xref: /linux/net/wireless/nl80211.c (revision 1cc3462159babb69c84c39cb1b4e262aef3ea325) 
1 // SPDX-License-Identifier: GPL-2.0-only
2 /*
3  * This is the new netlink-based wireless configuration interface.
4  *
5  * Copyright 2006-2010	Johannes Berg <johannes@sipsolutions.net>
6  * Copyright 2013-2014  Intel Mobile Communications GmbH
7  * Copyright 2015-2017	Intel Deutschland GmbH
8  * Copyright (C) 2018-2024 Intel Corporation
9  */
10 
11 #include <linux/if.h>
12 #include <linux/module.h>
13 #include <linux/err.h>
14 #include <linux/slab.h>
15 #include <linux/list.h>
16 #include <linux/if_ether.h>
17 #include <linux/ieee80211.h>
18 #include <linux/nl80211.h>
19 #include <linux/rtnetlink.h>
20 #include <linux/netlink.h>
21 #include <linux/nospec.h>
22 #include <linux/etherdevice.h>
23 #include <linux/if_vlan.h>
24 #include <net/net_namespace.h>
25 #include <net/genetlink.h>
26 #include <net/cfg80211.h>
27 #include <net/sock.h>
28 #include <net/inet_connection_sock.h>
29 #include "core.h"
30 #include "nl80211.h"
31 #include "reg.h"
32 #include "rdev-ops.h"
33 
34 static int nl80211_crypto_settings(struct cfg80211_registered_device *rdev,
35 				   struct genl_info *info,
36 				   struct cfg80211_crypto_settings *settings,
37 				   int cipher_limit);
38 
39 /* the netlink family */
40 static struct genl_family nl80211_fam;
41 
42 /* multicast groups */
43 enum nl80211_multicast_groups {
44 	NL80211_MCGRP_CONFIG,
45 	NL80211_MCGRP_SCAN,
46 	NL80211_MCGRP_REGULATORY,
47 	NL80211_MCGRP_MLME,
48 	NL80211_MCGRP_VENDOR,
49 	NL80211_MCGRP_NAN,
50 	NL80211_MCGRP_TESTMODE /* keep last - ifdef! */
51 };
52 
53 static const struct genl_multicast_group nl80211_mcgrps[] = {
54 	[NL80211_MCGRP_CONFIG] = { .name = NL80211_MULTICAST_GROUP_CONFIG },
55 	[NL80211_MCGRP_SCAN] = { .name = NL80211_MULTICAST_GROUP_SCAN },
56 	[NL80211_MCGRP_REGULATORY] = { .name = NL80211_MULTICAST_GROUP_REG },
57 	[NL80211_MCGRP_MLME] = { .name = NL80211_MULTICAST_GROUP_MLME },
58 	[NL80211_MCGRP_VENDOR] = { .name = NL80211_MULTICAST_GROUP_VENDOR },
59 	[NL80211_MCGRP_NAN] = { .name = NL80211_MULTICAST_GROUP_NAN },
60 #ifdef CONFIG_NL80211_TESTMODE
61 	[NL80211_MCGRP_TESTMODE] = { .name = NL80211_MULTICAST_GROUP_TESTMODE }
62 #endif
63 };
64 
65 /* returns ERR_PTR values */
66 static struct wireless_dev *
67 __cfg80211_wdev_from_attrs(struct cfg80211_registered_device *rdev,
68 			   struct net *netns, struct nlattr **attrs)
69 {
70 	struct wireless_dev *result = NULL;
71 	bool have_ifidx = attrs[NL80211_ATTR_IFINDEX];
72 	bool have_wdev_id = attrs[NL80211_ATTR_WDEV];
73 	u64 wdev_id = 0;
74 	int wiphy_idx = -1;
75 	int ifidx = -1;
76 
77 	if (!have_ifidx && !have_wdev_id)
78 		return ERR_PTR(-EINVAL);
79 
80 	if (have_ifidx)
81 		ifidx = nla_get_u32(attrs[NL80211_ATTR_IFINDEX]);
82 	if (have_wdev_id) {
83 		wdev_id = nla_get_u64(attrs[NL80211_ATTR_WDEV]);
84 		wiphy_idx = wdev_id >> 32;
85 	}
86 
87 	if (rdev) {
88 		struct wireless_dev *wdev;
89 
90 		lockdep_assert_held(&rdev->wiphy.mtx);
91 
92 		list_for_each_entry(wdev, &rdev->wiphy.wdev_list, list) {
93 			if (have_ifidx && wdev->netdev &&
94 			    wdev->netdev->ifindex == ifidx) {
95 				result = wdev;
96 				break;
97 			}
98 			if (have_wdev_id && wdev->identifier == (u32)wdev_id) {
99 				result = wdev;
100 				break;
101 			}
102 		}
103 
104 		return result ?: ERR_PTR(-ENODEV);
105 	}
106 
107 	ASSERT_RTNL();
108 
109 	for_each_rdev(rdev) {
110 		struct wireless_dev *wdev;
111 
112 		if (wiphy_net(&rdev->wiphy) != netns)
113 			continue;
114 
115 		if (have_wdev_id && rdev->wiphy_idx != wiphy_idx)
116 			continue;
117 
118 		list_for_each_entry(wdev, &rdev->wiphy.wdev_list, list) {
119 			if (have_ifidx && wdev->netdev &&
120 			    wdev->netdev->ifindex == ifidx) {
121 				result = wdev;
122 				break;
123 			}
124 			if (have_wdev_id && wdev->identifier == (u32)wdev_id) {
125 				result = wdev;
126 				break;
127 			}
128 		}
129 
130 		if (result)
131 			break;
132 	}
133 
134 	if (result)
135 		return result;
136 	return ERR_PTR(-ENODEV);
137 }
138 
139 static struct cfg80211_registered_device *
140 __cfg80211_rdev_from_attrs(struct net *netns, struct nlattr **attrs)
141 {
142 	struct cfg80211_registered_device *rdev = NULL, *tmp;
143 	struct net_device *netdev;
144 
145 	ASSERT_RTNL();
146 
147 	if (!attrs[NL80211_ATTR_WIPHY] &&
148 	    !attrs[NL80211_ATTR_IFINDEX] &&
149 	    !attrs[NL80211_ATTR_WDEV])
150 		return ERR_PTR(-EINVAL);
151 
152 	if (attrs[NL80211_ATTR_WIPHY])
153 		rdev = cfg80211_rdev_by_wiphy_idx(
154 				nla_get_u32(attrs[NL80211_ATTR_WIPHY]));
155 
156 	if (attrs[NL80211_ATTR_WDEV]) {
157 		u64 wdev_id = nla_get_u64(attrs[NL80211_ATTR_WDEV]);
158 		struct wireless_dev *wdev;
159 		bool found = false;
160 
161 		tmp = cfg80211_rdev_by_wiphy_idx(wdev_id >> 32);
162 		if (tmp) {
163 			/* make sure wdev exists */
164 			list_for_each_entry(wdev, &tmp->wiphy.wdev_list, list) {
165 				if (wdev->identifier != (u32)wdev_id)
166 					continue;
167 				found = true;
168 				break;
169 			}
170 
171 			if (!found)
172 				tmp = NULL;
173 
174 			if (rdev && tmp != rdev)
175 				return ERR_PTR(-EINVAL);
176 			rdev = tmp;
177 		}
178 	}
179 
180 	if (attrs[NL80211_ATTR_IFINDEX]) {
181 		int ifindex = nla_get_u32(attrs[NL80211_ATTR_IFINDEX]);
182 
183 		netdev = __dev_get_by_index(netns, ifindex);
184 		if (netdev) {
185 			if (netdev->ieee80211_ptr)
186 				tmp = wiphy_to_rdev(
187 					netdev->ieee80211_ptr->wiphy);
188 			else
189 				tmp = NULL;
190 
191 			/* not wireless device -- return error */
192 			if (!tmp)
193 				return ERR_PTR(-EINVAL);
194 
195 			/* mismatch -- return error */
196 			if (rdev && tmp != rdev)
197 				return ERR_PTR(-EINVAL);
198 
199 			rdev = tmp;
200 		}
201 	}
202 
203 	if (!rdev)
204 		return ERR_PTR(-ENODEV);
205 
206 	if (netns != wiphy_net(&rdev->wiphy))
207 		return ERR_PTR(-ENODEV);
208 
209 	return rdev;
210 }
211 
212 /*
213  * This function returns a pointer to the driver
214  * that the genl_info item that is passed refers to.
215  *
216  * The result of this can be a PTR_ERR and hence must
217  * be checked with IS_ERR() for errors.
218  */
219 static struct cfg80211_registered_device *
220 cfg80211_get_dev_from_info(struct net *netns, struct genl_info *info)
221 {
222 	return __cfg80211_rdev_from_attrs(netns, info->attrs);
223 }
224 
225 static int validate_beacon_head(const struct nlattr *attr,
226 				struct netlink_ext_ack *extack)
227 {
228 	const u8 *data = nla_data(attr);
229 	unsigned int len = nla_len(attr);
230 	const struct element *elem;
231 	const struct ieee80211_mgmt *mgmt = (void *)data;
232 	unsigned int fixedlen, hdrlen;
233 	bool s1g_bcn;
234 
235 	if (len < offsetofend(typeof(*mgmt), frame_control))
236 		goto err;
237 
238 	s1g_bcn = ieee80211_is_s1g_beacon(mgmt->frame_control);
239 	if (s1g_bcn) {
240 		fixedlen = offsetof(struct ieee80211_ext,
241 				    u.s1g_beacon.variable);
242 		hdrlen = offsetof(struct ieee80211_ext, u.s1g_beacon);
243 	} else {
244 		fixedlen = offsetof(struct ieee80211_mgmt,
245 				    u.beacon.variable);
246 		hdrlen = offsetof(struct ieee80211_mgmt, u.beacon);
247 	}
248 
249 	if (len < fixedlen)
250 		goto err;
251 
252 	if (ieee80211_hdrlen(mgmt->frame_control) != hdrlen)
253 		goto err;
254 
255 	data += fixedlen;
256 	len -= fixedlen;
257 
258 	for_each_element(elem, data, len) {
259 		/* nothing */
260 	}
261 
262 	if (for_each_element_completed(elem, data, len))
263 		return 0;
264 
265 err:
266 	NL_SET_ERR_MSG_ATTR(extack, attr, "malformed beacon head");
267 	return -EINVAL;
268 }
269 
270 static int validate_ie_attr(const struct nlattr *attr,
271 			    struct netlink_ext_ack *extack)
272 {
273 	const u8 *data = nla_data(attr);
274 	unsigned int len = nla_len(attr);
275 	const struct element *elem;
276 
277 	for_each_element(elem, data, len) {
278 		/* nothing */
279 	}
280 
281 	if (for_each_element_completed(elem, data, len))
282 		return 0;
283 
284 	NL_SET_ERR_MSG_ATTR(extack, attr, "malformed information elements");
285 	return -EINVAL;
286 }
287 
288 static int validate_he_capa(const struct nlattr *attr,
289 			    struct netlink_ext_ack *extack)
290 {
291 	if (!ieee80211_he_capa_size_ok(nla_data(attr), nla_len(attr)))
292 		return -EINVAL;
293 
294 	return 0;
295 }
296 
297 static int validate_supported_selectors(const struct nlattr *attr,
298 					struct netlink_ext_ack *extack)
299 {
300 	const u8 *supported_selectors = nla_data(attr);
301 	u8 supported_selectors_len = nla_len(attr);
302 
303 	/* The top bit must not be set as it is not part of the selector */
304 	for (int i = 0; i < supported_selectors_len; i++) {
305 		if (supported_selectors[i] & 0x80)
306 			return -EINVAL;
307 	}
308 
309 	return 0;
310 }
311 
312 /* policy for the attributes */
313 static const struct nla_policy nl80211_policy[NUM_NL80211_ATTR];
314 
315 static const struct nla_policy
316 nl80211_ftm_responder_policy[NL80211_FTM_RESP_ATTR_MAX + 1] = {
317 	[NL80211_FTM_RESP_ATTR_ENABLED] = { .type = NLA_FLAG, },
318 	[NL80211_FTM_RESP_ATTR_LCI] = { .type = NLA_BINARY,
319 					.len = U8_MAX },
320 	[NL80211_FTM_RESP_ATTR_CIVICLOC] = { .type = NLA_BINARY,
321 					     .len = U8_MAX },
322 };
323 
324 static const struct nla_policy
325 nl80211_pmsr_ftm_req_attr_policy[NL80211_PMSR_FTM_REQ_ATTR_MAX + 1] = {
326 	[NL80211_PMSR_FTM_REQ_ATTR_ASAP] = { .type = NLA_FLAG },
327 	[NL80211_PMSR_FTM_REQ_ATTR_PREAMBLE] = { .type = NLA_U32 },
328 	[NL80211_PMSR_FTM_REQ_ATTR_NUM_BURSTS_EXP] =
329 		NLA_POLICY_MAX(NLA_U8, 15),
330 	[NL80211_PMSR_FTM_REQ_ATTR_BURST_PERIOD] = { .type = NLA_U16 },
331 	[NL80211_PMSR_FTM_REQ_ATTR_BURST_DURATION] =
332 		NLA_POLICY_MAX(NLA_U8, 15),
333 	[NL80211_PMSR_FTM_REQ_ATTR_FTMS_PER_BURST] = { .type = NLA_U8 },
334 	[NL80211_PMSR_FTM_REQ_ATTR_NUM_FTMR_RETRIES] = { .type = NLA_U8 },
335 	[NL80211_PMSR_FTM_REQ_ATTR_REQUEST_LCI] = { .type = NLA_FLAG },
336 	[NL80211_PMSR_FTM_REQ_ATTR_REQUEST_CIVICLOC] = { .type = NLA_FLAG },
337 	[NL80211_PMSR_FTM_REQ_ATTR_TRIGGER_BASED] = { .type = NLA_FLAG },
338 	[NL80211_PMSR_FTM_REQ_ATTR_NON_TRIGGER_BASED] = { .type = NLA_FLAG },
339 	[NL80211_PMSR_FTM_REQ_ATTR_LMR_FEEDBACK] = { .type = NLA_FLAG },
340 	[NL80211_PMSR_FTM_REQ_ATTR_BSS_COLOR] = { .type = NLA_U8 },
341 };
342 
343 static const struct nla_policy
344 nl80211_pmsr_req_data_policy[NL80211_PMSR_TYPE_MAX + 1] = {
345 	[NL80211_PMSR_TYPE_FTM] =
346 		NLA_POLICY_NESTED(nl80211_pmsr_ftm_req_attr_policy),
347 };
348 
349 static const struct nla_policy
350 nl80211_pmsr_req_attr_policy[NL80211_PMSR_REQ_ATTR_MAX + 1] = {
351 	[NL80211_PMSR_REQ_ATTR_DATA] =
352 		NLA_POLICY_NESTED(nl80211_pmsr_req_data_policy),
353 	[NL80211_PMSR_REQ_ATTR_GET_AP_TSF] = { .type = NLA_FLAG },
354 };
355 
356 static const struct nla_policy
357 nl80211_pmsr_peer_attr_policy[NL80211_PMSR_PEER_ATTR_MAX + 1] = {
358 	[NL80211_PMSR_PEER_ATTR_ADDR] = NLA_POLICY_ETH_ADDR,
359 	[NL80211_PMSR_PEER_ATTR_CHAN] = NLA_POLICY_NESTED(nl80211_policy),
360 	[NL80211_PMSR_PEER_ATTR_REQ] =
361 		NLA_POLICY_NESTED(nl80211_pmsr_req_attr_policy),
362 	[NL80211_PMSR_PEER_ATTR_RESP] = { .type = NLA_REJECT },
363 };
364 
365 static const struct nla_policy
366 nl80211_pmsr_attr_policy[NL80211_PMSR_ATTR_MAX + 1] = {
367 	[NL80211_PMSR_ATTR_MAX_PEERS] = { .type = NLA_REJECT },
368 	[NL80211_PMSR_ATTR_REPORT_AP_TSF] = { .type = NLA_REJECT },
369 	[NL80211_PMSR_ATTR_RANDOMIZE_MAC_ADDR] = { .type = NLA_REJECT },
370 	[NL80211_PMSR_ATTR_TYPE_CAPA] = { .type = NLA_REJECT },
371 	[NL80211_PMSR_ATTR_PEERS] =
372 		NLA_POLICY_NESTED_ARRAY(nl80211_pmsr_peer_attr_policy),
373 };
374 
375 static const struct nla_policy
376 he_obss_pd_policy[NL80211_HE_OBSS_PD_ATTR_MAX + 1] = {
377 	[NL80211_HE_OBSS_PD_ATTR_MIN_OFFSET] =
378 		NLA_POLICY_RANGE(NLA_U8, 1, 20),
379 	[NL80211_HE_OBSS_PD_ATTR_MAX_OFFSET] =
380 		NLA_POLICY_RANGE(NLA_U8, 1, 20),
381 	[NL80211_HE_OBSS_PD_ATTR_NON_SRG_MAX_OFFSET] =
382 		NLA_POLICY_RANGE(NLA_U8, 1, 20),
383 	[NL80211_HE_OBSS_PD_ATTR_BSS_COLOR_BITMAP] =
384 		NLA_POLICY_EXACT_LEN(8),
385 	[NL80211_HE_OBSS_PD_ATTR_PARTIAL_BSSID_BITMAP] =
386 		NLA_POLICY_EXACT_LEN(8),
387 	[NL80211_HE_OBSS_PD_ATTR_SR_CTRL] = { .type = NLA_U8 },
388 };
389 
390 static const struct nla_policy
391 he_bss_color_policy[NL80211_HE_BSS_COLOR_ATTR_MAX + 1] = {
392 	[NL80211_HE_BSS_COLOR_ATTR_COLOR] = NLA_POLICY_RANGE(NLA_U8, 1, 63),
393 	[NL80211_HE_BSS_COLOR_ATTR_DISABLED] = { .type = NLA_FLAG },
394 	[NL80211_HE_BSS_COLOR_ATTR_PARTIAL] = { .type = NLA_FLAG },
395 };
396 
397 static const struct nla_policy nl80211_txattr_policy[NL80211_TXRATE_MAX + 1] = {
398 	[NL80211_TXRATE_LEGACY] = { .type = NLA_BINARY,
399 				    .len = NL80211_MAX_SUPP_RATES },
400 	[NL80211_TXRATE_HT] = { .type = NLA_BINARY,
401 				.len = NL80211_MAX_SUPP_HT_RATES },
402 	[NL80211_TXRATE_VHT] = NLA_POLICY_EXACT_LEN_WARN(sizeof(struct nl80211_txrate_vht)),
403 	[NL80211_TXRATE_GI] = { .type = NLA_U8 },
404 	[NL80211_TXRATE_HE] = NLA_POLICY_EXACT_LEN(sizeof(struct nl80211_txrate_he)),
405 	[NL80211_TXRATE_HE_GI] =  NLA_POLICY_RANGE(NLA_U8,
406 						   NL80211_RATE_INFO_HE_GI_0_8,
407 						   NL80211_RATE_INFO_HE_GI_3_2),
408 	[NL80211_TXRATE_HE_LTF] = NLA_POLICY_RANGE(NLA_U8,
409 						   NL80211_RATE_INFO_HE_1XLTF,
410 						   NL80211_RATE_INFO_HE_4XLTF),
411 };
412 
413 static const struct nla_policy
414 nl80211_tid_config_attr_policy[NL80211_TID_CONFIG_ATTR_MAX + 1] = {
415 	[NL80211_TID_CONFIG_ATTR_VIF_SUPP] = { .type = NLA_U64 },
416 	[NL80211_TID_CONFIG_ATTR_PEER_SUPP] = { .type = NLA_U64 },
417 	[NL80211_TID_CONFIG_ATTR_OVERRIDE] = { .type = NLA_FLAG },
418 	[NL80211_TID_CONFIG_ATTR_TIDS] = NLA_POLICY_RANGE(NLA_U16, 1, 0xff),
419 	[NL80211_TID_CONFIG_ATTR_NOACK] =
420 			NLA_POLICY_MAX(NLA_U8, NL80211_TID_CONFIG_DISABLE),
421 	[NL80211_TID_CONFIG_ATTR_RETRY_SHORT] = NLA_POLICY_MIN(NLA_U8, 1),
422 	[NL80211_TID_CONFIG_ATTR_RETRY_LONG] = NLA_POLICY_MIN(NLA_U8, 1),
423 	[NL80211_TID_CONFIG_ATTR_AMPDU_CTRL] =
424 			NLA_POLICY_MAX(NLA_U8, NL80211_TID_CONFIG_DISABLE),
425 	[NL80211_TID_CONFIG_ATTR_RTSCTS_CTRL] =
426 			NLA_POLICY_MAX(NLA_U8, NL80211_TID_CONFIG_DISABLE),
427 	[NL80211_TID_CONFIG_ATTR_AMSDU_CTRL] =
428 			NLA_POLICY_MAX(NLA_U8, NL80211_TID_CONFIG_DISABLE),
429 	[NL80211_TID_CONFIG_ATTR_TX_RATE_TYPE] =
430 			NLA_POLICY_MAX(NLA_U8, NL80211_TX_RATE_FIXED),
431 	[NL80211_TID_CONFIG_ATTR_TX_RATE] =
432 			NLA_POLICY_NESTED(nl80211_txattr_policy),
433 };
434 
435 static const struct nla_policy
436 nl80211_fils_discovery_policy[NL80211_FILS_DISCOVERY_ATTR_MAX + 1] = {
437 	[NL80211_FILS_DISCOVERY_ATTR_INT_MIN] = NLA_POLICY_MAX(NLA_U32, 10000),
438 	[NL80211_FILS_DISCOVERY_ATTR_INT_MAX] = NLA_POLICY_MAX(NLA_U32, 10000),
439 	[NL80211_FILS_DISCOVERY_ATTR_TMPL] =
440 			NLA_POLICY_RANGE(NLA_BINARY,
441 					 NL80211_FILS_DISCOVERY_TMPL_MIN_LEN,
442 					 IEEE80211_MAX_DATA_LEN),
443 };
444 
445 static const struct nla_policy
446 nl80211_unsol_bcast_probe_resp_policy[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_MAX + 1] = {
447 	[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_INT] = NLA_POLICY_MAX(NLA_U32, 20),
448 	[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_TMPL] = { .type = NLA_BINARY,
449 						       .len = IEEE80211_MAX_DATA_LEN }
450 };
451 
452 static const struct nla_policy
453 sar_specs_policy[NL80211_SAR_ATTR_SPECS_MAX + 1] = {
454 	[NL80211_SAR_ATTR_SPECS_POWER] = { .type = NLA_S32 },
455 	[NL80211_SAR_ATTR_SPECS_RANGE_INDEX] = {.type = NLA_U32 },
456 };
457 
458 static const struct nla_policy
459 sar_policy[NL80211_SAR_ATTR_MAX + 1] = {
460 	[NL80211_SAR_ATTR_TYPE] = NLA_POLICY_MAX(NLA_U32, NUM_NL80211_SAR_TYPE),
461 	[NL80211_SAR_ATTR_SPECS] = NLA_POLICY_NESTED_ARRAY(sar_specs_policy),
462 };
463 
464 static const struct nla_policy
465 nl80211_mbssid_config_policy[NL80211_MBSSID_CONFIG_ATTR_MAX + 1] = {
466 	[NL80211_MBSSID_CONFIG_ATTR_MAX_INTERFACES] = NLA_POLICY_MIN(NLA_U8, 2),
467 	[NL80211_MBSSID_CONFIG_ATTR_MAX_EMA_PROFILE_PERIODICITY] =
468 						NLA_POLICY_MIN(NLA_U8, 1),
469 	[NL80211_MBSSID_CONFIG_ATTR_INDEX] = { .type = NLA_U8 },
470 	[NL80211_MBSSID_CONFIG_ATTR_TX_IFINDEX] = { .type = NLA_U32 },
471 	[NL80211_MBSSID_CONFIG_ATTR_EMA] = { .type = NLA_FLAG },
472 };
473 
474 static const struct nla_policy
475 nl80211_sta_wme_policy[NL80211_STA_WME_MAX + 1] = {
476 	[NL80211_STA_WME_UAPSD_QUEUES] = { .type = NLA_U8 },
477 	[NL80211_STA_WME_MAX_SP] = { .type = NLA_U8 },
478 };
479 
480 static const struct netlink_range_validation nl80211_punct_bitmap_range = {
481 	.min = 0,
482 	.max = 0xffff,
483 };
484 
485 static const struct netlink_range_validation q_range = {
486 	.max = INT_MAX,
487 };
488 
489 static const struct nla_policy nl80211_policy[NUM_NL80211_ATTR] = {
490 	[0] = { .strict_start_type = NL80211_ATTR_HE_OBSS_PD },
491 	[NL80211_ATTR_WIPHY] = { .type = NLA_U32 },
492 	[NL80211_ATTR_WIPHY_NAME] = { .type = NLA_NUL_STRING,
493 				      .len = 20-1 },
494 	[NL80211_ATTR_WIPHY_TXQ_PARAMS] = { .type = NLA_NESTED },
495 
496 	[NL80211_ATTR_WIPHY_FREQ] = { .type = NLA_U32 },
497 	[NL80211_ATTR_WIPHY_CHANNEL_TYPE] = { .type = NLA_U32 },
498 	[NL80211_ATTR_WIPHY_EDMG_CHANNELS] = NLA_POLICY_RANGE(NLA_U8,
499 						NL80211_EDMG_CHANNELS_MIN,
500 						NL80211_EDMG_CHANNELS_MAX),
501 	[NL80211_ATTR_WIPHY_EDMG_BW_CONFIG] = NLA_POLICY_RANGE(NLA_U8,
502 						NL80211_EDMG_BW_CONFIG_MIN,
503 						NL80211_EDMG_BW_CONFIG_MAX),
504 
505 	[NL80211_ATTR_CHANNEL_WIDTH] = { .type = NLA_U32 },
506 	[NL80211_ATTR_CENTER_FREQ1] = { .type = NLA_U32 },
507 	[NL80211_ATTR_CENTER_FREQ1_OFFSET] = NLA_POLICY_RANGE(NLA_U32, 0, 999),
508 	[NL80211_ATTR_CENTER_FREQ2] = { .type = NLA_U32 },
509 
510 	[NL80211_ATTR_WIPHY_RETRY_SHORT] = NLA_POLICY_MIN(NLA_U8, 1),
511 	[NL80211_ATTR_WIPHY_RETRY_LONG] = NLA_POLICY_MIN(NLA_U8, 1),
512 	[NL80211_ATTR_WIPHY_FRAG_THRESHOLD] = { .type = NLA_U32 },
513 	[NL80211_ATTR_WIPHY_RTS_THRESHOLD] = { .type = NLA_U32 },
514 	[NL80211_ATTR_WIPHY_COVERAGE_CLASS] = { .type = NLA_U8 },
515 	[NL80211_ATTR_WIPHY_DYN_ACK] = { .type = NLA_FLAG },
516 
517 	[NL80211_ATTR_IFTYPE] = NLA_POLICY_MAX(NLA_U32, NL80211_IFTYPE_MAX),
518 	[NL80211_ATTR_IFINDEX] = { .type = NLA_U32 },
519 	[NL80211_ATTR_IFNAME] = { .type = NLA_NUL_STRING, .len = IFNAMSIZ-1 },
520 
521 	[NL80211_ATTR_MAC] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
522 	[NL80211_ATTR_PREV_BSSID] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
523 
524 	[NL80211_ATTR_KEY] = { .type = NLA_NESTED, },
525 	[NL80211_ATTR_KEY_DATA] = { .type = NLA_BINARY,
526 				    .len = WLAN_MAX_KEY_LEN },
527 	[NL80211_ATTR_KEY_IDX] = NLA_POLICY_MAX(NLA_U8, 7),
528 	[NL80211_ATTR_KEY_CIPHER] = { .type = NLA_U32 },
529 	[NL80211_ATTR_KEY_DEFAULT] = { .type = NLA_FLAG },
530 	[NL80211_ATTR_KEY_SEQ] = { .type = NLA_BINARY, .len = 16 },
531 	[NL80211_ATTR_KEY_TYPE] =
532 		NLA_POLICY_MAX(NLA_U32, NUM_NL80211_KEYTYPES),
533 
534 	[NL80211_ATTR_BEACON_INTERVAL] = { .type = NLA_U32 },
535 	[NL80211_ATTR_DTIM_PERIOD] = { .type = NLA_U32 },
536 	[NL80211_ATTR_BEACON_HEAD] =
537 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_beacon_head,
538 				       IEEE80211_MAX_DATA_LEN),
539 	[NL80211_ATTR_BEACON_TAIL] =
540 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_ie_attr,
541 				       IEEE80211_MAX_DATA_LEN),
542 	[NL80211_ATTR_STA_AID] =
543 		NLA_POLICY_RANGE(NLA_U16, 1, IEEE80211_MAX_AID),
544 	[NL80211_ATTR_STA_FLAGS] = { .type = NLA_NESTED },
545 	[NL80211_ATTR_STA_LISTEN_INTERVAL] = { .type = NLA_U16 },
546 	[NL80211_ATTR_STA_SUPPORTED_RATES] = { .type = NLA_BINARY,
547 					       .len = NL80211_MAX_SUPP_RATES },
548 	[NL80211_ATTR_STA_PLINK_ACTION] =
549 		NLA_POLICY_MAX(NLA_U8, NUM_NL80211_PLINK_ACTIONS - 1),
550 	[NL80211_ATTR_STA_TX_POWER_SETTING] =
551 		NLA_POLICY_RANGE(NLA_U8,
552 				 NL80211_TX_POWER_AUTOMATIC,
553 				 NL80211_TX_POWER_FIXED),
554 	[NL80211_ATTR_STA_TX_POWER] = { .type = NLA_S16 },
555 	[NL80211_ATTR_STA_VLAN] = { .type = NLA_U32 },
556 	[NL80211_ATTR_MNTR_FLAGS] = { /* NLA_NESTED can't be empty */ },
557 	[NL80211_ATTR_MESH_ID] = { .type = NLA_BINARY,
558 				   .len = IEEE80211_MAX_MESH_ID_LEN },
559 	[NL80211_ATTR_MPATH_NEXT_HOP] = NLA_POLICY_ETH_ADDR_COMPAT,
560 
561 	/* allow 3 for NUL-termination, we used to declare this NLA_STRING */
562 	[NL80211_ATTR_REG_ALPHA2] = NLA_POLICY_RANGE(NLA_BINARY, 2, 3),
563 	[NL80211_ATTR_REG_RULES] = { .type = NLA_NESTED },
564 
565 	[NL80211_ATTR_BSS_CTS_PROT] = { .type = NLA_U8 },
566 	[NL80211_ATTR_BSS_SHORT_PREAMBLE] = { .type = NLA_U8 },
567 	[NL80211_ATTR_BSS_SHORT_SLOT_TIME] = { .type = NLA_U8 },
568 	[NL80211_ATTR_BSS_BASIC_RATES] = { .type = NLA_BINARY,
569 					   .len = NL80211_MAX_SUPP_RATES },
570 	[NL80211_ATTR_BSS_HT_OPMODE] = { .type = NLA_U16 },
571 
572 	[NL80211_ATTR_MESH_CONFIG] = { .type = NLA_NESTED },
573 	[NL80211_ATTR_SUPPORT_MESH_AUTH] = { .type = NLA_FLAG },
574 
575 	[NL80211_ATTR_HT_CAPABILITY] = NLA_POLICY_EXACT_LEN_WARN(NL80211_HT_CAPABILITY_LEN),
576 
577 	[NL80211_ATTR_MGMT_SUBTYPE] = { .type = NLA_U8 },
578 	[NL80211_ATTR_IE] = NLA_POLICY_VALIDATE_FN(NLA_BINARY,
579 						   validate_ie_attr,
580 						   IEEE80211_MAX_DATA_LEN),
581 	[NL80211_ATTR_SCAN_FREQUENCIES] = { .type = NLA_NESTED },
582 	[NL80211_ATTR_SCAN_SSIDS] = { .type = NLA_NESTED },
583 
584 	[NL80211_ATTR_SSID] = { .type = NLA_BINARY,
585 				.len = IEEE80211_MAX_SSID_LEN },
586 	[NL80211_ATTR_AUTH_TYPE] = { .type = NLA_U32 },
587 	[NL80211_ATTR_REASON_CODE] = { .type = NLA_U16 },
588 	[NL80211_ATTR_FREQ_FIXED] = { .type = NLA_FLAG },
589 	[NL80211_ATTR_TIMED_OUT] = { .type = NLA_FLAG },
590 	[NL80211_ATTR_USE_MFP] = NLA_POLICY_RANGE(NLA_U32,
591 						  NL80211_MFP_NO,
592 						  NL80211_MFP_OPTIONAL),
593 	[NL80211_ATTR_STA_FLAGS2] =
594 		NLA_POLICY_EXACT_LEN_WARN(sizeof(struct nl80211_sta_flag_update)),
595 	[NL80211_ATTR_CONTROL_PORT] = { .type = NLA_FLAG },
596 	[NL80211_ATTR_CONTROL_PORT_ETHERTYPE] = { .type = NLA_U16 },
597 	[NL80211_ATTR_CONTROL_PORT_NO_ENCRYPT] = { .type = NLA_FLAG },
598 	[NL80211_ATTR_CONTROL_PORT_OVER_NL80211] = { .type = NLA_FLAG },
599 	[NL80211_ATTR_PRIVACY] = { .type = NLA_FLAG },
600 	[NL80211_ATTR_STATUS_CODE] = { .type = NLA_U16 },
601 	[NL80211_ATTR_CIPHER_SUITE_GROUP] = { .type = NLA_U32 },
602 	[NL80211_ATTR_WPA_VERSIONS] =
603 		NLA_POLICY_RANGE(NLA_U32, 0,
604 				 NL80211_WPA_VERSION_1 |
605 				 NL80211_WPA_VERSION_2 |
606 				 NL80211_WPA_VERSION_3),
607 	[NL80211_ATTR_PID] = { .type = NLA_U32 },
608 	[NL80211_ATTR_4ADDR] = { .type = NLA_U8 },
609 	[NL80211_ATTR_PMKID] = NLA_POLICY_EXACT_LEN_WARN(WLAN_PMKID_LEN),
610 	[NL80211_ATTR_DURATION] = { .type = NLA_U32 },
611 	[NL80211_ATTR_COOKIE] = { .type = NLA_U64 },
612 	[NL80211_ATTR_TX_RATES] = { .type = NLA_NESTED },
613 	[NL80211_ATTR_FRAME] = { .type = NLA_BINARY,
614 				 .len = IEEE80211_MAX_DATA_LEN },
615 	[NL80211_ATTR_FRAME_MATCH] = { .type = NLA_BINARY, },
616 	[NL80211_ATTR_PS_STATE] = NLA_POLICY_RANGE(NLA_U32,
617 						   NL80211_PS_DISABLED,
618 						   NL80211_PS_ENABLED),
619 	[NL80211_ATTR_CQM] = { .type = NLA_NESTED, },
620 	[NL80211_ATTR_LOCAL_STATE_CHANGE] = { .type = NLA_FLAG },
621 	[NL80211_ATTR_AP_ISOLATE] = { .type = NLA_U8 },
622 	[NL80211_ATTR_WIPHY_TX_POWER_SETTING] = { .type = NLA_U32 },
623 	[NL80211_ATTR_WIPHY_TX_POWER_LEVEL] = { .type = NLA_U32 },
624 	[NL80211_ATTR_FRAME_TYPE] = { .type = NLA_U16 },
625 	[NL80211_ATTR_WIPHY_ANTENNA_TX] = { .type = NLA_U32 },
626 	[NL80211_ATTR_WIPHY_ANTENNA_RX] = { .type = NLA_U32 },
627 	[NL80211_ATTR_MCAST_RATE] = { .type = NLA_U32 },
628 	[NL80211_ATTR_OFFCHANNEL_TX_OK] = { .type = NLA_FLAG },
629 	[NL80211_ATTR_KEY_DEFAULT_TYPES] = { .type = NLA_NESTED },
630 	[NL80211_ATTR_WOWLAN_TRIGGERS] = { .type = NLA_NESTED },
631 	[NL80211_ATTR_STA_PLINK_STATE] =
632 		NLA_POLICY_MAX(NLA_U8, NUM_NL80211_PLINK_STATES - 1),
633 	[NL80211_ATTR_MEASUREMENT_DURATION] = { .type = NLA_U16 },
634 	[NL80211_ATTR_MEASUREMENT_DURATION_MANDATORY] = { .type = NLA_FLAG },
635 	[NL80211_ATTR_MESH_PEER_AID] =
636 		NLA_POLICY_RANGE(NLA_U16, 1, IEEE80211_MAX_AID),
637 	[NL80211_ATTR_SCHED_SCAN_INTERVAL] = { .type = NLA_U32 },
638 	[NL80211_ATTR_REKEY_DATA] = { .type = NLA_NESTED },
639 	[NL80211_ATTR_SCAN_SUPP_RATES] = { .type = NLA_NESTED },
640 	[NL80211_ATTR_HIDDEN_SSID] =
641 		NLA_POLICY_RANGE(NLA_U32,
642 				 NL80211_HIDDEN_SSID_NOT_IN_USE,
643 				 NL80211_HIDDEN_SSID_ZERO_CONTENTS),
644 	[NL80211_ATTR_IE_PROBE_RESP] =
645 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_ie_attr,
646 				       IEEE80211_MAX_DATA_LEN),
647 	[NL80211_ATTR_IE_ASSOC_RESP] =
648 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_ie_attr,
649 				       IEEE80211_MAX_DATA_LEN),
650 	[NL80211_ATTR_ROAM_SUPPORT] = { .type = NLA_FLAG },
651 	[NL80211_ATTR_STA_WME] = NLA_POLICY_NESTED(nl80211_sta_wme_policy),
652 	[NL80211_ATTR_SCHED_SCAN_MATCH] = { .type = NLA_NESTED },
653 	[NL80211_ATTR_TX_NO_CCK_RATE] = { .type = NLA_FLAG },
654 	[NL80211_ATTR_TDLS_ACTION] = { .type = NLA_U8 },
655 	[NL80211_ATTR_TDLS_DIALOG_TOKEN] = { .type = NLA_U8 },
656 	[NL80211_ATTR_TDLS_OPERATION] = { .type = NLA_U8 },
657 	[NL80211_ATTR_TDLS_SUPPORT] = { .type = NLA_FLAG },
658 	[NL80211_ATTR_TDLS_EXTERNAL_SETUP] = { .type = NLA_FLAG },
659 	[NL80211_ATTR_TDLS_INITIATOR] = { .type = NLA_FLAG },
660 	[NL80211_ATTR_DONT_WAIT_FOR_ACK] = { .type = NLA_FLAG },
661 	[NL80211_ATTR_PROBE_RESP] = { .type = NLA_BINARY,
662 				      .len = IEEE80211_MAX_DATA_LEN },
663 	[NL80211_ATTR_DFS_REGION] = { .type = NLA_U8 },
664 	[NL80211_ATTR_DISABLE_HT] = { .type = NLA_FLAG },
665 	[NL80211_ATTR_HT_CAPABILITY_MASK] = {
666 		.len = NL80211_HT_CAPABILITY_LEN
667 	},
668 	[NL80211_ATTR_NOACK_MAP] = { .type = NLA_U16 },
669 	[NL80211_ATTR_INACTIVITY_TIMEOUT] = { .type = NLA_U16 },
670 	[NL80211_ATTR_BG_SCAN_PERIOD] = { .type = NLA_U16 },
671 	[NL80211_ATTR_WDEV] = { .type = NLA_U64 },
672 	[NL80211_ATTR_USER_REG_HINT_TYPE] = { .type = NLA_U32 },
673 
674 	/* need to include at least Auth Transaction and Status Code */
675 	[NL80211_ATTR_AUTH_DATA] = NLA_POLICY_MIN_LEN(4),
676 
677 	[NL80211_ATTR_VHT_CAPABILITY] = NLA_POLICY_EXACT_LEN_WARN(NL80211_VHT_CAPABILITY_LEN),
678 	[NL80211_ATTR_SCAN_FLAGS] = { .type = NLA_U32 },
679 	[NL80211_ATTR_P2P_CTWINDOW] = NLA_POLICY_MAX(NLA_U8, 127),
680 	[NL80211_ATTR_P2P_OPPPS] = NLA_POLICY_MAX(NLA_U8, 1),
681 	[NL80211_ATTR_LOCAL_MESH_POWER_MODE] =
682 		NLA_POLICY_RANGE(NLA_U32,
683 				 NL80211_MESH_POWER_UNKNOWN + 1,
684 				 NL80211_MESH_POWER_MAX),
685 	[NL80211_ATTR_ACL_POLICY] = {. type = NLA_U32 },
686 	[NL80211_ATTR_MAC_ADDRS] = { .type = NLA_NESTED },
687 	[NL80211_ATTR_STA_CAPABILITY] = { .type = NLA_U16 },
688 	[NL80211_ATTR_STA_EXT_CAPABILITY] = { .type = NLA_BINARY, },
689 	[NL80211_ATTR_SPLIT_WIPHY_DUMP] = { .type = NLA_FLAG, },
690 	[NL80211_ATTR_DISABLE_VHT] = { .type = NLA_FLAG },
691 	[NL80211_ATTR_VHT_CAPABILITY_MASK] = {
692 		.len = NL80211_VHT_CAPABILITY_LEN,
693 	},
694 	[NL80211_ATTR_MDID] = { .type = NLA_U16 },
695 	[NL80211_ATTR_IE_RIC] = { .type = NLA_BINARY,
696 				  .len = IEEE80211_MAX_DATA_LEN },
697 	[NL80211_ATTR_CRIT_PROT_ID] = { .type = NLA_U16 },
698 	[NL80211_ATTR_MAX_CRIT_PROT_DURATION] =
699 		NLA_POLICY_MAX(NLA_U16, NL80211_CRIT_PROTO_MAX_DURATION),
700 	[NL80211_ATTR_PEER_AID] =
701 		NLA_POLICY_RANGE(NLA_U16, 1, IEEE80211_MAX_AID),
702 	[NL80211_ATTR_CH_SWITCH_COUNT] = { .type = NLA_U32 },
703 	[NL80211_ATTR_CH_SWITCH_BLOCK_TX] = { .type = NLA_FLAG },
704 	[NL80211_ATTR_CSA_IES] = { .type = NLA_NESTED },
705 	[NL80211_ATTR_CNTDWN_OFFS_BEACON] = { .type = NLA_BINARY },
706 	[NL80211_ATTR_CNTDWN_OFFS_PRESP] = { .type = NLA_BINARY },
707 	[NL80211_ATTR_STA_SUPPORTED_CHANNELS] = NLA_POLICY_MIN_LEN(2),
708 	/*
709 	 * The value of the Length field of the Supported Operating
710 	 * Classes element is between 2 and 253.
711 	 */
712 	[NL80211_ATTR_STA_SUPPORTED_OPER_CLASSES] =
713 		NLA_POLICY_RANGE(NLA_BINARY, 2, 253),
714 	[NL80211_ATTR_HANDLE_DFS] = { .type = NLA_FLAG },
715 	[NL80211_ATTR_OPMODE_NOTIF] = { .type = NLA_U8 },
716 	[NL80211_ATTR_VENDOR_ID] = { .type = NLA_U32 },
717 	[NL80211_ATTR_VENDOR_SUBCMD] = { .type = NLA_U32 },
718 	[NL80211_ATTR_VENDOR_DATA] = { .type = NLA_BINARY },
719 	[NL80211_ATTR_QOS_MAP] = NLA_POLICY_RANGE(NLA_BINARY,
720 						  IEEE80211_QOS_MAP_LEN_MIN,
721 						  IEEE80211_QOS_MAP_LEN_MAX),
722 	[NL80211_ATTR_MAC_HINT] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
723 	[NL80211_ATTR_WIPHY_FREQ_HINT] = { .type = NLA_U32 },
724 	[NL80211_ATTR_TDLS_PEER_CAPABILITY] = { .type = NLA_U32 },
725 	[NL80211_ATTR_SOCKET_OWNER] = { .type = NLA_FLAG },
726 	[NL80211_ATTR_CSA_C_OFFSETS_TX] = { .type = NLA_BINARY },
727 	[NL80211_ATTR_USE_RRM] = { .type = NLA_FLAG },
728 	[NL80211_ATTR_TSID] = NLA_POLICY_MAX(NLA_U8, IEEE80211_NUM_TIDS - 1),
729 	[NL80211_ATTR_USER_PRIO] =
730 		NLA_POLICY_MAX(NLA_U8, IEEE80211_NUM_UPS - 1),
731 	[NL80211_ATTR_ADMITTED_TIME] = { .type = NLA_U16 },
732 	[NL80211_ATTR_SMPS_MODE] = { .type = NLA_U8 },
733 	[NL80211_ATTR_OPER_CLASS] = { .type = NLA_U8 },
734 	[NL80211_ATTR_MAC_MASK] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
735 	[NL80211_ATTR_WIPHY_SELF_MANAGED_REG] = { .type = NLA_FLAG },
736 	[NL80211_ATTR_NETNS_FD] = { .type = NLA_U32 },
737 	[NL80211_ATTR_SCHED_SCAN_DELAY] = { .type = NLA_U32 },
738 	[NL80211_ATTR_REG_INDOOR] = { .type = NLA_FLAG },
739 	[NL80211_ATTR_PBSS] = { .type = NLA_FLAG },
740 	[NL80211_ATTR_BSS_SELECT] = { .type = NLA_NESTED },
741 	[NL80211_ATTR_STA_SUPPORT_P2P_PS] =
742 		NLA_POLICY_MAX(NLA_U8, NUM_NL80211_P2P_PS_STATUS - 1),
743 	[NL80211_ATTR_MU_MIMO_GROUP_DATA] = {
744 		.len = VHT_MUMIMO_GROUPS_DATA_LEN
745 	},
746 	[NL80211_ATTR_MU_MIMO_FOLLOW_MAC_ADDR] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
747 	[NL80211_ATTR_NAN_MASTER_PREF] = NLA_POLICY_MIN(NLA_U8, 1),
748 	[NL80211_ATTR_BANDS] = { .type = NLA_U32 },
749 	[NL80211_ATTR_NAN_FUNC] = { .type = NLA_NESTED },
750 	[NL80211_ATTR_FILS_KEK] = { .type = NLA_BINARY,
751 				    .len = FILS_MAX_KEK_LEN },
752 	[NL80211_ATTR_FILS_NONCES] = NLA_POLICY_EXACT_LEN_WARN(2 * FILS_NONCE_LEN),
753 	[NL80211_ATTR_MULTICAST_TO_UNICAST_ENABLED] = { .type = NLA_FLAG, },
754 	[NL80211_ATTR_BSSID] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
755 	[NL80211_ATTR_SCHED_SCAN_RELATIVE_RSSI] = { .type = NLA_S8 },
756 	[NL80211_ATTR_SCHED_SCAN_RSSI_ADJUST] = {
757 		.len = sizeof(struct nl80211_bss_select_rssi_adjust)
758 	},
759 	[NL80211_ATTR_TIMEOUT_REASON] = { .type = NLA_U32 },
760 	[NL80211_ATTR_FILS_ERP_USERNAME] = { .type = NLA_BINARY,
761 					     .len = FILS_ERP_MAX_USERNAME_LEN },
762 	[NL80211_ATTR_FILS_ERP_REALM] = { .type = NLA_BINARY,
763 					  .len = FILS_ERP_MAX_REALM_LEN },
764 	[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM] = { .type = NLA_U16 },
765 	[NL80211_ATTR_FILS_ERP_RRK] = { .type = NLA_BINARY,
766 					.len = FILS_ERP_MAX_RRK_LEN },
767 	[NL80211_ATTR_FILS_CACHE_ID] = NLA_POLICY_EXACT_LEN_WARN(2),
768 	[NL80211_ATTR_PMK] = { .type = NLA_BINARY, .len = PMK_MAX_LEN },
769 	[NL80211_ATTR_PMKR0_NAME] = NLA_POLICY_EXACT_LEN(WLAN_PMK_NAME_LEN),
770 	[NL80211_ATTR_SCHED_SCAN_MULTI] = { .type = NLA_FLAG },
771 	[NL80211_ATTR_EXTERNAL_AUTH_SUPPORT] = { .type = NLA_FLAG },
772 
773 	[NL80211_ATTR_TXQ_LIMIT] = { .type = NLA_U32 },
774 	[NL80211_ATTR_TXQ_MEMORY_LIMIT] = { .type = NLA_U32 },
775 	[NL80211_ATTR_TXQ_QUANTUM] = NLA_POLICY_FULL_RANGE(NLA_U32, &q_range),
776 	[NL80211_ATTR_HE_CAPABILITY] =
777 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_he_capa,
778 				       NL80211_HE_MAX_CAPABILITY_LEN),
779 	[NL80211_ATTR_FTM_RESPONDER] =
780 		NLA_POLICY_NESTED(nl80211_ftm_responder_policy),
781 	[NL80211_ATTR_TIMEOUT] = NLA_POLICY_MIN(NLA_U32, 1),
782 	[NL80211_ATTR_PEER_MEASUREMENTS] =
783 		NLA_POLICY_NESTED(nl80211_pmsr_attr_policy),
784 	[NL80211_ATTR_AIRTIME_WEIGHT] = NLA_POLICY_MIN(NLA_U16, 1),
785 	[NL80211_ATTR_SAE_PASSWORD] = { .type = NLA_BINARY,
786 					.len = SAE_PASSWORD_MAX_LEN },
787 	[NL80211_ATTR_TWT_RESPONDER] = { .type = NLA_FLAG },
788 	[NL80211_ATTR_HE_OBSS_PD] = NLA_POLICY_NESTED(he_obss_pd_policy),
789 	[NL80211_ATTR_VLAN_ID] = NLA_POLICY_RANGE(NLA_U16, 1, VLAN_N_VID - 2),
790 	[NL80211_ATTR_HE_BSS_COLOR] = NLA_POLICY_NESTED(he_bss_color_policy),
791 	[NL80211_ATTR_TID_CONFIG] =
792 		NLA_POLICY_NESTED_ARRAY(nl80211_tid_config_attr_policy),
793 	[NL80211_ATTR_CONTROL_PORT_NO_PREAUTH] = { .type = NLA_FLAG },
794 	[NL80211_ATTR_PMK_LIFETIME] = NLA_POLICY_MIN(NLA_U32, 1),
795 	[NL80211_ATTR_PMK_REAUTH_THRESHOLD] = NLA_POLICY_RANGE(NLA_U8, 1, 100),
796 	[NL80211_ATTR_RECEIVE_MULTICAST] = { .type = NLA_FLAG },
797 	[NL80211_ATTR_WIPHY_FREQ_OFFSET] = NLA_POLICY_RANGE(NLA_U32, 0, 999),
798 	[NL80211_ATTR_SCAN_FREQ_KHZ] = { .type = NLA_NESTED },
799 	[NL80211_ATTR_HE_6GHZ_CAPABILITY] =
800 		NLA_POLICY_EXACT_LEN(sizeof(struct ieee80211_he_6ghz_capa)),
801 	[NL80211_ATTR_FILS_DISCOVERY] =
802 		NLA_POLICY_NESTED(nl80211_fils_discovery_policy),
803 	[NL80211_ATTR_UNSOL_BCAST_PROBE_RESP] =
804 		NLA_POLICY_NESTED(nl80211_unsol_bcast_probe_resp_policy),
805 	[NL80211_ATTR_S1G_CAPABILITY] =
806 		NLA_POLICY_EXACT_LEN(IEEE80211_S1G_CAPABILITY_LEN),
807 	[NL80211_ATTR_S1G_CAPABILITY_MASK] =
808 		NLA_POLICY_EXACT_LEN(IEEE80211_S1G_CAPABILITY_LEN),
809 	[NL80211_ATTR_SAE_PWE] =
810 		NLA_POLICY_RANGE(NLA_U8, NL80211_SAE_PWE_HUNT_AND_PECK,
811 				 NL80211_SAE_PWE_BOTH),
812 	[NL80211_ATTR_RECONNECT_REQUESTED] = { .type = NLA_REJECT },
813 	[NL80211_ATTR_SAR_SPEC] = NLA_POLICY_NESTED(sar_policy),
814 	[NL80211_ATTR_DISABLE_HE] = { .type = NLA_FLAG },
815 	[NL80211_ATTR_OBSS_COLOR_BITMAP] = { .type = NLA_U64 },
816 	[NL80211_ATTR_COLOR_CHANGE_COUNT] = { .type = NLA_U8 },
817 	[NL80211_ATTR_COLOR_CHANGE_COLOR] = { .type = NLA_U8 },
818 	[NL80211_ATTR_COLOR_CHANGE_ELEMS] = NLA_POLICY_NESTED(nl80211_policy),
819 	[NL80211_ATTR_MBSSID_CONFIG] =
820 			NLA_POLICY_NESTED(nl80211_mbssid_config_policy),
821 	[NL80211_ATTR_MBSSID_ELEMS] = { .type = NLA_NESTED },
822 	[NL80211_ATTR_RADAR_BACKGROUND] = { .type = NLA_FLAG },
823 	[NL80211_ATTR_AP_SETTINGS_FLAGS] = { .type = NLA_U32 },
824 	[NL80211_ATTR_EHT_CAPABILITY] =
825 		NLA_POLICY_RANGE(NLA_BINARY,
826 				 NL80211_EHT_MIN_CAPABILITY_LEN,
827 				 NL80211_EHT_MAX_CAPABILITY_LEN),
828 	[NL80211_ATTR_DISABLE_EHT] = { .type = NLA_FLAG },
829 	[NL80211_ATTR_MLO_LINKS] =
830 		NLA_POLICY_NESTED_ARRAY(nl80211_policy),
831 	[NL80211_ATTR_MLO_LINK_ID] =
832 		NLA_POLICY_RANGE(NLA_U8, 0, IEEE80211_MLD_MAX_NUM_LINKS - 1),
833 	[NL80211_ATTR_MLD_ADDR] = NLA_POLICY_EXACT_LEN(ETH_ALEN),
834 	[NL80211_ATTR_MLO_SUPPORT] = { .type = NLA_FLAG },
835 	[NL80211_ATTR_MAX_NUM_AKM_SUITES] = { .type = NLA_REJECT },
836 	[NL80211_ATTR_PUNCT_BITMAP] =
837 		NLA_POLICY_FULL_RANGE(NLA_U32, &nl80211_punct_bitmap_range),
838 
839 	[NL80211_ATTR_MAX_HW_TIMESTAMP_PEERS] = { .type = NLA_U16 },
840 	[NL80211_ATTR_HW_TIMESTAMP_ENABLED] = { .type = NLA_FLAG },
841 	[NL80211_ATTR_EMA_RNR_ELEMS] = { .type = NLA_NESTED },
842 	[NL80211_ATTR_MLO_LINK_DISABLED] = { .type = NLA_FLAG },
843 	[NL80211_ATTR_BSS_DUMP_INCLUDE_USE_DATA] = { .type = NLA_FLAG },
844 	[NL80211_ATTR_MLO_TTLM_DLINK] = NLA_POLICY_EXACT_LEN(sizeof(u16) * 8),
845 	[NL80211_ATTR_MLO_TTLM_ULINK] = NLA_POLICY_EXACT_LEN(sizeof(u16) * 8),
846 	[NL80211_ATTR_ASSOC_SPP_AMSDU] = { .type = NLA_FLAG },
847 	[NL80211_ATTR_VIF_RADIO_MASK] = { .type = NLA_U32 },
848 	[NL80211_ATTR_SUPPORTED_SELECTORS] =
849 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_supported_selectors,
850 				       NL80211_MAX_SUPP_SELECTORS),
851 	[NL80211_ATTR_MLO_RECONF_REM_LINKS] = { .type = NLA_U16 },
852 	[NL80211_ATTR_EPCS] = { .type = NLA_FLAG },
853 };
854 
855 /* policy for the key attributes */
856 static const struct nla_policy nl80211_key_policy[NL80211_KEY_MAX + 1] = {
857 	[NL80211_KEY_DATA] = { .type = NLA_BINARY, .len = WLAN_MAX_KEY_LEN },
858 	[NL80211_KEY_IDX] = { .type = NLA_U8 },
859 	[NL80211_KEY_CIPHER] = { .type = NLA_U32 },
860 	[NL80211_KEY_SEQ] = { .type = NLA_BINARY, .len = 16 },
861 	[NL80211_KEY_DEFAULT] = { .type = NLA_FLAG },
862 	[NL80211_KEY_DEFAULT_MGMT] = { .type = NLA_FLAG },
863 	[NL80211_KEY_TYPE] = NLA_POLICY_MAX(NLA_U32, NUM_NL80211_KEYTYPES - 1),
864 	[NL80211_KEY_DEFAULT_TYPES] = { .type = NLA_NESTED },
865 	[NL80211_KEY_MODE] = NLA_POLICY_RANGE(NLA_U8, 0, NL80211_KEY_SET_TX),
866 };
867 
868 /* policy for the key default flags */
869 static const struct nla_policy
870 nl80211_key_default_policy[NUM_NL80211_KEY_DEFAULT_TYPES] = {
871 	[NL80211_KEY_DEFAULT_TYPE_UNICAST] = { .type = NLA_FLAG },
872 	[NL80211_KEY_DEFAULT_TYPE_MULTICAST] = { .type = NLA_FLAG },
873 };
874 
875 #ifdef CONFIG_PM
876 /* policy for WoWLAN attributes */
877 static const struct nla_policy
878 nl80211_wowlan_policy[NUM_NL80211_WOWLAN_TRIG] = {
879 	[NL80211_WOWLAN_TRIG_ANY] = { .type = NLA_FLAG },
880 	[NL80211_WOWLAN_TRIG_DISCONNECT] = { .type = NLA_FLAG },
881 	[NL80211_WOWLAN_TRIG_MAGIC_PKT] = { .type = NLA_FLAG },
882 	[NL80211_WOWLAN_TRIG_PKT_PATTERN] = { .type = NLA_NESTED },
883 	[NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE] = { .type = NLA_FLAG },
884 	[NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST] = { .type = NLA_FLAG },
885 	[NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE] = { .type = NLA_FLAG },
886 	[NL80211_WOWLAN_TRIG_RFKILL_RELEASE] = { .type = NLA_FLAG },
887 	[NL80211_WOWLAN_TRIG_TCP_CONNECTION] = { .type = NLA_NESTED },
888 	[NL80211_WOWLAN_TRIG_NET_DETECT] = { .type = NLA_NESTED },
889 };
890 
891 static const struct nla_policy
892 nl80211_wowlan_tcp_policy[NUM_NL80211_WOWLAN_TCP] = {
893 	[NL80211_WOWLAN_TCP_SRC_IPV4] = { .type = NLA_U32 },
894 	[NL80211_WOWLAN_TCP_DST_IPV4] = { .type = NLA_U32 },
895 	[NL80211_WOWLAN_TCP_DST_MAC] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
896 	[NL80211_WOWLAN_TCP_SRC_PORT] = { .type = NLA_U16 },
897 	[NL80211_WOWLAN_TCP_DST_PORT] = { .type = NLA_U16 },
898 	[NL80211_WOWLAN_TCP_DATA_PAYLOAD] = NLA_POLICY_MIN_LEN(1),
899 	[NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ] = {
900 		.len = sizeof(struct nl80211_wowlan_tcp_data_seq)
901 	},
902 	[NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN] = {
903 		.len = sizeof(struct nl80211_wowlan_tcp_data_token)
904 	},
905 	[NL80211_WOWLAN_TCP_DATA_INTERVAL] = { .type = NLA_U32 },
906 	[NL80211_WOWLAN_TCP_WAKE_PAYLOAD] = NLA_POLICY_MIN_LEN(1),
907 	[NL80211_WOWLAN_TCP_WAKE_MASK] = NLA_POLICY_MIN_LEN(1),
908 };
909 #endif /* CONFIG_PM */
910 
911 /* policy for coalesce rule attributes */
912 static const struct nla_policy
913 nl80211_coalesce_policy[NUM_NL80211_ATTR_COALESCE_RULE] = {
914 	[NL80211_ATTR_COALESCE_RULE_DELAY] = { .type = NLA_U32 },
915 	[NL80211_ATTR_COALESCE_RULE_CONDITION] =
916 		NLA_POLICY_RANGE(NLA_U32,
917 				 NL80211_COALESCE_CONDITION_MATCH,
918 				 NL80211_COALESCE_CONDITION_NO_MATCH),
919 	[NL80211_ATTR_COALESCE_RULE_PKT_PATTERN] = { .type = NLA_NESTED },
920 };
921 
922 /* policy for GTK rekey offload attributes */
923 static const struct nla_policy
924 nl80211_rekey_policy[NUM_NL80211_REKEY_DATA] = {
925 	[NL80211_REKEY_DATA_KEK] = {
926 		.type = NLA_BINARY,
927 		.len = NL80211_KEK_EXT_LEN
928 	},
929 	[NL80211_REKEY_DATA_KCK] = {
930 		.type = NLA_BINARY,
931 		.len = NL80211_KCK_EXT_LEN_32
932 	},
933 	[NL80211_REKEY_DATA_REPLAY_CTR] = NLA_POLICY_EXACT_LEN(NL80211_REPLAY_CTR_LEN),
934 	[NL80211_REKEY_DATA_AKM] = { .type = NLA_U32 },
935 };
936 
937 static const struct nla_policy
938 nl80211_match_policy[NL80211_SCHED_SCAN_MATCH_ATTR_MAX + 1] = {
939 	[NL80211_SCHED_SCAN_MATCH_ATTR_SSID] = { .type = NLA_BINARY,
940 						 .len = IEEE80211_MAX_SSID_LEN },
941 	[NL80211_SCHED_SCAN_MATCH_ATTR_BSSID] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
942 	[NL80211_SCHED_SCAN_MATCH_ATTR_RSSI] = { .type = NLA_U32 },
943 };
944 
945 static const struct nla_policy
946 nl80211_plan_policy[NL80211_SCHED_SCAN_PLAN_MAX + 1] = {
947 	[NL80211_SCHED_SCAN_PLAN_INTERVAL] = { .type = NLA_U32 },
948 	[NL80211_SCHED_SCAN_PLAN_ITERATIONS] = { .type = NLA_U32 },
949 };
950 
951 static const struct nla_policy
952 nl80211_bss_select_policy[NL80211_BSS_SELECT_ATTR_MAX + 1] = {
953 	[NL80211_BSS_SELECT_ATTR_RSSI] = { .type = NLA_FLAG },
954 	[NL80211_BSS_SELECT_ATTR_BAND_PREF] = { .type = NLA_U32 },
955 	[NL80211_BSS_SELECT_ATTR_RSSI_ADJUST] = {
956 		.len = sizeof(struct nl80211_bss_select_rssi_adjust)
957 	},
958 };
959 
960 /* policy for NAN function attributes */
961 static const struct nla_policy
962 nl80211_nan_func_policy[NL80211_NAN_FUNC_ATTR_MAX + 1] = {
963 	[NL80211_NAN_FUNC_TYPE] =
964 		NLA_POLICY_MAX(NLA_U8, NL80211_NAN_FUNC_MAX_TYPE),
965 	[NL80211_NAN_FUNC_SERVICE_ID] = {
966 				    .len = NL80211_NAN_FUNC_SERVICE_ID_LEN },
967 	[NL80211_NAN_FUNC_PUBLISH_TYPE] = { .type = NLA_U8 },
968 	[NL80211_NAN_FUNC_PUBLISH_BCAST] = { .type = NLA_FLAG },
969 	[NL80211_NAN_FUNC_SUBSCRIBE_ACTIVE] = { .type = NLA_FLAG },
970 	[NL80211_NAN_FUNC_FOLLOW_UP_ID] = { .type = NLA_U8 },
971 	[NL80211_NAN_FUNC_FOLLOW_UP_REQ_ID] = { .type = NLA_U8 },
972 	[NL80211_NAN_FUNC_FOLLOW_UP_DEST] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
973 	[NL80211_NAN_FUNC_CLOSE_RANGE] = { .type = NLA_FLAG },
974 	[NL80211_NAN_FUNC_TTL] = { .type = NLA_U32 },
975 	[NL80211_NAN_FUNC_SERVICE_INFO] = { .type = NLA_BINARY,
976 			.len = NL80211_NAN_FUNC_SERVICE_SPEC_INFO_MAX_LEN },
977 	[NL80211_NAN_FUNC_SRF] = { .type = NLA_NESTED },
978 	[NL80211_NAN_FUNC_RX_MATCH_FILTER] = { .type = NLA_NESTED },
979 	[NL80211_NAN_FUNC_TX_MATCH_FILTER] = { .type = NLA_NESTED },
980 	[NL80211_NAN_FUNC_INSTANCE_ID] = { .type = NLA_U8 },
981 	[NL80211_NAN_FUNC_TERM_REASON] = { .type = NLA_U8 },
982 };
983 
984 /* policy for Service Response Filter attributes */
985 static const struct nla_policy
986 nl80211_nan_srf_policy[NL80211_NAN_SRF_ATTR_MAX + 1] = {
987 	[NL80211_NAN_SRF_INCLUDE] = { .type = NLA_FLAG },
988 	[NL80211_NAN_SRF_BF] = { .type = NLA_BINARY,
989 				 .len =  NL80211_NAN_FUNC_SRF_MAX_LEN },
990 	[NL80211_NAN_SRF_BF_IDX] = { .type = NLA_U8 },
991 	[NL80211_NAN_SRF_MAC_ADDRS] = { .type = NLA_NESTED },
992 };
993 
994 /* policy for packet pattern attributes */
995 static const struct nla_policy
996 nl80211_packet_pattern_policy[MAX_NL80211_PKTPAT + 1] = {
997 	[NL80211_PKTPAT_MASK] = { .type = NLA_BINARY, },
998 	[NL80211_PKTPAT_PATTERN] = { .type = NLA_BINARY, },
999 	[NL80211_PKTPAT_OFFSET] = { .type = NLA_U32 },
1000 };
1001 
1002 static int nl80211_prepare_wdev_dump(struct netlink_callback *cb,
1003 				     struct cfg80211_registered_device **rdev,
1004 				     struct wireless_dev **wdev,
1005 				     struct nlattr **attrbuf)
1006 {
1007 	int err;
1008 
1009 	if (!cb->args[0]) {
1010 		struct nlattr **attrbuf_free = NULL;
1011 
1012 		if (!attrbuf) {
1013 			attrbuf = kcalloc(NUM_NL80211_ATTR, sizeof(*attrbuf),
1014 					  GFP_KERNEL);
1015 			if (!attrbuf)
1016 				return -ENOMEM;
1017 			attrbuf_free = attrbuf;
1018 		}
1019 
1020 		err = nlmsg_parse_deprecated(cb->nlh,
1021 					     GENL_HDRLEN + nl80211_fam.hdrsize,
1022 					     attrbuf, nl80211_fam.maxattr,
1023 					     nl80211_policy, NULL);
1024 		if (err) {
1025 			kfree(attrbuf_free);
1026 			return err;
1027 		}
1028 
1029 		rtnl_lock();
1030 		*wdev = __cfg80211_wdev_from_attrs(NULL, sock_net(cb->skb->sk),
1031 						   attrbuf);
1032 		kfree(attrbuf_free);
1033 		if (IS_ERR(*wdev)) {
1034 			rtnl_unlock();
1035 			return PTR_ERR(*wdev);
1036 		}
1037 		*rdev = wiphy_to_rdev((*wdev)->wiphy);
1038 		mutex_lock(&(*rdev)->wiphy.mtx);
1039 		rtnl_unlock();
1040 		/* 0 is the first index - add 1 to parse only once */
1041 		cb->args[0] = (*rdev)->wiphy_idx + 1;
1042 		cb->args[1] = (*wdev)->identifier;
1043 	} else {
1044 		/* subtract the 1 again here */
1045 		struct wiphy *wiphy;
1046 		struct wireless_dev *tmp;
1047 
1048 		rtnl_lock();
1049 		wiphy = wiphy_idx_to_wiphy(cb->args[0] - 1);
1050 		if (!wiphy) {
1051 			rtnl_unlock();
1052 			return -ENODEV;
1053 		}
1054 		*rdev = wiphy_to_rdev(wiphy);
1055 		*wdev = NULL;
1056 
1057 		list_for_each_entry(tmp, &(*rdev)->wiphy.wdev_list, list) {
1058 			if (tmp->identifier == cb->args[1]) {
1059 				*wdev = tmp;
1060 				break;
1061 			}
1062 		}
1063 
1064 		if (!*wdev) {
1065 			rtnl_unlock();
1066 			return -ENODEV;
1067 		}
1068 		mutex_lock(&(*rdev)->wiphy.mtx);
1069 		rtnl_unlock();
1070 	}
1071 
1072 	return 0;
1073 }
1074 
1075 /* message building helper */
1076 void *nl80211hdr_put(struct sk_buff *skb, u32 portid, u32 seq,
1077 		     int flags, u8 cmd)
1078 {
1079 	/* since there is no private header just add the generic one */
1080 	return genlmsg_put(skb, portid, seq, &nl80211_fam, flags, cmd);
1081 }
1082 
1083 static int nl80211_msg_put_wmm_rules(struct sk_buff *msg,
1084 				     const struct ieee80211_reg_rule *rule)
1085 {
1086 	int j;
1087 	struct nlattr *nl_wmm_rules =
1088 		nla_nest_start_noflag(msg, NL80211_FREQUENCY_ATTR_WMM);
1089 
1090 	if (!nl_wmm_rules)
1091 		goto nla_put_failure;
1092 
1093 	for (j = 0; j < IEEE80211_NUM_ACS; j++) {
1094 		struct nlattr *nl_wmm_rule = nla_nest_start_noflag(msg, j);
1095 
1096 		if (!nl_wmm_rule)
1097 			goto nla_put_failure;
1098 
1099 		if (nla_put_u16(msg, NL80211_WMMR_CW_MIN,
1100 				rule->wmm_rule.client[j].cw_min) ||
1101 		    nla_put_u16(msg, NL80211_WMMR_CW_MAX,
1102 				rule->wmm_rule.client[j].cw_max) ||
1103 		    nla_put_u8(msg, NL80211_WMMR_AIFSN,
1104 			       rule->wmm_rule.client[j].aifsn) ||
1105 		    nla_put_u16(msg, NL80211_WMMR_TXOP,
1106 			        rule->wmm_rule.client[j].cot))
1107 			goto nla_put_failure;
1108 
1109 		nla_nest_end(msg, nl_wmm_rule);
1110 	}
1111 	nla_nest_end(msg, nl_wmm_rules);
1112 
1113 	return 0;
1114 
1115 nla_put_failure:
1116 	return -ENOBUFS;
1117 }
1118 
1119 static int nl80211_msg_put_channel(struct sk_buff *msg, struct wiphy *wiphy,
1120 				   struct ieee80211_channel *chan,
1121 				   bool large)
1122 {
1123 	/* Some channels must be completely excluded from the
1124 	 * list to protect old user-space tools from breaking
1125 	 */
1126 	if (!large && chan->flags &
1127 	    (IEEE80211_CHAN_NO_10MHZ | IEEE80211_CHAN_NO_20MHZ))
1128 		return 0;
1129 	if (!large && chan->freq_offset)
1130 		return 0;
1131 
1132 	if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_FREQ,
1133 			chan->center_freq))
1134 		goto nla_put_failure;
1135 
1136 	if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_OFFSET, chan->freq_offset))
1137 		goto nla_put_failure;
1138 
1139 	if ((chan->flags & IEEE80211_CHAN_PSD) &&
1140 	    nla_put_s8(msg, NL80211_FREQUENCY_ATTR_PSD, chan->psd))
1141 		goto nla_put_failure;
1142 
1143 	if ((chan->flags & IEEE80211_CHAN_DISABLED) &&
1144 	    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_DISABLED))
1145 		goto nla_put_failure;
1146 	if (chan->flags & IEEE80211_CHAN_NO_IR) {
1147 		if (nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_IR))
1148 			goto nla_put_failure;
1149 		if (nla_put_flag(msg, __NL80211_FREQUENCY_ATTR_NO_IBSS))
1150 			goto nla_put_failure;
1151 	}
1152 	if (chan->flags & IEEE80211_CHAN_RADAR) {
1153 		if (nla_put_flag(msg, NL80211_FREQUENCY_ATTR_RADAR))
1154 			goto nla_put_failure;
1155 		if (large) {
1156 			u32 time;
1157 
1158 			time = elapsed_jiffies_msecs(chan->dfs_state_entered);
1159 
1160 			if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_DFS_STATE,
1161 					chan->dfs_state))
1162 				goto nla_put_failure;
1163 			if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_DFS_TIME,
1164 					time))
1165 				goto nla_put_failure;
1166 			if (nla_put_u32(msg,
1167 					NL80211_FREQUENCY_ATTR_DFS_CAC_TIME,
1168 					chan->dfs_cac_ms))
1169 				goto nla_put_failure;
1170 		}
1171 	}
1172 
1173 	if (large) {
1174 		if ((chan->flags & IEEE80211_CHAN_NO_HT40MINUS) &&
1175 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_HT40_MINUS))
1176 			goto nla_put_failure;
1177 		if ((chan->flags & IEEE80211_CHAN_NO_HT40PLUS) &&
1178 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_HT40_PLUS))
1179 			goto nla_put_failure;
1180 		if ((chan->flags & IEEE80211_CHAN_NO_80MHZ) &&
1181 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_80MHZ))
1182 			goto nla_put_failure;
1183 		if ((chan->flags & IEEE80211_CHAN_NO_160MHZ) &&
1184 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_160MHZ))
1185 			goto nla_put_failure;
1186 		if ((chan->flags & IEEE80211_CHAN_INDOOR_ONLY) &&
1187 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_INDOOR_ONLY))
1188 			goto nla_put_failure;
1189 		if ((chan->flags & IEEE80211_CHAN_IR_CONCURRENT) &&
1190 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_IR_CONCURRENT))
1191 			goto nla_put_failure;
1192 		if ((chan->flags & IEEE80211_CHAN_NO_20MHZ) &&
1193 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_20MHZ))
1194 			goto nla_put_failure;
1195 		if ((chan->flags & IEEE80211_CHAN_NO_10MHZ) &&
1196 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_10MHZ))
1197 			goto nla_put_failure;
1198 		if ((chan->flags & IEEE80211_CHAN_NO_HE) &&
1199 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_HE))
1200 			goto nla_put_failure;
1201 		if ((chan->flags & IEEE80211_CHAN_1MHZ) &&
1202 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_1MHZ))
1203 			goto nla_put_failure;
1204 		if ((chan->flags & IEEE80211_CHAN_2MHZ) &&
1205 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_2MHZ))
1206 			goto nla_put_failure;
1207 		if ((chan->flags & IEEE80211_CHAN_4MHZ) &&
1208 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_4MHZ))
1209 			goto nla_put_failure;
1210 		if ((chan->flags & IEEE80211_CHAN_8MHZ) &&
1211 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_8MHZ))
1212 			goto nla_put_failure;
1213 		if ((chan->flags & IEEE80211_CHAN_16MHZ) &&
1214 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_16MHZ))
1215 			goto nla_put_failure;
1216 		if ((chan->flags & IEEE80211_CHAN_NO_320MHZ) &&
1217 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_320MHZ))
1218 			goto nla_put_failure;
1219 		if ((chan->flags & IEEE80211_CHAN_NO_EHT) &&
1220 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_EHT))
1221 			goto nla_put_failure;
1222 		if ((chan->flags & IEEE80211_CHAN_DFS_CONCURRENT) &&
1223 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_DFS_CONCURRENT))
1224 			goto nla_put_failure;
1225 		if ((chan->flags & IEEE80211_CHAN_NO_6GHZ_VLP_CLIENT) &&
1226 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_6GHZ_VLP_CLIENT))
1227 			goto nla_put_failure;
1228 		if ((chan->flags & IEEE80211_CHAN_NO_6GHZ_AFC_CLIENT) &&
1229 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_6GHZ_AFC_CLIENT))
1230 			goto nla_put_failure;
1231 		if ((chan->flags & IEEE80211_CHAN_CAN_MONITOR) &&
1232 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_CAN_MONITOR))
1233 			goto nla_put_failure;
1234 		if ((chan->flags & IEEE80211_CHAN_ALLOW_6GHZ_VLP_AP) &&
1235 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_ALLOW_6GHZ_VLP_AP))
1236 			goto nla_put_failure;
1237 	}
1238 
1239 	if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_MAX_TX_POWER,
1240 			DBM_TO_MBM(chan->max_power)))
1241 		goto nla_put_failure;
1242 
1243 	if (large) {
1244 		const struct ieee80211_reg_rule *rule =
1245 			freq_reg_info(wiphy, MHZ_TO_KHZ(chan->center_freq));
1246 
1247 		if (!IS_ERR_OR_NULL(rule) && rule->has_wmm) {
1248 			if (nl80211_msg_put_wmm_rules(msg, rule))
1249 				goto nla_put_failure;
1250 		}
1251 	}
1252 
1253 	return 0;
1254 
1255  nla_put_failure:
1256 	return -ENOBUFS;
1257 }
1258 
1259 static bool nl80211_put_txq_stats(struct sk_buff *msg,
1260 				  struct cfg80211_txq_stats *txqstats,
1261 				  int attrtype)
1262 {
1263 	struct nlattr *txqattr;
1264 
1265 #define PUT_TXQVAL_U32(attr, memb) do {					  \
1266 	if (txqstats->filled & BIT(NL80211_TXQ_STATS_ ## attr) &&	  \
1267 	    nla_put_u32(msg, NL80211_TXQ_STATS_ ## attr, txqstats->memb)) \
1268 		return false;						  \
1269 	} while (0)
1270 
1271 	txqattr = nla_nest_start_noflag(msg, attrtype);
1272 	if (!txqattr)
1273 		return false;
1274 
1275 	PUT_TXQVAL_U32(BACKLOG_BYTES, backlog_bytes);
1276 	PUT_TXQVAL_U32(BACKLOG_PACKETS, backlog_packets);
1277 	PUT_TXQVAL_U32(FLOWS, flows);
1278 	PUT_TXQVAL_U32(DROPS, drops);
1279 	PUT_TXQVAL_U32(ECN_MARKS, ecn_marks);
1280 	PUT_TXQVAL_U32(OVERLIMIT, overlimit);
1281 	PUT_TXQVAL_U32(OVERMEMORY, overmemory);
1282 	PUT_TXQVAL_U32(COLLISIONS, collisions);
1283 	PUT_TXQVAL_U32(TX_BYTES, tx_bytes);
1284 	PUT_TXQVAL_U32(TX_PACKETS, tx_packets);
1285 	PUT_TXQVAL_U32(MAX_FLOWS, max_flows);
1286 	nla_nest_end(msg, txqattr);
1287 
1288 #undef PUT_TXQVAL_U32
1289 	return true;
1290 }
1291 
1292 /* netlink command implementations */
1293 
1294 /**
1295  * nl80211_link_id - return link ID
1296  * @attrs: attributes to look at
1297  *
1298  * Returns: the link ID or 0 if not given
1299  *
1300  * Note this function doesn't do any validation of the link
1301  * ID validity wrt. links that were actually added, so it must
1302  * be called only from ops with %NL80211_FLAG_MLO_VALID_LINK_ID
1303  * or if additional validation is done.
1304  */
1305 static unsigned int nl80211_link_id(struct nlattr **attrs)
1306 {
1307 	struct nlattr *linkid = attrs[NL80211_ATTR_MLO_LINK_ID];
1308 
1309 	return nla_get_u8_default(linkid, 0);
1310 }
1311 
1312 static int nl80211_link_id_or_invalid(struct nlattr **attrs)
1313 {
1314 	struct nlattr *linkid = attrs[NL80211_ATTR_MLO_LINK_ID];
1315 
1316 	if (!linkid)
1317 		return -1;
1318 
1319 	return nla_get_u8(linkid);
1320 }
1321 
1322 struct key_parse {
1323 	struct key_params p;
1324 	int idx;
1325 	int type;
1326 	bool def, defmgmt, defbeacon;
1327 	bool def_uni, def_multi;
1328 };
1329 
1330 static int nl80211_parse_key_new(struct genl_info *info, struct nlattr *key,
1331 				 struct key_parse *k)
1332 {
1333 	struct nlattr *tb[NL80211_KEY_MAX + 1];
1334 	int err = nla_parse_nested_deprecated(tb, NL80211_KEY_MAX, key,
1335 					      nl80211_key_policy,
1336 					      info->extack);
1337 	if (err)
1338 		return err;
1339 
1340 	k->def = !!tb[NL80211_KEY_DEFAULT];
1341 	k->defmgmt = !!tb[NL80211_KEY_DEFAULT_MGMT];
1342 	k->defbeacon = !!tb[NL80211_KEY_DEFAULT_BEACON];
1343 
1344 	if (k->def) {
1345 		k->def_uni = true;
1346 		k->def_multi = true;
1347 	}
1348 	if (k->defmgmt || k->defbeacon)
1349 		k->def_multi = true;
1350 
1351 	if (tb[NL80211_KEY_IDX])
1352 		k->idx = nla_get_u8(tb[NL80211_KEY_IDX]);
1353 
1354 	if (tb[NL80211_KEY_DATA]) {
1355 		k->p.key = nla_data(tb[NL80211_KEY_DATA]);
1356 		k->p.key_len = nla_len(tb[NL80211_KEY_DATA]);
1357 	}
1358 
1359 	if (tb[NL80211_KEY_SEQ]) {
1360 		k->p.seq = nla_data(tb[NL80211_KEY_SEQ]);
1361 		k->p.seq_len = nla_len(tb[NL80211_KEY_SEQ]);
1362 	}
1363 
1364 	if (tb[NL80211_KEY_CIPHER])
1365 		k->p.cipher = nla_get_u32(tb[NL80211_KEY_CIPHER]);
1366 
1367 	if (tb[NL80211_KEY_TYPE])
1368 		k->type = nla_get_u32(tb[NL80211_KEY_TYPE]);
1369 
1370 	if (tb[NL80211_KEY_DEFAULT_TYPES]) {
1371 		struct nlattr *kdt[NUM_NL80211_KEY_DEFAULT_TYPES];
1372 
1373 		err = nla_parse_nested_deprecated(kdt,
1374 						  NUM_NL80211_KEY_DEFAULT_TYPES - 1,
1375 						  tb[NL80211_KEY_DEFAULT_TYPES],
1376 						  nl80211_key_default_policy,
1377 						  info->extack);
1378 		if (err)
1379 			return err;
1380 
1381 		k->def_uni = kdt[NL80211_KEY_DEFAULT_TYPE_UNICAST];
1382 		k->def_multi = kdt[NL80211_KEY_DEFAULT_TYPE_MULTICAST];
1383 	}
1384 
1385 	if (tb[NL80211_KEY_MODE])
1386 		k->p.mode = nla_get_u8(tb[NL80211_KEY_MODE]);
1387 
1388 	return 0;
1389 }
1390 
1391 static int nl80211_parse_key_old(struct genl_info *info, struct key_parse *k)
1392 {
1393 	if (info->attrs[NL80211_ATTR_KEY_DATA]) {
1394 		k->p.key = nla_data(info->attrs[NL80211_ATTR_KEY_DATA]);
1395 		k->p.key_len = nla_len(info->attrs[NL80211_ATTR_KEY_DATA]);
1396 	}
1397 
1398 	if (info->attrs[NL80211_ATTR_KEY_SEQ]) {
1399 		k->p.seq = nla_data(info->attrs[NL80211_ATTR_KEY_SEQ]);
1400 		k->p.seq_len = nla_len(info->attrs[NL80211_ATTR_KEY_SEQ]);
1401 	}
1402 
1403 	if (info->attrs[NL80211_ATTR_KEY_IDX])
1404 		k->idx = nla_get_u8(info->attrs[NL80211_ATTR_KEY_IDX]);
1405 
1406 	if (info->attrs[NL80211_ATTR_KEY_CIPHER])
1407 		k->p.cipher = nla_get_u32(info->attrs[NL80211_ATTR_KEY_CIPHER]);
1408 
1409 	k->def = !!info->attrs[NL80211_ATTR_KEY_DEFAULT];
1410 	k->defmgmt = !!info->attrs[NL80211_ATTR_KEY_DEFAULT_MGMT];
1411 
1412 	if (k->def) {
1413 		k->def_uni = true;
1414 		k->def_multi = true;
1415 	}
1416 	if (k->defmgmt)
1417 		k->def_multi = true;
1418 
1419 	if (info->attrs[NL80211_ATTR_KEY_TYPE])
1420 		k->type = nla_get_u32(info->attrs[NL80211_ATTR_KEY_TYPE]);
1421 
1422 	if (info->attrs[NL80211_ATTR_KEY_DEFAULT_TYPES]) {
1423 		struct nlattr *kdt[NUM_NL80211_KEY_DEFAULT_TYPES];
1424 		int err = nla_parse_nested_deprecated(kdt,
1425 						      NUM_NL80211_KEY_DEFAULT_TYPES - 1,
1426 						      info->attrs[NL80211_ATTR_KEY_DEFAULT_TYPES],
1427 						      nl80211_key_default_policy,
1428 						      info->extack);
1429 		if (err)
1430 			return err;
1431 
1432 		k->def_uni = kdt[NL80211_KEY_DEFAULT_TYPE_UNICAST];
1433 		k->def_multi = kdt[NL80211_KEY_DEFAULT_TYPE_MULTICAST];
1434 	}
1435 
1436 	return 0;
1437 }
1438 
1439 static int nl80211_parse_key(struct genl_info *info, struct key_parse *k)
1440 {
1441 	int err;
1442 
1443 	memset(k, 0, sizeof(*k));
1444 	k->idx = -1;
1445 	k->type = -1;
1446 
1447 	if (info->attrs[NL80211_ATTR_KEY])
1448 		err = nl80211_parse_key_new(info, info->attrs[NL80211_ATTR_KEY], k);
1449 	else
1450 		err = nl80211_parse_key_old(info, k);
1451 
1452 	if (err)
1453 		return err;
1454 
1455 	if ((k->def ? 1 : 0) + (k->defmgmt ? 1 : 0) +
1456 	    (k->defbeacon ? 1 : 0) > 1) {
1457 		GENL_SET_ERR_MSG(info,
1458 				 "key with multiple default flags is invalid");
1459 		return -EINVAL;
1460 	}
1461 
1462 	if (k->defmgmt || k->defbeacon) {
1463 		if (k->def_uni || !k->def_multi) {
1464 			GENL_SET_ERR_MSG(info,
1465 					 "defmgmt/defbeacon key must be mcast");
1466 			return -EINVAL;
1467 		}
1468 	}
1469 
1470 	if (k->idx != -1) {
1471 		if (k->defmgmt) {
1472 			if (k->idx < 4 || k->idx > 5) {
1473 				GENL_SET_ERR_MSG(info,
1474 						 "defmgmt key idx not 4 or 5");
1475 				return -EINVAL;
1476 			}
1477 		} else if (k->defbeacon) {
1478 			if (k->idx < 6 || k->idx > 7) {
1479 				GENL_SET_ERR_MSG(info,
1480 						 "defbeacon key idx not 6 or 7");
1481 				return -EINVAL;
1482 			}
1483 		} else if (k->def) {
1484 			if (k->idx < 0 || k->idx > 3) {
1485 				GENL_SET_ERR_MSG(info, "def key idx not 0-3");
1486 				return -EINVAL;
1487 			}
1488 		} else {
1489 			if (k->idx < 0 || k->idx > 7) {
1490 				GENL_SET_ERR_MSG(info, "key idx not 0-7");
1491 				return -EINVAL;
1492 			}
1493 		}
1494 	}
1495 
1496 	return 0;
1497 }
1498 
1499 static struct cfg80211_cached_keys *
1500 nl80211_parse_connkeys(struct cfg80211_registered_device *rdev,
1501 		       struct genl_info *info, bool *no_ht)
1502 {
1503 	struct nlattr *keys = info->attrs[NL80211_ATTR_KEYS];
1504 	struct key_parse parse;
1505 	struct nlattr *key;
1506 	struct cfg80211_cached_keys *result;
1507 	int rem, err, def = 0;
1508 	bool have_key = false;
1509 
1510 	nla_for_each_nested(key, keys, rem) {
1511 		have_key = true;
1512 		break;
1513 	}
1514 
1515 	if (!have_key)
1516 		return NULL;
1517 
1518 	result = kzalloc(sizeof(*result), GFP_KERNEL);
1519 	if (!result)
1520 		return ERR_PTR(-ENOMEM);
1521 
1522 	result->def = -1;
1523 
1524 	nla_for_each_nested(key, keys, rem) {
1525 		memset(&parse, 0, sizeof(parse));
1526 		parse.idx = -1;
1527 
1528 		err = nl80211_parse_key_new(info, key, &parse);
1529 		if (err)
1530 			goto error;
1531 		err = -EINVAL;
1532 		if (!parse.p.key)
1533 			goto error;
1534 		if (parse.idx < 0 || parse.idx > 3) {
1535 			GENL_SET_ERR_MSG(info, "key index out of range [0-3]");
1536 			goto error;
1537 		}
1538 		if (parse.def) {
1539 			if (def) {
1540 				GENL_SET_ERR_MSG(info,
1541 						 "only one key can be default");
1542 				goto error;
1543 			}
1544 			def = 1;
1545 			result->def = parse.idx;
1546 			if (!parse.def_uni || !parse.def_multi)
1547 				goto error;
1548 		} else if (parse.defmgmt)
1549 			goto error;
1550 		err = cfg80211_validate_key_settings(rdev, &parse.p,
1551 						     parse.idx, false, NULL);
1552 		if (err)
1553 			goto error;
1554 		if (parse.p.cipher != WLAN_CIPHER_SUITE_WEP40 &&
1555 		    parse.p.cipher != WLAN_CIPHER_SUITE_WEP104) {
1556 			GENL_SET_ERR_MSG(info, "connect key must be WEP");
1557 			err = -EINVAL;
1558 			goto error;
1559 		}
1560 		result->params[parse.idx].cipher = parse.p.cipher;
1561 		result->params[parse.idx].key_len = parse.p.key_len;
1562 		result->params[parse.idx].key = result->data[parse.idx];
1563 		memcpy(result->data[parse.idx], parse.p.key, parse.p.key_len);
1564 
1565 		/* must be WEP key if we got here */
1566 		if (no_ht)
1567 			*no_ht = true;
1568 	}
1569 
1570 	if (result->def < 0) {
1571 		err = -EINVAL;
1572 		GENL_SET_ERR_MSG(info, "need a default/TX key");
1573 		goto error;
1574 	}
1575 
1576 	return result;
1577  error:
1578 	kfree(result);
1579 	return ERR_PTR(err);
1580 }
1581 
1582 static int nl80211_key_allowed(struct wireless_dev *wdev)
1583 {
1584 	lockdep_assert_wiphy(wdev->wiphy);
1585 
1586 	switch (wdev->iftype) {
1587 	case NL80211_IFTYPE_AP:
1588 	case NL80211_IFTYPE_AP_VLAN:
1589 	case NL80211_IFTYPE_P2P_GO:
1590 	case NL80211_IFTYPE_MESH_POINT:
1591 		break;
1592 	case NL80211_IFTYPE_ADHOC:
1593 		if (wdev->u.ibss.current_bss)
1594 			return 0;
1595 		return -ENOLINK;
1596 	case NL80211_IFTYPE_STATION:
1597 	case NL80211_IFTYPE_P2P_CLIENT:
1598 		if (wdev->connected)
1599 			return 0;
1600 		return -ENOLINK;
1601 	case NL80211_IFTYPE_NAN:
1602 		if (wiphy_ext_feature_isset(wdev->wiphy,
1603 					    NL80211_EXT_FEATURE_SECURE_NAN))
1604 			return 0;
1605 		return -EINVAL;
1606 	case NL80211_IFTYPE_UNSPECIFIED:
1607 	case NL80211_IFTYPE_OCB:
1608 	case NL80211_IFTYPE_MONITOR:
1609 	case NL80211_IFTYPE_P2P_DEVICE:
1610 	case NL80211_IFTYPE_WDS:
1611 	case NUM_NL80211_IFTYPES:
1612 		return -EINVAL;
1613 	}
1614 
1615 	return 0;
1616 }
1617 
1618 static struct ieee80211_channel *nl80211_get_valid_chan(struct wiphy *wiphy,
1619 							u32 freq)
1620 {
1621 	struct ieee80211_channel *chan;
1622 
1623 	chan = ieee80211_get_channel_khz(wiphy, freq);
1624 	if (!chan || chan->flags & IEEE80211_CHAN_DISABLED)
1625 		return NULL;
1626 	return chan;
1627 }
1628 
1629 static int nl80211_put_iftypes(struct sk_buff *msg, u32 attr, u16 ifmodes)
1630 {
1631 	struct nlattr *nl_modes = nla_nest_start_noflag(msg, attr);
1632 	int i;
1633 
1634 	if (!nl_modes)
1635 		goto nla_put_failure;
1636 
1637 	i = 0;
1638 	while (ifmodes) {
1639 		if ((ifmodes & 1) && nla_put_flag(msg, i))
1640 			goto nla_put_failure;
1641 		ifmodes >>= 1;
1642 		i++;
1643 	}
1644 
1645 	nla_nest_end(msg, nl_modes);
1646 	return 0;
1647 
1648 nla_put_failure:
1649 	return -ENOBUFS;
1650 }
1651 
1652 static int nl80211_put_ifcomb_data(struct sk_buff *msg, bool large, int idx,
1653 				   const struct ieee80211_iface_combination *c,
1654 				   u16 nested)
1655 {
1656 	struct nlattr *nl_combi, *nl_limits;
1657 	int i;
1658 
1659 	nl_combi = nla_nest_start_noflag(msg, idx | nested);
1660 	if (!nl_combi)
1661 		goto nla_put_failure;
1662 
1663 	nl_limits = nla_nest_start_noflag(msg, NL80211_IFACE_COMB_LIMITS |
1664 					       nested);
1665 	if (!nl_limits)
1666 		goto nla_put_failure;
1667 
1668 	for (i = 0; i < c->n_limits; i++) {
1669 		struct nlattr *nl_limit;
1670 
1671 		nl_limit = nla_nest_start_noflag(msg, i + 1);
1672 		if (!nl_limit)
1673 			goto nla_put_failure;
1674 		if (nla_put_u32(msg, NL80211_IFACE_LIMIT_MAX, c->limits[i].max))
1675 			goto nla_put_failure;
1676 		if (nl80211_put_iftypes(msg, NL80211_IFACE_LIMIT_TYPES,
1677 					c->limits[i].types))
1678 			goto nla_put_failure;
1679 		nla_nest_end(msg, nl_limit);
1680 	}
1681 
1682 	nla_nest_end(msg, nl_limits);
1683 
1684 	if (c->beacon_int_infra_match &&
1685 	    nla_put_flag(msg, NL80211_IFACE_COMB_STA_AP_BI_MATCH))
1686 		goto nla_put_failure;
1687 	if (nla_put_u32(msg, NL80211_IFACE_COMB_NUM_CHANNELS,
1688 			c->num_different_channels) ||
1689 	    nla_put_u32(msg, NL80211_IFACE_COMB_MAXNUM,
1690 			c->max_interfaces))
1691 		goto nla_put_failure;
1692 	if (large &&
1693 	    (nla_put_u32(msg, NL80211_IFACE_COMB_RADAR_DETECT_WIDTHS,
1694 			c->radar_detect_widths) ||
1695 	     nla_put_u32(msg, NL80211_IFACE_COMB_RADAR_DETECT_REGIONS,
1696 			c->radar_detect_regions)))
1697 		goto nla_put_failure;
1698 	if (c->beacon_int_min_gcd &&
1699 	    nla_put_u32(msg, NL80211_IFACE_COMB_BI_MIN_GCD,
1700 			c->beacon_int_min_gcd))
1701 		goto nla_put_failure;
1702 
1703 	nla_nest_end(msg, nl_combi);
1704 
1705 	return 0;
1706 nla_put_failure:
1707 	return -ENOBUFS;
1708 }
1709 
1710 static int nl80211_put_iface_combinations(struct wiphy *wiphy,
1711 					  struct sk_buff *msg,
1712 					  int attr, int radio,
1713 					  bool large, u16 nested)
1714 {
1715 	const struct ieee80211_iface_combination *c;
1716 	struct nlattr *nl_combis;
1717 	int i, n;
1718 
1719 	nl_combis = nla_nest_start_noflag(msg, attr | nested);
1720 	if (!nl_combis)
1721 		goto nla_put_failure;
1722 
1723 	if (radio >= 0) {
1724 		c = wiphy->radio[0].iface_combinations;
1725 		n = wiphy->radio[0].n_iface_combinations;
1726 	} else {
1727 		c = wiphy->iface_combinations;
1728 		n = wiphy->n_iface_combinations;
1729 	}
1730 	for (i = 0; i < n; i++)
1731 		if (nl80211_put_ifcomb_data(msg, large, i + 1, &c[i], nested))
1732 			goto nla_put_failure;
1733 
1734 	nla_nest_end(msg, nl_combis);
1735 
1736 	return 0;
1737 nla_put_failure:
1738 	return -ENOBUFS;
1739 }
1740 
1741 #ifdef CONFIG_PM
1742 static int nl80211_send_wowlan_tcp_caps(struct cfg80211_registered_device *rdev,
1743 					struct sk_buff *msg)
1744 {
1745 	const struct wiphy_wowlan_tcp_support *tcp = rdev->wiphy.wowlan->tcp;
1746 	struct nlattr *nl_tcp;
1747 
1748 	if (!tcp)
1749 		return 0;
1750 
1751 	nl_tcp = nla_nest_start_noflag(msg,
1752 				       NL80211_WOWLAN_TRIG_TCP_CONNECTION);
1753 	if (!nl_tcp)
1754 		return -ENOBUFS;
1755 
1756 	if (nla_put_u32(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD,
1757 			tcp->data_payload_max))
1758 		return -ENOBUFS;
1759 
1760 	if (nla_put_u32(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD,
1761 			tcp->data_payload_max))
1762 		return -ENOBUFS;
1763 
1764 	if (tcp->seq && nla_put_flag(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ))
1765 		return -ENOBUFS;
1766 
1767 	if (tcp->tok && nla_put(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN,
1768 				sizeof(*tcp->tok), tcp->tok))
1769 		return -ENOBUFS;
1770 
1771 	if (nla_put_u32(msg, NL80211_WOWLAN_TCP_DATA_INTERVAL,
1772 			tcp->data_interval_max))
1773 		return -ENOBUFS;
1774 
1775 	if (nla_put_u32(msg, NL80211_WOWLAN_TCP_WAKE_PAYLOAD,
1776 			tcp->wake_payload_max))
1777 		return -ENOBUFS;
1778 
1779 	nla_nest_end(msg, nl_tcp);
1780 	return 0;
1781 }
1782 
1783 static int nl80211_send_wowlan(struct sk_buff *msg,
1784 			       struct cfg80211_registered_device *rdev,
1785 			       bool large)
1786 {
1787 	struct nlattr *nl_wowlan;
1788 
1789 	if (!rdev->wiphy.wowlan)
1790 		return 0;
1791 
1792 	nl_wowlan = nla_nest_start_noflag(msg,
1793 					  NL80211_ATTR_WOWLAN_TRIGGERS_SUPPORTED);
1794 	if (!nl_wowlan)
1795 		return -ENOBUFS;
1796 
1797 	if (((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_ANY) &&
1798 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_ANY)) ||
1799 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_DISCONNECT) &&
1800 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_DISCONNECT)) ||
1801 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_MAGIC_PKT) &&
1802 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_MAGIC_PKT)) ||
1803 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_SUPPORTS_GTK_REKEY) &&
1804 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_GTK_REKEY_SUPPORTED)) ||
1805 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_GTK_REKEY_FAILURE) &&
1806 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE)) ||
1807 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_EAP_IDENTITY_REQ) &&
1808 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST)) ||
1809 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_4WAY_HANDSHAKE) &&
1810 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE)) ||
1811 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_RFKILL_RELEASE) &&
1812 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_RFKILL_RELEASE)))
1813 		return -ENOBUFS;
1814 
1815 	if (rdev->wiphy.wowlan->n_patterns) {
1816 		struct nl80211_pattern_support pat = {
1817 			.max_patterns = rdev->wiphy.wowlan->n_patterns,
1818 			.min_pattern_len = rdev->wiphy.wowlan->pattern_min_len,
1819 			.max_pattern_len = rdev->wiphy.wowlan->pattern_max_len,
1820 			.max_pkt_offset = rdev->wiphy.wowlan->max_pkt_offset,
1821 		};
1822 
1823 		if (nla_put(msg, NL80211_WOWLAN_TRIG_PKT_PATTERN,
1824 			    sizeof(pat), &pat))
1825 			return -ENOBUFS;
1826 	}
1827 
1828 	if ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_NET_DETECT) &&
1829 	    nla_put_u32(msg, NL80211_WOWLAN_TRIG_NET_DETECT,
1830 			rdev->wiphy.wowlan->max_nd_match_sets))
1831 		return -ENOBUFS;
1832 
1833 	if (large && nl80211_send_wowlan_tcp_caps(rdev, msg))
1834 		return -ENOBUFS;
1835 
1836 	nla_nest_end(msg, nl_wowlan);
1837 
1838 	return 0;
1839 }
1840 #endif
1841 
1842 static int nl80211_send_coalesce(struct sk_buff *msg,
1843 				 struct cfg80211_registered_device *rdev)
1844 {
1845 	struct nl80211_coalesce_rule_support rule;
1846 
1847 	if (!rdev->wiphy.coalesce)
1848 		return 0;
1849 
1850 	rule.max_rules = rdev->wiphy.coalesce->n_rules;
1851 	rule.max_delay = rdev->wiphy.coalesce->max_delay;
1852 	rule.pat.max_patterns = rdev->wiphy.coalesce->n_patterns;
1853 	rule.pat.min_pattern_len = rdev->wiphy.coalesce->pattern_min_len;
1854 	rule.pat.max_pattern_len = rdev->wiphy.coalesce->pattern_max_len;
1855 	rule.pat.max_pkt_offset = rdev->wiphy.coalesce->max_pkt_offset;
1856 
1857 	if (nla_put(msg, NL80211_ATTR_COALESCE_RULE, sizeof(rule), &rule))
1858 		return -ENOBUFS;
1859 
1860 	return 0;
1861 }
1862 
1863 static int
1864 nl80211_send_iftype_data(struct sk_buff *msg,
1865 			 const struct ieee80211_supported_band *sband,
1866 			 const struct ieee80211_sband_iftype_data *iftdata)
1867 {
1868 	const struct ieee80211_sta_he_cap *he_cap = &iftdata->he_cap;
1869 	const struct ieee80211_sta_eht_cap *eht_cap = &iftdata->eht_cap;
1870 
1871 	if (nl80211_put_iftypes(msg, NL80211_BAND_IFTYPE_ATTR_IFTYPES,
1872 				iftdata->types_mask))
1873 		return -ENOBUFS;
1874 
1875 	if (he_cap->has_he) {
1876 		if (nla_put(msg, NL80211_BAND_IFTYPE_ATTR_HE_CAP_MAC,
1877 			    sizeof(he_cap->he_cap_elem.mac_cap_info),
1878 			    he_cap->he_cap_elem.mac_cap_info) ||
1879 		    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_HE_CAP_PHY,
1880 			    sizeof(he_cap->he_cap_elem.phy_cap_info),
1881 			    he_cap->he_cap_elem.phy_cap_info) ||
1882 		    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_HE_CAP_MCS_SET,
1883 			    sizeof(he_cap->he_mcs_nss_supp),
1884 			    &he_cap->he_mcs_nss_supp) ||
1885 		    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_HE_CAP_PPE,
1886 			    sizeof(he_cap->ppe_thres), he_cap->ppe_thres))
1887 			return -ENOBUFS;
1888 	}
1889 
1890 	if (eht_cap->has_eht && he_cap->has_he) {
1891 		u8 mcs_nss_size, ppe_thresh_size;
1892 		u16 ppe_thres_hdr;
1893 		bool is_ap;
1894 
1895 		is_ap = iftdata->types_mask & BIT(NL80211_IFTYPE_AP) ||
1896 			iftdata->types_mask & BIT(NL80211_IFTYPE_P2P_GO);
1897 
1898 		mcs_nss_size =
1899 			ieee80211_eht_mcs_nss_size(&he_cap->he_cap_elem,
1900 						   &eht_cap->eht_cap_elem,
1901 						   is_ap);
1902 
1903 		ppe_thres_hdr = get_unaligned_le16(&eht_cap->eht_ppe_thres[0]);
1904 		ppe_thresh_size =
1905 			ieee80211_eht_ppe_size(ppe_thres_hdr,
1906 					       eht_cap->eht_cap_elem.phy_cap_info);
1907 
1908 		if (nla_put(msg, NL80211_BAND_IFTYPE_ATTR_EHT_CAP_MAC,
1909 			    sizeof(eht_cap->eht_cap_elem.mac_cap_info),
1910 			    eht_cap->eht_cap_elem.mac_cap_info) ||
1911 		    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_EHT_CAP_PHY,
1912 			    sizeof(eht_cap->eht_cap_elem.phy_cap_info),
1913 			    eht_cap->eht_cap_elem.phy_cap_info) ||
1914 		    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_EHT_CAP_MCS_SET,
1915 			    mcs_nss_size, &eht_cap->eht_mcs_nss_supp) ||
1916 		    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_EHT_CAP_PPE,
1917 			    ppe_thresh_size, eht_cap->eht_ppe_thres))
1918 			return -ENOBUFS;
1919 	}
1920 
1921 	if (sband->band == NL80211_BAND_6GHZ &&
1922 	    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_HE_6GHZ_CAPA,
1923 		    sizeof(iftdata->he_6ghz_capa),
1924 		    &iftdata->he_6ghz_capa))
1925 		return -ENOBUFS;
1926 
1927 	if (iftdata->vendor_elems.data && iftdata->vendor_elems.len &&
1928 	    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_VENDOR_ELEMS,
1929 		    iftdata->vendor_elems.len, iftdata->vendor_elems.data))
1930 		return -ENOBUFS;
1931 
1932 	return 0;
1933 }
1934 
1935 static int nl80211_send_band_rateinfo(struct sk_buff *msg,
1936 				      struct ieee80211_supported_band *sband,
1937 				      bool large)
1938 {
1939 	struct nlattr *nl_rates, *nl_rate;
1940 	struct ieee80211_rate *rate;
1941 	int i;
1942 
1943 	/* add HT info */
1944 	if (sband->ht_cap.ht_supported &&
1945 	    (nla_put(msg, NL80211_BAND_ATTR_HT_MCS_SET,
1946 		     sizeof(sband->ht_cap.mcs),
1947 		     &sband->ht_cap.mcs) ||
1948 	     nla_put_u16(msg, NL80211_BAND_ATTR_HT_CAPA,
1949 			 sband->ht_cap.cap) ||
1950 	     nla_put_u8(msg, NL80211_BAND_ATTR_HT_AMPDU_FACTOR,
1951 			sband->ht_cap.ampdu_factor) ||
1952 	     nla_put_u8(msg, NL80211_BAND_ATTR_HT_AMPDU_DENSITY,
1953 			sband->ht_cap.ampdu_density)))
1954 		return -ENOBUFS;
1955 
1956 	/* add VHT info */
1957 	if (sband->vht_cap.vht_supported &&
1958 	    (nla_put(msg, NL80211_BAND_ATTR_VHT_MCS_SET,
1959 		     sizeof(sband->vht_cap.vht_mcs),
1960 		     &sband->vht_cap.vht_mcs) ||
1961 	     nla_put_u32(msg, NL80211_BAND_ATTR_VHT_CAPA,
1962 			 sband->vht_cap.cap)))
1963 		return -ENOBUFS;
1964 
1965 	if (large && sband->n_iftype_data) {
1966 		struct nlattr *nl_iftype_data =
1967 			nla_nest_start_noflag(msg,
1968 					      NL80211_BAND_ATTR_IFTYPE_DATA);
1969 		const struct ieee80211_sband_iftype_data *iftd;
1970 		int err;
1971 
1972 		if (!nl_iftype_data)
1973 			return -ENOBUFS;
1974 
1975 		for_each_sband_iftype_data(sband, i, iftd) {
1976 			struct nlattr *iftdata;
1977 
1978 			iftdata = nla_nest_start_noflag(msg, i + 1);
1979 			if (!iftdata)
1980 				return -ENOBUFS;
1981 
1982 			err = nl80211_send_iftype_data(msg, sband, iftd);
1983 			if (err)
1984 				return err;
1985 
1986 			nla_nest_end(msg, iftdata);
1987 		}
1988 
1989 		nla_nest_end(msg, nl_iftype_data);
1990 	}
1991 
1992 	/* add EDMG info */
1993 	if (large && sband->edmg_cap.channels &&
1994 	    (nla_put_u8(msg, NL80211_BAND_ATTR_EDMG_CHANNELS,
1995 		       sband->edmg_cap.channels) ||
1996 	    nla_put_u8(msg, NL80211_BAND_ATTR_EDMG_BW_CONFIG,
1997 		       sband->edmg_cap.bw_config)))
1998 
1999 		return -ENOBUFS;
2000 
2001 	/* add bitrates */
2002 	nl_rates = nla_nest_start_noflag(msg, NL80211_BAND_ATTR_RATES);
2003 	if (!nl_rates)
2004 		return -ENOBUFS;
2005 
2006 	for (i = 0; i < sband->n_bitrates; i++) {
2007 		nl_rate = nla_nest_start_noflag(msg, i);
2008 		if (!nl_rate)
2009 			return -ENOBUFS;
2010 
2011 		rate = &sband->bitrates[i];
2012 		if (nla_put_u32(msg, NL80211_BITRATE_ATTR_RATE,
2013 				rate->bitrate))
2014 			return -ENOBUFS;
2015 		if ((rate->flags & IEEE80211_RATE_SHORT_PREAMBLE) &&
2016 		    nla_put_flag(msg,
2017 				 NL80211_BITRATE_ATTR_2GHZ_SHORTPREAMBLE))
2018 			return -ENOBUFS;
2019 
2020 		nla_nest_end(msg, nl_rate);
2021 	}
2022 
2023 	nla_nest_end(msg, nl_rates);
2024 
2025 	/* S1G capabilities */
2026 	if (sband->band == NL80211_BAND_S1GHZ && sband->s1g_cap.s1g &&
2027 	    (nla_put(msg, NL80211_BAND_ATTR_S1G_CAPA,
2028 		     sizeof(sband->s1g_cap.cap),
2029 		     sband->s1g_cap.cap) ||
2030 	     nla_put(msg, NL80211_BAND_ATTR_S1G_MCS_NSS_SET,
2031 		     sizeof(sband->s1g_cap.nss_mcs),
2032 		     sband->s1g_cap.nss_mcs)))
2033 		return -ENOBUFS;
2034 
2035 	return 0;
2036 }
2037 
2038 static int
2039 nl80211_send_mgmt_stypes(struct sk_buff *msg,
2040 			 const struct ieee80211_txrx_stypes *mgmt_stypes)
2041 {
2042 	u16 stypes;
2043 	struct nlattr *nl_ftypes, *nl_ifs;
2044 	enum nl80211_iftype ift;
2045 	int i;
2046 
2047 	if (!mgmt_stypes)
2048 		return 0;
2049 
2050 	nl_ifs = nla_nest_start_noflag(msg, NL80211_ATTR_TX_FRAME_TYPES);
2051 	if (!nl_ifs)
2052 		return -ENOBUFS;
2053 
2054 	for (ift = 0; ift < NUM_NL80211_IFTYPES; ift++) {
2055 		nl_ftypes = nla_nest_start_noflag(msg, ift);
2056 		if (!nl_ftypes)
2057 			return -ENOBUFS;
2058 		i = 0;
2059 		stypes = mgmt_stypes[ift].tx;
2060 		while (stypes) {
2061 			if ((stypes & 1) &&
2062 			    nla_put_u16(msg, NL80211_ATTR_FRAME_TYPE,
2063 					(i << 4) | IEEE80211_FTYPE_MGMT))
2064 				return -ENOBUFS;
2065 			stypes >>= 1;
2066 			i++;
2067 		}
2068 		nla_nest_end(msg, nl_ftypes);
2069 	}
2070 
2071 	nla_nest_end(msg, nl_ifs);
2072 
2073 	nl_ifs = nla_nest_start_noflag(msg, NL80211_ATTR_RX_FRAME_TYPES);
2074 	if (!nl_ifs)
2075 		return -ENOBUFS;
2076 
2077 	for (ift = 0; ift < NUM_NL80211_IFTYPES; ift++) {
2078 		nl_ftypes = nla_nest_start_noflag(msg, ift);
2079 		if (!nl_ftypes)
2080 			return -ENOBUFS;
2081 		i = 0;
2082 		stypes = mgmt_stypes[ift].rx;
2083 		while (stypes) {
2084 			if ((stypes & 1) &&
2085 			    nla_put_u16(msg, NL80211_ATTR_FRAME_TYPE,
2086 					(i << 4) | IEEE80211_FTYPE_MGMT))
2087 				return -ENOBUFS;
2088 			stypes >>= 1;
2089 			i++;
2090 		}
2091 		nla_nest_end(msg, nl_ftypes);
2092 	}
2093 	nla_nest_end(msg, nl_ifs);
2094 
2095 	return 0;
2096 }
2097 
2098 #define CMD(op, n)							\
2099 	 do {								\
2100 		if (rdev->ops->op) {					\
2101 			i++;						\
2102 			if (nla_put_u32(msg, i, NL80211_CMD_ ## n)) 	\
2103 				goto nla_put_failure;			\
2104 		}							\
2105 	} while (0)
2106 
2107 static int nl80211_add_commands_unsplit(struct cfg80211_registered_device *rdev,
2108 					struct sk_buff *msg)
2109 {
2110 	int i = 0;
2111 
2112 	/*
2113 	 * do *NOT* add anything into this function, new things need to be
2114 	 * advertised only to new versions of userspace that can deal with
2115 	 * the split (and they can't possibly care about new features...
