT_NSS_MAX);
5587 	for (i = 0; i < NL80211_EHT_NSS_MAX; i++) {
5588 		if ((tx_mcs_mask[i] & txrate->mcs[i]) == txrate->mcs[i])
5589 			mcs[i] = txrate->mcs[i];
5590 		else
5591 			return false;
5592 	}
5593 
5594 	return true;
5595 }
5596 
5597 static int nl80211_parse_tx_bitrate_mask(struct genl_info *info,
5598 					 struct nlattr *attrs[],
5599 					 enum nl80211_attrs attr,
5600 					 struct cfg80211_bitrate_mask *mask,
5601 					 struct net_device *dev,
5602 					 bool default_all_enabled,
5603 					 unsigned int link_id)
5604 {
5605 	struct nlattr *tb[NL80211_TXRATE_MAX + 1];
5606 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
5607 	struct wireless_dev *wdev = dev->ieee80211_ptr;
5608 	int rem, i;
5609 	struct nlattr *tx_rates;
5610 	struct ieee80211_supported_band *sband;
5611 	u16 vht_tx_mcs_map, he_tx_mcs_map;
5612 
5613 	memset(mask, 0, sizeof(*mask));
5614 	/* Default to all rates enabled */
5615 	for (i = 0; i < NUM_NL80211_BANDS; i++) {
5616 		const struct ieee80211_sta_he_cap *he_cap;
5617 		const struct ieee80211_sta_eht_cap *eht_cap;
5618 		u8 mcs_nss_len;
5619 
5620 		if (!default_all_enabled)
5621 			break;
5622 
5623 		sband = rdev->wiphy.bands[i];
5624 
5625 		if (!sband)
5626 			continue;
5627 
5628 		mask->control[i].legacy = (1 << sband->n_bitrates) - 1;
5629 		memcpy(mask->control[i].ht_mcs,
5630 		       sband->ht_cap.mcs.rx_mask,
5631 		       sizeof(mask->control[i].ht_mcs));
5632 
5633 		if (sband->vht_cap.vht_supported) {
5634 			vht_tx_mcs_map = le16_to_cpu(sband->vht_cap.vht_mcs.tx_mcs_map);
5635 			vht_build_mcs_mask(vht_tx_mcs_map, mask->control[i].vht_mcs);
5636 		}
5637 
5638 		he_cap = ieee80211_get_he_iftype_cap(sband, wdev->iftype);
5639 		if (!he_cap)
5640 			continue;
5641 
5642 		he_tx_mcs_map = he_get_txmcsmap(info, link_id, he_cap);
5643 		he_build_mcs_mask(he_tx_mcs_map, mask->control[i].he_mcs);
5644 
5645 		mask->control[i].he_gi = 0xFF;
5646 		mask->control[i].he_ltf = 0xFF;
5647 
5648 		eht_cap = ieee80211_get_eht_iftype_cap(sband, wdev->iftype);
5649 		if (!eht_cap)
5650 			continue;
5651 
5652 		mcs_nss_len = ieee80211_eht_mcs_nss_size(&he_cap->he_cap_elem,
5653 							 &eht_cap->eht_cap_elem,
5654 							 wdev->iftype ==
5655 							 NL80211_IFTYPE_STATION);
5656 
5657 		eht_build_mcs_mask(info, eht_cap, mcs_nss_len,
5658 				   mask->control[i].eht_mcs);
5659 
5660 		mask->control[i].eht_gi = 0xFF;
5661 		mask->control[i].eht_ltf = 0xFF;
5662 	}
5663 
5664 	/* if no rates are given set it back to the defaults */
5665 	if (!attrs[attr])
5666 		goto out;
5667 
5668 	/* The nested attribute uses enum nl80211_band as the index. This maps
5669 	 * directly to the enum nl80211_band values used in cfg80211.
5670 	 */
5671 	BUILD_BUG_ON(NL80211_MAX_SUPP_HT_RATES > IEEE80211_HT_MCS_MASK_LEN * 8);
5672 	nla_for_each_nested(tx_rates, attrs[attr], rem) {
5673 		enum nl80211_band band = nla_type(tx_rates);
5674 		int err;
5675 
5676 		if (band < 0 || band >= NUM_NL80211_BANDS)
5677 			return -EINVAL;
5678 		sband = rdev->wiphy.bands[band];
5679 		if (sband == NULL)
5680 			return -EINVAL;
5681 		err = nla_parse_nested_deprecated(tb, NL80211_TXRATE_MAX,
5682 						  tx_rates,
5683 						  nl80211_txattr_policy,
5684 						  info->extack);
5685 		if (err)
5686 			return err;
5687 		if (tb[NL80211_TXRATE_LEGACY]) {
5688 			mask->control[band].legacy = rateset_to_mask(
5689 				sband,
5690 				nla_data(tb[NL80211_TXRATE_LEGACY]),
5691 				nla_len(tb[NL80211_TXRATE_LEGACY]));
5692 			if ((mask->control[band].legacy == 0) &&
5693 			    nla_len(tb[NL80211_TXRATE_LEGACY]))
5694 				return -EINVAL;
5695 		}
5696 		if (tb[NL80211_TXRATE_HT]) {
5697 			if (!ht_rateset_to_mask(
5698 					sband,
5699 					nla_data(tb[NL80211_TXRATE_HT]),
5700 					nla_len(tb[NL80211_TXRATE_HT]),
5701 					mask->control[band].ht_mcs))
5702 				return -EINVAL;
5703 		}
5704 
5705 		if (tb[NL80211_TXRATE_VHT]) {
5706 			if (!vht_set_mcs_mask(
5707 					sband,
5708 					nla_data(tb[NL80211_TXRATE_VHT]),
5709 					mask->control[band].vht_mcs))
5710 				return -EINVAL;
5711 		}
5712 
5713 		if (tb[NL80211_TXRATE_GI]) {
5714 			mask->control[band].gi =
5715 				nla_get_u8(tb[NL80211_TXRATE_GI]);
5716 			if (mask->control[band].gi > NL80211_TXRATE_FORCE_LGI)
5717 				return -EINVAL;
5718 		}
5719 		if (tb[NL80211_TXRATE_HE] &&
5720 		    !he_set_mcs_mask(info, wdev, sband,
5721 				     nla_data(tb[NL80211_TXRATE_HE]),
5722 				     mask->control[band].he_mcs,
5723 				     link_id))
5724 			return -EINVAL;
5725 
5726 		if (tb[NL80211_TXRATE_HE_GI])
5727 			mask->control[band].he_gi =
5728 				nla_get_u8(tb[NL80211_TXRATE_HE_GI]);
5729 		if (tb[NL80211_TXRATE_HE_LTF])
5730 			mask->control[band].he_ltf =
5731 				nla_get_u8(tb[NL80211_TXRATE_HE_LTF]);
5732 
5733 		if (tb[NL80211_TXRATE_EHT] &&
5734 		    !eht_set_mcs_mask(info, wdev, sband,
5735 				      nla_data(tb[NL80211_TXRATE_EHT]),
5736 				      mask->control[band].eht_mcs))
5737 			return -EINVAL;
5738 
5739 		if (tb[NL80211_TXRATE_EHT_GI])
5740 			mask->control[band].eht_gi =
5741 				nla_get_u8(tb[NL80211_TXRATE_EHT_GI]);
5742 		if (tb[NL80211_TXRATE_EHT_LTF])
5743 			mask->control[band].eht_ltf =
5744 				nla_get_u8(tb[NL80211_TXRATE_EHT_LTF]);
5745 
5746 		if (mask->control[band].legacy == 0) {
5747 			/* don't allow empty legacy rates if HT, VHT, HE or EHT
5748 			 * are not even supported.
5749 			 */
5750 			if (!(rdev->wiphy.bands[band]->ht_cap.ht_supported ||
5751 			      rdev->wiphy.bands[band]->vht_cap.vht_supported ||
5752 			      ieee80211_get_he_iftype_cap(sband, wdev->iftype) ||
5753 			      ieee80211_get_eht_iftype_cap(sband, wdev->iftype)))
5754 				return -EINVAL;
5755 
5756 			for (i = 0; i < IEEE80211_HT_MCS_MASK_LEN; i++)
5757 				if (mask->control[band].ht_mcs[i])
5758 					goto out;
5759 
5760 			for (i = 0; i < NL80211_VHT_NSS_MAX; i++)
5761 				if (mask->control[band].vht_mcs[i])
5762 					goto out;
5763 
5764 			for (i = 0; i < NL80211_HE_NSS_MAX; i++)
5765 				if (mask->control[band].he_mcs[i])
5766 					goto out;
5767 
5768 			for (i = 0; i < NL80211_EHT_NSS_MAX; i++)
5769 				if (mask->control[band].eht_mcs[i])
5770 					goto out;
5771 
5772 			/* legacy and mcs rates may not be both empty */
5773 			return -EINVAL;
5774 		}
5775 	}
5776 
5777 out:
5778 	return 0;
5779 }
5780 
5781 static int validate_beacon_tx_rate(struct cfg80211_registered_device *rdev,
5782 				   enum nl80211_band band,
5783 				   struct cfg80211_bitrate_mask *beacon_rate)
5784 {
5785 	u32 count_ht, count_vht, count_he, count_eht, i;
5786 	u32 rate = beacon_rate->control[band].legacy;
5787 
5788 	/* Allow only one rate */
5789 	if (hweight32(rate) > 1)
5790 		return -EINVAL;
5791 
5792 	count_ht = 0;
5793 	for (i = 0; i < IEEE80211_HT_MCS_MASK_LEN; i++) {
5794 		if (hweight8(beacon_rate->control[band].ht_mcs[i]) > 1) {
5795 			return -EINVAL;
5796 		} else if (beacon_rate->control[band].ht_mcs[i]) {
5797 			count_ht++;
5798 			if (count_ht > 1)
5799 				return -EINVAL;
5800 		}
5801 		if (count_ht && rate)
5802 			return -EINVAL;
5803 	}
5804 
5805 	count_vht = 0;
5806 	for (i = 0; i < NL80211_VHT_NSS_MAX; i++) {
5807 		if (hweight16(beacon_rate->control[band].vht_mcs[i]) > 1) {
5808 			return -EINVAL;
5809 		} else if (beacon_rate->control[band].vht_mcs[i]) {
5810 			count_vht++;
5811 			if (count_vht > 1)
5812 				return -EINVAL;
5813 		}
5814 		if (count_vht && rate)
5815 			return -EINVAL;
5816 	}
5817 
5818 	count_he = 0;
5819 	for (i = 0; i < NL80211_HE_NSS_MAX; i++) {
5820 		if (hweight16(beacon_rate->control[band].he_mcs[i]) > 1) {
5821 			return -EINVAL;
5822 		} else if (beacon_rate->control[band].he_mcs[i]) {
5823 			count_he++;
5824 			if (count_he > 1)
5825 				return -EINVAL;
5826 		}
5827 		if (count_he && rate)
5828 			return -EINVAL;
5829 	}
5830 
5831 	count_eht = 0;
5832 	for (i = 0; i < NL80211_EHT_NSS_MAX; i++) {
5833 		if (hweight16(beacon_rate->control[band].eht_mcs[i]) > 1) {
5834 			return -EINVAL;
5835 		} else if (beacon_rate->control[band].eht_mcs[i]) {
5836 			count_eht++;
5837 			if (count_eht > 1)
5838 				return -EINVAL;
5839 		}
5840 		if (count_eht && rate)
5841 			return -EINVAL;
5842 	}
5843 
5844 	if ((count_ht && count_vht && count_he && count_eht) ||
5845 	    (!rate && !count_ht && !count_vht && !count_he && !count_eht))
5846 		return -EINVAL;
5847 
5848 	if (rate &&
5849 	    !wiphy_ext_feature_isset(&rdev->wiphy,
5850 				     NL80211_EXT_FEATURE_BEACON_RATE_LEGACY))
5851 		return -EINVAL;
5852 	if (count_ht &&
5853 	    !wiphy_ext_feature_isset(&rdev->wiphy,
5854 				     NL80211_EXT_FEATURE_BEACON_RATE_HT))
5855 		return -EINVAL;
5856 	if (count_vht &&
5857 	    !wiphy_ext_feature_isset(&rdev->wiphy,
5858 				     NL80211_EXT_FEATURE_BEACON_RATE_VHT))
5859 		return -EINVAL;
5860 	if (count_he &&
5861 	    !wiphy_ext_feature_isset(&rdev->wiphy,
5862 				     NL80211_EXT_FEATURE_BEACON_RATE_HE))
5863 		return -EINVAL;
5864 
5865 	if (count_eht &&
5866 	    !wiphy_ext_feature_isset(&rdev->wiphy,
5867 				     NL80211_EXT_FEATURE_BEACON_RATE_EHT))
5868 		return -EINVAL;
5869 
5870 	return 0;
5871 }
5872 
5873 static int nl80211_parse_mbssid_config(struct wiphy *wiphy,
5874 				       struct net_device *dev,
5875 				       unsigned int link_id,
5876 				       struct nlattr *attrs,
5877 				       struct cfg80211_mbssid_config *config,
5878 				       u8 num_elems)
5879 {
5880 	struct nlattr *tb[NL80211_MBSSID_CONFIG_ATTR_MAX + 1];
5881 	int tx_link_id = -1;
5882 
5883 	if (!wiphy->mbssid_max_interfaces)
5884 		return -EOPNOTSUPP;
5885 
5886 	if (nla_parse_nested(tb, NL80211_MBSSID_CONFIG_ATTR_MAX, attrs, NULL,
5887 			     NULL) ||
5888 	    !tb[NL80211_MBSSID_CONFIG_ATTR_INDEX])
5889 		return -EINVAL;
5890 
5891 	config->ema = nla_get_flag(tb[NL80211_MBSSID_CONFIG_ATTR_EMA]);
5892 	if (config->ema) {
5893 		if (!wiphy->ema_max_profile_periodicity)
5894 			return -EOPNOTSUPP;
5895 
5896 		if (num_elems > wiphy->ema_max_profile_periodicity)
5897 			return -EINVAL;
5898 	}
5899 
5900 	config->index = nla_get_u8(tb[NL80211_MBSSID_CONFIG_ATTR_INDEX]);
5901 	if (config->index >= wiphy->mbssid_max_interfaces ||
5902 	    (!config->index && !num_elems))
5903 		return -EINVAL;
5904 
5905 	if (tb[NL80211_MBSSID_CONFIG_ATTR_TX_LINK_ID])
5906 		tx_link_id = nla_get_u8(tb[NL80211_MBSSID_CONFIG_ATTR_TX_LINK_ID]);
5907 
5908 	if (tb[NL80211_MBSSID_CONFIG_ATTR_TX_IFINDEX]) {
5909 		u32 tx_ifindex =
5910 			nla_get_u32(tb[NL80211_MBSSID_CONFIG_ATTR_TX_IFINDEX]);
5911 
5912 		if ((!config->index && tx_ifindex != dev->ifindex) ||
5913 		    (config->index && tx_ifindex == dev->ifindex))
5914 			return -EINVAL;
5915 
5916 		if (tx_ifindex != dev->ifindex) {
5917 			struct net_device *tx_netdev =
5918 				dev_get_by_index(wiphy_net(wiphy), tx_ifindex);
5919 
5920 			if (!tx_netdev || !tx_netdev->ieee80211_ptr ||
5921 			    tx_netdev->ieee80211_ptr->wiphy != wiphy ||
5922 			    tx_netdev->ieee80211_ptr->iftype !=
5923 							NL80211_IFTYPE_AP) {
5924 				dev_put(tx_netdev);
5925 				return -EINVAL;
5926 			}
5927 
5928 			config->tx_wdev = tx_netdev->ieee80211_ptr;
5929 			/* Caller should call dev_put(config->tx_wdev) from this point */
5930 
5931 			if (config->tx_wdev->valid_links) {
5932 				if (tx_link_id == -1 ||
5933 				    !(config->tx_wdev->valid_links & BIT(tx_link_id)))
5934 					return -ENOLINK;
5935 
5936 				config->tx_link_id = tx_link_id;
5937 			}
5938 		} else {
5939 			if (tx_link_id >= 0 && tx_link_id != link_id)
5940 				return -EINVAL;
5941 
5942 			config->tx_wdev = dev->ieee80211_ptr;
5943 		}
5944 	} else if (!config->index) {
5945 		if (tx_link_id >= 0 && tx_link_id != link_id)
5946 			return -EINVAL;
5947 
5948 		config->tx_wdev = dev->ieee80211_ptr;
5949 	} else {
5950 		return -EINVAL;
5951 	}
5952 
5953 	return 0;
5954 }
5955 
5956 static struct cfg80211_mbssid_elems *
5957 nl80211_parse_mbssid_elems(struct wiphy *wiphy, struct nlattr *attrs)
5958 {
5959 	struct nlattr *nl_elems;
5960 	struct cfg80211_mbssid_elems *elems;
5961 	int rem_elems;
5962 	u8 i = 0, num_elems = 0;
5963 
5964 	if (!wiphy->mbssid_max_interfaces)
5965 		return ERR_PTR(-EINVAL);
5966 
5967 	nla_for_each_nested(nl_elems, attrs, rem_elems) {
5968 		if (num_elems >= 255)
5969 			return ERR_PTR(-EINVAL);
5970 		num_elems++;
5971 	}
5972 
5973 	elems = kzalloc(struct_size(elems, elem, num_elems), GFP_KERNEL);
5974 	if (!elems)
5975 		return ERR_PTR(-ENOMEM);
5976 	elems->cnt = num_elems;
5977 
5978 	nla_for_each_nested(nl_elems, attrs, rem_elems) {
5979 		elems->elem[i].data = nla_data(nl_elems);
5980 		elems->elem[i].len = nla_len(nl_elems);
5981 		i++;
5982 	}
5983 	return elems;
5984 }
5985 
5986 static struct cfg80211_rnr_elems *
5987 nl80211_parse_rnr_elems(struct wiphy *wiphy, struct nlattr *attrs,
5988 			struct netlink_ext_ack *extack)
5989 {
5990 	struct nlattr *nl_elems;
5991 	struct cfg80211_rnr_elems *elems;
5992 	int rem_elems;
5993 	u8 i = 0, num_elems = 0;
5994 
5995 	nla_for_each_nested(nl_elems, attrs, rem_elems) {
5996 		int ret;
5997 
5998 		ret = validate_ie_attr(nl_elems, extack);
5999 		if (ret)
6000 			return ERR_PTR(ret);
6001 
6002 		num_elems++;
6003 	}
6004 
6005 	elems = kzalloc(struct_size(elems, elem, num_elems), GFP_KERNEL);
6006 	if (!elems)
6007 		return ERR_PTR(-ENOMEM);
6008 	elems->cnt = num_elems;
6009 
6010 	nla_for_each_nested(nl_elems, attrs, rem_elems) {
6011 		elems->elem[i].data = nla_data(nl_elems);
6012 		elems->elem[i].len = nla_len(nl_elems);
6013 		i++;
6014 	}
6015 	return elems;
6016 }
6017 
6018 static int nl80211_parse_he_bss_color(struct nlattr *attrs,
6019 				      struct cfg80211_he_bss_color *he_bss_color)
6020 {
6021 	struct nlattr *tb[NL80211_HE_BSS_COLOR_ATTR_MAX + 1];
6022 	int err;
6023 
6024 	err = nla_parse_nested(tb, NL80211_HE_BSS_COLOR_ATTR_MAX, attrs,
6025 			       he_bss_color_policy, NULL);
6026 	if (err)
6027 		return err;
6028 
6029 	if (!tb[NL80211_HE_BSS_COLOR_ATTR_COLOR])
6030 		return -EINVAL;
6031 
6032 	he_bss_color->color =
6033 		nla_get_u8(tb[NL80211_HE_BSS_COLOR_ATTR_COLOR]);
6034 	he_bss_color->enabled =
6035 		!nla_get_flag(tb[NL80211_HE_BSS_COLOR_ATTR_DISABLED]);
6036 	he_bss_color->partial =
6037 		nla_get_flag(tb[NL80211_HE_BSS_COLOR_ATTR_PARTIAL]);
6038 
6039 	return 0;
6040 }
6041 
6042 static int nl80211_parse_beacon(struct cfg80211_registered_device *rdev,
6043 				struct nlattr *attrs[],
6044 				struct cfg80211_beacon_data *bcn,
6045 				struct netlink_ext_ack *extack)
6046 {
6047 	bool haveinfo = false;
6048 	int err;
6049 
6050 	memset(bcn, 0, sizeof(*bcn));
6051 
6052 	bcn->link_id = nl80211_link_id(attrs);
6053 
6054 	if (attrs[NL80211_ATTR_BEACON_HEAD]) {
6055 		bcn->head = nla_data(attrs[NL80211_ATTR_BEACON_HEAD]);
6056 		bcn->head_len = nla_len(attrs[NL80211_ATTR_BEACON_HEAD]);
6057 		if (!bcn->head_len)
6058 			return -EINVAL;
6059 		haveinfo = true;
6060 	}
6061 
6062 	if (attrs[NL80211_ATTR_BEACON_TAIL]) {
6063 		bcn->tail = nla_data(attrs[NL80211_ATTR_BEACON_TAIL]);
6064 		bcn->tail_len = nla_len(attrs[NL80211_ATTR_BEACON_TAIL]);
6065 		haveinfo = true;
6066 	}
6067 
6068 	if (!haveinfo)
6069 		return -EINVAL;
6070 
6071 	if (attrs[NL80211_ATTR_IE]) {
6072 		bcn->beacon_ies = nla_data(attrs[NL80211_ATTR_IE]);
6073 		bcn->beacon_ies_len = nla_len(attrs[NL80211_ATTR_IE]);
6074 	}
6075 
6076 	if (attrs[NL80211_ATTR_IE_PROBE_RESP]) {
6077 		bcn->proberesp_ies =
6078 			nla_data(attrs[NL80211_ATTR_IE_PROBE_RESP]);
6079 		bcn->proberesp_ies_len =
6080 			nla_len(attrs[NL80211_ATTR_IE_PROBE_RESP]);
6081 	}
6082 
6083 	if (attrs[NL80211_ATTR_IE_ASSOC_RESP]) {
6084 		bcn->assocresp_ies =
6085 			nla_data(attrs[NL80211_ATTR_IE_ASSOC_RESP]);
6086 		bcn->assocresp_ies_len =
6087 			nla_len(attrs[NL80211_ATTR_IE_ASSOC_RESP]);
6088 	}
6089 
6090 	if (attrs[NL80211_ATTR_PROBE_RESP]) {
6091 		bcn->probe_resp = nla_data(attrs[NL80211_ATTR_PROBE_RESP]);
6092 		bcn->probe_resp_len = nla_len(attrs[NL80211_ATTR_PROBE_RESP]);
6093 	}
6094 
6095 	if (attrs[NL80211_ATTR_FTM_RESPONDER]) {
6096 		struct nlattr *tb[NL80211_FTM_RESP_ATTR_MAX + 1];
6097 
6098 		err = nla_parse_nested_deprecated(tb,
6099 						  NL80211_FTM_RESP_ATTR_MAX,
6100 						  attrs[NL80211_ATTR_FTM_RESPONDER],
6101 						  NULL, NULL);
6102 		if (err)
6103 			return err;
6104 
6105 		if (tb[NL80211_FTM_RESP_ATTR_ENABLED] &&
6106 		    wiphy_ext_feature_isset(&rdev->wiphy,
6107 					    NL80211_EXT_FEATURE_ENABLE_FTM_RESPONDER))
6108 			bcn->ftm_responder = 1;
6109 		else
6110 			return -EOPNOTSUPP;
6111 
6112 		if (tb[NL80211_FTM_RESP_ATTR_LCI]) {
6113 			bcn->lci = nla_data(tb[NL80211_FTM_RESP_ATTR_LCI]);
6114 			bcn->lci_len = nla_len(tb[NL80211_FTM_RESP_ATTR_LCI]);
6115 		}
6116 
6117 		if (tb[NL80211_FTM_RESP_ATTR_CIVICLOC]) {
6118 			bcn->civicloc = nla_data(tb[NL80211_FTM_RESP_ATTR_CIVICLOC]);
6119 			bcn->civicloc_len = nla_len(tb[NL80211_FTM_RESP_ATTR_CIVICLOC]);
6120 		}
6121 	} else {
6122 		bcn->ftm_responder = -1;
6123 	}
6124 
6125 	if (attrs[NL80211_ATTR_HE_BSS_COLOR]) {
6126 		err = nl80211_parse_he_bss_color(attrs[NL80211_ATTR_HE_BSS_COLOR],
6127 						 &bcn->he_bss_color);
6128 		if (err)
6129 			return err;
6130 		bcn->he_bss_color_valid = true;
6131 	}
6132 
6133 	if (attrs[NL80211_ATTR_MBSSID_ELEMS]) {
6134 		struct cfg80211_mbssid_elems *mbssid =
6135 			nl80211_parse_mbssid_elems(&rdev->wiphy,
6136 						   attrs[NL80211_ATTR_MBSSID_ELEMS]);
6137 
6138 		if (IS_ERR(mbssid))
6139 			return PTR_ERR(mbssid);
6140 
6141 		bcn->mbssid_ies = mbssid;
6142 
6143 		if (bcn->mbssid_ies && attrs[NL80211_ATTR_EMA_RNR_ELEMS]) {
6144 			struct cfg80211_rnr_elems *rnr =
6145 				nl80211_parse_rnr_elems(&rdev->wiphy,
6146 							attrs[NL80211_ATTR_EMA_RNR_ELEMS],
6147 							extack);
6148 
6149 			if (IS_ERR(rnr))
6150 				return PTR_ERR(rnr);
6151 
6152 			if (rnr && rnr->cnt < bcn->mbssid_ies->cnt)
6153 				return -EINVAL;
6154 
6155 			bcn->rnr_ies = rnr;
6156 		}
6157 	}
6158 
6159 	return 0;
6160 }
6161 
6162 static int nl80211_parse_he_obss_pd(struct nlattr *attrs,
6163 				    struct ieee80211_he_obss_pd *he_obss_pd)
6164 {
6165 	struct nlattr *tb[NL80211_HE_OBSS_PD_ATTR_MAX + 1];
6166 	int err;
6167 
6168 	err = nla_parse_nested(tb, NL80211_HE_OBSS_PD_ATTR_MAX, attrs,
6169 			       he_obss_pd_policy, NULL);
6170 	if (err)
6171 		return err;
6172 
6173 	if (!tb[NL80211_HE_OBSS_PD_ATTR_SR_CTRL])
6174 		return -EINVAL;
6175 
6176 	he_obss_pd->sr_ctrl = nla_get_u8(tb[NL80211_HE_OBSS_PD_ATTR_SR_CTRL]);
6177 
6178 	if (tb[NL80211_HE_OBSS_PD_ATTR_MIN_OFFSET])
6179 		he_obss_pd->min_offset =
6180 			nla_get_u8(tb[NL80211_HE_OBSS_PD_ATTR_MIN_OFFSET]);
6181 	if (tb[NL80211_HE_OBSS_PD_ATTR_MAX_OFFSET])
6182 		he_obss_pd->max_offset =
6183 			nla_get_u8(tb[NL80211_HE_OBSS_PD_ATTR_MAX_OFFSET]);
6184 	if (tb[NL80211_HE_OBSS_PD_ATTR_NON_SRG_MAX_OFFSET])
6185 		he_obss_pd->non_srg_max_offset =
6186 			nla_get_u8(tb[NL80211_HE_OBSS_PD_ATTR_NON_SRG_MAX_OFFSET]);
6187 
6188 	if (he_obss_pd->min_offset > he_obss_pd->max_offset)
6189 		return -EINVAL;
6190 
6191 	if (tb[NL80211_HE_OBSS_PD_ATTR_BSS_COLOR_BITMAP])
6192 		memcpy(he_obss_pd->bss_color_bitmap,
6193 		       nla_data(tb[NL80211_HE_OBSS_PD_ATTR_BSS_COLOR_BITMAP]),
6194 		       sizeof(he_obss_pd->bss_color_bitmap));
6195 
6196 	if (tb[NL80211_HE_OBSS_PD_ATTR_PARTIAL_BSSID_BITMAP])
6197 		memcpy(he_obss_pd->partial_bssid_bitmap,
6198 		       nla_data(tb[NL80211_HE_OBSS_PD_ATTR_PARTIAL_BSSID_BITMAP]),
6199 		       sizeof(he_obss_pd->partial_bssid_bitmap));
6200 
6201 	he_obss_pd->enable = true;
6202 
6203 	return 0;
6204 }
6205 
6206 static int nl80211_parse_fils_discovery(struct cfg80211_registered_device *rdev,
6207 					struct nlattr *attrs,
6208 					struct cfg80211_fils_discovery *fd)
6209 {
6210 	struct nlattr *tb[NL80211_FILS_DISCOVERY_ATTR_MAX + 1];
6211 	int ret;
6212 
6213 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
6214 				     NL80211_EXT_FEATURE_FILS_DISCOVERY))
6215 		return -EINVAL;
6216 
6217 	ret = nla_parse_nested(tb, NL80211_FILS_DISCOVERY_ATTR_MAX, attrs,
6218 			       NULL, NULL);
6219 	if (ret)
6220 		return ret;
6221 
6222 	if (!tb[NL80211_FILS_DISCOVERY_ATTR_INT_MIN] &&
6223 	    !tb[NL80211_FILS_DISCOVERY_ATTR_INT_MAX] &&
6224 	    !tb[NL80211_FILS_DISCOVERY_ATTR_TMPL]) {
6225 		fd->update = true;
6226 		return 0;
6227 	}
6228 
6229 	if (!tb[NL80211_FILS_DISCOVERY_ATTR_INT_MIN] ||
6230 	    !tb[NL80211_FILS_DISCOVERY_ATTR_INT_MAX] ||
6231 	    !tb[NL80211_FILS_DISCOVERY_ATTR_TMPL])
6232 		return -EINVAL;
6233 
6234 	fd->tmpl_len = nla_len(tb[NL80211_FILS_DISCOVERY_ATTR_TMPL]);
6235 	fd->tmpl = nla_data(tb[NL80211_FILS_DISCOVERY_ATTR_TMPL]);
6236 	fd->min_interval = nla_get_u32(tb[NL80211_FILS_DISCOVERY_ATTR_INT_MIN]);
6237 	fd->max_interval = nla_get_u32(tb[NL80211_FILS_DISCOVERY_ATTR_INT_MAX]);
6238 	fd->update = true;
6239 	return 0;
6240 }
6241 
6242 static int
6243 nl80211_parse_unsol_bcast_probe_resp(struct cfg80211_registered_device *rdev,
6244 				     struct nlattr *attrs,
6245 				     struct cfg80211_unsol_bcast_probe_resp *presp)
6246 {
6247 	struct nlattr *tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_MAX + 1];
6248 	int ret;
6249 
6250 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
6251 				     NL80211_EXT_FEATURE_UNSOL_BCAST_PROBE_RESP))
6252 		return -EINVAL;
6253 
6254 	ret = nla_parse_nested(tb, NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_MAX,
6255 			       attrs, NULL, NULL);
6256 	if (ret)
6257 		return ret;
6258 
6259 	if (!tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_INT] &&
6260 	    !tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_TMPL]) {
6261 		presp->update = true;
6262 		return 0;
6263 	}
6264 
6265 	if (!tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_INT] ||
6266 	    !tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_TMPL])
6267 		return -EINVAL;
6268 
6269 	presp->tmpl = nla_data(tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_TMPL]);
6270 	presp->tmpl_len = nla_len(tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_TMPL]);
6271 	presp->interval = nla_get_u32(tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_INT]);
6272 	presp->update = true;
6273 	return 0;
6274 }
6275 
6276 static void nl80211_check_ap_rate_selectors(struct cfg80211_ap_settings *params,
6277 					    const struct element *rates)
6278 {
6279 	int i;
6280 
6281 	if (!rates)
6282 		return;
6283 
6284 	for (i = 0; i < rates->datalen; i++) {
6285 		if (rates->data[i] == BSS_MEMBERSHIP_SELECTOR_HT_PHY)
6286 			params->ht_required = true;
6287 		if (rates->data[i] == BSS_MEMBERSHIP_SELECTOR_VHT_PHY)
6288 			params->vht_required = true;
6289 		if (rates->data[i] == BSS_MEMBERSHIP_SELECTOR_HE_PHY)
6290 			params->he_required = true;
6291 		if (rates->data[i] == BSS_MEMBERSHIP_SELECTOR_SAE_H2E)
6292 			params->sae_h2e_required = true;
6293 	}
6294 }
6295 
6296 /*
6297  * Since the nl80211 API didn't include, from the beginning, attributes about
6298  * HT/VHT requirements/capabilities, we parse them out of the IEs for the
6299  * benefit of drivers that rebuild IEs in the firmware.
6300  */
6301 static int nl80211_calculate_ap_params(struct cfg80211_ap_settings *params)
6302 {
6303 	const struct cfg80211_beacon_data *bcn = &params->beacon;
6304 	size_t ies_len = bcn->tail_len;
6305 	const u8 *ies = bcn->tail;
6306 	const struct element *rates;
6307 	const struct element *cap;
6308 
6309 	rates = cfg80211_find_elem(WLAN_EID_SUPP_RATES, ies, ies_len);
6310 	nl80211_check_ap_rate_selectors(params, rates);
6311 
6312 	rates = cfg80211_find_elem(WLAN_EID_EXT_SUPP_RATES, ies, ies_len);
6313 	nl80211_check_ap_rate_selectors(params, rates);
6314 
6315 	cap = cfg80211_find_elem(WLAN_EID_HT_CAPABILITY, ies, ies_len);
6316 	if (cap && cap->datalen >= sizeof(*params->ht_cap))
6317 		params->ht_cap = (void *)cap->data;
6318 	cap = cfg80211_find_elem(WLAN_EID_VHT_CAPABILITY, ies, ies_len);
6319 	if (cap && cap->datalen >= sizeof(*params->vht_cap))
6320 		params->vht_cap = (void *)cap->data;
6321 	cap = cfg80211_find_ext_elem(WLAN_EID_EXT_HE_CAPABILITY, ies, ies_len);
6322 	if (cap && cap->datalen >= sizeof(*params->he_cap) + 1)
6323 		params->he_cap = (void *)(cap->data + 1);
6324 	cap = cfg80211_find_ext_elem(WLAN_EID_EXT_HE_OPERATION, ies, ies_len);
6325 	if (cap && cap->datalen >= sizeof(*params->he_oper) + 1)
6326 		params->he_oper = (void *)(cap->data + 1);
6327 	cap = cfg80211_find_ext_elem(WLAN_EID_EXT_EHT_CAPABILITY, ies, ies_len);
6328 	if (cap) {
6329 		if (!cap->datalen)
6330 			return -EINVAL;
6331 		params->eht_cap = (void *)(cap->data + 1);
6332 		if (!ieee80211_eht_capa_size_ok((const u8 *)params->he_cap,
6333 						(const u8 *)params->eht_cap,
6334 						cap->datalen - 1, true))
6335 			return -EINVAL;
6336 	}
6337 	cap = cfg80211_find_ext_elem(WLAN_EID_EXT_EHT_OPERATION, ies, ies_len);
6338 	if (cap) {
6339 		if (!cap->datalen)
6340 			return -EINVAL;
6341 		params->eht_oper = (void *)(cap->data + 1);
6342 		if (!ieee80211_eht_oper_size_ok((const u8 *)params->eht_oper,
6343 						cap->datalen - 1))
6344 			return -EINVAL;
6345 	}
6346 	return 0;
6347 }
6348 
6349 static bool nl80211_get_ap_channel(struct cfg80211_registered_device *rdev,
6350 				   struct cfg80211_ap_settings *params)
6351 {
6352 	struct wireless_dev *wdev;
6353 
6354 	list_for_each_entry(wdev, &rdev->wiphy.wdev_list, list) {
6355 		if (wdev->iftype != NL80211_IFTYPE_AP &&
6356 		    wdev->iftype != NL80211_IFTYPE_P2P_GO)
6357 			continue;
6358 
6359 		if (!wdev->u.ap.preset_chandef.chan)
6360 			continue;
6361 
6362 		params->chandef = wdev->u.ap.preset_chandef;
6363 		return true;
6364 	}
6365 
6366 	return false;
6367 }
6368 
6369 static bool nl80211_valid_auth_type(struct cfg80211_registered_device *rdev,
6370 				    enum nl80211_auth_type auth_type,
6371 				    enum nl80211_commands cmd)
6372 {
6373 	if (auth_type > NL80211_AUTHTYPE_MAX)
6374 		return false;
6375 
6376 	switch (cmd) {
6377 	case NL80211_CMD_AUTHENTICATE:
6378 		if (!(rdev->wiphy.features & NL80211_FEATURE_SAE) &&
6379 		    auth_type == NL80211_AUTHTYPE_SAE)
6380 			return false;
6381 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
6382 					     NL80211_EXT_FEATURE_FILS_STA) &&
6383 		    (auth_type == NL80211_AUTHTYPE_FILS_SK ||
6384 		     auth_type == NL80211_AUTHTYPE_FILS_SK_PFS ||
6385 		     auth_type == NL80211_AUTHTYPE_FILS_PK))
6386 			return false;
6387 		return true;
6388 	case NL80211_CMD_CONNECT:
6389 		if (!(rdev->wiphy.features & NL80211_FEATURE_SAE) &&
6390 		    !wiphy_ext_feature_isset(&rdev->wiphy,
6391 					     NL80211_EXT_FEATURE_SAE_OFFLOAD) &&
6392 		    auth_type == NL80211_AUTHTYPE_SAE)
6393 			return false;
6394 
6395 		/* FILS with SK PFS or PK not supported yet */
6396 		if (auth_type == NL80211_AUTHTYPE_FILS_SK_PFS ||
6397 		    auth_type == NL80211_AUTHTYPE_FILS_PK)
6398 			return false;
6399 		if (!wiphy_ext_feature_isset(
6400 			    &rdev->wiphy,
6401 			    NL80211_EXT_FEATURE_FILS_SK_OFFLOAD) &&
6402 		    auth_type == NL80211_AUTHTYPE_FILS_SK)
6403 			return false;
6404 		return true;
6405 	case NL80211_CMD_START_AP:
6406 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
6407 					     NL80211_EXT_FEATURE_SAE_OFFLOAD_AP) &&
6408 		    auth_type == NL80211_AUTHTYPE_SAE)
6409 			return false;
6410 		/* FILS not supported yet */
6411 		if (auth_type == NL80211_AUTHTYPE_FILS_SK ||
6412 		    auth_type == NL80211_AUTHTYPE_FILS_SK_PFS ||
6413 		    auth_type == NL80211_AUTHTYPE_FILS_PK)
6414 			return false;
6415 		return true;
6416 	default:
6417 		return false;
6418 	}
6419 }
6420 
6421 static void nl80211_send_ap_started(struct wireless_dev *wdev,
6422 				    unsigned int link_id)
6423 {
6424 	struct wiphy *wiphy = wdev->wiphy;
6425 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
6426 	struct sk_buff *msg;
6427 	void *hdr;
6428 
6429 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
6430 	if (!msg)
6431 		return;
6432 
6433 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_START_AP);
6434 	if (!hdr)
6435 		goto out;
6436 
6437 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
6438 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, wdev->netdev->ifindex) ||
6439 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
6440 			      NL80211_ATTR_PAD) ||
6441 	    (wdev->u.ap.ssid_len &&
6442 	     nla_put(msg, NL80211_ATTR_SSID, wdev->u.ap.ssid_len,
6443 		     wdev->u.ap.ssid)) ||
6444 	    (wdev->valid_links &&
6445 	     nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID, link_id)))
6446 		goto out;
6447 
6448 	genlmsg_end(msg, hdr);
6449 
6450 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(wiphy), msg, 0,
6451 				NL80211_MCGRP_MLME, GFP_KERNEL);
6452 	return;
6453 out:
6454 	nlmsg_free(msg);
6455 }
6456 
6457 static int nl80211_validate_ap_phy_operation(struct cfg80211_ap_settings *params)
6458 {
6459 	struct ieee80211_channel *channel = params->chandef.chan;
6460 
6461 	if ((params->he_cap ||  params->he_oper) &&
6462 	    (channel->flags & IEEE80211_CHAN_NO_HE))
6463 		return -EOPNOTSUPP;
6464 
6465 	if ((params->eht_cap || params->eht_oper) &&
6466 	    (channel->flags & IEEE80211_CHAN_NO_EHT))
6467 		return -EOPNOTSUPP;
6468 
6469 	return 0;
6470 }
6471 
6472 static int
6473 nl80211_parse_s1g_short_beacon(struct cfg80211_registered_device *rdev,
6474 			       struct nlattr *attrs,
6475 			       struct cfg80211_s1g_short_beacon *sb)
6476 {
6477 	struct nlattr *tb[NL80211_S1G_SHORT_BEACON_ATTR_MAX + 1];
6478 	int ret;
6479 
6480 	if (!rdev->wiphy.bands[NL80211_BAND_S1GHZ])
6481 		return -EINVAL;
6482 
6483 	ret = nla_parse_nested(tb, NL80211_S1G_SHORT_BEACON_ATTR_MAX, attrs,
6484 			       NULL, NULL);
6485 	if (ret)
6486 		return ret;
6487 
6488 	/* Short beacon tail is optional (i.e might only include the TIM) */
6489 	if (!tb[NL80211_S1G_SHORT_BEACON_ATTR_HEAD])
6490 		return -EINVAL;
6491 
6492 	sb->short_head = nla_data(tb[NL80211_S1G_SHORT_BEACON_ATTR_HEAD]);
6493 	sb->short_head_len = nla_len(tb[NL80211_S1G_SHORT_BEACON_ATTR_HEAD]);
6494 	sb->short_tail_len = 0;
6495 
6496 	if (tb[NL80211_S1G_SHORT_BEACON_ATTR_TAIL]) {
6497 		sb->short_tail =
6498 			nla_data(tb[NL80211_S1G_SHORT_BEACON_ATTR_TAIL]);
6499 		sb->short_tail_len =
6500 			nla_len(tb[NL80211_S1G_SHORT_BEACON_ATTR_TAIL]);
6501 	}
6502 
6503 	sb->update = true;
6504 	return 0;
6505 }
6506 
6507 static int nl80211_start_ap(struct sk_buff *skb, struct genl_info *info)
6508 {
6509 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6510 	struct cfg80211_beaconing_check_config beacon_check = {};
6511 	unsigned int link_id = nl80211_link_id(info->attrs);
6512 	struct net_device *dev = info->user_ptr[1];
6513 	struct wireless_dev *wdev = dev->ieee80211_ptr;
6514 	struct cfg80211_ap_settings *params;
6515 	int err;
6516 
6517 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
6518 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
6519 		return -EOPNOTSUPP;
6520 
6521 	if (!rdev->ops->start_ap)
6522 		return -EOPNOTSUPP;
6523 
6524 	if (wdev->links[link_id].cac_started)
6525 		return -EBUSY;
6526 
6527 	if (wdev->links[link_id].ap.beacon_interval)
6528 		return -EALREADY;
6529 
6530 	/* these are required for START_AP */
6531 	if (!info->attrs[NL80211_ATTR_BEACON_INTERVAL] ||
6532 	    !info->attrs[NL80211_ATTR_DTIM_PERIOD] ||
6533 	    !info->attrs[NL80211_ATTR_BEACON_HEAD])
6534 		return -EINVAL;
6535 
6536 	if (info->attrs[NL80211_ATTR_SMPS_MODE] &&
6537 	    nla_get_u8(info->attrs[NL80211_ATTR_SMPS_MODE]) != NL80211_SMPS_OFF)
6538 		return -EOPNOTSUPP;
6539 
6540 	params = kzalloc(sizeof(*params), GFP_KERNEL);
6541 	if (!params)
6542 		return -ENOMEM;
6543 
6544 	err = nl80211_parse_beacon(rdev, info->attrs, &params->beacon,
6545 				   info->extack);
6546 	if (err)
6547 		goto out;
6548 
6549 	params->beacon_interval =
6550 		nla_get_u32(info->attrs[NL80211_ATTR_BEACON_INTERVAL]);
6551 	params->dtim_period =
6552 		nla_get_u32(info->attrs[NL80211_ATTR_DTIM_PERIOD]);
6553 
6554 	err = cfg80211_validate_beacon_int(rdev, dev->ieee80211_ptr->iftype,
6555 					   params->beacon_interval);
6556 	if (err)
6557 		goto out;
6558 
6559 	/*
6560 	 * In theory, some of these attributes should be required here
6561 	 * but since they were not used when the command was originally
6562 	 * added, keep them optional for old user space programs to let
6563 	 * them continue to work with drivers that do not need the
6564 	 * additional information -- drivers must check!
6565 	 */
6566 	if (info->attrs[NL80211_ATTR_SSID]) {
6567 		params->ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
6568 		params->ssid_len =
6569 			nla_len(info->attrs[NL80211_ATTR_SSID]);
6570 		if (params->ssid_len == 0) {
6571 			err = -EINVAL;
6572 			goto out;
6573 		}
6574 
6575 		if (wdev->u.ap.ssid_len &&
6576 		    (wdev->u.ap.ssid_len != params->ssid_len ||
6577 		     memcmp(wdev->u.ap.ssid, params->ssid, params->ssid_len))) {
6578 			/* require identical SSID for MLO */
6579 			err = -EINVAL;
6580 			goto out;
6581 		}
6582 	} else if (wdev->valid_links) {
6583 		/* require SSID for MLO */
6584 		err = -EINVAL;
6585 		goto out;
6586 	}
6587 
6588 	if (info->attrs[NL80211_ATTR_HIDDEN_SSID])
6589 		params->hidden_ssid = nla_get_u32(
6590 			info->attrs[NL80211_ATTR_HIDDEN_SSID]);
6591 
6592 	params->privacy = !!info->attrs[NL80211_ATTR_PRIVACY];
6593 
6594 	if (info->attrs[NL80211_ATTR_AUTH_TYPE]) {
6595 		params->auth_type = nla_get_u32(
6596 			info->attrs[NL80211_ATTR_AUTH_TYPE]);
6597 		if (!nl80211_valid_auth_type(rdev, params->auth_type,
6598 					     NL80211_CMD_START_AP)) {
6599 			err = -EINVAL;
6600 			goto out;
6601 		}
6602 	} else
6603 		params->auth_type = NL80211_AUTHTYPE_AUTOMATIC;
6604 
6605 	err = nl80211_crypto_settings(rdev, info, &params->crypto,
6606 				      NL80211_MAX_NR_CIPHER_SUITES);
6607 	if (err)
6608 		goto out;
6609 
6610 	if (info->attrs[NL80211_ATTR_INACTIVITY_TIMEOUT]) {
6611 		if (!(rdev->wiphy.features & NL80211_FEATURE_INACTIVITY_TIMER)) {
6612 			err = -EOPNOTSUPP;
6613 			goto out;
6614 		}
6615 		params->inactivity_timeout = nla_get_u16(
6616 			info->attrs[NL80211_ATTR_INACTIVITY_TIMEOUT]);
6617 	}
6618 
6619 	if (info->attrs[NL80211_ATTR_P2P_CTWINDOW]) {
6620 		if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO) {
6621 			err = -EINVAL;
6622 			goto out;
6623 		}
6624 		params->p2p_ctwindow =
6625 			nla_get_u8(info->attrs[NL80211_ATTR_P2P_CTWINDOW]);
6626 		if (params->p2p_ctwindow != 0 &&
6627 		    !(rdev->wiphy.features & NL80211_FEATURE_P2P_GO_CTWIN)) {
6628 			err = -EINVAL;
6629 			goto out;
6630 		}
6631 	}
6632 
6633 	if (info->attrs[NL80211_ATTR_P2P_OPPPS]) {
6634 		u8 tmp;
6635 
6636 		if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO) {
6637 			err = -EINVAL;
6638 			goto out;
6639 		}
6640 		tmp = nla_get_u8(info->attrs[NL80211_ATTR_P2P_OPPPS]);
6641 		params->p2p_opp_ps = tmp;
6642 		if (params->p2p_opp_ps != 0 &&
6643 		    !(rdev->wiphy.features & NL80211_FEATURE_P2P_GO_OPPPS)) {
6644 			err = -EINVAL;
6645 			goto out;
6646 		}
6647 	}
6648 
6649 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
6650 		err = nl80211_parse_chandef(rdev, info, &params->chandef);
6651 		if (err)
6652 			goto out;
6653 	} else if (wdev->valid_links) {
6654 		/* with MLD need to specify the channel configuration */
6655 		err = -EINVAL;
6656 		goto out;
6657 	} else if (wdev->u.ap.preset_chandef.chan) {
6658 		params->chandef = wdev->u.ap.preset_chandef;
6659 	} else if (!nl80211_get_ap_channel(rdev, params)) {
6660 		err = -EINVAL;
6661 		goto out;
6662 	}
6663 
6664 	beacon_check.iftype = wdev->iftype;
6665 	beacon_check.relax = true;
6666 	beacon_check.reg_power =
6667 		cfg80211_get_6ghz_power_type(params->beacon.tail,
6668 					     params->beacon.tail_len);
6669 	if (!cfg80211_reg_check_beaconing(&rdev->wiphy, &params->chandef,
6670 					  &beacon_check)) {
6671 		err = -EINVAL;
6672 		goto out;
6673 	}
6674 
6675 	if (info->attrs[NL80211_ATTR_TX_RATES]) {
6676 		err = nl80211_parse_tx_bitrate_mask(info, info->attrs,
6677 						    NL80211_ATTR_TX_RATES,
6678 						    &params->beacon_rate,
6679 						    dev, false, link_id);
6680 		if (err)
6681 			goto out;
6682 
6683 		err = validate_beacon_tx_rate(rdev, params->chandef.chan->band,
6684 					      &params->beacon_rate);
6685 		if (err)
6686 			goto out;
6687 	}
6688 
6689 	params->pbss = nla_get_flag(info->attrs[NL80211_ATTR_PBSS]);
6690 	if (params->pbss && !rdev->wiphy.bands[NL80211_BAND_60GHZ]) {
6691 		err = -EOPNOTSUPP;
6692 		goto out;
6693 	}
6694 
6695 	if (info->attrs[NL80211_ATTR_ACL_POLICY]) {
6696 		params->acl = parse_acl_data(&rdev->wiphy, info);
6697 		if (IS_ERR(params->acl)) {
6698 			err = PTR_ERR(params->acl);
6699 			params->acl = NULL;
6700 			goto out;
6701 		}
6702 	}
6703 
6704 	params->twt_responder =
6705 		    nla_get_flag(info->attrs[NL80211_ATTR_TWT_RESPONDER]);
6706 
6707 	if (info->attrs[NL80211_ATTR_HE_OBSS_PD]) {
6708 		err = nl80211_parse_he_obss_pd(
6709 					info->attrs[NL80211_ATTR_HE_OBSS_PD],
6710 					&params->he_obss_pd);
6711 		if (err)
6712 			goto out;
6713 	}
6714 
6715 	if (info->attrs[NL80211_ATTR_FILS_DISCOVERY]) {
6716 		err = nl80211_parse_fils_discovery(rdev,
6717 						   info->attrs[NL80211_ATTR_FILS_DISCOVERY],
6718 						   &params->fils_discovery);
6719 		if (err)
6720 			goto out;
6721 	}
6722 
6723 	if (info->attrs[NL80211_ATTR_UNSOL_BCAST_PROBE_RESP]) {
6724 		err = nl80211_parse_unsol_bcast_probe_resp(
6725 			rdev, info->attrs[NL80211_ATTR_UNSOL_BCAST_PROBE_RESP],
6726 			&params->unsol_bcast_probe_resp);
6727 		if (err)
6728 			goto out;
6729 	}
6730 
6731 	if (info->attrs[NL80211_ATTR_MBSSID_CONFIG]) {
6732 		err = nl80211_parse_mbssid_config(&rdev->wiphy, dev, link_id,
6733 						  info->attrs[NL80211_ATTR_MBSSID_CONFIG],
6734 						  &params->mbssid_config,
6735 						  params->beacon.mbssid_ies ?
6736 							params->beacon.mbssid_ies->cnt :
6737 							0);
6738 		if (err)
6739 			goto out;
6740 	}
6741 
6742 	if (!params->mbssid_config.ema && params->beacon.rnr_ies) {
6743 		err = -EINVAL;
6744 		goto out;
6745 	}
6746 
6747 	if (info->attrs[NL80211_ATTR_S1G_SHORT_BEACON]) {
6748 		if (!info->attrs[NL80211_ATTR_S1G_LONG_BEACON_PERIOD]) {
6749 			err = -EINVAL;
6750 			goto out;
6751 		}
6752 
6753 		params->s1g_long_beacon_period = nla_get_u8(
6754 			info->attrs[NL80211_ATTR_S1G_LONG_BEACON_PERIOD]);
6755 
6756 		err = nl80211_parse_s1g_short_beacon(
6757 			rdev, info->attrs[NL80211_ATTR_S1G_SHORT_BEACON],
6758 			&params->s1g_short_beacon);
6759 		if (err)
6760 			goto out;
6761 	}
6762 
6763 	err = nl80211_calculate_ap_params(params);
6764 	if (err)
6765 		goto out;
6766 
6767 	err = nl80211_validate_ap_phy_operation(params);
6768 	if (err)
6769 		goto out;
6770 
6771 	if (info->attrs[NL80211_ATTR_AP_SETTINGS_FLAGS])
6772 		params->flags = nla_get_u32(
6773 			info->attrs[NL80211_ATTR_AP_SETTINGS_FLAGS]);
6774 	else if (info->attrs[NL80211_ATTR_EXTERNAL_AUTH_SUPPORT])
6775 		params->flags |= NL80211_AP_SETTINGS_EXTERNAL_AUTH_SUPPORT;
6776 
6777 	if (wdev->conn_owner_nlportid &&
6778 	    info->attrs[NL80211_ATTR_SOCKET_OWNER] &&
6779 	    wdev->conn_owner_nlportid != info->snd_portid) {
6780 		err = -EINVAL;
6781 		goto out;
6782 	}
6783 
6784 	/* FIXME: validate MLO/link-id against driver capabilities */
6785 
6786 	err = rdev_start_ap(rdev, dev, params);
6787 	if (!err) {
6788 		wdev->links[link_id].ap.beacon_interval = params->beacon_interval;
6789 		wdev->links[link_id].ap.chandef = params->chandef;
6790 		wdev->u.ap.ssid_len = params->ssid_len;
6791 		memcpy(wdev->u.ap.ssid, params->ssid,
6792 		       params->ssid_len);
6793 
6794 		if (info->attrs[NL80211_ATTR_SOCKET_OWNER])
6795 			wdev->conn_owner_nlportid = info->snd_portid;
6796 
6797 		nl80211_send_ap_started(wdev, link_id);
6798 	}
6799 out:
6800 	kfree(params->acl);
6801 	kfree(params->beacon.mbssid_ies);
6802 	if (params->mbssid_config.tx_wdev &&
6803 	    params->mbssid_config.tx_wdev->netdev &&
6804 	    params->mbssid_config.tx_wdev->netdev != dev)
6805 		dev_put(params->mbssid_config.tx_wdev->netdev);
6806 	kfree(params->beacon.rnr_ies);
6807 	kfree(params);
6808 
6809 	return err;
6810 }
6811 
6812 static int nl80211_set_beacon(struct sk_buff *skb, struct genl_info *info)
6813 {
6814 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6815 	struct cfg80211_beaconing_check_config beacon_check = {};
6816 	unsigned int link_id = nl80211_link_id(info->attrs);
6817 	struct net_device *dev = info->user_ptr[1];
6818 	struct wireless_dev *wdev = dev->ieee80211_ptr;
6819 	struct cfg80211_ap_update *params;
6820 	struct nlattr *attr;
6821 	int err;
6822 
6823 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
6824 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
6825 		return -EOPNOTSUPP;
6826 
6827 	if (!rdev->ops->change_beacon)
6828 		return -EOPNOTSUPP;
6829 
6830 	if (!wdev->links[link_id].ap.beacon_interval)
6831 		return -EINVAL;
6832 
6833 	params = kzalloc(sizeof(*params), GFP_KERNEL);
6834 	if (!params)
6835 		return -ENOMEM;
6836 
6837 	err = nl80211_parse_beacon(rdev, info->attrs, &params->beacon,
6838 				   info->extack);
6839 	if (err)
6840 		goto out;
6841 
6842 	/* recheck beaconing is permitted with possibly changed power type */
6843 	beacon_check.iftype = wdev->iftype;
6844 	beacon_check.relax = true;
6845 	beacon_check.reg_power =
6846 		cfg80211_get_6ghz_power_type(params->beacon.tail,
6847 					     params->beacon.tail_len);
6848 	if (!cfg80211_reg_check_beaconing(&rdev->wiphy,
6849 					  &wdev->links[link_id].ap.chandef,
6850 					  &beacon_check)) {
6851 		err = -EINVAL;
6852 		goto out;
6853 	}
6854 
6855 	attr = info->attrs[NL80211_ATTR_FILS_DISCOVERY];
6856 	if (attr) {
6857 		err = nl80211_parse_fils_discovery(rdev, attr,
6858 						   &params->fils_discovery);
6859 		if (err)
6860 			goto out;
6861 	}
6862 
6863 	attr = info->attrs[NL80211_ATTR_UNSOL_BCAST_PROBE_RESP];
6864 	if (attr) {
6865 		err = nl80211_parse_unsol_bcast_probe_resp(rdev, attr,
6866 							   &params->unsol_bcast_probe_resp);
6867 		if (err)
6868 			goto out;
6869 	}
6870 
6871 	attr = info->attrs[NL80211_ATTR_S1G_SHORT_BEACON];
6872 	if (attr) {
6873 		err = nl80211_parse_s1g_short_beacon(rdev, attr,
6874 						     &params->s1g_short_beacon);
6875 		if (err)
6876 			goto out;
6877 	}
6878 
6879 	err = rdev_change_beacon(rdev, dev, params);
6880 
6881 out:
6882 	kfree(params->beacon.mbssid_ies);
6883 	kfree(params->beacon.rnr_ies);
6884 	kfree(params);
6885 	return err;
6886 }
6887 
6888 static int nl80211_stop_ap(struct sk_buff *skb, struct genl_info *info)
6889 {
6890 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6891 	unsigned int link_id = nl80211_link_id(info->attrs);
6892 	struct net_device *dev = info->user_ptr[1];
6893 
6894 	return cfg80211_stop_ap(rdev, dev, link_id, false);
6895 }
6896 
6897 static const struct nla_policy sta_flags_policy[NL80211_STA_FLAG_MAX + 1] = {
6898 	[NL80211_STA_FLAG_AUTHORIZED] = { .type = NLA_FLAG },
6899 	[NL80211_STA_FLAG_SHORT_PREAMBLE] = { .type = NLA_FLAG },
6900 	[NL80211_STA_FLAG_WME] = { .type = NLA_FLAG },
6901 	[NL80211_STA_FLAG_MFP] = { .type = NLA_FLAG },
6902 	[NL80211_STA_FLAG_AUTHENTICATED] = { .type = NLA_FLAG },
6903 	[NL80211_STA_FLAG_TDLS_PEER] = { .type = NLA_FLAG },
6904 };
6905 
6906 static int parse_station_flags(struct genl_info *info,
6907 			       enum nl80211_iftype iftype,
6908 			       struct station_parameters *params)
6909 {
6910 	struct nlattr *flags[NL80211_STA_FLAG_MAX + 1];
6911 	struct nlattr *nla;
6912 	int flag;
6913 
6914 	/*
6915 	 * Try parsing the new attribute first so userspace
6916 	 * can specify both for older kernels.
6917 	 */
6918 	nla = info->attrs[NL80211_ATTR_STA_FLAGS2];
6919 	if (nla) {
6920 		struct nl80211_sta_flag_update *sta_flags;
6921 
6922 		sta_flags = nla_data(nla);
6923 		params->sta_flags_mask = sta_flags->mask;
6924 		params->sta_flags_set = sta_flags->set;
6925 		params->sta_flags_set &= params->sta_flags_mask;
6926 		if ((params->sta_flags_mask |
6927 		     params->sta_flags_set) & BIT(__NL80211_STA_FLAG_INVALID))
6928 			return -EINVAL;
6929 		return 0;
6930 	}
6931 
6932 	/* if present, parse the old attribute */
6933 
6934 	nla = info->attrs[NL80211_ATTR_STA_FLAGS];
6935 	if (!nla)
6936 		return 0;
6937 
6938 	if (nla_parse_nested_deprecated(flags, NL80211_STA_FLAG_MAX, nla, sta_flags_policy, info->extack))
6939 		return -EINVAL;
6940 
6941 	/*
6942 	 * Only allow certain flags for interface types so that
6943 	 * other attributes are silently ignored. Remember that
6944 	 * this is backward compatibility code with old userspace
6945 	 * and shouldn't be hit in other cases anyway.
6946 	 */
6947 	switch (iftype) {
6948 	case NL80211_IFTYPE_AP:
6949 	case NL80211_IFTYPE_AP_VLAN:
6950 	case NL80211_IFTYPE_P2P_GO:
6951 		params->sta_flags_mask = BIT(NL80211_STA_FLAG_AUTHORIZED) |
6952 					 BIT(NL80211_STA_FLAG_SHORT_PREAMBLE) |
6953 					 BIT(NL80211_STA_FLAG_WME) |
6954 					 BIT(NL80211_STA_FLAG_MFP);
6955 		break;
6956 	case NL80211_IFTYPE_P2P_CLIENT:
6957 	case NL80211_IFTYPE_STATION:
6958 		params->sta_flags_mask = BIT(NL80211_STA_FLAG_AUTHORIZED) |
6959 					 BIT(NL80211_STA_FLAG_TDLS_PEER);
6960 		break;
6961 	case NL80211_IFTYPE_MESH_POINT:
6962 		params->sta_flags_mask = BIT(NL80211_STA_FLAG_AUTHENTICATED) |
6963 					 BIT(NL80211_STA_FLAG_MFP) |
6964 					 BIT(NL80211_STA_FLAG_AUTHORIZED);
6965 		break;
6966 	default:
6967 		return -EINVAL;
6968 	}
6969 
6970 	for (flag = 1; flag <= NL80211_STA_FLAG_MAX; flag++) {
6971 		if (flags[flag]) {
6972 			params->sta_flags_set |= (1<<flag);
6973 
6974 			/* no longer support new API additions in old API */
6975 			if (flag > NL80211_STA_FLAG_MAX_OLD_API)
6976 				return -EINVAL;
6977 		}
6978 	}
6979 
6980 	return 0;
6981 }
6982 
6983 bool nl80211_put_sta_rate(struct sk_buff *msg, struct rate_info *info, int attr)
6984 {
6985 	struct nlattr *rate;
6986 	u32 bitrate;
6987 	u16 bitrate_compat;
6988 	enum nl80211_rate_info rate_flg;
6989 
6990 	rate = nla_nest_start_noflag(msg, attr);
6991 	if (!rate)
6992 		return false;
6993 
6994 	/* cfg80211_calculate_bitrate will return 0 for mcs >= 32 */
6995 	bitrate = cfg80211_calculate_bitrate(info);
6996 	/* report 16-bit bitrate only if we can */
6997 	bitrate_compat = bitrate < (1UL << 16) ? bitrate : 0;
6998 	if (bitrate > 0 &&
6999 	    nla_put_u32(msg, NL80211_RATE_INFO_BITRATE32, bitrate))
7000 		return false;
7001 	if (bitrate_compat > 0 &&
7002 	    nla_put_u16(msg, NL80211_RATE_INFO_BITRATE, bitrate_compat))
7003 		return false;
7004 
7005 	switch (info->bw) {
7006 	case RATE_INFO_BW_1:
7007 		rate_flg = NL80211_RATE_INFO_1_MHZ_WIDTH;
7008 		break;
7009 	case RATE_INFO_BW_2:
7010 		rate_flg = NL80211_RATE_INFO_2_MHZ_WIDTH;
7011 		break;
7012 	case RATE_INFO_BW_4:
7013 		rate_flg = NL80211_RATE_INFO_4_MHZ_WIDTH;
7014 		break;
7015 	case RATE_INFO_BW_5:
7016 		rate_flg = NL80211_RATE_INFO_5_MHZ_WIDTH;
7017 		break;
7018 	case RATE_INFO_BW_8:
7019 		rate_flg = NL80211_RATE_INFO_8_MHZ_WIDTH;
7020 		break;
7021 	case RATE_INFO_BW_10:
7022 		rate_flg = NL80211_RATE_INFO_10_MHZ_WIDTH;
7023 		break;
7024 	case RATE_INFO_BW_16:
7025 		rate_flg = NL80211_RATE_INFO_16_MHZ_WIDTH;
7026 		break;
7027 	default:
7028 		WARN_ON(1);
7029 		fallthrough;
7030 	case RATE_INFO_BW_20:
7031 		rate_flg = 0;
7032 		break;
7033 	case RATE_INFO_BW_40:
7034 		rate_flg = NL80211_RATE_INFO_40_MHZ_WIDTH;
7035 		break;
7036 	case RATE_INFO_BW_80:
7037 		rate_flg = NL80211_RATE_INFO_80_MHZ_WIDTH;
7038 		break;
7039 	case RATE_INFO_BW_160:
7040 		rate_flg = NL80211_RATE_INFO_160_MHZ_WIDTH;
7041 		break;
7042 	case RATE_INFO_BW_HE_RU:
7043 		rate_flg = 0;
7044 		WARN_ON(!(info->flags & RATE_INFO_FLAGS_HE_MCS));
7045 		break;
7046 	case RATE_INFO_BW_320:
7047 		rate_flg = NL80211_RATE_INFO_320_MHZ_WIDTH;
7048 		break;
7049 	case RATE_INFO_BW_EHT_RU:
7050 		rate_flg = 0;
7051 		WARN_ON(!(info->flags & RATE_INFO_FLAGS_EHT_MCS));
7052 		break;
7053 	}
7054 
7055 	if (rate_flg && nla_put_flag(msg, rate_flg))
7056 		return false;
7057 
7058 	if (info->flags & RATE_INFO_FLAGS_MCS) {
7059 		if (nla_put_u8(msg, NL80211_RATE_INFO_MCS, info->mcs))
7060 			return false;
7061 		if (info->flags & RATE_INFO_FLAGS_SHORT_GI &&
7062 		    nla_put_flag(msg, NL80211_RATE_INFO_SHORT_GI))
7063 			return false;
7064 	} else if (info->flags & RATE_INFO_FLAGS_VHT_MCS) {
7065 		if (nla_put_u8(msg, NL80211_RATE_INFO_VHT_MCS, info->mcs))
7066 			return false;
7067 		if (nla_put_u8(msg, NL80211_RATE_INFO_VHT_NSS, info->nss))
7068 			return false;
7069 		if (info->flags & RATE_INFO_FLAGS_SHORT_GI &&
7070 		    nla_put_flag(msg, NL80211_RATE_INFO_SHORT_GI))
7071 			return false;
7072 	} else if (info->flags & RATE_INFO_FLAGS_HE_MCS) {
7073 		if (nla_put_u8(msg, NL80211_RATE_INFO_HE_MCS, info->mcs))
7074 			return false;
7075 		if (nla_put_u8(msg, NL80211_RATE_INFO_HE_NSS, info->nss))
7076 			return false;
7077 		if (nla_put_u8(msg, NL80211_RATE_INFO_HE_GI, info->he_gi))
7078 			return false;
7079 		if (nla_put_u8(msg, NL80211_RATE_INFO_HE_DCM, info->he_dcm))
7080 			return false;
7081 		if (info->bw == RATE_INFO_BW_HE_RU &&
7082 		    nla_put_u8(msg, NL80211_RATE_INFO_HE_RU_ALLOC,
7083 			       info->he_ru_alloc))
7084 			return false;
7085 	} else if (info->flags & RATE_INFO_FLAGS_S1G_MCS) {
7086 		if (nla_put_u8(msg, NL80211_RATE_INFO_S1G_MCS, info->mcs))
7087 			return false;
7088 		if (nla_put_u8(msg, NL80211_RATE_INFO_S1G_NSS, info->nss))
7089 			return false;
7090 		if (info->flags & RATE_INFO_FLAGS_SHORT_GI &&
7091 		    nla_put_flag(msg, NL80211_RATE_INFO_SHORT_GI))
7092 			return false;
7093 	} else if (info->flags & RATE_INFO_FLAGS_EHT_MCS) {
7094 		if (nla_put_u8(msg, NL80211_RATE_INFO_EHT_MCS, info->mcs))
7095 			return false;
7096 		if (nla_put_u8(msg, NL80211_RATE_INFO_EHT_NSS, info->nss))
7097 			return false;
7098 		if (nla_put_u8(msg, NL80211_RATE_INFO_EHT_GI, info->eht_gi))
7099 			return false;
7100 		if (info->bw == RATE_INFO_BW_EHT_RU &&
7101 		    nla_put_u8(msg, NL80211_RATE_INFO_EHT_RU_ALLOC,
7102 			       info->eht_ru_alloc))
7103 			return false;
7104 	}
7105 
7106 	nla_nest_end(msg, rate);
7107 	return true;
7108 }
7109 
7110 static bool nl80211_put_signal(struct sk_buff *msg, u8 mask, s8 *signal,
7111 			       int id)
7112 {
7113 	void *attr;
7114 	int i = 0;
7115 
7116 	if (!mask)
7117 		return true;
7118 
7119 	attr = nla_nest_start_noflag(msg, id);
7120 	if (!attr)
7121 		return false;
7122 
7123 	for (i = 0; i < IEEE80211_MAX_CHAINS; i++) {
7124 		if (!(mask & BIT(i)))
7125 			continue;
7126 
7127 		if (nla_put_u8(msg, i, signal[i]))
7128 			return false;
7129 	}
7130 
7131 	nla_nest_end(msg, attr);
7132 
7133 	return true;
7134 }
7135 
7136 static int nl80211_fill_link_station(struct sk_buff *msg,
7137 				     struct cfg80211_registered_device *rdev,
7138 				     struct link_station_info *link_sinfo)
7139 {
7140 	struct nlattr *bss_param, *link_sinfoattr;
7141 
7142 #define PUT_LINK_SINFO(attr, memb, type) do {				\
7143 	BUILD_BUG_ON(sizeof(type) == sizeof(u64));			\
7144 	if (link_sinfo->filled & BIT_ULL(NL80211_STA_INFO_ ## attr) &&	\
7145 	    nla_put_ ## type(msg, NL80211_STA_INFO_ ## attr,		\
7146 			     link_sinfo->memb))				\
7147 		goto nla_put_failure;					\
7148 	} while (0)
7149 #define PUT_LINK_SINFO_U64(attr, memb) do {				\
7150 	if (link_sinfo->filled & BIT_ULL(NL80211_STA_INFO_ ## attr) &&	\
7151 	    nla_put_u64_64bit(msg, NL80211_STA_INFO_ ## attr,		\
7152 			      link_sinfo->memb, NL80211_STA_INFO_PAD))	\
7153 		goto nla_put_failure;					\
7154 	} while (0)
7155 
7156 	link_sinfoattr = nla_nest_start_noflag(msg, NL80211_ATTR_STA_INFO);
7157 	if (!link_sinfoattr)
7158 		goto nla_put_failure;
7159 
7160 	PUT_LINK_SINFO(INACTIVE_TIME, inactive_time, u32);
7161 
7162 	if (link_sinfo->filled & (BIT_ULL(NL80211_STA_INFO_RX_BYTES) |
7163 			     BIT_ULL(NL80211_STA_INFO_RX_BYTES64)) &&
7164 	    nla_put_u32(msg, NL80211_STA_INFO_RX_BYTES,
7165 			(u32)link_sinfo->rx_bytes))
7166 		goto nla_put_failure;
7167 
7168 	if (link_sinfo->filled & (BIT_ULL(NL80211_STA_INFO_TX_BYTES) |
7169 			     BIT_ULL(NL80211_STA_INFO_TX_BYTES64)) &&
7170 	    nla_put_u32(msg, NL80211_STA_INFO_TX_BYTES,
7171 			(u32)link_sinfo->tx_bytes))
7172 		goto nla_put_failure;
7173 
7174 	PUT_LINK_SINFO_U64(RX_BYTES64, rx_bytes);
7175 	PUT_LINK_SINFO_U64(TX_BYTES64, tx_bytes);
7176 	PUT_LINK_SINFO_U64(RX_DURATION, rx_duration);
7177 	PUT_LINK_SINFO_U64(TX_DURATION, tx_duration);
7178 
7179 	if (wiphy_ext_feature_isset(&rdev->wiphy,
7180 				    NL80211_EXT_FEATURE_AIRTIME_FAIRNESS))
7181 		PUT_LINK_SINFO(AIRTIME_WEIGHT, airtime_weight, u16);
7182 
7183 	switch (rdev->wiphy.signal_type) {
7184 	case CFG80211_SIGNAL_TYPE_MBM:
7185 		PUT_LINK_SINFO(SIGNAL, signal, u8);
7186 		PUT_LINK_SINFO(SIGNAL_AVG, signal_avg, u8);
7187 		break;
7188 	default:
7189 		break;
7190 	}
7191 	if (link_sinfo->filled & BIT_ULL(NL80211_STA_INFO_CHAIN_SIGNAL)) {
7192 		if (!nl80211_put_signal(msg, link_sinfo->chains,
7193 					link_sinfo->chain_signal,
7194 					NL80211_STA_INFO_CHAIN_SIGNAL))
7195 			goto nla_put_failure;
7196 	}
7197 	if (link_sinfo->filled & BIT_ULL(NL80211_STA_INFO_CHAIN_SIGNAL_AVG)) {
7198 		if (!nl80211_put_signal(msg, link_sinfo->chains,
7199 					link_sinfo->chain_signal_avg,
7200 					NL80211_STA_INFO_CHAIN_SIGNAL_AVG))
7201 			goto nla_put_failure;
7202 	}
7203 	if (link_sinfo->filled & BIT_ULL(NL80211_STA_INFO_TX_BITRATE)) {
7204 		if (!nl80211_put_sta_rate(msg, &link_sinfo->txrate,
7205 					  NL80211_STA_INFO_TX_BITRATE))
7206 			goto nla_put_failure;
7207 	}
7208 	if (link_sinfo->filled & BIT_ULL(NL80211_STA_INFO_RX_BITRATE)) {
7209 		if (!nl80211_put_sta_rate(msg, &link_sinfo->rxrate,
7210 					  NL80211_STA_INFO_RX_BITRATE))
7211 			goto nla_put_failure;
7212 	}
7213 
7214 	PUT_LINK_SINFO(RX_PACKETS, rx_packets, u32);
7215 	PUT_LINK_SINFO(TX_PACKETS, tx_packets, u32);
7216 	PUT_LINK_SINFO(TX_RETRIES, tx_retries, u32);
7217 	PUT_LINK_SINFO(TX_FAILED, tx_failed, u32);
7218 	PUT_LINK_SINFO(EXPECTED_THROUGHPUT, expected_throughput, u32);
7219 	PUT_LINK_SINFO(BEACON_LOSS, beacon_loss_count, u32);
7220 
7221 	if (link_sinfo->filled & BIT_ULL(NL80211_STA_INFO_BSS_PARAM)) {
7222 		bss_param = nla_nest_start_noflag(msg,
7223 						  NL80211_STA_INFO_BSS_PARAM);
7224 		if (!bss_param)
7225 			goto nla_put_failure;
7226 
7227 		if (((link_sinfo->bss_param.flags &
7228 		      BSS_PARAM_FLAGS_CTS_PROT) &&
7229 		     nla_put_flag(msg, NL80211_STA_BSS_PARAM_CTS_PROT)) ||
7230 		    ((link_sinfo->bss_param.flags &
7231 		      BSS_PARAM_FLAGS_SHORT_PREAMBLE) &&
7232 		     nla_put_flag(msg,
7233 				  NL80211_STA_BSS_PARAM_SHORT_PREAMBLE)) ||
7234 		    ((link_sinfo->bss_param.flags &
7235 		      BSS_PARAM_FLAGS_SHORT_SLOT_TIME) &&
7236 		     nla_put_flag(msg,
7237 				  NL80211_STA_BSS_PARAM_SHORT_SLOT_TIME)) ||
7238 		    nla_put_u8(msg, NL80211_STA_BSS_PARAM_DTIM_PERIOD,
7239 			       link_sinfo->bss_param.dtim_period) ||
7240 		    nla_put_u16(msg, NL80211_STA_BSS_PARAM_BEACON_INTERVAL,
7241 				link_sinfo->bss_param.beacon_interval))
7242 			goto nla_put_failure;
7243 
7244 		nla_nest_end(msg, bss_param);
7245 	}
7246 
7247 	PUT_LINK_SINFO_U64(RX_DROP_MISC, rx_dropped_misc);
7248 	PUT_LINK_SINFO_U64(BEACON_RX, rx_beacon);
7249 	PUT_LINK_SINFO(BEACON_SIGNAL_AVG, rx_beacon_signal_avg, u8);
7250 	PUT_LINK_SINFO(RX_MPDUS, rx_mpdu_count, u32);
7251 	PUT_LINK_SINFO(FCS_ERROR_COUNT, fcs_err_count, u32);
7252 	if (wiphy_ext_feature_isset(&rdev->wiphy,
7253 				    NL80211_EXT_FEATURE_ACK_SIGNAL_SUPPORT)) {
7254 		PUT_LINK_SINFO(ACK_SIGNAL, ack_signal, u8);
7255 		PUT_LINK_SINFO(ACK_SIGNAL_AVG, avg_ack_signal, s8);
7256 	}
7257 
7258 #undef PUT_LINK_SINFO
7259 #undef PUT_LINK_SINFO_U64
7260 
7261 	if (link_sinfo->pertid) {
7262 		struct nlattr *tidsattr;
7263 		int tid;
7264 
7265 		tidsattr = nla_nest_start_noflag(msg,
7266 						 NL80211_STA_INFO_TID_STATS);
7267 		if (!tidsattr)
7268 			goto nla_put_failure;
7269 
7270 		for (tid = 0; tid < IEEE80211_NUM_TIDS + 1; tid++) {
7271 			struct cfg80211_tid_stats *tidstats;
7272 			struct nlattr *tidattr;
7273 
7274 			tidstats = &link_sinfo->pertid[tid];
7275 
7276 			if (!tidstats->filled)
7277 				continue;
7278 
7279 			tidattr = nla_nest_start_noflag(msg, tid + 1);
7280 			if (!tidattr)
7281 				goto nla_put_failure;
7282 
7283 #define PUT_TIDVAL_U64(attr, memb) do {					\
7284 	if (tidstats->filled & BIT(NL80211_TID_STATS_ ## attr) &&	\
7285 	    nla_put_u64_64bit(msg, NL80211_TID_STATS_ ## attr,		\
7286 			      tidstats->memb, NL80211_TID_STATS_PAD))	\
7287 		goto nla_put_failure;					\
7288 	} while (0)
7289 
7290 			PUT_TIDVAL_U64(RX_MSDU, rx_msdu);
7291 			PUT_TIDVAL_U64(TX_MSDU, tx_msdu);
7292 			PUT_TIDVAL_U64(TX_MSDU_RETRIES, tx_msdu_retries);
7293 			PUT_TIDVAL_U64(TX_MSDU_FAILED, tx_msdu_failed);
7294 
7295 #undef PUT_TIDVAL_U64
7296 			if ((tidstats->filled &
7297 			     BIT(NL80211_TID_STATS_TXQ_STATS)) &&
7298 			    !nl80211_put_txq_stats(msg, &tidstats->txq_stats,
7299 						   NL80211_TID_STATS_TXQ_STATS))
7300 				goto nla_put_failure;
7301 
7302 			nla_nest_end(msg, tidattr);
7303 		}
7304 
7305 		nla_nest_end(msg, tidsattr);
7306 	}
7307 
7308 	nla_nest_end(msg, link_sinfoattr);
7309 	return 0;
7310 
7311 nla_put_failure:
7312 	return -EMSGSIZE;
7313 }
7314 
7315 static int nl80211_send_station(struct sk_buff *msg, u32 cmd, u32 portid,
7316 				u32 seq, int flags,
7317 				struct cfg80211_registered_device *rdev,
7318 				struct net_device *dev,
7319 				const u8 *mac_addr, struct station_info *sinfo)
7320 {
7321 	void *hdr;
7322 	struct nlattr *sinfoattr, *bss_param;
7323 	struct link_station_info *link_sinfo;
7324 	struct nlattr *links, *link;
7325 	int link_id;
7326 
7327 	hdr = nl80211hdr_put(msg, portid, seq, flags, cmd);
7328 	if (!hdr) {
7329 		cfg80211_sinfo_release_content(sinfo);
7330 		return -1;
7331 	}
7332 
7333 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
7334 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac_addr) ||
7335 	    nla_put_u32(msg, NL80211_ATTR_GENERATION, sinfo->generation))
7336 		goto nla_put_failure;
7337 
7338 	sinfoattr = nla_nest_start_noflag(msg, NL80211_ATTR_STA_INFO);
7339 	if (!sinfoattr)
7340 		goto nla_put_failure;
7341 
7342 #define PUT_SINFO(attr, memb, type) do {				\
7343 	BUILD_BUG_ON(sizeof(type) == sizeof(u64));			\
7344 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_ ## attr) &&	\
7345 	    nla_put_ ## type(msg, NL80211_STA_INFO_ ## attr,		\
7346 			     sinfo->memb))				\
7347 		goto nla_put_failure;					\
7348 	} while (0)
7349 #define PUT_SINFO_U64(attr, memb) do {					\
7350 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_ ## attr) &&	\
7351 	    nla_put_u64_64bit(msg, NL80211_STA_INFO_ ## attr,		\
7352 			      sinfo->memb, NL80211_STA_INFO_PAD))	\
7353 		goto nla_put_failure;					\
7354 	} while (0)
7355 
7356 	PUT_SINFO(CONNECTED_TIME, connected_time, u32);
7357 	PUT_SINFO(INACTIVE_TIME, inactive_time, u32);
7358 	PUT_SINFO_U64(ASSOC_AT_BOOTTIME, assoc_at);
7359 
7360 	if (sinfo->filled & (BIT_ULL(NL80211_STA_INFO_RX_BYTES) |
7361 			     BIT_ULL(NL80211_STA_INFO_RX_BYTES64)) &&
7362 	    nla_put_u32(msg, NL80211_STA_INFO_RX_BYTES,
7363 			(u32)sinfo->rx_bytes))
7364 		goto nla_put_failure;
7365 
7366 	if (sinfo->filled & (BIT_ULL(NL80211_STA_INFO_TX_BYTES) |
7367 			     BIT_ULL(NL80211_STA_INFO_TX_BYTES64)) &&
7368 	    nla_put_u32(msg, NL80211_STA_INFO_TX_BYTES,
7369 			(u32)sinfo->tx_bytes))
7370 		goto nla_put_failure;
7371 
7372 	PUT_SINFO_U64(RX_BYTES64, rx_bytes);
7373 	PUT_SINFO_U64(TX_BYTES64, tx_bytes);
7374 	PUT_SINFO_U64(RX_DURATION, rx_duration);
7375 	PUT_SINFO_U64(TX_DURATION, tx_duration);
7376 
7377 	if (wiphy_ext_feature_isset(&rdev->wiphy,
7378 				    NL80211_EXT_FEATURE_AIRTIME_FAIRNESS))
7379 		PUT_SINFO(AIRTIME_WEIGHT, airtime_weight, u16);
7380 
7381 	switch (rdev->wiphy.signal_type) {
7382 	case CFG80211_SIGNAL_TYPE_MBM:
7383 		PUT_SINFO(SIGNAL, signal, u8);
7384 		PUT_SINFO(SIGNAL_AVG, signal_avg, u8);
7385 		break;
7386 	default:
7387 		break;
7388 	}
7389 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_CHAIN_SIGNAL)) {
7390 		if (!nl80211_put_signal(msg, sinfo->chains,
7391 					sinfo->chain_signal,
7392 					NL80211_STA_INFO_CHAIN_SIGNAL))
7393 			goto nla_put_failure;
7394 	}
7395 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_CHAIN_SIGNAL_AVG)) {
7396 		if (!nl80211_put_signal(msg, sinfo->chains,
7397 					sinfo->chain_signal_avg,
7398 					NL80211_STA_INFO_CHAIN_SIGNAL_AVG))
7399 			goto nla_put_failure;
7400 	}
7401 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_TX_BITRATE)) {
7402 		if (!nl80211_put_sta_rate(msg, &sinfo->txrate,
7403 					  NL80211_STA_INFO_TX_BITRATE))
7404 			goto nla_put_failure;
7405 	}
7406 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_RX_BITRATE)) {
7407 		if (!nl80211_put_sta_rate(msg, &sinfo->rxrate,
7408 					  NL80211_STA_INFO_RX_BITRATE))
7409 			goto nla_put_failure;
7410 	}
7411 
7412 	PUT_SINFO(RX_PACKETS, rx_packets, u32);
7413 	PUT_SINFO(TX_PACKETS, tx_packets, u32);
7414 	PUT_SINFO(TX_RETRIES, tx_retries, u32);
7415 	PUT_SINFO(TX_FAILED, tx_failed, u32);
7416 	PUT_SINFO(EXPECTED_THROUGHPUT, expected_throughput, u32);
7417 	PUT_SINFO(BEACON_LOSS, beacon_loss_count, u32);
7418 
7419 	PUT_SINFO(LLID, llid, u16);
7420 	PUT_SINFO(PLID, plid, u16);
7421 	PUT_SINFO(PLINK_STATE, plink_state, u8);
7422 	PUT_SINFO(AIRTIME_LINK_METRIC, airtime_link_metric, u32);
7423 	PUT_SINFO(LOCAL_PM, local_pm, u32);
7424 	PUT_SINFO(PEER_PM, peer_pm, u32);
7425 	PUT_SINFO(NONPEER_PM, nonpeer_pm, u32);
7426 	PUT_SINFO(CONNECTED_TO_GATE, connected_to_gate, u8);
7427 	PUT_SINFO(CONNECTED_TO_AS, connected_to_as, u8);
7428 	PUT_SINFO_U64(T_OFFSET, t_offset);
7429 
7430 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_BSS_PARAM)) {
7431 		bss_param = nla_nest_start_noflag(msg,
7432 						  NL80211_STA_INFO_BSS_PARAM);
7433 		if (!bss_param)
7434 			goto nla_put_failure;
7435 
7436 		if (((sinfo->bss_param.flags & BSS_PARAM_FLAGS_CTS_PROT) &&
7437 		     nla_put_flag(msg, NL80211_STA_BSS_PARAM_CTS_PROT)) ||
7438 		    ((sinfo->bss_param.flags & BSS_PARAM_FLAGS_SHORT_PREAMBLE) &&
7439 		     nla_put_flag(msg, NL80211_STA_BSS_PARAM_SHORT_PREAMBLE)) ||
7440 		    ((sinfo->bss_param.flags & BSS_PARAM_FLAGS_SHORT_SLOT_TIME) &&
7441 		     nla_put_flag(msg, NL80211_STA_BSS_PARAM_SHORT_SLOT_TIME)) ||
7442 		    nla_put_u8(msg, NL80211_STA_BSS_PARAM_DTIM_PERIOD,
7443 			       sinfo->bss_param.dtim_period) ||
7444 		    nla_put_u16(msg, NL80211_STA_BSS_PARAM_BEACON_INTERVAL,
7445 				sinfo->bss_param.beacon_interval))
7446 			goto nla_put_failure;
7447 
7448 		nla_nest_end(msg, bss_param);
7449 	}
7450 	if ((sinfo->filled & BIT_ULL(NL80211_STA_INFO_STA_FLAGS)) &&
7451 	    nla_put(msg, NL80211_STA_INFO_STA_FLAGS,
7452 		    sizeof(struct nl80211_sta_flag_update),
7453 		    &sinfo->sta_flags))
7454 		goto nla_put_failure;
7455 
7456 	PUT_SINFO_U64(RX_DROP_MISC, rx_dropped_misc);
7457 	PUT_SINFO_U64(BEACON_RX, rx_beacon);
7458 	PUT_SINFO(BEACON_SIGNAL_AVG, rx_beacon_signal_avg, u8);
7459 	PUT_SINFO(RX_MPDUS, rx_mpdu_count, u32);
7460 	PUT_SINFO(FCS_ERROR_COUNT, fcs_err_count, u32);
7461 	if (wiphy_ext_feature_isset(&rdev->wiphy,
7462 				    NL80211_EXT_FEATURE_ACK_SIGNAL_SUPPORT)) {
7463 		PUT_SINFO(ACK_SIGNAL, ack_signal, u8);
7464 		PUT_SINFO(ACK_SIGNAL_AVG, avg_ack_signal, s8);
7465 	}
7466 
7467 #undef PUT_SINFO
7468 #undef PUT_SINFO_U64
7469 
7470 	if (sinfo->pertid) {
7471 		struct nlattr *tidsattr;
7472 		int tid;
7473 
7474 		tidsattr = nla_nest_start_noflag(msg,
7475 						 NL80211_STA_INFO_TID_STATS);
7476 		if (!tidsattr)
7477 			goto nla_put_failure;
7478 
7479 		for (tid = 0; tid < IEEE80211_NUM_TIDS + 1; tid++) {
7480 			struct cfg80211_tid_stats *tidstats;
7481 			struct nlattr *tidattr;
7482 
7483 			tidstats = &sinfo->pertid[tid];
7484 
7485 			if (!tidstats->filled)
7486 				continue;
7487 
7488 			tidattr = nla_nest_start_noflag(msg, tid + 1);
7489 			if (!tidattr)
7490 				goto nla_put_failure;
7491 
7492 #define PUT_TIDVAL_U64(attr, memb) do {					\
7493 	if (tidstats->filled & BIT(NL80211_TID_STATS_ ## attr) &&	\
7494 	    nla_put_u64_64bit(msg, NL80211_TID_STATS_ ## attr,		\
7495 			      tidstats->memb, NL80211_TID_STATS_PAD))	\
7496 		goto nla_put_failure;					\
7497 	} while (0)
7498 
7499 			PUT_TIDVAL_U64(RX_MSDU, rx_msdu);
7500 			PUT_TIDVAL_U64(TX_MSDU, tx_msdu);
7501 			PUT_TIDVAL_U64(TX_MSDU_RETRIES, tx_msdu_retries);
7502 			PUT_TIDVAL_U64(TX_MSDU_FAILED, tx_msdu_failed);
7503 
7504 #undef PUT_TIDVAL_U64
7505 			if ((tidstats->filled &
7506 			     BIT(NL80211_TID_STATS_TXQ_STATS)) &&
7507 			    !nl80211_put_txq_stats(msg, &tidstats->txq_stats,
7508 						   NL80211_TID_STATS_TXQ_STATS))
7509 				goto nla_put_failure;
7510 
7511 			nla_nest_end(msg, tidattr);
7512 		}
7513 
7514 		nla_nest_end(msg, tidsattr);
7515 	}
7516 
7517 	nla_nest_end(msg, sinfoattr);
7518 
7519 	if (sinfo->assoc_req_ies_len &&
7520 	    nla_put(msg, NL80211_ATTR_IE, sinfo->assoc_req_ies_len,
7521 		    sinfo->assoc_req_ies))
7522 		goto nla_put_failure;
7523 
7524 	if (sinfo->assoc_resp_ies_len &&
7525 	    nla_put(msg, NL80211_ATTR_RESP_IE, sinfo->assoc_resp_ies_len,
7526 		    sinfo->assoc_resp_ies))
7527 		goto nla_put_failure;
7528 
7529 	if (sinfo->mlo_params_valid) {
7530 		if (nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID,
7531 			       sinfo->assoc_link_id))
7532 			goto nla_put_failure;
7533 
7534 		if (!is_zero_ether_addr(sinfo->mld_addr) &&
7535 		    nla_put(msg, NL80211_ATTR_MLD_ADDR, ETH_ALEN,
7536 			    sinfo->mld_addr))
7537 			goto nla_put_failure;
7538 	}
7539 
7540 	if (sinfo->valid_links) {
7541 		links = nla_nest_start(msg, NL80211_ATTR_MLO_LINKS);
7542 		if (!links)
7543 			goto nla_put_failure;
7544 
7545 		for_each_valid_link(sinfo, link_id) {
7546 			link_sinfo = sinfo->links[link_id];
7547 
7548 			if (WARN_ON_ONCE(!link_sinfo))
7549 				continue;
7550 
7551 			if (!is_valid_ether_addr(link_sinfo->addr))
7552 				continue;
7553 
7554 			link = nla_nest_start(msg, link_id + 1);
7555 			if (!link)
7556 				goto nla_put_failure;
7557 
7558 			if (nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID,
7559 				       link_id))
7560 				goto nla_put_failure;
7561 
7562 			if (nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN,
7563 				    link_sinfo->addr))
7564 				goto nla_put_failure;
7565 
7566 			if (nl80211_fill_link_station(msg, rdev, link_sinfo))
7567 				goto nla_put_failure;
7568 
7569 			nla_nest_end(msg, link);
7570 		}
7571 		nla_nest_end(msg, links);
7572 	}
7573 
7574 	cfg80211_sinfo_release_content(sinfo);
7575 	genlmsg_end(msg, hdr);
7576 	return 0;
7577 
7578  nla_put_failure:
7579 	cfg80211_sinfo_release_content(sinfo);
7580 	genlmsg_cancel(msg, hdr);
7581 	return -EMSGSIZE;
7582 }
7583 
7584 static void cfg80211_sta_set_mld_sinfo(struct station_info *sinfo)
7585 {
7586 	struct link_station_info *link_sinfo;
7587 	int link_id, init = 0;
7588 	u32 link_inactive_time;
7589 
7590 	sinfo->signal = -99;
7591 
7592 	for_each_valid_link(sinfo, link_id) {
7593 		link_sinfo = sinfo->links[link_id];
7594 		if (!link_sinfo)
7595 			continue;
7596 
7597 		if ((link_sinfo->filled &
7598 		     BIT_ULL(NL80211_STA_INFO_TX_PACKETS))) {
7599 			sinfo->tx_packets += link_sinfo->tx_packets;
7600 			sinfo->filled |= BIT_ULL(NL80211_STA_INFO_TX_PACKETS);
7601 		}
7602 
7603 		if ((link_sinfo->filled &
7604 		     BIT_ULL(NL80211_STA_INFO_RX_PACKETS))) {
7605 			sinfo->rx_packets += link_sinfo->rx_packets;
7606 			sinfo->filled |= BIT_ULL(NL80211_STA_INFO_RX_PACKETS);
7607 		}
7608 
7609 		if (link_sinfo->filled &
7610 		    (BIT_ULL(NL80211_STA_INFO_TX_BYTES) |
7611 		     BIT_ULL(NL80211_STA_INFO_TX_BYTES64))) {
7612 			sinfo->tx_bytes += link_sinfo->tx_bytes;
7613 			sinfo->filled |= BIT_ULL(NL80211_STA_INFO_TX_BYTES);
7614 		}
7615 
7616 		if (link_sinfo->filled &
7617 		    (BIT_ULL(NL80211_STA_INFO_RX_BYTES) |
7618 		     BIT_ULL(NL80211_STA_INFO_TX_BYTES64))) {
7619 			sinfo->rx_bytes += link_sinfo->rx_bytes;
7620 			sinfo->filled |= BIT_ULL(NL80211_STA_INFO_RX_BYTES);
7621 		}
7622 
7623 		if (link_sinfo->filled &
7624 		    BIT_ULL(NL80211_STA_INFO_TX_RETRIES)) {
7625 			sinfo->tx_retries += link_sinfo->tx_retries;
7626 			sinfo->filled |= BIT_ULL(NL80211_STA_INFO_TX_RETRIES);
7627 		}
7628 
7629 		if (link_sinfo->filled & BIT_ULL(NL80211_STA_INFO_TX_FAILED)) {
7630 			sinfo->tx_failed += link_sinfo->tx_failed;
7631 			sinfo->filled |= BIT_ULL(NL80211_STA_INFO_TX_FAILED);
7632 		}
7633 
7634 		if (link_sinfo->filled &
7635 		    BIT_ULL(NL80211_STA_INFO_RX_DROP_MISC)) {
7636 			sinfo->rx_dropped_misc += link_sinfo->rx_dropped_misc;
7637 			sinfo->filled |=
7638 				BIT_ULL(NL80211_STA_INFO_RX_DROP_MISC);
7639 		}
7640 
7641 		if (link_sinfo->filled &
7642 		    BIT_ULL(NL80211_STA_INFO_BEACON_LOSS)) {
7643 			sinfo->beacon_loss_count +=
7644 				link_sinfo->beacon_loss_count;
7645 			sinfo->filled |= BIT_ULL(NL80211_STA_INFO_BEACON_LOSS);
7646 		}
7647 
7648 		if (link_sinfo->filled &
7649 		    BIT_ULL(NL80211_STA_INFO_EXPECTED_THROUGHPUT)) {
7650 			sinfo->expected_throughput +=
7651 				link_sinfo->expected_throughput;
7652 			sinfo->filled |=
7653 				BIT_ULL(NL80211_STA_INFO_EXPECTED_THROUGHPUT);
7654 		}
7655 
7656 		if (link_sinfo->filled & BIT_ULL(NL80211_STA_INFO_RX_MPDUS)) {
7657 			sinfo->rx_mpdu_count += link_sinfo->rx_mpdu_count;
7658 			sinfo->filled |= BIT_ULL(NL80211_STA_INFO_RX_MPDUS);
7659 		}
7660 
7661 		if (link_sinfo->filled &
7662 		    BIT_ULL(NL80211_STA_INFO_FCS_ERROR_COUNT)) {
7663 			sinfo->fcs_err_count += link_sinfo->fcs_err_count;
7664 			sinfo->filled |=
7665 				BIT_ULL(NL80211_STA_INFO_FCS_ERROR_COUNT);
7666 		}
7667 
7668 		if (link_sinfo->filled &
7669 		    BIT_ULL(NL80211_STA_INFO_BEACON_RX)) {
7670 			sinfo->rx_beacon += link_sinfo->rx_beacon;
7671 			sinfo->filled |= BIT_ULL(NL80211_STA_INFO_BEACON_RX);
7672 		}
7673 
7674 		/* Update MLO signal, signal_avg as best among links */
7675 		if ((link_sinfo->filled & BIT_ULL(NL80211_STA_INFO_SIGNAL)) &&
7676 		    link_sinfo->signal > sinfo->signal) {
7677 			sinfo->signal = link_sinfo->signal;
7678 			sinfo->filled |= BIT_ULL(NL80211_STA_INFO_SIGNAL);
7679 		}
7680 
7681 		if ((link_sinfo->filled &
7682 			BIT_ULL(NL80211_STA_INFO_SIGNAL_AVG)) &&
7683 		    link_sinfo->signal_avg > sinfo->signal_avg) {
7684 			sinfo->signal_avg = link_sinfo->signal_avg;
7685 			sinfo->filled |= BIT_ULL(NL80211_STA_INFO_SIGNAL_AVG);
7686 		}
7687 
7688 		/* Update MLO inactive_time, bss_param based on least
7689 		 * value for corresponding field of link.
