xref: /linux/net/wireless/nl80211.c (revision 2ed4b46b4fc77749cb0f8dd31a01441b82c8dbaa) 
1 // SPDX-License-Identifier: GPL-2.0-only
2 /*
3  * This is the new netlink-based wireless configuration interface.
4  *
5  * Copyright 2006-2010	Johannes Berg <johannes@sipsolutions.net>
6  * Copyright 2013-2014  Intel Mobile Communications GmbH
7  * Copyright 2015-2017	Intel Deutschland GmbH
8  * Copyright (C) 2018-2026 Intel Corporation
9  */
10 
11 #include <linux/if.h>
12 #include <linux/module.h>
13 #include <linux/err.h>
14 #include <linux/slab.h>
15 #include <linux/list.h>
16 #include <linux/if_ether.h>
17 #include <linux/ieee80211.h>
18 #include <linux/nl80211.h>
19 #include <linux/rtnetlink.h>
20 #include <linux/netlink.h>
21 #include <linux/nospec.h>
22 #include <linux/etherdevice.h>
23 #include <linux/if_vlan.h>
24 #include <linux/random.h>
25 #include <net/net_namespace.h>
26 #include <net/genetlink.h>
27 #include <net/cfg80211.h>
28 #include <net/sock.h>
29 #include <net/inet_connection_sock.h>
30 #include "core.h"
31 #include "nl80211.h"
32 #include "reg.h"
33 #include "rdev-ops.h"
34 
35 static int nl80211_crypto_settings(struct cfg80211_registered_device *rdev,
36 				   struct genl_info *info,
37 				   struct cfg80211_crypto_settings *settings,
38 				   int cipher_limit);
39 
40 /* the netlink family */
41 static struct genl_family nl80211_fam;
42 
43 /* multicast groups */
44 enum nl80211_multicast_groups {
45 	NL80211_MCGRP_CONFIG,
46 	NL80211_MCGRP_SCAN,
47 	NL80211_MCGRP_REGULATORY,
48 	NL80211_MCGRP_MLME,
49 	NL80211_MCGRP_VENDOR,
50 	NL80211_MCGRP_NAN,
51 	NL80211_MCGRP_TESTMODE /* keep last - ifdef! */
52 };
53 
54 static const struct genl_multicast_group nl80211_mcgrps[] = {
55 	[NL80211_MCGRP_CONFIG] = { .name = NL80211_MULTICAST_GROUP_CONFIG },
56 	[NL80211_MCGRP_SCAN] = { .name = NL80211_MULTICAST_GROUP_SCAN },
57 	[NL80211_MCGRP_REGULATORY] = { .name = NL80211_MULTICAST_GROUP_REG },
58 	[NL80211_MCGRP_MLME] = { .name = NL80211_MULTICAST_GROUP_MLME },
59 	[NL80211_MCGRP_VENDOR] = { .name = NL80211_MULTICAST_GROUP_VENDOR },
60 	[NL80211_MCGRP_NAN] = { .name = NL80211_MULTICAST_GROUP_NAN },
61 #ifdef CONFIG_NL80211_TESTMODE
62 	[NL80211_MCGRP_TESTMODE] = { .name = NL80211_MULTICAST_GROUP_TESTMODE }
63 #endif
64 };
65 
66 /* returns ERR_PTR values */
67 static struct wireless_dev *
68 __cfg80211_wdev_from_attrs(struct cfg80211_registered_device *rdev,
69 			   struct net *netns, struct nlattr **attrs)
70 {
71 	struct wireless_dev *result = NULL;
72 	bool have_ifidx = attrs[NL80211_ATTR_IFINDEX];
73 	bool have_wdev_id = attrs[NL80211_ATTR_WDEV];
74 	u64 wdev_id = 0;
75 	int wiphy_idx = -1;
76 	int ifidx = -1;
77 
78 	if (!have_ifidx && !have_wdev_id)
79 		return ERR_PTR(-EINVAL);
80 
81 	if (have_ifidx)
82 		ifidx = nla_get_u32(attrs[NL80211_ATTR_IFINDEX]);
83 	if (have_wdev_id) {
84 		wdev_id = nla_get_u64(attrs[NL80211_ATTR_WDEV]);
85 		wiphy_idx = wdev_id >> 32;
86 	}
87 
88 	if (rdev) {
89 		struct wireless_dev *wdev;
90 
91 		lockdep_assert_held(&rdev->wiphy.mtx);
92 
93 		list_for_each_entry(wdev, &rdev->wiphy.wdev_list, list) {
94 			if (have_ifidx && wdev->netdev &&
95 			    wdev->netdev->ifindex == ifidx) {
96 				result = wdev;
97 				break;
98 			}
99 			if (have_wdev_id && wdev->identifier == (u32)wdev_id) {
100 				result = wdev;
101 				break;
102 			}
103 		}
104 
105 		return result ?: ERR_PTR(-ENODEV);
106 	}
107 
108 	ASSERT_RTNL();
109 
110 	for_each_rdev(rdev) {
111 		struct wireless_dev *wdev;
112 
113 		if (wiphy_net(&rdev->wiphy) != netns)
114 			continue;
115 
116 		if (have_wdev_id && rdev->wiphy_idx != wiphy_idx)
117 			continue;
118 
119 		list_for_each_entry(wdev, &rdev->wiphy.wdev_list, list) {
120 			if (have_ifidx && wdev->netdev &&
121 			    wdev->netdev->ifindex == ifidx) {
122 				result = wdev;
123 				break;
124 			}
125 			if (have_wdev_id && wdev->identifier == (u32)wdev_id) {
126 				result = wdev;
127 				break;
128 			}
129 		}
130 
131 		if (result)
132 			break;
133 	}
134 
135 	if (result)
136 		return result;
137 	return ERR_PTR(-ENODEV);
138 }
139 
140 static struct cfg80211_registered_device *
141 __cfg80211_rdev_from_attrs(struct net *netns, struct nlattr **attrs)
142 {
143 	struct cfg80211_registered_device *rdev = NULL, *tmp;
144 	struct net_device *netdev;
145 
146 	ASSERT_RTNL();
147 
148 	if (!attrs[NL80211_ATTR_WIPHY] &&
149 	    !attrs[NL80211_ATTR_IFINDEX] &&
150 	    !attrs[NL80211_ATTR_WDEV])
151 		return ERR_PTR(-EINVAL);
152 
153 	if (attrs[NL80211_ATTR_WIPHY])
154 		rdev = cfg80211_rdev_by_wiphy_idx(
155 				nla_get_u32(attrs[NL80211_ATTR_WIPHY]));
156 
157 	if (attrs[NL80211_ATTR_WDEV]) {
158 		u64 wdev_id = nla_get_u64(attrs[NL80211_ATTR_WDEV]);
159 		struct wireless_dev *wdev;
160 		bool found = false;
161 
162 		tmp = cfg80211_rdev_by_wiphy_idx(wdev_id >> 32);
163 		if (tmp) {
164 			/* make sure wdev exists */
165 			list_for_each_entry(wdev, &tmp->wiphy.wdev_list, list) {
166 				if (wdev->identifier != (u32)wdev_id)
167 					continue;
168 				found = true;
169 				break;
170 			}
171 
172 			if (!found)
173 				tmp = NULL;
174 
175 			if (rdev && tmp != rdev)
176 				return ERR_PTR(-EINVAL);
177 			rdev = tmp;
178 		}
179 	}
180 
181 	if (attrs[NL80211_ATTR_IFINDEX]) {
182 		int ifindex = nla_get_u32(attrs[NL80211_ATTR_IFINDEX]);
183 
184 		netdev = __dev_get_by_index(netns, ifindex);
185 		if (netdev) {
186 			if (netdev->ieee80211_ptr)
187 				tmp = wiphy_to_rdev(
188 					netdev->ieee80211_ptr->wiphy);
189 			else
190 				tmp = NULL;
191 
192 			/* not wireless device -- return error */
193 			if (!tmp)
194 				return ERR_PTR(-EINVAL);
195 
196 			/* mismatch -- return error */
197 			if (rdev && tmp != rdev)
198 				return ERR_PTR(-EINVAL);
199 
200 			rdev = tmp;
201 		}
202 	}
203 
204 	if (!rdev)
205 		return ERR_PTR(-ENODEV);
206 
207 	if (netns != wiphy_net(&rdev->wiphy))
208 		return ERR_PTR(-ENODEV);
209 
210 	return rdev;
211 }
212 
213 /*
214  * This function returns a pointer to the driver
215  * that the genl_info item that is passed refers to.
216  *
217  * The result of this can be a PTR_ERR and hence must
218  * be checked with IS_ERR() for errors.
219  */
220 static struct cfg80211_registered_device *
221 cfg80211_get_dev_from_info(struct net *netns, struct genl_info *info)
222 {
223 	return __cfg80211_rdev_from_attrs(netns, info->attrs);
224 }
225 
226 static int validate_beacon_head(const struct nlattr *attr,
227 				struct netlink_ext_ack *extack)
228 {
229 	const u8 *data = nla_data(attr);
230 	unsigned int len = nla_len(attr);
231 	const struct element *elem;
232 	const struct ieee80211_mgmt *mgmt = (void *)data;
233 	const struct ieee80211_ext *ext;
234 	unsigned int fixedlen, hdrlen;
235 	bool s1g_bcn;
236 
237 	if (len < offsetofend(typeof(*mgmt), frame_control))
238 		goto err;
239 
240 	s1g_bcn = ieee80211_is_s1g_beacon(mgmt->frame_control);
241 	if (s1g_bcn) {
242 		ext = (struct ieee80211_ext *)mgmt;
243 		fixedlen =
244 			offsetof(struct ieee80211_ext, u.s1g_beacon.variable) +
245 			ieee80211_s1g_optional_len(ext->frame_control);
246 		hdrlen = offsetof(struct ieee80211_ext, u.s1g_beacon);
247 	} else {
248 		fixedlen = offsetof(struct ieee80211_mgmt,
249 				    u.beacon.variable);
250 		hdrlen = offsetof(struct ieee80211_mgmt, u.beacon);
251 	}
252 
253 	if (len < fixedlen)
254 		goto err;
255 
256 	if (ieee80211_hdrlen(mgmt->frame_control) != hdrlen)
257 		goto err;
258 
259 	data += fixedlen;
260 	len -= fixedlen;
261 
262 	for_each_element(elem, data, len) {
263 		/* nothing */
264 	}
265 
266 	if (for_each_element_completed(elem, data, len))
267 		return 0;
268 
269 err:
270 	NL_SET_ERR_MSG_ATTR(extack, attr, "malformed beacon head");
271 	return -EINVAL;
272 }
273 
274 static int validate_ie_attr(const struct nlattr *attr,
275 			    struct netlink_ext_ack *extack)
276 {
277 	const u8 *data = nla_data(attr);
278 	unsigned int len = nla_len(attr);
279 	const struct element *elem;
280 
281 	for_each_element(elem, data, len) {
282 		/* nothing */
283 	}
284 
285 	if (for_each_element_completed(elem, data, len))
286 		return 0;
287 
288 	NL_SET_ERR_MSG_ATTR(extack, attr, "malformed information elements");
289 	return -EINVAL;
290 }
291 
292 static int validate_he_capa(const struct nlattr *attr,
293 			    struct netlink_ext_ack *extack)
294 {
295 	if (!ieee80211_he_capa_size_ok(nla_data(attr), nla_len(attr)))
296 		return -EINVAL;
297 
298 	return 0;
299 }
300 
301 static int validate_supported_selectors(const struct nlattr *attr,
302 					struct netlink_ext_ack *extack)
303 {
304 	const u8 *supported_selectors = nla_data(attr);
305 	u8 supported_selectors_len = nla_len(attr);
306 
307 	/* The top bit must not be set as it is not part of the selector */
308 	for (int i = 0; i < supported_selectors_len; i++) {
309 		if (supported_selectors[i] & 0x80)
310 			return -EINVAL;
311 	}
312 
313 	return 0;
314 }
315 
316 static int validate_nan_cluster_id(const struct nlattr *attr,
317 				   struct netlink_ext_ack *extack)
318 {
319 	const u8 *data = nla_data(attr);
320 	unsigned int len = nla_len(attr);
321 	static const u8 cluster_id_prefix[4] = {0x50, 0x6f, 0x9a, 0x1};
322 
323 	if (len != ETH_ALEN) {
324 		NL_SET_ERR_MSG_ATTR(extack, attr, "bad cluster id length");
325 		return -EINVAL;
326 	}
327 
328 	if (memcmp(data, cluster_id_prefix, sizeof(cluster_id_prefix))) {
329 		NL_SET_ERR_MSG_ATTR(extack, attr, "invalid cluster id prefix");
330 		return -EINVAL;
331 	}
332 
333 	return 0;
334 }
335 
336 static int validate_uhr_capa(const struct nlattr *attr,
337 			     struct netlink_ext_ack *extack)
338 {
339 	const u8 *data = nla_data(attr);
340 	unsigned int len = nla_len(attr);
341 
342 	return ieee80211_uhr_capa_size_ok(data, len, false);
343 }
344 
345 /* policy for the attributes */
346 static const struct nla_policy nl80211_policy[NUM_NL80211_ATTR];
347 
348 static const struct nla_policy
349 nl80211_ftm_responder_policy[NL80211_FTM_RESP_ATTR_MAX + 1] = {
350 	[NL80211_FTM_RESP_ATTR_ENABLED] = { .type = NLA_FLAG, },
351 	[NL80211_FTM_RESP_ATTR_LCI] = { .type = NLA_BINARY,
352 					.len = U8_MAX },
353 	[NL80211_FTM_RESP_ATTR_CIVICLOC] = { .type = NLA_BINARY,
354 					     .len = U8_MAX },
355 };
356 
357 static const struct nla_policy
358 nl80211_pmsr_ftm_req_attr_policy[NL80211_PMSR_FTM_REQ_ATTR_MAX + 1] = {
359 	[NL80211_PMSR_FTM_REQ_ATTR_ASAP] = { .type = NLA_FLAG },
360 	[NL80211_PMSR_FTM_REQ_ATTR_PREAMBLE] = { .type = NLA_U32 },
361 	[NL80211_PMSR_FTM_REQ_ATTR_NUM_BURSTS_EXP] =
362 		NLA_POLICY_MAX(NLA_U8, 15),
363 	[NL80211_PMSR_FTM_REQ_ATTR_BURST_PERIOD] = { .type = NLA_U16 },
364 	[NL80211_PMSR_FTM_REQ_ATTR_BURST_DURATION] =
365 		NLA_POLICY_MAX(NLA_U8, 15),
366 	[NL80211_PMSR_FTM_REQ_ATTR_FTMS_PER_BURST] = { .type = NLA_U8 },
367 	[NL80211_PMSR_FTM_REQ_ATTR_NUM_FTMR_RETRIES] = { .type = NLA_U8 },
368 	[NL80211_PMSR_FTM_REQ_ATTR_REQUEST_LCI] = { .type = NLA_FLAG },
369 	[NL80211_PMSR_FTM_REQ_ATTR_REQUEST_CIVICLOC] = { .type = NLA_FLAG },
370 	[NL80211_PMSR_FTM_REQ_ATTR_TRIGGER_BASED] = { .type = NLA_FLAG },
371 	[NL80211_PMSR_FTM_REQ_ATTR_NON_TRIGGER_BASED] = { .type = NLA_FLAG },
372 	[NL80211_PMSR_FTM_REQ_ATTR_LMR_FEEDBACK] = { .type = NLA_FLAG },
373 	[NL80211_PMSR_FTM_REQ_ATTR_BSS_COLOR] = { .type = NLA_U8 },
374 	[NL80211_PMSR_FTM_REQ_ATTR_RSTA] = { .type = NLA_FLAG },
375 };
376 
377 static const struct nla_policy
378 nl80211_pmsr_req_data_policy[NL80211_PMSR_TYPE_MAX + 1] = {
379 	[NL80211_PMSR_TYPE_FTM] =
380 		NLA_POLICY_NESTED(nl80211_pmsr_ftm_req_attr_policy),
381 };
382 
383 static const struct nla_policy
384 nl80211_pmsr_req_attr_policy[NL80211_PMSR_REQ_ATTR_MAX + 1] = {
385 	[NL80211_PMSR_REQ_ATTR_DATA] =
386 		NLA_POLICY_NESTED(nl80211_pmsr_req_data_policy),
387 	[NL80211_PMSR_REQ_ATTR_GET_AP_TSF] = { .type = NLA_FLAG },
388 };
389 
390 static const struct nla_policy
391 nl80211_pmsr_peer_attr_policy[NL80211_PMSR_PEER_ATTR_MAX + 1] = {
392 	[NL80211_PMSR_PEER_ATTR_ADDR] = NLA_POLICY_ETH_ADDR,
393 	[NL80211_PMSR_PEER_ATTR_CHAN] = NLA_POLICY_NESTED(nl80211_policy),
394 	[NL80211_PMSR_PEER_ATTR_REQ] =
395 		NLA_POLICY_NESTED(nl80211_pmsr_req_attr_policy),
396 	[NL80211_PMSR_PEER_ATTR_RESP] = { .type = NLA_REJECT },
397 };
398 
399 static const struct nla_policy
400 nl80211_pmsr_attr_policy[NL80211_PMSR_ATTR_MAX + 1] = {
401 	[NL80211_PMSR_ATTR_MAX_PEERS] = { .type = NLA_REJECT },
402 	[NL80211_PMSR_ATTR_REPORT_AP_TSF] = { .type = NLA_REJECT },
403 	[NL80211_PMSR_ATTR_RANDOMIZE_MAC_ADDR] = { .type = NLA_REJECT },
404 	[NL80211_PMSR_ATTR_TYPE_CAPA] = { .type = NLA_REJECT },
405 	[NL80211_PMSR_ATTR_PEERS] =
406 		NLA_POLICY_NESTED_ARRAY(nl80211_pmsr_peer_attr_policy),
407 };
408 
409 static const struct nla_policy
410 he_obss_pd_policy[NL80211_HE_OBSS_PD_ATTR_MAX + 1] = {
411 	[NL80211_HE_OBSS_PD_ATTR_MIN_OFFSET] =
412 		NLA_POLICY_RANGE(NLA_U8, 1, 20),
413 	[NL80211_HE_OBSS_PD_ATTR_MAX_OFFSET] =
414 		NLA_POLICY_RANGE(NLA_U8, 1, 20),
415 	[NL80211_HE_OBSS_PD_ATTR_NON_SRG_MAX_OFFSET] =
416 		NLA_POLICY_RANGE(NLA_U8, 1, 20),
417 	[NL80211_HE_OBSS_PD_ATTR_BSS_COLOR_BITMAP] =
418 		NLA_POLICY_EXACT_LEN(8),
419 	[NL80211_HE_OBSS_PD_ATTR_PARTIAL_BSSID_BITMAP] =
420 		NLA_POLICY_EXACT_LEN(8),
421 	[NL80211_HE_OBSS_PD_ATTR_SR_CTRL] = { .type = NLA_U8 },
422 };
423 
424 static const struct nla_policy
425 he_bss_color_policy[NL80211_HE_BSS_COLOR_ATTR_MAX + 1] = {
426 	[NL80211_HE_BSS_COLOR_ATTR_COLOR] = NLA_POLICY_RANGE(NLA_U8, 1, 63),
427 	[NL80211_HE_BSS_COLOR_ATTR_DISABLED] = { .type = NLA_FLAG },
428 	[NL80211_HE_BSS_COLOR_ATTR_PARTIAL] = { .type = NLA_FLAG },
429 };
430 
431 static const struct nla_policy nl80211_txattr_policy[NL80211_TXRATE_MAX + 1] = {
432 	[NL80211_TXRATE_LEGACY] = { .type = NLA_BINARY,
433 				    .len = NL80211_MAX_SUPP_RATES },
434 	[NL80211_TXRATE_HT] = { .type = NLA_BINARY,
435 				.len = NL80211_MAX_SUPP_HT_RATES },
436 	[NL80211_TXRATE_VHT] = NLA_POLICY_EXACT_LEN_WARN(sizeof(struct nl80211_txrate_vht)),
437 	[NL80211_TXRATE_GI] = { .type = NLA_U8 },
438 	[NL80211_TXRATE_HE] = NLA_POLICY_EXACT_LEN(sizeof(struct nl80211_txrate_he)),
439 	[NL80211_TXRATE_HE_GI] =  NLA_POLICY_RANGE(NLA_U8,
440 						   NL80211_RATE_INFO_HE_GI_0_8,
441 						   NL80211_RATE_INFO_HE_GI_3_2),
442 	[NL80211_TXRATE_HE_LTF] = NLA_POLICY_RANGE(NLA_U8,
443 						   NL80211_RATE_INFO_HE_1XLTF,
444 						   NL80211_RATE_INFO_HE_4XLTF),
445 	[NL80211_TXRATE_EHT] = NLA_POLICY_EXACT_LEN(sizeof(struct nl80211_txrate_eht)),
446 	[NL80211_TXRATE_EHT_GI] =  NLA_POLICY_RANGE(NLA_U8,
447 						   NL80211_RATE_INFO_EHT_GI_0_8,
448 						   NL80211_RATE_INFO_EHT_GI_3_2),
449 	[NL80211_TXRATE_EHT_LTF] = NLA_POLICY_RANGE(NLA_U8,
450 						   NL80211_RATE_INFO_EHT_1XLTF,
451 						   NL80211_RATE_INFO_EHT_8XLTF),
452 
453 };
454 
455 static const struct nla_policy
456 nl80211_tid_config_attr_policy[NL80211_TID_CONFIG_ATTR_MAX + 1] = {
457 	[NL80211_TID_CONFIG_ATTR_VIF_SUPP] = { .type = NLA_U64 },
458 	[NL80211_TID_CONFIG_ATTR_PEER_SUPP] = { .type = NLA_U64 },
459 	[NL80211_TID_CONFIG_ATTR_OVERRIDE] = { .type = NLA_FLAG },
460 	[NL80211_TID_CONFIG_ATTR_TIDS] = NLA_POLICY_RANGE(NLA_U16, 1, 0xff),
461 	[NL80211_TID_CONFIG_ATTR_NOACK] =
462 			NLA_POLICY_MAX(NLA_U8, NL80211_TID_CONFIG_DISABLE),
463 	[NL80211_TID_CONFIG_ATTR_RETRY_SHORT] = NLA_POLICY_MIN(NLA_U8, 1),
464 	[NL80211_TID_CONFIG_ATTR_RETRY_LONG] = NLA_POLICY_MIN(NLA_U8, 1),
465 	[NL80211_TID_CONFIG_ATTR_AMPDU_CTRL] =
466 			NLA_POLICY_MAX(NLA_U8, NL80211_TID_CONFIG_DISABLE),
467 	[NL80211_TID_CONFIG_ATTR_RTSCTS_CTRL] =
468 			NLA_POLICY_MAX(NLA_U8, NL80211_TID_CONFIG_DISABLE),
469 	[NL80211_TID_CONFIG_ATTR_AMSDU_CTRL] =
470 			NLA_POLICY_MAX(NLA_U8, NL80211_TID_CONFIG_DISABLE),
471 	[NL80211_TID_CONFIG_ATTR_TX_RATE_TYPE] =
472 			NLA_POLICY_MAX(NLA_U8, NL80211_TX_RATE_FIXED),
473 	[NL80211_TID_CONFIG_ATTR_TX_RATE] =
474 			NLA_POLICY_NESTED(nl80211_txattr_policy),
475 };
476 
477 static const struct nla_policy
478 nl80211_fils_discovery_policy[NL80211_FILS_DISCOVERY_ATTR_MAX + 1] = {
479 	[NL80211_FILS_DISCOVERY_ATTR_INT_MIN] = NLA_POLICY_MAX(NLA_U32, 10000),
480 	[NL80211_FILS_DISCOVERY_ATTR_INT_MAX] = NLA_POLICY_MAX(NLA_U32, 10000),
481 	[NL80211_FILS_DISCOVERY_ATTR_TMPL] =
482 			NLA_POLICY_RANGE(NLA_BINARY,
483 					 NL80211_FILS_DISCOVERY_TMPL_MIN_LEN,
484 					 IEEE80211_MAX_DATA_LEN),
485 };
486 
487 static const struct nla_policy
488 nl80211_unsol_bcast_probe_resp_policy[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_MAX + 1] = {
489 	[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_INT] = NLA_POLICY_MAX(NLA_U32, 20),
490 	[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_TMPL] = { .type = NLA_BINARY,
491 						       .len = IEEE80211_MAX_DATA_LEN }
492 };
493 
494 static const struct nla_policy
495 sar_specs_policy[NL80211_SAR_ATTR_SPECS_MAX + 1] = {
496 	[NL80211_SAR_ATTR_SPECS_POWER] = { .type = NLA_S32 },
497 	[NL80211_SAR_ATTR_SPECS_RANGE_INDEX] = {.type = NLA_U32 },
498 };
499 
500 static const struct nla_policy
501 sar_policy[NL80211_SAR_ATTR_MAX + 1] = {
502 	[NL80211_SAR_ATTR_TYPE] = NLA_POLICY_MAX(NLA_U32, NUM_NL80211_SAR_TYPE),
503 	[NL80211_SAR_ATTR_SPECS] = NLA_POLICY_NESTED_ARRAY(sar_specs_policy),
504 };
505 
506 static const struct nla_policy
507 nl80211_mbssid_config_policy[NL80211_MBSSID_CONFIG_ATTR_MAX + 1] = {
508 	[NL80211_MBSSID_CONFIG_ATTR_MAX_INTERFACES] = NLA_POLICY_MIN(NLA_U8, 2),
509 	[NL80211_MBSSID_CONFIG_ATTR_MAX_EMA_PROFILE_PERIODICITY] =
510 						NLA_POLICY_MIN(NLA_U8, 1),
511 	[NL80211_MBSSID_CONFIG_ATTR_INDEX] = { .type = NLA_U8 },
512 	[NL80211_MBSSID_CONFIG_ATTR_TX_IFINDEX] = { .type = NLA_U32 },
513 	[NL80211_MBSSID_CONFIG_ATTR_EMA] = { .type = NLA_FLAG },
514 	[NL80211_MBSSID_CONFIG_ATTR_TX_LINK_ID] =
515 		NLA_POLICY_MAX(NLA_U8, IEEE80211_MLD_MAX_NUM_LINKS),
516 };
517 
518 static const struct nla_policy
519 nl80211_sta_wme_policy[NL80211_STA_WME_MAX + 1] = {
520 	[NL80211_STA_WME_UAPSD_QUEUES] = { .type = NLA_U8 },
521 	[NL80211_STA_WME_MAX_SP] = { .type = NLA_U8 },
522 };
523 
524 static const struct nla_policy
525 nl80211_s1g_short_beacon[NL80211_S1G_SHORT_BEACON_ATTR_MAX + 1] = {
526 	[NL80211_S1G_SHORT_BEACON_ATTR_HEAD] =
527 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_beacon_head,
528 				       IEEE80211_MAX_DATA_LEN),
529 	[NL80211_S1G_SHORT_BEACON_ATTR_TAIL] =
530 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_ie_attr,
531 				       IEEE80211_MAX_DATA_LEN),
532 };
533 
534 static const struct nla_policy
535 nl80211_nan_band_conf_policy[NL80211_NAN_BAND_CONF_ATTR_MAX + 1] = {
536 	[NL80211_NAN_BAND_CONF_BAND] = NLA_POLICY_MAX(NLA_U8,
537 						      NUM_NL80211_BANDS - 1),
538 	[NL80211_NAN_BAND_CONF_FREQ] = { .type = NLA_U16 },
539 	[NL80211_NAN_BAND_CONF_RSSI_CLOSE] = NLA_POLICY_MIN(NLA_S8, -59),
540 	[NL80211_NAN_BAND_CONF_RSSI_MIDDLE] = NLA_POLICY_MIN(NLA_S8, -74),
541 	[NL80211_NAN_BAND_CONF_WAKE_DW] = NLA_POLICY_MAX(NLA_U8, 5),
542 	[NL80211_NAN_BAND_CONF_DISABLE_SCAN] = { .type = NLA_FLAG },
543 };
544 
545 static const struct nla_policy
546 nl80211_nan_conf_policy[NL80211_NAN_CONF_ATTR_MAX + 1] = {
547 	[NL80211_NAN_CONF_CLUSTER_ID] =
548 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_nan_cluster_id,
549 				       ETH_ALEN),
550 	[NL80211_NAN_CONF_EXTRA_ATTRS] = { .type = NLA_BINARY,
551 					   .len = IEEE80211_MAX_DATA_LEN},
552 	[NL80211_NAN_CONF_VENDOR_ELEMS] =
553 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_ie_attr,
554 				       IEEE80211_MAX_DATA_LEN),
555 	[NL80211_NAN_CONF_BAND_CONFIGS] =
556 		NLA_POLICY_NESTED_ARRAY(nl80211_nan_band_conf_policy),
557 	[NL80211_NAN_CONF_SCAN_PERIOD] = { .type = NLA_U16 },
558 	[NL80211_NAN_CONF_SCAN_DWELL_TIME] = NLA_POLICY_RANGE(NLA_U16, 50, 512),
559 	[NL80211_NAN_CONF_DISCOVERY_BEACON_INTERVAL] =
560 		NLA_POLICY_RANGE(NLA_U8, 50, 200),
561 	[NL80211_NAN_CONF_NOTIFY_DW] = { .type = NLA_FLAG },
562 };
563 
564 static const struct netlink_range_validation nl80211_punct_bitmap_range = {
565 	.min = 0,
566 	.max = 0xffff,
567 };
568 
569 static const struct netlink_range_validation q_range = {
570 	.max = INT_MAX,
571 };
572 
573 static const struct nla_policy nl80211_policy[NUM_NL80211_ATTR] = {
574 	[0] = { .strict_start_type = NL80211_ATTR_HE_OBSS_PD },
575 	[NL80211_ATTR_WIPHY] = { .type = NLA_U32 },
576 	[NL80211_ATTR_WIPHY_NAME] = { .type = NLA_NUL_STRING,
577 				      .len = 20-1 },
578 	[NL80211_ATTR_WIPHY_TXQ_PARAMS] = { .type = NLA_NESTED },
579 
580 	[NL80211_ATTR_WIPHY_FREQ] = { .type = NLA_U32 },
581 	[NL80211_ATTR_WIPHY_CHANNEL_TYPE] = { .type = NLA_U32 },
582 	[NL80211_ATTR_WIPHY_EDMG_CHANNELS] = NLA_POLICY_RANGE(NLA_U8,
583 						NL80211_EDMG_CHANNELS_MIN,
584 						NL80211_EDMG_CHANNELS_MAX),
585 	[NL80211_ATTR_WIPHY_EDMG_BW_CONFIG] = NLA_POLICY_RANGE(NLA_U8,
586 						NL80211_EDMG_BW_CONFIG_MIN,
587 						NL80211_EDMG_BW_CONFIG_MAX),
588 
589 	[NL80211_ATTR_CHANNEL_WIDTH] = { .type = NLA_U32 },
590 	[NL80211_ATTR_CENTER_FREQ1] = { .type = NLA_U32 },
591 	[NL80211_ATTR_CENTER_FREQ1_OFFSET] = NLA_POLICY_RANGE(NLA_U32, 0, 999),
592 	[NL80211_ATTR_CENTER_FREQ2] = { .type = NLA_U32 },
593 
594 	[NL80211_ATTR_WIPHY_RETRY_SHORT] = NLA_POLICY_MIN(NLA_U8, 1),
595 	[NL80211_ATTR_WIPHY_RETRY_LONG] = NLA_POLICY_MIN(NLA_U8, 1),
596 	[NL80211_ATTR_WIPHY_FRAG_THRESHOLD] = { .type = NLA_U32 },
597 	[NL80211_ATTR_WIPHY_RTS_THRESHOLD] = { .type = NLA_U32 },
598 	[NL80211_ATTR_WIPHY_COVERAGE_CLASS] = { .type = NLA_U8 },
599 	[NL80211_ATTR_WIPHY_DYN_ACK] = { .type = NLA_FLAG },
600 
601 	[NL80211_ATTR_IFTYPE] = NLA_POLICY_MAX(NLA_U32, NL80211_IFTYPE_MAX),
602 	[NL80211_ATTR_IFINDEX] = { .type = NLA_U32 },
603 	[NL80211_ATTR_IFNAME] = { .type = NLA_NUL_STRING, .len = IFNAMSIZ-1 },
604 
605 	[NL80211_ATTR_MAC] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
606 	[NL80211_ATTR_PREV_BSSID] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
607 
608 	[NL80211_ATTR_KEY] = { .type = NLA_NESTED, },
609 	[NL80211_ATTR_KEY_DATA] = { .type = NLA_BINARY,
610 				    .len = WLAN_MAX_KEY_LEN },
611 	[NL80211_ATTR_KEY_IDX] = NLA_POLICY_MAX(NLA_U8, 7),
612 	[NL80211_ATTR_KEY_CIPHER] = { .type = NLA_U32 },
613 	[NL80211_ATTR_KEY_DEFAULT] = { .type = NLA_FLAG },
614 	[NL80211_ATTR_KEY_SEQ] = { .type = NLA_BINARY, .len = 16 },
615 	[NL80211_ATTR_KEY_TYPE] =
616 		NLA_POLICY_MAX(NLA_U32, NUM_NL80211_KEYTYPES),
617 
618 	[NL80211_ATTR_BEACON_INTERVAL] = { .type = NLA_U32 },
619 	[NL80211_ATTR_DTIM_PERIOD] = { .type = NLA_U32 },
620 	[NL80211_ATTR_BEACON_HEAD] =
621 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_beacon_head,
622 				       IEEE80211_MAX_DATA_LEN),
623 	[NL80211_ATTR_BEACON_TAIL] =
624 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_ie_attr,
625 				       IEEE80211_MAX_DATA_LEN),
626 	[NL80211_ATTR_STA_AID] =
627 		NLA_POLICY_RANGE(NLA_U16, 1, IEEE80211_MAX_AID),
628 	[NL80211_ATTR_STA_FLAGS] = { .type = NLA_NESTED },
629 	[NL80211_ATTR_STA_LISTEN_INTERVAL] = { .type = NLA_U16 },
630 	[NL80211_ATTR_STA_SUPPORTED_RATES] = { .type = NLA_BINARY,
631 					       .len = NL80211_MAX_SUPP_RATES },
632 	[NL80211_ATTR_STA_PLINK_ACTION] =
633 		NLA_POLICY_MAX(NLA_U8, NUM_NL80211_PLINK_ACTIONS - 1),
634 	[NL80211_ATTR_STA_TX_POWER_SETTING] =
635 		NLA_POLICY_RANGE(NLA_U8,
636 				 NL80211_TX_POWER_AUTOMATIC,
637 				 NL80211_TX_POWER_FIXED),
638 	[NL80211_ATTR_STA_TX_POWER] = { .type = NLA_S16 },
639 	[NL80211_ATTR_STA_VLAN] = { .type = NLA_U32 },
640 	[NL80211_ATTR_MNTR_FLAGS] = { /* NLA_NESTED can't be empty */ },
641 	[NL80211_ATTR_MESH_ID] = { .type = NLA_BINARY,
642 				   .len = IEEE80211_MAX_MESH_ID_LEN },
643 	[NL80211_ATTR_MPATH_NEXT_HOP] = NLA_POLICY_ETH_ADDR_COMPAT,
644 
645 	/* allow 3 for NUL-termination, we used to declare this NLA_STRING */
646 	[NL80211_ATTR_REG_ALPHA2] = NLA_POLICY_RANGE(NLA_BINARY, 2, 3),
647 	[NL80211_ATTR_REG_RULES] = { .type = NLA_NESTED },
648 
649 	[NL80211_ATTR_BSS_CTS_PROT] = { .type = NLA_U8 },
650 	[NL80211_ATTR_BSS_SHORT_PREAMBLE] = { .type = NLA_U8 },
651 	[NL80211_ATTR_BSS_SHORT_SLOT_TIME] = { .type = NLA_U8 },
652 	[NL80211_ATTR_BSS_BASIC_RATES] = { .type = NLA_BINARY,
653 					   .len = NL80211_MAX_SUPP_RATES },
654 	[NL80211_ATTR_BSS_HT_OPMODE] = { .type = NLA_U16 },
655 
656 	[NL80211_ATTR_MESH_CONFIG] = { .type = NLA_NESTED },
657 	[NL80211_ATTR_SUPPORT_MESH_AUTH] = { .type = NLA_FLAG },
658 
659 	[NL80211_ATTR_HT_CAPABILITY] = NLA_POLICY_EXACT_LEN_WARN(NL80211_HT_CAPABILITY_LEN),
660 
661 	[NL80211_ATTR_MGMT_SUBTYPE] = { .type = NLA_U8 },
662 	[NL80211_ATTR_IE] = NLA_POLICY_VALIDATE_FN(NLA_BINARY,
663 						   validate_ie_attr,
664 						   IEEE80211_MAX_DATA_LEN),
665 	[NL80211_ATTR_SCAN_FREQUENCIES] = { .type = NLA_NESTED },
666 	[NL80211_ATTR_SCAN_SSIDS] = { .type = NLA_NESTED },
667 
668 	[NL80211_ATTR_SSID] = { .type = NLA_BINARY,
669 				.len = IEEE80211_MAX_SSID_LEN },
670 	[NL80211_ATTR_AUTH_TYPE] = { .type = NLA_U32 },
671 	[NL80211_ATTR_REASON_CODE] = { .type = NLA_U16 },
672 	[NL80211_ATTR_FREQ_FIXED] = { .type = NLA_FLAG },
673 	[NL80211_ATTR_TIMED_OUT] = { .type = NLA_FLAG },
674 	[NL80211_ATTR_USE_MFP] = NLA_POLICY_RANGE(NLA_U32,
675 						  NL80211_MFP_NO,
676 						  NL80211_MFP_OPTIONAL),
677 	[NL80211_ATTR_STA_FLAGS2] =
678 		NLA_POLICY_EXACT_LEN_WARN(sizeof(struct nl80211_sta_flag_update)),
679 	[NL80211_ATTR_CONTROL_PORT] = { .type = NLA_FLAG },
680 	[NL80211_ATTR_CONTROL_PORT_ETHERTYPE] = { .type = NLA_U16 },
681 	[NL80211_ATTR_CONTROL_PORT_NO_ENCRYPT] = { .type = NLA_FLAG },
682 	[NL80211_ATTR_CONTROL_PORT_OVER_NL80211] = { .type = NLA_FLAG },
683 	[NL80211_ATTR_PRIVACY] = { .type = NLA_FLAG },
684 	[NL80211_ATTR_STATUS_CODE] = { .type = NLA_U16 },
685 	[NL80211_ATTR_CIPHER_SUITE_GROUP] = { .type = NLA_U32 },
686 	[NL80211_ATTR_WPA_VERSIONS] =
687 		NLA_POLICY_RANGE(NLA_U32, 0,
688 				 NL80211_WPA_VERSION_1 |
689 				 NL80211_WPA_VERSION_2 |
690 				 NL80211_WPA_VERSION_3),
691 	[NL80211_ATTR_PID] = { .type = NLA_U32 },
692 	[NL80211_ATTR_4ADDR] = { .type = NLA_U8 },
693 	[NL80211_ATTR_PMKID] = NLA_POLICY_EXACT_LEN_WARN(WLAN_PMKID_LEN),
694 	[NL80211_ATTR_DURATION] = { .type = NLA_U32 },
695 	[NL80211_ATTR_COOKIE] = { .type = NLA_U64 },
696 	[NL80211_ATTR_TX_RATES] = { .type = NLA_NESTED },
697 	[NL80211_ATTR_FRAME] = { .type = NLA_BINARY,
698 				 .len = IEEE80211_MAX_DATA_LEN },
699 	[NL80211_ATTR_FRAME_MATCH] = { .type = NLA_BINARY, },
700 	[NL80211_ATTR_PS_STATE] = NLA_POLICY_RANGE(NLA_U32,
701 						   NL80211_PS_DISABLED,
702 						   NL80211_PS_ENABLED),
703 	[NL80211_ATTR_CQM] = { .type = NLA_NESTED, },
704 	[NL80211_ATTR_LOCAL_STATE_CHANGE] = { .type = NLA_FLAG },
705 	[NL80211_ATTR_AP_ISOLATE] = { .type = NLA_U8 },
706 	[NL80211_ATTR_WIPHY_TX_POWER_SETTING] = { .type = NLA_U32 },
707 	[NL80211_ATTR_WIPHY_TX_POWER_LEVEL] = { .type = NLA_U32 },
708 	[NL80211_ATTR_FRAME_TYPE] = { .type = NLA_U16 },
709 	[NL80211_ATTR_WIPHY_ANTENNA_TX] = { .type = NLA_U32 },
710 	[NL80211_ATTR_WIPHY_ANTENNA_RX] = { .type = NLA_U32 },
711 	[NL80211_ATTR_MCAST_RATE] = { .type = NLA_U32 },
712 	[NL80211_ATTR_OFFCHANNEL_TX_OK] = { .type = NLA_FLAG },
713 	[NL80211_ATTR_KEY_DEFAULT_TYPES] = { .type = NLA_NESTED },
714 	[NL80211_ATTR_WOWLAN_TRIGGERS] = { .type = NLA_NESTED },
715 	[NL80211_ATTR_STA_PLINK_STATE] =
716 		NLA_POLICY_MAX(NLA_U8, NUM_NL80211_PLINK_STATES - 1),
717 	[NL80211_ATTR_MEASUREMENT_DURATION] = { .type = NLA_U16 },
718 	[NL80211_ATTR_MEASUREMENT_DURATION_MANDATORY] = { .type = NLA_FLAG },
719 	[NL80211_ATTR_MESH_PEER_AID] =
720 		NLA_POLICY_RANGE(NLA_U16, 1, IEEE80211_MAX_AID),
721 	[NL80211_ATTR_SCHED_SCAN_INTERVAL] = { .type = NLA_U32 },
722 	[NL80211_ATTR_REKEY_DATA] = { .type = NLA_NESTED },
723 	[NL80211_ATTR_SCAN_SUPP_RATES] = { .type = NLA_NESTED },
724 	[NL80211_ATTR_HIDDEN_SSID] =
725 		NLA_POLICY_RANGE(NLA_U32,
726 				 NL80211_HIDDEN_SSID_NOT_IN_USE,
727 				 NL80211_HIDDEN_SSID_ZERO_CONTENTS),
728 	[NL80211_ATTR_IE_PROBE_RESP] =
729 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_ie_attr,
730 				       IEEE80211_MAX_DATA_LEN),
731 	[NL80211_ATTR_IE_ASSOC_RESP] =
732 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_ie_attr,
733 				       IEEE80211_MAX_DATA_LEN),
734 	[NL80211_ATTR_ROAM_SUPPORT] = { .type = NLA_FLAG },
735 	[NL80211_ATTR_STA_WME] = NLA_POLICY_NESTED(nl80211_sta_wme_policy),
736 	[NL80211_ATTR_SCHED_SCAN_MATCH] = { .type = NLA_NESTED },
737 	[NL80211_ATTR_TX_NO_CCK_RATE] = { .type = NLA_FLAG },
738 	[NL80211_ATTR_TDLS_ACTION] = { .type = NLA_U8 },
739 	[NL80211_ATTR_TDLS_DIALOG_TOKEN] = { .type = NLA_U8 },
740 	[NL80211_ATTR_TDLS_OPERATION] = { .type = NLA_U8 },
741 	[NL80211_ATTR_TDLS_SUPPORT] = { .type = NLA_FLAG },
742 	[NL80211_ATTR_TDLS_EXTERNAL_SETUP] = { .type = NLA_FLAG },
743 	[NL80211_ATTR_TDLS_INITIATOR] = { .type = NLA_FLAG },
744 	[NL80211_ATTR_DONT_WAIT_FOR_ACK] = { .type = NLA_FLAG },
745 	[NL80211_ATTR_PROBE_RESP] = { .type = NLA_BINARY,
746 				      .len = IEEE80211_MAX_DATA_LEN },
747 	[NL80211_ATTR_DFS_REGION] = { .type = NLA_U8 },
748 	[NL80211_ATTR_DISABLE_HT] = { .type = NLA_FLAG },
749 	[NL80211_ATTR_HT_CAPABILITY_MASK] = {
750 		.len = NL80211_HT_CAPABILITY_LEN
751 	},
752 	[NL80211_ATTR_NOACK_MAP] = { .type = NLA_U16 },
753 	[NL80211_ATTR_INACTIVITY_TIMEOUT] = { .type = NLA_U16 },
754 	[NL80211_ATTR_BG_SCAN_PERIOD] = { .type = NLA_U16 },
755 	[NL80211_ATTR_WDEV] = { .type = NLA_U64 },
756 	[NL80211_ATTR_USER_REG_HINT_TYPE] = { .type = NLA_U32 },
757 
758 	/* need to include at least Auth Transaction and Status Code */
759 	[NL80211_ATTR_AUTH_DATA] = NLA_POLICY_MIN_LEN(4),
760 
761 	[NL80211_ATTR_VHT_CAPABILITY] = NLA_POLICY_EXACT_LEN_WARN(NL80211_VHT_CAPABILITY_LEN),
762 	[NL80211_ATTR_SCAN_FLAGS] = { .type = NLA_U32 },
763 	[NL80211_ATTR_P2P_CTWINDOW] = NLA_POLICY_MAX(NLA_U8, 127),
764 	[NL80211_ATTR_P2P_OPPPS] = NLA_POLICY_MAX(NLA_U8, 1),
765 	[NL80211_ATTR_LOCAL_MESH_POWER_MODE] =
766 		NLA_POLICY_RANGE(NLA_U32,
767 				 NL80211_MESH_POWER_UNKNOWN + 1,
768 				 NL80211_MESH_POWER_MAX),
769 	[NL80211_ATTR_ACL_POLICY] = {. type = NLA_U32 },
770 	[NL80211_ATTR_MAC_ADDRS] = { .type = NLA_NESTED },
771 	[NL80211_ATTR_STA_CAPABILITY] = { .type = NLA_U16 },
772 	[NL80211_ATTR_STA_EXT_CAPABILITY] = { .type = NLA_BINARY, },
773 	[NL80211_ATTR_SPLIT_WIPHY_DUMP] = { .type = NLA_FLAG, },
774 	[NL80211_ATTR_DISABLE_VHT] = { .type = NLA_FLAG },
775 	[NL80211_ATTR_VHT_CAPABILITY_MASK] = {
776 		.len = NL80211_VHT_CAPABILITY_LEN,
777 	},
778 	[NL80211_ATTR_MDID] = { .type = NLA_U16 },
779 	[NL80211_ATTR_IE_RIC] = { .type = NLA_BINARY,
780 				  .len = IEEE80211_MAX_DATA_LEN },
781 	[NL80211_ATTR_CRIT_PROT_ID] = { .type = NLA_U16 },
782 	[NL80211_ATTR_MAX_CRIT_PROT_DURATION] =
783 		NLA_POLICY_MAX(NLA_U16, NL80211_CRIT_PROTO_MAX_DURATION),
784 	[NL80211_ATTR_PEER_AID] =
785 		NLA_POLICY_RANGE(NLA_U16, 1, IEEE80211_MAX_AID),
786 	[NL80211_ATTR_CH_SWITCH_COUNT] = { .type = NLA_U32 },
787 	[NL80211_ATTR_CH_SWITCH_BLOCK_TX] = { .type = NLA_FLAG },
788 	[NL80211_ATTR_CSA_IES] = { .type = NLA_NESTED },
789 	[NL80211_ATTR_CNTDWN_OFFS_BEACON] = { .type = NLA_BINARY },
790 	[NL80211_ATTR_CNTDWN_OFFS_PRESP] = { .type = NLA_BINARY },
791 	[NL80211_ATTR_STA_SUPPORTED_CHANNELS] = NLA_POLICY_MIN_LEN(2),
792 	/*
793 	 * The value of the Length field of the Supported Operating
794 	 * Classes element is between 2 and 253.
795 	 */
796 	[NL80211_ATTR_STA_SUPPORTED_OPER_CLASSES] =
797 		NLA_POLICY_RANGE(NLA_BINARY, 2, 253),
798 	[NL80211_ATTR_HANDLE_DFS] = { .type = NLA_FLAG },
799 	[NL80211_ATTR_OPMODE_NOTIF] = { .type = NLA_U8 },
800 	[NL80211_ATTR_VENDOR_ID] = { .type = NLA_U32 },
801 	[NL80211_ATTR_VENDOR_SUBCMD] = { .type = NLA_U32 },
802 	[NL80211_ATTR_VENDOR_DATA] = { .type = NLA_BINARY },
803 	[NL80211_ATTR_QOS_MAP] = NLA_POLICY_RANGE(NLA_BINARY,
804 						  IEEE80211_QOS_MAP_LEN_MIN,
805 						  IEEE80211_QOS_MAP_LEN_MAX),
806 	[NL80211_ATTR_MAC_HINT] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
807 	[NL80211_ATTR_WIPHY_FREQ_HINT] = { .type = NLA_U32 },
808 	[NL80211_ATTR_TDLS_PEER_CAPABILITY] = { .type = NLA_U32 },
809 	[NL80211_ATTR_SOCKET_OWNER] = { .type = NLA_FLAG },
810 	[NL80211_ATTR_CSA_C_OFFSETS_TX] = { .type = NLA_BINARY },
811 	[NL80211_ATTR_USE_RRM] = { .type = NLA_FLAG },
812 	[NL80211_ATTR_TSID] = NLA_POLICY_MAX(NLA_U8, IEEE80211_NUM_TIDS - 1),
813 	[NL80211_ATTR_USER_PRIO] =
814 		NLA_POLICY_MAX(NLA_U8, IEEE80211_NUM_UPS - 1),
815 	[NL80211_ATTR_ADMITTED_TIME] = { .type = NLA_U16 },
816 	[NL80211_ATTR_SMPS_MODE] = { .type = NLA_U8 },
817 	[NL80211_ATTR_OPER_CLASS] = { .type = NLA_U8 },
818 	[NL80211_ATTR_MAC_MASK] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
819 	[NL80211_ATTR_WIPHY_SELF_MANAGED_REG] = { .type = NLA_FLAG },
820 	[NL80211_ATTR_NETNS_FD] = { .type = NLA_U32 },
821 	[NL80211_ATTR_SCHED_SCAN_DELAY] = { .type = NLA_U32 },
822 	[NL80211_ATTR_REG_INDOOR] = { .type = NLA_FLAG },
823 	[NL80211_ATTR_PBSS] = { .type = NLA_FLAG },
824 	[NL80211_ATTR_BSS_SELECT] = { .type = NLA_NESTED },
825 	[NL80211_ATTR_STA_SUPPORT_P2P_PS] =
826 		NLA_POLICY_MAX(NLA_U8, NUM_NL80211_P2P_PS_STATUS - 1),
827 	[NL80211_ATTR_MU_MIMO_GROUP_DATA] = {
828 		.len = VHT_MUMIMO_GROUPS_DATA_LEN
829 	},
830 	[NL80211_ATTR_MU_MIMO_FOLLOW_MAC_ADDR] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
831 	[NL80211_ATTR_NAN_MASTER_PREF] = NLA_POLICY_MIN(NLA_U8, 1),
832 	[NL80211_ATTR_BANDS] = { .type = NLA_U32 },
833 	[NL80211_ATTR_NAN_CONFIG] = NLA_POLICY_NESTED(nl80211_nan_conf_policy),
834 	[NL80211_ATTR_NAN_FUNC] = { .type = NLA_NESTED },
835 	[NL80211_ATTR_FILS_KEK] = { .type = NLA_BINARY,
836 				    .len = FILS_MAX_KEK_LEN },
837 	[NL80211_ATTR_FILS_NONCES] = NLA_POLICY_EXACT_LEN_WARN(2 * FILS_NONCE_LEN),
838 	[NL80211_ATTR_MULTICAST_TO_UNICAST_ENABLED] = { .type = NLA_FLAG, },
839 	[NL80211_ATTR_BSSID] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
840 	[NL80211_ATTR_SCHED_SCAN_RELATIVE_RSSI] = { .type = NLA_S8 },
841 	[NL80211_ATTR_SCHED_SCAN_RSSI_ADJUST] = {
842 		.len = sizeof(struct nl80211_bss_select_rssi_adjust)
843 	},
844 	[NL80211_ATTR_TIMEOUT_REASON] = { .type = NLA_U32 },
845 	[NL80211_ATTR_FILS_ERP_USERNAME] = { .type = NLA_BINARY,
846 					     .len = FILS_ERP_MAX_USERNAME_LEN },
847 	[NL80211_ATTR_FILS_ERP_REALM] = { .type = NLA_BINARY,
848 					  .len = FILS_ERP_MAX_REALM_LEN },
849 	[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM] = { .type = NLA_U16 },
850 	[NL80211_ATTR_FILS_ERP_RRK] = { .type = NLA_BINARY,
851 					.len = FILS_ERP_MAX_RRK_LEN },
852 	[NL80211_ATTR_FILS_CACHE_ID] = NLA_POLICY_EXACT_LEN_WARN(2),
853 	[NL80211_ATTR_PMK] = { .type = NLA_BINARY, .len = PMK_MAX_LEN },
854 	[NL80211_ATTR_PMKR0_NAME] = NLA_POLICY_EXACT_LEN(WLAN_PMK_NAME_LEN),
855 	[NL80211_ATTR_SCHED_SCAN_MULTI] = { .type = NLA_FLAG },
856 	[NL80211_ATTR_EXTERNAL_AUTH_SUPPORT] = { .type = NLA_FLAG },
857 
858 	[NL80211_ATTR_TXQ_LIMIT] = { .type = NLA_U32 },
859 	[NL80211_ATTR_TXQ_MEMORY_LIMIT] = { .type = NLA_U32 },
860 	[NL80211_ATTR_TXQ_QUANTUM] = NLA_POLICY_FULL_RANGE(NLA_U32, &q_range),
861 	[NL80211_ATTR_HE_CAPABILITY] =
862 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_he_capa,
863 				       NL80211_HE_MAX_CAPABILITY_LEN),
864 	[NL80211_ATTR_FTM_RESPONDER] =
865 		NLA_POLICY_NESTED(nl80211_ftm_responder_policy),
866 	[NL80211_ATTR_TIMEOUT] = NLA_POLICY_MIN(NLA_U32, 1),
867 	[NL80211_ATTR_PEER_MEASUREMENTS] =
868 		NLA_POLICY_NESTED(nl80211_pmsr_attr_policy),
869 	[NL80211_ATTR_AIRTIME_WEIGHT] = NLA_POLICY_MIN(NLA_U16, 1),
870 	[NL80211_ATTR_SAE_PASSWORD] = { .type = NLA_BINARY,
871 					.len = SAE_PASSWORD_MAX_LEN },
872 	[NL80211_ATTR_TWT_RESPONDER] = { .type = NLA_FLAG },
873 	[NL80211_ATTR_HE_OBSS_PD] = NLA_POLICY_NESTED(he_obss_pd_policy),
874 	[NL80211_ATTR_VLAN_ID] = NLA_POLICY_RANGE(NLA_U16, 1, VLAN_N_VID - 2),
875 	[NL80211_ATTR_HE_BSS_COLOR] = NLA_POLICY_NESTED(he_bss_color_policy),
876 	[NL80211_ATTR_TID_CONFIG] =
877 		NLA_POLICY_NESTED_ARRAY(nl80211_tid_config_attr_policy),
878 	[NL80211_ATTR_CONTROL_PORT_NO_PREAUTH] = { .type = NLA_FLAG },
879 	[NL80211_ATTR_PMK_LIFETIME] = NLA_POLICY_MIN(NLA_U32, 1),
880 	[NL80211_ATTR_PMK_REAUTH_THRESHOLD] = NLA_POLICY_RANGE(NLA_U8, 1, 100),
881 	[NL80211_ATTR_RECEIVE_MULTICAST] = { .type = NLA_FLAG },
882 	[NL80211_ATTR_WIPHY_FREQ_OFFSET] = NLA_POLICY_RANGE(NLA_U32, 0, 999),
883 	[NL80211_ATTR_SCAN_FREQ_KHZ] = { .type = NLA_NESTED },
884 	[NL80211_ATTR_HE_6GHZ_CAPABILITY] =
885 		NLA_POLICY_EXACT_LEN(sizeof(struct ieee80211_he_6ghz_capa)),
886 	[NL80211_ATTR_FILS_DISCOVERY] =
887 		NLA_POLICY_NESTED(nl80211_fils_discovery_policy),
888 	[NL80211_ATTR_UNSOL_BCAST_PROBE_RESP] =
889 		NLA_POLICY_NESTED(nl80211_unsol_bcast_probe_resp_policy),
890 	[NL80211_ATTR_S1G_CAPABILITY] =
891 		NLA_POLICY_EXACT_LEN(IEEE80211_S1G_CAPABILITY_LEN),
892 	[NL80211_ATTR_S1G_CAPABILITY_MASK] =
893 		NLA_POLICY_EXACT_LEN(IEEE80211_S1G_CAPABILITY_LEN),
894 	[NL80211_ATTR_SAE_PWE] =
895 		NLA_POLICY_RANGE(NLA_U8, NL80211_SAE_PWE_HUNT_AND_PECK,
896 				 NL80211_SAE_PWE_BOTH),
897 	[NL80211_ATTR_RECONNECT_REQUESTED] = { .type = NLA_REJECT },
898 	[NL80211_ATTR_SAR_SPEC] = NLA_POLICY_NESTED(sar_policy),
899 	[NL80211_ATTR_DISABLE_HE] = { .type = NLA_FLAG },
900 	[NL80211_ATTR_OBSS_COLOR_BITMAP] = { .type = NLA_U64 },
901 	[NL80211_ATTR_COLOR_CHANGE_COUNT] = { .type = NLA_U8 },
902 	[NL80211_ATTR_COLOR_CHANGE_COLOR] = { .type = NLA_U8 },
903 	[NL80211_ATTR_COLOR_CHANGE_ELEMS] = NLA_POLICY_NESTED(nl80211_policy),
904 	[NL80211_ATTR_MBSSID_CONFIG] =
905 			NLA_POLICY_NESTED(nl80211_mbssid_config_policy),
906 	[NL80211_ATTR_MBSSID_ELEMS] = { .type = NLA_NESTED },
907 	[NL80211_ATTR_RADAR_BACKGROUND] = { .type = NLA_FLAG },
908 	[NL80211_ATTR_AP_SETTINGS_FLAGS] = { .type = NLA_U32 },
909 	[NL80211_ATTR_EHT_CAPABILITY] =
910 		NLA_POLICY_RANGE(NLA_BINARY,
911 				 NL80211_EHT_MIN_CAPABILITY_LEN,
912 				 NL80211_EHT_MAX_CAPABILITY_LEN),
913 	[NL80211_ATTR_DISABLE_EHT] = { .type = NLA_FLAG },
914 	[NL80211_ATTR_MLO_LINKS] =
915 		NLA_POLICY_NESTED_ARRAY(nl80211_policy),
916 	[NL80211_ATTR_MLO_LINK_ID] =
917 		NLA_POLICY_RANGE(NLA_U8, 0, IEEE80211_MLD_MAX_NUM_LINKS - 1),
918 	[NL80211_ATTR_MLD_ADDR] = NLA_POLICY_EXACT_LEN(ETH_ALEN),
919 	[NL80211_ATTR_MLO_SUPPORT] = { .type = NLA_FLAG },
920 	[NL80211_ATTR_MAX_NUM_AKM_SUITES] = { .type = NLA_REJECT },
921 	[NL80211_ATTR_EML_CAPABILITY] = { .type = NLA_U16 },
922 	[NL80211_ATTR_PUNCT_BITMAP] =
923 		NLA_POLICY_FULL_RANGE(NLA_U32, &nl80211_punct_bitmap_range),
924 
925 	[NL80211_ATTR_MAX_HW_TIMESTAMP_PEERS] = { .type = NLA_U16 },
926 	[NL80211_ATTR_HW_TIMESTAMP_ENABLED] = { .type = NLA_FLAG },
927 	[NL80211_ATTR_EMA_RNR_ELEMS] = { .type = NLA_NESTED },
928 	[NL80211_ATTR_MLO_LINK_DISABLED] = { .type = NLA_FLAG },
929 	[NL80211_ATTR_BSS_DUMP_INCLUDE_USE_DATA] = { .type = NLA_FLAG },
930 	[NL80211_ATTR_MLO_TTLM_DLINK] = NLA_POLICY_EXACT_LEN(sizeof(u16) * 8),
931 	[NL80211_ATTR_MLO_TTLM_ULINK] = NLA_POLICY_EXACT_LEN(sizeof(u16) * 8),
932 	[NL80211_ATTR_ASSOC_SPP_AMSDU] = { .type = NLA_FLAG },
933 	[NL80211_ATTR_VIF_RADIO_MASK] = { .type = NLA_U32 },
934 	[NL80211_ATTR_SUPPORTED_SELECTORS] =
935 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_supported_selectors,
936 				       NL80211_MAX_SUPP_SELECTORS),
937 	[NL80211_ATTR_MLO_RECONF_REM_LINKS] = { .type = NLA_U16 },
938 	[NL80211_ATTR_EPCS] = { .type = NLA_FLAG },
939 	[NL80211_ATTR_ASSOC_MLD_EXT_CAPA_OPS] = { .type = NLA_U16 },
940 	[NL80211_ATTR_WIPHY_RADIO_INDEX] = { .type = NLA_U8 },
941 	[NL80211_ATTR_S1G_LONG_BEACON_PERIOD] = NLA_POLICY_MIN(NLA_U8, 2),
942 	[NL80211_ATTR_S1G_SHORT_BEACON] =
943 		NLA_POLICY_NESTED(nl80211_s1g_short_beacon),
944 	[NL80211_ATTR_BSS_PARAM] = { .type = NLA_FLAG },
945 	[NL80211_ATTR_S1G_PRIMARY_2MHZ] = { .type = NLA_FLAG },
946 	[NL80211_ATTR_EPP_PEER] = { .type = NLA_FLAG },
947 	[NL80211_ATTR_UHR_CAPABILITY] =
948 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_uhr_capa, 255),
949 	[NL80211_ATTR_DISABLE_UHR] = { .type = NLA_FLAG },
950 };
951 
952 /* policy for the key attributes */
953 static const struct nla_policy nl80211_key_policy[NL80211_KEY_MAX + 1] = {
954 	[NL80211_KEY_DATA] = { .type = NLA_BINARY, .len = WLAN_MAX_KEY_LEN },
955 	[NL80211_KEY_IDX] = { .type = NLA_U8 },
956 	[NL80211_KEY_CIPHER] = { .type = NLA_U32 },
957 	[NL80211_KEY_SEQ] = { .type = NLA_BINARY, .len = 16 },
958 	[NL80211_KEY_DEFAULT] = { .type = NLA_FLAG },
959 	[NL80211_KEY_DEFAULT_MGMT] = { .type = NLA_FLAG },
960 	[NL80211_KEY_TYPE] = NLA_POLICY_MAX(NLA_U32, NUM_NL80211_KEYTYPES - 1),
961 	[NL80211_KEY_DEFAULT_TYPES] = { .type = NLA_NESTED },
962 	[NL80211_KEY_MODE] = NLA_POLICY_RANGE(NLA_U8, 0, NL80211_KEY_SET_TX),
963 };
964 
965 /* policy for the key default flags */
966 static const struct nla_policy
967 nl80211_key_default_policy[NUM_NL80211_KEY_DEFAULT_TYPES] = {
968 	[NL80211_KEY_DEFAULT_TYPE_UNICAST] = { .type = NLA_FLAG },
969 	[NL80211_KEY_DEFAULT_TYPE_MULTICAST] = { .type = NLA_FLAG },
970 };
971 
972 #ifdef CONFIG_PM
973 /* policy for WoWLAN attributes */
974 static const struct nla_policy
975 nl80211_wowlan_policy[NUM_NL80211_WOWLAN_TRIG] = {
976 	[NL80211_WOWLAN_TRIG_ANY] = { .type = NLA_FLAG },
977 	[NL80211_WOWLAN_TRIG_DISCONNECT] = { .type = NLA_FLAG },
978 	[NL80211_WOWLAN_TRIG_MAGIC_PKT] = { .type = NLA_FLAG },
979 	[NL80211_WOWLAN_TRIG_PKT_PATTERN] = { .type = NLA_NESTED },
980 	[NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE] = { .type = NLA_FLAG },
981 	[NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST] = { .type = NLA_FLAG },
982 	[NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE] = { .type = NLA_FLAG },
983 	[NL80211_WOWLAN_TRIG_RFKILL_RELEASE] = { .type = NLA_FLAG },
984 	[NL80211_WOWLAN_TRIG_TCP_CONNECTION] = { .type = NLA_NESTED },
985 	[NL80211_WOWLAN_TRIG_NET_DETECT] = { .type = NLA_NESTED },
986 };
987 
988 static const struct nla_policy
989 nl80211_wowlan_tcp_policy[NUM_NL80211_WOWLAN_TCP] = {
990 	[NL80211_WOWLAN_TCP_SRC_IPV4] = { .type = NLA_U32 },
991 	[NL80211_WOWLAN_TCP_DST_IPV4] = { .type = NLA_U32 },
992 	[NL80211_WOWLAN_TCP_DST_MAC] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
993 	[NL80211_WOWLAN_TCP_SRC_PORT] = { .type = NLA_U16 },
994 	[NL80211_WOWLAN_TCP_DST_PORT] = { .type = NLA_U16 },
995 	[NL80211_WOWLAN_TCP_DATA_PAYLOAD] = NLA_POLICY_MIN_LEN(1),
996 	[NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ] = {
997 		.len = sizeof(struct nl80211_wowlan_tcp_data_seq)
998 	},
999 	[NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN] = {
1000 		.len = sizeof(struct nl80211_wowlan_tcp_data_token)
1001 	},
1002 	[NL80211_WOWLAN_TCP_DATA_INTERVAL] = { .type = NLA_U32 },
1003 	[NL80211_WOWLAN_TCP_WAKE_PAYLOAD] = NLA_POLICY_MIN_LEN(1),
1004 	[NL80211_WOWLAN_TCP_WAKE_MASK] = NLA_POLICY_MIN_LEN(1),
1005 };
1006 #endif /* CONFIG_PM */
1007 
1008 /* policy for coalesce rule attributes */
1009 static const struct nla_policy
1010 nl80211_coalesce_policy[NUM_NL80211_ATTR_COALESCE_RULE] = {
1011 	[NL80211_ATTR_COALESCE_RULE_DELAY] = { .type = NLA_U32 },
1012 	[NL80211_ATTR_COALESCE_RULE_CONDITION] =
1013 		NLA_POLICY_RANGE(NLA_U32,
1014 				 NL80211_COALESCE_CONDITION_MATCH,
1015 				 NL80211_COALESCE_CONDITION_NO_MATCH),
1016 	[NL80211_ATTR_COALESCE_RULE_PKT_PATTERN] = { .type = NLA_NESTED },
1017 };
1018 
1019 /* policy for GTK rekey offload attributes */
1020 static const struct nla_policy
1021 nl80211_rekey_policy[NUM_NL80211_REKEY_DATA] = {
1022 	[NL80211_REKEY_DATA_KEK] = {
1023 		.type = NLA_BINARY,
1024 		.len = NL80211_KEK_EXT_LEN
1025 	},
1026 	[NL80211_REKEY_DATA_KCK] = {
1027 		.type = NLA_BINARY,
1028 		.len = NL80211_KCK_EXT_LEN_32
1029 	},
1030 	[NL80211_REKEY_DATA_REPLAY_CTR] = NLA_POLICY_EXACT_LEN(NL80211_REPLAY_CTR_LEN),
1031 	[NL80211_REKEY_DATA_AKM] = { .type = NLA_U32 },
1032 };
1033 
1034 static const struct nla_policy
1035 nl80211_match_policy[NL80211_SCHED_SCAN_MATCH_ATTR_MAX + 1] = {
1036 	[NL80211_SCHED_SCAN_MATCH_ATTR_SSID] = { .type = NLA_BINARY,
1037 						 .len = IEEE80211_MAX_SSID_LEN },
1038 	[NL80211_SCHED_SCAN_MATCH_ATTR_BSSID] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
1039 	[NL80211_SCHED_SCAN_MATCH_ATTR_RSSI] = { .type = NLA_U32 },
1040 };
1041 
1042 static const struct nla_policy
1043 nl80211_plan_policy[NL80211_SCHED_SCAN_PLAN_MAX + 1] = {
1044 	[NL80211_SCHED_SCAN_PLAN_INTERVAL] = { .type = NLA_U32 },
1045 	[NL80211_SCHED_SCAN_PLAN_ITERATIONS] = { .type = NLA_U32 },
1046 };
1047 
1048 static const struct nla_policy
1049 nl80211_bss_select_policy[NL80211_BSS_SELECT_ATTR_MAX + 1] = {
1050 	[NL80211_BSS_SELECT_ATTR_RSSI] = { .type = NLA_FLAG },
1051 	[NL80211_BSS_SELECT_ATTR_BAND_PREF] = { .type = NLA_U32 },
1052 	[NL80211_BSS_SELECT_ATTR_RSSI_ADJUST] = {
1053 		.len = sizeof(struct nl80211_bss_select_rssi_adjust)
1054 	},
1055 };
1056 
1057 /* policy for NAN function attributes */
1058 static const struct nla_policy
1059 nl80211_nan_func_policy[NL80211_NAN_FUNC_ATTR_MAX + 1] = {
1060 	[NL80211_NAN_FUNC_TYPE] =
1061 		NLA_POLICY_MAX(NLA_U8, NL80211_NAN_FUNC_MAX_TYPE),
1062 	[NL80211_NAN_FUNC_SERVICE_ID] = {
1063 				    .len = NL80211_NAN_FUNC_SERVICE_ID_LEN },
1064 	[NL80211_NAN_FUNC_PUBLISH_TYPE] = { .type = NLA_U8 },
1065 	[NL80211_NAN_FUNC_PUBLISH_BCAST] = { .type = NLA_FLAG },
1066 	[NL80211_NAN_FUNC_SUBSCRIBE_ACTIVE] = { .type = NLA_FLAG },
1067 	[NL80211_NAN_FUNC_FOLLOW_UP_ID] = { .type = NLA_U8 },
1068 	[NL80211_NAN_FUNC_FOLLOW_UP_REQ_ID] = { .type = NLA_U8 },
1069 	[NL80211_NAN_FUNC_FOLLOW_UP_DEST] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
1070 	[NL80211_NAN_FUNC_CLOSE_RANGE] = { .type = NLA_FLAG },
1071 	[NL80211_NAN_FUNC_TTL] = { .type = NLA_U32 },
1072 	[NL80211_NAN_FUNC_SERVICE_INFO] = { .type = NLA_BINARY,
1073 			.len = NL80211_NAN_FUNC_SERVICE_SPEC_INFO_MAX_LEN },
1074 	[NL80211_NAN_FUNC_SRF] = { .type = NLA_NESTED },
1075 	[NL80211_NAN_FUNC_RX_MATCH_FILTER] = { .type = NLA_NESTED },
1076 	[NL80211_NAN_FUNC_TX_MATCH_FILTER] = { .type = NLA_NESTED },
1077 	[NL80211_NAN_FUNC_INSTANCE_ID] = { .type = NLA_U8 },
1078 	[NL80211_NAN_FUNC_TERM_REASON] = { .type = NLA_U8 },
1079 };
1080 
1081 /* policy for Service Response Filter attributes */
1082 static const struct nla_policy
1083 nl80211_nan_srf_policy[NL80211_NAN_SRF_ATTR_MAX + 1] = {
1084 	[NL80211_NAN_SRF_INCLUDE] = { .type = NLA_FLAG },
1085 	[NL80211_NAN_SRF_BF] = { .type = NLA_BINARY,
1086 				 .len =  NL80211_NAN_FUNC_SRF_MAX_LEN },
1087 	[NL80211_NAN_SRF_BF_IDX] = { .type = NLA_U8 },
1088 	[NL80211_NAN_SRF_MAC_ADDRS] = { .type = NLA_NESTED },
1089 };
1090 
1091 /* policy for packet pattern attributes */
1092 static const struct nla_policy
1093 nl80211_packet_pattern_policy[MAX_NL80211_PKTPAT + 1] = {
1094 	[NL80211_PKTPAT_MASK] = { .type = NLA_BINARY, },
1095 	[NL80211_PKTPAT_PATTERN] = { .type = NLA_BINARY, },
1096 	[NL80211_PKTPAT_OFFSET] = { .type = NLA_U32 },
1097 };
1098 
1099 static int nl80211_prepare_wdev_dump(struct netlink_callback *cb,
1100 				     struct cfg80211_registered_device **rdev,
1101 				     struct wireless_dev **wdev,
1102 				     struct nlattr **attrbuf)
1103 {
1104 	int err;
1105 
1106 	if (!cb->args[0]) {
1107 		struct nlattr **attrbuf_free = NULL;
1108 
1109 		if (!attrbuf) {
1110 			attrbuf = kzalloc_objs(*attrbuf, NUM_NL80211_ATTR);
1111 			if (!attrbuf)
1112 				return -ENOMEM;
1113 			attrbuf_free = attrbuf;
1114 		}
1115 
1116 		err = nlmsg_parse_deprecated(cb->nlh,
1117 					     GENL_HDRLEN + nl80211_fam.hdrsize,
1118 					     attrbuf, nl80211_fam.maxattr,
1119 					     nl80211_policy, NULL);
1120 		if (err) {
1121 			kfree(attrbuf_free);
1122 			return err;
1123 		}
1124 
1125 		rtnl_lock();
1126 		*wdev = __cfg80211_wdev_from_attrs(NULL, sock_net(cb->skb->sk),
1127 						   attrbuf);
1128 		kfree(attrbuf_free);
1129 		if (IS_ERR(*wdev)) {
1130 			rtnl_unlock();
1131 			return PTR_ERR(*wdev);
1132 		}
1133 		*rdev = wiphy_to_rdev((*wdev)->wiphy);
1134 		mutex_lock(&(*rdev)->wiphy.mtx);
1135 		rtnl_unlock();
1136 		/* 0 is the first index - add 1 to parse only once */
1137 		cb->args[0] = (*rdev)->wiphy_idx + 1;
1138 		cb->args[1] = (*wdev)->identifier;
1139 	} else {
1140 		/* subtract the 1 again here */
1141 		struct wiphy *wiphy;
1142 		struct wireless_dev *tmp;
1143 
1144 		rtnl_lock();
1145 		wiphy = wiphy_idx_to_wiphy(cb->args[0] - 1);
1146 		if (!wiphy) {
1147 			rtnl_unlock();
1148 			return -ENODEV;
1149 		}
1150 		*rdev = wiphy_to_rdev(wiphy);
1151 		*wdev = NULL;
1152 
1153 		list_for_each_entry(tmp, &(*rdev)->wiphy.wdev_list, list) {
1154 			if (tmp->identifier == cb->args[1]) {
1155 				*wdev = tmp;
1156 				break;
1157 			}
1158 		}
1159 
1160 		if (!*wdev) {
1161 			rtnl_unlock();
1162 			return -ENODEV;
1163 		}
1164 		mutex_lock(&(*rdev)->wiphy.mtx);
1165 		rtnl_unlock();
1166 	}
1167 
1168 	return 0;
1169 }
1170 
1171 /* message building helper */
1172 void *nl80211hdr_put(struct sk_buff *skb, u32 portid, u32 seq,
1173 		     int flags, u8 cmd)
1174 {
1175 	/* since there is no private header just add the generic one */
1176 	return genlmsg_put(skb, portid, seq, &nl80211_fam, flags, cmd);
1177 }
1178 
1179 static int nl80211_msg_put_wmm_rules(struct sk_buff *msg,
1180 				     const struct ieee80211_reg_rule *rule)
1181 {
1182 	int j;
1183 	struct nlattr *nl_wmm_rules =
1184 		nla_nest_start_noflag(msg, NL80211_FREQUENCY_ATTR_WMM);
1185 
1186 	if (!nl_wmm_rules)
1187 		goto nla_put_failure;
1188 
1189 	for (j = 0; j < IEEE80211_NUM_ACS; j++) {
1190 		struct nlattr *nl_wmm_rule = nla_nest_start_noflag(msg, j);
1191 
1192 		if (!nl_wmm_rule)
1193 			goto nla_put_failure;
1194 
1195 		if (nla_put_u16(msg, NL80211_WMMR_CW_MIN,
1196 				rule->wmm_rule.client[j].cw_min) ||
1197 		    nla_put_u16(msg, NL80211_WMMR_CW_MAX,
1198 				rule->wmm_rule.client[j].cw_max) ||
1199 		    nla_put_u8(msg, NL80211_WMMR_AIFSN,
1200 			       rule->wmm_rule.client[j].aifsn) ||
1201 		    nla_put_u16(msg, NL80211_WMMR_TXOP,
1202 			        rule->wmm_rule.client[j].cot))
1203 			goto nla_put_failure;
1204 
1205 		nla_nest_end(msg, nl_wmm_rule);
1206 	}
1207 	nla_nest_end(msg, nl_wmm_rules);
1208 
1209 	return 0;
1210 
1211 nla_put_failure:
1212 	return -ENOBUFS;
1213 }
1214 
1215 static int nl80211_msg_put_channel(struct sk_buff *msg, struct wiphy *wiphy,
1216 				   struct ieee80211_channel *chan,
1217 				   bool large)
1218 {
1219 	/* Some channels must be completely excluded from the
1220 	 * list to protect old user-space tools from breaking
1221 	 */
1222 	if (!large && chan->flags &
1223 	    (IEEE80211_CHAN_NO_10MHZ | IEEE80211_CHAN_NO_20MHZ))
1224 		return 0;
1225 	if (!large && chan->freq_offset)
1226 		return 0;
1227 
1228 	if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_FREQ,
1229 			chan->center_freq))
1230 		goto nla_put_failure;
1231 
1232 	if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_OFFSET, chan->freq_offset))
1233 		goto nla_put_failure;
1234 
1235 	if ((chan->flags & IEEE80211_CHAN_PSD) &&
1236 	    nla_put_s8(msg, NL80211_FREQUENCY_ATTR_PSD, chan->psd))
1237 		goto nla_put_failure;
1238 
1239 	if ((chan->flags & IEEE80211_CHAN_DISABLED) &&
1240 	    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_DISABLED))
1241 		goto nla_put_failure;
1242 	if (chan->flags & IEEE80211_CHAN_NO_IR) {
1243 		if (nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_IR))
1244 			goto nla_put_failure;
1245 		if (nla_put_flag(msg, __NL80211_FREQUENCY_ATTR_NO_IBSS))
1246 			goto nla_put_failure;
1247 	}
1248 	if (chan->flags & IEEE80211_CHAN_RADAR) {
1249 		if (nla_put_flag(msg, NL80211_FREQUENCY_ATTR_RADAR))
1250 			goto nla_put_failure;
1251 		if (large) {
1252 			u32 time;
1253 
1254 			time = elapsed_jiffies_msecs(chan->dfs_state_entered);
1255 
1256 			if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_DFS_STATE,
1257 					chan->dfs_state))
1258 				goto nla_put_failure;
1259 			if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_DFS_TIME,
1260 					time))
1261 				goto nla_put_failure;
1262 			if (nla_put_u32(msg,
1263 					NL80211_FREQUENCY_ATTR_DFS_CAC_TIME,
1264 					chan->dfs_cac_ms))
1265 				goto nla_put_failure;
1266 		}
1267 	}
1268 
1269 	if (large) {
1270 		if ((chan->flags & IEEE80211_CHAN_NO_HT40MINUS) &&
1271 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_HT40_MINUS))
1272 			goto nla_put_failure;
1273 		if ((chan->flags & IEEE80211_CHAN_NO_HT40PLUS) &&
1274 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_HT40_PLUS))
1275 			goto nla_put_failure;
1276 		if ((chan->flags & IEEE80211_CHAN_NO_80MHZ) &&
1277 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_80MHZ))
1278 			goto nla_put_failure;
1279 		if ((chan->flags & IEEE80211_CHAN_NO_160MHZ) &&
1280 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_160MHZ))
1281 			goto nla_put_failure;
1282 		if ((chan->flags & IEEE80211_CHAN_INDOOR_ONLY) &&
1283 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_INDOOR_ONLY))
1284 			goto nla_put_failure;
1285 		if ((chan->flags & IEEE80211_CHAN_IR_CONCURRENT) &&
1286 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_IR_CONCURRENT))
1287 			goto nla_put_failure;
1288 		if ((chan->flags & IEEE80211_CHAN_NO_20MHZ) &&
1289 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_20MHZ))
1290 			goto nla_put_failure;
1291 		if ((chan->flags & IEEE80211_CHAN_NO_10MHZ) &&
1292 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_10MHZ))
1293 			goto nla_put_failure;
1294 		if ((chan->flags & IEEE80211_CHAN_NO_HE) &&
1295 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_HE))
1296 			goto nla_put_failure;
1297 		if ((chan->flags & IEEE80211_CHAN_NO_320MHZ) &&
1298 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_320MHZ))
1299 			goto nla_put_failure;
1300 		if ((chan->flags & IEEE80211_CHAN_NO_EHT) &&
1301 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_EHT))
1302 			goto nla_put_failure;
1303 		if ((chan->flags & IEEE80211_CHAN_DFS_CONCURRENT) &&
1304 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_DFS_CONCURRENT))
1305 			goto nla_put_failure;
1306 		if ((chan->flags & IEEE80211_CHAN_NO_6GHZ_VLP_CLIENT) &&
1307 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_6GHZ_VLP_CLIENT))
1308 			goto nla_put_failure;
1309 		if ((chan->flags & IEEE80211_CHAN_NO_6GHZ_AFC_CLIENT) &&
1310 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_6GHZ_AFC_CLIENT))
1311 			goto nla_put_failure;
1312 		if ((chan->flags & IEEE80211_CHAN_CAN_MONITOR) &&
1313 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_CAN_MONITOR))
1314 			goto nla_put_failure;
1315 		if ((chan->flags & IEEE80211_CHAN_ALLOW_6GHZ_VLP_AP) &&
1316 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_ALLOW_6GHZ_VLP_AP))
1317 			goto nla_put_failure;
1318 		if ((chan->flags & IEEE80211_CHAN_ALLOW_20MHZ_ACTIVITY) &&
1319 		    nla_put_flag(msg,
1320 				 NL80211_FREQUENCY_ATTR_ALLOW_20MHZ_ACTIVITY))
1321 			goto nla_put_failure;
1322 		if ((chan->flags & IEEE80211_CHAN_NO_4MHZ) &&
1323 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_4MHZ))
1324 			goto nla_put_failure;
1325 		if ((chan->flags & IEEE80211_CHAN_NO_8MHZ) &&
1326 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_8MHZ))
1327 			goto nla_put_failure;
1328 		if ((chan->flags & IEEE80211_CHAN_NO_16MHZ) &&
1329 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_16MHZ))
1330 			goto nla_put_failure;
1331 		if ((chan->flags & IEEE80211_CHAN_S1G_NO_PRIMARY) &&
1332 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_S1G_NO_PRIMARY))
1333 			goto nla_put_failure;
1334 		if ((chan->flags & IEEE80211_CHAN_NO_UHR) &&
1335 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_UHR))
1336 			goto nla_put_failure;
1337 		if (chan->cac_start_time &&
1338 		    nla_put_u64_64bit(msg,
1339 				      NL80211_FREQUENCY_ATTR_CAC_START_TIME,
1340 				      chan->cac_start_time,
1341 				      NL80211_FREQUENCY_ATTR_PAD))
1342 			goto nla_put_failure;
1343 	}
1344 
1345 	if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_MAX_TX_POWER,
1346 			DBM_TO_MBM(chan->max_power)))
1347 		goto nla_put_failure;
1348 
1349 	if (large) {
1350 		const struct ieee80211_reg_rule *rule =
1351 			freq_reg_info(wiphy, MHZ_TO_KHZ(chan->center_freq));
1352 
1353 		if (!IS_ERR_OR_NULL(rule) && rule->has_wmm) {
1354 			if (nl80211_msg_put_wmm_rules(msg, rule))
1355 				goto nla_put_failure;
1356 		}
1357 	}
1358 
1359 	return 0;
1360 
1361  nla_put_failure:
1362 	return -ENOBUFS;
1363 }
1364 
1365 static bool nl80211_put_txq_stats(struct sk_buff *msg,
1366 				  struct cfg80211_txq_stats *txqstats,
1367 				  int attrtype)
1368 {
1369 	struct nlattr *txqattr;
1370 
1371 #define PUT_TXQVAL_U32(attr, memb) do {					  \
1372 	if (txqstats->filled & BIT(NL80211_TXQ_STATS_ ## attr) &&	  \
1373 	    nla_put_u32(msg, NL80211_TXQ_STATS_ ## attr, txqstats->memb)) \
1374 		return false;						  \
1375 	} while (0)
1376 
1377 	txqattr = nla_nest_start_noflag(msg, attrtype);
1378 	if (!txqattr)
1379 		return false;
1380 
1381 	PUT_TXQVAL_U32(BACKLOG_BYTES, backlog_bytes);
1382 	PUT_TXQVAL_U32(BACKLOG_PACKETS, backlog_packets);
1383 	PUT_TXQVAL_U32(FLOWS, flows);
1384 	PUT_TXQVAL_U32(DROPS, drops);
1385 	PUT_TXQVAL_U32(ECN_MARKS, ecn_marks);
1386 	PUT_TXQVAL_U32(OVERLIMIT, overlimit);
1387 	PUT_TXQVAL_U32(OVERMEMORY, overmemory);
1388 	PUT_TXQVAL_U32(COLLISIONS, collisions);
1389 	PUT_TXQVAL_U32(TX_BYTES, tx_bytes);
1390 	PUT_TXQVAL_U32(TX_PACKETS, tx_packets);
1391 	PUT_TXQVAL_U32(MAX_FLOWS, max_flows);
1392 	nla_nest_end(msg, txqattr);
1393 
1394 #undef PUT_TXQVAL_U32
1395 	return true;
1396 }
1397 
1398 /* netlink command implementations */
1399 
1400 /**
1401  * nl80211_link_id - return link ID
1402  * @attrs: attributes to look at
1403  *
1404  * Returns: the link ID or 0 if not given
1405  *
1406  * Note this function doesn't do any validation of the link
1407  * ID validity wrt. links that were actually added, so it must
1408  * be called only from ops with %NL80211_FLAG_MLO_VALID_LINK_ID
1409  * or if additional validation is done.