2116 	 */
2117 	CMD(add_virtual_intf, NEW_INTERFACE);
2118 	CMD(change_virtual_intf, SET_INTERFACE);
2119 	CMD(add_key, NEW_KEY);
2120 	CMD(start_ap, START_AP);
2121 	CMD(add_station, NEW_STATION);
2122 	CMD(add_mpath, NEW_MPATH);
2123 	CMD(update_mesh_config, SET_MESH_CONFIG);
2124 	CMD(change_bss, SET_BSS);
2125 	CMD(auth, AUTHENTICATE);
2126 	CMD(assoc, ASSOCIATE);
2127 	CMD(deauth, DEAUTHENTICATE);
2128 	CMD(disassoc, DISASSOCIATE);
2129 	CMD(join_ibss, JOIN_IBSS);
2130 	CMD(join_mesh, JOIN_MESH);
2131 	CMD(set_pmksa, SET_PMKSA);
2132 	CMD(del_pmksa, DEL_PMKSA);
2133 	CMD(flush_pmksa, FLUSH_PMKSA);
2134 	if (rdev->wiphy.flags & WIPHY_FLAG_HAS_REMAIN_ON_CHANNEL)
2135 		CMD(remain_on_channel, REMAIN_ON_CHANNEL);
2136 	CMD(set_bitrate_mask, SET_TX_BITRATE_MASK);
2137 	CMD(mgmt_tx, FRAME);
2138 	CMD(mgmt_tx_cancel_wait, FRAME_WAIT_CANCEL);
2139 	if (rdev->wiphy.flags & WIPHY_FLAG_NETNS_OK) {
2140 		i++;
2141 		if (nla_put_u32(msg, i, NL80211_CMD_SET_WIPHY_NETNS))
2142 			goto nla_put_failure;
2143 	}
2144 	if (rdev->ops->set_monitor_channel || rdev->ops->start_ap ||
2145 	    rdev->ops->join_mesh) {
2146 		i++;
2147 		if (nla_put_u32(msg, i, NL80211_CMD_SET_CHANNEL))
2148 			goto nla_put_failure;
2149 	}
2150 	if (rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) {
2151 		CMD(tdls_mgmt, TDLS_MGMT);
2152 		CMD(tdls_oper, TDLS_OPER);
2153 	}
2154 	if (rdev->wiphy.max_sched_scan_reqs)
2155 		CMD(sched_scan_start, START_SCHED_SCAN);
2156 	CMD(probe_client, PROBE_CLIENT);
2157 	CMD(set_noack_map, SET_NOACK_MAP);
2158 	if (rdev->wiphy.flags & WIPHY_FLAG_REPORTS_OBSS) {
2159 		i++;
2160 		if (nla_put_u32(msg, i, NL80211_CMD_REGISTER_BEACONS))
2161 			goto nla_put_failure;
2162 	}
2163 	CMD(start_p2p_device, START_P2P_DEVICE);
2164 	CMD(set_mcast_rate, SET_MCAST_RATE);
2165 #ifdef CONFIG_NL80211_TESTMODE
2166 	CMD(testmode_cmd, TESTMODE);
2167 #endif
2168 
2169 	if (rdev->ops->connect || rdev->ops->auth) {
2170 		i++;
2171 		if (nla_put_u32(msg, i, NL80211_CMD_CONNECT))
2172 			goto nla_put_failure;
2173 	}
2174 
2175 	if (rdev->ops->disconnect || rdev->ops->deauth) {
2176 		i++;
2177 		if (nla_put_u32(msg, i, NL80211_CMD_DISCONNECT))
2178 			goto nla_put_failure;
2179 	}
2180 
2181 	return i;
2182  nla_put_failure:
2183 	return -ENOBUFS;
2184 }
2185 
2186 static int
2187 nl80211_send_pmsr_ftm_capa(const struct cfg80211_pmsr_capabilities *cap,
2188 			   struct sk_buff *msg)
2189 {
2190 	struct nlattr *ftm;
2191 
2192 	if (!cap->ftm.supported)
2193 		return 0;
2194 
2195 	ftm = nla_nest_start_noflag(msg, NL80211_PMSR_TYPE_FTM);
2196 	if (!ftm)
2197 		return -ENOBUFS;
2198 
2199 	if (cap->ftm.asap && nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_ASAP))
2200 		return -ENOBUFS;
2201 	if (cap->ftm.non_asap &&
2202 	    nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_NON_ASAP))
2203 		return -ENOBUFS;
2204 	if (cap->ftm.request_lci &&
2205 	    nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_REQ_LCI))
2206 		return -ENOBUFS;
2207 	if (cap->ftm.request_civicloc &&
2208 	    nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_REQ_CIVICLOC))
2209 		return -ENOBUFS;
2210 	if (nla_put_u32(msg, NL80211_PMSR_FTM_CAPA_ATTR_PREAMBLES,
2211 			cap->ftm.preambles))
2212 		return -ENOBUFS;
2213 	if (nla_put_u32(msg, NL80211_PMSR_FTM_CAPA_ATTR_BANDWIDTHS,
2214 			cap->ftm.bandwidths))
2215 		return -ENOBUFS;
2216 	if (cap->ftm.max_bursts_exponent >= 0 &&
2217 	    nla_put_u32(msg, NL80211_PMSR_FTM_CAPA_ATTR_MAX_BURSTS_EXPONENT,
2218 			cap->ftm.max_bursts_exponent))
2219 		return -ENOBUFS;
2220 	if (cap->ftm.max_ftms_per_burst &&
2221 	    nla_put_u32(msg, NL80211_PMSR_FTM_CAPA_ATTR_MAX_FTMS_PER_BURST,
2222 			cap->ftm.max_ftms_per_burst))
2223 		return -ENOBUFS;
2224 	if (cap->ftm.trigger_based &&
2225 	    nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_TRIGGER_BASED))
2226 		return -ENOBUFS;
2227 	if (cap->ftm.non_trigger_based &&
2228 	    nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_NON_TRIGGER_BASED))
2229 		return -ENOBUFS;
2230 
2231 	nla_nest_end(msg, ftm);
2232 	return 0;
2233 }
2234 
2235 static int nl80211_send_pmsr_capa(struct cfg80211_registered_device *rdev,
2236 				  struct sk_buff *msg)
2237 {
2238 	const struct cfg80211_pmsr_capabilities *cap = rdev->wiphy.pmsr_capa;
2239 	struct nlattr *pmsr, *caps;
2240 
2241 	if (!cap)
2242 		return 0;
2243 
2244 	/*
2245 	 * we don't need to clean up anything here since the caller
2246 	 * will genlmsg_cancel() if we fail
2247 	 */
2248 
2249 	pmsr = nla_nest_start_noflag(msg, NL80211_ATTR_PEER_MEASUREMENTS);
2250 	if (!pmsr)
2251 		return -ENOBUFS;
2252 
2253 	if (nla_put_u32(msg, NL80211_PMSR_ATTR_MAX_PEERS, cap->max_peers))
2254 		return -ENOBUFS;
2255 
2256 	if (cap->report_ap_tsf &&
2257 	    nla_put_flag(msg, NL80211_PMSR_ATTR_REPORT_AP_TSF))
2258 		return -ENOBUFS;
2259 
2260 	if (cap->randomize_mac_addr &&
2261 	    nla_put_flag(msg, NL80211_PMSR_ATTR_RANDOMIZE_MAC_ADDR))
2262 		return -ENOBUFS;
2263 
2264 	caps = nla_nest_start_noflag(msg, NL80211_PMSR_ATTR_TYPE_CAPA);
2265 	if (!caps)
2266 		return -ENOBUFS;
2267 
2268 	if (nl80211_send_pmsr_ftm_capa(cap, msg))
2269 		return -ENOBUFS;
2270 
2271 	nla_nest_end(msg, caps);
2272 	nla_nest_end(msg, pmsr);
2273 
2274 	return 0;
2275 }
2276 
2277 static int
2278 nl80211_put_iftype_akm_suites(struct cfg80211_registered_device *rdev,
2279 			      struct sk_buff *msg)
2280 {
2281 	int i;
2282 	struct nlattr *nested, *nested_akms;
2283 	const struct wiphy_iftype_akm_suites *iftype_akms;
2284 
2285 	if (!rdev->wiphy.num_iftype_akm_suites ||
2286 	    !rdev->wiphy.iftype_akm_suites)
2287 		return 0;
2288 
2289 	nested = nla_nest_start(msg, NL80211_ATTR_IFTYPE_AKM_SUITES);
2290 	if (!nested)
2291 		return -ENOBUFS;
2292 
2293 	for (i = 0; i < rdev->wiphy.num_iftype_akm_suites; i++) {
2294 		nested_akms = nla_nest_start(msg, i + 1);
2295 		if (!nested_akms)
2296 			return -ENOBUFS;
2297 
2298 		iftype_akms = &rdev->wiphy.iftype_akm_suites[i];
2299 
2300 		if (nl80211_put_iftypes(msg, NL80211_IFTYPE_AKM_ATTR_IFTYPES,
2301 					iftype_akms->iftypes_mask))
2302 			return -ENOBUFS;
2303 
2304 		if (nla_put(msg, NL80211_IFTYPE_AKM_ATTR_SUITES,
2305 			    sizeof(u32) * iftype_akms->n_akm_suites,
2306 			    iftype_akms->akm_suites)) {
2307 			return -ENOBUFS;
2308 		}
2309 		nla_nest_end(msg, nested_akms);
2310 	}
2311 
2312 	nla_nest_end(msg, nested);
2313 
2314 	return 0;
2315 }
2316 
2317 static int
2318 nl80211_put_tid_config_support(struct cfg80211_registered_device *rdev,
2319 			       struct sk_buff *msg)
2320 {
2321 	struct nlattr *supp;
2322 
2323 	if (!rdev->wiphy.tid_config_support.vif &&
2324 	    !rdev->wiphy.tid_config_support.peer)
2325 		return 0;
2326 
2327 	supp = nla_nest_start(msg, NL80211_ATTR_TID_CONFIG);
2328 	if (!supp)
2329 		return -ENOSPC;
2330 
2331 	if (rdev->wiphy.tid_config_support.vif &&
2332 	    nla_put_u64_64bit(msg, NL80211_TID_CONFIG_ATTR_VIF_SUPP,
2333 			      rdev->wiphy.tid_config_support.vif,
2334 			      NL80211_TID_CONFIG_ATTR_PAD))
2335 		goto fail;
2336 
2337 	if (rdev->wiphy.tid_config_support.peer &&
2338 	    nla_put_u64_64bit(msg, NL80211_TID_CONFIG_ATTR_PEER_SUPP,
2339 			      rdev->wiphy.tid_config_support.peer,
2340 			      NL80211_TID_CONFIG_ATTR_PAD))
2341 		goto fail;
2342 
2343 	/* for now we just use the same value ... makes more sense */
2344 	if (nla_put_u8(msg, NL80211_TID_CONFIG_ATTR_RETRY_SHORT,
2345 		       rdev->wiphy.tid_config_support.max_retry))
2346 		goto fail;
2347 	if (nla_put_u8(msg, NL80211_TID_CONFIG_ATTR_RETRY_LONG,
2348 		       rdev->wiphy.tid_config_support.max_retry))
2349 		goto fail;
2350 
2351 	nla_nest_end(msg, supp);
2352 
2353 	return 0;
2354 fail:
2355 	nla_nest_cancel(msg, supp);
2356 	return -ENOBUFS;
2357 }
2358 
2359 static int
2360 nl80211_put_sar_specs(struct cfg80211_registered_device *rdev,
2361 		      struct sk_buff *msg)
2362 {
2363 	struct nlattr *sar_capa, *specs, *sub_freq_range;
2364 	u8 num_freq_ranges;
2365 	int i;
2366 
2367 	if (!rdev->wiphy.sar_capa)
2368 		return 0;
2369 
2370 	num_freq_ranges = rdev->wiphy.sar_capa->num_freq_ranges;
2371 
2372 	sar_capa = nla_nest_start(msg, NL80211_ATTR_SAR_SPEC);
2373 	if (!sar_capa)
2374 		return -ENOSPC;
2375 
2376 	if (nla_put_u32(msg, NL80211_SAR_ATTR_TYPE, rdev->wiphy.sar_capa->type))
2377 		goto fail;
2378 
2379 	specs = nla_nest_start(msg, NL80211_SAR_ATTR_SPECS);
2380 	if (!specs)
2381 		goto fail;
2382 
2383 	/* report supported freq_ranges */
2384 	for (i = 0; i < num_freq_ranges; i++) {
2385 		sub_freq_range = nla_nest_start(msg, i + 1);
2386 		if (!sub_freq_range)
2387 			goto fail;
2388 
2389 		if (nla_put_u32(msg, NL80211_SAR_ATTR_SPECS_START_FREQ,
2390 				rdev->wiphy.sar_capa->freq_ranges[i].start_freq))
2391 			goto fail;
2392 
2393 		if (nla_put_u32(msg, NL80211_SAR_ATTR_SPECS_END_FREQ,
2394 				rdev->wiphy.sar_capa->freq_ranges[i].end_freq))
2395 			goto fail;
2396 
2397 		nla_nest_end(msg, sub_freq_range);
2398 	}
2399 
2400 	nla_nest_end(msg, specs);
2401 	nla_nest_end(msg, sar_capa);
2402 
2403 	return 0;
2404 fail:
2405 	nla_nest_cancel(msg, sar_capa);
2406 	return -ENOBUFS;
2407 }
2408 
2409 static int nl80211_put_mbssid_support(struct wiphy *wiphy, struct sk_buff *msg)
2410 {
2411 	struct nlattr *config;
2412 
2413 	if (!wiphy->mbssid_max_interfaces)
2414 		return 0;
2415 
2416 	config = nla_nest_start(msg, NL80211_ATTR_MBSSID_CONFIG);
2417 	if (!config)
2418 		return -ENOBUFS;
2419 
2420 	if (nla_put_u8(msg, NL80211_MBSSID_CONFIG_ATTR_MAX_INTERFACES,
2421 		       wiphy->mbssid_max_interfaces))
2422 		goto fail;
2423 
2424 	if (wiphy->ema_max_profile_periodicity &&
2425 	    nla_put_u8(msg,
2426 		       NL80211_MBSSID_CONFIG_ATTR_MAX_EMA_PROFILE_PERIODICITY,
2427 		       wiphy->ema_max_profile_periodicity))
2428 		goto fail;
2429 
2430 	nla_nest_end(msg, config);
2431 	return 0;
2432 
2433 fail:
2434 	nla_nest_cancel(msg, config);
2435 	return -ENOBUFS;
2436 }
2437 
2438 static int nl80211_put_radio(struct wiphy *wiphy, struct sk_buff *msg, int idx)
2439 {
2440 	const struct wiphy_radio *r = &wiphy->radio[idx];
2441 	struct nlattr *radio, *freq;
2442 	int i;
2443 
2444 	radio = nla_nest_start(msg, idx);
2445 	if (!radio)
2446 		return -ENOBUFS;
2447 
2448 	if (nla_put_u32(msg, NL80211_WIPHY_RADIO_ATTR_INDEX, idx))
2449 		goto nla_put_failure;
2450 
2451 	if (r->antenna_mask &&
2452 	    nla_put_u32(msg, NL80211_WIPHY_RADIO_ATTR_ANTENNA_MASK,
2453 			r->antenna_mask))
2454 		goto nla_put_failure;
2455 
2456 	for (i = 0; i < r->n_freq_range; i++) {
2457 		const struct wiphy_radio_freq_range *range = &r->freq_range[i];
2458 
2459 		freq = nla_nest_start(msg, NL80211_WIPHY_RADIO_ATTR_FREQ_RANGE);
2460 		if (!freq)
2461 			goto nla_put_failure;
2462 
2463 		if (nla_put_u32(msg, NL80211_WIPHY_RADIO_FREQ_ATTR_START,
2464 				range->start_freq) ||
2465 		    nla_put_u32(msg, NL80211_WIPHY_RADIO_FREQ_ATTR_END,
2466 				range->end_freq))
2467 			goto nla_put_failure;
2468 
2469 		nla_nest_end(msg, freq);
2470 	}
2471 
2472 	for (i = 0; i < r->n_iface_combinations; i++)
2473 		if (nl80211_put_ifcomb_data(msg, true,
2474 					    NL80211_WIPHY_RADIO_ATTR_INTERFACE_COMBINATION,
2475 					    &r->iface_combinations[i],
2476 					    NLA_F_NESTED))
2477 			goto nla_put_failure;
2478 
2479 	nla_nest_end(msg, radio);
2480 
2481 	return 0;
2482 
2483 nla_put_failure:
2484 	return -ENOBUFS;
2485 }
2486 
2487 static int nl80211_put_radios(struct wiphy *wiphy, struct sk_buff *msg)
2488 {
2489 	struct nlattr *radios;
2490 	int i;
2491 
2492 	if (!wiphy->n_radio)
2493 		return 0;
2494 
2495 	radios = nla_nest_start(msg, NL80211_ATTR_WIPHY_RADIOS);
2496 	if (!radios)
2497 		return -ENOBUFS;
2498 
2499 	for (i = 0; i < wiphy->n_radio; i++)
2500 		if (nl80211_put_radio(wiphy, msg, i))
2501 			goto fail;
2502 
2503 	nla_nest_end(msg, radios);
2504 
2505 	if (nl80211_put_iface_combinations(wiphy, msg,
2506 					   NL80211_ATTR_WIPHY_INTERFACE_COMBINATIONS,
2507 					   -1, true, NLA_F_NESTED))
2508 		return -ENOBUFS;
2509 
2510 	return 0;
2511 
2512 fail:
2513 	nla_nest_cancel(msg, radios);
2514 	return -ENOBUFS;
2515 }
2516 
2517 struct nl80211_dump_wiphy_state {
2518 	s64 filter_wiphy;
2519 	long start;
2520 	long split_start, band_start, chan_start, capa_start;
2521 	bool split;
2522 };
2523 
2524 static int nl80211_send_wiphy(struct cfg80211_registered_device *rdev,
2525 			      enum nl80211_commands cmd,
2526 			      struct sk_buff *msg, u32 portid, u32 seq,
2527 			      int flags, struct nl80211_dump_wiphy_state *state)
2528 {
2529 	void *hdr;
2530 	struct nlattr *nl_bands, *nl_band;
2531 	struct nlattr *nl_freqs, *nl_freq;
2532 	struct nlattr *nl_cmds;
2533 	enum nl80211_band band;
2534 	struct ieee80211_channel *chan;
2535 	int i;
2536 	const struct ieee80211_txrx_stypes *mgmt_stypes =
2537 				rdev->wiphy.mgmt_stypes;
2538 	u32 features;
2539 
2540 	hdr = nl80211hdr_put(msg, portid, seq, flags, cmd);
2541 	if (!hdr)
2542 		return -ENOBUFS;
2543 
2544 	if (WARN_ON(!state))
2545 		return -EINVAL;
2546 
2547 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
2548 	    nla_put_string(msg, NL80211_ATTR_WIPHY_NAME,
2549 			   wiphy_name(&rdev->wiphy)) ||
2550 	    nla_put_u32(msg, NL80211_ATTR_GENERATION,
2551 			cfg80211_rdev_list_generation))
2552 		goto nla_put_failure;
2553 
2554 	if (cmd != NL80211_CMD_NEW_WIPHY)
2555 		goto finish;
2556 
2557 	switch (state->split_start) {
2558 	case 0:
2559 		if (nla_put_u8(msg, NL80211_ATTR_WIPHY_RETRY_SHORT,
2560 			       rdev->wiphy.retry_short) ||
2561 		    nla_put_u8(msg, NL80211_ATTR_WIPHY_RETRY_LONG,
2562 			       rdev->wiphy.retry_long) ||
2563 		    nla_put_u32(msg, NL80211_ATTR_WIPHY_FRAG_THRESHOLD,
2564 				rdev->wiphy.frag_threshold) ||
2565 		    nla_put_u32(msg, NL80211_ATTR_WIPHY_RTS_THRESHOLD,
2566 				rdev->wiphy.rts_threshold) ||
2567 		    nla_put_u8(msg, NL80211_ATTR_WIPHY_COVERAGE_CLASS,
2568 			       rdev->wiphy.coverage_class) ||
2569 		    nla_put_u8(msg, NL80211_ATTR_MAX_NUM_SCAN_SSIDS,
2570 			       rdev->wiphy.max_scan_ssids) ||
2571 		    nla_put_u8(msg, NL80211_ATTR_MAX_NUM_SCHED_SCAN_SSIDS,
2572 			       rdev->wiphy.max_sched_scan_ssids) ||
2573 		    nla_put_u16(msg, NL80211_ATTR_MAX_SCAN_IE_LEN,
2574 				rdev->wiphy.max_scan_ie_len) ||
2575 		    nla_put_u16(msg, NL80211_ATTR_MAX_SCHED_SCAN_IE_LEN,
2576 				rdev->wiphy.max_sched_scan_ie_len) ||
2577 		    nla_put_u8(msg, NL80211_ATTR_MAX_MATCH_SETS,
2578 			       rdev->wiphy.max_match_sets))
2579 			goto nla_put_failure;
2580 
2581 		if ((rdev->wiphy.flags & WIPHY_FLAG_IBSS_RSN) &&
2582 		    nla_put_flag(msg, NL80211_ATTR_SUPPORT_IBSS_RSN))
2583 			goto nla_put_failure;
2584 		if ((rdev->wiphy.flags & WIPHY_FLAG_MESH_AUTH) &&
2585 		    nla_put_flag(msg, NL80211_ATTR_SUPPORT_MESH_AUTH))
2586 			goto nla_put_failure;
2587 		if ((rdev->wiphy.flags & WIPHY_FLAG_AP_UAPSD) &&
2588 		    nla_put_flag(msg, NL80211_ATTR_SUPPORT_AP_UAPSD))
2589 			goto nla_put_failure;
2590 		if ((rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_FW_ROAM) &&
2591 		    nla_put_flag(msg, NL80211_ATTR_ROAM_SUPPORT))
2592 			goto nla_put_failure;
2593 		if ((rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) &&
2594 		    nla_put_flag(msg, NL80211_ATTR_TDLS_SUPPORT))
2595 			goto nla_put_failure;
2596 		if ((rdev->wiphy.flags & WIPHY_FLAG_TDLS_EXTERNAL_SETUP) &&
2597 		    nla_put_flag(msg, NL80211_ATTR_TDLS_EXTERNAL_SETUP))
2598 			goto nla_put_failure;
2599 		state->split_start++;
2600 		if (state->split)
2601 			break;
2602 		fallthrough;
2603 	case 1:
2604 		if (nla_put(msg, NL80211_ATTR_CIPHER_SUITES,
2605 			    sizeof(u32) * rdev->wiphy.n_cipher_suites,
2606 			    rdev->wiphy.cipher_suites))
2607 			goto nla_put_failure;
2608 
2609 		if (nla_put_u8(msg, NL80211_ATTR_MAX_NUM_PMKIDS,
2610 			       rdev->wiphy.max_num_pmkids))
2611 			goto nla_put_failure;
2612 
2613 		if ((rdev->wiphy.flags & WIPHY_FLAG_CONTROL_PORT_PROTOCOL) &&
2614 		    nla_put_flag(msg, NL80211_ATTR_CONTROL_PORT_ETHERTYPE))
2615 			goto nla_put_failure;
2616 
2617 		if (nla_put_u32(msg, NL80211_ATTR_WIPHY_ANTENNA_AVAIL_TX,
2618 				rdev->wiphy.available_antennas_tx) ||
2619 		    nla_put_u32(msg, NL80211_ATTR_WIPHY_ANTENNA_AVAIL_RX,
2620 				rdev->wiphy.available_antennas_rx))
2621 			goto nla_put_failure;
2622 
2623 		if ((rdev->wiphy.flags & WIPHY_FLAG_AP_PROBE_RESP_OFFLOAD) &&
2624 		    nla_put_u32(msg, NL80211_ATTR_PROBE_RESP_OFFLOAD,
2625 				rdev->wiphy.probe_resp_offload))
2626 			goto nla_put_failure;
2627 
2628 		if ((rdev->wiphy.available_antennas_tx ||
2629 		     rdev->wiphy.available_antennas_rx) &&
2630 		    rdev->ops->get_antenna) {
2631 			u32 tx_ant = 0, rx_ant = 0;
2632 			int res;
2633 
2634 			res = rdev_get_antenna(rdev, &tx_ant, &rx_ant);
2635 			if (!res) {
2636 				if (nla_put_u32(msg,
2637 						NL80211_ATTR_WIPHY_ANTENNA_TX,
2638 						tx_ant) ||
2639 				    nla_put_u32(msg,
2640 						NL80211_ATTR_WIPHY_ANTENNA_RX,
2641 						rx_ant))
2642 					goto nla_put_failure;
2643 			}
2644 		}
2645 
2646 		state->split_start++;
2647 		if (state->split)
2648 			break;
2649 		fallthrough;
2650 	case 2:
2651 		if (nl80211_put_iftypes(msg, NL80211_ATTR_SUPPORTED_IFTYPES,
2652 					rdev->wiphy.interface_modes))
2653 				goto nla_put_failure;
2654 		state->split_start++;
2655 		if (state->split)
2656 			break;
2657 		fallthrough;
2658 	case 3:
2659 		nl_bands = nla_nest_start_noflag(msg,
2660 						 NL80211_ATTR_WIPHY_BANDS);
2661 		if (!nl_bands)
2662 			goto nla_put_failure;
2663 
2664 		for (band = state->band_start;
2665 		     band < (state->split ?
2666 				NUM_NL80211_BANDS :
2667 				NL80211_BAND_60GHZ + 1);
2668 		     band++) {
2669 			struct ieee80211_supported_band *sband;
2670 
2671 			/* omit higher bands for ancient software */
2672 			if (band > NL80211_BAND_5GHZ && !state->split)
2673 				break;
2674 
2675 			sband = rdev->wiphy.bands[band];
2676 
2677 			if (!sband)
2678 				continue;
2679 
2680 			nl_band = nla_nest_start_noflag(msg, band);
2681 			if (!nl_band)
2682 				goto nla_put_failure;
2683 
2684 			switch (state->chan_start) {
2685 			case 0:
2686 				if (nl80211_send_band_rateinfo(msg, sband,
2687 							       state->split))
2688 					goto nla_put_failure;
2689 				state->chan_start++;
2690 				if (state->split)
2691 					break;
2692 				fallthrough;
2693 			default:
2694 				/* add frequencies */
2695 				nl_freqs = nla_nest_start_noflag(msg,
2696 								 NL80211_BAND_ATTR_FREQS);
2697 				if (!nl_freqs)
2698 					goto nla_put_failure;
2699 
2700 				for (i = state->chan_start - 1;
2701 				     i < sband->n_channels;
2702 				     i++) {
2703 					nl_freq = nla_nest_start_noflag(msg,
2704 									i);
2705 					if (!nl_freq)
2706 						goto nla_put_failure;
2707 
2708 					chan = &sband->channels[i];
2709 
2710 					if (nl80211_msg_put_channel(
2711 							msg, &rdev->wiphy, chan,
2712 							state->split))
2713 						goto nla_put_failure;
2714 
2715 					nla_nest_end(msg, nl_freq);
2716 					if (state->split)
2717 						break;
2718 				}
2719 				if (i < sband->n_channels)
2720 					state->chan_start = i + 2;
2721 				else
2722 					state->chan_start = 0;
2723 				nla_nest_end(msg, nl_freqs);
2724 			}
2725 
2726 			nla_nest_end(msg, nl_band);
2727 
2728 			if (state->split) {
2729 				/* start again here */
2730 				if (state->chan_start)
2731 					band--;
2732 				break;
2733 			}
2734 		}
2735 		nla_nest_end(msg, nl_bands);
2736 
2737 		if (band < NUM_NL80211_BANDS)
2738 			state->band_start = band + 1;
2739 		else
2740 			state->band_start = 0;
2741 
2742 		/* if bands & channels are done, continue outside */
2743 		if (state->band_start == 0 && state->chan_start == 0)
2744 			state->split_start++;
2745 		if (state->split)
2746 			break;
2747 		fallthrough;
2748 	case 4:
2749 		nl_cmds = nla_nest_start_noflag(msg,
2750 						NL80211_ATTR_SUPPORTED_COMMANDS);
2751 		if (!nl_cmds)
2752 			goto nla_put_failure;
2753 
2754 		i = nl80211_add_commands_unsplit(rdev, msg);
2755 		if (i < 0)
2756 			goto nla_put_failure;
2757 		if (state->split) {
2758 			CMD(crit_proto_start, CRIT_PROTOCOL_START);
2759 			CMD(crit_proto_stop, CRIT_PROTOCOL_STOP);
2760 			if (rdev->wiphy.flags & WIPHY_FLAG_HAS_CHANNEL_SWITCH)
2761 				CMD(channel_switch, CHANNEL_SWITCH);
2762 			CMD(set_qos_map, SET_QOS_MAP);
2763 			if (rdev->wiphy.features &
2764 					NL80211_FEATURE_SUPPORTS_WMM_ADMISSION)
2765 				CMD(add_tx_ts, ADD_TX_TS);
2766 			CMD(set_multicast_to_unicast, SET_MULTICAST_TO_UNICAST);
2767 			CMD(update_connect_params, UPDATE_CONNECT_PARAMS);
2768 			CMD(update_ft_ies, UPDATE_FT_IES);
2769 			if (rdev->wiphy.sar_capa)
2770 				CMD(set_sar_specs, SET_SAR_SPECS);
2771 		}
2772 #undef CMD
2773 
2774 		nla_nest_end(msg, nl_cmds);
2775 		state->split_start++;
2776 		if (state->split)
2777 			break;
2778 		fallthrough;
2779 	case 5:
2780 		if (rdev->ops->remain_on_channel &&
2781 		    (rdev->wiphy.flags & WIPHY_FLAG_HAS_REMAIN_ON_CHANNEL) &&
2782 		    nla_put_u32(msg,
2783 				NL80211_ATTR_MAX_REMAIN_ON_CHANNEL_DURATION,
2784 				rdev->wiphy.max_remain_on_channel_duration))
2785 			goto nla_put_failure;
2786 
2787 		if ((rdev->wiphy.flags & WIPHY_FLAG_OFFCHAN_TX) &&
2788 		    nla_put_flag(msg, NL80211_ATTR_OFFCHANNEL_TX_OK))
2789 			goto nla_put_failure;
2790 
2791 		state->split_start++;
2792 		if (state->split)
2793 			break;
2794 		fallthrough;
2795 	case 6:
2796 #ifdef CONFIG_PM
2797 		if (nl80211_send_wowlan(msg, rdev, state->split))
2798 			goto nla_put_failure;
2799 		state->split_start++;
2800 		if (state->split)
2801 			break;
2802 #else
2803 		state->split_start++;
2804 #endif
2805 		fallthrough;
2806 	case 7:
2807 		if (nl80211_put_iftypes(msg, NL80211_ATTR_SOFTWARE_IFTYPES,
2808 					rdev->wiphy.software_iftypes))
2809 			goto nla_put_failure;
2810 
2811 		if (nl80211_put_iface_combinations(&rdev->wiphy, msg,
2812 						   NL80211_ATTR_INTERFACE_COMBINATIONS,
2813 						   rdev->wiphy.n_radio ? 0 : -1,
2814 						   state->split, 0))
2815 			goto nla_put_failure;
2816 
2817 		state->split_start++;
2818 		if (state->split)
2819 			break;
2820 		fallthrough;
2821 	case 8:
2822 		if ((rdev->wiphy.flags & WIPHY_FLAG_HAVE_AP_SME) &&
2823 		    nla_put_u32(msg, NL80211_ATTR_DEVICE_AP_SME,
2824 				rdev->wiphy.ap_sme_capa))
2825 			goto nla_put_failure;
2826 
2827 		features = rdev->wiphy.features;
2828 		/*
2829 		 * We can only add the per-channel limit information if the
2830 		 * dump is split, otherwise it makes it too big. Therefore
2831 		 * only advertise it in that case.
2832 		 */
2833 		if (state->split)
2834 			features |= NL80211_FEATURE_ADVERTISE_CHAN_LIMITS;
2835 		if (nla_put_u32(msg, NL80211_ATTR_FEATURE_FLAGS, features))
2836 			goto nla_put_failure;
2837 
2838 		if (rdev->wiphy.ht_capa_mod_mask &&
2839 		    nla_put(msg, NL80211_ATTR_HT_CAPABILITY_MASK,
2840 			    sizeof(*rdev->wiphy.ht_capa_mod_mask),
2841 			    rdev->wiphy.ht_capa_mod_mask))
2842 			goto nla_put_failure;
2843 
2844 		if (rdev->wiphy.flags & WIPHY_FLAG_HAVE_AP_SME &&
2845 		    rdev->wiphy.max_acl_mac_addrs &&
2846 		    nla_put_u32(msg, NL80211_ATTR_MAC_ACL_MAX,
2847 				rdev->wiphy.max_acl_mac_addrs))
2848 			goto nla_put_failure;
2849 
2850 		/*
2851 		 * Any information below this point is only available to
2852 		 * applications that can deal with it being split. This
2853 		 * helps ensure that newly added capabilities don't break
2854 		 * older tools by overrunning their buffers.
2855 		 *
2856 		 * We still increment split_start so that in the split
2857 		 * case we'll continue with more data in the next round,
2858 		 * but break unconditionally so unsplit data stops here.
2859 		 */
2860 		if (state->split)
2861 			state->split_start++;
2862 		else
2863 			state->split_start = 0;
2864 		break;
2865 	case 9:
2866 		if (nl80211_send_mgmt_stypes(msg, mgmt_stypes))
2867 			goto nla_put_failure;
2868 
2869 		if (nla_put_u32(msg, NL80211_ATTR_MAX_NUM_SCHED_SCAN_PLANS,
2870 				rdev->wiphy.max_sched_scan_plans) ||
2871 		    nla_put_u32(msg, NL80211_ATTR_MAX_SCAN_PLAN_INTERVAL,
2872 				rdev->wiphy.max_sched_scan_plan_interval) ||
2873 		    nla_put_u32(msg, NL80211_ATTR_MAX_SCAN_PLAN_ITERATIONS,
2874 				rdev->wiphy.max_sched_scan_plan_iterations))
2875 			goto nla_put_failure;
2876 
2877 		if (rdev->wiphy.extended_capabilities &&
2878 		    (nla_put(msg, NL80211_ATTR_EXT_CAPA,
2879 			     rdev->wiphy.extended_capabilities_len,
2880 			     rdev->wiphy.extended_capabilities) ||
2881 		     nla_put(msg, NL80211_ATTR_EXT_CAPA_MASK,
2882 			     rdev->wiphy.extended_capabilities_len,
2883 			     rdev->wiphy.extended_capabilities_mask)))
2884 			goto nla_put_failure;
2885 
2886 		if (rdev->wiphy.vht_capa_mod_mask &&
2887 		    nla_put(msg, NL80211_ATTR_VHT_CAPABILITY_MASK,
2888 			    sizeof(*rdev->wiphy.vht_capa_mod_mask),
2889 			    rdev->wiphy.vht_capa_mod_mask))
2890 			goto nla_put_failure;
2891 
2892 		if (nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN,
2893 			    rdev->wiphy.perm_addr))
2894 			goto nla_put_failure;
2895 
2896 		if (!is_zero_ether_addr(rdev->wiphy.addr_mask) &&
2897 		    nla_put(msg, NL80211_ATTR_MAC_MASK, ETH_ALEN,
2898 			    rdev->wiphy.addr_mask))
2899 			goto nla_put_failure;
2900 
2901 		if (rdev->wiphy.n_addresses > 1) {
2902 			void *attr;
2903 
2904 			attr = nla_nest_start(msg, NL80211_ATTR_MAC_ADDRS);
2905 			if (!attr)
2906 				goto nla_put_failure;
2907 
2908 			for (i = 0; i < rdev->wiphy.n_addresses; i++)
2909 				if (nla_put(msg, i + 1, ETH_ALEN,
2910 					    rdev->wiphy.addresses[i].addr))
2911 					goto nla_put_failure;
2912 
2913 			nla_nest_end(msg, attr);
2914 		}
2915 
2916 		state->split_start++;
2917 		break;
2918 	case 10:
2919 		if (nl80211_send_coalesce(msg, rdev))
2920 			goto nla_put_failure;
2921 
2922 		if ((rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_5_10_MHZ) &&
2923 		    (nla_put_flag(msg, NL80211_ATTR_SUPPORT_5_MHZ) ||
2924 		     nla_put_flag(msg, NL80211_ATTR_SUPPORT_10_MHZ)))
2925 			goto nla_put_failure;
2926 
2927 		if (rdev->wiphy.max_ap_assoc_sta &&
2928 		    nla_put_u32(msg, NL80211_ATTR_MAX_AP_ASSOC_STA,
2929 				rdev->wiphy.max_ap_assoc_sta))
2930 			goto nla_put_failure;
2931 
2932 		state->split_start++;
2933 		break;
2934 	case 11:
2935 		if (rdev->wiphy.n_vendor_commands) {
2936 			const struct nl80211_vendor_cmd_info *info;
2937 			struct nlattr *nested;
2938 
2939 			nested = nla_nest_start_noflag(msg,
2940 						       NL80211_ATTR_VENDOR_DATA);
2941 			if (!nested)
2942 				goto nla_put_failure;
2943 
2944 			for (i = 0; i < rdev->wiphy.n_vendor_commands; i++) {
2945 				info = &rdev->wiphy.vendor_commands[i].info;
2946 				if (nla_put(msg, i + 1, sizeof(*info), info))
2947 					goto nla_put_failure;
2948 			}
2949 			nla_nest_end(msg, nested);
2950 		}
2951 
2952 		if (rdev->wiphy.n_vendor_events) {
2953 			const struct nl80211_vendor_cmd_info *info;
2954 			struct nlattr *nested;
2955 
2956 			nested = nla_nest_start_noflag(msg,
2957 						       NL80211_ATTR_VENDOR_EVENTS);
2958 			if (!nested)
2959 				goto nla_put_failure;
2960 
2961 			for (i = 0; i < rdev->wiphy.n_vendor_events; i++) {
2962 				info = &rdev->wiphy.vendor_events[i];
2963 				if (nla_put(msg, i + 1, sizeof(*info), info))
2964 					goto nla_put_failure;
2965 			}
2966 			nla_nest_end(msg, nested);
2967 		}
2968 		state->split_start++;
2969 		break;
2970 	case 12:
2971 		if (rdev->wiphy.flags & WIPHY_FLAG_HAS_CHANNEL_SWITCH &&
2972 		    nla_put_u8(msg, NL80211_ATTR_MAX_CSA_COUNTERS,
2973 			       rdev->wiphy.max_num_csa_counters))
2974 			goto nla_put_failure;
2975 
2976 		if (rdev->wiphy.regulatory_flags & REGULATORY_WIPHY_SELF_MANAGED &&
2977 		    nla_put_flag(msg, NL80211_ATTR_WIPHY_SELF_MANAGED_REG))
2978 			goto nla_put_failure;
2979 
2980 		if (rdev->wiphy.max_sched_scan_reqs &&
2981 		    nla_put_u32(msg, NL80211_ATTR_SCHED_SCAN_MAX_REQS,
2982 				rdev->wiphy.max_sched_scan_reqs))
2983 			goto nla_put_failure;
2984 
2985 		if (nla_put(msg, NL80211_ATTR_EXT_FEATURES,
2986 			    sizeof(rdev->wiphy.ext_features),
2987 			    rdev->wiphy.ext_features))
2988 			goto nla_put_failure;
2989 
2990 		if (rdev->wiphy.bss_select_support) {
2991 			struct nlattr *nested;
2992 			u32 bss_select_support = rdev->wiphy.bss_select_support;
2993 
2994 			nested = nla_nest_start_noflag(msg,
2995 						       NL80211_ATTR_BSS_SELECT);
2996 			if (!nested)
2997 				goto nla_put_failure;
2998 
2999 			i = 0;
3000 			while (bss_select_support) {
3001 				if ((bss_select_support & 1) &&
3002 				    nla_put_flag(msg, i))
3003 					goto nla_put_failure;
3004 				i++;
3005 				bss_select_support >>= 1;
3006 			}
3007 			nla_nest_end(msg, nested);
3008 		}
3009 
3010 		state->split_start++;
3011 		break;
3012 	case 13:
3013 		if (rdev->wiphy.num_iftype_ext_capab &&
3014 		    rdev->wiphy.iftype_ext_capab) {
3015 			struct nlattr *nested_ext_capab, *nested;
3016 
3017 			nested = nla_nest_start_noflag(msg,
3018 						       NL80211_ATTR_IFTYPE_EXT_CAPA);
3019 			if (!nested)
3020 				goto nla_put_failure;
3021 
3022 			for (i = state->capa_start;
3023 			     i < rdev->wiphy.num_iftype_ext_capab; i++) {
3024 				const struct wiphy_iftype_ext_capab *capab;
3025 
3026 				capab = &rdev->wiphy.iftype_ext_capab[i];
3027 
3028 				nested_ext_capab = nla_nest_start_noflag(msg,
3029 									 i);
3030 				if (!nested_ext_capab ||
3031 				    nla_put_u32(msg, NL80211_ATTR_IFTYPE,
3032 						capab->iftype) ||
3033 				    nla_put(msg, NL80211_ATTR_EXT_CAPA,
3034 					    capab->extended_capabilities_len,
3035 					    capab->extended_capabilities) ||
3036 				    nla_put(msg, NL80211_ATTR_EXT_CAPA_MASK,
3037 					    capab->extended_capabilities_len,
3038 					    capab->extended_capabilities_mask))
3039 					goto nla_put_failure;
3040 
3041 				if (rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_MLO &&
3042 				    (nla_put_u16(msg,
3043 						 NL80211_ATTR_EML_CAPABILITY,
3044 						 capab->eml_capabilities) ||
3045 				     nla_put_u16(msg,
3046 						 NL80211_ATTR_MLD_CAPA_AND_OPS,
3047 						 capab->mld_capa_and_ops)))
3048 					goto nla_put_failure;
3049 
3050 				nla_nest_end(msg, nested_ext_capab);
3051 				if (state->split)
3052 					break;
3053 			}
3054 			nla_nest_end(msg, nested);
3055 			if (i < rdev->wiphy.num_iftype_ext_capab) {
3056 				state->capa_start = i + 1;
3057 				break;
3058 			}
3059 		}
3060 
3061 		if (nla_put_u32(msg, NL80211_ATTR_BANDS,
3062 				rdev->wiphy.nan_supported_bands))
3063 			goto nla_put_failure;
3064 
3065 		if (wiphy_ext_feature_isset(&rdev->wiphy,
3066 					    NL80211_EXT_FEATURE_TXQS)) {
3067 			struct cfg80211_txq_stats txqstats = {};
3068 			int res;
3069 
3070 			res = rdev_get_txq_stats(rdev, NULL, &txqstats);
3071 			if (!res &&
3072 			    !nl80211_put_txq_stats(msg, &txqstats,
3073 						   NL80211_ATTR_TXQ_STATS))
3074 				goto nla_put_failure;
3075 
3076 			if (nla_put_u32(msg, NL80211_ATTR_TXQ_LIMIT,
3077 					rdev->wiphy.txq_limit))
3078 				goto nla_put_failure;
3079 			if (nla_put_u32(msg, NL80211_ATTR_TXQ_MEMORY_LIMIT,
3080 					rdev->wiphy.txq_memory_limit))
3081 				goto nla_put_failure;
3082 			if (nla_put_u32(msg, NL80211_ATTR_TXQ_QUANTUM,
3083 					rdev->wiphy.txq_quantum))
3084 				goto nla_put_failure;
3085 		}
3086 
3087 		state->split_start++;
3088 		break;
3089 	case 14:
3090 		if (nl80211_send_pmsr_capa(rdev, msg))
3091 			goto nla_put_failure;
3092 
3093 		state->split_start++;
3094 		break;
3095 	case 15:
3096 		if (rdev->wiphy.akm_suites &&
3097 		    nla_put(msg, NL80211_ATTR_AKM_SUITES,
3098 			    sizeof(u32) * rdev->wiphy.n_akm_suites,
3099 			    rdev->wiphy.akm_suites))
3100 			goto nla_put_failure;
3101 
3102 		if (nl80211_put_iftype_akm_suites(rdev, msg))
3103 			goto nla_put_failure;
3104 
3105 		if (nl80211_put_tid_config_support(rdev, msg))
3106 			goto nla_put_failure;
3107 		state->split_start++;
3108 		break;
3109 	case 16:
3110 		if (nl80211_put_sar_specs(rdev, msg))
3111 			goto nla_put_failure;
3112 
3113 		if (nl80211_put_mbssid_support(&rdev->wiphy, msg))
3114 			goto nla_put_failure;
3115 
3116 		if (nla_put_u16(msg, NL80211_ATTR_MAX_NUM_AKM_SUITES,
3117 				rdev->wiphy.max_num_akm_suites))
3118 			goto nla_put_failure;
3119 
3120 		if (rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_MLO)
3121 			nla_put_flag(msg, NL80211_ATTR_MLO_SUPPORT);
3122 
3123 		if (rdev->wiphy.hw_timestamp_max_peers &&
3124 		    nla_put_u16(msg, NL80211_ATTR_MAX_HW_TIMESTAMP_PEERS,
3125 				rdev->wiphy.hw_timestamp_max_peers))
3126 			goto nla_put_failure;
3127 
3128 		state->split_start++;
3129 		break;
3130 	case 17:
3131 		if (nl80211_put_radios(&rdev->wiphy, msg))
3132 			goto nla_put_failure;
3133 
3134 		/* done */
3135 		state->split_start = 0;
3136 		break;
3137 	}
3138  finish:
3139 	genlmsg_end(msg, hdr);
3140 	return 0;
3141 
3142  nla_put_failure:
3143 	genlmsg_cancel(msg, hdr);
3144 	return -EMSGSIZE;
3145 }
3146 
3147 static int nl80211_dump_wiphy_parse(struct sk_buff *skb,
3148 				    struct netlink_callback *cb,
3149 				    struct nl80211_dump_wiphy_state *state)
3150 {
3151 	struct nlattr **tb = kcalloc(NUM_NL80211_ATTR, sizeof(*tb), GFP_KERNEL);
3152 	int ret;
3153 
3154 	if (!tb)
3155 		return -ENOMEM;
3156 
3157 	ret = nlmsg_parse_deprecated(cb->nlh,
3158 				     GENL_HDRLEN + nl80211_fam.hdrsize,
3159 				     tb, nl80211_fam.maxattr,
3160 				     nl80211_policy, NULL);
3161 	/* ignore parse errors for backward compatibility */
3162 	if (ret) {
3163 		ret = 0;
3164 		goto out;
3165 	}
3166 
3167 	state->split = tb[NL80211_ATTR_SPLIT_WIPHY_DUMP];
3168 	if (tb[NL80211_ATTR_WIPHY])
3169 		state->filter_wiphy = nla_get_u32(tb[NL80211_ATTR_WIPHY]);
3170 	if (tb[NL80211_ATTR_WDEV])
3171 		state->filter_wiphy = nla_get_u64(tb[NL80211_ATTR_WDEV]) >> 32;
3172 	if (tb[NL80211_ATTR_IFINDEX]) {
3173 		struct net_device *netdev;
3174 		struct cfg80211_registered_device *rdev;
3175 		int ifidx = nla_get_u32(tb[NL80211_ATTR_IFINDEX]);
3176 
3177 		netdev = __dev_get_by_index(sock_net(skb->sk), ifidx);
3178 		if (!netdev) {
3179 			ret = -ENODEV;
3180 			goto out;
3181 		}
3182 		if (netdev->ieee80211_ptr) {
3183 			rdev = wiphy_to_rdev(
3184 				netdev->ieee80211_ptr->wiphy);
3185 			state->filter_wiphy = rdev->wiphy_idx;
3186 		}
3187 	}
3188 
3189 	ret = 0;
3190 out:
3191 	kfree(tb);
3192 	return ret;
3193 }
3194 
3195 static int nl80211_dump_wiphy(struct sk_buff *skb, struct netlink_callback *cb)
3196 {
3197 	int idx = 0, ret;
3198 	struct nl80211_dump_wiphy_state *state = (void *)cb->args[0];
3199 	struct cfg80211_registered_device *rdev;
3200 
3201 	rtnl_lock();
3202 	if (!state) {
3203 		state = kzalloc(sizeof(*state), GFP_KERNEL);
3204 		if (!state) {
3205 			rtnl_unlock();
3206 			return -ENOMEM;
3207 		}
3208 		state->filter_wiphy = -1;
3209 		ret = nl80211_dump_wiphy_parse(skb, cb, state);
3210 		if (ret) {
3211 			kfree(state);
3212 			rtnl_unlock();
3213 			return ret;
3214 		}
3215 		cb->args[0] = (long)state;
3216 	}
3217 
3218 	for_each_rdev(rdev) {
3219 		if (!net_eq(wiphy_net(&rdev->wiphy), sock_net(skb->sk)))
3220 			continue;
3221 		if (++idx <= state->start)
3222 			continue;
3223 		if (state->filter_wiphy != -1 &&
3224 		    state->filter_wiphy != rdev->wiphy_idx)
3225 			continue;
3226 		wiphy_lock(&rdev->wiphy);
3227 		/* attempt to fit multiple wiphy data chunks into the skb */
3228 		do {
3229 			ret = nl80211_send_wiphy(rdev, NL80211_CMD_NEW_WIPHY,
3230 						 skb,
3231 						 NETLINK_CB(cb->skb).portid,
3232 						 cb->nlh->nlmsg_seq,
3233 						 NLM_F_MULTI, state);
3234 			if (ret < 0) {
3235 				/*
3236 				 * If sending the wiphy data didn't fit (ENOBUFS
3237 				 * or EMSGSIZE returned), this SKB is still
3238 				 * empty (so it's not too big because another
3239 				 * wiphy dataset is already in the skb) and
3240 				 * we've not tried to adjust the dump allocation
3241 				 * yet ... then adjust the alloc size to be
3242 				 * bigger, and return 1 but with the empty skb.
3243 				 * This results in an empty message being RX'ed
3244 				 * in userspace, but that is ignored.
3245 				 *
3246 				 * We can then retry with the larger buffer.
3247 				 */
3248 				if ((ret == -ENOBUFS || ret == -EMSGSIZE) &&
3249 				    !skb->len && !state->split &&
3250 				    cb->min_dump_alloc < 4096) {
3251 					cb->min_dump_alloc = 4096;
3252 					state->split_start = 0;
3253 					wiphy_unlock(&rdev->wiphy);
3254 					rtnl_unlock();
3255 					return 1;
3256 				}
3257 				idx--;
3258 				break;
3259 			}
3260 		} while (state->split_start > 0);
3261 		wiphy_unlock(&rdev->wiphy);
3262 		break;
3263 	}
3264 	rtnl_unlock();
3265 
3266 	state->start = idx;
3267 
3268 	return skb->len;
3269 }
3270 
3271 static int nl80211_dump_wiphy_done(struct netlink_callback *cb)
3272 {
3273 	kfree((void *)cb->args[0]);
3274 	return 0;
3275 }
3276 
3277 static int nl80211_get_wiphy(struct sk_buff *skb, struct genl_info *info)
3278 {
3279 	struct sk_buff *msg;
3280 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
3281 	struct nl80211_dump_wiphy_state state = {};
3282 
3283 	msg = nlmsg_new(4096, GFP_KERNEL);
3284 	if (!msg)
3285 		return -ENOMEM;
3286 
3287 	if (nl80211_send_wiphy(rdev, NL80211_CMD_NEW_WIPHY, msg,
3288 			       info->snd_portid, info->snd_seq, 0,
3289 			       &state) < 0) {
3290 		nlmsg_free(msg);
3291 		return -ENOBUFS;
3292 	}
3293 
3294 	return genlmsg_reply(msg, info);
3295 }
3296 
3297 static const struct nla_policy txq_params_policy[NL80211_TXQ_ATTR_MAX + 1] = {
3298 	[NL80211_TXQ_ATTR_QUEUE]		= { .type = NLA_U8 },
3299 	[NL80211_TXQ_ATTR_TXOP]			= { .type = NLA_U16 },
3300 	[NL80211_TXQ_ATTR_CWMIN]		= { .type = NLA_U16 },
3301 	[NL80211_TXQ_ATTR_CWMAX]		= { .type = NLA_U16 },
3302 	[NL80211_TXQ_ATTR_AIFS]			= { .type = NLA_U8 },
3303 };
3304 
3305 static int parse_txq_params(struct nlattr *tb[],
3306 			    struct ieee80211_txq_params *txq_params)
3307 {
3308 	u8 ac;
3309 
3310 	if (!tb[NL80211_TXQ_ATTR_AC] || !tb[NL80211_TXQ_ATTR_TXOP] ||
3311 	    !tb[NL80211_TXQ_ATTR_CWMIN] || !tb[NL80211_TXQ_ATTR_CWMAX] ||
3312 	    !tb[NL80211_TXQ_ATTR_AIFS])
3313 		return -EINVAL;
3314 
3315 	ac = nla_get_u8(tb[NL80211_TXQ_ATTR_AC]);
3316 	txq_params->txop = nla_get_u16(tb[NL80211_TXQ_ATTR_TXOP]);
3317 	txq_params->cwmin = nla_get_u16(tb[NL80211_TXQ_ATTR_CWMIN]);
3318 	txq_params->cwmax = nla_get_u16(tb[NL80211_TXQ_ATTR_CWMAX]);
3319 	txq_params->aifs = nla_get_u8(tb[NL80211_TXQ_ATTR_AIFS]);
3320 
3321 	if (ac >= NL80211_NUM_ACS)
3322 		return -EINVAL;
3323 	txq_params->ac = array_index_nospec(ac, NL80211_NUM_ACS);
3324 	return 0;
3325 }
3326 
3327 static bool nl80211_can_set_dev_channel(struct wireless_dev *wdev)
3328 {
3329 	/*
3330 	 * You can only set the channel explicitly for some interfaces,
3331 	 * most have their channel managed via their respective
3332 	 * "establish a connection" command (connect, join, ...)
3333 	 *
3334 	 * For AP/GO and mesh mode, the channel can be set with the
3335 	 * channel userspace API, but is only stored and passed to the
3336 	 * low-level driver when the AP starts or the mesh is joined.
3337 	 * This is for backward compatibility, userspace can also give
3338 	 * the channel in the start-ap or join-mesh commands instead.
3339 	 *
3340 	 * Monitors are special as they are normally slaved to
3341 	 * whatever else is going on, so they have their own special
3342 	 * operation to set the monitor channel if possible.
3343 	 */
3344 	return !wdev ||
3345 		wdev->iftype == NL80211_IFTYPE_AP ||
3346 		wdev->iftype == NL80211_IFTYPE_MESH_POINT ||
3347 		wdev->iftype == NL80211_IFTYPE_MONITOR ||
3348 		wdev->iftype == NL80211_IFTYPE_P2P_GO;
3349 }
3350 
3351 static int _nl80211_parse_chandef(struct cfg80211_registered_device *rdev,
3352 				  struct genl_info *info, bool monitor,
3353 				  struct cfg80211_chan_def *chandef)
3354 {
3355 	struct netlink_ext_ack *extack = info->extack;
3356 	struct nlattr **attrs = info->attrs;
3357 	u32 control_freq;
3358 
3359 	if (!attrs[NL80211_ATTR_WIPHY_FREQ]) {
3360 		NL_SET_ERR_MSG_ATTR(extack, attrs[NL80211_ATTR_WIPHY_FREQ],
3361 				    "Frequency is missing");
3362 		return -EINVAL;
3363 	}
3364 
3365 	control_freq = MHZ_TO_KHZ(
3366 			nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ]));
3367 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET])
3368 		control_freq +=
3369 		    nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET]);
3370 
3371 	memset(chandef, 0, sizeof(*chandef));
3372 	chandef->chan = ieee80211_get_channel_khz(&rdev->wiphy, control_freq);
3373 	chandef->width = NL80211_CHAN_WIDTH_20_NOHT;
3374 	chandef->center_freq1 = KHZ_TO_MHZ(control_freq);
3375 	chandef->freq1_offset = control_freq % 1000;
3376 	chandef->center_freq2 = 0;
3377 
3378 	if (!chandef->chan) {
3379 		NL_SET_ERR_MSG_ATTR(extack, attrs[NL80211_ATTR_WIPHY_FREQ],
3380 				    "Unknown channel");
3381 		return -EINVAL;
3382 	}
3383 
3384 	if (attrs[NL80211_ATTR_WIPHY_CHANNEL_TYPE]) {
3385 		enum nl80211_channel_type chantype;
3386 
3387 		chantype = nla_get_u32(attrs[NL80211_ATTR_WIPHY_CHANNEL_TYPE]);
3388 
3389 		switch (chantype) {
3390 		case NL80211_CHAN_NO_HT:
3391 		case NL80211_CHAN_HT20:
3392 		case NL80211_CHAN_HT40PLUS:
3393 		case NL80211_CHAN_HT40MINUS:
3394 			cfg80211_chandef_create(chandef, chandef->chan,
3395 						chantype);
3396 			/* user input for center_freq is incorrect */
3397 			if (attrs[NL80211_ATTR_CENTER_FREQ1] &&
3398 			    chandef->center_freq1 != nla_get_u32(attrs[NL80211_ATTR_CENTER_FREQ1])) {
3399 				NL_SET_ERR_MSG_ATTR(extack,
3400 						    attrs[NL80211_ATTR_CENTER_FREQ1],
3401 						    "bad center frequency 1");
3402 				return -EINVAL;
3403 			}
3404 			/* center_freq2 must be zero */
3405 			if (attrs[NL80211_ATTR_CENTER_FREQ2] &&
3406 			    nla_get_u32(attrs[NL80211_ATTR_CENTER_FREQ2])) {
3407 				NL_SET_ERR_MSG_ATTR(extack,
3408 						    attrs[NL80211_ATTR_CENTER_FREQ2],
3409 						    "center frequency 2 can't be used");
3410 				return -EINVAL;
3411 			}
3412 			break;
3413 		default:
3414 			NL_SET_ERR_MSG_ATTR(extack,
3415 					    attrs[NL80211_ATTR_WIPHY_CHANNEL_TYPE],
3416 					    "invalid channel type");
3417 			return -EINVAL;
3418 		}
3419 	} else if (attrs[NL80211_ATTR_CHANNEL_WIDTH]) {
3420 		chandef->width =
3421 			nla_get_u32(attrs[NL80211_ATTR_CHANNEL_WIDTH]);
3422 		if (chandef->chan->band == NL80211_BAND_S1GHZ) {
3423 			/* User input error for channel width doesn't match channel  */
3424 			if (chandef->width != ieee80211_s1g_channel_width(chandef->chan)) {
3425 				NL_SET_ERR_MSG_ATTR(extack,
3426 						    attrs[NL80211_ATTR_CHANNEL_WIDTH],
3427 						    "bad channel width");
3428 				return -EINVAL;
3429 			}
3430 		}
3431 		if (attrs[NL80211_ATTR_CENTER_FREQ1]) {
3432 			chandef->center_freq1 =
3433 				nla_get_u32(attrs[NL80211_ATTR_CENTER_FREQ1]);
3434 			chandef->freq1_offset =
3435 				nla_get_u32_default(attrs[NL80211_ATTR_CENTER_FREQ1_OFFSET],
3436 						    0);
3437 		}
3438 		if (attrs[NL80211_ATTR_CENTER_FREQ2])
3439 			chandef->center_freq2 =
3440 				nla_get_u32(attrs[NL80211_ATTR_CENTER_FREQ2]);
3441 	}
3442 
3443 	if (info->attrs[NL80211_ATTR_WIPHY_EDMG_CHANNELS]) {
3444 		chandef->edmg.channels =
3445 		      nla_get_u8(info->attrs[NL80211_ATTR_WIPHY_EDMG_CHANNELS]);
3446 
3447 		if (info->attrs[NL80211_ATTR_WIPHY_EDMG_BW_CONFIG])
3448 			chandef->edmg.bw_config =
3449 		     nla_get_u8(info->attrs[NL80211_ATTR_WIPHY_EDMG_BW_CONFIG]);
3450 	} else {
3451 		chandef->edmg.bw_config = 0;
3452 		chandef->edmg.channels = 0;
3453 	}
3454 
3455 	if (info->attrs[NL80211_ATTR_PUNCT_BITMAP]) {
3456 		chandef->punctured =
3457 			nla_get_u32(info->attrs[NL80211_ATTR_PUNCT_BITMAP]);
3458 
3459 		if (chandef->punctured &&
3460 		    !wiphy_ext_feature_isset(&rdev->wiphy,
3461 					     NL80211_EXT_FEATURE_PUNCT)) {
3462 			NL_SET_ERR_MSG(extack,
3463 				       "driver doesn't support puncturing");
3464 			return -EINVAL;
3465 		}
3466 	}
3467 
3468 	if (!cfg80211_chandef_valid(chandef)) {
3469 		NL_SET_ERR_MSG(extack, "invalid channel definition");
3470 		return -EINVAL;
3471 	}
3472 
3473 	if (!_cfg80211_chandef_usable(&rdev->wiphy, chandef,
3474 				      IEEE80211_CHAN_DISABLED,
3475 				      monitor ? IEEE80211_CHAN_CAN_MONITOR : 0)) {
3476 		NL_SET_ERR_MSG(extack, "(extension) channel is disabled");
3477 		return -EINVAL;
3478 	}
3479 
3480 	if ((chandef->width == NL80211_CHAN_WIDTH_5 ||
3481 	     chandef->width == NL80211_CHAN_WIDTH_10) &&
3482 	    !(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_5_10_MHZ)) {
3483 		NL_SET_ERR_MSG(extack, "5/10 MHz not supported");
3484 		return -EINVAL;
3485 	}
3486 
3487 	return 0;
3488 }
3489 
3490 int nl80211_parse_chandef(struct cfg80211_registered_device *rdev,
3491 			  struct genl_info *info,
3492 			  struct cfg80211_chan_def *chandef)
3493 {
3494 	return _nl80211_parse_chandef(rdev, info, false, chandef);
3495 }
3496 
3497 static int __nl80211_set_channel(struct cfg80211_registered_device *rdev,
3498 				 struct net_device *dev,
3499 				 struct genl_info *info,
3500 				 int _link_id)
3501 {
3502 	struct cfg80211_chan_def chandef;
3503 	int result;
3504 	enum nl80211_iftype iftype = NL80211_IFTYPE_MONITOR;
3505 	struct wireless_dev *wdev = NULL;
3506 	int link_id = _link_id;
3507 
3508 	if (dev)
3509 		wdev = dev->ieee80211_ptr;
3510 	if (!nl80211_can_set_dev_channel(wdev))
3511 		return -EOPNOTSUPP;
3512 	if (wdev)
3513 		iftype = wdev->iftype;
3514 
3515 	if (link_id < 0) {
3516 		if (wdev && wdev->valid_links)
3517 			return -EINVAL;
3518 		link_id = 0;
3519 	}
3520 
3521 	result = _nl80211_parse_chandef(rdev, info,
3522 					iftype == NL80211_IFTYPE_MONITOR,
3523 					&chandef);
3524 	if (result)
3525 		return result;
3526 
3527 	switch (iftype) {
3528 	case NL80211_IFTYPE_AP:
3529 	case NL80211_IFTYPE_P2P_GO:
3530 		if (!cfg80211_reg_can_beacon_relax(&rdev->wiphy, &chandef,
3531 						   iftype))
3532 			return -EINVAL;
3533 		if (wdev->links[link_id].ap.beacon_interval) {
3534 			struct ieee80211_channel *cur_chan;
3535 
3536 			if (!dev || !rdev->ops->set_ap_chanwidth ||
3537 			    !(rdev->wiphy.features &
3538 			      NL80211_FEATURE_AP_MODE_CHAN_WIDTH_CHANGE))
3539 				return -EBUSY;
3540 
3541 			/* Only allow dynamic channel width changes */
3542 			cur_chan = wdev->links[link_id].ap.chandef.chan;
3543 			if (chandef.chan != cur_chan)
3544 				return -EBUSY;
3545 
3546 			/* only allow this for regular channel widths */
3547 			switch (wdev->links[link_id].ap.chandef.width) {
3548 			case NL80211_CHAN_WIDTH_20_NOHT:
3549 			case NL80211_CHAN_WIDTH_20:
3550 			case NL80211_CHAN_WIDTH_40:
3551 			case NL80211_CHAN_WIDTH_80:
3552 			case NL80211_CHAN_WIDTH_80P80:
3553 			case NL80211_CHAN_WIDTH_160:
3554 			case NL80211_CHAN_WIDTH_320:
3555 				break;
3556 			default:
3557 				return -EINVAL;
3558 			}
3559 
3560 			switch (chandef.width) {
3561 			case NL80211_CHAN_WIDTH_20_NOHT:
3562 			case NL80211_CHAN_WIDTH_20:
3563 			case NL80211_CHAN_WIDTH_40:
3564 			case NL80211_CHAN_WIDTH_80:
3565 			case NL80211_CHAN_WIDTH_80P80:
3566 			case NL80211_CHAN_WIDTH_160:
3567 			case NL80211_CHAN_WIDTH_320:
3568 				break;
3569 			default:
3570 				return -EINVAL;
3571 			}
3572 
3573 			result = rdev_set_ap_chanwidth(rdev, dev, link_id,
3574 						       &chandef);
3575 			if (result)
3576 				return result;
3577 			wdev->links[link_id].ap.chandef = chandef;
3578 		} else {
3579 			wdev->u.ap.preset_chandef = chandef;
3580 		}
3581 		return 0;
3582 	case NL80211_IFTYPE_MESH_POINT:
3583 		return cfg80211_set_mesh_channel(rdev, wdev, &chandef);
3584 	case NL80211_IFTYPE_MONITOR:
3585 		return cfg80211_set_monitor_channel(rdev, dev, &chandef);
3586 	default:
3587 		break;
3588 	}
3589 
3590 	return -EINVAL;
3591 }
3592 
3593 static int nl80211_set_channel(struct sk_buff *skb, struct genl_info *info)
3594 {
3595 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
3596 	int link_id = nl80211_link_id_or_invalid(info->attrs);
3597 	struct net_device *netdev = info->user_ptr[1];
3598 
3599 	return __nl80211_set_channel(rdev, netdev, info, link_id);
3600 }
3601 
3602 static int nl80211_set_wiphy(struct sk_buff *skb, struct genl_info *info)
3603 {
3604 	struct cfg80211_registered_device *rdev = NULL;
3605 	struct net_device *netdev = NULL;
3606 	struct wireless_dev *wdev;
3607 	int result = 0, rem_txq_params = 0;
3608 	struct nlattr *nl_txq_params;
3609 	u32 changed;
3610 	u8 retry_short = 0, retry_long = 0;
3611 	u32 frag_threshold = 0, rts_threshold = 0;
3612 	u8 coverage_class = 0;
3613 	u32 txq_limit = 0, txq_memory_limit = 0, txq_quantum = 0;
3614 
3615 	rtnl_lock();
3616 	/*
3617 	 * Try to find the wiphy and netdev. Normally this
3618 	 * function shouldn't need the netdev, but this is
3619 	 * done for backward compatibility -- previously
3620 	 * setting the channel was done per wiphy, but now
3621 	 * it is per netdev. Previous userland like hostapd
3622 	 * also passed a netdev to set_wiphy, so that it is
3623 	 * possible to let that go to the right netdev!
3624 	 */
3625 
3626 	if (info->attrs[NL80211_ATTR_IFINDEX]) {
3627 		int ifindex = nla_get_u32(info->attrs[NL80211_ATTR_IFINDEX]);
3628 
3629 		netdev = __dev_get_by_index(genl_info_net(info), ifindex);
3630 		if (netdev && netdev->ieee80211_ptr)
3631 			rdev = wiphy_to_rdev(netdev->ieee80211_ptr->wiphy);
3632 		else
3633 			netdev = NULL;
3634 	}
3635 
3636 	if (!netdev) {
3637 		rdev = __cfg80211_rdev_from_attrs(genl_info_net(info),
3638 						  info->attrs);
3639 		if (IS_ERR(rdev)) {
3640 			rtnl_unlock();
3641 			return PTR_ERR(rdev);
3642 		}
3643 		wdev = NULL;
3644 		netdev = NULL;
3645 		result = 0;
3646 	} else
3647 		wdev = netdev->ieee80211_ptr;
3648 
3649 	guard(wiphy)(&rdev->wiphy);
3650 
3651 	/*
3652 	 * end workaround code, by now the rdev is available
3653 	 * and locked, and wdev may or may not be NULL.
3654 	 */
3655 
3656 	if (info->attrs[NL80211_ATTR_WIPHY_NAME])
3657 		result = cfg80211_dev_rename(
3658 			rdev, nla_data(info->attrs[NL80211_ATTR_WIPHY_NAME]));
3659 	rtnl_unlock();
3660 
3661 	if (result)
3662 		return result;
3663 
3664 	if (info->attrs[NL80211_ATTR_WIPHY_TXQ_PARAMS]) {
3665 		struct ieee80211_txq_params txq_params;
3666 		struct nlattr *tb[NL80211_TXQ_ATTR_MAX + 1];
3667 
3668 		if (!rdev->ops->set_txq_params)
3669 			return -EOPNOTSUPP;
3670 
3671 		if (!netdev)
3672 			return -EINVAL;
3673 
3674 		if (netdev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
3675 		    netdev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
3676 			return -EINVAL;
3677 
3678 		if (!netif_running(netdev))
3679 			return -ENETDOWN;
3680 
3681 		nla_for_each_nested(nl_txq_params,
3682 				    info->attrs[NL80211_ATTR_WIPHY_TXQ_PARAMS],
3683 				    rem_txq_params) {
3684 			result = nla_parse_nested_deprecated(tb,
3685 							     NL80211_TXQ_ATTR_MAX,
3686 							     nl_txq_params,
3687 							     txq_params_policy,
3688 							     info->extack);
3689 			if (result)
3690 				return result;
3691 
3692 			result = parse_txq_params(tb, &txq_params);
3693 			if (result)
3694 				return result;
3695 
3696 			txq_params.link_id =
3697 				nl80211_link_id_or_invalid(info->attrs);
3698 
3699 			if (txq_params.link_id >= 0 &&
3700 			    !(netdev->ieee80211_ptr->valid_links &
3701 			      BIT(txq_params.link_id)))
3702 				result = -ENOLINK;
3703 			else if (txq_params.link_id >= 0 &&
3704 				 !netdev->ieee80211_ptr->valid_links)
3705 				result = -EINVAL;
3706 			else
3707 				result = rdev_set_txq_params(rdev, netdev,
3708 							     &txq_params);
3709 			if (result)
3710 				return result;
3711 		}
3712 	}
3713 
3714 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
3715 		int link_id = nl80211_link_id_or_invalid(info->attrs);
3716 
3717 		if (wdev) {
3718 			result = __nl80211_set_channel(
3719 				rdev,
3720 				nl80211_can_set_dev_channel(wdev) ? netdev : NULL,
3721 				info, link_id);
3722 		} else {
3723 			result = __nl80211_set_channel(rdev, netdev, info, link_id);
3724 		}
3725 
3726 		if (result)
3727 			return result;
3728 	}
3729 
3730 	if (info->attrs[NL80211_ATTR_WIPHY_TX_POWER_SETTING]) {
3731 		struct wireless_dev *txp_wdev = wdev;
3732 		enum nl80211_tx_power_setting type;
3733 		int idx, mbm = 0;
3734 
3735 		if (!(rdev->wiphy.features & NL80211_FEATURE_VIF_TXPOWER))
3736 			txp_wdev = NULL;
3737 
3738 		if (!rdev->ops->set_tx_power)
3739 			return -EOPNOTSUPP;
3740 
3741 		idx = NL80211_ATTR_WIPHY_TX_POWER_SETTING;
3742 		type = nla_get_u32(info->attrs[idx]);
3743 
3744 		if (!info->attrs[NL80211_ATTR_WIPHY_TX_POWER_LEVEL] &&
3745 		    (type != NL80211_TX_POWER_AUTOMATIC))
3746 			return -EINVAL;
3747 
3748 		if (type != NL80211_TX_POWER_AUTOMATIC) {
3749 			idx = NL80211_ATTR_WIPHY_TX_POWER_LEVEL;
3750 			mbm = nla_get_u32(info->attrs[idx]);
3751 		}
3752 
3753 		result = rdev_set_tx_power(rdev, txp_wdev, type, mbm);
3754 		if (result)
3755 			return result;
3756 	}
3757 
3758 	if (info->attrs[NL80211_ATTR_WIPHY_ANTENNA_TX] &&
3759 	    info->attrs[NL80211_ATTR_WIPHY_ANTENNA_RX]) {
3760 		u32 tx_ant, rx_ant;
3761 
3762 		if ((!rdev->wiphy.available_antennas_tx &&
3763 		     !rdev->wiphy.available_antennas_rx) ||
3764 		    !rdev->ops->set_antenna)
3765 			return -EOPNOTSUPP;
3766 
3767 		tx_ant = nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_ANTENNA_TX]);
3768 		rx_ant = nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_ANTENNA_RX]);
3769 
3770 		/* reject antenna configurations which don't match the
3771 		 * available antenna masks, except for the "all" mask */
3772 		if ((~tx_ant && (tx_ant & ~rdev->wiphy.available_antennas_tx)) ||
3773 		    (~rx_ant && (rx_ant & ~rdev->wiphy.available_antennas_rx)))
3774 			return -EINVAL;
3775 
3776 		tx_ant = tx_ant & rdev->wiphy.available_antennas_tx;
3777 		rx_ant = rx_ant & rdev->wiphy.available_antennas_rx;
3778 
3779 		result = rdev_set_antenna(rdev, tx_ant, rx_ant);
3780 		if (result)
3781 			return result;
3782 	}
3783 
3784 	changed = 0;
3785 
3786 	if (info->attrs[NL80211_ATTR_WIPHY_RETRY_SHORT]) {
3787 		retry_short = nla_get_u8(
3788 			info->attrs[NL80211_ATTR_WIPHY_RETRY_SHORT]);
3789 
3790 		changed |= WIPHY_PARAM_RETRY_SHORT;
3791 	}
3792 
3793 	if (info->attrs[NL80211_ATTR_WIPHY_RETRY_LONG]) {
3794 		retry_long = nla_get_u8(
3795 			info->attrs[NL80211_ATTR_WIPHY_RETRY_LONG]);
3796 
3797 		changed |= WIPHY_PARAM_RETRY_LONG;
3798 	}
3799 
3800 	if (info->attrs[NL80211_ATTR_WIPHY_FRAG_THRESHOLD]) {
3801 		frag_threshold = nla_get_u32(
3802 			info->attrs[NL80211_ATTR_WIPHY_FRAG_THRESHOLD]);
3803 		if (frag_threshold < 256)
3804 			return -EINVAL;
3805 
3806 		if (frag_threshold != (u32) -1) {
3807 			/*
3808 			 * Fragments (apart from the last one) are required to
3809 			 * have even length. Make the fragmentation code
3810 			 * simpler by stripping LSB should someone try to use
3811 			 * odd threshold value.
3812 			 */
3813 			frag_threshold &= ~0x1;
3814 		}
3815 		changed |= WIPHY_PARAM_FRAG_THRESHOLD;
3816 	}
3817 
3818 	if (info->attrs[NL80211_ATTR_WIPHY_RTS_THRESHOLD]) {
3819 		rts_threshold = nla_get_u32(
3820 			info->attrs[NL80211_ATTR_WIPHY_RTS_THRESHOLD]);
3821 		changed |= WIPHY_PARAM_RTS_THRESHOLD;
3822 	}
3823 
3824 	if (info->attrs[NL80211_ATTR_WIPHY_COVERAGE_CLASS]) {
3825 		if (info->attrs[NL80211_ATTR_WIPHY_DYN_ACK])
3826 			return -EINVAL;
3827 
3828 		coverage_class = nla_get_u8(
3829 			info->attrs[NL80211_ATTR_WIPHY_COVERAGE_CLASS]);
3830 		changed |= WIPHY_PARAM_COVERAGE_CLASS;
3831 	}
3832 
3833 	if (info->attrs[NL80211_ATTR_WIPHY_DYN_ACK]) {
3834 		if (!(rdev->wiphy.features & NL80211_FEATURE_ACKTO_ESTIMATION))
3835 			return -EOPNOTSUPP;
3836 
3837 		changed |= WIPHY_PARAM_DYN_ACK;
3838 	}
3839 
3840 	if (info->attrs[NL80211_ATTR_TXQ_LIMIT]) {
3841 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
3842 					     NL80211_EXT_FEATURE_TXQS))
3843 			return -EOPNOTSUPP;
3844 
3845 		txq_limit = nla_get_u32(
3846 			info->attrs[NL80211_ATTR_TXQ_LIMIT]);
3847 		changed |= WIPHY_PARAM_TXQ_LIMIT;
3848 	}
3849 
3850 	if (info->attrs[NL80211_ATTR_TXQ_MEMORY_LIMIT]) {
3851 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
3852 					     NL80211_EXT_FEATURE_TXQS))
3853 			return -EOPNOTSUPP;
3854 
3855 		txq_memory_limit = nla_get_u32(
3856 			info->attrs[NL80211_ATTR_TXQ_MEMORY_LIMIT]);
3857 		changed |= WIPHY_PARAM_TXQ_MEMORY_LIMIT;
3858 	}
3859 
3860 	if (info->attrs[NL80211_ATTR_TXQ_QUANTUM]) {
3861 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
3862 					     NL80211_EXT_FEATURE_TXQS))
3863 			return -EOPNOTSUPP;
3864 
3865 		txq_quantum = nla_get_u32(
3866 			info->attrs[NL80211_ATTR_TXQ_QUANTUM]);
3867 		changed |= WIPHY_PARAM_TXQ_QUANTUM;
3868 	}
3869 
3870 	if (changed) {
3871 		u8 old_retry_short, old_retry_long;
3872 		u32 old_frag_threshold, old_rts_threshold;
3873 		u8 old_coverage_class;
3874 		u32 old_txq_limit, old_txq_memory_limit, old_txq_quantum;
3875 
3876 		if (!rdev->ops->set_wiphy_params)
3877 			return -EOPNOTSUPP;
3878 
3879 		old_retry_short = rdev->wiphy.retry_short;
3880 		old_retry_long = rdev->wiphy.retry_long;
3881 		old_frag_threshold = rdev->wiphy.frag_threshold;
3882 		old_rts_threshold = rdev->wiphy.rts_threshold;
3883 		old_coverage_class = rdev->wiphy.coverage_class;
3884 		old_txq_limit = rdev->wiphy.txq_limit;
3885 		old_txq_memory_limit = rdev->wiphy.txq_memory_limit;
3886 		old_txq_quantum = rdev->wiphy.txq_quantum;
3887 
3888 		if (changed & WIPHY_PARAM_RETRY_SHORT)
3889 			rdev->wiphy.retry_short = retry_short;
3890 		if (changed & WIPHY_PARAM_RETRY_LONG)
3891 			rdev->wiphy.retry_long = retry_long;
3892 		if (changed & WIPHY_PARAM_FRAG_THRESHOLD)
3893 			rdev->wiphy.frag_threshold = frag_threshold;
3894 		if (changed & WIPHY_PARAM_RTS_THRESHOLD)
3895 			rdev->wiphy.rts_threshold = rts_threshold;
3896 		if (changed & WIPHY_PARAM_COVERAGE_CLASS)
3897 			rdev->wiphy.coverage_class = coverage_class;
3898 		if (changed & WIPHY_PARAM_TXQ_LIMIT)
3899 			rdev->wiphy.txq_limit = txq_limit;
3900 		if (changed & WIPHY_PARAM_TXQ_MEMORY_LIMIT)
3901 			rdev->wiphy.txq_memory_limit = txq_memory_limit;
3902 		if (changed & WIPHY_PARAM_TXQ_QUANTUM)
3903 			rdev->wiphy.txq_quantum = txq_quantum;
3904 
3905 		result = rdev_set_wiphy_params(rdev, changed);
3906 		if (result) {
3907 			rdev->wiphy.retry_short = old_retry_short;
3908 			rdev->wiphy.retry_long = old_retry_long;
3909 			rdev->wiphy.frag_threshold = old_frag_threshold;
3910 			rdev->wiphy.rts_threshold = old_rts_threshold;
3911 			rdev->wiphy.coverage_class = old_coverage_class;
3912 			rdev->wiphy.txq_limit = old_txq_limit;
3913 			rdev->wiphy.txq_memory_limit = old_txq_memory_limit;
3914 			rdev->wiphy.txq_quantum = old_txq_quantum;
3915 			return result;
3916 		}
3917 	}
3918 
3919 	return 0;
3920 }
3921 
3922 int nl80211_send_chandef(struct sk_buff *msg, const struct cfg80211_chan_def *chandef)
3923 {
3924 	if (WARN_ON(!cfg80211_chandef_valid(chandef)))
3925 		return -EINVAL;
3926 
3927 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ,
3928 			chandef->chan->center_freq))
3929 		return -ENOBUFS;
3930 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ_OFFSET,
3931 			chandef->chan->freq_offset))
3932 		return -ENOBUFS;
3933 	switch (chandef->width) {
3934 	case NL80211_CHAN_WIDTH_20_NOHT:
3935 	case NL80211_CHAN_WIDTH_20:
3936 	case NL80211_CHAN_WIDTH_40:
3937 		if (nla_put_u32(msg, NL80211_ATTR_WIPHY_CHANNEL_TYPE,
3938 				cfg80211_get_chandef_type(chandef)))
3939 			return -ENOBUFS;
3940 		break;
3941 	default:
3942 		break;
3943 	}
3944 	if (nla_put_u32(msg, NL80211_ATTR_CHANNEL_WIDTH, chandef->width))
3945 		return -ENOBUFS;
3946 	if (nla_put_u32(msg, NL80211_ATTR_CENTER_FREQ1, chandef->center_freq1))
3947 		return -ENOBUFS;
3948 	if (chandef->center_freq2 &&
3949 	    nla_put_u32(msg, NL80211_ATTR_CENTER_FREQ2, chandef->center_freq2))
3950 		return -ENOBUFS;
3951 	if (chandef->punctured &&
3952 	    nla_put_u32(msg, NL80211_ATTR_PUNCT_BITMAP, chandef->punctured))
3953 		return -ENOBUFS;
3954 
3955 	return 0;
3956 }
3957 EXPORT_SYMBOL(nl80211_send_chandef);
3958 
3959 static int nl80211_send_iface(struct sk_buff *msg, u32 portid, u32 seq, int flags,
3960 			      struct cfg80211_registered_device *rdev,
3961 			      struct wireless_dev *wdev,
3962 			      enum nl80211_commands cmd)
3963 {
3964 	struct net_device *dev = wdev->netdev;
3965 	void *hdr;
3966 
3967 	lockdep_assert_wiphy(&rdev->wiphy);
3968 
3969 	WARN_ON(cmd != NL80211_CMD_NEW_INTERFACE &&
3970 		cmd != NL80211_CMD_DEL_INTERFACE &&
3971 		cmd != NL80211_CMD_SET_INTERFACE);
3972 
3973 	hdr = nl80211hdr_put(msg, portid, seq, flags, cmd);
3974 	if (!hdr)
3975 		return -1;
3976 
3977 	if (dev &&
3978 	    (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
3979 	     nla_put_string(msg, NL80211_ATTR_IFNAME, dev->name)))
3980 		goto nla_put_failure;
3981 
3982 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
3983 	    nla_put_u32(msg, NL80211_ATTR_IFTYPE, wdev->iftype) ||
3984 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
3985 			      NL80211_ATTR_PAD) ||
3986 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, wdev_address(wdev)) ||
3987 	    nla_put_u32(msg, NL80211_ATTR_GENERATION,
3988 			rdev->devlist_generation ^
3989 			(cfg80211_rdev_list_generation << 2)) ||
3990 	    nla_put_u8(msg, NL80211_ATTR_4ADDR, wdev->use_4addr) ||
3991 	    nla_put_u32(msg, NL80211_ATTR_VIF_RADIO_MASK, wdev->radio_mask))
3992 		goto nla_put_failure;
3993 
3994 	if (rdev->ops->get_channel && !wdev->valid_links) {
3995 		struct cfg80211_chan_def chandef = {};
3996 		int ret;
3997 
3998 		ret = rdev_get_channel(rdev, wdev, 0, &chandef);
3999 		if (ret == 0 && nl80211_send_chandef(msg, &chandef))
4000 			goto nla_put_failure;
4001 	}
4002 
4003 	if (rdev->ops->get_tx_power && !wdev->valid_links) {
4004 		int dbm, ret;
4005 
4006 		ret = rdev_get_tx_power(rdev, wdev, 0, &dbm);
4007 		if (ret == 0 &&
4008 		    nla_put_u32(msg, NL80211_ATTR_WIPHY_TX_POWER_LEVEL,
4009 				DBM_TO_MBM(dbm)))
4010 			goto nla_put_failure;
4011 	}
4012 
4013 	switch (wdev->iftype) {
4014 	case NL80211_IFTYPE_AP:
4015 	case NL80211_IFTYPE_P2P_GO:
4016 		if (wdev->u.ap.ssid_len &&
4017 		    nla_put(msg, NL80211_ATTR_SSID, wdev->u.ap.ssid_len,
4018 			    wdev->u.ap.ssid))
4019 			goto nla_put_failure;
4020 		break;
4021 	case NL80211_IFTYPE_STATION:
4022 	case NL80211_IFTYPE_P2P_CLIENT:
4023 		if (wdev->u.client.ssid_len &&
4024 		    nla_put(msg, NL80211_ATTR_SSID, wdev->u.client.ssid_len,
4025 			    wdev->u.client.ssid))
4026 			goto nla_put_failure;
4027 		break;
4028 	case NL80211_IFTYPE_ADHOC:
4029 		if (wdev->u.ibss.ssid_len &&
4030 		    nla_put(msg, NL80211_ATTR_SSID, wdev->u.ibss.ssid_len,
4031 			    wdev->u.ibss.ssid))
4032 			goto nla_put_failure;
4033 		break;
4034 	default:
4035 		/* nothing */
4036 		break;
4037 	}
4038 
4039 	if (rdev->ops->get_txq_stats) {
4040 		struct cfg80211_txq_stats txqstats = {};
4041 		int ret = rdev_get_txq_stats(rdev, wdev, &txqstats);
4042 
4043 		if (ret == 0 &&
4044 		    !nl80211_put_txq_stats(msg, &txqstats,
4045 					   NL80211_ATTR_TXQ_STATS))
4046 			goto nla_put_failure;
4047 	}
4048 
4049 	if (wdev->valid_links) {
4050 		unsigned int link_id;
4051 		struct nlattr *links = nla_nest_start(msg,
4052 						      NL80211_ATTR_MLO_LINKS);
4053 
4054 		if (!links)
4055 			goto nla_put_failure;
4056 
4057 		for_each_valid_link(wdev, link_id) {
4058 			struct nlattr *link = nla_nest_start(msg, link_id + 1);
4059 			struct cfg80211_chan_def chandef = {};
4060 			int ret;
4061 
4062 			if (!link)
4063 				goto nla_put_failure;
4064 
4065 			if (nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID, link_id))
4066 				goto nla_put_failure;
4067 			if (nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN,
4068 				    wdev->links[link_id].addr))
4069 				goto nla_put_failure;
4070 
4071 			ret = rdev_get_channel(rdev, wdev, link_id, &chandef);
4072 			if (ret == 0 && nl80211_send_chandef(msg, &chandef))
4073 				goto nla_put_failure;
4074 
4075 			if (rdev->ops->get_tx_power) {
4076 				int dbm, ret;
4077 
4078 				ret = rdev_get_tx_power(rdev, wdev, link_id, &dbm);
4079 				if (ret == 0 &&
4080 				    nla_put_u32(msg, NL80211_ATTR_WIPHY_TX_POWER_LEVEL,
4081 						DBM_TO_MBM(dbm)))
4082 					goto nla_put_failure;
4083 			}
4084 			nla_nest_end(msg, link);
4085 		}
4086 
4087 		nla_nest_end(msg, links);
4088 	}
4089 
4090 	genlmsg_end(msg, hdr);
4091 	return 0;
4092 
4093  nla_put_failure:
4094 	genlmsg_cancel(msg, hdr);
4095 	return -EMSGSIZE;
4096 }
4097 
4098 static int nl80211_dump_interface(struct sk_buff *skb, struct netlink_callback *cb)
4099 {
4100 	int wp_idx = 0;
4101 	int if_idx = 0;
4102 	int wp_start = cb->args[0];
4103 	int if_start = cb->args[1];
4104 	int filter_wiphy = -1;
4105 	struct cfg80211_registered_device *rdev;
4106 	struct wireless_dev *wdev;
4107 	int ret;
4108 
4109 	rtnl_lock();
4110 	if (!cb->args[2]) {
4111 		struct nl80211_dump_wiphy_state state = {
4112 			.filter_wiphy = -1,
4113 		};
4114 
4115 		ret = nl80211_dump_wiphy_parse(skb, cb, &state);
4116 		if (ret)
4117 			goto out_unlock;
4118 
4119 		filter_wiphy = state.filter_wiphy;
4120 
4121 		/*
4122 		 * if filtering, set cb->args[2] to +1 since 0 is the default
4123 		 * value needed to determine that parsing is necessary.
4124 		 */
4125 		if (filter_wiphy >= 0)
4126 			cb->args[2] = filter_wiphy + 1;
4127 		else
4128 			cb->args[2] = -1;
4129 	} else if (cb->args[2] > 0) {
4130 		filter_wiphy = cb->args[2] - 1;
4131 	}
4132 
4133 	for_each_rdev(rdev) {
4134 		if (!net_eq(wiphy_net(&rdev->wiphy), sock_net(skb->sk)))
4135 			continue;
4136 		if (wp_idx < wp_start) {
4137 			wp_idx++;
4138 			continue;
4139 		}
4140 
4141 		if (filter_wiphy >= 0 && filter_wiphy != rdev->wiphy_idx)
4142 			continue;
4143 
4144 		if_idx = 0;
4145 
4146 		guard(wiphy)(&rdev->wiphy);
4147 
4148 		list_for_each_entry(wdev, &rdev->wiphy.wdev_list, list) {
4149 			if (if_idx < if_start) {
4150 				if_idx++;
4151 				continue;
4152 			}
4153 
4154 			if (nl80211_send_iface(skb, NETLINK_CB(cb->skb).portid,
4155 					       cb->nlh->nlmsg_seq, NLM_F_MULTI,
4156 					       rdev, wdev,
4157 					       NL80211_CMD_NEW_INTERFACE) < 0)
4158 				goto out;
4159 
4160 			if_idx++;
4161 		}
4162 
4163 		if_start = 0;
4164 		wp_idx++;
4165 	}
4166  out:
4167 	cb->args[0] = wp_idx;
4168 	cb->args[1] = if_idx;
4169 
4170 	ret = skb->len;
4171  out_unlock:
4172 	rtnl_unlock();
4173 
4174 	return ret;
4175 }
4176 
4177 static int nl80211_get_interface(struct sk_buff *skb, struct genl_info *info)
4178 {
4179 	struct sk_buff *msg;
4180 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4181 	struct wireless_dev *wdev = info->user_ptr[1];
4182 
4183 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
4184 	if (!msg)
4185 		return -ENOMEM;
4186 
4187 	if (nl80211_send_iface(msg, info->snd_portid, info->snd_seq, 0,
4188 			       rdev, wdev, NL80211_CMD_NEW_INTERFACE) < 0) {
4189 		nlmsg_free(msg);
4190 		return -ENOBUFS;
4191 	}
4192 
4193 	return genlmsg_reply(msg, info);
4194 }
4195 
4196 static const struct nla_policy mntr_flags_policy[NL80211_MNTR_FLAG_MAX + 1] = {
4197 	[NL80211_MNTR_FLAG_FCSFAIL] = { .type = NLA_FLAG },
4198 	[NL80211_MNTR_FLAG_PLCPFAIL] = { .type = NLA_FLAG },
4199 	[NL80211_MNTR_FLAG_CONTROL] = { .type = NLA_FLAG },
4200 	[NL80211_MNTR_FLAG_OTHER_BSS] = { .type = NLA_FLAG },
4201 	[NL80211_MNTR_FLAG_COOK_FRAMES] = { .type = NLA_FLAG },
4202 	[NL80211_MNTR_FLAG_ACTIVE] = { .type = NLA_FLAG },
4203 	[NL80211_MNTR_FLAG_SKIP_TX] = { .type = NLA_FLAG },
4204 };
4205 
4206 static int parse_monitor_flags(struct nlattr *nla, u32 *mntrflags)
4207 {
4208 	struct nlattr *flags[NL80211_MNTR_FLAG_MAX + 1];
4209 	int flag;
4210 
4211 	*mntrflags = 0;
4212 
4213 	if (!nla)
4214 		return -EINVAL;
4215 
4216 	if (nla_parse_nested_deprecated(flags, NL80211_MNTR_FLAG_MAX, nla, mntr_flags_policy, NULL))
4217 		return -EINVAL;
4218 
4219 	for (flag = 1; flag <= NL80211_MNTR_FLAG_MAX; flag++)
4220 		if (flags[flag])
4221 			*mntrflags |= (1<<flag);
4222 
4223 	/* cooked monitor mode is incompatible with other modes */
4224 	if (*mntrflags & MONITOR_FLAG_COOK_FRAMES &&
4225 	    *mntrflags != MONITOR_FLAG_COOK_FRAMES)
4226 		return -EOPNOTSUPP;
4227 
4228 	*mntrflags |= MONITOR_FLAG_CHANGED;
4229 
4230 	return 0;
4231 }
4232 
4233 static int nl80211_parse_mon_options(struct cfg80211_registered_device *rdev,
4234 				     enum nl80211_iftype type,
4235 				     struct genl_info *info,
4236 				     struct vif_params *params)
4237 {
4238 	bool change = false;
4239 	int err;
4240 
4241 	if (info->attrs[NL80211_ATTR_MNTR_FLAGS]) {
4242 		if (type != NL80211_IFTYPE_MONITOR)
4243 			return -EINVAL;
4244 
4245 		err = parse_monitor_flags(info->attrs[NL80211_ATTR_MNTR_FLAGS],
4246 					  &params->flags);
4247 		if (err)
4248 			return err;
4249 
4250 		change = true;
4251 	}
4252 
4253 	/* MONITOR_FLAG_COOK_FRAMES is deprecated, refuse cooperation */
4254 	if (params->flags & MONITOR_FLAG_COOK_FRAMES)
4255 		return -EOPNOTSUPP;
4256 
4257 	if (params->flags & MONITOR_FLAG_ACTIVE &&
4258 	    !(rdev->wiphy.features & NL80211_FEATURE_ACTIVE_MONITOR))
4259 		return -EOPNOTSUPP;
4260 
4261 	if (info->attrs[NL80211_ATTR_MU_MIMO_GROUP_DATA]) {
4262 		const u8 *mumimo_groups;
4263 		u32 cap_flag = NL80211_EXT_FEATURE_MU_MIMO_AIR_SNIFFER;
4264 
4265 		if (type != NL80211_IFTYPE_MONITOR)
4266 			return -EINVAL;
4267 
4268 		if (!wiphy_ext_feature_isset(&rdev->wiphy, cap_flag))
4269 			return -EOPNOTSUPP;
4270 
4271 		mumimo_groups =
4272 			nla_data(info->attrs[NL80211_ATTR_MU_MIMO_GROUP_DATA]);
4273 
4274 		/* bits 0 and 63 are reserved and must be zero */
4275 		if ((mumimo_groups[0] & BIT(0)) ||
4276 		    (mumimo_groups[VHT_MUMIMO_GROUPS_DATA_LEN - 1] & BIT(7)))
4277 			return -EINVAL;
4278 
4279 		params->vht_mumimo_groups = mumimo_groups;
4280 		change = true;
4281 	}
4282 
4283 	if (info->attrs[NL80211_ATTR_MU_MIMO_FOLLOW_MAC_ADDR]) {
4284 		u32 cap_flag = NL80211_EXT_FEATURE_MU_MIMO_AIR_SNIFFER;
4285 
4286 		if (type != NL80211_IFTYPE_MONITOR)
4287 			return -EINVAL;
4288 
4289 		if (!wiphy_ext_feature_isset(&rdev->wiphy, cap_flag))
4290 			return -EOPNOTSUPP;
4291 
4292 		params->vht_mumimo_follow_addr =
4293 			nla_data(info->attrs[NL80211_ATTR_MU_MIMO_FOLLOW_MAC_ADDR]);
4294 		change = true;
4295 	}
4296 
4297 	return change ? 1 : 0;
4298 }
4299 
4300 static int nl80211_valid_4addr(struct cfg80211_registered_device *rdev,
4301 			       struct net_device *netdev, u8 use_4addr,
4302 			       enum nl80211_iftype iftype)
4303 {
4304 	if (!use_4addr) {
4305 		if (netdev && netif_is_bridge_port(netdev))
4306 			return -EBUSY;
4307 		return 0;
4308 	}
4309 
4310 	switch (iftype) {
4311 	case NL80211_IFTYPE_AP_VLAN:
4312 		if (rdev->wiphy.flags & WIPHY_FLAG_4ADDR_AP)
4313 			return 0;
4314 		break;
4315 	case NL80211_IFTYPE_STATION:
4316 		if (rdev->wiphy.flags & WIPHY_FLAG_4ADDR_STATION)
4317 			return 0;
4318 		break;
4319 	default:
4320 		break;
4321 	}
4322 
4323 	return -EOPNOTSUPP;
4324 }
4325 
4326 static int nl80211_parse_vif_radio_mask(struct genl_info *info,
4327 					u32 *radio_mask)
4328 {
4329 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4330 	struct nlattr *attr = info->attrs[NL80211_ATTR_VIF_RADIO_MASK];
4331 	u32 mask, allowed;
4332 
4333 	if (!attr) {
4334 		*radio_mask = 0;
4335 		return 0;
4336 	}
4337 
4338 	allowed = BIT(rdev->wiphy.n_radio) - 1;
4339 	mask = nla_get_u32(attr);
4340 	if (mask & ~allowed)
4341 		return -EINVAL;
4342 	if (!mask)
4343 		mask = allowed;
4344 	*radio_mask = mask;
4345 
4346 	return 1;
4347 }
4348 
4349 static int nl80211_set_interface(struct sk_buff *skb, struct genl_info *info)
4350 {
4351 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4352 	struct vif_params params;
4353 	int err;
4354 	enum nl80211_iftype otype, ntype;
4355 	struct net_device *dev = info->user_ptr[1];
4356 	struct wireless_dev *wdev = dev->ieee80211_ptr;
4357 	u32 radio_mask = 0;
4358 	bool change = false;
4359 
4360 	memset(&params, 0, sizeof(params));
4361 
4362 	otype = ntype = dev->ieee80211_ptr->iftype;
4363 
4364 	if (info->attrs[NL80211_ATTR_IFTYPE]) {
4365 		ntype = nla_get_u32(info->attrs[NL80211_ATTR_IFTYPE]);
4366 		if (otype != ntype)
4367 			change = true;
4368 	}
4369 
4370 	if (info->attrs[NL80211_ATTR_MESH_ID]) {
4371 		if (ntype != NL80211_IFTYPE_MESH_POINT)
4372 			return -EINVAL;
4373 		if (otype != NL80211_IFTYPE_MESH_POINT)
4374 			return -EINVAL;
4375 		if (netif_running(dev))
4376 			return -EBUSY;
4377 
4378 		wdev->u.mesh.id_up_len =
4379 			nla_len(info->attrs[NL80211_ATTR_MESH_ID]);
4380 		memcpy(wdev->u.mesh.id,
4381 		       nla_data(info->attrs[NL80211_ATTR_MESH_ID]),
4382 		       wdev->u.mesh.id_up_len);
4383 	}
4384 
4385 	if (info->attrs[NL80211_ATTR_4ADDR]) {
4386 		params.use_4addr = !!nla_get_u8(info->attrs[NL80211_ATTR_4ADDR]);
4387 		change = true;
4388 		err = nl80211_valid_4addr(rdev, dev, params.use_4addr, ntype);
4389 		if (err)
4390 			return err;
4391 	} else {
4392 		params.use_4addr = -1;
4393 	}
4394 
4395 	err = nl80211_parse_mon_options(rdev, ntype, info, &params);
4396 	if (err < 0)
4397 		return err;
4398 	if (err > 0)
4399 		change = true;
4400 
4401 	err = nl80211_parse_vif_radio_mask(info, &radio_mask);
4402 	if (err < 0)
4403 		return err;
4404 	if (err && netif_running(dev))
4405 		return -EBUSY;
4406 
4407 	if (change)
4408 		err = cfg80211_change_iface(rdev, dev, ntype, &params);
4409 	else
4410 		err = 0;
4411 
4412 	if (!err && params.use_4addr != -1)
4413 		dev->ieee80211_ptr->use_4addr = params.use_4addr;
4414 
4415 	if (radio_mask)
4416 		wdev->radio_mask = radio_mask;
4417 
4418 	if (change && !err)
4419 		nl80211_notify_iface(rdev, wdev, NL80211_CMD_SET_INTERFACE);
4420 
4421 	return err;
4422 }
4423 
4424 static int _nl80211_new_interface(struct sk_buff *skb, struct genl_info *info)
4425 {
4426 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4427 	struct vif_params params;
4428 	struct wireless_dev *wdev;
4429 	struct sk_buff *msg;
4430 	u32 radio_mask;
4431 	int err;
4432 	enum nl80211_iftype type = NL80211_IFTYPE_UNSPECIFIED;
4433 
4434 	memset(&params, 0, sizeof(params));
4435 
4436 	if (!info->attrs[NL80211_ATTR_IFNAME])
4437 		return -EINVAL;
4438 
4439 	if (info->attrs[NL80211_ATTR_IFTYPE])
4440 		type = nla_get_u32(info->attrs[NL80211_ATTR_IFTYPE]);
4441 
4442 	if (!rdev->ops->add_virtual_intf)
4443 		return -EOPNOTSUPP;
4444 
4445 	if ((type == NL80211_IFTYPE_P2P_DEVICE || type == NL80211_IFTYPE_NAN ||
4446 	     rdev->wiphy.features & NL80211_FEATURE_MAC_ON_CREATE) &&
4447 	    info->attrs[NL80211_ATTR_MAC]) {
4448 		nla_memcpy(params.macaddr, info->attrs[NL80211_ATTR_MAC],
4449 			   ETH_ALEN);
4450 		if (!is_valid_ether_addr(params.macaddr))
4451 			return -EADDRNOTAVAIL;
4452 	}
4453 
4454 	if (info->attrs[NL80211_ATTR_4ADDR]) {
4455 		params.use_4addr = !!nla_get_u8(info->attrs[NL80211_ATTR_4ADDR]);
4456 		err = nl80211_valid_4addr(rdev, NULL, params.use_4addr, type);
4457 		if (err)
4458 			return err;
4459 	}
4460 
4461 	if (!cfg80211_iftype_allowed(&rdev->wiphy, type, params.use_4addr, 0))
4462 		return -EOPNOTSUPP;
4463 
4464 	err = nl80211_parse_mon_options(rdev, type, info, &params);
4465 	if (err < 0)
4466 		return err;
4467 
4468 	err = nl80211_parse_vif_radio_mask(info, &radio_mask);
4469 	if (err < 0)
4470 		return err;
4471 
4472 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
4473 	if (!msg)
4474 		return -ENOMEM;
4475 
4476 	wdev = rdev_add_virtual_intf(rdev,
4477 				nla_data(info->attrs[NL80211_ATTR_IFNAME]),
4478 				NET_NAME_USER, type, &params);
4479 	if (WARN_ON(!wdev)) {
4480 		nlmsg_free(msg);
4481 		return -EPROTO;
4482 	} else if (IS_ERR(wdev)) {
4483 		nlmsg_free(msg);
4484 		return PTR_ERR(wdev);
4485 	}
4486 
4487 	if (info->attrs[NL80211_ATTR_SOCKET_OWNER])
4488 		wdev->owner_nlportid = info->snd_portid;
4489 
4490 	switch (type) {
4491 	case NL80211_IFTYPE_MESH_POINT:
4492 		if (!info->attrs[NL80211_ATTR_MESH_ID])
4493 			break;
4494 		wdev->u.mesh.id_up_len =
4495 			nla_len(info->attrs[NL80211_ATTR_MESH_ID]);
4496 		memcpy(wdev->u.mesh.id,
4497 		       nla_data(info->attrs[NL80211_ATTR_MESH_ID]),
4498 		       wdev->u.mesh.id_up_len);
4499 		break;
4500 	case NL80211_IFTYPE_NAN:
4501 	case NL80211_IFTYPE_P2P_DEVICE:
4502 		/*
4503 		 * P2P Device and NAN do not have a netdev, so don't go
4504 		 * through the netdev notifier and must be added here
4505 		 */
4506 		cfg80211_init_wdev(wdev);
4507 		cfg80211_register_wdev(rdev, wdev);
4508 		break;
4509 	default:
4510 		break;
4511 	}
4512 
4513 	if (radio_mask)
4514 		wdev->radio_mask = radio_mask;
4515 
4516 	if (nl80211_send_iface(msg, info->snd_portid, info->snd_seq, 0,
4517 			       rdev, wdev, NL80211_CMD_NEW_INTERFACE) < 0) {
4518 		nlmsg_free(msg);
4519 		return -ENOBUFS;
4520 	}
4521 
4522 	return genlmsg_reply(msg, info);
4523 }
4524 
4525 static int nl80211_new_interface(struct sk_buff *skb, struct genl_info *info)
4526 {
4527 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4528 
4529 	/* to avoid failing a new interface creation due to pending removal */
4530 	cfg80211_destroy_ifaces(rdev);
4531 
4532 	guard(wiphy)(&rdev->wiphy);
4533 
4534 	return _nl80211_new_interface(skb, info);
4535 }
4536 
4537 static int nl80211_del_interface(struct sk_buff *skb, struct genl_info *info)
4538 {
4539 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4540 	struct wireless_dev *wdev = info->user_ptr[1];
4541 
4542 	if (!rdev->ops->del_virtual_intf)
4543 		return -EOPNOTSUPP;
4544 
4545 	/*
4546 	 * We hold RTNL, so this is safe, without RTNL opencount cannot
4547 	 * reach 0, and thus the rdev cannot be deleted.
4548 	 *
4549 	 * We need to do it for the dev_close(), since that will call
4550 	 * the netdev notifiers, and we need to acquire the mutex there
4551 	 * but don't know if we get there from here or from some other
4552 	 * place (e.g. "ip link set ... down").
4553 	 */
4554 	mutex_unlock(&rdev->wiphy.mtx);
4555 
4556 	/*
4557 	 * If we remove a wireless device without a netdev then clear
4558 	 * user_ptr[1] so that nl80211_post_doit won't dereference it
4559 	 * to check if it needs to do dev_put(). Otherwise it crashes
4560 	 * since the wdev has been freed, unlike with a netdev where
4561 	 * we need the dev_put() for the netdev to really be freed.
