xref: /linux/net/wireless/nl80211.c (revision 163cc462dea7d5b75be4db49ca78a2b99c55375e) 
1 // SPDX-License-Identifier: GPL-2.0-only
2 /*
3  * This is the new netlink-based wireless configuration interface.
4  *
5  * Copyright 2006-2010	Johannes Berg <johannes@sipsolutions.net>
6  * Copyright 2013-2014  Intel Mobile Communications GmbH
7  * Copyright 2015-2017	Intel Deutschland GmbH
8  * Copyright (C) 2018-2026 Intel Corporation
9  */
10 
11 #include <linux/if.h>
12 #include <linux/module.h>
13 #include <linux/err.h>
14 #include <linux/slab.h>
15 #include <linux/list.h>
16 #include <linux/if_ether.h>
17 #include <linux/ieee80211.h>
18 #include <linux/nl80211.h>
19 #include <linux/rtnetlink.h>
20 #include <linux/netlink.h>
21 #include <linux/nospec.h>
22 #include <linux/etherdevice.h>
23 #include <linux/if_vlan.h>
24 #include <net/net_namespace.h>
25 #include <net/genetlink.h>
26 #include <net/cfg80211.h>
27 #include <net/sock.h>
28 #include <net/inet_connection_sock.h>
29 #include "core.h"
30 #include "nl80211.h"
31 #include "reg.h"
32 #include "rdev-ops.h"
33 
34 static int nl80211_crypto_settings(struct cfg80211_registered_device *rdev,
35 				   struct genl_info *info,
36 				   struct cfg80211_crypto_settings *settings,
37 				   int cipher_limit);
38 
39 /* the netlink family */
40 static struct genl_family nl80211_fam;
41 
42 /* multicast groups */
43 enum nl80211_multicast_groups {
44 	NL80211_MCGRP_CONFIG,
45 	NL80211_MCGRP_SCAN,
46 	NL80211_MCGRP_REGULATORY,
47 	NL80211_MCGRP_MLME,
48 	NL80211_MCGRP_VENDOR,
49 	NL80211_MCGRP_NAN,
50 	NL80211_MCGRP_TESTMODE /* keep last - ifdef! */
51 };
52 
53 static const struct genl_multicast_group nl80211_mcgrps[] = {
54 	[NL80211_MCGRP_CONFIG] = { .name = NL80211_MULTICAST_GROUP_CONFIG },
55 	[NL80211_MCGRP_SCAN] = { .name = NL80211_MULTICAST_GROUP_SCAN },
56 	[NL80211_MCGRP_REGULATORY] = { .name = NL80211_MULTICAST_GROUP_REG },
57 	[NL80211_MCGRP_MLME] = { .name = NL80211_MULTICAST_GROUP_MLME },
58 	[NL80211_MCGRP_VENDOR] = { .name = NL80211_MULTICAST_GROUP_VENDOR },
59 	[NL80211_MCGRP_NAN] = { .name = NL80211_MULTICAST_GROUP_NAN },
60 #ifdef CONFIG_NL80211_TESTMODE
61 	[NL80211_MCGRP_TESTMODE] = { .name = NL80211_MULTICAST_GROUP_TESTMODE }
62 #endif
63 };
64 
65 /* returns ERR_PTR values */
66 static struct wireless_dev *
67 __cfg80211_wdev_from_attrs(struct cfg80211_registered_device *rdev,
68 			   struct net *netns, struct nlattr **attrs)
69 {
70 	struct wireless_dev *result = NULL;
71 	bool have_ifidx = attrs[NL80211_ATTR_IFINDEX];
72 	bool have_wdev_id = attrs[NL80211_ATTR_WDEV];
73 	u64 wdev_id = 0;
74 	int wiphy_idx = -1;
75 	int ifidx = -1;
76 
77 	if (!have_ifidx && !have_wdev_id)
78 		return ERR_PTR(-EINVAL);
79 
80 	if (have_ifidx)
81 		ifidx = nla_get_u32(attrs[NL80211_ATTR_IFINDEX]);
82 	if (have_wdev_id) {
83 		wdev_id = nla_get_u64(attrs[NL80211_ATTR_WDEV]);
84 		wiphy_idx = wdev_id >> 32;
85 	}
86 
87 	if (rdev) {
88 		struct wireless_dev *wdev;
89 
90 		lockdep_assert_held(&rdev->wiphy.mtx);
91 
92 		list_for_each_entry(wdev, &rdev->wiphy.wdev_list, list) {
93 			if (have_ifidx && wdev->netdev &&
94 			    wdev->netdev->ifindex == ifidx) {
95 				result = wdev;
96 				break;
97 			}
98 			if (have_wdev_id && wdev->identifier == (u32)wdev_id) {
99 				result = wdev;
100 				break;
101 			}
102 		}
103 
104 		return result ?: ERR_PTR(-ENODEV);
105 	}
106 
107 	ASSERT_RTNL();
108 
109 	for_each_rdev(rdev) {
110 		struct wireless_dev *wdev;
111 
112 		if (wiphy_net(&rdev->wiphy) != netns)
113 			continue;
114 
115 		if (have_wdev_id && rdev->wiphy_idx != wiphy_idx)
116 			continue;
117 
118 		list_for_each_entry(wdev, &rdev->wiphy.wdev_list, list) {
119 			if (have_ifidx && wdev->netdev &&
120 			    wdev->netdev->ifindex == ifidx) {
121 				result = wdev;
122 				break;
123 			}
124 			if (have_wdev_id && wdev->identifier == (u32)wdev_id) {
125 				result = wdev;
126 				break;
127 			}
128 		}
129 
130 		if (result)
131 			break;
132 	}
133 
134 	if (result)
135 		return result;
136 	return ERR_PTR(-ENODEV);
137 }
138 
139 static struct cfg80211_registered_device *
140 __cfg80211_rdev_from_attrs(struct net *netns, struct nlattr **attrs)
141 {
142 	struct cfg80211_registered_device *rdev = NULL, *tmp;
143 	struct net_device *netdev;
144 
145 	ASSERT_RTNL();
146 
147 	if (!attrs[NL80211_ATTR_WIPHY] &&
148 	    !attrs[NL80211_ATTR_IFINDEX] &&
149 	    !attrs[NL80211_ATTR_WDEV])
150 		return ERR_PTR(-EINVAL);
151 
152 	if (attrs[NL80211_ATTR_WIPHY])
153 		rdev = cfg80211_rdev_by_wiphy_idx(
154 				nla_get_u32(attrs[NL80211_ATTR_WIPHY]));
155 
156 	if (attrs[NL80211_ATTR_WDEV]) {
157 		u64 wdev_id = nla_get_u64(attrs[NL80211_ATTR_WDEV]);
158 		struct wireless_dev *wdev;
159 		bool found = false;
160 
161 		tmp = cfg80211_rdev_by_wiphy_idx(wdev_id >> 32);
162 		if (tmp) {
163 			/* make sure wdev exists */
164 			list_for_each_entry(wdev, &tmp->wiphy.wdev_list, list) {
165 				if (wdev->identifier != (u32)wdev_id)
166 					continue;
167 				found = true;
168 				break;
169 			}
170 
171 			if (!found)
172 				tmp = NULL;
173 
174 			if (rdev && tmp != rdev)
175 				return ERR_PTR(-EINVAL);
176 			rdev = tmp;
177 		}
178 	}
179 
180 	if (attrs[NL80211_ATTR_IFINDEX]) {
181 		int ifindex = nla_get_u32(attrs[NL80211_ATTR_IFINDEX]);
182 
183 		netdev = __dev_get_by_index(netns, ifindex);
184 		if (netdev) {
185 			if (netdev->ieee80211_ptr)
186 				tmp = wiphy_to_rdev(
187 					netdev->ieee80211_ptr->wiphy);
188 			else
189 				tmp = NULL;
190 
191 			/* not wireless device -- return error */
192 			if (!tmp)
193 				return ERR_PTR(-EINVAL);
194 
195 			/* mismatch -- return error */
196 			if (rdev && tmp != rdev)
197 				return ERR_PTR(-EINVAL);
198 
199 			rdev = tmp;
200 		}
201 	}
202 
203 	if (!rdev)
204 		return ERR_PTR(-ENODEV);
205 
206 	if (netns != wiphy_net(&rdev->wiphy))
207 		return ERR_PTR(-ENODEV);
208 
209 	return rdev;
210 }
211 
212 /*
213  * This function returns a pointer to the driver
214  * that the genl_info item that is passed refers to.
215  *
216  * The result of this can be a PTR_ERR and hence must
217  * be checked with IS_ERR() for errors.
218  */
219 static struct cfg80211_registered_device *
220 cfg80211_get_dev_from_info(struct net *netns, struct genl_info *info)
221 {
222 	return __cfg80211_rdev_from_attrs(netns, info->attrs);
223 }
224 
225 static int validate_beacon_head(const struct nlattr *attr,
226 				struct netlink_ext_ack *extack)
227 {
228 	const u8 *data = nla_data(attr);
229 	unsigned int len = nla_len(attr);
230 	const struct element *elem;
231 	const struct ieee80211_mgmt *mgmt = (void *)data;
232 	const struct ieee80211_ext *ext;
233 	unsigned int fixedlen, hdrlen;
234 	bool s1g_bcn;
235 
236 	if (len < offsetofend(typeof(*mgmt), frame_control))
237 		goto err;
238 
239 	s1g_bcn = ieee80211_is_s1g_beacon(mgmt->frame_control);
240 	if (s1g_bcn) {
241 		ext = (struct ieee80211_ext *)mgmt;
242 		fixedlen =
243 			offsetof(struct ieee80211_ext, u.s1g_beacon.variable) +
244 			ieee80211_s1g_optional_len(ext->frame_control);
245 		hdrlen = offsetof(struct ieee80211_ext, u.s1g_beacon);
246 	} else {
247 		fixedlen = offsetof(struct ieee80211_mgmt,
248 				    u.beacon.variable);
249 		hdrlen = offsetof(struct ieee80211_mgmt, u.beacon);
250 	}
251 
252 	if (len < fixedlen)
253 		goto err;
254 
255 	if (ieee80211_hdrlen(mgmt->frame_control) != hdrlen)
256 		goto err;
257 
258 	data += fixedlen;
259 	len -= fixedlen;
260 
261 	for_each_element(elem, data, len) {
262 		/* nothing */
263 	}
264 
265 	if (for_each_element_completed(elem, data, len))
266 		return 0;
267 
268 err:
269 	NL_SET_ERR_MSG_ATTR(extack, attr, "malformed beacon head");
270 	return -EINVAL;
271 }
272 
273 static int validate_ie_attr(const struct nlattr *attr,
274 			    struct netlink_ext_ack *extack)
275 {
276 	const u8 *data = nla_data(attr);
277 	unsigned int len = nla_len(attr);
278 	const struct element *elem;
279 
280 	for_each_element(elem, data, len) {
281 		/* nothing */
282 	}
283 
284 	if (for_each_element_completed(elem, data, len))
285 		return 0;
286 
287 	NL_SET_ERR_MSG_ATTR(extack, attr, "malformed information elements");
288 	return -EINVAL;
289 }
290 
291 static int validate_he_capa(const struct nlattr *attr,
292 			    struct netlink_ext_ack *extack)
293 {
294 	if (!ieee80211_he_capa_size_ok(nla_data(attr), nla_len(attr)))
295 		return -EINVAL;
296 
297 	return 0;
298 }
299 
300 static int validate_supported_selectors(const struct nlattr *attr,
301 					struct netlink_ext_ack *extack)
302 {
303 	const u8 *supported_selectors = nla_data(attr);
304 	u8 supported_selectors_len = nla_len(attr);
305 
306 	/* The top bit must not be set as it is not part of the selector */
307 	for (int i = 0; i < supported_selectors_len; i++) {
308 		if (supported_selectors[i] & 0x80)
309 			return -EINVAL;
310 	}
311 
312 	return 0;
313 }
314 
315 static int validate_nan_cluster_id(const struct nlattr *attr,
316 				   struct netlink_ext_ack *extack)
317 {
318 	const u8 *data = nla_data(attr);
319 	unsigned int len = nla_len(attr);
320 	static const u8 cluster_id_prefix[4] = {0x50, 0x6f, 0x9a, 0x1};
321 
322 	if (len != ETH_ALEN) {
323 		NL_SET_ERR_MSG_ATTR(extack, attr, "bad cluster id length");
324 		return -EINVAL;
325 	}
326 
327 	if (memcmp(data, cluster_id_prefix, sizeof(cluster_id_prefix))) {
328 		NL_SET_ERR_MSG_ATTR(extack, attr, "invalid cluster id prefix");
329 		return -EINVAL;
330 	}
331 
332 	return 0;
333 }
334 
335 static int validate_uhr_capa(const struct nlattr *attr,
336 			     struct netlink_ext_ack *extack)
337 {
338 	const u8 *data = nla_data(attr);
339 	unsigned int len = nla_len(attr);
340 
341 	return ieee80211_uhr_capa_size_ok(data, len, false);
342 }
343 
344 /* policy for the attributes */
345 static const struct nla_policy nl80211_policy[NUM_NL80211_ATTR];
346 
347 static const struct nla_policy
348 nl80211_ftm_responder_policy[NL80211_FTM_RESP_ATTR_MAX + 1] = {
349 	[NL80211_FTM_RESP_ATTR_ENABLED] = { .type = NLA_FLAG, },
350 	[NL80211_FTM_RESP_ATTR_LCI] = { .type = NLA_BINARY,
351 					.len = U8_MAX },
352 	[NL80211_FTM_RESP_ATTR_CIVICLOC] = { .type = NLA_BINARY,
353 					     .len = U8_MAX },
354 };
355 
356 static const struct nla_policy
357 nl80211_pmsr_ftm_req_attr_policy[NL80211_PMSR_FTM_REQ_ATTR_MAX + 1] = {
358 	[NL80211_PMSR_FTM_REQ_ATTR_ASAP] = { .type = NLA_FLAG },
359 	[NL80211_PMSR_FTM_REQ_ATTR_PREAMBLE] = { .type = NLA_U32 },
360 	[NL80211_PMSR_FTM_REQ_ATTR_NUM_BURSTS_EXP] =
361 		NLA_POLICY_MAX(NLA_U8, 15),
362 	[NL80211_PMSR_FTM_REQ_ATTR_BURST_PERIOD] = { .type = NLA_U16 },
363 	[NL80211_PMSR_FTM_REQ_ATTR_BURST_DURATION] =
364 		NLA_POLICY_MAX(NLA_U8, 15),
365 	[NL80211_PMSR_FTM_REQ_ATTR_FTMS_PER_BURST] = { .type = NLA_U8 },
366 	[NL80211_PMSR_FTM_REQ_ATTR_NUM_FTMR_RETRIES] = { .type = NLA_U8 },
367 	[NL80211_PMSR_FTM_REQ_ATTR_REQUEST_LCI] = { .type = NLA_FLAG },
368 	[NL80211_PMSR_FTM_REQ_ATTR_REQUEST_CIVICLOC] = { .type = NLA_FLAG },
369 	[NL80211_PMSR_FTM_REQ_ATTR_TRIGGER_BASED] = { .type = NLA_FLAG },
370 	[NL80211_PMSR_FTM_REQ_ATTR_NON_TRIGGER_BASED] = { .type = NLA_FLAG },
371 	[NL80211_PMSR_FTM_REQ_ATTR_LMR_FEEDBACK] = { .type = NLA_FLAG },
372 	[NL80211_PMSR_FTM_REQ_ATTR_BSS_COLOR] = { .type = NLA_U8 },
373 	[NL80211_PMSR_FTM_REQ_ATTR_RSTA] = { .type = NLA_FLAG },
374 };
375 
376 static const struct nla_policy
377 nl80211_pmsr_req_data_policy[NL80211_PMSR_TYPE_MAX + 1] = {
378 	[NL80211_PMSR_TYPE_FTM] =
379 		NLA_POLICY_NESTED(nl80211_pmsr_ftm_req_attr_policy),
380 };
381 
382 static const struct nla_policy
383 nl80211_pmsr_req_attr_policy[NL80211_PMSR_REQ_ATTR_MAX + 1] = {
384 	[NL80211_PMSR_REQ_ATTR_DATA] =
385 		NLA_POLICY_NESTED(nl80211_pmsr_req_data_policy),
386 	[NL80211_PMSR_REQ_ATTR_GET_AP_TSF] = { .type = NLA_FLAG },
387 };
388 
389 static const struct nla_policy
390 nl80211_pmsr_peer_attr_policy[NL80211_PMSR_PEER_ATTR_MAX + 1] = {
391 	[NL80211_PMSR_PEER_ATTR_ADDR] = NLA_POLICY_ETH_ADDR,
392 	[NL80211_PMSR_PEER_ATTR_CHAN] = NLA_POLICY_NESTED(nl80211_policy),
393 	[NL80211_PMSR_PEER_ATTR_REQ] =
394 		NLA_POLICY_NESTED(nl80211_pmsr_req_attr_policy),
395 	[NL80211_PMSR_PEER_ATTR_RESP] = { .type = NLA_REJECT },
396 };
397 
398 static const struct nla_policy
399 nl80211_pmsr_attr_policy[NL80211_PMSR_ATTR_MAX + 1] = {
400 	[NL80211_PMSR_ATTR_MAX_PEERS] = { .type = NLA_REJECT },
401 	[NL80211_PMSR_ATTR_REPORT_AP_TSF] = { .type = NLA_REJECT },
402 	[NL80211_PMSR_ATTR_RANDOMIZE_MAC_ADDR] = { .type = NLA_REJECT },
403 	[NL80211_PMSR_ATTR_TYPE_CAPA] = { .type = NLA_REJECT },
404 	[NL80211_PMSR_ATTR_PEERS] =
405 		NLA_POLICY_NESTED_ARRAY(nl80211_pmsr_peer_attr_policy),
406 };
407 
408 static const struct nla_policy
409 he_obss_pd_policy[NL80211_HE_OBSS_PD_ATTR_MAX + 1] = {
410 	[NL80211_HE_OBSS_PD_ATTR_MIN_OFFSET] =
411 		NLA_POLICY_RANGE(NLA_U8, 1, 20),
412 	[NL80211_HE_OBSS_PD_ATTR_MAX_OFFSET] =
413 		NLA_POLICY_RANGE(NLA_U8, 1, 20),
414 	[NL80211_HE_OBSS_PD_ATTR_NON_SRG_MAX_OFFSET] =
415 		NLA_POLICY_RANGE(NLA_U8, 1, 20),
416 	[NL80211_HE_OBSS_PD_ATTR_BSS_COLOR_BITMAP] =
417 		NLA_POLICY_EXACT_LEN(8),
418 	[NL80211_HE_OBSS_PD_ATTR_PARTIAL_BSSID_BITMAP] =
419 		NLA_POLICY_EXACT_LEN(8),
420 	[NL80211_HE_OBSS_PD_ATTR_SR_CTRL] = { .type = NLA_U8 },
421 };
422 
423 static const struct nla_policy
424 he_bss_color_policy[NL80211_HE_BSS_COLOR_ATTR_MAX + 1] = {
425 	[NL80211_HE_BSS_COLOR_ATTR_COLOR] = NLA_POLICY_RANGE(NLA_U8, 1, 63),
426 	[NL80211_HE_BSS_COLOR_ATTR_DISABLED] = { .type = NLA_FLAG },
427 	[NL80211_HE_BSS_COLOR_ATTR_PARTIAL] = { .type = NLA_FLAG },
428 };
429 
430 static const struct nla_policy nl80211_txattr_policy[NL80211_TXRATE_MAX + 1] = {
431 	[NL80211_TXRATE_LEGACY] = { .type = NLA_BINARY,
432 				    .len = NL80211_MAX_SUPP_RATES },
433 	[NL80211_TXRATE_HT] = { .type = NLA_BINARY,
434 				.len = NL80211_MAX_SUPP_HT_RATES },
435 	[NL80211_TXRATE_VHT] = NLA_POLICY_EXACT_LEN_WARN(sizeof(struct nl80211_txrate_vht)),
436 	[NL80211_TXRATE_GI] = { .type = NLA_U8 },
437 	[NL80211_TXRATE_HE] = NLA_POLICY_EXACT_LEN(sizeof(struct nl80211_txrate_he)),
438 	[NL80211_TXRATE_HE_GI] =  NLA_POLICY_RANGE(NLA_U8,
439 						   NL80211_RATE_INFO_HE_GI_0_8,
440 						   NL80211_RATE_INFO_HE_GI_3_2),
441 	[NL80211_TXRATE_HE_LTF] = NLA_POLICY_RANGE(NLA_U8,
442 						   NL80211_RATE_INFO_HE_1XLTF,
443 						   NL80211_RATE_INFO_HE_4XLTF),
444 	[NL80211_TXRATE_EHT] = NLA_POLICY_EXACT_LEN(sizeof(struct nl80211_txrate_eht)),
445 	[NL80211_TXRATE_EHT_GI] =  NLA_POLICY_RANGE(NLA_U8,
446 						   NL80211_RATE_INFO_EHT_GI_0_8,
447 						   NL80211_RATE_INFO_EHT_GI_3_2),
448 	[NL80211_TXRATE_EHT_LTF] = NLA_POLICY_RANGE(NLA_U8,
449 						   NL80211_RATE_INFO_EHT_1XLTF,
450 						   NL80211_RATE_INFO_EHT_8XLTF),
451 
452 };
453 
454 static const struct nla_policy
455 nl80211_tid_config_attr_policy[NL80211_TID_CONFIG_ATTR_MAX + 1] = {
456 	[NL80211_TID_CONFIG_ATTR_VIF_SUPP] = { .type = NLA_U64 },
457 	[NL80211_TID_CONFIG_ATTR_PEER_SUPP] = { .type = NLA_U64 },
458 	[NL80211_TID_CONFIG_ATTR_OVERRIDE] = { .type = NLA_FLAG },
459 	[NL80211_TID_CONFIG_ATTR_TIDS] = NLA_POLICY_RANGE(NLA_U16, 1, 0xff),
460 	[NL80211_TID_CONFIG_ATTR_NOACK] =
461 			NLA_POLICY_MAX(NLA_U8, NL80211_TID_CONFIG_DISABLE),
462 	[NL80211_TID_CONFIG_ATTR_RETRY_SHORT] = NLA_POLICY_MIN(NLA_U8, 1),
463 	[NL80211_TID_CONFIG_ATTR_RETRY_LONG] = NLA_POLICY_MIN(NLA_U8, 1),
464 	[NL80211_TID_CONFIG_ATTR_AMPDU_CTRL] =
465 			NLA_POLICY_MAX(NLA_U8, NL80211_TID_CONFIG_DISABLE),
466 	[NL80211_TID_CONFIG_ATTR_RTSCTS_CTRL] =
467 			NLA_POLICY_MAX(NLA_U8, NL80211_TID_CONFIG_DISABLE),
468 	[NL80211_TID_CONFIG_ATTR_AMSDU_CTRL] =
469 			NLA_POLICY_MAX(NLA_U8, NL80211_TID_CONFIG_DISABLE),
470 	[NL80211_TID_CONFIG_ATTR_TX_RATE_TYPE] =
471 			NLA_POLICY_MAX(NLA_U8, NL80211_TX_RATE_FIXED),
472 	[NL80211_TID_CONFIG_ATTR_TX_RATE] =
473 			NLA_POLICY_NESTED(nl80211_txattr_policy),
474 };
475 
476 static const struct nla_policy
477 nl80211_fils_discovery_policy[NL80211_FILS_DISCOVERY_ATTR_MAX + 1] = {
478 	[NL80211_FILS_DISCOVERY_ATTR_INT_MIN] = NLA_POLICY_MAX(NLA_U32, 10000),
479 	[NL80211_FILS_DISCOVERY_ATTR_INT_MAX] = NLA_POLICY_MAX(NLA_U32, 10000),
480 	[NL80211_FILS_DISCOVERY_ATTR_TMPL] =
481 			NLA_POLICY_RANGE(NLA_BINARY,
482 					 NL80211_FILS_DISCOVERY_TMPL_MIN_LEN,
483 					 IEEE80211_MAX_DATA_LEN),
484 };
485 
486 static const struct nla_policy
487 nl80211_unsol_bcast_probe_resp_policy[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_MAX + 1] = {
488 	[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_INT] = NLA_POLICY_MAX(NLA_U32, 20),
489 	[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_TMPL] = { .type = NLA_BINARY,
490 						       .len = IEEE80211_MAX_DATA_LEN }
491 };
492 
493 static const struct nla_policy
494 sar_specs_policy[NL80211_SAR_ATTR_SPECS_MAX + 1] = {
495 	[NL80211_SAR_ATTR_SPECS_POWER] = { .type = NLA_S32 },
496 	[NL80211_SAR_ATTR_SPECS_RANGE_INDEX] = {.type = NLA_U32 },
497 };
498 
499 static const struct nla_policy
500 sar_policy[NL80211_SAR_ATTR_MAX + 1] = {
501 	[NL80211_SAR_ATTR_TYPE] = NLA_POLICY_MAX(NLA_U32, NUM_NL80211_SAR_TYPE),
502 	[NL80211_SAR_ATTR_SPECS] = NLA_POLICY_NESTED_ARRAY(sar_specs_policy),
503 };
504 
505 static const struct nla_policy
506 nl80211_mbssid_config_policy[NL80211_MBSSID_CONFIG_ATTR_MAX + 1] = {
507 	[NL80211_MBSSID_CONFIG_ATTR_MAX_INTERFACES] = NLA_POLICY_MIN(NLA_U8, 2),
508 	[NL80211_MBSSID_CONFIG_ATTR_MAX_EMA_PROFILE_PERIODICITY] =
509 						NLA_POLICY_MIN(NLA_U8, 1),
510 	[NL80211_MBSSID_CONFIG_ATTR_INDEX] = { .type = NLA_U8 },
511 	[NL80211_MBSSID_CONFIG_ATTR_TX_IFINDEX] = { .type = NLA_U32 },
512 	[NL80211_MBSSID_CONFIG_ATTR_EMA] = { .type = NLA_FLAG },
513 	[NL80211_MBSSID_CONFIG_ATTR_TX_LINK_ID] =
514 		NLA_POLICY_MAX(NLA_U8, IEEE80211_MLD_MAX_NUM_LINKS),
515 };
516 
517 static const struct nla_policy
518 nl80211_sta_wme_policy[NL80211_STA_WME_MAX + 1] = {
519 	[NL80211_STA_WME_UAPSD_QUEUES] = { .type = NLA_U8 },
520 	[NL80211_STA_WME_MAX_SP] = { .type = NLA_U8 },
521 };
522 
523 static const struct nla_policy
524 nl80211_s1g_short_beacon[NL80211_S1G_SHORT_BEACON_ATTR_MAX + 1] = {
525 	[NL80211_S1G_SHORT_BEACON_ATTR_HEAD] =
526 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_beacon_head,
527 				       IEEE80211_MAX_DATA_LEN),
528 	[NL80211_S1G_SHORT_BEACON_ATTR_TAIL] =
529 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_ie_attr,
530 				       IEEE80211_MAX_DATA_LEN),
531 };
532 
533 static const struct nla_policy
534 nl80211_nan_band_conf_policy[NL80211_NAN_BAND_CONF_ATTR_MAX + 1] = {
535 	[NL80211_NAN_BAND_CONF_BAND] = NLA_POLICY_MAX(NLA_U8,
536 						      NUM_NL80211_BANDS - 1),
537 	[NL80211_NAN_BAND_CONF_FREQ] = { .type = NLA_U16 },
538 	[NL80211_NAN_BAND_CONF_RSSI_CLOSE] = NLA_POLICY_MIN(NLA_S8, -59),
539 	[NL80211_NAN_BAND_CONF_RSSI_MIDDLE] = NLA_POLICY_MIN(NLA_S8, -74),
540 	[NL80211_NAN_BAND_CONF_WAKE_DW] = NLA_POLICY_MAX(NLA_U8, 5),
541 	[NL80211_NAN_BAND_CONF_DISABLE_SCAN] = { .type = NLA_FLAG },
542 };
543 
544 static const struct nla_policy
545 nl80211_nan_conf_policy[NL80211_NAN_CONF_ATTR_MAX + 1] = {
546 	[NL80211_NAN_CONF_CLUSTER_ID] =
547 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_nan_cluster_id,
548 				       ETH_ALEN),
549 	[NL80211_NAN_CONF_EXTRA_ATTRS] = { .type = NLA_BINARY,
550 					   .len = IEEE80211_MAX_DATA_LEN},
551 	[NL80211_NAN_CONF_VENDOR_ELEMS] =
552 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_ie_attr,
553 				       IEEE80211_MAX_DATA_LEN),
554 	[NL80211_NAN_CONF_BAND_CONFIGS] =
555 		NLA_POLICY_NESTED_ARRAY(nl80211_nan_band_conf_policy),
556 	[NL80211_NAN_CONF_SCAN_PERIOD] = { .type = NLA_U16 },
557 	[NL80211_NAN_CONF_SCAN_DWELL_TIME] = NLA_POLICY_RANGE(NLA_U16, 50, 512),
558 	[NL80211_NAN_CONF_DISCOVERY_BEACON_INTERVAL] =
559 		NLA_POLICY_RANGE(NLA_U8, 50, 200),
560 	[NL80211_NAN_CONF_NOTIFY_DW] = { .type = NLA_FLAG },
561 };
562 
563 static const struct netlink_range_validation nl80211_punct_bitmap_range = {
564 	.min = 0,
565 	.max = 0xffff,
566 };
567 
568 static const struct netlink_range_validation q_range = {
569 	.max = INT_MAX,
570 };
571 
572 static const struct nla_policy nl80211_policy[NUM_NL80211_ATTR] = {
573 	[0] = { .strict_start_type = NL80211_ATTR_HE_OBSS_PD },
574 	[NL80211_ATTR_WIPHY] = { .type = NLA_U32 },
575 	[NL80211_ATTR_WIPHY_NAME] = { .type = NLA_NUL_STRING,
576 				      .len = 20-1 },
577 	[NL80211_ATTR_WIPHY_TXQ_PARAMS] = { .type = NLA_NESTED },
578 
579 	[NL80211_ATTR_WIPHY_FREQ] = { .type = NLA_U32 },
580 	[NL80211_ATTR_WIPHY_CHANNEL_TYPE] = { .type = NLA_U32 },
581 	[NL80211_ATTR_WIPHY_EDMG_CHANNELS] = NLA_POLICY_RANGE(NLA_U8,
582 						NL80211_EDMG_CHANNELS_MIN,
583 						NL80211_EDMG_CHANNELS_MAX),
584 	[NL80211_ATTR_WIPHY_EDMG_BW_CONFIG] = NLA_POLICY_RANGE(NLA_U8,
585 						NL80211_EDMG_BW_CONFIG_MIN,
586 						NL80211_EDMG_BW_CONFIG_MAX),
587 
588 	[NL80211_ATTR_CHANNEL_WIDTH] = { .type = NLA_U32 },
589 	[NL80211_ATTR_CENTER_FREQ1] = { .type = NLA_U32 },
590 	[NL80211_ATTR_CENTER_FREQ1_OFFSET] = NLA_POLICY_RANGE(NLA_U32, 0, 999),
591 	[NL80211_ATTR_CENTER_FREQ2] = { .type = NLA_U32 },
592 
593 	[NL80211_ATTR_WIPHY_RETRY_SHORT] = NLA_POLICY_MIN(NLA_U8, 1),
594 	[NL80211_ATTR_WIPHY_RETRY_LONG] = NLA_POLICY_MIN(NLA_U8, 1),
595 	[NL80211_ATTR_WIPHY_FRAG_THRESHOLD] = { .type = NLA_U32 },
596 	[NL80211_ATTR_WIPHY_RTS_THRESHOLD] = { .type = NLA_U32 },
597 	[NL80211_ATTR_WIPHY_COVERAGE_CLASS] = { .type = NLA_U8 },
598 	[NL80211_ATTR_WIPHY_DYN_ACK] = { .type = NLA_FLAG },
599 
600 	[NL80211_ATTR_IFTYPE] = NLA_POLICY_MAX(NLA_U32, NL80211_IFTYPE_MAX),
601 	[NL80211_ATTR_IFINDEX] = { .type = NLA_U32 },
602 	[NL80211_ATTR_IFNAME] = { .type = NLA_NUL_STRING, .len = IFNAMSIZ-1 },
603 
604 	[NL80211_ATTR_MAC] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
605 	[NL80211_ATTR_PREV_BSSID] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
606 
607 	[NL80211_ATTR_KEY] = { .type = NLA_NESTED, },
608 	[NL80211_ATTR_KEY_DATA] = { .type = NLA_BINARY,
609 				    .len = WLAN_MAX_KEY_LEN },
610 	[NL80211_ATTR_KEY_IDX] = NLA_POLICY_MAX(NLA_U8, 7),
611 	[NL80211_ATTR_KEY_CIPHER] = { .type = NLA_U32 },
612 	[NL80211_ATTR_KEY_DEFAULT] = { .type = NLA_FLAG },
613 	[NL80211_ATTR_KEY_SEQ] = { .type = NLA_BINARY, .len = 16 },
614 	[NL80211_ATTR_KEY_TYPE] =
615 		NLA_POLICY_MAX(NLA_U32, NUM_NL80211_KEYTYPES),
616 
617 	[NL80211_ATTR_BEACON_INTERVAL] = { .type = NLA_U32 },
618 	[NL80211_ATTR_DTIM_PERIOD] = { .type = NLA_U32 },
619 	[NL80211_ATTR_BEACON_HEAD] =
620 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_beacon_head,
621 				       IEEE80211_MAX_DATA_LEN),
622 	[NL80211_ATTR_BEACON_TAIL] =
623 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_ie_attr,
624 				       IEEE80211_MAX_DATA_LEN),
625 	[NL80211_ATTR_STA_AID] =
626 		NLA_POLICY_RANGE(NLA_U16, 1, IEEE80211_MAX_AID),
627 	[NL80211_ATTR_STA_FLAGS] = { .type = NLA_NESTED },
628 	[NL80211_ATTR_STA_LISTEN_INTERVAL] = { .type = NLA_U16 },
629 	[NL80211_ATTR_STA_SUPPORTED_RATES] = { .type = NLA_BINARY,
630 					       .len = NL80211_MAX_SUPP_RATES },
631 	[NL80211_ATTR_STA_PLINK_ACTION] =
632 		NLA_POLICY_MAX(NLA_U8, NUM_NL80211_PLINK_ACTIONS - 1),
633 	[NL80211_ATTR_STA_TX_POWER_SETTING] =
634 		NLA_POLICY_RANGE(NLA_U8,
635 				 NL80211_TX_POWER_AUTOMATIC,
636 				 NL80211_TX_POWER_FIXED),
637 	[NL80211_ATTR_STA_TX_POWER] = { .type = NLA_S16 },
638 	[NL80211_ATTR_STA_VLAN] = { .type = NLA_U32 },
639 	[NL80211_ATTR_MNTR_FLAGS] = { /* NLA_NESTED can't be empty */ },
640 	[NL80211_ATTR_MESH_ID] = { .type = NLA_BINARY,
641 				   .len = IEEE80211_MAX_MESH_ID_LEN },
642 	[NL80211_ATTR_MPATH_NEXT_HOP] = NLA_POLICY_ETH_ADDR_COMPAT,
643 
644 	/* allow 3 for NUL-termination, we used to declare this NLA_STRING */
645 	[NL80211_ATTR_REG_ALPHA2] = NLA_POLICY_RANGE(NLA_BINARY, 2, 3),
646 	[NL80211_ATTR_REG_RULES] = { .type = NLA_NESTED },
647 
648 	[NL80211_ATTR_BSS_CTS_PROT] = { .type = NLA_U8 },
649 	[NL80211_ATTR_BSS_SHORT_PREAMBLE] = { .type = NLA_U8 },
650 	[NL80211_ATTR_BSS_SHORT_SLOT_TIME] = { .type = NLA_U8 },
651 	[NL80211_ATTR_BSS_BASIC_RATES] = { .type = NLA_BINARY,
652 					   .len = NL80211_MAX_SUPP_RATES },
653 	[NL80211_ATTR_BSS_HT_OPMODE] = { .type = NLA_U16 },
654 
655 	[NL80211_ATTR_MESH_CONFIG] = { .type = NLA_NESTED },
656 	[NL80211_ATTR_SUPPORT_MESH_AUTH] = { .type = NLA_FLAG },
657 
658 	[NL80211_ATTR_HT_CAPABILITY] = NLA_POLICY_EXACT_LEN_WARN(NL80211_HT_CAPABILITY_LEN),
659 
660 	[NL80211_ATTR_MGMT_SUBTYPE] = { .type = NLA_U8 },
661 	[NL80211_ATTR_IE] = NLA_POLICY_VALIDATE_FN(NLA_BINARY,
662 						   validate_ie_attr,
663 						   IEEE80211_MAX_DATA_LEN),
664 	[NL80211_ATTR_SCAN_FREQUENCIES] = { .type = NLA_NESTED },
665 	[NL80211_ATTR_SCAN_SSIDS] = { .type = NLA_NESTED },
666 
667 	[NL80211_ATTR_SSID] = { .type = NLA_BINARY,
668 				.len = IEEE80211_MAX_SSID_LEN },
669 	[NL80211_ATTR_AUTH_TYPE] = { .type = NLA_U32 },
670 	[NL80211_ATTR_REASON_CODE] = { .type = NLA_U16 },
671 	[NL80211_ATTR_FREQ_FIXED] = { .type = NLA_FLAG },
672 	[NL80211_ATTR_TIMED_OUT] = { .type = NLA_FLAG },
673 	[NL80211_ATTR_USE_MFP] = NLA_POLICY_RANGE(NLA_U32,
674 						  NL80211_MFP_NO,
675 						  NL80211_MFP_OPTIONAL),
676 	[NL80211_ATTR_STA_FLAGS2] =
677 		NLA_POLICY_EXACT_LEN_WARN(sizeof(struct nl80211_sta_flag_update)),
678 	[NL80211_ATTR_CONTROL_PORT] = { .type = NLA_FLAG },
679 	[NL80211_ATTR_CONTROL_PORT_ETHERTYPE] = { .type = NLA_U16 },
680 	[NL80211_ATTR_CONTROL_PORT_NO_ENCRYPT] = { .type = NLA_FLAG },
681 	[NL80211_ATTR_CONTROL_PORT_OVER_NL80211] = { .type = NLA_FLAG },
682 	[NL80211_ATTR_PRIVACY] = { .type = NLA_FLAG },
683 	[NL80211_ATTR_STATUS_CODE] = { .type = NLA_U16 },
684 	[NL80211_ATTR_CIPHER_SUITE_GROUP] = { .type = NLA_U32 },
685 	[NL80211_ATTR_WPA_VERSIONS] =
686 		NLA_POLICY_RANGE(NLA_U32, 0,
687 				 NL80211_WPA_VERSION_1 |
688 				 NL80211_WPA_VERSION_2 |
689 				 NL80211_WPA_VERSION_3),
690 	[NL80211_ATTR_PID] = { .type = NLA_U32 },
691 	[NL80211_ATTR_4ADDR] = { .type = NLA_U8 },
692 	[NL80211_ATTR_PMKID] = NLA_POLICY_EXACT_LEN_WARN(WLAN_PMKID_LEN),
693 	[NL80211_ATTR_DURATION] = { .type = NLA_U32 },
694 	[NL80211_ATTR_COOKIE] = { .type = NLA_U64 },
695 	[NL80211_ATTR_TX_RATES] = { .type = NLA_NESTED },
696 	[NL80211_ATTR_FRAME] = { .type = NLA_BINARY,
697 				 .len = IEEE80211_MAX_DATA_LEN },
698 	[NL80211_ATTR_FRAME_MATCH] = { .type = NLA_BINARY, },
699 	[NL80211_ATTR_PS_STATE] = NLA_POLICY_RANGE(NLA_U32,
700 						   NL80211_PS_DISABLED,
701 						   NL80211_PS_ENABLED),
702 	[NL80211_ATTR_CQM] = { .type = NLA_NESTED, },
703 	[NL80211_ATTR_LOCAL_STATE_CHANGE] = { .type = NLA_FLAG },
704 	[NL80211_ATTR_AP_ISOLATE] = { .type = NLA_U8 },
705 	[NL80211_ATTR_WIPHY_TX_POWER_SETTING] = { .type = NLA_U32 },
706 	[NL80211_ATTR_WIPHY_TX_POWER_LEVEL] = { .type = NLA_U32 },
707 	[NL80211_ATTR_FRAME_TYPE] = { .type = NLA_U16 },
708 	[NL80211_ATTR_WIPHY_ANTENNA_TX] = { .type = NLA_U32 },
709 	[NL80211_ATTR_WIPHY_ANTENNA_RX] = { .type = NLA_U32 },
710 	[NL80211_ATTR_MCAST_RATE] = { .type = NLA_U32 },
711 	[NL80211_ATTR_OFFCHANNEL_TX_OK] = { .type = NLA_FLAG },
712 	[NL80211_ATTR_KEY_DEFAULT_TYPES] = { .type = NLA_NESTED },
713 	[NL80211_ATTR_WOWLAN_TRIGGERS] = { .type = NLA_NESTED },
714 	[NL80211_ATTR_STA_PLINK_STATE] =
715 		NLA_POLICY_MAX(NLA_U8, NUM_NL80211_PLINK_STATES - 1),
716 	[NL80211_ATTR_MEASUREMENT_DURATION] = { .type = NLA_U16 },
717 	[NL80211_ATTR_MEASUREMENT_DURATION_MANDATORY] = { .type = NLA_FLAG },
718 	[NL80211_ATTR_MESH_PEER_AID] =
719 		NLA_POLICY_RANGE(NLA_U16, 1, IEEE80211_MAX_AID),
720 	[NL80211_ATTR_SCHED_SCAN_INTERVAL] = { .type = NLA_U32 },
721 	[NL80211_ATTR_REKEY_DATA] = { .type = NLA_NESTED },
722 	[NL80211_ATTR_SCAN_SUPP_RATES] = { .type = NLA_NESTED },
723 	[NL80211_ATTR_HIDDEN_SSID] =
724 		NLA_POLICY_RANGE(NLA_U32,
725 				 NL80211_HIDDEN_SSID_NOT_IN_USE,
726 				 NL80211_HIDDEN_SSID_ZERO_CONTENTS),
727 	[NL80211_ATTR_IE_PROBE_RESP] =
728 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_ie_attr,
729 				       IEEE80211_MAX_DATA_LEN),
730 	[NL80211_ATTR_IE_ASSOC_RESP] =
731 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_ie_attr,
732 				       IEEE80211_MAX_DATA_LEN),
733 	[NL80211_ATTR_ROAM_SUPPORT] = { .type = NLA_FLAG },
734 	[NL80211_ATTR_STA_WME] = NLA_POLICY_NESTED(nl80211_sta_wme_policy),
735 	[NL80211_ATTR_SCHED_SCAN_MATCH] = { .type = NLA_NESTED },
736 	[NL80211_ATTR_TX_NO_CCK_RATE] = { .type = NLA_FLAG },
737 	[NL80211_ATTR_TDLS_ACTION] = { .type = NLA_U8 },
738 	[NL80211_ATTR_TDLS_DIALOG_TOKEN] = { .type = NLA_U8 },
739 	[NL80211_ATTR_TDLS_OPERATION] = { .type = NLA_U8 },
740 	[NL80211_ATTR_TDLS_SUPPORT] = { .type = NLA_FLAG },
741 	[NL80211_ATTR_TDLS_EXTERNAL_SETUP] = { .type = NLA_FLAG },
742 	[NL80211_ATTR_TDLS_INITIATOR] = { .type = NLA_FLAG },
743 	[NL80211_ATTR_DONT_WAIT_FOR_ACK] = { .type = NLA_FLAG },
744 	[NL80211_ATTR_PROBE_RESP] = { .type = NLA_BINARY,
745 				      .len = IEEE80211_MAX_DATA_LEN },
746 	[NL80211_ATTR_DFS_REGION] = { .type = NLA_U8 },
747 	[NL80211_ATTR_DISABLE_HT] = { .type = NLA_FLAG },
748 	[NL80211_ATTR_HT_CAPABILITY_MASK] = {
749 		.len = NL80211_HT_CAPABILITY_LEN
750 	},
751 	[NL80211_ATTR_NOACK_MAP] = { .type = NLA_U16 },
752 	[NL80211_ATTR_INACTIVITY_TIMEOUT] = { .type = NLA_U16 },
753 	[NL80211_ATTR_BG_SCAN_PERIOD] = { .type = NLA_U16 },
754 	[NL80211_ATTR_WDEV] = { .type = NLA_U64 },
755 	[NL80211_ATTR_USER_REG_HINT_TYPE] = { .type = NLA_U32 },
756 
757 	/* need to include at least Auth Transaction and Status Code */
758 	[NL80211_ATTR_AUTH_DATA] = NLA_POLICY_MIN_LEN(4),
759 
760 	[NL80211_ATTR_VHT_CAPABILITY] = NLA_POLICY_EXACT_LEN_WARN(NL80211_VHT_CAPABILITY_LEN),
761 	[NL80211_ATTR_SCAN_FLAGS] = { .type = NLA_U32 },
762 	[NL80211_ATTR_P2P_CTWINDOW] = NLA_POLICY_MAX(NLA_U8, 127),
763 	[NL80211_ATTR_P2P_OPPPS] = NLA_POLICY_MAX(NLA_U8, 1),
764 	[NL80211_ATTR_LOCAL_MESH_POWER_MODE] =
765 		NLA_POLICY_RANGE(NLA_U32,
766 				 NL80211_MESH_POWER_UNKNOWN + 1,
767 				 NL80211_MESH_POWER_MAX),
768 	[NL80211_ATTR_ACL_POLICY] = {. type = NLA_U32 },
769 	[NL80211_ATTR_MAC_ADDRS] = { .type = NLA_NESTED },
770 	[NL80211_ATTR_STA_CAPABILITY] = { .type = NLA_U16 },
771 	[NL80211_ATTR_STA_EXT_CAPABILITY] = { .type = NLA_BINARY, },
772 	[NL80211_ATTR_SPLIT_WIPHY_DUMP] = { .type = NLA_FLAG, },
773 	[NL80211_ATTR_DISABLE_VHT] = { .type = NLA_FLAG },
774 	[NL80211_ATTR_VHT_CAPABILITY_MASK] = {
775 		.len = NL80211_VHT_CAPABILITY_LEN,
776 	},
777 	[NL80211_ATTR_MDID] = { .type = NLA_U16 },
778 	[NL80211_ATTR_IE_RIC] = { .type = NLA_BINARY,
779 				  .len = IEEE80211_MAX_DATA_LEN },
780 	[NL80211_ATTR_CRIT_PROT_ID] = { .type = NLA_U16 },
781 	[NL80211_ATTR_MAX_CRIT_PROT_DURATION] =
782 		NLA_POLICY_MAX(NLA_U16, NL80211_CRIT_PROTO_MAX_DURATION),
783 	[NL80211_ATTR_PEER_AID] =
784 		NLA_POLICY_RANGE(NLA_U16, 1, IEEE80211_MAX_AID),
785 	[NL80211_ATTR_CH_SWITCH_COUNT] = { .type = NLA_U32 },
786 	[NL80211_ATTR_CH_SWITCH_BLOCK_TX] = { .type = NLA_FLAG },
787 	[NL80211_ATTR_CSA_IES] = { .type = NLA_NESTED },
788 	[NL80211_ATTR_CNTDWN_OFFS_BEACON] = { .type = NLA_BINARY },
789 	[NL80211_ATTR_CNTDWN_OFFS_PRESP] = { .type = NLA_BINARY },
790 	[NL80211_ATTR_STA_SUPPORTED_CHANNELS] = NLA_POLICY_MIN_LEN(2),
791 	/*
792 	 * The value of the Length field of the Supported Operating
793 	 * Classes element is between 2 and 253.
794 	 */
795 	[NL80211_ATTR_STA_SUPPORTED_OPER_CLASSES] =
796 		NLA_POLICY_RANGE(NLA_BINARY, 2, 253),
797 	[NL80211_ATTR_HANDLE_DFS] = { .type = NLA_FLAG },
798 	[NL80211_ATTR_OPMODE_NOTIF] = { .type = NLA_U8 },
799 	[NL80211_ATTR_VENDOR_ID] = { .type = NLA_U32 },
800 	[NL80211_ATTR_VENDOR_SUBCMD] = { .type = NLA_U32 },
801 	[NL80211_ATTR_VENDOR_DATA] = { .type = NLA_BINARY },
802 	[NL80211_ATTR_QOS_MAP] = NLA_POLICY_RANGE(NLA_BINARY,
803 						  IEEE80211_QOS_MAP_LEN_MIN,
804 						  IEEE80211_QOS_MAP_LEN_MAX),
805 	[NL80211_ATTR_MAC_HINT] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
806 	[NL80211_ATTR_WIPHY_FREQ_HINT] = { .type = NLA_U32 },
807 	[NL80211_ATTR_TDLS_PEER_CAPABILITY] = { .type = NLA_U32 },
808 	[NL80211_ATTR_SOCKET_OWNER] = { .type = NLA_FLAG },
809 	[NL80211_ATTR_CSA_C_OFFSETS_TX] = { .type = NLA_BINARY },
810 	[NL80211_ATTR_USE_RRM] = { .type = NLA_FLAG },
811 	[NL80211_ATTR_TSID] = NLA_POLICY_MAX(NLA_U8, IEEE80211_NUM_TIDS - 1),
812 	[NL80211_ATTR_USER_PRIO] =
813 		NLA_POLICY_MAX(NLA_U8, IEEE80211_NUM_UPS - 1),
814 	[NL80211_ATTR_ADMITTED_TIME] = { .type = NLA_U16 },
815 	[NL80211_ATTR_SMPS_MODE] = { .type = NLA_U8 },
816 	[NL80211_ATTR_OPER_CLASS] = { .type = NLA_U8 },
817 	[NL80211_ATTR_MAC_MASK] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
818 	[NL80211_ATTR_WIPHY_SELF_MANAGED_REG] = { .type = NLA_FLAG },
819 	[NL80211_ATTR_NETNS_FD] = { .type = NLA_U32 },
820 	[NL80211_ATTR_SCHED_SCAN_DELAY] = { .type = NLA_U32 },
821 	[NL80211_ATTR_REG_INDOOR] = { .type = NLA_FLAG },
822 	[NL80211_ATTR_PBSS] = { .type = NLA_FLAG },
823 	[NL80211_ATTR_BSS_SELECT] = { .type = NLA_NESTED },
824 	[NL80211_ATTR_STA_SUPPORT_P2P_PS] =
825 		NLA_POLICY_MAX(NLA_U8, NUM_NL80211_P2P_PS_STATUS - 1),
826 	[NL80211_ATTR_MU_MIMO_GROUP_DATA] = {
827 		.len = VHT_MUMIMO_GROUPS_DATA_LEN
828 	},
829 	[NL80211_ATTR_MU_MIMO_FOLLOW_MAC_ADDR] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
830 	[NL80211_ATTR_NAN_MASTER_PREF] = NLA_POLICY_MIN(NLA_U8, 1),
831 	[NL80211_ATTR_BANDS] = { .type = NLA_U32 },
832 	[NL80211_ATTR_NAN_CONFIG] = NLA_POLICY_NESTED(nl80211_nan_conf_policy),
833 	[NL80211_ATTR_NAN_FUNC] = { .type = NLA_NESTED },
834 	[NL80211_ATTR_FILS_KEK] = { .type = NLA_BINARY,
835 				    .len = FILS_MAX_KEK_LEN },
836 	[NL80211_ATTR_FILS_NONCES] = NLA_POLICY_EXACT_LEN_WARN(2 * FILS_NONCE_LEN),
837 	[NL80211_ATTR_MULTICAST_TO_UNICAST_ENABLED] = { .type = NLA_FLAG, },
838 	[NL80211_ATTR_BSSID] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
839 	[NL80211_ATTR_SCHED_SCAN_RELATIVE_RSSI] = { .type = NLA_S8 },
840 	[NL80211_ATTR_SCHED_SCAN_RSSI_ADJUST] = {
841 		.len = sizeof(struct nl80211_bss_select_rssi_adjust)
842 	},
843 	[NL80211_ATTR_TIMEOUT_REASON] = { .type = NLA_U32 },
844 	[NL80211_ATTR_FILS_ERP_USERNAME] = { .type = NLA_BINARY,
845 					     .len = FILS_ERP_MAX_USERNAME_LEN },
846 	[NL80211_ATTR_FILS_ERP_REALM] = { .type = NLA_BINARY,
847 					  .len = FILS_ERP_MAX_REALM_LEN },
848 	[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM] = { .type = NLA_U16 },
849 	[NL80211_ATTR_FILS_ERP_RRK] = { .type = NLA_BINARY,
850 					.len = FILS_ERP_MAX_RRK_LEN },
851 	[NL80211_ATTR_FILS_CACHE_ID] = NLA_POLICY_EXACT_LEN_WARN(2),
852 	[NL80211_ATTR_PMK] = { .type = NLA_BINARY, .len = PMK_MAX_LEN },
853 	[NL80211_ATTR_PMKR0_NAME] = NLA_POLICY_EXACT_LEN(WLAN_PMK_NAME_LEN),
854 	[NL80211_ATTR_SCHED_SCAN_MULTI] = { .type = NLA_FLAG },
855 	[NL80211_ATTR_EXTERNAL_AUTH_SUPPORT] = { .type = NLA_FLAG },
856 
857 	[NL80211_ATTR_TXQ_LIMIT] = { .type = NLA_U32 },
858 	[NL80211_ATTR_TXQ_MEMORY_LIMIT] = { .type = NLA_U32 },
859 	[NL80211_ATTR_TXQ_QUANTUM] = NLA_POLICY_FULL_RANGE(NLA_U32, &q_range),
860 	[NL80211_ATTR_HE_CAPABILITY] =
861 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_he_capa,
862 				       NL80211_HE_MAX_CAPABILITY_LEN),
863 	[NL80211_ATTR_FTM_RESPONDER] =
864 		NLA_POLICY_NESTED(nl80211_ftm_responder_policy),
865 	[NL80211_ATTR_TIMEOUT] = NLA_POLICY_MIN(NLA_U32, 1),
866 	[NL80211_ATTR_PEER_MEASUREMENTS] =
867 		NLA_POLICY_NESTED(nl80211_pmsr_attr_policy),
868 	[NL80211_ATTR_AIRTIME_WEIGHT] = NLA_POLICY_MIN(NLA_U16, 1),
869 	[NL80211_ATTR_SAE_PASSWORD] = { .type = NLA_BINARY,
870 					.len = SAE_PASSWORD_MAX_LEN },
871 	[NL80211_ATTR_TWT_RESPONDER] = { .type = NLA_FLAG },
872 	[NL80211_ATTR_HE_OBSS_PD] = NLA_POLICY_NESTED(he_obss_pd_policy),
873 	[NL80211_ATTR_VLAN_ID] = NLA_POLICY_RANGE(NLA_U16, 1, VLAN_N_VID - 2),
874 	[NL80211_ATTR_HE_BSS_COLOR] = NLA_POLICY_NESTED(he_bss_color_policy),
875 	[NL80211_ATTR_TID_CONFIG] =
876 		NLA_POLICY_NESTED_ARRAY(nl80211_tid_config_attr_policy),
877 	[NL80211_ATTR_CONTROL_PORT_NO_PREAUTH] = { .type = NLA_FLAG },
878 	[NL80211_ATTR_PMK_LIFETIME] = NLA_POLICY_MIN(NLA_U32, 1),
879 	[NL80211_ATTR_PMK_REAUTH_THRESHOLD] = NLA_POLICY_RANGE(NLA_U8, 1, 100),
880 	[NL80211_ATTR_RECEIVE_MULTICAST] = { .type = NLA_FLAG },
881 	[NL80211_ATTR_WIPHY_FREQ_OFFSET] = NLA_POLICY_RANGE(NLA_U32, 0, 999),
882 	[NL80211_ATTR_SCAN_FREQ_KHZ] = { .type = NLA_NESTED },
883 	[NL80211_ATTR_HE_6GHZ_CAPABILITY] =
884 		NLA_POLICY_EXACT_LEN(sizeof(struct ieee80211_he_6ghz_capa)),
885 	[NL80211_ATTR_FILS_DISCOVERY] =
886 		NLA_POLICY_NESTED(nl80211_fils_discovery_policy),
887 	[NL80211_ATTR_UNSOL_BCAST_PROBE_RESP] =
888 		NLA_POLICY_NESTED(nl80211_unsol_bcast_probe_resp_policy),
889 	[NL80211_ATTR_S1G_CAPABILITY] =
890 		NLA_POLICY_EXACT_LEN(IEEE80211_S1G_CAPABILITY_LEN),
891 	[NL80211_ATTR_S1G_CAPABILITY_MASK] =
892 		NLA_POLICY_EXACT_LEN(IEEE80211_S1G_CAPABILITY_LEN),
893 	[NL80211_ATTR_SAE_PWE] =
894 		NLA_POLICY_RANGE(NLA_U8, NL80211_SAE_PWE_HUNT_AND_PECK,
895 				 NL80211_SAE_PWE_BOTH),
896 	[NL80211_ATTR_RECONNECT_REQUESTED] = { .type = NLA_REJECT },
897 	[NL80211_ATTR_SAR_SPEC] = NLA_POLICY_NESTED(sar_policy),
898 	[NL80211_ATTR_DISABLE_HE] = { .type = NLA_FLAG },
899 	[NL80211_ATTR_OBSS_COLOR_BITMAP] = { .type = NLA_U64 },
900 	[NL80211_ATTR_COLOR_CHANGE_COUNT] = { .type = NLA_U8 },
901 	[NL80211_ATTR_COLOR_CHANGE_COLOR] = { .type = NLA_U8 },
902 	[NL80211_ATTR_COLOR_CHANGE_ELEMS] = NLA_POLICY_NESTED(nl80211_policy),
903 	[NL80211_ATTR_MBSSID_CONFIG] =
904 			NLA_POLICY_NESTED(nl80211_mbssid_config_policy),
905 	[NL80211_ATTR_MBSSID_ELEMS] = { .type = NLA_NESTED },
906 	[NL80211_ATTR_RADAR_BACKGROUND] = { .type = NLA_FLAG },
907 	[NL80211_ATTR_AP_SETTINGS_FLAGS] = { .type = NLA_U32 },
908 	[NL80211_ATTR_EHT_CAPABILITY] =
909 		NLA_POLICY_RANGE(NLA_BINARY,
910 				 NL80211_EHT_MIN_CAPABILITY_LEN,
911 				 NL80211_EHT_MAX_CAPABILITY_LEN),
912 	[NL80211_ATTR_DISABLE_EHT] = { .type = NLA_FLAG },
913 	[NL80211_ATTR_MLO_LINKS] =
914 		NLA_POLICY_NESTED_ARRAY(nl80211_policy),
915 	[NL80211_ATTR_MLO_LINK_ID] =
916 		NLA_POLICY_RANGE(NLA_U8, 0, IEEE80211_MLD_MAX_NUM_LINKS - 1),
917 	[NL80211_ATTR_MLD_ADDR] = NLA_POLICY_EXACT_LEN(ETH_ALEN),
918 	[NL80211_ATTR_MLO_SUPPORT] = { .type = NLA_FLAG },
919 	[NL80211_ATTR_MAX_NUM_AKM_SUITES] = { .type = NLA_REJECT },
920 	[NL80211_ATTR_EML_CAPABILITY] = { .type = NLA_U16 },
921 	[NL80211_ATTR_PUNCT_BITMAP] =
922 		NLA_POLICY_FULL_RANGE(NLA_U32, &nl80211_punct_bitmap_range),
923 
924 	[NL80211_ATTR_MAX_HW_TIMESTAMP_PEERS] = { .type = NLA_U16 },
925 	[NL80211_ATTR_HW_TIMESTAMP_ENABLED] = { .type = NLA_FLAG },
926 	[NL80211_ATTR_EMA_RNR_ELEMS] = { .type = NLA_NESTED },
927 	[NL80211_ATTR_MLO_LINK_DISABLED] = { .type = NLA_FLAG },
928 	[NL80211_ATTR_BSS_DUMP_INCLUDE_USE_DATA] = { .type = NLA_FLAG },
929 	[NL80211_ATTR_MLO_TTLM_DLINK] = NLA_POLICY_EXACT_LEN(sizeof(u16) * 8),
930 	[NL80211_ATTR_MLO_TTLM_ULINK] = NLA_POLICY_EXACT_LEN(sizeof(u16) * 8),
931 	[NL80211_ATTR_ASSOC_SPP_AMSDU] = { .type = NLA_FLAG },
932 	[NL80211_ATTR_VIF_RADIO_MASK] = { .type = NLA_U32 },
933 	[NL80211_ATTR_SUPPORTED_SELECTORS] =
934 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_supported_selectors,
935 				       NL80211_MAX_SUPP_SELECTORS),
936 	[NL80211_ATTR_MLO_RECONF_REM_LINKS] = { .type = NLA_U16 },
937 	[NL80211_ATTR_EPCS] = { .type = NLA_FLAG },
938 	[NL80211_ATTR_ASSOC_MLD_EXT_CAPA_OPS] = { .type = NLA_U16 },
939 	[NL80211_ATTR_WIPHY_RADIO_INDEX] = { .type = NLA_U8 },
940 	[NL80211_ATTR_S1G_LONG_BEACON_PERIOD] = NLA_POLICY_MIN(NLA_U8, 2),
941 	[NL80211_ATTR_S1G_SHORT_BEACON] =
942 		NLA_POLICY_NESTED(nl80211_s1g_short_beacon),
943 	[NL80211_ATTR_BSS_PARAM] = { .type = NLA_FLAG },
944 	[NL80211_ATTR_S1G_PRIMARY_2MHZ] = { .type = NLA_FLAG },
945 	[NL80211_ATTR_EPP_PEER] = { .type = NLA_FLAG },
946 	[NL80211_ATTR_UHR_CAPABILITY] =
947 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_uhr_capa, 255),
948 	[NL80211_ATTR_DISABLE_UHR] = { .type = NLA_FLAG },
949 };
950 
951 /* policy for the key attributes */
952 static const struct nla_policy nl80211_key_policy[NL80211_KEY_MAX + 1] = {
953 	[NL80211_KEY_DATA] = { .type = NLA_BINARY, .len = WLAN_MAX_KEY_LEN },
954 	[NL80211_KEY_IDX] = { .type = NLA_U8 },
955 	[NL80211_KEY_CIPHER] = { .type = NLA_U32 },
956 	[NL80211_KEY_SEQ] = { .type = NLA_BINARY, .len = 16 },
957 	[NL80211_KEY_DEFAULT] = { .type = NLA_FLAG },
958 	[NL80211_KEY_DEFAULT_MGMT] = { .type = NLA_FLAG },
959 	[NL80211_KEY_TYPE] = NLA_POLICY_MAX(NLA_U32, NUM_NL80211_KEYTYPES - 1),
960 	[NL80211_KEY_DEFAULT_TYPES] = { .type = NLA_NESTED },
961 	[NL80211_KEY_MODE] = NLA_POLICY_RANGE(NLA_U8, 0, NL80211_KEY_SET_TX),
962 };
963 
964 /* policy for the key default flags */
965 static const struct nla_policy
966 nl80211_key_default_policy[NUM_NL80211_KEY_DEFAULT_TYPES] = {
967 	[NL80211_KEY_DEFAULT_TYPE_UNICAST] = { .type = NLA_FLAG },
968 	[NL80211_KEY_DEFAULT_TYPE_MULTICAST] = { .type = NLA_FLAG },
969 };
970 
971 #ifdef CONFIG_PM
972 /* policy for WoWLAN attributes */
973 static const struct nla_policy
974 nl80211_wowlan_policy[NUM_NL80211_WOWLAN_TRIG] = {
975 	[NL80211_WOWLAN_TRIG_ANY] = { .type = NLA_FLAG },
976 	[NL80211_WOWLAN_TRIG_DISCONNECT] = { .type = NLA_FLAG },
977 	[NL80211_WOWLAN_TRIG_MAGIC_PKT] = { .type = NLA_FLAG },
978 	[NL80211_WOWLAN_TRIG_PKT_PATTERN] = { .type = NLA_NESTED },
979 	[NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE] = { .type = NLA_FLAG },
980 	[NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST] = { .type = NLA_FLAG },
981 	[NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE] = { .type = NLA_FLAG },
982 	[NL80211_WOWLAN_TRIG_RFKILL_RELEASE] = { .type = NLA_FLAG },
983 	[NL80211_WOWLAN_TRIG_TCP_CONNECTION] = { .type = NLA_NESTED },
984 	[NL80211_WOWLAN_TRIG_NET_DETECT] = { .type = NLA_NESTED },
985 };
986 
987 static const struct nla_policy
988 nl80211_wowlan_tcp_policy[NUM_NL80211_WOWLAN_TCP] = {
989 	[NL80211_WOWLAN_TCP_SRC_IPV4] = { .type = NLA_U32 },
990 	[NL80211_WOWLAN_TCP_DST_IPV4] = { .type = NLA_U32 },
991 	[NL80211_WOWLAN_TCP_DST_MAC] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
992 	[NL80211_WOWLAN_TCP_SRC_PORT] = { .type = NLA_U16 },
993 	[NL80211_WOWLAN_TCP_DST_PORT] = { .type = NLA_U16 },
994 	[NL80211_WOWLAN_TCP_DATA_PAYLOAD] = NLA_POLICY_MIN_LEN(1),
995 	[NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ] = {
996 		.len = sizeof(struct nl80211_wowlan_tcp_data_seq)
997 	},
998 	[NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN] = {
999 		.len = sizeof(struct nl80211_wowlan_tcp_data_token)
1000 	},
1001 	[NL80211_WOWLAN_TCP_DATA_INTERVAL] = { .type = NLA_U32 },
1002 	[NL80211_WOWLAN_TCP_WAKE_PAYLOAD] = NLA_POLICY_MIN_LEN(1),
1003 	[NL80211_WOWLAN_TCP_WAKE_MASK] = NLA_POLICY_MIN_LEN(1),
1004 };
1005 #endif /* CONFIG_PM */
1006 
1007 /* policy for coalesce rule attributes */
1008 static const struct nla_policy
1009 nl80211_coalesce_policy[NUM_NL80211_ATTR_COALESCE_RULE] = {
1010 	[NL80211_ATTR_COALESCE_RULE_DELAY] = { .type = NLA_U32 },
1011 	[NL80211_ATTR_COALESCE_RULE_CONDITION] =
1012 		NLA_POLICY_RANGE(NLA_U32,
1013 				 NL80211_COALESCE_CONDITION_MATCH,
1014 				 NL80211_COALESCE_CONDITION_NO_MATCH),
1015 	[NL80211_ATTR_COALESCE_RULE_PKT_PATTERN] = { .type = NLA_NESTED },
1016 };
1017 
1018 /* policy for GTK rekey offload attributes */
1019 static const struct nla_policy
1020 nl80211_rekey_policy[NUM_NL80211_REKEY_DATA] = {
1021 	[NL80211_REKEY_DATA_KEK] = {
1022 		.type = NLA_BINARY,
1023 		.len = NL80211_KEK_EXT_LEN
1024 	},
1025 	[NL80211_REKEY_DATA_KCK] = {
1026 		.type = NLA_BINARY,
1027 		.len = NL80211_KCK_EXT_LEN_32
1028 	},
1029 	[NL80211_REKEY_DATA_REPLAY_CTR] = NLA_POLICY_EXACT_LEN(NL80211_REPLAY_CTR_LEN),
1030 	[NL80211_REKEY_DATA_AKM] = { .type = NLA_U32 },
1031 };
1032 
1033 static const struct nla_policy
1034 nl80211_match_policy[NL80211_SCHED_SCAN_MATCH_ATTR_MAX + 1] = {
1035 	[NL80211_SCHED_SCAN_MATCH_ATTR_SSID] = { .type = NLA_BINARY,
1036 						 .len = IEEE80211_MAX_SSID_LEN },
1037 	[NL80211_SCHED_SCAN_MATCH_ATTR_BSSID] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
1038 	[NL80211_SCHED_SCAN_MATCH_ATTR_RSSI] = { .type = NLA_U32 },
1039 };
1040 
1041 static const struct nla_policy
1042 nl80211_plan_policy[NL80211_SCHED_SCAN_PLAN_MAX + 1] = {
1043 	[NL80211_SCHED_SCAN_PLAN_INTERVAL] = { .type = NLA_U32 },
1044 	[NL80211_SCHED_SCAN_PLAN_ITERATIONS] = { .type = NLA_U32 },
1045 };
1046 
1047 static const struct nla_policy
1048 nl80211_bss_select_policy[NL80211_BSS_SELECT_ATTR_MAX + 1] = {
1049 	[NL80211_BSS_SELECT_ATTR_RSSI] = { .type = NLA_FLAG },
1050 	[NL80211_BSS_SELECT_ATTR_BAND_PREF] = { .type = NLA_U32 },
1051 	[NL80211_BSS_SELECT_ATTR_RSSI_ADJUST] = {
1052 		.len = sizeof(struct nl80211_bss_select_rssi_adjust)
1053 	},
1054 };
1055 
1056 /* policy for NAN function attributes */
1057 static const struct nla_policy
1058 nl80211_nan_func_policy[NL80211_NAN_FUNC_ATTR_MAX + 1] = {
1059 	[NL80211_NAN_FUNC_TYPE] =
1060 		NLA_POLICY_MAX(NLA_U8, NL80211_NAN_FUNC_MAX_TYPE),
1061 	[NL80211_NAN_FUNC_SERVICE_ID] = {
1062 				    .len = NL80211_NAN_FUNC_SERVICE_ID_LEN },
1063 	[NL80211_NAN_FUNC_PUBLISH_TYPE] = { .type = NLA_U8 },
1064 	[NL80211_NAN_FUNC_PUBLISH_BCAST] = { .type = NLA_FLAG },
1065 	[NL80211_NAN_FUNC_SUBSCRIBE_ACTIVE] = { .type = NLA_FLAG },
1066 	[NL80211_NAN_FUNC_FOLLOW_UP_ID] = { .type = NLA_U8 },
1067 	[NL80211_NAN_FUNC_FOLLOW_UP_REQ_ID] = { .type = NLA_U8 },
1068 	[NL80211_NAN_FUNC_FOLLOW_UP_DEST] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
1069 	[NL80211_NAN_FUNC_CLOSE_RANGE] = { .type = NLA_FLAG },
1070 	[NL80211_NAN_FUNC_TTL] = { .type = NLA_U32 },
1071 	[NL80211_NAN_FUNC_SERVICE_INFO] = { .type = NLA_BINARY,
1072 			.len = NL80211_NAN_FUNC_SERVICE_SPEC_INFO_MAX_LEN },
1073 	[NL80211_NAN_FUNC_SRF] = { .type = NLA_NESTED },
1074 	[NL80211_NAN_FUNC_RX_MATCH_FILTER] = { .type = NLA_NESTED },
1075 	[NL80211_NAN_FUNC_TX_MATCH_FILTER] = { .type = NLA_NESTED },
1076 	[NL80211_NAN_FUNC_INSTANCE_ID] = { .type = NLA_U8 },
1077 	[NL80211_NAN_FUNC_TERM_REASON] = { .type = NLA_U8 },
1078 };
1079 
1080 /* policy for Service Response Filter attributes */
1081 static const struct nla_policy
1082 nl80211_nan_srf_policy[NL80211_NAN_SRF_ATTR_MAX + 1] = {
1083 	[NL80211_NAN_SRF_INCLUDE] = { .type = NLA_FLAG },
1084 	[NL80211_NAN_SRF_BF] = { .type = NLA_BINARY,
1085 				 .len =  NL80211_NAN_FUNC_SRF_MAX_LEN },
1086 	[NL80211_NAN_SRF_BF_IDX] = { .type = NLA_U8 },
1087 	[NL80211_NAN_SRF_MAC_ADDRS] = { .type = NLA_NESTED },
1088 };
1089 
1090 /* policy for packet pattern attributes */
1091 static const struct nla_policy
1092 nl80211_packet_pattern_policy[MAX_NL80211_PKTPAT + 1] = {
1093 	[NL80211_PKTPAT_MASK] = { .type = NLA_BINARY, },
1094 	[NL80211_PKTPAT_PATTERN] = { .type = NLA_BINARY, },
1095 	[NL80211_PKTPAT_OFFSET] = { .type = NLA_U32 },
1096 };
1097 
1098 static int nl80211_prepare_wdev_dump(struct netlink_callback *cb,
1099 				     struct cfg80211_registered_device **rdev,
1100 				     struct wireless_dev **wdev,
1101 				     struct nlattr **attrbuf)
1102 {
1103 	int err;
1104 
1105 	if (!cb->args[0]) {
1106 		struct nlattr **attrbuf_free = NULL;
1107 
1108 		if (!attrbuf) {
1109 			attrbuf = kzalloc_objs(*attrbuf, NUM_NL80211_ATTR);
1110 			if (!attrbuf)
1111 				return -ENOMEM;
1112 			attrbuf_free = attrbuf;
1113 		}
1114 
1115 		err = nlmsg_parse_deprecated(cb->nlh,
1116 					     GENL_HDRLEN + nl80211_fam.hdrsize,
1117 					     attrbuf, nl80211_fam.maxattr,
1118 					     nl80211_policy, NULL);
1119 		if (err) {
1120 			kfree(attrbuf_free);
1121 			return err;
1122 		}
1123 
1124 		rtnl_lock();
1125 		*wdev = __cfg80211_wdev_from_attrs(NULL, sock_net(cb->skb->sk),
1126 						   attrbuf);
1127 		kfree(attrbuf_free);
1128 		if (IS_ERR(*wdev)) {
1129 			rtnl_unlock();
1130 			return PTR_ERR(*wdev);
1131 		}
1132 		*rdev = wiphy_to_rdev((*wdev)->wiphy);
1133 		mutex_lock(&(*rdev)->wiphy.mtx);
1134 		rtnl_unlock();
1135 		/* 0 is the first index - add 1 to parse only once */
1136 		cb->args[0] = (*rdev)->wiphy_idx + 1;
1137 		cb->args[1] = (*wdev)->identifier;
1138 	} else {
1139 		/* subtract the 1 again here */
1140 		struct wiphy *wiphy;
1141 		struct wireless_dev *tmp;
1142 
1143 		rtnl_lock();
1144 		wiphy = wiphy_idx_to_wiphy(cb->args[0] - 1);
1145 		if (!wiphy) {
1146 			rtnl_unlock();
1147 			return -ENODEV;
1148 		}
1149 		*rdev = wiphy_to_rdev(wiphy);
1150 		*wdev = NULL;
1151 
1152 		list_for_each_entry(tmp, &(*rdev)->wiphy.wdev_list, list) {
1153 			if (tmp->identifier == cb->args[1]) {
1154 				*wdev = tmp;
1155 				break;
1156 			}
1157 		}
1158 
1159 		if (!*wdev) {
1160 			rtnl_unlock();
1161 			return -ENODEV;
1162 		}
1163 		mutex_lock(&(*rdev)->wiphy.mtx);
1164 		rtnl_unlock();
1165 	}
1166 
1167 	return 0;
1168 }
1169 
1170 /* message building helper */
1171 void *nl80211hdr_put(struct sk_buff *skb, u32 portid, u32 seq,
1172 		     int flags, u8 cmd)
1173 {
1174 	/* since there is no private header just add the generic one */
1175 	return genlmsg_put(skb, portid, seq, &nl80211_fam, flags, cmd);
1176 }
1177 
1178 static int nl80211_msg_put_wmm_rules(struct sk_buff *msg,
1179 				     const struct ieee80211_reg_rule *rule)
1180 {
1181 	int j;
1182 	struct nlattr *nl_wmm_rules =
1183 		nla_nest_start_noflag(msg, NL80211_FREQUENCY_ATTR_WMM);
1184 
1185 	if (!nl_wmm_rules)
1186 		goto nla_put_failure;
1187 
1188 	for (j = 0; j < IEEE80211_NUM_ACS; j++) {
1189 		struct nlattr *nl_wmm_rule = nla_nest_start_noflag(msg, j);
1190 
1191 		if (!nl_wmm_rule)
1192 			goto nla_put_failure;
1193 
1194 		if (nla_put_u16(msg, NL80211_WMMR_CW_MIN,
1195 				rule->wmm_rule.client[j].cw_min) ||
1196 		    nla_put_u16(msg, NL80211_WMMR_CW_MAX,
1197 				rule->wmm_rule.client[j].cw_max) ||
1198 		    nla_put_u8(msg, NL80211_WMMR_AIFSN,
1199 			       rule->wmm_rule.client[j].aifsn) ||
1200 		    nla_put_u16(msg, NL80211_WMMR_TXOP,
1201 			        rule->wmm_rule.client[j].cot))
1202 			goto nla_put_failure;
1203 
1204 		nla_nest_end(msg, nl_wmm_rule);
1205 	}
1206 	nla_nest_end(msg, nl_wmm_rules);
1207 
1208 	return 0;
1209 
1210 nla_put_failure:
1211 	return -ENOBUFS;
1212 }
1213 
1214 static int nl80211_msg_put_channel(struct sk_buff *msg, struct wiphy *wiphy,
1215 				   struct ieee80211_channel *chan,
1216 				   bool large)
1217 {
1218 	/* Some channels must be completely excluded from the
1219 	 * list to protect old user-space tools from breaking
1220 	 */
1221 	if (!large && chan->flags &
1222 	    (IEEE80211_CHAN_NO_10MHZ | IEEE80211_CHAN_NO_20MHZ))
1223 		return 0;
1224 	if (!large && chan->freq_offset)
1225 		return 0;
1226 
1227 	if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_FREQ,
1228 			chan->center_freq))
1229 		goto nla_put_failure;
1230 
1231 	if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_OFFSET, chan->freq_offset))
1232 		goto nla_put_failure;
1233 
1234 	if ((chan->flags & IEEE80211_CHAN_PSD) &&
1235 	    nla_put_s8(msg, NL80211_FREQUENCY_ATTR_PSD, chan->psd))
1236 		goto nla_put_failure;
1237 
1238 	if ((chan->flags & IEEE80211_CHAN_DISABLED) &&
1239 	    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_DISABLED))
1240 		goto nla_put_failure;
1241 	if (chan->flags & IEEE80211_CHAN_NO_IR) {
1242 		if (nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_IR))
1243 			goto nla_put_failure;
1244 		if (nla_put_flag(msg, __NL80211_FREQUENCY_ATTR_NO_IBSS))
1245 			goto nla_put_failure;
1246 	}
1247 	if (chan->flags & IEEE80211_CHAN_RADAR) {
1248 		if (nla_put_flag(msg, NL80211_FREQUENCY_ATTR_RADAR))
1249 			goto nla_put_failure;
1250 		if (large) {
1251 			u32 time;
1252 
1253 			time = elapsed_jiffies_msecs(chan->dfs_state_entered);
1254 
1255 			if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_DFS_STATE,
1256 					chan->dfs_state))
1257 				goto nla_put_failure;
1258 			if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_DFS_TIME,
1259 					time))
1260 				goto nla_put_failure;
1261 			if (nla_put_u32(msg,
1262 					NL80211_FREQUENCY_ATTR_DFS_CAC_TIME,
1263 					chan->dfs_cac_ms))
1264 				goto nla_put_failure;
1265 		}
1266 	}
1267 
1268 	if (large) {
1269 		if ((chan->flags & IEEE80211_CHAN_NO_HT40MINUS) &&
1270 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_HT40_MINUS))
1271 			goto nla_put_failure;
1272 		if ((chan->flags & IEEE80211_CHAN_NO_HT40PLUS) &&
1273 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_HT40_PLUS))
1274 			goto nla_put_failure;
1275 		if ((chan->flags & IEEE80211_CHAN_NO_80MHZ) &&
1276 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_80MHZ))
1277 			goto nla_put_failure;
1278 		if ((chan->flags & IEEE80211_CHAN_NO_160MHZ) &&
1279 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_160MHZ))
1280 			goto nla_put_failure;
1281 		if ((chan->flags & IEEE80211_CHAN_INDOOR_ONLY) &&
1282 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_INDOOR_ONLY))
1283 			goto nla_put_failure;
1284 		if ((chan->flags & IEEE80211_CHAN_IR_CONCURRENT) &&
1285 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_IR_CONCURRENT))
1286 			goto nla_put_failure;
1287 		if ((chan->flags & IEEE80211_CHAN_NO_20MHZ) &&
1288 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_20MHZ))
1289 			goto nla_put_failure;
1290 		if ((chan->flags & IEEE80211_CHAN_NO_10MHZ) &&
1291 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_10MHZ))
1292 			goto nla_put_failure;
1293 		if ((chan->flags & IEEE80211_CHAN_NO_HE) &&
1294 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_HE))
1295 			goto nla_put_failure;
1296 		if ((chan->flags & IEEE80211_CHAN_NO_320MHZ) &&
1297 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_320MHZ))
1298 			goto nla_put_failure;
1299 		if ((chan->flags & IEEE80211_CHAN_NO_EHT) &&
1300 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_EHT))
1301 			goto nla_put_failure;
1302 		if ((chan->flags & IEEE80211_CHAN_DFS_CONCURRENT) &&
1303 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_DFS_CONCURRENT))
1304 			goto nla_put_failure;
1305 		if ((chan->flags & IEEE80211_CHAN_NO_6GHZ_VLP_CLIENT) &&
1306 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_6GHZ_VLP_CLIENT))
1307 			goto nla_put_failure;
1308 		if ((chan->flags & IEEE80211_CHAN_NO_6GHZ_AFC_CLIENT) &&
1309 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_6GHZ_AFC_CLIENT))
1310 			goto nla_put_failure;
1311 		if ((chan->flags & IEEE80211_CHAN_CAN_MONITOR) &&
1312 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_CAN_MONITOR))
1313 			goto nla_put_failure;
1314 		if ((chan->flags & IEEE80211_CHAN_ALLOW_6GHZ_VLP_AP) &&
1315 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_ALLOW_6GHZ_VLP_AP))
1316 			goto nla_put_failure;
1317 		if ((chan->flags & IEEE80211_CHAN_ALLOW_20MHZ_ACTIVITY) &&
1318 		    nla_put_flag(msg,
1319 				 NL80211_FREQUENCY_ATTR_ALLOW_20MHZ_ACTIVITY))
1320 			goto nla_put_failure;
1321 		if ((chan->flags & IEEE80211_CHAN_NO_4MHZ) &&
1322 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_4MHZ))
1323 			goto nla_put_failure;
1324 		if ((chan->flags & IEEE80211_CHAN_NO_8MHZ) &&
1325 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_8MHZ))
1326 			goto nla_put_failure;
1327 		if ((chan->flags & IEEE80211_CHAN_NO_16MHZ) &&
1328 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_16MHZ))
1329 			goto nla_put_failure;
1330 		if ((chan->flags & IEEE80211_CHAN_S1G_NO_PRIMARY) &&
1331 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_S1G_NO_PRIMARY))
1332 			goto nla_put_failure;
1333 		if ((chan->flags & IEEE80211_CHAN_NO_UHR) &&
1334 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_UHR))
1335 			goto nla_put_failure;
1336 	}
1337 
1338 	if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_MAX_TX_POWER,
1339 			DBM_TO_MBM(chan->max_power)))
1340 		goto nla_put_failure;
1341 
1342 	if (large) {
1343 		const struct ieee80211_reg_rule *rule =
1344 			freq_reg_info(wiphy, MHZ_TO_KHZ(chan->center_freq));
1345 
1346 		if (!IS_ERR_OR_NULL(rule) && rule->has_wmm) {
1347 			if (nl80211_msg_put_wmm_rules(msg, rule))
1348 				goto nla_put_failure;
1349 		}
1350 	}
1351 
1352 	return 0;
1353 
1354  nla_put_failure:
1355 	return -ENOBUFS;
1356 }
1357 
1358 static bool nl80211_put_txq_stats(struct sk_buff *msg,
1359 				  struct cfg80211_txq_stats *txqstats,
1360 				  int attrtype)
1361 {
1362 	struct nlattr *txqattr;
1363 
1364 #define PUT_TXQVAL_U32(attr, memb) do {					  \
1365 	if (txqstats->filled & BIT(NL80211_TXQ_STATS_ ## attr) &&	  \
1366 	    nla_put_u32(msg, NL80211_TXQ_STATS_ ## attr, txqstats->memb)) \
1367 		return false;						  \
1368 	} while (0)
1369 
1370 	txqattr = nla_nest_start_noflag(msg, attrtype);
1371 	if (!txqattr)
1372 		return false;
1373 
1374 	PUT_TXQVAL_U32(BACKLOG_BYTES, backlog_bytes);
1375 	PUT_TXQVAL_U32(BACKLOG_PACKETS, backlog_packets);
1376 	PUT_TXQVAL_U32(FLOWS, flows);
1377 	PUT_TXQVAL_U32(DROPS, drops);
1378 	PUT_TXQVAL_U32(ECN_MARKS, ecn_marks);
1379 	PUT_TXQVAL_U32(OVERLIMIT, overlimit);
1380 	PUT_TXQVAL_U32(OVERMEMORY, overmemory);
1381 	PUT_TXQVAL_U32(COLLISIONS, collisions);
1382 	PUT_TXQVAL_U32(TX_BYTES, tx_bytes);
1383 	PUT_TXQVAL_U32(TX_PACKETS, tx_packets);
1384 	PUT_TXQVAL_U32(MAX_FLOWS, max_flows);
1385 	nla_nest_end(msg, txqattr);
1386 
1387 #undef PUT_TXQVAL_U32
1388 	return true;
1389 }
1390 
1391 /* netlink command implementations */
1392 
1393 /**
1394  * nl80211_link_id - return link ID
1395  * @attrs: attributes to look at
1396  *
1397  * Returns: the link ID or 0 if not given
1398  *
1399  * Note this function doesn't do any validation of the link
1400  * ID validity wrt. links that were actually added, so it must
1401  * be called only from ops with %NL80211_FLAG_MLO_VALID_LINK_ID
1402  * or if additional validation is done.
1403  */
1404 static unsigned int nl80211_link_id(struct nlattr **attrs)
1405 {
1406 	struct nlattr *linkid = attrs[NL80211_ATTR_MLO_LINK_ID];
1407 
1408 	return nla_get_u8_default(linkid, 0);
1409 }
1410 
1411 static int nl80211_link_id_or_invalid(struct nlattr **attrs)
1412 {
1413 	struct nlattr *linkid = attrs[NL80211_ATTR_MLO_LINK_ID];
1414 
1415 	if (!linkid)
1416 		return -1;
1417 
1418 	return nla_get_u8(linkid);
1419 }
1420 
1421 struct key_parse {
1422 	struct key_params p;
1423 	int idx;
1424 	int type;
1425 	bool def, defmgmt, defbeacon;
1426 	bool def_uni, def_multi;
1427 };
1428 
1429 static int nl80211_parse_key_new(struct genl_info *info, struct nlattr *key,
1430 				 struct key_parse *k)
1431 {
1432 	struct nlattr *tb[NL80211_KEY_MAX + 1];
1433 	int err = nla_parse_nested_deprecated(tb, NL80211_KEY_MAX, key,
1434 					      nl80211_key_policy,
1435 					      info->extack);
1436 	if (err)
1437 		return err;
1438 
1439 	k->def = !!tb[NL80211_KEY_DEFAULT];
1440 	k->defmgmt = !!tb[NL80211_KEY_DEFAULT_MGMT];
1441 	k->defbeacon = !!tb[NL80211_KEY_DEFAULT_BEACON];
1442 
1443 	if (k->def) {
1444 		k->def_uni = true;
1445 		k->def_multi = true;
1446 	}
1447 	if (k->defmgmt || k->defbeacon)
1448 		k->def_multi = true;
1449 
1450 	if (tb[NL80211_KEY_IDX])
1451 		k->idx = nla_get_u8(tb[NL80211_KEY_IDX]);
1452 
1453 	if (tb[NL80211_KEY_DATA]) {
1454 		k->p.key = nla_data(tb[NL80211_KEY_DATA]);
1455 		k->p.key_len = nla_len(tb[NL80211_KEY_DATA]);
1456 	}
1457 
1458 	if (tb[NL80211_KEY_SEQ]) {
1459 		k->p.seq = nla_data(tb[NL80211_KEY_SEQ]);
1460 		k->p.seq_len = nla_len(tb[NL80211_KEY_SEQ]);
1461 	}
1462 
1463 	if (tb[NL80211_KEY_CIPHER])
1464 		k->p.cipher = nla_get_u32(tb[NL80211_KEY_CIPHER]);
1465 
1466 	if (tb[NL80211_KEY_TYPE])
1467 		k->type = nla_get_u32(tb[NL80211_KEY_TYPE]);
1468 
1469 	if (tb[NL80211_KEY_DEFAULT_TYPES]) {
1470 		struct nlattr *kdt[NUM_NL80211_KEY_DEFAULT_TYPES];
1471 
1472 		err = nla_parse_nested_deprecated(kdt,
1473 						  NUM_NL80211_KEY_DEFAULT_TYPES - 1,
1474 						  tb[NL80211_KEY_DEFAULT_TYPES],
1475 						  nl80211_key_default_policy,
1476 						  info->extack);
1477 		if (err)
1478 			return err;
1479 
1480 		k->def_uni = kdt[NL80211_KEY_DEFAULT_TYPE_UNICAST];
1481 		k->def_multi = kdt[NL80211_KEY_DEFAULT_TYPE_MULTICAST];
1482 	}
1483 
1484 	if (tb[NL80211_KEY_MODE])
1485 		k->p.mode = nla_get_u8(tb[NL80211_KEY_MODE]);
1486 
1487 	return 0;
1488 }
1489 
1490 static int nl80211_parse_key_old(struct genl_info *info, struct key_parse *k)
1491 {
1492 	if (info->attrs[NL80211_ATTR_KEY_DATA]) {
1493 		k->p.key = nla_data(info->attrs[NL80211_ATTR_KEY_DATA]);
1494 		k->p.key_len = nla_len(info->attrs[NL80211_ATTR_KEY_DATA]);
1495 	}
1496 
1497 	if (info->attrs[NL80211_ATTR_KEY_SEQ]) {
1498 		k->p.seq = nla_data(info->attrs[NL80211_ATTR_KEY_SEQ]);
1499 		k->p.seq_len = nla_len(info->attrs[NL80211_ATTR_KEY_SEQ]);
1500 	}
1501 
1502 	if (info->attrs[NL80211_ATTR_KEY_IDX])
1503 		k->idx = nla_get_u8(info->attrs[NL80211_ATTR_KEY_IDX]);
1504 
1505 	if (info->attrs[NL80211_ATTR_KEY_CIPHER])
1506 		k->p.cipher = nla_get_u32(info->attrs[NL80211_ATTR_KEY_CIPHER]);
1507 
1508 	k->def = !!info->attrs[NL80211_ATTR_KEY_DEFAULT];
1509 	k->defmgmt = !!info->attrs[NL80211_ATTR_KEY_DEFAULT_MGMT];
1510 
1511 	if (k->def) {
1512 		k->def_uni = true;
1513 		k->def_multi = true;
1514 	}
1515 	if (k->defmgmt)
1516 		k->def_multi = true;
1517 
1518 	if (info->attrs[NL80211_ATTR_KEY_TYPE])
1519 		k->type = nla_get_u32(info->attrs[NL80211_ATTR_KEY_TYPE]);
1520 
1521 	if (info->attrs[NL80211_ATTR_KEY_DEFAULT_TYPES]) {
1522 		struct nlattr *kdt[NUM_NL80211_KEY_DEFAULT_TYPES];
1523 		int err = nla_parse_nested_deprecated(kdt,
1524 						      NUM_NL80211_KEY_DEFAULT_TYPES - 1,
1525 						      info->attrs[NL80211_ATTR_KEY_DEFAULT_TYPES],
1526 						      nl80211_key_default_policy,
1527 						      info->extack);
1528 		if (err)
1529 			return err;
1530 
1531 		k->def_uni = kdt[NL80211_KEY_DEFAULT_TYPE_UNICAST];
1532 		k->def_multi = kdt[NL80211_KEY_DEFAULT_TYPE_MULTICAST];
1533 	}
1534 
1535 	return 0;
1536 }
1537 
1538 static int nl80211_parse_key(struct genl_info *info, struct key_parse *k)
1539 {
1540 	int err;
1541 
1542 	memset(k, 0, sizeof(*k));
1543 	k->idx = -1;
1544 	k->type = -1;
1545 
1546 	if (info->attrs[NL80211_ATTR_KEY])
1547 		err = nl80211_parse_key_new(info, info->attrs[NL80211_ATTR_KEY], k);
1548 	else
1549 		err = nl80211_parse_key_old(info, k);
1550 
1551 	if (err)
1552 		return err;
1553 
1554 	if ((k->def ? 1 : 0) + (k->defmgmt ? 1 : 0) +
1555 	    (k->defbeacon ? 1 : 0) > 1) {
1556 		GENL_SET_ERR_MSG(info,
1557 				 "key with multiple default flags is invalid");
1558 		return -EINVAL;
1559 	}
1560 
1561 	if (k->defmgmt || k->defbeacon) {
1562 		if (k->def_uni || !k->def_multi) {
1563 			GENL_SET_ERR_MSG(info,
1564 					 "defmgmt/defbeacon key must be mcast");
1565 			return -EINVAL;
1566 		}
1567 	}
1568 
1569 	if (k->idx != -1) {
1570 		if (k->defmgmt) {
1571 			if (k->idx < 4 || k->idx > 5) {
1572 				GENL_SET_ERR_MSG(info,
1573 						 "defmgmt key idx not 4 or 5");
1574 				return -EINVAL;
1575 			}
1576 		} else if (k->defbeacon) {
1577 			if (k->idx < 6 || k->idx > 7) {
1578 				GENL_SET_ERR_MSG(info,
1579 						 "defbeacon key idx not 6 or 7");
1580 				return -EINVAL;
1581 			}
1582 		} else if (k->def) {
1583 			if (k->idx < 0 || k->idx > 3) {
1584 				GENL_SET_ERR_MSG(info, "def key idx not 0-3");
1585 				return -EINVAL;
1586 			}
1587 		} else {
1588 			if (k->idx < 0 || k->idx > 7) {
1589 				GENL_SET_ERR_MSG(info, "key idx not 0-7");
1590 				return -EINVAL;
1591 			}
1592 		}
1593 	}
1594 
1595 	return 0;
1596 }
1597 
1598 static struct cfg80211_cached_keys *
1599 nl80211_parse_connkeys(struct cfg80211_registered_device *rdev,
1600 		       struct genl_info *info, bool *no_ht)
1601 {
1602 	struct nlattr *keys = info->attrs[NL80211_ATTR_KEYS];
1603 	struct key_parse parse;
1604 	struct nlattr *key;
1605 	struct cfg80211_cached_keys *result;
1606 	int rem, err, def = 0;
1607 	bool have_key = false;
1608 
1609 	nla_for_each_nested(key, keys, rem) {
1610 		have_key = true;
1611 		break;
1612 	}
1613 
1614 	if (!have_key)
1615 		return NULL;
1616 
1617 	result = kzalloc_obj(*result);
1618 	if (!result)
1619 		return ERR_PTR(-ENOMEM);
1620 
1621 	result->def = -1;
1622 
1623 	nla_for_each_nested(key, keys, rem) {
1624 		memset(&parse, 0, sizeof(parse));
1625 		parse.idx = -1;
1626 
1627 		err = nl80211_parse_key_new(info, key, &parse);
1628 		if (err)
1629 			goto error;
1630 		err = -EINVAL;
1631 		if (!parse.p.key)
1632 			goto error;
1633 		if (parse.idx < 0 || parse.idx > 3) {
1634 			GENL_SET_ERR_MSG(info, "key index out of range [0-3]");
1635 			goto error;
1636 		}
1637 		if (parse.def) {
1638 			if (def) {
1639 				GENL_SET_ERR_MSG(info,
1640 						 "only one key can be default");
1641 				goto error;
1642 			}
1643 			def = 1;
1644 			result->def = parse.idx;
1645 			if (!parse.def_uni || !parse.def_multi)
1646 				goto error;
1647 		} else if (parse.defmgmt)
1648 			goto error;
1649 		err = cfg80211_validate_key_settings(rdev, &parse.p,
1650 						     parse.idx, false, NULL);
1651 		if (err)
1652 			goto error;
1653 		if (parse.p.cipher != WLAN_CIPHER_SUITE_WEP40 &&
1654 		    parse.p.cipher != WLAN_CIPHER_SUITE_WEP104) {
1655 			GENL_SET_ERR_MSG(info, "connect key must be WEP");
1656 			err = -EINVAL;
1657 			goto error;
1658 		}
1659 		result->params[parse.idx].cipher = parse.p.cipher;
1660 		result->params[parse.idx].key_len = parse.p.key_len;
1661 		result->params[parse.idx].key = result->data[parse.idx];
1662 		memcpy(result->data[parse.idx], parse.p.key, parse.p.key_len);
1663 
1664 		/* must be WEP key if we got here */
1665 		if (no_ht)
1666 			*no_ht = true;
1667 	}
1668 
1669 	if (result->def < 0) {
1670 		err = -EINVAL;
1671 		GENL_SET_ERR_MSG(info, "need a default/TX key");
1672 		goto error;
1673 	}
1674 
1675 	return result;
1676  error:
1677 	kfree_sensitive(result);
1678 	return ERR_PTR(err);
1679 }
1680 
1681 static int nl80211_key_allowed(struct wireless_dev *wdev)
1682 {
1683 	lockdep_assert_wiphy(wdev->wiphy);
1684 
1685 	switch (wdev->iftype) {
1686 	case NL80211_IFTYPE_AP:
1687 	case NL80211_IFTYPE_AP_VLAN:
1688 	case NL80211_IFTYPE_P2P_GO:
1689 	case NL80211_IFTYPE_MESH_POINT:
1690 		break;
1691 	case NL80211_IFTYPE_ADHOC:
1692 		if (wdev->u.ibss.current_bss)
1693 			return 0;
1694 		return -ENOLINK;
1695 	case NL80211_IFTYPE_STATION:
1696 	case NL80211_IFTYPE_P2P_CLIENT:
1697 		if (wdev->connected ||
1698 		    (wiphy_ext_feature_isset(wdev->wiphy,
1699 					     NL80211_EXT_FEATURE_ASSOC_FRAME_ENCRYPTION)))
1700 			return 0;
1701 		return -ENOLINK;
1702 	case NL80211_IFTYPE_NAN:
1703 		if (wiphy_ext_feature_isset(wdev->wiphy,
1704 					    NL80211_EXT_FEATURE_SECURE_NAN))
1705 			return 0;
1706 		return -EINVAL;
1707 	case NL80211_IFTYPE_UNSPECIFIED:
1708 	case NL80211_IFTYPE_OCB:
1709 	case NL80211_IFTYPE_MONITOR:
1710 	case NL80211_IFTYPE_P2P_DEVICE:
1711 	case NL80211_IFTYPE_WDS:
1712 	case NUM_NL80211_IFTYPES:
1713 		return -EINVAL;
1714 	}
1715 
1716 	return 0;
1717 }
1718 
1719 static struct ieee80211_channel *nl80211_get_valid_chan(struct wiphy *wiphy,
1720 							u32 freq)
1721 {
1722 	struct ieee80211_channel *chan;
1723 
1724 	chan = ieee80211_get_channel_khz(wiphy, freq);
1725 	if (!chan || chan->flags & IEEE80211_CHAN_DISABLED)
1726 		return NULL;
1727 	return chan;
1728 }
1729 
1730 static int nl80211_put_iftypes(struct sk_buff *msg, u32 attr, u16 ifmodes)
1731 {
1732 	struct nlattr *nl_modes = nla_nest_start_noflag(msg, attr);
1733 	int i;
1734 
1735 	if (!nl_modes)
1736 		goto nla_put_failure;
1737 
1738 	i = 0;
1739 	while (ifmodes) {
1740 		if ((ifmodes & 1) && nla_put_flag(msg, i))
1741 			goto nla_put_failure;
1742 		ifmodes >>= 1;
1743 		i++;
1744 	}
1745 
1746 	nla_nest_end(msg, nl_modes);
1747 	return 0;
1748 
1749 nla_put_failure:
1750 	return -ENOBUFS;
1751 }
1752 
1753 static int nl80211_put_ifcomb_data(struct sk_buff *msg, bool large, int idx,
1754 				   const struct ieee80211_iface_combination *c,
1755 				   u16 nested)
1756 {
1757 	struct nlattr *nl_combi, *nl_limits;
1758 	int i;
1759 
1760 	nl_combi = nla_nest_start_noflag(msg, idx | nested);
1761 	if (!nl_combi)
1762 		goto nla_put_failure;
1763 
1764 	nl_limits = nla_nest_start_noflag(msg, NL80211_IFACE_COMB_LIMITS |
1765 					       nested);
1766 	if (!nl_limits)
1767 		goto nla_put_failure;
1768 
1769 	for (i = 0; i < c->n_limits; i++) {
1770 		struct nlattr *nl_limit;
1771 
1772 		nl_limit = nla_nest_start_noflag(msg, i + 1);
1773 		if (!nl_limit)
1774 			goto nla_put_failure;
1775 		if (nla_put_u32(msg, NL80211_IFACE_LIMIT_MAX, c->limits[i].max))
1776 			goto nla_put_failure;
1777 		if (nl80211_put_iftypes(msg, NL80211_IFACE_LIMIT_TYPES,
1778 					c->limits[i].types))
1779 			goto nla_put_failure;
1780 		nla_nest_end(msg, nl_limit);
1781 	}
1782 
1783 	nla_nest_end(msg, nl_limits);
1784 
1785 	if (c->beacon_int_infra_match &&
1786 	    nla_put_flag(msg, NL80211_IFACE_COMB_STA_AP_BI_MATCH))
1787 		goto nla_put_failure;
1788 	if (nla_put_u32(msg, NL80211_IFACE_COMB_NUM_CHANNELS,
1789 			c->num_different_channels) ||
1790 	    nla_put_u32(msg, NL80211_IFACE_COMB_MAXNUM,
1791 			c->max_interfaces))
1792 		goto nla_put_failure;
1793 	if (large &&
1794 	    (nla_put_u32(msg, NL80211_IFACE_COMB_RADAR_DETECT_WIDTHS,
1795 			c->radar_detect_widths) ||
1796 	     nla_put_u32(msg, NL80211_IFACE_COMB_RADAR_DETECT_REGIONS,
1797 			c->radar_detect_regions)))
1798 		goto nla_put_failure;
1799 	if (c->beacon_int_min_gcd &&
1800 	    nla_put_u32(msg, NL80211_IFACE_COMB_BI_MIN_GCD,
1801 			c->beacon_int_min_gcd))
1802 		goto nla_put_failure;
1803 
1804 	nla_nest_end(msg, nl_combi);
1805 
1806 	return 0;
1807 nla_put_failure:
1808 	return -ENOBUFS;
1809 }
1810 
1811 static int nl80211_put_iface_combinations(struct wiphy *wiphy,
1812 					  struct sk_buff *msg,
1813 					  int attr, int radio,
1814 					  bool large, u16 nested)
1815 {
1816 	const struct ieee80211_iface_combination *c;
1817 	struct nlattr *nl_combis;
1818 	int i, n;
1819 
1820 	nl_combis = nla_nest_start_noflag(msg, attr | nested);
1821 	if (!nl_combis)
1822 		goto nla_put_failure;
1823 
1824 	if (radio >= 0) {
1825 		c = wiphy->radio[0].iface_combinations;
1826 		n = wiphy->radio[0].n_iface_combinations;
1827 	} else {
1828 		c = wiphy->iface_combinations;
1829 		n = wiphy->n_iface_combinations;
1830 	}
1831 	for (i = 0; i < n; i++)
1832 		if (nl80211_put_ifcomb_data(msg, large, i + 1, &c[i], nested))
1833 			goto nla_put_failure;
1834 
1835 	nla_nest_end(msg, nl_combis);
1836 
1837 	return 0;
1838 nla_put_failure:
1839 	return -ENOBUFS;
1840 }
1841 
1842 #ifdef CONFIG_PM
1843 static int nl80211_send_wowlan_tcp_caps(struct cfg80211_registered_device *rdev,
1844 					struct sk_buff *msg)
1845 {
1846 	const struct wiphy_wowlan_tcp_support *tcp = rdev->wiphy.wowlan->tcp;
1847 	struct nlattr *nl_tcp;
1848 
1849 	if (!tcp)
1850 		return 0;
1851 
1852 	nl_tcp = nla_nest_start_noflag(msg,
1853 				       NL80211_WOWLAN_TRIG_TCP_CONNECTION);
1854 	if (!nl_tcp)
1855 		return -ENOBUFS;
1856 
1857 	if (nla_put_u32(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD,
1858 			tcp->data_payload_max))
1859 		return -ENOBUFS;
1860 
1861 	if (nla_put_u32(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD,
1862 			tcp->data_payload_max))
1863 		return -ENOBUFS;
1864 
1865 	if (tcp->seq && nla_put_flag(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ))
1866 		return -ENOBUFS;
1867 
1868 	if (tcp->tok && nla_put(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN,
1869 				sizeof(*tcp->tok), tcp->tok))
1870 		return -ENOBUFS;
1871 
1872 	if (nla_put_u32(msg, NL80211_WOWLAN_TCP_DATA_INTERVAL,
1873 			tcp->data_interval_max))
1874 		return -ENOBUFS;
1875 
1876 	if (nla_put_u32(msg, NL80211_WOWLAN_TCP_WAKE_PAYLOAD,
1877 			tcp->wake_payload_max))
1878 		return -ENOBUFS;
1879 
1880 	nla_nest_end(msg, nl_tcp);
1881 	return 0;
1882 }
1883 
1884 static int nl80211_send_wowlan(struct sk_buff *msg,
1885 			       struct cfg80211_registered_device *rdev,
1886 			       bool large)
1887 {
1888 	struct nlattr *nl_wowlan;
1889 
1890 	if (!rdev->wiphy.wowlan)
1891 		return 0;
1892 
1893 	nl_wowlan = nla_nest_start_noflag(msg,
1894 					  NL80211_ATTR_WOWLAN_TRIGGERS_SUPPORTED);
1895 	if (!nl_wowlan)
1896 		return -ENOBUFS;
1897 
1898 	if (((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_ANY) &&
1899 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_ANY)) ||
1900 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_DISCONNECT) &&
1901 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_DISCONNECT)) ||
1902 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_MAGIC_PKT) &&
1903 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_MAGIC_PKT)) ||
1904 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_SUPPORTS_GTK_REKEY) &&
1905 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_GTK_REKEY_SUPPORTED)) ||
1906 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_GTK_REKEY_FAILURE) &&
1907 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE)) ||
1908 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_EAP_IDENTITY_REQ) &&
1909 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST)) ||
1910 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_4WAY_HANDSHAKE) &&
1911 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE)) ||
1912 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_RFKILL_RELEASE) &&
1913 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_RFKILL_RELEASE)))
1914 		return -ENOBUFS;
1915 
1916 	if (rdev->wiphy.wowlan->n_patterns) {
1917 		struct nl80211_pattern_support pat = {
1918 			.max_patterns = rdev->wiphy.wowlan->n_patterns,
1919 			.min_pattern_len = rdev->wiphy.wowlan->pattern_min_len,
1920 			.max_pattern_len = rdev->wiphy.wowlan->pattern_max_len,
1921 			.max_pkt_offset = rdev->wiphy.wowlan->max_pkt_offset,
1922 		};
1923 
1924 		if (nla_put(msg, NL80211_WOWLAN_TRIG_PKT_PATTERN,
1925 			    sizeof(pat), &pat))
1926 			return -ENOBUFS;
1927 	}
1928 
1929 	if ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_NET_DETECT) &&
1930 	    nla_put_u32(msg, NL80211_WOWLAN_TRIG_NET_DETECT,
1931 			rdev->wiphy.wowlan->max_nd_match_sets))
1932 		return -ENOBUFS;
1933 
1934 	if (large && nl80211_send_wowlan_tcp_caps(rdev, msg))
1935 		return -ENOBUFS;
1936 
1937 	nla_nest_end(msg, nl_wowlan);
1938 
1939 	return 0;
1940 }
1941 #endif
1942 
1943 static int nl80211_send_coalesce(struct sk_buff *msg,
1944 				 struct cfg80211_registered_device *rdev)
1945 {
1946 	struct nl80211_coalesce_rule_support rule;
1947 
1948 	if (!rdev->wiphy.coalesce)
1949 		return 0;
1950 
1951 	rule.max_rules = rdev->wiphy.coalesce->n_rules;
1952 	rule.max_delay = rdev->wiphy.coalesce->max_delay;
1953 	rule.pat.max_patterns = rdev->wiphy.coalesce->n_patterns;
1954 	rule.pat.min_pattern_len = rdev->wiphy.coalesce->pattern_min_len;
1955 	rule.pat.max_pattern_len = rdev->wiphy.coalesce->pattern_max_len;
1956 	rule.pat.max_pkt_offset = rdev->wiphy.coalesce->max_pkt_offset;
1957 
1958 	if (nla_put(msg, NL80211_ATTR_COALESCE_RULE, sizeof(rule), &rule))
1959 		return -ENOBUFS;
1960 
1961 	return 0;
1962 }
1963 
1964 static int
1965 nl80211_send_iftype_data(struct sk_buff *msg,
1966 			 const struct ieee80211_supported_band *sband,
1967 			 const struct ieee80211_sband_iftype_data *iftdata)
1968 {
1969 	const struct ieee80211_sta_he_cap *he_cap = &iftdata->he_cap;
1970 	const struct ieee80211_sta_eht_cap *eht_cap = &iftdata->eht_cap;
1971 	const struct ieee80211_sta_uhr_cap *uhr_cap = &iftdata->uhr_cap;
1972 
1973 	if (nl80211_put_iftypes(msg, NL80211_BAND_IFTYPE_ATTR_IFTYPES,
1974 				iftdata->types_mask))
1975 		return -ENOBUFS;
1976 
1977 	if (he_cap->has_he) {
1978 		if (nla_put(msg, NL80211_BAND_IFTYPE_ATTR_HE_CAP_MAC,
1979 			    sizeof(he_cap->he_cap_elem.mac_cap_info),
1980 			    he_cap->he_cap_elem.mac_cap_info) ||
1981 		    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_HE_CAP_PHY,
1982 			    sizeof(he_cap->he_cap_elem.phy_cap_info),
1983 			    he_cap->he_cap_elem.phy_cap_info) ||
1984 		    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_HE_CAP_MCS_SET,
1985 			    sizeof(he_cap->he_mcs_nss_supp),
1986 			    &he_cap->he_mcs_nss_supp) ||
1987 		    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_HE_CAP_PPE,
1988 			    sizeof(he_cap->ppe_thres), he_cap->ppe_thres))
1989 			return -ENOBUFS;
1990 	}
1991 
1992 	if (eht_cap->has_eht && he_cap->has_he) {
1993 		u8 mcs_nss_size, ppe_thresh_size;
1994 		u16 ppe_thres_hdr;
1995 		bool is_ap;
1996 
1997 		is_ap = iftdata->types_mask & BIT(NL80211_IFTYPE_AP) ||
1998 			iftdata->types_mask & BIT(NL80211_IFTYPE_P2P_GO);
1999 
2000 		mcs_nss_size =
2001 			ieee80211_eht_mcs_nss_size(&he_cap->he_cap_elem,
2002 						   &eht_cap->eht_cap_elem,
2003 						   is_ap);
2004 
2005 		ppe_thres_hdr = get_unaligned_le16(&eht_cap->eht_ppe_thres[0]);
2006 		ppe_thresh_size =
2007 			ieee80211_eht_ppe_size(ppe_thres_hdr,
2008 					       eht_cap->eht_cap_elem.phy_cap_info);
2009 
2010 		if (nla_put(msg, NL80211_BAND_IFTYPE_ATTR_EHT_CAP_MAC,
2011 			    sizeof(eht_cap->eht_cap_elem.mac_cap_info),
2012 			    eht_cap->eht_cap_elem.mac_cap_info) ||
2013 		    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_EHT_CAP_PHY,
2014 			    sizeof(eht_cap->eht_cap_elem.phy_cap_info),
2015 			    eht_cap->eht_cap_elem.phy_cap_info) ||
2016 		    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_EHT_CAP_MCS_SET,
2017 			    mcs_nss_size, &eht_cap->eht_mcs_nss_supp) ||
2018 		    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_EHT_CAP_PPE,
2019 			    ppe_thresh_size, eht_cap->eht_ppe_thres))
2020 			return -ENOBUFS;
2021 	}
2022 
2023 	if (uhr_cap->has_uhr) {
2024 		if (nla_put(msg, NL80211_BAND_IFTYPE_ATTR_UHR_CAP_MAC,
2025 			    sizeof(uhr_cap->mac), &uhr_cap->mac) ||
2026 		    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_UHR_CAP_PHY,
2027 			    sizeof(uhr_cap->phy), &uhr_cap->phy))
2028 			return -ENOBUFS;
2029 	}
2030 
2031 	if (sband->band == NL80211_BAND_6GHZ &&
2032 	    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_HE_6GHZ_CAPA,
2033 		    sizeof(iftdata->he_6ghz_capa),
2034 		    &iftdata->he_6ghz_capa))
2035 		return -ENOBUFS;
2036 
2037 	if (iftdata->vendor_elems.data && iftdata->vendor_elems.len &&
2038 	    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_VENDOR_ELEMS,
2039 		    iftdata->vendor_elems.len, iftdata->vendor_elems.data))
2040 		return -ENOBUFS;
2041 
2042 	return 0;
2043 }
2044 
2045 static int nl80211_send_band_rateinfo(struct sk_buff *msg,
2046 				      struct ieee80211_supported_band *sband,
2047 				      bool large)
2048 {
2049 	struct nlattr *nl_rates, *nl_rate;
2050 	struct ieee80211_rate *rate;
2051 	int i;
2052 
2053 	/* add HT info */
2054 	if (sband->ht_cap.ht_supported &&
2055 	    (nla_put(msg, NL80211_BAND_ATTR_HT_MCS_SET,
2056 		     sizeof(sband->ht_cap.mcs),
2057 		     &sband->ht_cap.mcs) ||
2058 	     nla_put_u16(msg, NL80211_BAND_ATTR_HT_CAPA,
2059 			 sband->ht_cap.cap) ||
2060 	     nla_put_u8(msg, NL80211_BAND_ATTR_HT_AMPDU_FACTOR,
2061 			sband->ht_cap.ampdu_factor) ||
2062 	     nla_put_u8(msg, NL80211_BAND_ATTR_HT_AMPDU_DENSITY,
2063 			sband->ht_cap.ampdu_density)))
2064 		return -ENOBUFS;
2065 
2066 	/* add VHT info */
2067 	if (sband->vht_cap.vht_supported &&
2068 	    (nla_put(msg, NL80211_BAND_ATTR_VHT_MCS_SET,
2069 		     sizeof(sband->vht_cap.vht_mcs),
2070 		     &sband->vht_cap.vht_mcs) ||
2071 	     nla_put_u32(msg, NL80211_BAND_ATTR_VHT_CAPA,
2072 			 sband->vht_cap.cap)))
2073 		return -ENOBUFS;
2074 
2075 	if (large && sband->n_iftype_data) {
2076 		struct nlattr *nl_iftype_data =
2077 			nla_nest_start_noflag(msg,
2078 					      NL80211_BAND_ATTR_IFTYPE_DATA);
2079 		const struct ieee80211_sband_iftype_data *iftd;
2080 		int err;
2081 
2082 		if (!nl_iftype_data)
2083 			return -ENOBUFS;
2084 
2085 		for_each_sband_iftype_data(sband, i, iftd) {
2086 			struct nlattr *iftdata;
2087 
2088 			iftdata = nla_nest_start_noflag(msg, i + 1);
2089 			if (!iftdata)
2090 				return -ENOBUFS;
2091 
2092 			err = nl80211_send_iftype_data(msg, sband, iftd);
2093 			if (err)
2094 				return err;
2095 
2096 			nla_nest_end(msg, iftdata);
2097 		}
2098 
2099 		nla_nest_end(msg, nl_iftype_data);
2100 	}
2101 
2102 	/* add EDMG info */
2103 	if (large && sband->edmg_cap.channels &&
2104 	    (nla_put_u8(msg, NL80211_BAND_ATTR_EDMG_CHANNELS,
2105 		       sband->edmg_cap.channels) ||
2106 	    nla_put_u8(msg, NL80211_BAND_ATTR_EDMG_BW_CONFIG,
2107 		       sband->edmg_cap.bw_config)))
2108 
2109 		return -ENOBUFS;
2110 
2111 	/* add bitrates */
2112 	nl_rates = nla_nest_start_noflag(msg, NL80211_BAND_ATTR_RATES);
2113 	if (!nl_rates)
2114 		return -ENOBUFS;
2115 
2116 	for (i = 0; i < sband->n_bitrates; i++) {
2117 		nl_rate = nla_nest_start_noflag(msg, i);
2118 		if (!nl_rate)
2119 			return -ENOBUFS;
2120 
2121 		rate = &sband->bitrates[i];
2122 		if (nla_put_u32(msg, NL80211_BITRATE_ATTR_RATE,
2123 				rate->bitrate))
2124 			return -ENOBUFS;
2125 		if ((rate->flags & IEEE80211_RATE_SHORT_PREAMBLE) &&
2126 		    nla_put_flag(msg,
2127 				 NL80211_BITRATE_ATTR_2GHZ_SHORTPREAMBLE))
2128 			return -ENOBUFS;
2129 
2130 		nla_nest_end(msg, nl_rate);
2131 	}
2132 
2133 	nla_nest_end(msg, nl_rates);
2134 
2135 	/* S1G capabilities */
2136 	if (sband->band == NL80211_BAND_S1GHZ && sband->s1g_cap.s1g &&
2137 	    (nla_put(msg, NL80211_BAND_ATTR_S1G_CAPA,
2138 		     sizeof(sband->s1g_cap.cap),
2139 		     sband->s1g_cap.cap) ||
2140 	     nla_put(msg, NL80211_BAND_ATTR_S1G_MCS_NSS_SET,
2141 		     sizeof(sband->s1g_cap.nss_mcs),
2142 		     sband->s1g_cap.nss_mcs)))
2143 		return -ENOBUFS;
2144 
2145 	return 0;
2146 }
2147 
2148 static int
2149 nl80211_send_mgmt_stypes(struct sk_buff *msg,
2150 			 const struct ieee80211_txrx_stypes *mgmt_stypes)
2151 {
2152 	u16 stypes;
2153 	struct nlattr *nl_ftypes, *nl_ifs;
2154 	enum nl80211_iftype ift;
2155 	int i;
2156 
2157 	if (!mgmt_stypes)
2158 		return 0;
2159 
2160 	nl_ifs = nla_nest_start_noflag(msg, NL80211_ATTR_TX_FRAME_TYPES);
2161 	if (!nl_ifs)
2162 		return -ENOBUFS;
2163 
2164 	for (ift = 0; ift < NUM_NL80211_IFTYPES; ift++) {
2165 		nl_ftypes = nla_nest_start_noflag(msg, ift);
2166 		if (!nl_ftypes)
2167 			return -ENOBUFS;
2168 		i = 0;
2169 		stypes = mgmt_stypes[ift].tx;
2170 		while (stypes) {
2171 			if ((stypes & 1) &&
2172 			    nla_put_u16(msg, NL80211_ATTR_FRAME_TYPE,
2173 					(i << 4) | IEEE80211_FTYPE_MGMT))
2174 				return -ENOBUFS;
2175 			stypes >>= 1;
2176 			i++;
2177 		}
2178 		nla_nest_end(msg, nl_ftypes);
2179 	}
2180 
2181 	nla_nest_end(msg, nl_ifs);
2182 
2183 	nl_ifs = nla_nest_start_noflag(msg, NL80211_ATTR_RX_FRAME_TYPES);
2184 	if (!nl_ifs)
2185 		return -ENOBUFS;
2186 
2187 	for (ift = 0; ift < NUM_NL80211_IFTYPES; ift++) {
2188 		nl_ftypes = nla_nest_start_noflag(msg, ift);
2189 		if (!nl_ftypes)
2190 			return -ENOBUFS;
2191 		i = 0;
2192 		stypes = mgmt_stypes[ift].rx;
2193 		while (stypes) {
2194 			if ((stypes & 1) &&
2195 			    nla_put_u16(msg, NL80211_ATTR_FRAME_TYPE,
2196 					(i << 4) | IEEE80211_FTYPE_MGMT))
2197 				return -ENOBUFS;
2198 			stypes >>= 1;
2199 			i++;
2200 		}
2201 		nla_nest_end(msg, nl_ftypes);
2202 	}
2203 	nla_nest_end(msg, nl_ifs);
2204 
2205 	return 0;
2206 }
2207 
2208 #define CMD(op, n)							\
2209 	 do {								\
2210 		if (rdev->ops->op) {					\
2211 			i++;						\
2212 			if (nla_put_u32(msg, i, NL80211_CMD_ ## n)) 	\
2213 				goto nla_put_failure;			\
2214 		}							\
2215 	} while (0)
2216 
2217 static int nl80211_add_commands_unsplit(struct cfg80211_registered_device *rdev,
2218 					struct sk_buff *msg)
2219 {
2220 	int i = 0;
2221 
2222 	/*
2223 	 * do *NOT* add anything into this function, new things need to be
2224 	 * advertised only to new versions of userspace that can deal with
2225 	 * the split (and they can't possibly care about new features...