1410  */
1411 static unsigned int nl80211_link_id(struct nlattr **attrs)
1412 {
1413 	struct nlattr *linkid = attrs[NL80211_ATTR_MLO_LINK_ID];
1414 
1415 	return nla_get_u8_default(linkid, 0);
1416 }
1417 
1418 static int nl80211_link_id_or_invalid(struct nlattr **attrs)
1419 {
1420 	struct nlattr *linkid = attrs[NL80211_ATTR_MLO_LINK_ID];
1421 
1422 	if (!linkid)
1423 		return -1;
1424 
1425 	return nla_get_u8(linkid);
1426 }
1427 
1428 struct key_parse {
1429 	struct key_params p;
1430 	int idx;
1431 	int type;
1432 	bool def, defmgmt, defbeacon;
1433 	bool def_uni, def_multi;
1434 };
1435 
1436 static int nl80211_parse_key_new(struct genl_info *info, struct nlattr *key,
1437 				 struct key_parse *k)
1438 {
1439 	struct nlattr *tb[NL80211_KEY_MAX + 1];
1440 	int err = nla_parse_nested_deprecated(tb, NL80211_KEY_MAX, key,
1441 					      nl80211_key_policy,
1442 					      info->extack);
1443 	if (err)
1444 		return err;
1445 
1446 	k->def = !!tb[NL80211_KEY_DEFAULT];
1447 	k->defmgmt = !!tb[NL80211_KEY_DEFAULT_MGMT];
1448 	k->defbeacon = !!tb[NL80211_KEY_DEFAULT_BEACON];
1449 
1450 	if (k->def) {
1451 		k->def_uni = true;
1452 		k->def_multi = true;
1453 	}
1454 	if (k->defmgmt || k->defbeacon)
1455 		k->def_multi = true;
1456 
1457 	if (tb[NL80211_KEY_IDX])
1458 		k->idx = nla_get_u8(tb[NL80211_KEY_IDX]);
1459 
1460 	if (tb[NL80211_KEY_DATA]) {
1461 		k->p.key = nla_data(tb[NL80211_KEY_DATA]);
1462 		k->p.key_len = nla_len(tb[NL80211_KEY_DATA]);
1463 	}
1464 
1465 	if (tb[NL80211_KEY_SEQ]) {
1466 		k->p.seq = nla_data(tb[NL80211_KEY_SEQ]);
1467 		k->p.seq_len = nla_len(tb[NL80211_KEY_SEQ]);
1468 	}
1469 
1470 	if (tb[NL80211_KEY_CIPHER])
1471 		k->p.cipher = nla_get_u32(tb[NL80211_KEY_CIPHER]);
1472 
1473 	if (tb[NL80211_KEY_TYPE])
1474 		k->type = nla_get_u32(tb[NL80211_KEY_TYPE]);
1475 
1476 	if (tb[NL80211_KEY_DEFAULT_TYPES]) {
1477 		struct nlattr *kdt[NUM_NL80211_KEY_DEFAULT_TYPES];
1478 
1479 		err = nla_parse_nested_deprecated(kdt,
1480 						  NUM_NL80211_KEY_DEFAULT_TYPES - 1,
1481 						  tb[NL80211_KEY_DEFAULT_TYPES],
1482 						  nl80211_key_default_policy,
1483 						  info->extack);
1484 		if (err)
1485 			return err;
1486 
1487 		k->def_uni = kdt[NL80211_KEY_DEFAULT_TYPE_UNICAST];
1488 		k->def_multi = kdt[NL80211_KEY_DEFAULT_TYPE_MULTICAST];
1489 	}
1490 
1491 	if (tb[NL80211_KEY_MODE])
1492 		k->p.mode = nla_get_u8(tb[NL80211_KEY_MODE]);
1493 
1494 	return 0;
1495 }
1496 
1497 static int nl80211_parse_key_old(struct genl_info *info, struct key_parse *k)
1498 {
1499 	if (info->attrs[NL80211_ATTR_KEY_DATA]) {
1500 		k->p.key = nla_data(info->attrs[NL80211_ATTR_KEY_DATA]);
1501 		k->p.key_len = nla_len(info->attrs[NL80211_ATTR_KEY_DATA]);
1502 	}
1503 
1504 	if (info->attrs[NL80211_ATTR_KEY_SEQ]) {
1505 		k->p.seq = nla_data(info->attrs[NL80211_ATTR_KEY_SEQ]);
1506 		k->p.seq_len = nla_len(info->attrs[NL80211_ATTR_KEY_SEQ]);
1507 	}
1508 
1509 	if (info->attrs[NL80211_ATTR_KEY_IDX])
1510 		k->idx = nla_get_u8(info->attrs[NL80211_ATTR_KEY_IDX]);
1511 
1512 	if (info->attrs[NL80211_ATTR_KEY_CIPHER])
1513 		k->p.cipher = nla_get_u32(info->attrs[NL80211_ATTR_KEY_CIPHER]);
1514 
1515 	k->def = !!info->attrs[NL80211_ATTR_KEY_DEFAULT];
1516 	k->defmgmt = !!info->attrs[NL80211_ATTR_KEY_DEFAULT_MGMT];
1517 
1518 	if (k->def) {
1519 		k->def_uni = true;
1520 		k->def_multi = true;
1521 	}
1522 	if (k->defmgmt)
1523 		k->def_multi = true;
1524 
1525 	if (info->attrs[NL80211_ATTR_KEY_TYPE])
1526 		k->type = nla_get_u32(info->attrs[NL80211_ATTR_KEY_TYPE]);
1527 
1528 	if (info->attrs[NL80211_ATTR_KEY_DEFAULT_TYPES]) {
1529 		struct nlattr *kdt[NUM_NL80211_KEY_DEFAULT_TYPES];
1530 		int err = nla_parse_nested_deprecated(kdt,
1531 						      NUM_NL80211_KEY_DEFAULT_TYPES - 1,
1532 						      info->attrs[NL80211_ATTR_KEY_DEFAULT_TYPES],
1533 						      nl80211_key_default_policy,
1534 						      info->extack);
1535 		if (err)
1536 			return err;
1537 
1538 		k->def_uni = kdt[NL80211_KEY_DEFAULT_TYPE_UNICAST];
1539 		k->def_multi = kdt[NL80211_KEY_DEFAULT_TYPE_MULTICAST];
1540 	}
1541 
1542 	return 0;
1543 }
1544 
1545 static int nl80211_parse_key(struct genl_info *info, struct key_parse *k)
1546 {
1547 	int err;
1548 
1549 	memset(k, 0, sizeof(*k));
1550 	k->idx = -1;
1551 	k->type = -1;
1552 
1553 	if (info->attrs[NL80211_ATTR_KEY])
1554 		err = nl80211_parse_key_new(info, info->attrs[NL80211_ATTR_KEY], k);
1555 	else
1556 		err = nl80211_parse_key_old(info, k);
1557 
1558 	if (err)
1559 		return err;
1560 
1561 	if ((k->def ? 1 : 0) + (k->defmgmt ? 1 : 0) +
1562 	    (k->defbeacon ? 1 : 0) > 1) {
1563 		GENL_SET_ERR_MSG(info,
1564 				 "key with multiple default flags is invalid");
1565 		return -EINVAL;
1566 	}
1567 
1568 	if (k->defmgmt || k->defbeacon) {
1569 		if (k->def_uni || !k->def_multi) {
1570 			GENL_SET_ERR_MSG(info,
1571 					 "defmgmt/defbeacon key must be mcast");
1572 			return -EINVAL;
1573 		}
1574 	}
1575 
1576 	if (k->idx != -1) {
1577 		if (k->defmgmt) {
1578 			if (k->idx < 4 || k->idx > 5) {
1579 				GENL_SET_ERR_MSG(info,
1580 						 "defmgmt key idx not 4 or 5");
1581 				return -EINVAL;
1582 			}
1583 		} else if (k->defbeacon) {
1584 			if (k->idx < 6 || k->idx > 7) {
1585 				GENL_SET_ERR_MSG(info,
1586 						 "defbeacon key idx not 6 or 7");
1587 				return -EINVAL;
1588 			}
1589 		} else if (k->def) {
1590 			if (k->idx < 0 || k->idx > 3) {
1591 				GENL_SET_ERR_MSG(info, "def key idx not 0-3");
1592 				return -EINVAL;
1593 			}
1594 		} else {
1595 			if (k->idx < 0 || k->idx > 7) {
1596 				GENL_SET_ERR_MSG(info, "key idx not 0-7");
1597 				return -EINVAL;
1598 			}
1599 		}
1600 	}
1601 
1602 	return 0;
1603 }
1604 
1605 static struct cfg80211_cached_keys *
1606 nl80211_parse_connkeys(struct cfg80211_registered_device *rdev,
1607 		       struct genl_info *info, bool *no_ht)
1608 {
1609 	struct nlattr *keys = info->attrs[NL80211_ATTR_KEYS];
1610 	struct key_parse parse;
1611 	struct nlattr *key;
1612 	struct cfg80211_cached_keys *result;
1613 	int rem, err, def = 0;
1614 	bool have_key = false;
1615 
1616 	nla_for_each_nested(key, keys, rem) {
1617 		have_key = true;
1618 		break;
1619 	}
1620 
1621 	if (!have_key)
1622 		return NULL;
1623 
1624 	result = kzalloc_obj(*result);
1625 	if (!result)
1626 		return ERR_PTR(-ENOMEM);
1627 
1628 	result->def = -1;
1629 
1630 	nla_for_each_nested(key, keys, rem) {
1631 		memset(&parse, 0, sizeof(parse));
1632 		parse.idx = -1;
1633 
1634 		err = nl80211_parse_key_new(info, key, &parse);
1635 		if (err)
1636 			goto error;
1637 		err = -EINVAL;
1638 		if (!parse.p.key)
1639 			goto error;
1640 		if (parse.idx < 0 || parse.idx > 3) {
1641 			GENL_SET_ERR_MSG(info, "key index out of range [0-3]");
1642 			goto error;
1643 		}
1644 		if (parse.def) {
1645 			if (def) {
1646 				GENL_SET_ERR_MSG(info,
1647 						 "only one key can be default");
1648 				goto error;
1649 			}
1650 			def = 1;
1651 			result->def = parse.idx;
1652 			if (!parse.def_uni || !parse.def_multi)
1653 				goto error;
1654 		} else if (parse.defmgmt)
1655 			goto error;
1656 		err = cfg80211_validate_key_settings(rdev, &parse.p,
1657 						     parse.idx, false, NULL);
1658 		if (err)
1659 			goto error;
1660 		if (parse.p.cipher != WLAN_CIPHER_SUITE_WEP40 &&
1661 		    parse.p.cipher != WLAN_CIPHER_SUITE_WEP104) {
1662 			GENL_SET_ERR_MSG(info, "connect key must be WEP");
1663 			err = -EINVAL;
1664 			goto error;
1665 		}
1666 		result->params[parse.idx].cipher = parse.p.cipher;
1667 		result->params[parse.idx].key_len = parse.p.key_len;
1668 		result->params[parse.idx].key = result->data[parse.idx];
1669 		memcpy(result->data[parse.idx], parse.p.key, parse.p.key_len);
1670 
1671 		/* must be WEP key if we got here */
1672 		if (no_ht)
1673 			*no_ht = true;
1674 	}
1675 
1676 	if (result->def < 0) {
1677 		err = -EINVAL;
1678 		GENL_SET_ERR_MSG(info, "need a default/TX key");
1679 		goto error;
1680 	}
1681 
1682 	return result;
1683  error:
1684 	kfree_sensitive(result);
1685 	return ERR_PTR(err);
1686 }
1687 
1688 static int nl80211_key_allowed(struct wireless_dev *wdev)
1689 {
1690 	lockdep_assert_wiphy(wdev->wiphy);
1691 
1692 	switch (wdev->iftype) {
1693 	case NL80211_IFTYPE_AP:
1694 	case NL80211_IFTYPE_AP_VLAN:
1695 	case NL80211_IFTYPE_P2P_GO:
1696 	case NL80211_IFTYPE_MESH_POINT:
1697 		break;
1698 	case NL80211_IFTYPE_ADHOC:
1699 		if (wdev->u.ibss.current_bss)
1700 			return 0;
1701 		return -ENOLINK;
1702 	case NL80211_IFTYPE_STATION:
1703 	case NL80211_IFTYPE_P2P_CLIENT:
1704 		if (wdev->connected ||
1705 		    (wiphy_ext_feature_isset(wdev->wiphy,
1706 					     NL80211_EXT_FEATURE_ASSOC_FRAME_ENCRYPTION)))
1707 			return 0;
1708 		return -ENOLINK;
1709 	case NL80211_IFTYPE_NAN:
1710 		if (wiphy_ext_feature_isset(wdev->wiphy,
1711 					    NL80211_EXT_FEATURE_SECURE_NAN))
1712 			return 0;
1713 		return -EINVAL;
1714 	case NL80211_IFTYPE_UNSPECIFIED:
1715 	case NL80211_IFTYPE_OCB:
1716 	case NL80211_IFTYPE_MONITOR:
1717 	case NL80211_IFTYPE_P2P_DEVICE:
1718 	case NL80211_IFTYPE_WDS:
1719 	case NUM_NL80211_IFTYPES:
1720 		return -EINVAL;
1721 	}
1722 
1723 	return 0;
1724 }
1725 
1726 static struct ieee80211_channel *nl80211_get_valid_chan(struct wiphy *wiphy,
1727 							u32 freq)
1728 {
1729 	struct ieee80211_channel *chan;
1730 
1731 	chan = ieee80211_get_channel_khz(wiphy, freq);
1732 	if (!chan || chan->flags & IEEE80211_CHAN_DISABLED)
1733 		return NULL;
1734 	return chan;
1735 }
1736 
1737 static int nl80211_put_iftypes(struct sk_buff *msg, u32 attr, u16 ifmodes)
1738 {
1739 	struct nlattr *nl_modes = nla_nest_start_noflag(msg, attr);
1740 	int i;
1741 
1742 	if (!nl_modes)
1743 		goto nla_put_failure;
1744 
1745 	i = 0;
1746 	while (ifmodes) {
1747 		if ((ifmodes & 1) && nla_put_flag(msg, i))
1748 			goto nla_put_failure;
1749 		ifmodes >>= 1;
1750 		i++;
1751 	}
1752 
1753 	nla_nest_end(msg, nl_modes);
1754 	return 0;
1755 
1756 nla_put_failure:
1757 	return -ENOBUFS;
1758 }
1759 
1760 static int nl80211_put_ifcomb_data(struct sk_buff *msg, bool large, int idx,
1761 				   const struct ieee80211_iface_combination *c,
1762 				   u16 nested)
1763 {
1764 	struct nlattr *nl_combi, *nl_limits;
1765 	int i;
1766 
1767 	nl_combi = nla_nest_start_noflag(msg, idx | nested);
1768 	if (!nl_combi)
1769 		goto nla_put_failure;
1770 
1771 	nl_limits = nla_nest_start_noflag(msg, NL80211_IFACE_COMB_LIMITS |
1772 					       nested);
1773 	if (!nl_limits)
1774 		goto nla_put_failure;
1775 
1776 	for (i = 0; i < c->n_limits; i++) {
1777 		struct nlattr *nl_limit;
1778 
1779 		nl_limit = nla_nest_start_noflag(msg, i + 1);
1780 		if (!nl_limit)
1781 			goto nla_put_failure;
1782 		if (nla_put_u32(msg, NL80211_IFACE_LIMIT_MAX, c->limits[i].max))
1783 			goto nla_put_failure;
1784 		if (nl80211_put_iftypes(msg, NL80211_IFACE_LIMIT_TYPES,
1785 					c->limits[i].types))
1786 			goto nla_put_failure;
1787 		nla_nest_end(msg, nl_limit);
1788 	}
1789 
1790 	nla_nest_end(msg, nl_limits);
1791 
1792 	if (c->beacon_int_infra_match &&
1793 	    nla_put_flag(msg, NL80211_IFACE_COMB_STA_AP_BI_MATCH))
1794 		goto nla_put_failure;
1795 	if (nla_put_u32(msg, NL80211_IFACE_COMB_NUM_CHANNELS,
1796 			c->num_different_channels) ||
1797 	    nla_put_u32(msg, NL80211_IFACE_COMB_MAXNUM,
1798 			c->max_interfaces))
1799 		goto nla_put_failure;
1800 	if (large &&
1801 	    (nla_put_u32(msg, NL80211_IFACE_COMB_RADAR_DETECT_WIDTHS,
1802 			c->radar_detect_widths) ||
1803 	     nla_put_u32(msg, NL80211_IFACE_COMB_RADAR_DETECT_REGIONS,
1804 			c->radar_detect_regions)))
1805 		goto nla_put_failure;
1806 	if (c->beacon_int_min_gcd &&
1807 	    nla_put_u32(msg, NL80211_IFACE_COMB_BI_MIN_GCD,
1808 			c->beacon_int_min_gcd))
1809 		goto nla_put_failure;
1810 
1811 	nla_nest_end(msg, nl_combi);
1812 
1813 	return 0;
1814 nla_put_failure:
1815 	return -ENOBUFS;
1816 }
1817 
1818 static int nl80211_put_iface_combinations(struct wiphy *wiphy,
1819 					  struct sk_buff *msg,
1820 					  int attr, int radio,
1821 					  bool large, u16 nested)
1822 {
1823 	const struct ieee80211_iface_combination *c;
1824 	struct nlattr *nl_combis;
1825 	int i, n;
1826 
1827 	nl_combis = nla_nest_start_noflag(msg, attr | nested);
1828 	if (!nl_combis)
1829 		goto nla_put_failure;
1830 
1831 	if (radio >= 0) {
1832 		c = wiphy->radio[0].iface_combinations;
1833 		n = wiphy->radio[0].n_iface_combinations;
1834 	} else {
1835 		c = wiphy->iface_combinations;
1836 		n = wiphy->n_iface_combinations;
1837 	}
1838 	for (i = 0; i < n; i++)
1839 		if (nl80211_put_ifcomb_data(msg, large, i + 1, &c[i], nested))
1840 			goto nla_put_failure;
1841 
1842 	nla_nest_end(msg, nl_combis);
1843 
1844 	return 0;
1845 nla_put_failure:
1846 	return -ENOBUFS;
1847 }
1848 
1849 #ifdef CONFIG_PM
1850 static int nl80211_send_wowlan_tcp_caps(struct cfg80211_registered_device *rdev,
1851 					struct sk_buff *msg)
1852 {
1853 	const struct wiphy_wowlan_tcp_support *tcp = rdev->wiphy.wowlan->tcp;
1854 	struct nlattr *nl_tcp;
1855 
1856 	if (!tcp)
1857 		return 0;
1858 
1859 	nl_tcp = nla_nest_start_noflag(msg,
1860 				       NL80211_WOWLAN_TRIG_TCP_CONNECTION);
1861 	if (!nl_tcp)
1862 		return -ENOBUFS;
1863 
1864 	if (nla_put_u32(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD,
1865 			tcp->data_payload_max))
1866 		return -ENOBUFS;
1867 
1868 	if (nla_put_u32(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD,
1869 			tcp->data_payload_max))
1870 		return -ENOBUFS;
1871 
1872 	if (tcp->seq && nla_put_flag(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ))
1873 		return -ENOBUFS;
1874 
1875 	if (tcp->tok && nla_put(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN,
1876 				sizeof(*tcp->tok), tcp->tok))
1877 		return -ENOBUFS;
1878 
1879 	if (nla_put_u32(msg, NL80211_WOWLAN_TCP_DATA_INTERVAL,
1880 			tcp->data_interval_max))
1881 		return -ENOBUFS;
1882 
1883 	if (nla_put_u32(msg, NL80211_WOWLAN_TCP_WAKE_PAYLOAD,
1884 			tcp->wake_payload_max))
1885 		return -ENOBUFS;
1886 
1887 	nla_nest_end(msg, nl_tcp);
1888 	return 0;
1889 }
1890 
1891 static int nl80211_send_wowlan(struct sk_buff *msg,
1892 			       struct cfg80211_registered_device *rdev,
1893 			       bool large)
1894 {
1895 	struct nlattr *nl_wowlan;
1896 
1897 	if (!rdev->wiphy.wowlan)
1898 		return 0;
1899 
1900 	nl_wowlan = nla_nest_start_noflag(msg,
1901 					  NL80211_ATTR_WOWLAN_TRIGGERS_SUPPORTED);
1902 	if (!nl_wowlan)
1903 		return -ENOBUFS;
1904 
1905 	if (((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_ANY) &&
1906 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_ANY)) ||
1907 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_DISCONNECT) &&
1908 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_DISCONNECT)) ||
1909 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_MAGIC_PKT) &&
1910 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_MAGIC_PKT)) ||
1911 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_SUPPORTS_GTK_REKEY) &&
1912 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_GTK_REKEY_SUPPORTED)) ||
1913 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_GTK_REKEY_FAILURE) &&
1914 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE)) ||
1915 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_EAP_IDENTITY_REQ) &&
1916 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST)) ||
1917 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_4WAY_HANDSHAKE) &&
1918 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE)) ||
1919 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_RFKILL_RELEASE) &&
1920 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_RFKILL_RELEASE)))
1921 		return -ENOBUFS;
1922 
1923 	if (rdev->wiphy.wowlan->n_patterns) {
1924 		struct nl80211_pattern_support pat = {
1925 			.max_patterns = rdev->wiphy.wowlan->n_patterns,
1926 			.min_pattern_len = rdev->wiphy.wowlan->pattern_min_len,
1927 			.max_pattern_len = rdev->wiphy.wowlan->pattern_max_len,
1928 			.max_pkt_offset = rdev->wiphy.wowlan->max_pkt_offset,
1929 		};
1930 
1931 		if (nla_put(msg, NL80211_WOWLAN_TRIG_PKT_PATTERN,
1932 			    sizeof(pat), &pat))
1933 			return -ENOBUFS;
1934 	}
1935 
1936 	if ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_NET_DETECT) &&
1937 	    nla_put_u32(msg, NL80211_WOWLAN_TRIG_NET_DETECT,
1938 			rdev->wiphy.wowlan->max_nd_match_sets))
1939 		return -ENOBUFS;
1940 
1941 	if (large && nl80211_send_wowlan_tcp_caps(rdev, msg))
1942 		return -ENOBUFS;
1943 
1944 	nla_nest_end(msg, nl_wowlan);
1945 
1946 	return 0;
1947 }
1948 #endif
1949 
1950 static int nl80211_send_coalesce(struct sk_buff *msg,
1951 				 struct cfg80211_registered_device *rdev)
1952 {
1953 	struct nl80211_coalesce_rule_support rule;
1954 
1955 	if (!rdev->wiphy.coalesce)
1956 		return 0;
1957 
1958 	rule.max_rules = rdev->wiphy.coalesce->n_rules;
1959 	rule.max_delay = rdev->wiphy.coalesce->max_delay;
1960 	rule.pat.max_patterns = rdev->wiphy.coalesce->n_patterns;
1961 	rule.pat.min_pattern_len = rdev->wiphy.coalesce->pattern_min_len;
1962 	rule.pat.max_pattern_len = rdev->wiphy.coalesce->pattern_max_len;
1963 	rule.pat.max_pkt_offset = rdev->wiphy.coalesce->max_pkt_offset;
1964 
1965 	if (nla_put(msg, NL80211_ATTR_COALESCE_RULE, sizeof(rule), &rule))
1966 		return -ENOBUFS;
1967 
1968 	return 0;
1969 }
1970 
1971 static int
1972 nl80211_send_iftype_data(struct sk_buff *msg,
1973 			 const struct ieee80211_supported_band *sband,
1974 			 const struct ieee80211_sband_iftype_data *iftdata)
1975 {
1976 	const struct ieee80211_sta_he_cap *he_cap = &iftdata->he_cap;
1977 	const struct ieee80211_sta_eht_cap *eht_cap = &iftdata->eht_cap;
1978 	const struct ieee80211_sta_uhr_cap *uhr_cap = &iftdata->uhr_cap;
1979 
1980 	if (nl80211_put_iftypes(msg, NL80211_BAND_IFTYPE_ATTR_IFTYPES,
1981 				iftdata->types_mask))
1982 		return -ENOBUFS;
1983 
1984 	if (he_cap->has_he) {
1985 		if (nla_put(msg, NL80211_BAND_IFTYPE_ATTR_HE_CAP_MAC,
1986 			    sizeof(he_cap->he_cap_elem.mac_cap_info),
1987 			    he_cap->he_cap_elem.mac_cap_info) ||
1988 		    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_HE_CAP_PHY,
1989 			    sizeof(he_cap->he_cap_elem.phy_cap_info),
1990 			    he_cap->he_cap_elem.phy_cap_info) ||
1991 		    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_HE_CAP_MCS_SET,
1992 			    sizeof(he_cap->he_mcs_nss_supp),
1993 			    &he_cap->he_mcs_nss_supp) ||
1994 		    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_HE_CAP_PPE,
1995 			    sizeof(he_cap->ppe_thres), he_cap->ppe_thres))
1996 			return -ENOBUFS;
1997 	}
1998 
1999 	if (eht_cap->has_eht && he_cap->has_he) {
2000 		u8 mcs_nss_size, ppe_thresh_size;
2001 		u16 ppe_thres_hdr;
2002 		bool is_ap;
2003 
2004 		is_ap = iftdata->types_mask & BIT(NL80211_IFTYPE_AP) ||
2005 			iftdata->types_mask & BIT(NL80211_IFTYPE_P2P_GO);
2006 
2007 		mcs_nss_size =
2008 			ieee80211_eht_mcs_nss_size(&he_cap->he_cap_elem,
2009 						   &eht_cap->eht_cap_elem,
2010 						   is_ap);
2011 
2012 		ppe_thres_hdr = get_unaligned_le16(&eht_cap->eht_ppe_thres[0]);
2013 		ppe_thresh_size =
2014 			ieee80211_eht_ppe_size(ppe_thres_hdr,
2015 					       eht_cap->eht_cap_elem.phy_cap_info);
2016 
2017 		if (nla_put(msg, NL80211_BAND_IFTYPE_ATTR_EHT_CAP_MAC,
2018 			    sizeof(eht_cap->eht_cap_elem.mac_cap_info),
2019 			    eht_cap->eht_cap_elem.mac_cap_info) ||
2020 		    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_EHT_CAP_PHY,
2021 			    sizeof(eht_cap->eht_cap_elem.phy_cap_info),
2022 			    eht_cap->eht_cap_elem.phy_cap_info) ||
2023 		    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_EHT_CAP_MCS_SET,
2024 			    mcs_nss_size, &eht_cap->eht_mcs_nss_supp) ||
2025 		    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_EHT_CAP_PPE,
2026 			    ppe_thresh_size, eht_cap->eht_ppe_thres))
2027 			return -ENOBUFS;
2028 	}
2029 
2030 	if (uhr_cap->has_uhr) {
2031 		if (nla_put(msg, NL80211_BAND_IFTYPE_ATTR_UHR_CAP_MAC,
2032 			    sizeof(uhr_cap->mac), &uhr_cap->mac) ||
2033 		    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_UHR_CAP_PHY,
2034 			    sizeof(uhr_cap->phy), &uhr_cap->phy))
2035 			return -ENOBUFS;
2036 	}
2037 
2038 	if (sband->band == NL80211_BAND_6GHZ &&
2039 	    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_HE_6GHZ_CAPA,
2040 		    sizeof(iftdata->he_6ghz_capa),
2041 		    &iftdata->he_6ghz_capa))
2042 		return -ENOBUFS;
2043 
2044 	if (iftdata->vendor_elems.data && iftdata->vendor_elems.len &&
2045 	    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_VENDOR_ELEMS,
2046 		    iftdata->vendor_elems.len, iftdata->vendor_elems.data))
2047 		return -ENOBUFS;
2048 
2049 	return 0;
2050 }
2051 
2052 static int nl80211_send_band_rateinfo(struct sk_buff *msg,
2053 				      struct ieee80211_supported_band *sband,
2054 				      bool large)
2055 {
2056 	struct nlattr *nl_rates, *nl_rate;
2057 	struct ieee80211_rate *rate;
2058 	int i;
2059 
2060 	/* add HT info */
2061 	if (sband->ht_cap.ht_supported &&
2062 	    (nla_put(msg, NL80211_BAND_ATTR_HT_MCS_SET,
2063 		     sizeof(sband->ht_cap.mcs),
2064 		     &sband->ht_cap.mcs) ||
2065 	     nla_put_u16(msg, NL80211_BAND_ATTR_HT_CAPA,
2066 			 sband->ht_cap.cap) ||
2067 	     nla_put_u8(msg, NL80211_BAND_ATTR_HT_AMPDU_FACTOR,
2068 			sband->ht_cap.ampdu_factor) ||
2069 	     nla_put_u8(msg, NL80211_BAND_ATTR_HT_AMPDU_DENSITY,
2070 			sband->ht_cap.ampdu_density)))
2071 		return -ENOBUFS;
2072 
2073 	/* add VHT info */
2074 	if (sband->vht_cap.vht_supported &&
2075 	    (nla_put(msg, NL80211_BAND_ATTR_VHT_MCS_SET,
2076 		     sizeof(sband->vht_cap.vht_mcs),
2077 		     &sband->vht_cap.vht_mcs) ||
2078 	     nla_put_u32(msg, NL80211_BAND_ATTR_VHT_CAPA,
2079 			 sband->vht_cap.cap)))
2080 		return -ENOBUFS;
2081 
2082 	if (large && sband->n_iftype_data) {
2083 		struct nlattr *nl_iftype_data =
2084 			nla_nest_start_noflag(msg,
2085 					      NL80211_BAND_ATTR_IFTYPE_DATA);
2086 		const struct ieee80211_sband_iftype_data *iftd;
2087 		int err;
2088 
2089 		if (!nl_iftype_data)
2090 			return -ENOBUFS;
2091 
2092 		for_each_sband_iftype_data(sband, i, iftd) {
2093 			struct nlattr *iftdata;
2094 
2095 			iftdata = nla_nest_start_noflag(msg, i + 1);
2096 			if (!iftdata)
2097 				return -ENOBUFS;
2098 
2099 			err = nl80211_send_iftype_data(msg, sband, iftd);
2100 			if (err)
2101 				return err;
2102 
2103 			nla_nest_end(msg, iftdata);
2104 		}
2105 
2106 		nla_nest_end(msg, nl_iftype_data);
2107 	}
2108 
2109 	/* add EDMG info */
2110 	if (large && sband->edmg_cap.channels &&
2111 	    (nla_put_u8(msg, NL80211_BAND_ATTR_EDMG_CHANNELS,
2112 		       sband->edmg_cap.channels) ||
2113 	    nla_put_u8(msg, NL80211_BAND_ATTR_EDMG_BW_CONFIG,
2114 		       sband->edmg_cap.bw_config)))
2115 
2116 		return -ENOBUFS;
2117 
2118 	/* add bitrates */
2119 	nl_rates = nla_nest_start_noflag(msg, NL80211_BAND_ATTR_RATES);
2120 	if (!nl_rates)
2121 		return -ENOBUFS;
2122 
2123 	for (i = 0; i < sband->n_bitrates; i++) {
2124 		nl_rate = nla_nest_start_noflag(msg, i);
2125 		if (!nl_rate)
2126 			return -ENOBUFS;
2127 
2128 		rate = &sband->bitrates[i];
2129 		if (nla_put_u32(msg, NL80211_BITRATE_ATTR_RATE,
2130 				rate->bitrate))
2131 			return -ENOBUFS;
2132 		if ((rate->flags & IEEE80211_RATE_SHORT_PREAMBLE) &&
2133 		    nla_put_flag(msg,
2134 				 NL80211_BITRATE_ATTR_2GHZ_SHORTPREAMBLE))
2135 			return -ENOBUFS;
2136 
2137 		nla_nest_end(msg, nl_rate);
2138 	}
2139 
2140 	nla_nest_end(msg, nl_rates);
2141 
2142 	/* S1G capabilities */
2143 	if (sband->band == NL80211_BAND_S1GHZ && sband->s1g_cap.s1g &&
2144 	    (nla_put(msg, NL80211_BAND_ATTR_S1G_CAPA,
2145 		     sizeof(sband->s1g_cap.cap),
2146 		     sband->s1g_cap.cap) ||
2147 	     nla_put(msg, NL80211_BAND_ATTR_S1G_MCS_NSS_SET,
2148 		     sizeof(sband->s1g_cap.nss_mcs),
2149 		     sband->s1g_cap.nss_mcs)))
2150 		return -ENOBUFS;
2151 
2152 	return 0;
2153 }
2154 
2155 static int
2156 nl80211_send_mgmt_stypes(struct sk_buff *msg,
2157 			 const struct ieee80211_txrx_stypes *mgmt_stypes)
2158 {
2159 	u16 stypes;
2160 	struct nlattr *nl_ftypes, *nl_ifs;
2161 	enum nl80211_iftype ift;
2162 	int i;
2163 
2164 	if (!mgmt_stypes)
2165 		return 0;
2166 
2167 	nl_ifs = nla_nest_start_noflag(msg, NL80211_ATTR_TX_FRAME_TYPES);
2168 	if (!nl_ifs)
2169 		return -ENOBUFS;
2170 
2171 	for (ift = 0; ift < NUM_NL80211_IFTYPES; ift++) {
2172 		nl_ftypes = nla_nest_start_noflag(msg, ift);
2173 		if (!nl_ftypes)
2174 			return -ENOBUFS;
2175 		i = 0;
2176 		stypes = mgmt_stypes[ift].tx;
2177 		while (stypes) {
2178 			if ((stypes & 1) &&
2179 			    nla_put_u16(msg, NL80211_ATTR_FRAME_TYPE,
2180 					(i << 4) | IEEE80211_FTYPE_MGMT))
2181 				return -ENOBUFS;
2182 			stypes >>= 1;
2183 			i++;
2184 		}
2185 		nla_nest_end(msg, nl_ftypes);
2186 	}
2187 
2188 	nla_nest_end(msg, nl_ifs);
2189 
2190 	nl_ifs = nla_nest_start_noflag(msg, NL80211_ATTR_RX_FRAME_TYPES);
2191 	if (!nl_ifs)
2192 		return -ENOBUFS;
2193 
2194 	for (ift = 0; ift < NUM_NL80211_IFTYPES; ift++) {
2195 		nl_ftypes = nla_nest_start_noflag(msg, ift);
2196 		if (!nl_ftypes)
2197 			return -ENOBUFS;
2198 		i = 0;
2199 		stypes = mgmt_stypes[ift].rx;
2200 		while (stypes) {
2201 			if ((stypes & 1) &&
2202 			    nla_put_u16(msg, NL80211_ATTR_FRAME_TYPE,
2203 					(i << 4) | IEEE80211_FTYPE_MGMT))
2204 				return -ENOBUFS;
2205 			stypes >>= 1;
2206 			i++;
2207 		}
2208 		nla_nest_end(msg, nl_ftypes);
2209 	}
2210 	nla_nest_end(msg, nl_ifs);
2211 
2212 	return 0;
2213 }
2214 
2215 #define CMD(op, n)							\
2216 	 do {								\
2217 		if (rdev->ops->op) {					\
2218 			i++;						\
2219 			if (nla_put_u32(msg, i, NL80211_CMD_ ## n)) 	\
2220 				goto nla_put_failure;			\
2221 		}							\
2222 	} while (0)
2223 
2224 static int nl80211_add_commands_unsplit(struct cfg80211_registered_device *rdev,
2225 					struct sk_buff *msg)
2226 {
2227 	int i = 0;
2228 
2229 	/*
2230 	 * do *NOT* add anything into this function, new things need to be
2231 	 * advertised only to new versions of userspace that can deal with
2232 	 * the split (and they can't possibly care about new features...
2233 	 */
2234 	CMD(add_virtual_intf, NEW_INTERFACE);
2235 	CMD(change_virtual_intf, SET_INTERFACE);
2236 	CMD(add_key, NEW_KEY);
2237 	CMD(start_ap, START_AP);
2238 	CMD(add_station, NEW_STATION);
2239 	CMD(add_mpath, NEW_MPATH);
2240 	CMD(update_mesh_config, SET_MESH_CONFIG);
2241 	CMD(change_bss, SET_BSS);
2242 	CMD(auth, AUTHENTICATE);
2243 	CMD(assoc, ASSOCIATE);
2244 	CMD(deauth, DEAUTHENTICATE);
2245 	CMD(disassoc, DISASSOCIATE);
2246 	CMD(join_ibss, JOIN_IBSS);
2247 	CMD(join_mesh, JOIN_MESH);
2248 	CMD(set_pmksa, SET_PMKSA);
2249 	CMD(del_pmksa, DEL_PMKSA);
2250 	CMD(flush_pmksa, FLUSH_PMKSA);
2251 	if (rdev->wiphy.flags & WIPHY_FLAG_HAS_REMAIN_ON_CHANNEL)
2252 		CMD(remain_on_channel, REMAIN_ON_CHANNEL);
2253 	CMD(set_bitrate_mask, SET_TX_BITRATE_MASK);
2254 	CMD(mgmt_tx, FRAME);
2255 	CMD(mgmt_tx_cancel_wait, FRAME_WAIT_CANCEL);
2256 	if (rdev->wiphy.flags & WIPHY_FLAG_NETNS_OK) {
2257 		i++;
2258 		if (nla_put_u32(msg, i, NL80211_CMD_SET_WIPHY_NETNS))
2259 			goto nla_put_failure;
2260 	}
2261 	if (rdev->ops->set_monitor_channel || rdev->ops->start_ap ||
2262 	    rdev->ops->join_mesh) {
2263 		i++;
2264 		if (nla_put_u32(msg, i, NL80211_CMD_SET_CHANNEL))
2265 			goto nla_put_failure;
2266 	}
2267 	if (rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) {
2268 		CMD(tdls_mgmt, TDLS_MGMT);
2269 		CMD(tdls_oper, TDLS_OPER);
2270 	}
2271 	if (rdev->wiphy.max_sched_scan_reqs)
2272 		CMD(sched_scan_start, START_SCHED_SCAN);
2273 	CMD(probe_client, PROBE_CLIENT);
2274 	CMD(set_noack_map, SET_NOACK_MAP);
2275 	if (rdev->wiphy.flags & WIPHY_FLAG_REPORTS_OBSS) {
2276 		i++;
2277 		if (nla_put_u32(msg, i, NL80211_CMD_REGISTER_BEACONS))
2278 			goto nla_put_failure;
2279 	}
2280 	CMD(start_p2p_device, START_P2P_DEVICE);
2281 	CMD(set_mcast_rate, SET_MCAST_RATE);
2282 #ifdef CONFIG_NL80211_TESTMODE
2283 	CMD(testmode_cmd, TESTMODE);
2284 #endif
2285 
2286 	if (rdev->ops->connect || rdev->ops->auth) {
2287 		i++;
2288 		if (nla_put_u32(msg, i, NL80211_CMD_CONNECT))
2289 			goto nla_put_failure;
2290 	}
2291 
2292 	if (rdev->ops->disconnect || rdev->ops->deauth) {
2293 		i++;
2294 		if (nla_put_u32(msg, i, NL80211_CMD_DISCONNECT))
2295 			goto nla_put_failure;
2296 	}
2297 
2298 	return i;
2299  nla_put_failure:
2300 	return -ENOBUFS;
2301 }
2302 
2303 static int
2304 nl80211_send_pmsr_ftm_capa(const struct cfg80211_pmsr_capabilities *cap,
2305 			   struct sk_buff *msg)
2306 {
2307 	struct nlattr *ftm;
2308 
2309 	if (!cap->ftm.supported)
2310 		return 0;
2311 
2312 	ftm = nla_nest_start_noflag(msg, NL80211_PMSR_TYPE_FTM);
2313 	if (!ftm)
2314 		return -ENOBUFS;
2315 
2316 	if (cap->ftm.asap && nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_ASAP))
2317 		return -ENOBUFS;
2318 	if (cap->ftm.non_asap &&
2319 	    nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_NON_ASAP))
2320 		return -ENOBUFS;
2321 	if (cap->ftm.request_lci &&
2322 	    nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_REQ_LCI))
2323 		return -ENOBUFS;
2324 	if (cap->ftm.request_civicloc &&
2325 	    nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_REQ_CIVICLOC))
2326 		return -ENOBUFS;
2327 	if (nla_put_u32(msg, NL80211_PMSR_FTM_CAPA_ATTR_PREAMBLES,
2328 			cap->ftm.preambles))
2329 		return -ENOBUFS;
2330 	if (nla_put_u32(msg, NL80211_PMSR_FTM_CAPA_ATTR_BANDWIDTHS,
2331 			cap->ftm.bandwidths))
2332 		return -ENOBUFS;
2333 	if (cap->ftm.max_bursts_exponent >= 0 &&
2334 	    nla_put_u32(msg, NL80211_PMSR_FTM_CAPA_ATTR_MAX_BURSTS_EXPONENT,
2335 			cap->ftm.max_bursts_exponent))
2336 		return -ENOBUFS;
2337 	if (cap->ftm.max_ftms_per_burst &&
2338 	    nla_put_u32(msg, NL80211_PMSR_FTM_CAPA_ATTR_MAX_FTMS_PER_BURST,
2339 			cap->ftm.max_ftms_per_burst))
2340 		return -ENOBUFS;
2341 	if (cap->ftm.trigger_based &&
2342 	    nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_TRIGGER_BASED))
2343 		return -ENOBUFS;
2344 	if (cap->ftm.non_trigger_based &&
2345 	    nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_NON_TRIGGER_BASED))
2346 		return -ENOBUFS;
2347 	if (cap->ftm.support_6ghz &&
2348 	    nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_6GHZ_SUPPORT))
2349 		return -ENOBUFS;
2350 	if (nla_put_u32(msg, NL80211_PMSR_FTM_CAPA_ATTR_MAX_TX_LTF_REP,
2351 			cap->ftm.max_tx_ltf_rep))
2352 		return -ENOBUFS;
2353 	if (nla_put_u32(msg, NL80211_PMSR_FTM_CAPA_ATTR_MAX_RX_LTF_REP,
2354 			cap->ftm.max_rx_ltf_rep))
2355 		return -ENOBUFS;
2356 	if (nla_put_u32(msg, NL80211_PMSR_FTM_CAPA_ATTR_MAX_TX_STS,
2357 			cap->ftm.max_tx_sts))
2358 		return -ENOBUFS;
2359 	if (nla_put_u32(msg, NL80211_PMSR_FTM_CAPA_ATTR_MAX_RX_STS,
2360 			cap->ftm.max_rx_sts))
2361 		return -ENOBUFS;
2362 	if (cap->ftm.max_total_ltf_tx > 0 &&
2363 	    nla_put_u32(msg, NL80211_PMSR_FTM_CAPA_ATTR_MAX_TOTAL_LTF_TX,
2364 			cap->ftm.max_total_ltf_tx))
2365 		return -ENOBUFS;
2366 	if (cap->ftm.max_total_ltf_rx > 0 &&
2367 	    nla_put_u32(msg, NL80211_PMSR_FTM_CAPA_ATTR_MAX_TOTAL_LTF_RX,
2368 			cap->ftm.max_total_ltf_rx))
2369 		return -ENOBUFS;
2370 	if (cap->ftm.support_rsta &&
2371 	    nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_RSTA_SUPPORT))
2372 		return -ENOBUFS;
2373 
2374 	nla_nest_end(msg, ftm);
2375 	return 0;
2376 }
2377 
2378 static int nl80211_send_pmsr_capa(struct cfg80211_registered_device *rdev,
2379 				  struct sk_buff *msg)
2380 {
2381 	const struct cfg80211_pmsr_capabilities *cap = rdev->wiphy.pmsr_capa;
2382 	struct nlattr *pmsr, *caps;
2383 
2384 	if (!cap)
2385 		return 0;
2386 
2387 	/*
2388 	 * we don't need to clean up anything here since the caller
2389 	 * will genlmsg_cancel() if we fail
2390 	 */
2391 
2392 	pmsr = nla_nest_start_noflag(msg, NL80211_ATTR_PEER_MEASUREMENTS);
2393 	if (!pmsr)
2394 		return -ENOBUFS;
2395 
2396 	if (nla_put_u32(msg, NL80211_PMSR_ATTR_MAX_PEERS, cap->max_peers))
2397 		return -ENOBUFS;
2398 
2399 	if (cap->report_ap_tsf &&
2400 	    nla_put_flag(msg, NL80211_PMSR_ATTR_REPORT_AP_TSF))
2401 		return -ENOBUFS;
2402 
2403 	if (cap->randomize_mac_addr &&
2404 	    nla_put_flag(msg, NL80211_PMSR_ATTR_RANDOMIZE_MAC_ADDR))
2405 		return -ENOBUFS;
2406 
2407 	caps = nla_nest_start_noflag(msg, NL80211_PMSR_ATTR_TYPE_CAPA);
2408 	if (!caps)
2409 		return -ENOBUFS;
2410 
2411 	if (nl80211_send_pmsr_ftm_capa(cap, msg))
2412 		return -ENOBUFS;
2413 
2414 	nla_nest_end(msg, caps);
2415 	nla_nest_end(msg, pmsr);
2416 
2417 	return 0;
2418 }
2419 
2420 static int
2421 nl80211_put_iftype_akm_suites(struct cfg80211_registered_device *rdev,
2422 			      struct sk_buff *msg)
2423 {
2424 	int i;
2425 	struct nlattr *nested, *nested_akms;
2426 	const struct wiphy_iftype_akm_suites *iftype_akms;
2427 
2428 	if (!rdev->wiphy.num_iftype_akm_suites ||
2429 	    !rdev->wiphy.iftype_akm_suites)
2430 		return 0;
2431 
2432 	nested = nla_nest_start(msg, NL80211_ATTR_IFTYPE_AKM_SUITES);
2433 	if (!nested)
2434 		return -ENOBUFS;
2435 
2436 	for (i = 0; i < rdev->wiphy.num_iftype_akm_suites; i++) {
2437 		nested_akms = nla_nest_start(msg, i + 1);
2438 		if (!nested_akms)
2439 			return -ENOBUFS;
2440 
2441 		iftype_akms = &rdev->wiphy.iftype_akm_suites[i];
2442 
2443 		if (nl80211_put_iftypes(msg, NL80211_IFTYPE_AKM_ATTR_IFTYPES,
2444 					iftype_akms->iftypes_mask))
2445 			return -ENOBUFS;
2446 
2447 		if (nla_put(msg, NL80211_IFTYPE_AKM_ATTR_SUITES,
2448 			    sizeof(u32) * iftype_akms->n_akm_suites,
2449 			    iftype_akms->akm_suites)) {
2450 			return -ENOBUFS;
2451 		}
2452 		nla_nest_end(msg, nested_akms);
2453 	}
2454 
2455 	nla_nest_end(msg, nested);
2456 
2457 	return 0;
2458 }
2459 
2460 static int
2461 nl80211_put_tid_config_support(struct cfg80211_registered_device *rdev,
2462 			       struct sk_buff *msg)
2463 {
2464 	struct nlattr *supp;
2465 
2466 	if (!rdev->wiphy.tid_config_support.vif &&
2467 	    !rdev->wiphy.tid_config_support.peer)
2468 		return 0;
2469 
2470 	supp = nla_nest_start(msg, NL80211_ATTR_TID_CONFIG);
2471 	if (!supp)
2472 		return -ENOSPC;
2473 
2474 	if (rdev->wiphy.tid_config_support.vif &&
2475 	    nla_put_u64_64bit(msg, NL80211_TID_CONFIG_ATTR_VIF_SUPP,
2476 			      rdev->wiphy.tid_config_support.vif,
2477 			      NL80211_TID_CONFIG_ATTR_PAD))
2478 		goto fail;
2479 
2480 	if (rdev->wiphy.tid_config_support.peer &&
2481 	    nla_put_u64_64bit(msg, NL80211_TID_CONFIG_ATTR_PEER_SUPP,
2482 			      rdev->wiphy.tid_config_support.peer,
2483 			      NL80211_TID_CONFIG_ATTR_PAD))
2484 		goto fail;
2485 
2486 	/* for now we just use the same value ... makes more sense */
2487 	if (nla_put_u8(msg, NL80211_TID_CONFIG_ATTR_RETRY_SHORT,
2488 		       rdev->wiphy.tid_config_support.max_retry))
2489 		goto fail;
2490 	if (nla_put_u8(msg, NL80211_TID_CONFIG_ATTR_RETRY_LONG,
2491 		       rdev->wiphy.tid_config_support.max_retry))
2492 		goto fail;
2493 
2494 	nla_nest_end(msg, supp);
2495 
2496 	return 0;
2497 fail:
2498 	nla_nest_cancel(msg, supp);
2499 	return -ENOBUFS;
2500 }
2501 
2502 static int
2503 nl80211_put_sar_specs(struct cfg80211_registered_device *rdev,
2504 		      struct sk_buff *msg)
2505 {
2506 	struct nlattr *sar_capa, *specs, *sub_freq_range;
2507 	u8 num_freq_ranges;
2508 	int i;
2509 
2510 	if (!rdev->wiphy.sar_capa)
2511 		return 0;
2512 
2513 	num_freq_ranges = rdev->wiphy.sar_capa->num_freq_ranges;
2514 
2515 	sar_capa = nla_nest_start(msg, NL80211_ATTR_SAR_SPEC);
2516 	if (!sar_capa)
2517 		return -ENOSPC;
2518 
2519 	if (nla_put_u32(msg, NL80211_SAR_ATTR_TYPE, rdev->wiphy.sar_capa->type))
2520 		goto fail;
2521 
2522 	specs = nla_nest_start(msg, NL80211_SAR_ATTR_SPECS);
2523 	if (!specs)
2524 		goto fail;
2525 
2526 	/* report supported freq_ranges */
2527 	for (i = 0; i < num_freq_ranges; i++) {
2528 		sub_freq_range = nla_nest_start(msg, i + 1);
2529 		if (!sub_freq_range)
2530 			goto fail;
2531 
2532 		if (nla_put_u32(msg, NL80211_SAR_ATTR_SPECS_START_FREQ,
2533 				rdev->wiphy.sar_capa->freq_ranges[i].start_freq))
2534 			goto fail;
2535 
2536 		if (nla_put_u32(msg, NL80211_SAR_ATTR_SPECS_END_FREQ,
2537 				rdev->wiphy.sar_capa->freq_ranges[i].end_freq))
2538 			goto fail;
2539 
2540 		nla_nest_end(msg, sub_freq_range);
2541 	}
2542 
2543 	nla_nest_end(msg, specs);
2544 	nla_nest_end(msg, sar_capa);
2545 
2546 	return 0;
2547 fail:
2548 	nla_nest_cancel(msg, sar_capa);
2549 	return -ENOBUFS;
2550 }
2551 
2552 static int nl80211_put_mbssid_support(struct wiphy *wiphy, struct sk_buff *msg)
2553 {
2554 	struct nlattr *config;
2555 
2556 	if (!wiphy->mbssid_max_interfaces)
2557 		return 0;
2558 
2559 	config = nla_nest_start(msg, NL80211_ATTR_MBSSID_CONFIG);
2560 	if (!config)
2561 		return -ENOBUFS;
2562 
2563 	if (nla_put_u8(msg, NL80211_MBSSID_CONFIG_ATTR_MAX_INTERFACES,
2564 		       wiphy->mbssid_max_interfaces))
2565 		goto fail;
2566 
2567 	if (wiphy->ema_max_profile_periodicity &&
2568 	    nla_put_u8(msg,
2569 		       NL80211_MBSSID_CONFIG_ATTR_MAX_EMA_PROFILE_PERIODICITY,
2570 		       wiphy->ema_max_profile_periodicity))
2571 		goto fail;
2572 
2573 	nla_nest_end(msg, config);
2574 	return 0;
2575 
2576 fail:
2577 	nla_nest_cancel(msg, config);
2578 	return -ENOBUFS;
2579 }
2580 
2581 static int nl80211_put_radio(struct wiphy *wiphy, struct sk_buff *msg, int idx)
2582 {
2583 	const struct wiphy_radio *r = &wiphy->radio[idx];
2584 	const struct wiphy_radio_cfg *rcfg = &wiphy->radio_cfg[idx];
2585 	struct nlattr *radio, *freq;
2586 	int i;
2587 
2588 	radio = nla_nest_start(msg, idx);
2589 	if (!radio)
2590 		return -ENOBUFS;
2591 
2592 	if (nla_put_u32(msg, NL80211_WIPHY_RADIO_ATTR_INDEX, idx))
2593 		goto nla_put_failure;
2594 
2595 	if (rcfg->rts_threshold &&
2596 	    nla_put_u32(msg, NL80211_WIPHY_RADIO_ATTR_RTS_THRESHOLD,
2597 			rcfg->rts_threshold))
2598 		goto nla_put_failure;
2599 
2600 	if (r->antenna_mask &&
2601 	    nla_put_u32(msg, NL80211_WIPHY_RADIO_ATTR_ANTENNA_MASK,
2602 			r->antenna_mask))
2603 		goto nla_put_failure;
2604 
2605 	for (i = 0; i < r->n_freq_range; i++) {
2606 		const struct wiphy_radio_freq_range *range = &r->freq_range[i];
2607 
2608 		freq = nla_nest_start(msg, NL80211_WIPHY_RADIO_ATTR_FREQ_RANGE);
2609 		if (!freq)
2610 			goto nla_put_failure;
2611 
2612 		if (nla_put_u32(msg, NL80211_WIPHY_RADIO_FREQ_ATTR_START,
2613 				range->start_freq) ||
2614 		    nla_put_u32(msg, NL80211_WIPHY_RADIO_FREQ_ATTR_END,
2615 				range->end_freq))
2616 			goto nla_put_failure;
2617 
2618 		nla_nest_end(msg, freq);
2619 	}
2620 
2621 	for (i = 0; i < r->n_iface_combinations; i++)
2622 		if (nl80211_put_ifcomb_data(msg, true,
2623 					    NL80211_WIPHY_RADIO_ATTR_INTERFACE_COMBINATION,
2624 					    &r->iface_combinations[i],
2625 					    NLA_F_NESTED))
2626 			goto nla_put_failure;
2627 
2628 	nla_nest_end(msg, radio);
2629 
2630 	return 0;
2631 
2632 nla_put_failure:
2633 	return -ENOBUFS;
2634 }
2635 
2636 static int nl80211_put_radios(struct wiphy *wiphy, struct sk_buff *msg)
2637 {
2638 	struct nlattr *radios;
2639 	int i;
2640 
2641 	if (!wiphy->n_radio)
2642 		return 0;
2643 
2644 	radios = nla_nest_start(msg, NL80211_ATTR_WIPHY_RADIOS);
2645 	if (!radios)
2646 		return -ENOBUFS;
2647 
2648 	for (i = 0; i < wiphy->n_radio; i++)
2649 		if (nl80211_put_radio(wiphy, msg, i))
2650 			goto fail;
2651 
2652 	nla_nest_end(msg, radios);
2653 
2654 	if (nl80211_put_iface_combinations(wiphy, msg,
2655 					   NL80211_ATTR_WIPHY_INTERFACE_COMBINATIONS,
2656 					   -1, true, NLA_F_NESTED))
2657 		return -ENOBUFS;
2658 
2659 	return 0;
2660 
2661 fail:
2662 	nla_nest_cancel(msg, radios);
2663 	return -ENOBUFS;
2664 }
2665 
2666 static int nl80211_put_nan_capa(struct wiphy *wiphy, struct sk_buff *msg)
2667 {
2668 	struct nlattr *nan_caps;
2669 
2670 	nan_caps = nla_nest_start(msg, NL80211_ATTR_NAN_CAPABILITIES);
2671 	if (!nan_caps)
2672 		return -ENOBUFS;
2673 
2674 	if (wiphy->nan_capa.flags & WIPHY_NAN_FLAGS_CONFIGURABLE_SYNC &&
2675 	    nla_put_flag(msg, NL80211_NAN_CAPA_CONFIGURABLE_SYNC))
2676 		goto fail;
2677 
2678 	if ((wiphy->nan_capa.flags & WIPHY_NAN_FLAGS_USERSPACE_DE) &&
2679 	    nla_put_flag(msg, NL80211_NAN_CAPA_USERSPACE_DE))
2680 		goto fail;
2681 
2682 	if (nla_put_u8(msg, NL80211_NAN_CAPA_OP_MODE,
2683 		       wiphy->nan_capa.op_mode) ||
2684 	    nla_put_u8(msg, NL80211_NAN_CAPA_NUM_ANTENNAS,
2685 		       wiphy->nan_capa.n_antennas) ||
2686 	    nla_put_u16(msg, NL80211_NAN_CAPA_MAX_CHANNEL_SWITCH_TIME,
2687 			wiphy->nan_capa.max_channel_switch_time) ||
2688 	    nla_put_u8(msg, NL80211_NAN_CAPA_CAPABILITIES,
2689 		       wiphy->nan_capa.dev_capabilities))
2690 		goto fail;
2691 
2692 	nla_nest_end(msg, nan_caps);
2693 
2694 	return 0;
2695 
2696 fail:
2697 	nla_nest_cancel(msg, nan_caps);
2698 	return -ENOBUFS;
2699 }
2700 
2701 struct nl80211_dump_wiphy_state {
2702 	s64 filter_wiphy;
2703 	long start;
2704 	long split_start, band_start, chan_start, capa_start;
2705 	bool split;
2706 };
2707 
2708 static int nl80211_send_wiphy(struct cfg80211_registered_device *rdev,
2709 			      enum nl80211_commands cmd,
2710 			      struct sk_buff *msg, u32 portid, u32 seq,
2711 			      int flags, struct nl80211_dump_wiphy_state *state)
2712 {
2713 	void *hdr;
2714 	struct nlattr *nl_bands, *nl_band;
2715 	struct nlattr *nl_freqs, *nl_freq;
2716 	struct nlattr *nl_cmds;
2717 	enum nl80211_band band;
2718 	struct ieee80211_channel *chan;
2719 	int i;
2720 	const struct ieee80211_txrx_stypes *mgmt_stypes =
2721 				rdev->wiphy.mgmt_stypes;
2722 	u32 features;
2723 
2724 	hdr = nl80211hdr_put(msg, portid, seq, flags, cmd);
2725 	if (!hdr)
2726 		return -ENOBUFS;
2727 
2728 	if (WARN_ON(!state))
2729 		return -EINVAL;
2730 
2731 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
2732 	    nla_put_string(msg, NL80211_ATTR_WIPHY_NAME,
2733 			   wiphy_name(&rdev->wiphy)) ||
2734 	    nla_put_u32(msg, NL80211_ATTR_GENERATION,
2735 			cfg80211_rdev_list_generation))
2736 		goto nla_put_failure;
2737 
2738 	if (cmd != NL80211_CMD_NEW_WIPHY)
2739 		goto finish;
2740 
2741 	switch (state->split_start) {
2742 	case 0:
2743 		if (nla_put_u8(msg, NL80211_ATTR_WIPHY_RETRY_SHORT,
2744 			       rdev->wiphy.retry_short) ||
2745 		    nla_put_u8(msg, NL80211_ATTR_WIPHY_RETRY_LONG,
2746 			       rdev->wiphy.retry_long) ||
2747 		    nla_put_u32(msg, NL80211_ATTR_WIPHY_FRAG_THRESHOLD,
2748 				rdev->wiphy.frag_threshold) ||
2749 		    nla_put_u32(msg, NL80211_ATTR_WIPHY_RTS_THRESHOLD,
2750 				rdev->wiphy.rts_threshold) ||
2751 		    nla_put_u8(msg, NL80211_ATTR_WIPHY_COVERAGE_CLASS,
2752 			       rdev->wiphy.coverage_class) ||
2753 		    nla_put_u8(msg, NL80211_ATTR_MAX_NUM_SCAN_SSIDS,
2754 			       rdev->wiphy.max_scan_ssids) ||
2755 		    nla_put_u8(msg, NL80211_ATTR_MAX_NUM_SCHED_SCAN_SSIDS,
2756 			       rdev->wiphy.max_sched_scan_ssids) ||
2757 		    nla_put_u16(msg, NL80211_ATTR_MAX_SCAN_IE_LEN,
2758 				rdev->wiphy.max_scan_ie_len) ||
2759 		    nla_put_u16(msg, NL80211_ATTR_MAX_SCHED_SCAN_IE_LEN,
2760 				rdev->wiphy.max_sched_scan_ie_len) ||
2761 		    nla_put_u8(msg, NL80211_ATTR_MAX_MATCH_SETS,
2762 			       rdev->wiphy.max_match_sets))
2763 			goto nla_put_failure;
2764 
2765 		if ((rdev->wiphy.flags & WIPHY_FLAG_IBSS_RSN) &&
2766 		    nla_put_flag(msg, NL80211_ATTR_SUPPORT_IBSS_RSN))
2767 			goto nla_put_failure;
2768 		if ((rdev->wiphy.flags & WIPHY_FLAG_MESH_AUTH) &&
2769 		    nla_put_flag(msg, NL80211_ATTR_SUPPORT_MESH_AUTH))
2770 			goto nla_put_failure;
2771 		if ((rdev->wiphy.flags & WIPHY_FLAG_AP_UAPSD) &&
2772 		    nla_put_flag(msg, NL80211_ATTR_SUPPORT_AP_UAPSD))
2773 			goto nla_put_failure;
2774 		if ((rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_FW_ROAM) &&
2775 		    nla_put_flag(msg, NL80211_ATTR_ROAM_SUPPORT))
2776 			goto nla_put_failure;
2777 		if ((rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) &&
2778 		    nla_put_flag(msg, NL80211_ATTR_TDLS_SUPPORT))
2779 			goto nla_put_failure;
2780 		if ((rdev->wiphy.flags & WIPHY_FLAG_TDLS_EXTERNAL_SETUP) &&
2781 		    nla_put_flag(msg, NL80211_ATTR_TDLS_EXTERNAL_SETUP))
2782 			goto nla_put_failure;
2783 		state->split_start++;
2784 		if (state->split)
2785 			break;
2786 		fallthrough;
2787 	case 1:
2788 		if (nla_put(msg, NL80211_ATTR_CIPHER_SUITES,
2789 			    sizeof(u32) * rdev->wiphy.n_cipher_suites,
2790 			    rdev->wiphy.cipher_suites))
2791 			goto nla_put_failure;
2792 
2793 		if (nla_put_u8(msg, NL80211_ATTR_MAX_NUM_PMKIDS,
2794 			       rdev->wiphy.max_num_pmkids))
2795 			goto nla_put_failure;
2796 
2797 		if ((rdev->wiphy.flags & WIPHY_FLAG_CONTROL_PORT_PROTOCOL) &&
2798 		    nla_put_flag(msg, NL80211_ATTR_CONTROL_PORT_ETHERTYPE))
2799 			goto nla_put_failure;
2800 
2801 		if (nla_put_u32(msg, NL80211_ATTR_WIPHY_ANTENNA_AVAIL_TX,
2802 				rdev->wiphy.available_antennas_tx) ||
2803 		    nla_put_u32(msg, NL80211_ATTR_WIPHY_ANTENNA_AVAIL_RX,
2804 				rdev->wiphy.available_antennas_rx))
2805 			goto nla_put_failure;
2806 
2807 		if ((rdev->wiphy.flags & WIPHY_FLAG_AP_PROBE_RESP_OFFLOAD) &&
2808 		    nla_put_u32(msg, NL80211_ATTR_PROBE_RESP_OFFLOAD,
2809 				rdev->wiphy.probe_resp_offload))
2810 			goto nla_put_failure;
2811 
2812 		if ((rdev->wiphy.available_antennas_tx ||
2813 		     rdev->wiphy.available_antennas_rx) &&
2814 		    rdev->ops->get_antenna) {
2815 			u32 tx_ant = 0, rx_ant = 0;
2816 			int res;
2817 
2818 			res = rdev_get_antenna(rdev, -1, &tx_ant, &rx_ant);
2819 			if (!res) {
2820 				if (nla_put_u32(msg,
2821 						NL80211_ATTR_WIPHY_ANTENNA_TX,
2822 						tx_ant) ||
2823 				    nla_put_u32(msg,
2824 						NL80211_ATTR_WIPHY_ANTENNA_RX,
2825 						rx_ant))
2826 					goto nla_put_failure;
2827 			}
2828 		}
2829 
2830 		state->split_start++;
2831 		if (state->split)
2832 			break;
2833 		fallthrough;
2834 	case 2:
2835 		if (nl80211_put_iftypes(msg, NL80211_ATTR_SUPPORTED_IFTYPES,
2836 					rdev->wiphy.interface_modes))
2837 				goto nla_put_failure;
2838 		state->split_start++;
2839 		if (state->split)
2840 			break;
2841 		fallthrough;
2842 	case 3:
2843 		nl_bands = nla_nest_start_noflag(msg,
2844 						 NL80211_ATTR_WIPHY_BANDS);
2845 		if (!nl_bands)
2846 			goto nla_put_failure;
2847 
2848 		for (band = state->band_start;
2849 		     band < (state->split ?