4562 	 */
4563 	if (!wdev->netdev)
4564 		info->user_ptr[1] = NULL;
4565 	else
4566 		dev_close(wdev->netdev);
4567 
4568 	mutex_lock(&rdev->wiphy.mtx);
4569 
4570 	return cfg80211_remove_virtual_intf(rdev, wdev);
4571 }
4572 
4573 static int nl80211_set_noack_map(struct sk_buff *skb, struct genl_info *info)
4574 {
4575 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4576 	struct net_device *dev = info->user_ptr[1];
4577 	u16 noack_map;
4578 
4579 	if (!info->attrs[NL80211_ATTR_NOACK_MAP])
4580 		return -EINVAL;
4581 
4582 	if (!rdev->ops->set_noack_map)
4583 		return -EOPNOTSUPP;
4584 
4585 	noack_map = nla_get_u16(info->attrs[NL80211_ATTR_NOACK_MAP]);
4586 
4587 	return rdev_set_noack_map(rdev, dev, noack_map);
4588 }
4589 
4590 static int nl80211_validate_key_link_id(struct genl_info *info,
4591 					struct wireless_dev *wdev,
4592 					int link_id, bool pairwise)
4593 {
4594 	if (pairwise) {
4595 		if (link_id != -1) {
4596 			GENL_SET_ERR_MSG(info,
4597 					 "link ID not allowed for pairwise key");
4598 			return -EINVAL;
4599 		}
4600 
4601 		return 0;
4602 	}
4603 
4604 	if (wdev->valid_links) {
4605 		if (link_id == -1) {
4606 			GENL_SET_ERR_MSG(info,
4607 					 "link ID must for MLO group key");
4608 			return -EINVAL;
4609 		}
4610 		if (!(wdev->valid_links & BIT(link_id))) {
4611 			GENL_SET_ERR_MSG(info, "invalid link ID for MLO group key");
4612 			return -EINVAL;
4613 		}
4614 	} else if (link_id != -1) {
4615 		GENL_SET_ERR_MSG(info, "link ID not allowed for non-MLO group key");
4616 		return -EINVAL;
4617 	}
4618 
4619 	return 0;
4620 }
4621 
4622 struct get_key_cookie {
4623 	struct sk_buff *msg;
4624 	int error;
4625 	int idx;
4626 };
4627 
4628 static void get_key_callback(void *c, struct key_params *params)
4629 {
4630 	struct nlattr *key;
4631 	struct get_key_cookie *cookie = c;
4632 
4633 	if ((params->seq &&
4634 	     nla_put(cookie->msg, NL80211_ATTR_KEY_SEQ,
4635 		     params->seq_len, params->seq)) ||
4636 	    (params->cipher &&
4637 	     nla_put_u32(cookie->msg, NL80211_ATTR_KEY_CIPHER,
4638 			 params->cipher)))
4639 		goto nla_put_failure;
4640 
4641 	key = nla_nest_start_noflag(cookie->msg, NL80211_ATTR_KEY);
4642 	if (!key)
4643 		goto nla_put_failure;
4644 
4645 	if ((params->seq &&
4646 	     nla_put(cookie->msg, NL80211_KEY_SEQ,
4647 		     params->seq_len, params->seq)) ||
4648 	    (params->cipher &&
4649 	     nla_put_u32(cookie->msg, NL80211_KEY_CIPHER,
4650 			 params->cipher)))
4651 		goto nla_put_failure;
4652 
4653 	if (nla_put_u8(cookie->msg, NL80211_KEY_IDX, cookie->idx))
4654 		goto nla_put_failure;
4655 
4656 	nla_nest_end(cookie->msg, key);
4657 
4658 	return;
4659  nla_put_failure:
4660 	cookie->error = 1;
4661 }
4662 
4663 static int nl80211_get_key(struct sk_buff *skb, struct genl_info *info)
4664 {
4665 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4666 	int err;
4667 	struct net_device *dev = info->user_ptr[1];
4668 	u8 key_idx = 0;
4669 	const u8 *mac_addr = NULL;
4670 	bool pairwise;
4671 	struct get_key_cookie cookie = {
4672 		.error = 0,
4673 	};
4674 	void *hdr;
4675 	struct sk_buff *msg;
4676 	bool bigtk_support = false;
4677 	int link_id = nl80211_link_id_or_invalid(info->attrs);
4678 	struct wireless_dev *wdev = dev->ieee80211_ptr;
4679 
4680 	if (wiphy_ext_feature_isset(&rdev->wiphy,
4681 				    NL80211_EXT_FEATURE_BEACON_PROTECTION))
4682 		bigtk_support = true;
4683 
4684 	if ((wdev->iftype == NL80211_IFTYPE_STATION ||
4685 	     wdev->iftype == NL80211_IFTYPE_P2P_CLIENT) &&
4686 	    wiphy_ext_feature_isset(&rdev->wiphy,
4687 				    NL80211_EXT_FEATURE_BEACON_PROTECTION_CLIENT))
4688 		bigtk_support = true;
4689 
4690 	if (info->attrs[NL80211_ATTR_KEY_IDX]) {
4691 		key_idx = nla_get_u8(info->attrs[NL80211_ATTR_KEY_IDX]);
4692 
4693 		if (key_idx >= 6 && key_idx <= 7 && !bigtk_support) {
4694 			GENL_SET_ERR_MSG(info, "BIGTK not supported");
4695 			return -EINVAL;
4696 		}
4697 	}
4698 
4699 	if (info->attrs[NL80211_ATTR_MAC])
4700 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
4701 
4702 	pairwise = !!mac_addr;
4703 	if (info->attrs[NL80211_ATTR_KEY_TYPE]) {
4704 		u32 kt = nla_get_u32(info->attrs[NL80211_ATTR_KEY_TYPE]);
4705 
4706 		if (kt != NL80211_KEYTYPE_GROUP &&
4707 		    kt != NL80211_KEYTYPE_PAIRWISE)
4708 			return -EINVAL;
4709 		pairwise = kt == NL80211_KEYTYPE_PAIRWISE;
4710 	}
4711 
4712 	if (!rdev->ops->get_key)
4713 		return -EOPNOTSUPP;
4714 
4715 	if (!pairwise && mac_addr && !(rdev->wiphy.flags & WIPHY_FLAG_IBSS_RSN))
4716 		return -ENOENT;
4717 
4718 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
4719 	if (!msg)
4720 		return -ENOMEM;
4721 
4722 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
4723 			     NL80211_CMD_NEW_KEY);
4724 	if (!hdr)
4725 		goto nla_put_failure;
4726 
4727 	cookie.msg = msg;
4728 	cookie.idx = key_idx;
4729 
4730 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
4731 	    nla_put_u8(msg, NL80211_ATTR_KEY_IDX, key_idx))
4732 		goto nla_put_failure;
4733 	if (mac_addr &&
4734 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac_addr))
4735 		goto nla_put_failure;
4736 
4737 	err = nl80211_validate_key_link_id(info, wdev, link_id, pairwise);
4738 	if (err)
4739 		goto free_msg;
4740 
4741 	err = rdev_get_key(rdev, dev, link_id, key_idx, pairwise, mac_addr,
4742 			   &cookie, get_key_callback);
4743 
4744 	if (err)
4745 		goto free_msg;
4746 
4747 	if (cookie.error)
4748 		goto nla_put_failure;
4749 
4750 	genlmsg_end(msg, hdr);
4751 	return genlmsg_reply(msg, info);
4752 
4753  nla_put_failure:
4754 	err = -ENOBUFS;
4755  free_msg:
4756 	nlmsg_free(msg);
4757 	return err;
4758 }
4759 
4760 static int nl80211_set_key(struct sk_buff *skb, struct genl_info *info)
4761 {
4762 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4763 	struct key_parse key;
4764 	int err;
4765 	struct net_device *dev = info->user_ptr[1];
4766 	int link_id = nl80211_link_id_or_invalid(info->attrs);
4767 	struct wireless_dev *wdev = dev->ieee80211_ptr;
4768 
4769 	err = nl80211_parse_key(info, &key);
4770 	if (err)
4771 		return err;
4772 
4773 	if (key.idx < 0)
4774 		return -EINVAL;
4775 
4776 	/* Only support setting default key and
4777 	 * Extended Key ID action NL80211_KEY_SET_TX.
4778 	 */
4779 	if (!key.def && !key.defmgmt && !key.defbeacon &&
4780 	    !(key.p.mode == NL80211_KEY_SET_TX))
4781 		return -EINVAL;
4782 
4783 	if (key.def) {
4784 		if (!rdev->ops->set_default_key)
4785 			return -EOPNOTSUPP;
4786 
4787 		err = nl80211_key_allowed(wdev);
4788 		if (err)
4789 			return err;
4790 
4791 		err = nl80211_validate_key_link_id(info, wdev, link_id, false);
4792 		if (err)
4793 			return err;
4794 
4795 		err = rdev_set_default_key(rdev, dev, link_id, key.idx,
4796 					   key.def_uni, key.def_multi);
4797 
4798 		if (err)
4799 			return err;
4800 
4801 #ifdef CONFIG_CFG80211_WEXT
4802 		wdev->wext.default_key = key.idx;
4803 #endif
4804 		return 0;
4805 	} else if (key.defmgmt) {
4806 		if (key.def_uni || !key.def_multi)
4807 			return -EINVAL;
4808 
4809 		if (!rdev->ops->set_default_mgmt_key)
4810 			return -EOPNOTSUPP;
4811 
4812 		err = nl80211_key_allowed(wdev);
4813 		if (err)
4814 			return err;
4815 
4816 		err = nl80211_validate_key_link_id(info, wdev, link_id, false);
4817 		if (err)
4818 			return err;
4819 
4820 		err = rdev_set_default_mgmt_key(rdev, dev, link_id, key.idx);
4821 		if (err)
4822 			return err;
4823 
4824 #ifdef CONFIG_CFG80211_WEXT
4825 		wdev->wext.default_mgmt_key = key.idx;
4826 #endif
4827 		return 0;
4828 	} else if (key.defbeacon) {
4829 		if (key.def_uni || !key.def_multi)
4830 			return -EINVAL;
4831 
4832 		if (!rdev->ops->set_default_beacon_key)
4833 			return -EOPNOTSUPP;
4834 
4835 		err = nl80211_key_allowed(wdev);
4836 		if (err)
4837 			return err;
4838 
4839 		err = nl80211_validate_key_link_id(info, wdev, link_id, false);
4840 		if (err)
4841 			return err;
4842 
4843 		return rdev_set_default_beacon_key(rdev, dev, link_id, key.idx);
4844 	} else if (key.p.mode == NL80211_KEY_SET_TX &&
4845 		   wiphy_ext_feature_isset(&rdev->wiphy,
4846 					   NL80211_EXT_FEATURE_EXT_KEY_ID)) {
4847 		u8 *mac_addr = NULL;
4848 
4849 		if (info->attrs[NL80211_ATTR_MAC])
4850 			mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
4851 
4852 		if (!mac_addr || key.idx < 0 || key.idx > 1)
4853 			return -EINVAL;
4854 
4855 		err = nl80211_validate_key_link_id(info, wdev, link_id, true);
4856 		if (err)
4857 			return err;
4858 
4859 		return rdev_add_key(rdev, dev, link_id, key.idx,
4860 				    NL80211_KEYTYPE_PAIRWISE,
4861 				    mac_addr, &key.p);
4862 	}
4863 
4864 	return -EINVAL;
4865 }
4866 
4867 static int nl80211_new_key(struct sk_buff *skb, struct genl_info *info)
4868 {
4869 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4870 	int err;
4871 	struct net_device *dev = info->user_ptr[1];
4872 	struct key_parse key;
4873 	const u8 *mac_addr = NULL;
4874 	int link_id = nl80211_link_id_or_invalid(info->attrs);
4875 	struct wireless_dev *wdev = dev->ieee80211_ptr;
4876 
4877 	err = nl80211_parse_key(info, &key);
4878 	if (err)
4879 		return err;
4880 
4881 	if (!key.p.key) {
4882 		GENL_SET_ERR_MSG(info, "no key");
4883 		return -EINVAL;
4884 	}
4885 
4886 	if (info->attrs[NL80211_ATTR_MAC])
4887 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
4888 
4889 	if (key.type == -1) {
4890 		if (mac_addr)
4891 			key.type = NL80211_KEYTYPE_PAIRWISE;
4892 		else
4893 			key.type = NL80211_KEYTYPE_GROUP;
4894 	}
4895 
4896 	/* for now */
4897 	if (key.type != NL80211_KEYTYPE_PAIRWISE &&
4898 	    key.type != NL80211_KEYTYPE_GROUP) {
4899 		GENL_SET_ERR_MSG(info, "key type not pairwise or group");
4900 		return -EINVAL;
4901 	}
4902 
4903 	if (key.type == NL80211_KEYTYPE_GROUP &&
4904 	    info->attrs[NL80211_ATTR_VLAN_ID])
4905 		key.p.vlan_id = nla_get_u16(info->attrs[NL80211_ATTR_VLAN_ID]);
4906 
4907 	if (!rdev->ops->add_key)
4908 		return -EOPNOTSUPP;
4909 
4910 	if (cfg80211_validate_key_settings(rdev, &key.p, key.idx,
4911 					   key.type == NL80211_KEYTYPE_PAIRWISE,
4912 					   mac_addr)) {
4913 		GENL_SET_ERR_MSG(info, "key setting validation failed");
4914 		return -EINVAL;
4915 	}
4916 
4917 	err = nl80211_key_allowed(wdev);
4918 	if (err)
4919 		GENL_SET_ERR_MSG(info, "key not allowed");
4920 
4921 	if (!err)
4922 		err = nl80211_validate_key_link_id(info, wdev, link_id,
4923 				key.type == NL80211_KEYTYPE_PAIRWISE);
4924 
4925 	if (!err) {
4926 		err = rdev_add_key(rdev, dev, link_id, key.idx,
4927 				   key.type == NL80211_KEYTYPE_PAIRWISE,
4928 				    mac_addr, &key.p);
4929 		if (err)
4930 			GENL_SET_ERR_MSG(info, "key addition failed");
4931 	}
4932 
4933 	return err;
4934 }
4935 
4936 static int nl80211_del_key(struct sk_buff *skb, struct genl_info *info)
4937 {
4938 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4939 	int err;
4940 	struct net_device *dev = info->user_ptr[1];
4941 	u8 *mac_addr = NULL;
4942 	struct key_parse key;
4943 	int link_id = nl80211_link_id_or_invalid(info->attrs);
4944 	struct wireless_dev *wdev = dev->ieee80211_ptr;
4945 
4946 	err = nl80211_parse_key(info, &key);
4947 	if (err)
4948 		return err;
4949 
4950 	if (info->attrs[NL80211_ATTR_MAC])
4951 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
4952 
4953 	if (key.type == -1) {
4954 		if (mac_addr)
4955 			key.type = NL80211_KEYTYPE_PAIRWISE;
4956 		else
4957 			key.type = NL80211_KEYTYPE_GROUP;
4958 	}
4959 
4960 	/* for now */
4961 	if (key.type != NL80211_KEYTYPE_PAIRWISE &&
4962 	    key.type != NL80211_KEYTYPE_GROUP)
4963 		return -EINVAL;
4964 
4965 	if (!cfg80211_valid_key_idx(rdev, key.idx,
4966 				    key.type == NL80211_KEYTYPE_PAIRWISE))
4967 		return -EINVAL;
4968 
4969 	if (!rdev->ops->del_key)
4970 		return -EOPNOTSUPP;
4971 
4972 	err = nl80211_key_allowed(wdev);
4973 
4974 	if (key.type == NL80211_KEYTYPE_GROUP && mac_addr &&
4975 	    !(rdev->wiphy.flags & WIPHY_FLAG_IBSS_RSN))
4976 		err = -ENOENT;
4977 
4978 	if (!err)
4979 		err = nl80211_validate_key_link_id(info, wdev, link_id,
4980 				key.type == NL80211_KEYTYPE_PAIRWISE);
4981 
4982 	if (!err)
4983 		err = rdev_del_key(rdev, dev, link_id, key.idx,
4984 				   key.type == NL80211_KEYTYPE_PAIRWISE,
4985 				   mac_addr);
4986 
4987 #ifdef CONFIG_CFG80211_WEXT
4988 	if (!err) {
4989 		if (key.idx == wdev->wext.default_key)
4990 			wdev->wext.default_key = -1;
4991 		else if (key.idx == wdev->wext.default_mgmt_key)
4992 			wdev->wext.default_mgmt_key = -1;
4993 	}
4994 #endif
4995 
4996 	return err;
4997 }
4998 
4999 /* This function returns an error or the number of nested attributes */
5000 static int validate_acl_mac_addrs(struct nlattr *nl_attr)
5001 {
5002 	struct nlattr *attr;
5003 	int n_entries = 0, tmp;
5004 
5005 	nla_for_each_nested(attr, nl_attr, tmp) {
5006 		if (nla_len(attr) != ETH_ALEN)
5007 			return -EINVAL;
5008 
5009 		n_entries++;
5010 	}
5011 
5012 	return n_entries;
5013 }
5014 
5015 /*
5016  * This function parses ACL information and allocates memory for ACL data.
5017  * On successful return, the calling function is responsible to free the
5018  * ACL buffer returned by this function.
5019  */
5020 static struct cfg80211_acl_data *parse_acl_data(struct wiphy *wiphy,
5021 						struct genl_info *info)
5022 {
5023 	enum nl80211_acl_policy acl_policy;
5024 	struct nlattr *attr;
5025 	struct cfg80211_acl_data *acl;
5026 	int i = 0, n_entries, tmp;
5027 
5028 	if (!wiphy->max_acl_mac_addrs)
5029 		return ERR_PTR(-EOPNOTSUPP);
5030 
5031 	if (!info->attrs[NL80211_ATTR_ACL_POLICY])
5032 		return ERR_PTR(-EINVAL);
5033 
5034 	acl_policy = nla_get_u32(info->attrs[NL80211_ATTR_ACL_POLICY]);
5035 	if (acl_policy != NL80211_ACL_POLICY_ACCEPT_UNLESS_LISTED &&
5036 	    acl_policy != NL80211_ACL_POLICY_DENY_UNLESS_LISTED)
5037 		return ERR_PTR(-EINVAL);
5038 
5039 	if (!info->attrs[NL80211_ATTR_MAC_ADDRS])
5040 		return ERR_PTR(-EINVAL);
5041 
5042 	n_entries = validate_acl_mac_addrs(info->attrs[NL80211_ATTR_MAC_ADDRS]);
5043 	if (n_entries < 0)
5044 		return ERR_PTR(n_entries);
5045 
5046 	if (n_entries > wiphy->max_acl_mac_addrs)
5047 		return ERR_PTR(-EOPNOTSUPP);
5048 
5049 	acl = kzalloc(struct_size(acl, mac_addrs, n_entries), GFP_KERNEL);
5050 	if (!acl)
5051 		return ERR_PTR(-ENOMEM);
5052 	acl->n_acl_entries = n_entries;
5053 
5054 	nla_for_each_nested(attr, info->attrs[NL80211_ATTR_MAC_ADDRS], tmp) {
5055 		memcpy(acl->mac_addrs[i].addr, nla_data(attr), ETH_ALEN);
5056 		i++;
5057 	}
5058 	acl->acl_policy = acl_policy;
5059 
5060 	return acl;
5061 }
5062 
5063 static int nl80211_set_mac_acl(struct sk_buff *skb, struct genl_info *info)
5064 {
5065 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
5066 	struct net_device *dev = info->user_ptr[1];
5067 	struct cfg80211_acl_data *acl;
5068 	int err;
5069 
5070 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
5071 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
5072 		return -EOPNOTSUPP;
5073 
5074 	if (!dev->ieee80211_ptr->links[0].ap.beacon_interval)
5075 		return -EINVAL;
5076 
5077 	acl = parse_acl_data(&rdev->wiphy, info);
5078 	if (IS_ERR(acl))
5079 		return PTR_ERR(acl);
5080 
5081 	err = rdev_set_mac_acl(rdev, dev, acl);
5082 
5083 	kfree(acl);
5084 
5085 	return err;
5086 }
5087 
5088 static u32 rateset_to_mask(struct ieee80211_supported_band *sband,
5089 			   u8 *rates, u8 rates_len)
5090 {
5091 	u8 i;
5092 	u32 mask = 0;
5093 
5094 	for (i = 0; i < rates_len; i++) {
5095 		int rate = (rates[i] & 0x7f) * 5;
5096 		int ridx;
5097 
5098 		for (ridx = 0; ridx < sband->n_bitrates; ridx++) {
5099 			struct ieee80211_rate *srate =
5100 				&sband->bitrates[ridx];
5101 			if (rate == srate->bitrate) {
5102 				mask |= 1 << ridx;
5103 				break;
5104 			}
5105 		}
5106 		if (ridx == sband->n_bitrates)
5107 			return 0; /* rate not found */
5108 	}
5109 
5110 	return mask;
5111 }
5112 
5113 static bool ht_rateset_to_mask(struct ieee80211_supported_band *sband,
5114 			       u8 *rates, u8 rates_len,
5115 			       u8 mcs[IEEE80211_HT_MCS_MASK_LEN])
5116 {
5117 	u8 i;
5118 
5119 	memset(mcs, 0, IEEE80211_HT_MCS_MASK_LEN);
5120 
5121 	for (i = 0; i < rates_len; i++) {
5122 		int ridx, rbit;
5123 
5124 		ridx = rates[i] / 8;
5125 		rbit = BIT(rates[i] % 8);
5126 
5127 		/* check validity */
5128 		if ((ridx < 0) || (ridx >= IEEE80211_HT_MCS_MASK_LEN))
5129 			return false;
5130 
5131 		/* check availability */
5132 		ridx = array_index_nospec(ridx, IEEE80211_HT_MCS_MASK_LEN);
5133 		if (sband->ht_cap.mcs.rx_mask[ridx] & rbit)
5134 			mcs[ridx] |= rbit;
5135 		else
5136 			return false;
5137 	}
5138 
5139 	return true;
5140 }
5141 
5142 static u16 vht_mcs_map_to_mcs_mask(u8 vht_mcs_map)
5143 {
5144 	u16 mcs_mask = 0;
5145 
5146 	switch (vht_mcs_map) {
5147 	case IEEE80211_VHT_MCS_NOT_SUPPORTED:
5148 		break;
5149 	case IEEE80211_VHT_MCS_SUPPORT_0_7:
5150 		mcs_mask = 0x00FF;
5151 		break;
5152 	case IEEE80211_VHT_MCS_SUPPORT_0_8:
5153 		mcs_mask = 0x01FF;
5154 		break;
5155 	case IEEE80211_VHT_MCS_SUPPORT_0_9:
5156 		mcs_mask = 0x03FF;
5157 		break;
5158 	default:
5159 		break;
5160 	}
5161 
5162 	return mcs_mask;
5163 }
5164 
5165 static void vht_build_mcs_mask(u16 vht_mcs_map,
5166 			       u16 vht_mcs_mask[NL80211_VHT_NSS_MAX])
5167 {
5168 	u8 nss;
5169 
5170 	for (nss = 0; nss < NL80211_VHT_NSS_MAX; nss++) {
5171 		vht_mcs_mask[nss] = vht_mcs_map_to_mcs_mask(vht_mcs_map & 0x03);
5172 		vht_mcs_map >>= 2;
5173 	}
5174 }
5175 
5176 static bool vht_set_mcs_mask(struct ieee80211_supported_band *sband,
5177 			     struct nl80211_txrate_vht *txrate,
5178 			     u16 mcs[NL80211_VHT_NSS_MAX])
5179 {
5180 	u16 tx_mcs_map = le16_to_cpu(sband->vht_cap.vht_mcs.tx_mcs_map);
5181 	u16 tx_mcs_mask[NL80211_VHT_NSS_MAX] = {};
5182 	u8 i;
5183 
5184 	if (!sband->vht_cap.vht_supported)
5185 		return false;
5186 
5187 	memset(mcs, 0, sizeof(u16) * NL80211_VHT_NSS_MAX);
5188 
5189 	/* Build vht_mcs_mask from VHT capabilities */
5190 	vht_build_mcs_mask(tx_mcs_map, tx_mcs_mask);
5191 
5192 	for (i = 0; i < NL80211_VHT_NSS_MAX; i++) {
5193 		if ((tx_mcs_mask[i] & txrate->mcs[i]) == txrate->mcs[i])
5194 			mcs[i] = txrate->mcs[i];
5195 		else
5196 			return false;
5197 	}
5198 
5199 	return true;
5200 }
5201 
5202 static u16 he_mcs_map_to_mcs_mask(u8 he_mcs_map)
5203 {
5204 	switch (he_mcs_map) {
5205 	case IEEE80211_HE_MCS_NOT_SUPPORTED:
5206 		return 0;
5207 	case IEEE80211_HE_MCS_SUPPORT_0_7:
5208 		return 0x00FF;
5209 	case IEEE80211_HE_MCS_SUPPORT_0_9:
5210 		return 0x03FF;
5211 	case IEEE80211_HE_MCS_SUPPORT_0_11:
5212 		return 0xFFF;
5213 	default:
5214 		break;
5215 	}
5216 	return 0;
5217 }
5218 
5219 static void he_build_mcs_mask(u16 he_mcs_map,
5220 			      u16 he_mcs_mask[NL80211_HE_NSS_MAX])
5221 {
5222 	u8 nss;
5223 
5224 	for (nss = 0; nss < NL80211_HE_NSS_MAX; nss++) {
5225 		he_mcs_mask[nss] = he_mcs_map_to_mcs_mask(he_mcs_map & 0x03);
5226 		he_mcs_map >>= 2;
5227 	}
5228 }
5229 
5230 static u16 he_get_txmcsmap(struct genl_info *info, unsigned int link_id,
5231 			   const struct ieee80211_sta_he_cap *he_cap)
5232 {
5233 	struct net_device *dev = info->user_ptr[1];
5234 	struct wireless_dev *wdev = dev->ieee80211_ptr;
5235 	struct cfg80211_chan_def *chandef;
5236 	__le16 tx_mcs;
5237 
5238 	chandef = wdev_chandef(wdev, link_id);
5239 	if (!chandef) {
5240 		/*
5241 		 * This is probably broken, but we never maintained
5242 		 * a chandef in these cases, so it always was.
5243 		 */
5244 		return le16_to_cpu(he_cap->he_mcs_nss_supp.tx_mcs_80);
5245 	}
5246 
5247 	switch (chandef->width) {
5248 	case NL80211_CHAN_WIDTH_80P80:
5249 		tx_mcs = he_cap->he_mcs_nss_supp.tx_mcs_80p80;
5250 		break;
5251 	case NL80211_CHAN_WIDTH_160:
5252 		tx_mcs = he_cap->he_mcs_nss_supp.tx_mcs_160;
5253 		break;
5254 	default:
5255 		tx_mcs = he_cap->he_mcs_nss_supp.tx_mcs_80;
5256 		break;
5257 	}
5258 
5259 	return le16_to_cpu(tx_mcs);
5260 }
5261 
5262 static bool he_set_mcs_mask(struct genl_info *info,
5263 			    struct wireless_dev *wdev,
5264 			    struct ieee80211_supported_band *sband,
5265 			    struct nl80211_txrate_he *txrate,
5266 			    u16 mcs[NL80211_HE_NSS_MAX],
5267 			    unsigned int link_id)
5268 {
5269 	const struct ieee80211_sta_he_cap *he_cap;
5270 	u16 tx_mcs_mask[NL80211_HE_NSS_MAX] = {};
5271 	u16 tx_mcs_map = 0;
5272 	u8 i;
5273 
5274 	he_cap = ieee80211_get_he_iftype_cap(sband, wdev->iftype);
5275 	if (!he_cap)
5276 		return false;
5277 
5278 	memset(mcs, 0, sizeof(u16) * NL80211_HE_NSS_MAX);
5279 
5280 	tx_mcs_map = he_get_txmcsmap(info, link_id, he_cap);
5281 
5282 	/* Build he_mcs_mask from HE capabilities */
5283 	he_build_mcs_mask(tx_mcs_map, tx_mcs_mask);
5284 
5285 	for (i = 0; i < NL80211_HE_NSS_MAX; i++) {
5286 		if ((tx_mcs_mask[i] & txrate->mcs[i]) == txrate->mcs[i])
5287 			mcs[i] = txrate->mcs[i];
5288 		else
5289 			return false;
5290 	}
5291 
5292 	return true;
5293 }
5294 
5295 static int nl80211_parse_tx_bitrate_mask(struct genl_info *info,
5296 					 struct nlattr *attrs[],
5297 					 enum nl80211_attrs attr,
5298 					 struct cfg80211_bitrate_mask *mask,
5299 					 struct net_device *dev,
5300 					 bool default_all_enabled,
5301 					 unsigned int link_id)
5302 {
5303 	struct nlattr *tb[NL80211_TXRATE_MAX + 1];
5304 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
5305 	struct wireless_dev *wdev = dev->ieee80211_ptr;
5306 	int rem, i;
5307 	struct nlattr *tx_rates;
5308 	struct ieee80211_supported_band *sband;
5309 	u16 vht_tx_mcs_map, he_tx_mcs_map;
5310 
5311 	memset(mask, 0, sizeof(*mask));
5312 	/* Default to all rates enabled */
5313 	for (i = 0; i < NUM_NL80211_BANDS; i++) {
5314 		const struct ieee80211_sta_he_cap *he_cap;
5315 
5316 		if (!default_all_enabled)
5317 			break;
5318 
5319 		sband = rdev->wiphy.bands[i];
5320 
5321 		if (!sband)
5322 			continue;
5323 
5324 		mask->control[i].legacy = (1 << sband->n_bitrates) - 1;
5325 		memcpy(mask->control[i].ht_mcs,
5326 		       sband->ht_cap.mcs.rx_mask,
5327 		       sizeof(mask->control[i].ht_mcs));
5328 
5329 		if (sband->vht_cap.vht_supported) {
5330 			vht_tx_mcs_map = le16_to_cpu(sband->vht_cap.vht_mcs.tx_mcs_map);
5331 			vht_build_mcs_mask(vht_tx_mcs_map, mask->control[i].vht_mcs);
5332 		}
5333 
5334 		he_cap = ieee80211_get_he_iftype_cap(sband, wdev->iftype);
5335 		if (!he_cap)
5336 			continue;
5337 
5338 		he_tx_mcs_map = he_get_txmcsmap(info, link_id, he_cap);
5339 		he_build_mcs_mask(he_tx_mcs_map, mask->control[i].he_mcs);
5340 
5341 		mask->control[i].he_gi = 0xFF;
5342 		mask->control[i].he_ltf = 0xFF;
5343 	}
5344 
5345 	/* if no rates are given set it back to the defaults */
5346 	if (!attrs[attr])
5347 		goto out;
5348 
5349 	/* The nested attribute uses enum nl80211_band as the index. This maps
5350 	 * directly to the enum nl80211_band values used in cfg80211.
5351 	 */
5352 	BUILD_BUG_ON(NL80211_MAX_SUPP_HT_RATES > IEEE80211_HT_MCS_MASK_LEN * 8);
5353 	nla_for_each_nested(tx_rates, attrs[attr], rem) {
5354 		enum nl80211_band band = nla_type(tx_rates);
5355 		int err;
5356 
5357 		if (band < 0 || band >= NUM_NL80211_BANDS)
5358 			return -EINVAL;
5359 		sband = rdev->wiphy.bands[band];
5360 		if (sband == NULL)
5361 			return -EINVAL;
5362 		err = nla_parse_nested_deprecated(tb, NL80211_TXRATE_MAX,
5363 						  tx_rates,
5364 						  nl80211_txattr_policy,
5365 						  info->extack);
5366 		if (err)
5367 			return err;
5368 		if (tb[NL80211_TXRATE_LEGACY]) {
5369 			mask->control[band].legacy = rateset_to_mask(
5370 				sband,
5371 				nla_data(tb[NL80211_TXRATE_LEGACY]),
5372 				nla_len(tb[NL80211_TXRATE_LEGACY]));
5373 			if ((mask->control[band].legacy == 0) &&
5374 			    nla_len(tb[NL80211_TXRATE_LEGACY]))
5375 				return -EINVAL;
5376 		}
5377 		if (tb[NL80211_TXRATE_HT]) {
5378 			if (!ht_rateset_to_mask(
5379 					sband,
5380 					nla_data(tb[NL80211_TXRATE_HT]),
5381 					nla_len(tb[NL80211_TXRATE_HT]),
5382 					mask->control[band].ht_mcs))
5383 				return -EINVAL;
5384 		}
5385 
5386 		if (tb[NL80211_TXRATE_VHT]) {
5387 			if (!vht_set_mcs_mask(
5388 					sband,
5389 					nla_data(tb[NL80211_TXRATE_VHT]),
5390 					mask->control[band].vht_mcs))
5391 				return -EINVAL;
5392 		}
5393 
5394 		if (tb[NL80211_TXRATE_GI]) {
5395 			mask->control[band].gi =
5396 				nla_get_u8(tb[NL80211_TXRATE_GI]);
5397 			if (mask->control[band].gi > NL80211_TXRATE_FORCE_LGI)
5398 				return -EINVAL;
5399 		}
5400 		if (tb[NL80211_TXRATE_HE] &&
5401 		    !he_set_mcs_mask(info, wdev, sband,
5402 				     nla_data(tb[NL80211_TXRATE_HE]),
5403 				     mask->control[band].he_mcs,
5404 				     link_id))
5405 			return -EINVAL;
5406 
5407 		if (tb[NL80211_TXRATE_HE_GI])
5408 			mask->control[band].he_gi =
5409 				nla_get_u8(tb[NL80211_TXRATE_HE_GI]);
5410 		if (tb[NL80211_TXRATE_HE_LTF])
5411 			mask->control[band].he_ltf =
5412 				nla_get_u8(tb[NL80211_TXRATE_HE_LTF]);
5413 
5414 		if (mask->control[band].legacy == 0) {
5415 			/* don't allow empty legacy rates if HT, VHT or HE
5416 			 * are not even supported.
5417 			 */
5418 			if (!(rdev->wiphy.bands[band]->ht_cap.ht_supported ||
5419 			      rdev->wiphy.bands[band]->vht_cap.vht_supported ||
5420 			      ieee80211_get_he_iftype_cap(sband, wdev->iftype)))
5421 				return -EINVAL;
5422 
5423 			for (i = 0; i < IEEE80211_HT_MCS_MASK_LEN; i++)
5424 				if (mask->control[band].ht_mcs[i])
5425 					goto out;
5426 
5427 			for (i = 0; i < NL80211_VHT_NSS_MAX; i++)
5428 				if (mask->control[band].vht_mcs[i])
5429 					goto out;
5430 
5431 			for (i = 0; i < NL80211_HE_NSS_MAX; i++)
5432 				if (mask->control[band].he_mcs[i])
5433 					goto out;
5434 
5435 			/* legacy and mcs rates may not be both empty */
5436 			return -EINVAL;
5437 		}
5438 	}
5439 
5440 out:
5441 	return 0;
5442 }
5443 
5444 static int validate_beacon_tx_rate(struct cfg80211_registered_device *rdev,
5445 				   enum nl80211_band band,
5446 				   struct cfg80211_bitrate_mask *beacon_rate)
5447 {
5448 	u32 count_ht, count_vht, count_he, i;
5449 	u32 rate = beacon_rate->control[band].legacy;
5450 
5451 	/* Allow only one rate */
5452 	if (hweight32(rate) > 1)
5453 		return -EINVAL;
5454 
5455 	count_ht = 0;
5456 	for (i = 0; i < IEEE80211_HT_MCS_MASK_LEN; i++) {
5457 		if (hweight8(beacon_rate->control[band].ht_mcs[i]) > 1) {
5458 			return -EINVAL;
5459 		} else if (beacon_rate->control[band].ht_mcs[i]) {
5460 			count_ht++;
5461 			if (count_ht > 1)
5462 				return -EINVAL;
5463 		}
5464 		if (count_ht && rate)
5465 			return -EINVAL;
5466 	}
5467 
5468 	count_vht = 0;
5469 	for (i = 0; i < NL80211_VHT_NSS_MAX; i++) {
5470 		if (hweight16(beacon_rate->control[band].vht_mcs[i]) > 1) {
5471 			return -EINVAL;
5472 		} else if (beacon_rate->control[band].vht_mcs[i]) {
5473 			count_vht++;
5474 			if (count_vht > 1)
5475 				return -EINVAL;
5476 		}
5477 		if (count_vht && rate)
5478 			return -EINVAL;
5479 	}
5480 
5481 	count_he = 0;
5482 	for (i = 0; i < NL80211_HE_NSS_MAX; i++) {
5483 		if (hweight16(beacon_rate->control[band].he_mcs[i]) > 1) {
5484 			return -EINVAL;
5485 		} else if (beacon_rate->control[band].he_mcs[i]) {
5486 			count_he++;
5487 			if (count_he > 1)
5488 				return -EINVAL;
5489 		}
5490 		if (count_he && rate)
5491 			return -EINVAL;
5492 	}
5493 
5494 	if ((count_ht && count_vht && count_he) ||
5495 	    (!rate && !count_ht && !count_vht && !count_he))
5496 		return -EINVAL;
5497 
5498 	if (rate &&
5499 	    !wiphy_ext_feature_isset(&rdev->wiphy,
5500 				     NL80211_EXT_FEATURE_BEACON_RATE_LEGACY))
5501 		return -EINVAL;
5502 	if (count_ht &&
5503 	    !wiphy_ext_feature_isset(&rdev->wiphy,
5504 				     NL80211_EXT_FEATURE_BEACON_RATE_HT))
5505 		return -EINVAL;
5506 	if (count_vht &&
5507 	    !wiphy_ext_feature_isset(&rdev->wiphy,
5508 				     NL80211_EXT_FEATURE_BEACON_RATE_VHT))
5509 		return -EINVAL;
5510 	if (count_he &&
5511 	    !wiphy_ext_feature_isset(&rdev->wiphy,
5512 				     NL80211_EXT_FEATURE_BEACON_RATE_HE))
5513 		return -EINVAL;
5514 
5515 	return 0;
5516 }
5517 
5518 static int nl80211_parse_mbssid_config(struct wiphy *wiphy,
5519 				       struct net_device *dev,
5520 				       struct nlattr *attrs,
5521 				       struct cfg80211_mbssid_config *config,
5522 				       u8 num_elems)
5523 {
5524 	struct nlattr *tb[NL80211_MBSSID_CONFIG_ATTR_MAX + 1];
5525 
5526 	if (!wiphy->mbssid_max_interfaces)
5527 		return -EOPNOTSUPP;
5528 
5529 	if (nla_parse_nested(tb, NL80211_MBSSID_CONFIG_ATTR_MAX, attrs, NULL,
5530 			     NULL) ||
5531 	    !tb[NL80211_MBSSID_CONFIG_ATTR_INDEX])
5532 		return -EINVAL;
5533 
5534 	config->ema = nla_get_flag(tb[NL80211_MBSSID_CONFIG_ATTR_EMA]);
5535 	if (config->ema) {
5536 		if (!wiphy->ema_max_profile_periodicity)
5537 			return -EOPNOTSUPP;
5538 
5539 		if (num_elems > wiphy->ema_max_profile_periodicity)
5540 			return -EINVAL;
5541 	}
5542 
5543 	config->index = nla_get_u8(tb[NL80211_MBSSID_CONFIG_ATTR_INDEX]);
5544 	if (config->index >= wiphy->mbssid_max_interfaces ||
5545 	    (!config->index && !num_elems))
5546 		return -EINVAL;
5547 
5548 	if (tb[NL80211_MBSSID_CONFIG_ATTR_TX_IFINDEX]) {
5549 		u32 tx_ifindex =
5550 			nla_get_u32(tb[NL80211_MBSSID_CONFIG_ATTR_TX_IFINDEX]);
5551 
5552 		if ((!config->index && tx_ifindex != dev->ifindex) ||
5553 		    (config->index && tx_ifindex == dev->ifindex))
5554 			return -EINVAL;
5555 
5556 		if (tx_ifindex != dev->ifindex) {
5557 			struct net_device *tx_netdev =
5558 				dev_get_by_index(wiphy_net(wiphy), tx_ifindex);
5559 
5560 			if (!tx_netdev || !tx_netdev->ieee80211_ptr ||
5561 			    tx_netdev->ieee80211_ptr->wiphy != wiphy ||
5562 			    tx_netdev->ieee80211_ptr->iftype !=
5563 							NL80211_IFTYPE_AP) {
5564 				dev_put(tx_netdev);
5565 				return -EINVAL;
5566 			}
5567 
5568 			config->tx_wdev = tx_netdev->ieee80211_ptr;
5569 		} else {
5570 			config->tx_wdev = dev->ieee80211_ptr;
5571 		}
5572 	} else if (!config->index) {
5573 		config->tx_wdev = dev->ieee80211_ptr;
5574 	} else {
5575 		return -EINVAL;
5576 	}
5577 
5578 	return 0;
5579 }
5580 
5581 static struct cfg80211_mbssid_elems *
5582 nl80211_parse_mbssid_elems(struct wiphy *wiphy, struct nlattr *attrs)
5583 {
5584 	struct nlattr *nl_elems;
5585 	struct cfg80211_mbssid_elems *elems;
5586 	int rem_elems;
5587 	u8 i = 0, num_elems = 0;
5588 
5589 	if (!wiphy->mbssid_max_interfaces)
5590 		return ERR_PTR(-EINVAL);
5591 
5592 	nla_for_each_nested(nl_elems, attrs, rem_elems) {
5593 		if (num_elems >= 255)
5594 			return ERR_PTR(-EINVAL);
5595 		num_elems++;
5596 	}
5597 
5598 	elems = kzalloc(struct_size(elems, elem, num_elems), GFP_KERNEL);
5599 	if (!elems)
5600 		return ERR_PTR(-ENOMEM);
5601 	elems->cnt = num_elems;
5602 
5603 	nla_for_each_nested(nl_elems, attrs, rem_elems) {
5604 		elems->elem[i].data = nla_data(nl_elems);
5605 		elems->elem[i].len = nla_len(nl_elems);
5606 		i++;
5607 	}
5608 	return elems;
5609 }
5610 
5611 static struct cfg80211_rnr_elems *
5612 nl80211_parse_rnr_elems(struct wiphy *wiphy, struct nlattr *attrs,
5613 			struct netlink_ext_ack *extack)
5614 {
5615 	struct nlattr *nl_elems;
5616 	struct cfg80211_rnr_elems *elems;
5617 	int rem_elems;
5618 	u8 i = 0, num_elems = 0;
5619 
5620 	nla_for_each_nested(nl_elems, attrs, rem_elems) {
5621 		int ret;
5622 
5623 		ret = validate_ie_attr(nl_elems, extack);
5624 		if (ret)
5625 			return ERR_PTR(ret);
5626 
5627 		num_elems++;
5628 	}
5629 
5630 	elems = kzalloc(struct_size(elems, elem, num_elems), GFP_KERNEL);
5631 	if (!elems)
5632 		return ERR_PTR(-ENOMEM);
5633 	elems->cnt = num_elems;
5634 
5635 	nla_for_each_nested(nl_elems, attrs, rem_elems) {
5636 		elems->elem[i].data = nla_data(nl_elems);
5637 		elems->elem[i].len = nla_len(nl_elems);
5638 		i++;
5639 	}
5640 	return elems;
5641 }
5642 
5643 static int nl80211_parse_he_bss_color(struct nlattr *attrs,
5644 				      struct cfg80211_he_bss_color *he_bss_color)
5645 {
5646 	struct nlattr *tb[NL80211_HE_BSS_COLOR_ATTR_MAX + 1];
5647 	int err;
5648 
5649 	err = nla_parse_nested(tb, NL80211_HE_BSS_COLOR_ATTR_MAX, attrs,
5650 			       he_bss_color_policy, NULL);
5651 	if (err)
5652 		return err;
5653 
5654 	if (!tb[NL80211_HE_BSS_COLOR_ATTR_COLOR])
5655 		return -EINVAL;
5656 
5657 	he_bss_color->color =
5658 		nla_get_u8(tb[NL80211_HE_BSS_COLOR_ATTR_COLOR]);
5659 	he_bss_color->enabled =
5660 		!nla_get_flag(tb[NL80211_HE_BSS_COLOR_ATTR_DISABLED]);
5661 	he_bss_color->partial =
5662 		nla_get_flag(tb[NL80211_HE_BSS_COLOR_ATTR_PARTIAL]);
5663 
5664 	return 0;
5665 }
5666 
5667 static int nl80211_parse_beacon(struct cfg80211_registered_device *rdev,
5668 				struct nlattr *attrs[],
5669 				struct cfg80211_beacon_data *bcn,
5670 				struct netlink_ext_ack *extack)
5671 {
5672 	bool haveinfo = false;
5673 	int err;
5674 
5675 	memset(bcn, 0, sizeof(*bcn));
5676 
5677 	bcn->link_id = nl80211_link_id(attrs);
5678 
5679 	if (attrs[NL80211_ATTR_BEACON_HEAD]) {
5680 		bcn->head = nla_data(attrs[NL80211_ATTR_BEACON_HEAD]);
5681 		bcn->head_len = nla_len(attrs[NL80211_ATTR_BEACON_HEAD]);
5682 		if (!bcn->head_len)
5683 			return -EINVAL;
5684 		haveinfo = true;
5685 	}
5686 
5687 	if (attrs[NL80211_ATTR_BEACON_TAIL]) {
5688 		bcn->tail = nla_data(attrs[NL80211_ATTR_BEACON_TAIL]);
5689 		bcn->tail_len = nla_len(attrs[NL80211_ATTR_BEACON_TAIL]);
5690 		haveinfo = true;
5691 	}
5692 
5693 	if (!haveinfo)
5694 		return -EINVAL;
5695 
5696 	if (attrs[NL80211_ATTR_IE]) {
5697 		bcn->beacon_ies = nla_data(attrs[NL80211_ATTR_IE]);
5698 		bcn->beacon_ies_len = nla_len(attrs[NL80211_ATTR_IE]);
5699 	}
5700 
5701 	if (attrs[NL80211_ATTR_IE_PROBE_RESP]) {
5702 		bcn->proberesp_ies =
5703 			nla_data(attrs[NL80211_ATTR_IE_PROBE_RESP]);
5704 		bcn->proberesp_ies_len =
5705 			nla_len(attrs[NL80211_ATTR_IE_PROBE_RESP]);
5706 	}
5707 
5708 	if (attrs[NL80211_ATTR_IE_ASSOC_RESP]) {
5709 		bcn->assocresp_ies =
5710 			nla_data(attrs[NL80211_ATTR_IE_ASSOC_RESP]);
5711 		bcn->assocresp_ies_len =
5712 			nla_len(attrs[NL80211_ATTR_IE_ASSOC_RESP]);
5713 	}
5714 
5715 	if (attrs[NL80211_ATTR_PROBE_RESP]) {
5716 		bcn->probe_resp = nla_data(attrs[NL80211_ATTR_PROBE_RESP]);
5717 		bcn->probe_resp_len = nla_len(attrs[NL80211_ATTR_PROBE_RESP]);
5718 	}
5719 
5720 	if (attrs[NL80211_ATTR_FTM_RESPONDER]) {
5721 		struct nlattr *tb[NL80211_FTM_RESP_ATTR_MAX + 1];
5722 
5723 		err = nla_parse_nested_deprecated(tb,
5724 						  NL80211_FTM_RESP_ATTR_MAX,
5725 						  attrs[NL80211_ATTR_FTM_RESPONDER],
5726 						  NULL, NULL);
5727 		if (err)
5728 			return err;
5729 
5730 		if (tb[NL80211_FTM_RESP_ATTR_ENABLED] &&
5731 		    wiphy_ext_feature_isset(&rdev->wiphy,
5732 					    NL80211_EXT_FEATURE_ENABLE_FTM_RESPONDER))
5733 			bcn->ftm_responder = 1;
5734 		else
5735 			return -EOPNOTSUPP;
5736 
5737 		if (tb[NL80211_FTM_RESP_ATTR_LCI]) {
5738 			bcn->lci = nla_data(tb[NL80211_FTM_RESP_ATTR_LCI]);
5739 			bcn->lci_len = nla_len(tb[NL80211_FTM_RESP_ATTR_LCI]);
5740 		}
5741 
5742 		if (tb[NL80211_FTM_RESP_ATTR_CIVICLOC]) {
5743 			bcn->civicloc = nla_data(tb[NL80211_FTM_RESP_ATTR_CIVICLOC]);
5744 			bcn->civicloc_len = nla_len(tb[NL80211_FTM_RESP_ATTR_CIVICLOC]);
5745 		}
5746 	} else {
5747 		bcn->ftm_responder = -1;
5748 	}
5749 
5750 	if (attrs[NL80211_ATTR_HE_BSS_COLOR]) {
5751 		err = nl80211_parse_he_bss_color(attrs[NL80211_ATTR_HE_BSS_COLOR],
5752 						 &bcn->he_bss_color);
5753 		if (err)
5754 			return err;
5755 		bcn->he_bss_color_valid = true;
5756 	}
5757 
5758 	if (attrs[NL80211_ATTR_MBSSID_ELEMS]) {
5759 		struct cfg80211_mbssid_elems *mbssid =
5760 			nl80211_parse_mbssid_elems(&rdev->wiphy,
5761 						   attrs[NL80211_ATTR_MBSSID_ELEMS]);
5762 
5763 		if (IS_ERR(mbssid))
5764 			return PTR_ERR(mbssid);
5765 
5766 		bcn->mbssid_ies = mbssid;
5767 
5768 		if (bcn->mbssid_ies && attrs[NL80211_ATTR_EMA_RNR_ELEMS]) {
5769 			struct cfg80211_rnr_elems *rnr =
5770 				nl80211_parse_rnr_elems(&rdev->wiphy,
5771 							attrs[NL80211_ATTR_EMA_RNR_ELEMS],
5772 							extack);
5773 
5774 			if (IS_ERR(rnr))
5775 				return PTR_ERR(rnr);
5776 
5777 			if (rnr && rnr->cnt < bcn->mbssid_ies->cnt)
5778 				return -EINVAL;
5779 
5780 			bcn->rnr_ies = rnr;
5781 		}
5782 	}
5783 
5784 	return 0;
5785 }
5786 
5787 static int nl80211_parse_he_obss_pd(struct nlattr *attrs,
5788 				    struct ieee80211_he_obss_pd *he_obss_pd)
5789 {
5790 	struct nlattr *tb[NL80211_HE_OBSS_PD_ATTR_MAX + 1];
5791 	int err;
5792 
5793 	err = nla_parse_nested(tb, NL80211_HE_OBSS_PD_ATTR_MAX, attrs,
5794 			       he_obss_pd_policy, NULL);
5795 	if (err)
5796 		return err;
5797 
5798 	if (!tb[NL80211_HE_OBSS_PD_ATTR_SR_CTRL])
5799 		return -EINVAL;
5800 
5801 	he_obss_pd->sr_ctrl = nla_get_u8(tb[NL80211_HE_OBSS_PD_ATTR_SR_CTRL]);
5802 
5803 	if (tb[NL80211_HE_OBSS_PD_ATTR_MIN_OFFSET])
5804 		he_obss_pd->min_offset =
5805 			nla_get_u8(tb[NL80211_HE_OBSS_PD_ATTR_MIN_OFFSET]);
5806 	if (tb[NL80211_HE_OBSS_PD_ATTR_MAX_OFFSET])
5807 		he_obss_pd->max_offset =
5808 			nla_get_u8(tb[NL80211_HE_OBSS_PD_ATTR_MAX_OFFSET]);
5809 	if (tb[NL80211_HE_OBSS_PD_ATTR_NON_SRG_MAX_OFFSET])
5810 		he_obss_pd->non_srg_max_offset =
5811 			nla_get_u8(tb[NL80211_HE_OBSS_PD_ATTR_NON_SRG_MAX_OFFSET]);
5812 
5813 	if (he_obss_pd->min_offset > he_obss_pd->max_offset)
5814 		return -EINVAL;
5815 
5816 	if (tb[NL80211_HE_OBSS_PD_ATTR_BSS_COLOR_BITMAP])
5817 		memcpy(he_obss_pd->bss_color_bitmap,
5818 		       nla_data(tb[NL80211_HE_OBSS_PD_ATTR_BSS_COLOR_BITMAP]),
5819 		       sizeof(he_obss_pd->bss_color_bitmap));
5820 
5821 	if (tb[NL80211_HE_OBSS_PD_ATTR_PARTIAL_BSSID_BITMAP])
5822 		memcpy(he_obss_pd->partial_bssid_bitmap,
5823 		       nla_data(tb[NL80211_HE_OBSS_PD_ATTR_PARTIAL_BSSID_BITMAP]),
5824 		       sizeof(he_obss_pd->partial_bssid_bitmap));
5825 
5826 	he_obss_pd->enable = true;
5827 
5828 	return 0;
5829 }
5830 
5831 static int nl80211_parse_fils_discovery(struct cfg80211_registered_device *rdev,
5832 					struct nlattr *attrs,
5833 					struct cfg80211_fils_discovery *fd)
5834 {
5835 	struct nlattr *tb[NL80211_FILS_DISCOVERY_ATTR_MAX + 1];
5836 	int ret;
5837 
5838 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
5839 				     NL80211_EXT_FEATURE_FILS_DISCOVERY))
5840 		return -EINVAL;
5841 
5842 	ret = nla_parse_nested(tb, NL80211_FILS_DISCOVERY_ATTR_MAX, attrs,
5843 			       NULL, NULL);
5844 	if (ret)
5845 		return ret;
5846 
5847 	if (!tb[NL80211_FILS_DISCOVERY_ATTR_INT_MIN] &&
5848 	    !tb[NL80211_FILS_DISCOVERY_ATTR_INT_MAX] &&
5849 	    !tb[NL80211_FILS_DISCOVERY_ATTR_TMPL]) {
5850 		fd->update = true;
5851 		return 0;
5852 	}
5853 
5854 	if (!tb[NL80211_FILS_DISCOVERY_ATTR_INT_MIN] ||
5855 	    !tb[NL80211_FILS_DISCOVERY_ATTR_INT_MAX] ||
5856 	    !tb[NL80211_FILS_DISCOVERY_ATTR_TMPL])
5857 		return -EINVAL;
5858 
5859 	fd->tmpl_len = nla_len(tb[NL80211_FILS_DISCOVERY_ATTR_TMPL]);
5860 	fd->tmpl = nla_data(tb[NL80211_FILS_DISCOVERY_ATTR_TMPL]);
5861 	fd->min_interval = nla_get_u32(tb[NL80211_FILS_DISCOVERY_ATTR_INT_MIN]);
5862 	fd->max_interval = nla_get_u32(tb[NL80211_FILS_DISCOVERY_ATTR_INT_MAX]);
5863 	fd->update = true;
5864 	return 0;
5865 }
5866 
5867 static int
5868 nl80211_parse_unsol_bcast_probe_resp(struct cfg80211_registered_device *rdev,
5869 				     struct nlattr *attrs,
5870 				     struct cfg80211_unsol_bcast_probe_resp *presp)
5871 {
5872 	struct nlattr *tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_MAX + 1];
5873 	int ret;
5874 
5875 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
5876 				     NL80211_EXT_FEATURE_UNSOL_BCAST_PROBE_RESP))
5877 		return -EINVAL;
5878 
5879 	ret = nla_parse_nested(tb, NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_MAX,
5880 			       attrs, NULL, NULL);
5881 	if (ret)
5882 		return ret;
5883 
5884 	if (!tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_INT] &&
5885 	    !tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_TMPL]) {
5886 		presp->update = true;
5887 		return 0;
5888 	}
5889 
5890 	if (!tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_INT] ||
5891 	    !tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_TMPL])
5892 		return -EINVAL;
5893 
5894 	presp->tmpl = nla_data(tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_TMPL]);
5895 	presp->tmpl_len = nla_len(tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_TMPL]);
5896 	presp->interval = nla_get_u32(tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_INT]);
5897 	presp->update = true;
5898 	return 0;
5899 }
5900 
5901 static void nl80211_check_ap_rate_selectors(struct cfg80211_ap_settings *params,
5902 					    const struct element *rates)
5903 {
5904 	int i;
5905 
5906 	if (!rates)
5907 		return;
5908 
5909 	for (i = 0; i < rates->datalen; i++) {
5910 		if (rates->data[i] == BSS_MEMBERSHIP_SELECTOR_HT_PHY)
5911 			params->ht_required = true;
5912 		if (rates->data[i] == BSS_MEMBERSHIP_SELECTOR_VHT_PHY)
5913 			params->vht_required = true;
5914 		if (rates->data[i] == BSS_MEMBERSHIP_SELECTOR_HE_PHY)
5915 			params->he_required = true;
5916 		if (rates->data[i] == BSS_MEMBERSHIP_SELECTOR_SAE_H2E)
5917 			params->sae_h2e_required = true;
5918 	}
5919 }
5920 
5921 /*
5922  * Since the nl80211 API didn't include, from the beginning, attributes about
5923  * HT/VHT requirements/capabilities, we parse them out of the IEs for the
5924  * benefit of drivers that rebuild IEs in the firmware.
5925  */
5926 static int nl80211_calculate_ap_params(struct cfg80211_ap_settings *params)
5927 {
5928 	const struct cfg80211_beacon_data *bcn = &params->beacon;
5929 	size_t ies_len = bcn->tail_len;
5930 	const u8 *ies = bcn->tail;
5931 	const struct element *rates;
5932 	const struct element *cap;
5933 
5934 	rates = cfg80211_find_elem(WLAN_EID_SUPP_RATES, ies, ies_len);
5935 	nl80211_check_ap_rate_selectors(params, rates);
5936 
5937 	rates = cfg80211_find_elem(WLAN_EID_EXT_SUPP_RATES, ies, ies_len);
5938 	nl80211_check_ap_rate_selectors(params, rates);
5939 
5940 	cap = cfg80211_find_elem(WLAN_EID_HT_CAPABILITY, ies, ies_len);
5941 	if (cap && cap->datalen >= sizeof(*params->ht_cap))
5942 		params->ht_cap = (void *)cap->data;
5943 	cap = cfg80211_find_elem(WLAN_EID_VHT_CAPABILITY, ies, ies_len);
5944 	if (cap && cap->datalen >= sizeof(*params->vht_cap))
5945 		params->vht_cap = (void *)cap->data;
5946 	cap = cfg80211_find_ext_elem(WLAN_EID_EXT_HE_CAPABILITY, ies, ies_len);
5947 	if (cap && cap->datalen >= sizeof(*params->he_cap) + 1)
5948 		params->he_cap = (void *)(cap->data + 1);
5949 	cap = cfg80211_find_ext_elem(WLAN_EID_EXT_HE_OPERATION, ies, ies_len);
5950 	if (cap && cap->datalen >= sizeof(*params->he_oper) + 1)
5951 		params->he_oper = (void *)(cap->data + 1);
5952 	cap = cfg80211_find_ext_elem(WLAN_EID_EXT_EHT_CAPABILITY, ies, ies_len);
5953 	if (cap) {
5954 		if (!cap->datalen)
5955 			return -EINVAL;
5956 		params->eht_cap = (void *)(cap->data + 1);
5957 		if (!ieee80211_eht_capa_size_ok((const u8 *)params->he_cap,
5958 						(const u8 *)params->eht_cap,
5959 						cap->datalen - 1, true))
5960 			return -EINVAL;
5961 	}
5962 	cap = cfg80211_find_ext_elem(WLAN_EID_EXT_EHT_OPERATION, ies, ies_len);
5963 	if (cap) {
5964 		if (!cap->datalen)
5965 			return -EINVAL;
5966 		params->eht_oper = (void *)(cap->data + 1);
5967 		if (!ieee80211_eht_oper_size_ok((const u8 *)params->eht_oper,
5968 						cap->datalen - 1))
5969 			return -EINVAL;
5970 	}
5971 	return 0;
5972 }
5973 
5974 static bool nl80211_get_ap_channel(struct cfg80211_registered_device *rdev,
5975 				   struct cfg80211_ap_settings *params)
5976 {
5977 	struct wireless_dev *wdev;
5978 
5979 	list_for_each_entry(wdev, &rdev->wiphy.wdev_list, list) {
5980 		if (wdev->iftype != NL80211_IFTYPE_AP &&
5981 		    wdev->iftype != NL80211_IFTYPE_P2P_GO)
5982 			continue;
5983 
5984 		if (!wdev->u.ap.preset_chandef.chan)
5985 			continue;
5986 
5987 		params->chandef = wdev->u.ap.preset_chandef;
5988 		return true;
5989 	}
5990 
5991 	return false;
5992 }
5993 
5994 static bool nl80211_valid_auth_type(struct cfg80211_registered_device *rdev,
5995 				    enum nl80211_auth_type auth_type,
5996 				    enum nl80211_commands cmd)
5997 {
5998 	if (auth_type > NL80211_AUTHTYPE_MAX)
5999 		return false;
6000 
6001 	switch (cmd) {
6002 	case NL80211_CMD_AUTHENTICATE:
6003 		if (!(rdev->wiphy.features & NL80211_FEATURE_SAE) &&
6004 		    auth_type == NL80211_AUTHTYPE_SAE)
6005 			return false;
6006 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
6007 					     NL80211_EXT_FEATURE_FILS_STA) &&
6008 		    (auth_type == NL80211_AUTHTYPE_FILS_SK ||
6009 		     auth_type == NL80211_AUTHTYPE_FILS_SK_PFS ||
6010 		     auth_type == NL80211_AUTHTYPE_FILS_PK))
6011 			return false;
6012 		return true;
6013 	case NL80211_CMD_CONNECT:
6014 		if (!(rdev->wiphy.features & NL80211_FEATURE_SAE) &&
6015 		    !wiphy_ext_feature_isset(&rdev->wiphy,
6016 					     NL80211_EXT_FEATURE_SAE_OFFLOAD) &&
6017 		    auth_type == NL80211_AUTHTYPE_SAE)
6018 			return false;
6019 
6020 		/* FILS with SK PFS or PK not supported yet */
6021 		if (auth_type == NL80211_AUTHTYPE_FILS_SK_PFS ||
6022 		    auth_type == NL80211_AUTHTYPE_FILS_PK)
6023 			return false;
6024 		if (!wiphy_ext_feature_isset(
6025 			    &rdev->wiphy,
6026 			    NL80211_EXT_FEATURE_FILS_SK_OFFLOAD) &&
6027 		    auth_type == NL80211_AUTHTYPE_FILS_SK)
6028 			return false;
6029 		return true;
6030 	case NL80211_CMD_START_AP:
6031 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
6032 					     NL80211_EXT_FEATURE_SAE_OFFLOAD_AP) &&
6033 		    auth_type == NL80211_AUTHTYPE_SAE)
6034 			return false;
6035 		/* FILS not supported yet */
6036 		if (auth_type == NL80211_AUTHTYPE_FILS_SK ||
6037 		    auth_type == NL80211_AUTHTYPE_FILS_SK_PFS ||
6038 		    auth_type == NL80211_AUTHTYPE_FILS_PK)
6039 			return false;
6040 		return true;
6041 	default:
6042 		return false;
6043 	}
6044 }
6045 
6046 static void nl80211_send_ap_started(struct wireless_dev *wdev,
6047 				    unsigned int link_id)
6048 {
6049 	struct wiphy *wiphy = wdev->wiphy;
6050 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
6051 	struct sk_buff *msg;
6052 	void *hdr;
6053 
6054 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
6055 	if (!msg)
6056 		return;
6057 
6058 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_START_AP);
6059 	if (!hdr)
6060 		goto out;
6061 
6062 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
6063 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, wdev->netdev->ifindex) ||
6064 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
6065 			      NL80211_ATTR_PAD) ||
6066 	    (wdev->u.ap.ssid_len &&
6067 	     nla_put(msg, NL80211_ATTR_SSID, wdev->u.ap.ssid_len,
6068 		     wdev->u.ap.ssid)) ||
6069 	    (wdev->valid_links &&
6070 	     nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID, link_id)))
6071 		goto out;
6072 
6073 	genlmsg_end(msg, hdr);
6074 
6075 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(wiphy), msg, 0,
6076 				NL80211_MCGRP_MLME, GFP_KERNEL);
6077 	return;
6078 out:
6079 	nlmsg_free(msg);
6080 }
6081 
6082 static int nl80211_validate_ap_phy_operation(struct cfg80211_ap_settings *params)
6083 {
6084 	struct ieee80211_channel *channel = params->chandef.chan;
6085 
6086 	if ((params->he_cap ||  params->he_oper) &&
6087 	    (channel->flags & IEEE80211_CHAN_NO_HE))
6088 		return -EOPNOTSUPP;
6089 
6090 	if ((params->eht_cap || params->eht_oper) &&
6091 	    (channel->flags & IEEE80211_CHAN_NO_EHT))
6092 		return -EOPNOTSUPP;
6093 
6094 	return 0;
6095 }
6096 
6097 static int nl80211_start_ap(struct sk_buff *skb, struct genl_info *info)
6098 {
6099 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6100 	struct cfg80211_beaconing_check_config beacon_check = {};
6101 	unsigned int link_id = nl80211_link_id(info->attrs);
6102 	struct net_device *dev = info->user_ptr[1];
6103 	struct wireless_dev *wdev = dev->ieee80211_ptr;
6104 	struct cfg80211_ap_settings *params;
6105 	int err;
6106 
6107 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
6108 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
6109 		return -EOPNOTSUPP;
6110 
6111 	if (!rdev->ops->start_ap)
6112 		return -EOPNOTSUPP;
6113 
6114 	if (wdev->links[link_id].cac_started)
6115 		return -EBUSY;
6116 
6117 	if (wdev->links[link_id].ap.beacon_interval)
6118 		return -EALREADY;
6119 
6120 	/* these are required for START_AP */
6121 	if (!info->attrs[NL80211_ATTR_BEACON_INTERVAL] ||
6122 	    !info->attrs[NL80211_ATTR_DTIM_PERIOD] ||
6123 	    !info->attrs[NL80211_ATTR_BEACON_HEAD])
6124 		return -EINVAL;
6125 
6126 	if (info->attrs[NL80211_ATTR_SMPS_MODE] &&
6127 	    nla_get_u8(info->attrs[NL80211_ATTR_SMPS_MODE]) != NL80211_SMPS_OFF)
6128 		return -EOPNOTSUPP;
6129 
6130 	params = kzalloc(sizeof(*params), GFP_KERNEL);
6131 	if (!params)
6132 		return -ENOMEM;
6133 
6134 	err = nl80211_parse_beacon(rdev, info->attrs, &params->beacon,
6135 				   info->extack);
6136 	if (err)
6137 		goto out;
6138 
6139 	params->beacon_interval =
6140 		nla_get_u32(info->attrs[NL80211_ATTR_BEACON_INTERVAL]);
6141 	params->dtim_period =
6142 		nla_get_u32(info->attrs[NL80211_ATTR_DTIM_PERIOD]);
6143 
6144 	err = cfg80211_validate_beacon_int(rdev, dev->ieee80211_ptr->iftype,
6145 					   params->beacon_interval);
6146 	if (err)
6147 		goto out;
6148 
6149 	/*
6150 	 * In theory, some of these attributes should be required here
6151 	 * but since they were not used when the command was originally
6152 	 * added, keep them optional for old user space programs to let
6153 	 * them continue to work with drivers that do not need the
6154 	 * additional information -- drivers must check!
6155 	 */
6156 	if (info->attrs[NL80211_ATTR_SSID]) {
6157 		params->ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
6158 		params->ssid_len =
6159 			nla_len(info->attrs[NL80211_ATTR_SSID]);
6160 		if (params->ssid_len == 0) {
6161 			err = -EINVAL;
6162 			goto out;
6163 		}
6164 
6165 		if (wdev->u.ap.ssid_len &&
6166 		    (wdev->u.ap.ssid_len != params->ssid_len ||
6167 		     memcmp(wdev->u.ap.ssid, params->ssid, params->ssid_len))) {
6168 			/* require identical SSID for MLO */
6169 			err = -EINVAL;
6170 			goto out;
6171 		}
6172 	} else if (wdev->valid_links) {
6173 		/* require SSID for MLO */
6174 		err = -EINVAL;
6175 		goto out;
6176 	}
6177 
6178 	if (info->attrs[NL80211_ATTR_HIDDEN_SSID])
6179 		params->hidden_ssid = nla_get_u32(
6180 			info->attrs[NL80211_ATTR_HIDDEN_SSID]);
6181 
6182 	params->privacy = !!info->attrs[NL80211_ATTR_PRIVACY];
6183 
6184 	if (info->attrs[NL80211_ATTR_AUTH_TYPE]) {
6185 		params->auth_type = nla_get_u32(
6186 			info->attrs[NL80211_ATTR_AUTH_TYPE]);
6187 		if (!nl80211_valid_auth_type(rdev, params->auth_type,
6188 					     NL80211_CMD_START_AP)) {
6189 			err = -EINVAL;
6190 			goto out;
6191 		}
6192 	} else
6193 		params->auth_type = NL80211_AUTHTYPE_AUTOMATIC;
6194 
6195 	err = nl80211_crypto_settings(rdev, info, &params->crypto,
6196 				      NL80211_MAX_NR_CIPHER_SUITES);
6197 	if (err)
6198 		goto out;
6199 
6200 	if (info->attrs[NL80211_ATTR_INACTIVITY_TIMEOUT]) {
6201 		if (!(rdev->wiphy.features & NL80211_FEATURE_INACTIVITY_TIMER)) {
6202 			err = -EOPNOTSUPP;
6203 			goto out;
6204 		}
6205 		params->inactivity_timeout = nla_get_u16(
6206 			info->attrs[NL80211_ATTR_INACTIVITY_TIMEOUT]);
6207 	}
6208 
6209 	if (info->attrs[NL80211_ATTR_P2P_CTWINDOW]) {
6210 		if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO) {
6211 			err = -EINVAL;
6212 			goto out;
6213 		}
6214 		params->p2p_ctwindow =
6215 			nla_get_u8(info->attrs[NL80211_ATTR_P2P_CTWINDOW]);
6216 		if (params->p2p_ctwindow != 0 &&
6217 		    !(rdev->wiphy.features & NL80211_FEATURE_P2P_GO_CTWIN)) {
6218 			err = -EINVAL;
6219 			goto out;
6220 		}
6221 	}
6222 
6223 	if (info->attrs[NL80211_ATTR_P2P_OPPPS]) {
6224 		u8 tmp;
6225 
6226 		if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO) {
6227 			err = -EINVAL;
6228 			goto out;
6229 		}
6230 		tmp = nla_get_u8(info->attrs[NL80211_ATTR_P2P_OPPPS]);
6231 		params->p2p_opp_ps = tmp;
6232 		if (params->p2p_opp_ps != 0 &&
6233 		    !(rdev->wiphy.features & NL80211_FEATURE_P2P_GO_OPPPS)) {
6234 			err = -EINVAL;
6235 			goto out;
6236 		}
6237 	}
6238 
6239 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
6240 		err = nl80211_parse_chandef(rdev, info, &params->chandef);
6241 		if (err)
6242 			goto out;
6243 	} else if (wdev->valid_links) {
6244 		/* with MLD need to specify the channel configuration */
6245 		err = -EINVAL;
6246 		goto out;
6247 	} else if (wdev->u.ap.preset_chandef.chan) {
6248 		params->chandef = wdev->u.ap.preset_chandef;
6249 	} else if (!nl80211_get_ap_channel(rdev, params)) {
6250 		err = -EINVAL;
6251 		goto out;
6252 	}
6253 
6254 	beacon_check.iftype = wdev->iftype;
6255 	beacon_check.relax = true;
6256 	beacon_check.reg_power =
6257 		cfg80211_get_6ghz_power_type(params->beacon.tail,
6258 					     params->beacon.tail_len);
6259 	if (!cfg80211_reg_check_beaconing(&rdev->wiphy, &params->chandef,
6260 					  &beacon_check)) {
6261 		err = -EINVAL;
6262 		goto out;
6263 	}
6264 
6265 	if (info->attrs[NL80211_ATTR_TX_RATES]) {
6266 		err = nl80211_parse_tx_bitrate_mask(info, info->attrs,
6267 						    NL80211_ATTR_TX_RATES,
6268 						    &params->beacon_rate,
6269 						    dev, false, link_id);
6270 		if (err)
6271 			goto out;
6272 
6273 		err = validate_beacon_tx_rate(rdev, params->chandef.chan->band,
6274 					      &params->beacon_rate);
6275 		if (err)
6276 			goto out;
6277 	}
6278 
6279 	params->pbss = nla_get_flag(info->attrs[NL80211_ATTR_PBSS]);
6280 	if (params->pbss && !rdev->wiphy.bands[NL80211_BAND_60GHZ]) {
6281 		err = -EOPNOTSUPP;
6282 		goto out;
6283 	}
6284 
6285 	if (info->attrs[NL80211_ATTR_ACL_POLICY]) {
6286 		params->acl = parse_acl_data(&rdev->wiphy, info);
6287 		if (IS_ERR(params->acl)) {
6288 			err = PTR_ERR(params->acl);
6289 			params->acl = NULL;
6290 			goto out;
6291 		}
6292 	}
6293 
6294 	params->twt_responder =
6295 		    nla_get_flag(info->attrs[NL80211_ATTR_TWT_RESPONDER]);
6296 
6297 	if (info->attrs[NL80211_ATTR_HE_OBSS_PD]) {
6298 		err = nl80211_parse_he_obss_pd(
6299 					info->attrs[NL80211_ATTR_HE_OBSS_PD],
6300 					&params->he_obss_pd);
6301 		if (err)
6302 			goto out;
6303 	}
6304 
6305 	if (info->attrs[NL80211_ATTR_FILS_DISCOVERY]) {
6306 		err = nl80211_parse_fils_discovery(rdev,
6307 						   info->attrs[NL80211_ATTR_FILS_DISCOVERY],
6308 						   &params->fils_discovery);
6309 		if (err)
6310 			goto out;
6311 	}
6312 
6313 	if (info->attrs[NL80211_ATTR_UNSOL_BCAST_PROBE_RESP]) {
6314 		err = nl80211_parse_unsol_bcast_probe_resp(
6315 			rdev, info->attrs[NL80211_ATTR_UNSOL_BCAST_PROBE_RESP],
6316 			&params->unsol_bcast_probe_resp);
6317 		if (err)
6318 			goto out;
6319 	}
6320 
6321 	if (info->attrs[NL80211_ATTR_MBSSID_CONFIG]) {
6322 		err = nl80211_parse_mbssid_config(&rdev->wiphy, dev,
6323 						  info->attrs[NL80211_ATTR_MBSSID_CONFIG],
6324 						  &params->mbssid_config,
6325 						  params->beacon.mbssid_ies ?
6326 							params->beacon.mbssid_ies->cnt :
6327 							0);
6328 		if (err)
6329 			goto out;
6330 	}
6331 
6332 	if (!params->mbssid_config.ema && params->beacon.rnr_ies) {
6333 		err = -EINVAL;
6334 		goto out;
6335 	}
6336 
6337 	err = nl80211_calculate_ap_params(params);
6338 	if (err)
6339 		goto out;
6340 
6341 	err = nl80211_validate_ap_phy_operation(params);
6342 	if (err)
6343 		goto out;
6344 
6345 	if (info->attrs[NL80211_ATTR_AP_SETTINGS_FLAGS])
6346 		params->flags = nla_get_u32(
6347 			info->attrs[NL80211_ATTR_AP_SETTINGS_FLAGS]);
6348 	else if (info->attrs[NL80211_ATTR_EXTERNAL_AUTH_SUPPORT])
6349 		params->flags |= NL80211_AP_SETTINGS_EXTERNAL_AUTH_SUPPORT;
6350 
6351 	if (wdev->conn_owner_nlportid &&
6352 	    info->attrs[NL80211_ATTR_SOCKET_OWNER] &&
6353 	    wdev->conn_owner_nlportid != info->snd_portid) {
6354 		err = -EINVAL;
6355 		goto out;
6356 	}
6357 
6358 	/* FIXME: validate MLO/link-id against driver capabilities */
6359 
6360 	err = rdev_start_ap(rdev, dev, params);
6361 	if (!err) {
6362 		wdev->links[link_id].ap.beacon_interval = params->beacon_interval;
6363 		wdev->links[link_id].ap.chandef = params->chandef;
6364 		wdev->u.ap.ssid_len = params->ssid_len;
6365 		memcpy(wdev->u.ap.ssid, params->ssid,
6366 		       params->ssid_len);
6367 
6368 		if (info->attrs[NL80211_ATTR_SOCKET_OWNER])
6369 			wdev->conn_owner_nlportid = info->snd_portid;
6370 
6371 		nl80211_send_ap_started(wdev, link_id);
6372 	}
6373 out:
6374 	kfree(params->acl);
6375 	kfree(params->beacon.mbssid_ies);
6376 	if (params->mbssid_config.tx_wdev &&
6377 	    params->mbssid_config.tx_wdev->netdev &&
6378 	    params->mbssid_config.tx_wdev->netdev != dev)
6379 		dev_put(params->mbssid_config.tx_wdev->netdev);
6380 	kfree(params->beacon.rnr_ies);
6381 	kfree(params);
6382 
6383 	return err;
6384 }
6385 
6386 static int nl80211_set_beacon(struct sk_buff *skb, struct genl_info *info)
6387 {
6388 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6389 	struct cfg80211_beaconing_check_config beacon_check = {};
6390 	unsigned int link_id = nl80211_link_id(info->attrs);
6391 	struct net_device *dev = info->user_ptr[1];
6392 	struct wireless_dev *wdev = dev->ieee80211_ptr;
6393 	struct cfg80211_ap_update *params;
6394 	struct nlattr *attr;
6395 	int err;
6396 
6397 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
6398 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
6399 		return -EOPNOTSUPP;
6400 
6401 	if (!rdev->ops->change_beacon)
6402 		return -EOPNOTSUPP;
6403 
6404 	if (!wdev->links[link_id].ap.beacon_interval)
6405 		return -EINVAL;
6406 
6407 	params = kzalloc(sizeof(*params), GFP_KERNEL);
6408 	if (!params)
6409 		return -ENOMEM;
6410 
6411 	err = nl80211_parse_beacon(rdev, info->attrs, &params->beacon,
6412 				   info->extack);
6413 	if (err)
6414 		goto out;
6415 
6416 	/* recheck beaconing is permitted with possibly changed power type */
6417 	beacon_check.iftype = wdev->iftype;
6418 	beacon_check.relax = true;
6419 	beacon_check.reg_power =
6420 		cfg80211_get_6ghz_power_type(params->beacon.tail,
6421 					     params->beacon.tail_len);
6422 	if (!cfg80211_reg_check_beaconing(&rdev->wiphy,
6423 					  &wdev->links[link_id].ap.chandef,
6424 					  &beacon_check)) {
6425 		err = -EINVAL;
6426 		goto out;
6427 	}
6428 
6429 	attr = info->attrs[NL80211_ATTR_FILS_DISCOVERY];
6430 	if (attr) {
6431 		err = nl80211_parse_fils_discovery(rdev, attr,
6432 						   &params->fils_discovery);
6433 		if (err)
6434 			goto out;
6435 	}
6436 
6437 	attr = info->attrs[NL80211_ATTR_UNSOL_BCAST_PROBE_RESP];
6438 	if (attr) {
6439 		err = nl80211_parse_unsol_bcast_probe_resp(rdev, attr,
6440 							   &params->unsol_bcast_probe_resp);
6441 		if (err)
6442 			goto out;
6443 	}
6444 
6445 	err = rdev_change_beacon(rdev, dev, params);
6446 
6447 out:
6448 	kfree(params->beacon.mbssid_ies);
6449 	kfree(params->beacon.rnr_ies);
6450 	kfree(params);
6451 	return err;
6452 }
6453 
6454 static int nl80211_stop_ap(struct sk_buff *skb, struct genl_info *info)
6455 {
6456 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6457 	unsigned int link_id = nl80211_link_id(info->attrs);
6458 	struct net_device *dev = info->user_ptr[1];
6459 
6460 	return cfg80211_stop_ap(rdev, dev, link_id, false);
6461 }
6462 
6463 static const struct nla_policy sta_flags_policy[NL80211_STA_FLAG_MAX + 1] = {
6464 	[NL80211_STA_FLAG_AUTHORIZED] = { .type = NLA_FLAG },
6465 	[NL80211_STA_FLAG_SHORT_PREAMBLE] = { .type = NLA_FLAG },
6466 	[NL80211_STA_FLAG_WME] = { .type = NLA_FLAG },
6467 	[NL80211_STA_FLAG_MFP] = { .type = NLA_FLAG },
6468 	[NL80211_STA_FLAG_AUTHENTICATED] = { .type = NLA_FLAG },
6469 	[NL80211_STA_FLAG_TDLS_PEER] = { .type = NLA_FLAG },
6470 };
6471 
6472 static int parse_station_flags(struct genl_info *info,
6473 			       enum nl80211_iftype iftype,
6474 			       struct station_parameters *params)
6475 {
6476 	struct nlattr *flags[NL80211_STA_FLAG_MAX + 1];
6477 	struct nlattr *nla;
6478 	int flag;
6479 
6480 	/*
6481 	 * Try parsing the new attribute first so userspace
6482 	 * can specify both for older kernels.
6483 	 */
6484 	nla = info->attrs[NL80211_ATTR_STA_FLAGS2];
6485 	if (nla) {
6486 		struct nl80211_sta_flag_update *sta_flags;
6487 
6488 		sta_flags = nla_data(nla);
6489 		params->sta_flags_mask = sta_flags->mask;
6490 		params->sta_flags_set = sta_flags->set;
6491 		params->sta_flags_set &= params->sta_flags_mask;
6492 		if ((params->sta_flags_mask |
6493 		     params->sta_flags_set) & BIT(__NL80211_STA_FLAG_INVALID))
6494 			return -EINVAL;
6495 		return 0;
6496 	}
6497 
6498 	/* if present, parse the old attribute */
6499 
6500 	nla = info->attrs[NL80211_ATTR_STA_FLAGS];
6501 	if (!nla)
6502 		return 0;
6503 
6504 	if (nla_parse_nested_deprecated(flags, NL80211_STA_FLAG_MAX, nla, sta_flags_policy, info->extack))
6505 		return -EINVAL;
6506 
6507 	/*
6508 	 * Only allow certain flags for interface types so that
6509 	 * other attributes are silently ignored. Remember that
6510 	 * this is backward compatibility code with old userspace
6511 	 * and shouldn't be hit in other cases anyway.
6512 	 */
6513 	switch (iftype) {
6514 	case NL80211_IFTYPE_AP:
6515 	case NL80211_IFTYPE_AP_VLAN:
6516 	case NL80211_IFTYPE_P2P_GO:
6517 		params->sta_flags_mask = BIT(NL80211_STA_FLAG_AUTHORIZED) |
6518 					 BIT(NL80211_STA_FLAG_SHORT_PREAMBLE) |
6519 					 BIT(NL80211_STA_FLAG_WME) |
6520 					 BIT(NL80211_STA_FLAG_MFP);
6521 		break;
6522 	case NL80211_IFTYPE_P2P_CLIENT:
6523 	case NL80211_IFTYPE_STATION:
6524 		params->sta_flags_mask = BIT(NL80211_STA_FLAG_AUTHORIZED) |
6525 					 BIT(NL80211_STA_FLAG_TDLS_PEER);
6526 		break;
6527 	case NL80211_IFTYPE_MESH_POINT:
6528 		params->sta_flags_mask = BIT(NL80211_STA_FLAG_AUTHENTICATED) |
6529 					 BIT(NL80211_STA_FLAG_MFP) |
6530 					 BIT(NL80211_STA_FLAG_AUTHORIZED);
6531 		break;
6532 	default:
6533 		return -EINVAL;
6534 	}
6535 
6536 	for (flag = 1; flag <= NL80211_STA_FLAG_MAX; flag++) {
6537 		if (flags[flag]) {
6538 			params->sta_flags_set |= (1<<flag);
6539 
6540 			/* no longer support new API additions in old API */
6541 			if (flag > NL80211_STA_FLAG_MAX_OLD_API)
6542 				return -EINVAL;
6543 		}
6544 	}
6545 
6546 	return 0;
6547 }
6548 
6549 bool nl80211_put_sta_rate(struct sk_buff *msg, struct rate_info *info, int attr)
6550 {
6551 	struct nlattr *rate;
6552 	u32 bitrate;
6553 	u16 bitrate_compat;
6554 	enum nl80211_rate_info rate_flg;
6555 
6556 	rate = nla_nest_start_noflag(msg, attr);
6557 	if (!rate)
6558 		return false;
6559 
6560 	/* cfg80211_calculate_bitrate will return 0 for mcs >= 32 */
6561 	bitrate = cfg80211_calculate_bitrate(info);
6562 	/* report 16-bit bitrate only if we can */
6563 	bitrate_compat = bitrate < (1UL << 16) ? bitrate : 0;
6564 	if (bitrate > 0 &&
6565 	    nla_put_u32(msg, NL80211_RATE_INFO_BITRATE32, bitrate))
6566 		return false;
6567 	if (bitrate_compat > 0 &&
6568 	    nla_put_u16(msg, NL80211_RATE_INFO_BITRATE, bitrate_compat))
6569 		return false;
6570 
6571 	switch (info->bw) {
6572 	case RATE_INFO_BW_1:
6573 		rate_flg = NL80211_RATE_INFO_1_MHZ_WIDTH;
6574 		break;
6575 	case RATE_INFO_BW_2:
6576 		rate_flg = NL80211_RATE_INFO_2_MHZ_WIDTH;
6577 		break;
6578 	case RATE_INFO_BW_4:
6579 		rate_flg = NL80211_RATE_INFO_4_MHZ_WIDTH;
6580 		break;
6581 	case RATE_INFO_BW_5:
6582 		rate_flg = NL80211_RATE_INFO_5_MHZ_WIDTH;
6583 		break;
6584 	case RATE_INFO_BW_8:
6585 		rate_flg = NL80211_RATE_INFO_8_MHZ_WIDTH;
6586 		break;
6587 	case RATE_INFO_BW_10:
6588 		rate_flg = NL80211_RATE_INFO_10_MHZ_WIDTH;
6589 		break;
6590 	case RATE_INFO_BW_16:
6591 		rate_flg = NL80211_RATE_INFO_16_MHZ_WIDTH;
6592 		break;
6593 	default:
6594 		WARN_ON(1);
6595 		fallthrough;
6596 	case RATE_INFO_BW_20:
6597 		rate_flg = 0;
6598 		break;
6599 	case RATE_INFO_BW_40:
6600 		rate_flg = NL80211_RATE_INFO_40_MHZ_WIDTH;
6601 		break;
6602 	case RATE_INFO_BW_80:
6603 		rate_flg = NL80211_RATE_INFO_80_MHZ_WIDTH;
6604 		break;
6605 	case RATE_INFO_BW_160:
6606 		rate_flg = NL80211_RATE_INFO_160_MHZ_WIDTH;
6607 		break;
6608 	case RATE_INFO_BW_HE_RU:
6609 		rate_flg = 0;
6610 		WARN_ON(!(info->flags & RATE_INFO_FLAGS_HE_MCS));
6611 		break;
6612 	case RATE_INFO_BW_320:
6613 		rate_flg = NL80211_RATE_INFO_320_MHZ_WIDTH;
6614 		break;
6615 	case RATE_INFO_BW_EHT_RU:
6616 		rate_flg = 0;
6617 		WARN_ON(!(info->flags & RATE_INFO_FLAGS_EHT_MCS));
6618 		break;
6619 	}
6620 
6621 	if (rate_flg && nla_put_flag(msg, rate_flg))
6622 		return false;
6623 
6624 	if (info->flags & RATE_INFO_FLAGS_MCS) {
6625 		if (nla_put_u8(msg, NL80211_RATE_INFO_MCS, info->mcs))
6626 			return false;
6627 		if (info->flags & RATE_INFO_FLAGS_SHORT_GI &&
6628 		    nla_put_flag(msg, NL80211_RATE_INFO_SHORT_GI))
6629 			return false;
6630 	} else if (info->flags & RATE_INFO_FLAGS_VHT_MCS) {
6631 		if (nla_put_u8(msg, NL80211_RATE_INFO_VHT_MCS, info->mcs))
6632 			return false;
6633 		if (nla_put_u8(msg, NL80211_RATE_INFO_VHT_NSS, info->nss))
6634 			return false;
6635 		if (info->flags & RATE_INFO_FLAGS_SHORT_GI &&
6636 		    nla_put_flag(msg, NL80211_RATE_INFO_SHORT_GI))
6637 			return false;
6638 	} else if (info->flags & RATE_INFO_FLAGS_HE_MCS) {
6639 		if (nla_put_u8(msg, NL80211_RATE_INFO_HE_MCS, info->mcs))
6640 			return false;
6641 		if (nla_put_u8(msg, NL80211_RATE_INFO_HE_NSS, info->nss))
6642 			return false;
6643 		if (nla_put_u8(msg, NL80211_RATE_INFO_HE_GI, info->he_gi))
6644 			return false;
6645 		if (nla_put_u8(msg, NL80211_RATE_INFO_HE_DCM, info->he_dcm))
6646 			return false;
6647 		if (info->bw == RATE_INFO_BW_HE_RU &&
6648 		    nla_put_u8(msg, NL80211_RATE_INFO_HE_RU_ALLOC,
6649 			       info->he_ru_alloc))
6650 			return false;
6651 	} else if (info->flags & RATE_INFO_FLAGS_S1G_MCS) {
6652 		if (nla_put_u8(msg, NL80211_RATE_INFO_S1G_MCS, info->mcs))
6653 			return false;
6654 		if (nla_put_u8(msg, NL80211_RATE_INFO_S1G_NSS, info->nss))
6655 			return false;
6656 		if (info->flags & RATE_INFO_FLAGS_SHORT_GI &&
6657 		    nla_put_flag(msg, NL80211_RATE_INFO_SHORT_GI))
6658 			return false;
6659 	} else if (info->flags & RATE_INFO_FLAGS_EHT_MCS) {
6660 		if (nla_put_u8(msg, NL80211_RATE_INFO_EHT_MCS, info->mcs))
6661 			return false;
6662 		if (nla_put_u8(msg, NL80211_RATE_INFO_EHT_NSS, info->nss))
6663 			return false;
6664 		if (nla_put_u8(msg, NL80211_RATE_INFO_EHT_GI, info->eht_gi))
6665 			return false;
6666 		if (info->bw == RATE_INFO_BW_EHT_RU &&
6667 		    nla_put_u8(msg, NL80211_RATE_INFO_EHT_RU_ALLOC,
6668 			       info->eht_ru_alloc))
6669 			return false;
6670 	}
6671 
6672 	nla_nest_end(msg, rate);
6673 	return true;
6674 }
6675 
6676 static bool nl80211_put_signal(struct sk_buff *msg, u8 mask, s8 *signal,
6677 			       int id)
6678 {
6679 	void *attr;
6680 	int i = 0;
6681 
6682 	if (!mask)
6683 		return true;
6684 
6685 	attr = nla_nest_start_noflag(msg, id);
6686 	if (!attr)
6687 		return false;
6688 
6689 	for (i = 0; i < IEEE80211_MAX_CHAINS; i++) {
6690 		if (!(mask & BIT(i)))
6691 			continue;
6692 
6693 		if (nla_put_u8(msg, i, signal[i]))
6694 			return false;
6695 	}
6696 
6697 	nla_nest_end(msg, attr);
6698 
6699 	return true;
6700 }
6701 
6702 static int nl80211_send_station(struct sk_buff *msg, u32 cmd, u32 portid,
6703 				u32 seq, int flags,
6704 				struct cfg80211_registered_device *rdev,
6705 				struct net_device *dev,
6706 				const u8 *mac_addr, struct station_info *sinfo)
6707 {
6708 	void *hdr;
6709 	struct nlattr *sinfoattr, *bss_param;
6710 
6711 	hdr = nl80211hdr_put(msg, portid, seq, flags, cmd);
6712 	if (!hdr) {
6713 		cfg80211_sinfo_release_content(sinfo);
6714 		return -1;
6715 	}
6716 
6717 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
6718 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac_addr) ||
6719 	    nla_put_u32(msg, NL80211_ATTR_GENERATION, sinfo->generation))
6720 		goto nla_put_failure;
6721 
6722 	sinfoattr = nla_nest_start_noflag(msg, NL80211_ATTR_STA_INFO);
6723 	if (!sinfoattr)
6724 		goto nla_put_failure;
6725 
6726 #define PUT_SINFO(attr, memb, type) do {				\
6727 	BUILD_BUG_ON(sizeof(type) == sizeof(u64));			\
6728 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_ ## attr) &&	\
6729 	    nla_put_ ## type(msg, NL80211_STA_INFO_ ## attr,		\
6730 			     sinfo->memb))				\
6731 		goto nla_put_failure;					\
6732 	} while (0)
6733 #define PUT_SINFO_U64(attr, memb) do {					\
6734 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_ ## attr) &&	\
6735 	    nla_put_u64_64bit(msg, NL80211_STA_INFO_ ## attr,		\
6736 			      sinfo->memb, NL80211_STA_INFO_PAD))	\
6737 		goto nla_put_failure;					\
6738 	} while (0)
6739 
6740 	PUT_SINFO(CONNECTED_TIME, connected_time, u32);
6741 	PUT_SINFO(INACTIVE_TIME, inactive_time, u32);
6742 	PUT_SINFO_U64(ASSOC_AT_BOOTTIME, assoc_at);
6743 
6744 	if (sinfo->filled & (BIT_ULL(NL80211_STA_INFO_RX_BYTES) |
6745 			     BIT_ULL(NL80211_STA_INFO_RX_BYTES64)) &&
6746 	    nla_put_u32(msg, NL80211_STA_INFO_RX_BYTES,
6747 			(u32)sinfo->rx_bytes))
6748 		goto nla_put_failure;
6749 
6750 	if (sinfo->filled & (BIT_ULL(NL80211_STA_INFO_TX_BYTES) |
6751 			     BIT_ULL(NL80211_STA_INFO_TX_BYTES64)) &&
6752 	    nla_put_u32(msg, NL80211_STA_INFO_TX_BYTES,
6753 			(u32)sinfo->tx_bytes))
6754 		goto nla_put_failure;
6755 
6756 	PUT_SINFO_U64(RX_BYTES64, rx_bytes);
6757 	PUT_SINFO_U64(TX_BYTES64, tx_bytes);
6758 	PUT_SINFO_U64(RX_DURATION, rx_duration);
6759 	PUT_SINFO_U64(TX_DURATION, tx_duration);
6760 
6761 	if (wiphy_ext_feature_isset(&rdev->wiphy,
6762 				    NL80211_EXT_FEATURE_AIRTIME_FAIRNESS))
6763 		PUT_SINFO(AIRTIME_WEIGHT, airtime_weight, u16);
6764 
6765 	switch (rdev->wiphy.signal_type) {
6766 	case CFG80211_SIGNAL_TYPE_MBM:
6767 		PUT_SINFO(SIGNAL, signal, u8);
6768 		PUT_SINFO(SIGNAL_AVG, signal_avg, u8);
6769 		break;
6770 	default:
6771 		break;
6772 	}
6773 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_CHAIN_SIGNAL)) {
6774 		if (!nl80211_put_signal(msg, sinfo->chains,
6775 					sinfo->chain_signal,
6776 					NL80211_STA_INFO_CHAIN_SIGNAL))
6777 			goto nla_put_failure;
6778 	}
6779 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_CHAIN_SIGNAL_AVG)) {
6780 		if (!nl80211_put_signal(msg, sinfo->chains,
6781 					sinfo->chain_signal_avg,
6782 					NL80211_STA_INFO_CHAIN_SIGNAL_AVG))
6783 			goto nla_put_failure;
6784 	}
6785 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_TX_BITRATE)) {
6786 		if (!nl80211_put_sta_rate(msg, &sinfo->txrate,
6787 					  NL80211_STA_INFO_TX_BITRATE))
6788 			goto nla_put_failure;
6789 	}
6790 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_RX_BITRATE)) {
6791 		if (!nl80211_put_sta_rate(msg, &sinfo->rxrate,
6792 					  NL80211_STA_INFO_RX_BITRATE))
6793 			goto nla_put_failure;
6794 	}
6795 
6796 	PUT_SINFO(RX_PACKETS, rx_packets, u32);
6797 	PUT_SINFO(TX_PACKETS, tx_packets, u32);
6798 	PUT_SINFO(TX_RETRIES, tx_retries, u32);
6799 	PUT_SINFO(TX_FAILED, tx_failed, u32);
6800 	PUT_SINFO(EXPECTED_THROUGHPUT, expected_throughput, u32);
6801 	PUT_SINFO(BEACON_LOSS, beacon_loss_count, u32);
6802 
6803 	PUT_SINFO(LLID, llid, u16);
6804 	PUT_SINFO(PLID, plid, u16);
6805 	PUT_SINFO(PLINK_STATE, plink_state, u8);
6806 	PUT_SINFO(AIRTIME_LINK_METRIC, airtime_link_metric, u32);
6807 	PUT_SINFO(LOCAL_PM, local_pm, u32);
6808 	PUT_SINFO(PEER_PM, peer_pm, u32);
6809 	PUT_SINFO(NONPEER_PM, nonpeer_pm, u32);
6810 	PUT_SINFO(CONNECTED_TO_GATE, connected_to_gate, u8);
6811 	PUT_SINFO(CONNECTED_TO_AS, connected_to_as, u8);
6812 	PUT_SINFO_U64(T_OFFSET, t_offset);
6813 
6814 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_BSS_PARAM)) {
6815 		bss_param = nla_nest_start_noflag(msg,
6816 						  NL80211_STA_INFO_BSS_PARAM);
6817 		if (!bss_param)
6818 			goto nla_put_failure;
6819 
6820 		if (((sinfo->bss_param.flags & BSS_PARAM_FLAGS_CTS_PROT) &&
6821 		     nla_put_flag(msg, NL80211_STA_BSS_PARAM_CTS_PROT)) ||
6822 		    ((sinfo->bss_param.flags & BSS_PARAM_FLAGS_SHORT_PREAMBLE) &&
6823 		     nla_put_flag(msg, NL80211_STA_BSS_PARAM_SHORT_PREAMBLE)) ||
6824 		    ((sinfo->bss_param.flags & BSS_PARAM_FLAGS_SHORT_SLOT_TIME) &&
6825 		     nla_put_flag(msg, NL80211_STA_BSS_PARAM_SHORT_SLOT_TIME)) ||
6826 		    nla_put_u8(msg, NL80211_STA_BSS_PARAM_DTIM_PERIOD,
6827 			       sinfo->bss_param.dtim_period) ||
6828 		    nla_put_u16(msg, NL80211_STA_BSS_PARAM_BEACON_INTERVAL,
6829 				sinfo->bss_param.beacon_interval))
6830 			goto nla_put_failure;
6831 
6832 		nla_nest_end(msg, bss_param);
6833 	}
6834 	if ((sinfo->filled & BIT_ULL(NL80211_STA_INFO_STA_FLAGS)) &&
6835 	    nla_put(msg, NL80211_STA_INFO_STA_FLAGS,
6836 		    sizeof(struct nl80211_sta_flag_update),
6837 		    &sinfo->sta_flags))
6838 		goto nla_put_failure;
6839 
6840 	PUT_SINFO_U64(RX_DROP_MISC, rx_dropped_misc);
6841 	PUT_SINFO_U64(BEACON_RX, rx_beacon);
6842 	PUT_SINFO(BEACON_SIGNAL_AVG, rx_beacon_signal_avg, u8);
6843 	PUT_SINFO(RX_MPDUS, rx_mpdu_count, u32);
6844 	PUT_SINFO(FCS_ERROR_COUNT, fcs_err_count, u32);
6845 	if (wiphy_ext_feature_isset(&rdev->wiphy,
6846 				    NL80211_EXT_FEATURE_ACK_SIGNAL_SUPPORT)) {
6847 		PUT_SINFO(ACK_SIGNAL, ack_signal, u8);
6848 		PUT_SINFO(ACK_SIGNAL_AVG, avg_ack_signal, s8);
6849 	}
6850 
6851 #undef PUT_SINFO
6852 #undef PUT_SINFO_U64
6853 
6854 	if (sinfo->pertid) {
6855 		struct nlattr *tidsattr;
6856 		int tid;
6857 
6858 		tidsattr = nla_nest_start_noflag(msg,
6859 						 NL80211_STA_INFO_TID_STATS);
6860 		if (!tidsattr)
6861 			goto nla_put_failure;
6862 
6863 		for (tid = 0; tid < IEEE80211_NUM_TIDS + 1; tid++) {
6864 			struct cfg80211_tid_stats *tidstats;
6865 			struct nlattr *tidattr;
6866 
6867 			tidstats = &sinfo->pertid[tid];
6868 
6869 			if (!tidstats->filled)
6870 				continue;
6871 
6872 			tidattr = nla_nest_start_noflag(msg, tid + 1);
6873 			if (!tidattr)
6874 				goto nla_put_failure;
6875 
6876 #define PUT_TIDVAL_U64(attr, memb) do {					\
6877 	if (tidstats->filled & BIT(NL80211_TID_STATS_ ## attr) &&	\
6878 	    nla_put_u64_64bit(msg, NL80211_TID_STATS_ ## attr,		\
6879 			      tidstats->memb, NL80211_TID_STATS_PAD))	\
6880 		goto nla_put_failure;					\
6881 	} while (0)
6882 
6883 			PUT_TIDVAL_U64(RX_MSDU, rx_msdu);
6884 			PUT_TIDVAL_U64(TX_MSDU, tx_msdu);
6885 			PUT_TIDVAL_U64(TX_MSDU_RETRIES, tx_msdu_retries);
6886 			PUT_TIDVAL_U64(TX_MSDU_FAILED, tx_msdu_failed);
6887 
6888 #undef PUT_TIDVAL_U64
6889 			if ((tidstats->filled &
6890 			     BIT(NL80211_TID_STATS_TXQ_STATS)) &&
6891 			    !nl80211_put_txq_stats(msg, &tidstats->txq_stats,
6892 						   NL80211_TID_STATS_TXQ_STATS))
6893 				goto nla_put_failure;
6894 
6895 			nla_nest_end(msg, tidattr);
6896 		}
6897 
6898 		nla_nest_end(msg, tidsattr);
6899 	}
6900 
6901 	nla_nest_end(msg, sinfoattr);
6902 
6903 	if (sinfo->assoc_req_ies_len &&
6904 	    nla_put(msg, NL80211_ATTR_IE, sinfo->assoc_req_ies_len,
6905 		    sinfo->assoc_req_ies))
6906 		goto nla_put_failure;
6907 
6908 	if (sinfo->assoc_resp_ies_len &&
6909 	    nla_put(msg, NL80211_ATTR_RESP_IE, sinfo->assoc_resp_ies_len,
6910 		    sinfo->assoc_resp_ies))
6911 		goto nla_put_failure;
6912 
6913 	if (sinfo->mlo_params_valid) {
6914 		if (nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID,
6915 			       sinfo->assoc_link_id))
6916 			goto nla_put_failure;
6917 
6918 		if (!is_zero_ether_addr(sinfo->mld_addr) &&
6919 		    nla_put(msg, NL80211_ATTR_MLD_ADDR, ETH_ALEN,
6920 			    sinfo->mld_addr))
6921 			goto nla_put_failure;
6922 	}
6923 
6924 	cfg80211_sinfo_release_content(sinfo);
6925 	genlmsg_end(msg, hdr);
6926 	return 0;
6927 
6928  nla_put_failure:
6929 	cfg80211_sinfo_release_content(sinfo);
6930 	genlmsg_cancel(msg, hdr);
6931 	return -EMSGSIZE;
6932 }
6933 
6934 static int nl80211_dump_station(struct sk_buff *skb,
6935 				struct netlink_callback *cb)
6936 {
6937 	struct station_info sinfo;
6938 	struct cfg80211_registered_device *rdev;
6939 	struct wireless_dev *wdev;
6940 	u8 mac_addr[ETH_ALEN];
6941 	int sta_idx = cb->args[2];
6942 	int err;
6943 
6944 	err = nl80211_prepare_wdev_dump(cb, &rdev, &wdev, NULL);
6945 	if (err)
6946 		return err;
6947 	/* nl80211_prepare_wdev_dump acquired it in the successful case */
6948 	__acquire(&rdev->wiphy.mtx);
6949 
6950 	if (!wdev->netdev) {
6951 		err = -EINVAL;
6952 		goto out_err;
6953 	}
6954 
6955 	if (!rdev->ops->dump_station) {
6956 		err = -EOPNOTSUPP;
6957 		goto out_err;
6958 	}
6959 
6960 	while (1) {
6961 		memset(&sinfo, 0, sizeof(sinfo));
6962 		err = rdev_dump_station(rdev, wdev->netdev, sta_idx,
6963 					mac_addr, &sinfo);
6964 		if (err == -ENOENT)
6965 			break;
6966 		if (err)
6967 			goto out_err;
6968 
6969 		if (nl80211_send_station(skb, NL80211_CMD_NEW_STATION,
6970 				NETLINK_CB(cb->skb).portid,
6971 				cb->nlh->nlmsg_seq, NLM_F_MULTI,
6972 				rdev, wdev->netdev, mac_addr,
6973 				&sinfo) < 0)
6974 			goto out;
6975 
6976 		sta_idx++;
6977 	}
6978 
6979  out:
6980 	cb->args[2] = sta_idx;
6981 	err = skb->len;
6982  out_err:
6983 	wiphy_unlock(&rdev->wiphy);
6984 
6985 	return err;
6986 }
6987 
6988 static int nl80211_get_station(struct sk_buff *skb, struct genl_info *info)
6989 {
6990 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6991 	struct net_device *dev = info->user_ptr[1];
6992 	struct station_info sinfo;
6993 	struct sk_buff *msg;
6994 	u8 *mac_addr = NULL;
6995 	int err;
6996 
6997 	memset(&sinfo, 0, sizeof(sinfo));
6998 
6999 	if (!info->attrs[NL80211_ATTR_MAC])
7000 		return -EINVAL;
7001 
7002 	mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
7003 
7004 	if (!rdev->ops->get_station)
7005 		return -EOPNOTSUPP;
7006 
7007 	err = rdev_get_station(rdev, dev, mac_addr, &sinfo);
7008 	if (err)
7009 		return err;
7010 
7011 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
7012 	if (!msg) {
7013 		cfg80211_sinfo_release_content(&sinfo);
7014 		return -ENOMEM;
7015 	}
7016 
7017 	if (nl80211_send_station(msg, NL80211_CMD_NEW_STATION,
7018 				 info->snd_portid, info->snd_seq, 0,
7019 				 rdev, dev, mac_addr, &sinfo) < 0) {
7020 		nlmsg_free(msg);
7021 		return -ENOBUFS;
7022 	}
7023 
7024 	return genlmsg_reply(msg, info);
7025 }
7026 
7027 int cfg80211_check_station_change(struct wiphy *wiphy,
7028 				  struct station_parameters *params,
7029 				  enum cfg80211_station_type statype)
7030 {
7031 	if (params->listen_interval != -1 &&
7032 	    statype != CFG80211_STA_AP_CLIENT_UNASSOC)
7033 		return -EINVAL;
7034 
7035 	if (params->support_p2p_ps != -1 &&
7036 	    statype != CFG80211_STA_AP_CLIENT_UNASSOC)
7037 		return -EINVAL;
7038 
7039 	if (params->aid &&
7040 	    !(params->sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)) &&
7041 	    statype != CFG80211_STA_AP_CLIENT_UNASSOC)
7042 		return -EINVAL;
7043 
7044 	/* When you run into this, adjust the code below for the new flag */
7045 	BUILD_BUG_ON(NL80211_STA_FLAG_MAX != 8);
7046 
7047 	switch (statype) {
7048 	case CFG80211_STA_MESH_PEER_KERNEL:
7049 	case CFG80211_STA_MESH_PEER_USER:
7050 		/*
7051 		 * No ignoring the TDLS flag here -- the userspace mesh
7052 		 * code doesn't have the bug of including TDLS in the
7053 		 * mask everywhere.
7054 		 */
7055 		if (params->sta_flags_mask &
7056 				~(BIT(NL80211_STA_FLAG_AUTHENTICATED) |
7057 				  BIT(NL80211_STA_FLAG_MFP) |
7058 				  BIT(NL80211_STA_FLAG_AUTHORIZED)))
7059 			return -EINVAL;
7060 		break;
7061 	case CFG80211_STA_TDLS_PEER_SETUP:
7062 	case CFG80211_STA_TDLS_PEER_ACTIVE:
7063 		if (!(params->sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)))
7064 			return -EINVAL;
7065 		/* ignore since it can't change */
7066 		params->sta_flags_mask &= ~BIT(NL80211_STA_FLAG_TDLS_PEER);
7067 		break;
7068 	default:
7069 		/* disallow mesh-specific things */
7070 		if (params->plink_action != NL80211_PLINK_ACTION_NO_ACTION)
7071 			return -EINVAL;
7072 		if (params->local_pm)
7073 			return -EINVAL;
7074 		if (params->sta_modify_mask & STATION_PARAM_APPLY_PLINK_STATE)
7075 			return -EINVAL;
7076 	}
7077 
7078 	if (statype != CFG80211_STA_TDLS_PEER_SETUP &&
7079 	    statype != CFG80211_STA_TDLS_PEER_ACTIVE) {
7080 		/* TDLS can't be set, ... */
7081 		if (params->sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER))
7082 			return -EINVAL;
7083 		/*
7084 		 * ... but don't bother the driver with it. This works around
7085 		 * a hostapd/wpa_supplicant issue -- it always includes the
7086 		 * TLDS_PEER flag in the mask even for AP mode.
7087 		 */
7088 		params->sta_flags_mask &= ~BIT(NL80211_STA_FLAG_TDLS_PEER);
7089 	}
7090 
7091 	if (statype != CFG80211_STA_TDLS_PEER_SETUP &&
7092 	    statype != CFG80211_STA_AP_CLIENT_UNASSOC) {
7093 		/* reject other things that can't change */
7094 		if (params->sta_modify_mask & STATION_PARAM_APPLY_UAPSD)
7095 			return -EINVAL;
7096 		if (params->sta_modify_mask & STATION_PARAM_APPLY_CAPABILITY)
7097 			return -EINVAL;
7098 		if (params->link_sta_params.supported_rates)
7099 			return -EINVAL;
7100 		if (params->ext_capab || params->link_sta_params.ht_capa ||
7101 		    params->link_sta_params.vht_capa ||
7102 		    params->link_sta_params.he_capa ||
7103 		    params->link_sta_params.eht_capa)
7104 			return -EINVAL;
7105 		if (params->sta_flags_mask & BIT(NL80211_STA_FLAG_SPP_AMSDU))
7106 			return -EINVAL;
7107 	}
7108 
7109 	if (statype != CFG80211_STA_AP_CLIENT &&
7110 	    statype != CFG80211_STA_AP_CLIENT_UNASSOC) {
7111 		if (params->vlan)
7112 			return -EINVAL;
7113 	}
7114 
7115 	switch (statype) {
7116 	case CFG80211_STA_AP_MLME_CLIENT:
7117 		/* Use this only for authorizing/unauthorizing a station */
7118 		if (!(params->sta_flags_mask & BIT(NL80211_STA_FLAG_AUTHORIZED)))
7119 			return -EOPNOTSUPP;
7120 		break;
7121 	case CFG80211_STA_AP_CLIENT:
7122 	case CFG80211_STA_AP_CLIENT_UNASSOC:
7123 		/* accept only the listed bits */
7124 		if (params->sta_flags_mask &
7125 				~(BIT(NL80211_STA_FLAG_AUTHORIZED) |
7126 				  BIT(NL80211_STA_FLAG_AUTHENTICATED) |
7127 				  BIT(NL80211_STA_FLAG_ASSOCIATED) |
7128 				  BIT(NL80211_STA_FLAG_SHORT_PREAMBLE) |
7129 				  BIT(NL80211_STA_FLAG_WME) |
7130 				  BIT(NL80211_STA_FLAG_MFP) |
7131 				  BIT(NL80211_STA_FLAG_SPP_AMSDU)))
7132 			return -EINVAL;
7133 
7134 		/* but authenticated/associated only if driver handles it */
7135 		if (!(wiphy->features & NL80211_FEATURE_FULL_AP_CLIENT_STATE) &&
7136 		    params->sta_flags_mask &
7137 				(BIT(NL80211_STA_FLAG_AUTHENTICATED) |
7138 				 BIT(NL80211_STA_FLAG_ASSOCIATED)))
7139 			return -EINVAL;
7140 		break;
7141 	case CFG80211_STA_IBSS:
7142 	case CFG80211_STA_AP_STA:
7143 		/* reject any changes other than AUTHORIZED */
7144 		if (params->sta_flags_mask & ~BIT(NL80211_STA_FLAG_AUTHORIZED))
7145 			return -EINVAL;
7146 		break;
7147 	case CFG80211_STA_TDLS_PEER_SETUP:
7148 		/* reject any changes other than AUTHORIZED or WME */
7149 		if (params->sta_flags_mask & ~(BIT(NL80211_STA_FLAG_AUTHORIZED) |
7150 					       BIT(NL80211_STA_FLAG_WME)))
7151 			return -EINVAL;
7152 		/* force (at least) rates when authorizing */
7153 		if (params->sta_flags_set & BIT(NL80211_STA_FLAG_AUTHORIZED) &&
7154 		    !params->link_sta_params.supported_rates)
7155 			return -EINVAL;
7156 		break;
7157 	case CFG80211_STA_TDLS_PEER_ACTIVE:
7158 		/* reject any changes */
7159 		return -EINVAL;
7160 	case CFG80211_STA_MESH_PEER_KERNEL:
7161 		if (params->sta_modify_mask & STATION_PARAM_APPLY_PLINK_STATE)
7162 			return -EINVAL;
7163 		break;
7164 	case CFG80211_STA_MESH_PEER_USER:
7165 		if (params->plink_action != NL80211_PLINK_ACTION_NO_ACTION &&
7166 		    params->plink_action != NL80211_PLINK_ACTION_BLOCK)
7167 			return -EINVAL;
7168 		break;
7169 	}
7170 
7171 	/*
7172 	 * Older kernel versions ignored this attribute entirely, so don't
7173 	 * reject attempts to update it but mark it as unused instead so the
7174 	 * driver won't look at the data.