2226 	 */
2227 	CMD(add_virtual_intf, NEW_INTERFACE);
2228 	CMD(change_virtual_intf, SET_INTERFACE);
2229 	CMD(add_key, NEW_KEY);
2230 	CMD(start_ap, START_AP);
2231 	CMD(add_station, NEW_STATION);
2232 	CMD(add_mpath, NEW_MPATH);
2233 	CMD(update_mesh_config, SET_MESH_CONFIG);
2234 	CMD(change_bss, SET_BSS);
2235 	CMD(auth, AUTHENTICATE);
2236 	CMD(assoc, ASSOCIATE);
2237 	CMD(deauth, DEAUTHENTICATE);
2238 	CMD(disassoc, DISASSOCIATE);
2239 	CMD(join_ibss, JOIN_IBSS);
2240 	CMD(join_mesh, JOIN_MESH);
2241 	CMD(set_pmksa, SET_PMKSA);
2242 	CMD(del_pmksa, DEL_PMKSA);
2243 	CMD(flush_pmksa, FLUSH_PMKSA);
2244 	if (rdev->wiphy.flags & WIPHY_FLAG_HAS_REMAIN_ON_CHANNEL)
2245 		CMD(remain_on_channel, REMAIN_ON_CHANNEL);
2246 	CMD(set_bitrate_mask, SET_TX_BITRATE_MASK);
2247 	CMD(mgmt_tx, FRAME);
2248 	CMD(mgmt_tx_cancel_wait, FRAME_WAIT_CANCEL);
2249 	if (rdev->wiphy.flags & WIPHY_FLAG_NETNS_OK) {
2250 		i++;
2251 		if (nla_put_u32(msg, i, NL80211_CMD_SET_WIPHY_NETNS))
2252 			goto nla_put_failure;
2253 	}
2254 	if (rdev->ops->set_monitor_channel || rdev->ops->start_ap ||
2255 	    rdev->ops->join_mesh) {
2256 		i++;
2257 		if (nla_put_u32(msg, i, NL80211_CMD_SET_CHANNEL))
2258 			goto nla_put_failure;
2259 	}
2260 	if (rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) {
2261 		CMD(tdls_mgmt, TDLS_MGMT);
2262 		CMD(tdls_oper, TDLS_OPER);
2263 	}
2264 	if (rdev->wiphy.max_sched_scan_reqs)
2265 		CMD(sched_scan_start, START_SCHED_SCAN);
2266 	CMD(probe_client, PROBE_CLIENT);
2267 	CMD(set_noack_map, SET_NOACK_MAP);
2268 	if (rdev->wiphy.flags & WIPHY_FLAG_REPORTS_OBSS) {
2269 		i++;
2270 		if (nla_put_u32(msg, i, NL80211_CMD_REGISTER_BEACONS))
2271 			goto nla_put_failure;
2272 	}
2273 	CMD(start_p2p_device, START_P2P_DEVICE);
2274 	CMD(set_mcast_rate, SET_MCAST_RATE);
2275 #ifdef CONFIG_NL80211_TESTMODE
2276 	CMD(testmode_cmd, TESTMODE);
2277 #endif
2278 
2279 	if (rdev->ops->connect || rdev->ops->auth) {
2280 		i++;
2281 		if (nla_put_u32(msg, i, NL80211_CMD_CONNECT))
2282 			goto nla_put_failure;
2283 	}
2284 
2285 	if (rdev->ops->disconnect || rdev->ops->deauth) {
2286 		i++;
2287 		if (nla_put_u32(msg, i, NL80211_CMD_DISCONNECT))
2288 			goto nla_put_failure;
2289 	}
2290 
2291 	return i;
2292  nla_put_failure:
2293 	return -ENOBUFS;
2294 }
2295 
2296 static int
2297 nl80211_send_pmsr_ftm_capa(const struct cfg80211_pmsr_capabilities *cap,
2298 			   struct sk_buff *msg)
2299 {
2300 	struct nlattr *ftm;
2301 
2302 	if (!cap->ftm.supported)
2303 		return 0;
2304 
2305 	ftm = nla_nest_start_noflag(msg, NL80211_PMSR_TYPE_FTM);
2306 	if (!ftm)
2307 		return -ENOBUFS;
2308 
2309 	if (cap->ftm.asap && nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_ASAP))
2310 		return -ENOBUFS;
2311 	if (cap->ftm.non_asap &&
2312 	    nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_NON_ASAP))
2313 		return -ENOBUFS;
2314 	if (cap->ftm.request_lci &&
2315 	    nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_REQ_LCI))
2316 		return -ENOBUFS;
2317 	if (cap->ftm.request_civicloc &&
2318 	    nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_REQ_CIVICLOC))
2319 		return -ENOBUFS;
2320 	if (nla_put_u32(msg, NL80211_PMSR_FTM_CAPA_ATTR_PREAMBLES,
2321 			cap->ftm.preambles))
2322 		return -ENOBUFS;
2323 	if (nla_put_u32(msg, NL80211_PMSR_FTM_CAPA_ATTR_BANDWIDTHS,
2324 			cap->ftm.bandwidths))
2325 		return -ENOBUFS;
2326 	if (cap->ftm.max_bursts_exponent >= 0 &&
2327 	    nla_put_u32(msg, NL80211_PMSR_FTM_CAPA_ATTR_MAX_BURSTS_EXPONENT,
2328 			cap->ftm.max_bursts_exponent))
2329 		return -ENOBUFS;
2330 	if (cap->ftm.max_ftms_per_burst &&
2331 	    nla_put_u32(msg, NL80211_PMSR_FTM_CAPA_ATTR_MAX_FTMS_PER_BURST,
2332 			cap->ftm.max_ftms_per_burst))
2333 		return -ENOBUFS;
2334 	if (cap->ftm.trigger_based &&
2335 	    nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_TRIGGER_BASED))
2336 		return -ENOBUFS;
2337 	if (cap->ftm.non_trigger_based &&
2338 	    nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_NON_TRIGGER_BASED))
2339 		return -ENOBUFS;
2340 	if (cap->ftm.support_6ghz &&
2341 	    nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_6GHZ_SUPPORT))
2342 		return -ENOBUFS;
2343 	if (nla_put_u32(msg, NL80211_PMSR_FTM_CAPA_ATTR_MAX_TX_LTF_REP,
2344 			cap->ftm.max_tx_ltf_rep))
2345 		return -ENOBUFS;
2346 	if (nla_put_u32(msg, NL80211_PMSR_FTM_CAPA_ATTR_MAX_RX_LTF_REP,
2347 			cap->ftm.max_rx_ltf_rep))
2348 		return -ENOBUFS;
2349 	if (nla_put_u32(msg, NL80211_PMSR_FTM_CAPA_ATTR_MAX_TX_STS,
2350 			cap->ftm.max_tx_sts))
2351 		return -ENOBUFS;
2352 	if (nla_put_u32(msg, NL80211_PMSR_FTM_CAPA_ATTR_MAX_RX_STS,
2353 			cap->ftm.max_rx_sts))
2354 		return -ENOBUFS;
2355 	if (cap->ftm.max_total_ltf_tx > 0 &&
2356 	    nla_put_u32(msg, NL80211_PMSR_FTM_CAPA_ATTR_MAX_TOTAL_LTF_TX,
2357 			cap->ftm.max_total_ltf_tx))
2358 		return -ENOBUFS;
2359 	if (cap->ftm.max_total_ltf_rx > 0 &&
2360 	    nla_put_u32(msg, NL80211_PMSR_FTM_CAPA_ATTR_MAX_TOTAL_LTF_RX,
2361 			cap->ftm.max_total_ltf_rx))
2362 		return -ENOBUFS;
2363 	if (cap->ftm.support_rsta &&
2364 	    nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_RSTA_SUPPORT))
2365 		return -ENOBUFS;
2366 
2367 	nla_nest_end(msg, ftm);
2368 	return 0;
2369 }
2370 
2371 static int nl80211_send_pmsr_capa(struct cfg80211_registered_device *rdev,
2372 				  struct sk_buff *msg)
2373 {
2374 	const struct cfg80211_pmsr_capabilities *cap = rdev->wiphy.pmsr_capa;
2375 	struct nlattr *pmsr, *caps;
2376 
2377 	if (!cap)
2378 		return 0;
2379 
2380 	/*
2381 	 * we don't need to clean up anything here since the caller
2382 	 * will genlmsg_cancel() if we fail
2383 	 */
2384 
2385 	pmsr = nla_nest_start_noflag(msg, NL80211_ATTR_PEER_MEASUREMENTS);
2386 	if (!pmsr)
2387 		return -ENOBUFS;
2388 
2389 	if (nla_put_u32(msg, NL80211_PMSR_ATTR_MAX_PEERS, cap->max_peers))
2390 		return -ENOBUFS;
2391 
2392 	if (cap->report_ap_tsf &&
2393 	    nla_put_flag(msg, NL80211_PMSR_ATTR_REPORT_AP_TSF))
2394 		return -ENOBUFS;
2395 
2396 	if (cap->randomize_mac_addr &&
2397 	    nla_put_flag(msg, NL80211_PMSR_ATTR_RANDOMIZE_MAC_ADDR))
2398 		return -ENOBUFS;
2399 
2400 	caps = nla_nest_start_noflag(msg, NL80211_PMSR_ATTR_TYPE_CAPA);
2401 	if (!caps)
2402 		return -ENOBUFS;
2403 
2404 	if (nl80211_send_pmsr_ftm_capa(cap, msg))
2405 		return -ENOBUFS;
2406 
2407 	nla_nest_end(msg, caps);
2408 	nla_nest_end(msg, pmsr);
2409 
2410 	return 0;
2411 }
2412 
2413 static int
2414 nl80211_put_iftype_akm_suites(struct cfg80211_registered_device *rdev,
2415 			      struct sk_buff *msg)
2416 {
2417 	int i;
2418 	struct nlattr *nested, *nested_akms;
2419 	const struct wiphy_iftype_akm_suites *iftype_akms;
2420 
2421 	if (!rdev->wiphy.num_iftype_akm_suites ||
2422 	    !rdev->wiphy.iftype_akm_suites)
2423 		return 0;
2424 
2425 	nested = nla_nest_start(msg, NL80211_ATTR_IFTYPE_AKM_SUITES);
2426 	if (!nested)
2427 		return -ENOBUFS;
2428 
2429 	for (i = 0; i < rdev->wiphy.num_iftype_akm_suites; i++) {
2430 		nested_akms = nla_nest_start(msg, i + 1);
2431 		if (!nested_akms)
2432 			return -ENOBUFS;
2433 
2434 		iftype_akms = &rdev->wiphy.iftype_akm_suites[i];
2435 
2436 		if (nl80211_put_iftypes(msg, NL80211_IFTYPE_AKM_ATTR_IFTYPES,
2437 					iftype_akms->iftypes_mask))
2438 			return -ENOBUFS;
2439 
2440 		if (nla_put(msg, NL80211_IFTYPE_AKM_ATTR_SUITES,
2441 			    sizeof(u32) * iftype_akms->n_akm_suites,
2442 			    iftype_akms->akm_suites)) {
2443 			return -ENOBUFS;
2444 		}
2445 		nla_nest_end(msg, nested_akms);
2446 	}
2447 
2448 	nla_nest_end(msg, nested);
2449 
2450 	return 0;
2451 }
2452 
2453 static int
2454 nl80211_put_tid_config_support(struct cfg80211_registered_device *rdev,
2455 			       struct sk_buff *msg)
2456 {
2457 	struct nlattr *supp;
2458 
2459 	if (!rdev->wiphy.tid_config_support.vif &&
2460 	    !rdev->wiphy.tid_config_support.peer)
2461 		return 0;
2462 
2463 	supp = nla_nest_start(msg, NL80211_ATTR_TID_CONFIG);
2464 	if (!supp)
2465 		return -ENOSPC;
2466 
2467 	if (rdev->wiphy.tid_config_support.vif &&
2468 	    nla_put_u64_64bit(msg, NL80211_TID_CONFIG_ATTR_VIF_SUPP,
2469 			      rdev->wiphy.tid_config_support.vif,
2470 			      NL80211_TID_CONFIG_ATTR_PAD))
2471 		goto fail;
2472 
2473 	if (rdev->wiphy.tid_config_support.peer &&
2474 	    nla_put_u64_64bit(msg, NL80211_TID_CONFIG_ATTR_PEER_SUPP,
2475 			      rdev->wiphy.tid_config_support.peer,
2476 			      NL80211_TID_CONFIG_ATTR_PAD))
2477 		goto fail;
2478 
2479 	/* for now we just use the same value ... makes more sense */
2480 	if (nla_put_u8(msg, NL80211_TID_CONFIG_ATTR_RETRY_SHORT,
2481 		       rdev->wiphy.tid_config_support.max_retry))
2482 		goto fail;
2483 	if (nla_put_u8(msg, NL80211_TID_CONFIG_ATTR_RETRY_LONG,
2484 		       rdev->wiphy.tid_config_support.max_retry))
2485 		goto fail;
2486 
2487 	nla_nest_end(msg, supp);
2488 
2489 	return 0;
2490 fail:
2491 	nla_nest_cancel(msg, supp);
2492 	return -ENOBUFS;
2493 }
2494 
2495 static int
2496 nl80211_put_sar_specs(struct cfg80211_registered_device *rdev,
2497 		      struct sk_buff *msg)
2498 {
2499 	struct nlattr *sar_capa, *specs, *sub_freq_range;
2500 	u8 num_freq_ranges;
2501 	int i;
2502 
2503 	if (!rdev->wiphy.sar_capa)
2504 		return 0;
2505 
2506 	num_freq_ranges = rdev->wiphy.sar_capa->num_freq_ranges;
2507 
2508 	sar_capa = nla_nest_start(msg, NL80211_ATTR_SAR_SPEC);
2509 	if (!sar_capa)
2510 		return -ENOSPC;
2511 
2512 	if (nla_put_u32(msg, NL80211_SAR_ATTR_TYPE, rdev->wiphy.sar_capa->type))
2513 		goto fail;
2514 
2515 	specs = nla_nest_start(msg, NL80211_SAR_ATTR_SPECS);
2516 	if (!specs)
2517 		goto fail;
2518 
2519 	/* report supported freq_ranges */
2520 	for (i = 0; i < num_freq_ranges; i++) {
2521 		sub_freq_range = nla_nest_start(msg, i + 1);
2522 		if (!sub_freq_range)
2523 			goto fail;
2524 
2525 		if (nla_put_u32(msg, NL80211_SAR_ATTR_SPECS_START_FREQ,
2526 				rdev->wiphy.sar_capa->freq_ranges[i].start_freq))
2527 			goto fail;
2528 
2529 		if (nla_put_u32(msg, NL80211_SAR_ATTR_SPECS_END_FREQ,
2530 				rdev->wiphy.sar_capa->freq_ranges[i].end_freq))
2531 			goto fail;
2532 
2533 		nla_nest_end(msg, sub_freq_range);
2534 	}
2535 
2536 	nla_nest_end(msg, specs);
2537 	nla_nest_end(msg, sar_capa);
2538 
2539 	return 0;
2540 fail:
2541 	nla_nest_cancel(msg, sar_capa);
2542 	return -ENOBUFS;
2543 }
2544 
2545 static int nl80211_put_mbssid_support(struct wiphy *wiphy, struct sk_buff *msg)
2546 {
2547 	struct nlattr *config;
2548 
2549 	if (!wiphy->mbssid_max_interfaces)
2550 		return 0;
2551 
2552 	config = nla_nest_start(msg, NL80211_ATTR_MBSSID_CONFIG);
2553 	if (!config)
2554 		return -ENOBUFS;
2555 
2556 	if (nla_put_u8(msg, NL80211_MBSSID_CONFIG_ATTR_MAX_INTERFACES,
2557 		       wiphy->mbssid_max_interfaces))
2558 		goto fail;
2559 
2560 	if (wiphy->ema_max_profile_periodicity &&
2561 	    nla_put_u8(msg,
2562 		       NL80211_MBSSID_CONFIG_ATTR_MAX_EMA_PROFILE_PERIODICITY,
2563 		       wiphy->ema_max_profile_periodicity))
2564 		goto fail;
2565 
2566 	nla_nest_end(msg, config);
2567 	return 0;
2568 
2569 fail:
2570 	nla_nest_cancel(msg, config);
2571 	return -ENOBUFS;
2572 }
2573 
2574 static int nl80211_put_radio(struct wiphy *wiphy, struct sk_buff *msg, int idx)
2575 {
2576 	const struct wiphy_radio *r = &wiphy->radio[idx];
2577 	const struct wiphy_radio_cfg *rcfg = &wiphy->radio_cfg[idx];
2578 	struct nlattr *radio, *freq;
2579 	int i;
2580 
2581 	radio = nla_nest_start(msg, idx);
2582 	if (!radio)
2583 		return -ENOBUFS;
2584 
2585 	if (nla_put_u32(msg, NL80211_WIPHY_RADIO_ATTR_INDEX, idx))
2586 		goto nla_put_failure;
2587 
2588 	if (rcfg->rts_threshold &&
2589 	    nla_put_u32(msg, NL80211_WIPHY_RADIO_ATTR_RTS_THRESHOLD,
2590 			rcfg->rts_threshold))
2591 		goto nla_put_failure;
2592 
2593 	if (r->antenna_mask &&
2594 	    nla_put_u32(msg, NL80211_WIPHY_RADIO_ATTR_ANTENNA_MASK,
2595 			r->antenna_mask))
2596 		goto nla_put_failure;
2597 
2598 	for (i = 0; i < r->n_freq_range; i++) {
2599 		const struct wiphy_radio_freq_range *range = &r->freq_range[i];
2600 
2601 		freq = nla_nest_start(msg, NL80211_WIPHY_RADIO_ATTR_FREQ_RANGE);
2602 		if (!freq)
2603 			goto nla_put_failure;
2604 
2605 		if (nla_put_u32(msg, NL80211_WIPHY_RADIO_FREQ_ATTR_START,
2606 				range->start_freq) ||
2607 		    nla_put_u32(msg, NL80211_WIPHY_RADIO_FREQ_ATTR_END,
2608 				range->end_freq))
2609 			goto nla_put_failure;
2610 
2611 		nla_nest_end(msg, freq);
2612 	}
2613 
2614 	for (i = 0; i < r->n_iface_combinations; i++)
2615 		if (nl80211_put_ifcomb_data(msg, true,
2616 					    NL80211_WIPHY_RADIO_ATTR_INTERFACE_COMBINATION,
2617 					    &r->iface_combinations[i],
2618 					    NLA_F_NESTED))
2619 			goto nla_put_failure;
2620 
2621 	nla_nest_end(msg, radio);
2622 
2623 	return 0;
2624 
2625 nla_put_failure:
2626 	return -ENOBUFS;
2627 }
2628 
2629 static int nl80211_put_radios(struct wiphy *wiphy, struct sk_buff *msg)
2630 {
2631 	struct nlattr *radios;
2632 	int i;
2633 
2634 	if (!wiphy->n_radio)
2635 		return 0;
2636 
2637 	radios = nla_nest_start(msg, NL80211_ATTR_WIPHY_RADIOS);
2638 	if (!radios)
2639 		return -ENOBUFS;
2640 
2641 	for (i = 0; i < wiphy->n_radio; i++)
2642 		if (nl80211_put_radio(wiphy, msg, i))
2643 			goto fail;
2644 
2645 	nla_nest_end(msg, radios);
2646 
2647 	if (nl80211_put_iface_combinations(wiphy, msg,
2648 					   NL80211_ATTR_WIPHY_INTERFACE_COMBINATIONS,
2649 					   -1, true, NLA_F_NESTED))
2650 		return -ENOBUFS;
2651 
2652 	return 0;
2653 
2654 fail:
2655 	nla_nest_cancel(msg, radios);
2656 	return -ENOBUFS;
2657 }
2658 
2659 static int nl80211_put_nan_capa(struct wiphy *wiphy, struct sk_buff *msg)
2660 {
2661 	struct nlattr *nan_caps;
2662 
2663 	nan_caps = nla_nest_start(msg, NL80211_ATTR_NAN_CAPABILITIES);
2664 	if (!nan_caps)
2665 		return -ENOBUFS;
2666 
2667 	if (wiphy->nan_capa.flags & WIPHY_NAN_FLAGS_CONFIGURABLE_SYNC &&
2668 	    nla_put_flag(msg, NL80211_NAN_CAPA_CONFIGURABLE_SYNC))
2669 		goto fail;
2670 
2671 	if ((wiphy->nan_capa.flags & WIPHY_NAN_FLAGS_USERSPACE_DE) &&
2672 	    nla_put_flag(msg, NL80211_NAN_CAPA_USERSPACE_DE))
2673 		goto fail;
2674 
2675 	if (nla_put_u8(msg, NL80211_NAN_CAPA_OP_MODE,
2676 		       wiphy->nan_capa.op_mode) ||
2677 	    nla_put_u8(msg, NL80211_NAN_CAPA_NUM_ANTENNAS,
2678 		       wiphy->nan_capa.n_antennas) ||
2679 	    nla_put_u16(msg, NL80211_NAN_CAPA_MAX_CHANNEL_SWITCH_TIME,
2680 			wiphy->nan_capa.max_channel_switch_time) ||
2681 	    nla_put_u8(msg, NL80211_NAN_CAPA_CAPABILITIES,
2682 		       wiphy->nan_capa.dev_capabilities))
2683 		goto fail;
2684 
2685 	nla_nest_end(msg, nan_caps);
2686 
2687 	return 0;
2688 
2689 fail:
2690 	nla_nest_cancel(msg, nan_caps);
2691 	return -ENOBUFS;
2692 }
2693 
2694 struct nl80211_dump_wiphy_state {
2695 	s64 filter_wiphy;
2696 	long start;
2697 	long split_start, band_start, chan_start, capa_start;
2698 	bool split;
2699 };
2700 
2701 static int nl80211_send_wiphy(struct cfg80211_registered_device *rdev,
2702 			      enum nl80211_commands cmd,
2703 			      struct sk_buff *msg, u32 portid, u32 seq,
2704 			      int flags, struct nl80211_dump_wiphy_state *state)
2705 {
2706 	void *hdr;
2707 	struct nlattr *nl_bands, *nl_band;
2708 	struct nlattr *nl_freqs, *nl_freq;
2709 	struct nlattr *nl_cmds;
2710 	enum nl80211_band band;
2711 	struct ieee80211_channel *chan;
2712 	int i;
2713 	const struct ieee80211_txrx_stypes *mgmt_stypes =
2714 				rdev->wiphy.mgmt_stypes;
2715 	u32 features;
2716 
2717 	hdr = nl80211hdr_put(msg, portid, seq, flags, cmd);
2718 	if (!hdr)
2719 		return -ENOBUFS;
2720 
2721 	if (WARN_ON(!state))
2722 		return -EINVAL;
2723 
2724 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
2725 	    nla_put_string(msg, NL80211_ATTR_WIPHY_NAME,
2726 			   wiphy_name(&rdev->wiphy)) ||
2727 	    nla_put_u32(msg, NL80211_ATTR_GENERATION,
2728 			cfg80211_rdev_list_generation))
2729 		goto nla_put_failure;
2730 
2731 	if (cmd != NL80211_CMD_NEW_WIPHY)
2732 		goto finish;
2733 
2734 	switch (state->split_start) {
2735 	case 0:
2736 		if (nla_put_u8(msg, NL80211_ATTR_WIPHY_RETRY_SHORT,
2737 			       rdev->wiphy.retry_short) ||
2738 		    nla_put_u8(msg, NL80211_ATTR_WIPHY_RETRY_LONG,
2739 			       rdev->wiphy.retry_long) ||
2740 		    nla_put_u32(msg, NL80211_ATTR_WIPHY_FRAG_THRESHOLD,
2741 				rdev->wiphy.frag_threshold) ||
2742 		    nla_put_u32(msg, NL80211_ATTR_WIPHY_RTS_THRESHOLD,
2743 				rdev->wiphy.rts_threshold) ||
2744 		    nla_put_u8(msg, NL80211_ATTR_WIPHY_COVERAGE_CLASS,
2745 			       rdev->wiphy.coverage_class) ||
2746 		    nla_put_u8(msg, NL80211_ATTR_MAX_NUM_SCAN_SSIDS,
2747 			       rdev->wiphy.max_scan_ssids) ||
2748 		    nla_put_u8(msg, NL80211_ATTR_MAX_NUM_SCHED_SCAN_SSIDS,
2749 			       rdev->wiphy.max_sched_scan_ssids) ||
2750 		    nla_put_u16(msg, NL80211_ATTR_MAX_SCAN_IE_LEN,
2751 				rdev->wiphy.max_scan_ie_len) ||
2752 		    nla_put_u16(msg, NL80211_ATTR_MAX_SCHED_SCAN_IE_LEN,
2753 				rdev->wiphy.max_sched_scan_ie_len) ||
2754 		    nla_put_u8(msg, NL80211_ATTR_MAX_MATCH_SETS,
2755 			       rdev->wiphy.max_match_sets))
2756 			goto nla_put_failure;
2757 
2758 		if ((rdev->wiphy.flags & WIPHY_FLAG_IBSS_RSN) &&
2759 		    nla_put_flag(msg, NL80211_ATTR_SUPPORT_IBSS_RSN))
2760 			goto nla_put_failure;
2761 		if ((rdev->wiphy.flags & WIPHY_FLAG_MESH_AUTH) &&
2762 		    nla_put_flag(msg, NL80211_ATTR_SUPPORT_MESH_AUTH))
2763 			goto nla_put_failure;
2764 		if ((rdev->wiphy.flags & WIPHY_FLAG_AP_UAPSD) &&
2765 		    nla_put_flag(msg, NL80211_ATTR_SUPPORT_AP_UAPSD))
2766 			goto nla_put_failure;
2767 		if ((rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_FW_ROAM) &&
2768 		    nla_put_flag(msg, NL80211_ATTR_ROAM_SUPPORT))
2769 			goto nla_put_failure;
2770 		if ((rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) &&
2771 		    nla_put_flag(msg, NL80211_ATTR_TDLS_SUPPORT))
2772 			goto nla_put_failure;
2773 		if ((rdev->wiphy.flags & WIPHY_FLAG_TDLS_EXTERNAL_SETUP) &&
2774 		    nla_put_flag(msg, NL80211_ATTR_TDLS_EXTERNAL_SETUP))
2775 			goto nla_put_failure;
2776 		state->split_start++;
2777 		if (state->split)
2778 			break;
2779 		fallthrough;
2780 	case 1:
2781 		if (nla_put(msg, NL80211_ATTR_CIPHER_SUITES,
2782 			    sizeof(u32) * rdev->wiphy.n_cipher_suites,
2783 			    rdev->wiphy.cipher_suites))
2784 			goto nla_put_failure;
2785 
2786 		if (nla_put_u8(msg, NL80211_ATTR_MAX_NUM_PMKIDS,
2787 			       rdev->wiphy.max_num_pmkids))
2788 			goto nla_put_failure;
2789 
2790 		if ((rdev->wiphy.flags & WIPHY_FLAG_CONTROL_PORT_PROTOCOL) &&
2791 		    nla_put_flag(msg, NL80211_ATTR_CONTROL_PORT_ETHERTYPE))
2792 			goto nla_put_failure;
2793 
2794 		if (nla_put_u32(msg, NL80211_ATTR_WIPHY_ANTENNA_AVAIL_TX,
2795 				rdev->wiphy.available_antennas_tx) ||
2796 		    nla_put_u32(msg, NL80211_ATTR_WIPHY_ANTENNA_AVAIL_RX,
2797 				rdev->wiphy.available_antennas_rx))
2798 			goto nla_put_failure;
2799 
2800 		if ((rdev->wiphy.flags & WIPHY_FLAG_AP_PROBE_RESP_OFFLOAD) &&
2801 		    nla_put_u32(msg, NL80211_ATTR_PROBE_RESP_OFFLOAD,
2802 				rdev->wiphy.probe_resp_offload))
2803 			goto nla_put_failure;
2804 
2805 		if ((rdev->wiphy.available_antennas_tx ||
2806 		     rdev->wiphy.available_antennas_rx) &&
2807 		    rdev->ops->get_antenna) {
2808 			u32 tx_ant = 0, rx_ant = 0;
2809 			int res;
2810 
2811 			res = rdev_get_antenna(rdev, -1, &tx_ant, &rx_ant);
2812 			if (!res) {
2813 				if (nla_put_u32(msg,
2814 						NL80211_ATTR_WIPHY_ANTENNA_TX,
2815 						tx_ant) ||
2816 				    nla_put_u32(msg,
2817 						NL80211_ATTR_WIPHY_ANTENNA_RX,
2818 						rx_ant))
2819 					goto nla_put_failure;
2820 			}
2821 		}
2822 
2823 		state->split_start++;
2824 		if (state->split)
2825 			break;
2826 		fallthrough;
2827 	case 2:
2828 		if (nl80211_put_iftypes(msg, NL80211_ATTR_SUPPORTED_IFTYPES,
2829 					rdev->wiphy.interface_modes))
2830 				goto nla_put_failure;
2831 		state->split_start++;
2832 		if (state->split)
2833 			break;
2834 		fallthrough;
2835 	case 3:
2836 		nl_bands = nla_nest_start_noflag(msg,
2837 						 NL80211_ATTR_WIPHY_BANDS);
2838 		if (!nl_bands)
2839 			goto nla_put_failure;
2840 
2841 		for (band = state->band_start;
2842 		     band < (state->split ?
2843 				NUM_NL80211_BANDS :
2844 				NL80211_BAND_60GHZ + 1);
2845 		     band++) {
2846 			struct ieee80211_supported_band *sband;
2847 
2848 			/* omit higher bands for ancient software */
2849 			if (band > NL80211_BAND_5GHZ && !state->split)
2850 				break;
2851 
2852 			sband = rdev->wiphy.bands[band];
2853 
2854 			if (!sband)
2855 				continue;
2856 
2857 			nl_band = nla_nest_start_noflag(msg, band);
2858 			if (!nl_band)
2859 				goto nla_put_failure;
2860 
2861 			switch (state->chan_start) {
2862 			case 0:
2863 				if (nl80211_send_band_rateinfo(msg, sband,
2864 							       state->split))
2865 					goto nla_put_failure;
2866 				state->chan_start++;
2867 				if (state->split)
2868 					break;
2869 				fallthrough;
2870 			default:
2871 				/* add frequencies */
2872 				nl_freqs = nla_nest_start_noflag(msg,
2873 								 NL80211_BAND_ATTR_FREQS);
2874 				if (!nl_freqs)
2875 					goto nla_put_failure;
2876 
2877 				for (i = state->chan_start - 1;
2878 				     i < sband->n_channels;
2879 				     i++) {
2880 					nl_freq = nla_nest_start_noflag(msg,
2881 									i);
2882 					if (!nl_freq)
2883 						goto nla_put_failure;
2884 
2885 					chan = &sband->channels[i];
2886 
2887 					if (nl80211_msg_put_channel(
2888 							msg, &rdev->wiphy, chan,
2889 							state->split))
2890 						goto nla_put_failure;
2891 
2892 					nla_nest_end(msg, nl_freq);
2893 					if (state->split)
2894 						break;
2895 				}
2896 				if (i < sband->n_channels)
2897 					state->chan_start = i + 2;
2898 				else
2899 					state->chan_start = 0;
2900 				nla_nest_end(msg, nl_freqs);
2901 			}
2902 
2903 			nla_nest_end(msg, nl_band);
2904 
2905 			if (state->split) {
2906 				/* start again here */
2907 				if (state->chan_start)
2908 					band--;
2909 				break;
2910 			}
2911 		}
2912 		nla_nest_end(msg, nl_bands);
2913 
2914 		if (band < NUM_NL80211_BANDS)
2915 			state->band_start = band + 1;
2916 		else
2917 			state->band_start = 0;
2918 
2919 		/* if bands & channels are done, continue outside */
2920 		if (state->band_start == 0 && state->chan_start == 0)
2921 			state->split_start++;
2922 		if (state->split)
2923 			break;
2924 		fallthrough;
2925 	case 4:
2926 		nl_cmds = nla_nest_start_noflag(msg,
2927 						NL80211_ATTR_SUPPORTED_COMMANDS);
2928 		if (!nl_cmds)
2929 			goto nla_put_failure;
2930 
2931 		i = nl80211_add_commands_unsplit(rdev, msg);
2932 		if (i < 0)
2933 			goto nla_put_failure;
2934 		if (state->split) {
2935 			CMD(crit_proto_start, CRIT_PROTOCOL_START);
2936 			CMD(crit_proto_stop, CRIT_PROTOCOL_STOP);
2937 			if (rdev->wiphy.flags & WIPHY_FLAG_HAS_CHANNEL_SWITCH)
2938 				CMD(channel_switch, CHANNEL_SWITCH);
2939 			CMD(set_qos_map, SET_QOS_MAP);
2940 			if (rdev->wiphy.features &
2941 					NL80211_FEATURE_SUPPORTS_WMM_ADMISSION)
2942 				CMD(add_tx_ts, ADD_TX_TS);
2943 			CMD(set_multicast_to_unicast, SET_MULTICAST_TO_UNICAST);
2944 			CMD(update_connect_params, UPDATE_CONNECT_PARAMS);
2945 			CMD(update_ft_ies, UPDATE_FT_IES);
2946 			if (rdev->wiphy.sar_capa)
2947 				CMD(set_sar_specs, SET_SAR_SPECS);
2948 			CMD(assoc_ml_reconf, ASSOC_MLO_RECONF);
2949 		}
2950 #undef CMD
2951 
2952 		nla_nest_end(msg, nl_cmds);
2953 		state->split_start++;
2954 		if (state->split)
2955 			break;
2956 		fallthrough;
2957 	case 5:
2958 		if (rdev->ops->remain_on_channel &&
2959 		    (rdev->wiphy.flags & WIPHY_FLAG_HAS_REMAIN_ON_CHANNEL) &&
2960 		    nla_put_u32(msg,
2961 				NL80211_ATTR_MAX_REMAIN_ON_CHANNEL_DURATION,
2962 				rdev->wiphy.max_remain_on_channel_duration))
2963 			goto nla_put_failure;
2964 
2965 		if ((rdev->wiphy.flags & WIPHY_FLAG_OFFCHAN_TX) &&
2966 		    nla_put_flag(msg, NL80211_ATTR_OFFCHANNEL_TX_OK))
2967 			goto nla_put_failure;
2968 
2969 		state->split_start++;
2970 		if (state->split)
2971 			break;
2972 		fallthrough;
2973 	case 6:
2974 #ifdef CONFIG_PM
2975 		if (nl80211_send_wowlan(msg, rdev, state->split))
2976 			goto nla_put_failure;
2977 		state->split_start++;
2978 		if (state->split)
2979 			break;
2980 #else
2981 		state->split_start++;
2982 #endif
2983 		fallthrough;
2984 	case 7:
2985 		if (nl80211_put_iftypes(msg, NL80211_ATTR_SOFTWARE_IFTYPES,
2986 					rdev->wiphy.software_iftypes))
2987 			goto nla_put_failure;
2988 
2989 		if (nl80211_put_iface_combinations(&rdev->wiphy, msg,
2990 						   NL80211_ATTR_INTERFACE_COMBINATIONS,
2991 						   rdev->wiphy.n_radio ? 0 : -1,
2992 						   state->split, 0))
2993 			goto nla_put_failure;
2994 
2995 		state->split_start++;
2996 		if (state->split)
2997 			break;
2998 		fallthrough;
2999 	case 8:
3000 		if ((rdev->wiphy.flags & WIPHY_FLAG_HAVE_AP_SME) &&
3001 		    nla_put_u32(msg, NL80211_ATTR_DEVICE_AP_SME,
3002 				rdev->wiphy.ap_sme_capa))
3003 			goto nla_put_failure;
3004 
3005 		features = rdev->wiphy.features;
3006 		/*
3007 		 * We can only add the per-channel limit information if the
3008 		 * dump is split, otherwise it makes it too big. Therefore
3009 		 * only advertise it in that case.
3010 		 */
3011 		if (state->split)
3012 			features |= NL80211_FEATURE_ADVERTISE_CHAN_LIMITS;
3013 		if (nla_put_u32(msg, NL80211_ATTR_FEATURE_FLAGS, features))
3014 			goto nla_put_failure;
3015 
3016 		if (rdev->wiphy.ht_capa_mod_mask &&
3017 		    nla_put(msg, NL80211_ATTR_HT_CAPABILITY_MASK,
3018 			    sizeof(*rdev->wiphy.ht_capa_mod_mask),
3019 			    rdev->wiphy.ht_capa_mod_mask))
3020 			goto nla_put_failure;
3021 
3022 		if (rdev->wiphy.flags & WIPHY_FLAG_HAVE_AP_SME &&
3023 		    rdev->wiphy.max_acl_mac_addrs &&
3024 		    nla_put_u32(msg, NL80211_ATTR_MAC_ACL_MAX,
3025 				rdev->wiphy.max_acl_mac_addrs))
3026 			goto nla_put_failure;
3027 
3028 		/*
3029 		 * Any information below this point is only available to
3030 		 * applications that can deal with it being split. This
3031 		 * helps ensure that newly added capabilities don't break
3032 		 * older tools by overrunning their buffers.
3033 		 *
3034 		 * We still increment split_start so that in the split
3035 		 * case we'll continue with more data in the next round,
3036 		 * but break unconditionally so unsplit data stops here.
3037 		 */
3038 		if (state->split)
3039 			state->split_start++;
3040 		else
3041 			state->split_start = 0;
3042 		break;
3043 	case 9:
3044 		if (nl80211_send_mgmt_stypes(msg, mgmt_stypes))
3045 			goto nla_put_failure;
3046 
3047 		if (nla_put_u32(msg, NL80211_ATTR_MAX_NUM_SCHED_SCAN_PLANS,
3048 				rdev->wiphy.max_sched_scan_plans) ||
3049 		    nla_put_u32(msg, NL80211_ATTR_MAX_SCAN_PLAN_INTERVAL,
3050 				rdev->wiphy.max_sched_scan_plan_interval) ||
3051 		    nla_put_u32(msg, NL80211_ATTR_MAX_SCAN_PLAN_ITERATIONS,
3052 				rdev->wiphy.max_sched_scan_plan_iterations))
3053 			goto nla_put_failure;
3054 
3055 		if (rdev->wiphy.extended_capabilities &&
3056 		    (nla_put(msg, NL80211_ATTR_EXT_CAPA,
3057 			     rdev->wiphy.extended_capabilities_len,
3058 			     rdev->wiphy.extended_capabilities) ||
3059 		     nla_put(msg, NL80211_ATTR_EXT_CAPA_MASK,
3060 			     rdev->wiphy.extended_capabilities_len,
3061 			     rdev->wiphy.extended_capabilities_mask)))
3062 			goto nla_put_failure;
3063 
3064 		if (rdev->wiphy.vht_capa_mod_mask &&
3065 		    nla_put(msg, NL80211_ATTR_VHT_CAPABILITY_MASK,
3066 			    sizeof(*rdev->wiphy.vht_capa_mod_mask),
3067 			    rdev->wiphy.vht_capa_mod_mask))
3068 			goto nla_put_failure;
3069 
3070 		if (nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN,
3071 			    rdev->wiphy.perm_addr))
3072 			goto nla_put_failure;
3073 
3074 		if (!is_zero_ether_addr(rdev->wiphy.addr_mask) &&
3075 		    nla_put(msg, NL80211_ATTR_MAC_MASK, ETH_ALEN,
3076 			    rdev->wiphy.addr_mask))
3077 			goto nla_put_failure;
3078 
3079 		if (rdev->wiphy.n_addresses > 1) {
3080 			void *attr;
3081 
3082 			attr = nla_nest_start(msg, NL80211_ATTR_MAC_ADDRS);
3083 			if (!attr)
3084 				goto nla_put_failure;
3085 
3086 			for (i = 0; i < rdev->wiphy.n_addresses; i++)
3087 				if (nla_put(msg, i + 1, ETH_ALEN,
3088 					    rdev->wiphy.addresses[i].addr))
3089 					goto nla_put_failure;
3090 
3091 			nla_nest_end(msg, attr);
3092 		}
3093 
3094 		state->split_start++;
3095 		break;
3096 	case 10:
3097 		if (nl80211_send_coalesce(msg, rdev))
3098 			goto nla_put_failure;
3099 
3100 		if ((rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_5_10_MHZ) &&
3101 		    (nla_put_flag(msg, NL80211_ATTR_SUPPORT_5_MHZ) ||
3102 		     nla_put_flag(msg, NL80211_ATTR_SUPPORT_10_MHZ)))
3103 			goto nla_put_failure;
3104 
3105 		if (rdev->wiphy.max_ap_assoc_sta &&
3106 		    nla_put_u32(msg, NL80211_ATTR_MAX_AP_ASSOC_STA,
3107 				rdev->wiphy.max_ap_assoc_sta))
3108 			goto nla_put_failure;
3109 
3110 		state->split_start++;
3111 		break;
3112 	case 11:
3113 		if (rdev->wiphy.n_vendor_commands) {
3114 			const struct nl80211_vendor_cmd_info *info;
3115 			struct nlattr *nested;
3116 
3117 			nested = nla_nest_start_noflag(msg,
3118 						       NL80211_ATTR_VENDOR_DATA);
3119 			if (!nested)
3120 				goto nla_put_failure;
3121 
3122 			for (i = 0; i < rdev->wiphy.n_vendor_commands; i++) {
3123 				info = &rdev->wiphy.vendor_commands[i].info;
3124 				if (nla_put(msg, i + 1, sizeof(*info), info))
3125 					goto nla_put_failure;
3126 			}
3127 			nla_nest_end(msg, nested);
3128 		}
3129 
3130 		if (rdev->wiphy.n_vendor_events) {
3131 			const struct nl80211_vendor_cmd_info *info;
3132 			struct nlattr *nested;
3133 
3134 			nested = nla_nest_start_noflag(msg,
3135 						       NL80211_ATTR_VENDOR_EVENTS);
3136 			if (!nested)
3137 				goto nla_put_failure;
3138 
3139 			for (i = 0; i < rdev->wiphy.n_vendor_events; i++) {
3140 				info = &rdev->wiphy.vendor_events[i];
3141 				if (nla_put(msg, i + 1, sizeof(*info), info))
3142 					goto nla_put_failure;
3143 			}
3144 			nla_nest_end(msg, nested);
3145 		}
3146 		state->split_start++;
3147 		break;
3148 	case 12:
3149 		if (rdev->wiphy.flags & WIPHY_FLAG_HAS_CHANNEL_SWITCH &&
3150 		    nla_put_u8(msg, NL80211_ATTR_MAX_CSA_COUNTERS,
3151 			       rdev->wiphy.max_num_csa_counters))
3152 			goto nla_put_failure;
3153 
3154 		if (rdev->wiphy.regulatory_flags & REGULATORY_WIPHY_SELF_MANAGED &&
3155 		    nla_put_flag(msg, NL80211_ATTR_WIPHY_SELF_MANAGED_REG))
3156 			goto nla_put_failure;
3157 
3158 		if (rdev->wiphy.max_sched_scan_reqs &&
3159 		    nla_put_u32(msg, NL80211_ATTR_SCHED_SCAN_MAX_REQS,
3160 				rdev->wiphy.max_sched_scan_reqs))
3161 			goto nla_put_failure;
3162 
3163 		if (nla_put(msg, NL80211_ATTR_EXT_FEATURES,
3164 			    sizeof(rdev->wiphy.ext_features),
3165 			    rdev->wiphy.ext_features))
3166 			goto nla_put_failure;
3167 
3168 		if (rdev->wiphy.bss_param_support) {
3169 			struct nlattr *nested;
3170 			u32 parsup = rdev->wiphy.bss_param_support;
3171 
3172 			nested = nla_nest_start(msg, NL80211_ATTR_BSS_PARAM);
3173 			if (!nested)
3174 				goto nla_put_failure;
3175 
3176 			if ((parsup & WIPHY_BSS_PARAM_CTS_PROT) &&
3177 			    nla_put_flag(msg, NL80211_ATTR_BSS_CTS_PROT))
3178 				goto nla_put_failure;
3179 			if ((parsup & WIPHY_BSS_PARAM_SHORT_PREAMBLE) &&
3180 			    nla_put_flag(msg, NL80211_ATTR_BSS_SHORT_PREAMBLE))
3181 				goto nla_put_failure;
3182 			if ((parsup & WIPHY_BSS_PARAM_SHORT_SLOT_TIME) &&
3183 			    nla_put_flag(msg, NL80211_ATTR_BSS_SHORT_SLOT_TIME))
3184 				goto nla_put_failure;
3185 			if ((parsup & WIPHY_BSS_PARAM_BASIC_RATES) &&
3186 			    nla_put_flag(msg, NL80211_ATTR_BSS_BASIC_RATES))
3187 				goto nla_put_failure;
3188 			if ((parsup & WIPHY_BSS_PARAM_AP_ISOLATE) &&
3189 			    nla_put_flag(msg, NL80211_ATTR_AP_ISOLATE))
3190 				goto nla_put_failure;
3191 			if ((parsup & WIPHY_BSS_PARAM_HT_OPMODE) &&
3192 			    nla_put_flag(msg, NL80211_ATTR_BSS_HT_OPMODE))
3193 				goto nla_put_failure;
3194 			if ((parsup & WIPHY_BSS_PARAM_P2P_CTWINDOW) &&
3195 			    nla_put_flag(msg, NL80211_ATTR_P2P_CTWINDOW))
3196 				goto nla_put_failure;
3197 			if ((parsup & WIPHY_BSS_PARAM_P2P_OPPPS) &&
3198 			    nla_put_flag(msg, NL80211_ATTR_P2P_OPPPS))
3199 				goto nla_put_failure;
3200 			nla_nest_end(msg, nested);
3201 		}
3202 		if (rdev->wiphy.bss_select_support) {
3203 			struct nlattr *nested;
3204 			u32 bss_select_support = rdev->wiphy.bss_select_support;
3205 
3206 			nested = nla_nest_start_noflag(msg,
3207 						       NL80211_ATTR_BSS_SELECT);
3208 			if (!nested)
3209 				goto nla_put_failure;
3210 
3211 			i = 0;
3212 			while (bss_select_support) {
3213 				if ((bss_select_support & 1) &&
3214 				    nla_put_flag(msg, i))
3215 					goto nla_put_failure;
3216 				i++;
3217 				bss_select_support >>= 1;
3218 			}
3219 			nla_nest_end(msg, nested);
3220 		}
3221 
3222 		state->split_start++;
3223 		break;
3224 	case 13:
3225 		if (rdev->wiphy.num_iftype_ext_capab &&
3226 		    rdev->wiphy.iftype_ext_capab) {
3227 			struct nlattr *nested_ext_capab, *nested;
3228 
3229 			nested = nla_nest_start_noflag(msg,
3230 						       NL80211_ATTR_IFTYPE_EXT_CAPA);
3231 			if (!nested)
3232 				goto nla_put_failure;
3233 
3234 			for (i = state->capa_start;
3235 			     i < rdev->wiphy.num_iftype_ext_capab; i++) {
3236 				const struct wiphy_iftype_ext_capab *capab;
3237 
3238 				capab = &rdev->wiphy.iftype_ext_capab[i];
3239 
3240 				nested_ext_capab = nla_nest_start_noflag(msg,
3241 									 i);
3242 				if (!nested_ext_capab ||
3243 				    nla_put_u32(msg, NL80211_ATTR_IFTYPE,
3244 						capab->iftype) ||
3245 				    nla_put(msg, NL80211_ATTR_EXT_CAPA,
3246 					    capab->extended_capabilities_len,
3247 					    capab->extended_capabilities) ||
3248 				    nla_put(msg, NL80211_ATTR_EXT_CAPA_MASK,
3249 					    capab->extended_capabilities_len,
3250 					    capab->extended_capabilities_mask))
3251 					goto nla_put_failure;
3252 
3253 				if (rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_MLO &&
3254 				    (nla_put_u16(msg,
3255 						 NL80211_ATTR_EML_CAPABILITY,
3256 						 capab->eml_capabilities) ||
3257 				     nla_put_u16(msg,
3258 						 NL80211_ATTR_MLD_CAPA_AND_OPS,
3259 						 capab->mld_capa_and_ops)))
3260 					goto nla_put_failure;
3261 
3262 				nla_nest_end(msg, nested_ext_capab);
3263 				if (state->split)
3264 					break;
3265 			}
3266 			nla_nest_end(msg, nested);
3267 			if (i < rdev->wiphy.num_iftype_ext_capab) {
3268 				state->capa_start = i + 1;
3269 				break;
3270 			}
3271 		}
3272 
3273 		if (nla_put_u32(msg, NL80211_ATTR_BANDS,
3274 				rdev->wiphy.nan_supported_bands))
3275 			goto nla_put_failure;
3276 
3277 		if (wiphy_ext_feature_isset(&rdev->wiphy,
3278 					    NL80211_EXT_FEATURE_TXQS)) {
3279 			struct cfg80211_txq_stats txqstats = {};
3280 			int res;
3281 
3282 			res = rdev_get_txq_stats(rdev, NULL, &txqstats);
3283 			if (!res &&
3284 			    !nl80211_put_txq_stats(msg, &txqstats,
3285 						   NL80211_ATTR_TXQ_STATS))
3286 				goto nla_put_failure;
3287 
3288 			if (nla_put_u32(msg, NL80211_ATTR_TXQ_LIMIT,
3289 					rdev->wiphy.txq_limit))
3290 				goto nla_put_failure;
3291 			if (nla_put_u32(msg, NL80211_ATTR_TXQ_MEMORY_LIMIT,
3292 					rdev->wiphy.txq_memory_limit))
3293 				goto nla_put_failure;
3294 			if (nla_put_u32(msg, NL80211_ATTR_TXQ_QUANTUM,
3295 					rdev->wiphy.txq_quantum))
3296 				goto nla_put_failure;
3297 		}
3298 
3299 		state->split_start++;
3300 		break;
3301 	case 14:
3302 		if (nl80211_send_pmsr_capa(rdev, msg))
3303 			goto nla_put_failure;
3304 
3305 		state->split_start++;
3306 		break;
3307 	case 15:
3308 		if (rdev->wiphy.akm_suites &&
3309 		    nla_put(msg, NL80211_ATTR_AKM_SUITES,
3310 			    sizeof(u32) * rdev->wiphy.n_akm_suites,
3311 			    rdev->wiphy.akm_suites))
3312 			goto nla_put_failure;
3313 
3314 		if (nl80211_put_iftype_akm_suites(rdev, msg))
3315 			goto nla_put_failure;
3316 
3317 		if (nl80211_put_tid_config_support(rdev, msg))
3318 			goto nla_put_failure;
3319 		state->split_start++;
3320 		break;
3321 	case 16:
3322 		if (nl80211_put_sar_specs(rdev, msg))
3323 			goto nla_put_failure;
3324 
3325 		if (nl80211_put_mbssid_support(&rdev->wiphy, msg))
3326 			goto nla_put_failure;
3327 
3328 		if (nla_put_u16(msg, NL80211_ATTR_MAX_NUM_AKM_SUITES,
3329 				rdev->wiphy.max_num_akm_suites))
3330 			goto nla_put_failure;
3331 
3332 		if (rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_MLO)
3333 			nla_put_flag(msg, NL80211_ATTR_MLO_SUPPORT);
3334 
3335 		if (rdev->wiphy.hw_timestamp_max_peers &&
3336 		    nla_put_u16(msg, NL80211_ATTR_MAX_HW_TIMESTAMP_PEERS,
3337 				rdev->wiphy.hw_timestamp_max_peers))
3338 			goto nla_put_failure;
3339 
3340 		state->split_start++;
3341 		break;
3342 	case 17:
3343 		if (nl80211_put_radios(&rdev->wiphy, msg))
3344 			goto nla_put_failure;
3345 
3346 		state->split_start++;
3347 		break;
3348 	case 18:
3349 		if (nl80211_put_nan_capa(&rdev->wiphy, msg))
3350 			goto nla_put_failure;
3351 
3352 		/* done */
3353 		state->split_start = 0;
3354 		break;
3355 	}
3356  finish:
3357 	genlmsg_end(msg, hdr);
3358 	return 0;
3359 
3360  nla_put_failure:
3361 	genlmsg_cancel(msg, hdr);
3362 	return -EMSGSIZE;
3363 }
3364 
3365 static int nl80211_dump_wiphy_parse(struct sk_buff *skb,
3366 				    struct netlink_callback *cb,
3367 				    struct nl80211_dump_wiphy_state *state)
3368 {
3369 	struct nlattr **tb = kzalloc_objs(*tb, NUM_NL80211_ATTR);
3370 	int ret;
3371 
3372 	if (!tb)
3373 		return -ENOMEM;
3374 
3375 	ret = nlmsg_parse_deprecated(cb->nlh,
3376 				     GENL_HDRLEN + nl80211_fam.hdrsize,
3377 				     tb, nl80211_fam.maxattr,
3378 				     nl80211_policy, NULL);
3379 	/* ignore parse errors for backward compatibility */
3380 	if (ret) {
3381 		ret = 0;
3382 		goto out;
3383 	}
3384 
3385 	state->split = tb[NL80211_ATTR_SPLIT_WIPHY_DUMP];
3386 	if (tb[NL80211_ATTR_WIPHY])
3387 		state->filter_wiphy = nla_get_u32(tb[NL80211_ATTR_WIPHY]);
3388 	if (tb[NL80211_ATTR_WDEV])
3389 		state->filter_wiphy = nla_get_u64(tb[NL80211_ATTR_WDEV]) >> 32;
3390 	if (tb[NL80211_ATTR_IFINDEX]) {
3391 		struct net_device *netdev;
3392 		struct cfg80211_registered_device *rdev;
3393 		int ifidx = nla_get_u32(tb[NL80211_ATTR_IFINDEX]);
3394 
3395 		netdev = __dev_get_by_index(sock_net(skb->sk), ifidx);
3396 		if (!netdev) {
3397 			ret = -ENODEV;
3398 			goto out;
3399 		}
3400 		if (netdev->ieee80211_ptr) {
3401 			rdev = wiphy_to_rdev(
3402 				netdev->ieee80211_ptr->wiphy);
3403 			state->filter_wiphy = rdev->wiphy_idx;
3404 		}
3405 	}
3406 
3407 	ret = 0;
3408 out:
3409 	kfree(tb);
3410 	return ret;
3411 }
3412 
3413 static int nl80211_dump_wiphy(struct sk_buff *skb, struct netlink_callback *cb)
3414 {
3415 	int idx = 0, ret;
3416 	struct nl80211_dump_wiphy_state *state = (void *)cb->args[0];
3417 	struct cfg80211_registered_device *rdev;
3418 
3419 	rtnl_lock();
3420 	if (!state) {
3421 		state = kzalloc_obj(*state);
3422 		if (!state) {
3423 			rtnl_unlock();
3424 			return -ENOMEM;
3425 		}
3426 		state->filter_wiphy = -1;
3427 		ret = nl80211_dump_wiphy_parse(skb, cb, state);
3428 		if (ret) {
3429 			kfree(state);
3430 			rtnl_unlock();
3431 			return ret;
3432 		}
3433 		cb->args[0] = (long)state;
3434 	}
3435 
3436 	for_each_rdev(rdev) {
3437 		if (!net_eq(wiphy_net(&rdev->wiphy), sock_net(skb->sk)))
3438 			continue;
3439 		if (++idx <= state->start)
3440 			continue;
3441 		if (state->filter_wiphy != -1 &&
3442 		    state->filter_wiphy != rdev->wiphy_idx)
3443 			continue;
3444 		wiphy_lock(&rdev->wiphy);
3445 		/* attempt to fit multiple wiphy data chunks into the skb */
3446 		do {
3447 			ret = nl80211_send_wiphy(rdev, NL80211_CMD_NEW_WIPHY,
3448 						 skb,
3449 						 NETLINK_CB(cb->skb).portid,
3450 						 cb->nlh->nlmsg_seq,
3451 						 NLM_F_MULTI, state);
3452 			if (ret < 0) {
3453 				/*
3454 				 * If sending the wiphy data didn't fit (ENOBUFS
3455 				 * or EMSGSIZE returned), this SKB is still
3456 				 * empty (so it's not too big because another
3457 				 * wiphy dataset is already in the skb) and
3458 				 * we've not tried to adjust the dump allocation
3459 				 * yet ... then adjust the alloc size to be
3460 				 * bigger, and return 1 but with the empty skb.
3461 				 * This results in an empty message being RX'ed
3462 				 * in userspace, but that is ignored.
3463 				 *
3464 				 * We can then retry with the larger buffer.
3465 				 */
3466 				if ((ret == -ENOBUFS || ret == -EMSGSIZE) &&
3467 				    !skb->len && !state->split &&
3468 				    cb->min_dump_alloc < 4096) {
3469 					cb->min_dump_alloc = 4096;
3470 					state->split_start = 0;
3471 					wiphy_unlock(&rdev->wiphy);
3472 					rtnl_unlock();
3473 					return 1;
3474 				}
3475 				idx--;
3476 				break;
3477 			}
3478 		} while (state->split_start > 0);
3479 		wiphy_unlock(&rdev->wiphy);
3480 		break;
3481 	}
3482 	rtnl_unlock();
3483 
3484 	state->start = idx;
3485 
3486 	return skb->len;
3487 }
3488 
3489 static int nl80211_dump_wiphy_done(struct netlink_callback *cb)
3490 {
3491 	kfree((void *)cb->args[0]);
3492 	return 0;
3493 }
3494 
3495 static int nl80211_get_wiphy(struct sk_buff *skb, struct genl_info *info)
3496 {
3497 	struct sk_buff *msg;
3498 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
3499 	struct nl80211_dump_wiphy_state state = {};
3500 
3501 	msg = nlmsg_new(4096, GFP_KERNEL);
3502 	if (!msg)
3503 		return -ENOMEM;
3504 
3505 	if (nl80211_send_wiphy(rdev, NL80211_CMD_NEW_WIPHY, msg,
3506 			       info->snd_portid, info->snd_seq, 0,
3507 			       &state) < 0) {
3508 		nlmsg_free(msg);
3509 		return -ENOBUFS;
3510 	}
3511 
3512 	return genlmsg_reply(msg, info);
3513 }
3514 
3515 static const struct nla_policy txq_params_policy[NL80211_TXQ_ATTR_MAX + 1] = {
3516 	[NL80211_TXQ_ATTR_QUEUE]		= { .type = NLA_U8 },
3517 	[NL80211_TXQ_ATTR_TXOP]			= { .type = NLA_U16 },
3518 	[NL80211_TXQ_ATTR_CWMIN]		= { .type = NLA_U16 },
3519 	[NL80211_TXQ_ATTR_CWMAX]		= { .type = NLA_U16 },
3520 	[NL80211_TXQ_ATTR_AIFS]			= { .type = NLA_U8 },
3521 };
3522 
3523 static int parse_txq_params(struct nlattr *tb[],
3524 			    struct ieee80211_txq_params *txq_params)
3525 {
3526 	u8 ac;
3527 
3528 	if (!tb[NL80211_TXQ_ATTR_AC] || !tb[NL80211_TXQ_ATTR_TXOP] ||
3529 	    !tb[NL80211_TXQ_ATTR_CWMIN] || !tb[NL80211_TXQ_ATTR_CWMAX] ||
3530 	    !tb[NL80211_TXQ_ATTR_AIFS])
3531 		return -EINVAL;
3532 
3533 	ac = nla_get_u8(tb[NL80211_TXQ_ATTR_AC]);
3534 	txq_params->txop = nla_get_u16(tb[NL80211_TXQ_ATTR_TXOP]);
3535 	txq_params->cwmin = nla_get_u16(tb[NL80211_TXQ_ATTR_CWMIN]);
3536 	txq_params->cwmax = nla_get_u16(tb[NL80211_TXQ_ATTR_CWMAX]);
3537 	txq_params->aifs = nla_get_u8(tb[NL80211_TXQ_ATTR_AIFS]);
3538 
3539 	if (ac >= NL80211_NUM_ACS)
3540 		return -EINVAL;
3541 	txq_params->ac = array_index_nospec(ac, NL80211_NUM_ACS);
3542 	return 0;
3543 }
3544 
3545 static bool nl80211_can_set_dev_channel(struct wireless_dev *wdev)
3546 {
3547 	/*
3548 	 * You can only set the channel explicitly for some interfaces,
3549 	 * most have their channel managed via their respective
3550 	 * "establish a connection" command (connect, join, ...)
3551 	 *
3552 	 * For AP/GO and mesh mode, the channel can be set with the
3553 	 * channel userspace API, but is only stored and passed to the
3554 	 * low-level driver when the AP starts or the mesh is joined.
3555 	 * This is for backward compatibility, userspace can also give
3556 	 * the channel in the start-ap or join-mesh commands instead.
3557 	 *
3558 	 * Monitors are special as they are normally slaved to
3559 	 * whatever else is going on, so they have their own special
3560 	 * operation to set the monitor channel if possible.
3561 	 */
3562 	return !wdev ||
3563 		wdev->iftype == NL80211_IFTYPE_AP ||
3564 		wdev->iftype == NL80211_IFTYPE_MESH_POINT ||
3565 		wdev->iftype == NL80211_IFTYPE_MONITOR ||
3566 		wdev->iftype == NL80211_IFTYPE_P2P_GO;
3567 }
3568 
3569 static int _nl80211_parse_chandef(struct cfg80211_registered_device *rdev,
3570 				  struct genl_info *info, bool monitor,
3571 				  struct cfg80211_chan_def *chandef)
3572 {
3573 	struct netlink_ext_ack *extack = info->extack;
3574 	struct nlattr **attrs = info->attrs;
3575 	u32 control_freq;
3576 
3577 	if (!attrs[NL80211_ATTR_WIPHY_FREQ]) {
3578 		NL_SET_ERR_MSG_ATTR(extack, attrs[NL80211_ATTR_WIPHY_FREQ],
3579 				    "Frequency is missing");
3580 		return -EINVAL;
3581 	}
3582 
3583 	control_freq = MHZ_TO_KHZ(
3584 			nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ]));
3585 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET])
3586 		control_freq +=
3587 		    nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET]);
3588 
3589 	memset(chandef, 0, sizeof(*chandef));
3590 	chandef->chan = ieee80211_get_channel_khz(&rdev->wiphy, control_freq);
3591 	chandef->width = NL80211_CHAN_WIDTH_20_NOHT;
3592 	chandef->center_freq1 = KHZ_TO_MHZ(control_freq);
3593 	chandef->freq1_offset = control_freq % 1000;
3594 	chandef->center_freq2 = 0;
3595 	chandef->s1g_primary_2mhz = false;
3596 
3597 	if (!chandef->chan) {
3598 		NL_SET_ERR_MSG_ATTR(extack, attrs[NL80211_ATTR_WIPHY_FREQ],
3599 				    "Unknown channel");
3600 		return -EINVAL;
3601 	}
3602 
3603 	if (cfg80211_chandef_is_s1g(chandef))
3604 		chandef->width = NL80211_CHAN_WIDTH_1;
3605 
3606 	if (attrs[NL80211_ATTR_WIPHY_CHANNEL_TYPE]) {
3607 		enum nl80211_channel_type chantype;
3608 
3609 		chantype = nla_get_u32(attrs[NL80211_ATTR_WIPHY_CHANNEL_TYPE]);
3610 
3611 		switch (chantype) {
3612 		case NL80211_CHAN_NO_HT:
3613 		case NL80211_CHAN_HT20:
3614 		case NL80211_CHAN_HT40PLUS:
3615 		case NL80211_CHAN_HT40MINUS:
3616 			cfg80211_chandef_create(chandef, chandef->chan,
3617 						chantype);
3618 			/* user input for center_freq is incorrect */
3619 			if (attrs[NL80211_ATTR_CENTER_FREQ1] &&
3620 			    chandef->center_freq1 != nla_get_u32(attrs[NL80211_ATTR_CENTER_FREQ1])) {
3621 				NL_SET_ERR_MSG_ATTR(extack,
3622 						    attrs[NL80211_ATTR_CENTER_FREQ1],
3623 						    "bad center frequency 1");
3624 				return -EINVAL;
3625 			}
3626 			/* center_freq2 must be zero */
3627 			if (attrs[NL80211_ATTR_CENTER_FREQ2] &&
3628 			    nla_get_u32(attrs[NL80211_ATTR_CENTER_FREQ2])) {
3629 				NL_SET_ERR_MSG_ATTR(extack,
3630 						    attrs[NL80211_ATTR_CENTER_FREQ2],
3631 						    "center frequency 2 can't be used");
3632 				return -EINVAL;
3633 			}
3634 			break;
3635 		default:
3636 			NL_SET_ERR_MSG_ATTR(extack,
3637 					    attrs[NL80211_ATTR_WIPHY_CHANNEL_TYPE],
3638 					    "invalid channel type");
3639 			return -EINVAL;
3640 		}
3641 	} else if (attrs[NL80211_ATTR_CHANNEL_WIDTH]) {
3642 		chandef->width = nla_get_u32(attrs[NL80211_ATTR_CHANNEL_WIDTH]);
3643 		if (attrs[NL80211_ATTR_CENTER_FREQ1]) {
3644 			chandef->center_freq1 =
3645 				nla_get_u32(attrs[NL80211_ATTR_CENTER_FREQ1]);
3646 			chandef->freq1_offset = nla_get_u32_default(
3647 				attrs[NL80211_ATTR_CENTER_FREQ1_OFFSET], 0);
3648 		}
3649 
3650 		if (attrs[NL80211_ATTR_CENTER_FREQ2])
3651 			chandef->center_freq2 =
3652 				nla_get_u32(attrs[NL80211_ATTR_CENTER_FREQ2]);
3653 
3654 		chandef->s1g_primary_2mhz = nla_get_flag(
3655 			attrs[NL80211_ATTR_S1G_PRIMARY_2MHZ]);
3656 	}
3657 
3658 	if (info->attrs[NL80211_ATTR_WIPHY_EDMG_CHANNELS]) {
3659 		chandef->edmg.channels =
3660 		      nla_get_u8(info->attrs[NL80211_ATTR_WIPHY_EDMG_CHANNELS]);
3661 
3662 		if (info->attrs[NL80211_ATTR_WIPHY_EDMG_BW_CONFIG])
3663 			chandef->edmg.bw_config =
3664 		     nla_get_u8(info->attrs[NL80211_ATTR_WIPHY_EDMG_BW_CONFIG]);
3665 	} else {
3666 		chandef->edmg.bw_config = 0;
3667 		chandef->edmg.channels = 0;
3668 	}
3669 
3670 	if (info->attrs[NL80211_ATTR_PUNCT_BITMAP]) {
3671 		chandef->punctured =
3672 			nla_get_u32(info->attrs[NL80211_ATTR_PUNCT_BITMAP]);
3673 
3674 		if (chandef->punctured &&
3675 		    !wiphy_ext_feature_isset(&rdev->wiphy,
3676 					     NL80211_EXT_FEATURE_PUNCT)) {
3677 			NL_SET_ERR_MSG(extack,
3678 				       "driver doesn't support puncturing");
3679 			return -EINVAL;
3680 		}
3681 	}
3682 
3683 	if (!cfg80211_chandef_valid(chandef)) {
3684 		NL_SET_ERR_MSG(extack, "invalid channel definition");
3685 		return -EINVAL;
3686 	}
3687 
3688 	if (!_cfg80211_chandef_usable(&rdev->wiphy, chandef,
3689 				      IEEE80211_CHAN_DISABLED,
3690 				      monitor ? IEEE80211_CHAN_CAN_MONITOR : 0)) {
3691 		NL_SET_ERR_MSG(extack, "(extension) channel is disabled");
3692 		return -EINVAL;
3693 	}
3694 
3695 	if ((chandef->width == NL80211_CHAN_WIDTH_5 ||
3696 	     chandef->width == NL80211_CHAN_WIDTH_10) &&
3697 	    !(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_5_10_MHZ)) {
3698 		NL_SET_ERR_MSG(extack, "5/10 MHz not supported");
3699 		return -EINVAL;
3700 	}
3701 
3702 	return 0;
3703 }
3704 
3705 int nl80211_parse_chandef(struct cfg80211_registered_device *rdev,
3706 			  struct genl_info *info,
3707 			  struct cfg80211_chan_def *chandef)
3708 {
3709 	return _nl80211_parse_chandef(rdev, info, false, chandef);
3710 }
3711 
3712 static int __nl80211_set_channel(struct cfg80211_registered_device *rdev,
3713 				 struct net_device *dev,
3714 				 struct genl_info *info,
3715 				 int _link_id)
3716 {
3717 	struct cfg80211_chan_def chandef;
3718 	int result;
3719 	enum nl80211_iftype iftype = NL80211_IFTYPE_MONITOR;
3720 	struct wireless_dev *wdev = NULL;
3721 	int link_id = _link_id;
3722 
3723 	if (dev)
3724 		wdev = dev->ieee80211_ptr;
3725 	if (!nl80211_can_set_dev_channel(wdev))
3726 		return -EOPNOTSUPP;
3727 	if (wdev)
3728 		iftype = wdev->iftype;
3729 
3730 	if (link_id < 0) {
3731 		if (wdev && wdev->valid_links)
3732 			return -EINVAL;
3733 		link_id = 0;
3734 	}
3735 
3736 	result = _nl80211_parse_chandef(rdev, info,
3737 					iftype == NL80211_IFTYPE_MONITOR,
3738 					&chandef);
3739 	if (result)
3740 		return result;
3741 
3742 	switch (iftype) {
3743 	case NL80211_IFTYPE_AP:
3744 	case NL80211_IFTYPE_P2P_GO:
3745 		if (!cfg80211_reg_can_beacon_relax(&rdev->wiphy, &chandef,
3746 						   iftype))
3747 			return -EINVAL;
3748 		if (wdev->links[link_id].ap.beacon_interval) {
3749 			struct ieee80211_channel *cur_chan;
3750 
3751 			if (!dev || !rdev->ops->set_ap_chanwidth ||
3752 			    !(rdev->wiphy.features &
3753 			      NL80211_FEATURE_AP_MODE_CHAN_WIDTH_CHANGE))
3754 				return -EBUSY;
3755 
3756 			/* Only allow dynamic channel width changes */
3757 			cur_chan = wdev->links[link_id].ap.chandef.chan;
3758 			if (chandef.chan != cur_chan)
3759 				return -EBUSY;
3760 
3761 			/* only allow this for regular channel widths */
3762 			switch (wdev->links[link_id].ap.chandef.width) {
3763 			case NL80211_CHAN_WIDTH_20_NOHT:
3764 			case NL80211_CHAN_WIDTH_20:
3765 			case NL80211_CHAN_WIDTH_40:
3766 			case NL80211_CHAN_WIDTH_80:
3767 			case NL80211_CHAN_WIDTH_80P80:
3768 			case NL80211_CHAN_WIDTH_160:
3769 			case NL80211_CHAN_WIDTH_320:
3770 				break;
3771 			default:
3772 				return -EINVAL;
3773 			}
3774 
3775 			switch (chandef.width) {
3776 			case NL80211_CHAN_WIDTH_20_NOHT:
3777 			case NL80211_CHAN_WIDTH_20:
3778 			case NL80211_CHAN_WIDTH_40:
3779 			case NL80211_CHAN_WIDTH_80:
3780 			case NL80211_CHAN_WIDTH_80P80:
3781 			case NL80211_CHAN_WIDTH_160:
3782 			case NL80211_CHAN_WIDTH_320:
3783 				break;
3784 			default:
3785 				return -EINVAL;
3786 			}
3787 
3788 			result = rdev_set_ap_chanwidth(rdev, dev, link_id,
3789 						       &chandef);
3790 			if (result)
3791 				return result;
3792 			wdev->links[link_id].ap.chandef = chandef;
3793 		} else {
3794 			wdev->u.ap.preset_chandef = chandef;
3795 		}
3796 		return 0;
3797 	case NL80211_IFTYPE_MESH_POINT:
3798 		return cfg80211_set_mesh_channel(rdev, wdev, &chandef);
3799 	case NL80211_IFTYPE_MONITOR:
3800 		return cfg80211_set_monitor_channel(rdev, dev, &chandef);
3801 	default:
3802 		break;
3803 	}
3804 
3805 	return -EINVAL;
3806 }
3807 
3808 static int nl80211_set_channel(struct sk_buff *skb, struct genl_info *info)
3809 {
3810 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
3811 	int link_id = nl80211_link_id_or_invalid(info->attrs);
3812 	struct net_device *netdev = info->user_ptr[1];
3813 
3814 	return __nl80211_set_channel(rdev, netdev, info, link_id);
3815 }
3816 
3817 static int nl80211_set_wiphy_radio(struct genl_info *info,
3818 				   struct cfg80211_registered_device *rdev,
3819 				   int radio_idx)
3820 {
3821 	u32 rts_threshold = 0, old_rts, changed = 0;
3822 	int result;
3823 
3824 	if (!rdev->ops->set_wiphy_params)
3825 		return -EOPNOTSUPP;
3826 
3827 	if (info->attrs[NL80211_ATTR_WIPHY_RTS_THRESHOLD]) {
3828 		rts_threshold = nla_get_u32(
3829 				info->attrs[NL80211_ATTR_WIPHY_RTS_THRESHOLD]);
3830 		changed |= WIPHY_PARAM_RTS_THRESHOLD;
3831 	}
3832 
3833 	old_rts = rdev->wiphy.radio_cfg[radio_idx].rts_threshold;
3834 
3835 	rdev->wiphy.radio_cfg[radio_idx].rts_threshold = rts_threshold;
3836 
3837 	result = rdev_set_wiphy_params(rdev, radio_idx, changed);
3838 	if (result)
3839 		rdev->wiphy.radio_cfg[radio_idx].rts_threshold = old_rts;
3840 
3841 	return 0;
3842 }
3843 
3844 static int nl80211_set_wiphy(struct sk_buff *skb, struct genl_info *info)
3845 {
3846 	struct cfg80211_registered_device *rdev = NULL;
3847 	struct net_device *netdev = NULL;
3848 	struct wireless_dev *wdev;
3849 	int result = 0, rem_txq_params = 0;
3850 	struct nlattr *nl_txq_params;
3851 	u32 changed;
3852 	u8 retry_short = 0, retry_long = 0;
3853 	u32 frag_threshold = 0, rts_threshold = 0;
3854 	u8 coverage_class = 0;
3855 	u32 txq_limit = 0, txq_memory_limit = 0, txq_quantum = 0;
3856 	int radio_idx = -1;
3857 
3858 	rtnl_lock();
3859 	/*
3860 	 * Try to find the wiphy and netdev. Normally this
3861 	 * function shouldn't need the netdev, but this is
3862 	 * done for backward compatibility -- previously
3863 	 * setting the channel was done per wiphy, but now
3864 	 * it is per netdev. Previous userland like hostapd
3865 	 * also passed a netdev to set_wiphy, so that it is
3866 	 * possible to let that go to the right netdev!
3867 	 */
3868 
3869 	if (info->attrs[NL80211_ATTR_IFINDEX]) {
3870 		int ifindex = nla_get_u32(info->attrs[NL80211_ATTR_IFINDEX]);
3871 
3872 		netdev = __dev_get_by_index(genl_info_net(info), ifindex);
3873 		if (netdev && netdev->ieee80211_ptr)
3874 			rdev = wiphy_to_rdev(netdev->ieee80211_ptr->wiphy);
3875 		else
3876 			netdev = NULL;
3877 	}
3878 
3879 	if (!netdev) {
3880 		rdev = __cfg80211_rdev_from_attrs(genl_info_net(info),
3881 						  info->attrs);
3882 		if (IS_ERR(rdev)) {
3883 			rtnl_unlock();
3884 			return PTR_ERR(rdev);
3885 		}
3886 		wdev = NULL;
3887 		netdev = NULL;
3888 		result = 0;
3889 	} else
3890 		wdev = netdev->ieee80211_ptr;
3891 
3892 	guard(wiphy)(&rdev->wiphy);
3893 
3894 	/*
3895 	 * end workaround code, by now the rdev is available
3896 	 * and locked, and wdev may or may not be NULL.
3897 	 */
3898 
3899 	if (info->attrs[NL80211_ATTR_WIPHY_NAME])
3900 		result = cfg80211_dev_rename(
3901 			rdev, nla_data(info->attrs[NL80211_ATTR_WIPHY_NAME]));
3902 	rtnl_unlock();
3903 
3904 	if (result)
3905 		return result;
3906 
3907 	if (info->attrs[NL80211_ATTR_WIPHY_RADIO_INDEX]) {
3908 		/* Radio idx is not expected for non-multi radio wiphy */
3909 		if (rdev->wiphy.n_radio <= 0)
3910 			return -EINVAL;
3911 
3912 		radio_idx = nla_get_u8(
3913 				info->attrs[NL80211_ATTR_WIPHY_RADIO_INDEX]);
3914 		if (radio_idx >= rdev->wiphy.n_radio)
3915 			return -EINVAL;
3916 
3917 		return nl80211_set_wiphy_radio(info, rdev, radio_idx);
3918 	}
3919 
3920 	if (info->attrs[NL80211_ATTR_WIPHY_TXQ_PARAMS]) {
3921 		struct ieee80211_txq_params txq_params;
3922 		struct nlattr *tb[NL80211_TXQ_ATTR_MAX + 1];
3923 
3924 		if (!rdev->ops->set_txq_params)
3925 			return -EOPNOTSUPP;
3926 
3927 		if (!netdev)
3928 			return -EINVAL;
3929 
3930 		if (netdev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
3931 		    netdev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
3932 			return -EINVAL;
3933 
3934 		if (!netif_running(netdev))
3935 			return -ENETDOWN;
3936 
3937 		nla_for_each_nested(nl_txq_params,
3938 				    info->attrs[NL80211_ATTR_WIPHY_TXQ_PARAMS],
3939 				    rem_txq_params) {
3940 			result = nla_parse_nested_deprecated(tb,
3941 							     NL80211_TXQ_ATTR_MAX,
3942 							     nl_txq_params,
3943 							     txq_params_policy,
3944 							     info->extack);
3945 			if (result)
3946 				return result;
3947 
3948 			result = parse_txq_params(tb, &txq_params);
3949 			if (result)
3950 				return result;
3951 
3952 			txq_params.link_id =
3953 				nl80211_link_id_or_invalid(info->attrs);
3954 
3955 			if (txq_params.link_id >= 0 &&
3956 			    !(netdev->ieee80211_ptr->valid_links &
3957 			      BIT(txq_params.link_id)))
3958 				result = -ENOLINK;
3959 			else if (txq_params.link_id >= 0 &&
3960 				 !netdev->ieee80211_ptr->valid_links)
3961 				result = -EINVAL;
3962 			else
3963 				result = rdev_set_txq_params(rdev, netdev,
3964 							     &txq_params);
3965 			if (result)
3966 				return result;
3967 		}
3968 	}
3969 
3970 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
3971 		int link_id = nl80211_link_id_or_invalid(info->attrs);
3972 
3973 		if (wdev) {
3974 			result = __nl80211_set_channel(
3975 				rdev,
3976 				nl80211_can_set_dev_channel(wdev) ? netdev : NULL,
3977 				info, link_id);
3978 		} else {
3979 			result = __nl80211_set_channel(rdev, netdev, info, link_id);
3980 		}
3981 
3982 		if (result)
3983 			return result;
3984 	}
3985 
3986 	if (info->attrs[NL80211_ATTR_WIPHY_TX_POWER_SETTING]) {
3987 		struct wireless_dev *txp_wdev = wdev;
3988 		enum nl80211_tx_power_setting type;
3989 		int idx, mbm = 0;
3990 
3991 		if (!(rdev->wiphy.features & NL80211_FEATURE_VIF_TXPOWER))
3992 			txp_wdev = NULL;
3993 
3994 		if (!rdev->ops->set_tx_power)
3995 			return -EOPNOTSUPP;
3996 
3997 		idx = NL80211_ATTR_WIPHY_TX_POWER_SETTING;
3998 		type = nla_get_u32(info->attrs[idx]);
3999 
4000 		if (!info->attrs[NL80211_ATTR_WIPHY_TX_POWER_LEVEL] &&
4001 		    (type != NL80211_TX_POWER_AUTOMATIC))
4002 			return -EINVAL;
4003 
4004 		if (type != NL80211_TX_POWER_AUTOMATIC) {
4005 			idx = NL80211_ATTR_WIPHY_TX_POWER_LEVEL;
4006 			mbm = nla_get_u32(info->attrs[idx]);
4007 		}
4008 
4009 		result = rdev_set_tx_power(rdev, txp_wdev, radio_idx, type,
4010 					   mbm);
4011 		if (result)
4012 			return result;
4013 	}
4014 
4015 	if (info->attrs[NL80211_ATTR_WIPHY_ANTENNA_TX] &&
4016 	    info->attrs[NL80211_ATTR_WIPHY_ANTENNA_RX]) {
4017 		u32 tx_ant, rx_ant;
4018 
4019 		if ((!rdev->wiphy.available_antennas_tx &&
4020 		     !rdev->wiphy.available_antennas_rx) ||
4021 		    !rdev->ops->set_antenna)
4022 			return -EOPNOTSUPP;
4023 
4024 		tx_ant = nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_ANTENNA_TX]);
4025 		rx_ant = nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_ANTENNA_RX]);
4026 
4027 		/* reject antenna configurations which don't match the
4028 		 * available antenna masks, except for the "all" mask */
4029 		if ((~tx_ant && (tx_ant & ~rdev->wiphy.available_antennas_tx)) ||
4030 		    (~rx_ant && (rx_ant & ~rdev->wiphy.available_antennas_rx)))
4031 			return -EINVAL;
4032 
4033 		tx_ant = tx_ant & rdev->wiphy.available_antennas_tx;
4034 		rx_ant = rx_ant & rdev->wiphy.available_antennas_rx;
4035 
4036 		result = rdev_set_antenna(rdev, radio_idx, tx_ant, rx_ant);
4037 		if (result)
4038 			return result;
4039 	}
4040 
4041 	changed = 0;
4042 
4043 	if (info->attrs[NL80211_ATTR_WIPHY_RETRY_SHORT]) {
4044 		retry_short = nla_get_u8(
4045 			info->attrs[NL80211_ATTR_WIPHY_RETRY_SHORT]);
4046 
4047 		changed |= WIPHY_PARAM_RETRY_SHORT;
4048 	}
4049 
4050 	if (info->attrs[NL80211_ATTR_WIPHY_RETRY_LONG]) {
4051 		retry_long = nla_get_u8(
4052 			info->attrs[NL80211_ATTR_WIPHY_RETRY_LONG]);
4053 
4054 		changed |= WIPHY_PARAM_RETRY_LONG;
4055 	}
4056 
4057 	if (info->attrs[NL80211_ATTR_WIPHY_FRAG_THRESHOLD]) {
4058 		frag_threshold = nla_get_u32(
4059 			info->attrs[NL80211_ATTR_WIPHY_FRAG_THRESHOLD]);
4060 		if (frag_threshold < 256)
4061 			return -EINVAL;
4062 
4063 		if (frag_threshold != (u32) -1) {
4064 			/*
4065 			 * Fragments (apart from the last one) are required to
4066 			 * have even length. Make the fragmentation code
4067 			 * simpler by stripping LSB should someone try to use
4068 			 * odd threshold value.
4069 			 */
4070 			frag_threshold &= ~0x1;
4071 		}
4072 		changed |= WIPHY_PARAM_FRAG_THRESHOLD;
4073 	}
4074 
4075 	if (info->attrs[NL80211_ATTR_WIPHY_RTS_THRESHOLD]) {
4076 		rts_threshold = nla_get_u32(
4077 			info->attrs[NL80211_ATTR_WIPHY_RTS_THRESHOLD]);
4078 		changed |= WIPHY_PARAM_RTS_THRESHOLD;
4079 	}
4080 
4081 	if (info->attrs[NL80211_ATTR_WIPHY_COVERAGE_CLASS]) {
4082 		if (info->attrs[NL80211_ATTR_WIPHY_DYN_ACK])
4083 			return -EINVAL;
4084 
4085 		coverage_class = nla_get_u8(
4086 			info->attrs[NL80211_ATTR_WIPHY_COVERAGE_CLASS]);
4087 		changed |= WIPHY_PARAM_COVERAGE_CLASS;
4088 	}
4089 
4090 	if (info->attrs[NL80211_ATTR_WIPHY_DYN_ACK]) {
4091 		if (!(rdev->wiphy.features & NL80211_FEATURE_ACKTO_ESTIMATION))
4092 			return -EOPNOTSUPP;
4093 
4094 		changed |= WIPHY_PARAM_DYN_ACK;
4095 	}
4096 
4097 	if (info->attrs[NL80211_ATTR_TXQ_LIMIT]) {
4098 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
4099 					     NL80211_EXT_FEATURE_TXQS))
4100 			return -EOPNOTSUPP;
4101 
4102 		txq_limit = nla_get_u32(
4103 			info->attrs[NL80211_ATTR_TXQ_LIMIT]);
4104 		changed |= WIPHY_PARAM_TXQ_LIMIT;
4105 	}
4106 
4107 	if (info->attrs[NL80211_ATTR_TXQ_MEMORY_LIMIT]) {
4108 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
4109 					     NL80211_EXT_FEATURE_TXQS))
4110 			return -EOPNOTSUPP;
4111 
4112 		txq_memory_limit = nla_get_u32(
4113 			info->attrs[NL80211_ATTR_TXQ_MEMORY_LIMIT]);
4114 		changed |= WIPHY_PARAM_TXQ_MEMORY_LIMIT;
4115 	}
4116 
4117 	if (info->attrs[NL80211_ATTR_TXQ_QUANTUM]) {
4118 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
4119 					     NL80211_EXT_FEATURE_TXQS))
4120 			return -EOPNOTSUPP;
4121 
4122 		txq_quantum = nla_get_u32(
4123 			info->attrs[NL80211_ATTR_TXQ_QUANTUM]);
4124 		changed |= WIPHY_PARAM_TXQ_QUANTUM;
4125 	}
4126 
4127 	if (changed) {
4128 		u8 old_retry_short, old_retry_long;
4129 		u32 old_frag_threshold, old_rts_threshold;
4130 		u8 old_coverage_class, i;
4131 		u32 old_txq_limit, old_txq_memory_limit, old_txq_quantum;
4132 		u32 *old_radio_rts_threshold = NULL;
4133 
4134 		if (!rdev->ops->set_wiphy_params)
4135 			return -EOPNOTSUPP;
4136 
4137 		if (rdev->wiphy.n_radio) {
4138 			old_radio_rts_threshold = kcalloc(rdev->wiphy.n_radio,
4139 							  sizeof(u32),
4140 							  GFP_KERNEL);
4141 			if (!old_radio_rts_threshold)
4142 				return -ENOMEM;
4143 		}
4144 
4145 		old_retry_short = rdev->wiphy.retry_short;
4146 		old_retry_long = rdev->wiphy.retry_long;
4147 		old_frag_threshold = rdev->wiphy.frag_threshold;
4148 		old_rts_threshold = rdev->wiphy.rts_threshold;
4149 		if (old_radio_rts_threshold) {
4150 			for (i = 0 ; i < rdev->wiphy.n_radio; i++)
4151 				old_radio_rts_threshold[i] =
4152 					rdev->wiphy.radio_cfg[i].rts_threshold;
4153 		}
4154 		old_coverage_class = rdev->wiphy.coverage_class;
4155 		old_txq_limit = rdev->wiphy.txq_limit;
4156 		old_txq_memory_limit = rdev->wiphy.txq_memory_limit;
4157 		old_txq_quantum = rdev->wiphy.txq_quantum;
4158 
4159 		if (changed & WIPHY_PARAM_RETRY_SHORT)
4160 			rdev->wiphy.retry_short = retry_short;
4161 		if (changed & WIPHY_PARAM_RETRY_LONG)
4162 			rdev->wiphy.retry_long = retry_long;
4163 		if (changed & WIPHY_PARAM_FRAG_THRESHOLD)
4164 			rdev->wiphy.frag_threshold = frag_threshold;
4165 		if ((changed & WIPHY_PARAM_RTS_THRESHOLD) &&
4166 		    old_radio_rts_threshold) {
4167 			rdev->wiphy.rts_threshold = rts_threshold;
4168 			for (i = 0 ; i < rdev->wiphy.n_radio; i++)
4169 				rdev->wiphy.radio_cfg[i].rts_threshold =
4170 					rdev->wiphy.rts_threshold;
4171 		}
4172 		if (changed & WIPHY_PARAM_COVERAGE_CLASS)
4173 			rdev->wiphy.coverage_class = coverage_class;
4174 		if (changed & WIPHY_PARAM_TXQ_LIMIT)
4175 			rdev->wiphy.txq_limit = txq_limit;
4176 		if (changed & WIPHY_PARAM_TXQ_MEMORY_LIMIT)
4177 			rdev->wiphy.txq_memory_limit = txq_memory_limit;
4178 		if (changed & WIPHY_PARAM_TXQ_QUANTUM)
4179 			rdev->wiphy.txq_quantum = txq_quantum;
4180 
4181 		result = rdev_set_wiphy_params(rdev, radio_idx, changed);
4182 		if (result) {
4183 			rdev->wiphy.retry_short = old_retry_short;
4184 			rdev->wiphy.retry_long = old_retry_long;
4185 			rdev->wiphy.frag_threshold = old_frag_threshold;
4186 			rdev->wiphy.rts_threshold = old_rts_threshold;
4187 			if (old_radio_rts_threshold) {
4188 				for (i = 0 ; i < rdev->wiphy.n_radio; i++)
4189 					rdev->wiphy.radio_cfg[i].rts_threshold =
4190 						old_radio_rts_threshold[i];
4191 			}
4192 			rdev->wiphy.coverage_class = old_coverage_class;
4193 			rdev->wiphy.txq_limit = old_txq_limit;
4194 			rdev->wiphy.txq_memory_limit = old_txq_memory_limit;
4195 			rdev->wiphy.txq_quantum = old_txq_quantum;
4196 		}
4197 
4198 		kfree(old_radio_rts_threshold);
4199 		return result;
4200 	}
4201 
4202 	return 0;
4203 }
4204 
4205 int nl80211_send_chandef(struct sk_buff *msg, const struct cfg80211_chan_def *chandef)
4206 {
4207 	if (WARN_ON(!cfg80211_chandef_valid(chandef)))
4208 		return -EINVAL;
4209 
4210 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ,
4211 			chandef->chan->center_freq))
4212 		return -ENOBUFS;
4213 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ_OFFSET,
4214 			chandef->chan->freq_offset))
4215 		return -ENOBUFS;
4216 	switch (chandef->width) {
4217 	case NL80211_CHAN_WIDTH_20_NOHT:
4218 	case NL80211_CHAN_WIDTH_20:
4219 	case NL80211_CHAN_WIDTH_40:
4220 		if (nla_put_u32(msg, NL80211_ATTR_WIPHY_CHANNEL_TYPE,
4221 				cfg80211_get_chandef_type(chandef)))
4222 			return -ENOBUFS;
4223 		break;
4224 	default:
4225 		break;
4226 	}
4227 	if (nla_put_u32(msg, NL80211_ATTR_CHANNEL_WIDTH, chandef->width))
4228 		return -ENOBUFS;
4229 	if (nla_put_u32(msg, NL80211_ATTR_CENTER_FREQ1, chandef->center_freq1))
4230 		return -ENOBUFS;
4231 	if (chandef->center_freq2 &&
4232 	    nla_put_u32(msg, NL80211_ATTR_CENTER_FREQ2, chandef->center_freq2))
4233 		return -ENOBUFS;
4234 	if (chandef->punctured &&
4235 	    nla_put_u32(msg, NL80211_ATTR_PUNCT_BITMAP, chandef->punctured))
4236 		return -ENOBUFS;
4237 	if (chandef->s1g_primary_2mhz &&
4238 	    nla_put_flag(msg, NL80211_ATTR_S1G_PRIMARY_2MHZ))
4239 		return -ENOBUFS;
4240 
4241 	return 0;
4242 }
4243 EXPORT_SYMBOL(nl80211_send_chandef);
4244 
4245 static int nl80211_send_iface(struct sk_buff *msg, u32 portid, u32 seq, int flags,
4246 			      struct cfg80211_registered_device *rdev,
4247 			      struct wireless_dev *wdev,
4248 			      enum nl80211_commands cmd)
4249 {
4250 	struct net_device *dev = wdev->netdev;
4251 	void *hdr;
4252 
4253 	lockdep_assert_wiphy(&rdev->wiphy);
4254 
4255 	WARN_ON(cmd != NL80211_CMD_NEW_INTERFACE &&
4256 		cmd != NL80211_CMD_DEL_INTERFACE &&
4257 		cmd != NL80211_CMD_SET_INTERFACE);
4258 
4259 	hdr = nl80211hdr_put(msg, portid, seq, flags, cmd);
4260 	if (!hdr)
4261 		return -1;
4262 
4263 	if (dev &&
4264 	    (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
4265 	     nla_put_string(msg, NL80211_ATTR_IFNAME, dev->name)))
4266 		goto nla_put_failure;
4267 
4268 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
4269 	    nla_put_u32(msg, NL80211_ATTR_IFTYPE, wdev->iftype) ||
4270 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
4271 			      NL80211_ATTR_PAD) ||
4272 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, wdev_address(wdev)) ||
4273 	    nla_put_u32(msg, NL80211_ATTR_GENERATION,
4274 			rdev->devlist_generation ^
4275 			(cfg80211_rdev_list_generation << 2)) ||
4276 	    nla_put_u8(msg, NL80211_ATTR_4ADDR, wdev->use_4addr) ||
4277 	    nla_put_u32(msg, NL80211_ATTR_VIF_RADIO_MASK, wdev->radio_mask))
4278 		goto nla_put_failure;
4279 
4280 	if (rdev->ops->get_channel && !wdev->valid_links) {
4281 		struct cfg80211_chan_def chandef = {};
4282 		int ret;
4283 
4284 		ret = rdev_get_channel(rdev, wdev, 0, &chandef);
4285 		if (ret == 0 && nl80211_send_chandef(msg, &chandef))
4286 			goto nla_put_failure;
4287 	}
4288 
4289 	if (rdev->ops->get_tx_power && !wdev->valid_links) {
4290 		int dbm, ret;
4291 
4292 		ret = rdev_get_tx_power(rdev, wdev, -1, 0, &dbm);
4293 		if (ret == 0 &&
4294 		    nla_put_u32(msg, NL80211_ATTR_WIPHY_TX_POWER_LEVEL,
4295 				DBM_TO_MBM(dbm)))
4296 			goto nla_put_failure;
4297 	}
4298 
4299 	switch (wdev->iftype) {
4300 	case NL80211_IFTYPE_AP:
4301 	case NL80211_IFTYPE_P2P_GO:
4302 		if (wdev->u.ap.ssid_len &&
4303 		    nla_put(msg, NL80211_ATTR_SSID, wdev->u.ap.ssid_len,
4304 			    wdev->u.ap.ssid))
4305 			goto nla_put_failure;
4306 		break;
4307 	case NL80211_IFTYPE_STATION:
4308 	case NL80211_IFTYPE_P2P_CLIENT:
4309 		if (wdev->u.client.ssid_len &&
4310 		    nla_put(msg, NL80211_ATTR_SSID, wdev->u.client.ssid_len,
4311 			    wdev->u.client.ssid))
4312 			goto nla_put_failure;
4313 		break;
4314 	case NL80211_IFTYPE_ADHOC:
4315 		if (wdev->u.ibss.ssid_len &&
4316 		    nla_put(msg, NL80211_ATTR_SSID, wdev->u.ibss.ssid_len,
4317 			    wdev->u.ibss.ssid))
4318 			goto nla_put_failure;
4319 		break;
4320 	default:
4321 		/* nothing */
4322 		break;
4323 	}
4324 
4325 	if (rdev->ops->get_txq_stats) {
4326 		struct cfg80211_txq_stats txqstats = {};
4327 		int ret = rdev_get_txq_stats(rdev, wdev, &txqstats);
4328 
4329 		if (ret == 0 &&
4330 		    !nl80211_put_txq_stats(msg, &txqstats,
4331 					   NL80211_ATTR_TXQ_STATS))
4332 			goto nla_put_failure;
4333 	}
4334 
4335 	if (wdev->valid_links) {
4336 		unsigned int link_id;
4337 		struct nlattr *links = nla_nest_start(msg,
4338 						      NL80211_ATTR_MLO_LINKS);
4339 
4340 		if (!links)
4341 			goto nla_put_failure;
4342 
4343 		for_each_valid_link(wdev, link_id) {
4344 			struct nlattr *link = nla_nest_start(msg, link_id + 1);
4345 			struct cfg80211_chan_def chandef = {};
4346 			int ret;
4347 
4348 			if (!link)
4349 				goto nla_put_failure;
4350 
4351 			if (nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID, link_id))
4352 				goto nla_put_failure;
4353 			if (nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN,
4354 				    wdev->links[link_id].addr))
4355 				goto nla_put_failure;
4356 
4357 			ret = rdev_get_channel(rdev, wdev, link_id, &chandef);
4358 			if (ret == 0 && nl80211_send_chandef(msg, &chandef))
4359 				goto nla_put_failure;
4360 
4361 			if (rdev->ops->get_tx_power) {
4362 				int dbm, ret;
4363 
4364 				ret = rdev_get_tx_power(rdev, wdev, -1, link_id, &dbm);
4365 				if (ret == 0 &&
4366 				    nla_put_u32(msg, NL80211_ATTR_WIPHY_TX_POWER_LEVEL,
4367 						DBM_TO_MBM(dbm)))
4368 					goto nla_put_failure;
4369 			}
4370 			nla_nest_end(msg, link);
4371 		}
4372 
4373 		nla_nest_end(msg, links);
4374 	}
4375 
4376 	genlmsg_end(msg, hdr);
4377 	return 0;
4378 
4379  nla_put_failure:
4380 	genlmsg_cancel(msg, hdr);
4381 	return -EMSGSIZE;
4382 }
4383 
4384 static int nl80211_dump_interface(struct sk_buff *skb, struct netlink_callback *cb)
4385 {
4386 	int wp_idx = 0;
4387 	int if_idx = 0;
4388 	int wp_start = cb->args[0];
4389 	int if_start = cb->args[1];
4390 	int filter_wiphy = -1;
4391 	struct cfg80211_registered_device *rdev;
4392 	struct wireless_dev *wdev;
4393 	int ret;
4394 
4395 	rtnl_lock();
4396 	if (!cb->args[2]) {
4397 		struct nl80211_dump_wiphy_state state = {
4398 			.filter_wiphy = -1,
4399 		};
4400 
4401 		ret = nl80211_dump_wiphy_parse(skb, cb, &state);
4402 		if (ret)
4403 			goto out_unlock;
4404 
4405 		filter_wiphy = state.filter_wiphy;
4406 
4407 		/*
4408 		 * if filtering, set cb->args[2] to +1 since 0 is the default
4409 		 * value needed to determine that parsing is necessary.
4410 		 */
4411 		if (filter_wiphy >= 0)
4412 			cb->args[2] = filter_wiphy + 1;
4413 		else
4414 			cb->args[2] = -1;
4415 	} else if (cb->args[2] > 0) {
4416 		filter_wiphy = cb->args[2] - 1;
4417 	}
4418 
4419 	for_each_rdev(rdev) {
4420 		if (!net_eq(wiphy_net(&rdev->wiphy), sock_net(skb->sk)))
4421 			continue;
4422 		if (wp_idx < wp_start) {
4423 			wp_idx++;
4424 			continue;
4425 		}
4426 
4427 		if (filter_wiphy >= 0 && filter_wiphy != rdev->wiphy_idx)
4428 			continue;
4429 
4430 		if_idx = 0;
4431 
4432 		guard(wiphy)(&rdev->wiphy);
4433 
4434 		list_for_each_entry(wdev, &rdev->wiphy.wdev_list, list) {
4435 			if (if_idx < if_start) {
4436 				if_idx++;
4437 				continue;
4438 			}
4439 
4440 			if (nl80211_send_iface(skb, NETLINK_CB(cb->skb).portid,
4441 					       cb->nlh->nlmsg_seq, NLM_F_MULTI,
4442 					       rdev, wdev,
4443 					       NL80211_CMD_NEW_INTERFACE) < 0)
4444 				goto out;
4445 
4446 			if_idx++;
4447 		}
4448 
4449 		if_start = 0;
4450 		wp_idx++;
4451 	}
4452  out:
4453 	cb->args[0] = wp_idx;
4454 	cb->args[1] = if_idx;
4455 
4456 	ret = skb->len;
4457  out_unlock:
4458 	rtnl_unlock();
4459 
4460 	return ret;
4461 }
4462 
4463 static int nl80211_get_interface(struct sk_buff *skb, struct genl_info *info)
4464 {
4465 	struct sk_buff *msg;
4466 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4467 	struct wireless_dev *wdev = info->user_ptr[1];
4468 
4469 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
4470 	if (!msg)
4471 		return -ENOMEM;
4472 
4473 	if (nl80211_send_iface(msg, info->snd_portid, info->snd_seq, 0,
4474 			       rdev, wdev, NL80211_CMD_NEW_INTERFACE) < 0) {
4475 		nlmsg_free(msg);
4476 		return -ENOBUFS;
4477 	}
4478 
4479 	return genlmsg_reply(msg, info);
4480 }
4481 
4482 static const struct nla_policy mntr_flags_policy[NL80211_MNTR_FLAG_MAX + 1] = {
4483 	[NL80211_MNTR_FLAG_FCSFAIL] = { .type = NLA_FLAG },
4484 	[NL80211_MNTR_FLAG_PLCPFAIL] = { .type = NLA_FLAG },
4485 	[NL80211_MNTR_FLAG_CONTROL] = { .type = NLA_FLAG },
4486 	[NL80211_MNTR_FLAG_OTHER_BSS] = { .type = NLA_FLAG },
4487 	[NL80211_MNTR_FLAG_COOK_FRAMES] = { .type = NLA_FLAG },
4488 	[NL80211_MNTR_FLAG_ACTIVE] = { .type = NLA_FLAG },
4489 	[NL80211_MNTR_FLAG_SKIP_TX] = { .type = NLA_FLAG },
4490 };
4491 
4492 static int parse_monitor_flags(struct nlattr *nla, u32 *mntrflags)
4493 {
4494 	struct nlattr *flags[NL80211_MNTR_FLAG_MAX + 1];
4495 	int flag;
4496 
4497 	*mntrflags = 0;
4498 
4499 	if (!nla)
4500 		return -EINVAL;
4501 
4502 	if (nla_parse_nested_deprecated(flags, NL80211_MNTR_FLAG_MAX, nla, mntr_flags_policy, NULL))
4503 		return -EINVAL;
4504 
4505 	for (flag = 1; flag <= NL80211_MNTR_FLAG_MAX; flag++)
4506 		if (flags[flag])
4507 			*mntrflags |= (1<<flag);
4508 
4509 	/* cooked monitor mode is incompatible with other modes */
4510 	if (*mntrflags & MONITOR_FLAG_COOK_FRAMES &&
4511 	    *mntrflags != MONITOR_FLAG_COOK_FRAMES)
4512 		return -EOPNOTSUPP;
4513 
4514 	*mntrflags |= MONITOR_FLAG_CHANGED;
4515 
4516 	return 0;
4517 }
4518 
4519 static int nl80211_parse_mon_options(struct cfg80211_registered_device *rdev,
4520 				     enum nl80211_iftype type,
4521 				     struct genl_info *info,
4522 				     struct vif_params *params)
4523 {
4524 	bool change = false;
4525 	int err;
4526 
4527 	if (info->attrs[NL80211_ATTR_MNTR_FLAGS]) {
4528 		if (type != NL80211_IFTYPE_MONITOR)
4529 			return -EINVAL;
4530 
4531 		err = parse_monitor_flags(info->attrs[NL80211_ATTR_MNTR_FLAGS],
4532 					  &params->flags);
4533 		if (err)
4534 			return err;
4535 
4536 		change = true;
4537 	}
4538 
4539 	/* MONITOR_FLAG_COOK_FRAMES is deprecated, refuse cooperation */
4540 	if (params->flags & MONITOR_FLAG_COOK_FRAMES)
4541 		return -EOPNOTSUPP;
4542 
4543 	if (params->flags & MONITOR_FLAG_ACTIVE &&
4544 	    !(rdev->wiphy.features & NL80211_FEATURE_ACTIVE_MONITOR))
4545 		return -EOPNOTSUPP;
4546 
4547 	if (info->attrs[NL80211_ATTR_MU_MIMO_GROUP_DATA]) {
4548 		const u8 *mumimo_groups;
4549 		u32 cap_flag = NL80211_EXT_FEATURE_MU_MIMO_AIR_SNIFFER;
4550 
4551 		if (type != NL80211_IFTYPE_MONITOR)
4552 			return -EINVAL;
4553 
4554 		if (!wiphy_ext_feature_isset(&rdev->wiphy, cap_flag))
4555 			return -EOPNOTSUPP;
4556 
4557 		mumimo_groups =
4558 			nla_data(info->attrs[NL80211_ATTR_MU_MIMO_GROUP_DATA]);
4559 
4560 		/* bits 0 and 63 are reserved and must be zero */
4561 		if ((mumimo_groups[0] & BIT(0)) ||
4562 		    (mumimo_groups[VHT_MUMIMO_GROUPS_DATA_LEN - 1] & BIT(7)))
4563 			return -EINVAL;
4564 
4565 		params->vht_mumimo_groups = mumimo_groups;
4566 		change = true;
4567 	}
4568 
4569 	if (info->attrs[NL80211_ATTR_MU_MIMO_FOLLOW_MAC_ADDR]) {
4570 		u32 cap_flag = NL80211_EXT_FEATURE_MU_MIMO_AIR_SNIFFER;
4571 
4572 		if (type != NL80211_IFTYPE_MONITOR)
4573 			return -EINVAL;
4574 
4575 		if (!wiphy_ext_feature_isset(&rdev->wiphy, cap_flag))
4576 			return -EOPNOTSUPP;
4577 
4578 		params->vht_mumimo_follow_addr =
4579 			nla_data(info->attrs[NL80211_ATTR_MU_MIMO_FOLLOW_MAC_ADDR]);
4580 		change = true;
4581 	}
4582 
4583 	return change ? 1 : 0;
4584 }
4585 
4586 static int nl80211_valid_4addr(struct cfg80211_registered_device *rdev,
4587 			       struct net_device *netdev, u8 use_4addr,
4588 			       enum nl80211_iftype iftype)
4589 {
4590 	if (!use_4addr) {
4591 		if (netdev && netif_is_bridge_port(netdev))
4592 			return -EBUSY;
4593 		return 0;
4594 	}
4595 
4596 	switch (iftype) {
4597 	case NL80211_IFTYPE_AP_VLAN:
4598 		if (rdev->wiphy.flags & WIPHY_FLAG_4ADDR_AP)
4599 			return 0;
4600 		break;
4601 	case NL80211_IFTYPE_STATION:
4602 		if (rdev->wiphy.flags & WIPHY_FLAG_4ADDR_STATION)
4603 			return 0;
4604 		break;
4605 	default:
4606 		break;
4607 	}
4608 
4609 	return -EOPNOTSUPP;
4610 }
4611 
4612 static int nl80211_parse_vif_radio_mask(struct genl_info *info,
4613 					u32 *radio_mask)
4614 {
4615 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4616 	struct nlattr *attr = info->attrs[NL80211_ATTR_VIF_RADIO_MASK];
4617 	u32 mask, allowed;
4618 
4619 	if (!attr) {
4620 		*radio_mask = 0;
4621 		return 0;
4622 	}
4623 
4624 	allowed = BIT(rdev->wiphy.n_radio) - 1;
4625 	mask = nla_get_u32(attr);
4626 	if (mask & ~allowed)
4627 		return -EINVAL;
4628 	if (!mask)
4629 		mask = allowed;
4630 	*radio_mask = mask;
4631 
4632 	return 1;
4633 }
4634 
4635 static int nl80211_set_interface(struct sk_buff *skb, struct genl_info *info)
4636 {
4637 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4638 	struct vif_params params;
4639 	int err;
4640 	enum nl80211_iftype otype, ntype;
4641 	struct net_device *dev = info->user_ptr[1];
4642 	struct wireless_dev *wdev = dev->ieee80211_ptr;
4643 	u32 radio_mask = 0;
4644 	bool change = false;
4645 
4646 	memset(&params, 0, sizeof(params));
4647 
4648 	otype = ntype = dev->ieee80211_ptr->iftype;
4649 
4650 	if (info->attrs[NL80211_ATTR_IFTYPE]) {
4651 		ntype = nla_get_u32(info->attrs[NL80211_ATTR_IFTYPE]);
4652 		if (otype != ntype)
4653 			change = true;
4654 	}
4655 
4656 	if (info->attrs[NL80211_ATTR_MESH_ID]) {
4657 		if (ntype != NL80211_IFTYPE_MESH_POINT)
4658 			return -EINVAL;
4659 		if (otype != NL80211_IFTYPE_MESH_POINT)
4660 			return -EINVAL;
4661 		if (netif_running(dev))
4662 			return -EBUSY;
4663 
4664 		wdev->u.mesh.id_up_len =
4665 			nla_len(info->attrs[NL80211_ATTR_MESH_ID]);
4666 		memcpy(wdev->u.mesh.id,
4667 		       nla_data(info->attrs[NL80211_ATTR_MESH_ID]),
4668 		       wdev->u.mesh.id_up_len);
4669 	}
4670 
4671 	if (info->attrs[NL80211_ATTR_4ADDR]) {
4672 		params.use_4addr = !!nla_get_u8(info->attrs[NL80211_ATTR_4ADDR]);
4673 		change = true;
4674 		err = nl80211_valid_4addr(rdev, dev, params.use_4addr, ntype);
4675 		if (err)
4676 			return err;
4677 	} else {
4678 		params.use_4addr = -1;
4679 	}
4680 
4681 	err = nl80211_parse_mon_options(rdev, ntype, info, &params);
4682 	if (err < 0)
4683 		return err;
4684 	if (err > 0)
4685 		change = true;
4686 
4687 	err = nl80211_parse_vif_radio_mask(info, &radio_mask);
4688 	if (err < 0)
4689 		return err;
4690 	if (err && netif_running(dev))
4691 		return -EBUSY;
4692 
4693 	if (change)
4694 		err = cfg80211_change_iface(rdev, dev, ntype, &params);
4695 	else
4696 		err = 0;
4697 
4698 	if (!err && params.use_4addr != -1)
4699 		dev->ieee80211_ptr->use_4addr = params.use_4addr;
4700 
4701 	if (radio_mask)
4702 		wdev->radio_mask = radio_mask;
4703 
4704 	if (change && !err)
4705 		nl80211_notify_iface(rdev, wdev, NL80211_CMD_SET_INTERFACE);
4706 
4707 	return err;
4708 }
4709 
4710 static int _nl80211_new_interface(struct sk_buff *skb, struct genl_info *info)
4711 {
4712 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4713 	struct vif_params params;
4714 	struct wireless_dev *wdev;
4715 	struct sk_buff *msg;
4716 	u32 radio_mask;
4717 	int err;
4718 	enum nl80211_iftype type = NL80211_IFTYPE_UNSPECIFIED;
4719 
4720 	memset(&params, 0, sizeof(params));
4721 
4722 	if (!info->attrs[NL80211_ATTR_IFNAME])
4723 		return -EINVAL;
4724 
4725 	if (info->attrs[NL80211_ATTR_IFTYPE])
4726 		type = nla_get_u32(info->attrs[NL80211_ATTR_IFTYPE]);
4727 
4728 	if (!rdev->ops->add_virtual_intf)
4729 		return -EOPNOTSUPP;
4730 
4731 	if ((type == NL80211_IFTYPE_P2P_DEVICE || type == NL80211_IFTYPE_NAN ||
4732 	     rdev->wiphy.features & NL80211_FEATURE_MAC_ON_CREATE) &&
4733 	    info->attrs[NL80211_ATTR_MAC]) {
4734 		nla_memcpy(params.macaddr, info->attrs[NL80211_ATTR_MAC],
4735 			   ETH_ALEN);
4736 		if (!is_valid_ether_addr(params.macaddr))
4737 			return -EADDRNOTAVAIL;
4738 	}
4739 
4740 	if (info->attrs[NL80211_ATTR_4ADDR]) {
4741 		params.use_4addr = !!nla_get_u8(info->attrs[NL80211_ATTR_4ADDR]);
4742 		err = nl80211_valid_4addr(rdev, NULL, params.use_4addr, type);
4743 		if (err)
4744 			return err;
4745 	}
4746 
4747 	if (!cfg80211_iftype_allowed(&rdev->wiphy, type, params.use_4addr, 0))
4748 		return -EOPNOTSUPP;
4749 
4750 	err = nl80211_parse_mon_options(rdev, type, info, &params);
4751 	if (err < 0)
4752 		return err;
4753 
4754 	err = nl80211_parse_vif_radio_mask(info, &radio_mask);
4755 	if (err < 0)
4756 		return err;
4757 
4758 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
4759 	if (!msg)
4760 		return -ENOMEM;
4761 
4762 	wdev = rdev_add_virtual_intf(rdev,
4763 				nla_data(info->attrs[NL80211_ATTR_IFNAME]),
4764 				NET_NAME_USER, type, &params);
4765 	if (WARN_ON(!wdev)) {
4766 		nlmsg_free(msg);
4767 		return -EPROTO;
4768 	} else if (IS_ERR(wdev)) {
4769 		nlmsg_free(msg);
4770 		return PTR_ERR(wdev);
4771 	}
4772 
4773 	if (info->attrs[NL80211_ATTR_SOCKET_OWNER])
4774 		wdev->owner_nlportid = info->snd_portid;
4775 
4776 	switch (type) {
4777 	case NL80211_IFTYPE_MESH_POINT:
4778 		if (!info->attrs[NL80211_ATTR_MESH_ID])
4779 			break;
4780 		wdev->u.mesh.id_up_len =
4781 			nla_len(info->attrs[NL80211_ATTR_MESH_ID]);
4782 		memcpy(wdev->u.mesh.id,
4783 		       nla_data(info->attrs[NL80211_ATTR_MESH_ID]),
4784 		       wdev->u.mesh.id_up_len);
4785 		break;
4786 	case NL80211_IFTYPE_NAN:
4787 	case NL80211_IFTYPE_P2P_DEVICE:
4788 		/*
4789 		 * P2P Device and NAN do not have a netdev, so don't go
4790 		 * through the netdev notifier and must be added here
4791 		 */
4792 		cfg80211_init_wdev(wdev);
4793 		cfg80211_register_wdev(rdev, wdev);
4794 		break;
4795 	default:
4796 		break;
4797 	}
4798 
4799 	if (radio_mask)
4800 		wdev->radio_mask = radio_mask;
4801 
4802 	if (nl80211_send_iface(msg, info->snd_portid, info->snd_seq, 0,
4803 			       rdev, wdev, NL80211_CMD_NEW_INTERFACE) < 0) {
4804 		nlmsg_free(msg);
4805 		return -ENOBUFS;
4806 	}
4807 
4808 	return genlmsg_reply(msg, info);
4809 }
4810 
4811 static int nl80211_new_interface(struct sk_buff *skb, struct genl_info *info)
4812 {
4813 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4814 
4815 	/* to avoid failing a new interface creation due to pending removal */
4816 	cfg80211_destroy_ifaces(rdev);
4817 
4818 	guard(wiphy)(&rdev->wiphy);
4819 
4820 	return _nl80211_new_interface(skb, info);
4821 }
4822 
4823 static int nl80211_del_interface(struct sk_buff *skb, struct genl_info *info)
4824 {
4825 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4826 	struct wireless_dev *wdev = info->user_ptr[1];
4827 
4828 	if (!rdev->ops->del_virtual_intf)
4829 		return -EOPNOTSUPP;
4830 
4831 	/*
4832 	 * We hold RTNL, so this is safe, without RTNL opencount cannot
4833 	 * reach 0, and thus the rdev cannot be deleted.
4834 	 *
4835 	 * We need to do it for the dev_close(), since that will call
4836 	 * the netdev notifiers, and we need to acquire the mutex there
4837 	 * but don't know if we get there from here or from some other
4838 	 * place (e.g. "ip link set ... down").
4839 	 */
4840 	mutex_unlock(&rdev->wiphy.mtx);
4841 
4842 	/*
4843 	 * If we remove a wireless device without a netdev then clear
4844 	 * user_ptr[1] so that nl80211_post_doit won't dereference it
4845 	 * to check if it needs to do dev_put(). Otherwise it crashes
4846 	 * since the wdev has been freed, unlike with a netdev where
4847 	 * we need the dev_put() for the netdev to really be freed.