2850 				NUM_NL80211_BANDS :
2851 				NL80211_BAND_60GHZ + 1);
2852 		     band++) {
2853 			struct ieee80211_supported_band *sband;
2854 
2855 			/* omit higher bands for ancient software */
2856 			if (band > NL80211_BAND_5GHZ && !state->split)
2857 				break;
2858 
2859 			sband = rdev->wiphy.bands[band];
2860 
2861 			if (!sband)
2862 				continue;
2863 
2864 			nl_band = nla_nest_start_noflag(msg, band);
2865 			if (!nl_band)
2866 				goto nla_put_failure;
2867 
2868 			switch (state->chan_start) {
2869 			case 0:
2870 				if (nl80211_send_band_rateinfo(msg, sband,
2871 							       state->split))
2872 					goto nla_put_failure;
2873 				state->chan_start++;
2874 				if (state->split)
2875 					break;
2876 				fallthrough;
2877 			default:
2878 				/* add frequencies */
2879 				nl_freqs = nla_nest_start_noflag(msg,
2880 								 NL80211_BAND_ATTR_FREQS);
2881 				if (!nl_freqs)
2882 					goto nla_put_failure;
2883 
2884 				for (i = state->chan_start - 1;
2885 				     i < sband->n_channels;
2886 				     i++) {
2887 					nl_freq = nla_nest_start_noflag(msg,
2888 									i);
2889 					if (!nl_freq)
2890 						goto nla_put_failure;
2891 
2892 					chan = &sband->channels[i];
2893 
2894 					if (nl80211_msg_put_channel(
2895 							msg, &rdev->wiphy, chan,
2896 							state->split))
2897 						goto nla_put_failure;
2898 
2899 					nla_nest_end(msg, nl_freq);
2900 					if (state->split)
2901 						break;
2902 				}
2903 				if (i < sband->n_channels)
2904 					state->chan_start = i + 2;
2905 				else
2906 					state->chan_start = 0;
2907 				nla_nest_end(msg, nl_freqs);
2908 			}
2909 
2910 			nla_nest_end(msg, nl_band);
2911 
2912 			if (state->split) {
2913 				/* start again here */
2914 				if (state->chan_start)
2915 					band--;
2916 				break;
2917 			}
2918 		}
2919 		nla_nest_end(msg, nl_bands);
2920 
2921 		if (band < NUM_NL80211_BANDS)
2922 			state->band_start = band + 1;
2923 		else
2924 			state->band_start = 0;
2925 
2926 		/* if bands & channels are done, continue outside */
2927 		if (state->band_start == 0 && state->chan_start == 0)
2928 			state->split_start++;
2929 		if (state->split)
2930 			break;
2931 		fallthrough;
2932 	case 4:
2933 		nl_cmds = nla_nest_start_noflag(msg,
2934 						NL80211_ATTR_SUPPORTED_COMMANDS);
2935 		if (!nl_cmds)
2936 			goto nla_put_failure;
2937 
2938 		i = nl80211_add_commands_unsplit(rdev, msg);
2939 		if (i < 0)
2940 			goto nla_put_failure;
2941 		if (state->split) {
2942 			CMD(crit_proto_start, CRIT_PROTOCOL_START);
2943 			CMD(crit_proto_stop, CRIT_PROTOCOL_STOP);
2944 			if (rdev->wiphy.flags & WIPHY_FLAG_HAS_CHANNEL_SWITCH)
2945 				CMD(channel_switch, CHANNEL_SWITCH);
2946 			CMD(set_qos_map, SET_QOS_MAP);
2947 			if (rdev->wiphy.features &
2948 					NL80211_FEATURE_SUPPORTS_WMM_ADMISSION)
2949 				CMD(add_tx_ts, ADD_TX_TS);
2950 			CMD(set_multicast_to_unicast, SET_MULTICAST_TO_UNICAST);
2951 			CMD(update_connect_params, UPDATE_CONNECT_PARAMS);
2952 			CMD(update_ft_ies, UPDATE_FT_IES);
2953 			if (rdev->wiphy.sar_capa)
2954 				CMD(set_sar_specs, SET_SAR_SPECS);
2955 			CMD(assoc_ml_reconf, ASSOC_MLO_RECONF);
2956 		}
2957 #undef CMD
2958 
2959 		nla_nest_end(msg, nl_cmds);
2960 		state->split_start++;
2961 		if (state->split)
2962 			break;
2963 		fallthrough;
2964 	case 5:
2965 		if (rdev->ops->remain_on_channel &&
2966 		    (rdev->wiphy.flags & WIPHY_FLAG_HAS_REMAIN_ON_CHANNEL) &&
2967 		    nla_put_u32(msg,
2968 				NL80211_ATTR_MAX_REMAIN_ON_CHANNEL_DURATION,
2969 				rdev->wiphy.max_remain_on_channel_duration))
2970 			goto nla_put_failure;
2971 
2972 		if ((rdev->wiphy.flags & WIPHY_FLAG_OFFCHAN_TX) &&
2973 		    nla_put_flag(msg, NL80211_ATTR_OFFCHANNEL_TX_OK))
2974 			goto nla_put_failure;
2975 
2976 		state->split_start++;
2977 		if (state->split)
2978 			break;
2979 		fallthrough;
2980 	case 6:
2981 #ifdef CONFIG_PM
2982 		if (nl80211_send_wowlan(msg, rdev, state->split))
2983 			goto nla_put_failure;
2984 		state->split_start++;
2985 		if (state->split)
2986 			break;
2987 #else
2988 		state->split_start++;
2989 #endif
2990 		fallthrough;
2991 	case 7:
2992 		if (nl80211_put_iftypes(msg, NL80211_ATTR_SOFTWARE_IFTYPES,
2993 					rdev->wiphy.software_iftypes))
2994 			goto nla_put_failure;
2995 
2996 		if (nl80211_put_iface_combinations(&rdev->wiphy, msg,
2997 						   NL80211_ATTR_INTERFACE_COMBINATIONS,
2998 						   rdev->wiphy.n_radio ? 0 : -1,
2999 						   state->split, 0))
3000 			goto nla_put_failure;
3001 
3002 		state->split_start++;
3003 		if (state->split)
3004 			break;
3005 		fallthrough;
3006 	case 8:
3007 		if ((rdev->wiphy.flags & WIPHY_FLAG_HAVE_AP_SME) &&
3008 		    nla_put_u32(msg, NL80211_ATTR_DEVICE_AP_SME,
3009 				rdev->wiphy.ap_sme_capa))
3010 			goto nla_put_failure;
3011 
3012 		features = rdev->wiphy.features;
3013 		/*
3014 		 * We can only add the per-channel limit information if the
3015 		 * dump is split, otherwise it makes it too big. Therefore
3016 		 * only advertise it in that case.
3017 		 */
3018 		if (state->split)
3019 			features |= NL80211_FEATURE_ADVERTISE_CHAN_LIMITS;
3020 		if (nla_put_u32(msg, NL80211_ATTR_FEATURE_FLAGS, features))
3021 			goto nla_put_failure;
3022 
3023 		if (rdev->wiphy.ht_capa_mod_mask &&
3024 		    nla_put(msg, NL80211_ATTR_HT_CAPABILITY_MASK,
3025 			    sizeof(*rdev->wiphy.ht_capa_mod_mask),
3026 			    rdev->wiphy.ht_capa_mod_mask))
3027 			goto nla_put_failure;
3028 
3029 		if (rdev->wiphy.flags & WIPHY_FLAG_HAVE_AP_SME &&
3030 		    rdev->wiphy.max_acl_mac_addrs &&
3031 		    nla_put_u32(msg, NL80211_ATTR_MAC_ACL_MAX,
3032 				rdev->wiphy.max_acl_mac_addrs))
3033 			goto nla_put_failure;
3034 
3035 		/*
3036 		 * Any information below this point is only available to
3037 		 * applications that can deal with it being split. This
3038 		 * helps ensure that newly added capabilities don't break
3039 		 * older tools by overrunning their buffers.
3040 		 *
3041 		 * We still increment split_start so that in the split
3042 		 * case we'll continue with more data in the next round,
3043 		 * but break unconditionally so unsplit data stops here.
3044 		 */
3045 		if (state->split)
3046 			state->split_start++;
3047 		else
3048 			state->split_start = 0;
3049 		break;
3050 	case 9:
3051 		if (nl80211_send_mgmt_stypes(msg, mgmt_stypes))
3052 			goto nla_put_failure;
3053 
3054 		if (nla_put_u32(msg, NL80211_ATTR_MAX_NUM_SCHED_SCAN_PLANS,
3055 				rdev->wiphy.max_sched_scan_plans) ||
3056 		    nla_put_u32(msg, NL80211_ATTR_MAX_SCAN_PLAN_INTERVAL,
3057 				rdev->wiphy.max_sched_scan_plan_interval) ||
3058 		    nla_put_u32(msg, NL80211_ATTR_MAX_SCAN_PLAN_ITERATIONS,
3059 				rdev->wiphy.max_sched_scan_plan_iterations))
3060 			goto nla_put_failure;
3061 
3062 		if (rdev->wiphy.extended_capabilities &&
3063 		    (nla_put(msg, NL80211_ATTR_EXT_CAPA,
3064 			     rdev->wiphy.extended_capabilities_len,
3065 			     rdev->wiphy.extended_capabilities) ||
3066 		     nla_put(msg, NL80211_ATTR_EXT_CAPA_MASK,
3067 			     rdev->wiphy.extended_capabilities_len,
3068 			     rdev->wiphy.extended_capabilities_mask)))
3069 			goto nla_put_failure;
3070 
3071 		if (rdev->wiphy.vht_capa_mod_mask &&
3072 		    nla_put(msg, NL80211_ATTR_VHT_CAPABILITY_MASK,
3073 			    sizeof(*rdev->wiphy.vht_capa_mod_mask),
3074 			    rdev->wiphy.vht_capa_mod_mask))
3075 			goto nla_put_failure;
3076 
3077 		if (nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN,
3078 			    rdev->wiphy.perm_addr))
3079 			goto nla_put_failure;
3080 
3081 		if (!is_zero_ether_addr(rdev->wiphy.addr_mask) &&
3082 		    nla_put(msg, NL80211_ATTR_MAC_MASK, ETH_ALEN,
3083 			    rdev->wiphy.addr_mask))
3084 			goto nla_put_failure;
3085 
3086 		if (rdev->wiphy.n_addresses > 1) {
3087 			void *attr;
3088 
3089 			attr = nla_nest_start(msg, NL80211_ATTR_MAC_ADDRS);
3090 			if (!attr)
3091 				goto nla_put_failure;
3092 
3093 			for (i = 0; i < rdev->wiphy.n_addresses; i++)
3094 				if (nla_put(msg, i + 1, ETH_ALEN,
3095 					    rdev->wiphy.addresses[i].addr))
3096 					goto nla_put_failure;
3097 
3098 			nla_nest_end(msg, attr);
3099 		}
3100 
3101 		state->split_start++;
3102 		break;
3103 	case 10:
3104 		if (nl80211_send_coalesce(msg, rdev))
3105 			goto nla_put_failure;
3106 
3107 		if ((rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_5_10_MHZ) &&
3108 		    (nla_put_flag(msg, NL80211_ATTR_SUPPORT_5_MHZ) ||
3109 		     nla_put_flag(msg, NL80211_ATTR_SUPPORT_10_MHZ)))
3110 			goto nla_put_failure;
3111 
3112 		if (rdev->wiphy.max_ap_assoc_sta &&
3113 		    nla_put_u32(msg, NL80211_ATTR_MAX_AP_ASSOC_STA,
3114 				rdev->wiphy.max_ap_assoc_sta))
3115 			goto nla_put_failure;
3116 
3117 		state->split_start++;
3118 		break;
3119 	case 11:
3120 		if (rdev->wiphy.n_vendor_commands) {
3121 			const struct nl80211_vendor_cmd_info *info;
3122 			struct nlattr *nested;
3123 
3124 			nested = nla_nest_start_noflag(msg,
3125 						       NL80211_ATTR_VENDOR_DATA);
3126 			if (!nested)
3127 				goto nla_put_failure;
3128 
3129 			for (i = 0; i < rdev->wiphy.n_vendor_commands; i++) {
3130 				info = &rdev->wiphy.vendor_commands[i].info;
3131 				if (nla_put(msg, i + 1, sizeof(*info), info))
3132 					goto nla_put_failure;
3133 			}
3134 			nla_nest_end(msg, nested);
3135 		}
3136 
3137 		if (rdev->wiphy.n_vendor_events) {
3138 			const struct nl80211_vendor_cmd_info *info;
3139 			struct nlattr *nested;
3140 
3141 			nested = nla_nest_start_noflag(msg,
3142 						       NL80211_ATTR_VENDOR_EVENTS);
3143 			if (!nested)
3144 				goto nla_put_failure;
3145 
3146 			for (i = 0; i < rdev->wiphy.n_vendor_events; i++) {
3147 				info = &rdev->wiphy.vendor_events[i];
3148 				if (nla_put(msg, i + 1, sizeof(*info), info))
3149 					goto nla_put_failure;
3150 			}
3151 			nla_nest_end(msg, nested);
3152 		}
3153 		state->split_start++;
3154 		break;
3155 	case 12:
3156 		if (rdev->wiphy.flags & WIPHY_FLAG_HAS_CHANNEL_SWITCH &&
3157 		    nla_put_u8(msg, NL80211_ATTR_MAX_CSA_COUNTERS,
3158 			       rdev->wiphy.max_num_csa_counters))
3159 			goto nla_put_failure;
3160 
3161 		if (rdev->wiphy.regulatory_flags & REGULATORY_WIPHY_SELF_MANAGED &&
3162 		    nla_put_flag(msg, NL80211_ATTR_WIPHY_SELF_MANAGED_REG))
3163 			goto nla_put_failure;
3164 
3165 		if (rdev->wiphy.max_sched_scan_reqs &&
3166 		    nla_put_u32(msg, NL80211_ATTR_SCHED_SCAN_MAX_REQS,
3167 				rdev->wiphy.max_sched_scan_reqs))
3168 			goto nla_put_failure;
3169 
3170 		if (nla_put(msg, NL80211_ATTR_EXT_FEATURES,
3171 			    sizeof(rdev->wiphy.ext_features),
3172 			    rdev->wiphy.ext_features))
3173 			goto nla_put_failure;
3174 
3175 		if (rdev->wiphy.bss_param_support) {
3176 			struct nlattr *nested;
3177 			u32 parsup = rdev->wiphy.bss_param_support;
3178 
3179 			nested = nla_nest_start(msg, NL80211_ATTR_BSS_PARAM);
3180 			if (!nested)
3181 				goto nla_put_failure;
3182 
3183 			if ((parsup & WIPHY_BSS_PARAM_CTS_PROT) &&
3184 			    nla_put_flag(msg, NL80211_ATTR_BSS_CTS_PROT))
3185 				goto nla_put_failure;
3186 			if ((parsup & WIPHY_BSS_PARAM_SHORT_PREAMBLE) &&
3187 			    nla_put_flag(msg, NL80211_ATTR_BSS_SHORT_PREAMBLE))
3188 				goto nla_put_failure;
3189 			if ((parsup & WIPHY_BSS_PARAM_SHORT_SLOT_TIME) &&
3190 			    nla_put_flag(msg, NL80211_ATTR_BSS_SHORT_SLOT_TIME))
3191 				goto nla_put_failure;
3192 			if ((parsup & WIPHY_BSS_PARAM_BASIC_RATES) &&
3193 			    nla_put_flag(msg, NL80211_ATTR_BSS_BASIC_RATES))
3194 				goto nla_put_failure;
3195 			if ((parsup & WIPHY_BSS_PARAM_AP_ISOLATE) &&
3196 			    nla_put_flag(msg, NL80211_ATTR_AP_ISOLATE))
3197 				goto nla_put_failure;
3198 			if ((parsup & WIPHY_BSS_PARAM_HT_OPMODE) &&
3199 			    nla_put_flag(msg, NL80211_ATTR_BSS_HT_OPMODE))
3200 				goto nla_put_failure;
3201 			if ((parsup & WIPHY_BSS_PARAM_P2P_CTWINDOW) &&
3202 			    nla_put_flag(msg, NL80211_ATTR_P2P_CTWINDOW))
3203 				goto nla_put_failure;
3204 			if ((parsup & WIPHY_BSS_PARAM_P2P_OPPPS) &&
3205 			    nla_put_flag(msg, NL80211_ATTR_P2P_OPPPS))
3206 				goto nla_put_failure;
3207 			nla_nest_end(msg, nested);
3208 		}
3209 		if (rdev->wiphy.bss_select_support) {
3210 			struct nlattr *nested;
3211 			u32 bss_select_support = rdev->wiphy.bss_select_support;
3212 
3213 			nested = nla_nest_start_noflag(msg,
3214 						       NL80211_ATTR_BSS_SELECT);
3215 			if (!nested)
3216 				goto nla_put_failure;
3217 
3218 			i = 0;
3219 			while (bss_select_support) {
3220 				if ((bss_select_support & 1) &&
3221 				    nla_put_flag(msg, i))
3222 					goto nla_put_failure;
3223 				i++;
3224 				bss_select_support >>= 1;
3225 			}
3226 			nla_nest_end(msg, nested);
3227 		}
3228 
3229 		state->split_start++;
3230 		break;
3231 	case 13:
3232 		if (rdev->wiphy.num_iftype_ext_capab &&
3233 		    rdev->wiphy.iftype_ext_capab) {
3234 			struct nlattr *nested_ext_capab, *nested;
3235 
3236 			nested = nla_nest_start_noflag(msg,
3237 						       NL80211_ATTR_IFTYPE_EXT_CAPA);
3238 			if (!nested)
3239 				goto nla_put_failure;
3240 
3241 			for (i = state->capa_start;
3242 			     i < rdev->wiphy.num_iftype_ext_capab; i++) {
3243 				const struct wiphy_iftype_ext_capab *capab;
3244 
3245 				capab = &rdev->wiphy.iftype_ext_capab[i];
3246 
3247 				nested_ext_capab = nla_nest_start_noflag(msg,
3248 									 i);
3249 				if (!nested_ext_capab ||
3250 				    nla_put_u32(msg, NL80211_ATTR_IFTYPE,
3251 						capab->iftype) ||
3252 				    nla_put(msg, NL80211_ATTR_EXT_CAPA,
3253 					    capab->extended_capabilities_len,
3254 					    capab->extended_capabilities) ||
3255 				    nla_put(msg, NL80211_ATTR_EXT_CAPA_MASK,
3256 					    capab->extended_capabilities_len,
3257 					    capab->extended_capabilities_mask))
3258 					goto nla_put_failure;
3259 
3260 				if (rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_MLO &&
3261 				    (nla_put_u16(msg,
3262 						 NL80211_ATTR_EML_CAPABILITY,
3263 						 capab->eml_capabilities) ||
3264 				     nla_put_u16(msg,
3265 						 NL80211_ATTR_MLD_CAPA_AND_OPS,
3266 						 capab->mld_capa_and_ops)))
3267 					goto nla_put_failure;
3268 
3269 				nla_nest_end(msg, nested_ext_capab);
3270 				if (state->split)
3271 					break;
3272 			}
3273 			nla_nest_end(msg, nested);
3274 			if (i < rdev->wiphy.num_iftype_ext_capab) {
3275 				state->capa_start = i + 1;
3276 				break;
3277 			}
3278 		}
3279 
3280 		if (nla_put_u32(msg, NL80211_ATTR_BANDS,
3281 				rdev->wiphy.nan_supported_bands))
3282 			goto nla_put_failure;
3283 
3284 		if (wiphy_ext_feature_isset(&rdev->wiphy,
3285 					    NL80211_EXT_FEATURE_TXQS)) {
3286 			struct cfg80211_txq_stats txqstats = {};
3287 			int res;
3288 
3289 			res = rdev_get_txq_stats(rdev, NULL, &txqstats);
3290 			if (!res &&
3291 			    !nl80211_put_txq_stats(msg, &txqstats,
3292 						   NL80211_ATTR_TXQ_STATS))
3293 				goto nla_put_failure;
3294 
3295 			if (nla_put_u32(msg, NL80211_ATTR_TXQ_LIMIT,
3296 					rdev->wiphy.txq_limit))
3297 				goto nla_put_failure;
3298 			if (nla_put_u32(msg, NL80211_ATTR_TXQ_MEMORY_LIMIT,
3299 					rdev->wiphy.txq_memory_limit))
3300 				goto nla_put_failure;
3301 			if (nla_put_u32(msg, NL80211_ATTR_TXQ_QUANTUM,
3302 					rdev->wiphy.txq_quantum))
3303 				goto nla_put_failure;
3304 		}
3305 
3306 		state->split_start++;
3307 		break;
3308 	case 14:
3309 		if (nl80211_send_pmsr_capa(rdev, msg))
3310 			goto nla_put_failure;
3311 
3312 		state->split_start++;
3313 		break;
3314 	case 15:
3315 		if (rdev->wiphy.akm_suites &&
3316 		    nla_put(msg, NL80211_ATTR_AKM_SUITES,
3317 			    sizeof(u32) * rdev->wiphy.n_akm_suites,
3318 			    rdev->wiphy.akm_suites))
3319 			goto nla_put_failure;
3320 
3321 		if (nl80211_put_iftype_akm_suites(rdev, msg))
3322 			goto nla_put_failure;
3323 
3324 		if (nl80211_put_tid_config_support(rdev, msg))
3325 			goto nla_put_failure;
3326 		state->split_start++;
3327 		break;
3328 	case 16:
3329 		if (nl80211_put_sar_specs(rdev, msg))
3330 			goto nla_put_failure;
3331 
3332 		if (nl80211_put_mbssid_support(&rdev->wiphy, msg))
3333 			goto nla_put_failure;
3334 
3335 		if (nla_put_u16(msg, NL80211_ATTR_MAX_NUM_AKM_SUITES,
3336 				rdev->wiphy.max_num_akm_suites))
3337 			goto nla_put_failure;
3338 
3339 		if (rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_MLO)
3340 			nla_put_flag(msg, NL80211_ATTR_MLO_SUPPORT);
3341 
3342 		if (rdev->wiphy.hw_timestamp_max_peers &&
3343 		    nla_put_u16(msg, NL80211_ATTR_MAX_HW_TIMESTAMP_PEERS,
3344 				rdev->wiphy.hw_timestamp_max_peers))
3345 			goto nla_put_failure;
3346 
3347 		state->split_start++;
3348 		break;
3349 	case 17:
3350 		if (nl80211_put_radios(&rdev->wiphy, msg))
3351 			goto nla_put_failure;
3352 
3353 		state->split_start++;
3354 		break;
3355 	case 18:
3356 		if (nl80211_put_nan_capa(&rdev->wiphy, msg))
3357 			goto nla_put_failure;
3358 
3359 		/* done */
3360 		state->split_start = 0;
3361 		break;
3362 	}
3363  finish:
3364 	genlmsg_end(msg, hdr);
3365 	return 0;
3366 
3367  nla_put_failure:
3368 	genlmsg_cancel(msg, hdr);
3369 	return -EMSGSIZE;
3370 }
3371 
3372 static int nl80211_dump_wiphy_parse(struct sk_buff *skb,
3373 				    struct netlink_callback *cb,
3374 				    struct nl80211_dump_wiphy_state *state)
3375 {
3376 	struct nlattr **tb = kzalloc_objs(*tb, NUM_NL80211_ATTR);
3377 	int ret;
3378 
3379 	if (!tb)
3380 		return -ENOMEM;
3381 
3382 	ret = nlmsg_parse_deprecated(cb->nlh,
3383 				     GENL_HDRLEN + nl80211_fam.hdrsize,
3384 				     tb, nl80211_fam.maxattr,
3385 				     nl80211_policy, NULL);
3386 	/* ignore parse errors for backward compatibility */
3387 	if (ret) {
3388 		ret = 0;
3389 		goto out;
3390 	}
3391 
3392 	state->split = tb[NL80211_ATTR_SPLIT_WIPHY_DUMP];
3393 	if (tb[NL80211_ATTR_WIPHY])
3394 		state->filter_wiphy = nla_get_u32(tb[NL80211_ATTR_WIPHY]);
3395 	if (tb[NL80211_ATTR_WDEV])
3396 		state->filter_wiphy = nla_get_u64(tb[NL80211_ATTR_WDEV]) >> 32;
3397 	if (tb[NL80211_ATTR_IFINDEX]) {
3398 		struct net_device *netdev;
3399 		struct cfg80211_registered_device *rdev;
3400 		int ifidx = nla_get_u32(tb[NL80211_ATTR_IFINDEX]);
3401 
3402 		netdev = __dev_get_by_index(sock_net(skb->sk), ifidx);
3403 		if (!netdev) {
3404 			ret = -ENODEV;
3405 			goto out;
3406 		}
3407 		if (netdev->ieee80211_ptr) {
3408 			rdev = wiphy_to_rdev(
3409 				netdev->ieee80211_ptr->wiphy);
3410 			state->filter_wiphy = rdev->wiphy_idx;
3411 		}
3412 	}
3413 
3414 	ret = 0;
3415 out:
3416 	kfree(tb);
3417 	return ret;
3418 }
3419 
3420 static int nl80211_dump_wiphy(struct sk_buff *skb, struct netlink_callback *cb)
3421 {
3422 	int idx = 0, ret;
3423 	struct nl80211_dump_wiphy_state *state = (void *)cb->args[0];
3424 	struct cfg80211_registered_device *rdev;
3425 
3426 	rtnl_lock();
3427 	if (!state) {
3428 		state = kzalloc_obj(*state);
3429 		if (!state) {
3430 			rtnl_unlock();
3431 			return -ENOMEM;
3432 		}
3433 		state->filter_wiphy = -1;
3434 		ret = nl80211_dump_wiphy_parse(skb, cb, state);
3435 		if (ret) {
3436 			kfree(state);
3437 			rtnl_unlock();
3438 			return ret;
3439 		}
3440 		cb->args[0] = (long)state;
3441 	}
3442 
3443 	for_each_rdev(rdev) {
3444 		if (!net_eq(wiphy_net(&rdev->wiphy), sock_net(skb->sk)))
3445 			continue;
3446 		if (++idx <= state->start)
3447 			continue;
3448 		if (state->filter_wiphy != -1 &&
3449 		    state->filter_wiphy != rdev->wiphy_idx)
3450 			continue;
3451 		wiphy_lock(&rdev->wiphy);
3452 		/* attempt to fit multiple wiphy data chunks into the skb */
3453 		do {
3454 			ret = nl80211_send_wiphy(rdev, NL80211_CMD_NEW_WIPHY,
3455 						 skb,
3456 						 NETLINK_CB(cb->skb).portid,
3457 						 cb->nlh->nlmsg_seq,
3458 						 NLM_F_MULTI, state);
3459 			if (ret < 0) {
3460 				/*
3461 				 * If sending the wiphy data didn't fit (ENOBUFS
3462 				 * or EMSGSIZE returned), this SKB is still
3463 				 * empty (so it's not too big because another
3464 				 * wiphy dataset is already in the skb) and
3465 				 * we've not tried to adjust the dump allocation
3466 				 * yet ... then adjust the alloc size to be
3467 				 * bigger, and return 1 but with the empty skb.
3468 				 * This results in an empty message being RX'ed
3469 				 * in userspace, but that is ignored.
3470 				 *
3471 				 * We can then retry with the larger buffer.
3472 				 */
3473 				if ((ret == -ENOBUFS || ret == -EMSGSIZE) &&
3474 				    !skb->len && !state->split &&
3475 				    cb->min_dump_alloc < 4096) {
3476 					cb->min_dump_alloc = 4096;
3477 					state->split_start = 0;
3478 					wiphy_unlock(&rdev->wiphy);
3479 					rtnl_unlock();
3480 					return 1;
3481 				}
3482 				idx--;
3483 				break;
3484 			}
3485 		} while (state->split_start > 0);
3486 		wiphy_unlock(&rdev->wiphy);
3487 		break;
3488 	}
3489 	rtnl_unlock();
3490 
3491 	state->start = idx;
3492 
3493 	return skb->len;
3494 }
3495 
3496 static int nl80211_dump_wiphy_done(struct netlink_callback *cb)
3497 {
3498 	kfree((void *)cb->args[0]);
3499 	return 0;
3500 }
3501 
3502 static int nl80211_get_wiphy(struct sk_buff *skb, struct genl_info *info)
3503 {
3504 	struct sk_buff *msg;
3505 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
3506 	struct nl80211_dump_wiphy_state state = {};
3507 
3508 	msg = nlmsg_new(4096, GFP_KERNEL);
3509 	if (!msg)
3510 		return -ENOMEM;
3511 
3512 	if (nl80211_send_wiphy(rdev, NL80211_CMD_NEW_WIPHY, msg,
3513 			       info->snd_portid, info->snd_seq, 0,
3514 			       &state) < 0) {
3515 		nlmsg_free(msg);
3516 		return -ENOBUFS;
3517 	}
3518 
3519 	return genlmsg_reply(msg, info);
3520 }
3521 
3522 static const struct nla_policy txq_params_policy[NL80211_TXQ_ATTR_MAX + 1] = {
3523 	[NL80211_TXQ_ATTR_QUEUE]		= { .type = NLA_U8 },
3524 	[NL80211_TXQ_ATTR_TXOP]			= { .type = NLA_U16 },
3525 	[NL80211_TXQ_ATTR_CWMIN]		= { .type = NLA_U16 },
3526 	[NL80211_TXQ_ATTR_CWMAX]		= { .type = NLA_U16 },
3527 	[NL80211_TXQ_ATTR_AIFS]			= { .type = NLA_U8 },
3528 };
3529 
3530 static int parse_txq_params(struct nlattr *tb[],
3531 			    struct ieee80211_txq_params *txq_params)
3532 {
3533 	u8 ac;
3534 
3535 	if (!tb[NL80211_TXQ_ATTR_AC] || !tb[NL80211_TXQ_ATTR_TXOP] ||
3536 	    !tb[NL80211_TXQ_ATTR_CWMIN] || !tb[NL80211_TXQ_ATTR_CWMAX] ||
3537 	    !tb[NL80211_TXQ_ATTR_AIFS])
3538 		return -EINVAL;
3539 
3540 	ac = nla_get_u8(tb[NL80211_TXQ_ATTR_AC]);
3541 	txq_params->txop = nla_get_u16(tb[NL80211_TXQ_ATTR_TXOP]);
3542 	txq_params->cwmin = nla_get_u16(tb[NL80211_TXQ_ATTR_CWMIN]);
3543 	txq_params->cwmax = nla_get_u16(tb[NL80211_TXQ_ATTR_CWMAX]);
3544 	txq_params->aifs = nla_get_u8(tb[NL80211_TXQ_ATTR_AIFS]);
3545 
3546 	if (ac >= NL80211_NUM_ACS)
3547 		return -EINVAL;
3548 	txq_params->ac = array_index_nospec(ac, NL80211_NUM_ACS);
3549 	return 0;
3550 }
3551 
3552 static bool nl80211_can_set_dev_channel(struct wireless_dev *wdev)
3553 {
3554 	/*
3555 	 * You can only set the channel explicitly for some interfaces,
3556 	 * most have their channel managed via their respective
3557 	 * "establish a connection" command (connect, join, ...)
3558 	 *
3559 	 * For AP/GO and mesh mode, the channel can be set with the
3560 	 * channel userspace API, but is only stored and passed to the
3561 	 * low-level driver when the AP starts or the mesh is joined.
3562 	 * This is for backward compatibility, userspace can also give
3563 	 * the channel in the start-ap or join-mesh commands instead.
3564 	 *
3565 	 * Monitors are special as they are normally slaved to
3566 	 * whatever else is going on, so they have their own special
3567 	 * operation to set the monitor channel if possible.
3568 	 */
3569 	return !wdev ||
3570 		wdev->iftype == NL80211_IFTYPE_AP ||
3571 		wdev->iftype == NL80211_IFTYPE_MESH_POINT ||
3572 		wdev->iftype == NL80211_IFTYPE_MONITOR ||
3573 		wdev->iftype == NL80211_IFTYPE_P2P_GO;
3574 }
3575 
3576 static int _nl80211_parse_chandef(struct cfg80211_registered_device *rdev,
3577 				  struct netlink_ext_ack *extack,
3578 				  struct nlattr **attrs, bool monitor,
3579 				  struct cfg80211_chan_def *chandef)
3580 {
3581 	u32 control_freq;
3582 
3583 	if (!attrs[NL80211_ATTR_WIPHY_FREQ]) {
3584 		NL_SET_ERR_MSG_ATTR(extack, attrs[NL80211_ATTR_WIPHY_FREQ],
3585 				    "Frequency is missing");
3586 		return -EINVAL;
3587 	}
3588 
3589 	control_freq = MHZ_TO_KHZ(
3590 			nla_get_u32(attrs[NL80211_ATTR_WIPHY_FREQ]));
3591 	if (attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET])
3592 		control_freq +=
3593 		    nla_get_u32(attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET]);
3594 
3595 	memset(chandef, 0, sizeof(*chandef));
3596 	chandef->chan = ieee80211_get_channel_khz(&rdev->wiphy, control_freq);
3597 	chandef->width = NL80211_CHAN_WIDTH_20_NOHT;
3598 	chandef->center_freq1 = KHZ_TO_MHZ(control_freq);
3599 	chandef->freq1_offset = control_freq % 1000;
3600 	chandef->center_freq2 = 0;
3601 	chandef->s1g_primary_2mhz = false;
3602 
3603 	if (!chandef->chan) {
3604 		NL_SET_ERR_MSG_ATTR(extack, attrs[NL80211_ATTR_WIPHY_FREQ],
3605 				    "Unknown channel");
3606 		return -EINVAL;
3607 	}
3608 
3609 	if (cfg80211_chandef_is_s1g(chandef))
3610 		chandef->width = NL80211_CHAN_WIDTH_1;
3611 
3612 	if (attrs[NL80211_ATTR_WIPHY_CHANNEL_TYPE]) {
3613 		enum nl80211_channel_type chantype;
3614 
3615 		chantype = nla_get_u32(attrs[NL80211_ATTR_WIPHY_CHANNEL_TYPE]);
3616 
3617 		switch (chantype) {
3618 		case NL80211_CHAN_NO_HT:
3619 		case NL80211_CHAN_HT20:
3620 		case NL80211_CHAN_HT40PLUS:
3621 		case NL80211_CHAN_HT40MINUS:
3622 			cfg80211_chandef_create(chandef, chandef->chan,
3623 						chantype);
3624 			/* user input for center_freq is incorrect */
3625 			if (attrs[NL80211_ATTR_CENTER_FREQ1] &&
3626 			    chandef->center_freq1 != nla_get_u32(attrs[NL80211_ATTR_CENTER_FREQ1])) {
3627 				NL_SET_ERR_MSG_ATTR(extack,
3628 						    attrs[NL80211_ATTR_CENTER_FREQ1],
3629 						    "bad center frequency 1");
3630 				return -EINVAL;
3631 			}
3632 			/* center_freq2 must be zero */
3633 			if (attrs[NL80211_ATTR_CENTER_FREQ2] &&
3634 			    nla_get_u32(attrs[NL80211_ATTR_CENTER_FREQ2])) {
3635 				NL_SET_ERR_MSG_ATTR(extack,
3636 						    attrs[NL80211_ATTR_CENTER_FREQ2],
3637 						    "center frequency 2 can't be used");
3638 				return -EINVAL;
3639 			}
3640 			break;
3641 		default:
3642 			NL_SET_ERR_MSG_ATTR(extack,
3643 					    attrs[NL80211_ATTR_WIPHY_CHANNEL_TYPE],
3644 					    "invalid channel type");
3645 			return -EINVAL;
3646 		}
3647 	} else if (attrs[NL80211_ATTR_CHANNEL_WIDTH]) {
3648 		chandef->width = nla_get_u32(attrs[NL80211_ATTR_CHANNEL_WIDTH]);
3649 		if (attrs[NL80211_ATTR_CENTER_FREQ1]) {
3650 			chandef->center_freq1 =
3651 				nla_get_u32(attrs[NL80211_ATTR_CENTER_FREQ1]);
3652 			chandef->freq1_offset = nla_get_u32_default(
3653 				attrs[NL80211_ATTR_CENTER_FREQ1_OFFSET], 0);
3654 		}
3655 
3656 		if (attrs[NL80211_ATTR_CENTER_FREQ2])
3657 			chandef->center_freq2 =
3658 				nla_get_u32(attrs[NL80211_ATTR_CENTER_FREQ2]);
3659 
3660 		chandef->s1g_primary_2mhz = nla_get_flag(
3661 			attrs[NL80211_ATTR_S1G_PRIMARY_2MHZ]);
3662 	}
3663 
3664 	if (attrs[NL80211_ATTR_WIPHY_EDMG_CHANNELS]) {
3665 		chandef->edmg.channels =
3666 		      nla_get_u8(attrs[NL80211_ATTR_WIPHY_EDMG_CHANNELS]);
3667 
3668 		if (attrs[NL80211_ATTR_WIPHY_EDMG_BW_CONFIG])
3669 			chandef->edmg.bw_config =
3670 		     nla_get_u8(attrs[NL80211_ATTR_WIPHY_EDMG_BW_CONFIG]);
3671 	} else {
3672 		chandef->edmg.bw_config = 0;
3673 		chandef->edmg.channels = 0;
3674 	}
3675 
3676 	if (attrs[NL80211_ATTR_PUNCT_BITMAP]) {
3677 		chandef->punctured =
3678 			nla_get_u32(attrs[NL80211_ATTR_PUNCT_BITMAP]);
3679 
3680 		if (chandef->punctured &&
3681 		    !wiphy_ext_feature_isset(&rdev->wiphy,
3682 					     NL80211_EXT_FEATURE_PUNCT)) {
3683 			NL_SET_ERR_MSG_ATTR(extack,
3684 					    attrs[NL80211_ATTR_WIPHY_FREQ],
3685 					    "driver doesn't support puncturing");
3686 			return -EINVAL;
3687 		}
3688 	}
3689 
3690 	if (!cfg80211_chandef_valid(chandef)) {
3691 		NL_SET_ERR_MSG_ATTR(extack, attrs[NL80211_ATTR_WIPHY_FREQ],
3692 				    "invalid channel definition");
3693 		return -EINVAL;
3694 	}
3695 
3696 	if (!_cfg80211_chandef_usable(&rdev->wiphy, chandef,
3697 				      IEEE80211_CHAN_DISABLED,
3698 				      monitor ? IEEE80211_CHAN_CAN_MONITOR : 0)) {
3699 		NL_SET_ERR_MSG_ATTR(extack, attrs[NL80211_ATTR_WIPHY_FREQ],
3700 				    "(extension) channel is disabled");
3701 		return -EINVAL;
3702 	}
3703 
3704 	if ((chandef->width == NL80211_CHAN_WIDTH_5 ||
3705 	     chandef->width == NL80211_CHAN_WIDTH_10) &&
3706 	    !(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_5_10_MHZ)) {
3707 		NL_SET_ERR_MSG(extack, "5/10 MHz not supported");
3708 		return -EINVAL;
3709 	}
3710 
3711 	return 0;
3712 }
3713 
3714 int nl80211_parse_chandef(struct cfg80211_registered_device *rdev,
3715 			  struct netlink_ext_ack *extack,
3716 			  struct nlattr **attrs,
3717 			  struct cfg80211_chan_def *chandef)
3718 {
3719 	return _nl80211_parse_chandef(rdev, extack, attrs, false, chandef);
3720 }
3721 
3722 static int __nl80211_set_channel(struct cfg80211_registered_device *rdev,
3723 				 struct net_device *dev,
3724 				 struct genl_info *info,
3725 				 int _link_id)
3726 {
3727 	struct cfg80211_chan_def chandef;
3728 	int result;
3729 	enum nl80211_iftype iftype = NL80211_IFTYPE_MONITOR;
3730 	struct wireless_dev *wdev = NULL;
3731 	int link_id = _link_id;
3732 
3733 	if (dev)
3734 		wdev = dev->ieee80211_ptr;
3735 	if (!nl80211_can_set_dev_channel(wdev))
3736 		return -EOPNOTSUPP;
3737 	if (wdev)
3738 		iftype = wdev->iftype;
3739 
3740 	if (link_id < 0) {
3741 		if (wdev && wdev->valid_links)
3742 			return -EINVAL;
3743 		link_id = 0;
3744 	}
3745 
3746 	result = _nl80211_parse_chandef(rdev, info->extack, info->attrs,
3747 					iftype == NL80211_IFTYPE_MONITOR,
3748 					&chandef);
3749 	if (result)
3750 		return result;
3751 
3752 	switch (iftype) {
3753 	case NL80211_IFTYPE_AP:
3754 	case NL80211_IFTYPE_P2P_GO:
3755 		if (!cfg80211_reg_can_beacon_relax(&rdev->wiphy, &chandef,
3756 						   iftype))
3757 			return -EINVAL;
3758 		if (wdev->links[link_id].ap.beacon_interval) {
3759 			struct ieee80211_channel *cur_chan;
3760 
3761 			if (!dev || !rdev->ops->set_ap_chanwidth ||
3762 			    !(rdev->wiphy.features &
3763 			      NL80211_FEATURE_AP_MODE_CHAN_WIDTH_CHANGE))
3764 				return -EBUSY;
3765 
3766 			/* Only allow dynamic channel width changes */
3767 			cur_chan = wdev->links[link_id].ap.chandef.chan;
3768 			if (chandef.chan != cur_chan)
3769 				return -EBUSY;
3770 
3771 			/* only allow this for regular channel widths */
3772 			switch (wdev->links[link_id].ap.chandef.width) {
3773 			case NL80211_CHAN_WIDTH_20_NOHT:
3774 			case NL80211_CHAN_WIDTH_20:
3775 			case NL80211_CHAN_WIDTH_40:
3776 			case NL80211_CHAN_WIDTH_80:
3777 			case NL80211_CHAN_WIDTH_80P80:
3778 			case NL80211_CHAN_WIDTH_160:
3779 			case NL80211_CHAN_WIDTH_320:
3780 				break;
3781 			default:
3782 				return -EINVAL;
3783 			}
3784 
3785 			switch (chandef.width) {
3786 			case NL80211_CHAN_WIDTH_20_NOHT:
3787 			case NL80211_CHAN_WIDTH_20:
3788 			case NL80211_CHAN_WIDTH_40:
3789 			case NL80211_CHAN_WIDTH_80:
3790 			case NL80211_CHAN_WIDTH_80P80:
3791 			case NL80211_CHAN_WIDTH_160:
3792 			case NL80211_CHAN_WIDTH_320:
3793 				break;
3794 			default:
3795 				return -EINVAL;
3796 			}
3797 
3798 			result = rdev_set_ap_chanwidth(rdev, dev, link_id,
3799 						       &chandef);
3800 			if (result)
3801 				return result;
3802 			wdev->links[link_id].ap.chandef = chandef;
3803 		} else {
3804 			wdev->u.ap.preset_chandef = chandef;
3805 		}
3806 		return 0;
3807 	case NL80211_IFTYPE_MESH_POINT:
3808 		return cfg80211_set_mesh_channel(rdev, wdev, &chandef);
3809 	case NL80211_IFTYPE_MONITOR:
3810 		return cfg80211_set_monitor_channel(rdev, dev, &chandef);
3811 	default:
3812 		break;
3813 	}
3814 
3815 	return -EINVAL;
3816 }
3817 
3818 static int nl80211_set_channel(struct sk_buff *skb, struct genl_info *info)
3819 {
3820 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
3821 	int link_id = nl80211_link_id_or_invalid(info->attrs);
3822 	struct net_device *netdev = info->user_ptr[1];
3823 
3824 	return __nl80211_set_channel(rdev, netdev, info, link_id);
3825 }
3826 
3827 static int nl80211_set_wiphy_radio(struct genl_info *info,
3828 				   struct cfg80211_registered_device *rdev,
3829 				   int radio_idx)
3830 {
3831 	u32 rts_threshold = 0, old_rts, changed = 0;
3832 	int result;
3833 
3834 	if (!rdev->ops->set_wiphy_params)
3835 		return -EOPNOTSUPP;
3836 
3837 	if (info->attrs[NL80211_ATTR_WIPHY_RTS_THRESHOLD]) {
3838 		rts_threshold = nla_get_u32(
3839 				info->attrs[NL80211_ATTR_WIPHY_RTS_THRESHOLD]);
3840 		changed |= WIPHY_PARAM_RTS_THRESHOLD;
3841 	}
3842 
3843 	old_rts = rdev->wiphy.radio_cfg[radio_idx].rts_threshold;
3844 
3845 	rdev->wiphy.radio_cfg[radio_idx].rts_threshold = rts_threshold;
3846 
3847 	result = rdev_set_wiphy_params(rdev, radio_idx, changed);
3848 	if (result)
3849 		rdev->wiphy.radio_cfg[radio_idx].rts_threshold = old_rts;
3850 
3851 	return 0;
3852 }
3853 
3854 static int nl80211_set_wiphy(struct sk_buff *skb, struct genl_info *info)
3855 {
3856 	struct cfg80211_registered_device *rdev = NULL;
3857 	struct net_device *netdev = NULL;
3858 	struct wireless_dev *wdev;
3859 	int result = 0, rem_txq_params = 0;
3860 	struct nlattr *nl_txq_params;
3861 	u32 changed;
3862 	u8 retry_short = 0, retry_long = 0;
3863 	u32 frag_threshold = 0, rts_threshold = 0;
3864 	u8 coverage_class = 0;
3865 	u32 txq_limit = 0, txq_memory_limit = 0, txq_quantum = 0;
3866 	int radio_idx = -1;
3867 
3868 	rtnl_lock();
3869 	/*
3870 	 * Try to find the wiphy and netdev. Normally this
3871 	 * function shouldn't need the netdev, but this is
3872 	 * done for backward compatibility -- previously
3873 	 * setting the channel was done per wiphy, but now
3874 	 * it is per netdev. Previous userland like hostapd
3875 	 * also passed a netdev to set_wiphy, so that it is
3876 	 * possible to let that go to the right netdev!
3877 	 */
3878 
3879 	if (info->attrs[NL80211_ATTR_IFINDEX]) {
3880 		int ifindex = nla_get_u32(info->attrs[NL80211_ATTR_IFINDEX]);
3881 
3882 		netdev = __dev_get_by_index(genl_info_net(info), ifindex);
3883 		if (netdev && netdev->ieee80211_ptr)
3884 			rdev = wiphy_to_rdev(netdev->ieee80211_ptr->wiphy);
3885 		else
3886 			netdev = NULL;
3887 	}
3888 
3889 	if (!netdev) {
3890 		rdev = __cfg80211_rdev_from_attrs(genl_info_net(info),
3891 						  info->attrs);
3892 		if (IS_ERR(rdev)) {
3893 			rtnl_unlock();
3894 			return PTR_ERR(rdev);
3895 		}
3896 		wdev = NULL;
3897 		netdev = NULL;
3898 		result = 0;
3899 	} else
3900 		wdev = netdev->ieee80211_ptr;
3901 
3902 	guard(wiphy)(&rdev->wiphy);
3903 
3904 	/*
3905 	 * end workaround code, by now the rdev is available
3906 	 * and locked, and wdev may or may not be NULL.
3907 	 */
3908 
3909 	if (info->attrs[NL80211_ATTR_WIPHY_NAME])
3910 		result = cfg80211_dev_rename(
3911 			rdev, nla_data(info->attrs[NL80211_ATTR_WIPHY_NAME]));
3912 	rtnl_unlock();
3913 
3914 	if (result)
3915 		return result;
3916 
3917 	if (info->attrs[NL80211_ATTR_WIPHY_RADIO_INDEX]) {
3918 		/* Radio idx is not expected for non-multi radio wiphy */
3919 		if (rdev->wiphy.n_radio <= 0)
3920 			return -EINVAL;
3921 
3922 		radio_idx = nla_get_u8(
3923 				info->attrs[NL80211_ATTR_WIPHY_RADIO_INDEX]);
3924 		if (radio_idx >= rdev->wiphy.n_radio)
3925 			return -EINVAL;
3926 
3927 		return nl80211_set_wiphy_radio(info, rdev, radio_idx);
3928 	}
3929 
3930 	if (info->attrs[NL80211_ATTR_WIPHY_TXQ_PARAMS]) {
3931 		struct ieee80211_txq_params txq_params;
3932 		struct nlattr *tb[NL80211_TXQ_ATTR_MAX + 1];
3933 
3934 		if (!rdev->ops->set_txq_params)
3935 			return -EOPNOTSUPP;
3936 
3937 		if (!netdev)
3938 			return -EINVAL;
3939 
3940 		if (netdev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
3941 		    netdev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
3942 			return -EINVAL;
3943 
3944 		if (!netif_running(netdev))
3945 			return -ENETDOWN;
3946 
3947 		nla_for_each_nested(nl_txq_params,
3948 				    info->attrs[NL80211_ATTR_WIPHY_TXQ_PARAMS],
3949 				    rem_txq_params) {
3950 			result = nla_parse_nested_deprecated(tb,
3951 							     NL80211_TXQ_ATTR_MAX,
3952 							     nl_txq_params,
3953 							     txq_params_policy,
3954 							     info->extack);
3955 			if (result)
3956 				return result;
3957 
3958 			result = parse_txq_params(tb, &txq_params);
3959 			if (result)
3960 				return result;
3961 
3962 			txq_params.link_id =
3963 				nl80211_link_id_or_invalid(info->attrs);
3964 
3965 			if (txq_params.link_id >= 0 &&
3966 			    !(netdev->ieee80211_ptr->valid_links &
3967 			      BIT(txq_params.link_id)))
3968 				result = -ENOLINK;
3969 			else if (txq_params.link_id >= 0 &&
3970 				 !netdev->ieee80211_ptr->valid_links)
3971 				result = -EINVAL;
3972 			else
3973 				result = rdev_set_txq_params(rdev, netdev,
3974 							     &txq_params);
3975 			if (result)
3976 				return result;
3977 		}
3978 	}
3979 
3980 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
3981 		int link_id = nl80211_link_id_or_invalid(info->attrs);
3982 
3983 		if (wdev) {
3984 			result = __nl80211_set_channel(
3985 				rdev,
3986 				nl80211_can_set_dev_channel(wdev) ? netdev : NULL,
3987 				info, link_id);
3988 		} else {
3989 			result = __nl80211_set_channel(rdev, netdev, info, link_id);
3990 		}
3991 
3992 		if (result)
3993 			return result;
3994 	}
3995 
3996 	if (info->attrs[NL80211_ATTR_WIPHY_TX_POWER_SETTING]) {
3997 		struct wireless_dev *txp_wdev = wdev;
3998 		enum nl80211_tx_power_setting type;
3999 		int idx, mbm = 0;
4000 
4001 		if (!(rdev->wiphy.features & NL80211_FEATURE_VIF_TXPOWER))
4002 			txp_wdev = NULL;
4003 
4004 		if (!rdev->ops->set_tx_power)
4005 			return -EOPNOTSUPP;
4006 
4007 		idx = NL80211_ATTR_WIPHY_TX_POWER_SETTING;
4008 		type = nla_get_u32(info->attrs[idx]);
4009 
4010 		if (!info->attrs[NL80211_ATTR_WIPHY_TX_POWER_LEVEL] &&
4011 		    (type != NL80211_TX_POWER_AUTOMATIC))
4012 			return -EINVAL;
4013 
4014 		if (type != NL80211_TX_POWER_AUTOMATIC) {
4015 			idx = NL80211_ATTR_WIPHY_TX_POWER_LEVEL;
4016 			mbm = nla_get_u32(info->attrs[idx]);
4017 		}
4018 
4019 		result = rdev_set_tx_power(rdev, txp_wdev, radio_idx, type,
4020 					   mbm);
4021 		if (result)
4022 			return result;
4023 	}
4024 
4025 	if (info->attrs[NL80211_ATTR_WIPHY_ANTENNA_TX] &&
4026 	    info->attrs[NL80211_ATTR_WIPHY_ANTENNA_RX]) {
4027 		u32 tx_ant, rx_ant;
4028 
4029 		if ((!rdev->wiphy.available_antennas_tx &&
4030 		     !rdev->wiphy.available_antennas_rx) ||
4031 		    !rdev->ops->set_antenna)
4032 			return -EOPNOTSUPP;
4033 
4034 		tx_ant = nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_ANTENNA_TX]);
4035 		rx_ant = nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_ANTENNA_RX]);
4036 
4037 		/* reject antenna configurations which don't match the
4038 		 * available antenna masks, except for the "all" mask */
4039 		if ((~tx_ant && (tx_ant & ~rdev->wiphy.available_antennas_tx)) ||
4040 		    (~rx_ant && (rx_ant & ~rdev->wiphy.available_antennas_rx)))
4041 			return -EINVAL;
4042 
4043 		tx_ant = tx_ant & rdev->wiphy.available_antennas_tx;
4044 		rx_ant = rx_ant & rdev->wiphy.available_antennas_rx;
4045 
4046 		result = rdev_set_antenna(rdev, radio_idx, tx_ant, rx_ant);
4047 		if (result)
4048 			return result;
4049 	}
4050 
4051 	changed = 0;
4052 
4053 	if (info->attrs[NL80211_ATTR_WIPHY_RETRY_SHORT]) {
4054 		retry_short = nla_get_u8(
4055 			info->attrs[NL80211_ATTR_WIPHY_RETRY_SHORT]);
4056 
4057 		changed |= WIPHY_PARAM_RETRY_SHORT;
4058 	}
4059 
4060 	if (info->attrs[NL80211_ATTR_WIPHY_RETRY_LONG]) {
4061 		retry_long = nla_get_u8(
4062 			info->attrs[NL80211_ATTR_WIPHY_RETRY_LONG]);
4063 
4064 		changed |= WIPHY_PARAM_RETRY_LONG;
4065 	}
4066 
4067 	if (info->attrs[NL80211_ATTR_WIPHY_FRAG_THRESHOLD]) {
4068 		frag_threshold = nla_get_u32(
4069 			info->attrs[NL80211_ATTR_WIPHY_FRAG_THRESHOLD]);
4070 		if (frag_threshold < 256)
4071 			return -EINVAL;
4072 
4073 		if (frag_threshold != (u32) -1) {
4074 			/*
4075 			 * Fragments (apart from the last one) are required to
4076 			 * have even length. Make the fragmentation code
4077 			 * simpler by stripping LSB should someone try to use
4078 			 * odd threshold value.
4079 			 */
4080 			frag_threshold &= ~0x1;
4081 		}
4082 		changed |= WIPHY_PARAM_FRAG_THRESHOLD;
4083 	}
4084 
4085 	if (info->attrs[NL80211_ATTR_WIPHY_RTS_THRESHOLD]) {
4086 		rts_threshold = nla_get_u32(
4087 			info->attrs[NL80211_ATTR_WIPHY_RTS_THRESHOLD]);
4088 		changed |= WIPHY_PARAM_RTS_THRESHOLD;
4089 	}
4090 
4091 	if (info->attrs[NL80211_ATTR_WIPHY_COVERAGE_CLASS]) {
4092 		if (info->attrs[NL80211_ATTR_WIPHY_DYN_ACK])
4093 			return -EINVAL;
4094 
4095 		coverage_class = nla_get_u8(
4096 			info->attrs[NL80211_ATTR_WIPHY_COVERAGE_CLASS]);
4097 		changed |= WIPHY_PARAM_COVERAGE_CLASS;
4098 	}
4099 
4100 	if (info->attrs[NL80211_ATTR_WIPHY_DYN_ACK]) {
4101 		if (!(rdev->wiphy.features & NL80211_FEATURE_ACKTO_ESTIMATION))
4102 			return -EOPNOTSUPP;
4103 
4104 		changed |= WIPHY_PARAM_DYN_ACK;
4105 	}
4106 
4107 	if (info->attrs[NL80211_ATTR_TXQ_LIMIT]) {
4108 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
4109 					     NL80211_EXT_FEATURE_TXQS))
4110 			return -EOPNOTSUPP;
4111 
4112 		txq_limit = nla_get_u32(
4113 			info->attrs[NL80211_ATTR_TXQ_LIMIT]);
4114 		changed |= WIPHY_PARAM_TXQ_LIMIT;
4115 	}
4116 
4117 	if (info->attrs[NL80211_ATTR_TXQ_MEMORY_LIMIT]) {
4118 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
4119 					     NL80211_EXT_FEATURE_TXQS))
4120 			return -EOPNOTSUPP;
4121 
4122 		txq_memory_limit = nla_get_u32(
4123 			info->attrs[NL80211_ATTR_TXQ_MEMORY_LIMIT]);
4124 		changed |= WIPHY_PARAM_TXQ_MEMORY_LIMIT;
4125 	}
4126 
4127 	if (info->attrs[NL80211_ATTR_TXQ_QUANTUM]) {
4128 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
4129 					     NL80211_EXT_FEATURE_TXQS))
4130 			return -EOPNOTSUPP;
4131 
4132 		txq_quantum = nla_get_u32(
4133 			info->attrs[NL80211_ATTR_TXQ_QUANTUM]);
4134 		changed |= WIPHY_PARAM_TXQ_QUANTUM;
4135 	}
4136 
4137 	if (changed) {
4138 		u8 old_retry_short, old_retry_long;
4139 		u32 old_frag_threshold, old_rts_threshold;
4140 		u8 old_coverage_class, i;
4141 		u32 old_txq_limit, old_txq_memory_limit, old_txq_quantum;
4142 		u32 *old_radio_rts_threshold = NULL;
4143 
4144 		if (!rdev->ops->set_wiphy_params)
4145 			return -EOPNOTSUPP;
4146 
4147 		if (rdev->wiphy.n_radio) {
4148 			old_radio_rts_threshold = kcalloc(rdev->wiphy.n_radio,
4149 							  sizeof(u32),
4150 							  GFP_KERNEL);
4151 			if (!old_radio_rts_threshold)
4152 				return -ENOMEM;
4153 		}
4154 
4155 		old_retry_short = rdev->wiphy.retry_short;
4156 		old_retry_long = rdev->wiphy.retry_long;
4157 		old_frag_threshold = rdev->wiphy.frag_threshold;
4158 		old_rts_threshold = rdev->wiphy.rts_threshold;
4159 		if (old_radio_rts_threshold) {
4160 			for (i = 0 ; i < rdev->wiphy.n_radio; i++)
4161 				old_radio_rts_threshold[i] =
4162 					rdev->wiphy.radio_cfg[i].rts_threshold;
4163 		}
4164 		old_coverage_class = rdev->wiphy.coverage_class;
4165 		old_txq_limit = rdev->wiphy.txq_limit;
4166 		old_txq_memory_limit = rdev->wiphy.txq_memory_limit;
4167 		old_txq_quantum = rdev->wiphy.txq_quantum;
4168 
4169 		if (changed & WIPHY_PARAM_RETRY_SHORT)
4170 			rdev->wiphy.retry_short = retry_short;
4171 		if (changed & WIPHY_PARAM_RETRY_LONG)
4172 			rdev->wiphy.retry_long = retry_long;
4173 		if (changed & WIPHY_PARAM_FRAG_THRESHOLD)
4174 			rdev->wiphy.frag_threshold = frag_threshold;
4175 		if ((changed & WIPHY_PARAM_RTS_THRESHOLD) &&
4176 		    old_radio_rts_threshold) {
4177 			rdev->wiphy.rts_threshold = rts_threshold;
4178 			for (i = 0 ; i < rdev->wiphy.n_radio; i++)
4179 				rdev->wiphy.radio_cfg[i].rts_threshold =
4180 					rdev->wiphy.rts_threshold;
4181 		}
4182 		if (changed & WIPHY_PARAM_COVERAGE_CLASS)
4183 			rdev->wiphy.coverage_class = coverage_class;
4184 		if (changed & WIPHY_PARAM_TXQ_LIMIT)
4185 			rdev->wiphy.txq_limit = txq_limit;
4186 		if (changed & WIPHY_PARAM_TXQ_MEMORY_LIMIT)
4187 			rdev->wiphy.txq_memory_limit = txq_memory_limit;
4188 		if (changed & WIPHY_PARAM_TXQ_QUANTUM)
4189 			rdev->wiphy.txq_quantum = txq_quantum;
4190 
4191 		result = rdev_set_wiphy_params(rdev, radio_idx, changed);
4192 		if (result) {
4193 			rdev->wiphy.retry_short = old_retry_short;
4194 			rdev->wiphy.retry_long = old_retry_long;
4195 			rdev->wiphy.frag_threshold = old_frag_threshold;
4196 			rdev->wiphy.rts_threshold = old_rts_threshold;
4197 			if (old_radio_rts_threshold) {
4198 				for (i = 0 ; i < rdev->wiphy.n_radio; i++)
4199 					rdev->wiphy.radio_cfg[i].rts_threshold =
4200 						old_radio_rts_threshold[i];
4201 			}
4202 			rdev->wiphy.coverage_class = old_coverage_class;
4203 			rdev->wiphy.txq_limit = old_txq_limit;
4204 			rdev->wiphy.txq_memory_limit = old_txq_memory_limit;
4205 			rdev->wiphy.txq_quantum = old_txq_quantum;
4206 		}
4207 
4208 		kfree(old_radio_rts_threshold);
4209 		return result;
4210 	}
4211 
4212 	return 0;
4213 }
4214 
4215 int nl80211_send_chandef(struct sk_buff *msg, const struct cfg80211_chan_def *chandef)
4216 {
4217 	if (WARN_ON(!cfg80211_chandef_valid(chandef)))
4218 		return -EINVAL;
4219 
4220 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ,
4221 			chandef->chan->center_freq))
4222 		return -ENOBUFS;
4223 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ_OFFSET,
4224 			chandef->chan->freq_offset))
4225 		return -ENOBUFS;
4226 	switch (chandef->width) {
4227 	case NL80211_CHAN_WIDTH_20_NOHT:
4228 	case NL80211_CHAN_WIDTH_20:
4229 	case NL80211_CHAN_WIDTH_40:
4230 		if (nla_put_u32(msg, NL80211_ATTR_WIPHY_CHANNEL_TYPE,
4231 				cfg80211_get_chandef_type(chandef)))
4232 			return -ENOBUFS;
4233 		break;
4234 	default:
4235 		break;
4236 	}
4237 	if (nla_put_u32(msg, NL80211_ATTR_CHANNEL_WIDTH, chandef->width))
4238 		return -ENOBUFS;
4239 	if (nla_put_u32(msg, NL80211_ATTR_CENTER_FREQ1, chandef->center_freq1))
4240 		return -ENOBUFS;
4241 	if (chandef->center_freq2 &&
4242 	    nla_put_u32(msg, NL80211_ATTR_CENTER_FREQ2, chandef->center_freq2))
4243 		return -ENOBUFS;
4244 	if (chandef->punctured &&
4245 	    nla_put_u32(msg, NL80211_ATTR_PUNCT_BITMAP, chandef->punctured))
4246 		return -ENOBUFS;
4247 	if (chandef->s1g_primary_2mhz &&
4248 	    nla_put_flag(msg, NL80211_ATTR_S1G_PRIMARY_2MHZ))
4249 		return -ENOBUFS;
4250 
4251 	return 0;
4252 }
4253 EXPORT_SYMBOL(nl80211_send_chandef);
4254 
4255 static int nl80211_send_iface(struct sk_buff *msg, u32 portid, u32 seq, int flags,
4256 			      struct cfg80211_registered_device *rdev,
4257 			      struct wireless_dev *wdev,
4258 			      enum nl80211_commands cmd)
4259 {
4260 	struct net_device *dev = wdev->netdev;
4261 	void *hdr;
4262 
4263 	lockdep_assert_wiphy(&rdev->wiphy);
4264 
4265 	WARN_ON(cmd != NL80211_CMD_NEW_INTERFACE &&
4266 		cmd != NL80211_CMD_DEL_INTERFACE &&
4267 		cmd != NL80211_CMD_SET_INTERFACE);
4268 
4269 	hdr = nl80211hdr_put(msg, portid, seq, flags, cmd);
4270 	if (!hdr)
4271 		return -1;
4272 
4273 	if (dev &&
4274 	    (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
4275 	     nla_put_string(msg, NL80211_ATTR_IFNAME, dev->name)))
4276 		goto nla_put_failure;
4277 
4278 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
4279 	    nla_put_u32(msg, NL80211_ATTR_IFTYPE, wdev->iftype) ||
4280 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
4281 			      NL80211_ATTR_PAD) ||
4282 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, wdev_address(wdev)) ||
4283 	    nla_put_u32(msg, NL80211_ATTR_GENERATION,
4284 			rdev->devlist_generation ^
4285 			(cfg80211_rdev_list_generation << 2)) ||
4286 	    nla_put_u8(msg, NL80211_ATTR_4ADDR, wdev->use_4addr) ||
4287 	    nla_put_u32(msg, NL80211_ATTR_VIF_RADIO_MASK, wdev->radio_mask))
4288 		goto nla_put_failure;
4289 
4290 	if (rdev->ops->get_channel && !wdev->valid_links) {
4291 		struct cfg80211_chan_def chandef = {};
4292 		int ret;
4293 
4294 		ret = rdev_get_channel(rdev, wdev, 0, &chandef);
4295 		if (ret == 0 && nl80211_send_chandef(msg, &chandef))
4296 			goto nla_put_failure;
4297 	}
4298 
4299 	if (rdev->ops->get_tx_power && !wdev->valid_links) {
4300 		int dbm, ret;
4301 
4302 		ret = rdev_get_tx_power(rdev, wdev, -1, 0, &dbm);
4303 		if (ret == 0 &&
4304 		    nla_put_u32(msg, NL80211_ATTR_WIPHY_TX_POWER_LEVEL,
4305 				DBM_TO_MBM(dbm)))
4306 			goto nla_put_failure;
4307 	}
4308 
4309 	switch (wdev->iftype) {
4310 	case NL80211_IFTYPE_AP:
4311 	case NL80211_IFTYPE_P2P_GO:
4312 		if (wdev->u.ap.ssid_len &&
4313 		    nla_put(msg, NL80211_ATTR_SSID, wdev->u.ap.ssid_len,
4314 			    wdev->u.ap.ssid))
4315 			goto nla_put_failure;
4316 		break;
4317 	case NL80211_IFTYPE_STATION:
4318 	case NL80211_IFTYPE_P2P_CLIENT:
4319 		if (wdev->u.client.ssid_len &&
4320 		    nla_put(msg, NL80211_ATTR_SSID, wdev->u.client.ssid_len,
4321 			    wdev->u.client.ssid))
4322 			goto nla_put_failure;
4323 		break;
4324 	case NL80211_IFTYPE_ADHOC:
4325 		if (wdev->u.ibss.ssid_len &&
4326 		    nla_put(msg, NL80211_ATTR_SSID, wdev->u.ibss.ssid_len,
4327 			    wdev->u.ibss.ssid))
4328 			goto nla_put_failure;
4329 		break;
4330 	default:
4331 		/* nothing */
4332 		break;
4333 	}
4334 
4335 	if (rdev->ops->get_txq_stats) {
4336 		struct cfg80211_txq_stats txqstats = {};
4337 		int ret = rdev_get_txq_stats(rdev, wdev, &txqstats);
4338 
4339 		if (ret == 0 &&
4340 		    !nl80211_put_txq_stats(msg, &txqstats,
4341 					   NL80211_ATTR_TXQ_STATS))
4342 			goto nla_put_failure;
4343 	}
4344 
4345 	if (wdev->valid_links) {
4346 		unsigned int link_id;
4347 		struct nlattr *links = nla_nest_start(msg,
4348 						      NL80211_ATTR_MLO_LINKS);
4349 
4350 		if (!links)
4351 			goto nla_put_failure;
4352 
4353 		for_each_valid_link(wdev, link_id) {
4354 			struct nlattr *link = nla_nest_start(msg, link_id + 1);
4355 			struct cfg80211_chan_def chandef = {};
4356 			int ret;
4357 
4358 			if (!link)
4359 				goto nla_put_failure;
4360 
4361 			if (nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID, link_id))
4362 				goto nla_put_failure;
4363 			if (nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN,
4364 				    wdev->links[link_id].addr))
4365 				goto nla_put_failure;
4366 
4367 			ret = rdev_get_channel(rdev, wdev, link_id, &chandef);
4368 			if (ret == 0 && nl80211_send_chandef(msg, &chandef))
4369 				goto nla_put_failure;
4370 
4371 			if (rdev->ops->get_tx_power) {
4372 				int dbm, ret;
4373 
4374 				ret = rdev_get_tx_power(rdev, wdev, -1, link_id, &dbm);
4375 				if (ret == 0 &&
4376 				    nla_put_u32(msg, NL80211_ATTR_WIPHY_TX_POWER_LEVEL,
4377 						DBM_TO_MBM(dbm)))
4378 					goto nla_put_failure;
4379 			}
4380 			nla_nest_end(msg, link);
4381 		}
4382 
4383 		nla_nest_end(msg, links);
4384 	}
4385 
4386 	genlmsg_end(msg, hdr);
4387 	return 0;
4388 
4389  nla_put_failure:
4390 	genlmsg_cancel(msg, hdr);
4391 	return -EMSGSIZE;
4392 }
4393 
4394 static int nl80211_dump_interface(struct sk_buff *skb, struct netlink_callback *cb)
4395 {
4396 	int wp_idx = 0;
4397 	int if_idx = 0;
4398 	int wp_start = cb->args[0];
4399 	int if_start = cb->args[1];
4400 	int filter_wiphy = -1;
4401 	struct cfg80211_registered_device *rdev;
4402 	struct wireless_dev *wdev;
4403 	int ret;
4404 
4405 	rtnl_lock();
4406 	if (!cb->args[2]) {
4407 		struct nl80211_dump_wiphy_state state = {
4408 			.filter_wiphy = -1,
4409 		};
4410 
4411 		ret = nl80211_dump_wiphy_parse(skb, cb, &state);
4412 		if (ret)
4413 			goto out_unlock;
4414 
4415 		filter_wiphy = state.filter_wiphy;
4416 
4417 		/*
4418 		 * if filtering, set cb->args[2] to +1 since 0 is the default
4419 		 * value needed to determine that parsing is necessary.