7175 	 */
7176 	if (statype != CFG80211_STA_AP_CLIENT_UNASSOC &&
7177 	    statype != CFG80211_STA_TDLS_PEER_SETUP)
7178 		params->link_sta_params.opmode_notif_used = false;
7179 
7180 	return 0;
7181 }
7182 EXPORT_SYMBOL(cfg80211_check_station_change);
7183 
7184 /*
7185  * Get vlan interface making sure it is running and on the right wiphy.
7186  */
7187 static struct net_device *get_vlan(struct genl_info *info,
7188 				   struct cfg80211_registered_device *rdev)
7189 {
7190 	struct nlattr *vlanattr = info->attrs[NL80211_ATTR_STA_VLAN];
7191 	struct net_device *v;
7192 	int ret;
7193 
7194 	if (!vlanattr)
7195 		return NULL;
7196 
7197 	v = dev_get_by_index(genl_info_net(info), nla_get_u32(vlanattr));
7198 	if (!v)
7199 		return ERR_PTR(-ENODEV);
7200 
7201 	if (!v->ieee80211_ptr || v->ieee80211_ptr->wiphy != &rdev->wiphy) {
7202 		ret = -EINVAL;
7203 		goto error;
7204 	}
7205 
7206 	if (v->ieee80211_ptr->iftype != NL80211_IFTYPE_AP_VLAN &&
7207 	    v->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
7208 	    v->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO) {
7209 		ret = -EINVAL;
7210 		goto error;
7211 	}
7212 
7213 	if (!netif_running(v)) {
7214 		ret = -ENETDOWN;
7215 		goto error;
7216 	}
7217 
7218 	return v;
7219  error:
7220 	dev_put(v);
7221 	return ERR_PTR(ret);
7222 }
7223 
7224 static int nl80211_parse_sta_wme(struct genl_info *info,
7225 				 struct station_parameters *params)
7226 {
7227 	struct nlattr *tb[NL80211_STA_WME_MAX + 1];
7228 	struct nlattr *nla;
7229 	int err;
7230 
7231 	/* parse WME attributes if present */
7232 	if (!info->attrs[NL80211_ATTR_STA_WME])
7233 		return 0;
7234 
7235 	nla = info->attrs[NL80211_ATTR_STA_WME];
7236 	err = nla_parse_nested_deprecated(tb, NL80211_STA_WME_MAX, nla,
7237 					  nl80211_sta_wme_policy,
7238 					  info->extack);
7239 	if (err)
7240 		return err;
7241 
7242 	if (tb[NL80211_STA_WME_UAPSD_QUEUES])
7243 		params->uapsd_queues = nla_get_u8(
7244 			tb[NL80211_STA_WME_UAPSD_QUEUES]);
7245 	if (params->uapsd_queues & ~IEEE80211_WMM_IE_STA_QOSINFO_AC_MASK)
7246 		return -EINVAL;
7247 
7248 	if (tb[NL80211_STA_WME_MAX_SP])
7249 		params->max_sp = nla_get_u8(tb[NL80211_STA_WME_MAX_SP]);
7250 
7251 	if (params->max_sp & ~IEEE80211_WMM_IE_STA_QOSINFO_SP_MASK)
7252 		return -EINVAL;
7253 
7254 	params->sta_modify_mask |= STATION_PARAM_APPLY_UAPSD;
7255 
7256 	return 0;
7257 }
7258 
7259 static int nl80211_parse_sta_channel_info(struct genl_info *info,
7260 				      struct station_parameters *params)
7261 {
7262 	if (info->attrs[NL80211_ATTR_STA_SUPPORTED_CHANNELS]) {
7263 		params->supported_channels =
7264 		     nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_CHANNELS]);
7265 		params->supported_channels_len =
7266 		     nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_CHANNELS]);
7267 		/*
7268 		 * Need to include at least one (first channel, number of
7269 		 * channels) tuple for each subband (checked in policy),
7270 		 * and must have proper tuples for the rest of the data as well.
7271 		 */
7272 		if (params->supported_channels_len % 2)
7273 			return -EINVAL;
7274 	}
7275 
7276 	if (info->attrs[NL80211_ATTR_STA_SUPPORTED_OPER_CLASSES]) {
7277 		params->supported_oper_classes =
7278 		 nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_OPER_CLASSES]);
7279 		params->supported_oper_classes_len =
7280 		  nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_OPER_CLASSES]);
7281 	}
7282 	return 0;
7283 }
7284 
7285 static int nl80211_set_station_tdls(struct genl_info *info,
7286 				    struct station_parameters *params)
7287 {
7288 	int err;
7289 	/* Dummy STA entry gets updated once the peer capabilities are known */
7290 	if (info->attrs[NL80211_ATTR_PEER_AID])
7291 		params->aid = nla_get_u16(info->attrs[NL80211_ATTR_PEER_AID]);
7292 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY])
7293 		params->link_sta_params.ht_capa =
7294 			nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]);
7295 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY])
7296 		params->link_sta_params.vht_capa =
7297 			nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]);
7298 	if (info->attrs[NL80211_ATTR_HE_CAPABILITY]) {
7299 		params->link_sta_params.he_capa =
7300 			nla_data(info->attrs[NL80211_ATTR_HE_CAPABILITY]);
7301 		params->link_sta_params.he_capa_len =
7302 			nla_len(info->attrs[NL80211_ATTR_HE_CAPABILITY]);
7303 
7304 		if (info->attrs[NL80211_ATTR_EHT_CAPABILITY]) {
7305 			params->link_sta_params.eht_capa =
7306 				nla_data(info->attrs[NL80211_ATTR_EHT_CAPABILITY]);
7307 			params->link_sta_params.eht_capa_len =
7308 				nla_len(info->attrs[NL80211_ATTR_EHT_CAPABILITY]);
7309 
7310 			if (!ieee80211_eht_capa_size_ok((const u8 *)params->link_sta_params.he_capa,
7311 							(const u8 *)params->link_sta_params.eht_capa,
7312 							params->link_sta_params.eht_capa_len,
7313 							false))
7314 				return -EINVAL;
7315 		}
7316 	}
7317 
7318 	err = nl80211_parse_sta_channel_info(info, params);
7319 	if (err)
7320 		return err;
7321 
7322 	return nl80211_parse_sta_wme(info, params);
7323 }
7324 
7325 static int nl80211_parse_sta_txpower_setting(struct genl_info *info,
7326 					     struct sta_txpwr *txpwr,
7327 					     bool *txpwr_set)
7328 {
7329 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7330 	int idx;
7331 
7332 	if (info->attrs[NL80211_ATTR_STA_TX_POWER_SETTING]) {
7333 		if (!rdev->ops->set_tx_power ||
7334 		    !wiphy_ext_feature_isset(&rdev->wiphy,
7335 					 NL80211_EXT_FEATURE_STA_TX_PWR))
7336 			return -EOPNOTSUPP;
7337 
7338 		idx = NL80211_ATTR_STA_TX_POWER_SETTING;
7339 		txpwr->type = nla_get_u8(info->attrs[idx]);
7340 
7341 		if (txpwr->type == NL80211_TX_POWER_LIMITED) {
7342 			idx = NL80211_ATTR_STA_TX_POWER;
7343 
7344 			if (info->attrs[idx])
7345 				txpwr->power = nla_get_s16(info->attrs[idx]);
7346 			else
7347 				return -EINVAL;
7348 		}
7349 
7350 		*txpwr_set = true;
7351 	} else {
7352 		*txpwr_set = false;
7353 	}
7354 
7355 	return 0;
7356 }
7357 
7358 static int nl80211_set_station(struct sk_buff *skb, struct genl_info *info)
7359 {
7360 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7361 	struct net_device *dev = info->user_ptr[1];
7362 	struct station_parameters params;
7363 	u8 *mac_addr;
7364 	int err;
7365 
7366 	memset(&params, 0, sizeof(params));
7367 
7368 	if (!rdev->ops->change_station)
7369 		return -EOPNOTSUPP;
7370 
7371 	/*
7372 	 * AID and listen_interval properties can be set only for unassociated
7373 	 * station. Include these parameters here and will check them in
7374 	 * cfg80211_check_station_change().
7375 	 */
7376 	if (info->attrs[NL80211_ATTR_STA_AID])
7377 		params.aid = nla_get_u16(info->attrs[NL80211_ATTR_STA_AID]);
7378 
7379 	if (info->attrs[NL80211_ATTR_VLAN_ID])
7380 		params.vlan_id = nla_get_u16(info->attrs[NL80211_ATTR_VLAN_ID]);
7381 
7382 	if (info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL])
7383 		params.listen_interval =
7384 		     nla_get_u16(info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL]);
7385 	else
7386 		params.listen_interval = -1;
7387 
7388 	if (info->attrs[NL80211_ATTR_STA_SUPPORT_P2P_PS])
7389 		params.support_p2p_ps =
7390 			nla_get_u8(info->attrs[NL80211_ATTR_STA_SUPPORT_P2P_PS]);
7391 	else
7392 		params.support_p2p_ps = -1;
7393 
7394 	if (!info->attrs[NL80211_ATTR_MAC])
7395 		return -EINVAL;
7396 
7397 	params.link_sta_params.link_id =
7398 		nl80211_link_id_or_invalid(info->attrs);
7399 
7400 	if (info->attrs[NL80211_ATTR_MLD_ADDR]) {
7401 		/* If MLD_ADDR attribute is set then this is an MLD station
7402 		 * and the MLD_ADDR attribute holds the MLD address and the
7403 		 * MAC attribute holds for the LINK address.
7404 		 * In that case, the link_id is also expected to be valid.
7405 		 */
7406 		if (params.link_sta_params.link_id < 0)
7407 			return -EINVAL;
7408 
7409 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MLD_ADDR]);
7410 		params.link_sta_params.mld_mac = mac_addr;
7411 		params.link_sta_params.link_mac =
7412 			nla_data(info->attrs[NL80211_ATTR_MAC]);
7413 		if (!is_valid_ether_addr(params.link_sta_params.link_mac))
7414 			return -EINVAL;
7415 	} else {
7416 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
7417 	}
7418 
7419 
7420 	if (info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]) {
7421 		params.link_sta_params.supported_rates =
7422 			nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
7423 		params.link_sta_params.supported_rates_len =
7424 			nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
7425 	}
7426 
7427 	if (info->attrs[NL80211_ATTR_STA_CAPABILITY]) {
7428 		params.capability =
7429 			nla_get_u16(info->attrs[NL80211_ATTR_STA_CAPABILITY]);
7430 		params.sta_modify_mask |= STATION_PARAM_APPLY_CAPABILITY;
7431 	}
7432 
7433 	if (info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]) {
7434 		params.ext_capab =
7435 			nla_data(info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]);
7436 		params.ext_capab_len =
7437 			nla_len(info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]);
7438 	}
7439 
7440 	if (parse_station_flags(info, dev->ieee80211_ptr->iftype, &params))
7441 		return -EINVAL;
7442 
7443 	if (info->attrs[NL80211_ATTR_STA_PLINK_ACTION])
7444 		params.plink_action =
7445 			nla_get_u8(info->attrs[NL80211_ATTR_STA_PLINK_ACTION]);
7446 
7447 	if (info->attrs[NL80211_ATTR_STA_PLINK_STATE]) {
7448 		params.plink_state =
7449 			nla_get_u8(info->attrs[NL80211_ATTR_STA_PLINK_STATE]);
7450 		if (info->attrs[NL80211_ATTR_MESH_PEER_AID])
7451 			params.peer_aid = nla_get_u16(
7452 				info->attrs[NL80211_ATTR_MESH_PEER_AID]);
7453 		params.sta_modify_mask |= STATION_PARAM_APPLY_PLINK_STATE;
7454 	}
7455 
7456 	if (info->attrs[NL80211_ATTR_LOCAL_MESH_POWER_MODE])
7457 		params.local_pm = nla_get_u32(
7458 			info->attrs[NL80211_ATTR_LOCAL_MESH_POWER_MODE]);
7459 
7460 	if (info->attrs[NL80211_ATTR_OPMODE_NOTIF]) {
7461 		params.link_sta_params.opmode_notif_used = true;
7462 		params.link_sta_params.opmode_notif =
7463 			nla_get_u8(info->attrs[NL80211_ATTR_OPMODE_NOTIF]);
7464 	}
7465 
7466 	if (info->attrs[NL80211_ATTR_HE_6GHZ_CAPABILITY])
7467 		params.link_sta_params.he_6ghz_capa =
7468 			nla_data(info->attrs[NL80211_ATTR_HE_6GHZ_CAPABILITY]);
7469 
7470 	if (info->attrs[NL80211_ATTR_AIRTIME_WEIGHT])
7471 		params.airtime_weight =
7472 			nla_get_u16(info->attrs[NL80211_ATTR_AIRTIME_WEIGHT]);
7473 
7474 	if (params.airtime_weight &&
7475 	    !wiphy_ext_feature_isset(&rdev->wiphy,
7476 				     NL80211_EXT_FEATURE_AIRTIME_FAIRNESS))
7477 		return -EOPNOTSUPP;
7478 
7479 	err = nl80211_parse_sta_txpower_setting(info,
7480 						&params.link_sta_params.txpwr,
7481 						&params.link_sta_params.txpwr_set);
7482 	if (err)
7483 		return err;
7484 
7485 	/* Include parameters for TDLS peer (will check later) */
7486 	err = nl80211_set_station_tdls(info, &params);
7487 	if (err)
7488 		return err;
7489 
7490 	params.vlan = get_vlan(info, rdev);
7491 	if (IS_ERR(params.vlan))
7492 		return PTR_ERR(params.vlan);
7493 
7494 	switch (dev->ieee80211_ptr->iftype) {
7495 	case NL80211_IFTYPE_AP:
7496 	case NL80211_IFTYPE_AP_VLAN:
7497 	case NL80211_IFTYPE_P2P_GO:
7498 	case NL80211_IFTYPE_P2P_CLIENT:
7499 	case NL80211_IFTYPE_STATION:
7500 	case NL80211_IFTYPE_ADHOC:
7501 	case NL80211_IFTYPE_MESH_POINT:
7502 		break;
7503 	default:
7504 		err = -EOPNOTSUPP;
7505 		goto out_put_vlan;
7506 	}
7507 
7508 	/* driver will call cfg80211_check_station_change() */
7509 	err = rdev_change_station(rdev, dev, mac_addr, &params);
7510 
7511  out_put_vlan:
7512 	dev_put(params.vlan);
7513 
7514 	return err;
7515 }
7516 
7517 static int nl80211_new_station(struct sk_buff *skb, struct genl_info *info)
7518 {
7519 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7520 	int err;
7521 	struct net_device *dev = info->user_ptr[1];
7522 	struct wireless_dev *wdev = dev->ieee80211_ptr;
7523 	struct station_parameters params;
7524 	u8 *mac_addr = NULL;
7525 	u32 auth_assoc = BIT(NL80211_STA_FLAG_AUTHENTICATED) |
7526 			 BIT(NL80211_STA_FLAG_ASSOCIATED);
7527 
7528 	memset(&params, 0, sizeof(params));
7529 
7530 	if (!rdev->ops->add_station)
7531 		return -EOPNOTSUPP;
7532 
7533 	if (!info->attrs[NL80211_ATTR_MAC])
7534 		return -EINVAL;
7535 
7536 	if (!info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL])
7537 		return -EINVAL;
7538 
7539 	if (!info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES])
7540 		return -EINVAL;
7541 
7542 	if (!info->attrs[NL80211_ATTR_STA_AID] &&
7543 	    !info->attrs[NL80211_ATTR_PEER_AID])
7544 		return -EINVAL;
7545 
7546 	params.link_sta_params.link_id =
7547 		nl80211_link_id_or_invalid(info->attrs);
7548 
7549 	if (info->attrs[NL80211_ATTR_MLD_ADDR]) {
7550 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MLD_ADDR]);
7551 		params.link_sta_params.mld_mac = mac_addr;
7552 		params.link_sta_params.link_mac =
7553 			nla_data(info->attrs[NL80211_ATTR_MAC]);
7554 		if (!is_valid_ether_addr(params.link_sta_params.link_mac))
7555 			return -EINVAL;
7556 	} else {
7557 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
7558 	}
7559 
7560 	params.link_sta_params.supported_rates =
7561 		nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
7562 	params.link_sta_params.supported_rates_len =
7563 		nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
7564 	params.listen_interval =
7565 		nla_get_u16(info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL]);
7566 
7567 	if (info->attrs[NL80211_ATTR_VLAN_ID])
7568 		params.vlan_id = nla_get_u16(info->attrs[NL80211_ATTR_VLAN_ID]);
7569 
7570 	if (info->attrs[NL80211_ATTR_STA_SUPPORT_P2P_PS]) {
7571 		params.support_p2p_ps =
7572 			nla_get_u8(info->attrs[NL80211_ATTR_STA_SUPPORT_P2P_PS]);
7573 	} else {
7574 		/*
7575 		 * if not specified, assume it's supported for P2P GO interface,
7576 		 * and is NOT supported for AP interface
7577 		 */
7578 		params.support_p2p_ps =
7579 			dev->ieee80211_ptr->iftype == NL80211_IFTYPE_P2P_GO;
7580 	}
7581 
7582 	if (info->attrs[NL80211_ATTR_PEER_AID])
7583 		params.aid = nla_get_u16(info->attrs[NL80211_ATTR_PEER_AID]);
7584 	else
7585 		params.aid = nla_get_u16(info->attrs[NL80211_ATTR_STA_AID]);
7586 
7587 	if (info->attrs[NL80211_ATTR_STA_CAPABILITY]) {
7588 		params.capability =
7589 			nla_get_u16(info->attrs[NL80211_ATTR_STA_CAPABILITY]);
7590 		params.sta_modify_mask |= STATION_PARAM_APPLY_CAPABILITY;
7591 	}
7592 
7593 	if (info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]) {
7594 		params.ext_capab =
7595 			nla_data(info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]);
7596 		params.ext_capab_len =
7597 			nla_len(info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]);
7598 	}
7599 
7600 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY])
7601 		params.link_sta_params.ht_capa =
7602 			nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]);
7603 
7604 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY])
7605 		params.link_sta_params.vht_capa =
7606 			nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]);
7607 
7608 	if (info->attrs[NL80211_ATTR_HE_CAPABILITY]) {
7609 		params.link_sta_params.he_capa =
7610 			nla_data(info->attrs[NL80211_ATTR_HE_CAPABILITY]);
7611 		params.link_sta_params.he_capa_len =
7612 			nla_len(info->attrs[NL80211_ATTR_HE_CAPABILITY]);
7613 
7614 		if (info->attrs[NL80211_ATTR_EHT_CAPABILITY]) {
7615 			params.link_sta_params.eht_capa =
7616 				nla_data(info->attrs[NL80211_ATTR_EHT_CAPABILITY]);
7617 			params.link_sta_params.eht_capa_len =
7618 				nla_len(info->attrs[NL80211_ATTR_EHT_CAPABILITY]);
7619 
7620 			if (!ieee80211_eht_capa_size_ok((const u8 *)params.link_sta_params.he_capa,
7621 							(const u8 *)params.link_sta_params.eht_capa,
7622 							params.link_sta_params.eht_capa_len,
7623 							false))
7624 				return -EINVAL;
7625 		}
7626 	}
7627 
7628 	if (info->attrs[NL80211_ATTR_HE_6GHZ_CAPABILITY])
7629 		params.link_sta_params.he_6ghz_capa =
7630 			nla_data(info->attrs[NL80211_ATTR_HE_6GHZ_CAPABILITY]);
7631 
7632 	if (info->attrs[NL80211_ATTR_OPMODE_NOTIF]) {
7633 		params.link_sta_params.opmode_notif_used = true;
7634 		params.link_sta_params.opmode_notif =
7635 			nla_get_u8(info->attrs[NL80211_ATTR_OPMODE_NOTIF]);
7636 	}
7637 
7638 	if (info->attrs[NL80211_ATTR_STA_PLINK_ACTION])
7639 		params.plink_action =
7640 			nla_get_u8(info->attrs[NL80211_ATTR_STA_PLINK_ACTION]);
7641 
7642 	if (info->attrs[NL80211_ATTR_AIRTIME_WEIGHT])
7643 		params.airtime_weight =
7644 			nla_get_u16(info->attrs[NL80211_ATTR_AIRTIME_WEIGHT]);
7645 
7646 	if (params.airtime_weight &&
7647 	    !wiphy_ext_feature_isset(&rdev->wiphy,
7648 				     NL80211_EXT_FEATURE_AIRTIME_FAIRNESS))
7649 		return -EOPNOTSUPP;
7650 
7651 	err = nl80211_parse_sta_txpower_setting(info,
7652 						&params.link_sta_params.txpwr,
7653 						&params.link_sta_params.txpwr_set);
7654 	if (err)
7655 		return err;
7656 
7657 	err = nl80211_parse_sta_channel_info(info, &params);
7658 	if (err)
7659 		return err;
7660 
7661 	err = nl80211_parse_sta_wme(info, &params);
7662 	if (err)
7663 		return err;
7664 
7665 	if (parse_station_flags(info, dev->ieee80211_ptr->iftype, &params))
7666 		return -EINVAL;
7667 
7668 	/* HT/VHT requires QoS, but if we don't have that just ignore HT/VHT
7669 	 * as userspace might just pass through the capabilities from the IEs
7670 	 * directly, rather than enforcing this restriction and returning an
7671 	 * error in this case.
7672 	 */
7673 	if (!(params.sta_flags_set & BIT(NL80211_STA_FLAG_WME))) {
7674 		params.link_sta_params.ht_capa = NULL;
7675 		params.link_sta_params.vht_capa = NULL;
7676 
7677 		/* HE and EHT require WME */
7678 		if (params.link_sta_params.he_capa_len ||
7679 		    params.link_sta_params.he_6ghz_capa ||
7680 		    params.link_sta_params.eht_capa_len)
7681 			return -EINVAL;
7682 	}
7683 
7684 	/* Ensure that HT/VHT capabilities are not set for 6 GHz HE STA */
7685 	if (params.link_sta_params.he_6ghz_capa &&
7686 	    (params.link_sta_params.ht_capa || params.link_sta_params.vht_capa))
7687 		return -EINVAL;
7688 
7689 	/* When you run into this, adjust the code below for the new flag */
7690 	BUILD_BUG_ON(NL80211_STA_FLAG_MAX != 8);
7691 
7692 	switch (dev->ieee80211_ptr->iftype) {
7693 	case NL80211_IFTYPE_AP:
7694 	case NL80211_IFTYPE_AP_VLAN:
7695 	case NL80211_IFTYPE_P2P_GO:
7696 		/* ignore WME attributes if iface/sta is not capable */
7697 		if (!(rdev->wiphy.flags & WIPHY_FLAG_AP_UAPSD) ||
7698 		    !(params.sta_flags_set & BIT(NL80211_STA_FLAG_WME)))
7699 			params.sta_modify_mask &= ~STATION_PARAM_APPLY_UAPSD;
7700 
7701 		/* TDLS peers cannot be added */
7702 		if ((params.sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)) ||
7703 		    info->attrs[NL80211_ATTR_PEER_AID])
7704 			return -EINVAL;
7705 		/* but don't bother the driver with it */
7706 		params.sta_flags_mask &= ~BIT(NL80211_STA_FLAG_TDLS_PEER);
7707 
7708 		/* allow authenticated/associated only if driver handles it */
7709 		if (!(rdev->wiphy.features &
7710 				NL80211_FEATURE_FULL_AP_CLIENT_STATE) &&
7711 		    params.sta_flags_mask & auth_assoc)
7712 			return -EINVAL;
7713 
7714 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
7715 					     NL80211_EXT_FEATURE_SPP_AMSDU_SUPPORT) &&
7716 		    params.sta_flags_mask & BIT(NL80211_STA_FLAG_SPP_AMSDU))
7717 			return -EINVAL;
7718 
7719 		/* Older userspace, or userspace wanting to be compatible with
7720 		 * !NL80211_FEATURE_FULL_AP_CLIENT_STATE, will not set the auth
7721 		 * and assoc flags in the mask, but assumes the station will be
7722 		 * added as associated anyway since this was the required driver
7723 		 * behaviour before NL80211_FEATURE_FULL_AP_CLIENT_STATE was
7724 		 * introduced.
7725 		 * In order to not bother drivers with this quirk in the API
7726 		 * set the flags in both the mask and set for new stations in
7727 		 * this case.
7728 		 */
7729 		if (!(params.sta_flags_mask & auth_assoc)) {
7730 			params.sta_flags_mask |= auth_assoc;
7731 			params.sta_flags_set |= auth_assoc;
7732 		}
7733 
7734 		/* must be last in here for error handling */
7735 		params.vlan = get_vlan(info, rdev);
7736 		if (IS_ERR(params.vlan))
7737 			return PTR_ERR(params.vlan);
7738 		break;
7739 	case NL80211_IFTYPE_MESH_POINT:
7740 		/* ignore uAPSD data */
7741 		params.sta_modify_mask &= ~STATION_PARAM_APPLY_UAPSD;
7742 
7743 		/* associated is disallowed */
7744 		if (params.sta_flags_mask & BIT(NL80211_STA_FLAG_ASSOCIATED))
7745 			return -EINVAL;
7746 		/* TDLS peers cannot be added */
7747 		if ((params.sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)) ||
7748 		    info->attrs[NL80211_ATTR_PEER_AID])
7749 			return -EINVAL;
7750 		break;
7751 	case NL80211_IFTYPE_STATION:
7752 	case NL80211_IFTYPE_P2P_CLIENT:
7753 		/* ignore uAPSD data */
7754 		params.sta_modify_mask &= ~STATION_PARAM_APPLY_UAPSD;
7755 
7756 		/* these are disallowed */
7757 		if (params.sta_flags_mask &
7758 				(BIT(NL80211_STA_FLAG_ASSOCIATED) |
7759 				 BIT(NL80211_STA_FLAG_AUTHENTICATED)))
7760 			return -EINVAL;
7761 		/* Only TDLS peers can be added */
7762 		if (!(params.sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)))
7763 			return -EINVAL;
7764 		/* Can only add if TDLS ... */
7765 		if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS))
7766 			return -EOPNOTSUPP;
7767 		/* ... with external setup is supported */
7768 		if (!(rdev->wiphy.flags & WIPHY_FLAG_TDLS_EXTERNAL_SETUP))
7769 			return -EOPNOTSUPP;
7770 		/*
7771 		 * Older wpa_supplicant versions always mark the TDLS peer
7772 		 * as authorized, but it shouldn't yet be.
7773 		 */
7774 		params.sta_flags_mask &= ~BIT(NL80211_STA_FLAG_AUTHORIZED);
7775 		break;
7776 	default:
7777 		return -EOPNOTSUPP;
7778 	}
7779 
7780 	/* be aware of params.vlan when changing code here */
7781 
7782 	if (wdev->valid_links) {
7783 		if (params.link_sta_params.link_id < 0) {
7784 			err = -EINVAL;
7785 			goto out;
7786 		}
7787 		if (!(wdev->valid_links & BIT(params.link_sta_params.link_id))) {
7788 			err = -ENOLINK;
7789 			goto out;
7790 		}
7791 	} else {
7792 		if (params.link_sta_params.link_id >= 0) {
7793 			err = -EINVAL;
7794 			goto out;
7795 		}
7796 	}
7797 	err = rdev_add_station(rdev, dev, mac_addr, &params);
7798 out:
7799 	dev_put(params.vlan);
7800 	return err;
7801 }
7802 
7803 static int nl80211_del_station(struct sk_buff *skb, struct genl_info *info)
7804 {
7805 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7806 	struct net_device *dev = info->user_ptr[1];
7807 	struct wireless_dev *wdev = dev->ieee80211_ptr;
7808 	struct station_del_parameters params;
7809 	int link_id = nl80211_link_id_or_invalid(info->attrs);
7810 
7811 	memset(&params, 0, sizeof(params));
7812 
7813 	if (info->attrs[NL80211_ATTR_MAC])
7814 		params.mac = nla_data(info->attrs[NL80211_ATTR_MAC]);
7815 
7816 	switch (wdev->iftype) {
7817 	case NL80211_IFTYPE_AP:
7818 	case NL80211_IFTYPE_AP_VLAN:
7819 	case NL80211_IFTYPE_MESH_POINT:
7820 	case NL80211_IFTYPE_P2P_GO:
7821 		/* always accept these */
7822 		break;
7823 	case NL80211_IFTYPE_ADHOC:
7824 		/* conditionally accept */
7825 		if (wiphy_ext_feature_isset(&rdev->wiphy,
7826 					    NL80211_EXT_FEATURE_DEL_IBSS_STA))
7827 			break;
7828 		return -EINVAL;
7829 	default:
7830 		return -EINVAL;
7831 	}
7832 
7833 	if (!rdev->ops->del_station)
7834 		return -EOPNOTSUPP;
7835 
7836 	if (info->attrs[NL80211_ATTR_MGMT_SUBTYPE]) {
7837 		params.subtype =
7838 			nla_get_u8(info->attrs[NL80211_ATTR_MGMT_SUBTYPE]);
7839 		if (params.subtype != IEEE80211_STYPE_DISASSOC >> 4 &&
7840 		    params.subtype != IEEE80211_STYPE_DEAUTH >> 4)
7841 			return -EINVAL;
7842 	} else {
7843 		/* Default to Deauthentication frame */
7844 		params.subtype = IEEE80211_STYPE_DEAUTH >> 4;
7845 	}
7846 
7847 	if (info->attrs[NL80211_ATTR_REASON_CODE]) {
7848 		params.reason_code =
7849 			nla_get_u16(info->attrs[NL80211_ATTR_REASON_CODE]);
7850 		if (params.reason_code == 0)
7851 			return -EINVAL; /* 0 is reserved */
7852 	} else {
7853 		/* Default to reason code 2 */
7854 		params.reason_code = WLAN_REASON_PREV_AUTH_NOT_VALID;
7855 	}
7856 
7857 	/* Link ID not expected in case of non-ML operation */
7858 	if (!wdev->valid_links && link_id != -1)
7859 		return -EINVAL;
7860 
7861 	/* If given, a valid link ID should be passed during MLO */
7862 	if (wdev->valid_links && link_id >= 0 &&
7863 	    !(wdev->valid_links & BIT(link_id)))
7864 		return -EINVAL;
7865 
7866 	params.link_id = link_id;
7867 
7868 	return rdev_del_station(rdev, dev, &params);
7869 }
7870 
7871 static int nl80211_send_mpath(struct sk_buff *msg, u32 portid, u32 seq,
7872 				int flags, struct net_device *dev,
7873 				u8 *dst, u8 *next_hop,
7874 				struct mpath_info *pinfo)
7875 {
7876 	void *hdr;
7877 	struct nlattr *pinfoattr;
7878 
7879 	hdr = nl80211hdr_put(msg, portid, seq, flags, NL80211_CMD_NEW_MPATH);
7880 	if (!hdr)
7881 		return -1;
7882 
7883 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
7884 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, dst) ||
7885 	    nla_put(msg, NL80211_ATTR_MPATH_NEXT_HOP, ETH_ALEN, next_hop) ||
7886 	    nla_put_u32(msg, NL80211_ATTR_GENERATION, pinfo->generation))
7887 		goto nla_put_failure;
7888 
7889 	pinfoattr = nla_nest_start_noflag(msg, NL80211_ATTR_MPATH_INFO);
7890 	if (!pinfoattr)
7891 		goto nla_put_failure;
7892 	if ((pinfo->filled & MPATH_INFO_FRAME_QLEN) &&
7893 	    nla_put_u32(msg, NL80211_MPATH_INFO_FRAME_QLEN,
7894 			pinfo->frame_qlen))
7895 		goto nla_put_failure;
7896 	if (((pinfo->filled & MPATH_INFO_SN) &&
7897 	     nla_put_u32(msg, NL80211_MPATH_INFO_SN, pinfo->sn)) ||
7898 	    ((pinfo->filled & MPATH_INFO_METRIC) &&
7899 	     nla_put_u32(msg, NL80211_MPATH_INFO_METRIC,
7900 			 pinfo->metric)) ||
7901 	    ((pinfo->filled & MPATH_INFO_EXPTIME) &&
7902 	     nla_put_u32(msg, NL80211_MPATH_INFO_EXPTIME,
7903 			 pinfo->exptime)) ||
7904 	    ((pinfo->filled & MPATH_INFO_FLAGS) &&
7905 	     nla_put_u8(msg, NL80211_MPATH_INFO_FLAGS,
7906 			pinfo->flags)) ||
7907 	    ((pinfo->filled & MPATH_INFO_DISCOVERY_TIMEOUT) &&
7908 	     nla_put_u32(msg, NL80211_MPATH_INFO_DISCOVERY_TIMEOUT,
7909 			 pinfo->discovery_timeout)) ||
7910 	    ((pinfo->filled & MPATH_INFO_DISCOVERY_RETRIES) &&
7911 	     nla_put_u8(msg, NL80211_MPATH_INFO_DISCOVERY_RETRIES,
7912 			pinfo->discovery_retries)) ||
7913 	    ((pinfo->filled & MPATH_INFO_HOP_COUNT) &&
7914 	     nla_put_u8(msg, NL80211_MPATH_INFO_HOP_COUNT,
7915 			pinfo->hop_count)) ||
7916 	    ((pinfo->filled & MPATH_INFO_PATH_CHANGE) &&
7917 	     nla_put_u32(msg, NL80211_MPATH_INFO_PATH_CHANGE,
7918 			 pinfo->path_change_count)))
7919 		goto nla_put_failure;
7920 
7921 	nla_nest_end(msg, pinfoattr);
7922 
7923 	genlmsg_end(msg, hdr);
7924 	return 0;
7925 
7926  nla_put_failure:
7927 	genlmsg_cancel(msg, hdr);
7928 	return -EMSGSIZE;
7929 }
7930 
7931 static int nl80211_dump_mpath(struct sk_buff *skb,
7932 			      struct netlink_callback *cb)
7933 {
7934 	struct mpath_info pinfo;
7935 	struct cfg80211_registered_device *rdev;
7936 	struct wireless_dev *wdev;
7937 	u8 dst[ETH_ALEN];
7938 	u8 next_hop[ETH_ALEN];
7939 	int path_idx = cb->args[2];
7940 	int err;
7941 
7942 	err = nl80211_prepare_wdev_dump(cb, &rdev, &wdev, NULL);
7943 	if (err)
7944 		return err;
7945 	/* nl80211_prepare_wdev_dump acquired it in the successful case */
7946 	__acquire(&rdev->wiphy.mtx);
7947 
7948 	if (!rdev->ops->dump_mpath) {
7949 		err = -EOPNOTSUPP;
7950 		goto out_err;
7951 	}
7952 
7953 	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT) {
7954 		err = -EOPNOTSUPP;
7955 		goto out_err;
7956 	}
7957 
7958 	while (1) {
7959 		err = rdev_dump_mpath(rdev, wdev->netdev, path_idx, dst,
7960 				      next_hop, &pinfo);
7961 		if (err == -ENOENT)
7962 			break;
7963 		if (err)
7964 			goto out_err;
7965 
7966 		if (nl80211_send_mpath(skb, NETLINK_CB(cb->skb).portid,
7967 				       cb->nlh->nlmsg_seq, NLM_F_MULTI,
7968 				       wdev->netdev, dst, next_hop,
7969 				       &pinfo) < 0)
7970 			goto out;
7971 
7972 		path_idx++;
7973 	}
7974 
7975  out:
7976 	cb->args[2] = path_idx;
7977 	err = skb->len;
7978  out_err:
7979 	wiphy_unlock(&rdev->wiphy);
7980 	return err;
7981 }
7982 
7983 static int nl80211_get_mpath(struct sk_buff *skb, struct genl_info *info)
7984 {
7985 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7986 	int err;
7987 	struct net_device *dev = info->user_ptr[1];
7988 	struct mpath_info pinfo;
7989 	struct sk_buff *msg;
7990 	u8 *dst = NULL;
7991 	u8 next_hop[ETH_ALEN];
7992 
7993 	memset(&pinfo, 0, sizeof(pinfo));
7994 
7995 	if (!info->attrs[NL80211_ATTR_MAC])
7996 		return -EINVAL;
7997 
7998 	dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
7999 
8000 	if (!rdev->ops->get_mpath)
8001 		return -EOPNOTSUPP;
8002 
8003 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
8004 		return -EOPNOTSUPP;
8005 
8006 	err = rdev_get_mpath(rdev, dev, dst, next_hop, &pinfo);
8007 	if (err)
8008 		return err;
8009 
8010 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
8011 	if (!msg)
8012 		return -ENOMEM;
8013 
8014 	if (nl80211_send_mpath(msg, info->snd_portid, info->snd_seq, 0,
8015 				 dev, dst, next_hop, &pinfo) < 0) {
8016 		nlmsg_free(msg);
8017 		return -ENOBUFS;
8018 	}
8019 
8020 	return genlmsg_reply(msg, info);
8021 }
8022 
8023 static int nl80211_set_mpath(struct sk_buff *skb, struct genl_info *info)
8024 {
8025 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8026 	struct net_device *dev = info->user_ptr[1];
8027 	u8 *dst = NULL;
8028 	u8 *next_hop = NULL;
8029 
8030 	if (!info->attrs[NL80211_ATTR_MAC])
8031 		return -EINVAL;
8032 
8033 	if (!info->attrs[NL80211_ATTR_MPATH_NEXT_HOP])
8034 		return -EINVAL;
8035 
8036 	dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
8037 	next_hop = nla_data(info->attrs[NL80211_ATTR_MPATH_NEXT_HOP]);
8038 
8039 	if (!rdev->ops->change_mpath)
8040 		return -EOPNOTSUPP;
8041 
8042 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
8043 		return -EOPNOTSUPP;
8044 
8045 	return rdev_change_mpath(rdev, dev, dst, next_hop);
8046 }
8047 
8048 static int nl80211_new_mpath(struct sk_buff *skb, struct genl_info *info)
8049 {
8050 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8051 	struct net_device *dev = info->user_ptr[1];
8052 	u8 *dst = NULL;
8053 	u8 *next_hop = NULL;
8054 
8055 	if (!info->attrs[NL80211_ATTR_MAC])
8056 		return -EINVAL;
8057 
8058 	if (!info->attrs[NL80211_ATTR_MPATH_NEXT_HOP])
8059 		return -EINVAL;
8060 
8061 	dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
8062 	next_hop = nla_data(info->attrs[NL80211_ATTR_MPATH_NEXT_HOP]);
8063 
8064 	if (!rdev->ops->add_mpath)
8065 		return -EOPNOTSUPP;
8066 
8067 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
8068 		return -EOPNOTSUPP;
8069 
8070 	return rdev_add_mpath(rdev, dev, dst, next_hop);
8071 }
8072 
8073 static int nl80211_del_mpath(struct sk_buff *skb, struct genl_info *info)
8074 {
8075 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8076 	struct net_device *dev = info->user_ptr[1];
8077 	u8 *dst = NULL;
8078 
8079 	if (info->attrs[NL80211_ATTR_MAC])
8080 		dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
8081 
8082 	if (!rdev->ops->del_mpath)
8083 		return -EOPNOTSUPP;
8084 
8085 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
8086 		return -EOPNOTSUPP;
8087 
8088 	return rdev_del_mpath(rdev, dev, dst);
8089 }
8090 
8091 static int nl80211_get_mpp(struct sk_buff *skb, struct genl_info *info)
8092 {
8093 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8094 	int err;
8095 	struct net_device *dev = info->user_ptr[1];
8096 	struct mpath_info pinfo;
8097 	struct sk_buff *msg;
8098 	u8 *dst = NULL;
8099 	u8 mpp[ETH_ALEN];
8100 
8101 	memset(&pinfo, 0, sizeof(pinfo));
8102 
8103 	if (!info->attrs[NL80211_ATTR_MAC])
8104 		return -EINVAL;
8105 
8106 	dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
8107 
8108 	if (!rdev->ops->get_mpp)
8109 		return -EOPNOTSUPP;
8110 
8111 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
8112 		return -EOPNOTSUPP;
8113 
8114 	err = rdev_get_mpp(rdev, dev, dst, mpp, &pinfo);
8115 	if (err)
8116 		return err;
8117 
8118 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
8119 	if (!msg)
8120 		return -ENOMEM;
8121 
8122 	if (nl80211_send_mpath(msg, info->snd_portid, info->snd_seq, 0,
8123 			       dev, dst, mpp, &pinfo) < 0) {
8124 		nlmsg_free(msg);
8125 		return -ENOBUFS;
8126 	}
8127 
8128 	return genlmsg_reply(msg, info);
8129 }
8130 
8131 static int nl80211_dump_mpp(struct sk_buff *skb,
8132 			    struct netlink_callback *cb)
8133 {
8134 	struct mpath_info pinfo;
8135 	struct cfg80211_registered_device *rdev;
8136 	struct wireless_dev *wdev;
8137 	u8 dst[ETH_ALEN];
8138 	u8 mpp[ETH_ALEN];
8139 	int path_idx = cb->args[2];
8140 	int err;
8141 
8142 	err = nl80211_prepare_wdev_dump(cb, &rdev, &wdev, NULL);
8143 	if (err)
8144 		return err;
8145 	/* nl80211_prepare_wdev_dump acquired it in the successful case */
8146 	__acquire(&rdev->wiphy.mtx);
8147 
8148 	if (!rdev->ops->dump_mpp) {
8149 		err = -EOPNOTSUPP;
8150 		goto out_err;
8151 	}
8152 
8153 	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT) {
8154 		err = -EOPNOTSUPP;
8155 		goto out_err;
8156 	}
8157 
8158 	while (1) {
8159 		err = rdev_dump_mpp(rdev, wdev->netdev, path_idx, dst,
8160 				    mpp, &pinfo);
8161 		if (err == -ENOENT)
8162 			break;
8163 		if (err)
8164 			goto out_err;
8165 
8166 		if (nl80211_send_mpath(skb, NETLINK_CB(cb->skb).portid,
8167 				       cb->nlh->nlmsg_seq, NLM_F_MULTI,
8168 				       wdev->netdev, dst, mpp,
8169 				       &pinfo) < 0)
8170 			goto out;
8171 
8172 		path_idx++;
8173 	}
8174 
8175  out:
8176 	cb->args[2] = path_idx;
8177 	err = skb->len;
8178  out_err:
8179 	wiphy_unlock(&rdev->wiphy);
8180 	return err;
8181 }
8182 
8183 static int nl80211_set_bss(struct sk_buff *skb, struct genl_info *info)
8184 {
8185 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8186 	struct net_device *dev = info->user_ptr[1];
8187 	struct bss_parameters params;
8188 
8189 	memset(&params, 0, sizeof(params));
8190 	params.link_id = nl80211_link_id_or_invalid(info->attrs);
8191 	/* default to not changing parameters */
8192 	params.use_cts_prot = -1;
8193 	params.use_short_preamble = -1;
8194 	params.use_short_slot_time = -1;
8195 	params.ap_isolate = -1;
8196 	params.ht_opmode = -1;
8197 	params.p2p_ctwindow = -1;
8198 	params.p2p_opp_ps = -1;
8199 
8200 	if (info->attrs[NL80211_ATTR_BSS_CTS_PROT])
8201 		params.use_cts_prot =
8202 		    nla_get_u8(info->attrs[NL80211_ATTR_BSS_CTS_PROT]);
8203 	if (info->attrs[NL80211_ATTR_BSS_SHORT_PREAMBLE])
8204 		params.use_short_preamble =
8205 		    nla_get_u8(info->attrs[NL80211_ATTR_BSS_SHORT_PREAMBLE]);
8206 	if (info->attrs[NL80211_ATTR_BSS_SHORT_SLOT_TIME])
8207 		params.use_short_slot_time =
8208 		    nla_get_u8(info->attrs[NL80211_ATTR_BSS_SHORT_SLOT_TIME]);
8209 	if (info->attrs[NL80211_ATTR_BSS_BASIC_RATES]) {
8210 		params.basic_rates =
8211 			nla_data(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
8212 		params.basic_rates_len =
8213 			nla_len(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
8214 	}
8215 	if (info->attrs[NL80211_ATTR_AP_ISOLATE])
8216 		params.ap_isolate = !!nla_get_u8(info->attrs[NL80211_ATTR_AP_ISOLATE]);
8217 	if (info->attrs[NL80211_ATTR_BSS_HT_OPMODE])
8218 		params.ht_opmode =
8219 			nla_get_u16(info->attrs[NL80211_ATTR_BSS_HT_OPMODE]);
8220 
8221 	if (info->attrs[NL80211_ATTR_P2P_CTWINDOW]) {
8222 		if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
8223 			return -EINVAL;
8224 		params.p2p_ctwindow =
8225 			nla_get_u8(info->attrs[NL80211_ATTR_P2P_CTWINDOW]);
8226 		if (params.p2p_ctwindow != 0 &&
8227 		    !(rdev->wiphy.features & NL80211_FEATURE_P2P_GO_CTWIN))
8228 			return -EINVAL;
8229 	}
8230 
8231 	if (info->attrs[NL80211_ATTR_P2P_OPPPS]) {
8232 		u8 tmp;
8233 
8234 		if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
8235 			return -EINVAL;
8236 		tmp = nla_get_u8(info->attrs[NL80211_ATTR_P2P_OPPPS]);
8237 		params.p2p_opp_ps = tmp;
8238 		if (params.p2p_opp_ps &&
8239 		    !(rdev->wiphy.features & NL80211_FEATURE_P2P_GO_OPPPS))
8240 			return -EINVAL;
8241 	}
8242 
8243 	if (!rdev->ops->change_bss)
8244 		return -EOPNOTSUPP;
8245 
8246 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
8247 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
8248 		return -EOPNOTSUPP;
8249 
8250 	return rdev_change_bss(rdev, dev, &params);
8251 }
8252 
8253 static int nl80211_req_set_reg(struct sk_buff *skb, struct genl_info *info)
8254 {
8255 	char *data = NULL;
8256 	bool is_indoor;
8257 	enum nl80211_user_reg_hint_type user_reg_hint_type;
8258 	u32 owner_nlportid;
8259 
8260 	/*
8261 	 * You should only get this when cfg80211 hasn't yet initialized
8262 	 * completely when built-in to the kernel right between the time
8263 	 * window between nl80211_init() and regulatory_init(), if that is
8264 	 * even possible.
8265 	 */
8266 	if (unlikely(!rcu_access_pointer(cfg80211_regdomain)))
8267 		return -EINPROGRESS;
8268 
8269 	user_reg_hint_type =
8270 		nla_get_u32_default(info->attrs[NL80211_ATTR_USER_REG_HINT_TYPE],
8271 				    NL80211_USER_REG_HINT_USER);
8272 
8273 	switch (user_reg_hint_type) {
8274 	case NL80211_USER_REG_HINT_USER:
8275 	case NL80211_USER_REG_HINT_CELL_BASE:
8276 		if (!info->attrs[NL80211_ATTR_REG_ALPHA2])
8277 			return -EINVAL;
8278 
8279 		data = nla_data(info->attrs[NL80211_ATTR_REG_ALPHA2]);
8280 		return regulatory_hint_user(data, user_reg_hint_type);
8281 	case NL80211_USER_REG_HINT_INDOOR:
8282 		if (info->attrs[NL80211_ATTR_SOCKET_OWNER]) {
8283 			owner_nlportid = info->snd_portid;
8284 			is_indoor = !!info->attrs[NL80211_ATTR_REG_INDOOR];
8285 		} else {
8286 			owner_nlportid = 0;
8287 			is_indoor = true;
8288 		}
8289 
8290 		regulatory_hint_indoor(is_indoor, owner_nlportid);
8291 		return 0;
8292 	default:
8293 		return -EINVAL;
8294 	}
8295 }
8296 
8297 static int nl80211_reload_regdb(struct sk_buff *skb, struct genl_info *info)
8298 {
8299 	return reg_reload_regdb();
8300 }
8301 
8302 static int nl80211_get_mesh_config(struct sk_buff *skb,
8303 				   struct genl_info *info)
8304 {
8305 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8306 	struct net_device *dev = info->user_ptr[1];
8307 	struct wireless_dev *wdev = dev->ieee80211_ptr;
8308 	struct mesh_config cur_params;
8309 	int err = 0;
8310 	void *hdr;
8311 	struct nlattr *pinfoattr;
8312 	struct sk_buff *msg;
8313 
8314 	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT)
8315 		return -EOPNOTSUPP;
8316 
8317 	if (!rdev->ops->get_mesh_config)
8318 		return -EOPNOTSUPP;
8319 
8320 	/* If not connected, get default parameters */
8321 	if (!wdev->u.mesh.id_len)
8322 		memcpy(&cur_params, &default_mesh_config, sizeof(cur_params));
8323 	else
8324 		err = rdev_get_mesh_config(rdev, dev, &cur_params);
8325 
8326 	if (err)
8327 		return err;
8328 
8329 	/* Draw up a netlink message to send back */
8330 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
8331 	if (!msg)
8332 		return -ENOMEM;
8333 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
8334 			     NL80211_CMD_GET_MESH_CONFIG);
8335 	if (!hdr)
8336 		goto out;
8337 	pinfoattr = nla_nest_start_noflag(msg, NL80211_ATTR_MESH_CONFIG);
8338 	if (!pinfoattr)
8339 		goto nla_put_failure;
8340 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
8341 	    nla_put_u16(msg, NL80211_MESHCONF_RETRY_TIMEOUT,
8342 			cur_params.dot11MeshRetryTimeout) ||
8343 	    nla_put_u16(msg, NL80211_MESHCONF_CONFIRM_TIMEOUT,
8344 			cur_params.dot11MeshConfirmTimeout) ||
8345 	    nla_put_u16(msg, NL80211_MESHCONF_HOLDING_TIMEOUT,
8346 			cur_params.dot11MeshHoldingTimeout) ||
8347 	    nla_put_u16(msg, NL80211_MESHCONF_MAX_PEER_LINKS,
8348 			cur_params.dot11MeshMaxPeerLinks) ||
8349 	    nla_put_u8(msg, NL80211_MESHCONF_MAX_RETRIES,
8350 		       cur_params.dot11MeshMaxRetries) ||
8351 	    nla_put_u8(msg, NL80211_MESHCONF_TTL,
8352 		       cur_params.dot11MeshTTL) ||
8353 	    nla_put_u8(msg, NL80211_MESHCONF_ELEMENT_TTL,
8354 		       cur_params.element_ttl) ||
8355 	    nla_put_u8(msg, NL80211_MESHCONF_AUTO_OPEN_PLINKS,
8356 		       cur_params.auto_open_plinks) ||
8357 	    nla_put_u32(msg, NL80211_MESHCONF_SYNC_OFFSET_MAX_NEIGHBOR,
8358 			cur_params.dot11MeshNbrOffsetMaxNeighbor) ||
8359 	    nla_put_u8(msg, NL80211_MESHCONF_HWMP_MAX_PREQ_RETRIES,
8360 		       cur_params.dot11MeshHWMPmaxPREQretries) ||
8361 	    nla_put_u32(msg, NL80211_MESHCONF_PATH_REFRESH_TIME,
8362 			cur_params.path_refresh_time) ||
8363 	    nla_put_u16(msg, NL80211_MESHCONF_MIN_DISCOVERY_TIMEOUT,
8364 			cur_params.min_discovery_timeout) ||
8365 	    nla_put_u32(msg, NL80211_MESHCONF_HWMP_ACTIVE_PATH_TIMEOUT,
8366 			cur_params.dot11MeshHWMPactivePathTimeout) ||
8367 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_PREQ_MIN_INTERVAL,
8368 			cur_params.dot11MeshHWMPpreqMinInterval) ||
8369 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_PERR_MIN_INTERVAL,
8370 			cur_params.dot11MeshHWMPperrMinInterval) ||
8371 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_NET_DIAM_TRVS_TIME,
8372 			cur_params.dot11MeshHWMPnetDiameterTraversalTime) ||
8373 	    nla_put_u8(msg, NL80211_MESHCONF_HWMP_ROOTMODE,
8374 		       cur_params.dot11MeshHWMPRootMode) ||
8375 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_RANN_INTERVAL,
8376 			cur_params.dot11MeshHWMPRannInterval) ||
8377 	    nla_put_u8(msg, NL80211_MESHCONF_GATE_ANNOUNCEMENTS,
8378 		       cur_params.dot11MeshGateAnnouncementProtocol) ||
8379 	    nla_put_u8(msg, NL80211_MESHCONF_FORWARDING,
8380 		       cur_params.dot11MeshForwarding) ||
8381 	    nla_put_s32(msg, NL80211_MESHCONF_RSSI_THRESHOLD,
8382 			cur_params.rssi_threshold) ||
8383 	    nla_put_u32(msg, NL80211_MESHCONF_HT_OPMODE,
8384 			cur_params.ht_opmode) ||
8385 	    nla_put_u32(msg, NL80211_MESHCONF_HWMP_PATH_TO_ROOT_TIMEOUT,
8386 			cur_params.dot11MeshHWMPactivePathToRootTimeout) ||
8387 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_ROOT_INTERVAL,
8388 			cur_params.dot11MeshHWMProotInterval) ||
8389 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_CONFIRMATION_INTERVAL,
8390 			cur_params.dot11MeshHWMPconfirmationInterval) ||
8391 	    nla_put_u32(msg, NL80211_MESHCONF_POWER_MODE,
8392 			cur_params.power_mode) ||
8393 	    nla_put_u16(msg, NL80211_MESHCONF_AWAKE_WINDOW,
8394 			cur_params.dot11MeshAwakeWindowDuration) ||
8395 	    nla_put_u32(msg, NL80211_MESHCONF_PLINK_TIMEOUT,
8396 			cur_params.plink_timeout) ||
8397 	    nla_put_u8(msg, NL80211_MESHCONF_CONNECTED_TO_GATE,
8398 		       cur_params.dot11MeshConnectedToMeshGate) ||
8399 	    nla_put_u8(msg, NL80211_MESHCONF_NOLEARN,
8400 		       cur_params.dot11MeshNolearn) ||
8401 	    nla_put_u8(msg, NL80211_MESHCONF_CONNECTED_TO_AS,
8402 		       cur_params.dot11MeshConnectedToAuthServer))
8403 		goto nla_put_failure;
8404 	nla_nest_end(msg, pinfoattr);
8405 	genlmsg_end(msg, hdr);
8406 	return genlmsg_reply(msg, info);
8407 
8408  nla_put_failure:
8409  out:
8410 	nlmsg_free(msg);
8411 	return -ENOBUFS;
8412 }
8413 
8414 static const struct nla_policy
8415 nl80211_meshconf_params_policy[NL80211_MESHCONF_ATTR_MAX+1] = {
8416 	[NL80211_MESHCONF_RETRY_TIMEOUT] =
8417 		NLA_POLICY_RANGE(NLA_U16, 1, 255),
8418 	[NL80211_MESHCONF_CONFIRM_TIMEOUT] =
8419 		NLA_POLICY_RANGE(NLA_U16, 1, 255),
8420 	[NL80211_MESHCONF_HOLDING_TIMEOUT] =
8421 		NLA_POLICY_RANGE(NLA_U16, 1, 255),
8422 	[NL80211_MESHCONF_MAX_PEER_LINKS] =
8423 		NLA_POLICY_RANGE(NLA_U16, 0, 255),
8424 	[NL80211_MESHCONF_MAX_RETRIES] = NLA_POLICY_MAX(NLA_U8, 16),
8425 	[NL80211_MESHCONF_TTL] = NLA_POLICY_MIN(NLA_U8, 1),
8426 	[NL80211_MESHCONF_ELEMENT_TTL] = NLA_POLICY_MIN(NLA_U8, 1),
8427 	[NL80211_MESHCONF_AUTO_OPEN_PLINKS] = NLA_POLICY_MAX(NLA_U8, 1),
8428 	[NL80211_MESHCONF_SYNC_OFFSET_MAX_NEIGHBOR] =
8429 		NLA_POLICY_RANGE(NLA_U32, 1, 255),
8430 	[NL80211_MESHCONF_HWMP_MAX_PREQ_RETRIES] = { .type = NLA_U8 },
8431 	[NL80211_MESHCONF_PATH_REFRESH_TIME] = { .type = NLA_U32 },
8432 	[NL80211_MESHCONF_MIN_DISCOVERY_TIMEOUT] = NLA_POLICY_MIN(NLA_U16, 1),
8433 	[NL80211_MESHCONF_HWMP_ACTIVE_PATH_TIMEOUT] = { .type = NLA_U32 },
8434 	[NL80211_MESHCONF_HWMP_PREQ_MIN_INTERVAL] =
8435 		NLA_POLICY_MIN(NLA_U16, 1),
8436 	[NL80211_MESHCONF_HWMP_PERR_MIN_INTERVAL] =
8437 		NLA_POLICY_MIN(NLA_U16, 1),
8438 	[NL80211_MESHCONF_HWMP_NET_DIAM_TRVS_TIME] =
8439 		NLA_POLICY_MIN(NLA_U16, 1),
8440 	[NL80211_MESHCONF_HWMP_ROOTMODE] = NLA_POLICY_MAX(NLA_U8, 4),
8441 	[NL80211_MESHCONF_HWMP_RANN_INTERVAL] =
8442 		NLA_POLICY_MIN(NLA_U16, 1),
8443 	[NL80211_MESHCONF_GATE_ANNOUNCEMENTS] = NLA_POLICY_MAX(NLA_U8, 1),
8444 	[NL80211_MESHCONF_FORWARDING] = NLA_POLICY_MAX(NLA_U8, 1),
8445 	[NL80211_MESHCONF_RSSI_THRESHOLD] =
8446 		NLA_POLICY_RANGE(NLA_S32, -255, 0),
8447 	[NL80211_MESHCONF_HT_OPMODE] = { .type = NLA_U16 },
8448 	[NL80211_MESHCONF_HWMP_PATH_TO_ROOT_TIMEOUT] = { .type = NLA_U32 },
8449 	[NL80211_MESHCONF_HWMP_ROOT_INTERVAL] =
8450 		NLA_POLICY_MIN(NLA_U16, 1),
8451 	[NL80211_MESHCONF_HWMP_CONFIRMATION_INTERVAL] =
8452 		NLA_POLICY_MIN(NLA_U16, 1),
8453 	[NL80211_MESHCONF_POWER_MODE] =
8454 		NLA_POLICY_RANGE(NLA_U32,
8455 				 NL80211_MESH_POWER_ACTIVE,
8456 				 NL80211_MESH_POWER_MAX),
8457 	[NL80211_MESHCONF_AWAKE_WINDOW] = { .type = NLA_U16 },
8458 	[NL80211_MESHCONF_PLINK_TIMEOUT] = { .type = NLA_U32 },
8459 	[NL80211_MESHCONF_CONNECTED_TO_GATE] = NLA_POLICY_RANGE(NLA_U8, 0, 1),
8460 	[NL80211_MESHCONF_NOLEARN] = NLA_POLICY_RANGE(NLA_U8, 0, 1),
8461 	[NL80211_MESHCONF_CONNECTED_TO_AS] = NLA_POLICY_RANGE(NLA_U8, 0, 1),
8462 };
8463 
8464 static const struct nla_policy
8465 	nl80211_mesh_setup_params_policy[NL80211_MESH_SETUP_ATTR_MAX+1] = {
8466 	[NL80211_MESH_SETUP_ENABLE_VENDOR_SYNC] = { .type = NLA_U8 },
8467 	[NL80211_MESH_SETUP_ENABLE_VENDOR_PATH_SEL] = { .type = NLA_U8 },
8468 	[NL80211_MESH_SETUP_ENABLE_VENDOR_METRIC] = { .type = NLA_U8 },
8469 	[NL80211_MESH_SETUP_USERSPACE_AUTH] = { .type = NLA_FLAG },
8470 	[NL80211_MESH_SETUP_AUTH_PROTOCOL] = { .type = NLA_U8 },
8471 	[NL80211_MESH_SETUP_USERSPACE_MPM] = { .type = NLA_FLAG },
8472 	[NL80211_MESH_SETUP_IE] =
8473 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_ie_attr,
8474 				       IEEE80211_MAX_DATA_LEN),
8475 	[NL80211_MESH_SETUP_USERSPACE_AMPE] = { .type = NLA_FLAG },
8476 };
8477 
8478 static int nl80211_parse_mesh_config(struct genl_info *info,
8479 				     struct mesh_config *cfg,
8480 				     u32 *mask_out)
8481 {
8482 	struct nlattr *tb[NL80211_MESHCONF_ATTR_MAX + 1];
8483 	u32 mask = 0;
8484 	u16 ht_opmode;
8485 
8486 #define FILL_IN_MESH_PARAM_IF_SET(tb, cfg, param, mask, attr, fn)	\
8487 do {									\
8488 	if (tb[attr]) {							\
8489 		cfg->param = fn(tb[attr]);				\
8490 		mask |= BIT((attr) - 1);				\
8491 	}								\
8492 } while (0)
8493 
8494 	if (!info->attrs[NL80211_ATTR_MESH_CONFIG])
8495 		return -EINVAL;
8496 	if (nla_parse_nested_deprecated(tb, NL80211_MESHCONF_ATTR_MAX, info->attrs[NL80211_ATTR_MESH_CONFIG], nl80211_meshconf_params_policy, info->extack))
8497 		return -EINVAL;
8498 
8499 	/* This makes sure that there aren't more than 32 mesh config
8500 	 * parameters (otherwise our bitfield scheme would not work.) */
8501 	BUILD_BUG_ON(NL80211_MESHCONF_ATTR_MAX > 32);
8502 
8503 	/* Fill in the params struct */
8504 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshRetryTimeout, mask,
8505 				  NL80211_MESHCONF_RETRY_TIMEOUT, nla_get_u16);
8506 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshConfirmTimeout, mask,
8507 				  NL80211_MESHCONF_CONFIRM_TIMEOUT,
8508 				  nla_get_u16);
8509 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHoldingTimeout, mask,
8510 				  NL80211_MESHCONF_HOLDING_TIMEOUT,
8511 				  nla_get_u16);
8512 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshMaxPeerLinks, mask,
8513 				  NL80211_MESHCONF_MAX_PEER_LINKS,
8514 				  nla_get_u16);
8515 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshMaxRetries, mask,
8516 				  NL80211_MESHCONF_MAX_RETRIES, nla_get_u8);
8517 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshTTL, mask,
8518 				  NL80211_MESHCONF_TTL, nla_get_u8);
8519 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, element_ttl, mask,
8520 				  NL80211_MESHCONF_ELEMENT_TTL, nla_get_u8);
8521 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, auto_open_plinks, mask,
8522 				  NL80211_MESHCONF_AUTO_OPEN_PLINKS,
8523 				  nla_get_u8);
8524 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshNbrOffsetMaxNeighbor,
8525 				  mask,
8526 				  NL80211_MESHCONF_SYNC_OFFSET_MAX_NEIGHBOR,
8527 				  nla_get_u32);
8528 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPmaxPREQretries, mask,
8529 				  NL80211_MESHCONF_HWMP_MAX_PREQ_RETRIES,
8530 				  nla_get_u8);
8531 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, path_refresh_time, mask,
8532 				  NL80211_MESHCONF_PATH_REFRESH_TIME,
8533 				  nla_get_u32);
8534 	if (mask & BIT(NL80211_MESHCONF_PATH_REFRESH_TIME) &&
8535 	    (cfg->path_refresh_time < 1 || cfg->path_refresh_time > 65535))
8536 		return -EINVAL;
8537 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, min_discovery_timeout, mask,
8538 				  NL80211_MESHCONF_MIN_DISCOVERY_TIMEOUT,
8539 				  nla_get_u16);
8540 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPactivePathTimeout,
8541 				  mask,
8542 				  NL80211_MESHCONF_HWMP_ACTIVE_PATH_TIMEOUT,
8543 				  nla_get_u32);
8544 	if (mask & BIT(NL80211_MESHCONF_HWMP_ACTIVE_PATH_TIMEOUT) &&
8545 	    (cfg->dot11MeshHWMPactivePathTimeout < 1 ||
8546 	     cfg->dot11MeshHWMPactivePathTimeout > 65535))
8547 		return -EINVAL;
8548 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPpreqMinInterval, mask,
8549 				  NL80211_MESHCONF_HWMP_PREQ_MIN_INTERVAL,
8550 				  nla_get_u16);
8551 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPperrMinInterval, mask,
8552 				  NL80211_MESHCONF_HWMP_PERR_MIN_INTERVAL,
8553 				  nla_get_u16);
8554 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg,
8555 				  dot11MeshHWMPnetDiameterTraversalTime, mask,
8556 				  NL80211_MESHCONF_HWMP_NET_DIAM_TRVS_TIME,
8557 				  nla_get_u16);
8558 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPRootMode, mask,
8559 				  NL80211_MESHCONF_HWMP_ROOTMODE, nla_get_u8);
8560 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPRannInterval, mask,
8561 				  NL80211_MESHCONF_HWMP_RANN_INTERVAL,
8562 				  nla_get_u16);
8563 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshGateAnnouncementProtocol,
8564 				  mask, NL80211_MESHCONF_GATE_ANNOUNCEMENTS,
8565 				  nla_get_u8);
8566 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshForwarding, mask,
8567 				  NL80211_MESHCONF_FORWARDING, nla_get_u8);
8568 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, rssi_threshold, mask,
8569 				  NL80211_MESHCONF_RSSI_THRESHOLD,
8570 				  nla_get_s32);
8571 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshConnectedToMeshGate, mask,
8572 				  NL80211_MESHCONF_CONNECTED_TO_GATE,
8573 				  nla_get_u8);
8574 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshConnectedToAuthServer, mask,
8575 				  NL80211_MESHCONF_CONNECTED_TO_AS,
8576 				  nla_get_u8);
8577 	/*
8578 	 * Check HT operation mode based on
8579 	 * IEEE 802.11-2016 9.4.2.57 HT Operation element.
8580 	 */
8581 	if (tb[NL80211_MESHCONF_HT_OPMODE]) {
8582 		ht_opmode = nla_get_u16(tb[NL80211_MESHCONF_HT_OPMODE]);
8583 
8584 		if (ht_opmode & ~(IEEE80211_HT_OP_MODE_PROTECTION |
8585 				  IEEE80211_HT_OP_MODE_NON_GF_STA_PRSNT |
8586 				  IEEE80211_HT_OP_MODE_NON_HT_STA_PRSNT))
8587 			return -EINVAL;
8588 
8589 		/* NON_HT_STA bit is reserved, but some programs set it */
8590 		ht_opmode &= ~IEEE80211_HT_OP_MODE_NON_HT_STA_PRSNT;
8591 
8592 		cfg->ht_opmode = ht_opmode;
8593 		mask |= (1 << (NL80211_MESHCONF_HT_OPMODE - 1));
8594 	}
8595 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg,
8596 				  dot11MeshHWMPactivePathToRootTimeout, mask,
8597 				  NL80211_MESHCONF_HWMP_PATH_TO_ROOT_TIMEOUT,
8598 				  nla_get_u32);
8599 	if (mask & BIT(NL80211_MESHCONF_HWMP_PATH_TO_ROOT_TIMEOUT) &&
8600 	    (cfg->dot11MeshHWMPactivePathToRootTimeout < 1 ||
8601 	     cfg->dot11MeshHWMPactivePathToRootTimeout > 65535))
8602 		return -EINVAL;
8603 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMProotInterval, mask,
8604 				  NL80211_MESHCONF_HWMP_ROOT_INTERVAL,
8605 				  nla_get_u16);
8606 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPconfirmationInterval,
8607 				  mask,
8608 				  NL80211_MESHCONF_HWMP_CONFIRMATION_INTERVAL,
8609 				  nla_get_u16);
8610 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, power_mode, mask,
8611 				  NL80211_MESHCONF_POWER_MODE, nla_get_u32);
8612 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshAwakeWindowDuration, mask,
8613 				  NL80211_MESHCONF_AWAKE_WINDOW, nla_get_u16);
8614 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, plink_timeout, mask,
8615 				  NL80211_MESHCONF_PLINK_TIMEOUT, nla_get_u32);
8616 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshNolearn, mask,
8617 				  NL80211_MESHCONF_NOLEARN, nla_get_u8);
8618 	if (mask_out)
8619 		*mask_out = mask;
8620 
8621 	return 0;
8622 
8623 #undef FILL_IN_MESH_PARAM_IF_SET
8624 }
8625 
8626 static int nl80211_parse_mesh_setup(struct genl_info *info,
8627 				     struct mesh_setup *setup)
8628 {
8629 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8630 	struct nlattr *tb[NL80211_MESH_SETUP_ATTR_MAX + 1];
8631 
8632 	if (!info->attrs[NL80211_ATTR_MESH_SETUP])
8633 		return -EINVAL;
8634 	if (nla_parse_nested_deprecated(tb, NL80211_MESH_SETUP_ATTR_MAX, info->attrs[NL80211_ATTR_MESH_SETUP], nl80211_mesh_setup_params_policy, info->extack))
8635 		return -EINVAL;
8636 
8637 	if (tb[NL80211_MESH_SETUP_ENABLE_VENDOR_SYNC])
8638 		setup->sync_method =
8639 		(nla_get_u8(tb[NL80211_MESH_SETUP_ENABLE_VENDOR_SYNC])) ?
8640 		 IEEE80211_SYNC_METHOD_VENDOR :
8641 		 IEEE80211_SYNC_METHOD_NEIGHBOR_OFFSET;
8642 
8643 	if (tb[NL80211_MESH_SETUP_ENABLE_VENDOR_PATH_SEL])
8644 		setup->path_sel_proto =
8645 		(nla_get_u8(tb[NL80211_MESH_SETUP_ENABLE_VENDOR_PATH_SEL])) ?
8646 		 IEEE80211_PATH_PROTOCOL_VENDOR :
8647 		 IEEE80211_PATH_PROTOCOL_HWMP;
8648 
8649 	if (tb[NL80211_MESH_SETUP_ENABLE_VENDOR_METRIC])
8650 		setup->path_metric =
8651 		(nla_get_u8(tb[NL80211_MESH_SETUP_ENABLE_VENDOR_METRIC])) ?
8652 		 IEEE80211_PATH_METRIC_VENDOR :
8653 		 IEEE80211_PATH_METRIC_AIRTIME;
8654 
8655 	if (tb[NL80211_MESH_SETUP_IE]) {
8656 		struct nlattr *ieattr =
8657 			tb[NL80211_MESH_SETUP_IE];
8658 		setup->ie = nla_data(ieattr);
8659 		setup->ie_len = nla_len(ieattr);
8660 	}
8661 	if (tb[NL80211_MESH_SETUP_USERSPACE_MPM] &&
8662 	    !(rdev->wiphy.features & NL80211_FEATURE_USERSPACE_MPM))
8663 		return -EINVAL;
8664 	setup->user_mpm = nla_get_flag(tb[NL80211_MESH_SETUP_USERSPACE_MPM]);
8665 	setup->is_authenticated = nla_get_flag(tb[NL80211_MESH_SETUP_USERSPACE_AUTH]);
8666 	setup->is_secure = nla_get_flag(tb[NL80211_MESH_SETUP_USERSPACE_AMPE]);
8667 	if (setup->is_secure)
8668 		setup->user_mpm = true;
8669 
8670 	if (tb[NL80211_MESH_SETUP_AUTH_PROTOCOL]) {
8671 		if (!setup->user_mpm)
8672 			return -EINVAL;
8673 		setup->auth_id =
8674 			nla_get_u8(tb[NL80211_MESH_SETUP_AUTH_PROTOCOL]);
8675 	}
8676 
8677 	return 0;
8678 }
8679 
8680 static int nl80211_update_mesh_config(struct sk_buff *skb,
8681 				      struct genl_info *info)
8682 {
8683 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8684 	struct net_device *dev = info->user_ptr[1];
8685 	struct wireless_dev *wdev = dev->ieee80211_ptr;
8686 	struct mesh_config cfg = {};
8687 	u32 mask;
8688 	int err;
8689 
8690 	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT)
8691 		return -EOPNOTSUPP;
8692 
8693 	if (!rdev->ops->update_mesh_config)
8694 		return -EOPNOTSUPP;
8695 
8696 	err = nl80211_parse_mesh_config(info, &cfg, &mask);
8697 	if (err)
8698 		return err;
8699 
8700 	if (!wdev->u.mesh.id_len)
8701 		err = -ENOLINK;
8702 
8703 	if (!err)
8704 		err = rdev_update_mesh_config(rdev, dev, mask, &cfg);
8705 
8706 	return err;
8707 }
8708 
8709 static int nl80211_put_regdom(const struct ieee80211_regdomain *regdom,
8710 			      struct sk_buff *msg)
8711 {
8712 	struct nlattr *nl_reg_rules;
8713 	unsigned int i;
8714 
8715 	if (nla_put_string(msg, NL80211_ATTR_REG_ALPHA2, regdom->alpha2) ||
8716 	    (regdom->dfs_region &&
8717 	     nla_put_u8(msg, NL80211_ATTR_DFS_REGION, regdom->dfs_region)))
8718 		goto nla_put_failure;
8719 
8720 	nl_reg_rules = nla_nest_start_noflag(msg, NL80211_ATTR_REG_RULES);
8721 	if (!nl_reg_rules)
8722 		goto nla_put_failure;
8723 
8724 	for (i = 0; i < regdom->n_reg_rules; i++) {
8725 		struct nlattr *nl_reg_rule;
8726 		const struct ieee80211_reg_rule *reg_rule;
8727 		const struct ieee80211_freq_range *freq_range;
8728 		const struct ieee80211_power_rule *power_rule;
8729 		unsigned int max_bandwidth_khz;
8730 
8731 		reg_rule = &regdom->reg_rules[i];
8732 		freq_range = &reg_rule->freq_range;
8733 		power_rule = &reg_rule->power_rule;
8734 
8735 		nl_reg_rule = nla_nest_start_noflag(msg, i);
8736 		if (!nl_reg_rule)
8737 			goto nla_put_failure;
8738 
8739 		max_bandwidth_khz = freq_range->max_bandwidth_khz;
8740 		if (!max_bandwidth_khz)
8741 			max_bandwidth_khz = reg_get_max_bandwidth(regdom,
8742 								  reg_rule);
8743 
8744 		if (nla_put_u32(msg, NL80211_ATTR_REG_RULE_FLAGS,
8745 				reg_rule->flags) ||
8746 		    nla_put_u32(msg, NL80211_ATTR_FREQ_RANGE_START,
8747 				freq_range->start_freq_khz) ||
8748 		    nla_put_u32(msg, NL80211_ATTR_FREQ_RANGE_END,
8749 				freq_range->end_freq_khz) ||
8750 		    nla_put_u32(msg, NL80211_ATTR_FREQ_RANGE_MAX_BW,
8751 				max_bandwidth_khz) ||
8752 		    nla_put_u32(msg, NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN,
8753 				power_rule->max_antenna_gain) ||
8754 		    nla_put_u32(msg, NL80211_ATTR_POWER_RULE_MAX_EIRP,
8755 				power_rule->max_eirp) ||
8756 		    nla_put_u32(msg, NL80211_ATTR_DFS_CAC_TIME,
8757 				reg_rule->dfs_cac_ms))
8758 			goto nla_put_failure;
8759 
8760 		if ((reg_rule->flags & NL80211_RRF_PSD) &&
8761 		    nla_put_s8(msg, NL80211_ATTR_POWER_RULE_PSD,
8762 			       reg_rule->psd))
8763 			goto nla_put_failure;
8764 
8765 		nla_nest_end(msg, nl_reg_rule);
8766 	}
8767 
8768 	nla_nest_end(msg, nl_reg_rules);
8769 	return 0;
8770 
8771 nla_put_failure:
8772 	return -EMSGSIZE;
8773 }
8774 
8775 static int nl80211_get_reg_do(struct sk_buff *skb, struct genl_info *info)
8776 {
8777 	const struct ieee80211_regdomain *regdom = NULL;
8778 	struct cfg80211_registered_device *rdev;
8779 	struct wiphy *wiphy = NULL;
8780 	struct sk_buff *msg;
8781 	int err = -EMSGSIZE;
8782 	void *hdr;
8783 
8784 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
8785 	if (!msg)
8786 		return -ENOBUFS;
8787 
8788 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
8789 			     NL80211_CMD_GET_REG);
8790 	if (!hdr)
8791 		goto put_failure;
8792 
8793 	rtnl_lock();
8794 
8795 	if (info->attrs[NL80211_ATTR_WIPHY]) {
8796 		bool self_managed;
8797 
8798 		rdev = cfg80211_get_dev_from_info(genl_info_net(info), info);
8799 		if (IS_ERR(rdev)) {
8800 			err = PTR_ERR(rdev);
8801 			goto nla_put_failure;
8802 		}
8803 
8804 		wiphy = &rdev->wiphy;
8805 		self_managed = wiphy->regulatory_flags &
8806 			       REGULATORY_WIPHY_SELF_MANAGED;
8807 
8808 		rcu_read_lock();
8809 
8810 		regdom = get_wiphy_regdom(wiphy);
8811 
8812 		/* a self-managed-reg device must have a private regdom */
8813 		if (WARN_ON(!regdom && self_managed)) {
8814 			err = -EINVAL;
8815 			goto nla_put_failure_rcu;
8816 		}
8817 
8818 		if (regdom &&
8819 		    nla_put_u32(msg, NL80211_ATTR_WIPHY, get_wiphy_idx(wiphy)))
8820 			goto nla_put_failure_rcu;
8821 	} else {
8822 		rcu_read_lock();
8823 	}
8824 
8825 	if (!wiphy && reg_last_request_cell_base() &&
8826 	    nla_put_u32(msg, NL80211_ATTR_USER_REG_HINT_TYPE,
8827 			NL80211_USER_REG_HINT_CELL_BASE))
8828 		goto nla_put_failure_rcu;
8829 
8830 	if (!regdom)
8831 		regdom = rcu_dereference(cfg80211_regdomain);
8832 
8833 	if (nl80211_put_regdom(regdom, msg))
8834 		goto nla_put_failure_rcu;
8835 
8836 	rcu_read_unlock();
8837 
8838 	genlmsg_end(msg, hdr);
8839 	rtnl_unlock();
8840 	return genlmsg_reply(msg, info);
8841 
8842 nla_put_failure_rcu:
8843 	rcu_read_unlock();
8844 nla_put_failure:
8845 	rtnl_unlock();
8846 put_failure:
8847 	nlmsg_free(msg);
8848 	return err;
8849 }
8850 
8851 static int nl80211_send_regdom(struct sk_buff *msg, struct netlink_callback *cb,
8852 			       u32 seq, int flags, struct wiphy *wiphy,
8853 			       const struct ieee80211_regdomain *regdom)
8854 {
8855 	void *hdr = nl80211hdr_put(msg, NETLINK_CB(cb->skb).portid, seq, flags,
8856 				   NL80211_CMD_GET_REG);
8857 
8858 	if (!hdr)
8859 		return -1;
8860 
8861 	genl_dump_check_consistent(cb, hdr);
8862 
8863 	if (nl80211_put_regdom(regdom, msg))
8864 		goto nla_put_failure;
8865 
8866 	if (!wiphy && reg_last_request_cell_base() &&
8867 	    nla_put_u32(msg, NL80211_ATTR_USER_REG_HINT_TYPE,
8868 			NL80211_USER_REG_HINT_CELL_BASE))
8869 		goto nla_put_failure;
8870 
8871 	if (wiphy &&
8872 	    nla_put_u32(msg, NL80211_ATTR_WIPHY, get_wiphy_idx(wiphy)))
8873 		goto nla_put_failure;
8874 
8875 	if (wiphy && wiphy->regulatory_flags & REGULATORY_WIPHY_SELF_MANAGED &&
8876 	    nla_put_flag(msg, NL80211_ATTR_WIPHY_SELF_MANAGED_REG))
8877 		goto nla_put_failure;
8878 
8879 	genlmsg_end(msg, hdr);
8880 	return 0;
8881 
8882 nla_put_failure:
8883 	genlmsg_cancel(msg, hdr);
8884 	return -EMSGSIZE;
8885 }
8886 
8887 static int nl80211_get_reg_dump(struct sk_buff *skb,
8888 				struct netlink_callback *cb)
8889 {
8890 	const struct ieee80211_regdomain *regdom = NULL;
8891 	struct cfg80211_registered_device *rdev;
8892 	int err, reg_idx, start = cb->args[2];
8893 
8894 	rcu_read_lock();
8895 
8896 	if (cfg80211_regdomain && start == 0) {
8897 		err = nl80211_send_regdom(skb, cb, cb->nlh->nlmsg_seq,
8898 					  NLM_F_MULTI, NULL,
8899 					  rcu_dereference(cfg80211_regdomain));
8900 		if (err < 0)
8901 			goto out_err;
8902 	}
8903 
8904 	/* the global regdom is idx 0 */
8905 	reg_idx = 1;
8906 	list_for_each_entry_rcu(rdev, &cfg80211_rdev_list, list) {
8907 		regdom = get_wiphy_regdom(&rdev->wiphy);
8908 		if (!regdom)
8909 			continue;
8910 
8911 		if (++reg_idx <= start)
8912 			continue;
8913 
8914 		err = nl80211_send_regdom(skb, cb, cb->nlh->nlmsg_seq,
8915 					  NLM_F_MULTI, &rdev->wiphy, regdom);
8916 		if (err < 0) {
8917 			reg_idx--;
8918 			break;
8919 		}
8920 	}
8921 
8922 	cb->args[2] = reg_idx;
8923 	err = skb->len;
8924 out_err:
8925 	rcu_read_unlock();
8926 	return err;
8927 }
8928 
8929 #ifdef CONFIG_CFG80211_CRDA_SUPPORT
8930 static const struct nla_policy reg_rule_policy[NL80211_REG_RULE_ATTR_MAX + 1] = {
8931 	[NL80211_ATTR_REG_RULE_FLAGS]		= { .type = NLA_U32 },
8932 	[NL80211_ATTR_FREQ_RANGE_START]		= { .type = NLA_U32 },
8933 	[NL80211_ATTR_FREQ_RANGE_END]		= { .type = NLA_U32 },
8934 	[NL80211_ATTR_FREQ_RANGE_MAX_BW]	= { .type = NLA_U32 },
8935 	[NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN]	= { .type = NLA_U32 },
8936 	[NL80211_ATTR_POWER_RULE_MAX_EIRP]	= { .type = NLA_U32 },
8937 	[NL80211_ATTR_DFS_CAC_TIME]		= { .type = NLA_U32 },
8938 };
8939 
8940 static int parse_reg_rule(struct nlattr *tb[],
8941 	struct ieee80211_reg_rule *reg_rule)
8942 {
8943 	struct ieee80211_freq_range *freq_range = &reg_rule->freq_range;
8944 	struct ieee80211_power_rule *power_rule = &reg_rule->power_rule;
8945 
8946 	if (!tb[NL80211_ATTR_REG_RULE_FLAGS])
8947 		return -EINVAL;
8948 	if (!tb[NL80211_ATTR_FREQ_RANGE_START])
8949 		return -EINVAL;
8950 	if (!tb[NL80211_ATTR_FREQ_RANGE_END])
8951 		return -EINVAL;
8952 	if (!tb[NL80211_ATTR_FREQ_RANGE_MAX_BW])
8953 		return -EINVAL;
8954 	if (!tb[NL80211_ATTR_POWER_RULE_MAX_EIRP])
8955 		return -EINVAL;
8956 
8957 	reg_rule->flags = nla_get_u32(tb[NL80211_ATTR_REG_RULE_FLAGS]);
8958 
8959 	freq_range->start_freq_khz =
8960 		nla_get_u32(tb[NL80211_ATTR_FREQ_RANGE_START]);
8961 	freq_range->end_freq_khz =
8962 		nla_get_u32(tb[NL80211_ATTR_FREQ_RANGE_END]);
8963 	freq_range->max_bandwidth_khz =
8964 		nla_get_u32(tb[NL80211_ATTR_FREQ_RANGE_MAX_BW]);
8965 
8966 	power_rule->max_eirp =
8967 		nla_get_u32(tb[NL80211_ATTR_POWER_RULE_MAX_EIRP]);
8968 
8969 	if (tb[NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN])
8970 		power_rule->max_antenna_gain =
8971 			nla_get_u32(tb[NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN]);
8972 
8973 	if (tb[NL80211_ATTR_DFS_CAC_TIME])
8974 		reg_rule->dfs_cac_ms =
8975 			nla_get_u32(tb[NL80211_ATTR_DFS_CAC_TIME]);
8976 
8977 	return 0;
8978 }
8979 
8980 static int nl80211_set_reg(struct sk_buff *skb, struct genl_info *info)
8981 {
8982 	struct nlattr *tb[NL80211_REG_RULE_ATTR_MAX + 1];
8983 	struct nlattr *nl_reg_rule;
8984 	char *alpha2;
8985 	int rem_reg_rules, r;
8986 	u32 num_rules = 0, rule_idx = 0;
8987 	enum nl80211_dfs_regions dfs_region = NL80211_DFS_UNSET;
8988 	struct ieee80211_regdomain *rd;
8989 
8990 	if (!info->attrs[NL80211_ATTR_REG_ALPHA2])
8991 		return -EINVAL;
8992 
8993 	if (!info->attrs[NL80211_ATTR_REG_RULES])
8994 		return -EINVAL;
8995 
8996 	alpha2 = nla_data(info->attrs[NL80211_ATTR_REG_ALPHA2]);
8997 
8998 	if (info->attrs[NL80211_ATTR_DFS_REGION])
8999 		dfs_region = nla_get_u8(info->attrs[NL80211_ATTR_DFS_REGION]);
9000 
9001 	nla_for_each_nested(nl_reg_rule, info->attrs[NL80211_ATTR_REG_RULES],
9002 			    rem_reg_rules) {
9003 		num_rules++;
9004 		if (num_rules > NL80211_MAX_SUPP_REG_RULES)
9005 			return -EINVAL;
9006 	}
9007 
9008 	rtnl_lock();
9009 	if (!reg_is_valid_request(alpha2)) {
9010 		r = -EINVAL;
9011 		goto out;
9012 	}
9013 
9014 	rd = kzalloc(struct_size(rd, reg_rules, num_rules), GFP_KERNEL);
9015 	if (!rd) {
9016 		r = -ENOMEM;
9017 		goto out;
9018 	}
9019 
9020 	rd->n_reg_rules = num_rules;
9021 	rd->alpha2[0] = alpha2[0];
9022 	rd->alpha2[1] = alpha2[1];
9023 
9024 	/*
9025 	 * Disable DFS master mode if the DFS region was
9026 	 * not supported or known on this kernel.
9027 	 */
9028 	if (reg_supported_dfs_region(dfs_region))
9029 		rd->dfs_region = dfs_region;
9030 
9031 	nla_for_each_nested(nl_reg_rule, info->attrs[NL80211_ATTR_REG_RULES],
9032 			    rem_reg_rules) {
9033 		r = nla_parse_nested_deprecated(tb, NL80211_REG_RULE_ATTR_MAX,
9034 						nl_reg_rule, reg_rule_policy,
9035 						info->extack);
9036 		if (r)
9037 			goto bad_reg;
9038 		r = parse_reg_rule(tb, &rd->reg_rules[rule_idx]);
9039 		if (r)
9040 			goto bad_reg;
9041 
9042 		rule_idx++;
9043 
9044 		if (rule_idx > NL80211_MAX_SUPP_REG_RULES) {
9045 			r = -EINVAL;
9046 			goto bad_reg;
9047 		}
9048 	}
9049 
9050 	r = set_regdom(rd, REGD_SOURCE_CRDA);
9051 	/* set_regdom takes ownership of rd */
9052 	rd = NULL;
9053  bad_reg:
9054 	kfree(rd);
9055  out:
9056 	rtnl_unlock();
9057 	return r;
9058 }
9059 #endif /* CONFIG_CFG80211_CRDA_SUPPORT */
9060 
9061 static int validate_scan_freqs(struct nlattr *freqs)
9062 {
9063 	struct nlattr *attr1, *attr2;
9064 	int n_channels = 0, tmp1, tmp2;
9065 
9066 	nla_for_each_nested(attr1, freqs, tmp1)
9067 		if (nla_len(attr1) != sizeof(u32))
9068 			return 0;
9069 
9070 	nla_for_each_nested(attr1, freqs, tmp1) {
9071 		n_channels++;
9072 		/*
9073 		 * Some hardware has a limited channel list for
9074 		 * scanning, and it is pretty much nonsensical
9075 		 * to scan for a channel twice, so disallow that
9076 		 * and don't require drivers to check that the
9077 		 * channel list they get isn't longer than what
9078 		 * they can scan, as long as they can scan all
9079 		 * the channels they registered at once.
9080 		 */
9081 		nla_for_each_nested(attr2, freqs, tmp2)
9082 			if (attr1 != attr2 &&
9083 			    nla_get_u32(attr1) == nla_get_u32(attr2))
9084 				return 0;
9085 	}
9086 
9087 	return n_channels;
9088 }
9089 
9090 static bool is_band_valid(struct wiphy *wiphy, enum nl80211_band b)
9091 {
9092 	return b < NUM_NL80211_BANDS && wiphy->bands[b];
9093 }
9094 
9095 static int parse_bss_select(struct nlattr *nla, struct wiphy *wiphy,
9096 			    struct cfg80211_bss_selection *bss_select)
9097 {
9098 	struct nlattr *attr[NL80211_BSS_SELECT_ATTR_MAX + 1];
9099 	struct nlattr *nest;
9100 	int err;
9101 	bool found = false;
9102 	int i;
9103 
9104 	/* only process one nested attribute */
9105 	nest = nla_data(nla);
9106 	if (!nla_ok(nest, nla_len(nest)))
9107 		return -EINVAL;
9108 
9109 	err = nla_parse_nested_deprecated(attr, NL80211_BSS_SELECT_ATTR_MAX,
9110 					  nest, nl80211_bss_select_policy,
9111 					  NULL);
9112 	if (err)
9113 		return err;
9114 
9115 	/* only one attribute may be given */
9116 	for (i = 0; i <= NL80211_BSS_SELECT_ATTR_MAX; i++) {
9117 		if (attr[i]) {
9118 			if (found)
9119 				return -EINVAL;
9120 			found = true;
9121 		}
9122 	}
9123 
9124 	bss_select->behaviour = __NL80211_BSS_SELECT_ATTR_INVALID;
9125 
9126 	if (attr[NL80211_BSS_SELECT_ATTR_RSSI])
9127 		bss_select->behaviour = NL80211_BSS_SELECT_ATTR_RSSI;
9128 
9129 	if (attr[NL80211_BSS_SELECT_ATTR_BAND_PREF]) {
9130 		bss_select->behaviour = NL80211_BSS_SELECT_ATTR_BAND_PREF;
9131 		bss_select->param.band_pref =
9132 			nla_get_u32(attr[NL80211_BSS_SELECT_ATTR_BAND_PREF]);
9133 		if (!is_band_valid(wiphy, bss_select->param.band_pref))
9134 			return -EINVAL;
9135 	}
9136 
9137 	if (attr[NL80211_BSS_SELECT_ATTR_RSSI_ADJUST]) {
9138 		struct nl80211_bss_select_rssi_adjust *adj_param;
9139 
9140 		adj_param = nla_data(attr[NL80211_BSS_SELECT_ATTR_RSSI_ADJUST]);
9141 		bss_select->behaviour = NL80211_BSS_SELECT_ATTR_RSSI_ADJUST;
9142 		bss_select->param.adjust.band = adj_param->band;
9143 		bss_select->param.adjust.delta = adj_param->delta;
9144 		if (!is_band_valid(wiphy, bss_select->param.adjust.band))
9145 			return -EINVAL;
9146 	}
9147 
9148 	/* user-space did not provide behaviour attribute */
9149 	if (bss_select->behaviour == __NL80211_BSS_SELECT_ATTR_INVALID)
9150 		return -EINVAL;
9151 
9152 	if (!(wiphy->bss_select_support & BIT(bss_select->behaviour)))
9153 		return -EINVAL;
9154 
9155 	return 0;
9156 }
9157 
9158 int nl80211_parse_random_mac(struct nlattr **attrs,
9159 			     u8 *mac_addr, u8 *mac_addr_mask)
9160 {
9161 	int i;
9162 
9163 	if (!attrs[NL80211_ATTR_MAC] && !attrs[NL80211_ATTR_MAC_MASK]) {
9164 		eth_zero_addr(mac_addr);
9165 		eth_zero_addr(mac_addr_mask);
9166 		mac_addr[0] = 0x2;
9167 		mac_addr_mask[0] = 0x3;
9168 
9169 		return 0;
9170 	}
9171 
9172 	/* need both or none */
9173 	if (!attrs[NL80211_ATTR_MAC] || !attrs[NL80211_ATTR_MAC_MASK])
9174 		return -EINVAL;
9175 
9176 	memcpy(mac_addr, nla_data(attrs[NL80211_ATTR_MAC]), ETH_ALEN);
9177 	memcpy(mac_addr_mask, nla_data(attrs[NL80211_ATTR_MAC_MASK]), ETH_ALEN);
9178 
9179 	/* don't allow or configure an mcast address */
9180 	if (!is_multicast_ether_addr(mac_addr_mask) ||
9181 	    is_multicast_ether_addr(mac_addr))
9182 		return -EINVAL;
9183 
9184 	/*
9185 	 * allow users to pass a MAC address that has bits set outside
9186 	 * of the mask, but don't bother drivers with having to deal
9187 	 * with such bits
9188 	 */
9189 	for (i = 0; i < ETH_ALEN; i++)
9190 		mac_addr[i] &= mac_addr_mask[i];
9191 
9192 	return 0;
9193 }
9194 
9195 static bool cfg80211_off_channel_oper_allowed(struct wireless_dev *wdev,
9196 					      struct ieee80211_channel *chan)
9197 {
9198 	unsigned int link_id;
9199 	bool all_ok = true;
9200 
9201 	lockdep_assert_wiphy(wdev->wiphy);
9202 
9203 	if (!cfg80211_wdev_channel_allowed(wdev, chan))
9204 		return false;
9205 
9206 	if (!cfg80211_beaconing_iface_active(wdev))
9207 		return true;
9208 
9209 	/*
9210 	 * FIXME: check if we have a free HW resource/link for chan
9211 	 *
9212 	 * This, as well as the FIXME below, requires knowing the link
9213 	 * capabilities of the hardware.
9214 	 */
9215 
9216 	/* we cannot leave radar channels */
9217 	for_each_valid_link(wdev, link_id) {
9218 		struct cfg80211_chan_def *chandef;
9219 
9220 		chandef = wdev_chandef(wdev, link_id);
9221 		if (!chandef || !chandef->chan)
9222 			continue;
9223 
9224 		/*
9225 		 * FIXME: don't require all_ok, but rather check only the
9226 		 *	  correct HW resource/link onto which 'chan' falls,
9227 		 *	  as only that link leaves the channel for doing
9228 		 *	  the off-channel operation.
9229 		 */
9230 
9231 		if (chandef->chan->flags & IEEE80211_CHAN_RADAR)
9232 			all_ok = false;
9233 	}
9234 
9235 	if (all_ok)
9236 		return true;
9237 
9238 	return regulatory_pre_cac_allowed(wdev->wiphy);
9239 }
9240 
9241 static bool nl80211_check_scan_feat(struct wiphy *wiphy, u32 flags, u32 flag,
9242 				    enum nl80211_ext_feature_index feat)
9243 {
9244 	if (!(flags & flag))
9245 		return true;
9246 	if (wiphy_ext_feature_isset(wiphy, feat))
9247 		return true;
9248 	return false;
9249 }
9250 
9251 static int
9252 nl80211_check_scan_flags(struct wiphy *wiphy, struct wireless_dev *wdev,
9253 			 void *request, struct nlattr **attrs,
9254 			 bool is_sched_scan)
9255 {
9256 	u8 *mac_addr, *mac_addr_mask;
9257 	u32 *flags;
9258 	enum nl80211_feature_flags randomness_flag;
9259 
9260 	if (!attrs[NL80211_ATTR_SCAN_FLAGS])
9261 		return 0;
9262 
9263 	if (is_sched_scan) {
9264 		struct cfg80211_sched_scan_request *req = request;
9265 
9266 		randomness_flag = wdev ?
9267 				  NL80211_FEATURE_SCHED_SCAN_RANDOM_MAC_ADDR :
9268 				  NL80211_FEATURE_ND_RANDOM_MAC_ADDR;
9269 		flags = &req->flags;
9270 		mac_addr = req->mac_addr;
9271 		mac_addr_mask = req->mac_addr_mask;
9272 	} else {
9273 		struct cfg80211_scan_request *req = request;
9274 
9275 		randomness_flag = NL80211_FEATURE_SCAN_RANDOM_MAC_ADDR;
9276 		flags = &req->flags;
9277 		mac_addr = req->mac_addr;
9278 		mac_addr_mask = req->mac_addr_mask;
9279 	}
9280 
9281 	*flags = nla_get_u32(attrs[NL80211_ATTR_SCAN_FLAGS]);
9282 
9283 	if (((*flags & NL80211_SCAN_FLAG_LOW_PRIORITY) &&
9284 	     !(wiphy->features & NL80211_FEATURE_LOW_PRIORITY_SCAN)) ||
9285 	    !nl80211_check_scan_feat(wiphy, *flags,
9286 				     NL80211_SCAN_FLAG_LOW_SPAN,
9287 				     NL80211_EXT_FEATURE_LOW_SPAN_SCAN) ||
9288 	    !nl80211_check_scan_feat(wiphy, *flags,
9289 				     NL80211_SCAN_FLAG_LOW_POWER,
9290 				     NL80211_EXT_FEATURE_LOW_POWER_SCAN) ||
9291 	    !nl80211_check_scan_feat(wiphy, *flags,
9292 				     NL80211_SCAN_FLAG_HIGH_ACCURACY,
9293 				     NL80211_EXT_FEATURE_HIGH_ACCURACY_SCAN) ||
9294 	    !nl80211_check_scan_feat(wiphy, *flags,
9295 				     NL80211_SCAN_FLAG_FILS_MAX_CHANNEL_TIME,
9296 				     NL80211_EXT_FEATURE_FILS_MAX_CHANNEL_TIME) ||
9297 	    !nl80211_check_scan_feat(wiphy, *flags,
9298 				     NL80211_SCAN_FLAG_ACCEPT_BCAST_PROBE_RESP,
9299 				     NL80211_EXT_FEATURE_ACCEPT_BCAST_PROBE_RESP) ||
9300 	    !nl80211_check_scan_feat(wiphy, *flags,
9301 				     NL80211_SCAN_FLAG_OCE_PROBE_REQ_DEFERRAL_SUPPRESSION,
9302 				     NL80211_EXT_FEATURE_OCE_PROBE_REQ_DEFERRAL_SUPPRESSION) ||
9303 	    !nl80211_check_scan_feat(wiphy, *flags,
9304 				     NL80211_SCAN_FLAG_OCE_PROBE_REQ_HIGH_TX_RATE,
9305 				     NL80211_EXT_FEATURE_OCE_PROBE_REQ_HIGH_TX_RATE) ||
9306 	    !nl80211_check_scan_feat(wiphy, *flags,
9307 				     NL80211_SCAN_FLAG_RANDOM_SN,
9308 				     NL80211_EXT_FEATURE_SCAN_RANDOM_SN) ||
9309 	    !nl80211_check_scan_feat(wiphy, *flags,
9310 				     NL80211_SCAN_FLAG_MIN_PREQ_CONTENT,
9311 				     NL80211_EXT_FEATURE_SCAN_MIN_PREQ_CONTENT))
9312 		return -EOPNOTSUPP;
9313 
9314 	if (*flags & NL80211_SCAN_FLAG_RANDOM_ADDR) {
9315 		int err;
9316 
9317 		if (!(wiphy->features & randomness_flag) ||
9318 		    (wdev && wdev->connected))
9319 			return -EOPNOTSUPP;
9320 
9321 		err = nl80211_parse_random_mac(attrs, mac_addr, mac_addr_mask);
9322 		if (err)
9323 			return err;
9324 	}
9325 
9326 	return 0;
9327 }
9328 
9329 static int nl80211_trigger_scan(struct sk_buff *skb, struct genl_info *info)
9330 {
9331 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9332 	struct wireless_dev *wdev = info->user_ptr[1];
9333 	struct cfg80211_scan_request *request;
9334 	struct nlattr *scan_freqs = NULL;
9335 	bool scan_freqs_khz = false;
9336 	struct nlattr *attr;
9337 	struct wiphy *wiphy;
9338 	int err, tmp, n_ssids = 0, n_channels, i;
9339 	size_t ie_len, size;
9340 	size_t ssids_offset, ie_offset;
9341 
9342 	wiphy = &rdev->wiphy;
9343 
9344 	if (wdev->iftype == NL80211_IFTYPE_NAN)
9345 		return -EOPNOTSUPP;
9346 
9347 	if (!rdev->ops->scan)
9348 		return -EOPNOTSUPP;
9349 
9350 	if (rdev->scan_req || rdev->scan_msg)
9351 		return -EBUSY;
9352 
9353 	if (info->attrs[NL80211_ATTR_SCAN_FREQ_KHZ]) {
9354 		if (!wiphy_ext_feature_isset(wiphy,
9355 					     NL80211_EXT_FEATURE_SCAN_FREQ_KHZ))
9356 			return -EOPNOTSUPP;
9357 		scan_freqs = info->attrs[NL80211_ATTR_SCAN_FREQ_KHZ];
9358 		scan_freqs_khz = true;
9359 	} else if (info->attrs[NL80211_ATTR_SCAN_FREQUENCIES])
9360 		scan_freqs = info->attrs[NL80211_ATTR_SCAN_FREQUENCIES];
9361 
9362 	if (scan_freqs) {
9363 		n_channels = validate_scan_freqs(scan_freqs);
9364 		if (!n_channels)
9365 			return -EINVAL;
9366 	} else {
9367 		n_channels = ieee80211_get_num_supported_channels(wiphy);
9368 	}
9369 
9370 	if (info->attrs[NL80211_ATTR_SCAN_SSIDS])
9371 		nla_for_each_nested(attr, info->attrs[NL80211_ATTR_SCAN_SSIDS], tmp)
9372 			n_ssids++;
9373 
9374 	if (n_ssids > wiphy->max_scan_ssids)
9375 		return -EINVAL;
9376 
9377 	if (info->attrs[NL80211_ATTR_IE])
9378 		ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
9379 	else
9380 		ie_len = 0;
9381 
9382 	if (ie_len > wiphy->max_scan_ie_len)
9383 		return -EINVAL;
9384 
9385 	size = struct_size(request, channels, n_channels);
9386 	ssids_offset = size;
9387 	size = size_add(size, array_size(sizeof(*request->ssids), n_ssids));
9388 	ie_offset = size;
9389 	size = size_add(size, ie_len);
9390 	request = kzalloc(size, GFP_KERNEL);
9391 	if (!request)
9392 		return -ENOMEM;
9393 	request->n_channels = n_channels;
9394 
9395 	if (n_ssids)
9396 		request->ssids = (void *)request + ssids_offset;
9397 	request->n_ssids = n_ssids;
9398 	if (ie_len)
9399 		request->ie = (void *)request + ie_offset;
9400 
9401 	i = 0;
9402 	if (scan_freqs) {
9403 		/* user specified, bail out if channel not found */
9404 		nla_for_each_nested(attr, scan_freqs, tmp) {
9405 			struct ieee80211_channel *chan;
9406 			int freq = nla_get_u32(attr);
9407 
9408 			if (!scan_freqs_khz)
9409 				freq = MHZ_TO_KHZ(freq);
9410 
9411 			chan = ieee80211_get_channel_khz(wiphy, freq);
9412 			if (!chan) {
9413 				err = -EINVAL;
9414 				goto out_free;
9415 			}
9416 
9417 			/* ignore disabled channels */
9418 			if (chan->flags & IEEE80211_CHAN_DISABLED ||
9419 			    !cfg80211_wdev_channel_allowed(wdev, chan))
9420 				continue;
9421 
9422 			request->channels[i] = chan;
9423 			i++;
9424 		}
9425 	} else {
9426 		enum nl80211_band band;
9427 
9428 		/* all channels */
9429 		for (band = 0; band < NUM_NL80211_BANDS; band++) {
9430 			int j;
9431 
9432 			if (!wiphy->bands[band])
9433 				continue;
9434 			for (j = 0; j < wiphy->bands[band]->n_channels; j++) {
9435 				struct ieee80211_channel *chan;
9436 
9437 				chan = &wiphy->bands[band]->channels[j];
9438 
9439 				if (chan->flags & IEEE80211_CHAN_DISABLED ||
9440 				    !cfg80211_wdev_channel_allowed(wdev, chan))
9441 					continue;
9442 
9443 				request->channels[i] = chan;
9444 				i++;
9445 			}
9446 		}
9447 	}
9448 
9449 	if (!i) {
9450 		err = -EINVAL;
9451 		goto out_free;
9452 	}
9453 
9454 	request->n_channels = i;
9455 
9456 	for (i = 0; i < request->n_channels; i++) {
9457 		struct ieee80211_channel *chan = request->channels[i];
9458 
9459 		/* if we can go off-channel to the target channel we're good */
9460 		if (cfg80211_off_channel_oper_allowed(wdev, chan))
9461 			continue;
9462 
9463 		if (!cfg80211_wdev_on_sub_chan(wdev, chan, true)) {
9464 			err = -EBUSY;
9465 			goto out_free;
9466 		}
9467 	}
9468 
9469 	i = 0;
9470 	if (n_ssids) {
9471 		nla_for_each_nested(attr, info->attrs[NL80211_ATTR_SCAN_SSIDS], tmp) {
9472 			if (nla_len(attr) > IEEE80211_MAX_SSID_LEN) {
9473 				err = -EINVAL;
9474 				goto out_free;
9475 			}
9476 			request->ssids[i].ssid_len = nla_len(attr);
9477 			memcpy(request->ssids[i].ssid, nla_data(attr), nla_len(attr));
9478 			i++;
9479 		}
9480 	}
9481 
9482 	if (info->attrs[NL80211_ATTR_IE]) {
9483 		request->ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
9484 		memcpy((void *)request->ie,
9485 		       nla_data(info->attrs[NL80211_ATTR_IE]),
9486 		       request->ie_len);
9487 	}
9488 
9489 	for (i = 0; i < NUM_NL80211_BANDS; i++)
9490 		if (wiphy->bands[i])
9491 			request->rates[i] =
9492 				(1 << wiphy->bands[i]->n_bitrates) - 1;
9493 
9494 	if (info->attrs[NL80211_ATTR_SCAN_SUPP_RATES]) {
9495 		nla_for_each_nested(attr,
9496 				    info->attrs[NL80211_ATTR_SCAN_SUPP_RATES],
9497 				    tmp) {
9498 			enum nl80211_band band = nla_type(attr);
9499 
9500 			if (band < 0 || band >= NUM_NL80211_BANDS) {
9501 				err = -EINVAL;
9502 				goto out_free;
9503 			}
9504 
9505 			if (!wiphy->bands[band])
9506 				continue;
9507 
9508 			err = ieee80211_get_ratemask(wiphy->bands[band],
9509 						     nla_data(attr),
9510 						     nla_len(attr),
9511 						     &request->rates[band]);
9512 			if (err)
9513 				goto out_free;
9514 		}
9515 	}
9516 
9517 	if (info->attrs[NL80211_ATTR_MEASUREMENT_DURATION]) {
9518 		request->duration =
9519 			nla_get_u16(info->attrs[NL80211_ATTR_MEASUREMENT_DURATION]);
9520 		request->duration_mandatory =
9521 			nla_get_flag(info->attrs[NL80211_ATTR_MEASUREMENT_DURATION_MANDATORY]);
9522 	}
9523 
9524 	err = nl80211_check_scan_flags(wiphy, wdev, request, info->attrs,
9525 				       false);
9526 	if (err)
9527 		goto out_free;
9528 
9529 	request->no_cck =
9530 		nla_get_flag(info->attrs[NL80211_ATTR_TX_NO_CCK_RATE]);
9531 
9532 	/* Initial implementation used NL80211_ATTR_MAC to set the specific
9533 	 * BSSID to scan for. This was problematic because that same attribute
9534 	 * was already used for another purpose (local random MAC address). The
9535 	 * NL80211_ATTR_BSSID attribute was added to fix this. For backwards
9536 	 * compatibility with older userspace components, also use the
9537 	 * NL80211_ATTR_MAC value here if it can be determined to be used for
9538 	 * the specific BSSID use case instead of the random MAC address
9539 	 * (NL80211_ATTR_SCAN_FLAGS is used to enable random MAC address use).