7690 		 */
7691 		if ((link_sinfo->filled &
7692 		     BIT_ULL(NL80211_STA_INFO_INACTIVE_TIME)) &&
7693 		    (!init ||
7694 		     link_inactive_time > link_sinfo->inactive_time)) {
7695 			link_inactive_time = link_sinfo->inactive_time;
7696 			sinfo->inactive_time = link_sinfo->inactive_time;
7697 			sinfo->filled |= NL80211_STA_INFO_INACTIVE_TIME;
7698 		}
7699 
7700 		if (link_sinfo->filled & BIT_ULL(NL80211_STA_INFO_BSS_PARAM) &&
7701 		    (!init ||
7702 		     sinfo->bss_param.dtim_period >
7703 		      link_sinfo->bss_param.dtim_period)) {
7704 			sinfo->bss_param.dtim_period =
7705 				link_sinfo->bss_param.dtim_period;
7706 			sinfo->filled |= NL80211_STA_BSS_PARAM_DTIM_PERIOD;
7707 			sinfo->bss_param.beacon_interval =
7708 				link_sinfo->bss_param.beacon_interval;
7709 			sinfo->filled |= NL80211_STA_BSS_PARAM_BEACON_INTERVAL;
7710 		}
7711 
7712 		/* Update MLO rates as per last updated link rate */
7713 		if ((link_sinfo->filled &
7714 		     BIT_ULL(NL80211_STA_INFO_TX_BITRATE)) &&
7715 		    (!init ||
7716 		     link_inactive_time > link_sinfo->inactive_time)) {
7717 			sinfo->txrate = link_sinfo->txrate;
7718 			sinfo->filled |= BIT_ULL(NL80211_STA_INFO_TX_BITRATE);
7719 		}
7720 		if ((link_sinfo->filled &
7721 		     BIT_ULL(NL80211_STA_INFO_RX_BITRATE)) &&
7722 		    (!init ||
7723 		     link_inactive_time > link_sinfo->inactive_time)) {
7724 			sinfo->rxrate = link_sinfo->rxrate;
7725 			sinfo->filled |= BIT_ULL(NL80211_STA_INFO_RX_BITRATE);
7726 		}
7727 
7728 		if (link_sinfo->filled &
7729 		    BIT_ULL(NL80211_STA_INFO_TX_DURATION) &&
7730 		    (!init ||
7731 		     link_inactive_time > link_sinfo->inactive_time)) {
7732 			sinfo->tx_duration += link_sinfo->tx_duration;
7733 			sinfo->filled |=
7734 				BIT_ULL(NL80211_STA_INFO_TX_DURATION);
7735 		}
7736 		if (link_sinfo->filled &
7737 		    BIT_ULL(NL80211_STA_INFO_RX_DURATION) &&
7738 		    (!init ||
7739 		     link_inactive_time > link_sinfo->inactive_time)) {
7740 			sinfo->rx_duration += link_sinfo->rx_duration;
7741 			sinfo->filled |=
7742 				BIT_ULL(NL80211_STA_INFO_RX_DURATION);
7743 		}
7744 		init++;
7745 
7746 		/* pertid stats accumulate for rx/tx fields */
7747 		if (sinfo->pertid) {
7748 			sinfo->pertid->rx_msdu +=
7749 				link_sinfo->pertid->rx_msdu;
7750 			sinfo->pertid->tx_msdu +=
7751 				link_sinfo->pertid->tx_msdu;
7752 			sinfo->pertid->tx_msdu_retries +=
7753 				link_sinfo->pertid->tx_msdu_retries;
7754 			sinfo->pertid->tx_msdu_failed +=
7755 				link_sinfo->pertid->tx_msdu_failed;
7756 
7757 			sinfo->pertid->filled |=
7758 				BIT(NL80211_TID_STATS_RX_MSDU) |
7759 				BIT(NL80211_TID_STATS_TX_MSDU) |
7760 				BIT(NL80211_TID_STATS_TX_MSDU_RETRIES) |
7761 				BIT(NL80211_TID_STATS_TX_MSDU_FAILED);
7762 		}
7763 	}
7764 
7765 	/* Reset sinfo->filled bits to exclude fields which don't make
7766 	 * much sense at the MLO level.
7767 	 */
7768 	sinfo->filled &= ~BIT_ULL(NL80211_STA_INFO_CHAIN_SIGNAL);
7769 	sinfo->filled &= ~BIT_ULL(NL80211_STA_INFO_CHAIN_SIGNAL_AVG);
7770 }
7771 
7772 static int nl80211_dump_station(struct sk_buff *skb,
7773 				struct netlink_callback *cb)
7774 {
7775 	struct station_info sinfo;
7776 	struct cfg80211_registered_device *rdev;
7777 	struct wireless_dev *wdev;
7778 	u8 mac_addr[ETH_ALEN];
7779 	int sta_idx = cb->args[2];
7780 	bool sinfo_alloc = false;
7781 	int err, i;
7782 
7783 	err = nl80211_prepare_wdev_dump(cb, &rdev, &wdev, NULL);
7784 	if (err)
7785 		return err;
7786 	/* nl80211_prepare_wdev_dump acquired it in the successful case */
7787 	__acquire(&rdev->wiphy.mtx);
7788 
7789 	if (!wdev->netdev) {
7790 		err = -EINVAL;
7791 		goto out_err;
7792 	}
7793 
7794 	if (!rdev->ops->dump_station) {
7795 		err = -EOPNOTSUPP;
7796 		goto out_err;
7797 	}
7798 
7799 	while (1) {
7800 		memset(&sinfo, 0, sizeof(sinfo));
7801 
7802 		for (i = 0; i < IEEE80211_MLD_MAX_NUM_LINKS; i++) {
7803 			sinfo.links[i] =
7804 				kzalloc(sizeof(*sinfo.links[0]), GFP_KERNEL);
7805 			if (!sinfo.links[i]) {
7806 				err = -ENOMEM;
7807 				goto out_err;
7808 			}
7809 			sinfo_alloc = true;
7810 		}
7811 
7812 		err = rdev_dump_station(rdev, wdev->netdev, sta_idx,
7813 					mac_addr, &sinfo);
7814 		if (err == -ENOENT)
7815 			break;
7816 		if (err)
7817 			goto out_err;
7818 
7819 		if (sinfo.valid_links)
7820 			cfg80211_sta_set_mld_sinfo(&sinfo);
7821 
7822 		/* reset the sinfo_alloc flag as nl80211_send_station()
7823 		 * always releases sinfo
7824 		 */
7825 		sinfo_alloc = false;
7826 
7827 		if (nl80211_send_station(skb, NL80211_CMD_NEW_STATION,
7828 				NETLINK_CB(cb->skb).portid,
7829 				cb->nlh->nlmsg_seq, NLM_F_MULTI,
7830 				rdev, wdev->netdev, mac_addr,
7831 				&sinfo) < 0)
7832 			goto out;
7833 
7834 		sta_idx++;
7835 	}
7836 
7837  out:
7838 	cb->args[2] = sta_idx;
7839 	err = skb->len;
7840  out_err:
7841 	if (sinfo_alloc)
7842 		cfg80211_sinfo_release_content(&sinfo);
7843 	wiphy_unlock(&rdev->wiphy);
7844 
7845 	return err;
7846 }
7847 
7848 static int nl80211_get_station(struct sk_buff *skb, struct genl_info *info)
7849 {
7850 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7851 	struct net_device *dev = info->user_ptr[1];
7852 	struct station_info sinfo;
7853 	struct sk_buff *msg;
7854 	u8 *mac_addr = NULL;
7855 	int err, i;
7856 
7857 	memset(&sinfo, 0, sizeof(sinfo));
7858 
7859 	if (!info->attrs[NL80211_ATTR_MAC])
7860 		return -EINVAL;
7861 
7862 	mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
7863 
7864 	if (!rdev->ops->get_station)
7865 		return -EOPNOTSUPP;
7866 
7867 	for (i = 0; i < IEEE80211_MLD_MAX_NUM_LINKS; i++) {
7868 		sinfo.links[i] = kzalloc(sizeof(*sinfo.links[0]), GFP_KERNEL);
7869 		if (!sinfo.links[i]) {
7870 			cfg80211_sinfo_release_content(&sinfo);
7871 			return -ENOMEM;
7872 		}
7873 	}
7874 
7875 	err = rdev_get_station(rdev, dev, mac_addr, &sinfo);
7876 	if (err) {
7877 		cfg80211_sinfo_release_content(&sinfo);
7878 		return err;
7879 	}
7880 
7881 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
7882 	if (!msg) {
7883 		cfg80211_sinfo_release_content(&sinfo);
7884 		return -ENOMEM;
7885 	}
7886 
7887 	if (sinfo.valid_links)
7888 		cfg80211_sta_set_mld_sinfo(&sinfo);
7889 
7890 	if (nl80211_send_station(msg, NL80211_CMD_NEW_STATION,
7891 				 info->snd_portid, info->snd_seq, 0,
7892 				 rdev, dev, mac_addr, &sinfo) < 0) {
7893 		nlmsg_free(msg);
7894 		return -ENOBUFS;
7895 	}
7896 
7897 	return genlmsg_reply(msg, info);
7898 }
7899 
7900 int cfg80211_check_station_change(struct wiphy *wiphy,
7901 				  struct station_parameters *params,
7902 				  enum cfg80211_station_type statype)
7903 {
7904 	if (params->listen_interval != -1 &&
7905 	    statype != CFG80211_STA_AP_CLIENT_UNASSOC)
7906 		return -EINVAL;
7907 
7908 	if (params->support_p2p_ps != -1 &&
7909 	    statype != CFG80211_STA_AP_CLIENT_UNASSOC)
7910 		return -EINVAL;
7911 
7912 	if (params->aid &&
7913 	    !(params->sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)) &&
7914 	    statype != CFG80211_STA_AP_CLIENT_UNASSOC)
7915 		return -EINVAL;
7916 
7917 	/* When you run into this, adjust the code below for the new flag */
7918 	BUILD_BUG_ON(NL80211_STA_FLAG_MAX != 8);
7919 
7920 	switch (statype) {
7921 	case CFG80211_STA_MESH_PEER_KERNEL:
7922 	case CFG80211_STA_MESH_PEER_USER:
7923 		/*
7924 		 * No ignoring the TDLS flag here -- the userspace mesh
7925 		 * code doesn't have the bug of including TDLS in the
7926 		 * mask everywhere.
7927 		 */
7928 		if (params->sta_flags_mask &
7929 				~(BIT(NL80211_STA_FLAG_AUTHENTICATED) |
7930 				  BIT(NL80211_STA_FLAG_MFP) |
7931 				  BIT(NL80211_STA_FLAG_AUTHORIZED)))
7932 			return -EINVAL;
7933 		break;
7934 	case CFG80211_STA_TDLS_PEER_SETUP:
7935 	case CFG80211_STA_TDLS_PEER_ACTIVE:
7936 		if (!(params->sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)))
7937 			return -EINVAL;
7938 		/* ignore since it can't change */
7939 		params->sta_flags_mask &= ~BIT(NL80211_STA_FLAG_TDLS_PEER);
7940 		break;
7941 	default:
7942 		/* disallow mesh-specific things */
7943 		if (params->plink_action != NL80211_PLINK_ACTION_NO_ACTION)
7944 			return -EINVAL;
7945 		if (params->local_pm)
7946 			return -EINVAL;
7947 		if (params->sta_modify_mask & STATION_PARAM_APPLY_PLINK_STATE)
7948 			return -EINVAL;
7949 	}
7950 
7951 	if (statype != CFG80211_STA_TDLS_PEER_SETUP &&
7952 	    statype != CFG80211_STA_TDLS_PEER_ACTIVE) {
7953 		/* TDLS can't be set, ... */
7954 		if (params->sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER))
7955 			return -EINVAL;
7956 		/*
7957 		 * ... but don't bother the driver with it. This works around
7958 		 * a hostapd/wpa_supplicant issue -- it always includes the
7959 		 * TLDS_PEER flag in the mask even for AP mode.
7960 		 */
7961 		params->sta_flags_mask &= ~BIT(NL80211_STA_FLAG_TDLS_PEER);
7962 	}
7963 
7964 	if (statype != CFG80211_STA_TDLS_PEER_SETUP &&
7965 	    statype != CFG80211_STA_AP_CLIENT_UNASSOC) {
7966 		/* reject other things that can't change */
7967 		if (params->sta_modify_mask & STATION_PARAM_APPLY_UAPSD)
7968 			return -EINVAL;
7969 		if (params->sta_modify_mask & STATION_PARAM_APPLY_CAPABILITY)
7970 			return -EINVAL;
7971 		if (params->link_sta_params.supported_rates)
7972 			return -EINVAL;
7973 		if (params->ext_capab || params->link_sta_params.ht_capa ||
7974 		    params->link_sta_params.vht_capa ||
7975 		    params->link_sta_params.he_capa ||
7976 		    params->link_sta_params.eht_capa)
7977 			return -EINVAL;
7978 		if (params->sta_flags_mask & BIT(NL80211_STA_FLAG_SPP_AMSDU))
7979 			return -EINVAL;
7980 	}
7981 
7982 	if (statype != CFG80211_STA_AP_CLIENT &&
7983 	    statype != CFG80211_STA_AP_CLIENT_UNASSOC) {
7984 		if (params->vlan)
7985 			return -EINVAL;
7986 	}
7987 
7988 	/* Accept EMLSR capabilities only for AP client before association */
7989 	if (statype != CFG80211_STA_AP_CLIENT_UNASSOC &&
7990 	    params->eml_cap_present)
7991 		return -EINVAL;
7992 
7993 	switch (statype) {
7994 	case CFG80211_STA_AP_MLME_CLIENT:
7995 		/* Use this only for authorizing/unauthorizing a station */
7996 		if (!(params->sta_flags_mask & BIT(NL80211_STA_FLAG_AUTHORIZED)))
7997 			return -EOPNOTSUPP;
7998 		break;
7999 	case CFG80211_STA_AP_CLIENT:
8000 	case CFG80211_STA_AP_CLIENT_UNASSOC:
8001 		/* accept only the listed bits */
8002 		if (params->sta_flags_mask &
8003 				~(BIT(NL80211_STA_FLAG_AUTHORIZED) |
8004 				  BIT(NL80211_STA_FLAG_AUTHENTICATED) |
8005 				  BIT(NL80211_STA_FLAG_ASSOCIATED) |
8006 				  BIT(NL80211_STA_FLAG_SHORT_PREAMBLE) |
8007 				  BIT(NL80211_STA_FLAG_WME) |
8008 				  BIT(NL80211_STA_FLAG_MFP) |
8009 				  BIT(NL80211_STA_FLAG_SPP_AMSDU)))
8010 			return -EINVAL;
8011 
8012 		/* but authenticated/associated only if driver handles it */
8013 		if (!(wiphy->features & NL80211_FEATURE_FULL_AP_CLIENT_STATE) &&
8014 		    params->sta_flags_mask &
8015 				(BIT(NL80211_STA_FLAG_AUTHENTICATED) |
8016 				 BIT(NL80211_STA_FLAG_ASSOCIATED)))
8017 			return -EINVAL;
8018 		break;
8019 	case CFG80211_STA_IBSS:
8020 	case CFG80211_STA_AP_STA:
8021 		/* reject any changes other than AUTHORIZED */
8022 		if (params->sta_flags_mask & ~BIT(NL80211_STA_FLAG_AUTHORIZED))
8023 			return -EINVAL;
8024 		break;
8025 	case CFG80211_STA_TDLS_PEER_SETUP:
8026 		/* reject any changes other than AUTHORIZED or WME */
8027 		if (params->sta_flags_mask & ~(BIT(NL80211_STA_FLAG_AUTHORIZED) |
8028 					       BIT(NL80211_STA_FLAG_WME)))
8029 			return -EINVAL;
8030 		/* force (at least) rates when authorizing */
8031 		if (params->sta_flags_set & BIT(NL80211_STA_FLAG_AUTHORIZED) &&
8032 		    !params->link_sta_params.supported_rates)
8033 			return -EINVAL;
8034 		break;
8035 	case CFG80211_STA_TDLS_PEER_ACTIVE:
8036 		/* reject any changes */
8037 		return -EINVAL;
8038 	case CFG80211_STA_MESH_PEER_KERNEL:
8039 		if (params->sta_modify_mask & STATION_PARAM_APPLY_PLINK_STATE)
8040 			return -EINVAL;
8041 		break;
8042 	case CFG80211_STA_MESH_PEER_USER:
8043 		if (params->plink_action != NL80211_PLINK_ACTION_NO_ACTION &&
8044 		    params->plink_action != NL80211_PLINK_ACTION_BLOCK)
8045 			return -EINVAL;
8046 		break;
8047 	}
8048 
8049 	/*
8050 	 * Older kernel versions ignored this attribute entirely, so don't
8051 	 * reject attempts to update it but mark it as unused instead so the
8052 	 * driver won't look at the data.
8053 	 */
8054 	if (statype != CFG80211_STA_AP_CLIENT_UNASSOC &&
8055 	    statype != CFG80211_STA_TDLS_PEER_SETUP)
8056 		params->link_sta_params.opmode_notif_used = false;
8057 
8058 	return 0;
8059 }
8060 EXPORT_SYMBOL(cfg80211_check_station_change);
8061 
8062 /*
8063  * Get vlan interface making sure it is running and on the right wiphy.
8064  */
8065 static struct net_device *get_vlan(struct genl_info *info,
8066 				   struct cfg80211_registered_device *rdev)
8067 {
8068 	struct nlattr *vlanattr = info->attrs[NL80211_ATTR_STA_VLAN];
8069 	struct net_device *v;
8070 	int ret;
8071 
8072 	if (!vlanattr)
8073 		return NULL;
8074 
8075 	v = dev_get_by_index(genl_info_net(info), nla_get_u32(vlanattr));
8076 	if (!v)
8077 		return ERR_PTR(-ENODEV);
8078 
8079 	if (!v->ieee80211_ptr || v->ieee80211_ptr->wiphy != &rdev->wiphy) {
8080 		ret = -EINVAL;
8081 		goto error;
8082 	}
8083 
8084 	if (v->ieee80211_ptr->iftype != NL80211_IFTYPE_AP_VLAN &&
8085 	    v->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
8086 	    v->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO) {
8087 		ret = -EINVAL;
8088 		goto error;
8089 	}
8090 
8091 	if (!netif_running(v)) {
8092 		ret = -ENETDOWN;
8093 		goto error;
8094 	}
8095 
8096 	return v;
8097  error:
8098 	dev_put(v);
8099 	return ERR_PTR(ret);
8100 }
8101 
8102 static int nl80211_parse_sta_wme(struct genl_info *info,
8103 				 struct station_parameters *params)
8104 {
8105 	struct nlattr *tb[NL80211_STA_WME_MAX + 1];
8106 	struct nlattr *nla;
8107 	int err;
8108 
8109 	/* parse WME attributes if present */
8110 	if (!info->attrs[NL80211_ATTR_STA_WME])
8111 		return 0;
8112 
8113 	nla = info->attrs[NL80211_ATTR_STA_WME];
8114 	err = nla_parse_nested_deprecated(tb, NL80211_STA_WME_MAX, nla,
8115 					  nl80211_sta_wme_policy,
8116 					  info->extack);
8117 	if (err)
8118 		return err;
8119 
8120 	if (tb[NL80211_STA_WME_UAPSD_QUEUES])
8121 		params->uapsd_queues = nla_get_u8(
8122 			tb[NL80211_STA_WME_UAPSD_QUEUES]);
8123 	if (params->uapsd_queues & ~IEEE80211_WMM_IE_STA_QOSINFO_AC_MASK)
8124 		return -EINVAL;
8125 
8126 	if (tb[NL80211_STA_WME_MAX_SP])
8127 		params->max_sp = nla_get_u8(tb[NL80211_STA_WME_MAX_SP]);
8128 
8129 	if (params->max_sp & ~IEEE80211_WMM_IE_STA_QOSINFO_SP_MASK)
8130 		return -EINVAL;
8131 
8132 	params->sta_modify_mask |= STATION_PARAM_APPLY_UAPSD;
8133 
8134 	return 0;
8135 }
8136 
8137 static int nl80211_parse_sta_channel_info(struct genl_info *info,
8138 				      struct station_parameters *params)
8139 {
8140 	if (info->attrs[NL80211_ATTR_STA_SUPPORTED_CHANNELS]) {
8141 		params->supported_channels =
8142 		     nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_CHANNELS]);
8143 		params->supported_channels_len =
8144 		     nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_CHANNELS]);
8145 		/*
8146 		 * Need to include at least one (first channel, number of
8147 		 * channels) tuple for each subband (checked in policy),
8148 		 * and must have proper tuples for the rest of the data as well.
8149 		 */
8150 		if (params->supported_channels_len % 2)
8151 			return -EINVAL;
8152 	}
8153 
8154 	if (info->attrs[NL80211_ATTR_STA_SUPPORTED_OPER_CLASSES]) {
8155 		params->supported_oper_classes =
8156 		 nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_OPER_CLASSES]);
8157 		params->supported_oper_classes_len =
8158 		  nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_OPER_CLASSES]);
8159 	}
8160 	return 0;
8161 }
8162 
8163 static int nl80211_set_station_tdls(struct genl_info *info,
8164 				    struct station_parameters *params)
8165 {
8166 	int err;
8167 	/* Dummy STA entry gets updated once the peer capabilities are known */
8168 	if (info->attrs[NL80211_ATTR_PEER_AID])
8169 		params->aid = nla_get_u16(info->attrs[NL80211_ATTR_PEER_AID]);
8170 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY])
8171 		params->link_sta_params.ht_capa =
8172 			nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]);
8173 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY])
8174 		params->link_sta_params.vht_capa =
8175 			nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]);
8176 	if (info->attrs[NL80211_ATTR_HE_CAPABILITY]) {
8177 		params->link_sta_params.he_capa =
8178 			nla_data(info->attrs[NL80211_ATTR_HE_CAPABILITY]);
8179 		params->link_sta_params.he_capa_len =
8180 			nla_len(info->attrs[NL80211_ATTR_HE_CAPABILITY]);
8181 
8182 		if (info->attrs[NL80211_ATTR_EHT_CAPABILITY]) {
8183 			params->link_sta_params.eht_capa =
8184 				nla_data(info->attrs[NL80211_ATTR_EHT_CAPABILITY]);
8185 			params->link_sta_params.eht_capa_len =
8186 				nla_len(info->attrs[NL80211_ATTR_EHT_CAPABILITY]);
8187 
8188 			if (!ieee80211_eht_capa_size_ok((const u8 *)params->link_sta_params.he_capa,
8189 							(const u8 *)params->link_sta_params.eht_capa,
8190 							params->link_sta_params.eht_capa_len,
8191 							false))
8192 				return -EINVAL;
8193 		}
8194 	}
8195 
8196 	if (info->attrs[NL80211_ATTR_S1G_CAPABILITY])
8197 		params->link_sta_params.s1g_capa =
8198 			nla_data(info->attrs[NL80211_ATTR_S1G_CAPABILITY]);
8199 
8200 	err = nl80211_parse_sta_channel_info(info, params);
8201 	if (err)
8202 		return err;
8203 
8204 	return nl80211_parse_sta_wme(info, params);
8205 }
8206 
8207 static int nl80211_parse_sta_txpower_setting(struct genl_info *info,
8208 					     struct sta_txpwr *txpwr,
8209 					     bool *txpwr_set)
8210 {
8211 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8212 	int idx;
8213 
8214 	if (info->attrs[NL80211_ATTR_STA_TX_POWER_SETTING]) {
8215 		if (!rdev->ops->set_tx_power ||
8216 		    !wiphy_ext_feature_isset(&rdev->wiphy,
8217 					 NL80211_EXT_FEATURE_STA_TX_PWR))
8218 			return -EOPNOTSUPP;
8219 
8220 		idx = NL80211_ATTR_STA_TX_POWER_SETTING;
8221 		txpwr->type = nla_get_u8(info->attrs[idx]);
8222 
8223 		if (txpwr->type == NL80211_TX_POWER_LIMITED) {
8224 			idx = NL80211_ATTR_STA_TX_POWER;
8225 
8226 			if (info->attrs[idx])
8227 				txpwr->power = nla_get_s16(info->attrs[idx]);
8228 			else
8229 				return -EINVAL;
8230 		}
8231 
8232 		*txpwr_set = true;
8233 	} else {
8234 		*txpwr_set = false;
8235 	}
8236 
8237 	return 0;
8238 }
8239 
8240 static int nl80211_set_station(struct sk_buff *skb, struct genl_info *info)
8241 {
8242 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8243 	struct net_device *dev = info->user_ptr[1];
8244 	struct station_parameters params;
8245 	u8 *mac_addr;
8246 	int err;
8247 
8248 	memset(&params, 0, sizeof(params));
8249 
8250 	if (!rdev->ops->change_station)
8251 		return -EOPNOTSUPP;
8252 
8253 	/*
8254 	 * AID and listen_interval properties can be set only for unassociated
8255 	 * station. Include these parameters here and will check them in
8256 	 * cfg80211_check_station_change().
8257 	 */
8258 	if (info->attrs[NL80211_ATTR_STA_AID])
8259 		params.aid = nla_get_u16(info->attrs[NL80211_ATTR_STA_AID]);
8260 
8261 	if (info->attrs[NL80211_ATTR_VLAN_ID])
8262 		params.vlan_id = nla_get_u16(info->attrs[NL80211_ATTR_VLAN_ID]);
8263 
8264 	if (info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL])
8265 		params.listen_interval =
8266 		     nla_get_u16(info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL]);
8267 	else
8268 		params.listen_interval = -1;
8269 
8270 	if (info->attrs[NL80211_ATTR_STA_SUPPORT_P2P_PS])
8271 		params.support_p2p_ps =
8272 			nla_get_u8(info->attrs[NL80211_ATTR_STA_SUPPORT_P2P_PS]);
8273 	else
8274 		params.support_p2p_ps = -1;
8275 
8276 	if (!info->attrs[NL80211_ATTR_MAC])
8277 		return -EINVAL;
8278 
8279 	params.link_sta_params.link_id =
8280 		nl80211_link_id_or_invalid(info->attrs);
8281 
8282 	if (info->attrs[NL80211_ATTR_MLD_ADDR]) {
8283 		/* If MLD_ADDR attribute is set then this is an MLD station
8284 		 * and the MLD_ADDR attribute holds the MLD address and the
8285 		 * MAC attribute holds for the LINK address.
8286 		 * In that case, the link_id is also expected to be valid.
8287 		 */
8288 		if (params.link_sta_params.link_id < 0)
8289 			return -EINVAL;
8290 
8291 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MLD_ADDR]);
8292 		params.link_sta_params.mld_mac = mac_addr;
8293 		params.link_sta_params.link_mac =
8294 			nla_data(info->attrs[NL80211_ATTR_MAC]);
8295 		if (!is_valid_ether_addr(params.link_sta_params.link_mac))
8296 			return -EINVAL;
8297 	} else {
8298 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
8299 	}
8300 
8301 
8302 	if (info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]) {
8303 		params.link_sta_params.supported_rates =
8304 			nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
8305 		params.link_sta_params.supported_rates_len =
8306 			nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
8307 	}
8308 
8309 	if (info->attrs[NL80211_ATTR_STA_CAPABILITY]) {
8310 		params.capability =
8311 			nla_get_u16(info->attrs[NL80211_ATTR_STA_CAPABILITY]);
8312 		params.sta_modify_mask |= STATION_PARAM_APPLY_CAPABILITY;
8313 	}
8314 
8315 	if (info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]) {
8316 		params.ext_capab =
8317 			nla_data(info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]);
8318 		params.ext_capab_len =
8319 			nla_len(info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]);
8320 	}
8321 
8322 	if (parse_station_flags(info, dev->ieee80211_ptr->iftype, &params))
8323 		return -EINVAL;
8324 
8325 	if (info->attrs[NL80211_ATTR_STA_PLINK_ACTION])
8326 		params.plink_action =
8327 			nla_get_u8(info->attrs[NL80211_ATTR_STA_PLINK_ACTION]);
8328 
8329 	if (info->attrs[NL80211_ATTR_STA_PLINK_STATE]) {
8330 		params.plink_state =
8331 			nla_get_u8(info->attrs[NL80211_ATTR_STA_PLINK_STATE]);
8332 		if (info->attrs[NL80211_ATTR_MESH_PEER_AID])
8333 			params.peer_aid = nla_get_u16(
8334 				info->attrs[NL80211_ATTR_MESH_PEER_AID]);
8335 		params.sta_modify_mask |= STATION_PARAM_APPLY_PLINK_STATE;
8336 	}
8337 
8338 	if (info->attrs[NL80211_ATTR_LOCAL_MESH_POWER_MODE])
8339 		params.local_pm = nla_get_u32(
8340 			info->attrs[NL80211_ATTR_LOCAL_MESH_POWER_MODE]);
8341 
8342 	if (info->attrs[NL80211_ATTR_OPMODE_NOTIF]) {
8343 		params.link_sta_params.opmode_notif_used = true;
8344 		params.link_sta_params.opmode_notif =
8345 			nla_get_u8(info->attrs[NL80211_ATTR_OPMODE_NOTIF]);
8346 	}
8347 
8348 	if (info->attrs[NL80211_ATTR_HE_6GHZ_CAPABILITY])
8349 		params.link_sta_params.he_6ghz_capa =
8350 			nla_data(info->attrs[NL80211_ATTR_HE_6GHZ_CAPABILITY]);
8351 
8352 	if (info->attrs[NL80211_ATTR_EML_CAPABILITY]) {
8353 		params.eml_cap_present = true;
8354 		params.eml_cap =
8355 			nla_get_u16(info->attrs[NL80211_ATTR_EML_CAPABILITY]);
8356 	}
8357 
8358 	if (info->attrs[NL80211_ATTR_AIRTIME_WEIGHT])
8359 		params.airtime_weight =
8360 			nla_get_u16(info->attrs[NL80211_ATTR_AIRTIME_WEIGHT]);
8361 
8362 	if (params.airtime_weight &&
8363 	    !wiphy_ext_feature_isset(&rdev->wiphy,
8364 				     NL80211_EXT_FEATURE_AIRTIME_FAIRNESS))
8365 		return -EOPNOTSUPP;
8366 
8367 	err = nl80211_parse_sta_txpower_setting(info,
8368 						&params.link_sta_params.txpwr,
8369 						&params.link_sta_params.txpwr_set);
8370 	if (err)
8371 		return err;
8372 
8373 	/* Include parameters for TDLS peer (will check later) */
8374 	err = nl80211_set_station_tdls(info, &params);
8375 	if (err)
8376 		return err;
8377 
8378 	params.vlan = get_vlan(info, rdev);
8379 	if (IS_ERR(params.vlan))
8380 		return PTR_ERR(params.vlan);
8381 
8382 	switch (dev->ieee80211_ptr->iftype) {
8383 	case NL80211_IFTYPE_AP:
8384 	case NL80211_IFTYPE_AP_VLAN:
8385 	case NL80211_IFTYPE_P2P_GO:
8386 	case NL80211_IFTYPE_P2P_CLIENT:
8387 	case NL80211_IFTYPE_STATION:
8388 	case NL80211_IFTYPE_ADHOC:
8389 	case NL80211_IFTYPE_MESH_POINT:
8390 		break;
8391 	default:
8392 		err = -EOPNOTSUPP;
8393 		goto out_put_vlan;
8394 	}
8395 
8396 	/* driver will call cfg80211_check_station_change() */
8397 	err = rdev_change_station(rdev, dev, mac_addr, &params);
8398 
8399  out_put_vlan:
8400 	dev_put(params.vlan);
8401 
8402 	return err;
8403 }
8404 
8405 static int nl80211_new_station(struct sk_buff *skb, struct genl_info *info)
8406 {
8407 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8408 	int err;
8409 	struct net_device *dev = info->user_ptr[1];
8410 	struct wireless_dev *wdev = dev->ieee80211_ptr;
8411 	struct station_parameters params;
8412 	u8 *mac_addr = NULL;
8413 	u32 auth_assoc = BIT(NL80211_STA_FLAG_AUTHENTICATED) |
8414 			 BIT(NL80211_STA_FLAG_ASSOCIATED);
8415 
8416 	memset(&params, 0, sizeof(params));
8417 
8418 	if (!rdev->ops->add_station)
8419 		return -EOPNOTSUPP;
8420 
8421 	if (!info->attrs[NL80211_ATTR_MAC])
8422 		return -EINVAL;
8423 
8424 	if (!info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL])
8425 		return -EINVAL;
8426 
8427 	if (!info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES])
8428 		return -EINVAL;
8429 
8430 	if (!info->attrs[NL80211_ATTR_STA_AID] &&
8431 	    !info->attrs[NL80211_ATTR_PEER_AID])
8432 		return -EINVAL;
8433 
8434 	params.link_sta_params.link_id =
8435 		nl80211_link_id_or_invalid(info->attrs);
8436 
8437 	if (info->attrs[NL80211_ATTR_MLD_ADDR]) {
8438 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MLD_ADDR]);
8439 		params.link_sta_params.mld_mac = mac_addr;
8440 		params.link_sta_params.link_mac =
8441 			nla_data(info->attrs[NL80211_ATTR_MAC]);
8442 		if (!is_valid_ether_addr(params.link_sta_params.link_mac))
8443 			return -EINVAL;
8444 	} else {
8445 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
8446 	}
8447 
8448 	params.link_sta_params.supported_rates =
8449 		nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
8450 	params.link_sta_params.supported_rates_len =
8451 		nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
8452 	params.listen_interval =
8453 		nla_get_u16(info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL]);
8454 
8455 	if (info->attrs[NL80211_ATTR_VLAN_ID])
8456 		params.vlan_id = nla_get_u16(info->attrs[NL80211_ATTR_VLAN_ID]);
8457 
8458 	if (info->attrs[NL80211_ATTR_STA_SUPPORT_P2P_PS]) {
8459 		params.support_p2p_ps =
8460 			nla_get_u8(info->attrs[NL80211_ATTR_STA_SUPPORT_P2P_PS]);
8461 	} else {
8462 		/*
8463 		 * if not specified, assume it's supported for P2P GO interface,
8464 		 * and is NOT supported for AP interface
8465 		 */
8466 		params.support_p2p_ps =
8467 			dev->ieee80211_ptr->iftype == NL80211_IFTYPE_P2P_GO;
8468 	}
8469 
8470 	if (info->attrs[NL80211_ATTR_PEER_AID])
8471 		params.aid = nla_get_u16(info->attrs[NL80211_ATTR_PEER_AID]);
8472 	else
8473 		params.aid = nla_get_u16(info->attrs[NL80211_ATTR_STA_AID]);
8474 
8475 	if (info->attrs[NL80211_ATTR_STA_CAPABILITY]) {
8476 		params.capability =
8477 			nla_get_u16(info->attrs[NL80211_ATTR_STA_CAPABILITY]);
8478 		params.sta_modify_mask |= STATION_PARAM_APPLY_CAPABILITY;
8479 	}
8480 
8481 	if (info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]) {
8482 		params.ext_capab =
8483 			nla_data(info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]);
8484 		params.ext_capab_len =
8485 			nla_len(info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]);
8486 	}
8487 
8488 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY])
8489 		params.link_sta_params.ht_capa =
8490 			nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]);
8491 
8492 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY])
8493 		params.link_sta_params.vht_capa =
8494 			nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]);
8495 
8496 	if (info->attrs[NL80211_ATTR_HE_CAPABILITY]) {
8497 		params.link_sta_params.he_capa =
8498 			nla_data(info->attrs[NL80211_ATTR_HE_CAPABILITY]);
8499 		params.link_sta_params.he_capa_len =
8500 			nla_len(info->attrs[NL80211_ATTR_HE_CAPABILITY]);
8501 
8502 		if (info->attrs[NL80211_ATTR_EHT_CAPABILITY]) {
8503 			params.link_sta_params.eht_capa =
8504 				nla_data(info->attrs[NL80211_ATTR_EHT_CAPABILITY]);
8505 			params.link_sta_params.eht_capa_len =
8506 				nla_len(info->attrs[NL80211_ATTR_EHT_CAPABILITY]);
8507 
8508 			if (!ieee80211_eht_capa_size_ok((const u8 *)params.link_sta_params.he_capa,
8509 							(const u8 *)params.link_sta_params.eht_capa,
8510 							params.link_sta_params.eht_capa_len,
8511 							false))
8512 				return -EINVAL;
8513 		}
8514 	}
8515 
8516 	if (info->attrs[NL80211_ATTR_EML_CAPABILITY]) {
8517 		params.eml_cap_present = true;
8518 		params.eml_cap =
8519 			nla_get_u16(info->attrs[NL80211_ATTR_EML_CAPABILITY]);
8520 	}
8521 
8522 	if (info->attrs[NL80211_ATTR_HE_6GHZ_CAPABILITY])
8523 		params.link_sta_params.he_6ghz_capa =
8524 			nla_data(info->attrs[NL80211_ATTR_HE_6GHZ_CAPABILITY]);
8525 
8526 	if (info->attrs[NL80211_ATTR_S1G_CAPABILITY])
8527 		params.link_sta_params.s1g_capa =
8528 			nla_data(info->attrs[NL80211_ATTR_S1G_CAPABILITY]);
8529 
8530 	if (info->attrs[NL80211_ATTR_OPMODE_NOTIF]) {
8531 		params.link_sta_params.opmode_notif_used = true;
8532 		params.link_sta_params.opmode_notif =
8533 			nla_get_u8(info->attrs[NL80211_ATTR_OPMODE_NOTIF]);
8534 	}
8535 
8536 	if (info->attrs[NL80211_ATTR_STA_PLINK_ACTION])
8537 		params.plink_action =
8538 			nla_get_u8(info->attrs[NL80211_ATTR_STA_PLINK_ACTION]);
8539 
8540 	if (info->attrs[NL80211_ATTR_AIRTIME_WEIGHT])
8541 		params.airtime_weight =
8542 			nla_get_u16(info->attrs[NL80211_ATTR_AIRTIME_WEIGHT]);
8543 
8544 	if (params.airtime_weight &&
8545 	    !wiphy_ext_feature_isset(&rdev->wiphy,
8546 				     NL80211_EXT_FEATURE_AIRTIME_FAIRNESS))
8547 		return -EOPNOTSUPP;
8548 
8549 	err = nl80211_parse_sta_txpower_setting(info,
8550 						&params.link_sta_params.txpwr,
8551 						&params.link_sta_params.txpwr_set);
8552 	if (err)
8553 		return err;
8554 
8555 	err = nl80211_parse_sta_channel_info(info, &params);
8556 	if (err)
8557 		return err;
8558 
8559 	err = nl80211_parse_sta_wme(info, &params);
8560 	if (err)
8561 		return err;
8562 
8563 	if (parse_station_flags(info, dev->ieee80211_ptr->iftype, &params))
8564 		return -EINVAL;
8565 
8566 	/* HT/VHT requires QoS, but if we don't have that just ignore HT/VHT
8567 	 * as userspace might just pass through the capabilities from the IEs
8568 	 * directly, rather than enforcing this restriction and returning an
8569 	 * error in this case.
8570 	 */
8571 	if (!(params.sta_flags_set & BIT(NL80211_STA_FLAG_WME))) {
8572 		params.link_sta_params.ht_capa = NULL;
8573 		params.link_sta_params.vht_capa = NULL;
8574 
8575 		/* HE and EHT require WME */
8576 		if (params.link_sta_params.he_capa_len ||
8577 		    params.link_sta_params.he_6ghz_capa ||
8578 		    params.link_sta_params.eht_capa_len)
8579 			return -EINVAL;
8580 	}
8581 
8582 	/* Ensure that HT/VHT capabilities are not set for 6 GHz HE STA */
8583 	if (params.link_sta_params.he_6ghz_capa &&
8584 	    (params.link_sta_params.ht_capa || params.link_sta_params.vht_capa))
8585 		return -EINVAL;
8586 
8587 	/* When you run into this, adjust the code below for the new flag */
8588 	BUILD_BUG_ON(NL80211_STA_FLAG_MAX != 8);
8589 
8590 	switch (dev->ieee80211_ptr->iftype) {
8591 	case NL80211_IFTYPE_AP:
8592 	case NL80211_IFTYPE_AP_VLAN:
8593 	case NL80211_IFTYPE_P2P_GO:
8594 		/* ignore WME attributes if iface/sta is not capable */
8595 		if (!(rdev->wiphy.flags & WIPHY_FLAG_AP_UAPSD) ||
8596 		    !(params.sta_flags_set & BIT(NL80211_STA_FLAG_WME)))
8597 			params.sta_modify_mask &= ~STATION_PARAM_APPLY_UAPSD;
8598 
8599 		/* TDLS peers cannot be added */
8600 		if ((params.sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)) ||
8601 		    info->attrs[NL80211_ATTR_PEER_AID])
8602 			return -EINVAL;
8603 		/* but don't bother the driver with it */
8604 		params.sta_flags_mask &= ~BIT(NL80211_STA_FLAG_TDLS_PEER);
8605 
8606 		/* allow authenticated/associated only if driver handles it */
8607 		if (!(rdev->wiphy.features &
8608 				NL80211_FEATURE_FULL_AP_CLIENT_STATE) &&
8609 		    params.sta_flags_mask & auth_assoc)
8610 			return -EINVAL;
8611 
8612 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
8613 					     NL80211_EXT_FEATURE_SPP_AMSDU_SUPPORT) &&
8614 		    params.sta_flags_mask & BIT(NL80211_STA_FLAG_SPP_AMSDU))
8615 			return -EINVAL;
8616 
8617 		/* Older userspace, or userspace wanting to be compatible with
8618 		 * !NL80211_FEATURE_FULL_AP_CLIENT_STATE, will not set the auth
8619 		 * and assoc flags in the mask, but assumes the station will be
8620 		 * added as associated anyway since this was the required driver
8621 		 * behaviour before NL80211_FEATURE_FULL_AP_CLIENT_STATE was
8622 		 * introduced.
8623 		 * In order to not bother drivers with this quirk in the API
8624 		 * set the flags in both the mask and set for new stations in
8625 		 * this case.
8626 		 */
8627 		if (!(params.sta_flags_mask & auth_assoc)) {
8628 			params.sta_flags_mask |= auth_assoc;
8629 			params.sta_flags_set |= auth_assoc;
8630 		}
8631 
8632 		/* must be last in here for error handling */
8633 		params.vlan = get_vlan(info, rdev);
8634 		if (IS_ERR(params.vlan))
8635 			return PTR_ERR(params.vlan);
8636 		break;
8637 	case NL80211_IFTYPE_MESH_POINT:
8638 		/* ignore uAPSD data */
8639 		params.sta_modify_mask &= ~STATION_PARAM_APPLY_UAPSD;
8640 
8641 		/* associated is disallowed */
8642 		if (params.sta_flags_mask & BIT(NL80211_STA_FLAG_ASSOCIATED))
8643 			return -EINVAL;
8644 		/* TDLS peers cannot be added */
8645 		if ((params.sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)) ||
8646 		    info->attrs[NL80211_ATTR_PEER_AID])
8647 			return -EINVAL;
8648 		break;
8649 	case NL80211_IFTYPE_STATION:
8650 	case NL80211_IFTYPE_P2P_CLIENT:
8651 		/* ignore uAPSD data */
8652 		params.sta_modify_mask &= ~STATION_PARAM_APPLY_UAPSD;
8653 
8654 		/* these are disallowed */
8655 		if (params.sta_flags_mask &
8656 				(BIT(NL80211_STA_FLAG_ASSOCIATED) |
8657 				 BIT(NL80211_STA_FLAG_AUTHENTICATED)))
8658 			return -EINVAL;
8659 		/* Only TDLS peers can be added */
8660 		if (!(params.sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)))
8661 			return -EINVAL;
8662 		/* Can only add if TDLS ... */
8663 		if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS))
8664 			return -EOPNOTSUPP;
8665 		/* ... with external setup is supported */
8666 		if (!(rdev->wiphy.flags & WIPHY_FLAG_TDLS_EXTERNAL_SETUP))
8667 			return -EOPNOTSUPP;
8668 		/*
8669 		 * Older wpa_supplicant versions always mark the TDLS peer
8670 		 * as authorized, but it shouldn't yet be.
8671 		 */
8672 		params.sta_flags_mask &= ~BIT(NL80211_STA_FLAG_AUTHORIZED);
8673 		break;
8674 	default:
8675 		return -EOPNOTSUPP;
8676 	}
8677 
8678 	/* be aware of params.vlan when changing code here */
8679 
8680 	if (wdev->valid_links) {
8681 		if (params.link_sta_params.link_id < 0) {
8682 			err = -EINVAL;
8683 			goto out;
8684 		}
8685 		if (!(wdev->valid_links & BIT(params.link_sta_params.link_id))) {
8686 			err = -ENOLINK;
8687 			goto out;
8688 		}
8689 	} else {
8690 		if (params.link_sta_params.link_id >= 0) {
8691 			err = -EINVAL;
8692 			goto out;
8693 		}
8694 	}
8695 	err = rdev_add_station(rdev, dev, mac_addr, &params);
8696 out:
8697 	dev_put(params.vlan);
8698 	return err;
8699 }
8700 
8701 static int nl80211_del_station(struct sk_buff *skb, struct genl_info *info)
8702 {
8703 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8704 	struct net_device *dev = info->user_ptr[1];
8705 	struct wireless_dev *wdev = dev->ieee80211_ptr;
8706 	struct station_del_parameters params;
8707 	int link_id = nl80211_link_id_or_invalid(info->attrs);
8708 
8709 	memset(&params, 0, sizeof(params));
8710 
8711 	if (info->attrs[NL80211_ATTR_MAC])
8712 		params.mac = nla_data(info->attrs[NL80211_ATTR_MAC]);
8713 
8714 	switch (wdev->iftype) {
8715 	case NL80211_IFTYPE_AP:
8716 	case NL80211_IFTYPE_AP_VLAN:
8717 	case NL80211_IFTYPE_MESH_POINT:
8718 	case NL80211_IFTYPE_P2P_GO:
8719 		/* always accept these */
8720 		break;
8721 	case NL80211_IFTYPE_ADHOC:
8722 		/* conditionally accept */
8723 		if (wiphy_ext_feature_isset(&rdev->wiphy,
8724 					    NL80211_EXT_FEATURE_DEL_IBSS_STA))
8725 			break;
8726 		return -EINVAL;
8727 	default:
8728 		return -EINVAL;
8729 	}
8730 
8731 	if (!rdev->ops->del_station)
8732 		return -EOPNOTSUPP;
8733 
8734 	if (info->attrs[NL80211_ATTR_MGMT_SUBTYPE]) {
8735 		params.subtype =
8736 			nla_get_u8(info->attrs[NL80211_ATTR_MGMT_SUBTYPE]);
8737 		if (params.subtype != IEEE80211_STYPE_DISASSOC >> 4 &&
8738 		    params.subtype != IEEE80211_STYPE_DEAUTH >> 4)
8739 			return -EINVAL;
8740 	} else {
8741 		/* Default to Deauthentication frame */
8742 		params.subtype = IEEE80211_STYPE_DEAUTH >> 4;
8743 	}
8744 
8745 	if (info->attrs[NL80211_ATTR_REASON_CODE]) {
8746 		params.reason_code =
8747 			nla_get_u16(info->attrs[NL80211_ATTR_REASON_CODE]);
8748 		if (params.reason_code == 0)
8749 			return -EINVAL; /* 0 is reserved */
8750 	} else {
8751 		/* Default to reason code 2 */
8752 		params.reason_code = WLAN_REASON_PREV_AUTH_NOT_VALID;
8753 	}
8754 
8755 	/* Link ID not expected in case of non-ML operation */
8756 	if (!wdev->valid_links && link_id != -1)
8757 		return -EINVAL;
8758 
8759 	/* If given, a valid link ID should be passed during MLO */
8760 	if (wdev->valid_links && link_id >= 0 &&
8761 	    !(wdev->valid_links & BIT(link_id)))
8762 		return -EINVAL;
8763 
8764 	params.link_id = link_id;
8765 
8766 	return rdev_del_station(rdev, dev, &params);
8767 }
8768 
8769 static int nl80211_send_mpath(struct sk_buff *msg, u32 portid, u32 seq,
8770 				int flags, struct net_device *dev,
8771 				u8 *dst, u8 *next_hop,
8772 				struct mpath_info *pinfo)
8773 {
8774 	void *hdr;
8775 	struct nlattr *pinfoattr;
8776 
8777 	hdr = nl80211hdr_put(msg, portid, seq, flags, NL80211_CMD_NEW_MPATH);
8778 	if (!hdr)
8779 		return -1;
8780 
8781 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
8782 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, dst) ||
8783 	    nla_put(msg, NL80211_ATTR_MPATH_NEXT_HOP, ETH_ALEN, next_hop) ||
8784 	    nla_put_u32(msg, NL80211_ATTR_GENERATION, pinfo->generation))
8785 		goto nla_put_failure;
8786 
8787 	pinfoattr = nla_nest_start_noflag(msg, NL80211_ATTR_MPATH_INFO);
8788 	if (!pinfoattr)
8789 		goto nla_put_failure;
8790 	if ((pinfo->filled & MPATH_INFO_FRAME_QLEN) &&
8791 	    nla_put_u32(msg, NL80211_MPATH_INFO_FRAME_QLEN,
8792 			pinfo->frame_qlen))
8793 		goto nla_put_failure;
8794 	if (((pinfo->filled & MPATH_INFO_SN) &&
8795 	     nla_put_u32(msg, NL80211_MPATH_INFO_SN, pinfo->sn)) ||
8796 	    ((pinfo->filled & MPATH_INFO_METRIC) &&
8797 	     nla_put_u32(msg, NL80211_MPATH_INFO_METRIC,
8798 			 pinfo->metric)) ||
8799 	    ((pinfo->filled & MPATH_INFO_EXPTIME) &&
8800 	     nla_put_u32(msg, NL80211_MPATH_INFO_EXPTIME,
8801 			 pinfo->exptime)) ||
8802 	    ((pinfo->filled & MPATH_INFO_FLAGS) &&
8803 	     nla_put_u8(msg, NL80211_MPATH_INFO_FLAGS,
8804 			pinfo->flags)) ||
8805 	    ((pinfo->filled & MPATH_INFO_DISCOVERY_TIMEOUT) &&
8806 	     nla_put_u32(msg, NL80211_MPATH_INFO_DISCOVERY_TIMEOUT,
8807 			 pinfo->discovery_timeout)) ||
8808 	    ((pinfo->filled & MPATH_INFO_DISCOVERY_RETRIES) &&
8809 	     nla_put_u8(msg, NL80211_MPATH_INFO_DISCOVERY_RETRIES,
8810 			pinfo->discovery_retries)) ||
8811 	    ((pinfo->filled & MPATH_INFO_HOP_COUNT) &&
8812 	     nla_put_u8(msg, NL80211_MPATH_INFO_HOP_COUNT,
8813 			pinfo->hop_count)) ||
8814 	    ((pinfo->filled & MPATH_INFO_PATH_CHANGE) &&
8815 	     nla_put_u32(msg, NL80211_MPATH_INFO_PATH_CHANGE,
8816 			 pinfo->path_change_count)))
8817 		goto nla_put_failure;
8818 
8819 	nla_nest_end(msg, pinfoattr);
8820 
8821 	genlmsg_end(msg, hdr);
8822 	return 0;
8823 
8824  nla_put_failure:
8825 	genlmsg_cancel(msg, hdr);
8826 	return -EMSGSIZE;
8827 }
8828 
8829 static int nl80211_dump_mpath(struct sk_buff *skb,
8830 			      struct netlink_callback *cb)
8831 {
8832 	struct mpath_info pinfo;
8833 	struct cfg80211_registered_device *rdev;
8834 	struct wireless_dev *wdev;
8835 	u8 dst[ETH_ALEN];
8836 	u8 next_hop[ETH_ALEN];
8837 	int path_idx = cb->args[2];
8838 	int err;
8839 
8840 	err = nl80211_prepare_wdev_dump(cb, &rdev, &wdev, NULL);
8841 	if (err)
8842 		return err;
8843 	/* nl80211_prepare_wdev_dump acquired it in the successful case */
8844 	__acquire(&rdev->wiphy.mtx);
8845 
8846 	if (!rdev->ops->dump_mpath) {
8847 		err = -EOPNOTSUPP;
8848 		goto out_err;
8849 	}
8850 
8851 	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT) {
8852 		err = -EOPNOTSUPP;
8853 		goto out_err;
8854 	}
8855 
8856 	while (1) {
8857 		err = rdev_dump_mpath(rdev, wdev->netdev, path_idx, dst,
8858 				      next_hop, &pinfo);
8859 		if (err == -ENOENT)
8860 			break;
8861 		if (err)
8862 			goto out_err;
8863 
8864 		if (nl80211_send_mpath(skb, NETLINK_CB(cb->skb).portid,
8865 				       cb->nlh->nlmsg_seq, NLM_F_MULTI,
8866 				       wdev->netdev, dst, next_hop,
8867 				       &pinfo) < 0)
8868 			goto out;
8869 
8870 		path_idx++;
8871 	}
8872 
8873  out:
8874 	cb->args[2] = path_idx;
8875 	err = skb->len;
8876  out_err:
8877 	wiphy_unlock(&rdev->wiphy);
8878 	return err;
8879 }
8880 
8881 static int nl80211_get_mpath(struct sk_buff *skb, struct genl_info *info)
8882 {
8883 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8884 	int err;
8885 	struct net_device *dev = info->user_ptr[1];
8886 	struct mpath_info pinfo;
8887 	struct sk_buff *msg;
8888 	u8 *dst = NULL;
8889 	u8 next_hop[ETH_ALEN];
8890 
8891 	memset(&pinfo, 0, sizeof(pinfo));
8892 
8893 	if (!info->attrs[NL80211_ATTR_MAC])
8894 		return -EINVAL;
8895 
8896 	dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
8897 
8898 	if (!rdev->ops->get_mpath)
8899 		return -EOPNOTSUPP;
8900 
8901 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
8902 		return -EOPNOTSUPP;
8903 
8904 	err = rdev_get_mpath(rdev, dev, dst, next_hop, &pinfo);
8905 	if (err)
8906 		return err;
8907 
8908 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
8909 	if (!msg)
8910 		return -ENOMEM;
8911 
8912 	if (nl80211_send_mpath(msg, info->snd_portid, info->snd_seq, 0,
8913 				 dev, dst, next_hop, &pinfo) < 0) {
8914 		nlmsg_free(msg);
8915 		return -ENOBUFS;
8916 	}
8917 
8918 	return genlmsg_reply(msg, info);
8919 }
8920 
8921 static int nl80211_set_mpath(struct sk_buff *skb, struct genl_info *info)
8922 {
8923 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8924 	struct net_device *dev = info->user_ptr[1];
8925 	u8 *dst = NULL;
8926 	u8 *next_hop = NULL;
8927 
8928 	if (!info->attrs[NL80211_ATTR_MAC])
8929 		return -EINVAL;
8930 
8931 	if (!info->attrs[NL80211_ATTR_MPATH_NEXT_HOP])
8932 		return -EINVAL;
8933 
8934 	dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
8935 	next_hop = nla_data(info->attrs[NL80211_ATTR_MPATH_NEXT_HOP]);
8936 
8937 	if (!rdev->ops->change_mpath)
8938 		return -EOPNOTSUPP;
8939 
8940 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
8941 		return -EOPNOTSUPP;
8942 
8943 	return rdev_change_mpath(rdev, dev, dst, next_hop);
8944 }
8945 
8946 static int nl80211_new_mpath(struct sk_buff *skb, struct genl_info *info)
8947 {
8948 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8949 	struct net_device *dev = info->user_ptr[1];
8950 	u8 *dst = NULL;
8951 	u8 *next_hop = NULL;
8952 
8953 	if (!info->attrs[NL80211_ATTR_MAC])
8954 		return -EINVAL;
8955 
8956 	if (!info->attrs[NL80211_ATTR_MPATH_NEXT_HOP])
8957 		return -EINVAL;
8958 
8959 	dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
8960 	next_hop = nla_data(info->attrs[NL80211_ATTR_MPATH_NEXT_HOP]);
8961 
8962 	if (!rdev->ops->add_mpath)
8963 		return -EOPNOTSUPP;
8964 
8965 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
8966 		return -EOPNOTSUPP;
8967 
8968 	return rdev_add_mpath(rdev, dev, dst, next_hop);
8969 }
8970 
8971 static int nl80211_del_mpath(struct sk_buff *skb, struct genl_info *info)
8972 {
8973 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8974 	struct net_device *dev = info->user_ptr[1];
8975 	u8 *dst = NULL;
8976 
8977 	if (info->attrs[NL80211_ATTR_MAC])
8978 		dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
8979 
8980 	if (!rdev->ops->del_mpath)
8981 		return -EOPNOTSUPP;
8982 
8983 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
8984 		return -EOPNOTSUPP;
8985 
8986 	return rdev_del_mpath(rdev, dev, dst);
8987 }
8988 
8989 static int nl80211_get_mpp(struct sk_buff *skb, struct genl_info *info)
8990 {
8991 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8992 	int err;
8993 	struct net_device *dev = info->user_ptr[1];
8994 	struct mpath_info pinfo;
8995 	struct sk_buff *msg;
8996 	u8 *dst = NULL;
8997 	u8 mpp[ETH_ALEN];
8998 
8999 	memset(&pinfo, 0, sizeof(pinfo));
9000 
9001 	if (!info->attrs[NL80211_ATTR_MAC])
9002 		return -EINVAL;
9003 
9004 	dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
9005 
9006 	if (!rdev->ops->get_mpp)
9007 		return -EOPNOTSUPP;
9008 
9009 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
9010 		return -EOPNOTSUPP;
9011 
9012 	err = rdev_get_mpp(rdev, dev, dst, mpp, &pinfo);
9013 	if (err)
9014 		return err;
9015 
9016 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
9017 	if (!msg)
9018 		return -ENOMEM;
9019 
9020 	if (nl80211_send_mpath(msg, info->snd_portid, info->snd_seq, 0,
9021 			       dev, dst, mpp, &pinfo) < 0) {
9022 		nlmsg_free(msg);
9023 		return -ENOBUFS;
9024 	}
9025 
9026 	return genlmsg_reply(msg, info);
9027 }
9028 
9029 static int nl80211_dump_mpp(struct sk_buff *skb,
9030 			    struct netlink_callback *cb)
9031 {
9032 	struct mpath_info pinfo;
9033 	struct cfg80211_registered_device *rdev;
9034 	struct wireless_dev *wdev;
9035 	u8 dst[ETH_ALEN];
9036 	u8 mpp[ETH_ALEN];
9037 	int path_idx = cb->args[2];
9038 	int err;
9039 
9040 	err = nl80211_prepare_wdev_dump(cb, &rdev, &wdev, NULL);
9041 	if (err)
9042 		return err;
9043 	/* nl80211_prepare_wdev_dump acquired it in the successful case */
9044 	__acquire(&rdev->wiphy.mtx);
9045 
9046 	if (!rdev->ops->dump_mpp) {
9047 		err = -EOPNOTSUPP;
9048 		goto out_err;
9049 	}
9050 
9051 	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT) {
9052 		err = -EOPNOTSUPP;
9053 		goto out_err;
9054 	}
9055 
9056 	while (1) {
9057 		err = rdev_dump_mpp(rdev, wdev->netdev, path_idx, dst,
9058 				    mpp, &pinfo);
9059 		if (err == -ENOENT)
9060 			break;
9061 		if (err)
9062 			goto out_err;
9063 
9064 		if (nl80211_send_mpath(skb, NETLINK_CB(cb->skb).portid,
9065 				       cb->nlh->nlmsg_seq, NLM_F_MULTI,
9066 				       wdev->netdev, dst, mpp,
9067 				       &pinfo) < 0)
9068 			goto out;
9069 
9070 		path_idx++;
9071 	}
9072 
9073  out:
9074 	cb->args[2] = path_idx;
9075 	err = skb->len;
9076  out_err:
9077 	wiphy_unlock(&rdev->wiphy);
9078 	return err;
9079 }
9080 
9081 static int nl80211_set_bss(struct sk_buff *skb, struct genl_info *info)
9082 {
9083 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9084 	struct net_device *dev = info->user_ptr[1];
9085 	struct bss_parameters params;
9086 	u32 bss_param_support = rdev->wiphy.bss_param_support;
9087 	u32 changed = 0;
9088 	bool strict;
9089 
9090 	memset(&params, 0, sizeof(params));
9091 	params.link_id = nl80211_link_id_or_invalid(info->attrs);
9092 	/* default to not changing parameters */
9093 	params.use_cts_prot = -1;
9094 	params.use_short_preamble = -1;
9095 	params.use_short_slot_time = -1;
9096 	params.ap_isolate = -1;
9097 	params.ht_opmode = -1;
9098 	params.p2p_ctwindow = -1;
9099 	params.p2p_opp_ps = -1;
9100 
9101 	strict = nla_get_flag(info->attrs[NL80211_ATTR_BSS_PARAM]);
9102 	if (info->attrs[NL80211_ATTR_BSS_CTS_PROT]) {
9103 		if (strict && !(bss_param_support & WIPHY_BSS_PARAM_CTS_PROT))
9104 			return -EINVAL;
9105 		params.use_cts_prot =
9106 		    nla_get_u8(info->attrs[NL80211_ATTR_BSS_CTS_PROT]);
9107 		changed |= WIPHY_BSS_PARAM_CTS_PROT;
9108 	}
9109 	if (info->attrs[NL80211_ATTR_BSS_SHORT_PREAMBLE]) {
9110 		if (strict &&
9111 		    !(bss_param_support & WIPHY_BSS_PARAM_SHORT_PREAMBLE))
9112 			return -EINVAL;
9113 		params.use_short_preamble =
9114 		    nla_get_u8(info->attrs[NL80211_ATTR_BSS_SHORT_PREAMBLE]);
9115 		changed |= WIPHY_BSS_PARAM_SHORT_PREAMBLE;
9116 	}
9117 	if (info->attrs[NL80211_ATTR_BSS_SHORT_SLOT_TIME]) {
9118 		if (strict &&
9119 		    !(bss_param_support & WIPHY_BSS_PARAM_SHORT_SLOT_TIME))
9120 			return -EINVAL;
9121 		params.use_short_slot_time =
9122 		    nla_get_u8(info->attrs[NL80211_ATTR_BSS_SHORT_SLOT_TIME]);
9123 		changed |= WIPHY_BSS_PARAM_SHORT_SLOT_TIME;
9124 	}
9125 	if (info->attrs[NL80211_ATTR_BSS_BASIC_RATES]) {
9126 		if (strict &&
9127 		    !(bss_param_support & WIPHY_BSS_PARAM_BASIC_RATES))
9128 			return -EINVAL;
9129 		params.basic_rates =
9130 			nla_data(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
9131 		params.basic_rates_len =
9132 			nla_len(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
9133 		changed |= WIPHY_BSS_PARAM_BASIC_RATES;
9134 	}
9135 	if (info->attrs[NL80211_ATTR_AP_ISOLATE]) {
9136 		if (strict && !(bss_param_support & WIPHY_BSS_PARAM_AP_ISOLATE))
9137 			return -EINVAL;
9138 		params.ap_isolate =
9139 			!!nla_get_u8(info->attrs[NL80211_ATTR_AP_ISOLATE]);
9140 		changed |= WIPHY_BSS_PARAM_AP_ISOLATE;
9141 	}
9142 	if (info->attrs[NL80211_ATTR_BSS_HT_OPMODE]) {
9143 		if (strict && !(bss_param_support & WIPHY_BSS_PARAM_HT_OPMODE))
9144 			return -EINVAL;
9145 		params.ht_opmode =
9146 			nla_get_u16(info->attrs[NL80211_ATTR_BSS_HT_OPMODE]);
9147 		changed |= WIPHY_BSS_PARAM_HT_OPMODE;
9148 	}
9149 
9150 	if (info->attrs[NL80211_ATTR_P2P_CTWINDOW]) {
9151 		if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
9152 			return -EINVAL;
9153 		params.p2p_ctwindow =
9154 			nla_get_u8(info->attrs[NL80211_ATTR_P2P_CTWINDOW]);
9155 		if (params.p2p_ctwindow != 0 &&
9156 		    !(bss_param_support & WIPHY_BSS_PARAM_P2P_CTWINDOW))
9157 			return -EINVAL;
9158 		changed |= WIPHY_BSS_PARAM_P2P_CTWINDOW;
9159 	}
9160 
9161 	if (info->attrs[NL80211_ATTR_P2P_OPPPS]) {
9162 		u8 tmp;
9163 
9164 		if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
9165 			return -EINVAL;
9166 		tmp = nla_get_u8(info->attrs[NL80211_ATTR_P2P_OPPPS]);
9167 		if (tmp && !(bss_param_support & WIPHY_BSS_PARAM_P2P_OPPPS))
9168 			return -EINVAL;
9169 		params.p2p_opp_ps = tmp;
9170 		if (params.p2p_opp_ps &&
9171 		    !(rdev->wiphy.bss_param_support & WIPHY_BSS_PARAM_P2P_OPPPS))
9172 			return -EINVAL;
9173 	}
9174 
9175 	if (!rdev->ops->change_bss)
9176 		return -EOPNOTSUPP;
9177 
9178 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
9179 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
9180 		return -EOPNOTSUPP;
9181 
9182 	changed &= rdev->wiphy.bss_param_support;
9183 	if (!changed)
9184 		return 0;
9185 
9186 	return rdev_change_bss(rdev, dev, &params);
9187 }
9188 
9189 static int nl80211_req_set_reg(struct sk_buff *skb, struct genl_info *info)
9190 {
9191 	char *data = NULL;
9192 	bool is_indoor;
9193 	enum nl80211_user_reg_hint_type user_reg_hint_type;
9194 	u32 owner_nlportid;
9195 
9196 	/*
9197 	 * You should only get this when cfg80211 hasn't yet initialized
9198 	 * completely when built-in to the kernel right between the time
9199 	 * window between nl80211_init() and regulatory_init(), if that is
9200 	 * even possible.