4848 	 */
4849 	if (!wdev->netdev)
4850 		info->user_ptr[1] = NULL;
4851 	else
4852 		dev_close(wdev->netdev);
4853 
4854 	mutex_lock(&rdev->wiphy.mtx);
4855 
4856 	return cfg80211_remove_virtual_intf(rdev, wdev);
4857 }
4858 
4859 static int nl80211_set_noack_map(struct sk_buff *skb, struct genl_info *info)
4860 {
4861 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4862 	struct net_device *dev = info->user_ptr[1];
4863 	u16 noack_map;
4864 
4865 	if (!info->attrs[NL80211_ATTR_NOACK_MAP])
4866 		return -EINVAL;
4867 
4868 	if (!rdev->ops->set_noack_map)
4869 		return -EOPNOTSUPP;
4870 
4871 	noack_map = nla_get_u16(info->attrs[NL80211_ATTR_NOACK_MAP]);
4872 
4873 	return rdev_set_noack_map(rdev, dev, noack_map);
4874 }
4875 
4876 static int nl80211_validate_key_link_id(struct genl_info *info,
4877 					struct wireless_dev *wdev,
4878 					int link_id, bool pairwise)
4879 {
4880 	if (pairwise) {
4881 		if (link_id != -1) {
4882 			GENL_SET_ERR_MSG(info,
4883 					 "link ID not allowed for pairwise key");
4884 			return -EINVAL;
4885 		}
4886 
4887 		return 0;
4888 	}
4889 
4890 	if (wdev->valid_links) {
4891 		if (link_id == -1) {
4892 			GENL_SET_ERR_MSG(info,
4893 					 "link ID must for MLO group key");
4894 			return -EINVAL;
4895 		}
4896 		if (!(wdev->valid_links & BIT(link_id))) {
4897 			GENL_SET_ERR_MSG(info, "invalid link ID for MLO group key");
4898 			return -EINVAL;
4899 		}
4900 	} else if (link_id != -1) {
4901 		GENL_SET_ERR_MSG(info, "link ID not allowed for non-MLO group key");
4902 		return -EINVAL;
4903 	}
4904 
4905 	return 0;
4906 }
4907 
4908 struct get_key_cookie {
4909 	struct sk_buff *msg;
4910 	int error;
4911 	int idx;
4912 };
4913 
4914 static void get_key_callback(void *c, struct key_params *params)
4915 {
4916 	struct nlattr *key;
4917 	struct get_key_cookie *cookie = c;
4918 
4919 	if ((params->seq &&
4920 	     nla_put(cookie->msg, NL80211_ATTR_KEY_SEQ,
4921 		     params->seq_len, params->seq)) ||
4922 	    (params->cipher &&
4923 	     nla_put_u32(cookie->msg, NL80211_ATTR_KEY_CIPHER,
4924 			 params->cipher)))
4925 		goto nla_put_failure;
4926 
4927 	key = nla_nest_start_noflag(cookie->msg, NL80211_ATTR_KEY);
4928 	if (!key)
4929 		goto nla_put_failure;
4930 
4931 	if ((params->seq &&
4932 	     nla_put(cookie->msg, NL80211_KEY_SEQ,
4933 		     params->seq_len, params->seq)) ||
4934 	    (params->cipher &&
4935 	     nla_put_u32(cookie->msg, NL80211_KEY_CIPHER,
4936 			 params->cipher)))
4937 		goto nla_put_failure;
4938 
4939 	if (nla_put_u8(cookie->msg, NL80211_KEY_IDX, cookie->idx))
4940 		goto nla_put_failure;
4941 
4942 	nla_nest_end(cookie->msg, key);
4943 
4944 	return;
4945  nla_put_failure:
4946 	cookie->error = 1;
4947 }
4948 
4949 static int nl80211_get_key(struct sk_buff *skb, struct genl_info *info)
4950 {
4951 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4952 	int err;
4953 	struct net_device *dev = info->user_ptr[1];
4954 	u8 key_idx = 0;
4955 	const u8 *mac_addr = NULL;
4956 	bool pairwise;
4957 	struct get_key_cookie cookie = {
4958 		.error = 0,
4959 	};
4960 	void *hdr;
4961 	struct sk_buff *msg;
4962 	bool bigtk_support = false;
4963 	int link_id = nl80211_link_id_or_invalid(info->attrs);
4964 	struct wireless_dev *wdev = dev->ieee80211_ptr;
4965 
4966 	if (wiphy_ext_feature_isset(&rdev->wiphy,
4967 				    NL80211_EXT_FEATURE_BEACON_PROTECTION))
4968 		bigtk_support = true;
4969 
4970 	if ((wdev->iftype == NL80211_IFTYPE_STATION ||
4971 	     wdev->iftype == NL80211_IFTYPE_P2P_CLIENT) &&
4972 	    wiphy_ext_feature_isset(&rdev->wiphy,
4973 				    NL80211_EXT_FEATURE_BEACON_PROTECTION_CLIENT))
4974 		bigtk_support = true;
4975 
4976 	if (info->attrs[NL80211_ATTR_KEY_IDX]) {
4977 		key_idx = nla_get_u8(info->attrs[NL80211_ATTR_KEY_IDX]);
4978 
4979 		if (key_idx >= 6 && key_idx <= 7 && !bigtk_support) {
4980 			GENL_SET_ERR_MSG(info, "BIGTK not supported");
4981 			return -EINVAL;
4982 		}
4983 	}
4984 
4985 	if (info->attrs[NL80211_ATTR_MAC])
4986 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
4987 
4988 	pairwise = !!mac_addr;
4989 	if (info->attrs[NL80211_ATTR_KEY_TYPE]) {
4990 		u32 kt = nla_get_u32(info->attrs[NL80211_ATTR_KEY_TYPE]);
4991 
4992 		if (kt != NL80211_KEYTYPE_GROUP &&
4993 		    kt != NL80211_KEYTYPE_PAIRWISE)
4994 			return -EINVAL;
4995 		pairwise = kt == NL80211_KEYTYPE_PAIRWISE;
4996 	}
4997 
4998 	if (!rdev->ops->get_key)
4999 		return -EOPNOTSUPP;
5000 
5001 	if (!pairwise && mac_addr && !(rdev->wiphy.flags & WIPHY_FLAG_IBSS_RSN))
5002 		return -ENOENT;
5003 
5004 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
5005 	if (!msg)
5006 		return -ENOMEM;
5007 
5008 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
5009 			     NL80211_CMD_NEW_KEY);
5010 	if (!hdr)
5011 		goto nla_put_failure;
5012 
5013 	cookie.msg = msg;
5014 	cookie.idx = key_idx;
5015 
5016 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
5017 	    nla_put_u8(msg, NL80211_ATTR_KEY_IDX, key_idx))
5018 		goto nla_put_failure;
5019 	if (mac_addr &&
5020 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac_addr))
5021 		goto nla_put_failure;
5022 
5023 	err = nl80211_validate_key_link_id(info, wdev, link_id, pairwise);
5024 	if (err)
5025 		goto free_msg;
5026 
5027 	err = rdev_get_key(rdev, dev, link_id, key_idx, pairwise, mac_addr,
5028 			   &cookie, get_key_callback);
5029 
5030 	if (err)
5031 		goto free_msg;
5032 
5033 	if (cookie.error)
5034 		goto nla_put_failure;
5035 
5036 	genlmsg_end(msg, hdr);
5037 	return genlmsg_reply(msg, info);
5038 
5039  nla_put_failure:
5040 	err = -ENOBUFS;
5041  free_msg:
5042 	nlmsg_free(msg);
5043 	return err;
5044 }
5045 
5046 static int nl80211_set_key(struct sk_buff *skb, struct genl_info *info)
5047 {
5048 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
5049 	struct key_parse key;
5050 	int err;
5051 	struct net_device *dev = info->user_ptr[1];
5052 	int link_id = nl80211_link_id_or_invalid(info->attrs);
5053 	struct wireless_dev *wdev = dev->ieee80211_ptr;
5054 
5055 	err = nl80211_parse_key(info, &key);
5056 	if (err)
5057 		return err;
5058 
5059 	if (key.idx < 0)
5060 		return -EINVAL;
5061 
5062 	/* Only support setting default key and
5063 	 * Extended Key ID action NL80211_KEY_SET_TX.
5064 	 */
5065 	if (!key.def && !key.defmgmt && !key.defbeacon &&
5066 	    !(key.p.mode == NL80211_KEY_SET_TX))
5067 		return -EINVAL;
5068 
5069 	if (key.def) {
5070 		if (!rdev->ops->set_default_key)
5071 			return -EOPNOTSUPP;
5072 
5073 		err = nl80211_key_allowed(wdev);
5074 		if (err)
5075 			return err;
5076 
5077 		err = nl80211_validate_key_link_id(info, wdev, link_id, false);
5078 		if (err)
5079 			return err;
5080 
5081 		err = rdev_set_default_key(rdev, dev, link_id, key.idx,
5082 					   key.def_uni, key.def_multi);
5083 
5084 		if (err)
5085 			return err;
5086 
5087 #ifdef CONFIG_CFG80211_WEXT
5088 		wdev->wext.default_key = key.idx;
5089 #endif
5090 		return 0;
5091 	} else if (key.defmgmt) {
5092 		if (key.def_uni || !key.def_multi)
5093 			return -EINVAL;
5094 
5095 		if (!rdev->ops->set_default_mgmt_key)
5096 			return -EOPNOTSUPP;
5097 
5098 		err = nl80211_key_allowed(wdev);
5099 		if (err)
5100 			return err;
5101 
5102 		err = nl80211_validate_key_link_id(info, wdev, link_id, false);
5103 		if (err)
5104 			return err;
5105 
5106 		err = rdev_set_default_mgmt_key(rdev, dev, link_id, key.idx);
5107 		if (err)
5108 			return err;
5109 
5110 #ifdef CONFIG_CFG80211_WEXT
5111 		wdev->wext.default_mgmt_key = key.idx;
5112 #endif
5113 		return 0;
5114 	} else if (key.defbeacon) {
5115 		if (key.def_uni || !key.def_multi)
5116 			return -EINVAL;
5117 
5118 		if (!rdev->ops->set_default_beacon_key)
5119 			return -EOPNOTSUPP;
5120 
5121 		err = nl80211_key_allowed(wdev);
5122 		if (err)
5123 			return err;
5124 
5125 		err = nl80211_validate_key_link_id(info, wdev, link_id, false);
5126 		if (err)
5127 			return err;
5128 
5129 		return rdev_set_default_beacon_key(rdev, dev, link_id, key.idx);
5130 	} else if (key.p.mode == NL80211_KEY_SET_TX &&
5131 		   wiphy_ext_feature_isset(&rdev->wiphy,
5132 					   NL80211_EXT_FEATURE_EXT_KEY_ID)) {
5133 		u8 *mac_addr = NULL;
5134 
5135 		if (info->attrs[NL80211_ATTR_MAC])
5136 			mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
5137 
5138 		if (!mac_addr || key.idx < 0 || key.idx > 1)
5139 			return -EINVAL;
5140 
5141 		err = nl80211_validate_key_link_id(info, wdev, link_id, true);
5142 		if (err)
5143 			return err;
5144 
5145 		return rdev_add_key(rdev, dev, link_id, key.idx,
5146 				    NL80211_KEYTYPE_PAIRWISE,
5147 				    mac_addr, &key.p);
5148 	}
5149 
5150 	return -EINVAL;
5151 }
5152 
5153 static int nl80211_new_key(struct sk_buff *skb, struct genl_info *info)
5154 {
5155 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
5156 	int err;
5157 	struct net_device *dev = info->user_ptr[1];
5158 	struct key_parse key;
5159 	const u8 *mac_addr = NULL;
5160 	int link_id = nl80211_link_id_or_invalid(info->attrs);
5161 	struct wireless_dev *wdev = dev->ieee80211_ptr;
5162 
5163 	err = nl80211_parse_key(info, &key);
5164 	if (err)
5165 		return err;
5166 
5167 	if (!key.p.key) {
5168 		GENL_SET_ERR_MSG(info, "no key");
5169 		return -EINVAL;
5170 	}
5171 
5172 	if (info->attrs[NL80211_ATTR_MAC])
5173 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
5174 
5175 	if (key.type == -1) {
5176 		if (mac_addr)
5177 			key.type = NL80211_KEYTYPE_PAIRWISE;
5178 		else
5179 			key.type = NL80211_KEYTYPE_GROUP;
5180 	}
5181 
5182 	/* for now */
5183 	if (key.type != NL80211_KEYTYPE_PAIRWISE &&
5184 	    key.type != NL80211_KEYTYPE_GROUP) {
5185 		GENL_SET_ERR_MSG(info, "key type not pairwise or group");
5186 		return -EINVAL;
5187 	}
5188 
5189 	if (key.type == NL80211_KEYTYPE_GROUP &&
5190 	    info->attrs[NL80211_ATTR_VLAN_ID])
5191 		key.p.vlan_id = nla_get_u16(info->attrs[NL80211_ATTR_VLAN_ID]);
5192 
5193 	if (!rdev->ops->add_key)
5194 		return -EOPNOTSUPP;
5195 
5196 	if (cfg80211_validate_key_settings(rdev, &key.p, key.idx,
5197 					   key.type == NL80211_KEYTYPE_PAIRWISE,
5198 					   mac_addr)) {
5199 		GENL_SET_ERR_MSG(info, "key setting validation failed");
5200 		return -EINVAL;
5201 	}
5202 
5203 	err = nl80211_key_allowed(wdev);
5204 	if (err)
5205 		GENL_SET_ERR_MSG(info, "key not allowed");
5206 
5207 	if (!err)
5208 		err = nl80211_validate_key_link_id(info, wdev, link_id,
5209 				key.type == NL80211_KEYTYPE_PAIRWISE);
5210 
5211 	if (!err) {
5212 		err = rdev_add_key(rdev, dev, link_id, key.idx,
5213 				   key.type == NL80211_KEYTYPE_PAIRWISE,
5214 				    mac_addr, &key.p);
5215 		if (err)
5216 			GENL_SET_ERR_MSG(info, "key addition failed");
5217 	}
5218 
5219 	return err;
5220 }
5221 
5222 static int nl80211_del_key(struct sk_buff *skb, struct genl_info *info)
5223 {
5224 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
5225 	int err;
5226 	struct net_device *dev = info->user_ptr[1];
5227 	u8 *mac_addr = NULL;
5228 	struct key_parse key;
5229 	int link_id = nl80211_link_id_or_invalid(info->attrs);
5230 	struct wireless_dev *wdev = dev->ieee80211_ptr;
5231 
5232 	err = nl80211_parse_key(info, &key);
5233 	if (err)
5234 		return err;
5235 
5236 	if (info->attrs[NL80211_ATTR_MAC])
5237 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
5238 
5239 	if (key.type == -1) {
5240 		if (mac_addr)
5241 			key.type = NL80211_KEYTYPE_PAIRWISE;
5242 		else
5243 			key.type = NL80211_KEYTYPE_GROUP;
5244 	}
5245 
5246 	/* for now */
5247 	if (key.type != NL80211_KEYTYPE_PAIRWISE &&
5248 	    key.type != NL80211_KEYTYPE_GROUP)
5249 		return -EINVAL;
5250 
5251 	if (!cfg80211_valid_key_idx(rdev, key.idx,
5252 				    key.type == NL80211_KEYTYPE_PAIRWISE))
5253 		return -EINVAL;
5254 
5255 	if (!rdev->ops->del_key)
5256 		return -EOPNOTSUPP;
5257 
5258 	err = nl80211_key_allowed(wdev);
5259 
5260 	if (key.type == NL80211_KEYTYPE_GROUP && mac_addr &&
5261 	    !(rdev->wiphy.flags & WIPHY_FLAG_IBSS_RSN))
5262 		err = -ENOENT;
5263 
5264 	if (!err)
5265 		err = nl80211_validate_key_link_id(info, wdev, link_id,
5266 				key.type == NL80211_KEYTYPE_PAIRWISE);
5267 
5268 	if (!err)
5269 		err = rdev_del_key(rdev, dev, link_id, key.idx,
5270 				   key.type == NL80211_KEYTYPE_PAIRWISE,
5271 				   mac_addr);
5272 
5273 #ifdef CONFIG_CFG80211_WEXT
5274 	if (!err) {
5275 		if (key.idx == wdev->wext.default_key)
5276 			wdev->wext.default_key = -1;
5277 		else if (key.idx == wdev->wext.default_mgmt_key)
5278 			wdev->wext.default_mgmt_key = -1;
5279 	}
5280 #endif
5281 
5282 	return err;
5283 }
5284 
5285 /* This function returns an error or the number of nested attributes */
5286 static int validate_acl_mac_addrs(struct nlattr *nl_attr)
5287 {
5288 	struct nlattr *attr;
5289 	int n_entries = 0, tmp;
5290 
5291 	nla_for_each_nested(attr, nl_attr, tmp) {
5292 		if (nla_len(attr) != ETH_ALEN)
5293 			return -EINVAL;
5294 
5295 		n_entries++;
5296 	}
5297 
5298 	return n_entries;
5299 }
5300 
5301 /*
5302  * This function parses ACL information and allocates memory for ACL data.
5303  * On successful return, the calling function is responsible to free the
5304  * ACL buffer returned by this function.
5305  */
5306 static struct cfg80211_acl_data *parse_acl_data(struct wiphy *wiphy,
5307 						struct genl_info *info)
5308 {
5309 	enum nl80211_acl_policy acl_policy;
5310 	struct nlattr *attr;
5311 	struct cfg80211_acl_data *acl;
5312 	int i = 0, n_entries, tmp;
5313 
5314 	if (!wiphy->max_acl_mac_addrs)
5315 		return ERR_PTR(-EOPNOTSUPP);
5316 
5317 	if (!info->attrs[NL80211_ATTR_ACL_POLICY])
5318 		return ERR_PTR(-EINVAL);
5319 
5320 	acl_policy = nla_get_u32(info->attrs[NL80211_ATTR_ACL_POLICY]);
5321 	if (acl_policy != NL80211_ACL_POLICY_ACCEPT_UNLESS_LISTED &&
5322 	    acl_policy != NL80211_ACL_POLICY_DENY_UNLESS_LISTED)
5323 		return ERR_PTR(-EINVAL);
5324 
5325 	if (!info->attrs[NL80211_ATTR_MAC_ADDRS])
5326 		return ERR_PTR(-EINVAL);
5327 
5328 	n_entries = validate_acl_mac_addrs(info->attrs[NL80211_ATTR_MAC_ADDRS]);
5329 	if (n_entries < 0)
5330 		return ERR_PTR(n_entries);
5331 
5332 	if (n_entries > wiphy->max_acl_mac_addrs)
5333 		return ERR_PTR(-EOPNOTSUPP);
5334 
5335 	acl = kzalloc_flex(*acl, mac_addrs, n_entries);
5336 	if (!acl)
5337 		return ERR_PTR(-ENOMEM);
5338 	acl->n_acl_entries = n_entries;
5339 
5340 	nla_for_each_nested(attr, info->attrs[NL80211_ATTR_MAC_ADDRS], tmp) {
5341 		memcpy(acl->mac_addrs[i].addr, nla_data(attr), ETH_ALEN);
5342 		i++;
5343 	}
5344 	acl->acl_policy = acl_policy;
5345 
5346 	return acl;
5347 }
5348 
5349 static int nl80211_set_mac_acl(struct sk_buff *skb, struct genl_info *info)
5350 {
5351 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
5352 	struct net_device *dev = info->user_ptr[1];
5353 	struct cfg80211_acl_data *acl;
5354 	int err;
5355 
5356 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
5357 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
5358 		return -EOPNOTSUPP;
5359 
5360 	if (!dev->ieee80211_ptr->links[0].ap.beacon_interval)
5361 		return -EINVAL;
5362 
5363 	acl = parse_acl_data(&rdev->wiphy, info);
5364 	if (IS_ERR(acl))
5365 		return PTR_ERR(acl);
5366 
5367 	err = rdev_set_mac_acl(rdev, dev, acl);
5368 
5369 	kfree(acl);
5370 
5371 	return err;
5372 }
5373 
5374 static u32 rateset_to_mask(struct ieee80211_supported_band *sband,
5375 			   u8 *rates, u8 rates_len)
5376 {
5377 	u8 i;
5378 	u32 mask = 0;
5379 
5380 	for (i = 0; i < rates_len; i++) {
5381 		int rate = (rates[i] & 0x7f) * 5;
5382 		int ridx;
5383 
5384 		for (ridx = 0; ridx < sband->n_bitrates; ridx++) {
5385 			struct ieee80211_rate *srate =
5386 				&sband->bitrates[ridx];
5387 			if (rate == srate->bitrate) {
5388 				mask |= 1 << ridx;
5389 				break;
5390 			}
5391 		}
5392 		if (ridx == sband->n_bitrates)
5393 			return 0; /* rate not found */
5394 	}
5395 
5396 	return mask;
5397 }
5398 
5399 static bool ht_rateset_to_mask(struct ieee80211_supported_band *sband,
5400 			       u8 *rates, u8 rates_len,
5401 			       u8 mcs[IEEE80211_HT_MCS_MASK_LEN])
5402 {
5403 	u8 i;
5404 
5405 	memset(mcs, 0, IEEE80211_HT_MCS_MASK_LEN);
5406 
5407 	for (i = 0; i < rates_len; i++) {
5408 		int ridx, rbit;
5409 
5410 		ridx = rates[i] / 8;
5411 		rbit = BIT(rates[i] % 8);
5412 
5413 		/* check validity */
5414 		if ((ridx < 0) || (ridx >= IEEE80211_HT_MCS_MASK_LEN))
5415 			return false;
5416 
5417 		/* check availability */
5418 		ridx = array_index_nospec(ridx, IEEE80211_HT_MCS_MASK_LEN);
5419 		if (sband->ht_cap.mcs.rx_mask[ridx] & rbit)
5420 			mcs[ridx] |= rbit;
5421 		else
5422 			return false;
5423 	}
5424 
5425 	return true;
5426 }
5427 
5428 static u16 vht_mcs_map_to_mcs_mask(u8 vht_mcs_map)
5429 {
5430 	u16 mcs_mask = 0;
5431 
5432 	switch (vht_mcs_map) {
5433 	case IEEE80211_VHT_MCS_NOT_SUPPORTED:
5434 		break;
5435 	case IEEE80211_VHT_MCS_SUPPORT_0_7:
5436 		mcs_mask = 0x00FF;
5437 		break;
5438 	case IEEE80211_VHT_MCS_SUPPORT_0_8:
5439 		mcs_mask = 0x01FF;
5440 		break;
5441 	case IEEE80211_VHT_MCS_SUPPORT_0_9:
5442 		mcs_mask = 0x03FF;
5443 		break;
5444 	default:
5445 		break;
5446 	}
5447 
5448 	return mcs_mask;
5449 }
5450 
5451 static void vht_build_mcs_mask(u16 vht_mcs_map,
5452 			       u16 vht_mcs_mask[NL80211_VHT_NSS_MAX])
5453 {
5454 	u8 nss;
5455 
5456 	for (nss = 0; nss < NL80211_VHT_NSS_MAX; nss++) {
5457 		vht_mcs_mask[nss] = vht_mcs_map_to_mcs_mask(vht_mcs_map & 0x03);
5458 		vht_mcs_map >>= 2;
5459 	}
5460 }
5461 
5462 static bool vht_set_mcs_mask(struct ieee80211_supported_band *sband,
5463 			     struct nl80211_txrate_vht *txrate,
5464 			     u16 mcs[NL80211_VHT_NSS_MAX])
5465 {
5466 	u16 tx_mcs_map = le16_to_cpu(sband->vht_cap.vht_mcs.tx_mcs_map);
5467 	u16 tx_mcs_mask[NL80211_VHT_NSS_MAX] = {};
5468 	u8 i;
5469 
5470 	if (!sband->vht_cap.vht_supported)
5471 		return false;
5472 
5473 	memset(mcs, 0, sizeof(u16) * NL80211_VHT_NSS_MAX);
5474 
5475 	/* Build vht_mcs_mask from VHT capabilities */
5476 	vht_build_mcs_mask(tx_mcs_map, tx_mcs_mask);
5477 
5478 	for (i = 0; i < NL80211_VHT_NSS_MAX; i++) {
5479 		if ((tx_mcs_mask[i] & txrate->mcs[i]) == txrate->mcs[i])
5480 			mcs[i] = txrate->mcs[i];
5481 		else
5482 			return false;
5483 	}
5484 
5485 	return true;
5486 }
5487 
5488 static u16 he_mcs_map_to_mcs_mask(u8 he_mcs_map)
5489 {
5490 	switch (he_mcs_map) {
5491 	case IEEE80211_HE_MCS_NOT_SUPPORTED:
5492 		return 0;
5493 	case IEEE80211_HE_MCS_SUPPORT_0_7:
5494 		return 0x00FF;
5495 	case IEEE80211_HE_MCS_SUPPORT_0_9:
5496 		return 0x03FF;
5497 	case IEEE80211_HE_MCS_SUPPORT_0_11:
5498 		return 0xFFF;
5499 	default:
5500 		break;
5501 	}
5502 	return 0;
5503 }
5504 
5505 static void he_build_mcs_mask(u16 he_mcs_map,
5506 			      u16 he_mcs_mask[NL80211_HE_NSS_MAX])
5507 {
5508 	u8 nss;
5509 
5510 	for (nss = 0; nss < NL80211_HE_NSS_MAX; nss++) {
5511 		he_mcs_mask[nss] = he_mcs_map_to_mcs_mask(he_mcs_map & 0x03);
5512 		he_mcs_map >>= 2;
5513 	}
5514 }
5515 
5516 static u16 he_get_txmcsmap(struct genl_info *info, unsigned int link_id,
5517 			   const struct ieee80211_sta_he_cap *he_cap)
5518 {
5519 	struct net_device *dev = info->user_ptr[1];
5520 	struct wireless_dev *wdev = dev->ieee80211_ptr;
5521 	struct cfg80211_chan_def *chandef;
5522 	__le16 tx_mcs;
5523 
5524 	chandef = wdev_chandef(wdev, link_id);
5525 	if (!chandef) {
5526 		/*
5527 		 * This is probably broken, but we never maintained
5528 		 * a chandef in these cases, so it always was.
5529 		 */
5530 		return le16_to_cpu(he_cap->he_mcs_nss_supp.tx_mcs_80);
5531 	}
5532 
5533 	switch (chandef->width) {
5534 	case NL80211_CHAN_WIDTH_80P80:
5535 		tx_mcs = he_cap->he_mcs_nss_supp.tx_mcs_80p80;
5536 		break;
5537 	case NL80211_CHAN_WIDTH_160:
5538 		tx_mcs = he_cap->he_mcs_nss_supp.tx_mcs_160;
5539 		break;
5540 	default:
5541 		tx_mcs = he_cap->he_mcs_nss_supp.tx_mcs_80;
5542 		break;
5543 	}
5544 
5545 	return le16_to_cpu(tx_mcs);
5546 }
5547 
5548 static bool he_set_mcs_mask(struct genl_info *info,
5549 			    struct wireless_dev *wdev,
5550 			    struct ieee80211_supported_band *sband,
5551 			    struct nl80211_txrate_he *txrate,
5552 			    u16 mcs[NL80211_HE_NSS_MAX],
5553 			    unsigned int link_id)
5554 {
5555 	const struct ieee80211_sta_he_cap *he_cap;
5556 	u16 tx_mcs_mask[NL80211_HE_NSS_MAX] = {};
5557 	u16 tx_mcs_map = 0;
5558 	u8 i;
5559 
5560 	he_cap = ieee80211_get_he_iftype_cap(sband, wdev->iftype);
5561 	if (!he_cap)
5562 		return false;
5563 
5564 	memset(mcs, 0, sizeof(u16) * NL80211_HE_NSS_MAX);
5565 
5566 	tx_mcs_map = he_get_txmcsmap(info, link_id, he_cap);
5567 
5568 	/* Build he_mcs_mask from HE capabilities */
5569 	he_build_mcs_mask(tx_mcs_map, tx_mcs_mask);
5570 
5571 	for (i = 0; i < NL80211_HE_NSS_MAX; i++) {
5572 		if ((tx_mcs_mask[i] & txrate->mcs[i]) == txrate->mcs[i])
5573 			mcs[i] = txrate->mcs[i];
5574 		else
5575 			return false;
5576 	}
5577 
5578 	return true;
5579 }
5580 
5581 static void eht_build_mcs_mask(struct genl_info *info,
5582 			       const struct ieee80211_sta_eht_cap *eht_cap,
5583 			       u8 mcs_nss_len, u16 *mcs_mask)
5584 {
5585 	struct net_device *dev = info->user_ptr[1];
5586 	struct wireless_dev *wdev = dev->ieee80211_ptr;
5587 	u8 nss, mcs_7 = 0, mcs_9 = 0, mcs_11 = 0, mcs_13 = 0;
5588 	unsigned int link_id = nl80211_link_id(info->attrs);
5589 
5590 	if (mcs_nss_len == 4) {
5591 		const struct ieee80211_eht_mcs_nss_supp_20mhz_only *mcs =
5592 					&eht_cap->eht_mcs_nss_supp.only_20mhz;
5593 
5594 		mcs_7 = u8_get_bits(mcs->rx_tx_mcs7_max_nss,
5595 				    IEEE80211_EHT_MCS_NSS_TX);
5596 		mcs_9 = u8_get_bits(mcs->rx_tx_mcs9_max_nss,
5597 				    IEEE80211_EHT_MCS_NSS_TX);
5598 		mcs_11 = u8_get_bits(mcs->rx_tx_mcs11_max_nss,
5599 				     IEEE80211_EHT_MCS_NSS_TX);
5600 		mcs_13 = u8_get_bits(mcs->rx_tx_mcs13_max_nss,
5601 				     IEEE80211_EHT_MCS_NSS_TX);
5602 
5603 	} else {
5604 		const struct ieee80211_eht_mcs_nss_supp_bw *mcs;
5605 		enum nl80211_chan_width width;
5606 
5607 		switch (wdev->iftype) {
5608 		case NL80211_IFTYPE_ADHOC:
5609 			width = wdev->u.ibss.chandef.width;
5610 			break;
5611 		case NL80211_IFTYPE_MESH_POINT:
5612 			width = wdev->u.mesh.chandef.width;
5613 			break;
5614 		case NL80211_IFTYPE_OCB:
5615 			width = wdev->u.ocb.chandef.width;
5616 			break;
5617 		default:
5618 			if (wdev->valid_links)
5619 				width = wdev->links[link_id].ap.chandef.width;
5620 			else
5621 				width = wdev->u.ap.preset_chandef.width;
5622 			break;
5623 		}
5624 
5625 		switch (width) {
5626 		case NL80211_CHAN_WIDTH_320:
5627 			mcs = &eht_cap->eht_mcs_nss_supp.bw._320;
5628 			break;
5629 		case NL80211_CHAN_WIDTH_160:
5630 			mcs = &eht_cap->eht_mcs_nss_supp.bw._160;
5631 			break;
5632 		default:
5633 			mcs = &eht_cap->eht_mcs_nss_supp.bw._80;
5634 			break;
5635 		}
5636 
5637 		mcs_7 = u8_get_bits(mcs->rx_tx_mcs9_max_nss,
5638 				    IEEE80211_EHT_MCS_NSS_TX);
5639 		mcs_9 = u8_get_bits(mcs->rx_tx_mcs9_max_nss,
5640 				    IEEE80211_EHT_MCS_NSS_TX);
5641 		mcs_11 = u8_get_bits(mcs->rx_tx_mcs11_max_nss,
5642 				     IEEE80211_EHT_MCS_NSS_TX);
5643 		mcs_13 = u8_get_bits(mcs->rx_tx_mcs13_max_nss,
5644 				     IEEE80211_EHT_MCS_NSS_TX);
5645 	}
5646 
5647 	/* Enable MCS 14 for NSS 0 */
5648 	if (eht_cap->eht_cap_elem.phy_cap_info[6] &
5649 	    IEEE80211_EHT_PHY_CAP6_EHT_DUP_6GHZ_SUPP)
5650 		mcs_mask[0] |= 0x4000;
5651 
5652 	/* Enable MCS 15 for NSS 0 */
5653 	mcs_mask[0] |= 0x8000;
5654 
5655 	for (nss = 0; nss < NL80211_EHT_NSS_MAX; nss++) {
5656 		if (!mcs_7)
5657 			continue;
5658 		mcs_mask[nss] |= 0x00FF;
5659 		mcs_7--;
5660 
5661 		if (!mcs_9)
5662 			continue;
5663 		mcs_mask[nss] |= 0x0300;
5664 		mcs_9--;
5665 
5666 		if (!mcs_11)
5667 			continue;
5668 		mcs_mask[nss] |= 0x0C00;
5669 		mcs_11--;
5670 
5671 		if (!mcs_13)
5672 			continue;
5673 		mcs_mask[nss] |= 0x3000;
5674 		mcs_13--;
5675 	}
5676 }
5677 
5678 static bool eht_set_mcs_mask(struct genl_info *info, struct wireless_dev *wdev,
5679 			     struct ieee80211_supported_band *sband,
5680 			     struct nl80211_txrate_eht *txrate,
5681 			     u16 mcs[NL80211_EHT_NSS_MAX])
5682 {
5683 	const struct ieee80211_sta_he_cap *he_cap;
5684 	const struct ieee80211_sta_eht_cap *eht_cap;
5685 	u16 tx_mcs_mask[NL80211_EHT_NSS_MAX] = { 0 };
5686 	u8 i, mcs_nss_len;
5687 
5688 	he_cap = ieee80211_get_he_iftype_cap(sband, wdev->iftype);
5689 	if (!he_cap)
5690 		return false;
5691 
5692 	eht_cap = ieee80211_get_eht_iftype_cap(sband, wdev->iftype);
5693 	if (!eht_cap)
5694 		return false;
5695 
5696 	/* Checks for MCS 14 */
5697 	if (txrate->mcs[0] & 0x4000) {
5698 		if (sband->band != NL80211_BAND_6GHZ)
5699 			return false;
5700 
5701 		if (!(eht_cap->eht_cap_elem.phy_cap_info[6] &
5702 		      IEEE80211_EHT_PHY_CAP6_EHT_DUP_6GHZ_SUPP))
5703 			return false;
5704 	}
5705 
5706 	mcs_nss_len = ieee80211_eht_mcs_nss_size(&he_cap->he_cap_elem,
5707 						 &eht_cap->eht_cap_elem,
5708 						 wdev->iftype ==
5709 							NL80211_IFTYPE_STATION);
5710 
5711 	if (mcs_nss_len == 3) {
5712 		/* Supported iftypes for setting non-20 MHZ only EHT MCS */
5713 		switch (wdev->iftype) {
5714 		case NL80211_IFTYPE_ADHOC:
5715 		case NL80211_IFTYPE_AP:
5716 		case NL80211_IFTYPE_P2P_GO:
5717 		case NL80211_IFTYPE_MESH_POINT:
5718 		case NL80211_IFTYPE_OCB:
5719 			break;
5720 		default:
5721 			return false;
5722 		}
5723 	}
5724 
5725 	/* Build eht_mcs_mask from EHT and HE capabilities */
5726 	eht_build_mcs_mask(info, eht_cap, mcs_nss_len, tx_mcs_mask);
5727 
5728 	memset(mcs, 0, sizeof(u16) * NL80211_EHT_NSS_MAX);
5729 	for (i = 0; i < NL80211_EHT_NSS_MAX; i++) {
5730 		if ((tx_mcs_mask[i] & txrate->mcs[i]) == txrate->mcs[i])
5731 			mcs[i] = txrate->mcs[i];
5732 		else
5733 			return false;
5734 	}
5735 
5736 	return true;
5737 }
5738 
5739 static int nl80211_parse_tx_bitrate_mask(struct genl_info *info,
5740 					 struct nlattr *attrs[],
5741 					 enum nl80211_attrs attr,
5742 					 struct cfg80211_bitrate_mask *mask,
5743 					 struct net_device *dev,
5744 					 bool default_all_enabled,
5745 					 unsigned int link_id)
5746 {
5747 	struct nlattr *tb[NL80211_TXRATE_MAX + 1];
5748 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
5749 	struct wireless_dev *wdev = dev->ieee80211_ptr;
5750 	int rem, i;
5751 	struct nlattr *tx_rates;
5752 	struct ieee80211_supported_band *sband;
5753 	u16 vht_tx_mcs_map, he_tx_mcs_map;
5754 
5755 	memset(mask, 0, sizeof(*mask));
5756 	/* Default to all rates enabled */
5757 	for (i = 0; i < NUM_NL80211_BANDS; i++) {
5758 		const struct ieee80211_sta_he_cap *he_cap;
5759 		const struct ieee80211_sta_eht_cap *eht_cap;
5760 		u8 mcs_nss_len;
5761 
5762 		if (!default_all_enabled)
5763 			break;
5764 
5765 		sband = rdev->wiphy.bands[i];
5766 
5767 		if (!sband)
5768 			continue;
5769 
5770 		mask->control[i].legacy = (1 << sband->n_bitrates) - 1;
5771 		memcpy(mask->control[i].ht_mcs,
5772 		       sband->ht_cap.mcs.rx_mask,
5773 		       sizeof(mask->control[i].ht_mcs));
5774 
5775 		if (sband->vht_cap.vht_supported) {
5776 			vht_tx_mcs_map = le16_to_cpu(sband->vht_cap.vht_mcs.tx_mcs_map);
5777 			vht_build_mcs_mask(vht_tx_mcs_map, mask->control[i].vht_mcs);
5778 		}
5779 
5780 		he_cap = ieee80211_get_he_iftype_cap(sband, wdev->iftype);
5781 		if (!he_cap)
5782 			continue;
5783 
5784 		he_tx_mcs_map = he_get_txmcsmap(info, link_id, he_cap);
5785 		he_build_mcs_mask(he_tx_mcs_map, mask->control[i].he_mcs);
5786 
5787 		mask->control[i].he_gi = 0xFF;
5788 		mask->control[i].he_ltf = 0xFF;
5789 
5790 		eht_cap = ieee80211_get_eht_iftype_cap(sband, wdev->iftype);
5791 		if (!eht_cap)
5792 			continue;
5793 
5794 		mcs_nss_len = ieee80211_eht_mcs_nss_size(&he_cap->he_cap_elem,
5795 							 &eht_cap->eht_cap_elem,
5796 							 wdev->iftype ==
5797 							 NL80211_IFTYPE_STATION);
5798 
5799 		eht_build_mcs_mask(info, eht_cap, mcs_nss_len,
5800 				   mask->control[i].eht_mcs);
5801 
5802 		mask->control[i].eht_gi = 0xFF;
5803 		mask->control[i].eht_ltf = 0xFF;
5804 	}
5805 
5806 	/* if no rates are given set it back to the defaults */
5807 	if (!attrs[attr])
5808 		goto out;
5809 
5810 	/* The nested attribute uses enum nl80211_band as the index. This maps
5811 	 * directly to the enum nl80211_band values used in cfg80211.
5812 	 */
5813 	BUILD_BUG_ON(NL80211_MAX_SUPP_HT_RATES > IEEE80211_HT_MCS_MASK_LEN * 8);
5814 	nla_for_each_nested(tx_rates, attrs[attr], rem) {
5815 		enum nl80211_band band = nla_type(tx_rates);
5816 		int err;
5817 
5818 		if (band < 0 || band >= NUM_NL80211_BANDS)
5819 			return -EINVAL;
5820 		sband = rdev->wiphy.bands[band];
5821 		if (sband == NULL)
5822 			return -EINVAL;
5823 		err = nla_parse_nested_deprecated(tb, NL80211_TXRATE_MAX,
5824 						  tx_rates,
5825 						  nl80211_txattr_policy,
5826 						  info->extack);
5827 		if (err)
5828 			return err;
5829 		if (tb[NL80211_TXRATE_LEGACY]) {
5830 			mask->control[band].legacy = rateset_to_mask(
5831 				sband,
5832 				nla_data(tb[NL80211_TXRATE_LEGACY]),
5833 				nla_len(tb[NL80211_TXRATE_LEGACY]));
5834 			if ((mask->control[band].legacy == 0) &&
5835 			    nla_len(tb[NL80211_TXRATE_LEGACY]))
5836 				return -EINVAL;
5837 		}
5838 		if (tb[NL80211_TXRATE_HT]) {
5839 			if (!ht_rateset_to_mask(
5840 					sband,
5841 					nla_data(tb[NL80211_TXRATE_HT]),
5842 					nla_len(tb[NL80211_TXRATE_HT]),
5843 					mask->control[band].ht_mcs))
5844 				return -EINVAL;
5845 		}
5846 
5847 		if (tb[NL80211_TXRATE_VHT]) {
5848 			if (!vht_set_mcs_mask(
5849 					sband,
5850 					nla_data(tb[NL80211_TXRATE_VHT]),
5851 					mask->control[band].vht_mcs))
5852 				return -EINVAL;
5853 		}
5854 
5855 		if (tb[NL80211_TXRATE_GI]) {
5856 			mask->control[band].gi =
5857 				nla_get_u8(tb[NL80211_TXRATE_GI]);
5858 			if (mask->control[band].gi > NL80211_TXRATE_FORCE_LGI)
5859 				return -EINVAL;
5860 		}
5861 		if (tb[NL80211_TXRATE_HE] &&
5862 		    !he_set_mcs_mask(info, wdev, sband,
5863 				     nla_data(tb[NL80211_TXRATE_HE]),
5864 				     mask->control[band].he_mcs,
5865 				     link_id))
5866 			return -EINVAL;
5867 
5868 		if (tb[NL80211_TXRATE_HE_GI])
5869 			mask->control[band].he_gi =
5870 				nla_get_u8(tb[NL80211_TXRATE_HE_GI]);
5871 		if (tb[NL80211_TXRATE_HE_LTF])
5872 			mask->control[band].he_ltf =
5873 				nla_get_u8(tb[NL80211_TXRATE_HE_LTF]);
5874 
5875 		if (tb[NL80211_TXRATE_EHT] &&
5876 		    !eht_set_mcs_mask(info, wdev, sband,
5877 				      nla_data(tb[NL80211_TXRATE_EHT]),
5878 				      mask->control[band].eht_mcs))
5879 			return -EINVAL;
5880 
5881 		if (tb[NL80211_TXRATE_EHT_GI])
5882 			mask->control[band].eht_gi =
5883 				nla_get_u8(tb[NL80211_TXRATE_EHT_GI]);
5884 		if (tb[NL80211_TXRATE_EHT_LTF])
5885 			mask->control[band].eht_ltf =
5886 				nla_get_u8(tb[NL80211_TXRATE_EHT_LTF]);
5887 
5888 		if (mask->control[band].legacy == 0) {
5889 			/* don't allow empty legacy rates if HT, VHT, HE or EHT
5890 			 * are not even supported.
5891 			 */
5892 			if (!(rdev->wiphy.bands[band]->ht_cap.ht_supported ||
5893 			      rdev->wiphy.bands[band]->vht_cap.vht_supported ||
5894 			      ieee80211_get_he_iftype_cap(sband, wdev->iftype) ||
5895 			      ieee80211_get_eht_iftype_cap(sband, wdev->iftype)))
5896 				return -EINVAL;
5897 
5898 			for (i = 0; i < IEEE80211_HT_MCS_MASK_LEN; i++)
5899 				if (mask->control[band].ht_mcs[i])
5900 					goto out;
5901 
5902 			for (i = 0; i < NL80211_VHT_NSS_MAX; i++)
5903 				if (mask->control[band].vht_mcs[i])
5904 					goto out;
5905 
5906 			for (i = 0; i < NL80211_HE_NSS_MAX; i++)
5907 				if (mask->control[band].he_mcs[i])
5908 					goto out;
5909 
5910 			for (i = 0; i < NL80211_EHT_NSS_MAX; i++)
5911 				if (mask->control[band].eht_mcs[i])
5912 					goto out;
5913 
5914 			/* legacy and mcs rates may not be both empty */
5915 			return -EINVAL;
5916 		}
5917 	}
5918 
5919 out:
5920 	return 0;
5921 }
5922 
5923 static int validate_beacon_tx_rate(struct cfg80211_registered_device *rdev,
5924 				   enum nl80211_band band,
5925 				   struct cfg80211_bitrate_mask *beacon_rate)
5926 {
5927 	u32 count_ht, count_vht, count_he, count_eht, i;
5928 	u32 rate = beacon_rate->control[band].legacy;
5929 
5930 	/* Allow only one rate */
5931 	if (hweight32(rate) > 1)
5932 		return -EINVAL;
5933 
5934 	count_ht = 0;
5935 	for (i = 0; i < IEEE80211_HT_MCS_MASK_LEN; i++) {
5936 		if (hweight8(beacon_rate->control[band].ht_mcs[i]) > 1) {
5937 			return -EINVAL;
5938 		} else if (beacon_rate->control[band].ht_mcs[i]) {
5939 			count_ht++;
5940 			if (count_ht > 1)
5941 				return -EINVAL;
5942 		}
5943 		if (count_ht && rate)
5944 			return -EINVAL;
5945 	}
5946 
5947 	count_vht = 0;
5948 	for (i = 0; i < NL80211_VHT_NSS_MAX; i++) {
5949 		if (hweight16(beacon_rate->control[band].vht_mcs[i]) > 1) {
5950 			return -EINVAL;
5951 		} else if (beacon_rate->control[band].vht_mcs[i]) {
5952 			count_vht++;
5953 			if (count_vht > 1)
5954 				return -EINVAL;
5955 		}
5956 		if (count_vht && rate)
5957 			return -EINVAL;
5958 	}
5959 
5960 	count_he = 0;
5961 	for (i = 0; i < NL80211_HE_NSS_MAX; i++) {
5962 		if (hweight16(beacon_rate->control[band].he_mcs[i]) > 1) {
5963 			return -EINVAL;
5964 		} else if (beacon_rate->control[band].he_mcs[i]) {
5965 			count_he++;
5966 			if (count_he > 1)
5967 				return -EINVAL;
5968 		}
5969 		if (count_he && rate)
5970 			return -EINVAL;
5971 	}
5972 
5973 	count_eht = 0;
5974 	for (i = 0; i < NL80211_EHT_NSS_MAX; i++) {
5975 		if (hweight16(beacon_rate->control[band].eht_mcs[i]) > 1) {
5976 			return -EINVAL;
5977 		} else if (beacon_rate->control[band].eht_mcs[i]) {
5978 			count_eht++;
5979 			if (count_eht > 1)
5980 				return -EINVAL;
5981 		}
5982 		if (count_eht && rate)
5983 			return -EINVAL;
5984 	}
5985 
5986 	if ((count_ht && count_vht && count_he && count_eht) ||
5987 	    (!rate && !count_ht && !count_vht && !count_he && !count_eht))
5988 		return -EINVAL;
5989 
5990 	if (rate &&
5991 	    !wiphy_ext_feature_isset(&rdev->wiphy,
5992 				     NL80211_EXT_FEATURE_BEACON_RATE_LEGACY))
5993 		return -EINVAL;
5994 	if (count_ht &&
5995 	    !wiphy_ext_feature_isset(&rdev->wiphy,
5996 				     NL80211_EXT_FEATURE_BEACON_RATE_HT))
5997 		return -EINVAL;
5998 	if (count_vht &&
5999 	    !wiphy_ext_feature_isset(&rdev->wiphy,
6000 				     NL80211_EXT_FEATURE_BEACON_RATE_VHT))
6001 		return -EINVAL;
6002 	if (count_he &&
6003 	    !wiphy_ext_feature_isset(&rdev->wiphy,
6004 				     NL80211_EXT_FEATURE_BEACON_RATE_HE))
6005 		return -EINVAL;
6006 
6007 	if (count_eht &&
6008 	    !wiphy_ext_feature_isset(&rdev->wiphy,
6009 				     NL80211_EXT_FEATURE_BEACON_RATE_EHT))
6010 		return -EINVAL;
6011 
6012 	return 0;
6013 }
6014 
6015 static int nl80211_parse_mbssid_config(struct wiphy *wiphy,
6016 				       struct net_device *dev,
6017 				       unsigned int link_id,
6018 				       struct nlattr *attrs,
6019 				       struct cfg80211_mbssid_config *config,
6020 				       u8 num_elems)
6021 {
6022 	struct nlattr *tb[NL80211_MBSSID_CONFIG_ATTR_MAX + 1];
6023 	int tx_link_id = -1;
6024 
6025 	if (!wiphy->mbssid_max_interfaces)
6026 		return -EOPNOTSUPP;
6027 
6028 	if (nla_parse_nested(tb, NL80211_MBSSID_CONFIG_ATTR_MAX, attrs, NULL,
6029 			     NULL) ||
6030 	    !tb[NL80211_MBSSID_CONFIG_ATTR_INDEX])
6031 		return -EINVAL;
6032 
6033 	config->ema = nla_get_flag(tb[NL80211_MBSSID_CONFIG_ATTR_EMA]);
6034 	if (config->ema) {
6035 		if (!wiphy->ema_max_profile_periodicity)
6036 			return -EOPNOTSUPP;
6037 
6038 		if (num_elems > wiphy->ema_max_profile_periodicity)
6039 			return -EINVAL;
6040 	}
6041 
6042 	config->index = nla_get_u8(tb[NL80211_MBSSID_CONFIG_ATTR_INDEX]);
6043 	if (config->index >= wiphy->mbssid_max_interfaces ||
6044 	    (!config->index && !num_elems))
6045 		return -EINVAL;
6046 
6047 	if (tb[NL80211_MBSSID_CONFIG_ATTR_TX_LINK_ID])
6048 		tx_link_id = nla_get_u8(tb[NL80211_MBSSID_CONFIG_ATTR_TX_LINK_ID]);
6049 
6050 	if (tb[NL80211_MBSSID_CONFIG_ATTR_TX_IFINDEX]) {
6051 		u32 tx_ifindex =
6052 			nla_get_u32(tb[NL80211_MBSSID_CONFIG_ATTR_TX_IFINDEX]);
6053 
6054 		if ((!config->index && tx_ifindex != dev->ifindex) ||
6055 		    (config->index && tx_ifindex == dev->ifindex))
6056 			return -EINVAL;
6057 
6058 		if (tx_ifindex != dev->ifindex) {
6059 			struct net_device *tx_netdev =
6060 				dev_get_by_index(wiphy_net(wiphy), tx_ifindex);
6061 
6062 			if (!tx_netdev || !tx_netdev->ieee80211_ptr ||
6063 			    tx_netdev->ieee80211_ptr->wiphy != wiphy ||
6064 			    tx_netdev->ieee80211_ptr->iftype !=
6065 							NL80211_IFTYPE_AP) {
6066 				dev_put(tx_netdev);
6067 				return -EINVAL;
6068 			}
6069 
6070 			config->tx_wdev = tx_netdev->ieee80211_ptr;
6071 			/* Caller should call dev_put(config->tx_wdev) from this point */
6072 
6073 			if (config->tx_wdev->valid_links) {
6074 				if (tx_link_id == -1 ||
6075 				    !(config->tx_wdev->valid_links & BIT(tx_link_id)))
6076 					return -ENOLINK;
6077 
6078 				config->tx_link_id = tx_link_id;
6079 			}
6080 		} else {
6081 			if (tx_link_id >= 0 && tx_link_id != link_id)
6082 				return -EINVAL;
6083 
6084 			config->tx_wdev = dev->ieee80211_ptr;
6085 		}
6086 	} else if (!config->index) {
6087 		if (tx_link_id >= 0 && tx_link_id != link_id)
6088 			return -EINVAL;
6089 
6090 		config->tx_wdev = dev->ieee80211_ptr;
6091 	} else {
6092 		return -EINVAL;
6093 	}
6094 
6095 	return 0;
6096 }
6097 
6098 static struct cfg80211_mbssid_elems *
6099 nl80211_parse_mbssid_elems(struct wiphy *wiphy, struct nlattr *attrs)
6100 {
6101 	struct nlattr *nl_elems;
6102 	struct cfg80211_mbssid_elems *elems;
6103 	int rem_elems;
6104 	u8 i = 0, num_elems = 0;
6105 
6106 	if (!wiphy->mbssid_max_interfaces)
6107 		return ERR_PTR(-EINVAL);
6108 
6109 	nla_for_each_nested(nl_elems, attrs, rem_elems) {
6110 		if (num_elems >= 255)
6111 			return ERR_PTR(-EINVAL);
6112 		num_elems++;
6113 	}
6114 
6115 	elems = kzalloc_flex(*elems, elem, num_elems);
6116 	if (!elems)
6117 		return ERR_PTR(-ENOMEM);
6118 	elems->cnt = num_elems;
6119 
6120 	nla_for_each_nested(nl_elems, attrs, rem_elems) {
6121 		elems->elem[i].data = nla_data(nl_elems);
6122 		elems->elem[i].len = nla_len(nl_elems);
6123 		i++;
6124 	}
6125 	return elems;
6126 }
6127 
6128 static struct cfg80211_rnr_elems *
6129 nl80211_parse_rnr_elems(struct wiphy *wiphy, struct nlattr *attrs,
6130 			struct netlink_ext_ack *extack)
6131 {
6132 	struct nlattr *nl_elems;
6133 	struct cfg80211_rnr_elems *elems;
6134 	int rem_elems;
6135 	u8 i = 0, num_elems = 0;
6136 
6137 	nla_for_each_nested(nl_elems, attrs, rem_elems) {
6138 		int ret;
6139 
6140 		ret = validate_ie_attr(nl_elems, extack);
6141 		if (ret)
6142 			return ERR_PTR(ret);
6143 
6144 		num_elems++;
6145 	}
6146 
6147 	elems = kzalloc_flex(*elems, elem, num_elems);
6148 	if (!elems)
6149 		return ERR_PTR(-ENOMEM);
6150 	elems->cnt = num_elems;
6151 
6152 	nla_for_each_nested(nl_elems, attrs, rem_elems) {
6153 		elems->elem[i].data = nla_data(nl_elems);
6154 		elems->elem[i].len = nla_len(nl_elems);
6155 		i++;
6156 	}
6157 	return elems;
6158 }
6159 
6160 static int nl80211_parse_he_bss_color(struct nlattr *attrs,
6161 				      struct cfg80211_he_bss_color *he_bss_color)
6162 {
6163 	struct nlattr *tb[NL80211_HE_BSS_COLOR_ATTR_MAX + 1];
6164 	int err;
6165 
6166 	err = nla_parse_nested(tb, NL80211_HE_BSS_COLOR_ATTR_MAX, attrs,
6167 			       he_bss_color_policy, NULL);
6168 	if (err)
6169 		return err;
6170 
6171 	if (!tb[NL80211_HE_BSS_COLOR_ATTR_COLOR])
6172 		return -EINVAL;
6173 
6174 	he_bss_color->color =
6175 		nla_get_u8(tb[NL80211_HE_BSS_COLOR_ATTR_COLOR]);
6176 	he_bss_color->enabled =
6177 		!nla_get_flag(tb[NL80211_HE_BSS_COLOR_ATTR_DISABLED]);
6178 	he_bss_color->partial =
6179 		nla_get_flag(tb[NL80211_HE_BSS_COLOR_ATTR_PARTIAL]);
6180 
6181 	return 0;
6182 }
6183 
6184 static int nl80211_parse_beacon(struct cfg80211_registered_device *rdev,
6185 				struct nlattr *attrs[],
6186 				struct cfg80211_beacon_data *bcn,
6187 				struct netlink_ext_ack *extack)
6188 {
6189 	bool haveinfo = false;
6190 	int err;
6191 
6192 	memset(bcn, 0, sizeof(*bcn));
6193 
6194 	bcn->link_id = nl80211_link_id(attrs);
6195 
6196 	if (attrs[NL80211_ATTR_BEACON_HEAD]) {
6197 		bcn->head = nla_data(attrs[NL80211_ATTR_BEACON_HEAD]);
6198 		bcn->head_len = nla_len(attrs[NL80211_ATTR_BEACON_HEAD]);
6199 		if (!bcn->head_len)
6200 			return -EINVAL;
6201 		haveinfo = true;
6202 	}
6203 
6204 	if (attrs[NL80211_ATTR_BEACON_TAIL]) {
6205 		bcn->tail = nla_data(attrs[NL80211_ATTR_BEACON_TAIL]);
6206 		bcn->tail_len = nla_len(attrs[NL80211_ATTR_BEACON_TAIL]);
6207 		haveinfo = true;
6208 	}
6209 
6210 	if (!haveinfo)
6211 		return -EINVAL;
6212 
6213 	if (attrs[NL80211_ATTR_IE]) {
6214 		bcn->beacon_ies = nla_data(attrs[NL80211_ATTR_IE]);
6215 		bcn->beacon_ies_len = nla_len(attrs[NL80211_ATTR_IE]);
6216 	}
6217 
6218 	if (attrs[NL80211_ATTR_IE_PROBE_RESP]) {
6219 		bcn->proberesp_ies =
6220 			nla_data(attrs[NL80211_ATTR_IE_PROBE_RESP]);
6221 		bcn->proberesp_ies_len =
6222 			nla_len(attrs[NL80211_ATTR_IE_PROBE_RESP]);
6223 	}
6224 
6225 	if (attrs[NL80211_ATTR_IE_ASSOC_RESP]) {
6226 		bcn->assocresp_ies =
6227 			nla_data(attrs[NL80211_ATTR_IE_ASSOC_RESP]);
6228 		bcn->assocresp_ies_len =
6229 			nla_len(attrs[NL80211_ATTR_IE_ASSOC_RESP]);
6230 	}
6231 
6232 	if (attrs[NL80211_ATTR_PROBE_RESP]) {
6233 		bcn->probe_resp = nla_data(attrs[NL80211_ATTR_PROBE_RESP]);
6234 		bcn->probe_resp_len = nla_len(attrs[NL80211_ATTR_PROBE_RESP]);
6235 	}
6236 
6237 	if (attrs[NL80211_ATTR_FTM_RESPONDER]) {
6238 		struct nlattr *tb[NL80211_FTM_RESP_ATTR_MAX + 1];
6239 
6240 		err = nla_parse_nested_deprecated(tb,
6241 						  NL80211_FTM_RESP_ATTR_MAX,
6242 						  attrs[NL80211_ATTR_FTM_RESPONDER],
6243 						  NULL, NULL);
6244 		if (err)
6245 			return err;
6246 
6247 		if (tb[NL80211_FTM_RESP_ATTR_ENABLED] &&
6248 		    wiphy_ext_feature_isset(&rdev->wiphy,
6249 					    NL80211_EXT_FEATURE_ENABLE_FTM_RESPONDER))
6250 			bcn->ftm_responder = 1;
6251 		else
6252 			return -EOPNOTSUPP;
6253 
6254 		if (tb[NL80211_FTM_RESP_ATTR_LCI]) {
6255 			bcn->lci = nla_data(tb[NL80211_FTM_RESP_ATTR_LCI]);
6256 			bcn->lci_len = nla_len(tb[NL80211_FTM_RESP_ATTR_LCI]);
6257 		}
6258 
6259 		if (tb[NL80211_FTM_RESP_ATTR_CIVICLOC]) {
6260 			bcn->civicloc = nla_data(tb[NL80211_FTM_RESP_ATTR_CIVICLOC]);
6261 			bcn->civicloc_len = nla_len(tb[NL80211_FTM_RESP_ATTR_CIVICLOC]);
6262 		}
6263 	} else {
6264 		bcn->ftm_responder = -1;
6265 	}
6266 
6267 	if (attrs[NL80211_ATTR_HE_BSS_COLOR]) {
6268 		err = nl80211_parse_he_bss_color(attrs[NL80211_ATTR_HE_BSS_COLOR],
6269 						 &bcn->he_bss_color);
6270 		if (err)
6271 			return err;
6272 		bcn->he_bss_color_valid = true;
6273 	}
6274 
6275 	if (attrs[NL80211_ATTR_MBSSID_ELEMS]) {
6276 		struct cfg80211_mbssid_elems *mbssid =
6277 			nl80211_parse_mbssid_elems(&rdev->wiphy,
6278 						   attrs[NL80211_ATTR_MBSSID_ELEMS]);
6279 
6280 		if (IS_ERR(mbssid))
6281 			return PTR_ERR(mbssid);
6282 
6283 		bcn->mbssid_ies = mbssid;
6284 
6285 		if (bcn->mbssid_ies && attrs[NL80211_ATTR_EMA_RNR_ELEMS]) {
6286 			struct cfg80211_rnr_elems *rnr =
6287 				nl80211_parse_rnr_elems(&rdev->wiphy,
6288 							attrs[NL80211_ATTR_EMA_RNR_ELEMS],
6289 							extack);
6290 
6291 			if (IS_ERR(rnr))
6292 				return PTR_ERR(rnr);
6293 
6294 			if (rnr && rnr->cnt < bcn->mbssid_ies->cnt)
6295 				return -EINVAL;
6296 
6297 			bcn->rnr_ies = rnr;
6298 		}
6299 	}
6300 
6301 	return 0;
6302 }
6303 
6304 static int nl80211_parse_he_obss_pd(struct nlattr *attrs,
6305 				    struct ieee80211_he_obss_pd *he_obss_pd)
6306 {
6307 	struct nlattr *tb[NL80211_HE_OBSS_PD_ATTR_MAX + 1];
6308 	int err;
6309 
6310 	err = nla_parse_nested(tb, NL80211_HE_OBSS_PD_ATTR_MAX, attrs,
6311 			       he_obss_pd_policy, NULL);
6312 	if (err)
6313 		return err;
6314 
6315 	if (!tb[NL80211_HE_OBSS_PD_ATTR_SR_CTRL])
6316 		return -EINVAL;
6317 
6318 	he_obss_pd->sr_ctrl = nla_get_u8(tb[NL80211_HE_OBSS_PD_ATTR_SR_CTRL]);
6319 
6320 	if (tb[NL80211_HE_OBSS_PD_ATTR_MIN_OFFSET])
6321 		he_obss_pd->min_offset =
6322 			nla_get_u8(tb[NL80211_HE_OBSS_PD_ATTR_MIN_OFFSET]);
6323 	if (tb[NL80211_HE_OBSS_PD_ATTR_MAX_OFFSET])
6324 		he_obss_pd->max_offset =
6325 			nla_get_u8(tb[NL80211_HE_OBSS_PD_ATTR_MAX_OFFSET]);
6326 	if (tb[NL80211_HE_OBSS_PD_ATTR_NON_SRG_MAX_OFFSET])
6327 		he_obss_pd->non_srg_max_offset =
6328 			nla_get_u8(tb[NL80211_HE_OBSS_PD_ATTR_NON_SRG_MAX_OFFSET]);
6329 
6330 	if (he_obss_pd->min_offset > he_obss_pd->max_offset)
6331 		return -EINVAL;
6332 
6333 	if (tb[NL80211_HE_OBSS_PD_ATTR_BSS_COLOR_BITMAP])
6334 		memcpy(he_obss_pd->bss_color_bitmap,
6335 		       nla_data(tb[NL80211_HE_OBSS_PD_ATTR_BSS_COLOR_BITMAP]),
6336 		       sizeof(he_obss_pd->bss_color_bitmap));
6337 
6338 	if (tb[NL80211_HE_OBSS_PD_ATTR_PARTIAL_BSSID_BITMAP])
6339 		memcpy(he_obss_pd->partial_bssid_bitmap,
6340 		       nla_data(tb[NL80211_HE_OBSS_PD_ATTR_PARTIAL_BSSID_BITMAP]),
6341 		       sizeof(he_obss_pd->partial_bssid_bitmap));
6342 
6343 	he_obss_pd->enable = true;
6344 
6345 	return 0;
6346 }
6347 
6348 static int nl80211_parse_fils_discovery(struct cfg80211_registered_device *rdev,
6349 					struct nlattr *attrs,
6350 					struct cfg80211_fils_discovery *fd)
6351 {
6352 	struct nlattr *tb[NL80211_FILS_DISCOVERY_ATTR_MAX + 1];
6353 	int ret;
6354 
6355 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
6356 				     NL80211_EXT_FEATURE_FILS_DISCOVERY))
6357 		return -EINVAL;
6358 
6359 	ret = nla_parse_nested(tb, NL80211_FILS_DISCOVERY_ATTR_MAX, attrs,
6360 			       NULL, NULL);
6361 	if (ret)
6362 		return ret;
6363 
6364 	if (!tb[NL80211_FILS_DISCOVERY_ATTR_INT_MIN] &&
6365 	    !tb[NL80211_FILS_DISCOVERY_ATTR_INT_MAX] &&
6366 	    !tb[NL80211_FILS_DISCOVERY_ATTR_TMPL]) {
6367 		fd->update = true;
6368 		return 0;
6369 	}
6370 
6371 	if (!tb[NL80211_FILS_DISCOVERY_ATTR_INT_MIN] ||
6372 	    !tb[NL80211_FILS_DISCOVERY_ATTR_INT_MAX] ||
6373 	    !tb[NL80211_FILS_DISCOVERY_ATTR_TMPL])
6374 		return -EINVAL;
6375 
6376 	fd->tmpl_len = nla_len(tb[NL80211_FILS_DISCOVERY_ATTR_TMPL]);
6377 	fd->tmpl = nla_data(tb[NL80211_FILS_DISCOVERY_ATTR_TMPL]);
6378 	fd->min_interval = nla_get_u32(tb[NL80211_FILS_DISCOVERY_ATTR_INT_MIN]);
6379 	fd->max_interval = nla_get_u32(tb[NL80211_FILS_DISCOVERY_ATTR_INT_MAX]);
6380 	fd->update = true;
6381 	return 0;
6382 }
6383 
6384 static int
6385 nl80211_parse_unsol_bcast_probe_resp(struct cfg80211_registered_device *rdev,
6386 				     struct nlattr *attrs,
6387 				     struct cfg80211_unsol_bcast_probe_resp *presp)
6388 {
6389 	struct nlattr *tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_MAX + 1];
6390 	int ret;
6391 
6392 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
6393 				     NL80211_EXT_FEATURE_UNSOL_BCAST_PROBE_RESP))
6394 		return -EINVAL;
6395 
6396 	ret = nla_parse_nested(tb, NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_MAX,
6397 			       attrs, NULL, NULL);
6398 	if (ret)
6399 		return ret;
6400 
6401 	if (!tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_INT] &&
6402 	    !tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_TMPL]) {
6403 		presp->update = true;
6404 		return 0;
6405 	}
6406 
6407 	if (!tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_INT] ||
6408 	    !tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_TMPL])
6409 		return -EINVAL;
6410 
6411 	presp->tmpl = nla_data(tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_TMPL]);
6412 	presp->tmpl_len = nla_len(tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_TMPL]);
6413 	presp->interval = nla_get_u32(tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_INT]);
6414 	presp->update = true;
6415 	return 0;
6416 }
6417 
6418 static void nl80211_check_ap_rate_selectors(struct cfg80211_ap_settings *params,
6419 					    const struct element *rates)
6420 {
6421 	int i;
6422 
6423 	if (!rates)
6424 		return;
6425 
6426 	for (i = 0; i < rates->datalen; i++) {
6427 		if (rates->data[i] == BSS_MEMBERSHIP_SELECTOR_HT_PHY)
6428 			params->ht_required = true;
6429 		if (rates->data[i] == BSS_MEMBERSHIP_SELECTOR_VHT_PHY)
6430 			params->vht_required = true;
6431 		if (rates->data[i] == BSS_MEMBERSHIP_SELECTOR_HE_PHY)
6432 			params->he_required = true;
6433 		if (rates->data[i] == BSS_MEMBERSHIP_SELECTOR_SAE_H2E)
6434 			params->sae_h2e_required = true;
6435 	}
6436 }
6437 
6438 /*
6439  * Since the nl80211 API didn't include, from the beginning, attributes about
6440  * HT/VHT requirements/capabilities, we parse them out of the IEs for the
6441  * benefit of drivers that rebuild IEs in the firmware.
6442  */
6443 static int nl80211_calculate_ap_params(struct cfg80211_ap_settings *params)
6444 {
6445 	const struct cfg80211_beacon_data *bcn = &params->beacon;
6446 	size_t ies_len = bcn->tail_len;
6447 	const u8 *ies = bcn->tail;
6448 	const struct element *rates;
6449 	const struct element *cap;
6450 
6451 	rates = cfg80211_find_elem(WLAN_EID_SUPP_RATES, ies, ies_len);
6452 	nl80211_check_ap_rate_selectors(params, rates);
6453 
6454 	rates = cfg80211_find_elem(WLAN_EID_EXT_SUPP_RATES, ies, ies_len);
6455 	nl80211_check_ap_rate_selectors(params, rates);
6456 
6457 	cap = cfg80211_find_elem(WLAN_EID_HT_CAPABILITY, ies, ies_len);
6458 	if (cap && cap->datalen >= sizeof(*params->ht_cap))
6459 		params->ht_cap = (void *)cap->data;
6460 	cap = cfg80211_find_elem(WLAN_EID_VHT_CAPABILITY, ies, ies_len);
6461 	if (cap && cap->datalen >= sizeof(*params->vht_cap))
6462 		params->vht_cap = (void *)cap->data;
6463 	cap = cfg80211_find_ext_elem(WLAN_EID_EXT_HE_CAPABILITY, ies, ies_len);
6464 	if (cap && cap->datalen >= sizeof(*params->he_cap) + 1)
6465 		params->he_cap = (void *)(cap->data + 1);
6466 	cap = cfg80211_find_ext_elem(WLAN_EID_EXT_HE_OPERATION, ies, ies_len);
6467 	if (cap && cap->datalen >= sizeof(*params->he_oper) + 1)
6468 		params->he_oper = (void *)(cap->data + 1);
6469 	cap = cfg80211_find_ext_elem(WLAN_EID_EXT_EHT_CAPABILITY, ies, ies_len);
6470 	if (cap) {
6471 		if (!cap->datalen)
6472 			return -EINVAL;
6473 		params->eht_cap = (void *)(cap->data + 1);
6474 		if (!ieee80211_eht_capa_size_ok((const u8 *)params->he_cap,
6475 						(const u8 *)params->eht_cap,
6476 						cap->datalen - 1, true))
6477 			return -EINVAL;
6478 	}
6479 	cap = cfg80211_find_ext_elem(WLAN_EID_EXT_EHT_OPERATION, ies, ies_len);
6480 	if (cap) {
6481 		if (!cap->datalen)
6482 			return -EINVAL;
6483 		params->eht_oper = (void *)(cap->data + 1);
6484 		if (!ieee80211_eht_oper_size_ok((const u8 *)params->eht_oper,
6485 						cap->datalen - 1))
6486 			return -EINVAL;
6487 	}
6488 
6489 	cap = cfg80211_find_ext_elem(WLAN_EID_EXT_UHR_OPER, ies, ies_len);
6490 	if (cap) {
6491 		if (!cap->datalen)
6492 			return -EINVAL;
6493 		params->uhr_oper = (void *)(cap->data + 1);
6494 		if (!ieee80211_uhr_oper_size_ok((const u8 *)params->uhr_oper,
6495 						cap->datalen - 1, true))
6496 			return -EINVAL;
6497 	}
6498 
6499 	return 0;
6500 }
6501 
6502 static bool nl80211_get_ap_channel(struct cfg80211_registered_device *rdev,
6503 				   struct cfg80211_ap_settings *params)
6504 {
6505 	struct wireless_dev *wdev;
6506 
6507 	list_for_each_entry(wdev, &rdev->wiphy.wdev_list, list) {
6508 		if (wdev->iftype != NL80211_IFTYPE_AP &&
6509 		    wdev->iftype != NL80211_IFTYPE_P2P_GO)
6510 			continue;
6511 
6512 		if (!wdev->u.ap.preset_chandef.chan)
6513 			continue;
6514 
6515 		params->chandef = wdev->u.ap.preset_chandef;
6516 		return true;
6517 	}
6518 
6519 	return false;
6520 }
6521 
6522 static bool nl80211_valid_auth_type(struct cfg80211_registered_device *rdev,
6523 				    enum nl80211_auth_type auth_type,
6524 				    enum nl80211_commands cmd)
6525 {
6526 	if (auth_type > NL80211_AUTHTYPE_MAX)
6527 		return false;
6528 
6529 	switch (cmd) {
6530 	case NL80211_CMD_AUTHENTICATE:
6531 		if (!(rdev->wiphy.features & NL80211_FEATURE_SAE) &&
6532 		    auth_type == NL80211_AUTHTYPE_SAE)
6533 			return false;
6534 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
6535 					     NL80211_EXT_FEATURE_FILS_STA) &&
6536 		    (auth_type == NL80211_AUTHTYPE_FILS_SK ||
6537 		     auth_type == NL80211_AUTHTYPE_FILS_SK_PFS ||
6538 		     auth_type == NL80211_AUTHTYPE_FILS_PK))
6539 			return false;
6540 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
6541 					     NL80211_EXT_FEATURE_EPPKE) &&
6542 		    auth_type == NL80211_AUTHTYPE_EPPKE)
6543 			return false;
6544 		return true;
6545 	case NL80211_CMD_CONNECT:
6546 		if (!(rdev->wiphy.features & NL80211_FEATURE_SAE) &&
6547 		    !wiphy_ext_feature_isset(&rdev->wiphy,
6548 					     NL80211_EXT_FEATURE_SAE_OFFLOAD) &&
6549 		    auth_type == NL80211_AUTHTYPE_SAE)
6550 			return false;
6551 
6552 		/* FILS with SK PFS or PK not supported yet */
6553 		if (auth_type == NL80211_AUTHTYPE_FILS_SK_PFS ||
6554 		    auth_type == NL80211_AUTHTYPE_FILS_PK)
6555 			return false;
6556 		if (!wiphy_ext_feature_isset(
6557 			    &rdev->wiphy,
6558 			    NL80211_EXT_FEATURE_FILS_SK_OFFLOAD) &&
6559 		    auth_type == NL80211_AUTHTYPE_FILS_SK)
6560 			return false;
6561 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
6562 					     NL80211_EXT_FEATURE_EPPKE) &&
6563 		    auth_type == NL80211_AUTHTYPE_EPPKE)
6564 			return false;
6565 		return true;
6566 	case NL80211_CMD_START_AP:
6567 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
6568 					     NL80211_EXT_FEATURE_SAE_OFFLOAD_AP) &&
6569 		    auth_type == NL80211_AUTHTYPE_SAE)
6570 			return false;
6571 		/* FILS not supported yet */
6572 		if (auth_type == NL80211_AUTHTYPE_FILS_SK ||
6573 		    auth_type == NL80211_AUTHTYPE_FILS_SK_PFS ||
6574 		    auth_type == NL80211_AUTHTYPE_FILS_PK)
6575 			return false;
6576 		return true;
6577 	default:
6578 		return false;
6579 	}
6580 }
6581 
6582 static void nl80211_send_ap_started(struct wireless_dev *wdev,
6583 				    unsigned int link_id)
6584 {
6585 	struct wiphy *wiphy = wdev->wiphy;
6586 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
6587 	struct sk_buff *msg;
6588 	void *hdr;
6589 
6590 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
6591 	if (!msg)
6592 		return;
6593 
6594 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_START_AP);
6595 	if (!hdr)
6596 		goto out;
6597 
6598 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
6599 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, wdev->netdev->ifindex) ||
6600 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
6601 			      NL80211_ATTR_PAD) ||
6602 	    (wdev->u.ap.ssid_len &&
6603 	     nla_put(msg, NL80211_ATTR_SSID, wdev->u.ap.ssid_len,
6604 		     wdev->u.ap.ssid)) ||
6605 	    (wdev->valid_links &&
6606 	     nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID, link_id)))
6607 		goto out;
6608 
6609 	genlmsg_end(msg, hdr);
6610 
6611 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(wiphy), msg, 0,
6612 				NL80211_MCGRP_MLME, GFP_KERNEL);
6613 	return;
6614 out:
6615 	nlmsg_free(msg);
6616 }
6617 
6618 static int nl80211_validate_ap_phy_operation(struct cfg80211_ap_settings *params)
6619 {
6620 	struct ieee80211_channel *channel = params->chandef.chan;
6621 
6622 	if ((params->he_cap ||  params->he_oper) &&
6623 	    (channel->flags & IEEE80211_CHAN_NO_HE))
6624 		return -EOPNOTSUPP;
6625 
6626 	if ((params->eht_cap || params->eht_oper) &&
6627 	    (channel->flags & IEEE80211_CHAN_NO_EHT))
6628 		return -EOPNOTSUPP;
6629 
6630 	if (params->uhr_oper && (channel->flags & IEEE80211_CHAN_NO_UHR))
6631 		return -EOPNOTSUPP;
6632 
6633 	return 0;
6634 }
6635 
6636 static int
6637 nl80211_parse_s1g_short_beacon(struct cfg80211_registered_device *rdev,
6638 			       struct nlattr *attrs,
6639 			       struct cfg80211_s1g_short_beacon *sb)
6640 {
6641 	struct nlattr *tb[NL80211_S1G_SHORT_BEACON_ATTR_MAX + 1];
6642 	int ret;
6643 
6644 	if (!rdev->wiphy.bands[NL80211_BAND_S1GHZ])
6645 		return -EINVAL;
6646 
6647 	ret = nla_parse_nested(tb, NL80211_S1G_SHORT_BEACON_ATTR_MAX, attrs,
6648 			       NULL, NULL);
6649 	if (ret)
6650 		return ret;
6651 
6652 	/* Short beacon tail is optional (i.e might only include the TIM) */
6653 	if (!tb[NL80211_S1G_SHORT_BEACON_ATTR_HEAD])
6654 		return -EINVAL;
6655 
6656 	sb->short_head = nla_data(tb[NL80211_S1G_SHORT_BEACON_ATTR_HEAD]);
6657 	sb->short_head_len = nla_len(tb[NL80211_S1G_SHORT_BEACON_ATTR_HEAD]);
6658 	sb->short_tail_len = 0;
6659 
6660 	if (tb[NL80211_S1G_SHORT_BEACON_ATTR_TAIL]) {
6661 		sb->short_tail =
6662 			nla_data(tb[NL80211_S1G_SHORT_BEACON_ATTR_TAIL]);
6663 		sb->short_tail_len =
6664 			nla_len(tb[NL80211_S1G_SHORT_BEACON_ATTR_TAIL]);
6665 	}
6666 
6667 	sb->update = true;
6668 	return 0;
6669 }
6670 
6671 static int nl80211_start_ap(struct sk_buff *skb, struct genl_info *info)
6672 {
6673 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6674 	struct cfg80211_beaconing_check_config beacon_check = {};
6675 	unsigned int link_id = nl80211_link_id(info->attrs);
6676 	struct net_device *dev = info->user_ptr[1];
6677 	struct wireless_dev *wdev = dev->ieee80211_ptr;
6678 	struct cfg80211_ap_settings *params;
6679 	int err;
6680 
6681 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
6682 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
6683 		return -EOPNOTSUPP;
6684 
6685 	if (!rdev->ops->start_ap)
6686 		return -EOPNOTSUPP;
6687 
6688 	if (wdev->links[link_id].cac_started)
6689 		return -EBUSY;
6690 
6691 	if (wdev->links[link_id].ap.beacon_interval)
6692 		return -EALREADY;
6693 
6694 	/* these are required for START_AP */
6695 	if (!info->attrs[NL80211_ATTR_BEACON_INTERVAL] ||
6696 	    !info->attrs[NL80211_ATTR_DTIM_PERIOD] ||
6697 	    !info->attrs[NL80211_ATTR_BEACON_HEAD])
6698 		return -EINVAL;
6699 
6700 	if (info->attrs[NL80211_ATTR_SMPS_MODE] &&
6701 	    nla_get_u8(info->attrs[NL80211_ATTR_SMPS_MODE]) != NL80211_SMPS_OFF)
6702 		return -EOPNOTSUPP;
6703 
6704 	params = kzalloc_obj(*params);
6705 	if (!params)
6706 		return -ENOMEM;
6707 
6708 	err = nl80211_parse_beacon(rdev, info->attrs, &params->beacon,
6709 				   info->extack);
6710 	if (err)
6711 		goto out;
6712 
6713 	params->beacon_interval =
6714 		nla_get_u32(info->attrs[NL80211_ATTR_BEACON_INTERVAL]);
6715 	params->dtim_period =
6716 		nla_get_u32(info->attrs[NL80211_ATTR_DTIM_PERIOD]);
6717 
6718 	err = cfg80211_validate_beacon_int(rdev, dev->ieee80211_ptr->iftype,
6719 					   params->beacon_interval);
6720 	if (err)
6721 		goto out;
6722 
6723 	/*
6724 	 * In theory, some of these attributes should be required here
6725 	 * but since they were not used when the command was originally
6726 	 * added, keep them optional for old user space programs to let
6727 	 * them continue to work with drivers that do not need the
6728 	 * additional information -- drivers must check!
6729 	 */
6730 	if (info->attrs[NL80211_ATTR_SSID]) {
6731 		params->ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
6732 		params->ssid_len =
6733 			nla_len(info->attrs[NL80211_ATTR_SSID]);
6734 		if (params->ssid_len == 0) {
6735 			err = -EINVAL;
6736 			goto out;
6737 		}
6738 
6739 		if (wdev->u.ap.ssid_len &&
6740 		    (wdev->u.ap.ssid_len != params->ssid_len ||
6741 		     memcmp(wdev->u.ap.ssid, params->ssid, params->ssid_len))) {
6742 			/* require identical SSID for MLO */
6743 			err = -EINVAL;
6744 			goto out;
6745 		}
6746 	} else if (wdev->valid_links) {
6747 		/* require SSID for MLO */
6748 		err = -EINVAL;
6749 		goto out;
6750 	}
6751 
6752 	if (info->attrs[NL80211_ATTR_HIDDEN_SSID])
6753 		params->hidden_ssid = nla_get_u32(
6754 			info->attrs[NL80211_ATTR_HIDDEN_SSID]);
6755 
6756 	params->privacy = !!info->attrs[NL80211_ATTR_PRIVACY];
6757 
6758 	if (info->attrs[NL80211_ATTR_AUTH_TYPE]) {
6759 		params->auth_type = nla_get_u32(
6760 			info->attrs[NL80211_ATTR_AUTH_TYPE]);
6761 		if (!nl80211_valid_auth_type(rdev, params->auth_type,
6762 					     NL80211_CMD_START_AP)) {
6763 			err = -EINVAL;
6764 			goto out;
6765 		}
6766 	} else
6767 		params->auth_type = NL80211_AUTHTYPE_AUTOMATIC;
6768 
6769 	err = nl80211_crypto_settings(rdev, info, &params->crypto,
6770 				      NL80211_MAX_NR_CIPHER_SUITES);
6771 	if (err)
6772 		goto out;
6773 
6774 	if (info->attrs[NL80211_ATTR_INACTIVITY_TIMEOUT]) {
6775 		if (!(rdev->wiphy.features & NL80211_FEATURE_INACTIVITY_TIMER)) {
6776 			err = -EOPNOTSUPP;
6777 			goto out;
6778 		}
6779 		params->inactivity_timeout = nla_get_u16(
6780 			info->attrs[NL80211_ATTR_INACTIVITY_TIMEOUT]);
6781 	}
6782 
6783 	if (info->attrs[NL80211_ATTR_P2P_CTWINDOW]) {
6784 		if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO) {
6785 			err = -EINVAL;
6786 			goto out;
6787 		}
6788 		params->p2p_ctwindow =
6789 			nla_get_u8(info->attrs[NL80211_ATTR_P2P_CTWINDOW]);
6790 		if (params->p2p_ctwindow != 0 &&
6791 		    !(rdev->wiphy.features & NL80211_FEATURE_P2P_GO_CTWIN)) {
6792 			err = -EINVAL;
6793 			goto out;
6794 		}
6795 	}
6796 
6797 	if (info->attrs[NL80211_ATTR_P2P_OPPPS]) {
6798 		u8 tmp;
6799 
6800 		if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO) {
6801 			err = -EINVAL;
6802 			goto out;
6803 		}
6804 		tmp = nla_get_u8(info->attrs[NL80211_ATTR_P2P_OPPPS]);
6805 		params->p2p_opp_ps = tmp;
6806 		if (params->p2p_opp_ps != 0 &&
6807 		    !(rdev->wiphy.features & NL80211_FEATURE_P2P_GO_OPPPS)) {
6808 			err = -EINVAL;
6809 			goto out;
6810 		}
6811 	}
6812 
6813 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
6814 		err = nl80211_parse_chandef(rdev, info, &params->chandef);
6815 		if (err)
6816 			goto out;
6817 	} else if (wdev->valid_links) {
6818 		/* with MLD need to specify the channel configuration */
6819 		err = -EINVAL;
6820 		goto out;
6821 	} else if (wdev->u.ap.preset_chandef.chan) {
6822 		params->chandef = wdev->u.ap.preset_chandef;
6823 	} else if (!nl80211_get_ap_channel(rdev, params)) {
6824 		err = -EINVAL;
6825 		goto out;
6826 	}
6827 
6828 	beacon_check.iftype = wdev->iftype;
6829 	beacon_check.relax = true;
6830 	beacon_check.reg_power =
6831 		cfg80211_get_6ghz_power_type(params->beacon.tail,
6832 					     params->beacon.tail_len, 0);
6833 	if (!cfg80211_reg_check_beaconing(&rdev->wiphy, &params->chandef,
6834 					  &beacon_check)) {
6835 		err = -EINVAL;
6836 		goto out;
6837 	}
6838 
6839 	if (info->attrs[NL80211_ATTR_TX_RATES]) {
6840 		err = nl80211_parse_tx_bitrate_mask(info, info->attrs,
6841 						    NL80211_ATTR_TX_RATES,
6842 						    &params->beacon_rate,
6843 						    dev, false, link_id);
6844 		if (err)
6845 			goto out;
6846 
6847 		err = validate_beacon_tx_rate(rdev, params->chandef.chan->band,
6848 					      &params->beacon_rate);
6849 		if (err)
6850 			goto out;
6851 	}
6852 
6853 	params->pbss = nla_get_flag(info->attrs[NL80211_ATTR_PBSS]);
6854 	if (params->pbss && !rdev->wiphy.bands[NL80211_BAND_60GHZ]) {
6855 		err = -EOPNOTSUPP;
6856 		goto out;
6857 	}
6858 
6859 	if (info->attrs[NL80211_ATTR_ACL_POLICY]) {
6860 		params->acl = parse_acl_data(&rdev->wiphy, info);
6861 		if (IS_ERR(params->acl)) {
6862 			err = PTR_ERR(params->acl);
6863 			params->acl = NULL;
6864 			goto out;
6865 		}
6866 	}
6867 
6868 	params->twt_responder =
6869 		    nla_get_flag(info->attrs[NL80211_ATTR_TWT_RESPONDER]);
6870 
6871 	if (info->attrs[NL80211_ATTR_HE_OBSS_PD]) {
6872 		err = nl80211_parse_he_obss_pd(
6873 					info->attrs[NL80211_ATTR_HE_OBSS_PD],
6874 					&params->he_obss_pd);
6875 		if (err)
6876 			goto out;
6877 	}
6878 
6879 	if (info->attrs[NL80211_ATTR_FILS_DISCOVERY]) {
6880 		err = nl80211_parse_fils_discovery(rdev,
6881 						   info->attrs[NL80211_ATTR_FILS_DISCOVERY],
6882 						   &params->fils_discovery);
6883 		if (err)
6884 			goto out;
6885 	}
6886 
6887 	if (info->attrs[NL80211_ATTR_UNSOL_BCAST_PROBE_RESP]) {
6888 		err = nl80211_parse_unsol_bcast_probe_resp(
6889 			rdev, info->attrs[NL80211_ATTR_UNSOL_BCAST_PROBE_RESP],
6890 			&params->unsol_bcast_probe_resp);
6891 		if (err)
6892 			goto out;
6893 	}
6894 
6895 	if (info->attrs[NL80211_ATTR_MBSSID_CONFIG]) {
6896 		err = nl80211_parse_mbssid_config(&rdev->wiphy, dev, link_id,
6897 						  info->attrs[NL80211_ATTR_MBSSID_CONFIG],
6898 						  &params->mbssid_config,
6899 						  params->beacon.mbssid_ies ?
6900 							params->beacon.mbssid_ies->cnt :
6901 							0);
6902 		if (err)
6903 			goto out;
6904 	}
6905 
6906 	if (!params->mbssid_config.ema && params->beacon.rnr_ies) {
6907 		err = -EINVAL;
6908 		goto out;
6909 	}
6910 
6911 	if (info->attrs[NL80211_ATTR_S1G_SHORT_BEACON]) {
6912 		if (!info->attrs[NL80211_ATTR_S1G_LONG_BEACON_PERIOD]) {
6913 			err = -EINVAL;
6914 			goto out;
6915 		}
6916 
6917 		params->s1g_long_beacon_period = nla_get_u8(
6918 			info->attrs[NL80211_ATTR_S1G_LONG_BEACON_PERIOD]);
6919 
6920 		err = nl80211_parse_s1g_short_beacon(
6921 			rdev, info->attrs[NL80211_ATTR_S1G_SHORT_BEACON],
6922 			&params->s1g_short_beacon);
6923 		if (err)
6924 			goto out;
6925 	}
6926 
6927 	err = nl80211_calculate_ap_params(params);
6928 	if (err)
6929 		goto out;
6930 
6931 	err = nl80211_validate_ap_phy_operation(params);
6932 	if (err)
6933 		goto out;
6934 
6935 	if (info->attrs[NL80211_ATTR_AP_SETTINGS_FLAGS])
6936 		params->flags = nla_get_u32(
6937 			info->attrs[NL80211_ATTR_AP_SETTINGS_FLAGS]);
6938 	else if (info->attrs[NL80211_ATTR_EXTERNAL_AUTH_SUPPORT])
6939 		params->flags |= NL80211_AP_SETTINGS_EXTERNAL_AUTH_SUPPORT;
6940 
6941 	if (wdev->conn_owner_nlportid &&
6942 	    info->attrs[NL80211_ATTR_SOCKET_OWNER] &&
6943 	    wdev->conn_owner_nlportid != info->snd_portid) {
6944 		err = -EINVAL;
6945 		goto out;
6946 	}
6947 
6948 	/* FIXME: validate MLO/link-id against driver capabilities */
6949 
6950 	err = rdev_start_ap(rdev, dev, params);
6951 	if (!err) {
6952 		wdev->links[link_id].ap.beacon_interval = params->beacon_interval;
6953 		wdev->links[link_id].ap.chandef = params->chandef;
6954 		wdev->u.ap.ssid_len = params->ssid_len;
6955 		memcpy(wdev->u.ap.ssid, params->ssid,
6956 		       params->ssid_len);
6957 
6958 		if (info->attrs[NL80211_ATTR_SOCKET_OWNER])
6959 			wdev->conn_owner_nlportid = info->snd_portid;
6960 
6961 		nl80211_send_ap_started(wdev, link_id);
6962 	}
6963 out:
6964 	kfree(params->acl);
6965 	kfree(params->beacon.mbssid_ies);
6966 	if (params->mbssid_config.tx_wdev &&
6967 	    params->mbssid_config.tx_wdev->netdev &&
6968 	    params->mbssid_config.tx_wdev->netdev != dev)
6969 		dev_put(params->mbssid_config.tx_wdev->netdev);
6970 	kfree(params->beacon.rnr_ies);
6971 	kfree(params);
6972 
6973 	return err;
6974 }
6975 
6976 static int nl80211_set_beacon(struct sk_buff *skb, struct genl_info *info)
6977 {
6978 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6979 	struct cfg80211_beaconing_check_config beacon_check = {};
6980 	unsigned int link_id = nl80211_link_id(info->attrs);
6981 	struct net_device *dev = info->user_ptr[1];
6982 	struct wireless_dev *wdev = dev->ieee80211_ptr;
6983 	struct cfg80211_ap_update *params;
6984 	struct nlattr *attr;
6985 	int err;
6986 
6987 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
6988 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
6989 		return -EOPNOTSUPP;
6990 
6991 	if (!rdev->ops->change_beacon)
6992 		return -EOPNOTSUPP;
6993 
6994 	if (!wdev->links[link_id].ap.beacon_interval)
6995 		return -EINVAL;
6996 
6997 	params = kzalloc_obj(*params);
6998 	if (!params)
6999 		return -ENOMEM;
7000 
7001 	err = nl80211_parse_beacon(rdev, info->attrs, &params->beacon,
7002 				   info->extack);
7003 	if (err)
7004 		goto out;
7005 
7006 	/* recheck beaconing is permitted with possibly changed power type */
7007 	beacon_check.iftype = wdev->iftype;
7008 	beacon_check.relax = true;
7009 	beacon_check.reg_power =
7010 		cfg80211_get_6ghz_power_type(params->beacon.tail,
7011 					     params->beacon.tail_len, 0);
7012 	if (!cfg80211_reg_check_beaconing(&rdev->wiphy,
7013 					  &wdev->links[link_id].ap.chandef,
7014 					  &beacon_check)) {
7015 		err = -EINVAL;
7016 		goto out;
7017 	}
7018 
7019 	attr = info->attrs[NL80211_ATTR_FILS_DISCOVERY];
7020 	if (attr) {
7021 		err = nl80211_parse_fils_discovery(rdev, attr,
7022 						   &params->fils_discovery);
7023 		if (err)
7024 			goto out;
7025 	}
7026 
7027 	attr = info->attrs[NL80211_ATTR_UNSOL_BCAST_PROBE_RESP];
7028 	if (attr) {
7029 		err = nl80211_parse_unsol_bcast_probe_resp(rdev, attr,
7030 							   &params->unsol_bcast_probe_resp);
7031 		if (err)
7032 			goto out;
7033 	}
7034 
7035 	attr = info->attrs[NL80211_ATTR_S1G_SHORT_BEACON];
7036 	if (attr) {
7037 		err = nl80211_parse_s1g_short_beacon(rdev, attr,
7038 						     &params->s1g_short_beacon);
7039 		if (err)
7040 			goto out;
7041 	}
7042 
7043 	err = rdev_change_beacon(rdev, dev, params);
7044 
7045 out:
7046 	kfree(params->beacon.mbssid_ies);
7047 	kfree(params->beacon.rnr_ies);
7048 	kfree(params);
7049 	return err;
7050 }
7051 
7052 static int nl80211_stop_ap(struct sk_buff *skb, struct genl_info *info)
7053 {
7054 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7055 	unsigned int link_id = nl80211_link_id(info->attrs);
7056 	struct net_device *dev = info->user_ptr[1];
7057 
7058 	return cfg80211_stop_ap(rdev, dev, link_id, false);
7059 }
7060 
7061 static const struct nla_policy sta_flags_policy[NL80211_STA_FLAG_MAX + 1] = {
7062 	[NL80211_STA_FLAG_AUTHORIZED] = { .type = NLA_FLAG },
7063 	[NL80211_STA_FLAG_SHORT_PREAMBLE] = { .type = NLA_FLAG },
7064 	[NL80211_STA_FLAG_WME] = { .type = NLA_FLAG },
7065 	[NL80211_STA_FLAG_MFP] = { .type = NLA_FLAG },
7066 	[NL80211_STA_FLAG_AUTHENTICATED] = { .type = NLA_FLAG },
7067 	[NL80211_STA_FLAG_TDLS_PEER] = { .type = NLA_FLAG },
7068 };
7069 
7070 static int parse_station_flags(struct genl_info *info,
7071 			       enum nl80211_iftype iftype,
7072 			       struct station_parameters *params)
7073 {
7074 	struct nlattr *flags[NL80211_STA_FLAG_MAX + 1];
7075 	struct nlattr *nla;
7076 	int flag;
7077 
7078 	/*
7079 	 * Try parsing the new attribute first so userspace
7080 	 * can specify both for older kernels.
7081 	 */
7082 	nla = info->attrs[NL80211_ATTR_STA_FLAGS2];
7083 	if (nla) {
7084 		struct nl80211_sta_flag_update *sta_flags;
7085 
7086 		sta_flags = nla_data(nla);
7087 		params->sta_flags_mask = sta_flags->mask;
7088 		params->sta_flags_set = sta_flags->set;
7089 		params->sta_flags_set &= params->sta_flags_mask;
7090 		if ((params->sta_flags_mask |
7091 		     params->sta_flags_set) & BIT(__NL80211_STA_FLAG_INVALID))
7092 			return -EINVAL;
7093 		return 0;
7094 	}
7095 
7096 	/* if present, parse the old attribute */
7097 
7098 	nla = info->attrs[NL80211_ATTR_STA_FLAGS];
7099 	if (!nla)
7100 		return 0;
7101 
7102 	if (nla_parse_nested_deprecated(flags, NL80211_STA_FLAG_MAX, nla, sta_flags_policy, info->extack))
7103 		return -EINVAL;
7104 
7105 	/*
7106 	 * Only allow certain flags for interface types so that
7107 	 * other attributes are silently ignored. Remember that
7108 	 * this is backward compatibility code with old userspace
7109 	 * and shouldn't be hit in other cases anyway.
7110 	 */
7111 	switch (iftype) {
7112 	case NL80211_IFTYPE_AP:
7113 	case NL80211_IFTYPE_AP_VLAN:
7114 	case NL80211_IFTYPE_P2P_GO:
7115 		params->sta_flags_mask = BIT(NL80211_STA_FLAG_AUTHORIZED) |
7116 					 BIT(NL80211_STA_FLAG_SHORT_PREAMBLE) |
7117 					 BIT(NL80211_STA_FLAG_WME) |
7118 					 BIT(NL80211_STA_FLAG_MFP);
7119 		break;
7120 	case NL80211_IFTYPE_P2P_CLIENT:
7121 	case NL80211_IFTYPE_STATION:
7122 		params->sta_flags_mask = BIT(NL80211_STA_FLAG_AUTHORIZED) |
7123 					 BIT(NL80211_STA_FLAG_TDLS_PEER);
7124 		break;
7125 	case NL80211_IFTYPE_MESH_POINT:
7126 		params->sta_flags_mask = BIT(NL80211_STA_FLAG_AUTHENTICATED) |
7127 					 BIT(NL80211_STA_FLAG_MFP) |
7128 					 BIT(NL80211_STA_FLAG_AUTHORIZED);
7129 		break;
7130 	default:
7131 		return -EINVAL;
7132 	}
7133 
7134 	for (flag = 1; flag <= NL80211_STA_FLAG_MAX; flag++) {
7135 		if (flags[flag]) {
7136 			params->sta_flags_set |= (1<<flag);
7137 
7138 			/* no longer support new API additions in old API */
7139 			if (flag > NL80211_STA_FLAG_MAX_OLD_API)
7140 				return -EINVAL;
7141 		}
7142 	}
7143 
7144 	return 0;
7145 }
7146 
7147 bool nl80211_put_sta_rate(struct sk_buff *msg, struct rate_info *info, int attr)
7148 {
7149 	struct nlattr *rate;
7150 	u32 bitrate;
7151 	u16 bitrate_compat;
7152 	enum nl80211_rate_info rate_flg;
7153 
7154 	rate = nla_nest_start_noflag(msg, attr);
7155 	if (!rate)
7156 		return false;
7157 
7158 	/* cfg80211_calculate_bitrate will return 0 for mcs >= 32 */
7159 	bitrate = cfg80211_calculate_bitrate(info);
7160 	/* report 16-bit bitrate only if we can */
7161 	bitrate_compat = bitrate < (1UL << 16) ? bitrate : 0;
7162 	if (bitrate > 0 &&
7163 	    nla_put_u32(msg, NL80211_RATE_INFO_BITRATE32, bitrate))
7164 		return false;
7165 	if (bitrate_compat > 0 &&
7166 	    nla_put_u16(msg, NL80211_RATE_INFO_BITRATE, bitrate_compat))
7167 		return false;
7168 
7169 	switch (info->bw) {
7170 	case RATE_INFO_BW_1:
7171 		rate_flg = NL80211_RATE_INFO_1_MHZ_WIDTH;
7172 		break;
7173 	case RATE_INFO_BW_2:
7174 		rate_flg = NL80211_RATE_INFO_2_MHZ_WIDTH;
7175 		break;
7176 	case RATE_INFO_BW_4:
7177 		rate_flg = NL80211_RATE_INFO_4_MHZ_WIDTH;
7178 		break;
7179 	case RATE_INFO_BW_5:
7180 		rate_flg = NL80211_RATE_INFO_5_MHZ_WIDTH;
7181 		break;
7182 	case RATE_INFO_BW_8:
7183 		rate_flg = NL80211_RATE_INFO_8_MHZ_WIDTH;
7184 		break;
7185 	case RATE_INFO_BW_10:
7186 		rate_flg = NL80211_RATE_INFO_10_MHZ_WIDTH;
7187 		break;
7188 	case RATE_INFO_BW_16:
7189 		rate_flg = NL80211_RATE_INFO_16_MHZ_WIDTH;
7190 		break;
7191 	default:
7192 		WARN_ON(1);
7193 		fallthrough;
7194 	case RATE_INFO_BW_20:
7195 		rate_flg = 0;
7196 		break;
7197 	case RATE_INFO_BW_40:
7198 		rate_flg = NL80211_RATE_INFO_40_MHZ_WIDTH;
7199 		break;
7200 	case RATE_INFO_BW_80:
7201 		rate_flg = NL80211_RATE_INFO_80_MHZ_WIDTH;
7202 		break;
7203 	case RATE_INFO_BW_160:
7204 		rate_flg = NL80211_RATE_INFO_160_MHZ_WIDTH;
7205 		break;
7206 	case RATE_INFO_BW_HE_RU:
7207 		rate_flg = 0;
7208 		WARN_ON(!(info->flags & RATE_INFO_FLAGS_HE_MCS));
7209 		break;
7210 	case RATE_INFO_BW_320:
7211 		rate_flg = NL80211_RATE_INFO_320_MHZ_WIDTH;
7212 		break;
7213 	case RATE_INFO_BW_EHT_RU:
7214 		rate_flg = 0;
7215 		WARN_ON(!(info->flags & RATE_INFO_FLAGS_EHT_MCS) &&
7216 			!(info->flags & RATE_INFO_FLAGS_UHR_MCS));
7217 		break;
7218 	}
7219 
7220 	if (rate_flg && nla_put_flag(msg, rate_flg))
7221 		return false;
7222 
7223 	if (info->flags & RATE_INFO_FLAGS_MCS) {
7224 		if (nla_put_u8(msg, NL80211_RATE_INFO_MCS, info->mcs))
7225 			return false;
7226 		if (info->flags & RATE_INFO_FLAGS_SHORT_GI &&
7227 		    nla_put_flag(msg, NL80211_RATE_INFO_SHORT_GI))
7228 			return false;
7229 	} else if (info->flags & RATE_INFO_FLAGS_VHT_MCS) {
7230 		if (nla_put_u8(msg, NL80211_RATE_INFO_VHT_MCS, info->mcs))
7231 			return false;
7232 		if (nla_put_u8(msg, NL80211_RATE_INFO_VHT_NSS, info->nss))
7233 			return false;
7234 		if (info->flags & RATE_INFO_FLAGS_SHORT_GI &&
7235 		    nla_put_flag(msg, NL80211_RATE_INFO_SHORT_GI))
7236 			return false;
7237 	} else if (info->flags & RATE_INFO_FLAGS_HE_MCS) {
7238 		if (nla_put_u8(msg, NL80211_RATE_INFO_HE_MCS, info->mcs))
7239 			return false;
7240 		if (nla_put_u8(msg, NL80211_RATE_INFO_HE_NSS, info->nss))
7241 			return false;
7242 		if (nla_put_u8(msg, NL80211_RATE_INFO_HE_GI, info->he_gi))
7243 			return false;
7244 		if (nla_put_u8(msg, NL80211_RATE_INFO_HE_DCM, info->he_dcm))
7245 			return false;
7246 		if (info->bw == RATE_INFO_BW_HE_RU &&
7247 		    nla_put_u8(msg, NL80211_RATE_INFO_HE_RU_ALLOC,
7248 			       info->he_ru_alloc))
7249 			return false;
7250 	} else if (info->flags & RATE_INFO_FLAGS_S1G_MCS) {
7251 		if (nla_put_u8(msg, NL80211_RATE_INFO_S1G_MCS, info->mcs))
7252 			return false;
7253 		if (nla_put_u8(msg, NL80211_RATE_INFO_S1G_NSS, info->nss))
7254 			return false;
7255 		if (info->flags & RATE_INFO_FLAGS_SHORT_GI &&
7256 		    nla_put_flag(msg, NL80211_RATE_INFO_SHORT_GI))
7257 			return false;
7258 	} else if (info->flags & RATE_INFO_FLAGS_EHT_MCS) {
7259 		if (nla_put_u8(msg, NL80211_RATE_INFO_EHT_MCS, info->mcs))
7260 			return false;
7261 		if (nla_put_u8(msg, NL80211_RATE_INFO_EHT_NSS, info->nss))
7262 			return false;
7263 		if (nla_put_u8(msg, NL80211_RATE_INFO_EHT_GI, info->eht_gi))
7264 			return false;
7265 		if (info->bw == RATE_INFO_BW_EHT_RU &&
7266 		    nla_put_u8(msg, NL80211_RATE_INFO_EHT_RU_ALLOC,
7267 			       info->eht_ru_alloc))
7268 			return false;
7269 	} else if (info->flags & RATE_INFO_FLAGS_UHR_MCS) {
7270 		if (nla_put_u8(msg, NL80211_RATE_INFO_UHR_MCS, info->mcs))
7271 			return false;
7272 		if (nla_put_u8(msg, NL80211_RATE_INFO_EHT_NSS, info->nss))
7273 			return false;
7274 		if (nla_put_u8(msg, NL80211_RATE_INFO_EHT_GI, info->eht_gi))
7275 			return false;
7276 		if (info->bw == RATE_INFO_BW_EHT_RU &&
7277 		    nla_put_u8(msg, NL80211_RATE_INFO_EHT_RU_ALLOC,
7278 			       info->eht_ru_alloc))
7279 			return false;
7280 		if (info->flags & RATE_INFO_FLAGS_UHR_ELR_MCS &&
7281 		    nla_put_flag(msg, NL80211_RATE_INFO_UHR_ELR))
7282 			return false;
7283 		if (info->flags & RATE_INFO_FLAGS_UHR_IM &&
7284 		    nla_put_flag(msg, NL80211_RATE_INFO_UHR_IM))
7285 			return false;
7286 	}
7287 
7288 	nla_nest_end(msg, rate);
7289 	return true;
7290 }
7291 
7292 static bool nl80211_put_signal(struct sk_buff *msg, u8 mask, s8 *signal,
7293 			       int id)
7294 {
7295 	void *attr;
7296 	int i = 0;
7297 
7298 	if (!mask)
7299 		return true;
7300 
7301 	attr = nla_nest_start_noflag(msg, id);
7302 	if (!attr)
7303 		return false;
7304 
7305 	for (i = 0; i < IEEE80211_MAX_CHAINS; i++) {
7306 		if (!(mask & BIT(i)))
7307 			continue;
7308 
7309 		if (nla_put_u8(msg, i, signal[i]))
7310 			return false;
7311 	}
7312 
7313 	nla_nest_end(msg, attr);
7314 
7315 	return true;
7316 }
7317 
7318 static int nl80211_fill_link_station(struct sk_buff *msg,
7319 				     struct cfg80211_registered_device *rdev,
7320 				     struct link_station_info *link_sinfo)
7321 {
7322 	struct nlattr *bss_param, *link_sinfoattr;
7323 
7324 #define PUT_LINK_SINFO(attr, memb, type) do {				\
7325 	BUILD_BUG_ON(sizeof(type) == sizeof(u64));			\
7326 	if (link_sinfo->filled & BIT_ULL(NL80211_STA_INFO_ ## attr) &&	\
7327 	    nla_put_ ## type(msg, NL80211_STA_INFO_ ## attr,		\
7328 			     link_sinfo->memb))				\
7329 		goto nla_put_failure;					\
7330 	} while (0)
7331 #define PUT_LINK_SINFO_U64(attr, memb) do {				\
7332 	if (link_sinfo->filled & BIT_ULL(NL80211_STA_INFO_ ## attr) &&	\
7333 	    nla_put_u64_64bit(msg, NL80211_STA_INFO_ ## attr,		\
7334 			      link_sinfo->memb, NL80211_STA_INFO_PAD))	\
7335 		goto nla_put_failure;					\
7336 	} while (0)
7337 
7338 	link_sinfoattr = nla_nest_start_noflag(msg, NL80211_ATTR_STA_INFO);
7339 	if (!link_sinfoattr)
7340 		goto nla_put_failure;
7341 
7342 	PUT_LINK_SINFO(INACTIVE_TIME, inactive_time, u32);
7343 
7344 	if (link_sinfo->filled & (BIT_ULL(NL80211_STA_INFO_RX_BYTES) |
7345 			     BIT_ULL(NL80211_STA_INFO_RX_BYTES64)) &&
7346 	    nla_put_u32(msg, NL80211_STA_INFO_RX_BYTES,
7347 			(u32)link_sinfo->rx_bytes))
7348 		goto nla_put_failure;
7349 
7350 	if (link_sinfo->filled & (BIT_ULL(NL80211_STA_INFO_TX_BYTES) |
7351 			     BIT_ULL(NL80211_STA_INFO_TX_BYTES64)) &&
7352 	    nla_put_u32(msg, NL80211_STA_INFO_TX_BYTES,
7353 			(u32)link_sinfo->tx_bytes))
7354 		goto nla_put_failure;
7355 
7356 	PUT_LINK_SINFO_U64(RX_BYTES64, rx_bytes);
7357 	PUT_LINK_SINFO_U64(TX_BYTES64, tx_bytes);
7358 	PUT_LINK_SINFO_U64(RX_DURATION, rx_duration);
7359 	PUT_LINK_SINFO_U64(TX_DURATION, tx_duration);
7360 
7361 	if (wiphy_ext_feature_isset(&rdev->wiphy,
7362 				    NL80211_EXT_FEATURE_AIRTIME_FAIRNESS))
7363 		PUT_LINK_SINFO(AIRTIME_WEIGHT, airtime_weight, u16);
7364 
7365 	switch (rdev->wiphy.signal_type) {
7366 	case CFG80211_SIGNAL_TYPE_MBM:
7367 		PUT_LINK_SINFO(SIGNAL, signal, u8);
7368 		PUT_LINK_SINFO(SIGNAL_AVG, signal_avg, u8);
7369 		break;
7370 	default:
7371 		break;
7372 	}
7373 	if (link_sinfo->filled & BIT_ULL(NL80211_STA_INFO_CHAIN_SIGNAL)) {
7374 		if (!nl80211_put_signal(msg, link_sinfo->chains,
7375 					link_sinfo->chain_signal,
7376 					NL80211_STA_INFO_CHAIN_SIGNAL))
7377 			goto nla_put_failure;
7378 	}
7379 	if (link_sinfo->filled & BIT_ULL(NL80211_STA_INFO_CHAIN_SIGNAL_AVG)) {
7380 		if (!nl80211_put_signal(msg, link_sinfo->chains,
7381 					link_sinfo->chain_signal_avg,
7382 					NL80211_STA_INFO_CHAIN_SIGNAL_AVG))
7383 			goto nla_put_failure;
7384 	}
7385 	if (link_sinfo->filled & BIT_ULL(NL80211_STA_INFO_TX_BITRATE)) {
7386 		if (!nl80211_put_sta_rate(msg, &link_sinfo->txrate,
7387 					  NL80211_STA_INFO_TX_BITRATE))
7388 			goto nla_put_failure;
7389 	}
7390 	if (link_sinfo->filled & BIT_ULL(NL80211_STA_INFO_RX_BITRATE)) {
7391 		if (!nl80211_put_sta_rate(msg, &link_sinfo->rxrate,
7392 					  NL80211_STA_INFO_RX_BITRATE))
7393 			goto nla_put_failure;
7394 	}
7395 
7396 	PUT_LINK_SINFO(RX_PACKETS, rx_packets, u32);
7397 	PUT_LINK_SINFO(TX_PACKETS, tx_packets, u32);
7398 	PUT_LINK_SINFO(TX_RETRIES, tx_retries, u32);
7399 	PUT_LINK_SINFO(TX_FAILED, tx_failed, u32);
7400 	PUT_LINK_SINFO(EXPECTED_THROUGHPUT, expected_throughput, u32);
7401 	PUT_LINK_SINFO(BEACON_LOSS, beacon_loss_count, u32);
7402 
7403 	if (link_sinfo->filled & BIT_ULL(NL80211_STA_INFO_BSS_PARAM)) {
7404 		bss_param = nla_nest_start_noflag(msg,
7405 						  NL80211_STA_INFO_BSS_PARAM);
7406 		if (!bss_param)
7407 			goto nla_put_failure;
7408 
7409 		if (((link_sinfo->bss_param.flags &
7410 		      BSS_PARAM_FLAGS_CTS_PROT) &&
7411 		     nla_put_flag(msg, NL80211_STA_BSS_PARAM_CTS_PROT)) ||
7412 		    ((link_sinfo->bss_param.flags &
7413 		      BSS_PARAM_FLAGS_SHORT_PREAMBLE) &&
7414 		     nla_put_flag(msg,
7415 				  NL80211_STA_BSS_PARAM_SHORT_PREAMBLE)) ||
7416 		    ((link_sinfo->bss_param.flags &
7417 		      BSS_PARAM_FLAGS_SHORT_SLOT_TIME) &&
7418 		     nla_put_flag(msg,
7419 				  NL80211_STA_BSS_PARAM_SHORT_SLOT_TIME)) ||
7420 		    nla_put_u8(msg, NL80211_STA_BSS_PARAM_DTIM_PERIOD,
7421 			       link_sinfo->bss_param.dtim_period) ||
7422 		    nla_put_u16(msg, NL80211_STA_BSS_PARAM_BEACON_INTERVAL,
7423 				link_sinfo->bss_param.beacon_interval))
7424 			goto nla_put_failure;
7425 
7426 		nla_nest_end(msg, bss_param);
7427 	}
7428 
7429 	PUT_LINK_SINFO_U64(RX_DROP_MISC, rx_dropped_misc);
7430 	PUT_LINK_SINFO_U64(BEACON_RX, rx_beacon);
7431 	PUT_LINK_SINFO(BEACON_SIGNAL_AVG, rx_beacon_signal_avg, u8);
7432 	PUT_LINK_SINFO(RX_MPDUS, rx_mpdu_count, u32);
7433 	PUT_LINK_SINFO(FCS_ERROR_COUNT, fcs_err_count, u32);
7434 	if (wiphy_ext_feature_isset(&rdev->wiphy,
7435 				    NL80211_EXT_FEATURE_ACK_SIGNAL_SUPPORT)) {
7436 		PUT_LINK_SINFO(ACK_SIGNAL, ack_signal, u8);
7437 		PUT_LINK_SINFO(ACK_SIGNAL_AVG, avg_ack_signal, s8);
7438 	}
7439 
7440 #undef PUT_LINK_SINFO
7441 #undef PUT_LINK_SINFO_U64
7442 
7443 	if (link_sinfo->pertid) {
7444 		struct nlattr *tidsattr;
7445 		int tid;
7446 
7447 		tidsattr = nla_nest_start_noflag(msg,
7448 						 NL80211_STA_INFO_TID_STATS);
7449 		if (!tidsattr)
7450 			goto nla_put_failure;
7451 
7452 		for (tid = 0; tid < IEEE80211_NUM_TIDS + 1; tid++) {
7453 			struct cfg80211_tid_stats *tidstats;
7454 			struct nlattr *tidattr;
7455 
7456 			tidstats = &link_sinfo->pertid[tid];
7457 
7458 			if (!tidstats->filled)
7459 				continue;
7460 
7461 			tidattr = nla_nest_start_noflag(msg, tid + 1);
7462 			if (!tidattr)
7463 				goto nla_put_failure;
7464 
7465 #define PUT_TIDVAL_U64(attr, memb) do {					\
7466 	if (tidstats->filled & BIT(NL80211_TID_STATS_ ## attr) &&	\
7467 	    nla_put_u64_64bit(msg, NL80211_TID_STATS_ ## attr,		\
7468 			      tidstats->memb, NL80211_TID_STATS_PAD))	\
7469 		goto nla_put_failure;					\
7470 	} while (0)
7471 
7472 			PUT_TIDVAL_U64(RX_MSDU, rx_msdu);
7473 			PUT_TIDVAL_U64(TX_MSDU, tx_msdu);
7474 			PUT_TIDVAL_U64(TX_MSDU_RETRIES, tx_msdu_retries);
7475 			PUT_TIDVAL_U64(TX_MSDU_FAILED, tx_msdu_failed);
7476 
7477 #undef PUT_TIDVAL_U64
7478 			if ((tidstats->filled &
7479 			     BIT(NL80211_TID_STATS_TXQ_STATS)) &&
7480 			    !nl80211_put_txq_stats(msg, &tidstats->txq_stats,
7481 						   NL80211_TID_STATS_TXQ_STATS))
7482 				goto nla_put_failure;
7483 
7484 			nla_nest_end(msg, tidattr);
7485 		}
7486 
7487 		nla_nest_end(msg, tidsattr);
7488 	}
7489 
7490 	nla_nest_end(msg, link_sinfoattr);
7491 	return 0;
7492 
7493 nla_put_failure:
7494 	return -EMSGSIZE;
7495 }
7496 
7497 static int nl80211_send_station(struct sk_buff *msg, u32 cmd, u32 portid,
7498 				u32 seq, int flags,
7499 				struct cfg80211_registered_device *rdev,
7500 				struct net_device *dev,
7501 				const u8 *mac_addr, struct station_info *sinfo,
7502 				bool link_stats)
7503 {
7504 	void *hdr;
7505 	struct nlattr *sinfoattr, *bss_param;
7506 	struct link_station_info *link_sinfo;
7507 	struct nlattr *links, *link;
7508 	int link_id;
7509 
7510 	hdr = nl80211hdr_put(msg, portid, seq, flags, cmd);
7511 	if (!hdr) {
7512 		cfg80211_sinfo_release_content(sinfo);
7513 		return -1;
7514 	}
7515 
7516 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
7517 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac_addr) ||
7518 	    nla_put_u32(msg, NL80211_ATTR_GENERATION, sinfo->generation))
7519 		goto nla_put_failure;
7520 
7521 	sinfoattr = nla_nest_start_noflag(msg, NL80211_ATTR_STA_INFO);
7522 	if (!sinfoattr)
7523 		goto nla_put_failure;
7524 
7525 #define PUT_SINFO(attr, memb, type) do {				\
7526 	BUILD_BUG_ON(sizeof(type) == sizeof(u64));			\
7527 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_ ## attr) &&	\
7528 	    nla_put_ ## type(msg, NL80211_STA_INFO_ ## attr,		\
7529 			     sinfo->memb))				\
7530 		goto nla_put_failure;					\
7531 	} while (0)
7532 #define PUT_SINFO_U64(attr, memb) do {					\
7533 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_ ## attr) &&	\
7534 	    nla_put_u64_64bit(msg, NL80211_STA_INFO_ ## attr,		\
7535 			      sinfo->memb, NL80211_STA_INFO_PAD))	\
7536 		goto nla_put_failure;					\
7537 	} while (0)
7538 
7539 	PUT_SINFO(CONNECTED_TIME, connected_time, u32);
7540 	PUT_SINFO(INACTIVE_TIME, inactive_time, u32);
7541 	PUT_SINFO_U64(ASSOC_AT_BOOTTIME, assoc_at);
7542 
7543 	if (sinfo->filled & (BIT_ULL(NL80211_STA_INFO_RX_BYTES) |
7544 			     BIT_ULL(NL80211_STA_INFO_RX_BYTES64)) &&
7545 	    nla_put_u32(msg, NL80211_STA_INFO_RX_BYTES,
7546 			(u32)sinfo->rx_bytes))
7547 		goto nla_put_failure;
7548 
7549 	if (sinfo->filled & (BIT_ULL(NL80211_STA_INFO_TX_BYTES) |
7550 			     BIT_ULL(NL80211_STA_INFO_TX_BYTES64)) &&
7551 	    nla_put_u32(msg, NL80211_STA_INFO_TX_BYTES,
7552 			(u32)sinfo->tx_bytes))
7553 		goto nla_put_failure;
7554 
7555 	PUT_SINFO_U64(RX_BYTES64, rx_bytes);
7556 	PUT_SINFO_U64(TX_BYTES64, tx_bytes);
7557 	PUT_SINFO_U64(RX_DURATION, rx_duration);
7558 	PUT_SINFO_U64(TX_DURATION, tx_duration);
7559 
7560 	if (wiphy_ext_feature_isset(&rdev->wiphy,
7561 				    NL80211_EXT_FEATURE_AIRTIME_FAIRNESS))
7562 		PUT_SINFO(AIRTIME_WEIGHT, airtime_weight, u16);
7563 
7564 	switch (rdev->wiphy.signal_type) {
7565 	case CFG80211_SIGNAL_TYPE_MBM:
7566 		PUT_SINFO(SIGNAL, signal, u8);
7567 		PUT_SINFO(SIGNAL_AVG, signal_avg, u8);
7568 		break;
7569 	default:
7570 		break;
7571 	}
7572 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_CHAIN_SIGNAL)) {
7573 		if (!nl80211_put_signal(msg, sinfo->chains,
7574 					sinfo->chain_signal,
7575 					NL80211_STA_INFO_CHAIN_SIGNAL))
7576 			goto nla_put_failure;
7577 	}
7578 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_CHAIN_SIGNAL_AVG)) {
7579 		if (!nl80211_put_signal(msg, sinfo->chains,
7580 					sinfo->chain_signal_avg,
7581 					NL80211_STA_INFO_CHAIN_SIGNAL_AVG))
7582 			goto nla_put_failure;
7583 	}
7584 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_TX_BITRATE)) {
7585 		if (!nl80211_put_sta_rate(msg, &sinfo->txrate,
7586 					  NL80211_STA_INFO_TX_BITRATE))
7587 			goto nla_put_failure;
7588 	}
7589 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_RX_BITRATE)) {
7590 		if (!nl80211_put_sta_rate(msg, &sinfo->rxrate,
7591 					  NL80211_STA_INFO_RX_BITRATE))
7592 			goto nla_put_failure;
7593 	}
7594 
7595 	PUT_SINFO(RX_PACKETS, rx_packets, u32);
7596 	PUT_SINFO(TX_PACKETS, tx_packets, u32);
7597 	PUT_SINFO(TX_RETRIES, tx_retries, u32);
7598 	PUT_SINFO(TX_FAILED, tx_failed, u32);
7599 	PUT_SINFO(EXPECTED_THROUGHPUT, expected_throughput, u32);
7600 	PUT_SINFO(BEACON_LOSS, beacon_loss_count, u32);
7601 
7602 	PUT_SINFO(LLID, llid, u16);
7603 	PUT_SINFO(PLID, plid, u16);
7604 	PUT_SINFO(PLINK_STATE, plink_state, u8);
7605 	PUT_SINFO(AIRTIME_LINK_METRIC, airtime_link_metric, u32);
7606 	PUT_SINFO(LOCAL_PM, local_pm, u32);
7607 	PUT_SINFO(PEER_PM, peer_pm, u32);
7608 	PUT_SINFO(NONPEER_PM, nonpeer_pm, u32);
7609 	PUT_SINFO(CONNECTED_TO_GATE, connected_to_gate, u8);
7610 	PUT_SINFO(CONNECTED_TO_AS, connected_to_as, u8);
7611 	PUT_SINFO_U64(T_OFFSET, t_offset);
7612 
7613 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_BSS_PARAM)) {
7614 		bss_param = nla_nest_start_noflag(msg,
7615 						  NL80211_STA_INFO_BSS_PARAM);
7616 		if (!bss_param)
7617 			goto nla_put_failure;
7618 
7619 		if (((sinfo->bss_param.flags & BSS_PARAM_FLAGS_CTS_PROT) &&
7620 		     nla_put_flag(msg, NL80211_STA_BSS_PARAM_CTS_PROT)) ||
7621 		    ((sinfo->bss_param.flags & BSS_PARAM_FLAGS_SHORT_PREAMBLE) &&
7622 		     nla_put_flag(msg, NL80211_STA_BSS_PARAM_SHORT_PREAMBLE)) ||
7623 		    ((sinfo->bss_param.flags & BSS_PARAM_FLAGS_SHORT_SLOT_TIME) &&
7624 		     nla_put_flag(msg, NL80211_STA_BSS_PARAM_SHORT_SLOT_TIME)) ||
7625 		    nla_put_u8(msg, NL80211_STA_BSS_PARAM_DTIM_PERIOD,
7626 			       sinfo->bss_param.dtim_period) ||
7627 		    nla_put_u16(msg, NL80211_STA_BSS_PARAM_BEACON_INTERVAL,
7628 				sinfo->bss_param.beacon_interval))
7629 			goto nla_put_failure;
7630 
7631 		nla_nest_end(msg, bss_param);
7632 	}
7633 	if ((sinfo->filled & BIT_ULL(NL80211_STA_INFO_STA_FLAGS)) &&
7634 	    nla_put(msg, NL80211_STA_INFO_STA_FLAGS,
7635 		    sizeof(struct nl80211_sta_flag_update),
7636 		    &sinfo->sta_flags))
7637 		goto nla_put_failure;
7638 
7639 	PUT_SINFO_U64(RX_DROP_MISC, rx_dropped_misc);
7640 	PUT_SINFO_U64(BEACON_RX, rx_beacon);
7641 	PUT_SINFO(BEACON_SIGNAL_AVG, rx_beacon_signal_avg, u8);
7642 	PUT_SINFO(RX_MPDUS, rx_mpdu_count, u32);
7643 	PUT_SINFO(FCS_ERROR_COUNT, fcs_err_count, u32);
7644 	if (wiphy_ext_feature_isset(&rdev->wiphy,
7645 				    NL80211_EXT_FEATURE_ACK_SIGNAL_SUPPORT)) {
7646 		PUT_SINFO(ACK_SIGNAL, ack_signal, u8);
7647 		PUT_SINFO(ACK_SIGNAL_AVG, avg_ack_signal, s8);
7648 	}
7649 
7650 #undef PUT_SINFO
7651 #undef PUT_SINFO_U64
7652 
7653 	if (sinfo->pertid) {
7654 		struct nlattr *tidsattr;
7655 		int tid;
7656 
7657 		tidsattr = nla_nest_start_noflag(msg,
7658 						 NL80211_STA_INFO_TID_STATS);
7659 		if (!tidsattr)
7660 			goto nla_put_failure;
7661 
7662 		for (tid = 0; tid < IEEE80211_NUM_TIDS + 1; tid++) {
7663 			struct cfg80211_tid_stats *tidstats;
7664 			struct nlattr *tidattr;
7665 
7666 			tidstats = &sinfo->pertid[tid];
7667 
7668 			if (!tidstats->filled)
7669 				continue;
7670 
7671 			tidattr = nla_nest_start_noflag(msg, tid + 1);
7672 			if (!tidattr)
7673 				goto nla_put_failure;
7674 
7675 #define PUT_TIDVAL_U64(attr, memb) do {					\
7676 	if (tidstats->filled & BIT(NL80211_TID_STATS_ ## attr) &&	\
7677 	    nla_put_u64_64bit(msg, NL80211_TID_STATS_ ## attr,		\
7678 			      tidstats->memb, NL80211_TID_STATS_PAD))	\
7679 		goto nla_put_failure;					\
7680 	} while (0)
7681 
7682 			PUT_TIDVAL_U64(RX_MSDU, rx_msdu);
7683 			PUT_TIDVAL_U64(TX_MSDU, tx_msdu);
7684 			PUT_TIDVAL_U64(TX_MSDU_RETRIES, tx_msdu_retries);
7685 			PUT_TIDVAL_U64(TX_MSDU_FAILED, tx_msdu_failed);
7686 
7687 #undef PUT_TIDVAL_U64
7688 			if ((tidstats->filled &
7689 			     BIT(NL80211_TID_STATS_TXQ_STATS)) &&
7690 			    !nl80211_put_txq_stats(msg, &tidstats->txq_stats,
7691 						   NL80211_TID_STATS_TXQ_STATS))
7692 				goto nla_put_failure;
7693 
7694 			nla_nest_end(msg, tidattr);
7695 		}
7696 
7697 		nla_nest_end(msg, tidsattr);
7698 	}
7699 
7700 	nla_nest_end(msg, sinfoattr);
7701 
7702 	if (sinfo->assoc_req_ies_len &&
7703 	    nla_put(msg, NL80211_ATTR_IE, sinfo->assoc_req_ies_len,
7704 		    sinfo->assoc_req_ies))
7705 		goto nla_put_failure;
7706 
7707 	if (sinfo->assoc_resp_ies_len &&
7708 	    nla_put(msg, NL80211_ATTR_RESP_IE, sinfo->assoc_resp_ies_len,
7709 		    sinfo->assoc_resp_ies))
7710 		goto nla_put_failure;
7711 
7712 	if (sinfo->mlo_params_valid) {
7713 		if (nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID,
7714 			       sinfo->assoc_link_id))
7715 			goto nla_put_failure;
7716 
7717 		if (!is_zero_ether_addr(sinfo->mld_addr) &&
7718 		    nla_put(msg, NL80211_ATTR_MLD_ADDR, ETH_ALEN,
7719 			    sinfo->mld_addr))
7720 			goto nla_put_failure;
7721 	}
7722 
7723 	if (link_stats && sinfo->valid_links) {
7724 		links = nla_nest_start(msg, NL80211_ATTR_MLO_LINKS);
7725 		if (!links)
7726 			goto nla_put_failure;
7727 
7728 		for_each_valid_link(sinfo, link_id) {
7729 			link_sinfo = sinfo->links[link_id];
7730 
7731 			if (WARN_ON_ONCE(!link_sinfo))
7732 				continue;
7733 
7734 			if (!is_valid_ether_addr(link_sinfo->addr))
7735 				continue;
7736 
7737 			link = nla_nest_start(msg, link_id + 1);
7738 			if (!link)
7739 				goto nla_put_failure;
7740 
7741 			if (nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID,
7742 				       link_id))
7743 				goto nla_put_failure;
7744 
7745 			if (nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN,
7746 				    link_sinfo->addr))
7747 				goto nla_put_failure;
7748 
7749 			if (nl80211_fill_link_station(msg, rdev, link_sinfo))
7750 				goto nla_put_failure;
7751 
7752 			nla_nest_end(msg, link);
7753 		}
7754 		nla_nest_end(msg, links);
7755 	}
7756 
7757 	cfg80211_sinfo_release_content(sinfo);
7758 	genlmsg_end(msg, hdr);
7759 	return 0;
7760 
7761  nla_put_failure:
7762 	cfg80211_sinfo_release_content(sinfo);
7763 	genlmsg_cancel(msg, hdr);
7764 	return -EMSGSIZE;
7765 }
7766 
7767 static void cfg80211_sta_set_mld_sinfo(struct station_info *sinfo)
7768 {
7769 	struct link_station_info *link_sinfo;
7770 	int link_id, init = 0;
7771 	u32 link_inactive_time;
7772 
7773 	sinfo->signal = -99;
7774 
7775 	for_each_valid_link(sinfo, link_id) {
7776 		link_sinfo = sinfo->links[link_id];
7777 		if (!link_sinfo)
7778 			continue;
7779 
7780 		if ((link_sinfo->filled &
7781 		     BIT_ULL(NL80211_STA_INFO_TX_PACKETS))) {
7782 			sinfo->tx_packets += link_sinfo->tx_packets;
7783 			sinfo->filled |= BIT_ULL(NL80211_STA_INFO_TX_PACKETS);
7784 		}
7785 
7786 		if ((link_sinfo->filled &
7787 		     BIT_ULL(NL80211_STA_INFO_RX_PACKETS))) {
7788 			sinfo->rx_packets += link_sinfo->rx_packets;
7789 			sinfo->filled |= BIT_ULL(NL80211_STA_INFO_RX_PACKETS);
7790 		}
7791 
7792 		if (link_sinfo->filled &
7793 		    (BIT_ULL(NL80211_STA_INFO_TX_BYTES) |
7794 		     BIT_ULL(NL80211_STA_INFO_TX_BYTES64))) {
7795 			sinfo->tx_bytes += link_sinfo->tx_bytes;
7796 			sinfo->filled |= BIT_ULL(NL80211_STA_INFO_TX_BYTES);
7797 		}
7798 
7799 		if (link_sinfo->filled &
7800 		    (BIT_ULL(NL80211_STA_INFO_RX_BYTES) |
7801 		     BIT_ULL(NL80211_STA_INFO_TX_BYTES64))) {
7802 			sinfo->rx_bytes += link_sinfo->rx_bytes;
7803 			sinfo->filled |= BIT_ULL(NL80211_STA_INFO_RX_BYTES);
7804 		}
7805 
7806 		if (link_sinfo->filled &
7807 		    BIT_ULL(NL80211_STA_INFO_TX_RETRIES)) {
7808 			sinfo->tx_retries += link_sinfo->tx_retries;
7809 			sinfo->filled |= BIT_ULL(NL80211_STA_INFO_TX_RETRIES);
7810 		}
7811 
7812 		if (link_sinfo->filled & BIT_ULL(NL80211_STA_INFO_TX_FAILED)) {
7813 			sinfo->tx_failed += link_sinfo->tx_failed;
7814 			sinfo->filled |= BIT_ULL(NL80211_STA_INFO_TX_FAILED);
7815 		}
7816 
7817 		if (link_sinfo->filled &
7818 		    BIT_ULL(NL80211_STA_INFO_RX_DROP_MISC)) {
7819 			sinfo->rx_dropped_misc += link_sinfo->rx_dropped_misc;
7820 			sinfo->filled |=
7821 				BIT_ULL(NL80211_STA_INFO_RX_DROP_MISC);
7822 		}
7823 
7824 		if (link_sinfo->filled &
7825 		    BIT_ULL(NL80211_STA_INFO_BEACON_LOSS)) {
7826 			sinfo->beacon_loss_count +=
7827 				link_sinfo->beacon_loss_count;
7828 			sinfo->filled |= BIT_ULL(NL80211_STA_INFO_BEACON_LOSS);
7829 		}
7830 
7831 		if (link_sinfo->filled &
7832 		    BIT_ULL(NL80211_STA_INFO_EXPECTED_THROUGHPUT)) {
7833 			sinfo->expected_throughput +=
7834 				link_sinfo->expected_throughput;
7835 			sinfo->filled |=
7836 				BIT_ULL(NL80211_STA_INFO_EXPECTED_THROUGHPUT);
7837 		}
7838 
7839 		if (link_sinfo->filled & BIT_ULL(NL80211_STA_INFO_RX_MPDUS)) {
7840 			sinfo->rx_mpdu_count += link_sinfo->rx_mpdu_count;
7841 			sinfo->filled |= BIT_ULL(NL80211_STA_INFO_RX_MPDUS);
7842 		}
7843 
7844 		if (link_sinfo->filled &
7845 		    BIT_ULL(NL80211_STA_INFO_FCS_ERROR_COUNT)) {
7846 			sinfo->fcs_err_count += link_sinfo->fcs_err_count;
7847 			sinfo->filled |=
7848 				BIT_ULL(NL80211_STA_INFO_FCS_ERROR_COUNT);
7849 		}
7850 
7851 		if (link_sinfo->filled &
7852 		    BIT_ULL(NL80211_STA_INFO_BEACON_RX)) {
7853 			sinfo->rx_beacon += link_sinfo->rx_beacon;
7854 			sinfo->filled |= BIT_ULL(NL80211_STA_INFO_BEACON_RX);
7855 		}
7856 
7857 		/* Update MLO signal, signal_avg as best among links */
7858 		if ((link_sinfo->filled & BIT_ULL(NL80211_STA_INFO_SIGNAL)) &&
7859 		    link_sinfo->signal > sinfo->signal) {
7860 			sinfo->signal = link_sinfo->signal;
7861 			sinfo->filled |= BIT_ULL(NL80211_STA_INFO_SIGNAL);
7862 		}
7863 
7864 		if ((link_sinfo->filled &
7865 			BIT_ULL(NL80211_STA_INFO_SIGNAL_AVG)) &&
7866 		    link_sinfo->signal_avg > sinfo->signal_avg) {
7867 			sinfo->signal_avg = link_sinfo->signal_avg;
7868 			sinfo->filled |= BIT_ULL(NL80211_STA_INFO_SIGNAL_AVG);
7869 		}
7870 
7871 		/* Update MLO inactive_time, bss_param based on least
7872 		 * value for corresponding field of link.