9540 	 */
9541 	if (info->attrs[NL80211_ATTR_BSSID])
9542 		memcpy(request->bssid,
9543 		       nla_data(info->attrs[NL80211_ATTR_BSSID]), ETH_ALEN);
9544 	else if (!(request->flags & NL80211_SCAN_FLAG_RANDOM_ADDR) &&
9545 		 info->attrs[NL80211_ATTR_MAC])
9546 		memcpy(request->bssid, nla_data(info->attrs[NL80211_ATTR_MAC]),
9547 		       ETH_ALEN);
9548 	else
9549 		eth_broadcast_addr(request->bssid);
9550 
9551 	request->tsf_report_link_id = nl80211_link_id_or_invalid(info->attrs);
9552 	request->wdev = wdev;
9553 	request->wiphy = &rdev->wiphy;
9554 	request->scan_start = jiffies;
9555 
9556 	rdev->scan_req = request;
9557 	err = cfg80211_scan(rdev);
9558 
9559 	if (err)
9560 		goto out_free;
9561 
9562 	nl80211_send_scan_start(rdev, wdev);
9563 	dev_hold(wdev->netdev);
9564 
9565 	return 0;
9566 
9567  out_free:
9568 	rdev->scan_req = NULL;
9569 	kfree(request);
9570 
9571 	return err;
9572 }
9573 
9574 static int nl80211_abort_scan(struct sk_buff *skb, struct genl_info *info)
9575 {
9576 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9577 	struct wireless_dev *wdev = info->user_ptr[1];
9578 
9579 	if (!rdev->ops->abort_scan)
9580 		return -EOPNOTSUPP;
9581 
9582 	if (rdev->scan_msg)
9583 		return 0;
9584 
9585 	if (!rdev->scan_req)
9586 		return -ENOENT;
9587 
9588 	rdev_abort_scan(rdev, wdev);
9589 	return 0;
9590 }
9591 
9592 static int
9593 nl80211_parse_sched_scan_plans(struct wiphy *wiphy, int n_plans,
9594 			       struct cfg80211_sched_scan_request *request,
9595 			       struct nlattr **attrs)
9596 {
9597 	int tmp, err, i = 0;
9598 	struct nlattr *attr;
9599 
9600 	if (!attrs[NL80211_ATTR_SCHED_SCAN_PLANS]) {
9601 		u32 interval;
9602 
9603 		/*
9604 		 * If scan plans are not specified,
9605 		 * %NL80211_ATTR_SCHED_SCAN_INTERVAL will be specified. In this
9606 		 * case one scan plan will be set with the specified scan
9607 		 * interval and infinite number of iterations.
9608 		 */
9609 		interval = nla_get_u32(attrs[NL80211_ATTR_SCHED_SCAN_INTERVAL]);
9610 		if (!interval)
9611 			return -EINVAL;
9612 
9613 		request->scan_plans[0].interval =
9614 			DIV_ROUND_UP(interval, MSEC_PER_SEC);
9615 		if (!request->scan_plans[0].interval)
9616 			return -EINVAL;
9617 
9618 		if (request->scan_plans[0].interval >
9619 		    wiphy->max_sched_scan_plan_interval)
9620 			request->scan_plans[0].interval =
9621 				wiphy->max_sched_scan_plan_interval;
9622 
9623 		return 0;
9624 	}
9625 
9626 	nla_for_each_nested(attr, attrs[NL80211_ATTR_SCHED_SCAN_PLANS], tmp) {
9627 		struct nlattr *plan[NL80211_SCHED_SCAN_PLAN_MAX + 1];
9628 
9629 		if (WARN_ON(i >= n_plans))
9630 			return -EINVAL;
9631 
9632 		err = nla_parse_nested_deprecated(plan,
9633 						  NL80211_SCHED_SCAN_PLAN_MAX,
9634 						  attr, nl80211_plan_policy,
9635 						  NULL);
9636 		if (err)
9637 			return err;
9638 
9639 		if (!plan[NL80211_SCHED_SCAN_PLAN_INTERVAL])
9640 			return -EINVAL;
9641 
9642 		request->scan_plans[i].interval =
9643 			nla_get_u32(plan[NL80211_SCHED_SCAN_PLAN_INTERVAL]);
9644 		if (!request->scan_plans[i].interval ||
9645 		    request->scan_plans[i].interval >
9646 		    wiphy->max_sched_scan_plan_interval)
9647 			return -EINVAL;
9648 
9649 		if (plan[NL80211_SCHED_SCAN_PLAN_ITERATIONS]) {
9650 			request->scan_plans[i].iterations =
9651 				nla_get_u32(plan[NL80211_SCHED_SCAN_PLAN_ITERATIONS]);
9652 			if (!request->scan_plans[i].iterations ||
9653 			    (request->scan_plans[i].iterations >
9654 			     wiphy->max_sched_scan_plan_iterations))
9655 				return -EINVAL;
9656 		} else if (i < n_plans - 1) {
9657 			/*
9658 			 * All scan plans but the last one must specify
9659 			 * a finite number of iterations
9660 			 */
9661 			return -EINVAL;
9662 		}
9663 
9664 		i++;
9665 	}
9666 
9667 	/*
9668 	 * The last scan plan must not specify the number of
9669 	 * iterations, it is supposed to run infinitely
9670 	 */
9671 	if (request->scan_plans[n_plans - 1].iterations)
9672 		return  -EINVAL;
9673 
9674 	return 0;
9675 }
9676 
9677 static struct cfg80211_sched_scan_request *
9678 nl80211_parse_sched_scan(struct wiphy *wiphy, struct wireless_dev *wdev,
9679 			 struct nlattr **attrs, int max_match_sets)
9680 {
9681 	struct cfg80211_sched_scan_request *request;
9682 	struct nlattr *attr;
9683 	int err, tmp, n_ssids = 0, n_match_sets = 0, n_channels, i, n_plans = 0;
9684 	enum nl80211_band band;
9685 	size_t ie_len, size;
9686 	struct nlattr *tb[NL80211_SCHED_SCAN_MATCH_ATTR_MAX + 1];
9687 	s32 default_match_rssi = NL80211_SCAN_RSSI_THOLD_OFF;
9688 
9689 	if (attrs[NL80211_ATTR_SCAN_FREQUENCIES]) {
9690 		n_channels = validate_scan_freqs(
9691 				attrs[NL80211_ATTR_SCAN_FREQUENCIES]);
9692 		if (!n_channels)
9693 			return ERR_PTR(-EINVAL);
9694 	} else {
9695 		n_channels = ieee80211_get_num_supported_channels(wiphy);
9696 	}
9697 
9698 	if (attrs[NL80211_ATTR_SCAN_SSIDS])
9699 		nla_for_each_nested(attr, attrs[NL80211_ATTR_SCAN_SSIDS],
9700 				    tmp)
9701 			n_ssids++;
9702 
9703 	if (n_ssids > wiphy->max_sched_scan_ssids)
9704 		return ERR_PTR(-EINVAL);
9705 
9706 	/*
9707 	 * First, count the number of 'real' matchsets. Due to an issue with
9708 	 * the old implementation, matchsets containing only the RSSI attribute
9709 	 * (NL80211_SCHED_SCAN_MATCH_ATTR_RSSI) are considered as the 'default'
9710 	 * RSSI for all matchsets, rather than their own matchset for reporting
9711 	 * all APs with a strong RSSI. This is needed to be compatible with
9712 	 * older userspace that treated a matchset with only the RSSI as the
9713 	 * global RSSI for all other matchsets - if there are other matchsets.
9714 	 */
9715 	if (attrs[NL80211_ATTR_SCHED_SCAN_MATCH]) {
9716 		nla_for_each_nested(attr,
9717 				    attrs[NL80211_ATTR_SCHED_SCAN_MATCH],
9718 				    tmp) {
9719 			struct nlattr *rssi;
9720 
9721 			err = nla_parse_nested_deprecated(tb,
9722 							  NL80211_SCHED_SCAN_MATCH_ATTR_MAX,
9723 							  attr,
9724 							  nl80211_match_policy,
9725 							  NULL);
9726 			if (err)
9727 				return ERR_PTR(err);
9728 
9729 			/* SSID and BSSID are mutually exclusive */
9730 			if (tb[NL80211_SCHED_SCAN_MATCH_ATTR_SSID] &&
9731 			    tb[NL80211_SCHED_SCAN_MATCH_ATTR_BSSID])
9732 				return ERR_PTR(-EINVAL);
9733 
9734 			/* add other standalone attributes here */
9735 			if (tb[NL80211_SCHED_SCAN_MATCH_ATTR_SSID] ||
9736 			    tb[NL80211_SCHED_SCAN_MATCH_ATTR_BSSID]) {
9737 				n_match_sets++;
9738 				continue;
9739 			}
9740 			rssi = tb[NL80211_SCHED_SCAN_MATCH_ATTR_RSSI];
9741 			if (rssi)
9742 				default_match_rssi = nla_get_s32(rssi);
9743 		}
9744 	}
9745 
9746 	/* However, if there's no other matchset, add the RSSI one */
9747 	if (!n_match_sets && default_match_rssi != NL80211_SCAN_RSSI_THOLD_OFF)
9748 		n_match_sets = 1;
9749 
9750 	if (n_match_sets > max_match_sets)
9751 		return ERR_PTR(-EINVAL);
9752 
9753 	if (attrs[NL80211_ATTR_IE])
9754 		ie_len = nla_len(attrs[NL80211_ATTR_IE]);
9755 	else
9756 		ie_len = 0;
9757 
9758 	if (ie_len > wiphy->max_sched_scan_ie_len)
9759 		return ERR_PTR(-EINVAL);
9760 
9761 	if (attrs[NL80211_ATTR_SCHED_SCAN_PLANS]) {
9762 		/*
9763 		 * NL80211_ATTR_SCHED_SCAN_INTERVAL must not be specified since
9764 		 * each scan plan already specifies its own interval
9765 		 */
9766 		if (attrs[NL80211_ATTR_SCHED_SCAN_INTERVAL])
9767 			return ERR_PTR(-EINVAL);
9768 
9769 		nla_for_each_nested(attr,
9770 				    attrs[NL80211_ATTR_SCHED_SCAN_PLANS], tmp)
9771 			n_plans++;
9772 	} else {
9773 		/*
9774 		 * The scan interval attribute is kept for backward
9775 		 * compatibility. If no scan plans are specified and sched scan
9776 		 * interval is specified, one scan plan will be set with this
9777 		 * scan interval and infinite number of iterations.
9778 		 */
9779 		if (!attrs[NL80211_ATTR_SCHED_SCAN_INTERVAL])
9780 			return ERR_PTR(-EINVAL);
9781 
9782 		n_plans = 1;
9783 	}
9784 
9785 	if (!n_plans || n_plans > wiphy->max_sched_scan_plans)
9786 		return ERR_PTR(-EINVAL);
9787 
9788 	if (!wiphy_ext_feature_isset(
9789 		    wiphy, NL80211_EXT_FEATURE_SCHED_SCAN_RELATIVE_RSSI) &&
9790 	    (attrs[NL80211_ATTR_SCHED_SCAN_RELATIVE_RSSI] ||
9791 	     attrs[NL80211_ATTR_SCHED_SCAN_RSSI_ADJUST]))
9792 		return ERR_PTR(-EINVAL);
9793 
9794 	size = struct_size(request, channels, n_channels);
9795 	size = size_add(size, array_size(sizeof(*request->ssids), n_ssids));
9796 	size = size_add(size, array_size(sizeof(*request->match_sets),
9797 					 n_match_sets));
9798 	size = size_add(size, array_size(sizeof(*request->scan_plans),
9799 					 n_plans));
9800 	size = size_add(size, ie_len);
9801 	request = kzalloc(size, GFP_KERNEL);
9802 	if (!request)
9803 		return ERR_PTR(-ENOMEM);
9804 	request->n_channels = n_channels;
9805 
9806 	if (n_ssids)
9807 		request->ssids = (void *)request +
9808 			struct_size(request, channels, n_channels);
9809 	request->n_ssids = n_ssids;
9810 	if (ie_len) {
9811 		if (n_ssids)
9812 			request->ie = (void *)(request->ssids + n_ssids);
9813 		else
9814 			request->ie = (void *)(request->channels + n_channels);
9815 	}
9816 
9817 	if (n_match_sets) {
9818 		if (request->ie)
9819 			request->match_sets = (void *)(request->ie + ie_len);
9820 		else if (n_ssids)
9821 			request->match_sets =
9822 				(void *)(request->ssids + n_ssids);
9823 		else
9824 			request->match_sets =
9825 				(void *)(request->channels + n_channels);
9826 	}
9827 	request->n_match_sets = n_match_sets;
9828 
9829 	if (n_match_sets)
9830 		request->scan_plans = (void *)(request->match_sets +
9831 					       n_match_sets);
9832 	else if (request->ie)
9833 		request->scan_plans = (void *)(request->ie + ie_len);
9834 	else if (n_ssids)
9835 		request->scan_plans = (void *)(request->ssids + n_ssids);
9836 	else
9837 		request->scan_plans = (void *)(request->channels + n_channels);
9838 
9839 	request->n_scan_plans = n_plans;
9840 
9841 	i = 0;
9842 	if (attrs[NL80211_ATTR_SCAN_FREQUENCIES]) {
9843 		/* user specified, bail out if channel not found */
9844 		nla_for_each_nested(attr,
9845 				    attrs[NL80211_ATTR_SCAN_FREQUENCIES],
9846 				    tmp) {
9847 			struct ieee80211_channel *chan;
9848 
9849 			chan = ieee80211_get_channel(wiphy, nla_get_u32(attr));
9850 
9851 			if (!chan) {
9852 				err = -EINVAL;
9853 				goto out_free;
9854 			}
9855 
9856 			/* ignore disabled channels */
9857 			if (chan->flags & IEEE80211_CHAN_DISABLED)
9858 				continue;
9859 
9860 			request->channels[i] = chan;
9861 			i++;
9862 		}
9863 	} else {
9864 		/* all channels */
9865 		for (band = 0; band < NUM_NL80211_BANDS; band++) {
9866 			int j;
9867 
9868 			if (!wiphy->bands[band])
9869 				continue;
9870 			for (j = 0; j < wiphy->bands[band]->n_channels; j++) {
9871 				struct ieee80211_channel *chan;
9872 
9873 				chan = &wiphy->bands[band]->channels[j];
9874 
9875 				if (chan->flags & IEEE80211_CHAN_DISABLED)
9876 					continue;
9877 
9878 				request->channels[i] = chan;
9879 				i++;
9880 			}
9881 		}
9882 	}
9883 
9884 	if (!i) {
9885 		err = -EINVAL;
9886 		goto out_free;
9887 	}
9888 
9889 	request->n_channels = i;
9890 
9891 	i = 0;
9892 	if (n_ssids) {
9893 		nla_for_each_nested(attr, attrs[NL80211_ATTR_SCAN_SSIDS],
9894 				    tmp) {
9895 			if (nla_len(attr) > IEEE80211_MAX_SSID_LEN) {
9896 				err = -EINVAL;
9897 				goto out_free;
9898 			}
9899 			request->ssids[i].ssid_len = nla_len(attr);
9900 			memcpy(request->ssids[i].ssid, nla_data(attr),
9901 			       nla_len(attr));
9902 			i++;
9903 		}
9904 	}
9905 
9906 	i = 0;
9907 	if (attrs[NL80211_ATTR_SCHED_SCAN_MATCH]) {
9908 		nla_for_each_nested(attr,
9909 				    attrs[NL80211_ATTR_SCHED_SCAN_MATCH],
9910 				    tmp) {
9911 			struct nlattr *ssid, *bssid, *rssi;
9912 
9913 			err = nla_parse_nested_deprecated(tb,
9914 							  NL80211_SCHED_SCAN_MATCH_ATTR_MAX,
9915 							  attr,
9916 							  nl80211_match_policy,
9917 							  NULL);
9918 			if (err)
9919 				goto out_free;
9920 			ssid = tb[NL80211_SCHED_SCAN_MATCH_ATTR_SSID];
9921 			bssid = tb[NL80211_SCHED_SCAN_MATCH_ATTR_BSSID];
9922 
9923 			if (!ssid && !bssid) {
9924 				i++;
9925 				continue;
9926 			}
9927 
9928 			if (WARN_ON(i >= n_match_sets)) {
9929 				/* this indicates a programming error,
9930 				 * the loop above should have verified
9931 				 * things properly
9932 				 */
9933 				err = -EINVAL;
9934 				goto out_free;
9935 			}
9936 
9937 			if (ssid) {
9938 				memcpy(request->match_sets[i].ssid.ssid,
9939 				       nla_data(ssid), nla_len(ssid));
9940 				request->match_sets[i].ssid.ssid_len =
9941 					nla_len(ssid);
9942 			}
9943 			if (bssid)
9944 				memcpy(request->match_sets[i].bssid,
9945 				       nla_data(bssid), ETH_ALEN);
9946 
9947 			/* special attribute - old implementation w/a */
9948 			request->match_sets[i].rssi_thold = default_match_rssi;
9949 			rssi = tb[NL80211_SCHED_SCAN_MATCH_ATTR_RSSI];
9950 			if (rssi)
9951 				request->match_sets[i].rssi_thold =
9952 					nla_get_s32(rssi);
9953 			i++;
9954 		}
9955 
9956 		/* there was no other matchset, so the RSSI one is alone */
9957 		if (i == 0 && n_match_sets)
9958 			request->match_sets[0].rssi_thold = default_match_rssi;
9959 
9960 		request->min_rssi_thold = INT_MAX;
9961 		for (i = 0; i < n_match_sets; i++)
9962 			request->min_rssi_thold =
9963 				min(request->match_sets[i].rssi_thold,
9964 				    request->min_rssi_thold);
9965 	} else {
9966 		request->min_rssi_thold = NL80211_SCAN_RSSI_THOLD_OFF;
9967 	}
9968 
9969 	if (ie_len) {
9970 		request->ie_len = ie_len;
9971 		memcpy((void *)request->ie,
9972 		       nla_data(attrs[NL80211_ATTR_IE]),
9973 		       request->ie_len);
9974 	}
9975 
9976 	err = nl80211_check_scan_flags(wiphy, wdev, request, attrs, true);
9977 	if (err)
9978 		goto out_free;
9979 
9980 	if (attrs[NL80211_ATTR_SCHED_SCAN_DELAY])
9981 		request->delay =
9982 			nla_get_u32(attrs[NL80211_ATTR_SCHED_SCAN_DELAY]);
9983 
9984 	if (attrs[NL80211_ATTR_SCHED_SCAN_RELATIVE_RSSI]) {
9985 		request->relative_rssi = nla_get_s8(
9986 			attrs[NL80211_ATTR_SCHED_SCAN_RELATIVE_RSSI]);
9987 		request->relative_rssi_set = true;
9988 	}
9989 
9990 	if (request->relative_rssi_set &&
9991 	    attrs[NL80211_ATTR_SCHED_SCAN_RSSI_ADJUST]) {
9992 		struct nl80211_bss_select_rssi_adjust *rssi_adjust;
9993 
9994 		rssi_adjust = nla_data(
9995 			attrs[NL80211_ATTR_SCHED_SCAN_RSSI_ADJUST]);
9996 		request->rssi_adjust.band = rssi_adjust->band;
9997 		request->rssi_adjust.delta = rssi_adjust->delta;
9998 		if (!is_band_valid(wiphy, request->rssi_adjust.band)) {
9999 			err = -EINVAL;
10000 			goto out_free;
10001 		}
10002 	}
10003 
10004 	err = nl80211_parse_sched_scan_plans(wiphy, n_plans, request, attrs);
10005 	if (err)
10006 		goto out_free;
10007 
10008 	request->scan_start = jiffies;
10009 
10010 	return request;
10011 
10012 out_free:
10013 	kfree(request);
10014 	return ERR_PTR(err);
10015 }
10016 
10017 static int nl80211_start_sched_scan(struct sk_buff *skb,
10018 				    struct genl_info *info)
10019 {
10020 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10021 	struct net_device *dev = info->user_ptr[1];
10022 	struct wireless_dev *wdev = dev->ieee80211_ptr;
10023 	struct cfg80211_sched_scan_request *sched_scan_req;
10024 	bool want_multi;
10025 	int err;
10026 
10027 	if (!rdev->wiphy.max_sched_scan_reqs || !rdev->ops->sched_scan_start)
10028 		return -EOPNOTSUPP;
10029 
10030 	want_multi = info->attrs[NL80211_ATTR_SCHED_SCAN_MULTI];
10031 	err = cfg80211_sched_scan_req_possible(rdev, want_multi);
10032 	if (err)
10033 		return err;
10034 
10035 	sched_scan_req = nl80211_parse_sched_scan(&rdev->wiphy, wdev,
10036 						  info->attrs,
10037 						  rdev->wiphy.max_match_sets);
10038 
10039 	err = PTR_ERR_OR_ZERO(sched_scan_req);
10040 	if (err)
10041 		goto out_err;
10042 
10043 	/* leave request id zero for legacy request
10044 	 * or if driver does not support multi-scheduled scan
10045 	 */
10046 	if (want_multi && rdev->wiphy.max_sched_scan_reqs > 1)
10047 		sched_scan_req->reqid = cfg80211_assign_cookie(rdev);
10048 
10049 	err = rdev_sched_scan_start(rdev, dev, sched_scan_req);
10050 	if (err)
10051 		goto out_free;
10052 
10053 	sched_scan_req->dev = dev;
10054 	sched_scan_req->wiphy = &rdev->wiphy;
10055 
10056 	if (info->attrs[NL80211_ATTR_SOCKET_OWNER])
10057 		sched_scan_req->owner_nlportid = info->snd_portid;
10058 
10059 	cfg80211_add_sched_scan_req(rdev, sched_scan_req);
10060 
10061 	nl80211_send_sched_scan(sched_scan_req, NL80211_CMD_START_SCHED_SCAN);
10062 	return 0;
10063 
10064 out_free:
10065 	kfree(sched_scan_req);
10066 out_err:
10067 	return err;
10068 }
10069 
10070 static int nl80211_stop_sched_scan(struct sk_buff *skb,
10071 				   struct genl_info *info)
10072 {
10073 	struct cfg80211_sched_scan_request *req;
10074 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10075 	u64 cookie;
10076 
10077 	if (!rdev->wiphy.max_sched_scan_reqs || !rdev->ops->sched_scan_stop)
10078 		return -EOPNOTSUPP;
10079 
10080 	if (info->attrs[NL80211_ATTR_COOKIE]) {
10081 		cookie = nla_get_u64(info->attrs[NL80211_ATTR_COOKIE]);
10082 		return __cfg80211_stop_sched_scan(rdev, cookie, false);
10083 	}
10084 
10085 	req = list_first_or_null_rcu(&rdev->sched_scan_req_list,
10086 				     struct cfg80211_sched_scan_request,
10087 				     list);
10088 	if (!req || req->reqid ||
10089 	    (req->owner_nlportid &&
10090 	     req->owner_nlportid != info->snd_portid))
10091 		return -ENOENT;
10092 
10093 	return cfg80211_stop_sched_scan_req(rdev, req, false);
10094 }
10095 
10096 static int nl80211_start_radar_detection(struct sk_buff *skb,
10097 					 struct genl_info *info)
10098 {
10099 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10100 	struct net_device *dev = info->user_ptr[1];
10101 	struct wireless_dev *wdev = dev->ieee80211_ptr;
10102 	int link_id = nl80211_link_id(info->attrs);
10103 	struct wiphy *wiphy = wdev->wiphy;
10104 	struct cfg80211_chan_def chandef;
10105 	enum nl80211_dfs_regions dfs_region;
10106 	unsigned int cac_time_ms;
10107 	int err;
10108 
10109 	flush_delayed_work(&rdev->dfs_update_channels_wk);
10110 
10111 	switch (wdev->iftype) {
10112 	case NL80211_IFTYPE_AP:
10113 	case NL80211_IFTYPE_P2P_GO:
10114 	case NL80211_IFTYPE_MESH_POINT:
10115 	case NL80211_IFTYPE_ADHOC:
10116 		break;
10117 	default:
10118 		/* caution - see cfg80211_beaconing_iface_active() below */
10119 		return -EINVAL;
10120 	}
10121 
10122 	guard(wiphy)(wiphy);
10123 
10124 	dfs_region = reg_get_dfs_region(wiphy);
10125 	if (dfs_region == NL80211_DFS_UNSET)
10126 		return -EINVAL;
10127 
10128 	err = nl80211_parse_chandef(rdev, info, &chandef);
10129 	if (err)
10130 		return err;
10131 
10132 	err = cfg80211_chandef_dfs_required(wiphy, &chandef, wdev->iftype);
10133 	if (err < 0)
10134 		return err;
10135 
10136 	if (err == 0)
10137 		return -EINVAL;
10138 
10139 	if (!cfg80211_chandef_dfs_usable(wiphy, &chandef))
10140 		return -EINVAL;
10141 
10142 	if (nla_get_flag(info->attrs[NL80211_ATTR_RADAR_BACKGROUND]))
10143 		return cfg80211_start_background_radar_detection(rdev, wdev,
10144 								 &chandef);
10145 
10146 	if (cfg80211_beaconing_iface_active(wdev)) {
10147 		/* During MLO other link(s) can beacon, only the current link
10148 		 * can not already beacon
10149 		 */
10150 		if (wdev->valid_links &&
10151 		    !wdev->links[link_id].ap.beacon_interval) {
10152 			/* nothing */
10153 		} else {
10154 			return -EBUSY;
10155 		}
10156 	}
10157 
10158 	if (wdev->links[link_id].cac_started)
10159 		return -EBUSY;
10160 
10161 	/* CAC start is offloaded to HW and can't be started manually */
10162 	if (wiphy_ext_feature_isset(wiphy, NL80211_EXT_FEATURE_DFS_OFFLOAD))
10163 		return -EOPNOTSUPP;
10164 
10165 	if (!rdev->ops->start_radar_detection)
10166 		return -EOPNOTSUPP;
10167 
10168 	cac_time_ms = cfg80211_chandef_dfs_cac_time(&rdev->wiphy, &chandef);
10169 	if (WARN_ON(!cac_time_ms))
10170 		cac_time_ms = IEEE80211_DFS_MIN_CAC_TIME_MS;
10171 
10172 	err = rdev_start_radar_detection(rdev, dev, &chandef, cac_time_ms,
10173 					 link_id);
10174 	if (err)
10175 		return err;
10176 
10177 	switch (wdev->iftype) {
10178 	case NL80211_IFTYPE_AP:
10179 	case NL80211_IFTYPE_P2P_GO:
10180 		wdev->links[0].ap.chandef = chandef;
10181 		break;
10182 	case NL80211_IFTYPE_ADHOC:
10183 		wdev->u.ibss.chandef = chandef;
10184 		break;
10185 	case NL80211_IFTYPE_MESH_POINT:
10186 		wdev->u.mesh.chandef = chandef;
10187 		break;
10188 	default:
10189 		break;
10190 	}
10191 	wdev->links[link_id].cac_started = true;
10192 	wdev->links[link_id].cac_start_time = jiffies;
10193 	wdev->links[link_id].cac_time_ms = cac_time_ms;
10194 
10195 	return 0;
10196 }
10197 
10198 static int nl80211_notify_radar_detection(struct sk_buff *skb,
10199 					  struct genl_info *info)
10200 {
10201 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10202 	struct net_device *dev = info->user_ptr[1];
10203 	struct wireless_dev *wdev = dev->ieee80211_ptr;
10204 	struct wiphy *wiphy = wdev->wiphy;
10205 	struct cfg80211_chan_def chandef;
10206 	enum nl80211_dfs_regions dfs_region;
10207 	int err;
10208 
10209 	dfs_region = reg_get_dfs_region(wiphy);
10210 	if (dfs_region == NL80211_DFS_UNSET) {
10211 		GENL_SET_ERR_MSG(info,
10212 				 "DFS Region is not set. Unexpected Radar indication");
10213 		return -EINVAL;
10214 	}
10215 
10216 	err = nl80211_parse_chandef(rdev, info, &chandef);
10217 	if (err) {
10218 		GENL_SET_ERR_MSG(info, "Unable to extract chandef info");
10219 		return err;
10220 	}
10221 
10222 	err = cfg80211_chandef_dfs_required(wiphy, &chandef, wdev->iftype);
10223 	if (err < 0) {
10224 		GENL_SET_ERR_MSG(info, "chandef is invalid");
10225 		return err;
10226 	}
10227 
10228 	if (err == 0) {
10229 		GENL_SET_ERR_MSG(info,
10230 				 "Unexpected Radar indication for chandef/iftype");
10231 		return -EINVAL;
10232 	}
10233 
10234 	/* Do not process this notification if radar is already detected
10235 	 * by kernel on this channel, and return success.
10236 	 */
10237 	if (chandef.chan->dfs_state == NL80211_DFS_UNAVAILABLE)
10238 		return 0;
10239 
10240 	cfg80211_set_dfs_state(wiphy, &chandef, NL80211_DFS_UNAVAILABLE);
10241 
10242 	cfg80211_sched_dfs_chan_update(rdev);
10243 
10244 	rdev->radar_chandef = chandef;
10245 
10246 	/* Propagate this notification to other radios as well */
10247 	queue_work(cfg80211_wq, &rdev->propagate_radar_detect_wk);
10248 
10249 	return 0;
10250 }
10251 
10252 static int nl80211_parse_counter_offsets(struct cfg80211_registered_device *rdev,
10253 					 const u8 *data, size_t datalen,
10254 					 int first_count, struct nlattr *attr,
10255 					 const u16 **offsets, unsigned int *n_offsets)
10256 {
10257 	int i;
10258 
10259 	*n_offsets = 0;
10260 
10261 	if (!attr)
10262 		return 0;
10263 
10264 	if (!nla_len(attr) || (nla_len(attr) % sizeof(u16)))
10265 		return -EINVAL;
10266 
10267 	*n_offsets = nla_len(attr) / sizeof(u16);
10268 	if (rdev->wiphy.max_num_csa_counters &&
10269 	    (*n_offsets > rdev->wiphy.max_num_csa_counters))
10270 		return -EINVAL;
10271 
10272 	*offsets = nla_data(attr);
10273 
10274 	/* sanity checks - counters should fit and be the same */
10275 	for (i = 0; i < *n_offsets; i++) {
10276 		u16 offset = (*offsets)[i];
10277 
10278 		if (offset >= datalen)
10279 			return -EINVAL;
10280 
10281 		if (first_count != -1 && data[offset] != first_count)
10282 			return -EINVAL;
10283 	}
10284 
10285 	return 0;
10286 }
10287 
10288 static int nl80211_channel_switch(struct sk_buff *skb, struct genl_info *info)
10289 {
10290 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10291 	unsigned int link_id = nl80211_link_id(info->attrs);
10292 	struct net_device *dev = info->user_ptr[1];
10293 	struct wireless_dev *wdev = dev->ieee80211_ptr;
10294 	struct cfg80211_csa_settings params;
10295 	struct nlattr **csa_attrs = NULL;
10296 	int err;
10297 	bool need_new_beacon = false;
10298 	bool need_handle_dfs_flag = true;
10299 	u32 cs_count;
10300 
10301 	if (!rdev->ops->channel_switch ||
10302 	    !(rdev->wiphy.flags & WIPHY_FLAG_HAS_CHANNEL_SWITCH))
10303 		return -EOPNOTSUPP;
10304 
10305 	switch (dev->ieee80211_ptr->iftype) {
10306 	case NL80211_IFTYPE_AP:
10307 	case NL80211_IFTYPE_P2P_GO:
10308 		need_new_beacon = true;
10309 		/* For all modes except AP the handle_dfs flag needs to be
10310 		 * supplied to tell the kernel that userspace will handle radar
10311 		 * events when they happen. Otherwise a switch to a channel
10312 		 * requiring DFS will be rejected.
10313 		 */
10314 		need_handle_dfs_flag = false;
10315 
10316 		/* useless if AP is not running */
10317 		if (!wdev->links[link_id].ap.beacon_interval)
10318 			return -ENOTCONN;
10319 		break;
10320 	case NL80211_IFTYPE_ADHOC:
10321 		if (!wdev->u.ibss.ssid_len)
10322 			return -ENOTCONN;
10323 		break;
10324 	case NL80211_IFTYPE_MESH_POINT:
10325 		if (!wdev->u.mesh.id_len)
10326 			return -ENOTCONN;
10327 		break;
10328 	default:
10329 		return -EOPNOTSUPP;
10330 	}
10331 
10332 	memset(&params, 0, sizeof(params));
10333 	params.beacon_csa.ftm_responder = -1;
10334 
10335 	if (!info->attrs[NL80211_ATTR_WIPHY_FREQ] ||
10336 	    !info->attrs[NL80211_ATTR_CH_SWITCH_COUNT])
10337 		return -EINVAL;
10338 
10339 	/* only important for AP, IBSS and mesh create IEs internally */
10340 	if (need_new_beacon && !info->attrs[NL80211_ATTR_CSA_IES])
10341 		return -EINVAL;
10342 
10343 	/* Even though the attribute is u32, the specification says
10344 	 * u8, so let's make sure we don't overflow.
10345 	 */
10346 	cs_count = nla_get_u32(info->attrs[NL80211_ATTR_CH_SWITCH_COUNT]);
10347 	if (cs_count > 255)
10348 		return -EINVAL;
10349 
10350 	params.count = cs_count;
10351 
10352 	if (!need_new_beacon)
10353 		goto skip_beacons;
10354 
10355 	err = nl80211_parse_beacon(rdev, info->attrs, &params.beacon_after,
10356 				   info->extack);
10357 	if (err)
10358 		goto free;
10359 
10360 	csa_attrs = kcalloc(NL80211_ATTR_MAX + 1, sizeof(*csa_attrs),
10361 			    GFP_KERNEL);
10362 	if (!csa_attrs) {
10363 		err = -ENOMEM;
10364 		goto free;
10365 	}
10366 
10367 	err = nla_parse_nested_deprecated(csa_attrs, NL80211_ATTR_MAX,
10368 					  info->attrs[NL80211_ATTR_CSA_IES],
10369 					  nl80211_policy, info->extack);
10370 	if (err)
10371 		goto free;
10372 
10373 	err = nl80211_parse_beacon(rdev, csa_attrs, &params.beacon_csa,
10374 				   info->extack);
10375 	if (err)
10376 		goto free;
10377 
10378 	if (!csa_attrs[NL80211_ATTR_CNTDWN_OFFS_BEACON]) {
10379 		err = -EINVAL;
10380 		goto free;
10381 	}
10382 
10383 	err = nl80211_parse_counter_offsets(rdev, params.beacon_csa.tail,
10384 					    params.beacon_csa.tail_len,
10385 					    params.count,
10386 					    csa_attrs[NL80211_ATTR_CNTDWN_OFFS_BEACON],
10387 					    &params.counter_offsets_beacon,
10388 					    &params.n_counter_offsets_beacon);
10389 	if (err)
10390 		goto free;
10391 
10392 	err = nl80211_parse_counter_offsets(rdev, params.beacon_csa.probe_resp,
10393 					    params.beacon_csa.probe_resp_len,
10394 					    params.count,
10395 					    csa_attrs[NL80211_ATTR_CNTDWN_OFFS_PRESP],
10396 					    &params.counter_offsets_presp,
10397 					    &params.n_counter_offsets_presp);
10398 	if (err)
10399 		goto free;
10400 
10401 skip_beacons:
10402 	err = nl80211_parse_chandef(rdev, info, &params.chandef);
10403 	if (err)
10404 		goto free;
10405 
10406 	if (!cfg80211_reg_can_beacon_relax(&rdev->wiphy, &params.chandef,
10407 					   wdev->iftype)) {
10408 		err = -EINVAL;
10409 		goto free;
10410 	}
10411 
10412 	err = cfg80211_chandef_dfs_required(wdev->wiphy,
10413 					    &params.chandef,
10414 					    wdev->iftype);
10415 	if (err < 0)
10416 		goto free;
10417 
10418 	if (err > 0) {
10419 		params.radar_required = true;
10420 		if (need_handle_dfs_flag &&
10421 		    !nla_get_flag(info->attrs[NL80211_ATTR_HANDLE_DFS])) {
10422 			err = -EINVAL;
10423 			goto free;
10424 		}
10425 	}
10426 
10427 	if (info->attrs[NL80211_ATTR_CH_SWITCH_BLOCK_TX])
10428 		params.block_tx = true;
10429 
10430 	params.link_id = link_id;
10431 	err = rdev_channel_switch(rdev, dev, &params);
10432 
10433 free:
10434 	kfree(params.beacon_after.mbssid_ies);
10435 	kfree(params.beacon_csa.mbssid_ies);
10436 	kfree(params.beacon_after.rnr_ies);
10437 	kfree(params.beacon_csa.rnr_ies);
10438 	kfree(csa_attrs);
10439 	return err;
10440 }
10441 
10442 static int nl80211_send_bss(struct sk_buff *msg, struct netlink_callback *cb,
10443 			    u32 seq, int flags,
10444 			    struct cfg80211_registered_device *rdev,
10445 			    struct wireless_dev *wdev,
10446 			    struct cfg80211_internal_bss *intbss)
10447 {
10448 	struct cfg80211_bss *res = &intbss->pub;
10449 	const struct cfg80211_bss_ies *ies;
10450 	unsigned int link_id;
10451 	void *hdr;
10452 	struct nlattr *bss;
10453 
10454 	lockdep_assert_wiphy(wdev->wiphy);
10455 
10456 	hdr = nl80211hdr_put(msg, NETLINK_CB(cb->skb).portid, seq, flags,
10457 			     NL80211_CMD_NEW_SCAN_RESULTS);
10458 	if (!hdr)
10459 		return -1;
10460 
10461 	genl_dump_check_consistent(cb, hdr);
10462 
10463 	if (nla_put_u32(msg, NL80211_ATTR_GENERATION, rdev->bss_generation))
10464 		goto nla_put_failure;
10465 	if (wdev->netdev &&
10466 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, wdev->netdev->ifindex))
10467 		goto nla_put_failure;
10468 	if (nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
10469 			      NL80211_ATTR_PAD))
10470 		goto nla_put_failure;
10471 
10472 	bss = nla_nest_start_noflag(msg, NL80211_ATTR_BSS);
10473 	if (!bss)
10474 		goto nla_put_failure;
10475 	if ((!is_zero_ether_addr(res->bssid) &&
10476 	     nla_put(msg, NL80211_BSS_BSSID, ETH_ALEN, res->bssid)))
10477 		goto nla_put_failure;
10478 
10479 	rcu_read_lock();
10480 	/* indicate whether we have probe response data or not */
10481 	if (rcu_access_pointer(res->proberesp_ies) &&
10482 	    nla_put_flag(msg, NL80211_BSS_PRESP_DATA))
10483 		goto fail_unlock_rcu;
10484 
10485 	/* this pointer prefers to be pointed to probe response data
10486 	 * but is always valid
10487 	 */
10488 	ies = rcu_dereference(res->ies);
10489 	if (ies) {
10490 		if (nla_put_u64_64bit(msg, NL80211_BSS_TSF, ies->tsf,
10491 				      NL80211_BSS_PAD))
10492 			goto fail_unlock_rcu;
10493 		if (ies->len && nla_put(msg, NL80211_BSS_INFORMATION_ELEMENTS,
10494 					ies->len, ies->data))
10495 			goto fail_unlock_rcu;
10496 	}
10497 
10498 	/* and this pointer is always (unless driver didn't know) beacon data */
10499 	ies = rcu_dereference(res->beacon_ies);
10500 	if (ies && ies->from_beacon) {
10501 		if (nla_put_u64_64bit(msg, NL80211_BSS_BEACON_TSF, ies->tsf,
10502 				      NL80211_BSS_PAD))
10503 			goto fail_unlock_rcu;
10504 		if (ies->len && nla_put(msg, NL80211_BSS_BEACON_IES,
10505 					ies->len, ies->data))
10506 			goto fail_unlock_rcu;
10507 	}
10508 	rcu_read_unlock();
10509 
10510 	if (res->beacon_interval &&
10511 	    nla_put_u16(msg, NL80211_BSS_BEACON_INTERVAL, res->beacon_interval))
10512 		goto nla_put_failure;
10513 	if (nla_put_u16(msg, NL80211_BSS_CAPABILITY, res->capability) ||
10514 	    nla_put_u32(msg, NL80211_BSS_FREQUENCY, res->channel->center_freq) ||
10515 	    nla_put_u32(msg, NL80211_BSS_FREQUENCY_OFFSET,
10516 			res->channel->freq_offset) ||
10517 	    nla_put_u32(msg, NL80211_BSS_SEEN_MS_AGO,
10518 			jiffies_to_msecs(jiffies - intbss->ts)))
10519 		goto nla_put_failure;
10520 
10521 	if (intbss->parent_tsf &&
10522 	    (nla_put_u64_64bit(msg, NL80211_BSS_PARENT_TSF,
10523 			       intbss->parent_tsf, NL80211_BSS_PAD) ||
10524 	     nla_put(msg, NL80211_BSS_PARENT_BSSID, ETH_ALEN,
10525 		     intbss->parent_bssid)))
10526 		goto nla_put_failure;
10527 
10528 	if (res->ts_boottime &&
10529 	    nla_put_u64_64bit(msg, NL80211_BSS_LAST_SEEN_BOOTTIME,
10530 			      res->ts_boottime, NL80211_BSS_PAD))
10531 		goto nla_put_failure;
10532 
10533 	if (!nl80211_put_signal(msg, intbss->pub.chains,
10534 				intbss->pub.chain_signal,
10535 				NL80211_BSS_CHAIN_SIGNAL))
10536 		goto nla_put_failure;
10537 
10538 	if (intbss->bss_source != BSS_SOURCE_STA_PROFILE) {
10539 		switch (rdev->wiphy.signal_type) {
10540 		case CFG80211_SIGNAL_TYPE_MBM:
10541 			if (nla_put_u32(msg, NL80211_BSS_SIGNAL_MBM,
10542 					res->signal))
10543 				goto nla_put_failure;
10544 			break;
10545 		case CFG80211_SIGNAL_TYPE_UNSPEC:
10546 			if (nla_put_u8(msg, NL80211_BSS_SIGNAL_UNSPEC,
10547 				       res->signal))
10548 				goto nla_put_failure;
10549 			break;
10550 		default:
10551 			break;
10552 		}
10553 	}
10554 
10555 	switch (wdev->iftype) {
10556 	case NL80211_IFTYPE_P2P_CLIENT:
10557 	case NL80211_IFTYPE_STATION:
10558 		for_each_valid_link(wdev, link_id) {
10559 			if (intbss == wdev->links[link_id].client.current_bss &&
10560 			    (nla_put_u32(msg, NL80211_BSS_STATUS,
10561 					 NL80211_BSS_STATUS_ASSOCIATED) ||
10562 			     (wdev->valid_links &&
10563 			      (nla_put_u8(msg, NL80211_BSS_MLO_LINK_ID,
10564 					  link_id) ||
10565 			       nla_put(msg, NL80211_BSS_MLD_ADDR, ETH_ALEN,
10566 				       wdev->u.client.connected_addr)))))
10567 				goto nla_put_failure;
10568 		}
10569 		break;
10570 	case NL80211_IFTYPE_ADHOC:
10571 		if (intbss == wdev->u.ibss.current_bss &&
10572 		    nla_put_u32(msg, NL80211_BSS_STATUS,
10573 				NL80211_BSS_STATUS_IBSS_JOINED))
10574 			goto nla_put_failure;
10575 		break;
10576 	default:
10577 		break;
10578 	}
10579 
10580 	if (nla_put_u32(msg, NL80211_BSS_USE_FOR, res->use_for))
10581 		goto nla_put_failure;
10582 
10583 	if (res->cannot_use_reasons &&
10584 	    nla_put_u64_64bit(msg, NL80211_BSS_CANNOT_USE_REASONS,
10585 			      res->cannot_use_reasons,
10586 			      NL80211_BSS_PAD))
10587 		goto nla_put_failure;
10588 
10589 	nla_nest_end(msg, bss);
10590 
10591 	genlmsg_end(msg, hdr);
10592 	return 0;
10593 
10594  fail_unlock_rcu:
10595 	rcu_read_unlock();
10596  nla_put_failure:
10597 	genlmsg_cancel(msg, hdr);
10598 	return -EMSGSIZE;
10599 }
10600 
10601 static int nl80211_dump_scan(struct sk_buff *skb, struct netlink_callback *cb)
10602 {
10603 	struct cfg80211_registered_device *rdev;
10604 	struct cfg80211_internal_bss *scan;
10605 	struct wireless_dev *wdev;
10606 	struct nlattr **attrbuf;
10607 	int start = cb->args[2], idx = 0;
10608 	bool dump_include_use_data;
10609 	int err;
10610 
10611 	attrbuf = kcalloc(NUM_NL80211_ATTR, sizeof(*attrbuf), GFP_KERNEL);
10612 	if (!attrbuf)
10613 		return -ENOMEM;
10614 
10615 	err = nl80211_prepare_wdev_dump(cb, &rdev, &wdev, attrbuf);
10616 	if (err) {
10617 		kfree(attrbuf);
10618 		return err;
10619 	}
10620 	/* nl80211_prepare_wdev_dump acquired it in the successful case */
10621 	__acquire(&rdev->wiphy.mtx);
10622 
10623 	dump_include_use_data =
10624 		attrbuf[NL80211_ATTR_BSS_DUMP_INCLUDE_USE_DATA];
10625 	kfree(attrbuf);
10626 
10627 	spin_lock_bh(&rdev->bss_lock);
10628 
10629 	/*
10630 	 * dump_scan will be called multiple times to break up the scan results
10631 	 * into multiple messages.  It is unlikely that any more bss-es will be
10632 	 * expired after the first call, so only call only call this on the
10633 	 * first dump_scan invocation.
10634 	 */
10635 	if (start == 0)
10636 		cfg80211_bss_expire(rdev);
10637 
10638 	cb->seq = rdev->bss_generation;
10639 
10640 	list_for_each_entry(scan, &rdev->bss_list, list) {
10641 		if (++idx <= start)
10642 			continue;
10643 		if (!dump_include_use_data &&
10644 		    !(scan->pub.use_for & NL80211_BSS_USE_FOR_NORMAL))
10645 			continue;
10646 		if (nl80211_send_bss(skb, cb,
10647 				cb->nlh->nlmsg_seq, NLM_F_MULTI,
10648 				rdev, wdev, scan) < 0) {
10649 			idx--;
10650 			break;
10651 		}
10652 	}
10653 
10654 	spin_unlock_bh(&rdev->bss_lock);
10655 
10656 	cb->args[2] = idx;
10657 	wiphy_unlock(&rdev->wiphy);
10658 
10659 	return skb->len;
10660 }
10661 
10662 static int nl80211_send_survey(struct sk_buff *msg, u32 portid, u32 seq,
10663 			       int flags, struct net_device *dev,
10664 			       bool allow_radio_stats,
10665 			       struct survey_info *survey)
10666 {
10667 	void *hdr;
10668 	struct nlattr *infoattr;
10669 
10670 	/* skip radio stats if userspace didn't request them */
10671 	if (!survey->channel && !allow_radio_stats)
10672 		return 0;
10673 
10674 	hdr = nl80211hdr_put(msg, portid, seq, flags,
10675 			     NL80211_CMD_NEW_SURVEY_RESULTS);
10676 	if (!hdr)
10677 		return -ENOMEM;
10678 
10679 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
10680 		goto nla_put_failure;
10681 
10682 	infoattr = nla_nest_start_noflag(msg, NL80211_ATTR_SURVEY_INFO);
10683 	if (!infoattr)
10684 		goto nla_put_failure;
10685 
10686 	if (survey->channel &&
10687 	    nla_put_u32(msg, NL80211_SURVEY_INFO_FREQUENCY,
10688 			survey->channel->center_freq))
10689 		goto nla_put_failure;
10690 
10691 	if (survey->channel && survey->channel->freq_offset &&
10692 	    nla_put_u32(msg, NL80211_SURVEY_INFO_FREQUENCY_OFFSET,
10693 			survey->channel->freq_offset))
10694 		goto nla_put_failure;
10695 
10696 	if ((survey->filled & SURVEY_INFO_NOISE_DBM) &&
10697 	    nla_put_u8(msg, NL80211_SURVEY_INFO_NOISE, survey->noise))
10698 		goto nla_put_failure;
10699 	if ((survey->filled & SURVEY_INFO_IN_USE) &&
10700 	    nla_put_flag(msg, NL80211_SURVEY_INFO_IN_USE))
10701 		goto nla_put_failure;
10702 	if ((survey->filled & SURVEY_INFO_TIME) &&
10703 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME,
10704 			survey->time, NL80211_SURVEY_INFO_PAD))
10705 		goto nla_put_failure;
10706 	if ((survey->filled & SURVEY_INFO_TIME_BUSY) &&
10707 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_BUSY,
10708 			      survey->time_busy, NL80211_SURVEY_INFO_PAD))
10709 		goto nla_put_failure;
10710 	if ((survey->filled & SURVEY_INFO_TIME_EXT_BUSY) &&
10711 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_EXT_BUSY,
10712 			      survey->time_ext_busy, NL80211_SURVEY_INFO_PAD))
10713 		goto nla_put_failure;
10714 	if ((survey->filled & SURVEY_INFO_TIME_RX) &&
10715 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_RX,
10716 			      survey->time_rx, NL80211_SURVEY_INFO_PAD))
10717 		goto nla_put_failure;
10718 	if ((survey->filled & SURVEY_INFO_TIME_TX) &&
10719 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_TX,
10720 			      survey->time_tx, NL80211_SURVEY_INFO_PAD))
10721 		goto nla_put_failure;
10722 	if ((survey->filled & SURVEY_INFO_TIME_SCAN) &&
10723 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_SCAN,
10724 			      survey->time_scan, NL80211_SURVEY_INFO_PAD))
10725 		goto nla_put_failure;
10726 	if ((survey->filled & SURVEY_INFO_TIME_BSS_RX) &&
10727 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_BSS_RX,
10728 			      survey->time_bss_rx, NL80211_SURVEY_INFO_PAD))
10729 		goto nla_put_failure;
10730 
10731 	nla_nest_end(msg, infoattr);
10732 
10733 	genlmsg_end(msg, hdr);
10734 	return 0;
10735 
10736  nla_put_failure:
10737 	genlmsg_cancel(msg, hdr);
10738 	return -EMSGSIZE;
10739 }
10740 
10741 static int nl80211_dump_survey(struct sk_buff *skb, struct netlink_callback *cb)
10742 {
10743 	struct nlattr **attrbuf;
10744 	struct survey_info survey;
10745 	struct cfg80211_registered_device *rdev;
10746 	struct wireless_dev *wdev;
10747 	int survey_idx = cb->args[2];
10748 	int res;
10749 	bool radio_stats;
10750 
10751 	attrbuf = kcalloc(NUM_NL80211_ATTR, sizeof(*attrbuf), GFP_KERNEL);
10752 	if (!attrbuf)
10753 		return -ENOMEM;
10754 
10755 	res = nl80211_prepare_wdev_dump(cb, &rdev, &wdev, attrbuf);
10756 	if (res) {
10757 		kfree(attrbuf);
10758 		return res;
10759 	}
10760 	/* nl80211_prepare_wdev_dump acquired it in the successful case */
10761 	__acquire(&rdev->wiphy.mtx);
10762 
10763 	/* prepare_wdev_dump parsed the attributes */
10764 	radio_stats = attrbuf[NL80211_ATTR_SURVEY_RADIO_STATS];
10765 
10766 	if (!wdev->netdev) {
10767 		res = -EINVAL;
10768 		goto out_err;
10769 	}
10770 
10771 	if (!rdev->ops->dump_survey) {
10772 		res = -EOPNOTSUPP;
10773 		goto out_err;
10774 	}
10775 
10776 	while (1) {
10777 		res = rdev_dump_survey(rdev, wdev->netdev, survey_idx, &survey);
10778 		if (res == -ENOENT)
10779 			break;
10780 		if (res)
10781 			goto out_err;
10782 
10783 		/* don't send disabled channels, but do send non-channel data */
10784 		if (survey.channel &&
10785 		    survey.channel->flags & IEEE80211_CHAN_DISABLED) {
10786 			survey_idx++;
10787 			continue;
10788 		}
10789 
10790 		if (nl80211_send_survey(skb,
10791 				NETLINK_CB(cb->skb).portid,
10792 				cb->nlh->nlmsg_seq, NLM_F_MULTI,
10793 				wdev->netdev, radio_stats, &survey) < 0)
10794 			goto out;
10795 		survey_idx++;
10796 	}
10797 
10798  out:
10799 	cb->args[2] = survey_idx;
10800 	res = skb->len;
10801  out_err:
10802 	kfree(attrbuf);
10803 	wiphy_unlock(&rdev->wiphy);
10804 	return res;
10805 }
10806 
10807 static int nl80211_authenticate(struct sk_buff *skb, struct genl_info *info)
10808 {
10809 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10810 	struct net_device *dev = info->user_ptr[1];
10811 	struct ieee80211_channel *chan;
10812 	const u8 *bssid, *ssid;
10813 	int err, ssid_len;
10814 	enum nl80211_auth_type auth_type;
10815 	struct key_parse key;
10816 	bool local_state_change;
10817 	struct cfg80211_auth_request req = {};
10818 	u32 freq;
10819 
10820 	if (!info->attrs[NL80211_ATTR_MAC])
10821 		return -EINVAL;
10822 
10823 	if (!info->attrs[NL80211_ATTR_AUTH_TYPE])
10824 		return -EINVAL;
10825 
10826 	if (!info->attrs[NL80211_ATTR_SSID])
10827 		return -EINVAL;
10828 
10829 	if (!info->attrs[NL80211_ATTR_WIPHY_FREQ])
10830 		return -EINVAL;
10831 
10832 	err = nl80211_parse_key(info, &key);
10833 	if (err)
10834 		return err;
10835 
10836 	if (key.idx >= 0) {
10837 		if (key.type != -1 && key.type != NL80211_KEYTYPE_GROUP)
10838 			return -EINVAL;
10839 		if (!key.p.key || !key.p.key_len)
10840 			return -EINVAL;
10841 		if ((key.p.cipher != WLAN_CIPHER_SUITE_WEP40 ||
10842 		     key.p.key_len != WLAN_KEY_LEN_WEP40) &&
10843 		    (key.p.cipher != WLAN_CIPHER_SUITE_WEP104 ||
10844 		     key.p.key_len != WLAN_KEY_LEN_WEP104))
10845 			return -EINVAL;
10846 		if (key.idx > 3)
10847 			return -EINVAL;
10848 	} else {
10849 		key.p.key_len = 0;
10850 		key.p.key = NULL;
10851 	}
10852 
10853 	if (key.idx >= 0) {
10854 		int i;
10855 		bool ok = false;
10856 
10857 		for (i = 0; i < rdev->wiphy.n_cipher_suites; i++) {
10858 			if (key.p.cipher == rdev->wiphy.cipher_suites[i]) {
10859 				ok = true;
10860 				break;
10861 			}
10862 		}
10863 		if (!ok)
10864 			return -EINVAL;
10865 	}
10866 
10867 	if (!rdev->ops->auth)
10868 		return -EOPNOTSUPP;
10869 
10870 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
10871 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
10872 		return -EOPNOTSUPP;
10873 
10874 	bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
10875 	freq = MHZ_TO_KHZ(nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ]));
10876 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET])
10877 		freq +=
10878 		    nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET]);
10879 
10880 	chan = nl80211_get_valid_chan(&rdev->wiphy, freq);
10881 	if (!chan)
10882 		return -EINVAL;
10883 
10884 	ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
10885 	ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
10886 
10887 	if (info->attrs[NL80211_ATTR_IE]) {
10888 		req.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
10889 		req.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
10890 	}
10891 
10892 	if (info->attrs[NL80211_ATTR_SUPPORTED_SELECTORS]) {
10893 		req.supported_selectors =
10894 			nla_data(info->attrs[NL80211_ATTR_SUPPORTED_SELECTORS]);
10895 		req.supported_selectors_len =
10896 			nla_len(info->attrs[NL80211_ATTR_SUPPORTED_SELECTORS]);
10897 	}
10898 
10899 	auth_type = nla_get_u32(info->attrs[NL80211_ATTR_AUTH_TYPE]);
10900 	if (!nl80211_valid_auth_type(rdev, auth_type, NL80211_CMD_AUTHENTICATE))
10901 		return -EINVAL;
10902 
10903 	if ((auth_type == NL80211_AUTHTYPE_SAE ||
10904 	     auth_type == NL80211_AUTHTYPE_FILS_SK ||
10905 	     auth_type == NL80211_AUTHTYPE_FILS_SK_PFS ||
10906 	     auth_type == NL80211_AUTHTYPE_FILS_PK) &&
10907 	    !info->attrs[NL80211_ATTR_AUTH_DATA])
10908 		return -EINVAL;
10909 
10910 	if (info->attrs[NL80211_ATTR_AUTH_DATA]) {
10911 		if (auth_type != NL80211_AUTHTYPE_SAE &&
10912 		    auth_type != NL80211_AUTHTYPE_FILS_SK &&
10913 		    auth_type != NL80211_AUTHTYPE_FILS_SK_PFS &&
10914 		    auth_type != NL80211_AUTHTYPE_FILS_PK)
10915 			return -EINVAL;
10916 		req.auth_data = nla_data(info->attrs[NL80211_ATTR_AUTH_DATA]);
10917 		req.auth_data_len = nla_len(info->attrs[NL80211_ATTR_AUTH_DATA]);
10918 	}
10919 
10920 	local_state_change = !!info->attrs[NL80211_ATTR_LOCAL_STATE_CHANGE];
10921 
10922 	/*
10923 	 * Since we no longer track auth state, ignore
10924 	 * requests to only change local state.
10925 	 */
10926 	if (local_state_change)
10927 		return 0;
10928 
10929 	req.auth_type = auth_type;
10930 	req.key = key.p.key;
10931 	req.key_len = key.p.key_len;
10932 	req.key_idx = key.idx;
10933 	req.link_id = nl80211_link_id_or_invalid(info->attrs);
10934 	if (req.link_id >= 0) {
10935 		if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_MLO))
10936 			return -EINVAL;
10937 		if (!info->attrs[NL80211_ATTR_MLD_ADDR])
10938 			return -EINVAL;
10939 		req.ap_mld_addr = nla_data(info->attrs[NL80211_ATTR_MLD_ADDR]);
10940 		if (!is_valid_ether_addr(req.ap_mld_addr))
10941 			return -EINVAL;
10942 	}
10943 
10944 	req.bss = cfg80211_get_bss(&rdev->wiphy, chan, bssid, ssid, ssid_len,
10945 				   IEEE80211_BSS_TYPE_ESS,
10946 				   IEEE80211_PRIVACY_ANY);
10947 	if (!req.bss)
10948 		return -ENOENT;
10949 
10950 	err = cfg80211_mlme_auth(rdev, dev, &req);
10951 
10952 	cfg80211_put_bss(&rdev->wiphy, req.bss);
10953 
10954 	return err;
10955 }
10956 
10957 static int validate_pae_over_nl80211(struct cfg80211_registered_device *rdev,
10958 				     struct genl_info *info)
10959 {
10960 	if (!info->attrs[NL80211_ATTR_SOCKET_OWNER]) {
10961 		GENL_SET_ERR_MSG(info, "SOCKET_OWNER not set");
10962 		return -EINVAL;
10963 	}
10964 
10965 	if (!rdev->ops->tx_control_port ||
10966 	    !wiphy_ext_feature_isset(&rdev->wiphy,
10967 				     NL80211_EXT_FEATURE_CONTROL_PORT_OVER_NL80211))
10968 		return -EOPNOTSUPP;
10969 
10970 	return 0;
10971 }
10972 
10973 static int nl80211_crypto_settings(struct cfg80211_registered_device *rdev,
10974 				   struct genl_info *info,
10975 				   struct cfg80211_crypto_settings *settings,
10976 				   int cipher_limit)
10977 {
10978 	memset(settings, 0, sizeof(*settings));
10979 
10980 	settings->control_port = info->attrs[NL80211_ATTR_CONTROL_PORT];
10981 
10982 	if (info->attrs[NL80211_ATTR_CONTROL_PORT_ETHERTYPE]) {
10983 		u16 proto;
10984 
10985 		proto = nla_get_u16(
10986 			info->attrs[NL80211_ATTR_CONTROL_PORT_ETHERTYPE]);
10987 		settings->control_port_ethertype = cpu_to_be16(proto);
10988 		if (!(rdev->wiphy.flags & WIPHY_FLAG_CONTROL_PORT_PROTOCOL) &&
10989 		    proto != ETH_P_PAE)
10990 			return -EINVAL;
10991 		if (info->attrs[NL80211_ATTR_CONTROL_PORT_NO_ENCRYPT])
10992 			settings->control_port_no_encrypt = true;
10993 	} else
10994 		settings->control_port_ethertype = cpu_to_be16(ETH_P_PAE);
10995 
10996 	if (info->attrs[NL80211_ATTR_CONTROL_PORT_OVER_NL80211]) {
10997 		int r = validate_pae_over_nl80211(rdev, info);
10998 
10999 		if (r < 0)
11000 			return r;
11001 
11002 		settings->control_port_over_nl80211 = true;
11003 
11004 		if (info->attrs[NL80211_ATTR_CONTROL_PORT_NO_PREAUTH])
11005 			settings->control_port_no_preauth = true;
11006 	}
11007 
11008 	if (info->attrs[NL80211_ATTR_CIPHER_SUITES_PAIRWISE]) {
11009 		void *data;
11010 		int len, i;
11011 
11012 		data = nla_data(info->attrs[NL80211_ATTR_CIPHER_SUITES_PAIRWISE]);
11013 		len = nla_len(info->attrs[NL80211_ATTR_CIPHER_SUITES_PAIRWISE]);
11014 		settings->n_ciphers_pairwise = len / sizeof(u32);
11015 
11016 		if (len % sizeof(u32))
11017 			return -EINVAL;
11018 
11019 		if (settings->n_ciphers_pairwise > cipher_limit)
11020 			return -EINVAL;
11021 
11022 		memcpy(settings->ciphers_pairwise, data, len);
11023 
11024 		for (i = 0; i < settings->n_ciphers_pairwise; i++)
11025 			if (!cfg80211_supported_cipher_suite(
11026 					&rdev->wiphy,
11027 					settings->ciphers_pairwise[i]))
11028 				return -EINVAL;
11029 	}
11030 
11031 	if (info->attrs[NL80211_ATTR_CIPHER_SUITE_GROUP]) {
11032 		settings->cipher_group =
11033 			nla_get_u32(info->attrs[NL80211_ATTR_CIPHER_SUITE_GROUP]);
11034 		if (!cfg80211_supported_cipher_suite(&rdev->wiphy,
11035 						     settings->cipher_group))
11036 			return -EINVAL;
11037 	}
11038 
11039 	if (info->attrs[NL80211_ATTR_WPA_VERSIONS])
11040 		settings->wpa_versions =
11041 			nla_get_u32(info->attrs[NL80211_ATTR_WPA_VERSIONS]);
11042 
11043 	if (info->attrs[NL80211_ATTR_AKM_SUITES]) {
11044 		void *data;
11045 		int len;
11046 
11047 		data = nla_data(info->attrs[NL80211_ATTR_AKM_SUITES]);
11048 		len = nla_len(info->attrs[NL80211_ATTR_AKM_SUITES]);
11049 		settings->n_akm_suites = len / sizeof(u32);
11050 
11051 		if (len % sizeof(u32))
11052 			return -EINVAL;
11053 
11054 		if (settings->n_akm_suites > rdev->wiphy.max_num_akm_suites)
11055 			return -EINVAL;
11056 
11057 		memcpy(settings->akm_suites, data, len);
11058 	}
11059 
11060 	if (info->attrs[NL80211_ATTR_PMK]) {
11061 		if (nla_len(info->attrs[NL80211_ATTR_PMK]) != WLAN_PMK_LEN)
11062 			return -EINVAL;
11063 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
11064 					     NL80211_EXT_FEATURE_4WAY_HANDSHAKE_STA_PSK) &&
11065 		    !wiphy_ext_feature_isset(&rdev->wiphy,
11066 					     NL80211_EXT_FEATURE_4WAY_HANDSHAKE_AP_PSK))
11067 			return -EINVAL;
11068 		settings->psk = nla_data(info->attrs[NL80211_ATTR_PMK]);
11069 	}
11070 
11071 	if (info->attrs[NL80211_ATTR_SAE_PASSWORD]) {
11072 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
11073 					     NL80211_EXT_FEATURE_SAE_OFFLOAD) &&
11074 		    !wiphy_ext_feature_isset(&rdev->wiphy,
11075 					     NL80211_EXT_FEATURE_SAE_OFFLOAD_AP))
11076 			return -EINVAL;
11077 		settings->sae_pwd =
11078 			nla_data(info->attrs[NL80211_ATTR_SAE_PASSWORD]);
11079 		settings->sae_pwd_len =
11080 			nla_len(info->attrs[NL80211_ATTR_SAE_PASSWORD]);
11081 	}
11082 
11083 	settings->sae_pwe =
11084 		nla_get_u8_default(info->attrs[NL80211_ATTR_SAE_PWE],
11085 				   NL80211_SAE_PWE_UNSPECIFIED);
11086 
11087 	return 0;
11088 }
11089 
11090 static struct cfg80211_bss *nl80211_assoc_bss(struct cfg80211_registered_device *rdev,
11091 					      const u8 *ssid, int ssid_len,
11092 					      struct nlattr **attrs,
11093 					      int assoc_link_id, int link_id)
11094 {
11095 	struct ieee80211_channel *chan;
11096 	struct cfg80211_bss *bss;
11097 	const u8 *bssid;
11098 	u32 freq, use_for = 0;
11099 
11100 	if (!attrs[NL80211_ATTR_MAC] || !attrs[NL80211_ATTR_WIPHY_FREQ])
11101 		return ERR_PTR(-EINVAL);
11102 
11103 	bssid = nla_data(attrs[NL80211_ATTR_MAC]);
11104 
11105 	freq = MHZ_TO_KHZ(nla_get_u32(attrs[NL80211_ATTR_WIPHY_FREQ]));
11106 	if (attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET])
11107 		freq += nla_get_u32(attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET]);
11108 
11109 	chan = nl80211_get_valid_chan(&rdev->wiphy, freq);
11110 	if (!chan)
11111 		return ERR_PTR(-EINVAL);
11112 
11113 	if (assoc_link_id >= 0)
11114 		use_for = NL80211_BSS_USE_FOR_MLD_LINK;
11115 	if (assoc_link_id == link_id)
11116 		use_for |= NL80211_BSS_USE_FOR_NORMAL;
11117 
11118 	bss = __cfg80211_get_bss(&rdev->wiphy, chan, bssid,
11119 				 ssid, ssid_len,
11120 				 IEEE80211_BSS_TYPE_ESS,
11121 				 IEEE80211_PRIVACY_ANY,
11122 				 use_for);
11123 	if (!bss)
11124 		return ERR_PTR(-ENOENT);
11125 
11126 	return bss;
11127 }
11128 
11129 static int nl80211_process_links(struct cfg80211_registered_device *rdev,
11130 				 struct cfg80211_assoc_link *links,
11131 				 const u8 *ssid, int ssid_len,
11132 				 struct genl_info *info)
11133 {
11134 	unsigned int attrsize = NUM_NL80211_ATTR * sizeof(struct nlattr *);
11135 	struct nlattr **attrs __free(kfree) = kzalloc(attrsize, GFP_KERNEL);
11136 	struct nlattr *link;
11137 	unsigned int link_id;
11138 	int rem, err;
11139 
11140 	if (!attrs)
11141 		return -ENOMEM;
11142 
11143 	nla_for_each_nested(link, info->attrs[NL80211_ATTR_MLO_LINKS], rem) {
11144 		memset(attrs, 0, attrsize);
11145 
11146 		nla_parse_nested(attrs, NL80211_ATTR_MAX, link, NULL, NULL);
11147 
11148 		if (!attrs[NL80211_ATTR_MLO_LINK_ID]) {
11149 			NL_SET_BAD_ATTR(info->extack, link);
11150 			return -EINVAL;
11151 		}
11152 
11153 		link_id = nla_get_u8(attrs[NL80211_ATTR_MLO_LINK_ID]);
11154 		/* cannot use the same link ID again */
11155 		if (links[link_id].bss) {
11156 			NL_SET_BAD_ATTR(info->extack, link);
11157 			return -EINVAL;
11158 		}
11159 		links[link_id].bss =
11160 			nl80211_assoc_bss(rdev, ssid, ssid_len, attrs,
11161 					  link_id, link_id);
11162 		if (IS_ERR(links[link_id].bss)) {
11163 			err = PTR_ERR(links[link_id].bss);
11164 			links[link_id].bss = NULL;
11165 			NL_SET_ERR_MSG_ATTR(info->extack, link,
11166 					    "Error fetching BSS for link");
11167 			return err;
11168 		}
11169 
11170 		if (attrs[NL80211_ATTR_IE]) {
11171 			links[link_id].elems = nla_data(attrs[NL80211_ATTR_IE]);
11172 			links[link_id].elems_len =
11173 				nla_len(attrs[NL80211_ATTR_IE]);
11174 
11175 			if (cfg80211_find_elem(WLAN_EID_FRAGMENT,
11176 					       links[link_id].elems,
11177 					       links[link_id].elems_len)) {
11178 				NL_SET_ERR_MSG_ATTR(info->extack,
11179 						    attrs[NL80211_ATTR_IE],
11180 						    "cannot deal with fragmentation");
11181 				return -EINVAL;
11182 			}
11183 
11184 			if (cfg80211_find_ext_elem(WLAN_EID_EXT_NON_INHERITANCE,
11185 						   links[link_id].elems,
11186 						   links[link_id].elems_len)) {
11187 				NL_SET_ERR_MSG_ATTR(info->extack,
11188 						    attrs[NL80211_ATTR_IE],
11189 						    "cannot deal with non-inheritance");
11190 				return -EINVAL;
11191 			}
11192 		}
11193 
11194 		links[link_id].disabled =
11195 			nla_get_flag(attrs[NL80211_ATTR_MLO_LINK_DISABLED]);
11196 	}
11197 
11198 	return 0;
11199 }
11200 
11201 static int nl80211_associate(struct sk_buff *skb, struct genl_info *info)
11202 {
11203 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11204 	struct net_device *dev = info->user_ptr[1];
11205 	struct cfg80211_assoc_request req = {};
11206 	const u8 *ap_addr, *ssid;
11207 	unsigned int link_id;
11208 	int err, ssid_len;
11209 
11210 	if (dev->ieee80211_ptr->conn_owner_nlportid &&
11211 	    dev->ieee80211_ptr->conn_owner_nlportid != info->snd_portid)
11212 		return -EPERM;
11213 
11214 	if (!info->attrs[NL80211_ATTR_SSID])
11215 		return -EINVAL;
11216 
11217 	if (!rdev->ops->assoc)
11218 		return -EOPNOTSUPP;
11219 
11220 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
11221 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
11222 		return -EOPNOTSUPP;
11223 
11224 	ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
11225 	ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
11226 
11227 	if (info->attrs[NL80211_ATTR_IE]) {
11228 		req.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
11229 		req.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
11230 
11231 		if (cfg80211_find_ext_elem(WLAN_EID_EXT_NON_INHERITANCE,
11232 					   req.ie, req.ie_len)) {
11233 			NL_SET_ERR_MSG_ATTR(info->extack,
11234 					    info->attrs[NL80211_ATTR_IE],
11235 					    "non-inheritance makes no sense");
11236 			return -EINVAL;
11237 		}
11238 	}
11239 
11240 	if (info->attrs[NL80211_ATTR_USE_MFP]) {
11241 		enum nl80211_mfp mfp =
11242 			nla_get_u32(info->attrs[NL80211_ATTR_USE_MFP]);
11243 		if (mfp == NL80211_MFP_REQUIRED)
11244 			req.use_mfp = true;
11245 		else if (mfp != NL80211_MFP_NO)
11246 			return -EINVAL;
11247 	}
11248 
11249 	if (info->attrs[NL80211_ATTR_PREV_BSSID])
11250 		req.prev_bssid = nla_data(info->attrs[NL80211_ATTR_PREV_BSSID]);
11251 
11252 	if (info->attrs[NL80211_ATTR_SUPPORTED_SELECTORS]) {
11253 		req.supported_selectors =
11254 			nla_data(info->attrs[NL80211_ATTR_SUPPORTED_SELECTORS]);
11255 		req.supported_selectors_len =
11256 			nla_len(info->attrs[NL80211_ATTR_SUPPORTED_SELECTORS]);
11257 	}
11258 
11259 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_HT]))
11260 		req.flags |= ASSOC_REQ_DISABLE_HT;
11261 
11262 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
11263 		memcpy(&req.ht_capa_mask,
11264 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK]),
11265 		       sizeof(req.ht_capa_mask));
11266 
11267 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY]) {
11268 		if (!info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
11269 			return -EINVAL;
11270 		memcpy(&req.ht_capa,
11271 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]),
11272 		       sizeof(req.ht_capa));
11273 	}
11274 
11275 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_VHT]))
11276 		req.flags |= ASSOC_REQ_DISABLE_VHT;
11277 
11278 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_HE]))
11279 		req.flags |= ASSOC_REQ_DISABLE_HE;
11280 
11281 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_EHT]))
11282 		req.flags |= ASSOC_REQ_DISABLE_EHT;
11283 
11284 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK])
11285 		memcpy(&req.vht_capa_mask,
11286 		       nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK]),
11287 		       sizeof(req.vht_capa_mask));
11288 
11289 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY]) {
11290 		if (!info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK])
11291 			return -EINVAL;
11292 		memcpy(&req.vht_capa,
11293 		       nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]),
11294 		       sizeof(req.vht_capa));
11295 	}
11296 
11297 	if (nla_get_flag(info->attrs[NL80211_ATTR_USE_RRM])) {
11298 		if (!((rdev->wiphy.features &
11299 			NL80211_FEATURE_DS_PARAM_SET_IE_IN_PROBES) &&
11300 		       (rdev->wiphy.features & NL80211_FEATURE_QUIET)) &&
11301 		    !wiphy_ext_feature_isset(&rdev->wiphy,
11302 					     NL80211_EXT_FEATURE_RRM))
11303 			return -EINVAL;
11304 		req.flags |= ASSOC_REQ_USE_RRM;
11305 	}
11306 
11307 	if (info->attrs[NL80211_ATTR_FILS_KEK]) {
11308 		req.fils_kek = nla_data(info->attrs[NL80211_ATTR_FILS_KEK]);
11309 		req.fils_kek_len = nla_len(info->attrs[NL80211_ATTR_FILS_KEK]);
11310 		if (!info->attrs[NL80211_ATTR_FILS_NONCES])
11311 			return -EINVAL;
11312 		req.fils_nonces =
11313 			nla_data(info->attrs[NL80211_ATTR_FILS_NONCES]);
11314 	}
11315 
11316 	if (info->attrs[NL80211_ATTR_S1G_CAPABILITY_MASK]) {
11317 		if (!info->attrs[NL80211_ATTR_S1G_CAPABILITY])
11318 			return -EINVAL;
11319 		memcpy(&req.s1g_capa_mask,
11320 		       nla_data(info->attrs[NL80211_ATTR_S1G_CAPABILITY_MASK]),
11321 		       sizeof(req.s1g_capa_mask));
11322 	}
11323 
11324 	if (info->attrs[NL80211_ATTR_S1G_CAPABILITY]) {
11325 		if (!info->attrs[NL80211_ATTR_S1G_CAPABILITY_MASK])
11326 			return -EINVAL;
11327 		memcpy(&req.s1g_capa,
11328 		       nla_data(info->attrs[NL80211_ATTR_S1G_CAPABILITY]),
11329 		       sizeof(req.s1g_capa));
11330 	}
11331 
11332 	if (nla_get_flag(info->attrs[NL80211_ATTR_ASSOC_SPP_AMSDU])) {
11333 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
11334 					     NL80211_EXT_FEATURE_SPP_AMSDU_SUPPORT)) {
11335 			GENL_SET_ERR_MSG(info, "SPP A-MSDUs not supported");
11336 			return -EINVAL;
11337 		}
11338 		req.flags |= ASSOC_REQ_SPP_AMSDU;
11339 	}
11340 
11341 	req.link_id = nl80211_link_id_or_invalid(info->attrs);
11342 
11343 	if (info->attrs[NL80211_ATTR_MLO_LINKS]) {
11344 		if (req.link_id < 0)
11345 			return -EINVAL;
11346 
11347 		if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_MLO))
11348 			return -EINVAL;
11349 
11350 		if (info->attrs[NL80211_ATTR_MAC] ||
11351 		    info->attrs[NL80211_ATTR_WIPHY_FREQ] ||
11352 		    !info->attrs[NL80211_ATTR_MLD_ADDR])
11353 			return -EINVAL;
11354 
11355 		req.ap_mld_addr = nla_data(info->attrs[NL80211_ATTR_MLD_ADDR]);
11356 		ap_addr = req.ap_mld_addr;
11357 
11358 		err = nl80211_process_links(rdev, req.links, ssid, ssid_len,
11359 					    info);
11360 		if (err)
11361 			goto free;
11362 
11363 		if (!req.links[req.link_id].bss) {
11364 			err = -EINVAL;
11365 			goto free;
11366 		}
11367 
11368 		if (req.links[req.link_id].elems_len) {
11369 			GENL_SET_ERR_MSG(info,
11370 					 "cannot have per-link elems on assoc link");
11371 			err = -EINVAL;
11372 			goto free;
11373 		}
11374 
11375 		if (req.links[req.link_id].disabled) {
11376 			GENL_SET_ERR_MSG(info,
11377 					 "cannot have assoc link disabled");
11378 			err = -EINVAL;
11379 			goto free;
11380 		}
11381 	} else {
11382 		if (req.link_id >= 0)
11383 			return -EINVAL;
11384 
11385 		req.bss = nl80211_assoc_bss(rdev, ssid, ssid_len, info->attrs,
11386 					    -1, -1);
11387 		if (IS_ERR(req.bss))
11388 			return PTR_ERR(req.bss);
11389 		ap_addr = req.bss->bssid;
11390 	}
11391 
11392 	err = nl80211_crypto_settings(rdev, info, &req.crypto, 1);
11393 	if (!err) {
11394 		struct nlattr *link;
11395 		int rem = 0;
11396 
11397 		err = cfg80211_mlme_assoc(rdev, dev, &req,
11398 					  info->extack);
11399 
11400 		if (!err && info->attrs[NL80211_ATTR_SOCKET_OWNER]) {
11401 			dev->ieee80211_ptr->conn_owner_nlportid =
11402 				info->snd_portid;
11403 			memcpy(dev->ieee80211_ptr->disconnect_bssid,
11404 			       ap_addr, ETH_ALEN);
11405 		}
11406 
11407 		/* Report error from first problematic link */
11408 		if (info->attrs[NL80211_ATTR_MLO_LINKS]) {
11409 			nla_for_each_nested(link,
11410 					    info->attrs[NL80211_ATTR_MLO_LINKS],
11411 					    rem) {
11412 				struct nlattr *link_id_attr =
11413 					nla_find_nested(link, NL80211_ATTR_MLO_LINK_ID);
11414 
11415 				if (!link_id_attr)
11416 					continue;
11417 
11418 				link_id = nla_get_u8(link_id_attr);
11419 
11420 				if (link_id == req.link_id)
11421 					continue;
11422 
11423 				if (!req.links[link_id].error ||
11424 				    WARN_ON(req.links[link_id].error > 0))
11425 					continue;
11426 
11427 				WARN_ON(err >= 0);
11428 
11429 				NL_SET_BAD_ATTR(info->extack, link);
11430 				err = req.links[link_id].error;
11431 				break;
11432 			}
11433 		}
11434 	}
11435 
11436 free:
11437 	for (link_id = 0; link_id < ARRAY_SIZE(req.links); link_id++)
11438 		cfg80211_put_bss(&rdev->wiphy, req.links[link_id].bss);
11439 	cfg80211_put_bss(&rdev->wiphy, req.bss);
11440 
11441 	return err;
11442 }
11443 
11444 static int nl80211_deauthenticate(struct sk_buff *skb, struct genl_info *info)
11445 {
11446 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11447 	struct net_device *dev = info->user_ptr[1];
11448 	const u8 *ie = NULL, *bssid;
11449 	int ie_len = 0;
11450 	u16 reason_code;
11451 	bool local_state_change;
11452 
11453 	if (dev->ieee80211_ptr->conn_owner_nlportid &&
11454 	    dev->ieee80211_ptr->conn_owner_nlportid != info->snd_portid)
11455 		return -EPERM;
11456 
11457 	if (!info->attrs[NL80211_ATTR_MAC])
11458 		return -EINVAL;
11459 
11460 	if (!info->attrs[NL80211_ATTR_REASON_CODE])
11461 		return -EINVAL;
11462 
11463 	if (!rdev->ops->deauth)
11464 		return -EOPNOTSUPP;
11465 
11466 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
11467 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
11468 		return -EOPNOTSUPP;
11469 
11470 	bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
11471 
11472 	reason_code = nla_get_u16(info->attrs[NL80211_ATTR_REASON_CODE]);
11473 	if (reason_code == 0) {
11474 		/* Reason Code 0 is reserved */
11475 		return -EINVAL;
11476 	}
11477 
11478 	if (info->attrs[NL80211_ATTR_IE]) {
11479 		ie = nla_data(info->attrs[NL80211_ATTR_IE]);
11480 		ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
11481 	}
11482 
11483 	local_state_change = !!info->attrs[NL80211_ATTR_LOCAL_STATE_CHANGE];
11484 
11485 	return cfg80211_mlme_deauth(rdev, dev, bssid, ie, ie_len, reason_code,
11486 				    local_state_change);
11487 }
11488 
11489 static int nl80211_disassociate(struct sk_buff *skb, struct genl_info *info)
11490 {
11491 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11492 	struct net_device *dev = info->user_ptr[1];
11493 	const u8 *ie = NULL, *bssid;
11494 	int ie_len = 0;
11495 	u16 reason_code;
11496 	bool local_state_change;
11497 
11498 	if (dev->ieee80211_ptr->conn_owner_nlportid &&
11499 	    dev->ieee80211_ptr->conn_owner_nlportid != info->snd_portid)
11500 		return -EPERM;
11501 
11502 	if (!info->attrs[NL80211_ATTR_MAC])
11503 		return -EINVAL;
11504 
11505 	if (!info->attrs[NL80211_ATTR_REASON_CODE])
11506 		return -EINVAL;
11507 
11508 	if (!rdev->ops->disassoc)
11509 		return -EOPNOTSUPP;
11510 
11511 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
11512 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
11513 		return -EOPNOTSUPP;
11514 
11515 	bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
11516 
11517 	reason_code = nla_get_u16(info->attrs[NL80211_ATTR_REASON_CODE]);
11518 	if (reason_code == 0) {
11519 		/* Reason Code 0 is reserved */
11520 		return -EINVAL;
11521 	}
11522 
11523 	if (info->attrs[NL80211_ATTR_IE]) {
11524 		ie = nla_data(info->attrs[NL80211_ATTR_IE]);
11525 		ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
11526 	}
11527 
11528 	local_state_change = !!info->attrs[NL80211_ATTR_LOCAL_STATE_CHANGE];
11529 
11530 	return cfg80211_mlme_disassoc(rdev, dev, bssid, ie, ie_len, reason_code,
11531 				      local_state_change);
11532 }
11533 
11534 static bool
11535 nl80211_parse_mcast_rate(struct cfg80211_registered_device *rdev,
11536 			 int mcast_rate[NUM_NL80211_BANDS],
11537 			 int rateval)
11538 {
11539 	struct wiphy *wiphy = &rdev->wiphy;
11540 	bool found = false;
11541 	int band, i;
11542 
11543 	for (band = 0; band < NUM_NL80211_BANDS; band++) {
11544 		struct ieee80211_supported_band *sband;
11545 
11546 		sband = wiphy->bands[band];
11547 		if (!sband)
11548 			continue;
11549 
11550 		for (i = 0; i < sband->n_bitrates; i++) {
11551 			if (sband->bitrates[i].bitrate == rateval) {
11552 				mcast_rate[band] = i + 1;
11553 				found = true;
11554 				break;
11555 			}
11556 		}
11557 	}
11558 
11559 	return found;
11560 }
11561 
11562 static int nl80211_join_ibss(struct sk_buff *skb, struct genl_info *info)
11563 {
11564 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11565 	struct net_device *dev = info->user_ptr[1];
11566 	struct cfg80211_ibss_params ibss;
11567 	struct wiphy *wiphy;
11568 	struct cfg80211_cached_keys *connkeys = NULL;
11569 	int err;
11570 
11571 	memset(&ibss, 0, sizeof(ibss));
11572 
11573 	if (!info->attrs[NL80211_ATTR_SSID] ||
11574 	    !nla_len(info->attrs[NL80211_ATTR_SSID]))
11575 		return -EINVAL;
11576 
11577 	ibss.beacon_interval = 100;
11578 
11579 	if (info->attrs[NL80211_ATTR_BEACON_INTERVAL])
11580 		ibss.beacon_interval =
11581 			nla_get_u32(info->attrs[NL80211_ATTR_BEACON_INTERVAL]);
11582 
11583 	err = cfg80211_validate_beacon_int(rdev, NL80211_IFTYPE_ADHOC,
11584 					   ibss.beacon_interval);
11585 	if (err)
11586 		return err;
11587 
11588 	if (!rdev->ops->join_ibss)
11589 		return -EOPNOTSUPP;
11590 
11591 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_ADHOC)
11592 		return -EOPNOTSUPP;
11593 
11594 	wiphy = &rdev->wiphy;
11595 
11596 	if (info->attrs[NL80211_ATTR_MAC]) {
11597 		ibss.bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
11598 
11599 		if (!is_valid_ether_addr(ibss.bssid))
11600 			return -EINVAL;
11601 	}
11602 	ibss.ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
11603 	ibss.ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
11604 
11605 	if (info->attrs[NL80211_ATTR_IE]) {
11606 		ibss.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
11607 		ibss.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
11608 	}
11609 
11610 	err = nl80211_parse_chandef(rdev, info, &ibss.chandef);
11611 	if (err)
11612 		return err;
11613 
11614 	if (!cfg80211_reg_can_beacon(&rdev->wiphy, &ibss.chandef,
11615 				     NL80211_IFTYPE_ADHOC))
11616 		return -EINVAL;
11617 
11618 	switch (ibss.chandef.width) {
11619 	case NL80211_CHAN_WIDTH_5:
11620 	case NL80211_CHAN_WIDTH_10:
11621 	case NL80211_CHAN_WIDTH_20_NOHT:
11622 		break;
11623 	case NL80211_CHAN_WIDTH_20:
11624 	case NL80211_CHAN_WIDTH_40:
11625 		if (!(rdev->wiphy.features & NL80211_FEATURE_HT_IBSS))
11626 			return -EINVAL;
11627 		break;
11628 	case NL80211_CHAN_WIDTH_80:
11629 	case NL80211_CHAN_WIDTH_80P80:
11630 	case NL80211_CHAN_WIDTH_160:
11631 		if (!(rdev->wiphy.features & NL80211_FEATURE_HT_IBSS))
11632 			return -EINVAL;
11633 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
11634 					     NL80211_EXT_FEATURE_VHT_IBSS))
11635 			return -EINVAL;
11636 		break;
11637 	case NL80211_CHAN_WIDTH_320:
11638 		return -EINVAL;
11639 	default:
11640 		return -EINVAL;
11641 	}
11642 
11643 	ibss.channel_fixed = !!info->attrs[NL80211_ATTR_FREQ_FIXED];
11644 	ibss.privacy = !!info->attrs[NL80211_ATTR_PRIVACY];
11645 
11646 	if (info->attrs[NL80211_ATTR_BSS_BASIC_RATES]) {
11647 		u8 *rates =
11648 			nla_data(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
11649 		int n_rates =
11650 			nla_len(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
11651 		struct ieee80211_supported_band *sband =
11652 			wiphy->bands[ibss.chandef.chan->band];
11653 
11654 		err = ieee80211_get_ratemask(sband, rates, n_rates,
11655 					     &ibss.basic_rates);
11656 		if (err)
11657 			return err;
11658 	}
11659 
11660 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
11661 		memcpy(&ibss.ht_capa_mask,
11662 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK]),
11663 		       sizeof(ibss.ht_capa_mask));
11664 
11665 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY]) {
11666 		if (!info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
11667 			return -EINVAL;
11668 		memcpy(&ibss.ht_capa,
11669 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]),
11670 		       sizeof(ibss.ht_capa));
11671 	}
11672 
11673 	if (info->attrs[NL80211_ATTR_MCAST_RATE] &&
11674 	    !nl80211_parse_mcast_rate(rdev, ibss.mcast_rate,
11675 			nla_get_u32(info->attrs[NL80211_ATTR_MCAST_RATE])))
11676 		return -EINVAL;
11677 
11678 	if (ibss.privacy && info->attrs[NL80211_ATTR_KEYS]) {
11679 		bool no_ht = false;
11680 
11681 		connkeys = nl80211_parse_connkeys(rdev, info, &no_ht);
11682 		if (IS_ERR(connkeys))
11683 			return PTR_ERR(connkeys);
11684 
11685 		if ((ibss.chandef.width != NL80211_CHAN_WIDTH_20_NOHT) &&
11686 		    no_ht) {
11687 			kfree_sensitive(connkeys);
11688 			return -EINVAL;
11689 		}
11690 	}
11691 
11692 	ibss.control_port =
11693 		nla_get_flag(info->attrs[NL80211_ATTR_CONTROL_PORT]);
11694 
11695 	if (info->attrs[NL80211_ATTR_CONTROL_PORT_OVER_NL80211]) {
11696 		int r = validate_pae_over_nl80211(rdev, info);
11697 
11698 		if (r < 0) {
11699 			kfree_sensitive(connkeys);
11700 			return r;
11701 		}
11702 
11703 		ibss.control_port_over_nl80211 = true;
11704 	}
11705 
11706 	ibss.userspace_handles_dfs =
11707 		nla_get_flag(info->attrs[NL80211_ATTR_HANDLE_DFS]);
11708 
11709 	err = __cfg80211_join_ibss(rdev, dev, &ibss, connkeys);
11710 	if (err)
11711 		kfree_sensitive(connkeys);
11712 	else if (info->attrs[NL80211_ATTR_SOCKET_OWNER])
11713 		dev->ieee80211_ptr->conn_owner_nlportid = info->snd_portid;
11714 
11715 	return err;
11716 }
11717 
11718 static int nl80211_leave_ibss(struct sk_buff *skb, struct genl_info *info)
11719 {
11720 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11721 	struct net_device *dev = info->user_ptr[1];
11722 
11723 	if (!rdev->ops->leave_ibss)
11724 		return -EOPNOTSUPP;
11725 
11726 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_ADHOC)
11727 		return -EOPNOTSUPP;
11728 
11729 	return cfg80211_leave_ibss(rdev, dev, false);
11730 }
11731 
11732 static int nl80211_set_mcast_rate(struct sk_buff *skb, struct genl_info *info)
11733 {
11734 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11735 	struct net_device *dev = info->user_ptr[1];
11736 	int mcast_rate[NUM_NL80211_BANDS];
11737 	u32 nla_rate;
11738 
11739 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_ADHOC &&
11740 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT &&
11741 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_OCB)
11742 		return -EOPNOTSUPP;
11743 
11744 	if (!rdev->ops->set_mcast_rate)
11745 		return -EOPNOTSUPP;
11746 
11747 	memset(mcast_rate, 0, sizeof(mcast_rate));
11748 
11749 	if (!info->attrs[NL80211_ATTR_MCAST_RATE])
11750 		return -EINVAL;
11751 
11752 	nla_rate = nla_get_u32(info->attrs[NL80211_ATTR_MCAST_RATE]);
11753 	if (!nl80211_parse_mcast_rate(rdev, mcast_rate, nla_rate))
11754 		return -EINVAL;
11755 
11756 	return rdev_set_mcast_rate(rdev, dev, mcast_rate);
11757 }
11758 
11759 static struct sk_buff *
11760 __cfg80211_alloc_vendor_skb(struct cfg80211_registered_device *rdev,
11761 			    struct wireless_dev *wdev, int approxlen,
11762 			    u32 portid, u32 seq, enum nl80211_commands cmd,
11763 			    enum nl80211_attrs attr,
11764 			    const struct nl80211_vendor_cmd_info *info,
11765 			    gfp_t gfp)
11766 {
11767 	struct sk_buff *skb;
11768 	void *hdr;
11769 	struct nlattr *data;
11770 
11771 	skb = nlmsg_new(approxlen + 100, gfp);
11772 	if (!skb)
11773 		return NULL;
11774 
11775 	hdr = nl80211hdr_put(skb, portid, seq, 0, cmd);
11776 	if (!hdr) {
11777 		kfree_skb(skb);
11778 		return NULL;
11779 	}
11780 
11781 	if (nla_put_u32(skb, NL80211_ATTR_WIPHY, rdev->wiphy_idx))
11782 		goto nla_put_failure;
11783 
11784 	if (info) {
11785 		if (nla_put_u32(skb, NL80211_ATTR_VENDOR_ID,
11786 				info->vendor_id))
11787 			goto nla_put_failure;
11788 		if (nla_put_u32(skb, NL80211_ATTR_VENDOR_SUBCMD,
11789 				info->subcmd))
11790 			goto nla_put_failure;
11791 	}
11792 
11793 	if (wdev) {
11794 		if (nla_put_u64_64bit(skb, NL80211_ATTR_WDEV,
11795 				      wdev_id(wdev), NL80211_ATTR_PAD))
11796 			goto nla_put_failure;
11797 		if (wdev->netdev &&
11798 		    nla_put_u32(skb, NL80211_ATTR_IFINDEX,
11799 				wdev->netdev->ifindex))
11800 			goto nla_put_failure;
11801 	}
11802 
11803 	data = nla_nest_start_noflag(skb, attr);
11804 	if (!data)
11805 		goto nla_put_failure;
11806 
11807 	((void **)skb->cb)[0] = rdev;
11808 	((void **)skb->cb)[1] = hdr;
11809 	((void **)skb->cb)[2] = data;
11810 
11811 	return skb;
11812 
11813  nla_put_failure:
11814 	kfree_skb(skb);
11815 	return NULL;
11816 }
11817 
11818 struct sk_buff *__cfg80211_alloc_event_skb(struct wiphy *wiphy,
11819 					   struct wireless_dev *wdev,
11820 					   enum nl80211_commands cmd,
11821 					   enum nl80211_attrs attr,
11822 					   unsigned int portid,
11823 					   int vendor_event_idx,
11824 					   int approxlen, gfp_t gfp)
11825 {
11826 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
11827 	const struct nl80211_vendor_cmd_info *info;
11828 
11829 	switch (cmd) {
11830 	case NL80211_CMD_TESTMODE:
11831 		if (WARN_ON(vendor_event_idx != -1))
11832 			return NULL;
11833 		info = NULL;
11834 		break;
11835 	case NL80211_CMD_VENDOR:
11836 		if (WARN_ON(vendor_event_idx < 0 ||
11837 			    vendor_event_idx >= wiphy->n_vendor_events))
11838 			return NULL;
11839 		info = &wiphy->vendor_events[vendor_event_idx];
11840 		break;
11841 	default:
11842 		WARN_ON(1);
11843 		return NULL;
11844 	}
11845 
11846 	return __cfg80211_alloc_vendor_skb(rdev, wdev, approxlen, portid, 0,
11847 					   cmd, attr, info, gfp);
11848 }
11849 EXPORT_SYMBOL(__cfg80211_alloc_event_skb);
11850 
11851 void __cfg80211_send_event_skb(struct sk_buff *skb, gfp_t gfp)
11852 {
11853 	struct cfg80211_registered_device *rdev = ((void **)skb->cb)[0];
11854 	void *hdr = ((void **)skb->cb)[1];
11855 	struct nlmsghdr *nlhdr = nlmsg_hdr(skb);
11856 	struct nlattr *data = ((void **)skb->cb)[2];
11857 	enum nl80211_multicast_groups mcgrp = NL80211_MCGRP_TESTMODE;
11858 
11859 	/* clear CB data for netlink core to own from now on */
11860 	memset(skb->cb, 0, sizeof(skb->cb));
11861 
11862 	nla_nest_end(skb, data);
11863 	genlmsg_end(skb, hdr);
11864 
11865 	if (nlhdr->nlmsg_pid) {
11866 		genlmsg_unicast(wiphy_net(&rdev->wiphy), skb,
11867 				nlhdr->nlmsg_pid);
11868 	} else {
11869 		if (data->nla_type == NL80211_ATTR_VENDOR_DATA)
11870 			mcgrp = NL80211_MCGRP_VENDOR;
11871 
11872 		genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy),
11873 					skb, 0, mcgrp, gfp);
11874 	}
11875 }
11876 EXPORT_SYMBOL(__cfg80211_send_event_skb);
11877 
11878 #ifdef CONFIG_NL80211_TESTMODE
11879 static int nl80211_testmode_do(struct sk_buff *skb, struct genl_info *info)
11880 {
11881 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11882 	struct wireless_dev *wdev;
11883 	int err;
11884 
11885 	lockdep_assert_held(&rdev->wiphy.mtx);
11886 
11887 	wdev = __cfg80211_wdev_from_attrs(rdev, genl_info_net(info),
11888 					  info->attrs);
11889 
11890 	if (!rdev->ops->testmode_cmd)
11891 		return -EOPNOTSUPP;
11892 
11893 	if (IS_ERR(wdev)) {
11894 		err = PTR_ERR(wdev);
11895 		if (err != -EINVAL)
11896 			return err;
11897 		wdev = NULL;
11898 	} else if (wdev->wiphy != &rdev->wiphy) {
11899 		return -EINVAL;
11900 	}
11901 
11902 	if (!info->attrs[NL80211_ATTR_TESTDATA])
11903 		return -EINVAL;
11904 
11905 	rdev->cur_cmd_info = info;
11906 	err = rdev_testmode_cmd(rdev, wdev,
11907 				nla_data(info->attrs[NL80211_ATTR_TESTDATA]),
11908 				nla_len(info->attrs[NL80211_ATTR_TESTDATA]));
11909 	rdev->cur_cmd_info = NULL;
11910 
11911 	return err;
11912 }
11913 
11914 static int nl80211_testmode_dump(struct sk_buff *skb,
11915 				 struct netlink_callback *cb)
11916 {
11917 	struct cfg80211_registered_device *rdev;
11918 	struct nlattr **attrbuf = NULL;
11919 	int err;
11920 	long phy_idx;
11921 	void *data = NULL;
11922 	int data_len = 0;
11923 
11924 	rtnl_lock();
11925 
11926 	if (cb->args[0]) {
11927 		/*
11928 		 * 0 is a valid index, but not valid for args[0],
11929 		 * so we need to offset by 1.
11930 		 */
11931 		phy_idx = cb->args[0] - 1;
11932 
11933 		rdev = cfg80211_rdev_by_wiphy_idx(phy_idx);
11934 		if (!rdev) {
11935 			err = -ENOENT;
11936 			goto out_err;
11937 		}
11938 	} else {
11939 		attrbuf = kcalloc(NUM_NL80211_ATTR, sizeof(*attrbuf),
11940 				  GFP_KERNEL);
11941 		if (!attrbuf) {
11942 			err = -ENOMEM;
11943 			goto out_err;
11944 		}
11945 
11946 		err = nlmsg_parse_deprecated(cb->nlh,
11947 					     GENL_HDRLEN + nl80211_fam.hdrsize,
11948 					     attrbuf, nl80211_fam.maxattr,
11949 					     nl80211_policy, NULL);
11950 		if (err)
11951 			goto out_err;
11952 
11953 		rdev = __cfg80211_rdev_from_attrs(sock_net(skb->sk), attrbuf);
11954 		if (IS_ERR(rdev)) {
11955 			err = PTR_ERR(rdev);
11956 			goto out_err;
11957 		}
11958 		phy_idx = rdev->wiphy_idx;
11959 
11960 		if (attrbuf[NL80211_ATTR_TESTDATA])
11961 			cb->args[1] = (long)attrbuf[NL80211_ATTR_TESTDATA];
11962 	}
11963 
11964 	if (cb->args[1]) {
11965 		data = nla_data((void *)cb->args[1]);
11966 		data_len = nla_len((void *)cb->args[1]);
11967 	}
11968 
11969 	if (!rdev->ops->testmode_dump) {
11970 		err = -EOPNOTSUPP;
11971 		goto out_err;
11972 	}
11973 
11974 	while (1) {
11975 		void *hdr = nl80211hdr_put(skb, NETLINK_CB(cb->skb).portid,
11976 					   cb->nlh->nlmsg_seq, NLM_F_MULTI,
11977 					   NL80211_CMD_TESTMODE);
11978 		struct nlattr *tmdata;
11979 
11980 		if (!hdr)
11981 			break;
11982 
11983 		if (nla_put_u32(skb, NL80211_ATTR_WIPHY, phy_idx)) {
11984 			genlmsg_cancel(skb, hdr);
11985 			break;
11986 		}
11987 
11988 		tmdata = nla_nest_start_noflag(skb, NL80211_ATTR_TESTDATA);
11989 		if (!tmdata) {
11990 			genlmsg_cancel(skb, hdr);
11991 			break;
11992 		}
11993 		err = rdev_testmode_dump(rdev, skb, cb, data, data_len);
11994 		nla_nest_end(skb, tmdata);
11995 
11996 		if (err == -ENOBUFS || err == -ENOENT) {
11997 			genlmsg_cancel(skb, hdr);
11998 			break;
11999 		} else if (err) {
12000 			genlmsg_cancel(skb, hdr);
12001 			goto out_err;
12002 		}
12003 
12004 		genlmsg_end(skb, hdr);
12005 	}
12006 
12007 	err = skb->len;
12008 	/* see above */
12009 	cb->args[0] = phy_idx + 1;
12010  out_err:
12011 	kfree(attrbuf);
12012 	rtnl_unlock();
12013 	return err;
12014 }
12015 #endif
12016 
12017 static int nl80211_connect(struct sk_buff *skb, struct genl_info *info)
12018 {
12019 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12020 	struct net_device *dev = info->user_ptr[1];
12021 	struct cfg80211_connect_params connect;
12022 	struct wiphy *wiphy;
12023 	struct cfg80211_cached_keys *connkeys = NULL;
12024 	u32 freq = 0;
12025 	int err;
12026 
12027 	memset(&connect, 0, sizeof(connect));
12028 
12029 	if (!info->attrs[NL80211_ATTR_SSID] ||
12030 	    !nla_len(info->attrs[NL80211_ATTR_SSID]))
12031 		return -EINVAL;
12032 
12033 	if (info->attrs[NL80211_ATTR_AUTH_TYPE]) {
12034 		connect.auth_type =
12035 			nla_get_u32(info->attrs[NL80211_ATTR_AUTH_TYPE]);
12036 		if (!nl80211_valid_auth_type(rdev, connect.auth_type,
12037 					     NL80211_CMD_CONNECT))
12038 			return -EINVAL;
12039 	} else
12040 		connect.auth_type = NL80211_AUTHTYPE_AUTOMATIC;
12041 
12042 	connect.privacy = info->attrs[NL80211_ATTR_PRIVACY];
12043 
12044 	if (info->attrs[NL80211_ATTR_WANT_1X_4WAY_HS] &&
12045 	    !wiphy_ext_feature_isset(&rdev->wiphy,
12046 				     NL80211_EXT_FEATURE_4WAY_HANDSHAKE_STA_1X))
12047 		return -EINVAL;
12048 	connect.want_1x = info->attrs[NL80211_ATTR_WANT_1X_4WAY_HS];
12049 
12050 	err = nl80211_crypto_settings(rdev, info, &connect.crypto,
12051 				      NL80211_MAX_NR_CIPHER_SUITES);
12052 	if (err)
12053 		return err;
12054 
12055 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
12056 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
12057 		return -EOPNOTSUPP;
12058 
12059 	wiphy = &rdev->wiphy;
12060 
12061 	connect.bg_scan_period = -1;
12062 	if (info->attrs[NL80211_ATTR_BG_SCAN_PERIOD] &&
12063 		(wiphy->flags & WIPHY_FLAG_SUPPORTS_FW_ROAM)) {
12064 		connect.bg_scan_period =
12065 			nla_get_u16(info->attrs[NL80211_ATTR_BG_SCAN_PERIOD]);
12066 	}
12067 
12068 	if (info->attrs[NL80211_ATTR_MAC])
12069 		connect.bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
12070 	else if (info->attrs[NL80211_ATTR_MAC_HINT])
12071 		connect.bssid_hint =
12072 			nla_data(info->attrs[NL80211_ATTR_MAC_HINT]);
12073 	connect.ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
12074 	connect.ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
12075 
12076 	if (info->attrs[NL80211_ATTR_IE]) {
12077 		connect.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
12078 		connect.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
12079 	}
12080 
12081 	if (info->attrs[NL80211_ATTR_USE_MFP]) {
12082 		connect.mfp = nla_get_u32(info->attrs[NL80211_ATTR_USE_MFP]);
12083 		if (connect.mfp == NL80211_MFP_OPTIONAL &&
12084 		    !wiphy_ext_feature_isset(&rdev->wiphy,
12085 					     NL80211_EXT_FEATURE_MFP_OPTIONAL))
12086 			return -EOPNOTSUPP;
12087 	} else {
12088 		connect.mfp = NL80211_MFP_NO;
12089 	}
12090 
12091 	if (info->attrs[NL80211_ATTR_PREV_BSSID])
12092 		connect.prev_bssid =
12093 			nla_data(info->attrs[NL80211_ATTR_PREV_BSSID]);
12094 
12095 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ])
12096 		freq = MHZ_TO_KHZ(nla_get_u32(
12097 					info->attrs[NL80211_ATTR_WIPHY_FREQ]));
12098 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET])
12099 		freq +=
12100 		    nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET]);
12101 
12102 	if (freq) {
12103 		connect.channel = nl80211_get_valid_chan(wiphy, freq);
12104 		if (!connect.channel)
12105 			return -EINVAL;
12106 	} else if (info->attrs[NL80211_ATTR_WIPHY_FREQ_HINT]) {
12107 		freq = nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ_HINT]);
12108 		freq = MHZ_TO_KHZ(freq);
12109 		connect.channel_hint = nl80211_get_valid_chan(wiphy, freq);
12110 		if (!connect.channel_hint)
12111 			return -EINVAL;
12112 	}
12113 
12114 	if (info->attrs[NL80211_ATTR_WIPHY_EDMG_CHANNELS]) {
12115 		connect.edmg.channels =
12116 		      nla_get_u8(info->attrs[NL80211_ATTR_WIPHY_EDMG_CHANNELS]);
12117 
12118 		if (info->attrs[NL80211_ATTR_WIPHY_EDMG_BW_CONFIG])
12119 			connect.edmg.bw_config =
12120 				nla_get_u8(info->attrs[NL80211_ATTR_WIPHY_EDMG_BW_CONFIG]);
12121 	}
12122 
12123 	if (connect.privacy && info->attrs[NL80211_ATTR_KEYS]) {
12124 		connkeys = nl80211_parse_connkeys(rdev, info, NULL);
12125 		if (IS_ERR(connkeys))
12126 			return PTR_ERR(connkeys);
12127 	}
12128 
12129 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_HT]))
12130 		connect.flags |= ASSOC_REQ_DISABLE_HT;
12131 
12132 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
12133 		memcpy(&connect.ht_capa_mask,
12134 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK]),
12135 		       sizeof(connect.ht_capa_mask));
12136 
12137 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY]) {
12138 		if (!info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK]) {
12139 			kfree_sensitive(connkeys);
12140 			return -EINVAL;
12141 		}
12142 		memcpy(&connect.ht_capa,
12143 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]),
12144 		       sizeof(connect.ht_capa));
12145 	}
12146 
12147 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_VHT]))
12148 		connect.flags |= ASSOC_REQ_DISABLE_VHT;
12149 
12150 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_HE]))
12151 		connect.flags |= ASSOC_REQ_DISABLE_HE;
12152 
12153 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_EHT]))
12154 		connect.flags |= ASSOC_REQ_DISABLE_EHT;
12155 
12156 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK])
12157 		memcpy(&connect.vht_capa_mask,
12158 		       nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK]),
12159 		       sizeof(connect.vht_capa_mask));
12160 
12161 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY]) {
12162 		if (!info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK]) {
12163 			kfree_sensitive(connkeys);
12164 			return -EINVAL;
12165 		}
12166 		memcpy(&connect.vht_capa,
12167 		       nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]),
12168 		       sizeof(connect.vht_capa));
12169 	}
12170 
12171 	if (nla_get_flag(info->attrs[NL80211_ATTR_USE_RRM])) {
12172 		if (!((rdev->wiphy.features &
12173 			NL80211_FEATURE_DS_PARAM_SET_IE_IN_PROBES) &&
12174 		       (rdev->wiphy.features & NL80211_FEATURE_QUIET)) &&
12175 		    !wiphy_ext_feature_isset(&rdev->wiphy,
12176 					     NL80211_EXT_FEATURE_RRM)) {
12177 			kfree_sensitive(connkeys);
12178 			return -EINVAL;
12179 		}
12180 		connect.flags |= ASSOC_REQ_USE_RRM;
12181 	}
12182 
12183 	connect.pbss = nla_get_flag(info->attrs[NL80211_ATTR_PBSS]);
12184 	if (connect.pbss && !rdev->wiphy.bands[NL80211_BAND_60GHZ]) {
12185 		kfree_sensitive(connkeys);
12186 		return -EOPNOTSUPP;
12187 	}
12188 
12189 	if (info->attrs[NL80211_ATTR_BSS_SELECT]) {
12190 		/* bss selection makes no sense if bssid is set */
12191 		if (connect.bssid) {
12192 			kfree_sensitive(connkeys);
12193 			return -EINVAL;
12194 		}
12195 
12196 		err = parse_bss_select(info->attrs[NL80211_ATTR_BSS_SELECT],
12197 				       wiphy, &connect.bss_select);
12198 		if (err) {
12199 			kfree_sensitive(connkeys);
12200 			return err;
12201 		}
12202 	}
12203 
12204 	if (wiphy_ext_feature_isset(&rdev->wiphy,
12205 				    NL80211_EXT_FEATURE_FILS_SK_OFFLOAD) &&
12206 	    info->attrs[NL80211_ATTR_FILS_ERP_USERNAME] &&
12207 	    info->attrs[NL80211_ATTR_FILS_ERP_REALM] &&
12208 	    info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM] &&
12209 	    info->attrs[NL80211_ATTR_FILS_ERP_RRK]) {
12210 		connect.fils_erp_username =
12211 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_USERNAME]);
12212 		connect.fils_erp_username_len =
12213 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_USERNAME]);
12214 		connect.fils_erp_realm =
12215 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_REALM]);
12216 		connect.fils_erp_realm_len =
12217 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_REALM]);
12218 		connect.fils_erp_next_seq_num =
12219 			nla_get_u16(
12220 			   info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM]);
12221 		connect.fils_erp_rrk =
12222 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_RRK]);
12223 		connect.fils_erp_rrk_len =
12224 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_RRK]);
12225 	} else if (info->attrs[NL80211_ATTR_FILS_ERP_USERNAME] ||
12226 		   info->attrs[NL80211_ATTR_FILS_ERP_REALM] ||
12227 		   info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM] ||
12228 		   info->attrs[NL80211_ATTR_FILS_ERP_RRK]) {
12229 		kfree_sensitive(connkeys);
12230 		return -EINVAL;
12231 	}
12232 
12233 	if (nla_get_flag(info->attrs[NL80211_ATTR_EXTERNAL_AUTH_SUPPORT])) {
12234 		if (!info->attrs[NL80211_ATTR_SOCKET_OWNER]) {
12235 			kfree_sensitive(connkeys);
12236 			GENL_SET_ERR_MSG(info,
12237 					 "external auth requires connection ownership");
12238 			return -EINVAL;
12239 		}
12240 		connect.flags |= CONNECT_REQ_EXTERNAL_AUTH_SUPPORT;
12241 	}
12242 
12243 	if (nla_get_flag(info->attrs[NL80211_ATTR_MLO_SUPPORT]))
12244 		connect.flags |= CONNECT_REQ_MLO_SUPPORT;
12245 
12246 	err = cfg80211_connect(rdev, dev, &connect, connkeys,
12247 			       connect.prev_bssid);
12248 	if (err)
12249 		kfree_sensitive(connkeys);
12250 
12251 	if (!err && info->attrs[NL80211_ATTR_SOCKET_OWNER]) {
12252 		dev->ieee80211_ptr->conn_owner_nlportid = info->snd_portid;
12253 		if (connect.bssid)
12254 			memcpy(dev->ieee80211_ptr->disconnect_bssid,
12255 			       connect.bssid, ETH_ALEN);
12256 		else
12257 			eth_zero_addr(dev->ieee80211_ptr->disconnect_bssid);
12258 	}
12259 
12260 	return err;
12261 }
12262 
12263 static int nl80211_update_connect_params(struct sk_buff *skb,
12264 					 struct genl_info *info)
12265 {
12266 	struct cfg80211_connect_params connect = {};
12267 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12268 	struct net_device *dev = info->user_ptr[1];
12269 	struct wireless_dev *wdev = dev->ieee80211_ptr;
12270 	bool fils_sk_offload;
12271 	u32 auth_type;
12272 	u32 changed = 0;
12273 
12274 	if (!rdev->ops->update_connect_params)
12275 		return -EOPNOTSUPP;
12276 
12277 	if (info->attrs[NL80211_ATTR_IE]) {
12278 		connect.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
12279 		connect.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
12280 		changed |= UPDATE_ASSOC_IES;
12281 	}
12282 
12283 	fils_sk_offload = wiphy_ext_feature_isset(&rdev->wiphy,
12284 						  NL80211_EXT_FEATURE_FILS_SK_OFFLOAD);
12285 
12286 	/*
12287 	 * when driver supports fils-sk offload all attributes must be
12288 	 * provided. So the else covers "fils-sk-not-all" and
12289 	 * "no-fils-sk-any".