9201 	 */
9202 	if (unlikely(!rcu_access_pointer(cfg80211_regdomain)))
9203 		return -EINPROGRESS;
9204 
9205 	user_reg_hint_type =
9206 		nla_get_u32_default(info->attrs[NL80211_ATTR_USER_REG_HINT_TYPE],
9207 				    NL80211_USER_REG_HINT_USER);
9208 
9209 	switch (user_reg_hint_type) {
9210 	case NL80211_USER_REG_HINT_USER:
9211 	case NL80211_USER_REG_HINT_CELL_BASE:
9212 		if (!info->attrs[NL80211_ATTR_REG_ALPHA2])
9213 			return -EINVAL;
9214 
9215 		data = nla_data(info->attrs[NL80211_ATTR_REG_ALPHA2]);
9216 		return regulatory_hint_user(data, user_reg_hint_type);
9217 	case NL80211_USER_REG_HINT_INDOOR:
9218 		if (info->attrs[NL80211_ATTR_SOCKET_OWNER]) {
9219 			owner_nlportid = info->snd_portid;
9220 			is_indoor = !!info->attrs[NL80211_ATTR_REG_INDOOR];
9221 		} else {
9222 			owner_nlportid = 0;
9223 			is_indoor = true;
9224 		}
9225 
9226 		regulatory_hint_indoor(is_indoor, owner_nlportid);
9227 		return 0;
9228 	default:
9229 		return -EINVAL;
9230 	}
9231 }
9232 
9233 static int nl80211_reload_regdb(struct sk_buff *skb, struct genl_info *info)
9234 {
9235 	return reg_reload_regdb();
9236 }
9237 
9238 static int nl80211_get_mesh_config(struct sk_buff *skb,
9239 				   struct genl_info *info)
9240 {
9241 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9242 	struct net_device *dev = info->user_ptr[1];
9243 	struct wireless_dev *wdev = dev->ieee80211_ptr;
9244 	struct mesh_config cur_params;
9245 	int err = 0;
9246 	void *hdr;
9247 	struct nlattr *pinfoattr;
9248 	struct sk_buff *msg;
9249 
9250 	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT)
9251 		return -EOPNOTSUPP;
9252 
9253 	if (!rdev->ops->get_mesh_config)
9254 		return -EOPNOTSUPP;
9255 
9256 	/* If not connected, get default parameters */
9257 	if (!wdev->u.mesh.id_len)
9258 		memcpy(&cur_params, &default_mesh_config, sizeof(cur_params));
9259 	else
9260 		err = rdev_get_mesh_config(rdev, dev, &cur_params);
9261 
9262 	if (err)
9263 		return err;
9264 
9265 	/* Draw up a netlink message to send back */
9266 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
9267 	if (!msg)
9268 		return -ENOMEM;
9269 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
9270 			     NL80211_CMD_GET_MESH_CONFIG);
9271 	if (!hdr)
9272 		goto out;
9273 	pinfoattr = nla_nest_start_noflag(msg, NL80211_ATTR_MESH_CONFIG);
9274 	if (!pinfoattr)
9275 		goto nla_put_failure;
9276 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
9277 	    nla_put_u16(msg, NL80211_MESHCONF_RETRY_TIMEOUT,
9278 			cur_params.dot11MeshRetryTimeout) ||
9279 	    nla_put_u16(msg, NL80211_MESHCONF_CONFIRM_TIMEOUT,
9280 			cur_params.dot11MeshConfirmTimeout) ||
9281 	    nla_put_u16(msg, NL80211_MESHCONF_HOLDING_TIMEOUT,
9282 			cur_params.dot11MeshHoldingTimeout) ||
9283 	    nla_put_u16(msg, NL80211_MESHCONF_MAX_PEER_LINKS,
9284 			cur_params.dot11MeshMaxPeerLinks) ||
9285 	    nla_put_u8(msg, NL80211_MESHCONF_MAX_RETRIES,
9286 		       cur_params.dot11MeshMaxRetries) ||
9287 	    nla_put_u8(msg, NL80211_MESHCONF_TTL,
9288 		       cur_params.dot11MeshTTL) ||
9289 	    nla_put_u8(msg, NL80211_MESHCONF_ELEMENT_TTL,
9290 		       cur_params.element_ttl) ||
9291 	    nla_put_u8(msg, NL80211_MESHCONF_AUTO_OPEN_PLINKS,
9292 		       cur_params.auto_open_plinks) ||
9293 	    nla_put_u32(msg, NL80211_MESHCONF_SYNC_OFFSET_MAX_NEIGHBOR,
9294 			cur_params.dot11MeshNbrOffsetMaxNeighbor) ||
9295 	    nla_put_u8(msg, NL80211_MESHCONF_HWMP_MAX_PREQ_RETRIES,
9296 		       cur_params.dot11MeshHWMPmaxPREQretries) ||
9297 	    nla_put_u32(msg, NL80211_MESHCONF_PATH_REFRESH_TIME,
9298 			cur_params.path_refresh_time) ||
9299 	    nla_put_u16(msg, NL80211_MESHCONF_MIN_DISCOVERY_TIMEOUT,
9300 			cur_params.min_discovery_timeout) ||
9301 	    nla_put_u32(msg, NL80211_MESHCONF_HWMP_ACTIVE_PATH_TIMEOUT,
9302 			cur_params.dot11MeshHWMPactivePathTimeout) ||
9303 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_PREQ_MIN_INTERVAL,
9304 			cur_params.dot11MeshHWMPpreqMinInterval) ||
9305 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_PERR_MIN_INTERVAL,
9306 			cur_params.dot11MeshHWMPperrMinInterval) ||
9307 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_NET_DIAM_TRVS_TIME,
9308 			cur_params.dot11MeshHWMPnetDiameterTraversalTime) ||
9309 	    nla_put_u8(msg, NL80211_MESHCONF_HWMP_ROOTMODE,
9310 		       cur_params.dot11MeshHWMPRootMode) ||
9311 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_RANN_INTERVAL,
9312 			cur_params.dot11MeshHWMPRannInterval) ||
9313 	    nla_put_u8(msg, NL80211_MESHCONF_GATE_ANNOUNCEMENTS,
9314 		       cur_params.dot11MeshGateAnnouncementProtocol) ||
9315 	    nla_put_u8(msg, NL80211_MESHCONF_FORWARDING,
9316 		       cur_params.dot11MeshForwarding) ||
9317 	    nla_put_s32(msg, NL80211_MESHCONF_RSSI_THRESHOLD,
9318 			cur_params.rssi_threshold) ||
9319 	    nla_put_u32(msg, NL80211_MESHCONF_HT_OPMODE,
9320 			cur_params.ht_opmode) ||
9321 	    nla_put_u32(msg, NL80211_MESHCONF_HWMP_PATH_TO_ROOT_TIMEOUT,
9322 			cur_params.dot11MeshHWMPactivePathToRootTimeout) ||
9323 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_ROOT_INTERVAL,
9324 			cur_params.dot11MeshHWMProotInterval) ||
9325 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_CONFIRMATION_INTERVAL,
9326 			cur_params.dot11MeshHWMPconfirmationInterval) ||
9327 	    nla_put_u32(msg, NL80211_MESHCONF_POWER_MODE,
9328 			cur_params.power_mode) ||
9329 	    nla_put_u16(msg, NL80211_MESHCONF_AWAKE_WINDOW,
9330 			cur_params.dot11MeshAwakeWindowDuration) ||
9331 	    nla_put_u32(msg, NL80211_MESHCONF_PLINK_TIMEOUT,
9332 			cur_params.plink_timeout) ||
9333 	    nla_put_u8(msg, NL80211_MESHCONF_CONNECTED_TO_GATE,
9334 		       cur_params.dot11MeshConnectedToMeshGate) ||
9335 	    nla_put_u8(msg, NL80211_MESHCONF_NOLEARN,
9336 		       cur_params.dot11MeshNolearn) ||
9337 	    nla_put_u8(msg, NL80211_MESHCONF_CONNECTED_TO_AS,
9338 		       cur_params.dot11MeshConnectedToAuthServer))
9339 		goto nla_put_failure;
9340 	nla_nest_end(msg, pinfoattr);
9341 	genlmsg_end(msg, hdr);
9342 	return genlmsg_reply(msg, info);
9343 
9344  nla_put_failure:
9345  out:
9346 	nlmsg_free(msg);
9347 	return -ENOBUFS;
9348 }
9349 
9350 static const struct nla_policy
9351 nl80211_meshconf_params_policy[NL80211_MESHCONF_ATTR_MAX+1] = {
9352 	[NL80211_MESHCONF_RETRY_TIMEOUT] =
9353 		NLA_POLICY_RANGE(NLA_U16, 1, 255),
9354 	[NL80211_MESHCONF_CONFIRM_TIMEOUT] =
9355 		NLA_POLICY_RANGE(NLA_U16, 1, 255),
9356 	[NL80211_MESHCONF_HOLDING_TIMEOUT] =
9357 		NLA_POLICY_RANGE(NLA_U16, 1, 255),
9358 	[NL80211_MESHCONF_MAX_PEER_LINKS] =
9359 		NLA_POLICY_RANGE(NLA_U16, 0, 255),
9360 	[NL80211_MESHCONF_MAX_RETRIES] = NLA_POLICY_MAX(NLA_U8, 16),
9361 	[NL80211_MESHCONF_TTL] = NLA_POLICY_MIN(NLA_U8, 1),
9362 	[NL80211_MESHCONF_ELEMENT_TTL] = NLA_POLICY_MIN(NLA_U8, 1),
9363 	[NL80211_MESHCONF_AUTO_OPEN_PLINKS] = NLA_POLICY_MAX(NLA_U8, 1),
9364 	[NL80211_MESHCONF_SYNC_OFFSET_MAX_NEIGHBOR] =
9365 		NLA_POLICY_RANGE(NLA_U32, 1, 255),
9366 	[NL80211_MESHCONF_HWMP_MAX_PREQ_RETRIES] = { .type = NLA_U8 },
9367 	[NL80211_MESHCONF_PATH_REFRESH_TIME] = { .type = NLA_U32 },
9368 	[NL80211_MESHCONF_MIN_DISCOVERY_TIMEOUT] = NLA_POLICY_MIN(NLA_U16, 1),
9369 	[NL80211_MESHCONF_HWMP_ACTIVE_PATH_TIMEOUT] = { .type = NLA_U32 },
9370 	[NL80211_MESHCONF_HWMP_PREQ_MIN_INTERVAL] =
9371 		NLA_POLICY_MIN(NLA_U16, 1),
9372 	[NL80211_MESHCONF_HWMP_PERR_MIN_INTERVAL] =
9373 		NLA_POLICY_MIN(NLA_U16, 1),
9374 	[NL80211_MESHCONF_HWMP_NET_DIAM_TRVS_TIME] =
9375 		NLA_POLICY_MIN(NLA_U16, 1),
9376 	[NL80211_MESHCONF_HWMP_ROOTMODE] = NLA_POLICY_MAX(NLA_U8, 4),
9377 	[NL80211_MESHCONF_HWMP_RANN_INTERVAL] =
9378 		NLA_POLICY_MIN(NLA_U16, 1),
9379 	[NL80211_MESHCONF_GATE_ANNOUNCEMENTS] = NLA_POLICY_MAX(NLA_U8, 1),
9380 	[NL80211_MESHCONF_FORWARDING] = NLA_POLICY_MAX(NLA_U8, 1),
9381 	[NL80211_MESHCONF_RSSI_THRESHOLD] =
9382 		NLA_POLICY_RANGE(NLA_S32, -255, 0),
9383 	[NL80211_MESHCONF_HT_OPMODE] = { .type = NLA_U16 },
9384 	[NL80211_MESHCONF_HWMP_PATH_TO_ROOT_TIMEOUT] = { .type = NLA_U32 },
9385 	[NL80211_MESHCONF_HWMP_ROOT_INTERVAL] =
9386 		NLA_POLICY_MIN(NLA_U16, 1),
9387 	[NL80211_MESHCONF_HWMP_CONFIRMATION_INTERVAL] =
9388 		NLA_POLICY_MIN(NLA_U16, 1),
9389 	[NL80211_MESHCONF_POWER_MODE] =
9390 		NLA_POLICY_RANGE(NLA_U32,
9391 				 NL80211_MESH_POWER_ACTIVE,
9392 				 NL80211_MESH_POWER_MAX),
9393 	[NL80211_MESHCONF_AWAKE_WINDOW] = { .type = NLA_U16 },
9394 	[NL80211_MESHCONF_PLINK_TIMEOUT] = { .type = NLA_U32 },
9395 	[NL80211_MESHCONF_CONNECTED_TO_GATE] = NLA_POLICY_RANGE(NLA_U8, 0, 1),
9396 	[NL80211_MESHCONF_NOLEARN] = NLA_POLICY_RANGE(NLA_U8, 0, 1),
9397 	[NL80211_MESHCONF_CONNECTED_TO_AS] = NLA_POLICY_RANGE(NLA_U8, 0, 1),
9398 };
9399 
9400 static const struct nla_policy
9401 	nl80211_mesh_setup_params_policy[NL80211_MESH_SETUP_ATTR_MAX+1] = {
9402 	[NL80211_MESH_SETUP_ENABLE_VENDOR_SYNC] = { .type = NLA_U8 },
9403 	[NL80211_MESH_SETUP_ENABLE_VENDOR_PATH_SEL] = { .type = NLA_U8 },
9404 	[NL80211_MESH_SETUP_ENABLE_VENDOR_METRIC] = { .type = NLA_U8 },
9405 	[NL80211_MESH_SETUP_USERSPACE_AUTH] = { .type = NLA_FLAG },
9406 	[NL80211_MESH_SETUP_AUTH_PROTOCOL] = { .type = NLA_U8 },
9407 	[NL80211_MESH_SETUP_USERSPACE_MPM] = { .type = NLA_FLAG },
9408 	[NL80211_MESH_SETUP_IE] =
9409 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_ie_attr,
9410 				       IEEE80211_MAX_DATA_LEN),
9411 	[NL80211_MESH_SETUP_USERSPACE_AMPE] = { .type = NLA_FLAG },
9412 };
9413 
9414 static int nl80211_parse_mesh_config(struct genl_info *info,
9415 				     struct mesh_config *cfg,
9416 				     u32 *mask_out)
9417 {
9418 	struct nlattr *tb[NL80211_MESHCONF_ATTR_MAX + 1];
9419 	u32 mask = 0;
9420 	u16 ht_opmode;
9421 
9422 #define FILL_IN_MESH_PARAM_IF_SET(tb, cfg, param, mask, attr, fn)	\
9423 do {									\
9424 	if (tb[attr]) {							\
9425 		cfg->param = fn(tb[attr]);				\
9426 		mask |= BIT((attr) - 1);				\
9427 	}								\
9428 } while (0)
9429 
9430 	if (!info->attrs[NL80211_ATTR_MESH_CONFIG])
9431 		return -EINVAL;
9432 	if (nla_parse_nested_deprecated(tb, NL80211_MESHCONF_ATTR_MAX, info->attrs[NL80211_ATTR_MESH_CONFIG], nl80211_meshconf_params_policy, info->extack))
9433 		return -EINVAL;
9434 
9435 	/* This makes sure that there aren't more than 32 mesh config
9436 	 * parameters (otherwise our bitfield scheme would not work.) */
9437 	BUILD_BUG_ON(NL80211_MESHCONF_ATTR_MAX > 32);
9438 
9439 	/* Fill in the params struct */
9440 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshRetryTimeout, mask,
9441 				  NL80211_MESHCONF_RETRY_TIMEOUT, nla_get_u16);
9442 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshConfirmTimeout, mask,
9443 				  NL80211_MESHCONF_CONFIRM_TIMEOUT,
9444 				  nla_get_u16);
9445 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHoldingTimeout, mask,
9446 				  NL80211_MESHCONF_HOLDING_TIMEOUT,
9447 				  nla_get_u16);
9448 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshMaxPeerLinks, mask,
9449 				  NL80211_MESHCONF_MAX_PEER_LINKS,
9450 				  nla_get_u16);
9451 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshMaxRetries, mask,
9452 				  NL80211_MESHCONF_MAX_RETRIES, nla_get_u8);
9453 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshTTL, mask,
9454 				  NL80211_MESHCONF_TTL, nla_get_u8);
9455 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, element_ttl, mask,
9456 				  NL80211_MESHCONF_ELEMENT_TTL, nla_get_u8);
9457 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, auto_open_plinks, mask,
9458 				  NL80211_MESHCONF_AUTO_OPEN_PLINKS,
9459 				  nla_get_u8);
9460 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshNbrOffsetMaxNeighbor,
9461 				  mask,
9462 				  NL80211_MESHCONF_SYNC_OFFSET_MAX_NEIGHBOR,
9463 				  nla_get_u32);
9464 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPmaxPREQretries, mask,
9465 				  NL80211_MESHCONF_HWMP_MAX_PREQ_RETRIES,
9466 				  nla_get_u8);
9467 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, path_refresh_time, mask,
9468 				  NL80211_MESHCONF_PATH_REFRESH_TIME,
9469 				  nla_get_u32);
9470 	if (mask & BIT(NL80211_MESHCONF_PATH_REFRESH_TIME) &&
9471 	    (cfg->path_refresh_time < 1 || cfg->path_refresh_time > 65535))
9472 		return -EINVAL;
9473 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, min_discovery_timeout, mask,
9474 				  NL80211_MESHCONF_MIN_DISCOVERY_TIMEOUT,
9475 				  nla_get_u16);
9476 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPactivePathTimeout,
9477 				  mask,
9478 				  NL80211_MESHCONF_HWMP_ACTIVE_PATH_TIMEOUT,
9479 				  nla_get_u32);
9480 	if (mask & BIT(NL80211_MESHCONF_HWMP_ACTIVE_PATH_TIMEOUT) &&
9481 	    (cfg->dot11MeshHWMPactivePathTimeout < 1 ||
9482 	     cfg->dot11MeshHWMPactivePathTimeout > 65535))
9483 		return -EINVAL;
9484 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPpreqMinInterval, mask,
9485 				  NL80211_MESHCONF_HWMP_PREQ_MIN_INTERVAL,
9486 				  nla_get_u16);
9487 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPperrMinInterval, mask,
9488 				  NL80211_MESHCONF_HWMP_PERR_MIN_INTERVAL,
9489 				  nla_get_u16);
9490 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg,
9491 				  dot11MeshHWMPnetDiameterTraversalTime, mask,
9492 				  NL80211_MESHCONF_HWMP_NET_DIAM_TRVS_TIME,
9493 				  nla_get_u16);
9494 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPRootMode, mask,
9495 				  NL80211_MESHCONF_HWMP_ROOTMODE, nla_get_u8);
9496 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPRannInterval, mask,
9497 				  NL80211_MESHCONF_HWMP_RANN_INTERVAL,
9498 				  nla_get_u16);
9499 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshGateAnnouncementProtocol,
9500 				  mask, NL80211_MESHCONF_GATE_ANNOUNCEMENTS,
9501 				  nla_get_u8);
9502 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshForwarding, mask,
9503 				  NL80211_MESHCONF_FORWARDING, nla_get_u8);
9504 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, rssi_threshold, mask,
9505 				  NL80211_MESHCONF_RSSI_THRESHOLD,
9506 				  nla_get_s32);
9507 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshConnectedToMeshGate, mask,
9508 				  NL80211_MESHCONF_CONNECTED_TO_GATE,
9509 				  nla_get_u8);
9510 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshConnectedToAuthServer, mask,
9511 				  NL80211_MESHCONF_CONNECTED_TO_AS,
9512 				  nla_get_u8);
9513 	/*
9514 	 * Check HT operation mode based on
9515 	 * IEEE 802.11-2016 9.4.2.57 HT Operation element.
9516 	 */
9517 	if (tb[NL80211_MESHCONF_HT_OPMODE]) {
9518 		ht_opmode = nla_get_u16(tb[NL80211_MESHCONF_HT_OPMODE]);
9519 
9520 		if (ht_opmode & ~(IEEE80211_HT_OP_MODE_PROTECTION |
9521 				  IEEE80211_HT_OP_MODE_NON_GF_STA_PRSNT |
9522 				  IEEE80211_HT_OP_MODE_NON_HT_STA_PRSNT))
9523 			return -EINVAL;
9524 
9525 		/* NON_HT_STA bit is reserved, but some programs set it */
9526 		ht_opmode &= ~IEEE80211_HT_OP_MODE_NON_HT_STA_PRSNT;
9527 
9528 		cfg->ht_opmode = ht_opmode;
9529 		mask |= (1 << (NL80211_MESHCONF_HT_OPMODE - 1));
9530 	}
9531 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg,
9532 				  dot11MeshHWMPactivePathToRootTimeout, mask,
9533 				  NL80211_MESHCONF_HWMP_PATH_TO_ROOT_TIMEOUT,
9534 				  nla_get_u32);
9535 	if (mask & BIT(NL80211_MESHCONF_HWMP_PATH_TO_ROOT_TIMEOUT) &&
9536 	    (cfg->dot11MeshHWMPactivePathToRootTimeout < 1 ||
9537 	     cfg->dot11MeshHWMPactivePathToRootTimeout > 65535))
9538 		return -EINVAL;
9539 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMProotInterval, mask,
9540 				  NL80211_MESHCONF_HWMP_ROOT_INTERVAL,
9541 				  nla_get_u16);
9542 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPconfirmationInterval,
9543 				  mask,
9544 				  NL80211_MESHCONF_HWMP_CONFIRMATION_INTERVAL,
9545 				  nla_get_u16);
9546 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, power_mode, mask,
9547 				  NL80211_MESHCONF_POWER_MODE, nla_get_u32);
9548 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshAwakeWindowDuration, mask,
9549 				  NL80211_MESHCONF_AWAKE_WINDOW, nla_get_u16);
9550 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, plink_timeout, mask,
9551 				  NL80211_MESHCONF_PLINK_TIMEOUT, nla_get_u32);
9552 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshNolearn, mask,
9553 				  NL80211_MESHCONF_NOLEARN, nla_get_u8);
9554 	if (mask_out)
9555 		*mask_out = mask;
9556 
9557 	return 0;
9558 
9559 #undef FILL_IN_MESH_PARAM_IF_SET
9560 }
9561 
9562 static int nl80211_parse_mesh_setup(struct genl_info *info,
9563 				     struct mesh_setup *setup)
9564 {
9565 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9566 	struct nlattr *tb[NL80211_MESH_SETUP_ATTR_MAX + 1];
9567 
9568 	if (!info->attrs[NL80211_ATTR_MESH_SETUP])
9569 		return -EINVAL;
9570 	if (nla_parse_nested_deprecated(tb, NL80211_MESH_SETUP_ATTR_MAX, info->attrs[NL80211_ATTR_MESH_SETUP], nl80211_mesh_setup_params_policy, info->extack))
9571 		return -EINVAL;
9572 
9573 	if (tb[NL80211_MESH_SETUP_ENABLE_VENDOR_SYNC])
9574 		setup->sync_method =
9575 		(nla_get_u8(tb[NL80211_MESH_SETUP_ENABLE_VENDOR_SYNC])) ?
9576 		 IEEE80211_SYNC_METHOD_VENDOR :
9577 		 IEEE80211_SYNC_METHOD_NEIGHBOR_OFFSET;
9578 
9579 	if (tb[NL80211_MESH_SETUP_ENABLE_VENDOR_PATH_SEL])
9580 		setup->path_sel_proto =
9581 		(nla_get_u8(tb[NL80211_MESH_SETUP_ENABLE_VENDOR_PATH_SEL])) ?
9582 		 IEEE80211_PATH_PROTOCOL_VENDOR :
9583 		 IEEE80211_PATH_PROTOCOL_HWMP;
9584 
9585 	if (tb[NL80211_MESH_SETUP_ENABLE_VENDOR_METRIC])
9586 		setup->path_metric =
9587 		(nla_get_u8(tb[NL80211_MESH_SETUP_ENABLE_VENDOR_METRIC])) ?
9588 		 IEEE80211_PATH_METRIC_VENDOR :
9589 		 IEEE80211_PATH_METRIC_AIRTIME;
9590 
9591 	if (tb[NL80211_MESH_SETUP_IE]) {
9592 		struct nlattr *ieattr =
9593 			tb[NL80211_MESH_SETUP_IE];
9594 		setup->ie = nla_data(ieattr);
9595 		setup->ie_len = nla_len(ieattr);
9596 	}
9597 	if (tb[NL80211_MESH_SETUP_USERSPACE_MPM] &&
9598 	    !(rdev->wiphy.features & NL80211_FEATURE_USERSPACE_MPM))
9599 		return -EINVAL;
9600 	setup->user_mpm = nla_get_flag(tb[NL80211_MESH_SETUP_USERSPACE_MPM]);
9601 	setup->is_authenticated = nla_get_flag(tb[NL80211_MESH_SETUP_USERSPACE_AUTH]);
9602 	setup->is_secure = nla_get_flag(tb[NL80211_MESH_SETUP_USERSPACE_AMPE]);
9603 	if (setup->is_secure)
9604 		setup->user_mpm = true;
9605 
9606 	if (tb[NL80211_MESH_SETUP_AUTH_PROTOCOL]) {
9607 		if (!setup->user_mpm)
9608 			return -EINVAL;
9609 		setup->auth_id =
9610 			nla_get_u8(tb[NL80211_MESH_SETUP_AUTH_PROTOCOL]);
9611 	}
9612 
9613 	return 0;
9614 }
9615 
9616 static int nl80211_update_mesh_config(struct sk_buff *skb,
9617 				      struct genl_info *info)
9618 {
9619 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9620 	struct net_device *dev = info->user_ptr[1];
9621 	struct wireless_dev *wdev = dev->ieee80211_ptr;
9622 	struct mesh_config cfg = {};
9623 	u32 mask;
9624 	int err;
9625 
9626 	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT)
9627 		return -EOPNOTSUPP;
9628 
9629 	if (!rdev->ops->update_mesh_config)
9630 		return -EOPNOTSUPP;
9631 
9632 	err = nl80211_parse_mesh_config(info, &cfg, &mask);
9633 	if (err)
9634 		return err;
9635 
9636 	if (!wdev->u.mesh.id_len)
9637 		err = -ENOLINK;
9638 
9639 	if (!err)
9640 		err = rdev_update_mesh_config(rdev, dev, mask, &cfg);
9641 
9642 	return err;
9643 }
9644 
9645 static int nl80211_put_regdom(const struct ieee80211_regdomain *regdom,
9646 			      struct sk_buff *msg)
9647 {
9648 	struct nlattr *nl_reg_rules;
9649 	unsigned int i;
9650 
9651 	if (nla_put_string(msg, NL80211_ATTR_REG_ALPHA2, regdom->alpha2) ||
9652 	    (regdom->dfs_region &&
9653 	     nla_put_u8(msg, NL80211_ATTR_DFS_REGION, regdom->dfs_region)))
9654 		goto nla_put_failure;
9655 
9656 	nl_reg_rules = nla_nest_start_noflag(msg, NL80211_ATTR_REG_RULES);
9657 	if (!nl_reg_rules)
9658 		goto nla_put_failure;
9659 
9660 	for (i = 0; i < regdom->n_reg_rules; i++) {
9661 		struct nlattr *nl_reg_rule;
9662 		const struct ieee80211_reg_rule *reg_rule;
9663 		const struct ieee80211_freq_range *freq_range;
9664 		const struct ieee80211_power_rule *power_rule;
9665 		unsigned int max_bandwidth_khz;
9666 
9667 		reg_rule = &regdom->reg_rules[i];
9668 		freq_range = &reg_rule->freq_range;
9669 		power_rule = &reg_rule->power_rule;
9670 
9671 		nl_reg_rule = nla_nest_start_noflag(msg, i);
9672 		if (!nl_reg_rule)
9673 			goto nla_put_failure;
9674 
9675 		max_bandwidth_khz = freq_range->max_bandwidth_khz;
9676 		if (!max_bandwidth_khz)
9677 			max_bandwidth_khz = reg_get_max_bandwidth(regdom,
9678 								  reg_rule);
9679 
9680 		if (nla_put_u32(msg, NL80211_ATTR_REG_RULE_FLAGS,
9681 				reg_rule->flags) ||
9682 		    nla_put_u32(msg, NL80211_ATTR_FREQ_RANGE_START,
9683 				freq_range->start_freq_khz) ||
9684 		    nla_put_u32(msg, NL80211_ATTR_FREQ_RANGE_END,
9685 				freq_range->end_freq_khz) ||
9686 		    nla_put_u32(msg, NL80211_ATTR_FREQ_RANGE_MAX_BW,
9687 				max_bandwidth_khz) ||
9688 		    nla_put_u32(msg, NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN,
9689 				power_rule->max_antenna_gain) ||
9690 		    nla_put_u32(msg, NL80211_ATTR_POWER_RULE_MAX_EIRP,
9691 				power_rule->max_eirp) ||
9692 		    nla_put_u32(msg, NL80211_ATTR_DFS_CAC_TIME,
9693 				reg_rule->dfs_cac_ms))
9694 			goto nla_put_failure;
9695 
9696 		if ((reg_rule->flags & NL80211_RRF_PSD) &&
9697 		    nla_put_s8(msg, NL80211_ATTR_POWER_RULE_PSD,
9698 			       reg_rule->psd))
9699 			goto nla_put_failure;
9700 
9701 		nla_nest_end(msg, nl_reg_rule);
9702 	}
9703 
9704 	nla_nest_end(msg, nl_reg_rules);
9705 	return 0;
9706 
9707 nla_put_failure:
9708 	return -EMSGSIZE;
9709 }
9710 
9711 static int nl80211_get_reg_do(struct sk_buff *skb, struct genl_info *info)
9712 {
9713 	const struct ieee80211_regdomain *regdom = NULL;
9714 	struct cfg80211_registered_device *rdev;
9715 	struct wiphy *wiphy = NULL;
9716 	struct sk_buff *msg;
9717 	int err = -EMSGSIZE;
9718 	void *hdr;
9719 
9720 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
9721 	if (!msg)
9722 		return -ENOBUFS;
9723 
9724 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
9725 			     NL80211_CMD_GET_REG);
9726 	if (!hdr)
9727 		goto put_failure;
9728 
9729 	rtnl_lock();
9730 
9731 	if (info->attrs[NL80211_ATTR_WIPHY]) {
9732 		bool self_managed;
9733 
9734 		rdev = cfg80211_get_dev_from_info(genl_info_net(info), info);
9735 		if (IS_ERR(rdev)) {
9736 			err = PTR_ERR(rdev);
9737 			goto nla_put_failure;
9738 		}
9739 
9740 		wiphy = &rdev->wiphy;
9741 		self_managed = wiphy->regulatory_flags &
9742 			       REGULATORY_WIPHY_SELF_MANAGED;
9743 
9744 		rcu_read_lock();
9745 
9746 		regdom = get_wiphy_regdom(wiphy);
9747 
9748 		/* a self-managed-reg device must have a private regdom */
9749 		if (WARN_ON(!regdom && self_managed)) {
9750 			err = -EINVAL;
9751 			goto nla_put_failure_rcu;
9752 		}
9753 
9754 		if (regdom &&
9755 		    nla_put_u32(msg, NL80211_ATTR_WIPHY, get_wiphy_idx(wiphy)))
9756 			goto nla_put_failure_rcu;
9757 	} else {
9758 		rcu_read_lock();
9759 	}
9760 
9761 	if (!wiphy && reg_last_request_cell_base() &&
9762 	    nla_put_u32(msg, NL80211_ATTR_USER_REG_HINT_TYPE,
9763 			NL80211_USER_REG_HINT_CELL_BASE))
9764 		goto nla_put_failure_rcu;
9765 
9766 	if (!regdom)
9767 		regdom = rcu_dereference(cfg80211_regdomain);
9768 
9769 	if (nl80211_put_regdom(regdom, msg))
9770 		goto nla_put_failure_rcu;
9771 
9772 	rcu_read_unlock();
9773 
9774 	genlmsg_end(msg, hdr);
9775 	rtnl_unlock();
9776 	return genlmsg_reply(msg, info);
9777 
9778 nla_put_failure_rcu:
9779 	rcu_read_unlock();
9780 nla_put_failure:
9781 	rtnl_unlock();
9782 put_failure:
9783 	nlmsg_free(msg);
9784 	return err;
9785 }
9786 
9787 static int nl80211_send_regdom(struct sk_buff *msg, struct netlink_callback *cb,
9788 			       u32 seq, int flags, struct wiphy *wiphy,
9789 			       const struct ieee80211_regdomain *regdom)
9790 {
9791 	void *hdr = nl80211hdr_put(msg, NETLINK_CB(cb->skb).portid, seq, flags,
9792 				   NL80211_CMD_GET_REG);
9793 
9794 	if (!hdr)
9795 		return -1;
9796 
9797 	genl_dump_check_consistent(cb, hdr);
9798 
9799 	if (nl80211_put_regdom(regdom, msg))
9800 		goto nla_put_failure;
9801 
9802 	if (!wiphy && reg_last_request_cell_base() &&
9803 	    nla_put_u32(msg, NL80211_ATTR_USER_REG_HINT_TYPE,
9804 			NL80211_USER_REG_HINT_CELL_BASE))
9805 		goto nla_put_failure;
9806 
9807 	if (wiphy &&
9808 	    nla_put_u32(msg, NL80211_ATTR_WIPHY, get_wiphy_idx(wiphy)))
9809 		goto nla_put_failure;
9810 
9811 	if (wiphy && wiphy->regulatory_flags & REGULATORY_WIPHY_SELF_MANAGED &&
9812 	    nla_put_flag(msg, NL80211_ATTR_WIPHY_SELF_MANAGED_REG))
9813 		goto nla_put_failure;
9814 
9815 	genlmsg_end(msg, hdr);
9816 	return 0;
9817 
9818 nla_put_failure:
9819 	genlmsg_cancel(msg, hdr);
9820 	return -EMSGSIZE;
9821 }
9822 
9823 static int nl80211_get_reg_dump(struct sk_buff *skb,
9824 				struct netlink_callback *cb)
9825 {
9826 	const struct ieee80211_regdomain *regdom = NULL;
9827 	struct cfg80211_registered_device *rdev;
9828 	int err, reg_idx, start = cb->args[2];
9829 
9830 	rcu_read_lock();
9831 
9832 	if (cfg80211_regdomain && start == 0) {
9833 		err = nl80211_send_regdom(skb, cb, cb->nlh->nlmsg_seq,
9834 					  NLM_F_MULTI, NULL,
9835 					  rcu_dereference(cfg80211_regdomain));
9836 		if (err < 0)
9837 			goto out_err;
9838 	}
9839 
9840 	/* the global regdom is idx 0 */
9841 	reg_idx = 1;
9842 	list_for_each_entry_rcu(rdev, &cfg80211_rdev_list, list) {
9843 		regdom = get_wiphy_regdom(&rdev->wiphy);
9844 		if (!regdom)
9845 			continue;
9846 
9847 		if (++reg_idx <= start)
9848 			continue;
9849 
9850 		err = nl80211_send_regdom(skb, cb, cb->nlh->nlmsg_seq,
9851 					  NLM_F_MULTI, &rdev->wiphy, regdom);
9852 		if (err < 0) {
9853 			reg_idx--;
9854 			break;
9855 		}
9856 	}
9857 
9858 	cb->args[2] = reg_idx;
9859 	err = skb->len;
9860 out_err:
9861 	rcu_read_unlock();
9862 	return err;
9863 }
9864 
9865 #ifdef CONFIG_CFG80211_CRDA_SUPPORT
9866 static const struct nla_policy reg_rule_policy[NL80211_REG_RULE_ATTR_MAX + 1] = {
9867 	[NL80211_ATTR_REG_RULE_FLAGS]		= { .type = NLA_U32 },
9868 	[NL80211_ATTR_FREQ_RANGE_START]		= { .type = NLA_U32 },
9869 	[NL80211_ATTR_FREQ_RANGE_END]		= { .type = NLA_U32 },
9870 	[NL80211_ATTR_FREQ_RANGE_MAX_BW]	= { .type = NLA_U32 },
9871 	[NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN]	= { .type = NLA_U32 },
9872 	[NL80211_ATTR_POWER_RULE_MAX_EIRP]	= { .type = NLA_U32 },
9873 	[NL80211_ATTR_DFS_CAC_TIME]		= { .type = NLA_U32 },
9874 };
9875 
9876 static int parse_reg_rule(struct nlattr *tb[],
9877 	struct ieee80211_reg_rule *reg_rule)
9878 {
9879 	struct ieee80211_freq_range *freq_range = &reg_rule->freq_range;
9880 	struct ieee80211_power_rule *power_rule = &reg_rule->power_rule;
9881 
9882 	if (!tb[NL80211_ATTR_REG_RULE_FLAGS])
9883 		return -EINVAL;
9884 	if (!tb[NL80211_ATTR_FREQ_RANGE_START])
9885 		return -EINVAL;
9886 	if (!tb[NL80211_ATTR_FREQ_RANGE_END])
9887 		return -EINVAL;
9888 	if (!tb[NL80211_ATTR_FREQ_RANGE_MAX_BW])
9889 		return -EINVAL;
9890 	if (!tb[NL80211_ATTR_POWER_RULE_MAX_EIRP])
9891 		return -EINVAL;
9892 
9893 	reg_rule->flags = nla_get_u32(tb[NL80211_ATTR_REG_RULE_FLAGS]);
9894 
9895 	freq_range->start_freq_khz =
9896 		nla_get_u32(tb[NL80211_ATTR_FREQ_RANGE_START]);
9897 	freq_range->end_freq_khz =
9898 		nla_get_u32(tb[NL80211_ATTR_FREQ_RANGE_END]);
9899 	freq_range->max_bandwidth_khz =
9900 		nla_get_u32(tb[NL80211_ATTR_FREQ_RANGE_MAX_BW]);
9901 
9902 	power_rule->max_eirp =
9903 		nla_get_u32(tb[NL80211_ATTR_POWER_RULE_MAX_EIRP]);
9904 
9905 	if (tb[NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN])
9906 		power_rule->max_antenna_gain =
9907 			nla_get_u32(tb[NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN]);
9908 
9909 	if (tb[NL80211_ATTR_DFS_CAC_TIME])
9910 		reg_rule->dfs_cac_ms =
9911 			nla_get_u32(tb[NL80211_ATTR_DFS_CAC_TIME]);
9912 
9913 	return 0;
9914 }
9915 
9916 static int nl80211_set_reg(struct sk_buff *skb, struct genl_info *info)
9917 {
9918 	struct nlattr *tb[NL80211_REG_RULE_ATTR_MAX + 1];
9919 	struct nlattr *nl_reg_rule;
9920 	char *alpha2;
9921 	int rem_reg_rules, r;
9922 	u32 num_rules = 0, rule_idx = 0;
9923 	enum nl80211_dfs_regions dfs_region = NL80211_DFS_UNSET;
9924 	struct ieee80211_regdomain *rd;
9925 
9926 	if (!info->attrs[NL80211_ATTR_REG_ALPHA2])
9927 		return -EINVAL;
9928 
9929 	if (!info->attrs[NL80211_ATTR_REG_RULES])
9930 		return -EINVAL;
9931 
9932 	alpha2 = nla_data(info->attrs[NL80211_ATTR_REG_ALPHA2]);
9933 
9934 	if (info->attrs[NL80211_ATTR_DFS_REGION])
9935 		dfs_region = nla_get_u8(info->attrs[NL80211_ATTR_DFS_REGION]);
9936 
9937 	nla_for_each_nested(nl_reg_rule, info->attrs[NL80211_ATTR_REG_RULES],
9938 			    rem_reg_rules) {
9939 		num_rules++;
9940 		if (num_rules > NL80211_MAX_SUPP_REG_RULES)
9941 			return -EINVAL;
9942 	}
9943 
9944 	rtnl_lock();
9945 	if (!reg_is_valid_request(alpha2)) {
9946 		r = -EINVAL;
9947 		goto out;
9948 	}
9949 
9950 	rd = kzalloc(struct_size(rd, reg_rules, num_rules), GFP_KERNEL);
9951 	if (!rd) {
9952 		r = -ENOMEM;
9953 		goto out;
9954 	}
9955 
9956 	rd->n_reg_rules = num_rules;
9957 	rd->alpha2[0] = alpha2[0];
9958 	rd->alpha2[1] = alpha2[1];
9959 
9960 	/*
9961 	 * Disable DFS master mode if the DFS region was
9962 	 * not supported or known on this kernel.
9963 	 */
9964 	if (reg_supported_dfs_region(dfs_region))
9965 		rd->dfs_region = dfs_region;
9966 
9967 	nla_for_each_nested(nl_reg_rule, info->attrs[NL80211_ATTR_REG_RULES],
9968 			    rem_reg_rules) {
9969 		r = nla_parse_nested_deprecated(tb, NL80211_REG_RULE_ATTR_MAX,
9970 						nl_reg_rule, reg_rule_policy,
9971 						info->extack);
9972 		if (r)
9973 			goto bad_reg;
9974 		r = parse_reg_rule(tb, &rd->reg_rules[rule_idx]);
9975 		if (r)
9976 			goto bad_reg;
9977 
9978 		rule_idx++;
9979 
9980 		if (rule_idx > NL80211_MAX_SUPP_REG_RULES) {
9981 			r = -EINVAL;
9982 			goto bad_reg;
9983 		}
9984 	}
9985 
9986 	r = set_regdom(rd, REGD_SOURCE_CRDA);
9987 	/* set_regdom takes ownership of rd */
9988 	rd = NULL;
9989  bad_reg:
9990 	kfree(rd);
9991  out:
9992 	rtnl_unlock();
9993 	return r;
9994 }
9995 #endif /* CONFIG_CFG80211_CRDA_SUPPORT */
9996 
9997 static int validate_scan_freqs(struct nlattr *freqs)
9998 {
9999 	struct nlattr *attr1, *attr2;
10000 	int n_channels = 0, tmp1, tmp2;
10001 
10002 	nla_for_each_nested(attr1, freqs, tmp1)
10003 		if (nla_len(attr1) != sizeof(u32))
10004 			return 0;
10005 
10006 	nla_for_each_nested(attr1, freqs, tmp1) {
10007 		n_channels++;
10008 		/*
10009 		 * Some hardware has a limited channel list for
10010 		 * scanning, and it is pretty much nonsensical
10011 		 * to scan for a channel twice, so disallow that
10012 		 * and don't require drivers to check that the
10013 		 * channel list they get isn't longer than what
10014 		 * they can scan, as long as they can scan all
10015 		 * the channels they registered at once.
10016 		 */
10017 		nla_for_each_nested(attr2, freqs, tmp2)
10018 			if (attr1 != attr2 &&
10019 			    nla_get_u32(attr1) == nla_get_u32(attr2))
10020 				return 0;
10021 	}
10022 
10023 	return n_channels;
10024 }
10025 
10026 static bool is_band_valid(struct wiphy *wiphy, enum nl80211_band b)
10027 {
10028 	return b < NUM_NL80211_BANDS && wiphy->bands[b];
10029 }
10030 
10031 static int parse_bss_select(struct nlattr *nla, struct wiphy *wiphy,
10032 			    struct cfg80211_bss_selection *bss_select)
10033 {
10034 	struct nlattr *attr[NL80211_BSS_SELECT_ATTR_MAX + 1];
10035 	struct nlattr *nest;
10036 	int err;
10037 	bool found = false;
10038 	int i;
10039 
10040 	/* only process one nested attribute */
10041 	nest = nla_data(nla);
10042 	if (!nla_ok(nest, nla_len(nest)))
10043 		return -EINVAL;
10044 
10045 	err = nla_parse_nested_deprecated(attr, NL80211_BSS_SELECT_ATTR_MAX,
10046 					  nest, nl80211_bss_select_policy,
10047 					  NULL);
10048 	if (err)
10049 		return err;
10050 
10051 	/* only one attribute may be given */
10052 	for (i = 0; i <= NL80211_BSS_SELECT_ATTR_MAX; i++) {
10053 		if (attr[i]) {
10054 			if (found)
10055 				return -EINVAL;
10056 			found = true;
10057 		}
10058 	}
10059 
10060 	bss_select->behaviour = __NL80211_BSS_SELECT_ATTR_INVALID;
10061 
10062 	if (attr[NL80211_BSS_SELECT_ATTR_RSSI])
10063 		bss_select->behaviour = NL80211_BSS_SELECT_ATTR_RSSI;
10064 
10065 	if (attr[NL80211_BSS_SELECT_ATTR_BAND_PREF]) {
10066 		bss_select->behaviour = NL80211_BSS_SELECT_ATTR_BAND_PREF;
10067 		bss_select->param.band_pref =
10068 			nla_get_u32(attr[NL80211_BSS_SELECT_ATTR_BAND_PREF]);
10069 		if (!is_band_valid(wiphy, bss_select->param.band_pref))
10070 			return -EINVAL;
10071 	}
10072 
10073 	if (attr[NL80211_BSS_SELECT_ATTR_RSSI_ADJUST]) {
10074 		struct nl80211_bss_select_rssi_adjust *adj_param;
10075 
10076 		adj_param = nla_data(attr[NL80211_BSS_SELECT_ATTR_RSSI_ADJUST]);
10077 		bss_select->behaviour = NL80211_BSS_SELECT_ATTR_RSSI_ADJUST;
10078 		bss_select->param.adjust.band = adj_param->band;
10079 		bss_select->param.adjust.delta = adj_param->delta;
10080 		if (!is_band_valid(wiphy, bss_select->param.adjust.band))
10081 			return -EINVAL;
10082 	}
10083 
10084 	/* user-space did not provide behaviour attribute */
10085 	if (bss_select->behaviour == __NL80211_BSS_SELECT_ATTR_INVALID)
10086 		return -EINVAL;
10087 
10088 	if (!(wiphy->bss_select_support & BIT(bss_select->behaviour)))
10089 		return -EINVAL;
10090 
10091 	return 0;
10092 }
10093 
10094 int nl80211_parse_random_mac(struct nlattr **attrs,
10095 			     u8 *mac_addr, u8 *mac_addr_mask)
10096 {
10097 	int i;
10098 
10099 	if (!attrs[NL80211_ATTR_MAC] && !attrs[NL80211_ATTR_MAC_MASK]) {
10100 		eth_zero_addr(mac_addr);
10101 		eth_zero_addr(mac_addr_mask);
10102 		mac_addr[0] = 0x2;
10103 		mac_addr_mask[0] = 0x3;
10104 
10105 		return 0;
10106 	}
10107 
10108 	/* need both or none */
10109 	if (!attrs[NL80211_ATTR_MAC] || !attrs[NL80211_ATTR_MAC_MASK])
10110 		return -EINVAL;
10111 
10112 	memcpy(mac_addr, nla_data(attrs[NL80211_ATTR_MAC]), ETH_ALEN);
10113 	memcpy(mac_addr_mask, nla_data(attrs[NL80211_ATTR_MAC_MASK]), ETH_ALEN);
10114 
10115 	/* don't allow or configure an mcast address */
10116 	if (!is_multicast_ether_addr(mac_addr_mask) ||
10117 	    is_multicast_ether_addr(mac_addr))
10118 		return -EINVAL;
10119 
10120 	/*
10121 	 * allow users to pass a MAC address that has bits set outside
10122 	 * of the mask, but don't bother drivers with having to deal
10123 	 * with such bits
10124 	 */
10125 	for (i = 0; i < ETH_ALEN; i++)
10126 		mac_addr[i] &= mac_addr_mask[i];
10127 
10128 	return 0;
10129 }
10130 
10131 static bool cfg80211_off_channel_oper_allowed(struct wireless_dev *wdev,
10132 					      struct ieee80211_channel *chan)
10133 {
10134 	unsigned int link_id;
10135 	bool all_ok = true;
10136 	int radio_idx;
10137 
10138 	lockdep_assert_wiphy(wdev->wiphy);
10139 
10140 	if (!cfg80211_wdev_channel_allowed(wdev, chan))
10141 		return false;
10142 
10143 	if (!cfg80211_beaconing_iface_active(wdev))
10144 		return true;
10145 
10146 	radio_idx = cfg80211_get_radio_idx_by_chan(wdev->wiphy, chan);
10147 
10148 	/*
10149 	 * FIXME: check if we have a free radio/link for chan
10150 	 *
10151 	 * This, as well as the FIXME below, requires knowing the link
10152 	 * capabilities of the hardware.
10153 	 */
10154 
10155 	/* we cannot leave radar channels */
10156 	for_each_valid_link(wdev, link_id) {
10157 		struct cfg80211_chan_def *chandef;
10158 		int link_radio_idx;
10159 
10160 		chandef = wdev_chandef(wdev, link_id);
10161 		if (!chandef || !chandef->chan)
10162 			continue;
10163 
10164 		if (!(chandef->chan->flags & IEEE80211_CHAN_RADAR))
10165 			continue;
10166 
10167 		/*
10168 		 * chandef->chan is a radar channel. If the radio/link onto
10169 		 * which this radar channel falls is the same radio/link onto
10170 		 * which the input 'chan' falls, off-channel operation should
10171 		 * not be allowed. Hence, set 'all_ok' to false.
10172 		 */
10173 
10174 		link_radio_idx = cfg80211_get_radio_idx_by_chan(wdev->wiphy,
10175 								chandef->chan);
10176 		if (link_radio_idx == radio_idx) {
10177 			all_ok = false;
10178 			break;
10179 		}
10180 	}
10181 
10182 	if (all_ok)
10183 		return true;
10184 
10185 	return regulatory_pre_cac_allowed(wdev->wiphy);
10186 }
10187 
10188 static bool nl80211_check_scan_feat(struct wiphy *wiphy, u32 flags, u32 flag,
10189 				    enum nl80211_ext_feature_index feat)
10190 {
10191 	if (!(flags & flag))
10192 		return true;
10193 	if (wiphy_ext_feature_isset(wiphy, feat))
10194 		return true;
10195 	return false;
10196 }
10197 
10198 static int
10199 nl80211_check_scan_flags(struct wiphy *wiphy, struct wireless_dev *wdev,
10200 			 struct nlattr **attrs, u8 *mac_addr, u8 *mac_addr_mask,
10201 			 u32 *flags, enum nl80211_feature_flags randomness_flag)
10202 {
10203 	if (!attrs[NL80211_ATTR_SCAN_FLAGS])
10204 		return 0;
10205 
10206 	*flags = nla_get_u32(attrs[NL80211_ATTR_SCAN_FLAGS]);
10207 
10208 	if (((*flags & NL80211_SCAN_FLAG_LOW_PRIORITY) &&
10209 	     !(wiphy->features & NL80211_FEATURE_LOW_PRIORITY_SCAN)) ||
10210 	    !nl80211_check_scan_feat(wiphy, *flags,
10211 				     NL80211_SCAN_FLAG_LOW_SPAN,
10212 				     NL80211_EXT_FEATURE_LOW_SPAN_SCAN) ||
10213 	    !nl80211_check_scan_feat(wiphy, *flags,
10214 				     NL80211_SCAN_FLAG_LOW_POWER,
10215 				     NL80211_EXT_FEATURE_LOW_POWER_SCAN) ||
10216 	    !nl80211_check_scan_feat(wiphy, *flags,
10217 				     NL80211_SCAN_FLAG_HIGH_ACCURACY,
10218 				     NL80211_EXT_FEATURE_HIGH_ACCURACY_SCAN) ||
10219 	    !nl80211_check_scan_feat(wiphy, *flags,
10220 				     NL80211_SCAN_FLAG_FILS_MAX_CHANNEL_TIME,
10221 				     NL80211_EXT_FEATURE_FILS_MAX_CHANNEL_TIME) ||
10222 	    !nl80211_check_scan_feat(wiphy, *flags,
10223 				     NL80211_SCAN_FLAG_ACCEPT_BCAST_PROBE_RESP,
10224 				     NL80211_EXT_FEATURE_ACCEPT_BCAST_PROBE_RESP) ||
10225 	    !nl80211_check_scan_feat(wiphy, *flags,
10226 				     NL80211_SCAN_FLAG_OCE_PROBE_REQ_DEFERRAL_SUPPRESSION,
10227 				     NL80211_EXT_FEATURE_OCE_PROBE_REQ_DEFERRAL_SUPPRESSION) ||
10228 	    !nl80211_check_scan_feat(wiphy, *flags,
10229 				     NL80211_SCAN_FLAG_OCE_PROBE_REQ_HIGH_TX_RATE,
10230 				     NL80211_EXT_FEATURE_OCE_PROBE_REQ_HIGH_TX_RATE) ||
10231 	    !nl80211_check_scan_feat(wiphy, *flags,
10232 				     NL80211_SCAN_FLAG_RANDOM_SN,
10233 				     NL80211_EXT_FEATURE_SCAN_RANDOM_SN) ||
10234 	    !nl80211_check_scan_feat(wiphy, *flags,
10235 				     NL80211_SCAN_FLAG_MIN_PREQ_CONTENT,
10236 				     NL80211_EXT_FEATURE_SCAN_MIN_PREQ_CONTENT))
10237 		return -EOPNOTSUPP;
10238 
10239 	if (*flags & NL80211_SCAN_FLAG_RANDOM_ADDR) {
10240 		int err;
10241 
10242 		if (!(wiphy->features & randomness_flag) ||
10243 		    (wdev && wdev->connected))
10244 			return -EOPNOTSUPP;
10245 
10246 		err = nl80211_parse_random_mac(attrs, mac_addr, mac_addr_mask);
10247 		if (err)
10248 			return err;
10249 	}
10250 
10251 	return 0;
10252 }
10253 
10254 static int
10255 nl80211_check_scan_flags_sched(struct wiphy *wiphy, struct wireless_dev *wdev,
10256 			       struct nlattr **attrs,
10257 			       struct cfg80211_sched_scan_request *req)
10258 {
10259 	return nl80211_check_scan_flags(wiphy, wdev, attrs,
10260 					req->mac_addr, req->mac_addr_mask,
10261 					&req->flags,
10262 					wdev ? NL80211_FEATURE_SCHED_SCAN_RANDOM_MAC_ADDR :
10263 					       NL80211_FEATURE_ND_RANDOM_MAC_ADDR);
10264 }
10265 
10266 static int
10267 nl80211_check_scan_flags_reg(struct wiphy *wiphy, struct wireless_dev *wdev,
10268 			     struct nlattr **attrs,
10269 			     struct cfg80211_scan_request_int *req)
10270 {
10271 	return nl80211_check_scan_flags(wiphy, wdev, attrs,
10272 					req->req.mac_addr,
10273 					req->req.mac_addr_mask,
10274 					&req->req.flags,
10275 					NL80211_FEATURE_SCAN_RANDOM_MAC_ADDR);
10276 }
10277 
10278 static int nl80211_trigger_scan(struct sk_buff *skb, struct genl_info *info)
10279 {
10280 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10281 	struct wireless_dev *wdev = info->user_ptr[1];
10282 	struct cfg80211_scan_request_int *request;
10283 	struct nlattr *scan_freqs = NULL;
10284 	bool scan_freqs_khz = false;
10285 	struct nlattr *attr;
10286 	struct wiphy *wiphy;
10287 	int err, tmp, n_ssids = 0, n_channels, i;
10288 	size_t ie_len, size;
10289 	size_t ssids_offset, ie_offset;
10290 
10291 	wiphy = &rdev->wiphy;
10292 
10293 	if (wdev->iftype == NL80211_IFTYPE_NAN)
10294 		return -EOPNOTSUPP;
10295 
10296 	if (!rdev->ops->scan)
10297 		return -EOPNOTSUPP;
10298 
10299 	if (rdev->scan_req || rdev->scan_msg)
10300 		return -EBUSY;
10301 
10302 	if (info->attrs[NL80211_ATTR_SCAN_FREQ_KHZ]) {
10303 		if (!wiphy_ext_feature_isset(wiphy,
10304 					     NL80211_EXT_FEATURE_SCAN_FREQ_KHZ))
10305 			return -EOPNOTSUPP;
10306 		scan_freqs = info->attrs[NL80211_ATTR_SCAN_FREQ_KHZ];
10307 		scan_freqs_khz = true;
10308 	} else if (info->attrs[NL80211_ATTR_SCAN_FREQUENCIES])
10309 		scan_freqs = info->attrs[NL80211_ATTR_SCAN_FREQUENCIES];
10310 
10311 	if (scan_freqs) {
10312 		n_channels = validate_scan_freqs(scan_freqs);
10313 		if (!n_channels)
10314 			return -EINVAL;
10315 	} else {
10316 		n_channels = ieee80211_get_num_supported_channels(wiphy);
10317 	}
10318 
10319 	if (info->attrs[NL80211_ATTR_SCAN_SSIDS])
10320 		nla_for_each_nested(attr, info->attrs[NL80211_ATTR_SCAN_SSIDS], tmp)
10321 			n_ssids++;
10322 
10323 	if (n_ssids > wiphy->max_scan_ssids)
10324 		return -EINVAL;
10325 
10326 	if (info->attrs[NL80211_ATTR_IE])
10327 		ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
10328 	else
10329 		ie_len = 0;
10330 
10331 	if (ie_len > wiphy->max_scan_ie_len)
10332 		return -EINVAL;
10333 
10334 	size = struct_size(request, req.channels, n_channels);
10335 	ssids_offset = size;
10336 	size = size_add(size, array_size(sizeof(*request->req.ssids), n_ssids));
10337 	ie_offset = size;
10338 	size = size_add(size, ie_len);
10339 	request = kzalloc(size, GFP_KERNEL);
10340 	if (!request)
10341 		return -ENOMEM;
10342 
10343 	if (n_ssids)
10344 		request->req.ssids = (void *)request + ssids_offset;
10345 	request->req.n_ssids = n_ssids;
10346 	if (ie_len)
10347 		request->req.ie = (void *)request + ie_offset;
10348 
10349 	i = 0;
10350 	if (scan_freqs) {
10351 		/* user specified, bail out if channel not found */
10352 		nla_for_each_nested(attr, scan_freqs, tmp) {
10353 			struct ieee80211_channel *chan;
10354 			int freq = nla_get_u32(attr);
10355 
10356 			if (!scan_freqs_khz)
10357 				freq = MHZ_TO_KHZ(freq);
10358 
10359 			chan = ieee80211_get_channel_khz(wiphy, freq);
10360 			if (!chan) {
10361 				err = -EINVAL;
10362 				goto out_free;
10363 			}
10364 
10365 			/* ignore disabled channels */
10366 			if (chan->flags & IEEE80211_CHAN_DISABLED ||
10367 			    !cfg80211_wdev_channel_allowed(wdev, chan))
10368 				continue;
10369 
10370 			request->req.channels[i] = chan;
10371 			i++;
10372 		}
10373 	} else {
10374 		enum nl80211_band band;
10375 
10376 		/* all channels */
10377 		for (band = 0; band < NUM_NL80211_BANDS; band++) {
10378 			int j;
10379 
10380 			if (!wiphy->bands[band])
10381 				continue;
10382 			for (j = 0; j < wiphy->bands[band]->n_channels; j++) {
10383 				struct ieee80211_channel *chan;
10384 
10385 				chan = &wiphy->bands[band]->channels[j];
10386 
10387 				if (chan->flags & IEEE80211_CHAN_DISABLED ||
10388 				    !cfg80211_wdev_channel_allowed(wdev, chan))
10389 					continue;
10390 
10391 				request->req.channels[i] = chan;
10392 				i++;
10393 			}
10394 		}
10395 	}
10396 
10397 	if (!i) {
10398 		err = -EINVAL;
10399 		goto out_free;
10400 	}
10401 
10402 	request->req.n_channels = i;
10403 
10404 	for (i = 0; i < request->req.n_channels; i++) {
10405 		struct ieee80211_channel *chan = request->req.channels[i];
10406 
10407 		/* if we can go off-channel to the target channel we're good */
10408 		if (cfg80211_off_channel_oper_allowed(wdev, chan))
10409 			continue;
10410 
10411 		if (!cfg80211_wdev_on_sub_chan(wdev, chan, true)) {
10412 			err = -EBUSY;
10413 			goto out_free;
10414 		}
10415 	}
10416 
10417 	i = 0;
10418 	if (n_ssids) {
10419 		nla_for_each_nested(attr, info->attrs[NL80211_ATTR_SCAN_SSIDS], tmp) {
10420 			if (nla_len(attr) > IEEE80211_MAX_SSID_LEN) {
10421 				err = -EINVAL;
10422 				goto out_free;
10423 			}
10424 			request->req.ssids[i].ssid_len = nla_len(attr);
10425 			memcpy(request->req.ssids[i].ssid,
10426 			       nla_data(attr), nla_len(attr));
10427 			i++;
10428 		}
10429 	}
10430 
10431 	if (info->attrs[NL80211_ATTR_IE]) {
10432 		request->req.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
10433 		memcpy((void *)request->req.ie,
10434 		       nla_data(info->attrs[NL80211_ATTR_IE]),
10435 		       request->req.ie_len);
10436 	}
10437 
10438 	for (i = 0; i < NUM_NL80211_BANDS; i++)
10439 		if (wiphy->bands[i])
10440 			request->req.rates[i] =
10441 				(1 << wiphy->bands[i]->n_bitrates) - 1;
10442 
10443 	if (info->attrs[NL80211_ATTR_SCAN_SUPP_RATES]) {
10444 		nla_for_each_nested(attr,
10445 				    info->attrs[NL80211_ATTR_SCAN_SUPP_RATES],
10446 				    tmp) {
10447 			enum nl80211_band band = nla_type(attr);
10448 
10449 			if (band < 0 || band >= NUM_NL80211_BANDS) {
10450 				err = -EINVAL;
10451 				goto out_free;
10452 			}
10453 
10454 			if (!wiphy->bands[band])
10455 				continue;
10456 
10457 			err = ieee80211_get_ratemask(wiphy->bands[band],
10458 						     nla_data(attr),
10459 						     nla_len(attr),
10460 						     &request->req.rates[band]);
10461 			if (err)
10462 				goto out_free;
10463 		}
10464 	}
10465 
10466 	if (info->attrs[NL80211_ATTR_MEASUREMENT_DURATION]) {
10467 		request->req.duration =
10468 			nla_get_u16(info->attrs[NL80211_ATTR_MEASUREMENT_DURATION]);
10469 		request->req.duration_mandatory =
10470 			nla_get_flag(info->attrs[NL80211_ATTR_MEASUREMENT_DURATION_MANDATORY]);
10471 	}
10472 
10473 	err = nl80211_check_scan_flags_reg(wiphy, wdev, info->attrs, request);
10474 	if (err)
10475 		goto out_free;
10476 
10477 	request->req.no_cck =
10478 		nla_get_flag(info->attrs[NL80211_ATTR_TX_NO_CCK_RATE]);
10479 
10480 	/* Initial implementation used NL80211_ATTR_MAC to set the specific
10481 	 * BSSID to scan for. This was problematic because that same attribute
10482 	 * was already used for another purpose (local random MAC address). The
10483 	 * NL80211_ATTR_BSSID attribute was added to fix this. For backwards
10484 	 * compatibility with older userspace components, also use the
10485 	 * NL80211_ATTR_MAC value here if it can be determined to be used for
10486 	 * the specific BSSID use case instead of the random MAC address
10487 	 * (NL80211_ATTR_SCAN_FLAGS is used to enable random MAC address use).
10488 	 */
10489 	if (info->attrs[NL80211_ATTR_BSSID])
10490 		memcpy(request->req.bssid,
10491 		       nla_data(info->attrs[NL80211_ATTR_BSSID]), ETH_ALEN);
10492 	else if (!(request->req.flags & NL80211_SCAN_FLAG_RANDOM_ADDR) &&
10493 		 info->attrs[NL80211_ATTR_MAC])
10494 		memcpy(request->req.bssid,
10495 		       nla_data(info->attrs[NL80211_ATTR_MAC]),
10496 		       ETH_ALEN);
10497 	else
10498 		eth_broadcast_addr(request->req.bssid);
10499 
10500 	request->req.tsf_report_link_id =
10501 		nl80211_link_id_or_invalid(info->attrs);
10502 	request->req.wdev = wdev;
10503 	request->req.wiphy = &rdev->wiphy;
10504 	request->req.scan_start = jiffies;
10505 
10506 	rdev->scan_req = request;
10507 	err = cfg80211_scan(rdev);
10508 
10509 	if (err)
10510 		goto out_free;
10511 
10512 	nl80211_send_scan_start(rdev, wdev);
10513 	dev_hold(wdev->netdev);
10514 
10515 	return 0;
10516 
10517  out_free:
10518 	rdev->scan_req = NULL;
10519 	kfree(request);
10520 
10521 	return err;
10522 }
10523 
10524 static int nl80211_abort_scan(struct sk_buff *skb, struct genl_info *info)
10525 {
10526 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10527 	struct wireless_dev *wdev = info->user_ptr[1];
10528 
10529 	if (!rdev->ops->abort_scan)
10530 		return -EOPNOTSUPP;
10531 
10532 	if (rdev->scan_msg)
10533 		return 0;
10534 
10535 	if (!rdev->scan_req)
10536 		return -ENOENT;
10537 
10538 	rdev_abort_scan(rdev, wdev);
10539 	return 0;
10540 }
10541 
10542 static int
10543 nl80211_parse_sched_scan_plans(struct wiphy *wiphy, int n_plans,
10544 			       struct cfg80211_sched_scan_request *request,
10545 			       struct nlattr **attrs)
10546 {
10547 	int tmp, err, i = 0;
10548 	struct nlattr *attr;
10549 
10550 	if (!attrs[NL80211_ATTR_SCHED_SCAN_PLANS]) {
10551 		u32 interval;
10552 
10553 		/*
10554 		 * If scan plans are not specified,
10555 		 * %NL80211_ATTR_SCHED_SCAN_INTERVAL will be specified. In this
10556 		 * case one scan plan will be set with the specified scan
10557 		 * interval and infinite number of iterations.
10558 		 */
10559 		interval = nla_get_u32(attrs[NL80211_ATTR_SCHED_SCAN_INTERVAL]);
10560 		if (!interval)
10561 			return -EINVAL;
10562 
10563 		request->scan_plans[0].interval =
10564 			DIV_ROUND_UP(interval, MSEC_PER_SEC);
10565 		if (!request->scan_plans[0].interval)
10566 			return -EINVAL;
10567 
10568 		if (request->scan_plans[0].interval >
10569 		    wiphy->max_sched_scan_plan_interval)
10570 			request->scan_plans[0].interval =
10571 				wiphy->max_sched_scan_plan_interval;
10572 
10573 		return 0;
10574 	}
10575 
10576 	nla_for_each_nested(attr, attrs[NL80211_ATTR_SCHED_SCAN_PLANS], tmp) {
10577 		struct nlattr *plan[NL80211_SCHED_SCAN_PLAN_MAX + 1];
10578 
10579 		if (WARN_ON(i >= n_plans))
10580 			return -EINVAL;
10581 
10582 		err = nla_parse_nested_deprecated(plan,
10583 						  NL80211_SCHED_SCAN_PLAN_MAX,
10584 						  attr, nl80211_plan_policy,
10585 						  NULL);
10586 		if (err)
10587 			return err;
10588 
10589 		if (!plan[NL80211_SCHED_SCAN_PLAN_INTERVAL])
10590 			return -EINVAL;
10591 
10592 		request->scan_plans[i].interval =
10593 			nla_get_u32(plan[NL80211_SCHED_SCAN_PLAN_INTERVAL]);
10594 		if (!request->scan_plans[i].interval ||
10595 		    request->scan_plans[i].interval >
10596 		    wiphy->max_sched_scan_plan_interval)
10597 			return -EINVAL;
10598 
10599 		if (plan[NL80211_SCHED_SCAN_PLAN_ITERATIONS]) {
10600 			request->scan_plans[i].iterations =
10601 				nla_get_u32(plan[NL80211_SCHED_SCAN_PLAN_ITERATIONS]);
10602 			if (!request->scan_plans[i].iterations ||
10603 			    (request->scan_plans[i].iterations >
10604 			     wiphy->max_sched_scan_plan_iterations))
10605 				return -EINVAL;
10606 		} else if (i < n_plans - 1) {
10607 			/*
10608 			 * All scan plans but the last one must specify
10609 			 * a finite number of iterations
10610 			 */
10611 			return -EINVAL;
10612 		}
10613 
10614 		i++;
10615 	}
10616 
10617 	/*
10618 	 * The last scan plan must not specify the number of
10619 	 * iterations, it is supposed to run infinitely
10620 	 */
10621 	if (request->scan_plans[n_plans - 1].iterations)
10622 		return  -EINVAL;
10623 
10624 	return 0;
10625 }
10626 
10627 static struct cfg80211_sched_scan_request *
10628 nl80211_parse_sched_scan(struct wiphy *wiphy, struct wireless_dev *wdev,
10629 			 struct nlattr **attrs, int max_match_sets)
10630 {
10631 	struct cfg80211_sched_scan_request *request;
10632 	struct nlattr *attr;
10633 	int err, tmp, n_ssids = 0, n_match_sets = 0, n_channels, i, n_plans = 0;
10634 	enum nl80211_band band;
10635 	size_t ie_len, size;
10636 	struct nlattr *tb[NL80211_SCHED_SCAN_MATCH_ATTR_MAX + 1];
10637 	s32 default_match_rssi = NL80211_SCAN_RSSI_THOLD_OFF;
10638 
10639 	if (attrs[NL80211_ATTR_SCAN_FREQUENCIES]) {
10640 		n_channels = validate_scan_freqs(
10641 				attrs[NL80211_ATTR_SCAN_FREQUENCIES]);
10642 		if (!n_channels)
10643 			return ERR_PTR(-EINVAL);
10644 	} else {
10645 		n_channels = ieee80211_get_num_supported_channels(wiphy);
10646 	}
10647 
10648 	if (attrs[NL80211_ATTR_SCAN_SSIDS])
10649 		nla_for_each_nested(attr, attrs[NL80211_ATTR_SCAN_SSIDS],
10650 				    tmp)
10651 			n_ssids++;
10652 
10653 	if (n_ssids > wiphy->max_sched_scan_ssids)
10654 		return ERR_PTR(-EINVAL);
10655 
10656 	/*
10657 	 * First, count the number of 'real' matchsets. Due to an issue with
10658 	 * the old implementation, matchsets containing only the RSSI attribute
10659 	 * (NL80211_SCHED_SCAN_MATCH_ATTR_RSSI) are considered as the 'default'
10660 	 * RSSI for all matchsets, rather than their own matchset for reporting
10661 	 * all APs with a strong RSSI. This is needed to be compatible with
10662 	 * older userspace that treated a matchset with only the RSSI as the
10663 	 * global RSSI for all other matchsets - if there are other matchsets.
10664 	 */
10665 	if (attrs[NL80211_ATTR_SCHED_SCAN_MATCH]) {
10666 		nla_for_each_nested(attr,
10667 				    attrs[NL80211_ATTR_SCHED_SCAN_MATCH],
10668 				    tmp) {
10669 			struct nlattr *rssi;
10670 
10671 			err = nla_parse_nested_deprecated(tb,
10672 							  NL80211_SCHED_SCAN_MATCH_ATTR_MAX,
10673 							  attr,
10674 							  nl80211_match_policy,
10675 							  NULL);
10676 			if (err)
10677 				return ERR_PTR(err);
10678 
10679 			/* SSID and BSSID are mutually exclusive */
10680 			if (tb[NL80211_SCHED_SCAN_MATCH_ATTR_SSID] &&
10681 			    tb[NL80211_SCHED_SCAN_MATCH_ATTR_BSSID])
10682 				return ERR_PTR(-EINVAL);
10683 
10684 			/* add other standalone attributes here */
10685 			if (tb[NL80211_SCHED_SCAN_MATCH_ATTR_SSID] ||
10686 			    tb[NL80211_SCHED_SCAN_MATCH_ATTR_BSSID]) {
10687 				n_match_sets++;
10688 				continue;
10689 			}
10690 			rssi = tb[NL80211_SCHED_SCAN_MATCH_ATTR_RSSI];
10691 			if (rssi)
10692 				default_match_rssi = nla_get_s32(rssi);
10693 		}
10694 	}
10695 
10696 	/* However, if there's no other matchset, add the RSSI one */
10697 	if (!n_match_sets && default_match_rssi != NL80211_SCAN_RSSI_THOLD_OFF)
10698 		n_match_sets = 1;
10699 
10700 	if (n_match_sets > max_match_sets)
10701 		return ERR_PTR(-EINVAL);
10702 
10703 	if (attrs[NL80211_ATTR_IE])
10704 		ie_len = nla_len(attrs[NL80211_ATTR_IE]);
10705 	else
10706 		ie_len = 0;
10707 
10708 	if (ie_len > wiphy->max_sched_scan_ie_len)
10709 		return ERR_PTR(-EINVAL);
10710 
10711 	if (attrs[NL80211_ATTR_SCHED_SCAN_PLANS]) {
10712 		/*
10713 		 * NL80211_ATTR_SCHED_SCAN_INTERVAL must not be specified since
10714 		 * each scan plan already specifies its own interval
10715 		 */
10716 		if (attrs[NL80211_ATTR_SCHED_SCAN_INTERVAL])
10717 			return ERR_PTR(-EINVAL);
10718 
10719 		nla_for_each_nested(attr,
10720 				    attrs[NL80211_ATTR_SCHED_SCAN_PLANS], tmp)
10721 			n_plans++;
10722 	} else {
10723 		/*
10724 		 * The scan interval attribute is kept for backward
10725 		 * compatibility. If no scan plans are specified and sched scan
10726 		 * interval is specified, one scan plan will be set with this
10727 		 * scan interval and infinite number of iterations.
10728 		 */
10729 		if (!attrs[NL80211_ATTR_SCHED_SCAN_INTERVAL])
10730 			return ERR_PTR(-EINVAL);
10731 
10732 		n_plans = 1;
10733 	}
10734 
10735 	if (!n_plans || n_plans > wiphy->max_sched_scan_plans)
10736 		return ERR_PTR(-EINVAL);
10737 
10738 	if (!wiphy_ext_feature_isset(
10739 		    wiphy, NL80211_EXT_FEATURE_SCHED_SCAN_RELATIVE_RSSI) &&
10740 	    (attrs[NL80211_ATTR_SCHED_SCAN_RELATIVE_RSSI] ||
10741 	     attrs[NL80211_ATTR_SCHED_SCAN_RSSI_ADJUST]))
10742 		return ERR_PTR(-EINVAL);
10743 
10744 	size = struct_size(request, channels, n_channels);
10745 	size = size_add(size, array_size(sizeof(*request->ssids), n_ssids));
10746 	size = size_add(size, array_size(sizeof(*request->match_sets),
10747 					 n_match_sets));
10748 	size = size_add(size, array_size(sizeof(*request->scan_plans),
10749 					 n_plans));
10750 	size = size_add(size, ie_len);
10751 	request = kzalloc(size, GFP_KERNEL);
10752 	if (!request)
10753 		return ERR_PTR(-ENOMEM);
10754 	request->n_channels = n_channels;
10755 
10756 	if (n_ssids)
10757 		request->ssids = (void *)request +
10758 			struct_size(request, channels, n_channels);
10759 	request->n_ssids = n_ssids;
10760 	if (ie_len) {
10761 		if (n_ssids)
10762 			request->ie = (void *)(request->ssids + n_ssids);
10763 		else
10764 			request->ie = (void *)(request->channels + n_channels);
10765 	}
10766 
10767 	if (n_match_sets) {
10768 		if (request->ie)
10769 			request->match_sets = (void *)(request->ie + ie_len);
10770 		else if (n_ssids)
10771 			request->match_sets =
10772 				(void *)(request->ssids + n_ssids);
10773 		else
10774 			request->match_sets =
10775 				(void *)(request->channels + n_channels);
10776 	}
10777 	request->n_match_sets = n_match_sets;
10778 
10779 	if (n_match_sets)
10780 		request->scan_plans = (void *)(request->match_sets +
10781 					       n_match_sets);
10782 	else if (request->ie)
10783 		request->scan_plans = (void *)(request->ie + ie_len);
10784 	else if (n_ssids)
10785 		request->scan_plans = (void *)(request->ssids + n_ssids);
10786 	else
10787 		request->scan_plans = (void *)(request->channels + n_channels);
10788 
10789 	request->n_scan_plans = n_plans;
10790 
10791 	i = 0;
10792 	if (attrs[NL80211_ATTR_SCAN_FREQUENCIES]) {
10793 		/* user specified, bail out if channel not found */
10794 		nla_for_each_nested(attr,
10795 				    attrs[NL80211_ATTR_SCAN_FREQUENCIES],
10796 				    tmp) {
10797 			struct ieee80211_channel *chan;
10798 
10799 			chan = ieee80211_get_channel(wiphy, nla_get_u32(attr));
10800 
10801 			if (!chan) {
10802 				err = -EINVAL;
10803 				goto out_free;
10804 			}
10805 
10806 			/* ignore disabled channels */
10807 			if (chan->flags & IEEE80211_CHAN_DISABLED)
10808 				continue;
10809 
10810 			request->channels[i] = chan;
10811 			i++;
10812 		}
10813 	} else {
10814 		/* all channels */
10815 		for (band = 0; band < NUM_NL80211_BANDS; band++) {
10816 			int j;
10817 
10818 			if (!wiphy->bands[band])
10819 				continue;
10820 			for (j = 0; j < wiphy->bands[band]->n_channels; j++) {
10821 				struct ieee80211_channel *chan;
10822 
10823 				chan = &wiphy->bands[band]->channels[j];
10824 
10825 				if (chan->flags & IEEE80211_CHAN_DISABLED)
10826 					continue;
10827 
10828 				request->channels[i] = chan;
10829 				i++;
10830 			}
10831 		}
10832 	}
10833 
10834 	if (!i) {
10835 		err = -EINVAL;
10836 		goto out_free;
10837 	}
10838 
10839 	request->n_channels = i;
10840 
10841 	i = 0;
10842 	if (n_ssids) {
10843 		nla_for_each_nested(attr, attrs[NL80211_ATTR_SCAN_SSIDS],
10844 				    tmp) {
10845 			if (nla_len(attr) > IEEE80211_MAX_SSID_LEN) {
10846 				err = -EINVAL;
10847 				goto out_free;
10848 			}
10849 			request->ssids[i].ssid_len = nla_len(attr);
10850 			memcpy(request->ssids[i].ssid, nla_data(attr),
10851 			       nla_len(attr));
10852 			i++;
10853 		}
10854 	}
10855 
10856 	i = 0;
10857 	if (attrs[NL80211_ATTR_SCHED_SCAN_MATCH]) {
10858 		nla_for_each_nested(attr,
10859 				    attrs[NL80211_ATTR_SCHED_SCAN_MATCH],
10860 				    tmp) {
10861 			struct nlattr *ssid, *bssid, *rssi;
10862 
10863 			err = nla_parse_nested_deprecated(tb,
10864 							  NL80211_SCHED_SCAN_MATCH_ATTR_MAX,
10865 							  attr,
10866 							  nl80211_match_policy,
10867 							  NULL);
10868 			if (err)
10869 				goto out_free;
10870 			ssid = tb[NL80211_SCHED_SCAN_MATCH_ATTR_SSID];
10871 			bssid = tb[NL80211_SCHED_SCAN_MATCH_ATTR_BSSID];
10872 
10873 			if (!ssid && !bssid) {
10874 				i++;
10875 				continue;
10876 			}
10877 
10878 			if (WARN_ON(i >= n_match_sets)) {
10879 				/* this indicates a programming error,
10880 				 * the loop above should have verified
10881 				 * things properly
10882 				 */
10883 				err = -EINVAL;
10884 				goto out_free;
10885 			}
10886 
10887 			if (ssid) {
10888 				memcpy(request->match_sets[i].ssid.ssid,
10889 				       nla_data(ssid), nla_len(ssid));
10890 				request->match_sets[i].ssid.ssid_len =
10891 					nla_len(ssid);
10892 			}
10893 			if (bssid)
10894 				memcpy(request->match_sets[i].bssid,
10895 				       nla_data(bssid), ETH_ALEN);
10896 
10897 			/* special attribute - old implementation w/a */
10898 			request->match_sets[i].rssi_thold = default_match_rssi;
10899 			rssi = tb[NL80211_SCHED_SCAN_MATCH_ATTR_RSSI];
10900 			if (rssi)
10901 				request->match_sets[i].rssi_thold =
10902 					nla_get_s32(rssi);
10903 			i++;
10904 		}
10905 
10906 		/* there was no other matchset, so the RSSI one is alone */
10907 		if (i == 0 && n_match_sets)
10908 			request->match_sets[0].rssi_thold = default_match_rssi;
10909 
10910 		request->min_rssi_thold = INT_MAX;
10911 		for (i = 0; i < n_match_sets; i++)
10912 			request->min_rssi_thold =
10913 				min(request->match_sets[i].rssi_thold,
10914 				    request->min_rssi_thold);
10915 	} else {
10916 		request->min_rssi_thold = NL80211_SCAN_RSSI_THOLD_OFF;
10917 	}
10918 
10919 	if (ie_len) {
10920 		request->ie_len = ie_len;
10921 		memcpy((void *)request->ie,
10922 		       nla_data(attrs[NL80211_ATTR_IE]),
10923 		       request->ie_len);
10924 	}
10925 
10926 	err = nl80211_check_scan_flags_sched(wiphy, wdev, attrs, request);
10927 	if (err)
10928 		goto out_free;
10929 
10930 	if (attrs[NL80211_ATTR_SCHED_SCAN_DELAY])
10931 		request->delay =
10932 			nla_get_u32(attrs[NL80211_ATTR_SCHED_SCAN_DELAY]);
10933 
10934 	if (attrs[NL80211_ATTR_SCHED_SCAN_RELATIVE_RSSI]) {
10935 		request->relative_rssi = nla_get_s8(
10936 			attrs[NL80211_ATTR_SCHED_SCAN_RELATIVE_RSSI]);
10937 		request->relative_rssi_set = true;
10938 	}
10939 
10940 	if (request->relative_rssi_set &&
10941 	    attrs[NL80211_ATTR_SCHED_SCAN_RSSI_ADJUST]) {
10942 		struct nl80211_bss_select_rssi_adjust *rssi_adjust;
10943 
10944 		rssi_adjust = nla_data(
10945 			attrs[NL80211_ATTR_SCHED_SCAN_RSSI_ADJUST]);
10946 		request->rssi_adjust.band = rssi_adjust->band;
10947 		request->rssi_adjust.delta = rssi_adjust->delta;
10948 		if (!is_band_valid(wiphy, request->rssi_adjust.band)) {
10949 			err = -EINVAL;
10950 			goto out_free;
10951 		}
10952 	}
10953 
10954 	err = nl80211_parse_sched_scan_plans(wiphy, n_plans, request, attrs);
10955 	if (err)
10956 		goto out_free;
10957 
10958 	request->scan_start = jiffies;
10959 
10960 	return request;
10961 
10962 out_free:
10963 	kfree(request);
10964 	return ERR_PTR(err);
10965 }
10966 
10967 static int nl80211_start_sched_scan(struct sk_buff *skb,
10968 				    struct genl_info *info)
10969 {
10970 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10971 	struct net_device *dev = info->user_ptr[1];
10972 	struct wireless_dev *wdev = dev->ieee80211_ptr;
10973 	struct cfg80211_sched_scan_request *sched_scan_req;
10974 	bool want_multi;
10975 	int err;
10976 
10977 	if (!rdev->wiphy.max_sched_scan_reqs || !rdev->ops->sched_scan_start)
10978 		return -EOPNOTSUPP;
10979 
10980 	want_multi = info->attrs[NL80211_ATTR_SCHED_SCAN_MULTI];
10981 	err = cfg80211_sched_scan_req_possible(rdev, want_multi);
10982 	if (err)
10983 		return err;
10984 
10985 	sched_scan_req = nl80211_parse_sched_scan(&rdev->wiphy, wdev,
10986 						  info->attrs,
10987 						  rdev->wiphy.max_match_sets);
10988 
10989 	err = PTR_ERR_OR_ZERO(sched_scan_req);
10990 	if (err)
10991 		goto out_err;
10992 
10993 	/* leave request id zero for legacy request
10994 	 * or if driver does not support multi-scheduled scan
10995 	 */
10996 	if (want_multi && rdev->wiphy.max_sched_scan_reqs > 1)
10997 		sched_scan_req->reqid = cfg80211_assign_cookie(rdev);
10998 
10999 	err = rdev_sched_scan_start(rdev, dev, sched_scan_req);
11000 	if (err)
11001 		goto out_free;
11002 
11003 	sched_scan_req->dev = dev;
11004 	sched_scan_req->wiphy = &rdev->wiphy;
11005 
11006 	if (info->attrs[NL80211_ATTR_SOCKET_OWNER])
11007 		sched_scan_req->owner_nlportid = info->snd_portid;
11008 
11009 	cfg80211_add_sched_scan_req(rdev, sched_scan_req);
11010 
11011 	nl80211_send_sched_scan(sched_scan_req, NL80211_CMD_START_SCHED_SCAN);
11012 	return 0;
11013 
11014 out_free:
11015 	kfree(sched_scan_req);
11016 out_err:
11017 	return err;
11018 }
11019 
11020 static int nl80211_stop_sched_scan(struct sk_buff *skb,
11021 				   struct genl_info *info)
11022 {
11023 	struct cfg80211_sched_scan_request *req;
11024 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11025 	u64 cookie;
11026 
11027 	if (!rdev->wiphy.max_sched_scan_reqs || !rdev->ops->sched_scan_stop)
11028 		return -EOPNOTSUPP;
11029 
11030 	if (info->attrs[NL80211_ATTR_COOKIE]) {
11031 		cookie = nla_get_u64(info->attrs[NL80211_ATTR_COOKIE]);
11032 		return __cfg80211_stop_sched_scan(rdev, cookie, false);
11033 	}
11034 
11035 	req = list_first_or_null_rcu(&rdev->sched_scan_req_list,
11036 				     struct cfg80211_sched_scan_request,
11037 				     list);
11038 	if (!req || req->reqid ||
11039 	    (req->owner_nlportid &&
11040 	     req->owner_nlportid != info->snd_portid))
11041 		return -ENOENT;
11042 
11043 	return cfg80211_stop_sched_scan_req(rdev, req, false);
11044 }
11045 
11046 static int nl80211_start_radar_detection(struct sk_buff *skb,
11047 					 struct genl_info *info)
11048 {
11049 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11050 	struct net_device *dev = info->user_ptr[1];
11051 	struct wireless_dev *wdev = dev->ieee80211_ptr;
11052 	int link_id = nl80211_link_id(info->attrs);
11053 	struct wiphy *wiphy = wdev->wiphy;
11054 	struct cfg80211_chan_def chandef;
11055 	enum nl80211_dfs_regions dfs_region;
11056 	unsigned int cac_time_ms;
11057 	int err;
11058 
11059 	flush_delayed_work(&rdev->dfs_update_channels_wk);
11060 
11061 	switch (wdev->iftype) {
11062 	case NL80211_IFTYPE_AP:
11063 	case NL80211_IFTYPE_P2P_GO:
11064 	case NL80211_IFTYPE_MESH_POINT:
11065 	case NL80211_IFTYPE_ADHOC:
11066 		break;
11067 	default:
11068 		/* caution - see cfg80211_beaconing_iface_active() below */
11069 		return -EINVAL;
11070 	}
11071 
11072 	guard(wiphy)(wiphy);
11073 
11074 	dfs_region = reg_get_dfs_region(wiphy);
11075 	if (dfs_region == NL80211_DFS_UNSET)
11076 		return -EINVAL;
11077 
11078 	err = nl80211_parse_chandef(rdev, info, &chandef);
11079 	if (err)
11080 		return err;
11081 
11082 	err = cfg80211_chandef_dfs_required(wiphy, &chandef, wdev->iftype);
11083 	if (err < 0)
11084 		return err;
11085 
11086 	if (err == 0)
11087 		return -EINVAL;
11088 
11089 	if (!cfg80211_chandef_dfs_usable(wiphy, &chandef))
11090 		return -EINVAL;
11091 
11092 	if (nla_get_flag(info->attrs[NL80211_ATTR_RADAR_BACKGROUND]))
11093 		return cfg80211_start_background_radar_detection(rdev, wdev,
11094 								 &chandef);
11095 
11096 	if (cfg80211_beaconing_iface_active(wdev)) {
11097 		/* During MLO other link(s) can beacon, only the current link
11098 		 * can not already beacon
11099 		 */
11100 		if (wdev->valid_links &&
11101 		    !wdev->links[link_id].ap.beacon_interval) {
11102 			/* nothing */
11103 		} else {
11104 			return -EBUSY;
11105 		}
11106 	}
11107 
11108 	if (wdev->links[link_id].cac_started)
11109 		return -EBUSY;
11110 
11111 	/* CAC start is offloaded to HW and can't be started manually */
11112 	if (wiphy_ext_feature_isset(wiphy, NL80211_EXT_FEATURE_DFS_OFFLOAD))
11113 		return -EOPNOTSUPP;
11114 
11115 	if (!rdev->ops->start_radar_detection)
11116 		return -EOPNOTSUPP;
11117 
11118 	cac_time_ms = cfg80211_chandef_dfs_cac_time(&rdev->wiphy, &chandef);
11119 	if (WARN_ON(!cac_time_ms))
11120 		cac_time_ms = IEEE80211_DFS_MIN_CAC_TIME_MS;
11121 
11122 	err = rdev_start_radar_detection(rdev, dev, &chandef, cac_time_ms,
11123 					 link_id);
11124 	if (err)
11125 		return err;
11126 
11127 	switch (wdev->iftype) {
11128 	case NL80211_IFTYPE_AP:
11129 	case NL80211_IFTYPE_P2P_GO:
11130 		wdev->links[link_id].ap.chandef = chandef;
11131 		break;
11132 	case NL80211_IFTYPE_ADHOC:
11133 		wdev->u.ibss.chandef = chandef;
11134 		break;
11135 	case NL80211_IFTYPE_MESH_POINT:
11136 		wdev->u.mesh.chandef = chandef;
11137 		break;
11138 	default:
11139 		break;
11140 	}
11141 	wdev->links[link_id].cac_started = true;
11142 	wdev->links[link_id].cac_start_time = jiffies;
11143 	wdev->links[link_id].cac_time_ms = cac_time_ms;
11144 
11145 	return 0;
11146 }
11147 
11148 static int nl80211_notify_radar_detection(struct sk_buff *skb,
11149 					  struct genl_info *info)
11150 {
11151 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11152 	struct net_device *dev = info->user_ptr[1];
11153 	struct wireless_dev *wdev = dev->ieee80211_ptr;
11154 	struct wiphy *wiphy = wdev->wiphy;
11155 	struct cfg80211_chan_def chandef;
11156 	enum nl80211_dfs_regions dfs_region;
11157 	int err;
11158 
11159 	dfs_region = reg_get_dfs_region(wiphy);
11160 	if (dfs_region == NL80211_DFS_UNSET) {
11161 		GENL_SET_ERR_MSG(info,
11162 				 "DFS Region is not set. Unexpected Radar indication");
11163 		return -EINVAL;
11164 	}
11165 
11166 	err = nl80211_parse_chandef(rdev, info, &chandef);
11167 	if (err) {
11168 		GENL_SET_ERR_MSG(info, "Unable to extract chandef info");
11169 		return err;
11170 	}
11171 
11172 	err = cfg80211_chandef_dfs_required(wiphy, &chandef, wdev->iftype);
11173 	if (err < 0) {
11174 		GENL_SET_ERR_MSG(info, "chandef is invalid");
11175 		return err;
11176 	}
11177 
11178 	if (err == 0) {
11179 		GENL_SET_ERR_MSG(info,
11180 				 "Unexpected Radar indication for chandef/iftype");
11181 		return -EINVAL;
11182 	}
11183 
11184 	/* Do not process this notification if radar is already detected
11185 	 * by kernel on this channel, and return success.