7873 		 */
7874 		if ((link_sinfo->filled &
7875 		     BIT_ULL(NL80211_STA_INFO_INACTIVE_TIME)) &&
7876 		    (!init ||
7877 		     link_inactive_time > link_sinfo->inactive_time)) {
7878 			link_inactive_time = link_sinfo->inactive_time;
7879 			sinfo->inactive_time = link_sinfo->inactive_time;
7880 			sinfo->filled |= NL80211_STA_INFO_INACTIVE_TIME;
7881 		}
7882 
7883 		if (link_sinfo->filled & BIT_ULL(NL80211_STA_INFO_BSS_PARAM) &&
7884 		    (!init ||
7885 		     sinfo->bss_param.dtim_period >
7886 		      link_sinfo->bss_param.dtim_period)) {
7887 			sinfo->bss_param.dtim_period =
7888 				link_sinfo->bss_param.dtim_period;
7889 			sinfo->filled |= NL80211_STA_BSS_PARAM_DTIM_PERIOD;
7890 			sinfo->bss_param.beacon_interval =
7891 				link_sinfo->bss_param.beacon_interval;
7892 			sinfo->filled |= NL80211_STA_BSS_PARAM_BEACON_INTERVAL;
7893 		}
7894 
7895 		/* Update MLO rates as per last updated link rate */
7896 		if ((link_sinfo->filled &
7897 		     BIT_ULL(NL80211_STA_INFO_TX_BITRATE)) &&
7898 		    (!init ||
7899 		     link_inactive_time > link_sinfo->inactive_time)) {
7900 			sinfo->txrate = link_sinfo->txrate;
7901 			sinfo->filled |= BIT_ULL(NL80211_STA_INFO_TX_BITRATE);
7902 		}
7903 		if ((link_sinfo->filled &
7904 		     BIT_ULL(NL80211_STA_INFO_RX_BITRATE)) &&
7905 		    (!init ||
7906 		     link_inactive_time > link_sinfo->inactive_time)) {
7907 			sinfo->rxrate = link_sinfo->rxrate;
7908 			sinfo->filled |= BIT_ULL(NL80211_STA_INFO_RX_BITRATE);
7909 		}
7910 
7911 		if (link_sinfo->filled &
7912 		    BIT_ULL(NL80211_STA_INFO_TX_DURATION) &&
7913 		    (!init ||
7914 		     link_inactive_time > link_sinfo->inactive_time)) {
7915 			sinfo->tx_duration += link_sinfo->tx_duration;
7916 			sinfo->filled |=
7917 				BIT_ULL(NL80211_STA_INFO_TX_DURATION);
7918 		}
7919 		if (link_sinfo->filled &
7920 		    BIT_ULL(NL80211_STA_INFO_RX_DURATION) &&
7921 		    (!init ||
7922 		     link_inactive_time > link_sinfo->inactive_time)) {
7923 			sinfo->rx_duration += link_sinfo->rx_duration;
7924 			sinfo->filled |=
7925 				BIT_ULL(NL80211_STA_INFO_RX_DURATION);
7926 		}
7927 		init++;
7928 
7929 		/* pertid stats accumulate for rx/tx fields */
7930 		if (sinfo->pertid) {
7931 			sinfo->pertid->rx_msdu +=
7932 				link_sinfo->pertid->rx_msdu;
7933 			sinfo->pertid->tx_msdu +=
7934 				link_sinfo->pertid->tx_msdu;
7935 			sinfo->pertid->tx_msdu_retries +=
7936 				link_sinfo->pertid->tx_msdu_retries;
7937 			sinfo->pertid->tx_msdu_failed +=
7938 				link_sinfo->pertid->tx_msdu_failed;
7939 
7940 			sinfo->pertid->filled |=
7941 				BIT(NL80211_TID_STATS_RX_MSDU) |
7942 				BIT(NL80211_TID_STATS_TX_MSDU) |
7943 				BIT(NL80211_TID_STATS_TX_MSDU_RETRIES) |
7944 				BIT(NL80211_TID_STATS_TX_MSDU_FAILED);
7945 		}
7946 	}
7947 
7948 	/* Reset sinfo->filled bits to exclude fields which don't make
7949 	 * much sense at the MLO level.
7950 	 */
7951 	sinfo->filled &= ~BIT_ULL(NL80211_STA_INFO_CHAIN_SIGNAL);
7952 	sinfo->filled &= ~BIT_ULL(NL80211_STA_INFO_CHAIN_SIGNAL_AVG);
7953 }
7954 
7955 static int nl80211_dump_station(struct sk_buff *skb,
7956 				struct netlink_callback *cb)
7957 {
7958 	struct station_info sinfo;
7959 	struct cfg80211_registered_device *rdev;
7960 	struct wireless_dev *wdev;
7961 	u8 mac_addr[ETH_ALEN];
7962 	int sta_idx = cb->args[2];
7963 	bool sinfo_alloc = false;
7964 	int err, i;
7965 
7966 	err = nl80211_prepare_wdev_dump(cb, &rdev, &wdev, NULL);
7967 	if (err)
7968 		return err;
7969 	/* nl80211_prepare_wdev_dump acquired it in the successful case */
7970 	__acquire(&rdev->wiphy.mtx);
7971 
7972 	if (!wdev->netdev) {
7973 		err = -EINVAL;
7974 		goto out_err;
7975 	}
7976 
7977 	if (!rdev->ops->dump_station) {
7978 		err = -EOPNOTSUPP;
7979 		goto out_err;
7980 	}
7981 
7982 	while (1) {
7983 		memset(&sinfo, 0, sizeof(sinfo));
7984 
7985 		for (i = 0; i < IEEE80211_MLD_MAX_NUM_LINKS; i++) {
7986 			sinfo.links[i] =
7987 				kzalloc_obj(*sinfo.links[0]);
7988 			if (!sinfo.links[i]) {
7989 				err = -ENOMEM;
7990 				goto out_err;
7991 			}
7992 			sinfo_alloc = true;
7993 		}
7994 
7995 		err = rdev_dump_station(rdev, wdev->netdev, sta_idx,
7996 					mac_addr, &sinfo);
7997 		if (err == -ENOENT)
7998 			break;
7999 		if (err)
8000 			goto out_err;
8001 
8002 		if (sinfo.valid_links)
8003 			cfg80211_sta_set_mld_sinfo(&sinfo);
8004 
8005 		/* reset the sinfo_alloc flag as nl80211_send_station()
8006 		 * always releases sinfo
8007 		 */
8008 		sinfo_alloc = false;
8009 
8010 		if (nl80211_send_station(skb, NL80211_CMD_NEW_STATION,
8011 				NETLINK_CB(cb->skb).portid,
8012 				cb->nlh->nlmsg_seq, NLM_F_MULTI,
8013 				rdev, wdev->netdev, mac_addr,
8014 				&sinfo, false) < 0)
8015 			goto out;
8016 
8017 		sta_idx++;
8018 	}
8019 
8020  out:
8021 	cb->args[2] = sta_idx;
8022 	err = skb->len;
8023  out_err:
8024 	if (sinfo_alloc)
8025 		cfg80211_sinfo_release_content(&sinfo);
8026 	wiphy_unlock(&rdev->wiphy);
8027 
8028 	return err;
8029 }
8030 
8031 static int nl80211_get_station(struct sk_buff *skb, struct genl_info *info)
8032 {
8033 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8034 	struct net_device *dev = info->user_ptr[1];
8035 	struct station_info sinfo;
8036 	struct sk_buff *msg;
8037 	u8 *mac_addr = NULL;
8038 	int err, i;
8039 
8040 	memset(&sinfo, 0, sizeof(sinfo));
8041 
8042 	if (!info->attrs[NL80211_ATTR_MAC])
8043 		return -EINVAL;
8044 
8045 	mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
8046 
8047 	if (!rdev->ops->get_station)
8048 		return -EOPNOTSUPP;
8049 
8050 	for (i = 0; i < IEEE80211_MLD_MAX_NUM_LINKS; i++) {
8051 		sinfo.links[i] = kzalloc_obj(*sinfo.links[0]);
8052 		if (!sinfo.links[i]) {
8053 			cfg80211_sinfo_release_content(&sinfo);
8054 			return -ENOMEM;
8055 		}
8056 	}
8057 
8058 	err = rdev_get_station(rdev, dev, mac_addr, &sinfo);
8059 	if (err) {
8060 		cfg80211_sinfo_release_content(&sinfo);
8061 		return err;
8062 	}
8063 
8064 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
8065 	if (!msg) {
8066 		cfg80211_sinfo_release_content(&sinfo);
8067 		return -ENOMEM;
8068 	}
8069 
8070 	if (sinfo.valid_links)
8071 		cfg80211_sta_set_mld_sinfo(&sinfo);
8072 
8073 	if (nl80211_send_station(msg, NL80211_CMD_NEW_STATION,
8074 				 info->snd_portid, info->snd_seq, 0,
8075 				 rdev, dev, mac_addr, &sinfo, false) < 0) {
8076 		nlmsg_free(msg);
8077 		return -ENOBUFS;
8078 	}
8079 
8080 	return genlmsg_reply(msg, info);
8081 }
8082 
8083 int cfg80211_check_station_change(struct wiphy *wiphy,
8084 				  struct station_parameters *params,
8085 				  enum cfg80211_station_type statype)
8086 {
8087 	if (params->listen_interval != -1 &&
8088 	    statype != CFG80211_STA_AP_CLIENT_UNASSOC)
8089 		return -EINVAL;
8090 
8091 	if (params->support_p2p_ps != -1 &&
8092 	    statype != CFG80211_STA_AP_CLIENT_UNASSOC)
8093 		return -EINVAL;
8094 
8095 	if (params->aid &&
8096 	    !(params->sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)) &&
8097 	    statype != CFG80211_STA_AP_CLIENT_UNASSOC)
8098 		return -EINVAL;
8099 
8100 	/* When you run into this, adjust the code below for the new flag */
8101 	BUILD_BUG_ON(NL80211_STA_FLAG_MAX != 8);
8102 
8103 	switch (statype) {
8104 	case CFG80211_STA_MESH_PEER_KERNEL:
8105 	case CFG80211_STA_MESH_PEER_USER:
8106 		/*
8107 		 * No ignoring the TDLS flag here -- the userspace mesh
8108 		 * code doesn't have the bug of including TDLS in the
8109 		 * mask everywhere.
8110 		 */
8111 		if (params->sta_flags_mask &
8112 				~(BIT(NL80211_STA_FLAG_AUTHENTICATED) |
8113 				  BIT(NL80211_STA_FLAG_MFP) |
8114 				  BIT(NL80211_STA_FLAG_AUTHORIZED)))
8115 			return -EINVAL;
8116 		break;
8117 	case CFG80211_STA_TDLS_PEER_SETUP:
8118 	case CFG80211_STA_TDLS_PEER_ACTIVE:
8119 		if (!(params->sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)))
8120 			return -EINVAL;
8121 		/* ignore since it can't change */
8122 		params->sta_flags_mask &= ~BIT(NL80211_STA_FLAG_TDLS_PEER);
8123 		break;
8124 	default:
8125 		/* disallow mesh-specific things */
8126 		if (params->plink_action != NL80211_PLINK_ACTION_NO_ACTION)
8127 			return -EINVAL;
8128 		if (params->local_pm)
8129 			return -EINVAL;
8130 		if (params->sta_modify_mask & STATION_PARAM_APPLY_PLINK_STATE)
8131 			return -EINVAL;
8132 	}
8133 
8134 	if (statype != CFG80211_STA_TDLS_PEER_SETUP &&
8135 	    statype != CFG80211_STA_TDLS_PEER_ACTIVE) {
8136 		/* TDLS can't be set, ... */
8137 		if (params->sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER))
8138 			return -EINVAL;
8139 		/*
8140 		 * ... but don't bother the driver with it. This works around
8141 		 * a hostapd/wpa_supplicant issue -- it always includes the
8142 		 * TLDS_PEER flag in the mask even for AP mode.
8143 		 */
8144 		params->sta_flags_mask &= ~BIT(NL80211_STA_FLAG_TDLS_PEER);
8145 	}
8146 
8147 	if (statype != CFG80211_STA_TDLS_PEER_SETUP &&
8148 	    statype != CFG80211_STA_AP_CLIENT_UNASSOC) {
8149 		/* reject other things that can't change */
8150 		if (params->sta_modify_mask & STATION_PARAM_APPLY_UAPSD)
8151 			return -EINVAL;
8152 		if (params->sta_modify_mask & STATION_PARAM_APPLY_CAPABILITY)
8153 			return -EINVAL;
8154 		if (params->link_sta_params.supported_rates)
8155 			return -EINVAL;
8156 		if (params->ext_capab || params->link_sta_params.ht_capa ||
8157 		    params->link_sta_params.vht_capa ||
8158 		    params->link_sta_params.he_capa ||
8159 		    params->link_sta_params.eht_capa ||
8160 		    params->link_sta_params.uhr_capa)
8161 			return -EINVAL;
8162 		if (params->sta_flags_mask & BIT(NL80211_STA_FLAG_SPP_AMSDU))
8163 			return -EINVAL;
8164 	}
8165 
8166 	if (statype != CFG80211_STA_AP_CLIENT &&
8167 	    statype != CFG80211_STA_AP_CLIENT_UNASSOC) {
8168 		if (params->vlan)
8169 			return -EINVAL;
8170 	}
8171 
8172 	/* Accept EMLSR capabilities only for AP client before association */
8173 	if (statype != CFG80211_STA_AP_CLIENT_UNASSOC &&
8174 	    params->eml_cap_present)
8175 		return -EINVAL;
8176 
8177 	switch (statype) {
8178 	case CFG80211_STA_AP_MLME_CLIENT:
8179 		/* Use this only for authorizing/unauthorizing a station */
8180 		if (!(params->sta_flags_mask & BIT(NL80211_STA_FLAG_AUTHORIZED)))
8181 			return -EOPNOTSUPP;
8182 		break;
8183 	case CFG80211_STA_AP_CLIENT:
8184 	case CFG80211_STA_AP_CLIENT_UNASSOC:
8185 		/* accept only the listed bits */
8186 		if (params->sta_flags_mask &
8187 				~(BIT(NL80211_STA_FLAG_AUTHORIZED) |
8188 				  BIT(NL80211_STA_FLAG_AUTHENTICATED) |
8189 				  BIT(NL80211_STA_FLAG_ASSOCIATED) |
8190 				  BIT(NL80211_STA_FLAG_SHORT_PREAMBLE) |
8191 				  BIT(NL80211_STA_FLAG_WME) |
8192 				  BIT(NL80211_STA_FLAG_MFP) |
8193 				  BIT(NL80211_STA_FLAG_SPP_AMSDU)))
8194 			return -EINVAL;
8195 
8196 		/* but authenticated/associated only if driver handles it */
8197 		if (!(wiphy->features & NL80211_FEATURE_FULL_AP_CLIENT_STATE) &&
8198 		    params->sta_flags_mask &
8199 				(BIT(NL80211_STA_FLAG_AUTHENTICATED) |
8200 				 BIT(NL80211_STA_FLAG_ASSOCIATED)))
8201 			return -EINVAL;
8202 		break;
8203 	case CFG80211_STA_IBSS:
8204 	case CFG80211_STA_AP_STA:
8205 		/* reject any changes other than AUTHORIZED */
8206 		if (params->sta_flags_mask & ~BIT(NL80211_STA_FLAG_AUTHORIZED))
8207 			return -EINVAL;
8208 		break;
8209 	case CFG80211_STA_TDLS_PEER_SETUP:
8210 		/* reject any changes other than AUTHORIZED or WME */
8211 		if (params->sta_flags_mask & ~(BIT(NL80211_STA_FLAG_AUTHORIZED) |
8212 					       BIT(NL80211_STA_FLAG_WME)))
8213 			return -EINVAL;
8214 		/* force (at least) rates when authorizing */
8215 		if (params->sta_flags_set & BIT(NL80211_STA_FLAG_AUTHORIZED) &&
8216 		    !params->link_sta_params.supported_rates)
8217 			return -EINVAL;
8218 		break;
8219 	case CFG80211_STA_TDLS_PEER_ACTIVE:
8220 		/* reject any changes */
8221 		return -EINVAL;
8222 	case CFG80211_STA_MESH_PEER_KERNEL:
8223 		if (params->sta_modify_mask & STATION_PARAM_APPLY_PLINK_STATE)
8224 			return -EINVAL;
8225 		break;
8226 	case CFG80211_STA_MESH_PEER_USER:
8227 		if (params->plink_action != NL80211_PLINK_ACTION_NO_ACTION &&
8228 		    params->plink_action != NL80211_PLINK_ACTION_BLOCK)
8229 			return -EINVAL;
8230 		break;
8231 	}
8232 
8233 	/*
8234 	 * Older kernel versions ignored this attribute entirely, so don't
8235 	 * reject attempts to update it but mark it as unused instead so the
8236 	 * driver won't look at the data.
8237 	 */
8238 	if (statype != CFG80211_STA_AP_CLIENT_UNASSOC &&
8239 	    statype != CFG80211_STA_TDLS_PEER_SETUP)
8240 		params->link_sta_params.opmode_notif_used = false;
8241 
8242 	return 0;
8243 }
8244 EXPORT_SYMBOL(cfg80211_check_station_change);
8245 
8246 /*
8247  * Get vlan interface making sure it is running and on the right wiphy.
8248  */
8249 static struct net_device *get_vlan(struct genl_info *info,
8250 				   struct cfg80211_registered_device *rdev)
8251 {
8252 	struct nlattr *vlanattr = info->attrs[NL80211_ATTR_STA_VLAN];
8253 	struct net_device *v;
8254 	int ret;
8255 
8256 	if (!vlanattr)
8257 		return NULL;
8258 
8259 	v = dev_get_by_index(genl_info_net(info), nla_get_u32(vlanattr));
8260 	if (!v)
8261 		return ERR_PTR(-ENODEV);
8262 
8263 	if (!v->ieee80211_ptr || v->ieee80211_ptr->wiphy != &rdev->wiphy) {
8264 		ret = -EINVAL;
8265 		goto error;
8266 	}
8267 
8268 	if (v->ieee80211_ptr->iftype != NL80211_IFTYPE_AP_VLAN &&
8269 	    v->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
8270 	    v->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO) {
8271 		ret = -EINVAL;
8272 		goto error;
8273 	}
8274 
8275 	if (!netif_running(v)) {
8276 		ret = -ENETDOWN;
8277 		goto error;
8278 	}
8279 
8280 	return v;
8281  error:
8282 	dev_put(v);
8283 	return ERR_PTR(ret);
8284 }
8285 
8286 static int nl80211_parse_sta_wme(struct genl_info *info,
8287 				 struct station_parameters *params)
8288 {
8289 	struct nlattr *tb[NL80211_STA_WME_MAX + 1];
8290 	struct nlattr *nla;
8291 	int err;
8292 
8293 	/* parse WME attributes if present */
8294 	if (!info->attrs[NL80211_ATTR_STA_WME])
8295 		return 0;
8296 
8297 	nla = info->attrs[NL80211_ATTR_STA_WME];
8298 	err = nla_parse_nested_deprecated(tb, NL80211_STA_WME_MAX, nla,
8299 					  nl80211_sta_wme_policy,
8300 					  info->extack);
8301 	if (err)
8302 		return err;
8303 
8304 	if (tb[NL80211_STA_WME_UAPSD_QUEUES])
8305 		params->uapsd_queues = nla_get_u8(
8306 			tb[NL80211_STA_WME_UAPSD_QUEUES]);
8307 	if (params->uapsd_queues & ~IEEE80211_WMM_IE_STA_QOSINFO_AC_MASK)
8308 		return -EINVAL;
8309 
8310 	if (tb[NL80211_STA_WME_MAX_SP])
8311 		params->max_sp = nla_get_u8(tb[NL80211_STA_WME_MAX_SP]);
8312 
8313 	if (params->max_sp & ~IEEE80211_WMM_IE_STA_QOSINFO_SP_MASK)
8314 		return -EINVAL;
8315 
8316 	params->sta_modify_mask |= STATION_PARAM_APPLY_UAPSD;
8317 
8318 	return 0;
8319 }
8320 
8321 static int nl80211_parse_sta_channel_info(struct genl_info *info,
8322 				      struct station_parameters *params)
8323 {
8324 	if (info->attrs[NL80211_ATTR_STA_SUPPORTED_CHANNELS]) {
8325 		params->supported_channels =
8326 		     nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_CHANNELS]);
8327 		params->supported_channels_len =
8328 		     nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_CHANNELS]);
8329 		/*
8330 		 * Need to include at least one (first channel, number of
8331 		 * channels) tuple for each subband (checked in policy),
8332 		 * and must have proper tuples for the rest of the data as well.
8333 		 */
8334 		if (params->supported_channels_len % 2)
8335 			return -EINVAL;
8336 	}
8337 
8338 	if (info->attrs[NL80211_ATTR_STA_SUPPORTED_OPER_CLASSES]) {
8339 		params->supported_oper_classes =
8340 		 nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_OPER_CLASSES]);
8341 		params->supported_oper_classes_len =
8342 		  nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_OPER_CLASSES]);
8343 	}
8344 	return 0;
8345 }
8346 
8347 static int nl80211_set_station_tdls(struct genl_info *info,
8348 				    struct station_parameters *params)
8349 {
8350 	int err;
8351 	/* Dummy STA entry gets updated once the peer capabilities are known */
8352 	if (info->attrs[NL80211_ATTR_PEER_AID])
8353 		params->aid = nla_get_u16(info->attrs[NL80211_ATTR_PEER_AID]);
8354 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY])
8355 		params->link_sta_params.ht_capa =
8356 			nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]);
8357 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY])
8358 		params->link_sta_params.vht_capa =
8359 			nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]);
8360 	if (info->attrs[NL80211_ATTR_HE_CAPABILITY]) {
8361 		params->link_sta_params.he_capa =
8362 			nla_data(info->attrs[NL80211_ATTR_HE_CAPABILITY]);
8363 		params->link_sta_params.he_capa_len =
8364 			nla_len(info->attrs[NL80211_ATTR_HE_CAPABILITY]);
8365 
8366 		if (info->attrs[NL80211_ATTR_EHT_CAPABILITY]) {
8367 			params->link_sta_params.eht_capa =
8368 				nla_data(info->attrs[NL80211_ATTR_EHT_CAPABILITY]);
8369 			params->link_sta_params.eht_capa_len =
8370 				nla_len(info->attrs[NL80211_ATTR_EHT_CAPABILITY]);
8371 
8372 			if (!ieee80211_eht_capa_size_ok((const u8 *)params->link_sta_params.he_capa,
8373 							(const u8 *)params->link_sta_params.eht_capa,
8374 							params->link_sta_params.eht_capa_len,
8375 							false))
8376 				return -EINVAL;
8377 		}
8378 	}
8379 
8380 	if (info->attrs[NL80211_ATTR_UHR_CAPABILITY]) {
8381 		if (!params->link_sta_params.eht_capa)
8382 			return -EINVAL;
8383 
8384 		params->link_sta_params.uhr_capa =
8385 			nla_data(info->attrs[NL80211_ATTR_UHR_CAPABILITY]);
8386 		params->link_sta_params.uhr_capa_len =
8387 			nla_len(info->attrs[NL80211_ATTR_UHR_CAPABILITY]);
8388 	}
8389 
8390 	if (info->attrs[NL80211_ATTR_S1G_CAPABILITY])
8391 		params->link_sta_params.s1g_capa =
8392 			nla_data(info->attrs[NL80211_ATTR_S1G_CAPABILITY]);
8393 
8394 	err = nl80211_parse_sta_channel_info(info, params);
8395 	if (err)
8396 		return err;
8397 
8398 	return nl80211_parse_sta_wme(info, params);
8399 }
8400 
8401 static int nl80211_parse_sta_txpower_setting(struct genl_info *info,
8402 					     struct sta_txpwr *txpwr,
8403 					     bool *txpwr_set)
8404 {
8405 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8406 	int idx;
8407 
8408 	if (info->attrs[NL80211_ATTR_STA_TX_POWER_SETTING]) {
8409 		if (!rdev->ops->set_tx_power ||
8410 		    !wiphy_ext_feature_isset(&rdev->wiphy,
8411 					 NL80211_EXT_FEATURE_STA_TX_PWR))
8412 			return -EOPNOTSUPP;
8413 
8414 		idx = NL80211_ATTR_STA_TX_POWER_SETTING;
8415 		txpwr->type = nla_get_u8(info->attrs[idx]);
8416 
8417 		if (txpwr->type == NL80211_TX_POWER_LIMITED) {
8418 			idx = NL80211_ATTR_STA_TX_POWER;
8419 
8420 			if (info->attrs[idx])
8421 				txpwr->power = nla_get_s16(info->attrs[idx]);
8422 			else
8423 				return -EINVAL;
8424 		}
8425 
8426 		*txpwr_set = true;
8427 	} else {
8428 		*txpwr_set = false;
8429 	}
8430 
8431 	return 0;
8432 }
8433 
8434 static int nl80211_set_station(struct sk_buff *skb, struct genl_info *info)
8435 {
8436 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8437 	struct net_device *dev = info->user_ptr[1];
8438 	struct station_parameters params;
8439 	u8 *mac_addr;
8440 	int err;
8441 
8442 	memset(&params, 0, sizeof(params));
8443 
8444 	if (!rdev->ops->change_station)
8445 		return -EOPNOTSUPP;
8446 
8447 	/*
8448 	 * AID and listen_interval properties can be set only for unassociated
8449 	 * station. Include these parameters here and will check them in
8450 	 * cfg80211_check_station_change().
8451 	 */
8452 	if (info->attrs[NL80211_ATTR_STA_AID])
8453 		params.aid = nla_get_u16(info->attrs[NL80211_ATTR_STA_AID]);
8454 
8455 	if (info->attrs[NL80211_ATTR_VLAN_ID])
8456 		params.vlan_id = nla_get_u16(info->attrs[NL80211_ATTR_VLAN_ID]);
8457 
8458 	if (info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL])
8459 		params.listen_interval =
8460 		     nla_get_u16(info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL]);
8461 	else
8462 		params.listen_interval = -1;
8463 
8464 	if (info->attrs[NL80211_ATTR_STA_SUPPORT_P2P_PS])
8465 		params.support_p2p_ps =
8466 			nla_get_u8(info->attrs[NL80211_ATTR_STA_SUPPORT_P2P_PS]);
8467 	else
8468 		params.support_p2p_ps = -1;
8469 
8470 	if (!info->attrs[NL80211_ATTR_MAC])
8471 		return -EINVAL;
8472 
8473 	params.link_sta_params.link_id =
8474 		nl80211_link_id_or_invalid(info->attrs);
8475 
8476 	if (info->attrs[NL80211_ATTR_MLD_ADDR]) {
8477 		/* If MLD_ADDR attribute is set then this is an MLD station
8478 		 * and the MLD_ADDR attribute holds the MLD address and the
8479 		 * MAC attribute holds for the LINK address.
8480 		 * In that case, the link_id is also expected to be valid.
8481 		 */
8482 		if (params.link_sta_params.link_id < 0)
8483 			return -EINVAL;
8484 
8485 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MLD_ADDR]);
8486 		params.link_sta_params.mld_mac = mac_addr;
8487 		params.link_sta_params.link_mac =
8488 			nla_data(info->attrs[NL80211_ATTR_MAC]);
8489 		if (!is_valid_ether_addr(params.link_sta_params.link_mac))
8490 			return -EINVAL;
8491 	} else {
8492 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
8493 	}
8494 
8495 
8496 	if (info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]) {
8497 		params.link_sta_params.supported_rates =
8498 			nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
8499 		params.link_sta_params.supported_rates_len =
8500 			nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
8501 	}
8502 
8503 	if (info->attrs[NL80211_ATTR_STA_CAPABILITY]) {
8504 		params.capability =
8505 			nla_get_u16(info->attrs[NL80211_ATTR_STA_CAPABILITY]);
8506 		params.sta_modify_mask |= STATION_PARAM_APPLY_CAPABILITY;
8507 	}
8508 
8509 	if (info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]) {
8510 		params.ext_capab =
8511 			nla_data(info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]);
8512 		params.ext_capab_len =
8513 			nla_len(info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]);
8514 	}
8515 
8516 	if (parse_station_flags(info, dev->ieee80211_ptr->iftype, &params))
8517 		return -EINVAL;
8518 
8519 	if (info->attrs[NL80211_ATTR_STA_PLINK_ACTION])
8520 		params.plink_action =
8521 			nla_get_u8(info->attrs[NL80211_ATTR_STA_PLINK_ACTION]);
8522 
8523 	if (info->attrs[NL80211_ATTR_STA_PLINK_STATE]) {
8524 		params.plink_state =
8525 			nla_get_u8(info->attrs[NL80211_ATTR_STA_PLINK_STATE]);
8526 		if (info->attrs[NL80211_ATTR_MESH_PEER_AID])
8527 			params.peer_aid = nla_get_u16(
8528 				info->attrs[NL80211_ATTR_MESH_PEER_AID]);
8529 		params.sta_modify_mask |= STATION_PARAM_APPLY_PLINK_STATE;
8530 	}
8531 
8532 	if (info->attrs[NL80211_ATTR_LOCAL_MESH_POWER_MODE])
8533 		params.local_pm = nla_get_u32(
8534 			info->attrs[NL80211_ATTR_LOCAL_MESH_POWER_MODE]);
8535 
8536 	if (info->attrs[NL80211_ATTR_OPMODE_NOTIF]) {
8537 		params.link_sta_params.opmode_notif_used = true;
8538 		params.link_sta_params.opmode_notif =
8539 			nla_get_u8(info->attrs[NL80211_ATTR_OPMODE_NOTIF]);
8540 	}
8541 
8542 	if (info->attrs[NL80211_ATTR_HE_6GHZ_CAPABILITY])
8543 		params.link_sta_params.he_6ghz_capa =
8544 			nla_data(info->attrs[NL80211_ATTR_HE_6GHZ_CAPABILITY]);
8545 
8546 	if (info->attrs[NL80211_ATTR_EML_CAPABILITY]) {
8547 		params.eml_cap_present = true;
8548 		params.eml_cap =
8549 			nla_get_u16(info->attrs[NL80211_ATTR_EML_CAPABILITY]);
8550 	}
8551 
8552 	if (info->attrs[NL80211_ATTR_AIRTIME_WEIGHT])
8553 		params.airtime_weight =
8554 			nla_get_u16(info->attrs[NL80211_ATTR_AIRTIME_WEIGHT]);
8555 
8556 	if (params.airtime_weight &&
8557 	    !wiphy_ext_feature_isset(&rdev->wiphy,
8558 				     NL80211_EXT_FEATURE_AIRTIME_FAIRNESS))
8559 		return -EOPNOTSUPP;
8560 
8561 	err = nl80211_parse_sta_txpower_setting(info,
8562 						&params.link_sta_params.txpwr,
8563 						&params.link_sta_params.txpwr_set);
8564 	if (err)
8565 		return err;
8566 
8567 	/* Include parameters for TDLS peer (will check later) */
8568 	err = nl80211_set_station_tdls(info, &params);
8569 	if (err)
8570 		return err;
8571 
8572 	params.vlan = get_vlan(info, rdev);
8573 	if (IS_ERR(params.vlan))
8574 		return PTR_ERR(params.vlan);
8575 
8576 	switch (dev->ieee80211_ptr->iftype) {
8577 	case NL80211_IFTYPE_AP:
8578 	case NL80211_IFTYPE_AP_VLAN:
8579 	case NL80211_IFTYPE_P2P_GO:
8580 	case NL80211_IFTYPE_P2P_CLIENT:
8581 	case NL80211_IFTYPE_STATION:
8582 	case NL80211_IFTYPE_ADHOC:
8583 	case NL80211_IFTYPE_MESH_POINT:
8584 		break;
8585 	default:
8586 		err = -EOPNOTSUPP;
8587 		goto out_put_vlan;
8588 	}
8589 
8590 	/* driver will call cfg80211_check_station_change() */
8591 	err = rdev_change_station(rdev, dev, mac_addr, &params);
8592 
8593  out_put_vlan:
8594 	dev_put(params.vlan);
8595 
8596 	return err;
8597 }
8598 
8599 static int nl80211_new_station(struct sk_buff *skb, struct genl_info *info)
8600 {
8601 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8602 	int err;
8603 	struct net_device *dev = info->user_ptr[1];
8604 	struct wireless_dev *wdev = dev->ieee80211_ptr;
8605 	struct station_parameters params;
8606 	u8 *mac_addr = NULL;
8607 	u32 auth_assoc = BIT(NL80211_STA_FLAG_AUTHENTICATED) |
8608 			 BIT(NL80211_STA_FLAG_ASSOCIATED);
8609 
8610 	memset(&params, 0, sizeof(params));
8611 
8612 	if (!rdev->ops->add_station)
8613 		return -EOPNOTSUPP;
8614 
8615 	if (!info->attrs[NL80211_ATTR_MAC])
8616 		return -EINVAL;
8617 
8618 	if (!info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL])
8619 		return -EINVAL;
8620 
8621 	if (!info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES])
8622 		return -EINVAL;
8623 
8624 	if (!info->attrs[NL80211_ATTR_STA_AID] &&
8625 	    !info->attrs[NL80211_ATTR_PEER_AID])
8626 		return -EINVAL;
8627 
8628 	params.link_sta_params.link_id =
8629 		nl80211_link_id_or_invalid(info->attrs);
8630 
8631 	if (info->attrs[NL80211_ATTR_MLD_ADDR]) {
8632 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MLD_ADDR]);
8633 		params.link_sta_params.mld_mac = mac_addr;
8634 		params.link_sta_params.link_mac =
8635 			nla_data(info->attrs[NL80211_ATTR_MAC]);
8636 		if (!is_valid_ether_addr(params.link_sta_params.link_mac))
8637 			return -EINVAL;
8638 	} else {
8639 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
8640 	}
8641 
8642 	params.link_sta_params.supported_rates =
8643 		nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
8644 	params.link_sta_params.supported_rates_len =
8645 		nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
8646 	params.listen_interval =
8647 		nla_get_u16(info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL]);
8648 
8649 	if (info->attrs[NL80211_ATTR_VLAN_ID])
8650 		params.vlan_id = nla_get_u16(info->attrs[NL80211_ATTR_VLAN_ID]);
8651 
8652 	if (info->attrs[NL80211_ATTR_STA_SUPPORT_P2P_PS]) {
8653 		params.support_p2p_ps =
8654 			nla_get_u8(info->attrs[NL80211_ATTR_STA_SUPPORT_P2P_PS]);
8655 	} else {
8656 		/*
8657 		 * if not specified, assume it's supported for P2P GO interface,
8658 		 * and is NOT supported for AP interface
8659 		 */
8660 		params.support_p2p_ps =
8661 			dev->ieee80211_ptr->iftype == NL80211_IFTYPE_P2P_GO;
8662 	}
8663 
8664 	if (info->attrs[NL80211_ATTR_PEER_AID])
8665 		params.aid = nla_get_u16(info->attrs[NL80211_ATTR_PEER_AID]);
8666 	else
8667 		params.aid = nla_get_u16(info->attrs[NL80211_ATTR_STA_AID]);
8668 
8669 	if (info->attrs[NL80211_ATTR_STA_CAPABILITY]) {
8670 		params.capability =
8671 			nla_get_u16(info->attrs[NL80211_ATTR_STA_CAPABILITY]);
8672 		params.sta_modify_mask |= STATION_PARAM_APPLY_CAPABILITY;
8673 	}
8674 
8675 	if (info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]) {
8676 		params.ext_capab =
8677 			nla_data(info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]);
8678 		params.ext_capab_len =
8679 			nla_len(info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]);
8680 	}
8681 
8682 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY])
8683 		params.link_sta_params.ht_capa =
8684 			nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]);
8685 
8686 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY])
8687 		params.link_sta_params.vht_capa =
8688 			nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]);
8689 
8690 	if (info->attrs[NL80211_ATTR_HE_CAPABILITY]) {
8691 		params.link_sta_params.he_capa =
8692 			nla_data(info->attrs[NL80211_ATTR_HE_CAPABILITY]);
8693 		params.link_sta_params.he_capa_len =
8694 			nla_len(info->attrs[NL80211_ATTR_HE_CAPABILITY]);
8695 
8696 		if (info->attrs[NL80211_ATTR_EHT_CAPABILITY]) {
8697 			params.link_sta_params.eht_capa =
8698 				nla_data(info->attrs[NL80211_ATTR_EHT_CAPABILITY]);
8699 			params.link_sta_params.eht_capa_len =
8700 				nla_len(info->attrs[NL80211_ATTR_EHT_CAPABILITY]);
8701 
8702 			if (!ieee80211_eht_capa_size_ok((const u8 *)params.link_sta_params.he_capa,
8703 							(const u8 *)params.link_sta_params.eht_capa,
8704 							params.link_sta_params.eht_capa_len,
8705 							false))
8706 				return -EINVAL;
8707 		}
8708 	}
8709 
8710 	if (info->attrs[NL80211_ATTR_UHR_CAPABILITY]) {
8711 		if (!params.link_sta_params.eht_capa)
8712 			return -EINVAL;
8713 
8714 		params.link_sta_params.uhr_capa =
8715 			nla_data(info->attrs[NL80211_ATTR_UHR_CAPABILITY]);
8716 		params.link_sta_params.uhr_capa_len =
8717 			nla_len(info->attrs[NL80211_ATTR_UHR_CAPABILITY]);
8718 	}
8719 
8720 	if (info->attrs[NL80211_ATTR_EML_CAPABILITY]) {
8721 		params.eml_cap_present = true;
8722 		params.eml_cap =
8723 			nla_get_u16(info->attrs[NL80211_ATTR_EML_CAPABILITY]);
8724 	}
8725 
8726 	if (info->attrs[NL80211_ATTR_HE_6GHZ_CAPABILITY])
8727 		params.link_sta_params.he_6ghz_capa =
8728 			nla_data(info->attrs[NL80211_ATTR_HE_6GHZ_CAPABILITY]);
8729 
8730 	if (info->attrs[NL80211_ATTR_S1G_CAPABILITY])
8731 		params.link_sta_params.s1g_capa =
8732 			nla_data(info->attrs[NL80211_ATTR_S1G_CAPABILITY]);
8733 
8734 	if (info->attrs[NL80211_ATTR_OPMODE_NOTIF]) {
8735 		params.link_sta_params.opmode_notif_used = true;
8736 		params.link_sta_params.opmode_notif =
8737 			nla_get_u8(info->attrs[NL80211_ATTR_OPMODE_NOTIF]);
8738 	}
8739 
8740 	if (info->attrs[NL80211_ATTR_STA_PLINK_ACTION])
8741 		params.plink_action =
8742 			nla_get_u8(info->attrs[NL80211_ATTR_STA_PLINK_ACTION]);
8743 
8744 	if (info->attrs[NL80211_ATTR_AIRTIME_WEIGHT])
8745 		params.airtime_weight =
8746 			nla_get_u16(info->attrs[NL80211_ATTR_AIRTIME_WEIGHT]);
8747 
8748 	if (params.airtime_weight &&
8749 	    !wiphy_ext_feature_isset(&rdev->wiphy,
8750 				     NL80211_EXT_FEATURE_AIRTIME_FAIRNESS))
8751 		return -EOPNOTSUPP;
8752 
8753 	err = nl80211_parse_sta_txpower_setting(info,
8754 						&params.link_sta_params.txpwr,
8755 						&params.link_sta_params.txpwr_set);
8756 	if (err)
8757 		return err;
8758 
8759 	err = nl80211_parse_sta_channel_info(info, &params);
8760 	if (err)
8761 		return err;
8762 
8763 	err = nl80211_parse_sta_wme(info, &params);
8764 	if (err)
8765 		return err;
8766 
8767 	if (parse_station_flags(info, dev->ieee80211_ptr->iftype, &params))
8768 		return -EINVAL;
8769 
8770 	/* HT/VHT requires QoS, but if we don't have that just ignore HT/VHT
8771 	 * as userspace might just pass through the capabilities from the IEs
8772 	 * directly, rather than enforcing this restriction and returning an
8773 	 * error in this case.
8774 	 */
8775 	if (!(params.sta_flags_set & BIT(NL80211_STA_FLAG_WME))) {
8776 		params.link_sta_params.ht_capa = NULL;
8777 		params.link_sta_params.vht_capa = NULL;
8778 
8779 		/* HE, EHT and UHR require WME */
8780 		if (params.link_sta_params.he_capa_len ||
8781 		    params.link_sta_params.he_6ghz_capa ||
8782 		    params.link_sta_params.eht_capa_len ||
8783 		    params.link_sta_params.uhr_capa_len)
8784 			return -EINVAL;
8785 	}
8786 
8787 	/* Ensure that HT/VHT capabilities are not set for 6 GHz HE STA */
8788 	if (params.link_sta_params.he_6ghz_capa &&
8789 	    (params.link_sta_params.ht_capa || params.link_sta_params.vht_capa))
8790 		return -EINVAL;
8791 
8792 	/* When you run into this, adjust the code below for the new flag */
8793 	BUILD_BUG_ON(NL80211_STA_FLAG_MAX != 8);
8794 
8795 	switch (dev->ieee80211_ptr->iftype) {
8796 	case NL80211_IFTYPE_AP:
8797 	case NL80211_IFTYPE_AP_VLAN:
8798 	case NL80211_IFTYPE_P2P_GO:
8799 		/* ignore WME attributes if iface/sta is not capable */
8800 		if (!(rdev->wiphy.flags & WIPHY_FLAG_AP_UAPSD) ||
8801 		    !(params.sta_flags_set & BIT(NL80211_STA_FLAG_WME)))
8802 			params.sta_modify_mask &= ~STATION_PARAM_APPLY_UAPSD;
8803 
8804 		/* TDLS peers cannot be added */
8805 		if ((params.sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)) ||
8806 		    info->attrs[NL80211_ATTR_PEER_AID])
8807 			return -EINVAL;
8808 		/* but don't bother the driver with it */
8809 		params.sta_flags_mask &= ~BIT(NL80211_STA_FLAG_TDLS_PEER);
8810 
8811 		/* allow authenticated/associated only if driver handles it */
8812 		if (!(rdev->wiphy.features &
8813 				NL80211_FEATURE_FULL_AP_CLIENT_STATE) &&
8814 		    params.sta_flags_mask & auth_assoc)
8815 			return -EINVAL;
8816 
8817 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
8818 					     NL80211_EXT_FEATURE_SPP_AMSDU_SUPPORT) &&
8819 		    params.sta_flags_mask & BIT(NL80211_STA_FLAG_SPP_AMSDU))
8820 			return -EINVAL;
8821 
8822 		/* Older userspace, or userspace wanting to be compatible with
8823 		 * !NL80211_FEATURE_FULL_AP_CLIENT_STATE, will not set the auth
8824 		 * and assoc flags in the mask, but assumes the station will be
8825 		 * added as associated anyway since this was the required driver
8826 		 * behaviour before NL80211_FEATURE_FULL_AP_CLIENT_STATE was
8827 		 * introduced.
8828 		 * In order to not bother drivers with this quirk in the API
8829 		 * set the flags in both the mask and set for new stations in
8830 		 * this case.
8831 		 */
8832 		if (!(params.sta_flags_mask & auth_assoc)) {
8833 			params.sta_flags_mask |= auth_assoc;
8834 			params.sta_flags_set |= auth_assoc;
8835 		}
8836 
8837 		/* must be last in here for error handling */
8838 		params.vlan = get_vlan(info, rdev);
8839 		if (IS_ERR(params.vlan))
8840 			return PTR_ERR(params.vlan);
8841 		break;
8842 	case NL80211_IFTYPE_MESH_POINT:
8843 		/* ignore uAPSD data */
8844 		params.sta_modify_mask &= ~STATION_PARAM_APPLY_UAPSD;
8845 
8846 		/* associated is disallowed */
8847 		if (params.sta_flags_mask & BIT(NL80211_STA_FLAG_ASSOCIATED))
8848 			return -EINVAL;
8849 		/* TDLS peers cannot be added */
8850 		if ((params.sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)) ||
8851 		    info->attrs[NL80211_ATTR_PEER_AID])
8852 			return -EINVAL;
8853 		break;
8854 	case NL80211_IFTYPE_STATION:
8855 	case NL80211_IFTYPE_P2P_CLIENT:
8856 		/* ignore uAPSD data */
8857 		params.sta_modify_mask &= ~STATION_PARAM_APPLY_UAPSD;
8858 
8859 		/* these are disallowed */
8860 		if (params.sta_flags_mask &
8861 				(BIT(NL80211_STA_FLAG_ASSOCIATED) |
8862 				 BIT(NL80211_STA_FLAG_AUTHENTICATED)))
8863 			return -EINVAL;
8864 		/* Only TDLS peers can be added */
8865 		if (!(params.sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)))
8866 			return -EINVAL;
8867 		/* Can only add if TDLS ... */
8868 		if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS))
8869 			return -EOPNOTSUPP;
8870 		/* ... with external setup is supported */
8871 		if (!(rdev->wiphy.flags & WIPHY_FLAG_TDLS_EXTERNAL_SETUP))
8872 			return -EOPNOTSUPP;
8873 		/*
8874 		 * Older wpa_supplicant versions always mark the TDLS peer
8875 		 * as authorized, but it shouldn't yet be.
8876 		 */
8877 		params.sta_flags_mask &= ~BIT(NL80211_STA_FLAG_AUTHORIZED);
8878 		break;
8879 	default:
8880 		return -EOPNOTSUPP;
8881 	}
8882 
8883 	/* be aware of params.vlan when changing code here */
8884 
8885 	if (wdev->valid_links) {
8886 		if (params.link_sta_params.link_id < 0) {
8887 			err = -EINVAL;
8888 			goto out;
8889 		}
8890 		if (!(wdev->valid_links & BIT(params.link_sta_params.link_id))) {
8891 			err = -ENOLINK;
8892 			goto out;
8893 		}
8894 	} else {
8895 		if (params.link_sta_params.link_id >= 0) {
8896 			err = -EINVAL;
8897 			goto out;
8898 		}
8899 	}
8900 
8901 	params.epp_peer =
8902 		nla_get_flag(info->attrs[NL80211_ATTR_EPP_PEER]);
8903 
8904 	err = rdev_add_station(rdev, dev, mac_addr, &params);
8905 out:
8906 	dev_put(params.vlan);
8907 	return err;
8908 }
8909 
8910 static int nl80211_del_station(struct sk_buff *skb, struct genl_info *info)
8911 {
8912 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8913 	struct net_device *dev = info->user_ptr[1];
8914 	struct wireless_dev *wdev = dev->ieee80211_ptr;
8915 	struct station_del_parameters params;
8916 	int link_id = nl80211_link_id_or_invalid(info->attrs);
8917 
8918 	memset(&params, 0, sizeof(params));
8919 
8920 	if (info->attrs[NL80211_ATTR_MAC])
8921 		params.mac = nla_data(info->attrs[NL80211_ATTR_MAC]);
8922 
8923 	switch (wdev->iftype) {
8924 	case NL80211_IFTYPE_AP:
8925 	case NL80211_IFTYPE_AP_VLAN:
8926 	case NL80211_IFTYPE_MESH_POINT:
8927 	case NL80211_IFTYPE_P2P_GO:
8928 		/* always accept these */
8929 		break;
8930 	case NL80211_IFTYPE_ADHOC:
8931 		/* conditionally accept */
8932 		if (wiphy_ext_feature_isset(&rdev->wiphy,
8933 					    NL80211_EXT_FEATURE_DEL_IBSS_STA))
8934 			break;
8935 		return -EINVAL;
8936 	default:
8937 		return -EINVAL;
8938 	}
8939 
8940 	if (!rdev->ops->del_station)
8941 		return -EOPNOTSUPP;
8942 
8943 	if (info->attrs[NL80211_ATTR_MGMT_SUBTYPE]) {
8944 		params.subtype =
8945 			nla_get_u8(info->attrs[NL80211_ATTR_MGMT_SUBTYPE]);
8946 		if (params.subtype != IEEE80211_STYPE_DISASSOC >> 4 &&
8947 		    params.subtype != IEEE80211_STYPE_DEAUTH >> 4)
8948 			return -EINVAL;
8949 	} else {
8950 		/* Default to Deauthentication frame */
8951 		params.subtype = IEEE80211_STYPE_DEAUTH >> 4;
8952 	}
8953 
8954 	if (info->attrs[NL80211_ATTR_REASON_CODE]) {
8955 		params.reason_code =
8956 			nla_get_u16(info->attrs[NL80211_ATTR_REASON_CODE]);
8957 		if (params.reason_code == 0)
8958 			return -EINVAL; /* 0 is reserved */
8959 	} else {
8960 		/* Default to reason code 2 */
8961 		params.reason_code = WLAN_REASON_PREV_AUTH_NOT_VALID;
8962 	}
8963 
8964 	/* Link ID not expected in case of non-ML operation */
8965 	if (!wdev->valid_links && link_id != -1)
8966 		return -EINVAL;
8967 
8968 	/* If given, a valid link ID should be passed during MLO */
8969 	if (wdev->valid_links && link_id >= 0 &&
8970 	    !(wdev->valid_links & BIT(link_id)))
8971 		return -EINVAL;
8972 
8973 	params.link_id = link_id;
8974 
8975 	return rdev_del_station(rdev, dev, &params);
8976 }
8977 
8978 static int nl80211_send_mpath(struct sk_buff *msg, u32 portid, u32 seq,
8979 				int flags, struct net_device *dev,
8980 				u8 *dst, u8 *next_hop,
8981 				struct mpath_info *pinfo)
8982 {
8983 	void *hdr;
8984 	struct nlattr *pinfoattr;
8985 
8986 	hdr = nl80211hdr_put(msg, portid, seq, flags, NL80211_CMD_NEW_MPATH);
8987 	if (!hdr)
8988 		return -1;
8989 
8990 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
8991 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, dst) ||
8992 	    nla_put(msg, NL80211_ATTR_MPATH_NEXT_HOP, ETH_ALEN, next_hop) ||
8993 	    nla_put_u32(msg, NL80211_ATTR_GENERATION, pinfo->generation))
8994 		goto nla_put_failure;
8995 
8996 	pinfoattr = nla_nest_start_noflag(msg, NL80211_ATTR_MPATH_INFO);
8997 	if (!pinfoattr)
8998 		goto nla_put_failure;
8999 	if ((pinfo->filled & MPATH_INFO_FRAME_QLEN) &&
9000 	    nla_put_u32(msg, NL80211_MPATH_INFO_FRAME_QLEN,
9001 			pinfo->frame_qlen))
9002 		goto nla_put_failure;
9003 	if (((pinfo->filled & MPATH_INFO_SN) &&
9004 	     nla_put_u32(msg, NL80211_MPATH_INFO_SN, pinfo->sn)) ||
9005 	    ((pinfo->filled & MPATH_INFO_METRIC) &&
9006 	     nla_put_u32(msg, NL80211_MPATH_INFO_METRIC,
9007 			 pinfo->metric)) ||
9008 	    ((pinfo->filled & MPATH_INFO_EXPTIME) &&
9009 	     nla_put_u32(msg, NL80211_MPATH_INFO_EXPTIME,
9010 			 pinfo->exptime)) ||
9011 	    ((pinfo->filled & MPATH_INFO_FLAGS) &&
9012 	     nla_put_u8(msg, NL80211_MPATH_INFO_FLAGS,
9013 			pinfo->flags)) ||
9014 	    ((pinfo->filled & MPATH_INFO_DISCOVERY_TIMEOUT) &&
9015 	     nla_put_u32(msg, NL80211_MPATH_INFO_DISCOVERY_TIMEOUT,
9016 			 pinfo->discovery_timeout)) ||
9017 	    ((pinfo->filled & MPATH_INFO_DISCOVERY_RETRIES) &&
9018 	     nla_put_u8(msg, NL80211_MPATH_INFO_DISCOVERY_RETRIES,
9019 			pinfo->discovery_retries)) ||
9020 	    ((pinfo->filled & MPATH_INFO_HOP_COUNT) &&
9021 	     nla_put_u8(msg, NL80211_MPATH_INFO_HOP_COUNT,
9022 			pinfo->hop_count)) ||
9023 	    ((pinfo->filled & MPATH_INFO_PATH_CHANGE) &&
9024 	     nla_put_u32(msg, NL80211_MPATH_INFO_PATH_CHANGE,
9025 			 pinfo->path_change_count)))
9026 		goto nla_put_failure;
9027 
9028 	nla_nest_end(msg, pinfoattr);
9029 
9030 	genlmsg_end(msg, hdr);
9031 	return 0;
9032 
9033  nla_put_failure:
9034 	genlmsg_cancel(msg, hdr);
9035 	return -EMSGSIZE;
9036 }
9037 
9038 static int nl80211_dump_mpath(struct sk_buff *skb,
9039 			      struct netlink_callback *cb)
9040 {
9041 	struct mpath_info pinfo;
9042 	struct cfg80211_registered_device *rdev;
9043 	struct wireless_dev *wdev;
9044 	u8 dst[ETH_ALEN];
9045 	u8 next_hop[ETH_ALEN];
9046 	int path_idx = cb->args[2];
9047 	int err;
9048 
9049 	err = nl80211_prepare_wdev_dump(cb, &rdev, &wdev, NULL);
9050 	if (err)
9051 		return err;
9052 	/* nl80211_prepare_wdev_dump acquired it in the successful case */
9053 	__acquire(&rdev->wiphy.mtx);
9054 
9055 	if (!rdev->ops->dump_mpath) {
9056 		err = -EOPNOTSUPP;
9057 		goto out_err;
9058 	}
9059 
9060 	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT) {
9061 		err = -EOPNOTSUPP;
9062 		goto out_err;
9063 	}
9064 
9065 	while (1) {
9066 		err = rdev_dump_mpath(rdev, wdev->netdev, path_idx, dst,
9067 				      next_hop, &pinfo);
9068 		if (err == -ENOENT)
9069 			break;
9070 		if (err)
9071 			goto out_err;
9072 
9073 		if (nl80211_send_mpath(skb, NETLINK_CB(cb->skb).portid,
9074 				       cb->nlh->nlmsg_seq, NLM_F_MULTI,
9075 				       wdev->netdev, dst, next_hop,
9076 				       &pinfo) < 0)
9077 			goto out;
9078 
9079 		path_idx++;
9080 	}
9081 
9082  out:
9083 	cb->args[2] = path_idx;
9084 	err = skb->len;
9085  out_err:
9086 	wiphy_unlock(&rdev->wiphy);
9087 	return err;
9088 }
9089 
9090 static int nl80211_get_mpath(struct sk_buff *skb, struct genl_info *info)
9091 {
9092 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9093 	int err;
9094 	struct net_device *dev = info->user_ptr[1];
9095 	struct mpath_info pinfo;
9096 	struct sk_buff *msg;
9097 	u8 *dst = NULL;
9098 	u8 next_hop[ETH_ALEN];
9099 
9100 	memset(&pinfo, 0, sizeof(pinfo));
9101 
9102 	if (!info->attrs[NL80211_ATTR_MAC])
9103 		return -EINVAL;
9104 
9105 	dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
9106 
9107 	if (!rdev->ops->get_mpath)
9108 		return -EOPNOTSUPP;
9109 
9110 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
9111 		return -EOPNOTSUPP;
9112 
9113 	err = rdev_get_mpath(rdev, dev, dst, next_hop, &pinfo);
9114 	if (err)
9115 		return err;
9116 
9117 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
9118 	if (!msg)
9119 		return -ENOMEM;
9120 
9121 	if (nl80211_send_mpath(msg, info->snd_portid, info->snd_seq, 0,
9122 				 dev, dst, next_hop, &pinfo) < 0) {
9123 		nlmsg_free(msg);
9124 		return -ENOBUFS;
9125 	}
9126 
9127 	return genlmsg_reply(msg, info);
9128 }
9129 
9130 static int nl80211_set_mpath(struct sk_buff *skb, struct genl_info *info)
9131 {
9132 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9133 	struct net_device *dev = info->user_ptr[1];
9134 	u8 *dst = NULL;
9135 	u8 *next_hop = NULL;
9136 
9137 	if (!info->attrs[NL80211_ATTR_MAC])
9138 		return -EINVAL;
9139 
9140 	if (!info->attrs[NL80211_ATTR_MPATH_NEXT_HOP])
9141 		return -EINVAL;
9142 
9143 	dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
9144 	next_hop = nla_data(info->attrs[NL80211_ATTR_MPATH_NEXT_HOP]);
9145 
9146 	if (!rdev->ops->change_mpath)
9147 		return -EOPNOTSUPP;
9148 
9149 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
9150 		return -EOPNOTSUPP;
9151 
9152 	return rdev_change_mpath(rdev, dev, dst, next_hop);
9153 }
9154 
9155 static int nl80211_new_mpath(struct sk_buff *skb, struct genl_info *info)
9156 {
9157 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9158 	struct net_device *dev = info->user_ptr[1];
9159 	u8 *dst = NULL;
9160 	u8 *next_hop = NULL;
9161 
9162 	if (!info->attrs[NL80211_ATTR_MAC])
9163 		return -EINVAL;
9164 
9165 	if (!info->attrs[NL80211_ATTR_MPATH_NEXT_HOP])
9166 		return -EINVAL;
9167 
9168 	dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
9169 	next_hop = nla_data(info->attrs[NL80211_ATTR_MPATH_NEXT_HOP]);
9170 
9171 	if (!rdev->ops->add_mpath)
9172 		return -EOPNOTSUPP;
9173 
9174 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
9175 		return -EOPNOTSUPP;
9176 
9177 	return rdev_add_mpath(rdev, dev, dst, next_hop);
9178 }
9179 
9180 static int nl80211_del_mpath(struct sk_buff *skb, struct genl_info *info)
9181 {
9182 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9183 	struct net_device *dev = info->user_ptr[1];
9184 	u8 *dst = NULL;
9185 
9186 	if (info->attrs[NL80211_ATTR_MAC])
9187 		dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
9188 
9189 	if (!rdev->ops->del_mpath)
9190 		return -EOPNOTSUPP;
9191 
9192 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
9193 		return -EOPNOTSUPP;
9194 
9195 	return rdev_del_mpath(rdev, dev, dst);
9196 }
9197 
9198 static int nl80211_get_mpp(struct sk_buff *skb, struct genl_info *info)
9199 {
9200 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9201 	int err;
9202 	struct net_device *dev = info->user_ptr[1];
9203 	struct mpath_info pinfo;
9204 	struct sk_buff *msg;
9205 	u8 *dst = NULL;
9206 	u8 mpp[ETH_ALEN];
9207 
9208 	memset(&pinfo, 0, sizeof(pinfo));
9209 
9210 	if (!info->attrs[NL80211_ATTR_MAC])
9211 		return -EINVAL;
9212 
9213 	dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
9214 
9215 	if (!rdev->ops->get_mpp)
9216 		return -EOPNOTSUPP;
9217 
9218 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
9219 		return -EOPNOTSUPP;
9220 
9221 	err = rdev_get_mpp(rdev, dev, dst, mpp, &pinfo);
9222 	if (err)
9223 		return err;
9224 
9225 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
9226 	if (!msg)
9227 		return -ENOMEM;
9228 
9229 	if (nl80211_send_mpath(msg, info->snd_portid, info->snd_seq, 0,
9230 			       dev, dst, mpp, &pinfo) < 0) {
9231 		nlmsg_free(msg);
9232 		return -ENOBUFS;
9233 	}
9234 
9235 	return genlmsg_reply(msg, info);
9236 }
9237 
9238 static int nl80211_dump_mpp(struct sk_buff *skb,
9239 			    struct netlink_callback *cb)
9240 {
9241 	struct mpath_info pinfo;
9242 	struct cfg80211_registered_device *rdev;
9243 	struct wireless_dev *wdev;
9244 	u8 dst[ETH_ALEN];
9245 	u8 mpp[ETH_ALEN];
9246 	int path_idx = cb->args[2];
9247 	int err;
9248 
9249 	err = nl80211_prepare_wdev_dump(cb, &rdev, &wdev, NULL);
9250 	if (err)
9251 		return err;
9252 	/* nl80211_prepare_wdev_dump acquired it in the successful case */
9253 	__acquire(&rdev->wiphy.mtx);
9254 
9255 	if (!rdev->ops->dump_mpp) {
9256 		err = -EOPNOTSUPP;
9257 		goto out_err;
9258 	}
9259 
9260 	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT) {
9261 		err = -EOPNOTSUPP;
9262 		goto out_err;
9263 	}
9264 
9265 	while (1) {
9266 		err = rdev_dump_mpp(rdev, wdev->netdev, path_idx, dst,
9267 				    mpp, &pinfo);
9268 		if (err == -ENOENT)
9269 			break;
9270 		if (err)
9271 			goto out_err;
9272 
9273 		if (nl80211_send_mpath(skb, NETLINK_CB(cb->skb).portid,
9274 				       cb->nlh->nlmsg_seq, NLM_F_MULTI,
9275 				       wdev->netdev, dst, mpp,
9276 				       &pinfo) < 0)
9277 			goto out;
9278 
9279 		path_idx++;
9280 	}
9281 
9282  out:
9283 	cb->args[2] = path_idx;
9284 	err = skb->len;
9285  out_err:
9286 	wiphy_unlock(&rdev->wiphy);
9287 	return err;
9288 }
9289 
9290 static int nl80211_set_bss(struct sk_buff *skb, struct genl_info *info)
9291 {
9292 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9293 	struct net_device *dev = info->user_ptr[1];
9294 	struct bss_parameters params;
9295 	u32 bss_param_support = rdev->wiphy.bss_param_support;
9296 	u32 changed = 0;
9297 	bool strict;
9298 
9299 	memset(&params, 0, sizeof(params));
9300 	params.link_id = nl80211_link_id_or_invalid(info->attrs);
9301 	/* default to not changing parameters */
9302 	params.use_cts_prot = -1;
9303 	params.use_short_preamble = -1;
9304 	params.use_short_slot_time = -1;
9305 	params.ap_isolate = -1;
9306 	params.ht_opmode = -1;
9307 	params.p2p_ctwindow = -1;
9308 	params.p2p_opp_ps = -1;
9309 
9310 	strict = nla_get_flag(info->attrs[NL80211_ATTR_BSS_PARAM]);
9311 	if (info->attrs[NL80211_ATTR_BSS_CTS_PROT]) {
9312 		if (strict && !(bss_param_support & WIPHY_BSS_PARAM_CTS_PROT))
9313 			return -EINVAL;
9314 		params.use_cts_prot =
9315 		    nla_get_u8(info->attrs[NL80211_ATTR_BSS_CTS_PROT]);
9316 		changed |= WIPHY_BSS_PARAM_CTS_PROT;
9317 	}
9318 	if (info->attrs[NL80211_ATTR_BSS_SHORT_PREAMBLE]) {
9319 		if (strict &&
9320 		    !(bss_param_support & WIPHY_BSS_PARAM_SHORT_PREAMBLE))
9321 			return -EINVAL;
9322 		params.use_short_preamble =
9323 		    nla_get_u8(info->attrs[NL80211_ATTR_BSS_SHORT_PREAMBLE]);
9324 		changed |= WIPHY_BSS_PARAM_SHORT_PREAMBLE;
9325 	}
9326 	if (info->attrs[NL80211_ATTR_BSS_SHORT_SLOT_TIME]) {
9327 		if (strict &&
9328 		    !(bss_param_support & WIPHY_BSS_PARAM_SHORT_SLOT_TIME))
9329 			return -EINVAL;
9330 		params.use_short_slot_time =
9331 		    nla_get_u8(info->attrs[NL80211_ATTR_BSS_SHORT_SLOT_TIME]);
9332 		changed |= WIPHY_BSS_PARAM_SHORT_SLOT_TIME;
9333 	}
9334 	if (info->attrs[NL80211_ATTR_BSS_BASIC_RATES]) {
9335 		if (strict &&
9336 		    !(bss_param_support & WIPHY_BSS_PARAM_BASIC_RATES))
9337 			return -EINVAL;
9338 		params.basic_rates =
9339 			nla_data(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
9340 		params.basic_rates_len =
9341 			nla_len(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
9342 		changed |= WIPHY_BSS_PARAM_BASIC_RATES;
9343 	}
9344 	if (info->attrs[NL80211_ATTR_AP_ISOLATE]) {
9345 		if (strict && !(bss_param_support & WIPHY_BSS_PARAM_AP_ISOLATE))
9346 			return -EINVAL;
9347 		params.ap_isolate =
9348 			!!nla_get_u8(info->attrs[NL80211_ATTR_AP_ISOLATE]);
9349 		changed |= WIPHY_BSS_PARAM_AP_ISOLATE;
9350 	}
9351 	if (info->attrs[NL80211_ATTR_BSS_HT_OPMODE]) {
9352 		if (strict && !(bss_param_support & WIPHY_BSS_PARAM_HT_OPMODE))
9353 			return -EINVAL;
9354 		params.ht_opmode =
9355 			nla_get_u16(info->attrs[NL80211_ATTR_BSS_HT_OPMODE]);
9356 		changed |= WIPHY_BSS_PARAM_HT_OPMODE;
9357 	}
9358 
9359 	if (info->attrs[NL80211_ATTR_P2P_CTWINDOW]) {
9360 		if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
9361 			return -EINVAL;
9362 		params.p2p_ctwindow =
9363 			nla_get_u8(info->attrs[NL80211_ATTR_P2P_CTWINDOW]);
9364 		if (params.p2p_ctwindow != 0 &&
9365 		    !(bss_param_support & WIPHY_BSS_PARAM_P2P_CTWINDOW))
9366 			return -EINVAL;
9367 		changed |= WIPHY_BSS_PARAM_P2P_CTWINDOW;
9368 	}
9369 
9370 	if (info->attrs[NL80211_ATTR_P2P_OPPPS]) {
9371 		u8 tmp;
9372 
9373 		if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
9374 			return -EINVAL;
9375 		tmp = nla_get_u8(info->attrs[NL80211_ATTR_P2P_OPPPS]);
9376 		if (tmp && !(bss_param_support & WIPHY_BSS_PARAM_P2P_OPPPS))
9377 			return -EINVAL;
9378 		params.p2p_opp_ps = tmp;
9379 		if (params.p2p_opp_ps &&
9380 		    !(rdev->wiphy.bss_param_support & WIPHY_BSS_PARAM_P2P_OPPPS))
9381 			return -EINVAL;
9382 	}
9383 
9384 	if (!rdev->ops->change_bss)
9385 		return -EOPNOTSUPP;
9386 
9387 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
9388 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
9389 		return -EOPNOTSUPP;
9390 
9391 	changed &= rdev->wiphy.bss_param_support;
9392 	if (!changed)
9393 		return 0;
9394 
9395 	return rdev_change_bss(rdev, dev, &params);
9396 }
9397 
9398 static int nl80211_req_set_reg(struct sk_buff *skb, struct genl_info *info)
9399 {
9400 	char *data = NULL;
9401 	bool is_indoor;
9402 	enum nl80211_user_reg_hint_type user_reg_hint_type;
9403 	u32 owner_nlportid;
9404 
9405 	/*
9406 	 * You should only get this when cfg80211 hasn't yet initialized
9407 	 * completely when built-in to the kernel right between the time
9408 	 * window between nl80211_init() and regulatory_init(), if that is
9409 	 * even possible.
9410 	 */
9411 	if (unlikely(!rcu_access_pointer(cfg80211_regdomain)))
9412 		return -EINPROGRESS;
9413 
9414 	user_reg_hint_type =
9415 		nla_get_u32_default(info->attrs[NL80211_ATTR_USER_REG_HINT_TYPE],
9416 				    NL80211_USER_REG_HINT_USER);
9417 
9418 	switch (user_reg_hint_type) {
9419 	case NL80211_USER_REG_HINT_USER:
9420 	case NL80211_USER_REG_HINT_CELL_BASE:
9421 		if (!info->attrs[NL80211_ATTR_REG_ALPHA2])
9422 			return -EINVAL;
9423 
9424 		data = nla_data(info->attrs[NL80211_ATTR_REG_ALPHA2]);
9425 		return regulatory_hint_user(data, user_reg_hint_type);
9426 	case NL80211_USER_REG_HINT_INDOOR:
9427 		if (info->attrs[NL80211_ATTR_SOCKET_OWNER]) {
9428 			owner_nlportid = info->snd_portid;
9429 			is_indoor = !!info->attrs[NL80211_ATTR_REG_INDOOR];
9430 		} else {
9431 			owner_nlportid = 0;
9432 			is_indoor = true;
9433 		}
9434 
9435 		regulatory_hint_indoor(is_indoor, owner_nlportid);
9436 		return 0;
9437 	default:
9438 		return -EINVAL;
9439 	}
9440 }
9441 
9442 static int nl80211_reload_regdb(struct sk_buff *skb, struct genl_info *info)
9443 {
9444 	return reg_reload_regdb();
9445 }
9446 
9447 static int nl80211_get_mesh_config(struct sk_buff *skb,
9448 				   struct genl_info *info)
9449 {
9450 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9451 	struct net_device *dev = info->user_ptr[1];
9452 	struct wireless_dev *wdev = dev->ieee80211_ptr;
9453 	struct mesh_config cur_params;
9454 	int err = 0;
9455 	void *hdr;
9456 	struct nlattr *pinfoattr;
9457 	struct sk_buff *msg;
9458 
9459 	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT)
9460 		return -EOPNOTSUPP;
9461 
9462 	if (!rdev->ops->get_mesh_config)
9463 		return -EOPNOTSUPP;
9464 
9465 	/* If not connected, get default parameters */
9466 	if (!wdev->u.mesh.id_len)
9467 		memcpy(&cur_params, &default_mesh_config, sizeof(cur_params));
9468 	else
9469 		err = rdev_get_mesh_config(rdev, dev, &cur_params);
9470 
9471 	if (err)
9472 		return err;
9473 
9474 	/* Draw up a netlink message to send back */
9475 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
9476 	if (!msg)
9477 		return -ENOMEM;
9478 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
9479 			     NL80211_CMD_GET_MESH_CONFIG);
9480 	if (!hdr)
9481 		goto out;
9482 	pinfoattr = nla_nest_start_noflag(msg, NL80211_ATTR_MESH_CONFIG);
9483 	if (!pinfoattr)
9484 		goto nla_put_failure;
9485 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
9486 	    nla_put_u16(msg, NL80211_MESHCONF_RETRY_TIMEOUT,
9487 			cur_params.dot11MeshRetryTimeout) ||
9488 	    nla_put_u16(msg, NL80211_MESHCONF_CONFIRM_TIMEOUT,
9489 			cur_params.dot11MeshConfirmTimeout) ||
9490 	    nla_put_u16(msg, NL80211_MESHCONF_HOLDING_TIMEOUT,
9491 			cur_params.dot11MeshHoldingTimeout) ||
9492 	    nla_put_u16(msg, NL80211_MESHCONF_MAX_PEER_LINKS,
9493 			cur_params.dot11MeshMaxPeerLinks) ||
9494 	    nla_put_u8(msg, NL80211_MESHCONF_MAX_RETRIES,
9495 		       cur_params.dot11MeshMaxRetries) ||
9496 	    nla_put_u8(msg, NL80211_MESHCONF_TTL,
9497 		       cur_params.dot11MeshTTL) ||
9498 	    nla_put_u8(msg, NL80211_MESHCONF_ELEMENT_TTL,
9499 		       cur_params.element_ttl) ||
9500 	    nla_put_u8(msg, NL80211_MESHCONF_AUTO_OPEN_PLINKS,
9501 		       cur_params.auto_open_plinks) ||
9502 	    nla_put_u32(msg, NL80211_MESHCONF_SYNC_OFFSET_MAX_NEIGHBOR,
9503 			cur_params.dot11MeshNbrOffsetMaxNeighbor) ||
9504 	    nla_put_u8(msg, NL80211_MESHCONF_HWMP_MAX_PREQ_RETRIES,
9505 		       cur_params.dot11MeshHWMPmaxPREQretries) ||
9506 	    nla_put_u32(msg, NL80211_MESHCONF_PATH_REFRESH_TIME,
9507 			cur_params.path_refresh_time) ||
9508 	    nla_put_u16(msg, NL80211_MESHCONF_MIN_DISCOVERY_TIMEOUT,
9509 			cur_params.min_discovery_timeout) ||
9510 	    nla_put_u32(msg, NL80211_MESHCONF_HWMP_ACTIVE_PATH_TIMEOUT,
9511 			cur_params.dot11MeshHWMPactivePathTimeout) ||
9512 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_PREQ_MIN_INTERVAL,
9513 			cur_params.dot11MeshHWMPpreqMinInterval) ||
9514 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_PERR_MIN_INTERVAL,
9515 			cur_params.dot11MeshHWMPperrMinInterval) ||
9516 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_NET_DIAM_TRVS_TIME,
9517 			cur_params.dot11MeshHWMPnetDiameterTraversalTime) ||
9518 	    nla_put_u8(msg, NL80211_MESHCONF_HWMP_ROOTMODE,
9519 		       cur_params.dot11MeshHWMPRootMode) ||
9520 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_RANN_INTERVAL,
9521 			cur_params.dot11MeshHWMPRannInterval) ||
9522 	    nla_put_u8(msg, NL80211_MESHCONF_GATE_ANNOUNCEMENTS,
9523 		       cur_params.dot11MeshGateAnnouncementProtocol) ||
9524 	    nla_put_u8(msg, NL80211_MESHCONF_FORWARDING,
9525 		       cur_params.dot11MeshForwarding) ||
9526 	    nla_put_s32(msg, NL80211_MESHCONF_RSSI_THRESHOLD,
9527 			cur_params.rssi_threshold) ||
9528 	    nla_put_u32(msg, NL80211_MESHCONF_HT_OPMODE,
9529 			cur_params.ht_opmode) ||
9530 	    nla_put_u32(msg, NL80211_MESHCONF_HWMP_PATH_TO_ROOT_TIMEOUT,
9531 			cur_params.dot11MeshHWMPactivePathToRootTimeout) ||
9532 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_ROOT_INTERVAL,
9533 			cur_params.dot11MeshHWMProotInterval) ||
9534 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_CONFIRMATION_INTERVAL,
9535 			cur_params.dot11MeshHWMPconfirmationInterval) ||
9536 	    nla_put_u32(msg, NL80211_MESHCONF_POWER_MODE,
9537 			cur_params.power_mode) ||
9538 	    nla_put_u16(msg, NL80211_MESHCONF_AWAKE_WINDOW,
9539 			cur_params.dot11MeshAwakeWindowDuration) ||
9540 	    nla_put_u32(msg, NL80211_MESHCONF_PLINK_TIMEOUT,
9541 			cur_params.plink_timeout) ||
9542 	    nla_put_u8(msg, NL80211_MESHCONF_CONNECTED_TO_GATE,
9543 		       cur_params.dot11MeshConnectedToMeshGate) ||
9544 	    nla_put_u8(msg, NL80211_MESHCONF_NOLEARN,
9545 		       cur_params.dot11MeshNolearn) ||
9546 	    nla_put_u8(msg, NL80211_MESHCONF_CONNECTED_TO_AS,
9547 		       cur_params.dot11MeshConnectedToAuthServer))
9548 		goto nla_put_failure;
9549 	nla_nest_end(msg, pinfoattr);
9550 	genlmsg_end(msg, hdr);
9551 	return genlmsg_reply(msg, info);
9552 
9553  nla_put_failure:
9554  out:
9555 	nlmsg_free(msg);
9556 	return -ENOBUFS;
9557 }
9558 
9559 static const struct nla_policy
9560 nl80211_meshconf_params_policy[NL80211_MESHCONF_ATTR_MAX+1] = {
9561 	[NL80211_MESHCONF_RETRY_TIMEOUT] =
9562 		NLA_POLICY_RANGE(NLA_U16, 1, 255),
9563 	[NL80211_MESHCONF_CONFIRM_TIMEOUT] =
9564 		NLA_POLICY_RANGE(NLA_U16, 1, 255),
9565 	[NL80211_MESHCONF_HOLDING_TIMEOUT] =
9566 		NLA_POLICY_RANGE(NLA_U16, 1, 255),
9567 	[NL80211_MESHCONF_MAX_PEER_LINKS] =
9568 		NLA_POLICY_RANGE(NLA_U16, 0, 255),
9569 	[NL80211_MESHCONF_MAX_RETRIES] = NLA_POLICY_MAX(NLA_U8, 16),
9570 	[NL80211_MESHCONF_TTL] = NLA_POLICY_MIN(NLA_U8, 1),
9571 	[NL80211_MESHCONF_ELEMENT_TTL] = NLA_POLICY_MIN(NLA_U8, 1),
9572 	[NL80211_MESHCONF_AUTO_OPEN_PLINKS] = NLA_POLICY_MAX(NLA_U8, 1),
9573 	[NL80211_MESHCONF_SYNC_OFFSET_MAX_NEIGHBOR] =
9574 		NLA_POLICY_RANGE(NLA_U32, 1, 255),
9575 	[NL80211_MESHCONF_HWMP_MAX_PREQ_RETRIES] = { .type = NLA_U8 },
9576 	[NL80211_MESHCONF_PATH_REFRESH_TIME] = { .type = NLA_U32 },
9577 	[NL80211_MESHCONF_MIN_DISCOVERY_TIMEOUT] = NLA_POLICY_MIN(NLA_U16, 1),
9578 	[NL80211_MESHCONF_HWMP_ACTIVE_PATH_TIMEOUT] = { .type = NLA_U32 },
9579 	[NL80211_MESHCONF_HWMP_PREQ_MIN_INTERVAL] =
9580 		NLA_POLICY_MIN(NLA_U16, 1),
9581 	[NL80211_MESHCONF_HWMP_PERR_MIN_INTERVAL] =
9582 		NLA_POLICY_MIN(NLA_U16, 1),
9583 	[NL80211_MESHCONF_HWMP_NET_DIAM_TRVS_TIME] =
9584 		NLA_POLICY_MIN(NLA_U16, 1),
9585 	[NL80211_MESHCONF_HWMP_ROOTMODE] = NLA_POLICY_MAX(NLA_U8, 4),
9586 	[NL80211_MESHCONF_HWMP_RANN_INTERVAL] =
9587 		NLA_POLICY_MIN(NLA_U16, 1),
9588 	[NL80211_MESHCONF_GATE_ANNOUNCEMENTS] = NLA_POLICY_MAX(NLA_U8, 1),
9589 	[NL80211_MESHCONF_FORWARDING] = NLA_POLICY_MAX(NLA_U8, 1),
9590 	[NL80211_MESHCONF_RSSI_THRESHOLD] =
9591 		NLA_POLICY_RANGE(NLA_S32, -255, 0),
9592 	[NL80211_MESHCONF_HT_OPMODE] = { .type = NLA_U16 },
9593 	[NL80211_MESHCONF_HWMP_PATH_TO_ROOT_TIMEOUT] = { .type = NLA_U32 },
9594 	[NL80211_MESHCONF_HWMP_ROOT_INTERVAL] =
9595 		NLA_POLICY_MIN(NLA_U16, 1),
9596 	[NL80211_MESHCONF_HWMP_CONFIRMATION_INTERVAL] =
9597 		NLA_POLICY_MIN(NLA_U16, 1),
9598 	[NL80211_MESHCONF_POWER_MODE] =
9599 		NLA_POLICY_RANGE(NLA_U32,
9600 				 NL80211_MESH_POWER_ACTIVE,
9601 				 NL80211_MESH_POWER_MAX),
9602 	[NL80211_MESHCONF_AWAKE_WINDOW] = { .type = NLA_U16 },
9603 	[NL80211_MESHCONF_PLINK_TIMEOUT] = { .type = NLA_U32 },
9604 	[NL80211_MESHCONF_CONNECTED_TO_GATE] = NLA_POLICY_RANGE(NLA_U8, 0, 1),
9605 	[NL80211_MESHCONF_NOLEARN] = NLA_POLICY_RANGE(NLA_U8, 0, 1),
9606 	[NL80211_MESHCONF_CONNECTED_TO_AS] = NLA_POLICY_RANGE(NLA_U8, 0, 1),
9607 };
9608 
9609 static const struct nla_policy
9610 	nl80211_mesh_setup_params_policy[NL80211_MESH_SETUP_ATTR_MAX+1] = {
9611 	[NL80211_MESH_SETUP_ENABLE_VENDOR_SYNC] = { .type = NLA_U8 },
9612 	[NL80211_MESH_SETUP_ENABLE_VENDOR_PATH_SEL] = { .type = NLA_U8 },
9613 	[NL80211_MESH_SETUP_ENABLE_VENDOR_METRIC] = { .type = NLA_U8 },
9614 	[NL80211_MESH_SETUP_USERSPACE_AUTH] = { .type = NLA_FLAG },
9615 	[NL80211_MESH_SETUP_AUTH_PROTOCOL] = { .type = NLA_U8 },
9616 	[NL80211_MESH_SETUP_USERSPACE_MPM] = { .type = NLA_FLAG },
9617 	[NL80211_MESH_SETUP_IE] =
9618 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_ie_attr,
9619 				       IEEE80211_MAX_DATA_LEN),
9620 	[NL80211_MESH_SETUP_USERSPACE_AMPE] = { .type = NLA_FLAG },
9621 };
9622 
9623 static int nl80211_parse_mesh_config(struct genl_info *info,
9624 				     struct mesh_config *cfg,
9625 				     u32 *mask_out)
9626 {
9627 	struct nlattr *tb[NL80211_MESHCONF_ATTR_MAX + 1];
9628 	u32 mask = 0;
9629 	u16 ht_opmode;
9630 
9631 #define FILL_IN_MESH_PARAM_IF_SET(tb, cfg, param, mask, attr, fn)	\
9632 do {									\
9633 	if (tb[attr]) {							\
9634 		cfg->param = fn(tb[attr]);				\
9635 		mask |= BIT((attr) - 1);				\
9636 	}								\
9637 } while (0)
9638 
9639 	if (!info->attrs[NL80211_ATTR_MESH_CONFIG])
9640 		return -EINVAL;
9641 	if (nla_parse_nested_deprecated(tb, NL80211_MESHCONF_ATTR_MAX, info->attrs[NL80211_ATTR_MESH_CONFIG], nl80211_meshconf_params_policy, info->extack))
9642 		return -EINVAL;
9643 
9644 	/* This makes sure that there aren't more than 32 mesh config
9645 	 * parameters (otherwise our bitfield scheme would not work.) */
9646 	BUILD_BUG_ON(NL80211_MESHCONF_ATTR_MAX > 32);
9647 
9648 	/* Fill in the params struct */
9649 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshRetryTimeout, mask,
9650 				  NL80211_MESHCONF_RETRY_TIMEOUT, nla_get_u16);
9651 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshConfirmTimeout, mask,
9652 				  NL80211_MESHCONF_CONFIRM_TIMEOUT,
9653 				  nla_get_u16);
9654 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHoldingTimeout, mask,
9655 				  NL80211_MESHCONF_HOLDING_TIMEOUT,
9656 				  nla_get_u16);
9657 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshMaxPeerLinks, mask,
9658 				  NL80211_MESHCONF_MAX_PEER_LINKS,
9659 				  nla_get_u16);
9660 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshMaxRetries, mask,
9661 				  NL80211_MESHCONF_MAX_RETRIES, nla_get_u8);
9662 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshTTL, mask,
9663 				  NL80211_MESHCONF_TTL, nla_get_u8);
9664 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, element_ttl, mask,
9665 				  NL80211_MESHCONF_ELEMENT_TTL, nla_get_u8);
9666 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, auto_open_plinks, mask,
9667 				  NL80211_MESHCONF_AUTO_OPEN_PLINKS,
9668 				  nla_get_u8);
9669 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshNbrOffsetMaxNeighbor,
9670 				  mask,
9671 				  NL80211_MESHCONF_SYNC_OFFSET_MAX_NEIGHBOR,
9672 				  nla_get_u32);
9673 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPmaxPREQretries, mask,
9674 				  NL80211_MESHCONF_HWMP_MAX_PREQ_RETRIES,
9675 				  nla_get_u8);
9676 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, path_refresh_time, mask,
9677 				  NL80211_MESHCONF_PATH_REFRESH_TIME,
9678 				  nla_get_u32);
9679 	if (mask & BIT(NL80211_MESHCONF_PATH_REFRESH_TIME) &&
9680 	    (cfg->path_refresh_time < 1 || cfg->path_refresh_time > 65535))
9681 		return -EINVAL;
9682 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, min_discovery_timeout, mask,
9683 				  NL80211_MESHCONF_MIN_DISCOVERY_TIMEOUT,
9684 				  nla_get_u16);
9685 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPactivePathTimeout,
9686 				  mask,
9687 				  NL80211_MESHCONF_HWMP_ACTIVE_PATH_TIMEOUT,
9688 				  nla_get_u32);
9689 	if (mask & BIT(NL80211_MESHCONF_HWMP_ACTIVE_PATH_TIMEOUT) &&
9690 	    (cfg->dot11MeshHWMPactivePathTimeout < 1 ||
9691 	     cfg->dot11MeshHWMPactivePathTimeout > 65535))
9692 		return -EINVAL;
9693 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPpreqMinInterval, mask,
9694 				  NL80211_MESHCONF_HWMP_PREQ_MIN_INTERVAL,
9695 				  nla_get_u16);
9696 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPperrMinInterval, mask,
9697 				  NL80211_MESHCONF_HWMP_PERR_MIN_INTERVAL,
9698 				  nla_get_u16);
9699 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg,
9700 				  dot11MeshHWMPnetDiameterTraversalTime, mask,
9701 				  NL80211_MESHCONF_HWMP_NET_DIAM_TRVS_TIME,
9702 				  nla_get_u16);
9703 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPRootMode, mask,
9704 				  NL80211_MESHCONF_HWMP_ROOTMODE, nla_get_u8);
9705 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPRannInterval, mask,
9706 				  NL80211_MESHCONF_HWMP_RANN_INTERVAL,
9707 				  nla_get_u16);
9708 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshGateAnnouncementProtocol,
9709 				  mask, NL80211_MESHCONF_GATE_ANNOUNCEMENTS,
9710 				  nla_get_u8);
9711 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshForwarding, mask,
9712 				  NL80211_MESHCONF_FORWARDING, nla_get_u8);
9713 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, rssi_threshold, mask,
9714 				  NL80211_MESHCONF_RSSI_THRESHOLD,
9715 				  nla_get_s32);
9716 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshConnectedToMeshGate, mask,
9717 				  NL80211_MESHCONF_CONNECTED_TO_GATE,
9718 				  nla_get_u8);
9719 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshConnectedToAuthServer, mask,
9720 				  NL80211_MESHCONF_CONNECTED_TO_AS,
9721 				  nla_get_u8);
9722 	/*
9723 	 * Check HT operation mode based on
9724 	 * IEEE 802.11-2016 9.4.2.57 HT Operation element.
9725 	 */
9726 	if (tb[NL80211_MESHCONF_HT_OPMODE]) {
9727 		ht_opmode = nla_get_u16(tb[NL80211_MESHCONF_HT_OPMODE]);
9728 
9729 		if (ht_opmode & ~(IEEE80211_HT_OP_MODE_PROTECTION |
9730 				  IEEE80211_HT_OP_MODE_NON_GF_STA_PRSNT |
9731 				  IEEE80211_HT_OP_MODE_NON_HT_STA_PRSNT))
9732 			return -EINVAL;
9733 
9734 		/* NON_HT_STA bit is reserved, but some programs set it */
9735 		ht_opmode &= ~IEEE80211_HT_OP_MODE_NON_HT_STA_PRSNT;
9736 
9737 		cfg->ht_opmode = ht_opmode;
9738 		mask |= (1 << (NL80211_MESHCONF_HT_OPMODE - 1));
9739 	}
9740 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg,
9741 				  dot11MeshHWMPactivePathToRootTimeout, mask,
9742 				  NL80211_MESHCONF_HWMP_PATH_TO_ROOT_TIMEOUT,
9743 				  nla_get_u32);
9744 	if (mask & BIT(NL80211_MESHCONF_HWMP_PATH_TO_ROOT_TIMEOUT) &&
9745 	    (cfg->dot11MeshHWMPactivePathToRootTimeout < 1 ||
9746 	     cfg->dot11MeshHWMPactivePathToRootTimeout > 65535))
9747 		return -EINVAL;
9748 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMProotInterval, mask,
9749 				  NL80211_MESHCONF_HWMP_ROOT_INTERVAL,
9750 				  nla_get_u16);
9751 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPconfirmationInterval,
9752 				  mask,
9753 				  NL80211_MESHCONF_HWMP_CONFIRMATION_INTERVAL,
9754 				  nla_get_u16);
9755 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, power_mode, mask,
9756 				  NL80211_MESHCONF_POWER_MODE, nla_get_u32);
9757 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshAwakeWindowDuration, mask,
9758 				  NL80211_MESHCONF_AWAKE_WINDOW, nla_get_u16);
9759 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, plink_timeout, mask,
9760 				  NL80211_MESHCONF_PLINK_TIMEOUT, nla_get_u32);
9761 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshNolearn, mask,
9762 				  NL80211_MESHCONF_NOLEARN, nla_get_u8);
9763 	if (mask_out)
9764 		*mask_out = mask;
9765 
9766 	return 0;
9767 
9768 #undef FILL_IN_MESH_PARAM_IF_SET
9769 }
9770 
9771 static int nl80211_parse_mesh_setup(struct genl_info *info,
9772 				     struct mesh_setup *setup)
9773 {
9774 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9775 	struct nlattr *tb[NL80211_MESH_SETUP_ATTR_MAX + 1];
9776 
9777 	if (!info->attrs[NL80211_ATTR_MESH_SETUP])
9778 		return -EINVAL;
9779 	if (nla_parse_nested_deprecated(tb, NL80211_MESH_SETUP_ATTR_MAX, info->attrs[NL80211_ATTR_MESH_SETUP], nl80211_mesh_setup_params_policy, info->extack))
9780 		return -EINVAL;
9781 
9782 	if (tb[NL80211_MESH_SETUP_ENABLE_VENDOR_SYNC])
9783 		setup->sync_method =
9784 		(nla_get_u8(tb[NL80211_MESH_SETUP_ENABLE_VENDOR_SYNC])) ?
9785 		 IEEE80211_SYNC_METHOD_VENDOR :
9786 		 IEEE80211_SYNC_METHOD_NEIGHBOR_OFFSET;
9787 
9788 	if (tb[NL80211_MESH_SETUP_ENABLE_VENDOR_PATH_SEL])
9789 		setup->path_sel_proto =
9790 		(nla_get_u8(tb[NL80211_MESH_SETUP_ENABLE_VENDOR_PATH_SEL])) ?
9791 		 IEEE80211_PATH_PROTOCOL_VENDOR :
9792 		 IEEE80211_PATH_PROTOCOL_HWMP;
9793 
9794 	if (tb[NL80211_MESH_SETUP_ENABLE_VENDOR_METRIC])
9795 		setup->path_metric =
9796 		(nla_get_u8(tb[NL80211_MESH_SETUP_ENABLE_VENDOR_METRIC])) ?
9797 		 IEEE80211_PATH_METRIC_VENDOR :
9798 		 IEEE80211_PATH_METRIC_AIRTIME;
9799 
9800 	if (tb[NL80211_MESH_SETUP_IE]) {
9801 		struct nlattr *ieattr =
9802 			tb[NL80211_MESH_SETUP_IE];
9803 		setup->ie = nla_data(ieattr);
9804 		setup->ie_len = nla_len(ieattr);
9805 	}
9806 	if (tb[NL80211_MESH_SETUP_USERSPACE_MPM] &&
9807 	    !(rdev->wiphy.features & NL80211_FEATURE_USERSPACE_MPM))
9808 		return -EINVAL;
9809 	setup->user_mpm = nla_get_flag(tb[NL80211_MESH_SETUP_USERSPACE_MPM]);
9810 	setup->is_authenticated = nla_get_flag(tb[NL80211_MESH_SETUP_USERSPACE_AUTH]);
9811 	setup->is_secure = nla_get_flag(tb[NL80211_MESH_SETUP_USERSPACE_AMPE]);
9812 	if (setup->is_secure)
9813 		setup->user_mpm = true;
9814 
9815 	if (tb[NL80211_MESH_SETUP_AUTH_PROTOCOL]) {
9816 		if (!setup->user_mpm)
9817 			return -EINVAL;
9818 		setup->auth_id =
9819 			nla_get_u8(tb[NL80211_MESH_SETUP_AUTH_PROTOCOL]);
9820 	}
9821 
9822 	return 0;
9823 }
9824 
9825 static int nl80211_update_mesh_config(struct sk_buff *skb,
9826 				      struct genl_info *info)
9827 {
9828 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9829 	struct net_device *dev = info->user_ptr[1];
9830 	struct wireless_dev *wdev = dev->ieee80211_ptr;
9831 	struct mesh_config cfg = {};
9832 	u32 mask;
9833 	int err;
9834 
9835 	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT)
9836 		return -EOPNOTSUPP;
9837 
9838 	if (!rdev->ops->update_mesh_config)
9839 		return -EOPNOTSUPP;
9840 
9841 	err = nl80211_parse_mesh_config(info, &cfg, &mask);
9842 	if (err)
9843 		return err;
9844 
9845 	if (!wdev->u.mesh.id_len)
9846 		err = -ENOLINK;
9847 
9848 	if (!err)
9849 		err = rdev_update_mesh_config(rdev, dev, mask, &cfg);
9850 
9851 	return err;
9852 }
9853 
9854 static int nl80211_put_regdom(const struct ieee80211_regdomain *regdom,
9855 			      struct sk_buff *msg)
9856 {
9857 	struct nlattr *nl_reg_rules;
9858 	unsigned int i;
9859 
9860 	if (nla_put_string(msg, NL80211_ATTR_REG_ALPHA2, regdom->alpha2) ||
9861 	    (regdom->dfs_region &&
9862 	     nla_put_u8(msg, NL80211_ATTR_DFS_REGION, regdom->dfs_region)))
9863 		goto nla_put_failure;
9864 
9865 	nl_reg_rules = nla_nest_start_noflag(msg, NL80211_ATTR_REG_RULES);
9866 	if (!nl_reg_rules)
9867 		goto nla_put_failure;
9868 
9869 	for (i = 0; i < regdom->n_reg_rules; i++) {
9870 		struct nlattr *nl_reg_rule;
9871 		const struct ieee80211_reg_rule *reg_rule;
9872 		const struct ieee80211_freq_range *freq_range;
9873 		const struct ieee80211_power_rule *power_rule;
9874 		unsigned int max_bandwidth_khz;
9875 
9876 		reg_rule = &regdom->reg_rules[i];
9877 		freq_range = &reg_rule->freq_range;
9878 		power_rule = &reg_rule->power_rule;
9879 
9880 		nl_reg_rule = nla_nest_start_noflag(msg, i);
9881 		if (!nl_reg_rule)
9882 			goto nla_put_failure;
9883 
9884 		max_bandwidth_khz = freq_range->max_bandwidth_khz;
9885 		if (!max_bandwidth_khz)
9886 			max_bandwidth_khz = reg_get_max_bandwidth(regdom,
9887 								  reg_rule);
9888 
9889 		if (nla_put_u32(msg, NL80211_ATTR_REG_RULE_FLAGS,
9890 				reg_rule->flags) ||
9891 		    nla_put_u32(msg, NL80211_ATTR_FREQ_RANGE_START,
9892 				freq_range->start_freq_khz) ||
9893 		    nla_put_u32(msg, NL80211_ATTR_FREQ_RANGE_END,
9894 				freq_range->end_freq_khz) ||
9895 		    nla_put_u32(msg, NL80211_ATTR_FREQ_RANGE_MAX_BW,
9896 				max_bandwidth_khz) ||
9897 		    nla_put_u32(msg, NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN,
9898 				power_rule->max_antenna_gain) ||
9899 		    nla_put_u32(msg, NL80211_ATTR_POWER_RULE_MAX_EIRP,
9900 				power_rule->max_eirp) ||
9901 		    nla_put_u32(msg, NL80211_ATTR_DFS_CAC_TIME,
9902 				reg_rule->dfs_cac_ms))
9903 			goto nla_put_failure;
9904 
9905 		if ((reg_rule->flags & NL80211_RRF_PSD) &&
9906 		    nla_put_s8(msg, NL80211_ATTR_POWER_RULE_PSD,
9907 			       reg_rule->psd))
9908 			goto nla_put_failure;
9909 
9910 		nla_nest_end(msg, nl_reg_rule);
9911 	}
9912 
9913 	nla_nest_end(msg, nl_reg_rules);
9914 	return 0;
9915 
9916 nla_put_failure:
9917 	return -EMSGSIZE;
9918 }
9919 
9920 static int nl80211_get_reg_do(struct sk_buff *skb, struct genl_info *info)
9921 {
9922 	const struct ieee80211_regdomain *regdom = NULL;
9923 	struct cfg80211_registered_device *rdev;
9924 	struct wiphy *wiphy = NULL;
9925 	struct sk_buff *msg;
9926 	int err = -EMSGSIZE;
9927 	void *hdr;
9928 
9929 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
9930 	if (!msg)
9931 		return -ENOBUFS;
9932 
9933 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
9934 			     NL80211_CMD_GET_REG);
9935 	if (!hdr)
9936 		goto put_failure;
9937 
9938 	rtnl_lock();
9939 
9940 	if (info->attrs[NL80211_ATTR_WIPHY]) {
9941 		bool self_managed;
9942 
9943 		rdev = cfg80211_get_dev_from_info(genl_info_net(info), info);
9944 		if (IS_ERR(rdev)) {
9945 			err = PTR_ERR(rdev);
9946 			goto nla_put_failure;
9947 		}
9948 
9949 		wiphy = &rdev->wiphy;
9950 		self_managed = wiphy->regulatory_flags &
9951 			       REGULATORY_WIPHY_SELF_MANAGED;
9952 
9953 		rcu_read_lock();
9954 
9955 		regdom = get_wiphy_regdom(wiphy);
9956 
9957 		/* a self-managed-reg device must have a private regdom */
9958 		if (WARN_ON(!regdom && self_managed)) {
9959 			err = -EINVAL;
9960 			goto nla_put_failure_rcu;
9961 		}
9962 
9963 		if (regdom &&
9964 		    nla_put_u32(msg, NL80211_ATTR_WIPHY, get_wiphy_idx(wiphy)))
9965 			goto nla_put_failure_rcu;
9966 	} else {
9967 		rcu_read_lock();
9968 	}
9969 
9970 	if (!wiphy && reg_last_request_cell_base() &&
9971 	    nla_put_u32(msg, NL80211_ATTR_USER_REG_HINT_TYPE,
9972 			NL80211_USER_REG_HINT_CELL_BASE))
9973 		goto nla_put_failure_rcu;
9974 
9975 	if (!regdom)
9976 		regdom = rcu_dereference(cfg80211_regdomain);
9977 
9978 	if (nl80211_put_regdom(regdom, msg))
9979 		goto nla_put_failure_rcu;
9980 
9981 	rcu_read_unlock();
9982 
9983 	genlmsg_end(msg, hdr);
9984 	rtnl_unlock();
9985 	return genlmsg_reply(msg, info);
9986 
9987 nla_put_failure_rcu:
9988 	rcu_read_unlock();
9989 nla_put_failure:
9990 	rtnl_unlock();
9991 put_failure:
9992 	nlmsg_free(msg);
9993 	return err;
9994 }
9995 
9996 static int nl80211_send_regdom(struct sk_buff *msg, struct netlink_callback *cb,
9997 			       u32 seq, int flags, struct wiphy *wiphy,
9998 			       const struct ieee80211_regdomain *regdom)
9999 {
10000 	void *hdr = nl80211hdr_put(msg, NETLINK_CB(cb->skb).portid, seq, flags,
10001 				   NL80211_CMD_GET_REG);
10002 
10003 	if (!hdr)
10004 		return -1;
10005 
10006 	genl_dump_check_consistent(cb, hdr);
10007 
10008 	if (nl80211_put_regdom(regdom, msg))
10009 		goto nla_put_failure;
10010 
10011 	if (!wiphy && reg_last_request_cell_base() &&
10012 	    nla_put_u32(msg, NL80211_ATTR_USER_REG_HINT_TYPE,
10013 			NL80211_USER_REG_HINT_CELL_BASE))
10014 		goto nla_put_failure;
10015 
10016 	if (wiphy &&
10017 	    nla_put_u32(msg, NL80211_ATTR_WIPHY, get_wiphy_idx(wiphy)))
10018 		goto nla_put_failure;
10019 
10020 	if (wiphy && wiphy->regulatory_flags & REGULATORY_WIPHY_SELF_MANAGED &&
10021 	    nla_put_flag(msg, NL80211_ATTR_WIPHY_SELF_MANAGED_REG))
10022 		goto nla_put_failure;
10023 
10024 	genlmsg_end(msg, hdr);
10025 	return 0;
10026 
10027 nla_put_failure:
10028 	genlmsg_cancel(msg, hdr);
10029 	return -EMSGSIZE;
10030 }
10031 
10032 static int nl80211_get_reg_dump(struct sk_buff *skb,
10033 				struct netlink_callback *cb)
10034 {
10035 	const struct ieee80211_regdomain *regdom = NULL;
10036 	struct cfg80211_registered_device *rdev;
10037 	int err, reg_idx, start = cb->args[2];
10038 
10039 	rcu_read_lock();
10040 
10041 	if (cfg80211_regdomain && start == 0) {
10042 		err = nl80211_send_regdom(skb, cb, cb->nlh->nlmsg_seq,
10043 					  NLM_F_MULTI, NULL,
10044 					  rcu_dereference(cfg80211_regdomain));
10045 		if (err < 0)
10046 			goto out_err;
10047 	}
10048 
10049 	/* the global regdom is idx 0 */
10050 	reg_idx = 1;
10051 	list_for_each_entry_rcu(rdev, &cfg80211_rdev_list, list) {
10052 		regdom = get_wiphy_regdom(&rdev->wiphy);
10053 		if (!regdom)
10054 			continue;
10055 
10056 		if (++reg_idx <= start)
10057 			continue;
10058 
10059 		err = nl80211_send_regdom(skb, cb, cb->nlh->nlmsg_seq,
10060 					  NLM_F_MULTI, &rdev->wiphy, regdom);
10061 		if (err < 0) {
10062 			reg_idx--;
10063 			break;
10064 		}
10065 	}
10066 
10067 	cb->args[2] = reg_idx;
10068 	err = skb->len;
10069 out_err:
10070 	rcu_read_unlock();
10071 	return err;
10072 }
10073 
10074 #ifdef CONFIG_CFG80211_CRDA_SUPPORT
10075 static const struct nla_policy reg_rule_policy[NL80211_REG_RULE_ATTR_MAX + 1] = {
10076 	[NL80211_ATTR_REG_RULE_FLAGS]		= { .type = NLA_U32 },
10077 	[NL80211_ATTR_FREQ_RANGE_START]		= { .type = NLA_U32 },
10078 	[NL80211_ATTR_FREQ_RANGE_END]		= { .type = NLA_U32 },
10079 	[NL80211_ATTR_FREQ_RANGE_MAX_BW]	= { .type = NLA_U32 },
10080 	[NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN]	= { .type = NLA_U32 },
10081 	[NL80211_ATTR_POWER_RULE_MAX_EIRP]	= { .type = NLA_U32 },
10082 	[NL80211_ATTR_DFS_CAC_TIME]		= { .type = NLA_U32 },
10083 };
10084 
10085 static int parse_reg_rule(struct nlattr *tb[],
10086 	struct ieee80211_reg_rule *reg_rule)
10087 {
10088 	struct ieee80211_freq_range *freq_range = &reg_rule->freq_range;
10089 	struct ieee80211_power_rule *power_rule = &reg_rule->power_rule;
10090 
10091 	if (!tb[NL80211_ATTR_REG_RULE_FLAGS])
10092 		return -EINVAL;
10093 	if (!tb[NL80211_ATTR_FREQ_RANGE_START])
10094 		return -EINVAL;
10095 	if (!tb[NL80211_ATTR_FREQ_RANGE_END])
10096 		return -EINVAL;
10097 	if (!tb[NL80211_ATTR_FREQ_RANGE_MAX_BW])
10098 		return -EINVAL;
10099 	if (!tb[NL80211_ATTR_POWER_RULE_MAX_EIRP])
10100 		return -EINVAL;
10101 
10102 	reg_rule->flags = nla_get_u32(tb[NL80211_ATTR_REG_RULE_FLAGS]);
10103 
10104 	freq_range->start_freq_khz =
10105 		nla_get_u32(tb[NL80211_ATTR_FREQ_RANGE_START]);
10106 	freq_range->end_freq_khz =
10107 		nla_get_u32(tb[NL80211_ATTR_FREQ_RANGE_END]);
10108 	freq_range->max_bandwidth_khz =
10109 		nla_get_u32(tb[NL80211_ATTR_FREQ_RANGE_MAX_BW]);
10110 
10111 	power_rule->max_eirp =
10112 		nla_get_u32(tb[NL80211_ATTR_POWER_RULE_MAX_EIRP]);
10113 
10114 	if (tb[NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN])
10115 		power_rule->max_antenna_gain =
10116 			nla_get_u32(tb[NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN]);
10117 
10118 	if (tb[NL80211_ATTR_DFS_CAC_TIME])
10119 		reg_rule->dfs_cac_ms =
10120 			nla_get_u32(tb[NL80211_ATTR_DFS_CAC_TIME]);
10121 
10122 	return 0;
10123 }
10124 
10125 static int nl80211_set_reg(struct sk_buff *skb, struct genl_info *info)
10126 {
10127 	struct nlattr *tb[NL80211_REG_RULE_ATTR_MAX + 1];
10128 	struct nlattr *nl_reg_rule;
10129 	char *alpha2;
10130 	int rem_reg_rules, r;
10131 	u32 num_rules = 0, rule_idx = 0;
10132 	enum nl80211_dfs_regions dfs_region = NL80211_DFS_UNSET;
10133 	struct ieee80211_regdomain *rd;
10134 
10135 	if (!info->attrs[NL80211_ATTR_REG_ALPHA2])
10136 		return -EINVAL;
10137 
10138 	if (!info->attrs[NL80211_ATTR_REG_RULES])
10139 		return -EINVAL;
10140 
10141 	alpha2 = nla_data(info->attrs[NL80211_ATTR_REG_ALPHA2]);
10142 
10143 	if (info->attrs[NL80211_ATTR_DFS_REGION])
10144 		dfs_region = nla_get_u8(info->attrs[NL80211_ATTR_DFS_REGION]);
10145 
10146 	nla_for_each_nested(nl_reg_rule, info->attrs[NL80211_ATTR_REG_RULES],
10147 			    rem_reg_rules) {
10148 		num_rules++;
10149 		if (num_rules > NL80211_MAX_SUPP_REG_RULES)
10150 			return -EINVAL;
10151 	}
10152 
10153 	rtnl_lock();
10154 	if (!reg_is_valid_request(alpha2)) {
10155 		r = -EINVAL;
10156 		goto out;
10157 	}
10158 
10159 	rd = kzalloc_flex(*rd, reg_rules, num_rules);
10160 	if (!rd) {
10161 		r = -ENOMEM;
10162 		goto out;
10163 	}
10164 
10165 	rd->n_reg_rules = num_rules;
10166 	rd->alpha2[0] = alpha2[0];
10167 	rd->alpha2[1] = alpha2[1];
10168 
10169 	/*
10170 	 * Disable DFS master mode if the DFS region was
10171 	 * not supported or known on this kernel.