12290 	 */
12291 	if (fils_sk_offload &&
12292 	    info->attrs[NL80211_ATTR_FILS_ERP_USERNAME] &&
12293 	    info->attrs[NL80211_ATTR_FILS_ERP_REALM] &&
12294 	    info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM] &&
12295 	    info->attrs[NL80211_ATTR_FILS_ERP_RRK]) {
12296 		connect.fils_erp_username =
12297 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_USERNAME]);
12298 		connect.fils_erp_username_len =
12299 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_USERNAME]);
12300 		connect.fils_erp_realm =
12301 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_REALM]);
12302 		connect.fils_erp_realm_len =
12303 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_REALM]);
12304 		connect.fils_erp_next_seq_num =
12305 			nla_get_u16(
12306 			   info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM]);
12307 		connect.fils_erp_rrk =
12308 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_RRK]);
12309 		connect.fils_erp_rrk_len =
12310 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_RRK]);
12311 		changed |= UPDATE_FILS_ERP_INFO;
12312 	} else if (info->attrs[NL80211_ATTR_FILS_ERP_USERNAME] ||
12313 		   info->attrs[NL80211_ATTR_FILS_ERP_REALM] ||
12314 		   info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM] ||
12315 		   info->attrs[NL80211_ATTR_FILS_ERP_RRK]) {
12316 		return -EINVAL;
12317 	}
12318 
12319 	if (info->attrs[NL80211_ATTR_AUTH_TYPE]) {
12320 		auth_type = nla_get_u32(info->attrs[NL80211_ATTR_AUTH_TYPE]);
12321 		if (!nl80211_valid_auth_type(rdev, auth_type,
12322 					     NL80211_CMD_CONNECT))
12323 			return -EINVAL;
12324 
12325 		if (auth_type == NL80211_AUTHTYPE_FILS_SK &&
12326 		    fils_sk_offload && !(changed & UPDATE_FILS_ERP_INFO))
12327 			return -EINVAL;
12328 
12329 		connect.auth_type = auth_type;
12330 		changed |= UPDATE_AUTH_TYPE;
12331 	}
12332 
12333 	if (!wdev->connected)
12334 		return -ENOLINK;
12335 
12336 	return rdev_update_connect_params(rdev, dev, &connect, changed);
12337 }
12338 
12339 static int nl80211_disconnect(struct sk_buff *skb, struct genl_info *info)
12340 {
12341 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12342 	struct net_device *dev = info->user_ptr[1];
12343 	u16 reason;
12344 
12345 	if (dev->ieee80211_ptr->conn_owner_nlportid &&
12346 	    dev->ieee80211_ptr->conn_owner_nlportid != info->snd_portid)
12347 		return -EPERM;
12348 
12349 	reason = nla_get_u16_default(info->attrs[NL80211_ATTR_REASON_CODE],
12350 				     WLAN_REASON_DEAUTH_LEAVING);
12351 
12352 	if (reason == 0)
12353 		return -EINVAL;
12354 
12355 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
12356 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
12357 		return -EOPNOTSUPP;
12358 
12359 	return cfg80211_disconnect(rdev, dev, reason, true);
12360 }
12361 
12362 static int nl80211_wiphy_netns(struct sk_buff *skb, struct genl_info *info)
12363 {
12364 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12365 	struct net *net;
12366 	int err;
12367 
12368 	if (info->attrs[NL80211_ATTR_PID]) {
12369 		u32 pid = nla_get_u32(info->attrs[NL80211_ATTR_PID]);
12370 
12371 		net = get_net_ns_by_pid(pid);
12372 	} else if (info->attrs[NL80211_ATTR_NETNS_FD]) {
12373 		u32 fd = nla_get_u32(info->attrs[NL80211_ATTR_NETNS_FD]);
12374 
12375 		net = get_net_ns_by_fd(fd);
12376 	} else {
12377 		return -EINVAL;
12378 	}
12379 
12380 	if (IS_ERR(net))
12381 		return PTR_ERR(net);
12382 
12383 	err = 0;
12384 
12385 	/* check if anything to do */
12386 	if (!net_eq(wiphy_net(&rdev->wiphy), net))
12387 		err = cfg80211_switch_netns(rdev, net);
12388 
12389 	put_net(net);
12390 	return err;
12391 }
12392 
12393 static int nl80211_set_pmksa(struct sk_buff *skb, struct genl_info *info)
12394 {
12395 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12396 	struct net_device *dev = info->user_ptr[1];
12397 	struct cfg80211_pmksa pmksa;
12398 	bool ap_pmksa_caching_support = false;
12399 
12400 	memset(&pmksa, 0, sizeof(struct cfg80211_pmksa));
12401 
12402 	ap_pmksa_caching_support = wiphy_ext_feature_isset(&rdev->wiphy,
12403 		NL80211_EXT_FEATURE_AP_PMKSA_CACHING);
12404 
12405 	if (!info->attrs[NL80211_ATTR_PMKID])
12406 		return -EINVAL;
12407 
12408 	pmksa.pmkid = nla_data(info->attrs[NL80211_ATTR_PMKID]);
12409 
12410 	if (info->attrs[NL80211_ATTR_MAC]) {
12411 		pmksa.bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
12412 	} else if (info->attrs[NL80211_ATTR_SSID] &&
12413 	           info->attrs[NL80211_ATTR_FILS_CACHE_ID] &&
12414 	           info->attrs[NL80211_ATTR_PMK]) {
12415 		pmksa.ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
12416 		pmksa.ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
12417 		pmksa.cache_id = nla_data(info->attrs[NL80211_ATTR_FILS_CACHE_ID]);
12418 	} else {
12419 		return -EINVAL;
12420 	}
12421 
12422 	if (info->attrs[NL80211_ATTR_PMK]) {
12423 		pmksa.pmk = nla_data(info->attrs[NL80211_ATTR_PMK]);
12424 		pmksa.pmk_len = nla_len(info->attrs[NL80211_ATTR_PMK]);
12425 	}
12426 
12427 	if (info->attrs[NL80211_ATTR_PMK_LIFETIME])
12428 		pmksa.pmk_lifetime =
12429 			nla_get_u32(info->attrs[NL80211_ATTR_PMK_LIFETIME]);
12430 
12431 	if (info->attrs[NL80211_ATTR_PMK_REAUTH_THRESHOLD])
12432 		pmksa.pmk_reauth_threshold =
12433 			nla_get_u8(info->attrs[NL80211_ATTR_PMK_REAUTH_THRESHOLD]);
12434 
12435 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
12436 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT &&
12437 	    !((dev->ieee80211_ptr->iftype == NL80211_IFTYPE_AP ||
12438 	       dev->ieee80211_ptr->iftype == NL80211_IFTYPE_P2P_GO) &&
12439 	       ap_pmksa_caching_support))
12440 		return -EOPNOTSUPP;
12441 
12442 	if (!rdev->ops->set_pmksa)
12443 		return -EOPNOTSUPP;
12444 
12445 	return rdev_set_pmksa(rdev, dev, &pmksa);
12446 }
12447 
12448 static int nl80211_del_pmksa(struct sk_buff *skb, struct genl_info *info)
12449 {
12450 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12451 	struct net_device *dev = info->user_ptr[1];
12452 	struct cfg80211_pmksa pmksa;
12453 	bool sae_offload_support = false;
12454 	bool owe_offload_support = false;
12455 	bool ap_pmksa_caching_support = false;
12456 
12457 	memset(&pmksa, 0, sizeof(struct cfg80211_pmksa));
12458 
12459 	sae_offload_support = wiphy_ext_feature_isset(&rdev->wiphy,
12460 		NL80211_EXT_FEATURE_SAE_OFFLOAD);
12461 	owe_offload_support = wiphy_ext_feature_isset(&rdev->wiphy,
12462 		NL80211_EXT_FEATURE_OWE_OFFLOAD);
12463 	ap_pmksa_caching_support = wiphy_ext_feature_isset(&rdev->wiphy,
12464 		NL80211_EXT_FEATURE_AP_PMKSA_CACHING);
12465 
12466 	if (info->attrs[NL80211_ATTR_PMKID])
12467 		pmksa.pmkid = nla_data(info->attrs[NL80211_ATTR_PMKID]);
12468 
12469 	if (info->attrs[NL80211_ATTR_MAC]) {
12470 		pmksa.bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
12471 	} else if (info->attrs[NL80211_ATTR_SSID]) {
12472 		/* SSID based pmksa flush supported only for FILS,
12473 		 * OWE/SAE OFFLOAD cases
12474 		 */
12475 		if (info->attrs[NL80211_ATTR_FILS_CACHE_ID] &&
12476 		    info->attrs[NL80211_ATTR_PMK]) {
12477 			pmksa.cache_id = nla_data(info->attrs[NL80211_ATTR_FILS_CACHE_ID]);
12478 		} else if (!sae_offload_support && !owe_offload_support) {
12479 			return -EINVAL;
12480 		}
12481 		pmksa.ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
12482 		pmksa.ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
12483 	} else {
12484 		return -EINVAL;
12485 	}
12486 
12487 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
12488 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT &&
12489 	    !((dev->ieee80211_ptr->iftype == NL80211_IFTYPE_AP ||
12490 	       dev->ieee80211_ptr->iftype == NL80211_IFTYPE_P2P_GO) &&
12491 	       ap_pmksa_caching_support))
12492 		return -EOPNOTSUPP;
12493 
12494 	if (!rdev->ops->del_pmksa)
12495 		return -EOPNOTSUPP;
12496 
12497 	return rdev_del_pmksa(rdev, dev, &pmksa);
12498 }
12499 
12500 static int nl80211_flush_pmksa(struct sk_buff *skb, struct genl_info *info)
12501 {
12502 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12503 	struct net_device *dev = info->user_ptr[1];
12504 
12505 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
12506 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
12507 		return -EOPNOTSUPP;
12508 
12509 	if (!rdev->ops->flush_pmksa)
12510 		return -EOPNOTSUPP;
12511 
12512 	return rdev_flush_pmksa(rdev, dev);
12513 }
12514 
12515 static int nl80211_tdls_mgmt(struct sk_buff *skb, struct genl_info *info)
12516 {
12517 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12518 	struct net_device *dev = info->user_ptr[1];
12519 	u8 action_code, dialog_token;
12520 	u32 peer_capability = 0;
12521 	u16 status_code;
12522 	u8 *peer;
12523 	int link_id;
12524 	bool initiator;
12525 
12526 	if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) ||
12527 	    !rdev->ops->tdls_mgmt)
12528 		return -EOPNOTSUPP;
12529 
12530 	if (!info->attrs[NL80211_ATTR_TDLS_ACTION] ||
12531 	    !info->attrs[NL80211_ATTR_STATUS_CODE] ||
12532 	    !info->attrs[NL80211_ATTR_TDLS_DIALOG_TOKEN] ||
12533 	    !info->attrs[NL80211_ATTR_IE] ||
12534 	    !info->attrs[NL80211_ATTR_MAC])
12535 		return -EINVAL;
12536 
12537 	peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
12538 	action_code = nla_get_u8(info->attrs[NL80211_ATTR_TDLS_ACTION]);
12539 	status_code = nla_get_u16(info->attrs[NL80211_ATTR_STATUS_CODE]);
12540 	dialog_token = nla_get_u8(info->attrs[NL80211_ATTR_TDLS_DIALOG_TOKEN]);
12541 	initiator = nla_get_flag(info->attrs[NL80211_ATTR_TDLS_INITIATOR]);
12542 	if (info->attrs[NL80211_ATTR_TDLS_PEER_CAPABILITY])
12543 		peer_capability =
12544 			nla_get_u32(info->attrs[NL80211_ATTR_TDLS_PEER_CAPABILITY]);
12545 	link_id = nl80211_link_id_or_invalid(info->attrs);
12546 
12547 	return rdev_tdls_mgmt(rdev, dev, peer, link_id, action_code,
12548 			      dialog_token, status_code, peer_capability,
12549 			      initiator,
12550 			      nla_data(info->attrs[NL80211_ATTR_IE]),
12551 			      nla_len(info->attrs[NL80211_ATTR_IE]));
12552 }
12553 
12554 static int nl80211_tdls_oper(struct sk_buff *skb, struct genl_info *info)
12555 {
12556 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12557 	struct net_device *dev = info->user_ptr[1];
12558 	enum nl80211_tdls_operation operation;
12559 	u8 *peer;
12560 
12561 	if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) ||
12562 	    !rdev->ops->tdls_oper)
12563 		return -EOPNOTSUPP;
12564 
12565 	if (!info->attrs[NL80211_ATTR_TDLS_OPERATION] ||
12566 	    !info->attrs[NL80211_ATTR_MAC])
12567 		return -EINVAL;
12568 
12569 	operation = nla_get_u8(info->attrs[NL80211_ATTR_TDLS_OPERATION]);
12570 	peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
12571 
12572 	return rdev_tdls_oper(rdev, dev, peer, operation);
12573 }
12574 
12575 static int nl80211_remain_on_channel(struct sk_buff *skb,
12576 				     struct genl_info *info)
12577 {
12578 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12579 	unsigned int link_id = nl80211_link_id(info->attrs);
12580 	struct wireless_dev *wdev = info->user_ptr[1];
12581 	struct cfg80211_chan_def chandef;
12582 	struct sk_buff *msg;
12583 	void *hdr;
12584 	u64 cookie;
12585 	u32 duration;
12586 	int err;
12587 
12588 	if (!info->attrs[NL80211_ATTR_WIPHY_FREQ] ||
12589 	    !info->attrs[NL80211_ATTR_DURATION])
12590 		return -EINVAL;
12591 
12592 	duration = nla_get_u32(info->attrs[NL80211_ATTR_DURATION]);
12593 
12594 	if (!rdev->ops->remain_on_channel ||
12595 	    !(rdev->wiphy.flags & WIPHY_FLAG_HAS_REMAIN_ON_CHANNEL))
12596 		return -EOPNOTSUPP;
12597 
12598 	/*
12599 	 * We should be on that channel for at least a minimum amount of
12600 	 * time (10ms) but no longer than the driver supports.
12601 	 */
12602 	if (duration < NL80211_MIN_REMAIN_ON_CHANNEL_TIME ||
12603 	    duration > rdev->wiphy.max_remain_on_channel_duration)
12604 		return -EINVAL;
12605 
12606 	err = nl80211_parse_chandef(rdev, info, &chandef);
12607 	if (err)
12608 		return err;
12609 
12610 	if (!cfg80211_off_channel_oper_allowed(wdev, chandef.chan)) {
12611 		const struct cfg80211_chan_def *oper_chandef, *compat_chandef;
12612 
12613 		oper_chandef = wdev_chandef(wdev, link_id);
12614 
12615 		if (WARN_ON(!oper_chandef)) {
12616 			/* cannot happen since we must beacon to get here */
12617 			WARN_ON(1);
12618 			return -EBUSY;
12619 		}
12620 
12621 		/* note: returns first one if identical chandefs */
12622 		compat_chandef = cfg80211_chandef_compatible(&chandef,
12623 							     oper_chandef);
12624 
12625 		if (compat_chandef != &chandef)
12626 			return -EBUSY;
12627 	}
12628 
12629 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
12630 	if (!msg)
12631 		return -ENOMEM;
12632 
12633 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
12634 			     NL80211_CMD_REMAIN_ON_CHANNEL);
12635 	if (!hdr) {
12636 		err = -ENOBUFS;
12637 		goto free_msg;
12638 	}
12639 
12640 	err = rdev_remain_on_channel(rdev, wdev, chandef.chan,
12641 				     duration, &cookie);
12642 
12643 	if (err)
12644 		goto free_msg;
12645 
12646 	if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
12647 			      NL80211_ATTR_PAD))
12648 		goto nla_put_failure;
12649 
12650 	genlmsg_end(msg, hdr);
12651 
12652 	return genlmsg_reply(msg, info);
12653 
12654  nla_put_failure:
12655 	err = -ENOBUFS;
12656  free_msg:
12657 	nlmsg_free(msg);
12658 	return err;
12659 }
12660 
12661 static int nl80211_cancel_remain_on_channel(struct sk_buff *skb,
12662 					    struct genl_info *info)
12663 {
12664 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12665 	struct wireless_dev *wdev = info->user_ptr[1];
12666 	u64 cookie;
12667 
12668 	if (!info->attrs[NL80211_ATTR_COOKIE])
12669 		return -EINVAL;
12670 
12671 	if (!rdev->ops->cancel_remain_on_channel)
12672 		return -EOPNOTSUPP;
12673 
12674 	cookie = nla_get_u64(info->attrs[NL80211_ATTR_COOKIE]);
12675 
12676 	return rdev_cancel_remain_on_channel(rdev, wdev, cookie);
12677 }
12678 
12679 static int nl80211_set_tx_bitrate_mask(struct sk_buff *skb,
12680 				       struct genl_info *info)
12681 {
12682 	struct cfg80211_bitrate_mask mask;
12683 	unsigned int link_id = nl80211_link_id(info->attrs);
12684 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12685 	struct net_device *dev = info->user_ptr[1];
12686 	int err;
12687 
12688 	if (!rdev->ops->set_bitrate_mask)
12689 		return -EOPNOTSUPP;
12690 
12691 	err = nl80211_parse_tx_bitrate_mask(info, info->attrs,
12692 					    NL80211_ATTR_TX_RATES, &mask,
12693 					    dev, true, link_id);
12694 	if (err)
12695 		return err;
12696 
12697 	return rdev_set_bitrate_mask(rdev, dev, link_id, NULL, &mask);
12698 }
12699 
12700 static int nl80211_register_mgmt(struct sk_buff *skb, struct genl_info *info)
12701 {
12702 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12703 	struct wireless_dev *wdev = info->user_ptr[1];
12704 	u16 frame_type = IEEE80211_FTYPE_MGMT | IEEE80211_STYPE_ACTION;
12705 
12706 	if (!info->attrs[NL80211_ATTR_FRAME_MATCH])
12707 		return -EINVAL;
12708 
12709 	if (info->attrs[NL80211_ATTR_FRAME_TYPE])
12710 		frame_type = nla_get_u16(info->attrs[NL80211_ATTR_FRAME_TYPE]);
12711 
12712 	switch (wdev->iftype) {
12713 	case NL80211_IFTYPE_STATION:
12714 	case NL80211_IFTYPE_ADHOC:
12715 	case NL80211_IFTYPE_P2P_CLIENT:
12716 	case NL80211_IFTYPE_AP:
12717 	case NL80211_IFTYPE_AP_VLAN:
12718 	case NL80211_IFTYPE_MESH_POINT:
12719 	case NL80211_IFTYPE_P2P_GO:
12720 	case NL80211_IFTYPE_P2P_DEVICE:
12721 		break;
12722 	case NL80211_IFTYPE_NAN:
12723 		if (!wiphy_ext_feature_isset(wdev->wiphy,
12724 					     NL80211_EXT_FEATURE_SECURE_NAN))
12725 			return -EOPNOTSUPP;
12726 		break;
12727 	default:
12728 		return -EOPNOTSUPP;
12729 	}
12730 
12731 	/* not much point in registering if we can't reply */
12732 	if (!rdev->ops->mgmt_tx)
12733 		return -EOPNOTSUPP;
12734 
12735 	if (info->attrs[NL80211_ATTR_RECEIVE_MULTICAST] &&
12736 	    !wiphy_ext_feature_isset(&rdev->wiphy,
12737 				     NL80211_EXT_FEATURE_MULTICAST_REGISTRATIONS)) {
12738 		GENL_SET_ERR_MSG(info,
12739 				 "multicast RX registrations are not supported");
12740 		return -EOPNOTSUPP;
12741 	}
12742 
12743 	return cfg80211_mlme_register_mgmt(wdev, info->snd_portid, frame_type,
12744 					   nla_data(info->attrs[NL80211_ATTR_FRAME_MATCH]),
12745 					   nla_len(info->attrs[NL80211_ATTR_FRAME_MATCH]),
12746 					   info->attrs[NL80211_ATTR_RECEIVE_MULTICAST],
12747 					   info->extack);
12748 }
12749 
12750 static int nl80211_tx_mgmt(struct sk_buff *skb, struct genl_info *info)
12751 {
12752 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12753 	struct wireless_dev *wdev = info->user_ptr[1];
12754 	struct cfg80211_chan_def chandef;
12755 	int err;
12756 	void *hdr = NULL;
12757 	u64 cookie;
12758 	struct sk_buff *msg = NULL;
12759 	struct cfg80211_mgmt_tx_params params = {
12760 		.dont_wait_for_ack =
12761 			info->attrs[NL80211_ATTR_DONT_WAIT_FOR_ACK],
12762 	};
12763 
12764 	if (!info->attrs[NL80211_ATTR_FRAME])
12765 		return -EINVAL;
12766 
12767 	if (!rdev->ops->mgmt_tx)
12768 		return -EOPNOTSUPP;
12769 
12770 	switch (wdev->iftype) {
12771 	case NL80211_IFTYPE_P2P_DEVICE:
12772 		if (!info->attrs[NL80211_ATTR_WIPHY_FREQ])
12773 			return -EINVAL;
12774 		break;
12775 	case NL80211_IFTYPE_STATION:
12776 	case NL80211_IFTYPE_ADHOC:
12777 	case NL80211_IFTYPE_P2P_CLIENT:
12778 	case NL80211_IFTYPE_AP:
12779 	case NL80211_IFTYPE_AP_VLAN:
12780 	case NL80211_IFTYPE_MESH_POINT:
12781 	case NL80211_IFTYPE_P2P_GO:
12782 		break;
12783 	case NL80211_IFTYPE_NAN:
12784 		if (!wiphy_ext_feature_isset(wdev->wiphy,
12785 					     NL80211_EXT_FEATURE_SECURE_NAN))
12786 			return -EOPNOTSUPP;
12787 		break;
12788 	default:
12789 		return -EOPNOTSUPP;
12790 	}
12791 
12792 	if (info->attrs[NL80211_ATTR_DURATION]) {
12793 		if (!(rdev->wiphy.flags & WIPHY_FLAG_OFFCHAN_TX))
12794 			return -EINVAL;
12795 		params.wait = nla_get_u32(info->attrs[NL80211_ATTR_DURATION]);
12796 
12797 		/*
12798 		 * We should wait on the channel for at least a minimum amount
12799 		 * of time (10ms) but no longer than the driver supports.
12800 		 */
12801 		if (params.wait < NL80211_MIN_REMAIN_ON_CHANNEL_TIME ||
12802 		    params.wait > rdev->wiphy.max_remain_on_channel_duration)
12803 			return -EINVAL;
12804 	}
12805 
12806 	params.offchan = info->attrs[NL80211_ATTR_OFFCHANNEL_TX_OK];
12807 
12808 	if (params.offchan && !(rdev->wiphy.flags & WIPHY_FLAG_OFFCHAN_TX))
12809 		return -EINVAL;
12810 
12811 	params.no_cck = nla_get_flag(info->attrs[NL80211_ATTR_TX_NO_CCK_RATE]);
12812 
12813 	/* get the channel if any has been specified, otherwise pass NULL to
12814 	 * the driver. The latter will use the current one
12815 	 */
12816 	chandef.chan = NULL;
12817 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
12818 		err = nl80211_parse_chandef(rdev, info, &chandef);
12819 		if (err)
12820 			return err;
12821 	}
12822 
12823 	if (!chandef.chan && params.offchan)
12824 		return -EINVAL;
12825 
12826 	if (params.offchan &&
12827 	    !cfg80211_off_channel_oper_allowed(wdev, chandef.chan))
12828 		return -EBUSY;
12829 
12830 	params.link_id = nl80211_link_id_or_invalid(info->attrs);
12831 	/*
12832 	 * This now races due to the unlock, but we cannot check
12833 	 * the valid links for the _station_ anyway, so that's up
12834 	 * to the driver.
12835 	 */
12836 	if (params.link_id >= 0 &&
12837 	    !(wdev->valid_links & BIT(params.link_id)))
12838 		return -EINVAL;
12839 
12840 	params.buf = nla_data(info->attrs[NL80211_ATTR_FRAME]);
12841 	params.len = nla_len(info->attrs[NL80211_ATTR_FRAME]);
12842 
12843 	err = nl80211_parse_counter_offsets(rdev, NULL, params.len, -1,
12844 					    info->attrs[NL80211_ATTR_CSA_C_OFFSETS_TX],
12845 					    &params.csa_offsets,
12846 					    &params.n_csa_offsets);
12847 	if (err)
12848 		return err;
12849 
12850 	if (!params.dont_wait_for_ack) {
12851 		msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
12852 		if (!msg)
12853 			return -ENOMEM;
12854 
12855 		hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
12856 				     NL80211_CMD_FRAME);
12857 		if (!hdr) {
12858 			err = -ENOBUFS;
12859 			goto free_msg;
12860 		}
12861 	}
12862 
12863 	params.chan = chandef.chan;
12864 	err = cfg80211_mlme_mgmt_tx(rdev, wdev, &params, &cookie);
12865 	if (err)
12866 		goto free_msg;
12867 
12868 	if (msg) {
12869 		if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
12870 				      NL80211_ATTR_PAD))
12871 			goto nla_put_failure;
12872 
12873 		genlmsg_end(msg, hdr);
12874 		return genlmsg_reply(msg, info);
12875 	}
12876 
12877 	return 0;
12878 
12879  nla_put_failure:
12880 	err = -ENOBUFS;
12881  free_msg:
12882 	nlmsg_free(msg);
12883 	return err;
12884 }
12885 
12886 static int nl80211_tx_mgmt_cancel_wait(struct sk_buff *skb, struct genl_info *info)
12887 {
12888 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12889 	struct wireless_dev *wdev = info->user_ptr[1];
12890 	u64 cookie;
12891 
12892 	if (!info->attrs[NL80211_ATTR_COOKIE])
12893 		return -EINVAL;
12894 
12895 	if (!rdev->ops->mgmt_tx_cancel_wait)
12896 		return -EOPNOTSUPP;
12897 
12898 	switch (wdev->iftype) {
12899 	case NL80211_IFTYPE_STATION:
12900 	case NL80211_IFTYPE_ADHOC:
12901 	case NL80211_IFTYPE_P2P_CLIENT:
12902 	case NL80211_IFTYPE_AP:
12903 	case NL80211_IFTYPE_AP_VLAN:
12904 	case NL80211_IFTYPE_P2P_GO:
12905 	case NL80211_IFTYPE_P2P_DEVICE:
12906 		break;
12907 	case NL80211_IFTYPE_NAN:
12908 		if (!wiphy_ext_feature_isset(wdev->wiphy,
12909 					     NL80211_EXT_FEATURE_SECURE_NAN))
12910 			return -EOPNOTSUPP;
12911 		break;
12912 	default:
12913 		return -EOPNOTSUPP;
12914 	}
12915 
12916 	cookie = nla_get_u64(info->attrs[NL80211_ATTR_COOKIE]);
12917 
12918 	return rdev_mgmt_tx_cancel_wait(rdev, wdev, cookie);
12919 }
12920 
12921 static int nl80211_set_power_save(struct sk_buff *skb, struct genl_info *info)
12922 {
12923 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12924 	struct wireless_dev *wdev;
12925 	struct net_device *dev = info->user_ptr[1];
12926 	u8 ps_state;
12927 	bool state;
12928 	int err;
12929 
12930 	if (!info->attrs[NL80211_ATTR_PS_STATE])
12931 		return -EINVAL;
12932 
12933 	ps_state = nla_get_u32(info->attrs[NL80211_ATTR_PS_STATE]);
12934 
12935 	wdev = dev->ieee80211_ptr;
12936 
12937 	if (!rdev->ops->set_power_mgmt)
12938 		return -EOPNOTSUPP;
12939 
12940 	state = (ps_state == NL80211_PS_ENABLED) ? true : false;
12941 
12942 	if (state == wdev->ps)
12943 		return 0;
12944 
12945 	err = rdev_set_power_mgmt(rdev, dev, state, wdev->ps_timeout);
12946 	if (!err)
12947 		wdev->ps = state;
12948 	return err;
12949 }
12950 
12951 static int nl80211_get_power_save(struct sk_buff *skb, struct genl_info *info)
12952 {
12953 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12954 	enum nl80211_ps_state ps_state;
12955 	struct wireless_dev *wdev;
12956 	struct net_device *dev = info->user_ptr[1];
12957 	struct sk_buff *msg;
12958 	void *hdr;
12959 	int err;
12960 
12961 	wdev = dev->ieee80211_ptr;
12962 
12963 	if (!rdev->ops->set_power_mgmt)
12964 		return -EOPNOTSUPP;
12965 
12966 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
12967 	if (!msg)
12968 		return -ENOMEM;
12969 
12970 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
12971 			     NL80211_CMD_GET_POWER_SAVE);
12972 	if (!hdr) {
12973 		err = -ENOBUFS;
12974 		goto free_msg;
12975 	}
12976 
12977 	if (wdev->ps)
12978 		ps_state = NL80211_PS_ENABLED;
12979 	else
12980 		ps_state = NL80211_PS_DISABLED;
12981 
12982 	if (nla_put_u32(msg, NL80211_ATTR_PS_STATE, ps_state))
12983 		goto nla_put_failure;
12984 
12985 	genlmsg_end(msg, hdr);
12986 	return genlmsg_reply(msg, info);
12987 
12988  nla_put_failure:
12989 	err = -ENOBUFS;
12990  free_msg:
12991 	nlmsg_free(msg);
12992 	return err;
12993 }
12994 
12995 static const struct nla_policy
12996 nl80211_attr_cqm_policy[NL80211_ATTR_CQM_MAX + 1] = {
12997 	[NL80211_ATTR_CQM_RSSI_THOLD] = { .type = NLA_BINARY },
12998 	[NL80211_ATTR_CQM_RSSI_HYST] = { .type = NLA_U32 },
12999 	[NL80211_ATTR_CQM_RSSI_THRESHOLD_EVENT] = { .type = NLA_U32 },
13000 	[NL80211_ATTR_CQM_TXE_RATE] = { .type = NLA_U32 },
13001 	[NL80211_ATTR_CQM_TXE_PKTS] = { .type = NLA_U32 },
13002 	[NL80211_ATTR_CQM_TXE_INTVL] = { .type = NLA_U32 },
13003 	[NL80211_ATTR_CQM_RSSI_LEVEL] = { .type = NLA_S32 },
13004 };
13005 
13006 static int nl80211_set_cqm_txe(struct genl_info *info,
13007 			       u32 rate, u32 pkts, u32 intvl)
13008 {
13009 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13010 	struct net_device *dev = info->user_ptr[1];
13011 	struct wireless_dev *wdev = dev->ieee80211_ptr;
13012 
13013 	if (rate > 100 || intvl > NL80211_CQM_TXE_MAX_INTVL)
13014 		return -EINVAL;
13015 
13016 	if (!rdev->ops->set_cqm_txe_config)
13017 		return -EOPNOTSUPP;
13018 
13019 	if (wdev->iftype != NL80211_IFTYPE_STATION &&
13020 	    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT)
13021 		return -EOPNOTSUPP;
13022 
13023 	return rdev_set_cqm_txe_config(rdev, dev, rate, pkts, intvl);
13024 }
13025 
13026 static int cfg80211_cqm_rssi_update(struct cfg80211_registered_device *rdev,
13027 				    struct net_device *dev,
13028 				    struct cfg80211_cqm_config *cqm_config)
13029 {
13030 	struct wireless_dev *wdev = dev->ieee80211_ptr;
13031 	s32 last, low, high;
13032 	u32 hyst;
13033 	int i, n, low_index;
13034 	int err;
13035 
13036 	/*
13037 	 * Obtain current RSSI value if possible, if not and no RSSI threshold
13038 	 * event has been received yet, we should receive an event after a
13039 	 * connection is established and enough beacons received to calculate
13040 	 * the average.
13041 	 */
13042 	if (!cqm_config->last_rssi_event_value &&
13043 	    wdev->links[0].client.current_bss &&
13044 	    rdev->ops->get_station) {
13045 		struct station_info sinfo = {};
13046 		u8 *mac_addr;
13047 
13048 		mac_addr = wdev->links[0].client.current_bss->pub.bssid;
13049 
13050 		err = rdev_get_station(rdev, dev, mac_addr, &sinfo);
13051 		if (err)
13052 			return err;
13053 
13054 		cfg80211_sinfo_release_content(&sinfo);
13055 		if (sinfo.filled & BIT_ULL(NL80211_STA_INFO_BEACON_SIGNAL_AVG))
13056 			cqm_config->last_rssi_event_value =
13057 				(s8) sinfo.rx_beacon_signal_avg;
13058 	}
13059 
13060 	last = cqm_config->last_rssi_event_value;
13061 	hyst = cqm_config->rssi_hyst;
13062 	n = cqm_config->n_rssi_thresholds;
13063 
13064 	for (i = 0; i < n; i++) {
13065 		i = array_index_nospec(i, n);
13066 		if (last < cqm_config->rssi_thresholds[i])
13067 			break;
13068 	}
13069 
13070 	low_index = i - 1;
13071 	if (low_index >= 0) {
13072 		low_index = array_index_nospec(low_index, n);
13073 		low = cqm_config->rssi_thresholds[low_index] - hyst;
13074 	} else {
13075 		low = S32_MIN;
13076 	}
13077 	if (i < n) {
13078 		i = array_index_nospec(i, n);
13079 		high = cqm_config->rssi_thresholds[i] + hyst - 1;
13080 	} else {
13081 		high = S32_MAX;
13082 	}
13083 
13084 	return rdev_set_cqm_rssi_range_config(rdev, dev, low, high);
13085 }
13086 
13087 static int nl80211_set_cqm_rssi(struct genl_info *info,
13088 				const s32 *thresholds, int n_thresholds,
13089 				u32 hysteresis)
13090 {
13091 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13092 	struct cfg80211_cqm_config *cqm_config = NULL, *old;
13093 	struct net_device *dev = info->user_ptr[1];
13094 	struct wireless_dev *wdev = dev->ieee80211_ptr;
13095 	s32 prev = S32_MIN;
13096 	int i, err;
13097 
13098 	/* Check all values negative and sorted */
13099 	for (i = 0; i < n_thresholds; i++) {
13100 		if (thresholds[i] > 0 || thresholds[i] <= prev)
13101 			return -EINVAL;
13102 
13103 		prev = thresholds[i];
13104 	}
13105 
13106 	if (wdev->iftype != NL80211_IFTYPE_STATION &&
13107 	    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT)
13108 		return -EOPNOTSUPP;
13109 
13110 	if (n_thresholds == 1 && thresholds[0] == 0) /* Disabling */
13111 		n_thresholds = 0;
13112 
13113 	old = wiphy_dereference(wdev->wiphy, wdev->cqm_config);
13114 
13115 	/* if already disabled just succeed */
13116 	if (!n_thresholds && !old)
13117 		return 0;
13118 
13119 	if (n_thresholds > 1) {
13120 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
13121 					     NL80211_EXT_FEATURE_CQM_RSSI_LIST) ||
13122 		    !rdev->ops->set_cqm_rssi_range_config)
13123 			return -EOPNOTSUPP;
13124 	} else {
13125 		if (!rdev->ops->set_cqm_rssi_config)
13126 			return -EOPNOTSUPP;
13127 	}
13128 
13129 	if (n_thresholds) {
13130 		cqm_config = kzalloc(struct_size(cqm_config, rssi_thresholds,
13131 						 n_thresholds),
13132 				     GFP_KERNEL);
13133 		if (!cqm_config)
13134 			return -ENOMEM;
13135 
13136 		cqm_config->rssi_hyst = hysteresis;
13137 		cqm_config->n_rssi_thresholds = n_thresholds;
13138 		memcpy(cqm_config->rssi_thresholds, thresholds,
13139 		       flex_array_size(cqm_config, rssi_thresholds,
13140 				       n_thresholds));
13141 		cqm_config->use_range_api = n_thresholds > 1 ||
13142 					    !rdev->ops->set_cqm_rssi_config;
13143 
13144 		rcu_assign_pointer(wdev->cqm_config, cqm_config);
13145 
13146 		if (cqm_config->use_range_api)
13147 			err = cfg80211_cqm_rssi_update(rdev, dev, cqm_config);
13148 		else
13149 			err = rdev_set_cqm_rssi_config(rdev, dev,
13150 						       thresholds[0],
13151 						       hysteresis);
13152 	} else {
13153 		RCU_INIT_POINTER(wdev->cqm_config, NULL);
13154 		/* if enabled as range also disable via range */
13155 		if (old->use_range_api)
13156 			err = rdev_set_cqm_rssi_range_config(rdev, dev, 0, 0);
13157 		else
13158 			err = rdev_set_cqm_rssi_config(rdev, dev, 0, 0);
13159 	}
13160 
13161 	if (err) {
13162 		rcu_assign_pointer(wdev->cqm_config, old);
13163 		kfree_rcu(cqm_config, rcu_head);
13164 	} else {
13165 		kfree_rcu(old, rcu_head);
13166 	}
13167 
13168 	return err;
13169 }
13170 
13171 static int nl80211_set_cqm(struct sk_buff *skb, struct genl_info *info)
13172 {
13173 	struct nlattr *attrs[NL80211_ATTR_CQM_MAX + 1];
13174 	struct nlattr *cqm;
13175 	int err;
13176 
13177 	cqm = info->attrs[NL80211_ATTR_CQM];
13178 	if (!cqm)
13179 		return -EINVAL;
13180 
13181 	err = nla_parse_nested_deprecated(attrs, NL80211_ATTR_CQM_MAX, cqm,
13182 					  nl80211_attr_cqm_policy,
13183 					  info->extack);
13184 	if (err)
13185 		return err;
13186 
13187 	if (attrs[NL80211_ATTR_CQM_RSSI_THOLD] &&
13188 	    attrs[NL80211_ATTR_CQM_RSSI_HYST]) {
13189 		const s32 *thresholds =
13190 			nla_data(attrs[NL80211_ATTR_CQM_RSSI_THOLD]);
13191 		int len = nla_len(attrs[NL80211_ATTR_CQM_RSSI_THOLD]);
13192 		u32 hysteresis = nla_get_u32(attrs[NL80211_ATTR_CQM_RSSI_HYST]);
13193 
13194 		if (len % 4)
13195 			return -EINVAL;
13196 
13197 		return nl80211_set_cqm_rssi(info, thresholds, len / 4,
13198 					    hysteresis);
13199 	}
13200 
13201 	if (attrs[NL80211_ATTR_CQM_TXE_RATE] &&
13202 	    attrs[NL80211_ATTR_CQM_TXE_PKTS] &&
13203 	    attrs[NL80211_ATTR_CQM_TXE_INTVL]) {
13204 		u32 rate = nla_get_u32(attrs[NL80211_ATTR_CQM_TXE_RATE]);
13205 		u32 pkts = nla_get_u32(attrs[NL80211_ATTR_CQM_TXE_PKTS]);
13206 		u32 intvl = nla_get_u32(attrs[NL80211_ATTR_CQM_TXE_INTVL]);
13207 
13208 		return nl80211_set_cqm_txe(info, rate, pkts, intvl);
13209 	}
13210 
13211 	return -EINVAL;
13212 }
13213 
13214 static int nl80211_join_ocb(struct sk_buff *skb, struct genl_info *info)
13215 {
13216 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13217 	struct net_device *dev = info->user_ptr[1];
13218 	struct ocb_setup setup = {};
13219 	int err;
13220 
13221 	err = nl80211_parse_chandef(rdev, info, &setup.chandef);
13222 	if (err)
13223 		return err;
13224 
13225 	return cfg80211_join_ocb(rdev, dev, &setup);
13226 }
13227 
13228 static int nl80211_leave_ocb(struct sk_buff *skb, struct genl_info *info)
13229 {
13230 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13231 	struct net_device *dev = info->user_ptr[1];
13232 
13233 	return cfg80211_leave_ocb(rdev, dev);
13234 }
13235 
13236 static int nl80211_join_mesh(struct sk_buff *skb, struct genl_info *info)
13237 {
13238 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13239 	struct net_device *dev = info->user_ptr[1];
13240 	struct mesh_config cfg;
13241 	struct mesh_setup setup;
13242 	int err;
13243 
13244 	/* start with default */
13245 	memcpy(&cfg, &default_mesh_config, sizeof(cfg));
13246 	memcpy(&setup, &default_mesh_setup, sizeof(setup));
13247 
13248 	if (info->attrs[NL80211_ATTR_MESH_CONFIG]) {
13249 		/* and parse parameters if given */
13250 		err = nl80211_parse_mesh_config(info, &cfg, NULL);
13251 		if (err)
13252 			return err;
13253 	}
13254 
13255 	if (!info->attrs[NL80211_ATTR_MESH_ID] ||
13256 	    !nla_len(info->attrs[NL80211_ATTR_MESH_ID]))
13257 		return -EINVAL;
13258 
13259 	setup.mesh_id = nla_data(info->attrs[NL80211_ATTR_MESH_ID]);
13260 	setup.mesh_id_len = nla_len(info->attrs[NL80211_ATTR_MESH_ID]);
13261 
13262 	if (info->attrs[NL80211_ATTR_MCAST_RATE] &&
13263 	    !nl80211_parse_mcast_rate(rdev, setup.mcast_rate,
13264 			    nla_get_u32(info->attrs[NL80211_ATTR_MCAST_RATE])))
13265 			return -EINVAL;
13266 
13267 	if (info->attrs[NL80211_ATTR_BEACON_INTERVAL]) {
13268 		setup.beacon_interval =
13269 			nla_get_u32(info->attrs[NL80211_ATTR_BEACON_INTERVAL]);
13270 
13271 		err = cfg80211_validate_beacon_int(rdev,
13272 						   NL80211_IFTYPE_MESH_POINT,
13273 						   setup.beacon_interval);
13274 		if (err)
13275 			return err;
13276 	}
13277 
13278 	if (info->attrs[NL80211_ATTR_DTIM_PERIOD]) {
13279 		setup.dtim_period =
13280 			nla_get_u32(info->attrs[NL80211_ATTR_DTIM_PERIOD]);
13281 		if (setup.dtim_period < 1 || setup.dtim_period > 100)
13282 			return -EINVAL;
13283 	}
13284 
13285 	if (info->attrs[NL80211_ATTR_MESH_SETUP]) {
13286 		/* parse additional setup parameters if given */
13287 		err = nl80211_parse_mesh_setup(info, &setup);
13288 		if (err)
13289 			return err;
13290 	}
13291 
13292 	if (setup.user_mpm)
13293 		cfg.auto_open_plinks = false;
13294 
13295 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
13296 		err = nl80211_parse_chandef(rdev, info, &setup.chandef);
13297 		if (err)
13298 			return err;
13299 	} else {
13300 		/* __cfg80211_join_mesh() will sort it out */
13301 		setup.chandef.chan = NULL;
13302 	}
13303 
13304 	if (info->attrs[NL80211_ATTR_BSS_BASIC_RATES]) {
13305 		u8 *rates = nla_data(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
13306 		int n_rates =
13307 			nla_len(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
13308 		struct ieee80211_supported_band *sband;
13309 
13310 		if (!setup.chandef.chan)
13311 			return -EINVAL;
13312 
13313 		sband = rdev->wiphy.bands[setup.chandef.chan->band];
13314 
13315 		err = ieee80211_get_ratemask(sband, rates, n_rates,
13316 					     &setup.basic_rates);
13317 		if (err)
13318 			return err;
13319 	}
13320 
13321 	if (info->attrs[NL80211_ATTR_TX_RATES]) {
13322 		err = nl80211_parse_tx_bitrate_mask(info, info->attrs,
13323 						    NL80211_ATTR_TX_RATES,
13324 						    &setup.beacon_rate,
13325 						    dev, false, 0);
13326 		if (err)
13327 			return err;
13328 
13329 		if (!setup.chandef.chan)
13330 			return -EINVAL;
13331 
13332 		err = validate_beacon_tx_rate(rdev, setup.chandef.chan->band,
13333 					      &setup.beacon_rate);
13334 		if (err)
13335 			return err;
13336 	}
13337 
13338 	setup.userspace_handles_dfs =
13339 		nla_get_flag(info->attrs[NL80211_ATTR_HANDLE_DFS]);
13340 
13341 	if (info->attrs[NL80211_ATTR_CONTROL_PORT_OVER_NL80211]) {
13342 		int r = validate_pae_over_nl80211(rdev, info);
13343 
13344 		if (r < 0)
13345 			return r;
13346 
13347 		setup.control_port_over_nl80211 = true;
13348 	}
13349 
13350 	err = __cfg80211_join_mesh(rdev, dev, &setup, &cfg);
13351 	if (!err && info->attrs[NL80211_ATTR_SOCKET_OWNER])
13352 		dev->ieee80211_ptr->conn_owner_nlportid = info->snd_portid;
13353 
13354 	return err;
13355 }
13356 
13357 static int nl80211_leave_mesh(struct sk_buff *skb, struct genl_info *info)
13358 {
13359 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13360 	struct net_device *dev = info->user_ptr[1];
13361 
13362 	return cfg80211_leave_mesh(rdev, dev);
13363 }
13364 
13365 #ifdef CONFIG_PM
13366 static int nl80211_send_wowlan_patterns(struct sk_buff *msg,
13367 					struct cfg80211_registered_device *rdev)
13368 {
13369 	struct cfg80211_wowlan *wowlan = rdev->wiphy.wowlan_config;
13370 	struct nlattr *nl_pats, *nl_pat;
13371 	int i, pat_len;
13372 
13373 	if (!wowlan->n_patterns)
13374 		return 0;
13375 
13376 	nl_pats = nla_nest_start_noflag(msg, NL80211_WOWLAN_TRIG_PKT_PATTERN);
13377 	if (!nl_pats)
13378 		return -ENOBUFS;
13379 
13380 	for (i = 0; i < wowlan->n_patterns; i++) {
13381 		nl_pat = nla_nest_start_noflag(msg, i + 1);
13382 		if (!nl_pat)
13383 			return -ENOBUFS;
13384 		pat_len = wowlan->patterns[i].pattern_len;
13385 		if (nla_put(msg, NL80211_PKTPAT_MASK, DIV_ROUND_UP(pat_len, 8),
13386 			    wowlan->patterns[i].mask) ||
13387 		    nla_put(msg, NL80211_PKTPAT_PATTERN, pat_len,
13388 			    wowlan->patterns[i].pattern) ||
13389 		    nla_put_u32(msg, NL80211_PKTPAT_OFFSET,
13390 				wowlan->patterns[i].pkt_offset))
13391 			return -ENOBUFS;
13392 		nla_nest_end(msg, nl_pat);
13393 	}
13394 	nla_nest_end(msg, nl_pats);
13395 
13396 	return 0;
13397 }
13398 
13399 static int nl80211_send_wowlan_tcp(struct sk_buff *msg,
13400 				   struct cfg80211_wowlan_tcp *tcp)
13401 {
13402 	struct nlattr *nl_tcp;
13403 
13404 	if (!tcp)
13405 		return 0;
13406 
13407 	nl_tcp = nla_nest_start_noflag(msg,
13408 				       NL80211_WOWLAN_TRIG_TCP_CONNECTION);
13409 	if (!nl_tcp)
13410 		return -ENOBUFS;
13411 
13412 	if (nla_put_in_addr(msg, NL80211_WOWLAN_TCP_SRC_IPV4, tcp->src) ||
13413 	    nla_put_in_addr(msg, NL80211_WOWLAN_TCP_DST_IPV4, tcp->dst) ||
13414 	    nla_put(msg, NL80211_WOWLAN_TCP_DST_MAC, ETH_ALEN, tcp->dst_mac) ||
13415 	    nla_put_u16(msg, NL80211_WOWLAN_TCP_SRC_PORT, tcp->src_port) ||
13416 	    nla_put_u16(msg, NL80211_WOWLAN_TCP_DST_PORT, tcp->dst_port) ||
13417 	    nla_put(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD,
13418 		    tcp->payload_len, tcp->payload) ||
13419 	    nla_put_u32(msg, NL80211_WOWLAN_TCP_DATA_INTERVAL,
13420 			tcp->data_interval) ||
13421 	    nla_put(msg, NL80211_WOWLAN_TCP_WAKE_PAYLOAD,
13422 		    tcp->wake_len, tcp->wake_data) ||
13423 	    nla_put(msg, NL80211_WOWLAN_TCP_WAKE_MASK,
13424 		    DIV_ROUND_UP(tcp->wake_len, 8), tcp->wake_mask))
13425 		return -ENOBUFS;
13426 
13427 	if (tcp->payload_seq.len &&
13428 	    nla_put(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ,
13429 		    sizeof(tcp->payload_seq), &tcp->payload_seq))
13430 		return -ENOBUFS;
13431 
13432 	if (tcp->payload_tok.len &&
13433 	    nla_put(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN,
13434 		    sizeof(tcp->payload_tok) + tcp->tokens_size,
13435 		    &tcp->payload_tok))
13436 		return -ENOBUFS;
13437 
13438 	nla_nest_end(msg, nl_tcp);
13439 
13440 	return 0;
13441 }
13442 
13443 static int nl80211_send_wowlan_nd(struct sk_buff *msg,
13444 				  struct cfg80211_sched_scan_request *req)
13445 {
13446 	struct nlattr *nd, *freqs, *matches, *match, *scan_plans, *scan_plan;
13447 	int i;
13448 
13449 	if (!req)
13450 		return 0;
13451 
13452 	nd = nla_nest_start_noflag(msg, NL80211_WOWLAN_TRIG_NET_DETECT);
13453 	if (!nd)
13454 		return -ENOBUFS;
13455 
13456 	if (req->n_scan_plans == 1 &&
13457 	    nla_put_u32(msg, NL80211_ATTR_SCHED_SCAN_INTERVAL,
13458 			req->scan_plans[0].interval * 1000))
13459 		return -ENOBUFS;
13460 
13461 	if (nla_put_u32(msg, NL80211_ATTR_SCHED_SCAN_DELAY, req->delay))
13462 		return -ENOBUFS;
13463 
13464 	if (req->relative_rssi_set) {
13465 		struct nl80211_bss_select_rssi_adjust rssi_adjust;
13466 
13467 		if (nla_put_s8(msg, NL80211_ATTR_SCHED_SCAN_RELATIVE_RSSI,
13468 			       req->relative_rssi))
13469 			return -ENOBUFS;
13470 
13471 		rssi_adjust.band = req->rssi_adjust.band;
13472 		rssi_adjust.delta = req->rssi_adjust.delta;
13473 		if (nla_put(msg, NL80211_ATTR_SCHED_SCAN_RSSI_ADJUST,
13474 			    sizeof(rssi_adjust), &rssi_adjust))
13475 			return -ENOBUFS;
13476 	}
13477 
13478 	freqs = nla_nest_start_noflag(msg, NL80211_ATTR_SCAN_FREQUENCIES);
13479 	if (!freqs)
13480 		return -ENOBUFS;
13481 
13482 	for (i = 0; i < req->n_channels; i++) {
13483 		if (nla_put_u32(msg, i, req->channels[i]->center_freq))
13484 			return -ENOBUFS;
13485 	}
13486 
13487 	nla_nest_end(msg, freqs);
13488 
13489 	if (req->n_match_sets) {
13490 		matches = nla_nest_start_noflag(msg,
13491 						NL80211_ATTR_SCHED_SCAN_MATCH);
13492 		if (!matches)
13493 			return -ENOBUFS;
13494 
13495 		for (i = 0; i < req->n_match_sets; i++) {
13496 			match = nla_nest_start_noflag(msg, i);
13497 			if (!match)
13498 				return -ENOBUFS;
13499 
13500 			if (nla_put(msg, NL80211_SCHED_SCAN_MATCH_ATTR_SSID,
13501 				    req->match_sets[i].ssid.ssid_len,
13502 				    req->match_sets[i].ssid.ssid))
13503 				return -ENOBUFS;
13504 			nla_nest_end(msg, match);
13505 		}
13506 		nla_nest_end(msg, matches);
13507 	}
13508 
13509 	scan_plans = nla_nest_start_noflag(msg, NL80211_ATTR_SCHED_SCAN_PLANS);
13510 	if (!scan_plans)
13511 		return -ENOBUFS;
13512 
13513 	for (i = 0; i < req->n_scan_plans; i++) {
13514 		scan_plan = nla_nest_start_noflag(msg, i + 1);
13515 		if (!scan_plan)
13516 			return -ENOBUFS;
13517 
13518 		if (nla_put_u32(msg, NL80211_SCHED_SCAN_PLAN_INTERVAL,
13519 				req->scan_plans[i].interval) ||
13520 		    (req->scan_plans[i].iterations &&
13521 		     nla_put_u32(msg, NL80211_SCHED_SCAN_PLAN_ITERATIONS,
13522 				 req->scan_plans[i].iterations)))
13523 			return -ENOBUFS;
13524 		nla_nest_end(msg, scan_plan);
13525 	}
13526 	nla_nest_end(msg, scan_plans);
13527 
13528 	nla_nest_end(msg, nd);
13529 
13530 	return 0;
13531 }
13532 
13533 static int nl80211_get_wowlan(struct sk_buff *skb, struct genl_info *info)
13534 {
13535 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13536 	struct sk_buff *msg;
13537 	void *hdr;
13538 	u32 size = NLMSG_DEFAULT_SIZE;
13539 
13540 	if (!rdev->wiphy.wowlan)
13541 		return -EOPNOTSUPP;
13542 
13543 	if (rdev->wiphy.wowlan_config && rdev->wiphy.wowlan_config->tcp) {
13544 		/* adjust size to have room for all the data */
13545 		size += rdev->wiphy.wowlan_config->tcp->tokens_size +
13546 			rdev->wiphy.wowlan_config->tcp->payload_len +
13547 			rdev->wiphy.wowlan_config->tcp->wake_len +
13548 			rdev->wiphy.wowlan_config->tcp->wake_len / 8;
13549 	}
13550 
13551 	msg = nlmsg_new(size, GFP_KERNEL);
13552 	if (!msg)
13553 		return -ENOMEM;
13554 
13555 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
13556 			     NL80211_CMD_GET_WOWLAN);
13557 	if (!hdr)
13558 		goto nla_put_failure;
13559 
13560 	if (rdev->wiphy.wowlan_config) {
13561 		struct nlattr *nl_wowlan;
13562 
13563 		nl_wowlan = nla_nest_start_noflag(msg,
13564 						  NL80211_ATTR_WOWLAN_TRIGGERS);
13565 		if (!nl_wowlan)
13566 			goto nla_put_failure;
13567 
13568 		if ((rdev->wiphy.wowlan_config->any &&
13569 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_ANY)) ||
13570 		    (rdev->wiphy.wowlan_config->disconnect &&
13571 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_DISCONNECT)) ||
13572 		    (rdev->wiphy.wowlan_config->magic_pkt &&
13573 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_MAGIC_PKT)) ||
13574 		    (rdev->wiphy.wowlan_config->gtk_rekey_failure &&
13575 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE)) ||
13576 		    (rdev->wiphy.wowlan_config->eap_identity_req &&
13577 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST)) ||
13578 		    (rdev->wiphy.wowlan_config->four_way_handshake &&
13579 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE)) ||
13580 		    (rdev->wiphy.wowlan_config->rfkill_release &&
13581 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_RFKILL_RELEASE)))
13582 			goto nla_put_failure;
13583 
13584 		if (nl80211_send_wowlan_patterns(msg, rdev))
13585 			goto nla_put_failure;
13586 
13587 		if (nl80211_send_wowlan_tcp(msg,
13588 					    rdev->wiphy.wowlan_config->tcp))
13589 			goto nla_put_failure;
13590 
13591 		if (nl80211_send_wowlan_nd(
13592 			    msg,
13593 			    rdev->wiphy.wowlan_config->nd_config))
13594 			goto nla_put_failure;
13595 
13596 		nla_nest_end(msg, nl_wowlan);
13597 	}
13598 
13599 	genlmsg_end(msg, hdr);
13600 	return genlmsg_reply(msg, info);
13601 
13602 nla_put_failure:
13603 	nlmsg_free(msg);
13604 	return -ENOBUFS;
13605 }
13606 
13607 static int nl80211_parse_wowlan_tcp(struct cfg80211_registered_device *rdev,
13608 				    struct nlattr *attr,
13609 				    struct cfg80211_wowlan *trig)
13610 {
13611 	struct nlattr *tb[NUM_NL80211_WOWLAN_TCP];
13612 	struct cfg80211_wowlan_tcp *cfg;
13613 	struct nl80211_wowlan_tcp_data_token *tok = NULL;
13614 	struct nl80211_wowlan_tcp_data_seq *seq = NULL;
13615 	u32 size;
13616 	u32 data_size, wake_size, tokens_size = 0, wake_mask_size;
13617 	int err, port;
13618 
13619 	if (!rdev->wiphy.wowlan->tcp)
13620 		return -EINVAL;
13621 
13622 	err = nla_parse_nested_deprecated(tb, MAX_NL80211_WOWLAN_TCP, attr,
13623 					  nl80211_wowlan_tcp_policy, NULL);
13624 	if (err)
13625 		return err;
13626 
13627 	if (!tb[NL80211_WOWLAN_TCP_SRC_IPV4] ||
13628 	    !tb[NL80211_WOWLAN_TCP_DST_IPV4] ||
13629 	    !tb[NL80211_WOWLAN_TCP_DST_MAC] ||
13630 	    !tb[NL80211_WOWLAN_TCP_DST_PORT] ||
13631 	    !tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD] ||
13632 	    !tb[NL80211_WOWLAN_TCP_DATA_INTERVAL] ||
13633 	    !tb[NL80211_WOWLAN_TCP_WAKE_PAYLOAD] ||
13634 	    !tb[NL80211_WOWLAN_TCP_WAKE_MASK])
13635 		return -EINVAL;
13636 
13637 	data_size = nla_len(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD]);
13638 	if (data_size > rdev->wiphy.wowlan->tcp->data_payload_max)
13639 		return -EINVAL;
13640 
13641 	if (nla_get_u32(tb[NL80211_WOWLAN_TCP_DATA_INTERVAL]) >
13642 			rdev->wiphy.wowlan->tcp->data_interval_max ||
13643 	    nla_get_u32(tb[NL80211_WOWLAN_TCP_DATA_INTERVAL]) == 0)
13644 		return -EINVAL;
13645 
13646 	wake_size = nla_len(tb[NL80211_WOWLAN_TCP_WAKE_PAYLOAD]);
13647 	if (wake_size > rdev->wiphy.wowlan->tcp->wake_payload_max)
13648 		return -EINVAL;
13649 
13650 	wake_mask_size = nla_len(tb[NL80211_WOWLAN_TCP_WAKE_MASK]);
13651 	if (wake_mask_size != DIV_ROUND_UP(wake_size, 8))
13652 		return -EINVAL;
13653 
13654 	if (tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN]) {
13655 		u32 tokln = nla_len(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN]);
13656 
13657 		tok = nla_data(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN]);
13658 		tokens_size = tokln - sizeof(*tok);
13659 
13660 		if (!tok->len || tokens_size % tok->len)
13661 			return -EINVAL;
13662 		if (!rdev->wiphy.wowlan->tcp->tok)
13663 			return -EINVAL;
13664 		if (tok->len > rdev->wiphy.wowlan->tcp->tok->max_len)
13665 			return -EINVAL;
13666 		if (tok->len < rdev->wiphy.wowlan->tcp->tok->min_len)
13667 			return -EINVAL;
13668 		if (tokens_size > rdev->wiphy.wowlan->tcp->tok->bufsize)
13669 			return -EINVAL;
13670 		if (tok->offset + tok->len > data_size)
13671 			return -EINVAL;
13672 	}
13673 
13674 	if (tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ]) {
13675 		seq = nla_data(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ]);
13676 		if (!rdev->wiphy.wowlan->tcp->seq)
13677 			return -EINVAL;
13678 		if (seq->len == 0 || seq->len > 4)
13679 			return -EINVAL;
13680 		if (seq->len + seq->offset > data_size)
13681 			return -EINVAL;
13682 	}
13683 
13684 	size = sizeof(*cfg);
13685 	size += data_size;
13686 	size += wake_size + wake_mask_size;
13687 	size += tokens_size;
13688 
13689 	cfg = kzalloc(size, GFP_KERNEL);
13690 	if (!cfg)
13691 		return -ENOMEM;
13692 	cfg->src = nla_get_in_addr(tb[NL80211_WOWLAN_TCP_SRC_IPV4]);
13693 	cfg->dst = nla_get_in_addr(tb[NL80211_WOWLAN_TCP_DST_IPV4]);
13694 	memcpy(cfg->dst_mac, nla_data(tb[NL80211_WOWLAN_TCP_DST_MAC]),
13695 	       ETH_ALEN);
13696 	port = nla_get_u16_default(tb[NL80211_WOWLAN_TCP_SRC_PORT], 0);
13697 #ifdef CONFIG_INET
13698 	/* allocate a socket and port for it and use it */
13699 	err = __sock_create(wiphy_net(&rdev->wiphy), PF_INET, SOCK_STREAM,
13700 			    IPPROTO_TCP, &cfg->sock, 1);
13701 	if (err) {
13702 		kfree(cfg);
13703 		return err;
13704 	}
13705 	if (inet_csk_get_port(cfg->sock->sk, port)) {
13706 		sock_release(cfg->sock);
13707 		kfree(cfg);
13708 		return -EADDRINUSE;
13709 	}
13710 	cfg->src_port = inet_sk(cfg->sock->sk)->inet_num;
13711 #else
13712 	if (!port) {
13713 		kfree(cfg);
13714 		return -EINVAL;
13715 	}
13716 	cfg->src_port = port;
13717 #endif
13718 
13719 	cfg->dst_port = nla_get_u16(tb[NL80211_WOWLAN_TCP_DST_PORT]);
13720 	cfg->payload_len = data_size;
13721 	cfg->payload = (u8 *)cfg + sizeof(*cfg) + tokens_size;
13722 	memcpy((void *)cfg->payload,
13723 	       nla_data(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD]),
13724 	       data_size);
13725 	if (seq)
13726 		cfg->payload_seq = *seq;
13727 	cfg->data_interval = nla_get_u32(tb[NL80211_WOWLAN_TCP_DATA_INTERVAL]);
13728 	cfg->wake_len = wake_size;
13729 	cfg->wake_data = (u8 *)cfg + sizeof(*cfg) + tokens_size + data_size;
13730 	memcpy((void *)cfg->wake_data,
13731 	       nla_data(tb[NL80211_WOWLAN_TCP_WAKE_PAYLOAD]),
13732 	       wake_size);
13733 	cfg->wake_mask = (u8 *)cfg + sizeof(*cfg) + tokens_size +
13734 			 data_size + wake_size;
13735 	memcpy((void *)cfg->wake_mask,
13736 	       nla_data(tb[NL80211_WOWLAN_TCP_WAKE_MASK]),
13737 	       wake_mask_size);
13738 	if (tok) {
13739 		cfg->tokens_size = tokens_size;
13740 		cfg->payload_tok = *tok;
13741 		memcpy(cfg->payload_tok.token_stream, tok->token_stream,
13742 		       tokens_size);
13743 	}
13744 
13745 	trig->tcp = cfg;
13746 
13747 	return 0;
13748 }
13749 
13750 static int nl80211_parse_wowlan_nd(struct cfg80211_registered_device *rdev,
13751 				   const struct wiphy_wowlan_support *wowlan,
13752 				   struct nlattr *attr,
13753 				   struct cfg80211_wowlan *trig)
13754 {
13755 	struct nlattr **tb;
13756 	int err;
13757 
13758 	tb = kcalloc(NUM_NL80211_ATTR, sizeof(*tb), GFP_KERNEL);
13759 	if (!tb)
13760 		return -ENOMEM;
13761 
13762 	if (!(wowlan->flags & WIPHY_WOWLAN_NET_DETECT)) {
13763 		err = -EOPNOTSUPP;
13764 		goto out;
13765 	}
13766 
13767 	err = nla_parse_nested_deprecated(tb, NL80211_ATTR_MAX, attr,
13768 					  nl80211_policy, NULL);
13769 	if (err)
13770 		goto out;
13771 
13772 	trig->nd_config = nl80211_parse_sched_scan(&rdev->wiphy, NULL, tb,
13773 						   wowlan->max_nd_match_sets);
13774 	err = PTR_ERR_OR_ZERO(trig->nd_config);
13775 	if (err)
13776 		trig->nd_config = NULL;
13777 
13778 out:
13779 	kfree(tb);
13780 	return err;
13781 }
13782 
13783 static int nl80211_set_wowlan(struct sk_buff *skb, struct genl_info *info)
13784 {
13785 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13786 	struct nlattr *tb[NUM_NL80211_WOWLAN_TRIG];
13787 	struct cfg80211_wowlan new_triggers = {};
13788 	struct cfg80211_wowlan *ntrig;
13789 	const struct wiphy_wowlan_support *wowlan = rdev->wiphy.wowlan;
13790 	int err, i;
13791 	bool prev_enabled = rdev->wiphy.wowlan_config;
13792 	bool regular = false;
13793 
13794 	if (!wowlan)
13795 		return -EOPNOTSUPP;
13796 
13797 	if (!info->attrs[NL80211_ATTR_WOWLAN_TRIGGERS]) {
13798 		cfg80211_rdev_free_wowlan(rdev);
13799 		rdev->wiphy.wowlan_config = NULL;
13800 		goto set_wakeup;
13801 	}
13802 
13803 	err = nla_parse_nested_deprecated(tb, MAX_NL80211_WOWLAN_TRIG,
13804 					  info->attrs[NL80211_ATTR_WOWLAN_TRIGGERS],
13805 					  nl80211_wowlan_policy, info->extack);
13806 	if (err)
13807 		return err;
13808 
13809 	if (tb[NL80211_WOWLAN_TRIG_ANY]) {
13810 		if (!(wowlan->flags & WIPHY_WOWLAN_ANY))
13811 			return -EINVAL;
13812 		new_triggers.any = true;
13813 	}
13814 
13815 	if (tb[NL80211_WOWLAN_TRIG_DISCONNECT]) {
13816 		if (!(wowlan->flags & WIPHY_WOWLAN_DISCONNECT))
13817 			return -EINVAL;
13818 		new_triggers.disconnect = true;
13819 		regular = true;
13820 	}
13821 
13822 	if (tb[NL80211_WOWLAN_TRIG_MAGIC_PKT]) {
13823 		if (!(wowlan->flags & WIPHY_WOWLAN_MAGIC_PKT))
13824 			return -EINVAL;
13825 		new_triggers.magic_pkt = true;
13826 		regular = true;
13827 	}
13828 
13829 	if (tb[NL80211_WOWLAN_TRIG_GTK_REKEY_SUPPORTED])
13830 		return -EINVAL;
13831 
13832 	if (tb[NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE]) {
13833 		if (!(wowlan->flags & WIPHY_WOWLAN_GTK_REKEY_FAILURE))
13834 			return -EINVAL;
13835 		new_triggers.gtk_rekey_failure = true;
13836 		regular = true;
13837 	}
13838 
13839 	if (tb[NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST]) {
13840 		if (!(wowlan->flags & WIPHY_WOWLAN_EAP_IDENTITY_REQ))
13841 			return -EINVAL;
13842 		new_triggers.eap_identity_req = true;
13843 		regular = true;
13844 	}
13845 
13846 	if (tb[NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE]) {
13847 		if (!(wowlan->flags & WIPHY_WOWLAN_4WAY_HANDSHAKE))
13848 			return -EINVAL;
13849 		new_triggers.four_way_handshake = true;
13850 		regular = true;
13851 	}
13852 
13853 	if (tb[NL80211_WOWLAN_TRIG_RFKILL_RELEASE]) {
13854 		if (!(wowlan->flags & WIPHY_WOWLAN_RFKILL_RELEASE))
13855 			return -EINVAL;
13856 		new_triggers.rfkill_release = true;
13857 		regular = true;
13858 	}
13859 
13860 	if (tb[NL80211_WOWLAN_TRIG_PKT_PATTERN]) {
13861 		struct nlattr *pat;
13862 		int n_patterns = 0;
13863 		int rem, pat_len, mask_len, pkt_offset;
13864 		struct nlattr *pat_tb[NUM_NL80211_PKTPAT];
13865 
13866 		regular = true;
13867 
13868 		nla_for_each_nested(pat, tb[NL80211_WOWLAN_TRIG_PKT_PATTERN],
13869 				    rem)
13870 			n_patterns++;
13871 		if (n_patterns > wowlan->n_patterns)
13872 			return -EINVAL;
13873 
13874 		new_triggers.patterns = kcalloc(n_patterns,
13875 						sizeof(new_triggers.patterns[0]),
13876 						GFP_KERNEL);
13877 		if (!new_triggers.patterns)
13878 			return -ENOMEM;
13879 
13880 		new_triggers.n_patterns = n_patterns;
13881 		i = 0;
13882 
13883 		nla_for_each_nested(pat, tb[NL80211_WOWLAN_TRIG_PKT_PATTERN],
13884 				    rem) {
13885 			u8 *mask_pat;
13886 
13887 			err = nla_parse_nested_deprecated(pat_tb,
13888 							  MAX_NL80211_PKTPAT,
13889 							  pat,
13890 							  nl80211_packet_pattern_policy,
13891 							  info->extack);
13892 			if (err)
13893 				goto error;
13894 
13895 			err = -EINVAL;
13896 			if (!pat_tb[NL80211_PKTPAT_MASK] ||
13897 			    !pat_tb[NL80211_PKTPAT_PATTERN])
13898 				goto error;
13899 			pat_len = nla_len(pat_tb[NL80211_PKTPAT_PATTERN]);
13900 			mask_len = DIV_ROUND_UP(pat_len, 8);
13901 			if (nla_len(pat_tb[NL80211_PKTPAT_MASK]) != mask_len)
13902 				goto error;
13903 			if (pat_len > wowlan->pattern_max_len ||
13904 			    pat_len < wowlan->pattern_min_len)
13905 				goto error;
13906 
13907 			pkt_offset =
13908 				nla_get_u32_default(pat_tb[NL80211_PKTPAT_OFFSET],
13909 						    0);
13910 			if (pkt_offset > wowlan->max_pkt_offset)
13911 				goto error;
13912 			new_triggers.patterns[i].pkt_offset = pkt_offset;
13913 
13914 			mask_pat = kmalloc(mask_len + pat_len, GFP_KERNEL);
13915 			if (!mask_pat) {
13916 				err = -ENOMEM;
13917 				goto error;
13918 			}
13919 			new_triggers.patterns[i].mask = mask_pat;
13920 			memcpy(mask_pat, nla_data(pat_tb[NL80211_PKTPAT_MASK]),
13921 			       mask_len);
13922 			mask_pat += mask_len;
13923 			new_triggers.patterns[i].pattern = mask_pat;
13924 			new_triggers.patterns[i].pattern_len = pat_len;
13925 			memcpy(mask_pat,
13926 			       nla_data(pat_tb[NL80211_PKTPAT_PATTERN]),
13927 			       pat_len);
13928 			i++;
13929 		}
13930 	}
13931 
13932 	if (tb[NL80211_WOWLAN_TRIG_TCP_CONNECTION]) {
13933 		regular = true;
13934 		err = nl80211_parse_wowlan_tcp(
13935 			rdev, tb[NL80211_WOWLAN_TRIG_TCP_CONNECTION],
13936 			&new_triggers);
13937 		if (err)
13938 			goto error;
13939 	}
13940 
13941 	if (tb[NL80211_WOWLAN_TRIG_NET_DETECT]) {
13942 		regular = true;
13943 		err = nl80211_parse_wowlan_nd(
13944 			rdev, wowlan, tb[NL80211_WOWLAN_TRIG_NET_DETECT],
13945 			&new_triggers);
13946 		if (err)
13947 			goto error;
13948 	}
13949 
13950 	/* The 'any' trigger means the device continues operating more or less
13951 	 * as in its normal operation mode and wakes up the host on most of the
13952 	 * normal interrupts (like packet RX, ...)
13953 	 * It therefore makes little sense to combine with the more constrained
13954 	 * wakeup trigger modes.
13955 	 */
13956 	if (new_triggers.any && regular) {
13957 		err = -EINVAL;
13958 		goto error;
13959 	}
13960 
13961 	ntrig = kmemdup(&new_triggers, sizeof(new_triggers), GFP_KERNEL);
13962 	if (!ntrig) {
13963 		err = -ENOMEM;
13964 		goto error;
13965 	}
13966 	cfg80211_rdev_free_wowlan(rdev);
13967 	rdev->wiphy.wowlan_config = ntrig;
13968 
13969  set_wakeup:
13970 	if (rdev->ops->set_wakeup &&
13971 	    prev_enabled != !!rdev->wiphy.wowlan_config)
13972 		rdev_set_wakeup(rdev, rdev->wiphy.wowlan_config);
13973 
13974 	return 0;
13975  error:
13976 	for (i = 0; i < new_triggers.n_patterns; i++)
13977 		kfree(new_triggers.patterns[i].mask);
13978 	kfree(new_triggers.patterns);
13979 	if (new_triggers.tcp && new_triggers.tcp->sock)
13980 		sock_release(new_triggers.tcp->sock);
13981 	kfree(new_triggers.tcp);
13982 	kfree(new_triggers.nd_config);
13983 	return err;
13984 }
13985 #endif
13986 
13987 static int nl80211_send_coalesce_rules(struct sk_buff *msg,
13988 				       struct cfg80211_registered_device *rdev)
13989 {
13990 	struct nlattr *nl_pats, *nl_pat, *nl_rule, *nl_rules;
13991 	int i, j, pat_len;
13992 	struct cfg80211_coalesce_rules *rule;
13993 
13994 	if (!rdev->coalesce->n_rules)
13995 		return 0;
13996 
13997 	nl_rules = nla_nest_start_noflag(msg, NL80211_ATTR_COALESCE_RULE);
13998 	if (!nl_rules)
13999 		return -ENOBUFS;
14000 
14001 	for (i = 0; i < rdev->coalesce->n_rules; i++) {
14002 		nl_rule = nla_nest_start_noflag(msg, i + 1);
14003 		if (!nl_rule)
14004 			return -ENOBUFS;
14005 
14006 		rule = &rdev->coalesce->rules[i];
14007 		if (nla_put_u32(msg, NL80211_ATTR_COALESCE_RULE_DELAY,
14008 				rule->delay))
14009 			return -ENOBUFS;
14010 
14011 		if (nla_put_u32(msg, NL80211_ATTR_COALESCE_RULE_CONDITION,
14012 				rule->condition))
14013 			return -ENOBUFS;
14014 
14015 		nl_pats = nla_nest_start_noflag(msg,
14016 						NL80211_ATTR_COALESCE_RULE_PKT_PATTERN);
14017 		if (!nl_pats)
14018 			return -ENOBUFS;
14019 
14020 		for (j = 0; j < rule->n_patterns; j++) {
14021 			nl_pat = nla_nest_start_noflag(msg, j + 1);
14022 			if (!nl_pat)
14023 				return -ENOBUFS;
14024 			pat_len = rule->patterns[j].pattern_len;
14025 			if (nla_put(msg, NL80211_PKTPAT_MASK,
14026 				    DIV_ROUND_UP(pat_len, 8),
14027 				    rule->patterns[j].mask) ||
14028 			    nla_put(msg, NL80211_PKTPAT_PATTERN, pat_len,
14029 				    rule->patterns[j].pattern) ||
14030 			    nla_put_u32(msg, NL80211_PKTPAT_OFFSET,
14031 					rule->patterns[j].pkt_offset))
14032 				return -ENOBUFS;
14033 			nla_nest_end(msg, nl_pat);
14034 		}
14035 		nla_nest_end(msg, nl_pats);
14036 		nla_nest_end(msg, nl_rule);
14037 	}
14038 	nla_nest_end(msg, nl_rules);
14039 
14040 	return 0;
14041 }
14042 
14043 static int nl80211_get_coalesce(struct sk_buff *skb, struct genl_info *info)
14044 {
14045 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14046 	struct sk_buff *msg;
14047 	void *hdr;
14048 
14049 	if (!rdev->wiphy.coalesce)
14050 		return -EOPNOTSUPP;
14051 
14052 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
14053 	if (!msg)
14054 		return -ENOMEM;
14055 
14056 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
14057 			     NL80211_CMD_GET_COALESCE);
14058 	if (!hdr)
14059 		goto nla_put_failure;
14060 
14061 	if (rdev->coalesce && nl80211_send_coalesce_rules(msg, rdev))
14062 		goto nla_put_failure;
14063 
14064 	genlmsg_end(msg, hdr);
14065 	return genlmsg_reply(msg, info);
14066 
14067 nla_put_failure:
14068 	nlmsg_free(msg);
14069 	return -ENOBUFS;
14070 }
14071 
14072 void cfg80211_free_coalesce(struct cfg80211_coalesce *coalesce)
14073 {
14074 	int i, j;
14075 	struct cfg80211_coalesce_rules *rule;
14076 
14077 	if (!coalesce)
14078 		return;
14079 
14080 	for (i = 0; i < coalesce->n_rules; i++) {
14081 		rule = &coalesce->rules[i];
14082 		for (j = 0; j < rule->n_patterns; j++)
14083 			kfree(rule->patterns[j].mask);
14084 		kfree(rule->patterns);
14085 	}
14086 	kfree(coalesce);
14087 }
14088 
14089 static int nl80211_parse_coalesce_rule(struct cfg80211_registered_device *rdev,
14090 				       struct nlattr *rule,
14091 				       struct cfg80211_coalesce_rules *new_rule)
14092 {
14093 	int err, i;
14094 	const struct wiphy_coalesce_support *coalesce = rdev->wiphy.coalesce;
14095 	struct nlattr *tb[NUM_NL80211_ATTR_COALESCE_RULE], *pat;
14096 	int rem, pat_len, mask_len, pkt_offset, n_patterns = 0;
14097 	struct nlattr *pat_tb[NUM_NL80211_PKTPAT];
14098 
14099 	err = nla_parse_nested_deprecated(tb, NL80211_ATTR_COALESCE_RULE_MAX,
14100 					  rule, nl80211_coalesce_policy, NULL);
14101 	if (err)
14102 		return err;
14103 
14104 	if (tb[NL80211_ATTR_COALESCE_RULE_DELAY])
14105 		new_rule->delay =
14106 			nla_get_u32(tb[NL80211_ATTR_COALESCE_RULE_DELAY]);
14107 	if (new_rule->delay > coalesce->max_delay)
14108 		return -EINVAL;
14109 
14110 	if (tb[NL80211_ATTR_COALESCE_RULE_CONDITION])
14111 		new_rule->condition =
14112 			nla_get_u32(tb[NL80211_ATTR_COALESCE_RULE_CONDITION]);
14113 
14114 	if (!tb[NL80211_ATTR_COALESCE_RULE_PKT_PATTERN])
14115 		return -EINVAL;
14116 
14117 	nla_for_each_nested(pat, tb[NL80211_ATTR_COALESCE_RULE_PKT_PATTERN],
14118 			    rem)
14119 		n_patterns++;
14120 	if (n_patterns > coalesce->n_patterns)
14121 		return -EINVAL;
14122 
14123 	new_rule->patterns = kcalloc(n_patterns, sizeof(new_rule->patterns[0]),
14124 				     GFP_KERNEL);
14125 	if (!new_rule->patterns)
14126 		return -ENOMEM;
14127 
14128 	new_rule->n_patterns = n_patterns;
14129 	i = 0;
14130 
14131 	nla_for_each_nested(pat, tb[NL80211_ATTR_COALESCE_RULE_PKT_PATTERN],
14132 			    rem) {
14133 		u8 *mask_pat;
14134 
14135 		err = nla_parse_nested_deprecated(pat_tb, MAX_NL80211_PKTPAT,
14136 						  pat,
14137 						  nl80211_packet_pattern_policy,
14138 						  NULL);
14139 		if (err)
14140 			return err;
14141 
14142 		if (!pat_tb[NL80211_PKTPAT_MASK] ||
14143 		    !pat_tb[NL80211_PKTPAT_PATTERN])
14144 			return -EINVAL;
14145 		pat_len = nla_len(pat_tb[NL80211_PKTPAT_PATTERN]);
14146 		mask_len = DIV_ROUND_UP(pat_len, 8);
14147 		if (nla_len(pat_tb[NL80211_PKTPAT_MASK]) != mask_len)
14148 			return -EINVAL;
14149 		if (pat_len > coalesce->pattern_max_len ||
14150 		    pat_len < coalesce->pattern_min_len)
14151 			return -EINVAL;
14152 
14153 		pkt_offset = nla_get_u32_default(pat_tb[NL80211_PKTPAT_OFFSET],
14154 						 0);
14155 		if (pkt_offset > coalesce->max_pkt_offset)
14156 			return -EINVAL;
14157 		new_rule->patterns[i].pkt_offset = pkt_offset;
14158 
14159 		mask_pat = kmalloc(mask_len + pat_len, GFP_KERNEL);
14160 		if (!mask_pat)
14161 			return -ENOMEM;
14162 
14163 		new_rule->patterns[i].mask = mask_pat;
14164 		memcpy(mask_pat, nla_data(pat_tb[NL80211_PKTPAT_MASK]),
14165 		       mask_len);
14166 
14167 		mask_pat += mask_len;
14168 		new_rule->patterns[i].pattern = mask_pat;
14169 		new_rule->patterns[i].pattern_len = pat_len;
14170 		memcpy(mask_pat, nla_data(pat_tb[NL80211_PKTPAT_PATTERN]),
14171 		       pat_len);
14172 		i++;
14173 	}
14174 
14175 	return 0;
14176 }
14177 
14178 static int nl80211_set_coalesce(struct sk_buff *skb, struct genl_info *info)
14179 {
14180 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14181 	const struct wiphy_coalesce_support *coalesce = rdev->wiphy.coalesce;
14182 	struct cfg80211_coalesce *new_coalesce;
14183 	int err, rem_rule, n_rules = 0, i;
14184 	struct nlattr *rule;
14185 
14186 	if (!rdev->wiphy.coalesce || !rdev->ops->set_coalesce)
14187 		return -EOPNOTSUPP;
14188 
14189 	if (!info->attrs[NL80211_ATTR_COALESCE_RULE]) {
14190 		cfg80211_free_coalesce(rdev->coalesce);
14191 		rdev->coalesce = NULL;
14192 		rdev_set_coalesce(rdev, NULL);
14193 		return 0;
14194 	}
14195 
14196 	nla_for_each_nested(rule, info->attrs[NL80211_ATTR_COALESCE_RULE],
14197 			    rem_rule)
14198 		n_rules++;
14199 	if (n_rules > coalesce->n_rules)
14200 		return -EINVAL;
14201 
14202 	new_coalesce = kzalloc(struct_size(new_coalesce, rules, n_rules),
14203 			       GFP_KERNEL);
14204 	if (!new_coalesce)
14205 		return -ENOMEM;
14206 
14207 	new_coalesce->n_rules = n_rules;
14208 	i = 0;
14209 
14210 	nla_for_each_nested(rule, info->attrs[NL80211_ATTR_COALESCE_RULE],
14211 			    rem_rule) {
14212 		err = nl80211_parse_coalesce_rule(rdev, rule,
14213 						  &new_coalesce->rules[i]);
14214 		if (err)
14215 			goto error;
14216 
14217 		i++;
14218 	}
14219 
14220 	err = rdev_set_coalesce(rdev, new_coalesce);
14221 	if (err)
14222 		goto error;
14223 
14224 	cfg80211_free_coalesce(rdev->coalesce);
14225 	rdev->coalesce = new_coalesce;
14226 
14227 	return 0;
14228 error:
14229 	cfg80211_free_coalesce(new_coalesce);
14230 
14231 	return err;
14232 }
14233 
14234 static int nl80211_set_rekey_data(struct sk_buff *skb, struct genl_info *info)
14235 {
14236 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14237 	struct net_device *dev = info->user_ptr[1];
14238 	struct wireless_dev *wdev = dev->ieee80211_ptr;
14239 	struct nlattr *tb[NUM_NL80211_REKEY_DATA];
14240 	struct cfg80211_gtk_rekey_data rekey_data = {};
14241 	int err;
14242 
14243 	if (!info->attrs[NL80211_ATTR_REKEY_DATA])
14244 		return -EINVAL;
14245 
14246 	err = nla_parse_nested_deprecated(tb, MAX_NL80211_REKEY_DATA,
14247 					  info->attrs[NL80211_ATTR_REKEY_DATA],
14248 					  nl80211_rekey_policy, info->extack);
14249 	if (err)
14250 		return err;
14251 
14252 	if (!tb[NL80211_REKEY_DATA_REPLAY_CTR] || !tb[NL80211_REKEY_DATA_KEK] ||
14253 	    !tb[NL80211_REKEY_DATA_KCK])
14254 		return -EINVAL;
14255 	if (nla_len(tb[NL80211_REKEY_DATA_KEK]) != NL80211_KEK_LEN &&
14256 	    !(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_EXT_KEK_KCK &&
14257 	      nla_len(tb[NL80211_REKEY_DATA_KEK]) == NL80211_KEK_EXT_LEN))
14258 		return -ERANGE;
14259 	if (nla_len(tb[NL80211_REKEY_DATA_KCK]) != NL80211_KCK_LEN &&
14260 	    !(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_EXT_KEK_KCK &&
14261 	      nla_len(tb[NL80211_REKEY_DATA_KCK]) == NL80211_KCK_EXT_LEN) &&
14262 	     !(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_EXT_KCK_32 &&
14263 	       nla_len(tb[NL80211_REKEY_DATA_KCK]) == NL80211_KCK_EXT_LEN_32))
14264 		return -ERANGE;
14265 
14266 	rekey_data.kek = nla_data(tb[NL80211_REKEY_DATA_KEK]);
14267 	rekey_data.kck = nla_data(tb[NL80211_REKEY_DATA_KCK]);
14268 	rekey_data.replay_ctr = nla_data(tb[NL80211_REKEY_DATA_REPLAY_CTR]);
14269 	rekey_data.kek_len = nla_len(tb[NL80211_REKEY_DATA_KEK]);
14270 	rekey_data.kck_len = nla_len(tb[NL80211_REKEY_DATA_KCK]);
14271 	if (tb[NL80211_REKEY_DATA_AKM])
14272 		rekey_data.akm = nla_get_u32(tb[NL80211_REKEY_DATA_AKM]);
14273 
14274 	if (!wdev->connected)
14275 		return -ENOTCONN;
14276 
14277 	if (!rdev->ops->set_rekey_data)
14278 		return -EOPNOTSUPP;
14279 
14280 	return rdev_set_rekey_data(rdev, dev, &rekey_data);
14281 }
14282 
14283 static int nl80211_register_unexpected_frame(struct sk_buff *skb,
14284 					     struct genl_info *info)
14285 {
14286 	struct net_device *dev = info->user_ptr[1];
14287 	struct wireless_dev *wdev = dev->ieee80211_ptr;
14288 
14289 	if (wdev->iftype != NL80211_IFTYPE_AP &&
14290 	    wdev->iftype != NL80211_IFTYPE_P2P_GO)
14291 		return -EINVAL;
14292 
14293 	if (wdev->ap_unexpected_nlportid)
14294 		return -EBUSY;
14295 
14296 	wdev->ap_unexpected_nlportid = info->snd_portid;
14297 	return 0;
14298 }
14299 
14300 static int nl80211_probe_client(struct sk_buff *skb,
14301 				struct genl_info *info)
14302 {
14303 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14304 	struct net_device *dev = info->user_ptr[1];
14305 	struct wireless_dev *wdev = dev->ieee80211_ptr;
14306 	struct sk_buff *msg;
14307 	void *hdr;
14308 	const u8 *addr;
14309 	u64 cookie;
14310 	int err;
14311 
14312 	if (wdev->iftype != NL80211_IFTYPE_AP &&
14313 	    wdev->iftype != NL80211_IFTYPE_P2P_GO)
14314 		return -EOPNOTSUPP;
14315 
14316 	if (!info->attrs[NL80211_ATTR_MAC])
14317 		return -EINVAL;
14318 
14319 	if (!rdev->ops->probe_client)
14320 		return -EOPNOTSUPP;
14321 
14322 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
14323 	if (!msg)
14324 		return -ENOMEM;
14325 
14326 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
14327 			     NL80211_CMD_PROBE_CLIENT);
14328 	if (!hdr) {
14329 		err = -ENOBUFS;
14330 		goto free_msg;
14331 	}
14332 
14333 	addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
14334 
14335 	err = rdev_probe_client(rdev, dev, addr, &cookie);
14336 	if (err)
14337 		goto free_msg;
14338 
14339 	if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
14340 			      NL80211_ATTR_PAD))
14341 		goto nla_put_failure;
14342 
14343 	genlmsg_end(msg, hdr);
14344 
14345 	return genlmsg_reply(msg, info);
14346 
14347  nla_put_failure:
14348 	err = -ENOBUFS;
14349  free_msg:
14350 	nlmsg_free(msg);
14351 	return err;
14352 }
14353 
14354 static int nl80211_register_beacons(struct sk_buff *skb, struct genl_info *info)
14355 {
14356 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14357 	struct cfg80211_beacon_registration *reg, *nreg;
14358 	int rv;
14359 
14360 	if (!(rdev->wiphy.flags & WIPHY_FLAG_REPORTS_OBSS))
14361 		return -EOPNOTSUPP;
14362 
14363 	nreg = kzalloc(sizeof(*nreg), GFP_KERNEL);
14364 	if (!nreg)
14365 		return -ENOMEM;
14366 
14367 	/* First, check if already registered. */
14368 	spin_lock_bh(&rdev->beacon_registrations_lock);
14369 	list_for_each_entry(reg, &rdev->beacon_registrations, list) {
14370 		if (reg->nlportid == info->snd_portid) {
14371 			rv = -EALREADY;
14372 			goto out_err;
14373 		}
14374 	}
14375 	/* Add it to the list */
14376 	nreg->nlportid = info->snd_portid;
14377 	list_add(&nreg->list, &rdev->beacon_registrations);
14378 
14379 	spin_unlock_bh(&rdev->beacon_registrations_lock);
14380 
14381 	return 0;
14382 out_err:
14383 	spin_unlock_bh(&rdev->beacon_registrations_lock);
14384 	kfree(nreg);
14385 	return rv;
14386 }
14387 
14388 static int nl80211_start_p2p_device(struct sk_buff *skb, struct genl_info *info)
14389 {
14390 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14391 	struct wireless_dev *wdev = info->user_ptr[1];
14392 	int err;
14393 
14394 	if (!rdev->ops->start_p2p_device)
14395 		return -EOPNOTSUPP;
14396 
14397 	if (wdev->iftype != NL80211_IFTYPE_P2P_DEVICE)
14398 		return -EOPNOTSUPP;
14399 
14400 	if (wdev_running(wdev))
14401 		return 0;
14402 
14403 	if (rfkill_blocked(rdev->wiphy.rfkill))
14404 		return -ERFKILL;
14405 
14406 	err = rdev_start_p2p_device(rdev, wdev);
14407 	if (err)
14408 		return err;
14409 
14410 	wdev->is_running = true;
14411 	rdev->opencount++;
14412 
14413 	return 0;
14414 }
14415 
14416 static int nl80211_stop_p2p_device(struct sk_buff *skb, struct genl_info *info)
14417 {
14418 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14419 	struct wireless_dev *wdev = info->user_ptr[1];
14420 
14421 	if (wdev->iftype != NL80211_IFTYPE_P2P_DEVICE)
14422 		return -EOPNOTSUPP;
14423 
14424 	if (!rdev->ops->stop_p2p_device)
14425 		return -EOPNOTSUPP;
14426 
14427 	cfg80211_stop_p2p_device(rdev, wdev);
14428 
14429 	return 0;
14430 }
14431 
14432 static int nl80211_start_nan(struct sk_buff *skb, struct genl_info *info)
14433 {
14434 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14435 	struct wireless_dev *wdev = info->user_ptr[1];
14436 	struct cfg80211_nan_conf conf = {};
14437 	int err;
14438 
14439 	if (wdev->iftype != NL80211_IFTYPE_NAN)
14440 		return -EOPNOTSUPP;
14441 
14442 	if (wdev_running(wdev))
14443 		return -EEXIST;
14444 
14445 	if (rfkill_blocked(rdev->wiphy.rfkill))
14446 		return -ERFKILL;
14447 
14448 	if (!info->attrs[NL80211_ATTR_NAN_MASTER_PREF])
14449 		return -EINVAL;
14450 
14451 	conf.master_pref =
14452 		nla_get_u8(info->attrs[NL80211_ATTR_NAN_MASTER_PREF]);
14453 
14454 	if (info->attrs[NL80211_ATTR_BANDS]) {
14455 		u32 bands = nla_get_u32(info->attrs[NL80211_ATTR_BANDS]);
14456 
14457 		if (bands & ~(u32)wdev->wiphy->nan_supported_bands)
14458 			return -EOPNOTSUPP;
14459 
14460 		if (bands && !(bands & BIT(NL80211_BAND_2GHZ)))
14461 			return -EINVAL;
14462 
14463 		conf.bands = bands;
14464 	}
14465 
14466 	err = rdev_start_nan(rdev, wdev, &conf);
14467 	if (err)
14468 		return err;
14469 
14470 	wdev->is_running = true;
14471 	rdev->opencount++;
14472 
14473 	return 0;
14474 }
14475 
14476 static int nl80211_stop_nan(struct sk_buff *skb, struct genl_info *info)
14477 {
14478 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14479 	struct wireless_dev *wdev = info->user_ptr[1];
14480 
14481 	if (wdev->iftype != NL80211_IFTYPE_NAN)
14482 		return -EOPNOTSUPP;
14483 
14484 	cfg80211_stop_nan(rdev, wdev);
14485 
14486 	return 0;
14487 }
14488 
14489 static int validate_nan_filter(struct nlattr *filter_attr)
14490 {
14491 	struct nlattr *attr;
14492 	int len = 0, n_entries = 0, rem;
14493 
14494 	nla_for_each_nested(attr, filter_attr, rem) {
14495 		len += nla_len(attr);
14496 		n_entries++;
14497 	}
14498 
14499 	if (len >= U8_MAX)
14500 		return -EINVAL;
14501 
14502 	return n_entries;
14503 }
14504 
14505 static int handle_nan_filter(struct nlattr *attr_filter,
14506 			     struct cfg80211_nan_func *func,
14507 			     bool tx)
14508 {
14509 	struct nlattr *attr;
14510 	int n_entries, rem, i;
14511 	struct cfg80211_nan_func_filter *filter;
14512 
14513 	n_entries = validate_nan_filter(attr_filter);
14514 	if (n_entries < 0)
14515 		return n_entries;
14516 
14517 	BUILD_BUG_ON(sizeof(*func->rx_filters) != sizeof(*func->tx_filters));
14518 
14519 	filter = kcalloc(n_entries, sizeof(*func->rx_filters), GFP_KERNEL);
14520 	if (!filter)
14521 		return -ENOMEM;
14522 
14523 	i = 0;
14524 	nla_for_each_nested(attr, attr_filter, rem) {
14525 		filter[i].filter = nla_memdup(attr, GFP_KERNEL);
14526 		if (!filter[i].filter)
14527 			goto err;
14528 
14529 		filter[i].len = nla_len(attr);
14530 		i++;
14531 	}
14532 	if (tx) {
14533 		func->num_tx_filters = n_entries;
14534 		func->tx_filters = filter;
14535 	} else {
14536 		func->num_rx_filters = n_entries;
14537 		func->rx_filters = filter;
14538 	}
14539 
14540 	return 0;
14541 
14542 err:
14543 	i = 0;
14544 	nla_for_each_nested(attr, attr_filter, rem) {
14545 		kfree(filter[i].filter);
14546 		i++;
14547 	}
14548 	kfree(filter);
14549 	return -ENOMEM;
14550 }
14551 
14552 static int nl80211_nan_add_func(struct sk_buff *skb,
14553 				struct genl_info *info)
14554 {
14555 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14556 	struct wireless_dev *wdev = info->user_ptr[1];
14557 	struct nlattr *tb[NUM_NL80211_NAN_FUNC_ATTR], *func_attr;
14558 	struct cfg80211_nan_func *func;
14559 	struct sk_buff *msg = NULL;
14560 	void *hdr = NULL;
14561 	int err = 0;
14562 
14563 	if (wdev->iftype != NL80211_IFTYPE_NAN)
14564 		return -EOPNOTSUPP;
14565 
14566 	if (!wdev_running(wdev))
14567 		return -ENOTCONN;
14568 
14569 	if (!info->attrs[NL80211_ATTR_NAN_FUNC])
14570 		return -EINVAL;
14571 
14572 	err = nla_parse_nested_deprecated(tb, NL80211_NAN_FUNC_ATTR_MAX,
14573 					  info->attrs[NL80211_ATTR_NAN_FUNC],
14574 					  nl80211_nan_func_policy,
14575 					  info->extack);
14576 	if (err)
14577 		return err;
14578 
14579 	func = kzalloc(sizeof(*func), GFP_KERNEL);
14580 	if (!func)
14581 		return -ENOMEM;
14582 
14583 	func->cookie = cfg80211_assign_cookie(rdev);
14584 
14585 	if (!tb[NL80211_NAN_FUNC_TYPE]) {
14586 		err = -EINVAL;
14587 		goto out;
14588 	}
14589 
14590 
14591 	func->type = nla_get_u8(tb[NL80211_NAN_FUNC_TYPE]);
14592 
14593 	if (!tb[NL80211_NAN_FUNC_SERVICE_ID]) {
14594 		err = -EINVAL;
14595 		goto out;
14596 	}
14597 
14598 	memcpy(func->service_id, nla_data(tb[NL80211_NAN_FUNC_SERVICE_ID]),
14599 	       sizeof(func->service_id));
14600 
14601 	func->close_range =
14602 		nla_get_flag(tb[NL80211_NAN_FUNC_CLOSE_RANGE]);
14603 
14604 	if (tb[NL80211_NAN_FUNC_SERVICE_INFO]) {
14605 		func->serv_spec_info_len =
14606 			nla_len(tb[NL80211_NAN_FUNC_SERVICE_INFO]);
14607 		func->serv_spec_info =
14608 			kmemdup(nla_data(tb[NL80211_NAN_FUNC_SERVICE_INFO]),
14609 				func->serv_spec_info_len,
14610 				GFP_KERNEL);
14611 		if (!func->serv_spec_info) {
14612 			err = -ENOMEM;
14613 			goto out;
14614 		}
14615 	}
14616 
14617 	if (tb[NL80211_NAN_FUNC_TTL])
14618 		func->ttl = nla_get_u32(tb[NL80211_NAN_FUNC_TTL]);
14619 
14620 	switch (func->type) {
14621 	case NL80211_NAN_FUNC_PUBLISH:
14622 		if (!tb[NL80211_NAN_FUNC_PUBLISH_TYPE]) {
14623 			err = -EINVAL;
14624 			goto out;
14625 		}
14626 
14627 		func->publish_type =
14628 			nla_get_u8(tb[NL80211_NAN_FUNC_PUBLISH_TYPE]);
14629 		func->publish_bcast =
14630 			nla_get_flag(tb[NL80211_NAN_FUNC_PUBLISH_BCAST]);
14631 
14632 		if ((!(func->publish_type & NL80211_NAN_SOLICITED_PUBLISH)) &&
14633 			func->publish_bcast) {
14634 			err = -EINVAL;
14635 			goto out;
14636 		}
14637 		break;
14638 	case NL80211_NAN_FUNC_SUBSCRIBE:
14639 		func->subscribe_active =
14640 			nla_get_flag(tb[NL80211_NAN_FUNC_SUBSCRIBE_ACTIVE]);
14641 		break;
14642 	case NL80211_NAN_FUNC_FOLLOW_UP:
14643 		if (!tb[NL80211_NAN_FUNC_FOLLOW_UP_ID] ||
14644 		    !tb[NL80211_NAN_FUNC_FOLLOW_UP_REQ_ID] ||
14645 		    !tb[NL80211_NAN_FUNC_FOLLOW_UP_DEST]) {
14646 			err = -EINVAL;
14647 			goto out;
14648 		}
14649 
14650 		func->followup_id =
14651 			nla_get_u8(tb[NL80211_NAN_FUNC_FOLLOW_UP_ID]);
14652 		func->followup_reqid =
14653 			nla_get_u8(tb[NL80211_NAN_FUNC_FOLLOW_UP_REQ_ID]);
14654 		memcpy(func->followup_dest.addr,
14655 		       nla_data(tb[NL80211_NAN_FUNC_FOLLOW_UP_DEST]),
14656 		       sizeof(func->followup_dest.addr));
14657 		if (func->ttl) {
14658 			err = -EINVAL;
14659 			goto out;
14660 		}
14661 		break;
14662 	default:
14663 		err = -EINVAL;
14664 		goto out;
14665 	}
14666 
14667 	if (tb[NL80211_NAN_FUNC_SRF]) {
14668 		struct nlattr *srf_tb[NUM_NL80211_NAN_SRF_ATTR];
14669 
14670 		err = nla_parse_nested_deprecated(srf_tb,
14671 						  NL80211_NAN_SRF_ATTR_MAX,
14672 						  tb[NL80211_NAN_FUNC_SRF],
14673 						  nl80211_nan_srf_policy,
14674 						  info->extack);
14675 		if (err)
14676 			goto out;
14677 
14678 		func->srf_include =
14679 			nla_get_flag(srf_tb[NL80211_NAN_SRF_INCLUDE]);
14680 
14681 		if (srf_tb[NL80211_NAN_SRF_BF]) {
14682 			if (srf_tb[NL80211_NAN_SRF_MAC_ADDRS] ||
14683 			    !srf_tb[NL80211_NAN_SRF_BF_IDX]) {
14684 				err = -EINVAL;
14685 				goto out;
14686 			}
14687 
14688 			func->srf_bf_len =
14689 				nla_len(srf_tb[NL80211_NAN_SRF_BF]);
14690 			func->srf_bf =
14691 				kmemdup(nla_data(srf_tb[NL80211_NAN_SRF_BF]),
14692 					func->srf_bf_len, GFP_KERNEL);
14693 			if (!func->srf_bf) {
14694 				err = -ENOMEM;
14695 				goto out;
14696 			}
14697 
14698 			func->srf_bf_idx =
14699 				nla_get_u8(srf_tb[NL80211_NAN_SRF_BF_IDX]);
14700 		} else {
14701 			struct nlattr *attr, *mac_attr =
14702 				srf_tb[NL80211_NAN_SRF_MAC_ADDRS];
14703 			int n_entries, rem, i = 0;
14704 
14705 			if (!mac_attr) {
14706 				err = -EINVAL;
14707 				goto out;
14708 			}
14709 
14710 			n_entries = validate_acl_mac_addrs(mac_attr);
14711 			if (n_entries <= 0) {
14712 				err = -EINVAL;
14713 				goto out;
14714 			}
14715 
14716 			func->srf_num_macs = n_entries;
14717 			func->srf_macs =
14718 				kcalloc(n_entries, sizeof(*func->srf_macs),
14719 					GFP_KERNEL);
14720 			if (!func->srf_macs) {
14721 				err = -ENOMEM;
14722 				goto out;
14723 			}
14724 
14725 			nla_for_each_nested(attr, mac_attr, rem)
14726 				memcpy(func->srf_macs[i++].addr, nla_data(attr),
14727 				       sizeof(*func->srf_macs));
14728 		}
14729 	}
14730 
14731 	if (tb[NL80211_NAN_FUNC_TX_MATCH_FILTER]) {
14732 		err = handle_nan_filter(tb[NL80211_NAN_FUNC_TX_MATCH_FILTER],
14733 					func, true);
14734 		if (err)
14735 			goto out;
14736 	}
14737 
14738 	if (tb[NL80211_NAN_FUNC_RX_MATCH_FILTER]) {
14739 		err = handle_nan_filter(tb[NL80211_NAN_FUNC_RX_MATCH_FILTER],
14740 					func, false);
14741 		if (err)
14742 			goto out;
14743 	}
14744 
14745 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
14746 	if (!msg) {
14747 		err = -ENOMEM;
14748 		goto out;
14749 	}
14750 
14751 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
14752 			     NL80211_CMD_ADD_NAN_FUNCTION);
14753 	/* This can't really happen - we just allocated 4KB */
14754 	if (WARN_ON(!hdr)) {
14755 		err = -ENOMEM;
14756 		goto out;
14757 	}
14758 
14759 	err = rdev_add_nan_func(rdev, wdev, func);
14760 out:
14761 	if (err < 0) {
14762 		cfg80211_free_nan_func(func);
14763 		nlmsg_free(msg);
14764 		return err;
14765 	}
14766 
14767 	/* propagate the instance id and cookie to userspace  */
14768 	if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, func->cookie,
14769 			      NL80211_ATTR_PAD))
14770 		goto nla_put_failure;
14771 
14772 	func_attr = nla_nest_start_noflag(msg, NL80211_ATTR_NAN_FUNC);
14773 	if (!func_attr)
14774 		goto nla_put_failure;
14775 
14776 	if (nla_put_u8(msg, NL80211_NAN_FUNC_INSTANCE_ID,
14777 		       func->instance_id))
14778 		goto nla_put_failure;
14779 
14780 	nla_nest_end(msg, func_attr);
14781 
14782 	genlmsg_end(msg, hdr);
14783 	return genlmsg_reply(msg, info);
14784 
14785 nla_put_failure:
14786 	nlmsg_free(msg);
14787 	return -ENOBUFS;
14788 }
14789 
14790 static int nl80211_nan_del_func(struct sk_buff *skb,
14791 			       struct genl_info *info)
14792 {
14793 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14794 	struct wireless_dev *wdev = info->user_ptr[1];
14795 	u64 cookie;
14796 
14797 	if (wdev->iftype != NL80211_IFTYPE_NAN)
14798 		return -EOPNOTSUPP;
14799 
14800 	if (!wdev_running(wdev))
14801 		return -ENOTCONN;
14802 
14803 	if (!info->attrs[NL80211_ATTR_COOKIE])
14804 		return -EINVAL;
14805 
14806 	cookie = nla_get_u64(info->attrs[NL80211_ATTR_COOKIE]);
14807 
14808 	rdev_del_nan_func(rdev, wdev, cookie);
14809 
14810 	return 0;
14811 }
14812 
14813 static int nl80211_nan_change_config(struct sk_buff *skb,
14814 				     struct genl_info *info)
14815 {
14816 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14817 	struct wireless_dev *wdev = info->user_ptr[1];
14818 	struct cfg80211_nan_conf conf = {};
14819 	u32 changed = 0;
14820 
14821 	if (wdev->iftype != NL80211_IFTYPE_NAN)
14822 		return -EOPNOTSUPP;
14823 
14824 	if (!wdev_running(wdev))
14825 		return -ENOTCONN;
14826 
14827 	if (info->attrs[NL80211_ATTR_NAN_MASTER_PREF]) {
14828 		conf.master_pref =
14829 			nla_get_u8(info->attrs[NL80211_ATTR_NAN_MASTER_PREF]);
14830 		if (conf.master_pref <= 1 || conf.master_pref == 255)
14831 			return -EINVAL;
14832 
14833 		changed |= CFG80211_NAN_CONF_CHANGED_PREF;
14834 	}
14835 
14836 	if (info->attrs[NL80211_ATTR_BANDS]) {
14837 		u32 bands = nla_get_u32(info->attrs[NL80211_ATTR_BANDS]);
14838 
14839 		if (bands & ~(u32)wdev->wiphy->nan_supported_bands)
14840 			return -EOPNOTSUPP;
14841 
14842 		if (bands && !(bands & BIT(NL80211_BAND_2GHZ)))
14843 			return -EINVAL;
14844 
14845 		conf.bands = bands;
14846 		changed |= CFG80211_NAN_CONF_CHANGED_BANDS;
14847 	}
14848 
14849 	if (!changed)
14850 		return -EINVAL;
14851 
14852 	return rdev_nan_change_conf(rdev, wdev, &conf, changed);
14853 }
14854 
14855 void cfg80211_nan_match(struct wireless_dev *wdev,
14856 			struct cfg80211_nan_match_params *match, gfp_t gfp)
14857 {
14858 	struct wiphy *wiphy = wdev->wiphy;
14859 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
14860 	struct nlattr *match_attr, *local_func_attr, *peer_func_attr;
14861 	struct sk_buff *msg;
14862 	void *hdr;
14863 
14864 	if (WARN_ON(!match->inst_id || !match->peer_inst_id || !match->addr))
14865 		return;
14866 
14867 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
14868 	if (!msg)
14869 		return;
14870 
14871 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_NAN_MATCH);
14872 	if (!hdr) {
14873 		nlmsg_free(msg);
14874 		return;
14875 	}
14876 
14877 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
14878 	    (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
14879 					 wdev->netdev->ifindex)) ||
14880 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
14881 			      NL80211_ATTR_PAD))
14882 		goto nla_put_failure;
14883 
14884 	if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, match->cookie,
14885 			      NL80211_ATTR_PAD) ||
14886 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, match->addr))
14887 		goto nla_put_failure;
14888 
14889 	match_attr = nla_nest_start_noflag(msg, NL80211_ATTR_NAN_MATCH);
14890 	if (!match_attr)
14891 		goto nla_put_failure;
14892 
14893 	local_func_attr = nla_nest_start_noflag(msg,
14894 						NL80211_NAN_MATCH_FUNC_LOCAL);
14895 	if (!local_func_attr)
14896 		goto nla_put_failure;
14897 
14898 	if (nla_put_u8(msg, NL80211_NAN_FUNC_INSTANCE_ID, match->inst_id))
14899 		goto nla_put_failure;
14900 
14901 	nla_nest_end(msg, local_func_attr);
14902 
14903 	peer_func_attr = nla_nest_start_noflag(msg,
14904 					       NL80211_NAN_MATCH_FUNC_PEER);
14905 	if (!peer_func_attr)
14906 		goto nla_put_failure;
14907 
14908 	if (nla_put_u8(msg, NL80211_NAN_FUNC_TYPE, match->type) ||
14909 	    nla_put_u8(msg, NL80211_NAN_FUNC_INSTANCE_ID, match->peer_inst_id))
14910 		goto nla_put_failure;
14911 
14912 	if (match->info && match->info_len &&
14913 	    nla_put(msg, NL80211_NAN_FUNC_SERVICE_INFO, match->info_len,
14914 		    match->info))
14915 		goto nla_put_failure;
14916 
14917 	nla_nest_end(msg, peer_func_attr);
14918 	nla_nest_end(msg, match_attr);
14919 	genlmsg_end(msg, hdr);
14920 
14921 	if (!wdev->owner_nlportid)
14922 		genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy),
14923 					msg, 0, NL80211_MCGRP_NAN, gfp);
14924 	else
14925 		genlmsg_unicast(wiphy_net(&rdev->wiphy), msg,
14926 				wdev->owner_nlportid);
14927 
14928 	return;
14929 
14930 nla_put_failure:
14931 	nlmsg_free(msg);
14932 }
14933 EXPORT_SYMBOL(cfg80211_nan_match);
14934 
14935 void cfg80211_nan_func_terminated(struct wireless_dev *wdev,
14936 				  u8 inst_id,
14937 				  enum nl80211_nan_func_term_reason reason,
14938 				  u64 cookie, gfp_t gfp)
14939 {
14940 	struct wiphy *wiphy = wdev->wiphy;
14941 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
14942 	struct sk_buff *msg;
14943 	struct nlattr *func_attr;
14944 	void *hdr;
14945 
14946 	if (WARN_ON(!inst_id))
14947 		return;
14948 
14949 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
14950 	if (!msg)
14951 		return;
14952 
14953 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_DEL_NAN_FUNCTION);
14954 	if (!hdr) {
14955 		nlmsg_free(msg);
14956 		return;
14957 	}
14958 
14959 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
14960 	    (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
14961 					 wdev->netdev->ifindex)) ||
14962 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
14963 			      NL80211_ATTR_PAD))
14964 		goto nla_put_failure;
14965 
14966 	if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
14967 			      NL80211_ATTR_PAD))
14968 		goto nla_put_failure;
14969 
14970 	func_attr = nla_nest_start_noflag(msg, NL80211_ATTR_NAN_FUNC);
14971 	if (!func_attr)
14972 		goto nla_put_failure;
14973 
14974 	if (nla_put_u8(msg, NL80211_NAN_FUNC_INSTANCE_ID, inst_id) ||
14975 	    nla_put_u8(msg, NL80211_NAN_FUNC_TERM_REASON, reason))
14976 		goto nla_put_failure;
14977 
14978 	nla_nest_end(msg, func_attr);
14979 	genlmsg_end(msg, hdr);
14980 
14981 	if (!wdev->owner_nlportid)
14982 		genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy),
14983 					msg, 0, NL80211_MCGRP_NAN, gfp);
14984 	else
14985 		genlmsg_unicast(wiphy_net(&rdev->wiphy), msg,
14986 				wdev->owner_nlportid);
14987 
14988 	return;
14989 
14990 nla_put_failure:
14991 	nlmsg_free(msg);
14992 }
14993 EXPORT_SYMBOL(cfg80211_nan_func_terminated);
14994 
14995 static int nl80211_get_protocol_features(struct sk_buff *skb,
14996 					 struct genl_info *info)
14997 {
14998 	void *hdr;
14999 	struct sk_buff *msg;
15000 
15001 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
15002 	if (!msg)
15003 		return -ENOMEM;
15004 
15005 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
15006 			     NL80211_CMD_GET_PROTOCOL_FEATURES);
15007 	if (!hdr)
15008 		goto nla_put_failure;
15009 
15010 	if (nla_put_u32(msg, NL80211_ATTR_PROTOCOL_FEATURES,
15011 			NL80211_PROTOCOL_FEATURE_SPLIT_WIPHY_DUMP))
15012 		goto nla_put_failure;
15013 
15014 	genlmsg_end(msg, hdr);
15015 	return genlmsg_reply(msg, info);
15016 
15017  nla_put_failure:
15018 	kfree_skb(msg);
15019 	return -ENOBUFS;
15020 }
15021 
15022 static int nl80211_update_ft_ies(struct sk_buff *skb, struct genl_info *info)
15023 {
15024 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15025 	struct cfg80211_update_ft_ies_params ft_params;
15026 	struct net_device *dev = info->user_ptr[1];
15027 
15028 	if (!rdev->ops->update_ft_ies)
15029 		return -EOPNOTSUPP;
15030 
15031 	if (!info->attrs[NL80211_ATTR_MDID] ||
15032 	    !info->attrs[NL80211_ATTR_IE])
15033 		return -EINVAL;
15034 
15035 	memset(&ft_params, 0, sizeof(ft_params));
15036 	ft_params.md = nla_get_u16(info->attrs[NL80211_ATTR_MDID]);
15037 	ft_params.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
15038 	ft_params.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
15039 
15040 	return rdev_update_ft_ies(rdev, dev, &ft_params);
15041 }
15042 
15043 static int nl80211_crit_protocol_start(struct sk_buff *skb,
15044 				       struct genl_info *info)
15045 {
15046 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15047 	struct wireless_dev *wdev = info->user_ptr[1];
15048 	enum nl80211_crit_proto_id proto = NL80211_CRIT_PROTO_UNSPEC;
15049 	u16 duration;
15050 	int ret;
15051 
15052 	if (!rdev->ops->crit_proto_start)
15053 		return -EOPNOTSUPP;
15054 
15055 	if (WARN_ON(!rdev->ops->crit_proto_stop))
15056 		return -EINVAL;
15057 
15058 	if (rdev->crit_proto_nlportid)
15059 		return -EBUSY;
15060 
15061 	/* determine protocol if provided */
15062 	if (info->attrs[NL80211_ATTR_CRIT_PROT_ID])
15063 		proto = nla_get_u16(info->attrs[NL80211_ATTR_CRIT_PROT_ID]);
15064 
15065 	if (proto >= NUM_NL80211_CRIT_PROTO)
15066 		return -EINVAL;
15067 
15068 	/* timeout must be provided */
15069 	if (!info->attrs[NL80211_ATTR_MAX_CRIT_PROT_DURATION])
15070 		return -EINVAL;
15071 
15072 	duration =
15073 		nla_get_u16(info->attrs[NL80211_ATTR_MAX_CRIT_PROT_DURATION]);
15074 
15075 	ret = rdev_crit_proto_start(rdev, wdev, proto, duration);
15076 	if (!ret)
15077 		rdev->crit_proto_nlportid = info->snd_portid;
15078 
15079 	return ret;
15080 }
15081 
15082 static int nl80211_crit_protocol_stop(struct sk_buff *skb,
15083 				      struct genl_info *info)
15084 {
15085 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15086 	struct wireless_dev *wdev = info->user_ptr[1];
15087 
15088 	if (!rdev->ops->crit_proto_stop)
15089 		return -EOPNOTSUPP;
15090 
15091 	if (rdev->crit_proto_nlportid) {
15092 		rdev->crit_proto_nlportid = 0;
15093 		rdev_crit_proto_stop(rdev, wdev);
15094 	}
15095 	return 0;
15096 }
15097 
15098 static int nl80211_vendor_check_policy(const struct wiphy_vendor_command *vcmd,
15099 				       struct nlattr *attr,
15100 				       struct netlink_ext_ack *extack)
15101 {
15102 	if (vcmd->policy == VENDOR_CMD_RAW_DATA) {
15103 		if (attr->nla_type & NLA_F_NESTED) {
15104 			NL_SET_ERR_MSG_ATTR(extack, attr,
15105 					    "unexpected nested data");
15106 			return -EINVAL;
15107 		}
15108 
15109 		return 0;
15110 	}
15111 
15112 	if (!(attr->nla_type & NLA_F_NESTED)) {
15113 		NL_SET_ERR_MSG_ATTR(extack, attr, "expected nested data");
15114 		return -EINVAL;
15115 	}
15116 
15117 	return nla_validate_nested(attr, vcmd->maxattr, vcmd->policy, extack);
15118 }
15119 
15120 static int nl80211_vendor_cmd(struct sk_buff *skb, struct genl_info *info)
15121 {
15122 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15123 	struct wireless_dev *wdev =
15124 		__cfg80211_wdev_from_attrs(rdev, genl_info_net(info),
15125 					   info->attrs);
15126 	int i, err;
15127 	u32 vid, subcmd;
15128 
15129 	if (!rdev->wiphy.vendor_commands)
15130 		return -EOPNOTSUPP;
15131 
15132 	if (IS_ERR(wdev)) {
15133 		err = PTR_ERR(wdev);
15134 		if (err != -EINVAL)
15135 			return err;
15136 		wdev = NULL;
15137 	} else if (wdev->wiphy != &rdev->wiphy) {
15138 		return -EINVAL;
15139 	}
15140 
15141 	if (!info->attrs[NL80211_ATTR_VENDOR_ID] ||
15142 	    !info->attrs[NL80211_ATTR_VENDOR_SUBCMD])
15143 		return -EINVAL;
15144 
15145 	vid = nla_get_u32(info->attrs[NL80211_ATTR_VENDOR_ID]);
15146 	subcmd = nla_get_u32(info->attrs[NL80211_ATTR_VENDOR_SUBCMD]);
15147 	for (i = 0; i < rdev->wiphy.n_vendor_commands; i++) {
15148 		const struct wiphy_vendor_command *vcmd;
15149 		void *data = NULL;
15150 		int len = 0;
15151 
15152 		vcmd = &rdev->wiphy.vendor_commands[i];
15153 
15154 		if (vcmd->info.vendor_id != vid || vcmd->info.subcmd != subcmd)
15155 			continue;
15156 
15157 		if (vcmd->flags & (WIPHY_VENDOR_CMD_NEED_WDEV |
15158 				   WIPHY_VENDOR_CMD_NEED_NETDEV)) {
15159 			if (!wdev)
15160 				return -EINVAL;
15161 			if (vcmd->flags & WIPHY_VENDOR_CMD_NEED_NETDEV &&
15162 			    !wdev->netdev)
15163 				return -EINVAL;
15164 
15165 			if (vcmd->flags & WIPHY_VENDOR_CMD_NEED_RUNNING) {
15166 				if (!wdev_running(wdev))
15167 					return -ENETDOWN;
15168 			}
15169 		} else {
15170 			wdev = NULL;
15171 		}
15172 
15173 		if (!vcmd->doit)
15174 			return -EOPNOTSUPP;
15175 
15176 		if (info->attrs[NL80211_ATTR_VENDOR_DATA]) {
15177 			data = nla_data(info->attrs[NL80211_ATTR_VENDOR_DATA]);
15178 			len = nla_len(info->attrs[NL80211_ATTR_VENDOR_DATA]);
15179 
15180 			err = nl80211_vendor_check_policy(vcmd,
15181 					info->attrs[NL80211_ATTR_VENDOR_DATA],
15182 					info->extack);
15183 			if (err)
15184 				return err;
15185 		}
15186 
15187 		rdev->cur_cmd_info = info;
15188 		err = vcmd->doit(&rdev->wiphy, wdev, data, len);
15189 		rdev->cur_cmd_info = NULL;
15190 		return err;
15191 	}
15192 
15193 	return -EOPNOTSUPP;
15194 }
15195 
15196 static int nl80211_prepare_vendor_dump(struct sk_buff *skb,
15197 				       struct netlink_callback *cb,
15198 				       struct cfg80211_registered_device **rdev,
15199 				       struct wireless_dev **wdev)
15200 {
15201 	struct nlattr **attrbuf;
15202 	u32 vid, subcmd;
15203 	unsigned int i;
15204 	int vcmd_idx = -1;
15205 	int err;
15206 	void *data = NULL;
15207 	unsigned int data_len = 0;
15208 
15209 	if (cb->args[0]) {
15210 		/* subtract the 1 again here */
15211 		struct wiphy *wiphy = wiphy_idx_to_wiphy(cb->args[0] - 1);
15212 		struct wireless_dev *tmp;
15213 
15214 		if (!wiphy)
15215 			return -ENODEV;
15216 		*rdev = wiphy_to_rdev(wiphy);
15217 		*wdev = NULL;
15218 
15219 		if (cb->args[1]) {
15220 			list_for_each_entry(tmp, &wiphy->wdev_list, list) {
15221 				if (tmp->identifier == cb->args[1] - 1) {
15222 					*wdev = tmp;
15223 					break;
15224 				}
15225 			}
15226 		}
15227 
15228 		/* keep rtnl locked in successful case */
15229 		return 0;
15230 	}
15231 
15232 	attrbuf = kcalloc(NUM_NL80211_ATTR, sizeof(*attrbuf), GFP_KERNEL);
15233 	if (!attrbuf)
15234 		return -ENOMEM;
15235 
15236 	err = nlmsg_parse_deprecated(cb->nlh,
15237 				     GENL_HDRLEN + nl80211_fam.hdrsize,
15238 				     attrbuf, nl80211_fam.maxattr,
15239 				     nl80211_policy, NULL);
15240 	if (err)
15241 		goto out;
15242 
15243 	if (!attrbuf[NL80211_ATTR_VENDOR_ID] ||
15244 	    !attrbuf[NL80211_ATTR_VENDOR_SUBCMD]) {
15245 		err = -EINVAL;
15246 		goto out;
15247 	}
15248 
15249 	*wdev = __cfg80211_wdev_from_attrs(NULL, sock_net(skb->sk), attrbuf);
15250 	if (IS_ERR(*wdev))
15251 		*wdev = NULL;
15252 
15253 	*rdev = __cfg80211_rdev_from_attrs(sock_net(skb->sk), attrbuf);
15254 	if (IS_ERR(*rdev)) {
15255 		err = PTR_ERR(*rdev);
15256 		goto out;
15257 	}
15258 
15259 	vid = nla_get_u32(attrbuf[NL80211_ATTR_VENDOR_ID]);
15260 	subcmd = nla_get_u32(attrbuf[NL80211_ATTR_VENDOR_SUBCMD]);
15261 
15262 	for (i = 0; i < (*rdev)->wiphy.n_vendor_commands; i++) {
15263 		const struct wiphy_vendor_command *vcmd;
15264 
15265 		vcmd = &(*rdev)->wiphy.vendor_commands[i];
15266 
15267 		if (vcmd->info.vendor_id != vid || vcmd->info.subcmd != subcmd)
15268 			continue;
15269 
15270 		if (!vcmd->dumpit) {
15271 			err = -EOPNOTSUPP;
15272 			goto out;
15273 		}
15274 
15275 		vcmd_idx = i;
15276 		break;
15277 	}
15278 
15279 	if (vcmd_idx < 0) {
15280 		err = -EOPNOTSUPP;
15281 		goto out;
15282 	}
15283 
15284 	if (attrbuf[NL80211_ATTR_VENDOR_DATA]) {
15285 		data = nla_data(attrbuf[NL80211_ATTR_VENDOR_DATA]);
15286 		data_len = nla_len(attrbuf[NL80211_ATTR_VENDOR_DATA]);
15287 
15288 		err = nl80211_vendor_check_policy(
15289 				&(*rdev)->wiphy.vendor_commands[vcmd_idx],
15290 				attrbuf[NL80211_ATTR_VENDOR_DATA],
15291 				cb->extack);
15292 		if (err)
15293 			goto out;
15294 	}
15295 
15296 	/* 0 is the first index - add 1 to parse only once */
15297 	cb->args[0] = (*rdev)->wiphy_idx + 1;
15298 	/* add 1 to know if it was NULL */
15299 	cb->args[1] = *wdev ? (*wdev)->identifier + 1 : 0;
15300 	cb->args[2] = vcmd_idx;
15301 	cb->args[3] = (unsigned long)data;
15302 	cb->args[4] = data_len;
15303 
15304 	/* keep rtnl locked in successful case */
15305 	err = 0;
15306 out:
15307 	kfree(attrbuf);
15308 	return err;
15309 }
15310 
15311 static int nl80211_vendor_cmd_dump(struct sk_buff *skb,
15312 				   struct netlink_callback *cb)
15313 {
15314 	struct cfg80211_registered_device *rdev;
15315 	struct wireless_dev *wdev;
15316 	unsigned int vcmd_idx;
15317 	const struct wiphy_vendor_command *vcmd;
15318 	void *data;
15319 	int data_len;
15320 	int err;
15321 	struct nlattr *vendor_data;
15322 
15323 	rtnl_lock();
15324 	err = nl80211_prepare_vendor_dump(skb, cb, &rdev, &wdev);
15325 	if (err)
15326 		goto out;
15327 
15328 	vcmd_idx = cb->args[2];
15329 	data = (void *)cb->args[3];
15330 	data_len = cb->args[4];
15331 	vcmd = &rdev->wiphy.vendor_commands[vcmd_idx];
15332 
15333 	if (vcmd->flags & (WIPHY_VENDOR_CMD_NEED_WDEV |
15334 			   WIPHY_VENDOR_CMD_NEED_NETDEV)) {
15335 		if (!wdev) {
15336 			err = -EINVAL;
15337 			goto out;
15338 		}
15339 		if (vcmd->flags & WIPHY_VENDOR_CMD_NEED_NETDEV &&
15340 		    !wdev->netdev) {
15341 			err = -EINVAL;
15342 			goto out;
15343 		}
15344 
15345 		if (vcmd->flags & WIPHY_VENDOR_CMD_NEED_RUNNING) {
15346 			if (!wdev_running(wdev)) {
15347 				err = -ENETDOWN;
15348 				goto out;
15349 			}
15350 		}
15351 	}
15352 
15353 	while (1) {
15354 		void *hdr = nl80211hdr_put(skb, NETLINK_CB(cb->skb).portid,
15355 					   cb->nlh->nlmsg_seq, NLM_F_MULTI,
15356 					   NL80211_CMD_VENDOR);
15357 		if (!hdr)
15358 			break;
15359 
15360 		if (nla_put_u32(skb, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
15361 		    (wdev && nla_put_u64_64bit(skb, NL80211_ATTR_WDEV,
15362 					       wdev_id(wdev),
15363 					       NL80211_ATTR_PAD))) {
15364 			genlmsg_cancel(skb, hdr);
15365 			break;
15366 		}
15367 
15368 		vendor_data = nla_nest_start_noflag(skb,
15369 						    NL80211_ATTR_VENDOR_DATA);
15370 		if (!vendor_data) {
15371 			genlmsg_cancel(skb, hdr);
15372 			break;
15373 		}
15374 
15375 		err = vcmd->dumpit(&rdev->wiphy, wdev, skb, data, data_len,
15376 				   (unsigned long *)&cb->args[5]);
15377 		nla_nest_end(skb, vendor_data);
15378 
15379 		if (err == -ENOBUFS || err == -ENOENT) {
15380 			genlmsg_cancel(skb, hdr);
15381 			break;
15382 		} else if (err <= 0) {
15383 			genlmsg_cancel(skb, hdr);
15384 			goto out;
15385 		}
15386 
15387 		genlmsg_end(skb, hdr);
15388 	}
15389 
15390 	err = skb->len;
15391  out:
15392 	rtnl_unlock();
15393 	return err;
15394 }
15395 
15396 struct sk_buff *__cfg80211_alloc_reply_skb(struct wiphy *wiphy,
15397 					   enum nl80211_commands cmd,
15398 					   enum nl80211_attrs attr,
15399 					   int approxlen)
15400 {
15401 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
15402 
15403 	if (WARN_ON(!rdev->cur_cmd_info))
15404 		return NULL;
15405 
15406 	return __cfg80211_alloc_vendor_skb(rdev, NULL, approxlen,
15407 					   rdev->cur_cmd_info->snd_portid,
15408 					   rdev->cur_cmd_info->snd_seq,
15409 					   cmd, attr, NULL, GFP_KERNEL);
15410 }
15411 EXPORT_SYMBOL(__cfg80211_alloc_reply_skb);
15412 
15413 int cfg80211_vendor_cmd_reply(struct sk_buff *skb)
15414 {
15415 	struct cfg80211_registered_device *rdev = ((void **)skb->cb)[0];
15416 	void *hdr = ((void **)skb->cb)[1];
15417 	struct nlattr *data = ((void **)skb->cb)[2];
15418 
15419 	/* clear CB data for netlink core to own from now on */
15420 	memset(skb->cb, 0, sizeof(skb->cb));
15421 
15422 	if (WARN_ON(!rdev->cur_cmd_info)) {
15423 		kfree_skb(skb);
15424 		return -EINVAL;
15425 	}
15426 
15427 	nla_nest_end(skb, data);
15428 	genlmsg_end(skb, hdr);
15429 	return genlmsg_reply(skb, rdev->cur_cmd_info);
15430 }
15431 EXPORT_SYMBOL_GPL(cfg80211_vendor_cmd_reply);
15432 
15433 unsigned int cfg80211_vendor_cmd_get_sender(struct wiphy *wiphy)
15434 {
15435 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
15436 
15437 	if (WARN_ON(!rdev->cur_cmd_info))
15438 		return 0;
15439 
15440 	return rdev->cur_cmd_info->snd_portid;
15441 }
15442 EXPORT_SYMBOL_GPL(cfg80211_vendor_cmd_get_sender);
15443 
15444 static int nl80211_set_qos_map(struct sk_buff *skb,
15445 			       struct genl_info *info)
15446 {
15447 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15448 	struct cfg80211_qos_map *qos_map = NULL;
15449 	struct net_device *dev = info->user_ptr[1];
15450 	u8 *pos, len, num_des, des_len, des;
15451 	int ret;
15452 
15453 	if (!rdev->ops->set_qos_map)
15454 		return -EOPNOTSUPP;
15455 
15456 	if (info->attrs[NL80211_ATTR_QOS_MAP]) {
15457 		pos = nla_data(info->attrs[NL80211_ATTR_QOS_MAP]);
15458 		len = nla_len(info->attrs[NL80211_ATTR_QOS_MAP]);
15459 
15460 		if (len % 2)
15461 			return -EINVAL;
15462 
15463 		qos_map = kzalloc(sizeof(struct cfg80211_qos_map), GFP_KERNEL);
15464 		if (!qos_map)
15465 			return -ENOMEM;
15466 
15467 		num_des = (len - IEEE80211_QOS_MAP_LEN_MIN) >> 1;
15468 		if (num_des) {
15469 			des_len = num_des *
15470 				sizeof(struct cfg80211_dscp_exception);
15471 			memcpy(qos_map->dscp_exception, pos, des_len);
15472 			qos_map->num_des = num_des;
15473 			for (des = 0; des < num_des; des++) {
15474 				if (qos_map->dscp_exception[des].up > 7) {
15475 					kfree(qos_map);
15476 					return -EINVAL;
15477 				}
15478 			}
15479 			pos += des_len;
15480 		}
15481 		memcpy(qos_map->up, pos, IEEE80211_QOS_MAP_LEN_MIN);
15482 	}
15483 
15484 	ret = nl80211_key_allowed(dev->ieee80211_ptr);
15485 	if (!ret)
15486 		ret = rdev_set_qos_map(rdev, dev, qos_map);
15487 
15488 	kfree(qos_map);
15489 	return ret;
15490 }
15491 
15492 static int nl80211_add_tx_ts(struct sk_buff *skb, struct genl_info *info)
15493 {
15494 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15495 	struct net_device *dev = info->user_ptr[1];
15496 	struct wireless_dev *wdev = dev->ieee80211_ptr;
15497 	const u8 *peer;
15498 	u8 tsid, up;
15499 	u16 admitted_time = 0;
15500 
15501 	if (!(rdev->wiphy.features & NL80211_FEATURE_SUPPORTS_WMM_ADMISSION))
15502 		return -EOPNOTSUPP;
15503 
15504 	if (!info->attrs[NL80211_ATTR_TSID] || !info->attrs[NL80211_ATTR_MAC] ||
15505 	    !info->attrs[NL80211_ATTR_USER_PRIO])
15506 		return -EINVAL;
15507 
15508 	tsid = nla_get_u8(info->attrs[NL80211_ATTR_TSID]);
15509 	up = nla_get_u8(info->attrs[NL80211_ATTR_USER_PRIO]);
15510 
15511 	/* WMM uses TIDs 0-7 even for TSPEC */
15512 	if (tsid >= IEEE80211_FIRST_TSPEC_TSID) {
15513 		/* TODO: handle 802.11 TSPEC/admission control
15514 		 * need more attributes for that (e.g. BA session requirement);
15515 		 * change the WMM admission test above to allow both then
15516 		 */
15517 		return -EINVAL;
15518 	}
15519 
15520 	peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
15521 
15522 	if (info->attrs[NL80211_ATTR_ADMITTED_TIME]) {
15523 		admitted_time =
15524 			nla_get_u16(info->attrs[NL80211_ATTR_ADMITTED_TIME]);
15525 		if (!admitted_time)
15526 			return -EINVAL;
15527 	}
15528 
15529 	switch (wdev->iftype) {
15530 	case NL80211_IFTYPE_STATION:
15531 	case NL80211_IFTYPE_P2P_CLIENT:
15532 		if (wdev->connected)
15533 			break;
15534 		return -ENOTCONN;
15535 	default:
15536 		return -EOPNOTSUPP;
15537 	}
15538 
15539 	return rdev_add_tx_ts(rdev, dev, tsid, peer, up, admitted_time);
15540 }
15541 
15542 static int nl80211_del_tx_ts(struct sk_buff *skb, struct genl_info *info)
15543 {
15544 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15545 	struct net_device *dev = info->user_ptr[1];
15546 	const u8 *peer;
15547 	u8 tsid;
15548 
15549 	if (!info->attrs[NL80211_ATTR_TSID] || !info->attrs[NL80211_ATTR_MAC])
15550 		return -EINVAL;
15551 
15552 	tsid = nla_get_u8(info->attrs[NL80211_ATTR_TSID]);
15553 	peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
15554 
15555 	return rdev_del_tx_ts(rdev, dev, tsid, peer);
15556 }
15557 
15558 static int nl80211_tdls_channel_switch(struct sk_buff *skb,
15559 				       struct genl_info *info)
15560 {
15561 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15562 	struct net_device *dev = info->user_ptr[1];
15563 	struct wireless_dev *wdev = dev->ieee80211_ptr;
15564 	struct cfg80211_chan_def chandef = {};
15565 	const u8 *addr;
15566 	u8 oper_class;
15567 	int err;
15568 
15569 	if (!rdev->ops->tdls_channel_switch ||
15570 	    !(rdev->wiphy.features & NL80211_FEATURE_TDLS_CHANNEL_SWITCH))
15571 		return -EOPNOTSUPP;
15572 
15573 	switch (dev->ieee80211_ptr->iftype) {
15574 	case NL80211_IFTYPE_STATION:
15575 	case NL80211_IFTYPE_P2P_CLIENT:
15576 		break;
15577 	default:
15578 		return -EOPNOTSUPP;
15579 	}
15580 
15581 	if (!info->attrs[NL80211_ATTR_MAC] ||
15582 	    !info->attrs[NL80211_ATTR_OPER_CLASS])
15583 		return -EINVAL;
15584 
15585 	err = nl80211_parse_chandef(rdev, info, &chandef);
15586 	if (err)
15587 		return err;
15588 
15589 	/*
15590 	 * Don't allow wide channels on the 2.4Ghz band, as per IEEE802.11-2012
15591 	 * section 10.22.6.2.1. Disallow 5/10Mhz channels as well for now, the
15592 	 * specification is not defined for them.