11186 	 */
11187 	if (chandef.chan->dfs_state == NL80211_DFS_UNAVAILABLE)
11188 		return 0;
11189 
11190 	cfg80211_set_dfs_state(wiphy, &chandef, NL80211_DFS_UNAVAILABLE);
11191 
11192 	cfg80211_sched_dfs_chan_update(rdev);
11193 
11194 	rdev->radar_chandef = chandef;
11195 
11196 	/* Propagate this notification to other radios as well */
11197 	queue_work(cfg80211_wq, &rdev->propagate_radar_detect_wk);
11198 
11199 	return 0;
11200 }
11201 
11202 static int nl80211_parse_counter_offsets(struct cfg80211_registered_device *rdev,
11203 					 const u8 *data, size_t datalen,
11204 					 int first_count, struct nlattr *attr,
11205 					 const u16 **offsets, unsigned int *n_offsets)
11206 {
11207 	int i;
11208 
11209 	*n_offsets = 0;
11210 
11211 	if (!attr)
11212 		return 0;
11213 
11214 	if (!nla_len(attr) || (nla_len(attr) % sizeof(u16)))
11215 		return -EINVAL;
11216 
11217 	*n_offsets = nla_len(attr) / sizeof(u16);
11218 	if (rdev->wiphy.max_num_csa_counters &&
11219 	    (*n_offsets > rdev->wiphy.max_num_csa_counters))
11220 		return -EINVAL;
11221 
11222 	*offsets = nla_data(attr);
11223 
11224 	/* sanity checks - counters should fit and be the same */
11225 	for (i = 0; i < *n_offsets; i++) {
11226 		u16 offset = (*offsets)[i];
11227 
11228 		if (offset >= datalen)
11229 			return -EINVAL;
11230 
11231 		if (first_count != -1 && data[offset] != first_count)
11232 			return -EINVAL;
11233 	}
11234 
11235 	return 0;
11236 }
11237 
11238 static int nl80211_channel_switch(struct sk_buff *skb, struct genl_info *info)
11239 {
11240 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11241 	unsigned int link_id = nl80211_link_id(info->attrs);
11242 	struct net_device *dev = info->user_ptr[1];
11243 	struct wireless_dev *wdev = dev->ieee80211_ptr;
11244 	struct cfg80211_csa_settings params;
11245 	struct nlattr **csa_attrs = NULL;
11246 	int err;
11247 	bool need_new_beacon = false;
11248 	bool need_handle_dfs_flag = true;
11249 	u32 cs_count;
11250 
11251 	if (!rdev->ops->channel_switch ||
11252 	    !(rdev->wiphy.flags & WIPHY_FLAG_HAS_CHANNEL_SWITCH))
11253 		return -EOPNOTSUPP;
11254 
11255 	switch (dev->ieee80211_ptr->iftype) {
11256 	case NL80211_IFTYPE_AP:
11257 	case NL80211_IFTYPE_P2P_GO:
11258 		need_new_beacon = true;
11259 		/* For all modes except AP the handle_dfs flag needs to be
11260 		 * supplied to tell the kernel that userspace will handle radar
11261 		 * events when they happen. Otherwise a switch to a channel
11262 		 * requiring DFS will be rejected.
11263 		 */
11264 		need_handle_dfs_flag = false;
11265 
11266 		/* useless if AP is not running */
11267 		if (!wdev->links[link_id].ap.beacon_interval)
11268 			return -ENOTCONN;
11269 		break;
11270 	case NL80211_IFTYPE_ADHOC:
11271 		if (!wdev->u.ibss.ssid_len)
11272 			return -ENOTCONN;
11273 		break;
11274 	case NL80211_IFTYPE_MESH_POINT:
11275 		if (!wdev->u.mesh.id_len)
11276 			return -ENOTCONN;
11277 		break;
11278 	default:
11279 		return -EOPNOTSUPP;
11280 	}
11281 
11282 	memset(&params, 0, sizeof(params));
11283 	params.beacon_csa.ftm_responder = -1;
11284 
11285 	if (!info->attrs[NL80211_ATTR_WIPHY_FREQ] ||
11286 	    !info->attrs[NL80211_ATTR_CH_SWITCH_COUNT])
11287 		return -EINVAL;
11288 
11289 	/* only important for AP, IBSS and mesh create IEs internally */
11290 	if (need_new_beacon && !info->attrs[NL80211_ATTR_CSA_IES])
11291 		return -EINVAL;
11292 
11293 	/* Even though the attribute is u32, the specification says
11294 	 * u8, so let's make sure we don't overflow.
11295 	 */
11296 	cs_count = nla_get_u32(info->attrs[NL80211_ATTR_CH_SWITCH_COUNT]);
11297 	if (cs_count > 255)
11298 		return -EINVAL;
11299 
11300 	params.count = cs_count;
11301 
11302 	if (!need_new_beacon)
11303 		goto skip_beacons;
11304 
11305 	err = nl80211_parse_beacon(rdev, info->attrs, &params.beacon_after,
11306 				   info->extack);
11307 	if (err)
11308 		goto free;
11309 
11310 	csa_attrs = kcalloc(NL80211_ATTR_MAX + 1, sizeof(*csa_attrs),
11311 			    GFP_KERNEL);
11312 	if (!csa_attrs) {
11313 		err = -ENOMEM;
11314 		goto free;
11315 	}
11316 
11317 	err = nla_parse_nested_deprecated(csa_attrs, NL80211_ATTR_MAX,
11318 					  info->attrs[NL80211_ATTR_CSA_IES],
11319 					  nl80211_policy, info->extack);
11320 	if (err)
11321 		goto free;
11322 
11323 	err = nl80211_parse_beacon(rdev, csa_attrs, &params.beacon_csa,
11324 				   info->extack);
11325 	if (err)
11326 		goto free;
11327 
11328 	if (!csa_attrs[NL80211_ATTR_CNTDWN_OFFS_BEACON]) {
11329 		err = -EINVAL;
11330 		goto free;
11331 	}
11332 
11333 	err = nl80211_parse_counter_offsets(rdev, params.beacon_csa.tail,
11334 					    params.beacon_csa.tail_len,
11335 					    params.count,
11336 					    csa_attrs[NL80211_ATTR_CNTDWN_OFFS_BEACON],
11337 					    &params.counter_offsets_beacon,
11338 					    &params.n_counter_offsets_beacon);
11339 	if (err)
11340 		goto free;
11341 
11342 	err = nl80211_parse_counter_offsets(rdev, params.beacon_csa.probe_resp,
11343 					    params.beacon_csa.probe_resp_len,
11344 					    params.count,
11345 					    csa_attrs[NL80211_ATTR_CNTDWN_OFFS_PRESP],
11346 					    &params.counter_offsets_presp,
11347 					    &params.n_counter_offsets_presp);
11348 	if (err)
11349 		goto free;
11350 
11351 skip_beacons:
11352 	err = nl80211_parse_chandef(rdev, info, &params.chandef);
11353 	if (err)
11354 		goto free;
11355 
11356 	if (!cfg80211_reg_can_beacon_relax(&rdev->wiphy, &params.chandef,
11357 					   wdev->iftype)) {
11358 		err = -EINVAL;
11359 		goto free;
11360 	}
11361 
11362 	err = cfg80211_chandef_dfs_required(wdev->wiphy,
11363 					    &params.chandef,
11364 					    wdev->iftype);
11365 	if (err < 0)
11366 		goto free;
11367 
11368 	if (err > 0) {
11369 		params.radar_required = true;
11370 		if (need_handle_dfs_flag &&
11371 		    !nla_get_flag(info->attrs[NL80211_ATTR_HANDLE_DFS])) {
11372 			err = -EINVAL;
11373 			goto free;
11374 		}
11375 	}
11376 
11377 	if (info->attrs[NL80211_ATTR_CH_SWITCH_BLOCK_TX])
11378 		params.block_tx = true;
11379 
11380 	if ((wdev->iftype == NL80211_IFTYPE_AP ||
11381 	     wdev->iftype == NL80211_IFTYPE_P2P_GO) &&
11382 	    info->attrs[NL80211_ATTR_UNSOL_BCAST_PROBE_RESP]) {
11383 		err = nl80211_parse_unsol_bcast_probe_resp(
11384 			rdev, info->attrs[NL80211_ATTR_UNSOL_BCAST_PROBE_RESP],
11385 			&params.unsol_bcast_probe_resp);
11386 		if (err)
11387 			goto free;
11388 	}
11389 
11390 	params.link_id = link_id;
11391 	err = rdev_channel_switch(rdev, dev, &params);
11392 
11393 free:
11394 	kfree(params.beacon_after.mbssid_ies);
11395 	kfree(params.beacon_csa.mbssid_ies);
11396 	kfree(params.beacon_after.rnr_ies);
11397 	kfree(params.beacon_csa.rnr_ies);
11398 	kfree(csa_attrs);
11399 	return err;
11400 }
11401 
11402 static int nl80211_send_bss(struct sk_buff *msg, struct netlink_callback *cb,
11403 			    u32 seq, int flags,
11404 			    struct cfg80211_registered_device *rdev,
11405 			    struct wireless_dev *wdev,
11406 			    struct cfg80211_internal_bss *intbss)
11407 {
11408 	struct cfg80211_bss *res = &intbss->pub;
11409 	const struct cfg80211_bss_ies *ies;
11410 	unsigned int link_id;
11411 	void *hdr;
11412 	struct nlattr *bss;
11413 
11414 	lockdep_assert_wiphy(wdev->wiphy);
11415 
11416 	hdr = nl80211hdr_put(msg, NETLINK_CB(cb->skb).portid, seq, flags,
11417 			     NL80211_CMD_NEW_SCAN_RESULTS);
11418 	if (!hdr)
11419 		return -1;
11420 
11421 	genl_dump_check_consistent(cb, hdr);
11422 
11423 	if (nla_put_u32(msg, NL80211_ATTR_GENERATION, rdev->bss_generation))
11424 		goto nla_put_failure;
11425 	if (wdev->netdev &&
11426 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, wdev->netdev->ifindex))
11427 		goto nla_put_failure;
11428 	if (nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
11429 			      NL80211_ATTR_PAD))
11430 		goto nla_put_failure;
11431 
11432 	bss = nla_nest_start_noflag(msg, NL80211_ATTR_BSS);
11433 	if (!bss)
11434 		goto nla_put_failure;
11435 	if ((!is_zero_ether_addr(res->bssid) &&
11436 	     nla_put(msg, NL80211_BSS_BSSID, ETH_ALEN, res->bssid)))
11437 		goto nla_put_failure;
11438 
11439 	rcu_read_lock();
11440 	/* indicate whether we have probe response data or not */
11441 	if (rcu_access_pointer(res->proberesp_ies) &&
11442 	    nla_put_flag(msg, NL80211_BSS_PRESP_DATA))
11443 		goto fail_unlock_rcu;
11444 
11445 	/* this pointer prefers to be pointed to probe response data
11446 	 * but is always valid
11447 	 */
11448 	ies = rcu_dereference(res->ies);
11449 	if (ies) {
11450 		if (nla_put_u64_64bit(msg, NL80211_BSS_TSF, ies->tsf,
11451 				      NL80211_BSS_PAD))
11452 			goto fail_unlock_rcu;
11453 		if (ies->len && nla_put(msg, NL80211_BSS_INFORMATION_ELEMENTS,
11454 					ies->len, ies->data))
11455 			goto fail_unlock_rcu;
11456 	}
11457 
11458 	/* and this pointer is always (unless driver didn't know) beacon data */
11459 	ies = rcu_dereference(res->beacon_ies);
11460 	if (ies && ies->from_beacon) {
11461 		if (nla_put_u64_64bit(msg, NL80211_BSS_BEACON_TSF, ies->tsf,
11462 				      NL80211_BSS_PAD))
11463 			goto fail_unlock_rcu;
11464 		if (ies->len && nla_put(msg, NL80211_BSS_BEACON_IES,
11465 					ies->len, ies->data))
11466 			goto fail_unlock_rcu;
11467 	}
11468 	rcu_read_unlock();
11469 
11470 	if (res->beacon_interval &&
11471 	    nla_put_u16(msg, NL80211_BSS_BEACON_INTERVAL, res->beacon_interval))
11472 		goto nla_put_failure;
11473 	if (nla_put_u16(msg, NL80211_BSS_CAPABILITY, res->capability) ||
11474 	    nla_put_u32(msg, NL80211_BSS_FREQUENCY, res->channel->center_freq) ||
11475 	    nla_put_u32(msg, NL80211_BSS_FREQUENCY_OFFSET,
11476 			res->channel->freq_offset) ||
11477 	    nla_put_u32(msg, NL80211_BSS_SEEN_MS_AGO,
11478 			jiffies_to_msecs(jiffies - intbss->ts)))
11479 		goto nla_put_failure;
11480 
11481 	if (intbss->parent_tsf &&
11482 	    (nla_put_u64_64bit(msg, NL80211_BSS_PARENT_TSF,
11483 			       intbss->parent_tsf, NL80211_BSS_PAD) ||
11484 	     nla_put(msg, NL80211_BSS_PARENT_BSSID, ETH_ALEN,
11485 		     intbss->parent_bssid)))
11486 		goto nla_put_failure;
11487 
11488 	if (res->ts_boottime &&
11489 	    nla_put_u64_64bit(msg, NL80211_BSS_LAST_SEEN_BOOTTIME,
11490 			      res->ts_boottime, NL80211_BSS_PAD))
11491 		goto nla_put_failure;
11492 
11493 	if (!nl80211_put_signal(msg, intbss->pub.chains,
11494 				intbss->pub.chain_signal,
11495 				NL80211_BSS_CHAIN_SIGNAL))
11496 		goto nla_put_failure;
11497 
11498 	if (intbss->bss_source != BSS_SOURCE_STA_PROFILE) {
11499 		switch (rdev->wiphy.signal_type) {
11500 		case CFG80211_SIGNAL_TYPE_MBM:
11501 			if (nla_put_u32(msg, NL80211_BSS_SIGNAL_MBM,
11502 					res->signal))
11503 				goto nla_put_failure;
11504 			break;
11505 		case CFG80211_SIGNAL_TYPE_UNSPEC:
11506 			if (nla_put_u8(msg, NL80211_BSS_SIGNAL_UNSPEC,
11507 				       res->signal))
11508 				goto nla_put_failure;
11509 			break;
11510 		default:
11511 			break;
11512 		}
11513 	}
11514 
11515 	switch (wdev->iftype) {
11516 	case NL80211_IFTYPE_P2P_CLIENT:
11517 	case NL80211_IFTYPE_STATION:
11518 		for_each_valid_link(wdev, link_id) {
11519 			if (intbss == wdev->links[link_id].client.current_bss &&
11520 			    (nla_put_u32(msg, NL80211_BSS_STATUS,
11521 					 NL80211_BSS_STATUS_ASSOCIATED) ||
11522 			     (wdev->valid_links &&
11523 			      (nla_put_u8(msg, NL80211_BSS_MLO_LINK_ID,
11524 					  link_id) ||
11525 			       nla_put(msg, NL80211_BSS_MLD_ADDR, ETH_ALEN,
11526 				       wdev->u.client.connected_addr)))))
11527 				goto nla_put_failure;
11528 		}
11529 		break;
11530 	case NL80211_IFTYPE_ADHOC:
11531 		if (intbss == wdev->u.ibss.current_bss &&
11532 		    nla_put_u32(msg, NL80211_BSS_STATUS,
11533 				NL80211_BSS_STATUS_IBSS_JOINED))
11534 			goto nla_put_failure;
11535 		break;
11536 	default:
11537 		break;
11538 	}
11539 
11540 	if (nla_put_u32(msg, NL80211_BSS_USE_FOR, res->use_for))
11541 		goto nla_put_failure;
11542 
11543 	if (res->cannot_use_reasons &&
11544 	    nla_put_u64_64bit(msg, NL80211_BSS_CANNOT_USE_REASONS,
11545 			      res->cannot_use_reasons,
11546 			      NL80211_BSS_PAD))
11547 		goto nla_put_failure;
11548 
11549 	nla_nest_end(msg, bss);
11550 
11551 	genlmsg_end(msg, hdr);
11552 	return 0;
11553 
11554  fail_unlock_rcu:
11555 	rcu_read_unlock();
11556  nla_put_failure:
11557 	genlmsg_cancel(msg, hdr);
11558 	return -EMSGSIZE;
11559 }
11560 
11561 static int nl80211_dump_scan(struct sk_buff *skb, struct netlink_callback *cb)
11562 {
11563 	struct cfg80211_registered_device *rdev;
11564 	struct cfg80211_internal_bss *scan;
11565 	struct wireless_dev *wdev;
11566 	struct nlattr **attrbuf;
11567 	int start = cb->args[2], idx = 0;
11568 	bool dump_include_use_data;
11569 	int err;
11570 
11571 	attrbuf = kcalloc(NUM_NL80211_ATTR, sizeof(*attrbuf), GFP_KERNEL);
11572 	if (!attrbuf)
11573 		return -ENOMEM;
11574 
11575 	err = nl80211_prepare_wdev_dump(cb, &rdev, &wdev, attrbuf);
11576 	if (err) {
11577 		kfree(attrbuf);
11578 		return err;
11579 	}
11580 	/* nl80211_prepare_wdev_dump acquired it in the successful case */
11581 	__acquire(&rdev->wiphy.mtx);
11582 
11583 	dump_include_use_data =
11584 		attrbuf[NL80211_ATTR_BSS_DUMP_INCLUDE_USE_DATA];
11585 	kfree(attrbuf);
11586 
11587 	spin_lock_bh(&rdev->bss_lock);
11588 
11589 	/*
11590 	 * dump_scan will be called multiple times to break up the scan results
11591 	 * into multiple messages.  It is unlikely that any more bss-es will be
11592 	 * expired after the first call, so only call only call this on the
11593 	 * first dump_scan invocation.
11594 	 */
11595 	if (start == 0)
11596 		cfg80211_bss_expire(rdev);
11597 
11598 	cb->seq = rdev->bss_generation;
11599 
11600 	list_for_each_entry(scan, &rdev->bss_list, list) {
11601 		if (++idx <= start)
11602 			continue;
11603 		if (!dump_include_use_data &&
11604 		    !(scan->pub.use_for & NL80211_BSS_USE_FOR_NORMAL))
11605 			continue;
11606 		if (nl80211_send_bss(skb, cb,
11607 				cb->nlh->nlmsg_seq, NLM_F_MULTI,
11608 				rdev, wdev, scan) < 0) {
11609 			idx--;
11610 			break;
11611 		}
11612 	}
11613 
11614 	spin_unlock_bh(&rdev->bss_lock);
11615 
11616 	cb->args[2] = idx;
11617 	wiphy_unlock(&rdev->wiphy);
11618 
11619 	return skb->len;
11620 }
11621 
11622 static int nl80211_send_survey(struct sk_buff *msg, u32 portid, u32 seq,
11623 			       int flags, struct net_device *dev,
11624 			       bool allow_radio_stats,
11625 			       struct survey_info *survey)
11626 {
11627 	void *hdr;
11628 	struct nlattr *infoattr;
11629 
11630 	/* skip radio stats if userspace didn't request them */
11631 	if (!survey->channel && !allow_radio_stats)
11632 		return 0;
11633 
11634 	hdr = nl80211hdr_put(msg, portid, seq, flags,
11635 			     NL80211_CMD_NEW_SURVEY_RESULTS);
11636 	if (!hdr)
11637 		return -ENOMEM;
11638 
11639 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
11640 		goto nla_put_failure;
11641 
11642 	infoattr = nla_nest_start_noflag(msg, NL80211_ATTR_SURVEY_INFO);
11643 	if (!infoattr)
11644 		goto nla_put_failure;
11645 
11646 	if (survey->channel &&
11647 	    nla_put_u32(msg, NL80211_SURVEY_INFO_FREQUENCY,
11648 			survey->channel->center_freq))
11649 		goto nla_put_failure;
11650 
11651 	if (survey->channel && survey->channel->freq_offset &&
11652 	    nla_put_u32(msg, NL80211_SURVEY_INFO_FREQUENCY_OFFSET,
11653 			survey->channel->freq_offset))
11654 		goto nla_put_failure;
11655 
11656 	if ((survey->filled & SURVEY_INFO_NOISE_DBM) &&
11657 	    nla_put_u8(msg, NL80211_SURVEY_INFO_NOISE, survey->noise))
11658 		goto nla_put_failure;
11659 	if ((survey->filled & SURVEY_INFO_IN_USE) &&
11660 	    nla_put_flag(msg, NL80211_SURVEY_INFO_IN_USE))
11661 		goto nla_put_failure;
11662 	if ((survey->filled & SURVEY_INFO_TIME) &&
11663 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME,
11664 			survey->time, NL80211_SURVEY_INFO_PAD))
11665 		goto nla_put_failure;
11666 	if ((survey->filled & SURVEY_INFO_TIME_BUSY) &&
11667 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_BUSY,
11668 			      survey->time_busy, NL80211_SURVEY_INFO_PAD))
11669 		goto nla_put_failure;
11670 	if ((survey->filled & SURVEY_INFO_TIME_EXT_BUSY) &&
11671 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_EXT_BUSY,
11672 			      survey->time_ext_busy, NL80211_SURVEY_INFO_PAD))
11673 		goto nla_put_failure;
11674 	if ((survey->filled & SURVEY_INFO_TIME_RX) &&
11675 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_RX,
11676 			      survey->time_rx, NL80211_SURVEY_INFO_PAD))
11677 		goto nla_put_failure;
11678 	if ((survey->filled & SURVEY_INFO_TIME_TX) &&
11679 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_TX,
11680 			      survey->time_tx, NL80211_SURVEY_INFO_PAD))
11681 		goto nla_put_failure;
11682 	if ((survey->filled & SURVEY_INFO_TIME_SCAN) &&
11683 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_SCAN,
11684 			      survey->time_scan, NL80211_SURVEY_INFO_PAD))
11685 		goto nla_put_failure;
11686 	if ((survey->filled & SURVEY_INFO_TIME_BSS_RX) &&
11687 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_BSS_RX,
11688 			      survey->time_bss_rx, NL80211_SURVEY_INFO_PAD))
11689 		goto nla_put_failure;
11690 
11691 	nla_nest_end(msg, infoattr);
11692 
11693 	genlmsg_end(msg, hdr);
11694 	return 0;
11695 
11696  nla_put_failure:
11697 	genlmsg_cancel(msg, hdr);
11698 	return -EMSGSIZE;
11699 }
11700 
11701 static int nl80211_dump_survey(struct sk_buff *skb, struct netlink_callback *cb)
11702 {
11703 	struct nlattr **attrbuf;
11704 	struct survey_info survey;
11705 	struct cfg80211_registered_device *rdev;
11706 	struct wireless_dev *wdev;
11707 	int survey_idx = cb->args[2];
11708 	int res;
11709 	bool radio_stats;
11710 
11711 	attrbuf = kcalloc(NUM_NL80211_ATTR, sizeof(*attrbuf), GFP_KERNEL);
11712 	if (!attrbuf)
11713 		return -ENOMEM;
11714 
11715 	res = nl80211_prepare_wdev_dump(cb, &rdev, &wdev, attrbuf);
11716 	if (res) {
11717 		kfree(attrbuf);
11718 		return res;
11719 	}
11720 	/* nl80211_prepare_wdev_dump acquired it in the successful case */
11721 	__acquire(&rdev->wiphy.mtx);
11722 
11723 	/* prepare_wdev_dump parsed the attributes */
11724 	radio_stats = attrbuf[NL80211_ATTR_SURVEY_RADIO_STATS];
11725 
11726 	if (!wdev->netdev) {
11727 		res = -EINVAL;
11728 		goto out_err;
11729 	}
11730 
11731 	if (!rdev->ops->dump_survey) {
11732 		res = -EOPNOTSUPP;
11733 		goto out_err;
11734 	}
11735 
11736 	while (1) {
11737 		res = rdev_dump_survey(rdev, wdev->netdev, survey_idx, &survey);
11738 		if (res == -ENOENT)
11739 			break;
11740 		if (res)
11741 			goto out_err;
11742 
11743 		/* don't send disabled channels, but do send non-channel data */
11744 		if (survey.channel &&
11745 		    survey.channel->flags & IEEE80211_CHAN_DISABLED) {
11746 			survey_idx++;
11747 			continue;
11748 		}
11749 
11750 		if (nl80211_send_survey(skb,
11751 				NETLINK_CB(cb->skb).portid,
11752 				cb->nlh->nlmsg_seq, NLM_F_MULTI,
11753 				wdev->netdev, radio_stats, &survey) < 0)
11754 			goto out;
11755 		survey_idx++;
11756 	}
11757 
11758  out:
11759 	cb->args[2] = survey_idx;
11760 	res = skb->len;
11761  out_err:
11762 	kfree(attrbuf);
11763 	wiphy_unlock(&rdev->wiphy);
11764 	return res;
11765 }
11766 
11767 static int nl80211_authenticate(struct sk_buff *skb, struct genl_info *info)
11768 {
11769 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11770 	struct net_device *dev = info->user_ptr[1];
11771 	struct ieee80211_channel *chan;
11772 	const u8 *bssid, *ssid;
11773 	int err, ssid_len;
11774 	enum nl80211_auth_type auth_type;
11775 	struct key_parse key;
11776 	bool local_state_change;
11777 	struct cfg80211_auth_request req = {};
11778 	u32 freq;
11779 
11780 	if (!info->attrs[NL80211_ATTR_MAC])
11781 		return -EINVAL;
11782 
11783 	if (!info->attrs[NL80211_ATTR_AUTH_TYPE])
11784 		return -EINVAL;
11785 
11786 	if (!info->attrs[NL80211_ATTR_SSID])
11787 		return -EINVAL;
11788 
11789 	if (!info->attrs[NL80211_ATTR_WIPHY_FREQ])
11790 		return -EINVAL;
11791 
11792 	err = nl80211_parse_key(info, &key);
11793 	if (err)
11794 		return err;
11795 
11796 	if (key.idx >= 0) {
11797 		if (key.type != -1 && key.type != NL80211_KEYTYPE_GROUP)
11798 			return -EINVAL;
11799 		if (!key.p.key || !key.p.key_len)
11800 			return -EINVAL;
11801 		if ((key.p.cipher != WLAN_CIPHER_SUITE_WEP40 ||
11802 		     key.p.key_len != WLAN_KEY_LEN_WEP40) &&
11803 		    (key.p.cipher != WLAN_CIPHER_SUITE_WEP104 ||
11804 		     key.p.key_len != WLAN_KEY_LEN_WEP104))
11805 			return -EINVAL;
11806 		if (key.idx > 3)
11807 			return -EINVAL;
11808 	} else {
11809 		key.p.key_len = 0;
11810 		key.p.key = NULL;
11811 	}
11812 
11813 	if (key.idx >= 0) {
11814 		int i;
11815 		bool ok = false;
11816 
11817 		for (i = 0; i < rdev->wiphy.n_cipher_suites; i++) {
11818 			if (key.p.cipher == rdev->wiphy.cipher_suites[i]) {
11819 				ok = true;
11820 				break;
11821 			}
11822 		}
11823 		if (!ok)
11824 			return -EINVAL;
11825 	}
11826 
11827 	if (!rdev->ops->auth)
11828 		return -EOPNOTSUPP;
11829 
11830 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
11831 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
11832 		return -EOPNOTSUPP;
11833 
11834 	bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
11835 	freq = MHZ_TO_KHZ(nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ]));
11836 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET])
11837 		freq +=
11838 		    nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET]);
11839 
11840 	chan = nl80211_get_valid_chan(&rdev->wiphy, freq);
11841 	if (!chan)
11842 		return -EINVAL;
11843 
11844 	ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
11845 	ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
11846 
11847 	if (info->attrs[NL80211_ATTR_IE]) {
11848 		req.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
11849 		req.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
11850 	}
11851 
11852 	if (info->attrs[NL80211_ATTR_SUPPORTED_SELECTORS]) {
11853 		req.supported_selectors =
11854 			nla_data(info->attrs[NL80211_ATTR_SUPPORTED_SELECTORS]);
11855 		req.supported_selectors_len =
11856 			nla_len(info->attrs[NL80211_ATTR_SUPPORTED_SELECTORS]);
11857 	}
11858 
11859 	auth_type = nla_get_u32(info->attrs[NL80211_ATTR_AUTH_TYPE]);
11860 	if (!nl80211_valid_auth_type(rdev, auth_type, NL80211_CMD_AUTHENTICATE))
11861 		return -EINVAL;
11862 
11863 	if ((auth_type == NL80211_AUTHTYPE_SAE ||
11864 	     auth_type == NL80211_AUTHTYPE_FILS_SK ||
11865 	     auth_type == NL80211_AUTHTYPE_FILS_SK_PFS ||
11866 	     auth_type == NL80211_AUTHTYPE_FILS_PK) &&
11867 	    !info->attrs[NL80211_ATTR_AUTH_DATA])
11868 		return -EINVAL;
11869 
11870 	if (info->attrs[NL80211_ATTR_AUTH_DATA]) {
11871 		if (auth_type != NL80211_AUTHTYPE_SAE &&
11872 		    auth_type != NL80211_AUTHTYPE_FILS_SK &&
11873 		    auth_type != NL80211_AUTHTYPE_FILS_SK_PFS &&
11874 		    auth_type != NL80211_AUTHTYPE_FILS_PK)
11875 			return -EINVAL;
11876 		req.auth_data = nla_data(info->attrs[NL80211_ATTR_AUTH_DATA]);
11877 		req.auth_data_len = nla_len(info->attrs[NL80211_ATTR_AUTH_DATA]);
11878 	}
11879 
11880 	local_state_change = !!info->attrs[NL80211_ATTR_LOCAL_STATE_CHANGE];
11881 
11882 	/*
11883 	 * Since we no longer track auth state, ignore
11884 	 * requests to only change local state.
11885 	 */
11886 	if (local_state_change)
11887 		return 0;
11888 
11889 	req.auth_type = auth_type;
11890 	req.key = key.p.key;
11891 	req.key_len = key.p.key_len;
11892 	req.key_idx = key.idx;
11893 	req.link_id = nl80211_link_id_or_invalid(info->attrs);
11894 	if (req.link_id >= 0) {
11895 		if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_MLO))
11896 			return -EINVAL;
11897 		if (!info->attrs[NL80211_ATTR_MLD_ADDR])
11898 			return -EINVAL;
11899 		req.ap_mld_addr = nla_data(info->attrs[NL80211_ATTR_MLD_ADDR]);
11900 		if (!is_valid_ether_addr(req.ap_mld_addr))
11901 			return -EINVAL;
11902 	}
11903 
11904 	req.bss = cfg80211_get_bss(&rdev->wiphy, chan, bssid, ssid, ssid_len,
11905 				   IEEE80211_BSS_TYPE_ESS,
11906 				   IEEE80211_PRIVACY_ANY);
11907 	if (!req.bss)
11908 		return -ENOENT;
11909 
11910 	err = cfg80211_mlme_auth(rdev, dev, &req);
11911 
11912 	cfg80211_put_bss(&rdev->wiphy, req.bss);
11913 
11914 	return err;
11915 }
11916 
11917 static int validate_pae_over_nl80211(struct cfg80211_registered_device *rdev,
11918 				     struct genl_info *info)
11919 {
11920 	if (!info->attrs[NL80211_ATTR_SOCKET_OWNER]) {
11921 		GENL_SET_ERR_MSG(info, "SOCKET_OWNER not set");
11922 		return -EINVAL;
11923 	}
11924 
11925 	if (!rdev->ops->tx_control_port ||
11926 	    !wiphy_ext_feature_isset(&rdev->wiphy,
11927 				     NL80211_EXT_FEATURE_CONTROL_PORT_OVER_NL80211))
11928 		return -EOPNOTSUPP;
11929 
11930 	return 0;
11931 }
11932 
11933 static int nl80211_crypto_settings(struct cfg80211_registered_device *rdev,
11934 				   struct genl_info *info,
11935 				   struct cfg80211_crypto_settings *settings,
11936 				   int cipher_limit)
11937 {
11938 	memset(settings, 0, sizeof(*settings));
11939 
11940 	settings->control_port = info->attrs[NL80211_ATTR_CONTROL_PORT];
11941 
11942 	if (info->attrs[NL80211_ATTR_CONTROL_PORT_ETHERTYPE]) {
11943 		u16 proto;
11944 
11945 		proto = nla_get_u16(
11946 			info->attrs[NL80211_ATTR_CONTROL_PORT_ETHERTYPE]);
11947 		settings->control_port_ethertype = cpu_to_be16(proto);
11948 		if (!(rdev->wiphy.flags & WIPHY_FLAG_CONTROL_PORT_PROTOCOL) &&
11949 		    proto != ETH_P_PAE)
11950 			return -EINVAL;
11951 		if (info->attrs[NL80211_ATTR_CONTROL_PORT_NO_ENCRYPT])
11952 			settings->control_port_no_encrypt = true;
11953 	} else
11954 		settings->control_port_ethertype = cpu_to_be16(ETH_P_PAE);
11955 
11956 	if (info->attrs[NL80211_ATTR_CONTROL_PORT_OVER_NL80211]) {
11957 		int r = validate_pae_over_nl80211(rdev, info);
11958 
11959 		if (r < 0)
11960 			return r;
11961 
11962 		settings->control_port_over_nl80211 = true;
11963 
11964 		if (info->attrs[NL80211_ATTR_CONTROL_PORT_NO_PREAUTH])
11965 			settings->control_port_no_preauth = true;
11966 	}
11967 
11968 	if (info->attrs[NL80211_ATTR_CIPHER_SUITES_PAIRWISE]) {
11969 		void *data;
11970 		int len, i;
11971 
11972 		data = nla_data(info->attrs[NL80211_ATTR_CIPHER_SUITES_PAIRWISE]);
11973 		len = nla_len(info->attrs[NL80211_ATTR_CIPHER_SUITES_PAIRWISE]);
11974 		settings->n_ciphers_pairwise = len / sizeof(u32);
11975 
11976 		if (len % sizeof(u32))
11977 			return -EINVAL;
11978 
11979 		if (settings->n_ciphers_pairwise > cipher_limit)
11980 			return -EINVAL;
11981 
11982 		memcpy(settings->ciphers_pairwise, data, len);
11983 
11984 		for (i = 0; i < settings->n_ciphers_pairwise; i++)
11985 			if (!cfg80211_supported_cipher_suite(
11986 					&rdev->wiphy,
11987 					settings->ciphers_pairwise[i]))
11988 				return -EINVAL;
11989 	}
11990 
11991 	if (info->attrs[NL80211_ATTR_CIPHER_SUITE_GROUP]) {
11992 		settings->cipher_group =
11993 			nla_get_u32(info->attrs[NL80211_ATTR_CIPHER_SUITE_GROUP]);
11994 		if (!cfg80211_supported_cipher_suite(&rdev->wiphy,
11995 						     settings->cipher_group))
11996 			return -EINVAL;
11997 	}
11998 
11999 	if (info->attrs[NL80211_ATTR_WPA_VERSIONS])
12000 		settings->wpa_versions =
12001 			nla_get_u32(info->attrs[NL80211_ATTR_WPA_VERSIONS]);
12002 
12003 	if (info->attrs[NL80211_ATTR_AKM_SUITES]) {
12004 		void *data;
12005 		int len;
12006 
12007 		data = nla_data(info->attrs[NL80211_ATTR_AKM_SUITES]);
12008 		len = nla_len(info->attrs[NL80211_ATTR_AKM_SUITES]);
12009 		settings->n_akm_suites = len / sizeof(u32);
12010 
12011 		if (len % sizeof(u32))
12012 			return -EINVAL;
12013 
12014 		if (settings->n_akm_suites > rdev->wiphy.max_num_akm_suites)
12015 			return -EINVAL;
12016 
12017 		memcpy(settings->akm_suites, data, len);
12018 	}
12019 
12020 	if (info->attrs[NL80211_ATTR_PMK]) {
12021 		if (nla_len(info->attrs[NL80211_ATTR_PMK]) != WLAN_PMK_LEN)
12022 			return -EINVAL;
12023 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
12024 					     NL80211_EXT_FEATURE_4WAY_HANDSHAKE_STA_PSK) &&
12025 		    !wiphy_ext_feature_isset(&rdev->wiphy,
12026 					     NL80211_EXT_FEATURE_4WAY_HANDSHAKE_AP_PSK))
12027 			return -EINVAL;
12028 		settings->psk = nla_data(info->attrs[NL80211_ATTR_PMK]);
12029 	}
12030 
12031 	if (info->attrs[NL80211_ATTR_SAE_PASSWORD]) {
12032 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
12033 					     NL80211_EXT_FEATURE_SAE_OFFLOAD) &&
12034 		    !wiphy_ext_feature_isset(&rdev->wiphy,
12035 					     NL80211_EXT_FEATURE_SAE_OFFLOAD_AP))
12036 			return -EINVAL;
12037 		settings->sae_pwd =
12038 			nla_data(info->attrs[NL80211_ATTR_SAE_PASSWORD]);
12039 		settings->sae_pwd_len =
12040 			nla_len(info->attrs[NL80211_ATTR_SAE_PASSWORD]);
12041 	}
12042 
12043 	settings->sae_pwe =
12044 		nla_get_u8_default(info->attrs[NL80211_ATTR_SAE_PWE],
12045 				   NL80211_SAE_PWE_UNSPECIFIED);
12046 
12047 	return 0;
12048 }
12049 
12050 static struct cfg80211_bss *nl80211_assoc_bss(struct cfg80211_registered_device *rdev,
12051 					      const u8 *ssid, int ssid_len,
12052 					      struct nlattr **attrs,
12053 					      int assoc_link_id, int link_id)
12054 {
12055 	struct ieee80211_channel *chan;
12056 	struct cfg80211_bss *bss;
12057 	const u8 *bssid;
12058 	u32 freq, use_for = 0;
12059 
12060 	if (!attrs[NL80211_ATTR_MAC] || !attrs[NL80211_ATTR_WIPHY_FREQ])
12061 		return ERR_PTR(-EINVAL);
12062 
12063 	bssid = nla_data(attrs[NL80211_ATTR_MAC]);
12064 
12065 	freq = MHZ_TO_KHZ(nla_get_u32(attrs[NL80211_ATTR_WIPHY_FREQ]));
12066 	if (attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET])
12067 		freq += nla_get_u32(attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET]);
12068 
12069 	chan = nl80211_get_valid_chan(&rdev->wiphy, freq);
12070 	if (!chan)
12071 		return ERR_PTR(-EINVAL);
12072 
12073 	if (assoc_link_id >= 0)
12074 		use_for = NL80211_BSS_USE_FOR_MLD_LINK;
12075 	if (assoc_link_id == link_id)
12076 		use_for |= NL80211_BSS_USE_FOR_NORMAL;
12077 
12078 	bss = __cfg80211_get_bss(&rdev->wiphy, chan, bssid,
12079 				 ssid, ssid_len,
12080 				 IEEE80211_BSS_TYPE_ESS,
12081 				 IEEE80211_PRIVACY_ANY,
12082 				 use_for);
12083 	if (!bss)
12084 		return ERR_PTR(-ENOENT);
12085 
12086 	return bss;
12087 }
12088 
12089 static int nl80211_process_links(struct cfg80211_registered_device *rdev,
12090 				 struct cfg80211_assoc_link *links,
12091 				 int assoc_link_id,
12092 				 const u8 *ssid, int ssid_len,
12093 				 struct genl_info *info)
12094 {
12095 	unsigned int attrsize = NUM_NL80211_ATTR * sizeof(struct nlattr *);
12096 	struct nlattr **attrs __free(kfree) = kzalloc(attrsize, GFP_KERNEL);
12097 	struct nlattr *link;
12098 	unsigned int link_id;
12099 	int rem, err;
12100 
12101 	if (!attrs)
12102 		return -ENOMEM;
12103 
12104 	nla_for_each_nested(link, info->attrs[NL80211_ATTR_MLO_LINKS], rem) {
12105 		memset(attrs, 0, attrsize);
12106 
12107 		nla_parse_nested(attrs, NL80211_ATTR_MAX, link, NULL, NULL);
12108 
12109 		if (!attrs[NL80211_ATTR_MLO_LINK_ID]) {
12110 			NL_SET_BAD_ATTR(info->extack, link);
12111 			return -EINVAL;
12112 		}
12113 
12114 		link_id = nla_get_u8(attrs[NL80211_ATTR_MLO_LINK_ID]);
12115 		/* cannot use the same link ID again */
12116 		if (links[link_id].bss) {
12117 			NL_SET_BAD_ATTR(info->extack, link);
12118 			return -EINVAL;
12119 		}
12120 		links[link_id].bss =
12121 			nl80211_assoc_bss(rdev, ssid, ssid_len, attrs,
12122 					  assoc_link_id, link_id);
12123 		if (IS_ERR(links[link_id].bss)) {
12124 			err = PTR_ERR(links[link_id].bss);
12125 			links[link_id].bss = NULL;
12126 			NL_SET_ERR_MSG_ATTR(info->extack, link,
12127 					    "Error fetching BSS for link");
12128 			return err;
12129 		}
12130 
12131 		if (attrs[NL80211_ATTR_IE]) {
12132 			links[link_id].elems = nla_data(attrs[NL80211_ATTR_IE]);
12133 			links[link_id].elems_len =
12134 				nla_len(attrs[NL80211_ATTR_IE]);
12135 
12136 			if (cfg80211_find_elem(WLAN_EID_FRAGMENT,
12137 					       links[link_id].elems,
12138 					       links[link_id].elems_len)) {
12139 				NL_SET_ERR_MSG_ATTR(info->extack,
12140 						    attrs[NL80211_ATTR_IE],
12141 						    "cannot deal with fragmentation");
12142 				return -EINVAL;
12143 			}
12144 
12145 			if (cfg80211_find_ext_elem(WLAN_EID_EXT_NON_INHERITANCE,
12146 						   links[link_id].elems,
12147 						   links[link_id].elems_len)) {
12148 				NL_SET_ERR_MSG_ATTR(info->extack,
12149 						    attrs[NL80211_ATTR_IE],
12150 						    "cannot deal with non-inheritance");
12151 				return -EINVAL;
12152 			}
12153 		}
12154 
12155 		links[link_id].disabled =
12156 			nla_get_flag(attrs[NL80211_ATTR_MLO_LINK_DISABLED]);
12157 	}
12158 
12159 	return 0;
12160 }
12161 
12162 static int nl80211_associate(struct sk_buff *skb, struct genl_info *info)
12163 {
12164 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12165 	struct net_device *dev = info->user_ptr[1];
12166 	struct cfg80211_assoc_request req = {};
12167 	const u8 *ap_addr, *ssid;
12168 	unsigned int link_id;
12169 	int err, ssid_len;
12170 
12171 	if (dev->ieee80211_ptr->conn_owner_nlportid &&
12172 	    dev->ieee80211_ptr->conn_owner_nlportid != info->snd_portid)
12173 		return -EPERM;
12174 
12175 	if (!info->attrs[NL80211_ATTR_SSID])
12176 		return -EINVAL;
12177 
12178 	if (!rdev->ops->assoc)
12179 		return -EOPNOTSUPP;
12180 
12181 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
12182 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
12183 		return -EOPNOTSUPP;
12184 
12185 	ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
12186 	ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
12187 
12188 	if (info->attrs[NL80211_ATTR_IE]) {
12189 		req.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
12190 		req.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
12191 
12192 		if (cfg80211_find_ext_elem(WLAN_EID_EXT_NON_INHERITANCE,
12193 					   req.ie, req.ie_len)) {
12194 			NL_SET_ERR_MSG_ATTR(info->extack,
12195 					    info->attrs[NL80211_ATTR_IE],
12196 					    "non-inheritance makes no sense");
12197 			return -EINVAL;
12198 		}
12199 	}
12200 
12201 	if (info->attrs[NL80211_ATTR_USE_MFP]) {
12202 		enum nl80211_mfp mfp =
12203 			nla_get_u32(info->attrs[NL80211_ATTR_USE_MFP]);
12204 		if (mfp == NL80211_MFP_REQUIRED)
12205 			req.use_mfp = true;
12206 		else if (mfp != NL80211_MFP_NO)
12207 			return -EINVAL;
12208 	}
12209 
12210 	if (info->attrs[NL80211_ATTR_PREV_BSSID])
12211 		req.prev_bssid = nla_data(info->attrs[NL80211_ATTR_PREV_BSSID]);
12212 
12213 	if (info->attrs[NL80211_ATTR_SUPPORTED_SELECTORS]) {
12214 		req.supported_selectors =
12215 			nla_data(info->attrs[NL80211_ATTR_SUPPORTED_SELECTORS]);
12216 		req.supported_selectors_len =
12217 			nla_len(info->attrs[NL80211_ATTR_SUPPORTED_SELECTORS]);
12218 	}
12219 
12220 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_HT]))
12221 		req.flags |= ASSOC_REQ_DISABLE_HT;
12222 
12223 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
12224 		memcpy(&req.ht_capa_mask,
12225 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK]),
12226 		       sizeof(req.ht_capa_mask));
12227 
12228 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY]) {
12229 		if (!info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
12230 			return -EINVAL;
12231 		memcpy(&req.ht_capa,
12232 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]),
12233 		       sizeof(req.ht_capa));
12234 	}
12235 
12236 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_VHT]))
12237 		req.flags |= ASSOC_REQ_DISABLE_VHT;
12238 
12239 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_HE]))
12240 		req.flags |= ASSOC_REQ_DISABLE_HE;
12241 
12242 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_EHT]))
12243 		req.flags |= ASSOC_REQ_DISABLE_EHT;
12244 
12245 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK])
12246 		memcpy(&req.vht_capa_mask,
12247 		       nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK]),
12248 		       sizeof(req.vht_capa_mask));
12249 
12250 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY]) {
12251 		if (!info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK])
12252 			return -EINVAL;
12253 		memcpy(&req.vht_capa,
12254 		       nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]),
12255 		       sizeof(req.vht_capa));
12256 	}
12257 
12258 	if (nla_get_flag(info->attrs[NL80211_ATTR_USE_RRM])) {
12259 		if (!((rdev->wiphy.features &
12260 			NL80211_FEATURE_DS_PARAM_SET_IE_IN_PROBES) &&
12261 		       (rdev->wiphy.features & NL80211_FEATURE_QUIET)) &&
12262 		    !wiphy_ext_feature_isset(&rdev->wiphy,
12263 					     NL80211_EXT_FEATURE_RRM))
12264 			return -EINVAL;
12265 		req.flags |= ASSOC_REQ_USE_RRM;
12266 	}
12267 
12268 	if (info->attrs[NL80211_ATTR_FILS_KEK]) {
12269 		req.fils_kek = nla_data(info->attrs[NL80211_ATTR_FILS_KEK]);
12270 		req.fils_kek_len = nla_len(info->attrs[NL80211_ATTR_FILS_KEK]);
12271 		if (!info->attrs[NL80211_ATTR_FILS_NONCES])
12272 			return -EINVAL;
12273 		req.fils_nonces =
12274 			nla_data(info->attrs[NL80211_ATTR_FILS_NONCES]);
12275 	}
12276 
12277 	if (info->attrs[NL80211_ATTR_S1G_CAPABILITY_MASK]) {
12278 		if (!info->attrs[NL80211_ATTR_S1G_CAPABILITY])
12279 			return -EINVAL;
12280 		memcpy(&req.s1g_capa_mask,
12281 		       nla_data(info->attrs[NL80211_ATTR_S1G_CAPABILITY_MASK]),
12282 		       sizeof(req.s1g_capa_mask));
12283 	}
12284 
12285 	if (info->attrs[NL80211_ATTR_S1G_CAPABILITY]) {
12286 		if (!info->attrs[NL80211_ATTR_S1G_CAPABILITY_MASK])
12287 			return -EINVAL;
12288 		memcpy(&req.s1g_capa,
12289 		       nla_data(info->attrs[NL80211_ATTR_S1G_CAPABILITY]),
12290 		       sizeof(req.s1g_capa));
12291 	}
12292 
12293 	if (nla_get_flag(info->attrs[NL80211_ATTR_ASSOC_SPP_AMSDU])) {
12294 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
12295 					     NL80211_EXT_FEATURE_SPP_AMSDU_SUPPORT)) {
12296 			GENL_SET_ERR_MSG(info, "SPP A-MSDUs not supported");
12297 			return -EINVAL;
12298 		}
12299 		req.flags |= ASSOC_REQ_SPP_AMSDU;
12300 	}
12301 
12302 	req.link_id = nl80211_link_id_or_invalid(info->attrs);
12303 
12304 	if (info->attrs[NL80211_ATTR_MLO_LINKS]) {
12305 		if (req.link_id < 0)
12306 			return -EINVAL;
12307 
12308 		if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_MLO))
12309 			return -EINVAL;
12310 
12311 		if (info->attrs[NL80211_ATTR_MAC] ||
12312 		    info->attrs[NL80211_ATTR_WIPHY_FREQ] ||
12313 		    !info->attrs[NL80211_ATTR_MLD_ADDR])
12314 			return -EINVAL;
12315 
12316 		req.ap_mld_addr = nla_data(info->attrs[NL80211_ATTR_MLD_ADDR]);
12317 		ap_addr = req.ap_mld_addr;
12318 
12319 		err = nl80211_process_links(rdev, req.links, req.link_id,
12320 					    ssid, ssid_len, info);
12321 		if (err)
12322 			goto free;
12323 
12324 		if (!req.links[req.link_id].bss) {
12325 			err = -EINVAL;
12326 			goto free;
12327 		}
12328 
12329 		if (req.links[req.link_id].elems_len) {
12330 			GENL_SET_ERR_MSG(info,
12331 					 "cannot have per-link elems on assoc link");
12332 			err = -EINVAL;
12333 			goto free;
12334 		}
12335 
12336 		if (req.links[req.link_id].disabled) {
12337 			GENL_SET_ERR_MSG(info,
12338 					 "cannot have assoc link disabled");
12339 			err = -EINVAL;
12340 			goto free;
12341 		}
12342 
12343 		if (info->attrs[NL80211_ATTR_ASSOC_MLD_EXT_CAPA_OPS])
12344 			req.ext_mld_capa_ops =
12345 				nla_get_u16(info->attrs[NL80211_ATTR_ASSOC_MLD_EXT_CAPA_OPS]);
12346 	} else {
12347 		if (req.link_id >= 0)
12348 			return -EINVAL;
12349 
12350 		req.bss = nl80211_assoc_bss(rdev, ssid, ssid_len, info->attrs,
12351 					    -1, -1);
12352 		if (IS_ERR(req.bss))
12353 			return PTR_ERR(req.bss);
12354 		ap_addr = req.bss->bssid;
12355 
12356 		if (info->attrs[NL80211_ATTR_ASSOC_MLD_EXT_CAPA_OPS])
12357 			return -EINVAL;
12358 	}
12359 
12360 	err = nl80211_crypto_settings(rdev, info, &req.crypto, 1);
12361 	if (!err) {
12362 		struct nlattr *link;
12363 		int rem = 0;
12364 
12365 		err = cfg80211_mlme_assoc(rdev, dev, &req,
12366 					  info->extack);
12367 
12368 		if (!err && info->attrs[NL80211_ATTR_SOCKET_OWNER]) {
12369 			dev->ieee80211_ptr->conn_owner_nlportid =
12370 				info->snd_portid;
12371 			memcpy(dev->ieee80211_ptr->disconnect_bssid,
12372 			       ap_addr, ETH_ALEN);
12373 		}
12374 
12375 		/* Report error from first problematic link */
12376 		if (info->attrs[NL80211_ATTR_MLO_LINKS]) {
12377 			nla_for_each_nested(link,
12378 					    info->attrs[NL80211_ATTR_MLO_LINKS],
12379 					    rem) {
12380 				struct nlattr *link_id_attr =
12381 					nla_find_nested(link, NL80211_ATTR_MLO_LINK_ID);
12382 
12383 				if (!link_id_attr)
12384 					continue;
12385 
12386 				link_id = nla_get_u8(link_id_attr);
12387 
12388 				if (link_id == req.link_id)
12389 					continue;
12390 
12391 				if (!req.links[link_id].error ||
12392 				    WARN_ON(req.links[link_id].error > 0))
12393 					continue;
12394 
12395 				WARN_ON(err >= 0);
12396 
12397 				NL_SET_BAD_ATTR(info->extack, link);
12398 				err = req.links[link_id].error;
12399 				break;
12400 			}
12401 		}
12402 	}
12403 
12404 free:
12405 	for (link_id = 0; link_id < ARRAY_SIZE(req.links); link_id++)
12406 		cfg80211_put_bss(&rdev->wiphy, req.links[link_id].bss);
12407 	cfg80211_put_bss(&rdev->wiphy, req.bss);
12408 
12409 	return err;
12410 }
12411 
12412 static int nl80211_deauthenticate(struct sk_buff *skb, struct genl_info *info)
12413 {
12414 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12415 	struct net_device *dev = info->user_ptr[1];
12416 	const u8 *ie = NULL, *bssid;
12417 	int ie_len = 0;
12418 	u16 reason_code;
12419 	bool local_state_change;
12420 
12421 	if (dev->ieee80211_ptr->conn_owner_nlportid &&
12422 	    dev->ieee80211_ptr->conn_owner_nlportid != info->snd_portid)
12423 		return -EPERM;
12424 
12425 	if (!info->attrs[NL80211_ATTR_MAC])
12426 		return -EINVAL;
12427 
12428 	if (!info->attrs[NL80211_ATTR_REASON_CODE])
12429 		return -EINVAL;
12430 
12431 	if (!rdev->ops->deauth)
12432 		return -EOPNOTSUPP;
12433 
12434 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
12435 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
12436 		return -EOPNOTSUPP;
12437 
12438 	bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
12439 
12440 	reason_code = nla_get_u16(info->attrs[NL80211_ATTR_REASON_CODE]);
12441 	if (reason_code == 0) {
12442 		/* Reason Code 0 is reserved */
12443 		return -EINVAL;
12444 	}
12445 
12446 	if (info->attrs[NL80211_ATTR_IE]) {
12447 		ie = nla_data(info->attrs[NL80211_ATTR_IE]);
12448 		ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
12449 	}
12450 
12451 	local_state_change = !!info->attrs[NL80211_ATTR_LOCAL_STATE_CHANGE];
12452 
12453 	return cfg80211_mlme_deauth(rdev, dev, bssid, ie, ie_len, reason_code,
12454 				    local_state_change);
12455 }
12456 
12457 static int nl80211_disassociate(struct sk_buff *skb, struct genl_info *info)
12458 {
12459 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12460 	struct net_device *dev = info->user_ptr[1];
12461 	const u8 *ie = NULL, *bssid;
12462 	int ie_len = 0;
12463 	u16 reason_code;
12464 	bool local_state_change;
12465 
12466 	if (dev->ieee80211_ptr->conn_owner_nlportid &&
12467 	    dev->ieee80211_ptr->conn_owner_nlportid != info->snd_portid)
12468 		return -EPERM;
12469 
12470 	if (!info->attrs[NL80211_ATTR_MAC])
12471 		return -EINVAL;
12472 
12473 	if (!info->attrs[NL80211_ATTR_REASON_CODE])
12474 		return -EINVAL;
12475 
12476 	if (!rdev->ops->disassoc)
12477 		return -EOPNOTSUPP;
12478 
12479 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
12480 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
12481 		return -EOPNOTSUPP;
12482 
12483 	bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
12484 
12485 	reason_code = nla_get_u16(info->attrs[NL80211_ATTR_REASON_CODE]);
12486 	if (reason_code == 0) {
12487 		/* Reason Code 0 is reserved */
12488 		return -EINVAL;
12489 	}
12490 
12491 	if (info->attrs[NL80211_ATTR_IE]) {
12492 		ie = nla_data(info->attrs[NL80211_ATTR_IE]);
12493 		ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
12494 	}
12495 
12496 	local_state_change = !!info->attrs[NL80211_ATTR_LOCAL_STATE_CHANGE];
12497 
12498 	return cfg80211_mlme_disassoc(rdev, dev, bssid, ie, ie_len, reason_code,
12499 				      local_state_change);
12500 }
12501 
12502 static bool
12503 nl80211_parse_mcast_rate(struct cfg80211_registered_device *rdev,
12504 			 int mcast_rate[NUM_NL80211_BANDS],
12505 			 int rateval)
12506 {
12507 	struct wiphy *wiphy = &rdev->wiphy;
12508 	bool found = false;
12509 	int band, i;
12510 
12511 	for (band = 0; band < NUM_NL80211_BANDS; band++) {
12512 		struct ieee80211_supported_band *sband;
12513 
12514 		sband = wiphy->bands[band];
12515 		if (!sband)
12516 			continue;
12517 
12518 		for (i = 0; i < sband->n_bitrates; i++) {
12519 			if (sband->bitrates[i].bitrate == rateval) {
12520 				mcast_rate[band] = i + 1;
12521 				found = true;
12522 				break;
12523 			}
12524 		}
12525 	}
12526 
12527 	return found;
12528 }
12529 
12530 static int nl80211_join_ibss(struct sk_buff *skb, struct genl_info *info)
12531 {
12532 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12533 	struct net_device *dev = info->user_ptr[1];
12534 	struct cfg80211_ibss_params ibss;
12535 	struct wiphy *wiphy;
12536 	struct cfg80211_cached_keys *connkeys = NULL;
12537 	int err;
12538 
12539 	memset(&ibss, 0, sizeof(ibss));
12540 
12541 	if (!info->attrs[NL80211_ATTR_SSID] ||
12542 	    !nla_len(info->attrs[NL80211_ATTR_SSID]))
12543 		return -EINVAL;
12544 
12545 	ibss.beacon_interval = 100;
12546 
12547 	if (info->attrs[NL80211_ATTR_BEACON_INTERVAL])
12548 		ibss.beacon_interval =
12549 			nla_get_u32(info->attrs[NL80211_ATTR_BEACON_INTERVAL]);
12550 
12551 	err = cfg80211_validate_beacon_int(rdev, NL80211_IFTYPE_ADHOC,
12552 					   ibss.beacon_interval);
12553 	if (err)
12554 		return err;
12555 
12556 	if (!rdev->ops->join_ibss)
12557 		return -EOPNOTSUPP;
12558 
12559 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_ADHOC)
12560 		return -EOPNOTSUPP;
12561 
12562 	wiphy = &rdev->wiphy;
12563 
12564 	if (info->attrs[NL80211_ATTR_MAC]) {
12565 		ibss.bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
12566 
12567 		if (!is_valid_ether_addr(ibss.bssid))
12568 			return -EINVAL;
12569 	}
12570 	ibss.ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
12571 	ibss.ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
12572 
12573 	if (info->attrs[NL80211_ATTR_IE]) {
12574 		ibss.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
12575 		ibss.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
12576 	}
12577 
12578 	err = nl80211_parse_chandef(rdev, info, &ibss.chandef);
12579 	if (err)
12580 		return err;
12581 
12582 	if (!cfg80211_reg_can_beacon(&rdev->wiphy, &ibss.chandef,
12583 				     NL80211_IFTYPE_ADHOC))
12584 		return -EINVAL;
12585 
12586 	switch (ibss.chandef.width) {
12587 	case NL80211_CHAN_WIDTH_5:
12588 	case NL80211_CHAN_WIDTH_10:
12589 	case NL80211_CHAN_WIDTH_20_NOHT:
12590 		break;
12591 	case NL80211_CHAN_WIDTH_20:
12592 	case NL80211_CHAN_WIDTH_40:
12593 		if (!(rdev->wiphy.features & NL80211_FEATURE_HT_IBSS))
12594 			return -EINVAL;
12595 		break;
12596 	case NL80211_CHAN_WIDTH_80:
12597 	case NL80211_CHAN_WIDTH_80P80:
12598 	case NL80211_CHAN_WIDTH_160:
12599 		if (!(rdev->wiphy.features & NL80211_FEATURE_HT_IBSS))
12600 			return -EINVAL;
12601 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
12602 					     NL80211_EXT_FEATURE_VHT_IBSS))
12603 			return -EINVAL;
12604 		break;
12605 	case NL80211_CHAN_WIDTH_320:
12606 		return -EINVAL;
12607 	default:
12608 		return -EINVAL;
12609 	}
12610 
12611 	ibss.channel_fixed = !!info->attrs[NL80211_ATTR_FREQ_FIXED];
12612 	ibss.privacy = !!info->attrs[NL80211_ATTR_PRIVACY];
12613 
12614 	if (info->attrs[NL80211_ATTR_BSS_BASIC_RATES]) {
12615 		u8 *rates =
12616 			nla_data(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
12617 		int n_rates =
12618 			nla_len(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
12619 		struct ieee80211_supported_band *sband =
12620 			wiphy->bands[ibss.chandef.chan->band];
12621 
12622 		err = ieee80211_get_ratemask(sband, rates, n_rates,
12623 					     &ibss.basic_rates);
12624 		if (err)
12625 			return err;
12626 	}
12627 
12628 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
12629 		memcpy(&ibss.ht_capa_mask,
12630 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK]),
12631 		       sizeof(ibss.ht_capa_mask));
12632 
12633 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY]) {
12634 		if (!info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
12635 			return -EINVAL;
12636 		memcpy(&ibss.ht_capa,
12637 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]),
12638 		       sizeof(ibss.ht_capa));
12639 	}
12640 
12641 	if (info->attrs[NL80211_ATTR_MCAST_RATE] &&
12642 	    !nl80211_parse_mcast_rate(rdev, ibss.mcast_rate,
12643 			nla_get_u32(info->attrs[NL80211_ATTR_MCAST_RATE])))
12644 		return -EINVAL;
12645 
12646 	if (ibss.privacy && info->attrs[NL80211_ATTR_KEYS]) {
12647 		bool no_ht = false;
12648 
12649 		connkeys = nl80211_parse_connkeys(rdev, info, &no_ht);
12650 		if (IS_ERR(connkeys))
12651 			return PTR_ERR(connkeys);
12652 
12653 		if ((ibss.chandef.width != NL80211_CHAN_WIDTH_20_NOHT) &&
12654 		    no_ht) {
12655 			kfree_sensitive(connkeys);
12656 			return -EINVAL;
12657 		}
12658 	}
12659 
12660 	ibss.control_port =
12661 		nla_get_flag(info->attrs[NL80211_ATTR_CONTROL_PORT]);
12662 
12663 	if (info->attrs[NL80211_ATTR_CONTROL_PORT_OVER_NL80211]) {
12664 		int r = validate_pae_over_nl80211(rdev, info);
12665 
12666 		if (r < 0) {
12667 			kfree_sensitive(connkeys);
12668 			return r;
12669 		}
12670 
12671 		ibss.control_port_over_nl80211 = true;
12672 	}
12673 
12674 	ibss.userspace_handles_dfs =
12675 		nla_get_flag(info->attrs[NL80211_ATTR_HANDLE_DFS]);
12676 
12677 	err = __cfg80211_join_ibss(rdev, dev, &ibss, connkeys);
12678 	if (err)
12679 		kfree_sensitive(connkeys);
12680 	else if (info->attrs[NL80211_ATTR_SOCKET_OWNER])
12681 		dev->ieee80211_ptr->conn_owner_nlportid = info->snd_portid;
12682 
12683 	return err;
12684 }
12685 
12686 static int nl80211_leave_ibss(struct sk_buff *skb, struct genl_info *info)
12687 {
12688 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12689 	struct net_device *dev = info->user_ptr[1];
12690 
12691 	if (!rdev->ops->leave_ibss)
12692 		return -EOPNOTSUPP;
12693 
12694 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_ADHOC)
12695 		return -EOPNOTSUPP;
12696 
12697 	return cfg80211_leave_ibss(rdev, dev, false);
12698 }
12699 
12700 static int nl80211_set_mcast_rate(struct sk_buff *skb, struct genl_info *info)
12701 {
12702 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12703 	struct net_device *dev = info->user_ptr[1];
12704 	int mcast_rate[NUM_NL80211_BANDS];
12705 	u32 nla_rate;
12706 
12707 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_ADHOC &&
12708 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT &&
12709 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_OCB)
12710 		return -EOPNOTSUPP;
12711 
12712 	if (!rdev->ops->set_mcast_rate)
12713 		return -EOPNOTSUPP;
12714 
12715 	memset(mcast_rate, 0, sizeof(mcast_rate));
12716 
12717 	if (!info->attrs[NL80211_ATTR_MCAST_RATE])
12718 		return -EINVAL;
12719 
12720 	nla_rate = nla_get_u32(info->attrs[NL80211_ATTR_MCAST_RATE]);
12721 	if (!nl80211_parse_mcast_rate(rdev, mcast_rate, nla_rate))
12722 		return -EINVAL;
12723 
12724 	return rdev_set_mcast_rate(rdev, dev, mcast_rate);
12725 }
12726 
12727 static struct sk_buff *
12728 __cfg80211_alloc_vendor_skb(struct cfg80211_registered_device *rdev,
12729 			    struct wireless_dev *wdev, int approxlen,
12730 			    u32 portid, u32 seq, enum nl80211_commands cmd,
12731 			    enum nl80211_attrs attr,
12732 			    const struct nl80211_vendor_cmd_info *info,
12733 			    gfp_t gfp)
12734 {
12735 	struct sk_buff *skb;
12736 	void *hdr;
12737 	struct nlattr *data;
12738 
12739 	skb = nlmsg_new(approxlen + 100, gfp);
12740 	if (!skb)
12741 		return NULL;
12742 
12743 	hdr = nl80211hdr_put(skb, portid, seq, 0, cmd);
12744 	if (!hdr) {
12745 		kfree_skb(skb);
12746 		return NULL;
12747 	}
12748 
12749 	if (nla_put_u32(skb, NL80211_ATTR_WIPHY, rdev->wiphy_idx))
12750 		goto nla_put_failure;
12751 
12752 	if (info) {
12753 		if (nla_put_u32(skb, NL80211_ATTR_VENDOR_ID,
12754 				info->vendor_id))
12755 			goto nla_put_failure;
12756 		if (nla_put_u32(skb, NL80211_ATTR_VENDOR_SUBCMD,
12757 				info->subcmd))
12758 			goto nla_put_failure;
12759 	}
12760 
12761 	if (wdev) {
12762 		if (nla_put_u64_64bit(skb, NL80211_ATTR_WDEV,
12763 				      wdev_id(wdev), NL80211_ATTR_PAD))
12764 			goto nla_put_failure;
12765 		if (wdev->netdev &&
12766 		    nla_put_u32(skb, NL80211_ATTR_IFINDEX,
12767 				wdev->netdev->ifindex))
12768 			goto nla_put_failure;
12769 	}
12770 
12771 	data = nla_nest_start_noflag(skb, attr);
12772 	if (!data)
12773 		goto nla_put_failure;
12774 
12775 	((void **)skb->cb)[0] = rdev;
12776 	((void **)skb->cb)[1] = hdr;
12777 	((void **)skb->cb)[2] = data;
12778 
12779 	return skb;
12780 
12781  nla_put_failure:
12782 	kfree_skb(skb);
12783 	return NULL;
12784 }
12785 
12786 struct sk_buff *__cfg80211_alloc_event_skb(struct wiphy *wiphy,
12787 					   struct wireless_dev *wdev,
12788 					   enum nl80211_commands cmd,
12789 					   enum nl80211_attrs attr,
12790 					   unsigned int portid,
12791 					   int vendor_event_idx,
12792 					   int approxlen, gfp_t gfp)
12793 {
12794 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
12795 	const struct nl80211_vendor_cmd_info *info;
12796 
12797 	switch (cmd) {
12798 	case NL80211_CMD_TESTMODE:
12799 		if (WARN_ON(vendor_event_idx != -1))
12800 			return NULL;
12801 		info = NULL;
12802 		break;
12803 	case NL80211_CMD_VENDOR:
12804 		if (WARN_ON(vendor_event_idx < 0 ||
12805 			    vendor_event_idx >= wiphy->n_vendor_events))
12806 			return NULL;
12807 		info = &wiphy->vendor_events[vendor_event_idx];
12808 		break;
12809 	default:
12810 		WARN_ON(1);
12811 		return NULL;
12812 	}
12813 
12814 	return __cfg80211_alloc_vendor_skb(rdev, wdev, approxlen, portid, 0,
12815 					   cmd, attr, info, gfp);
12816 }
12817 EXPORT_SYMBOL(__cfg80211_alloc_event_skb);
12818 
12819 void __cfg80211_send_event_skb(struct sk_buff *skb, gfp_t gfp)
12820 {
12821 	struct cfg80211_registered_device *rdev = ((void **)skb->cb)[0];
12822 	void *hdr = ((void **)skb->cb)[1];
12823 	struct nlmsghdr *nlhdr = nlmsg_hdr(skb);
12824 	struct nlattr *data = ((void **)skb->cb)[2];
12825 	enum nl80211_multicast_groups mcgrp = NL80211_MCGRP_TESTMODE;
12826 
12827 	/* clear CB data for netlink core to own from now on */
12828 	memset(skb->cb, 0, sizeof(skb->cb));
12829 
12830 	nla_nest_end(skb, data);
12831 	genlmsg_end(skb, hdr);
12832 
12833 	if (nlhdr->nlmsg_pid) {
12834 		genlmsg_unicast(wiphy_net(&rdev->wiphy), skb,
12835 				nlhdr->nlmsg_pid);
12836 	} else {
12837 		if (data->nla_type == NL80211_ATTR_VENDOR_DATA)
12838 			mcgrp = NL80211_MCGRP_VENDOR;
12839 
12840 		genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy),
12841 					skb, 0, mcgrp, gfp);
12842 	}
12843 }
12844 EXPORT_SYMBOL(__cfg80211_send_event_skb);
12845 
12846 #ifdef CONFIG_NL80211_TESTMODE
12847 static int nl80211_testmode_do(struct sk_buff *skb, struct genl_info *info)
12848 {
12849 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12850 	struct wireless_dev *wdev;
12851 	int err;
12852 
12853 	lockdep_assert_held(&rdev->wiphy.mtx);
12854 
12855 	wdev = __cfg80211_wdev_from_attrs(rdev, genl_info_net(info),
12856 					  info->attrs);
12857 
12858 	if (!rdev->ops->testmode_cmd)
12859 		return -EOPNOTSUPP;
12860 
12861 	if (IS_ERR(wdev)) {
12862 		err = PTR_ERR(wdev);
12863 		if (err != -EINVAL)
12864 			return err;
12865 		wdev = NULL;
12866 	} else if (wdev->wiphy != &rdev->wiphy) {
12867 		return -EINVAL;
12868 	}
12869 
12870 	if (!info->attrs[NL80211_ATTR_TESTDATA])
12871 		return -EINVAL;
12872 
12873 	rdev->cur_cmd_info = info;
12874 	err = rdev_testmode_cmd(rdev, wdev,
12875 				nla_data(info->attrs[NL80211_ATTR_TESTDATA]),
12876 				nla_len(info->attrs[NL80211_ATTR_TESTDATA]));
12877 	rdev->cur_cmd_info = NULL;
12878 
12879 	return err;
12880 }
12881 
12882 static int nl80211_testmode_dump(struct sk_buff *skb,
12883 				 struct netlink_callback *cb)
12884 {
12885 	struct cfg80211_registered_device *rdev;
12886 	struct nlattr **attrbuf = NULL;
12887 	int err;
12888 	long phy_idx;
12889 	void *data = NULL;
12890 	int data_len = 0;
12891 
12892 	rtnl_lock();
12893 
12894 	if (cb->args[0]) {
12895 		/*
12896 		 * 0 is a valid index, but not valid for args[0],
12897 		 * so we need to offset by 1.
12898 		 */
12899 		phy_idx = cb->args[0] - 1;
12900 
12901 		rdev = cfg80211_rdev_by_wiphy_idx(phy_idx);
12902 		if (!rdev) {
12903 			err = -ENOENT;
12904 			goto out_err;
12905 		}
12906 	} else {
12907 		attrbuf = kcalloc(NUM_NL80211_ATTR, sizeof(*attrbuf),
12908 				  GFP_KERNEL);
12909 		if (!attrbuf) {
12910 			err = -ENOMEM;
12911 			goto out_err;
12912 		}
12913 
12914 		err = nlmsg_parse_deprecated(cb->nlh,
12915 					     GENL_HDRLEN + nl80211_fam.hdrsize,
12916 					     attrbuf, nl80211_fam.maxattr,
12917 					     nl80211_policy, NULL);
12918 		if (err)
12919 			goto out_err;
12920 
12921 		rdev = __cfg80211_rdev_from_attrs(sock_net(skb->sk), attrbuf);
12922 		if (IS_ERR(rdev)) {
12923 			err = PTR_ERR(rdev);
12924 			goto out_err;
12925 		}
12926 		phy_idx = rdev->wiphy_idx;
12927 
12928 		if (attrbuf[NL80211_ATTR_TESTDATA])
12929 			cb->args[1] = (long)attrbuf[NL80211_ATTR_TESTDATA];
12930 	}
12931 
12932 	if (cb->args[1]) {
12933 		data = nla_data((void *)cb->args[1]);
12934 		data_len = nla_len((void *)cb->args[1]);
12935 	}
12936 
12937 	if (!rdev->ops->testmode_dump) {
12938 		err = -EOPNOTSUPP;
12939 		goto out_err;
12940 	}
12941 
12942 	while (1) {
12943 		void *hdr = nl80211hdr_put(skb, NETLINK_CB(cb->skb).portid,
12944 					   cb->nlh->nlmsg_seq, NLM_F_MULTI,
12945 					   NL80211_CMD_TESTMODE);
12946 		struct nlattr *tmdata;
12947 
12948 		if (!hdr)
12949 			break;
12950 
12951 		if (nla_put_u32(skb, NL80211_ATTR_WIPHY, phy_idx)) {
12952 			genlmsg_cancel(skb, hdr);
12953 			break;
12954 		}
12955 
12956 		tmdata = nla_nest_start_noflag(skb, NL80211_ATTR_TESTDATA);
12957 		if (!tmdata) {
12958 			genlmsg_cancel(skb, hdr);
12959 			break;
12960 		}
12961 		err = rdev_testmode_dump(rdev, skb, cb, data, data_len);
12962 		nla_nest_end(skb, tmdata);
12963 
12964 		if (err == -ENOBUFS || err == -ENOENT) {
12965 			genlmsg_cancel(skb, hdr);
12966 			break;
12967 		} else if (err) {
12968 			genlmsg_cancel(skb, hdr);
12969 			goto out_err;
12970 		}
12971 
12972 		genlmsg_end(skb, hdr);
12973 	}
12974 
12975 	err = skb->len;
12976 	/* see above */
12977 	cb->args[0] = phy_idx + 1;
12978  out_err:
12979 	kfree(attrbuf);
12980 	rtnl_unlock();
12981 	return err;
12982 }
12983 #endif
12984 
12985 static int nl80211_connect(struct sk_buff *skb, struct genl_info *info)
12986 {
12987 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12988 	struct net_device *dev = info->user_ptr[1];
12989 	struct cfg80211_connect_params connect;
12990 	struct wiphy *wiphy;
12991 	struct cfg80211_cached_keys *connkeys = NULL;
12992 	u32 freq = 0;
12993 	int err;
12994 
12995 	memset(&connect, 0, sizeof(connect));
12996 
12997 	if (!info->attrs[NL80211_ATTR_SSID] ||
12998 	    !nla_len(info->attrs[NL80211_ATTR_SSID]))
12999 		return -EINVAL;
13000 
13001 	if (info->attrs[NL80211_ATTR_AUTH_TYPE]) {
13002 		connect.auth_type =
13003 			nla_get_u32(info->attrs[NL80211_ATTR_AUTH_TYPE]);
13004 		if (!nl80211_valid_auth_type(rdev, connect.auth_type,
13005 					     NL80211_CMD_CONNECT))
13006 			return -EINVAL;
13007 	} else
13008 		connect.auth_type = NL80211_AUTHTYPE_AUTOMATIC;
13009 
13010 	connect.privacy = info->attrs[NL80211_ATTR_PRIVACY];
13011 
13012 	if (info->attrs[NL80211_ATTR_WANT_1X_4WAY_HS] &&
13013 	    !wiphy_ext_feature_isset(&rdev->wiphy,
13014 				     NL80211_EXT_FEATURE_4WAY_HANDSHAKE_STA_1X))
13015 		return -EINVAL;
13016 	connect.want_1x = info->attrs[NL80211_ATTR_WANT_1X_4WAY_HS];
13017 
13018 	err = nl80211_crypto_settings(rdev, info, &connect.crypto,
13019 				      NL80211_MAX_NR_CIPHER_SUITES);
13020 	if (err)
13021 		return err;
13022 
13023 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
13024 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
13025 		return -EOPNOTSUPP;
13026 
13027 	wiphy = &rdev->wiphy;
13028 
13029 	connect.bg_scan_period = -1;
13030 	if (info->attrs[NL80211_ATTR_BG_SCAN_PERIOD] &&
13031 		(wiphy->flags & WIPHY_FLAG_SUPPORTS_FW_ROAM)) {
13032 		connect.bg_scan_period =
13033 			nla_get_u16(info->attrs[NL80211_ATTR_BG_SCAN_PERIOD]);
13034 	}
13035 
13036 	if (info->attrs[NL80211_ATTR_MAC])
13037 		connect.bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
13038 	else if (info->attrs[NL80211_ATTR_MAC_HINT])
13039 		connect.bssid_hint =
13040 			nla_data(info->attrs[NL80211_ATTR_MAC_HINT]);
13041 	connect.ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
13042 	connect.ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
13043 
13044 	if (info->attrs[NL80211_ATTR_IE]) {
13045 		connect.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
13046 		connect.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
13047 	}
13048 
13049 	if (info->attrs[NL80211_ATTR_USE_MFP]) {
13050 		connect.mfp = nla_get_u32(info->attrs[NL80211_ATTR_USE_MFP]);
13051 		if (connect.mfp == NL80211_MFP_OPTIONAL &&
13052 		    !wiphy_ext_feature_isset(&rdev->wiphy,
13053 					     NL80211_EXT_FEATURE_MFP_OPTIONAL))
13054 			return -EOPNOTSUPP;
13055 	} else {
13056 		connect.mfp = NL80211_MFP_NO;
13057 	}
13058 
13059 	if (info->attrs[NL80211_ATTR_PREV_BSSID])
13060 		connect.prev_bssid =
13061 			nla_data(info->attrs[NL80211_ATTR_PREV_BSSID]);
13062 
13063 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ])
13064 		freq = MHZ_TO_KHZ(nla_get_u32(
13065 					info->attrs[NL80211_ATTR_WIPHY_FREQ]));
13066 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET])
13067 		freq +=
13068 		    nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET]);
13069 
13070 	if (freq) {
13071 		connect.channel = nl80211_get_valid_chan(wiphy, freq);
13072 		if (!connect.channel)
13073 			return -EINVAL;
13074 	} else if (info->attrs[NL80211_ATTR_WIPHY_FREQ_HINT]) {
13075 		freq = nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ_HINT]);
13076 		freq = MHZ_TO_KHZ(freq);
13077 		connect.channel_hint = nl80211_get_valid_chan(wiphy, freq);
13078 		if (!connect.channel_hint)
13079 			return -EINVAL;
13080 	}
13081 
13082 	if (info->attrs[NL80211_ATTR_WIPHY_EDMG_CHANNELS]) {
13083 		connect.edmg.channels =
13084 		      nla_get_u8(info->attrs[NL80211_ATTR_WIPHY_EDMG_CHANNELS]);
13085 
13086 		if (info->attrs[NL80211_ATTR_WIPHY_EDMG_BW_CONFIG])
13087 			connect.edmg.bw_config =
13088 				nla_get_u8(info->attrs[NL80211_ATTR_WIPHY_EDMG_BW_CONFIG]);
13089 	}
13090 
13091 	if (connect.privacy && info->attrs[NL80211_ATTR_KEYS]) {
13092 		connkeys = nl80211_parse_connkeys(rdev, info, NULL);
13093 		if (IS_ERR(connkeys))
13094 			return PTR_ERR(connkeys);
13095 	}
13096 
13097 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_HT]))
13098 		connect.flags |= ASSOC_REQ_DISABLE_HT;
13099 
13100 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
13101 		memcpy(&connect.ht_capa_mask,
13102 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK]),
13103 		       sizeof(connect.ht_capa_mask));
13104 
13105 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY]) {
13106 		if (!info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK]) {
13107 			kfree_sensitive(connkeys);
13108 			return -EINVAL;
13109 		}
13110 		memcpy(&connect.ht_capa,
13111 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]),
13112 		       sizeof(connect.ht_capa));
13113 	}
13114 
13115 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_VHT]))
13116 		connect.flags |= ASSOC_REQ_DISABLE_VHT;
13117 
13118 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_HE]))
13119 		connect.flags |= ASSOC_REQ_DISABLE_HE;
13120 
13121 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_EHT]))
13122 		connect.flags |= ASSOC_REQ_DISABLE_EHT;
13123 
13124 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK])
13125 		memcpy(&connect.vht_capa_mask,
13126 		       nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK]),
13127 		       sizeof(connect.vht_capa_mask));
13128 
13129 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY]) {
13130 		if (!info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK]) {
13131 			kfree_sensitive(connkeys);
13132 			return -EINVAL;
13133 		}
13134 		memcpy(&connect.vht_capa,
13135 		       nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]),
13136 		       sizeof(connect.vht_capa));
13137 	}
13138 
13139 	if (nla_get_flag(info->attrs[NL80211_ATTR_USE_RRM])) {
13140 		if (!((rdev->wiphy.features &
13141 			NL80211_FEATURE_DS_PARAM_SET_IE_IN_PROBES) &&
13142 		       (rdev->wiphy.features & NL80211_FEATURE_QUIET)) &&
13143 		    !wiphy_ext_feature_isset(&rdev->wiphy,
13144 					     NL80211_EXT_FEATURE_RRM)) {
13145 			kfree_sensitive(connkeys);
13146 			return -EINVAL;
13147 		}
13148 		connect.flags |= ASSOC_REQ_USE_RRM;
13149 	}
13150 
13151 	connect.pbss = nla_get_flag(info->attrs[NL80211_ATTR_PBSS]);
13152 	if (connect.pbss && !rdev->wiphy.bands[NL80211_BAND_60GHZ]) {
13153 		kfree_sensitive(connkeys);
13154 		return -EOPNOTSUPP;
13155 	}
13156 
13157 	if (info->attrs[NL80211_ATTR_BSS_SELECT]) {
13158 		/* bss selection makes no sense if bssid is set */
13159 		if (connect.bssid) {
13160 			kfree_sensitive(connkeys);
13161 			return -EINVAL;
13162 		}
13163 
13164 		err = parse_bss_select(info->attrs[NL80211_ATTR_BSS_SELECT],
13165 				       wiphy, &connect.bss_select);
13166 		if (err) {
13167 			kfree_sensitive(connkeys);
13168 			return err;
13169 		}
13170 	}
13171 
13172 	if (wiphy_ext_feature_isset(&rdev->wiphy,
13173 				    NL80211_EXT_FEATURE_FILS_SK_OFFLOAD) &&
13174 	    info->attrs[NL80211_ATTR_FILS_ERP_USERNAME] &&
13175 	    info->attrs[NL80211_ATTR_FILS_ERP_REALM] &&
13176 	    info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM] &&
13177 	    info->attrs[NL80211_ATTR_FILS_ERP_RRK]) {
13178 		connect.fils_erp_username =
13179 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_USERNAME]);
13180 		connect.fils_erp_username_len =
13181 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_USERNAME]);
13182 		connect.fils_erp_realm =
13183 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_REALM]);
13184 		connect.fils_erp_realm_len =
13185 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_REALM]);
13186 		connect.fils_erp_next_seq_num =
13187 			nla_get_u16(
13188 			   info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM]);
13189 		connect.fils_erp_rrk =
13190 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_RRK]);
13191 		connect.fils_erp_rrk_len =
13192 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_RRK]);
13193 	} else if (info->attrs[NL80211_ATTR_FILS_ERP_USERNAME] ||
13194 		   info->attrs[NL80211_ATTR_FILS_ERP_REALM] ||
13195 		   info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM] ||
13196 		   info->attrs[NL80211_ATTR_FILS_ERP_RRK]) {
13197 		kfree_sensitive(connkeys);
13198 		return -EINVAL;
13199 	}
13200 
13201 	if (nla_get_flag(info->attrs[NL80211_ATTR_EXTERNAL_AUTH_SUPPORT])) {
13202 		if (!info->attrs[NL80211_ATTR_SOCKET_OWNER]) {
13203 			kfree_sensitive(connkeys);
13204 			GENL_SET_ERR_MSG(info,
13205 					 "external auth requires connection ownership");
13206 			return -EINVAL;
13207 		}
13208 		connect.flags |= CONNECT_REQ_EXTERNAL_AUTH_SUPPORT;
13209 	}
13210 
13211 	if (nla_get_flag(info->attrs[NL80211_ATTR_MLO_SUPPORT]))
13212 		connect.flags |= CONNECT_REQ_MLO_SUPPORT;
13213 
13214 	err = cfg80211_connect(rdev, dev, &connect, connkeys,
13215 			       connect.prev_bssid);
13216 	if (err)
13217 		kfree_sensitive(connkeys);
13218 
13219 	if (!err && info->attrs[NL80211_ATTR_SOCKET_OWNER]) {
13220 		dev->ieee80211_ptr->conn_owner_nlportid = info->snd_portid;
13221 		if (connect.bssid)
13222 			memcpy(dev->ieee80211_ptr->disconnect_bssid,
13223 			       connect.bssid, ETH_ALEN);
13224 		else
13225 			eth_zero_addr(dev->ieee80211_ptr->disconnect_bssid);
13226 	}
13227 
13228 	return err;
13229 }
13230 
13231 static int nl80211_update_connect_params(struct sk_buff *skb,
13232 					 struct genl_info *info)
13233 {
13234 	struct cfg80211_connect_params connect = {};
13235 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13236 	struct net_device *dev = info->user_ptr[1];
13237 	struct wireless_dev *wdev = dev->ieee80211_ptr;
13238 	bool fils_sk_offload;
13239 	u32 auth_type;
13240 	u32 changed = 0;
13241 
13242 	if (!rdev->ops->update_connect_params)
13243 		return -EOPNOTSUPP;
13244 
13245 	if (info->attrs[NL80211_ATTR_IE]) {
13246 		connect.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
13247 		connect.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
13248 		changed |= UPDATE_ASSOC_IES;
13249 	}
13250 
13251 	fils_sk_offload = wiphy_ext_feature_isset(&rdev->wiphy,
13252 						  NL80211_EXT_FEATURE_FILS_SK_OFFLOAD);
13253 
13254 	/*
13255 	 * when driver supports fils-sk offload all attributes must be
13256 	 * provided. So the else covers "fils-sk-not-all" and
13257 	 * "no-fils-sk-any".