10172 	 */
10173 	if (reg_supported_dfs_region(dfs_region))
10174 		rd->dfs_region = dfs_region;
10175 
10176 	nla_for_each_nested(nl_reg_rule, info->attrs[NL80211_ATTR_REG_RULES],
10177 			    rem_reg_rules) {
10178 		r = nla_parse_nested_deprecated(tb, NL80211_REG_RULE_ATTR_MAX,
10179 						nl_reg_rule, reg_rule_policy,
10180 						info->extack);
10181 		if (r)
10182 			goto bad_reg;
10183 		r = parse_reg_rule(tb, &rd->reg_rules[rule_idx]);
10184 		if (r)
10185 			goto bad_reg;
10186 
10187 		rule_idx++;
10188 
10189 		if (rule_idx > NL80211_MAX_SUPP_REG_RULES) {
10190 			r = -EINVAL;
10191 			goto bad_reg;
10192 		}
10193 	}
10194 
10195 	r = set_regdom(rd, REGD_SOURCE_CRDA);
10196 	/* set_regdom takes ownership of rd */
10197 	rd = NULL;
10198  bad_reg:
10199 	kfree(rd);
10200  out:
10201 	rtnl_unlock();
10202 	return r;
10203 }
10204 #endif /* CONFIG_CFG80211_CRDA_SUPPORT */
10205 
10206 static int validate_scan_freqs(struct nlattr *freqs)
10207 {
10208 	struct nlattr *attr1, *attr2;
10209 	int n_channels = 0, tmp1, tmp2;
10210 
10211 	nla_for_each_nested(attr1, freqs, tmp1)
10212 		if (nla_len(attr1) != sizeof(u32))
10213 			return 0;
10214 
10215 	nla_for_each_nested(attr1, freqs, tmp1) {
10216 		n_channels++;
10217 		/*
10218 		 * Some hardware has a limited channel list for
10219 		 * scanning, and it is pretty much nonsensical
10220 		 * to scan for a channel twice, so disallow that
10221 		 * and don't require drivers to check that the
10222 		 * channel list they get isn't longer than what
10223 		 * they can scan, as long as they can scan all
10224 		 * the channels they registered at once.
10225 		 */
10226 		nla_for_each_nested(attr2, freqs, tmp2)
10227 			if (attr1 != attr2 &&
10228 			    nla_get_u32(attr1) == nla_get_u32(attr2))
10229 				return 0;
10230 	}
10231 
10232 	return n_channels;
10233 }
10234 
10235 static bool is_band_valid(struct wiphy *wiphy, enum nl80211_band b)
10236 {
10237 	return b < NUM_NL80211_BANDS && wiphy->bands[b];
10238 }
10239 
10240 static int parse_bss_select(struct nlattr *nla, struct wiphy *wiphy,
10241 			    struct cfg80211_bss_selection *bss_select)
10242 {
10243 	struct nlattr *attr[NL80211_BSS_SELECT_ATTR_MAX + 1];
10244 	struct nlattr *nest;
10245 	int err;
10246 	bool found = false;
10247 	int i;
10248 
10249 	/* only process one nested attribute */
10250 	nest = nla_data(nla);
10251 	if (!nla_ok(nest, nla_len(nest)))
10252 		return -EINVAL;
10253 
10254 	err = nla_parse_nested_deprecated(attr, NL80211_BSS_SELECT_ATTR_MAX,
10255 					  nest, nl80211_bss_select_policy,
10256 					  NULL);
10257 	if (err)
10258 		return err;
10259 
10260 	/* only one attribute may be given */
10261 	for (i = 0; i <= NL80211_BSS_SELECT_ATTR_MAX; i++) {
10262 		if (attr[i]) {
10263 			if (found)
10264 				return -EINVAL;
10265 			found = true;
10266 		}
10267 	}
10268 
10269 	bss_select->behaviour = __NL80211_BSS_SELECT_ATTR_INVALID;
10270 
10271 	if (attr[NL80211_BSS_SELECT_ATTR_RSSI])
10272 		bss_select->behaviour = NL80211_BSS_SELECT_ATTR_RSSI;
10273 
10274 	if (attr[NL80211_BSS_SELECT_ATTR_BAND_PREF]) {
10275 		bss_select->behaviour = NL80211_BSS_SELECT_ATTR_BAND_PREF;
10276 		bss_select->param.band_pref =
10277 			nla_get_u32(attr[NL80211_BSS_SELECT_ATTR_BAND_PREF]);
10278 		if (!is_band_valid(wiphy, bss_select->param.band_pref))
10279 			return -EINVAL;
10280 	}
10281 
10282 	if (attr[NL80211_BSS_SELECT_ATTR_RSSI_ADJUST]) {
10283 		struct nl80211_bss_select_rssi_adjust *adj_param;
10284 
10285 		adj_param = nla_data(attr[NL80211_BSS_SELECT_ATTR_RSSI_ADJUST]);
10286 		bss_select->behaviour = NL80211_BSS_SELECT_ATTR_RSSI_ADJUST;
10287 		bss_select->param.adjust.band = adj_param->band;
10288 		bss_select->param.adjust.delta = adj_param->delta;
10289 		if (!is_band_valid(wiphy, bss_select->param.adjust.band))
10290 			return -EINVAL;
10291 	}
10292 
10293 	/* user-space did not provide behaviour attribute */
10294 	if (bss_select->behaviour == __NL80211_BSS_SELECT_ATTR_INVALID)
10295 		return -EINVAL;
10296 
10297 	if (!(wiphy->bss_select_support & BIT(bss_select->behaviour)))
10298 		return -EINVAL;
10299 
10300 	return 0;
10301 }
10302 
10303 int nl80211_parse_random_mac(struct nlattr **attrs,
10304 			     u8 *mac_addr, u8 *mac_addr_mask)
10305 {
10306 	int i;
10307 
10308 	if (!attrs[NL80211_ATTR_MAC] && !attrs[NL80211_ATTR_MAC_MASK]) {
10309 		eth_zero_addr(mac_addr);
10310 		eth_zero_addr(mac_addr_mask);
10311 		mac_addr[0] = 0x2;
10312 		mac_addr_mask[0] = 0x3;
10313 
10314 		return 0;
10315 	}
10316 
10317 	/* need both or none */
10318 	if (!attrs[NL80211_ATTR_MAC] || !attrs[NL80211_ATTR_MAC_MASK])
10319 		return -EINVAL;
10320 
10321 	memcpy(mac_addr, nla_data(attrs[NL80211_ATTR_MAC]), ETH_ALEN);
10322 	memcpy(mac_addr_mask, nla_data(attrs[NL80211_ATTR_MAC_MASK]), ETH_ALEN);
10323 
10324 	/* don't allow or configure an mcast address */
10325 	if (!is_multicast_ether_addr(mac_addr_mask) ||
10326 	    is_multicast_ether_addr(mac_addr))
10327 		return -EINVAL;
10328 
10329 	/*
10330 	 * allow users to pass a MAC address that has bits set outside
10331 	 * of the mask, but don't bother drivers with having to deal
10332 	 * with such bits
10333 	 */
10334 	for (i = 0; i < ETH_ALEN; i++)
10335 		mac_addr[i] &= mac_addr_mask[i];
10336 
10337 	return 0;
10338 }
10339 
10340 static bool cfg80211_off_channel_oper_allowed(struct wireless_dev *wdev,
10341 					      struct ieee80211_channel *chan)
10342 {
10343 	unsigned int link_id;
10344 	bool all_ok = true;
10345 	int radio_idx;
10346 
10347 	lockdep_assert_wiphy(wdev->wiphy);
10348 
10349 	if (!cfg80211_wdev_channel_allowed(wdev, chan))
10350 		return false;
10351 
10352 	if (!cfg80211_beaconing_iface_active(wdev))
10353 		return true;
10354 
10355 	radio_idx = cfg80211_get_radio_idx_by_chan(wdev->wiphy, chan);
10356 
10357 	/*
10358 	 * FIXME: check if we have a free radio/link for chan
10359 	 *
10360 	 * This, as well as the FIXME below, requires knowing the link
10361 	 * capabilities of the hardware.
10362 	 */
10363 
10364 	/* we cannot leave radar channels */
10365 	for_each_valid_link(wdev, link_id) {
10366 		struct cfg80211_chan_def *chandef;
10367 		int link_radio_idx;
10368 
10369 		chandef = wdev_chandef(wdev, link_id);
10370 		if (!chandef || !chandef->chan)
10371 			continue;
10372 
10373 		if (!(chandef->chan->flags & IEEE80211_CHAN_RADAR))
10374 			continue;
10375 
10376 		/*
10377 		 * chandef->chan is a radar channel. If the radio/link onto
10378 		 * which this radar channel falls is the same radio/link onto
10379 		 * which the input 'chan' falls, off-channel operation should
10380 		 * not be allowed. Hence, set 'all_ok' to false.
10381 		 */
10382 
10383 		link_radio_idx = cfg80211_get_radio_idx_by_chan(wdev->wiphy,
10384 								chandef->chan);
10385 		if (link_radio_idx == radio_idx) {
10386 			all_ok = false;
10387 			break;
10388 		}
10389 	}
10390 
10391 	if (all_ok)
10392 		return true;
10393 
10394 	return regulatory_pre_cac_allowed(wdev->wiphy);
10395 }
10396 
10397 static bool nl80211_check_scan_feat(struct wiphy *wiphy, u32 flags, u32 flag,
10398 				    enum nl80211_ext_feature_index feat)
10399 {
10400 	if (!(flags & flag))
10401 		return true;
10402 	if (wiphy_ext_feature_isset(wiphy, feat))
10403 		return true;
10404 	return false;
10405 }
10406 
10407 static int
10408 nl80211_check_scan_flags(struct wiphy *wiphy, struct wireless_dev *wdev,
10409 			 struct nlattr **attrs, u8 *mac_addr, u8 *mac_addr_mask,
10410 			 u32 *flags, enum nl80211_feature_flags randomness_flag)
10411 {
10412 	if (!attrs[NL80211_ATTR_SCAN_FLAGS])
10413 		return 0;
10414 
10415 	*flags = nla_get_u32(attrs[NL80211_ATTR_SCAN_FLAGS]);
10416 
10417 	if (((*flags & NL80211_SCAN_FLAG_LOW_PRIORITY) &&
10418 	     !(wiphy->features & NL80211_FEATURE_LOW_PRIORITY_SCAN)) ||
10419 	    !nl80211_check_scan_feat(wiphy, *flags,
10420 				     NL80211_SCAN_FLAG_LOW_SPAN,
10421 				     NL80211_EXT_FEATURE_LOW_SPAN_SCAN) ||
10422 	    !nl80211_check_scan_feat(wiphy, *flags,
10423 				     NL80211_SCAN_FLAG_LOW_POWER,
10424 				     NL80211_EXT_FEATURE_LOW_POWER_SCAN) ||
10425 	    !nl80211_check_scan_feat(wiphy, *flags,
10426 				     NL80211_SCAN_FLAG_HIGH_ACCURACY,
10427 				     NL80211_EXT_FEATURE_HIGH_ACCURACY_SCAN) ||
10428 	    !nl80211_check_scan_feat(wiphy, *flags,
10429 				     NL80211_SCAN_FLAG_FILS_MAX_CHANNEL_TIME,
10430 				     NL80211_EXT_FEATURE_FILS_MAX_CHANNEL_TIME) ||
10431 	    !nl80211_check_scan_feat(wiphy, *flags,
10432 				     NL80211_SCAN_FLAG_ACCEPT_BCAST_PROBE_RESP,
10433 				     NL80211_EXT_FEATURE_ACCEPT_BCAST_PROBE_RESP) ||
10434 	    !nl80211_check_scan_feat(wiphy, *flags,
10435 				     NL80211_SCAN_FLAG_OCE_PROBE_REQ_DEFERRAL_SUPPRESSION,
10436 				     NL80211_EXT_FEATURE_OCE_PROBE_REQ_DEFERRAL_SUPPRESSION) ||
10437 	    !nl80211_check_scan_feat(wiphy, *flags,
10438 				     NL80211_SCAN_FLAG_OCE_PROBE_REQ_HIGH_TX_RATE,
10439 				     NL80211_EXT_FEATURE_OCE_PROBE_REQ_HIGH_TX_RATE) ||
10440 	    !nl80211_check_scan_feat(wiphy, *flags,
10441 				     NL80211_SCAN_FLAG_RANDOM_SN,
10442 				     NL80211_EXT_FEATURE_SCAN_RANDOM_SN) ||
10443 	    !nl80211_check_scan_feat(wiphy, *flags,
10444 				     NL80211_SCAN_FLAG_MIN_PREQ_CONTENT,
10445 				     NL80211_EXT_FEATURE_SCAN_MIN_PREQ_CONTENT))
10446 		return -EOPNOTSUPP;
10447 
10448 	if (*flags & NL80211_SCAN_FLAG_RANDOM_ADDR) {
10449 		int err;
10450 
10451 		if (!(wiphy->features & randomness_flag) ||
10452 		    (wdev && wdev->connected))
10453 			return -EOPNOTSUPP;
10454 
10455 		err = nl80211_parse_random_mac(attrs, mac_addr, mac_addr_mask);
10456 		if (err)
10457 			return err;
10458 	}
10459 
10460 	return 0;
10461 }
10462 
10463 static int
10464 nl80211_check_scan_flags_sched(struct wiphy *wiphy, struct wireless_dev *wdev,
10465 			       struct nlattr **attrs,
10466 			       struct cfg80211_sched_scan_request *req)
10467 {
10468 	return nl80211_check_scan_flags(wiphy, wdev, attrs,
10469 					req->mac_addr, req->mac_addr_mask,
10470 					&req->flags,
10471 					wdev ? NL80211_FEATURE_SCHED_SCAN_RANDOM_MAC_ADDR :
10472 					       NL80211_FEATURE_ND_RANDOM_MAC_ADDR);
10473 }
10474 
10475 static int
10476 nl80211_check_scan_flags_reg(struct wiphy *wiphy, struct wireless_dev *wdev,
10477 			     struct nlattr **attrs,
10478 			     struct cfg80211_scan_request_int *req)
10479 {
10480 	return nl80211_check_scan_flags(wiphy, wdev, attrs,
10481 					req->req.mac_addr,
10482 					req->req.mac_addr_mask,
10483 					&req->req.flags,
10484 					NL80211_FEATURE_SCAN_RANDOM_MAC_ADDR);
10485 }
10486 
10487 static int nl80211_trigger_scan(struct sk_buff *skb, struct genl_info *info)
10488 {
10489 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10490 	struct wireless_dev *wdev = info->user_ptr[1];
10491 	struct cfg80211_scan_request_int *request;
10492 	struct nlattr *scan_freqs = NULL;
10493 	bool scan_freqs_khz = false;
10494 	struct nlattr *attr;
10495 	struct wiphy *wiphy;
10496 	int err, tmp, n_ssids = 0, n_channels, i;
10497 	size_t ie_len, size;
10498 	size_t ssids_offset, ie_offset;
10499 
10500 	wiphy = &rdev->wiphy;
10501 
10502 	if (wdev->iftype == NL80211_IFTYPE_NAN)
10503 		return -EOPNOTSUPP;
10504 
10505 	if (!rdev->ops->scan)
10506 		return -EOPNOTSUPP;
10507 
10508 	if (rdev->scan_req || rdev->scan_msg)
10509 		return -EBUSY;
10510 
10511 	if (info->attrs[NL80211_ATTR_SCAN_FREQ_KHZ]) {
10512 		if (!wiphy_ext_feature_isset(wiphy,
10513 					     NL80211_EXT_FEATURE_SCAN_FREQ_KHZ))
10514 			return -EOPNOTSUPP;
10515 		scan_freqs = info->attrs[NL80211_ATTR_SCAN_FREQ_KHZ];
10516 		scan_freqs_khz = true;
10517 	} else if (info->attrs[NL80211_ATTR_SCAN_FREQUENCIES])
10518 		scan_freqs = info->attrs[NL80211_ATTR_SCAN_FREQUENCIES];
10519 
10520 	if (scan_freqs) {
10521 		n_channels = validate_scan_freqs(scan_freqs);
10522 		if (!n_channels)
10523 			return -EINVAL;
10524 	} else {
10525 		n_channels = ieee80211_get_num_supported_channels(wiphy);
10526 	}
10527 
10528 	if (info->attrs[NL80211_ATTR_SCAN_SSIDS])
10529 		nla_for_each_nested(attr, info->attrs[NL80211_ATTR_SCAN_SSIDS], tmp)
10530 			n_ssids++;
10531 
10532 	if (n_ssids > wiphy->max_scan_ssids)
10533 		return -EINVAL;
10534 
10535 	if (info->attrs[NL80211_ATTR_IE])
10536 		ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
10537 	else
10538 		ie_len = 0;
10539 
10540 	if (ie_len > wiphy->max_scan_ie_len)
10541 		return -EINVAL;
10542 
10543 	size = struct_size(request, req.channels, n_channels);
10544 	ssids_offset = size;
10545 	size = size_add(size, array_size(sizeof(*request->req.ssids), n_ssids));
10546 	ie_offset = size;
10547 	size = size_add(size, ie_len);
10548 	request = kzalloc(size, GFP_KERNEL);
10549 	if (!request)
10550 		return -ENOMEM;
10551 
10552 	if (n_ssids)
10553 		request->req.ssids = (void *)request + ssids_offset;
10554 	request->req.n_ssids = n_ssids;
10555 	if (ie_len)
10556 		request->req.ie = (void *)request + ie_offset;
10557 
10558 	i = 0;
10559 	if (scan_freqs) {
10560 		/* user specified, bail out if channel not found */
10561 		nla_for_each_nested(attr, scan_freqs, tmp) {
10562 			struct ieee80211_channel *chan;
10563 			int freq = nla_get_u32(attr);
10564 
10565 			if (!scan_freqs_khz)
10566 				freq = MHZ_TO_KHZ(freq);
10567 
10568 			chan = ieee80211_get_channel_khz(wiphy, freq);
10569 			if (!chan) {
10570 				err = -EINVAL;
10571 				goto out_free;
10572 			}
10573 
10574 			/* Ignore disabled / no primary channels */
10575 			if (chan->flags & IEEE80211_CHAN_DISABLED ||
10576 			    chan->flags & IEEE80211_CHAN_S1G_NO_PRIMARY ||
10577 			    !cfg80211_wdev_channel_allowed(wdev, chan))
10578 				continue;
10579 
10580 			request->req.channels[i] = chan;
10581 			i++;
10582 		}
10583 	} else {
10584 		enum nl80211_band band;
10585 
10586 		/* all channels */
10587 		for (band = 0; band < NUM_NL80211_BANDS; band++) {
10588 			int j;
10589 
10590 			if (!wiphy->bands[band])
10591 				continue;
10592 			for (j = 0; j < wiphy->bands[band]->n_channels; j++) {
10593 				struct ieee80211_channel *chan;
10594 
10595 				chan = &wiphy->bands[band]->channels[j];
10596 
10597 				if (chan->flags & IEEE80211_CHAN_DISABLED ||
10598 				    chan->flags &
10599 					    IEEE80211_CHAN_S1G_NO_PRIMARY ||
10600 				    !cfg80211_wdev_channel_allowed(wdev, chan))
10601 					continue;
10602 
10603 				request->req.channels[i] = chan;
10604 				i++;
10605 			}
10606 		}
10607 	}
10608 
10609 	if (!i) {
10610 		err = -EINVAL;
10611 		goto out_free;
10612 	}
10613 
10614 	request->req.n_channels = i;
10615 
10616 	for (i = 0; i < request->req.n_channels; i++) {
10617 		struct ieee80211_channel *chan = request->req.channels[i];
10618 
10619 		/* if we can go off-channel to the target channel we're good */
10620 		if (cfg80211_off_channel_oper_allowed(wdev, chan))
10621 			continue;
10622 
10623 		if (!cfg80211_wdev_on_sub_chan(wdev, chan, true)) {
10624 			err = -EBUSY;
10625 			goto out_free;
10626 		}
10627 	}
10628 
10629 	i = 0;
10630 	if (n_ssids) {
10631 		nla_for_each_nested(attr, info->attrs[NL80211_ATTR_SCAN_SSIDS], tmp) {
10632 			if (nla_len(attr) > IEEE80211_MAX_SSID_LEN) {
10633 				err = -EINVAL;
10634 				goto out_free;
10635 			}
10636 			request->req.ssids[i].ssid_len = nla_len(attr);
10637 			memcpy(request->req.ssids[i].ssid,
10638 			       nla_data(attr), nla_len(attr));
10639 			i++;
10640 		}
10641 	}
10642 
10643 	if (info->attrs[NL80211_ATTR_IE]) {
10644 		request->req.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
10645 		memcpy((void *)request->req.ie,
10646 		       nla_data(info->attrs[NL80211_ATTR_IE]),
10647 		       request->req.ie_len);
10648 	}
10649 
10650 	for (i = 0; i < NUM_NL80211_BANDS; i++)
10651 		if (wiphy->bands[i])
10652 			request->req.rates[i] =
10653 				(1 << wiphy->bands[i]->n_bitrates) - 1;
10654 
10655 	if (info->attrs[NL80211_ATTR_SCAN_SUPP_RATES]) {
10656 		nla_for_each_nested(attr,
10657 				    info->attrs[NL80211_ATTR_SCAN_SUPP_RATES],
10658 				    tmp) {
10659 			enum nl80211_band band = nla_type(attr);
10660 
10661 			if (band < 0 || band >= NUM_NL80211_BANDS) {
10662 				err = -EINVAL;
10663 				goto out_free;
10664 			}
10665 
10666 			if (!wiphy->bands[band])
10667 				continue;
10668 
10669 			err = ieee80211_get_ratemask(wiphy->bands[band],
10670 						     nla_data(attr),
10671 						     nla_len(attr),
10672 						     &request->req.rates[band]);
10673 			if (err)
10674 				goto out_free;
10675 		}
10676 	}
10677 
10678 	if (info->attrs[NL80211_ATTR_MEASUREMENT_DURATION]) {
10679 		request->req.duration =
10680 			nla_get_u16(info->attrs[NL80211_ATTR_MEASUREMENT_DURATION]);
10681 		request->req.duration_mandatory =
10682 			nla_get_flag(info->attrs[NL80211_ATTR_MEASUREMENT_DURATION_MANDATORY]);
10683 	}
10684 
10685 	err = nl80211_check_scan_flags_reg(wiphy, wdev, info->attrs, request);
10686 	if (err)
10687 		goto out_free;
10688 
10689 	request->req.no_cck =
10690 		nla_get_flag(info->attrs[NL80211_ATTR_TX_NO_CCK_RATE]);
10691 
10692 	/* Initial implementation used NL80211_ATTR_MAC to set the specific
10693 	 * BSSID to scan for. This was problematic because that same attribute
10694 	 * was already used for another purpose (local random MAC address). The
10695 	 * NL80211_ATTR_BSSID attribute was added to fix this. For backwards
10696 	 * compatibility with older userspace components, also use the
10697 	 * NL80211_ATTR_MAC value here if it can be determined to be used for
10698 	 * the specific BSSID use case instead of the random MAC address
10699 	 * (NL80211_ATTR_SCAN_FLAGS is used to enable random MAC address use).
10700 	 */
10701 	if (info->attrs[NL80211_ATTR_BSSID])
10702 		memcpy(request->req.bssid,
10703 		       nla_data(info->attrs[NL80211_ATTR_BSSID]), ETH_ALEN);
10704 	else if (!(request->req.flags & NL80211_SCAN_FLAG_RANDOM_ADDR) &&
10705 		 info->attrs[NL80211_ATTR_MAC])
10706 		memcpy(request->req.bssid,
10707 		       nla_data(info->attrs[NL80211_ATTR_MAC]),
10708 		       ETH_ALEN);
10709 	else
10710 		eth_broadcast_addr(request->req.bssid);
10711 
10712 	request->req.tsf_report_link_id =
10713 		nl80211_link_id_or_invalid(info->attrs);
10714 	request->req.wdev = wdev;
10715 	request->req.wiphy = &rdev->wiphy;
10716 	request->req.scan_start = jiffies;
10717 
10718 	rdev->scan_req = request;
10719 	err = cfg80211_scan(rdev);
10720 
10721 	if (err)
10722 		goto out_free;
10723 
10724 	nl80211_send_scan_start(rdev, wdev);
10725 	dev_hold(wdev->netdev);
10726 
10727 	return 0;
10728 
10729  out_free:
10730 	rdev->scan_req = NULL;
10731 	kfree(request);
10732 
10733 	return err;
10734 }
10735 
10736 static int nl80211_abort_scan(struct sk_buff *skb, struct genl_info *info)
10737 {
10738 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10739 	struct wireless_dev *wdev = info->user_ptr[1];
10740 
10741 	if (!rdev->ops->abort_scan)
10742 		return -EOPNOTSUPP;
10743 
10744 	if (rdev->scan_msg)
10745 		return 0;
10746 
10747 	if (!rdev->scan_req)
10748 		return -ENOENT;
10749 
10750 	rdev_abort_scan(rdev, wdev);
10751 	return 0;
10752 }
10753 
10754 static int
10755 nl80211_parse_sched_scan_plans(struct wiphy *wiphy, int n_plans,
10756 			       struct cfg80211_sched_scan_request *request,
10757 			       struct nlattr **attrs)
10758 {
10759 	int tmp, err, i = 0;
10760 	struct nlattr *attr;
10761 
10762 	if (!attrs[NL80211_ATTR_SCHED_SCAN_PLANS]) {
10763 		u32 interval;
10764 
10765 		/*
10766 		 * If scan plans are not specified,
10767 		 * %NL80211_ATTR_SCHED_SCAN_INTERVAL will be specified. In this
10768 		 * case one scan plan will be set with the specified scan
10769 		 * interval and infinite number of iterations.
10770 		 */
10771 		interval = nla_get_u32(attrs[NL80211_ATTR_SCHED_SCAN_INTERVAL]);
10772 		if (!interval)
10773 			return -EINVAL;
10774 
10775 		request->scan_plans[0].interval =
10776 			DIV_ROUND_UP(interval, MSEC_PER_SEC);
10777 		if (!request->scan_plans[0].interval)
10778 			return -EINVAL;
10779 
10780 		if (request->scan_plans[0].interval >
10781 		    wiphy->max_sched_scan_plan_interval)
10782 			request->scan_plans[0].interval =
10783 				wiphy->max_sched_scan_plan_interval;
10784 
10785 		return 0;
10786 	}
10787 
10788 	nla_for_each_nested(attr, attrs[NL80211_ATTR_SCHED_SCAN_PLANS], tmp) {
10789 		struct nlattr *plan[NL80211_SCHED_SCAN_PLAN_MAX + 1];
10790 
10791 		if (WARN_ON(i >= n_plans))
10792 			return -EINVAL;
10793 
10794 		err = nla_parse_nested_deprecated(plan,
10795 						  NL80211_SCHED_SCAN_PLAN_MAX,
10796 						  attr, nl80211_plan_policy,
10797 						  NULL);
10798 		if (err)
10799 			return err;
10800 
10801 		if (!plan[NL80211_SCHED_SCAN_PLAN_INTERVAL])
10802 			return -EINVAL;
10803 
10804 		request->scan_plans[i].interval =
10805 			nla_get_u32(plan[NL80211_SCHED_SCAN_PLAN_INTERVAL]);
10806 		if (!request->scan_plans[i].interval ||
10807 		    request->scan_plans[i].interval >
10808 		    wiphy->max_sched_scan_plan_interval)
10809 			return -EINVAL;
10810 
10811 		if (plan[NL80211_SCHED_SCAN_PLAN_ITERATIONS]) {
10812 			request->scan_plans[i].iterations =
10813 				nla_get_u32(plan[NL80211_SCHED_SCAN_PLAN_ITERATIONS]);
10814 			if (!request->scan_plans[i].iterations ||
10815 			    (request->scan_plans[i].iterations >
10816 			     wiphy->max_sched_scan_plan_iterations))
10817 				return -EINVAL;
10818 		} else if (i < n_plans - 1) {
10819 			/*
10820 			 * All scan plans but the last one must specify
10821 			 * a finite number of iterations
10822 			 */
10823 			return -EINVAL;
10824 		}
10825 
10826 		i++;
10827 	}
10828 
10829 	/*
10830 	 * The last scan plan must not specify the number of
10831 	 * iterations, it is supposed to run infinitely
10832 	 */
10833 	if (request->scan_plans[n_plans - 1].iterations)
10834 		return  -EINVAL;
10835 
10836 	return 0;
10837 }
10838 
10839 static struct cfg80211_sched_scan_request *
10840 nl80211_parse_sched_scan(struct wiphy *wiphy, struct wireless_dev *wdev,
10841 			 struct nlattr **attrs, int max_match_sets)
10842 {
10843 	struct cfg80211_sched_scan_request *request;
10844 	struct nlattr *attr;
10845 	int err, tmp, n_ssids = 0, n_match_sets = 0, n_channels, i, n_plans = 0;
10846 	enum nl80211_band band;
10847 	size_t ie_len, size;
10848 	struct nlattr *tb[NL80211_SCHED_SCAN_MATCH_ATTR_MAX + 1];
10849 	s32 default_match_rssi = NL80211_SCAN_RSSI_THOLD_OFF;
10850 
10851 	if (attrs[NL80211_ATTR_SCAN_FREQUENCIES]) {
10852 		n_channels = validate_scan_freqs(
10853 				attrs[NL80211_ATTR_SCAN_FREQUENCIES]);
10854 		if (!n_channels)
10855 			return ERR_PTR(-EINVAL);
10856 	} else {
10857 		n_channels = ieee80211_get_num_supported_channels(wiphy);
10858 	}
10859 
10860 	if (attrs[NL80211_ATTR_SCAN_SSIDS])
10861 		nla_for_each_nested(attr, attrs[NL80211_ATTR_SCAN_SSIDS],
10862 				    tmp)
10863 			n_ssids++;
10864 
10865 	if (n_ssids > wiphy->max_sched_scan_ssids)
10866 		return ERR_PTR(-EINVAL);
10867 
10868 	/*
10869 	 * First, count the number of 'real' matchsets. Due to an issue with
10870 	 * the old implementation, matchsets containing only the RSSI attribute
10871 	 * (NL80211_SCHED_SCAN_MATCH_ATTR_RSSI) are considered as the 'default'
10872 	 * RSSI for all matchsets, rather than their own matchset for reporting
10873 	 * all APs with a strong RSSI. This is needed to be compatible with
10874 	 * older userspace that treated a matchset with only the RSSI as the
10875 	 * global RSSI for all other matchsets - if there are other matchsets.
10876 	 */
10877 	if (attrs[NL80211_ATTR_SCHED_SCAN_MATCH]) {
10878 		nla_for_each_nested(attr,
10879 				    attrs[NL80211_ATTR_SCHED_SCAN_MATCH],
10880 				    tmp) {
10881 			struct nlattr *rssi;
10882 
10883 			err = nla_parse_nested_deprecated(tb,
10884 							  NL80211_SCHED_SCAN_MATCH_ATTR_MAX,
10885 							  attr,
10886 							  nl80211_match_policy,
10887 							  NULL);
10888 			if (err)
10889 				return ERR_PTR(err);
10890 
10891 			/* SSID and BSSID are mutually exclusive */
10892 			if (tb[NL80211_SCHED_SCAN_MATCH_ATTR_SSID] &&
10893 			    tb[NL80211_SCHED_SCAN_MATCH_ATTR_BSSID])
10894 				return ERR_PTR(-EINVAL);
10895 
10896 			/* add other standalone attributes here */
10897 			if (tb[NL80211_SCHED_SCAN_MATCH_ATTR_SSID] ||
10898 			    tb[NL80211_SCHED_SCAN_MATCH_ATTR_BSSID]) {
10899 				n_match_sets++;
10900 				continue;
10901 			}
10902 			rssi = tb[NL80211_SCHED_SCAN_MATCH_ATTR_RSSI];
10903 			if (rssi)
10904 				default_match_rssi = nla_get_s32(rssi);
10905 		}
10906 	}
10907 
10908 	/* However, if there's no other matchset, add the RSSI one */
10909 	if (!n_match_sets && default_match_rssi != NL80211_SCAN_RSSI_THOLD_OFF)
10910 		n_match_sets = 1;
10911 
10912 	if (n_match_sets > max_match_sets)
10913 		return ERR_PTR(-EINVAL);
10914 
10915 	if (attrs[NL80211_ATTR_IE])
10916 		ie_len = nla_len(attrs[NL80211_ATTR_IE]);
10917 	else
10918 		ie_len = 0;
10919 
10920 	if (ie_len > wiphy->max_sched_scan_ie_len)
10921 		return ERR_PTR(-EINVAL);
10922 
10923 	if (attrs[NL80211_ATTR_SCHED_SCAN_PLANS]) {
10924 		/*
10925 		 * NL80211_ATTR_SCHED_SCAN_INTERVAL must not be specified since
10926 		 * each scan plan already specifies its own interval
10927 		 */
10928 		if (attrs[NL80211_ATTR_SCHED_SCAN_INTERVAL])
10929 			return ERR_PTR(-EINVAL);
10930 
10931 		nla_for_each_nested(attr,
10932 				    attrs[NL80211_ATTR_SCHED_SCAN_PLANS], tmp)
10933 			n_plans++;
10934 	} else {
10935 		/*
10936 		 * The scan interval attribute is kept for backward
10937 		 * compatibility. If no scan plans are specified and sched scan
10938 		 * interval is specified, one scan plan will be set with this
10939 		 * scan interval and infinite number of iterations.
10940 		 */
10941 		if (!attrs[NL80211_ATTR_SCHED_SCAN_INTERVAL])
10942 			return ERR_PTR(-EINVAL);
10943 
10944 		n_plans = 1;
10945 	}
10946 
10947 	if (!n_plans || n_plans > wiphy->max_sched_scan_plans)
10948 		return ERR_PTR(-EINVAL);
10949 
10950 	if (!wiphy_ext_feature_isset(
10951 		    wiphy, NL80211_EXT_FEATURE_SCHED_SCAN_RELATIVE_RSSI) &&
10952 	    (attrs[NL80211_ATTR_SCHED_SCAN_RELATIVE_RSSI] ||
10953 	     attrs[NL80211_ATTR_SCHED_SCAN_RSSI_ADJUST]))
10954 		return ERR_PTR(-EINVAL);
10955 
10956 	size = struct_size(request, channels, n_channels);
10957 	size = size_add(size, array_size(sizeof(*request->ssids), n_ssids));
10958 	size = size_add(size, array_size(sizeof(*request->match_sets),
10959 					 n_match_sets));
10960 	size = size_add(size, array_size(sizeof(*request->scan_plans),
10961 					 n_plans));
10962 	size = size_add(size, ie_len);
10963 	request = kzalloc(size, GFP_KERNEL);
10964 	if (!request)
10965 		return ERR_PTR(-ENOMEM);
10966 	request->n_channels = n_channels;
10967 
10968 	if (n_ssids)
10969 		request->ssids = (void *)request +
10970 			struct_size(request, channels, n_channels);
10971 	request->n_ssids = n_ssids;
10972 	if (ie_len) {
10973 		if (n_ssids)
10974 			request->ie = (void *)(request->ssids + n_ssids);
10975 		else
10976 			request->ie = (void *)(request->channels + n_channels);
10977 	}
10978 
10979 	if (n_match_sets) {
10980 		if (request->ie)
10981 			request->match_sets = (void *)(request->ie + ie_len);
10982 		else if (n_ssids)
10983 			request->match_sets =
10984 				(void *)(request->ssids + n_ssids);
10985 		else
10986 			request->match_sets =
10987 				(void *)(request->channels + n_channels);
10988 	}
10989 	request->n_match_sets = n_match_sets;
10990 
10991 	if (n_match_sets)
10992 		request->scan_plans = (void *)(request->match_sets +
10993 					       n_match_sets);
10994 	else if (request->ie)
10995 		request->scan_plans = (void *)(request->ie + ie_len);
10996 	else if (n_ssids)
10997 		request->scan_plans = (void *)(request->ssids + n_ssids);
10998 	else
10999 		request->scan_plans = (void *)(request->channels + n_channels);
11000 
11001 	request->n_scan_plans = n_plans;
11002 
11003 	i = 0;
11004 	if (attrs[NL80211_ATTR_SCAN_FREQUENCIES]) {
11005 		/* user specified, bail out if channel not found */
11006 		nla_for_each_nested(attr,
11007 				    attrs[NL80211_ATTR_SCAN_FREQUENCIES],
11008 				    tmp) {
11009 			struct ieee80211_channel *chan;
11010 
11011 			chan = ieee80211_get_channel(wiphy, nla_get_u32(attr));
11012 
11013 			if (!chan) {
11014 				err = -EINVAL;
11015 				goto out_free;
11016 			}
11017 
11018 			/* ignore disabled channels */
11019 			if (chan->flags & IEEE80211_CHAN_DISABLED)
11020 				continue;
11021 
11022 			request->channels[i] = chan;
11023 			i++;
11024 		}
11025 	} else {
11026 		/* all channels */
11027 		for (band = 0; band < NUM_NL80211_BANDS; band++) {
11028 			int j;
11029 
11030 			if (!wiphy->bands[band])
11031 				continue;
11032 			for (j = 0; j < wiphy->bands[band]->n_channels; j++) {
11033 				struct ieee80211_channel *chan;
11034 
11035 				chan = &wiphy->bands[band]->channels[j];
11036 
11037 				if (chan->flags & IEEE80211_CHAN_DISABLED)
11038 					continue;
11039 
11040 				request->channels[i] = chan;
11041 				i++;
11042 			}
11043 		}
11044 	}
11045 
11046 	if (!i) {
11047 		err = -EINVAL;
11048 		goto out_free;
11049 	}
11050 
11051 	request->n_channels = i;
11052 
11053 	i = 0;
11054 	if (n_ssids) {
11055 		nla_for_each_nested(attr, attrs[NL80211_ATTR_SCAN_SSIDS],
11056 				    tmp) {
11057 			if (nla_len(attr) > IEEE80211_MAX_SSID_LEN) {
11058 				err = -EINVAL;
11059 				goto out_free;
11060 			}
11061 			request->ssids[i].ssid_len = nla_len(attr);
11062 			memcpy(request->ssids[i].ssid, nla_data(attr),
11063 			       nla_len(attr));
11064 			i++;
11065 		}
11066 	}
11067 
11068 	i = 0;
11069 	if (attrs[NL80211_ATTR_SCHED_SCAN_MATCH]) {
11070 		nla_for_each_nested(attr,
11071 				    attrs[NL80211_ATTR_SCHED_SCAN_MATCH],
11072 				    tmp) {
11073 			struct nlattr *ssid, *bssid, *rssi;
11074 
11075 			err = nla_parse_nested_deprecated(tb,
11076 							  NL80211_SCHED_SCAN_MATCH_ATTR_MAX,
11077 							  attr,
11078 							  nl80211_match_policy,
11079 							  NULL);
11080 			if (err)
11081 				goto out_free;
11082 			ssid = tb[NL80211_SCHED_SCAN_MATCH_ATTR_SSID];
11083 			bssid = tb[NL80211_SCHED_SCAN_MATCH_ATTR_BSSID];
11084 
11085 			if (!ssid && !bssid) {
11086 				i++;
11087 				continue;
11088 			}
11089 
11090 			if (WARN_ON(i >= n_match_sets)) {
11091 				/* this indicates a programming error,
11092 				 * the loop above should have verified
11093 				 * things properly
11094 				 */
11095 				err = -EINVAL;
11096 				goto out_free;
11097 			}
11098 
11099 			if (ssid) {
11100 				memcpy(request->match_sets[i].ssid.ssid,
11101 				       nla_data(ssid), nla_len(ssid));
11102 				request->match_sets[i].ssid.ssid_len =
11103 					nla_len(ssid);
11104 			}
11105 			if (bssid)
11106 				memcpy(request->match_sets[i].bssid,
11107 				       nla_data(bssid), ETH_ALEN);
11108 
11109 			/* special attribute - old implementation w/a */
11110 			request->match_sets[i].rssi_thold = default_match_rssi;
11111 			rssi = tb[NL80211_SCHED_SCAN_MATCH_ATTR_RSSI];
11112 			if (rssi)
11113 				request->match_sets[i].rssi_thold =
11114 					nla_get_s32(rssi);
11115 			i++;
11116 		}
11117 
11118 		/* there was no other matchset, so the RSSI one is alone */
11119 		if (i == 0 && n_match_sets)
11120 			request->match_sets[0].rssi_thold = default_match_rssi;
11121 
11122 		request->min_rssi_thold = INT_MAX;
11123 		for (i = 0; i < n_match_sets; i++)
11124 			request->min_rssi_thold =
11125 				min(request->match_sets[i].rssi_thold,
11126 				    request->min_rssi_thold);
11127 	} else {
11128 		request->min_rssi_thold = NL80211_SCAN_RSSI_THOLD_OFF;
11129 	}
11130 
11131 	if (ie_len) {
11132 		request->ie_len = ie_len;
11133 		memcpy((void *)request->ie,
11134 		       nla_data(attrs[NL80211_ATTR_IE]),
11135 		       request->ie_len);
11136 	}
11137 
11138 	err = nl80211_check_scan_flags_sched(wiphy, wdev, attrs, request);
11139 	if (err)
11140 		goto out_free;
11141 
11142 	if (attrs[NL80211_ATTR_SCHED_SCAN_DELAY])
11143 		request->delay =
11144 			nla_get_u32(attrs[NL80211_ATTR_SCHED_SCAN_DELAY]);
11145 
11146 	if (attrs[NL80211_ATTR_SCHED_SCAN_RELATIVE_RSSI]) {
11147 		request->relative_rssi = nla_get_s8(
11148 			attrs[NL80211_ATTR_SCHED_SCAN_RELATIVE_RSSI]);
11149 		request->relative_rssi_set = true;
11150 	}
11151 
11152 	if (request->relative_rssi_set &&
11153 	    attrs[NL80211_ATTR_SCHED_SCAN_RSSI_ADJUST]) {
11154 		struct nl80211_bss_select_rssi_adjust *rssi_adjust;
11155 
11156 		rssi_adjust = nla_data(
11157 			attrs[NL80211_ATTR_SCHED_SCAN_RSSI_ADJUST]);
11158 		request->rssi_adjust.band = rssi_adjust->band;
11159 		request->rssi_adjust.delta = rssi_adjust->delta;
11160 		if (!is_band_valid(wiphy, request->rssi_adjust.band)) {
11161 			err = -EINVAL;
11162 			goto out_free;
11163 		}
11164 	}
11165 
11166 	err = nl80211_parse_sched_scan_plans(wiphy, n_plans, request, attrs);
11167 	if (err)
11168 		goto out_free;
11169 
11170 	request->scan_start = jiffies;
11171 
11172 	return request;
11173 
11174 out_free:
11175 	kfree(request);
11176 	return ERR_PTR(err);
11177 }
11178 
11179 static int nl80211_start_sched_scan(struct sk_buff *skb,
11180 				    struct genl_info *info)
11181 {
11182 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11183 	struct net_device *dev = info->user_ptr[1];
11184 	struct wireless_dev *wdev = dev->ieee80211_ptr;
11185 	struct cfg80211_sched_scan_request *sched_scan_req;
11186 	bool want_multi;
11187 	int err;
11188 
11189 	if (!rdev->wiphy.max_sched_scan_reqs || !rdev->ops->sched_scan_start)
11190 		return -EOPNOTSUPP;
11191 
11192 	want_multi = info->attrs[NL80211_ATTR_SCHED_SCAN_MULTI];
11193 	err = cfg80211_sched_scan_req_possible(rdev, want_multi);
11194 	if (err)
11195 		return err;
11196 
11197 	sched_scan_req = nl80211_parse_sched_scan(&rdev->wiphy, wdev,
11198 						  info->attrs,
11199 						  rdev->wiphy.max_match_sets);
11200 
11201 	err = PTR_ERR_OR_ZERO(sched_scan_req);
11202 	if (err)
11203 		goto out_err;
11204 
11205 	/* leave request id zero for legacy request
11206 	 * or if driver does not support multi-scheduled scan
11207 	 */
11208 	if (want_multi && rdev->wiphy.max_sched_scan_reqs > 1)
11209 		sched_scan_req->reqid = cfg80211_assign_cookie(rdev);
11210 
11211 	err = rdev_sched_scan_start(rdev, dev, sched_scan_req);
11212 	if (err)
11213 		goto out_free;
11214 
11215 	sched_scan_req->dev = dev;
11216 	sched_scan_req->wiphy = &rdev->wiphy;
11217 
11218 	if (info->attrs[NL80211_ATTR_SOCKET_OWNER])
11219 		sched_scan_req->owner_nlportid = info->snd_portid;
11220 
11221 	cfg80211_add_sched_scan_req(rdev, sched_scan_req);
11222 
11223 	nl80211_send_sched_scan(sched_scan_req, NL80211_CMD_START_SCHED_SCAN);
11224 	return 0;
11225 
11226 out_free:
11227 	kfree(sched_scan_req);
11228 out_err:
11229 	return err;
11230 }
11231 
11232 static int nl80211_stop_sched_scan(struct sk_buff *skb,
11233 				   struct genl_info *info)
11234 {
11235 	struct cfg80211_sched_scan_request *req;
11236 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11237 	u64 cookie;
11238 
11239 	if (!rdev->wiphy.max_sched_scan_reqs || !rdev->ops->sched_scan_stop)
11240 		return -EOPNOTSUPP;
11241 
11242 	if (info->attrs[NL80211_ATTR_COOKIE]) {
11243 		cookie = nla_get_u64(info->attrs[NL80211_ATTR_COOKIE]);
11244 		return __cfg80211_stop_sched_scan(rdev, cookie, false);
11245 	}
11246 
11247 	req = list_first_or_null_rcu(&rdev->sched_scan_req_list,
11248 				     struct cfg80211_sched_scan_request,
11249 				     list);
11250 	if (!req || req->reqid ||
11251 	    (req->owner_nlportid &&
11252 	     req->owner_nlportid != info->snd_portid))
11253 		return -ENOENT;
11254 
11255 	return cfg80211_stop_sched_scan_req(rdev, req, false);
11256 }
11257 
11258 static int nl80211_start_radar_detection(struct sk_buff *skb,
11259 					 struct genl_info *info)
11260 {
11261 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11262 	struct net_device *dev = info->user_ptr[1];
11263 	struct wireless_dev *wdev = dev->ieee80211_ptr;
11264 	int link_id = nl80211_link_id(info->attrs);
11265 	struct wiphy *wiphy = wdev->wiphy;
11266 	struct cfg80211_chan_def chandef;
11267 	enum nl80211_dfs_regions dfs_region;
11268 	unsigned int cac_time_ms;
11269 	int err;
11270 
11271 	flush_delayed_work(&rdev->dfs_update_channels_wk);
11272 
11273 	switch (wdev->iftype) {
11274 	case NL80211_IFTYPE_AP:
11275 	case NL80211_IFTYPE_P2P_GO:
11276 	case NL80211_IFTYPE_MESH_POINT:
11277 	case NL80211_IFTYPE_ADHOC:
11278 		break;
11279 	default:
11280 		/* caution - see cfg80211_beaconing_iface_active() below */
11281 		return -EINVAL;
11282 	}
11283 
11284 	guard(wiphy)(wiphy);
11285 
11286 	dfs_region = reg_get_dfs_region(wiphy);
11287 	if (dfs_region == NL80211_DFS_UNSET)
11288 		return -EINVAL;
11289 
11290 	err = nl80211_parse_chandef(rdev, info, &chandef);
11291 	if (err)
11292 		return err;
11293 
11294 	err = cfg80211_chandef_dfs_required(wiphy, &chandef, wdev->iftype);
11295 	if (err < 0)
11296 		return err;
11297 
11298 	if (err == 0)
11299 		return -EINVAL;
11300 
11301 	if (!cfg80211_chandef_dfs_usable(wiphy, &chandef))
11302 		return -EINVAL;
11303 
11304 	if (nla_get_flag(info->attrs[NL80211_ATTR_RADAR_BACKGROUND]))
11305 		return cfg80211_start_background_radar_detection(rdev, wdev,
11306 								 &chandef);
11307 
11308 	if (cfg80211_beaconing_iface_active(wdev)) {
11309 		/* During MLO other link(s) can beacon, only the current link
11310 		 * can not already beacon
11311 		 */
11312 		if (wdev->valid_links &&
11313 		    !wdev->links[link_id].ap.beacon_interval) {
11314 			/* nothing */
11315 		} else {
11316 			return -EBUSY;
11317 		}
11318 	}
11319 
11320 	if (wdev->links[link_id].cac_started)
11321 		return -EBUSY;
11322 
11323 	/* CAC start is offloaded to HW and can't be started manually */
11324 	if (wiphy_ext_feature_isset(wiphy, NL80211_EXT_FEATURE_DFS_OFFLOAD))
11325 		return -EOPNOTSUPP;
11326 
11327 	if (!rdev->ops->start_radar_detection)
11328 		return -EOPNOTSUPP;
11329 
11330 	cac_time_ms = cfg80211_chandef_dfs_cac_time(&rdev->wiphy, &chandef);
11331 	if (WARN_ON(!cac_time_ms))
11332 		cac_time_ms = IEEE80211_DFS_MIN_CAC_TIME_MS;
11333 
11334 	err = rdev_start_radar_detection(rdev, dev, &chandef, cac_time_ms,
11335 					 link_id);
11336 	if (err)
11337 		return err;
11338 
11339 	switch (wdev->iftype) {
11340 	case NL80211_IFTYPE_AP:
11341 	case NL80211_IFTYPE_P2P_GO:
11342 		wdev->links[link_id].ap.chandef = chandef;
11343 		break;
11344 	case NL80211_IFTYPE_ADHOC:
11345 		wdev->u.ibss.chandef = chandef;
11346 		break;
11347 	case NL80211_IFTYPE_MESH_POINT:
11348 		wdev->u.mesh.chandef = chandef;
11349 		break;
11350 	default:
11351 		break;
11352 	}
11353 	wdev->links[link_id].cac_started = true;
11354 	wdev->links[link_id].cac_start_time = jiffies;
11355 	wdev->links[link_id].cac_time_ms = cac_time_ms;
11356 
11357 	return 0;
11358 }
11359 
11360 static int nl80211_notify_radar_detection(struct sk_buff *skb,
11361 					  struct genl_info *info)
11362 {
11363 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11364 	struct net_device *dev = info->user_ptr[1];
11365 	struct wireless_dev *wdev = dev->ieee80211_ptr;
11366 	struct wiphy *wiphy = wdev->wiphy;
11367 	struct cfg80211_chan_def chandef;
11368 	enum nl80211_dfs_regions dfs_region;
11369 	int err;
11370 
11371 	dfs_region = reg_get_dfs_region(wiphy);
11372 	if (dfs_region == NL80211_DFS_UNSET) {
11373 		GENL_SET_ERR_MSG(info,
11374 				 "DFS Region is not set. Unexpected Radar indication");
11375 		return -EINVAL;
11376 	}
11377 
11378 	err = nl80211_parse_chandef(rdev, info, &chandef);
11379 	if (err) {
11380 		GENL_SET_ERR_MSG(info, "Unable to extract chandef info");
11381 		return err;
11382 	}
11383 
11384 	err = cfg80211_chandef_dfs_required(wiphy, &chandef, wdev->iftype);
11385 	if (err < 0) {
11386 		GENL_SET_ERR_MSG(info, "chandef is invalid");
11387 		return err;
11388 	}
11389 
11390 	if (err == 0) {
11391 		GENL_SET_ERR_MSG(info,
11392 				 "Unexpected Radar indication for chandef/iftype");
11393 		return -EINVAL;
11394 	}
11395 
11396 	/* Do not process this notification if radar is already detected
11397 	 * by kernel on this channel, and return success.
11398 	 */
11399 	if (chandef.chan->dfs_state == NL80211_DFS_UNAVAILABLE)
11400 		return 0;
11401 
11402 	cfg80211_set_dfs_state(wiphy, &chandef, NL80211_DFS_UNAVAILABLE);
11403 
11404 	cfg80211_sched_dfs_chan_update(rdev);
11405 
11406 	rdev->radar_chandef = chandef;
11407 
11408 	/* Propagate this notification to other radios as well */
11409 	queue_work(cfg80211_wq, &rdev->propagate_radar_detect_wk);
11410 
11411 	return 0;
11412 }
11413 
11414 static int nl80211_parse_counter_offsets(struct cfg80211_registered_device *rdev,
11415 					 const u8 *data, size_t datalen,
11416 					 int first_count, struct nlattr *attr,
11417 					 const u16 **offsets, unsigned int *n_offsets)
11418 {
11419 	int i;
11420 
11421 	*n_offsets = 0;
11422 
11423 	if (!attr)
11424 		return 0;
11425 
11426 	if (!nla_len(attr) || (nla_len(attr) % sizeof(u16)))
11427 		return -EINVAL;
11428 
11429 	*n_offsets = nla_len(attr) / sizeof(u16);
11430 	if (rdev->wiphy.max_num_csa_counters &&
11431 	    (*n_offsets > rdev->wiphy.max_num_csa_counters))
11432 		return -EINVAL;
11433 
11434 	*offsets = nla_data(attr);
11435 
11436 	/* sanity checks - counters should fit and be the same */
11437 	for (i = 0; i < *n_offsets; i++) {
11438 		u16 offset = (*offsets)[i];
11439 
11440 		if (offset >= datalen)
11441 			return -EINVAL;
11442 
11443 		if (first_count != -1 && data[offset] != first_count)
11444 			return -EINVAL;
11445 	}
11446 
11447 	return 0;
11448 }
11449 
11450 static int nl80211_channel_switch(struct sk_buff *skb, struct genl_info *info)
11451 {
11452 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11453 	unsigned int link_id = nl80211_link_id(info->attrs);
11454 	struct net_device *dev = info->user_ptr[1];
11455 	struct wireless_dev *wdev = dev->ieee80211_ptr;
11456 	struct cfg80211_csa_settings params;
11457 	struct nlattr **csa_attrs = NULL;
11458 	int err;
11459 	bool need_new_beacon = false;
11460 	bool need_handle_dfs_flag = true;
11461 	u32 cs_count;
11462 
11463 	if (!rdev->ops->channel_switch ||
11464 	    !(rdev->wiphy.flags & WIPHY_FLAG_HAS_CHANNEL_SWITCH))
11465 		return -EOPNOTSUPP;
11466 
11467 	switch (dev->ieee80211_ptr->iftype) {
11468 	case NL80211_IFTYPE_AP:
11469 	case NL80211_IFTYPE_P2P_GO:
11470 		need_new_beacon = true;
11471 		/* For all modes except AP the handle_dfs flag needs to be
11472 		 * supplied to tell the kernel that userspace will handle radar
11473 		 * events when they happen. Otherwise a switch to a channel
11474 		 * requiring DFS will be rejected.
11475 		 */
11476 		need_handle_dfs_flag = false;
11477 
11478 		/* useless if AP is not running */
11479 		if (!wdev->links[link_id].ap.beacon_interval)
11480 			return -ENOTCONN;
11481 		break;
11482 	case NL80211_IFTYPE_ADHOC:
11483 		if (!wdev->u.ibss.ssid_len)
11484 			return -ENOTCONN;
11485 		break;
11486 	case NL80211_IFTYPE_MESH_POINT:
11487 		if (!wdev->u.mesh.id_len)
11488 			return -ENOTCONN;
11489 		break;
11490 	default:
11491 		return -EOPNOTSUPP;
11492 	}
11493 
11494 	memset(&params, 0, sizeof(params));
11495 	params.beacon_csa.ftm_responder = -1;
11496 
11497 	if (!info->attrs[NL80211_ATTR_WIPHY_FREQ] ||
11498 	    !info->attrs[NL80211_ATTR_CH_SWITCH_COUNT])
11499 		return -EINVAL;
11500 
11501 	/* only important for AP, IBSS and mesh create IEs internally */
11502 	if (need_new_beacon && !info->attrs[NL80211_ATTR_CSA_IES])
11503 		return -EINVAL;
11504 
11505 	/* Even though the attribute is u32, the specification says
11506 	 * u8, so let's make sure we don't overflow.
11507 	 */
11508 	cs_count = nla_get_u32(info->attrs[NL80211_ATTR_CH_SWITCH_COUNT]);
11509 	if (cs_count > 255)
11510 		return -EINVAL;
11511 
11512 	params.count = cs_count;
11513 
11514 	if (!need_new_beacon)
11515 		goto skip_beacons;
11516 
11517 	err = nl80211_parse_beacon(rdev, info->attrs, &params.beacon_after,
11518 				   info->extack);
11519 	if (err)
11520 		goto free;
11521 
11522 	csa_attrs = kzalloc_objs(*csa_attrs, NL80211_ATTR_MAX + 1);
11523 	if (!csa_attrs) {
11524 		err = -ENOMEM;
11525 		goto free;
11526 	}
11527 
11528 	err = nla_parse_nested_deprecated(csa_attrs, NL80211_ATTR_MAX,
11529 					  info->attrs[NL80211_ATTR_CSA_IES],
11530 					  nl80211_policy, info->extack);
11531 	if (err)
11532 		goto free;
11533 
11534 	err = nl80211_parse_beacon(rdev, csa_attrs, &params.beacon_csa,
11535 				   info->extack);
11536 	if (err)
11537 		goto free;
11538 
11539 	if (!csa_attrs[NL80211_ATTR_CNTDWN_OFFS_BEACON]) {
11540 		err = -EINVAL;
11541 		goto free;
11542 	}
11543 
11544 	err = nl80211_parse_counter_offsets(rdev, params.beacon_csa.tail,
11545 					    params.beacon_csa.tail_len,
11546 					    params.count,
11547 					    csa_attrs[NL80211_ATTR_CNTDWN_OFFS_BEACON],
11548 					    &params.counter_offsets_beacon,
11549 					    &params.n_counter_offsets_beacon);
11550 	if (err)
11551 		goto free;
11552 
11553 	err = nl80211_parse_counter_offsets(rdev, params.beacon_csa.probe_resp,
11554 					    params.beacon_csa.probe_resp_len,
11555 					    params.count,
11556 					    csa_attrs[NL80211_ATTR_CNTDWN_OFFS_PRESP],
11557 					    &params.counter_offsets_presp,
11558 					    &params.n_counter_offsets_presp);
11559 	if (err)
11560 		goto free;
11561 
11562 skip_beacons:
11563 	err = nl80211_parse_chandef(rdev, info, &params.chandef);
11564 	if (err)
11565 		goto free;
11566 
11567 	if (!cfg80211_reg_can_beacon_relax(&rdev->wiphy, &params.chandef,
11568 					   wdev->iftype)) {
11569 		err = -EINVAL;
11570 		goto free;
11571 	}
11572 
11573 	err = cfg80211_chandef_dfs_required(wdev->wiphy,
11574 					    &params.chandef,
11575 					    wdev->iftype);
11576 	if (err < 0)
11577 		goto free;
11578 
11579 	if (err > 0) {
11580 		params.radar_required = true;
11581 		if (need_handle_dfs_flag &&
11582 		    !nla_get_flag(info->attrs[NL80211_ATTR_HANDLE_DFS])) {
11583 			err = -EINVAL;
11584 			goto free;
11585 		}
11586 	}
11587 
11588 	if (info->attrs[NL80211_ATTR_CH_SWITCH_BLOCK_TX])
11589 		params.block_tx = true;
11590 
11591 	if ((wdev->iftype == NL80211_IFTYPE_AP ||
11592 	     wdev->iftype == NL80211_IFTYPE_P2P_GO) &&
11593 	    info->attrs[NL80211_ATTR_UNSOL_BCAST_PROBE_RESP]) {
11594 		err = nl80211_parse_unsol_bcast_probe_resp(
11595 			rdev, info->attrs[NL80211_ATTR_UNSOL_BCAST_PROBE_RESP],
11596 			&params.unsol_bcast_probe_resp);
11597 		if (err)
11598 			goto free;
11599 	}
11600 
11601 	params.link_id = link_id;
11602 	err = rdev_channel_switch(rdev, dev, &params);
11603 
11604 free:
11605 	kfree(params.beacon_after.mbssid_ies);
11606 	kfree(params.beacon_csa.mbssid_ies);
11607 	kfree(params.beacon_after.rnr_ies);
11608 	kfree(params.beacon_csa.rnr_ies);
11609 	kfree(csa_attrs);
11610 	return err;
11611 }
11612 
11613 static int nl80211_send_bss(struct sk_buff *msg, struct netlink_callback *cb,
11614 			    u32 seq, int flags,
11615 			    struct cfg80211_registered_device *rdev,
11616 			    struct wireless_dev *wdev,
11617 			    struct cfg80211_internal_bss *intbss)
11618 {
11619 	struct cfg80211_bss *res = &intbss->pub;
11620 	const struct cfg80211_bss_ies *ies;
11621 	unsigned int link_id;
11622 	void *hdr;
11623 	struct nlattr *bss;
11624 
11625 	lockdep_assert_wiphy(wdev->wiphy);
11626 
11627 	hdr = nl80211hdr_put(msg, NETLINK_CB(cb->skb).portid, seq, flags,
11628 			     NL80211_CMD_NEW_SCAN_RESULTS);
11629 	if (!hdr)
11630 		return -1;
11631 
11632 	genl_dump_check_consistent(cb, hdr);
11633 
11634 	if (nla_put_u32(msg, NL80211_ATTR_GENERATION, rdev->bss_generation))
11635 		goto nla_put_failure;
11636 	if (wdev->netdev &&
11637 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, wdev->netdev->ifindex))
11638 		goto nla_put_failure;
11639 	if (nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
11640 			      NL80211_ATTR_PAD))
11641 		goto nla_put_failure;
11642 
11643 	bss = nla_nest_start_noflag(msg, NL80211_ATTR_BSS);
11644 	if (!bss)
11645 		goto nla_put_failure;
11646 	if ((!is_zero_ether_addr(res->bssid) &&
11647 	     nla_put(msg, NL80211_BSS_BSSID, ETH_ALEN, res->bssid)))
11648 		goto nla_put_failure;
11649 
11650 	rcu_read_lock();
11651 	/* indicate whether we have probe response data or not */
11652 	if (rcu_access_pointer(res->proberesp_ies) &&
11653 	    nla_put_flag(msg, NL80211_BSS_PRESP_DATA))
11654 		goto fail_unlock_rcu;
11655 
11656 	/* this pointer prefers to be pointed to probe response data
11657 	 * but is always valid
11658 	 */
11659 	ies = rcu_dereference(res->ies);
11660 	if (ies) {
11661 		if (nla_put_u64_64bit(msg, NL80211_BSS_TSF, ies->tsf,
11662 				      NL80211_BSS_PAD))
11663 			goto fail_unlock_rcu;
11664 		if (ies->len && nla_put(msg, NL80211_BSS_INFORMATION_ELEMENTS,
11665 					ies->len, ies->data))
11666 			goto fail_unlock_rcu;
11667 	}
11668 
11669 	/* and this pointer is always (unless driver didn't know) beacon data */
11670 	ies = rcu_dereference(res->beacon_ies);
11671 	if (ies && ies->from_beacon) {
11672 		if (nla_put_u64_64bit(msg, NL80211_BSS_BEACON_TSF, ies->tsf,
11673 				      NL80211_BSS_PAD))
11674 			goto fail_unlock_rcu;
11675 		if (ies->len && nla_put(msg, NL80211_BSS_BEACON_IES,
11676 					ies->len, ies->data))
11677 			goto fail_unlock_rcu;
11678 	}
11679 	rcu_read_unlock();
11680 
11681 	if (res->beacon_interval &&
11682 	    nla_put_u16(msg, NL80211_BSS_BEACON_INTERVAL, res->beacon_interval))
11683 		goto nla_put_failure;
11684 	if (nla_put_u16(msg, NL80211_BSS_CAPABILITY, res->capability) ||
11685 	    nla_put_u32(msg, NL80211_BSS_FREQUENCY, res->channel->center_freq) ||
11686 	    nla_put_u32(msg, NL80211_BSS_FREQUENCY_OFFSET,
11687 			res->channel->freq_offset) ||
11688 	    nla_put_u32(msg, NL80211_BSS_SEEN_MS_AGO,
11689 			jiffies_to_msecs(jiffies - intbss->ts)))
11690 		goto nla_put_failure;
11691 
11692 	if (intbss->parent_tsf &&
11693 	    (nla_put_u64_64bit(msg, NL80211_BSS_PARENT_TSF,
11694 			       intbss->parent_tsf, NL80211_BSS_PAD) ||
11695 	     nla_put(msg, NL80211_BSS_PARENT_BSSID, ETH_ALEN,
11696 		     intbss->parent_bssid)))
11697 		goto nla_put_failure;
11698 
11699 	if (res->ts_boottime &&
11700 	    nla_put_u64_64bit(msg, NL80211_BSS_LAST_SEEN_BOOTTIME,
11701 			      res->ts_boottime, NL80211_BSS_PAD))
11702 		goto nla_put_failure;
11703 
11704 	if (!nl80211_put_signal(msg, intbss->pub.chains,
11705 				intbss->pub.chain_signal,
11706 				NL80211_BSS_CHAIN_SIGNAL))
11707 		goto nla_put_failure;
11708 
11709 	if (intbss->bss_source != BSS_SOURCE_STA_PROFILE) {
11710 		switch (rdev->wiphy.signal_type) {
11711 		case CFG80211_SIGNAL_TYPE_MBM:
11712 			if (nla_put_u32(msg, NL80211_BSS_SIGNAL_MBM,
11713 					res->signal))
11714 				goto nla_put_failure;
11715 			break;
11716 		case CFG80211_SIGNAL_TYPE_UNSPEC:
11717 			if (nla_put_u8(msg, NL80211_BSS_SIGNAL_UNSPEC,
11718 				       res->signal))
11719 				goto nla_put_failure;
11720 			break;
11721 		default:
11722 			break;
11723 		}
11724 	}
11725 
11726 	switch (wdev->iftype) {
11727 	case NL80211_IFTYPE_P2P_CLIENT:
11728 	case NL80211_IFTYPE_STATION:
11729 		for_each_valid_link(wdev, link_id) {
11730 			if (intbss == wdev->links[link_id].client.current_bss &&
11731 			    (nla_put_u32(msg, NL80211_BSS_STATUS,
11732 					 NL80211_BSS_STATUS_ASSOCIATED) ||
11733 			     (wdev->valid_links &&
11734 			      (nla_put_u8(msg, NL80211_BSS_MLO_LINK_ID,
11735 					  link_id) ||
11736 			       nla_put(msg, NL80211_BSS_MLD_ADDR, ETH_ALEN,
11737 				       wdev->u.client.connected_addr)))))
11738 				goto nla_put_failure;
11739 		}
11740 		break;
11741 	case NL80211_IFTYPE_ADHOC:
11742 		if (intbss == wdev->u.ibss.current_bss &&
11743 		    nla_put_u32(msg, NL80211_BSS_STATUS,
11744 				NL80211_BSS_STATUS_IBSS_JOINED))
11745 			goto nla_put_failure;
11746 		break;
11747 	default:
11748 		break;
11749 	}
11750 
11751 	if (nla_put_u32(msg, NL80211_BSS_USE_FOR, res->use_for))
11752 		goto nla_put_failure;
11753 
11754 	if (res->cannot_use_reasons &&
11755 	    nla_put_u64_64bit(msg, NL80211_BSS_CANNOT_USE_REASONS,
11756 			      res->cannot_use_reasons,
11757 			      NL80211_BSS_PAD))
11758 		goto nla_put_failure;
11759 
11760 	nla_nest_end(msg, bss);
11761 
11762 	genlmsg_end(msg, hdr);
11763 	return 0;
11764 
11765  fail_unlock_rcu:
11766 	rcu_read_unlock();
11767  nla_put_failure:
11768 	genlmsg_cancel(msg, hdr);
11769 	return -EMSGSIZE;
11770 }
11771 
11772 static int nl80211_dump_scan(struct sk_buff *skb, struct netlink_callback *cb)
11773 {
11774 	struct cfg80211_registered_device *rdev;
11775 	struct cfg80211_internal_bss *scan;
11776 	struct wireless_dev *wdev;
11777 	struct nlattr **attrbuf;
11778 	int start = cb->args[2], idx = 0;
11779 	bool dump_include_use_data;
11780 	int err;
11781 
11782 	attrbuf = kzalloc_objs(*attrbuf, NUM_NL80211_ATTR);
11783 	if (!attrbuf)
11784 		return -ENOMEM;
11785 
11786 	err = nl80211_prepare_wdev_dump(cb, &rdev, &wdev, attrbuf);
11787 	if (err) {
11788 		kfree(attrbuf);
11789 		return err;
11790 	}
11791 	/* nl80211_prepare_wdev_dump acquired it in the successful case */
11792 	__acquire(&rdev->wiphy.mtx);
11793 
11794 	dump_include_use_data =
11795 		attrbuf[NL80211_ATTR_BSS_DUMP_INCLUDE_USE_DATA];
11796 	kfree(attrbuf);
11797 
11798 	spin_lock_bh(&rdev->bss_lock);
11799 
11800 	/*
11801 	 * dump_scan will be called multiple times to break up the scan results
11802 	 * into multiple messages.  It is unlikely that any more bss-es will be
11803 	 * expired after the first call, so only call only call this on the
11804 	 * first dump_scan invocation.
11805 	 */
11806 	if (start == 0)
11807 		cfg80211_bss_expire(rdev);
11808 
11809 	cb->seq = rdev->bss_generation;
11810 
11811 	list_for_each_entry(scan, &rdev->bss_list, list) {
11812 		if (++idx <= start)
11813 			continue;
11814 		if (!dump_include_use_data &&
11815 		    !(scan->pub.use_for & NL80211_BSS_USE_FOR_NORMAL))
11816 			continue;
11817 		if (nl80211_send_bss(skb, cb,
11818 				cb->nlh->nlmsg_seq, NLM_F_MULTI,
11819 				rdev, wdev, scan) < 0) {
11820 			idx--;
11821 			break;
11822 		}
11823 	}
11824 
11825 	spin_unlock_bh(&rdev->bss_lock);
11826 
11827 	cb->args[2] = idx;
11828 	wiphy_unlock(&rdev->wiphy);
11829 
11830 	return skb->len;
11831 }
11832 
11833 static int nl80211_send_survey(struct sk_buff *msg, u32 portid, u32 seq,
11834 			       int flags, struct net_device *dev,
11835 			       bool allow_radio_stats,
11836 			       struct survey_info *survey)
11837 {
11838 	void *hdr;
11839 	struct nlattr *infoattr;
11840 
11841 	/* skip radio stats if userspace didn't request them */
11842 	if (!survey->channel && !allow_radio_stats)
11843 		return 0;
11844 
11845 	hdr = nl80211hdr_put(msg, portid, seq, flags,
11846 			     NL80211_CMD_NEW_SURVEY_RESULTS);
11847 	if (!hdr)
11848 		return -ENOMEM;
11849 
11850 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
11851 		goto nla_put_failure;
11852 
11853 	infoattr = nla_nest_start_noflag(msg, NL80211_ATTR_SURVEY_INFO);
11854 	if (!infoattr)
11855 		goto nla_put_failure;
11856 
11857 	if (survey->channel &&
11858 	    nla_put_u32(msg, NL80211_SURVEY_INFO_FREQUENCY,
11859 			survey->channel->center_freq))
11860 		goto nla_put_failure;
11861 
11862 	if (survey->channel && survey->channel->freq_offset &&
11863 	    nla_put_u32(msg, NL80211_SURVEY_INFO_FREQUENCY_OFFSET,
11864 			survey->channel->freq_offset))
11865 		goto nla_put_failure;
11866 
11867 	if ((survey->filled & SURVEY_INFO_NOISE_DBM) &&
11868 	    nla_put_u8(msg, NL80211_SURVEY_INFO_NOISE, survey->noise))
11869 		goto nla_put_failure;
11870 	if ((survey->filled & SURVEY_INFO_IN_USE) &&
11871 	    nla_put_flag(msg, NL80211_SURVEY_INFO_IN_USE))
11872 		goto nla_put_failure;
11873 	if ((survey->filled & SURVEY_INFO_TIME) &&
11874 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME,
11875 			survey->time, NL80211_SURVEY_INFO_PAD))
11876 		goto nla_put_failure;
11877 	if ((survey->filled & SURVEY_INFO_TIME_BUSY) &&
11878 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_BUSY,
11879 			      survey->time_busy, NL80211_SURVEY_INFO_PAD))
11880 		goto nla_put_failure;
11881 	if ((survey->filled & SURVEY_INFO_TIME_EXT_BUSY) &&
11882 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_EXT_BUSY,
11883 			      survey->time_ext_busy, NL80211_SURVEY_INFO_PAD))
11884 		goto nla_put_failure;
11885 	if ((survey->filled & SURVEY_INFO_TIME_RX) &&
11886 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_RX,
11887 			      survey->time_rx, NL80211_SURVEY_INFO_PAD))
11888 		goto nla_put_failure;
11889 	if ((survey->filled & SURVEY_INFO_TIME_TX) &&
11890 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_TX,
11891 			      survey->time_tx, NL80211_SURVEY_INFO_PAD))
11892 		goto nla_put_failure;
11893 	if ((survey->filled & SURVEY_INFO_TIME_SCAN) &&
11894 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_SCAN,
11895 			      survey->time_scan, NL80211_SURVEY_INFO_PAD))
11896 		goto nla_put_failure;
11897 	if ((survey->filled & SURVEY_INFO_TIME_BSS_RX) &&
11898 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_BSS_RX,
11899 			      survey->time_bss_rx, NL80211_SURVEY_INFO_PAD))
11900 		goto nla_put_failure;
11901 
11902 	nla_nest_end(msg, infoattr);
11903 
11904 	genlmsg_end(msg, hdr);
11905 	return 0;
11906 
11907  nla_put_failure:
11908 	genlmsg_cancel(msg, hdr);
11909 	return -EMSGSIZE;
11910 }
11911 
11912 static int nl80211_dump_survey(struct sk_buff *skb, struct netlink_callback *cb)
11913 {
11914 	struct nlattr **attrbuf;
11915 	struct survey_info survey;
11916 	struct cfg80211_registered_device *rdev;
11917 	struct wireless_dev *wdev;
11918 	int survey_idx = cb->args[2];
11919 	int res;
11920 	bool radio_stats;
11921 
11922 	attrbuf = kzalloc_objs(*attrbuf, NUM_NL80211_ATTR);
11923 	if (!attrbuf)
11924 		return -ENOMEM;
11925 
11926 	res = nl80211_prepare_wdev_dump(cb, &rdev, &wdev, attrbuf);
11927 	if (res) {
11928 		kfree(attrbuf);
11929 		return res;
11930 	}
11931 	/* nl80211_prepare_wdev_dump acquired it in the successful case */
11932 	__acquire(&rdev->wiphy.mtx);
11933 
11934 	/* prepare_wdev_dump parsed the attributes */
11935 	radio_stats = attrbuf[NL80211_ATTR_SURVEY_RADIO_STATS];
11936 
11937 	if (!wdev->netdev) {
11938 		res = -EINVAL;
11939 		goto out_err;
11940 	}
11941 
11942 	if (!rdev->ops->dump_survey) {
11943 		res = -EOPNOTSUPP;
11944 		goto out_err;
11945 	}
11946 
11947 	while (1) {
11948 		res = rdev_dump_survey(rdev, wdev->netdev, survey_idx, &survey);
11949 		if (res == -ENOENT)
11950 			break;
11951 		if (res)
11952 			goto out_err;
11953 
11954 		/* don't send disabled channels, but do send non-channel data */
11955 		if (survey.channel &&
11956 		    survey.channel->flags & IEEE80211_CHAN_DISABLED) {
11957 			survey_idx++;
11958 			continue;
11959 		}
11960 
11961 		if (nl80211_send_survey(skb,
11962 				NETLINK_CB(cb->skb).portid,
11963 				cb->nlh->nlmsg_seq, NLM_F_MULTI,
11964 				wdev->netdev, radio_stats, &survey) < 0)
11965 			goto out;
11966 		survey_idx++;
11967 	}
11968 
11969  out:
11970 	cb->args[2] = survey_idx;
11971 	res = skb->len;
11972  out_err:
11973 	kfree(attrbuf);
11974 	wiphy_unlock(&rdev->wiphy);
11975 	return res;
11976 }
11977 
11978 static int nl80211_authenticate(struct sk_buff *skb, struct genl_info *info)
11979 {
11980 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11981 	struct net_device *dev = info->user_ptr[1];
11982 	struct ieee80211_channel *chan;
11983 	const u8 *bssid, *ssid;
11984 	int err, ssid_len;
11985 	enum nl80211_auth_type auth_type;
11986 	struct key_parse key;
11987 	bool local_state_change;
11988 	struct cfg80211_auth_request req = {};
11989 	u32 freq;
11990 
11991 	if (!info->attrs[NL80211_ATTR_MAC])
11992 		return -EINVAL;
11993 
11994 	if (!info->attrs[NL80211_ATTR_AUTH_TYPE])
11995 		return -EINVAL;
11996 
11997 	if (!info->attrs[NL80211_ATTR_SSID])
11998 		return -EINVAL;
11999 
12000 	if (!info->attrs[NL80211_ATTR_WIPHY_FREQ])
12001 		return -EINVAL;
12002 
12003 	err = nl80211_parse_key(info, &key);
12004 	if (err)
12005 		return err;
12006 
12007 	if (key.idx >= 0) {
12008 		if (key.type != -1 && key.type != NL80211_KEYTYPE_GROUP)
12009 			return -EINVAL;
12010 		if (!key.p.key || !key.p.key_len)
12011 			return -EINVAL;
12012 		if ((key.p.cipher != WLAN_CIPHER_SUITE_WEP40 ||
12013 		     key.p.key_len != WLAN_KEY_LEN_WEP40) &&
12014 		    (key.p.cipher != WLAN_CIPHER_SUITE_WEP104 ||
12015 		     key.p.key_len != WLAN_KEY_LEN_WEP104))
12016 			return -EINVAL;
12017 		if (key.idx > 3)
12018 			return -EINVAL;
12019 	} else {
12020 		key.p.key_len = 0;
12021 		key.p.key = NULL;
12022 	}
12023 
12024 	if (key.idx >= 0) {
12025 		int i;
12026 		bool ok = false;
12027 
12028 		for (i = 0; i < rdev->wiphy.n_cipher_suites; i++) {
12029 			if (key.p.cipher == rdev->wiphy.cipher_suites[i]) {
12030 				ok = true;
12031 				break;
12032 			}
12033 		}
12034 		if (!ok)
12035 			return -EINVAL;
12036 	}
12037 
12038 	if (!rdev->ops->auth)
12039 		return -EOPNOTSUPP;
12040 
12041 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
12042 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
12043 		return -EOPNOTSUPP;
12044 
12045 	bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
12046 	freq = MHZ_TO_KHZ(nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ]));
12047 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET])
12048 		freq +=
12049 		    nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET]);
12050 
12051 	chan = nl80211_get_valid_chan(&rdev->wiphy, freq);
12052 	if (!chan)
12053 		return -EINVAL;
12054 
12055 	ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
12056 	ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
12057 
12058 	if (info->attrs[NL80211_ATTR_IE]) {
12059 		req.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
12060 		req.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
12061 	}
12062 
12063 	if (info->attrs[NL80211_ATTR_SUPPORTED_SELECTORS]) {
12064 		req.supported_selectors =
12065 			nla_data(info->attrs[NL80211_ATTR_SUPPORTED_SELECTORS]);
12066 		req.supported_selectors_len =
12067 			nla_len(info->attrs[NL80211_ATTR_SUPPORTED_SELECTORS]);
12068 	}
12069 
12070 	auth_type = nla_get_u32(info->attrs[NL80211_ATTR_AUTH_TYPE]);
12071 	if (!nl80211_valid_auth_type(rdev, auth_type, NL80211_CMD_AUTHENTICATE))
12072 		return -EINVAL;
12073 
12074 	if ((auth_type == NL80211_AUTHTYPE_SAE ||
12075 	     auth_type == NL80211_AUTHTYPE_FILS_SK ||
12076 	     auth_type == NL80211_AUTHTYPE_FILS_SK_PFS ||
12077 	     auth_type == NL80211_AUTHTYPE_FILS_PK ||
12078 	     auth_type == NL80211_AUTHTYPE_EPPKE) &&
12079 	    !info->attrs[NL80211_ATTR_AUTH_DATA])
12080 		return -EINVAL;
12081 
12082 	if (info->attrs[NL80211_ATTR_AUTH_DATA]) {
12083 		if (auth_type != NL80211_AUTHTYPE_SAE &&
12084 		    auth_type != NL80211_AUTHTYPE_FILS_SK &&
12085 		    auth_type != NL80211_AUTHTYPE_FILS_SK_PFS &&
12086 		    auth_type != NL80211_AUTHTYPE_FILS_PK &&
12087 		    auth_type != NL80211_AUTHTYPE_EPPKE)
12088 			return -EINVAL;
12089 		req.auth_data = nla_data(info->attrs[NL80211_ATTR_AUTH_DATA]);
12090 		req.auth_data_len = nla_len(info->attrs[NL80211_ATTR_AUTH_DATA]);
12091 	}
12092 
12093 	local_state_change = !!info->attrs[NL80211_ATTR_LOCAL_STATE_CHANGE];
12094 
12095 	/*
12096 	 * Since we no longer track auth state, ignore
12097 	 * requests to only change local state.
12098 	 */
12099 	if (local_state_change)
12100 		return 0;
12101 
12102 	req.auth_type = auth_type;
12103 	req.key = key.p.key;
12104 	req.key_len = key.p.key_len;
12105 	req.key_idx = key.idx;
12106 	req.link_id = nl80211_link_id_or_invalid(info->attrs);
12107 	if (req.link_id >= 0) {
12108 		if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_MLO))
12109 			return -EINVAL;
12110 		if (!info->attrs[NL80211_ATTR_MLD_ADDR])
12111 			return -EINVAL;
12112 		req.ap_mld_addr = nla_data(info->attrs[NL80211_ATTR_MLD_ADDR]);
12113 		if (!is_valid_ether_addr(req.ap_mld_addr))
12114 			return -EINVAL;
12115 	}
12116 
12117 	req.bss = cfg80211_get_bss(&rdev->wiphy, chan, bssid, ssid, ssid_len,
12118 				   IEEE80211_BSS_TYPE_ESS,
12119 				   IEEE80211_PRIVACY_ANY);
12120 	if (!req.bss)
12121 		return -ENOENT;
12122 
12123 	err = cfg80211_mlme_auth(rdev, dev, &req);
12124 
12125 	cfg80211_put_bss(&rdev->wiphy, req.bss);
12126 
12127 	return err;
12128 }
12129 
12130 static int validate_pae_over_nl80211(struct cfg80211_registered_device *rdev,
12131 				     struct genl_info *info)
12132 {
12133 	if (!info->attrs[NL80211_ATTR_SOCKET_OWNER]) {
12134 		GENL_SET_ERR_MSG(info, "SOCKET_OWNER not set");
12135 		return -EINVAL;
12136 	}
12137 
12138 	if (!rdev->ops->tx_control_port ||
12139 	    !wiphy_ext_feature_isset(&rdev->wiphy,
12140 				     NL80211_EXT_FEATURE_CONTROL_PORT_OVER_NL80211))
12141 		return -EOPNOTSUPP;
12142 
12143 	return 0;
12144 }
12145 
12146 static int nl80211_crypto_settings(struct cfg80211_registered_device *rdev,
12147 				   struct genl_info *info,
12148 				   struct cfg80211_crypto_settings *settings,
12149 				   int cipher_limit)
12150 {
12151 	memset(settings, 0, sizeof(*settings));
12152 
12153 	settings->control_port = info->attrs[NL80211_ATTR_CONTROL_PORT];
12154 
12155 	if (info->attrs[NL80211_ATTR_CONTROL_PORT_ETHERTYPE]) {
12156 		u16 proto;
12157 
12158 		proto = nla_get_u16(
12159 			info->attrs[NL80211_ATTR_CONTROL_PORT_ETHERTYPE]);
12160 		settings->control_port_ethertype = cpu_to_be16(proto);
12161 		if (!(rdev->wiphy.flags & WIPHY_FLAG_CONTROL_PORT_PROTOCOL) &&
12162 		    proto != ETH_P_PAE)
12163 			return -EINVAL;
12164 		if (info->attrs[NL80211_ATTR_CONTROL_PORT_NO_ENCRYPT])
12165 			settings->control_port_no_encrypt = true;
12166 	} else
12167 		settings->control_port_ethertype = cpu_to_be16(ETH_P_PAE);
12168 
12169 	if (info->attrs[NL80211_ATTR_CONTROL_PORT_OVER_NL80211]) {
12170 		int r = validate_pae_over_nl80211(rdev, info);
12171 
12172 		if (r < 0)
12173 			return r;
12174 
12175 		settings->control_port_over_nl80211 = true;
12176 
12177 		if (info->attrs[NL80211_ATTR_CONTROL_PORT_NO_PREAUTH])
12178 			settings->control_port_no_preauth = true;
12179 	}
12180 
12181 	if (info->attrs[NL80211_ATTR_CIPHER_SUITES_PAIRWISE]) {
12182 		void *data;
12183 		int len, i;
12184 
12185 		data = nla_data(info->attrs[NL80211_ATTR_CIPHER_SUITES_PAIRWISE]);
12186 		len = nla_len(info->attrs[NL80211_ATTR_CIPHER_SUITES_PAIRWISE]);
12187 		settings->n_ciphers_pairwise = len / sizeof(u32);
12188 
12189 		if (len % sizeof(u32))
12190 			return -EINVAL;
12191 
12192 		if (settings->n_ciphers_pairwise > cipher_limit)
12193 			return -EINVAL;
12194 
12195 		memcpy(settings->ciphers_pairwise, data, len);
12196 
12197 		for (i = 0; i < settings->n_ciphers_pairwise; i++)
12198 			if (!cfg80211_supported_cipher_suite(
12199 					&rdev->wiphy,
12200 					settings->ciphers_pairwise[i]))
12201 				return -EINVAL;
12202 	}
12203 
12204 	if (info->attrs[NL80211_ATTR_CIPHER_SUITE_GROUP]) {
12205 		settings->cipher_group =
12206 			nla_get_u32(info->attrs[NL80211_ATTR_CIPHER_SUITE_GROUP]);
12207 		if (!cfg80211_supported_cipher_suite(&rdev->wiphy,
12208 						     settings->cipher_group))
12209 			return -EINVAL;
12210 	}
12211 
12212 	if (info->attrs[NL80211_ATTR_WPA_VERSIONS])
12213 		settings->wpa_versions =
12214 			nla_get_u32(info->attrs[NL80211_ATTR_WPA_VERSIONS]);
12215 
12216 	if (info->attrs[NL80211_ATTR_AKM_SUITES]) {
12217 		void *data;
12218 		int len;
12219 
12220 		data = nla_data(info->attrs[NL80211_ATTR_AKM_SUITES]);
12221 		len = nla_len(info->attrs[NL80211_ATTR_AKM_SUITES]);
12222 		settings->n_akm_suites = len / sizeof(u32);
12223 
12224 		if (len % sizeof(u32))
12225 			return -EINVAL;
12226 
12227 		if (settings->n_akm_suites > rdev->wiphy.max_num_akm_suites)
12228 			return -EINVAL;
12229 
12230 		memcpy(settings->akm_suites, data, len);
12231 	}
12232 
12233 	if (info->attrs[NL80211_ATTR_PMK]) {
12234 		if (nla_len(info->attrs[NL80211_ATTR_PMK]) != WLAN_PMK_LEN)
12235 			return -EINVAL;
12236 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
12237 					     NL80211_EXT_FEATURE_4WAY_HANDSHAKE_STA_PSK) &&
12238 		    !wiphy_ext_feature_isset(&rdev->wiphy,
12239 					     NL80211_EXT_FEATURE_4WAY_HANDSHAKE_AP_PSK))
12240 			return -EINVAL;
12241 		settings->psk = nla_data(info->attrs[NL80211_ATTR_PMK]);
12242 	}
12243 
12244 	if (info->attrs[NL80211_ATTR_SAE_PASSWORD]) {
12245 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
12246 					     NL80211_EXT_FEATURE_SAE_OFFLOAD) &&
12247 		    !wiphy_ext_feature_isset(&rdev->wiphy,
12248 					     NL80211_EXT_FEATURE_SAE_OFFLOAD_AP))
12249 			return -EINVAL;
12250 		settings->sae_pwd =
12251 			nla_data(info->attrs[NL80211_ATTR_SAE_PASSWORD]);
12252 		settings->sae_pwd_len =
12253 			nla_len(info->attrs[NL80211_ATTR_SAE_PASSWORD]);
12254 	}
12255 
12256 	settings->sae_pwe =
12257 		nla_get_u8_default(info->attrs[NL80211_ATTR_SAE_PWE],
12258 				   NL80211_SAE_PWE_UNSPECIFIED);
12259 
12260 	return 0;
12261 }
12262 
12263 static struct cfg80211_bss *nl80211_assoc_bss(struct cfg80211_registered_device *rdev,
12264 					      const u8 *ssid, int ssid_len,
12265 					      struct nlattr **attrs,
12266 					      int assoc_link_id, int link_id)
12267 {
12268 	struct ieee80211_channel *chan;
12269 	struct cfg80211_bss *bss;
12270 	const u8 *bssid;
12271 	u32 freq, use_for = 0;
12272 
12273 	if (!attrs[NL80211_ATTR_MAC] || !attrs[NL80211_ATTR_WIPHY_FREQ])
12274 		return ERR_PTR(-EINVAL);
12275 
12276 	bssid = nla_data(attrs[NL80211_ATTR_MAC]);
12277 
12278 	freq = MHZ_TO_KHZ(nla_get_u32(attrs[NL80211_ATTR_WIPHY_FREQ]));
12279 	if (attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET])
12280 		freq += nla_get_u32(attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET]);
12281 
12282 	chan = nl80211_get_valid_chan(&rdev->wiphy, freq);
12283 	if (!chan)
12284 		return ERR_PTR(-EINVAL);
12285 
12286 	if (assoc_link_id >= 0)
12287 		use_for = NL80211_BSS_USE_FOR_MLD_LINK;
12288 	if (assoc_link_id == link_id)
12289 		use_for |= NL80211_BSS_USE_FOR_NORMAL;
12290 
12291 	bss = __cfg80211_get_bss(&rdev->wiphy, chan, bssid,
12292 				 ssid, ssid_len,
12293 				 IEEE80211_BSS_TYPE_ESS,
12294 				 IEEE80211_PRIVACY_ANY,
12295 				 use_for);
12296 	if (!bss)
12297 		return ERR_PTR(-ENOENT);
12298 
12299 	return bss;
12300 }
12301 
12302 static int nl80211_process_links(struct cfg80211_registered_device *rdev,
12303 				 struct cfg80211_assoc_link *links,
12304 				 int assoc_link_id,
12305 				 const u8 *ssid, int ssid_len,
12306 				 struct genl_info *info)
12307 {
12308 	unsigned int attrsize = NUM_NL80211_ATTR * sizeof(struct nlattr *);
12309 	struct nlattr **attrs __free(kfree) = kzalloc(attrsize, GFP_KERNEL);
12310 	struct nlattr *link;
12311 	unsigned int link_id;
12312 	int rem, err;
12313 
12314 	if (!attrs)
12315 		return -ENOMEM;
12316 
12317 	nla_for_each_nested(link, info->attrs[NL80211_ATTR_MLO_LINKS], rem) {
12318 		memset(attrs, 0, attrsize);
12319 
12320 		nla_parse_nested(attrs, NL80211_ATTR_MAX, link, NULL, NULL);
12321 
12322 		if (!attrs[NL80211_ATTR_MLO_LINK_ID]) {
12323 			NL_SET_BAD_ATTR(info->extack, link);
12324 			return -EINVAL;
12325 		}
12326 
12327 		link_id = nla_get_u8(attrs[NL80211_ATTR_MLO_LINK_ID]);
12328 		/* cannot use the same link ID again */
12329 		if (links[link_id].bss) {
12330 			NL_SET_BAD_ATTR(info->extack, link);
12331 			return -EINVAL;
12332 		}
12333 		links[link_id].bss =
12334 			nl80211_assoc_bss(rdev, ssid, ssid_len, attrs,
12335 					  assoc_link_id, link_id);
12336 		if (IS_ERR(links[link_id].bss)) {
12337 			err = PTR_ERR(links[link_id].bss);
12338 			links[link_id].bss = NULL;
12339 			NL_SET_ERR_MSG_ATTR(info->extack, link,
12340 					    "Error fetching BSS for link");
12341 			return err;
12342 		}
12343 
12344 		if (attrs[NL80211_ATTR_IE]) {
12345 			links[link_id].elems = nla_data(attrs[NL80211_ATTR_IE]);
12346 			links[link_id].elems_len =
12347 				nla_len(attrs[NL80211_ATTR_IE]);
12348 
12349 			if (cfg80211_find_elem(WLAN_EID_FRAGMENT,
12350 					       links[link_id].elems,
12351 					       links[link_id].elems_len)) {
12352 				NL_SET_ERR_MSG_ATTR(info->extack,
12353 						    attrs[NL80211_ATTR_IE],
12354 						    "cannot deal with fragmentation");
12355 				return -EINVAL;
12356 			}
12357 
12358 			if (cfg80211_find_ext_elem(WLAN_EID_EXT_NON_INHERITANCE,
12359 						   links[link_id].elems,
12360 						   links[link_id].elems_len)) {
12361 				NL_SET_ERR_MSG_ATTR(info->extack,
12362 						    attrs[NL80211_ATTR_IE],
12363 						    "cannot deal with non-inheritance");
12364 				return -EINVAL;
12365 			}
12366 		}
12367 	}
12368 
12369 	return 0;
12370 }
12371 
12372 static int nl80211_associate(struct sk_buff *skb, struct genl_info *info)
12373 {
12374 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12375 	struct net_device *dev = info->user_ptr[1];
12376 	struct cfg80211_assoc_request req = {};
12377 	const u8 *ap_addr, *ssid;
12378 	unsigned int link_id;
12379 	int err, ssid_len;
12380 
12381 	if (dev->ieee80211_ptr->conn_owner_nlportid &&
12382 	    dev->ieee80211_ptr->conn_owner_nlportid != info->snd_portid)
12383 		return -EPERM;
12384 
12385 	if (!info->attrs[NL80211_ATTR_SSID])
12386 		return -EINVAL;
12387 
12388 	if (!rdev->ops->assoc)
12389 		return -EOPNOTSUPP;
12390 
12391 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
12392 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
12393 		return -EOPNOTSUPP;
12394 
12395 	ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
12396 	ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
12397 
12398 	if (info->attrs[NL80211_ATTR_IE]) {
12399 		req.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
12400 		req.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
12401 
12402 		if (cfg80211_find_ext_elem(WLAN_EID_EXT_NON_INHERITANCE,
12403 					   req.ie, req.ie_len)) {
12404 			NL_SET_ERR_MSG_ATTR(info->extack,
12405 					    info->attrs[NL80211_ATTR_IE],
12406 					    "non-inheritance makes no sense");
12407 			return -EINVAL;
12408 		}
12409 	}
12410 
12411 	if (info->attrs[NL80211_ATTR_USE_MFP]) {
12412 		enum nl80211_mfp mfp =
12413 			nla_get_u32(info->attrs[NL80211_ATTR_USE_MFP]);
12414 		if (mfp == NL80211_MFP_REQUIRED)
12415 			req.use_mfp = true;
12416 		else if (mfp != NL80211_MFP_NO)
12417 			return -EINVAL;
12418 	}
12419 
12420 	if (info->attrs[NL80211_ATTR_PREV_BSSID])
12421 		req.prev_bssid = nla_data(info->attrs[NL80211_ATTR_PREV_BSSID]);
12422 
12423 	if (info->attrs[NL80211_ATTR_SUPPORTED_SELECTORS]) {
12424 		req.supported_selectors =
12425 			nla_data(info->attrs[NL80211_ATTR_SUPPORTED_SELECTORS]);
12426 		req.supported_selectors_len =
12427 			nla_len(info->attrs[NL80211_ATTR_SUPPORTED_SELECTORS]);
12428 	}
12429 
12430 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_HT]))
12431 		req.flags |= ASSOC_REQ_DISABLE_HT;
12432 
12433 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
12434 		memcpy(&req.ht_capa_mask,
12435 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK]),
12436 		       sizeof(req.ht_capa_mask));
12437 
12438 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY]) {
12439 		if (!info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
12440 			return -EINVAL;
12441 		memcpy(&req.ht_capa,
12442 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]),
12443 		       sizeof(req.ht_capa));
12444 	}
12445 
12446 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_VHT]))
12447 		req.flags |= ASSOC_REQ_DISABLE_VHT;
12448 
12449 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_HE]))
12450 		req.flags |= ASSOC_REQ_DISABLE_HE;
12451 
12452 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_EHT]))
12453 		req.flags |= ASSOC_REQ_DISABLE_EHT;
12454 
12455 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_UHR]))
12456 		req.flags |= ASSOC_REQ_DISABLE_UHR;
12457 
12458 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK])
12459 		memcpy(&req.vht_capa_mask,
12460 		       nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK]),
12461 		       sizeof(req.vht_capa_mask));
12462 
12463 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY]) {
12464 		if (!info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK])
12465 			return -EINVAL;
12466 		memcpy(&req.vht_capa,
12467 		       nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]),
12468 		       sizeof(req.vht_capa));
12469 	}
12470 
12471 	if (nla_get_flag(info->attrs[NL80211_ATTR_USE_RRM])) {
12472 		if (!((rdev->wiphy.features &
12473 			NL80211_FEATURE_DS_PARAM_SET_IE_IN_PROBES) &&
12474 		       (rdev->wiphy.features & NL80211_FEATURE_QUIET)) &&
12475 		    !wiphy_ext_feature_isset(&rdev->wiphy,
12476 					     NL80211_EXT_FEATURE_RRM))
12477 			return -EINVAL;
12478 		req.flags |= ASSOC_REQ_USE_RRM;
12479 	}
12480 
12481 	if (info->attrs[NL80211_ATTR_FILS_KEK]) {
12482 		req.fils_kek = nla_data(info->attrs[NL80211_ATTR_FILS_KEK]);
12483 		req.fils_kek_len = nla_len(info->attrs[NL80211_ATTR_FILS_KEK]);
12484 		if (!info->attrs[NL80211_ATTR_FILS_NONCES])
12485 			return -EINVAL;
12486 		req.fils_nonces =
12487 			nla_data(info->attrs[NL80211_ATTR_FILS_NONCES]);
12488 	}
12489 
12490 	if (info->attrs[NL80211_ATTR_S1G_CAPABILITY_MASK]) {
12491 		if (!info->attrs[NL80211_ATTR_S1G_CAPABILITY])
12492 			return -EINVAL;
12493 		memcpy(&req.s1g_capa_mask,
12494 		       nla_data(info->attrs[NL80211_ATTR_S1G_CAPABILITY_MASK]),
12495 		       sizeof(req.s1g_capa_mask));
12496 	}
12497 
12498 	if (info->attrs[NL80211_ATTR_S1G_CAPABILITY]) {
12499 		if (!info->attrs[NL80211_ATTR_S1G_CAPABILITY_MASK])
12500 			return -EINVAL;
12501 		memcpy(&req.s1g_capa,
12502 		       nla_data(info->attrs[NL80211_ATTR_S1G_CAPABILITY]),
12503 		       sizeof(req.s1g_capa));
12504 	}
12505 
12506 	if (nla_get_flag(info->attrs[NL80211_ATTR_ASSOC_SPP_AMSDU])) {
12507 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
12508 					     NL80211_EXT_FEATURE_SPP_AMSDU_SUPPORT)) {
12509 			GENL_SET_ERR_MSG(info, "SPP A-MSDUs not supported");
12510 			return -EINVAL;
12511 		}
12512 		req.flags |= ASSOC_REQ_SPP_AMSDU;
12513 	}
12514 
12515 	req.link_id = nl80211_link_id_or_invalid(info->attrs);
12516 
12517 	if (info->attrs[NL80211_ATTR_MLO_LINKS]) {
12518 		if (req.link_id < 0)
12519 			return -EINVAL;
12520 
12521 		if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_MLO))
12522 			return -EINVAL;
12523 
12524 		if (info->attrs[NL80211_ATTR_MAC] ||
12525 		    info->attrs[NL80211_ATTR_WIPHY_FREQ] ||
12526 		    !info->attrs[NL80211_ATTR_MLD_ADDR])
12527 			return -EINVAL;
12528 
12529 		req.ap_mld_addr = nla_data(info->attrs[NL80211_ATTR_MLD_ADDR]);
12530 		ap_addr = req.ap_mld_addr;
12531 
12532 		err = nl80211_process_links(rdev, req.links, req.link_id,
12533 					    ssid, ssid_len, info);
12534 		if (err)
12535 			goto free;
12536 
12537 		if (!req.links[req.link_id].bss) {
12538 			err = -EINVAL;
12539 			goto free;
12540 		}
12541 
12542 		if (req.links[req.link_id].elems_len) {
12543 			GENL_SET_ERR_MSG(info,
12544 					 "cannot have per-link elems on assoc link");
12545 			err = -EINVAL;
12546 			goto free;
12547 		}
12548 
12549 		if (info->attrs[NL80211_ATTR_ASSOC_MLD_EXT_CAPA_OPS])
12550 			req.ext_mld_capa_ops =
12551 				nla_get_u16(info->attrs[NL80211_ATTR_ASSOC_MLD_EXT_CAPA_OPS]);
12552 	} else {
12553 		if (req.link_id >= 0)
12554 			return -EINVAL;
12555 
12556 		req.bss = nl80211_assoc_bss(rdev, ssid, ssid_len, info->attrs,
12557 					    -1, -1);
12558 		if (IS_ERR(req.bss))
12559 			return PTR_ERR(req.bss);
12560 		ap_addr = req.bss->bssid;
12561 
12562 		if (info->attrs[NL80211_ATTR_ASSOC_MLD_EXT_CAPA_OPS])
12563 			return -EINVAL;
12564 	}
12565 
12566 	err = nl80211_crypto_settings(rdev, info, &req.crypto, 1);
12567 	if (!err) {
12568 		struct nlattr *link;
12569 		int rem = 0;
12570 
12571 		err = cfg80211_mlme_assoc(rdev, dev, &req,
12572 					  info->extack);
12573 
12574 		if (!err && info->attrs[NL80211_ATTR_SOCKET_OWNER]) {
12575 			dev->ieee80211_ptr->conn_owner_nlportid =
12576 				info->snd_portid;
12577 			memcpy(dev->ieee80211_ptr->disconnect_bssid,
12578 			       ap_addr, ETH_ALEN);
12579 		}
12580 
12581 		/* Report error from first problematic link */
12582 		if (info->attrs[NL80211_ATTR_MLO_LINKS]) {
12583 			nla_for_each_nested(link,
12584 					    info->attrs[NL80211_ATTR_MLO_LINKS],
12585 					    rem) {
12586 				struct nlattr *link_id_attr =
12587 					nla_find_nested(link, NL80211_ATTR_MLO_LINK_ID);
12588 
12589 				if (!link_id_attr)
12590 					continue;
12591 
12592 				link_id = nla_get_u8(link_id_attr);
12593 
12594 				if (link_id == req.link_id)
12595 					continue;
12596 
12597 				if (!req.links[link_id].error ||
12598 				    WARN_ON(req.links[link_id].error > 0))
12599 					continue;
12600 
12601 				WARN_ON(err >= 0);
12602 
12603 				NL_SET_BAD_ATTR(info->extack, link);
12604 				err = req.links[link_id].error;
12605 				break;
12606 			}
12607 		}
12608 	}
12609 
12610 free:
12611 	for (link_id = 0; link_id < ARRAY_SIZE(req.links); link_id++)
12612 		cfg80211_put_bss(&rdev->wiphy, req.links[link_id].bss);
12613 	cfg80211_put_bss(&rdev->wiphy, req.bss);
12614 
12615 	return err;
12616 }
12617 
12618 static int nl80211_deauthenticate(struct sk_buff *skb, struct genl_info *info)
12619 {
12620 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12621 	struct net_device *dev = info->user_ptr[1];
12622 	const u8 *ie = NULL, *bssid;
12623 	int ie_len = 0;
12624 	u16 reason_code;
12625 	bool local_state_change;
12626 
12627 	if (dev->ieee80211_ptr->conn_owner_nlportid &&
12628 	    dev->ieee80211_ptr->conn_owner_nlportid != info->snd_portid)
12629 		return -EPERM;
12630 
12631 	if (!info->attrs[NL80211_ATTR_MAC])
12632 		return -EINVAL;
12633 
12634 	if (!info->attrs[NL80211_ATTR_REASON_CODE])
12635 		return -EINVAL;
12636 
12637 	if (!rdev->ops->deauth)
12638 		return -EOPNOTSUPP;
12639 
12640 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
12641 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
12642 		return -EOPNOTSUPP;
12643 
12644 	bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
12645 
12646 	reason_code = nla_get_u16(info->attrs[NL80211_ATTR_REASON_CODE]);
12647 	if (reason_code == 0) {
12648 		/* Reason Code 0 is reserved */
12649 		return -EINVAL;
12650 	}
12651 
12652 	if (info->attrs[NL80211_ATTR_IE]) {
12653 		ie = nla_data(info->attrs[NL80211_ATTR_IE]);
12654 		ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
12655 	}
12656 
12657 	local_state_change = !!info->attrs[NL80211_ATTR_LOCAL_STATE_CHANGE];
12658 
12659 	return cfg80211_mlme_deauth(rdev, dev, bssid, ie, ie_len, reason_code,
12660 				    local_state_change);
12661 }
12662 
12663 static int nl80211_disassociate(struct sk_buff *skb, struct genl_info *info)
12664 {
12665 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12666 	struct net_device *dev = info->user_ptr[1];
12667 	const u8 *ie = NULL, *bssid;
12668 	int ie_len = 0;
12669 	u16 reason_code;
12670 	bool local_state_change;
12671 
12672 	if (dev->ieee80211_ptr->conn_owner_nlportid &&
12673 	    dev->ieee80211_ptr->conn_owner_nlportid != info->snd_portid)
12674 		return -EPERM;
12675 
12676 	if (!info->attrs[NL80211_ATTR_MAC])
12677 		return -EINVAL;
12678 
12679 	if (!info->attrs[NL80211_ATTR_REASON_CODE])
12680 		return -EINVAL;
12681 
12682 	if (!rdev->ops->disassoc)
12683 		return -EOPNOTSUPP;
12684 
12685 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
12686 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
12687 		return -EOPNOTSUPP;
12688 
12689 	bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
12690 
12691 	reason_code = nla_get_u16(info->attrs[NL80211_ATTR_REASON_CODE]);
12692 	if (reason_code == 0) {
12693 		/* Reason Code 0 is reserved */
12694 		return -EINVAL;
12695 	}
12696 
12697 	if (info->attrs[NL80211_ATTR_IE]) {
12698 		ie = nla_data(info->attrs[NL80211_ATTR_IE]);
12699 		ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
12700 	}
12701 
12702 	local_state_change = !!info->attrs[NL80211_ATTR_LOCAL_STATE_CHANGE];
12703 
12704 	return cfg80211_mlme_disassoc(rdev, dev, bssid, ie, ie_len, reason_code,
12705 				      local_state_change);
12706 }
12707 
12708 static bool
12709 nl80211_parse_mcast_rate(struct cfg80211_registered_device *rdev,
12710 			 int mcast_rate[NUM_NL80211_BANDS],
12711 			 int rateval)
12712 {
12713 	struct wiphy *wiphy = &rdev->wiphy;
12714 	bool found = false;
12715 	int band, i;
12716 
12717 	for (band = 0; band < NUM_NL80211_BANDS; band++) {
12718 		struct ieee80211_supported_band *sband;
12719 
12720 		sband = wiphy->bands[band];
12721 		if (!sband)
12722 			continue;
12723 
12724 		for (i = 0; i < sband->n_bitrates; i++) {
12725 			if (sband->bitrates[i].bitrate == rateval) {
12726 				mcast_rate[band] = i + 1;
12727 				found = true;
12728 				break;
12729 			}
12730 		}
12731 	}
12732 
12733 	return found;
12734 }
12735 
12736 static int nl80211_join_ibss(struct sk_buff *skb, struct genl_info *info)
12737 {
12738 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12739 	struct net_device *dev = info->user_ptr[1];
12740 	struct cfg80211_ibss_params ibss;
12741 	struct wiphy *wiphy;
12742 	struct cfg80211_cached_keys *connkeys = NULL;
12743 	int err;
12744 
12745 	memset(&ibss, 0, sizeof(ibss));
12746 
12747 	if (!info->attrs[NL80211_ATTR_SSID] ||
12748 	    !nla_len(info->attrs[NL80211_ATTR_SSID]))
12749 		return -EINVAL;
12750 
12751 	ibss.beacon_interval = 100;
12752 
12753 	if (info->attrs[NL80211_ATTR_BEACON_INTERVAL])
12754 		ibss.beacon_interval =
12755 			nla_get_u32(info->attrs[NL80211_ATTR_BEACON_INTERVAL]);
12756 
12757 	err = cfg80211_validate_beacon_int(rdev, NL80211_IFTYPE_ADHOC,
12758 					   ibss.beacon_interval);
12759 	if (err)
12760 		return err;
12761 
12762 	if (!rdev->ops->join_ibss)
12763 		return -EOPNOTSUPP;
12764 
12765 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_ADHOC)
12766 		return -EOPNOTSUPP;
12767 
12768 	wiphy = &rdev->wiphy;
12769 
12770 	if (info->attrs[NL80211_ATTR_MAC]) {
12771 		ibss.bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
12772 
12773 		if (!is_valid_ether_addr(ibss.bssid))
12774 			return -EINVAL;
12775 	}
12776 	ibss.ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
12777 	ibss.ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
12778 
12779 	if (info->attrs[NL80211_ATTR_IE]) {
12780 		ibss.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
12781 		ibss.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
12782 	}
12783 
12784 	err = nl80211_parse_chandef(rdev, info, &ibss.chandef);
12785 	if (err)
12786 		return err;
12787 
12788 	if (!cfg80211_reg_can_beacon(&rdev->wiphy, &ibss.chandef,
12789 				     NL80211_IFTYPE_ADHOC))
12790 		return -EINVAL;
12791 
12792 	switch (ibss.chandef.width) {
12793 	case NL80211_CHAN_WIDTH_5:
12794 	case NL80211_CHAN_WIDTH_10:
12795 	case NL80211_CHAN_WIDTH_20_NOHT:
12796 		break;
12797 	case NL80211_CHAN_WIDTH_20:
12798 	case NL80211_CHAN_WIDTH_40:
12799 		if (!(rdev->wiphy.features & NL80211_FEATURE_HT_IBSS))
12800 			return -EINVAL;
12801 		break;
12802 	case NL80211_CHAN_WIDTH_80:
12803 	case NL80211_CHAN_WIDTH_80P80:
12804 	case NL80211_CHAN_WIDTH_160:
12805 		if (!(rdev->wiphy.features & NL80211_FEATURE_HT_IBSS))
12806 			return -EINVAL;
12807 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
12808 					     NL80211_EXT_FEATURE_VHT_IBSS))
12809 			return -EINVAL;
12810 		break;
12811 	case NL80211_CHAN_WIDTH_320:
12812 		return -EINVAL;
12813 	default:
12814 		return -EINVAL;
12815 	}
12816 
12817 	ibss.channel_fixed = !!info->attrs[NL80211_ATTR_FREQ_FIXED];
12818 	ibss.privacy = !!info->attrs[NL80211_ATTR_PRIVACY];
12819 
12820 	if (info->attrs[NL80211_ATTR_BSS_BASIC_RATES]) {
12821 		u8 *rates =
12822 			nla_data(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
12823 		int n_rates =
12824 			nla_len(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
12825 		struct ieee80211_supported_band *sband =
12826 			wiphy->bands[ibss.chandef.chan->band];
12827 
12828 		err = ieee80211_get_ratemask(sband, rates, n_rates,
12829 					     &ibss.basic_rates);
12830 		if (err)
12831 			return err;
12832 	}
12833 
12834 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
12835 		memcpy(&ibss.ht_capa_mask,
12836 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK]),
12837 		       sizeof(ibss.ht_capa_mask));
12838 
12839 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY]) {
12840 		if (!info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
12841 			return -EINVAL;
12842 		memcpy(&ibss.ht_capa,
12843 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]),
12844 		       sizeof(ibss.ht_capa));
12845 	}
12846 
12847 	if (info->attrs[NL80211_ATTR_MCAST_RATE] &&
12848 	    !nl80211_parse_mcast_rate(rdev, ibss.mcast_rate,
12849 			nla_get_u32(info->attrs[NL80211_ATTR_MCAST_RATE])))
12850 		return -EINVAL;
12851 
12852 	if (ibss.privacy && info->attrs[NL80211_ATTR_KEYS]) {
12853 		bool no_ht = false;
12854 
12855 		connkeys = nl80211_parse_connkeys(rdev, info, &no_ht);
12856 		if (IS_ERR(connkeys))
12857 			return PTR_ERR(connkeys);
12858 
12859 		if ((ibss.chandef.width != NL80211_CHAN_WIDTH_20_NOHT) &&
12860 		    no_ht) {
12861 			kfree_sensitive(connkeys);
12862 			return -EINVAL;
12863 		}
12864 	}
12865 
12866 	ibss.control_port =
12867 		nla_get_flag(info->attrs[NL80211_ATTR_CONTROL_PORT]);
12868 
12869 	if (info->attrs[NL80211_ATTR_CONTROL_PORT_OVER_NL80211]) {
12870 		int r = validate_pae_over_nl80211(rdev, info);
12871 
12872 		if (r < 0) {
12873 			kfree_sensitive(connkeys);
12874 			return r;
12875 		}
12876 
12877 		ibss.control_port_over_nl80211 = true;
12878 	}
12879 
12880 	ibss.userspace_handles_dfs =
12881 		nla_get_flag(info->attrs[NL80211_ATTR_HANDLE_DFS]);
12882 
12883 	err = __cfg80211_join_ibss(rdev, dev, &ibss, connkeys);
12884 	if (err)
12885 		kfree_sensitive(connkeys);
12886 	else if (info->attrs[NL80211_ATTR_SOCKET_OWNER])
12887 		dev->ieee80211_ptr->conn_owner_nlportid = info->snd_portid;
12888 
12889 	return err;
12890 }
12891 
12892 static int nl80211_leave_ibss(struct sk_buff *skb, struct genl_info *info)
12893 {
12894 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12895 	struct net_device *dev = info->user_ptr[1];
12896 
12897 	if (!rdev->ops->leave_ibss)
12898 		return -EOPNOTSUPP;
12899 
12900 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_ADHOC)
12901 		return -EOPNOTSUPP;
12902 
12903 	return cfg80211_leave_ibss(rdev, dev, false);
12904 }
12905 
12906 static int nl80211_set_mcast_rate(struct sk_buff *skb, struct genl_info *info)
12907 {
12908 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12909 	struct net_device *dev = info->user_ptr[1];
12910 	int mcast_rate[NUM_NL80211_BANDS];
12911 	u32 nla_rate;
12912 
12913 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_ADHOC &&
12914 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT &&
12915 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_OCB)
12916 		return -EOPNOTSUPP;
12917 
12918 	if (!rdev->ops->set_mcast_rate)
12919 		return -EOPNOTSUPP;
12920 
12921 	memset(mcast_rate, 0, sizeof(mcast_rate));
12922 
12923 	if (!info->attrs[NL80211_ATTR_MCAST_RATE])
12924 		return -EINVAL;
12925 
12926 	nla_rate = nla_get_u32(info->attrs[NL80211_ATTR_MCAST_RATE]);
12927 	if (!nl80211_parse_mcast_rate(rdev, mcast_rate, nla_rate))
12928 		return -EINVAL;
12929 
12930 	return rdev_set_mcast_rate(rdev, dev, mcast_rate);
12931 }
12932 
12933 static struct sk_buff *
12934 __cfg80211_alloc_vendor_skb(struct cfg80211_registered_device *rdev,
12935 			    struct wireless_dev *wdev, int approxlen,
12936 			    u32 portid, u32 seq, enum nl80211_commands cmd,
12937 			    enum nl80211_attrs attr,
12938 			    const struct nl80211_vendor_cmd_info *info,
12939 			    gfp_t gfp)
12940 {
12941 	struct sk_buff *skb;
12942 	void *hdr;
12943 	struct nlattr *data;
12944 
12945 	skb = nlmsg_new(approxlen + 100, gfp);
12946 	if (!skb)
12947 		return NULL;
12948 
12949 	hdr = nl80211hdr_put(skb, portid, seq, 0, cmd);
12950 	if (!hdr) {
12951 		kfree_skb(skb);
12952 		return NULL;
12953 	}
12954 
12955 	if (nla_put_u32(skb, NL80211_ATTR_WIPHY, rdev->wiphy_idx))
12956 		goto nla_put_failure;
12957 
12958 	if (info) {
12959 		if (nla_put_u32(skb, NL80211_ATTR_VENDOR_ID,
12960 				info->vendor_id))
12961 			goto nla_put_failure;
12962 		if (nla_put_u32(skb, NL80211_ATTR_VENDOR_SUBCMD,
12963 				info->subcmd))
12964 			goto nla_put_failure;
12965 	}
12966 
12967 	if (wdev) {
12968 		if (nla_put_u64_64bit(skb, NL80211_ATTR_WDEV,
12969 				      wdev_id(wdev), NL80211_ATTR_PAD))
12970 			goto nla_put_failure;
12971 		if (wdev->netdev &&
12972 		    nla_put_u32(skb, NL80211_ATTR_IFINDEX,
12973 				wdev->netdev->ifindex))
12974 			goto nla_put_failure;
12975 	}
12976 
12977 	data = nla_nest_start_noflag(skb, attr);
12978 	if (!data)
12979 		goto nla_put_failure;
12980 
12981 	((void **)skb->cb)[0] = rdev;
12982 	((void **)skb->cb)[1] = hdr;
12983 	((void **)skb->cb)[2] = data;
12984 
12985 	return skb;
12986 
12987  nla_put_failure:
12988 	kfree_skb(skb);
12989 	return NULL;
12990 }
12991 
12992 struct sk_buff *__cfg80211_alloc_event_skb(struct wiphy *wiphy,
12993 					   struct wireless_dev *wdev,
12994 					   enum nl80211_commands cmd,
12995 					   enum nl80211_attrs attr,
12996 					   unsigned int portid,
12997 					   int vendor_event_idx,
12998 					   int approxlen, gfp_t gfp)
12999 {
13000 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
13001 	const struct nl80211_vendor_cmd_info *info;
13002 
13003 	switch (cmd) {
13004 	case NL80211_CMD_TESTMODE:
13005 		if (WARN_ON(vendor_event_idx != -1))
13006 			return NULL;
13007 		info = NULL;
13008 		break;
13009 	case NL80211_CMD_VENDOR:
13010 		if (WARN_ON(vendor_event_idx < 0 ||
13011 			    vendor_event_idx >= wiphy->n_vendor_events))
13012 			return NULL;
13013 		info = &wiphy->vendor_events[vendor_event_idx];
13014 		break;
13015 	default:
13016 		WARN_ON(1);
13017 		return NULL;
13018 	}
13019 
13020 	return __cfg80211_alloc_vendor_skb(rdev, wdev, approxlen, portid, 0,
13021 					   cmd, attr, info, gfp);
13022 }
13023 EXPORT_SYMBOL(__cfg80211_alloc_event_skb);
13024 
13025 void __cfg80211_send_event_skb(struct sk_buff *skb, gfp_t gfp)
13026 {
13027 	struct cfg80211_registered_device *rdev = ((void **)skb->cb)[0];
13028 	void *hdr = ((void **)skb->cb)[1];
13029 	struct nlmsghdr *nlhdr = nlmsg_hdr(skb);
13030 	struct nlattr *data = ((void **)skb->cb)[2];
13031 	enum nl80211_multicast_groups mcgrp = NL80211_MCGRP_TESTMODE;
13032 
13033 	/* clear CB data for netlink core to own from now on */
13034 	memset(skb->cb, 0, sizeof(skb->cb));
13035 
13036 	nla_nest_end(skb, data);
13037 	genlmsg_end(skb, hdr);
13038 
13039 	if (nlhdr->nlmsg_pid) {
13040 		genlmsg_unicast(wiphy_net(&rdev->wiphy), skb,
13041 				nlhdr->nlmsg_pid);
13042 	} else {
13043 		if (data->nla_type == NL80211_ATTR_VENDOR_DATA)
13044 			mcgrp = NL80211_MCGRP_VENDOR;
13045 
13046 		genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy),
13047 					skb, 0, mcgrp, gfp);
13048 	}
13049 }
13050 EXPORT_SYMBOL(__cfg80211_send_event_skb);
13051 
13052 #ifdef CONFIG_NL80211_TESTMODE
13053 static int nl80211_testmode_do(struct sk_buff *skb, struct genl_info *info)
13054 {
13055 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13056 	struct wireless_dev *wdev;
13057 	int err;
13058 
13059 	lockdep_assert_held(&rdev->wiphy.mtx);
13060 
13061 	wdev = __cfg80211_wdev_from_attrs(rdev, genl_info_net(info),
13062 					  info->attrs);
13063 
13064 	if (!rdev->ops->testmode_cmd)
13065 		return -EOPNOTSUPP;
13066 
13067 	if (IS_ERR(wdev)) {
13068 		err = PTR_ERR(wdev);
13069 		if (err != -EINVAL)
13070 			return err;
13071 		wdev = NULL;
13072 	} else if (wdev->wiphy != &rdev->wiphy) {
13073 		return -EINVAL;
13074 	}
13075 
13076 	if (!info->attrs[NL80211_ATTR_TESTDATA])
13077 		return -EINVAL;
13078 
13079 	rdev->cur_cmd_info = info;
13080 	err = rdev_testmode_cmd(rdev, wdev,
13081 				nla_data(info->attrs[NL80211_ATTR_TESTDATA]),
13082 				nla_len(info->attrs[NL80211_ATTR_TESTDATA]));
13083 	rdev->cur_cmd_info = NULL;
13084 
13085 	return err;
13086 }
13087 
13088 static int nl80211_testmode_dump(struct sk_buff *skb,
13089 				 struct netlink_callback *cb)
13090 {
13091 	struct cfg80211_registered_device *rdev;
13092 	struct nlattr **attrbuf = NULL;
13093 	int err;
13094 	long phy_idx;
13095 	void *data = NULL;
13096 	int data_len = 0;
13097 
13098 	rtnl_lock();
13099 
13100 	if (cb->args[0]) {
13101 		/*
13102 		 * 0 is a valid index, but not valid for args[0],
13103 		 * so we need to offset by 1.