4420 		 */
4421 		if (filter_wiphy >= 0)
4422 			cb->args[2] = filter_wiphy + 1;
4423 		else
4424 			cb->args[2] = -1;
4425 	} else if (cb->args[2] > 0) {
4426 		filter_wiphy = cb->args[2] - 1;
4427 	}
4428 
4429 	for_each_rdev(rdev) {
4430 		if (!net_eq(wiphy_net(&rdev->wiphy), sock_net(skb->sk)))
4431 			continue;
4432 		if (wp_idx < wp_start) {
4433 			wp_idx++;
4434 			continue;
4435 		}
4436 
4437 		if (filter_wiphy >= 0 && filter_wiphy != rdev->wiphy_idx)
4438 			continue;
4439 
4440 		if_idx = 0;
4441 
4442 		guard(wiphy)(&rdev->wiphy);
4443 
4444 		list_for_each_entry(wdev, &rdev->wiphy.wdev_list, list) {
4445 			if (if_idx < if_start) {
4446 				if_idx++;
4447 				continue;
4448 			}
4449 
4450 			if (nl80211_send_iface(skb, NETLINK_CB(cb->skb).portid,
4451 					       cb->nlh->nlmsg_seq, NLM_F_MULTI,
4452 					       rdev, wdev,
4453 					       NL80211_CMD_NEW_INTERFACE) < 0)
4454 				goto out;
4455 
4456 			if_idx++;
4457 		}
4458 
4459 		if_start = 0;
4460 		wp_idx++;
4461 	}
4462  out:
4463 	cb->args[0] = wp_idx;
4464 	cb->args[1] = if_idx;
4465 
4466 	ret = skb->len;
4467  out_unlock:
4468 	rtnl_unlock();
4469 
4470 	return ret;
4471 }
4472 
4473 static int nl80211_get_interface(struct sk_buff *skb, struct genl_info *info)
4474 {
4475 	struct sk_buff *msg;
4476 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4477 	struct wireless_dev *wdev = info->user_ptr[1];
4478 
4479 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
4480 	if (!msg)
4481 		return -ENOMEM;
4482 
4483 	if (nl80211_send_iface(msg, info->snd_portid, info->snd_seq, 0,
4484 			       rdev, wdev, NL80211_CMD_NEW_INTERFACE) < 0) {
4485 		nlmsg_free(msg);
4486 		return -ENOBUFS;
4487 	}
4488 
4489 	return genlmsg_reply(msg, info);
4490 }
4491 
4492 static const struct nla_policy mntr_flags_policy[NL80211_MNTR_FLAG_MAX + 1] = {
4493 	[NL80211_MNTR_FLAG_FCSFAIL] = { .type = NLA_FLAG },
4494 	[NL80211_MNTR_FLAG_PLCPFAIL] = { .type = NLA_FLAG },
4495 	[NL80211_MNTR_FLAG_CONTROL] = { .type = NLA_FLAG },
4496 	[NL80211_MNTR_FLAG_OTHER_BSS] = { .type = NLA_FLAG },
4497 	[NL80211_MNTR_FLAG_COOK_FRAMES] = { .type = NLA_FLAG },
4498 	[NL80211_MNTR_FLAG_ACTIVE] = { .type = NLA_FLAG },
4499 	[NL80211_MNTR_FLAG_SKIP_TX] = { .type = NLA_FLAG },
4500 };
4501 
4502 static int parse_monitor_flags(struct nlattr *nla, u32 *mntrflags)
4503 {
4504 	struct nlattr *flags[NL80211_MNTR_FLAG_MAX + 1];
4505 	int flag;
4506 
4507 	*mntrflags = 0;
4508 
4509 	if (!nla)
4510 		return -EINVAL;
4511 
4512 	if (nla_parse_nested_deprecated(flags, NL80211_MNTR_FLAG_MAX, nla, mntr_flags_policy, NULL))
4513 		return -EINVAL;
4514 
4515 	for (flag = 1; flag <= NL80211_MNTR_FLAG_MAX; flag++)
4516 		if (flags[flag])
4517 			*mntrflags |= (1<<flag);
4518 
4519 	/* cooked monitor mode is incompatible with other modes */
4520 	if (*mntrflags & MONITOR_FLAG_COOK_FRAMES &&
4521 	    *mntrflags != MONITOR_FLAG_COOK_FRAMES)
4522 		return -EOPNOTSUPP;
4523 
4524 	*mntrflags |= MONITOR_FLAG_CHANGED;
4525 
4526 	return 0;
4527 }
4528 
4529 static int nl80211_parse_mon_options(struct cfg80211_registered_device *rdev,
4530 				     enum nl80211_iftype type,
4531 				     struct genl_info *info,
4532 				     struct vif_params *params)
4533 {
4534 	bool change = false;
4535 	int err;
4536 
4537 	if (info->attrs[NL80211_ATTR_MNTR_FLAGS]) {
4538 		if (type != NL80211_IFTYPE_MONITOR)
4539 			return -EINVAL;
4540 
4541 		err = parse_monitor_flags(info->attrs[NL80211_ATTR_MNTR_FLAGS],
4542 					  &params->flags);
4543 		if (err)
4544 			return err;
4545 
4546 		change = true;
4547 	}
4548 
4549 	/* MONITOR_FLAG_COOK_FRAMES is deprecated, refuse cooperation */
4550 	if (params->flags & MONITOR_FLAG_COOK_FRAMES)
4551 		return -EOPNOTSUPP;
4552 
4553 	if (params->flags & MONITOR_FLAG_ACTIVE &&
4554 	    !(rdev->wiphy.features & NL80211_FEATURE_ACTIVE_MONITOR))
4555 		return -EOPNOTSUPP;
4556 
4557 	if (info->attrs[NL80211_ATTR_MU_MIMO_GROUP_DATA]) {
4558 		const u8 *mumimo_groups;
4559 		u32 cap_flag = NL80211_EXT_FEATURE_MU_MIMO_AIR_SNIFFER;
4560 
4561 		if (type != NL80211_IFTYPE_MONITOR)
4562 			return -EINVAL;
4563 
4564 		if (!wiphy_ext_feature_isset(&rdev->wiphy, cap_flag))
4565 			return -EOPNOTSUPP;
4566 
4567 		mumimo_groups =
4568 			nla_data(info->attrs[NL80211_ATTR_MU_MIMO_GROUP_DATA]);
4569 
4570 		/* bits 0 and 63 are reserved and must be zero */
4571 		if ((mumimo_groups[0] & BIT(0)) ||
4572 		    (mumimo_groups[VHT_MUMIMO_GROUPS_DATA_LEN - 1] & BIT(7)))
4573 			return -EINVAL;
4574 
4575 		params->vht_mumimo_groups = mumimo_groups;
4576 		change = true;
4577 	}
4578 
4579 	if (info->attrs[NL80211_ATTR_MU_MIMO_FOLLOW_MAC_ADDR]) {
4580 		u32 cap_flag = NL80211_EXT_FEATURE_MU_MIMO_AIR_SNIFFER;
4581 
4582 		if (type != NL80211_IFTYPE_MONITOR)
4583 			return -EINVAL;
4584 
4585 		if (!wiphy_ext_feature_isset(&rdev->wiphy, cap_flag))
4586 			return -EOPNOTSUPP;
4587 
4588 		params->vht_mumimo_follow_addr =
4589 			nla_data(info->attrs[NL80211_ATTR_MU_MIMO_FOLLOW_MAC_ADDR]);
4590 		change = true;
4591 	}
4592 
4593 	return change ? 1 : 0;
4594 }
4595 
4596 static int nl80211_valid_4addr(struct cfg80211_registered_device *rdev,
4597 			       struct net_device *netdev, u8 use_4addr,
4598 			       enum nl80211_iftype iftype)
4599 {
4600 	if (!use_4addr) {
4601 		if (netdev && netif_is_bridge_port(netdev))
4602 			return -EBUSY;
4603 		return 0;
4604 	}
4605 
4606 	switch (iftype) {
4607 	case NL80211_IFTYPE_AP_VLAN:
4608 		if (rdev->wiphy.flags & WIPHY_FLAG_4ADDR_AP)
4609 			return 0;
4610 		break;
4611 	case NL80211_IFTYPE_STATION:
4612 		if (rdev->wiphy.flags & WIPHY_FLAG_4ADDR_STATION)
4613 			return 0;
4614 		break;
4615 	default:
4616 		break;
4617 	}
4618 
4619 	return -EOPNOTSUPP;
4620 }
4621 
4622 static int nl80211_parse_vif_radio_mask(struct genl_info *info,
4623 					u32 *radio_mask)
4624 {
4625 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4626 	struct nlattr *attr = info->attrs[NL80211_ATTR_VIF_RADIO_MASK];
4627 	u32 mask, allowed;
4628 
4629 	if (!attr) {
4630 		*radio_mask = 0;
4631 		return 0;
4632 	}
4633 
4634 	allowed = BIT(rdev->wiphy.n_radio) - 1;
4635 	mask = nla_get_u32(attr);
4636 	if (mask & ~allowed)
4637 		return -EINVAL;
4638 	if (!mask)
4639 		mask = allowed;
4640 	*radio_mask = mask;
4641 
4642 	return 1;
4643 }
4644 
4645 static int nl80211_set_interface(struct sk_buff *skb, struct genl_info *info)
4646 {
4647 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4648 	struct vif_params params;
4649 	int err;
4650 	enum nl80211_iftype otype, ntype;
4651 	struct net_device *dev = info->user_ptr[1];
4652 	struct wireless_dev *wdev = dev->ieee80211_ptr;
4653 	u32 radio_mask = 0;
4654 	bool change = false;
4655 
4656 	memset(&params, 0, sizeof(params));
4657 
4658 	otype = ntype = dev->ieee80211_ptr->iftype;
4659 
4660 	if (info->attrs[NL80211_ATTR_IFTYPE]) {
4661 		ntype = nla_get_u32(info->attrs[NL80211_ATTR_IFTYPE]);
4662 		if (otype != ntype)
4663 			change = true;
4664 	}
4665 
4666 	if (info->attrs[NL80211_ATTR_MESH_ID]) {
4667 		if (ntype != NL80211_IFTYPE_MESH_POINT)
4668 			return -EINVAL;
4669 		if (otype != NL80211_IFTYPE_MESH_POINT)
4670 			return -EINVAL;
4671 		if (netif_running(dev))
4672 			return -EBUSY;
4673 
4674 		wdev->u.mesh.id_up_len =
4675 			nla_len(info->attrs[NL80211_ATTR_MESH_ID]);
4676 		memcpy(wdev->u.mesh.id,
4677 		       nla_data(info->attrs[NL80211_ATTR_MESH_ID]),
4678 		       wdev->u.mesh.id_up_len);
4679 	}
4680 
4681 	if (info->attrs[NL80211_ATTR_4ADDR]) {
4682 		params.use_4addr = !!nla_get_u8(info->attrs[NL80211_ATTR_4ADDR]);
4683 		change = true;
4684 		err = nl80211_valid_4addr(rdev, dev, params.use_4addr, ntype);
4685 		if (err)
4686 			return err;
4687 	} else {
4688 		params.use_4addr = -1;
4689 	}
4690 
4691 	err = nl80211_parse_mon_options(rdev, ntype, info, &params);
4692 	if (err < 0)
4693 		return err;
4694 	if (err > 0)
4695 		change = true;
4696 
4697 	err = nl80211_parse_vif_radio_mask(info, &radio_mask);
4698 	if (err < 0)
4699 		return err;
4700 	if (err && netif_running(dev))
4701 		return -EBUSY;
4702 
4703 	if (change)
4704 		err = cfg80211_change_iface(rdev, dev, ntype, &params);
4705 	else
4706 		err = 0;
4707 
4708 	if (!err && params.use_4addr != -1)
4709 		dev->ieee80211_ptr->use_4addr = params.use_4addr;
4710 
4711 	if (radio_mask)
4712 		wdev->radio_mask = radio_mask;
4713 
4714 	if (change && !err)
4715 		nl80211_notify_iface(rdev, wdev, NL80211_CMD_SET_INTERFACE);
4716 
4717 	return err;
4718 }
4719 
4720 static int _nl80211_new_interface(struct sk_buff *skb, struct genl_info *info)
4721 {
4722 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4723 	struct vif_params params;
4724 	struct wireless_dev *wdev;
4725 	struct sk_buff *msg;
4726 	u32 radio_mask;
4727 	int err;
4728 	enum nl80211_iftype type = NL80211_IFTYPE_UNSPECIFIED;
4729 
4730 	memset(&params, 0, sizeof(params));
4731 
4732 	if (!info->attrs[NL80211_ATTR_IFNAME])
4733 		return -EINVAL;
4734 
4735 	if (info->attrs[NL80211_ATTR_IFTYPE])
4736 		type = nla_get_u32(info->attrs[NL80211_ATTR_IFTYPE]);
4737 
4738 	if (!rdev->ops->add_virtual_intf)
4739 		return -EOPNOTSUPP;
4740 
4741 	if ((type == NL80211_IFTYPE_P2P_DEVICE || type == NL80211_IFTYPE_NAN ||
4742 	     rdev->wiphy.features & NL80211_FEATURE_MAC_ON_CREATE) &&
4743 	    info->attrs[NL80211_ATTR_MAC]) {
4744 		nla_memcpy(params.macaddr, info->attrs[NL80211_ATTR_MAC],
4745 			   ETH_ALEN);
4746 		if (!is_valid_ether_addr(params.macaddr))
4747 			return -EADDRNOTAVAIL;
4748 	}
4749 
4750 	if (info->attrs[NL80211_ATTR_4ADDR]) {
4751 		params.use_4addr = !!nla_get_u8(info->attrs[NL80211_ATTR_4ADDR]);
4752 		err = nl80211_valid_4addr(rdev, NULL, params.use_4addr, type);
4753 		if (err)
4754 			return err;
4755 	}
4756 
4757 	if (!cfg80211_iftype_allowed(&rdev->wiphy, type, params.use_4addr, 0))
4758 		return -EOPNOTSUPP;
4759 
4760 	err = nl80211_parse_mon_options(rdev, type, info, &params);
4761 	if (err < 0)
4762 		return err;
4763 
4764 	err = nl80211_parse_vif_radio_mask(info, &radio_mask);
4765 	if (err < 0)
4766 		return err;
4767 
4768 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
4769 	if (!msg)
4770 		return -ENOMEM;
4771 
4772 	wdev = rdev_add_virtual_intf(rdev,
4773 				nla_data(info->attrs[NL80211_ATTR_IFNAME]),
4774 				NET_NAME_USER, type, &params);
4775 	if (WARN_ON(!wdev)) {
4776 		nlmsg_free(msg);
4777 		return -EPROTO;
4778 	} else if (IS_ERR(wdev)) {
4779 		nlmsg_free(msg);
4780 		return PTR_ERR(wdev);
4781 	}
4782 
4783 	if (info->attrs[NL80211_ATTR_SOCKET_OWNER])
4784 		wdev->owner_nlportid = info->snd_portid;
4785 
4786 	switch (type) {
4787 	case NL80211_IFTYPE_MESH_POINT:
4788 		if (!info->attrs[NL80211_ATTR_MESH_ID])
4789 			break;
4790 		wdev->u.mesh.id_up_len =
4791 			nla_len(info->attrs[NL80211_ATTR_MESH_ID]);
4792 		memcpy(wdev->u.mesh.id,
4793 		       nla_data(info->attrs[NL80211_ATTR_MESH_ID]),
4794 		       wdev->u.mesh.id_up_len);
4795 		break;
4796 	case NL80211_IFTYPE_NAN:
4797 	case NL80211_IFTYPE_P2P_DEVICE:
4798 		/*
4799 		 * P2P Device and NAN do not have a netdev, so don't go
4800 		 * through the netdev notifier and must be added here
4801 		 */
4802 		cfg80211_init_wdev(wdev);
4803 		cfg80211_register_wdev(rdev, wdev);
4804 		break;
4805 	default:
4806 		break;
4807 	}
4808 
4809 	if (radio_mask)
4810 		wdev->radio_mask = radio_mask;
4811 
4812 	if (nl80211_send_iface(msg, info->snd_portid, info->snd_seq, 0,
4813 			       rdev, wdev, NL80211_CMD_NEW_INTERFACE) < 0) {
4814 		nlmsg_free(msg);
4815 		return -ENOBUFS;
4816 	}
4817 
4818 	return genlmsg_reply(msg, info);
4819 }
4820 
4821 static int nl80211_new_interface(struct sk_buff *skb, struct genl_info *info)
4822 {
4823 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4824 
4825 	/* to avoid failing a new interface creation due to pending removal */
4826 	cfg80211_destroy_ifaces(rdev);
4827 
4828 	guard(wiphy)(&rdev->wiphy);
4829 
4830 	return _nl80211_new_interface(skb, info);
4831 }
4832 
4833 static int nl80211_del_interface(struct sk_buff *skb, struct genl_info *info)
4834 {
4835 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4836 	struct wireless_dev *wdev = info->user_ptr[1];
4837 
4838 	if (!rdev->ops->del_virtual_intf)
4839 		return -EOPNOTSUPP;
4840 
4841 	/*
4842 	 * We hold RTNL, so this is safe, without RTNL opencount cannot
4843 	 * reach 0, and thus the rdev cannot be deleted.
4844 	 *
4845 	 * We need to do it for the dev_close(), since that will call
4846 	 * the netdev notifiers, and we need to acquire the mutex there
4847 	 * but don't know if we get there from here or from some other
4848 	 * place (e.g. "ip link set ... down").
4849 	 */
4850 	mutex_unlock(&rdev->wiphy.mtx);
4851 
4852 	/*
4853 	 * If we remove a wireless device without a netdev then clear
4854 	 * user_ptr[1] so that nl80211_post_doit won't dereference it
4855 	 * to check if it needs to do dev_put(). Otherwise it crashes
4856 	 * since the wdev has been freed, unlike with a netdev where
4857 	 * we need the dev_put() for the netdev to really be freed.
4858 	 */
4859 	if (!wdev->netdev)
4860 		info->user_ptr[1] = NULL;
4861 	else
4862 		dev_close(wdev->netdev);
4863 
4864 	mutex_lock(&rdev->wiphy.mtx);
4865 
4866 	return cfg80211_remove_virtual_intf(rdev, wdev);
4867 }
4868 
4869 static int nl80211_set_noack_map(struct sk_buff *skb, struct genl_info *info)
4870 {
4871 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4872 	struct net_device *dev = info->user_ptr[1];
4873 	u16 noack_map;
4874 
4875 	if (!info->attrs[NL80211_ATTR_NOACK_MAP])
4876 		return -EINVAL;
4877 
4878 	if (!rdev->ops->set_noack_map)
4879 		return -EOPNOTSUPP;
4880 
4881 	noack_map = nla_get_u16(info->attrs[NL80211_ATTR_NOACK_MAP]);
4882 
4883 	return rdev_set_noack_map(rdev, dev, noack_map);
4884 }
4885 
4886 static int nl80211_validate_key_link_id(struct genl_info *info,
4887 					struct wireless_dev *wdev,
4888 					int link_id, bool pairwise)
4889 {
4890 	if (pairwise) {
4891 		if (link_id != -1) {
4892 			GENL_SET_ERR_MSG(info,
4893 					 "link ID not allowed for pairwise key");
4894 			return -EINVAL;
4895 		}
4896 
4897 		return 0;
4898 	}
4899 
4900 	if (wdev->valid_links) {
4901 		if (link_id == -1) {
4902 			GENL_SET_ERR_MSG(info,
4903 					 "link ID must for MLO group key");
4904 			return -EINVAL;
4905 		}
4906 		if (!(wdev->valid_links & BIT(link_id))) {
4907 			GENL_SET_ERR_MSG(info, "invalid link ID for MLO group key");
4908 			return -EINVAL;
4909 		}
4910 	} else if (link_id != -1) {
4911 		GENL_SET_ERR_MSG(info, "link ID not allowed for non-MLO group key");
4912 		return -EINVAL;
4913 	}
4914 
4915 	return 0;
4916 }
4917 
4918 struct get_key_cookie {
4919 	struct sk_buff *msg;
4920 	int error;
4921 	int idx;
4922 };
4923 
4924 static void get_key_callback(void *c, struct key_params *params)
4925 {
4926 	struct nlattr *key;
4927 	struct get_key_cookie *cookie = c;
4928 
4929 	if ((params->seq &&
4930 	     nla_put(cookie->msg, NL80211_ATTR_KEY_SEQ,
4931 		     params->seq_len, params->seq)) ||
4932 	    (params->cipher &&
4933 	     nla_put_u32(cookie->msg, NL80211_ATTR_KEY_CIPHER,
4934 			 params->cipher)))
4935 		goto nla_put_failure;
4936 
4937 	key = nla_nest_start_noflag(cookie->msg, NL80211_ATTR_KEY);
4938 	if (!key)
4939 		goto nla_put_failure;
4940 
4941 	if ((params->seq &&
4942 	     nla_put(cookie->msg, NL80211_KEY_SEQ,
4943 		     params->seq_len, params->seq)) ||
4944 	    (params->cipher &&
4945 	     nla_put_u32(cookie->msg, NL80211_KEY_CIPHER,
4946 			 params->cipher)))
4947 		goto nla_put_failure;
4948 
4949 	if (nla_put_u8(cookie->msg, NL80211_KEY_IDX, cookie->idx))
4950 		goto nla_put_failure;
4951 
4952 	nla_nest_end(cookie->msg, key);
4953 
4954 	return;
4955  nla_put_failure:
4956 	cookie->error = 1;
4957 }
4958 
4959 static int nl80211_get_key(struct sk_buff *skb, struct genl_info *info)
4960 {
4961 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4962 	int err;
4963 	struct wireless_dev *wdev = info->user_ptr[1];
4964 	u8 key_idx = 0;
4965 	const u8 *mac_addr = NULL;
4966 	bool pairwise;
4967 	struct get_key_cookie cookie = {
4968 		.error = 0,
4969 	};
4970 	void *hdr;
4971 	struct sk_buff *msg;
4972 	bool bigtk_support = false;
4973 	int link_id = nl80211_link_id_or_invalid(info->attrs);
4974 
4975 	if (wiphy_ext_feature_isset(&rdev->wiphy,
4976 				    NL80211_EXT_FEATURE_BEACON_PROTECTION))
4977 		bigtk_support = true;
4978 
4979 	if ((wdev->iftype == NL80211_IFTYPE_STATION ||
4980 	     wdev->iftype == NL80211_IFTYPE_P2P_CLIENT) &&
4981 	    wiphy_ext_feature_isset(&rdev->wiphy,
4982 				    NL80211_EXT_FEATURE_BEACON_PROTECTION_CLIENT))
4983 		bigtk_support = true;
4984 
4985 	if (info->attrs[NL80211_ATTR_KEY_IDX]) {
4986 		key_idx = nla_get_u8(info->attrs[NL80211_ATTR_KEY_IDX]);
4987 
4988 		if (key_idx >= 6 && key_idx <= 7 && !bigtk_support) {
4989 			GENL_SET_ERR_MSG(info, "BIGTK not supported");
4990 			return -EINVAL;
4991 		}
4992 	}
4993 
4994 	if (info->attrs[NL80211_ATTR_MAC])
4995 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
4996 
4997 	pairwise = !!mac_addr;
4998 	if (info->attrs[NL80211_ATTR_KEY_TYPE]) {
4999 		u32 kt = nla_get_u32(info->attrs[NL80211_ATTR_KEY_TYPE]);
5000 
5001 		if (kt != NL80211_KEYTYPE_GROUP &&
5002 		    kt != NL80211_KEYTYPE_PAIRWISE)
5003 			return -EINVAL;
5004 		pairwise = kt == NL80211_KEYTYPE_PAIRWISE;
5005 	}
5006 
5007 	if (!rdev->ops->get_key)
5008 		return -EOPNOTSUPP;
5009 
5010 	if (!pairwise && mac_addr && !(rdev->wiphy.flags & WIPHY_FLAG_IBSS_RSN))
5011 		return -ENOENT;
5012 
5013 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
5014 	if (!msg)
5015 		return -ENOMEM;
5016 
5017 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
5018 			     NL80211_CMD_NEW_KEY);
5019 	if (!hdr)
5020 		goto nla_put_failure;
5021 
5022 	cookie.msg = msg;
5023 	cookie.idx = key_idx;
5024 
5025 	if ((wdev->netdev &&
5026 	     nla_put_u32(msg, NL80211_ATTR_IFINDEX, wdev->netdev->ifindex)) ||
5027 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
5028 			      NL80211_ATTR_PAD) ||
5029 	    nla_put_u8(msg, NL80211_ATTR_KEY_IDX, key_idx))
5030 		goto nla_put_failure;
5031 	if (mac_addr &&
5032 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac_addr))
5033 		goto nla_put_failure;
5034 
5035 	err = nl80211_validate_key_link_id(info, wdev, link_id, pairwise);
5036 	if (err)
5037 		goto free_msg;
5038 
5039 	err = rdev_get_key(rdev, wdev, link_id, key_idx, pairwise, mac_addr,
5040 			   &cookie, get_key_callback);
5041 
5042 	if (err)
5043 		goto free_msg;
5044 
5045 	if (cookie.error)
5046 		goto nla_put_failure;
5047 
5048 	genlmsg_end(msg, hdr);
5049 	return genlmsg_reply(msg, info);
5050 
5051  nla_put_failure:
5052 	err = -ENOBUFS;
5053  free_msg:
5054 	nlmsg_free(msg);
5055 	return err;
5056 }
5057 
5058 static int nl80211_set_key(struct sk_buff *skb, struct genl_info *info)
5059 {
5060 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
5061 	struct key_parse key;
5062 	int err;
5063 	struct wireless_dev *wdev = info->user_ptr[1];
5064 	int link_id = nl80211_link_id_or_invalid(info->attrs);
5065 
5066 	err = nl80211_parse_key(info, &key);
5067 	if (err)
5068 		return err;
5069 
5070 	if (key.idx < 0)
5071 		return -EINVAL;
5072 
5073 	/* Only support setting default key and
5074 	 * Extended Key ID action NL80211_KEY_SET_TX.
5075 	 */
5076 	if (!key.def && !key.defmgmt && !key.defbeacon &&
5077 	    !(key.p.mode == NL80211_KEY_SET_TX))
5078 		return -EINVAL;
5079 
5080 	if (key.def) {
5081 		if (!rdev->ops->set_default_key)
5082 			return -EOPNOTSUPP;
5083 
5084 		if (!wdev->netdev)
5085 			return -EINVAL;
5086 
5087 		err = nl80211_key_allowed(wdev);
5088 		if (err)
5089 			return err;
5090 
5091 		err = nl80211_validate_key_link_id(info, wdev, link_id, false);
5092 		if (err)
5093 			return err;
5094 
5095 		err = rdev_set_default_key(rdev, wdev->netdev, link_id, key.idx,
5096 					   key.def_uni, key.def_multi);
5097 
5098 		if (err)
5099 			return err;
5100 
5101 #ifdef CONFIG_CFG80211_WEXT
5102 		wdev->wext.default_key = key.idx;
5103 #endif
5104 		return 0;
5105 	} else if (key.defmgmt) {
5106 		if (key.def_uni || !key.def_multi)
5107 			return -EINVAL;
5108 
5109 		if (!rdev->ops->set_default_mgmt_key)
5110 			return -EOPNOTSUPP;
5111 
5112 		err = nl80211_key_allowed(wdev);
5113 		if (err)
5114 			return err;
5115 
5116 		err = nl80211_validate_key_link_id(info, wdev, link_id, false);
5117 		if (err)
5118 			return err;
5119 
5120 		err = rdev_set_default_mgmt_key(rdev, wdev, link_id, key.idx);
5121 		if (err)
5122 			return err;
5123 
5124 #ifdef CONFIG_CFG80211_WEXT
5125 		wdev->wext.default_mgmt_key = key.idx;
5126 #endif
5127 		return 0;
5128 	} else if (key.defbeacon) {
5129 		if (key.def_uni || !key.def_multi)
5130 			return -EINVAL;
5131 
5132 		if (!rdev->ops->set_default_beacon_key)
5133 			return -EOPNOTSUPP;
5134 
5135 		err = nl80211_key_allowed(wdev);
5136 		if (err)
5137 			return err;
5138 
5139 		err = nl80211_validate_key_link_id(info, wdev, link_id, false);
5140 		if (err)
5141 			return err;
5142 
5143 		return rdev_set_default_beacon_key(rdev, wdev, link_id,
5144 						   key.idx);
5145 	} else if (key.p.mode == NL80211_KEY_SET_TX &&
5146 		   wiphy_ext_feature_isset(&rdev->wiphy,
5147 					   NL80211_EXT_FEATURE_EXT_KEY_ID)) {
5148 		u8 *mac_addr = NULL;
5149 
5150 		if (info->attrs[NL80211_ATTR_MAC])
5151 			mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
5152 
5153 		if (!mac_addr || key.idx < 0 || key.idx > 1)
5154 			return -EINVAL;
5155 
5156 		err = nl80211_validate_key_link_id(info, wdev, link_id, true);
5157 		if (err)
5158 			return err;
5159 
5160 		return rdev_add_key(rdev, wdev, link_id, key.idx,
5161 				    NL80211_KEYTYPE_PAIRWISE,
5162 				    mac_addr, &key.p);
5163 	}
5164 
5165 	return -EINVAL;
5166 }
5167 
5168 static int nl80211_new_key(struct sk_buff *skb, struct genl_info *info)
5169 {
5170 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
5171 	int err;
5172 	struct wireless_dev *wdev = info->user_ptr[1];
5173 	struct key_parse key;
5174 	const u8 *mac_addr = NULL;
5175 	int link_id = nl80211_link_id_or_invalid(info->attrs);
5176 
5177 	err = nl80211_parse_key(info, &key);
5178 	if (err)
5179 		return err;
5180 
5181 	if (!key.p.key) {
5182 		GENL_SET_ERR_MSG(info, "no key");
5183 		return -EINVAL;
5184 	}
5185 
5186 	if (info->attrs[NL80211_ATTR_MAC])
5187 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
5188 
5189 	if (key.type == -1) {
5190 		if (mac_addr)
5191 			key.type = NL80211_KEYTYPE_PAIRWISE;
5192 		else
5193 			key.type = NL80211_KEYTYPE_GROUP;
5194 	}
5195 
5196 	/* for now */
5197 	if (key.type != NL80211_KEYTYPE_PAIRWISE &&
5198 	    key.type != NL80211_KEYTYPE_GROUP) {
5199 		GENL_SET_ERR_MSG(info, "key type not pairwise or group");
5200 		return -EINVAL;
5201 	}
5202 
5203 	if (key.type == NL80211_KEYTYPE_GROUP &&
5204 	    info->attrs[NL80211_ATTR_VLAN_ID])
5205 		key.p.vlan_id = nla_get_u16(info->attrs[NL80211_ATTR_VLAN_ID]);
5206 
5207 	if (!rdev->ops->add_key)
5208 		return -EOPNOTSUPP;
5209 
5210 	if (cfg80211_validate_key_settings(rdev, &key.p, key.idx,
5211 					   key.type == NL80211_KEYTYPE_PAIRWISE,
5212 					   mac_addr)) {
5213 		GENL_SET_ERR_MSG(info, "key setting validation failed");
5214 		return -EINVAL;
5215 	}
5216 
5217 	err = nl80211_key_allowed(wdev);
5218 	if (err)
5219 		GENL_SET_ERR_MSG(info, "key not allowed");
5220 
5221 	if (!err)
5222 		err = nl80211_validate_key_link_id(info, wdev, link_id,
5223 				key.type == NL80211_KEYTYPE_PAIRWISE);
5224 
5225 	if (!err) {
5226 		err = rdev_add_key(rdev, wdev, link_id, key.idx,
5227 				   key.type == NL80211_KEYTYPE_PAIRWISE,
5228 				    mac_addr, &key.p);
5229 		if (err)
5230 			GENL_SET_ERR_MSG(info, "key addition failed");
5231 	}
5232 
5233 	return err;
5234 }
5235 
5236 static int nl80211_del_key(struct sk_buff *skb, struct genl_info *info)
5237 {
5238 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
5239 	int err;
5240 	struct wireless_dev *wdev = info->user_ptr[1];
5241 	u8 *mac_addr = NULL;
5242 	struct key_parse key;
5243 	int link_id = nl80211_link_id_or_invalid(info->attrs);
5244 
5245 	err = nl80211_parse_key(info, &key);
5246 	if (err)
5247 		return err;
5248 
5249 	if (info->attrs[NL80211_ATTR_MAC])
5250 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
5251 
5252 	if (key.type == -1) {
5253 		if (mac_addr)
5254 			key.type = NL80211_KEYTYPE_PAIRWISE;
5255 		else
5256 			key.type = NL80211_KEYTYPE_GROUP;
5257 	}
5258 
5259 	/* for now */
5260 	if (key.type != NL80211_KEYTYPE_PAIRWISE &&
5261 	    key.type != NL80211_KEYTYPE_GROUP)
5262 		return -EINVAL;
5263 
5264 	if (!cfg80211_valid_key_idx(rdev, key.idx,
5265 				    key.type == NL80211_KEYTYPE_PAIRWISE))
5266 		return -EINVAL;
5267 
5268 	if (!rdev->ops->del_key)
5269 		return -EOPNOTSUPP;
5270 
5271 	err = nl80211_key_allowed(wdev);
5272 
5273 	if (key.type == NL80211_KEYTYPE_GROUP && mac_addr &&
5274 	    !(rdev->wiphy.flags & WIPHY_FLAG_IBSS_RSN))
5275 		err = -ENOENT;
5276 
5277 	if (!err)
5278 		err = nl80211_validate_key_link_id(info, wdev, link_id,
5279 				key.type == NL80211_KEYTYPE_PAIRWISE);
5280 
5281 	if (!err)
5282 		err = rdev_del_key(rdev, wdev, link_id, key.idx,
5283 				   key.type == NL80211_KEYTYPE_PAIRWISE,
5284 				   mac_addr);
5285 
5286 #ifdef CONFIG_CFG80211_WEXT
5287 	if (!err) {
5288 		if (key.idx == wdev->wext.default_key)
5289 			wdev->wext.default_key = -1;
5290 		else if (key.idx == wdev->wext.default_mgmt_key)
5291 			wdev->wext.default_mgmt_key = -1;
5292 	}
5293 #endif
5294 
5295 	return err;
5296 }
5297 
5298 /* This function returns an error or the number of nested attributes */
5299 static int validate_acl_mac_addrs(struct nlattr *nl_attr)
5300 {
5301 	struct nlattr *attr;
5302 	int n_entries = 0, tmp;
5303 
5304 	nla_for_each_nested(attr, nl_attr, tmp) {
5305 		if (nla_len(attr) != ETH_ALEN)
5306 			return -EINVAL;
5307 
5308 		n_entries++;
5309 	}
5310 
5311 	return n_entries;
5312 }
5313 
5314 /*
5315  * This function parses ACL information and allocates memory for ACL data.
5316  * On successful return, the calling function is responsible to free the
5317  * ACL buffer returned by this function.
5318  */
5319 static struct cfg80211_acl_data *parse_acl_data(struct wiphy *wiphy,
5320 						struct genl_info *info)
5321 {
5322 	enum nl80211_acl_policy acl_policy;
5323 	struct nlattr *attr;
5324 	struct cfg80211_acl_data *acl;
5325 	int i = 0, n_entries, tmp;
5326 
5327 	if (!wiphy->max_acl_mac_addrs)
5328 		return ERR_PTR(-EOPNOTSUPP);
5329 
5330 	if (!info->attrs[NL80211_ATTR_ACL_POLICY])
5331 		return ERR_PTR(-EINVAL);
5332 
5333 	acl_policy = nla_get_u32(info->attrs[NL80211_ATTR_ACL_POLICY]);
5334 	if (acl_policy != NL80211_ACL_POLICY_ACCEPT_UNLESS_LISTED &&
5335 	    acl_policy != NL80211_ACL_POLICY_DENY_UNLESS_LISTED)
5336 		return ERR_PTR(-EINVAL);
5337 
5338 	if (!info->attrs[NL80211_ATTR_MAC_ADDRS])
5339 		return ERR_PTR(-EINVAL);
5340 
5341 	n_entries = validate_acl_mac_addrs(info->attrs[NL80211_ATTR_MAC_ADDRS]);
5342 	if (n_entries < 0)
5343 		return ERR_PTR(n_entries);
5344 
5345 	if (n_entries > wiphy->max_acl_mac_addrs)
5346 		return ERR_PTR(-EOPNOTSUPP);
5347 
5348 	acl = kzalloc_flex(*acl, mac_addrs, n_entries);
5349 	if (!acl)
5350 		return ERR_PTR(-ENOMEM);
5351 	acl->n_acl_entries = n_entries;
5352 
5353 	nla_for_each_nested(attr, info->attrs[NL80211_ATTR_MAC_ADDRS], tmp) {
5354 		memcpy(acl->mac_addrs[i].addr, nla_data(attr), ETH_ALEN);
5355 		i++;
5356 	}
5357 	acl->acl_policy = acl_policy;
5358 
5359 	return acl;
5360 }
5361 
5362 static int nl80211_set_mac_acl(struct sk_buff *skb, struct genl_info *info)
5363 {
5364 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
5365 	struct net_device *dev = info->user_ptr[1];
5366 	struct cfg80211_acl_data *acl;
5367 	int err;
5368 
5369 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
5370 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
5371 		return -EOPNOTSUPP;
5372 
5373 	if (!dev->ieee80211_ptr->links[0].ap.beacon_interval)
5374 		return -EINVAL;
5375 
5376 	acl = parse_acl_data(&rdev->wiphy, info);
5377 	if (IS_ERR(acl))
5378 		return PTR_ERR(acl);
5379 
5380 	err = rdev_set_mac_acl(rdev, dev, acl);
5381 
5382 	kfree(acl);
5383 
5384 	return err;
5385 }
5386 
5387 static u32 rateset_to_mask(struct ieee80211_supported_band *sband,
5388 			   u8 *rates, u8 rates_len)
5389 {
5390 	u8 i;
5391 	u32 mask = 0;
5392 
5393 	for (i = 0; i < rates_len; i++) {
5394 		int rate = (rates[i] & 0x7f) * 5;
5395 		int ridx;
5396 
5397 		for (ridx = 0; ridx < sband->n_bitrates; ridx++) {
5398 			struct ieee80211_rate *srate =
5399 				&sband->bitrates[ridx];
5400 			if (rate == srate->bitrate) {
5401 				mask |= 1 << ridx;
5402 				break;
5403 			}
5404 		}
5405 		if (ridx == sband->n_bitrates)
5406 			return 0; /* rate not found */
5407 	}
5408 
5409 	return mask;
5410 }
5411 
5412 static bool ht_rateset_to_mask(struct ieee80211_supported_band *sband,
5413 			       u8 *rates, u8 rates_len,
5414 			       u8 mcs[IEEE80211_HT_MCS_MASK_LEN])
5415 {
5416 	u8 i;
5417 
5418 	memset(mcs, 0, IEEE80211_HT_MCS_MASK_LEN);
5419 
5420 	for (i = 0; i < rates_len; i++) {
5421 		int ridx, rbit;
5422 
5423 		ridx = rates[i] / 8;
5424 		rbit = BIT(rates[i] % 8);
5425 
5426 		/* check validity */
5427 		if ((ridx < 0) || (ridx >= IEEE80211_HT_MCS_MASK_LEN))
5428 			return false;
5429 
5430 		/* check availability */
5431 		ridx = array_index_nospec(ridx, IEEE80211_HT_MCS_MASK_LEN);
5432 		if (sband->ht_cap.mcs.rx_mask[ridx] & rbit)
5433 			mcs[ridx] |= rbit;
5434 		else
5435 			return false;
5436 	}
5437 
5438 	return true;
5439 }
5440 
5441 static u16 vht_mcs_map_to_mcs_mask(u8 vht_mcs_map)
5442 {
5443 	u16 mcs_mask = 0;
5444 
5445 	switch (vht_mcs_map) {
5446 	case IEEE80211_VHT_MCS_NOT_SUPPORTED:
5447 		break;
5448 	case IEEE80211_VHT_MCS_SUPPORT_0_7:
5449 		mcs_mask = 0x00FF;
5450 		break;
5451 	case IEEE80211_VHT_MCS_SUPPORT_0_8:
5452 		mcs_mask = 0x01FF;
5453 		break;
5454 	case IEEE80211_VHT_MCS_SUPPORT_0_9:
5455 		mcs_mask = 0x03FF;
5456 		break;
5457 	default:
5458 		break;
5459 	}
5460 
5461 	return mcs_mask;
5462 }
5463 
5464 static void vht_build_mcs_mask(u16 vht_mcs_map,
5465 			       u16 vht_mcs_mask[NL80211_VHT_NSS_MAX])
5466 {
5467 	u8 nss;
5468 
5469 	for (nss = 0; nss < NL80211_VHT_NSS_MAX; nss++) {
5470 		vht_mcs_mask[nss] = vht_mcs_map_to_mcs_mask(vht_mcs_map & 0x03);
5471 		vht_mcs_map >>= 2;
5472 	}
5473 }
5474 
5475 static bool vht_set_mcs_mask(struct ieee80211_supported_band *sband,
5476 			     struct nl80211_txrate_vht *txrate,
5477 			     u16 mcs[NL80211_VHT_NSS_MAX])
5478 {
5479 	u16 tx_mcs_map = le16_to_cpu(sband->vht_cap.vht_mcs.tx_mcs_map);
5480 	u16 tx_mcs_mask[NL80211_VHT_NSS_MAX] = {};
5481 	u8 i;
5482 
5483 	if (!sband->vht_cap.vht_supported)
5484 		return false;
5485 
5486 	memset(mcs, 0, sizeof(u16) * NL80211_VHT_NSS_MAX);
5487 
5488 	/* Build vht_mcs_mask from VHT capabilities */
5489 	vht_build_mcs_mask(tx_mcs_map, tx_mcs_mask);
5490 
5491 	for (i = 0; i < NL80211_VHT_NSS_MAX; i++) {
5492 		if ((tx_mcs_mask[i] & txrate->mcs[i]) == txrate->mcs[i])
5493 			mcs[i] = txrate->mcs[i];
5494 		else
5495 			return false;
5496 	}
5497 
5498 	return true;
5499 }
5500 
5501 static u16 he_mcs_map_to_mcs_mask(u8 he_mcs_map)
5502 {
5503 	switch (he_mcs_map) {
5504 	case IEEE80211_HE_MCS_NOT_SUPPORTED:
5505 		return 0;
5506 	case IEEE80211_HE_MCS_SUPPORT_0_7:
5507 		return 0x00FF;
5508 	case IEEE80211_HE_MCS_SUPPORT_0_9:
5509 		return 0x03FF;
5510 	case IEEE80211_HE_MCS_SUPPORT_0_11:
5511 		return 0xFFF;
5512 	default:
5513 		break;
5514 	}
5515 	return 0;
5516 }
5517 
5518 static void he_build_mcs_mask(u16 he_mcs_map,
5519 			      u16 he_mcs_mask[NL80211_HE_NSS_MAX])
5520 {
5521 	u8 nss;
5522 
5523 	for (nss = 0; nss < NL80211_HE_NSS_MAX; nss++) {
5524 		he_mcs_mask[nss] = he_mcs_map_to_mcs_mask(he_mcs_map & 0x03);
5525 		he_mcs_map >>= 2;
5526 	}
5527 }
5528 
5529 static u16 he_get_txmcsmap(struct genl_info *info, unsigned int link_id,
5530 			   const struct ieee80211_sta_he_cap *he_cap)
5531 {
5532 	struct net_device *dev = info->user_ptr[1];
5533 	struct wireless_dev *wdev = dev->ieee80211_ptr;
5534 	struct cfg80211_chan_def *chandef;
5535 	__le16 tx_mcs;
5536 
5537 	chandef = wdev_chandef(wdev, link_id);
5538 	if (!chandef) {
5539 		/*
5540 		 * This is probably broken, but we never maintained
5541 		 * a chandef in these cases, so it always was.
5542 		 */
5543 		return le16_to_cpu(he_cap->he_mcs_nss_supp.tx_mcs_80);
5544 	}
5545 
5546 	switch (chandef->width) {
5547 	case NL80211_CHAN_WIDTH_80P80:
5548 		tx_mcs = he_cap->he_mcs_nss_supp.tx_mcs_80p80;
5549 		break;
5550 	case NL80211_CHAN_WIDTH_160:
5551 		tx_mcs = he_cap->he_mcs_nss_supp.tx_mcs_160;
5552 		break;
5553 	default:
5554 		tx_mcs = he_cap->he_mcs_nss_supp.tx_mcs_80;
5555 		break;
5556 	}
5557 
5558 	return le16_to_cpu(tx_mcs);
5559 }
5560 
5561 static bool he_set_mcs_mask(struct genl_info *info,
5562 			    struct wireless_dev *wdev,
5563 			    struct ieee80211_supported_band *sband,
5564 			    struct nl80211_txrate_he *txrate,
5565 			    u16 mcs[NL80211_HE_NSS_MAX],
5566 			    unsigned int link_id)
5567 {
5568 	const struct ieee80211_sta_he_cap *he_cap;
5569 	u16 tx_mcs_mask[NL80211_HE_NSS_MAX] = {};
5570 	u16 tx_mcs_map = 0;
5571 	u8 i;
5572 
5573 	he_cap = ieee80211_get_he_iftype_cap(sband, wdev->iftype);
5574 	if (!he_cap)
5575 		return false;
5576 
5577 	memset(mcs, 0, sizeof(u16) * NL80211_HE_NSS_MAX);
5578 
5579 	tx_mcs_map = he_get_txmcsmap(info, link_id, he_cap);
5580 
5581 	/* Build he_mcs_mask from HE capabilities */
5582 	he_build_mcs_mask(tx_mcs_map, tx_mcs_mask);
5583 
5584 	for (i = 0; i < NL80211_HE_NSS_MAX; i++) {
5585 		if ((tx_mcs_mask[i] & txrate->mcs[i]) == txrate->mcs[i])
5586 			mcs[i] = txrate->mcs[i];
5587 		else
5588 			return false;
5589 	}
5590 
5591 	return true;
5592 }
5593 
5594 static void eht_build_mcs_mask(struct genl_info *info,
5595 			       const struct ieee80211_sta_eht_cap *eht_cap,
5596 			       u8 mcs_nss_len, u16 *mcs_mask)
5597 {
5598 	struct net_device *dev = info->user_ptr[1];
5599 	struct wireless_dev *wdev = dev->ieee80211_ptr;
5600 	u8 nss, mcs_7 = 0, mcs_9 = 0, mcs_11 = 0, mcs_13 = 0;
5601 	unsigned int link_id = nl80211_link_id(info->attrs);
5602 
5603 	if (mcs_nss_len == 4) {
5604 		const struct ieee80211_eht_mcs_nss_supp_20mhz_only *mcs =
5605 					&eht_cap->eht_mcs_nss_supp.only_20mhz;
5606 
5607 		mcs_7 = u8_get_bits(mcs->rx_tx_mcs7_max_nss,
5608 				    IEEE80211_EHT_MCS_NSS_TX);
5609 		mcs_9 = u8_get_bits(mcs->rx_tx_mcs9_max_nss,
5610 				    IEEE80211_EHT_MCS_NSS_TX);
5611 		mcs_11 = u8_get_bits(mcs->rx_tx_mcs11_max_nss,
5612 				     IEEE80211_EHT_MCS_NSS_TX);
5613 		mcs_13 = u8_get_bits(mcs->rx_tx_mcs13_max_nss,
5614 				     IEEE80211_EHT_MCS_NSS_TX);
5615 
5616 	} else {
5617 		const struct ieee80211_eht_mcs_nss_supp_bw *mcs;
5618 		enum nl80211_chan_width width;
5619 
5620 		switch (wdev->iftype) {
5621 		case NL80211_IFTYPE_ADHOC:
5622 			width = wdev->u.ibss.chandef.width;
5623 			break;
5624 		case NL80211_IFTYPE_MESH_POINT:
5625 			width = wdev->u.mesh.chandef.width;
5626 			break;
5627 		case NL80211_IFTYPE_OCB:
5628 			width = wdev->u.ocb.chandef.width;
5629 			break;
5630 		default:
5631 			if (wdev->valid_links)
5632 				width = wdev->links[link_id].ap.chandef.width;
5633 			else
5634 				width = wdev->u.ap.preset_chandef.width;
5635 			break;
5636 		}
5637 
5638 		switch (width) {
5639 		case NL80211_CHAN_WIDTH_320:
5640 			mcs = &eht_cap->eht_mcs_nss_supp.bw._320;
5641 			break;
5642 		case NL80211_CHAN_WIDTH_160:
5643 			mcs = &eht_cap->eht_mcs_nss_supp.bw._160;
5644 			break;
5645 		default:
5646 			mcs = &eht_cap->eht_mcs_nss_supp.bw._80;
5647 			break;
5648 		}
5649 
5650 		mcs_7 = u8_get_bits(mcs->rx_tx_mcs9_max_nss,
5651 				    IEEE80211_EHT_MCS_NSS_TX);
5652 		mcs_9 = u8_get_bits(mcs->rx_tx_mcs9_max_nss,
5653 				    IEEE80211_EHT_MCS_NSS_TX);
5654 		mcs_11 = u8_get_bits(mcs->rx_tx_mcs11_max_nss,
5655 				     IEEE80211_EHT_MCS_NSS_TX);
5656 		mcs_13 = u8_get_bits(mcs->rx_tx_mcs13_max_nss,
5657 				     IEEE80211_EHT_MCS_NSS_TX);
5658 	}
5659 
5660 	/* Enable MCS 14 for NSS 0 */
5661 	if (eht_cap->eht_cap_elem.phy_cap_info[6] &
5662 	    IEEE80211_EHT_PHY_CAP6_EHT_DUP_6GHZ_SUPP)
5663 		mcs_mask[0] |= 0x4000;
5664 
5665 	/* Enable MCS 15 for NSS 0 */
5666 	mcs_mask[0] |= 0x8000;
5667 
5668 	for (nss = 0; nss < NL80211_EHT_NSS_MAX; nss++) {
5669 		if (!mcs_7)
5670 			continue;
5671 		mcs_mask[nss] |= 0x00FF;
5672 		mcs_7--;
5673 
5674 		if (!mcs_9)
5675 			continue;
5676 		mcs_mask[nss] |= 0x0300;
5677 		mcs_9--;
5678 
5679 		if (!mcs_11)
5680 			continue;
5681 		mcs_mask[nss] |= 0x0C00;
5682 		mcs_11--;
5683 
5684 		if (!mcs_13)
5685 			continue;
5686 		mcs_mask[nss] |= 0x3000;
5687 		mcs_13--;
5688 	}
5689 }
5690 
5691 static bool eht_set_mcs_mask(struct genl_info *info, struct wireless_dev *wdev,
5692 			     struct ieee80211_supported_band *sband,
5693 			     struct nl80211_txrate_eht *txrate,
5694 			     u16 mcs[NL80211_EHT_NSS_MAX])
5695 {
5696 	const struct ieee80211_sta_he_cap *he_cap;
5697 	const struct ieee80211_sta_eht_cap *eht_cap;
5698 	u16 tx_mcs_mask[NL80211_EHT_NSS_MAX] = { 0 };
5699 	u8 i, mcs_nss_len;
5700 
5701 	he_cap = ieee80211_get_he_iftype_cap(sband, wdev->iftype);
5702 	if (!he_cap)
5703 		return false;
5704 
5705 	eht_cap = ieee80211_get_eht_iftype_cap(sband, wdev->iftype);
5706 	if (!eht_cap)
5707 		return false;
5708 
5709 	/* Checks for MCS 14 */
5710 	if (txrate->mcs[0] & 0x4000) {
5711 		if (sband->band != NL80211_BAND_6GHZ)
5712 			return false;
5713 
5714 		if (!(eht_cap->eht_cap_elem.phy_cap_info[6] &
5715 		      IEEE80211_EHT_PHY_CAP6_EHT_DUP_6GHZ_SUPP))
5716 			return false;
5717 	}
5718 
5719 	mcs_nss_len = ieee80211_eht_mcs_nss_size(&he_cap->he_cap_elem,
5720 						 &eht_cap->eht_cap_elem,
5721 						 wdev->iftype ==
5722 							NL80211_IFTYPE_STATION);
5723 
5724 	if (mcs_nss_len == 3) {
5725 		/* Supported iftypes for setting non-20 MHZ only EHT MCS */
5726 		switch (wdev->iftype) {
5727 		case NL80211_IFTYPE_ADHOC:
5728 		case NL80211_IFTYPE_AP:
5729 		case NL80211_IFTYPE_P2P_GO:
5730 		case NL80211_IFTYPE_MESH_POINT:
5731 		case NL80211_IFTYPE_OCB:
5732 			break;
5733 		default:
5734 			return false;
5735 		}
5736 	}
5737 
5738 	/* Build eht_mcs_mask from EHT and HE capabilities */
5739 	eht_build_mcs_mask(info, eht_cap, mcs_nss_len, tx_mcs_mask);
5740 
5741 	memset(mcs, 0, sizeof(u16) * NL80211_EHT_NSS_MAX);
5742 	for (i = 0; i < NL80211_EHT_NSS_MAX; i++) {
5743 		if ((tx_mcs_mask[i] & txrate->mcs[i]) == txrate->mcs[i])
5744 			mcs[i] = txrate->mcs[i];
5745 		else
5746 			return false;
5747 	}
5748 
5749 	return true;
5750 }
5751 
5752 static int nl80211_parse_tx_bitrate_mask(struct genl_info *info,
5753 					 struct nlattr *attrs[],
5754 					 enum nl80211_attrs attr,
5755 					 struct cfg80211_bitrate_mask *mask,
5756 					 struct net_device *dev,
5757 					 bool default_all_enabled,
5758 					 unsigned int link_id)
5759 {
5760 	struct nlattr *tb[NL80211_TXRATE_MAX + 1];
5761 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
5762 	struct wireless_dev *wdev = dev->ieee80211_ptr;
5763 	int rem, i;
5764 	struct nlattr *tx_rates;
5765 	struct ieee80211_supported_band *sband;
5766 	u16 vht_tx_mcs_map, he_tx_mcs_map;
5767 
5768 	memset(mask, 0, sizeof(*mask));
5769 	/* Default to all rates enabled */
5770 	for (i = 0; i < NUM_NL80211_BANDS; i++) {
5771 		const struct ieee80211_sta_he_cap *he_cap;
5772 		const struct ieee80211_sta_eht_cap *eht_cap;
5773 		u8 mcs_nss_len;
5774 
5775 		if (!default_all_enabled)
5776 			break;
5777 
5778 		sband = rdev->wiphy.bands[i];
5779 
5780 		if (!sband)
5781 			continue;
5782 
5783 		mask->control[i].legacy = (1 << sband->n_bitrates) - 1;
5784 		memcpy(mask->control[i].ht_mcs,
5785 		       sband->ht_cap.mcs.rx_mask,
5786 		       sizeof(mask->control[i].ht_mcs));
5787 
5788 		if (sband->vht_cap.vht_supported) {
5789 			vht_tx_mcs_map = le16_to_cpu(sband->vht_cap.vht_mcs.tx_mcs_map);
5790 			vht_build_mcs_mask(vht_tx_mcs_map, mask->control[i].vht_mcs);
5791 		}
5792 
5793 		he_cap = ieee80211_get_he_iftype_cap(sband, wdev->iftype);
5794 		if (!he_cap)
5795 			continue;
5796 
5797 		he_tx_mcs_map = he_get_txmcsmap(info, link_id, he_cap);
5798 		he_build_mcs_mask(he_tx_mcs_map, mask->control[i].he_mcs);
5799 
5800 		mask->control[i].he_gi = 0xFF;
5801 		mask->control[i].he_ltf = 0xFF;
5802 
5803 		eht_cap = ieee80211_get_eht_iftype_cap(sband, wdev->iftype);
5804 		if (!eht_cap)
5805 			continue;
5806 
5807 		mcs_nss_len = ieee80211_eht_mcs_nss_size(&he_cap->he_cap_elem,
5808 							 &eht_cap->eht_cap_elem,
5809 							 wdev->iftype ==
5810 							 NL80211_IFTYPE_STATION);
5811 
5812 		eht_build_mcs_mask(info, eht_cap, mcs_nss_len,
5813 				   mask->control[i].eht_mcs);
5814 
5815 		mask->control[i].eht_gi = 0xFF;
5816 		mask->control[i].eht_ltf = 0xFF;
5817 	}
5818 
5819 	/* if no rates are given set it back to the defaults */
5820 	if (!attrs[attr])
5821 		goto out;
5822 
5823 	/* The nested attribute uses enum nl80211_band as the index. This maps
5824 	 * directly to the enum nl80211_band values used in cfg80211.
5825 	 */
5826 	BUILD_BUG_ON(NL80211_MAX_SUPP_HT_RATES > IEEE80211_HT_MCS_MASK_LEN * 8);
5827 	nla_for_each_nested(tx_rates, attrs[attr], rem) {
5828 		enum nl80211_band band = nla_type(tx_rates);
5829 		int err;
5830 
5831 		if (band < 0 || band >= NUM_NL80211_BANDS)
5832 			return -EINVAL;
5833 		sband = rdev->wiphy.bands[band];
5834 		if (sband == NULL)
5835 			return -EINVAL;
5836 		err = nla_parse_nested_deprecated(tb, NL80211_TXRATE_MAX,
5837 						  tx_rates,
5838 						  nl80211_txattr_policy,
5839 						  info->extack);
5840 		if (err)
5841 			return err;
5842 		if (tb[NL80211_TXRATE_LEGACY]) {
5843 			mask->control[band].legacy = rateset_to_mask(
5844 				sband,
5845 				nla_data(tb[NL80211_TXRATE_LEGACY]),
5846 				nla_len(tb[NL80211_TXRATE_LEGACY]));
5847 			if ((mask->control[band].legacy == 0) &&
5848 			    nla_len(tb[NL80211_TXRATE_LEGACY]))
5849 				return -EINVAL;
5850 		}
5851 		if (tb[NL80211_TXRATE_HT]) {
5852 			if (!ht_rateset_to_mask(
5853 					sband,
5854 					nla_data(tb[NL80211_TXRATE_HT]),
5855 					nla_len(tb[NL80211_TXRATE_HT]),
5856 					mask->control[band].ht_mcs))
5857 				return -EINVAL;
5858 		}
5859 
5860 		if (tb[NL80211_TXRATE_VHT]) {
5861 			if (!vht_set_mcs_mask(
5862 					sband,
5863 					nla_data(tb[NL80211_TXRATE_VHT]),
5864 					mask->control[band].vht_mcs))
5865 				return -EINVAL;
5866 		}
5867 
5868 		if (tb[NL80211_TXRATE_GI]) {
5869 			mask->control[band].gi =
5870 				nla_get_u8(tb[NL80211_TXRATE_GI]);
5871 			if (mask->control[band].gi > NL80211_TXRATE_FORCE_LGI)
5872 				return -EINVAL;
5873 		}
5874 		if (tb[NL80211_TXRATE_HE] &&
5875 		    !he_set_mcs_mask(info, wdev, sband,
5876 				     nla_data(tb[NL80211_TXRATE_HE]),
5877 				     mask->control[band].he_mcs,
5878 				     link_id))
5879 			return -EINVAL;
5880 
5881 		if (tb[NL80211_TXRATE_HE_GI])
5882 			mask->control[band].he_gi =
5883 				nla_get_u8(tb[NL80211_TXRATE_HE_GI]);
5884 		if (tb[NL80211_TXRATE_HE_LTF])
5885 			mask->control[band].he_ltf =
5886 				nla_get_u8(tb[NL80211_TXRATE_HE_LTF]);
5887 
5888 		if (tb[NL80211_TXRATE_EHT] &&
5889 		    !eht_set_mcs_mask(info, wdev, sband,
5890 				      nla_data(tb[NL80211_TXRATE_EHT]),
5891 				      mask->control[band].eht_mcs))
5892 			return -EINVAL;
5893 
5894 		if (tb[NL80211_TXRATE_EHT_GI])
5895 			mask->control[band].eht_gi =
5896 				nla_get_u8(tb[NL80211_TXRATE_EHT_GI]);
5897 		if (tb[NL80211_TXRATE_EHT_LTF])
5898 			mask->control[band].eht_ltf =
5899 				nla_get_u8(tb[NL80211_TXRATE_EHT_LTF]);
5900 
5901 		if (mask->control[band].legacy == 0) {
5902 			/* don't allow empty legacy rates if HT, VHT, HE or EHT
5903 			 * are not even supported.
5904 			 */
5905 			if (!(rdev->wiphy.bands[band]->ht_cap.ht_supported ||
5906 			      rdev->wiphy.bands[band]->vht_cap.vht_supported ||
5907 			      ieee80211_get_he_iftype_cap(sband, wdev->iftype) ||
5908 			      ieee80211_get_eht_iftype_cap(sband, wdev->iftype)))
5909 				return -EINVAL;
5910 
5911 			for (i = 0; i < IEEE80211_HT_MCS_MASK_LEN; i++)
5912 				if (mask->control[band].ht_mcs[i])
5913 					goto out;
5914 
5915 			for (i = 0; i < NL80211_VHT_NSS_MAX; i++)
5916 				if (mask->control[band].vht_mcs[i])
5917 					goto out;
5918 
5919 			for (i = 0; i < NL80211_HE_NSS_MAX; i++)
5920 				if (mask->control[band].he_mcs[i])
5921 					goto out;
5922 
5923 			for (i = 0; i < NL80211_EHT_NSS_MAX; i++)
5924 				if (mask->control[band].eht_mcs[i])
5925 					goto out;
5926 
5927 			/* legacy and mcs rates may not be both empty */
5928 			return -EINVAL;
5929 		}
5930 	}
5931 
5932 out:
5933 	return 0;
5934 }
5935 
5936 static int validate_beacon_tx_rate(struct cfg80211_registered_device *rdev,
5937 				   enum nl80211_band band,
5938 				   struct cfg80211_bitrate_mask *beacon_rate)
5939 {
5940 	u32 count_ht, count_vht, count_he, count_eht, i;
5941 	u32 rate = beacon_rate->control[band].legacy;
5942 
5943 	/* Allow only one rate */
5944 	if (hweight32(rate) > 1)
5945 		return -EINVAL;
5946 
5947 	count_ht = 0;
5948 	for (i = 0; i < IEEE80211_HT_MCS_MASK_LEN; i++) {
5949 		if (hweight8(beacon_rate->control[band].ht_mcs[i]) > 1) {
5950 			return -EINVAL;
5951 		} else if (beacon_rate->control[band].ht_mcs[i]) {
5952 			count_ht++;
5953 			if (count_ht > 1)
5954 				return -EINVAL;
5955 		}
5956 		if (count_ht && rate)
5957 			return -EINVAL;
5958 	}
5959 
5960 	count_vht = 0;
5961 	for (i = 0; i < NL80211_VHT_NSS_MAX; i++) {
5962 		if (hweight16(beacon_rate->control[band].vht_mcs[i]) > 1) {
5963 			return -EINVAL;
5964 		} else if (beacon_rate->control[band].vht_mcs[i]) {
5965 			count_vht++;
5966 			if (count_vht > 1)
5967 				return -EINVAL;
5968 		}
5969 		if (count_vht && rate)
5970 			return -EINVAL;
5971 	}
5972 
5973 	count_he = 0;
5974 	for (i = 0; i < NL80211_HE_NSS_MAX; i++) {
5975 		if (hweight16(beacon_rate->control[band].he_mcs[i]) > 1) {
5976 			return -EINVAL;
5977 		} else if (beacon_rate->control[band].he_mcs[i]) {
5978 			count_he++;
5979 			if (count_he > 1)
5980 				return -EINVAL;
5981 		}
5982 		if (count_he && rate)
5983 			return -EINVAL;
5984 	}
5985 
5986 	count_eht = 0;
5987 	for (i = 0; i < NL80211_EHT_NSS_MAX; i++) {
5988 		if (hweight16(beacon_rate->control[band].eht_mcs[i]) > 1) {
5989 			return -EINVAL;
5990 		} else if (beacon_rate->control[band].eht_mcs[i]) {
5991 			count_eht++;
5992 			if (count_eht > 1)
5993 				return -EINVAL;
5994 		}
5995 		if (count_eht && rate)
5996 			return -EINVAL;
5997 	}
5998 
5999 	if ((count_ht && count_vht && count_he && count_eht) ||
6000 	    (!rate && !count_ht && !count_vht && !count_he && !count_eht))
6001 		return -EINVAL;
6002 
6003 	if (rate &&
6004 	    !wiphy_ext_feature_isset(&rdev->wiphy,
6005 				     NL80211_EXT_FEATURE_BEACON_RATE_LEGACY))
6006 		return -EINVAL;
6007 	if (count_ht &&
6008 	    !wiphy_ext_feature_isset(&rdev->wiphy,
6009 				     NL80211_EXT_FEATURE_BEACON_RATE_HT))
6010 		return -EINVAL;
6011 	if (count_vht &&
6012 	    !wiphy_ext_feature_isset(&rdev->wiphy,
6013 				     NL80211_EXT_FEATURE_BEACON_RATE_VHT))
6014 		return -EINVAL;
6015 	if (count_he &&
6016 	    !wiphy_ext_feature_isset(&rdev->wiphy,
6017 				     NL80211_EXT_FEATURE_BEACON_RATE_HE))
6018 		return -EINVAL;
6019 
6020 	if (count_eht &&
6021 	    !wiphy_ext_feature_isset(&rdev->wiphy,
6022 				     NL80211_EXT_FEATURE_BEACON_RATE_EHT))
6023 		return -EINVAL;
6024 
6025 	return 0;
6026 }
6027 
6028 static int nl80211_parse_mbssid_config(struct wiphy *wiphy,
6029 				       struct net_device *dev,
6030 				       unsigned int link_id,
6031 				       struct nlattr *attrs,
6032 				       struct cfg80211_mbssid_config *config,
6033 				       u8 num_elems)
6034 {
6035 	struct nlattr *tb[NL80211_MBSSID_CONFIG_ATTR_MAX + 1];
6036 	int tx_link_id = -1;
6037 
6038 	if (!wiphy->mbssid_max_interfaces)
6039 		return -EOPNOTSUPP;
6040 
6041 	if (nla_parse_nested(tb, NL80211_MBSSID_CONFIG_ATTR_MAX, attrs, NULL,
6042 			     NULL) ||
6043 	    !tb[NL80211_MBSSID_CONFIG_ATTR_INDEX])
6044 		return -EINVAL;
6045 
6046 	config->ema = nla_get_flag(tb[NL80211_MBSSID_CONFIG_ATTR_EMA]);
6047 	if (config->ema) {
6048 		if (!wiphy->ema_max_profile_periodicity)
6049 			return -EOPNOTSUPP;
6050 
6051 		if (num_elems > wiphy->ema_max_profile_periodicity)
6052 			return -EINVAL;
6053 	}
6054 
6055 	config->index = nla_get_u8(tb[NL80211_MBSSID_CONFIG_ATTR_INDEX]);
6056 	if (config->index >= wiphy->mbssid_max_interfaces ||
6057 	    (!config->index && !num_elems))
6058 		return -EINVAL;
6059 
6060 	if (tb[NL80211_MBSSID_CONFIG_ATTR_TX_LINK_ID])
6061 		tx_link_id = nla_get_u8(tb[NL80211_MBSSID_CONFIG_ATTR_TX_LINK_ID]);
6062 
6063 	if (tb[NL80211_MBSSID_CONFIG_ATTR_TX_IFINDEX]) {
6064 		u32 tx_ifindex =
6065 			nla_get_u32(tb[NL80211_MBSSID_CONFIG_ATTR_TX_IFINDEX]);
6066 
6067 		if ((!config->index && tx_ifindex != dev->ifindex) ||
6068 		    (config->index && tx_ifindex == dev->ifindex))
6069 			return -EINVAL;
6070 
6071 		if (tx_ifindex != dev->ifindex) {
6072 			struct net_device *tx_netdev =
6073 				dev_get_by_index(wiphy_net(wiphy), tx_ifindex);
6074 
6075 			if (!tx_netdev || !tx_netdev->ieee80211_ptr ||
6076 			    tx_netdev->ieee80211_ptr->wiphy != wiphy ||
6077 			    tx_netdev->ieee80211_ptr->iftype !=
6078 							NL80211_IFTYPE_AP) {
6079 				dev_put(tx_netdev);
6080 				return -EINVAL;
6081 			}
6082 
6083 			config->tx_wdev = tx_netdev->ieee80211_ptr;
6084 			/* Caller should call dev_put(config->tx_wdev) from this point */
6085 
6086 			if (config->tx_wdev->valid_links) {
6087 				if (tx_link_id == -1 ||
6088 				    !(config->tx_wdev->valid_links & BIT(tx_link_id)))
6089 					return -ENOLINK;
6090 
6091 				config->tx_link_id = tx_link_id;
6092 			}
6093 		} else {
6094 			if (tx_link_id >= 0 && tx_link_id != link_id)
6095 				return -EINVAL;
6096 
6097 			config->tx_wdev = dev->ieee80211_ptr;
6098 		}
6099 	} else if (!config->index) {
6100 		if (tx_link_id >= 0 && tx_link_id != link_id)
6101 			return -EINVAL;
6102 
6103 		config->tx_wdev = dev->ieee80211_ptr;
6104 	} else {
6105 		return -EINVAL;
6106 	}
6107 
6108 	return 0;
6109 }
6110 
6111 static struct cfg80211_mbssid_elems *
6112 nl80211_parse_mbssid_elems(struct wiphy *wiphy, struct nlattr *attrs)
6113 {
6114 	struct nlattr *nl_elems;
6115 	struct cfg80211_mbssid_elems *elems;
6116 	int rem_elems;
6117 	u8 i = 0, num_elems = 0;
6118 
6119 	if (!wiphy->mbssid_max_interfaces)
6120 		return ERR_PTR(-EINVAL);
6121 
6122 	nla_for_each_nested(nl_elems, attrs, rem_elems) {
6123 		if (num_elems >= 255)
6124 			return ERR_PTR(-EINVAL);
6125 		num_elems++;
6126 	}
6127 
6128 	elems = kzalloc_flex(*elems, elem, num_elems);
6129 	if (!elems)
6130 		return ERR_PTR(-ENOMEM);
6131 	elems->cnt = num_elems;
6132 
6133 	nla_for_each_nested(nl_elems, attrs, rem_elems) {
6134 		elems->elem[i].data = nla_data(nl_elems);
6135 		elems->elem[i].len = nla_len(nl_elems);
6136 		i++;
6137 	}
6138 	return elems;
6139 }
6140 
6141 static struct cfg80211_rnr_elems *
6142 nl80211_parse_rnr_elems(struct wiphy *wiphy, struct nlattr *attrs,
6143 			struct netlink_ext_ack *extack)
6144 {
6145 	struct nlattr *nl_elems;
6146 	struct cfg80211_rnr_elems *elems;
6147 	int rem_elems;
6148 	u8 i = 0, num_elems = 0;
6149 
6150 	nla_for_each_nested(nl_elems, attrs, rem_elems) {
6151 		int ret;
6152 
6153 		ret = validate_ie_attr(nl_elems, extack);
6154 		if (ret)
6155 			return ERR_PTR(ret);
6156 
6157 		num_elems++;
6158 	}
6159 
6160 	elems = kzalloc_flex(*elems, elem, num_elems);
6161 	if (!elems)
6162 		return ERR_PTR(-ENOMEM);
6163 	elems->cnt = num_elems;
6164 
6165 	nla_for_each_nested(nl_elems, attrs, rem_elems) {
6166 		elems->elem[i].data = nla_data(nl_elems);
6167 		elems->elem[i].len = nla_len(nl_elems);
6168 		i++;
6169 	}
6170 	return elems;
6171 }
6172 
6173 static int nl80211_parse_he_bss_color(struct nlattr *attrs,
6174 				      struct cfg80211_he_bss_color *he_bss_color)
6175 {
6176 	struct nlattr *tb[NL80211_HE_BSS_COLOR_ATTR_MAX + 1];
6177 	int err;
6178 
6179 	err = nla_parse_nested(tb, NL80211_HE_BSS_COLOR_ATTR_MAX, attrs,
6180 			       he_bss_color_policy, NULL);
6181 	if (err)
6182 		return err;
6183 
6184 	if (!tb[NL80211_HE_BSS_COLOR_ATTR_COLOR])
6185 		return -EINVAL;
6186 
6187 	he_bss_color->color =
6188 		nla_get_u8(tb[NL80211_HE_BSS_COLOR_ATTR_COLOR]);
6189 	he_bss_color->enabled =
6190 		!nla_get_flag(tb[NL80211_HE_BSS_COLOR_ATTR_DISABLED]);
6191 	he_bss_color->partial =
6192 		nla_get_flag(tb[NL80211_HE_BSS_COLOR_ATTR_PARTIAL]);
6193 
6194 	return 0;
6195 }
6196 
6197 static int nl80211_parse_beacon(struct cfg80211_registered_device *rdev,
6198 				struct nlattr *attrs[],
6199 				struct cfg80211_beacon_data *bcn,
6200 				struct netlink_ext_ack *extack)
6201 {
6202 	bool haveinfo = false;
6203 	int err;
6204 
6205 	memset(bcn, 0, sizeof(*bcn));
6206 
6207 	bcn->link_id = nl80211_link_id(attrs);
6208 
6209 	if (attrs[NL80211_ATTR_BEACON_HEAD]) {
6210 		bcn->head = nla_data(attrs[NL80211_ATTR_BEACON_HEAD]);
6211 		bcn->head_len = nla_len(attrs[NL80211_ATTR_BEACON_HEAD]);
6212 		if (!bcn->head_len)
6213 			return -EINVAL;
6214 		haveinfo = true;
6215 	}
6216 
6217 	if (attrs[NL80211_ATTR_BEACON_TAIL]) {
6218 		bcn->tail = nla_data(attrs[NL80211_ATTR_BEACON_TAIL]);
6219 		bcn->tail_len = nla_len(attrs[NL80211_ATTR_BEACON_TAIL]);
6220 		haveinfo = true;
6221 	}
6222 
6223 	if (!haveinfo)
6224 		return -EINVAL;
6225 
6226 	if (attrs[NL80211_ATTR_IE]) {
6227 		bcn->beacon_ies = nla_data(attrs[NL80211_ATTR_IE]);
6228 		bcn->beacon_ies_len = nla_len(attrs[NL80211_ATTR_IE]);
6229 	}
6230 
6231 	if (attrs[NL80211_ATTR_IE_PROBE_RESP]) {
6232 		bcn->proberesp_ies =
6233 			nla_data(attrs[NL80211_ATTR_IE_PROBE_RESP]);
6234 		bcn->proberesp_ies_len =
6235 			nla_len(attrs[NL80211_ATTR_IE_PROBE_RESP]);
6236 	}
6237 
6238 	if (attrs[NL80211_ATTR_IE_ASSOC_RESP]) {
6239 		bcn->assocresp_ies =
6240 			nla_data(attrs[NL80211_ATTR_IE_ASSOC_RESP]);
6241 		bcn->assocresp_ies_len =
6242 			nla_len(attrs[NL80211_ATTR_IE_ASSOC_RESP]);
6243 	}
6244 
6245 	if (attrs[NL80211_ATTR_PROBE_RESP]) {
6246 		bcn->probe_resp = nla_data(attrs[NL80211_ATTR_PROBE_RESP]);
6247 		bcn->probe_resp_len = nla_len(attrs[NL80211_ATTR_PROBE_RESP]);
6248 	}
6249 
6250 	if (attrs[NL80211_ATTR_FTM_RESPONDER]) {
6251 		struct nlattr *tb[NL80211_FTM_RESP_ATTR_MAX + 1];
6252 
6253 		err = nla_parse_nested_deprecated(tb,
6254 						  NL80211_FTM_RESP_ATTR_MAX,
6255 						  attrs[NL80211_ATTR_FTM_RESPONDER],
6256 						  NULL, NULL);
6257 		if (err)
6258 			return err;
6259 
6260 		if (tb[NL80211_FTM_RESP_ATTR_ENABLED] &&
6261 		    wiphy_ext_feature_isset(&rdev->wiphy,
6262 					    NL80211_EXT_FEATURE_ENABLE_FTM_RESPONDER))
6263 			bcn->ftm_responder = 1;
6264 		else
6265 			return -EOPNOTSUPP;
6266 
6267 		if (tb[NL80211_FTM_RESP_ATTR_LCI]) {
6268 			bcn->lci = nla_data(tb[NL80211_FTM_RESP_ATTR_LCI]);
6269 			bcn->lci_len = nla_len(tb[NL80211_FTM_RESP_ATTR_LCI]);
6270 		}
6271 
6272 		if (tb[NL80211_FTM_RESP_ATTR_CIVICLOC]) {
6273 			bcn->civicloc = nla_data(tb[NL80211_FTM_RESP_ATTR_CIVICLOC]);
6274 			bcn->civicloc_len = nla_len(tb[NL80211_FTM_RESP_ATTR_CIVICLOC]);
6275 		}
6276 	} else {
6277 		bcn->ftm_responder = -1;
6278 	}
6279 
6280 	if (attrs[NL80211_ATTR_HE_BSS_COLOR]) {
6281 		err = nl80211_parse_he_bss_color(attrs[NL80211_ATTR_HE_BSS_COLOR],
6282 						 &bcn->he_bss_color);
6283 		if (err)
6284 			return err;
6285 		bcn->he_bss_color_valid = true;
6286 	}
6287 
6288 	if (attrs[NL80211_ATTR_MBSSID_ELEMS]) {
6289 		struct cfg80211_mbssid_elems *mbssid =
6290 			nl80211_parse_mbssid_elems(&rdev->wiphy,
6291 						   attrs[NL80211_ATTR_MBSSID_ELEMS]);
6292 
6293 		if (IS_ERR(mbssid))
6294 			return PTR_ERR(mbssid);
6295 
6296 		bcn->mbssid_ies = mbssid;
6297 
6298 		if (bcn->mbssid_ies && attrs[NL80211_ATTR_EMA_RNR_ELEMS]) {
6299 			struct cfg80211_rnr_elems *rnr =
6300 				nl80211_parse_rnr_elems(&rdev->wiphy,
6301 							attrs[NL80211_ATTR_EMA_RNR_ELEMS],
6302 							extack);
6303 
6304 			if (IS_ERR(rnr))
6305 				return PTR_ERR(rnr);
6306 
6307 			if (rnr && rnr->cnt < bcn->mbssid_ies->cnt)
6308 				return -EINVAL;
6309 
6310 			bcn->rnr_ies = rnr;
6311 		}
6312 	}
6313 
6314 	return 0;
6315 }
6316 
6317 static int nl80211_parse_he_obss_pd(struct nlattr *attrs,
6318 				    struct ieee80211_he_obss_pd *he_obss_pd)
6319 {
6320 	struct nlattr *tb[NL80211_HE_OBSS_PD_ATTR_MAX + 1];
6321 	int err;
6322 
6323 	err = nla_parse_nested(tb, NL80211_HE_OBSS_PD_ATTR_MAX, attrs,
6324 			       he_obss_pd_policy, NULL);
6325 	if (err)
6326 		return err;
6327 
6328 	if (!tb[NL80211_HE_OBSS_PD_ATTR_SR_CTRL])
6329 		return -EINVAL;
6330 
6331 	he_obss_pd->sr_ctrl = nla_get_u8(tb[NL80211_HE_OBSS_PD_ATTR_SR_CTRL]);
6332 
6333 	if (tb[NL80211_HE_OBSS_PD_ATTR_MIN_OFFSET])
6334 		he_obss_pd->min_offset =
6335 			nla_get_u8(tb[NL80211_HE_OBSS_PD_ATTR_MIN_OFFSET]);
6336 	if (tb[NL80211_HE_OBSS_PD_ATTR_MAX_OFFSET])
6337 		he_obss_pd->max_offset =
6338 			nla_get_u8(tb[NL80211_HE_OBSS_PD_ATTR_MAX_OFFSET]);
6339 	if (tb[NL80211_HE_OBSS_PD_ATTR_NON_SRG_MAX_OFFSET])
6340 		he_obss_pd->non_srg_max_offset =
6341 			nla_get_u8(tb[NL80211_HE_OBSS_PD_ATTR_NON_SRG_MAX_OFFSET]);
6342 
6343 	if (he_obss_pd->min_offset > he_obss_pd->max_offset)
6344 		return -EINVAL;
6345 
6346 	if (tb[NL80211_HE_OBSS_PD_ATTR_BSS_COLOR_BITMAP])
6347 		memcpy(he_obss_pd->bss_color_bitmap,
6348 		       nla_data(tb[NL80211_HE_OBSS_PD_ATTR_BSS_COLOR_BITMAP]),
6349 		       sizeof(he_obss_pd->bss_color_bitmap));
6350 
6351 	if (tb[NL80211_HE_OBSS_PD_ATTR_PARTIAL_BSSID_BITMAP])
6352 		memcpy(he_obss_pd->partial_bssid_bitmap,
6353 		       nla_data(tb[NL80211_HE_OBSS_PD_ATTR_PARTIAL_BSSID_BITMAP]),
6354 		       sizeof(he_obss_pd->partial_bssid_bitmap));
6355 
6356 	he_obss_pd->enable = true;
6357 
6358 	return 0;
6359 }
6360 
6361 static int nl80211_parse_fils_discovery(struct cfg80211_registered_device *rdev,
6362 					struct nlattr *attrs,
6363 					struct cfg80211_fils_discovery *fd)
6364 {
6365 	struct nlattr *tb[NL80211_FILS_DISCOVERY_ATTR_MAX + 1];
6366 	int ret;
6367 
6368 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
6369 				     NL80211_EXT_FEATURE_FILS_DISCOVERY))
6370 		return -EINVAL;
6371 
6372 	ret = nla_parse_nested(tb, NL80211_FILS_DISCOVERY_ATTR_MAX, attrs,
6373 			       NULL, NULL);
6374 	if (ret)
6375 		return ret;
6376 
6377 	if (!tb[NL80211_FILS_DISCOVERY_ATTR_INT_MIN] &&
6378 	    !tb[NL80211_FILS_DISCOVERY_ATTR_INT_MAX] &&
6379 	    !tb[NL80211_FILS_DISCOVERY_ATTR_TMPL]) {
6380 		fd->update = true;
6381 		return 0;
6382 	}
6383 
6384 	if (!tb[NL80211_FILS_DISCOVERY_ATTR_INT_MIN] ||
6385 	    !tb[NL80211_FILS_DISCOVERY_ATTR_INT_MAX] ||
6386 	    !tb[NL80211_FILS_DISCOVERY_ATTR_TMPL])
6387 		return -EINVAL;
6388 
6389 	fd->tmpl_len = nla_len(tb[NL80211_FILS_DISCOVERY_ATTR_TMPL]);
6390 	fd->tmpl = nla_data(tb[NL80211_FILS_DISCOVERY_ATTR_TMPL]);
6391 	fd->min_interval = nla_get_u32(tb[NL80211_FILS_DISCOVERY_ATTR_INT_MIN]);
6392 	fd->max_interval = nla_get_u32(tb[NL80211_FILS_DISCOVERY_ATTR_INT_MAX]);
6393 	fd->update = true;
6394 	return 0;
6395 }
6396 
6397 static int
6398 nl80211_parse_unsol_bcast_probe_resp(struct cfg80211_registered_device *rdev,
6399 				     struct nlattr *attrs,
6400 				     struct cfg80211_unsol_bcast_probe_resp *presp)
6401 {
6402 	struct nlattr *tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_MAX + 1];
6403 	int ret;
6404 
6405 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
6406 				     NL80211_EXT_FEATURE_UNSOL_BCAST_PROBE_RESP))
6407 		return -EINVAL;
6408 
6409 	ret = nla_parse_nested(tb, NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_MAX,
6410 			       attrs, NULL, NULL);
6411 	if (ret)
6412 		return ret;
6413 
6414 	if (!tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_INT] &&
6415 	    !tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_TMPL]) {
6416 		presp->update = true;
6417 		return 0;
6418 	}
6419 
6420 	if (!tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_INT] ||
6421 	    !tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_TMPL])
6422 		return -EINVAL;
6423 
6424 	presp->tmpl = nla_data(tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_TMPL]);
6425 	presp->tmpl_len = nla_len(tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_TMPL]);
6426 	presp->interval = nla_get_u32(tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_INT]);
6427 	presp->update = true;
6428 	return 0;
6429 }
6430 
6431 static void nl80211_check_ap_rate_selectors(struct cfg80211_ap_settings *params,
6432 					    const struct element *rates)
6433 {
6434 	int i;
6435 
6436 	if (!rates)
6437 		return;
6438 
6439 	for (i = 0; i < rates->datalen; i++) {
6440 		if (rates->data[i] == BSS_MEMBERSHIP_SELECTOR_HT_PHY)
6441 			params->ht_required = true;
6442 		if (rates->data[i] == BSS_MEMBERSHIP_SELECTOR_VHT_PHY)
6443 			params->vht_required = true;
6444 		if (rates->data[i] == BSS_MEMBERSHIP_SELECTOR_HE_PHY)
6445 			params->he_required = true;
6446 		if (rates->data[i] == BSS_MEMBERSHIP_SELECTOR_SAE_H2E)
6447 			params->sae_h2e_required = true;
6448 	}
6449 }
6450 
6451 /*
6452  * Since the nl80211 API didn't include, from the beginning, attributes about
6453  * HT/VHT requirements/capabilities, we parse them out of the IEs for the
6454  * benefit of drivers that rebuild IEs in the firmware.