13258 	 */
13259 	if (fils_sk_offload &&
13260 	    info->attrs[NL80211_ATTR_FILS_ERP_USERNAME] &&
13261 	    info->attrs[NL80211_ATTR_FILS_ERP_REALM] &&
13262 	    info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM] &&
13263 	    info->attrs[NL80211_ATTR_FILS_ERP_RRK]) {
13264 		connect.fils_erp_username =
13265 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_USERNAME]);
13266 		connect.fils_erp_username_len =
13267 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_USERNAME]);
13268 		connect.fils_erp_realm =
13269 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_REALM]);
13270 		connect.fils_erp_realm_len =
13271 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_REALM]);
13272 		connect.fils_erp_next_seq_num =
13273 			nla_get_u16(
13274 			   info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM]);
13275 		connect.fils_erp_rrk =
13276 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_RRK]);
13277 		connect.fils_erp_rrk_len =
13278 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_RRK]);
13279 		changed |= UPDATE_FILS_ERP_INFO;
13280 	} else if (info->attrs[NL80211_ATTR_FILS_ERP_USERNAME] ||
13281 		   info->attrs[NL80211_ATTR_FILS_ERP_REALM] ||
13282 		   info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM] ||
13283 		   info->attrs[NL80211_ATTR_FILS_ERP_RRK]) {
13284 		return -EINVAL;
13285 	}
13286 
13287 	if (info->attrs[NL80211_ATTR_AUTH_TYPE]) {
13288 		auth_type = nla_get_u32(info->attrs[NL80211_ATTR_AUTH_TYPE]);
13289 		if (!nl80211_valid_auth_type(rdev, auth_type,
13290 					     NL80211_CMD_CONNECT))
13291 			return -EINVAL;
13292 
13293 		if (auth_type == NL80211_AUTHTYPE_FILS_SK &&
13294 		    fils_sk_offload && !(changed & UPDATE_FILS_ERP_INFO))
13295 			return -EINVAL;
13296 
13297 		connect.auth_type = auth_type;
13298 		changed |= UPDATE_AUTH_TYPE;
13299 	}
13300 
13301 	if (!wdev->connected)
13302 		return -ENOLINK;
13303 
13304 	return rdev_update_connect_params(rdev, dev, &connect, changed);
13305 }
13306 
13307 static int nl80211_disconnect(struct sk_buff *skb, struct genl_info *info)
13308 {
13309 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13310 	struct net_device *dev = info->user_ptr[1];
13311 	u16 reason;
13312 
13313 	if (dev->ieee80211_ptr->conn_owner_nlportid &&
13314 	    dev->ieee80211_ptr->conn_owner_nlportid != info->snd_portid)
13315 		return -EPERM;
13316 
13317 	reason = nla_get_u16_default(info->attrs[NL80211_ATTR_REASON_CODE],
13318 				     WLAN_REASON_DEAUTH_LEAVING);
13319 
13320 	if (reason == 0)
13321 		return -EINVAL;
13322 
13323 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
13324 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
13325 		return -EOPNOTSUPP;
13326 
13327 	return cfg80211_disconnect(rdev, dev, reason, true);
13328 }
13329 
13330 static int nl80211_wiphy_netns(struct sk_buff *skb, struct genl_info *info)
13331 {
13332 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13333 	struct net *net;
13334 	int err;
13335 
13336 	if (info->attrs[NL80211_ATTR_PID]) {
13337 		u32 pid = nla_get_u32(info->attrs[NL80211_ATTR_PID]);
13338 
13339 		net = get_net_ns_by_pid(pid);
13340 	} else if (info->attrs[NL80211_ATTR_NETNS_FD]) {
13341 		u32 fd = nla_get_u32(info->attrs[NL80211_ATTR_NETNS_FD]);
13342 
13343 		net = get_net_ns_by_fd(fd);
13344 	} else {
13345 		return -EINVAL;
13346 	}
13347 
13348 	if (IS_ERR(net))
13349 		return PTR_ERR(net);
13350 
13351 	err = 0;
13352 
13353 	/* check if anything to do */
13354 	if (!net_eq(wiphy_net(&rdev->wiphy), net))
13355 		err = cfg80211_switch_netns(rdev, net);
13356 
13357 	put_net(net);
13358 	return err;
13359 }
13360 
13361 static int nl80211_set_pmksa(struct sk_buff *skb, struct genl_info *info)
13362 {
13363 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13364 	struct net_device *dev = info->user_ptr[1];
13365 	struct cfg80211_pmksa pmksa;
13366 	bool ap_pmksa_caching_support = false;
13367 
13368 	memset(&pmksa, 0, sizeof(struct cfg80211_pmksa));
13369 
13370 	ap_pmksa_caching_support = wiphy_ext_feature_isset(&rdev->wiphy,
13371 		NL80211_EXT_FEATURE_AP_PMKSA_CACHING);
13372 
13373 	if (!info->attrs[NL80211_ATTR_PMKID])
13374 		return -EINVAL;
13375 
13376 	pmksa.pmkid = nla_data(info->attrs[NL80211_ATTR_PMKID]);
13377 
13378 	if (info->attrs[NL80211_ATTR_MAC]) {
13379 		pmksa.bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
13380 	} else if (info->attrs[NL80211_ATTR_SSID] &&
13381 	           info->attrs[NL80211_ATTR_FILS_CACHE_ID] &&
13382 	           info->attrs[NL80211_ATTR_PMK]) {
13383 		pmksa.ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
13384 		pmksa.ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
13385 		pmksa.cache_id = nla_data(info->attrs[NL80211_ATTR_FILS_CACHE_ID]);
13386 	} else {
13387 		return -EINVAL;
13388 	}
13389 
13390 	if (info->attrs[NL80211_ATTR_PMK]) {
13391 		pmksa.pmk = nla_data(info->attrs[NL80211_ATTR_PMK]);
13392 		pmksa.pmk_len = nla_len(info->attrs[NL80211_ATTR_PMK]);
13393 	}
13394 
13395 	if (info->attrs[NL80211_ATTR_PMK_LIFETIME])
13396 		pmksa.pmk_lifetime =
13397 			nla_get_u32(info->attrs[NL80211_ATTR_PMK_LIFETIME]);
13398 
13399 	if (info->attrs[NL80211_ATTR_PMK_REAUTH_THRESHOLD])
13400 		pmksa.pmk_reauth_threshold =
13401 			nla_get_u8(info->attrs[NL80211_ATTR_PMK_REAUTH_THRESHOLD]);
13402 
13403 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
13404 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT &&
13405 	    !((dev->ieee80211_ptr->iftype == NL80211_IFTYPE_AP ||
13406 	       dev->ieee80211_ptr->iftype == NL80211_IFTYPE_P2P_GO) &&
13407 	       ap_pmksa_caching_support))
13408 		return -EOPNOTSUPP;
13409 
13410 	if (!rdev->ops->set_pmksa)
13411 		return -EOPNOTSUPP;
13412 
13413 	return rdev_set_pmksa(rdev, dev, &pmksa);
13414 }
13415 
13416 static int nl80211_del_pmksa(struct sk_buff *skb, struct genl_info *info)
13417 {
13418 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13419 	struct net_device *dev = info->user_ptr[1];
13420 	struct cfg80211_pmksa pmksa;
13421 	bool sae_offload_support = false;
13422 	bool owe_offload_support = false;
13423 	bool ap_pmksa_caching_support = false;
13424 
13425 	memset(&pmksa, 0, sizeof(struct cfg80211_pmksa));
13426 
13427 	sae_offload_support = wiphy_ext_feature_isset(&rdev->wiphy,
13428 		NL80211_EXT_FEATURE_SAE_OFFLOAD);
13429 	owe_offload_support = wiphy_ext_feature_isset(&rdev->wiphy,
13430 		NL80211_EXT_FEATURE_OWE_OFFLOAD);
13431 	ap_pmksa_caching_support = wiphy_ext_feature_isset(&rdev->wiphy,
13432 		NL80211_EXT_FEATURE_AP_PMKSA_CACHING);
13433 
13434 	if (info->attrs[NL80211_ATTR_PMKID])
13435 		pmksa.pmkid = nla_data(info->attrs[NL80211_ATTR_PMKID]);
13436 
13437 	if (info->attrs[NL80211_ATTR_MAC]) {
13438 		pmksa.bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
13439 	} else if (info->attrs[NL80211_ATTR_SSID]) {
13440 		/* SSID based pmksa flush supported only for FILS,
13441 		 * OWE/SAE OFFLOAD cases
13442 		 */
13443 		if (info->attrs[NL80211_ATTR_FILS_CACHE_ID] &&
13444 		    info->attrs[NL80211_ATTR_PMK]) {
13445 			pmksa.cache_id = nla_data(info->attrs[NL80211_ATTR_FILS_CACHE_ID]);
13446 		} else if (!sae_offload_support && !owe_offload_support) {
13447 			return -EINVAL;
13448 		}
13449 		pmksa.ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
13450 		pmksa.ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
13451 	} else {
13452 		return -EINVAL;
13453 	}
13454 
13455 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
13456 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT &&
13457 	    !((dev->ieee80211_ptr->iftype == NL80211_IFTYPE_AP ||
13458 	       dev->ieee80211_ptr->iftype == NL80211_IFTYPE_P2P_GO) &&
13459 	       ap_pmksa_caching_support))
13460 		return -EOPNOTSUPP;
13461 
13462 	if (!rdev->ops->del_pmksa)
13463 		return -EOPNOTSUPP;
13464 
13465 	return rdev_del_pmksa(rdev, dev, &pmksa);
13466 }
13467 
13468 static int nl80211_flush_pmksa(struct sk_buff *skb, struct genl_info *info)
13469 {
13470 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13471 	struct net_device *dev = info->user_ptr[1];
13472 
13473 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
13474 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
13475 		return -EOPNOTSUPP;
13476 
13477 	if (!rdev->ops->flush_pmksa)
13478 		return -EOPNOTSUPP;
13479 
13480 	return rdev_flush_pmksa(rdev, dev);
13481 }
13482 
13483 static int nl80211_tdls_mgmt(struct sk_buff *skb, struct genl_info *info)
13484 {
13485 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13486 	struct net_device *dev = info->user_ptr[1];
13487 	u8 action_code, dialog_token;
13488 	u32 peer_capability = 0;
13489 	u16 status_code;
13490 	u8 *peer;
13491 	int link_id;
13492 	bool initiator;
13493 
13494 	if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) ||
13495 	    !rdev->ops->tdls_mgmt)
13496 		return -EOPNOTSUPP;
13497 
13498 	if (!info->attrs[NL80211_ATTR_TDLS_ACTION] ||
13499 	    !info->attrs[NL80211_ATTR_STATUS_CODE] ||
13500 	    !info->attrs[NL80211_ATTR_TDLS_DIALOG_TOKEN] ||
13501 	    !info->attrs[NL80211_ATTR_IE] ||
13502 	    !info->attrs[NL80211_ATTR_MAC])
13503 		return -EINVAL;
13504 
13505 	peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
13506 	action_code = nla_get_u8(info->attrs[NL80211_ATTR_TDLS_ACTION]);
13507 	status_code = nla_get_u16(info->attrs[NL80211_ATTR_STATUS_CODE]);
13508 	dialog_token = nla_get_u8(info->attrs[NL80211_ATTR_TDLS_DIALOG_TOKEN]);
13509 	initiator = nla_get_flag(info->attrs[NL80211_ATTR_TDLS_INITIATOR]);
13510 	if (info->attrs[NL80211_ATTR_TDLS_PEER_CAPABILITY])
13511 		peer_capability =
13512 			nla_get_u32(info->attrs[NL80211_ATTR_TDLS_PEER_CAPABILITY]);
13513 	link_id = nl80211_link_id_or_invalid(info->attrs);
13514 
13515 	return rdev_tdls_mgmt(rdev, dev, peer, link_id, action_code,
13516 			      dialog_token, status_code, peer_capability,
13517 			      initiator,
13518 			      nla_data(info->attrs[NL80211_ATTR_IE]),
13519 			      nla_len(info->attrs[NL80211_ATTR_IE]));
13520 }
13521 
13522 static int nl80211_tdls_oper(struct sk_buff *skb, struct genl_info *info)
13523 {
13524 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13525 	struct net_device *dev = info->user_ptr[1];
13526 	enum nl80211_tdls_operation operation;
13527 	u8 *peer;
13528 
13529 	if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) ||
13530 	    !rdev->ops->tdls_oper)
13531 		return -EOPNOTSUPP;
13532 
13533 	if (!info->attrs[NL80211_ATTR_TDLS_OPERATION] ||
13534 	    !info->attrs[NL80211_ATTR_MAC])
13535 		return -EINVAL;
13536 
13537 	operation = nla_get_u8(info->attrs[NL80211_ATTR_TDLS_OPERATION]);
13538 	peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
13539 
13540 	return rdev_tdls_oper(rdev, dev, peer, operation);
13541 }
13542 
13543 static int nl80211_remain_on_channel(struct sk_buff *skb,
13544 				     struct genl_info *info)
13545 {
13546 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13547 	unsigned int link_id = nl80211_link_id(info->attrs);
13548 	struct wireless_dev *wdev = info->user_ptr[1];
13549 	struct cfg80211_chan_def chandef;
13550 	struct sk_buff *msg;
13551 	void *hdr;
13552 	u64 cookie;
13553 	u32 duration;
13554 	int err;
13555 
13556 	if (!info->attrs[NL80211_ATTR_WIPHY_FREQ] ||
13557 	    !info->attrs[NL80211_ATTR_DURATION])
13558 		return -EINVAL;
13559 
13560 	duration = nla_get_u32(info->attrs[NL80211_ATTR_DURATION]);
13561 
13562 	if (!rdev->ops->remain_on_channel ||
13563 	    !(rdev->wiphy.flags & WIPHY_FLAG_HAS_REMAIN_ON_CHANNEL))
13564 		return -EOPNOTSUPP;
13565 
13566 	/*
13567 	 * We should be on that channel for at least a minimum amount of
13568 	 * time (10ms) but no longer than the driver supports.
13569 	 */
13570 	if (duration < NL80211_MIN_REMAIN_ON_CHANNEL_TIME ||
13571 	    duration > rdev->wiphy.max_remain_on_channel_duration)
13572 		return -EINVAL;
13573 
13574 	err = nl80211_parse_chandef(rdev, info, &chandef);
13575 	if (err)
13576 		return err;
13577 
13578 	if (!cfg80211_off_channel_oper_allowed(wdev, chandef.chan)) {
13579 		const struct cfg80211_chan_def *oper_chandef, *compat_chandef;
13580 
13581 		oper_chandef = wdev_chandef(wdev, link_id);
13582 
13583 		if (WARN_ON(!oper_chandef)) {
13584 			/* cannot happen since we must beacon to get here */
13585 			WARN_ON(1);
13586 			return -EBUSY;
13587 		}
13588 
13589 		/* note: returns first one if identical chandefs */
13590 		compat_chandef = cfg80211_chandef_compatible(&chandef,
13591 							     oper_chandef);
13592 
13593 		if (compat_chandef != &chandef)
13594 			return -EBUSY;
13595 	}
13596 
13597 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
13598 	if (!msg)
13599 		return -ENOMEM;
13600 
13601 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
13602 			     NL80211_CMD_REMAIN_ON_CHANNEL);
13603 	if (!hdr) {
13604 		err = -ENOBUFS;
13605 		goto free_msg;
13606 	}
13607 
13608 	err = rdev_remain_on_channel(rdev, wdev, chandef.chan,
13609 				     duration, &cookie);
13610 
13611 	if (err)
13612 		goto free_msg;
13613 
13614 	if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
13615 			      NL80211_ATTR_PAD))
13616 		goto nla_put_failure;
13617 
13618 	genlmsg_end(msg, hdr);
13619 
13620 	return genlmsg_reply(msg, info);
13621 
13622  nla_put_failure:
13623 	err = -ENOBUFS;
13624  free_msg:
13625 	nlmsg_free(msg);
13626 	return err;
13627 }
13628 
13629 static int nl80211_cancel_remain_on_channel(struct sk_buff *skb,
13630 					    struct genl_info *info)
13631 {
13632 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13633 	struct wireless_dev *wdev = info->user_ptr[1];
13634 	u64 cookie;
13635 
13636 	if (!info->attrs[NL80211_ATTR_COOKIE])
13637 		return -EINVAL;
13638 
13639 	if (!rdev->ops->cancel_remain_on_channel)
13640 		return -EOPNOTSUPP;
13641 
13642 	cookie = nla_get_u64(info->attrs[NL80211_ATTR_COOKIE]);
13643 
13644 	return rdev_cancel_remain_on_channel(rdev, wdev, cookie);
13645 }
13646 
13647 static int nl80211_set_tx_bitrate_mask(struct sk_buff *skb,
13648 				       struct genl_info *info)
13649 {
13650 	struct cfg80211_bitrate_mask mask;
13651 	unsigned int link_id = nl80211_link_id(info->attrs);
13652 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13653 	struct net_device *dev = info->user_ptr[1];
13654 	int err;
13655 
13656 	if (!rdev->ops->set_bitrate_mask)
13657 		return -EOPNOTSUPP;
13658 
13659 	err = nl80211_parse_tx_bitrate_mask(info, info->attrs,
13660 					    NL80211_ATTR_TX_RATES, &mask,
13661 					    dev, true, link_id);
13662 	if (err)
13663 		return err;
13664 
13665 	return rdev_set_bitrate_mask(rdev, dev, link_id, NULL, &mask);
13666 }
13667 
13668 static int nl80211_register_mgmt(struct sk_buff *skb, struct genl_info *info)
13669 {
13670 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13671 	struct wireless_dev *wdev = info->user_ptr[1];
13672 	u16 frame_type = IEEE80211_FTYPE_MGMT | IEEE80211_STYPE_ACTION;
13673 
13674 	if (!info->attrs[NL80211_ATTR_FRAME_MATCH])
13675 		return -EINVAL;
13676 
13677 	if (info->attrs[NL80211_ATTR_FRAME_TYPE])
13678 		frame_type = nla_get_u16(info->attrs[NL80211_ATTR_FRAME_TYPE]);
13679 
13680 	switch (wdev->iftype) {
13681 	case NL80211_IFTYPE_STATION:
13682 	case NL80211_IFTYPE_ADHOC:
13683 	case NL80211_IFTYPE_P2P_CLIENT:
13684 	case NL80211_IFTYPE_AP:
13685 	case NL80211_IFTYPE_AP_VLAN:
13686 	case NL80211_IFTYPE_MESH_POINT:
13687 	case NL80211_IFTYPE_P2P_GO:
13688 	case NL80211_IFTYPE_P2P_DEVICE:
13689 		break;
13690 	case NL80211_IFTYPE_NAN:
13691 		if (!wiphy_ext_feature_isset(wdev->wiphy,
13692 					     NL80211_EXT_FEATURE_SECURE_NAN))
13693 			return -EOPNOTSUPP;
13694 		break;
13695 	default:
13696 		return -EOPNOTSUPP;
13697 	}
13698 
13699 	/* not much point in registering if we can't reply */
13700 	if (!rdev->ops->mgmt_tx)
13701 		return -EOPNOTSUPP;
13702 
13703 	if (info->attrs[NL80211_ATTR_RECEIVE_MULTICAST] &&
13704 	    !wiphy_ext_feature_isset(&rdev->wiphy,
13705 				     NL80211_EXT_FEATURE_MULTICAST_REGISTRATIONS)) {
13706 		GENL_SET_ERR_MSG(info,
13707 				 "multicast RX registrations are not supported");
13708 		return -EOPNOTSUPP;
13709 	}
13710 
13711 	return cfg80211_mlme_register_mgmt(wdev, info->snd_portid, frame_type,
13712 					   nla_data(info->attrs[NL80211_ATTR_FRAME_MATCH]),
13713 					   nla_len(info->attrs[NL80211_ATTR_FRAME_MATCH]),
13714 					   info->attrs[NL80211_ATTR_RECEIVE_MULTICAST],
13715 					   info->extack);
13716 }
13717 
13718 static int nl80211_tx_mgmt(struct sk_buff *skb, struct genl_info *info)
13719 {
13720 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13721 	struct wireless_dev *wdev = info->user_ptr[1];
13722 	struct cfg80211_chan_def chandef;
13723 	int err;
13724 	void *hdr = NULL;
13725 	u64 cookie;
13726 	struct sk_buff *msg = NULL;
13727 	struct cfg80211_mgmt_tx_params params = {
13728 		.dont_wait_for_ack =
13729 			info->attrs[NL80211_ATTR_DONT_WAIT_FOR_ACK],
13730 	};
13731 
13732 	if (!info->attrs[NL80211_ATTR_FRAME])
13733 		return -EINVAL;
13734 
13735 	if (!rdev->ops->mgmt_tx)
13736 		return -EOPNOTSUPP;
13737 
13738 	switch (wdev->iftype) {
13739 	case NL80211_IFTYPE_P2P_DEVICE:
13740 		if (!info->attrs[NL80211_ATTR_WIPHY_FREQ])
13741 			return -EINVAL;
13742 		break;
13743 	case NL80211_IFTYPE_STATION:
13744 	case NL80211_IFTYPE_ADHOC:
13745 	case NL80211_IFTYPE_P2P_CLIENT:
13746 	case NL80211_IFTYPE_AP:
13747 	case NL80211_IFTYPE_AP_VLAN:
13748 	case NL80211_IFTYPE_MESH_POINT:
13749 	case NL80211_IFTYPE_P2P_GO:
13750 		break;
13751 	case NL80211_IFTYPE_NAN:
13752 		if (!wiphy_ext_feature_isset(wdev->wiphy,
13753 					     NL80211_EXT_FEATURE_SECURE_NAN))
13754 			return -EOPNOTSUPP;
13755 		break;
13756 	default:
13757 		return -EOPNOTSUPP;
13758 	}
13759 
13760 	if (info->attrs[NL80211_ATTR_DURATION]) {
13761 		if (!(rdev->wiphy.flags & WIPHY_FLAG_OFFCHAN_TX))
13762 			return -EINVAL;
13763 		params.wait = nla_get_u32(info->attrs[NL80211_ATTR_DURATION]);
13764 
13765 		/*
13766 		 * We should wait on the channel for at least a minimum amount
13767 		 * of time (10ms) but no longer than the driver supports.
13768 		 */
13769 		if (params.wait < NL80211_MIN_REMAIN_ON_CHANNEL_TIME ||
13770 		    params.wait > rdev->wiphy.max_remain_on_channel_duration)
13771 			return -EINVAL;
13772 	}
13773 
13774 	params.offchan = info->attrs[NL80211_ATTR_OFFCHANNEL_TX_OK];
13775 
13776 	if (params.offchan && !(rdev->wiphy.flags & WIPHY_FLAG_OFFCHAN_TX))
13777 		return -EINVAL;
13778 
13779 	params.no_cck = nla_get_flag(info->attrs[NL80211_ATTR_TX_NO_CCK_RATE]);
13780 
13781 	/* get the channel if any has been specified, otherwise pass NULL to
13782 	 * the driver. The latter will use the current one
13783 	 */
13784 	chandef.chan = NULL;
13785 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
13786 		err = nl80211_parse_chandef(rdev, info, &chandef);
13787 		if (err)
13788 			return err;
13789 	}
13790 
13791 	if (!chandef.chan && params.offchan)
13792 		return -EINVAL;
13793 
13794 	if (params.offchan &&
13795 	    !cfg80211_off_channel_oper_allowed(wdev, chandef.chan))
13796 		return -EBUSY;
13797 
13798 	params.link_id = nl80211_link_id_or_invalid(info->attrs);
13799 	/*
13800 	 * This now races due to the unlock, but we cannot check
13801 	 * the valid links for the _station_ anyway, so that's up
13802 	 * to the driver.
13803 	 */
13804 	if (params.link_id >= 0 &&
13805 	    !(wdev->valid_links & BIT(params.link_id)))
13806 		return -EINVAL;
13807 
13808 	params.buf = nla_data(info->attrs[NL80211_ATTR_FRAME]);
13809 	params.len = nla_len(info->attrs[NL80211_ATTR_FRAME]);
13810 
13811 	err = nl80211_parse_counter_offsets(rdev, NULL, params.len, -1,
13812 					    info->attrs[NL80211_ATTR_CSA_C_OFFSETS_TX],
13813 					    &params.csa_offsets,
13814 					    &params.n_csa_offsets);
13815 	if (err)
13816 		return err;
13817 
13818 	if (!params.dont_wait_for_ack) {
13819 		msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
13820 		if (!msg)
13821 			return -ENOMEM;
13822 
13823 		hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
13824 				     NL80211_CMD_FRAME);
13825 		if (!hdr) {
13826 			err = -ENOBUFS;
13827 			goto free_msg;
13828 		}
13829 	}
13830 
13831 	params.chan = chandef.chan;
13832 	err = cfg80211_mlme_mgmt_tx(rdev, wdev, &params, &cookie);
13833 	if (err)
13834 		goto free_msg;
13835 
13836 	if (msg) {
13837 		if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
13838 				      NL80211_ATTR_PAD))
13839 			goto nla_put_failure;
13840 
13841 		genlmsg_end(msg, hdr);
13842 		return genlmsg_reply(msg, info);
13843 	}
13844 
13845 	return 0;
13846 
13847  nla_put_failure:
13848 	err = -ENOBUFS;
13849  free_msg:
13850 	nlmsg_free(msg);
13851 	return err;
13852 }
13853 
13854 static int nl80211_tx_mgmt_cancel_wait(struct sk_buff *skb, struct genl_info *info)
13855 {
13856 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13857 	struct wireless_dev *wdev = info->user_ptr[1];
13858 	u64 cookie;
13859 
13860 	if (!info->attrs[NL80211_ATTR_COOKIE])
13861 		return -EINVAL;
13862 
13863 	if (!rdev->ops->mgmt_tx_cancel_wait)
13864 		return -EOPNOTSUPP;
13865 
13866 	switch (wdev->iftype) {
13867 	case NL80211_IFTYPE_STATION:
13868 	case NL80211_IFTYPE_ADHOC:
13869 	case NL80211_IFTYPE_P2P_CLIENT:
13870 	case NL80211_IFTYPE_AP:
13871 	case NL80211_IFTYPE_AP_VLAN:
13872 	case NL80211_IFTYPE_P2P_GO:
13873 	case NL80211_IFTYPE_P2P_DEVICE:
13874 		break;
13875 	case NL80211_IFTYPE_NAN:
13876 		if (!wiphy_ext_feature_isset(wdev->wiphy,
13877 					     NL80211_EXT_FEATURE_SECURE_NAN))
13878 			return -EOPNOTSUPP;
13879 		break;
13880 	default:
13881 		return -EOPNOTSUPP;
13882 	}
13883 
13884 	cookie = nla_get_u64(info->attrs[NL80211_ATTR_COOKIE]);
13885 
13886 	return rdev_mgmt_tx_cancel_wait(rdev, wdev, cookie);
13887 }
13888 
13889 static int nl80211_set_power_save(struct sk_buff *skb, struct genl_info *info)
13890 {
13891 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13892 	struct wireless_dev *wdev;
13893 	struct net_device *dev = info->user_ptr[1];
13894 	u8 ps_state;
13895 	bool state;
13896 	int err;
13897 
13898 	if (!info->attrs[NL80211_ATTR_PS_STATE])
13899 		return -EINVAL;
13900 
13901 	ps_state = nla_get_u32(info->attrs[NL80211_ATTR_PS_STATE]);
13902 
13903 	wdev = dev->ieee80211_ptr;
13904 
13905 	if (!rdev->ops->set_power_mgmt)
13906 		return -EOPNOTSUPP;
13907 
13908 	state = (ps_state == NL80211_PS_ENABLED) ? true : false;
13909 
13910 	if (state == wdev->ps)
13911 		return 0;
13912 
13913 	err = rdev_set_power_mgmt(rdev, dev, state, wdev->ps_timeout);
13914 	if (!err)
13915 		wdev->ps = state;
13916 	return err;
13917 }
13918 
13919 static int nl80211_get_power_save(struct sk_buff *skb, struct genl_info *info)
13920 {
13921 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13922 	enum nl80211_ps_state ps_state;
13923 	struct wireless_dev *wdev;
13924 	struct net_device *dev = info->user_ptr[1];
13925 	struct sk_buff *msg;
13926 	void *hdr;
13927 	int err;
13928 
13929 	wdev = dev->ieee80211_ptr;
13930 
13931 	if (!rdev->ops->set_power_mgmt)
13932 		return -EOPNOTSUPP;
13933 
13934 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
13935 	if (!msg)
13936 		return -ENOMEM;
13937 
13938 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
13939 			     NL80211_CMD_GET_POWER_SAVE);
13940 	if (!hdr) {
13941 		err = -ENOBUFS;
13942 		goto free_msg;
13943 	}
13944 
13945 	if (wdev->ps)
13946 		ps_state = NL80211_PS_ENABLED;
13947 	else
13948 		ps_state = NL80211_PS_DISABLED;
13949 
13950 	if (nla_put_u32(msg, NL80211_ATTR_PS_STATE, ps_state))
13951 		goto nla_put_failure;
13952 
13953 	genlmsg_end(msg, hdr);
13954 	return genlmsg_reply(msg, info);
13955 
13956  nla_put_failure:
13957 	err = -ENOBUFS;
13958  free_msg:
13959 	nlmsg_free(msg);
13960 	return err;
13961 }
13962 
13963 static const struct nla_policy
13964 nl80211_attr_cqm_policy[NL80211_ATTR_CQM_MAX + 1] = {
13965 	[NL80211_ATTR_CQM_RSSI_THOLD] = { .type = NLA_BINARY },
13966 	[NL80211_ATTR_CQM_RSSI_HYST] = { .type = NLA_U32 },
13967 	[NL80211_ATTR_CQM_RSSI_THRESHOLD_EVENT] = { .type = NLA_U32 },
13968 	[NL80211_ATTR_CQM_TXE_RATE] = { .type = NLA_U32 },
13969 	[NL80211_ATTR_CQM_TXE_PKTS] = { .type = NLA_U32 },
13970 	[NL80211_ATTR_CQM_TXE_INTVL] = { .type = NLA_U32 },
13971 	[NL80211_ATTR_CQM_RSSI_LEVEL] = { .type = NLA_S32 },
13972 };
13973 
13974 static int nl80211_set_cqm_txe(struct genl_info *info,
13975 			       u32 rate, u32 pkts, u32 intvl)
13976 {
13977 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13978 	struct net_device *dev = info->user_ptr[1];
13979 	struct wireless_dev *wdev = dev->ieee80211_ptr;
13980 
13981 	if (rate > 100 || intvl > NL80211_CQM_TXE_MAX_INTVL)
13982 		return -EINVAL;
13983 
13984 	if (!rdev->ops->set_cqm_txe_config)
13985 		return -EOPNOTSUPP;
13986 
13987 	if (wdev->iftype != NL80211_IFTYPE_STATION &&
13988 	    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT)
13989 		return -EOPNOTSUPP;
13990 
13991 	return rdev_set_cqm_txe_config(rdev, dev, rate, pkts, intvl);
13992 }
13993 
13994 static int cfg80211_cqm_rssi_update(struct cfg80211_registered_device *rdev,
13995 				    struct net_device *dev,
13996 				    struct cfg80211_cqm_config *cqm_config)
13997 {
13998 	struct wireless_dev *wdev = dev->ieee80211_ptr;
13999 	s32 last, low, high;
14000 	u32 hyst;
14001 	int i, n, low_index;
14002 	int err;
14003 
14004 	/*
14005 	 * Obtain current RSSI value if possible, if not and no RSSI threshold
14006 	 * event has been received yet, we should receive an event after a
14007 	 * connection is established and enough beacons received to calculate
14008 	 * the average.
14009 	 */
14010 	if (!cqm_config->last_rssi_event_value &&
14011 	    wdev->links[0].client.current_bss &&
14012 	    rdev->ops->get_station) {
14013 		struct station_info sinfo = {};
14014 		u8 *mac_addr;
14015 
14016 		mac_addr = wdev->links[0].client.current_bss->pub.bssid;
14017 
14018 		err = rdev_get_station(rdev, dev, mac_addr, &sinfo);
14019 		if (err)
14020 			return err;
14021 
14022 		cfg80211_sinfo_release_content(&sinfo);
14023 		if (sinfo.filled & BIT_ULL(NL80211_STA_INFO_BEACON_SIGNAL_AVG))
14024 			cqm_config->last_rssi_event_value =
14025 				(s8) sinfo.rx_beacon_signal_avg;
14026 	}
14027 
14028 	last = cqm_config->last_rssi_event_value;
14029 	hyst = cqm_config->rssi_hyst;
14030 	n = cqm_config->n_rssi_thresholds;
14031 
14032 	for (i = 0; i < n; i++) {
14033 		i = array_index_nospec(i, n);
14034 		if (last < cqm_config->rssi_thresholds[i])
14035 			break;
14036 	}
14037 
14038 	low_index = i - 1;
14039 	if (low_index >= 0) {
14040 		low_index = array_index_nospec(low_index, n);
14041 		low = cqm_config->rssi_thresholds[low_index] - hyst;
14042 	} else {
14043 		low = S32_MIN;
14044 	}
14045 	if (i < n) {
14046 		i = array_index_nospec(i, n);
14047 		high = cqm_config->rssi_thresholds[i] + hyst - 1;
14048 	} else {
14049 		high = S32_MAX;
14050 	}
14051 
14052 	return rdev_set_cqm_rssi_range_config(rdev, dev, low, high);
14053 }
14054 
14055 static int nl80211_set_cqm_rssi(struct genl_info *info,
14056 				const s32 *thresholds, int n_thresholds,
14057 				u32 hysteresis)
14058 {
14059 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14060 	struct cfg80211_cqm_config *cqm_config = NULL, *old;
14061 	struct net_device *dev = info->user_ptr[1];
14062 	struct wireless_dev *wdev = dev->ieee80211_ptr;
14063 	s32 prev = S32_MIN;
14064 	int i, err;
14065 
14066 	/* Check all values negative and sorted */
14067 	for (i = 0; i < n_thresholds; i++) {
14068 		if (thresholds[i] > 0 || thresholds[i] <= prev)
14069 			return -EINVAL;
14070 
14071 		prev = thresholds[i];
14072 	}
14073 
14074 	if (wdev->iftype != NL80211_IFTYPE_STATION &&
14075 	    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT)
14076 		return -EOPNOTSUPP;
14077 
14078 	if (n_thresholds == 1 && thresholds[0] == 0) /* Disabling */
14079 		n_thresholds = 0;
14080 
14081 	old = wiphy_dereference(wdev->wiphy, wdev->cqm_config);
14082 
14083 	/* if already disabled just succeed */
14084 	if (!n_thresholds && !old)
14085 		return 0;
14086 
14087 	if (n_thresholds > 1) {
14088 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
14089 					     NL80211_EXT_FEATURE_CQM_RSSI_LIST) ||
14090 		    !rdev->ops->set_cqm_rssi_range_config)
14091 			return -EOPNOTSUPP;
14092 	} else {
14093 		if (!rdev->ops->set_cqm_rssi_config)
14094 			return -EOPNOTSUPP;
14095 	}
14096 
14097 	if (n_thresholds) {
14098 		cqm_config = kzalloc(struct_size(cqm_config, rssi_thresholds,
14099 						 n_thresholds),
14100 				     GFP_KERNEL);
14101 		if (!cqm_config)
14102 			return -ENOMEM;
14103 
14104 		cqm_config->rssi_hyst = hysteresis;
14105 		cqm_config->n_rssi_thresholds = n_thresholds;
14106 		memcpy(cqm_config->rssi_thresholds, thresholds,
14107 		       flex_array_size(cqm_config, rssi_thresholds,
14108 				       n_thresholds));
14109 		cqm_config->use_range_api = n_thresholds > 1 ||
14110 					    !rdev->ops->set_cqm_rssi_config;
14111 
14112 		rcu_assign_pointer(wdev->cqm_config, cqm_config);
14113 
14114 		if (cqm_config->use_range_api)
14115 			err = cfg80211_cqm_rssi_update(rdev, dev, cqm_config);
14116 		else
14117 			err = rdev_set_cqm_rssi_config(rdev, dev,
14118 						       thresholds[0],
14119 						       hysteresis);
14120 	} else {
14121 		RCU_INIT_POINTER(wdev->cqm_config, NULL);
14122 		/* if enabled as range also disable via range */
14123 		if (old->use_range_api)
14124 			err = rdev_set_cqm_rssi_range_config(rdev, dev, 0, 0);
14125 		else
14126 			err = rdev_set_cqm_rssi_config(rdev, dev, 0, 0);
14127 	}
14128 
14129 	if (err) {
14130 		rcu_assign_pointer(wdev->cqm_config, old);
14131 		kfree_rcu(cqm_config, rcu_head);
14132 	} else {
14133 		kfree_rcu(old, rcu_head);
14134 	}
14135 
14136 	return err;
14137 }
14138 
14139 static int nl80211_set_cqm(struct sk_buff *skb, struct genl_info *info)
14140 {
14141 	struct nlattr *attrs[NL80211_ATTR_CQM_MAX + 1];
14142 	struct nlattr *cqm;
14143 	int err;
14144 
14145 	cqm = info->attrs[NL80211_ATTR_CQM];
14146 	if (!cqm)
14147 		return -EINVAL;
14148 
14149 	err = nla_parse_nested_deprecated(attrs, NL80211_ATTR_CQM_MAX, cqm,
14150 					  nl80211_attr_cqm_policy,
14151 					  info->extack);
14152 	if (err)
14153 		return err;
14154 
14155 	if (attrs[NL80211_ATTR_CQM_RSSI_THOLD] &&
14156 	    attrs[NL80211_ATTR_CQM_RSSI_HYST]) {
14157 		const s32 *thresholds =
14158 			nla_data(attrs[NL80211_ATTR_CQM_RSSI_THOLD]);
14159 		int len = nla_len(attrs[NL80211_ATTR_CQM_RSSI_THOLD]);
14160 		u32 hysteresis = nla_get_u32(attrs[NL80211_ATTR_CQM_RSSI_HYST]);
14161 
14162 		if (len % 4)
14163 			return -EINVAL;
14164 
14165 		return nl80211_set_cqm_rssi(info, thresholds, len / 4,
14166 					    hysteresis);
14167 	}
14168 
14169 	if (attrs[NL80211_ATTR_CQM_TXE_RATE] &&
14170 	    attrs[NL80211_ATTR_CQM_TXE_PKTS] &&
14171 	    attrs[NL80211_ATTR_CQM_TXE_INTVL]) {
14172 		u32 rate = nla_get_u32(attrs[NL80211_ATTR_CQM_TXE_RATE]);
14173 		u32 pkts = nla_get_u32(attrs[NL80211_ATTR_CQM_TXE_PKTS]);
14174 		u32 intvl = nla_get_u32(attrs[NL80211_ATTR_CQM_TXE_INTVL]);
14175 
14176 		return nl80211_set_cqm_txe(info, rate, pkts, intvl);
14177 	}
14178 
14179 	return -EINVAL;
14180 }
14181 
14182 static int nl80211_join_ocb(struct sk_buff *skb, struct genl_info *info)
14183 {
14184 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14185 	struct net_device *dev = info->user_ptr[1];
14186 	struct ocb_setup setup = {};
14187 	int err;
14188 
14189 	err = nl80211_parse_chandef(rdev, info, &setup.chandef);
14190 	if (err)
14191 		return err;
14192 
14193 	return cfg80211_join_ocb(rdev, dev, &setup);
14194 }
14195 
14196 static int nl80211_leave_ocb(struct sk_buff *skb, struct genl_info *info)
14197 {
14198 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14199 	struct net_device *dev = info->user_ptr[1];
14200 
14201 	return cfg80211_leave_ocb(rdev, dev);
14202 }
14203 
14204 static int nl80211_join_mesh(struct sk_buff *skb, struct genl_info *info)
14205 {
14206 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14207 	struct net_device *dev = info->user_ptr[1];
14208 	struct mesh_config cfg;
14209 	struct mesh_setup setup;
14210 	int err;
14211 
14212 	/* start with default */
14213 	memcpy(&cfg, &default_mesh_config, sizeof(cfg));
14214 	memcpy(&setup, &default_mesh_setup, sizeof(setup));
14215 
14216 	if (info->attrs[NL80211_ATTR_MESH_CONFIG]) {
14217 		/* and parse parameters if given */
14218 		err = nl80211_parse_mesh_config(info, &cfg, NULL);
14219 		if (err)
14220 			return err;
14221 	}
14222 
14223 	if (!info->attrs[NL80211_ATTR_MESH_ID] ||
14224 	    !nla_len(info->attrs[NL80211_ATTR_MESH_ID]))
14225 		return -EINVAL;
14226 
14227 	setup.mesh_id = nla_data(info->attrs[NL80211_ATTR_MESH_ID]);
14228 	setup.mesh_id_len = nla_len(info->attrs[NL80211_ATTR_MESH_ID]);
14229 
14230 	if (info->attrs[NL80211_ATTR_MCAST_RATE] &&
14231 	    !nl80211_parse_mcast_rate(rdev, setup.mcast_rate,
14232 			    nla_get_u32(info->attrs[NL80211_ATTR_MCAST_RATE])))
14233 			return -EINVAL;
14234 
14235 	if (info->attrs[NL80211_ATTR_BEACON_INTERVAL]) {
14236 		setup.beacon_interval =
14237 			nla_get_u32(info->attrs[NL80211_ATTR_BEACON_INTERVAL]);
14238 
14239 		err = cfg80211_validate_beacon_int(rdev,
14240 						   NL80211_IFTYPE_MESH_POINT,
14241 						   setup.beacon_interval);
14242 		if (err)
14243 			return err;
14244 	}
14245 
14246 	if (info->attrs[NL80211_ATTR_DTIM_PERIOD]) {
14247 		setup.dtim_period =
14248 			nla_get_u32(info->attrs[NL80211_ATTR_DTIM_PERIOD]);
14249 		if (setup.dtim_period < 1 || setup.dtim_period > 100)
14250 			return -EINVAL;
14251 	}
14252 
14253 	if (info->attrs[NL80211_ATTR_MESH_SETUP]) {
14254 		/* parse additional setup parameters if given */
14255 		err = nl80211_parse_mesh_setup(info, &setup);
14256 		if (err)
14257 			return err;
14258 	}
14259 
14260 	if (setup.user_mpm)
14261 		cfg.auto_open_plinks = false;
14262 
14263 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
14264 		err = nl80211_parse_chandef(rdev, info, &setup.chandef);
14265 		if (err)
14266 			return err;
14267 	} else {
14268 		/* __cfg80211_join_mesh() will sort it out */
14269 		setup.chandef.chan = NULL;
14270 	}
14271 
14272 	if (info->attrs[NL80211_ATTR_BSS_BASIC_RATES]) {
14273 		u8 *rates = nla_data(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
14274 		int n_rates =
14275 			nla_len(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
14276 		struct ieee80211_supported_band *sband;
14277 
14278 		if (!setup.chandef.chan)
14279 			return -EINVAL;
14280 
14281 		sband = rdev->wiphy.bands[setup.chandef.chan->band];
14282 
14283 		err = ieee80211_get_ratemask(sband, rates, n_rates,
14284 					     &setup.basic_rates);
14285 		if (err)
14286 			return err;
14287 	}
14288 
14289 	if (info->attrs[NL80211_ATTR_TX_RATES]) {
14290 		err = nl80211_parse_tx_bitrate_mask(info, info->attrs,
14291 						    NL80211_ATTR_TX_RATES,
14292 						    &setup.beacon_rate,
14293 						    dev, false, 0);
14294 		if (err)
14295 			return err;
14296 
14297 		if (!setup.chandef.chan)
14298 			return -EINVAL;
14299 
14300 		err = validate_beacon_tx_rate(rdev, setup.chandef.chan->band,
14301 					      &setup.beacon_rate);
14302 		if (err)
14303 			return err;
14304 	}
14305 
14306 	setup.userspace_handles_dfs =
14307 		nla_get_flag(info->attrs[NL80211_ATTR_HANDLE_DFS]);
14308 
14309 	if (info->attrs[NL80211_ATTR_CONTROL_PORT_OVER_NL80211]) {
14310 		int r = validate_pae_over_nl80211(rdev, info);
14311 
14312 		if (r < 0)
14313 			return r;
14314 
14315 		setup.control_port_over_nl80211 = true;
14316 	}
14317 
14318 	err = __cfg80211_join_mesh(rdev, dev, &setup, &cfg);
14319 	if (!err && info->attrs[NL80211_ATTR_SOCKET_OWNER])
14320 		dev->ieee80211_ptr->conn_owner_nlportid = info->snd_portid;
14321 
14322 	return err;
14323 }
14324 
14325 static int nl80211_leave_mesh(struct sk_buff *skb, struct genl_info *info)
14326 {
14327 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14328 	struct net_device *dev = info->user_ptr[1];
14329 
14330 	return cfg80211_leave_mesh(rdev, dev);
14331 }
14332 
14333 #ifdef CONFIG_PM
14334 static int nl80211_send_wowlan_patterns(struct sk_buff *msg,
14335 					struct cfg80211_registered_device *rdev)
14336 {
14337 	struct cfg80211_wowlan *wowlan = rdev->wiphy.wowlan_config;
14338 	struct nlattr *nl_pats, *nl_pat;
14339 	int i, pat_len;
14340 
14341 	if (!wowlan->n_patterns)
14342 		return 0;
14343 
14344 	nl_pats = nla_nest_start_noflag(msg, NL80211_WOWLAN_TRIG_PKT_PATTERN);
14345 	if (!nl_pats)
14346 		return -ENOBUFS;
14347 
14348 	for (i = 0; i < wowlan->n_patterns; i++) {
14349 		nl_pat = nla_nest_start_noflag(msg, i + 1);
14350 		if (!nl_pat)
14351 			return -ENOBUFS;
14352 		pat_len = wowlan->patterns[i].pattern_len;
14353 		if (nla_put(msg, NL80211_PKTPAT_MASK, DIV_ROUND_UP(pat_len, 8),
14354 			    wowlan->patterns[i].mask) ||
14355 		    nla_put(msg, NL80211_PKTPAT_PATTERN, pat_len,
14356 			    wowlan->patterns[i].pattern) ||
14357 		    nla_put_u32(msg, NL80211_PKTPAT_OFFSET,
14358 				wowlan->patterns[i].pkt_offset))
14359 			return -ENOBUFS;
14360 		nla_nest_end(msg, nl_pat);
14361 	}
14362 	nla_nest_end(msg, nl_pats);
14363 
14364 	return 0;
14365 }
14366 
14367 static int nl80211_send_wowlan_tcp(struct sk_buff *msg,
14368 				   struct cfg80211_wowlan_tcp *tcp)
14369 {
14370 	struct nlattr *nl_tcp;
14371 
14372 	if (!tcp)
14373 		return 0;
14374 
14375 	nl_tcp = nla_nest_start_noflag(msg,
14376 				       NL80211_WOWLAN_TRIG_TCP_CONNECTION);
14377 	if (!nl_tcp)
14378 		return -ENOBUFS;
14379 
14380 	if (nla_put_in_addr(msg, NL80211_WOWLAN_TCP_SRC_IPV4, tcp->src) ||
14381 	    nla_put_in_addr(msg, NL80211_WOWLAN_TCP_DST_IPV4, tcp->dst) ||
14382 	    nla_put(msg, NL80211_WOWLAN_TCP_DST_MAC, ETH_ALEN, tcp->dst_mac) ||
14383 	    nla_put_u16(msg, NL80211_WOWLAN_TCP_SRC_PORT, tcp->src_port) ||
14384 	    nla_put_u16(msg, NL80211_WOWLAN_TCP_DST_PORT, tcp->dst_port) ||
14385 	    nla_put(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD,
14386 		    tcp->payload_len, tcp->payload) ||
14387 	    nla_put_u32(msg, NL80211_WOWLAN_TCP_DATA_INTERVAL,
14388 			tcp->data_interval) ||
14389 	    nla_put(msg, NL80211_WOWLAN_TCP_WAKE_PAYLOAD,
14390 		    tcp->wake_len, tcp->wake_data) ||
14391 	    nla_put(msg, NL80211_WOWLAN_TCP_WAKE_MASK,
14392 		    DIV_ROUND_UP(tcp->wake_len, 8), tcp->wake_mask))
14393 		return -ENOBUFS;
14394 
14395 	if (tcp->payload_seq.len &&
14396 	    nla_put(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ,
14397 		    sizeof(tcp->payload_seq), &tcp->payload_seq))
14398 		return -ENOBUFS;
14399 
14400 	if (tcp->payload_tok.len &&
14401 	    nla_put(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN,
14402 		    sizeof(tcp->payload_tok) + tcp->tokens_size,
14403 		    &tcp->payload_tok))
14404 		return -ENOBUFS;
14405 
14406 	nla_nest_end(msg, nl_tcp);
14407 
14408 	return 0;
14409 }
14410 
14411 static int nl80211_send_wowlan_nd(struct sk_buff *msg,
14412 				  struct cfg80211_sched_scan_request *req)
14413 {
14414 	struct nlattr *nd, *freqs, *matches, *match, *scan_plans, *scan_plan;
14415 	int i;
14416 
14417 	if (!req)
14418 		return 0;
14419 
14420 	nd = nla_nest_start_noflag(msg, NL80211_WOWLAN_TRIG_NET_DETECT);
14421 	if (!nd)
14422 		return -ENOBUFS;
14423 
14424 	if (req->n_scan_plans == 1 &&
14425 	    nla_put_u32(msg, NL80211_ATTR_SCHED_SCAN_INTERVAL,
14426 			req->scan_plans[0].interval * 1000))
14427 		return -ENOBUFS;
14428 
14429 	if (nla_put_u32(msg, NL80211_ATTR_SCHED_SCAN_DELAY, req->delay))
14430 		return -ENOBUFS;
14431 
14432 	if (req->relative_rssi_set) {
14433 		struct nl80211_bss_select_rssi_adjust rssi_adjust;
14434 
14435 		if (nla_put_s8(msg, NL80211_ATTR_SCHED_SCAN_RELATIVE_RSSI,
14436 			       req->relative_rssi))
14437 			return -ENOBUFS;
14438 
14439 		rssi_adjust.band = req->rssi_adjust.band;
14440 		rssi_adjust.delta = req->rssi_adjust.delta;
14441 		if (nla_put(msg, NL80211_ATTR_SCHED_SCAN_RSSI_ADJUST,
14442 			    sizeof(rssi_adjust), &rssi_adjust))
14443 			return -ENOBUFS;
14444 	}
14445 
14446 	freqs = nla_nest_start_noflag(msg, NL80211_ATTR_SCAN_FREQUENCIES);
14447 	if (!freqs)
14448 		return -ENOBUFS;
14449 
14450 	for (i = 0; i < req->n_channels; i++) {
14451 		if (nla_put_u32(msg, i, req->channels[i]->center_freq))
14452 			return -ENOBUFS;
14453 	}
14454 
14455 	nla_nest_end(msg, freqs);
14456 
14457 	if (req->n_match_sets) {
14458 		matches = nla_nest_start_noflag(msg,
14459 						NL80211_ATTR_SCHED_SCAN_MATCH);
14460 		if (!matches)
14461 			return -ENOBUFS;
14462 
14463 		for (i = 0; i < req->n_match_sets; i++) {
14464 			match = nla_nest_start_noflag(msg, i);
14465 			if (!match)
14466 				return -ENOBUFS;
14467 
14468 			if (nla_put(msg, NL80211_SCHED_SCAN_MATCH_ATTR_SSID,
14469 				    req->match_sets[i].ssid.ssid_len,
14470 				    req->match_sets[i].ssid.ssid))
14471 				return -ENOBUFS;
14472 			nla_nest_end(msg, match);
14473 		}
14474 		nla_nest_end(msg, matches);
14475 	}
14476 
14477 	scan_plans = nla_nest_start_noflag(msg, NL80211_ATTR_SCHED_SCAN_PLANS);
14478 	if (!scan_plans)
14479 		return -ENOBUFS;
14480 
14481 	for (i = 0; i < req->n_scan_plans; i++) {
14482 		scan_plan = nla_nest_start_noflag(msg, i + 1);
14483 		if (!scan_plan)
14484 			return -ENOBUFS;
14485 
14486 		if (nla_put_u32(msg, NL80211_SCHED_SCAN_PLAN_INTERVAL,
14487 				req->scan_plans[i].interval) ||
14488 		    (req->scan_plans[i].iterations &&
14489 		     nla_put_u32(msg, NL80211_SCHED_SCAN_PLAN_ITERATIONS,
14490 				 req->scan_plans[i].iterations)))
14491 			return -ENOBUFS;
14492 		nla_nest_end(msg, scan_plan);
14493 	}
14494 	nla_nest_end(msg, scan_plans);
14495 
14496 	nla_nest_end(msg, nd);
14497 
14498 	return 0;
14499 }
14500 
14501 static int nl80211_get_wowlan(struct sk_buff *skb, struct genl_info *info)
14502 {
14503 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14504 	struct sk_buff *msg;
14505 	void *hdr;
14506 	u32 size = NLMSG_DEFAULT_SIZE;
14507 
14508 	if (!rdev->wiphy.wowlan)
14509 		return -EOPNOTSUPP;
14510 
14511 	if (rdev->wiphy.wowlan_config && rdev->wiphy.wowlan_config->tcp) {
14512 		/* adjust size to have room for all the data */
14513 		size += rdev->wiphy.wowlan_config->tcp->tokens_size +
14514 			rdev->wiphy.wowlan_config->tcp->payload_len +
14515 			rdev->wiphy.wowlan_config->tcp->wake_len +
14516 			rdev->wiphy.wowlan_config->tcp->wake_len / 8;
14517 	}
14518 
14519 	msg = nlmsg_new(size, GFP_KERNEL);
14520 	if (!msg)
14521 		return -ENOMEM;
14522 
14523 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
14524 			     NL80211_CMD_GET_WOWLAN);
14525 	if (!hdr)
14526 		goto nla_put_failure;
14527 
14528 	if (rdev->wiphy.wowlan_config) {
14529 		struct nlattr *nl_wowlan;
14530 
14531 		nl_wowlan = nla_nest_start_noflag(msg,
14532 						  NL80211_ATTR_WOWLAN_TRIGGERS);
14533 		if (!nl_wowlan)
14534 			goto nla_put_failure;
14535 
14536 		if ((rdev->wiphy.wowlan_config->any &&
14537 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_ANY)) ||
14538 		    (rdev->wiphy.wowlan_config->disconnect &&
14539 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_DISCONNECT)) ||
14540 		    (rdev->wiphy.wowlan_config->magic_pkt &&
14541 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_MAGIC_PKT)) ||
14542 		    (rdev->wiphy.wowlan_config->gtk_rekey_failure &&
14543 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE)) ||
14544 		    (rdev->wiphy.wowlan_config->eap_identity_req &&
14545 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST)) ||
14546 		    (rdev->wiphy.wowlan_config->four_way_handshake &&
14547 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE)) ||
14548 		    (rdev->wiphy.wowlan_config->rfkill_release &&
14549 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_RFKILL_RELEASE)))
14550 			goto nla_put_failure;
14551 
14552 		if (nl80211_send_wowlan_patterns(msg, rdev))
14553 			goto nla_put_failure;
14554 
14555 		if (nl80211_send_wowlan_tcp(msg,
14556 					    rdev->wiphy.wowlan_config->tcp))
14557 			goto nla_put_failure;
14558 
14559 		if (nl80211_send_wowlan_nd(
14560 			    msg,
14561 			    rdev->wiphy.wowlan_config->nd_config))
14562 			goto nla_put_failure;
14563 
14564 		nla_nest_end(msg, nl_wowlan);
14565 	}
14566 
14567 	genlmsg_end(msg, hdr);
14568 	return genlmsg_reply(msg, info);
14569 
14570 nla_put_failure:
14571 	nlmsg_free(msg);
14572 	return -ENOBUFS;
14573 }
14574 
14575 static int nl80211_parse_wowlan_tcp(struct cfg80211_registered_device *rdev,
14576 				    struct nlattr *attr,
14577 				    struct cfg80211_wowlan *trig)
14578 {
14579 	struct nlattr *tb[NUM_NL80211_WOWLAN_TCP];
14580 	struct cfg80211_wowlan_tcp *cfg;
14581 	struct nl80211_wowlan_tcp_data_token *tok = NULL;
14582 	struct nl80211_wowlan_tcp_data_seq *seq = NULL;
14583 	u32 size;
14584 	u32 data_size, wake_size, tokens_size = 0, wake_mask_size;
14585 	int err, port;
14586 
14587 	if (!rdev->wiphy.wowlan->tcp)
14588 		return -EINVAL;
14589 
14590 	err = nla_parse_nested_deprecated(tb, MAX_NL80211_WOWLAN_TCP, attr,
14591 					  nl80211_wowlan_tcp_policy, NULL);
14592 	if (err)
14593 		return err;
14594 
14595 	if (!tb[NL80211_WOWLAN_TCP_SRC_IPV4] ||
14596 	    !tb[NL80211_WOWLAN_TCP_DST_IPV4] ||
14597 	    !tb[NL80211_WOWLAN_TCP_DST_MAC] ||
14598 	    !tb[NL80211_WOWLAN_TCP_DST_PORT] ||
14599 	    !tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD] ||
14600 	    !tb[NL80211_WOWLAN_TCP_DATA_INTERVAL] ||
14601 	    !tb[NL80211_WOWLAN_TCP_WAKE_PAYLOAD] ||
14602 	    !tb[NL80211_WOWLAN_TCP_WAKE_MASK])
14603 		return -EINVAL;
14604 
14605 	data_size = nla_len(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD]);
14606 	if (data_size > rdev->wiphy.wowlan->tcp->data_payload_max)
14607 		return -EINVAL;
14608 
14609 	if (nla_get_u32(tb[NL80211_WOWLAN_TCP_DATA_INTERVAL]) >
14610 			rdev->wiphy.wowlan->tcp->data_interval_max ||
14611 	    nla_get_u32(tb[NL80211_WOWLAN_TCP_DATA_INTERVAL]) == 0)
14612 		return -EINVAL;
14613 
14614 	wake_size = nla_len(tb[NL80211_WOWLAN_TCP_WAKE_PAYLOAD]);
14615 	if (wake_size > rdev->wiphy.wowlan->tcp->wake_payload_max)
14616 		return -EINVAL;
14617 
14618 	wake_mask_size = nla_len(tb[NL80211_WOWLAN_TCP_WAKE_MASK]);
14619 	if (wake_mask_size != DIV_ROUND_UP(wake_size, 8))
14620 		return -EINVAL;
14621 
14622 	if (tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN]) {
14623 		u32 tokln = nla_len(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN]);
14624 
14625 		tok = nla_data(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN]);
14626 		tokens_size = tokln - sizeof(*tok);
14627 
14628 		if (!tok->len || tokens_size % tok->len)
14629 			return -EINVAL;
14630 		if (!rdev->wiphy.wowlan->tcp->tok)
14631 			return -EINVAL;
14632 		if (tok->len > rdev->wiphy.wowlan->tcp->tok->max_len)
14633 			return -EINVAL;
14634 		if (tok->len < rdev->wiphy.wowlan->tcp->tok->min_len)
14635 			return -EINVAL;
14636 		if (tokens_size > rdev->wiphy.wowlan->tcp->tok->bufsize)
14637 			return -EINVAL;
14638 		if (tok->offset + tok->len > data_size)
14639 			return -EINVAL;
14640 	}
14641 
14642 	if (tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ]) {
14643 		seq = nla_data(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ]);
14644 		if (!rdev->wiphy.wowlan->tcp->seq)
14645 			return -EINVAL;
14646 		if (seq->len == 0 || seq->len > 4)
14647 			return -EINVAL;
14648 		if (seq->len + seq->offset > data_size)
14649 			return -EINVAL;
14650 	}
14651 
14652 	size = sizeof(*cfg);
14653 	size += data_size;
14654 	size += wake_size + wake_mask_size;
14655 	size += tokens_size;
14656 
14657 	cfg = kzalloc(size, GFP_KERNEL);
14658 	if (!cfg)
14659 		return -ENOMEM;
14660 	cfg->src = nla_get_in_addr(tb[NL80211_WOWLAN_TCP_SRC_IPV4]);
14661 	cfg->dst = nla_get_in_addr(tb[NL80211_WOWLAN_TCP_DST_IPV4]);
14662 	memcpy(cfg->dst_mac, nla_data(tb[NL80211_WOWLAN_TCP_DST_MAC]),
14663 	       ETH_ALEN);
14664 	port = nla_get_u16_default(tb[NL80211_WOWLAN_TCP_SRC_PORT], 0);
14665 #ifdef CONFIG_INET
14666 	/* allocate a socket and port for it and use it */
14667 	err = __sock_create(wiphy_net(&rdev->wiphy), PF_INET, SOCK_STREAM,
14668 			    IPPROTO_TCP, &cfg->sock, 1);
14669 	if (err) {
14670 		kfree(cfg);
14671 		return err;
14672 	}
14673 	if (inet_csk_get_port(cfg->sock->sk, port)) {
14674 		sock_release(cfg->sock);
14675 		kfree(cfg);
14676 		return -EADDRINUSE;
14677 	}
14678 	cfg->src_port = inet_sk(cfg->sock->sk)->inet_num;
14679 #else
14680 	if (!port) {
14681 		kfree(cfg);
14682 		return -EINVAL;
14683 	}
14684 	cfg->src_port = port;
14685 #endif
14686 
14687 	cfg->dst_port = nla_get_u16(tb[NL80211_WOWLAN_TCP_DST_PORT]);
14688 	cfg->payload_len = data_size;
14689 	cfg->payload = (u8 *)cfg + sizeof(*cfg) + tokens_size;
14690 	memcpy((void *)cfg->payload,
14691 	       nla_data(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD]),
14692 	       data_size);
14693 	if (seq)
14694 		cfg->payload_seq = *seq;
14695 	cfg->data_interval = nla_get_u32(tb[NL80211_WOWLAN_TCP_DATA_INTERVAL]);
14696 	cfg->wake_len = wake_size;
14697 	cfg->wake_data = (u8 *)cfg + sizeof(*cfg) + tokens_size + data_size;
14698 	memcpy((void *)cfg->wake_data,
14699 	       nla_data(tb[NL80211_WOWLAN_TCP_WAKE_PAYLOAD]),
14700 	       wake_size);
14701 	cfg->wake_mask = (u8 *)cfg + sizeof(*cfg) + tokens_size +
14702 			 data_size + wake_size;
14703 	memcpy((void *)cfg->wake_mask,
14704 	       nla_data(tb[NL80211_WOWLAN_TCP_WAKE_MASK]),
14705 	       wake_mask_size);
14706 	if (tok) {
14707 		cfg->tokens_size = tokens_size;
14708 		cfg->payload_tok = *tok;
14709 		memcpy(cfg->payload_tok.token_stream, tok->token_stream,
14710 		       tokens_size);
14711 	}
14712 
14713 	trig->tcp = cfg;
14714 
14715 	return 0;
14716 }
14717 
14718 static int nl80211_parse_wowlan_nd(struct cfg80211_registered_device *rdev,
14719 				   const struct wiphy_wowlan_support *wowlan,
14720 				   struct nlattr *attr,
14721 				   struct cfg80211_wowlan *trig)
14722 {
14723 	struct nlattr **tb;
14724 	int err;
14725 
14726 	tb = kcalloc(NUM_NL80211_ATTR, sizeof(*tb), GFP_KERNEL);
14727 	if (!tb)
14728 		return -ENOMEM;
14729 
14730 	if (!(wowlan->flags & WIPHY_WOWLAN_NET_DETECT)) {
14731 		err = -EOPNOTSUPP;
14732 		goto out;
14733 	}
14734 
14735 	err = nla_parse_nested_deprecated(tb, NL80211_ATTR_MAX, attr,
14736 					  nl80211_policy, NULL);
14737 	if (err)
14738 		goto out;
14739 
14740 	trig->nd_config = nl80211_parse_sched_scan(&rdev->wiphy, NULL, tb,
14741 						   wowlan->max_nd_match_sets);
14742 	err = PTR_ERR_OR_ZERO(trig->nd_config);
14743 	if (err)
14744 		trig->nd_config = NULL;
14745 
14746 out:
14747 	kfree(tb);
14748 	return err;
14749 }
14750 
14751 static int nl80211_set_wowlan(struct sk_buff *skb, struct genl_info *info)
14752 {
14753 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14754 	struct nlattr *tb[NUM_NL80211_WOWLAN_TRIG];
14755 	struct cfg80211_wowlan new_triggers = {};
14756 	struct cfg80211_wowlan *ntrig;
14757 	const struct wiphy_wowlan_support *wowlan = rdev->wiphy.wowlan;
14758 	int err, i;
14759 	bool prev_enabled = rdev->wiphy.wowlan_config;
14760 	bool regular = false;
14761 
14762 	if (!wowlan)
14763 		return -EOPNOTSUPP;
14764 
14765 	if (!info->attrs[NL80211_ATTR_WOWLAN_TRIGGERS]) {
14766 		cfg80211_rdev_free_wowlan(rdev);
14767 		rdev->wiphy.wowlan_config = NULL;
14768 		goto set_wakeup;
14769 	}
14770 
14771 	err = nla_parse_nested_deprecated(tb, MAX_NL80211_WOWLAN_TRIG,
14772 					  info->attrs[NL80211_ATTR_WOWLAN_TRIGGERS],
14773 					  nl80211_wowlan_policy, info->extack);
14774 	if (err)
14775 		return err;
14776 
14777 	if (tb[NL80211_WOWLAN_TRIG_ANY]) {
14778 		if (!(wowlan->flags & WIPHY_WOWLAN_ANY))
14779 			return -EINVAL;
14780 		new_triggers.any = true;
14781 	}
14782 
14783 	if (tb[NL80211_WOWLAN_TRIG_DISCONNECT]) {
14784 		if (!(wowlan->flags & WIPHY_WOWLAN_DISCONNECT))
14785 			return -EINVAL;
14786 		new_triggers.disconnect = true;
14787 		regular = true;
14788 	}
14789 
14790 	if (tb[NL80211_WOWLAN_TRIG_MAGIC_PKT]) {
14791 		if (!(wowlan->flags & WIPHY_WOWLAN_MAGIC_PKT))
14792 			return -EINVAL;
14793 		new_triggers.magic_pkt = true;
14794 		regular = true;
14795 	}
14796 
14797 	if (tb[NL80211_WOWLAN_TRIG_GTK_REKEY_SUPPORTED])
14798 		return -EINVAL;
14799 
14800 	if (tb[NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE]) {
14801 		if (!(wowlan->flags & WIPHY_WOWLAN_GTK_REKEY_FAILURE))
14802 			return -EINVAL;
14803 		new_triggers.gtk_rekey_failure = true;
14804 		regular = true;
14805 	}
14806 
14807 	if (tb[NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST]) {
14808 		if (!(wowlan->flags & WIPHY_WOWLAN_EAP_IDENTITY_REQ))
14809 			return -EINVAL;
14810 		new_triggers.eap_identity_req = true;
14811 		regular = true;
14812 	}
14813 
14814 	if (tb[NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE]) {
14815 		if (!(wowlan->flags & WIPHY_WOWLAN_4WAY_HANDSHAKE))
14816 			return -EINVAL;
14817 		new_triggers.four_way_handshake = true;
14818 		regular = true;
14819 	}
14820 
14821 	if (tb[NL80211_WOWLAN_TRIG_RFKILL_RELEASE]) {
14822 		if (!(wowlan->flags & WIPHY_WOWLAN_RFKILL_RELEASE))
14823 			return -EINVAL;
14824 		new_triggers.rfkill_release = true;
14825 		regular = true;
14826 	}
14827 
14828 	if (tb[NL80211_WOWLAN_TRIG_PKT_PATTERN]) {
14829 		struct nlattr *pat;
14830 		int n_patterns = 0;
14831 		int rem, pat_len, mask_len, pkt_offset;
14832 		struct nlattr *pat_tb[NUM_NL80211_PKTPAT];
14833 
14834 		regular = true;
14835 
14836 		nla_for_each_nested(pat, tb[NL80211_WOWLAN_TRIG_PKT_PATTERN],
14837 				    rem)
14838 			n_patterns++;
14839 		if (n_patterns > wowlan->n_patterns)
14840 			return -EINVAL;
14841 
14842 		new_triggers.patterns = kcalloc(n_patterns,
14843 						sizeof(new_triggers.patterns[0]),
14844 						GFP_KERNEL);
14845 		if (!new_triggers.patterns)
14846 			return -ENOMEM;
14847 
14848 		new_triggers.n_patterns = n_patterns;
14849 		i = 0;
14850 
14851 		nla_for_each_nested(pat, tb[NL80211_WOWLAN_TRIG_PKT_PATTERN],
14852 				    rem) {
14853 			u8 *mask_pat;
14854 
14855 			err = nla_parse_nested_deprecated(pat_tb,
14856 							  MAX_NL80211_PKTPAT,
14857 							  pat,
14858 							  nl80211_packet_pattern_policy,
14859 							  info->extack);
14860 			if (err)
14861 				goto error;
14862 
14863 			err = -EINVAL;
14864 			if (!pat_tb[NL80211_PKTPAT_MASK] ||
14865 			    !pat_tb[NL80211_PKTPAT_PATTERN])
14866 				goto error;
14867 			pat_len = nla_len(pat_tb[NL80211_PKTPAT_PATTERN]);
14868 			mask_len = DIV_ROUND_UP(pat_len, 8);
14869 			if (nla_len(pat_tb[NL80211_PKTPAT_MASK]) != mask_len)
14870 				goto error;
14871 			if (pat_len > wowlan->pattern_max_len ||
14872 			    pat_len < wowlan->pattern_min_len)
14873 				goto error;
14874 
14875 			pkt_offset =
14876 				nla_get_u32_default(pat_tb[NL80211_PKTPAT_OFFSET],
14877 						    0);
14878 			if (pkt_offset > wowlan->max_pkt_offset)
14879 				goto error;
14880 			new_triggers.patterns[i].pkt_offset = pkt_offset;
14881 
14882 			mask_pat = kmalloc(mask_len + pat_len, GFP_KERNEL);
14883 			if (!mask_pat) {
14884 				err = -ENOMEM;
14885 				goto error;
14886 			}
14887 			new_triggers.patterns[i].mask = mask_pat;
14888 			memcpy(mask_pat, nla_data(pat_tb[NL80211_PKTPAT_MASK]),
14889 			       mask_len);
14890 			mask_pat += mask_len;
14891 			new_triggers.patterns[i].pattern = mask_pat;
14892 			new_triggers.patterns[i].pattern_len = pat_len;
14893 			memcpy(mask_pat,
14894 			       nla_data(pat_tb[NL80211_PKTPAT_PATTERN]),
14895 			       pat_len);
14896 			i++;
14897 		}
14898 	}
14899 
14900 	if (tb[NL80211_WOWLAN_TRIG_TCP_CONNECTION]) {
14901 		regular = true;
14902 		err = nl80211_parse_wowlan_tcp(
14903 			rdev, tb[NL80211_WOWLAN_TRIG_TCP_CONNECTION],
14904 			&new_triggers);
14905 		if (err)
14906 			goto error;
14907 	}
14908 
14909 	if (tb[NL80211_WOWLAN_TRIG_NET_DETECT]) {
14910 		regular = true;
14911 		err = nl80211_parse_wowlan_nd(
14912 			rdev, wowlan, tb[NL80211_WOWLAN_TRIG_NET_DETECT],
14913 			&new_triggers);
14914 		if (err)
14915 			goto error;
14916 	}
14917 
14918 	/* The 'any' trigger means the device continues operating more or less
14919 	 * as in its normal operation mode and wakes up the host on most of the
14920 	 * normal interrupts (like packet RX, ...)
14921 	 * It therefore makes little sense to combine with the more constrained
14922 	 * wakeup trigger modes.