13104 		 */
13105 		phy_idx = cb->args[0] - 1;
13106 
13107 		rdev = cfg80211_rdev_by_wiphy_idx(phy_idx);
13108 		if (!rdev) {
13109 			err = -ENOENT;
13110 			goto out_err;
13111 		}
13112 	} else {
13113 		attrbuf = kzalloc_objs(*attrbuf, NUM_NL80211_ATTR);
13114 		if (!attrbuf) {
13115 			err = -ENOMEM;
13116 			goto out_err;
13117 		}
13118 
13119 		err = nlmsg_parse_deprecated(cb->nlh,
13120 					     GENL_HDRLEN + nl80211_fam.hdrsize,
13121 					     attrbuf, nl80211_fam.maxattr,
13122 					     nl80211_policy, NULL);
13123 		if (err)
13124 			goto out_err;
13125 
13126 		rdev = __cfg80211_rdev_from_attrs(sock_net(skb->sk), attrbuf);
13127 		if (IS_ERR(rdev)) {
13128 			err = PTR_ERR(rdev);
13129 			goto out_err;
13130 		}
13131 		phy_idx = rdev->wiphy_idx;
13132 
13133 		if (attrbuf[NL80211_ATTR_TESTDATA])
13134 			cb->args[1] = (long)attrbuf[NL80211_ATTR_TESTDATA];
13135 	}
13136 
13137 	if (cb->args[1]) {
13138 		data = nla_data((void *)cb->args[1]);
13139 		data_len = nla_len((void *)cb->args[1]);
13140 	}
13141 
13142 	if (!rdev->ops->testmode_dump) {
13143 		err = -EOPNOTSUPP;
13144 		goto out_err;
13145 	}
13146 
13147 	while (1) {
13148 		void *hdr = nl80211hdr_put(skb, NETLINK_CB(cb->skb).portid,
13149 					   cb->nlh->nlmsg_seq, NLM_F_MULTI,
13150 					   NL80211_CMD_TESTMODE);
13151 		struct nlattr *tmdata;
13152 
13153 		if (!hdr)
13154 			break;
13155 
13156 		if (nla_put_u32(skb, NL80211_ATTR_WIPHY, phy_idx)) {
13157 			genlmsg_cancel(skb, hdr);
13158 			break;
13159 		}
13160 
13161 		tmdata = nla_nest_start_noflag(skb, NL80211_ATTR_TESTDATA);
13162 		if (!tmdata) {
13163 			genlmsg_cancel(skb, hdr);
13164 			break;
13165 		}
13166 		err = rdev_testmode_dump(rdev, skb, cb, data, data_len);
13167 		nla_nest_end(skb, tmdata);
13168 
13169 		if (err == -ENOBUFS || err == -ENOENT) {
13170 			genlmsg_cancel(skb, hdr);
13171 			break;
13172 		} else if (err) {
13173 			genlmsg_cancel(skb, hdr);
13174 			goto out_err;
13175 		}
13176 
13177 		genlmsg_end(skb, hdr);
13178 	}
13179 
13180 	err = skb->len;
13181 	/* see above */
13182 	cb->args[0] = phy_idx + 1;
13183  out_err:
13184 	kfree(attrbuf);
13185 	rtnl_unlock();
13186 	return err;
13187 }
13188 #endif
13189 
13190 static int nl80211_connect(struct sk_buff *skb, struct genl_info *info)
13191 {
13192 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13193 	struct net_device *dev = info->user_ptr[1];
13194 	struct cfg80211_connect_params connect;
13195 	struct wiphy *wiphy;
13196 	struct cfg80211_cached_keys *connkeys = NULL;
13197 	u32 freq = 0;
13198 	int err;
13199 
13200 	memset(&connect, 0, sizeof(connect));
13201 
13202 	if (!info->attrs[NL80211_ATTR_SSID] ||
13203 	    !nla_len(info->attrs[NL80211_ATTR_SSID]))
13204 		return -EINVAL;
13205 
13206 	if (info->attrs[NL80211_ATTR_AUTH_TYPE]) {
13207 		connect.auth_type =
13208 			nla_get_u32(info->attrs[NL80211_ATTR_AUTH_TYPE]);
13209 		if (!nl80211_valid_auth_type(rdev, connect.auth_type,
13210 					     NL80211_CMD_CONNECT))
13211 			return -EINVAL;
13212 	} else
13213 		connect.auth_type = NL80211_AUTHTYPE_AUTOMATIC;
13214 
13215 	connect.privacy = info->attrs[NL80211_ATTR_PRIVACY];
13216 
13217 	if (info->attrs[NL80211_ATTR_WANT_1X_4WAY_HS] &&
13218 	    !wiphy_ext_feature_isset(&rdev->wiphy,
13219 				     NL80211_EXT_FEATURE_4WAY_HANDSHAKE_STA_1X))
13220 		return -EINVAL;
13221 	connect.want_1x = info->attrs[NL80211_ATTR_WANT_1X_4WAY_HS];
13222 
13223 	err = nl80211_crypto_settings(rdev, info, &connect.crypto,
13224 				      NL80211_MAX_NR_CIPHER_SUITES);
13225 	if (err)
13226 		return err;
13227 
13228 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
13229 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
13230 		return -EOPNOTSUPP;
13231 
13232 	wiphy = &rdev->wiphy;
13233 
13234 	connect.bg_scan_period = -1;
13235 	if (info->attrs[NL80211_ATTR_BG_SCAN_PERIOD] &&
13236 		(wiphy->flags & WIPHY_FLAG_SUPPORTS_FW_ROAM)) {
13237 		connect.bg_scan_period =
13238 			nla_get_u16(info->attrs[NL80211_ATTR_BG_SCAN_PERIOD]);
13239 	}
13240 
13241 	if (info->attrs[NL80211_ATTR_MAC])
13242 		connect.bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
13243 	else if (info->attrs[NL80211_ATTR_MAC_HINT])
13244 		connect.bssid_hint =
13245 			nla_data(info->attrs[NL80211_ATTR_MAC_HINT]);
13246 	connect.ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
13247 	connect.ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
13248 
13249 	if (info->attrs[NL80211_ATTR_IE]) {
13250 		connect.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
13251 		connect.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
13252 	}
13253 
13254 	if (info->attrs[NL80211_ATTR_USE_MFP]) {
13255 		connect.mfp = nla_get_u32(info->attrs[NL80211_ATTR_USE_MFP]);
13256 		if (connect.mfp == NL80211_MFP_OPTIONAL &&
13257 		    !wiphy_ext_feature_isset(&rdev->wiphy,
13258 					     NL80211_EXT_FEATURE_MFP_OPTIONAL))
13259 			return -EOPNOTSUPP;
13260 	} else {
13261 		connect.mfp = NL80211_MFP_NO;
13262 	}
13263 
13264 	if (info->attrs[NL80211_ATTR_PREV_BSSID])
13265 		connect.prev_bssid =
13266 			nla_data(info->attrs[NL80211_ATTR_PREV_BSSID]);
13267 
13268 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ])
13269 		freq = MHZ_TO_KHZ(nla_get_u32(
13270 					info->attrs[NL80211_ATTR_WIPHY_FREQ]));
13271 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET])
13272 		freq +=
13273 		    nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET]);
13274 
13275 	if (freq) {
13276 		connect.channel = nl80211_get_valid_chan(wiphy, freq);
13277 		if (!connect.channel)
13278 			return -EINVAL;
13279 	} else if (info->attrs[NL80211_ATTR_WIPHY_FREQ_HINT]) {
13280 		freq = nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ_HINT]);
13281 		freq = MHZ_TO_KHZ(freq);
13282 		connect.channel_hint = nl80211_get_valid_chan(wiphy, freq);
13283 		if (!connect.channel_hint)
13284 			return -EINVAL;
13285 	}
13286 
13287 	if (info->attrs[NL80211_ATTR_WIPHY_EDMG_CHANNELS]) {
13288 		connect.edmg.channels =
13289 		      nla_get_u8(info->attrs[NL80211_ATTR_WIPHY_EDMG_CHANNELS]);
13290 
13291 		if (info->attrs[NL80211_ATTR_WIPHY_EDMG_BW_CONFIG])
13292 			connect.edmg.bw_config =
13293 				nla_get_u8(info->attrs[NL80211_ATTR_WIPHY_EDMG_BW_CONFIG]);
13294 	}
13295 
13296 	if (connect.privacy && info->attrs[NL80211_ATTR_KEYS]) {
13297 		connkeys = nl80211_parse_connkeys(rdev, info, NULL);
13298 		if (IS_ERR(connkeys))
13299 			return PTR_ERR(connkeys);
13300 	}
13301 
13302 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_HT]))
13303 		connect.flags |= ASSOC_REQ_DISABLE_HT;
13304 
13305 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
13306 		memcpy(&connect.ht_capa_mask,
13307 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK]),
13308 		       sizeof(connect.ht_capa_mask));
13309 
13310 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY]) {
13311 		if (!info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK]) {
13312 			kfree_sensitive(connkeys);
13313 			return -EINVAL;
13314 		}
13315 		memcpy(&connect.ht_capa,
13316 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]),
13317 		       sizeof(connect.ht_capa));
13318 	}
13319 
13320 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_VHT]))
13321 		connect.flags |= ASSOC_REQ_DISABLE_VHT;
13322 
13323 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_HE]))
13324 		connect.flags |= ASSOC_REQ_DISABLE_HE;
13325 
13326 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_EHT]))
13327 		connect.flags |= ASSOC_REQ_DISABLE_EHT;
13328 
13329 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_UHR]))
13330 		connect.flags |= ASSOC_REQ_DISABLE_UHR;
13331 
13332 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK])
13333 		memcpy(&connect.vht_capa_mask,
13334 		       nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK]),
13335 		       sizeof(connect.vht_capa_mask));
13336 
13337 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY]) {
13338 		if (!info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK]) {
13339 			kfree_sensitive(connkeys);
13340 			return -EINVAL;
13341 		}
13342 		memcpy(&connect.vht_capa,
13343 		       nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]),
13344 		       sizeof(connect.vht_capa));
13345 	}
13346 
13347 	if (nla_get_flag(info->attrs[NL80211_ATTR_USE_RRM])) {
13348 		if (!((rdev->wiphy.features &
13349 			NL80211_FEATURE_DS_PARAM_SET_IE_IN_PROBES) &&
13350 		       (rdev->wiphy.features & NL80211_FEATURE_QUIET)) &&
13351 		    !wiphy_ext_feature_isset(&rdev->wiphy,
13352 					     NL80211_EXT_FEATURE_RRM)) {
13353 			kfree_sensitive(connkeys);
13354 			return -EINVAL;
13355 		}
13356 		connect.flags |= ASSOC_REQ_USE_RRM;
13357 	}
13358 
13359 	connect.pbss = nla_get_flag(info->attrs[NL80211_ATTR_PBSS]);
13360 	if (connect.pbss && !rdev->wiphy.bands[NL80211_BAND_60GHZ]) {
13361 		kfree_sensitive(connkeys);
13362 		return -EOPNOTSUPP;
13363 	}
13364 
13365 	if (info->attrs[NL80211_ATTR_BSS_SELECT]) {
13366 		/* bss selection makes no sense if bssid is set */
13367 		if (connect.bssid) {
13368 			kfree_sensitive(connkeys);
13369 			return -EINVAL;
13370 		}
13371 
13372 		err = parse_bss_select(info->attrs[NL80211_ATTR_BSS_SELECT],
13373 				       wiphy, &connect.bss_select);
13374 		if (err) {
13375 			kfree_sensitive(connkeys);
13376 			return err;
13377 		}
13378 	}
13379 
13380 	if (wiphy_ext_feature_isset(&rdev->wiphy,
13381 				    NL80211_EXT_FEATURE_FILS_SK_OFFLOAD) &&
13382 	    info->attrs[NL80211_ATTR_FILS_ERP_USERNAME] &&
13383 	    info->attrs[NL80211_ATTR_FILS_ERP_REALM] &&
13384 	    info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM] &&
13385 	    info->attrs[NL80211_ATTR_FILS_ERP_RRK]) {
13386 		connect.fils_erp_username =
13387 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_USERNAME]);
13388 		connect.fils_erp_username_len =
13389 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_USERNAME]);
13390 		connect.fils_erp_realm =
13391 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_REALM]);
13392 		connect.fils_erp_realm_len =
13393 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_REALM]);
13394 		connect.fils_erp_next_seq_num =
13395 			nla_get_u16(
13396 			   info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM]);
13397 		connect.fils_erp_rrk =
13398 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_RRK]);
13399 		connect.fils_erp_rrk_len =
13400 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_RRK]);
13401 	} else if (info->attrs[NL80211_ATTR_FILS_ERP_USERNAME] ||
13402 		   info->attrs[NL80211_ATTR_FILS_ERP_REALM] ||
13403 		   info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM] ||
13404 		   info->attrs[NL80211_ATTR_FILS_ERP_RRK]) {
13405 		kfree_sensitive(connkeys);
13406 		return -EINVAL;
13407 	}
13408 
13409 	if (nla_get_flag(info->attrs[NL80211_ATTR_EXTERNAL_AUTH_SUPPORT])) {
13410 		if (!info->attrs[NL80211_ATTR_SOCKET_OWNER]) {
13411 			kfree_sensitive(connkeys);
13412 			GENL_SET_ERR_MSG(info,
13413 					 "external auth requires connection ownership");
13414 			return -EINVAL;
13415 		}
13416 		connect.flags |= CONNECT_REQ_EXTERNAL_AUTH_SUPPORT;
13417 	}
13418 
13419 	if (nla_get_flag(info->attrs[NL80211_ATTR_MLO_SUPPORT]))
13420 		connect.flags |= CONNECT_REQ_MLO_SUPPORT;
13421 
13422 	err = cfg80211_connect(rdev, dev, &connect, connkeys,
13423 			       connect.prev_bssid);
13424 	if (err)
13425 		kfree_sensitive(connkeys);
13426 
13427 	if (!err && info->attrs[NL80211_ATTR_SOCKET_OWNER]) {
13428 		dev->ieee80211_ptr->conn_owner_nlportid = info->snd_portid;
13429 		if (connect.bssid)
13430 			memcpy(dev->ieee80211_ptr->disconnect_bssid,
13431 			       connect.bssid, ETH_ALEN);
13432 		else
13433 			eth_zero_addr(dev->ieee80211_ptr->disconnect_bssid);
13434 	}
13435 
13436 	return err;
13437 }
13438 
13439 static int nl80211_update_connect_params(struct sk_buff *skb,
13440 					 struct genl_info *info)
13441 {
13442 	struct cfg80211_connect_params connect = {};
13443 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13444 	struct net_device *dev = info->user_ptr[1];
13445 	struct wireless_dev *wdev = dev->ieee80211_ptr;
13446 	bool fils_sk_offload;
13447 	u32 auth_type;
13448 	u32 changed = 0;
13449 
13450 	if (!rdev->ops->update_connect_params)
13451 		return -EOPNOTSUPP;
13452 
13453 	if (info->attrs[NL80211_ATTR_IE]) {
13454 		connect.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
13455 		connect.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
13456 		changed |= UPDATE_ASSOC_IES;
13457 	}
13458 
13459 	fils_sk_offload = wiphy_ext_feature_isset(&rdev->wiphy,
13460 						  NL80211_EXT_FEATURE_FILS_SK_OFFLOAD);
13461 
13462 	/*
13463 	 * when driver supports fils-sk offload all attributes must be
13464 	 * provided. So the else covers "fils-sk-not-all" and
13465 	 * "no-fils-sk-any".
13466 	 */
13467 	if (fils_sk_offload &&
13468 	    info->attrs[NL80211_ATTR_FILS_ERP_USERNAME] &&
13469 	    info->attrs[NL80211_ATTR_FILS_ERP_REALM] &&
13470 	    info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM] &&
13471 	    info->attrs[NL80211_ATTR_FILS_ERP_RRK]) {
13472 		connect.fils_erp_username =
13473 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_USERNAME]);
13474 		connect.fils_erp_username_len =
13475 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_USERNAME]);
13476 		connect.fils_erp_realm =
13477 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_REALM]);
13478 		connect.fils_erp_realm_len =
13479 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_REALM]);
13480 		connect.fils_erp_next_seq_num =
13481 			nla_get_u16(
13482 			   info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM]);
13483 		connect.fils_erp_rrk =
13484 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_RRK]);
13485 		connect.fils_erp_rrk_len =
13486 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_RRK]);
13487 		changed |= UPDATE_FILS_ERP_INFO;
13488 	} else if (info->attrs[NL80211_ATTR_FILS_ERP_USERNAME] ||
13489 		   info->attrs[NL80211_ATTR_FILS_ERP_REALM] ||
13490 		   info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM] ||
13491 		   info->attrs[NL80211_ATTR_FILS_ERP_RRK]) {
13492 		return -EINVAL;
13493 	}
13494 
13495 	if (info->attrs[NL80211_ATTR_AUTH_TYPE]) {
13496 		auth_type = nla_get_u32(info->attrs[NL80211_ATTR_AUTH_TYPE]);
13497 		if (!nl80211_valid_auth_type(rdev, auth_type,
13498 					     NL80211_CMD_CONNECT))
13499 			return -EINVAL;
13500 
13501 		if (auth_type == NL80211_AUTHTYPE_FILS_SK &&
13502 		    fils_sk_offload && !(changed & UPDATE_FILS_ERP_INFO))
13503 			return -EINVAL;
13504 
13505 		connect.auth_type = auth_type;
13506 		changed |= UPDATE_AUTH_TYPE;
13507 	}
13508 
13509 	if (!wdev->connected)
13510 		return -ENOLINK;
13511 
13512 	return rdev_update_connect_params(rdev, dev, &connect, changed);
13513 }
13514 
13515 static int nl80211_disconnect(struct sk_buff *skb, struct genl_info *info)
13516 {
13517 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13518 	struct net_device *dev = info->user_ptr[1];
13519 	u16 reason;
13520 
13521 	if (dev->ieee80211_ptr->conn_owner_nlportid &&
13522 	    dev->ieee80211_ptr->conn_owner_nlportid != info->snd_portid)
13523 		return -EPERM;
13524 
13525 	reason = nla_get_u16_default(info->attrs[NL80211_ATTR_REASON_CODE],
13526 				     WLAN_REASON_DEAUTH_LEAVING);
13527 
13528 	if (reason == 0)
13529 		return -EINVAL;
13530 
13531 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
13532 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
13533 		return -EOPNOTSUPP;
13534 
13535 	return cfg80211_disconnect(rdev, dev, reason, true);
13536 }
13537 
13538 static int nl80211_wiphy_netns(struct sk_buff *skb, struct genl_info *info)
13539 {
13540 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13541 	struct net *net;
13542 	int err;
13543 
13544 	if (info->attrs[NL80211_ATTR_PID]) {
13545 		u32 pid = nla_get_u32(info->attrs[NL80211_ATTR_PID]);
13546 
13547 		net = get_net_ns_by_pid(pid);
13548 	} else if (info->attrs[NL80211_ATTR_NETNS_FD]) {
13549 		u32 fd = nla_get_u32(info->attrs[NL80211_ATTR_NETNS_FD]);
13550 
13551 		net = get_net_ns_by_fd(fd);
13552 	} else {
13553 		return -EINVAL;
13554 	}
13555 
13556 	if (IS_ERR(net))
13557 		return PTR_ERR(net);
13558 
13559 	err = 0;
13560 
13561 	/* check if anything to do */
13562 	if (!net_eq(wiphy_net(&rdev->wiphy), net))
13563 		err = cfg80211_switch_netns(rdev, net);
13564 
13565 	put_net(net);
13566 	return err;
13567 }
13568 
13569 static int nl80211_set_pmksa(struct sk_buff *skb, struct genl_info *info)
13570 {
13571 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13572 	struct net_device *dev = info->user_ptr[1];
13573 	struct cfg80211_pmksa pmksa;
13574 	bool ap_pmksa_caching_support = false;
13575 
13576 	memset(&pmksa, 0, sizeof(struct cfg80211_pmksa));
13577 
13578 	ap_pmksa_caching_support = wiphy_ext_feature_isset(&rdev->wiphy,
13579 		NL80211_EXT_FEATURE_AP_PMKSA_CACHING);
13580 
13581 	if (!info->attrs[NL80211_ATTR_PMKID])
13582 		return -EINVAL;
13583 
13584 	pmksa.pmkid = nla_data(info->attrs[NL80211_ATTR_PMKID]);
13585 
13586 	if (info->attrs[NL80211_ATTR_MAC]) {
13587 		pmksa.bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
13588 	} else if (info->attrs[NL80211_ATTR_SSID] &&
13589 	           info->attrs[NL80211_ATTR_FILS_CACHE_ID] &&
13590 	           info->attrs[NL80211_ATTR_PMK]) {
13591 		pmksa.ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
13592 		pmksa.ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
13593 		pmksa.cache_id = nla_data(info->attrs[NL80211_ATTR_FILS_CACHE_ID]);
13594 	} else {
13595 		return -EINVAL;
13596 	}
13597 
13598 	if (info->attrs[NL80211_ATTR_PMK]) {
13599 		pmksa.pmk = nla_data(info->attrs[NL80211_ATTR_PMK]);
13600 		pmksa.pmk_len = nla_len(info->attrs[NL80211_ATTR_PMK]);
13601 	}
13602 
13603 	if (info->attrs[NL80211_ATTR_PMK_LIFETIME])
13604 		pmksa.pmk_lifetime =
13605 			nla_get_u32(info->attrs[NL80211_ATTR_PMK_LIFETIME]);
13606 
13607 	if (info->attrs[NL80211_ATTR_PMK_REAUTH_THRESHOLD])
13608 		pmksa.pmk_reauth_threshold =
13609 			nla_get_u8(info->attrs[NL80211_ATTR_PMK_REAUTH_THRESHOLD]);
13610 
13611 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
13612 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT &&
13613 	    !((dev->ieee80211_ptr->iftype == NL80211_IFTYPE_AP ||
13614 	       dev->ieee80211_ptr->iftype == NL80211_IFTYPE_P2P_GO) &&
13615 	       ap_pmksa_caching_support))
13616 		return -EOPNOTSUPP;
13617 
13618 	if (!rdev->ops->set_pmksa)
13619 		return -EOPNOTSUPP;
13620 
13621 	return rdev_set_pmksa(rdev, dev, &pmksa);
13622 }
13623 
13624 static int nl80211_del_pmksa(struct sk_buff *skb, struct genl_info *info)
13625 {
13626 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13627 	struct net_device *dev = info->user_ptr[1];
13628 	struct cfg80211_pmksa pmksa;
13629 	bool sae_offload_support = false;
13630 	bool owe_offload_support = false;
13631 	bool ap_pmksa_caching_support = false;
13632 
13633 	memset(&pmksa, 0, sizeof(struct cfg80211_pmksa));
13634 
13635 	sae_offload_support = wiphy_ext_feature_isset(&rdev->wiphy,
13636 		NL80211_EXT_FEATURE_SAE_OFFLOAD);
13637 	owe_offload_support = wiphy_ext_feature_isset(&rdev->wiphy,
13638 		NL80211_EXT_FEATURE_OWE_OFFLOAD);
13639 	ap_pmksa_caching_support = wiphy_ext_feature_isset(&rdev->wiphy,
13640 		NL80211_EXT_FEATURE_AP_PMKSA_CACHING);
13641 
13642 	if (info->attrs[NL80211_ATTR_PMKID])
13643 		pmksa.pmkid = nla_data(info->attrs[NL80211_ATTR_PMKID]);
13644 
13645 	if (info->attrs[NL80211_ATTR_MAC]) {
13646 		pmksa.bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
13647 	} else if (info->attrs[NL80211_ATTR_SSID]) {
13648 		/* SSID based pmksa flush supported only for FILS,
13649 		 * OWE/SAE OFFLOAD cases
13650 		 */
13651 		if (info->attrs[NL80211_ATTR_FILS_CACHE_ID] &&
13652 		    info->attrs[NL80211_ATTR_PMK]) {
13653 			pmksa.cache_id = nla_data(info->attrs[NL80211_ATTR_FILS_CACHE_ID]);
13654 		} else if (!sae_offload_support && !owe_offload_support) {
13655 			return -EINVAL;
13656 		}
13657 		pmksa.ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
13658 		pmksa.ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
13659 	} else {
13660 		return -EINVAL;
13661 	}
13662 
13663 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
13664 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT &&
13665 	    !((dev->ieee80211_ptr->iftype == NL80211_IFTYPE_AP ||
13666 	       dev->ieee80211_ptr->iftype == NL80211_IFTYPE_P2P_GO) &&
13667 	       ap_pmksa_caching_support))
13668 		return -EOPNOTSUPP;
13669 
13670 	if (!rdev->ops->del_pmksa)
13671 		return -EOPNOTSUPP;
13672 
13673 	return rdev_del_pmksa(rdev, dev, &pmksa);
13674 }
13675 
13676 static int nl80211_flush_pmksa(struct sk_buff *skb, struct genl_info *info)
13677 {
13678 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13679 	struct net_device *dev = info->user_ptr[1];
13680 
13681 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
13682 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
13683 		return -EOPNOTSUPP;
13684 
13685 	if (!rdev->ops->flush_pmksa)
13686 		return -EOPNOTSUPP;
13687 
13688 	return rdev_flush_pmksa(rdev, dev);
13689 }
13690 
13691 static int nl80211_tdls_mgmt(struct sk_buff *skb, struct genl_info *info)
13692 {
13693 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13694 	struct net_device *dev = info->user_ptr[1];
13695 	u8 action_code, dialog_token;
13696 	u32 peer_capability = 0;
13697 	u16 status_code;
13698 	u8 *peer;
13699 	int link_id;
13700 	bool initiator;
13701 
13702 	if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) ||
13703 	    !rdev->ops->tdls_mgmt)
13704 		return -EOPNOTSUPP;
13705 
13706 	if (!info->attrs[NL80211_ATTR_TDLS_ACTION] ||
13707 	    !info->attrs[NL80211_ATTR_STATUS_CODE] ||
13708 	    !info->attrs[NL80211_ATTR_TDLS_DIALOG_TOKEN] ||
13709 	    !info->attrs[NL80211_ATTR_IE] ||
13710 	    !info->attrs[NL80211_ATTR_MAC])
13711 		return -EINVAL;
13712 
13713 	peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
13714 	action_code = nla_get_u8(info->attrs[NL80211_ATTR_TDLS_ACTION]);
13715 	status_code = nla_get_u16(info->attrs[NL80211_ATTR_STATUS_CODE]);
13716 	dialog_token = nla_get_u8(info->attrs[NL80211_ATTR_TDLS_DIALOG_TOKEN]);
13717 	initiator = nla_get_flag(info->attrs[NL80211_ATTR_TDLS_INITIATOR]);
13718 	if (info->attrs[NL80211_ATTR_TDLS_PEER_CAPABILITY])
13719 		peer_capability =
13720 			nla_get_u32(info->attrs[NL80211_ATTR_TDLS_PEER_CAPABILITY]);
13721 	link_id = nl80211_link_id_or_invalid(info->attrs);
13722 
13723 	return rdev_tdls_mgmt(rdev, dev, peer, link_id, action_code,
13724 			      dialog_token, status_code, peer_capability,
13725 			      initiator,
13726 			      nla_data(info->attrs[NL80211_ATTR_IE]),
13727 			      nla_len(info->attrs[NL80211_ATTR_IE]));
13728 }
13729 
13730 static int nl80211_tdls_oper(struct sk_buff *skb, struct genl_info *info)
13731 {
13732 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13733 	struct net_device *dev = info->user_ptr[1];
13734 	enum nl80211_tdls_operation operation;
13735 	u8 *peer;
13736 
13737 	if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) ||
13738 	    !rdev->ops->tdls_oper)
13739 		return -EOPNOTSUPP;
13740 
13741 	if (!info->attrs[NL80211_ATTR_TDLS_OPERATION] ||
13742 	    !info->attrs[NL80211_ATTR_MAC])
13743 		return -EINVAL;
13744 
13745 	operation = nla_get_u8(info->attrs[NL80211_ATTR_TDLS_OPERATION]);
13746 	peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
13747 
13748 	return rdev_tdls_oper(rdev, dev, peer, operation);
13749 }
13750 
13751 static int nl80211_remain_on_channel(struct sk_buff *skb,
13752 				     struct genl_info *info)
13753 {
13754 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13755 	unsigned int link_id = nl80211_link_id(info->attrs);
13756 	struct wireless_dev *wdev = info->user_ptr[1];
13757 	struct cfg80211_chan_def chandef;
13758 	struct sk_buff *msg;
13759 	void *hdr;
13760 	u64 cookie;
13761 	u32 duration;
13762 	int err;
13763 
13764 	if (!info->attrs[NL80211_ATTR_WIPHY_FREQ] ||
13765 	    !info->attrs[NL80211_ATTR_DURATION])
13766 		return -EINVAL;
13767 
13768 	duration = nla_get_u32(info->attrs[NL80211_ATTR_DURATION]);
13769 
13770 	if (!rdev->ops->remain_on_channel ||
13771 	    !(rdev->wiphy.flags & WIPHY_FLAG_HAS_REMAIN_ON_CHANNEL))
13772 		return -EOPNOTSUPP;
13773 
13774 	/*
13775 	 * We should be on that channel for at least a minimum amount of
13776 	 * time (10ms) but no longer than the driver supports.
13777 	 */
13778 	if (duration < NL80211_MIN_REMAIN_ON_CHANNEL_TIME ||
13779 	    duration > rdev->wiphy.max_remain_on_channel_duration)
13780 		return -EINVAL;
13781 
13782 	err = nl80211_parse_chandef(rdev, info, &chandef);
13783 	if (err)
13784 		return err;
13785 
13786 	if (!cfg80211_off_channel_oper_allowed(wdev, chandef.chan)) {
13787 		const struct cfg80211_chan_def *oper_chandef, *compat_chandef;
13788 
13789 		oper_chandef = wdev_chandef(wdev, link_id);
13790 
13791 		if (WARN_ON(!oper_chandef)) {
13792 			/* cannot happen since we must beacon to get here */
13793 			WARN_ON(1);
13794 			return -EBUSY;
13795 		}
13796 
13797 		/* note: returns first one if identical chandefs */
13798 		compat_chandef = cfg80211_chandef_compatible(&chandef,
13799 							     oper_chandef);
13800 
13801 		if (compat_chandef != &chandef)
13802 			return -EBUSY;
13803 	}
13804 
13805 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
13806 	if (!msg)
13807 		return -ENOMEM;
13808 
13809 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
13810 			     NL80211_CMD_REMAIN_ON_CHANNEL);
13811 	if (!hdr) {
13812 		err = -ENOBUFS;
13813 		goto free_msg;
13814 	}
13815 
13816 	err = rdev_remain_on_channel(rdev, wdev, chandef.chan,
13817 				     duration, &cookie);
13818 
13819 	if (err)
13820 		goto free_msg;
13821 
13822 	if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
13823 			      NL80211_ATTR_PAD))
13824 		goto nla_put_failure;
13825 
13826 	genlmsg_end(msg, hdr);
13827 
13828 	return genlmsg_reply(msg, info);
13829 
13830  nla_put_failure:
13831 	err = -ENOBUFS;
13832  free_msg:
13833 	nlmsg_free(msg);
13834 	return err;
13835 }
13836 
13837 static int nl80211_cancel_remain_on_channel(struct sk_buff *skb,
13838 					    struct genl_info *info)
13839 {
13840 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13841 	struct wireless_dev *wdev = info->user_ptr[1];
13842 	u64 cookie;
13843 
13844 	if (!info->attrs[NL80211_ATTR_COOKIE])
13845 		return -EINVAL;
13846 
13847 	if (!rdev->ops->cancel_remain_on_channel)
13848 		return -EOPNOTSUPP;
13849 
13850 	cookie = nla_get_u64(info->attrs[NL80211_ATTR_COOKIE]);
13851 
13852 	return rdev_cancel_remain_on_channel(rdev, wdev, cookie);
13853 }
13854 
13855 static int nl80211_set_tx_bitrate_mask(struct sk_buff *skb,
13856 				       struct genl_info *info)
13857 {
13858 	struct cfg80211_bitrate_mask mask;
13859 	unsigned int link_id = nl80211_link_id(info->attrs);
13860 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13861 	struct net_device *dev = info->user_ptr[1];
13862 	int err;
13863 
13864 	if (!rdev->ops->set_bitrate_mask)
13865 		return -EOPNOTSUPP;
13866 
13867 	err = nl80211_parse_tx_bitrate_mask(info, info->attrs,
13868 					    NL80211_ATTR_TX_RATES, &mask,
13869 					    dev, true, link_id);
13870 	if (err)
13871 		return err;
13872 
13873 	return rdev_set_bitrate_mask(rdev, dev, link_id, NULL, &mask);
13874 }
13875 
13876 static int nl80211_register_mgmt(struct sk_buff *skb, struct genl_info *info)
13877 {
13878 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13879 	struct wireless_dev *wdev = info->user_ptr[1];
13880 	u16 frame_type = IEEE80211_FTYPE_MGMT | IEEE80211_STYPE_ACTION;
13881 
13882 	if (!info->attrs[NL80211_ATTR_FRAME_MATCH])
13883 		return -EINVAL;
13884 
13885 	if (info->attrs[NL80211_ATTR_FRAME_TYPE])
13886 		frame_type = nla_get_u16(info->attrs[NL80211_ATTR_FRAME_TYPE]);
13887 
13888 	switch (wdev->iftype) {
13889 	case NL80211_IFTYPE_STATION:
13890 	case NL80211_IFTYPE_ADHOC:
13891 	case NL80211_IFTYPE_P2P_CLIENT:
13892 	case NL80211_IFTYPE_AP:
13893 	case NL80211_IFTYPE_AP_VLAN:
13894 	case NL80211_IFTYPE_MESH_POINT:
13895 	case NL80211_IFTYPE_P2P_GO:
13896 	case NL80211_IFTYPE_P2P_DEVICE:
13897 		break;
13898 	case NL80211_IFTYPE_NAN:
13899 		if (!wiphy_ext_feature_isset(wdev->wiphy,
13900 					     NL80211_EXT_FEATURE_SECURE_NAN) &&
13901 		    !(wdev->wiphy->nan_capa.flags &
13902 		      WIPHY_NAN_FLAGS_USERSPACE_DE))
13903 			return -EOPNOTSUPP;
13904 		break;
13905 	default:
13906 		return -EOPNOTSUPP;
13907 	}
13908 
13909 	/* not much point in registering if we can't reply */
13910 	if (!rdev->ops->mgmt_tx)
13911 		return -EOPNOTSUPP;
13912 
13913 	if (info->attrs[NL80211_ATTR_RECEIVE_MULTICAST] &&
13914 	    !wiphy_ext_feature_isset(&rdev->wiphy,
13915 				     NL80211_EXT_FEATURE_MULTICAST_REGISTRATIONS)) {
13916 		GENL_SET_ERR_MSG(info,
13917 				 "multicast RX registrations are not supported");
13918 		return -EOPNOTSUPP;
13919 	}
13920 
13921 	return cfg80211_mlme_register_mgmt(wdev, info->snd_portid, frame_type,
13922 					   nla_data(info->attrs[NL80211_ATTR_FRAME_MATCH]),
13923 					   nla_len(info->attrs[NL80211_ATTR_FRAME_MATCH]),
13924 					   info->attrs[NL80211_ATTR_RECEIVE_MULTICAST],
13925 					   info->extack);
13926 }
13927 
13928 static int nl80211_tx_mgmt(struct sk_buff *skb, struct genl_info *info)
13929 {
13930 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13931 	struct wireless_dev *wdev = info->user_ptr[1];
13932 	struct cfg80211_chan_def chandef;
13933 	int err;
13934 	void *hdr = NULL;
13935 	u64 cookie;
13936 	struct sk_buff *msg = NULL;
13937 	struct cfg80211_mgmt_tx_params params = {
13938 		.dont_wait_for_ack =
13939 			info->attrs[NL80211_ATTR_DONT_WAIT_FOR_ACK],
13940 	};
13941 
13942 	if (!info->attrs[NL80211_ATTR_FRAME])
13943 		return -EINVAL;
13944 
13945 	if (!rdev->ops->mgmt_tx)
13946 		return -EOPNOTSUPP;
13947 
13948 	switch (wdev->iftype) {
13949 	case NL80211_IFTYPE_P2P_DEVICE:
13950 		if (!info->attrs[NL80211_ATTR_WIPHY_FREQ])
13951 			return -EINVAL;
13952 		break;
13953 	case NL80211_IFTYPE_STATION:
13954 	case NL80211_IFTYPE_ADHOC:
13955 	case NL80211_IFTYPE_P2P_CLIENT:
13956 	case NL80211_IFTYPE_AP:
13957 	case NL80211_IFTYPE_AP_VLAN:
13958 	case NL80211_IFTYPE_MESH_POINT:
13959 	case NL80211_IFTYPE_P2P_GO:
13960 		break;
13961 	case NL80211_IFTYPE_NAN:
13962 		if (!wiphy_ext_feature_isset(wdev->wiphy,
13963 					     NL80211_EXT_FEATURE_SECURE_NAN) &&
13964 		    !(wdev->wiphy->nan_capa.flags &
13965 		      WIPHY_NAN_FLAGS_USERSPACE_DE))
13966 			return -EOPNOTSUPP;
13967 		break;
13968 	default:
13969 		return -EOPNOTSUPP;
13970 	}
13971 
13972 	if (info->attrs[NL80211_ATTR_DURATION]) {
13973 		if (!(rdev->wiphy.flags & WIPHY_FLAG_OFFCHAN_TX))
13974 			return -EINVAL;
13975 		params.wait = nla_get_u32(info->attrs[NL80211_ATTR_DURATION]);
13976 
13977 		/*
13978 		 * We should wait on the channel for at least a minimum amount
13979 		 * of time (10ms) but no longer than the driver supports.
13980 		 */
13981 		if (params.wait < NL80211_MIN_REMAIN_ON_CHANNEL_TIME ||
13982 		    params.wait > rdev->wiphy.max_remain_on_channel_duration)
13983 			return -EINVAL;
13984 	}
13985 
13986 	params.offchan = info->attrs[NL80211_ATTR_OFFCHANNEL_TX_OK];
13987 
13988 	if (params.offchan && !(rdev->wiphy.flags & WIPHY_FLAG_OFFCHAN_TX))
13989 		return -EINVAL;
13990 
13991 	params.no_cck = nla_get_flag(info->attrs[NL80211_ATTR_TX_NO_CCK_RATE]);
13992 
13993 	/* get the channel if any has been specified, otherwise pass NULL to
13994 	 * the driver. The latter will use the current one
13995 	 */
13996 	chandef.chan = NULL;
13997 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
13998 		err = nl80211_parse_chandef(rdev, info, &chandef);
13999 		if (err)
14000 			return err;
14001 	}
14002 
14003 	if (!chandef.chan && params.offchan)
14004 		return -EINVAL;
14005 
14006 	if (params.offchan &&
14007 	    !cfg80211_off_channel_oper_allowed(wdev, chandef.chan))
14008 		return -EBUSY;
14009 
14010 	params.link_id = nl80211_link_id_or_invalid(info->attrs);
14011 	/*
14012 	 * This now races due to the unlock, but we cannot check
14013 	 * the valid links for the _station_ anyway, so that's up
14014 	 * to the driver.
14015 	 */
14016 	if (params.link_id >= 0 &&
14017 	    !(wdev->valid_links & BIT(params.link_id)))
14018 		return -EINVAL;
14019 
14020 	params.buf = nla_data(info->attrs[NL80211_ATTR_FRAME]);
14021 	params.len = nla_len(info->attrs[NL80211_ATTR_FRAME]);
14022 
14023 	err = nl80211_parse_counter_offsets(rdev, NULL, params.len, -1,
14024 					    info->attrs[NL80211_ATTR_CSA_C_OFFSETS_TX],
14025 					    &params.csa_offsets,
14026 					    &params.n_csa_offsets);
14027 	if (err)
14028 		return err;
14029 
14030 	if (!params.dont_wait_for_ack) {
14031 		msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
14032 		if (!msg)
14033 			return -ENOMEM;
14034 
14035 		hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
14036 				     NL80211_CMD_FRAME);
14037 		if (!hdr) {
14038 			err = -ENOBUFS;
14039 			goto free_msg;
14040 		}
14041 	}
14042 
14043 	params.chan = chandef.chan;
14044 	err = cfg80211_mlme_mgmt_tx(rdev, wdev, &params, &cookie);
14045 	if (err)
14046 		goto free_msg;
14047 
14048 	if (msg) {
14049 		if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
14050 				      NL80211_ATTR_PAD))
14051 			goto nla_put_failure;
14052 
14053 		genlmsg_end(msg, hdr);
14054 		return genlmsg_reply(msg, info);
14055 	}
14056 
14057 	return 0;
14058 
14059  nla_put_failure:
14060 	err = -ENOBUFS;
14061  free_msg:
14062 	nlmsg_free(msg);
14063 	return err;
14064 }
14065 
14066 static int nl80211_tx_mgmt_cancel_wait(struct sk_buff *skb, struct genl_info *info)
14067 {
14068 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14069 	struct wireless_dev *wdev = info->user_ptr[1];
14070 	u64 cookie;
14071 
14072 	if (!info->attrs[NL80211_ATTR_COOKIE])
14073 		return -EINVAL;
14074 
14075 	if (!rdev->ops->mgmt_tx_cancel_wait)
14076 		return -EOPNOTSUPP;
14077 
14078 	switch (wdev->iftype) {
14079 	case NL80211_IFTYPE_STATION:
14080 	case NL80211_IFTYPE_ADHOC:
14081 	case NL80211_IFTYPE_P2P_CLIENT:
14082 	case NL80211_IFTYPE_AP:
14083 	case NL80211_IFTYPE_AP_VLAN:
14084 	case NL80211_IFTYPE_P2P_GO:
14085 	case NL80211_IFTYPE_P2P_DEVICE:
14086 		break;
14087 	case NL80211_IFTYPE_NAN:
14088 		if (!wiphy_ext_feature_isset(wdev->wiphy,
14089 					     NL80211_EXT_FEATURE_SECURE_NAN))
14090 			return -EOPNOTSUPP;
14091 		break;
14092 	default:
14093 		return -EOPNOTSUPP;
14094 	}
14095 
14096 	cookie = nla_get_u64(info->attrs[NL80211_ATTR_COOKIE]);
14097 
14098 	return rdev_mgmt_tx_cancel_wait(rdev, wdev, cookie);
14099 }
14100 
14101 static int nl80211_set_power_save(struct sk_buff *skb, struct genl_info *info)
14102 {
14103 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14104 	struct wireless_dev *wdev;
14105 	struct net_device *dev = info->user_ptr[1];
14106 	u8 ps_state;
14107 	bool state;
14108 	int err;
14109 
14110 	if (!info->attrs[NL80211_ATTR_PS_STATE])
14111 		return -EINVAL;
14112 
14113 	ps_state = nla_get_u32(info->attrs[NL80211_ATTR_PS_STATE]);
14114 
14115 	wdev = dev->ieee80211_ptr;
14116 
14117 	if (!rdev->ops->set_power_mgmt)
14118 		return -EOPNOTSUPP;
14119 
14120 	state = (ps_state == NL80211_PS_ENABLED) ? true : false;
14121 
14122 	if (state == wdev->ps)
14123 		return 0;
14124 
14125 	err = rdev_set_power_mgmt(rdev, dev, state, wdev->ps_timeout);
14126 	if (!err)
14127 		wdev->ps = state;
14128 	return err;
14129 }
14130 
14131 static int nl80211_get_power_save(struct sk_buff *skb, struct genl_info *info)
14132 {
14133 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14134 	enum nl80211_ps_state ps_state;
14135 	struct wireless_dev *wdev;
14136 	struct net_device *dev = info->user_ptr[1];
14137 	struct sk_buff *msg;
14138 	void *hdr;
14139 	int err;
14140 
14141 	wdev = dev->ieee80211_ptr;
14142 
14143 	if (!rdev->ops->set_power_mgmt)
14144 		return -EOPNOTSUPP;
14145 
14146 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
14147 	if (!msg)
14148 		return -ENOMEM;
14149 
14150 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
14151 			     NL80211_CMD_GET_POWER_SAVE);
14152 	if (!hdr) {
14153 		err = -ENOBUFS;
14154 		goto free_msg;
14155 	}
14156 
14157 	if (wdev->ps)
14158 		ps_state = NL80211_PS_ENABLED;
14159 	else
14160 		ps_state = NL80211_PS_DISABLED;
14161 
14162 	if (nla_put_u32(msg, NL80211_ATTR_PS_STATE, ps_state))
14163 		goto nla_put_failure;
14164 
14165 	genlmsg_end(msg, hdr);
14166 	return genlmsg_reply(msg, info);
14167 
14168  nla_put_failure:
14169 	err = -ENOBUFS;
14170  free_msg:
14171 	nlmsg_free(msg);
14172 	return err;
14173 }
14174 
14175 static const struct nla_policy
14176 nl80211_attr_cqm_policy[NL80211_ATTR_CQM_MAX + 1] = {
14177 	[NL80211_ATTR_CQM_RSSI_THOLD] = { .type = NLA_BINARY },
14178 	[NL80211_ATTR_CQM_RSSI_HYST] = { .type = NLA_U32 },
14179 	[NL80211_ATTR_CQM_RSSI_THRESHOLD_EVENT] = { .type = NLA_U32 },
14180 	[NL80211_ATTR_CQM_TXE_RATE] = { .type = NLA_U32 },
14181 	[NL80211_ATTR_CQM_TXE_PKTS] = { .type = NLA_U32 },
14182 	[NL80211_ATTR_CQM_TXE_INTVL] = { .type = NLA_U32 },
14183 	[NL80211_ATTR_CQM_RSSI_LEVEL] = { .type = NLA_S32 },
14184 };
14185 
14186 static int nl80211_set_cqm_txe(struct genl_info *info,
14187 			       u32 rate, u32 pkts, u32 intvl)
14188 {
14189 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14190 	struct net_device *dev = info->user_ptr[1];
14191 	struct wireless_dev *wdev = dev->ieee80211_ptr;
14192 
14193 	if (rate > 100 || intvl > NL80211_CQM_TXE_MAX_INTVL)
14194 		return -EINVAL;
14195 
14196 	if (!rdev->ops->set_cqm_txe_config)
14197 		return -EOPNOTSUPP;
14198 
14199 	if (wdev->iftype != NL80211_IFTYPE_STATION &&
14200 	    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT)
14201 		return -EOPNOTSUPP;
14202 
14203 	return rdev_set_cqm_txe_config(rdev, dev, rate, pkts, intvl);
14204 }
14205 
14206 static int cfg80211_cqm_rssi_update(struct cfg80211_registered_device *rdev,
14207 				    struct net_device *dev,
14208 				    struct cfg80211_cqm_config *cqm_config)
14209 {
14210 	struct wireless_dev *wdev = dev->ieee80211_ptr;
14211 	s32 last, low, high;
14212 	u32 hyst;
14213 	int i, n, low_index;
14214 	int err;
14215 
14216 	/*
14217 	 * Obtain current RSSI value if possible, if not and no RSSI threshold
14218 	 * event has been received yet, we should receive an event after a
14219 	 * connection is established and enough beacons received to calculate
14220 	 * the average.
14221 	 */
14222 	if (!cqm_config->last_rssi_event_value &&
14223 	    wdev->links[0].client.current_bss &&
14224 	    rdev->ops->get_station) {
14225 		struct station_info sinfo = {};
14226 		u8 *mac_addr;
14227 
14228 		mac_addr = wdev->links[0].client.current_bss->pub.bssid;
14229 
14230 		err = rdev_get_station(rdev, dev, mac_addr, &sinfo);
14231 		if (err)
14232 			return err;
14233 
14234 		cfg80211_sinfo_release_content(&sinfo);
14235 		if (sinfo.filled & BIT_ULL(NL80211_STA_INFO_BEACON_SIGNAL_AVG))
14236 			cqm_config->last_rssi_event_value =
14237 				(s8) sinfo.rx_beacon_signal_avg;
14238 	}
14239 
14240 	last = cqm_config->last_rssi_event_value;
14241 	hyst = cqm_config->rssi_hyst;
14242 	n = cqm_config->n_rssi_thresholds;
14243 
14244 	for (i = 0; i < n; i++) {
14245 		i = array_index_nospec(i, n);
14246 		if (last < cqm_config->rssi_thresholds[i])
14247 			break;
14248 	}
14249 
14250 	low_index = i - 1;
14251 	if (low_index >= 0) {
14252 		low_index = array_index_nospec(low_index, n);
14253 		low = cqm_config->rssi_thresholds[low_index] - hyst;
14254 	} else {
14255 		low = S32_MIN;
14256 	}
14257 	if (i < n) {
14258 		i = array_index_nospec(i, n);
14259 		high = cqm_config->rssi_thresholds[i] + hyst - 1;
14260 	} else {
14261 		high = S32_MAX;
14262 	}
14263 
14264 	return rdev_set_cqm_rssi_range_config(rdev, dev, low, high);
14265 }
14266 
14267 static int nl80211_set_cqm_rssi(struct genl_info *info,
14268 				const s32 *thresholds, int n_thresholds,
14269 				u32 hysteresis)
14270 {
14271 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14272 	struct cfg80211_cqm_config *cqm_config = NULL, *old;
14273 	struct net_device *dev = info->user_ptr[1];
14274 	struct wireless_dev *wdev = dev->ieee80211_ptr;
14275 	s32 prev = S32_MIN;
14276 	int i, err;
14277 
14278 	/* Check all values negative and sorted */
14279 	for (i = 0; i < n_thresholds; i++) {
14280 		if (thresholds[i] > 0 || thresholds[i] <= prev)
14281 			return -EINVAL;
14282 
14283 		prev = thresholds[i];
14284 	}
14285 
14286 	if (wdev->iftype != NL80211_IFTYPE_STATION &&
14287 	    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT)
14288 		return -EOPNOTSUPP;
14289 
14290 	if (n_thresholds == 1 && thresholds[0] == 0) /* Disabling */
14291 		n_thresholds = 0;
14292 
14293 	old = wiphy_dereference(wdev->wiphy, wdev->cqm_config);
14294 
14295 	/* if already disabled just succeed */
14296 	if (!n_thresholds && !old)
14297 		return 0;
14298 
14299 	if (n_thresholds > 1) {
14300 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
14301 					     NL80211_EXT_FEATURE_CQM_RSSI_LIST) ||
14302 		    !rdev->ops->set_cqm_rssi_range_config)
14303 			return -EOPNOTSUPP;
14304 	} else {
14305 		if (!rdev->ops->set_cqm_rssi_config)
14306 			return -EOPNOTSUPP;
14307 	}
14308 
14309 	if (n_thresholds) {
14310 		cqm_config = kzalloc_flex(*cqm_config, rssi_thresholds,
14311 					  n_thresholds);
14312 		if (!cqm_config)
14313 			return -ENOMEM;
14314 
14315 		cqm_config->rssi_hyst = hysteresis;
14316 		cqm_config->n_rssi_thresholds = n_thresholds;
14317 		memcpy(cqm_config->rssi_thresholds, thresholds,
14318 		       flex_array_size(cqm_config, rssi_thresholds,
14319 				       n_thresholds));
14320 		cqm_config->use_range_api = n_thresholds > 1 ||
14321 					    !rdev->ops->set_cqm_rssi_config;
14322 
14323 		rcu_assign_pointer(wdev->cqm_config, cqm_config);
14324 
14325 		if (cqm_config->use_range_api)
14326 			err = cfg80211_cqm_rssi_update(rdev, dev, cqm_config);
14327 		else
14328 			err = rdev_set_cqm_rssi_config(rdev, dev,
14329 						       thresholds[0],
14330 						       hysteresis);
14331 	} else {
14332 		RCU_INIT_POINTER(wdev->cqm_config, NULL);
14333 		/* if enabled as range also disable via range */
14334 		if (old->use_range_api)
14335 			err = rdev_set_cqm_rssi_range_config(rdev, dev, 0, 0);
14336 		else
14337 			err = rdev_set_cqm_rssi_config(rdev, dev, 0, 0);
14338 	}
14339 
14340 	if (err) {
14341 		rcu_assign_pointer(wdev->cqm_config, old);
14342 		kfree_rcu(cqm_config, rcu_head);
14343 	} else {
14344 		kfree_rcu(old, rcu_head);
14345 	}
14346 
14347 	return err;
14348 }
14349 
14350 static int nl80211_set_cqm(struct sk_buff *skb, struct genl_info *info)
14351 {
14352 	struct nlattr *attrs[NL80211_ATTR_CQM_MAX + 1];
14353 	struct nlattr *cqm;
14354 	int err;
14355 
14356 	cqm = info->attrs[NL80211_ATTR_CQM];
14357 	if (!cqm)
14358 		return -EINVAL;
14359 
14360 	err = nla_parse_nested_deprecated(attrs, NL80211_ATTR_CQM_MAX, cqm,
14361 					  nl80211_attr_cqm_policy,
14362 					  info->extack);
14363 	if (err)
14364 		return err;
14365 
14366 	if (attrs[NL80211_ATTR_CQM_RSSI_THOLD] &&
14367 	    attrs[NL80211_ATTR_CQM_RSSI_HYST]) {
14368 		const s32 *thresholds =
14369 			nla_data(attrs[NL80211_ATTR_CQM_RSSI_THOLD]);
14370 		int len = nla_len(attrs[NL80211_ATTR_CQM_RSSI_THOLD]);
14371 		u32 hysteresis = nla_get_u32(attrs[NL80211_ATTR_CQM_RSSI_HYST]);
14372 
14373 		if (len % 4)
14374 			return -EINVAL;
14375 
14376 		return nl80211_set_cqm_rssi(info, thresholds, len / 4,
14377 					    hysteresis);
14378 	}
14379 
14380 	if (attrs[NL80211_ATTR_CQM_TXE_RATE] &&
14381 	    attrs[NL80211_ATTR_CQM_TXE_PKTS] &&
14382 	    attrs[NL80211_ATTR_CQM_TXE_INTVL]) {
14383 		u32 rate = nla_get_u32(attrs[NL80211_ATTR_CQM_TXE_RATE]);
14384 		u32 pkts = nla_get_u32(attrs[NL80211_ATTR_CQM_TXE_PKTS]);
14385 		u32 intvl = nla_get_u32(attrs[NL80211_ATTR_CQM_TXE_INTVL]);
14386 
14387 		return nl80211_set_cqm_txe(info, rate, pkts, intvl);
14388 	}
14389 
14390 	return -EINVAL;
14391 }
14392 
14393 static int nl80211_join_ocb(struct sk_buff *skb, struct genl_info *info)
14394 {
14395 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14396 	struct net_device *dev = info->user_ptr[1];
14397 	struct ocb_setup setup = {};
14398 	int err;
14399 
14400 	err = nl80211_parse_chandef(rdev, info, &setup.chandef);
14401 	if (err)
14402 		return err;
14403 
14404 	return cfg80211_join_ocb(rdev, dev, &setup);
14405 }
14406 
14407 static int nl80211_leave_ocb(struct sk_buff *skb, struct genl_info *info)
14408 {
14409 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14410 	struct net_device *dev = info->user_ptr[1];
14411 
14412 	return cfg80211_leave_ocb(rdev, dev);
14413 }
14414 
14415 static int nl80211_join_mesh(struct sk_buff *skb, struct genl_info *info)
14416 {
14417 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14418 	struct net_device *dev = info->user_ptr[1];
14419 	struct mesh_config cfg;
14420 	struct mesh_setup setup;
14421 	int err;
14422 
14423 	/* start with default */
14424 	memcpy(&cfg, &default_mesh_config, sizeof(cfg));
14425 	memcpy(&setup, &default_mesh_setup, sizeof(setup));
14426 
14427 	if (info->attrs[NL80211_ATTR_MESH_CONFIG]) {
14428 		/* and parse parameters if given */
14429 		err = nl80211_parse_mesh_config(info, &cfg, NULL);
14430 		if (err)
14431 			return err;
14432 	}
14433 
14434 	if (!info->attrs[NL80211_ATTR_MESH_ID] ||
14435 	    !nla_len(info->attrs[NL80211_ATTR_MESH_ID]))
14436 		return -EINVAL;
14437 
14438 	setup.mesh_id = nla_data(info->attrs[NL80211_ATTR_MESH_ID]);
14439 	setup.mesh_id_len = nla_len(info->attrs[NL80211_ATTR_MESH_ID]);
14440 
14441 	if (info->attrs[NL80211_ATTR_MCAST_RATE] &&
14442 	    !nl80211_parse_mcast_rate(rdev, setup.mcast_rate,
14443 			    nla_get_u32(info->attrs[NL80211_ATTR_MCAST_RATE])))
14444 			return -EINVAL;
14445 
14446 	if (info->attrs[NL80211_ATTR_BEACON_INTERVAL]) {
14447 		setup.beacon_interval =
14448 			nla_get_u32(info->attrs[NL80211_ATTR_BEACON_INTERVAL]);
14449 
14450 		err = cfg80211_validate_beacon_int(rdev,
14451 						   NL80211_IFTYPE_MESH_POINT,
14452 						   setup.beacon_interval);
14453 		if (err)
14454 			return err;
14455 	}
14456 
14457 	if (info->attrs[NL80211_ATTR_DTIM_PERIOD]) {
14458 		setup.dtim_period =
14459 			nla_get_u32(info->attrs[NL80211_ATTR_DTIM_PERIOD]);
14460 		if (setup.dtim_period < 1 || setup.dtim_period > 100)
14461 			return -EINVAL;
14462 	}
14463 
14464 	if (info->attrs[NL80211_ATTR_MESH_SETUP]) {
14465 		/* parse additional setup parameters if given */
14466 		err = nl80211_parse_mesh_setup(info, &setup);
14467 		if (err)
14468 			return err;
14469 	}
14470 
14471 	if (setup.user_mpm)
14472 		cfg.auto_open_plinks = false;
14473 
14474 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
14475 		err = nl80211_parse_chandef(rdev, info, &setup.chandef);
14476 		if (err)
14477 			return err;
14478 	} else {
14479 		/* __cfg80211_join_mesh() will sort it out */
14480 		setup.chandef.chan = NULL;
14481 	}
14482 
14483 	if (info->attrs[NL80211_ATTR_BSS_BASIC_RATES]) {
14484 		u8 *rates = nla_data(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
14485 		int n_rates =
14486 			nla_len(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
14487 		struct ieee80211_supported_band *sband;
14488 
14489 		if (!setup.chandef.chan)
14490 			return -EINVAL;
14491 
14492 		sband = rdev->wiphy.bands[setup.chandef.chan->band];
14493 
14494 		err = ieee80211_get_ratemask(sband, rates, n_rates,
14495 					     &setup.basic_rates);
14496 		if (err)
14497 			return err;
14498 	}
14499 
14500 	if (info->attrs[NL80211_ATTR_TX_RATES]) {
14501 		err = nl80211_parse_tx_bitrate_mask(info, info->attrs,
14502 						    NL80211_ATTR_TX_RATES,
14503 						    &setup.beacon_rate,
14504 						    dev, false, 0);
14505 		if (err)
14506 			return err;
14507 
14508 		if (!setup.chandef.chan)
14509 			return -EINVAL;
14510 
14511 		err = validate_beacon_tx_rate(rdev, setup.chandef.chan->band,
14512 					      &setup.beacon_rate);
14513 		if (err)
14514 			return err;
14515 	}
14516 
14517 	setup.userspace_handles_dfs =
14518 		nla_get_flag(info->attrs[NL80211_ATTR_HANDLE_DFS]);
14519 
14520 	if (info->attrs[NL80211_ATTR_CONTROL_PORT_OVER_NL80211]) {
14521 		int r = validate_pae_over_nl80211(rdev, info);
14522 
14523 		if (r < 0)
14524 			return r;
14525 
14526 		setup.control_port_over_nl80211 = true;
14527 	}
14528 
14529 	err = __cfg80211_join_mesh(rdev, dev, &setup, &cfg);
14530 	if (!err && info->attrs[NL80211_ATTR_SOCKET_OWNER])
14531 		dev->ieee80211_ptr->conn_owner_nlportid = info->snd_portid;
14532 
14533 	return err;
14534 }
14535 
14536 static int nl80211_leave_mesh(struct sk_buff *skb, struct genl_info *info)
14537 {
14538 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14539 	struct net_device *dev = info->user_ptr[1];
14540 
14541 	return cfg80211_leave_mesh(rdev, dev);
14542 }
14543 
14544 #ifdef CONFIG_PM
14545 static int nl80211_send_wowlan_patterns(struct sk_buff *msg,
14546 					struct cfg80211_registered_device *rdev)
14547 {
14548 	struct cfg80211_wowlan *wowlan = rdev->wiphy.wowlan_config;
14549 	struct nlattr *nl_pats, *nl_pat;
14550 	int i, pat_len;
14551 
14552 	if (!wowlan->n_patterns)
14553 		return 0;
14554 
14555 	nl_pats = nla_nest_start_noflag(msg, NL80211_WOWLAN_TRIG_PKT_PATTERN);
14556 	if (!nl_pats)
14557 		return -ENOBUFS;
14558 
14559 	for (i = 0; i < wowlan->n_patterns; i++) {
14560 		nl_pat = nla_nest_start_noflag(msg, i + 1);
14561 		if (!nl_pat)
14562 			return -ENOBUFS;
14563 		pat_len = wowlan->patterns[i].pattern_len;
14564 		if (nla_put(msg, NL80211_PKTPAT_MASK, DIV_ROUND_UP(pat_len, 8),
14565 			    wowlan->patterns[i].mask) ||
14566 		    nla_put(msg, NL80211_PKTPAT_PATTERN, pat_len,
14567 			    wowlan->patterns[i].pattern) ||
14568 		    nla_put_u32(msg, NL80211_PKTPAT_OFFSET,
14569 				wowlan->patterns[i].pkt_offset))
14570 			return -ENOBUFS;
14571 		nla_nest_end(msg, nl_pat);
14572 	}
14573 	nla_nest_end(msg, nl_pats);
14574 
14575 	return 0;
14576 }
14577 
14578 static int nl80211_send_wowlan_tcp(struct sk_buff *msg,
14579 				   struct cfg80211_wowlan_tcp *tcp)
14580 {
14581 	struct nlattr *nl_tcp;
14582 
14583 	if (!tcp)
14584 		return 0;
14585 
14586 	nl_tcp = nla_nest_start_noflag(msg,
14587 				       NL80211_WOWLAN_TRIG_TCP_CONNECTION);
14588 	if (!nl_tcp)
14589 		return -ENOBUFS;
14590 
14591 	if (nla_put_in_addr(msg, NL80211_WOWLAN_TCP_SRC_IPV4, tcp->src) ||
14592 	    nla_put_in_addr(msg, NL80211_WOWLAN_TCP_DST_IPV4, tcp->dst) ||
14593 	    nla_put(msg, NL80211_WOWLAN_TCP_DST_MAC, ETH_ALEN, tcp->dst_mac) ||
14594 	    nla_put_u16(msg, NL80211_WOWLAN_TCP_SRC_PORT, tcp->src_port) ||
14595 	    nla_put_u16(msg, NL80211_WOWLAN_TCP_DST_PORT, tcp->dst_port) ||
14596 	    nla_put(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD,
14597 		    tcp->payload_len, tcp->payload) ||
14598 	    nla_put_u32(msg, NL80211_WOWLAN_TCP_DATA_INTERVAL,
14599 			tcp->data_interval) ||
14600 	    nla_put(msg, NL80211_WOWLAN_TCP_WAKE_PAYLOAD,
14601 		    tcp->wake_len, tcp->wake_data) ||
14602 	    nla_put(msg, NL80211_WOWLAN_TCP_WAKE_MASK,
14603 		    DIV_ROUND_UP(tcp->wake_len, 8), tcp->wake_mask))
14604 		return -ENOBUFS;
14605 
14606 	if (tcp->payload_seq.len &&
14607 	    nla_put(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ,
14608 		    sizeof(tcp->payload_seq), &tcp->payload_seq))
14609 		return -ENOBUFS;
14610 
14611 	if (tcp->payload_tok.len &&
14612 	    nla_put(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN,
14613 		    sizeof(tcp->payload_tok) + tcp->tokens_size,
14614 		    &tcp->payload_tok))
14615 		return -ENOBUFS;
14616 
14617 	nla_nest_end(msg, nl_tcp);
14618 
14619 	return 0;
14620 }
14621 
14622 static int nl80211_send_wowlan_nd(struct sk_buff *msg,
14623 				  struct cfg80211_sched_scan_request *req)
14624 {
14625 	struct nlattr *nd, *freqs, *matches, *match, *scan_plans, *scan_plan;
14626 	int i;
14627 
14628 	if (!req)
14629 		return 0;
14630 
14631 	nd = nla_nest_start_noflag(msg, NL80211_WOWLAN_TRIG_NET_DETECT);
14632 	if (!nd)
14633 		return -ENOBUFS;
14634 
14635 	if (req->n_scan_plans == 1 &&
14636 	    nla_put_u32(msg, NL80211_ATTR_SCHED_SCAN_INTERVAL,
14637 			req->scan_plans[0].interval * 1000))
14638 		return -ENOBUFS;
14639 
14640 	if (nla_put_u32(msg, NL80211_ATTR_SCHED_SCAN_DELAY, req->delay))
14641 		return -ENOBUFS;
14642 
14643 	if (req->relative_rssi_set) {
14644 		struct nl80211_bss_select_rssi_adjust rssi_adjust;
14645 
14646 		if (nla_put_s8(msg, NL80211_ATTR_SCHED_SCAN_RELATIVE_RSSI,
14647 			       req->relative_rssi))
14648 			return -ENOBUFS;
14649 
14650 		rssi_adjust.band = req->rssi_adjust.band;
14651 		rssi_adjust.delta = req->rssi_adjust.delta;
14652 		if (nla_put(msg, NL80211_ATTR_SCHED_SCAN_RSSI_ADJUST,
14653 			    sizeof(rssi_adjust), &rssi_adjust))
14654 			return -ENOBUFS;
14655 	}
14656 
14657 	freqs = nla_nest_start_noflag(msg, NL80211_ATTR_SCAN_FREQUENCIES);
14658 	if (!freqs)
14659 		return -ENOBUFS;
14660 
14661 	for (i = 0; i < req->n_channels; i++) {
14662 		if (nla_put_u32(msg, i, req->channels[i]->center_freq))
14663 			return -ENOBUFS;
14664 	}
14665 
14666 	nla_nest_end(msg, freqs);
14667 
14668 	if (req->n_match_sets) {
14669 		matches = nla_nest_start_noflag(msg,
14670 						NL80211_ATTR_SCHED_SCAN_MATCH);
14671 		if (!matches)
14672 			return -ENOBUFS;
14673 
14674 		for (i = 0; i < req->n_match_sets; i++) {
14675 			match = nla_nest_start_noflag(msg, i);
14676 			if (!match)
14677 				return -ENOBUFS;
14678 
14679 			if (nla_put(msg, NL80211_SCHED_SCAN_MATCH_ATTR_SSID,
14680 				    req->match_sets[i].ssid.ssid_len,
14681 				    req->match_sets[i].ssid.ssid))
14682 				return -ENOBUFS;
14683 			nla_nest_end(msg, match);
14684 		}
14685 		nla_nest_end(msg, matches);
14686 	}
14687 
14688 	scan_plans = nla_nest_start_noflag(msg, NL80211_ATTR_SCHED_SCAN_PLANS);
14689 	if (!scan_plans)
14690 		return -ENOBUFS;
14691 
14692 	for (i = 0; i < req->n_scan_plans; i++) {
14693 		scan_plan = nla_nest_start_noflag(msg, i + 1);
14694 		if (!scan_plan)
14695 			return -ENOBUFS;
14696 
14697 		if (nla_put_u32(msg, NL80211_SCHED_SCAN_PLAN_INTERVAL,
14698 				req->scan_plans[i].interval) ||
14699 		    (req->scan_plans[i].iterations &&
14700 		     nla_put_u32(msg, NL80211_SCHED_SCAN_PLAN_ITERATIONS,
14701 				 req->scan_plans[i].iterations)))
14702 			return -ENOBUFS;
14703 		nla_nest_end(msg, scan_plan);
14704 	}
14705 	nla_nest_end(msg, scan_plans);
14706 
14707 	nla_nest_end(msg, nd);
14708 
14709 	return 0;
14710 }
14711 
14712 static int nl80211_get_wowlan(struct sk_buff *skb, struct genl_info *info)
14713 {
14714 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14715 	struct sk_buff *msg;
14716 	void *hdr;
14717 	u32 size = NLMSG_DEFAULT_SIZE;
14718 
14719 	if (!rdev->wiphy.wowlan)
14720 		return -EOPNOTSUPP;
14721 
14722 	if (rdev->wiphy.wowlan_config && rdev->wiphy.wowlan_config->tcp) {
14723 		/* adjust size to have room for all the data */
14724 		size += rdev->wiphy.wowlan_config->tcp->tokens_size +
14725 			rdev->wiphy.wowlan_config->tcp->payload_len +
14726 			rdev->wiphy.wowlan_config->tcp->wake_len +
14727 			rdev->wiphy.wowlan_config->tcp->wake_len / 8;
14728 	}
14729 
14730 	msg = nlmsg_new(size, GFP_KERNEL);
14731 	if (!msg)
14732 		return -ENOMEM;
14733 
14734 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
14735 			     NL80211_CMD_GET_WOWLAN);
14736 	if (!hdr)
14737 		goto nla_put_failure;
14738 
14739 	if (rdev->wiphy.wowlan_config) {
14740 		struct nlattr *nl_wowlan;
14741 
14742 		nl_wowlan = nla_nest_start_noflag(msg,
14743 						  NL80211_ATTR_WOWLAN_TRIGGERS);
14744 		if (!nl_wowlan)
14745 			goto nla_put_failure;
14746 
14747 		if ((rdev->wiphy.wowlan_config->any &&
14748 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_ANY)) ||
14749 		    (rdev->wiphy.wowlan_config->disconnect &&
14750 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_DISCONNECT)) ||
14751 		    (rdev->wiphy.wowlan_config->magic_pkt &&
14752 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_MAGIC_PKT)) ||
14753 		    (rdev->wiphy.wowlan_config->gtk_rekey_failure &&
14754 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE)) ||
14755 		    (rdev->wiphy.wowlan_config->eap_identity_req &&
14756 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST)) ||
14757 		    (rdev->wiphy.wowlan_config->four_way_handshake &&
14758 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE)) ||
14759 		    (rdev->wiphy.wowlan_config->rfkill_release &&
14760 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_RFKILL_RELEASE)))
14761 			goto nla_put_failure;
14762 
14763 		if (nl80211_send_wowlan_patterns(msg, rdev))
14764 			goto nla_put_failure;
14765 
14766 		if (nl80211_send_wowlan_tcp(msg,
14767 					    rdev->wiphy.wowlan_config->tcp))
14768 			goto nla_put_failure;
14769 
14770 		if (nl80211_send_wowlan_nd(
14771 			    msg,
14772 			    rdev->wiphy.wowlan_config->nd_config))
14773 			goto nla_put_failure;
14774 
14775 		nla_nest_end(msg, nl_wowlan);
14776 	}
14777 
14778 	genlmsg_end(msg, hdr);
14779 	return genlmsg_reply(msg, info);
14780 
14781 nla_put_failure:
14782 	nlmsg_free(msg);
14783 	return -ENOBUFS;
14784 }
14785 
14786 static int nl80211_parse_wowlan_tcp(struct cfg80211_registered_device *rdev,
14787 				    struct nlattr *attr,
14788 				    struct cfg80211_wowlan *trig)
14789 {
14790 	struct nlattr *tb[NUM_NL80211_WOWLAN_TCP];
14791 	struct cfg80211_wowlan_tcp *cfg;
14792 	struct nl80211_wowlan_tcp_data_token *tok = NULL;
14793 	struct nl80211_wowlan_tcp_data_seq *seq = NULL;
14794 	u32 size;
14795 	u32 data_size, wake_size, tokens_size = 0, wake_mask_size;
14796 	int err, port;
14797 
14798 	if (!rdev->wiphy.wowlan->tcp)
14799 		return -EINVAL;
14800 
14801 	err = nla_parse_nested_deprecated(tb, MAX_NL80211_WOWLAN_TCP, attr,
14802 					  nl80211_wowlan_tcp_policy, NULL);
14803 	if (err)
14804 		return err;
14805 
14806 	if (!tb[NL80211_WOWLAN_TCP_SRC_IPV4] ||
14807 	    !tb[NL80211_WOWLAN_TCP_DST_IPV4] ||
14808 	    !tb[NL80211_WOWLAN_TCP_DST_MAC] ||
14809 	    !tb[NL80211_WOWLAN_TCP_DST_PORT] ||
14810 	    !tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD] ||
14811 	    !tb[NL80211_WOWLAN_TCP_DATA_INTERVAL] ||
14812 	    !tb[NL80211_WOWLAN_TCP_WAKE_PAYLOAD] ||
14813 	    !tb[NL80211_WOWLAN_TCP_WAKE_MASK])
14814 		return -EINVAL;
14815 
14816 	data_size = nla_len(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD]);
14817 	if (data_size > rdev->wiphy.wowlan->tcp->data_payload_max)
14818 		return -EINVAL;
14819 
14820 	if (nla_get_u32(tb[NL80211_WOWLAN_TCP_DATA_INTERVAL]) >
14821 			rdev->wiphy.wowlan->tcp->data_interval_max ||
14822 	    nla_get_u32(tb[NL80211_WOWLAN_TCP_DATA_INTERVAL]) == 0)
14823 		return -EINVAL;
14824 
14825 	wake_size = nla_len(tb[NL80211_WOWLAN_TCP_WAKE_PAYLOAD]);
14826 	if (wake_size > rdev->wiphy.wowlan->tcp->wake_payload_max)
14827 		return -EINVAL;
14828 
14829 	wake_mask_size = nla_len(tb[NL80211_WOWLAN_TCP_WAKE_MASK]);
14830 	if (wake_mask_size != DIV_ROUND_UP(wake_size, 8))
14831 		return -EINVAL;
14832 
14833 	if (tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN]) {
14834 		u32 tokln = nla_len(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN]);
14835 
14836 		tok = nla_data(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN]);
14837 		tokens_size = tokln - sizeof(*tok);
14838 
14839 		if (!tok->len || tokens_size % tok->len)
14840 			return -EINVAL;
14841 		if (!rdev->wiphy.wowlan->tcp->tok)
14842 			return -EINVAL;
14843 		if (tok->len > rdev->wiphy.wowlan->tcp->tok->max_len)
14844 			return -EINVAL;
14845 		if (tok->len < rdev->wiphy.wowlan->tcp->tok->min_len)
14846 			return -EINVAL;
14847 		if (tokens_size > rdev->wiphy.wowlan->tcp->tok->bufsize)
14848 			return -EINVAL;
14849 		if (tok->offset + tok->len > data_size)
14850 			return -EINVAL;
14851 	}
14852 
14853 	if (tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ]) {
14854 		seq = nla_data(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ]);
14855 		if (!rdev->wiphy.wowlan->tcp->seq)
14856 			return -EINVAL;
14857 		if (seq->len == 0 || seq->len > 4)
14858 			return -EINVAL;
14859 		if (seq->len + seq->offset > data_size)
14860 			return -EINVAL;
14861 	}
14862 
14863 	size = sizeof(*cfg);
14864 	size += data_size;
14865 	size += wake_size + wake_mask_size;
14866 	size += tokens_size;
14867 
14868 	cfg = kzalloc(size, GFP_KERNEL);
14869 	if (!cfg)
14870 		return -ENOMEM;
14871 	cfg->src = nla_get_in_addr(tb[NL80211_WOWLAN_TCP_SRC_IPV4]);
14872 	cfg->dst = nla_get_in_addr(tb[NL80211_WOWLAN_TCP_DST_IPV4]);
14873 	memcpy(cfg->dst_mac, nla_data(tb[NL80211_WOWLAN_TCP_DST_MAC]),
14874 	       ETH_ALEN);
14875 	port = nla_get_u16_default(tb[NL80211_WOWLAN_TCP_SRC_PORT], 0);
14876 #ifdef CONFIG_INET
14877 	/* allocate a socket and port for it and use it */
14878 	err = __sock_create(wiphy_net(&rdev->wiphy), PF_INET, SOCK_STREAM,
14879 			    IPPROTO_TCP, &cfg->sock, 1);
14880 	if (err) {
14881 		kfree(cfg);
14882 		return err;
14883 	}
14884 	if (inet_csk_get_port(cfg->sock->sk, port)) {
14885 		sock_release(cfg->sock);
14886 		kfree(cfg);
14887 		return -EADDRINUSE;
14888 	}
14889 	cfg->src_port = inet_sk(cfg->sock->sk)->inet_num;
14890 #else
14891 	if (!port) {
14892 		kfree(cfg);
14893 		return -EINVAL;
14894 	}
14895 	cfg->src_port = port;
14896 #endif
14897 
14898 	cfg->dst_port = nla_get_u16(tb[NL80211_WOWLAN_TCP_DST_PORT]);
14899 	cfg->payload_len = data_size;
14900 	cfg->payload = (u8 *)cfg + sizeof(*cfg) + tokens_size;
14901 	memcpy((void *)cfg->payload,
14902 	       nla_data(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD]),
14903 	       data_size);
14904 	if (seq)
14905 		cfg->payload_seq = *seq;
14906 	cfg->data_interval = nla_get_u32(tb[NL80211_WOWLAN_TCP_DATA_INTERVAL]);
14907 	cfg->wake_len = wake_size;
14908 	cfg->wake_data = (u8 *)cfg + sizeof(*cfg) + tokens_size + data_size;
14909 	memcpy((void *)cfg->wake_data,
14910 	       nla_data(tb[NL80211_WOWLAN_TCP_WAKE_PAYLOAD]),
14911 	       wake_size);
14912 	cfg->wake_mask = (u8 *)cfg + sizeof(*cfg) + tokens_size +
14913 			 data_size + wake_size;
14914 	memcpy((void *)cfg->wake_mask,
14915 	       nla_data(tb[NL80211_WOWLAN_TCP_WAKE_MASK]),
14916 	       wake_mask_size);
14917 	if (tok) {
14918 		cfg->tokens_size = tokens_size;
14919 		cfg->payload_tok = *tok;
14920 		memcpy(cfg->payload_tok.token_stream, tok->token_stream,
14921 		       tokens_size);
14922 	}
14923 
14924 	trig->tcp = cfg;
14925 
14926 	return 0;
14927 }
14928 
14929 static int nl80211_parse_wowlan_nd(struct cfg80211_registered_device *rdev,
14930 				   const struct wiphy_wowlan_support *wowlan,
14931 				   struct nlattr *attr,
14932 				   struct cfg80211_wowlan *trig)
14933 {
14934 	struct nlattr **tb;
14935 	int err;
14936 
14937 	tb = kzalloc_objs(*tb, NUM_NL80211_ATTR);
14938 	if (!tb)
14939 		return -ENOMEM;
14940 
14941 	if (!(wowlan->flags & WIPHY_WOWLAN_NET_DETECT)) {
14942 		err = -EOPNOTSUPP;
14943 		goto out;
14944 	}
14945 
14946 	err = nla_parse_nested_deprecated(tb, NL80211_ATTR_MAX, attr,
14947 					  nl80211_policy, NULL);
14948 	if (err)
14949 		goto out;
14950 
14951 	trig->nd_config = nl80211_parse_sched_scan(&rdev->wiphy, NULL, tb,
14952 						   wowlan->max_nd_match_sets);
14953 	err = PTR_ERR_OR_ZERO(trig->nd_config);
14954 	if (err)
14955 		trig->nd_config = NULL;
14956 
14957 out:
14958 	kfree(tb);
14959 	return err;
14960 }
14961 
14962 static int nl80211_set_wowlan(struct sk_buff *skb, struct genl_info *info)
14963 {
14964 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14965 	struct nlattr *tb[NUM_NL80211_WOWLAN_TRIG];
14966 	struct cfg80211_wowlan new_triggers = {};
14967 	struct cfg80211_wowlan *ntrig;
14968 	const struct wiphy_wowlan_support *wowlan = rdev->wiphy.wowlan;
14969 	int err, i;
14970 	bool prev_enabled = rdev->wiphy.wowlan_config;
14971 	bool regular = false;
14972 
14973 	if (!wowlan)
14974 		return -EOPNOTSUPP;
14975 
14976 	if (!info->attrs[NL80211_ATTR_WOWLAN_TRIGGERS]) {
14977 		cfg80211_rdev_free_wowlan(rdev);
14978 		rdev->wiphy.wowlan_config = NULL;
14979 		goto set_wakeup;
14980 	}
14981 
14982 	err = nla_parse_nested_deprecated(tb, MAX_NL80211_WOWLAN_TRIG,
14983 					  info->attrs[NL80211_ATTR_WOWLAN_TRIGGERS],
14984 					  nl80211_wowlan_policy, info->extack);
14985 	if (err)
14986 		return err;
14987 
14988 	if (tb[NL80211_WOWLAN_TRIG_ANY]) {
14989 		if (!(wowlan->flags & WIPHY_WOWLAN_ANY))
14990 			return -EINVAL;
14991 		new_triggers.any = true;
14992 	}
14993 
14994 	if (tb[NL80211_WOWLAN_TRIG_DISCONNECT]) {
14995 		if (!(wowlan->flags & WIPHY_WOWLAN_DISCONNECT))
14996 			return -EINVAL;
14997 		new_triggers.disconnect = true;
14998 		regular = true;
14999 	}
15000 
15001 	if (tb[NL80211_WOWLAN_TRIG_MAGIC_PKT]) {
15002 		if (!(wowlan->flags & WIPHY_WOWLAN_MAGIC_PKT))
15003 			return -EINVAL;
15004 		new_triggers.magic_pkt = true;
15005 		regular = true;
15006 	}
15007 
15008 	if (tb[NL80211_WOWLAN_TRIG_GTK_REKEY_SUPPORTED])
15009 		return -EINVAL;
15010 
15011 	if (tb[NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE]) {
15012 		if (!(wowlan->flags & WIPHY_WOWLAN_GTK_REKEY_FAILURE))
15013 			return -EINVAL;
15014 		new_triggers.gtk_rekey_failure = true;
15015 		regular = true;
15016 	}
15017 
15018 	if (tb[NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST]) {
15019 		if (!(wowlan->flags & WIPHY_WOWLAN_EAP_IDENTITY_REQ))
15020 			return -EINVAL;
15021 		new_triggers.eap_identity_req = true;
15022 		regular = true;
15023 	}
15024 
15025 	if (tb[NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE]) {
15026 		if (!(wowlan->flags & WIPHY_WOWLAN_4WAY_HANDSHAKE))
15027 			return -EINVAL;
15028 		new_triggers.four_way_handshake = true;
15029 		regular = true;
15030 	}
15031 
15032 	if (tb[NL80211_WOWLAN_TRIG_RFKILL_RELEASE]) {
15033 		if (!(wowlan->flags & WIPHY_WOWLAN_RFKILL_RELEASE))
15034 			return -EINVAL;
15035 		new_triggers.rfkill_release = true;
15036 		regular = true;
15037 	}
15038 
15039 	if (tb[NL80211_WOWLAN_TRIG_PKT_PATTERN]) {
15040 		struct nlattr *pat;
15041 		int n_patterns = 0;
15042 		int rem, pat_len, mask_len, pkt_offset;
15043 		struct nlattr *pat_tb[NUM_NL80211_PKTPAT];
15044 
15045 		regular = true;
15046 
15047 		nla_for_each_nested(pat, tb[NL80211_WOWLAN_TRIG_PKT_PATTERN],
15048 				    rem)
15049 			n_patterns++;
15050 		if (n_patterns > wowlan->n_patterns)
15051 			return -EINVAL;
15052 
15053 		new_triggers.patterns = kzalloc_objs(new_triggers.patterns[0],
15054 						     n_patterns);
15055 		if (!new_triggers.patterns)
15056 			return -ENOMEM;
15057 
15058 		new_triggers.n_patterns = n_patterns;
15059 		i = 0;
15060 
15061 		nla_for_each_nested(pat, tb[NL80211_WOWLAN_TRIG_PKT_PATTERN],
15062 				    rem) {
15063 			u8 *mask_pat;
15064 
15065 			err = nla_parse_nested_deprecated(pat_tb,
15066 							  MAX_NL80211_PKTPAT,
15067 							  pat,
15068 							  nl80211_packet_pattern_policy,
15069 							  info->extack);
15070 			if (err)
15071 				goto error;
15072 
15073 			err = -EINVAL;
15074 			if (!pat_tb[NL80211_PKTPAT_MASK] ||
15075 			    !pat_tb[NL80211_PKTPAT_PATTERN])
15076 				goto error;
15077 			pat_len = nla_len(pat_tb[NL80211_PKTPAT_PATTERN]);
15078 			mask_len = DIV_ROUND_UP(pat_len, 8);
15079 			if (nla_len(pat_tb[NL80211_PKTPAT_MASK]) != mask_len)
15080 				goto error;
15081 			if (pat_len > wowlan->pattern_max_len ||
15082 			    pat_len < wowlan->pattern_min_len)
15083 				goto error;
15084 
15085 			pkt_offset =
15086 				nla_get_u32_default(pat_tb[NL80211_PKTPAT_OFFSET],
15087 						    0);
15088 			if (pkt_offset > wowlan->max_pkt_offset)
15089 				goto error;
15090 			new_triggers.patterns[i].pkt_offset = pkt_offset;
15091 
15092 			mask_pat = kmalloc(mask_len + pat_len, GFP_KERNEL);
15093 			if (!mask_pat) {
15094 				err = -ENOMEM;
15095 				goto error;
15096 			}
15097 			new_triggers.patterns[i].mask = mask_pat;
15098 			memcpy(mask_pat, nla_data(pat_tb[NL80211_PKTPAT_MASK]),
15099 			       mask_len);
15100 			mask_pat += mask_len;
15101 			new_triggers.patterns[i].pattern = mask_pat;
15102 			new_triggers.patterns[i].pattern_len = pat_len;
15103 			memcpy(mask_pat,
15104 			       nla_data(pat_tb[NL80211_PKTPAT_PATTERN]),
15105 			       pat_len);
15106 			i++;
15107 		}
15108 	}
15109 
15110 	if (tb[NL80211_WOWLAN_TRIG_TCP_CONNECTION]) {
15111 		regular = true;
15112 		err = nl80211_parse_wowlan_tcp(
15113 			rdev, tb[NL80211_WOWLAN_TRIG_TCP_CONNECTION],
15114 			&new_triggers);
15115 		if (err)
15116 			goto error;
15117 	}
15118 
15119 	if (tb[NL80211_WOWLAN_TRIG_NET_DETECT]) {
15120 		regular = true;
15121 		err = nl80211_parse_wowlan_nd(
15122 			rdev, wowlan, tb[NL80211_WOWLAN_TRIG_NET_DETECT],
15123 			&new_triggers);
15124 		if (err)
15125 			goto error;
15126 	}
15127 
15128 	/* The 'any' trigger means the device continues operating more or less
15129 	 * as in its normal operation mode and wakes up the host on most of the
15130 	 * normal interrupts (like packet RX, ...)
15131 	 * It therefore makes little sense to combine with the more constrained
15132 	 * wakeup trigger modes.