15593 	 */
15594 	if (chandef.chan->band == NL80211_BAND_2GHZ &&
15595 	    chandef.width != NL80211_CHAN_WIDTH_20_NOHT &&
15596 	    chandef.width != NL80211_CHAN_WIDTH_20)
15597 		return -EINVAL;
15598 
15599 	/* we will be active on the TDLS link */
15600 	if (!cfg80211_reg_can_beacon_relax(&rdev->wiphy, &chandef,
15601 					   wdev->iftype))
15602 		return -EINVAL;
15603 
15604 	/* don't allow switching to DFS channels */
15605 	if (cfg80211_chandef_dfs_required(wdev->wiphy, &chandef, wdev->iftype))
15606 		return -EINVAL;
15607 
15608 	addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
15609 	oper_class = nla_get_u8(info->attrs[NL80211_ATTR_OPER_CLASS]);
15610 
15611 	return rdev_tdls_channel_switch(rdev, dev, addr, oper_class, &chandef);
15612 }
15613 
15614 static int nl80211_tdls_cancel_channel_switch(struct sk_buff *skb,
15615 					      struct genl_info *info)
15616 {
15617 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15618 	struct net_device *dev = info->user_ptr[1];
15619 	const u8 *addr;
15620 
15621 	if (!rdev->ops->tdls_channel_switch ||
15622 	    !rdev->ops->tdls_cancel_channel_switch ||
15623 	    !(rdev->wiphy.features & NL80211_FEATURE_TDLS_CHANNEL_SWITCH))
15624 		return -EOPNOTSUPP;
15625 
15626 	switch (dev->ieee80211_ptr->iftype) {
15627 	case NL80211_IFTYPE_STATION:
15628 	case NL80211_IFTYPE_P2P_CLIENT:
15629 		break;
15630 	default:
15631 		return -EOPNOTSUPP;
15632 	}
15633 
15634 	if (!info->attrs[NL80211_ATTR_MAC])
15635 		return -EINVAL;
15636 
15637 	addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
15638 
15639 	rdev_tdls_cancel_channel_switch(rdev, dev, addr);
15640 
15641 	return 0;
15642 }
15643 
15644 static int nl80211_set_multicast_to_unicast(struct sk_buff *skb,
15645 					    struct genl_info *info)
15646 {
15647 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15648 	struct net_device *dev = info->user_ptr[1];
15649 	struct wireless_dev *wdev = dev->ieee80211_ptr;
15650 	const struct nlattr *nla;
15651 	bool enabled;
15652 
15653 	if (!rdev->ops->set_multicast_to_unicast)
15654 		return -EOPNOTSUPP;
15655 
15656 	if (wdev->iftype != NL80211_IFTYPE_AP &&
15657 	    wdev->iftype != NL80211_IFTYPE_P2P_GO)
15658 		return -EOPNOTSUPP;
15659 
15660 	nla = info->attrs[NL80211_ATTR_MULTICAST_TO_UNICAST_ENABLED];
15661 	enabled = nla_get_flag(nla);
15662 
15663 	return rdev_set_multicast_to_unicast(rdev, dev, enabled);
15664 }
15665 
15666 static int nl80211_set_pmk(struct sk_buff *skb, struct genl_info *info)
15667 {
15668 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15669 	struct net_device *dev = info->user_ptr[1];
15670 	struct wireless_dev *wdev = dev->ieee80211_ptr;
15671 	struct cfg80211_pmk_conf pmk_conf = {};
15672 
15673 	if (wdev->iftype != NL80211_IFTYPE_STATION &&
15674 	    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT)
15675 		return -EOPNOTSUPP;
15676 
15677 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
15678 				     NL80211_EXT_FEATURE_4WAY_HANDSHAKE_STA_1X))
15679 		return -EOPNOTSUPP;
15680 
15681 	if (!info->attrs[NL80211_ATTR_MAC] || !info->attrs[NL80211_ATTR_PMK])
15682 		return -EINVAL;
15683 
15684 	if (!wdev->connected)
15685 		return -ENOTCONN;
15686 
15687 	pmk_conf.aa = nla_data(info->attrs[NL80211_ATTR_MAC]);
15688 	if (memcmp(pmk_conf.aa, wdev->u.client.connected_addr, ETH_ALEN))
15689 		return -EINVAL;
15690 
15691 	pmk_conf.pmk = nla_data(info->attrs[NL80211_ATTR_PMK]);
15692 	pmk_conf.pmk_len = nla_len(info->attrs[NL80211_ATTR_PMK]);
15693 	if (pmk_conf.pmk_len != WLAN_PMK_LEN &&
15694 	    pmk_conf.pmk_len != WLAN_PMK_LEN_SUITE_B_192)
15695 		return -EINVAL;
15696 
15697 	if (info->attrs[NL80211_ATTR_PMKR0_NAME])
15698 		pmk_conf.pmk_r0_name =
15699 			nla_data(info->attrs[NL80211_ATTR_PMKR0_NAME]);
15700 
15701 	return rdev_set_pmk(rdev, dev, &pmk_conf);
15702 }
15703 
15704 static int nl80211_del_pmk(struct sk_buff *skb, struct genl_info *info)
15705 {
15706 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15707 	struct net_device *dev = info->user_ptr[1];
15708 	struct wireless_dev *wdev = dev->ieee80211_ptr;
15709 	const u8 *aa;
15710 
15711 	if (wdev->iftype != NL80211_IFTYPE_STATION &&
15712 	    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT)
15713 		return -EOPNOTSUPP;
15714 
15715 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
15716 				     NL80211_EXT_FEATURE_4WAY_HANDSHAKE_STA_1X))
15717 		return -EOPNOTSUPP;
15718 
15719 	if (!info->attrs[NL80211_ATTR_MAC])
15720 		return -EINVAL;
15721 
15722 	aa = nla_data(info->attrs[NL80211_ATTR_MAC]);
15723 	return rdev_del_pmk(rdev, dev, aa);
15724 }
15725 
15726 static int nl80211_external_auth(struct sk_buff *skb, struct genl_info *info)
15727 {
15728 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15729 	struct net_device *dev = info->user_ptr[1];
15730 	struct cfg80211_external_auth_params params;
15731 
15732 	if (!rdev->ops->external_auth)
15733 		return -EOPNOTSUPP;
15734 
15735 	if (!info->attrs[NL80211_ATTR_SSID] &&
15736 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
15737 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
15738 		return -EINVAL;
15739 
15740 	if (!info->attrs[NL80211_ATTR_BSSID])
15741 		return -EINVAL;
15742 
15743 	if (!info->attrs[NL80211_ATTR_STATUS_CODE])
15744 		return -EINVAL;
15745 
15746 	memset(&params, 0, sizeof(params));
15747 
15748 	if (info->attrs[NL80211_ATTR_SSID]) {
15749 		params.ssid.ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
15750 		if (params.ssid.ssid_len == 0)
15751 			return -EINVAL;
15752 		memcpy(params.ssid.ssid,
15753 		       nla_data(info->attrs[NL80211_ATTR_SSID]),
15754 		       params.ssid.ssid_len);
15755 	}
15756 
15757 	memcpy(params.bssid, nla_data(info->attrs[NL80211_ATTR_BSSID]),
15758 	       ETH_ALEN);
15759 
15760 	params.status = nla_get_u16(info->attrs[NL80211_ATTR_STATUS_CODE]);
15761 
15762 	if (info->attrs[NL80211_ATTR_PMKID])
15763 		params.pmkid = nla_data(info->attrs[NL80211_ATTR_PMKID]);
15764 
15765 	return rdev_external_auth(rdev, dev, &params);
15766 }
15767 
15768 static int nl80211_tx_control_port(struct sk_buff *skb, struct genl_info *info)
15769 {
15770 	bool dont_wait_for_ack = info->attrs[NL80211_ATTR_DONT_WAIT_FOR_ACK];
15771 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15772 	struct net_device *dev = info->user_ptr[1];
15773 	struct wireless_dev *wdev = dev->ieee80211_ptr;
15774 	const u8 *buf;
15775 	size_t len;
15776 	u8 *dest;
15777 	u16 proto;
15778 	bool noencrypt;
15779 	u64 cookie = 0;
15780 	int link_id;
15781 	int err;
15782 
15783 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
15784 				     NL80211_EXT_FEATURE_CONTROL_PORT_OVER_NL80211))
15785 		return -EOPNOTSUPP;
15786 
15787 	if (!rdev->ops->tx_control_port)
15788 		return -EOPNOTSUPP;
15789 
15790 	if (!info->attrs[NL80211_ATTR_FRAME] ||
15791 	    !info->attrs[NL80211_ATTR_MAC] ||
15792 	    !info->attrs[NL80211_ATTR_CONTROL_PORT_ETHERTYPE]) {
15793 		GENL_SET_ERR_MSG(info, "Frame, MAC or ethertype missing");
15794 		return -EINVAL;
15795 	}
15796 
15797 	switch (wdev->iftype) {
15798 	case NL80211_IFTYPE_AP:
15799 	case NL80211_IFTYPE_P2P_GO:
15800 	case NL80211_IFTYPE_MESH_POINT:
15801 		break;
15802 	case NL80211_IFTYPE_ADHOC:
15803 		if (wdev->u.ibss.current_bss)
15804 			break;
15805 		return -ENOTCONN;
15806 	case NL80211_IFTYPE_STATION:
15807 	case NL80211_IFTYPE_P2P_CLIENT:
15808 		if (wdev->connected)
15809 			break;
15810 		return -ENOTCONN;
15811 	default:
15812 		return -EOPNOTSUPP;
15813 	}
15814 
15815 	buf = nla_data(info->attrs[NL80211_ATTR_FRAME]);
15816 	len = nla_len(info->attrs[NL80211_ATTR_FRAME]);
15817 	dest = nla_data(info->attrs[NL80211_ATTR_MAC]);
15818 	proto = nla_get_u16(info->attrs[NL80211_ATTR_CONTROL_PORT_ETHERTYPE]);
15819 	noencrypt =
15820 		nla_get_flag(info->attrs[NL80211_ATTR_CONTROL_PORT_NO_ENCRYPT]);
15821 
15822 	link_id = nl80211_link_id_or_invalid(info->attrs);
15823 
15824 	err = rdev_tx_control_port(rdev, dev, buf, len,
15825 				   dest, cpu_to_be16(proto), noencrypt, link_id,
15826 				   dont_wait_for_ack ? NULL : &cookie);
15827 	if (!err && !dont_wait_for_ack)
15828 		nl_set_extack_cookie_u64(info->extack, cookie);
15829 	return err;
15830 }
15831 
15832 static int nl80211_get_ftm_responder_stats(struct sk_buff *skb,
15833 					   struct genl_info *info)
15834 {
15835 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15836 	struct net_device *dev = info->user_ptr[1];
15837 	struct wireless_dev *wdev = dev->ieee80211_ptr;
15838 	struct cfg80211_ftm_responder_stats ftm_stats = {};
15839 	unsigned int link_id = nl80211_link_id(info->attrs);
15840 	struct sk_buff *msg;
15841 	void *hdr;
15842 	struct nlattr *ftm_stats_attr;
15843 	int err;
15844 
15845 	if (wdev->iftype != NL80211_IFTYPE_AP ||
15846 	    !wdev->links[link_id].ap.beacon_interval)
15847 		return -EOPNOTSUPP;
15848 
15849 	err = rdev_get_ftm_responder_stats(rdev, dev, &ftm_stats);
15850 	if (err)
15851 		return err;
15852 
15853 	if (!ftm_stats.filled)
15854 		return -ENODATA;
15855 
15856 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
15857 	if (!msg)
15858 		return -ENOMEM;
15859 
15860 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
15861 			     NL80211_CMD_GET_FTM_RESPONDER_STATS);
15862 	if (!hdr)
15863 		goto nla_put_failure;
15864 
15865 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
15866 		goto nla_put_failure;
15867 
15868 	ftm_stats_attr = nla_nest_start_noflag(msg,
15869 					       NL80211_ATTR_FTM_RESPONDER_STATS);
15870 	if (!ftm_stats_attr)
15871 		goto nla_put_failure;
15872 
15873 #define SET_FTM(field, name, type)					 \
15874 	do { if ((ftm_stats.filled & BIT(NL80211_FTM_STATS_ ## name)) && \
15875 	    nla_put_ ## type(msg, NL80211_FTM_STATS_ ## name,		 \
15876 			     ftm_stats.field))				 \
15877 		goto nla_put_failure; } while (0)
15878 #define SET_FTM_U64(field, name)					 \
15879 	do { if ((ftm_stats.filled & BIT(NL80211_FTM_STATS_ ## name)) && \
15880 	    nla_put_u64_64bit(msg, NL80211_FTM_STATS_ ## name,		 \
15881 			      ftm_stats.field, NL80211_FTM_STATS_PAD))	 \
15882 		goto nla_put_failure; } while (0)
15883 
15884 	SET_FTM(success_num, SUCCESS_NUM, u32);
15885 	SET_FTM(partial_num, PARTIAL_NUM, u32);
15886 	SET_FTM(failed_num, FAILED_NUM, u32);
15887 	SET_FTM(asap_num, ASAP_NUM, u32);
15888 	SET_FTM(non_asap_num, NON_ASAP_NUM, u32);
15889 	SET_FTM_U64(total_duration_ms, TOTAL_DURATION_MSEC);
15890 	SET_FTM(unknown_triggers_num, UNKNOWN_TRIGGERS_NUM, u32);
15891 	SET_FTM(reschedule_requests_num, RESCHEDULE_REQUESTS_NUM, u32);
15892 	SET_FTM(out_of_window_triggers_num, OUT_OF_WINDOW_TRIGGERS_NUM, u32);
15893 #undef SET_FTM
15894 
15895 	nla_nest_end(msg, ftm_stats_attr);
15896 
15897 	genlmsg_end(msg, hdr);
15898 	return genlmsg_reply(msg, info);
15899 
15900 nla_put_failure:
15901 	nlmsg_free(msg);
15902 	return -ENOBUFS;
15903 }
15904 
15905 static int nl80211_update_owe_info(struct sk_buff *skb, struct genl_info *info)
15906 {
15907 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15908 	struct cfg80211_update_owe_info owe_info;
15909 	struct net_device *dev = info->user_ptr[1];
15910 
15911 	if (!rdev->ops->update_owe_info)
15912 		return -EOPNOTSUPP;
15913 
15914 	if (!info->attrs[NL80211_ATTR_STATUS_CODE] ||
15915 	    !info->attrs[NL80211_ATTR_MAC])
15916 		return -EINVAL;
15917 
15918 	memset(&owe_info, 0, sizeof(owe_info));
15919 	owe_info.status = nla_get_u16(info->attrs[NL80211_ATTR_STATUS_CODE]);
15920 	nla_memcpy(owe_info.peer, info->attrs[NL80211_ATTR_MAC], ETH_ALEN);
15921 
15922 	if (info->attrs[NL80211_ATTR_IE]) {
15923 		owe_info.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
15924 		owe_info.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
15925 	}
15926 
15927 	return rdev_update_owe_info(rdev, dev, &owe_info);
15928 }
15929 
15930 static int nl80211_probe_mesh_link(struct sk_buff *skb, struct genl_info *info)
15931 {
15932 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15933 	struct net_device *dev = info->user_ptr[1];
15934 	struct wireless_dev *wdev = dev->ieee80211_ptr;
15935 	struct station_info sinfo = {};
15936 	const u8 *buf;
15937 	size_t len;
15938 	u8 *dest;
15939 	int err;
15940 
15941 	if (!rdev->ops->probe_mesh_link || !rdev->ops->get_station)
15942 		return -EOPNOTSUPP;
15943 
15944 	if (!info->attrs[NL80211_ATTR_MAC] ||
15945 	    !info->attrs[NL80211_ATTR_FRAME]) {
15946 		GENL_SET_ERR_MSG(info, "Frame or MAC missing");
15947 		return -EINVAL;
15948 	}
15949 
15950 	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT)
15951 		return -EOPNOTSUPP;
15952 
15953 	dest = nla_data(info->attrs[NL80211_ATTR_MAC]);
15954 	buf = nla_data(info->attrs[NL80211_ATTR_FRAME]);
15955 	len = nla_len(info->attrs[NL80211_ATTR_FRAME]);
15956 
15957 	if (len < sizeof(struct ethhdr))
15958 		return -EINVAL;
15959 
15960 	if (!ether_addr_equal(buf, dest) || is_multicast_ether_addr(buf) ||
15961 	    !ether_addr_equal(buf + ETH_ALEN, dev->dev_addr))
15962 		return -EINVAL;
15963 
15964 	err = rdev_get_station(rdev, dev, dest, &sinfo);
15965 	if (err)
15966 		return err;
15967 
15968 	cfg80211_sinfo_release_content(&sinfo);
15969 
15970 	return rdev_probe_mesh_link(rdev, dev, dest, buf, len);
15971 }
15972 
15973 static int parse_tid_conf(struct cfg80211_registered_device *rdev,
15974 			  struct nlattr *attrs[], struct net_device *dev,
15975 			  struct cfg80211_tid_cfg *tid_conf,
15976 			  struct genl_info *info, const u8 *peer,
15977 			  unsigned int link_id)
15978 {
15979 	struct netlink_ext_ack *extack = info->extack;
15980 	u64 mask;
15981 	int err;
15982 
15983 	if (!attrs[NL80211_TID_CONFIG_ATTR_TIDS])
15984 		return -EINVAL;
15985 
15986 	tid_conf->config_override =
15987 			nla_get_flag(attrs[NL80211_TID_CONFIG_ATTR_OVERRIDE]);
15988 	tid_conf->tids = nla_get_u16(attrs[NL80211_TID_CONFIG_ATTR_TIDS]);
15989 
15990 	if (tid_conf->config_override) {
15991 		if (rdev->ops->reset_tid_config) {
15992 			err = rdev_reset_tid_config(rdev, dev, peer,
15993 						    tid_conf->tids);
15994 			if (err)
15995 				return err;
15996 		} else {
15997 			return -EINVAL;
15998 		}
15999 	}
16000 
16001 	if (attrs[NL80211_TID_CONFIG_ATTR_NOACK]) {
16002 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_NOACK);
16003 		tid_conf->noack =
16004 			nla_get_u8(attrs[NL80211_TID_CONFIG_ATTR_NOACK]);
16005 	}
16006 
16007 	if (attrs[NL80211_TID_CONFIG_ATTR_RETRY_SHORT]) {
16008 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_RETRY_SHORT);
16009 		tid_conf->retry_short =
16010 			nla_get_u8(attrs[NL80211_TID_CONFIG_ATTR_RETRY_SHORT]);
16011 
16012 		if (tid_conf->retry_short > rdev->wiphy.max_data_retry_count)
16013 			return -EINVAL;
16014 	}
16015 
16016 	if (attrs[NL80211_TID_CONFIG_ATTR_RETRY_LONG]) {
16017 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_RETRY_LONG);
16018 		tid_conf->retry_long =
16019 			nla_get_u8(attrs[NL80211_TID_CONFIG_ATTR_RETRY_LONG]);
16020 
16021 		if (tid_conf->retry_long > rdev->wiphy.max_data_retry_count)
16022 			return -EINVAL;
16023 	}
16024 
16025 	if (attrs[NL80211_TID_CONFIG_ATTR_AMPDU_CTRL]) {
16026 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_AMPDU_CTRL);
16027 		tid_conf->ampdu =
16028 			nla_get_u8(attrs[NL80211_TID_CONFIG_ATTR_AMPDU_CTRL]);
16029 	}
16030 
16031 	if (attrs[NL80211_TID_CONFIG_ATTR_RTSCTS_CTRL]) {
16032 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_RTSCTS_CTRL);
16033 		tid_conf->rtscts =
16034 			nla_get_u8(attrs[NL80211_TID_CONFIG_ATTR_RTSCTS_CTRL]);
16035 	}
16036 
16037 	if (attrs[NL80211_TID_CONFIG_ATTR_AMSDU_CTRL]) {
16038 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_AMSDU_CTRL);
16039 		tid_conf->amsdu =
16040 			nla_get_u8(attrs[NL80211_TID_CONFIG_ATTR_AMSDU_CTRL]);
16041 	}
16042 
16043 	if (attrs[NL80211_TID_CONFIG_ATTR_TX_RATE_TYPE]) {
16044 		u32 idx = NL80211_TID_CONFIG_ATTR_TX_RATE_TYPE, attr;
16045 
16046 		tid_conf->txrate_type = nla_get_u8(attrs[idx]);
16047 
16048 		if (tid_conf->txrate_type != NL80211_TX_RATE_AUTOMATIC) {
16049 			attr = NL80211_TID_CONFIG_ATTR_TX_RATE;
16050 			err = nl80211_parse_tx_bitrate_mask(info, attrs, attr,
16051 						    &tid_conf->txrate_mask, dev,
16052 						    true, link_id);
16053 			if (err)
16054 				return err;
16055 
16056 			tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_TX_RATE);
16057 		}
16058 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_TX_RATE_TYPE);
16059 	}
16060 
16061 	if (peer)
16062 		mask = rdev->wiphy.tid_config_support.peer;
16063 	else
16064 		mask = rdev->wiphy.tid_config_support.vif;
16065 
16066 	if (tid_conf->mask & ~mask) {
16067 		NL_SET_ERR_MSG(extack, "unsupported TID configuration");
16068 		return -EOPNOTSUPP;
16069 	}
16070 
16071 	return 0;
16072 }
16073 
16074 static int nl80211_set_tid_config(struct sk_buff *skb,
16075 				  struct genl_info *info)
16076 {
16077 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
16078 	struct nlattr *attrs[NL80211_TID_CONFIG_ATTR_MAX + 1];
16079 	unsigned int link_id = nl80211_link_id(info->attrs);
16080 	struct net_device *dev = info->user_ptr[1];
16081 	struct cfg80211_tid_config *tid_config;
16082 	struct nlattr *tid;
16083 	int conf_idx = 0, rem_conf;
16084 	int ret = -EINVAL;
16085 	u32 num_conf = 0;
16086 
16087 	if (!info->attrs[NL80211_ATTR_TID_CONFIG])
16088 		return -EINVAL;
16089 
16090 	if (!rdev->ops->set_tid_config)
16091 		return -EOPNOTSUPP;
16092 
16093 	nla_for_each_nested(tid, info->attrs[NL80211_ATTR_TID_CONFIG],
16094 			    rem_conf)
16095 		num_conf++;
16096 
16097 	tid_config = kzalloc(struct_size(tid_config, tid_conf, num_conf),
16098 			     GFP_KERNEL);
16099 	if (!tid_config)
16100 		return -ENOMEM;
16101 
16102 	tid_config->n_tid_conf = num_conf;
16103 
16104 	if (info->attrs[NL80211_ATTR_MAC])
16105 		tid_config->peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
16106 
16107 	nla_for_each_nested(tid, info->attrs[NL80211_ATTR_TID_CONFIG],
16108 			    rem_conf) {
16109 		ret = nla_parse_nested(attrs, NL80211_TID_CONFIG_ATTR_MAX,
16110 				       tid, NULL, NULL);
16111 
16112 		if (ret)
16113 			goto bad_tid_conf;
16114 
16115 		ret = parse_tid_conf(rdev, attrs, dev,
16116 				     &tid_config->tid_conf[conf_idx],
16117 				     info, tid_config->peer, link_id);
16118 		if (ret)
16119 			goto bad_tid_conf;
16120 
16121 		conf_idx++;
16122 	}
16123 
16124 	ret = rdev_set_tid_config(rdev, dev, tid_config);
16125 
16126 bad_tid_conf:
16127 	kfree(tid_config);
16128 	return ret;
16129 }
16130 
16131 static int nl80211_color_change(struct sk_buff *skb, struct genl_info *info)
16132 {
16133 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
16134 	struct cfg80211_color_change_settings params = {};
16135 	struct net_device *dev = info->user_ptr[1];
16136 	struct wireless_dev *wdev = dev->ieee80211_ptr;
16137 	struct nlattr **tb;
16138 	u16 offset;
16139 	int err;
16140 
16141 	if (!rdev->ops->color_change)
16142 		return -EOPNOTSUPP;
16143 
16144 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
16145 				     NL80211_EXT_FEATURE_BSS_COLOR))
16146 		return -EOPNOTSUPP;
16147 
16148 	if (wdev->iftype != NL80211_IFTYPE_AP)
16149 		return -EOPNOTSUPP;
16150 
16151 	if (!info->attrs[NL80211_ATTR_COLOR_CHANGE_COUNT] ||
16152 	    !info->attrs[NL80211_ATTR_COLOR_CHANGE_COLOR] ||
16153 	    !info->attrs[NL80211_ATTR_COLOR_CHANGE_ELEMS])
16154 		return -EINVAL;
16155 
16156 	params.count = nla_get_u8(info->attrs[NL80211_ATTR_COLOR_CHANGE_COUNT]);
16157 	params.color = nla_get_u8(info->attrs[NL80211_ATTR_COLOR_CHANGE_COLOR]);
16158 
16159 	err = nl80211_parse_beacon(rdev, info->attrs, &params.beacon_next,
16160 				   info->extack);
16161 	if (err)
16162 		return err;
16163 
16164 	tb = kcalloc(NL80211_ATTR_MAX + 1, sizeof(*tb), GFP_KERNEL);
16165 	if (!tb)
16166 		return -ENOMEM;
16167 
16168 	err = nla_parse_nested(tb, NL80211_ATTR_MAX,
16169 			       info->attrs[NL80211_ATTR_COLOR_CHANGE_ELEMS],
16170 			       nl80211_policy, info->extack);
16171 	if (err)
16172 		goto out;
16173 
16174 	err = nl80211_parse_beacon(rdev, tb, &params.beacon_color_change,
16175 				   info->extack);
16176 	if (err)
16177 		goto out;
16178 
16179 	if (!tb[NL80211_ATTR_CNTDWN_OFFS_BEACON]) {
16180 		err = -EINVAL;
16181 		goto out;
16182 	}
16183 
16184 	if (nla_len(tb[NL80211_ATTR_CNTDWN_OFFS_BEACON]) != sizeof(u16)) {
16185 		err = -EINVAL;
16186 		goto out;
16187 	}
16188 
16189 	offset = nla_get_u16(tb[NL80211_ATTR_CNTDWN_OFFS_BEACON]);
16190 	if (offset >= params.beacon_color_change.tail_len) {
16191 		err = -EINVAL;
16192 		goto out;
16193 	}
16194 
16195 	if (params.beacon_color_change.tail[offset] != params.count) {
16196 		err = -EINVAL;
16197 		goto out;
16198 	}
16199 
16200 	params.counter_offset_beacon = offset;
16201 
16202 	if (tb[NL80211_ATTR_CNTDWN_OFFS_PRESP]) {
16203 		if (nla_len(tb[NL80211_ATTR_CNTDWN_OFFS_PRESP]) !=
16204 		    sizeof(u16)) {
16205 			err = -EINVAL;
16206 			goto out;
16207 		}
16208 
16209 		offset = nla_get_u16(tb[NL80211_ATTR_CNTDWN_OFFS_PRESP]);
16210 		if (offset >= params.beacon_color_change.probe_resp_len) {
16211 			err = -EINVAL;
16212 			goto out;
16213 		}
16214 
16215 		if (params.beacon_color_change.probe_resp[offset] !=
16216 		    params.count) {
16217 			err = -EINVAL;
16218 			goto out;
16219 		}
16220 
16221 		params.counter_offset_presp = offset;
16222 	}
16223 
16224 	params.link_id = nl80211_link_id(info->attrs);
16225 	err = rdev_color_change(rdev, dev, &params);
16226 
16227 out:
16228 	kfree(params.beacon_next.mbssid_ies);
16229 	kfree(params.beacon_color_change.mbssid_ies);
16230 	kfree(params.beacon_next.rnr_ies);
16231 	kfree(params.beacon_color_change.rnr_ies);
16232 	kfree(tb);
16233 	return err;
16234 }
16235 
16236 static int nl80211_set_fils_aad(struct sk_buff *skb,
16237 				struct genl_info *info)
16238 {
16239 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
16240 	struct net_device *dev = info->user_ptr[1];
16241 	struct cfg80211_fils_aad fils_aad = {};
16242 	u8 *nonces;
16243 
16244 	if (!info->attrs[NL80211_ATTR_MAC] ||
16245 	    !info->attrs[NL80211_ATTR_FILS_KEK] ||
16246 	    !info->attrs[NL80211_ATTR_FILS_NONCES])
16247 		return -EINVAL;
16248 
16249 	fils_aad.macaddr = nla_data(info->attrs[NL80211_ATTR_MAC]);
16250 	fils_aad.kek_len = nla_len(info->attrs[NL80211_ATTR_FILS_KEK]);
16251 	fils_aad.kek = nla_data(info->attrs[NL80211_ATTR_FILS_KEK]);
16252 	nonces = nla_data(info->attrs[NL80211_ATTR_FILS_NONCES]);
16253 	fils_aad.snonce = nonces;
16254 	fils_aad.anonce = nonces + FILS_NONCE_LEN;
16255 
16256 	return rdev_set_fils_aad(rdev, dev, &fils_aad);
16257 }
16258 
16259 static int nl80211_add_link(struct sk_buff *skb, struct genl_info *info)
16260 {
16261 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
16262 	unsigned int link_id = nl80211_link_id(info->attrs);
16263 	struct net_device *dev = info->user_ptr[1];
16264 	struct wireless_dev *wdev = dev->ieee80211_ptr;
16265 	int ret;
16266 
16267 	if (!(wdev->wiphy->flags & WIPHY_FLAG_SUPPORTS_MLO))
16268 		return -EINVAL;
16269 
16270 	switch (wdev->iftype) {
16271 	case NL80211_IFTYPE_AP:
16272 		break;
16273 	default:
16274 		return -EINVAL;
16275 	}
16276 
16277 	if (!info->attrs[NL80211_ATTR_MAC] ||
16278 	    !is_valid_ether_addr(nla_data(info->attrs[NL80211_ATTR_MAC])))
16279 		return -EINVAL;
16280 
16281 	wdev->valid_links |= BIT(link_id);
16282 	ether_addr_copy(wdev->links[link_id].addr,
16283 			nla_data(info->attrs[NL80211_ATTR_MAC]));
16284 
16285 	ret = rdev_add_intf_link(rdev, wdev, link_id);
16286 	if (ret) {
16287 		wdev->valid_links &= ~BIT(link_id);
16288 		eth_zero_addr(wdev->links[link_id].addr);
16289 	}
16290 
16291 	return ret;
16292 }
16293 
16294 static int nl80211_remove_link(struct sk_buff *skb, struct genl_info *info)
16295 {
16296 	unsigned int link_id = nl80211_link_id(info->attrs);
16297 	struct net_device *dev = info->user_ptr[1];
16298 	struct wireless_dev *wdev = dev->ieee80211_ptr;
16299 
16300 	/* cannot remove if there's no link */
16301 	if (!info->attrs[NL80211_ATTR_MLO_LINK_ID])
16302 		return -EINVAL;
16303 
16304 	switch (wdev->iftype) {
16305 	case NL80211_IFTYPE_AP:
16306 		break;
16307 	default:
16308 		return -EINVAL;
16309 	}
16310 
16311 	cfg80211_remove_link(wdev, link_id);
16312 
16313 	return 0;
16314 }
16315 
16316 static int
16317 nl80211_add_mod_link_station(struct sk_buff *skb, struct genl_info *info,
16318 			     bool add)
16319 {
16320 	struct link_station_parameters params = {};
16321 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
16322 	struct net_device *dev = info->user_ptr[1];
16323 	int err;
16324 
16325 	if ((add && !rdev->ops->add_link_station) ||
16326 	    (!add && !rdev->ops->mod_link_station))
16327 		return -EOPNOTSUPP;
16328 
16329 	if (add && !info->attrs[NL80211_ATTR_MAC])
16330 		return -EINVAL;
16331 
16332 	if (!info->attrs[NL80211_ATTR_MLD_ADDR])
16333 		return -EINVAL;
16334 
16335 	if (add && !info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES])
16336 		return -EINVAL;
16337 
16338 	params.mld_mac = nla_data(info->attrs[NL80211_ATTR_MLD_ADDR]);
16339 
16340 	if (info->attrs[NL80211_ATTR_MAC]) {
16341 		params.link_mac = nla_data(info->attrs[NL80211_ATTR_MAC]);
16342 		if (!is_valid_ether_addr(params.link_mac))
16343 			return -EINVAL;
16344 	}
16345 
16346 	if (!info->attrs[NL80211_ATTR_MLO_LINK_ID])
16347 		return -EINVAL;
16348 
16349 	params.link_id = nla_get_u8(info->attrs[NL80211_ATTR_MLO_LINK_ID]);
16350 
16351 	if (info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]) {
16352 		params.supported_rates =
16353 			nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
16354 		params.supported_rates_len =
16355 			nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
16356 	}
16357 
16358 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY])
16359 		params.ht_capa =
16360 			nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]);
16361 
16362 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY])
16363 		params.vht_capa =
16364 			nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]);
16365 
16366 	if (info->attrs[NL80211_ATTR_HE_CAPABILITY]) {
16367 		params.he_capa =
16368 			nla_data(info->attrs[NL80211_ATTR_HE_CAPABILITY]);
16369 		params.he_capa_len =
16370 			nla_len(info->attrs[NL80211_ATTR_HE_CAPABILITY]);
16371 
16372 		if (info->attrs[NL80211_ATTR_EHT_CAPABILITY]) {
16373 			params.eht_capa =
16374 				nla_data(info->attrs[NL80211_ATTR_EHT_CAPABILITY]);
16375 			params.eht_capa_len =
16376 				nla_len(info->attrs[NL80211_ATTR_EHT_CAPABILITY]);
16377 
16378 			if (!ieee80211_eht_capa_size_ok((const u8 *)params.he_capa,
16379 							(const u8 *)params.eht_capa,
16380 							params.eht_capa_len,
16381 							false))
16382 				return -EINVAL;
16383 		}
16384 	}
16385 
16386 	if (info->attrs[NL80211_ATTR_HE_6GHZ_CAPABILITY])
16387 		params.he_6ghz_capa =
16388 			nla_data(info->attrs[NL80211_ATTR_HE_6GHZ_CAPABILITY]);
16389 
16390 	if (info->attrs[NL80211_ATTR_OPMODE_NOTIF]) {
16391 		params.opmode_notif_used = true;
16392 		params.opmode_notif =
16393 			nla_get_u8(info->attrs[NL80211_ATTR_OPMODE_NOTIF]);
16394 	}
16395 
16396 	err = nl80211_parse_sta_txpower_setting(info, &params.txpwr,
16397 						&params.txpwr_set);
16398 	if (err)
16399 		return err;
16400 
16401 	if (add)
16402 		return rdev_add_link_station(rdev, dev, &params);
16403 
16404 	return rdev_mod_link_station(rdev, dev, &params);
16405 }
16406 
16407 static int
16408 nl80211_add_link_station(struct sk_buff *skb, struct genl_info *info)
16409 {
16410 	return nl80211_add_mod_link_station(skb, info, true);
16411 }
16412 
16413 static int
16414 nl80211_modify_link_station(struct sk_buff *skb, struct genl_info *info)
16415 {
16416 	return nl80211_add_mod_link_station(skb, info, false);
16417 }
16418 
16419 static int
16420 nl80211_remove_link_station(struct sk_buff *skb, struct genl_info *info)
16421 {
16422 	struct link_station_del_parameters params = {};
16423 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
16424 	struct net_device *dev = info->user_ptr[1];
16425 
16426 	if (!rdev->ops->del_link_station)
16427 		return -EOPNOTSUPP;
16428 
16429 	if (!info->attrs[NL80211_ATTR_MLD_ADDR] ||
16430 	    !info->attrs[NL80211_ATTR_MLO_LINK_ID])
16431 		return -EINVAL;
16432 
16433 	params.mld_mac = nla_data(info->attrs[NL80211_ATTR_MLD_ADDR]);
16434 	params.link_id = nla_get_u8(info->attrs[NL80211_ATTR_MLO_LINK_ID]);
16435 
16436 	return rdev_del_link_station(rdev, dev, &params);
16437 }
16438 
16439 static int nl80211_set_hw_timestamp(struct sk_buff *skb,
16440 				    struct genl_info *info)
16441 {
16442 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
16443 	struct net_device *dev = info->user_ptr[1];
16444 	struct cfg80211_set_hw_timestamp hwts = {};
16445 
16446 	if (!rdev->wiphy.hw_timestamp_max_peers)
16447 		return -EOPNOTSUPP;
16448 
16449 	if (!info->attrs[NL80211_ATTR_MAC] &&
16450 	    rdev->wiphy.hw_timestamp_max_peers != CFG80211_HW_TIMESTAMP_ALL_PEERS)
16451 		return -EOPNOTSUPP;
16452 
16453 	if (info->attrs[NL80211_ATTR_MAC])
16454 		hwts.macaddr = nla_data(info->attrs[NL80211_ATTR_MAC]);
16455 
16456 	hwts.enable =
16457 		nla_get_flag(info->attrs[NL80211_ATTR_HW_TIMESTAMP_ENABLED]);
16458 
16459 	return rdev_set_hw_timestamp(rdev, dev, &hwts);
16460 }
16461 
16462 static int
16463 nl80211_set_ttlm(struct sk_buff *skb, struct genl_info *info)
16464 {
16465 	struct cfg80211_ttlm_params params = {};
16466 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
16467 	struct net_device *dev = info->user_ptr[1];
16468 	struct wireless_dev *wdev = dev->ieee80211_ptr;
16469 
16470 	if (wdev->iftype != NL80211_IFTYPE_STATION &&
16471 	    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT)
16472 		return -EOPNOTSUPP;
16473 
16474 	if (!wdev->connected)
16475 		return -ENOLINK;
16476 
16477 	if (!info->attrs[NL80211_ATTR_MLO_TTLM_DLINK] ||
16478 	    !info->attrs[NL80211_ATTR_MLO_TTLM_ULINK])
16479 		return -EINVAL;
16480 
16481 	nla_memcpy(params.dlink,
16482 		   info->attrs[NL80211_ATTR_MLO_TTLM_DLINK],
16483 		   sizeof(params.dlink));
16484 	nla_memcpy(params.ulink,
16485 		   info->attrs[NL80211_ATTR_MLO_TTLM_ULINK],
16486 		   sizeof(params.ulink));
16487 
16488 	return rdev_set_ttlm(rdev, dev, &params);
16489 }
16490 
16491 static int nl80211_assoc_ml_reconf(struct sk_buff *skb, struct genl_info *info)
16492 {
16493 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
16494 	struct net_device *dev = info->user_ptr[1];
16495 	struct wireless_dev *wdev = dev->ieee80211_ptr;
16496 	struct cfg80211_assoc_link links[IEEE80211_MLD_MAX_NUM_LINKS] = {};
16497 	unsigned int link_id;
16498 	u16 add_links, rem_links;
16499 	int err;
16500 
16501 	if (!wdev->valid_links)
16502 		return -EINVAL;
16503 
16504 	if (dev->ieee80211_ptr->conn_owner_nlportid &&
16505 	    dev->ieee80211_ptr->conn_owner_nlportid != info->snd_portid)
16506 		return -EPERM;
16507 
16508 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
16509 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
16510 		return -EOPNOTSUPP;
16511 
16512 	add_links = 0;
16513 	if (info->attrs[NL80211_ATTR_MLO_LINKS]) {
16514 		err = nl80211_process_links(rdev, links, NULL, 0, info);
16515 		if (err)
16516 			return err;
16517 
16518 		for (link_id = 0; link_id < IEEE80211_MLD_MAX_NUM_LINKS;
16519 		     link_id++) {
16520 			if (!links[link_id].bss)
16521 				continue;
16522 			add_links |= BIT(link_id);
16523 		}
16524 	}
16525 
16526 	if (info->attrs[NL80211_ATTR_MLO_RECONF_REM_LINKS])
16527 		rem_links =
16528 			nla_get_u16(info->attrs[NL80211_ATTR_MLO_RECONF_REM_LINKS]);
16529 	else
16530 		rem_links = 0;
16531 
16532 	/* Validate that existing links are not added, removed links are valid
16533 	 * and don't allow adding and removing the same links
16534 	 */
16535 	if ((add_links & rem_links) || !(add_links | rem_links) ||
16536 	    (wdev->valid_links & add_links) ||
16537 	    ((wdev->valid_links & rem_links) != rem_links)) {
16538 		err = -EINVAL;
16539 		goto out;
16540 	}
16541 
16542 	err = -EOPNOTSUPP;
16543 
16544 out:
16545 	for (link_id = 0; link_id < ARRAY_SIZE(links); link_id++)
16546 		cfg80211_put_bss(&rdev->wiphy, links[link_id].bss);
16547 
16548 	return err;
16549 }
16550 
16551 static int
16552 nl80211_epcs_cfg(struct sk_buff *skb, struct genl_info *info)
16553 {
16554 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
16555 	struct net_device *dev = info->user_ptr[1];
16556 	struct wireless_dev *wdev = dev->ieee80211_ptr;
16557 	bool val;
16558 
16559 	if (wdev->iftype != NL80211_IFTYPE_STATION &&
16560 	    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT)
16561 		return -EOPNOTSUPP;
16562 
16563 	if (!wdev->connected)
16564 		return -ENOLINK;
16565 
16566 	val = nla_get_flag(info->attrs[NL80211_ATTR_EPCS]);
16567 
16568 	return rdev_set_epcs(rdev, dev, val);
16569 }
16570 
16571 #define NL80211_FLAG_NEED_WIPHY		0x01
16572 #define NL80211_FLAG_NEED_NETDEV	0x02
16573 #define NL80211_FLAG_NEED_RTNL		0x04
16574 #define NL80211_FLAG_CHECK_NETDEV_UP	0x08
16575 #define NL80211_FLAG_NEED_NETDEV_UP	(NL80211_FLAG_NEED_NETDEV |\
16576 					 NL80211_FLAG_CHECK_NETDEV_UP)
16577 #define NL80211_FLAG_NEED_WDEV		0x10
16578 /* If a netdev is associated, it must be UP, P2P must be started */
16579 #define NL80211_FLAG_NEED_WDEV_UP	(NL80211_FLAG_NEED_WDEV |\
16580 					 NL80211_FLAG_CHECK_NETDEV_UP)
16581 #define NL80211_FLAG_CLEAR_SKB		0x20
16582 #define NL80211_FLAG_NO_WIPHY_MTX	0x40
16583 #define NL80211_FLAG_MLO_VALID_LINK_ID	0x80
16584 #define NL80211_FLAG_MLO_UNSUPPORTED	0x100
16585 
16586 #define INTERNAL_FLAG_SELECTORS(__sel)			\
16587 	SELECTOR(__sel, NONE, 0) /* must be first */	\
16588 	SELECTOR(__sel, WIPHY,				\
16589 		 NL80211_FLAG_NEED_WIPHY)		\
16590 	SELECTOR(__sel, WDEV,				\
16591 		 NL80211_FLAG_NEED_WDEV)		\
16592 	SELECTOR(__sel, NETDEV,				\
16593 		 NL80211_FLAG_NEED_NETDEV)		\
16594 	SELECTOR(__sel, NETDEV_LINK,			\
16595 		 NL80211_FLAG_NEED_NETDEV |		\
16596 		 NL80211_FLAG_MLO_VALID_LINK_ID)	\
16597 	SELECTOR(__sel, NETDEV_NO_MLO,			\
16598 		 NL80211_FLAG_NEED_NETDEV |		\
16599 		 NL80211_FLAG_MLO_UNSUPPORTED)	\
16600 	SELECTOR(__sel, WIPHY_RTNL,			\
16601 		 NL80211_FLAG_NEED_WIPHY |		\
16602 		 NL80211_FLAG_NEED_RTNL)		\
16603 	SELECTOR(__sel, WIPHY_RTNL_NOMTX,		\
16604 		 NL80211_FLAG_NEED_WIPHY |		\
16605 		 NL80211_FLAG_NEED_RTNL |		\
16606 		 NL80211_FLAG_NO_WIPHY_MTX)		\
16607 	SELECTOR(__sel, WDEV_RTNL,			\
16608 		 NL80211_FLAG_NEED_WDEV |		\
16609 		 NL80211_FLAG_NEED_RTNL)		\
16610 	SELECTOR(__sel, NETDEV_RTNL,			\
16611 		 NL80211_FLAG_NEED_NETDEV |		\
16612 		 NL80211_FLAG_NEED_RTNL)		\
16613 	SELECTOR(__sel, NETDEV_UP,			\
16614 		 NL80211_FLAG_NEED_NETDEV_UP)		\
16615 	SELECTOR(__sel, NETDEV_UP_LINK,			\
16616 		 NL80211_FLAG_NEED_NETDEV_UP |		\
16617 		 NL80211_FLAG_MLO_VALID_LINK_ID)	\
16618 	SELECTOR(__sel, NETDEV_UP_NO_MLO,		\
16619 		 NL80211_FLAG_NEED_NETDEV_UP |		\
16620 		 NL80211_FLAG_MLO_UNSUPPORTED)		\
16621 	SELECTOR(__sel, NETDEV_UP_NO_MLO_CLEAR,		\
16622 		 NL80211_FLAG_NEED_NETDEV_UP |		\
16623 		 NL80211_FLAG_CLEAR_SKB |		\
16624 		 NL80211_FLAG_MLO_UNSUPPORTED)		\
16625 	SELECTOR(__sel, NETDEV_UP_NOTMX,		\
16626 		 NL80211_FLAG_NEED_NETDEV_UP |		\
16627 		 NL80211_FLAG_NO_WIPHY_MTX)		\
16628 	SELECTOR(__sel, NETDEV_UP_NOTMX_MLO,		\
16629 		 NL80211_FLAG_NEED_NETDEV_UP |		\
16630 		 NL80211_FLAG_NO_WIPHY_MTX |		\
16631 		 NL80211_FLAG_MLO_VALID_LINK_ID)	\
16632 	SELECTOR(__sel, NETDEV_UP_CLEAR,		\
16633 		 NL80211_FLAG_NEED_NETDEV_UP |		\
16634 		 NL80211_FLAG_CLEAR_SKB)		\
16635 	SELECTOR(__sel, WDEV_UP,			\
16636 		 NL80211_FLAG_NEED_WDEV_UP)		\
16637 	SELECTOR(__sel, WDEV_UP_LINK,			\
16638 		 NL80211_FLAG_NEED_WDEV_UP |		\
16639 		 NL80211_FLAG_MLO_VALID_LINK_ID)	\
16640 	SELECTOR(__sel, WDEV_UP_RTNL,			\
16641 		 NL80211_FLAG_NEED_WDEV_UP |		\
16642 		 NL80211_FLAG_NEED_RTNL)		\
16643 	SELECTOR(__sel, WIPHY_CLEAR,			\
16644 		 NL80211_FLAG_NEED_WIPHY |		\
16645 		 NL80211_FLAG_CLEAR_SKB)
16646 
16647 enum nl80211_internal_flags_selector {
16648 #define SELECTOR(_, name, value)	NL80211_IFL_SEL_##name,
16649 	INTERNAL_FLAG_SELECTORS(_)
16650 #undef SELECTOR
16651 };
16652 
16653 static u32 nl80211_internal_flags[] = {
16654 #define SELECTOR(_, name, value)	[NL80211_IFL_SEL_##name] = value,
16655 	INTERNAL_FLAG_SELECTORS(_)
16656 #undef SELECTOR
16657 };
16658 
16659 static int nl80211_pre_doit(const struct genl_split_ops *ops,
16660 			    struct sk_buff *skb,
16661 			    struct genl_info *info)
16662 {
16663 	struct cfg80211_registered_device *rdev = NULL;
16664 	struct wireless_dev *wdev = NULL;
16665 	struct net_device *dev = NULL;
16666 	u32 internal_flags;
16667 	int err;
16668 
16669 	if (WARN_ON(ops->internal_flags >= ARRAY_SIZE(nl80211_internal_flags)))
16670 		return -EINVAL;
16671 
16672 	internal_flags = nl80211_internal_flags[ops->internal_flags];
16673 
16674 	rtnl_lock();
16675 	if (internal_flags & NL80211_FLAG_NEED_WIPHY) {
16676 		rdev = cfg80211_get_dev_from_info(genl_info_net(info), info);
16677 		if (IS_ERR(rdev)) {
16678 			err = PTR_ERR(rdev);
16679 			goto out_unlock;
16680 		}
16681 		info->user_ptr[0] = rdev;
16682 	} else if (internal_flags & NL80211_FLAG_NEED_NETDEV ||
16683 		   internal_flags & NL80211_FLAG_NEED_WDEV) {
16684 		wdev = __cfg80211_wdev_from_attrs(NULL, genl_info_net(info),
16685 						  info->attrs);
16686 		if (IS_ERR(wdev)) {
16687 			err = PTR_ERR(wdev);
16688 			goto out_unlock;
16689 		}
16690 
16691 		dev = wdev->netdev;
16692 		dev_hold(dev);
16693 		rdev = wiphy_to_rdev(wdev->wiphy);
16694 
16695 		if (internal_flags & NL80211_FLAG_NEED_NETDEV) {
16696 			if (!dev) {
16697 				err = -EINVAL;
16698 				goto out_unlock;
16699 			}
16700 
16701 			info->user_ptr[1] = dev;
16702 		} else {
16703 			info->user_ptr[1] = wdev;
16704 		}
16705 
16706 		if (internal_flags & NL80211_FLAG_CHECK_NETDEV_UP &&
16707 		    !wdev_running(wdev)) {
16708 			err = -ENETDOWN;
16709 			goto out_unlock;
16710 		}
16711 
16712 		info->user_ptr[0] = rdev;
16713 	}
16714 
16715 	if (internal_flags & NL80211_FLAG_MLO_VALID_LINK_ID) {
16716 		struct nlattr *link_id = info->attrs[NL80211_ATTR_MLO_LINK_ID];
16717 
16718 		if (!wdev) {
16719 			err = -EINVAL;
16720 			goto out_unlock;
16721 		}
16722 
16723 		/* MLO -> require valid link ID */
16724 		if (wdev->valid_links &&
16725 		    (!link_id ||
16726 		     !(wdev->valid_links & BIT(nla_get_u8(link_id))))) {
16727 			err = -EINVAL;
16728 			goto out_unlock;
16729 		}
16730 
16731 		/* non-MLO -> no link ID attribute accepted */
16732 		if (!wdev->valid_links && link_id) {
16733 			err = -EINVAL;
16734 			goto out_unlock;
16735 		}
16736 	}
16737 
16738 	if (internal_flags & NL80211_FLAG_MLO_UNSUPPORTED) {
16739 		if (info->attrs[NL80211_ATTR_MLO_LINK_ID] ||
16740 		    (wdev && wdev->valid_links)) {
16741 			err = -EINVAL;
16742 			goto out_unlock;
16743 		}
16744 	}
16745 
16746 	if (rdev && !(internal_flags & NL80211_FLAG_NO_WIPHY_MTX)) {
16747 		wiphy_lock(&rdev->wiphy);
16748 		/* we keep the mutex locked until post_doit */
16749 		__release(&rdev->wiphy.mtx);
16750 	}
16751 	if (!(internal_flags & NL80211_FLAG_NEED_RTNL))
16752 		rtnl_unlock();
16753 
16754 	return 0;
16755 out_unlock:
16756 	rtnl_unlock();
16757 	dev_put(dev);
16758 	return err;
16759 }
16760 
16761 static void nl80211_post_doit(const struct genl_split_ops *ops,
16762 			      struct sk_buff *skb,
16763 			      struct genl_info *info)
16764 {
16765 	u32 internal_flags = nl80211_internal_flags[ops->internal_flags];
16766 
16767 	if (info->user_ptr[1]) {
16768 		if (internal_flags & NL80211_FLAG_NEED_WDEV) {
16769 			struct wireless_dev *wdev = info->user_ptr[1];
16770 
16771 			dev_put(wdev->netdev);
16772 		} else {
16773 			dev_put(info->user_ptr[1]);
16774 		}
16775 	}
16776 
16777 	if (info->user_ptr[0] &&
16778 	    !(internal_flags & NL80211_FLAG_NO_WIPHY_MTX)) {
16779 		struct cfg80211_registered_device *rdev = info->user_ptr[0];
16780 
16781 		/* we kept the mutex locked since pre_doit */
16782 		__acquire(&rdev->wiphy.mtx);
16783 		wiphy_unlock(&rdev->wiphy);
16784 	}
16785 
16786 	if (internal_flags & NL80211_FLAG_NEED_RTNL)
16787 		rtnl_unlock();
16788 
16789 	/* If needed, clear the netlink message payload from the SKB
16790 	 * as it might contain key data that shouldn't stick around on
16791 	 * the heap after the SKB is freed. The netlink message header
16792 	 * is still needed for further processing, so leave it intact.
16793 	 */
16794 	if (internal_flags & NL80211_FLAG_CLEAR_SKB) {
16795 		struct nlmsghdr *nlh = nlmsg_hdr(skb);
16796 
16797 		memset(nlmsg_data(nlh), 0, nlmsg_len(nlh));
16798 	}
16799 }
16800 
16801 static int nl80211_set_sar_sub_specs(struct cfg80211_registered_device *rdev,
16802 				     struct cfg80211_sar_specs *sar_specs,
16803 				     struct nlattr *spec[], int index)
16804 {
16805 	u32 range_index, i;
16806 
16807 	if (!sar_specs || !spec)
16808 		return -EINVAL;
16809 
16810 	if (!spec[NL80211_SAR_ATTR_SPECS_POWER] ||
16811 	    !spec[NL80211_SAR_ATTR_SPECS_RANGE_INDEX])
16812 		return -EINVAL;
16813 
16814 	range_index = nla_get_u32(spec[NL80211_SAR_ATTR_SPECS_RANGE_INDEX]);
16815 
16816 	/* check if range_index exceeds num_freq_ranges */
16817 	if (range_index >= rdev->wiphy.sar_capa->num_freq_ranges)
16818 		return -EINVAL;
16819 
16820 	/* check if range_index duplicates */
16821 	for (i = 0; i < index; i++) {
16822 		if (sar_specs->sub_specs[i].freq_range_index == range_index)
16823 			return -EINVAL;
16824 	}
16825 
16826 	sar_specs->sub_specs[index].power =
16827 		nla_get_s32(spec[NL80211_SAR_ATTR_SPECS_POWER]);
16828 
16829 	sar_specs->sub_specs[index].freq_range_index = range_index;
16830 
16831 	return 0;
16832 }
16833 
16834 static int nl80211_set_sar_specs(struct sk_buff *skb, struct genl_info *info)
16835 {
16836 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
16837 	struct nlattr *spec[NL80211_SAR_ATTR_SPECS_MAX + 1];
16838 	struct nlattr *tb[NL80211_SAR_ATTR_MAX + 1];
16839 	struct cfg80211_sar_specs *sar_spec;
16840 	enum nl80211_sar_type type;
16841 	struct nlattr *spec_list;
16842 	u32 specs;
16843 	int rem, err;
16844 
16845 	if (!rdev->wiphy.sar_capa || !rdev->ops->set_sar_specs)
16846 		return -EOPNOTSUPP;
16847 
16848 	if (!info->attrs[NL80211_ATTR_SAR_SPEC])
16849 		return -EINVAL;
16850 
16851 	nla_parse_nested(tb, NL80211_SAR_ATTR_MAX,
16852 			 info->attrs[NL80211_ATTR_SAR_SPEC],
16853 			 NULL, NULL);
16854 
16855 	if (!tb[NL80211_SAR_ATTR_TYPE] || !tb[NL80211_SAR_ATTR_SPECS])
16856 		return -EINVAL;
16857 
16858 	type = nla_get_u32(tb[NL80211_SAR_ATTR_TYPE]);
16859 	if (type != rdev->wiphy.sar_capa->type)
16860 		return -EINVAL;
16861 
16862 	specs = 0;
16863 	nla_for_each_nested(spec_list, tb[NL80211_SAR_ATTR_SPECS], rem)
16864 		specs++;
16865 
16866 	if (specs > rdev->wiphy.sar_capa->num_freq_ranges)
16867 		return -EINVAL;
16868 
16869 	sar_spec = kzalloc(struct_size(sar_spec, sub_specs, specs), GFP_KERNEL);
16870 	if (!sar_spec)
16871 		return -ENOMEM;
16872 
16873 	sar_spec->type = type;
16874 	specs = 0;
16875 	nla_for_each_nested(spec_list, tb[NL80211_SAR_ATTR_SPECS], rem) {
16876 		nla_parse_nested(spec, NL80211_SAR_ATTR_SPECS_MAX,
16877 				 spec_list, NULL, NULL);
16878 
16879 		switch (type) {
16880 		case NL80211_SAR_TYPE_POWER:
16881 			if (nl80211_set_sar_sub_specs(rdev, sar_spec,
16882 						      spec, specs)) {
16883 				err = -EINVAL;
16884 				goto error;
16885 			}
16886 			break;
16887 		default:
16888 			err = -EINVAL;
16889 			goto error;
16890 		}
16891 		specs++;
16892 	}
16893 
16894 	sar_spec->num_sub_specs = specs;
16895 
16896 	rdev->cur_cmd_info = info;
16897 	err = rdev_set_sar_specs(rdev, sar_spec);
16898 	rdev->cur_cmd_info = NULL;
16899 error:
16900 	kfree(sar_spec);
16901 	return err;
16902 }
16903 
16904 #define SELECTOR(__sel, name, value) \
16905 	((__sel) == (value)) ? NL80211_IFL_SEL_##name :
16906 int __missing_selector(void);
16907 #define IFLAGS(__val) INTERNAL_FLAG_SELECTORS(__val) __missing_selector()
16908 
16909 static const struct genl_ops nl80211_ops[] = {
16910 	{
16911 		.cmd = NL80211_CMD_GET_WIPHY,
16912 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16913 		.doit = nl80211_get_wiphy,
16914 		.dumpit = nl80211_dump_wiphy,
16915 		.done = nl80211_dump_wiphy_done,
16916 		/* can be retrieved by unprivileged users */
16917 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY),
16918 	},
16919 };
16920 
16921 static const struct genl_small_ops nl80211_small_ops[] = {
16922 	{
16923 		.cmd = NL80211_CMD_SET_WIPHY,
16924 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16925 		.doit = nl80211_set_wiphy,
16926 		.flags = GENL_UNS_ADMIN_PERM,
16927 	},
16928 	{
16929 		.cmd = NL80211_CMD_GET_INTERFACE,
16930 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16931 		.doit = nl80211_get_interface,
16932 		.dumpit = nl80211_dump_interface,
16933 		/* can be retrieved by unprivileged users */
16934 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV),
16935 	},
16936 	{
16937 		.cmd = NL80211_CMD_SET_INTERFACE,
16938 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16939 		.doit = nl80211_set_interface,
16940 		.flags = GENL_UNS_ADMIN_PERM,
16941 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV |
16942 					 NL80211_FLAG_NEED_RTNL),
16943 	},
16944 	{
16945 		.cmd = NL80211_CMD_NEW_INTERFACE,
16946 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16947 		.doit = nl80211_new_interface,
16948 		.flags = GENL_UNS_ADMIN_PERM,
16949 		.internal_flags =
16950 			IFLAGS(NL80211_FLAG_NEED_WIPHY |
16951 			       NL80211_FLAG_NEED_RTNL |
16952 			       /* we take the wiphy mutex later ourselves */
16953 			       NL80211_FLAG_NO_WIPHY_MTX),
16954 	},
16955 	{
16956 		.cmd = NL80211_CMD_DEL_INTERFACE,
16957 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16958 		.doit = nl80211_del_interface,
16959 		.flags = GENL_UNS_ADMIN_PERM,
16960 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV |
16961 					 NL80211_FLAG_NEED_RTNL),
16962 	},
16963 	{
16964 		.cmd = NL80211_CMD_GET_KEY,
16965 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16966 		.doit = nl80211_get_key,
16967 		.flags = GENL_UNS_ADMIN_PERM,
16968 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16969 	},
16970 	{
16971 		.cmd = NL80211_CMD_SET_KEY,
16972 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16973 		.doit = nl80211_set_key,
16974 		.flags = GENL_UNS_ADMIN_PERM,
16975 		/* cannot use NL80211_FLAG_MLO_VALID_LINK_ID, depends on key */
16976 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
16977 					 NL80211_FLAG_CLEAR_SKB),
16978 	},
16979 	{
16980 		.cmd = NL80211_CMD_NEW_KEY,
16981 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16982 		.doit = nl80211_new_key,
16983 		.flags = GENL_UNS_ADMIN_PERM,
16984 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
16985 					 NL80211_FLAG_CLEAR_SKB),
16986 	},
16987 	{
16988 		.cmd = NL80211_CMD_DEL_KEY,
16989 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16990 		.doit = nl80211_del_key,
16991 		.flags = GENL_UNS_ADMIN_PERM,
16992 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16993 	},
16994 	{
16995 		.cmd = NL80211_CMD_SET_BEACON,
16996 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16997 		.flags = GENL_UNS_ADMIN_PERM,
16998 		.doit = nl80211_set_beacon,
16999 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
17000 					 NL80211_FLAG_MLO_VALID_LINK_ID),
17001 	},
17002 	{
17003 		.cmd = NL80211_CMD_START_AP,
17004 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17005 		.flags = GENL_UNS_ADMIN_PERM,
17006 		.doit = nl80211_start_ap,
17007 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
17008 					 NL80211_FLAG_MLO_VALID_LINK_ID),
17009 	},
17010 	{
17011 		.cmd = NL80211_CMD_STOP_AP,
17012 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17013 		.flags = GENL_UNS_ADMIN_PERM,
17014 		.doit = nl80211_stop_ap,
17015 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
17016 					 NL80211_FLAG_MLO_VALID_LINK_ID),
17017 	},
17018 	{
17019 		.cmd = NL80211_CMD_GET_STATION,
17020 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17021 		.doit = nl80211_get_station,
17022 		.dumpit = nl80211_dump_station,
17023 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV),
17024 	},
17025 	{
17026 		.cmd = NL80211_CMD_SET_STATION,
17027 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17028 		.doit = nl80211_set_station,
17029 		.flags = GENL_UNS_ADMIN_PERM,
17030 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17031 	},
17032 	{
17033 		.cmd = NL80211_CMD_NEW_STATION,
17034 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17035 		.doit = nl80211_new_station,
17036 		.flags = GENL_UNS_ADMIN_PERM,
17037 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17038 	},
17039 	{
17040 		.cmd = NL80211_CMD_DEL_STATION,
17041 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17042 		.doit = nl80211_del_station,
17043 		.flags = GENL_UNS_ADMIN_PERM,
17044 		/* cannot use NL80211_FLAG_MLO_VALID_LINK_ID, depends on
17045 		 * whether MAC address is passed or not. If MAC address is
17046 		 * passed, then even during MLO, link ID is not required.
17047 		 */
17048 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17049 	},
17050 	{
17051 		.cmd = NL80211_CMD_GET_MPATH,
17052 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17053 		.doit = nl80211_get_mpath,
17054 		.dumpit = nl80211_dump_mpath,
17055 		.flags = GENL_UNS_ADMIN_PERM,
17056 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17057 	},
17058 	{
17059 		.cmd = NL80211_CMD_GET_MPP,
17060 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17061 		.doit = nl80211_get_mpp,
17062 		.dumpit = nl80211_dump_mpp,
17063 		.flags = GENL_UNS_ADMIN_PERM,
17064 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17065 	},
17066 	{
17067 		.cmd = NL80211_CMD_SET_MPATH,
17068 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17069 		.doit = nl80211_set_mpath,
17070 		.flags = GENL_UNS_ADMIN_PERM,
17071 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17072 	},
17073 	{
17074 		.cmd = NL80211_CMD_NEW_MPATH,
17075 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17076 		.doit = nl80211_new_mpath,
17077 		.flags = GENL_UNS_ADMIN_PERM,
17078 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17079 	},
17080 	{
17081 		.cmd = NL80211_CMD_DEL_MPATH,
17082 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17083 		.doit = nl80211_del_mpath,
17084 		.flags = GENL_UNS_ADMIN_PERM,
17085 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17086 	},
17087 	{
17088 		.cmd = NL80211_CMD_SET_BSS,
17089 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17090 		.doit = nl80211_set_bss,
17091 		.flags = GENL_UNS_ADMIN_PERM,
17092 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
17093 					 NL80211_FLAG_MLO_VALID_LINK_ID),
17094 	},
17095 	{
17096 		.cmd = NL80211_CMD_GET_REG,
17097 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17098 		.doit = nl80211_get_reg_do,
17099 		.dumpit = nl80211_get_reg_dump,
17100 		/* can be retrieved by unprivileged users */
17101 	},
17102 #ifdef CONFIG_CFG80211_CRDA_SUPPORT
17103 	{
17104 		.cmd = NL80211_CMD_SET_REG,
17105 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17106 		.doit = nl80211_set_reg,
17107 		.flags = GENL_ADMIN_PERM,
17108 	},
17109 #endif
17110 	{
17111 		.cmd = NL80211_CMD_REQ_SET_REG,
17112 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17113 		.doit = nl80211_req_set_reg,
17114 		.flags = GENL_ADMIN_PERM,
17115 	},
17116 	{
17117 		.cmd = NL80211_CMD_RELOAD_REGDB,
17118 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17119 		.doit = nl80211_reload_regdb,
17120 		.flags = GENL_ADMIN_PERM,
17121 	},
17122 	{
17123 		.cmd = NL80211_CMD_GET_MESH_CONFIG,
17124 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17125 		.doit = nl80211_get_mesh_config,
17126 		/* can be retrieved by unprivileged users */
17127 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17128 	},
17129 	{
17130 		.cmd = NL80211_CMD_SET_MESH_CONFIG,
17131 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17132 		.doit = nl80211_update_mesh_config,
17133 		.flags = GENL_UNS_ADMIN_PERM,
17134 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17135 	},
17136 	{
17137 		.cmd = NL80211_CMD_TRIGGER_SCAN,
17138 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17139 		.doit = nl80211_trigger_scan,
17140 		.flags = GENL_UNS_ADMIN_PERM,
17141 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
17142 	},
17143 	{
17144 		.cmd = NL80211_CMD_ABORT_SCAN,
17145 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17146 		.doit = nl80211_abort_scan,
17147 		.flags = GENL_UNS_ADMIN_PERM,
17148 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
17149 	},
17150 	{
17151 		.cmd = NL80211_CMD_GET_SCAN,
17152 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17153 		.dumpit = nl80211_dump_scan,
17154 	},
17155 	{
17156 		.cmd = NL80211_CMD_START_SCHED_SCAN,
17157 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17158 		.doit = nl80211_start_sched_scan,
17159 		.flags = GENL_UNS_ADMIN_PERM,
17160 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17161 	},
17162 	{
17163 		.cmd = NL80211_CMD_STOP_SCHED_SCAN,
17164 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17165 		.doit = nl80211_stop_sched_scan,
17166 		.flags = GENL_UNS_ADMIN_PERM,
17167 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17168 	},
17169 	{
17170 		.cmd = NL80211_CMD_AUTHENTICATE,
17171 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17172 		.doit = nl80211_authenticate,
17173 		.flags = GENL_UNS_ADMIN_PERM,
17174 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
17175 					 NL80211_FLAG_CLEAR_SKB),
17176 	},
17177 	{
17178 		.cmd = NL80211_CMD_ASSOCIATE,
17179 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17180 		.doit = nl80211_associate,
17181 		.flags = GENL_UNS_ADMIN_PERM,
17182 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
17183 					 NL80211_FLAG_CLEAR_SKB),
17184 	},
17185 	{
17186 		.cmd = NL80211_CMD_DEAUTHENTICATE,
17187 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17188 		.doit = nl80211_deauthenticate,
17189 		.flags = GENL_UNS_ADMIN_PERM,
17190 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17191 	},
17192 	{
17193 		.cmd = NL80211_CMD_DISASSOCIATE,
17194 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17195 		.doit = nl80211_disassociate,
17196 		.flags = GENL_UNS_ADMIN_PERM,
17197 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17198 	},
17199 	{
17200 		.cmd = NL80211_CMD_JOIN_IBSS,
17201 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17202 		.doit = nl80211_join_ibss,
17203 		.flags = GENL_UNS_ADMIN_PERM,
17204 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17205 	},
17206 	{
17207 		.cmd = NL80211_CMD_LEAVE_IBSS,
17208 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17209 		.doit = nl80211_leave_ibss,
17210 		.flags = GENL_UNS_ADMIN_PERM,
17211 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17212 	},
17213 #ifdef CONFIG_NL80211_TESTMODE
17214 	{
17215 		.cmd = NL80211_CMD_TESTMODE,
17216 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17217 		.doit = nl80211_testmode_do,
17218 		.dumpit = nl80211_testmode_dump,
17219 		.flags = GENL_UNS_ADMIN_PERM,
17220 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY),
17221 	},
17222 #endif
17223 	{
17224 		.cmd = NL80211_CMD_CONNECT,
17225 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17226 		.doit = nl80211_connect,
17227 		.flags = GENL_UNS_ADMIN_PERM,
17228 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
17229 					 NL80211_FLAG_CLEAR_SKB),
17230 	},
17231 	{
17232 		.cmd = NL80211_CMD_UPDATE_CONNECT_PARAMS,
17233 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17234 		.doit = nl80211_update_connect_params,
17235 		.flags = GENL_ADMIN_PERM,
17236 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
17237 					 NL80211_FLAG_CLEAR_SKB),
17238 	},
17239 	{
17240 		.cmd = NL80211_CMD_DISCONNECT,
17241 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17242 		.doit = nl80211_disconnect,
17243 		.flags = GENL_UNS_ADMIN_PERM,
17244 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17245 	},
17246 	{
17247 		.cmd = NL80211_CMD_SET_WIPHY_NETNS,
17248 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17249 		.doit = nl80211_wiphy_netns,
17250 		.flags = GENL_UNS_ADMIN_PERM,
17251 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY |
17252 					 NL80211_FLAG_NEED_RTNL |
17253 					 NL80211_FLAG_NO_WIPHY_MTX),
17254 	},
17255 	{
17256 		.cmd = NL80211_CMD_GET_SURVEY,
17257 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17258 		.dumpit = nl80211_dump_survey,
17259 	},
17260 	{
17261 		.cmd = NL80211_CMD_SET_PMKSA,
17262 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17263 		.doit = nl80211_set_pmksa,
17264 		.flags = GENL_UNS_ADMIN_PERM,
17265 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
17266 					 NL80211_FLAG_CLEAR_SKB),
17267 	},
17268 	{
17269 		.cmd = NL80211_CMD_DEL_PMKSA,
17270 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17271 		.doit = nl80211_del_pmksa,
17272 		.flags = GENL_UNS_ADMIN_PERM,
17273 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17274 	},
17275 	{
17276 		.cmd = NL80211_CMD_FLUSH_PMKSA,
17277 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17278 		.doit = nl80211_flush_pmksa,
17279 		.flags = GENL_UNS_ADMIN_PERM,
17280 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17281 	},
17282 	{
17283 		.cmd = NL80211_CMD_REMAIN_ON_CHANNEL,
17284 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17285 		.doit = nl80211_remain_on_channel,
17286 		.flags = GENL_UNS_ADMIN_PERM,
17287 		/* FIXME: requiring a link ID here is probably not good */
17288 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP |
17289 					 NL80211_FLAG_MLO_VALID_LINK_ID),
17290 	},
17291 	{
17292 		.cmd = NL80211_CMD_CANCEL_REMAIN_ON_CHANNEL,
17293 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17294 		.doit = nl80211_cancel_remain_on_channel,
17295 		.flags = GENL_UNS_ADMIN_PERM,
17296 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
17297 	},
17298 	{
17299 		.cmd = NL80211_CMD_SET_TX_BITRATE_MASK,
17300 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17301 		.doit = nl80211_set_tx_bitrate_mask,
17302 		.flags = GENL_UNS_ADMIN_PERM,
17303 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV |
17304 					 NL80211_FLAG_MLO_VALID_LINK_ID),
17305 	},
17306 	{
17307 		.cmd = NL80211_CMD_REGISTER_FRAME,
17308 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17309 		.doit = nl80211_register_mgmt,
17310 		.flags = GENL_UNS_ADMIN_PERM,
17311 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV),
17312 	},
17313 	{
17314 		.cmd = NL80211_CMD_FRAME,
17315 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17316 		.doit = nl80211_tx_mgmt,
17317 		.flags = GENL_UNS_ADMIN_PERM,
17318 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
17319 	},
17320 	{
17321 		.cmd = NL80211_CMD_FRAME_WAIT_CANCEL,
17322 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17323 		.doit = nl80211_tx_mgmt_cancel_wait,
17324 		.flags = GENL_UNS_ADMIN_PERM,
17325 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
17326 	},
17327 	{
17328 		.cmd = NL80211_CMD_SET_POWER_SAVE,
17329 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17330 		.doit = nl80211_set_power_save,
17331 		.flags = GENL_UNS_ADMIN_PERM,
17332 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV),
17333 	},
17334 	{
17335 		.cmd = NL80211_CMD_GET_POWER_SAVE,
17336 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17337 		.doit = nl80211_get_power_save,
17338 		/* can be retrieved by unprivileged users */
17339 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV),
17340 	},
17341 	{
17342 		.cmd = NL80211_CMD_SET_CQM,
17343 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17344 		.doit = nl80211_set_cqm,
17345 		.flags = GENL_UNS_ADMIN_PERM,
17346 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV),
17347 	},
17348 	{
17349 		.cmd = NL80211_CMD_SET_CHANNEL,
17350 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17351 		.doit = nl80211_set_channel,
17352 		.flags = GENL_UNS_ADMIN_PERM,
17353 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV |
17354 					 NL80211_FLAG_MLO_VALID_LINK_ID),
17355 	},
17356 	{
17357 		.cmd = NL80211_CMD_JOIN_MESH,
17358 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17359 		.doit = nl80211_join_mesh,
17360 		.flags = GENL_UNS_ADMIN_PERM,
17361 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17362 	},
17363 	{
17364 		.cmd = NL80211_CMD_LEAVE_MESH,
17365 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17366 		.doit = nl80211_leave_mesh,
17367 		.flags = GENL_UNS_ADMIN_PERM,
17368 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17369 	},
17370 	{
17371 		.cmd = NL80211_CMD_JOIN_OCB,
17372 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17373 		.doit = nl80211_join_ocb,
17374 		.flags = GENL_UNS_ADMIN_PERM,
17375 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17376 	},
17377 	{
17378 		.cmd = NL80211_CMD_LEAVE_OCB,
17379 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17380 		.doit = nl80211_leave_ocb,
17381 		.flags = GENL_UNS_ADMIN_PERM,
17382 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17383 	},
17384 #ifdef CONFIG_PM
17385 	{
17386 		.cmd = NL80211_CMD_GET_WOWLAN,
17387 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17388 		.doit = nl80211_get_wowlan,
17389 		/* can be retrieved by unprivileged users */
17390 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY),
17391 	},
17392 	{
17393 		.cmd = NL80211_CMD_SET_WOWLAN,
17394 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17395 		.doit = nl80211_set_wowlan,
17396 		.flags = GENL_UNS_ADMIN_PERM,
17397 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY),
17398 	},
17399 #endif
17400 	{
17401 		.cmd = NL80211_CMD_SET_REKEY_OFFLOAD,
17402 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17403 		.doit = nl80211_set_rekey_data,
17404 		.flags = GENL_UNS_ADMIN_PERM,
17405 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
17406 					 NL80211_FLAG_CLEAR_SKB),
17407 	},
17408 	{
17409 		.cmd = NL80211_CMD_TDLS_MGMT,
17410 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17411 		.doit = nl80211_tdls_mgmt,
17412 		.flags = GENL_UNS_ADMIN_PERM,
17413 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
17414 					 NL80211_FLAG_MLO_VALID_LINK_ID),
17415 	},
17416 	{
17417 		.cmd = NL80211_CMD_TDLS_OPER,
17418 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17419 		.doit = nl80211_tdls_oper,
17420 		.flags = GENL_UNS_ADMIN_PERM,
17421 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17422 	},
17423 	{
17424 		.cmd = NL80211_CMD_UNEXPECTED_FRAME,
17425 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17426 		.doit = nl80211_register_unexpected_frame,
17427 		.flags = GENL_UNS_ADMIN_PERM,
17428 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV),
17429 	},
17430 	{
17431 		.cmd = NL80211_CMD_PROBE_CLIENT,
17432 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17433 		.doit = nl80211_probe_client,
17434 		.flags = GENL_UNS_ADMIN_PERM,
17435 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17436 	},
17437 	{
17438 		.cmd = NL80211_CMD_REGISTER_BEACONS,
17439 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17440 		.doit = nl80211_register_beacons,
17441 		.flags = GENL_UNS_ADMIN_PERM,
17442 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY),
17443 	},
17444 	{
17445 		.cmd = NL80211_CMD_SET_NOACK_MAP,
17446 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17447 		.doit = nl80211_set_noack_map,
17448 		.flags = GENL_UNS_ADMIN_PERM,
17449 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV),
17450 	},
17451 	{
17452 		.cmd = NL80211_CMD_START_P2P_DEVICE,
17453 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17454 		.doit = nl80211_start_p2p_device,
17455 		.flags = GENL_UNS_ADMIN_PERM,
17456 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV |
17457 					 NL80211_FLAG_NEED_RTNL),
17458 	},
17459 	{
17460 		.cmd = NL80211_CMD_STOP_P2P_DEVICE,
17461 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17462 		.doit = nl80211_stop_p2p_device,
17463 		.flags = GENL_UNS_ADMIN_PERM,
17464 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP |
17465 					 NL80211_FLAG_NEED_RTNL),
17466 	},
17467 	{
17468 		.cmd = NL80211_CMD_START_NAN,
17469 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17470 		.doit = nl80211_start_nan,
17471 		.flags = GENL_ADMIN_PERM,
17472 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV |
17473 					 NL80211_FLAG_NEED_RTNL),
17474 	},
17475 	{
17476 		.cmd = NL80211_CMD_STOP_NAN,
17477 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17478 		.doit = nl80211_stop_nan,
17479 		.flags = GENL_ADMIN_PERM,
17480 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP |
17481 					 NL80211_FLAG_NEED_RTNL),
17482 	},
17483 	{
17484 		.cmd = NL80211_CMD_ADD_NAN_FUNCTION,
17485 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17486 		.doit = nl80211_nan_add_func,
17487 		.flags = GENL_ADMIN_PERM,
17488 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
17489 	},
17490 	{
17491 		.cmd = NL80211_CMD_DEL_NAN_FUNCTION,
17492 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17493 		.doit = nl80211_nan_del_func,
17494 		.flags = GENL_ADMIN_PERM,
17495 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
17496 	},
17497 	{
17498 		.cmd = NL80211_CMD_CHANGE_NAN_CONFIG,
17499 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17500 		.doit = nl80211_nan_change_config,
17501 		.flags = GENL_ADMIN_PERM,
17502 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
17503 	},
17504 	{
17505 		.cmd = NL80211_CMD_SET_MCAST_RATE,
17506 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17507 		.doit = nl80211_set_mcast_rate,
17508 		.flags = GENL_UNS_ADMIN_PERM,
17509 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV),
17510 	},
17511 	{
17512 		.cmd = NL80211_CMD_SET_MAC_ACL,
17513 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17514 		.doit = nl80211_set_mac_acl,
17515 		.flags = GENL_UNS_ADMIN_PERM,
17516 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV |
17517 					 NL80211_FLAG_MLO_UNSUPPORTED),
17518 	},
17519 	{
17520 		.cmd = NL80211_CMD_RADAR_DETECT,
17521 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17522 		.doit = nl80211_start_radar_detection,
17523 		.flags = GENL_UNS_ADMIN_PERM,
17524 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
17525 					 NL80211_FLAG_NO_WIPHY_MTX |
17526 					 NL80211_FLAG_MLO_VALID_LINK_ID),
17527 	},
17528 	{
17529 		.cmd = NL80211_CMD_GET_PROTOCOL_FEATURES,
17530 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17531 		.doit = nl80211_get_protocol_features,
17532 	},
17533 	{
17534 		.cmd = NL80211_CMD_UPDATE_FT_IES,
17535 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17536 		.doit = nl80211_update_ft_ies,
17537 		.flags = GENL_UNS_ADMIN_PERM,
17538 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17539 	},
17540 	{
17541 		.cmd = NL80211_CMD_CRIT_PROTOCOL_START,
17542 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17543 		.doit = nl80211_crit_protocol_start,
17544 		.flags = GENL_UNS_ADMIN_PERM,
17545 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
17546 	},
17547 	{
17548 		.cmd = NL80211_CMD_CRIT_PROTOCOL_STOP,
17549 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17550 		.doit = nl80211_crit_protocol_stop,
17551 		.flags = GENL_UNS_ADMIN_PERM,
17552 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
17553 	},
17554 	{
17555 		.cmd = NL80211_CMD_GET_COALESCE,
17556 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17557 		.doit = nl80211_get_coalesce,
17558 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY),
17559 	},
17560 	{
17561 		.cmd = NL80211_CMD_SET_COALESCE,
17562 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17563 		.doit = nl80211_set_coalesce,
17564 		.flags = GENL_UNS_ADMIN_PERM,
17565 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY),
17566 	},
17567 	{
17568 		.cmd = NL80211_CMD_CHANNEL_SWITCH,
17569 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17570 		.doit = nl80211_channel_switch,
17571 		.flags = GENL_UNS_ADMIN_PERM,
17572 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
17573 					 NL80211_FLAG_MLO_VALID_LINK_ID),
17574 	},
17575 	{
17576 		.cmd = NL80211_CMD_VENDOR,
17577 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17578 		.doit = nl80211_vendor_cmd,
17579 		.dumpit = nl80211_vendor_cmd_dump,
17580 		.flags = GENL_UNS_ADMIN_PERM,
17581 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY |
17582 					 NL80211_FLAG_CLEAR_SKB),
17583 	},
17584 	{
17585 		.cmd = NL80211_CMD_SET_QOS_MAP,
17586 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17587 		.doit = nl80211_set_qos_map,
17588 		.flags = GENL_UNS_ADMIN_PERM,
17589 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17590 	},
17591 	{
17592 		.cmd = NL80211_CMD_ADD_TX_TS,
17593 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17594 		.doit = nl80211_add_tx_ts,
17595 		.flags = GENL_UNS_ADMIN_PERM,
17596 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
17597 					 NL80211_FLAG_MLO_UNSUPPORTED),
17598 	},
17599 	{
17600 		.cmd = NL80211_CMD_DEL_TX_TS,
17601 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17602 		.doit = nl80211_del_tx_ts,
17603 		.flags = GENL_UNS_ADMIN_PERM,
17604 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17605 	},
17606 	{
17607 		.cmd = NL80211_CMD_TDLS_CHANNEL_SWITCH,
17608 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17609 		.doit = nl80211_tdls_channel_switch,
17610 		.flags = GENL_UNS_ADMIN_PERM,
17611 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17612 	},
17613 	{
17614 		.cmd = NL80211_CMD_TDLS_CANCEL_CHANNEL_SWITCH,
17615 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17616 		.doit = nl80211_tdls_cancel_channel_switch,
17617 		.flags = GENL_UNS_ADMIN_PERM,
17618 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17619 	},
17620 	{
17621 		.cmd = NL80211_CMD_SET_MULTICAST_TO_UNICAST,
17622 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17623 		.doit = nl80211_set_multicast_to_unicast,
17624 		.flags = GENL_UNS_ADMIN_PERM,
17625 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV),
17626 	},
17627 	{
17628 		.cmd = NL80211_CMD_SET_PMK,
17629 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17630 		.doit = nl80211_set_pmk,
17631 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
17632 					 NL80211_FLAG_CLEAR_SKB),
17633 	},
17634 	{
17635 		.cmd = NL80211_CMD_DEL_PMK,
17636 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17637 		.doit = nl80211_del_pmk,
17638 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17639 	},
17640 	{
17641 		.cmd = NL80211_CMD_EXTERNAL_AUTH,
17642 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17643 		.doit = nl80211_external_auth,
17644 		.flags = GENL_ADMIN_PERM,
17645 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17646 	},
17647 	{
17648 		.cmd = NL80211_CMD_CONTROL_PORT_FRAME,
17649 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17650 		.doit = nl80211_tx_control_port,
17651 		.flags = GENL_UNS_ADMIN_PERM,
17652 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17653 	},
17654 	{
17655 		.cmd = NL80211_CMD_GET_FTM_RESPONDER_STATS,
17656 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17657 		.doit = nl80211_get_ftm_responder_stats,
17658 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV |
17659 					 NL80211_FLAG_MLO_VALID_LINK_ID),
17660 	},
17661 	{
17662 		.cmd = NL80211_CMD_PEER_MEASUREMENT_START,
17663 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17664 		.doit = nl80211_pmsr_start,
17665 		.flags = GENL_UNS_ADMIN_PERM,
17666 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
17667 	},
17668 	{
17669 		.cmd = NL80211_CMD_NOTIFY_RADAR,
17670 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17671 		.doit = nl80211_notify_radar_detection,
17672 		.flags = GENL_UNS_ADMIN_PERM,
17673 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17674 	},
17675 	{
17676 		.cmd = NL80211_CMD_UPDATE_OWE_INFO,
17677 		.doit = nl80211_update_owe_info,
17678 		.flags = GENL_ADMIN_PERM,
17679 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17680 	},
17681 	{
17682 		.cmd = NL80211_CMD_PROBE_MESH_LINK,
17683 		.doit = nl80211_probe_mesh_link,
17684 		.flags = GENL_UNS_ADMIN_PERM,
17685 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17686 	},
17687 	{
17688 		.cmd = NL80211_CMD_SET_TID_CONFIG,
17689 		.doit = nl80211_set_tid_config,
17690 		.flags = GENL_UNS_ADMIN_PERM,
17691 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV |
17692 					 NL80211_FLAG_MLO_VALID_LINK_ID),
17693 	},
17694 	{
17695 		.cmd = NL80211_CMD_SET_SAR_SPECS,
17696 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17697 		.doit = nl80211_set_sar_specs,
17698 		.flags = GENL_UNS_ADMIN_PERM,
17699 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY |
17700 					 NL80211_FLAG_NEED_RTNL),
17701 	},
17702 	{
17703 		.cmd = NL80211_CMD_COLOR_CHANGE_REQUEST,
17704 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17705 		.doit = nl80211_color_change,
17706 		.flags = GENL_UNS_ADMIN_PERM,
17707 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
17708 					 NL80211_FLAG_MLO_VALID_LINK_ID),
17709 	},
17710 	{
17711 		.cmd = NL80211_CMD_SET_FILS_AAD,
17712 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17713 		.doit = nl80211_set_fils_aad,
17714 		.flags = GENL_UNS_ADMIN_PERM,
17715 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17716 	},
17717 	{
17718 		.cmd = NL80211_CMD_ADD_LINK,
17719 		.doit = nl80211_add_link,
17720 		.flags = GENL_UNS_ADMIN_PERM,
17721 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17722 	},
17723 	{
17724 		.cmd = NL80211_CMD_REMOVE_LINK,
17725 		.doit = nl80211_remove_link,
17726 		.flags = GENL_UNS_ADMIN_PERM,
17727 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
17728 					 NL80211_FLAG_MLO_VALID_LINK_ID),
17729 	},
17730 	{
17731 		.cmd = NL80211_CMD_ADD_LINK_STA,
17732 		.doit = nl80211_add_link_station,
17733 		.flags = GENL_UNS_ADMIN_PERM,
17734 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
17735 					 NL80211_FLAG_MLO_VALID_LINK_ID),
17736 	},
17737 	{
17738 		.cmd = NL80211_CMD_MODIFY_LINK_STA,
17739 		.doit = nl80211_modify_link_station,
17740 		.flags = GENL_UNS_ADMIN_PERM,
17741 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
17742 					 NL80211_FLAG_MLO_VALID_LINK_ID),
17743 	},
17744 	{
17745 		.cmd = NL80211_CMD_REMOVE_LINK_STA,
17746 		.doit = nl80211_remove_link_station,
17747 		.flags = GENL_UNS_ADMIN_PERM,
17748 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
17749 					 NL80211_FLAG_MLO_VALID_LINK_ID),
17750 	},
17751 	{
17752 		.cmd = NL80211_CMD_SET_HW_TIMESTAMP,
17753 		.doit = nl80211_set_hw_timestamp,
17754 		.flags = GENL_UNS_ADMIN_PERM,
17755 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17756 	},
17757 	{
17758 		.cmd = NL80211_CMD_SET_TID_TO_LINK_MAPPING,
17759 		.doit = nl80211_set_ttlm,
17760 		.flags = GENL_UNS_ADMIN_PERM,
17761 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17762 	},
17763 	{
17764 		.cmd = NL80211_CMD_ASSOC_MLO_RECONF,
17765 		.doit = nl80211_assoc_ml_reconf,
17766 		.flags = GENL_UNS_ADMIN_PERM,
17767 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17768 	},
17769 	{
17770 		.cmd = NL80211_CMD_EPCS_CFG,
17771 		.doit = nl80211_epcs_cfg,
17772 		.flags = GENL_UNS_ADMIN_PERM,
17773 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17774 	},
17775 };
17776 
17777 static struct genl_family nl80211_fam __ro_after_init = {
17778 	.name = NL80211_GENL_NAME,	/* have users key off the name instead */
17779 	.hdrsize = 0,			/* no private header */
17780 	.version = 1,			/* no particular meaning now */
17781 	.maxattr = NL80211_ATTR_MAX,
17782 	.policy = nl80211_policy,
17783 	.netnsok = true,
17784 	.pre_doit = nl80211_pre_doit,
17785 	.post_doit = nl80211_post_doit,
17786 	.module = THIS_MODULE,
17787 	.ops = nl80211_ops,
17788 	.n_ops = ARRAY_SIZE(nl80211_ops),
17789 	.small_ops = nl80211_small_ops,
17790 	.n_small_ops = ARRAY_SIZE(nl80211_small_ops),
17791 	.resv_start_op = NL80211_CMD_REMOVE_LINK_STA + 1,
17792 	.mcgrps = nl80211_mcgrps,
17793 	.n_mcgrps = ARRAY_SIZE(nl80211_mcgrps),
17794 	.parallel_ops = true,
17795 };
17796 
17797 /* notification functions */
17798 
17799 void nl80211_notify_wiphy(struct cfg80211_registered_device *rdev,
17800 			  enum nl80211_commands cmd)
17801 {
17802 	struct sk_buff *msg;
17803 	struct nl80211_dump_wiphy_state state = {};
17804 
17805 	WARN_ON(cmd != NL80211_CMD_NEW_WIPHY &&
17806 		cmd != NL80211_CMD_DEL_WIPHY);
17807 
17808 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
17809 	if (!msg)
17810 		return;
17811 
17812 	if (nl80211_send_wiphy(rdev, cmd, msg, 0, 0, 0, &state) < 0) {
17813 		nlmsg_free(msg);
17814 		return;
17815 	}
17816 
17817 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
17818 				NL80211_MCGRP_CONFIG, GFP_KERNEL);
17819 }
17820 
17821 void nl80211_notify_iface(struct cfg80211_registered_device *rdev,
17822 				struct wireless_dev *wdev,
17823 				enum nl80211_commands cmd)
17824 {
17825 	struct sk_buff *msg;
17826 
17827 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
17828 	if (!msg)
17829 		return;
17830 
17831 	if (nl80211_send_iface(msg, 0, 0, 0, rdev, wdev, cmd) < 0) {
17832 		nlmsg_free(msg);
17833 		return;
17834 	}
17835 
17836 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
17837 				NL80211_MCGRP_CONFIG, GFP_KERNEL);
17838 }
17839 
17840 static int nl80211_add_scan_req(struct sk_buff *msg,
17841 				struct cfg80211_registered_device *rdev)
17842 {
17843 	struct cfg80211_scan_request *req = rdev->scan_req;
17844 	struct nlattr *nest;
17845 	int i;
17846 	struct cfg80211_scan_info *info;
17847 
17848 	if (WARN_ON(!req))
17849 		return 0;
17850 
17851 	nest = nla_nest_start_noflag(msg, NL80211_ATTR_SCAN_SSIDS);
17852 	if (!nest)
17853 		goto nla_put_failure;
17854 	for (i = 0; i < req->n_ssids; i++) {
17855 		if (nla_put(msg, i, req->ssids[i].ssid_len, req->ssids[i].ssid))
17856 			goto nla_put_failure;
17857 	}
17858 	nla_nest_end(msg, nest);
17859 
17860 	if (req->flags & NL80211_SCAN_FLAG_FREQ_KHZ) {
17861 		nest = nla_nest_start(msg, NL80211_ATTR_SCAN_FREQ_KHZ);
17862 		if (!nest)
17863 			goto nla_put_failure;
17864 		for (i = 0; i < req->n_channels; i++) {
17865 			if (nla_put_u32(msg, i,
17866 				   ieee80211_channel_to_khz(req->channels[i])))
17867 				goto nla_put_failure;
17868 		}
17869 		nla_nest_end(msg, nest);
17870 	} else {
17871 		nest = nla_nest_start_noflag(msg,
17872 					     NL80211_ATTR_SCAN_FREQUENCIES);
17873 		if (!nest)
17874 			goto nla_put_failure;
17875 		for (i = 0; i < req->n_channels; i++) {
17876 			if (nla_put_u32(msg, i, req->channels[i]->center_freq))
17877 				goto nla_put_failure;
17878 		}
17879 		nla_nest_end(msg, nest);
17880 	}
17881 
17882 	if (req->ie &&
17883 	    nla_put(msg, NL80211_ATTR_IE, req->ie_len, req->ie))
17884 		goto nla_put_failure;
17885 
17886 	if (req->flags &&
17887 	    nla_put_u32(msg, NL80211_ATTR_SCAN_FLAGS, req->flags))
17888 		goto nla_put_failure;
17889 
17890 	info = rdev->int_scan_req ? &rdev->int_scan_req->info :
17891 		&rdev->scan_req->info;
17892 	if (info->scan_start_tsf &&
17893 	    (nla_put_u64_64bit(msg, NL80211_ATTR_SCAN_START_TIME_TSF,
17894 			       info->scan_start_tsf, NL80211_BSS_PAD) ||
17895 	     nla_put(msg, NL80211_ATTR_SCAN_START_TIME_TSF_BSSID, ETH_ALEN,
17896 		     info->tsf_bssid)))
17897 		goto nla_put_failure;
17898 
17899 	return 0;
17900  nla_put_failure:
17901 	return -ENOBUFS;
17902 }
17903 
17904 static int nl80211_prep_scan_msg(struct sk_buff *msg,
17905 				 struct cfg80211_registered_device *rdev,
17906 				 struct wireless_dev *wdev,
17907 				 u32 portid, u32 seq, int flags,
17908 				 u32 cmd)
17909 {
17910 	void *hdr;
17911 
17912 	hdr = nl80211hdr_put(msg, portid, seq, flags, cmd);
17913 	if (!hdr)
17914 		return -1;
17915 
17916 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
17917 	    (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
17918 					 wdev->netdev->ifindex)) ||
17919 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
17920 			      NL80211_ATTR_PAD))
17921 		goto nla_put_failure;
17922 
17923 	/* ignore errors and send incomplete event anyway */
17924 	nl80211_add_scan_req(msg, rdev);
17925 
17926 	genlmsg_end(msg, hdr);
17927 	return 0;
17928 
17929  nla_put_failure:
17930 	genlmsg_cancel(msg, hdr);
17931 	return -EMSGSIZE;
17932 }
17933 
17934 static int
17935 nl80211_prep_sched_scan_msg(struct sk_buff *msg,
17936 			    struct cfg80211_sched_scan_request *req, u32 cmd)
17937 {
17938 	void *hdr;
17939 
17940 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
17941 	if (!hdr)
17942 		return -1;
17943 
17944 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY,
17945 			wiphy_to_rdev(req->wiphy)->wiphy_idx) ||
17946 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, req->dev->ifindex) ||
17947 	    nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, req->reqid,
17948 			      NL80211_ATTR_PAD))
17949 		goto nla_put_failure;
17950 
17951 	genlmsg_end(msg, hdr);
17952 	return 0;
17953 
17954  nla_put_failure:
17955 	genlmsg_cancel(msg, hdr);
17956 	return -EMSGSIZE;
17957 }
17958 
17959 void nl80211_send_scan_start(struct cfg80211_registered_device *rdev,
17960 			     struct wireless_dev *wdev)
17961 {
17962 	struct sk_buff *msg;
17963 
17964 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
17965 	if (!msg)
17966 		return;
17967 
17968 	if (nl80211_prep_scan_msg(msg, rdev, wdev, 0, 0, 0,
17969 				  NL80211_CMD_TRIGGER_SCAN) < 0) {
17970 		nlmsg_free(msg);
17971 		return;
17972 	}
17973 
17974 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
17975 				NL80211_MCGRP_SCAN, GFP_KERNEL);
17976 }
17977 
17978 struct sk_buff *nl80211_build_scan_msg(struct cfg80211_registered_device *rdev,
17979 				       struct wireless_dev *wdev, bool aborted)
17980 {
17981 	struct sk_buff *msg;
17982 
17983 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
17984 	if (!msg)
17985 		return NULL;
17986 
17987 	if (nl80211_prep_scan_msg(msg, rdev, wdev, 0, 0, 0,
17988 				  aborted ? NL80211_CMD_SCAN_ABORTED :
17989 					    NL80211_CMD_NEW_SCAN_RESULTS) < 0) {
17990 		nlmsg_free(msg);
17991 		return NULL;
17992 	}
17993 
17994 	return msg;
17995 }
17996 
17997 /* send message created by nl80211_build_scan_msg() */
17998 void nl80211_send_scan_msg(struct cfg80211_registered_device *rdev,
17999 			   struct sk_buff *msg)
18000 {
18001 	if (!msg)
18002 		return;
18003 
18004 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18005 				NL80211_MCGRP_SCAN, GFP_KERNEL);
18006 }
18007 
18008 void nl80211_send_sched_scan(struct cfg80211_sched_scan_request *req, u32 cmd)
18009 {
18010 	struct sk_buff *msg;
18011 
18012 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
18013 	if (!msg)
18014 		return;
18015 
18016 	if (nl80211_prep_sched_scan_msg(msg, req, cmd) < 0) {
18017 		nlmsg_free(msg);
18018 		return;
18019 	}
18020 
18021 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(req->wiphy), msg, 0,
18022 				NL80211_MCGRP_SCAN, GFP_KERNEL);
18023 }
18024 
18025 static bool nl80211_reg_change_event_fill(struct sk_buff *msg,
18026 					  struct regulatory_request *request)
18027 {
18028 	/* Userspace can always count this one always being set */
18029 	if (nla_put_u8(msg, NL80211_ATTR_REG_INITIATOR, request->initiator))
18030 		goto nla_put_failure;
18031 
18032 	if (request->alpha2[0] == '0' && request->alpha2[1] == '0') {
18033 		if (nla_put_u8(msg, NL80211_ATTR_REG_TYPE,
18034 			       NL80211_REGDOM_TYPE_WORLD))
18035 			goto nla_put_failure;
18036 	} else if (request->alpha2[0] == '9' && request->alpha2[1] == '9') {
18037 		if (nla_put_u8(msg, NL80211_ATTR_REG_TYPE,
18038 			       NL80211_REGDOM_TYPE_CUSTOM_WORLD))
18039 			goto nla_put_failure;
18040 	} else if ((request->alpha2[0] == '9' && request->alpha2[1] == '8') ||
18041 		   request->intersect) {
18042 		if (nla_put_u8(msg, NL80211_ATTR_REG_TYPE,
18043 			       NL80211_REGDOM_TYPE_INTERSECTION))
18044 			goto nla_put_failure;
18045 	} else {
18046 		if (nla_put_u8(msg, NL80211_ATTR_REG_TYPE,
18047 			       NL80211_REGDOM_TYPE_COUNTRY) ||
18048 		    nla_put_string(msg, NL80211_ATTR_REG_ALPHA2,
18049 				   request->alpha2))
18050 			goto nla_put_failure;
18051 	}
18052 
18053 	if (request->wiphy_idx != WIPHY_IDX_INVALID) {
18054 		struct wiphy *wiphy = wiphy_idx_to_wiphy(request->wiphy_idx);
18055 
18056 		if (wiphy &&
18057 		    nla_put_u32(msg, NL80211_ATTR_WIPHY, request->wiphy_idx))
18058 			goto nla_put_failure;
18059 
18060 		if (wiphy &&
18061 		    wiphy->regulatory_flags & REGULATORY_WIPHY_SELF_MANAGED &&
18062 		    nla_put_flag(msg, NL80211_ATTR_WIPHY_SELF_MANAGED_REG))
18063 			goto nla_put_failure;
18064 	}
18065 
18066 	return true;
18067 
18068 nla_put_failure:
18069 	return false;
18070 }
18071 
18072 /*
18073  * This can happen on global regulatory changes or device specific settings
18074  * based on custom regulatory domains.