14923 	 */
14924 	if (new_triggers.any && regular) {
14925 		err = -EINVAL;
14926 		goto error;
14927 	}
14928 
14929 	ntrig = kmemdup(&new_triggers, sizeof(new_triggers), GFP_KERNEL);
14930 	if (!ntrig) {
14931 		err = -ENOMEM;
14932 		goto error;
14933 	}
14934 	cfg80211_rdev_free_wowlan(rdev);
14935 	rdev->wiphy.wowlan_config = ntrig;
14936 
14937  set_wakeup:
14938 	if (rdev->ops->set_wakeup &&
14939 	    prev_enabled != !!rdev->wiphy.wowlan_config)
14940 		rdev_set_wakeup(rdev, rdev->wiphy.wowlan_config);
14941 
14942 	return 0;
14943  error:
14944 	for (i = 0; i < new_triggers.n_patterns; i++)
14945 		kfree(new_triggers.patterns[i].mask);
14946 	kfree(new_triggers.patterns);
14947 	if (new_triggers.tcp && new_triggers.tcp->sock)
14948 		sock_release(new_triggers.tcp->sock);
14949 	kfree(new_triggers.tcp);
14950 	kfree(new_triggers.nd_config);
14951 	return err;
14952 }
14953 #endif
14954 
14955 static int nl80211_send_coalesce_rules(struct sk_buff *msg,
14956 				       struct cfg80211_registered_device *rdev)
14957 {
14958 	struct nlattr *nl_pats, *nl_pat, *nl_rule, *nl_rules;
14959 	int i, j, pat_len;
14960 	struct cfg80211_coalesce_rules *rule;
14961 
14962 	if (!rdev->coalesce->n_rules)
14963 		return 0;
14964 
14965 	nl_rules = nla_nest_start_noflag(msg, NL80211_ATTR_COALESCE_RULE);
14966 	if (!nl_rules)
14967 		return -ENOBUFS;
14968 
14969 	for (i = 0; i < rdev->coalesce->n_rules; i++) {
14970 		nl_rule = nla_nest_start_noflag(msg, i + 1);
14971 		if (!nl_rule)
14972 			return -ENOBUFS;
14973 
14974 		rule = &rdev->coalesce->rules[i];
14975 		if (nla_put_u32(msg, NL80211_ATTR_COALESCE_RULE_DELAY,
14976 				rule->delay))
14977 			return -ENOBUFS;
14978 
14979 		if (nla_put_u32(msg, NL80211_ATTR_COALESCE_RULE_CONDITION,
14980 				rule->condition))
14981 			return -ENOBUFS;
14982 
14983 		nl_pats = nla_nest_start_noflag(msg,
14984 						NL80211_ATTR_COALESCE_RULE_PKT_PATTERN);
14985 		if (!nl_pats)
14986 			return -ENOBUFS;
14987 
14988 		for (j = 0; j < rule->n_patterns; j++) {
14989 			nl_pat = nla_nest_start_noflag(msg, j + 1);
14990 			if (!nl_pat)
14991 				return -ENOBUFS;
14992 			pat_len = rule->patterns[j].pattern_len;
14993 			if (nla_put(msg, NL80211_PKTPAT_MASK,
14994 				    DIV_ROUND_UP(pat_len, 8),
14995 				    rule->patterns[j].mask) ||
14996 			    nla_put(msg, NL80211_PKTPAT_PATTERN, pat_len,
14997 				    rule->patterns[j].pattern) ||
14998 			    nla_put_u32(msg, NL80211_PKTPAT_OFFSET,
14999 					rule->patterns[j].pkt_offset))
15000 				return -ENOBUFS;
15001 			nla_nest_end(msg, nl_pat);
15002 		}
15003 		nla_nest_end(msg, nl_pats);
15004 		nla_nest_end(msg, nl_rule);
15005 	}
15006 	nla_nest_end(msg, nl_rules);
15007 
15008 	return 0;
15009 }
15010 
15011 static int nl80211_get_coalesce(struct sk_buff *skb, struct genl_info *info)
15012 {
15013 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15014 	struct sk_buff *msg;
15015 	void *hdr;
15016 
15017 	if (!rdev->wiphy.coalesce)
15018 		return -EOPNOTSUPP;
15019 
15020 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
15021 	if (!msg)
15022 		return -ENOMEM;
15023 
15024 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
15025 			     NL80211_CMD_GET_COALESCE);
15026 	if (!hdr)
15027 		goto nla_put_failure;
15028 
15029 	if (rdev->coalesce && nl80211_send_coalesce_rules(msg, rdev))
15030 		goto nla_put_failure;
15031 
15032 	genlmsg_end(msg, hdr);
15033 	return genlmsg_reply(msg, info);
15034 
15035 nla_put_failure:
15036 	nlmsg_free(msg);
15037 	return -ENOBUFS;
15038 }
15039 
15040 void cfg80211_free_coalesce(struct cfg80211_coalesce *coalesce)
15041 {
15042 	int i, j;
15043 	struct cfg80211_coalesce_rules *rule;
15044 
15045 	if (!coalesce)
15046 		return;
15047 
15048 	for (i = 0; i < coalesce->n_rules; i++) {
15049 		rule = &coalesce->rules[i];
15050 		for (j = 0; j < rule->n_patterns; j++)
15051 			kfree(rule->patterns[j].mask);
15052 		kfree(rule->patterns);
15053 	}
15054 	kfree(coalesce);
15055 }
15056 
15057 static int nl80211_parse_coalesce_rule(struct cfg80211_registered_device *rdev,
15058 				       struct nlattr *rule,
15059 				       struct cfg80211_coalesce_rules *new_rule)
15060 {
15061 	int err, i;
15062 	const struct wiphy_coalesce_support *coalesce = rdev->wiphy.coalesce;
15063 	struct nlattr *tb[NUM_NL80211_ATTR_COALESCE_RULE], *pat;
15064 	int rem, pat_len, mask_len, pkt_offset, n_patterns = 0;
15065 	struct nlattr *pat_tb[NUM_NL80211_PKTPAT];
15066 
15067 	err = nla_parse_nested_deprecated(tb, NL80211_ATTR_COALESCE_RULE_MAX,
15068 					  rule, nl80211_coalesce_policy, NULL);
15069 	if (err)
15070 		return err;
15071 
15072 	if (tb[NL80211_ATTR_COALESCE_RULE_DELAY])
15073 		new_rule->delay =
15074 			nla_get_u32(tb[NL80211_ATTR_COALESCE_RULE_DELAY]);
15075 	if (new_rule->delay > coalesce->max_delay)
15076 		return -EINVAL;
15077 
15078 	if (tb[NL80211_ATTR_COALESCE_RULE_CONDITION])
15079 		new_rule->condition =
15080 			nla_get_u32(tb[NL80211_ATTR_COALESCE_RULE_CONDITION]);
15081 
15082 	if (!tb[NL80211_ATTR_COALESCE_RULE_PKT_PATTERN])
15083 		return -EINVAL;
15084 
15085 	nla_for_each_nested(pat, tb[NL80211_ATTR_COALESCE_RULE_PKT_PATTERN],
15086 			    rem)
15087 		n_patterns++;
15088 	if (n_patterns > coalesce->n_patterns)
15089 		return -EINVAL;
15090 
15091 	new_rule->patterns = kcalloc(n_patterns, sizeof(new_rule->patterns[0]),
15092 				     GFP_KERNEL);
15093 	if (!new_rule->patterns)
15094 		return -ENOMEM;
15095 
15096 	new_rule->n_patterns = n_patterns;
15097 	i = 0;
15098 
15099 	nla_for_each_nested(pat, tb[NL80211_ATTR_COALESCE_RULE_PKT_PATTERN],
15100 			    rem) {
15101 		u8 *mask_pat;
15102 
15103 		err = nla_parse_nested_deprecated(pat_tb, MAX_NL80211_PKTPAT,
15104 						  pat,
15105 						  nl80211_packet_pattern_policy,
15106 						  NULL);
15107 		if (err)
15108 			return err;
15109 
15110 		if (!pat_tb[NL80211_PKTPAT_MASK] ||
15111 		    !pat_tb[NL80211_PKTPAT_PATTERN])
15112 			return -EINVAL;
15113 		pat_len = nla_len(pat_tb[NL80211_PKTPAT_PATTERN]);
15114 		mask_len = DIV_ROUND_UP(pat_len, 8);
15115 		if (nla_len(pat_tb[NL80211_PKTPAT_MASK]) != mask_len)
15116 			return -EINVAL;
15117 		if (pat_len > coalesce->pattern_max_len ||
15118 		    pat_len < coalesce->pattern_min_len)
15119 			return -EINVAL;
15120 
15121 		pkt_offset = nla_get_u32_default(pat_tb[NL80211_PKTPAT_OFFSET],
15122 						 0);
15123 		if (pkt_offset > coalesce->max_pkt_offset)
15124 			return -EINVAL;
15125 		new_rule->patterns[i].pkt_offset = pkt_offset;
15126 
15127 		mask_pat = kmalloc(mask_len + pat_len, GFP_KERNEL);
15128 		if (!mask_pat)
15129 			return -ENOMEM;
15130 
15131 		new_rule->patterns[i].mask = mask_pat;
15132 		memcpy(mask_pat, nla_data(pat_tb[NL80211_PKTPAT_MASK]),
15133 		       mask_len);
15134 
15135 		mask_pat += mask_len;
15136 		new_rule->patterns[i].pattern = mask_pat;
15137 		new_rule->patterns[i].pattern_len = pat_len;
15138 		memcpy(mask_pat, nla_data(pat_tb[NL80211_PKTPAT_PATTERN]),
15139 		       pat_len);
15140 		i++;
15141 	}
15142 
15143 	return 0;
15144 }
15145 
15146 static int nl80211_set_coalesce(struct sk_buff *skb, struct genl_info *info)
15147 {
15148 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15149 	const struct wiphy_coalesce_support *coalesce = rdev->wiphy.coalesce;
15150 	struct cfg80211_coalesce *new_coalesce;
15151 	int err, rem_rule, n_rules = 0, i;
15152 	struct nlattr *rule;
15153 
15154 	if (!rdev->wiphy.coalesce || !rdev->ops->set_coalesce)
15155 		return -EOPNOTSUPP;
15156 
15157 	if (!info->attrs[NL80211_ATTR_COALESCE_RULE]) {
15158 		cfg80211_free_coalesce(rdev->coalesce);
15159 		rdev->coalesce = NULL;
15160 		rdev_set_coalesce(rdev, NULL);
15161 		return 0;
15162 	}
15163 
15164 	nla_for_each_nested(rule, info->attrs[NL80211_ATTR_COALESCE_RULE],
15165 			    rem_rule)
15166 		n_rules++;
15167 	if (n_rules > coalesce->n_rules)
15168 		return -EINVAL;
15169 
15170 	new_coalesce = kzalloc(struct_size(new_coalesce, rules, n_rules),
15171 			       GFP_KERNEL);
15172 	if (!new_coalesce)
15173 		return -ENOMEM;
15174 
15175 	new_coalesce->n_rules = n_rules;
15176 	i = 0;
15177 
15178 	nla_for_each_nested(rule, info->attrs[NL80211_ATTR_COALESCE_RULE],
15179 			    rem_rule) {
15180 		err = nl80211_parse_coalesce_rule(rdev, rule,
15181 						  &new_coalesce->rules[i]);
15182 		if (err)
15183 			goto error;
15184 
15185 		i++;
15186 	}
15187 
15188 	err = rdev_set_coalesce(rdev, new_coalesce);
15189 	if (err)
15190 		goto error;
15191 
15192 	cfg80211_free_coalesce(rdev->coalesce);
15193 	rdev->coalesce = new_coalesce;
15194 
15195 	return 0;
15196 error:
15197 	cfg80211_free_coalesce(new_coalesce);
15198 
15199 	return err;
15200 }
15201 
15202 static int nl80211_set_rekey_data(struct sk_buff *skb, struct genl_info *info)
15203 {
15204 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15205 	struct net_device *dev = info->user_ptr[1];
15206 	struct wireless_dev *wdev = dev->ieee80211_ptr;
15207 	struct nlattr *tb[NUM_NL80211_REKEY_DATA];
15208 	struct cfg80211_gtk_rekey_data rekey_data = {};
15209 	int err;
15210 
15211 	if (!info->attrs[NL80211_ATTR_REKEY_DATA])
15212 		return -EINVAL;
15213 
15214 	err = nla_parse_nested_deprecated(tb, MAX_NL80211_REKEY_DATA,
15215 					  info->attrs[NL80211_ATTR_REKEY_DATA],
15216 					  nl80211_rekey_policy, info->extack);
15217 	if (err)
15218 		return err;
15219 
15220 	if (!tb[NL80211_REKEY_DATA_REPLAY_CTR] || !tb[NL80211_REKEY_DATA_KEK] ||
15221 	    !tb[NL80211_REKEY_DATA_KCK])
15222 		return -EINVAL;
15223 	if (nla_len(tb[NL80211_REKEY_DATA_KEK]) != NL80211_KEK_LEN &&
15224 	    !(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_EXT_KEK_KCK &&
15225 	      nla_len(tb[NL80211_REKEY_DATA_KEK]) == NL80211_KEK_EXT_LEN))
15226 		return -ERANGE;
15227 	if (nla_len(tb[NL80211_REKEY_DATA_KCK]) != NL80211_KCK_LEN &&
15228 	    !(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_EXT_KEK_KCK &&
15229 	      nla_len(tb[NL80211_REKEY_DATA_KCK]) == NL80211_KCK_EXT_LEN) &&
15230 	     !(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_EXT_KCK_32 &&
15231 	       nla_len(tb[NL80211_REKEY_DATA_KCK]) == NL80211_KCK_EXT_LEN_32))
15232 		return -ERANGE;
15233 
15234 	rekey_data.kek = nla_data(tb[NL80211_REKEY_DATA_KEK]);
15235 	rekey_data.kck = nla_data(tb[NL80211_REKEY_DATA_KCK]);
15236 	rekey_data.replay_ctr = nla_data(tb[NL80211_REKEY_DATA_REPLAY_CTR]);
15237 	rekey_data.kek_len = nla_len(tb[NL80211_REKEY_DATA_KEK]);
15238 	rekey_data.kck_len = nla_len(tb[NL80211_REKEY_DATA_KCK]);
15239 	if (tb[NL80211_REKEY_DATA_AKM])
15240 		rekey_data.akm = nla_get_u32(tb[NL80211_REKEY_DATA_AKM]);
15241 
15242 	if (!wdev->connected)
15243 		return -ENOTCONN;
15244 
15245 	if (!rdev->ops->set_rekey_data)
15246 		return -EOPNOTSUPP;
15247 
15248 	return rdev_set_rekey_data(rdev, dev, &rekey_data);
15249 }
15250 
15251 static int nl80211_register_unexpected_frame(struct sk_buff *skb,
15252 					     struct genl_info *info)
15253 {
15254 	struct net_device *dev = info->user_ptr[1];
15255 	struct wireless_dev *wdev = dev->ieee80211_ptr;
15256 
15257 	if (wdev->iftype != NL80211_IFTYPE_AP &&
15258 	    wdev->iftype != NL80211_IFTYPE_P2P_GO)
15259 		return -EINVAL;
15260 
15261 	if (wdev->ap_unexpected_nlportid)
15262 		return -EBUSY;
15263 
15264 	wdev->ap_unexpected_nlportid = info->snd_portid;
15265 	return 0;
15266 }
15267 
15268 static int nl80211_probe_client(struct sk_buff *skb,
15269 				struct genl_info *info)
15270 {
15271 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15272 	struct net_device *dev = info->user_ptr[1];
15273 	struct wireless_dev *wdev = dev->ieee80211_ptr;
15274 	struct sk_buff *msg;
15275 	void *hdr;
15276 	const u8 *addr;
15277 	u64 cookie;
15278 	int err;
15279 
15280 	if (wdev->iftype != NL80211_IFTYPE_AP &&
15281 	    wdev->iftype != NL80211_IFTYPE_P2P_GO)
15282 		return -EOPNOTSUPP;
15283 
15284 	if (!info->attrs[NL80211_ATTR_MAC])
15285 		return -EINVAL;
15286 
15287 	if (!rdev->ops->probe_client)
15288 		return -EOPNOTSUPP;
15289 
15290 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
15291 	if (!msg)
15292 		return -ENOMEM;
15293 
15294 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
15295 			     NL80211_CMD_PROBE_CLIENT);
15296 	if (!hdr) {
15297 		err = -ENOBUFS;
15298 		goto free_msg;
15299 	}
15300 
15301 	addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
15302 
15303 	err = rdev_probe_client(rdev, dev, addr, &cookie);
15304 	if (err)
15305 		goto free_msg;
15306 
15307 	if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
15308 			      NL80211_ATTR_PAD))
15309 		goto nla_put_failure;
15310 
15311 	genlmsg_end(msg, hdr);
15312 
15313 	return genlmsg_reply(msg, info);
15314 
15315  nla_put_failure:
15316 	err = -ENOBUFS;
15317  free_msg:
15318 	nlmsg_free(msg);
15319 	return err;
15320 }
15321 
15322 static int nl80211_register_beacons(struct sk_buff *skb, struct genl_info *info)
15323 {
15324 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15325 	struct cfg80211_beacon_registration *reg, *nreg;
15326 	int rv;
15327 
15328 	if (!(rdev->wiphy.flags & WIPHY_FLAG_REPORTS_OBSS))
15329 		return -EOPNOTSUPP;
15330 
15331 	nreg = kzalloc(sizeof(*nreg), GFP_KERNEL);
15332 	if (!nreg)
15333 		return -ENOMEM;
15334 
15335 	/* First, check if already registered. */
15336 	spin_lock_bh(&rdev->beacon_registrations_lock);
15337 	list_for_each_entry(reg, &rdev->beacon_registrations, list) {
15338 		if (reg->nlportid == info->snd_portid) {
15339 			rv = -EALREADY;
15340 			goto out_err;
15341 		}
15342 	}
15343 	/* Add it to the list */
15344 	nreg->nlportid = info->snd_portid;
15345 	list_add(&nreg->list, &rdev->beacon_registrations);
15346 
15347 	spin_unlock_bh(&rdev->beacon_registrations_lock);
15348 
15349 	return 0;
15350 out_err:
15351 	spin_unlock_bh(&rdev->beacon_registrations_lock);
15352 	kfree(nreg);
15353 	return rv;
15354 }
15355 
15356 static int nl80211_start_p2p_device(struct sk_buff *skb, struct genl_info *info)
15357 {
15358 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15359 	struct wireless_dev *wdev = info->user_ptr[1];
15360 	int err;
15361 
15362 	if (!rdev->ops->start_p2p_device)
15363 		return -EOPNOTSUPP;
15364 
15365 	if (wdev->iftype != NL80211_IFTYPE_P2P_DEVICE)
15366 		return -EOPNOTSUPP;
15367 
15368 	if (wdev_running(wdev))
15369 		return 0;
15370 
15371 	if (rfkill_blocked(rdev->wiphy.rfkill))
15372 		return -ERFKILL;
15373 
15374 	err = rdev_start_p2p_device(rdev, wdev);
15375 	if (err)
15376 		return err;
15377 
15378 	wdev->is_running = true;
15379 	rdev->opencount++;
15380 
15381 	return 0;
15382 }
15383 
15384 static int nl80211_stop_p2p_device(struct sk_buff *skb, struct genl_info *info)
15385 {
15386 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15387 	struct wireless_dev *wdev = info->user_ptr[1];
15388 
15389 	if (wdev->iftype != NL80211_IFTYPE_P2P_DEVICE)
15390 		return -EOPNOTSUPP;
15391 
15392 	if (!rdev->ops->stop_p2p_device)
15393 		return -EOPNOTSUPP;
15394 
15395 	cfg80211_stop_p2p_device(rdev, wdev);
15396 
15397 	return 0;
15398 }
15399 
15400 static int nl80211_start_nan(struct sk_buff *skb, struct genl_info *info)
15401 {
15402 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15403 	struct wireless_dev *wdev = info->user_ptr[1];
15404 	struct cfg80211_nan_conf conf = {};
15405 	int err;
15406 
15407 	if (wdev->iftype != NL80211_IFTYPE_NAN)
15408 		return -EOPNOTSUPP;
15409 
15410 	if (wdev_running(wdev))
15411 		return -EEXIST;
15412 
15413 	if (rfkill_blocked(rdev->wiphy.rfkill))
15414 		return -ERFKILL;
15415 
15416 	if (!info->attrs[NL80211_ATTR_NAN_MASTER_PREF])
15417 		return -EINVAL;
15418 
15419 	conf.master_pref =
15420 		nla_get_u8(info->attrs[NL80211_ATTR_NAN_MASTER_PREF]);
15421 
15422 	if (info->attrs[NL80211_ATTR_BANDS]) {
15423 		u32 bands = nla_get_u32(info->attrs[NL80211_ATTR_BANDS]);
15424 
15425 		if (bands & ~(u32)wdev->wiphy->nan_supported_bands)
15426 			return -EOPNOTSUPP;
15427 
15428 		if (bands && !(bands & BIT(NL80211_BAND_2GHZ)))
15429 			return -EINVAL;
15430 
15431 		conf.bands = bands;
15432 	}
15433 
15434 	err = rdev_start_nan(rdev, wdev, &conf);
15435 	if (err)
15436 		return err;
15437 
15438 	wdev->is_running = true;
15439 	rdev->opencount++;
15440 
15441 	return 0;
15442 }
15443 
15444 static int nl80211_stop_nan(struct sk_buff *skb, struct genl_info *info)
15445 {
15446 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15447 	struct wireless_dev *wdev = info->user_ptr[1];
15448 
15449 	if (wdev->iftype != NL80211_IFTYPE_NAN)
15450 		return -EOPNOTSUPP;
15451 
15452 	cfg80211_stop_nan(rdev, wdev);
15453 
15454 	return 0;
15455 }
15456 
15457 static int validate_nan_filter(struct nlattr *filter_attr)
15458 {
15459 	struct nlattr *attr;
15460 	int len = 0, n_entries = 0, rem;
15461 
15462 	nla_for_each_nested(attr, filter_attr, rem) {
15463 		len += nla_len(attr);
15464 		n_entries++;
15465 	}
15466 
15467 	if (len >= U8_MAX)
15468 		return -EINVAL;
15469 
15470 	return n_entries;
15471 }
15472 
15473 static int handle_nan_filter(struct nlattr *attr_filter,
15474 			     struct cfg80211_nan_func *func,
15475 			     bool tx)
15476 {
15477 	struct nlattr *attr;
15478 	int n_entries, rem, i;
15479 	struct cfg80211_nan_func_filter *filter;
15480 
15481 	n_entries = validate_nan_filter(attr_filter);
15482 	if (n_entries < 0)
15483 		return n_entries;
15484 
15485 	BUILD_BUG_ON(sizeof(*func->rx_filters) != sizeof(*func->tx_filters));
15486 
15487 	filter = kcalloc(n_entries, sizeof(*func->rx_filters), GFP_KERNEL);
15488 	if (!filter)
15489 		return -ENOMEM;
15490 
15491 	i = 0;
15492 	nla_for_each_nested(attr, attr_filter, rem) {
15493 		filter[i].filter = nla_memdup(attr, GFP_KERNEL);
15494 		if (!filter[i].filter)
15495 			goto err;
15496 
15497 		filter[i].len = nla_len(attr);
15498 		i++;
15499 	}
15500 	if (tx) {
15501 		func->num_tx_filters = n_entries;
15502 		func->tx_filters = filter;
15503 	} else {
15504 		func->num_rx_filters = n_entries;
15505 		func->rx_filters = filter;
15506 	}
15507 
15508 	return 0;
15509 
15510 err:
15511 	i = 0;
15512 	nla_for_each_nested(attr, attr_filter, rem) {
15513 		kfree(filter[i].filter);
15514 		i++;
15515 	}
15516 	kfree(filter);
15517 	return -ENOMEM;
15518 }
15519 
15520 static int nl80211_nan_add_func(struct sk_buff *skb,
15521 				struct genl_info *info)
15522 {
15523 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15524 	struct wireless_dev *wdev = info->user_ptr[1];
15525 	struct nlattr *tb[NUM_NL80211_NAN_FUNC_ATTR], *func_attr;
15526 	struct cfg80211_nan_func *func;
15527 	struct sk_buff *msg = NULL;
15528 	void *hdr = NULL;
15529 	int err = 0;
15530 
15531 	if (wdev->iftype != NL80211_IFTYPE_NAN)
15532 		return -EOPNOTSUPP;
15533 
15534 	if (!wdev_running(wdev))
15535 		return -ENOTCONN;
15536 
15537 	if (!info->attrs[NL80211_ATTR_NAN_FUNC])
15538 		return -EINVAL;
15539 
15540 	err = nla_parse_nested_deprecated(tb, NL80211_NAN_FUNC_ATTR_MAX,
15541 					  info->attrs[NL80211_ATTR_NAN_FUNC],
15542 					  nl80211_nan_func_policy,
15543 					  info->extack);
15544 	if (err)
15545 		return err;
15546 
15547 	func = kzalloc(sizeof(*func), GFP_KERNEL);
15548 	if (!func)
15549 		return -ENOMEM;
15550 
15551 	func->cookie = cfg80211_assign_cookie(rdev);
15552 
15553 	if (!tb[NL80211_NAN_FUNC_TYPE]) {
15554 		err = -EINVAL;
15555 		goto out;
15556 	}
15557 
15558 
15559 	func->type = nla_get_u8(tb[NL80211_NAN_FUNC_TYPE]);
15560 
15561 	if (!tb[NL80211_NAN_FUNC_SERVICE_ID]) {
15562 		err = -EINVAL;
15563 		goto out;
15564 	}
15565 
15566 	memcpy(func->service_id, nla_data(tb[NL80211_NAN_FUNC_SERVICE_ID]),
15567 	       sizeof(func->service_id));
15568 
15569 	func->close_range =
15570 		nla_get_flag(tb[NL80211_NAN_FUNC_CLOSE_RANGE]);
15571 
15572 	if (tb[NL80211_NAN_FUNC_SERVICE_INFO]) {
15573 		func->serv_spec_info_len =
15574 			nla_len(tb[NL80211_NAN_FUNC_SERVICE_INFO]);
15575 		func->serv_spec_info =
15576 			kmemdup(nla_data(tb[NL80211_NAN_FUNC_SERVICE_INFO]),
15577 				func->serv_spec_info_len,
15578 				GFP_KERNEL);
15579 		if (!func->serv_spec_info) {
15580 			err = -ENOMEM;
15581 			goto out;
15582 		}
15583 	}
15584 
15585 	if (tb[NL80211_NAN_FUNC_TTL])
15586 		func->ttl = nla_get_u32(tb[NL80211_NAN_FUNC_TTL]);
15587 
15588 	switch (func->type) {
15589 	case NL80211_NAN_FUNC_PUBLISH:
15590 		if (!tb[NL80211_NAN_FUNC_PUBLISH_TYPE]) {
15591 			err = -EINVAL;
15592 			goto out;
15593 		}
15594 
15595 		func->publish_type =
15596 			nla_get_u8(tb[NL80211_NAN_FUNC_PUBLISH_TYPE]);
15597 		func->publish_bcast =
15598 			nla_get_flag(tb[NL80211_NAN_FUNC_PUBLISH_BCAST]);
15599 
15600 		if ((!(func->publish_type & NL80211_NAN_SOLICITED_PUBLISH)) &&
15601 			func->publish_bcast) {
15602 			err = -EINVAL;
15603 			goto out;
15604 		}
15605 		break;
15606 	case NL80211_NAN_FUNC_SUBSCRIBE:
15607 		func->subscribe_active =
15608 			nla_get_flag(tb[NL80211_NAN_FUNC_SUBSCRIBE_ACTIVE]);
15609 		break;
15610 	case NL80211_NAN_FUNC_FOLLOW_UP:
15611 		if (!tb[NL80211_NAN_FUNC_FOLLOW_UP_ID] ||
15612 		    !tb[NL80211_NAN_FUNC_FOLLOW_UP_REQ_ID] ||
15613 		    !tb[NL80211_NAN_FUNC_FOLLOW_UP_DEST]) {
15614 			err = -EINVAL;
15615 			goto out;
15616 		}
15617 
15618 		func->followup_id =
15619 			nla_get_u8(tb[NL80211_NAN_FUNC_FOLLOW_UP_ID]);
15620 		func->followup_reqid =
15621 			nla_get_u8(tb[NL80211_NAN_FUNC_FOLLOW_UP_REQ_ID]);
15622 		memcpy(func->followup_dest.addr,
15623 		       nla_data(tb[NL80211_NAN_FUNC_FOLLOW_UP_DEST]),
15624 		       sizeof(func->followup_dest.addr));
15625 		if (func->ttl) {
15626 			err = -EINVAL;
15627 			goto out;
15628 		}
15629 		break;
15630 	default:
15631 		err = -EINVAL;
15632 		goto out;
15633 	}
15634 
15635 	if (tb[NL80211_NAN_FUNC_SRF]) {
15636 		struct nlattr *srf_tb[NUM_NL80211_NAN_SRF_ATTR];
15637 
15638 		err = nla_parse_nested_deprecated(srf_tb,
15639 						  NL80211_NAN_SRF_ATTR_MAX,
15640 						  tb[NL80211_NAN_FUNC_SRF],
15641 						  nl80211_nan_srf_policy,
15642 						  info->extack);
15643 		if (err)
15644 			goto out;
15645 
15646 		func->srf_include =
15647 			nla_get_flag(srf_tb[NL80211_NAN_SRF_INCLUDE]);
15648 
15649 		if (srf_tb[NL80211_NAN_SRF_BF]) {
15650 			if (srf_tb[NL80211_NAN_SRF_MAC_ADDRS] ||
15651 			    !srf_tb[NL80211_NAN_SRF_BF_IDX]) {
15652 				err = -EINVAL;
15653 				goto out;
15654 			}
15655 
15656 			func->srf_bf_len =
15657 				nla_len(srf_tb[NL80211_NAN_SRF_BF]);
15658 			func->srf_bf =
15659 				kmemdup(nla_data(srf_tb[NL80211_NAN_SRF_BF]),
15660 					func->srf_bf_len, GFP_KERNEL);
15661 			if (!func->srf_bf) {
15662 				err = -ENOMEM;
15663 				goto out;
15664 			}
15665 
15666 			func->srf_bf_idx =
15667 				nla_get_u8(srf_tb[NL80211_NAN_SRF_BF_IDX]);
15668 		} else {
15669 			struct nlattr *attr, *mac_attr =
15670 				srf_tb[NL80211_NAN_SRF_MAC_ADDRS];
15671 			int n_entries, rem, i = 0;
15672 
15673 			if (!mac_attr) {
15674 				err = -EINVAL;
15675 				goto out;
15676 			}
15677 
15678 			n_entries = validate_acl_mac_addrs(mac_attr);
15679 			if (n_entries <= 0) {
15680 				err = -EINVAL;
15681 				goto out;
15682 			}
15683 
15684 			func->srf_num_macs = n_entries;
15685 			func->srf_macs =
15686 				kcalloc(n_entries, sizeof(*func->srf_macs),
15687 					GFP_KERNEL);
15688 			if (!func->srf_macs) {
15689 				err = -ENOMEM;
15690 				goto out;
15691 			}
15692 
15693 			nla_for_each_nested(attr, mac_attr, rem)
15694 				memcpy(func->srf_macs[i++].addr, nla_data(attr),
15695 				       sizeof(*func->srf_macs));
15696 		}
15697 	}
15698 
15699 	if (tb[NL80211_NAN_FUNC_TX_MATCH_FILTER]) {
15700 		err = handle_nan_filter(tb[NL80211_NAN_FUNC_TX_MATCH_FILTER],
15701 					func, true);
15702 		if (err)
15703 			goto out;
15704 	}
15705 
15706 	if (tb[NL80211_NAN_FUNC_RX_MATCH_FILTER]) {
15707 		err = handle_nan_filter(tb[NL80211_NAN_FUNC_RX_MATCH_FILTER],
15708 					func, false);
15709 		if (err)
15710 			goto out;
15711 	}
15712 
15713 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
15714 	if (!msg) {
15715 		err = -ENOMEM;
15716 		goto out;
15717 	}
15718 
15719 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
15720 			     NL80211_CMD_ADD_NAN_FUNCTION);
15721 	/* This can't really happen - we just allocated 4KB */
15722 	if (WARN_ON(!hdr)) {
15723 		err = -ENOMEM;
15724 		goto out;
15725 	}
15726 
15727 	err = rdev_add_nan_func(rdev, wdev, func);
15728 out:
15729 	if (err < 0) {
15730 		cfg80211_free_nan_func(func);
15731 		nlmsg_free(msg);
15732 		return err;
15733 	}
15734 
15735 	/* propagate the instance id and cookie to userspace  */
15736 	if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, func->cookie,
15737 			      NL80211_ATTR_PAD))
15738 		goto nla_put_failure;
15739 
15740 	func_attr = nla_nest_start_noflag(msg, NL80211_ATTR_NAN_FUNC);
15741 	if (!func_attr)
15742 		goto nla_put_failure;
15743 
15744 	if (nla_put_u8(msg, NL80211_NAN_FUNC_INSTANCE_ID,
15745 		       func->instance_id))
15746 		goto nla_put_failure;
15747 
15748 	nla_nest_end(msg, func_attr);
15749 
15750 	genlmsg_end(msg, hdr);
15751 	return genlmsg_reply(msg, info);
15752 
15753 nla_put_failure:
15754 	nlmsg_free(msg);
15755 	return -ENOBUFS;
15756 }
15757 
15758 static int nl80211_nan_del_func(struct sk_buff *skb,
15759 			       struct genl_info *info)
15760 {
15761 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15762 	struct wireless_dev *wdev = info->user_ptr[1];
15763 	u64 cookie;
15764 
15765 	if (wdev->iftype != NL80211_IFTYPE_NAN)
15766 		return -EOPNOTSUPP;
15767 
15768 	if (!wdev_running(wdev))
15769 		return -ENOTCONN;
15770 
15771 	if (!info->attrs[NL80211_ATTR_COOKIE])
15772 		return -EINVAL;
15773 
15774 	cookie = nla_get_u64(info->attrs[NL80211_ATTR_COOKIE]);
15775 
15776 	rdev_del_nan_func(rdev, wdev, cookie);
15777 
15778 	return 0;
15779 }
15780 
15781 static int nl80211_nan_change_config(struct sk_buff *skb,
15782 				     struct genl_info *info)
15783 {
15784 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15785 	struct wireless_dev *wdev = info->user_ptr[1];
15786 	struct cfg80211_nan_conf conf = {};
15787 	u32 changed = 0;
15788 
15789 	if (wdev->iftype != NL80211_IFTYPE_NAN)
15790 		return -EOPNOTSUPP;
15791 
15792 	if (!wdev_running(wdev))
15793 		return -ENOTCONN;
15794 
15795 	if (info->attrs[NL80211_ATTR_NAN_MASTER_PREF]) {
15796 		conf.master_pref =
15797 			nla_get_u8(info->attrs[NL80211_ATTR_NAN_MASTER_PREF]);
15798 		if (conf.master_pref <= 1 || conf.master_pref == 255)
15799 			return -EINVAL;
15800 
15801 		changed |= CFG80211_NAN_CONF_CHANGED_PREF;
15802 	}
15803 
15804 	if (info->attrs[NL80211_ATTR_BANDS]) {
15805 		u32 bands = nla_get_u32(info->attrs[NL80211_ATTR_BANDS]);
15806 
15807 		if (bands & ~(u32)wdev->wiphy->nan_supported_bands)
15808 			return -EOPNOTSUPP;
15809 
15810 		if (bands && !(bands & BIT(NL80211_BAND_2GHZ)))
15811 			return -EINVAL;
15812 
15813 		conf.bands = bands;
15814 		changed |= CFG80211_NAN_CONF_CHANGED_BANDS;
15815 	}
15816 
15817 	if (!changed)
15818 		return -EINVAL;
15819 
15820 	return rdev_nan_change_conf(rdev, wdev, &conf, changed);
15821 }
15822 
15823 void cfg80211_nan_match(struct wireless_dev *wdev,
15824 			struct cfg80211_nan_match_params *match, gfp_t gfp)
15825 {
15826 	struct wiphy *wiphy = wdev->wiphy;
15827 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
15828 	struct nlattr *match_attr, *local_func_attr, *peer_func_attr;
15829 	struct sk_buff *msg;
15830 	void *hdr;
15831 
15832 	if (WARN_ON(!match->inst_id || !match->peer_inst_id || !match->addr))
15833 		return;
15834 
15835 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
15836 	if (!msg)
15837 		return;
15838 
15839 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_NAN_MATCH);
15840 	if (!hdr) {
15841 		nlmsg_free(msg);
15842 		return;
15843 	}
15844 
15845 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
15846 	    (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
15847 					 wdev->netdev->ifindex)) ||
15848 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
15849 			      NL80211_ATTR_PAD))
15850 		goto nla_put_failure;
15851 
15852 	if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, match->cookie,
15853 			      NL80211_ATTR_PAD) ||
15854 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, match->addr))
15855 		goto nla_put_failure;
15856 
15857 	match_attr = nla_nest_start_noflag(msg, NL80211_ATTR_NAN_MATCH);
15858 	if (!match_attr)
15859 		goto nla_put_failure;
15860 
15861 	local_func_attr = nla_nest_start_noflag(msg,
15862 						NL80211_NAN_MATCH_FUNC_LOCAL);
15863 	if (!local_func_attr)
15864 		goto nla_put_failure;
15865 
15866 	if (nla_put_u8(msg, NL80211_NAN_FUNC_INSTANCE_ID, match->inst_id))
15867 		goto nla_put_failure;
15868 
15869 	nla_nest_end(msg, local_func_attr);
15870 
15871 	peer_func_attr = nla_nest_start_noflag(msg,
15872 					       NL80211_NAN_MATCH_FUNC_PEER);
15873 	if (!peer_func_attr)
15874 		goto nla_put_failure;
15875 
15876 	if (nla_put_u8(msg, NL80211_NAN_FUNC_TYPE, match->type) ||
15877 	    nla_put_u8(msg, NL80211_NAN_FUNC_INSTANCE_ID, match->peer_inst_id))
15878 		goto nla_put_failure;
15879 
15880 	if (match->info && match->info_len &&
15881 	    nla_put(msg, NL80211_NAN_FUNC_SERVICE_INFO, match->info_len,
15882 		    match->info))
15883 		goto nla_put_failure;
15884 
15885 	nla_nest_end(msg, peer_func_attr);
15886 	nla_nest_end(msg, match_attr);
15887 	genlmsg_end(msg, hdr);
15888 
15889 	if (!wdev->owner_nlportid)
15890 		genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy),
15891 					msg, 0, NL80211_MCGRP_NAN, gfp);
15892 	else
15893 		genlmsg_unicast(wiphy_net(&rdev->wiphy), msg,
15894 				wdev->owner_nlportid);
15895 
15896 	return;
15897 
15898 nla_put_failure:
15899 	nlmsg_free(msg);
15900 }
15901 EXPORT_SYMBOL(cfg80211_nan_match);
15902 
15903 void cfg80211_nan_func_terminated(struct wireless_dev *wdev,
15904 				  u8 inst_id,
15905 				  enum nl80211_nan_func_term_reason reason,
15906 				  u64 cookie, gfp_t gfp)
15907 {
15908 	struct wiphy *wiphy = wdev->wiphy;
15909 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
15910 	struct sk_buff *msg;
15911 	struct nlattr *func_attr;
15912 	void *hdr;
15913 
15914 	if (WARN_ON(!inst_id))
15915 		return;
15916 
15917 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
15918 	if (!msg)
15919 		return;
15920 
15921 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_DEL_NAN_FUNCTION);
15922 	if (!hdr) {
15923 		nlmsg_free(msg);
15924 		return;
15925 	}
15926 
15927 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
15928 	    (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
15929 					 wdev->netdev->ifindex)) ||
15930 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
15931 			      NL80211_ATTR_PAD))
15932 		goto nla_put_failure;
15933 
15934 	if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
15935 			      NL80211_ATTR_PAD))
15936 		goto nla_put_failure;
15937 
15938 	func_attr = nla_nest_start_noflag(msg, NL80211_ATTR_NAN_FUNC);
15939 	if (!func_attr)
15940 		goto nla_put_failure;
15941 
15942 	if (nla_put_u8(msg, NL80211_NAN_FUNC_INSTANCE_ID, inst_id) ||
15943 	    nla_put_u8(msg, NL80211_NAN_FUNC_TERM_REASON, reason))
15944 		goto nla_put_failure;
15945 
15946 	nla_nest_end(msg, func_attr);
15947 	genlmsg_end(msg, hdr);
15948 
15949 	if (!wdev->owner_nlportid)
15950 		genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy),
15951 					msg, 0, NL80211_MCGRP_NAN, gfp);
15952 	else
15953 		genlmsg_unicast(wiphy_net(&rdev->wiphy), msg,
15954 				wdev->owner_nlportid);
15955 
15956 	return;
15957 
15958 nla_put_failure:
15959 	nlmsg_free(msg);
15960 }
15961 EXPORT_SYMBOL(cfg80211_nan_func_terminated);
15962 
15963 static int nl80211_get_protocol_features(struct sk_buff *skb,
15964 					 struct genl_info *info)
15965 {
15966 	void *hdr;
15967 	struct sk_buff *msg;
15968 
15969 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
15970 	if (!msg)
15971 		return -ENOMEM;
15972 
15973 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
15974 			     NL80211_CMD_GET_PROTOCOL_FEATURES);
15975 	if (!hdr)
15976 		goto nla_put_failure;
15977 
15978 	if (nla_put_u32(msg, NL80211_ATTR_PROTOCOL_FEATURES,
15979 			NL80211_PROTOCOL_FEATURE_SPLIT_WIPHY_DUMP))
15980 		goto nla_put_failure;
15981 
15982 	genlmsg_end(msg, hdr);
15983 	return genlmsg_reply(msg, info);
15984 
15985  nla_put_failure:
15986 	kfree_skb(msg);
15987 	return -ENOBUFS;
15988 }
15989 
15990 static int nl80211_update_ft_ies(struct sk_buff *skb, struct genl_info *info)
15991 {
15992 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15993 	struct cfg80211_update_ft_ies_params ft_params;
15994 	struct net_device *dev = info->user_ptr[1];
15995 
15996 	if (!rdev->ops->update_ft_ies)
15997 		return -EOPNOTSUPP;
15998 
15999 	if (!info->attrs[NL80211_ATTR_MDID] ||
16000 	    !info->attrs[NL80211_ATTR_IE])
16001 		return -EINVAL;
16002 
16003 	memset(&ft_params, 0, sizeof(ft_params));
16004 	ft_params.md = nla_get_u16(info->attrs[NL80211_ATTR_MDID]);
16005 	ft_params.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
16006 	ft_params.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
16007 
16008 	return rdev_update_ft_ies(rdev, dev, &ft_params);
16009 }
16010 
16011 static int nl80211_crit_protocol_start(struct sk_buff *skb,
16012 				       struct genl_info *info)
16013 {
16014 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
16015 	struct wireless_dev *wdev = info->user_ptr[1];
16016 	enum nl80211_crit_proto_id proto = NL80211_CRIT_PROTO_UNSPEC;
16017 	u16 duration;
16018 	int ret;
16019 
16020 	if (!rdev->ops->crit_proto_start)
16021 		return -EOPNOTSUPP;
16022 
16023 	if (WARN_ON(!rdev->ops->crit_proto_stop))
16024 		return -EINVAL;
16025 
16026 	if (rdev->crit_proto_nlportid)
16027 		return -EBUSY;
16028 
16029 	/* determine protocol if provided */
16030 	if (info->attrs[NL80211_ATTR_CRIT_PROT_ID])
16031 		proto = nla_get_u16(info->attrs[NL80211_ATTR_CRIT_PROT_ID]);
16032 
16033 	if (proto >= NUM_NL80211_CRIT_PROTO)
16034 		return -EINVAL;
16035 
16036 	/* timeout must be provided */
16037 	if (!info->attrs[NL80211_ATTR_MAX_CRIT_PROT_DURATION])
16038 		return -EINVAL;
16039 
16040 	duration =
16041 		nla_get_u16(info->attrs[NL80211_ATTR_MAX_CRIT_PROT_DURATION]);
16042 
16043 	ret = rdev_crit_proto_start(rdev, wdev, proto, duration);
16044 	if (!ret)
16045 		rdev->crit_proto_nlportid = info->snd_portid;
16046 
16047 	return ret;
16048 }
16049 
16050 static int nl80211_crit_protocol_stop(struct sk_buff *skb,
16051 				      struct genl_info *info)
16052 {
16053 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
16054 	struct wireless_dev *wdev = info->user_ptr[1];
16055 
16056 	if (!rdev->ops->crit_proto_stop)
16057 		return -EOPNOTSUPP;
16058 
16059 	if (rdev->crit_proto_nlportid) {
16060 		rdev->crit_proto_nlportid = 0;
16061 		rdev_crit_proto_stop(rdev, wdev);
16062 	}
16063 	return 0;
16064 }
16065 
16066 static int nl80211_vendor_check_policy(const struct wiphy_vendor_command *vcmd,
16067 				       struct nlattr *attr,
16068 				       struct netlink_ext_ack *extack)
16069 {
16070 	if (vcmd->policy == VENDOR_CMD_RAW_DATA) {
16071 		if (attr->nla_type & NLA_F_NESTED) {
16072 			NL_SET_ERR_MSG_ATTR(extack, attr,
16073 					    "unexpected nested data");
16074 			return -EINVAL;
16075 		}
16076 
16077 		return 0;
16078 	}
16079 
16080 	if (!(attr->nla_type & NLA_F_NESTED)) {
16081 		NL_SET_ERR_MSG_ATTR(extack, attr, "expected nested data");
16082 		return -EINVAL;
16083 	}
16084 
16085 	return nla_validate_nested(attr, vcmd->maxattr, vcmd->policy, extack);
16086 }
16087 
16088 static int nl80211_vendor_cmd(struct sk_buff *skb, struct genl_info *info)
16089 {
16090 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
16091 	struct wireless_dev *wdev =
16092 		__cfg80211_wdev_from_attrs(rdev, genl_info_net(info),
16093 					   info->attrs);
16094 	int i, err;
16095 	u32 vid, subcmd;
16096 
16097 	if (!rdev->wiphy.vendor_commands)
16098 		return -EOPNOTSUPP;
16099 
16100 	if (IS_ERR(wdev)) {
16101 		err = PTR_ERR(wdev);
16102 		if (err != -EINVAL)
16103 			return err;
16104 		wdev = NULL;
16105 	} else if (wdev->wiphy != &rdev->wiphy) {
16106 		return -EINVAL;
16107 	}
16108 
16109 	if (!info->attrs[NL80211_ATTR_VENDOR_ID] ||
16110 	    !info->attrs[NL80211_ATTR_VENDOR_SUBCMD])
16111 		return -EINVAL;
16112 
16113 	vid = nla_get_u32(info->attrs[NL80211_ATTR_VENDOR_ID]);
16114 	subcmd = nla_get_u32(info->attrs[NL80211_ATTR_VENDOR_SUBCMD]);
16115 	for (i = 0; i < rdev->wiphy.n_vendor_commands; i++) {
16116 		const struct wiphy_vendor_command *vcmd;
16117 		void *data = NULL;
16118 		int len = 0;
16119 
16120 		vcmd = &rdev->wiphy.vendor_commands[i];
16121 
16122 		if (vcmd->info.vendor_id != vid || vcmd->info.subcmd != subcmd)
16123 			continue;
16124 
16125 		if (vcmd->flags & (WIPHY_VENDOR_CMD_NEED_WDEV |
16126 				   WIPHY_VENDOR_CMD_NEED_NETDEV)) {
16127 			if (!wdev)
16128 				return -EINVAL;
16129 			if (vcmd->flags & WIPHY_VENDOR_CMD_NEED_NETDEV &&
16130 			    !wdev->netdev)
16131 				return -EINVAL;
16132 
16133 			if (vcmd->flags & WIPHY_VENDOR_CMD_NEED_RUNNING) {
16134 				if (!wdev_running(wdev))
16135 					return -ENETDOWN;
16136 			}
16137 		} else {
16138 			wdev = NULL;
16139 		}
16140 
16141 		if (!vcmd->doit)
16142 			return -EOPNOTSUPP;
16143 
16144 		if (info->attrs[NL80211_ATTR_VENDOR_DATA]) {
16145 			data = nla_data(info->attrs[NL80211_ATTR_VENDOR_DATA]);
16146 			len = nla_len(info->attrs[NL80211_ATTR_VENDOR_DATA]);
16147 
16148 			err = nl80211_vendor_check_policy(vcmd,
16149 					info->attrs[NL80211_ATTR_VENDOR_DATA],
16150 					info->extack);
16151 			if (err)
16152 				return err;
16153 		}
16154 
16155 		rdev->cur_cmd_info = info;
16156 		err = vcmd->doit(&rdev->wiphy, wdev, data, len);
16157 		rdev->cur_cmd_info = NULL;
16158 		return err;
16159 	}
16160 
16161 	return -EOPNOTSUPP;
16162 }
16163 
16164 static int nl80211_prepare_vendor_dump(struct sk_buff *skb,
16165 				       struct netlink_callback *cb,
16166 				       struct cfg80211_registered_device **rdev,
16167 				       struct wireless_dev **wdev)
16168 {
16169 	struct nlattr **attrbuf;
16170 	u32 vid, subcmd;
16171 	unsigned int i;
16172 	int vcmd_idx = -1;
16173 	int err;
16174 	void *data = NULL;
16175 	unsigned int data_len = 0;
16176 
16177 	if (cb->args[0]) {
16178 		/* subtract the 1 again here */
16179 		struct wiphy *wiphy = wiphy_idx_to_wiphy(cb->args[0] - 1);
16180 		struct wireless_dev *tmp;
16181 
16182 		if (!wiphy)
16183 			return -ENODEV;
16184 		*rdev = wiphy_to_rdev(wiphy);
16185 		*wdev = NULL;
16186 
16187 		if (cb->args[1]) {
16188 			list_for_each_entry(tmp, &wiphy->wdev_list, list) {
16189 				if (tmp->identifier == cb->args[1] - 1) {
16190 					*wdev = tmp;
16191 					break;
16192 				}
16193 			}
16194 		}
16195 
16196 		/* keep rtnl locked in successful case */
16197 		return 0;
16198 	}
16199 
16200 	attrbuf = kcalloc(NUM_NL80211_ATTR, sizeof(*attrbuf), GFP_KERNEL);
16201 	if (!attrbuf)
16202 		return -ENOMEM;
16203 
16204 	err = nlmsg_parse_deprecated(cb->nlh,
16205 				     GENL_HDRLEN + nl80211_fam.hdrsize,
16206 				     attrbuf, nl80211_fam.maxattr,
16207 				     nl80211_policy, NULL);
16208 	if (err)
16209 		goto out;
16210 
16211 	if (!attrbuf[NL80211_ATTR_VENDOR_ID] ||
16212 	    !attrbuf[NL80211_ATTR_VENDOR_SUBCMD]) {
16213 		err = -EINVAL;
16214 		goto out;
16215 	}
16216 
16217 	*wdev = __cfg80211_wdev_from_attrs(NULL, sock_net(skb->sk), attrbuf);
16218 	if (IS_ERR(*wdev))
16219 		*wdev = NULL;
16220 
16221 	*rdev = __cfg80211_rdev_from_attrs(sock_net(skb->sk), attrbuf);
16222 	if (IS_ERR(*rdev)) {
16223 		err = PTR_ERR(*rdev);
16224 		goto out;
16225 	}
16226 
16227 	vid = nla_get_u32(attrbuf[NL80211_ATTR_VENDOR_ID]);
16228 	subcmd = nla_get_u32(attrbuf[NL80211_ATTR_VENDOR_SUBCMD]);
16229 
16230 	for (i = 0; i < (*rdev)->wiphy.n_vendor_commands; i++) {
16231 		const struct wiphy_vendor_command *vcmd;
16232 
16233 		vcmd = &(*rdev)->wiphy.vendor_commands[i];
16234 
16235 		if (vcmd->info.vendor_id != vid || vcmd->info.subcmd != subcmd)
16236 			continue;
16237 
16238 		if (!vcmd->dumpit) {
16239 			err = -EOPNOTSUPP;
16240 			goto out;
16241 		}
16242 
16243 		vcmd_idx = i;
16244 		break;
16245 	}
16246 
16247 	if (vcmd_idx < 0) {
16248 		err = -EOPNOTSUPP;
16249 		goto out;
16250 	}
16251 
16252 	if (attrbuf[NL80211_ATTR_VENDOR_DATA]) {
16253 		data = nla_data(attrbuf[NL80211_ATTR_VENDOR_DATA]);
16254 		data_len = nla_len(attrbuf[NL80211_ATTR_VENDOR_DATA]);
16255 
16256 		err = nl80211_vendor_check_policy(
16257 				&(*rdev)->wiphy.vendor_commands[vcmd_idx],
16258 				attrbuf[NL80211_ATTR_VENDOR_DATA],
16259 				cb->extack);
16260 		if (err)
16261 			goto out;
16262 	}
16263 
16264 	/* 0 is the first index - add 1 to parse only once */
16265 	cb->args[0] = (*rdev)->wiphy_idx + 1;
16266 	/* add 1 to know if it was NULL */
16267 	cb->args[1] = *wdev ? (*wdev)->identifier + 1 : 0;
16268 	cb->args[2] = vcmd_idx;
16269 	cb->args[3] = (unsigned long)data;
16270 	cb->args[4] = data_len;
16271 
16272 	/* keep rtnl locked in successful case */
16273 	err = 0;
16274 out:
16275 	kfree(attrbuf);
16276 	return err;
16277 }
16278 
16279 static int nl80211_vendor_cmd_dump(struct sk_buff *skb,
16280 				   struct netlink_callback *cb)
16281 {
16282 	struct cfg80211_registered_device *rdev;
16283 	struct wireless_dev *wdev;
16284 	unsigned int vcmd_idx;
16285 	const struct wiphy_vendor_command *vcmd;
16286 	void *data;
16287 	int data_len;
16288 	int err;
16289 	struct nlattr *vendor_data;
16290 
16291 	rtnl_lock();
16292 	err = nl80211_prepare_vendor_dump(skb, cb, &rdev, &wdev);
16293 	if (err)
16294 		goto out;
16295 
16296 	vcmd_idx = cb->args[2];
16297 	data = (void *)cb->args[3];
16298 	data_len = cb->args[4];
16299 	vcmd = &rdev->wiphy.vendor_commands[vcmd_idx];
16300 
16301 	if (vcmd->flags & (WIPHY_VENDOR_CMD_NEED_WDEV |
16302 			   WIPHY_VENDOR_CMD_NEED_NETDEV)) {
16303 		if (!wdev) {
16304 			err = -EINVAL;
16305 			goto out;
16306 		}
16307 		if (vcmd->flags & WIPHY_VENDOR_CMD_NEED_NETDEV &&
16308 		    !wdev->netdev) {
16309 			err = -EINVAL;
16310 			goto out;
16311 		}
16312 
16313 		if (vcmd->flags & WIPHY_VENDOR_CMD_NEED_RUNNING) {
16314 			if (!wdev_running(wdev)) {
16315 				err = -ENETDOWN;
16316 				goto out;
16317 			}
16318 		}
16319 	}
16320 
16321 	while (1) {
16322 		void *hdr = nl80211hdr_put(skb, NETLINK_CB(cb->skb).portid,
16323 					   cb->nlh->nlmsg_seq, NLM_F_MULTI,
16324 					   NL80211_CMD_VENDOR);
16325 		if (!hdr)
16326 			break;
16327 
16328 		if (nla_put_u32(skb, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
16329 		    (wdev && nla_put_u64_64bit(skb, NL80211_ATTR_WDEV,
16330 					       wdev_id(wdev),
16331 					       NL80211_ATTR_PAD))) {
16332 			genlmsg_cancel(skb, hdr);
16333 			break;
16334 		}
16335 
16336 		vendor_data = nla_nest_start_noflag(skb,
16337 						    NL80211_ATTR_VENDOR_DATA);
16338 		if (!vendor_data) {
16339 			genlmsg_cancel(skb, hdr);
16340 			break;
16341 		}
16342 
16343 		err = vcmd->dumpit(&rdev->wiphy, wdev, skb, data, data_len,
16344 				   (unsigned long *)&cb->args[5]);
16345 		nla_nest_end(skb, vendor_data);
16346 
16347 		if (err == -ENOBUFS || err == -ENOENT) {
16348 			genlmsg_cancel(skb, hdr);
16349 			break;
16350 		} else if (err <= 0) {
16351 			genlmsg_cancel(skb, hdr);
16352 			goto out;
16353 		}
16354 
16355 		genlmsg_end(skb, hdr);
16356 	}
16357 
16358 	err = skb->len;
16359  out:
16360 	rtnl_unlock();
16361 	return err;
16362 }
16363 
16364 struct sk_buff *__cfg80211_alloc_reply_skb(struct wiphy *wiphy,
16365 					   enum nl80211_commands cmd,
16366 					   enum nl80211_attrs attr,
16367 					   int approxlen)
16368 {
16369 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
16370 
16371 	if (WARN_ON(!rdev->cur_cmd_info))
16372 		return NULL;
16373 
16374 	return __cfg80211_alloc_vendor_skb(rdev, NULL, approxlen,
16375 					   rdev->cur_cmd_info->snd_portid,
16376 					   rdev->cur_cmd_info->snd_seq,
16377 					   cmd, attr, NULL, GFP_KERNEL);
16378 }
16379 EXPORT_SYMBOL(__cfg80211_alloc_reply_skb);
16380 
16381 int cfg80211_vendor_cmd_reply(struct sk_buff *skb)
16382 {
16383 	struct cfg80211_registered_device *rdev = ((void **)skb->cb)[0];
16384 	void *hdr = ((void **)skb->cb)[1];
16385 	struct nlattr *data = ((void **)skb->cb)[2];
16386 
16387 	/* clear CB data for netlink core to own from now on */
16388 	memset(skb->cb, 0, sizeof(skb->cb));
16389 
16390 	if (WARN_ON(!rdev->cur_cmd_info)) {
16391 		kfree_skb(skb);
16392 		return -EINVAL;
16393 	}
16394 
16395 	nla_nest_end(skb, data);
16396 	genlmsg_end(skb, hdr);
16397 	return genlmsg_reply(skb, rdev->cur_cmd_info);
16398 }
16399 EXPORT_SYMBOL_GPL(cfg80211_vendor_cmd_reply);
16400 
16401 unsigned int cfg80211_vendor_cmd_get_sender(struct wiphy *wiphy)
16402 {
16403 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
16404 
16405 	if (WARN_ON(!rdev->cur_cmd_info))
16406 		return 0;
16407 
16408 	return rdev->cur_cmd_info->snd_portid;
16409 }
16410 EXPORT_SYMBOL_GPL(cfg80211_vendor_cmd_get_sender);
16411 
16412 static int nl80211_set_qos_map(struct sk_buff *skb,
16413 			       struct genl_info *info)
16414 {
16415 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
16416 	struct cfg80211_qos_map *qos_map = NULL;
16417 	struct net_device *dev = info->user_ptr[1];
16418 	u8 *pos, len, num_des, des_len, des;
16419 	int ret;
16420 
16421 	if (!rdev->ops->set_qos_map)
16422 		return -EOPNOTSUPP;
16423 
16424 	if (info->attrs[NL80211_ATTR_QOS_MAP]) {
16425 		pos = nla_data(info->attrs[NL80211_ATTR_QOS_MAP]);
16426 		len = nla_len(info->attrs[NL80211_ATTR_QOS_MAP]);
16427 
16428 		if (len % 2)
16429 			return -EINVAL;
16430 
16431 		qos_map = kzalloc(sizeof(struct cfg80211_qos_map), GFP_KERNEL);
16432 		if (!qos_map)
16433 			return -ENOMEM;
16434 
16435 		num_des = (len - IEEE80211_QOS_MAP_LEN_MIN) >> 1;
16436 		if (num_des) {
16437 			des_len = num_des *
16438 				sizeof(struct cfg80211_dscp_exception);
16439 			memcpy(qos_map->dscp_exception, pos, des_len);
16440 			qos_map->num_des = num_des;
16441 			for (des = 0; des < num_des; des++) {
16442 				if (qos_map->dscp_exception[des].up > 7) {
16443 					kfree(qos_map);
16444 					return -EINVAL;
16445 				}
16446 			}
16447 			pos += des_len;
16448 		}
16449 		memcpy(qos_map->up, pos, IEEE80211_QOS_MAP_LEN_MIN);
16450 	}
16451 
16452 	ret = nl80211_key_allowed(dev->ieee80211_ptr);
16453 	if (!ret)
16454 		ret = rdev_set_qos_map(rdev, dev, qos_map);
16455 
16456 	kfree(qos_map);
16457 	return ret;
16458 }
16459 
16460 static int nl80211_add_tx_ts(struct sk_buff *skb, struct genl_info *info)
16461 {
16462 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
16463 	struct net_device *dev = info->user_ptr[1];
16464 	struct wireless_dev *wdev = dev->ieee80211_ptr;
16465 	const u8 *peer;
16466 	u8 tsid, up;
16467 	u16 admitted_time = 0;
16468 
16469 	if (!(rdev->wiphy.features & NL80211_FEATURE_SUPPORTS_WMM_ADMISSION))
16470 		return -EOPNOTSUPP;
16471 
16472 	if (!info->attrs[NL80211_ATTR_TSID] || !info->attrs[NL80211_ATTR_MAC] ||
16473 	    !info->attrs[NL80211_ATTR_USER_PRIO])
16474 		return -EINVAL;
16475 
16476 	tsid = nla_get_u8(info->attrs[NL80211_ATTR_TSID]);
16477 	up = nla_get_u8(info->attrs[NL80211_ATTR_USER_PRIO]);
16478 
16479 	/* WMM uses TIDs 0-7 even for TSPEC */
16480 	if (tsid >= IEEE80211_FIRST_TSPEC_TSID) {
16481 		/* TODO: handle 802.11 TSPEC/admission control
16482 		 * need more attributes for that (e.g. BA session requirement);
16483 		 * change the WMM admission test above to allow both then
16484 		 */
16485 		return -EINVAL;
16486 	}
16487 
16488 	peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
16489 
16490 	if (info->attrs[NL80211_ATTR_ADMITTED_TIME]) {
16491 		admitted_time =
16492 			nla_get_u16(info->attrs[NL80211_ATTR_ADMITTED_TIME]);
16493 		if (!admitted_time)
16494 			return -EINVAL;
16495 	}
16496 
16497 	switch (wdev->iftype) {
16498 	case NL80211_IFTYPE_STATION:
16499 	case NL80211_IFTYPE_P2P_CLIENT:
16500 		if (wdev->connected)
16501 			break;
16502 		return -ENOTCONN;
16503 	default:
16504 		return -EOPNOTSUPP;
16505 	}
16506 
16507 	return rdev_add_tx_ts(rdev, dev, tsid, peer, up, admitted_time);
16508 }
16509 
16510 static int nl80211_del_tx_ts(struct sk_buff *skb, struct genl_info *info)
16511 {
16512 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
16513 	struct net_device *dev = info->user_ptr[1];
16514 	const u8 *peer;
16515 	u8 tsid;
16516 
16517 	if (!info->attrs[NL80211_ATTR_TSID] || !info->attrs[NL80211_ATTR_MAC])
16518 		return -EINVAL;
16519 
16520 	tsid = nla_get_u8(info->attrs[NL80211_ATTR_TSID]);
16521 	peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
16522 
16523 	return rdev_del_tx_ts(rdev, dev, tsid, peer);
16524 }
16525 
16526 static int nl80211_tdls_channel_switch(struct sk_buff *skb,
16527 				       struct genl_info *info)
16528 {
16529 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
16530 	struct net_device *dev = info->user_ptr[1];
16531 	struct wireless_dev *wdev = dev->ieee80211_ptr;
16532 	struct cfg80211_chan_def chandef = {};
16533 	const u8 *addr;
16534 	u8 oper_class;
16535 	int err;
16536 
16537 	if (!rdev->ops->tdls_channel_switch ||
16538 	    !(rdev->wiphy.features & NL80211_FEATURE_TDLS_CHANNEL_SWITCH))
16539 		return -EOPNOTSUPP;
16540 
16541 	switch (dev->ieee80211_ptr->iftype) {
16542 	case NL80211_IFTYPE_STATION:
16543 	case NL80211_IFTYPE_P2P_CLIENT:
16544 		break;
16545 	default:
16546 		return -EOPNOTSUPP;
16547 	}
16548 
16549 	if (!info->attrs[NL80211_ATTR_MAC] ||
16550 	    !info->attrs[NL80211_ATTR_OPER_CLASS])
16551 		return -EINVAL;
16552 
16553 	err = nl80211_parse_chandef(rdev, info, &chandef);
16554 	if (err)
16555 		return err;
16556 
16557 	/*
16558 	 * Don't allow wide channels on the 2.4Ghz band, as per IEEE802.11-2012
16559 	 * section 10.22.6.2.1. Disallow 5/10Mhz channels as well for now, the
16560 	 * specification is not defined for them.
16561 	 */
16562 	if (chandef.chan->band == NL80211_BAND_2GHZ &&
16563 	    chandef.width != NL80211_CHAN_WIDTH_20_NOHT &&
16564 	    chandef.width != NL80211_CHAN_WIDTH_20)
16565 		return -EINVAL;
16566 
16567 	/* we will be active on the TDLS link */
16568 	if (!cfg80211_reg_can_beacon_relax(&rdev->wiphy, &chandef,
16569 					   wdev->iftype))
16570 		return -EINVAL;
16571 
16572 	/* don't allow switching to DFS channels */
16573 	if (cfg80211_chandef_dfs_required(wdev->wiphy, &chandef, wdev->iftype))
16574 		return -EINVAL;
16575 
16576 	addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
16577 	oper_class = nla_get_u8(info->attrs[NL80211_ATTR_OPER_CLASS]);
16578 
16579 	return rdev_tdls_channel_switch(rdev, dev, addr, oper_class, &chandef);
16580 }
16581 
16582 static int nl80211_tdls_cancel_channel_switch(struct sk_buff *skb,
16583 					      struct genl_info *info)
16584 {
16585 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
16586 	struct net_device *dev = info->user_ptr[1];
16587 	const u8 *addr;
16588 
16589 	if (!rdev->ops->tdls_channel_switch ||
16590 	    !rdev->ops->tdls_cancel_channel_switch ||
16591 	    !(rdev->wiphy.features & NL80211_FEATURE_TDLS_CHANNEL_SWITCH))
16592 		return -EOPNOTSUPP;
16593 
16594 	switch (dev->ieee80211_ptr->iftype) {
16595 	case NL80211_IFTYPE_STATION:
16596 	case NL80211_IFTYPE_P2P_CLIENT:
16597 		break;
16598 	default:
16599 		return -EOPNOTSUPP;
16600 	}
16601 
16602 	if (!info->attrs[NL80211_ATTR_MAC])
16603 		return -EINVAL;
16604 
16605 	addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
16606 
16607 	rdev_tdls_cancel_channel_switch(rdev, dev, addr);
16608 
16609 	return 0;
16610 }
16611 
16612 static int nl80211_set_multicast_to_unicast(struct sk_buff *skb,
16613 					    struct genl_info *info)
16614 {
16615 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
16616 	struct net_device *dev = info->user_ptr[1];
16617 	struct wireless_dev *wdev = dev->ieee80211_ptr;
16618 	const struct nlattr *nla;
16619 	bool enabled;
16620 
16621 	if (!rdev->ops->set_multicast_to_unicast)
16622 		return -EOPNOTSUPP;
16623 
16624 	if (wdev->iftype != NL80211_IFTYPE_AP &&
16625 	    wdev->iftype != NL80211_IFTYPE_P2P_GO)
16626 		return -EOPNOTSUPP;
16627 
16628 	nla = info->attrs[NL80211_ATTR_MULTICAST_TO_UNICAST_ENABLED];
16629 	enabled = nla_get_flag(nla);
16630 
16631 	return rdev_set_multicast_to_unicast(rdev, dev, enabled);
16632 }
16633 
16634 static int nl80211_set_pmk(struct sk_buff *skb, struct genl_info *info)
16635 {
16636 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
16637 	struct net_device *dev = info->user_ptr[1];
16638 	struct wireless_dev *wdev = dev->ieee80211_ptr;
16639 	struct cfg80211_pmk_conf pmk_conf = {};
16640 
16641 	if (wdev->iftype != NL80211_IFTYPE_STATION &&
16642 	    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT)
16643 		return -EOPNOTSUPP;
16644 
16645 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
16646 				     NL80211_EXT_FEATURE_4WAY_HANDSHAKE_STA_1X))
16647 		return -EOPNOTSUPP;
16648 
16649 	if (!info->attrs[NL80211_ATTR_MAC] || !info->attrs[NL80211_ATTR_PMK])
16650 		return -EINVAL;
16651 
16652 	if (!wdev->connected)
16653 		return -ENOTCONN;
16654 
16655 	pmk_conf.aa = nla_data(info->attrs[NL80211_ATTR_MAC]);
16656 	if (memcmp(pmk_conf.aa, wdev->u.client.connected_addr, ETH_ALEN))
16657 		return -EINVAL;
16658 
16659 	pmk_conf.pmk = nla_data(info->attrs[NL80211_ATTR_PMK]);
16660 	pmk_conf.pmk_len = nla_len(info->attrs[NL80211_ATTR_PMK]);
16661 	if (pmk_conf.pmk_len != WLAN_PMK_LEN &&
16662 	    pmk_conf.pmk_len != WLAN_PMK_LEN_SUITE_B_192)
16663 		return -EINVAL;
16664 
16665 	if (info->attrs[NL80211_ATTR_PMKR0_NAME])
16666 		pmk_conf.pmk_r0_name =
16667 			nla_data(info->attrs[NL80211_ATTR_PMKR0_NAME]);
16668 
16669 	return rdev_set_pmk(rdev, dev, &pmk_conf);
16670 }
16671 
16672 static int nl80211_del_pmk(struct sk_buff *skb, struct genl_info *info)
16673 {
16674 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
16675 	struct net_device *dev = info->user_ptr[1];
16676 	struct wireless_dev *wdev = dev->ieee80211_ptr;
16677 	const u8 *aa;
16678 
16679 	if (wdev->iftype != NL80211_IFTYPE_STATION &&
16680 	    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT)
16681 		return -EOPNOTSUPP;
16682 
16683 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
16684 				     NL80211_EXT_FEATURE_4WAY_HANDSHAKE_STA_1X))
16685 		return -EOPNOTSUPP;
16686 
16687 	if (!info->attrs[NL80211_ATTR_MAC])
16688 		return -EINVAL;
16689 
16690 	aa = nla_data(info->attrs[NL80211_ATTR_MAC]);
16691 	return rdev_del_pmk(rdev, dev, aa);
16692 }
16693 
16694 static int nl80211_external_auth(struct sk_buff *skb, struct genl_info *info)
16695 {
16696 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
16697 	struct net_device *dev = info->user_ptr[1];
16698 	struct cfg80211_external_auth_params params;
16699 
16700 	if (!rdev->ops->external_auth)
16701 		return -EOPNOTSUPP;
16702 
16703 	if (!info->attrs[NL80211_ATTR_SSID] &&
16704 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
16705 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
16706 		return -EINVAL;
16707 
16708 	if (!info->attrs[NL80211_ATTR_BSSID])
16709 		return -EINVAL;
16710 
16711 	if (!info->attrs[NL80211_ATTR_STATUS_CODE])
16712 		return -EINVAL;
16713 
16714 	memset(&params, 0, sizeof(params));
16715 
16716 	if (info->attrs[NL80211_ATTR_SSID]) {
16717 		params.ssid.ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
16718 		if (params.ssid.ssid_len == 0)
16719 			return -EINVAL;
16720 		memcpy(params.ssid.ssid,
16721 		       nla_data(info->attrs[NL80211_ATTR_SSID]),
16722 		       params.ssid.ssid_len);
16723 	}
16724 
16725 	memcpy(params.bssid, nla_data(info->attrs[NL80211_ATTR_BSSID]),
16726 	       ETH_ALEN);
16727 
16728 	params.status = nla_get_u16(info->attrs[NL80211_ATTR_STATUS_CODE]);
16729 
16730 	if (info->attrs[NL80211_ATTR_PMKID])
16731 		params.pmkid = nla_data(info->attrs[NL80211_ATTR_PMKID]);
16732 
16733 	return rdev_external_auth(rdev, dev, &params);
16734 }
16735 
16736 static int nl80211_tx_control_port(struct sk_buff *skb, struct genl_info *info)
16737 {
16738 	bool dont_wait_for_ack = info->attrs[NL80211_ATTR_DONT_WAIT_FOR_ACK];
16739 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
16740 	struct net_device *dev = info->user_ptr[1];
16741 	struct wireless_dev *wdev = dev->ieee80211_ptr;
16742 	const u8 *buf;
16743 	size_t len;
16744 	u8 *dest;
16745 	u16 proto;
16746 	bool noencrypt;
16747 	u64 cookie = 0;
16748 	int link_id;
16749 	int err;
16750 
16751 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
16752 				     NL80211_EXT_FEATURE_CONTROL_PORT_OVER_NL80211))
16753 		return -EOPNOTSUPP;
16754 
16755 	if (!rdev->ops->tx_control_port)
16756 		return -EOPNOTSUPP;
16757 
16758 	if (!info->attrs[NL80211_ATTR_FRAME] ||
16759 	    !info->attrs[NL80211_ATTR_MAC] ||
16760 	    !info->attrs[NL80211_ATTR_CONTROL_PORT_ETHERTYPE]) {
16761 		GENL_SET_ERR_MSG(info, "Frame, MAC or ethertype missing");
16762 		return -EINVAL;
16763 	}
16764 
16765 	switch (wdev->iftype) {
16766 	case NL80211_IFTYPE_AP:
16767 	case NL80211_IFTYPE_P2P_GO:
16768 	case NL80211_IFTYPE_MESH_POINT:
16769 		break;
16770 	case NL80211_IFTYPE_ADHOC:
16771 		if (wdev->u.ibss.current_bss)
16772 			break;
16773 		return -ENOTCONN;
16774 	case NL80211_IFTYPE_STATION:
16775 	case NL80211_IFTYPE_P2P_CLIENT:
16776 		if (wdev->connected)
16777 			break;
16778 		return -ENOTCONN;
16779 	default:
16780 		return -EOPNOTSUPP;
16781 	}
16782 
16783 	buf = nla_data(info->attrs[NL80211_ATTR_FRAME]);
16784 	len = nla_len(info->attrs[NL80211_ATTR_FRAME]);
16785 	dest = nla_data(info->attrs[NL80211_ATTR_MAC]);
16786 	proto = nla_get_u16(info->attrs[NL80211_ATTR_CONTROL_PORT_ETHERTYPE]);
16787 	noencrypt =
16788 		nla_get_flag(info->attrs[NL80211_ATTR_CONTROL_PORT_NO_ENCRYPT]);
16789 
16790 	link_id = nl80211_link_id_or_invalid(info->attrs);
16791 
16792 	err = rdev_tx_control_port(rdev, dev, buf, len,
16793 				   dest, cpu_to_be16(proto), noencrypt, link_id,
16794 				   dont_wait_for_ack ? NULL : &cookie);
16795 	if (!err && !dont_wait_for_ack)
16796 		nl_set_extack_cookie_u64(info->extack, cookie);
16797 	return err;
16798 }
16799 
16800 static int nl80211_get_ftm_responder_stats(struct sk_buff *skb,
16801 					   struct genl_info *info)
16802 {
16803 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
16804 	struct net_device *dev = info->user_ptr[1];
16805 	struct wireless_dev *wdev = dev->ieee80211_ptr;
16806 	struct cfg80211_ftm_responder_stats ftm_stats = {};
16807 	unsigned int link_id = nl80211_link_id(info->attrs);
16808 	struct sk_buff *msg;
16809 	void *hdr;
16810 	struct nlattr *ftm_stats_attr;
16811 	int err;
16812 
16813 	if (wdev->iftype != NL80211_IFTYPE_AP ||
16814 	    !wdev->links[link_id].ap.beacon_interval)
16815 		return -EOPNOTSUPP;
16816 
16817 	err = rdev_get_ftm_responder_stats(rdev, dev, &ftm_stats);
16818 	if (err)
16819 		return err;
16820 
16821 	if (!ftm_stats.filled)
16822 		return -ENODATA;
16823 
16824 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
16825 	if (!msg)
16826 		return -ENOMEM;
16827 
16828 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
16829 			     NL80211_CMD_GET_FTM_RESPONDER_STATS);
16830 	if (!hdr)
16831 		goto nla_put_failure;
16832 
16833 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
16834 		goto nla_put_failure;
16835 
16836 	ftm_stats_attr = nla_nest_start_noflag(msg,
16837 					       NL80211_ATTR_FTM_RESPONDER_STATS);
16838 	if (!ftm_stats_attr)
16839 		goto nla_put_failure;
16840 
16841 #define SET_FTM(field, name, type)					 \
16842 	do { if ((ftm_stats.filled & BIT(NL80211_FTM_STATS_ ## name)) && \
16843 	    nla_put_ ## type(msg, NL80211_FTM_STATS_ ## name,		 \
16844 			     ftm_stats.field))				 \
16845 		goto nla_put_failure; } while (0)
16846 #define SET_FTM_U64(field, name)					 \
16847 	do { if ((ftm_stats.filled & BIT(NL80211_FTM_STATS_ ## name)) && \
16848 	    nla_put_u64_64bit(msg, NL80211_FTM_STATS_ ## name,		 \
16849 			      ftm_stats.field, NL80211_FTM_STATS_PAD))	 \
16850 		goto nla_put_failure; } while (0)
16851 
16852 	SET_FTM(success_num, SUCCESS_NUM, u32);
16853 	SET_FTM(partial_num, PARTIAL_NUM, u32);
16854 	SET_FTM(failed_num, FAILED_NUM, u32);
16855 	SET_FTM(asap_num, ASAP_NUM, u32);
16856 	SET_FTM(non_asap_num, NON_ASAP_NUM, u32);
16857 	SET_FTM_U64(total_duration_ms, TOTAL_DURATION_MSEC);
16858 	SET_FTM(unknown_triggers_num, UNKNOWN_TRIGGERS_NUM, u32);
16859 	SET_FTM(reschedule_requests_num, RESCHEDULE_REQUESTS_NUM, u32);
16860 	SET_FTM(out_of_window_triggers_num, OUT_OF_WINDOW_TRIGGERS_NUM, u32);
16861 #undef SET_FTM
16862 
16863 	nla_nest_end(msg, ftm_stats_attr);
16864 
16865 	genlmsg_end(msg, hdr);
16866 	return genlmsg_reply(msg, info);
16867 
16868 nla_put_failure:
16869 	nlmsg_free(msg);
16870 	return -ENOBUFS;
16871 }
16872 
16873 static int nl80211_update_owe_info(struct sk_buff *skb, struct genl_info *info)
16874 {
16875 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
16876 	struct cfg80211_update_owe_info owe_info;
16877 	struct net_device *dev = info->user_ptr[1];
16878 
16879 	if (!rdev->ops->update_owe_info)
16880 		return -EOPNOTSUPP;
16881 
16882 	if (!info->attrs[NL80211_ATTR_STATUS_CODE] ||
16883 	    !info->attrs[NL80211_ATTR_MAC])
16884 		return -EINVAL;
16885 
16886 	memset(&owe_info, 0, sizeof(owe_info));
16887 	owe_info.status = nla_get_u16(info->attrs[NL80211_ATTR_STATUS_CODE]);
16888 	nla_memcpy(owe_info.peer, info->attrs[NL80211_ATTR_MAC], ETH_ALEN);
16889 
16890 	if (info->attrs[NL80211_ATTR_IE]) {
16891 		owe_info.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
16892 		owe_info.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
16893 	}
16894 
16895 	return rdev_update_owe_info(rdev, dev, &owe_info);
16896 }
16897 
16898 static int nl80211_probe_mesh_link(struct sk_buff *skb, struct genl_info *info)
16899 {
16900 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
16901 	struct net_device *dev = info->user_ptr[1];
16902 	struct wireless_dev *wdev = dev->ieee80211_ptr;
16903 	struct station_info sinfo = {};
16904 	const u8 *buf;
16905 	size_t len;
16906 	u8 *dest;
16907 	int err;
16908 
16909 	if (!rdev->ops->probe_mesh_link || !rdev->ops->get_station)
16910 		return -EOPNOTSUPP;
16911 
16912 	if (!info->attrs[NL80211_ATTR_MAC] ||
16913 	    !info->attrs[NL80211_ATTR_FRAME]) {
16914 		GENL_SET_ERR_MSG(info, "Frame or MAC missing");
16915 		return -EINVAL;
16916 	}
16917 
16918 	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT)
16919 		return -EOPNOTSUPP;
16920 
16921 	dest = nla_data(info->attrs[NL80211_ATTR_MAC]);
16922 	buf = nla_data(info->attrs[NL80211_ATTR_FRAME]);
16923 	len = nla_len(info->attrs[NL80211_ATTR_FRAME]);
16924 
16925 	if (len < sizeof(struct ethhdr))
16926 		return -EINVAL;
16927 
16928 	if (!ether_addr_equal(buf, dest) || is_multicast_ether_addr(buf) ||
16929 	    !ether_addr_equal(buf + ETH_ALEN, dev->dev_addr))
16930 		return -EINVAL;
16931 
16932 	err = rdev_get_station(rdev, dev, dest, &sinfo);
16933 	if (err)
16934 		return err;
16935 
16936 	cfg80211_sinfo_release_content(&sinfo);
16937 
16938 	return rdev_probe_mesh_link(rdev, dev, dest, buf, len);
16939 }
16940 
16941 static int parse_tid_conf(struct cfg80211_registered_device *rdev,
16942 			  struct nlattr *attrs[], struct net_device *dev,
16943 			  struct cfg80211_tid_cfg *tid_conf,
16944 			  struct genl_info *info, const u8 *peer,
16945 			  unsigned int link_id)
16946 {
16947 	struct netlink_ext_ack *extack = info->extack;
16948 	u64 mask;
16949 	int err;
16950 
16951 	if (!attrs[NL80211_TID_CONFIG_ATTR_TIDS])
16952 		return -EINVAL;
16953 
16954 	tid_conf->config_override =
16955 			nla_get_flag(attrs[NL80211_TID_CONFIG_ATTR_OVERRIDE]);
16956 	tid_conf->tids = nla_get_u16(attrs[NL80211_TID_CONFIG_ATTR_TIDS]);
16957 
16958 	if (tid_conf->config_override) {
16959 		if (rdev->ops->reset_tid_config) {
16960 			err = rdev_reset_tid_config(rdev, dev, peer,
16961 						    tid_conf->tids);
16962 			if (err)
16963 				return err;
16964 		} else {
16965 			return -EINVAL;
16966 		}
16967 	}
16968 
16969 	if (attrs[NL80211_TID_CONFIG_ATTR_NOACK]) {
16970 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_NOACK);
16971 		tid_conf->noack =
16972 			nla_get_u8(attrs[NL80211_TID_CONFIG_ATTR_NOACK]);
16973 	}
16974 
16975 	if (attrs[NL80211_TID_CONFIG_ATTR_RETRY_SHORT]) {
16976 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_RETRY_SHORT);
16977 		tid_conf->retry_short =
16978 			nla_get_u8(attrs[NL80211_TID_CONFIG_ATTR_RETRY_SHORT]);
16979 
16980 		if (tid_conf->retry_short > rdev->wiphy.max_data_retry_count)
16981 			return -EINVAL;
16982 	}
16983 
16984 	if (attrs[NL80211_TID_CONFIG_ATTR_RETRY_LONG]) {
16985 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_RETRY_LONG);
16986 		tid_conf->retry_long =
16987 			nla_get_u8(attrs[NL80211_TID_CONFIG_ATTR_RETRY_LONG]);
16988 
16989 		if (tid_conf->retry_long > rdev->wiphy.max_data_retry_count)
16990 			return -EINVAL;
16991 	}
16992 
16993 	if (attrs[NL80211_TID_CONFIG_ATTR_AMPDU_CTRL]) {
16994 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_AMPDU_CTRL);
16995 		tid_conf->ampdu =
16996 			nla_get_u8(attrs[NL80211_TID_CONFIG_ATTR_AMPDU_CTRL]);
16997 	}
16998 
16999 	if (attrs[NL80211_TID_CONFIG_ATTR_RTSCTS_CTRL]) {
17000 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_RTSCTS_CTRL);
17001 		tid_conf->rtscts =
17002 			nla_get_u8(attrs[NL80211_TID_CONFIG_ATTR_RTSCTS_CTRL]);
17003 	}
17004 
17005 	if (attrs[NL80211_TID_CONFIG_ATTR_AMSDU_CTRL]) {
17006 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_AMSDU_CTRL);
17007 		tid_conf->amsdu =
17008 			nla_get_u8(attrs[NL80211_TID_CONFIG_ATTR_AMSDU_CTRL]);
17009 	}
17010 
17011 	if (attrs[NL80211_TID_CONFIG_ATTR_TX_RATE_TYPE]) {
17012 		u32 idx = NL80211_TID_CONFIG_ATTR_TX_RATE_TYPE, attr;
17013 
17014 		tid_conf->txrate_type = nla_get_u8(attrs[idx]);
17015 
17016 		if (tid_conf->txrate_type != NL80211_TX_RATE_AUTOMATIC) {
17017 			attr = NL80211_TID_CONFIG_ATTR_TX_RATE;
17018 			err = nl80211_parse_tx_bitrate_mask(info, attrs, attr,
17019 						    &tid_conf->txrate_mask, dev,
17020 						    true, link_id);
17021 			if (err)
17022 				return err;
17023 
17024 			tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_TX_RATE);
17025 		}
17026 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_TX_RATE_TYPE);
17027 	}
17028 
17029 	if (peer)
17030 		mask = rdev->wiphy.tid_config_support.peer;
17031 	else
17032 		mask = rdev->wiphy.tid_config_support.vif;
17033 
17034 	if (tid_conf->mask & ~mask) {
17035 		NL_SET_ERR_MSG(extack, "unsupported TID configuration");
17036 		return -EOPNOTSUPP;
17037 	}
17038 
17039 	return 0;
17040 }
17041 
17042 static int nl80211_set_tid_config(struct sk_buff *skb,
17043 				  struct genl_info *info)
17044 {
17045 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
17046 	struct nlattr *attrs[NL80211_TID_CONFIG_ATTR_MAX + 1];
17047 	unsigned int link_id = nl80211_link_id(info->attrs);
17048 	struct net_device *dev = info->user_ptr[1];
17049 	struct cfg80211_tid_config *tid_config;
17050 	struct nlattr *tid;
17051 	int conf_idx = 0, rem_conf;
17052 	int ret = -EINVAL;
17053 	u32 num_conf = 0;
17054 
17055 	if (!info->attrs[NL80211_ATTR_TID_CONFIG])
17056 		return -EINVAL;
17057 
17058 	if (!rdev->ops->set_tid_config)
17059 		return -EOPNOTSUPP;
17060 
17061 	nla_for_each_nested(tid, info->attrs[NL80211_ATTR_TID_CONFIG],
17062 			    rem_conf)
17063 		num_conf++;
17064 
17065 	tid_config = kzalloc(struct_size(tid_config, tid_conf, num_conf),
17066 			     GFP_KERNEL);
17067 	if (!tid_config)
17068 		return -ENOMEM;
17069 
17070 	tid_config->n_tid_conf = num_conf;
17071 
17072 	if (info->attrs[NL80211_ATTR_MAC])
17073 		tid_config->peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
17074 
17075 	nla_for_each_nested(tid, info->attrs[NL80211_ATTR_TID_CONFIG],
17076 			    rem_conf) {
17077 		ret = nla_parse_nested(attrs, NL80211_TID_CONFIG_ATTR_MAX,
17078 				       tid, NULL, NULL);
17079 
17080 		if (ret)
17081 			goto bad_tid_conf;
17082 
17083 		ret = parse_tid_conf(rdev, attrs, dev,
17084 				     &tid_config->tid_conf[conf_idx],
17085 				     info, tid_config->peer, link_id);
17086 		if (ret)
17087 			goto bad_tid_conf;
17088 
17089 		conf_idx++;
17090 	}
17091 
17092 	ret = rdev_set_tid_config(rdev, dev, tid_config);
17093 
17094 bad_tid_conf:
17095 	kfree(tid_config);
17096 	return ret;
17097 }
17098 
17099 static int nl80211_color_change(struct sk_buff *skb, struct genl_info *info)
17100 {
17101 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
17102 	struct cfg80211_color_change_settings params = {};
17103 	struct net_device *dev = info->user_ptr[1];
17104 	struct wireless_dev *wdev = dev->ieee80211_ptr;
17105 	struct nlattr **tb;
17106 	u16 offset;
17107 	int err;
17108 
17109 	if (!rdev->ops->color_change)
17110 		return -EOPNOTSUPP;
17111 
17112 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
17113 				     NL80211_EXT_FEATURE_BSS_COLOR))
17114 		return -EOPNOTSUPP;
17115 
17116 	if (wdev->iftype != NL80211_IFTYPE_AP)
17117 		return -EOPNOTSUPP;
17118 
17119 	if (!info->attrs[NL80211_ATTR_COLOR_CHANGE_COUNT] ||
17120 	    !info->attrs[NL80211_ATTR_COLOR_CHANGE_COLOR] ||
17121 	    !info->attrs[NL80211_ATTR_COLOR_CHANGE_ELEMS])
17122 		return -EINVAL;
17123 
17124 	params.count = nla_get_u8(info->attrs[NL80211_ATTR_COLOR_CHANGE_COUNT]);
17125 	params.color = nla_get_u8(info->attrs[NL80211_ATTR_COLOR_CHANGE_COLOR]);
17126 
17127 	err = nl80211_parse_beacon(rdev, info->attrs, &params.beacon_next,
17128 				   info->extack);
17129 	if (err)
17130 		return err;
17131 
17132 	tb = kcalloc(NL80211_ATTR_MAX + 1, sizeof(*tb), GFP_KERNEL);
17133 	if (!tb)
17134 		return -ENOMEM;
17135 
17136 	err = nla_parse_nested(tb, NL80211_ATTR_MAX,
17137 			       info->attrs[NL80211_ATTR_COLOR_CHANGE_ELEMS],
17138 			       nl80211_policy, info->extack);
17139 	if (err)
17140 		goto out;
17141 
17142 	err = nl80211_parse_beacon(rdev, tb, &params.beacon_color_change,
17143 				   info->extack);
17144 	if (err)
17145 		goto out;
17146 
17147 	if (!tb[NL80211_ATTR_CNTDWN_OFFS_BEACON]) {
17148 		err = -EINVAL;
17149 		goto out;
17150 	}
17151 
17152 	if (nla_len(tb[NL80211_ATTR_CNTDWN_OFFS_BEACON]) != sizeof(u16)) {
17153 		err = -EINVAL;
17154 		goto out;
17155 	}
17156 
17157 	offset = nla_get_u16(tb[NL80211_ATTR_CNTDWN_OFFS_BEACON]);
17158 	if (offset >= params.beacon_color_change.tail_len) {
17159 		err = -EINVAL;
17160 		goto out;
17161 	}
17162 
17163 	if (params.beacon_color_change.tail[offset] != params.count) {
17164 		err = -EINVAL;
17165 		goto out;
17166 	}
17167 
17168 	params.counter_offset_beacon = offset;
17169 
17170 	if (tb[NL80211_ATTR_CNTDWN_OFFS_PRESP]) {
17171 		if (nla_len(tb[NL80211_ATTR_CNTDWN_OFFS_PRESP]) !=
17172 		    sizeof(u16)) {
17173 			err = -EINVAL;
17174 			goto out;
17175 		}
17176 
17177 		offset = nla_get_u16(tb[NL80211_ATTR_CNTDWN_OFFS_PRESP]);
17178 		if (offset >= params.beacon_color_change.probe_resp_len) {
17179 			err = -EINVAL;
17180 			goto out;
17181 		}
17182 
17183 		if (params.beacon_color_change.probe_resp[offset] !=
17184 		    params.count) {
17185 			err = -EINVAL;
17186 			goto out;
17187 		}
17188 
17189 		params.counter_offset_presp = offset;
17190 	}
17191 
17192 	if (info->attrs[NL80211_ATTR_UNSOL_BCAST_PROBE_RESP]) {
17193 		err = nl80211_parse_unsol_bcast_probe_resp(
17194 			rdev, info->attrs[NL80211_ATTR_UNSOL_BCAST_PROBE_RESP],
17195 			&params.unsol_bcast_probe_resp);
17196 		if (err)
17197 			goto out;
17198 	}
17199 
17200 	params.link_id = nl80211_link_id(info->attrs);
17201 	err = rdev_color_change(rdev, dev, &params);
17202 
17203 out:
17204 	kfree(params.beacon_next.mbssid_ies);
17205 	kfree(params.beacon_color_change.mbssid_ies);
17206 	kfree(params.beacon_next.rnr_ies);
17207 	kfree(params.beacon_color_change.rnr_ies);
17208 	kfree(tb);