15133 	 */
15134 	if (new_triggers.any && regular) {
15135 		err = -EINVAL;
15136 		goto error;
15137 	}
15138 
15139 	ntrig = kmemdup(&new_triggers, sizeof(new_triggers), GFP_KERNEL);
15140 	if (!ntrig) {
15141 		err = -ENOMEM;
15142 		goto error;
15143 	}
15144 	cfg80211_rdev_free_wowlan(rdev);
15145 	rdev->wiphy.wowlan_config = ntrig;
15146 
15147  set_wakeup:
15148 	if (rdev->ops->set_wakeup &&
15149 	    prev_enabled != !!rdev->wiphy.wowlan_config)
15150 		rdev_set_wakeup(rdev, rdev->wiphy.wowlan_config);
15151 
15152 	return 0;
15153  error:
15154 	for (i = 0; i < new_triggers.n_patterns; i++)
15155 		kfree(new_triggers.patterns[i].mask);
15156 	kfree(new_triggers.patterns);
15157 	if (new_triggers.tcp && new_triggers.tcp->sock)
15158 		sock_release(new_triggers.tcp->sock);
15159 	kfree(new_triggers.tcp);
15160 	kfree(new_triggers.nd_config);
15161 	return err;
15162 }
15163 #endif
15164 
15165 static int nl80211_send_coalesce_rules(struct sk_buff *msg,
15166 				       struct cfg80211_registered_device *rdev)
15167 {
15168 	struct nlattr *nl_pats, *nl_pat, *nl_rule, *nl_rules;
15169 	int i, j, pat_len;
15170 	struct cfg80211_coalesce_rules *rule;
15171 
15172 	if (!rdev->coalesce->n_rules)
15173 		return 0;
15174 
15175 	nl_rules = nla_nest_start_noflag(msg, NL80211_ATTR_COALESCE_RULE);
15176 	if (!nl_rules)
15177 		return -ENOBUFS;
15178 
15179 	for (i = 0; i < rdev->coalesce->n_rules; i++) {
15180 		nl_rule = nla_nest_start_noflag(msg, i + 1);
15181 		if (!nl_rule)
15182 			return -ENOBUFS;
15183 
15184 		rule = &rdev->coalesce->rules[i];
15185 		if (nla_put_u32(msg, NL80211_ATTR_COALESCE_RULE_DELAY,
15186 				rule->delay))
15187 			return -ENOBUFS;
15188 
15189 		if (nla_put_u32(msg, NL80211_ATTR_COALESCE_RULE_CONDITION,
15190 				rule->condition))
15191 			return -ENOBUFS;
15192 
15193 		nl_pats = nla_nest_start_noflag(msg,
15194 						NL80211_ATTR_COALESCE_RULE_PKT_PATTERN);
15195 		if (!nl_pats)
15196 			return -ENOBUFS;
15197 
15198 		for (j = 0; j < rule->n_patterns; j++) {
15199 			nl_pat = nla_nest_start_noflag(msg, j + 1);
15200 			if (!nl_pat)
15201 				return -ENOBUFS;
15202 			pat_len = rule->patterns[j].pattern_len;
15203 			if (nla_put(msg, NL80211_PKTPAT_MASK,
15204 				    DIV_ROUND_UP(pat_len, 8),
15205 				    rule->patterns[j].mask) ||
15206 			    nla_put(msg, NL80211_PKTPAT_PATTERN, pat_len,
15207 				    rule->patterns[j].pattern) ||
15208 			    nla_put_u32(msg, NL80211_PKTPAT_OFFSET,
15209 					rule->patterns[j].pkt_offset))
15210 				return -ENOBUFS;
15211 			nla_nest_end(msg, nl_pat);
15212 		}
15213 		nla_nest_end(msg, nl_pats);
15214 		nla_nest_end(msg, nl_rule);
15215 	}
15216 	nla_nest_end(msg, nl_rules);
15217 
15218 	return 0;
15219 }
15220 
15221 static int nl80211_get_coalesce(struct sk_buff *skb, struct genl_info *info)
15222 {
15223 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15224 	struct sk_buff *msg;
15225 	void *hdr;
15226 
15227 	if (!rdev->wiphy.coalesce)
15228 		return -EOPNOTSUPP;
15229 
15230 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
15231 	if (!msg)
15232 		return -ENOMEM;
15233 
15234 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
15235 			     NL80211_CMD_GET_COALESCE);
15236 	if (!hdr)
15237 		goto nla_put_failure;
15238 
15239 	if (rdev->coalesce && nl80211_send_coalesce_rules(msg, rdev))
15240 		goto nla_put_failure;
15241 
15242 	genlmsg_end(msg, hdr);
15243 	return genlmsg_reply(msg, info);
15244 
15245 nla_put_failure:
15246 	nlmsg_free(msg);
15247 	return -ENOBUFS;
15248 }
15249 
15250 void cfg80211_free_coalesce(struct cfg80211_coalesce *coalesce)
15251 {
15252 	int i, j;
15253 	struct cfg80211_coalesce_rules *rule;
15254 
15255 	if (!coalesce)
15256 		return;
15257 
15258 	for (i = 0; i < coalesce->n_rules; i++) {
15259 		rule = &coalesce->rules[i];
15260 		for (j = 0; j < rule->n_patterns; j++)
15261 			kfree(rule->patterns[j].mask);
15262 		kfree(rule->patterns);
15263 	}
15264 	kfree(coalesce);
15265 }
15266 
15267 static int nl80211_parse_coalesce_rule(struct cfg80211_registered_device *rdev,
15268 				       struct nlattr *rule,
15269 				       struct cfg80211_coalesce_rules *new_rule)
15270 {
15271 	int err, i;
15272 	const struct wiphy_coalesce_support *coalesce = rdev->wiphy.coalesce;
15273 	struct nlattr *tb[NUM_NL80211_ATTR_COALESCE_RULE], *pat;
15274 	int rem, pat_len, mask_len, pkt_offset, n_patterns = 0;
15275 	struct nlattr *pat_tb[NUM_NL80211_PKTPAT];
15276 
15277 	err = nla_parse_nested_deprecated(tb, NL80211_ATTR_COALESCE_RULE_MAX,
15278 					  rule, nl80211_coalesce_policy, NULL);
15279 	if (err)
15280 		return err;
15281 
15282 	if (tb[NL80211_ATTR_COALESCE_RULE_DELAY])
15283 		new_rule->delay =
15284 			nla_get_u32(tb[NL80211_ATTR_COALESCE_RULE_DELAY]);
15285 	if (new_rule->delay > coalesce->max_delay)
15286 		return -EINVAL;
15287 
15288 	if (tb[NL80211_ATTR_COALESCE_RULE_CONDITION])
15289 		new_rule->condition =
15290 			nla_get_u32(tb[NL80211_ATTR_COALESCE_RULE_CONDITION]);
15291 
15292 	if (!tb[NL80211_ATTR_COALESCE_RULE_PKT_PATTERN])
15293 		return -EINVAL;
15294 
15295 	nla_for_each_nested(pat, tb[NL80211_ATTR_COALESCE_RULE_PKT_PATTERN],
15296 			    rem)
15297 		n_patterns++;
15298 	if (n_patterns > coalesce->n_patterns)
15299 		return -EINVAL;
15300 
15301 	new_rule->patterns = kzalloc_objs(new_rule->patterns[0], n_patterns);
15302 	if (!new_rule->patterns)
15303 		return -ENOMEM;
15304 
15305 	new_rule->n_patterns = n_patterns;
15306 	i = 0;
15307 
15308 	nla_for_each_nested(pat, tb[NL80211_ATTR_COALESCE_RULE_PKT_PATTERN],
15309 			    rem) {
15310 		u8 *mask_pat;
15311 
15312 		err = nla_parse_nested_deprecated(pat_tb, MAX_NL80211_PKTPAT,
15313 						  pat,
15314 						  nl80211_packet_pattern_policy,
15315 						  NULL);
15316 		if (err)
15317 			return err;
15318 
15319 		if (!pat_tb[NL80211_PKTPAT_MASK] ||
15320 		    !pat_tb[NL80211_PKTPAT_PATTERN])
15321 			return -EINVAL;
15322 		pat_len = nla_len(pat_tb[NL80211_PKTPAT_PATTERN]);
15323 		mask_len = DIV_ROUND_UP(pat_len, 8);
15324 		if (nla_len(pat_tb[NL80211_PKTPAT_MASK]) != mask_len)
15325 			return -EINVAL;
15326 		if (pat_len > coalesce->pattern_max_len ||
15327 		    pat_len < coalesce->pattern_min_len)
15328 			return -EINVAL;
15329 
15330 		pkt_offset = nla_get_u32_default(pat_tb[NL80211_PKTPAT_OFFSET],
15331 						 0);
15332 		if (pkt_offset > coalesce->max_pkt_offset)
15333 			return -EINVAL;
15334 		new_rule->patterns[i].pkt_offset = pkt_offset;
15335 
15336 		mask_pat = kmalloc(mask_len + pat_len, GFP_KERNEL);
15337 		if (!mask_pat)
15338 			return -ENOMEM;
15339 
15340 		new_rule->patterns[i].mask = mask_pat;
15341 		memcpy(mask_pat, nla_data(pat_tb[NL80211_PKTPAT_MASK]),
15342 		       mask_len);
15343 
15344 		mask_pat += mask_len;
15345 		new_rule->patterns[i].pattern = mask_pat;
15346 		new_rule->patterns[i].pattern_len = pat_len;
15347 		memcpy(mask_pat, nla_data(pat_tb[NL80211_PKTPAT_PATTERN]),
15348 		       pat_len);
15349 		i++;
15350 	}
15351 
15352 	return 0;
15353 }
15354 
15355 static int nl80211_set_coalesce(struct sk_buff *skb, struct genl_info *info)
15356 {
15357 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15358 	const struct wiphy_coalesce_support *coalesce = rdev->wiphy.coalesce;
15359 	struct cfg80211_coalesce *new_coalesce;
15360 	int err, rem_rule, n_rules = 0, i;
15361 	struct nlattr *rule;
15362 
15363 	if (!rdev->wiphy.coalesce || !rdev->ops->set_coalesce)
15364 		return -EOPNOTSUPP;
15365 
15366 	if (!info->attrs[NL80211_ATTR_COALESCE_RULE]) {
15367 		cfg80211_free_coalesce(rdev->coalesce);
15368 		rdev->coalesce = NULL;
15369 		rdev_set_coalesce(rdev, NULL);
15370 		return 0;
15371 	}
15372 
15373 	nla_for_each_nested(rule, info->attrs[NL80211_ATTR_COALESCE_RULE],
15374 			    rem_rule)
15375 		n_rules++;
15376 	if (n_rules > coalesce->n_rules)
15377 		return -EINVAL;
15378 
15379 	new_coalesce = kzalloc_flex(*new_coalesce, rules, n_rules);
15380 	if (!new_coalesce)
15381 		return -ENOMEM;
15382 
15383 	new_coalesce->n_rules = n_rules;
15384 	i = 0;
15385 
15386 	nla_for_each_nested(rule, info->attrs[NL80211_ATTR_COALESCE_RULE],
15387 			    rem_rule) {
15388 		err = nl80211_parse_coalesce_rule(rdev, rule,
15389 						  &new_coalesce->rules[i]);
15390 		if (err)
15391 			goto error;
15392 
15393 		i++;
15394 	}
15395 
15396 	err = rdev_set_coalesce(rdev, new_coalesce);
15397 	if (err)
15398 		goto error;
15399 
15400 	cfg80211_free_coalesce(rdev->coalesce);
15401 	rdev->coalesce = new_coalesce;
15402 
15403 	return 0;
15404 error:
15405 	cfg80211_free_coalesce(new_coalesce);
15406 
15407 	return err;
15408 }
15409 
15410 static int nl80211_set_rekey_data(struct sk_buff *skb, struct genl_info *info)
15411 {
15412 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15413 	struct net_device *dev = info->user_ptr[1];
15414 	struct wireless_dev *wdev = dev->ieee80211_ptr;
15415 	struct nlattr *tb[NUM_NL80211_REKEY_DATA];
15416 	struct cfg80211_gtk_rekey_data rekey_data = {};
15417 	int err;
15418 
15419 	if (!info->attrs[NL80211_ATTR_REKEY_DATA])
15420 		return -EINVAL;
15421 
15422 	err = nla_parse_nested_deprecated(tb, MAX_NL80211_REKEY_DATA,
15423 					  info->attrs[NL80211_ATTR_REKEY_DATA],
15424 					  nl80211_rekey_policy, info->extack);
15425 	if (err)
15426 		return err;
15427 
15428 	if (!tb[NL80211_REKEY_DATA_REPLAY_CTR] || !tb[NL80211_REKEY_DATA_KEK] ||
15429 	    !tb[NL80211_REKEY_DATA_KCK])
15430 		return -EINVAL;
15431 	if (nla_len(tb[NL80211_REKEY_DATA_KEK]) != NL80211_KEK_LEN &&
15432 	    !(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_EXT_KEK_KCK &&
15433 	      nla_len(tb[NL80211_REKEY_DATA_KEK]) == NL80211_KEK_EXT_LEN))
15434 		return -ERANGE;
15435 	if (nla_len(tb[NL80211_REKEY_DATA_KCK]) != NL80211_KCK_LEN &&
15436 	    !(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_EXT_KEK_KCK &&
15437 	      nla_len(tb[NL80211_REKEY_DATA_KCK]) == NL80211_KCK_EXT_LEN) &&
15438 	     !(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_EXT_KCK_32 &&
15439 	       nla_len(tb[NL80211_REKEY_DATA_KCK]) == NL80211_KCK_EXT_LEN_32))
15440 		return -ERANGE;
15441 
15442 	rekey_data.kek = nla_data(tb[NL80211_REKEY_DATA_KEK]);
15443 	rekey_data.kck = nla_data(tb[NL80211_REKEY_DATA_KCK]);
15444 	rekey_data.replay_ctr = nla_data(tb[NL80211_REKEY_DATA_REPLAY_CTR]);
15445 	rekey_data.kek_len = nla_len(tb[NL80211_REKEY_DATA_KEK]);
15446 	rekey_data.kck_len = nla_len(tb[NL80211_REKEY_DATA_KCK]);
15447 	if (tb[NL80211_REKEY_DATA_AKM])
15448 		rekey_data.akm = nla_get_u32(tb[NL80211_REKEY_DATA_AKM]);
15449 
15450 	if (!wdev->connected)
15451 		return -ENOTCONN;
15452 
15453 	if (!rdev->ops->set_rekey_data)
15454 		return -EOPNOTSUPP;
15455 
15456 	return rdev_set_rekey_data(rdev, dev, &rekey_data);
15457 }
15458 
15459 static int nl80211_register_unexpected_frame(struct sk_buff *skb,
15460 					     struct genl_info *info)
15461 {
15462 	struct net_device *dev = info->user_ptr[1];
15463 	struct wireless_dev *wdev = dev->ieee80211_ptr;
15464 
15465 	if (wdev->iftype != NL80211_IFTYPE_AP &&
15466 	    wdev->iftype != NL80211_IFTYPE_P2P_GO)
15467 		return -EINVAL;
15468 
15469 	if (wdev->ap_unexpected_nlportid)
15470 		return -EBUSY;
15471 
15472 	wdev->ap_unexpected_nlportid = info->snd_portid;
15473 	return 0;
15474 }
15475 
15476 static int nl80211_probe_client(struct sk_buff *skb,
15477 				struct genl_info *info)
15478 {
15479 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15480 	struct net_device *dev = info->user_ptr[1];
15481 	struct wireless_dev *wdev = dev->ieee80211_ptr;
15482 	struct sk_buff *msg;
15483 	void *hdr;
15484 	const u8 *addr;
15485 	u64 cookie;
15486 	int err;
15487 
15488 	if (wdev->iftype != NL80211_IFTYPE_AP &&
15489 	    wdev->iftype != NL80211_IFTYPE_P2P_GO)
15490 		return -EOPNOTSUPP;
15491 
15492 	if (!info->attrs[NL80211_ATTR_MAC])
15493 		return -EINVAL;
15494 
15495 	if (!rdev->ops->probe_client)
15496 		return -EOPNOTSUPP;
15497 
15498 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
15499 	if (!msg)
15500 		return -ENOMEM;
15501 
15502 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
15503 			     NL80211_CMD_PROBE_CLIENT);
15504 	if (!hdr) {
15505 		err = -ENOBUFS;
15506 		goto free_msg;
15507 	}
15508 
15509 	addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
15510 
15511 	err = rdev_probe_client(rdev, dev, addr, &cookie);
15512 	if (err)
15513 		goto free_msg;
15514 
15515 	if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
15516 			      NL80211_ATTR_PAD))
15517 		goto nla_put_failure;
15518 
15519 	genlmsg_end(msg, hdr);
15520 
15521 	return genlmsg_reply(msg, info);
15522 
15523  nla_put_failure:
15524 	err = -ENOBUFS;
15525  free_msg:
15526 	nlmsg_free(msg);
15527 	return err;
15528 }
15529 
15530 static int nl80211_register_beacons(struct sk_buff *skb, struct genl_info *info)
15531 {
15532 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15533 	struct cfg80211_beacon_registration *reg, *nreg;
15534 	int rv;
15535 
15536 	if (!(rdev->wiphy.flags & WIPHY_FLAG_REPORTS_OBSS))
15537 		return -EOPNOTSUPP;
15538 
15539 	nreg = kzalloc_obj(*nreg);
15540 	if (!nreg)
15541 		return -ENOMEM;
15542 
15543 	/* First, check if already registered. */
15544 	spin_lock_bh(&rdev->beacon_registrations_lock);
15545 	list_for_each_entry(reg, &rdev->beacon_registrations, list) {
15546 		if (reg->nlportid == info->snd_portid) {
15547 			rv = -EALREADY;
15548 			goto out_err;
15549 		}
15550 	}
15551 	/* Add it to the list */
15552 	nreg->nlportid = info->snd_portid;
15553 	list_add(&nreg->list, &rdev->beacon_registrations);
15554 
15555 	spin_unlock_bh(&rdev->beacon_registrations_lock);
15556 
15557 	return 0;
15558 out_err:
15559 	spin_unlock_bh(&rdev->beacon_registrations_lock);
15560 	kfree(nreg);
15561 	return rv;
15562 }
15563 
15564 static int nl80211_start_p2p_device(struct sk_buff *skb, struct genl_info *info)
15565 {
15566 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15567 	struct wireless_dev *wdev = info->user_ptr[1];
15568 	int err;
15569 
15570 	if (!rdev->ops->start_p2p_device)
15571 		return -EOPNOTSUPP;
15572 
15573 	if (wdev->iftype != NL80211_IFTYPE_P2P_DEVICE)
15574 		return -EOPNOTSUPP;
15575 
15576 	if (wdev_running(wdev))
15577 		return 0;
15578 
15579 	if (rfkill_blocked(rdev->wiphy.rfkill))
15580 		return -ERFKILL;
15581 
15582 	err = rdev_start_p2p_device(rdev, wdev);
15583 	if (err)
15584 		return err;
15585 
15586 	wdev->is_running = true;
15587 	rdev->opencount++;
15588 
15589 	return 0;
15590 }
15591 
15592 static int nl80211_stop_p2p_device(struct sk_buff *skb, struct genl_info *info)
15593 {
15594 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15595 	struct wireless_dev *wdev = info->user_ptr[1];
15596 
15597 	if (wdev->iftype != NL80211_IFTYPE_P2P_DEVICE)
15598 		return -EOPNOTSUPP;
15599 
15600 	if (!rdev->ops->stop_p2p_device)
15601 		return -EOPNOTSUPP;
15602 
15603 	cfg80211_stop_p2p_device(rdev, wdev);
15604 
15605 	return 0;
15606 }
15607 
15608 static struct ieee80211_channel *nl80211_get_nan_channel(struct wiphy *wiphy,
15609 							 int freq)
15610 {
15611 	struct ieee80211_channel *chan;
15612 	struct cfg80211_chan_def def;
15613 
15614 	/* Check if the frequency is valid for NAN */
15615 	if (freq != 5220 && freq != 5745 && freq != 2437)
15616 		return NULL;
15617 
15618 	chan = ieee80211_get_channel(wiphy, freq);
15619 	if (!chan)
15620 		return NULL;
15621 
15622 	cfg80211_chandef_create(&def, chan, NL80211_CHAN_NO_HT);
15623 
15624 	/* Check if the channel is allowed */
15625 	if (cfg80211_reg_can_beacon(wiphy, &def, NL80211_IFTYPE_NAN))
15626 		return chan;
15627 
15628 	return NULL;
15629 }
15630 
15631 static int nl80211_parse_nan_band_config(struct wiphy *wiphy,
15632 					 struct nlattr **tb,
15633 					 struct cfg80211_nan_band_config *cfg,
15634 					 enum nl80211_band band)
15635 {
15636 	if (BIT(band) & ~(u32)wiphy->nan_supported_bands)
15637 		return -EINVAL;
15638 
15639 	if (tb[NL80211_NAN_BAND_CONF_FREQ]) {
15640 		u16 freq = nla_get_u16(tb[NL80211_NAN_BAND_CONF_FREQ]);
15641 
15642 		if (band != NL80211_BAND_5GHZ)
15643 			return -EINVAL;
15644 
15645 		cfg->chan = nl80211_get_nan_channel(wiphy, freq);
15646 		if (!cfg->chan)
15647 			return -EINVAL;
15648 	}
15649 
15650 	if (tb[NL80211_NAN_BAND_CONF_RSSI_CLOSE]) {
15651 		cfg->rssi_close =
15652 			nla_get_s8(tb[NL80211_NAN_BAND_CONF_RSSI_CLOSE]);
15653 		if (!tb[NL80211_NAN_BAND_CONF_RSSI_MIDDLE])
15654 			return -EINVAL;
15655 	}
15656 
15657 	if (tb[NL80211_NAN_BAND_CONF_RSSI_MIDDLE]) {
15658 		cfg->rssi_middle =
15659 			nla_get_s8(tb[NL80211_NAN_BAND_CONF_RSSI_MIDDLE]);
15660 		if (!cfg->rssi_close || cfg->rssi_middle >= cfg->rssi_close)
15661 			return -EINVAL;
15662 	}
15663 
15664 	if (tb[NL80211_NAN_BAND_CONF_WAKE_DW]) {
15665 		cfg->awake_dw_interval =
15666 			nla_get_u8(tb[NL80211_NAN_BAND_CONF_WAKE_DW]);
15667 
15668 		if (band == NL80211_BAND_2GHZ && cfg->awake_dw_interval == 0)
15669 			return -EINVAL;
15670 	}
15671 
15672 	cfg->disable_scan =
15673 		nla_get_flag(tb[NL80211_NAN_BAND_CONF_DISABLE_SCAN]);
15674 	return 0;
15675 }
15676 
15677 static int nl80211_parse_nan_conf(struct wiphy *wiphy,
15678 				  struct genl_info *info,
15679 				  struct cfg80211_nan_conf *conf,
15680 				  u32 *changed_flags,
15681 				  bool start)
15682 {
15683 	struct nlattr *attrs[NL80211_NAN_CONF_ATTR_MAX + 1];
15684 	int err, rem;
15685 	u32 changed = 0;
15686 	struct nlattr *band_config;
15687 
15688 	if (info->attrs[NL80211_ATTR_NAN_MASTER_PREF]) {
15689 		conf->master_pref =
15690 			nla_get_u8(info->attrs[NL80211_ATTR_NAN_MASTER_PREF]);
15691 
15692 		changed |= CFG80211_NAN_CONF_CHANGED_PREF;
15693 	}
15694 
15695 	if (info->attrs[NL80211_ATTR_BANDS]) {
15696 		u32 bands = nla_get_u32(info->attrs[NL80211_ATTR_BANDS]);
15697 
15698 		if (bands & ~(u32)wiphy->nan_supported_bands)
15699 			return -EOPNOTSUPP;
15700 
15701 		if (bands && !(bands & BIT(NL80211_BAND_2GHZ)))
15702 			return -EINVAL;
15703 
15704 		conf->bands = bands;
15705 		changed |= CFG80211_NAN_CONF_CHANGED_BANDS;
15706 	}
15707 
15708 	conf->band_cfgs[NL80211_BAND_2GHZ].awake_dw_interval = 1;
15709 	if (conf->bands & BIT(NL80211_BAND_5GHZ) || !conf->bands)
15710 		conf->band_cfgs[NL80211_BAND_5GHZ].awake_dw_interval = 1;
15711 
15712 	/* On 2.4 GHz band use channel 6 */
15713 	conf->band_cfgs[NL80211_BAND_2GHZ].chan =
15714 		nl80211_get_nan_channel(wiphy, 2437);
15715 	if (!conf->band_cfgs[NL80211_BAND_2GHZ].chan)
15716 		return -EINVAL;
15717 
15718 	if (!info->attrs[NL80211_ATTR_NAN_CONFIG])
15719 		goto out;
15720 
15721 	err = nla_parse_nested(attrs, NL80211_NAN_CONF_ATTR_MAX,
15722 			       info->attrs[NL80211_ATTR_NAN_CONFIG], NULL,
15723 			       info->extack);
15724 	if (err)
15725 		return err;
15726 
15727 	changed |= CFG80211_NAN_CONF_CHANGED_CONFIG;
15728 	if (attrs[NL80211_NAN_CONF_CLUSTER_ID] && start)
15729 		conf->cluster_id =
15730 			nla_data(attrs[NL80211_NAN_CONF_CLUSTER_ID]);
15731 
15732 	if (attrs[NL80211_NAN_CONF_EXTRA_ATTRS]) {
15733 		conf->extra_nan_attrs =
15734 			nla_data(attrs[NL80211_NAN_CONF_EXTRA_ATTRS]);
15735 		conf->extra_nan_attrs_len =
15736 			nla_len(attrs[NL80211_NAN_CONF_EXTRA_ATTRS]);
15737 	}
15738 
15739 	if (attrs[NL80211_NAN_CONF_VENDOR_ELEMS]) {
15740 		conf->vendor_elems =
15741 			nla_data(attrs[NL80211_NAN_CONF_VENDOR_ELEMS]);
15742 		conf->vendor_elems_len =
15743 			nla_len(attrs[NL80211_NAN_CONF_VENDOR_ELEMS]);
15744 	}
15745 
15746 	if (attrs[NL80211_NAN_CONF_BAND_CONFIGS]) {
15747 		nla_for_each_nested(band_config,
15748 				    attrs[NL80211_NAN_CONF_BAND_CONFIGS],
15749 				    rem) {
15750 			enum nl80211_band band;
15751 			struct cfg80211_nan_band_config *cfg;
15752 			struct nlattr *tb[NL80211_NAN_BAND_CONF_ATTR_MAX + 1];
15753 
15754 			err = nla_parse_nested(tb,
15755 					       NL80211_NAN_BAND_CONF_ATTR_MAX,
15756 					       band_config, NULL,
15757 					       info->extack);
15758 			if (err)
15759 				return err;
15760 
15761 			if (!tb[NL80211_NAN_BAND_CONF_BAND])
15762 				return -EINVAL;
15763 
15764 			band = nla_get_u8(tb[NL80211_NAN_BAND_CONF_BAND]);
15765 			if (conf->bands && !(conf->bands & BIT(band)))
15766 				return -EINVAL;
15767 
15768 			cfg = &conf->band_cfgs[band];
15769 
15770 			err = nl80211_parse_nan_band_config(wiphy, tb, cfg,
15771 							    band);
15772 			if (err)
15773 				return err;
15774 		}
15775 	}
15776 
15777 	if (attrs[NL80211_NAN_CONF_SCAN_PERIOD])
15778 		conf->scan_period =
15779 			nla_get_u16(attrs[NL80211_NAN_CONF_SCAN_PERIOD]);
15780 
15781 	if (attrs[NL80211_NAN_CONF_SCAN_DWELL_TIME])
15782 		conf->scan_dwell_time =
15783 			nla_get_u16(attrs[NL80211_NAN_CONF_SCAN_DWELL_TIME]);
15784 
15785 	if (attrs[NL80211_NAN_CONF_DISCOVERY_BEACON_INTERVAL])
15786 		conf->discovery_beacon_interval =
15787 			nla_get_u8(attrs[NL80211_NAN_CONF_DISCOVERY_BEACON_INTERVAL]);
15788 
15789 	if (attrs[NL80211_NAN_CONF_NOTIFY_DW])
15790 		conf->enable_dw_notification =
15791 			nla_get_flag(attrs[NL80211_NAN_CONF_NOTIFY_DW]);
15792 
15793 out:
15794 	if (!conf->band_cfgs[NL80211_BAND_5GHZ].chan &&
15795 	    (!conf->bands || conf->bands & BIT(NL80211_BAND_5GHZ))) {
15796 		/* If no 5GHz channel is specified use default, if possible */
15797 		conf->band_cfgs[NL80211_BAND_5GHZ].chan =
15798 				nl80211_get_nan_channel(wiphy, 5745);
15799 		if (!conf->band_cfgs[NL80211_BAND_5GHZ].chan)
15800 			conf->band_cfgs[NL80211_BAND_5GHZ].chan =
15801 					nl80211_get_nan_channel(wiphy, 5220);
15802 
15803 		/* Return error if user space asked explicitly for 5 GHz */
15804 		if (!conf->band_cfgs[NL80211_BAND_5GHZ].chan &&
15805 		    conf->bands & BIT(NL80211_BAND_5GHZ)) {
15806 			NL_SET_ERR_MSG_ATTR(info->extack,
15807 					    info->attrs[NL80211_ATTR_BANDS],
15808 					    "5 GHz band operation is not allowed");
15809 			return -EINVAL;
15810 		}
15811 	}
15812 
15813 	if (changed_flags)
15814 		*changed_flags = changed;
15815 
15816 	return 0;
15817 }
15818 
15819 static int nl80211_start_nan(struct sk_buff *skb, struct genl_info *info)
15820 {
15821 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15822 	struct wireless_dev *wdev = info->user_ptr[1];
15823 	struct cfg80211_nan_conf conf = {};
15824 	int err;
15825 
15826 	if (wdev->iftype != NL80211_IFTYPE_NAN)
15827 		return -EOPNOTSUPP;
15828 
15829 	if (wdev_running(wdev))
15830 		return -EEXIST;
15831 
15832 	if (rfkill_blocked(rdev->wiphy.rfkill))
15833 		return -ERFKILL;
15834 
15835 	/* Master preference is mandatory for START_NAN */
15836 	if (!info->attrs[NL80211_ATTR_NAN_MASTER_PREF])
15837 		return -EINVAL;
15838 
15839 	err = nl80211_parse_nan_conf(&rdev->wiphy, info, &conf, NULL, true);
15840 	if (err)
15841 		return err;
15842 
15843 	err = rdev_start_nan(rdev, wdev, &conf);
15844 	if (err)
15845 		return err;
15846 
15847 	wdev->is_running = true;
15848 	rdev->opencount++;
15849 
15850 	return 0;
15851 }
15852 
15853 static int nl80211_stop_nan(struct sk_buff *skb, struct genl_info *info)
15854 {
15855 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15856 	struct wireless_dev *wdev = info->user_ptr[1];
15857 
15858 	if (wdev->iftype != NL80211_IFTYPE_NAN)
15859 		return -EOPNOTSUPP;
15860 
15861 	cfg80211_stop_nan(rdev, wdev);
15862 
15863 	return 0;
15864 }
15865 
15866 static int validate_nan_filter(struct nlattr *filter_attr)
15867 {
15868 	struct nlattr *attr;
15869 	int len = 0, n_entries = 0, rem;
15870 
15871 	nla_for_each_nested(attr, filter_attr, rem) {
15872 		len += nla_len(attr);
15873 		n_entries++;
15874 	}
15875 
15876 	if (len >= U8_MAX)
15877 		return -EINVAL;
15878 
15879 	return n_entries;
15880 }
15881 
15882 static int handle_nan_filter(struct nlattr *attr_filter,
15883 			     struct cfg80211_nan_func *func,
15884 			     bool tx)
15885 {
15886 	struct nlattr *attr;
15887 	int n_entries, rem, i;
15888 	struct cfg80211_nan_func_filter *filter;
15889 
15890 	n_entries = validate_nan_filter(attr_filter);
15891 	if (n_entries < 0)
15892 		return n_entries;
15893 
15894 	BUILD_BUG_ON(sizeof(*func->rx_filters) != sizeof(*func->tx_filters));
15895 
15896 	filter = kzalloc_objs(*func->rx_filters, n_entries);
15897 	if (!filter)
15898 		return -ENOMEM;
15899 
15900 	i = 0;
15901 	nla_for_each_nested(attr, attr_filter, rem) {
15902 		filter[i].filter = nla_memdup(attr, GFP_KERNEL);
15903 		if (!filter[i].filter)
15904 			goto err;
15905 
15906 		filter[i].len = nla_len(attr);
15907 		i++;
15908 	}
15909 	if (tx) {
15910 		func->num_tx_filters = n_entries;
15911 		func->tx_filters = filter;
15912 	} else {
15913 		func->num_rx_filters = n_entries;
15914 		func->rx_filters = filter;
15915 	}
15916 
15917 	return 0;
15918 
15919 err:
15920 	i = 0;
15921 	nla_for_each_nested(attr, attr_filter, rem) {
15922 		kfree(filter[i].filter);
15923 		i++;
15924 	}
15925 	kfree(filter);
15926 	return -ENOMEM;
15927 }
15928 
15929 static int nl80211_nan_add_func(struct sk_buff *skb,
15930 				struct genl_info *info)
15931 {
15932 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15933 	struct wireless_dev *wdev = info->user_ptr[1];
15934 	struct nlattr *tb[NUM_NL80211_NAN_FUNC_ATTR], *func_attr;
15935 	struct cfg80211_nan_func *func;
15936 	struct sk_buff *msg = NULL;
15937 	void *hdr = NULL;
15938 	int err = 0;
15939 
15940 	if (wdev->iftype != NL80211_IFTYPE_NAN)
15941 		return -EOPNOTSUPP;
15942 
15943 	if (!wdev_running(wdev))
15944 		return -ENOTCONN;
15945 
15946 	if (!info->attrs[NL80211_ATTR_NAN_FUNC])
15947 		return -EINVAL;
15948 
15949 	err = nla_parse_nested_deprecated(tb, NL80211_NAN_FUNC_ATTR_MAX,
15950 					  info->attrs[NL80211_ATTR_NAN_FUNC],
15951 					  nl80211_nan_func_policy,
15952 					  info->extack);
15953 	if (err)
15954 		return err;
15955 
15956 	func = kzalloc_obj(*func);
15957 	if (!func)
15958 		return -ENOMEM;
15959 
15960 	func->cookie = cfg80211_assign_cookie(rdev);
15961 
15962 	if (!tb[NL80211_NAN_FUNC_TYPE]) {
15963 		err = -EINVAL;
15964 		goto out;
15965 	}
15966 
15967 
15968 	func->type = nla_get_u8(tb[NL80211_NAN_FUNC_TYPE]);
15969 
15970 	if (!tb[NL80211_NAN_FUNC_SERVICE_ID]) {
15971 		err = -EINVAL;
15972 		goto out;
15973 	}
15974 
15975 	memcpy(func->service_id, nla_data(tb[NL80211_NAN_FUNC_SERVICE_ID]),
15976 	       sizeof(func->service_id));
15977 
15978 	func->close_range =
15979 		nla_get_flag(tb[NL80211_NAN_FUNC_CLOSE_RANGE]);
15980 
15981 	if (tb[NL80211_NAN_FUNC_SERVICE_INFO]) {
15982 		func->serv_spec_info_len =
15983 			nla_len(tb[NL80211_NAN_FUNC_SERVICE_INFO]);
15984 		func->serv_spec_info =
15985 			kmemdup(nla_data(tb[NL80211_NAN_FUNC_SERVICE_INFO]),
15986 				func->serv_spec_info_len,
15987 				GFP_KERNEL);
15988 		if (!func->serv_spec_info) {
15989 			err = -ENOMEM;
15990 			goto out;
15991 		}
15992 	}
15993 
15994 	if (tb[NL80211_NAN_FUNC_TTL])
15995 		func->ttl = nla_get_u32(tb[NL80211_NAN_FUNC_TTL]);
15996 
15997 	switch (func->type) {
15998 	case NL80211_NAN_FUNC_PUBLISH:
15999 		if (!tb[NL80211_NAN_FUNC_PUBLISH_TYPE]) {
16000 			err = -EINVAL;
16001 			goto out;
16002 		}
16003 
16004 		func->publish_type =
16005 			nla_get_u8(tb[NL80211_NAN_FUNC_PUBLISH_TYPE]);
16006 		func->publish_bcast =
16007 			nla_get_flag(tb[NL80211_NAN_FUNC_PUBLISH_BCAST]);
16008 
16009 		if ((!(func->publish_type & NL80211_NAN_SOLICITED_PUBLISH)) &&
16010 			func->publish_bcast) {
16011 			err = -EINVAL;
16012 			goto out;
16013 		}
16014 		break;
16015 	case NL80211_NAN_FUNC_SUBSCRIBE:
16016 		func->subscribe_active =
16017 			nla_get_flag(tb[NL80211_NAN_FUNC_SUBSCRIBE_ACTIVE]);
16018 		break;
16019 	case NL80211_NAN_FUNC_FOLLOW_UP:
16020 		if (!tb[NL80211_NAN_FUNC_FOLLOW_UP_ID] ||
16021 		    !tb[NL80211_NAN_FUNC_FOLLOW_UP_REQ_ID] ||
16022 		    !tb[NL80211_NAN_FUNC_FOLLOW_UP_DEST]) {
16023 			err = -EINVAL;
16024 			goto out;
16025 		}
16026 
16027 		func->followup_id =
16028 			nla_get_u8(tb[NL80211_NAN_FUNC_FOLLOW_UP_ID]);
16029 		func->followup_reqid =
16030 			nla_get_u8(tb[NL80211_NAN_FUNC_FOLLOW_UP_REQ_ID]);
16031 		memcpy(func->followup_dest.addr,
16032 		       nla_data(tb[NL80211_NAN_FUNC_FOLLOW_UP_DEST]),
16033 		       sizeof(func->followup_dest.addr));
16034 		if (func->ttl) {
16035 			err = -EINVAL;
16036 			goto out;
16037 		}
16038 		break;
16039 	default:
16040 		err = -EINVAL;
16041 		goto out;
16042 	}
16043 
16044 	if (tb[NL80211_NAN_FUNC_SRF]) {
16045 		struct nlattr *srf_tb[NUM_NL80211_NAN_SRF_ATTR];
16046 
16047 		err = nla_parse_nested_deprecated(srf_tb,
16048 						  NL80211_NAN_SRF_ATTR_MAX,
16049 						  tb[NL80211_NAN_FUNC_SRF],
16050 						  nl80211_nan_srf_policy,
16051 						  info->extack);
16052 		if (err)
16053 			goto out;
16054 
16055 		func->srf_include =
16056 			nla_get_flag(srf_tb[NL80211_NAN_SRF_INCLUDE]);
16057 
16058 		if (srf_tb[NL80211_NAN_SRF_BF]) {
16059 			if (srf_tb[NL80211_NAN_SRF_MAC_ADDRS] ||
16060 			    !srf_tb[NL80211_NAN_SRF_BF_IDX]) {
16061 				err = -EINVAL;
16062 				goto out;
16063 			}
16064 
16065 			func->srf_bf_len =
16066 				nla_len(srf_tb[NL80211_NAN_SRF_BF]);
16067 			func->srf_bf =
16068 				kmemdup(nla_data(srf_tb[NL80211_NAN_SRF_BF]),
16069 					func->srf_bf_len, GFP_KERNEL);
16070 			if (!func->srf_bf) {
16071 				err = -ENOMEM;
16072 				goto out;
16073 			}
16074 
16075 			func->srf_bf_idx =
16076 				nla_get_u8(srf_tb[NL80211_NAN_SRF_BF_IDX]);
16077 		} else {
16078 			struct nlattr *attr, *mac_attr =
16079 				srf_tb[NL80211_NAN_SRF_MAC_ADDRS];
16080 			int n_entries, rem, i = 0;
16081 
16082 			if (!mac_attr) {
16083 				err = -EINVAL;
16084 				goto out;
16085 			}
16086 
16087 			n_entries = validate_acl_mac_addrs(mac_attr);
16088 			if (n_entries <= 0) {
16089 				err = -EINVAL;
16090 				goto out;
16091 			}
16092 
16093 			func->srf_num_macs = n_entries;
16094 			func->srf_macs =
16095 				kzalloc_objs(*func->srf_macs, n_entries);
16096 			if (!func->srf_macs) {
16097 				err = -ENOMEM;
16098 				goto out;
16099 			}
16100 
16101 			nla_for_each_nested(attr, mac_attr, rem)
16102 				memcpy(func->srf_macs[i++].addr, nla_data(attr),
16103 				       sizeof(*func->srf_macs));
16104 		}
16105 	}
16106 
16107 	if (tb[NL80211_NAN_FUNC_TX_MATCH_FILTER]) {
16108 		err = handle_nan_filter(tb[NL80211_NAN_FUNC_TX_MATCH_FILTER],
16109 					func, true);
16110 		if (err)
16111 			goto out;
16112 	}
16113 
16114 	if (tb[NL80211_NAN_FUNC_RX_MATCH_FILTER]) {
16115 		err = handle_nan_filter(tb[NL80211_NAN_FUNC_RX_MATCH_FILTER],
16116 					func, false);
16117 		if (err)
16118 			goto out;
16119 	}
16120 
16121 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
16122 	if (!msg) {
16123 		err = -ENOMEM;
16124 		goto out;
16125 	}
16126 
16127 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
16128 			     NL80211_CMD_ADD_NAN_FUNCTION);
16129 	/* This can't really happen - we just allocated 4KB */
16130 	if (WARN_ON(!hdr)) {
16131 		err = -ENOMEM;
16132 		goto out;
16133 	}
16134 
16135 	err = rdev_add_nan_func(rdev, wdev, func);
16136 out:
16137 	if (err < 0) {
16138 		cfg80211_free_nan_func(func);
16139 		nlmsg_free(msg);
16140 		return err;
16141 	}
16142 
16143 	/* propagate the instance id and cookie to userspace  */
16144 	if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, func->cookie,
16145 			      NL80211_ATTR_PAD))
16146 		goto nla_put_failure;
16147 
16148 	func_attr = nla_nest_start_noflag(msg, NL80211_ATTR_NAN_FUNC);
16149 	if (!func_attr)
16150 		goto nla_put_failure;
16151 
16152 	if (nla_put_u8(msg, NL80211_NAN_FUNC_INSTANCE_ID,
16153 		       func->instance_id))
16154 		goto nla_put_failure;
16155 
16156 	nla_nest_end(msg, func_attr);
16157 
16158 	genlmsg_end(msg, hdr);
16159 	return genlmsg_reply(msg, info);
16160 
16161 nla_put_failure:
16162 	nlmsg_free(msg);
16163 	return -ENOBUFS;
16164 }
16165 
16166 static int nl80211_nan_del_func(struct sk_buff *skb,
16167 			       struct genl_info *info)
16168 {
16169 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
16170 	struct wireless_dev *wdev = info->user_ptr[1];
16171 	u64 cookie;
16172 
16173 	if (wdev->iftype != NL80211_IFTYPE_NAN)
16174 		return -EOPNOTSUPP;
16175 
16176 	if (!wdev_running(wdev))
16177 		return -ENOTCONN;
16178 
16179 	if (!info->attrs[NL80211_ATTR_COOKIE])
16180 		return -EINVAL;
16181 
16182 	cookie = nla_get_u64(info->attrs[NL80211_ATTR_COOKIE]);
16183 
16184 	rdev_del_nan_func(rdev, wdev, cookie);
16185 
16186 	return 0;
16187 }
16188 
16189 static int nl80211_nan_change_config(struct sk_buff *skb,
16190 				     struct genl_info *info)
16191 {
16192 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
16193 	struct wireless_dev *wdev = info->user_ptr[1];
16194 	struct cfg80211_nan_conf conf = {};
16195 	u32 changed = 0;
16196 	int err;
16197 
16198 	if (wdev->iftype != NL80211_IFTYPE_NAN)
16199 		return -EOPNOTSUPP;
16200 
16201 	if (!wdev_running(wdev))
16202 		return -ENOTCONN;
16203 
16204 	err = nl80211_parse_nan_conf(&rdev->wiphy, info, &conf, &changed, false);
16205 	if (err)
16206 		return err;
16207 
16208 	if (!changed)
16209 		return -EINVAL;
16210 
16211 	return rdev_nan_change_conf(rdev, wdev, &conf, changed);
16212 }
16213 
16214 void cfg80211_nan_match(struct wireless_dev *wdev,
16215 			struct cfg80211_nan_match_params *match, gfp_t gfp)
16216 {
16217 	struct wiphy *wiphy = wdev->wiphy;
16218 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
16219 	struct nlattr *match_attr, *local_func_attr, *peer_func_attr;
16220 	struct sk_buff *msg;
16221 	void *hdr;
16222 
16223 	if (WARN_ON(wiphy->nan_capa.flags & WIPHY_NAN_FLAGS_USERSPACE_DE))
16224 		return;
16225 
16226 	if (WARN_ON(!match->inst_id || !match->peer_inst_id || !match->addr))
16227 		return;
16228 
16229 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
16230 	if (!msg)
16231 		return;
16232 
16233 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_NAN_MATCH);
16234 	if (!hdr) {
16235 		nlmsg_free(msg);
16236 		return;
16237 	}
16238 
16239 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
16240 	    (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
16241 					 wdev->netdev->ifindex)) ||
16242 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
16243 			      NL80211_ATTR_PAD))
16244 		goto nla_put_failure;
16245 
16246 	if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, match->cookie,
16247 			      NL80211_ATTR_PAD) ||
16248 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, match->addr))
16249 		goto nla_put_failure;
16250 
16251 	match_attr = nla_nest_start_noflag(msg, NL80211_ATTR_NAN_MATCH);
16252 	if (!match_attr)
16253 		goto nla_put_failure;
16254 
16255 	local_func_attr = nla_nest_start_noflag(msg,
16256 						NL80211_NAN_MATCH_FUNC_LOCAL);
16257 	if (!local_func_attr)
16258 		goto nla_put_failure;
16259 
16260 	if (nla_put_u8(msg, NL80211_NAN_FUNC_INSTANCE_ID, match->inst_id))
16261 		goto nla_put_failure;
16262 
16263 	nla_nest_end(msg, local_func_attr);
16264 
16265 	peer_func_attr = nla_nest_start_noflag(msg,
16266 					       NL80211_NAN_MATCH_FUNC_PEER);
16267 	if (!peer_func_attr)
16268 		goto nla_put_failure;
16269 
16270 	if (nla_put_u8(msg, NL80211_NAN_FUNC_TYPE, match->type) ||
16271 	    nla_put_u8(msg, NL80211_NAN_FUNC_INSTANCE_ID, match->peer_inst_id))
16272 		goto nla_put_failure;
16273 
16274 	if (match->info && match->info_len &&
16275 	    nla_put(msg, NL80211_NAN_FUNC_SERVICE_INFO, match->info_len,
16276 		    match->info))
16277 		goto nla_put_failure;
16278 
16279 	nla_nest_end(msg, peer_func_attr);
16280 	nla_nest_end(msg, match_attr);
16281 	genlmsg_end(msg, hdr);
16282 
16283 	if (!wdev->owner_nlportid)
16284 		genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy),
16285 					msg, 0, NL80211_MCGRP_NAN, gfp);
16286 	else
16287 		genlmsg_unicast(wiphy_net(&rdev->wiphy), msg,
16288 				wdev->owner_nlportid);
16289 
16290 	return;
16291 
16292 nla_put_failure:
16293 	nlmsg_free(msg);
16294 }
16295 EXPORT_SYMBOL(cfg80211_nan_match);
16296 
16297 void cfg80211_nan_func_terminated(struct wireless_dev *wdev,
16298 				  u8 inst_id,
16299 				  enum nl80211_nan_func_term_reason reason,
16300 				  u64 cookie, gfp_t gfp)
16301 {
16302 	struct wiphy *wiphy = wdev->wiphy;
16303 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
16304 	struct sk_buff *msg;
16305 	struct nlattr *func_attr;
16306 	void *hdr;
16307 
16308 	if (WARN_ON(wiphy->nan_capa.flags & WIPHY_NAN_FLAGS_USERSPACE_DE))
16309 		return;
16310 
16311 	if (WARN_ON(!inst_id))
16312 		return;
16313 
16314 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
16315 	if (!msg)
16316 		return;
16317 
16318 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_DEL_NAN_FUNCTION);
16319 	if (!hdr) {
16320 		nlmsg_free(msg);
16321 		return;
16322 	}
16323 
16324 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
16325 	    (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
16326 					 wdev->netdev->ifindex)) ||
16327 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
16328 			      NL80211_ATTR_PAD))
16329 		goto nla_put_failure;
16330 
16331 	if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
16332 			      NL80211_ATTR_PAD))
16333 		goto nla_put_failure;
16334 
16335 	func_attr = nla_nest_start_noflag(msg, NL80211_ATTR_NAN_FUNC);
16336 	if (!func_attr)
16337 		goto nla_put_failure;
16338 
16339 	if (nla_put_u8(msg, NL80211_NAN_FUNC_INSTANCE_ID, inst_id) ||
16340 	    nla_put_u8(msg, NL80211_NAN_FUNC_TERM_REASON, reason))
16341 		goto nla_put_failure;
16342 
16343 	nla_nest_end(msg, func_attr);
16344 	genlmsg_end(msg, hdr);
16345 
16346 	if (!wdev->owner_nlportid)
16347 		genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy),
16348 					msg, 0, NL80211_MCGRP_NAN, gfp);
16349 	else
16350 		genlmsg_unicast(wiphy_net(&rdev->wiphy), msg,
16351 				wdev->owner_nlportid);
16352 
16353 	return;
16354 
16355 nla_put_failure:
16356 	nlmsg_free(msg);
16357 }
16358 EXPORT_SYMBOL(cfg80211_nan_func_terminated);
16359 
16360 static int nl80211_get_protocol_features(struct sk_buff *skb,
16361 					 struct genl_info *info)
16362 {
16363 	void *hdr;
16364 	struct sk_buff *msg;
16365 
16366 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
16367 	if (!msg)
16368 		return -ENOMEM;
16369 
16370 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
16371 			     NL80211_CMD_GET_PROTOCOL_FEATURES);
16372 	if (!hdr)
16373 		goto nla_put_failure;
16374 
16375 	if (nla_put_u32(msg, NL80211_ATTR_PROTOCOL_FEATURES,
16376 			NL80211_PROTOCOL_FEATURE_SPLIT_WIPHY_DUMP))
16377 		goto nla_put_failure;
16378 
16379 	genlmsg_end(msg, hdr);
16380 	return genlmsg_reply(msg, info);
16381 
16382  nla_put_failure:
16383 	kfree_skb(msg);
16384 	return -ENOBUFS;
16385 }
16386 
16387 static int nl80211_update_ft_ies(struct sk_buff *skb, struct genl_info *info)
16388 {
16389 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
16390 	struct cfg80211_update_ft_ies_params ft_params;
16391 	struct net_device *dev = info->user_ptr[1];
16392 
16393 	if (!rdev->ops->update_ft_ies)
16394 		return -EOPNOTSUPP;
16395 
16396 	if (!info->attrs[NL80211_ATTR_MDID] ||
16397 	    !info->attrs[NL80211_ATTR_IE])
16398 		return -EINVAL;
16399 
16400 	memset(&ft_params, 0, sizeof(ft_params));
16401 	ft_params.md = nla_get_u16(info->attrs[NL80211_ATTR_MDID]);
16402 	ft_params.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
16403 	ft_params.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
16404 
16405 	return rdev_update_ft_ies(rdev, dev, &ft_params);
16406 }
16407 
16408 static int nl80211_crit_protocol_start(struct sk_buff *skb,
16409 				       struct genl_info *info)
16410 {
16411 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
16412 	struct wireless_dev *wdev = info->user_ptr[1];
16413 	enum nl80211_crit_proto_id proto = NL80211_CRIT_PROTO_UNSPEC;
16414 	u16 duration;
16415 	int ret;
16416 
16417 	if (!rdev->ops->crit_proto_start)
16418 		return -EOPNOTSUPP;
16419 
16420 	if (WARN_ON(!rdev->ops->crit_proto_stop))
16421 		return -EINVAL;
16422 
16423 	if (rdev->crit_proto_nlportid)
16424 		return -EBUSY;
16425 
16426 	/* determine protocol if provided */
16427 	if (info->attrs[NL80211_ATTR_CRIT_PROT_ID])
16428 		proto = nla_get_u16(info->attrs[NL80211_ATTR_CRIT_PROT_ID]);
16429 
16430 	if (proto >= NUM_NL80211_CRIT_PROTO)
16431 		return -EINVAL;
16432 
16433 	/* timeout must be provided */
16434 	if (!info->attrs[NL80211_ATTR_MAX_CRIT_PROT_DURATION])
16435 		return -EINVAL;
16436 
16437 	duration =
16438 		nla_get_u16(info->attrs[NL80211_ATTR_MAX_CRIT_PROT_DURATION]);
16439 
16440 	ret = rdev_crit_proto_start(rdev, wdev, proto, duration);
16441 	if (!ret)
16442 		rdev->crit_proto_nlportid = info->snd_portid;
16443 
16444 	return ret;
16445 }
16446 
16447 static int nl80211_crit_protocol_stop(struct sk_buff *skb,
16448 				      struct genl_info *info)
16449 {
16450 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
16451 	struct wireless_dev *wdev = info->user_ptr[1];
16452 
16453 	if (!rdev->ops->crit_proto_stop)
16454 		return -EOPNOTSUPP;
16455 
16456 	if (rdev->crit_proto_nlportid) {
16457 		rdev->crit_proto_nlportid = 0;
16458 		rdev_crit_proto_stop(rdev, wdev);
16459 	}
16460 	return 0;
16461 }
16462 
16463 static int nl80211_vendor_check_policy(const struct wiphy_vendor_command *vcmd,
16464 				       struct nlattr *attr,
16465 				       struct netlink_ext_ack *extack)
16466 {
16467 	if (vcmd->policy == VENDOR_CMD_RAW_DATA) {
16468 		if (attr->nla_type & NLA_F_NESTED) {
16469 			NL_SET_ERR_MSG_ATTR(extack, attr,
16470 					    "unexpected nested data");
16471 			return -EINVAL;
16472 		}
16473 
16474 		return 0;
16475 	}
16476 
16477 	if (!(attr->nla_type & NLA_F_NESTED)) {
16478 		NL_SET_ERR_MSG_ATTR(extack, attr, "expected nested data");
16479 		return -EINVAL;
16480 	}
16481 
16482 	return nla_validate_nested(attr, vcmd->maxattr, vcmd->policy, extack);
16483 }
16484 
16485 static int nl80211_vendor_cmd(struct sk_buff *skb, struct genl_info *info)
16486 {
16487 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
16488 	struct wireless_dev *wdev =
16489 		__cfg80211_wdev_from_attrs(rdev, genl_info_net(info),
16490 					   info->attrs);
16491 	int i, err;
16492 	u32 vid, subcmd;
16493 
16494 	if (!rdev->wiphy.vendor_commands)
16495 		return -EOPNOTSUPP;
16496 
16497 	if (IS_ERR(wdev)) {
16498 		err = PTR_ERR(wdev);
16499 		if (err != -EINVAL)
16500 			return err;
16501 		wdev = NULL;
16502 	} else if (wdev->wiphy != &rdev->wiphy) {
16503 		return -EINVAL;
16504 	}
16505 
16506 	if (!info->attrs[NL80211_ATTR_VENDOR_ID] ||
16507 	    !info->attrs[NL80211_ATTR_VENDOR_SUBCMD])
16508 		return -EINVAL;
16509 
16510 	vid = nla_get_u32(info->attrs[NL80211_ATTR_VENDOR_ID]);
16511 	subcmd = nla_get_u32(info->attrs[NL80211_ATTR_VENDOR_SUBCMD]);
16512 	for (i = 0; i < rdev->wiphy.n_vendor_commands; i++) {
16513 		const struct wiphy_vendor_command *vcmd;
16514 		void *data = NULL;
16515 		int len = 0;
16516 
16517 		vcmd = &rdev->wiphy.vendor_commands[i];
16518 
16519 		if (vcmd->info.vendor_id != vid || vcmd->info.subcmd != subcmd)
16520 			continue;
16521 
16522 		if (vcmd->flags & (WIPHY_VENDOR_CMD_NEED_WDEV |
16523 				   WIPHY_VENDOR_CMD_NEED_NETDEV)) {
16524 			if (!wdev)
16525 				return -EINVAL;
16526 			if (vcmd->flags & WIPHY_VENDOR_CMD_NEED_NETDEV &&
16527 			    !wdev->netdev)
16528 				return -EINVAL;
16529 
16530 			if (vcmd->flags & WIPHY_VENDOR_CMD_NEED_RUNNING) {
16531 				if (!wdev_running(wdev))
16532 					return -ENETDOWN;
16533 			}
16534 		} else {
16535 			wdev = NULL;
16536 		}
16537 
16538 		if (!vcmd->doit)
16539 			return -EOPNOTSUPP;
16540 
16541 		if (info->attrs[NL80211_ATTR_VENDOR_DATA]) {
16542 			data = nla_data(info->attrs[NL80211_ATTR_VENDOR_DATA]);
16543 			len = nla_len(info->attrs[NL80211_ATTR_VENDOR_DATA]);
16544 
16545 			err = nl80211_vendor_check_policy(vcmd,
16546 					info->attrs[NL80211_ATTR_VENDOR_DATA],
16547 					info->extack);
16548 			if (err)
16549 				return err;
16550 		}
16551 
16552 		rdev->cur_cmd_info = info;
16553 		err = vcmd->doit(&rdev->wiphy, wdev, data, len);
16554 		rdev->cur_cmd_info = NULL;
16555 		return err;
16556 	}
16557 
16558 	return -EOPNOTSUPP;
16559 }
16560 
16561 static int nl80211_prepare_vendor_dump(struct sk_buff *skb,
16562 				       struct netlink_callback *cb,
16563 				       struct cfg80211_registered_device **rdev,
16564 				       struct wireless_dev **wdev)
16565 {
16566 	struct nlattr **attrbuf;
16567 	u32 vid, subcmd;
16568 	unsigned int i;
16569 	int vcmd_idx = -1;
16570 	int err;
16571 	void *data = NULL;
16572 	unsigned int data_len = 0;
16573 
16574 	if (cb->args[0]) {
16575 		/* subtract the 1 again here */
16576 		struct wiphy *wiphy = wiphy_idx_to_wiphy(cb->args[0] - 1);
16577 		struct wireless_dev *tmp;
16578 
16579 		if (!wiphy)
16580 			return -ENODEV;
16581 		*rdev = wiphy_to_rdev(wiphy);
16582 		*wdev = NULL;
16583 
16584 		if (cb->args[1]) {
16585 			list_for_each_entry(tmp, &wiphy->wdev_list, list) {
16586 				if (tmp->identifier == cb->args[1] - 1) {
16587 					*wdev = tmp;
16588 					break;
16589 				}
16590 			}
16591 		}
16592 
16593 		/* keep rtnl locked in successful case */
16594 		return 0;
16595 	}
16596 
16597 	attrbuf = kzalloc_objs(*attrbuf, NUM_NL80211_ATTR);
16598 	if (!attrbuf)
16599 		return -ENOMEM;
16600 
16601 	err = nlmsg_parse_deprecated(cb->nlh,
16602 				     GENL_HDRLEN + nl80211_fam.hdrsize,
16603 				     attrbuf, nl80211_fam.maxattr,
16604 				     nl80211_policy, NULL);
16605 	if (err)
16606 		goto out;
16607 
16608 	if (!attrbuf[NL80211_ATTR_VENDOR_ID] ||
16609 	    !attrbuf[NL80211_ATTR_VENDOR_SUBCMD]) {
16610 		err = -EINVAL;
16611 		goto out;
16612 	}
16613 
16614 	*wdev = __cfg80211_wdev_from_attrs(NULL, sock_net(skb->sk), attrbuf);
16615 	if (IS_ERR(*wdev))
16616 		*wdev = NULL;
16617 
16618 	*rdev = __cfg80211_rdev_from_attrs(sock_net(skb->sk), attrbuf);
16619 	if (IS_ERR(*rdev)) {
16620 		err = PTR_ERR(*rdev);
16621 		goto out;
16622 	}
16623 
16624 	vid = nla_get_u32(attrbuf[NL80211_ATTR_VENDOR_ID]);
16625 	subcmd = nla_get_u32(attrbuf[NL80211_ATTR_VENDOR_SUBCMD]);
16626 
16627 	for (i = 0; i < (*rdev)->wiphy.n_vendor_commands; i++) {
16628 		const struct wiphy_vendor_command *vcmd;
16629 
16630 		vcmd = &(*rdev)->wiphy.vendor_commands[i];
16631 
16632 		if (vcmd->info.vendor_id != vid || vcmd->info.subcmd != subcmd)
16633 			continue;
16634 
16635 		if (!vcmd->dumpit) {
16636 			err = -EOPNOTSUPP;
16637 			goto out;
16638 		}
16639 
16640 		vcmd_idx = i;
16641 		break;
16642 	}
16643 
16644 	if (vcmd_idx < 0) {
16645 		err = -EOPNOTSUPP;
16646 		goto out;
16647 	}
16648 
16649 	if (attrbuf[NL80211_ATTR_VENDOR_DATA]) {
16650 		data = nla_data(attrbuf[NL80211_ATTR_VENDOR_DATA]);
16651 		data_len = nla_len(attrbuf[NL80211_ATTR_VENDOR_DATA]);
16652 
16653 		err = nl80211_vendor_check_policy(
16654 				&(*rdev)->wiphy.vendor_commands[vcmd_idx],
16655 				attrbuf[NL80211_ATTR_VENDOR_DATA],
16656 				cb->extack);
16657 		if (err)
16658 			goto out;
16659 	}
16660 
16661 	/* 0 is the first index - add 1 to parse only once */
16662 	cb->args[0] = (*rdev)->wiphy_idx + 1;
16663 	/* add 1 to know if it was NULL */
16664 	cb->args[1] = *wdev ? (*wdev)->identifier + 1 : 0;
16665 	cb->args[2] = vcmd_idx;
16666 	cb->args[3] = (unsigned long)data;
16667 	cb->args[4] = data_len;
16668 
16669 	/* keep rtnl locked in successful case */
16670 	err = 0;
16671 out:
16672 	kfree(attrbuf);
16673 	return err;
16674 }
16675 
16676 static int nl80211_vendor_cmd_dump(struct sk_buff *skb,
16677 				   struct netlink_callback *cb)
16678 {
16679 	struct cfg80211_registered_device *rdev;
16680 	struct wireless_dev *wdev;
16681 	unsigned int vcmd_idx;
16682 	const struct wiphy_vendor_command *vcmd;
16683 	void *data;
16684 	int data_len;
16685 	int err;
16686 	struct nlattr *vendor_data;
16687 
16688 	rtnl_lock();
16689 	err = nl80211_prepare_vendor_dump(skb, cb, &rdev, &wdev);
16690 	if (err)
16691 		goto out;
16692 
16693 	vcmd_idx = cb->args[2];
16694 	data = (void *)cb->args[3];
16695 	data_len = cb->args[4];
16696 	vcmd = &rdev->wiphy.vendor_commands[vcmd_idx];
16697 
16698 	if (vcmd->flags & (WIPHY_VENDOR_CMD_NEED_WDEV |
16699 			   WIPHY_VENDOR_CMD_NEED_NETDEV)) {
16700 		if (!wdev) {
16701 			err = -EINVAL;
16702 			goto out;
16703 		}
16704 		if (vcmd->flags & WIPHY_VENDOR_CMD_NEED_NETDEV &&
16705 		    !wdev->netdev) {
16706 			err = -EINVAL;
16707 			goto out;
16708 		}
16709 
16710 		if (vcmd->flags & WIPHY_VENDOR_CMD_NEED_RUNNING) {
16711 			if (!wdev_running(wdev)) {
16712 				err = -ENETDOWN;
16713 				goto out;
16714 			}
16715 		}
16716 	}
16717 
16718 	while (1) {
16719 		void *hdr = nl80211hdr_put(skb, NETLINK_CB(cb->skb).portid,
16720 					   cb->nlh->nlmsg_seq, NLM_F_MULTI,
16721 					   NL80211_CMD_VENDOR);
16722 		if (!hdr)
16723 			break;
16724 
16725 		if (nla_put_u32(skb, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
16726 		    (wdev && nla_put_u64_64bit(skb, NL80211_ATTR_WDEV,
16727 					       wdev_id(wdev),
16728 					       NL80211_ATTR_PAD))) {
16729 			genlmsg_cancel(skb, hdr);
16730 			break;
16731 		}
16732 
16733 		vendor_data = nla_nest_start_noflag(skb,
16734 						    NL80211_ATTR_VENDOR_DATA);
16735 		if (!vendor_data) {
16736 			genlmsg_cancel(skb, hdr);
16737 			break;
16738 		}
16739 
16740 		err = vcmd->dumpit(&rdev->wiphy, wdev, skb, data, data_len,
16741 				   (unsigned long *)&cb->args[5]);
16742 		nla_nest_end(skb, vendor_data);
16743 
16744 		if (err == -ENOBUFS || err == -ENOENT) {
16745 			genlmsg_cancel(skb, hdr);
16746 			break;
16747 		} else if (err <= 0) {
16748 			genlmsg_cancel(skb, hdr);
16749 			goto out;
16750 		}
16751 
16752 		genlmsg_end(skb, hdr);
16753 	}
16754 
16755 	err = skb->len;
16756  out:
16757 	rtnl_unlock();
16758 	return err;
16759 }
16760 
16761 struct sk_buff *__cfg80211_alloc_reply_skb(struct wiphy *wiphy,
16762 					   enum nl80211_commands cmd,
16763 					   enum nl80211_attrs attr,
16764 					   int approxlen)
16765 {
16766 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
16767 
16768 	if (WARN_ON(!rdev->cur_cmd_info))
16769 		return NULL;
16770 
16771 	return __cfg80211_alloc_vendor_skb(rdev, NULL, approxlen,
16772 					   rdev->cur_cmd_info->snd_portid,
16773 					   rdev->cur_cmd_info->snd_seq,
16774 					   cmd, attr, NULL, GFP_KERNEL);
16775 }
16776 EXPORT_SYMBOL(__cfg80211_alloc_reply_skb);
16777 
16778 int cfg80211_vendor_cmd_reply(struct sk_buff *skb)
16779 {
16780 	struct cfg80211_registered_device *rdev = ((void **)skb->cb)[0];
16781 	void *hdr = ((void **)skb->cb)[1];
16782 	struct nlattr *data = ((void **)skb->cb)[2];
16783 
16784 	/* clear CB data for netlink core to own from now on */
16785 	memset(skb->cb, 0, sizeof(skb->cb));
16786 
16787 	if (WARN_ON(!rdev->cur_cmd_info)) {
16788 		kfree_skb(skb);
16789 		return -EINVAL;
16790 	}
16791 
16792 	nla_nest_end(skb, data);
16793 	genlmsg_end(skb, hdr);
16794 	return genlmsg_reply(skb, rdev->cur_cmd_info);
16795 }
16796 EXPORT_SYMBOL_GPL(cfg80211_vendor_cmd_reply);
16797 
16798 unsigned int cfg80211_vendor_cmd_get_sender(struct wiphy *wiphy)
16799 {
16800 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
16801 
16802 	if (WARN_ON(!rdev->cur_cmd_info))
16803 		return 0;
16804 
16805 	return rdev->cur_cmd_info->snd_portid;
16806 }
16807 EXPORT_SYMBOL_GPL(cfg80211_vendor_cmd_get_sender);
16808 
16809 static int nl80211_set_qos_map(struct sk_buff *skb,
16810 			       struct genl_info *info)
16811 {
16812 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
16813 	struct cfg80211_qos_map *qos_map = NULL;
16814 	struct net_device *dev = info->user_ptr[1];
16815 	u8 *pos, len, num_des, des_len, des;
16816 	int ret;
16817 
16818 	if (!rdev->ops->set_qos_map)
16819 		return -EOPNOTSUPP;
16820 
16821 	if (info->attrs[NL80211_ATTR_QOS_MAP]) {
16822 		pos = nla_data(info->attrs[NL80211_ATTR_QOS_MAP]);
16823 		len = nla_len(info->attrs[NL80211_ATTR_QOS_MAP]);
16824 
16825 		if (len % 2)
16826 			return -EINVAL;
16827 
16828 		qos_map = kzalloc_obj(struct cfg80211_qos_map);
16829 		if (!qos_map)
16830 			return -ENOMEM;
16831 
16832 		num_des = (len - IEEE80211_QOS_MAP_LEN_MIN) >> 1;
16833 		if (num_des) {
16834 			des_len = num_des *
16835 				sizeof(struct cfg80211_dscp_exception);
16836 			memcpy(qos_map->dscp_exception, pos, des_len);
16837 			qos_map->num_des = num_des;
16838 			for (des = 0; des < num_des; des++) {
16839 				if (qos_map->dscp_exception[des].up > 7) {
16840 					kfree(qos_map);
16841 					return -EINVAL;
16842 				}
16843 			}
16844 			pos += des_len;
16845 		}
16846 		memcpy(qos_map->up, pos, IEEE80211_QOS_MAP_LEN_MIN);
16847 	}
16848 
16849 	ret = nl80211_key_allowed(dev->ieee80211_ptr);
16850 	if (!ret)
16851 		ret = rdev_set_qos_map(rdev, dev, qos_map);
16852 
16853 	kfree(qos_map);
16854 	return ret;
16855 }
16856 
16857 static int nl80211_add_tx_ts(struct sk_buff *skb, struct genl_info *info)
16858 {
16859 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
16860 	struct net_device *dev = info->user_ptr[1];
16861 	struct wireless_dev *wdev = dev->ieee80211_ptr;
16862 	const u8 *peer;
16863 	u8 tsid, up;
16864 	u16 admitted_time = 0;
16865 
16866 	if (!(rdev->wiphy.features & NL80211_FEATURE_SUPPORTS_WMM_ADMISSION))
16867 		return -EOPNOTSUPP;
16868 
16869 	if (!info->attrs[NL80211_ATTR_TSID] || !info->attrs[NL80211_ATTR_MAC] ||
16870 	    !info->attrs[NL80211_ATTR_USER_PRIO])
16871 		return -EINVAL;
16872 
16873 	tsid = nla_get_u8(info->attrs[NL80211_ATTR_TSID]);
16874 	up = nla_get_u8(info->attrs[NL80211_ATTR_USER_PRIO]);
16875 
16876 	/* WMM uses TIDs 0-7 even for TSPEC */
16877 	if (tsid >= IEEE80211_FIRST_TSPEC_TSID) {
16878 		/* TODO: handle 802.11 TSPEC/admission control
16879 		 * need more attributes for that (e.g. BA session requirement);
16880 		 * change the WMM admission test above to allow both then
16881 		 */
16882 		return -EINVAL;
16883 	}
16884 
16885 	peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
16886 
16887 	if (info->attrs[NL80211_ATTR_ADMITTED_TIME]) {
16888 		admitted_time =
16889 			nla_get_u16(info->attrs[NL80211_ATTR_ADMITTED_TIME]);
16890 		if (!admitted_time)
16891 			return -EINVAL;
16892 	}
16893 
16894 	switch (wdev->iftype) {
16895 	case NL80211_IFTYPE_STATION:
16896 	case NL80211_IFTYPE_P2P_CLIENT:
16897 		if (wdev->connected)
16898 			break;
16899 		return -ENOTCONN;
16900 	default:
16901 		return -EOPNOTSUPP;
16902 	}
16903 
16904 	return rdev_add_tx_ts(rdev, dev, tsid, peer, up, admitted_time);
16905 }
16906 
16907 static int nl80211_del_tx_ts(struct sk_buff *skb, struct genl_info *info)
16908 {
16909 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
16910 	struct net_device *dev = info->user_ptr[1];
16911 	const u8 *peer;
16912 	u8 tsid;
16913 
16914 	if (!info->attrs[NL80211_ATTR_TSID] || !info->attrs[NL80211_ATTR_MAC])
16915 		return -EINVAL;
16916 
16917 	tsid = nla_get_u8(info->attrs[NL80211_ATTR_TSID]);
16918 	peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
16919 
16920 	return rdev_del_tx_ts(rdev, dev, tsid, peer);
16921 }
16922 
16923 static int nl80211_tdls_channel_switch(struct sk_buff *skb,
16924 				       struct genl_info *info)
16925 {
16926 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
16927 	struct net_device *dev = info->user_ptr[1];
16928 	struct wireless_dev *wdev = dev->ieee80211_ptr;
16929 	struct cfg80211_chan_def chandef = {};
16930 	const u8 *addr;
16931 	u8 oper_class;
16932 	int err;
16933 
16934 	if (!rdev->ops->tdls_channel_switch ||
16935 	    !(rdev->wiphy.features & NL80211_FEATURE_TDLS_CHANNEL_SWITCH))
16936 		return -EOPNOTSUPP;
16937 
16938 	switch (dev->ieee80211_ptr->iftype) {
16939 	case NL80211_IFTYPE_STATION:
16940 	case NL80211_IFTYPE_P2P_CLIENT:
16941 		break;
16942 	default:
16943 		return -EOPNOTSUPP;
16944 	}
16945 
16946 	if (!info->attrs[NL80211_ATTR_MAC] ||
16947 	    !info->attrs[NL80211_ATTR_OPER_CLASS])
16948 		return -EINVAL;
16949 
16950 	err = nl80211_parse_chandef(rdev, info, &chandef);
16951 	if (err)
16952 		return err;
16953 
16954 	/*
16955 	 * Don't allow wide channels on the 2.4Ghz band, as per IEEE802.11-2012
16956 	 * section 10.22.6.2.1. Disallow 5/10Mhz channels as well for now, the
16957 	 * specification is not defined for them.
16958 	 */
16959 	if (chandef.chan->band == NL80211_BAND_2GHZ &&
16960 	    chandef.width != NL80211_CHAN_WIDTH_20_NOHT &&
16961 	    chandef.width != NL80211_CHAN_WIDTH_20)
16962 		return -EINVAL;
16963 
16964 	/* we will be active on the TDLS link */
16965 	if (!cfg80211_reg_can_beacon_relax(&rdev->wiphy, &chandef,
16966 					   wdev->iftype))
16967 		return -EINVAL;
16968 
16969 	/* don't allow switching to DFS channels */
16970 	if (cfg80211_chandef_dfs_required(wdev->wiphy, &chandef, wdev->iftype))
16971 		return -EINVAL;
16972 
16973 	addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
16974 	oper_class = nla_get_u8(info->attrs[NL80211_ATTR_OPER_CLASS]);
16975 
16976 	return rdev_tdls_channel_switch(rdev, dev, addr, oper_class, &chandef);
16977 }
16978 
16979 static int nl80211_tdls_cancel_channel_switch(struct sk_buff *skb,
16980 					      struct genl_info *info)
16981 {
16982 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
16983 	struct net_device *dev = info->user_ptr[1];
16984 	const u8 *addr;
16985 
16986 	if (!rdev->ops->tdls_channel_switch ||
16987 	    !rdev->ops->tdls_cancel_channel_switch ||
16988 	    !(rdev->wiphy.features & NL80211_FEATURE_TDLS_CHANNEL_SWITCH))
16989 		return -EOPNOTSUPP;
16990 
16991 	switch (dev->ieee80211_ptr->iftype) {
16992 	case NL80211_IFTYPE_STATION:
16993 	case NL80211_IFTYPE_P2P_CLIENT:
16994 		break;
16995 	default:
16996 		return -EOPNOTSUPP;
16997 	}
16998 
16999 	if (!info->attrs[NL80211_ATTR_MAC])
17000 		return -EINVAL;
17001 
17002 	addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
17003 
17004 	rdev_tdls_cancel_channel_switch(rdev, dev, addr);
17005 
17006 	return 0;
17007 }
17008 
17009 static int nl80211_set_multicast_to_unicast(struct sk_buff *skb,
17010 					    struct genl_info *info)
17011 {
17012 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
17013 	struct net_device *dev = info->user_ptr[1];
17014 	struct wireless_dev *wdev = dev->ieee80211_ptr;
17015 	const struct nlattr *nla;
17016 	bool enabled;
17017 
17018 	if (!rdev->ops->set_multicast_to_unicast)
17019 		return -EOPNOTSUPP;
17020 
17021 	if (wdev->iftype != NL80211_IFTYPE_AP &&
17022 	    wdev->iftype != NL80211_IFTYPE_P2P_GO)
17023 		return -EOPNOTSUPP;
17024 
17025 	nla = info->attrs[NL80211_ATTR_MULTICAST_TO_UNICAST_ENABLED];
17026 	enabled = nla_get_flag(nla);
17027 
17028 	return rdev_set_multicast_to_unicast(rdev, dev, enabled);
17029 }
17030 
17031 static int nl80211_set_pmk(struct sk_buff *skb, struct genl_info *info)
17032 {
17033 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
17034 	struct net_device *dev = info->user_ptr[1];
17035 	struct wireless_dev *wdev = dev->ieee80211_ptr;
17036 	struct cfg80211_pmk_conf pmk_conf = {};
17037 
17038 	if (wdev->iftype != NL80211_IFTYPE_STATION &&
17039 	    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT)
17040 		return -EOPNOTSUPP;
17041 
17042 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
17043 				     NL80211_EXT_FEATURE_4WAY_HANDSHAKE_STA_1X))
17044 		return -EOPNOTSUPP;
17045 
17046 	if (!info->attrs[NL80211_ATTR_MAC] || !info->attrs[NL80211_ATTR_PMK])
17047 		return -EINVAL;
17048 
17049 	if (!wdev->connected)
17050 		return -ENOTCONN;
17051 
17052 	pmk_conf.aa = nla_data(info->attrs[NL80211_ATTR_MAC]);
17053 	if (memcmp(pmk_conf.aa, wdev->u.client.connected_addr, ETH_ALEN))
17054 		return -EINVAL;
17055 
17056 	pmk_conf.pmk = nla_data(info->attrs[NL80211_ATTR_PMK]);
17057 	pmk_conf.pmk_len = nla_len(info->attrs[NL80211_ATTR_PMK]);
17058 	if (pmk_conf.pmk_len != WLAN_PMK_LEN &&
17059 	    pmk_conf.pmk_len != WLAN_PMK_LEN_SUITE_B_192)
17060 		return -EINVAL;
17061 
17062 	if (info->attrs[NL80211_ATTR_PMKR0_NAME])
17063 		pmk_conf.pmk_r0_name =
17064 			nla_data(info->attrs[NL80211_ATTR_PMKR0_NAME]);
17065 
17066 	return rdev_set_pmk(rdev, dev, &pmk_conf);
17067 }
17068 
17069 static int nl80211_del_pmk(struct sk_buff *skb, struct genl_info *info)
17070 {
17071 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
17072 	struct net_device *dev = info->user_ptr[1];
17073 	struct wireless_dev *wdev = dev->ieee80211_ptr;
17074 	const u8 *aa;
17075 
17076 	if (wdev->iftype != NL80211_IFTYPE_STATION &&
17077 	    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT)
17078 		return -EOPNOTSUPP;
17079 
17080 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
17081 				     NL80211_EXT_FEATURE_4WAY_HANDSHAKE_STA_1X))
17082 		return -EOPNOTSUPP;
17083 
17084 	if (!info->attrs[NL80211_ATTR_MAC])
17085 		return -EINVAL;
17086 
17087 	aa = nla_data(info->attrs[NL80211_ATTR_MAC]);
17088 	return rdev_del_pmk(rdev, dev, aa);
17089 }
17090 
17091 static int nl80211_external_auth(struct sk_buff *skb, struct genl_info *info)
17092 {
17093 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
17094 	struct net_device *dev = info->user_ptr[1];
17095 	struct cfg80211_external_auth_params params;
17096 
17097 	if (!rdev->ops->external_auth)
17098 		return -EOPNOTSUPP;
17099 
17100 	if (!info->attrs[NL80211_ATTR_SSID] &&
17101 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
17102 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
17103 		return -EINVAL;
17104 
17105 	if (!info->attrs[NL80211_ATTR_BSSID])
17106 		return -EINVAL;
17107 
17108 	if (!info->attrs[NL80211_ATTR_STATUS_CODE])
17109 		return -EINVAL;
17110 
17111 	memset(&params, 0, sizeof(params));
17112 
17113 	if (info->attrs[NL80211_ATTR_SSID]) {
17114 		params.ssid.ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
17115 		if (params.ssid.ssid_len == 0)
17116 			return -EINVAL;
17117 		memcpy(params.ssid.ssid,
17118 		       nla_data(info->attrs[NL80211_ATTR_SSID]),
17119 		       params.ssid.ssid_len);
17120 	}
17121 
17122 	memcpy(params.bssid, nla_data(info->attrs[NL80211_ATTR_BSSID]),
17123 	       ETH_ALEN);
17124 
17125 	params.status = nla_get_u16(info->attrs[NL80211_ATTR_STATUS_CODE]);
17126 
17127 	if (info->attrs[NL80211_ATTR_PMKID])
17128 		params.pmkid = nla_data(info->attrs[NL80211_ATTR_PMKID]);
17129 
17130 	return rdev_external_auth(rdev, dev, &params);
17131 }
17132 
17133 static int nl80211_tx_control_port(struct sk_buff *skb, struct genl_info *info)
17134 {
17135 	bool dont_wait_for_ack = info->attrs[NL80211_ATTR_DONT_WAIT_FOR_ACK];
17136 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
17137 	struct net_device *dev = info->user_ptr[1];
17138 	struct wireless_dev *wdev = dev->ieee80211_ptr;
17139 	const u8 *buf;
17140 	size_t len;
17141 	u8 *dest;
17142 	u16 proto;
17143 	bool noencrypt;
17144 	u64 cookie = 0;
17145 	int link_id;
17146 	int err;
17147 
17148 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
17149 				     NL80211_EXT_FEATURE_CONTROL_PORT_OVER_NL80211))
17150 		return -EOPNOTSUPP;
17151 
17152 	if (!rdev->ops->tx_control_port)
17153 		return -EOPNOTSUPP;
17154 
17155 	if (!info->attrs[NL80211_ATTR_FRAME] ||
17156 	    !info->attrs[NL80211_ATTR_MAC] ||
17157 	    !info->attrs[NL80211_ATTR_CONTROL_PORT_ETHERTYPE]) {
17158 		GENL_SET_ERR_MSG(info, "Frame, MAC or ethertype missing");
17159 		return -EINVAL;
17160 	}
17161 
17162 	switch (wdev->iftype) {
17163 	case NL80211_IFTYPE_AP:
17164 	case NL80211_IFTYPE_P2P_GO:
17165 	case NL80211_IFTYPE_MESH_POINT:
17166 		break;
17167 	case NL80211_IFTYPE_ADHOC:
17168 		if (wdev->u.ibss.current_bss)
17169 			break;
17170 		return -ENOTCONN;
17171 	case NL80211_IFTYPE_STATION:
17172 	case NL80211_IFTYPE_P2P_CLIENT:
17173 		if (wdev->connected)
17174 			break;
17175 		return -ENOTCONN;
17176 	default:
17177 		return -EOPNOTSUPP;
17178 	}
17179 
17180 	buf = nla_data(info->attrs[NL80211_ATTR_FRAME]);
17181 	len = nla_len(info->attrs[NL80211_ATTR_FRAME]);
17182 	dest = nla_data(info->attrs[NL80211_ATTR_MAC]);
17183 	proto = nla_get_u16(info->attrs[NL80211_ATTR_CONTROL_PORT_ETHERTYPE]);
17184 	noencrypt =
17185 		nla_get_flag(info->attrs[NL80211_ATTR_CONTROL_PORT_NO_ENCRYPT]);
17186 
17187 	link_id = nl80211_link_id_or_invalid(info->attrs);
17188 
17189 	err = rdev_tx_control_port(rdev, dev, buf, len,
17190 				   dest, cpu_to_be16(proto), noencrypt, link_id,
17191 				   dont_wait_for_ack ? NULL : &cookie);
17192 	if (!err && !dont_wait_for_ack)
17193 		nl_set_extack_cookie_u64(info->extack, cookie);
17194 	return err;
17195 }
17196 
17197 static int nl80211_get_ftm_responder_stats(struct sk_buff *skb,
17198 					   struct genl_info *info)
17199 {
17200 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
17201 	struct net_device *dev = info->user_ptr[1];
17202 	struct wireless_dev *wdev = dev->ieee80211_ptr;
17203 	struct cfg80211_ftm_responder_stats ftm_stats = {};
17204 	unsigned int link_id = nl80211_link_id(info->attrs);
17205 	struct sk_buff *msg;
17206 	void *hdr;
17207 	struct nlattr *ftm_stats_attr;
17208 	int err;
17209 
17210 	if (wdev->iftype != NL80211_IFTYPE_AP ||
17211 	    !wdev->links[link_id].ap.beacon_interval)
17212 		return -EOPNOTSUPP;
17213 
17214 	err = rdev_get_ftm_responder_stats(rdev, dev, &ftm_stats);
17215 	if (err)
17216 		return err;
17217 
17218 	if (!ftm_stats.filled)
17219 		return -ENODATA;
17220 
17221 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
17222 	if (!msg)
17223 		return -ENOMEM;
17224 
17225 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
17226 			     NL80211_CMD_GET_FTM_RESPONDER_STATS);
17227 	if (!hdr)
17228 		goto nla_put_failure;
17229 
17230 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
17231 		goto nla_put_failure;
17232 
17233 	ftm_stats_attr = nla_nest_start_noflag(msg,
17234 					       NL80211_ATTR_FTM_RESPONDER_STATS);
17235 	if (!ftm_stats_attr)
17236 		goto nla_put_failure;
17237 
17238 #define SET_FTM(field, name, type)					 \
17239 	do { if ((ftm_stats.filled & BIT(NL80211_FTM_STATS_ ## name)) && \
17240 	    nla_put_ ## type(msg, NL80211_FTM_STATS_ ## name,		 \
17241 			     ftm_stats.field))				 \
17242 		goto nla_put_failure; } while (0)
17243 #define SET_FTM_U64(field, name)					 \
17244 	do { if ((ftm_stats.filled & BIT(NL80211_FTM_STATS_ ## name)) && \
17245 	    nla_put_u64_64bit(msg, NL80211_FTM_STATS_ ## name,		 \
17246 			      ftm_stats.field, NL80211_FTM_STATS_PAD))	 \
17247 		goto nla_put_failure; } while (0)
17248 
17249 	SET_FTM(success_num, SUCCESS_NUM, u32);
17250 	SET_FTM(partial_num, PARTIAL_NUM, u32);
17251 	SET_FTM(failed_num, FAILED_NUM, u32);
17252 	SET_FTM(asap_num, ASAP_NUM, u32);
17253 	SET_FTM(non_asap_num, NON_ASAP_NUM, u32);
17254 	SET_FTM_U64(total_duration_ms, TOTAL_DURATION_MSEC);
17255 	SET_FTM(unknown_triggers_num, UNKNOWN_TRIGGERS_NUM, u32);
17256 	SET_FTM(reschedule_requests_num, RESCHEDULE_REQUESTS_NUM, u32);
17257 	SET_FTM(out_of_window_triggers_num, OUT_OF_WINDOW_TRIGGERS_NUM, u32);
17258 #undef SET_FTM
17259 
17260 	nla_nest_end(msg, ftm_stats_attr);
17261 
17262 	genlmsg_end(msg, hdr);
17263 	return genlmsg_reply(msg, info);
17264 
17265 nla_put_failure:
17266 	nlmsg_free(msg);
17267 	return -ENOBUFS;
17268 }
17269 
17270 static int nl80211_update_owe_info(struct sk_buff *skb, struct genl_info *info)
17271 {
17272 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
17273 	struct cfg80211_update_owe_info owe_info;
17274 	struct net_device *dev = info->user_ptr[1];
17275 
17276 	if (!rdev->ops->update_owe_info)
17277 		return -EOPNOTSUPP;
17278 
17279 	if (!info->attrs[NL80211_ATTR_STATUS_CODE] ||
17280 	    !info->attrs[NL80211_ATTR_MAC])
17281 		return -EINVAL;
17282 
17283 	memset(&owe_info, 0, sizeof(owe_info));
17284 	owe_info.status = nla_get_u16(info->attrs[NL80211_ATTR_STATUS_CODE]);
17285 	nla_memcpy(owe_info.peer, info->attrs[NL80211_ATTR_MAC], ETH_ALEN);
17286 
17287 	if (info->attrs[NL80211_ATTR_IE]) {
17288 		owe_info.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
17289 		owe_info.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
17290 	}
17291 
17292 	return rdev_update_owe_info(rdev, dev, &owe_info);
17293 }
17294 
17295 static int nl80211_probe_mesh_link(struct sk_buff *skb, struct genl_info *info)
17296 {
17297 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
17298 	struct net_device *dev = info->user_ptr[1];
17299 	struct wireless_dev *wdev = dev->ieee80211_ptr;
17300 	struct station_info sinfo = {};
17301 	const u8 *buf;
17302 	size_t len;
17303 	u8 *dest;
17304 	int err;
17305 
17306 	if (!rdev->ops->probe_mesh_link || !rdev->ops->get_station)
17307 		return -EOPNOTSUPP;
17308 
17309 	if (!info->attrs[NL80211_ATTR_MAC] ||
17310 	    !info->attrs[NL80211_ATTR_FRAME]) {
17311 		GENL_SET_ERR_MSG(info, "Frame or MAC missing");
17312 		return -EINVAL;
17313 	}
17314 
17315 	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT)
17316 		return -EOPNOTSUPP;
17317 
17318 	dest = nla_data(info->attrs[NL80211_ATTR_MAC]);
17319 	buf = nla_data(info->attrs[NL80211_ATTR_FRAME]);
17320 	len = nla_len(info->attrs[NL80211_ATTR_FRAME]);
17321 
17322 	if (len < sizeof(struct ethhdr))
17323 		return -EINVAL;
17324 
17325 	if (!ether_addr_equal(buf, dest) || is_multicast_ether_addr(buf) ||
17326 	    !ether_addr_equal(buf + ETH_ALEN, dev->dev_addr))
17327 		return -EINVAL;
17328 
17329 	err = rdev_get_station(rdev, dev, dest, &sinfo);
17330 	if (err)
17331 		return err;
17332 
17333 	cfg80211_sinfo_release_content(&sinfo);
17334 
17335 	return rdev_probe_mesh_link(rdev, dev, dest, buf, len);
17336 }
17337 
17338 static int parse_tid_conf(struct cfg80211_registered_device *rdev,
17339 			  struct nlattr *attrs[], struct net_device *dev,
17340 			  struct cfg80211_tid_cfg *tid_conf,
17341 			  struct genl_info *info, const u8 *peer,
17342 			  unsigned int link_id)
17343 {
17344 	struct netlink_ext_ack *extack = info->extack;
17345 	u64 mask;
17346 	int err;
17347 
17348 	if (!attrs[NL80211_TID_CONFIG_ATTR_TIDS])
17349 		return -EINVAL;
17350 
17351 	tid_conf->config_override =
17352 			nla_get_flag(attrs[NL80211_TID_CONFIG_ATTR_OVERRIDE]);
17353 	tid_conf->tids = nla_get_u16(attrs[NL80211_TID_CONFIG_ATTR_TIDS]);
17354 
17355 	if (tid_conf->config_override) {
17356 		if (rdev->ops->reset_tid_config) {
17357 			err = rdev_reset_tid_config(rdev, dev, peer,
17358 						    tid_conf->tids);
17359 			if (err)
17360 				return err;
17361 		} else {
17362 			return -EINVAL;
17363 		}
17364 	}
17365 
17366 	if (attrs[NL80211_TID_CONFIG_ATTR_NOACK]) {
17367 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_NOACK);
17368 		tid_conf->noack =
17369 			nla_get_u8(attrs[NL80211_TID_CONFIG_ATTR_NOACK]);
17370 	}
17371 
17372 	if (attrs[NL80211_TID_CONFIG_ATTR_RETRY_SHORT]) {
17373 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_RETRY_SHORT);
17374 		tid_conf->retry_short =
17375 			nla_get_u8(attrs[NL80211_TID_CONFIG_ATTR_RETRY_SHORT]);
17376 
17377 		if (tid_conf->retry_short > rdev->wiphy.max_data_retry_count)
17378 			return -EINVAL;
17379 	}
17380 
17381 	if (attrs[NL80211_TID_CONFIG_ATTR_RETRY_LONG]) {
17382 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_RETRY_LONG);
17383 		tid_conf->retry_long =
17384 			nla_get_u8(attrs[NL80211_TID_CONFIG_ATTR_RETRY_LONG]);
17385 
17386 		if (tid_conf->retry_long > rdev->wiphy.max_data_retry_count)
17387 			return -EINVAL;
17388 	}
17389 
17390 	if (attrs[NL80211_TID_CONFIG_ATTR_AMPDU_CTRL]) {
17391 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_AMPDU_CTRL);
17392 		tid_conf->ampdu =
17393 			nla_get_u8(attrs[NL80211_TID_CONFIG_ATTR_AMPDU_CTRL]);
17394 	}
17395 
17396 	if (attrs[NL80211_TID_CONFIG_ATTR_RTSCTS_CTRL]) {
17397 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_RTSCTS_CTRL);
17398 		tid_conf->rtscts =
17399 			nla_get_u8(attrs[NL80211_TID_CONFIG_ATTR_RTSCTS_CTRL]);
17400 	}
17401 
17402 	if (attrs[NL80211_TID_CONFIG_ATTR_AMSDU_CTRL]) {
17403 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_AMSDU_CTRL);
17404 		tid_conf->amsdu =
17405 			nla_get_u8(attrs[NL80211_TID_CONFIG_ATTR_AMSDU_CTRL]);
17406 	}
17407 
17408 	if (attrs[NL80211_TID_CONFIG_ATTR_TX_RATE_TYPE]) {
17409 		u32 idx = NL80211_TID_CONFIG_ATTR_TX_RATE_TYPE, attr;
17410 
17411 		tid_conf->txrate_type = nla_get_u8(attrs[idx]);
17412 
17413 		if (tid_conf->txrate_type != NL80211_TX_RATE_AUTOMATIC) {
17414 			attr = NL80211_TID_CONFIG_ATTR_TX_RATE;
17415 			err = nl80211_parse_tx_bitrate_mask(info, attrs, attr,
17416 						    &tid_conf->txrate_mask, dev,
17417 						    true, link_id);
17418 			if (err)
17419 				return err;
17420 
17421 			tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_TX_RATE);
17422 		}
17423 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_TX_RATE_TYPE);
17424 	}
17425 
17426 	if (peer)
17427 		mask = rdev->wiphy.tid_config_support.peer;
17428 	else
17429 		mask = rdev->wiphy.tid_config_support.vif;
17430 
17431 	if (tid_conf->mask & ~mask) {
17432 		NL_SET_ERR_MSG(extack, "unsupported TID configuration");
17433 		return -EOPNOTSUPP;
17434 	}
17435 
17436 	return 0;
17437 }
17438 
17439 static int nl80211_set_tid_config(struct sk_buff *skb,
17440 				  struct genl_info *info)
17441 {
17442 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
17443 	struct nlattr *attrs[NL80211_TID_CONFIG_ATTR_MAX + 1];
17444 	unsigned int link_id = nl80211_link_id(info->attrs);
17445 	struct net_device *dev = info->user_ptr[1];
17446 	struct cfg80211_tid_config *tid_config;
17447 	struct nlattr *tid;
17448 	int conf_idx = 0, rem_conf;
17449 	int ret = -EINVAL;
17450 	u32 num_conf = 0;
17451 
17452 	if (!info->attrs[NL80211_ATTR_TID_CONFIG])
17453 		return -EINVAL;
17454 
17455 	if (!rdev->ops->set_tid_config)
17456 		return -EOPNOTSUPP;
17457 
17458 	nla_for_each_nested(tid, info->attrs[NL80211_ATTR_TID_CONFIG],
17459 			    rem_conf)
17460 		num_conf++;
17461 
17462 	tid_config = kzalloc_flex(*tid_config, tid_conf, num_conf);
17463 	if (!tid_config)
17464 		return -ENOMEM;
17465 
17466 	tid_config->n_tid_conf = num_conf;
17467 
17468 	if (info->attrs[NL80211_ATTR_MAC])
17469 		tid_config->peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
17470 
17471 	nla_for_each_nested(tid, info->attrs[NL80211_ATTR_TID_CONFIG],
17472 			    rem_conf) {
17473 		ret = nla_parse_nested(attrs, NL80211_TID_CONFIG_ATTR_MAX,
17474 				       tid, NULL, NULL);
17475 
17476 		if (ret)
17477 			goto bad_tid_conf;
17478 
17479 		ret = parse_tid_conf(rdev, attrs, dev,
17480 				     &tid_config->tid_conf[conf_idx],
17481 				     info, tid_config->peer, link_id);
17482 		if (ret)
17483 			goto bad_tid_conf;
17484 
17485 		conf_idx++;
17486 	}
17487 
17488 	ret = rdev_set_tid_config(rdev, dev, tid_config);
17489 
17490 bad_tid_conf:
17491 	kfree(tid_config);
17492 	return ret;
17493 }
17494 
17495 static int nl80211_color_change(struct sk_buff *skb, struct genl_info *info)
17496 {
17497 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
17498 	struct cfg80211_color_change_settings params = {};
17499 	struct net_device *dev = info->user_ptr[1];
17500 	struct wireless_dev *wdev = dev->ieee80211_ptr;
17501 	struct nlattr **tb;
17502 	u16 offset;
17503 	int err;
17504 
17505 	if (!rdev->ops->color_change)
17506 		return -EOPNOTSUPP;
17507 
17508 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
17509 				     NL80211_EXT_FEATURE_BSS_COLOR))
17510 		return -EOPNOTSUPP;
17511 
17512 	if (wdev->iftype != NL80211_IFTYPE_AP)
17513 		return -EOPNOTSUPP;
17514 
17515 	if (!info->attrs[NL80211_ATTR_COLOR_CHANGE_COUNT] ||
17516 	    !info->attrs[NL80211_ATTR_COLOR_CHANGE_COLOR] ||
17517 	    !info->attrs[NL80211_ATTR_COLOR_CHANGE_ELEMS])
17518 		return -EINVAL;
17519 
17520 	params.count = nla_get_u8(info->attrs[NL80211_ATTR_COLOR_CHANGE_COUNT]);
17521 	params.color = nla_get_u8(info->attrs[NL80211_ATTR_COLOR_CHANGE_COLOR]);
17522 
17523 	err = nl80211_parse_beacon(rdev, info->attrs, &params.beacon_next,
17524 				   info->extack);
17525 	if (err)
17526 		return err;
17527 
17528 	tb = kzalloc_objs(*tb, NL80211_ATTR_MAX + 1);
17529 	if (!tb)
17530 		return -ENOMEM;
17531 
17532 	err = nla_parse_nested(tb, NL80211_ATTR_MAX,
17533 			       info->attrs[NL80211_ATTR_COLOR_CHANGE_ELEMS],
17534 			       nl80211_policy, info->extack);
17535 	if (err)
17536 		goto out;
17537 
17538 	err = nl80211_parse_beacon(rdev, tb, &params.beacon_color_change,
17539 				   info->extack);
17540 	if (err)
17541 		goto out;
17542 
17543 	if (!tb[NL80211_ATTR_CNTDWN_OFFS_BEACON]) {
17544 		err = -EINVAL;
17545 		goto out;
17546 	}
17547 
17548 	if (nla_len(tb[NL80211_ATTR_CNTDWN_OFFS_BEACON]) != sizeof(u16)) {
17549 		err = -EINVAL;
17550 		goto out;
17551 	}
17552 
17553 	offset = nla_get_u16(tb[NL80211_ATTR_CNTDWN_OFFS_BEACON]);
17554 	if (offset >= params.beacon_color_change.tail_len) {
17555 		err = -EINVAL;
17556 		goto out;
17557 	}
17558 
17559 	if (params.beacon_color_change.tail[offset] != params.count) {
17560 		err = -EINVAL;
17561 		goto out;
17562 	}
17563 
17564 	params.counter_offset_beacon = offset;
17565 
17566 	if (tb[NL80211_ATTR_CNTDWN_OFFS_PRESP]) {
17567 		if (nla_len(tb[NL80211_ATTR_CNTDWN_OFFS_PRESP]) !=
17568 		    sizeof(u16)) {
17569 			err = -EINVAL;
17570 			goto out;
17571 		}
17572 
17573 		offset = nla_get_u16(tb[NL80211_ATTR_CNTDWN_OFFS_PRESP]);
17574 		if (offset >= params.beacon_color_change.probe_resp_len) {
17575 			err = -EINVAL;
17576 			goto out;
17577 		}
17578 
17579 		if (params.beacon_color_change.probe_resp[offset] !=
17580 		    params.count) {
17581 			err = -EINVAL;
17582 			goto out;
17583 		}
17584 
17585 		params.counter_offset_presp = offset;
17586 	}
17587 
17588 	if (info->attrs[NL80211_ATTR_UNSOL_BCAST_PROBE_RESP]) {
17589 		err = nl80211_parse_unsol_bcast_probe_resp(
17590 			rdev, info->attrs[NL80211_ATTR_UNSOL_BCAST_PROBE_RESP],
17591 			&params.unsol_bcast_probe_resp);
17592 		if (err)
17593 			goto out;
17594 	}
17595 
17596 	params.link_id = nl80211_link_id(info->attrs);
17597 	err = rdev_color_change(rdev, dev, &params);
17598 
17599 out:
17600 	kfree(params.beacon_next.mbssid_ies);
17601 	kfree(params.beacon_color_change.mbssid_ies);
17602 	kfree(params.beacon_next.rnr_ies);
17603 	kfree(params.beacon_color_change.rnr_ies);
17604 	kfree(tb);
17605 	return err;
17606 }
17607 
17608 static int nl80211_set_fils_aad(struct sk_buff *skb,
17609 				struct genl_info *info)
17610 {
17611 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
17612 	struct net_device *dev = info->user_ptr[1];
17613 	struct cfg80211_fils_aad fils_aad = {};
17614 	u8 *nonces;
17615 
17616 	if (!info->attrs[NL80211_ATTR_MAC] ||
17617 	    !info->attrs[NL80211_ATTR_FILS_KEK] ||
17618 	    !info->attrs[NL80211_ATTR_FILS_NONCES])
17619 		return -EINVAL;
17620 
17621 	fils_aad.macaddr = nla_data(info->attrs[NL80211_ATTR_MAC]);
17622 	fils_aad.kek_len = nla_len(info->attrs[NL80211_ATTR_FILS_KEK]);
17623 	fils_aad.kek = nla_data(info->attrs[NL80211_ATTR_FILS_KEK]);
17624 	nonces = nla_data(info->attrs[NL80211_ATTR_FILS_NONCES]);
17625 	fils_aad.snonce = nonces;
17626 	fils_aad.anonce = nonces + FILS_NONCE_LEN;
17627 
17628 	return rdev_set_fils_aad(rdev, dev, &fils_aad);
17629 }
17630 
17631 static int nl80211_add_link(struct sk_buff *skb, struct genl_info *info)
17632 {
17633 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
17634 	unsigned int link_id = nl80211_link_id(info->attrs);
17635 	struct net_device *dev = info->user_ptr[1];
17636 	struct wireless_dev *wdev = dev->ieee80211_ptr;
17637 	int ret;
17638 
17639 	if (!(wdev->wiphy->flags & WIPHY_FLAG_SUPPORTS_MLO))
17640 		return -EINVAL;
17641 
17642 	switch (wdev->iftype) {
17643 	case NL80211_IFTYPE_AP:
17644 		break;
17645 	default:
17646 		return -EINVAL;
17647 	}
17648 
17649 	if (!info->attrs[NL80211_ATTR_MAC] ||
17650 	    !is_valid_ether_addr(nla_data(info->attrs[NL80211_ATTR_MAC])))
17651 		return -EINVAL;
17652 
17653 	wdev->valid_links |= BIT(link_id);
17654 	ether_addr_copy(wdev->links[link_id].addr,
17655 			nla_data(info->attrs[NL80211_ATTR_MAC]));
17656 
17657 	ret = rdev_add_intf_link(rdev, wdev, link_id);
17658 	if (ret) {
17659 		wdev->valid_links &= ~BIT(link_id);
17660 		eth_zero_addr(wdev->links[link_id].addr);
17661 	}
17662 
17663 	return ret;
17664 }
17665 
17666 static int nl80211_remove_link(struct sk_buff *skb, struct genl_info *info)
17667 {
17668 	unsigned int link_id = nl80211_link_id(info->attrs);
17669 	struct net_device *dev = info->user_ptr[1];
17670 	struct wireless_dev *wdev = dev->ieee80211_ptr;
17671 
17672 	/* cannot remove if there's no link */
17673 	if (!info->attrs[NL80211_ATTR_MLO_LINK_ID])
17674 		return -EINVAL;
17675 
17676 	switch (wdev->iftype) {
17677 	case NL80211_IFTYPE_AP:
17678 		break;
17679 	default:
17680 		return -EINVAL;
17681 	}
17682 
17683 	cfg80211_remove_link(wdev, link_id);
17684 
17685 	return 0;
17686 }
17687 
17688 static int
17689 nl80211_add_mod_link_station(struct sk_buff *skb, struct genl_info *info,
17690 			     bool add)
17691 {
17692 	struct link_station_parameters params = {};
17693 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
17694 	struct net_device *dev = info->user_ptr[1];
17695 	int err;
17696 
17697 	if ((add && !rdev->ops->add_link_station) ||
17698 	    (!add && !rdev->ops->mod_link_station))
17699 		return -EOPNOTSUPP;
17700 
17701 	if (add && !info->attrs[NL80211_ATTR_MAC])
17702 		return -EINVAL;
17703 
17704 	if (!info->attrs[NL80211_ATTR_MLD_ADDR])
17705 		return -EINVAL;
17706 
17707 	if (add && !info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES])
17708 		return -EINVAL;
17709 
17710 	params.mld_mac = nla_data(info->attrs[NL80211_ATTR_MLD_ADDR]);
17711 
17712 	if (info->attrs[NL80211_ATTR_MAC]) {
17713 		params.link_mac = nla_data(info->attrs[NL80211_ATTR_MAC]);
17714 		if (!is_valid_ether_addr(params.link_mac))
17715 			return -EINVAL;
17716 	}
17717 
17718 	if (!info->attrs[NL80211_ATTR_MLO_LINK_ID])
17719 		return -EINVAL;
17720 
17721 	params.link_id = nla_get_u8(info->attrs[NL80211_ATTR_MLO_LINK_ID]);
17722 
17723 	if (info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]) {
17724 		params.supported_rates =
17725 			nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
17726 		params.supported_rates_len =
17727 			nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
17728 	}
17729 
17730 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY])
17731 		params.ht_capa =
17732 			nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]);
17733 
17734 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY])
17735 		params.vht_capa =
17736 			nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]);
17737 
17738 	if (info->attrs[NL80211_ATTR_HE_CAPABILITY]) {
17739 		params.he_capa =
17740 			nla_data(info->attrs[NL80211_ATTR_HE_CAPABILITY]);
17741 		params.he_capa_len =
17742 			nla_len(info->attrs[NL80211_ATTR_HE_CAPABILITY]);
17743 
17744 		if (info->attrs[NL80211_ATTR_EHT_CAPABILITY]) {
17745 			params.eht_capa =
17746 				nla_data(info->attrs[NL80211_ATTR_EHT_CAPABILITY]);
17747 			params.eht_capa_len =
17748 				nla_len(info->attrs[NL80211_ATTR_EHT_CAPABILITY]);
17749 
17750 			if (!ieee80211_eht_capa_size_ok((const u8 *)params.he_capa,
17751 							(const u8 *)params.eht_capa,
17752 							params.eht_capa_len,
17753 							false))
17754 				return -EINVAL;
17755 		}
17756 	}
17757 
17758 	if (info->attrs[NL80211_ATTR_UHR_CAPABILITY]) {
17759 		if (!params.eht_capa)
17760 			return -EINVAL;
17761 
17762 		params.uhr_capa =
17763 			nla_data(info->attrs[NL80211_ATTR_UHR_CAPABILITY]);
17764 		params.uhr_capa_len =
17765 			nla_len(info->attrs[NL80211_ATTR_UHR_CAPABILITY]);
17766 	}
17767 
17768 	if (info->attrs[NL80211_ATTR_HE_6GHZ_CAPABILITY])
17769 		params.he_6ghz_capa =
17770 			nla_data(info->attrs[NL80211_ATTR_HE_6GHZ_CAPABILITY]);
17771 
17772 	if (info->attrs[NL80211_ATTR_OPMODE_NOTIF]) {
17773 		params.opmode_notif_used = true;
17774 		params.opmode_notif =
17775 			nla_get_u8(info->attrs[NL80211_ATTR_OPMODE_NOTIF]);
17776 	}
17777 
17778 	err = nl80211_parse_sta_txpower_setting(info, &params.txpwr,
17779 						&params.txpwr_set);
17780 	if (err)
17781 		return err;
17782 
17783 	if (add)
17784 		return rdev_add_link_station(rdev, dev, &params);
17785 
17786 	return rdev_mod_link_station(rdev, dev, &params);
17787 }
17788 
17789 static int
17790 nl80211_add_link_station(struct sk_buff *skb, struct genl_info *info)
17791 {
17792 	return nl80211_add_mod_link_station(skb, info, true);
17793 }
17794 
17795 static int
17796 nl80211_modify_link_station(struct sk_buff *skb, struct genl_info *info)
17797 {
17798 	return nl80211_add_mod_link_station(skb, info, false);
17799 }
17800 
17801 static int
17802 nl80211_remove_link_station(struct sk_buff *skb, struct genl_info *info)
17803 {
17804 	struct link_station_del_parameters params = {};
17805 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
17806 	struct net_device *dev = info->user_ptr[1];
17807 
17808 	if (!rdev->ops->del_link_station)
17809 		return -EOPNOTSUPP;
17810 
17811 	if (!info->attrs[NL80211_ATTR_MLD_ADDR] ||
17812 	    !info->attrs[NL80211_ATTR_MLO_LINK_ID])
17813 		return -EINVAL;
17814 
17815 	params.mld_mac = nla_data(info->attrs[NL80211_ATTR_MLD_ADDR]);
17816 	params.link_id = nla_get_u8(info->attrs[NL80211_ATTR_MLO_LINK_ID]);
17817 
17818 	return rdev_del_link_station(rdev, dev, &params);
17819 }
17820 
17821 static int nl80211_set_hw_timestamp(struct sk_buff *skb,
17822 				    struct genl_info *info)
17823 {
17824 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
17825 	struct net_device *dev = info->user_ptr[1];
17826 	struct cfg80211_set_hw_timestamp hwts = {};
17827 
17828 	if (!rdev->wiphy.hw_timestamp_max_peers)
17829 		return -EOPNOTSUPP;
17830 
17831 	if (!info->attrs[NL80211_ATTR_MAC] &&
17832 	    rdev->wiphy.hw_timestamp_max_peers != CFG80211_HW_TIMESTAMP_ALL_PEERS)
17833 		return -EOPNOTSUPP;
17834 
17835 	if (info->attrs[NL80211_ATTR_MAC])
17836 		hwts.macaddr = nla_data(info->attrs[NL80211_ATTR_MAC]);
17837 
17838 	hwts.enable =
17839 		nla_get_flag(info->attrs[NL80211_ATTR_HW_TIMESTAMP_ENABLED]);
17840 
17841 	return rdev_set_hw_timestamp(rdev, dev, &hwts);
17842 }
17843 
17844 static int
17845 nl80211_set_ttlm(struct sk_buff *skb, struct genl_info *info)
17846 {
17847 	struct cfg80211_ttlm_params params = {};
17848 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
17849 	struct net_device *dev = info->user_ptr[1];
17850 	struct wireless_dev *wdev = dev->ieee80211_ptr;
17851 
17852 	if (wdev->iftype != NL80211_IFTYPE_STATION &&
17853 	    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT)
17854 		return -EOPNOTSUPP;
17855 
17856 	if (!wdev->connected)
17857 		return -ENOLINK;
17858 
17859 	if (!info->attrs[NL80211_ATTR_MLO_TTLM_DLINK] ||
17860 	    !info->attrs[NL80211_ATTR_MLO_TTLM_ULINK])
17861 		return -EINVAL;
17862 
17863 	nla_memcpy(params.dlink,
17864 		   info->attrs[NL80211_ATTR_MLO_TTLM_DLINK],
17865 		   sizeof(params.dlink));
17866 	nla_memcpy(params.ulink,
17867 		   info->attrs[NL80211_ATTR_MLO_TTLM_ULINK],
17868 		   sizeof(params.ulink));
17869 
17870 	return rdev_set_ttlm(rdev, dev, &params);
17871 }
17872 
17873 static int nl80211_assoc_ml_reconf(struct sk_buff *skb, struct genl_info *info)
17874 {
17875 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
17876 	struct net_device *dev = info->user_ptr[1];
17877 	struct wireless_dev *wdev = dev->ieee80211_ptr;
17878 	struct cfg80211_ml_reconf_req req = {};
17879 	unsigned int link_id;
17880 	u16 add_links;
17881 	int err;
17882 
17883 	if (!wdev->valid_links)
17884 		return -EINVAL;
17885 
17886 	if (dev->ieee80211_ptr->conn_owner_nlportid &&
17887 	    dev->ieee80211_ptr->conn_owner_nlportid != info->snd_portid)
17888 		return -EPERM;
17889 
17890 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
17891 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
17892 		return -EOPNOTSUPP;
17893 
17894 	add_links = 0;
17895 	if (info->attrs[NL80211_ATTR_MLO_LINKS]) {
17896 		err = nl80211_process_links(rdev, req.add_links,
17897 					    /* mark as MLO, but not assoc */
17898 					    IEEE80211_MLD_MAX_NUM_LINKS,
17899 					    NULL, 0, info);
17900 		if (err)
17901 			return err;
17902 
17903 		for (link_id = 0; link_id < IEEE80211_MLD_MAX_NUM_LINKS;
17904 		     link_id++) {
17905 			if (!req.add_links[link_id].bss)
17906 				continue;
17907 			add_links |= BIT(link_id);
17908 		}
17909 	}
17910 
17911 	if (info->attrs[NL80211_ATTR_MLO_RECONF_REM_LINKS])
17912 		req.rem_links =
17913 			nla_get_u16(info->attrs[NL80211_ATTR_MLO_RECONF_REM_LINKS]);
17914 
17915 	/* Validate that existing links are not added, removed links are valid
17916 	 * and don't allow adding and removing the same links
17917 	 */
17918 	if ((add_links & req.rem_links) || !(add_links | req.rem_links) ||
17919 	    (wdev->valid_links & add_links) ||
17920 	    ((wdev->valid_links & req.rem_links) != req.rem_links)) {
17921 		err = -EINVAL;
17922 		goto out;
17923 	}
17924 
17925 	if (info->attrs[NL80211_ATTR_ASSOC_MLD_EXT_CAPA_OPS])
17926 		req.ext_mld_capa_ops =
17927 			nla_get_u16(info->attrs[NL80211_ATTR_ASSOC_MLD_EXT_CAPA_OPS]);
17928 
17929 	err = cfg80211_assoc_ml_reconf(rdev, dev, &req);
17930 
17931 out:
17932 	for (link_id = 0; link_id < ARRAY_SIZE(req.add_links); link_id++)
17933 		cfg80211_put_bss(&rdev->wiphy, req.add_links[link_id].bss);
17934 
17935 	return err;
17936 }
17937 
17938 static int
17939 nl80211_epcs_cfg(struct sk_buff *skb, struct genl_info *info)
17940 {
17941 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
17942 	struct net_device *dev = info->user_ptr[1];
17943 	struct wireless_dev *wdev = dev->ieee80211_ptr;
17944 	bool val;
17945 
17946 	if (wdev->iftype != NL80211_IFTYPE_STATION &&
17947 	    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT)
17948 		return -EOPNOTSUPP;
17949 
17950 	if (!wdev->connected)
17951 		return -ENOLINK;
17952 
17953 	val = nla_get_flag(info->attrs[NL80211_ATTR_EPCS]);
17954 
17955 	return rdev_set_epcs(rdev, dev, val);
17956 }
17957 
17958 #define NL80211_FLAG_NEED_WIPHY		0x01
17959 #define NL80211_FLAG_NEED_NETDEV	0x02
17960 #define NL80211_FLAG_NEED_RTNL		0x04
17961 #define NL80211_FLAG_CHECK_NETDEV_UP	0x08
17962 #define NL80211_FLAG_NEED_NETDEV_UP	(NL80211_FLAG_NEED_NETDEV |\
17963 					 NL80211_FLAG_CHECK_NETDEV_UP)
17964 #define NL80211_FLAG_NEED_WDEV		0x10
17965 /* If a netdev is associated, it must be UP, P2P must be started */
17966 #define NL80211_FLAG_NEED_WDEV_UP	(NL80211_FLAG_NEED_WDEV |\
17967 					 NL80211_FLAG_CHECK_NETDEV_UP)
17968 #define NL80211_FLAG_CLEAR_SKB		0x20
17969 #define NL80211_FLAG_NO_WIPHY_MTX	0x40
17970 #define NL80211_FLAG_MLO_VALID_LINK_ID	0x80
17971 #define NL80211_FLAG_MLO_UNSUPPORTED	0x100
17972 
17973 #define INTERNAL_FLAG_SELECTORS(__sel)			\
17974 	SELECTOR(__sel, NONE, 0) /* must be first */	\
17975 	SELECTOR(__sel, WIPHY,				\
17976 		 NL80211_FLAG_NEED_WIPHY)		\
17977 	SELECTOR(__sel, WDEV,				\
17978 		 NL80211_FLAG_NEED_WDEV)		\
17979 	SELECTOR(__sel, NETDEV,				\
17980 		 NL80211_FLAG_NEED_NETDEV)		\
17981 	SELECTOR(__sel, NETDEV_LINK,			\
17982 		 NL80211_FLAG_NEED_NETDEV |		\
17983 		 NL80211_FLAG_MLO_VALID_LINK_ID)	\
17984 	SELECTOR(__sel, NETDEV_NO_MLO,			\
17985 		 NL80211_FLAG_NEED_NETDEV |		\
17986 		 NL80211_FLAG_MLO_UNSUPPORTED)	\
17987 	SELECTOR(__sel, WIPHY_RTNL,			\
17988 		 NL80211_FLAG_NEED_WIPHY |		\
17989 		 NL80211_FLAG_NEED_RTNL)		\
17990 	SELECTOR(__sel, WIPHY_RTNL_NOMTX,		\
17991 		 NL80211_FLAG_NEED_WIPHY |		\
17992 		 NL80211_FLAG_NEED_RTNL |		\
17993 		 NL80211_FLAG_NO_WIPHY_MTX)		\
17994 	SELECTOR(__sel, WDEV_RTNL,			\
17995 		 NL80211_FLAG_NEED_WDEV |		\
17996 		 NL80211_FLAG_NEED_RTNL)		\
17997 	SELECTOR(__sel, NETDEV_RTNL,			\
17998 		 NL80211_FLAG_NEED_NETDEV |		\
17999 		 NL80211_FLAG_NEED_RTNL)		\
18000 	SELECTOR(__sel, NETDEV_UP,			\
18001 		 NL80211_FLAG_NEED_NETDEV_UP)		\
18002 	SELECTOR(__sel, NETDEV_UP_LINK,			\
18003 		 NL80211_FLAG_NEED_NETDEV_UP |		\
18004 		 NL80211_FLAG_MLO_VALID_LINK_ID)	\
18005 	SELECTOR(__sel, NETDEV_UP_NO_MLO,		\
18006 		 NL80211_FLAG_NEED_NETDEV_UP |		\
18007 		 NL80211_FLAG_MLO_UNSUPPORTED)		\
18008 	SELECTOR(__sel, NETDEV_UP_NO_MLO_CLEAR,		\
18009 		 NL80211_FLAG_NEED_NETDEV_UP |		\
18010 		 NL80211_FLAG_CLEAR_SKB |		\
18011 		 NL80211_FLAG_MLO_UNSUPPORTED)		\
18012 	SELECTOR(__sel, NETDEV_UP_NOTMX,		\
18013 		 NL80211_FLAG_NEED_NETDEV_UP |		\
18014 		 NL80211_FLAG_NO_WIPHY_MTX)		\
18015 	SELECTOR(__sel, NETDEV_UP_NOTMX_MLO,		\
18016 		 NL80211_FLAG_NEED_NETDEV_UP |		\
18017 		 NL80211_FLAG_NO_WIPHY_MTX |		\
18018 		 NL80211_FLAG_MLO_VALID_LINK_ID)	\
18019 	SELECTOR(__sel, NETDEV_UP_CLEAR,		\
18020 		 NL80211_FLAG_NEED_NETDEV_UP |		\
18021 		 NL80211_FLAG_CLEAR_SKB)		\
18022 	SELECTOR(__sel, WDEV_UP,			\
18023 		 NL80211_FLAG_NEED_WDEV_UP)		\
18024 	SELECTOR(__sel, WDEV_UP_LINK,			\
18025 		 NL80211_FLAG_NEED_WDEV_UP |		\
18026 		 NL80211_FLAG_MLO_VALID_LINK_ID)	\
18027 	SELECTOR(__sel, WDEV_UP_RTNL,			\
18028 		 NL80211_FLAG_NEED_WDEV_UP |		\
18029 		 NL80211_FLAG_NEED_RTNL)		\
18030 	SELECTOR(__sel, WIPHY_CLEAR,			\
18031 		 NL80211_FLAG_NEED_WIPHY |		\
18032 		 NL80211_FLAG_CLEAR_SKB)
18033 
18034 enum nl80211_internal_flags_selector {
18035 #define SELECTOR(_, name, value)	NL80211_IFL_SEL_##name,
18036 	INTERNAL_FLAG_SELECTORS(_)
18037 #undef SELECTOR
18038 };
18039 
18040 static u32 nl80211_internal_flags[] = {
18041 #define SELECTOR(_, name, value)	[NL80211_IFL_SEL_##name] = value,
18042 	INTERNAL_FLAG_SELECTORS(_)
18043 #undef SELECTOR
18044 };
18045 
18046 static int nl80211_pre_doit(const struct genl_split_ops *ops,
18047 			    struct sk_buff *skb,
18048 			    struct genl_info *info)
18049 {
18050 	struct cfg80211_registered_device *rdev = NULL;
18051 	struct wireless_dev *wdev = NULL;
18052 	struct net_device *dev = NULL;
18053 	u32 internal_flags;
18054 	int err;
18055 
18056 	if (WARN_ON(ops->internal_flags >= ARRAY_SIZE(nl80211_internal_flags)))
18057 		return -EINVAL;
18058 
18059 	internal_flags = nl80211_internal_flags[ops->internal_flags];
18060 
18061 	rtnl_lock();
18062 	if (internal_flags & NL80211_FLAG_NEED_WIPHY) {
18063 		rdev = cfg80211_get_dev_from_info(genl_info_net(info), info);
18064 		if (IS_ERR(rdev)) {
18065 			err = PTR_ERR(rdev);
18066 			goto out_unlock;
18067 		}
18068 		info->user_ptr[0] = rdev;
18069 	} else if (internal_flags & NL80211_FLAG_NEED_NETDEV ||
18070 		   internal_flags & NL80211_FLAG_NEED_WDEV) {
18071 		wdev = __cfg80211_wdev_from_attrs(NULL, genl_info_net(info),
18072 						  info->attrs);
18073 		if (IS_ERR(wdev)) {
18074 			err = PTR_ERR(wdev);
18075 			goto out_unlock;
18076 		}
18077 
18078 		dev = wdev->netdev;
18079 		dev_hold(dev);
18080 		rdev = wiphy_to_rdev(wdev->wiphy);
18081 
18082 		if (internal_flags & NL80211_FLAG_NEED_NETDEV) {
18083 			if (!dev) {
18084 				err = -EINVAL;
18085 				goto out_unlock;
18086 			}
18087 
18088 			info->user_ptr[1] = dev;
18089 		} else {
18090 			info->user_ptr[1] = wdev;
18091 		}
18092 
18093 		if (internal_flags & NL80211_FLAG_CHECK_NETDEV_UP &&
18094 		    !wdev_running(wdev)) {
18095 			err = -ENETDOWN;
18096 			goto out_unlock;
18097 		}
18098 
18099 		info->user_ptr[0] = rdev;
18100 	}
18101 
18102 	if (internal_flags & NL80211_FLAG_MLO_VALID_LINK_ID) {
18103 		struct nlattr *link_id = info->attrs[NL80211_ATTR_MLO_LINK_ID];
18104 
18105 		if (!wdev) {
18106 			err = -EINVAL;
18107 			goto out_unlock;
18108 		}
18109 
18110 		/* MLO -> require valid link ID */
18111 		if (wdev->valid_links &&
18112 		    (!link_id ||
18113 		     !(wdev->valid_links & BIT(nla_get_u8(link_id))))) {
18114 			err = -EINVAL;
18115 			goto out_unlock;
18116 		}
18117 
18118 		/* non-MLO -> no link ID attribute accepted */
18119 		if (!wdev->valid_links && link_id) {
18120 			err = -EINVAL;
18121 			goto out_unlock;
18122 		}
18123 	}
18124 
18125 	if (internal_flags & NL80211_FLAG_MLO_UNSUPPORTED) {
18126 		if (info->attrs[NL80211_ATTR_MLO_LINK_ID] ||
18127 		    (wdev && wdev->valid_links)) {
18128 			err = -EINVAL;
18129 			goto out_unlock;
18130 		}
18131 	}
18132 
18133 	if (rdev && !(internal_flags & NL80211_FLAG_NO_WIPHY_MTX)) {
18134 		wiphy_lock(&rdev->wiphy);
18135 		/* we keep the mutex locked until post_doit */
18136 		__release(&rdev->wiphy.mtx);
18137 	}
18138 	if (!(internal_flags & NL80211_FLAG_NEED_RTNL))
18139 		rtnl_unlock();
18140 
18141 	return 0;
18142 out_unlock:
18143 	rtnl_unlock();
18144 	dev_put(dev);
18145 	return err;
18146 }
18147 
18148 static void nl80211_post_doit(const struct genl_split_ops *ops,
18149 			      struct sk_buff *skb,
18150 			      struct genl_info *info)
18151 {
18152 	u32 internal_flags = nl80211_internal_flags[ops->internal_flags];
18153 
18154 	if (info->user_ptr[1]) {
18155 		if (internal_flags & NL80211_FLAG_NEED_WDEV) {
18156 			struct wireless_dev *wdev = info->user_ptr[1];
18157 
18158 			dev_put(wdev->netdev);
18159 		} else {
18160 			dev_put(info->user_ptr[1]);
18161 		}
18162 	}
18163 
18164 	if (info->user_ptr[0] &&
18165 	    !(internal_flags & NL80211_FLAG_NO_WIPHY_MTX)) {
18166 		struct cfg80211_registered_device *rdev = info->user_ptr[0];
18167 
18168 		/* we kept the mutex locked since pre_doit */
18169 		__acquire(&rdev->wiphy.mtx);
18170 		wiphy_unlock(&rdev->wiphy);
18171 	}
18172 
18173 	if (internal_flags & NL80211_FLAG_NEED_RTNL)
18174 		rtnl_unlock();
18175 
18176 	/* If needed, clear the netlink message payload from the SKB
18177 	 * as it might contain key data that shouldn't stick around on
18178 	 * the heap after the SKB is freed. The netlink message header
18179 	 * is still needed for further processing, so leave it intact.
18180 	 */
18181 	if (internal_flags & NL80211_FLAG_CLEAR_SKB) {
18182 		struct nlmsghdr *nlh = nlmsg_hdr(skb);
18183 
18184 		memset(nlmsg_data(nlh), 0, nlmsg_len(nlh));
18185 	}
18186 }
18187 
18188 static int nl80211_set_sar_sub_specs(struct cfg80211_registered_device *rdev,
18189 				     struct cfg80211_sar_specs *sar_specs,
18190 				     struct nlattr *spec[], int index)
18191 {
18192 	u32 range_index, i;
18193 
18194 	if (!sar_specs || !spec)
18195 		return -EINVAL;
18196 
18197 	if (!spec[NL80211_SAR_ATTR_SPECS_POWER] ||
18198 	    !spec[NL80211_SAR_ATTR_SPECS_RANGE_INDEX])
18199 		return -EINVAL;
18200 
18201 	range_index = nla_get_u32(spec[NL80211_SAR_ATTR_SPECS_RANGE_INDEX]);
18202 
18203 	/* check if range_index exceeds num_freq_ranges */
18204 	if (range_index >= rdev->wiphy.sar_capa->num_freq_ranges)
18205 		return -EINVAL;
18206 
18207 	/* check if range_index duplicates */
18208 	for (i = 0; i < index; i++) {
18209 		if (sar_specs->sub_specs[i].freq_range_index == range_index)
18210 			return -EINVAL;
18211 	}
18212 
18213 	sar_specs->sub_specs[index].power =
18214 		nla_get_s32(spec[NL80211_SAR_ATTR_SPECS_POWER]);
18215 
18216 	sar_specs->sub_specs[index].freq_range_index = range_index;
18217 
18218 	return 0;
18219 }
18220 
18221 static int nl80211_set_sar_specs(struct sk_buff *skb, struct genl_info *info)
18222 {
18223 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
18224 	struct nlattr *spec[NL80211_SAR_ATTR_SPECS_MAX + 1];
18225 	struct nlattr *tb[NL80211_SAR_ATTR_MAX + 1];
18226 	struct cfg80211_sar_specs *sar_spec;
18227 	enum nl80211_sar_type type;
18228 	struct nlattr *spec_list;
18229 	u32 specs;
18230 	int rem, err;
18231 
18232 	if (!rdev->wiphy.sar_capa || !rdev->ops->set_sar_specs)
18233 		return -EOPNOTSUPP;
18234 
18235 	if (!info->attrs[NL80211_ATTR_SAR_SPEC])
18236 		return -EINVAL;
18237 
18238 	nla_parse_nested(tb, NL80211_SAR_ATTR_MAX,
18239 			 info->attrs[NL80211_ATTR_SAR_SPEC],
18240 			 NULL, NULL);
18241 
18242 	if (!tb[NL80211_SAR_ATTR_TYPE] || !tb[NL80211_SAR_ATTR_SPECS])
18243 		return -EINVAL;
18244 
18245 	type = nla_get_u32(tb[NL80211_SAR_ATTR_TYPE]);
18246 	if (type != rdev->wiphy.sar_capa->type)
18247 		return -EINVAL;
18248 
18249 	specs = 0;
18250 	nla_for_each_nested(spec_list, tb[NL80211_SAR_ATTR_SPECS], rem)
18251 		specs++;
18252 
18253 	if (specs > rdev->wiphy.sar_capa->num_freq_ranges)
18254 		return -EINVAL;
18255 
18256 	sar_spec = kzalloc_flex(*sar_spec, sub_specs, specs);
18257 	if (!sar_spec)
18258 		return -ENOMEM;
18259 
18260 	sar_spec->num_sub_specs = specs;
18261 	sar_spec->type = type;
18262 	specs = 0;
18263 	nla_for_each_nested(spec_list, tb[NL80211_SAR_ATTR_SPECS], rem) {
18264 		nla_parse_nested(spec, NL80211_SAR_ATTR_SPECS_MAX,
18265 				 spec_list, NULL, NULL);
18266 
18267 		switch (type) {
18268 		case NL80211_SAR_TYPE_POWER:
18269 			if (nl80211_set_sar_sub_specs(rdev, sar_spec,
18270 						      spec, specs)) {
18271 				err = -EINVAL;
18272 				goto error;
18273 			}
18274 			break;
18275 		default:
18276 			err = -EINVAL;
18277 			goto error;
18278 		}
18279 		specs++;
18280 	}
18281 
18282 	sar_spec->num_sub_specs = specs;
18283 
18284 	rdev->cur_cmd_info = info;
18285 	err = rdev_set_sar_specs(rdev, sar_spec);
18286 	rdev->cur_cmd_info = NULL;
18287 error:
18288 	kfree(sar_spec);
18289 	return err;
18290 }
18291 
18292 #define SELECTOR(__sel, name, value) \
18293 	((__sel) == (value)) ? NL80211_IFL_SEL_##name :
18294 int __missing_selector(void);
18295 #define IFLAGS(__val) INTERNAL_FLAG_SELECTORS(__val) __missing_selector()
18296 
18297 static const struct genl_ops nl80211_ops[] = {
18298 	{
18299 		.cmd = NL80211_CMD_GET_WIPHY,
18300 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18301 		.doit = nl80211_get_wiphy,
18302 		.dumpit = nl80211_dump_wiphy,
18303 		.done = nl80211_dump_wiphy_done,
18304 		/* can be retrieved by unprivileged users */
18305 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY),
18306 	},
18307 };
18308 
18309 static const struct genl_small_ops nl80211_small_ops[] = {
18310 	{
18311 		.cmd = NL80211_CMD_SET_WIPHY,
18312 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18313 		.doit = nl80211_set_wiphy,
18314 		.flags = GENL_UNS_ADMIN_PERM,
18315 	},
18316 	{
18317 		.cmd = NL80211_CMD_GET_INTERFACE,
18318 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18319 		.doit = nl80211_get_interface,
18320 		.dumpit = nl80211_dump_interface,
18321 		/* can be retrieved by unprivileged users */
18322 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV),
18323 	},
18324 	{
18325 		.cmd = NL80211_CMD_SET_INTERFACE,
18326 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18327 		.doit = nl80211_set_interface,
18328 		.flags = GENL_UNS_ADMIN_PERM,
18329 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV |
18330 					 NL80211_FLAG_NEED_RTNL),
18331 	},
18332 	{
18333 		.cmd = NL80211_CMD_NEW_INTERFACE,
18334 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18335 		.doit = nl80211_new_interface,
18336 		.flags = GENL_UNS_ADMIN_PERM,
18337 		.internal_flags =
18338 			IFLAGS(NL80211_FLAG_NEED_WIPHY |
18339 			       NL80211_FLAG_NEED_RTNL |
18340 			       /* we take the wiphy mutex later ourselves */
18341 			       NL80211_FLAG_NO_WIPHY_MTX),
18342 	},
18343 	{
18344 		.cmd = NL80211_CMD_DEL_INTERFACE,
18345 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18346 		.doit = nl80211_del_interface,
18347 		.flags = GENL_UNS_ADMIN_PERM,
18348 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV |
18349 					 NL80211_FLAG_NEED_RTNL),
18350 	},
18351 	{
18352 		.cmd = NL80211_CMD_GET_KEY,
18353 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18354 		.doit = nl80211_get_key,
18355 		.flags = GENL_UNS_ADMIN_PERM,
18356 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
18357 	},
18358 	{
18359 		.cmd = NL80211_CMD_SET_KEY,
18360 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18361 		.doit = nl80211_set_key,
18362 		.flags = GENL_UNS_ADMIN_PERM,
18363 		/* cannot use NL80211_FLAG_MLO_VALID_LINK_ID, depends on key */
18364 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
18365 					 NL80211_FLAG_CLEAR_SKB),
18366 	},
18367 	{
18368 		.cmd = NL80211_CMD_NEW_KEY,
18369 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18370 		.doit = nl80211_new_key,
18371 		.flags = GENL_UNS_ADMIN_PERM,
18372 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
18373 					 NL80211_FLAG_CLEAR_SKB),
18374 	},
18375 	{
18376 		.cmd = NL80211_CMD_DEL_KEY,
18377 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18378 		.doit = nl80211_del_key,
18379 		.flags = GENL_UNS_ADMIN_PERM,
18380 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
18381 	},
18382 	{
18383 		.cmd = NL80211_CMD_SET_BEACON,
18384 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18385 		.flags = GENL_UNS_ADMIN_PERM,
18386 		.doit = nl80211_set_beacon,
18387 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
18388 					 NL80211_FLAG_MLO_VALID_LINK_ID),
18389 	},
18390 	{
18391 		.cmd = NL80211_CMD_START_AP,
18392 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18393 		.flags = GENL_UNS_ADMIN_PERM,
18394 		.doit = nl80211_start_ap,
18395 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
18396 					 NL80211_FLAG_MLO_VALID_LINK_ID),
18397 	},
18398 	{
18399 		.cmd = NL80211_CMD_STOP_AP,
18400 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18401 		.flags = GENL_UNS_ADMIN_PERM,
18402 		.doit = nl80211_stop_ap,
18403 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
18404 					 NL80211_FLAG_MLO_VALID_LINK_ID),
18405 	},
18406 	{
18407 		.cmd = NL80211_CMD_GET_STATION,
18408 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18409 		.doit = nl80211_get_station,
18410 		.dumpit = nl80211_dump_station,
18411 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV),
18412 	},
18413 	{
18414 		.cmd = NL80211_CMD_SET_STATION,
18415 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18416 		.doit = nl80211_set_station,
18417 		.flags = GENL_UNS_ADMIN_PERM,
18418 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
18419 	},
18420 	{
18421 		.cmd = NL80211_CMD_NEW_STATION,
18422 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18423 		.doit = nl80211_new_station,
18424 		.flags = GENL_UNS_ADMIN_PERM,
18425 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
18426 	},
18427 	{
18428 		.cmd = NL80211_CMD_DEL_STATION,
18429 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18430 		.doit = nl80211_del_station,
18431 		.flags = GENL_UNS_ADMIN_PERM,
18432 		/* cannot use NL80211_FLAG_MLO_VALID_LINK_ID, depends on
18433 		 * whether MAC address is passed or not. If MAC address is
18434 		 * passed, then even during MLO, link ID is not required.