6455  */
6456 static int nl80211_calculate_ap_params(struct cfg80211_ap_settings *params)
6457 {
6458 	const struct cfg80211_beacon_data *bcn = &params->beacon;
6459 	size_t ies_len = bcn->tail_len;
6460 	const u8 *ies = bcn->tail;
6461 	const struct element *rates;
6462 	const struct element *cap;
6463 
6464 	rates = cfg80211_find_elem(WLAN_EID_SUPP_RATES, ies, ies_len);
6465 	nl80211_check_ap_rate_selectors(params, rates);
6466 
6467 	rates = cfg80211_find_elem(WLAN_EID_EXT_SUPP_RATES, ies, ies_len);
6468 	nl80211_check_ap_rate_selectors(params, rates);
6469 
6470 	cap = cfg80211_find_elem(WLAN_EID_HT_CAPABILITY, ies, ies_len);
6471 	if (cap && cap->datalen >= sizeof(*params->ht_cap))
6472 		params->ht_cap = (void *)cap->data;
6473 	cap = cfg80211_find_elem(WLAN_EID_VHT_CAPABILITY, ies, ies_len);
6474 	if (cap && cap->datalen >= sizeof(*params->vht_cap))
6475 		params->vht_cap = (void *)cap->data;
6476 	cap = cfg80211_find_ext_elem(WLAN_EID_EXT_HE_CAPABILITY, ies, ies_len);
6477 	if (cap && cap->datalen >= sizeof(*params->he_cap) + 1)
6478 		params->he_cap = (void *)(cap->data + 1);
6479 	cap = cfg80211_find_ext_elem(WLAN_EID_EXT_HE_OPERATION, ies, ies_len);
6480 	if (cap && cap->datalen >= sizeof(*params->he_oper) + 1)
6481 		params->he_oper = (void *)(cap->data + 1);
6482 	cap = cfg80211_find_ext_elem(WLAN_EID_EXT_EHT_CAPABILITY, ies, ies_len);
6483 	if (cap) {
6484 		if (!cap->datalen)
6485 			return -EINVAL;
6486 		params->eht_cap = (void *)(cap->data + 1);
6487 		if (!ieee80211_eht_capa_size_ok((const u8 *)params->he_cap,
6488 						(const u8 *)params->eht_cap,
6489 						cap->datalen - 1, true))
6490 			return -EINVAL;
6491 	}
6492 	cap = cfg80211_find_ext_elem(WLAN_EID_EXT_EHT_OPERATION, ies, ies_len);
6493 	if (cap) {
6494 		if (!cap->datalen)
6495 			return -EINVAL;
6496 		params->eht_oper = (void *)(cap->data + 1);
6497 		if (!ieee80211_eht_oper_size_ok((const u8 *)params->eht_oper,
6498 						cap->datalen - 1))
6499 			return -EINVAL;
6500 	}
6501 
6502 	cap = cfg80211_find_ext_elem(WLAN_EID_EXT_UHR_OPER, ies, ies_len);
6503 	if (cap) {
6504 		if (!cap->datalen)
6505 			return -EINVAL;
6506 		params->uhr_oper = (void *)(cap->data + 1);
6507 		if (!ieee80211_uhr_oper_size_ok((const u8 *)params->uhr_oper,
6508 						cap->datalen - 1, true))
6509 			return -EINVAL;
6510 	}
6511 
6512 	return 0;
6513 }
6514 
6515 static bool nl80211_get_ap_channel(struct cfg80211_registered_device *rdev,
6516 				   struct cfg80211_ap_settings *params)
6517 {
6518 	struct wireless_dev *wdev;
6519 
6520 	list_for_each_entry(wdev, &rdev->wiphy.wdev_list, list) {
6521 		if (wdev->iftype != NL80211_IFTYPE_AP &&
6522 		    wdev->iftype != NL80211_IFTYPE_P2P_GO)
6523 			continue;
6524 
6525 		if (!wdev->u.ap.preset_chandef.chan)
6526 			continue;
6527 
6528 		params->chandef = wdev->u.ap.preset_chandef;
6529 		return true;
6530 	}
6531 
6532 	return false;
6533 }
6534 
6535 static bool nl80211_valid_auth_type(struct cfg80211_registered_device *rdev,
6536 				    enum nl80211_auth_type auth_type,
6537 				    enum nl80211_commands cmd)
6538 {
6539 	if (auth_type > NL80211_AUTHTYPE_MAX)
6540 		return false;
6541 
6542 	switch (cmd) {
6543 	case NL80211_CMD_AUTHENTICATE:
6544 		if (!(rdev->wiphy.features & NL80211_FEATURE_SAE) &&
6545 		    auth_type == NL80211_AUTHTYPE_SAE)
6546 			return false;
6547 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
6548 					     NL80211_EXT_FEATURE_FILS_STA) &&
6549 		    (auth_type == NL80211_AUTHTYPE_FILS_SK ||
6550 		     auth_type == NL80211_AUTHTYPE_FILS_SK_PFS ||
6551 		     auth_type == NL80211_AUTHTYPE_FILS_PK))
6552 			return false;
6553 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
6554 					     NL80211_EXT_FEATURE_EPPKE) &&
6555 		    auth_type == NL80211_AUTHTYPE_EPPKE)
6556 			return false;
6557 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
6558 					     NL80211_EXT_FEATURE_IEEE8021X_AUTH) &&
6559 		    auth_type == NL80211_AUTHTYPE_IEEE8021X)
6560 			return false;
6561 		return true;
6562 	case NL80211_CMD_CONNECT:
6563 		if (!(rdev->wiphy.features & NL80211_FEATURE_SAE) &&
6564 		    !wiphy_ext_feature_isset(&rdev->wiphy,
6565 					     NL80211_EXT_FEATURE_SAE_OFFLOAD) &&
6566 		    auth_type == NL80211_AUTHTYPE_SAE)
6567 			return false;
6568 
6569 		/* FILS with SK PFS or PK not supported yet */
6570 		if (auth_type == NL80211_AUTHTYPE_FILS_SK_PFS ||
6571 		    auth_type == NL80211_AUTHTYPE_FILS_PK)
6572 			return false;
6573 		if (!wiphy_ext_feature_isset(
6574 			    &rdev->wiphy,
6575 			    NL80211_EXT_FEATURE_FILS_SK_OFFLOAD) &&
6576 		    auth_type == NL80211_AUTHTYPE_FILS_SK)
6577 			return false;
6578 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
6579 					     NL80211_EXT_FEATURE_EPPKE) &&
6580 		    auth_type == NL80211_AUTHTYPE_EPPKE)
6581 			return false;
6582 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
6583 					     NL80211_EXT_FEATURE_IEEE8021X_AUTH) &&
6584 		    auth_type == NL80211_AUTHTYPE_IEEE8021X)
6585 			return false;
6586 		return true;
6587 	case NL80211_CMD_START_AP:
6588 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
6589 					     NL80211_EXT_FEATURE_SAE_OFFLOAD_AP) &&
6590 		    auth_type == NL80211_AUTHTYPE_SAE)
6591 			return false;
6592 		/* FILS not supported yet */
6593 		if (auth_type == NL80211_AUTHTYPE_FILS_SK ||
6594 		    auth_type == NL80211_AUTHTYPE_FILS_SK_PFS ||
6595 		    auth_type == NL80211_AUTHTYPE_FILS_PK)
6596 			return false;
6597 		return true;
6598 	default:
6599 		return false;
6600 	}
6601 }
6602 
6603 static void nl80211_send_ap_started(struct wireless_dev *wdev,
6604 				    unsigned int link_id)
6605 {
6606 	struct wiphy *wiphy = wdev->wiphy;
6607 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
6608 	struct sk_buff *msg;
6609 	void *hdr;
6610 
6611 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
6612 	if (!msg)
6613 		return;
6614 
6615 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_START_AP);
6616 	if (!hdr)
6617 		goto out;
6618 
6619 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
6620 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, wdev->netdev->ifindex) ||
6621 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
6622 			      NL80211_ATTR_PAD) ||
6623 	    (wdev->u.ap.ssid_len &&
6624 	     nla_put(msg, NL80211_ATTR_SSID, wdev->u.ap.ssid_len,
6625 		     wdev->u.ap.ssid)) ||
6626 	    (wdev->valid_links &&
6627 	     nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID, link_id)))
6628 		goto out;
6629 
6630 	genlmsg_end(msg, hdr);
6631 
6632 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(wiphy), msg, 0,
6633 				NL80211_MCGRP_MLME, GFP_KERNEL);
6634 	return;
6635 out:
6636 	nlmsg_free(msg);
6637 }
6638 
6639 static int nl80211_validate_ap_phy_operation(struct cfg80211_ap_settings *params)
6640 {
6641 	struct ieee80211_channel *channel = params->chandef.chan;
6642 
6643 	if ((params->he_cap ||  params->he_oper) &&
6644 	    (channel->flags & IEEE80211_CHAN_NO_HE))
6645 		return -EOPNOTSUPP;
6646 
6647 	if ((params->eht_cap || params->eht_oper) &&
6648 	    (channel->flags & IEEE80211_CHAN_NO_EHT))
6649 		return -EOPNOTSUPP;
6650 
6651 	if (params->uhr_oper && (channel->flags & IEEE80211_CHAN_NO_UHR))
6652 		return -EOPNOTSUPP;
6653 
6654 	return 0;
6655 }
6656 
6657 static int
6658 nl80211_parse_s1g_short_beacon(struct cfg80211_registered_device *rdev,
6659 			       struct nlattr *attrs,
6660 			       struct cfg80211_s1g_short_beacon *sb)
6661 {
6662 	struct nlattr *tb[NL80211_S1G_SHORT_BEACON_ATTR_MAX + 1];
6663 	int ret;
6664 
6665 	if (!rdev->wiphy.bands[NL80211_BAND_S1GHZ])
6666 		return -EINVAL;
6667 
6668 	ret = nla_parse_nested(tb, NL80211_S1G_SHORT_BEACON_ATTR_MAX, attrs,
6669 			       NULL, NULL);
6670 	if (ret)
6671 		return ret;
6672 
6673 	/* Short beacon tail is optional (i.e might only include the TIM) */
6674 	if (!tb[NL80211_S1G_SHORT_BEACON_ATTR_HEAD])
6675 		return -EINVAL;
6676 
6677 	sb->short_head = nla_data(tb[NL80211_S1G_SHORT_BEACON_ATTR_HEAD]);
6678 	sb->short_head_len = nla_len(tb[NL80211_S1G_SHORT_BEACON_ATTR_HEAD]);
6679 	sb->short_tail_len = 0;
6680 
6681 	if (tb[NL80211_S1G_SHORT_BEACON_ATTR_TAIL]) {
6682 		sb->short_tail =
6683 			nla_data(tb[NL80211_S1G_SHORT_BEACON_ATTR_TAIL]);
6684 		sb->short_tail_len =
6685 			nla_len(tb[NL80211_S1G_SHORT_BEACON_ATTR_TAIL]);
6686 	}
6687 
6688 	sb->update = true;
6689 	return 0;
6690 }
6691 
6692 static int nl80211_start_ap(struct sk_buff *skb, struct genl_info *info)
6693 {
6694 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6695 	struct cfg80211_beaconing_check_config beacon_check = {};
6696 	unsigned int link_id = nl80211_link_id(info->attrs);
6697 	struct net_device *dev = info->user_ptr[1];
6698 	struct wireless_dev *wdev = dev->ieee80211_ptr;
6699 	struct cfg80211_ap_settings *params;
6700 	int err;
6701 
6702 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
6703 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
6704 		return -EOPNOTSUPP;
6705 
6706 	if (!rdev->ops->start_ap)
6707 		return -EOPNOTSUPP;
6708 
6709 	if (wdev->links[link_id].cac_started)
6710 		return -EBUSY;
6711 
6712 	if (wdev->links[link_id].ap.beacon_interval)
6713 		return -EALREADY;
6714 
6715 	/* these are required for START_AP */
6716 	if (!info->attrs[NL80211_ATTR_BEACON_INTERVAL] ||
6717 	    !info->attrs[NL80211_ATTR_DTIM_PERIOD] ||
6718 	    !info->attrs[NL80211_ATTR_BEACON_HEAD])
6719 		return -EINVAL;
6720 
6721 	if (info->attrs[NL80211_ATTR_SMPS_MODE] &&
6722 	    nla_get_u8(info->attrs[NL80211_ATTR_SMPS_MODE]) != NL80211_SMPS_OFF)
6723 		return -EOPNOTSUPP;
6724 
6725 	params = kzalloc_obj(*params);
6726 	if (!params)
6727 		return -ENOMEM;
6728 
6729 	err = nl80211_parse_beacon(rdev, info->attrs, &params->beacon,
6730 				   info->extack);
6731 	if (err)
6732 		goto out;
6733 
6734 	params->beacon_interval =
6735 		nla_get_u32(info->attrs[NL80211_ATTR_BEACON_INTERVAL]);
6736 	params->dtim_period =
6737 		nla_get_u32(info->attrs[NL80211_ATTR_DTIM_PERIOD]);
6738 
6739 	err = cfg80211_validate_beacon_int(rdev, dev->ieee80211_ptr->iftype,
6740 					   params->beacon_interval);
6741 	if (err)
6742 		goto out;
6743 
6744 	/*
6745 	 * In theory, some of these attributes should be required here
6746 	 * but since they were not used when the command was originally
6747 	 * added, keep them optional for old user space programs to let
6748 	 * them continue to work with drivers that do not need the
6749 	 * additional information -- drivers must check!
6750 	 */
6751 	if (info->attrs[NL80211_ATTR_SSID]) {
6752 		params->ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
6753 		params->ssid_len =
6754 			nla_len(info->attrs[NL80211_ATTR_SSID]);
6755 		if (params->ssid_len == 0) {
6756 			err = -EINVAL;
6757 			goto out;
6758 		}
6759 
6760 		if (wdev->u.ap.ssid_len &&
6761 		    (wdev->u.ap.ssid_len != params->ssid_len ||
6762 		     memcmp(wdev->u.ap.ssid, params->ssid, params->ssid_len))) {
6763 			/* require identical SSID for MLO */
6764 			err = -EINVAL;
6765 			goto out;
6766 		}
6767 	} else if (wdev->valid_links) {
6768 		/* require SSID for MLO */
6769 		err = -EINVAL;
6770 		goto out;
6771 	}
6772 
6773 	if (info->attrs[NL80211_ATTR_HIDDEN_SSID])
6774 		params->hidden_ssid = nla_get_u32(
6775 			info->attrs[NL80211_ATTR_HIDDEN_SSID]);
6776 
6777 	params->privacy = !!info->attrs[NL80211_ATTR_PRIVACY];
6778 
6779 	if (info->attrs[NL80211_ATTR_AUTH_TYPE]) {
6780 		params->auth_type = nla_get_u32(
6781 			info->attrs[NL80211_ATTR_AUTH_TYPE]);
6782 		if (!nl80211_valid_auth_type(rdev, params->auth_type,
6783 					     NL80211_CMD_START_AP)) {
6784 			err = -EINVAL;
6785 			goto out;
6786 		}
6787 	} else
6788 		params->auth_type = NL80211_AUTHTYPE_AUTOMATIC;
6789 
6790 	err = nl80211_crypto_settings(rdev, info, &params->crypto,
6791 				      NL80211_MAX_NR_CIPHER_SUITES);
6792 	if (err)
6793 		goto out;
6794 
6795 	if (info->attrs[NL80211_ATTR_INACTIVITY_TIMEOUT]) {
6796 		if (!(rdev->wiphy.features & NL80211_FEATURE_INACTIVITY_TIMER)) {
6797 			err = -EOPNOTSUPP;
6798 			goto out;
6799 		}
6800 		params->inactivity_timeout = nla_get_u16(
6801 			info->attrs[NL80211_ATTR_INACTIVITY_TIMEOUT]);
6802 	}
6803 
6804 	if (info->attrs[NL80211_ATTR_P2P_CTWINDOW]) {
6805 		if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO) {
6806 			err = -EINVAL;
6807 			goto out;
6808 		}
6809 		params->p2p_ctwindow =
6810 			nla_get_u8(info->attrs[NL80211_ATTR_P2P_CTWINDOW]);
6811 		if (params->p2p_ctwindow != 0 &&
6812 		    !(rdev->wiphy.features & NL80211_FEATURE_P2P_GO_CTWIN)) {
6813 			err = -EINVAL;
6814 			goto out;
6815 		}
6816 	}
6817 
6818 	if (info->attrs[NL80211_ATTR_P2P_OPPPS]) {
6819 		u8 tmp;
6820 
6821 		if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO) {
6822 			err = -EINVAL;
6823 			goto out;
6824 		}
6825 		tmp = nla_get_u8(info->attrs[NL80211_ATTR_P2P_OPPPS]);
6826 		params->p2p_opp_ps = tmp;
6827 		if (params->p2p_opp_ps != 0 &&
6828 		    !(rdev->wiphy.features & NL80211_FEATURE_P2P_GO_OPPPS)) {
6829 			err = -EINVAL;
6830 			goto out;
6831 		}
6832 	}
6833 
6834 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
6835 		err = nl80211_parse_chandef(rdev, info->extack, info->attrs,
6836 					    &params->chandef);
6837 		if (err)
6838 			goto out;
6839 	} else if (wdev->valid_links) {
6840 		/* with MLD need to specify the channel configuration */
6841 		err = -EINVAL;
6842 		goto out;
6843 	} else if (wdev->u.ap.preset_chandef.chan) {
6844 		params->chandef = wdev->u.ap.preset_chandef;
6845 	} else if (!nl80211_get_ap_channel(rdev, params)) {
6846 		err = -EINVAL;
6847 		goto out;
6848 	}
6849 
6850 	beacon_check.iftype = wdev->iftype;
6851 	beacon_check.relax = true;
6852 	beacon_check.reg_power =
6853 		cfg80211_get_6ghz_power_type(params->beacon.tail,
6854 					     params->beacon.tail_len, 0);
6855 	if (!cfg80211_reg_check_beaconing(&rdev->wiphy, &params->chandef,
6856 					  &beacon_check)) {
6857 		err = -EINVAL;
6858 		goto out;
6859 	}
6860 
6861 	if (info->attrs[NL80211_ATTR_TX_RATES]) {
6862 		err = nl80211_parse_tx_bitrate_mask(info, info->attrs,
6863 						    NL80211_ATTR_TX_RATES,
6864 						    &params->beacon_rate,
6865 						    dev, false, link_id);
6866 		if (err)
6867 			goto out;
6868 
6869 		err = validate_beacon_tx_rate(rdev, params->chandef.chan->band,
6870 					      &params->beacon_rate);
6871 		if (err)
6872 			goto out;
6873 	}
6874 
6875 	params->pbss = nla_get_flag(info->attrs[NL80211_ATTR_PBSS]);
6876 	if (params->pbss && !rdev->wiphy.bands[NL80211_BAND_60GHZ]) {
6877 		err = -EOPNOTSUPP;
6878 		goto out;
6879 	}
6880 
6881 	if (info->attrs[NL80211_ATTR_ACL_POLICY]) {
6882 		params->acl = parse_acl_data(&rdev->wiphy, info);
6883 		if (IS_ERR(params->acl)) {
6884 			err = PTR_ERR(params->acl);
6885 			params->acl = NULL;
6886 			goto out;
6887 		}
6888 	}
6889 
6890 	params->twt_responder =
6891 		    nla_get_flag(info->attrs[NL80211_ATTR_TWT_RESPONDER]);
6892 
6893 	if (info->attrs[NL80211_ATTR_HE_OBSS_PD]) {
6894 		err = nl80211_parse_he_obss_pd(
6895 					info->attrs[NL80211_ATTR_HE_OBSS_PD],
6896 					&params->he_obss_pd);
6897 		if (err)
6898 			goto out;
6899 	}
6900 
6901 	if (info->attrs[NL80211_ATTR_FILS_DISCOVERY]) {
6902 		err = nl80211_parse_fils_discovery(rdev,
6903 						   info->attrs[NL80211_ATTR_FILS_DISCOVERY],
6904 						   &params->fils_discovery);
6905 		if (err)
6906 			goto out;
6907 	}
6908 
6909 	if (info->attrs[NL80211_ATTR_UNSOL_BCAST_PROBE_RESP]) {
6910 		err = nl80211_parse_unsol_bcast_probe_resp(
6911 			rdev, info->attrs[NL80211_ATTR_UNSOL_BCAST_PROBE_RESP],
6912 			&params->unsol_bcast_probe_resp);
6913 		if (err)
6914 			goto out;
6915 	}
6916 
6917 	if (info->attrs[NL80211_ATTR_MBSSID_CONFIG]) {
6918 		err = nl80211_parse_mbssid_config(&rdev->wiphy, dev, link_id,
6919 						  info->attrs[NL80211_ATTR_MBSSID_CONFIG],
6920 						  &params->mbssid_config,
6921 						  params->beacon.mbssid_ies ?
6922 							params->beacon.mbssid_ies->cnt :
6923 							0);
6924 		if (err)
6925 			goto out;
6926 	}
6927 
6928 	if (!params->mbssid_config.ema && params->beacon.rnr_ies) {
6929 		err = -EINVAL;
6930 		goto out;
6931 	}
6932 
6933 	if (info->attrs[NL80211_ATTR_S1G_SHORT_BEACON]) {
6934 		if (!info->attrs[NL80211_ATTR_S1G_LONG_BEACON_PERIOD]) {
6935 			err = -EINVAL;
6936 			goto out;
6937 		}
6938 
6939 		params->s1g_long_beacon_period = nla_get_u8(
6940 			info->attrs[NL80211_ATTR_S1G_LONG_BEACON_PERIOD]);
6941 
6942 		err = nl80211_parse_s1g_short_beacon(
6943 			rdev, info->attrs[NL80211_ATTR_S1G_SHORT_BEACON],
6944 			&params->s1g_short_beacon);
6945 		if (err)
6946 			goto out;
6947 	}
6948 
6949 	err = nl80211_calculate_ap_params(params);
6950 	if (err)
6951 		goto out;
6952 
6953 	err = nl80211_validate_ap_phy_operation(params);
6954 	if (err)
6955 		goto out;
6956 
6957 	if (info->attrs[NL80211_ATTR_AP_SETTINGS_FLAGS])
6958 		params->flags = nla_get_u32(
6959 			info->attrs[NL80211_ATTR_AP_SETTINGS_FLAGS]);
6960 	else if (info->attrs[NL80211_ATTR_EXTERNAL_AUTH_SUPPORT])
6961 		params->flags |= NL80211_AP_SETTINGS_EXTERNAL_AUTH_SUPPORT;
6962 
6963 	if (wdev->conn_owner_nlportid &&
6964 	    info->attrs[NL80211_ATTR_SOCKET_OWNER] &&
6965 	    wdev->conn_owner_nlportid != info->snd_portid) {
6966 		err = -EINVAL;
6967 		goto out;
6968 	}
6969 
6970 	/* FIXME: validate MLO/link-id against driver capabilities */
6971 
6972 	err = rdev_start_ap(rdev, dev, params);
6973 	if (!err) {
6974 		wdev->links[link_id].ap.beacon_interval = params->beacon_interval;
6975 		wdev->links[link_id].ap.chandef = params->chandef;
6976 		wdev->u.ap.ssid_len = params->ssid_len;
6977 		memcpy(wdev->u.ap.ssid, params->ssid,
6978 		       params->ssid_len);
6979 
6980 		if (info->attrs[NL80211_ATTR_SOCKET_OWNER])
6981 			wdev->conn_owner_nlportid = info->snd_portid;
6982 
6983 		nl80211_send_ap_started(wdev, link_id);
6984 	}
6985 out:
6986 	kfree(params->acl);
6987 	kfree(params->beacon.mbssid_ies);
6988 	if (params->mbssid_config.tx_wdev &&
6989 	    params->mbssid_config.tx_wdev->netdev &&
6990 	    params->mbssid_config.tx_wdev->netdev != dev)
6991 		dev_put(params->mbssid_config.tx_wdev->netdev);
6992 	kfree(params->beacon.rnr_ies);
6993 	kfree(params);
6994 
6995 	return err;
6996 }
6997 
6998 static int nl80211_set_beacon(struct sk_buff *skb, struct genl_info *info)
6999 {
7000 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7001 	struct cfg80211_beaconing_check_config beacon_check = {};
7002 	unsigned int link_id = nl80211_link_id(info->attrs);
7003 	struct net_device *dev = info->user_ptr[1];
7004 	struct wireless_dev *wdev = dev->ieee80211_ptr;
7005 	struct cfg80211_ap_update *params;
7006 	struct nlattr *attr;
7007 	int err;
7008 
7009 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
7010 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
7011 		return -EOPNOTSUPP;
7012 
7013 	if (!rdev->ops->change_beacon)
7014 		return -EOPNOTSUPP;
7015 
7016 	if (!wdev->links[link_id].ap.beacon_interval)
7017 		return -EINVAL;
7018 
7019 	params = kzalloc_obj(*params);
7020 	if (!params)
7021 		return -ENOMEM;
7022 
7023 	err = nl80211_parse_beacon(rdev, info->attrs, &params->beacon,
7024 				   info->extack);
7025 	if (err)
7026 		goto out;
7027 
7028 	/* recheck beaconing is permitted with possibly changed power type */
7029 	beacon_check.iftype = wdev->iftype;
7030 	beacon_check.relax = true;
7031 	beacon_check.reg_power =
7032 		cfg80211_get_6ghz_power_type(params->beacon.tail,
7033 					     params->beacon.tail_len, 0);
7034 	if (!cfg80211_reg_check_beaconing(&rdev->wiphy,
7035 					  &wdev->links[link_id].ap.chandef,
7036 					  &beacon_check)) {
7037 		err = -EINVAL;
7038 		goto out;
7039 	}
7040 
7041 	attr = info->attrs[NL80211_ATTR_FILS_DISCOVERY];
7042 	if (attr) {
7043 		err = nl80211_parse_fils_discovery(rdev, attr,
7044 						   &params->fils_discovery);
7045 		if (err)
7046 			goto out;
7047 	}
7048 
7049 	attr = info->attrs[NL80211_ATTR_UNSOL_BCAST_PROBE_RESP];
7050 	if (attr) {
7051 		err = nl80211_parse_unsol_bcast_probe_resp(rdev, attr,
7052 							   &params->unsol_bcast_probe_resp);
7053 		if (err)
7054 			goto out;
7055 	}
7056 
7057 	attr = info->attrs[NL80211_ATTR_S1G_SHORT_BEACON];
7058 	if (attr) {
7059 		err = nl80211_parse_s1g_short_beacon(rdev, attr,
7060 						     &params->s1g_short_beacon);
7061 		if (err)
7062 			goto out;
7063 	}
7064 
7065 	err = rdev_change_beacon(rdev, dev, params);
7066 
7067 out:
7068 	kfree(params->beacon.mbssid_ies);
7069 	kfree(params->beacon.rnr_ies);
7070 	kfree(params);
7071 	return err;
7072 }
7073 
7074 static int nl80211_stop_ap(struct sk_buff *skb, struct genl_info *info)
7075 {
7076 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7077 	unsigned int link_id = nl80211_link_id(info->attrs);
7078 	struct net_device *dev = info->user_ptr[1];
7079 
7080 	return cfg80211_stop_ap(rdev, dev, link_id, false);
7081 }
7082 
7083 static const struct nla_policy sta_flags_policy[NL80211_STA_FLAG_MAX + 1] = {
7084 	[NL80211_STA_FLAG_AUTHORIZED] = { .type = NLA_FLAG },
7085 	[NL80211_STA_FLAG_SHORT_PREAMBLE] = { .type = NLA_FLAG },
7086 	[NL80211_STA_FLAG_WME] = { .type = NLA_FLAG },
7087 	[NL80211_STA_FLAG_MFP] = { .type = NLA_FLAG },
7088 	[NL80211_STA_FLAG_AUTHENTICATED] = { .type = NLA_FLAG },
7089 	[NL80211_STA_FLAG_TDLS_PEER] = { .type = NLA_FLAG },
7090 };
7091 
7092 static int parse_station_flags(struct genl_info *info,
7093 			       enum nl80211_iftype iftype,
7094 			       struct station_parameters *params)
7095 {
7096 	struct nlattr *flags[NL80211_STA_FLAG_MAX + 1];
7097 	struct nlattr *nla;
7098 	int flag;
7099 
7100 	/*
7101 	 * Try parsing the new attribute first so userspace
7102 	 * can specify both for older kernels.
7103 	 */
7104 	nla = info->attrs[NL80211_ATTR_STA_FLAGS2];
7105 	if (nla) {
7106 		struct nl80211_sta_flag_update *sta_flags;
7107 
7108 		sta_flags = nla_data(nla);
7109 		params->sta_flags_mask = sta_flags->mask;
7110 		params->sta_flags_set = sta_flags->set;
7111 		params->sta_flags_set &= params->sta_flags_mask;
7112 		if ((params->sta_flags_mask |
7113 		     params->sta_flags_set) & BIT(__NL80211_STA_FLAG_INVALID))
7114 			return -EINVAL;
7115 		return 0;
7116 	}
7117 
7118 	/* if present, parse the old attribute */
7119 
7120 	nla = info->attrs[NL80211_ATTR_STA_FLAGS];
7121 	if (!nla)
7122 		return 0;
7123 
7124 	if (nla_parse_nested_deprecated(flags, NL80211_STA_FLAG_MAX, nla, sta_flags_policy, info->extack))
7125 		return -EINVAL;
7126 
7127 	/*
7128 	 * Only allow certain flags for interface types so that
7129 	 * other attributes are silently ignored. Remember that
7130 	 * this is backward compatibility code with old userspace
7131 	 * and shouldn't be hit in other cases anyway.
7132 	 */
7133 	switch (iftype) {
7134 	case NL80211_IFTYPE_AP:
7135 	case NL80211_IFTYPE_AP_VLAN:
7136 	case NL80211_IFTYPE_P2P_GO:
7137 		params->sta_flags_mask = BIT(NL80211_STA_FLAG_AUTHORIZED) |
7138 					 BIT(NL80211_STA_FLAG_SHORT_PREAMBLE) |
7139 					 BIT(NL80211_STA_FLAG_WME) |
7140 					 BIT(NL80211_STA_FLAG_MFP);
7141 		break;
7142 	case NL80211_IFTYPE_P2P_CLIENT:
7143 	case NL80211_IFTYPE_STATION:
7144 		params->sta_flags_mask = BIT(NL80211_STA_FLAG_AUTHORIZED) |
7145 					 BIT(NL80211_STA_FLAG_TDLS_PEER);
7146 		break;
7147 	case NL80211_IFTYPE_MESH_POINT:
7148 		params->sta_flags_mask = BIT(NL80211_STA_FLAG_AUTHENTICATED) |
7149 					 BIT(NL80211_STA_FLAG_MFP) |
7150 					 BIT(NL80211_STA_FLAG_AUTHORIZED);
7151 		break;
7152 	default:
7153 		return -EINVAL;
7154 	}
7155 
7156 	for (flag = 1; flag <= NL80211_STA_FLAG_MAX; flag++) {
7157 		if (flags[flag]) {
7158 			params->sta_flags_set |= (1<<flag);
7159 
7160 			/* no longer support new API additions in old API */
7161 			if (flag > NL80211_STA_FLAG_MAX_OLD_API)
7162 				return -EINVAL;
7163 		}
7164 	}
7165 
7166 	return 0;
7167 }
7168 
7169 bool nl80211_put_sta_rate(struct sk_buff *msg, struct rate_info *info, int attr)
7170 {
7171 	struct nlattr *rate;
7172 	u32 bitrate;
7173 	u16 bitrate_compat;
7174 	enum nl80211_rate_info rate_flg;
7175 
7176 	rate = nla_nest_start_noflag(msg, attr);
7177 	if (!rate)
7178 		return false;
7179 
7180 	/* cfg80211_calculate_bitrate will return 0 for mcs >= 32 */
7181 	bitrate = cfg80211_calculate_bitrate(info);
7182 	/* report 16-bit bitrate only if we can */
7183 	bitrate_compat = bitrate < (1UL << 16) ? bitrate : 0;
7184 	if (bitrate > 0 &&
7185 	    nla_put_u32(msg, NL80211_RATE_INFO_BITRATE32, bitrate))
7186 		return false;
7187 	if (bitrate_compat > 0 &&
7188 	    nla_put_u16(msg, NL80211_RATE_INFO_BITRATE, bitrate_compat))
7189 		return false;
7190 
7191 	switch (info->bw) {
7192 	case RATE_INFO_BW_1:
7193 		rate_flg = NL80211_RATE_INFO_1_MHZ_WIDTH;
7194 		break;
7195 	case RATE_INFO_BW_2:
7196 		rate_flg = NL80211_RATE_INFO_2_MHZ_WIDTH;
7197 		break;
7198 	case RATE_INFO_BW_4:
7199 		rate_flg = NL80211_RATE_INFO_4_MHZ_WIDTH;
7200 		break;
7201 	case RATE_INFO_BW_5:
7202 		rate_flg = NL80211_RATE_INFO_5_MHZ_WIDTH;
7203 		break;
7204 	case RATE_INFO_BW_8:
7205 		rate_flg = NL80211_RATE_INFO_8_MHZ_WIDTH;
7206 		break;
7207 	case RATE_INFO_BW_10:
7208 		rate_flg = NL80211_RATE_INFO_10_MHZ_WIDTH;
7209 		break;
7210 	case RATE_INFO_BW_16:
7211 		rate_flg = NL80211_RATE_INFO_16_MHZ_WIDTH;
7212 		break;
7213 	default:
7214 		WARN_ON(1);
7215 		fallthrough;
7216 	case RATE_INFO_BW_20:
7217 		rate_flg = 0;
7218 		break;
7219 	case RATE_INFO_BW_40:
7220 		rate_flg = NL80211_RATE_INFO_40_MHZ_WIDTH;
7221 		break;
7222 	case RATE_INFO_BW_80:
7223 		rate_flg = NL80211_RATE_INFO_80_MHZ_WIDTH;
7224 		break;
7225 	case RATE_INFO_BW_160:
7226 		rate_flg = NL80211_RATE_INFO_160_MHZ_WIDTH;
7227 		break;
7228 	case RATE_INFO_BW_HE_RU:
7229 		rate_flg = 0;
7230 		WARN_ON(!(info->flags & RATE_INFO_FLAGS_HE_MCS));
7231 		break;
7232 	case RATE_INFO_BW_320:
7233 		rate_flg = NL80211_RATE_INFO_320_MHZ_WIDTH;
7234 		break;
7235 	case RATE_INFO_BW_EHT_RU:
7236 		rate_flg = 0;
7237 		WARN_ON(!(info->flags & RATE_INFO_FLAGS_EHT_MCS) &&
7238 			!(info->flags & RATE_INFO_FLAGS_UHR_MCS));
7239 		break;
7240 	}
7241 
7242 	if (rate_flg && nla_put_flag(msg, rate_flg))
7243 		return false;
7244 
7245 	if (info->flags & RATE_INFO_FLAGS_MCS) {
7246 		if (nla_put_u8(msg, NL80211_RATE_INFO_MCS, info->mcs))
7247 			return false;
7248 		if (info->flags & RATE_INFO_FLAGS_SHORT_GI &&
7249 		    nla_put_flag(msg, NL80211_RATE_INFO_SHORT_GI))
7250 			return false;
7251 	} else if (info->flags & RATE_INFO_FLAGS_VHT_MCS) {
7252 		if (nla_put_u8(msg, NL80211_RATE_INFO_VHT_MCS, info->mcs))
7253 			return false;
7254 		if (nla_put_u8(msg, NL80211_RATE_INFO_VHT_NSS, info->nss))
7255 			return false;
7256 		if (info->flags & RATE_INFO_FLAGS_SHORT_GI &&
7257 		    nla_put_flag(msg, NL80211_RATE_INFO_SHORT_GI))
7258 			return false;
7259 	} else if (info->flags & RATE_INFO_FLAGS_HE_MCS) {
7260 		if (nla_put_u8(msg, NL80211_RATE_INFO_HE_MCS, info->mcs))
7261 			return false;
7262 		if (nla_put_u8(msg, NL80211_RATE_INFO_HE_NSS, info->nss))
7263 			return false;
7264 		if (nla_put_u8(msg, NL80211_RATE_INFO_HE_GI, info->he_gi))
7265 			return false;
7266 		if (nla_put_u8(msg, NL80211_RATE_INFO_HE_DCM, info->he_dcm))
7267 			return false;
7268 		if (info->bw == RATE_INFO_BW_HE_RU &&
7269 		    nla_put_u8(msg, NL80211_RATE_INFO_HE_RU_ALLOC,
7270 			       info->he_ru_alloc))
7271 			return false;
7272 	} else if (info->flags & RATE_INFO_FLAGS_S1G_MCS) {
7273 		if (nla_put_u8(msg, NL80211_RATE_INFO_S1G_MCS, info->mcs))
7274 			return false;
7275 		if (nla_put_u8(msg, NL80211_RATE_INFO_S1G_NSS, info->nss))
7276 			return false;
7277 		if (info->flags & RATE_INFO_FLAGS_SHORT_GI &&
7278 		    nla_put_flag(msg, NL80211_RATE_INFO_SHORT_GI))
7279 			return false;
7280 	} else if (info->flags & RATE_INFO_FLAGS_EHT_MCS) {
7281 		if (nla_put_u8(msg, NL80211_RATE_INFO_EHT_MCS, info->mcs))
7282 			return false;
7283 		if (nla_put_u8(msg, NL80211_RATE_INFO_EHT_NSS, info->nss))
7284 			return false;
7285 		if (nla_put_u8(msg, NL80211_RATE_INFO_EHT_GI, info->eht_gi))
7286 			return false;
7287 		if (info->bw == RATE_INFO_BW_EHT_RU &&
7288 		    nla_put_u8(msg, NL80211_RATE_INFO_EHT_RU_ALLOC,
7289 			       info->eht_ru_alloc))
7290 			return false;
7291 	} else if (info->flags & RATE_INFO_FLAGS_UHR_MCS) {
7292 		if (nla_put_u8(msg, NL80211_RATE_INFO_UHR_MCS, info->mcs))
7293 			return false;
7294 		if (nla_put_u8(msg, NL80211_RATE_INFO_EHT_NSS, info->nss))
7295 			return false;
7296 		if (nla_put_u8(msg, NL80211_RATE_INFO_EHT_GI, info->eht_gi))
7297 			return false;
7298 		if (info->bw == RATE_INFO_BW_EHT_RU &&
7299 		    nla_put_u8(msg, NL80211_RATE_INFO_EHT_RU_ALLOC,
7300 			       info->eht_ru_alloc))
7301 			return false;
7302 		if (info->flags & RATE_INFO_FLAGS_UHR_ELR_MCS &&
7303 		    nla_put_flag(msg, NL80211_RATE_INFO_UHR_ELR))
7304 			return false;
7305 		if (info->flags & RATE_INFO_FLAGS_UHR_IM &&
7306 		    nla_put_flag(msg, NL80211_RATE_INFO_UHR_IM))
7307 			return false;
7308 	}
7309 
7310 	nla_nest_end(msg, rate);
7311 	return true;
7312 }
7313 
7314 static bool nl80211_put_signal(struct sk_buff *msg, u8 mask, s8 *signal,
7315 			       int id)
7316 {
7317 	void *attr;
7318 	int i = 0;
7319 
7320 	if (!mask)
7321 		return true;
7322 
7323 	attr = nla_nest_start_noflag(msg, id);
7324 	if (!attr)
7325 		return false;
7326 
7327 	for (i = 0; i < IEEE80211_MAX_CHAINS; i++) {
7328 		if (!(mask & BIT(i)))
7329 			continue;
7330 
7331 		if (nla_put_u8(msg, i, signal[i]))
7332 			return false;
7333 	}
7334 
7335 	nla_nest_end(msg, attr);
7336 
7337 	return true;
7338 }
7339 
7340 static int nl80211_fill_link_station(struct sk_buff *msg,
7341 				     struct cfg80211_registered_device *rdev,
7342 				     struct link_station_info *link_sinfo)
7343 {
7344 	struct nlattr *bss_param, *link_sinfoattr;
7345 
7346 #define PUT_LINK_SINFO(attr, memb, type) do {				\
7347 	BUILD_BUG_ON(sizeof(type) == sizeof(u64));			\
7348 	if (link_sinfo->filled & BIT_ULL(NL80211_STA_INFO_ ## attr) &&	\
7349 	    nla_put_ ## type(msg, NL80211_STA_INFO_ ## attr,		\
7350 			     link_sinfo->memb))				\
7351 		goto nla_put_failure;					\
7352 	} while (0)
7353 #define PUT_LINK_SINFO_U64(attr, memb) do {				\
7354 	if (link_sinfo->filled & BIT_ULL(NL80211_STA_INFO_ ## attr) &&	\
7355 	    nla_put_u64_64bit(msg, NL80211_STA_INFO_ ## attr,		\
7356 			      link_sinfo->memb, NL80211_STA_INFO_PAD))	\
7357 		goto nla_put_failure;					\
7358 	} while (0)
7359 
7360 	link_sinfoattr = nla_nest_start_noflag(msg, NL80211_ATTR_STA_INFO);
7361 	if (!link_sinfoattr)
7362 		goto nla_put_failure;
7363 
7364 	PUT_LINK_SINFO(INACTIVE_TIME, inactive_time, u32);
7365 
7366 	if (link_sinfo->filled & (BIT_ULL(NL80211_STA_INFO_RX_BYTES) |
7367 			     BIT_ULL(NL80211_STA_INFO_RX_BYTES64)) &&
7368 	    nla_put_u32(msg, NL80211_STA_INFO_RX_BYTES,
7369 			(u32)link_sinfo->rx_bytes))
7370 		goto nla_put_failure;
7371 
7372 	if (link_sinfo->filled & (BIT_ULL(NL80211_STA_INFO_TX_BYTES) |
7373 			     BIT_ULL(NL80211_STA_INFO_TX_BYTES64)) &&
7374 	    nla_put_u32(msg, NL80211_STA_INFO_TX_BYTES,
7375 			(u32)link_sinfo->tx_bytes))
7376 		goto nla_put_failure;
7377 
7378 	PUT_LINK_SINFO_U64(RX_BYTES64, rx_bytes);
7379 	PUT_LINK_SINFO_U64(TX_BYTES64, tx_bytes);
7380 	PUT_LINK_SINFO_U64(RX_DURATION, rx_duration);
7381 	PUT_LINK_SINFO_U64(TX_DURATION, tx_duration);
7382 
7383 	if (wiphy_ext_feature_isset(&rdev->wiphy,
7384 				    NL80211_EXT_FEATURE_AIRTIME_FAIRNESS))
7385 		PUT_LINK_SINFO(AIRTIME_WEIGHT, airtime_weight, u16);
7386 
7387 	switch (rdev->wiphy.signal_type) {
7388 	case CFG80211_SIGNAL_TYPE_MBM:
7389 		PUT_LINK_SINFO(SIGNAL, signal, u8);
7390 		PUT_LINK_SINFO(SIGNAL_AVG, signal_avg, u8);
7391 		break;
7392 	default:
7393 		break;
7394 	}
7395 	if (link_sinfo->filled & BIT_ULL(NL80211_STA_INFO_CHAIN_SIGNAL)) {
7396 		if (!nl80211_put_signal(msg, link_sinfo->chains,
7397 					link_sinfo->chain_signal,
7398 					NL80211_STA_INFO_CHAIN_SIGNAL))
7399 			goto nla_put_failure;
7400 	}
7401 	if (link_sinfo->filled & BIT_ULL(NL80211_STA_INFO_CHAIN_SIGNAL_AVG)) {
7402 		if (!nl80211_put_signal(msg, link_sinfo->chains,
7403 					link_sinfo->chain_signal_avg,
7404 					NL80211_STA_INFO_CHAIN_SIGNAL_AVG))
7405 			goto nla_put_failure;
7406 	}
7407 	if (link_sinfo->filled & BIT_ULL(NL80211_STA_INFO_TX_BITRATE)) {
7408 		if (!nl80211_put_sta_rate(msg, &link_sinfo->txrate,
7409 					  NL80211_STA_INFO_TX_BITRATE))
7410 			goto nla_put_failure;
7411 	}
7412 	if (link_sinfo->filled & BIT_ULL(NL80211_STA_INFO_RX_BITRATE)) {
7413 		if (!nl80211_put_sta_rate(msg, &link_sinfo->rxrate,
7414 					  NL80211_STA_INFO_RX_BITRATE))
7415 			goto nla_put_failure;
7416 	}
7417 
7418 	PUT_LINK_SINFO(RX_PACKETS, rx_packets, u32);
7419 	PUT_LINK_SINFO(TX_PACKETS, tx_packets, u32);
7420 	PUT_LINK_SINFO(TX_RETRIES, tx_retries, u32);
7421 	PUT_LINK_SINFO(TX_FAILED, tx_failed, u32);
7422 	PUT_LINK_SINFO(EXPECTED_THROUGHPUT, expected_throughput, u32);
7423 	PUT_LINK_SINFO(BEACON_LOSS, beacon_loss_count, u32);
7424 
7425 	if (link_sinfo->filled & BIT_ULL(NL80211_STA_INFO_BSS_PARAM)) {
7426 		bss_param = nla_nest_start_noflag(msg,
7427 						  NL80211_STA_INFO_BSS_PARAM);
7428 		if (!bss_param)
7429 			goto nla_put_failure;
7430 
7431 		if (((link_sinfo->bss_param.flags &
7432 		      BSS_PARAM_FLAGS_CTS_PROT) &&
7433 		     nla_put_flag(msg, NL80211_STA_BSS_PARAM_CTS_PROT)) ||
7434 		    ((link_sinfo->bss_param.flags &
7435 		      BSS_PARAM_FLAGS_SHORT_PREAMBLE) &&
7436 		     nla_put_flag(msg,
7437 				  NL80211_STA_BSS_PARAM_SHORT_PREAMBLE)) ||
7438 		    ((link_sinfo->bss_param.flags &
7439 		      BSS_PARAM_FLAGS_SHORT_SLOT_TIME) &&
7440 		     nla_put_flag(msg,
7441 				  NL80211_STA_BSS_PARAM_SHORT_SLOT_TIME)) ||
7442 		    nla_put_u8(msg, NL80211_STA_BSS_PARAM_DTIM_PERIOD,
7443 			       link_sinfo->bss_param.dtim_period) ||
7444 		    nla_put_u16(msg, NL80211_STA_BSS_PARAM_BEACON_INTERVAL,
7445 				link_sinfo->bss_param.beacon_interval))
7446 			goto nla_put_failure;
7447 
7448 		nla_nest_end(msg, bss_param);
7449 	}
7450 
7451 	PUT_LINK_SINFO_U64(RX_DROP_MISC, rx_dropped_misc);
7452 	PUT_LINK_SINFO_U64(BEACON_RX, rx_beacon);
7453 	PUT_LINK_SINFO(BEACON_SIGNAL_AVG, rx_beacon_signal_avg, u8);
7454 	PUT_LINK_SINFO(RX_MPDUS, rx_mpdu_count, u32);
7455 	PUT_LINK_SINFO(FCS_ERROR_COUNT, fcs_err_count, u32);
7456 	if (wiphy_ext_feature_isset(&rdev->wiphy,
7457 				    NL80211_EXT_FEATURE_ACK_SIGNAL_SUPPORT)) {
7458 		PUT_LINK_SINFO(ACK_SIGNAL, ack_signal, u8);
7459 		PUT_LINK_SINFO(ACK_SIGNAL_AVG, avg_ack_signal, s8);
7460 	}
7461 
7462 #undef PUT_LINK_SINFO
7463 #undef PUT_LINK_SINFO_U64
7464 
7465 	if (link_sinfo->pertid) {
7466 		struct nlattr *tidsattr;
7467 		int tid;
7468 
7469 		tidsattr = nla_nest_start_noflag(msg,
7470 						 NL80211_STA_INFO_TID_STATS);
7471 		if (!tidsattr)
7472 			goto nla_put_failure;
7473 
7474 		for (tid = 0; tid < IEEE80211_NUM_TIDS + 1; tid++) {
7475 			struct cfg80211_tid_stats *tidstats;
7476 			struct nlattr *tidattr;
7477 
7478 			tidstats = &link_sinfo->pertid[tid];
7479 
7480 			if (!tidstats->filled)
7481 				continue;
7482 
7483 			tidattr = nla_nest_start_noflag(msg, tid + 1);
7484 			if (!tidattr)
7485 				goto nla_put_failure;
7486 
7487 #define PUT_TIDVAL_U64(attr, memb) do {					\
7488 	if (tidstats->filled & BIT(NL80211_TID_STATS_ ## attr) &&	\
7489 	    nla_put_u64_64bit(msg, NL80211_TID_STATS_ ## attr,		\
7490 			      tidstats->memb, NL80211_TID_STATS_PAD))	\
7491 		goto nla_put_failure;					\
7492 	} while (0)
7493 
7494 			PUT_TIDVAL_U64(RX_MSDU, rx_msdu);
7495 			PUT_TIDVAL_U64(TX_MSDU, tx_msdu);
7496 			PUT_TIDVAL_U64(TX_MSDU_RETRIES, tx_msdu_retries);
7497 			PUT_TIDVAL_U64(TX_MSDU_FAILED, tx_msdu_failed);
7498 
7499 #undef PUT_TIDVAL_U64
7500 			if ((tidstats->filled &
7501 			     BIT(NL80211_TID_STATS_TXQ_STATS)) &&
7502 			    !nl80211_put_txq_stats(msg, &tidstats->txq_stats,
7503 						   NL80211_TID_STATS_TXQ_STATS))
7504 				goto nla_put_failure;
7505 
7506 			nla_nest_end(msg, tidattr);
7507 		}
7508 
7509 		nla_nest_end(msg, tidsattr);
7510 	}
7511 
7512 	nla_nest_end(msg, link_sinfoattr);
7513 	return 0;
7514 
7515 nla_put_failure:
7516 	return -EMSGSIZE;
7517 }
7518 
7519 static int nl80211_send_station(struct sk_buff *msg, u32 cmd, u32 portid,
7520 				u32 seq, int flags,
7521 				struct cfg80211_registered_device *rdev,
7522 				struct wireless_dev *wdev,
7523 				const u8 *mac_addr, struct station_info *sinfo,
7524 				bool link_stats)
7525 {
7526 	void *hdr;
7527 	struct nlattr *sinfoattr, *bss_param;
7528 	struct link_station_info *link_sinfo;
7529 	struct nlattr *links, *link;
7530 	int link_id;
7531 
7532 	hdr = nl80211hdr_put(msg, portid, seq, flags, cmd);
7533 	if (!hdr) {
7534 		cfg80211_sinfo_release_content(sinfo);
7535 		return -1;
7536 	}
7537 
7538 	if ((wdev->netdev &&
7539 	     nla_put_u32(msg, NL80211_ATTR_IFINDEX, wdev->netdev->ifindex)) ||
7540 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
7541 			      NL80211_ATTR_PAD) ||
7542 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac_addr) ||
7543 	    nla_put_u32(msg, NL80211_ATTR_GENERATION, sinfo->generation))
7544 		goto nla_put_failure;
7545 
7546 	sinfoattr = nla_nest_start_noflag(msg, NL80211_ATTR_STA_INFO);
7547 	if (!sinfoattr)
7548 		goto nla_put_failure;
7549 
7550 #define PUT_SINFO(attr, memb, type) do {				\
7551 	BUILD_BUG_ON(sizeof(type) == sizeof(u64));			\
7552 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_ ## attr) &&	\
7553 	    nla_put_ ## type(msg, NL80211_STA_INFO_ ## attr,		\
7554 			     sinfo->memb))				\
7555 		goto nla_put_failure;					\
7556 	} while (0)
7557 #define PUT_SINFO_U64(attr, memb) do {					\
7558 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_ ## attr) &&	\
7559 	    nla_put_u64_64bit(msg, NL80211_STA_INFO_ ## attr,		\
7560 			      sinfo->memb, NL80211_STA_INFO_PAD))	\
7561 		goto nla_put_failure;					\
7562 	} while (0)
7563 
7564 	PUT_SINFO(CONNECTED_TIME, connected_time, u32);
7565 	PUT_SINFO(INACTIVE_TIME, inactive_time, u32);
7566 	PUT_SINFO_U64(ASSOC_AT_BOOTTIME, assoc_at);
7567 
7568 	if (sinfo->filled & (BIT_ULL(NL80211_STA_INFO_RX_BYTES) |
7569 			     BIT_ULL(NL80211_STA_INFO_RX_BYTES64)) &&
7570 	    nla_put_u32(msg, NL80211_STA_INFO_RX_BYTES,
7571 			(u32)sinfo->rx_bytes))
7572 		goto nla_put_failure;
7573 
7574 	if (sinfo->filled & (BIT_ULL(NL80211_STA_INFO_TX_BYTES) |
7575 			     BIT_ULL(NL80211_STA_INFO_TX_BYTES64)) &&
7576 	    nla_put_u32(msg, NL80211_STA_INFO_TX_BYTES,
7577 			(u32)sinfo->tx_bytes))
7578 		goto nla_put_failure;
7579 
7580 	PUT_SINFO_U64(RX_BYTES64, rx_bytes);
7581 	PUT_SINFO_U64(TX_BYTES64, tx_bytes);
7582 	PUT_SINFO_U64(RX_DURATION, rx_duration);
7583 	PUT_SINFO_U64(TX_DURATION, tx_duration);
7584 
7585 	if (wiphy_ext_feature_isset(&rdev->wiphy,
7586 				    NL80211_EXT_FEATURE_AIRTIME_FAIRNESS))
7587 		PUT_SINFO(AIRTIME_WEIGHT, airtime_weight, u16);
7588 
7589 	switch (rdev->wiphy.signal_type) {
7590 	case CFG80211_SIGNAL_TYPE_MBM:
7591 		PUT_SINFO(SIGNAL, signal, u8);
7592 		PUT_SINFO(SIGNAL_AVG, signal_avg, u8);
7593 		break;
7594 	default:
7595 		break;
7596 	}
7597 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_CHAIN_SIGNAL)) {
7598 		if (!nl80211_put_signal(msg, sinfo->chains,
7599 					sinfo->chain_signal,
7600 					NL80211_STA_INFO_CHAIN_SIGNAL))
7601 			goto nla_put_failure;
7602 	}
7603 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_CHAIN_SIGNAL_AVG)) {
7604 		if (!nl80211_put_signal(msg, sinfo->chains,
7605 					sinfo->chain_signal_avg,
7606 					NL80211_STA_INFO_CHAIN_SIGNAL_AVG))
7607 			goto nla_put_failure;
7608 	}
7609 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_TX_BITRATE)) {
7610 		if (!nl80211_put_sta_rate(msg, &sinfo->txrate,
7611 					  NL80211_STA_INFO_TX_BITRATE))
7612 			goto nla_put_failure;
7613 	}
7614 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_RX_BITRATE)) {
7615 		if (!nl80211_put_sta_rate(msg, &sinfo->rxrate,
7616 					  NL80211_STA_INFO_RX_BITRATE))
7617 			goto nla_put_failure;
7618 	}
7619 
7620 	PUT_SINFO(RX_PACKETS, rx_packets, u32);
7621 	PUT_SINFO(TX_PACKETS, tx_packets, u32);
7622 	PUT_SINFO(TX_RETRIES, tx_retries, u32);
7623 	PUT_SINFO(TX_FAILED, tx_failed, u32);
7624 	PUT_SINFO(EXPECTED_THROUGHPUT, expected_throughput, u32);
7625 	PUT_SINFO(BEACON_LOSS, beacon_loss_count, u32);
7626 
7627 	PUT_SINFO(LLID, llid, u16);
7628 	PUT_SINFO(PLID, plid, u16);
7629 	PUT_SINFO(PLINK_STATE, plink_state, u8);
7630 	PUT_SINFO(AIRTIME_LINK_METRIC, airtime_link_metric, u32);
7631 	PUT_SINFO(LOCAL_PM, local_pm, u32);
7632 	PUT_SINFO(PEER_PM, peer_pm, u32);
7633 	PUT_SINFO(NONPEER_PM, nonpeer_pm, u32);
7634 	PUT_SINFO(CONNECTED_TO_GATE, connected_to_gate, u8);
7635 	PUT_SINFO(CONNECTED_TO_AS, connected_to_as, u8);
7636 	PUT_SINFO_U64(T_OFFSET, t_offset);
7637 
7638 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_BSS_PARAM)) {
7639 		bss_param = nla_nest_start_noflag(msg,
7640 						  NL80211_STA_INFO_BSS_PARAM);
7641 		if (!bss_param)
7642 			goto nla_put_failure;
7643 
7644 		if (((sinfo->bss_param.flags & BSS_PARAM_FLAGS_CTS_PROT) &&
7645 		     nla_put_flag(msg, NL80211_STA_BSS_PARAM_CTS_PROT)) ||
7646 		    ((sinfo->bss_param.flags & BSS_PARAM_FLAGS_SHORT_PREAMBLE) &&
7647 		     nla_put_flag(msg, NL80211_STA_BSS_PARAM_SHORT_PREAMBLE)) ||
7648 		    ((sinfo->bss_param.flags & BSS_PARAM_FLAGS_SHORT_SLOT_TIME) &&
7649 		     nla_put_flag(msg, NL80211_STA_BSS_PARAM_SHORT_SLOT_TIME)) ||
7650 		    nla_put_u8(msg, NL80211_STA_BSS_PARAM_DTIM_PERIOD,
7651 			       sinfo->bss_param.dtim_period) ||
7652 		    nla_put_u16(msg, NL80211_STA_BSS_PARAM_BEACON_INTERVAL,
7653 				sinfo->bss_param.beacon_interval))
7654 			goto nla_put_failure;
7655 
7656 		nla_nest_end(msg, bss_param);
7657 	}
7658 	if ((sinfo->filled & BIT_ULL(NL80211_STA_INFO_STA_FLAGS)) &&
7659 	    nla_put(msg, NL80211_STA_INFO_STA_FLAGS,
7660 		    sizeof(struct nl80211_sta_flag_update),
7661 		    &sinfo->sta_flags))
7662 		goto nla_put_failure;
7663 
7664 	PUT_SINFO_U64(RX_DROP_MISC, rx_dropped_misc);
7665 	PUT_SINFO_U64(BEACON_RX, rx_beacon);
7666 	PUT_SINFO(BEACON_SIGNAL_AVG, rx_beacon_signal_avg, u8);
7667 	PUT_SINFO(RX_MPDUS, rx_mpdu_count, u32);
7668 	PUT_SINFO(FCS_ERROR_COUNT, fcs_err_count, u32);
7669 	if (wiphy_ext_feature_isset(&rdev->wiphy,
7670 				    NL80211_EXT_FEATURE_ACK_SIGNAL_SUPPORT)) {
7671 		PUT_SINFO(ACK_SIGNAL, ack_signal, u8);
7672 		PUT_SINFO(ACK_SIGNAL_AVG, avg_ack_signal, s8);
7673 	}
7674 
7675 #undef PUT_SINFO
7676 #undef PUT_SINFO_U64
7677 
7678 	if (sinfo->pertid) {
7679 		struct nlattr *tidsattr;
7680 		int tid;
7681 
7682 		tidsattr = nla_nest_start_noflag(msg,
7683 						 NL80211_STA_INFO_TID_STATS);
7684 		if (!tidsattr)
7685 			goto nla_put_failure;
7686 
7687 		for (tid = 0; tid < IEEE80211_NUM_TIDS + 1; tid++) {
7688 			struct cfg80211_tid_stats *tidstats;
7689 			struct nlattr *tidattr;
7690 
7691 			tidstats = &sinfo->pertid[tid];
7692 
7693 			if (!tidstats->filled)
7694 				continue;
7695 
7696 			tidattr = nla_nest_start_noflag(msg, tid + 1);
7697 			if (!tidattr)
7698 				goto nla_put_failure;
7699 
7700 #define PUT_TIDVAL_U64(attr, memb) do {					\
7701 	if (tidstats->filled & BIT(NL80211_TID_STATS_ ## attr) &&	\
7702 	    nla_put_u64_64bit(msg, NL80211_TID_STATS_ ## attr,		\
7703 			      tidstats->memb, NL80211_TID_STATS_PAD))	\
7704 		goto nla_put_failure;					\
7705 	} while (0)
7706 
7707 			PUT_TIDVAL_U64(RX_MSDU, rx_msdu);
7708 			PUT_TIDVAL_U64(TX_MSDU, tx_msdu);
7709 			PUT_TIDVAL_U64(TX_MSDU_RETRIES, tx_msdu_retries);
7710 			PUT_TIDVAL_U64(TX_MSDU_FAILED, tx_msdu_failed);
7711 
7712 #undef PUT_TIDVAL_U64
7713 			if ((tidstats->filled &
7714 			     BIT(NL80211_TID_STATS_TXQ_STATS)) &&
7715 			    !nl80211_put_txq_stats(msg, &tidstats->txq_stats,
7716 						   NL80211_TID_STATS_TXQ_STATS))
7717 				goto nla_put_failure;
7718 
7719 			nla_nest_end(msg, tidattr);
7720 		}
7721 
7722 		nla_nest_end(msg, tidsattr);
7723 	}
7724 
7725 	nla_nest_end(msg, sinfoattr);
7726 
7727 	if (sinfo->assoc_req_ies_len &&
7728 	    nla_put(msg, NL80211_ATTR_IE, sinfo->assoc_req_ies_len,
7729 		    sinfo->assoc_req_ies))
7730 		goto nla_put_failure;
7731 
7732 	if (sinfo->assoc_resp_ies_len &&
7733 	    nla_put(msg, NL80211_ATTR_RESP_IE, sinfo->assoc_resp_ies_len,
7734 		    sinfo->assoc_resp_ies))
7735 		goto nla_put_failure;
7736 
7737 	if (sinfo->mlo_params_valid) {
7738 		if (nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID,
7739 			       sinfo->assoc_link_id))
7740 			goto nla_put_failure;
7741 
7742 		if (!is_zero_ether_addr(sinfo->mld_addr) &&
7743 		    nla_put(msg, NL80211_ATTR_MLD_ADDR, ETH_ALEN,
7744 			    sinfo->mld_addr))
7745 			goto nla_put_failure;
7746 	}
7747 
7748 	if (link_stats && sinfo->valid_links) {
7749 		links = nla_nest_start(msg, NL80211_ATTR_MLO_LINKS);
7750 		if (!links)
7751 			goto nla_put_failure;
7752 
7753 		for_each_valid_link(sinfo, link_id) {
7754 			link_sinfo = sinfo->links[link_id];
7755 
7756 			if (WARN_ON_ONCE(!link_sinfo))
7757 				continue;
7758 
7759 			if (!is_valid_ether_addr(link_sinfo->addr))
7760 				continue;
7761 
7762 			link = nla_nest_start(msg, link_id + 1);
7763 			if (!link)
7764 				goto nla_put_failure;
7765 
7766 			if (nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID,
7767 				       link_id))
7768 				goto nla_put_failure;
7769 
7770 			if (nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN,
7771 				    link_sinfo->addr))
7772 				goto nla_put_failure;
7773 
7774 			if (nl80211_fill_link_station(msg, rdev, link_sinfo))
7775 				goto nla_put_failure;
7776 
7777 			nla_nest_end(msg, link);
7778 		}
7779 		nla_nest_end(msg, links);
7780 	}
7781 
7782 	cfg80211_sinfo_release_content(sinfo);
7783 	genlmsg_end(msg, hdr);
7784 	return 0;
7785 
7786  nla_put_failure:
7787 	cfg80211_sinfo_release_content(sinfo);
7788 	genlmsg_cancel(msg, hdr);
7789 	return -EMSGSIZE;
7790 }
7791 
7792 static void cfg80211_sta_set_mld_sinfo(struct station_info *sinfo)
7793 {
7794 	struct link_station_info *link_sinfo;
7795 	int link_id, init = 0;
7796 	u32 link_inactive_time;
7797 
7798 	sinfo->signal = -99;
7799 
7800 	for_each_valid_link(sinfo, link_id) {
7801 		link_sinfo = sinfo->links[link_id];
7802 		if (!link_sinfo)
7803 			continue;
7804 
7805 		if ((link_sinfo->filled &
7806 		     BIT_ULL(NL80211_STA_INFO_TX_PACKETS))) {
7807 			sinfo->tx_packets += link_sinfo->tx_packets;
7808 			sinfo->filled |= BIT_ULL(NL80211_STA_INFO_TX_PACKETS);
7809 		}
7810 
7811 		if ((link_sinfo->filled &
7812 		     BIT_ULL(NL80211_STA_INFO_RX_PACKETS))) {
7813 			sinfo->rx_packets += link_sinfo->rx_packets;
7814 			sinfo->filled |= BIT_ULL(NL80211_STA_INFO_RX_PACKETS);
7815 		}
7816 
7817 		if (link_sinfo->filled &
7818 		    (BIT_ULL(NL80211_STA_INFO_TX_BYTES) |
7819 		     BIT_ULL(NL80211_STA_INFO_TX_BYTES64))) {
7820 			sinfo->tx_bytes += link_sinfo->tx_bytes;
7821 			sinfo->filled |= BIT_ULL(NL80211_STA_INFO_TX_BYTES);
7822 		}
7823 
7824 		if (link_sinfo->filled &
7825 		    (BIT_ULL(NL80211_STA_INFO_RX_BYTES) |
7826 		     BIT_ULL(NL80211_STA_INFO_TX_BYTES64))) {
7827 			sinfo->rx_bytes += link_sinfo->rx_bytes;
7828 			sinfo->filled |= BIT_ULL(NL80211_STA_INFO_RX_BYTES);
7829 		}
7830 
7831 		if (link_sinfo->filled &
7832 		    BIT_ULL(NL80211_STA_INFO_TX_RETRIES)) {
7833 			sinfo->tx_retries += link_sinfo->tx_retries;
7834 			sinfo->filled |= BIT_ULL(NL80211_STA_INFO_TX_RETRIES);
7835 		}
7836 
7837 		if (link_sinfo->filled & BIT_ULL(NL80211_STA_INFO_TX_FAILED)) {
7838 			sinfo->tx_failed += link_sinfo->tx_failed;
7839 			sinfo->filled |= BIT_ULL(NL80211_STA_INFO_TX_FAILED);
7840 		}
7841 
7842 		if (link_sinfo->filled &
7843 		    BIT_ULL(NL80211_STA_INFO_RX_DROP_MISC)) {
7844 			sinfo->rx_dropped_misc += link_sinfo->rx_dropped_misc;
7845 			sinfo->filled |=
7846 				BIT_ULL(NL80211_STA_INFO_RX_DROP_MISC);
7847 		}
7848 
7849 		if (link_sinfo->filled &
7850 		    BIT_ULL(NL80211_STA_INFO_BEACON_LOSS)) {
7851 			sinfo->beacon_loss_count +=
7852 				link_sinfo->beacon_loss_count;
7853 			sinfo->filled |= BIT_ULL(NL80211_STA_INFO_BEACON_LOSS);
7854 		}
7855 
7856 		if (link_sinfo->filled &
7857 		    BIT_ULL(NL80211_STA_INFO_EXPECTED_THROUGHPUT)) {
7858 			sinfo->expected_throughput +=
7859 				link_sinfo->expected_throughput;
7860 			sinfo->filled |=
7861 				BIT_ULL(NL80211_STA_INFO_EXPECTED_THROUGHPUT);
7862 		}
7863 
7864 		if (link_sinfo->filled & BIT_ULL(NL80211_STA_INFO_RX_MPDUS)) {
7865 			sinfo->rx_mpdu_count += link_sinfo->rx_mpdu_count;
7866 			sinfo->filled |= BIT_ULL(NL80211_STA_INFO_RX_MPDUS);
7867 		}
7868 
7869 		if (link_sinfo->filled &
7870 		    BIT_ULL(NL80211_STA_INFO_FCS_ERROR_COUNT)) {
7871 			sinfo->fcs_err_count += link_sinfo->fcs_err_count;
7872 			sinfo->filled |=
7873 				BIT_ULL(NL80211_STA_INFO_FCS_ERROR_COUNT);
7874 		}
7875 
7876 		if (link_sinfo->filled &
7877 		    BIT_ULL(NL80211_STA_INFO_BEACON_RX)) {
7878 			sinfo->rx_beacon += link_sinfo->rx_beacon;
7879 			sinfo->filled |= BIT_ULL(NL80211_STA_INFO_BEACON_RX);
7880 		}
7881 
7882 		/* Update MLO signal, signal_avg as best among links */
7883 		if ((link_sinfo->filled & BIT_ULL(NL80211_STA_INFO_SIGNAL)) &&
7884 		    link_sinfo->signal > sinfo->signal) {
7885 			sinfo->signal = link_sinfo->signal;
7886 			sinfo->filled |= BIT_ULL(NL80211_STA_INFO_SIGNAL);
7887 		}
7888 
7889 		if ((link_sinfo->filled &
7890 			BIT_ULL(NL80211_STA_INFO_SIGNAL_AVG)) &&
7891 		    link_sinfo->signal_avg > sinfo->signal_avg) {
7892 			sinfo->signal_avg = link_sinfo->signal_avg;
7893 			sinfo->filled |= BIT_ULL(NL80211_STA_INFO_SIGNAL_AVG);
7894 		}
7895 
7896 		/* Update MLO inactive_time, bss_param based on least
7897 		 * value for corresponding field of link.