17209 	return err;
17210 }
17211 
17212 static int nl80211_set_fils_aad(struct sk_buff *skb,
17213 				struct genl_info *info)
17214 {
17215 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
17216 	struct net_device *dev = info->user_ptr[1];
17217 	struct cfg80211_fils_aad fils_aad = {};
17218 	u8 *nonces;
17219 
17220 	if (!info->attrs[NL80211_ATTR_MAC] ||
17221 	    !info->attrs[NL80211_ATTR_FILS_KEK] ||
17222 	    !info->attrs[NL80211_ATTR_FILS_NONCES])
17223 		return -EINVAL;
17224 
17225 	fils_aad.macaddr = nla_data(info->attrs[NL80211_ATTR_MAC]);
17226 	fils_aad.kek_len = nla_len(info->attrs[NL80211_ATTR_FILS_KEK]);
17227 	fils_aad.kek = nla_data(info->attrs[NL80211_ATTR_FILS_KEK]);
17228 	nonces = nla_data(info->attrs[NL80211_ATTR_FILS_NONCES]);
17229 	fils_aad.snonce = nonces;
17230 	fils_aad.anonce = nonces + FILS_NONCE_LEN;
17231 
17232 	return rdev_set_fils_aad(rdev, dev, &fils_aad);
17233 }
17234 
17235 static int nl80211_add_link(struct sk_buff *skb, struct genl_info *info)
17236 {
17237 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
17238 	unsigned int link_id = nl80211_link_id(info->attrs);
17239 	struct net_device *dev = info->user_ptr[1];
17240 	struct wireless_dev *wdev = dev->ieee80211_ptr;
17241 	int ret;
17242 
17243 	if (!(wdev->wiphy->flags & WIPHY_FLAG_SUPPORTS_MLO))
17244 		return -EINVAL;
17245 
17246 	switch (wdev->iftype) {
17247 	case NL80211_IFTYPE_AP:
17248 		break;
17249 	default:
17250 		return -EINVAL;
17251 	}
17252 
17253 	if (!info->attrs[NL80211_ATTR_MAC] ||
17254 	    !is_valid_ether_addr(nla_data(info->attrs[NL80211_ATTR_MAC])))
17255 		return -EINVAL;
17256 
17257 	wdev->valid_links |= BIT(link_id);
17258 	ether_addr_copy(wdev->links[link_id].addr,
17259 			nla_data(info->attrs[NL80211_ATTR_MAC]));
17260 
17261 	ret = rdev_add_intf_link(rdev, wdev, link_id);
17262 	if (ret) {
17263 		wdev->valid_links &= ~BIT(link_id);
17264 		eth_zero_addr(wdev->links[link_id].addr);
17265 	}
17266 
17267 	return ret;
17268 }
17269 
17270 static int nl80211_remove_link(struct sk_buff *skb, struct genl_info *info)
17271 {
17272 	unsigned int link_id = nl80211_link_id(info->attrs);
17273 	struct net_device *dev = info->user_ptr[1];
17274 	struct wireless_dev *wdev = dev->ieee80211_ptr;
17275 
17276 	/* cannot remove if there's no link */
17277 	if (!info->attrs[NL80211_ATTR_MLO_LINK_ID])
17278 		return -EINVAL;
17279 
17280 	switch (wdev->iftype) {
17281 	case NL80211_IFTYPE_AP:
17282 		break;
17283 	default:
17284 		return -EINVAL;
17285 	}
17286 
17287 	cfg80211_remove_link(wdev, link_id);
17288 
17289 	return 0;
17290 }
17291 
17292 static int
17293 nl80211_add_mod_link_station(struct sk_buff *skb, struct genl_info *info,
17294 			     bool add)
17295 {
17296 	struct link_station_parameters params = {};
17297 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
17298 	struct net_device *dev = info->user_ptr[1];
17299 	int err;
17300 
17301 	if ((add && !rdev->ops->add_link_station) ||
17302 	    (!add && !rdev->ops->mod_link_station))
17303 		return -EOPNOTSUPP;
17304 
17305 	if (add && !info->attrs[NL80211_ATTR_MAC])
17306 		return -EINVAL;
17307 
17308 	if (!info->attrs[NL80211_ATTR_MLD_ADDR])
17309 		return -EINVAL;
17310 
17311 	if (add && !info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES])
17312 		return -EINVAL;
17313 
17314 	params.mld_mac = nla_data(info->attrs[NL80211_ATTR_MLD_ADDR]);
17315 
17316 	if (info->attrs[NL80211_ATTR_MAC]) {
17317 		params.link_mac = nla_data(info->attrs[NL80211_ATTR_MAC]);
17318 		if (!is_valid_ether_addr(params.link_mac))
17319 			return -EINVAL;
17320 	}
17321 
17322 	if (!info->attrs[NL80211_ATTR_MLO_LINK_ID])
17323 		return -EINVAL;
17324 
17325 	params.link_id = nla_get_u8(info->attrs[NL80211_ATTR_MLO_LINK_ID]);
17326 
17327 	if (info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]) {
17328 		params.supported_rates =
17329 			nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
17330 		params.supported_rates_len =
17331 			nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
17332 	}
17333 
17334 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY])
17335 		params.ht_capa =
17336 			nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]);
17337 
17338 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY])
17339 		params.vht_capa =
17340 			nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]);
17341 
17342 	if (info->attrs[NL80211_ATTR_HE_CAPABILITY]) {
17343 		params.he_capa =
17344 			nla_data(info->attrs[NL80211_ATTR_HE_CAPABILITY]);
17345 		params.he_capa_len =
17346 			nla_len(info->attrs[NL80211_ATTR_HE_CAPABILITY]);
17347 
17348 		if (info->attrs[NL80211_ATTR_EHT_CAPABILITY]) {
17349 			params.eht_capa =
17350 				nla_data(info->attrs[NL80211_ATTR_EHT_CAPABILITY]);
17351 			params.eht_capa_len =
17352 				nla_len(info->attrs[NL80211_ATTR_EHT_CAPABILITY]);
17353 
17354 			if (!ieee80211_eht_capa_size_ok((const u8 *)params.he_capa,
17355 							(const u8 *)params.eht_capa,
17356 							params.eht_capa_len,
17357 							false))
17358 				return -EINVAL;
17359 		}
17360 	}
17361 
17362 	if (info->attrs[NL80211_ATTR_HE_6GHZ_CAPABILITY])
17363 		params.he_6ghz_capa =
17364 			nla_data(info->attrs[NL80211_ATTR_HE_6GHZ_CAPABILITY]);
17365 
17366 	if (info->attrs[NL80211_ATTR_OPMODE_NOTIF]) {
17367 		params.opmode_notif_used = true;
17368 		params.opmode_notif =
17369 			nla_get_u8(info->attrs[NL80211_ATTR_OPMODE_NOTIF]);
17370 	}
17371 
17372 	err = nl80211_parse_sta_txpower_setting(info, &params.txpwr,
17373 						&params.txpwr_set);
17374 	if (err)
17375 		return err;
17376 
17377 	if (add)
17378 		return rdev_add_link_station(rdev, dev, &params);
17379 
17380 	return rdev_mod_link_station(rdev, dev, &params);
17381 }
17382 
17383 static int
17384 nl80211_add_link_station(struct sk_buff *skb, struct genl_info *info)
17385 {
17386 	return nl80211_add_mod_link_station(skb, info, true);
17387 }
17388 
17389 static int
17390 nl80211_modify_link_station(struct sk_buff *skb, struct genl_info *info)
17391 {
17392 	return nl80211_add_mod_link_station(skb, info, false);
17393 }
17394 
17395 static int
17396 nl80211_remove_link_station(struct sk_buff *skb, struct genl_info *info)
17397 {
17398 	struct link_station_del_parameters params = {};
17399 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
17400 	struct net_device *dev = info->user_ptr[1];
17401 
17402 	if (!rdev->ops->del_link_station)
17403 		return -EOPNOTSUPP;
17404 
17405 	if (!info->attrs[NL80211_ATTR_MLD_ADDR] ||
17406 	    !info->attrs[NL80211_ATTR_MLO_LINK_ID])
17407 		return -EINVAL;
17408 
17409 	params.mld_mac = nla_data(info->attrs[NL80211_ATTR_MLD_ADDR]);
17410 	params.link_id = nla_get_u8(info->attrs[NL80211_ATTR_MLO_LINK_ID]);
17411 
17412 	return rdev_del_link_station(rdev, dev, &params);
17413 }
17414 
17415 static int nl80211_set_hw_timestamp(struct sk_buff *skb,
17416 				    struct genl_info *info)
17417 {
17418 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
17419 	struct net_device *dev = info->user_ptr[1];
17420 	struct cfg80211_set_hw_timestamp hwts = {};
17421 
17422 	if (!rdev->wiphy.hw_timestamp_max_peers)
17423 		return -EOPNOTSUPP;
17424 
17425 	if (!info->attrs[NL80211_ATTR_MAC] &&
17426 	    rdev->wiphy.hw_timestamp_max_peers != CFG80211_HW_TIMESTAMP_ALL_PEERS)
17427 		return -EOPNOTSUPP;
17428 
17429 	if (info->attrs[NL80211_ATTR_MAC])
17430 		hwts.macaddr = nla_data(info->attrs[NL80211_ATTR_MAC]);
17431 
17432 	hwts.enable =
17433 		nla_get_flag(info->attrs[NL80211_ATTR_HW_TIMESTAMP_ENABLED]);
17434 
17435 	return rdev_set_hw_timestamp(rdev, dev, &hwts);
17436 }
17437 
17438 static int
17439 nl80211_set_ttlm(struct sk_buff *skb, struct genl_info *info)
17440 {
17441 	struct cfg80211_ttlm_params params = {};
17442 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
17443 	struct net_device *dev = info->user_ptr[1];
17444 	struct wireless_dev *wdev = dev->ieee80211_ptr;
17445 
17446 	if (wdev->iftype != NL80211_IFTYPE_STATION &&
17447 	    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT)
17448 		return -EOPNOTSUPP;
17449 
17450 	if (!wdev->connected)
17451 		return -ENOLINK;
17452 
17453 	if (!info->attrs[NL80211_ATTR_MLO_TTLM_DLINK] ||
17454 	    !info->attrs[NL80211_ATTR_MLO_TTLM_ULINK])
17455 		return -EINVAL;
17456 
17457 	nla_memcpy(params.dlink,
17458 		   info->attrs[NL80211_ATTR_MLO_TTLM_DLINK],
17459 		   sizeof(params.dlink));
17460 	nla_memcpy(params.ulink,
17461 		   info->attrs[NL80211_ATTR_MLO_TTLM_ULINK],
17462 		   sizeof(params.ulink));
17463 
17464 	return rdev_set_ttlm(rdev, dev, &params);
17465 }
17466 
17467 static int nl80211_assoc_ml_reconf(struct sk_buff *skb, struct genl_info *info)
17468 {
17469 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
17470 	struct net_device *dev = info->user_ptr[1];
17471 	struct wireless_dev *wdev = dev->ieee80211_ptr;
17472 	struct cfg80211_ml_reconf_req req = {};
17473 	unsigned int link_id;
17474 	u16 add_links;
17475 	int err;
17476 
17477 	if (!wdev->valid_links)
17478 		return -EINVAL;
17479 
17480 	if (dev->ieee80211_ptr->conn_owner_nlportid &&
17481 	    dev->ieee80211_ptr->conn_owner_nlportid != info->snd_portid)
17482 		return -EPERM;
17483 
17484 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
17485 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
17486 		return -EOPNOTSUPP;
17487 
17488 	add_links = 0;
17489 	if (info->attrs[NL80211_ATTR_MLO_LINKS]) {
17490 		err = nl80211_process_links(rdev, req.add_links,
17491 					    /* mark as MLO, but not assoc */
17492 					    IEEE80211_MLD_MAX_NUM_LINKS,
17493 					    NULL, 0, info);
17494 		if (err)
17495 			return err;
17496 
17497 		for (link_id = 0; link_id < IEEE80211_MLD_MAX_NUM_LINKS;
17498 		     link_id++) {
17499 			if (!req.add_links[link_id].bss)
17500 				continue;
17501 			add_links |= BIT(link_id);
17502 		}
17503 	}
17504 
17505 	if (info->attrs[NL80211_ATTR_MLO_RECONF_REM_LINKS])
17506 		req.rem_links =
17507 			nla_get_u16(info->attrs[NL80211_ATTR_MLO_RECONF_REM_LINKS]);
17508 
17509 	/* Validate that existing links are not added, removed links are valid
17510 	 * and don't allow adding and removing the same links
17511 	 */
17512 	if ((add_links & req.rem_links) || !(add_links | req.rem_links) ||
17513 	    (wdev->valid_links & add_links) ||
17514 	    ((wdev->valid_links & req.rem_links) != req.rem_links)) {
17515 		err = -EINVAL;
17516 		goto out;
17517 	}
17518 
17519 	if (info->attrs[NL80211_ATTR_ASSOC_MLD_EXT_CAPA_OPS])
17520 		req.ext_mld_capa_ops =
17521 			nla_get_u16(info->attrs[NL80211_ATTR_ASSOC_MLD_EXT_CAPA_OPS]);
17522 
17523 	err = cfg80211_assoc_ml_reconf(rdev, dev, &req);
17524 
17525 out:
17526 	for (link_id = 0; link_id < ARRAY_SIZE(req.add_links); link_id++)
17527 		cfg80211_put_bss(&rdev->wiphy, req.add_links[link_id].bss);
17528 
17529 	return err;
17530 }
17531 
17532 static int
17533 nl80211_epcs_cfg(struct sk_buff *skb, struct genl_info *info)
17534 {
17535 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
17536 	struct net_device *dev = info->user_ptr[1];
17537 	struct wireless_dev *wdev = dev->ieee80211_ptr;
17538 	bool val;
17539 
17540 	if (wdev->iftype != NL80211_IFTYPE_STATION &&
17541 	    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT)
17542 		return -EOPNOTSUPP;
17543 
17544 	if (!wdev->connected)
17545 		return -ENOLINK;
17546 
17547 	val = nla_get_flag(info->attrs[NL80211_ATTR_EPCS]);
17548 
17549 	return rdev_set_epcs(rdev, dev, val);
17550 }
17551 
17552 #define NL80211_FLAG_NEED_WIPHY		0x01
17553 #define NL80211_FLAG_NEED_NETDEV	0x02
17554 #define NL80211_FLAG_NEED_RTNL		0x04
17555 #define NL80211_FLAG_CHECK_NETDEV_UP	0x08
17556 #define NL80211_FLAG_NEED_NETDEV_UP	(NL80211_FLAG_NEED_NETDEV |\
17557 					 NL80211_FLAG_CHECK_NETDEV_UP)
17558 #define NL80211_FLAG_NEED_WDEV		0x10
17559 /* If a netdev is associated, it must be UP, P2P must be started */
17560 #define NL80211_FLAG_NEED_WDEV_UP	(NL80211_FLAG_NEED_WDEV |\
17561 					 NL80211_FLAG_CHECK_NETDEV_UP)
17562 #define NL80211_FLAG_CLEAR_SKB		0x20
17563 #define NL80211_FLAG_NO_WIPHY_MTX	0x40
17564 #define NL80211_FLAG_MLO_VALID_LINK_ID	0x80
17565 #define NL80211_FLAG_MLO_UNSUPPORTED	0x100
17566 
17567 #define INTERNAL_FLAG_SELECTORS(__sel)			\
17568 	SELECTOR(__sel, NONE, 0) /* must be first */	\
17569 	SELECTOR(__sel, WIPHY,				\
17570 		 NL80211_FLAG_NEED_WIPHY)		\
17571 	SELECTOR(__sel, WDEV,				\
17572 		 NL80211_FLAG_NEED_WDEV)		\
17573 	SELECTOR(__sel, NETDEV,				\
17574 		 NL80211_FLAG_NEED_NETDEV)		\
17575 	SELECTOR(__sel, NETDEV_LINK,			\
17576 		 NL80211_FLAG_NEED_NETDEV |		\
17577 		 NL80211_FLAG_MLO_VALID_LINK_ID)	\
17578 	SELECTOR(__sel, NETDEV_NO_MLO,			\
17579 		 NL80211_FLAG_NEED_NETDEV |		\
17580 		 NL80211_FLAG_MLO_UNSUPPORTED)	\
17581 	SELECTOR(__sel, WIPHY_RTNL,			\
17582 		 NL80211_FLAG_NEED_WIPHY |		\
17583 		 NL80211_FLAG_NEED_RTNL)		\
17584 	SELECTOR(__sel, WIPHY_RTNL_NOMTX,		\
17585 		 NL80211_FLAG_NEED_WIPHY |		\
17586 		 NL80211_FLAG_NEED_RTNL |		\
17587 		 NL80211_FLAG_NO_WIPHY_MTX)		\
17588 	SELECTOR(__sel, WDEV_RTNL,			\
17589 		 NL80211_FLAG_NEED_WDEV |		\
17590 		 NL80211_FLAG_NEED_RTNL)		\
17591 	SELECTOR(__sel, NETDEV_RTNL,			\
17592 		 NL80211_FLAG_NEED_NETDEV |		\
17593 		 NL80211_FLAG_NEED_RTNL)		\
17594 	SELECTOR(__sel, NETDEV_UP,			\
17595 		 NL80211_FLAG_NEED_NETDEV_UP)		\
17596 	SELECTOR(__sel, NETDEV_UP_LINK,			\
17597 		 NL80211_FLAG_NEED_NETDEV_UP |		\
17598 		 NL80211_FLAG_MLO_VALID_LINK_ID)	\
17599 	SELECTOR(__sel, NETDEV_UP_NO_MLO,		\
17600 		 NL80211_FLAG_NEED_NETDEV_UP |		\
17601 		 NL80211_FLAG_MLO_UNSUPPORTED)		\
17602 	SELECTOR(__sel, NETDEV_UP_NO_MLO_CLEAR,		\
17603 		 NL80211_FLAG_NEED_NETDEV_UP |		\
17604 		 NL80211_FLAG_CLEAR_SKB |		\
17605 		 NL80211_FLAG_MLO_UNSUPPORTED)		\
17606 	SELECTOR(__sel, NETDEV_UP_NOTMX,		\
17607 		 NL80211_FLAG_NEED_NETDEV_UP |		\
17608 		 NL80211_FLAG_NO_WIPHY_MTX)		\
17609 	SELECTOR(__sel, NETDEV_UP_NOTMX_MLO,		\
17610 		 NL80211_FLAG_NEED_NETDEV_UP |		\
17611 		 NL80211_FLAG_NO_WIPHY_MTX |		\
17612 		 NL80211_FLAG_MLO_VALID_LINK_ID)	\
17613 	SELECTOR(__sel, NETDEV_UP_CLEAR,		\
17614 		 NL80211_FLAG_NEED_NETDEV_UP |		\
17615 		 NL80211_FLAG_CLEAR_SKB)		\
17616 	SELECTOR(__sel, WDEV_UP,			\
17617 		 NL80211_FLAG_NEED_WDEV_UP)		\
17618 	SELECTOR(__sel, WDEV_UP_LINK,			\
17619 		 NL80211_FLAG_NEED_WDEV_UP |		\
17620 		 NL80211_FLAG_MLO_VALID_LINK_ID)	\
17621 	SELECTOR(__sel, WDEV_UP_RTNL,			\
17622 		 NL80211_FLAG_NEED_WDEV_UP |		\
17623 		 NL80211_FLAG_NEED_RTNL)		\
17624 	SELECTOR(__sel, WIPHY_CLEAR,			\
17625 		 NL80211_FLAG_NEED_WIPHY |		\
17626 		 NL80211_FLAG_CLEAR_SKB)
17627 
17628 enum nl80211_internal_flags_selector {
17629 #define SELECTOR(_, name, value)	NL80211_IFL_SEL_##name,
17630 	INTERNAL_FLAG_SELECTORS(_)
17631 #undef SELECTOR
17632 };
17633 
17634 static u32 nl80211_internal_flags[] = {
17635 #define SELECTOR(_, name, value)	[NL80211_IFL_SEL_##name] = value,
17636 	INTERNAL_FLAG_SELECTORS(_)
17637 #undef SELECTOR
17638 };
17639 
17640 static int nl80211_pre_doit(const struct genl_split_ops *ops,
17641 			    struct sk_buff *skb,
17642 			    struct genl_info *info)
17643 {
17644 	struct cfg80211_registered_device *rdev = NULL;
17645 	struct wireless_dev *wdev = NULL;
17646 	struct net_device *dev = NULL;
17647 	u32 internal_flags;
17648 	int err;
17649 
17650 	if (WARN_ON(ops->internal_flags >= ARRAY_SIZE(nl80211_internal_flags)))
17651 		return -EINVAL;
17652 
17653 	internal_flags = nl80211_internal_flags[ops->internal_flags];
17654 
17655 	rtnl_lock();
17656 	if (internal_flags & NL80211_FLAG_NEED_WIPHY) {
17657 		rdev = cfg80211_get_dev_from_info(genl_info_net(info), info);
17658 		if (IS_ERR(rdev)) {
17659 			err = PTR_ERR(rdev);
17660 			goto out_unlock;
17661 		}
17662 		info->user_ptr[0] = rdev;
17663 	} else if (internal_flags & NL80211_FLAG_NEED_NETDEV ||
17664 		   internal_flags & NL80211_FLAG_NEED_WDEV) {
17665 		wdev = __cfg80211_wdev_from_attrs(NULL, genl_info_net(info),
17666 						  info->attrs);
17667 		if (IS_ERR(wdev)) {
17668 			err = PTR_ERR(wdev);
17669 			goto out_unlock;
17670 		}
17671 
17672 		dev = wdev->netdev;
17673 		dev_hold(dev);
17674 		rdev = wiphy_to_rdev(wdev->wiphy);
17675 
17676 		if (internal_flags & NL80211_FLAG_NEED_NETDEV) {
17677 			if (!dev) {
17678 				err = -EINVAL;
17679 				goto out_unlock;
17680 			}
17681 
17682 			info->user_ptr[1] = dev;
17683 		} else {
17684 			info->user_ptr[1] = wdev;
17685 		}
17686 
17687 		if (internal_flags & NL80211_FLAG_CHECK_NETDEV_UP &&
17688 		    !wdev_running(wdev)) {
17689 			err = -ENETDOWN;
17690 			goto out_unlock;
17691 		}
17692 
17693 		info->user_ptr[0] = rdev;
17694 	}
17695 
17696 	if (internal_flags & NL80211_FLAG_MLO_VALID_LINK_ID) {
17697 		struct nlattr *link_id = info->attrs[NL80211_ATTR_MLO_LINK_ID];
17698 
17699 		if (!wdev) {
17700 			err = -EINVAL;
17701 			goto out_unlock;
17702 		}
17703 
17704 		/* MLO -> require valid link ID */
17705 		if (wdev->valid_links &&
17706 		    (!link_id ||
17707 		     !(wdev->valid_links & BIT(nla_get_u8(link_id))))) {
17708 			err = -EINVAL;
17709 			goto out_unlock;
17710 		}
17711 
17712 		/* non-MLO -> no link ID attribute accepted */
17713 		if (!wdev->valid_links && link_id) {
17714 			err = -EINVAL;
17715 			goto out_unlock;
17716 		}
17717 	}
17718 
17719 	if (internal_flags & NL80211_FLAG_MLO_UNSUPPORTED) {
17720 		if (info->attrs[NL80211_ATTR_MLO_LINK_ID] ||
17721 		    (wdev && wdev->valid_links)) {
17722 			err = -EINVAL;
17723 			goto out_unlock;
17724 		}
17725 	}
17726 
17727 	if (rdev && !(internal_flags & NL80211_FLAG_NO_WIPHY_MTX)) {
17728 		wiphy_lock(&rdev->wiphy);
17729 		/* we keep the mutex locked until post_doit */
17730 		__release(&rdev->wiphy.mtx);
17731 	}
17732 	if (!(internal_flags & NL80211_FLAG_NEED_RTNL))
17733 		rtnl_unlock();
17734 
17735 	return 0;
17736 out_unlock:
17737 	rtnl_unlock();
17738 	dev_put(dev);
17739 	return err;
17740 }
17741 
17742 static void nl80211_post_doit(const struct genl_split_ops *ops,
17743 			      struct sk_buff *skb,
17744 			      struct genl_info *info)
17745 {
17746 	u32 internal_flags = nl80211_internal_flags[ops->internal_flags];
17747 
17748 	if (info->user_ptr[1]) {
17749 		if (internal_flags & NL80211_FLAG_NEED_WDEV) {
17750 			struct wireless_dev *wdev = info->user_ptr[1];
17751 
17752 			dev_put(wdev->netdev);
17753 		} else {
17754 			dev_put(info->user_ptr[1]);
17755 		}
17756 	}
17757 
17758 	if (info->user_ptr[0] &&
17759 	    !(internal_flags & NL80211_FLAG_NO_WIPHY_MTX)) {
17760 		struct cfg80211_registered_device *rdev = info->user_ptr[0];
17761 
17762 		/* we kept the mutex locked since pre_doit */
17763 		__acquire(&rdev->wiphy.mtx);
17764 		wiphy_unlock(&rdev->wiphy);
17765 	}
17766 
17767 	if (internal_flags & NL80211_FLAG_NEED_RTNL)
17768 		rtnl_unlock();
17769 
17770 	/* If needed, clear the netlink message payload from the SKB
17771 	 * as it might contain key data that shouldn't stick around on
17772 	 * the heap after the SKB is freed. The netlink message header
17773 	 * is still needed for further processing, so leave it intact.
17774 	 */
17775 	if (internal_flags & NL80211_FLAG_CLEAR_SKB) {
17776 		struct nlmsghdr *nlh = nlmsg_hdr(skb);
17777 
17778 		memset(nlmsg_data(nlh), 0, nlmsg_len(nlh));
17779 	}
17780 }
17781 
17782 static int nl80211_set_sar_sub_specs(struct cfg80211_registered_device *rdev,
17783 				     struct cfg80211_sar_specs *sar_specs,
17784 				     struct nlattr *spec[], int index)
17785 {
17786 	u32 range_index, i;
17787 
17788 	if (!sar_specs || !spec)
17789 		return -EINVAL;
17790 
17791 	if (!spec[NL80211_SAR_ATTR_SPECS_POWER] ||
17792 	    !spec[NL80211_SAR_ATTR_SPECS_RANGE_INDEX])
17793 		return -EINVAL;
17794 
17795 	range_index = nla_get_u32(spec[NL80211_SAR_ATTR_SPECS_RANGE_INDEX]);
17796 
17797 	/* check if range_index exceeds num_freq_ranges */
17798 	if (range_index >= rdev->wiphy.sar_capa->num_freq_ranges)
17799 		return -EINVAL;
17800 
17801 	/* check if range_index duplicates */
17802 	for (i = 0; i < index; i++) {
17803 		if (sar_specs->sub_specs[i].freq_range_index == range_index)
17804 			return -EINVAL;
17805 	}
17806 
17807 	sar_specs->sub_specs[index].power =
17808 		nla_get_s32(spec[NL80211_SAR_ATTR_SPECS_POWER]);
17809 
17810 	sar_specs->sub_specs[index].freq_range_index = range_index;
17811 
17812 	return 0;
17813 }
17814 
17815 static int nl80211_set_sar_specs(struct sk_buff *skb, struct genl_info *info)
17816 {
17817 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
17818 	struct nlattr *spec[NL80211_SAR_ATTR_SPECS_MAX + 1];
17819 	struct nlattr *tb[NL80211_SAR_ATTR_MAX + 1];
17820 	struct cfg80211_sar_specs *sar_spec;
17821 	enum nl80211_sar_type type;
17822 	struct nlattr *spec_list;
17823 	u32 specs;
17824 	int rem, err;
17825 
17826 	if (!rdev->wiphy.sar_capa || !rdev->ops->set_sar_specs)
17827 		return -EOPNOTSUPP;
17828 
17829 	if (!info->attrs[NL80211_ATTR_SAR_SPEC])
17830 		return -EINVAL;
17831 
17832 	nla_parse_nested(tb, NL80211_SAR_ATTR_MAX,
17833 			 info->attrs[NL80211_ATTR_SAR_SPEC],
17834 			 NULL, NULL);
17835 
17836 	if (!tb[NL80211_SAR_ATTR_TYPE] || !tb[NL80211_SAR_ATTR_SPECS])
17837 		return -EINVAL;
17838 
17839 	type = nla_get_u32(tb[NL80211_SAR_ATTR_TYPE]);
17840 	if (type != rdev->wiphy.sar_capa->type)
17841 		return -EINVAL;
17842 
17843 	specs = 0;
17844 	nla_for_each_nested(spec_list, tb[NL80211_SAR_ATTR_SPECS], rem)
17845 		specs++;
17846 
17847 	if (specs > rdev->wiphy.sar_capa->num_freq_ranges)
17848 		return -EINVAL;
17849 
17850 	sar_spec = kzalloc(struct_size(sar_spec, sub_specs, specs), GFP_KERNEL);
17851 	if (!sar_spec)
17852 		return -ENOMEM;
17853 
17854 	sar_spec->num_sub_specs = specs;
17855 	sar_spec->type = type;
17856 	specs = 0;
17857 	nla_for_each_nested(spec_list, tb[NL80211_SAR_ATTR_SPECS], rem) {
17858 		nla_parse_nested(spec, NL80211_SAR_ATTR_SPECS_MAX,
17859 				 spec_list, NULL, NULL);
17860 
17861 		switch (type) {
17862 		case NL80211_SAR_TYPE_POWER:
17863 			if (nl80211_set_sar_sub_specs(rdev, sar_spec,
17864 						      spec, specs)) {
17865 				err = -EINVAL;
17866 				goto error;
17867 			}
17868 			break;
17869 		default:
17870 			err = -EINVAL;
17871 			goto error;
17872 		}
17873 		specs++;
17874 	}
17875 
17876 	sar_spec->num_sub_specs = specs;
17877 
17878 	rdev->cur_cmd_info = info;
17879 	err = rdev_set_sar_specs(rdev, sar_spec);
17880 	rdev->cur_cmd_info = NULL;
17881 error:
17882 	kfree(sar_spec);
17883 	return err;
17884 }
17885 
17886 #define SELECTOR(__sel, name, value) \
17887 	((__sel) == (value)) ? NL80211_IFL_SEL_##name :
17888 int __missing_selector(void);
17889 #define IFLAGS(__val) INTERNAL_FLAG_SELECTORS(__val) __missing_selector()
17890 
17891 static const struct genl_ops nl80211_ops[] = {
17892 	{
17893 		.cmd = NL80211_CMD_GET_WIPHY,
17894 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17895 		.doit = nl80211_get_wiphy,
17896 		.dumpit = nl80211_dump_wiphy,
17897 		.done = nl80211_dump_wiphy_done,
17898 		/* can be retrieved by unprivileged users */
17899 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY),
17900 	},
17901 };
17902 
17903 static const struct genl_small_ops nl80211_small_ops[] = {
17904 	{
17905 		.cmd = NL80211_CMD_SET_WIPHY,
17906 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17907 		.doit = nl80211_set_wiphy,
17908 		.flags = GENL_UNS_ADMIN_PERM,
17909 	},
17910 	{
17911 		.cmd = NL80211_CMD_GET_INTERFACE,
17912 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17913 		.doit = nl80211_get_interface,
17914 		.dumpit = nl80211_dump_interface,
17915 		/* can be retrieved by unprivileged users */
17916 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV),
17917 	},
17918 	{
17919 		.cmd = NL80211_CMD_SET_INTERFACE,
17920 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17921 		.doit = nl80211_set_interface,
17922 		.flags = GENL_UNS_ADMIN_PERM,
17923 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV |
17924 					 NL80211_FLAG_NEED_RTNL),
17925 	},
17926 	{
17927 		.cmd = NL80211_CMD_NEW_INTERFACE,
17928 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17929 		.doit = nl80211_new_interface,
17930 		.flags = GENL_UNS_ADMIN_PERM,
17931 		.internal_flags =
17932 			IFLAGS(NL80211_FLAG_NEED_WIPHY |
17933 			       NL80211_FLAG_NEED_RTNL |
17934 			       /* we take the wiphy mutex later ourselves */
17935 			       NL80211_FLAG_NO_WIPHY_MTX),
17936 	},
17937 	{
17938 		.cmd = NL80211_CMD_DEL_INTERFACE,
17939 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17940 		.doit = nl80211_del_interface,
17941 		.flags = GENL_UNS_ADMIN_PERM,
17942 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV |
17943 					 NL80211_FLAG_NEED_RTNL),
17944 	},
17945 	{
17946 		.cmd = NL80211_CMD_GET_KEY,
17947 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17948 		.doit = nl80211_get_key,
17949 		.flags = GENL_UNS_ADMIN_PERM,
17950 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17951 	},
17952 	{
17953 		.cmd = NL80211_CMD_SET_KEY,
17954 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17955 		.doit = nl80211_set_key,
17956 		.flags = GENL_UNS_ADMIN_PERM,
17957 		/* cannot use NL80211_FLAG_MLO_VALID_LINK_ID, depends on key */
17958 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
17959 					 NL80211_FLAG_CLEAR_SKB),
17960 	},
17961 	{
17962 		.cmd = NL80211_CMD_NEW_KEY,
17963 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17964 		.doit = nl80211_new_key,
17965 		.flags = GENL_UNS_ADMIN_PERM,
17966 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
17967 					 NL80211_FLAG_CLEAR_SKB),
17968 	},
17969 	{
17970 		.cmd = NL80211_CMD_DEL_KEY,
17971 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17972 		.doit = nl80211_del_key,
17973 		.flags = GENL_UNS_ADMIN_PERM,
17974 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17975 	},
17976 	{
17977 		.cmd = NL80211_CMD_SET_BEACON,
17978 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17979 		.flags = GENL_UNS_ADMIN_PERM,
17980 		.doit = nl80211_set_beacon,
17981 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
17982 					 NL80211_FLAG_MLO_VALID_LINK_ID),
17983 	},
17984 	{
17985 		.cmd = NL80211_CMD_START_AP,
17986 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17987 		.flags = GENL_UNS_ADMIN_PERM,
17988 		.doit = nl80211_start_ap,
17989 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
17990 					 NL80211_FLAG_MLO_VALID_LINK_ID),
17991 	},
17992 	{
17993 		.cmd = NL80211_CMD_STOP_AP,
17994 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17995 		.flags = GENL_UNS_ADMIN_PERM,
17996 		.doit = nl80211_stop_ap,
17997 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
17998 					 NL80211_FLAG_MLO_VALID_LINK_ID),
17999 	},
18000 	{
18001 		.cmd = NL80211_CMD_GET_STATION,
18002 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18003 		.doit = nl80211_get_station,
18004 		.dumpit = nl80211_dump_station,
18005 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV),
18006 	},
18007 	{
18008 		.cmd = NL80211_CMD_SET_STATION,
18009 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18010 		.doit = nl80211_set_station,
18011 		.flags = GENL_UNS_ADMIN_PERM,
18012 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
18013 	},
18014 	{
18015 		.cmd = NL80211_CMD_NEW_STATION,
18016 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18017 		.doit = nl80211_new_station,
18018 		.flags = GENL_UNS_ADMIN_PERM,
18019 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
18020 	},
18021 	{
18022 		.cmd = NL80211_CMD_DEL_STATION,
18023 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18024 		.doit = nl80211_del_station,
18025 		.flags = GENL_UNS_ADMIN_PERM,
18026 		/* cannot use NL80211_FLAG_MLO_VALID_LINK_ID, depends on
18027 		 * whether MAC address is passed or not. If MAC address is
18028 		 * passed, then even during MLO, link ID is not required.
18029 		 */
18030 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
18031 	},
18032 	{
18033 		.cmd = NL80211_CMD_GET_MPATH,
18034 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18035 		.doit = nl80211_get_mpath,
18036 		.dumpit = nl80211_dump_mpath,
18037 		.flags = GENL_UNS_ADMIN_PERM,
18038 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
18039 	},
18040 	{
18041 		.cmd = NL80211_CMD_GET_MPP,
18042 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18043 		.doit = nl80211_get_mpp,
18044 		.dumpit = nl80211_dump_mpp,
18045 		.flags = GENL_UNS_ADMIN_PERM,
18046 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
18047 	},
18048 	{
18049 		.cmd = NL80211_CMD_SET_MPATH,
18050 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18051 		.doit = nl80211_set_mpath,
18052 		.flags = GENL_UNS_ADMIN_PERM,
18053 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
18054 	},
18055 	{
18056 		.cmd = NL80211_CMD_NEW_MPATH,
18057 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18058 		.doit = nl80211_new_mpath,
18059 		.flags = GENL_UNS_ADMIN_PERM,
18060 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
18061 	},
18062 	{
18063 		.cmd = NL80211_CMD_DEL_MPATH,
18064 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18065 		.doit = nl80211_del_mpath,
18066 		.flags = GENL_UNS_ADMIN_PERM,
18067 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
18068 	},
18069 	{
18070 		.cmd = NL80211_CMD_SET_BSS,
18071 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18072 		.doit = nl80211_set_bss,
18073 		.flags = GENL_UNS_ADMIN_PERM,
18074 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
18075 					 NL80211_FLAG_MLO_VALID_LINK_ID),
18076 	},
18077 	{
18078 		.cmd = NL80211_CMD_GET_REG,
18079 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18080 		.doit = nl80211_get_reg_do,
18081 		.dumpit = nl80211_get_reg_dump,
18082 		/* can be retrieved by unprivileged users */
18083 	},
18084 #ifdef CONFIG_CFG80211_CRDA_SUPPORT
18085 	{
18086 		.cmd = NL80211_CMD_SET_REG,
18087 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18088 		.doit = nl80211_set_reg,
18089 		.flags = GENL_ADMIN_PERM,
18090 	},
18091 #endif
18092 	{
18093 		.cmd = NL80211_CMD_REQ_SET_REG,
18094 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18095 		.doit = nl80211_req_set_reg,
18096 		.flags = GENL_ADMIN_PERM,
18097 	},
18098 	{
18099 		.cmd = NL80211_CMD_RELOAD_REGDB,
18100 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18101 		.doit = nl80211_reload_regdb,
18102 		.flags = GENL_ADMIN_PERM,
18103 	},
18104 	{
18105 		.cmd = NL80211_CMD_GET_MESH_CONFIG,
18106 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18107 		.doit = nl80211_get_mesh_config,
18108 		/* can be retrieved by unprivileged users */
18109 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
18110 	},
18111 	{
18112 		.cmd = NL80211_CMD_SET_MESH_CONFIG,
18113 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18114 		.doit = nl80211_update_mesh_config,
18115 		.flags = GENL_UNS_ADMIN_PERM,
18116 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
18117 	},
18118 	{
18119 		.cmd = NL80211_CMD_TRIGGER_SCAN,
18120 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18121 		.doit = nl80211_trigger_scan,
18122 		.flags = GENL_UNS_ADMIN_PERM,
18123 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
18124 	},
18125 	{
18126 		.cmd = NL80211_CMD_ABORT_SCAN,
18127 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18128 		.doit = nl80211_abort_scan,
18129 		.flags = GENL_UNS_ADMIN_PERM,
18130 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
18131 	},
18132 	{
18133 		.cmd = NL80211_CMD_GET_SCAN,
18134 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18135 		.dumpit = nl80211_dump_scan,
18136 	},
18137 	{
18138 		.cmd = NL80211_CMD_START_SCHED_SCAN,
18139 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18140 		.doit = nl80211_start_sched_scan,
18141 		.flags = GENL_UNS_ADMIN_PERM,
18142 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
18143 	},
18144 	{
18145 		.cmd = NL80211_CMD_STOP_SCHED_SCAN,
18146 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18147 		.doit = nl80211_stop_sched_scan,
18148 		.flags = GENL_UNS_ADMIN_PERM,
18149 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
18150 	},
18151 	{
18152 		.cmd = NL80211_CMD_AUTHENTICATE,
18153 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18154 		.doit = nl80211_authenticate,
18155 		.flags = GENL_UNS_ADMIN_PERM,
18156 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
18157 					 NL80211_FLAG_CLEAR_SKB),
18158 	},
18159 	{
18160 		.cmd = NL80211_CMD_ASSOCIATE,
18161 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18162 		.doit = nl80211_associate,
18163 		.flags = GENL_UNS_ADMIN_PERM,
18164 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
18165 					 NL80211_FLAG_CLEAR_SKB),
18166 	},
18167 	{
18168 		.cmd = NL80211_CMD_DEAUTHENTICATE,
18169 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18170 		.doit = nl80211_deauthenticate,
18171 		.flags = GENL_UNS_ADMIN_PERM,
18172 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
18173 	},
18174 	{
18175 		.cmd = NL80211_CMD_DISASSOCIATE,
18176 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18177 		.doit = nl80211_disassociate,
18178 		.flags = GENL_UNS_ADMIN_PERM,
18179 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
18180 	},
18181 	{
18182 		.cmd = NL80211_CMD_JOIN_IBSS,
18183 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18184 		.doit = nl80211_join_ibss,
18185 		.flags = GENL_UNS_ADMIN_PERM,
18186 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
18187 	},
18188 	{
18189 		.cmd = NL80211_CMD_LEAVE_IBSS,
18190 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18191 		.doit = nl80211_leave_ibss,
18192 		.flags = GENL_UNS_ADMIN_PERM,
18193 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
18194 	},
18195 #ifdef CONFIG_NL80211_TESTMODE
18196 	{
18197 		.cmd = NL80211_CMD_TESTMODE,
18198 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18199 		.doit = nl80211_testmode_do,
18200 		.dumpit = nl80211_testmode_dump,
18201 		.flags = GENL_UNS_ADMIN_PERM,
18202 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY),
18203 	},
18204 #endif
18205 	{
18206 		.cmd = NL80211_CMD_CONNECT,
18207 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18208 		.doit = nl80211_connect,
18209 		.flags = GENL_UNS_ADMIN_PERM,
18210 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
18211 					 NL80211_FLAG_CLEAR_SKB),
18212 	},
18213 	{
18214 		.cmd = NL80211_CMD_UPDATE_CONNECT_PARAMS,
18215 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18216 		.doit = nl80211_update_connect_params,
18217 		.flags = GENL_ADMIN_PERM,
18218 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
18219 					 NL80211_FLAG_CLEAR_SKB),
18220 	},
18221 	{
18222 		.cmd = NL80211_CMD_DISCONNECT,
18223 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18224 		.doit = nl80211_disconnect,
18225 		.flags = GENL_UNS_ADMIN_PERM,
18226 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
18227 	},
18228 	{
18229 		.cmd = NL80211_CMD_SET_WIPHY_NETNS,
18230 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18231 		.doit = nl80211_wiphy_netns,
18232 		.flags = GENL_UNS_ADMIN_PERM,
18233 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY |
18234 					 NL80211_FLAG_NEED_RTNL |
18235 					 NL80211_FLAG_NO_WIPHY_MTX),
18236 	},
18237 	{
18238 		.cmd = NL80211_CMD_GET_SURVEY,
18239 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18240 		.dumpit = nl80211_dump_survey,
18241 	},
18242 	{
18243 		.cmd = NL80211_CMD_SET_PMKSA,
18244 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18245 		.doit = nl80211_set_pmksa,
18246 		.flags = GENL_UNS_ADMIN_PERM,
18247 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
18248 					 NL80211_FLAG_CLEAR_SKB),
18249 	},
18250 	{
18251 		.cmd = NL80211_CMD_DEL_PMKSA,
18252 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18253 		.doit = nl80211_del_pmksa,
18254 		.flags = GENL_UNS_ADMIN_PERM,
18255 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
18256 	},
18257 	{
18258 		.cmd = NL80211_CMD_FLUSH_PMKSA,
18259 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18260 		.doit = nl80211_flush_pmksa,
18261 		.flags = GENL_UNS_ADMIN_PERM,
18262 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
18263 	},
18264 	{
18265 		.cmd = NL80211_CMD_REMAIN_ON_CHANNEL,
18266 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18267 		.doit = nl80211_remain_on_channel,
18268 		.flags = GENL_UNS_ADMIN_PERM,
18269 		/* FIXME: requiring a link ID here is probably not good */
18270 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP |
18271 					 NL80211_FLAG_MLO_VALID_LINK_ID),
18272 	},
18273 	{
18274 		.cmd = NL80211_CMD_CANCEL_REMAIN_ON_CHANNEL,
18275 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18276 		.doit = nl80211_cancel_remain_on_channel,
18277 		.flags = GENL_UNS_ADMIN_PERM,
18278 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
18279 	},
18280 	{
18281 		.cmd = NL80211_CMD_SET_TX_BITRATE_MASK,
18282 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18283 		.doit = nl80211_set_tx_bitrate_mask,
18284 		.flags = GENL_UNS_ADMIN_PERM,
18285 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV |
18286 					 NL80211_FLAG_MLO_VALID_LINK_ID),
18287 	},
18288 	{
18289 		.cmd = NL80211_CMD_REGISTER_FRAME,
18290 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18291 		.doit = nl80211_register_mgmt,
18292 		.flags = GENL_UNS_ADMIN_PERM,
18293 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV),
18294 	},
18295 	{
18296 		.cmd = NL80211_CMD_FRAME,
18297 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18298 		.doit = nl80211_tx_mgmt,
18299 		.flags = GENL_UNS_ADMIN_PERM,
18300 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
18301 	},
18302 	{
18303 		.cmd = NL80211_CMD_FRAME_WAIT_CANCEL,
18304 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18305 		.doit = nl80211_tx_mgmt_cancel_wait,
18306 		.flags = GENL_UNS_ADMIN_PERM,
18307 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
18308 	},
18309 	{
18310 		.cmd = NL80211_CMD_SET_POWER_SAVE,
18311 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18312 		.doit = nl80211_set_power_save,
18313 		.flags = GENL_UNS_ADMIN_PERM,
18314 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV),
18315 	},
18316 	{
18317 		.cmd = NL80211_CMD_GET_POWER_SAVE,
18318 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18319 		.doit = nl80211_get_power_save,
18320 		/* can be retrieved by unprivileged users */
18321 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV),
18322 	},
18323 	{
18324 		.cmd = NL80211_CMD_SET_CQM,
18325 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18326 		.doit = nl80211_set_cqm,
18327 		.flags = GENL_UNS_ADMIN_PERM,
18328 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV),
18329 	},
18330 	{
18331 		.cmd = NL80211_CMD_SET_CHANNEL,
18332 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18333 		.doit = nl80211_set_channel,
18334 		.flags = GENL_UNS_ADMIN_PERM,
18335 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV |
18336 					 NL80211_FLAG_MLO_VALID_LINK_ID),
18337 	},
18338 	{
18339 		.cmd = NL80211_CMD_JOIN_MESH,
18340 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18341 		.doit = nl80211_join_mesh,
18342 		.flags = GENL_UNS_ADMIN_PERM,
18343 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
18344 	},
18345 	{
18346 		.cmd = NL80211_CMD_LEAVE_MESH,
18347 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18348 		.doit = nl80211_leave_mesh,
18349 		.flags = GENL_UNS_ADMIN_PERM,
18350 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
18351 	},
18352 	{
18353 		.cmd = NL80211_CMD_JOIN_OCB,
18354 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18355 		.doit = nl80211_join_ocb,
18356 		.flags = GENL_UNS_ADMIN_PERM,
18357 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
18358 	},
18359 	{
18360 		.cmd = NL80211_CMD_LEAVE_OCB,
18361 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18362 		.doit = nl80211_leave_ocb,
18363 		.flags = GENL_UNS_ADMIN_PERM,
18364 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
18365 	},
18366 #ifdef CONFIG_PM
18367 	{
18368 		.cmd = NL80211_CMD_GET_WOWLAN,
18369 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18370 		.doit = nl80211_get_wowlan,
18371 		/* can be retrieved by unprivileged users */
18372 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY),
18373 	},
18374 	{
18375 		.cmd = NL80211_CMD_SET_WOWLAN,
18376 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18377 		.doit = nl80211_set_wowlan,
18378 		.flags = GENL_UNS_ADMIN_PERM,
18379 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY),
18380 	},
18381 #endif
18382 	{
18383 		.cmd = NL80211_CMD_SET_REKEY_OFFLOAD,
18384 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18385 		.doit = nl80211_set_rekey_data,
18386 		.flags = GENL_UNS_ADMIN_PERM,
18387 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
18388 					 NL80211_FLAG_CLEAR_SKB),
18389 	},
18390 	{
18391 		.cmd = NL80211_CMD_TDLS_MGMT,
18392 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18393 		.doit = nl80211_tdls_mgmt,
18394 		.flags = GENL_UNS_ADMIN_PERM,
18395 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
18396 					 NL80211_FLAG_MLO_VALID_LINK_ID),
18397 	},
18398 	{
18399 		.cmd = NL80211_CMD_TDLS_OPER,
18400 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18401 		.doit = nl80211_tdls_oper,
18402 		.flags = GENL_UNS_ADMIN_PERM,
18403 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
18404 	},
18405 	{
18406 		.cmd = NL80211_CMD_UNEXPECTED_FRAME,
18407 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18408 		.doit = nl80211_register_unexpected_frame,
18409 		.flags = GENL_UNS_ADMIN_PERM,
18410 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV),
18411 	},
18412 	{
18413 		.cmd = NL80211_CMD_PROBE_CLIENT,
18414 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18415 		.doit = nl80211_probe_client,
18416 		.flags = GENL_UNS_ADMIN_PERM,
18417 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
18418 	},
18419 	{
18420 		.cmd = NL80211_CMD_REGISTER_BEACONS,
18421 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18422 		.doit = nl80211_register_beacons,
18423 		.flags = GENL_UNS_ADMIN_PERM,
18424 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY),
18425 	},
18426 	{
18427 		.cmd = NL80211_CMD_SET_NOACK_MAP,
18428 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18429 		.doit = nl80211_set_noack_map,
18430 		.flags = GENL_UNS_ADMIN_PERM,
18431 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV),
18432 	},
18433 	{
18434 		.cmd = NL80211_CMD_START_P2P_DEVICE,
18435 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18436 		.doit = nl80211_start_p2p_device,
18437 		.flags = GENL_UNS_ADMIN_PERM,
18438 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV |
18439 					 NL80211_FLAG_NEED_RTNL),
18440 	},
18441 	{
18442 		.cmd = NL80211_CMD_STOP_P2P_DEVICE,
18443 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18444 		.doit = nl80211_stop_p2p_device,
18445 		.flags = GENL_UNS_ADMIN_PERM,
18446 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP |
18447 					 NL80211_FLAG_NEED_RTNL),
18448 	},
18449 	{
18450 		.cmd = NL80211_CMD_START_NAN,
18451 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18452 		.doit = nl80211_start_nan,
18453 		.flags = GENL_ADMIN_PERM,
18454 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV |
18455 					 NL80211_FLAG_NEED_RTNL),
18456 	},
18457 	{
18458 		.cmd = NL80211_CMD_STOP_NAN,
18459 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18460 		.doit = nl80211_stop_nan,
18461 		.flags = GENL_ADMIN_PERM,
18462 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP |
18463 					 NL80211_FLAG_NEED_RTNL),
18464 	},
18465 	{
18466 		.cmd = NL80211_CMD_ADD_NAN_FUNCTION,
18467 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18468 		.doit = nl80211_nan_add_func,
18469 		.flags = GENL_ADMIN_PERM,
18470 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
18471 	},
18472 	{
18473 		.cmd = NL80211_CMD_DEL_NAN_FUNCTION,
18474 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18475 		.doit = nl80211_nan_del_func,
18476 		.flags = GENL_ADMIN_PERM,
18477 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
18478 	},
18479 	{
18480 		.cmd = NL80211_CMD_CHANGE_NAN_CONFIG,
18481 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18482 		.doit = nl80211_nan_change_config,
18483 		.flags = GENL_ADMIN_PERM,
18484 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
18485 	},
18486 	{
18487 		.cmd = NL80211_CMD_SET_MCAST_RATE,
18488 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18489 		.doit = nl80211_set_mcast_rate,
18490 		.flags = GENL_UNS_ADMIN_PERM,
18491 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV),
18492 	},
18493 	{
18494 		.cmd = NL80211_CMD_SET_MAC_ACL,
18495 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18496 		.doit = nl80211_set_mac_acl,
18497 		.flags = GENL_UNS_ADMIN_PERM,
18498 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV |
18499 					 NL80211_FLAG_MLO_UNSUPPORTED),
18500 	},
18501 	{
18502 		.cmd = NL80211_CMD_RADAR_DETECT,
18503 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18504 		.doit = nl80211_start_radar_detection,
18505 		.flags = GENL_UNS_ADMIN_PERM,
18506 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
18507 					 NL80211_FLAG_NO_WIPHY_MTX |
18508 					 NL80211_FLAG_MLO_VALID_LINK_ID),
18509 	},
18510 	{
18511 		.cmd = NL80211_CMD_GET_PROTOCOL_FEATURES,
18512 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18513 		.doit = nl80211_get_protocol_features,
18514 	},
18515 	{
18516 		.cmd = NL80211_CMD_UPDATE_FT_IES,
18517 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18518 		.doit = nl80211_update_ft_ies,
18519 		.flags = GENL_UNS_ADMIN_PERM,
18520 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
18521 	},
18522 	{
18523 		.cmd = NL80211_CMD_CRIT_PROTOCOL_START,
18524 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18525 		.doit = nl80211_crit_protocol_start,
18526 		.flags = GENL_UNS_ADMIN_PERM,
18527 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
18528 	},
18529 	{
18530 		.cmd = NL80211_CMD_CRIT_PROTOCOL_STOP,
18531 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18532 		.doit = nl80211_crit_protocol_stop,
18533 		.flags = GENL_UNS_ADMIN_PERM,
18534 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
18535 	},
18536 	{
18537 		.cmd = NL80211_CMD_GET_COALESCE,
18538 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18539 		.doit = nl80211_get_coalesce,
18540 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY),
18541 	},
18542 	{
18543 		.cmd = NL80211_CMD_SET_COALESCE,
18544 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18545 		.doit = nl80211_set_coalesce,
18546 		.flags = GENL_UNS_ADMIN_PERM,
18547 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY),
18548 	},
18549 	{
18550 		.cmd = NL80211_CMD_CHANNEL_SWITCH,
18551 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18552 		.doit = nl80211_channel_switch,
18553 		.flags = GENL_UNS_ADMIN_PERM,
18554 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
18555 					 NL80211_FLAG_MLO_VALID_LINK_ID),
18556 	},
18557 	{
18558 		.cmd = NL80211_CMD_VENDOR,
18559 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18560 		.doit = nl80211_vendor_cmd,
18561 		.dumpit = nl80211_vendor_cmd_dump,
18562 		.flags = GENL_UNS_ADMIN_PERM,
18563 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY |
18564 					 NL80211_FLAG_CLEAR_SKB),
18565 	},
18566 	{
18567 		.cmd = NL80211_CMD_SET_QOS_MAP,
18568 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18569 		.doit = nl80211_set_qos_map,
18570 		.flags = GENL_UNS_ADMIN_PERM,
18571 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
18572 	},
18573 	{
18574 		.cmd = NL80211_CMD_ADD_TX_TS,
18575 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18576 		.doit = nl80211_add_tx_ts,
18577 		.flags = GENL_UNS_ADMIN_PERM,
18578 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
18579 					 NL80211_FLAG_MLO_UNSUPPORTED),
18580 	},
18581 	{
18582 		.cmd = NL80211_CMD_DEL_TX_TS,
18583 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18584 		.doit = nl80211_del_tx_ts,
18585 		.flags = GENL_UNS_ADMIN_PERM,
18586 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
18587 	},
18588 	{
18589 		.cmd = NL80211_CMD_TDLS_CHANNEL_SWITCH,
18590 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18591 		.doit = nl80211_tdls_channel_switch,
18592 		.flags = GENL_UNS_ADMIN_PERM,
18593 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
18594 	},
18595 	{
18596 		.cmd = NL80211_CMD_TDLS_CANCEL_CHANNEL_SWITCH,
18597 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18598 		.doit = nl80211_tdls_cancel_channel_switch,
18599 		.flags = GENL_UNS_ADMIN_PERM,
18600 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
18601 	},
18602 	{
18603 		.cmd = NL80211_CMD_SET_MULTICAST_TO_UNICAST,
18604 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18605 		.doit = nl80211_set_multicast_to_unicast,
18606 		.flags = GENL_UNS_ADMIN_PERM,
18607 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV),
18608 	},
18609 	{
18610 		.cmd = NL80211_CMD_SET_PMK,
18611 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18612 		.doit = nl80211_set_pmk,
18613 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
18614 					 NL80211_FLAG_CLEAR_SKB),
18615 	},
18616 	{
18617 		.cmd = NL80211_CMD_DEL_PMK,
18618 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18619 		.doit = nl80211_del_pmk,
18620 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
18621 	},
18622 	{
18623 		.cmd = NL80211_CMD_EXTERNAL_AUTH,
18624 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18625 		.doit = nl80211_external_auth,
18626 		.flags = GENL_ADMIN_PERM,
18627 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
18628 	},
18629 	{
18630 		.cmd = NL80211_CMD_CONTROL_PORT_FRAME,
18631 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18632 		.doit = nl80211_tx_control_port,
18633 		.flags = GENL_UNS_ADMIN_PERM,
18634 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
18635 	},
18636 	{
18637 		.cmd = NL80211_CMD_GET_FTM_RESPONDER_STATS,
18638 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18639 		.doit = nl80211_get_ftm_responder_stats,
18640 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV |
18641 					 NL80211_FLAG_MLO_VALID_LINK_ID),
18642 	},
18643 	{
18644 		.cmd = NL80211_CMD_PEER_MEASUREMENT_START,
18645 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18646 		.doit = nl80211_pmsr_start,
18647 		.flags = GENL_UNS_ADMIN_PERM,
18648 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
18649 	},
18650 	{
18651 		.cmd = NL80211_CMD_NOTIFY_RADAR,
18652 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18653 		.doit = nl80211_notify_radar_detection,
18654 		.flags = GENL_UNS_ADMIN_PERM,
18655 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
18656 	},
18657 	{
18658 		.cmd = NL80211_CMD_UPDATE_OWE_INFO,
18659 		.doit = nl80211_update_owe_info,
18660 		.flags = GENL_ADMIN_PERM,
18661 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
18662 	},
18663 	{
18664 		.cmd = NL80211_CMD_PROBE_MESH_LINK,
18665 		.doit = nl80211_probe_mesh_link,
18666 		.flags = GENL_UNS_ADMIN_PERM,
18667 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
18668 	},
18669 	{
18670 		.cmd = NL80211_CMD_SET_TID_CONFIG,
18671 		.doit = nl80211_set_tid_config,
18672 		.flags = GENL_UNS_ADMIN_PERM,
18673 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV |
18674 					 NL80211_FLAG_MLO_VALID_LINK_ID),
18675 	},
18676 	{
18677 		.cmd = NL80211_CMD_SET_SAR_SPECS,
18678 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18679 		.doit = nl80211_set_sar_specs,
18680 		.flags = GENL_UNS_ADMIN_PERM,
18681 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY |
18682 					 NL80211_FLAG_NEED_RTNL),
18683 	},
18684 	{
18685 		.cmd = NL80211_CMD_COLOR_CHANGE_REQUEST,
18686 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18687 		.doit = nl80211_color_change,
18688 		.flags = GENL_UNS_ADMIN_PERM,
18689 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
18690 					 NL80211_FLAG_MLO_VALID_LINK_ID),
18691 	},
18692 	{
18693 		.cmd = NL80211_CMD_SET_FILS_AAD,
18694 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18695 		.doit = nl80211_set_fils_aad,
18696 		.flags = GENL_UNS_ADMIN_PERM,
18697 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
18698 	},
18699 	{
18700 		.cmd = NL80211_CMD_ADD_LINK,
18701 		.doit = nl80211_add_link,
18702 		.flags = GENL_UNS_ADMIN_PERM,
18703 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
18704 	},
18705 	{
18706 		.cmd = NL80211_CMD_REMOVE_LINK,
18707 		.doit = nl80211_remove_link,
18708 		.flags = GENL_UNS_ADMIN_PERM,
18709 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
18710 					 NL80211_FLAG_MLO_VALID_LINK_ID),
18711 	},
18712 	{
18713 		.cmd = NL80211_CMD_ADD_LINK_STA,
18714 		.doit = nl80211_add_link_station,
18715 		.flags = GENL_UNS_ADMIN_PERM,
18716 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
18717 					 NL80211_FLAG_MLO_VALID_LINK_ID),
18718 	},
18719 	{
18720 		.cmd = NL80211_CMD_MODIFY_LINK_STA,
18721 		.doit = nl80211_modify_link_station,
18722 		.flags = GENL_UNS_ADMIN_PERM,
18723 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
18724 					 NL80211_FLAG_MLO_VALID_LINK_ID),
18725 	},
18726 	{
18727 		.cmd = NL80211_CMD_REMOVE_LINK_STA,
18728 		.doit = nl80211_remove_link_station,
18729 		.flags = GENL_UNS_ADMIN_PERM,
18730 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
18731 					 NL80211_FLAG_MLO_VALID_LINK_ID),
18732 	},
18733 	{
18734 		.cmd = NL80211_CMD_SET_HW_TIMESTAMP,
18735 		.doit = nl80211_set_hw_timestamp,
18736 		.flags = GENL_UNS_ADMIN_PERM,
18737 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
18738 	},
18739 	{
18740 		.cmd = NL80211_CMD_SET_TID_TO_LINK_MAPPING,
18741 		.doit = nl80211_set_ttlm,
18742 		.flags = GENL_UNS_ADMIN_PERM,
18743 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
18744 	},
18745 	{
18746 		.cmd = NL80211_CMD_ASSOC_MLO_RECONF,
18747 		.doit = nl80211_assoc_ml_reconf,
18748 		.flags = GENL_UNS_ADMIN_PERM,
18749 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
18750 	},
18751 	{
18752 		.cmd = NL80211_CMD_EPCS_CFG,
18753 		.doit = nl80211_epcs_cfg,
18754 		.flags = GENL_UNS_ADMIN_PERM,
18755 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
18756 	},
18757 };
18758 
18759 static struct genl_family nl80211_fam __ro_after_init = {
18760 	.name = NL80211_GENL_NAME,	/* have users key off the name instead */
18761 	.hdrsize = 0,			/* no private header */
18762 	.version = 1,			/* no particular meaning now */
18763 	.maxattr = NL80211_ATTR_MAX,
18764 	.policy = nl80211_policy,
18765 	.netnsok = true,
18766 	.pre_doit = nl80211_pre_doit,
18767 	.post_doit = nl80211_post_doit,
18768 	.module = THIS_MODULE,
18769 	.ops = nl80211_ops,
18770 	.n_ops = ARRAY_SIZE(nl80211_ops),
18771 	.small_ops = nl80211_small_ops,
18772 	.n_small_ops = ARRAY_SIZE(nl80211_small_ops),
18773 	.resv_start_op = NL80211_CMD_REMOVE_LINK_STA + 1,
18774 	.mcgrps = nl80211_mcgrps,
18775 	.n_mcgrps = ARRAY_SIZE(nl80211_mcgrps),
18776 	.parallel_ops = true,
18777 };
18778 
18779 /* notification functions */
18780 
18781 void nl80211_notify_wiphy(struct cfg80211_registered_device *rdev,
18782 			  enum nl80211_commands cmd)
18783 {
18784 	struct sk_buff *msg;
18785 	struct nl80211_dump_wiphy_state state = {};
18786 
18787 	WARN_ON(cmd != NL80211_CMD_NEW_WIPHY &&
18788 		cmd != NL80211_CMD_DEL_WIPHY);
18789 
18790 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
18791 	if (!msg)
18792 		return;
18793 
18794 	if (nl80211_send_wiphy(rdev, cmd, msg, 0, 0, 0, &state) < 0) {
18795 		nlmsg_free(msg);
18796 		return;
18797 	}
18798 
18799 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18800 				NL80211_MCGRP_CONFIG, GFP_KERNEL);
18801 }
18802 
18803 void nl80211_notify_iface(struct cfg80211_registered_device *rdev,
18804 				struct wireless_dev *wdev,
18805 				enum nl80211_commands cmd)
18806 {
18807 	struct sk_buff *msg;
18808 
18809 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
18810 	if (!msg)
18811 		return;
18812 
18813 	if (nl80211_send_iface(msg, 0, 0, 0, rdev, wdev, cmd) < 0) {
18814 		nlmsg_free(msg);
18815 		return;
18816 	}
18817 
18818 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18819 				NL80211_MCGRP_CONFIG, GFP_KERNEL);
18820 }
18821 
18822 static int nl80211_add_scan_req(struct sk_buff *msg,
18823 				struct cfg80211_registered_device *rdev)
18824 {
18825 	struct cfg80211_scan_request_int *req = rdev->scan_req;
18826 	struct nlattr *nest;
18827 	int i;
18828 	struct cfg80211_scan_info *info;
18829 
18830 	if (WARN_ON(!req))
18831 		return 0;
18832 
18833 	nest = nla_nest_start_noflag(msg, NL80211_ATTR_SCAN_SSIDS);
18834 	if (!nest)
18835 		goto nla_put_failure;
18836 	for (i = 0; i < req->req.n_ssids; i++) {
18837 		if (nla_put(msg, i, req->req.ssids[i].ssid_len,
18838 			    req->req.ssids[i].ssid))
18839 			goto nla_put_failure;
18840 	}
18841 	nla_nest_end(msg, nest);
18842 
18843 	if (req->req.flags & NL80211_SCAN_FLAG_FREQ_KHZ) {
18844 		nest = nla_nest_start(msg, NL80211_ATTR_SCAN_FREQ_KHZ);
18845 		if (!nest)
18846 			goto nla_put_failure;
18847 		for (i = 0; i < req->req.n_channels; i++) {
18848 			if (nla_put_u32(msg, i,
18849 					ieee80211_channel_to_khz(req->req.channels[i])))
18850 				goto nla_put_failure;
18851 		}
18852 		nla_nest_end(msg, nest);
18853 	} else {
18854 		nest = nla_nest_start_noflag(msg,
18855 					     NL80211_ATTR_SCAN_FREQUENCIES);
18856 		if (!nest)
18857 			goto nla_put_failure;
18858 		for (i = 0; i < req->req.n_channels; i++) {
18859 			if (nla_put_u32(msg, i,
18860 					req->req.channels[i]->center_freq))
18861 				goto nla_put_failure;
18862 		}
18863 		nla_nest_end(msg, nest);
18864 	}
18865 
18866 	if (req->req.ie &&
18867 	    nla_put(msg, NL80211_ATTR_IE, req->req.ie_len, req->req.ie))
18868 		goto nla_put_failure;
18869 
18870 	if (req->req.flags &&
18871 	    nla_put_u32(msg, NL80211_ATTR_SCAN_FLAGS, req->req.flags))
18872 		goto nla_put_failure;
18873 
18874 	info = rdev->int_scan_req ? &rdev->int_scan_req->info :
18875 		&rdev->scan_req->info;
18876 	if (info->scan_start_tsf &&
18877 	    (nla_put_u64_64bit(msg, NL80211_ATTR_SCAN_START_TIME_TSF,
18878 			       info->scan_start_tsf, NL80211_BSS_PAD) ||
18879 	     nla_put(msg, NL80211_ATTR_SCAN_START_TIME_TSF_BSSID, ETH_ALEN,
18880 		     info->tsf_bssid)))
18881 		goto nla_put_failure;
18882 
18883 	return 0;
18884  nla_put_failure:
18885 	return -ENOBUFS;
18886 }
18887 
18888 static int nl80211_prep_scan_msg(struct sk_buff *msg,
18889 				 struct cfg80211_registered_device *rdev,
18890 				 struct wireless_dev *wdev,
18891 				 u32 portid, u32 seq, int flags,
18892 				 u32 cmd)
18893 {
18894 	void *hdr;
18895 
18896 	hdr = nl80211hdr_put(msg, portid, seq, flags, cmd);
18897 	if (!hdr)
18898 		return -1;
18899 
18900 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18901 	    (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
18902 					 wdev->netdev->ifindex)) ||
18903 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
18904 			      NL80211_ATTR_PAD))
18905 		goto nla_put_failure;
18906 
18907 	/* ignore errors and send incomplete event anyway */
18908 	nl80211_add_scan_req(msg, rdev);
18909 
18910 	genlmsg_end(msg, hdr);
18911 	return 0;
18912 
18913  nla_put_failure:
18914 	genlmsg_cancel(msg, hdr);
18915 	return -EMSGSIZE;
18916 }
18917 
18918 static int
18919 nl80211_prep_sched_scan_msg(struct sk_buff *msg,
18920 			    struct cfg80211_sched_scan_request *req, u32 cmd)
18921 {
18922 	void *hdr;
18923 
18924 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
18925 	if (!hdr)
18926 		return -1;
18927 
18928 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY,
18929 			wiphy_to_rdev(req->wiphy)->wiphy_idx) ||
18930 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, req->dev->ifindex) ||
18931 	    nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, req->reqid,
18932 			      NL80211_ATTR_PAD))
18933 		goto nla_put_failure;
18934 
18935 	genlmsg_end(msg, hdr);
18936 	return 0;
18937 
18938  nla_put_failure:
18939 	genlmsg_cancel(msg, hdr);
18940 	return -EMSGSIZE;
18941 }
18942 
18943 void nl80211_send_scan_start(struct cfg80211_registered_device *rdev,
18944 			     struct wireless_dev *wdev)
18945 {
18946 	struct sk_buff *msg;
18947 
18948 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
18949 	if (!msg)
18950 		return;
18951 
18952 	if (nl80211_prep_scan_msg(msg, rdev, wdev, 0, 0, 0,
18953 				  NL80211_CMD_TRIGGER_SCAN) < 0) {
18954 		nlmsg_free(msg);
18955 		return;
18956 	}
18957 
18958 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18959 				NL80211_MCGRP_SCAN, GFP_KERNEL);
18960 }
18961 
18962 struct sk_buff *nl80211_build_scan_msg(struct cfg80211_registered_device *rdev,
18963 				       struct wireless_dev *wdev, bool aborted)
18964 {
18965 	struct sk_buff *msg;
18966 
18967 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
18968 	if (!msg)
18969 		return NULL;
18970 
18971 	if (nl80211_prep_scan_msg(msg, rdev, wdev, 0, 0, 0,
18972 				  aborted ? NL80211_CMD_SCAN_ABORTED :
18973 					    NL80211_CMD_NEW_SCAN_RESULTS) < 0) {
18974 		nlmsg_free(msg);
18975 		return NULL;
18976 	}
18977 
18978 	return msg;
18979 }
18980 
18981 /* send message created by nl80211_build_scan_msg() */
18982 void nl80211_send_scan_msg(struct cfg80211_registered_device *rdev,
18983 			   struct sk_buff *msg)
18984 {
18985 	if (!msg)
18986 		return;
18987 
18988 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18989 				NL80211_MCGRP_SCAN, GFP_KERNEL);
18990 }
18991 
18992 void nl80211_send_sched_scan(struct cfg80211_sched_scan_request *req, u32 cmd)
18993 {
18994 	struct sk_buff *msg;
18995 
18996 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
18997 	if (!msg)
18998 		return;
18999 
19000 	if (nl80211_prep_sched_scan_msg(msg, req, cmd) < 0) {
19001 		nlmsg_free(msg);
19002 		return;
19003 	}
19004 
19005 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(req->wiphy), msg, 0,
19006 				NL80211_MCGRP_SCAN, GFP_KERNEL);
19007 }
19008 
19009 static bool nl80211_reg_change_event_fill(struct sk_buff *msg,
19010 					  struct regulatory_request *request)
19011 {
19012 	/* Userspace can always count this one always being set */
19013 	if (nla_put_u8(msg, NL80211_ATTR_REG_INITIATOR, request->initiator))
19014 		goto nla_put_failure;
19015 
19016 	if (request->alpha2[0] == '0' && request->alpha2[1] == '0') {
19017 		if (nla_put_u8(msg, NL80211_ATTR_REG_TYPE,
19018 			       NL80211_REGDOM_TYPE_WORLD))
19019 			goto nla_put_failure;
19020 	} else if (request->alpha2[0] == '9' && request->alpha2[1] == '9') {
19021 		if (nla_put_u8(msg, NL80211_ATTR_REG_TYPE,
19022 			       NL80211_REGDOM_TYPE_CUSTOM_WORLD))
19023 			goto nla_put_failure;
19024 	} else if ((request->alpha2[0] == '9' && request->alpha2[1] == '8') ||
19025 		   request->intersect) {
19026 		if (nla_put_u8(msg, NL80211_ATTR_REG_TYPE,
19027 			       NL80211_REGDOM_TYPE_INTERSECTION))
19028 			goto nla_put_failure;
19029 	} else {
19030 		if (nla_put_u8(msg, NL80211_ATTR_REG_TYPE,
19031 			       NL80211_REGDOM_TYPE_COUNTRY) ||
19032 		    nla_put_string(msg, NL80211_ATTR_REG_ALPHA2,
19033 				   request->alpha2))
19034 			goto nla_put_failure;
19035 	}
19036 
19037 	if (request->wiphy_idx != WIPHY_IDX_INVALID) {
19038 		struct wiphy *wiphy = wiphy_idx_to_wiphy(request->wiphy_idx);
19039 
19040 		if (wiphy &&
19041 		    nla_put_u32(msg, NL80211_ATTR_WIPHY, request->wiphy_idx))
19042 			goto nla_put_failure;
19043 
19044 		if (wiphy &&
19045 		    wiphy->regulatory_flags & REGULATORY_WIPHY_SELF_MANAGED &&
19046 		    nla_put_flag(msg, NL80211_ATTR_WIPHY_SELF_MANAGED_REG))
19047 			goto nla_put_failure;
19048 	}
19049 
19050 	return true;
19051 
19052 nla_put_failure:
19053 	return false;
19054 }
19055 
19056 /*
19057  * This can happen on global regulatory changes or device specific settings
19058  * based on custom regulatory domains.
19059  */
19060 void nl80211_common_reg_change_event(enum nl80211_commands cmd_id,
19061 				     struct regulatory_request *request)
19062 {
19063 	struct sk_buff *msg;
19064 	void *hdr;
19065 
19066 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
19067 	if (!msg)
19068 		return;
19069 
19070 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd_id);
19071 	if (!hdr)
19072 		goto nla_put_failure;
19073 
19074 	if (!nl80211_reg_change_event_fill(msg, request))
19075 		goto nla_put_failure;
19076 
19077 	genlmsg_end(msg, hdr);
19078 
19079 	genlmsg_multicast_allns(&nl80211_fam, msg, 0,
19080 				NL80211_MCGRP_REGULATORY);
19081 
19082 	return;
19083 
19084 nla_put_failure:
19085 	nlmsg_free(msg);
19086 }
19087 
19088 struct nl80211_mlme_event {
19089 	enum nl80211_commands cmd;
19090 	const u8 *buf;
19091 	size_t buf_len;
19092 	int uapsd_queues;
19093 	const u8 *req_ies;
19094 	size_t req_ies_len;
19095 	bool reconnect;
19096 };
19097 
19098 static void nl80211_send_mlme_event(struct cfg80211_registered_device *rdev,
19099 				    struct net_device *netdev,
19100 				    const struct nl80211_mlme_event *event,
19101 				    gfp_t gfp)
19102 {
19103 	struct sk_buff *msg;
19104 	void *hdr;
19105 
19106 	msg = nlmsg_new(100 + event->buf_len + event->req_ies_len, gfp);
19107 	if (!msg)
19108 		return;
19109 
19110 	hdr = nl80211hdr_put(msg, 0, 0, 0, event->cmd);
19111 	if (!hdr) {
19112 		nlmsg_free(msg);
19113 		return;
19114 	}
19115 
19116 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
19117 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
19118 	    nla_put(msg, NL80211_ATTR_FRAME, event->buf_len, event->buf) ||
19119 	    (event->req_ies &&
19120 	     nla_put(msg, NL80211_ATTR_REQ_IE, event->req_ies_len,
19121 		     event->req_ies)))
19122 		goto nla_put_failure;
19123 
19124 	if (event->reconnect &&
19125 	    nla_put_flag(msg, NL80211_ATTR_RECONNECT_REQUESTED))
19126 		goto nla_put_failure;
19127 
19128 	if (event->uapsd_queues >= 0) {
19129 		struct nlattr *nla_wmm =
19130 			nla_nest_start_noflag(msg, NL80211_ATTR_STA_WME);
19131 		if (!nla_wmm)
19132 			goto nla_put_failure;
19133 
19134 		if (nla_put_u8(msg, NL80211_STA_WME_UAPSD_QUEUES,
19135 			       event->uapsd_queues))
19136 			goto nla_put_failure;
19137 
19138 		nla_nest_end(msg, nla_wmm);
19139 	}
19140 
19141 	genlmsg_end(msg, hdr);
19142 
19143 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
19144 				NL80211_MCGRP_MLME, gfp);
19145 	return;
19146 
19147  nla_put_failure:
19148 	nlmsg_free(msg);
19149 }
19150 
19151 void nl80211_send_rx_auth(struct cfg80211_registered_device *rdev,
19152 			  struct net_device *netdev, const u8 *buf,
19153 			  size_t len, gfp_t gfp)
19154 {
19155 	struct nl80211_mlme_event event = {
19156 		.cmd = NL80211_CMD_AUTHENTICATE,
19157 		.buf = buf,
19158 		.buf_len = len,
19159 		.uapsd_queues = -1,
19160 	};
19161 
19162 	nl80211_send_mlme_event(rdev, netdev, &event, gfp);
19163 }
19164 
19165 void nl80211_send_rx_assoc(struct cfg80211_registered_device *rdev,
19166 			   struct net_device *netdev,
19167 			   const struct cfg80211_rx_assoc_resp_data *data)
19168 {
19169 	struct nl80211_mlme_event event = {
19170 		.cmd = NL80211_CMD_ASSOCIATE,
19171 		.buf = data->buf,
19172 		.buf_len = data->len,
19173 		.uapsd_queues = data->uapsd_queues,
19174 		.req_ies = data->req_ies,
19175 		.req_ies_len = data->req_ies_len,
19176 	};
19177 
19178 	nl80211_send_mlme_event(rdev, netdev, &event, GFP_KERNEL);
19179 }
19180 
19181 void nl80211_send_deauth(struct cfg80211_registered_device *rdev,
19182 			 struct net_device *netdev, const u8 *buf,
19183 			 size_t len, bool reconnect, gfp_t gfp)
19184 {
19185 	struct nl80211_mlme_event event = {
19186 		.cmd = NL80211_CMD_DEAUTHENTICATE,
19187 		.buf = buf,
19188 		.buf_len = len,
19189 		.reconnect = reconnect,
19190 		.uapsd_queues = -1,
19191 	};
19192 
19193 	nl80211_send_mlme_event(rdev, netdev, &event, gfp);
19194 }
19195 
19196 void nl80211_send_disassoc(struct cfg80211_registered_device *rdev,
19197 			   struct net_device *netdev, const u8 *buf,
19198 			   size_t len, bool reconnect, gfp_t gfp)
19199 {
19200 	struct nl80211_mlme_event event = {
19201 		.cmd = NL80211_CMD_DISASSOCIATE,
19202 		.buf = buf,
19203 		.buf_len = len,
19204 		.reconnect = reconnect,
19205 		.uapsd_queues = -1,
19206 	};
19207 
19208 	nl80211_send_mlme_event(rdev, netdev, &event, gfp);
19209 }
19210 
19211 void cfg80211_rx_unprot_mlme_mgmt(struct net_device *dev, const u8 *buf,
19212 				  size_t len)
19213 {
19214 	struct wireless_dev *wdev = dev->ieee80211_ptr;
19215 	struct wiphy *wiphy = wdev->wiphy;
19216 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
19217 	const struct ieee80211_mgmt *mgmt = (void *)buf;
19218 	struct nl80211_mlme_event event = {
19219 		.buf = buf,
19220 		.buf_len = len,
19221 		.uapsd_queues = -1,
19222 	};
19223 
19224 	if (WARN_ON(len < 2))
19225 		return;
19226 
19227 	if (ieee80211_is_deauth(mgmt->frame_control)) {
19228 		event.cmd = NL80211_CMD_UNPROT_DEAUTHENTICATE;
19229 	} else if (ieee80211_is_disassoc(mgmt->frame_control)) {
19230 		event.cmd = NL80211_CMD_UNPROT_DISASSOCIATE;
19231 	} else if (ieee80211_is_beacon(mgmt->frame_control)) {
19232 		if (wdev->unprot_beacon_reported &&
19233 		    elapsed_jiffies_msecs(wdev->unprot_beacon_reported) < 10000)
19234 			return;
19235 		event.cmd = NL80211_CMD_UNPROT_BEACON;
19236 		wdev->unprot_beacon_reported = jiffies;
19237 	} else {
19238 		return;
19239 	}
19240 
19241 	trace_cfg80211_rx_unprot_mlme_mgmt(dev, buf, len);
19242 	nl80211_send_mlme_event(rdev, dev, &event, GFP_ATOMIC);
19243 }
19244 EXPORT_SYMBOL(cfg80211_rx_unprot_mlme_mgmt);
19245 
19246 static void nl80211_send_mlme_timeout(struct cfg80211_registered_device *rdev,
19247 				      struct net_device *netdev, int cmd,
19248 				      const u8 *addr, gfp_t gfp)
19249 {
19250 	struct sk_buff *msg;
19251 	void *hdr;
19252 
19253 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
19254 	if (!msg)
19255 		return;
19256 
19257 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
19258 	if (!hdr) {
19259 		nlmsg_free(msg);
19260 		return;
19261 	}
19262 
19263 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
19264 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
19265 	    nla_put_flag(msg, NL80211_ATTR_TIMED_OUT) ||
19266 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr))
19267 		goto nla_put_failure;
19268 
19269 	genlmsg_end(msg, hdr);
19270 
19271 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
19272 				NL80211_MCGRP_MLME, gfp);
19273 	return;
19274 
19275  nla_put_failure:
19276 	nlmsg_free(msg);
19277 }
19278 
19279 void nl80211_send_auth_timeout(struct cfg80211_registered_device *rdev,
19280 			       struct net_device *netdev, const u8 *addr,
19281 			       gfp_t gfp)
19282 {
19283 	nl80211_send_mlme_timeout(rdev, netdev, NL80211_CMD_AUTHENTICATE,
19284 				  addr, gfp);
19285 }
19286 
19287 void nl80211_send_assoc_timeout(struct cfg80211_registered_device *rdev,
19288 				struct net_device *netdev, const u8 *addr,
19289 				gfp_t gfp)
19290 {
19291 	nl80211_send_mlme_timeout(rdev, netdev, NL80211_CMD_ASSOCIATE,
19292 				  addr, gfp);
19293 }
19294 
19295 void nl80211_send_connect_result(struct cfg80211_registered_device *rdev,
19296 				 struct net_device *netdev,
19297 				 struct cfg80211_connect_resp_params *cr,
19298 				 gfp_t gfp)
19299 {
19300 	struct sk_buff *msg;
19301 	void *hdr;
19302 	unsigned int link;
19303 	size_t link_info_size = 0;
19304 	const u8 *connected_addr = cr->valid_links ?
19305 				   cr->ap_mld_addr : cr->links[0].bssid;
19306 
19307 	if (cr->valid_links) {
19308 		for_each_valid_link(cr, link) {
19309 			/* Nested attribute header */
19310 			link_info_size += NLA_HDRLEN;
19311 			/* Link ID */
19312 			link_info_size += nla_total_size(sizeof(u8));
19313 			link_info_size += cr->links[link].addr ?