18075  */
18076 void nl80211_common_reg_change_event(enum nl80211_commands cmd_id,
18077 				     struct regulatory_request *request)
18078 {
18079 	struct sk_buff *msg;
18080 	void *hdr;
18081 
18082 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
18083 	if (!msg)
18084 		return;
18085 
18086 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd_id);
18087 	if (!hdr)
18088 		goto nla_put_failure;
18089 
18090 	if (!nl80211_reg_change_event_fill(msg, request))
18091 		goto nla_put_failure;
18092 
18093 	genlmsg_end(msg, hdr);
18094 
18095 	genlmsg_multicast_allns(&nl80211_fam, msg, 0,
18096 				NL80211_MCGRP_REGULATORY);
18097 
18098 	return;
18099 
18100 nla_put_failure:
18101 	nlmsg_free(msg);
18102 }
18103 
18104 struct nl80211_mlme_event {
18105 	enum nl80211_commands cmd;
18106 	const u8 *buf;
18107 	size_t buf_len;
18108 	int uapsd_queues;
18109 	const u8 *req_ies;
18110 	size_t req_ies_len;
18111 	bool reconnect;
18112 };
18113 
18114 static void nl80211_send_mlme_event(struct cfg80211_registered_device *rdev,
18115 				    struct net_device *netdev,
18116 				    const struct nl80211_mlme_event *event,
18117 				    gfp_t gfp)
18118 {
18119 	struct sk_buff *msg;
18120 	void *hdr;
18121 
18122 	msg = nlmsg_new(100 + event->buf_len + event->req_ies_len, gfp);
18123 	if (!msg)
18124 		return;
18125 
18126 	hdr = nl80211hdr_put(msg, 0, 0, 0, event->cmd);
18127 	if (!hdr) {
18128 		nlmsg_free(msg);
18129 		return;
18130 	}
18131 
18132 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18133 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
18134 	    nla_put(msg, NL80211_ATTR_FRAME, event->buf_len, event->buf) ||
18135 	    (event->req_ies &&
18136 	     nla_put(msg, NL80211_ATTR_REQ_IE, event->req_ies_len,
18137 		     event->req_ies)))
18138 		goto nla_put_failure;
18139 
18140 	if (event->reconnect &&
18141 	    nla_put_flag(msg, NL80211_ATTR_RECONNECT_REQUESTED))
18142 		goto nla_put_failure;
18143 
18144 	if (event->uapsd_queues >= 0) {
18145 		struct nlattr *nla_wmm =
18146 			nla_nest_start_noflag(msg, NL80211_ATTR_STA_WME);
18147 		if (!nla_wmm)
18148 			goto nla_put_failure;
18149 
18150 		if (nla_put_u8(msg, NL80211_STA_WME_UAPSD_QUEUES,
18151 			       event->uapsd_queues))
18152 			goto nla_put_failure;
18153 
18154 		nla_nest_end(msg, nla_wmm);
18155 	}
18156 
18157 	genlmsg_end(msg, hdr);
18158 
18159 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18160 				NL80211_MCGRP_MLME, gfp);
18161 	return;
18162 
18163  nla_put_failure:
18164 	nlmsg_free(msg);
18165 }
18166 
18167 void nl80211_send_rx_auth(struct cfg80211_registered_device *rdev,
18168 			  struct net_device *netdev, const u8 *buf,
18169 			  size_t len, gfp_t gfp)
18170 {
18171 	struct nl80211_mlme_event event = {
18172 		.cmd = NL80211_CMD_AUTHENTICATE,
18173 		.buf = buf,
18174 		.buf_len = len,
18175 		.uapsd_queues = -1,
18176 	};
18177 
18178 	nl80211_send_mlme_event(rdev, netdev, &event, gfp);
18179 }
18180 
18181 void nl80211_send_rx_assoc(struct cfg80211_registered_device *rdev,
18182 			   struct net_device *netdev,
18183 			   const struct cfg80211_rx_assoc_resp_data *data)
18184 {
18185 	struct nl80211_mlme_event event = {
18186 		.cmd = NL80211_CMD_ASSOCIATE,
18187 		.buf = data->buf,
18188 		.buf_len = data->len,
18189 		.uapsd_queues = data->uapsd_queues,
18190 		.req_ies = data->req_ies,
18191 		.req_ies_len = data->req_ies_len,
18192 	};
18193 
18194 	nl80211_send_mlme_event(rdev, netdev, &event, GFP_KERNEL);
18195 }
18196 
18197 void nl80211_send_deauth(struct cfg80211_registered_device *rdev,
18198 			 struct net_device *netdev, const u8 *buf,
18199 			 size_t len, bool reconnect, gfp_t gfp)
18200 {
18201 	struct nl80211_mlme_event event = {
18202 		.cmd = NL80211_CMD_DEAUTHENTICATE,
18203 		.buf = buf,
18204 		.buf_len = len,
18205 		.reconnect = reconnect,
18206 		.uapsd_queues = -1,
18207 	};
18208 
18209 	nl80211_send_mlme_event(rdev, netdev, &event, gfp);
18210 }
18211 
18212 void nl80211_send_disassoc(struct cfg80211_registered_device *rdev,
18213 			   struct net_device *netdev, const u8 *buf,
18214 			   size_t len, bool reconnect, gfp_t gfp)
18215 {
18216 	struct nl80211_mlme_event event = {
18217 		.cmd = NL80211_CMD_DISASSOCIATE,
18218 		.buf = buf,
18219 		.buf_len = len,
18220 		.reconnect = reconnect,
18221 		.uapsd_queues = -1,
18222 	};
18223 
18224 	nl80211_send_mlme_event(rdev, netdev, &event, gfp);
18225 }
18226 
18227 void cfg80211_rx_unprot_mlme_mgmt(struct net_device *dev, const u8 *buf,
18228 				  size_t len)
18229 {
18230 	struct wireless_dev *wdev = dev->ieee80211_ptr;
18231 	struct wiphy *wiphy = wdev->wiphy;
18232 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
18233 	const struct ieee80211_mgmt *mgmt = (void *)buf;
18234 	struct nl80211_mlme_event event = {
18235 		.buf = buf,
18236 		.buf_len = len,
18237 		.uapsd_queues = -1,
18238 	};
18239 
18240 	if (WARN_ON(len < 2))
18241 		return;
18242 
18243 	if (ieee80211_is_deauth(mgmt->frame_control)) {
18244 		event.cmd = NL80211_CMD_UNPROT_DEAUTHENTICATE;
18245 	} else if (ieee80211_is_disassoc(mgmt->frame_control)) {
18246 		event.cmd = NL80211_CMD_UNPROT_DISASSOCIATE;
18247 	} else if (ieee80211_is_beacon(mgmt->frame_control)) {
18248 		if (wdev->unprot_beacon_reported &&
18249 		    elapsed_jiffies_msecs(wdev->unprot_beacon_reported) < 10000)
18250 			return;
18251 		event.cmd = NL80211_CMD_UNPROT_BEACON;
18252 		wdev->unprot_beacon_reported = jiffies;
18253 	} else {
18254 		return;
18255 	}
18256 
18257 	trace_cfg80211_rx_unprot_mlme_mgmt(dev, buf, len);
18258 	nl80211_send_mlme_event(rdev, dev, &event, GFP_ATOMIC);
18259 }
18260 EXPORT_SYMBOL(cfg80211_rx_unprot_mlme_mgmt);
18261 
18262 static void nl80211_send_mlme_timeout(struct cfg80211_registered_device *rdev,
18263 				      struct net_device *netdev, int cmd,
18264 				      const u8 *addr, gfp_t gfp)
18265 {
18266 	struct sk_buff *msg;
18267 	void *hdr;
18268 
18269 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
18270 	if (!msg)
18271 		return;
18272 
18273 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
18274 	if (!hdr) {
18275 		nlmsg_free(msg);
18276 		return;
18277 	}
18278 
18279 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18280 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
18281 	    nla_put_flag(msg, NL80211_ATTR_TIMED_OUT) ||
18282 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr))
18283 		goto nla_put_failure;
18284 
18285 	genlmsg_end(msg, hdr);
18286 
18287 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18288 				NL80211_MCGRP_MLME, gfp);
18289 	return;
18290 
18291  nla_put_failure:
18292 	nlmsg_free(msg);
18293 }
18294 
18295 void nl80211_send_auth_timeout(struct cfg80211_registered_device *rdev,
18296 			       struct net_device *netdev, const u8 *addr,
18297 			       gfp_t gfp)
18298 {
18299 	nl80211_send_mlme_timeout(rdev, netdev, NL80211_CMD_AUTHENTICATE,
18300 				  addr, gfp);
18301 }
18302 
18303 void nl80211_send_assoc_timeout(struct cfg80211_registered_device *rdev,
18304 				struct net_device *netdev, const u8 *addr,
18305 				gfp_t gfp)
18306 {
18307 	nl80211_send_mlme_timeout(rdev, netdev, NL80211_CMD_ASSOCIATE,
18308 				  addr, gfp);
18309 }
18310 
18311 void nl80211_send_connect_result(struct cfg80211_registered_device *rdev,
18312 				 struct net_device *netdev,
18313 				 struct cfg80211_connect_resp_params *cr,
18314 				 gfp_t gfp)
18315 {
18316 	struct sk_buff *msg;
18317 	void *hdr;
18318 	unsigned int link;
18319 	size_t link_info_size = 0;
18320 	const u8 *connected_addr = cr->valid_links ?
18321 				   cr->ap_mld_addr : cr->links[0].bssid;
18322 
18323 	if (cr->valid_links) {
18324 		for_each_valid_link(cr, link) {
18325 			/* Nested attribute header */
18326 			link_info_size += NLA_HDRLEN;
18327 			/* Link ID */
18328 			link_info_size += nla_total_size(sizeof(u8));
18329 			link_info_size += cr->links[link].addr ?
18330 					  nla_total_size(ETH_ALEN) : 0;
18331 			link_info_size += (cr->links[link].bssid ||
18332 					   cr->links[link].bss) ?
18333 					  nla_total_size(ETH_ALEN) : 0;
18334 			link_info_size += nla_total_size(sizeof(u16));
18335 		}
18336 	}
18337 
18338 	msg = nlmsg_new(100 + cr->req_ie_len + cr->resp_ie_len +
18339 			cr->fils.kek_len + cr->fils.pmk_len +
18340 			(cr->fils.pmkid ? WLAN_PMKID_LEN : 0) + link_info_size,
18341 			gfp);
18342 	if (!msg)
18343 		return;
18344 
18345 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_CONNECT);
18346 	if (!hdr) {
18347 		nlmsg_free(msg);
18348 		return;
18349 	}
18350 
18351 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18352 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
18353 	    (connected_addr &&
18354 	     nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, connected_addr)) ||
18355 	    nla_put_u16(msg, NL80211_ATTR_STATUS_CODE,
18356 			cr->status < 0 ? WLAN_STATUS_UNSPECIFIED_FAILURE :
18357 			cr->status) ||
18358 	    (cr->status < 0 &&
18359 	     (nla_put_flag(msg, NL80211_ATTR_TIMED_OUT) ||
18360 	      nla_put_u32(msg, NL80211_ATTR_TIMEOUT_REASON,
18361 			  cr->timeout_reason))) ||
18362 	    (cr->req_ie &&
18363 	     nla_put(msg, NL80211_ATTR_REQ_IE, cr->req_ie_len, cr->req_ie)) ||
18364 	    (cr->resp_ie &&
18365 	     nla_put(msg, NL80211_ATTR_RESP_IE, cr->resp_ie_len,
18366 		     cr->resp_ie)) ||
18367 	    (cr->fils.update_erp_next_seq_num &&
18368 	     nla_put_u16(msg, NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM,
18369 			 cr->fils.erp_next_seq_num)) ||
18370 	    (cr->status == WLAN_STATUS_SUCCESS &&
18371 	     ((cr->fils.kek &&
18372 	       nla_put(msg, NL80211_ATTR_FILS_KEK, cr->fils.kek_len,
18373 		       cr->fils.kek)) ||
18374 	      (cr->fils.pmk &&
18375 	       nla_put(msg, NL80211_ATTR_PMK, cr->fils.pmk_len, cr->fils.pmk)) ||
18376 	      (cr->fils.pmkid &&
18377 	       nla_put(msg, NL80211_ATTR_PMKID, WLAN_PMKID_LEN, cr->fils.pmkid)))))
18378 		goto nla_put_failure;
18379 
18380 	if (cr->valid_links) {
18381 		int i = 1;
18382 		struct nlattr *nested;
18383 
18384 		nested = nla_nest_start(msg, NL80211_ATTR_MLO_LINKS);
18385 		if (!nested)
18386 			goto nla_put_failure;
18387 
18388 		for_each_valid_link(cr, link) {
18389 			struct nlattr *nested_mlo_links;
18390 			const u8 *bssid = cr->links[link].bss ?
18391 					  cr->links[link].bss->bssid :
18392 					  cr->links[link].bssid;
18393 
18394 			nested_mlo_links = nla_nest_start(msg, i);
18395 			if (!nested_mlo_links)
18396 				goto nla_put_failure;
18397 
18398 			if (nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID, link) ||
18399 			    (bssid &&
18400 			     nla_put(msg, NL80211_ATTR_BSSID, ETH_ALEN, bssid)) ||
18401 			    (cr->links[link].addr &&
18402 			     nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN,
18403 				     cr->links[link].addr)) ||
18404 			    nla_put_u16(msg, NL80211_ATTR_STATUS_CODE,
18405 					cr->links[link].status))
18406 				goto nla_put_failure;
18407 
18408 			nla_nest_end(msg, nested_mlo_links);
18409 			i++;
18410 		}
18411 		nla_nest_end(msg, nested);
18412 	}
18413 
18414 	genlmsg_end(msg, hdr);
18415 
18416 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18417 				NL80211_MCGRP_MLME, gfp);
18418 	return;
18419 
18420  nla_put_failure:
18421 	nlmsg_free(msg);
18422 }
18423 
18424 void nl80211_send_roamed(struct cfg80211_registered_device *rdev,
18425 			 struct net_device *netdev,
18426 			 struct cfg80211_roam_info *info, gfp_t gfp)
18427 {
18428 	struct sk_buff *msg;
18429 	void *hdr;
18430 	size_t link_info_size = 0;
18431 	unsigned int link;
18432 	const u8 *connected_addr = info->ap_mld_addr ?
18433 				   info->ap_mld_addr :
18434 				   (info->links[0].bss ?
18435 				    info->links[0].bss->bssid :
18436 				    info->links[0].bssid);
18437 
18438 	if (info->valid_links) {
18439 		for_each_valid_link(info, link) {
18440 			/* Nested attribute header */
18441 			link_info_size += NLA_HDRLEN;
18442 			/* Link ID */
18443 			link_info_size += nla_total_size(sizeof(u8));
18444 			link_info_size += info->links[link].addr ?
18445 					  nla_total_size(ETH_ALEN) : 0;
18446 			link_info_size += (info->links[link].bssid ||
18447 					   info->links[link].bss) ?
18448 					  nla_total_size(ETH_ALEN) : 0;
18449 		}
18450 	}
18451 
18452 	msg = nlmsg_new(100 + info->req_ie_len + info->resp_ie_len +
18453 			info->fils.kek_len + info->fils.pmk_len +
18454 			(info->fils.pmkid ? WLAN_PMKID_LEN : 0) +
18455 			link_info_size, gfp);
18456 	if (!msg)
18457 		return;
18458 
18459 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_ROAM);
18460 	if (!hdr) {
18461 		nlmsg_free(msg);
18462 		return;
18463 	}
18464 
18465 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18466 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
18467 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, connected_addr) ||
18468 	    (info->req_ie &&
18469 	     nla_put(msg, NL80211_ATTR_REQ_IE, info->req_ie_len,
18470 		     info->req_ie)) ||
18471 	    (info->resp_ie &&
18472 	     nla_put(msg, NL80211_ATTR_RESP_IE, info->resp_ie_len,
18473 		     info->resp_ie)) ||
18474 	    (info->fils.update_erp_next_seq_num &&
18475 	     nla_put_u16(msg, NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM,
18476 			 info->fils.erp_next_seq_num)) ||
18477 	    (info->fils.kek &&
18478 	     nla_put(msg, NL80211_ATTR_FILS_KEK, info->fils.kek_len,
18479 		     info->fils.kek)) ||
18480 	    (info->fils.pmk &&
18481 	     nla_put(msg, NL80211_ATTR_PMK, info->fils.pmk_len, info->fils.pmk)) ||
18482 	    (info->fils.pmkid &&
18483 	     nla_put(msg, NL80211_ATTR_PMKID, WLAN_PMKID_LEN, info->fils.pmkid)))
18484 		goto nla_put_failure;
18485 
18486 	if (info->valid_links) {
18487 		int i = 1;
18488 		struct nlattr *nested;
18489 
18490 		nested = nla_nest_start(msg, NL80211_ATTR_MLO_LINKS);
18491 		if (!nested)
18492 			goto nla_put_failure;
18493 
18494 		for_each_valid_link(info, link) {
18495 			struct nlattr *nested_mlo_links;
18496 			const u8 *bssid = info->links[link].bss ?
18497 					  info->links[link].bss->bssid :
18498 					  info->links[link].bssid;
18499 
18500 			nested_mlo_links = nla_nest_start(msg, i);
18501 			if (!nested_mlo_links)
18502 				goto nla_put_failure;
18503 
18504 			if (nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID, link) ||
18505 			    (bssid &&
18506 			     nla_put(msg, NL80211_ATTR_BSSID, ETH_ALEN, bssid)) ||
18507 			    (info->links[link].addr &&
18508 			     nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN,
18509 				     info->links[link].addr)))
18510 				goto nla_put_failure;
18511 
18512 			nla_nest_end(msg, nested_mlo_links);
18513 			i++;
18514 		}
18515 		nla_nest_end(msg, nested);
18516 	}
18517 
18518 	genlmsg_end(msg, hdr);
18519 
18520 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18521 				NL80211_MCGRP_MLME, gfp);
18522 	return;
18523 
18524  nla_put_failure:
18525 	nlmsg_free(msg);
18526 }
18527 
18528 void nl80211_send_port_authorized(struct cfg80211_registered_device *rdev,
18529 				  struct net_device *netdev, const u8 *peer_addr,
18530 				  const u8 *td_bitmap, u8 td_bitmap_len)
18531 {
18532 	struct sk_buff *msg;
18533 	void *hdr;
18534 
18535 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
18536 	if (!msg)
18537 		return;
18538 
18539 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_PORT_AUTHORIZED);
18540 	if (!hdr) {
18541 		nlmsg_free(msg);
18542 		return;
18543 	}
18544 
18545 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18546 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
18547 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, peer_addr))
18548 		goto nla_put_failure;
18549 
18550 	if (td_bitmap_len > 0 && td_bitmap &&
18551 	    nla_put(msg, NL80211_ATTR_TD_BITMAP, td_bitmap_len, td_bitmap))
18552 		goto nla_put_failure;
18553 
18554 	genlmsg_end(msg, hdr);
18555 
18556 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18557 				NL80211_MCGRP_MLME, GFP_KERNEL);
18558 	return;
18559 
18560  nla_put_failure:
18561 	nlmsg_free(msg);
18562 }
18563 
18564 void nl80211_send_disconnected(struct cfg80211_registered_device *rdev,
18565 			       struct net_device *netdev, u16 reason,
18566 			       const u8 *ie, size_t ie_len, bool from_ap)
18567 {
18568 	struct sk_buff *msg;
18569 	void *hdr;
18570 
18571 	msg = nlmsg_new(100 + ie_len, GFP_KERNEL);
18572 	if (!msg)
18573 		return;
18574 
18575 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_DISCONNECT);
18576 	if (!hdr) {
18577 		nlmsg_free(msg);
18578 		return;
18579 	}
18580 
18581 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18582 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
18583 	    (reason &&
18584 	     nla_put_u16(msg, NL80211_ATTR_REASON_CODE, reason)) ||
18585 	    (from_ap &&
18586 	     nla_put_flag(msg, NL80211_ATTR_DISCONNECTED_BY_AP)) ||
18587 	    (ie && nla_put(msg, NL80211_ATTR_IE, ie_len, ie)))
18588 		goto nla_put_failure;
18589 
18590 	genlmsg_end(msg, hdr);
18591 
18592 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18593 				NL80211_MCGRP_MLME, GFP_KERNEL);
18594 	return;
18595 
18596  nla_put_failure:
18597 	nlmsg_free(msg);
18598 }
18599 
18600 void cfg80211_links_removed(struct net_device *dev, u16 link_mask)
18601 {
18602 	struct wireless_dev *wdev = dev->ieee80211_ptr;
18603 	struct wiphy *wiphy = wdev->wiphy;
18604 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
18605 	struct sk_buff *msg;
18606 	struct nlattr *links;
18607 	void *hdr;
18608 
18609 	lockdep_assert_wiphy(wdev->wiphy);
18610 	trace_cfg80211_links_removed(dev, link_mask);
18611 
18612 	if (WARN_ON(wdev->iftype != NL80211_IFTYPE_STATION &&
18613 		    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT))
18614 		return;
18615 
18616 	if (WARN_ON(!wdev->valid_links || !link_mask ||
18617 		    (wdev->valid_links & link_mask) != link_mask ||
18618 		    wdev->valid_links == link_mask))
18619 		return;
18620 
18621 	cfg80211_wdev_release_link_bsses(wdev, link_mask);
18622 	wdev->valid_links &= ~link_mask;
18623 
18624 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
18625 	if (!msg)
18626 		return;
18627 
18628 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_LINKS_REMOVED);
18629 	if (!hdr) {
18630 		nlmsg_free(msg);
18631 		return;
18632 	}
18633 
18634 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18635 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
18636 		goto nla_put_failure;
18637 
18638 	links = nla_nest_start(msg, NL80211_ATTR_MLO_LINKS);
18639 	if (!links)
18640 		goto nla_put_failure;
18641 
18642 	while (link_mask) {
18643 		struct nlattr *link;
18644 		int link_id = __ffs(link_mask);
18645 
18646 		link = nla_nest_start(msg, link_id + 1);
18647 		if (!link)
18648 			goto nla_put_failure;
18649 
18650 		if (nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID, link_id))
18651 			goto nla_put_failure;
18652 
18653 		nla_nest_end(msg, link);
18654 		link_mask &= ~(1 << link_id);
18655 	}
18656 
18657 	nla_nest_end(msg, links);
18658 
18659 	genlmsg_end(msg, hdr);
18660 
18661 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18662 				NL80211_MCGRP_MLME, GFP_KERNEL);
18663 	return;
18664 
18665  nla_put_failure:
18666 	nlmsg_free(msg);
18667 }
18668 EXPORT_SYMBOL(cfg80211_links_removed);
18669 
18670 void nl80211_mlo_reconf_add_done(struct net_device *dev,
18671 				 struct cfg80211_mlo_reconf_done_data *data)
18672 {
18673 	struct wireless_dev *wdev = dev->ieee80211_ptr;
18674 	struct wiphy *wiphy = wdev->wiphy;
18675 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
18676 	struct nl80211_mlme_event event = {
18677 		.cmd = NL80211_CMD_ASSOC_MLO_RECONF,
18678 		.buf = data->buf,
18679 		.buf_len = data->len,
18680 		.uapsd_queues = -1,
18681 	};
18682 
18683 	nl80211_send_mlme_event(rdev, dev, &event, GFP_KERNEL);
18684 }
18685 EXPORT_SYMBOL(nl80211_mlo_reconf_add_done);
18686 
18687 void nl80211_send_ibss_bssid(struct cfg80211_registered_device *rdev,
18688 			     struct net_device *netdev, const u8 *bssid,
18689 			     gfp_t gfp)
18690 {
18691 	struct sk_buff *msg;
18692 	void *hdr;
18693 
18694 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
18695 	if (!msg)
18696 		return;
18697 
18698 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_JOIN_IBSS);
18699 	if (!hdr) {
18700 		nlmsg_free(msg);
18701 		return;
18702 	}
18703 
18704 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18705 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
18706 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, bssid))
18707 		goto nla_put_failure;
18708 
18709 	genlmsg_end(msg, hdr);
18710 
18711 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18712 				NL80211_MCGRP_MLME, gfp);
18713 	return;
18714 
18715  nla_put_failure:
18716 	nlmsg_free(msg);
18717 }
18718 
18719 void cfg80211_notify_new_peer_candidate(struct net_device *dev, const u8 *addr,
18720 					const u8 *ie, u8 ie_len,
18721 					int sig_dbm, gfp_t gfp)
18722 {
18723 	struct wireless_dev *wdev = dev->ieee80211_ptr;
18724 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
18725 	struct sk_buff *msg;
18726 	void *hdr;
18727 
18728 	if (WARN_ON(wdev->iftype != NL80211_IFTYPE_MESH_POINT))
18729 		return;
18730 
18731 	trace_cfg80211_notify_new_peer_candidate(dev, addr);
18732 
18733 	msg = nlmsg_new(100 + ie_len, gfp);
18734 	if (!msg)
18735 		return;
18736 
18737 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_NEW_PEER_CANDIDATE);
18738 	if (!hdr) {
18739 		nlmsg_free(msg);
18740 		return;
18741 	}
18742 
18743 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18744 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
18745 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr) ||
18746 	    (ie_len && ie &&
18747 	     nla_put(msg, NL80211_ATTR_IE, ie_len, ie)) ||
18748 	    (sig_dbm &&
18749 	     nla_put_u32(msg, NL80211_ATTR_RX_SIGNAL_DBM, sig_dbm)))
18750 		goto nla_put_failure;
18751 
18752 	genlmsg_end(msg, hdr);
18753 
18754 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18755 				NL80211_MCGRP_MLME, gfp);
18756 	return;
18757 
18758  nla_put_failure:
18759 	nlmsg_free(msg);
18760 }
18761 EXPORT_SYMBOL(cfg80211_notify_new_peer_candidate);
18762 
18763 void nl80211_michael_mic_failure(struct cfg80211_registered_device *rdev,
18764 				 struct net_device *netdev, const u8 *addr,
18765 				 enum nl80211_key_type key_type, int key_id,
18766 				 const u8 *tsc, gfp_t gfp)
18767 {
18768 	struct sk_buff *msg;
18769 	void *hdr;
18770 
18771 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
18772 	if (!msg)
18773 		return;
18774 
18775 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_MICHAEL_MIC_FAILURE);
18776 	if (!hdr) {
18777 		nlmsg_free(msg);
18778 		return;
18779 	}
18780 
18781 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18782 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
18783 	    (addr && nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr)) ||
18784 	    nla_put_u32(msg, NL80211_ATTR_KEY_TYPE, key_type) ||
18785 	    (key_id != -1 &&
18786 	     nla_put_u8(msg, NL80211_ATTR_KEY_IDX, key_id)) ||
18787 	    (tsc && nla_put(msg, NL80211_ATTR_KEY_SEQ, 6, tsc)))
18788 		goto nla_put_failure;
18789 
18790 	genlmsg_end(msg, hdr);
18791 
18792 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18793 				NL80211_MCGRP_MLME, gfp);
18794 	return;
18795 
18796  nla_put_failure:
18797 	nlmsg_free(msg);
18798 }
18799 
18800 void nl80211_send_beacon_hint_event(struct wiphy *wiphy,
18801 				    struct ieee80211_channel *channel_before,
18802 				    struct ieee80211_channel *channel_after)
18803 {
18804 	struct sk_buff *msg;
18805 	void *hdr;
18806 	struct nlattr *nl_freq;
18807 
18808 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_ATOMIC);
18809 	if (!msg)
18810 		return;
18811 
18812 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_REG_BEACON_HINT);
18813 	if (!hdr) {
18814 		nlmsg_free(msg);
18815 		return;
18816 	}
18817 
18818 	/*
18819 	 * Since we are applying the beacon hint to a wiphy we know its
18820 	 * wiphy_idx is valid
18821 	 */
18822 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, get_wiphy_idx(wiphy)))
18823 		goto nla_put_failure;
18824 
18825 	/* Before */
18826 	nl_freq = nla_nest_start_noflag(msg, NL80211_ATTR_FREQ_BEFORE);
18827 	if (!nl_freq)
18828 		goto nla_put_failure;
18829 
18830 	if (nl80211_msg_put_channel(msg, wiphy, channel_before, false))
18831 		goto nla_put_failure;
18832 	nla_nest_end(msg, nl_freq);
18833 
18834 	/* After */
18835 	nl_freq = nla_nest_start_noflag(msg, NL80211_ATTR_FREQ_AFTER);
18836 	if (!nl_freq)
18837 		goto nla_put_failure;
18838 
18839 	if (nl80211_msg_put_channel(msg, wiphy, channel_after, false))
18840 		goto nla_put_failure;
18841 	nla_nest_end(msg, nl_freq);
18842 
18843 	genlmsg_end(msg, hdr);
18844 
18845 	genlmsg_multicast_allns(&nl80211_fam, msg, 0,
18846 				NL80211_MCGRP_REGULATORY);
18847 
18848 	return;
18849 
18850 nla_put_failure:
18851 	nlmsg_free(msg);
18852 }
18853 
18854 static void nl80211_send_remain_on_chan_event(
18855 	int cmd, struct cfg80211_registered_device *rdev,
18856 	struct wireless_dev *wdev, u64 cookie,
18857 	struct ieee80211_channel *chan,
18858 	unsigned int duration, gfp_t gfp)
18859 {
18860 	struct sk_buff *msg;
18861 	void *hdr;
18862 
18863 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
18864 	if (!msg)
18865 		return;
18866 
18867 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
18868 	if (!hdr) {
18869 		nlmsg_free(msg);
18870 		return;
18871 	}
18872 
18873 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18874 	    (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
18875 					 wdev->netdev->ifindex)) ||
18876 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
18877 			      NL80211_ATTR_PAD) ||
18878 	    nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ, chan->center_freq) ||
18879 	    nla_put_u32(msg, NL80211_ATTR_WIPHY_CHANNEL_TYPE,
18880 			NL80211_CHAN_NO_HT) ||
18881 	    nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
18882 			      NL80211_ATTR_PAD))
18883 		goto nla_put_failure;
18884 
18885 	if (cmd == NL80211_CMD_REMAIN_ON_CHANNEL &&
18886 	    nla_put_u32(msg, NL80211_ATTR_DURATION, duration))
18887 		goto nla_put_failure;
18888 
18889 	genlmsg_end(msg, hdr);
18890 
18891 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18892 				NL80211_MCGRP_MLME, gfp);
18893 	return;
18894 
18895  nla_put_failure:
18896 	nlmsg_free(msg);
18897 }
18898 
18899 void cfg80211_assoc_comeback(struct net_device *netdev,
18900 			     const u8 *ap_addr, u32 timeout)
18901 {
18902 	struct wireless_dev *wdev = netdev->ieee80211_ptr;
18903 	struct wiphy *wiphy = wdev->wiphy;
18904 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
18905 	struct sk_buff *msg;
18906 	void *hdr;
18907 
18908 	trace_cfg80211_assoc_comeback(wdev, ap_addr, timeout);
18909 
18910 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
18911 	if (!msg)
18912 		return;
18913 
18914 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_ASSOC_COMEBACK);
18915 	if (!hdr) {
18916 		nlmsg_free(msg);
18917 		return;
18918 	}
18919 
18920 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18921 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
18922 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, ap_addr) ||
18923 	    nla_put_u32(msg, NL80211_ATTR_TIMEOUT, timeout))
18924 		goto nla_put_failure;
18925 
18926 	genlmsg_end(msg, hdr);
18927 
18928 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18929 				NL80211_MCGRP_MLME, GFP_KERNEL);
18930 	return;
18931 
18932  nla_put_failure:
18933 	nlmsg_free(msg);
18934 }
18935 EXPORT_SYMBOL(cfg80211_assoc_comeback);
18936 
18937 void cfg80211_ready_on_channel(struct wireless_dev *wdev, u64 cookie,
18938 			       struct ieee80211_channel *chan,
18939 			       unsigned int duration, gfp_t gfp)
18940 {
18941 	struct wiphy *wiphy = wdev->wiphy;
18942 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
18943 
18944 	trace_cfg80211_ready_on_channel(wdev, cookie, chan, duration);
18945 	nl80211_send_remain_on_chan_event(NL80211_CMD_REMAIN_ON_CHANNEL,
18946 					  rdev, wdev, cookie, chan,
18947 					  duration, gfp);
18948 }
18949 EXPORT_SYMBOL(cfg80211_ready_on_channel);
18950 
18951 void cfg80211_remain_on_channel_expired(struct wireless_dev *wdev, u64 cookie,
18952 					struct ieee80211_channel *chan,
18953 					gfp_t gfp)
18954 {
18955 	struct wiphy *wiphy = wdev->wiphy;
18956 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
18957 
18958 	trace_cfg80211_ready_on_channel_expired(wdev, cookie, chan);
18959 	nl80211_send_remain_on_chan_event(NL80211_CMD_CANCEL_REMAIN_ON_CHANNEL,
18960 					  rdev, wdev, cookie, chan, 0, gfp);
18961 }
18962 EXPORT_SYMBOL(cfg80211_remain_on_channel_expired);
18963 
18964 void cfg80211_tx_mgmt_expired(struct wireless_dev *wdev, u64 cookie,
18965 					struct ieee80211_channel *chan,
18966 					gfp_t gfp)
18967 {
18968 	struct wiphy *wiphy = wdev->wiphy;
18969 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
18970 
18971 	trace_cfg80211_tx_mgmt_expired(wdev, cookie, chan);
18972 	nl80211_send_remain_on_chan_event(NL80211_CMD_FRAME_WAIT_CANCEL,
18973 					  rdev, wdev, cookie, chan, 0, gfp);
18974 }
18975 EXPORT_SYMBOL(cfg80211_tx_mgmt_expired);
18976 
18977 void cfg80211_new_sta(struct net_device *dev, const u8 *mac_addr,
18978 		      struct station_info *sinfo, gfp_t gfp)
18979 {
18980 	struct wiphy *wiphy = dev->ieee80211_ptr->wiphy;
18981 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
18982 	struct sk_buff *msg;
18983 
18984 	trace_cfg80211_new_sta(dev, mac_addr, sinfo);
18985 
18986 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
18987 	if (!msg)
18988 		return;
18989 
18990 	if (nl80211_send_station(msg, NL80211_CMD_NEW_STATION, 0, 0, 0,
18991 				 rdev, dev, mac_addr, sinfo) < 0) {
18992 		nlmsg_free(msg);
18993 		return;
18994 	}
18995 
18996 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18997 				NL80211_MCGRP_MLME, gfp);
18998 }
18999 EXPORT_SYMBOL(cfg80211_new_sta);
19000 
19001 void cfg80211_del_sta_sinfo(struct net_device *dev, const u8 *mac_addr,
19002 			    struct station_info *sinfo, gfp_t gfp)
19003 {
19004 	struct wiphy *wiphy = dev->ieee80211_ptr->wiphy;
19005 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
19006 	struct sk_buff *msg;
19007 	struct station_info empty_sinfo = {};
19008 
19009 	if (!sinfo)
19010 		sinfo = &empty_sinfo;
19011 
19012 	trace_cfg80211_del_sta(dev, mac_addr);
19013 
19014 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
19015 	if (!msg) {
19016 		cfg80211_sinfo_release_content(sinfo);
19017 		return;
19018 	}
19019 
19020 	if (nl80211_send_station(msg, NL80211_CMD_DEL_STATION, 0, 0, 0,
19021 				 rdev, dev, mac_addr, sinfo) < 0) {
19022 		nlmsg_free(msg);
19023 		return;
19024 	}
19025 
19026 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
19027 				NL80211_MCGRP_MLME, gfp);
19028 }
19029 EXPORT_SYMBOL(cfg80211_del_sta_sinfo);
19030 
19031 void cfg80211_conn_failed(struct net_device *dev, const u8 *mac_addr,
19032 			  enum nl80211_connect_failed_reason reason,
19033 			  gfp_t gfp)
19034 {
19035 	struct wiphy *wiphy = dev->ieee80211_ptr->wiphy;
19036 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
19037 	struct sk_buff *msg;
19038 	void *hdr;
19039 
19040 	msg = nlmsg_new(NLMSG_GOODSIZE, gfp);
19041 	if (!msg)
19042 		return;
19043 
19044 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_CONN_FAILED);
19045 	if (!hdr) {
19046 		nlmsg_free(msg);
19047 		return;
19048 	}
19049 
19050 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
19051 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac_addr) ||
19052 	    nla_put_u32(msg, NL80211_ATTR_CONN_FAILED_REASON, reason))
19053 		goto nla_put_failure;
19054 
19055 	genlmsg_end(msg, hdr);
19056 
19057 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
19058 				NL80211_MCGRP_MLME, gfp);
19059 	return;
19060 
19061  nla_put_failure:
19062 	nlmsg_free(msg);
19063 }
19064 EXPORT_SYMBOL(cfg80211_conn_failed);
19065 
19066 static bool __nl80211_unexpected_frame(struct net_device *dev, u8 cmd,
19067 				       const u8 *addr, gfp_t gfp)
19068 {
19069 	struct wireless_dev *wdev = dev->ieee80211_ptr;
19070 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
19071 	struct sk_buff *msg;
19072 	void *hdr;
19073 	u32 nlportid = READ_ONCE(wdev->ap_unexpected_nlportid);
19074 
19075 	if (!nlportid)
19076 		return false;
19077 
19078 	msg = nlmsg_new(100, gfp);
19079 	if (!msg)
19080 		return true;
19081 
19082 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
19083 	if (!hdr) {
19084 		nlmsg_free(msg);
19085 		return true;
19086 	}
19087 
19088 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
19089 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
19090 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr))
19091 		goto nla_put_failure;
19092 
19093 	genlmsg_end(msg, hdr);
19094 	genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, nlportid);
19095 	return true;
19096 
19097  nla_put_failure:
19098 	nlmsg_free(msg);
19099 	return true;
19100 }
19101 
19102 bool cfg80211_rx_spurious_frame(struct net_device *dev,
19103 				const u8 *addr, gfp_t gfp)
19104 {
19105 	struct wireless_dev *wdev = dev->ieee80211_ptr;
19106 	bool ret;
19107 
19108 	trace_cfg80211_rx_spurious_frame(dev, addr);
19109 
19110 	if (WARN_ON(wdev->iftype != NL80211_IFTYPE_AP &&
19111 		    wdev->iftype != NL80211_IFTYPE_P2P_GO)) {
19112 		trace_cfg80211_return_bool(false);
19113 		return false;
19114 	}
19115 	ret = __nl80211_unexpected_frame(dev, NL80211_CMD_UNEXPECTED_FRAME,
19116 					 addr, gfp);
19117 	trace_cfg80211_return_bool(ret);
19118 	return ret;
19119 }
19120 EXPORT_SYMBOL(cfg80211_rx_spurious_frame);
19121 
19122 bool cfg80211_rx_unexpected_4addr_frame(struct net_device *dev,
19123 					const u8 *addr, gfp_t gfp)
19124 {
19125 	struct wireless_dev *wdev = dev->ieee80211_ptr;
19126 	bool ret;
19127 
19128 	trace_cfg80211_rx_unexpected_4addr_frame(dev, addr);
19129 
19130 	if (WARN_ON(wdev->iftype != NL80211_IFTYPE_AP &&
19131 		    wdev->iftype != NL80211_IFTYPE_P2P_GO &&
19132 		    wdev->iftype != NL80211_IFTYPE_AP_VLAN)) {
19133 		trace_cfg80211_return_bool(false);
19134 		return false;
19135 	}
19136 	ret = __nl80211_unexpected_frame(dev,
19137 					 NL80211_CMD_UNEXPECTED_4ADDR_FRAME,
19138 					 addr, gfp);
19139 	trace_cfg80211_return_bool(ret);
19140 	return ret;
19141 }
19142 EXPORT_SYMBOL(cfg80211_rx_unexpected_4addr_frame);
19143 
19144 int nl80211_send_mgmt(struct cfg80211_registered_device *rdev,
19145 		      struct wireless_dev *wdev, u32 nlportid,
19146 		      struct cfg80211_rx_info *info, gfp_t gfp)
19147 {
19148 	struct net_device *netdev = wdev->netdev;
19149 	struct sk_buff *msg;
19150 	void *hdr;
19151 
19152 	msg = nlmsg_new(100 + info->len, gfp);
19153 	if (!msg)
19154 		return -ENOMEM;
19155 
19156 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_FRAME);
19157 	if (!hdr) {
19158 		nlmsg_free(msg);
19159 		return -ENOMEM;
19160 	}
19161 
19162 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
19163 	    (netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
19164 					netdev->ifindex)) ||
19165 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
19166 			      NL80211_ATTR_PAD) ||
19167 	    (info->have_link_id &&
19168 	     nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID, info->link_id)) ||
19169 	    nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ, KHZ_TO_MHZ(info->freq)) ||
19170 	    nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ_OFFSET, info->freq % 1000) ||
19171 	    (info->sig_dbm &&
19172 	     nla_put_u32(msg, NL80211_ATTR_RX_SIGNAL_DBM, info->sig_dbm)) ||
19173 	    nla_put(msg, NL80211_ATTR_FRAME, info->len, info->buf) ||
19174 	    (info->flags &&
19175 	     nla_put_u32(msg, NL80211_ATTR_RXMGMT_FLAGS, info->flags)) ||
19176 	    (info->rx_tstamp && nla_put_u64_64bit(msg,
19177 						  NL80211_ATTR_RX_HW_TIMESTAMP,
19178 						  info->rx_tstamp,
19179 						  NL80211_ATTR_PAD)) ||
19180 	    (info->ack_tstamp && nla_put_u64_64bit(msg,
19181 						   NL80211_ATTR_TX_HW_TIMESTAMP,
19182 						   info->ack_tstamp,
19183 						   NL80211_ATTR_PAD)))
19184 		goto nla_put_failure;
19185 
19186 	genlmsg_end(msg, hdr);
19187 
19188 	return genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, nlportid);
19189 
19190  nla_put_failure:
19191 	nlmsg_free(msg);
19192 	return -ENOBUFS;
19193 }
19194 
19195 static void nl80211_frame_tx_status(struct wireless_dev *wdev,
19196 				    struct cfg80211_tx_status *status,
19197 				    gfp_t gfp, enum nl80211_commands command)
19198 {
19199 	struct wiphy *wiphy = wdev->wiphy;
19200 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
19201 	struct net_device *netdev = wdev->netdev;
19202 	struct sk_buff *msg;
19203 	void *hdr;
19204 
19205 	if (command == NL80211_CMD_FRAME_TX_STATUS)
19206 		trace_cfg80211_mgmt_tx_status(wdev, status->cookie,
19207 					      status->ack);
19208 	else
19209 		trace_cfg80211_control_port_tx_status(wdev, status->cookie,
19210 						      status->ack);
19211 
19212 	msg = nlmsg_new(100 + status->len, gfp);
19213 	if (!msg)
19214 		return;
19215 
19216 	hdr = nl80211hdr_put(msg, 0, 0, 0, command);
19217 	if (!hdr) {
19218 		nlmsg_free(msg);
19219 		return;
19220 	}
19221 
19222 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
19223 	    (netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
19224 				   netdev->ifindex)) ||
19225 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
19226 			      NL80211_ATTR_PAD) ||
19227 	    nla_put(msg, NL80211_ATTR_FRAME, status->len, status->buf) ||
19228 	    nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, status->cookie,
19229 			      NL80211_ATTR_PAD) ||
19230 	    (status->ack && nla_put_flag(msg, NL80211_ATTR_ACK)) ||
19231 	    (status->tx_tstamp &&
19232 	     nla_put_u64_64bit(msg, NL80211_ATTR_TX_HW_TIMESTAMP,
19233 			       status->tx_tstamp, NL80211_ATTR_PAD)) ||
19234 	    (status->ack_tstamp &&
19235 	     nla_put_u64_64bit(msg, NL80211_ATTR_RX_HW_TIMESTAMP,
19236 			       status->ack_tstamp, NL80211_ATTR_PAD)))
19237 		goto nla_put_failure;
19238 
19239 	genlmsg_end(msg, hdr);
19240 
19241 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
19242 				NL80211_MCGRP_MLME, gfp);
19243 	return;
19244 
19245 nla_put_failure:
19246 	nlmsg_free(msg);
19247 }
19248 
19249 void cfg80211_control_port_tx_status(struct wireless_dev *wdev, u64 cookie,
19250 				     const u8 *buf, size_t len, bool ack,
19251 				     gfp_t gfp)
19252 {
19253 	struct cfg80211_tx_status status = {
19254 		.cookie = cookie,
19255 		.buf = buf,
19256 		.len = len,
19257 		.ack = ack
19258 	};
19259 
19260 	nl80211_frame_tx_status(wdev, &status, gfp,
19261 				NL80211_CMD_CONTROL_PORT_FRAME_TX_STATUS);
19262 }
19263 EXPORT_SYMBOL(cfg80211_control_port_tx_status);
19264 
19265 void cfg80211_mgmt_tx_status_ext(struct wireless_dev *wdev,
19266 				 struct cfg80211_tx_status *status, gfp_t gfp)
19267 {
19268 	nl80211_frame_tx_status(wdev, status, gfp, NL80211_CMD_FRAME_TX_STATUS);
19269 }
19270 EXPORT_SYMBOL(cfg80211_mgmt_tx_status_ext);
19271 
19272 static int __nl80211_rx_control_port(struct net_device *dev,
19273 				     struct sk_buff *skb,
19274 				     bool unencrypted,
19275 				     int link_id,
19276 				     gfp_t gfp)
19277 {
19278 	struct wireless_dev *wdev = dev->ieee80211_ptr;
19279 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
19280 	struct ethhdr *ehdr = eth_hdr(skb);
19281 	const u8 *addr = ehdr->h_source;
19282 	u16 proto = be16_to_cpu(skb->protocol);
19283 	struct sk_buff *msg;
19284 	void *hdr;
19285 	struct nlattr *frame;
19286 
19287 	u32 nlportid = READ_ONCE(wdev->conn_owner_nlportid);
19288 
19289 	if (!nlportid)
19290 		return -ENOENT;
19291 
19292 	msg = nlmsg_new(100 + skb->len, gfp);
19293 	if (!msg)
19294 		return -ENOMEM;
19295 
19296 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_CONTROL_PORT_FRAME);
19297 	if (!hdr) {
19298 		nlmsg_free(msg);
19299 		return -ENOBUFS;
19300 	}
19301 
19302 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
19303 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
19304 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
19305 			      NL80211_ATTR_PAD) ||
19306 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr) ||
19307 	    nla_put_u16(msg, NL80211_ATTR_CONTROL_PORT_ETHERTYPE, proto) ||
19308 	    (link_id >= 0 &&
19309 	     nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID, link_id)) ||
19310 	    (unencrypted && nla_put_flag(msg,
19311 					 NL80211_ATTR_CONTROL_PORT_NO_ENCRYPT)))
19312 		goto nla_put_failure;
19313 
19314 	frame = nla_reserve(msg, NL80211_ATTR_FRAME, skb->len);
19315 	if (!frame)
19316 		goto nla_put_failure;
19317 
19318 	skb_copy_bits(skb, 0, nla_data(frame), skb->len);
19319 	genlmsg_end(msg, hdr);
19320 
19321 	return genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, nlportid);
19322 
19323  nla_put_failure:
19324 	nlmsg_free(msg);
19325 	return -ENOBUFS;
19326 }
19327 
19328 bool cfg80211_rx_control_port(struct net_device *dev, struct sk_buff *skb,
19329 			      bool unencrypted, int link_id)
19330 {
19331 	int ret;
19332 
19333 	trace_cfg80211_rx_control_port(dev, skb, unencrypted, link_id);
19334 	ret = __nl80211_rx_control_port(dev, skb, unencrypted, link_id,
19335 					GFP_ATOMIC);
19336 	trace_cfg80211_return_bool(ret == 0);
19337 	return ret == 0;
19338 }
19339 EXPORT_SYMBOL(cfg80211_rx_control_port);
19340 
19341 static struct sk_buff *cfg80211_prepare_cqm(struct net_device *dev,
19342 					    const char *mac, gfp_t gfp)
19343 {
19344 	struct wireless_dev *wdev = dev->ieee80211_ptr;
19345 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
19346 	struct sk_buff *msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
19347 	void **cb;
19348 
19349 	if (!msg)
19350 		return NULL;
19351 
19352 	cb = (void **)msg->cb;
19353 
19354 	cb[0] = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_NOTIFY_CQM);
19355 	if (!cb[0]) {
19356 		nlmsg_free(msg);
19357 		return NULL;
19358 	}
19359 
19360 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
19361 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
19362 		goto nla_put_failure;
19363 
19364 	if (mac && nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac))
19365 		goto nla_put_failure;
19366 
19367 	cb[1] = nla_nest_start_noflag(msg, NL80211_ATTR_CQM);
19368 	if (!cb[1])
19369 		goto nla_put_failure;
19370 
19371 	cb[2] = rdev;
19372 
19373 	return msg;
19374  nla_put_failure:
19375 	nlmsg_free(msg);
19376 	return NULL;
19377 }
19378 
19379 static void cfg80211_send_cqm(struct sk_buff *msg, gfp_t gfp)
19380 {
19381 	void **cb = (void **)msg->cb;
19382 	struct cfg80211_registered_device *rdev = cb[2];
19383 
19384 	nla_nest_end(msg, cb[1]);
19385 	genlmsg_end(msg, cb[0]);
19386 
19387 	memset(msg->cb, 0, sizeof(msg->cb));
19388 
19389 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
19390 				NL80211_MCGRP_MLME, gfp);
19391 }
19392 
19393 void cfg80211_cqm_rssi_notify(struct net_device *dev,
19394 			      enum nl80211_cqm_rssi_threshold_event rssi_event,
19395 			      s32 rssi_level, gfp_t gfp)
19396 {
19397 	struct wireless_dev *wdev = dev->ieee80211_ptr;
19398 	struct cfg80211_cqm_config *cqm_config;
19399 
19400 	trace_cfg80211_cqm_rssi_notify(dev, rssi_event, rssi_level);
19401 
19402 	if (WARN_ON(rssi_event != NL80211_CQM_RSSI_THRESHOLD_EVENT_LOW &&
19403 		    rssi_event != NL80211_CQM_RSSI_THRESHOLD_EVENT_HIGH))
19404 		return;
19405 
19406 	rcu_read_lock();
19407 	cqm_config = rcu_dereference(wdev->cqm_config);
19408 	if (cqm_config) {
19409 		cqm_config->last_rssi_event_value = rssi_level;
19410 		cqm_config->last_rssi_event_type = rssi_event;
19411 		wiphy_work_queue(wdev->wiphy, &wdev->cqm_rssi_work);
19412 	}
19413 	rcu_read_unlock();
19414 }
19415 EXPORT_SYMBOL(cfg80211_cqm_rssi_notify);
19416 
19417 void cfg80211_cqm_rssi_notify_work(struct wiphy *wiphy, struct wiphy_work *work)
19418 {
19419 	struct wireless_dev *wdev = container_of(work, struct wireless_dev,
19420 						 cqm_rssi_work);
19421 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
19422 	enum nl80211_cqm_rssi_threshold_event rssi_event;
19423 	struct cfg80211_cqm_config *cqm_config;
19424 	struct sk_buff *msg;
19425 	s32 rssi_level;
19426 
19427 	cqm_config = wiphy_dereference(wdev->wiphy, wdev->cqm_config);
19428 	if (!cqm_config)
19429 		return;
19430 
19431 	if (cqm_config->use_range_api)
19432 		cfg80211_cqm_rssi_update(rdev, wdev->netdev, cqm_config);
19433 
19434 	rssi_level = cqm_config->last_rssi_event_value;
19435 	rssi_event = cqm_config->last_rssi_event_type;
19436 
19437 	msg = cfg80211_prepare_cqm(wdev->netdev, NULL, GFP_KERNEL);
19438 	if (!msg)
19439 		return;
19440 
19441 	if (nla_put_u32(msg, NL80211_ATTR_CQM_RSSI_THRESHOLD_EVENT,
19442 			rssi_event))
19443 		goto nla_put_failure;
19444 
19445 	if (rssi_level && nla_put_s32(msg, NL80211_ATTR_CQM_RSSI_LEVEL,
19446 				      rssi_level))
19447 		goto nla_put_failure;
19448 
19449 	cfg80211_send_cqm(msg, GFP_KERNEL);
19450 
19451 	return;
19452 
19453  nla_put_failure:
19454 	nlmsg_free(msg);
19455 }
19456 
19457 void cfg80211_cqm_txe_notify(struct net_device *dev,
19458 			     const u8 *peer, u32 num_packets,
19459 			     u32 rate, u32 intvl, gfp_t gfp)
19460 {
19461 	struct sk_buff *msg;
19462 
19463 	msg = cfg80211_prepare_cqm(dev, peer, gfp);
19464 	if (!msg)
19465 		return;
19466 
19467 	if (nla_put_u32(msg, NL80211_ATTR_CQM_TXE_PKTS, num_packets))
19468 		goto nla_put_failure;
19469 
19470 	if (nla_put_u32(msg, NL80211_ATTR_CQM_TXE_RATE, rate))
19471 		goto nla_put_failure;
19472 
19473 	if (nla_put_u32(msg, NL80211_ATTR_CQM_TXE_INTVL, intvl))
19474 		goto nla_put_failure;
19475 
19476 	cfg80211_send_cqm(msg, gfp);
19477 	return;
19478 
19479  nla_put_failure:
19480 	nlmsg_free(msg);
19481 }
19482 EXPORT_SYMBOL(cfg80211_cqm_txe_notify);
19483 
19484 void cfg80211_cqm_pktloss_notify(struct net_device *dev,
19485 				 const u8 *peer, u32 num_packets, gfp_t gfp)
19486 {
19487 	struct sk_buff *msg;
19488 
19489 	trace_cfg80211_cqm_pktloss_notify(dev, peer, num_packets);
19490 
19491 	msg = cfg80211_prepare_cqm(dev, peer, gfp);
19492 	if (!msg)
19493 		return;
19494 
19495 	if (nla_put_u32(msg, NL80211_ATTR_CQM_PKT_LOSS_EVENT, num_packets))
19496 		goto nla_put_failure;
19497 
19498 	cfg80211_send_cqm(msg, gfp);
19499 	return;
19500 
19501  nla_put_failure:
19502 	nlmsg_free(msg);
19503 }
19504 EXPORT_SYMBOL(cfg80211_cqm_pktloss_notify);
19505 
19506 void cfg80211_cqm_beacon_loss_notify(struct net_device *dev, gfp_t gfp)
19507 {
19508 	struct sk_buff *msg;
19509 
19510 	msg = cfg80211_prepare_cqm(dev, NULL, gfp);
19511 	if (!msg)
19512 		return;
19513 
19514 	if (nla_put_flag(msg, NL80211_ATTR_CQM_BEACON_LOSS_EVENT))
19515 		goto nla_put_failure;
19516 
19517 	cfg80211_send_cqm(msg, gfp);
19518 	return;
19519 
19520  nla_put_failure:
19521 	nlmsg_free(msg);
19522 }
19523 EXPORT_SYMBOL(cfg80211_cqm_beacon_loss_notify);
19524 
19525 static void nl80211_gtk_rekey_notify(struct cfg80211_registered_device *rdev,
19526 				     struct net_device *netdev, const u8 *bssid,
19527 				     const u8 *replay_ctr, gfp_t gfp)
19528 {
19529 	struct sk_buff *msg;
19530 	struct nlattr *rekey_attr;
19531 	void *hdr;
19532 
19533 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
19534 	if (!msg)
19535 		return;
19536 
19537 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_SET_REKEY_OFFLOAD);
19538 	if (!hdr) {
19539 		nlmsg_free(msg);
19540 		return;
19541 	}
19542 
19543 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
19544 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
19545 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, bssid))
19546 		goto nla_put_failure;
19547 
19548 	rekey_attr = nla_nest_start_noflag(msg, NL80211_ATTR_REKEY_DATA);
19549 	if (!rekey_attr)
19550 		goto nla_put_failure;
19551 
19552 	if (nla_put(msg, NL80211_REKEY_DATA_REPLAY_CTR,
19553 		    NL80211_REPLAY_CTR_LEN, replay_ctr))
19554 		goto nla_put_failure;
19555 
19556 	nla_nest_end(msg, rekey_attr);
19557 
19558 	genlmsg_end(msg, hdr);
19559 
19560 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
19561 				NL80211_MCGRP_MLME, gfp);
19562 	return;
19563 
19564  nla_put_failure:
19565 	nlmsg_free(msg);
19566 }
19567 
19568 void cfg80211_gtk_rekey_notify(struct net_device *dev, const u8 *bssid,
19569 			       const u8 *replay_ctr, gfp_t gfp)
19570 {
19571 	struct wireless_dev *wdev = dev->ieee80211_ptr;
19572 	struct wiphy *wiphy = wdev->wiphy;
19573 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
19574 
19575 	trace_cfg80211_gtk_rekey_notify(dev, bssid);
19576 	nl80211_gtk_rekey_notify(rdev, dev, bssid, replay_ctr, gfp);
19577 }
19578 EXPORT_SYMBOL(cfg80211_gtk_rekey_notify);
19579 
19580 static void
19581 nl80211_pmksa_candidate_notify(struct cfg80211_registered_device *rdev,
19582 			       struct net_device *netdev, int index,
19583 			       const u8 *bssid, bool preauth, gfp_t gfp)
19584 {
19585 	struct sk_buff *msg;
19586 	struct nlattr *attr;
19587 	void *hdr;
19588 
19589 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
19590 	if (!msg)
19591 		return;
19592 
19593 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_PMKSA_CANDIDATE);
19594 	if (!hdr) {
19595 		nlmsg_free(msg);
19596 		return;
19597 	}
19598 
19599 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
19600 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex))
19601 		goto nla_put_failure;
19602 
19603 	attr = nla_nest_start_noflag(msg, NL80211_ATTR_PMKSA_CANDIDATE);
19604 	if (!attr)
19605 		goto nla_put_failure;
19606 
19607 	if (nla_put_u32(msg, NL80211_PMKSA_CANDIDATE_INDEX, index) ||
19608 	    nla_put(msg, NL80211_PMKSA_CANDIDATE_BSSID, ETH_ALEN, bssid) ||
19609 	    (preauth &&
19610 	     nla_put_flag(msg, NL80211_PMKSA_CANDIDATE_PREAUTH)))
19611 		goto nla_put_failure;
19612 
19613 	nla_nest_end(msg, attr);
19614 
19615 	genlmsg_end(msg, hdr);
19616 
19617 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
19618 				NL80211_MCGRP_MLME, gfp);
19619 	return;
19620 
19621  nla_put_failure:
19622 	nlmsg_free(msg);
19623 }
19624 
19625 void cfg80211_pmksa_candidate_notify(struct net_device *dev, int index,
19626 				     const u8 *bssid, bool preauth, gfp_t gfp)
19627 {
19628 	struct wireless_dev *wdev = dev->ieee80211_ptr;
19629 	struct wiphy *wiphy = wdev->wiphy;
19630 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
19631 
19632 	trace_cfg80211_pmksa_candidate_notify(dev, index, bssid, preauth);
19633 	nl80211_pmksa_candidate_notify(rdev, dev, index, bssid, preauth, gfp);
19634 }
19635 EXPORT_SYMBOL(cfg80211_pmksa_candidate_notify);
19636 
19637 static void nl80211_ch_switch_notify(struct cfg80211_registered_device *rdev,
19638 				     struct net_device *netdev,
19639 				     unsigned int link_id,
19640 				     struct cfg80211_chan_def *chandef,
19641 				     gfp_t gfp,
19642 				     enum nl80211_commands notif,
19643 				     u8 count, bool quiet)
19644 {
19645 	struct wireless_dev *wdev = netdev->ieee80211_ptr;
19646 	struct sk_buff *msg;
19647 	void *hdr;
19648 
19649 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
19650 	if (!msg)
19651 		return;
19652 
19653 	hdr = nl80211hdr_put(msg, 0, 0, 0, notif);
19654 	if (!hdr) {
19655 		nlmsg_free(msg);
19656 		return;
19657 	}
19658 
19659 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex))
19660 		goto nla_put_failure;
19661 
19662 	if (wdev->valid_links &&
19663 	    nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID, link_id))
19664 		goto nla_put_failure;
19665 
19666 	if (nl80211_send_chandef(msg, chandef))
19667 		goto nla_put_failure;
19668 
19669 	if (notif == NL80211_CMD_CH_SWITCH_STARTED_NOTIFY) {
19670 		if (nla_put_u32(msg, NL80211_ATTR_CH_SWITCH_COUNT, count))
19671 			goto nla_put_failure;
19672 		if (quiet &&
19673 		    nla_put_flag(msg, NL80211_ATTR_CH_SWITCH_BLOCK_TX))
19674 			goto nla_put_failure;
19675 	}
19676 
19677 	genlmsg_end(msg, hdr);
19678 
19679 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
19680 				NL80211_MCGRP_MLME, gfp);
19681 	return;
19682 
19683  nla_put_failure:
19684 	nlmsg_free(msg);
19685 }
19686 
19687 void cfg80211_ch_switch_notify(struct net_device *dev,
19688 			       struct cfg80211_chan_def *chandef,
19689 			       unsigned int link_id)
19690 {
19691 	struct wireless_dev *wdev = dev->ieee80211_ptr;
19692 	struct wiphy *wiphy = wdev->wiphy;
19693 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
19694 
19695 	lockdep_assert_wiphy(wdev->wiphy);
19696 	WARN_INVALID_LINK_ID(wdev, link_id);
19697 
19698 	trace_cfg80211_ch_switch_notify(dev, chandef, link_id);
19699 
19700 	switch (wdev->iftype) {
19701 	case NL80211_IFTYPE_STATION:
19702 	case NL80211_IFTYPE_P2P_CLIENT:
19703 		if (!WARN_ON(!wdev->links[link_id].client.current_bss))
19704 			cfg80211_update_assoc_bss_entry(wdev, link_id,
19705 							chandef->chan);
19706 		break;
19707 	case NL80211_IFTYPE_MESH_POINT:
19708 		wdev->u.mesh.chandef = *chandef;
19709 		wdev->u.mesh.preset_chandef = *chandef;
19710 		break;
19711 	case NL80211_IFTYPE_AP:
19712 	case NL80211_IFTYPE_P2P_GO:
19713 		wdev->links[link_id].ap.chandef = *chandef;
19714 		break;
19715 	case NL80211_IFTYPE_ADHOC:
19716 		wdev->u.ibss.chandef = *chandef;
19717 		break;
19718 	default:
19719 		WARN_ON(1);
19720 		break;
19721 	}
19722 
19723 	cfg80211_schedule_channels_check(wdev);
19724 	cfg80211_sched_dfs_chan_update(rdev);
19725 
19726 	nl80211_ch_switch_notify(rdev, dev, link_id, chandef, GFP_KERNEL,
19727 				 NL80211_CMD_CH_SWITCH_NOTIFY, 0, false);
19728 }
19729 EXPORT_SYMBOL(cfg80211_ch_switch_notify);
19730 
19731 void cfg80211_ch_switch_started_notify(struct net_device *dev,
19732 				       struct cfg80211_chan_def *chandef,
19733 				       unsigned int link_id, u8 count,
19734 				       bool quiet)
19735 {
19736 	struct wireless_dev *wdev = dev->ieee80211_ptr;
19737 	struct wiphy *wiphy = wdev->wiphy;
19738 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
19739 
19740 	lockdep_assert_wiphy(wdev->wiphy);
19741 	WARN_INVALID_LINK_ID(wdev, link_id);
19742 
19743 	trace_cfg80211_ch_switch_started_notify(dev, chandef, link_id);
19744 
19745 
19746 	nl80211_ch_switch_notify(rdev, dev, link_id, chandef, GFP_KERNEL,
19747 				 NL80211_CMD_CH_SWITCH_STARTED_NOTIFY,
19748 				 count, quiet);
19749 }
19750 EXPORT_SYMBOL(cfg80211_ch_switch_started_notify);
19751 
19752 int cfg80211_bss_color_notify(struct net_device *dev,
19753 			      enum nl80211_commands cmd, u8 count,
19754 			      u64 color_bitmap, u8 link_id)
19755 {
19756 	struct wireless_dev *wdev = dev->ieee80211_ptr;
19757 	struct wiphy *wiphy = wdev->wiphy;
19758 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
19759 	struct sk_buff *msg;
19760 	void *hdr;
19761 
19762 	lockdep_assert_wiphy(wdev->wiphy);
19763 
19764 	trace_cfg80211_bss_color_notify(dev, cmd, count, color_bitmap);
19765 
19766 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
19767 	if (!msg)
19768 		return -ENOMEM;
19769 
19770 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
19771 	if (!hdr)
19772 		goto nla_put_failure;
19773 
19774 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
19775 		goto nla_put_failure;
19776 
19777 	if (wdev->valid_links &&
19778 	    nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID, link_id))
19779 		goto nla_put_failure;
19780 
19781 	if (cmd == NL80211_CMD_COLOR_CHANGE_STARTED &&
19782 	    nla_put_u32(msg, NL80211_ATTR_COLOR_CHANGE_COUNT, count))
19783 		goto nla_put_failure;
19784 
19785 	if (cmd == NL80211_CMD_OBSS_COLOR_COLLISION &&
19786 	    nla_put_u64_64bit(msg, NL80211_ATTR_OBSS_COLOR_BITMAP,
19787 			      color_bitmap, NL80211_ATTR_PAD))
19788 		goto nla_put_failure;
19789 
19790 	genlmsg_end(msg, hdr);
19791 
19792 	return genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy),
19793 				       msg, 0, NL80211_MCGRP_MLME, GFP_KERNEL);
19794 
19795 nla_put_failure:
19796 	nlmsg_free(msg);
19797 	return -EINVAL;
19798 }
19799 EXPORT_SYMBOL(cfg80211_bss_color_notify);
19800 
19801 void
19802 nl80211_radar_notify(struct cfg80211_registered_device *rdev,
19803 		     const struct cfg80211_chan_def *chandef,
19804 		     enum nl80211_radar_event event,
19805 		     struct net_device *netdev, gfp_t gfp)
19806 {
19807 	struct sk_buff *msg;
19808 	void *hdr;
19809 
19810 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
19811 	if (!msg)
19812 		return;
19813 
19814 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_RADAR_DETECT);
19815 	if (!hdr) {
19816 		nlmsg_free(msg);
19817 		return;
19818 	}
19819 
19820 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx))
19821 		goto nla_put_failure;
19822 
19823 	/* NOP and radar events don't need a netdev parameter */
19824 	if (netdev) {
19825 		struct wireless_dev *wdev = netdev->ieee80211_ptr;
19826 
19827 		if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
19828 		    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
19829 				      NL80211_ATTR_PAD))
19830 			goto nla_put_failure;
19831 	}
19832 
19833 	if (nla_put_u32(msg, NL80211_ATTR_RADAR_EVENT, event))
19834 		goto nla_put_failure;
19835 
19836 	if (nl80211_send_chandef(msg, chandef))
19837 		goto nla_put_failure;
19838 
19839 	genlmsg_end(msg, hdr);
19840 
19841 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
19842 				NL80211_MCGRP_MLME, gfp);
19843 	return;
19844 
19845  nla_put_failure:
19846 	nlmsg_free(msg);
19847 }
19848 
19849 void cfg80211_sta_opmode_change_notify(struct net_device *dev, const u8 *mac,
19850 				       struct sta_opmode_info *sta_opmode,
19851 				       gfp_t gfp)
19852 {
19853 	struct sk_buff *msg;
19854 	struct wireless_dev *wdev = dev->ieee80211_ptr;
19855 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
19856 	void *hdr;
19857 
19858 	if (WARN_ON(!mac))
19859 		return;
19860 
19861 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
19862 	if (!msg)
19863 		return;
19864 
19865 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_STA_OPMODE_CHANGED);
19866 	if (!hdr) {
19867 		nlmsg_free(msg);
19868 		return;
19869 	}
19870 
19871 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx))
19872 		goto nla_put_failure;
19873 
19874 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
19875 		goto nla_put_failure;
19876 
19877 	if (nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac))
19878 		goto nla_put_failure;
19879 
19880 	if ((sta_opmode->changed & STA_OPMODE_SMPS_MODE_CHANGED) &&
19881 	    nla_put_u8(msg, NL80211_ATTR_SMPS_MODE, sta_opmode->smps_mode))
19882 		goto nla_put_failure;
19883 
19884 	if ((sta_opmode->changed & STA_OPMODE_MAX_BW_CHANGED) &&
19885 	    nla_put_u32(msg, NL80211_ATTR_CHANNEL_WIDTH, sta_opmode->bw))
19886 		goto nla_put_failure;
19887 
19888 	if ((sta_opmode->changed & STA_OPMODE_N_SS_CHANGED) &&
19889 	    nla_put_u8(msg, NL80211_ATTR_NSS, sta_opmode->rx_nss))
19890 		goto nla_put_failure;
19891 
19892 	genlmsg_end(msg, hdr);
19893 
19894 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
19895 				NL80211_MCGRP_MLME, gfp);
19896 
19897 	return;
19898 
19899 nla_put_failure:
19900 	nlmsg_free(msg);
19901 }
19902 EXPORT_SYMBOL(cfg80211_sta_opmode_change_notify);
19903 
19904 void cfg80211_probe_status(struct net_device *dev, const u8 *addr,
19905 			   u64 cookie, bool acked, s32 ack_signal,
19906 			   bool is_valid_ack_signal, gfp_t gfp)
19907 {
19908 	struct wireless_dev *wdev = dev->ieee80211_ptr;
19909 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
19910 	struct sk_buff *msg;
19911 	void *hdr;
19912 
19913 	trace_cfg80211_probe_status(dev, addr, cookie, acked);
19914 
19915 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
19916 
19917 	if (!msg)
19918 		return;
19919 
19920 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_PROBE_CLIENT);
19921 	if (!hdr) {
19922 		nlmsg_free(msg);
19923 		return;
19924 	}
19925 
19926 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
19927 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
19928 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr) ||
19929 	    nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
19930 			      NL80211_ATTR_PAD) ||
19931 	    (acked && nla_put_flag(msg, NL80211_ATTR_ACK)) ||
19932 	    (is_valid_ack_signal && nla_put_s32(msg, NL80211_ATTR_ACK_SIGNAL,
19933 						ack_signal)))
19934 		goto nla_put_failure;
19935 
19936 	genlmsg_end(msg, hdr);
19937 
19938 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
19939 				NL80211_MCGRP_MLME, gfp);
19940 	return;
19941 
19942  nla_put_failure:
19943 	nlmsg_free(msg);
19944 }
19945 EXPORT_SYMBOL(cfg80211_probe_status);
19946 
19947 void cfg80211_report_obss_beacon_khz(struct wiphy *wiphy, const u8 *frame,
19948 				     size_t len, int freq, int sig_dbm)
19949 {
19950 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
19951 	struct sk_buff *msg;
19952 	void *hdr;
19953 	struct cfg80211_beacon_registration *reg;
19954 
19955 	trace_cfg80211_report_obss_beacon(wiphy, frame, len, freq, sig_dbm);
19956 
19957 	spin_lock_bh(&rdev->beacon_registrations_lock);
19958 	list_for_each_entry(reg, &rdev->beacon_registrations, list) {
19959 		msg = nlmsg_new(len + 100, GFP_ATOMIC);
19960 		if (!msg) {
19961 			spin_unlock_bh(&rdev->beacon_registrations_lock);
19962 			return;
19963 		}
19964 
19965 		hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_FRAME);
19966 		if (!hdr)
19967 			goto nla_put_failure;
19968 
19969 		if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
19970 		    (freq &&
19971 		     (nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ,
19972 				  KHZ_TO_MHZ(freq)) ||
19973 		      nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ_OFFSET,
19974 				  freq % 1000))) ||
19975 		    (sig_dbm &&
19976 		     nla_put_u32(msg, NL80211_ATTR_RX_SIGNAL_DBM, sig_dbm)) ||
19977 		    nla_put(msg, NL80211_ATTR_FRAME, len, frame))
19978 			goto nla_put_failure;
19979 
19980 		genlmsg_end(msg, hdr);
19981 
19982 		genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, reg->nlportid);
19983 	}
19984 	spin_unlock_bh(&rdev->beacon_registrations_lock);
19985 	return;
19986 
19987  nla_put_failure:
19988 	spin_unlock_bh(&rdev->beacon_registrations_lock);
19989 	nlmsg_free(msg);
19990 }
19991 EXPORT_SYMBOL(cfg80211_report_obss_beacon_khz);
19992 
19993 #ifdef CONFIG_PM
19994 static int cfg80211_net_detect_results(struct sk_buff *msg,
19995 				       struct cfg80211_wowlan_wakeup *wakeup)
19996 {
19997 	struct cfg80211_wowlan_nd_info *nd = wakeup->net_detect;
19998 	struct nlattr *nl_results, *nl_match, *nl_freqs;
19999 	int i, j;
20000 
20001 	nl_results = nla_nest_start_noflag(msg,
20002 					   NL80211_WOWLAN_TRIG_NET_DETECT_RESULTS);
20003 	if (!nl_results)
20004 		return -EMSGSIZE;
20005 
20006 	for (i = 0; i < nd->n_matches; i++) {
20007 		struct cfg80211_wowlan_nd_match *match = nd->matches[i];
20008 
20009 		nl_match = nla_nest_start_noflag(msg, i);
20010 		if (!nl_match)
20011 			break;
20012 
20013 		/* The SSID attribute is optional in nl80211, but for
20014 		 * simplicity reasons it's always present in the
20015 		 * cfg80211 structure.  If a driver can't pass the
20016 		 * SSID, that needs to be changed.  A zero length SSID
20017 		 * is still a valid SSID (wildcard), so it cannot be
20018 		 * used for this purpose.
20019 		 */
20020 		if (nla_put(msg, NL80211_ATTR_SSID, match->ssid.ssid_len,
20021 			    match->ssid.ssid)) {
20022 			nla_nest_cancel(msg, nl_match);
20023 			goto out;
20024 		}
20025 
20026 		if (match->n_channels) {
20027 			nl_freqs = nla_nest_start_noflag(msg,
20028 							 NL80211_ATTR_SCAN_FREQUENCIES);
20029 			if (!nl_freqs) {
20030 				nla_nest_cancel(msg, nl_match);
20031 				goto out;
20032 			}
20033 
20034 			for (j = 0; j < match->n_channels; j++) {
20035 				if (nla_put_u32(msg, j, match->channels[j])) {
20036 					nla_nest_cancel(msg, nl_freqs);
20037 					nla_nest_cancel(msg, nl_match);
20038 					goto out;
20039 				}
20040 			}
20041 
20042 			nla_nest_end(msg, nl_freqs);
20043 		}
20044 
20045 		nla_nest_end(msg, nl_match);
20046 	}
20047 
20048 out:
20049 	nla_nest_end(msg, nl_results);
20050 	return 0;
20051 }
20052 
20053 void cfg80211_report_wowlan_wakeup(struct wireless_dev *wdev,
20054 				   struct cfg80211_wowlan_wakeup *wakeup,
20055 				   gfp_t gfp)
20056 {
20057 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
20058 	struct sk_buff *msg;
20059 	void *hdr;
20060 	int size = 200;
20061 
20062 	trace_cfg80211_report_wowlan_wakeup(wdev->wiphy, wdev, wakeup);
20063 
20064 	if (wakeup)
20065 		size += wakeup->packet_present_len;
20066 
20067 	msg = nlmsg_new(size, gfp);
20068 	if (!msg)
20069 		return;
20070 
20071 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_SET_WOWLAN);
20072 	if (!hdr)
20073 		goto free_msg;
20074 
20075 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
20076 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
20077 			      NL80211_ATTR_PAD))
20078 		goto free_msg;
20079 
20080 	if (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
20081 					wdev->netdev->ifindex))
20082 		goto free_msg;
20083 
20084 	if (wakeup) {
20085 		struct nlattr *reasons;
20086 
20087 		reasons = nla_nest_start_noflag(msg,
20088 						NL80211_ATTR_WOWLAN_TRIGGERS);
20089 		if (!reasons)
20090 			goto free_msg;
20091 
20092 		if (wakeup->disconnect &&
20093 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_DISCONNECT))
20094 			goto free_msg;
20095 		if (wakeup->magic_pkt &&
20096 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_MAGIC_PKT))
20097 			goto free_msg;
20098 		if (wakeup->gtk_rekey_failure &&
20099 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE))
20100 			goto free_msg;
20101 		if (wakeup->eap_identity_req &&
20102 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST))
20103 			goto free_msg;
20104 		if (wakeup->four_way_handshake &&
20105 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE))
20106 			goto free_msg;
20107 		if (wakeup->rfkill_release &&
20108 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_RFKILL_RELEASE))
20109 			goto free_msg;
20110 
20111 		if (wakeup->pattern_idx >= 0 &&
20112 		    nla_put_u32(msg, NL80211_WOWLAN_TRIG_PKT_PATTERN,
20113 				wakeup->pattern_idx))
20114 			goto free_msg;
20115 
20116 		if (wakeup->tcp_match &&
20117 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_WAKEUP_TCP_MATCH))
20118 			goto free_msg;
20119 
20120 		if (wakeup->tcp_connlost &&
20121 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_WAKEUP_TCP_CONNLOST))
20122 			goto free_msg;
20123 
20124 		if (wakeup->tcp_nomoretokens &&
20125 		    nla_put_flag(msg,
20126 				 NL80211_WOWLAN_TRIG_WAKEUP_TCP_NOMORETOKENS))
20127 			goto free_msg;
20128 
20129 		if (wakeup->unprot_deauth_disassoc &&
20130 		    nla_put_flag(msg,
20131 				 NL80211_WOWLAN_TRIG_UNPROTECTED_DEAUTH_DISASSOC))
20132 			goto free_msg;
20133 
20134 		if (wakeup->packet) {
20135 			u32 pkt_attr = NL80211_WOWLAN_TRIG_WAKEUP_PKT_80211;
20136 			u32 len_attr = NL80211_WOWLAN_TRIG_WAKEUP_PKT_80211_LEN;
20137 
20138 			if (!wakeup->packet_80211) {
20139 				pkt_attr =
20140 					NL80211_WOWLAN_TRIG_WAKEUP_PKT_8023;
20141 				len_attr =
20142 					NL80211_WOWLAN_TRIG_WAKEUP_PKT_8023_LEN;
20143 			}
20144 
20145 			if (wakeup->packet_len &&
20146 			    nla_put_u32(msg, len_attr, wakeup->packet_len))
20147 				goto free_msg;
20148 
20149 			if (nla_put(msg, pkt_attr, wakeup->packet_present_len,
20150 				    wakeup->packet))
20151 				goto free_msg;
20152 		}
20153 
20154 		if (wakeup->net_detect &&
20155 		    cfg80211_net_detect_results(msg, wakeup))
20156 				goto free_msg;
20157 
20158 		nla_nest_end(msg, reasons);
20159 	}
20160 
20161 	genlmsg_end(msg, hdr);
20162 
20163 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
20164 				NL80211_MCGRP_MLME, gfp);
20165 	return;
20166 
20167  free_msg:
20168 	nlmsg_free(msg);
20169 }
20170 EXPORT_SYMBOL(cfg80211_report_wowlan_wakeup);
20171 #endif
20172 
20173 void cfg80211_tdls_oper_request(struct net_device *dev, const u8 *peer,
20174 				enum nl80211_tdls_operation oper,
20175 				u16 reason_code, gfp_t gfp)
20176 {
20177 	struct wireless_dev *wdev = dev->ieee80211_ptr;
20178 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
20179 	struct sk_buff *msg;
20180 	void *hdr;
20181 
20182 	trace_cfg80211_tdls_oper_request(wdev->wiphy, dev, peer, oper,
20183 					 reason_code);
20184 
20185 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
20186 	if (!msg)
20187 		return;
20188 
20189 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_TDLS_OPER);
20190 	if (!hdr) {
20191 		nlmsg_free(msg);
20192 		return;
20193 	}
20194 
20195 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
20196 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
20197 	    nla_put_u8(msg, NL80211_ATTR_TDLS_OPERATION, oper) ||
20198 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, peer) ||
20199 	    (reason_code > 0 &&
20200 	     nla_put_u16(msg, NL80211_ATTR_REASON_CODE, reason_code)))
20201 		goto nla_put_failure;
20202 
20203 	genlmsg_end(msg, hdr);
20204 
20205 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
20206 				NL80211_MCGRP_MLME, gfp);
20207 	return;
20208 
20209  nla_put_failure:
20210 	nlmsg_free(msg);
20211 }
20212 EXPORT_SYMBOL(cfg80211_tdls_oper_request);
20213 
20214 static int nl80211_netlink_notify(struct notifier_block * nb,
20215 				  unsigned long state,
20216 				  void *_notify)
20217 {
20218 	struct netlink_notify *notify = _notify;
20219 	struct cfg80211_registered_device *rdev;
20220 	struct wireless_dev *wdev;
20221 	struct cfg80211_beacon_registration *reg, *tmp;
20222 
20223 	if (state != NETLINK_URELEASE || notify->protocol != NETLINK_GENERIC)
20224 		return NOTIFY_DONE;
20225 
20226 	rcu_read_lock();
20227 
20228 	list_for_each_entry_rcu(rdev, &cfg80211_rdev_list, list) {
20229 		struct cfg80211_sched_scan_request *sched_scan_req;
20230 
20231 		list_for_each_entry_rcu(sched_scan_req,
20232 					&rdev->sched_scan_req_list,
20233 					list) {
20234 			if (sched_scan_req->owner_nlportid == notify->portid) {
20235 				sched_scan_req->nl_owner_dead = true;
20236 				wiphy_work_queue(&rdev->wiphy,
20237 						 &rdev->sched_scan_stop_wk);
20238 			}
20239 		}
20240 
20241 		list_for_each_entry_rcu(wdev, &rdev->wiphy.wdev_list, list) {
20242 			cfg80211_mlme_unregister_socket(wdev, notify->portid);
20243 
20244 			if (wdev->owner_nlportid == notify->portid) {
20245 				wdev->nl_owner_dead = true;
20246 				schedule_work(&rdev->destroy_work);
20247 			} else if (wdev->conn_owner_nlportid == notify->portid) {
20248 				schedule_work(&wdev->disconnect_wk);
20249 			}
20250 
20251 			cfg80211_release_pmsr(wdev, notify->portid);
20252 		}
20253 
20254 		spin_lock_bh(&rdev->beacon_registrations_lock);
20255 		list_for_each_entry_safe(reg, tmp, &rdev->beacon_registrations,
20256 					 list) {
20257 			if (reg->nlportid == notify->portid) {
20258 				list_del(&reg->list);
20259 				kfree(reg);
20260 				break;
20261 			}
20262 		}
20263 		spin_unlock_bh(&rdev->beacon_registrations_lock);
20264 	}
20265 
20266 	rcu_read_unlock();
20267 
20268 	/*
20269 	 * It is possible that the user space process that is controlling the
20270 	 * indoor setting disappeared, so notify the regulatory core.
20271 	 */
20272 	regulatory_netlink_notify(notify->portid);
20273 	return NOTIFY_OK;
20274 }
20275 
20276 static struct notifier_block nl80211_netlink_notifier = {
20277 	.notifier_call = nl80211_netlink_notify,
20278 };
20279 
20280 void cfg80211_ft_event(struct net_device *netdev,
20281 		       struct cfg80211_ft_event_params *ft_event)
20282 {
20283 	struct wiphy *wiphy = netdev->ieee80211_ptr->wiphy;
20284 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
20285 	struct sk_buff *msg;
20286 	void *hdr;
20287 
20288 	trace_cfg80211_ft_event(wiphy, netdev, ft_event);
20289 
20290 	if (!ft_event->target_ap)
20291 		return;
20292 
20293 	msg = nlmsg_new(100 + ft_event->ies_len + ft_event->ric_ies_len,
20294 			GFP_KERNEL);
20295 	if (!msg)
20296 		return;
20297 
20298 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_FT_EVENT);
20299 	if (!hdr)
20300 		goto out;
20301 
20302 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
20303 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
20304 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, ft_event->target_ap))
20305 		goto out;
20306 
20307 	if (ft_event->ies &&
20308 	    nla_put(msg, NL80211_ATTR_IE, ft_event->ies_len, ft_event->ies))
20309 		goto out;
20310 	if (ft_event->ric_ies &&
20311 	    nla_put(msg, NL80211_ATTR_IE_RIC, ft_event->ric_ies_len,
20312 		    ft_event->ric_ies))
20313 		goto out;
20314 
20315 	genlmsg_end(msg, hdr);
20316 
20317 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
20318 				NL80211_MCGRP_MLME, GFP_KERNEL);
20319 	return;
20320  out:
20321 	nlmsg_free(msg);
20322 }
20323 EXPORT_SYMBOL(cfg80211_ft_event);
20324 
20325 void cfg80211_crit_proto_stopped(struct wireless_dev *wdev, gfp_t gfp)
20326 {
20327 	struct cfg80211_registered_device *rdev;
20328 	struct sk_buff *msg;
20329 	void *hdr;
20330 	u32 nlportid;
20331 
20332 	rdev = wiphy_to_rdev(wdev->wiphy);
20333 	if (!rdev->crit_proto_nlportid)
20334 		return;
20335 
20336 	nlportid = rdev->crit_proto_nlportid;
20337 	rdev->crit_proto_nlportid = 0;
20338 
20339 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
20340 	if (!msg)
20341 		return;
20342 
20343 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_CRIT_PROTOCOL_STOP);
20344 	if (!hdr)
20345 		goto nla_put_failure;
20346 
20347 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
20348 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
20349 			      NL80211_ATTR_PAD))
20350 		goto nla_put_failure;
20351 
20352 	genlmsg_end(msg, hdr);
20353 
20354 	genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, nlportid);
20355 	return;
20356 
20357  nla_put_failure:
20358 	nlmsg_free(msg);
20359 }
20360 EXPORT_SYMBOL(cfg80211_crit_proto_stopped);
20361 
20362 void nl80211_send_ap_stopped(struct wireless_dev *wdev, unsigned int link_id)
20363 {
20364 	struct wiphy *wiphy = wdev->wiphy;
20365 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
20366 	struct sk_buff *msg;
20367 	void *hdr;
20368 
20369 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
20370 	if (!msg)
20371 		return;
20372 
20373 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_STOP_AP);
20374 	if (!hdr)
20375 		goto out;
20376 
20377 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
20378 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, wdev->netdev->ifindex) ||
20379 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
20380 			      NL80211_ATTR_PAD) ||
20381 	    (wdev->valid_links &&
20382 	     nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID, link_id)))
20383 		goto out;
20384 
20385 	genlmsg_end(msg, hdr);
20386 
20387 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(wiphy), msg, 0,
20388 				NL80211_MCGRP_MLME, GFP_KERNEL);
20389 	return;
20390  out:
20391 	nlmsg_free(msg);
20392 }
20393 
20394 int cfg80211_external_auth_request(struct net_device *dev,
20395 				   struct cfg80211_external_auth_params *params,
20396 				   gfp_t gfp)
20397 {
20398 	struct wireless_dev *wdev = dev->ieee80211_ptr;
20399 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
20400 	struct sk_buff *msg;
20401 	void *hdr;
20402 
20403 	if (!wdev->conn_owner_nlportid)
20404 		return -EINVAL;
20405 
20406 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
20407 	if (!msg)
20408 		return -ENOMEM;
20409 
20410 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_EXTERNAL_AUTH);
20411 	if (!hdr)
20412 		goto nla_put_failure;
20413 
20414 	/* Some historical mistakes in drivers <-> userspace interface (notably
20415 	 * between drivers and wpa_supplicant) led to a big-endian conversion
20416 	 * being needed on NL80211_ATTR_AKM_SUITES _only_ when its value is
20417 	 * WLAN_AKM_SUITE_SAE. This is now fixed on userspace side, but for the
20418 	 * benefit of older wpa_supplicant versions, send this particular value
20419 	 * in big-endian. Note that newer wpa_supplicant will also detect this
20420 	 * particular value in big endian still, so it all continues to work.
20421 	 */
20422 	if (params->key_mgmt_suite == WLAN_AKM_SUITE_SAE) {
20423 		if (nla_put_be32(msg, NL80211_ATTR_AKM_SUITES,
20424 				 cpu_to_be32(WLAN_AKM_SUITE_SAE)))
20425 			goto nla_put_failure;
20426 	} else {
20427 		if (nla_put_u32(msg, NL80211_ATTR_AKM_SUITES,
20428 				params->key_mgmt_suite))
20429 			goto nla_put_failure;
20430 	}
20431 
20432 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
20433 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
20434 	    nla_put_u32(msg, NL80211_ATTR_EXTERNAL_AUTH_ACTION,
20435 			params->action) ||
20436 	    nla_put(msg, NL80211_ATTR_BSSID, ETH_ALEN, params->bssid) ||
20437 	    nla_put(msg, NL80211_ATTR_SSID, params->ssid.ssid_len,
20438 		    params->ssid.ssid) ||
20439 	    (!is_zero_ether_addr(params->mld_addr) &&
20440 	     nla_put(msg, NL80211_ATTR_MLD_ADDR, ETH_ALEN, params->mld_addr)))
20441 		goto nla_put_failure;
20442 
20443 	genlmsg_end(msg, hdr);
20444 	genlmsg_unicast(wiphy_net(&rdev->wiphy), msg,
20445 			wdev->conn_owner_nlportid);
20446 	return 0;
20447 
20448  nla_put_failure:
20449 	nlmsg_free(msg);
20450 	return -ENOBUFS;
20451 }
20452 EXPORT_SYMBOL(cfg80211_external_auth_request);
20453 
20454 void cfg80211_update_owe_info_event(struct net_device *netdev,
20455 				    struct cfg80211_update_owe_info *owe_info,
20456 				    gfp_t gfp)
20457 {
20458 	struct wiphy *wiphy = netdev->ieee80211_ptr->wiphy;
20459 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
20460 	struct sk_buff *msg;
20461 	void *hdr;
20462 
20463 	trace_cfg80211_update_owe_info_event(wiphy, netdev, owe_info);
20464 
20465 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
20466 	if (!msg)
20467 		return;
20468 
20469 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_UPDATE_OWE_INFO);
20470 	if (!hdr)
20471 		goto nla_put_failure;
20472 
20473 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
20474 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
20475 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, owe_info->peer))
20476 		goto nla_put_failure;
20477 
20478 	if (!owe_info->ie_len ||
20479 	    nla_put(msg, NL80211_ATTR_IE, owe_info->ie_len, owe_info->ie))
20480 		goto nla_put_failure;
20481 
20482 	if (owe_info->assoc_link_id != -1) {
20483 		if (nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID,
20484 			       owe_info->assoc_link_id))
20485 			goto nla_put_failure;
20486 
20487 		if (!is_zero_ether_addr(owe_info->peer_mld_addr) &&
20488 		    nla_put(msg, NL80211_ATTR_MLD_ADDR, ETH_ALEN,
20489 			    owe_info->peer_mld_addr))
20490 			goto nla_put_failure;
20491 	}
20492 
20493 	genlmsg_end(msg, hdr);
20494 
20495 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
20496 				NL80211_MCGRP_MLME, gfp);
20497 	return;
20498 
20499 nla_put_failure:
20500 	genlmsg_cancel(msg, hdr);
20501 	nlmsg_free(msg);
20502 }
20503 EXPORT_SYMBOL(cfg80211_update_owe_info_event);
20504 
20505 void cfg80211_schedule_channels_check(struct wireless_dev *wdev)
20506 {
20507 	struct wiphy *wiphy = wdev->wiphy;
20508 
20509 	/* Schedule channels check if NO_IR or DFS relaxations are supported */
20510 	if (wdev->iftype == NL80211_IFTYPE_STATION &&
20511 	    (wiphy_ext_feature_isset(wiphy,
20512 				     NL80211_EXT_FEATURE_DFS_CONCURRENT) ||
20513 	    (IS_ENABLED(CONFIG_CFG80211_REG_RELAX_NO_IR) &&
20514 	     wiphy->regulatory_flags & REGULATORY_ENABLE_RELAX_NO_IR)))
20515 		reg_check_channels();
20516 }
20517 EXPORT_SYMBOL(cfg80211_schedule_channels_check);
20518 
20519 void cfg80211_epcs_changed(struct net_device *netdev, bool enabled)
20520 {
20521 	struct wireless_dev *wdev = netdev->ieee80211_ptr;
20522 	struct wiphy *wiphy = wdev->wiphy;
20523 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
20524 	struct sk_buff *msg;
20525 	void *hdr;
20526 
20527 	trace_cfg80211_epcs_changed(wdev, enabled);
20528 
20529 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
20530 	if (!msg)
20531 		return;
20532 
20533 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_EPCS_CFG);
20534 	if (!hdr) {
20535 		nlmsg_free(msg);
20536 		return;
20537 	}
20538 
20539 	if (enabled && nla_put_flag(msg, NL80211_ATTR_EPCS))
20540 		goto nla_put_failure;
20541 
20542 	genlmsg_end(msg, hdr);
20543 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
20544 				NL80211_MCGRP_MLME, GFP_KERNEL);
20545 	return;
20546 
20547  nla_put_failure:
20548 	nlmsg_free(msg);
20549 }
20550 EXPORT_SYMBOL(cfg80211_epcs_changed);
20551 
20552 /* initialisation/exit functions */
20553 
20554 int __init nl80211_init(void)
20555 {
20556 	int err;
20557 
20558 	err = genl_register_family(&nl80211_fam);
20559 	if (err)
20560 		return err;
20561 
20562 	err = netlink_register_notifier(&nl80211_netlink_notifier);
20563 	if (err)
20564 		goto err_out;
20565 
20566 	return 0;
20567  err_out:
20568 	genl_unregister_family(&nl80211_fam);
20569 	return err;
20570 }
20571 
20572 void nl80211_exit(void)
20573 {
20574 	netlink_unregister_notifier(&nl80211_netlink_notifier);
20575 	genl_unregister_family(&nl80211_fam);
20576 }
20577