7898 		 */
7899 		if ((link_sinfo->filled &
7900 		     BIT_ULL(NL80211_STA_INFO_INACTIVE_TIME)) &&
7901 		    (!init ||
7902 		     link_inactive_time > link_sinfo->inactive_time)) {
7903 			link_inactive_time = link_sinfo->inactive_time;
7904 			sinfo->inactive_time = link_sinfo->inactive_time;
7905 			sinfo->filled |= NL80211_STA_INFO_INACTIVE_TIME;
7906 		}
7907 
7908 		if (link_sinfo->filled & BIT_ULL(NL80211_STA_INFO_BSS_PARAM) &&
7909 		    (!init ||
7910 		     sinfo->bss_param.dtim_period >
7911 		      link_sinfo->bss_param.dtim_period)) {
7912 			sinfo->bss_param.dtim_period =
7913 				link_sinfo->bss_param.dtim_period;
7914 			sinfo->filled |= NL80211_STA_BSS_PARAM_DTIM_PERIOD;
7915 			sinfo->bss_param.beacon_interval =
7916 				link_sinfo->bss_param.beacon_interval;
7917 			sinfo->filled |= NL80211_STA_BSS_PARAM_BEACON_INTERVAL;
7918 		}
7919 
7920 		/* Update MLO rates as per last updated link rate */
7921 		if ((link_sinfo->filled &
7922 		     BIT_ULL(NL80211_STA_INFO_TX_BITRATE)) &&
7923 		    (!init ||
7924 		     link_inactive_time > link_sinfo->inactive_time)) {
7925 			sinfo->txrate = link_sinfo->txrate;
7926 			sinfo->filled |= BIT_ULL(NL80211_STA_INFO_TX_BITRATE);
7927 		}
7928 		if ((link_sinfo->filled &
7929 		     BIT_ULL(NL80211_STA_INFO_RX_BITRATE)) &&
7930 		    (!init ||
7931 		     link_inactive_time > link_sinfo->inactive_time)) {
7932 			sinfo->rxrate = link_sinfo->rxrate;
7933 			sinfo->filled |= BIT_ULL(NL80211_STA_INFO_RX_BITRATE);
7934 		}
7935 
7936 		if (link_sinfo->filled &
7937 		    BIT_ULL(NL80211_STA_INFO_TX_DURATION) &&
7938 		    (!init ||
7939 		     link_inactive_time > link_sinfo->inactive_time)) {
7940 			sinfo->tx_duration += link_sinfo->tx_duration;
7941 			sinfo->filled |=
7942 				BIT_ULL(NL80211_STA_INFO_TX_DURATION);
7943 		}
7944 		if (link_sinfo->filled &
7945 		    BIT_ULL(NL80211_STA_INFO_RX_DURATION) &&
7946 		    (!init ||
7947 		     link_inactive_time > link_sinfo->inactive_time)) {
7948 			sinfo->rx_duration += link_sinfo->rx_duration;
7949 			sinfo->filled |=
7950 				BIT_ULL(NL80211_STA_INFO_RX_DURATION);
7951 		}
7952 		init++;
7953 
7954 		/* pertid stats accumulate for rx/tx fields */
7955 		if (sinfo->pertid) {
7956 			sinfo->pertid->rx_msdu +=
7957 				link_sinfo->pertid->rx_msdu;
7958 			sinfo->pertid->tx_msdu +=
7959 				link_sinfo->pertid->tx_msdu;
7960 			sinfo->pertid->tx_msdu_retries +=
7961 				link_sinfo->pertid->tx_msdu_retries;
7962 			sinfo->pertid->tx_msdu_failed +=
7963 				link_sinfo->pertid->tx_msdu_failed;
7964 
7965 			sinfo->pertid->filled |=
7966 				BIT(NL80211_TID_STATS_RX_MSDU) |
7967 				BIT(NL80211_TID_STATS_TX_MSDU) |
7968 				BIT(NL80211_TID_STATS_TX_MSDU_RETRIES) |
7969 				BIT(NL80211_TID_STATS_TX_MSDU_FAILED);
7970 		}
7971 	}
7972 
7973 	/* Reset sinfo->filled bits to exclude fields which don't make
7974 	 * much sense at the MLO level.
7975 	 */
7976 	sinfo->filled &= ~BIT_ULL(NL80211_STA_INFO_CHAIN_SIGNAL);
7977 	sinfo->filled &= ~BIT_ULL(NL80211_STA_INFO_CHAIN_SIGNAL_AVG);
7978 }
7979 
7980 static int nl80211_dump_station(struct sk_buff *skb,
7981 				struct netlink_callback *cb)
7982 {
7983 	struct station_info sinfo;
7984 	struct cfg80211_registered_device *rdev;
7985 	struct wireless_dev *wdev;
7986 	u8 mac_addr[ETH_ALEN];
7987 	int sta_idx = cb->args[2];
7988 	bool sinfo_alloc = false;
7989 	int err, i;
7990 
7991 	err = nl80211_prepare_wdev_dump(cb, &rdev, &wdev, NULL);
7992 	if (err)
7993 		return err;
7994 	/* nl80211_prepare_wdev_dump acquired it in the successful case */
7995 	__acquire(&rdev->wiphy.mtx);
7996 
7997 	if (!wdev->netdev) {
7998 		err = -EINVAL;
7999 		goto out_err;
8000 	}
8001 
8002 	if (!rdev->ops->dump_station) {
8003 		err = -EOPNOTSUPP;
8004 		goto out_err;
8005 	}
8006 
8007 	while (1) {
8008 		memset(&sinfo, 0, sizeof(sinfo));
8009 
8010 		for (i = 0; i < IEEE80211_MLD_MAX_NUM_LINKS; i++) {
8011 			sinfo.links[i] =
8012 				kzalloc_obj(*sinfo.links[0]);
8013 			if (!sinfo.links[i]) {
8014 				err = -ENOMEM;
8015 				goto out_err;
8016 			}
8017 			sinfo_alloc = true;
8018 		}
8019 
8020 		err = rdev_dump_station(rdev, wdev, sta_idx,
8021 					mac_addr, &sinfo);
8022 		if (err == -ENOENT)
8023 			break;
8024 		if (err)
8025 			goto out_err;
8026 
8027 		if (sinfo.valid_links)
8028 			cfg80211_sta_set_mld_sinfo(&sinfo);
8029 
8030 		/* reset the sinfo_alloc flag as nl80211_send_station()
8031 		 * always releases sinfo
8032 		 */
8033 		sinfo_alloc = false;
8034 
8035 		if (nl80211_send_station(skb, NL80211_CMD_NEW_STATION,
8036 				NETLINK_CB(cb->skb).portid,
8037 				cb->nlh->nlmsg_seq, NLM_F_MULTI,
8038 				rdev, wdev, mac_addr,
8039 				&sinfo, false) < 0)
8040 			goto out;
8041 
8042 		sta_idx++;
8043 	}
8044 
8045  out:
8046 	cb->args[2] = sta_idx;
8047 	err = skb->len;
8048  out_err:
8049 	if (sinfo_alloc)
8050 		cfg80211_sinfo_release_content(&sinfo);
8051 	wiphy_unlock(&rdev->wiphy);
8052 
8053 	return err;
8054 }
8055 
8056 static int nl80211_get_station(struct sk_buff *skb, struct genl_info *info)
8057 {
8058 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8059 	struct wireless_dev *wdev = info->user_ptr[1];
8060 	struct station_info sinfo;
8061 	struct sk_buff *msg;
8062 	u8 *mac_addr = NULL;
8063 	int err, i;
8064 
8065 	memset(&sinfo, 0, sizeof(sinfo));
8066 
8067 	if (!wdev->netdev)
8068 		return -EINVAL;
8069 
8070 	if (!info->attrs[NL80211_ATTR_MAC])
8071 		return -EINVAL;
8072 
8073 	mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
8074 
8075 	if (!rdev->ops->get_station)
8076 		return -EOPNOTSUPP;
8077 
8078 	for (i = 0; i < IEEE80211_MLD_MAX_NUM_LINKS; i++) {
8079 		sinfo.links[i] = kzalloc_obj(*sinfo.links[0]);
8080 		if (!sinfo.links[i]) {
8081 			cfg80211_sinfo_release_content(&sinfo);
8082 			return -ENOMEM;
8083 		}
8084 	}
8085 
8086 	err = rdev_get_station(rdev, wdev, mac_addr, &sinfo);
8087 	if (err) {
8088 		cfg80211_sinfo_release_content(&sinfo);
8089 		return err;
8090 	}
8091 
8092 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
8093 	if (!msg) {
8094 		cfg80211_sinfo_release_content(&sinfo);
8095 		return -ENOMEM;
8096 	}
8097 
8098 	if (sinfo.valid_links)
8099 		cfg80211_sta_set_mld_sinfo(&sinfo);
8100 
8101 	if (nl80211_send_station(msg, NL80211_CMD_NEW_STATION,
8102 				 info->snd_portid, info->snd_seq, 0,
8103 				 rdev, wdev, mac_addr, &sinfo, false) < 0) {
8104 		nlmsg_free(msg);
8105 		return -ENOBUFS;
8106 	}
8107 
8108 	return genlmsg_reply(msg, info);
8109 }
8110 
8111 int cfg80211_check_station_change(struct wiphy *wiphy,
8112 				  struct station_parameters *params,
8113 				  enum cfg80211_station_type statype)
8114 {
8115 	if (params->listen_interval != -1 &&
8116 	    statype != CFG80211_STA_AP_CLIENT_UNASSOC)
8117 		return -EINVAL;
8118 
8119 	if (params->support_p2p_ps != -1 &&
8120 	    statype != CFG80211_STA_AP_CLIENT_UNASSOC)
8121 		return -EINVAL;
8122 
8123 	if (params->aid &&
8124 	    !(params->sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)) &&
8125 	    statype != CFG80211_STA_AP_CLIENT_UNASSOC)
8126 		return -EINVAL;
8127 
8128 	/* When you run into this, adjust the code below for the new flag */
8129 	BUILD_BUG_ON(NL80211_STA_FLAG_MAX != 8);
8130 
8131 	switch (statype) {
8132 	case CFG80211_STA_MESH_PEER_KERNEL:
8133 	case CFG80211_STA_MESH_PEER_USER:
8134 		/*
8135 		 * No ignoring the TDLS flag here -- the userspace mesh
8136 		 * code doesn't have the bug of including TDLS in the
8137 		 * mask everywhere.
8138 		 */
8139 		if (params->sta_flags_mask &
8140 				~(BIT(NL80211_STA_FLAG_AUTHENTICATED) |
8141 				  BIT(NL80211_STA_FLAG_MFP) |
8142 				  BIT(NL80211_STA_FLAG_AUTHORIZED)))
8143 			return -EINVAL;
8144 		break;
8145 	case CFG80211_STA_TDLS_PEER_SETUP:
8146 	case CFG80211_STA_TDLS_PEER_ACTIVE:
8147 		if (!(params->sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)))
8148 			return -EINVAL;
8149 		/* ignore since it can't change */
8150 		params->sta_flags_mask &= ~BIT(NL80211_STA_FLAG_TDLS_PEER);
8151 		break;
8152 	default:
8153 		/* disallow mesh-specific things */
8154 		if (params->plink_action != NL80211_PLINK_ACTION_NO_ACTION)
8155 			return -EINVAL;
8156 		if (params->local_pm)
8157 			return -EINVAL;
8158 		if (params->sta_modify_mask & STATION_PARAM_APPLY_PLINK_STATE)
8159 			return -EINVAL;
8160 	}
8161 
8162 	if (statype != CFG80211_STA_TDLS_PEER_SETUP &&
8163 	    statype != CFG80211_STA_TDLS_PEER_ACTIVE) {
8164 		/* TDLS can't be set, ... */
8165 		if (params->sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER))
8166 			return -EINVAL;
8167 		/*
8168 		 * ... but don't bother the driver with it. This works around
8169 		 * a hostapd/wpa_supplicant issue -- it always includes the
8170 		 * TLDS_PEER flag in the mask even for AP mode.
8171 		 */
8172 		params->sta_flags_mask &= ~BIT(NL80211_STA_FLAG_TDLS_PEER);
8173 	}
8174 
8175 	if (statype != CFG80211_STA_TDLS_PEER_SETUP &&
8176 	    statype != CFG80211_STA_AP_CLIENT_UNASSOC) {
8177 		/* reject other things that can't change */
8178 		if (params->sta_modify_mask & STATION_PARAM_APPLY_UAPSD)
8179 			return -EINVAL;
8180 		if (params->sta_modify_mask & STATION_PARAM_APPLY_CAPABILITY)
8181 			return -EINVAL;
8182 		if (params->link_sta_params.supported_rates)
8183 			return -EINVAL;
8184 		if (params->ext_capab || params->link_sta_params.ht_capa ||
8185 		    params->link_sta_params.vht_capa ||
8186 		    params->link_sta_params.he_capa ||
8187 		    params->link_sta_params.eht_capa ||
8188 		    params->link_sta_params.uhr_capa)
8189 			return -EINVAL;
8190 		if (params->sta_flags_mask & BIT(NL80211_STA_FLAG_SPP_AMSDU))
8191 			return -EINVAL;
8192 	}
8193 
8194 	if (statype != CFG80211_STA_AP_CLIENT &&
8195 	    statype != CFG80211_STA_AP_CLIENT_UNASSOC) {
8196 		if (params->vlan)
8197 			return -EINVAL;
8198 	}
8199 
8200 	/* Accept EMLSR capabilities only for AP client before association */
8201 	if (statype != CFG80211_STA_AP_CLIENT_UNASSOC &&
8202 	    params->eml_cap_present)
8203 		return -EINVAL;
8204 
8205 	switch (statype) {
8206 	case CFG80211_STA_AP_MLME_CLIENT:
8207 		/* Use this only for authorizing/unauthorizing a station */
8208 		if (!(params->sta_flags_mask & BIT(NL80211_STA_FLAG_AUTHORIZED)))
8209 			return -EOPNOTSUPP;
8210 		break;
8211 	case CFG80211_STA_AP_CLIENT:
8212 	case CFG80211_STA_AP_CLIENT_UNASSOC:
8213 		/* accept only the listed bits */
8214 		if (params->sta_flags_mask &
8215 				~(BIT(NL80211_STA_FLAG_AUTHORIZED) |
8216 				  BIT(NL80211_STA_FLAG_AUTHENTICATED) |
8217 				  BIT(NL80211_STA_FLAG_ASSOCIATED) |
8218 				  BIT(NL80211_STA_FLAG_SHORT_PREAMBLE) |
8219 				  BIT(NL80211_STA_FLAG_WME) |
8220 				  BIT(NL80211_STA_FLAG_MFP) |
8221 				  BIT(NL80211_STA_FLAG_SPP_AMSDU)))
8222 			return -EINVAL;
8223 
8224 		/* but authenticated/associated only if driver handles it */
8225 		if (!(wiphy->features & NL80211_FEATURE_FULL_AP_CLIENT_STATE) &&
8226 		    params->sta_flags_mask &
8227 				(BIT(NL80211_STA_FLAG_AUTHENTICATED) |
8228 				 BIT(NL80211_STA_FLAG_ASSOCIATED)))
8229 			return -EINVAL;
8230 		break;
8231 	case CFG80211_STA_IBSS:
8232 	case CFG80211_STA_AP_STA:
8233 		/* reject any changes other than AUTHORIZED */
8234 		if (params->sta_flags_mask & ~BIT(NL80211_STA_FLAG_AUTHORIZED))
8235 			return -EINVAL;
8236 		break;
8237 	case CFG80211_STA_TDLS_PEER_SETUP:
8238 		/* reject any changes other than AUTHORIZED or WME */
8239 		if (params->sta_flags_mask & ~(BIT(NL80211_STA_FLAG_AUTHORIZED) |
8240 					       BIT(NL80211_STA_FLAG_WME)))
8241 			return -EINVAL;
8242 		/* force (at least) rates when authorizing */
8243 		if (params->sta_flags_set & BIT(NL80211_STA_FLAG_AUTHORIZED) &&
8244 		    !params->link_sta_params.supported_rates)
8245 			return -EINVAL;
8246 		break;
8247 	case CFG80211_STA_TDLS_PEER_ACTIVE:
8248 		/* reject any changes */
8249 		return -EINVAL;
8250 	case CFG80211_STA_MESH_PEER_KERNEL:
8251 		if (params->sta_modify_mask & STATION_PARAM_APPLY_PLINK_STATE)
8252 			return -EINVAL;
8253 		break;
8254 	case CFG80211_STA_MESH_PEER_USER:
8255 		if (params->plink_action != NL80211_PLINK_ACTION_NO_ACTION &&
8256 		    params->plink_action != NL80211_PLINK_ACTION_BLOCK)
8257 			return -EINVAL;
8258 		break;
8259 	}
8260 
8261 	/*
8262 	 * Older kernel versions ignored this attribute entirely, so don't
8263 	 * reject attempts to update it but mark it as unused instead so the
8264 	 * driver won't look at the data.
8265 	 */
8266 	if (statype != CFG80211_STA_AP_CLIENT_UNASSOC &&
8267 	    statype != CFG80211_STA_TDLS_PEER_SETUP)
8268 		params->link_sta_params.opmode_notif_used = false;
8269 
8270 	return 0;
8271 }
8272 EXPORT_SYMBOL(cfg80211_check_station_change);
8273 
8274 /*
8275  * Get vlan interface making sure it is running and on the right wiphy.
8276  */
8277 static struct net_device *get_vlan(struct genl_info *info,
8278 				   struct cfg80211_registered_device *rdev)
8279 {
8280 	struct nlattr *vlanattr = info->attrs[NL80211_ATTR_STA_VLAN];
8281 	struct net_device *v;
8282 	int ret;
8283 
8284 	if (!vlanattr)
8285 		return NULL;
8286 
8287 	v = dev_get_by_index(genl_info_net(info), nla_get_u32(vlanattr));
8288 	if (!v)
8289 		return ERR_PTR(-ENODEV);
8290 
8291 	if (!v->ieee80211_ptr || v->ieee80211_ptr->wiphy != &rdev->wiphy) {
8292 		ret = -EINVAL;
8293 		goto error;
8294 	}
8295 
8296 	if (v->ieee80211_ptr->iftype != NL80211_IFTYPE_AP_VLAN &&
8297 	    v->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
8298 	    v->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO) {
8299 		ret = -EINVAL;
8300 		goto error;
8301 	}
8302 
8303 	if (!netif_running(v)) {
8304 		ret = -ENETDOWN;
8305 		goto error;
8306 	}
8307 
8308 	return v;
8309  error:
8310 	dev_put(v);
8311 	return ERR_PTR(ret);
8312 }
8313 
8314 static int nl80211_parse_sta_wme(struct genl_info *info,
8315 				 struct station_parameters *params)
8316 {
8317 	struct nlattr *tb[NL80211_STA_WME_MAX + 1];
8318 	struct nlattr *nla;
8319 	int err;
8320 
8321 	/* parse WME attributes if present */
8322 	if (!info->attrs[NL80211_ATTR_STA_WME])
8323 		return 0;
8324 
8325 	nla = info->attrs[NL80211_ATTR_STA_WME];
8326 	err = nla_parse_nested_deprecated(tb, NL80211_STA_WME_MAX, nla,
8327 					  nl80211_sta_wme_policy,
8328 					  info->extack);
8329 	if (err)
8330 		return err;
8331 
8332 	if (tb[NL80211_STA_WME_UAPSD_QUEUES])
8333 		params->uapsd_queues = nla_get_u8(
8334 			tb[NL80211_STA_WME_UAPSD_QUEUES]);
8335 	if (params->uapsd_queues & ~IEEE80211_WMM_IE_STA_QOSINFO_AC_MASK)
8336 		return -EINVAL;
8337 
8338 	if (tb[NL80211_STA_WME_MAX_SP])
8339 		params->max_sp = nla_get_u8(tb[NL80211_STA_WME_MAX_SP]);
8340 
8341 	if (params->max_sp & ~IEEE80211_WMM_IE_STA_QOSINFO_SP_MASK)
8342 		return -EINVAL;
8343 
8344 	params->sta_modify_mask |= STATION_PARAM_APPLY_UAPSD;
8345 
8346 	return 0;
8347 }
8348 
8349 static int nl80211_parse_sta_channel_info(struct genl_info *info,
8350 				      struct station_parameters *params)
8351 {
8352 	if (info->attrs[NL80211_ATTR_STA_SUPPORTED_CHANNELS]) {
8353 		params->supported_channels =
8354 		     nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_CHANNELS]);
8355 		params->supported_channels_len =
8356 		     nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_CHANNELS]);
8357 		/*
8358 		 * Need to include at least one (first channel, number of
8359 		 * channels) tuple for each subband (checked in policy),
8360 		 * and must have proper tuples for the rest of the data as well.
8361 		 */
8362 		if (params->supported_channels_len % 2)
8363 			return -EINVAL;
8364 	}
8365 
8366 	if (info->attrs[NL80211_ATTR_STA_SUPPORTED_OPER_CLASSES]) {
8367 		params->supported_oper_classes =
8368 		 nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_OPER_CLASSES]);
8369 		params->supported_oper_classes_len =
8370 		  nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_OPER_CLASSES]);
8371 	}
8372 	return 0;
8373 }
8374 
8375 static int nl80211_set_station_tdls(struct genl_info *info,
8376 				    struct station_parameters *params)
8377 {
8378 	int err;
8379 	/* Dummy STA entry gets updated once the peer capabilities are known */
8380 	if (info->attrs[NL80211_ATTR_PEER_AID])
8381 		params->aid = nla_get_u16(info->attrs[NL80211_ATTR_PEER_AID]);
8382 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY])
8383 		params->link_sta_params.ht_capa =
8384 			nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]);
8385 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY])
8386 		params->link_sta_params.vht_capa =
8387 			nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]);
8388 	if (info->attrs[NL80211_ATTR_HE_CAPABILITY]) {
8389 		params->link_sta_params.he_capa =
8390 			nla_data(info->attrs[NL80211_ATTR_HE_CAPABILITY]);
8391 		params->link_sta_params.he_capa_len =
8392 			nla_len(info->attrs[NL80211_ATTR_HE_CAPABILITY]);
8393 
8394 		if (info->attrs[NL80211_ATTR_EHT_CAPABILITY]) {
8395 			params->link_sta_params.eht_capa =
8396 				nla_data(info->attrs[NL80211_ATTR_EHT_CAPABILITY]);
8397 			params->link_sta_params.eht_capa_len =
8398 				nla_len(info->attrs[NL80211_ATTR_EHT_CAPABILITY]);
8399 
8400 			if (!ieee80211_eht_capa_size_ok((const u8 *)params->link_sta_params.he_capa,
8401 							(const u8 *)params->link_sta_params.eht_capa,
8402 							params->link_sta_params.eht_capa_len,
8403 							false))
8404 				return -EINVAL;
8405 		}
8406 	}
8407 
8408 	if (info->attrs[NL80211_ATTR_UHR_CAPABILITY]) {
8409 		if (!params->link_sta_params.eht_capa)
8410 			return -EINVAL;
8411 
8412 		params->link_sta_params.uhr_capa =
8413 			nla_data(info->attrs[NL80211_ATTR_UHR_CAPABILITY]);
8414 		params->link_sta_params.uhr_capa_len =
8415 			nla_len(info->attrs[NL80211_ATTR_UHR_CAPABILITY]);
8416 	}
8417 
8418 	if (info->attrs[NL80211_ATTR_S1G_CAPABILITY])
8419 		params->link_sta_params.s1g_capa =
8420 			nla_data(info->attrs[NL80211_ATTR_S1G_CAPABILITY]);
8421 
8422 	err = nl80211_parse_sta_channel_info(info, params);
8423 	if (err)
8424 		return err;
8425 
8426 	return nl80211_parse_sta_wme(info, params);
8427 }
8428 
8429 static int nl80211_parse_sta_txpower_setting(struct genl_info *info,
8430 					     struct sta_txpwr *txpwr,
8431 					     bool *txpwr_set)
8432 {
8433 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8434 	int idx;
8435 
8436 	if (info->attrs[NL80211_ATTR_STA_TX_POWER_SETTING]) {
8437 		if (!rdev->ops->set_tx_power ||
8438 		    !wiphy_ext_feature_isset(&rdev->wiphy,
8439 					 NL80211_EXT_FEATURE_STA_TX_PWR))
8440 			return -EOPNOTSUPP;
8441 
8442 		idx = NL80211_ATTR_STA_TX_POWER_SETTING;
8443 		txpwr->type = nla_get_u8(info->attrs[idx]);
8444 
8445 		if (txpwr->type == NL80211_TX_POWER_LIMITED) {
8446 			idx = NL80211_ATTR_STA_TX_POWER;
8447 
8448 			if (info->attrs[idx])
8449 				txpwr->power = nla_get_s16(info->attrs[idx]);
8450 			else
8451 				return -EINVAL;
8452 		}
8453 
8454 		*txpwr_set = true;
8455 	} else {
8456 		*txpwr_set = false;
8457 	}
8458 
8459 	return 0;
8460 }
8461 
8462 static int nl80211_set_station(struct sk_buff *skb, struct genl_info *info)
8463 {
8464 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8465 	struct wireless_dev *wdev = info->user_ptr[1];
8466 	struct net_device *dev = wdev->netdev;
8467 	struct station_parameters params;
8468 	u8 *mac_addr;
8469 	int err;
8470 
8471 	memset(&params, 0, sizeof(params));
8472 
8473 	if (!dev)
8474 		return -EINVAL;
8475 
8476 	if (!rdev->ops->change_station)
8477 		return -EOPNOTSUPP;
8478 
8479 	/*
8480 	 * AID and listen_interval properties can be set only for unassociated
8481 	 * station. Include these parameters here and will check them in
8482 	 * cfg80211_check_station_change().
8483 	 */
8484 	if (info->attrs[NL80211_ATTR_STA_AID])
8485 		params.aid = nla_get_u16(info->attrs[NL80211_ATTR_STA_AID]);
8486 
8487 	if (info->attrs[NL80211_ATTR_VLAN_ID])
8488 		params.vlan_id = nla_get_u16(info->attrs[NL80211_ATTR_VLAN_ID]);
8489 
8490 	if (info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL])
8491 		params.listen_interval =
8492 		     nla_get_u16(info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL]);
8493 	else
8494 		params.listen_interval = -1;
8495 
8496 	if (info->attrs[NL80211_ATTR_STA_SUPPORT_P2P_PS])
8497 		params.support_p2p_ps =
8498 			nla_get_u8(info->attrs[NL80211_ATTR_STA_SUPPORT_P2P_PS]);
8499 	else
8500 		params.support_p2p_ps = -1;
8501 
8502 	if (!info->attrs[NL80211_ATTR_MAC])
8503 		return -EINVAL;
8504 
8505 	params.link_sta_params.link_id =
8506 		nl80211_link_id_or_invalid(info->attrs);
8507 
8508 	if (info->attrs[NL80211_ATTR_MLD_ADDR]) {
8509 		/* If MLD_ADDR attribute is set then this is an MLD station
8510 		 * and the MLD_ADDR attribute holds the MLD address and the
8511 		 * MAC attribute holds for the LINK address.
8512 		 * In that case, the link_id is also expected to be valid.
8513 		 */
8514 		if (params.link_sta_params.link_id < 0)
8515 			return -EINVAL;
8516 
8517 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MLD_ADDR]);
8518 		params.link_sta_params.mld_mac = mac_addr;
8519 		params.link_sta_params.link_mac =
8520 			nla_data(info->attrs[NL80211_ATTR_MAC]);
8521 		if (!is_valid_ether_addr(params.link_sta_params.link_mac))
8522 			return -EINVAL;
8523 	} else {
8524 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
8525 	}
8526 
8527 
8528 	if (info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]) {
8529 		params.link_sta_params.supported_rates =
8530 			nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
8531 		params.link_sta_params.supported_rates_len =
8532 			nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
8533 	}
8534 
8535 	if (info->attrs[NL80211_ATTR_STA_CAPABILITY]) {
8536 		params.capability =
8537 			nla_get_u16(info->attrs[NL80211_ATTR_STA_CAPABILITY]);
8538 		params.sta_modify_mask |= STATION_PARAM_APPLY_CAPABILITY;
8539 	}
8540 
8541 	if (info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]) {
8542 		params.ext_capab =
8543 			nla_data(info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]);
8544 		params.ext_capab_len =
8545 			nla_len(info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]);
8546 	}
8547 
8548 	if (parse_station_flags(info, wdev->iftype, &params))
8549 		return -EINVAL;
8550 
8551 	if (info->attrs[NL80211_ATTR_STA_PLINK_ACTION])
8552 		params.plink_action =
8553 			nla_get_u8(info->attrs[NL80211_ATTR_STA_PLINK_ACTION]);
8554 
8555 	if (info->attrs[NL80211_ATTR_STA_PLINK_STATE]) {
8556 		params.plink_state =
8557 			nla_get_u8(info->attrs[NL80211_ATTR_STA_PLINK_STATE]);
8558 		if (info->attrs[NL80211_ATTR_MESH_PEER_AID])
8559 			params.peer_aid = nla_get_u16(
8560 				info->attrs[NL80211_ATTR_MESH_PEER_AID]);
8561 		params.sta_modify_mask |= STATION_PARAM_APPLY_PLINK_STATE;
8562 	}
8563 
8564 	if (info->attrs[NL80211_ATTR_LOCAL_MESH_POWER_MODE])
8565 		params.local_pm = nla_get_u32(
8566 			info->attrs[NL80211_ATTR_LOCAL_MESH_POWER_MODE]);
8567 
8568 	if (info->attrs[NL80211_ATTR_OPMODE_NOTIF]) {
8569 		params.link_sta_params.opmode_notif_used = true;
8570 		params.link_sta_params.opmode_notif =
8571 			nla_get_u8(info->attrs[NL80211_ATTR_OPMODE_NOTIF]);
8572 	}
8573 
8574 	if (info->attrs[NL80211_ATTR_HE_6GHZ_CAPABILITY])
8575 		params.link_sta_params.he_6ghz_capa =
8576 			nla_data(info->attrs[NL80211_ATTR_HE_6GHZ_CAPABILITY]);
8577 
8578 	if (info->attrs[NL80211_ATTR_EML_CAPABILITY]) {
8579 		params.eml_cap_present = true;
8580 		params.eml_cap =
8581 			nla_get_u16(info->attrs[NL80211_ATTR_EML_CAPABILITY]);
8582 	}
8583 
8584 	if (info->attrs[NL80211_ATTR_AIRTIME_WEIGHT])
8585 		params.airtime_weight =
8586 			nla_get_u16(info->attrs[NL80211_ATTR_AIRTIME_WEIGHT]);
8587 
8588 	if (params.airtime_weight &&
8589 	    !wiphy_ext_feature_isset(&rdev->wiphy,
8590 				     NL80211_EXT_FEATURE_AIRTIME_FAIRNESS))
8591 		return -EOPNOTSUPP;
8592 
8593 	err = nl80211_parse_sta_txpower_setting(info,
8594 						&params.link_sta_params.txpwr,
8595 						&params.link_sta_params.txpwr_set);
8596 	if (err)
8597 		return err;
8598 
8599 	/* Include parameters for TDLS peer (will check later) */
8600 	err = nl80211_set_station_tdls(info, &params);
8601 	if (err)
8602 		return err;
8603 
8604 	params.vlan = get_vlan(info, rdev);
8605 	if (IS_ERR(params.vlan))
8606 		return PTR_ERR(params.vlan);
8607 
8608 	switch (wdev->iftype) {
8609 	case NL80211_IFTYPE_AP:
8610 	case NL80211_IFTYPE_AP_VLAN:
8611 	case NL80211_IFTYPE_P2P_GO:
8612 	case NL80211_IFTYPE_P2P_CLIENT:
8613 	case NL80211_IFTYPE_STATION:
8614 	case NL80211_IFTYPE_ADHOC:
8615 	case NL80211_IFTYPE_MESH_POINT:
8616 		break;
8617 	default:
8618 		err = -EOPNOTSUPP;
8619 		goto out_put_vlan;
8620 	}
8621 
8622 	/* driver will call cfg80211_check_station_change() */
8623 	err = rdev_change_station(rdev, wdev, mac_addr, &params);
8624 
8625  out_put_vlan:
8626 	dev_put(params.vlan);
8627 
8628 	return err;
8629 }
8630 
8631 static int nl80211_new_station(struct sk_buff *skb, struct genl_info *info)
8632 {
8633 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8634 	int err;
8635 	struct wireless_dev *wdev = info->user_ptr[1];
8636 	struct net_device *dev = wdev->netdev;
8637 	struct station_parameters params;
8638 	u8 *mac_addr = NULL;
8639 	u32 auth_assoc = BIT(NL80211_STA_FLAG_AUTHENTICATED) |
8640 			 BIT(NL80211_STA_FLAG_ASSOCIATED);
8641 
8642 	memset(&params, 0, sizeof(params));
8643 
8644 	if (!dev)
8645 		return -EINVAL;
8646 
8647 	if (!rdev->ops->add_station)
8648 		return -EOPNOTSUPP;
8649 
8650 	if (!info->attrs[NL80211_ATTR_MAC])
8651 		return -EINVAL;
8652 
8653 	if (!info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL])
8654 		return -EINVAL;
8655 
8656 	if (!info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES])
8657 		return -EINVAL;
8658 
8659 	if (!info->attrs[NL80211_ATTR_STA_AID] &&
8660 	    !info->attrs[NL80211_ATTR_PEER_AID])
8661 		return -EINVAL;
8662 
8663 	params.link_sta_params.link_id =
8664 		nl80211_link_id_or_invalid(info->attrs);
8665 
8666 	if (info->attrs[NL80211_ATTR_MLD_ADDR]) {
8667 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MLD_ADDR]);
8668 		params.link_sta_params.mld_mac = mac_addr;
8669 		params.link_sta_params.link_mac =
8670 			nla_data(info->attrs[NL80211_ATTR_MAC]);
8671 		if (!is_valid_ether_addr(params.link_sta_params.link_mac))
8672 			return -EINVAL;
8673 	} else {
8674 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
8675 	}
8676 
8677 	params.link_sta_params.supported_rates =
8678 		nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
8679 	params.link_sta_params.supported_rates_len =
8680 		nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
8681 	params.listen_interval =
8682 		nla_get_u16(info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL]);
8683 
8684 	if (info->attrs[NL80211_ATTR_VLAN_ID])
8685 		params.vlan_id = nla_get_u16(info->attrs[NL80211_ATTR_VLAN_ID]);
8686 
8687 	if (info->attrs[NL80211_ATTR_STA_SUPPORT_P2P_PS]) {
8688 		params.support_p2p_ps =
8689 			nla_get_u8(info->attrs[NL80211_ATTR_STA_SUPPORT_P2P_PS]);
8690 	} else {
8691 		/*
8692 		 * if not specified, assume it's supported for P2P GO interface,
8693 		 * and is NOT supported for AP interface
8694 		 */
8695 		params.support_p2p_ps =
8696 			wdev->iftype == NL80211_IFTYPE_P2P_GO;
8697 	}
8698 
8699 	if (info->attrs[NL80211_ATTR_PEER_AID])
8700 		params.aid = nla_get_u16(info->attrs[NL80211_ATTR_PEER_AID]);
8701 	else
8702 		params.aid = nla_get_u16(info->attrs[NL80211_ATTR_STA_AID]);
8703 
8704 	if (info->attrs[NL80211_ATTR_STA_CAPABILITY]) {
8705 		params.capability =
8706 			nla_get_u16(info->attrs[NL80211_ATTR_STA_CAPABILITY]);
8707 		params.sta_modify_mask |= STATION_PARAM_APPLY_CAPABILITY;
8708 	}
8709 
8710 	if (info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]) {
8711 		params.ext_capab =
8712 			nla_data(info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]);
8713 		params.ext_capab_len =
8714 			nla_len(info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]);
8715 	}
8716 
8717 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY])
8718 		params.link_sta_params.ht_capa =
8719 			nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]);
8720 
8721 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY])
8722 		params.link_sta_params.vht_capa =
8723 			nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]);
8724 
8725 	if (info->attrs[NL80211_ATTR_HE_CAPABILITY]) {
8726 		params.link_sta_params.he_capa =
8727 			nla_data(info->attrs[NL80211_ATTR_HE_CAPABILITY]);
8728 		params.link_sta_params.he_capa_len =
8729 			nla_len(info->attrs[NL80211_ATTR_HE_CAPABILITY]);
8730 
8731 		if (info->attrs[NL80211_ATTR_EHT_CAPABILITY]) {
8732 			params.link_sta_params.eht_capa =
8733 				nla_data(info->attrs[NL80211_ATTR_EHT_CAPABILITY]);
8734 			params.link_sta_params.eht_capa_len =
8735 				nla_len(info->attrs[NL80211_ATTR_EHT_CAPABILITY]);
8736 
8737 			if (!ieee80211_eht_capa_size_ok((const u8 *)params.link_sta_params.he_capa,
8738 							(const u8 *)params.link_sta_params.eht_capa,
8739 							params.link_sta_params.eht_capa_len,
8740 							false))
8741 				return -EINVAL;
8742 		}
8743 	}
8744 
8745 	if (info->attrs[NL80211_ATTR_UHR_CAPABILITY]) {
8746 		if (!params.link_sta_params.eht_capa)
8747 			return -EINVAL;
8748 
8749 		params.link_sta_params.uhr_capa =
8750 			nla_data(info->attrs[NL80211_ATTR_UHR_CAPABILITY]);
8751 		params.link_sta_params.uhr_capa_len =
8752 			nla_len(info->attrs[NL80211_ATTR_UHR_CAPABILITY]);
8753 	}
8754 
8755 	if (info->attrs[NL80211_ATTR_EML_CAPABILITY]) {
8756 		params.eml_cap_present = true;
8757 		params.eml_cap =
8758 			nla_get_u16(info->attrs[NL80211_ATTR_EML_CAPABILITY]);
8759 	}
8760 
8761 	if (info->attrs[NL80211_ATTR_HE_6GHZ_CAPABILITY])
8762 		params.link_sta_params.he_6ghz_capa =
8763 			nla_data(info->attrs[NL80211_ATTR_HE_6GHZ_CAPABILITY]);
8764 
8765 	if (info->attrs[NL80211_ATTR_S1G_CAPABILITY])
8766 		params.link_sta_params.s1g_capa =
8767 			nla_data(info->attrs[NL80211_ATTR_S1G_CAPABILITY]);
8768 
8769 	if (info->attrs[NL80211_ATTR_OPMODE_NOTIF]) {
8770 		params.link_sta_params.opmode_notif_used = true;
8771 		params.link_sta_params.opmode_notif =
8772 			nla_get_u8(info->attrs[NL80211_ATTR_OPMODE_NOTIF]);
8773 	}
8774 
8775 	if (info->attrs[NL80211_ATTR_STA_PLINK_ACTION])
8776 		params.plink_action =
8777 			nla_get_u8(info->attrs[NL80211_ATTR_STA_PLINK_ACTION]);
8778 
8779 	if (info->attrs[NL80211_ATTR_AIRTIME_WEIGHT])
8780 		params.airtime_weight =
8781 			nla_get_u16(info->attrs[NL80211_ATTR_AIRTIME_WEIGHT]);
8782 
8783 	if (params.airtime_weight &&
8784 	    !wiphy_ext_feature_isset(&rdev->wiphy,
8785 				     NL80211_EXT_FEATURE_AIRTIME_FAIRNESS))
8786 		return -EOPNOTSUPP;
8787 
8788 	err = nl80211_parse_sta_txpower_setting(info,
8789 						&params.link_sta_params.txpwr,
8790 						&params.link_sta_params.txpwr_set);
8791 	if (err)
8792 		return err;
8793 
8794 	err = nl80211_parse_sta_channel_info(info, &params);
8795 	if (err)
8796 		return err;
8797 
8798 	err = nl80211_parse_sta_wme(info, &params);
8799 	if (err)
8800 		return err;
8801 
8802 	if (parse_station_flags(info, wdev->iftype, &params))
8803 		return -EINVAL;
8804 
8805 	/* HT/VHT requires QoS, but if we don't have that just ignore HT/VHT
8806 	 * as userspace might just pass through the capabilities from the IEs
8807 	 * directly, rather than enforcing this restriction and returning an
8808 	 * error in this case.
8809 	 */
8810 	if (!(params.sta_flags_set & BIT(NL80211_STA_FLAG_WME))) {
8811 		params.link_sta_params.ht_capa = NULL;
8812 		params.link_sta_params.vht_capa = NULL;
8813 
8814 		/* HE, EHT and UHR require WME */
8815 		if (params.link_sta_params.he_capa_len ||
8816 		    params.link_sta_params.he_6ghz_capa ||
8817 		    params.link_sta_params.eht_capa_len ||
8818 		    params.link_sta_params.uhr_capa_len)
8819 			return -EINVAL;
8820 	}
8821 
8822 	/* Ensure that HT/VHT capabilities are not set for 6 GHz HE STA */
8823 	if (params.link_sta_params.he_6ghz_capa &&
8824 	    (params.link_sta_params.ht_capa || params.link_sta_params.vht_capa))
8825 		return -EINVAL;
8826 
8827 	/* When you run into this, adjust the code below for the new flag */
8828 	BUILD_BUG_ON(NL80211_STA_FLAG_MAX != 8);
8829 
8830 	switch (wdev->iftype) {
8831 	case NL80211_IFTYPE_AP:
8832 	case NL80211_IFTYPE_AP_VLAN:
8833 	case NL80211_IFTYPE_P2P_GO:
8834 		/* ignore WME attributes if iface/sta is not capable */
8835 		if (!(rdev->wiphy.flags & WIPHY_FLAG_AP_UAPSD) ||
8836 		    !(params.sta_flags_set & BIT(NL80211_STA_FLAG_WME)))
8837 			params.sta_modify_mask &= ~STATION_PARAM_APPLY_UAPSD;
8838 
8839 		/* TDLS peers cannot be added */
8840 		if ((params.sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)) ||
8841 		    info->attrs[NL80211_ATTR_PEER_AID])
8842 			return -EINVAL;
8843 		/* but don't bother the driver with it */
8844 		params.sta_flags_mask &= ~BIT(NL80211_STA_FLAG_TDLS_PEER);
8845 
8846 		/* allow authenticated/associated only if driver handles it */
8847 		if (!(rdev->wiphy.features &
8848 				NL80211_FEATURE_FULL_AP_CLIENT_STATE) &&
8849 		    params.sta_flags_mask & auth_assoc)
8850 			return -EINVAL;
8851 
8852 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
8853 					     NL80211_EXT_FEATURE_SPP_AMSDU_SUPPORT) &&
8854 		    params.sta_flags_mask & BIT(NL80211_STA_FLAG_SPP_AMSDU))
8855 			return -EINVAL;
8856 
8857 		/* Older userspace, or userspace wanting to be compatible with
8858 		 * !NL80211_FEATURE_FULL_AP_CLIENT_STATE, will not set the auth
8859 		 * and assoc flags in the mask, but assumes the station will be
8860 		 * added as associated anyway since this was the required driver
8861 		 * behaviour before NL80211_FEATURE_FULL_AP_CLIENT_STATE was
8862 		 * introduced.
8863 		 * In order to not bother drivers with this quirk in the API
8864 		 * set the flags in both the mask and set for new stations in
8865 		 * this case.
8866 		 */
8867 		if (!(params.sta_flags_mask & auth_assoc)) {
8868 			params.sta_flags_mask |= auth_assoc;
8869 			params.sta_flags_set |= auth_assoc;
8870 		}
8871 
8872 		/* must be last in here for error handling */
8873 		params.vlan = get_vlan(info, rdev);
8874 		if (IS_ERR(params.vlan))
8875 			return PTR_ERR(params.vlan);
8876 		break;
8877 	case NL80211_IFTYPE_MESH_POINT:
8878 		/* ignore uAPSD data */
8879 		params.sta_modify_mask &= ~STATION_PARAM_APPLY_UAPSD;
8880 
8881 		/* associated is disallowed */
8882 		if (params.sta_flags_mask & BIT(NL80211_STA_FLAG_ASSOCIATED))
8883 			return -EINVAL;
8884 		/* TDLS peers cannot be added */
8885 		if ((params.sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)) ||
8886 		    info->attrs[NL80211_ATTR_PEER_AID])
8887 			return -EINVAL;
8888 		break;
8889 	case NL80211_IFTYPE_STATION:
8890 	case NL80211_IFTYPE_P2P_CLIENT:
8891 		/* ignore uAPSD data */
8892 		params.sta_modify_mask &= ~STATION_PARAM_APPLY_UAPSD;
8893 
8894 		/* these are disallowed */
8895 		if (params.sta_flags_mask &
8896 				(BIT(NL80211_STA_FLAG_ASSOCIATED) |
8897 				 BIT(NL80211_STA_FLAG_AUTHENTICATED)))
8898 			return -EINVAL;
8899 		/* Only TDLS peers can be added */
8900 		if (!(params.sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)))
8901 			return -EINVAL;
8902 		/* Can only add if TDLS ... */
8903 		if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS))
8904 			return -EOPNOTSUPP;
8905 		/* ... with external setup is supported */
8906 		if (!(rdev->wiphy.flags & WIPHY_FLAG_TDLS_EXTERNAL_SETUP))
8907 			return -EOPNOTSUPP;
8908 		/*
8909 		 * Older wpa_supplicant versions always mark the TDLS peer
8910 		 * as authorized, but it shouldn't yet be.
8911 		 */
8912 		params.sta_flags_mask &= ~BIT(NL80211_STA_FLAG_AUTHORIZED);
8913 		break;
8914 	default:
8915 		return -EOPNOTSUPP;
8916 	}
8917 
8918 	/* be aware of params.vlan when changing code here */
8919 
8920 	if (wdev->valid_links) {
8921 		if (params.link_sta_params.link_id < 0) {
8922 			err = -EINVAL;
8923 			goto out;
8924 		}
8925 		if (!(wdev->valid_links & BIT(params.link_sta_params.link_id))) {
8926 			err = -ENOLINK;
8927 			goto out;
8928 		}
8929 	} else {
8930 		if (params.link_sta_params.link_id >= 0) {
8931 			err = -EINVAL;
8932 			goto out;
8933 		}
8934 	}
8935 
8936 	params.epp_peer =
8937 		nla_get_flag(info->attrs[NL80211_ATTR_EPP_PEER]);
8938 
8939 	err = rdev_add_station(rdev, wdev, mac_addr, &params);
8940 out:
8941 	dev_put(params.vlan);
8942 	return err;
8943 }
8944 
8945 static int nl80211_del_station(struct sk_buff *skb, struct genl_info *info)
8946 {
8947 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8948 	struct wireless_dev *wdev = info->user_ptr[1];
8949 	struct net_device *dev = wdev->netdev;
8950 	struct station_del_parameters params;
8951 	int link_id = nl80211_link_id_or_invalid(info->attrs);
8952 
8953 	memset(&params, 0, sizeof(params));
8954 
8955 	if (!dev)
8956 		return -EINVAL;
8957 
8958 	if (info->attrs[NL80211_ATTR_MAC])
8959 		params.mac = nla_data(info->attrs[NL80211_ATTR_MAC]);
8960 
8961 	switch (wdev->iftype) {
8962 	case NL80211_IFTYPE_AP:
8963 	case NL80211_IFTYPE_AP_VLAN:
8964 	case NL80211_IFTYPE_MESH_POINT:
8965 	case NL80211_IFTYPE_P2P_GO:
8966 		/* always accept these */
8967 		break;
8968 	case NL80211_IFTYPE_ADHOC:
8969 		/* conditionally accept */
8970 		if (wiphy_ext_feature_isset(&rdev->wiphy,
8971 					    NL80211_EXT_FEATURE_DEL_IBSS_STA))
8972 			break;
8973 		return -EINVAL;
8974 	default:
8975 		return -EINVAL;
8976 	}
8977 
8978 	if (!rdev->ops->del_station)
8979 		return -EOPNOTSUPP;
8980 
8981 	if (info->attrs[NL80211_ATTR_MGMT_SUBTYPE]) {
8982 		params.subtype =
8983 			nla_get_u8(info->attrs[NL80211_ATTR_MGMT_SUBTYPE]);
8984 		if (params.subtype != IEEE80211_STYPE_DISASSOC >> 4 &&
8985 		    params.subtype != IEEE80211_STYPE_DEAUTH >> 4)
8986 			return -EINVAL;
8987 	} else {
8988 		/* Default to Deauthentication frame */
8989 		params.subtype = IEEE80211_STYPE_DEAUTH >> 4;
8990 	}
8991 
8992 	if (info->attrs[NL80211_ATTR_REASON_CODE]) {
8993 		params.reason_code =
8994 			nla_get_u16(info->attrs[NL80211_ATTR_REASON_CODE]);
8995 		if (params.reason_code == 0)
8996 			return -EINVAL; /* 0 is reserved */
8997 	} else {
8998 		/* Default to reason code 2 */
8999 		params.reason_code = WLAN_REASON_PREV_AUTH_NOT_VALID;
9000 	}
9001 
9002 	/* Link ID not expected in case of non-ML operation */
9003 	if (!wdev->valid_links && link_id != -1)
9004 		return -EINVAL;
9005 
9006 	/* If given, a valid link ID should be passed during MLO */
9007 	if (wdev->valid_links && link_id >= 0 &&
9008 	    !(wdev->valid_links & BIT(link_id)))
9009 		return -EINVAL;
9010 
9011 	params.link_id = link_id;
9012 
9013 	return rdev_del_station(rdev, wdev, &params);
9014 }
9015 
9016 static int nl80211_send_mpath(struct sk_buff *msg, u32 portid, u32 seq,
9017 				int flags, struct net_device *dev,
9018 				u8 *dst, u8 *next_hop,
9019 				struct mpath_info *pinfo)
9020 {
9021 	void *hdr;
9022 	struct nlattr *pinfoattr;
9023 
9024 	hdr = nl80211hdr_put(msg, portid, seq, flags, NL80211_CMD_NEW_MPATH);
9025 	if (!hdr)
9026 		return -1;
9027 
9028 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
9029 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, dst) ||
9030 	    nla_put(msg, NL80211_ATTR_MPATH_NEXT_HOP, ETH_ALEN, next_hop) ||
9031 	    nla_put_u32(msg, NL80211_ATTR_GENERATION, pinfo->generation))
9032 		goto nla_put_failure;
9033 
9034 	pinfoattr = nla_nest_start_noflag(msg, NL80211_ATTR_MPATH_INFO);
9035 	if (!pinfoattr)
9036 		goto nla_put_failure;
9037 	if ((pinfo->filled & MPATH_INFO_FRAME_QLEN) &&
9038 	    nla_put_u32(msg, NL80211_MPATH_INFO_FRAME_QLEN,
9039 			pinfo->frame_qlen))
9040 		goto nla_put_failure;
9041 	if (((pinfo->filled & MPATH_INFO_SN) &&
9042 	     nla_put_u32(msg, NL80211_MPATH_INFO_SN, pinfo->sn)) ||
9043 	    ((pinfo->filled & MPATH_INFO_METRIC) &&
9044 	     nla_put_u32(msg, NL80211_MPATH_INFO_METRIC,
9045 			 pinfo->metric)) ||
9046 	    ((pinfo->filled & MPATH_INFO_EXPTIME) &&
9047 	     nla_put_u32(msg, NL80211_MPATH_INFO_EXPTIME,
9048 			 pinfo->exptime)) ||
9049 	    ((pinfo->filled & MPATH_INFO_FLAGS) &&
9050 	     nla_put_u8(msg, NL80211_MPATH_INFO_FLAGS,
9051 			pinfo->flags)) ||
9052 	    ((pinfo->filled & MPATH_INFO_DISCOVERY_TIMEOUT) &&
9053 	     nla_put_u32(msg, NL80211_MPATH_INFO_DISCOVERY_TIMEOUT,
9054 			 pinfo->discovery_timeout)) ||
9055 	    ((pinfo->filled & MPATH_INFO_DISCOVERY_RETRIES) &&
9056 	     nla_put_u8(msg, NL80211_MPATH_INFO_DISCOVERY_RETRIES,
9057 			pinfo->discovery_retries)) ||
9058 	    ((pinfo->filled & MPATH_INFO_HOP_COUNT) &&
9059 	     nla_put_u8(msg, NL80211_MPATH_INFO_HOP_COUNT,
9060 			pinfo->hop_count)) ||
9061 	    ((pinfo->filled & MPATH_INFO_PATH_CHANGE) &&
9062 	     nla_put_u32(msg, NL80211_MPATH_INFO_PATH_CHANGE,
9063 			 pinfo->path_change_count)))
9064 		goto nla_put_failure;
9065 
9066 	nla_nest_end(msg, pinfoattr);
9067 
9068 	genlmsg_end(msg, hdr);
9069 	return 0;
9070 
9071  nla_put_failure:
9072 	genlmsg_cancel(msg, hdr);
9073 	return -EMSGSIZE;
9074 }
9075 
9076 static int nl80211_dump_mpath(struct sk_buff *skb,
9077 			      struct netlink_callback *cb)
9078 {
9079 	struct mpath_info pinfo;
9080 	struct cfg80211_registered_device *rdev;
9081 	struct wireless_dev *wdev;
9082 	u8 dst[ETH_ALEN];
9083 	u8 next_hop[ETH_ALEN];
9084 	int path_idx = cb->args[2];
9085 	int err;
9086 
9087 	err = nl80211_prepare_wdev_dump(cb, &rdev, &wdev, NULL);
9088 	if (err)
9089 		return err;
9090 	/* nl80211_prepare_wdev_dump acquired it in the successful case */
9091 	__acquire(&rdev->wiphy.mtx);
9092 
9093 	if (!rdev->ops->dump_mpath) {
9094 		err = -EOPNOTSUPP;
9095 		goto out_err;
9096 	}
9097 
9098 	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT) {
9099 		err = -EOPNOTSUPP;
9100 		goto out_err;
9101 	}
9102 
9103 	while (1) {
9104 		err = rdev_dump_mpath(rdev, wdev->netdev, path_idx, dst,
9105 				      next_hop, &pinfo);
9106 		if (err == -ENOENT)
9107 			break;
9108 		if (err)
9109 			goto out_err;
9110 
9111 		if (nl80211_send_mpath(skb, NETLINK_CB(cb->skb).portid,
9112 				       cb->nlh->nlmsg_seq, NLM_F_MULTI,
9113 				       wdev->netdev, dst, next_hop,
9114 				       &pinfo) < 0)
9115 			goto out;
9116 
9117 		path_idx++;
9118 	}
9119 
9120  out:
9121 	cb->args[2] = path_idx;
9122 	err = skb->len;
9123  out_err:
9124 	wiphy_unlock(&rdev->wiphy);
9125 	return err;
9126 }
9127 
9128 static int nl80211_get_mpath(struct sk_buff *skb, struct genl_info *info)
9129 {
9130 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9131 	int err;
9132 	struct net_device *dev = info->user_ptr[1];
9133 	struct mpath_info pinfo;
9134 	struct sk_buff *msg;
9135 	u8 *dst = NULL;
9136 	u8 next_hop[ETH_ALEN];
9137 
9138 	memset(&pinfo, 0, sizeof(pinfo));
9139 
9140 	if (!info->attrs[NL80211_ATTR_MAC])
9141 		return -EINVAL;
9142 
9143 	dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
9144 
9145 	if (!rdev->ops->get_mpath)
9146 		return -EOPNOTSUPP;
9147 
9148 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
9149 		return -EOPNOTSUPP;
9150 
9151 	err = rdev_get_mpath(rdev, dev, dst, next_hop, &pinfo);
9152 	if (err)
9153 		return err;
9154 
9155 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
9156 	if (!msg)
9157 		return -ENOMEM;
9158 
9159 	if (nl80211_send_mpath(msg, info->snd_portid, info->snd_seq, 0,
9160 				 dev, dst, next_hop, &pinfo) < 0) {
9161 		nlmsg_free(msg);
9162 		return -ENOBUFS;
9163 	}
9164 
9165 	return genlmsg_reply(msg, info);
9166 }
9167 
9168 static int nl80211_set_mpath(struct sk_buff *skb, struct genl_info *info)
9169 {
9170 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9171 	struct net_device *dev = info->user_ptr[1];
9172 	u8 *dst = NULL;
9173 	u8 *next_hop = NULL;
9174 
9175 	if (!info->attrs[NL80211_ATTR_MAC])
9176 		return -EINVAL;
9177 
9178 	if (!info->attrs[NL80211_ATTR_MPATH_NEXT_HOP])
9179 		return -EINVAL;
9180 
9181 	dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
9182 	next_hop = nla_data(info->attrs[NL80211_ATTR_MPATH_NEXT_HOP]);
9183 
9184 	if (!rdev->ops->change_mpath)
9185 		return -EOPNOTSUPP;
9186 
9187 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
9188 		return -EOPNOTSUPP;
9189 
9190 	return rdev_change_mpath(rdev, dev, dst, next_hop);
9191 }
9192 
9193 static int nl80211_new_mpath(struct sk_buff *skb, struct genl_info *info)
9194 {
9195 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9196 	struct net_device *dev = info->user_ptr[1];
9197 	u8 *dst = NULL;
9198 	u8 *next_hop = NULL;
9199 
9200 	if (!info->attrs[NL80211_ATTR_MAC])
9201 		return -EINVAL;
9202 
9203 	if (!info->attrs[NL80211_ATTR_MPATH_NEXT_HOP])
9204 		return -EINVAL;
9205 
9206 	dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
9207 	next_hop = nla_data(info->attrs[NL80211_ATTR_MPATH_NEXT_HOP]);
9208 
9209 	if (!rdev->ops->add_mpath)
9210 		return -EOPNOTSUPP;
9211 
9212 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
9213 		return -EOPNOTSUPP;
9214 
9215 	return rdev_add_mpath(rdev, dev, dst, next_hop);
9216 }
9217 
9218 static int nl80211_del_mpath(struct sk_buff *skb, struct genl_info *info)
9219 {
9220 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9221 	struct net_device *dev = info->user_ptr[1];
9222 	u8 *dst = NULL;
9223 
9224 	if (info->attrs[NL80211_ATTR_MAC])
9225 		dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
9226 
9227 	if (!rdev->ops->del_mpath)
9228 		return -EOPNOTSUPP;
9229 
9230 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
9231 		return -EOPNOTSUPP;
9232 
9233 	return rdev_del_mpath(rdev, dev, dst);
9234 }
9235 
9236 static int nl80211_get_mpp(struct sk_buff *skb, struct genl_info *info)
9237 {
9238 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9239 	int err;
9240 	struct net_device *dev = info->user_ptr[1];
9241 	struct mpath_info pinfo;
9242 	struct sk_buff *msg;
9243 	u8 *dst = NULL;
9244 	u8 mpp[ETH_ALEN];
9245 
9246 	memset(&pinfo, 0, sizeof(pinfo));
9247 
9248 	if (!info->attrs[NL80211_ATTR_MAC])
9249 		return -EINVAL;
9250 
9251 	dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
9252 
9253 	if (!rdev->ops->get_mpp)
9254 		return -EOPNOTSUPP;
9255 
9256 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
9257 		return -EOPNOTSUPP;
9258 
9259 	err = rdev_get_mpp(rdev, dev, dst, mpp, &pinfo);
9260 	if (err)
9261 		return err;
9262 
9263 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
9264 	if (!msg)
9265 		return -ENOMEM;
9266 
9267 	if (nl80211_send_mpath(msg, info->snd_portid, info->snd_seq, 0,
9268 			       dev, dst, mpp, &pinfo) < 0) {
9269 		nlmsg_free(msg);
9270 		return -ENOBUFS;
9271 	}
9272 
9273 	return genlmsg_reply(msg, info);
9274 }
9275 
9276 static int nl80211_dump_mpp(struct sk_buff *skb,
9277 			    struct netlink_callback *cb)
9278 {
9279 	struct mpath_info pinfo;
9280 	struct cfg80211_registered_device *rdev;
9281 	struct wireless_dev *wdev;
9282 	u8 dst[ETH_ALEN];
9283 	u8 mpp[ETH_ALEN];
9284 	int path_idx = cb->args[2];
9285 	int err;
9286 
9287 	err = nl80211_prepare_wdev_dump(cb, &rdev, &wdev, NULL);
9288 	if (err)
9289 		return err;
9290 	/* nl80211_prepare_wdev_dump acquired it in the successful case */
9291 	__acquire(&rdev->wiphy.mtx);
9292 
9293 	if (!rdev->ops->dump_mpp) {
9294 		err = -EOPNOTSUPP;
9295 		goto out_err;
9296 	}
9297 
9298 	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT) {
9299 		err = -EOPNOTSUPP;
9300 		goto out_err;
9301 	}
9302 
9303 	while (1) {
9304 		err = rdev_dump_mpp(rdev, wdev->netdev, path_idx, dst,
9305 				    mpp, &pinfo);
9306 		if (err == -ENOENT)
9307 			break;
9308 		if (err)
9309 			goto out_err;
9310 
9311 		if (nl80211_send_mpath(skb, NETLINK_CB(cb->skb).portid,
9312 				       cb->nlh->nlmsg_seq, NLM_F_MULTI,
9313 				       wdev->netdev, dst, mpp,
9314 				       &pinfo) < 0)
9315 			goto out;
9316 
9317 		path_idx++;
9318 	}
9319 
9320  out:
9321 	cb->args[2] = path_idx;
9322 	err = skb->len;
9323  out_err:
9324 	wiphy_unlock(&rdev->wiphy);
9325 	return err;
9326 }
9327 
9328 static int nl80211_set_bss(struct sk_buff *skb, struct genl_info *info)
9329 {
9330 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9331 	struct net_device *dev = info->user_ptr[1];
9332 	struct bss_parameters params;
9333 	u32 bss_param_support = rdev->wiphy.bss_param_support;
9334 	u32 changed = 0;
9335 	bool strict;
9336 
9337 	memset(&params, 0, sizeof(params));
9338 	params.link_id = nl80211_link_id_or_invalid(info->attrs);
9339 	/* default to not changing parameters */
9340 	params.use_cts_prot = -1;
9341 	params.use_short_preamble = -1;
9342 	params.use_short_slot_time = -1;
9343 	params.ap_isolate = -1;
9344 	params.ht_opmode = -1;
9345 	params.p2p_ctwindow = -1;
9346 	params.p2p_opp_ps = -1;
9347 
9348 	strict = nla_get_flag(info->attrs[NL80211_ATTR_BSS_PARAM]);
9349 	if (info->attrs[NL80211_ATTR_BSS_CTS_PROT]) {
9350 		if (strict && !(bss_param_support & WIPHY_BSS_PARAM_CTS_PROT))
9351 			return -EINVAL;
9352 		params.use_cts_prot =
9353 		    nla_get_u8(info->attrs[NL80211_ATTR_BSS_CTS_PROT]);
9354 		changed |= WIPHY_BSS_PARAM_CTS_PROT;
9355 	}
9356 	if (info->attrs[NL80211_ATTR_BSS_SHORT_PREAMBLE]) {
9357 		if (strict &&
9358 		    !(bss_param_support & WIPHY_BSS_PARAM_SHORT_PREAMBLE))
9359 			return -EINVAL;
9360 		params.use_short_preamble =
9361 		    nla_get_u8(info->attrs[NL80211_ATTR_BSS_SHORT_PREAMBLE]);
9362 		changed |= WIPHY_BSS_PARAM_SHORT_PREAMBLE;
9363 	}
9364 	if (info->attrs[NL80211_ATTR_BSS_SHORT_SLOT_TIME]) {
9365 		if (strict &&
9366 		    !(bss_param_support & WIPHY_BSS_PARAM_SHORT_SLOT_TIME))
9367 			return -EINVAL;
9368 		params.use_short_slot_time =
9369 		    nla_get_u8(info->attrs[NL80211_ATTR_BSS_SHORT_SLOT_TIME]);
9370 		changed |= WIPHY_BSS_PARAM_SHORT_SLOT_TIME;
9371 	}
9372 	if (info->attrs[NL80211_ATTR_BSS_BASIC_RATES]) {
9373 		if (strict &&
9374 		    !(bss_param_support & WIPHY_BSS_PARAM_BASIC_RATES))
9375 			return -EINVAL;
9376 		params.basic_rates =
9377 			nla_data(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
9378 		params.basic_rates_len =
9379 			nla_len(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
9380 		changed |= WIPHY_BSS_PARAM_BASIC_RATES;
9381 	}
9382 	if (info->attrs[NL80211_ATTR_AP_ISOLATE]) {
9383 		if (strict && !(bss_param_support & WIPHY_BSS_PARAM_AP_ISOLATE))
9384 			return -EINVAL;
9385 		params.ap_isolate =
9386 			!!nla_get_u8(info->attrs[NL80211_ATTR_AP_ISOLATE]);
9387 		changed |= WIPHY_BSS_PARAM_AP_ISOLATE;
9388 	}
9389 	if (info->attrs[NL80211_ATTR_BSS_HT_OPMODE]) {
9390 		if (strict && !(bss_param_support & WIPHY_BSS_PARAM_HT_OPMODE))
9391 			return -EINVAL;
9392 		params.ht_opmode =
9393 			nla_get_u16(info->attrs[NL80211_ATTR_BSS_HT_OPMODE]);
9394 		changed |= WIPHY_BSS_PARAM_HT_OPMODE;
9395 	}
9396 
9397 	if (info->attrs[NL80211_ATTR_P2P_CTWINDOW]) {
9398 		if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
9399 			return -EINVAL;
9400 		params.p2p_ctwindow =
9401 			nla_get_u8(info->attrs[NL80211_ATTR_P2P_CTWINDOW]);
9402 		if (params.p2p_ctwindow != 0 &&
9403 		    !(bss_param_support & WIPHY_BSS_PARAM_P2P_CTWINDOW))
9404 			return -EINVAL;
9405 		changed |= WIPHY_BSS_PARAM_P2P_CTWINDOW;
9406 	}
9407 
9408 	if (info->attrs[NL80211_ATTR_P2P_OPPPS]) {
9409 		u8 tmp;
9410 
9411 		if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
9412 			return -EINVAL;
9413 		tmp = nla_get_u8(info->attrs[NL80211_ATTR_P2P_OPPPS]);
9414 		if (tmp && !(bss_param_support & WIPHY_BSS_PARAM_P2P_OPPPS))
9415 			return -EINVAL;
9416 		params.p2p_opp_ps = tmp;
9417 		if (params.p2p_opp_ps &&
9418 		    !(rdev->wiphy.bss_param_support & WIPHY_BSS_PARAM_P2P_OPPPS))
9419 			return -EINVAL;
9420 	}
9421 
9422 	if (!rdev->ops->change_bss)
9423 		return -EOPNOTSUPP;
9424 
9425 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
9426 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
9427 		return -EOPNOTSUPP;
9428 
9429 	changed &= rdev->wiphy.bss_param_support;
9430 	if (!changed)
9431 		return 0;
9432 
9433 	return rdev_change_bss(rdev, dev, &params);
9434 }
9435 
9436 static int nl80211_req_set_reg(struct sk_buff *skb, struct genl_info *info)
9437 {
9438 	char *data = NULL;
9439 	bool is_indoor;
9440 	enum nl80211_user_reg_hint_type user_reg_hint_type;
9441 	u32 owner_nlportid;
9442 
9443 	/*
9444 	 * You should only get this when cfg80211 hasn't yet initialized
9445 	 * completely when built-in to the kernel right between the time
9446 	 * window between nl80211_init() and regulatory_init(), if that is
9447 	 * even possible.