18435 		 */
18436 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
18437 	},
18438 	{
18439 		.cmd = NL80211_CMD_GET_MPATH,
18440 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18441 		.doit = nl80211_get_mpath,
18442 		.dumpit = nl80211_dump_mpath,
18443 		.flags = GENL_UNS_ADMIN_PERM,
18444 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
18445 	},
18446 	{
18447 		.cmd = NL80211_CMD_GET_MPP,
18448 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18449 		.doit = nl80211_get_mpp,
18450 		.dumpit = nl80211_dump_mpp,
18451 		.flags = GENL_UNS_ADMIN_PERM,
18452 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
18453 	},
18454 	{
18455 		.cmd = NL80211_CMD_SET_MPATH,
18456 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18457 		.doit = nl80211_set_mpath,
18458 		.flags = GENL_UNS_ADMIN_PERM,
18459 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
18460 	},
18461 	{
18462 		.cmd = NL80211_CMD_NEW_MPATH,
18463 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18464 		.doit = nl80211_new_mpath,
18465 		.flags = GENL_UNS_ADMIN_PERM,
18466 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
18467 	},
18468 	{
18469 		.cmd = NL80211_CMD_DEL_MPATH,
18470 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18471 		.doit = nl80211_del_mpath,
18472 		.flags = GENL_UNS_ADMIN_PERM,
18473 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
18474 	},
18475 	{
18476 		.cmd = NL80211_CMD_SET_BSS,
18477 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18478 		.doit = nl80211_set_bss,
18479 		.flags = GENL_UNS_ADMIN_PERM,
18480 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
18481 					 NL80211_FLAG_MLO_VALID_LINK_ID),
18482 	},
18483 	{
18484 		.cmd = NL80211_CMD_GET_REG,
18485 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18486 		.doit = nl80211_get_reg_do,
18487 		.dumpit = nl80211_get_reg_dump,
18488 		/* can be retrieved by unprivileged users */
18489 	},
18490 #ifdef CONFIG_CFG80211_CRDA_SUPPORT
18491 	{
18492 		.cmd = NL80211_CMD_SET_REG,
18493 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18494 		.doit = nl80211_set_reg,
18495 		.flags = GENL_ADMIN_PERM,
18496 	},
18497 #endif
18498 	{
18499 		.cmd = NL80211_CMD_REQ_SET_REG,
18500 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18501 		.doit = nl80211_req_set_reg,
18502 		.flags = GENL_ADMIN_PERM,
18503 	},
18504 	{
18505 		.cmd = NL80211_CMD_RELOAD_REGDB,
18506 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18507 		.doit = nl80211_reload_regdb,
18508 		.flags = GENL_ADMIN_PERM,
18509 	},
18510 	{
18511 		.cmd = NL80211_CMD_GET_MESH_CONFIG,
18512 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18513 		.doit = nl80211_get_mesh_config,
18514 		/* can be retrieved by unprivileged users */
18515 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
18516 	},
18517 	{
18518 		.cmd = NL80211_CMD_SET_MESH_CONFIG,
18519 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18520 		.doit = nl80211_update_mesh_config,
18521 		.flags = GENL_UNS_ADMIN_PERM,
18522 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
18523 	},
18524 	{
18525 		.cmd = NL80211_CMD_TRIGGER_SCAN,
18526 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18527 		.doit = nl80211_trigger_scan,
18528 		.flags = GENL_UNS_ADMIN_PERM,
18529 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
18530 	},
18531 	{
18532 		.cmd = NL80211_CMD_ABORT_SCAN,
18533 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18534 		.doit = nl80211_abort_scan,
18535 		.flags = GENL_UNS_ADMIN_PERM,
18536 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
18537 	},
18538 	{
18539 		.cmd = NL80211_CMD_GET_SCAN,
18540 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18541 		.dumpit = nl80211_dump_scan,
18542 	},
18543 	{
18544 		.cmd = NL80211_CMD_START_SCHED_SCAN,
18545 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18546 		.doit = nl80211_start_sched_scan,
18547 		.flags = GENL_UNS_ADMIN_PERM,
18548 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
18549 	},
18550 	{
18551 		.cmd = NL80211_CMD_STOP_SCHED_SCAN,
18552 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18553 		.doit = nl80211_stop_sched_scan,
18554 		.flags = GENL_UNS_ADMIN_PERM,
18555 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
18556 	},
18557 	{
18558 		.cmd = NL80211_CMD_AUTHENTICATE,
18559 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18560 		.doit = nl80211_authenticate,
18561 		.flags = GENL_UNS_ADMIN_PERM,
18562 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
18563 					 NL80211_FLAG_CLEAR_SKB),
18564 	},
18565 	{
18566 		.cmd = NL80211_CMD_ASSOCIATE,
18567 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18568 		.doit = nl80211_associate,
18569 		.flags = GENL_UNS_ADMIN_PERM,
18570 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
18571 					 NL80211_FLAG_CLEAR_SKB),
18572 	},
18573 	{
18574 		.cmd = NL80211_CMD_DEAUTHENTICATE,
18575 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18576 		.doit = nl80211_deauthenticate,
18577 		.flags = GENL_UNS_ADMIN_PERM,
18578 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
18579 	},
18580 	{
18581 		.cmd = NL80211_CMD_DISASSOCIATE,
18582 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18583 		.doit = nl80211_disassociate,
18584 		.flags = GENL_UNS_ADMIN_PERM,
18585 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
18586 	},
18587 	{
18588 		.cmd = NL80211_CMD_JOIN_IBSS,
18589 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18590 		.doit = nl80211_join_ibss,
18591 		.flags = GENL_UNS_ADMIN_PERM,
18592 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
18593 	},
18594 	{
18595 		.cmd = NL80211_CMD_LEAVE_IBSS,
18596 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18597 		.doit = nl80211_leave_ibss,
18598 		.flags = GENL_UNS_ADMIN_PERM,
18599 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
18600 	},
18601 #ifdef CONFIG_NL80211_TESTMODE
18602 	{
18603 		.cmd = NL80211_CMD_TESTMODE,
18604 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18605 		.doit = nl80211_testmode_do,
18606 		.dumpit = nl80211_testmode_dump,
18607 		.flags = GENL_UNS_ADMIN_PERM,
18608 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY),
18609 	},
18610 #endif
18611 	{
18612 		.cmd = NL80211_CMD_CONNECT,
18613 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18614 		.doit = nl80211_connect,
18615 		.flags = GENL_UNS_ADMIN_PERM,
18616 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
18617 					 NL80211_FLAG_CLEAR_SKB),
18618 	},
18619 	{
18620 		.cmd = NL80211_CMD_UPDATE_CONNECT_PARAMS,
18621 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18622 		.doit = nl80211_update_connect_params,
18623 		.flags = GENL_ADMIN_PERM,
18624 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
18625 					 NL80211_FLAG_CLEAR_SKB),
18626 	},
18627 	{
18628 		.cmd = NL80211_CMD_DISCONNECT,
18629 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18630 		.doit = nl80211_disconnect,
18631 		.flags = GENL_UNS_ADMIN_PERM,
18632 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
18633 	},
18634 	{
18635 		.cmd = NL80211_CMD_SET_WIPHY_NETNS,
18636 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18637 		.doit = nl80211_wiphy_netns,
18638 		.flags = GENL_UNS_ADMIN_PERM,
18639 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY |
18640 					 NL80211_FLAG_NEED_RTNL |
18641 					 NL80211_FLAG_NO_WIPHY_MTX),
18642 	},
18643 	{
18644 		.cmd = NL80211_CMD_GET_SURVEY,
18645 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18646 		.dumpit = nl80211_dump_survey,
18647 	},
18648 	{
18649 		.cmd = NL80211_CMD_SET_PMKSA,
18650 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18651 		.doit = nl80211_set_pmksa,
18652 		.flags = GENL_UNS_ADMIN_PERM,
18653 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
18654 					 NL80211_FLAG_CLEAR_SKB),
18655 	},
18656 	{
18657 		.cmd = NL80211_CMD_DEL_PMKSA,
18658 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18659 		.doit = nl80211_del_pmksa,
18660 		.flags = GENL_UNS_ADMIN_PERM,
18661 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
18662 	},
18663 	{
18664 		.cmd = NL80211_CMD_FLUSH_PMKSA,
18665 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18666 		.doit = nl80211_flush_pmksa,
18667 		.flags = GENL_UNS_ADMIN_PERM,
18668 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
18669 	},
18670 	{
18671 		.cmd = NL80211_CMD_REMAIN_ON_CHANNEL,
18672 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18673 		.doit = nl80211_remain_on_channel,
18674 		.flags = GENL_UNS_ADMIN_PERM,
18675 		/* FIXME: requiring a link ID here is probably not good */
18676 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP |
18677 					 NL80211_FLAG_MLO_VALID_LINK_ID),
18678 	},
18679 	{
18680 		.cmd = NL80211_CMD_CANCEL_REMAIN_ON_CHANNEL,
18681 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18682 		.doit = nl80211_cancel_remain_on_channel,
18683 		.flags = GENL_UNS_ADMIN_PERM,
18684 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
18685 	},
18686 	{
18687 		.cmd = NL80211_CMD_SET_TX_BITRATE_MASK,
18688 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18689 		.doit = nl80211_set_tx_bitrate_mask,
18690 		.flags = GENL_UNS_ADMIN_PERM,
18691 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV |
18692 					 NL80211_FLAG_MLO_VALID_LINK_ID),
18693 	},
18694 	{
18695 		.cmd = NL80211_CMD_REGISTER_FRAME,
18696 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18697 		.doit = nl80211_register_mgmt,
18698 		.flags = GENL_UNS_ADMIN_PERM,
18699 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV),
18700 	},
18701 	{
18702 		.cmd = NL80211_CMD_FRAME,
18703 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18704 		.doit = nl80211_tx_mgmt,
18705 		.flags = GENL_UNS_ADMIN_PERM,
18706 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
18707 	},
18708 	{
18709 		.cmd = NL80211_CMD_FRAME_WAIT_CANCEL,
18710 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18711 		.doit = nl80211_tx_mgmt_cancel_wait,
18712 		.flags = GENL_UNS_ADMIN_PERM,
18713 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
18714 	},
18715 	{
18716 		.cmd = NL80211_CMD_SET_POWER_SAVE,
18717 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18718 		.doit = nl80211_set_power_save,
18719 		.flags = GENL_UNS_ADMIN_PERM,
18720 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV),
18721 	},
18722 	{
18723 		.cmd = NL80211_CMD_GET_POWER_SAVE,
18724 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18725 		.doit = nl80211_get_power_save,
18726 		/* can be retrieved by unprivileged users */
18727 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV),
18728 	},
18729 	{
18730 		.cmd = NL80211_CMD_SET_CQM,
18731 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18732 		.doit = nl80211_set_cqm,
18733 		.flags = GENL_UNS_ADMIN_PERM,
18734 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV),
18735 	},
18736 	{
18737 		.cmd = NL80211_CMD_SET_CHANNEL,
18738 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18739 		.doit = nl80211_set_channel,
18740 		.flags = GENL_UNS_ADMIN_PERM,
18741 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV |
18742 					 NL80211_FLAG_MLO_VALID_LINK_ID),
18743 	},
18744 	{
18745 		.cmd = NL80211_CMD_JOIN_MESH,
18746 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18747 		.doit = nl80211_join_mesh,
18748 		.flags = GENL_UNS_ADMIN_PERM,
18749 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
18750 	},
18751 	{
18752 		.cmd = NL80211_CMD_LEAVE_MESH,
18753 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18754 		.doit = nl80211_leave_mesh,
18755 		.flags = GENL_UNS_ADMIN_PERM,
18756 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
18757 	},
18758 	{
18759 		.cmd = NL80211_CMD_JOIN_OCB,
18760 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18761 		.doit = nl80211_join_ocb,
18762 		.flags = GENL_UNS_ADMIN_PERM,
18763 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
18764 	},
18765 	{
18766 		.cmd = NL80211_CMD_LEAVE_OCB,
18767 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18768 		.doit = nl80211_leave_ocb,
18769 		.flags = GENL_UNS_ADMIN_PERM,
18770 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
18771 	},
18772 #ifdef CONFIG_PM
18773 	{
18774 		.cmd = NL80211_CMD_GET_WOWLAN,
18775 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18776 		.doit = nl80211_get_wowlan,
18777 		/* can be retrieved by unprivileged users */
18778 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY),
18779 	},
18780 	{
18781 		.cmd = NL80211_CMD_SET_WOWLAN,
18782 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18783 		.doit = nl80211_set_wowlan,
18784 		.flags = GENL_UNS_ADMIN_PERM,
18785 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY),
18786 	},
18787 #endif
18788 	{
18789 		.cmd = NL80211_CMD_SET_REKEY_OFFLOAD,
18790 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18791 		.doit = nl80211_set_rekey_data,
18792 		.flags = GENL_UNS_ADMIN_PERM,
18793 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
18794 					 NL80211_FLAG_CLEAR_SKB),
18795 	},
18796 	{
18797 		.cmd = NL80211_CMD_TDLS_MGMT,
18798 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18799 		.doit = nl80211_tdls_mgmt,
18800 		.flags = GENL_UNS_ADMIN_PERM,
18801 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
18802 					 NL80211_FLAG_MLO_VALID_LINK_ID),
18803 	},
18804 	{
18805 		.cmd = NL80211_CMD_TDLS_OPER,
18806 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18807 		.doit = nl80211_tdls_oper,
18808 		.flags = GENL_UNS_ADMIN_PERM,
18809 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
18810 	},
18811 	{
18812 		.cmd = NL80211_CMD_UNEXPECTED_FRAME,
18813 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18814 		.doit = nl80211_register_unexpected_frame,
18815 		.flags = GENL_UNS_ADMIN_PERM,
18816 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV),
18817 	},
18818 	{
18819 		.cmd = NL80211_CMD_PROBE_CLIENT,
18820 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18821 		.doit = nl80211_probe_client,
18822 		.flags = GENL_UNS_ADMIN_PERM,
18823 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
18824 	},
18825 	{
18826 		.cmd = NL80211_CMD_REGISTER_BEACONS,
18827 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18828 		.doit = nl80211_register_beacons,
18829 		.flags = GENL_UNS_ADMIN_PERM,
18830 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY),
18831 	},
18832 	{
18833 		.cmd = NL80211_CMD_SET_NOACK_MAP,
18834 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18835 		.doit = nl80211_set_noack_map,
18836 		.flags = GENL_UNS_ADMIN_PERM,
18837 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV),
18838 	},
18839 	{
18840 		.cmd = NL80211_CMD_START_P2P_DEVICE,
18841 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18842 		.doit = nl80211_start_p2p_device,
18843 		.flags = GENL_UNS_ADMIN_PERM,
18844 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV |
18845 					 NL80211_FLAG_NEED_RTNL),
18846 	},
18847 	{
18848 		.cmd = NL80211_CMD_STOP_P2P_DEVICE,
18849 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18850 		.doit = nl80211_stop_p2p_device,
18851 		.flags = GENL_UNS_ADMIN_PERM,
18852 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP |
18853 					 NL80211_FLAG_NEED_RTNL),
18854 	},
18855 	{
18856 		.cmd = NL80211_CMD_START_NAN,
18857 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18858 		.doit = nl80211_start_nan,
18859 		.flags = GENL_ADMIN_PERM,
18860 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV |
18861 					 NL80211_FLAG_NEED_RTNL),
18862 	},
18863 	{
18864 		.cmd = NL80211_CMD_STOP_NAN,
18865 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18866 		.doit = nl80211_stop_nan,
18867 		.flags = GENL_ADMIN_PERM,
18868 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP |
18869 					 NL80211_FLAG_NEED_RTNL),
18870 	},
18871 	{
18872 		.cmd = NL80211_CMD_ADD_NAN_FUNCTION,
18873 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18874 		.doit = nl80211_nan_add_func,
18875 		.flags = GENL_ADMIN_PERM,
18876 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
18877 	},
18878 	{
18879 		.cmd = NL80211_CMD_DEL_NAN_FUNCTION,
18880 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18881 		.doit = nl80211_nan_del_func,
18882 		.flags = GENL_ADMIN_PERM,
18883 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
18884 	},
18885 	{
18886 		.cmd = NL80211_CMD_CHANGE_NAN_CONFIG,
18887 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18888 		.doit = nl80211_nan_change_config,
18889 		.flags = GENL_ADMIN_PERM,
18890 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
18891 	},
18892 	{
18893 		.cmd = NL80211_CMD_SET_MCAST_RATE,
18894 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18895 		.doit = nl80211_set_mcast_rate,
18896 		.flags = GENL_UNS_ADMIN_PERM,
18897 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV),
18898 	},
18899 	{
18900 		.cmd = NL80211_CMD_SET_MAC_ACL,
18901 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18902 		.doit = nl80211_set_mac_acl,
18903 		.flags = GENL_UNS_ADMIN_PERM,
18904 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV |
18905 					 NL80211_FLAG_MLO_UNSUPPORTED),
18906 	},
18907 	{
18908 		.cmd = NL80211_CMD_RADAR_DETECT,
18909 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18910 		.doit = nl80211_start_radar_detection,
18911 		.flags = GENL_UNS_ADMIN_PERM,
18912 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
18913 					 NL80211_FLAG_NO_WIPHY_MTX |
18914 					 NL80211_FLAG_MLO_VALID_LINK_ID),
18915 	},
18916 	{
18917 		.cmd = NL80211_CMD_GET_PROTOCOL_FEATURES,
18918 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18919 		.doit = nl80211_get_protocol_features,
18920 	},
18921 	{
18922 		.cmd = NL80211_CMD_UPDATE_FT_IES,
18923 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18924 		.doit = nl80211_update_ft_ies,
18925 		.flags = GENL_UNS_ADMIN_PERM,
18926 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
18927 	},
18928 	{
18929 		.cmd = NL80211_CMD_CRIT_PROTOCOL_START,
18930 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18931 		.doit = nl80211_crit_protocol_start,
18932 		.flags = GENL_UNS_ADMIN_PERM,
18933 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
18934 	},
18935 	{
18936 		.cmd = NL80211_CMD_CRIT_PROTOCOL_STOP,
18937 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18938 		.doit = nl80211_crit_protocol_stop,
18939 		.flags = GENL_UNS_ADMIN_PERM,
18940 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
18941 	},
18942 	{
18943 		.cmd = NL80211_CMD_GET_COALESCE,
18944 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18945 		.doit = nl80211_get_coalesce,
18946 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY),
18947 	},
18948 	{
18949 		.cmd = NL80211_CMD_SET_COALESCE,
18950 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18951 		.doit = nl80211_set_coalesce,
18952 		.flags = GENL_UNS_ADMIN_PERM,
18953 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY),
18954 	},
18955 	{
18956 		.cmd = NL80211_CMD_CHANNEL_SWITCH,
18957 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18958 		.doit = nl80211_channel_switch,
18959 		.flags = GENL_UNS_ADMIN_PERM,
18960 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
18961 					 NL80211_FLAG_MLO_VALID_LINK_ID),
18962 	},
18963 	{
18964 		.cmd = NL80211_CMD_VENDOR,
18965 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18966 		.doit = nl80211_vendor_cmd,
18967 		.dumpit = nl80211_vendor_cmd_dump,
18968 		.flags = GENL_UNS_ADMIN_PERM,
18969 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY |
18970 					 NL80211_FLAG_CLEAR_SKB),
18971 	},
18972 	{
18973 		.cmd = NL80211_CMD_SET_QOS_MAP,
18974 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18975 		.doit = nl80211_set_qos_map,
18976 		.flags = GENL_UNS_ADMIN_PERM,
18977 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
18978 	},
18979 	{
18980 		.cmd = NL80211_CMD_ADD_TX_TS,
18981 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18982 		.doit = nl80211_add_tx_ts,
18983 		.flags = GENL_UNS_ADMIN_PERM,
18984 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
18985 					 NL80211_FLAG_MLO_UNSUPPORTED),
18986 	},
18987 	{
18988 		.cmd = NL80211_CMD_DEL_TX_TS,
18989 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18990 		.doit = nl80211_del_tx_ts,
18991 		.flags = GENL_UNS_ADMIN_PERM,
18992 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
18993 	},
18994 	{
18995 		.cmd = NL80211_CMD_TDLS_CHANNEL_SWITCH,
18996 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18997 		.doit = nl80211_tdls_channel_switch,
18998 		.flags = GENL_UNS_ADMIN_PERM,
18999 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
19000 	},
19001 	{
19002 		.cmd = NL80211_CMD_TDLS_CANCEL_CHANNEL_SWITCH,
19003 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19004 		.doit = nl80211_tdls_cancel_channel_switch,
19005 		.flags = GENL_UNS_ADMIN_PERM,
19006 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
19007 	},
19008 	{
19009 		.cmd = NL80211_CMD_SET_MULTICAST_TO_UNICAST,
19010 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19011 		.doit = nl80211_set_multicast_to_unicast,
19012 		.flags = GENL_UNS_ADMIN_PERM,
19013 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV),
19014 	},
19015 	{
19016 		.cmd = NL80211_CMD_SET_PMK,
19017 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19018 		.doit = nl80211_set_pmk,
19019 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
19020 					 NL80211_FLAG_CLEAR_SKB),
19021 	},
19022 	{
19023 		.cmd = NL80211_CMD_DEL_PMK,
19024 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19025 		.doit = nl80211_del_pmk,
19026 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
19027 	},
19028 	{
19029 		.cmd = NL80211_CMD_EXTERNAL_AUTH,
19030 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19031 		.doit = nl80211_external_auth,
19032 		.flags = GENL_ADMIN_PERM,
19033 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
19034 	},
19035 	{
19036 		.cmd = NL80211_CMD_CONTROL_PORT_FRAME,
19037 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19038 		.doit = nl80211_tx_control_port,
19039 		.flags = GENL_UNS_ADMIN_PERM,
19040 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
19041 	},
19042 	{
19043 		.cmd = NL80211_CMD_GET_FTM_RESPONDER_STATS,
19044 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19045 		.doit = nl80211_get_ftm_responder_stats,
19046 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV |
19047 					 NL80211_FLAG_MLO_VALID_LINK_ID),
19048 	},
19049 	{
19050 		.cmd = NL80211_CMD_PEER_MEASUREMENT_START,
19051 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19052 		.doit = nl80211_pmsr_start,
19053 		.flags = GENL_UNS_ADMIN_PERM,
19054 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
19055 	},
19056 	{
19057 		.cmd = NL80211_CMD_NOTIFY_RADAR,
19058 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19059 		.doit = nl80211_notify_radar_detection,
19060 		.flags = GENL_UNS_ADMIN_PERM,
19061 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
19062 	},
19063 	{
19064 		.cmd = NL80211_CMD_UPDATE_OWE_INFO,
19065 		.doit = nl80211_update_owe_info,
19066 		.flags = GENL_ADMIN_PERM,
19067 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
19068 	},
19069 	{
19070 		.cmd = NL80211_CMD_PROBE_MESH_LINK,
19071 		.doit = nl80211_probe_mesh_link,
19072 		.flags = GENL_UNS_ADMIN_PERM,
19073 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
19074 	},
19075 	{
19076 		.cmd = NL80211_CMD_SET_TID_CONFIG,
19077 		.doit = nl80211_set_tid_config,
19078 		.flags = GENL_UNS_ADMIN_PERM,
19079 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV |
19080 					 NL80211_FLAG_MLO_VALID_LINK_ID),
19081 	},
19082 	{
19083 		.cmd = NL80211_CMD_SET_SAR_SPECS,
19084 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19085 		.doit = nl80211_set_sar_specs,
19086 		.flags = GENL_UNS_ADMIN_PERM,
19087 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY |
19088 					 NL80211_FLAG_NEED_RTNL),
19089 	},
19090 	{
19091 		.cmd = NL80211_CMD_COLOR_CHANGE_REQUEST,
19092 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19093 		.doit = nl80211_color_change,
19094 		.flags = GENL_UNS_ADMIN_PERM,
19095 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
19096 					 NL80211_FLAG_MLO_VALID_LINK_ID),
19097 	},
19098 	{
19099 		.cmd = NL80211_CMD_SET_FILS_AAD,
19100 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19101 		.doit = nl80211_set_fils_aad,
19102 		.flags = GENL_UNS_ADMIN_PERM,
19103 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
19104 	},
19105 	{
19106 		.cmd = NL80211_CMD_ADD_LINK,
19107 		.doit = nl80211_add_link,
19108 		.flags = GENL_UNS_ADMIN_PERM,
19109 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
19110 	},
19111 	{
19112 		.cmd = NL80211_CMD_REMOVE_LINK,
19113 		.doit = nl80211_remove_link,
19114 		.flags = GENL_UNS_ADMIN_PERM,
19115 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
19116 					 NL80211_FLAG_MLO_VALID_LINK_ID),
19117 	},
19118 	{
19119 		.cmd = NL80211_CMD_ADD_LINK_STA,
19120 		.doit = nl80211_add_link_station,
19121 		.flags = GENL_UNS_ADMIN_PERM,
19122 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
19123 					 NL80211_FLAG_MLO_VALID_LINK_ID),
19124 	},
19125 	{
19126 		.cmd = NL80211_CMD_MODIFY_LINK_STA,
19127 		.doit = nl80211_modify_link_station,
19128 		.flags = GENL_UNS_ADMIN_PERM,
19129 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
19130 					 NL80211_FLAG_MLO_VALID_LINK_ID),
19131 	},
19132 	{
19133 		.cmd = NL80211_CMD_REMOVE_LINK_STA,
19134 		.doit = nl80211_remove_link_station,
19135 		.flags = GENL_UNS_ADMIN_PERM,
19136 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
19137 					 NL80211_FLAG_MLO_VALID_LINK_ID),
19138 	},
19139 	{
19140 		.cmd = NL80211_CMD_SET_HW_TIMESTAMP,
19141 		.doit = nl80211_set_hw_timestamp,
19142 		.flags = GENL_UNS_ADMIN_PERM,
19143 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
19144 	},
19145 	{
19146 		.cmd = NL80211_CMD_SET_TID_TO_LINK_MAPPING,
19147 		.doit = nl80211_set_ttlm,
19148 		.flags = GENL_UNS_ADMIN_PERM,
19149 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
19150 	},
19151 	{
19152 		.cmd = NL80211_CMD_ASSOC_MLO_RECONF,
19153 		.doit = nl80211_assoc_ml_reconf,
19154 		.flags = GENL_UNS_ADMIN_PERM,
19155 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
19156 	},
19157 	{
19158 		.cmd = NL80211_CMD_EPCS_CFG,
19159 		.doit = nl80211_epcs_cfg,
19160 		.flags = GENL_UNS_ADMIN_PERM,
19161 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
19162 	},
19163 };
19164 
19165 static struct genl_family nl80211_fam __ro_after_init = {
19166 	.name = NL80211_GENL_NAME,	/* have users key off the name instead */
19167 	.hdrsize = 0,			/* no private header */
19168 	.version = 1,			/* no particular meaning now */
19169 	.maxattr = NL80211_ATTR_MAX,
19170 	.policy = nl80211_policy,
19171 	.netnsok = true,
19172 	.pre_doit = nl80211_pre_doit,
19173 	.post_doit = nl80211_post_doit,
19174 	.module = THIS_MODULE,
19175 	.ops = nl80211_ops,
19176 	.n_ops = ARRAY_SIZE(nl80211_ops),
19177 	.small_ops = nl80211_small_ops,
19178 	.n_small_ops = ARRAY_SIZE(nl80211_small_ops),
19179 	.resv_start_op = NL80211_CMD_REMOVE_LINK_STA + 1,
19180 	.mcgrps = nl80211_mcgrps,
19181 	.n_mcgrps = ARRAY_SIZE(nl80211_mcgrps),
19182 	.parallel_ops = true,
19183 };
19184 
19185 /* notification functions */
19186 
19187 void nl80211_notify_wiphy(struct cfg80211_registered_device *rdev,
19188 			  enum nl80211_commands cmd)
19189 {
19190 	struct sk_buff *msg;
19191 	struct nl80211_dump_wiphy_state state = {};
19192 
19193 	WARN_ON(cmd != NL80211_CMD_NEW_WIPHY &&
19194 		cmd != NL80211_CMD_DEL_WIPHY);
19195 
19196 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
19197 	if (!msg)
19198 		return;
19199 
19200 	if (nl80211_send_wiphy(rdev, cmd, msg, 0, 0, 0, &state) < 0) {
19201 		nlmsg_free(msg);
19202 		return;
19203 	}
19204 
19205 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
19206 				NL80211_MCGRP_CONFIG, GFP_KERNEL);
19207 }
19208 
19209 void nl80211_notify_iface(struct cfg80211_registered_device *rdev,
19210 				struct wireless_dev *wdev,
19211 				enum nl80211_commands cmd)
19212 {
19213 	struct sk_buff *msg;
19214 
19215 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
19216 	if (!msg)
19217 		return;
19218 
19219 	if (nl80211_send_iface(msg, 0, 0, 0, rdev, wdev, cmd) < 0) {
19220 		nlmsg_free(msg);
19221 		return;
19222 	}
19223 
19224 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
19225 				NL80211_MCGRP_CONFIG, GFP_KERNEL);
19226 }
19227 
19228 static int nl80211_add_scan_req(struct sk_buff *msg,
19229 				struct cfg80211_registered_device *rdev)
19230 {
19231 	struct cfg80211_scan_request_int *req = rdev->scan_req;
19232 	struct nlattr *nest;
19233 	int i;
19234 	struct cfg80211_scan_info *info;
19235 
19236 	if (WARN_ON(!req))
19237 		return 0;
19238 
19239 	nest = nla_nest_start_noflag(msg, NL80211_ATTR_SCAN_SSIDS);
19240 	if (!nest)
19241 		goto nla_put_failure;
19242 	for (i = 0; i < req->req.n_ssids; i++) {
19243 		if (nla_put(msg, i, req->req.ssids[i].ssid_len,
19244 			    req->req.ssids[i].ssid))
19245 			goto nla_put_failure;
19246 	}
19247 	nla_nest_end(msg, nest);
19248 
19249 	if (req->req.flags & NL80211_SCAN_FLAG_FREQ_KHZ) {
19250 		nest = nla_nest_start(msg, NL80211_ATTR_SCAN_FREQ_KHZ);
19251 		if (!nest)
19252 			goto nla_put_failure;
19253 		for (i = 0; i < req->req.n_channels; i++) {
19254 			if (nla_put_u32(msg, i,
19255 					ieee80211_channel_to_khz(req->req.channels[i])))
19256 				goto nla_put_failure;
19257 		}
19258 		nla_nest_end(msg, nest);
19259 	} else {
19260 		nest = nla_nest_start_noflag(msg,
19261 					     NL80211_ATTR_SCAN_FREQUENCIES);
19262 		if (!nest)
19263 			goto nla_put_failure;
19264 		for (i = 0; i < req->req.n_channels; i++) {
19265 			if (nla_put_u32(msg, i,
19266 					req->req.channels[i]->center_freq))
19267 				goto nla_put_failure;
19268 		}
19269 		nla_nest_end(msg, nest);
19270 	}
19271 
19272 	if (req->req.ie &&
19273 	    nla_put(msg, NL80211_ATTR_IE, req->req.ie_len, req->req.ie))
19274 		goto nla_put_failure;
19275 
19276 	if (req->req.flags &&
19277 	    nla_put_u32(msg, NL80211_ATTR_SCAN_FLAGS, req->req.flags))
19278 		goto nla_put_failure;
19279 
19280 	info = rdev->int_scan_req ? &rdev->int_scan_req->info :
19281 		&rdev->scan_req->info;
19282 	if (info->scan_start_tsf &&
19283 	    (nla_put_u64_64bit(msg, NL80211_ATTR_SCAN_START_TIME_TSF,
19284 			       info->scan_start_tsf, NL80211_BSS_PAD) ||
19285 	     nla_put(msg, NL80211_ATTR_SCAN_START_TIME_TSF_BSSID, ETH_ALEN,
19286 		     info->tsf_bssid)))
19287 		goto nla_put_failure;
19288 
19289 	return 0;
19290  nla_put_failure:
19291 	return -ENOBUFS;
19292 }
19293 
19294 static int nl80211_prep_scan_msg(struct sk_buff *msg,
19295 				 struct cfg80211_registered_device *rdev,
19296 				 struct wireless_dev *wdev,
19297 				 u32 portid, u32 seq, int flags,
19298 				 u32 cmd)
19299 {
19300 	void *hdr;
19301 
19302 	hdr = nl80211hdr_put(msg, portid, seq, flags, cmd);
19303 	if (!hdr)
19304 		return -1;
19305 
19306 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
19307 	    (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
19308 					 wdev->netdev->ifindex)) ||
19309 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
19310 			      NL80211_ATTR_PAD))
19311 		goto nla_put_failure;
19312 
19313 	/* ignore errors and send incomplete event anyway */
19314 	nl80211_add_scan_req(msg, rdev);
19315 
19316 	genlmsg_end(msg, hdr);
19317 	return 0;
19318 
19319  nla_put_failure:
19320 	genlmsg_cancel(msg, hdr);
19321 	return -EMSGSIZE;
19322 }
19323 
19324 static int
19325 nl80211_prep_sched_scan_msg(struct sk_buff *msg,
19326 			    struct cfg80211_sched_scan_request *req, u32 cmd)
19327 {
19328 	void *hdr;
19329 
19330 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
19331 	if (!hdr)
19332 		return -1;
19333 
19334 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY,
19335 			wiphy_to_rdev(req->wiphy)->wiphy_idx) ||
19336 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, req->dev->ifindex) ||
19337 	    nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, req->reqid,
19338 			      NL80211_ATTR_PAD))
19339 		goto nla_put_failure;
19340 
19341 	genlmsg_end(msg, hdr);
19342 	return 0;
19343 
19344  nla_put_failure:
19345 	genlmsg_cancel(msg, hdr);
19346 	return -EMSGSIZE;
19347 }
19348 
19349 void nl80211_send_scan_start(struct cfg80211_registered_device *rdev,
19350 			     struct wireless_dev *wdev)
19351 {
19352 	struct sk_buff *msg;
19353 
19354 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
19355 	if (!msg)
19356 		return;
19357 
19358 	if (nl80211_prep_scan_msg(msg, rdev, wdev, 0, 0, 0,
19359 				  NL80211_CMD_TRIGGER_SCAN) < 0) {
19360 		nlmsg_free(msg);
19361 		return;
19362 	}
19363 
19364 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
19365 				NL80211_MCGRP_SCAN, GFP_KERNEL);
19366 }
19367 
19368 struct sk_buff *nl80211_build_scan_msg(struct cfg80211_registered_device *rdev,
19369 				       struct wireless_dev *wdev, bool aborted)
19370 {
19371 	struct sk_buff *msg;
19372 
19373 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
19374 	if (!msg)
19375 		return NULL;
19376 
19377 	if (nl80211_prep_scan_msg(msg, rdev, wdev, 0, 0, 0,
19378 				  aborted ? NL80211_CMD_SCAN_ABORTED :
19379 					    NL80211_CMD_NEW_SCAN_RESULTS) < 0) {
19380 		nlmsg_free(msg);
19381 		return NULL;
19382 	}
19383 
19384 	return msg;
19385 }
19386 
19387 /* send message created by nl80211_build_scan_msg() */
19388 void nl80211_send_scan_msg(struct cfg80211_registered_device *rdev,
19389 			   struct sk_buff *msg)
19390 {
19391 	if (!msg)
19392 		return;
19393 
19394 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
19395 				NL80211_MCGRP_SCAN, GFP_KERNEL);
19396 }
19397 
19398 void nl80211_send_sched_scan(struct cfg80211_sched_scan_request *req, u32 cmd)
19399 {
19400 	struct sk_buff *msg;
19401 
19402 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
19403 	if (!msg)
19404 		return;
19405 
19406 	if (nl80211_prep_sched_scan_msg(msg, req, cmd) < 0) {
19407 		nlmsg_free(msg);
19408 		return;
19409 	}
19410 
19411 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(req->wiphy), msg, 0,
19412 				NL80211_MCGRP_SCAN, GFP_KERNEL);
19413 }
19414 
19415 static bool nl80211_reg_change_event_fill(struct sk_buff *msg,
19416 					  struct regulatory_request *request)
19417 {
19418 	/* Userspace can always count this one always being set */
19419 	if (nla_put_u8(msg, NL80211_ATTR_REG_INITIATOR, request->initiator))
19420 		goto nla_put_failure;
19421 
19422 	if (request->alpha2[0] == '0' && request->alpha2[1] == '0') {
19423 		if (nla_put_u8(msg, NL80211_ATTR_REG_TYPE,
19424 			       NL80211_REGDOM_TYPE_WORLD))
19425 			goto nla_put_failure;
19426 	} else if (request->alpha2[0] == '9' && request->alpha2[1] == '9') {
19427 		if (nla_put_u8(msg, NL80211_ATTR_REG_TYPE,
19428 			       NL80211_REGDOM_TYPE_CUSTOM_WORLD))
19429 			goto nla_put_failure;
19430 	} else if ((request->alpha2[0] == '9' && request->alpha2[1] == '8') ||
19431 		   request->intersect) {
19432 		if (nla_put_u8(msg, NL80211_ATTR_REG_TYPE,
19433 			       NL80211_REGDOM_TYPE_INTERSECTION))
19434 			goto nla_put_failure;
19435 	} else {
19436 		if (nla_put_u8(msg, NL80211_ATTR_REG_TYPE,
19437 			       NL80211_REGDOM_TYPE_COUNTRY) ||
19438 		    nla_put_string(msg, NL80211_ATTR_REG_ALPHA2,
19439 				   request->alpha2))
19440 			goto nla_put_failure;
19441 	}
19442 
19443 	if (request->wiphy_idx != WIPHY_IDX_INVALID) {
19444 		struct wiphy *wiphy = wiphy_idx_to_wiphy(request->wiphy_idx);
19445 
19446 		if (wiphy &&
19447 		    nla_put_u32(msg, NL80211_ATTR_WIPHY, request->wiphy_idx))
19448 			goto nla_put_failure;
19449 
19450 		if (wiphy &&
19451 		    wiphy->regulatory_flags & REGULATORY_WIPHY_SELF_MANAGED &&
19452 		    nla_put_flag(msg, NL80211_ATTR_WIPHY_SELF_MANAGED_REG))
19453 			goto nla_put_failure;
19454 	}
19455 
19456 	return true;
19457 
19458 nla_put_failure:
19459 	return false;
19460 }
19461 
19462 /*
19463  * This can happen on global regulatory changes or device specific settings
19464  * based on custom regulatory domains.
19465  */
19466 void nl80211_common_reg_change_event(enum nl80211_commands cmd_id,
19467 				     struct regulatory_request *request)
19468 {
19469 	struct sk_buff *msg;
19470 	void *hdr;
19471 
19472 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
19473 	if (!msg)
19474 		return;
19475 
19476 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd_id);
19477 	if (!hdr)
19478 		goto nla_put_failure;
19479 
19480 	if (!nl80211_reg_change_event_fill(msg, request))
19481 		goto nla_put_failure;
19482 
19483 	genlmsg_end(msg, hdr);
19484 
19485 	genlmsg_multicast_allns(&nl80211_fam, msg, 0,
19486 				NL80211_MCGRP_REGULATORY);
19487 
19488 	return;
19489 
19490 nla_put_failure:
19491 	nlmsg_free(msg);
19492 }
19493 
19494 struct nl80211_mlme_event {
19495 	enum nl80211_commands cmd;
19496 	const u8 *buf;
19497 	size_t buf_len;
19498 	int uapsd_queues;
19499 	const u8 *req_ies;
19500 	size_t req_ies_len;
19501 	bool reconnect;
19502 };
19503 
19504 static void nl80211_send_mlme_event(struct cfg80211_registered_device *rdev,
19505 				    struct net_device *netdev,
19506 				    const struct nl80211_mlme_event *event,
19507 				    gfp_t gfp)
19508 {
19509 	struct sk_buff *msg;
19510 	void *hdr;
19511 
19512 	msg = nlmsg_new(100 + event->buf_len + event->req_ies_len, gfp);
19513 	if (!msg)
19514 		return;
19515 
19516 	hdr = nl80211hdr_put(msg, 0, 0, 0, event->cmd);
19517 	if (!hdr) {
19518 		nlmsg_free(msg);
19519 		return;
19520 	}
19521 
19522 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
19523 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
19524 	    nla_put(msg, NL80211_ATTR_FRAME, event->buf_len, event->buf) ||
19525 	    (event->req_ies &&
19526 	     nla_put(msg, NL80211_ATTR_REQ_IE, event->req_ies_len,
19527 		     event->req_ies)))
19528 		goto nla_put_failure;
19529 
19530 	if (event->reconnect &&
19531 	    nla_put_flag(msg, NL80211_ATTR_RECONNECT_REQUESTED))
19532 		goto nla_put_failure;
19533 
19534 	if (event->uapsd_queues >= 0) {
19535 		struct nlattr *nla_wmm =
19536 			nla_nest_start_noflag(msg, NL80211_ATTR_STA_WME);
19537 		if (!nla_wmm)
19538 			goto nla_put_failure;
19539 
19540 		if (nla_put_u8(msg, NL80211_STA_WME_UAPSD_QUEUES,
19541 			       event->uapsd_queues))
19542 			goto nla_put_failure;
19543 
19544 		nla_nest_end(msg, nla_wmm);
19545 	}
19546 
19547 	genlmsg_end(msg, hdr);
19548 
19549 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
19550 				NL80211_MCGRP_MLME, gfp);
19551 	return;
19552 
19553  nla_put_failure:
19554 	nlmsg_free(msg);
19555 }
19556 
19557 void nl80211_send_rx_auth(struct cfg80211_registered_device *rdev,
19558 			  struct net_device *netdev, const u8 *buf,
19559 			  size_t len, gfp_t gfp)
19560 {
19561 	struct nl80211_mlme_event event = {
19562 		.cmd = NL80211_CMD_AUTHENTICATE,
19563 		.buf = buf,
19564 		.buf_len = len,
19565 		.uapsd_queues = -1,
19566 	};
19567 
19568 	nl80211_send_mlme_event(rdev, netdev, &event, gfp);
19569 }
19570 
19571 void nl80211_send_rx_assoc(struct cfg80211_registered_device *rdev,
19572 			   struct net_device *netdev,
19573 			   const struct cfg80211_rx_assoc_resp_data *data)
19574 {
19575 	struct nl80211_mlme_event event = {
19576 		.cmd = NL80211_CMD_ASSOCIATE,
19577 		.buf = data->buf,
19578 		.buf_len = data->len,
19579 		.uapsd_queues = data->uapsd_queues,
19580 		.req_ies = data->req_ies,
19581 		.req_ies_len = data->req_ies_len,
19582 	};
19583 
19584 	nl80211_send_mlme_event(rdev, netdev, &event, GFP_KERNEL);
19585 }
19586 
19587 void nl80211_send_deauth(struct cfg80211_registered_device *rdev,
19588 			 struct net_device *netdev, const u8 *buf,
19589 			 size_t len, bool reconnect, gfp_t gfp)
19590 {
19591 	struct nl80211_mlme_event event = {
19592 		.cmd = NL80211_CMD_DEAUTHENTICATE,
19593 		.buf = buf,
19594 		.buf_len = len,
19595 		.reconnect = reconnect,
19596 		.uapsd_queues = -1,
19597 	};
19598 
19599 	nl80211_send_mlme_event(rdev, netdev, &event, gfp);
19600 }
19601 
19602 void nl80211_send_disassoc(struct cfg80211_registered_device *rdev,
19603 			   struct net_device *netdev, const u8 *buf,
19604 			   size_t len, bool reconnect, gfp_t gfp)
19605 {
19606 	struct nl80211_mlme_event event = {
19607 		.cmd = NL80211_CMD_DISASSOCIATE,
19608 		.buf = buf,
19609 		.buf_len = len,
19610 		.reconnect = reconnect,
19611 		.uapsd_queues = -1,
19612 	};
19613 
19614 	nl80211_send_mlme_event(rdev, netdev, &event, gfp);
19615 }
19616 
19617 void cfg80211_rx_unprot_mlme_mgmt(struct net_device *dev, const u8 *buf,
19618 				  size_t len)
19619 {
19620 	struct wireless_dev *wdev = dev->ieee80211_ptr;
19621 	struct wiphy *wiphy = wdev->wiphy;
19622 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
19623 	const struct ieee80211_mgmt *mgmt = (void *)buf;
19624 	struct nl80211_mlme_event event = {
19625 		.buf = buf,
19626 		.buf_len = len,
19627 		.uapsd_queues = -1,
19628 	};
19629 
19630 	if (WARN_ON(len < 2))
19631 		return;
19632 
19633 	if (ieee80211_is_deauth(mgmt->frame_control)) {
19634 		event.cmd = NL80211_CMD_UNPROT_DEAUTHENTICATE;
19635 	} else if (ieee80211_is_disassoc(mgmt->frame_control)) {
19636 		event.cmd = NL80211_CMD_UNPROT_DISASSOCIATE;
19637 	} else if (ieee80211_is_beacon(mgmt->frame_control)) {
19638 		if (wdev->unprot_beacon_reported &&
19639 		    elapsed_jiffies_msecs(wdev->unprot_beacon_reported) < 10000)
19640 			return;
19641 		event.cmd = NL80211_CMD_UNPROT_BEACON;
19642 		wdev->unprot_beacon_reported = jiffies;
19643 	} else {
19644 		return;
19645 	}
19646 
19647 	trace_cfg80211_rx_unprot_mlme_mgmt(dev, buf, len);
19648 	nl80211_send_mlme_event(rdev, dev, &event, GFP_ATOMIC);
19649 }
19650 EXPORT_SYMBOL(cfg80211_rx_unprot_mlme_mgmt);
19651 
19652 static void nl80211_send_mlme_timeout(struct cfg80211_registered_device *rdev,
19653 				      struct net_device *netdev, int cmd,
19654 				      const u8 *addr, gfp_t gfp)
19655 {
19656 	struct sk_buff *msg;
19657 	void *hdr;
19658 
19659 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
19660 	if (!msg)
19661 		return;
19662 
19663 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
19664 	if (!hdr) {
19665 		nlmsg_free(msg);
19666 		return;
19667 	}
19668 
19669 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
19670 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
19671 	    nla_put_flag(msg, NL80211_ATTR_TIMED_OUT) ||
19672 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr))
19673 		goto nla_put_failure;
19674 
19675 	genlmsg_end(msg, hdr);
19676 
19677 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
19678 				NL80211_MCGRP_MLME, gfp);
19679 	return;
19680 
19681  nla_put_failure:
19682 	nlmsg_free(msg);
19683 }
19684 
19685 void nl80211_send_auth_timeout(struct cfg80211_registered_device *rdev,
19686 			       struct net_device *netdev, const u8 *addr,
19687 			       gfp_t gfp)
19688 {
19689 	nl80211_send_mlme_timeout(rdev, netdev, NL80211_CMD_AUTHENTICATE,
19690 				  addr, gfp);
19691 }
19692 
19693 void nl80211_send_assoc_timeout(struct cfg80211_registered_device *rdev,
19694 				struct net_device *netdev, const u8 *addr,
19695 				gfp_t gfp)
19696 {
19697 	nl80211_send_mlme_timeout(rdev, netdev, NL80211_CMD_ASSOCIATE,
19698 				  addr, gfp);
19699 }
19700 
19701 void nl80211_send_connect_result(struct cfg80211_registered_device *rdev,
19702 				 struct net_device *netdev,
19703 				 struct cfg80211_connect_resp_params *cr,
19704 				 gfp_t gfp)
19705 {
19706 	struct sk_buff *msg;
19707 	void *hdr;
19708 	unsigned int link;
19709 	size_t link_info_size = 0;
19710 	const u8 *connected_addr = cr->valid_links ?
19711 				   cr->ap_mld_addr : cr->links[0].bssid;
19712 
19713 	if (cr->valid_links) {
19714 		for_each_valid_link(cr, link) {
19715 			/* Nested attribute header */
19716 			link_info_size += NLA_HDRLEN;
19717 			/* Link ID */
19718 			link_info_size += nla_total_size(sizeof(u8));
19719 			link_info_size += cr->links[link].addr ?
19720 					  nla_total_size(ETH_ALEN) : 0;
19721 			link_info_size += (cr->links[link].bssid ||
19722 					   cr->links[link].bss) ?
19723 					  nla_total_size(ETH_ALEN) : 0;
19724 			link_info_size += nla_total_size(sizeof(u16));
19725 		}
19726 	}
19727 
19728 	msg = nlmsg_new(100 + cr->req_ie_len + cr->resp_ie_len +
19729 			cr->fils.kek_len + cr->fils.pmk_len +
19730 			(cr->fils.pmkid ? WLAN_PMKID_LEN : 0) + link_info_size,
19731 			gfp);
19732 	if (!msg)
19733 		return;
19734 
19735 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_CONNECT);
19736 	if (!hdr) {
19737 		nlmsg_free(msg);
19738 		return;
19739 	}
19740 
19741 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
19742 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
19743 	    (connected_addr &&
19744 	     nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, connected_addr)) ||
19745 	    nla_put_u16(msg, NL80211_ATTR_STATUS_CODE,
19746 			cr->status < 0 ? WLAN_STATUS_UNSPECIFIED_FAILURE :
19747 			cr->status) ||
19748 	    (cr->status < 0 &&
19749 	     (nla_put_flag(msg, NL80211_ATTR_TIMED_OUT) ||
19750 	      nla_put_u32(msg, NL80211_ATTR_TIMEOUT_REASON,
19751 			  cr->timeout_reason))) ||
19752 	    (cr->req_ie &&
19753 	     nla_put(msg, NL80211_ATTR_REQ_IE, cr->req_ie_len, cr->req_ie)) ||
19754 	    (cr->resp_ie &&
19755 	     nla_put(msg, NL80211_ATTR_RESP_IE, cr->resp_ie_len,
19756 		     cr->resp_ie)) ||
19757 	    (cr->fils.update_erp_next_seq_num &&
19758 	     nla_put_u16(msg, NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM,
19759 			 cr->fils.erp_next_seq_num)) ||
19760 	    (cr->status == WLAN_STATUS_SUCCESS &&
19761 	     ((cr->fils.kek &&
19762 	       nla_put(msg, NL80211_ATTR_FILS_KEK, cr->fils.kek_len,
19763 		       cr->fils.kek)) ||
19764 	      (cr->fils.pmk &&
19765 	       nla_put(msg, NL80211_ATTR_PMK, cr->fils.pmk_len, cr->fils.pmk)) ||
19766 	      (cr->fils.pmkid &&
19767 	       nla_put(msg, NL80211_ATTR_PMKID, WLAN_PMKID_LEN, cr->fils.pmkid)))))
19768 		goto nla_put_failure;
19769 
19770 	if (cr->valid_links) {
19771 		int i = 1;
19772 		struct nlattr *nested;
19773 
19774 		nested = nla_nest_start(msg, NL80211_ATTR_MLO_LINKS);
19775 		if (!nested)
19776 			goto nla_put_failure;
19777 
19778 		for_each_valid_link(cr, link) {
19779 			struct nlattr *nested_mlo_links;
19780 			const u8 *bssid = cr->links[link].bss ?
19781 					  cr->links[link].bss->bssid :
19782 					  cr->links[link].bssid;
19783 
19784 			nested_mlo_links = nla_nest_start(msg, i);
19785 			if (!nested_mlo_links)
19786 				goto nla_put_failure;
19787 
19788 			if (nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID, link) ||
19789 			    (bssid &&
19790 			     nla_put(msg, NL80211_ATTR_BSSID, ETH_ALEN, bssid)) ||
19791 			    (cr->links[link].addr &&
19792 			     nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN,
19793 				     cr->links[link].addr)) ||
19794 			    nla_put_u16(msg, NL80211_ATTR_STATUS_CODE,
19795 					cr->links[link].status))
19796 				goto nla_put_failure;
19797 
19798 			nla_nest_end(msg, nested_mlo_links);
19799 			i++;
19800 		}
19801 		nla_nest_end(msg, nested);
19802 	}
19803 
19804 	genlmsg_end(msg, hdr);
19805 
19806 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
19807 				NL80211_MCGRP_MLME, gfp);
19808 	return;
19809 
19810  nla_put_failure:
19811 	nlmsg_free(msg);
19812 }
19813 
19814 void nl80211_send_roamed(struct cfg80211_registered_device *rdev,
19815 			 struct net_device *netdev,
19816 			 struct cfg80211_roam_info *info, gfp_t gfp)
19817 {
19818 	struct sk_buff *msg;
19819 	void *hdr;
19820 	size_t link_info_size = 0;
19821 	unsigned int link;
19822 	const u8 *connected_addr = info->ap_mld_addr ?
19823 				   info->ap_mld_addr :
19824 				   (info->links[0].bss ?
19825 				    info->links[0].bss->bssid :
19826 				    info->links[0].bssid);
19827 
19828 	if (info->valid_links) {
19829 		for_each_valid_link(info, link) {
19830 			/* Nested attribute header */
19831 			link_info_size += NLA_HDRLEN;
19832 			/* Link ID */
19833 			link_info_size += nla_total_size(sizeof(u8));
19834 			link_info_size += info->links[link].addr ?
19835 					  nla_total_size(ETH_ALEN) : 0;
19836 			link_info_size += (info->links[link].bssid ||
19837 					   info->links[link].bss) ?
19838 					  nla_total_size(ETH_ALEN) : 0;
19839 		}
19840 	}
19841 
19842 	msg = nlmsg_new(100 + info->req_ie_len + info->resp_ie_len +
19843 			info->fils.kek_len + info->fils.pmk_len +
19844 			(info->fils.pmkid ? WLAN_PMKID_LEN : 0) +
19845 			link_info_size, gfp);
19846 	if (!msg)
19847 		return;
19848 
19849 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_ROAM);
19850 	if (!hdr) {
19851 		nlmsg_free(msg);
19852 		return;
19853 	}
19854 
19855 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
19856 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
19857 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, connected_addr) ||
19858 	    (info->req_ie &&
19859 	     nla_put(msg, NL80211_ATTR_REQ_IE, info->req_ie_len,
19860 		     info->req_ie)) ||
19861 	    (info->resp_ie &&
19862 	     nla_put(msg, NL80211_ATTR_RESP_IE, info->resp_ie_len,
19863 		     info->resp_ie)) ||
19864 	    (info->fils.update_erp_next_seq_num &&
19865 	     nla_put_u16(msg, NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM,
19866 			 info->fils.erp_next_seq_num)) ||
19867 	    (info->fils.kek &&
19868 	     nla_put(msg, NL80211_ATTR_FILS_KEK, info->fils.kek_len,
19869 		     info->fils.kek)) ||
19870 	    (info->fils.pmk &&
19871 	     nla_put(msg, NL80211_ATTR_PMK, info->fils.pmk_len, info->fils.pmk)) ||
19872 	    (info->fils.pmkid &&
19873 	     nla_put(msg, NL80211_ATTR_PMKID, WLAN_PMKID_LEN, info->fils.pmkid)))
19874 		goto nla_put_failure;
19875 
19876 	if (info->valid_links) {
19877 		int i = 1;
19878 		struct nlattr *nested;
19879 
19880 		nested = nla_nest_start(msg, NL80211_ATTR_MLO_LINKS);
19881 		if (!nested)
19882 			goto nla_put_failure;
19883 
19884 		for_each_valid_link(info, link) {
19885 			struct nlattr *nested_mlo_links;
19886 			const u8 *bssid = info->links[link].bss ?
19887 					  info->links[link].bss->bssid :
19888 					  info->links[link].bssid;
19889 
19890 			nested_mlo_links = nla_nest_start(msg, i);
19891 			if (!nested_mlo_links)
19892 				goto nla_put_failure;
19893 
19894 			if (nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID, link) ||
19895 			    (bssid &&
19896 			     nla_put(msg, NL80211_ATTR_BSSID, ETH_ALEN, bssid)) ||
19897 			    (info->links[link].addr &&
19898 			     nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN,
19899 				     info->links[link].addr)))
19900 				goto nla_put_failure;
19901 
19902 			nla_nest_end(msg, nested_mlo_links);
19903 			i++;
19904 		}
19905 		nla_nest_end(msg, nested);
19906 	}
19907 
19908 	genlmsg_end(msg, hdr);
19909 
19910 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
19911 				NL80211_MCGRP_MLME, gfp);
19912 	return;
19913 
19914  nla_put_failure:
19915 	nlmsg_free(msg);
19916 }
19917 
19918 void nl80211_send_port_authorized(struct cfg80211_registered_device *rdev,
19919 				  struct net_device *netdev, const u8 *peer_addr,
19920 				  const u8 *td_bitmap, u8 td_bitmap_len)
19921 {
19922 	struct sk_buff *msg;
19923 	void *hdr;
19924 
19925 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
19926 	if (!msg)
19927 		return;
19928 
19929 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_PORT_AUTHORIZED);
19930 	if (!hdr) {
19931 		nlmsg_free(msg);
19932 		return;
19933 	}
19934 
19935 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
19936 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
19937 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, peer_addr))
19938 		goto nla_put_failure;
19939 
19940 	if (td_bitmap_len > 0 && td_bitmap &&
19941 	    nla_put(msg, NL80211_ATTR_TD_BITMAP, td_bitmap_len, td_bitmap))
19942 		goto nla_put_failure;
19943 
19944 	genlmsg_end(msg, hdr);
19945 
19946 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
19947 				NL80211_MCGRP_MLME, GFP_KERNEL);
19948 	return;
19949 
19950  nla_put_failure:
19951 	nlmsg_free(msg);
19952 }
19953 
19954 void nl80211_send_disconnected(struct cfg80211_registered_device *rdev,
19955 			       struct net_device *netdev, u16 reason,
19956 			       const u8 *ie, size_t ie_len, bool from_ap)
19957 {
19958 	struct sk_buff *msg;
19959 	void *hdr;
19960 
19961 	msg = nlmsg_new(100 + ie_len, GFP_KERNEL);
19962 	if (!msg)
19963 		return;
19964 
19965 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_DISCONNECT);
19966 	if (!hdr) {
19967 		nlmsg_free(msg);
19968 		return;
19969 	}
19970 
19971 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
19972 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
19973 	    (reason &&
19974 	     nla_put_u16(msg, NL80211_ATTR_REASON_CODE, reason)) ||
19975 	    (from_ap &&
19976 	     nla_put_flag(msg, NL80211_ATTR_DISCONNECTED_BY_AP)) ||
19977 	    (ie && nla_put(msg, NL80211_ATTR_IE, ie_len, ie)))
19978 		goto nla_put_failure;
19979 
19980 	genlmsg_end(msg, hdr);
19981 
19982 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
19983 				NL80211_MCGRP_MLME, GFP_KERNEL);
19984 	return;
19985 
19986  nla_put_failure:
19987 	nlmsg_free(msg);
19988 }
19989 
19990 void cfg80211_links_removed(struct net_device *dev, u16 link_mask)
19991 {
19992 	struct wireless_dev *wdev = dev->ieee80211_ptr;
19993 	struct wiphy *wiphy = wdev->wiphy;
19994 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
19995 	struct sk_buff *msg;
19996 	struct nlattr *links;
19997 	void *hdr;
19998 
19999 	lockdep_assert_wiphy(wdev->wiphy);
20000 	trace_cfg80211_links_removed(dev, link_mask);
20001 
20002 	if (WARN_ON(wdev->iftype != NL80211_IFTYPE_STATION &&
20003 		    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT))
20004 		return;
20005 
20006 	if (WARN_ON(!wdev->valid_links || !link_mask ||
20007 		    (wdev->valid_links & link_mask) != link_mask ||
20008 		    wdev->valid_links == link_mask))
20009 		return;
20010 
20011 	cfg80211_wdev_release_link_bsses(wdev, link_mask);
20012 	wdev->valid_links &= ~link_mask;
20013 
20014 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
20015 	if (!msg)
20016 		return;
20017 
20018 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_LINKS_REMOVED);
20019 	if (!hdr) {
20020 		nlmsg_free(msg);
20021 		return;
20022 	}
20023 
20024 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
20025 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
20026 		goto nla_put_failure;
20027 
20028 	links = nla_nest_start(msg, NL80211_ATTR_MLO_LINKS);
20029 	if (!links)
20030 		goto nla_put_failure;
20031 
20032 	while (link_mask) {
20033 		struct nlattr *link;
20034 		int link_id = __ffs(link_mask);
20035 
20036 		link = nla_nest_start(msg, link_id + 1);
20037 		if (!link)
20038 			goto nla_put_failure;
20039 
20040 		if (nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID, link_id))
20041 			goto nla_put_failure;
20042 
20043 		nla_nest_end(msg, link);
20044 		link_mask &= ~(1 << link_id);
20045 	}
20046 
20047 	nla_nest_end(msg, links);
20048 
20049 	genlmsg_end(msg, hdr);
20050 
20051 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
20052 				NL80211_MCGRP_MLME, GFP_KERNEL);
20053 	return;
20054 
20055  nla_put_failure:
20056 	nlmsg_free(msg);
20057 }
20058 EXPORT_SYMBOL(cfg80211_links_removed);
20059 
20060 void nl80211_mlo_reconf_add_done(struct net_device *dev,
20061 				 struct cfg80211_mlo_reconf_done_data *data)
20062 {
20063 	struct wireless_dev *wdev = dev->ieee80211_ptr;
20064 	struct wiphy *wiphy = wdev->wiphy;
20065 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
20066 	struct nl80211_mlme_event event = {
20067 		.cmd = NL80211_CMD_ASSOC_MLO_RECONF,
20068 		.buf = data->buf,
20069 		.buf_len = data->len,
20070 		.uapsd_queues = -1,
20071 	};
20072 
20073 	nl80211_send_mlme_event(rdev, dev, &event, GFP_KERNEL);
20074 }
20075 EXPORT_SYMBOL(nl80211_mlo_reconf_add_done);
20076 
20077 void nl80211_send_ibss_bssid(struct cfg80211_registered_device *rdev,
20078 			     struct net_device *netdev, const u8 *bssid,
20079 			     gfp_t gfp)
20080 {
20081 	struct sk_buff *msg;
20082 	void *hdr;
20083 
20084 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
20085 	if (!msg)
20086 		return;
20087 
20088 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_JOIN_IBSS);
20089 	if (!hdr) {
20090 		nlmsg_free(msg);
20091 		return;
20092 	}
20093 
20094 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
20095 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
20096 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, bssid))
20097 		goto nla_put_failure;
20098 
20099 	genlmsg_end(msg, hdr);
20100 
20101 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
20102 				NL80211_MCGRP_MLME, gfp);
20103 	return;
20104 
20105  nla_put_failure:
20106 	nlmsg_free(msg);
20107 }
20108 
20109 void cfg80211_notify_new_peer_candidate(struct net_device *dev, const u8 *addr,
20110 					const u8 *ie, u8 ie_len,
20111 					int sig_dbm, gfp_t gfp)
20112 {
20113 	struct wireless_dev *wdev = dev->ieee80211_ptr;
20114 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
20115 	struct sk_buff *msg;
20116 	void *hdr;
20117 
20118 	if (WARN_ON(wdev->iftype != NL80211_IFTYPE_MESH_POINT))
20119 		return;
20120 
20121 	trace_cfg80211_notify_new_peer_candidate(dev, addr);
20122 
20123 	msg = nlmsg_new(100 + ie_len, gfp);
20124 	if (!msg)
20125 		return;
20126 
20127 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_NEW_PEER_CANDIDATE);
20128 	if (!hdr) {
20129 		nlmsg_free(msg);
20130 		return;
20131 	}
20132 
20133 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
20134 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
20135 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr) ||
20136 	    (ie_len && ie &&
20137 	     nla_put(msg, NL80211_ATTR_IE, ie_len, ie)) ||
20138 	    (sig_dbm &&
20139 	     nla_put_u32(msg, NL80211_ATTR_RX_SIGNAL_DBM, sig_dbm)))
20140 		goto nla_put_failure;
20141 
20142 	genlmsg_end(msg, hdr);
20143 
20144 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
20145 				NL80211_MCGRP_MLME, gfp);
20146 	return;
20147 
20148  nla_put_failure:
20149 	nlmsg_free(msg);
20150 }
20151 EXPORT_SYMBOL(cfg80211_notify_new_peer_candidate);
20152 
20153 void nl80211_michael_mic_failure(struct cfg80211_registered_device *rdev,
20154 				 struct net_device *netdev, const u8 *addr,
20155 				 enum nl80211_key_type key_type, int key_id,
20156 				 const u8 *tsc, gfp_t gfp)
20157 {
20158 	struct sk_buff *msg;
20159 	void *hdr;
20160 
20161 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
20162 	if (!msg)
20163 		return;
20164 
20165 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_MICHAEL_MIC_FAILURE);
20166 	if (!hdr) {
20167 		nlmsg_free(msg);
20168 		return;
20169 	}
20170 
20171 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
20172 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
20173 	    (addr && nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr)) ||
20174 	    nla_put_u32(msg, NL80211_ATTR_KEY_TYPE, key_type) ||
20175 	    (key_id != -1 &&
20176 	     nla_put_u8(msg, NL80211_ATTR_KEY_IDX, key_id)) ||
20177 	    (tsc && nla_put(msg, NL80211_ATTR_KEY_SEQ, 6, tsc)))
20178 		goto nla_put_failure;
20179 
20180 	genlmsg_end(msg, hdr);
20181 
20182 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
20183 				NL80211_MCGRP_MLME, gfp);
20184 	return;
20185 
20186  nla_put_failure:
20187 	nlmsg_free(msg);
20188 }
20189 
20190 void nl80211_send_beacon_hint_event(struct wiphy *wiphy,
20191 				    struct ieee80211_channel *channel_before,
20192 				    struct ieee80211_channel *channel_after)
20193 {
20194 	struct sk_buff *msg;
20195 	void *hdr;
20196 	struct nlattr *nl_freq;
20197 
20198 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_ATOMIC);
20199 	if (!msg)
20200 		return;
20201 
20202 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_REG_BEACON_HINT);
20203 	if (!hdr) {
20204 		nlmsg_free(msg);
20205 		return;
20206 	}
20207 
20208 	/*
20209 	 * Since we are applying the beacon hint to a wiphy we know its
20210 	 * wiphy_idx is valid
20211 	 */
20212 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, get_wiphy_idx(wiphy)))
20213 		goto nla_put_failure;
20214 
20215 	/* Before */
20216 	nl_freq = nla_nest_start_noflag(msg, NL80211_ATTR_FREQ_BEFORE);
20217 	if (!nl_freq)
20218 		goto nla_put_failure;
20219 
20220 	if (nl80211_msg_put_channel(msg, wiphy, channel_before, false))
20221 		goto nla_put_failure;
20222 	nla_nest_end(msg, nl_freq);
20223 
20224 	/* After */
20225 	nl_freq = nla_nest_start_noflag(msg, NL80211_ATTR_FREQ_AFTER);
20226 	if (!nl_freq)
20227 		goto nla_put_failure;
20228 
20229 	if (nl80211_msg_put_channel(msg, wiphy, channel_after, false))
20230 		goto nla_put_failure;
20231 	nla_nest_end(msg, nl_freq);
20232 
20233 	genlmsg_end(msg, hdr);
20234 
20235 	genlmsg_multicast_allns(&nl80211_fam, msg, 0,
20236 				NL80211_MCGRP_REGULATORY);
20237 
20238 	return;
20239 
20240 nla_put_failure:
20241 	nlmsg_free(msg);
20242 }
20243 
20244 static void nl80211_send_remain_on_chan_event(
20245 	int cmd, struct cfg80211_registered_device *rdev,
20246 	struct wireless_dev *wdev, u64 cookie,
20247 	struct ieee80211_channel *chan,
20248 	unsigned int duration, gfp_t gfp)
20249 {
20250 	struct sk_buff *msg;
20251 	void *hdr;
20252 
20253 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
20254 	if (!msg)
20255 		return;
20256 
20257 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
20258 	if (!hdr) {
20259 		nlmsg_free(msg);
20260 		return;
20261 	}
20262 
20263 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
20264 	    (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
20265 					 wdev->netdev->ifindex)) ||
20266 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
20267 			      NL80211_ATTR_PAD) ||
20268 	    nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ, chan->center_freq) ||
20269 	    nla_put_u32(msg, NL80211_ATTR_WIPHY_CHANNEL_TYPE,
20270 			NL80211_CHAN_NO_HT) ||
20271 	    nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
20272 			      NL80211_ATTR_PAD))
20273 		goto nla_put_failure;
20274 
20275 	if (cmd == NL80211_CMD_REMAIN_ON_CHANNEL &&
20276 	    nla_put_u32(msg, NL80211_ATTR_DURATION, duration))
20277 		goto nla_put_failure;
20278 
20279 	genlmsg_end(msg, hdr);
20280 
20281 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
20282 				NL80211_MCGRP_MLME, gfp);
20283 	return;
20284 
20285  nla_put_failure:
20286 	nlmsg_free(msg);
20287 }
20288 
20289 void cfg80211_assoc_comeback(struct net_device *netdev,
20290 			     const u8 *ap_addr, u32 timeout)
20291 {
20292 	struct wireless_dev *wdev = netdev->ieee80211_ptr;
20293 	struct wiphy *wiphy = wdev->wiphy;
20294 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
20295 	struct sk_buff *msg;
20296 	void *hdr;
20297 
20298 	trace_cfg80211_assoc_comeback(wdev, ap_addr, timeout);
20299 
20300 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
20301 	if (!msg)
20302 		return;
20303 
20304 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_ASSOC_COMEBACK);
20305 	if (!hdr) {
20306 		nlmsg_free(msg);
20307 		return;
20308 	}
20309 
20310 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
20311 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
20312 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, ap_addr) ||
20313 	    nla_put_u32(msg, NL80211_ATTR_TIMEOUT, timeout))
20314 		goto nla_put_failure;
20315 
20316 	genlmsg_end(msg, hdr);
20317 
20318 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
20319 				NL80211_MCGRP_MLME, GFP_KERNEL);
20320 	return;
20321 
20322  nla_put_failure:
20323 	nlmsg_free(msg);
20324 }
20325 EXPORT_SYMBOL(cfg80211_assoc_comeback);
20326 
20327 void cfg80211_ready_on_channel(struct wireless_dev *wdev, u64 cookie,
20328 			       struct ieee80211_channel *chan,
20329 			       unsigned int duration, gfp_t gfp)
20330 {
20331 	struct wiphy *wiphy = wdev->wiphy;
20332 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
20333 
20334 	trace_cfg80211_ready_on_channel(wdev, cookie, chan, duration);
20335 	nl80211_send_remain_on_chan_event(NL80211_CMD_REMAIN_ON_CHANNEL,
20336 					  rdev, wdev, cookie, chan,
20337 					  duration, gfp);
20338 }
20339 EXPORT_SYMBOL(cfg80211_ready_on_channel);
20340 
20341 void cfg80211_remain_on_channel_expired(struct wireless_dev *wdev, u64 cookie,
20342 					struct ieee80211_channel *chan,
20343 					gfp_t gfp)
20344 {
20345 	struct wiphy *wiphy = wdev->wiphy;
20346 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
20347 
20348 	trace_cfg80211_ready_on_channel_expired(wdev, cookie, chan);
20349 	nl80211_send_remain_on_chan_event(NL80211_CMD_CANCEL_REMAIN_ON_CHANNEL,
20350 					  rdev, wdev, cookie, chan, 0, gfp);
20351 }
20352 EXPORT_SYMBOL(cfg80211_remain_on_channel_expired);
20353 
20354 void cfg80211_tx_mgmt_expired(struct wireless_dev *wdev, u64 cookie,
20355 					struct ieee80211_channel *chan,
20356 					gfp_t gfp)
20357 {
20358 	struct wiphy *wiphy = wdev->wiphy;
20359 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
20360 
20361 	trace_cfg80211_tx_mgmt_expired(wdev, cookie, chan);
20362 	nl80211_send_remain_on_chan_event(NL80211_CMD_FRAME_WAIT_CANCEL,
20363 					  rdev, wdev, cookie, chan, 0, gfp);
20364 }
20365 EXPORT_SYMBOL(cfg80211_tx_mgmt_expired);
20366 
20367 void cfg80211_new_sta(struct net_device *dev, const u8 *mac_addr,
20368 		      struct station_info *sinfo, gfp_t gfp)
20369 {
20370 	struct wiphy *wiphy = dev->ieee80211_ptr->wiphy;
20371 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
20372 	struct sk_buff *msg;
20373 
20374 	trace_cfg80211_new_sta(dev, mac_addr, sinfo);
20375 
20376 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
20377 	if (!msg)
20378 		return;
20379 
20380 	if (nl80211_send_station(msg, NL80211_CMD_NEW_STATION, 0, 0, 0,
20381 				 rdev, dev, mac_addr, sinfo, false) < 0) {
20382 		nlmsg_free(msg);
20383 		return;
20384 	}
20385 
20386 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
20387 				NL80211_MCGRP_MLME, gfp);
20388 }
20389 EXPORT_SYMBOL(cfg80211_new_sta);
20390 
20391 void cfg80211_del_sta_sinfo(struct net_device *dev, const u8 *mac_addr,
20392 			    struct station_info *sinfo, gfp_t gfp)
20393 {
20394 	struct wiphy *wiphy = dev->ieee80211_ptr->wiphy;
20395 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
20396 	struct sk_buff *msg;
20397 	struct station_info empty_sinfo = {};
20398 
20399 	if (!sinfo)
20400 		sinfo = &empty_sinfo;
20401 
20402 	trace_cfg80211_del_sta(dev, mac_addr);
20403 
20404 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
20405 	if (!msg) {
20406 		cfg80211_sinfo_release_content(sinfo);
20407 		return;
20408 	}
20409 
20410 	if (nl80211_send_station(msg, NL80211_CMD_DEL_STATION, 0, 0, 0,
20411 				 rdev, dev, mac_addr, sinfo, false) < 0) {
20412 		nlmsg_free(msg);
20413 		return;
20414 	}
20415 
20416 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
20417 				NL80211_MCGRP_MLME, gfp);
20418 }
20419 EXPORT_SYMBOL(cfg80211_del_sta_sinfo);
20420 
20421 void cfg80211_conn_failed(struct net_device *dev, const u8 *mac_addr,
20422 			  enum nl80211_connect_failed_reason reason,
20423 			  gfp_t gfp)
20424 {
20425 	struct wiphy *wiphy = dev->ieee80211_ptr->wiphy;
20426 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
20427 	struct sk_buff *msg;
20428 	void *hdr;
20429 
20430 	msg = nlmsg_new(NLMSG_GOODSIZE, gfp);
20431 	if (!msg)
20432 		return;
20433 
20434 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_CONN_FAILED);
20435 	if (!hdr) {
20436 		nlmsg_free(msg);
20437 		return;
20438 	}
20439 
20440 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
20441 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac_addr) ||
20442 	    nla_put_u32(msg, NL80211_ATTR_CONN_FAILED_REASON, reason))
20443 		goto nla_put_failure;
20444 
20445 	genlmsg_end(msg, hdr);
20446 
20447 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
20448 				NL80211_MCGRP_MLME, gfp);
20449 	return;
20450 
20451  nla_put_failure:
20452 	nlmsg_free(msg);
20453 }
20454 EXPORT_SYMBOL(cfg80211_conn_failed);
20455 
20456 static bool __nl80211_unexpected_frame(struct net_device *dev, u8 cmd,
20457 				       const u8 *addr, int link_id, gfp_t gfp)
20458 {
20459 	struct wireless_dev *wdev = dev->ieee80211_ptr;
20460 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
20461 	struct sk_buff *msg;
20462 	void *hdr;
20463 	u32 nlportid = READ_ONCE(wdev->ap_unexpected_nlportid);
20464 
20465 	if (!nlportid)
20466 		return false;
20467 
20468 	msg = nlmsg_new(100, gfp);
20469 	if (!msg)
20470 		return true;
20471 
20472 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
20473 	if (!hdr) {
20474 		nlmsg_free(msg);
20475 		return true;
20476 	}
20477 
20478 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
20479 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
20480 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr) ||
20481 	    (link_id >= 0 &&
20482 	     nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID, link_id)))
20483 		goto nla_put_failure;
20484 
20485 	genlmsg_end(msg, hdr);
20486 	genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, nlportid);
20487 	return true;
20488 
20489  nla_put_failure:
20490 	nlmsg_free(msg);
20491 	return true;
20492 }
20493 
20494 bool cfg80211_rx_spurious_frame(struct net_device *dev, const u8 *addr,
20495 				int link_id, gfp_t gfp)
20496 {
20497 	struct wireless_dev *wdev = dev->ieee80211_ptr;
20498 	bool ret;
20499 
20500 	trace_cfg80211_rx_spurious_frame(dev, addr, link_id);
20501 
20502 	if (WARN_ON(wdev->iftype != NL80211_IFTYPE_AP &&
20503 		    wdev->iftype != NL80211_IFTYPE_P2P_GO)) {
20504 		trace_cfg80211_return_bool(false);
20505 		return false;
20506 	}
20507 	ret = __nl80211_unexpected_frame(dev, NL80211_CMD_UNEXPECTED_FRAME,
20508 					 addr, link_id, gfp);
20509 	trace_cfg80211_return_bool(ret);
20510 	return ret;
20511 }
20512 EXPORT_SYMBOL(cfg80211_rx_spurious_frame);
20513 
20514 bool cfg80211_rx_unexpected_4addr_frame(struct net_device *dev, const u8 *addr,
20515 					int link_id, gfp_t gfp)
20516 {
20517 	struct wireless_dev *wdev = dev->ieee80211_ptr;
20518 	bool ret;
20519 
20520 	trace_cfg80211_rx_unexpected_4addr_frame(dev, addr, link_id);
20521 
20522 	if (WARN_ON(wdev->iftype != NL80211_IFTYPE_AP &&
20523 		    wdev->iftype != NL80211_IFTYPE_P2P_GO &&
20524 		    wdev->iftype != NL80211_IFTYPE_AP_VLAN)) {
20525 		trace_cfg80211_return_bool(false);
20526 		return false;
20527 	}
20528 	ret = __nl80211_unexpected_frame(dev,
20529 					 NL80211_CMD_UNEXPECTED_4ADDR_FRAME,
20530 					 addr, link_id, gfp);
20531 	trace_cfg80211_return_bool(ret);
20532 	return ret;
20533 }
20534 EXPORT_SYMBOL(cfg80211_rx_unexpected_4addr_frame);
20535 
20536 int nl80211_send_mgmt(struct cfg80211_registered_device *rdev,
20537 		      struct wireless_dev *wdev, u32 nlportid,
20538 		      struct cfg80211_rx_info *info, gfp_t gfp)
20539 {
20540 	struct net_device *netdev = wdev->netdev;
20541 	struct sk_buff *msg;
20542 	void *hdr;
20543 
20544 	msg = nlmsg_new(100 + info->len, gfp);
20545 	if (!msg)
20546 		return -ENOMEM;
20547 
20548 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_FRAME);
20549 	if (!hdr) {
20550 		nlmsg_free(msg);
20551 		return -ENOMEM;
20552 	}
20553 
20554 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
20555 	    (netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
20556 					netdev->ifindex)) ||
20557 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
20558 			      NL80211_ATTR_PAD) ||
20559 	    (info->have_link_id &&
20560 	     nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID, info->link_id)) ||
20561 	    nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ, KHZ_TO_MHZ(info->freq)) ||
20562 	    nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ_OFFSET, info->freq % 1000) ||
20563 	    (info->sig_dbm &&
20564 	     nla_put_u32(msg, NL80211_ATTR_RX_SIGNAL_DBM, info->sig_dbm)) ||
20565 	    nla_put(msg, NL80211_ATTR_FRAME, info->len, info->buf) ||
20566 	    (info->flags &&
20567 	     nla_put_u32(msg, NL80211_ATTR_RXMGMT_FLAGS, info->flags)) ||
20568 	    (info->rx_tstamp && nla_put_u64_64bit(msg,
20569 						  NL80211_ATTR_RX_HW_TIMESTAMP,
20570 						  info->rx_tstamp,
20571 						  NL80211_ATTR_PAD)) ||
20572 	    (info->ack_tstamp && nla_put_u64_64bit(msg,
20573 						   NL80211_ATTR_TX_HW_TIMESTAMP,
20574 						   info->ack_tstamp,
20575 						   NL80211_ATTR_PAD)))
20576 		goto nla_put_failure;
20577 
20578 	genlmsg_end(msg, hdr);
20579 
20580 	return genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, nlportid);
20581 
20582  nla_put_failure:
20583 	nlmsg_free(msg);
20584 	return -ENOBUFS;
20585 }
20586 
20587 static void nl80211_frame_tx_status(struct wireless_dev *wdev,
20588 				    struct cfg80211_tx_status *status,
20589 				    gfp_t gfp, enum nl80211_commands command)
20590 {
20591 	struct wiphy *wiphy = wdev->wiphy;
20592 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
20593 	struct net_device *netdev = wdev->netdev;
20594 	struct sk_buff *msg;
20595 	void *hdr;
20596 
20597 	if (command == NL80211_CMD_FRAME_TX_STATUS)
20598 		trace_cfg80211_mgmt_tx_status(wdev, status->cookie,
20599 					      status->ack);
20600 	else
20601 		trace_cfg80211_control_port_tx_status(wdev, status->cookie,
20602 						      status->ack);
20603 
20604 	msg = nlmsg_new(100 + status->len, gfp);
20605 	if (!msg)
20606 		return;
20607 
20608 	hdr = nl80211hdr_put(msg, 0, 0, 0, command);
20609 	if (!hdr) {
20610 		nlmsg_free(msg);
20611 		return;
20612 	}
20613 
20614 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
20615 	    (netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
20616 				   netdev->ifindex)) ||
20617 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
20618 			      NL80211_ATTR_PAD) ||
20619 	    nla_put(msg, NL80211_ATTR_FRAME, status->len, status->buf) ||
20620 	    nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, status->cookie,
20621 			      NL80211_ATTR_PAD) ||
20622 	    (status->ack && nla_put_flag(msg, NL80211_ATTR_ACK)) ||
20623 	    (status->tx_tstamp &&
20624 	     nla_put_u64_64bit(msg, NL80211_ATTR_TX_HW_TIMESTAMP,
20625 			       status->tx_tstamp, NL80211_ATTR_PAD)) ||
20626 	    (status->ack_tstamp &&
20627 	     nla_put_u64_64bit(msg, NL80211_ATTR_RX_HW_TIMESTAMP,
20628 			       status->ack_tstamp, NL80211_ATTR_PAD)))
20629 		goto nla_put_failure;
20630 
20631 	genlmsg_end(msg, hdr);
20632 
20633 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
20634 				NL80211_MCGRP_MLME, gfp);
20635 	return;
20636 
20637 nla_put_failure:
20638 	nlmsg_free(msg);
20639 }
20640 
20641 void cfg80211_control_port_tx_status(struct wireless_dev *wdev, u64 cookie,
20642 				     const u8 *buf, size_t len, bool ack,
20643 				     gfp_t gfp)
20644 {
20645 	struct cfg80211_tx_status status = {
20646 		.cookie = cookie,
20647 		.buf = buf,
20648 		.len = len,
20649 		.ack = ack
20650 	};
20651 
20652 	nl80211_frame_tx_status(wdev, &status, gfp,
20653 				NL80211_CMD_CONTROL_PORT_FRAME_TX_STATUS);
20654 }
20655 EXPORT_SYMBOL(cfg80211_control_port_tx_status);
20656 
20657 void cfg80211_mgmt_tx_status_ext(struct wireless_dev *wdev,
20658 				 struct cfg80211_tx_status *status, gfp_t gfp)
20659 {
20660 	nl80211_frame_tx_status(wdev, status, gfp, NL80211_CMD_FRAME_TX_STATUS);
20661 }
20662 EXPORT_SYMBOL(cfg80211_mgmt_tx_status_ext);
20663 
20664 static int __nl80211_rx_control_port(struct net_device *dev,
20665 				     struct sk_buff *skb,
20666 				     bool unencrypted,
20667 				     int link_id,
20668 				     gfp_t gfp)
20669 {
20670 	struct wireless_dev *wdev = dev->ieee80211_ptr;
20671 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
20672 	struct ethhdr *ehdr = eth_hdr(skb);
20673 	const u8 *addr = ehdr->h_source;
20674 	u16 proto = be16_to_cpu(skb->protocol);
20675 	struct sk_buff *msg;
20676 	void *hdr;
20677 	struct nlattr *frame;
20678 
20679 	u32 nlportid = READ_ONCE(wdev->conn_owner_nlportid);
20680 
20681 	if (!nlportid)
20682 		return -ENOENT;
20683 
20684 	msg = nlmsg_new(100 + skb->len, gfp);
20685 	if (!msg)
20686 		return -ENOMEM;
20687 
20688 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_CONTROL_PORT_FRAME);
20689 	if (!hdr) {
20690 		nlmsg_free(msg);
20691 		return -ENOBUFS;
20692 	}
20693 
20694 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
20695 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
20696 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
20697 			      NL80211_ATTR_PAD) ||
20698 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr) ||
20699 	    nla_put_u16(msg, NL80211_ATTR_CONTROL_PORT_ETHERTYPE, proto) ||
20700 	    (link_id >= 0 &&
20701 	     nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID, link_id)) ||
20702 	    (unencrypted && nla_put_flag(msg,
20703 					 NL80211_ATTR_CONTROL_PORT_NO_ENCRYPT)))
20704 		goto nla_put_failure;
20705 
20706 	frame = nla_reserve(msg, NL80211_ATTR_FRAME, skb->len);
20707 	if (!frame)
20708 		goto nla_put_failure;
20709 
20710 	skb_copy_bits(skb, 0, nla_data(frame), skb->len);
20711 	genlmsg_end(msg, hdr);
20712 
20713 	return genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, nlportid);
20714 
20715  nla_put_failure:
20716 	nlmsg_free(msg);
20717 	return -ENOBUFS;
20718 }
20719 
20720 bool cfg80211_rx_control_port(struct net_device *dev, struct sk_buff *skb,
20721 			      bool unencrypted, int link_id)
20722 {
20723 	int ret;
20724 
20725 	trace_cfg80211_rx_control_port(dev, skb, unencrypted, link_id);
20726 	ret = __nl80211_rx_control_port(dev, skb, unencrypted, link_id,
20727 					GFP_ATOMIC);
20728 	trace_cfg80211_return_bool(ret == 0);
20729 	return ret == 0;
20730 }
20731 EXPORT_SYMBOL(cfg80211_rx_control_port);
20732 
20733 static struct sk_buff *cfg80211_prepare_cqm(struct net_device *dev,
20734 					    const char *mac, gfp_t gfp)
20735 {
20736 	struct wireless_dev *wdev = dev->ieee80211_ptr;
20737 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
20738 	struct sk_buff *msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
20739 	void **cb;
20740 
20741 	if (!msg)
20742 		return NULL;
20743 
20744 	cb = (void **)msg->cb;
20745 
20746 	cb[0] = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_NOTIFY_CQM);
20747 	if (!cb[0]) {
20748 		nlmsg_free(msg);
20749 		return NULL;
20750 	}
20751 
20752 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
20753 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
20754 		goto nla_put_failure;
20755 
20756 	if (mac && nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac))
20757 		goto nla_put_failure;
20758 
20759 	cb[1] = nla_nest_start_noflag(msg, NL80211_ATTR_CQM);
20760 	if (!cb[1])
20761 		goto nla_put_failure;
20762 
20763 	cb[2] = rdev;
20764 
20765 	return msg;
20766  nla_put_failure:
20767 	nlmsg_free(msg);
20768 	return NULL;
20769 }
20770 
20771 static void cfg80211_send_cqm(struct sk_buff *msg, gfp_t gfp)
20772 {
20773 	void **cb = (void **)msg->cb;
20774 	struct cfg80211_registered_device *rdev = cb[2];
20775 
20776 	nla_nest_end(msg, cb[1]);
20777 	genlmsg_end(msg, cb[0]);
20778 
20779 	memset(msg->cb, 0, sizeof(msg->cb));
20780 
20781 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
20782 				NL80211_MCGRP_MLME, gfp);
20783 }
20784 
20785 void cfg80211_cqm_rssi_notify(struct net_device *dev,
20786 			      enum nl80211_cqm_rssi_threshold_event rssi_event,
20787 			      s32 rssi_level, gfp_t gfp)
20788 {
20789 	struct wireless_dev *wdev = dev->ieee80211_ptr;
20790 	struct cfg80211_cqm_config *cqm_config;
20791 
20792 	trace_cfg80211_cqm_rssi_notify(dev, rssi_event, rssi_level);
20793 
20794 	if (WARN_ON(rssi_event != NL80211_CQM_RSSI_THRESHOLD_EVENT_LOW &&
20795 		    rssi_event != NL80211_CQM_RSSI_THRESHOLD_EVENT_HIGH))
20796 		return;
20797 
20798 	rcu_read_lock();
20799 	cqm_config = rcu_dereference(wdev->cqm_config);
20800 	if (cqm_config) {
20801 		cqm_config->last_rssi_event_value = rssi_level;
20802 		cqm_config->last_rssi_event_type = rssi_event;
20803 		wiphy_work_queue(wdev->wiphy, &wdev->cqm_rssi_work);
20804 	}
20805 	rcu_read_unlock();
20806 }
20807 EXPORT_SYMBOL(cfg80211_cqm_rssi_notify);
20808 
20809 void cfg80211_cqm_rssi_notify_work(struct wiphy *wiphy, struct wiphy_work *work)
20810 {
20811 	struct wireless_dev *wdev = container_of(work, struct wireless_dev,
20812 						 cqm_rssi_work);
20813 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
20814 	enum nl80211_cqm_rssi_threshold_event rssi_event;
20815 	struct cfg80211_cqm_config *cqm_config;
20816 	struct sk_buff *msg;
20817 	s32 rssi_level;
20818 
20819 	cqm_config = wiphy_dereference(wdev->wiphy, wdev->cqm_config);
20820 	if (!cqm_config)
20821 		return;
20822 
20823 	if (cqm_config->use_range_api)
20824 		cfg80211_cqm_rssi_update(rdev, wdev->netdev, cqm_config);
20825 
20826 	rssi_level = cqm_config->last_rssi_event_value;
20827 	rssi_event = cqm_config->last_rssi_event_type;
20828 
20829 	msg = cfg80211_prepare_cqm(wdev->netdev, NULL, GFP_KERNEL);
20830 	if (!msg)
20831 		return;
20832 
20833 	if (nla_put_u32(msg, NL80211_ATTR_CQM_RSSI_THRESHOLD_EVENT,
20834 			rssi_event))
20835 		goto nla_put_failure;
20836 
20837 	if (rssi_level && nla_put_s32(msg, NL80211_ATTR_CQM_RSSI_LEVEL,
20838 				      rssi_level))
20839 		goto nla_put_failure;
20840 
20841 	cfg80211_send_cqm(msg, GFP_KERNEL);
20842 
20843 	return;
20844 
20845  nla_put_failure:
20846 	nlmsg_free(msg);
20847 }
20848 
20849 void cfg80211_cqm_txe_notify(struct net_device *dev,
20850 			     const u8 *peer, u32 num_packets,
20851 			     u32 rate, u32 intvl, gfp_t gfp)
20852 {
20853 	struct sk_buff *msg;
20854 
20855 	msg = cfg80211_prepare_cqm(dev, peer, gfp);
20856 	if (!msg)
20857 		return;
20858 
20859 	if (nla_put_u32(msg, NL80211_ATTR_CQM_TXE_PKTS, num_packets))
20860 		goto nla_put_failure;
20861 
20862 	if (nla_put_u32(msg, NL80211_ATTR_CQM_TXE_RATE, rate))
20863 		goto nla_put_failure;
20864 
20865 	if (nla_put_u32(msg, NL80211_ATTR_CQM_TXE_INTVL, intvl))
20866 		goto nla_put_failure;
20867 
20868 	cfg80211_send_cqm(msg, gfp);
20869 	return;
20870 
20871  nla_put_failure:
20872 	nlmsg_free(msg);
20873 }
20874 EXPORT_SYMBOL(cfg80211_cqm_txe_notify);
20875 
20876 void cfg80211_cqm_pktloss_notify(struct net_device *dev,
20877 				 const u8 *peer, u32 num_packets, gfp_t gfp)
20878 {
20879 	struct sk_buff *msg;
20880 
20881 	trace_cfg80211_cqm_pktloss_notify(dev, peer, num_packets);
20882 
20883 	msg = cfg80211_prepare_cqm(dev, peer, gfp);
20884 	if (!msg)
20885 		return;
20886 
20887 	if (nla_put_u32(msg, NL80211_ATTR_CQM_PKT_LOSS_EVENT, num_packets))
20888 		goto nla_put_failure;
20889 
20890 	cfg80211_send_cqm(msg, gfp);
20891 	return;
20892 
20893  nla_put_failure:
20894 	nlmsg_free(msg);
20895 }
20896 EXPORT_SYMBOL(cfg80211_cqm_pktloss_notify);
20897 
20898 void cfg80211_cqm_beacon_loss_notify(struct net_device *dev, gfp_t gfp)
20899 {
20900 	struct sk_buff *msg;
20901 
20902 	msg = cfg80211_prepare_cqm(dev, NULL, gfp);
20903 	if (!msg)
20904 		return;
20905 
20906 	if (nla_put_flag(msg, NL80211_ATTR_CQM_BEACON_LOSS_EVENT))
20907 		goto nla_put_failure;
20908 
20909 	cfg80211_send_cqm(msg, gfp);
20910 	return;
20911 
20912  nla_put_failure:
20913 	nlmsg_free(msg);
20914 }
20915 EXPORT_SYMBOL(cfg80211_cqm_beacon_loss_notify);
20916 
20917 static void nl80211_gtk_rekey_notify(struct cfg80211_registered_device *rdev,
20918 				     struct net_device *netdev, const u8 *bssid,
20919 				     const u8 *replay_ctr, gfp_t gfp)
20920 {
20921 	struct sk_buff *msg;
20922 	struct nlattr *rekey_attr;
20923 	void *hdr;
20924 
20925 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
20926 	if (!msg)
20927 		return;
20928 
20929 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_SET_REKEY_OFFLOAD);
20930 	if (!hdr) {
20931 		nlmsg_free(msg);
20932 		return;
20933 	}
20934 
20935 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
20936 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
20937 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, bssid))
20938 		goto nla_put_failure;
20939 
20940 	rekey_attr = nla_nest_start_noflag(msg, NL80211_ATTR_REKEY_DATA);
20941 	if (!rekey_attr)
20942 		goto nla_put_failure;
20943 
20944 	if (nla_put(msg, NL80211_REKEY_DATA_REPLAY_CTR,
20945 		    NL80211_REPLAY_CTR_LEN, replay_ctr))
20946 		goto nla_put_failure;
20947 
20948 	nla_nest_end(msg, rekey_attr);
20949 
20950 	genlmsg_end(msg, hdr);
20951 
20952 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
20953 				NL80211_MCGRP_MLME, gfp);
20954 	return;
20955 
20956  nla_put_failure:
20957 	nlmsg_free(msg);
20958 }
20959 
20960 void cfg80211_gtk_rekey_notify(struct net_device *dev, const u8 *bssid,
20961 			       const u8 *replay_ctr, gfp_t gfp)
20962 {
20963 	struct wireless_dev *wdev = dev->ieee80211_ptr;
20964 	struct wiphy *wiphy = wdev->wiphy;
20965 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
20966 
20967 	trace_cfg80211_gtk_rekey_notify(dev, bssid);
20968 	nl80211_gtk_rekey_notify(rdev, dev, bssid, replay_ctr, gfp);
20969 }
20970 EXPORT_SYMBOL(cfg80211_gtk_rekey_notify);
20971 
20972 static void
20973 nl80211_pmksa_candidate_notify(struct cfg80211_registered_device *rdev,
20974 			       struct net_device *netdev, int index,
20975 			       const u8 *bssid, bool preauth, gfp_t gfp)
20976 {
20977 	struct sk_buff *msg;
20978 	struct nlattr *attr;
20979 	void *hdr;
20980 
20981 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
20982 	if (!msg)
20983 		return;
20984 
20985 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_PMKSA_CANDIDATE);
20986 	if (!hdr) {
20987 		nlmsg_free(msg);
20988 		return;
20989 	}
20990 
20991 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
20992 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex))
20993 		goto nla_put_failure;
20994 
20995 	attr = nla_nest_start_noflag(msg, NL80211_ATTR_PMKSA_CANDIDATE);
20996 	if (!attr)
20997 		goto nla_put_failure;
20998 
20999 	if (nla_put_u32(msg, NL80211_PMKSA_CANDIDATE_INDEX, index) ||
21000 	    nla_put(msg, NL80211_PMKSA_CANDIDATE_BSSID, ETH_ALEN, bssid) ||
21001 	    (preauth &&
21002 	     nla_put_flag(msg, NL80211_PMKSA_CANDIDATE_PREAUTH)))
21003 		goto nla_put_failure;
21004 
21005 	nla_nest_end(msg, attr);
21006 
21007 	genlmsg_end(msg, hdr);
21008 
21009 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
21010 				NL80211_MCGRP_MLME, gfp);
21011 	return;
21012 
21013  nla_put_failure:
21014 	nlmsg_free(msg);
21015 }
21016 
21017 void cfg80211_pmksa_candidate_notify(struct net_device *dev, int index,
21018 				     const u8 *bssid, bool preauth, gfp_t gfp)
21019 {
21020 	struct wireless_dev *wdev = dev->ieee80211_ptr;
21021 	struct wiphy *wiphy = wdev->wiphy;
21022 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
21023 
21024 	trace_cfg80211_pmksa_candidate_notify(dev, index, bssid, preauth);
21025 	nl80211_pmksa_candidate_notify(rdev, dev, index, bssid, preauth, gfp);
21026 }
21027 EXPORT_SYMBOL(cfg80211_pmksa_candidate_notify);
21028 
21029 static void nl80211_ch_switch_notify(struct cfg80211_registered_device *rdev,
21030 				     struct net_device *netdev,
21031 				     unsigned int link_id,
21032 				     struct cfg80211_chan_def *chandef,
21033 				     gfp_t gfp,
21034 				     enum nl80211_commands notif,
21035 				     u8 count, bool quiet)
21036 {
21037 	struct wireless_dev *wdev = netdev->ieee80211_ptr;
21038 	struct sk_buff *msg;
21039 	void *hdr;
21040 
21041 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
21042 	if (!msg)
21043 		return;
21044 
21045 	hdr = nl80211hdr_put(msg, 0, 0, 0, notif);
21046 	if (!hdr) {
21047 		nlmsg_free(msg);
21048 		return;
21049 	}
21050 
21051 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex))
21052 		goto nla_put_failure;
21053 
21054 	if (wdev->valid_links &&
21055 	    nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID, link_id))
21056 		goto nla_put_failure;
21057 
21058 	if (nl80211_send_chandef(msg, chandef))
21059 		goto nla_put_failure;
21060 
21061 	if (notif == NL80211_CMD_CH_SWITCH_STARTED_NOTIFY) {
21062 		if (nla_put_u32(msg, NL80211_ATTR_CH_SWITCH_COUNT, count))
21063 			goto nla_put_failure;
21064 		if (quiet &&
21065 		    nla_put_flag(msg, NL80211_ATTR_CH_SWITCH_BLOCK_TX))
21066 			goto nla_put_failure;
21067 	}
21068 
21069 	genlmsg_end(msg, hdr);
21070 
21071 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
21072 				NL80211_MCGRP_MLME, gfp);
21073 	return;
21074 
21075  nla_put_failure:
21076 	nlmsg_free(msg);
21077 }
21078 
21079 void cfg80211_ch_switch_notify(struct net_device *dev,
21080 			       struct cfg80211_chan_def *chandef,
21081 			       unsigned int link_id)
21082 {
21083 	struct wireless_dev *wdev = dev->ieee80211_ptr;
21084 	struct wiphy *wiphy = wdev->wiphy;
21085 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
21086 
21087 	lockdep_assert_wiphy(wdev->wiphy);
21088 	WARN_INVALID_LINK_ID(wdev, link_id);
21089 
21090 	trace_cfg80211_ch_switch_notify(dev, chandef, link_id);
21091 
21092 	switch (wdev->iftype) {
21093 	case NL80211_IFTYPE_STATION:
21094 	case NL80211_IFTYPE_P2P_CLIENT:
21095 		if (!WARN_ON(!wdev->links[link_id].client.current_bss))
21096 			cfg80211_update_assoc_bss_entry(wdev, link_id,
21097 							chandef->chan);
21098 		break;
21099 	case NL80211_IFTYPE_MESH_POINT:
21100 		wdev->u.mesh.chandef = *chandef;
21101 		wdev->u.mesh.preset_chandef = *chandef;
21102 		break;
21103 	case NL80211_IFTYPE_AP:
21104 	case NL80211_IFTYPE_P2P_GO:
21105 		wdev->links[link_id].ap.chandef = *chandef;
21106 		break;
21107 	case NL80211_IFTYPE_ADHOC:
21108 		wdev->u.ibss.chandef = *chandef;
21109 		break;
21110 	default:
21111 		WARN_ON(1);
21112 		break;
21113 	}
21114 
21115 	cfg80211_schedule_channels_check(wdev);
21116 	cfg80211_sched_dfs_chan_update(rdev);
21117 
21118 	nl80211_ch_switch_notify(rdev, dev, link_id, chandef, GFP_KERNEL,
21119 				 NL80211_CMD_CH_SWITCH_NOTIFY, 0, false);
21120 }
21121 EXPORT_SYMBOL(cfg80211_ch_switch_notify);
21122 
21123 void cfg80211_ch_switch_started_notify(struct net_device *dev,
21124 				       struct cfg80211_chan_def *chandef,
21125 				       unsigned int link_id, u8 count,
21126 				       bool quiet)
21127 {
21128 	struct wireless_dev *wdev = dev->ieee80211_ptr;
21129 	struct wiphy *wiphy = wdev->wiphy;
21130 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
21131 
21132 	lockdep_assert_wiphy(wdev->wiphy);
21133 	WARN_INVALID_LINK_ID(wdev, link_id);
21134 
21135 	trace_cfg80211_ch_switch_started_notify(dev, chandef, link_id);
21136 
21137 
21138 	nl80211_ch_switch_notify(rdev, dev, link_id, chandef, GFP_KERNEL,
21139 				 NL80211_CMD_CH_SWITCH_STARTED_NOTIFY,
21140 				 count, quiet);
21141 }
21142 EXPORT_SYMBOL(cfg80211_ch_switch_started_notify);
21143 
21144 int cfg80211_bss_color_notify(struct net_device *dev,
21145 			      enum nl80211_commands cmd, u8 count,
21146 			      u64 color_bitmap, u8 link_id)
21147 {
21148 	struct wireless_dev *wdev = dev->ieee80211_ptr;
21149 	struct wiphy *wiphy = wdev->wiphy;
21150 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
21151 	struct sk_buff *msg;
21152 	void *hdr;
21153 
21154 	lockdep_assert_wiphy(wdev->wiphy);
21155 
21156 	trace_cfg80211_bss_color_notify(dev, cmd, count, color_bitmap);
21157 
21158 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
21159 	if (!msg)
21160 		return -ENOMEM;
21161 
21162 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
21163 	if (!hdr)
21164 		goto nla_put_failure;
21165 
21166 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
21167 		goto nla_put_failure;
21168 
21169 	if (wdev->valid_links &&
21170 	    nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID, link_id))
21171 		goto nla_put_failure;
21172 
21173 	if (cmd == NL80211_CMD_COLOR_CHANGE_STARTED &&
21174 	    nla_put_u32(msg, NL80211_ATTR_COLOR_CHANGE_COUNT, count))
21175 		goto nla_put_failure;
21176 
21177 	if (cmd == NL80211_CMD_OBSS_COLOR_COLLISION &&
21178 	    nla_put_u64_64bit(msg, NL80211_ATTR_OBSS_COLOR_BITMAP,
21179 			      color_bitmap, NL80211_ATTR_PAD))
21180 		goto nla_put_failure;
21181 
21182 	genlmsg_end(msg, hdr);
21183 
21184 	return genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy),
21185 				       msg, 0, NL80211_MCGRP_MLME, GFP_KERNEL);
21186 
21187 nla_put_failure:
21188 	nlmsg_free(msg);
21189 	return -EINVAL;
21190 }
21191 EXPORT_SYMBOL(cfg80211_bss_color_notify);
21192 
21193 void
21194 nl80211_radar_notify(struct cfg80211_registered_device *rdev,
21195 		     const struct cfg80211_chan_def *chandef,
21196 		     enum nl80211_radar_event event,
21197 		     struct net_device *netdev, gfp_t gfp)
21198 {
21199 	struct sk_buff *msg;
21200 	void *hdr;
21201 
21202 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
21203 	if (!msg)
21204 		return;
21205 
21206 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_RADAR_DETECT);
21207 	if (!hdr) {
21208 		nlmsg_free(msg);
21209 		return;
21210 	}
21211 
21212 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx))
21213 		goto nla_put_failure;
21214 
21215 	/* NOP and radar events don't need a netdev parameter */
21216 	if (netdev) {
21217 		struct wireless_dev *wdev = netdev->ieee80211_ptr;
21218 
21219 		if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
21220 		    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
21221 				      NL80211_ATTR_PAD))
21222 			goto nla_put_failure;
21223 	}
21224 
21225 	if (nla_put_u32(msg, NL80211_ATTR_RADAR_EVENT, event))
21226 		goto nla_put_failure;
21227 
21228 	if (nl80211_send_chandef(msg, chandef))
21229 		goto nla_put_failure;
21230 
21231 	genlmsg_end(msg, hdr);
21232 
21233 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
21234 				NL80211_MCGRP_MLME, gfp);
21235 	return;
21236 
21237  nla_put_failure:
21238 	nlmsg_free(msg);
21239 }
21240 
21241 void cfg80211_sta_opmode_change_notify(struct net_device *dev, const u8 *mac,
21242 				       struct sta_opmode_info *sta_opmode,
21243 				       gfp_t gfp)
21244 {
21245 	struct sk_buff *msg;
21246 	struct wireless_dev *wdev = dev->ieee80211_ptr;
21247 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
21248 	void *hdr;
21249 
21250 	if (WARN_ON(!mac))
21251 		return;
21252 
21253 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
21254 	if (!msg)
21255 		return;
21256 
21257 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_STA_OPMODE_CHANGED);
21258 	if (!hdr) {
21259 		nlmsg_free(msg);
21260 		return;
21261 	}
21262 
21263 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx))
21264 		goto nla_put_failure;
21265 
21266 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
21267 		goto nla_put_failure;
21268 
21269 	if (nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac))
21270 		goto nla_put_failure;
21271 
21272 	if ((sta_opmode->changed & STA_OPMODE_SMPS_MODE_CHANGED) &&
21273 	    nla_put_u8(msg, NL80211_ATTR_SMPS_MODE, sta_opmode->smps_mode))
21274 		goto nla_put_failure;
21275 
21276 	if ((sta_opmode->changed & STA_OPMODE_MAX_BW_CHANGED) &&
21277 	    nla_put_u32(msg, NL80211_ATTR_CHANNEL_WIDTH, sta_opmode->bw))
21278 		goto nla_put_failure;
21279 
21280 	if ((sta_opmode->changed & STA_OPMODE_N_SS_CHANGED) &&
21281 	    nla_put_u8(msg, NL80211_ATTR_NSS, sta_opmode->rx_nss))
21282 		goto nla_put_failure;
21283 
21284 	genlmsg_end(msg, hdr);
21285 
21286 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
21287 				NL80211_MCGRP_MLME, gfp);
21288 
21289 	return;
21290 
21291 nla_put_failure:
21292 	nlmsg_free(msg);
21293 }
21294 EXPORT_SYMBOL(cfg80211_sta_opmode_change_notify);
21295 
21296 void cfg80211_probe_status(struct net_device *dev, const u8 *addr,
21297 			   u64 cookie, bool acked, s32 ack_signal,
21298 			   bool is_valid_ack_signal, gfp_t gfp)
21299 {
21300 	struct wireless_dev *wdev = dev->ieee80211_ptr;
21301 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
21302 	struct sk_buff *msg;
21303 	void *hdr;
21304 
21305 	trace_cfg80211_probe_status(dev, addr, cookie, acked);
21306 
21307 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
21308 
21309 	if (!msg)
21310 		return;
21311 
21312 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_PROBE_CLIENT);
21313 	if (!hdr) {
21314 		nlmsg_free(msg);
21315 		return;
21316 	}
21317 
21318 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
21319 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
21320 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr) ||
21321 	    nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
21322 			      NL80211_ATTR_PAD) ||
21323 	    (acked && nla_put_flag(msg, NL80211_ATTR_ACK)) ||
21324 	    (is_valid_ack_signal && nla_put_s32(msg, NL80211_ATTR_ACK_SIGNAL,
21325 						ack_signal)))
21326 		goto nla_put_failure;
21327 
21328 	genlmsg_end(msg, hdr);
21329 
21330 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
21331 				NL80211_MCGRP_MLME, gfp);
21332 	return;
21333 
21334  nla_put_failure:
21335 	nlmsg_free(msg);
21336 }
21337 EXPORT_SYMBOL(cfg80211_probe_status);
21338 
21339 void cfg80211_report_obss_beacon_khz(struct wiphy *wiphy, const u8 *frame,
21340 				     size_t len, int freq, int sig_dbm)
21341 {
21342 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
21343 	struct sk_buff *msg;
21344 	void *hdr;
21345 	struct cfg80211_beacon_registration *reg;
21346 
21347 	trace_cfg80211_report_obss_beacon(wiphy, frame, len, freq, sig_dbm);
21348 
21349 	spin_lock_bh(&rdev->beacon_registrations_lock);
21350 	list_for_each_entry(reg, &rdev->beacon_registrations, list) {
21351 		msg = nlmsg_new(len + 100, GFP_ATOMIC);
21352 		if (!msg) {
21353 			spin_unlock_bh(&rdev->beacon_registrations_lock);
21354 			return;
21355 		}
21356 
21357 		hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_FRAME);
21358 		if (!hdr)
21359 			goto nla_put_failure;
21360 
21361 		if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
21362 		    (freq &&
21363 		     (nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ,
21364 				  KHZ_TO_MHZ(freq)) ||
21365 		      nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ_OFFSET,
21366 				  freq % 1000))) ||
21367 		    (sig_dbm &&
21368 		     nla_put_u32(msg, NL80211_ATTR_RX_SIGNAL_DBM, sig_dbm)) ||
21369 		    nla_put(msg, NL80211_ATTR_FRAME, len, frame))
21370 			goto nla_put_failure;
21371 
21372 		genlmsg_end(msg, hdr);
21373 
21374 		genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, reg->nlportid);
21375 	}
21376 	spin_unlock_bh(&rdev->beacon_registrations_lock);
21377 	return;
21378 
21379  nla_put_failure:
21380 	spin_unlock_bh(&rdev->beacon_registrations_lock);
21381 	nlmsg_free(msg);
21382 }
21383 EXPORT_SYMBOL(cfg80211_report_obss_beacon_khz);
21384 
21385 #ifdef CONFIG_PM
21386 static int cfg80211_net_detect_results(struct sk_buff *msg,
21387 				       struct cfg80211_wowlan_wakeup *wakeup)
21388 {
21389 	struct cfg80211_wowlan_nd_info *nd = wakeup->net_detect;
21390 	struct nlattr *nl_results, *nl_match, *nl_freqs;
21391 	int i, j;
21392 
21393 	nl_results = nla_nest_start_noflag(msg,
21394 					   NL80211_WOWLAN_TRIG_NET_DETECT_RESULTS);
21395 	if (!nl_results)
21396 		return -EMSGSIZE;
21397 
21398 	for (i = 0; i < nd->n_matches; i++) {
21399 		struct cfg80211_wowlan_nd_match *match = nd->matches[i];
21400 
21401 		nl_match = nla_nest_start_noflag(msg, i);
21402 		if (!nl_match)
21403 			break;
21404 
21405 		/* The SSID attribute is optional in nl80211, but for
21406 		 * simplicity reasons it's always present in the
21407 		 * cfg80211 structure.  If a driver can't pass the
21408 		 * SSID, that needs to be changed.  A zero length SSID
21409 		 * is still a valid SSID (wildcard), so it cannot be
21410 		 * used for this purpose.
21411 		 */
21412 		if (nla_put(msg, NL80211_ATTR_SSID, match->ssid.ssid_len,
21413 			    match->ssid.ssid)) {
21414 			nla_nest_cancel(msg, nl_match);
21415 			goto out;
21416 		}
21417 
21418 		if (match->n_channels) {
21419 			nl_freqs = nla_nest_start_noflag(msg,
21420 							 NL80211_ATTR_SCAN_FREQUENCIES);
21421 			if (!nl_freqs) {
21422 				nla_nest_cancel(msg, nl_match);
21423 				goto out;
21424 			}
21425 
21426 			for (j = 0; j < match->n_channels; j++) {
21427 				if (nla_put_u32(msg, j, match->channels[j])) {
21428 					nla_nest_cancel(msg, nl_freqs);
21429 					nla_nest_cancel(msg, nl_match);
21430 					goto out;
21431 				}
21432 			}
21433 
21434 			nla_nest_end(msg, nl_freqs);
21435 		}
21436 
21437 		nla_nest_end(msg, nl_match);
21438 	}
21439 
21440 out:
21441 	nla_nest_end(msg, nl_results);
21442 	return 0;
21443 }
21444 
21445 void cfg80211_report_wowlan_wakeup(struct wireless_dev *wdev,
21446 				   struct cfg80211_wowlan_wakeup *wakeup,
21447 				   gfp_t gfp)
21448 {
21449 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
21450 	struct sk_buff *msg;
21451 	void *hdr;
21452 	int size = 200;
21453 
21454 	trace_cfg80211_report_wowlan_wakeup(wdev->wiphy, wdev, wakeup);
21455 
21456 	if (wakeup)
21457 		size += wakeup->packet_present_len;
21458 
21459 	msg = nlmsg_new(size, gfp);
21460 	if (!msg)
21461 		return;
21462 
21463 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_SET_WOWLAN);
21464 	if (!hdr)
21465 		goto free_msg;
21466 
21467 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
21468 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
21469 			      NL80211_ATTR_PAD))
21470 		goto free_msg;
21471 
21472 	if (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
21473 					wdev->netdev->ifindex))
21474 		goto free_msg;
21475 
21476 	if (wakeup) {
21477 		struct nlattr *reasons;
21478 
21479 		reasons = nla_nest_start_noflag(msg,
21480 						NL80211_ATTR_WOWLAN_TRIGGERS);
21481 		if (!reasons)
21482 			goto free_msg;
21483 
21484 		if (wakeup->disconnect &&
21485 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_DISCONNECT))
21486 			goto free_msg;
21487 		if (wakeup->magic_pkt &&
21488 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_MAGIC_PKT))
21489 			goto free_msg;
21490 		if (wakeup->gtk_rekey_failure &&
21491 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE))
21492 			goto free_msg;
21493 		if (wakeup->eap_identity_req &&
21494 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST))
21495 			goto free_msg;
21496 		if (wakeup->four_way_handshake &&
21497 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE))
21498 			goto free_msg;
21499 		if (wakeup->rfkill_release &&
21500 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_RFKILL_RELEASE))
21501 			goto free_msg;
21502 
21503 		if (wakeup->pattern_idx >= 0 &&
21504 		    nla_put_u32(msg, NL80211_WOWLAN_TRIG_PKT_PATTERN,
21505 				wakeup->pattern_idx))
21506 			goto free_msg;
21507 
21508 		if (wakeup->tcp_match &&
21509 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_WAKEUP_TCP_MATCH))
21510 			goto free_msg;
21511 
21512 		if (wakeup->tcp_connlost &&
21513 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_WAKEUP_TCP_CONNLOST))
21514 			goto free_msg;
21515 
21516 		if (wakeup->tcp_nomoretokens &&
21517 		    nla_put_flag(msg,
21518 				 NL80211_WOWLAN_TRIG_WAKEUP_TCP_NOMORETOKENS))
21519 			goto free_msg;
21520 
21521 		if (wakeup->unprot_deauth_disassoc &&
21522 		    nla_put_flag(msg,
21523 				 NL80211_WOWLAN_TRIG_UNPROTECTED_DEAUTH_DISASSOC))
21524 			goto free_msg;
21525 
21526 		if (wakeup->packet) {
21527 			u32 pkt_attr = NL80211_WOWLAN_TRIG_WAKEUP_PKT_80211;
21528 			u32 len_attr = NL80211_WOWLAN_TRIG_WAKEUP_PKT_80211_LEN;
21529 
21530 			if (!wakeup->packet_80211) {
21531 				pkt_attr =
21532 					NL80211_WOWLAN_TRIG_WAKEUP_PKT_8023;
21533 				len_attr =
21534 					NL80211_WOWLAN_TRIG_WAKEUP_PKT_8023_LEN;
21535 			}
21536 
21537 			if (wakeup->packet_len &&
21538 			    nla_put_u32(msg, len_attr, wakeup->packet_len))
21539 				goto free_msg;
21540 
21541 			if (nla_put(msg, pkt_attr, wakeup->packet_present_len,
21542 				    wakeup->packet))
21543 				goto free_msg;
21544 		}
21545 
21546 		if (wakeup->net_detect &&
21547 		    cfg80211_net_detect_results(msg, wakeup))
21548 				goto free_msg;
21549 
21550 		nla_nest_end(msg, reasons);
21551 	}
21552 
21553 	genlmsg_end(msg, hdr);
21554 
21555 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
21556 				NL80211_MCGRP_MLME, gfp);
21557 	return;
21558 
21559  free_msg:
21560 	nlmsg_free(msg);
21561 }
21562 EXPORT_SYMBOL(cfg80211_report_wowlan_wakeup);
21563 #endif
21564 
21565 void cfg80211_tdls_oper_request(struct net_device *dev, const u8 *peer,
21566 				enum nl80211_tdls_operation oper,
21567 				u16 reason_code, gfp_t gfp)
21568 {
21569 	struct wireless_dev *wdev = dev->ieee80211_ptr;
21570 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
21571 	struct sk_buff *msg;
21572 	void *hdr;
21573 
21574 	trace_cfg80211_tdls_oper_request(wdev->wiphy, dev, peer, oper,
21575 					 reason_code);
21576 
21577 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
21578 	if (!msg)
21579 		return;
21580 
21581 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_TDLS_OPER);
21582 	if (!hdr) {
21583 		nlmsg_free(msg);
21584 		return;
21585 	}
21586 
21587 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
21588 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
21589 	    nla_put_u8(msg, NL80211_ATTR_TDLS_OPERATION, oper) ||
21590 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, peer) ||
21591 	    (reason_code > 0 &&
21592 	     nla_put_u16(msg, NL80211_ATTR_REASON_CODE, reason_code)))
21593 		goto nla_put_failure;
21594 
21595 	genlmsg_end(msg, hdr);
21596 
21597 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
21598 				NL80211_MCGRP_MLME, gfp);
21599 	return;
21600 
21601  nla_put_failure:
21602 	nlmsg_free(msg);
21603 }
21604 EXPORT_SYMBOL(cfg80211_tdls_oper_request);
21605 
21606 static int nl80211_netlink_notify(struct notifier_block * nb,
21607 				  unsigned long state,
21608 				  void *_notify)
21609 {
21610 	struct netlink_notify *notify = _notify;
21611 	struct cfg80211_registered_device *rdev;
21612 	struct wireless_dev *wdev;
21613 	struct cfg80211_beacon_registration *reg, *tmp;
21614 
21615 	if (state != NETLINK_URELEASE || notify->protocol != NETLINK_GENERIC)
21616 		return NOTIFY_DONE;
21617 
21618 	rcu_read_lock();
21619 
21620 	list_for_each_entry_rcu(rdev, &cfg80211_rdev_list, list) {
21621 		struct cfg80211_sched_scan_request *sched_scan_req;
21622 
21623 		list_for_each_entry_rcu(sched_scan_req,
21624 					&rdev->sched_scan_req_list,
21625 					list) {
21626 			if (sched_scan_req->owner_nlportid == notify->portid) {
21627 				sched_scan_req->nl_owner_dead = true;
21628 				wiphy_work_queue(&rdev->wiphy,
21629 						 &rdev->sched_scan_stop_wk);
21630 			}
21631 		}
21632 
21633 		list_for_each_entry_rcu(wdev, &rdev->wiphy.wdev_list, list) {
21634 			cfg80211_mlme_unregister_socket(wdev, notify->portid);
21635 
21636 			if (wdev->owner_nlportid == notify->portid) {
21637 				wdev->nl_owner_dead = true;
21638 				schedule_work(&rdev->destroy_work);
21639 			} else if (wdev->conn_owner_nlportid == notify->portid) {
21640 				schedule_work(&wdev->disconnect_wk);
21641 			}
21642 
21643 			cfg80211_release_pmsr(wdev, notify->portid);
21644 		}
21645 
21646 		spin_lock_bh(&rdev->beacon_registrations_lock);
21647 		list_for_each_entry_safe(reg, tmp, &rdev->beacon_registrations,
21648 					 list) {
21649 			if (reg->nlportid == notify->portid) {
21650 				list_del(&reg->list);
21651 				kfree(reg);
21652 				break;
21653 			}
21654 		}
21655 		spin_unlock_bh(&rdev->beacon_registrations_lock);
21656 	}
21657 
21658 	rcu_read_unlock();
21659 
21660 	/*
21661 	 * It is possible that the user space process that is controlling the
21662 	 * indoor setting disappeared, so notify the regulatory core.
21663 	 */
21664 	regulatory_netlink_notify(notify->portid);
21665 	return NOTIFY_OK;
21666 }
21667 
21668 static struct notifier_block nl80211_netlink_notifier = {
21669 	.notifier_call = nl80211_netlink_notify,
21670 };
21671 
21672 void cfg80211_ft_event(struct net_device *netdev,
21673 		       struct cfg80211_ft_event_params *ft_event)
21674 {
21675 	struct wiphy *wiphy = netdev->ieee80211_ptr->wiphy;
21676 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
21677 	struct sk_buff *msg;
21678 	void *hdr;
21679 
21680 	trace_cfg80211_ft_event(wiphy, netdev, ft_event);
21681 
21682 	if (!ft_event->target_ap)
21683 		return;
21684 
21685 	msg = nlmsg_new(100 + ft_event->ies_len + ft_event->ric_ies_len,
21686 			GFP_KERNEL);
21687 	if (!msg)
21688 		return;
21689 
21690 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_FT_EVENT);
21691 	if (!hdr)
21692 		goto out;
21693 
21694 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
21695 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
21696 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, ft_event->target_ap))
21697 		goto out;
21698 
21699 	if (ft_event->ies &&
21700 	    nla_put(msg, NL80211_ATTR_IE, ft_event->ies_len, ft_event->ies))
21701 		goto out;
21702 	if (ft_event->ric_ies &&
21703 	    nla_put(msg, NL80211_ATTR_IE_RIC, ft_event->ric_ies_len,
21704 		    ft_event->ric_ies))
21705 		goto out;
21706 
21707 	genlmsg_end(msg, hdr);
21708 
21709 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
21710 				NL80211_MCGRP_MLME, GFP_KERNEL);
21711 	return;
21712  out:
21713 	nlmsg_free(msg);
21714 }
21715 EXPORT_SYMBOL(cfg80211_ft_event);
21716 
21717 void cfg80211_crit_proto_stopped(struct wireless_dev *wdev, gfp_t gfp)
21718 {
21719 	struct cfg80211_registered_device *rdev;
21720 	struct sk_buff *msg;
21721 	void *hdr;
21722 	u32 nlportid;
21723 
21724 	rdev = wiphy_to_rdev(wdev->wiphy);
21725 	if (!rdev->crit_proto_nlportid)
21726 		return;
21727 
21728 	nlportid = rdev->crit_proto_nlportid;
21729 	rdev->crit_proto_nlportid = 0;
21730 
21731 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
21732 	if (!msg)
21733 		return;
21734 
21735 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_CRIT_PROTOCOL_STOP);
21736 	if (!hdr)
21737 		goto nla_put_failure;
21738 
21739 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
21740 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
21741 			      NL80211_ATTR_PAD))
21742 		goto nla_put_failure;
21743 
21744 	genlmsg_end(msg, hdr);
21745 
21746 	genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, nlportid);
21747 	return;
21748 
21749  nla_put_failure:
21750 	nlmsg_free(msg);
21751 }
21752 EXPORT_SYMBOL(cfg80211_crit_proto_stopped);
21753 
21754 void nl80211_send_ap_stopped(struct wireless_dev *wdev, unsigned int link_id)
21755 {
21756 	struct wiphy *wiphy = wdev->wiphy;
21757 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
21758 	struct sk_buff *msg;
21759 	void *hdr;
21760 
21761 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
21762 	if (!msg)
21763 		return;
21764 
21765 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_STOP_AP);
21766 	if (!hdr)
21767 		goto out;
21768 
21769 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
21770 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, wdev->netdev->ifindex) ||
21771 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
21772 			      NL80211_ATTR_PAD) ||
21773 	    (wdev->valid_links &&
21774 	     nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID, link_id)))
21775 		goto out;
21776 
21777 	genlmsg_end(msg, hdr);
21778 
21779 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(wiphy), msg, 0,
21780 				NL80211_MCGRP_MLME, GFP_KERNEL);
21781 	return;
21782  out:
21783 	nlmsg_free(msg);
21784 }
21785 
21786 int cfg80211_external_auth_request(struct net_device *dev,
21787 				   struct cfg80211_external_auth_params *params,
21788 				   gfp_t gfp)
21789 {
21790 	struct wireless_dev *wdev = dev->ieee80211_ptr;
21791 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
21792 	struct sk_buff *msg;
21793 	void *hdr;
21794 
21795 	if (!wdev->conn_owner_nlportid)
21796 		return -EINVAL;
21797 
21798 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
21799 	if (!msg)
21800 		return -ENOMEM;
21801 
21802 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_EXTERNAL_AUTH);
21803 	if (!hdr)
21804 		goto nla_put_failure;
21805 
21806 	/* Some historical mistakes in drivers <-> userspace interface (notably
21807 	 * between drivers and wpa_supplicant) led to a big-endian conversion
21808 	 * being needed on NL80211_ATTR_AKM_SUITES _only_ when its value is
21809 	 * WLAN_AKM_SUITE_SAE. This is now fixed on userspace side, but for the
21810 	 * benefit of older wpa_supplicant versions, send this particular value
21811 	 * in big-endian. Note that newer wpa_supplicant will also detect this
21812 	 * particular value in big endian still, so it all continues to work.
21813 	 */
21814 	if (params->key_mgmt_suite == WLAN_AKM_SUITE_SAE) {
21815 		if (nla_put_be32(msg, NL80211_ATTR_AKM_SUITES,
21816 				 cpu_to_be32(WLAN_AKM_SUITE_SAE)))
21817 			goto nla_put_failure;
21818 	} else {
21819 		if (nla_put_u32(msg, NL80211_ATTR_AKM_SUITES,
21820 				params->key_mgmt_suite))
21821 			goto nla_put_failure;
21822 	}
21823 
21824 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
21825 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
21826 	    nla_put_u32(msg, NL80211_ATTR_EXTERNAL_AUTH_ACTION,
21827 			params->action) ||
21828 	    nla_put(msg, NL80211_ATTR_BSSID, ETH_ALEN, params->bssid) ||
21829 	    nla_put(msg, NL80211_ATTR_SSID, params->ssid.ssid_len,
21830 		    params->ssid.ssid) ||
21831 	    (!is_zero_ether_addr(params->mld_addr) &&
21832 	     nla_put(msg, NL80211_ATTR_MLD_ADDR, ETH_ALEN, params->mld_addr)))
21833 		goto nla_put_failure;
21834 
21835 	genlmsg_end(msg, hdr);
21836 	genlmsg_unicast(wiphy_net(&rdev->wiphy), msg,
21837 			wdev->conn_owner_nlportid);
21838 	return 0;
21839 
21840  nla_put_failure:
21841 	nlmsg_free(msg);
21842 	return -ENOBUFS;
21843 }
21844 EXPORT_SYMBOL(cfg80211_external_auth_request);
21845 
21846 void cfg80211_update_owe_info_event(struct net_device *netdev,
21847 				    struct cfg80211_update_owe_info *owe_info,
21848 				    gfp_t gfp)
21849 {
21850 	struct wiphy *wiphy = netdev->ieee80211_ptr->wiphy;
21851 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
21852 	struct sk_buff *msg;
21853 	void *hdr;
21854 
21855 	trace_cfg80211_update_owe_info_event(wiphy, netdev, owe_info);
21856 
21857 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
21858 	if (!msg)
21859 		return;
21860 
21861 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_UPDATE_OWE_INFO);
21862 	if (!hdr)
21863 		goto nla_put_failure;
21864 
21865 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
21866 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
21867 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, owe_info->peer))
21868 		goto nla_put_failure;
21869 
21870 	if (!owe_info->ie_len ||
21871 	    nla_put(msg, NL80211_ATTR_IE, owe_info->ie_len, owe_info->ie))
21872 		goto nla_put_failure;
21873 
21874 	if (owe_info->assoc_link_id != -1) {
21875 		if (nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID,
21876 			       owe_info->assoc_link_id))
21877 			goto nla_put_failure;
21878 
21879 		if (!is_zero_ether_addr(owe_info->peer_mld_addr) &&
21880 		    nla_put(msg, NL80211_ATTR_MLD_ADDR, ETH_ALEN,
21881 			    owe_info->peer_mld_addr))
21882 			goto nla_put_failure;
21883 	}
21884 
21885 	genlmsg_end(msg, hdr);
21886 
21887 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
21888 				NL80211_MCGRP_MLME, gfp);
21889 	return;
21890 
21891 nla_put_failure:
21892 	genlmsg_cancel(msg, hdr);
21893 	nlmsg_free(msg);
21894 }
21895 EXPORT_SYMBOL(cfg80211_update_owe_info_event);
21896 
21897 void cfg80211_schedule_channels_check(struct wireless_dev *wdev)
21898 {
21899 	struct wiphy *wiphy = wdev->wiphy;
21900 
21901 	/* Schedule channels check if NO_IR or DFS relaxations are supported */
21902 	if (wdev->iftype == NL80211_IFTYPE_STATION &&
21903 	    (wiphy_ext_feature_isset(wiphy,
21904 				     NL80211_EXT_FEATURE_DFS_CONCURRENT) ||
21905 	    (IS_ENABLED(CONFIG_CFG80211_REG_RELAX_NO_IR) &&
21906 	     wiphy->regulatory_flags & REGULATORY_ENABLE_RELAX_NO_IR)))
21907 		reg_check_channels();
21908 }
21909 EXPORT_SYMBOL(cfg80211_schedule_channels_check);
21910 
21911 void cfg80211_epcs_changed(struct net_device *netdev, bool enabled)
21912 {
21913 	struct wireless_dev *wdev = netdev->ieee80211_ptr;
21914 	struct wiphy *wiphy = wdev->wiphy;
21915 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
21916 	struct sk_buff *msg;
21917 	void *hdr;
21918 
21919 	trace_cfg80211_epcs_changed(wdev, enabled);
21920 
21921 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
21922 	if (!msg)
21923 		return;
21924 
21925 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_EPCS_CFG);
21926 	if (!hdr) {
21927 		nlmsg_free(msg);
21928 		return;
21929 	}
21930 
21931 	if (enabled && nla_put_flag(msg, NL80211_ATTR_EPCS))
21932 		goto nla_put_failure;
21933 
21934 	genlmsg_end(msg, hdr);
21935 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
21936 				NL80211_MCGRP_MLME, GFP_KERNEL);
21937 	return;
21938 
21939  nla_put_failure:
21940 	nlmsg_free(msg);
21941 }
21942 EXPORT_SYMBOL(cfg80211_epcs_changed);
21943 
21944 void cfg80211_next_nan_dw_notif(struct wireless_dev *wdev,
21945 				struct ieee80211_channel *chan, gfp_t gfp)
21946 {
21947 	struct wiphy *wiphy = wdev->wiphy;
21948 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
21949 	struct sk_buff *msg;
21950 	void *hdr;
21951 
21952 	trace_cfg80211_next_nan_dw_notif(wdev, chan);
21953 
21954 	if (!wdev->owner_nlportid)
21955 		return;
21956 
21957 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
21958 	if (!msg)
21959 		return;
21960 
21961 	hdr = nl80211hdr_put(msg, 0, 0, 0,
21962 			     NL80211_CMD_NAN_NEXT_DW_NOTIFICATION);
21963 	if (!hdr)
21964 		goto nla_put_failure;
21965 
21966 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
21967 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
21968 			      NL80211_ATTR_PAD) ||
21969 	    nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ, chan->center_freq))
21970 		goto nla_put_failure;
21971 
21972 	genlmsg_end(msg, hdr);
21973 
21974 	genlmsg_unicast(wiphy_net(wiphy), msg, wdev->owner_nlportid);
21975 
21976 	return;
21977 
21978  nla_put_failure:
21979 	nlmsg_free(msg);
21980 }
21981 EXPORT_SYMBOL(cfg80211_next_nan_dw_notif);
21982 
21983 void cfg80211_nan_cluster_joined(struct wireless_dev *wdev,
21984 				 const u8 *cluster_id, bool new_cluster,
21985 				 gfp_t gfp)
21986 {
21987 	struct wiphy *wiphy = wdev->wiphy;
21988 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
21989 	struct sk_buff *msg;
21990 	void *hdr;
21991 
21992 	trace_cfg80211_nan_cluster_joined(wdev, cluster_id, new_cluster);
21993 
21994 	memcpy(wdev->u.nan.cluster_id, cluster_id, ETH_ALEN);
21995 
21996 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
21997 	if (!msg)
21998 		return;
21999 
22000 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_NAN_CLUSTER_JOINED);
22001 	if (!hdr)
22002 		goto nla_put_failure;
22003 
22004 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
22005 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
22006 			      NL80211_ATTR_PAD) ||
22007 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, cluster_id) ||
22008 	    (new_cluster && nla_put_flag(msg, NL80211_ATTR_NAN_NEW_CLUSTER)))
22009 		goto nla_put_failure;
22010 
22011 	genlmsg_end(msg, hdr);
22012 
22013 	if (!wdev->owner_nlportid)
22014 		genlmsg_multicast_netns(&nl80211_fam, wiphy_net(wiphy),
22015 					msg, 0, NL80211_MCGRP_NAN, gfp);
22016 	else
22017 		genlmsg_unicast(wiphy_net(wiphy), msg,
22018 				wdev->owner_nlportid);
22019 	return;
22020 
22021  nla_put_failure:
22022 	nlmsg_free(msg);
22023 }
22024 EXPORT_SYMBOL(cfg80211_nan_cluster_joined);
22025 
22026 /* initialisation/exit functions */
22027 
22028 int __init nl80211_init(void)
22029 {
22030 	int err;
22031 
22032 	err = genl_register_family(&nl80211_fam);
22033 	if (err)
22034 		return err;
22035 
22036 	err = netlink_register_notifier(&nl80211_netlink_notifier);
22037 	if (err)
22038 		goto err_out;
22039 
22040 	return 0;
22041  err_out:
22042 	genl_unregister_family(&nl80211_fam);
22043 	return err;
22044 }
22045 
22046 void nl80211_exit(void)
22047 {
22048 	netlink_unregister_notifier(&nl80211_netlink_notifier);
22049 	genl_unregister_family(&nl80211_fam);
22050 }
22051