19314 					  nla_total_size(ETH_ALEN) : 0;
19315 			link_info_size += (cr->links[link].bssid ||
19316 					   cr->links[link].bss) ?
19317 					  nla_total_size(ETH_ALEN) : 0;
19318 			link_info_size += nla_total_size(sizeof(u16));
19319 		}
19320 	}
19321 
19322 	msg = nlmsg_new(100 + cr->req_ie_len + cr->resp_ie_len +
19323 			cr->fils.kek_len + cr->fils.pmk_len +
19324 			(cr->fils.pmkid ? WLAN_PMKID_LEN : 0) + link_info_size,
19325 			gfp);
19326 	if (!msg)
19327 		return;
19328 
19329 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_CONNECT);
19330 	if (!hdr) {
19331 		nlmsg_free(msg);
19332 		return;
19333 	}
19334 
19335 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
19336 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
19337 	    (connected_addr &&
19338 	     nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, connected_addr)) ||
19339 	    nla_put_u16(msg, NL80211_ATTR_STATUS_CODE,
19340 			cr->status < 0 ? WLAN_STATUS_UNSPECIFIED_FAILURE :
19341 			cr->status) ||
19342 	    (cr->status < 0 &&
19343 	     (nla_put_flag(msg, NL80211_ATTR_TIMED_OUT) ||
19344 	      nla_put_u32(msg, NL80211_ATTR_TIMEOUT_REASON,
19345 			  cr->timeout_reason))) ||
19346 	    (cr->req_ie &&
19347 	     nla_put(msg, NL80211_ATTR_REQ_IE, cr->req_ie_len, cr->req_ie)) ||
19348 	    (cr->resp_ie &&
19349 	     nla_put(msg, NL80211_ATTR_RESP_IE, cr->resp_ie_len,
19350 		     cr->resp_ie)) ||
19351 	    (cr->fils.update_erp_next_seq_num &&
19352 	     nla_put_u16(msg, NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM,
19353 			 cr->fils.erp_next_seq_num)) ||
19354 	    (cr->status == WLAN_STATUS_SUCCESS &&
19355 	     ((cr->fils.kek &&
19356 	       nla_put(msg, NL80211_ATTR_FILS_KEK, cr->fils.kek_len,
19357 		       cr->fils.kek)) ||
19358 	      (cr->fils.pmk &&
19359 	       nla_put(msg, NL80211_ATTR_PMK, cr->fils.pmk_len, cr->fils.pmk)) ||
19360 	      (cr->fils.pmkid &&
19361 	       nla_put(msg, NL80211_ATTR_PMKID, WLAN_PMKID_LEN, cr->fils.pmkid)))))
19362 		goto nla_put_failure;
19363 
19364 	if (cr->valid_links) {
19365 		int i = 1;
19366 		struct nlattr *nested;
19367 
19368 		nested = nla_nest_start(msg, NL80211_ATTR_MLO_LINKS);
19369 		if (!nested)
19370 			goto nla_put_failure;
19371 
19372 		for_each_valid_link(cr, link) {
19373 			struct nlattr *nested_mlo_links;
19374 			const u8 *bssid = cr->links[link].bss ?
19375 					  cr->links[link].bss->bssid :
19376 					  cr->links[link].bssid;
19377 
19378 			nested_mlo_links = nla_nest_start(msg, i);
19379 			if (!nested_mlo_links)
19380 				goto nla_put_failure;
19381 
19382 			if (nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID, link) ||
19383 			    (bssid &&
19384 			     nla_put(msg, NL80211_ATTR_BSSID, ETH_ALEN, bssid)) ||
19385 			    (cr->links[link].addr &&
19386 			     nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN,
19387 				     cr->links[link].addr)) ||
19388 			    nla_put_u16(msg, NL80211_ATTR_STATUS_CODE,
19389 					cr->links[link].status))
19390 				goto nla_put_failure;
19391 
19392 			nla_nest_end(msg, nested_mlo_links);
19393 			i++;
19394 		}
19395 		nla_nest_end(msg, nested);
19396 	}
19397 
19398 	genlmsg_end(msg, hdr);
19399 
19400 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
19401 				NL80211_MCGRP_MLME, gfp);
19402 	return;
19403 
19404  nla_put_failure:
19405 	nlmsg_free(msg);
19406 }
19407 
19408 void nl80211_send_roamed(struct cfg80211_registered_device *rdev,
19409 			 struct net_device *netdev,
19410 			 struct cfg80211_roam_info *info, gfp_t gfp)
19411 {
19412 	struct sk_buff *msg;
19413 	void *hdr;
19414 	size_t link_info_size = 0;
19415 	unsigned int link;
19416 	const u8 *connected_addr = info->ap_mld_addr ?
19417 				   info->ap_mld_addr :
19418 				   (info->links[0].bss ?
19419 				    info->links[0].bss->bssid :
19420 				    info->links[0].bssid);
19421 
19422 	if (info->valid_links) {
19423 		for_each_valid_link(info, link) {
19424 			/* Nested attribute header */
19425 			link_info_size += NLA_HDRLEN;
19426 			/* Link ID */
19427 			link_info_size += nla_total_size(sizeof(u8));
19428 			link_info_size += info->links[link].addr ?
19429 					  nla_total_size(ETH_ALEN) : 0;
19430 			link_info_size += (info->links[link].bssid ||
19431 					   info->links[link].bss) ?
19432 					  nla_total_size(ETH_ALEN) : 0;
19433 		}
19434 	}
19435 
19436 	msg = nlmsg_new(100 + info->req_ie_len + info->resp_ie_len +
19437 			info->fils.kek_len + info->fils.pmk_len +
19438 			(info->fils.pmkid ? WLAN_PMKID_LEN : 0) +
19439 			link_info_size, gfp);
19440 	if (!msg)
19441 		return;
19442 
19443 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_ROAM);
19444 	if (!hdr) {
19445 		nlmsg_free(msg);
19446 		return;
19447 	}
19448 
19449 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
19450 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
19451 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, connected_addr) ||
19452 	    (info->req_ie &&
19453 	     nla_put(msg, NL80211_ATTR_REQ_IE, info->req_ie_len,
19454 		     info->req_ie)) ||
19455 	    (info->resp_ie &&
19456 	     nla_put(msg, NL80211_ATTR_RESP_IE, info->resp_ie_len,
19457 		     info->resp_ie)) ||
19458 	    (info->fils.update_erp_next_seq_num &&
19459 	     nla_put_u16(msg, NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM,
19460 			 info->fils.erp_next_seq_num)) ||
19461 	    (info->fils.kek &&
19462 	     nla_put(msg, NL80211_ATTR_FILS_KEK, info->fils.kek_len,
19463 		     info->fils.kek)) ||
19464 	    (info->fils.pmk &&
19465 	     nla_put(msg, NL80211_ATTR_PMK, info->fils.pmk_len, info->fils.pmk)) ||
19466 	    (info->fils.pmkid &&
19467 	     nla_put(msg, NL80211_ATTR_PMKID, WLAN_PMKID_LEN, info->fils.pmkid)))
19468 		goto nla_put_failure;
19469 
19470 	if (info->valid_links) {
19471 		int i = 1;
19472 		struct nlattr *nested;
19473 
19474 		nested = nla_nest_start(msg, NL80211_ATTR_MLO_LINKS);
19475 		if (!nested)
19476 			goto nla_put_failure;
19477 
19478 		for_each_valid_link(info, link) {
19479 			struct nlattr *nested_mlo_links;
19480 			const u8 *bssid = info->links[link].bss ?
19481 					  info->links[link].bss->bssid :
19482 					  info->links[link].bssid;
19483 
19484 			nested_mlo_links = nla_nest_start(msg, i);
19485 			if (!nested_mlo_links)
19486 				goto nla_put_failure;
19487 
19488 			if (nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID, link) ||
19489 			    (bssid &&
19490 			     nla_put(msg, NL80211_ATTR_BSSID, ETH_ALEN, bssid)) ||
19491 			    (info->links[link].addr &&
19492 			     nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN,
19493 				     info->links[link].addr)))
19494 				goto nla_put_failure;
19495 
19496 			nla_nest_end(msg, nested_mlo_links);
19497 			i++;
19498 		}
19499 		nla_nest_end(msg, nested);
19500 	}
19501 
19502 	genlmsg_end(msg, hdr);
19503 
19504 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
19505 				NL80211_MCGRP_MLME, gfp);
19506 	return;
19507 
19508  nla_put_failure:
19509 	nlmsg_free(msg);
19510 }
19511 
19512 void nl80211_send_port_authorized(struct cfg80211_registered_device *rdev,
19513 				  struct net_device *netdev, const u8 *peer_addr,
19514 				  const u8 *td_bitmap, u8 td_bitmap_len)
19515 {
19516 	struct sk_buff *msg;
19517 	void *hdr;
19518 
19519 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
19520 	if (!msg)
19521 		return;
19522 
19523 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_PORT_AUTHORIZED);
19524 	if (!hdr) {
19525 		nlmsg_free(msg);
19526 		return;
19527 	}
19528 
19529 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
19530 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
19531 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, peer_addr))
19532 		goto nla_put_failure;
19533 
19534 	if (td_bitmap_len > 0 && td_bitmap &&
19535 	    nla_put(msg, NL80211_ATTR_TD_BITMAP, td_bitmap_len, td_bitmap))
19536 		goto nla_put_failure;
19537 
19538 	genlmsg_end(msg, hdr);
19539 
19540 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
19541 				NL80211_MCGRP_MLME, GFP_KERNEL);
19542 	return;
19543 
19544  nla_put_failure:
19545 	nlmsg_free(msg);
19546 }
19547 
19548 void nl80211_send_disconnected(struct cfg80211_registered_device *rdev,
19549 			       struct net_device *netdev, u16 reason,
19550 			       const u8 *ie, size_t ie_len, bool from_ap)
19551 {
19552 	struct sk_buff *msg;
19553 	void *hdr;
19554 
19555 	msg = nlmsg_new(100 + ie_len, GFP_KERNEL);
19556 	if (!msg)
19557 		return;
19558 
19559 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_DISCONNECT);
19560 	if (!hdr) {
19561 		nlmsg_free(msg);
19562 		return;
19563 	}
19564 
19565 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
19566 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
19567 	    (reason &&
19568 	     nla_put_u16(msg, NL80211_ATTR_REASON_CODE, reason)) ||
19569 	    (from_ap &&
19570 	     nla_put_flag(msg, NL80211_ATTR_DISCONNECTED_BY_AP)) ||
19571 	    (ie && nla_put(msg, NL80211_ATTR_IE, ie_len, ie)))
19572 		goto nla_put_failure;
19573 
19574 	genlmsg_end(msg, hdr);
19575 
19576 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
19577 				NL80211_MCGRP_MLME, GFP_KERNEL);
19578 	return;
19579 
19580  nla_put_failure:
19581 	nlmsg_free(msg);
19582 }
19583 
19584 void cfg80211_links_removed(struct net_device *dev, u16 link_mask)
19585 {
19586 	struct wireless_dev *wdev = dev->ieee80211_ptr;
19587 	struct wiphy *wiphy = wdev->wiphy;
19588 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
19589 	struct sk_buff *msg;
19590 	struct nlattr *links;
19591 	void *hdr;
19592 
19593 	lockdep_assert_wiphy(wdev->wiphy);
19594 	trace_cfg80211_links_removed(dev, link_mask);
19595 
19596 	if (WARN_ON(wdev->iftype != NL80211_IFTYPE_STATION &&
19597 		    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT))
19598 		return;
19599 
19600 	if (WARN_ON(!wdev->valid_links || !link_mask ||
19601 		    (wdev->valid_links & link_mask) != link_mask ||
19602 		    wdev->valid_links == link_mask))
19603 		return;
19604 
19605 	cfg80211_wdev_release_link_bsses(wdev, link_mask);
19606 	wdev->valid_links &= ~link_mask;
19607 
19608 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
19609 	if (!msg)
19610 		return;
19611 
19612 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_LINKS_REMOVED);
19613 	if (!hdr) {
19614 		nlmsg_free(msg);
19615 		return;
19616 	}
19617 
19618 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
19619 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
19620 		goto nla_put_failure;
19621 
19622 	links = nla_nest_start(msg, NL80211_ATTR_MLO_LINKS);
19623 	if (!links)
19624 		goto nla_put_failure;
19625 
19626 	while (link_mask) {
19627 		struct nlattr *link;
19628 		int link_id = __ffs(link_mask);
19629 
19630 		link = nla_nest_start(msg, link_id + 1);
19631 		if (!link)
19632 			goto nla_put_failure;
19633 
19634 		if (nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID, link_id))
19635 			goto nla_put_failure;
19636 
19637 		nla_nest_end(msg, link);
19638 		link_mask &= ~(1 << link_id);
19639 	}
19640 
19641 	nla_nest_end(msg, links);
19642 
19643 	genlmsg_end(msg, hdr);
19644 
19645 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
19646 				NL80211_MCGRP_MLME, GFP_KERNEL);
19647 	return;
19648 
19649  nla_put_failure:
19650 	nlmsg_free(msg);
19651 }
19652 EXPORT_SYMBOL(cfg80211_links_removed);
19653 
19654 void nl80211_mlo_reconf_add_done(struct net_device *dev,
19655 				 struct cfg80211_mlo_reconf_done_data *data)
19656 {
19657 	struct wireless_dev *wdev = dev->ieee80211_ptr;
19658 	struct wiphy *wiphy = wdev->wiphy;
19659 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
19660 	struct nl80211_mlme_event event = {
19661 		.cmd = NL80211_CMD_ASSOC_MLO_RECONF,
19662 		.buf = data->buf,
19663 		.buf_len = data->len,
19664 		.uapsd_queues = -1,
19665 	};
19666 
19667 	nl80211_send_mlme_event(rdev, dev, &event, GFP_KERNEL);
19668 }
19669 EXPORT_SYMBOL(nl80211_mlo_reconf_add_done);
19670 
19671 void nl80211_send_ibss_bssid(struct cfg80211_registered_device *rdev,
19672 			     struct net_device *netdev, const u8 *bssid,
19673 			     gfp_t gfp)
19674 {
19675 	struct sk_buff *msg;
19676 	void *hdr;
19677 
19678 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
19679 	if (!msg)
19680 		return;
19681 
19682 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_JOIN_IBSS);
19683 	if (!hdr) {
19684 		nlmsg_free(msg);
19685 		return;
19686 	}
19687 
19688 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
19689 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
19690 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, bssid))
19691 		goto nla_put_failure;
19692 
19693 	genlmsg_end(msg, hdr);
19694 
19695 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
19696 				NL80211_MCGRP_MLME, gfp);
19697 	return;
19698 
19699  nla_put_failure:
19700 	nlmsg_free(msg);
19701 }
19702 
19703 void cfg80211_notify_new_peer_candidate(struct net_device *dev, const u8 *addr,
19704 					const u8 *ie, u8 ie_len,
19705 					int sig_dbm, gfp_t gfp)
19706 {
19707 	struct wireless_dev *wdev = dev->ieee80211_ptr;
19708 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
19709 	struct sk_buff *msg;
19710 	void *hdr;
19711 
19712 	if (WARN_ON(wdev->iftype != NL80211_IFTYPE_MESH_POINT))
19713 		return;
19714 
19715 	trace_cfg80211_notify_new_peer_candidate(dev, addr);
19716 
19717 	msg = nlmsg_new(100 + ie_len, gfp);
19718 	if (!msg)
19719 		return;
19720 
19721 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_NEW_PEER_CANDIDATE);
19722 	if (!hdr) {
19723 		nlmsg_free(msg);
19724 		return;
19725 	}
19726 
19727 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
19728 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
19729 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr) ||
19730 	    (ie_len && ie &&
19731 	     nla_put(msg, NL80211_ATTR_IE, ie_len, ie)) ||
19732 	    (sig_dbm &&
19733 	     nla_put_u32(msg, NL80211_ATTR_RX_SIGNAL_DBM, sig_dbm)))
19734 		goto nla_put_failure;
19735 
19736 	genlmsg_end(msg, hdr);
19737 
19738 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
19739 				NL80211_MCGRP_MLME, gfp);
19740 	return;
19741 
19742  nla_put_failure:
19743 	nlmsg_free(msg);
19744 }
19745 EXPORT_SYMBOL(cfg80211_notify_new_peer_candidate);
19746 
19747 void nl80211_michael_mic_failure(struct cfg80211_registered_device *rdev,
19748 				 struct net_device *netdev, const u8 *addr,
19749 				 enum nl80211_key_type key_type, int key_id,
19750 				 const u8 *tsc, gfp_t gfp)
19751 {
19752 	struct sk_buff *msg;
19753 	void *hdr;
19754 
19755 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
19756 	if (!msg)
19757 		return;
19758 
19759 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_MICHAEL_MIC_FAILURE);
19760 	if (!hdr) {
19761 		nlmsg_free(msg);
19762 		return;
19763 	}
19764 
19765 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
19766 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
19767 	    (addr && nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr)) ||
19768 	    nla_put_u32(msg, NL80211_ATTR_KEY_TYPE, key_type) ||
19769 	    (key_id != -1 &&
19770 	     nla_put_u8(msg, NL80211_ATTR_KEY_IDX, key_id)) ||
19771 	    (tsc && nla_put(msg, NL80211_ATTR_KEY_SEQ, 6, tsc)))
19772 		goto nla_put_failure;
19773 
19774 	genlmsg_end(msg, hdr);
19775 
19776 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
19777 				NL80211_MCGRP_MLME, gfp);
19778 	return;
19779 
19780  nla_put_failure:
19781 	nlmsg_free(msg);
19782 }
19783 
19784 void nl80211_send_beacon_hint_event(struct wiphy *wiphy,
19785 				    struct ieee80211_channel *channel_before,
19786 				    struct ieee80211_channel *channel_after)
19787 {
19788 	struct sk_buff *msg;
19789 	void *hdr;
19790 	struct nlattr *nl_freq;
19791 
19792 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_ATOMIC);
19793 	if (!msg)
19794 		return;
19795 
19796 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_REG_BEACON_HINT);
19797 	if (!hdr) {
19798 		nlmsg_free(msg);
19799 		return;
19800 	}
19801 
19802 	/*
19803 	 * Since we are applying the beacon hint to a wiphy we know its
19804 	 * wiphy_idx is valid
19805 	 */
19806 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, get_wiphy_idx(wiphy)))
19807 		goto nla_put_failure;
19808 
19809 	/* Before */
19810 	nl_freq = nla_nest_start_noflag(msg, NL80211_ATTR_FREQ_BEFORE);
19811 	if (!nl_freq)
19812 		goto nla_put_failure;
19813 
19814 	if (nl80211_msg_put_channel(msg, wiphy, channel_before, false))
19815 		goto nla_put_failure;
19816 	nla_nest_end(msg, nl_freq);
19817 
19818 	/* After */
19819 	nl_freq = nla_nest_start_noflag(msg, NL80211_ATTR_FREQ_AFTER);
19820 	if (!nl_freq)
19821 		goto nla_put_failure;
19822 
19823 	if (nl80211_msg_put_channel(msg, wiphy, channel_after, false))
19824 		goto nla_put_failure;
19825 	nla_nest_end(msg, nl_freq);
19826 
19827 	genlmsg_end(msg, hdr);
19828 
19829 	genlmsg_multicast_allns(&nl80211_fam, msg, 0,
19830 				NL80211_MCGRP_REGULATORY);
19831 
19832 	return;
19833 
19834 nla_put_failure:
19835 	nlmsg_free(msg);
19836 }
19837 
19838 static void nl80211_send_remain_on_chan_event(
19839 	int cmd, struct cfg80211_registered_device *rdev,
19840 	struct wireless_dev *wdev, u64 cookie,
19841 	struct ieee80211_channel *chan,
19842 	unsigned int duration, gfp_t gfp)
19843 {
19844 	struct sk_buff *msg;
19845 	void *hdr;
19846 
19847 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
19848 	if (!msg)
19849 		return;
19850 
19851 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
19852 	if (!hdr) {
19853 		nlmsg_free(msg);
19854 		return;
19855 	}
19856 
19857 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
19858 	    (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
19859 					 wdev->netdev->ifindex)) ||
19860 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
19861 			      NL80211_ATTR_PAD) ||
19862 	    nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ, chan->center_freq) ||
19863 	    nla_put_u32(msg, NL80211_ATTR_WIPHY_CHANNEL_TYPE,
19864 			NL80211_CHAN_NO_HT) ||
19865 	    nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
19866 			      NL80211_ATTR_PAD))
19867 		goto nla_put_failure;
19868 
19869 	if (cmd == NL80211_CMD_REMAIN_ON_CHANNEL &&
19870 	    nla_put_u32(msg, NL80211_ATTR_DURATION, duration))
19871 		goto nla_put_failure;
19872 
19873 	genlmsg_end(msg, hdr);
19874 
19875 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
19876 				NL80211_MCGRP_MLME, gfp);
19877 	return;
19878 
19879  nla_put_failure:
19880 	nlmsg_free(msg);
19881 }
19882 
19883 void cfg80211_assoc_comeback(struct net_device *netdev,
19884 			     const u8 *ap_addr, u32 timeout)
19885 {
19886 	struct wireless_dev *wdev = netdev->ieee80211_ptr;
19887 	struct wiphy *wiphy = wdev->wiphy;
19888 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
19889 	struct sk_buff *msg;
19890 	void *hdr;
19891 
19892 	trace_cfg80211_assoc_comeback(wdev, ap_addr, timeout);
19893 
19894 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
19895 	if (!msg)
19896 		return;
19897 
19898 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_ASSOC_COMEBACK);
19899 	if (!hdr) {
19900 		nlmsg_free(msg);
19901 		return;
19902 	}
19903 
19904 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
19905 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
19906 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, ap_addr) ||
19907 	    nla_put_u32(msg, NL80211_ATTR_TIMEOUT, timeout))
19908 		goto nla_put_failure;
19909 
19910 	genlmsg_end(msg, hdr);
19911 
19912 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
19913 				NL80211_MCGRP_MLME, GFP_KERNEL);
19914 	return;
19915 
19916  nla_put_failure:
19917 	nlmsg_free(msg);
19918 }
19919 EXPORT_SYMBOL(cfg80211_assoc_comeback);
19920 
19921 void cfg80211_ready_on_channel(struct wireless_dev *wdev, u64 cookie,
19922 			       struct ieee80211_channel *chan,
19923 			       unsigned int duration, gfp_t gfp)
19924 {
19925 	struct wiphy *wiphy = wdev->wiphy;
19926 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
19927 
19928 	trace_cfg80211_ready_on_channel(wdev, cookie, chan, duration);
19929 	nl80211_send_remain_on_chan_event(NL80211_CMD_REMAIN_ON_CHANNEL,
19930 					  rdev, wdev, cookie, chan,
19931 					  duration, gfp);
19932 }
19933 EXPORT_SYMBOL(cfg80211_ready_on_channel);
19934 
19935 void cfg80211_remain_on_channel_expired(struct wireless_dev *wdev, u64 cookie,
19936 					struct ieee80211_channel *chan,
19937 					gfp_t gfp)
19938 {
19939 	struct wiphy *wiphy = wdev->wiphy;
19940 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
19941 
19942 	trace_cfg80211_ready_on_channel_expired(wdev, cookie, chan);
19943 	nl80211_send_remain_on_chan_event(NL80211_CMD_CANCEL_REMAIN_ON_CHANNEL,
19944 					  rdev, wdev, cookie, chan, 0, gfp);
19945 }
19946 EXPORT_SYMBOL(cfg80211_remain_on_channel_expired);
19947 
19948 void cfg80211_tx_mgmt_expired(struct wireless_dev *wdev, u64 cookie,
19949 					struct ieee80211_channel *chan,
19950 					gfp_t gfp)
19951 {
19952 	struct wiphy *wiphy = wdev->wiphy;
19953 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
19954 
19955 	trace_cfg80211_tx_mgmt_expired(wdev, cookie, chan);
19956 	nl80211_send_remain_on_chan_event(NL80211_CMD_FRAME_WAIT_CANCEL,
19957 					  rdev, wdev, cookie, chan, 0, gfp);
19958 }
19959 EXPORT_SYMBOL(cfg80211_tx_mgmt_expired);
19960 
19961 void cfg80211_new_sta(struct net_device *dev, const u8 *mac_addr,
19962 		      struct station_info *sinfo, gfp_t gfp)
19963 {
19964 	struct wiphy *wiphy = dev->ieee80211_ptr->wiphy;
19965 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
19966 	struct sk_buff *msg;
19967 
19968 	trace_cfg80211_new_sta(dev, mac_addr, sinfo);
19969 
19970 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
19971 	if (!msg)
19972 		return;
19973 
19974 	if (nl80211_send_station(msg, NL80211_CMD_NEW_STATION, 0, 0, 0,
19975 				 rdev, dev, mac_addr, sinfo) < 0) {
19976 		nlmsg_free(msg);
19977 		return;
19978 	}
19979 
19980 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
19981 				NL80211_MCGRP_MLME, gfp);
19982 }
19983 EXPORT_SYMBOL(cfg80211_new_sta);
19984 
19985 void cfg80211_del_sta_sinfo(struct net_device *dev, const u8 *mac_addr,
19986 			    struct station_info *sinfo, gfp_t gfp)
19987 {
19988 	struct wiphy *wiphy = dev->ieee80211_ptr->wiphy;
19989 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
19990 	struct sk_buff *msg;
19991 	struct station_info empty_sinfo = {};
19992 
19993 	if (!sinfo)
19994 		sinfo = &empty_sinfo;
19995 
19996 	trace_cfg80211_del_sta(dev, mac_addr);
19997 
19998 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
19999 	if (!msg) {
20000 		cfg80211_sinfo_release_content(sinfo);
20001 		return;
20002 	}
20003 
20004 	if (nl80211_send_station(msg, NL80211_CMD_DEL_STATION, 0, 0, 0,
20005 				 rdev, dev, mac_addr, sinfo) < 0) {
20006 		nlmsg_free(msg);
20007 		return;
20008 	}
20009 
20010 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
20011 				NL80211_MCGRP_MLME, gfp);
20012 }
20013 EXPORT_SYMBOL(cfg80211_del_sta_sinfo);
20014 
20015 void cfg80211_conn_failed(struct net_device *dev, const u8 *mac_addr,
20016 			  enum nl80211_connect_failed_reason reason,
20017 			  gfp_t gfp)
20018 {
20019 	struct wiphy *wiphy = dev->ieee80211_ptr->wiphy;
20020 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
20021 	struct sk_buff *msg;
20022 	void *hdr;
20023 
20024 	msg = nlmsg_new(NLMSG_GOODSIZE, gfp);
20025 	if (!msg)
20026 		return;
20027 
20028 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_CONN_FAILED);
20029 	if (!hdr) {
20030 		nlmsg_free(msg);
20031 		return;
20032 	}
20033 
20034 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
20035 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac_addr) ||
20036 	    nla_put_u32(msg, NL80211_ATTR_CONN_FAILED_REASON, reason))
20037 		goto nla_put_failure;
20038 
20039 	genlmsg_end(msg, hdr);
20040 
20041 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
20042 				NL80211_MCGRP_MLME, gfp);
20043 	return;
20044 
20045  nla_put_failure:
20046 	nlmsg_free(msg);
20047 }
20048 EXPORT_SYMBOL(cfg80211_conn_failed);
20049 
20050 static bool __nl80211_unexpected_frame(struct net_device *dev, u8 cmd,
20051 				       const u8 *addr, int link_id, gfp_t gfp)
20052 {
20053 	struct wireless_dev *wdev = dev->ieee80211_ptr;
20054 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
20055 	struct sk_buff *msg;
20056 	void *hdr;
20057 	u32 nlportid = READ_ONCE(wdev->ap_unexpected_nlportid);
20058 
20059 	if (!nlportid)
20060 		return false;
20061 
20062 	msg = nlmsg_new(100, gfp);
20063 	if (!msg)
20064 		return true;
20065 
20066 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
20067 	if (!hdr) {
20068 		nlmsg_free(msg);
20069 		return true;
20070 	}
20071 
20072 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
20073 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
20074 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr) ||
20075 	    (link_id >= 0 &&
20076 	     nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID, link_id)))
20077 		goto nla_put_failure;
20078 
20079 	genlmsg_end(msg, hdr);
20080 	genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, nlportid);
20081 	return true;
20082 
20083  nla_put_failure:
20084 	nlmsg_free(msg);
20085 	return true;
20086 }
20087 
20088 bool cfg80211_rx_spurious_frame(struct net_device *dev, const u8 *addr,
20089 				int link_id, gfp_t gfp)
20090 {
20091 	struct wireless_dev *wdev = dev->ieee80211_ptr;
20092 	bool ret;
20093 
20094 	trace_cfg80211_rx_spurious_frame(dev, addr, link_id);
20095 
20096 	if (WARN_ON(wdev->iftype != NL80211_IFTYPE_AP &&
20097 		    wdev->iftype != NL80211_IFTYPE_P2P_GO)) {
20098 		trace_cfg80211_return_bool(false);
20099 		return false;
20100 	}
20101 	ret = __nl80211_unexpected_frame(dev, NL80211_CMD_UNEXPECTED_FRAME,
20102 					 addr, link_id, gfp);
20103 	trace_cfg80211_return_bool(ret);
20104 	return ret;
20105 }
20106 EXPORT_SYMBOL(cfg80211_rx_spurious_frame);
20107 
20108 bool cfg80211_rx_unexpected_4addr_frame(struct net_device *dev, const u8 *addr,
20109 					int link_id, gfp_t gfp)
20110 {
20111 	struct wireless_dev *wdev = dev->ieee80211_ptr;
20112 	bool ret;
20113 
20114 	trace_cfg80211_rx_unexpected_4addr_frame(dev, addr, link_id);
20115 
20116 	if (WARN_ON(wdev->iftype != NL80211_IFTYPE_AP &&
20117 		    wdev->iftype != NL80211_IFTYPE_P2P_GO &&
20118 		    wdev->iftype != NL80211_IFTYPE_AP_VLAN)) {
20119 		trace_cfg80211_return_bool(false);
20120 		return false;
20121 	}
20122 	ret = __nl80211_unexpected_frame(dev,
20123 					 NL80211_CMD_UNEXPECTED_4ADDR_FRAME,
20124 					 addr, link_id, gfp);
20125 	trace_cfg80211_return_bool(ret);
20126 	return ret;
20127 }
20128 EXPORT_SYMBOL(cfg80211_rx_unexpected_4addr_frame);
20129 
20130 int nl80211_send_mgmt(struct cfg80211_registered_device *rdev,
20131 		      struct wireless_dev *wdev, u32 nlportid,
20132 		      struct cfg80211_rx_info *info, gfp_t gfp)
20133 {
20134 	struct net_device *netdev = wdev->netdev;
20135 	struct sk_buff *msg;
20136 	void *hdr;
20137 
20138 	msg = nlmsg_new(100 + info->len, gfp);
20139 	if (!msg)
20140 		return -ENOMEM;
20141 
20142 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_FRAME);
20143 	if (!hdr) {
20144 		nlmsg_free(msg);
20145 		return -ENOMEM;
20146 	}
20147 
20148 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
20149 	    (netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
20150 					netdev->ifindex)) ||
20151 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
20152 			      NL80211_ATTR_PAD) ||
20153 	    (info->have_link_id &&
20154 	     nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID, info->link_id)) ||
20155 	    nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ, KHZ_TO_MHZ(info->freq)) ||
20156 	    nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ_OFFSET, info->freq % 1000) ||
20157 	    (info->sig_dbm &&
20158 	     nla_put_u32(msg, NL80211_ATTR_RX_SIGNAL_DBM, info->sig_dbm)) ||
20159 	    nla_put(msg, NL80211_ATTR_FRAME, info->len, info->buf) ||
20160 	    (info->flags &&
20161 	     nla_put_u32(msg, NL80211_ATTR_RXMGMT_FLAGS, info->flags)) ||
20162 	    (info->rx_tstamp && nla_put_u64_64bit(msg,
20163 						  NL80211_ATTR_RX_HW_TIMESTAMP,
20164 						  info->rx_tstamp,
20165 						  NL80211_ATTR_PAD)) ||
20166 	    (info->ack_tstamp && nla_put_u64_64bit(msg,
20167 						   NL80211_ATTR_TX_HW_TIMESTAMP,
20168 						   info->ack_tstamp,
20169 						   NL80211_ATTR_PAD)))
20170 		goto nla_put_failure;
20171 
20172 	genlmsg_end(msg, hdr);
20173 
20174 	return genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, nlportid);
20175 
20176  nla_put_failure:
20177 	nlmsg_free(msg);
20178 	return -ENOBUFS;
20179 }
20180 
20181 static void nl80211_frame_tx_status(struct wireless_dev *wdev,
20182 				    struct cfg80211_tx_status *status,
20183 				    gfp_t gfp, enum nl80211_commands command)
20184 {
20185 	struct wiphy *wiphy = wdev->wiphy;
20186 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
20187 	struct net_device *netdev = wdev->netdev;
20188 	struct sk_buff *msg;
20189 	void *hdr;
20190 
20191 	if (command == NL80211_CMD_FRAME_TX_STATUS)
20192 		trace_cfg80211_mgmt_tx_status(wdev, status->cookie,
20193 					      status->ack);
20194 	else
20195 		trace_cfg80211_control_port_tx_status(wdev, status->cookie,
20196 						      status->ack);
20197 
20198 	msg = nlmsg_new(100 + status->len, gfp);
20199 	if (!msg)
20200 		return;
20201 
20202 	hdr = nl80211hdr_put(msg, 0, 0, 0, command);
20203 	if (!hdr) {
20204 		nlmsg_free(msg);
20205 		return;
20206 	}
20207 
20208 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
20209 	    (netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
20210 				   netdev->ifindex)) ||
20211 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
20212 			      NL80211_ATTR_PAD) ||
20213 	    nla_put(msg, NL80211_ATTR_FRAME, status->len, status->buf) ||
20214 	    nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, status->cookie,
20215 			      NL80211_ATTR_PAD) ||
20216 	    (status->ack && nla_put_flag(msg, NL80211_ATTR_ACK)) ||
20217 	    (status->tx_tstamp &&
20218 	     nla_put_u64_64bit(msg, NL80211_ATTR_TX_HW_TIMESTAMP,
20219 			       status->tx_tstamp, NL80211_ATTR_PAD)) ||
20220 	    (status->ack_tstamp &&
20221 	     nla_put_u64_64bit(msg, NL80211_ATTR_RX_HW_TIMESTAMP,
20222 			       status->ack_tstamp, NL80211_ATTR_PAD)))
20223 		goto nla_put_failure;
20224 
20225 	genlmsg_end(msg, hdr);
20226 
20227 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
20228 				NL80211_MCGRP_MLME, gfp);
20229 	return;
20230 
20231 nla_put_failure:
20232 	nlmsg_free(msg);
20233 }
20234 
20235 void cfg80211_control_port_tx_status(struct wireless_dev *wdev, u64 cookie,
20236 				     const u8 *buf, size_t len, bool ack,
20237 				     gfp_t gfp)
20238 {
20239 	struct cfg80211_tx_status status = {
20240 		.cookie = cookie,
20241 		.buf = buf,
20242 		.len = len,
20243 		.ack = ack
20244 	};
20245 
20246 	nl80211_frame_tx_status(wdev, &status, gfp,
20247 				NL80211_CMD_CONTROL_PORT_FRAME_TX_STATUS);
20248 }
20249 EXPORT_SYMBOL(cfg80211_control_port_tx_status);
20250 
20251 void cfg80211_mgmt_tx_status_ext(struct wireless_dev *wdev,
20252 				 struct cfg80211_tx_status *status, gfp_t gfp)
20253 {
20254 	nl80211_frame_tx_status(wdev, status, gfp, NL80211_CMD_FRAME_TX_STATUS);
20255 }
20256 EXPORT_SYMBOL(cfg80211_mgmt_tx_status_ext);
20257 
20258 static int __nl80211_rx_control_port(struct net_device *dev,
20259 				     struct sk_buff *skb,
20260 				     bool unencrypted,
20261 				     int link_id,
20262 				     gfp_t gfp)
20263 {
20264 	struct wireless_dev *wdev = dev->ieee80211_ptr;
20265 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
20266 	struct ethhdr *ehdr = eth_hdr(skb);
20267 	const u8 *addr = ehdr->h_source;
20268 	u16 proto = be16_to_cpu(skb->protocol);
20269 	struct sk_buff *msg;
20270 	void *hdr;
20271 	struct nlattr *frame;
20272 
20273 	u32 nlportid = READ_ONCE(wdev->conn_owner_nlportid);
20274 
20275 	if (!nlportid)
20276 		return -ENOENT;
20277 
20278 	msg = nlmsg_new(100 + skb->len, gfp);
20279 	if (!msg)
20280 		return -ENOMEM;
20281 
20282 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_CONTROL_PORT_FRAME);
20283 	if (!hdr) {
20284 		nlmsg_free(msg);
20285 		return -ENOBUFS;
20286 	}
20287 
20288 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
20289 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
20290 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
20291 			      NL80211_ATTR_PAD) ||
20292 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr) ||
20293 	    nla_put_u16(msg, NL80211_ATTR_CONTROL_PORT_ETHERTYPE, proto) ||
20294 	    (link_id >= 0 &&
20295 	     nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID, link_id)) ||
20296 	    (unencrypted && nla_put_flag(msg,
20297 					 NL80211_ATTR_CONTROL_PORT_NO_ENCRYPT)))
20298 		goto nla_put_failure;
20299 
20300 	frame = nla_reserve(msg, NL80211_ATTR_FRAME, skb->len);
20301 	if (!frame)
20302 		goto nla_put_failure;
20303 
20304 	skb_copy_bits(skb, 0, nla_data(frame), skb->len);
20305 	genlmsg_end(msg, hdr);
20306 
20307 	return genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, nlportid);
20308 
20309  nla_put_failure:
20310 	nlmsg_free(msg);
20311 	return -ENOBUFS;
20312 }
20313 
20314 bool cfg80211_rx_control_port(struct net_device *dev, struct sk_buff *skb,
20315 			      bool unencrypted, int link_id)
20316 {
20317 	int ret;
20318 
20319 	trace_cfg80211_rx_control_port(dev, skb, unencrypted, link_id);
20320 	ret = __nl80211_rx_control_port(dev, skb, unencrypted, link_id,
20321 					GFP_ATOMIC);
20322 	trace_cfg80211_return_bool(ret == 0);
20323 	return ret == 0;
20324 }
20325 EXPORT_SYMBOL(cfg80211_rx_control_port);
20326 
20327 static struct sk_buff *cfg80211_prepare_cqm(struct net_device *dev,
20328 					    const char *mac, gfp_t gfp)
20329 {
20330 	struct wireless_dev *wdev = dev->ieee80211_ptr;
20331 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
20332 	struct sk_buff *msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
20333 	void **cb;
20334 
20335 	if (!msg)
20336 		return NULL;
20337 
20338 	cb = (void **)msg->cb;
20339 
20340 	cb[0] = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_NOTIFY_CQM);
20341 	if (!cb[0]) {
20342 		nlmsg_free(msg);
20343 		return NULL;
20344 	}
20345 
20346 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
20347 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
20348 		goto nla_put_failure;
20349 
20350 	if (mac && nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac))
20351 		goto nla_put_failure;
20352 
20353 	cb[1] = nla_nest_start_noflag(msg, NL80211_ATTR_CQM);
20354 	if (!cb[1])
20355 		goto nla_put_failure;
20356 
20357 	cb[2] = rdev;
20358 
20359 	return msg;
20360  nla_put_failure:
20361 	nlmsg_free(msg);
20362 	return NULL;
20363 }
20364 
20365 static void cfg80211_send_cqm(struct sk_buff *msg, gfp_t gfp)
20366 {
20367 	void **cb = (void **)msg->cb;
20368 	struct cfg80211_registered_device *rdev = cb[2];
20369 
20370 	nla_nest_end(msg, cb[1]);
20371 	genlmsg_end(msg, cb[0]);
20372 
20373 	memset(msg->cb, 0, sizeof(msg->cb));
20374 
20375 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
20376 				NL80211_MCGRP_MLME, gfp);
20377 }
20378 
20379 void cfg80211_cqm_rssi_notify(struct net_device *dev,
20380 			      enum nl80211_cqm_rssi_threshold_event rssi_event,
20381 			      s32 rssi_level, gfp_t gfp)
20382 {
20383 	struct wireless_dev *wdev = dev->ieee80211_ptr;
20384 	struct cfg80211_cqm_config *cqm_config;
20385 
20386 	trace_cfg80211_cqm_rssi_notify(dev, rssi_event, rssi_level);
20387 
20388 	if (WARN_ON(rssi_event != NL80211_CQM_RSSI_THRESHOLD_EVENT_LOW &&
20389 		    rssi_event != NL80211_CQM_RSSI_THRESHOLD_EVENT_HIGH))
20390 		return;
20391 
20392 	rcu_read_lock();
20393 	cqm_config = rcu_dereference(wdev->cqm_config);
20394 	if (cqm_config) {
20395 		cqm_config->last_rssi_event_value = rssi_level;
20396 		cqm_config->last_rssi_event_type = rssi_event;
20397 		wiphy_work_queue(wdev->wiphy, &wdev->cqm_rssi_work);
20398 	}
20399 	rcu_read_unlock();
20400 }
20401 EXPORT_SYMBOL(cfg80211_cqm_rssi_notify);
20402 
20403 void cfg80211_cqm_rssi_notify_work(struct wiphy *wiphy, struct wiphy_work *work)
20404 {
20405 	struct wireless_dev *wdev = container_of(work, struct wireless_dev,
20406 						 cqm_rssi_work);
20407 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
20408 	enum nl80211_cqm_rssi_threshold_event rssi_event;
20409 	struct cfg80211_cqm_config *cqm_config;
20410 	struct sk_buff *msg;
20411 	s32 rssi_level;
20412 
20413 	cqm_config = wiphy_dereference(wdev->wiphy, wdev->cqm_config);
20414 	if (!cqm_config)
20415 		return;
20416 
20417 	if (cqm_config->use_range_api)
20418 		cfg80211_cqm_rssi_update(rdev, wdev->netdev, cqm_config);
20419 
20420 	rssi_level = cqm_config->last_rssi_event_value;
20421 	rssi_event = cqm_config->last_rssi_event_type;
20422 
20423 	msg = cfg80211_prepare_cqm(wdev->netdev, NULL, GFP_KERNEL);
20424 	if (!msg)
20425 		return;
20426 
20427 	if (nla_put_u32(msg, NL80211_ATTR_CQM_RSSI_THRESHOLD_EVENT,
20428 			rssi_event))
20429 		goto nla_put_failure;
20430 
20431 	if (rssi_level && nla_put_s32(msg, NL80211_ATTR_CQM_RSSI_LEVEL,
20432 				      rssi_level))
20433 		goto nla_put_failure;
20434 
20435 	cfg80211_send_cqm(msg, GFP_KERNEL);
20436 
20437 	return;
20438 
20439  nla_put_failure:
20440 	nlmsg_free(msg);
20441 }
20442 
20443 void cfg80211_cqm_txe_notify(struct net_device *dev,
20444 			     const u8 *peer, u32 num_packets,
20445 			     u32 rate, u32 intvl, gfp_t gfp)
20446 {
20447 	struct sk_buff *msg;
20448 
20449 	msg = cfg80211_prepare_cqm(dev, peer, gfp);
20450 	if (!msg)
20451 		return;
20452 
20453 	if (nla_put_u32(msg, NL80211_ATTR_CQM_TXE_PKTS, num_packets))
20454 		goto nla_put_failure;
20455 
20456 	if (nla_put_u32(msg, NL80211_ATTR_CQM_TXE_RATE, rate))
20457 		goto nla_put_failure;
20458 
20459 	if (nla_put_u32(msg, NL80211_ATTR_CQM_TXE_INTVL, intvl))
20460 		goto nla_put_failure;
20461 
20462 	cfg80211_send_cqm(msg, gfp);
20463 	return;
20464 
20465  nla_put_failure:
20466 	nlmsg_free(msg);
20467 }
20468 EXPORT_SYMBOL(cfg80211_cqm_txe_notify);
20469 
20470 void cfg80211_cqm_pktloss_notify(struct net_device *dev,
20471 				 const u8 *peer, u32 num_packets, gfp_t gfp)
20472 {
20473 	struct sk_buff *msg;
20474 
20475 	trace_cfg80211_cqm_pktloss_notify(dev, peer, num_packets);
20476 
20477 	msg = cfg80211_prepare_cqm(dev, peer, gfp);
20478 	if (!msg)
20479 		return;
20480 
20481 	if (nla_put_u32(msg, NL80211_ATTR_CQM_PKT_LOSS_EVENT, num_packets))
20482 		goto nla_put_failure;
20483 
20484 	cfg80211_send_cqm(msg, gfp);
20485 	return;
20486 
20487  nla_put_failure:
20488 	nlmsg_free(msg);
20489 }
20490 EXPORT_SYMBOL(cfg80211_cqm_pktloss_notify);
20491 
20492 void cfg80211_cqm_beacon_loss_notify(struct net_device *dev, gfp_t gfp)
20493 {
20494 	struct sk_buff *msg;
20495 
20496 	msg = cfg80211_prepare_cqm(dev, NULL, gfp);
20497 	if (!msg)
20498 		return;
20499 
20500 	if (nla_put_flag(msg, NL80211_ATTR_CQM_BEACON_LOSS_EVENT))
20501 		goto nla_put_failure;
20502 
20503 	cfg80211_send_cqm(msg, gfp);
20504 	return;
20505 
20506  nla_put_failure:
20507 	nlmsg_free(msg);
20508 }
20509 EXPORT_SYMBOL(cfg80211_cqm_beacon_loss_notify);
20510 
20511 static void nl80211_gtk_rekey_notify(struct cfg80211_registered_device *rdev,
20512 				     struct net_device *netdev, const u8 *bssid,
20513 				     const u8 *replay_ctr, gfp_t gfp)
20514 {
20515 	struct sk_buff *msg;
20516 	struct nlattr *rekey_attr;
20517 	void *hdr;
20518 
20519 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
20520 	if (!msg)
20521 		return;
20522 
20523 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_SET_REKEY_OFFLOAD);
20524 	if (!hdr) {
20525 		nlmsg_free(msg);
20526 		return;
20527 	}
20528 
20529 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
20530 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
20531 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, bssid))
20532 		goto nla_put_failure;
20533 
20534 	rekey_attr = nla_nest_start_noflag(msg, NL80211_ATTR_REKEY_DATA);
20535 	if (!rekey_attr)
20536 		goto nla_put_failure;
20537 
20538 	if (nla_put(msg, NL80211_REKEY_DATA_REPLAY_CTR,
20539 		    NL80211_REPLAY_CTR_LEN, replay_ctr))
20540 		goto nla_put_failure;
20541 
20542 	nla_nest_end(msg, rekey_attr);
20543 
20544 	genlmsg_end(msg, hdr);
20545 
20546 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
20547 				NL80211_MCGRP_MLME, gfp);
20548 	return;
20549 
20550  nla_put_failure:
20551 	nlmsg_free(msg);
20552 }
20553 
20554 void cfg80211_gtk_rekey_notify(struct net_device *dev, const u8 *bssid,
20555 			       const u8 *replay_ctr, gfp_t gfp)
20556 {
20557 	struct wireless_dev *wdev = dev->ieee80211_ptr;
20558 	struct wiphy *wiphy = wdev->wiphy;
20559 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
20560 
20561 	trace_cfg80211_gtk_rekey_notify(dev, bssid);
20562 	nl80211_gtk_rekey_notify(rdev, dev, bssid, replay_ctr, gfp);
20563 }
20564 EXPORT_SYMBOL(cfg80211_gtk_rekey_notify);
20565 
20566 static void
20567 nl80211_pmksa_candidate_notify(struct cfg80211_registered_device *rdev,
20568 			       struct net_device *netdev, int index,
20569 			       const u8 *bssid, bool preauth, gfp_t gfp)
20570 {
20571 	struct sk_buff *msg;
20572 	struct nlattr *attr;
20573 	void *hdr;
20574 
20575 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
20576 	if (!msg)
20577 		return;
20578 
20579 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_PMKSA_CANDIDATE);
20580 	if (!hdr) {
20581 		nlmsg_free(msg);
20582 		return;
20583 	}
20584 
20585 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
20586 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex))
20587 		goto nla_put_failure;
20588 
20589 	attr = nla_nest_start_noflag(msg, NL80211_ATTR_PMKSA_CANDIDATE);
20590 	if (!attr)
20591 		goto nla_put_failure;
20592 
20593 	if (nla_put_u32(msg, NL80211_PMKSA_CANDIDATE_INDEX, index) ||
20594 	    nla_put(msg, NL80211_PMKSA_CANDIDATE_BSSID, ETH_ALEN, bssid) ||
20595 	    (preauth &&
20596 	     nla_put_flag(msg, NL80211_PMKSA_CANDIDATE_PREAUTH)))
20597 		goto nla_put_failure;
20598 
20599 	nla_nest_end(msg, attr);
20600 
20601 	genlmsg_end(msg, hdr);
20602 
20603 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
20604 				NL80211_MCGRP_MLME, gfp);
20605 	return;
20606 
20607  nla_put_failure:
20608 	nlmsg_free(msg);
20609 }
20610 
20611 void cfg80211_pmksa_candidate_notify(struct net_device *dev, int index,
20612 				     const u8 *bssid, bool preauth, gfp_t gfp)
20613 {
20614 	struct wireless_dev *wdev = dev->ieee80211_ptr;
20615 	struct wiphy *wiphy = wdev->wiphy;
20616 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
20617 
20618 	trace_cfg80211_pmksa_candidate_notify(dev, index, bssid, preauth);
20619 	nl80211_pmksa_candidate_notify(rdev, dev, index, bssid, preauth, gfp);
20620 }
20621 EXPORT_SYMBOL(cfg80211_pmksa_candidate_notify);
20622 
20623 static void nl80211_ch_switch_notify(struct cfg80211_registered_device *rdev,
20624 				     struct net_device *netdev,
20625 				     unsigned int link_id,
20626 				     struct cfg80211_chan_def *chandef,
20627 				     gfp_t gfp,
20628 				     enum nl80211_commands notif,
20629 				     u8 count, bool quiet)
20630 {
20631 	struct wireless_dev *wdev = netdev->ieee80211_ptr;
20632 	struct sk_buff *msg;
20633 	void *hdr;
20634 
20635 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
20636 	if (!msg)
20637 		return;
20638 
20639 	hdr = nl80211hdr_put(msg, 0, 0, 0, notif);
20640 	if (!hdr) {
20641 		nlmsg_free(msg);
20642 		return;
20643 	}
20644 
20645 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex))
20646 		goto nla_put_failure;
20647 
20648 	if (wdev->valid_links &&
20649 	    nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID, link_id))
20650 		goto nla_put_failure;
20651 
20652 	if (nl80211_send_chandef(msg, chandef))
20653 		goto nla_put_failure;
20654 
20655 	if (notif == NL80211_CMD_CH_SWITCH_STARTED_NOTIFY) {
20656 		if (nla_put_u32(msg, NL80211_ATTR_CH_SWITCH_COUNT, count))
20657 			goto nla_put_failure;
20658 		if (quiet &&
20659 		    nla_put_flag(msg, NL80211_ATTR_CH_SWITCH_BLOCK_TX))
20660 			goto nla_put_failure;
20661 	}
20662 
20663 	genlmsg_end(msg, hdr);
20664 
20665 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
20666 				NL80211_MCGRP_MLME, gfp);
20667 	return;
20668 
20669  nla_put_failure:
20670 	nlmsg_free(msg);
20671 }
20672 
20673 void cfg80211_ch_switch_notify(struct net_device *dev,
20674 			       struct cfg80211_chan_def *chandef,
20675 			       unsigned int link_id)
20676 {
20677 	struct wireless_dev *wdev = dev->ieee80211_ptr;
20678 	struct wiphy *wiphy = wdev->wiphy;
20679 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
20680 
20681 	lockdep_assert_wiphy(wdev->wiphy);
20682 	WARN_INVALID_LINK_ID(wdev, link_id);
20683 
20684 	trace_cfg80211_ch_switch_notify(dev, chandef, link_id);
20685 
20686 	switch (wdev->iftype) {
20687 	case NL80211_IFTYPE_STATION:
20688 	case NL80211_IFTYPE_P2P_CLIENT:
20689 		if (!WARN_ON(!wdev->links[link_id].client.current_bss))
20690 			cfg80211_update_assoc_bss_entry(wdev, link_id,
20691 							chandef->chan);
20692 		break;
20693 	case NL80211_IFTYPE_MESH_POINT:
20694 		wdev->u.mesh.chandef = *chandef;
20695 		wdev->u.mesh.preset_chandef = *chandef;
20696 		break;
20697 	case NL80211_IFTYPE_AP:
20698 	case NL80211_IFTYPE_P2P_GO:
20699 		wdev->links[link_id].ap.chandef = *chandef;
20700 		break;
20701 	case NL80211_IFTYPE_ADHOC:
20702 		wdev->u.ibss.chandef = *chandef;
20703 		break;
20704 	default:
20705 		WARN_ON(1);
20706 		break;
20707 	}
20708 
20709 	cfg80211_schedule_channels_check(wdev);
20710 	cfg80211_sched_dfs_chan_update(rdev);
20711 
20712 	nl80211_ch_switch_notify(rdev, dev, link_id, chandef, GFP_KERNEL,
20713 				 NL80211_CMD_CH_SWITCH_NOTIFY, 0, false);
20714 }
20715 EXPORT_SYMBOL(cfg80211_ch_switch_notify);
20716 
20717 void cfg80211_ch_switch_started_notify(struct net_device *dev,
20718 				       struct cfg80211_chan_def *chandef,
20719 				       unsigned int link_id, u8 count,
20720 				       bool quiet)
20721 {
20722 	struct wireless_dev *wdev = dev->ieee80211_ptr;
20723 	struct wiphy *wiphy = wdev->wiphy;
20724 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
20725 
20726 	lockdep_assert_wiphy(wdev->wiphy);
20727 	WARN_INVALID_LINK_ID(wdev, link_id);
20728 
20729 	trace_cfg80211_ch_switch_started_notify(dev, chandef, link_id);
20730 
20731 
20732 	nl80211_ch_switch_notify(rdev, dev, link_id, chandef, GFP_KERNEL,
20733 				 NL80211_CMD_CH_SWITCH_STARTED_NOTIFY,
20734 				 count, quiet);
20735 }
20736 EXPORT_SYMBOL(cfg80211_ch_switch_started_notify);
20737 
20738 int cfg80211_bss_color_notify(struct net_device *dev,
20739 			      enum nl80211_commands cmd, u8 count,
20740 			      u64 color_bitmap, u8 link_id)
20741 {
20742 	struct wireless_dev *wdev = dev->ieee80211_ptr;
20743 	struct wiphy *wiphy = wdev->wiphy;
20744 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
20745 	struct sk_buff *msg;
20746 	void *hdr;
20747 
20748 	lockdep_assert_wiphy(wdev->wiphy);
20749 
20750 	trace_cfg80211_bss_color_notify(dev, cmd, count, color_bitmap);
20751 
20752 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
20753 	if (!msg)
20754 		return -ENOMEM;
20755 
20756 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
20757 	if (!hdr)
20758 		goto nla_put_failure;
20759 
20760 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
20761 		goto nla_put_failure;
20762 
20763 	if (wdev->valid_links &&
20764 	    nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID, link_id))
20765 		goto nla_put_failure;
20766 
20767 	if (cmd == NL80211_CMD_COLOR_CHANGE_STARTED &&
20768 	    nla_put_u32(msg, NL80211_ATTR_COLOR_CHANGE_COUNT, count))
20769 		goto nla_put_failure;
20770 
20771 	if (cmd == NL80211_CMD_OBSS_COLOR_COLLISION &&
20772 	    nla_put_u64_64bit(msg, NL80211_ATTR_OBSS_COLOR_BITMAP,
20773 			      color_bitmap, NL80211_ATTR_PAD))
20774 		goto nla_put_failure;
20775 
20776 	genlmsg_end(msg, hdr);
20777 
20778 	return genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy),
20779 				       msg, 0, NL80211_MCGRP_MLME, GFP_KERNEL);
20780 
20781 nla_put_failure:
20782 	nlmsg_free(msg);
20783 	return -EINVAL;
20784 }
20785 EXPORT_SYMBOL(cfg80211_bss_color_notify);
20786 
20787 void
20788 nl80211_radar_notify(struct cfg80211_registered_device *rdev,
20789 		     const struct cfg80211_chan_def *chandef,
20790 		     enum nl80211_radar_event event,
20791 		     struct net_device *netdev, gfp_t gfp)
20792 {
20793 	struct sk_buff *msg;
20794 	void *hdr;
20795 
20796 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
20797 	if (!msg)
20798 		return;
20799 
20800 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_RADAR_DETECT);
20801 	if (!hdr) {
20802 		nlmsg_free(msg);
20803 		return;
20804 	}
20805 
20806 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx))
20807 		goto nla_put_failure;
20808 
20809 	/* NOP and radar events don't need a netdev parameter */
20810 	if (netdev) {
20811 		struct wireless_dev *wdev = netdev->ieee80211_ptr;
20812 
20813 		if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
20814 		    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
20815 				      NL80211_ATTR_PAD))
20816 			goto nla_put_failure;
20817 	}
20818 
20819 	if (nla_put_u32(msg, NL80211_ATTR_RADAR_EVENT, event))
20820 		goto nla_put_failure;
20821 
20822 	if (nl80211_send_chandef(msg, chandef))
20823 		goto nla_put_failure;
20824 
20825 	genlmsg_end(msg, hdr);
20826 
20827 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
20828 				NL80211_MCGRP_MLME, gfp);
20829 	return;
20830 
20831  nla_put_failure:
20832 	nlmsg_free(msg);
20833 }
20834 
20835 void cfg80211_sta_opmode_change_notify(struct net_device *dev, const u8 *mac,
20836 				       struct sta_opmode_info *sta_opmode,
20837 				       gfp_t gfp)
20838 {
20839 	struct sk_buff *msg;
20840 	struct wireless_dev *wdev = dev->ieee80211_ptr;
20841 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
20842 	void *hdr;
20843 
20844 	if (WARN_ON(!mac))
20845 		return;
20846 
20847 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
20848 	if (!msg)
20849 		return;
20850 
20851 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_STA_OPMODE_CHANGED);
20852 	if (!hdr) {
20853 		nlmsg_free(msg);
20854 		return;
20855 	}
20856 
20857 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx))
20858 		goto nla_put_failure;
20859 
20860 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
20861 		goto nla_put_failure;
20862 
20863 	if (nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac))
20864 		goto nla_put_failure;
20865 
20866 	if ((sta_opmode->changed & STA_OPMODE_SMPS_MODE_CHANGED) &&
20867 	    nla_put_u8(msg, NL80211_ATTR_SMPS_MODE, sta_opmode->smps_mode))
20868 		goto nla_put_failure;
20869 
20870 	if ((sta_opmode->changed & STA_OPMODE_MAX_BW_CHANGED) &&
20871 	    nla_put_u32(msg, NL80211_ATTR_CHANNEL_WIDTH, sta_opmode->bw))
20872 		goto nla_put_failure;
20873 
20874 	if ((sta_opmode->changed & STA_OPMODE_N_SS_CHANGED) &&
20875 	    nla_put_u8(msg, NL80211_ATTR_NSS, sta_opmode->rx_nss))
20876 		goto nla_put_failure;
20877 
20878 	genlmsg_end(msg, hdr);
20879 
20880 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
20881 				NL80211_MCGRP_MLME, gfp);
20882 
20883 	return;
20884 
20885 nla_put_failure:
20886 	nlmsg_free(msg);
20887 }
20888 EXPORT_SYMBOL(cfg80211_sta_opmode_change_notify);
20889 
20890 void cfg80211_probe_status(struct net_device *dev, const u8 *addr,
20891 			   u64 cookie, bool acked, s32 ack_signal,
20892 			   bool is_valid_ack_signal, gfp_t gfp)
20893 {
20894 	struct wireless_dev *wdev = dev->ieee80211_ptr;
20895 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
20896 	struct sk_buff *msg;
20897 	void *hdr;
20898 
20899 	trace_cfg80211_probe_status(dev, addr, cookie, acked);
20900 
20901 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
20902 
20903 	if (!msg)
20904 		return;
20905 
20906 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_PROBE_CLIENT);
20907 	if (!hdr) {
20908 		nlmsg_free(msg);
20909 		return;
20910 	}
20911 
20912 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
20913 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
20914 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr) ||
20915 	    nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
20916 			      NL80211_ATTR_PAD) ||
20917 	    (acked && nla_put_flag(msg, NL80211_ATTR_ACK)) ||
20918 	    (is_valid_ack_signal && nla_put_s32(msg, NL80211_ATTR_ACK_SIGNAL,
20919 						ack_signal)))
20920 		goto nla_put_failure;
20921 
20922 	genlmsg_end(msg, hdr);
20923 
20924 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
20925 				NL80211_MCGRP_MLME, gfp);
20926 	return;
20927 
20928  nla_put_failure:
20929 	nlmsg_free(msg);
20930 }
20931 EXPORT_SYMBOL(cfg80211_probe_status);
20932 
20933 void cfg80211_report_obss_beacon_khz(struct wiphy *wiphy, const u8 *frame,
20934 				     size_t len, int freq, int sig_dbm)
20935 {
20936 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
20937 	struct sk_buff *msg;
20938 	void *hdr;
20939 	struct cfg80211_beacon_registration *reg;
20940 
20941 	trace_cfg80211_report_obss_beacon(wiphy, frame, len, freq, sig_dbm);
20942 
20943 	spin_lock_bh(&rdev->beacon_registrations_lock);
20944 	list_for_each_entry(reg, &rdev->beacon_registrations, list) {
20945 		msg = nlmsg_new(len + 100, GFP_ATOMIC);
20946 		if (!msg) {
20947 			spin_unlock_bh(&rdev->beacon_registrations_lock);
20948 			return;
20949 		}
20950 
20951 		hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_FRAME);
20952 		if (!hdr)
20953 			goto nla_put_failure;
20954 
20955 		if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
20956 		    (freq &&
20957 		     (nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ,
20958 				  KHZ_TO_MHZ(freq)) ||
20959 		      nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ_OFFSET,
20960 				  freq % 1000))) ||
20961 		    (sig_dbm &&
20962 		     nla_put_u32(msg, NL80211_ATTR_RX_SIGNAL_DBM, sig_dbm)) ||
20963 		    nla_put(msg, NL80211_ATTR_FRAME, len, frame))
20964 			goto nla_put_failure;
20965 
20966 		genlmsg_end(msg, hdr);
20967 
20968 		genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, reg->nlportid);
20969 	}
20970 	spin_unlock_bh(&rdev->beacon_registrations_lock);
20971 	return;
20972 
20973  nla_put_failure:
20974 	spin_unlock_bh(&rdev->beacon_registrations_lock);
20975 	nlmsg_free(msg);
20976 }
20977 EXPORT_SYMBOL(cfg80211_report_obss_beacon_khz);
20978 
20979 #ifdef CONFIG_PM
20980 static int cfg80211_net_detect_results(struct sk_buff *msg,
20981 				       struct cfg80211_wowlan_wakeup *wakeup)
20982 {
20983 	struct cfg80211_wowlan_nd_info *nd = wakeup->net_detect;
20984 	struct nlattr *nl_results, *nl_match, *nl_freqs;
20985 	int i, j;
20986 
20987 	nl_results = nla_nest_start_noflag(msg,
20988 					   NL80211_WOWLAN_TRIG_NET_DETECT_RESULTS);
20989 	if (!nl_results)
20990 		return -EMSGSIZE;
20991 
20992 	for (i = 0; i < nd->n_matches; i++) {
20993 		struct cfg80211_wowlan_nd_match *match = nd->matches[i];
20994 
20995 		nl_match = nla_nest_start_noflag(msg, i);
20996 		if (!nl_match)
20997 			break;
20998 
20999 		/* The SSID attribute is optional in nl80211, but for
21000 		 * simplicity reasons it's always present in the
21001 		 * cfg80211 structure.  If a driver can't pass the
21002 		 * SSID, that needs to be changed.  A zero length SSID
21003 		 * is still a valid SSID (wildcard), so it cannot be
21004 		 * used for this purpose.
21005 		 */
21006 		if (nla_put(msg, NL80211_ATTR_SSID, match->ssid.ssid_len,
21007 			    match->ssid.ssid)) {
21008 			nla_nest_cancel(msg, nl_match);
21009 			goto out;
21010 		}
21011 
21012 		if (match->n_channels) {
21013 			nl_freqs = nla_nest_start_noflag(msg,
21014 							 NL80211_ATTR_SCAN_FREQUENCIES);
21015 			if (!nl_freqs) {
21016 				nla_nest_cancel(msg, nl_match);
21017 				goto out;
21018 			}
21019 
21020 			for (j = 0; j < match->n_channels; j++) {
21021 				if (nla_put_u32(msg, j, match->channels[j])) {
21022 					nla_nest_cancel(msg, nl_freqs);
21023 					nla_nest_cancel(msg, nl_match);
21024 					goto out;
21025 				}
21026 			}
21027 
21028 			nla_nest_end(msg, nl_freqs);
21029 		}
21030 
21031 		nla_nest_end(msg, nl_match);
21032 	}
21033 
21034 out:
21035 	nla_nest_end(msg, nl_results);
21036 	return 0;
21037 }
21038 
21039 void cfg80211_report_wowlan_wakeup(struct wireless_dev *wdev,
21040 				   struct cfg80211_wowlan_wakeup *wakeup,
21041 				   gfp_t gfp)
21042 {
21043 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
21044 	struct sk_buff *msg;
21045 	void *hdr;
21046 	int size = 200;
21047 
21048 	trace_cfg80211_report_wowlan_wakeup(wdev->wiphy, wdev, wakeup);
21049 
21050 	if (wakeup)
21051 		size += wakeup->packet_present_len;
21052 
21053 	msg = nlmsg_new(size, gfp);
21054 	if (!msg)
21055 		return;
21056 
21057 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_SET_WOWLAN);
21058 	if (!hdr)
21059 		goto free_msg;
21060 
21061 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
21062 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
21063 			      NL80211_ATTR_PAD))
21064 		goto free_msg;
21065 
21066 	if (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
21067 					wdev->netdev->ifindex))
21068 		goto free_msg;
21069 
21070 	if (wakeup) {
21071 		struct nlattr *reasons;
21072 
21073 		reasons = nla_nest_start_noflag(msg,
21074 						NL80211_ATTR_WOWLAN_TRIGGERS);
21075 		if (!reasons)
21076 			goto free_msg;
21077 
21078 		if (wakeup->disconnect &&
21079 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_DISCONNECT))
21080 			goto free_msg;
21081 		if (wakeup->magic_pkt &&
21082 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_MAGIC_PKT))
21083 			goto free_msg;
21084 		if (wakeup->gtk_rekey_failure &&
21085 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE))
21086 			goto free_msg;
21087 		if (wakeup->eap_identity_req &&
21088 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST))
21089 			goto free_msg;
21090 		if (wakeup->four_way_handshake &&
21091 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE))
21092 			goto free_msg;
21093 		if (wakeup->rfkill_release &&
21094 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_RFKILL_RELEASE))
21095 			goto free_msg;
21096 
21097 		if (wakeup->pattern_idx >= 0 &&
21098 		    nla_put_u32(msg, NL80211_WOWLAN_TRIG_PKT_PATTERN,
21099 				wakeup->pattern_idx))
21100 			goto free_msg;
21101 
21102 		if (wakeup->tcp_match &&
21103 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_WAKEUP_TCP_MATCH))
21104 			goto free_msg;
21105 
21106 		if (wakeup->tcp_connlost &&
21107 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_WAKEUP_TCP_CONNLOST))
21108 			goto free_msg;
21109 
21110 		if (wakeup->tcp_nomoretokens &&
21111 		    nla_put_flag(msg,
21112 				 NL80211_WOWLAN_TRIG_WAKEUP_TCP_NOMORETOKENS))
21113 			goto free_msg;
21114 
21115 		if (wakeup->unprot_deauth_disassoc &&
21116 		    nla_put_flag(msg,
21117 				 NL80211_WOWLAN_TRIG_UNPROTECTED_DEAUTH_DISASSOC))
21118 			goto free_msg;
21119 
21120 		if (wakeup->packet) {
21121 			u32 pkt_attr = NL80211_WOWLAN_TRIG_WAKEUP_PKT_80211;
21122 			u32 len_attr = NL80211_WOWLAN_TRIG_WAKEUP_PKT_80211_LEN;
21123 
21124 			if (!wakeup->packet_80211) {
21125 				pkt_attr =
21126 					NL80211_WOWLAN_TRIG_WAKEUP_PKT_8023;
21127 				len_attr =
21128 					NL80211_WOWLAN_TRIG_WAKEUP_PKT_8023_LEN;
21129 			}
21130 
21131 			if (wakeup->packet_len &&
21132 			    nla_put_u32(msg, len_attr, wakeup->packet_len))
21133 				goto free_msg;
21134 
21135 			if (nla_put(msg, pkt_attr, wakeup->packet_present_len,
21136 				    wakeup->packet))
21137 				goto free_msg;
21138 		}
21139 
21140 		if (wakeup->net_detect &&
21141 		    cfg80211_net_detect_results(msg, wakeup))
21142 				goto free_msg;
21143 
21144 		nla_nest_end(msg, reasons);
21145 	}
21146 
21147 	genlmsg_end(msg, hdr);
21148 
21149 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
21150 				NL80211_MCGRP_MLME, gfp);
21151 	return;
21152 
21153  free_msg:
21154 	nlmsg_free(msg);
21155 }
21156 EXPORT_SYMBOL(cfg80211_report_wowlan_wakeup);
21157 #endif
21158 
21159 void cfg80211_tdls_oper_request(struct net_device *dev, const u8 *peer,
21160 				enum nl80211_tdls_operation oper,
21161 				u16 reason_code, gfp_t gfp)
21162 {
21163 	struct wireless_dev *wdev = dev->ieee80211_ptr;
21164 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
21165 	struct sk_buff *msg;
21166 	void *hdr;
21167 
21168 	trace_cfg80211_tdls_oper_request(wdev->wiphy, dev, peer, oper,
21169 					 reason_code);
21170 
21171 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
21172 	if (!msg)
21173 		return;
21174 
21175 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_TDLS_OPER);
21176 	if (!hdr) {
21177 		nlmsg_free(msg);
21178 		return;
21179 	}
21180 
21181 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
21182 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
21183 	    nla_put_u8(msg, NL80211_ATTR_TDLS_OPERATION, oper) ||
21184 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, peer) ||
21185 	    (reason_code > 0 &&
21186 	     nla_put_u16(msg, NL80211_ATTR_REASON_CODE, reason_code)))
21187 		goto nla_put_failure;
21188 
21189 	genlmsg_end(msg, hdr);
21190 
21191 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
21192 				NL80211_MCGRP_MLME, gfp);
21193 	return;
21194 
21195  nla_put_failure:
21196 	nlmsg_free(msg);
21197 }
21198 EXPORT_SYMBOL(cfg80211_tdls_oper_request);
21199 
21200 static int nl80211_netlink_notify(struct notifier_block * nb,
21201 				  unsigned long state,
21202 				  void *_notify)
21203 {
21204 	struct netlink_notify *notify = _notify;
21205 	struct cfg80211_registered_device *rdev;
21206 	struct wireless_dev *wdev;
21207 	struct cfg80211_beacon_registration *reg, *tmp;
21208 
21209 	if (state != NETLINK_URELEASE || notify->protocol != NETLINK_GENERIC)
21210 		return NOTIFY_DONE;
21211 
21212 	rcu_read_lock();
21213 
21214 	list_for_each_entry_rcu(rdev, &cfg80211_rdev_list, list) {
21215 		struct cfg80211_sched_scan_request *sched_scan_req;
21216 
21217 		list_for_each_entry_rcu(sched_scan_req,
21218 					&rdev->sched_scan_req_list,
21219 					list) {
21220 			if (sched_scan_req->owner_nlportid == notify->portid) {
21221 				sched_scan_req->nl_owner_dead = true;
21222 				wiphy_work_queue(&rdev->wiphy,
21223 						 &rdev->sched_scan_stop_wk);
21224 			}
21225 		}
21226 
21227 		list_for_each_entry_rcu(wdev, &rdev->wiphy.wdev_list, list) {
21228 			cfg80211_mlme_unregister_socket(wdev, notify->portid);
21229 
21230 			if (wdev->owner_nlportid == notify->portid) {
21231 				wdev->nl_owner_dead = true;
21232 				schedule_work(&rdev->destroy_work);
21233 			} else if (wdev->conn_owner_nlportid == notify->portid) {
21234 				schedule_work(&wdev->disconnect_wk);
21235 			}
21236 
21237 			cfg80211_release_pmsr(wdev, notify->portid);
21238 		}
21239 
21240 		spin_lock_bh(&rdev->beacon_registrations_lock);
21241 		list_for_each_entry_safe(reg, tmp, &rdev->beacon_registrations,
21242 					 list) {
21243 			if (reg->nlportid == notify->portid) {
21244 				list_del(&reg->list);
21245 				kfree(reg);
21246 				break;
21247 			}
21248 		}
21249 		spin_unlock_bh(&rdev->beacon_registrations_lock);
21250 	}
21251 
21252 	rcu_read_unlock();
21253 
21254 	/*
21255 	 * It is possible that the user space process that is controlling the
21256 	 * indoor setting disappeared, so notify the regulatory core.
21257 	 */
21258 	regulatory_netlink_notify(notify->portid);
21259 	return NOTIFY_OK;
21260 }
21261 
21262 static struct notifier_block nl80211_netlink_notifier = {
21263 	.notifier_call = nl80211_netlink_notify,
21264 };
21265 
21266 void cfg80211_ft_event(struct net_device *netdev,
21267 		       struct cfg80211_ft_event_params *ft_event)
21268 {
21269 	struct wiphy *wiphy = netdev->ieee80211_ptr->wiphy;
21270 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
21271 	struct sk_buff *msg;
21272 	void *hdr;
21273 
21274 	trace_cfg80211_ft_event(wiphy, netdev, ft_event);
21275 
21276 	if (!ft_event->target_ap)
21277 		return;
21278 
21279 	msg = nlmsg_new(100 + ft_event->ies_len + ft_event->ric_ies_len,
21280 			GFP_KERNEL);
21281 	if (!msg)
21282 		return;
21283 
21284 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_FT_EVENT);
21285 	if (!hdr)
21286 		goto out;
21287 
21288 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
21289 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
21290 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, ft_event->target_ap))
21291 		goto out;
21292 
21293 	if (ft_event->ies &&
21294 	    nla_put(msg, NL80211_ATTR_IE, ft_event->ies_len, ft_event->ies))
21295 		goto out;
21296 	if (ft_event->ric_ies &&
21297 	    nla_put(msg, NL80211_ATTR_IE_RIC, ft_event->ric_ies_len,
21298 		    ft_event->ric_ies))
21299 		goto out;
21300 
21301 	genlmsg_end(msg, hdr);
21302 
21303 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
21304 				NL80211_MCGRP_MLME, GFP_KERNEL);
21305 	return;
21306  out:
21307 	nlmsg_free(msg);
21308 }
21309 EXPORT_SYMBOL(cfg80211_ft_event);
21310 
21311 void cfg80211_crit_proto_stopped(struct wireless_dev *wdev, gfp_t gfp)
21312 {
21313 	struct cfg80211_registered_device *rdev;
21314 	struct sk_buff *msg;
21315 	void *hdr;
21316 	u32 nlportid;
21317 
21318 	rdev = wiphy_to_rdev(wdev->wiphy);
21319 	if (!rdev->crit_proto_nlportid)
21320 		return;
21321 
21322 	nlportid = rdev->crit_proto_nlportid;
21323 	rdev->crit_proto_nlportid = 0;
21324 
21325 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
21326 	if (!msg)
21327 		return;
21328 
21329 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_CRIT_PROTOCOL_STOP);
21330 	if (!hdr)
21331 		goto nla_put_failure;
21332 
21333 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
21334 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
21335 			      NL80211_ATTR_PAD))
21336 		goto nla_put_failure;
21337 
21338 	genlmsg_end(msg, hdr);
21339 
21340 	genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, nlportid);
21341 	return;
21342 
21343  nla_put_failure:
21344 	nlmsg_free(msg);
21345 }
21346 EXPORT_SYMBOL(cfg80211_crit_proto_stopped);
21347 
21348 void nl80211_send_ap_stopped(struct wireless_dev *wdev, unsigned int link_id)
21349 {
21350 	struct wiphy *wiphy = wdev->wiphy;
21351 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
21352 	struct sk_buff *msg;
21353 	void *hdr;
21354 
21355 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
21356 	if (!msg)
21357 		return;
21358 
21359 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_STOP_AP);
21360 	if (!hdr)
21361 		goto out;
21362 
21363 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
21364 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, wdev->netdev->ifindex) ||
21365 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
21366 			      NL80211_ATTR_PAD) ||
21367 	    (wdev->valid_links &&
21368 	     nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID, link_id)))
21369 		goto out;
21370 
21371 	genlmsg_end(msg, hdr);
21372 
21373 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(wiphy), msg, 0,
21374 				NL80211_MCGRP_MLME, GFP_KERNEL);
21375 	return;
21376  out:
21377 	nlmsg_free(msg);
21378 }
21379 
21380 int cfg80211_external_auth_request(struct net_device *dev,
21381 				   struct cfg80211_external_auth_params *params,
21382 				   gfp_t gfp)
21383 {
21384 	struct wireless_dev *wdev = dev->ieee80211_ptr;
21385 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
21386 	struct sk_buff *msg;
21387 	void *hdr;
21388 
21389 	if (!wdev->conn_owner_nlportid)
21390 		return -EINVAL;
21391 
21392 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
21393 	if (!msg)
21394 		return -ENOMEM;
21395 
21396 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_EXTERNAL_AUTH);
21397 	if (!hdr)
21398 		goto nla_put_failure;
21399 
21400 	/* Some historical mistakes in drivers <-> userspace interface (notably
21401 	 * between drivers and wpa_supplicant) led to a big-endian conversion
21402 	 * being needed on NL80211_ATTR_AKM_SUITES _only_ when its value is
21403 	 * WLAN_AKM_SUITE_SAE. This is now fixed on userspace side, but for the
21404 	 * benefit of older wpa_supplicant versions, send this particular value
21405 	 * in big-endian. Note that newer wpa_supplicant will also detect this
21406 	 * particular value in big endian still, so it all continues to work.
21407 	 */
21408 	if (params->key_mgmt_suite == WLAN_AKM_SUITE_SAE) {
21409 		if (nla_put_be32(msg, NL80211_ATTR_AKM_SUITES,
21410 				 cpu_to_be32(WLAN_AKM_SUITE_SAE)))
21411 			goto nla_put_failure;
21412 	} else {
21413 		if (nla_put_u32(msg, NL80211_ATTR_AKM_SUITES,
21414 				params->key_mgmt_suite))
21415 			goto nla_put_failure;
21416 	}
21417 
21418 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
21419 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
21420 	    nla_put_u32(msg, NL80211_ATTR_EXTERNAL_AUTH_ACTION,
21421 			params->action) ||
21422 	    nla_put(msg, NL80211_ATTR_BSSID, ETH_ALEN, params->bssid) ||
21423 	    nla_put(msg, NL80211_ATTR_SSID, params->ssid.ssid_len,
21424 		    params->ssid.ssid) ||
21425 	    (!is_zero_ether_addr(params->mld_addr) &&
21426 	     nla_put(msg, NL80211_ATTR_MLD_ADDR, ETH_ALEN, params->mld_addr)))
21427 		goto nla_put_failure;
21428 
21429 	genlmsg_end(msg, hdr);
21430 	genlmsg_unicast(wiphy_net(&rdev->wiphy), msg,
21431 			wdev->conn_owner_nlportid);
21432 	return 0;
21433 
21434  nla_put_failure:
21435 	nlmsg_free(msg);
21436 	return -ENOBUFS;
21437 }
21438 EXPORT_SYMBOL(cfg80211_external_auth_request);
21439 
21440 void cfg80211_update_owe_info_event(struct net_device *netdev,
21441 				    struct cfg80211_update_owe_info *owe_info,
21442 				    gfp_t gfp)
21443 {
21444 	struct wiphy *wiphy = netdev->ieee80211_ptr->wiphy;
21445 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
21446 	struct sk_buff *msg;
21447 	void *hdr;
21448 
21449 	trace_cfg80211_update_owe_info_event(wiphy, netdev, owe_info);
21450 
21451 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
21452 	if (!msg)
21453 		return;
21454 
21455 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_UPDATE_OWE_INFO);
21456 	if (!hdr)
21457 		goto nla_put_failure;
21458 
21459 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
21460 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
21461 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, owe_info->peer))
21462 		goto nla_put_failure;
21463 
21464 	if (!owe_info->ie_len ||
21465 	    nla_put(msg, NL80211_ATTR_IE, owe_info->ie_len, owe_info->ie))
21466 		goto nla_put_failure;
21467 
21468 	if (owe_info->assoc_link_id != -1) {
21469 		if (nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID,
21470 			       owe_info->assoc_link_id))
21471 			goto nla_put_failure;
21472 
21473 		if (!is_zero_ether_addr(owe_info->peer_mld_addr) &&
21474 		    nla_put(msg, NL80211_ATTR_MLD_ADDR, ETH_ALEN,
21475 			    owe_info->peer_mld_addr))
21476 			goto nla_put_failure;
21477 	}
21478 
21479 	genlmsg_end(msg, hdr);
21480 
21481 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
21482 				NL80211_MCGRP_MLME, gfp);
21483 	return;
21484 
21485 nla_put_failure:
21486 	genlmsg_cancel(msg, hdr);
21487 	nlmsg_free(msg);
21488 }
21489 EXPORT_SYMBOL(cfg80211_update_owe_info_event);
21490 
21491 void cfg80211_schedule_channels_check(struct wireless_dev *wdev)
21492 {
21493 	struct wiphy *wiphy = wdev->wiphy;
21494 
21495 	/* Schedule channels check if NO_IR or DFS relaxations are supported */
21496 	if (wdev->iftype == NL80211_IFTYPE_STATION &&
21497 	    (wiphy_ext_feature_isset(wiphy,
21498 				     NL80211_EXT_FEATURE_DFS_CONCURRENT) ||
21499 	    (IS_ENABLED(CONFIG_CFG80211_REG_RELAX_NO_IR) &&
21500 	     wiphy->regulatory_flags & REGULATORY_ENABLE_RELAX_NO_IR)))
21501 		reg_check_channels();
21502 }
21503 EXPORT_SYMBOL(cfg80211_schedule_channels_check);
21504 
21505 void cfg80211_epcs_changed(struct net_device *netdev, bool enabled)
21506 {
21507 	struct wireless_dev *wdev = netdev->ieee80211_ptr;
21508 	struct wiphy *wiphy = wdev->wiphy;
21509 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
21510 	struct sk_buff *msg;
21511 	void *hdr;
21512 
21513 	trace_cfg80211_epcs_changed(wdev, enabled);
21514 
21515 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
21516 	if (!msg)
21517 		return;
21518 
21519 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_EPCS_CFG);
21520 	if (!hdr) {
21521 		nlmsg_free(msg);
21522 		return;
21523 	}
21524 
21525 	if (enabled && nla_put_flag(msg, NL80211_ATTR_EPCS))
21526 		goto nla_put_failure;
21527 
21528 	genlmsg_end(msg, hdr);
21529 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
21530 				NL80211_MCGRP_MLME, GFP_KERNEL);
21531 	return;
21532 
21533  nla_put_failure:
21534 	nlmsg_free(msg);
21535 }
21536 EXPORT_SYMBOL(cfg80211_epcs_changed);
21537 
21538 /* initialisation/exit functions */
21539 
21540 int __init nl80211_init(void)
21541 {
21542 	int err;
21543 
21544 	err = genl_register_family(&nl80211_fam);
21545 	if (err)
21546 		return err;
21547 
21548 	err = netlink_register_notifier(&nl80211_netlink_notifier);
21549 	if (err)
21550 		goto err_out;
21551 
21552 	return 0;
21553  err_out:
21554 	genl_unregister_family(&nl80211_fam);
21555 	return err;
21556 }
21557 
21558 void nl80211_exit(void)
21559 {
21560 	netlink_unregister_notifier(&nl80211_netlink_notifier);
21561 	genl_unregister_family(&nl80211_fam);
21562 }
21563