9448 	 */
9449 	if (unlikely(!rcu_access_pointer(cfg80211_regdomain)))
9450 		return -EINPROGRESS;
9451 
9452 	user_reg_hint_type =
9453 		nla_get_u32_default(info->attrs[NL80211_ATTR_USER_REG_HINT_TYPE],
9454 				    NL80211_USER_REG_HINT_USER);
9455 
9456 	switch (user_reg_hint_type) {
9457 	case NL80211_USER_REG_HINT_USER:
9458 	case NL80211_USER_REG_HINT_CELL_BASE:
9459 		if (!info->attrs[NL80211_ATTR_REG_ALPHA2])
9460 			return -EINVAL;
9461 
9462 		data = nla_data(info->attrs[NL80211_ATTR_REG_ALPHA2]);
9463 		return regulatory_hint_user(data, user_reg_hint_type);
9464 	case NL80211_USER_REG_HINT_INDOOR:
9465 		if (info->attrs[NL80211_ATTR_SOCKET_OWNER]) {
9466 			owner_nlportid = info->snd_portid;
9467 			is_indoor = !!info->attrs[NL80211_ATTR_REG_INDOOR];
9468 		} else {
9469 			owner_nlportid = 0;
9470 			is_indoor = true;
9471 		}
9472 
9473 		regulatory_hint_indoor(is_indoor, owner_nlportid);
9474 		return 0;
9475 	default:
9476 		return -EINVAL;
9477 	}
9478 }
9479 
9480 static int nl80211_reload_regdb(struct sk_buff *skb, struct genl_info *info)
9481 {
9482 	return reg_reload_regdb();
9483 }
9484 
9485 static int nl80211_get_mesh_config(struct sk_buff *skb,
9486 				   struct genl_info *info)
9487 {
9488 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9489 	struct net_device *dev = info->user_ptr[1];
9490 	struct wireless_dev *wdev = dev->ieee80211_ptr;
9491 	struct mesh_config cur_params;
9492 	int err = 0;
9493 	void *hdr;
9494 	struct nlattr *pinfoattr;
9495 	struct sk_buff *msg;
9496 
9497 	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT)
9498 		return -EOPNOTSUPP;
9499 
9500 	if (!rdev->ops->get_mesh_config)
9501 		return -EOPNOTSUPP;
9502 
9503 	/* If not connected, get default parameters */
9504 	if (!wdev->u.mesh.id_len)
9505 		memcpy(&cur_params, &default_mesh_config, sizeof(cur_params));
9506 	else
9507 		err = rdev_get_mesh_config(rdev, dev, &cur_params);
9508 
9509 	if (err)
9510 		return err;
9511 
9512 	/* Draw up a netlink message to send back */
9513 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
9514 	if (!msg)
9515 		return -ENOMEM;
9516 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
9517 			     NL80211_CMD_GET_MESH_CONFIG);
9518 	if (!hdr)
9519 		goto out;
9520 	pinfoattr = nla_nest_start_noflag(msg, NL80211_ATTR_MESH_CONFIG);
9521 	if (!pinfoattr)
9522 		goto nla_put_failure;
9523 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
9524 	    nla_put_u16(msg, NL80211_MESHCONF_RETRY_TIMEOUT,
9525 			cur_params.dot11MeshRetryTimeout) ||
9526 	    nla_put_u16(msg, NL80211_MESHCONF_CONFIRM_TIMEOUT,
9527 			cur_params.dot11MeshConfirmTimeout) ||
9528 	    nla_put_u16(msg, NL80211_MESHCONF_HOLDING_TIMEOUT,
9529 			cur_params.dot11MeshHoldingTimeout) ||
9530 	    nla_put_u16(msg, NL80211_MESHCONF_MAX_PEER_LINKS,
9531 			cur_params.dot11MeshMaxPeerLinks) ||
9532 	    nla_put_u8(msg, NL80211_MESHCONF_MAX_RETRIES,
9533 		       cur_params.dot11MeshMaxRetries) ||
9534 	    nla_put_u8(msg, NL80211_MESHCONF_TTL,
9535 		       cur_params.dot11MeshTTL) ||
9536 	    nla_put_u8(msg, NL80211_MESHCONF_ELEMENT_TTL,
9537 		       cur_params.element_ttl) ||
9538 	    nla_put_u8(msg, NL80211_MESHCONF_AUTO_OPEN_PLINKS,
9539 		       cur_params.auto_open_plinks) ||
9540 	    nla_put_u32(msg, NL80211_MESHCONF_SYNC_OFFSET_MAX_NEIGHBOR,
9541 			cur_params.dot11MeshNbrOffsetMaxNeighbor) ||
9542 	    nla_put_u8(msg, NL80211_MESHCONF_HWMP_MAX_PREQ_RETRIES,
9543 		       cur_params.dot11MeshHWMPmaxPREQretries) ||
9544 	    nla_put_u32(msg, NL80211_MESHCONF_PATH_REFRESH_TIME,
9545 			cur_params.path_refresh_time) ||
9546 	    nla_put_u16(msg, NL80211_MESHCONF_MIN_DISCOVERY_TIMEOUT,
9547 			cur_params.min_discovery_timeout) ||
9548 	    nla_put_u32(msg, NL80211_MESHCONF_HWMP_ACTIVE_PATH_TIMEOUT,
9549 			cur_params.dot11MeshHWMPactivePathTimeout) ||
9550 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_PREQ_MIN_INTERVAL,
9551 			cur_params.dot11MeshHWMPpreqMinInterval) ||
9552 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_PERR_MIN_INTERVAL,
9553 			cur_params.dot11MeshHWMPperrMinInterval) ||
9554 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_NET_DIAM_TRVS_TIME,
9555 			cur_params.dot11MeshHWMPnetDiameterTraversalTime) ||
9556 	    nla_put_u8(msg, NL80211_MESHCONF_HWMP_ROOTMODE,
9557 		       cur_params.dot11MeshHWMPRootMode) ||
9558 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_RANN_INTERVAL,
9559 			cur_params.dot11MeshHWMPRannInterval) ||
9560 	    nla_put_u8(msg, NL80211_MESHCONF_GATE_ANNOUNCEMENTS,
9561 		       cur_params.dot11MeshGateAnnouncementProtocol) ||
9562 	    nla_put_u8(msg, NL80211_MESHCONF_FORWARDING,
9563 		       cur_params.dot11MeshForwarding) ||
9564 	    nla_put_s32(msg, NL80211_MESHCONF_RSSI_THRESHOLD,
9565 			cur_params.rssi_threshold) ||
9566 	    nla_put_u32(msg, NL80211_MESHCONF_HT_OPMODE,
9567 			cur_params.ht_opmode) ||
9568 	    nla_put_u32(msg, NL80211_MESHCONF_HWMP_PATH_TO_ROOT_TIMEOUT,
9569 			cur_params.dot11MeshHWMPactivePathToRootTimeout) ||
9570 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_ROOT_INTERVAL,
9571 			cur_params.dot11MeshHWMProotInterval) ||
9572 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_CONFIRMATION_INTERVAL,
9573 			cur_params.dot11MeshHWMPconfirmationInterval) ||
9574 	    nla_put_u32(msg, NL80211_MESHCONF_POWER_MODE,
9575 			cur_params.power_mode) ||
9576 	    nla_put_u16(msg, NL80211_MESHCONF_AWAKE_WINDOW,
9577 			cur_params.dot11MeshAwakeWindowDuration) ||
9578 	    nla_put_u32(msg, NL80211_MESHCONF_PLINK_TIMEOUT,
9579 			cur_params.plink_timeout) ||
9580 	    nla_put_u8(msg, NL80211_MESHCONF_CONNECTED_TO_GATE,
9581 		       cur_params.dot11MeshConnectedToMeshGate) ||
9582 	    nla_put_u8(msg, NL80211_MESHCONF_NOLEARN,
9583 		       cur_params.dot11MeshNolearn) ||
9584 	    nla_put_u8(msg, NL80211_MESHCONF_CONNECTED_TO_AS,
9585 		       cur_params.dot11MeshConnectedToAuthServer))
9586 		goto nla_put_failure;
9587 	nla_nest_end(msg, pinfoattr);
9588 	genlmsg_end(msg, hdr);
9589 	return genlmsg_reply(msg, info);
9590 
9591  nla_put_failure:
9592  out:
9593 	nlmsg_free(msg);
9594 	return -ENOBUFS;
9595 }
9596 
9597 static const struct nla_policy
9598 nl80211_meshconf_params_policy[NL80211_MESHCONF_ATTR_MAX+1] = {
9599 	[NL80211_MESHCONF_RETRY_TIMEOUT] =
9600 		NLA_POLICY_RANGE(NLA_U16, 1, 255),
9601 	[NL80211_MESHCONF_CONFIRM_TIMEOUT] =
9602 		NLA_POLICY_RANGE(NLA_U16, 1, 255),
9603 	[NL80211_MESHCONF_HOLDING_TIMEOUT] =
9604 		NLA_POLICY_RANGE(NLA_U16, 1, 255),
9605 	[NL80211_MESHCONF_MAX_PEER_LINKS] =
9606 		NLA_POLICY_RANGE(NLA_U16, 0, 255),
9607 	[NL80211_MESHCONF_MAX_RETRIES] = NLA_POLICY_MAX(NLA_U8, 16),
9608 	[NL80211_MESHCONF_TTL] = NLA_POLICY_MIN(NLA_U8, 1),
9609 	[NL80211_MESHCONF_ELEMENT_TTL] = NLA_POLICY_MIN(NLA_U8, 1),
9610 	[NL80211_MESHCONF_AUTO_OPEN_PLINKS] = NLA_POLICY_MAX(NLA_U8, 1),
9611 	[NL80211_MESHCONF_SYNC_OFFSET_MAX_NEIGHBOR] =
9612 		NLA_POLICY_RANGE(NLA_U32, 1, 255),
9613 	[NL80211_MESHCONF_HWMP_MAX_PREQ_RETRIES] = { .type = NLA_U8 },
9614 	[NL80211_MESHCONF_PATH_REFRESH_TIME] = { .type = NLA_U32 },
9615 	[NL80211_MESHCONF_MIN_DISCOVERY_TIMEOUT] = NLA_POLICY_MIN(NLA_U16, 1),
9616 	[NL80211_MESHCONF_HWMP_ACTIVE_PATH_TIMEOUT] = { .type = NLA_U32 },
9617 	[NL80211_MESHCONF_HWMP_PREQ_MIN_INTERVAL] =
9618 		NLA_POLICY_MIN(NLA_U16, 1),
9619 	[NL80211_MESHCONF_HWMP_PERR_MIN_INTERVAL] =
9620 		NLA_POLICY_MIN(NLA_U16, 1),
9621 	[NL80211_MESHCONF_HWMP_NET_DIAM_TRVS_TIME] =
9622 		NLA_POLICY_MIN(NLA_U16, 1),
9623 	[NL80211_MESHCONF_HWMP_ROOTMODE] = NLA_POLICY_MAX(NLA_U8, 4),
9624 	[NL80211_MESHCONF_HWMP_RANN_INTERVAL] =
9625 		NLA_POLICY_MIN(NLA_U16, 1),
9626 	[NL80211_MESHCONF_GATE_ANNOUNCEMENTS] = NLA_POLICY_MAX(NLA_U8, 1),
9627 	[NL80211_MESHCONF_FORWARDING] = NLA_POLICY_MAX(NLA_U8, 1),
9628 	[NL80211_MESHCONF_RSSI_THRESHOLD] =
9629 		NLA_POLICY_RANGE(NLA_S32, -255, 0),
9630 	[NL80211_MESHCONF_HT_OPMODE] = { .type = NLA_U16 },
9631 	[NL80211_MESHCONF_HWMP_PATH_TO_ROOT_TIMEOUT] = { .type = NLA_U32 },
9632 	[NL80211_MESHCONF_HWMP_ROOT_INTERVAL] =
9633 		NLA_POLICY_MIN(NLA_U16, 1),
9634 	[NL80211_MESHCONF_HWMP_CONFIRMATION_INTERVAL] =
9635 		NLA_POLICY_MIN(NLA_U16, 1),
9636 	[NL80211_MESHCONF_POWER_MODE] =
9637 		NLA_POLICY_RANGE(NLA_U32,
9638 				 NL80211_MESH_POWER_ACTIVE,
9639 				 NL80211_MESH_POWER_MAX),
9640 	[NL80211_MESHCONF_AWAKE_WINDOW] = { .type = NLA_U16 },
9641 	[NL80211_MESHCONF_PLINK_TIMEOUT] = { .type = NLA_U32 },
9642 	[NL80211_MESHCONF_CONNECTED_TO_GATE] = NLA_POLICY_RANGE(NLA_U8, 0, 1),
9643 	[NL80211_MESHCONF_NOLEARN] = NLA_POLICY_RANGE(NLA_U8, 0, 1),
9644 	[NL80211_MESHCONF_CONNECTED_TO_AS] = NLA_POLICY_RANGE(NLA_U8, 0, 1),
9645 };
9646 
9647 static const struct nla_policy
9648 	nl80211_mesh_setup_params_policy[NL80211_MESH_SETUP_ATTR_MAX+1] = {
9649 	[NL80211_MESH_SETUP_ENABLE_VENDOR_SYNC] = { .type = NLA_U8 },
9650 	[NL80211_MESH_SETUP_ENABLE_VENDOR_PATH_SEL] = { .type = NLA_U8 },
9651 	[NL80211_MESH_SETUP_ENABLE_VENDOR_METRIC] = { .type = NLA_U8 },
9652 	[NL80211_MESH_SETUP_USERSPACE_AUTH] = { .type = NLA_FLAG },
9653 	[NL80211_MESH_SETUP_AUTH_PROTOCOL] = { .type = NLA_U8 },
9654 	[NL80211_MESH_SETUP_USERSPACE_MPM] = { .type = NLA_FLAG },
9655 	[NL80211_MESH_SETUP_IE] =
9656 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_ie_attr,
9657 				       IEEE80211_MAX_DATA_LEN),
9658 	[NL80211_MESH_SETUP_USERSPACE_AMPE] = { .type = NLA_FLAG },
9659 };
9660 
9661 static int nl80211_parse_mesh_config(struct genl_info *info,
9662 				     struct mesh_config *cfg,
9663 				     u32 *mask_out)
9664 {
9665 	struct nlattr *tb[NL80211_MESHCONF_ATTR_MAX + 1];
9666 	u32 mask = 0;
9667 	u16 ht_opmode;
9668 
9669 #define FILL_IN_MESH_PARAM_IF_SET(tb, cfg, param, mask, attr, fn)	\
9670 do {									\
9671 	if (tb[attr]) {							\
9672 		cfg->param = fn(tb[attr]);				\
9673 		mask |= BIT((attr) - 1);				\
9674 	}								\
9675 } while (0)
9676 
9677 	if (!info->attrs[NL80211_ATTR_MESH_CONFIG])
9678 		return -EINVAL;
9679 	if (nla_parse_nested_deprecated(tb, NL80211_MESHCONF_ATTR_MAX, info->attrs[NL80211_ATTR_MESH_CONFIG], nl80211_meshconf_params_policy, info->extack))
9680 		return -EINVAL;
9681 
9682 	/* This makes sure that there aren't more than 32 mesh config
9683 	 * parameters (otherwise our bitfield scheme would not work.) */
9684 	BUILD_BUG_ON(NL80211_MESHCONF_ATTR_MAX > 32);
9685 
9686 	/* Fill in the params struct */
9687 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshRetryTimeout, mask,
9688 				  NL80211_MESHCONF_RETRY_TIMEOUT, nla_get_u16);
9689 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshConfirmTimeout, mask,
9690 				  NL80211_MESHCONF_CONFIRM_TIMEOUT,
9691 				  nla_get_u16);
9692 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHoldingTimeout, mask,
9693 				  NL80211_MESHCONF_HOLDING_TIMEOUT,
9694 				  nla_get_u16);
9695 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshMaxPeerLinks, mask,
9696 				  NL80211_MESHCONF_MAX_PEER_LINKS,
9697 				  nla_get_u16);
9698 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshMaxRetries, mask,
9699 				  NL80211_MESHCONF_MAX_RETRIES, nla_get_u8);
9700 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshTTL, mask,
9701 				  NL80211_MESHCONF_TTL, nla_get_u8);
9702 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, element_ttl, mask,
9703 				  NL80211_MESHCONF_ELEMENT_TTL, nla_get_u8);
9704 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, auto_open_plinks, mask,
9705 				  NL80211_MESHCONF_AUTO_OPEN_PLINKS,
9706 				  nla_get_u8);
9707 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshNbrOffsetMaxNeighbor,
9708 				  mask,
9709 				  NL80211_MESHCONF_SYNC_OFFSET_MAX_NEIGHBOR,
9710 				  nla_get_u32);
9711 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPmaxPREQretries, mask,
9712 				  NL80211_MESHCONF_HWMP_MAX_PREQ_RETRIES,
9713 				  nla_get_u8);
9714 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, path_refresh_time, mask,
9715 				  NL80211_MESHCONF_PATH_REFRESH_TIME,
9716 				  nla_get_u32);
9717 	if (mask & BIT(NL80211_MESHCONF_PATH_REFRESH_TIME) &&
9718 	    (cfg->path_refresh_time < 1 || cfg->path_refresh_time > 65535))
9719 		return -EINVAL;
9720 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, min_discovery_timeout, mask,
9721 				  NL80211_MESHCONF_MIN_DISCOVERY_TIMEOUT,
9722 				  nla_get_u16);
9723 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPactivePathTimeout,
9724 				  mask,
9725 				  NL80211_MESHCONF_HWMP_ACTIVE_PATH_TIMEOUT,
9726 				  nla_get_u32);
9727 	if (mask & BIT(NL80211_MESHCONF_HWMP_ACTIVE_PATH_TIMEOUT) &&
9728 	    (cfg->dot11MeshHWMPactivePathTimeout < 1 ||
9729 	     cfg->dot11MeshHWMPactivePathTimeout > 65535))
9730 		return -EINVAL;
9731 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPpreqMinInterval, mask,
9732 				  NL80211_MESHCONF_HWMP_PREQ_MIN_INTERVAL,
9733 				  nla_get_u16);
9734 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPperrMinInterval, mask,
9735 				  NL80211_MESHCONF_HWMP_PERR_MIN_INTERVAL,
9736 				  nla_get_u16);
9737 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg,
9738 				  dot11MeshHWMPnetDiameterTraversalTime, mask,
9739 				  NL80211_MESHCONF_HWMP_NET_DIAM_TRVS_TIME,
9740 				  nla_get_u16);
9741 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPRootMode, mask,
9742 				  NL80211_MESHCONF_HWMP_ROOTMODE, nla_get_u8);
9743 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPRannInterval, mask,
9744 				  NL80211_MESHCONF_HWMP_RANN_INTERVAL,
9745 				  nla_get_u16);
9746 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshGateAnnouncementProtocol,
9747 				  mask, NL80211_MESHCONF_GATE_ANNOUNCEMENTS,
9748 				  nla_get_u8);
9749 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshForwarding, mask,
9750 				  NL80211_MESHCONF_FORWARDING, nla_get_u8);
9751 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, rssi_threshold, mask,
9752 				  NL80211_MESHCONF_RSSI_THRESHOLD,
9753 				  nla_get_s32);
9754 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshConnectedToMeshGate, mask,
9755 				  NL80211_MESHCONF_CONNECTED_TO_GATE,
9756 				  nla_get_u8);
9757 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshConnectedToAuthServer, mask,
9758 				  NL80211_MESHCONF_CONNECTED_TO_AS,
9759 				  nla_get_u8);
9760 	/*
9761 	 * Check HT operation mode based on
9762 	 * IEEE 802.11-2016 9.4.2.57 HT Operation element.
9763 	 */
9764 	if (tb[NL80211_MESHCONF_HT_OPMODE]) {
9765 		ht_opmode = nla_get_u16(tb[NL80211_MESHCONF_HT_OPMODE]);
9766 
9767 		if (ht_opmode & ~(IEEE80211_HT_OP_MODE_PROTECTION |
9768 				  IEEE80211_HT_OP_MODE_NON_GF_STA_PRSNT |
9769 				  IEEE80211_HT_OP_MODE_NON_HT_STA_PRSNT))
9770 			return -EINVAL;
9771 
9772 		/* NON_HT_STA bit is reserved, but some programs set it */
9773 		ht_opmode &= ~IEEE80211_HT_OP_MODE_NON_HT_STA_PRSNT;
9774 
9775 		cfg->ht_opmode = ht_opmode;
9776 		mask |= (1 << (NL80211_MESHCONF_HT_OPMODE - 1));
9777 	}
9778 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg,
9779 				  dot11MeshHWMPactivePathToRootTimeout, mask,
9780 				  NL80211_MESHCONF_HWMP_PATH_TO_ROOT_TIMEOUT,
9781 				  nla_get_u32);
9782 	if (mask & BIT(NL80211_MESHCONF_HWMP_PATH_TO_ROOT_TIMEOUT) &&
9783 	    (cfg->dot11MeshHWMPactivePathToRootTimeout < 1 ||
9784 	     cfg->dot11MeshHWMPactivePathToRootTimeout > 65535))
9785 		return -EINVAL;
9786 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMProotInterval, mask,
9787 				  NL80211_MESHCONF_HWMP_ROOT_INTERVAL,
9788 				  nla_get_u16);
9789 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPconfirmationInterval,
9790 				  mask,
9791 				  NL80211_MESHCONF_HWMP_CONFIRMATION_INTERVAL,
9792 				  nla_get_u16);
9793 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, power_mode, mask,
9794 				  NL80211_MESHCONF_POWER_MODE, nla_get_u32);
9795 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshAwakeWindowDuration, mask,
9796 				  NL80211_MESHCONF_AWAKE_WINDOW, nla_get_u16);
9797 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, plink_timeout, mask,
9798 				  NL80211_MESHCONF_PLINK_TIMEOUT, nla_get_u32);
9799 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshNolearn, mask,
9800 				  NL80211_MESHCONF_NOLEARN, nla_get_u8);
9801 	if (mask_out)
9802 		*mask_out = mask;
9803 
9804 	return 0;
9805 
9806 #undef FILL_IN_MESH_PARAM_IF_SET
9807 }
9808 
9809 static int nl80211_parse_mesh_setup(struct genl_info *info,
9810 				     struct mesh_setup *setup)
9811 {
9812 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9813 	struct nlattr *tb[NL80211_MESH_SETUP_ATTR_MAX + 1];
9814 
9815 	if (!info->attrs[NL80211_ATTR_MESH_SETUP])
9816 		return -EINVAL;
9817 	if (nla_parse_nested_deprecated(tb, NL80211_MESH_SETUP_ATTR_MAX, info->attrs[NL80211_ATTR_MESH_SETUP], nl80211_mesh_setup_params_policy, info->extack))
9818 		return -EINVAL;
9819 
9820 	if (tb[NL80211_MESH_SETUP_ENABLE_VENDOR_SYNC])
9821 		setup->sync_method =
9822 		(nla_get_u8(tb[NL80211_MESH_SETUP_ENABLE_VENDOR_SYNC])) ?
9823 		 IEEE80211_SYNC_METHOD_VENDOR :
9824 		 IEEE80211_SYNC_METHOD_NEIGHBOR_OFFSET;
9825 
9826 	if (tb[NL80211_MESH_SETUP_ENABLE_VENDOR_PATH_SEL])
9827 		setup->path_sel_proto =
9828 		(nla_get_u8(tb[NL80211_MESH_SETUP_ENABLE_VENDOR_PATH_SEL])) ?
9829 		 IEEE80211_PATH_PROTOCOL_VENDOR :
9830 		 IEEE80211_PATH_PROTOCOL_HWMP;
9831 
9832 	if (tb[NL80211_MESH_SETUP_ENABLE_VENDOR_METRIC])
9833 		setup->path_metric =
9834 		(nla_get_u8(tb[NL80211_MESH_SETUP_ENABLE_VENDOR_METRIC])) ?
9835 		 IEEE80211_PATH_METRIC_VENDOR :
9836 		 IEEE80211_PATH_METRIC_AIRTIME;
9837 
9838 	if (tb[NL80211_MESH_SETUP_IE]) {
9839 		struct nlattr *ieattr =
9840 			tb[NL80211_MESH_SETUP_IE];
9841 		setup->ie = nla_data(ieattr);
9842 		setup->ie_len = nla_len(ieattr);
9843 	}
9844 	if (tb[NL80211_MESH_SETUP_USERSPACE_MPM] &&
9845 	    !(rdev->wiphy.features & NL80211_FEATURE_USERSPACE_MPM))
9846 		return -EINVAL;
9847 	setup->user_mpm = nla_get_flag(tb[NL80211_MESH_SETUP_USERSPACE_MPM]);
9848 	setup->is_authenticated = nla_get_flag(tb[NL80211_MESH_SETUP_USERSPACE_AUTH]);
9849 	setup->is_secure = nla_get_flag(tb[NL80211_MESH_SETUP_USERSPACE_AMPE]);
9850 	if (setup->is_secure)
9851 		setup->user_mpm = true;
9852 
9853 	if (tb[NL80211_MESH_SETUP_AUTH_PROTOCOL]) {
9854 		if (!setup->user_mpm)
9855 			return -EINVAL;
9856 		setup->auth_id =
9857 			nla_get_u8(tb[NL80211_MESH_SETUP_AUTH_PROTOCOL]);
9858 	}
9859 
9860 	return 0;
9861 }
9862 
9863 static int nl80211_update_mesh_config(struct sk_buff *skb,
9864 				      struct genl_info *info)
9865 {
9866 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9867 	struct net_device *dev = info->user_ptr[1];
9868 	struct wireless_dev *wdev = dev->ieee80211_ptr;
9869 	struct mesh_config cfg = {};
9870 	u32 mask;
9871 	int err;
9872 
9873 	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT)
9874 		return -EOPNOTSUPP;
9875 
9876 	if (!rdev->ops->update_mesh_config)
9877 		return -EOPNOTSUPP;
9878 
9879 	err = nl80211_parse_mesh_config(info, &cfg, &mask);
9880 	if (err)
9881 		return err;
9882 
9883 	if (!wdev->u.mesh.id_len)
9884 		err = -ENOLINK;
9885 
9886 	if (!err)
9887 		err = rdev_update_mesh_config(rdev, dev, mask, &cfg);
9888 
9889 	return err;
9890 }
9891 
9892 static int nl80211_put_regdom(const struct ieee80211_regdomain *regdom,
9893 			      struct sk_buff *msg)
9894 {
9895 	struct nlattr *nl_reg_rules;
9896 	unsigned int i;
9897 
9898 	if (nla_put_string(msg, NL80211_ATTR_REG_ALPHA2, regdom->alpha2) ||
9899 	    (regdom->dfs_region &&
9900 	     nla_put_u8(msg, NL80211_ATTR_DFS_REGION, regdom->dfs_region)))
9901 		goto nla_put_failure;
9902 
9903 	nl_reg_rules = nla_nest_start_noflag(msg, NL80211_ATTR_REG_RULES);
9904 	if (!nl_reg_rules)
9905 		goto nla_put_failure;
9906 
9907 	for (i = 0; i < regdom->n_reg_rules; i++) {
9908 		struct nlattr *nl_reg_rule;
9909 		const struct ieee80211_reg_rule *reg_rule;
9910 		const struct ieee80211_freq_range *freq_range;
9911 		const struct ieee80211_power_rule *power_rule;
9912 		unsigned int max_bandwidth_khz;
9913 
9914 		reg_rule = &regdom->reg_rules[i];
9915 		freq_range = &reg_rule->freq_range;
9916 		power_rule = &reg_rule->power_rule;
9917 
9918 		nl_reg_rule = nla_nest_start_noflag(msg, i);
9919 		if (!nl_reg_rule)
9920 			goto nla_put_failure;
9921 
9922 		max_bandwidth_khz = freq_range->max_bandwidth_khz;
9923 		if (!max_bandwidth_khz)
9924 			max_bandwidth_khz = reg_get_max_bandwidth(regdom,
9925 								  reg_rule);
9926 
9927 		if (nla_put_u32(msg, NL80211_ATTR_REG_RULE_FLAGS,
9928 				reg_rule->flags) ||
9929 		    nla_put_u32(msg, NL80211_ATTR_FREQ_RANGE_START,
9930 				freq_range->start_freq_khz) ||
9931 		    nla_put_u32(msg, NL80211_ATTR_FREQ_RANGE_END,
9932 				freq_range->end_freq_khz) ||
9933 		    nla_put_u32(msg, NL80211_ATTR_FREQ_RANGE_MAX_BW,
9934 				max_bandwidth_khz) ||
9935 		    nla_put_u32(msg, NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN,
9936 				power_rule->max_antenna_gain) ||
9937 		    nla_put_u32(msg, NL80211_ATTR_POWER_RULE_MAX_EIRP,
9938 				power_rule->max_eirp) ||
9939 		    nla_put_u32(msg, NL80211_ATTR_DFS_CAC_TIME,
9940 				reg_rule->dfs_cac_ms))
9941 			goto nla_put_failure;
9942 
9943 		if ((reg_rule->flags & NL80211_RRF_PSD) &&
9944 		    nla_put_s8(msg, NL80211_ATTR_POWER_RULE_PSD,
9945 			       reg_rule->psd))
9946 			goto nla_put_failure;
9947 
9948 		nla_nest_end(msg, nl_reg_rule);
9949 	}
9950 
9951 	nla_nest_end(msg, nl_reg_rules);
9952 	return 0;
9953 
9954 nla_put_failure:
9955 	return -EMSGSIZE;
9956 }
9957 
9958 static int nl80211_get_reg_do(struct sk_buff *skb, struct genl_info *info)
9959 {
9960 	const struct ieee80211_regdomain *regdom = NULL;
9961 	struct cfg80211_registered_device *rdev;
9962 	struct wiphy *wiphy = NULL;
9963 	struct sk_buff *msg;
9964 	int err = -EMSGSIZE;
9965 	void *hdr;
9966 
9967 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
9968 	if (!msg)
9969 		return -ENOBUFS;
9970 
9971 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
9972 			     NL80211_CMD_GET_REG);
9973 	if (!hdr)
9974 		goto put_failure;
9975 
9976 	rtnl_lock();
9977 
9978 	if (info->attrs[NL80211_ATTR_WIPHY]) {
9979 		bool self_managed;
9980 
9981 		rdev = cfg80211_get_dev_from_info(genl_info_net(info), info);
9982 		if (IS_ERR(rdev)) {
9983 			err = PTR_ERR(rdev);
9984 			goto nla_put_failure;
9985 		}
9986 
9987 		wiphy = &rdev->wiphy;
9988 		self_managed = wiphy->regulatory_flags &
9989 			       REGULATORY_WIPHY_SELF_MANAGED;
9990 
9991 		rcu_read_lock();
9992 
9993 		regdom = get_wiphy_regdom(wiphy);
9994 
9995 		/* a self-managed-reg device must have a private regdom */
9996 		if (WARN_ON(!regdom && self_managed)) {
9997 			err = -EINVAL;
9998 			goto nla_put_failure_rcu;
9999 		}
10000 
10001 		if (regdom &&
10002 		    nla_put_u32(msg, NL80211_ATTR_WIPHY, get_wiphy_idx(wiphy)))
10003 			goto nla_put_failure_rcu;
10004 	} else {
10005 		rcu_read_lock();
10006 	}
10007 
10008 	if (!wiphy && reg_last_request_cell_base() &&
10009 	    nla_put_u32(msg, NL80211_ATTR_USER_REG_HINT_TYPE,
10010 			NL80211_USER_REG_HINT_CELL_BASE))
10011 		goto nla_put_failure_rcu;
10012 
10013 	if (!regdom)
10014 		regdom = rcu_dereference(cfg80211_regdomain);
10015 
10016 	if (nl80211_put_regdom(regdom, msg))
10017 		goto nla_put_failure_rcu;
10018 
10019 	rcu_read_unlock();
10020 
10021 	genlmsg_end(msg, hdr);
10022 	rtnl_unlock();
10023 	return genlmsg_reply(msg, info);
10024 
10025 nla_put_failure_rcu:
10026 	rcu_read_unlock();
10027 nla_put_failure:
10028 	rtnl_unlock();
10029 put_failure:
10030 	nlmsg_free(msg);
10031 	return err;
10032 }
10033 
10034 static int nl80211_send_regdom(struct sk_buff *msg, struct netlink_callback *cb,
10035 			       u32 seq, int flags, struct wiphy *wiphy,
10036 			       const struct ieee80211_regdomain *regdom)
10037 {
10038 	void *hdr = nl80211hdr_put(msg, NETLINK_CB(cb->skb).portid, seq, flags,
10039 				   NL80211_CMD_GET_REG);
10040 
10041 	if (!hdr)
10042 		return -1;
10043 
10044 	genl_dump_check_consistent(cb, hdr);
10045 
10046 	if (nl80211_put_regdom(regdom, msg))
10047 		goto nla_put_failure;
10048 
10049 	if (!wiphy && reg_last_request_cell_base() &&
10050 	    nla_put_u32(msg, NL80211_ATTR_USER_REG_HINT_TYPE,
10051 			NL80211_USER_REG_HINT_CELL_BASE))
10052 		goto nla_put_failure;
10053 
10054 	if (wiphy &&
10055 	    nla_put_u32(msg, NL80211_ATTR_WIPHY, get_wiphy_idx(wiphy)))
10056 		goto nla_put_failure;
10057 
10058 	if (wiphy && wiphy->regulatory_flags & REGULATORY_WIPHY_SELF_MANAGED &&
10059 	    nla_put_flag(msg, NL80211_ATTR_WIPHY_SELF_MANAGED_REG))
10060 		goto nla_put_failure;
10061 
10062 	genlmsg_end(msg, hdr);
10063 	return 0;
10064 
10065 nla_put_failure:
10066 	genlmsg_cancel(msg, hdr);
10067 	return -EMSGSIZE;
10068 }
10069 
10070 static int nl80211_get_reg_dump(struct sk_buff *skb,
10071 				struct netlink_callback *cb)
10072 {
10073 	const struct ieee80211_regdomain *regdom = NULL;
10074 	struct cfg80211_registered_device *rdev;
10075 	int err, reg_idx, start = cb->args[2];
10076 
10077 	rcu_read_lock();
10078 
10079 	if (cfg80211_regdomain && start == 0) {
10080 		err = nl80211_send_regdom(skb, cb, cb->nlh->nlmsg_seq,
10081 					  NLM_F_MULTI, NULL,
10082 					  rcu_dereference(cfg80211_regdomain));
10083 		if (err < 0)
10084 			goto out_err;
10085 	}
10086 
10087 	/* the global regdom is idx 0 */
10088 	reg_idx = 1;
10089 	list_for_each_entry_rcu(rdev, &cfg80211_rdev_list, list) {
10090 		regdom = get_wiphy_regdom(&rdev->wiphy);
10091 		if (!regdom)
10092 			continue;
10093 
10094 		if (++reg_idx <= start)
10095 			continue;
10096 
10097 		err = nl80211_send_regdom(skb, cb, cb->nlh->nlmsg_seq,
10098 					  NLM_F_MULTI, &rdev->wiphy, regdom);
10099 		if (err < 0) {
10100 			reg_idx--;
10101 			break;
10102 		}
10103 	}
10104 
10105 	cb->args[2] = reg_idx;
10106 	err = skb->len;
10107 out_err:
10108 	rcu_read_unlock();
10109 	return err;
10110 }
10111 
10112 #ifdef CONFIG_CFG80211_CRDA_SUPPORT
10113 static const struct nla_policy reg_rule_policy[NL80211_REG_RULE_ATTR_MAX + 1] = {
10114 	[NL80211_ATTR_REG_RULE_FLAGS]		= { .type = NLA_U32 },
10115 	[NL80211_ATTR_FREQ_RANGE_START]		= { .type = NLA_U32 },
10116 	[NL80211_ATTR_FREQ_RANGE_END]		= { .type = NLA_U32 },
10117 	[NL80211_ATTR_FREQ_RANGE_MAX_BW]	= { .type = NLA_U32 },
10118 	[NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN]	= { .type = NLA_U32 },
10119 	[NL80211_ATTR_POWER_RULE_MAX_EIRP]	= { .type = NLA_U32 },
10120 	[NL80211_ATTR_DFS_CAC_TIME]		= { .type = NLA_U32 },
10121 };
10122 
10123 static int parse_reg_rule(struct nlattr *tb[],
10124 	struct ieee80211_reg_rule *reg_rule)
10125 {
10126 	struct ieee80211_freq_range *freq_range = &reg_rule->freq_range;
10127 	struct ieee80211_power_rule *power_rule = &reg_rule->power_rule;
10128 
10129 	if (!tb[NL80211_ATTR_REG_RULE_FLAGS])
10130 		return -EINVAL;
10131 	if (!tb[NL80211_ATTR_FREQ_RANGE_START])
10132 		return -EINVAL;
10133 	if (!tb[NL80211_ATTR_FREQ_RANGE_END])
10134 		return -EINVAL;
10135 	if (!tb[NL80211_ATTR_FREQ_RANGE_MAX_BW])
10136 		return -EINVAL;
10137 	if (!tb[NL80211_ATTR_POWER_RULE_MAX_EIRP])
10138 		return -EINVAL;
10139 
10140 	reg_rule->flags = nla_get_u32(tb[NL80211_ATTR_REG_RULE_FLAGS]);
10141 
10142 	freq_range->start_freq_khz =
10143 		nla_get_u32(tb[NL80211_ATTR_FREQ_RANGE_START]);
10144 	freq_range->end_freq_khz =
10145 		nla_get_u32(tb[NL80211_ATTR_FREQ_RANGE_END]);
10146 	freq_range->max_bandwidth_khz =
10147 		nla_get_u32(tb[NL80211_ATTR_FREQ_RANGE_MAX_BW]);
10148 
10149 	power_rule->max_eirp =
10150 		nla_get_u32(tb[NL80211_ATTR_POWER_RULE_MAX_EIRP]);
10151 
10152 	if (tb[NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN])
10153 		power_rule->max_antenna_gain =
10154 			nla_get_u32(tb[NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN]);
10155 
10156 	if (tb[NL80211_ATTR_DFS_CAC_TIME])
10157 		reg_rule->dfs_cac_ms =
10158 			nla_get_u32(tb[NL80211_ATTR_DFS_CAC_TIME]);
10159 
10160 	return 0;
10161 }
10162 
10163 static int nl80211_set_reg(struct sk_buff *skb, struct genl_info *info)
10164 {
10165 	struct nlattr *tb[NL80211_REG_RULE_ATTR_MAX + 1];
10166 	struct nlattr *nl_reg_rule;
10167 	char *alpha2;
10168 	int rem_reg_rules, r;
10169 	u32 num_rules = 0, rule_idx = 0;
10170 	enum nl80211_dfs_regions dfs_region = NL80211_DFS_UNSET;
10171 	struct ieee80211_regdomain *rd;
10172 
10173 	if (!info->attrs[NL80211_ATTR_REG_ALPHA2])
10174 		return -EINVAL;
10175 
10176 	if (!info->attrs[NL80211_ATTR_REG_RULES])
10177 		return -EINVAL;
10178 
10179 	alpha2 = nla_data(info->attrs[NL80211_ATTR_REG_ALPHA2]);
10180 
10181 	if (info->attrs[NL80211_ATTR_DFS_REGION])
10182 		dfs_region = nla_get_u8(info->attrs[NL80211_ATTR_DFS_REGION]);
10183 
10184 	nla_for_each_nested(nl_reg_rule, info->attrs[NL80211_ATTR_REG_RULES],
10185 			    rem_reg_rules) {
10186 		num_rules++;
10187 		if (num_rules > NL80211_MAX_SUPP_REG_RULES)
10188 			return -EINVAL;
10189 	}
10190 
10191 	rtnl_lock();
10192 	if (!reg_is_valid_request(alpha2)) {
10193 		r = -EINVAL;
10194 		goto out;
10195 	}
10196 
10197 	rd = kzalloc_flex(*rd, reg_rules, num_rules);
10198 	if (!rd) {
10199 		r = -ENOMEM;
10200 		goto out;
10201 	}
10202 
10203 	rd->n_reg_rules = num_rules;
10204 	rd->alpha2[0] = alpha2[0];
10205 	rd->alpha2[1] = alpha2[1];
10206 
10207 	/*
10208 	 * Disable DFS master mode if the DFS region was
10209 	 * not supported or known on this kernel.
10210 	 */
10211 	if (reg_supported_dfs_region(dfs_region))
10212 		rd->dfs_region = dfs_region;
10213 
10214 	nla_for_each_nested(nl_reg_rule, info->attrs[NL80211_ATTR_REG_RULES],
10215 			    rem_reg_rules) {
10216 		r = nla_parse_nested_deprecated(tb, NL80211_REG_RULE_ATTR_MAX,
10217 						nl_reg_rule, reg_rule_policy,
10218 						info->extack);
10219 		if (r)
10220 			goto bad_reg;
10221 		r = parse_reg_rule(tb, &rd->reg_rules[rule_idx]);
10222 		if (r)
10223 			goto bad_reg;
10224 
10225 		rule_idx++;
10226 
10227 		if (rule_idx > NL80211_MAX_SUPP_REG_RULES) {
10228 			r = -EINVAL;
10229 			goto bad_reg;
10230 		}
10231 	}
10232 
10233 	r = set_regdom(rd, REGD_SOURCE_CRDA);
10234 	/* set_regdom takes ownership of rd */
10235 	rd = NULL;
10236  bad_reg:
10237 	kfree(rd);
10238  out:
10239 	rtnl_unlock();
10240 	return r;
10241 }
10242 #endif /* CONFIG_CFG80211_CRDA_SUPPORT */
10243 
10244 static int validate_scan_freqs(struct nlattr *freqs)
10245 {
10246 	struct nlattr *attr1, *attr2;
10247 	int n_channels = 0, tmp1, tmp2;
10248 
10249 	nla_for_each_nested(attr1, freqs, tmp1)
10250 		if (nla_len(attr1) != sizeof(u32))
10251 			return 0;
10252 
10253 	nla_for_each_nested(attr1, freqs, tmp1) {
10254 		n_channels++;
10255 		/*
10256 		 * Some hardware has a limited channel list for
10257 		 * scanning, and it is pretty much nonsensical
10258 		 * to scan for a channel twice, so disallow that
10259 		 * and don't require drivers to check that the
10260 		 * channel list they get isn't longer than what
10261 		 * they can scan, as long as they can scan all
10262 		 * the channels they registered at once.
10263 		 */
10264 		nla_for_each_nested(attr2, freqs, tmp2)
10265 			if (attr1 != attr2 &&
10266 			    nla_get_u32(attr1) == nla_get_u32(attr2))
10267 				return 0;
10268 	}
10269 
10270 	return n_channels;
10271 }
10272 
10273 static bool is_band_valid(struct wiphy *wiphy, enum nl80211_band b)
10274 {
10275 	return b < NUM_NL80211_BANDS && wiphy->bands[b];
10276 }
10277 
10278 static int parse_bss_select(struct nlattr *nla, struct wiphy *wiphy,
10279 			    struct cfg80211_bss_selection *bss_select)
10280 {
10281 	struct nlattr *attr[NL80211_BSS_SELECT_ATTR_MAX + 1];
10282 	struct nlattr *nest;
10283 	int err;
10284 	bool found = false;
10285 	int i;
10286 
10287 	/* only process one nested attribute */
10288 	nest = nla_data(nla);
10289 	if (!nla_ok(nest, nla_len(nest)))
10290 		return -EINVAL;
10291 
10292 	err = nla_parse_nested_deprecated(attr, NL80211_BSS_SELECT_ATTR_MAX,
10293 					  nest, nl80211_bss_select_policy,
10294 					  NULL);
10295 	if (err)
10296 		return err;
10297 
10298 	/* only one attribute may be given */
10299 	for (i = 0; i <= NL80211_BSS_SELECT_ATTR_MAX; i++) {
10300 		if (attr[i]) {
10301 			if (found)
10302 				return -EINVAL;
10303 			found = true;
10304 		}
10305 	}
10306 
10307 	bss_select->behaviour = __NL80211_BSS_SELECT_ATTR_INVALID;
10308 
10309 	if (attr[NL80211_BSS_SELECT_ATTR_RSSI])
10310 		bss_select->behaviour = NL80211_BSS_SELECT_ATTR_RSSI;
10311 
10312 	if (attr[NL80211_BSS_SELECT_ATTR_BAND_PREF]) {
10313 		bss_select->behaviour = NL80211_BSS_SELECT_ATTR_BAND_PREF;
10314 		bss_select->param.band_pref =
10315 			nla_get_u32(attr[NL80211_BSS_SELECT_ATTR_BAND_PREF]);
10316 		if (!is_band_valid(wiphy, bss_select->param.band_pref))
10317 			return -EINVAL;
10318 	}
10319 
10320 	if (attr[NL80211_BSS_SELECT_ATTR_RSSI_ADJUST]) {
10321 		struct nl80211_bss_select_rssi_adjust *adj_param;
10322 
10323 		adj_param = nla_data(attr[NL80211_BSS_SELECT_ATTR_RSSI_ADJUST]);
10324 		bss_select->behaviour = NL80211_BSS_SELECT_ATTR_RSSI_ADJUST;
10325 		bss_select->param.adjust.band = adj_param->band;
10326 		bss_select->param.adjust.delta = adj_param->delta;
10327 		if (!is_band_valid(wiphy, bss_select->param.adjust.band))
10328 			return -EINVAL;
10329 	}
10330 
10331 	/* user-space did not provide behaviour attribute */
10332 	if (bss_select->behaviour == __NL80211_BSS_SELECT_ATTR_INVALID)
10333 		return -EINVAL;
10334 
10335 	if (!(wiphy->bss_select_support & BIT(bss_select->behaviour)))
10336 		return -EINVAL;
10337 
10338 	return 0;
10339 }
10340 
10341 int nl80211_parse_random_mac(struct nlattr **attrs,
10342 			     u8 *mac_addr, u8 *mac_addr_mask)
10343 {
10344 	int i;
10345 
10346 	if (!attrs[NL80211_ATTR_MAC] && !attrs[NL80211_ATTR_MAC_MASK]) {
10347 		eth_zero_addr(mac_addr);
10348 		eth_zero_addr(mac_addr_mask);
10349 		mac_addr[0] = 0x2;
10350 		mac_addr_mask[0] = 0x3;
10351 
10352 		return 0;
10353 	}
10354 
10355 	/* need both or none */
10356 	if (!attrs[NL80211_ATTR_MAC] || !attrs[NL80211_ATTR_MAC_MASK])
10357 		return -EINVAL;
10358 
10359 	memcpy(mac_addr, nla_data(attrs[NL80211_ATTR_MAC]), ETH_ALEN);
10360 	memcpy(mac_addr_mask, nla_data(attrs[NL80211_ATTR_MAC_MASK]), ETH_ALEN);
10361 
10362 	/* don't allow or configure an mcast address */
10363 	if (!is_multicast_ether_addr(mac_addr_mask) ||
10364 	    is_multicast_ether_addr(mac_addr))
10365 		return -EINVAL;
10366 
10367 	/*
10368 	 * allow users to pass a MAC address that has bits set outside
10369 	 * of the mask, but don't bother drivers with having to deal
10370 	 * with such bits
10371 	 */
10372 	for (i = 0; i < ETH_ALEN; i++)
10373 		mac_addr[i] &= mac_addr_mask[i];
10374 
10375 	return 0;
10376 }
10377 
10378 static bool cfg80211_off_channel_oper_allowed(struct wireless_dev *wdev,
10379 					      struct ieee80211_channel *chan)
10380 {
10381 	unsigned int link_id;
10382 	bool all_ok = true;
10383 	int radio_idx;
10384 
10385 	lockdep_assert_wiphy(wdev->wiphy);
10386 
10387 	if (!cfg80211_wdev_channel_allowed(wdev, chan))
10388 		return false;
10389 
10390 	if (!cfg80211_beaconing_iface_active(wdev))
10391 		return true;
10392 
10393 	radio_idx = cfg80211_get_radio_idx_by_chan(wdev->wiphy, chan);
10394 
10395 	/*
10396 	 * FIXME: check if we have a free radio/link for chan
10397 	 *
10398 	 * This, as well as the FIXME below, requires knowing the link
10399 	 * capabilities of the hardware.
10400 	 */
10401 
10402 	/* we cannot leave radar channels */
10403 	for_each_valid_link(wdev, link_id) {
10404 		struct cfg80211_chan_def *chandef;
10405 		int link_radio_idx;
10406 
10407 		chandef = wdev_chandef(wdev, link_id);
10408 		if (!chandef || !chandef->chan)
10409 			continue;
10410 
10411 		if (!(chandef->chan->flags & IEEE80211_CHAN_RADAR))
10412 			continue;
10413 
10414 		/*
10415 		 * chandef->chan is a radar channel. If the radio/link onto
10416 		 * which this radar channel falls is the same radio/link onto
10417 		 * which the input 'chan' falls, off-channel operation should
10418 		 * not be allowed. Hence, set 'all_ok' to false.
10419 		 */
10420 
10421 		link_radio_idx = cfg80211_get_radio_idx_by_chan(wdev->wiphy,
10422 								chandef->chan);
10423 		if (link_radio_idx == radio_idx) {
10424 			all_ok = false;
10425 			break;
10426 		}
10427 	}
10428 
10429 	if (all_ok)
10430 		return true;
10431 
10432 	return regulatory_pre_cac_allowed(wdev->wiphy);
10433 }
10434 
10435 static bool nl80211_check_scan_feat(struct wiphy *wiphy, u32 flags, u32 flag,
10436 				    enum nl80211_ext_feature_index feat)
10437 {
10438 	if (!(flags & flag))
10439 		return true;
10440 	if (wiphy_ext_feature_isset(wiphy, feat))
10441 		return true;
10442 	return false;
10443 }
10444 
10445 static int
10446 nl80211_check_scan_flags(struct wiphy *wiphy, struct wireless_dev *wdev,
10447 			 struct nlattr **attrs, u8 *mac_addr, u8 *mac_addr_mask,
10448 			 u32 *flags, enum nl80211_feature_flags randomness_flag)
10449 {
10450 	if (!attrs[NL80211_ATTR_SCAN_FLAGS])
10451 		return 0;
10452 
10453 	*flags = nla_get_u32(attrs[NL80211_ATTR_SCAN_FLAGS]);
10454 
10455 	if (((*flags & NL80211_SCAN_FLAG_LOW_PRIORITY) &&
10456 	     !(wiphy->features & NL80211_FEATURE_LOW_PRIORITY_SCAN)) ||
10457 	    !nl80211_check_scan_feat(wiphy, *flags,
10458 				     NL80211_SCAN_FLAG_LOW_SPAN,
10459 				     NL80211_EXT_FEATURE_LOW_SPAN_SCAN) ||
10460 	    !nl80211_check_scan_feat(wiphy, *flags,
10461 				     NL80211_SCAN_FLAG_LOW_POWER,
10462 				     NL80211_EXT_FEATURE_LOW_POWER_SCAN) ||
10463 	    !nl80211_check_scan_feat(wiphy, *flags,
10464 				     NL80211_SCAN_FLAG_HIGH_ACCURACY,
10465 				     NL80211_EXT_FEATURE_HIGH_ACCURACY_SCAN) ||
10466 	    !nl80211_check_scan_feat(wiphy, *flags,
10467 				     NL80211_SCAN_FLAG_FILS_MAX_CHANNEL_TIME,
10468 				     NL80211_EXT_FEATURE_FILS_MAX_CHANNEL_TIME) ||
10469 	    !nl80211_check_scan_feat(wiphy, *flags,
10470 				     NL80211_SCAN_FLAG_ACCEPT_BCAST_PROBE_RESP,
10471 				     NL80211_EXT_FEATURE_ACCEPT_BCAST_PROBE_RESP) ||
10472 	    !nl80211_check_scan_feat(wiphy, *flags,
10473 				     NL80211_SCAN_FLAG_OCE_PROBE_REQ_DEFERRAL_SUPPRESSION,
10474 				     NL80211_EXT_FEATURE_OCE_PROBE_REQ_DEFERRAL_SUPPRESSION) ||
10475 	    !nl80211_check_scan_feat(wiphy, *flags,
10476 				     NL80211_SCAN_FLAG_OCE_PROBE_REQ_HIGH_TX_RATE,
10477 				     NL80211_EXT_FEATURE_OCE_PROBE_REQ_HIGH_TX_RATE) ||
10478 	    !nl80211_check_scan_feat(wiphy, *flags,
10479 				     NL80211_SCAN_FLAG_RANDOM_SN,
10480 				     NL80211_EXT_FEATURE_SCAN_RANDOM_SN) ||
10481 	    !nl80211_check_scan_feat(wiphy, *flags,
10482 				     NL80211_SCAN_FLAG_MIN_PREQ_CONTENT,
10483 				     NL80211_EXT_FEATURE_SCAN_MIN_PREQ_CONTENT))
10484 		return -EOPNOTSUPP;
10485 
10486 	if (*flags & NL80211_SCAN_FLAG_RANDOM_ADDR) {
10487 		int err;
10488 
10489 		if (!(wiphy->features & randomness_flag) ||
10490 		    (wdev && wdev->connected))
10491 			return -EOPNOTSUPP;
10492 
10493 		err = nl80211_parse_random_mac(attrs, mac_addr, mac_addr_mask);
10494 		if (err)
10495 			return err;
10496 	}
10497 
10498 	return 0;
10499 }
10500 
10501 static int
10502 nl80211_check_scan_flags_sched(struct wiphy *wiphy, struct wireless_dev *wdev,
10503 			       struct nlattr **attrs,
10504 			       struct cfg80211_sched_scan_request *req)
10505 {
10506 	return nl80211_check_scan_flags(wiphy, wdev, attrs,
10507 					req->mac_addr, req->mac_addr_mask,
10508 					&req->flags,
10509 					wdev ? NL80211_FEATURE_SCHED_SCAN_RANDOM_MAC_ADDR :
10510 					       NL80211_FEATURE_ND_RANDOM_MAC_ADDR);
10511 }
10512 
10513 static int
10514 nl80211_check_scan_flags_reg(struct wiphy *wiphy, struct wireless_dev *wdev,
10515 			     struct nlattr **attrs,
10516 			     struct cfg80211_scan_request_int *req)
10517 {
10518 	return nl80211_check_scan_flags(wiphy, wdev, attrs,
10519 					req->req.mac_addr,
10520 					req->req.mac_addr_mask,
10521 					&req->req.flags,
10522 					NL80211_FEATURE_SCAN_RANDOM_MAC_ADDR);
10523 }
10524 
10525 static int nl80211_trigger_scan(struct sk_buff *skb, struct genl_info *info)
10526 {
10527 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10528 	struct wireless_dev *wdev = info->user_ptr[1];
10529 	struct cfg80211_scan_request_int *request;
10530 	struct nlattr *scan_freqs = NULL;
10531 	bool scan_freqs_khz = false;
10532 	struct nlattr *attr;
10533 	struct wiphy *wiphy;
10534 	int err, tmp, n_ssids = 0, n_channels, i;
10535 	size_t ie_len, size;
10536 	size_t ssids_offset, ie_offset;
10537 
10538 	wiphy = &rdev->wiphy;
10539 
10540 	if (wdev->iftype == NL80211_IFTYPE_NAN)
10541 		return -EOPNOTSUPP;
10542 
10543 	if (!rdev->ops->scan)
10544 		return -EOPNOTSUPP;
10545 
10546 	if (rdev->scan_req || rdev->scan_msg)
10547 		return -EBUSY;
10548 
10549 	if (info->attrs[NL80211_ATTR_SCAN_FREQ_KHZ]) {
10550 		if (!wiphy_ext_feature_isset(wiphy,
10551 					     NL80211_EXT_FEATURE_SCAN_FREQ_KHZ))
10552 			return -EOPNOTSUPP;
10553 		scan_freqs = info->attrs[NL80211_ATTR_SCAN_FREQ_KHZ];
10554 		scan_freqs_khz = true;
10555 	} else if (info->attrs[NL80211_ATTR_SCAN_FREQUENCIES])
10556 		scan_freqs = info->attrs[NL80211_ATTR_SCAN_FREQUENCIES];
10557 
10558 	if (scan_freqs) {
10559 		n_channels = validate_scan_freqs(scan_freqs);
10560 		if (!n_channels)
10561 			return -EINVAL;
10562 	} else {
10563 		n_channels = ieee80211_get_num_supported_channels(wiphy);
10564 	}
10565 
10566 	if (info->attrs[NL80211_ATTR_SCAN_SSIDS])
10567 		nla_for_each_nested(attr, info->attrs[NL80211_ATTR_SCAN_SSIDS], tmp)
10568 			n_ssids++;
10569 
10570 	if (n_ssids > wiphy->max_scan_ssids)
10571 		return -EINVAL;
10572 
10573 	if (info->attrs[NL80211_ATTR_IE])
10574 		ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
10575 	else
10576 		ie_len = 0;
10577 
10578 	if (ie_len > wiphy->max_scan_ie_len)
10579 		return -EINVAL;
10580 
10581 	size = struct_size(request, req.channels, n_channels);
10582 	ssids_offset = size;
10583 	size = size_add(size, array_size(sizeof(*request->req.ssids), n_ssids));
10584 	ie_offset = size;
10585 	size = size_add(size, ie_len);
10586 	request = kzalloc(size, GFP_KERNEL);
10587 	if (!request)
10588 		return -ENOMEM;
10589 
10590 	if (n_ssids)
10591 		request->req.ssids = (void *)request + ssids_offset;
10592 	request->req.n_ssids = n_ssids;
10593 	if (ie_len)
10594 		request->req.ie = (void *)request + ie_offset;
10595 
10596 	i = 0;
10597 	if (scan_freqs) {
10598 		/* user specified, bail out if channel not found */
10599 		nla_for_each_nested(attr, scan_freqs, tmp) {
10600 			struct ieee80211_channel *chan;
10601 			int freq = nla_get_u32(attr);
10602 
10603 			if (!scan_freqs_khz)
10604 				freq = MHZ_TO_KHZ(freq);
10605 
10606 			chan = ieee80211_get_channel_khz(wiphy, freq);
10607 			if (!chan) {
10608 				err = -EINVAL;
10609 				goto out_free;
10610 			}
10611 
10612 			/* Ignore disabled / no primary channels */
10613 			if (chan->flags & IEEE80211_CHAN_DISABLED ||
10614 			    chan->flags & IEEE80211_CHAN_S1G_NO_PRIMARY ||
10615 			    !cfg80211_wdev_channel_allowed(wdev, chan))
10616 				continue;
10617 
10618 			request->req.channels[i] = chan;
10619 			i++;
10620 		}
10621 	} else {
10622 		enum nl80211_band band;
10623 
10624 		/* all channels */
10625 		for (band = 0; band < NUM_NL80211_BANDS; band++) {
10626 			int j;
10627 
10628 			if (!wiphy->bands[band])
10629 				continue;
10630 			for (j = 0; j < wiphy->bands[band]->n_channels; j++) {
10631 				struct ieee80211_channel *chan;
10632 
10633 				chan = &wiphy->bands[band]->channels[j];
10634 
10635 				if (chan->flags & IEEE80211_CHAN_DISABLED ||
10636 				    chan->flags &
10637 					    IEEE80211_CHAN_S1G_NO_PRIMARY ||
10638 				    !cfg80211_wdev_channel_allowed(wdev, chan))
10639 					continue;
10640 
10641 				request->req.channels[i] = chan;
10642 				i++;
10643 			}
10644 		}
10645 	}
10646 
10647 	if (!i) {
10648 		err = -EINVAL;
10649 		goto out_free;
10650 	}
10651 
10652 	request->req.n_channels = i;
10653 
10654 	for (i = 0; i < request->req.n_channels; i++) {
10655 		struct ieee80211_channel *chan = request->req.channels[i];
10656 
10657 		/* if we can go off-channel to the target channel we're good */
10658 		if (cfg80211_off_channel_oper_allowed(wdev, chan))
10659 			continue;
10660 
10661 		if (!cfg80211_wdev_on_sub_chan(wdev, chan, true)) {
10662 			err = -EBUSY;
10663 			goto out_free;
10664 		}
10665 	}
10666 
10667 	i = 0;
10668 	if (n_ssids) {
10669 		nla_for_each_nested(attr, info->attrs[NL80211_ATTR_SCAN_SSIDS], tmp) {
10670 			if (nla_len(attr) > IEEE80211_MAX_SSID_LEN) {
10671 				err = -EINVAL;
10672 				goto out_free;
10673 			}
10674 			request->req.ssids[i].ssid_len = nla_len(attr);
10675 			memcpy(request->req.ssids[i].ssid,
10676 			       nla_data(attr), nla_len(attr));
10677 			i++;
10678 		}
10679 	}
10680 
10681 	if (info->attrs[NL80211_ATTR_IE]) {
10682 		request->req.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
10683 		memcpy((void *)request->req.ie,
10684 		       nla_data(info->attrs[NL80211_ATTR_IE]),
10685 		       request->req.ie_len);
10686 	}
10687 
10688 	for (i = 0; i < NUM_NL80211_BANDS; i++)
10689 		if (wiphy->bands[i])
10690 			request->req.rates[i] =
10691 				(1 << wiphy->bands[i]->n_bitrates) - 1;
10692 
10693 	if (info->attrs[NL80211_ATTR_SCAN_SUPP_RATES]) {
10694 		nla_for_each_nested(attr,
10695 				    info->attrs[NL80211_ATTR_SCAN_SUPP_RATES],
10696 				    tmp) {
10697 			enum nl80211_band band = nla_type(attr);
10698 
10699 			if (band < 0 || band >= NUM_NL80211_BANDS) {
10700 				err = -EINVAL;
10701 				goto out_free;
10702 			}
10703 
10704 			if (!wiphy->bands[band])
10705 				continue;
10706 
10707 			err = ieee80211_get_ratemask(wiphy->bands[band],
10708 						     nla_data(attr),
10709 						     nla_len(attr),
10710 						     &request->req.rates[band]);
10711 			if (err)
10712 				goto out_free;
10713 		}
10714 	}
10715 
10716 	if (info->attrs[NL80211_ATTR_MEASUREMENT_DURATION]) {
10717 		request->req.duration =
10718 			nla_get_u16(info->attrs[NL80211_ATTR_MEASUREMENT_DURATION]);
10719 		request->req.duration_mandatory =
10720 			nla_get_flag(info->attrs[NL80211_ATTR_MEASUREMENT_DURATION_MANDATORY]);
10721 	}
10722 
10723 	err = nl80211_check_scan_flags_reg(wiphy, wdev, info->attrs, request);
10724 	if (err)
10725 		goto out_free;
10726 
10727 	request->req.no_cck =
10728 		nla_get_flag(info->attrs[NL80211_ATTR_TX_NO_CCK_RATE]);
10729 
10730 	/* Initial implementation used NL80211_ATTR_MAC to set the specific
10731 	 * BSSID to scan for. This was problematic because that same attribute
10732 	 * was already used for another purpose (local random MAC address). The
10733 	 * NL80211_ATTR_BSSID attribute was added to fix this. For backwards
10734 	 * compatibility with older userspace components, also use the
10735 	 * NL80211_ATTR_MAC value here if it can be determined to be used for
10736 	 * the specific BSSID use case instead of the random MAC address
10737 	 * (NL80211_ATTR_SCAN_FLAGS is used to enable random MAC address use).
10738 	 */
10739 	if (info->attrs[NL80211_ATTR_BSSID])
10740 		memcpy(request->req.bssid,
10741 		       nla_data(info->attrs[NL80211_ATTR_BSSID]), ETH_ALEN);
10742 	else if (!(request->req.flags & NL80211_SCAN_FLAG_RANDOM_ADDR) &&
10743 		 info->attrs[NL80211_ATTR_MAC])
10744 		memcpy(request->req.bssid,
10745 		       nla_data(info->attrs[NL80211_ATTR_MAC]),
10746 		       ETH_ALEN);
10747 	else
10748 		eth_broadcast_addr(request->req.bssid);
10749 
10750 	request->req.tsf_report_link_id =
10751 		nl80211_link_id_or_invalid(info->attrs);
10752 	request->req.wdev = wdev;
10753 	request->req.wiphy = &rdev->wiphy;
10754 	request->req.scan_start = jiffies;
10755 
10756 	rdev->scan_req = request;
10757 	err = cfg80211_scan(rdev);
10758 
10759 	if (err)
10760 		goto out_free;
10761 
10762 	nl80211_send_scan_start(rdev, wdev);
10763 	dev_hold(wdev->netdev);
10764 
10765 	return 0;
10766 
10767  out_free:
10768 	rdev->scan_req = NULL;
10769 	kfree(request);
10770 
10771 	return err;
10772 }
10773 
10774 static int nl80211_abort_scan(struct sk_buff *skb, struct genl_info *info)
10775 {
10776 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10777 	struct wireless_dev *wdev = info->user_ptr[1];
10778 
10779 	if (!rdev->ops->abort_scan)
10780 		return -EOPNOTSUPP;
10781 
10782 	if (rdev->scan_msg)
10783 		return 0;
10784 
10785 	if (!rdev->scan_req)
10786 		return -ENOENT;
10787 
10788 	rdev_abort_scan(rdev, wdev);
10789 	return 0;
10790 }
10791 
10792 static int
10793 nl80211_parse_sched_scan_plans(struct wiphy *wiphy, int n_plans,
10794 			       struct cfg80211_sched_scan_request *request,
10795 			       struct nlattr **attrs)
10796 {
10797 	int tmp, err, i = 0;
10798 	struct nlattr *attr;
10799 
10800 	if (!attrs[NL80211_ATTR_SCHED_SCAN_PLANS]) {
10801 		u32 interval;
10802 
10803 		/*
10804 		 * If scan plans are not specified,
10805 		 * %NL80211_ATTR_SCHED_SCAN_INTERVAL will be specified. In this
10806 		 * case one scan plan will be set with the specified scan
10807 		 * interval and infinite number of iterations.
10808 		 */
10809 		interval = nla_get_u32(attrs[NL80211_ATTR_SCHED_SCAN_INTERVAL]);
10810 		if (!interval)
10811 			return -EINVAL;
10812 
10813 		request->scan_plans[0].interval =
10814 			DIV_ROUND_UP(interval, MSEC_PER_SEC);
10815 		if (!request->scan_plans[0].interval)
10816 			return -EINVAL;
10817 
10818 		if (request->scan_plans[0].interval >
10819 		    wiphy->max_sched_scan_plan_interval)
10820 			request->scan_plans[0].interval =
10821 				wiphy->max_sched_scan_plan_interval;
10822 
10823 		return 0;
10824 	}
10825 
10826 	nla_for_each_nested(attr, attrs[NL80211_ATTR_SCHED_SCAN_PLANS], tmp) {
10827 		struct nlattr *plan[NL80211_SCHED_SCAN_PLAN_MAX + 1];
10828 
10829 		if (WARN_ON(i >= n_plans))
10830 			return -EINVAL;
10831 
10832 		err = nla_parse_nested_deprecated(plan,
10833 						  NL80211_SCHED_SCAN_PLAN_MAX,
10834 						  attr, nl80211_plan_policy,
10835 						  NULL);
10836 		if (err)
10837 			return err;
10838 
10839 		if (!plan[NL80211_SCHED_SCAN_PLAN_INTERVAL])
10840 			return -EINVAL;
10841 
10842 		request->scan_plans[i].interval =
10843 			nla_get_u32(plan[NL80211_SCHED_SCAN_PLAN_INTERVAL]);
10844 		if (!request->scan_plans[i].interval ||
10845 		    request->scan_plans[i].interval >
10846 		    wiphy->max_sched_scan_plan_interval)
10847 			return -EINVAL;
10848 
10849 		if (plan[NL80211_SCHED_SCAN_PLAN_ITERATIONS]) {
10850 			request->scan_plans[i].iterations =
10851 				nla_get_u32(plan[NL80211_SCHED_SCAN_PLAN_ITERATIONS]);
10852 			if (!request->scan_plans[i].iterations ||
10853 			    (request->scan_plans[i].iterations >
10854 			     wiphy->max_sched_scan_plan_iterations))
10855 				return -EINVAL;
10856 		} else if (i < n_plans - 1) {
10857 			/*
10858 			 * All scan plans but the last one must specify
10859 			 * a finite number of iterations
10860 			 */
10861 			return -EINVAL;
10862 		}
10863 
10864 		i++;
10865 	}
10866 
10867 	/*
10868 	 * The last scan plan must not specify the number of
10869 	 * iterations, it is supposed to run infinitely
10870 	 */
10871 	if (request->scan_plans[n_plans - 1].iterations)
10872 		return  -EINVAL;
10873 
10874 	return 0;
10875 }
10876 
10877 static struct cfg80211_sched_scan_request *
10878 nl80211_parse_sched_scan(struct wiphy *wiphy, struct wireless_dev *wdev,
10879 			 struct nlattr **attrs, int max_match_sets)
10880 {
10881 	struct cfg80211_sched_scan_request *request;
10882 	struct nlattr *attr;
10883 	int err, tmp, n_ssids = 0, n_match_sets = 0, n_channels, i, n_plans = 0;
10884 	enum nl80211_band band;
10885 	size_t ie_len, size;
10886 	struct nlattr *tb[NL80211_SCHED_SCAN_MATCH_ATTR_MAX + 1];
10887 	s32 default_match_rssi = NL80211_SCAN_RSSI_THOLD_OFF;
10888 
10889 	if (attrs[NL80211_ATTR_SCAN_FREQUENCIES]) {
10890 		n_channels = validate_scan_freqs(
10891 				attrs[NL80211_ATTR_SCAN_FREQUENCIES]);
10892 		if (!n_channels)
10893 			return ERR_PTR(-EINVAL);
10894 	} else {
10895 		n_channels = ieee80211_get_num_supported_channels(wiphy);
10896 	}
10897 
10898 	if (attrs[NL80211_ATTR_SCAN_SSIDS])
10899 		nla_for_each_nested(attr, attrs[NL80211_ATTR_SCAN_SSIDS],
10900 				    tmp)
10901 			n_ssids++;
10902 
10903 	if (n_ssids > wiphy->max_sched_scan_ssids)
10904 		return ERR_PTR(-EINVAL);
10905 
10906 	/*
10907 	 * First, count the number of 'real' matchsets. Due to an issue with
10908 	 * the old implementation, matchsets containing only the RSSI attribute
10909 	 * (NL80211_SCHED_SCAN_MATCH_ATTR_RSSI) are considered as the 'default'
10910 	 * RSSI for all matchsets, rather than their own matchset for reporting
10911 	 * all APs with a strong RSSI. This is needed to be compatible with
10912 	 * older userspace that treated a matchset with only the RSSI as the
10913 	 * global RSSI for all other matchsets - if there are other matchsets.
10914 	 */
10915 	if (attrs[NL80211_ATTR_SCHED_SCAN_MATCH]) {
10916 		nla_for_each_nested(attr,
10917 				    attrs[NL80211_ATTR_SCHED_SCAN_MATCH],
10918 				    tmp) {
10919 			struct nlattr *rssi;
10920 
10921 			err = nla_parse_nested_deprecated(tb,
10922 							  NL80211_SCHED_SCAN_MATCH_ATTR_MAX,
10923 							  attr,
10924 							  nl80211_match_policy,
10925 							  NULL);
10926 			if (err)
10927 				return ERR_PTR(err);
10928 
10929 			/* SSID and BSSID are mutually exclusive */
10930 			if (tb[NL80211_SCHED_SCAN_MATCH_ATTR_SSID] &&
10931 			    tb[NL80211_SCHED_SCAN_MATCH_ATTR_BSSID])
10932 				return ERR_PTR(-EINVAL);
10933 
10934 			/* add other standalone attributes here */
10935 			if (tb[NL80211_SCHED_SCAN_MATCH_ATTR_SSID] ||
10936 			    tb[NL80211_SCHED_SCAN_MATCH_ATTR_BSSID]) {
10937 				n_match_sets++;
10938 				continue;
10939 			}
10940 			rssi = tb[NL80211_SCHED_SCAN_MATCH_ATTR_RSSI];
10941 			if (rssi)
10942 				default_match_rssi = nla_get_s32(rssi);
10943 		}
10944 	}
10945 
10946 	/* However, if there's no other matchset, add the RSSI one */
10947 	if (!n_match_sets && default_match_rssi != NL80211_SCAN_RSSI_THOLD_OFF)
10948 		n_match_sets = 1;
10949 
10950 	if (n_match_sets > max_match_sets)
10951 		return ERR_PTR(-EINVAL);
10952 
10953 	if (attrs[NL80211_ATTR_IE])
10954 		ie_len = nla_len(attrs[NL80211_ATTR_IE]);
10955 	else
10956 		ie_len = 0;
10957 
10958 	if (ie_len > wiphy->max_sched_scan_ie_len)
10959 		return ERR_PTR(-EINVAL);
10960 
10961 	if (attrs[NL80211_ATTR_SCHED_SCAN_PLANS]) {
10962 		/*
10963 		 * NL80211_ATTR_SCHED_SCAN_INTERVAL must not be specified since
10964 		 * each scan plan already specifies its own interval
10965 		 */
10966 		if (attrs[NL80211_ATTR_SCHED_SCAN_INTERVAL])
10967 			return ERR_PTR(-EINVAL);
10968 
10969 		nla_for_each_nested(attr,
10970 				    attrs[NL80211_ATTR_SCHED_SCAN_PLANS], tmp)
10971 			n_plans++;
10972 	} else {
10973 		/*
10974 		 * The scan interval attribute is kept for backward
10975 		 * compatibility. If no scan plans are specified and sched scan
10976 		 * interval is specified, one scan plan will be set with this
10977 		 * scan interval and infinite number of iterations.
10978 		 */
10979 		if (!attrs[NL80211_ATTR_SCHED_SCAN_INTERVAL])
10980 			return ERR_PTR(-EINVAL);
10981 
10982 		n_plans = 1;
10983 	}
10984 
10985 	if (!n_plans || n_plans > wiphy->max_sched_scan_plans)
10986 		return ERR_PTR(-EINVAL);
10987 
10988 	if (!wiphy_ext_feature_isset(
10989 		    wiphy, NL80211_EXT_FEATURE_SCHED_SCAN_RELATIVE_RSSI) &&
10990 	    (attrs[NL80211_ATTR_SCHED_SCAN_RELATIVE_RSSI] ||
10991 	     attrs[NL80211_ATTR_SCHED_SCAN_RSSI_ADJUST]))
10992 		return ERR_PTR(-EINVAL);
10993 
10994 	size = struct_size(request, channels, n_channels);
10995 	size = size_add(size, array_size(sizeof(*request->ssids), n_ssids));
10996 	size = size_add(size, array_size(sizeof(*request->match_sets),
10997 					 n_match_sets));
10998 	size = size_add(size, array_size(sizeof(*request->scan_plans),
10999 					 n_plans));
11000 	size = size_add(size, ie_len);
11001 	request = kzalloc(size, GFP_KERNEL);
11002 	if (!request)
11003 		return ERR_PTR(-ENOMEM);
11004 	request->n_channels = n_channels;
11005 
11006 	if (n_ssids)
11007 		request->ssids = (void *)request +
11008 			struct_size(request, channels, n_channels);
11009 	request->n_ssids = n_ssids;
11010 	if (ie_len) {
11011 		if (n_ssids)
11012 			request->ie = (void *)(request->ssids + n_ssids);
11013 		else
11014 			request->ie = (void *)(request->channels + n_channels);
11015 	}
11016 
11017 	if (n_match_sets) {
11018 		if (request->ie)
11019 			request->match_sets = (void *)(request->ie + ie_len);
11020 		else if (n_ssids)
11021 			request->match_sets =
11022 				(void *)(request->ssids + n_ssids);
11023 		else
11024 			request->match_sets =
11025 				(void *)(request->channels + n_channels);
11026 	}
11027 	request->n_match_sets = n_match_sets;
11028 
11029 	if (n_match_sets)
11030 		request->scan_plans = (void *)(request->match_sets +
11031 					       n_match_sets);
11032 	else if (request->ie)
11033 		request->scan_plans = (void *)(request->ie + ie_len);
11034 	else if (n_ssids)
11035 		request->scan_plans = (void *)(request->ssids + n_ssids);
11036 	else
11037 		request->scan_plans = (void *)(request->channels + n_channels);
11038 
11039 	request->n_scan_plans = n_plans;
11040 
11041 	i = 0;
11042 	if (attrs[NL80211_ATTR_SCAN_FREQUENCIES]) {
11043 		/* user specified, bail out if channel not found */
11044 		nla_for_each_nested(attr,
11045 				    attrs[NL80211_ATTR_SCAN_FREQUENCIES],
11046 				    tmp) {
11047 			struct ieee80211_channel *chan;
11048 
11049 			chan = ieee80211_get_channel(wiphy, nla_get_u32(attr));
11050 
11051 			if (!chan) {
11052 				err = -EINVAL;
11053 				goto out_free;
11054 			}
11055 
11056 			/* ignore disabled channels */
11057 			if (chan->flags & IEEE80211_CHAN_DISABLED)
11058 				continue;
11059 
11060 			request->channels[i] = chan;
11061 			i++;
11062 		}
11063 	} else {
11064 		/* all channels */
11065 		for (band = 0; band < NUM_NL80211_BANDS; band++) {
11066 			int j;
11067 
11068 			if (!wiphy->bands[band])
11069 				continue;
11070 			for (j = 0; j < wiphy->bands[band]->n_channels; j++) {
11071 				struct ieee80211_channel *chan;
11072 
11073 				chan = &wiphy->bands[band]->channels[j];
11074 
11075 				if (chan->flags & IEEE80211_CHAN_DISABLED)
11076 					continue;
11077 
11078 				request->channels[i] = chan;
11079 				i++;
11080 			}
11081 		}
11082 	}
11083 
11084 	if (!i) {
11085 		err = -EINVAL;
11086 		goto out_free;
11087 	}
11088 
11089 	request->n_channels = i;
11090 
11091 	i = 0;
11092 	if (n_ssids) {
11093 		nla_for_each_nested(attr, attrs[NL80211_ATTR_SCAN_SSIDS],
11094 				    tmp) {
11095 			if (nla_len(attr) > IEEE80211_MAX_SSID_LEN) {
11096 				err = -EINVAL;
11097 				goto out_free;
11098 			}
11099 			request->ssids[i].ssid_len = nla_len(attr);
11100 			memcpy(request->ssids[i].ssid, nla_data(attr),
11101 			       nla_len(attr));
11102 			i++;
11103 		}
11104 	}
11105 
11106 	i = 0;
11107 	if (attrs[NL80211_ATTR_SCHED_SCAN_MATCH]) {
11108 		nla_for_each_nested(attr,
11109 				    attrs[NL80211_ATTR_SCHED_SCAN_MATCH],
11110 				    tmp) {
11111 			struct nlattr *ssid, *bssid, *rssi;
11112 
11113 			err = nla_parse_nested_deprecated(tb,
11114 							  NL80211_SCHED_SCAN_MATCH_ATTR_MAX,
11115 							  attr,
11116 							  nl80211_match_policy,
11117 							  NULL);
11118 			if (err)
11119 				goto out_free;
11120 			ssid = tb[NL80211_SCHED_SCAN_MATCH_ATTR_SSID];
11121 			bssid = tb[NL80211_SCHED_SCAN_MATCH_ATTR_BSSID];
11122 
11123 			if (!ssid && !bssid) {
11124 				i++;
11125 				continue;
11126 			}
11127 
11128 			if (WARN_ON(i >= n_match_sets)) {
11129 				/* this indicates a programming error,
11130 				 * the loop above should have verified
11131 				 * things properly
11132 				 */
11133 				err = -EINVAL;
11134 				goto out_free;
11135 			}
11136 
11137 			if (ssid) {
11138 				memcpy(request->match_sets[i].ssid.ssid,
11139 				       nla_data(ssid), nla_len(ssid));
11140 				request->match_sets[i].ssid.ssid_len =
11141 					nla_len(ssid);
11142 			}
11143 			if (bssid)
11144 				memcpy(request->match_sets[i].bssid,
11145 				       nla_data(bssid), ETH_ALEN);
11146 
11147 			/* special attribute - old implementation w/a */
11148 			request->match_sets[i].rssi_thold = default_match_rssi;
11149 			rssi = tb[NL80211_SCHED_SCAN_MATCH_ATTR_RSSI];
11150 			if (rssi)
11151 				request->match_sets[i].rssi_thold =
11152 					nla_get_s32(rssi);
11153 			i++;
11154 		}
11155 
11156 		/* there was no other matchset, so the RSSI one is alone */
11157 		if (i == 0 && n_match_sets)
11158 			request->match_sets[0].rssi_thold = default_match_rssi;
11159 
11160 		request->min_rssi_thold = INT_MAX;
11161 		for (i = 0; i < n_match_sets; i++)
11162 			request->min_rssi_thold =
11163 				min(request->match_sets[i].rssi_thold,
11164 				    request->min_rssi_thold);
11165 	} else {
11166 		request->min_rssi_thold = NL80211_SCAN_RSSI_THOLD_OFF;
11167 	}
11168 
11169 	if (ie_len) {
11170 		request->ie_len = ie_len;
11171 		memcpy((void *)request->ie,
11172 		       nla_data(attrs[NL80211_ATTR_IE]),
11173 		       request->ie_len);
11174 	}
11175 
11176 	err = nl80211_check_scan_flags_sched(wiphy, wdev, attrs, request);
11177 	if (err)
11178 		goto out_free;
11179 
11180 	if (attrs[NL80211_ATTR_SCHED_SCAN_DELAY])
11181 		request->delay =
11182 			nla_get_u32(attrs[NL80211_ATTR_SCHED_SCAN_DELAY]);
11183 
11184 	if (attrs[NL80211_ATTR_SCHED_SCAN_RELATIVE_RSSI]) {
11185 		request->relative_rssi = nla_get_s8(
11186 			attrs[NL80211_ATTR_SCHED_SCAN_RELATIVE_RSSI]);
11187 		request->relative_rssi_set = true;
11188 	}
11189 
11190 	if (request->relative_rssi_set &&
11191 	    attrs[NL80211_ATTR_SCHED_SCAN_RSSI_ADJUST]) {
11192 		struct nl80211_bss_select_rssi_adjust *rssi_adjust;
11193 
11194 		rssi_adjust = nla_data(
11195 			attrs[NL80211_ATTR_SCHED_SCAN_RSSI_ADJUST]);
11196 		request->rssi_adjust.band = rssi_adjust->band;
11197 		request->rssi_adjust.delta = rssi_adjust->delta;
11198 		if (!is_band_valid(wiphy, request->rssi_adjust.band)) {
11199 			err = -EINVAL;
11200 			goto out_free;
11201 		}
11202 	}
11203 
11204 	err = nl80211_parse_sched_scan_plans(wiphy, n_plans, request, attrs);
11205 	if (err)
11206 		goto out_free;
11207 
11208 	request->scan_start = jiffies;
11209 
11210 	return request;
11211 
11212 out_free:
11213 	kfree(request);
11214 	return ERR_PTR(err);
11215 }
11216 
11217 static int nl80211_start_sched_scan(struct sk_buff *skb,
11218 				    struct genl_info *info)
11219 {
11220 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11221 	struct net_device *dev = info->user_ptr[1];
11222 	struct wireless_dev *wdev = dev->ieee80211_ptr;
11223 	struct cfg80211_sched_scan_request *sched_scan_req;
11224 	bool want_multi;
11225 	int err;
11226 
11227 	if (!rdev->wiphy.max_sched_scan_reqs || !rdev->ops->sched_scan_start)
11228 		return -EOPNOTSUPP;
11229 
11230 	want_multi = info->attrs[NL80211_ATTR_SCHED_SCAN_MULTI];
11231 	err = cfg80211_sched_scan_req_possible(rdev, want_multi);
11232 	if (err)
11233 		return err;
11234 
11235 	sched_scan_req = nl80211_parse_sched_scan(&rdev->wiphy, wdev,
11236 						  info->attrs,
11237 						  rdev->wiphy.max_match_sets);
11238 
11239 	err = PTR_ERR_OR_ZERO(sched_scan_req);
11240 	if (err)
11241 		goto out_err;
11242 
11243 	/* leave request id zero for legacy request
11244 	 * or if driver does not support multi-scheduled scan
11245 	 */
11246 	if (want_multi && rdev->wiphy.max_sched_scan_reqs > 1)
11247 		sched_scan_req->reqid = cfg80211_assign_cookie(rdev);
11248 
11249 	err = rdev_sched_scan_start(rdev, dev, sched_scan_req);
11250 	if (err)
11251 		goto out_free;
11252 
11253 	sched_scan_req->dev = dev;
11254 	sched_scan_req->wiphy = &rdev->wiphy;
11255 
11256 	if (info->attrs[NL80211_ATTR_SOCKET_OWNER])
11257 		sched_scan_req->owner_nlportid = info->snd_portid;
11258 
11259 	cfg80211_add_sched_scan_req(rdev, sched_scan_req);
11260 
11261 	nl80211_send_sched_scan(sched_scan_req, NL80211_CMD_START_SCHED_SCAN);
11262 	return 0;
11263 
11264 out_free:
11265 	kfree(sched_scan_req);
11266 out_err:
11267 	return err;
11268 }
11269 
11270 static int nl80211_stop_sched_scan(struct sk_buff *skb,
11271 				   struct genl_info *info)
11272 {
11273 	struct cfg80211_sched_scan_request *req;
11274 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11275 	u64 cookie;
11276 
11277 	if (!rdev->wiphy.max_sched_scan_reqs || !rdev->ops->sched_scan_stop)
11278 		return -EOPNOTSUPP;
11279 
11280 	if (info->attrs[NL80211_ATTR_COOKIE]) {
11281 		cookie = nla_get_u64(info->attrs[NL80211_ATTR_COOKIE]);
11282 		return __cfg80211_stop_sched_scan(rdev, cookie, false);
11283 	}
11284 
11285 	req = list_first_or_null_rcu(&rdev->sched_scan_req_list,
11286 				     struct cfg80211_sched_scan_request,
11287 				     list);
11288 	if (!req || req->reqid ||
11289 	    (req->owner_nlportid &&
11290 	     req->owner_nlportid != info->snd_portid))
11291 		return -ENOENT;
11292 
11293 	return cfg80211_stop_sched_scan_req(rdev, req, false);
11294 }
11295 
11296 static int nl80211_start_radar_detection(struct sk_buff *skb,
11297 					 struct genl_info *info)
11298 {
11299 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11300 	struct net_device *dev = info->user_ptr[1];
11301 	struct wireless_dev *wdev = dev->ieee80211_ptr;
11302 	int link_id = nl80211_link_id(info->attrs);
11303 	struct wiphy *wiphy = wdev->wiphy;
11304 	struct cfg80211_chan_def chandef;
11305 	enum nl80211_dfs_regions dfs_region;
11306 	unsigned int cac_time_ms;
11307 	int err;
11308 
11309 	flush_delayed_work(&rdev->dfs_update_channels_wk);
11310 
11311 	switch (wdev->iftype) {
11312 	case NL80211_IFTYPE_AP:
11313 	case NL80211_IFTYPE_P2P_GO:
11314 	case NL80211_IFTYPE_MESH_POINT:
11315 	case NL80211_IFTYPE_ADHOC:
11316 		break;
11317 	default:
11318 		/* caution - see cfg80211_beaconing_iface_active() below */
11319 		return -EINVAL;
11320 	}
11321 
11322 	guard(wiphy)(wiphy);
11323 
11324 	dfs_region = reg_get_dfs_region(wiphy);
11325 	if (dfs_region == NL80211_DFS_UNSET)
11326 		return -EINVAL;
11327 
11328 	err = nl80211_parse_chandef(rdev, info->extack, info->attrs, &chandef);
11329 	if (err)
11330 		return err;
11331 
11332 	err = cfg80211_chandef_dfs_required(wiphy, &chandef, wdev->iftype);
11333 	if (err < 0)
11334 		return err;
11335 
11336 	if (err == 0)
11337 		return -EINVAL;
11338 
11339 	if (!cfg80211_chandef_dfs_usable(wiphy, &chandef))
11340 		return -EINVAL;
11341 
11342 	if (nla_get_flag(info->attrs[NL80211_ATTR_RADAR_BACKGROUND]))
11343 		return cfg80211_start_background_radar_detection(rdev, wdev,
11344 								 &chandef);
11345 
11346 	if (cfg80211_beaconing_iface_active(wdev)) {
11347 		/* During MLO other link(s) can beacon, only the current link
11348 		 * can not already beacon
11349 		 */
11350 		if (wdev->valid_links &&
11351 		    !wdev->links[link_id].ap.beacon_interval) {
11352 			/* nothing */
11353 		} else {
11354 			return -EBUSY;
11355 		}
11356 	}
11357 
11358 	if (wdev->links[link_id].cac_started)
11359 		return -EBUSY;
11360 
11361 	/* CAC start is offloaded to HW and can't be started manually */
11362 	if (wiphy_ext_feature_isset(wiphy, NL80211_EXT_FEATURE_DFS_OFFLOAD))
11363 		return -EOPNOTSUPP;
11364 
11365 	if (!rdev->ops->start_radar_detection)
11366 		return -EOPNOTSUPP;
11367 
11368 	cac_time_ms = cfg80211_chandef_dfs_cac_time(&rdev->wiphy, &chandef);
11369 	if (WARN_ON(!cac_time_ms))
11370 		cac_time_ms = IEEE80211_DFS_MIN_CAC_TIME_MS;
11371 
11372 	err = rdev_start_radar_detection(rdev, dev, &chandef, cac_time_ms,
11373 					 link_id);
11374 	if (err)
11375 		return err;
11376 
11377 	switch (wdev->iftype) {
11378 	case NL80211_IFTYPE_AP:
11379 	case NL80211_IFTYPE_P2P_GO:
11380 		wdev->links[link_id].ap.chandef = chandef;
11381 		break;
11382 	case NL80211_IFTYPE_ADHOC:
11383 		wdev->u.ibss.chandef = chandef;
11384 		break;
11385 	case NL80211_IFTYPE_MESH_POINT:
11386 		wdev->u.mesh.chandef = chandef;
11387 		break;
11388 	default:
11389 		break;
11390 	}
11391 	wdev->links[link_id].cac_started = true;
11392 	wdev->links[link_id].cac_start_time = jiffies;
11393 	wdev->links[link_id].cac_time_ms = cac_time_ms;
11394 	cfg80211_set_cac_state(wiphy, &chandef, true);
11395 
11396 	return 0;
11397 }
11398 
11399 static int nl80211_notify_radar_detection(struct sk_buff *skb,
11400 					  struct genl_info *info)
11401 {
11402 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11403 	struct net_device *dev = info->user_ptr[1];
11404 	struct wireless_dev *wdev = dev->ieee80211_ptr;
11405 	struct wiphy *wiphy = wdev->wiphy;
11406 	struct cfg80211_chan_def chandef;
11407 	enum nl80211_dfs_regions dfs_region;
11408 	int err;
11409 
11410 	dfs_region = reg_get_dfs_region(wiphy);
11411 	if (dfs_region == NL80211_DFS_UNSET) {
11412 		GENL_SET_ERR_MSG(info,
11413 				 "DFS Region is not set. Unexpected Radar indication");
11414 		return -EINVAL;
11415 	}
11416 
11417 	err = nl80211_parse_chandef(rdev, info->extack, info->attrs, &chandef);
11418 	if (err) {
11419 		GENL_SET_ERR_MSG(info, "Unable to extract chandef info");
11420 		return err;
11421 	}
11422 
11423 	err = cfg80211_chandef_dfs_required(wiphy, &chandef, wdev->iftype);
11424 	if (err < 0) {
11425 		GENL_SET_ERR_MSG(info, "chandef is invalid");
11426 		return err;
11427 	}
11428 
11429 	if (err == 0) {
11430 		GENL_SET_ERR_MSG(info,
11431 				 "Unexpected Radar indication for chandef/iftype");
11432 		return -EINVAL;
11433 	}
11434 
11435 	/* Do not process this notification if radar is already detected
11436 	 * by kernel on this channel, and return success.
11437 	 */
11438 	if (chandef.chan->dfs_state == NL80211_DFS_UNAVAILABLE)
11439 		return 0;
11440 
11441 	cfg80211_set_dfs_state(wiphy, &chandef, NL80211_DFS_UNAVAILABLE);
11442 
11443 	cfg80211_sched_dfs_chan_update(rdev);
11444 
11445 	rdev->radar_chandef = chandef;
11446 
11447 	/* Propagate this notification to other radios as well */
11448 	queue_work(cfg80211_wq, &rdev->propagate_radar_detect_wk);
11449 
11450 	return 0;
11451 }
11452 
11453 static int nl80211_parse_counter_offsets(struct cfg80211_registered_device *rdev,
11454 					 const u8 *data, size_t datalen,
11455 					 int first_count, struct nlattr *attr,
11456 					 const u16 **offsets, unsigned int *n_offsets)
11457 {
11458 	int i;
11459 
11460 	*n_offsets = 0;
11461 
11462 	if (!attr)
11463 		return 0;
11464 
11465 	if (!nla_len(attr) || (nla_len(attr) % sizeof(u16)))
11466 		return -EINVAL;
11467 
11468 	*n_offsets = nla_len(attr) / sizeof(u16);
11469 	if (rdev->wiphy.max_num_csa_counters &&
11470 	    (*n_offsets > rdev->wiphy.max_num_csa_counters))
11471 		return -EINVAL;
11472 
11473 	*offsets = nla_data(attr);
11474 
11475 	/* sanity checks - counters should fit and be the same */
11476 	for (i = 0; i < *n_offsets; i++) {
11477 		u16 offset = (*offsets)[i];
11478 
11479 		if (offset >= datalen)
11480 			return -EINVAL;
11481 
11482 		if (first_count != -1 && data[offset] != first_count)
11483 			return -EINVAL;
11484 	}
11485 
11486 	return 0;
11487 }
11488 
11489 static int nl80211_channel_switch(struct sk_buff *skb, struct genl_info *info)
11490 {
11491 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11492 	unsigned int link_id = nl80211_link_id(info->attrs);
11493 	struct net_device *dev = info->user_ptr[1];
11494 	struct wireless_dev *wdev = dev->ieee80211_ptr;
11495 	struct cfg80211_csa_settings params;
11496 	struct nlattr **csa_attrs = NULL;
11497 	int err;
11498 	bool need_new_beacon = false;
11499 	bool need_handle_dfs_flag = true;
11500 	u32 cs_count;
11501 
11502 	if (!rdev->ops->channel_switch ||
11503 	    !(rdev->wiphy.flags & WIPHY_FLAG_HAS_CHANNEL_SWITCH))
11504 		return -EOPNOTSUPP;
11505 
11506 	switch (dev->ieee80211_ptr->iftype) {
11507 	case NL80211_IFTYPE_AP:
11508 	case NL80211_IFTYPE_P2P_GO:
11509 		need_new_beacon = true;
11510 		/* For all modes except AP the handle_dfs flag needs to be
11511 		 * supplied to tell the kernel that userspace will handle radar
11512 		 * events when they happen. Otherwise a switch to a channel
11513 		 * requiring DFS will be rejected.
11514 		 */
11515 		need_handle_dfs_flag = false;
11516 
11517 		/* useless if AP is not running */
11518 		if (!wdev->links[link_id].ap.beacon_interval)
11519 			return -ENOTCONN;
11520 		break;
11521 	case NL80211_IFTYPE_ADHOC:
11522 		if (!wdev->u.ibss.ssid_len)
11523 			return -ENOTCONN;
11524 		break;
11525 	case NL80211_IFTYPE_MESH_POINT:
11526 		if (!wdev->u.mesh.id_len)
11527 			return -ENOTCONN;
11528 		break;
11529 	default:
11530 		return -EOPNOTSUPP;
11531 	}
11532 
11533 	memset(&params, 0, sizeof(params));
11534 	params.beacon_csa.ftm_responder = -1;
11535 
11536 	if (!info->attrs[NL80211_ATTR_WIPHY_FREQ] ||
11537 	    !info->attrs[NL80211_ATTR_CH_SWITCH_COUNT])
11538 		return -EINVAL;
11539 
11540 	/* only important for AP, IBSS and mesh create IEs internally */
11541 	if (need_new_beacon && !info->attrs[NL80211_ATTR_CSA_IES])
11542 		return -EINVAL;
11543 
11544 	/* Even though the attribute is u32, the specification says
11545 	 * u8, so let's make sure we don't overflow.
11546 	 */
11547 	cs_count = nla_get_u32(info->attrs[NL80211_ATTR_CH_SWITCH_COUNT]);
11548 	if (cs_count > 255)
11549 		return -EINVAL;
11550 
11551 	params.count = cs_count;
11552 
11553 	if (!need_new_beacon)
11554 		goto skip_beacons;
11555 
11556 	err = nl80211_parse_beacon(rdev, info->attrs, &params.beacon_after,
11557 				   info->extack);
11558 	if (err)
11559 		goto free;
11560 
11561 	csa_attrs = kzalloc_objs(*csa_attrs, NL80211_ATTR_MAX + 1);
11562 	if (!csa_attrs) {
11563 		err = -ENOMEM;
11564 		goto free;
11565 	}
11566 
11567 	err = nla_parse_nested_deprecated(csa_attrs, NL80211_ATTR_MAX,
11568 					  info->attrs[NL80211_ATTR_CSA_IES],
11569 					  nl80211_policy, info->extack);
11570 	if (err)
11571 		goto free;
11572 
11573 	err = nl80211_parse_beacon(rdev, csa_attrs, &params.beacon_csa,
11574 				   info->extack);
11575 	if (err)
11576 		goto free;
11577 
11578 	if (!csa_attrs[NL80211_ATTR_CNTDWN_OFFS_BEACON]) {
11579 		err = -EINVAL;
11580 		goto free;
11581 	}
11582 
11583 	err = nl80211_parse_counter_offsets(rdev, params.beacon_csa.tail,
11584 					    params.beacon_csa.tail_len,
11585 					    params.count,
11586 					    csa_attrs[NL80211_ATTR_CNTDWN_OFFS_BEACON],
11587 					    &params.counter_offsets_beacon,
11588 					    &params.n_counter_offsets_beacon);
11589 	if (err)
11590 		goto free;
11591 
11592 	err = nl80211_parse_counter_offsets(rdev, params.beacon_csa.probe_resp,
11593 					    params.beacon_csa.probe_resp_len,
11594 					    params.count,
11595 					    csa_attrs[NL80211_ATTR_CNTDWN_OFFS_PRESP],
11596 					    &params.counter_offsets_presp,
11597 					    &params.n_counter_offsets_presp);
11598 	if (err)
11599 		goto free;
11600 
11601 skip_beacons:
11602 	err = nl80211_parse_chandef(rdev, info->extack, info->attrs,
11603 				    &params.chandef);
11604 	if (err)
11605 		goto free;
11606 
11607 	if (!cfg80211_reg_can_beacon_relax(&rdev->wiphy, &params.chandef,
11608 					   wdev->iftype)) {
11609 		err = -EINVAL;
11610 		goto free;
11611 	}
11612 
11613 	err = cfg80211_chandef_dfs_required(wdev->wiphy,
11614 					    &params.chandef,
11615 					    wdev->iftype);
11616 	if (err < 0)
11617 		goto free;
11618 
11619 	if (err > 0) {
11620 		params.radar_required = true;
11621 		if (need_handle_dfs_flag &&
11622 		    !nla_get_flag(info->attrs[NL80211_ATTR_HANDLE_DFS])) {
11623 			err = -EINVAL;
11624 			goto free;
11625 		}
11626 	}
11627 
11628 	if (info->attrs[NL80211_ATTR_CH_SWITCH_BLOCK_TX])
11629 		params.block_tx = true;
11630 
11631 	if ((wdev->iftype == NL80211_IFTYPE_AP ||
11632 	     wdev->iftype == NL80211_IFTYPE_P2P_GO) &&
11633 	    info->attrs[NL80211_ATTR_UNSOL_BCAST_PROBE_RESP]) {
11634 		err = nl80211_parse_unsol_bcast_probe_resp(
11635 			rdev, info->attrs[NL80211_ATTR_UNSOL_BCAST_PROBE_RESP],
11636 			&params.unsol_bcast_probe_resp);
11637 		if (err)
11638 			goto free;
11639 	}
11640 
11641 	params.link_id = link_id;
11642 	err = rdev_channel_switch(rdev, dev, &params);
11643 
11644 free:
11645 	kfree(params.beacon_after.mbssid_ies);
11646 	kfree(params.beacon_csa.mbssid_ies);
11647 	kfree(params.beacon_after.rnr_ies);
11648 	kfree(params.beacon_csa.rnr_ies);
11649 	kfree(csa_attrs);
11650 	return err;
11651 }
11652 
11653 static int nl80211_send_bss(struct sk_buff *msg, struct netlink_callback *cb,
11654 			    u32 seq, int flags,
11655 			    struct cfg80211_registered_device *rdev,
11656 			    struct wireless_dev *wdev,
11657 			    struct cfg80211_internal_bss *intbss)
11658 {
11659 	struct cfg80211_bss *res = &intbss->pub;
11660 	const struct cfg80211_bss_ies *ies;
11661 	unsigned int link_id;
11662 	void *hdr;
11663 	struct nlattr *bss;
11664 
11665 	lockdep_assert_wiphy(wdev->wiphy);
11666 
11667 	hdr = nl80211hdr_put(msg, NETLINK_CB(cb->skb).portid, seq, flags,
11668 			     NL80211_CMD_NEW_SCAN_RESULTS);
11669 	if (!hdr)
11670 		return -1;
11671 
11672 	genl_dump_check_consistent(cb, hdr);
11673 
11674 	if (nla_put_u32(msg, NL80211_ATTR_GENERATION, rdev->bss_generation))
11675 		goto nla_put_failure;
11676 	if (wdev->netdev &&
11677 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, wdev->netdev->ifindex))
11678 		goto nla_put_failure;
11679 	if (nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
11680 			      NL80211_ATTR_PAD))
11681 		goto nla_put_failure;
11682 
11683 	bss = nla_nest_start_noflag(msg, NL80211_ATTR_BSS);
11684 	if (!bss)
11685 		goto nla_put_failure;
11686 	if ((!is_zero_ether_addr(res->bssid) &&
11687 	     nla_put(msg, NL80211_BSS_BSSID, ETH_ALEN, res->bssid)))
11688 		goto nla_put_failure;
11689 
11690 	rcu_read_lock();
11691 	/* indicate whether we have probe response data or not */
11692 	if (rcu_access_pointer(res->proberesp_ies) &&
11693 	    nla_put_flag(msg, NL80211_BSS_PRESP_DATA))
11694 		goto fail_unlock_rcu;
11695 
11696 	/* this pointer prefers to be pointed to probe response data
11697 	 * but is always valid
11698 	 */
11699 	ies = rcu_dereference(res->ies);
11700 	if (ies) {
11701 		if (nla_put_u64_64bit(msg, NL80211_BSS_TSF, ies->tsf,
11702 				      NL80211_BSS_PAD))
11703 			goto fail_unlock_rcu;
11704 		if (ies->len && nla_put(msg, NL80211_BSS_INFORMATION_ELEMENTS,
11705 					ies->len, ies->data))
11706 			goto fail_unlock_rcu;
11707 	}
11708 
11709 	/* and this pointer is always (unless driver didn't know) beacon data */
11710 	ies = rcu_dereference(res->beacon_ies);
11711 	if (ies && ies->from_beacon) {
11712 		if (nla_put_u64_64bit(msg, NL80211_BSS_BEACON_TSF, ies->tsf,
11713 				      NL80211_BSS_PAD))
11714 			goto fail_unlock_rcu;
11715 		if (ies->len && nla_put(msg, NL80211_BSS_BEACON_IES,
11716 					ies->len, ies->data))
11717 			goto fail_unlock_rcu;
11718 	}
11719 	rcu_read_unlock();
11720 
11721 	if (res->beacon_interval &&
11722 	    nla_put_u16(msg, NL80211_BSS_BEACON_INTERVAL, res->beacon_interval))
11723 		goto nla_put_failure;
11724 	if (nla_put_u16(msg, NL80211_BSS_CAPABILITY, res->capability) ||
11725 	    nla_put_u32(msg, NL80211_BSS_FREQUENCY, res->channel->center_freq) ||
11726 	    nla_put_u32(msg, NL80211_BSS_FREQUENCY_OFFSET,
11727 			res->channel->freq_offset) ||
11728 	    nla_put_u32(msg, NL80211_BSS_SEEN_MS_AGO,
11729 			jiffies_to_msecs(jiffies - intbss->ts)))
11730 		goto nla_put_failure;
11731 
11732 	if (intbss->parent_tsf &&
11733 	    (nla_put_u64_64bit(msg, NL80211_BSS_PARENT_TSF,
11734 			       intbss->parent_tsf, NL80211_BSS_PAD) ||
11735 	     nla_put(msg, NL80211_BSS_PARENT_BSSID, ETH_ALEN,
11736 		     intbss->parent_bssid)))
11737 		goto nla_put_failure;
11738 
11739 	if (res->ts_boottime &&
11740 	    nla_put_u64_64bit(msg, NL80211_BSS_LAST_SEEN_BOOTTIME,
11741 			      res->ts_boottime, NL80211_BSS_PAD))
11742 		goto nla_put_failure;
11743 
11744 	if (!nl80211_put_signal(msg, intbss->pub.chains,
11745 				intbss->pub.chain_signal,
11746 				NL80211_BSS_CHAIN_SIGNAL))
11747 		goto nla_put_failure;
11748 
11749 	if (intbss->bss_source != BSS_SOURCE_STA_PROFILE) {
11750 		switch (rdev->wiphy.signal_type) {
11751 		case CFG80211_SIGNAL_TYPE_MBM:
11752 			if (nla_put_u32(msg, NL80211_BSS_SIGNAL_MBM,
11753 					res->signal))
11754 				goto nla_put_failure;
11755 			break;
11756 		case CFG80211_SIGNAL_TYPE_UNSPEC:
11757 			if (nla_put_u8(msg, NL80211_BSS_SIGNAL_UNSPEC,
11758 				       res->signal))
11759 				goto nla_put_failure;
11760 			break;
11761 		default:
11762 			break;
11763 		}
11764 	}
11765 
11766 	switch (wdev->iftype) {
11767 	case NL80211_IFTYPE_P2P_CLIENT:
11768 	case NL80211_IFTYPE_STATION:
11769 		for_each_valid_link(wdev, link_id) {
11770 			if (intbss == wdev->links[link_id].client.current_bss &&
11771 			    (nla_put_u32(msg, NL80211_BSS_STATUS,
11772 					 NL80211_BSS_STATUS_ASSOCIATED) ||
11773 			     (wdev->valid_links &&
11774 			      (nla_put_u8(msg, NL80211_BSS_MLO_LINK_ID,
11775 					  link_id) ||
11776 			       nla_put(msg, NL80211_BSS_MLD_ADDR, ETH_ALEN,
11777 				       wdev->u.client.connected_addr)))))
11778 				goto nla_put_failure;
11779 		}
11780 		break;
11781 	case NL80211_IFTYPE_ADHOC:
11782 		if (intbss == wdev->u.ibss.current_bss &&
11783 		    nla_put_u32(msg, NL80211_BSS_STATUS,
11784 				NL80211_BSS_STATUS_IBSS_JOINED))
11785 			goto nla_put_failure;
11786 		break;
11787 	default:
11788 		break;
11789 	}
11790 
11791 	if (nla_put_u32(msg, NL80211_BSS_USE_FOR, res->use_for))
11792 		goto nla_put_failure;
11793 
11794 	if (res->cannot_use_reasons &&
11795 	    nla_put_u64_64bit(msg, NL80211_BSS_CANNOT_USE_REASONS,
11796 			      res->cannot_use_reasons,
11797 			      NL80211_BSS_PAD))
11798 		goto nla_put_failure;
11799 
11800 	nla_nest_end(msg, bss);
11801 
11802 	genlmsg_end(msg, hdr);
11803 	return 0;
11804 
11805  fail_unlock_rcu:
11806 	rcu_read_unlock();
11807  nla_put_failure:
11808 	genlmsg_cancel(msg, hdr);
11809 	return -EMSGSIZE;
11810 }
11811 
11812 static int nl80211_dump_scan(struct sk_buff *skb, struct netlink_callback *cb)
11813 {
11814 	struct cfg80211_registered_device *rdev;
11815 	struct cfg80211_internal_bss *scan;
11816 	struct wireless_dev *wdev;
11817 	struct nlattr **attrbuf;
11818 	int start = cb->args[2], idx = 0;
11819 	bool dump_include_use_data;
11820 	int err;
11821 
11822 	attrbuf = kzalloc_objs(*attrbuf, NUM_NL80211_ATTR);
11823 	if (!attrbuf)
11824 		return -ENOMEM;
11825 
11826 	err = nl80211_prepare_wdev_dump(cb, &rdev, &wdev, attrbuf);
11827 	if (err) {
11828 		kfree(attrbuf);
11829 		return err;
11830 	}
11831 	/* nl80211_prepare_wdev_dump acquired it in the successful case */
11832 	__acquire(&rdev->wiphy.mtx);
11833 
11834 	dump_include_use_data =
11835 		attrbuf[NL80211_ATTR_BSS_DUMP_INCLUDE_USE_DATA];
11836 	kfree(attrbuf);
11837 
11838 	spin_lock_bh(&rdev->bss_lock);
11839 
11840 	/*
11841 	 * dump_scan will be called multiple times to break up the scan results
11842 	 * into multiple messages.  It is unlikely that any more bss-es will be
11843 	 * expired after the first call, so only call only call this on the
11844 	 * first dump_scan invocation.
11845 	 */
11846 	if (start == 0)
11847 		cfg80211_bss_expire(rdev);
11848 
11849 	cb->seq = rdev->bss_generation;
11850 
11851 	list_for_each_entry(scan, &rdev->bss_list, list) {
11852 		if (++idx <= start)
11853 			continue;
11854 		if (!dump_include_use_data &&
11855 		    !(scan->pub.use_for & NL80211_BSS_USE_FOR_NORMAL))
11856 			continue;
11857 		if (nl80211_send_bss(skb, cb,
11858 				cb->nlh->nlmsg_seq, NLM_F_MULTI,
11859 				rdev, wdev, scan) < 0) {
11860 			idx--;
11861 			break;
11862 		}
11863 	}
11864 
11865 	spin_unlock_bh(&rdev->bss_lock);
11866 
11867 	cb->args[2] = idx;
11868 	wiphy_unlock(&rdev->wiphy);
11869 
11870 	return skb->len;
11871 }
11872 
11873 static int nl80211_send_survey(struct sk_buff *msg, u32 portid, u32 seq,
11874 			       int flags, struct net_device *dev,
11875 			       bool allow_radio_stats,
11876 			       struct survey_info *survey)
11877 {
11878 	void *hdr;
11879 	struct nlattr *infoattr;
11880 
11881 	/* skip radio stats if userspace didn't request them */
11882 	if (!survey->channel && !allow_radio_stats)
11883 		return 0;
11884 
11885 	hdr = nl80211hdr_put(msg, portid, seq, flags,
11886 			     NL80211_CMD_NEW_SURVEY_RESULTS);
11887 	if (!hdr)
11888 		return -ENOMEM;
11889 
11890 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
11891 		goto nla_put_failure;
11892 
11893 	infoattr = nla_nest_start_noflag(msg, NL80211_ATTR_SURVEY_INFO);
11894 	if (!infoattr)
11895 		goto nla_put_failure;
11896 
11897 	if (survey->channel &&
11898 	    nla_put_u32(msg, NL80211_SURVEY_INFO_FREQUENCY,
11899 			survey->channel->center_freq))
11900 		goto nla_put_failure;
11901 
11902 	if (survey->channel && survey->channel->freq_offset &&
11903 	    nla_put_u32(msg, NL80211_SURVEY_INFO_FREQUENCY_OFFSET,
11904 			survey->channel->freq_offset))
11905 		goto nla_put_failure;
11906 
11907 	if ((survey->filled & SURVEY_INFO_NOISE_DBM) &&
11908 	    nla_put_u8(msg, NL80211_SURVEY_INFO_NOISE, survey->noise))
11909 		goto nla_put_failure;
11910 	if ((survey->filled & SURVEY_INFO_IN_USE) &&
11911 	    nla_put_flag(msg, NL80211_SURVEY_INFO_IN_USE))
11912 		goto nla_put_failure;
11913 	if ((survey->filled & SURVEY_INFO_TIME) &&
11914 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME,
11915 			survey->time, NL80211_SURVEY_INFO_PAD))
11916 		goto nla_put_failure;
11917 	if ((survey->filled & SURVEY_INFO_TIME_BUSY) &&
11918 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_BUSY,
11919 			      survey->time_busy, NL80211_SURVEY_INFO_PAD))
11920 		goto nla_put_failure;
11921 	if ((survey->filled & SURVEY_INFO_TIME_EXT_BUSY) &&
11922 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_EXT_BUSY,
11923 			      survey->time_ext_busy, NL80211_SURVEY_INFO_PAD))
11924 		goto nla_put_failure;
11925 	if ((survey->filled & SURVEY_INFO_TIME_RX) &&
11926 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_RX,
11927 			      survey->time_rx, NL80211_SURVEY_INFO_PAD))
11928 		goto nla_put_failure;
11929 	if ((survey->filled & SURVEY_INFO_TIME_TX) &&
11930 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_TX,
11931 			      survey->time_tx, NL80211_SURVEY_INFO_PAD))
11932 		goto nla_put_failure;
11933 	if ((survey->filled & SURVEY_INFO_TIME_SCAN) &&
11934 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_SCAN,
11935 			      survey->time_scan, NL80211_SURVEY_INFO_PAD))
11936 		goto nla_put_failure;
11937 	if ((survey->filled & SURVEY_INFO_TIME_BSS_RX) &&
11938 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_BSS_RX,
11939 			      survey->time_bss_rx, NL80211_SURVEY_INFO_PAD))
11940 		goto nla_put_failure;
11941 
11942 	nla_nest_end(msg, infoattr);
11943 
11944 	genlmsg_end(msg, hdr);
11945 	return 0;
11946 
11947  nla_put_failure:
11948 	genlmsg_cancel(msg, hdr);
11949 	return -EMSGSIZE;
11950 }
11951 
11952 static int nl80211_dump_survey(struct sk_buff *skb, struct netlink_callback *cb)
11953 {
11954 	struct nlattr **attrbuf;
11955 	struct survey_info survey;
11956 	struct cfg80211_registered_device *rdev;
11957 	struct wireless_dev *wdev;
11958 	int survey_idx = cb->args[2];
11959 	int res;
11960 	bool radio_stats;
11961 
11962 	attrbuf = kzalloc_objs(*attrbuf, NUM_NL80211_ATTR);
11963 	if (!attrbuf)
11964 		return -ENOMEM;
11965 
11966 	res = nl80211_prepare_wdev_dump(cb, &rdev, &wdev, attrbuf);
11967 	if (res) {
11968 		kfree(attrbuf);
11969 		return res;
11970 	}
11971 	/* nl80211_prepare_wdev_dump acquired it in the successful case */
11972 	__acquire(&rdev->wiphy.mtx);
11973 
11974 	/* prepare_wdev_dump parsed the attributes */
11975 	radio_stats = attrbuf[NL80211_ATTR_SURVEY_RADIO_STATS];
11976 
11977 	if (!wdev->netdev) {
11978 		res = -EINVAL;
11979 		goto out_err;
11980 	}
11981 
11982 	if (!rdev->ops->dump_survey) {
11983 		res = -EOPNOTSUPP;
11984 		goto out_err;
11985 	}
11986 
11987 	while (1) {
11988 		res = rdev_dump_survey(rdev, wdev->netdev, survey_idx, &survey);
11989 		if (res == -ENOENT)
11990 			break;
11991 		if (res)
11992 			goto out_err;
11993 
11994 		/* don't send disabled channels, but do send non-channel data */
11995 		if (survey.channel &&
11996 		    survey.channel->flags & IEEE80211_CHAN_DISABLED) {
11997 			survey_idx++;
11998 			continue;
11999 		}
12000 
12001 		if (nl80211_send_survey(skb,
12002 				NETLINK_CB(cb->skb).portid,
12003 				cb->nlh->nlmsg_seq, NLM_F_MULTI,
12004 				wdev->netdev, radio_stats, &survey) < 0)
12005 			goto out;
12006 		survey_idx++;
12007 	}
12008 
12009  out:
12010 	cb->args[2] = survey_idx;
12011 	res = skb->len;
12012  out_err:
12013 	kfree(attrbuf);
12014 	wiphy_unlock(&rdev->wiphy);
12015 	return res;
12016 }
12017 
12018 static int nl80211_authenticate(struct sk_buff *skb, struct genl_info *info)
12019 {
12020 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12021 	struct net_device *dev = info->user_ptr[1];
12022 	struct ieee80211_channel *chan;
12023 	const u8 *bssid, *ssid;
12024 	int err, ssid_len;
12025 	enum nl80211_auth_type auth_type;
12026 	struct key_parse key;
12027 	bool local_state_change;
12028 	struct cfg80211_auth_request req = {};
12029 	u32 freq;
12030 
12031 	if (!info->attrs[NL80211_ATTR_MAC])
12032 		return -EINVAL;
12033 
12034 	if (!info->attrs[NL80211_ATTR_AUTH_TYPE])
12035 		return -EINVAL;
12036 
12037 	if (!info->attrs[NL80211_ATTR_SSID])
12038 		return -EINVAL;
12039 
12040 	if (!info->attrs[NL80211_ATTR_WIPHY_FREQ])
12041 		return -EINVAL;
12042 
12043 	err = nl80211_parse_key(info, &key);
12044 	if (err)
12045 		return err;
12046 
12047 	if (key.idx >= 0) {
12048 		if (key.type != -1 && key.type != NL80211_KEYTYPE_GROUP)
12049 			return -EINVAL;
12050 		if (!key.p.key || !key.p.key_len)
12051 			return -EINVAL;
12052 		if ((key.p.cipher != WLAN_CIPHER_SUITE_WEP40 ||
12053 		     key.p.key_len != WLAN_KEY_LEN_WEP40) &&
12054 		    (key.p.cipher != WLAN_CIPHER_SUITE_WEP104 ||
12055 		     key.p.key_len != WLAN_KEY_LEN_WEP104))
12056 			return -EINVAL;
12057 		if (key.idx > 3)
12058 			return -EINVAL;
12059 	} else {
12060 		key.p.key_len = 0;
12061 		key.p.key = NULL;
12062 	}
12063 
12064 	if (key.idx >= 0) {
12065 		int i;
12066 		bool ok = false;
12067 
12068 		for (i = 0; i < rdev->wiphy.n_cipher_suites; i++) {
12069 			if (key.p.cipher == rdev->wiphy.cipher_suites[i]) {
12070 				ok = true;
12071 				break;
12072 			}
12073 		}
12074 		if (!ok)
12075 			return -EINVAL;
12076 	}
12077 
12078 	if (!rdev->ops->auth)
12079 		return -EOPNOTSUPP;
12080 
12081 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
12082 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
12083 		return -EOPNOTSUPP;
12084 
12085 	bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
12086 	freq = MHZ_TO_KHZ(nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ]));
12087 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET])
12088 		freq +=
12089 		    nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET]);
12090 
12091 	chan = nl80211_get_valid_chan(&rdev->wiphy, freq);
12092 	if (!chan)
12093 		return -EINVAL;
12094 
12095 	ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
12096 	ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
12097 
12098 	if (info->attrs[NL80211_ATTR_IE]) {
12099 		req.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
12100 		req.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
12101 	}
12102 
12103 	if (info->attrs[NL80211_ATTR_SUPPORTED_SELECTORS]) {
12104 		req.supported_selectors =
12105 			nla_data(info->attrs[NL80211_ATTR_SUPPORTED_SELECTORS]);
12106 		req.supported_selectors_len =
12107 			nla_len(info->attrs[NL80211_ATTR_SUPPORTED_SELECTORS]);
12108 	}
12109 
12110 	auth_type = nla_get_u32(info->attrs[NL80211_ATTR_AUTH_TYPE]);
12111 	if (!nl80211_valid_auth_type(rdev, auth_type, NL80211_CMD_AUTHENTICATE))
12112 		return -EINVAL;
12113 
12114 	if ((auth_type == NL80211_AUTHTYPE_SAE ||
12115 	     auth_type == NL80211_AUTHTYPE_FILS_SK ||
12116 	     auth_type == NL80211_AUTHTYPE_FILS_SK_PFS ||
12117 	     auth_type == NL80211_AUTHTYPE_FILS_PK ||
12118 	     auth_type == NL80211_AUTHTYPE_EPPKE ||
12119 	     auth_type == NL80211_AUTHTYPE_IEEE8021X) &&
12120 	    !info->attrs[NL80211_ATTR_AUTH_DATA])
12121 		return -EINVAL;
12122 
12123 	if (info->attrs[NL80211_ATTR_AUTH_DATA]) {
12124 		if (auth_type != NL80211_AUTHTYPE_SAE &&
12125 		    auth_type != NL80211_AUTHTYPE_FILS_SK &&
12126 		    auth_type != NL80211_AUTHTYPE_FILS_SK_PFS &&
12127 		    auth_type != NL80211_AUTHTYPE_FILS_PK &&
12128 		    auth_type != NL80211_AUTHTYPE_EPPKE &&
12129 		    auth_type != NL80211_AUTHTYPE_IEEE8021X)
12130 			return -EINVAL;
12131 		req.auth_data = nla_data(info->attrs[NL80211_ATTR_AUTH_DATA]);
12132 		req.auth_data_len = nla_len(info->attrs[NL80211_ATTR_AUTH_DATA]);
12133 	}
12134 
12135 	local_state_change = !!info->attrs[NL80211_ATTR_LOCAL_STATE_CHANGE];
12136 
12137 	/*
12138 	 * Since we no longer track auth state, ignore
12139 	 * requests to only change local state.
12140 	 */
12141 	if (local_state_change)
12142 		return 0;
12143 
12144 	req.auth_type = auth_type;
12145 	req.key = key.p.key;
12146 	req.key_len = key.p.key_len;
12147 	req.key_idx = key.idx;
12148 	req.link_id = nl80211_link_id_or_invalid(info->attrs);
12149 	if (req.link_id >= 0) {
12150 		if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_MLO))
12151 			return -EINVAL;
12152 		if (!info->attrs[NL80211_ATTR_MLD_ADDR])
12153 			return -EINVAL;
12154 		req.ap_mld_addr = nla_data(info->attrs[NL80211_ATTR_MLD_ADDR]);
12155 		if (!is_valid_ether_addr(req.ap_mld_addr))
12156 			return -EINVAL;
12157 	}
12158 
12159 	req.bss = cfg80211_get_bss(&rdev->wiphy, chan, bssid, ssid, ssid_len,
12160 				   IEEE80211_BSS_TYPE_ESS,
12161 				   IEEE80211_PRIVACY_ANY);
12162 	if (!req.bss)
12163 		return -ENOENT;
12164 
12165 	err = cfg80211_mlme_auth(rdev, dev, &req);
12166 
12167 	cfg80211_put_bss(&rdev->wiphy, req.bss);
12168 
12169 	return err;
12170 }
12171 
12172 static int validate_pae_over_nl80211(struct cfg80211_registered_device *rdev,
12173 				     struct genl_info *info)
12174 {
12175 	if (!info->attrs[NL80211_ATTR_SOCKET_OWNER]) {
12176 		GENL_SET_ERR_MSG(info, "SOCKET_OWNER not set");
12177 		return -EINVAL;
12178 	}
12179 
12180 	if (!rdev->ops->tx_control_port ||
12181 	    !wiphy_ext_feature_isset(&rdev->wiphy,
12182 				     NL80211_EXT_FEATURE_CONTROL_PORT_OVER_NL80211))
12183 		return -EOPNOTSUPP;
12184 
12185 	return 0;
12186 }
12187 
12188 static int nl80211_crypto_settings(struct cfg80211_registered_device *rdev,
12189 				   struct genl_info *info,
12190 				   struct cfg80211_crypto_settings *settings,
12191 				   int cipher_limit)
12192 {
12193 	memset(settings, 0, sizeof(*settings));
12194 
12195 	settings->control_port = info->attrs[NL80211_ATTR_CONTROL_PORT];
12196 
12197 	if (info->attrs[NL80211_ATTR_CONTROL_PORT_ETHERTYPE]) {
12198 		u16 proto;
12199 
12200 		proto = nla_get_u16(
12201 			info->attrs[NL80211_ATTR_CONTROL_PORT_ETHERTYPE]);
12202 		settings->control_port_ethertype = cpu_to_be16(proto);
12203 		if (!(rdev->wiphy.flags & WIPHY_FLAG_CONTROL_PORT_PROTOCOL) &&
12204 		    proto != ETH_P_PAE)
12205 			return -EINVAL;
12206 		if (info->attrs[NL80211_ATTR_CONTROL_PORT_NO_ENCRYPT])
12207 			settings->control_port_no_encrypt = true;
12208 	} else
12209 		settings->control_port_ethertype = cpu_to_be16(ETH_P_PAE);
12210 
12211 	if (info->attrs[NL80211_ATTR_CONTROL_PORT_OVER_NL80211]) {
12212 		int r = validate_pae_over_nl80211(rdev, info);
12213 
12214 		if (r < 0)
12215 			return r;
12216 
12217 		settings->control_port_over_nl80211 = true;
12218 
12219 		if (info->attrs[NL80211_ATTR_CONTROL_PORT_NO_PREAUTH])
12220 			settings->control_port_no_preauth = true;
12221 	}
12222 
12223 	if (info->attrs[NL80211_ATTR_CIPHER_SUITES_PAIRWISE]) {
12224 		void *data;
12225 		int len, i;
12226 
12227 		data = nla_data(info->attrs[NL80211_ATTR_CIPHER_SUITES_PAIRWISE]);
12228 		len = nla_len(info->attrs[NL80211_ATTR_CIPHER_SUITES_PAIRWISE]);
12229 		settings->n_ciphers_pairwise = len / sizeof(u32);
12230 
12231 		if (len % sizeof(u32))
12232 			return -EINVAL;
12233 
12234 		if (settings->n_ciphers_pairwise > cipher_limit)
12235 			return -EINVAL;
12236 
12237 		memcpy(settings->ciphers_pairwise, data, len);
12238 
12239 		for (i = 0; i < settings->n_ciphers_pairwise; i++)
12240 			if (!cfg80211_supported_cipher_suite(
12241 					&rdev->wiphy,
12242 					settings->ciphers_pairwise[i]))
12243 				return -EINVAL;
12244 	}
12245 
12246 	if (info->attrs[NL80211_ATTR_CIPHER_SUITE_GROUP]) {
12247 		settings->cipher_group =
12248 			nla_get_u32(info->attrs[NL80211_ATTR_CIPHER_SUITE_GROUP]);
12249 		if (!cfg80211_supported_cipher_suite(&rdev->wiphy,
12250 						     settings->cipher_group))
12251 			return -EINVAL;
12252 	}
12253 
12254 	if (info->attrs[NL80211_ATTR_WPA_VERSIONS])
12255 		settings->wpa_versions =
12256 			nla_get_u32(info->attrs[NL80211_ATTR_WPA_VERSIONS]);
12257 
12258 	if (info->attrs[NL80211_ATTR_AKM_SUITES]) {
12259 		void *data;
12260 		int len;
12261 
12262 		data = nla_data(info->attrs[NL80211_ATTR_AKM_SUITES]);
12263 		len = nla_len(info->attrs[NL80211_ATTR_AKM_SUITES]);
12264 		settings->n_akm_suites = len / sizeof(u32);
12265 
12266 		if (len % sizeof(u32))
12267 			return -EINVAL;
12268 
12269 		if (settings->n_akm_suites > rdev->wiphy.max_num_akm_suites)
12270 			return -EINVAL;
12271 
12272 		memcpy(settings->akm_suites, data, len);
12273 	}
12274 
12275 	if (info->attrs[NL80211_ATTR_PMK]) {
12276 		if (nla_len(info->attrs[NL80211_ATTR_PMK]) != WLAN_PMK_LEN)
12277 			return -EINVAL;
12278 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
12279 					     NL80211_EXT_FEATURE_4WAY_HANDSHAKE_STA_PSK) &&
12280 		    !wiphy_ext_feature_isset(&rdev->wiphy,
12281 					     NL80211_EXT_FEATURE_4WAY_HANDSHAKE_AP_PSK))
12282 			return -EINVAL;
12283 		settings->psk = nla_data(info->attrs[NL80211_ATTR_PMK]);
12284 	}
12285 
12286 	if (info->attrs[NL80211_ATTR_SAE_PASSWORD]) {
12287 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
12288 					     NL80211_EXT_FEATURE_SAE_OFFLOAD) &&
12289 		    !wiphy_ext_feature_isset(&rdev->wiphy,
12290 					     NL80211_EXT_FEATURE_SAE_OFFLOAD_AP))
12291 			return -EINVAL;
12292 		settings->sae_pwd =
12293 			nla_data(info->attrs[NL80211_ATTR_SAE_PASSWORD]);
12294 		settings->sae_pwd_len =
12295 			nla_len(info->attrs[NL80211_ATTR_SAE_PASSWORD]);
12296 	}
12297 
12298 	settings->sae_pwe =
12299 		nla_get_u8_default(info->attrs[NL80211_ATTR_SAE_PWE],
12300 				   NL80211_SAE_PWE_UNSPECIFIED);
12301 
12302 	return 0;
12303 }
12304 
12305 static struct cfg80211_bss *nl80211_assoc_bss(struct cfg80211_registered_device *rdev,
12306 					      const u8 *ssid, int ssid_len,
12307 					      struct nlattr **attrs,
12308 					      int assoc_link_id, int link_id)
12309 {
12310 	struct ieee80211_channel *chan;
12311 	struct cfg80211_bss *bss;
12312 	const u8 *bssid;
12313 	u32 freq, use_for = 0;
12314 
12315 	if (!attrs[NL80211_ATTR_MAC] || !attrs[NL80211_ATTR_WIPHY_FREQ])
12316 		return ERR_PTR(-EINVAL);
12317 
12318 	bssid = nla_data(attrs[NL80211_ATTR_MAC]);
12319 
12320 	freq = MHZ_TO_KHZ(nla_get_u32(attrs[NL80211_ATTR_WIPHY_FREQ]));
12321 	if (attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET])
12322 		freq += nla_get_u32(attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET]);
12323 
12324 	chan = nl80211_get_valid_chan(&rdev->wiphy, freq);
12325 	if (!chan)
12326 		return ERR_PTR(-EINVAL);
12327 
12328 	if (assoc_link_id >= 0)
12329 		use_for = NL80211_BSS_USE_FOR_MLD_LINK;
12330 	if (assoc_link_id == link_id)
12331 		use_for |= NL80211_BSS_USE_FOR_NORMAL;
12332 
12333 	bss = __cfg80211_get_bss(&rdev->wiphy, chan, bssid,
12334 				 ssid, ssid_len,
12335 				 IEEE80211_BSS_TYPE_ESS,
12336 				 IEEE80211_PRIVACY_ANY,
12337 				 use_for);
12338 	if (!bss)
12339 		return ERR_PTR(-ENOENT);
12340 
12341 	return bss;
12342 }
12343 
12344 static int nl80211_process_links(struct cfg80211_registered_device *rdev,
12345 				 struct cfg80211_assoc_link *links,
12346 				 int assoc_link_id,
12347 				 const u8 *ssid, int ssid_len,
12348 				 struct genl_info *info)
12349 {
12350 	unsigned int attrsize = NUM_NL80211_ATTR * sizeof(struct nlattr *);
12351 	struct nlattr **attrs __free(kfree) = kzalloc(attrsize, GFP_KERNEL);
12352 	struct nlattr *link;
12353 	unsigned int link_id;
12354 	int rem, err;
12355 
12356 	if (!attrs)
12357 		return -ENOMEM;
12358 
12359 	nla_for_each_nested(link, info->attrs[NL80211_ATTR_MLO_LINKS], rem) {
12360 		memset(attrs, 0, attrsize);
12361 
12362 		nla_parse_nested(attrs, NL80211_ATTR_MAX, link, NULL, NULL);
12363 
12364 		if (!attrs[NL80211_ATTR_MLO_LINK_ID]) {
12365 			NL_SET_BAD_ATTR(info->extack, link);
12366 			return -EINVAL;
12367 		}
12368 
12369 		link_id = nla_get_u8(attrs[NL80211_ATTR_MLO_LINK_ID]);
12370 		/* cannot use the same link ID again */
12371 		if (links[link_id].bss) {
12372 			NL_SET_BAD_ATTR(info->extack, link);
12373 			return -EINVAL;
12374 		}
12375 		links[link_id].bss =
12376 			nl80211_assoc_bss(rdev, ssid, ssid_len, attrs,
12377 					  assoc_link_id, link_id);
12378 		if (IS_ERR(links[link_id].bss)) {
12379 			err = PTR_ERR(links[link_id].bss);
12380 			links[link_id].bss = NULL;
12381 			NL_SET_ERR_MSG_ATTR(info->extack, link,
12382 					    "Error fetching BSS for link");
12383 			return err;
12384 		}
12385 
12386 		if (attrs[NL80211_ATTR_IE]) {
12387 			links[link_id].elems = nla_data(attrs[NL80211_ATTR_IE]);
12388 			links[link_id].elems_len =
12389 				nla_len(attrs[NL80211_ATTR_IE]);
12390 
12391 			if (cfg80211_find_elem(WLAN_EID_FRAGMENT,
12392 					       links[link_id].elems,
12393 					       links[link_id].elems_len)) {
12394 				NL_SET_ERR_MSG_ATTR(info->extack,
12395 						    attrs[NL80211_ATTR_IE],
12396 						    "cannot deal with fragmentation");
12397 				return -EINVAL;
12398 			}
12399 
12400 			if (cfg80211_find_ext_elem(WLAN_EID_EXT_NON_INHERITANCE,
12401 						   links[link_id].elems,
12402 						   links[link_id].elems_len)) {
12403 				NL_SET_ERR_MSG_ATTR(info->extack,
12404 						    attrs[NL80211_ATTR_IE],
12405 						    "cannot deal with non-inheritance");
12406 				return -EINVAL;
12407 			}
12408 		}
12409 	}
12410 
12411 	return 0;
12412 }
12413 
12414 static int nl80211_associate(struct sk_buff *skb, struct genl_info *info)
12415 {
12416 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12417 	struct net_device *dev = info->user_ptr[1];
12418 	struct cfg80211_assoc_request req = {};
12419 	const u8 *ap_addr, *ssid;
12420 	unsigned int link_id;
12421 	int err, ssid_len;
12422 
12423 	if (dev->ieee80211_ptr->conn_owner_nlportid &&
12424 	    dev->ieee80211_ptr->conn_owner_nlportid != info->snd_portid)
12425 		return -EPERM;
12426 
12427 	if (!info->attrs[NL80211_ATTR_SSID])
12428 		return -EINVAL;
12429 
12430 	if (!rdev->ops->assoc)
12431 		return -EOPNOTSUPP;
12432 
12433 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
12434 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
12435 		return -EOPNOTSUPP;
12436 
12437 	ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
12438 	ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
12439 
12440 	if (info->attrs[NL80211_ATTR_IE]) {
12441 		req.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
12442 		req.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
12443 
12444 		if (cfg80211_find_ext_elem(WLAN_EID_EXT_NON_INHERITANCE,
12445 					   req.ie, req.ie_len)) {
12446 			NL_SET_ERR_MSG_ATTR(info->extack,
12447 					    info->attrs[NL80211_ATTR_IE],
12448 					    "non-inheritance makes no sense");
12449 			return -EINVAL;
12450 		}
12451 	}
12452 
12453 	if (info->attrs[NL80211_ATTR_USE_MFP]) {
12454 		enum nl80211_mfp mfp =
12455 			nla_get_u32(info->attrs[NL80211_ATTR_USE_MFP]);
12456 		if (mfp == NL80211_MFP_REQUIRED)
12457 			req.use_mfp = true;
12458 		else if (mfp != NL80211_MFP_NO)
12459 			return -EINVAL;
12460 	}
12461 
12462 	if (info->attrs[NL80211_ATTR_PREV_BSSID])
12463 		req.prev_bssid = nla_data(info->attrs[NL80211_ATTR_PREV_BSSID]);
12464 
12465 	if (info->attrs[NL80211_ATTR_SUPPORTED_SELECTORS]) {
12466 		req.supported_selectors =
12467 			nla_data(info->attrs[NL80211_ATTR_SUPPORTED_SELECTORS]);
12468 		req.supported_selectors_len =
12469 			nla_len(info->attrs[NL80211_ATTR_SUPPORTED_SELECTORS]);
12470 	}
12471 
12472 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_HT]))
12473 		req.flags |= ASSOC_REQ_DISABLE_HT;
12474 
12475 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
12476 		memcpy(&req.ht_capa_mask,
12477 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK]),
12478 		       sizeof(req.ht_capa_mask));
12479 
12480 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY]) {
12481 		if (!info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
12482 			return -EINVAL;
12483 		memcpy(&req.ht_capa,
12484 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]),
12485 		       sizeof(req.ht_capa));
12486 	}
12487 
12488 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_VHT]))
12489 		req.flags |= ASSOC_REQ_DISABLE_VHT;
12490 
12491 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_HE]))
12492 		req.flags |= ASSOC_REQ_DISABLE_HE;
12493 
12494 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_EHT]))
12495 		req.flags |= ASSOC_REQ_DISABLE_EHT;
12496 
12497 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_UHR]))
12498 		req.flags |= ASSOC_REQ_DISABLE_UHR;
12499 
12500 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK])
12501 		memcpy(&req.vht_capa_mask,
12502 		       nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK]),
12503 		       sizeof(req.vht_capa_mask));
12504 
12505 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY]) {
12506 		if (!info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK])
12507 			return -EINVAL;
12508 		memcpy(&req.vht_capa,
12509 		       nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]),
12510 		       sizeof(req.vht_capa));
12511 	}
12512 
12513 	if (nla_get_flag(info->attrs[NL80211_ATTR_USE_RRM])) {
12514 		if (!((rdev->wiphy.features &
12515 			NL80211_FEATURE_DS_PARAM_SET_IE_IN_PROBES) &&
12516 		       (rdev->wiphy.features & NL80211_FEATURE_QUIET)) &&
12517 		    !wiphy_ext_feature_isset(&rdev->wiphy,
12518 					     NL80211_EXT_FEATURE_RRM))
12519 			return -EINVAL;
12520 		req.flags |= ASSOC_REQ_USE_RRM;
12521 	}
12522 
12523 	if (info->attrs[NL80211_ATTR_FILS_KEK]) {
12524 		req.fils_kek = nla_data(info->attrs[NL80211_ATTR_FILS_KEK]);
12525 		req.fils_kek_len = nla_len(info->attrs[NL80211_ATTR_FILS_KEK]);
12526 		if (!info->attrs[NL80211_ATTR_FILS_NONCES])
12527 			return -EINVAL;
12528 		req.fils_nonces =
12529 			nla_data(info->attrs[NL80211_ATTR_FILS_NONCES]);
12530 	}
12531 
12532 	if (info->attrs[NL80211_ATTR_S1G_CAPABILITY_MASK]) {
12533 		if (!info->attrs[NL80211_ATTR_S1G_CAPABILITY])
12534 			return -EINVAL;
12535 		memcpy(&req.s1g_capa_mask,
12536 		       nla_data(info->attrs[NL80211_ATTR_S1G_CAPABILITY_MASK]),
12537 		       sizeof(req.s1g_capa_mask));
12538 	}
12539 
12540 	if (info->attrs[NL80211_ATTR_S1G_CAPABILITY]) {
12541 		if (!info->attrs[NL80211_ATTR_S1G_CAPABILITY_MASK])
12542 			return -EINVAL;
12543 		memcpy(&req.s1g_capa,
12544 		       nla_data(info->attrs[NL80211_ATTR_S1G_CAPABILITY]),
12545 		       sizeof(req.s1g_capa));
12546 	}
12547 
12548 	if (nla_get_flag(info->attrs[NL80211_ATTR_ASSOC_SPP_AMSDU])) {
12549 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
12550 					     NL80211_EXT_FEATURE_SPP_AMSDU_SUPPORT)) {
12551 			GENL_SET_ERR_MSG(info, "SPP A-MSDUs not supported");
12552 			return -EINVAL;
12553 		}
12554 		req.flags |= ASSOC_REQ_SPP_AMSDU;
12555 	}
12556 
12557 	req.link_id = nl80211_link_id_or_invalid(info->attrs);
12558 
12559 	if (info->attrs[NL80211_ATTR_MLO_LINKS]) {
12560 		if (req.link_id < 0)
12561 			return -EINVAL;
12562 
12563 		if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_MLO))
12564 			return -EINVAL;
12565 
12566 		if (info->attrs[NL80211_ATTR_MAC] ||
12567 		    info->attrs[NL80211_ATTR_WIPHY_FREQ] ||
12568 		    !info->attrs[NL80211_ATTR_MLD_ADDR])
12569 			return -EINVAL;
12570 
12571 		req.ap_mld_addr = nla_data(info->attrs[NL80211_ATTR_MLD_ADDR]);
12572 		ap_addr = req.ap_mld_addr;
12573 
12574 		err = nl80211_process_links(rdev, req.links, req.link_id,
12575 					    ssid, ssid_len, info);
12576 		if (err)
12577 			goto free;
12578 
12579 		if (!req.links[req.link_id].bss) {
12580 			err = -EINVAL;
12581 			goto free;
12582 		}
12583 
12584 		if (req.links[req.link_id].elems_len) {
12585 			GENL_SET_ERR_MSG(info,
12586 					 "cannot have per-link elems on assoc link");
12587 			err = -EINVAL;
12588 			goto free;
12589 		}
12590 
12591 		if (info->attrs[NL80211_ATTR_ASSOC_MLD_EXT_CAPA_OPS])
12592 			req.ext_mld_capa_ops =
12593 				nla_get_u16(info->attrs[NL80211_ATTR_ASSOC_MLD_EXT_CAPA_OPS]);
12594 	} else {
12595 		if (req.link_id >= 0)
12596 			return -EINVAL;
12597 
12598 		req.bss = nl80211_assoc_bss(rdev, ssid, ssid_len, info->attrs,
12599 					    -1, -1);
12600 		if (IS_ERR(req.bss))
12601 			return PTR_ERR(req.bss);
12602 		ap_addr = req.bss->bssid;
12603 
12604 		if (info->attrs[NL80211_ATTR_ASSOC_MLD_EXT_CAPA_OPS])
12605 			return -EINVAL;
12606 	}
12607 
12608 	err = nl80211_crypto_settings(rdev, info, &req.crypto, 1);
12609 	if (!err) {
12610 		struct nlattr *link;
12611 		int rem = 0;
12612 
12613 		err = cfg80211_mlme_assoc(rdev, dev, &req,
12614 					  info->extack);
12615 
12616 		if (!err && info->attrs[NL80211_ATTR_SOCKET_OWNER]) {
12617 			dev->ieee80211_ptr->conn_owner_nlportid =
12618 				info->snd_portid;
12619 			memcpy(dev->ieee80211_ptr->disconnect_bssid,
12620 			       ap_addr, ETH_ALEN);
12621 		}
12622 
12623 		/* Report error from first problematic link */
12624 		if (info->attrs[NL80211_ATTR_MLO_LINKS]) {
12625 			nla_for_each_nested(link,
12626 					    info->attrs[NL80211_ATTR_MLO_LINKS],
12627 					    rem) {
12628 				struct nlattr *link_id_attr =
12629 					nla_find_nested(link, NL80211_ATTR_MLO_LINK_ID);
12630 
12631 				if (!link_id_attr)
12632 					continue;
12633 
12634 				link_id = nla_get_u8(link_id_attr);
12635 
12636 				if (link_id == req.link_id)
12637 					continue;
12638 
12639 				if (!req.links[link_id].error ||
12640 				    WARN_ON(req.links[link_id].error > 0))
12641 					continue;
12642 
12643 				WARN_ON(err >= 0);
12644 
12645 				NL_SET_BAD_ATTR(info->extack, link);
12646 				err = req.links[link_id].error;
12647 				break;
12648 			}
12649 		}
12650 	}
12651 
12652 free:
12653 	for (link_id = 0; link_id < ARRAY_SIZE(req.links); link_id++)
12654 		cfg80211_put_bss(&rdev->wiphy, req.links[link_id].bss);
12655 	cfg80211_put_bss(&rdev->wiphy, req.bss);
12656 
12657 	return err;
12658 }
12659 
12660 static int nl80211_deauthenticate(struct sk_buff *skb, struct genl_info *info)
12661 {
12662 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12663 	struct net_device *dev = info->user_ptr[1];
12664 	const u8 *ie = NULL, *bssid;
12665 	int ie_len = 0;
12666 	u16 reason_code;
12667 	bool local_state_change;
12668 
12669 	if (dev->ieee80211_ptr->conn_owner_nlportid &&
12670 	    dev->ieee80211_ptr->conn_owner_nlportid != info->snd_portid)
12671 		return -EPERM;
12672 
12673 	if (!info->attrs[NL80211_ATTR_MAC])
12674 		return -EINVAL;
12675 
12676 	if (!info->attrs[NL80211_ATTR_REASON_CODE])
12677 		return -EINVAL;
12678 
12679 	if (!rdev->ops->deauth)
12680 		return -EOPNOTSUPP;
12681 
12682 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
12683 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
12684 		return -EOPNOTSUPP;
12685 
12686 	bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
12687 
12688 	reason_code = nla_get_u16(info->attrs[NL80211_ATTR_REASON_CODE]);
12689 	if (reason_code == 0) {
12690 		/* Reason Code 0 is reserved */
12691 		return -EINVAL;
12692 	}
12693 
12694 	if (info->attrs[NL80211_ATTR_IE]) {
12695 		ie = nla_data(info->attrs[NL80211_ATTR_IE]);
12696 		ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
12697 	}
12698 
12699 	local_state_change = !!info->attrs[NL80211_ATTR_LOCAL_STATE_CHANGE];
12700 
12701 	return cfg80211_mlme_deauth(rdev, dev, bssid, ie, ie_len, reason_code,
12702 				    local_state_change);
12703 }
12704 
12705 static int nl80211_disassociate(struct sk_buff *skb, struct genl_info *info)
12706 {
12707 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12708 	struct net_device *dev = info->user_ptr[1];
12709 	const u8 *ie = NULL, *bssid;
12710 	int ie_len = 0;
12711 	u16 reason_code;
12712 	bool local_state_change;
12713 
12714 	if (dev->ieee80211_ptr->conn_owner_nlportid &&
12715 	    dev->ieee80211_ptr->conn_owner_nlportid != info->snd_portid)
12716 		return -EPERM;
12717 
12718 	if (!info->attrs[NL80211_ATTR_MAC])
12719 		return -EINVAL;
12720 
12721 	if (!info->attrs[NL80211_ATTR_REASON_CODE])
12722 		return -EINVAL;
12723 
12724 	if (!rdev->ops->disassoc)
12725 		return -EOPNOTSUPP;
12726 
12727 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
12728 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
12729 		return -EOPNOTSUPP;
12730 
12731 	bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
12732 
12733 	reason_code = nla_get_u16(info->attrs[NL80211_ATTR_REASON_CODE]);
12734 	if (reason_code == 0) {
12735 		/* Reason Code 0 is reserved */
12736 		return -EINVAL;
12737 	}
12738 
12739 	if (info->attrs[NL80211_ATTR_IE]) {
12740 		ie = nla_data(info->attrs[NL80211_ATTR_IE]);
12741 		ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
12742 	}
12743 
12744 	local_state_change = !!info->attrs[NL80211_ATTR_LOCAL_STATE_CHANGE];
12745 
12746 	return cfg80211_mlme_disassoc(rdev, dev, bssid, ie, ie_len, reason_code,
12747 				      local_state_change);
12748 }
12749 
12750 static bool
12751 nl80211_parse_mcast_rate(struct cfg80211_registered_device *rdev,
12752 			 int mcast_rate[NUM_NL80211_BANDS],
12753 			 int rateval)
12754 {
12755 	struct wiphy *wiphy = &rdev->wiphy;
12756 	bool found = false;
12757 	int band, i;
12758 
12759 	for (band = 0; band < NUM_NL80211_BANDS; band++) {
12760 		struct ieee80211_supported_band *sband;
12761 
12762 		sband = wiphy->bands[band];
12763 		if (!sband)
12764 			continue;
12765 
12766 		for (i = 0; i < sband->n_bitrates; i++) {
12767 			if (sband->bitrates[i].bitrate == rateval) {
12768 				mcast_rate[band] = i + 1;
12769 				found = true;
12770 				break;
12771 			}
12772 		}
12773 	}
12774 
12775 	return found;
12776 }
12777 
12778 static int nl80211_join_ibss(struct sk_buff *skb, struct genl_info *info)
12779 {
12780 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12781 	struct net_device *dev = info->user_ptr[1];
12782 	struct cfg80211_ibss_params ibss;
12783 	struct wiphy *wiphy;
12784 	struct cfg80211_cached_keys *connkeys = NULL;
12785 	int err;
12786 
12787 	memset(&ibss, 0, sizeof(ibss));
12788 
12789 	if (!info->attrs[NL80211_ATTR_SSID] ||
12790 	    !nla_len(info->attrs[NL80211_ATTR_SSID]))
12791 		return -EINVAL;
12792 
12793 	ibss.beacon_interval = 100;
12794 
12795 	if (info->attrs[NL80211_ATTR_BEACON_INTERVAL])
12796 		ibss.beacon_interval =
12797 			nla_get_u32(info->attrs[NL80211_ATTR_BEACON_INTERVAL]);
12798 
12799 	err = cfg80211_validate_beacon_int(rdev, NL80211_IFTYPE_ADHOC,
12800 					   ibss.beacon_interval);
12801 	if (err)
12802 		return err;
12803 
12804 	if (!rdev->ops->join_ibss)
12805 		return -EOPNOTSUPP;
12806 
12807 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_ADHOC)
12808 		return -EOPNOTSUPP;
12809 
12810 	wiphy = &rdev->wiphy;
12811 
12812 	if (info->attrs[NL80211_ATTR_MAC]) {
12813 		ibss.bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
12814 
12815 		if (!is_valid_ether_addr(ibss.bssid))
12816 			return -EINVAL;
12817 	}
12818 	ibss.ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
12819 	ibss.ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
12820 
12821 	if (info->attrs[NL80211_ATTR_IE]) {
12822 		ibss.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
12823 		ibss.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
12824 	}
12825 
12826 	err = nl80211_parse_chandef(rdev, info->extack, info->attrs,
12827 				    &ibss.chandef);
12828 	if (err)
12829 		return err;
12830 
12831 	if (!cfg80211_reg_can_beacon(&rdev->wiphy, &ibss.chandef,
12832 				     NL80211_IFTYPE_ADHOC))
12833 		return -EINVAL;
12834 
12835 	switch (ibss.chandef.width) {
12836 	case NL80211_CHAN_WIDTH_5:
12837 	case NL80211_CHAN_WIDTH_10:
12838 	case NL80211_CHAN_WIDTH_20_NOHT:
12839 		break;
12840 	case NL80211_CHAN_WIDTH_20:
12841 	case NL80211_CHAN_WIDTH_40:
12842 		if (!(rdev->wiphy.features & NL80211_FEATURE_HT_IBSS))
12843 			return -EINVAL;
12844 		break;
12845 	case NL80211_CHAN_WIDTH_80:
12846 	case NL80211_CHAN_WIDTH_80P80:
12847 	case NL80211_CHAN_WIDTH_160:
12848 		if (!(rdev->wiphy.features & NL80211_FEATURE_HT_IBSS))
12849 			return -EINVAL;
12850 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
12851 					     NL80211_EXT_FEATURE_VHT_IBSS))
12852 			return -EINVAL;
12853 		break;
12854 	case NL80211_CHAN_WIDTH_320:
12855 		return -EINVAL;
12856 	default:
12857 		return -EINVAL;
12858 	}
12859 
12860 	ibss.channel_fixed = !!info->attrs[NL80211_ATTR_FREQ_FIXED];
12861 	ibss.privacy = !!info->attrs[NL80211_ATTR_PRIVACY];
12862 
12863 	if (info->attrs[NL80211_ATTR_BSS_BASIC_RATES]) {
12864 		u8 *rates =
12865 			nla_data(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
12866 		int n_rates =
12867 			nla_len(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
12868 		struct ieee80211_supported_band *sband =
12869 			wiphy->bands[ibss.chandef.chan->band];
12870 
12871 		err = ieee80211_get_ratemask(sband, rates, n_rates,
12872 					     &ibss.basic_rates);
12873 		if (err)
12874 			return err;
12875 	}
12876 
12877 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
12878 		memcpy(&ibss.ht_capa_mask,
12879 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK]),
12880 		       sizeof(ibss.ht_capa_mask));
12881 
12882 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY]) {
12883 		if (!info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
12884 			return -EINVAL;
12885 		memcpy(&ibss.ht_capa,
12886 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]),
12887 		       sizeof(ibss.ht_capa));
12888 	}
12889 
12890 	if (info->attrs[NL80211_ATTR_MCAST_RATE] &&
12891 	    !nl80211_parse_mcast_rate(rdev, ibss.mcast_rate,
12892 			nla_get_u32(info->attrs[NL80211_ATTR_MCAST_RATE])))
12893 		return -EINVAL;
12894 
12895 	if (ibss.privacy && info->attrs[NL80211_ATTR_KEYS]) {
12896 		bool no_ht = false;
12897 
12898 		connkeys = nl80211_parse_connkeys(rdev, info, &no_ht);
12899 		if (IS_ERR(connkeys))
12900 			return PTR_ERR(connkeys);
12901 
12902 		if ((ibss.chandef.width != NL80211_CHAN_WIDTH_20_NOHT) &&
12903 		    no_ht) {
12904 			kfree_sensitive(connkeys);
12905 			return -EINVAL;
12906 		}
12907 	}
12908 
12909 	ibss.control_port =
12910 		nla_get_flag(info->attrs[NL80211_ATTR_CONTROL_PORT]);
12911 
12912 	if (info->attrs[NL80211_ATTR_CONTROL_PORT_OVER_NL80211]) {
12913 		int r = validate_pae_over_nl80211(rdev, info);
12914 
12915 		if (r < 0) {
12916 			kfree_sensitive(connkeys);
12917 			return r;
12918 		}
12919 
12920 		ibss.control_port_over_nl80211 = true;
12921 	}
12922 
12923 	ibss.userspace_handles_dfs =
12924 		nla_get_flag(info->attrs[NL80211_ATTR_HANDLE_DFS]);
12925 
12926 	err = __cfg80211_join_ibss(rdev, dev, &ibss, connkeys);
12927 	if (err)
12928 		kfree_sensitive(connkeys);
12929 	else if (info->attrs[NL80211_ATTR_SOCKET_OWNER])
12930 		dev->ieee80211_ptr->conn_owner_nlportid = info->snd_portid;
12931 
12932 	return err;
12933 }
12934 
12935 static int nl80211_leave_ibss(struct sk_buff *skb, struct genl_info *info)
12936 {
12937 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12938 	struct net_device *dev = info->user_ptr[1];
12939 
12940 	if (!rdev->ops->leave_ibss)
12941 		return -EOPNOTSUPP;
12942 
12943 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_ADHOC)
12944 		return -EOPNOTSUPP;
12945 
12946 	return cfg80211_leave_ibss(rdev, dev, false);
12947 }
12948 
12949 static int nl80211_set_mcast_rate(struct sk_buff *skb, struct genl_info *info)
12950 {
12951 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12952 	struct net_device *dev = info->user_ptr[1];
12953 	int mcast_rate[NUM_NL80211_BANDS];
12954 	u32 nla_rate;
12955 
12956 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_ADHOC &&
12957 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT &&
12958 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_OCB)
12959 		return -EOPNOTSUPP;
12960 
12961 	if (!rdev->ops->set_mcast_rate)
12962 		return -EOPNOTSUPP;
12963 
12964 	memset(mcast_rate, 0, sizeof(mcast_rate));
12965 
12966 	if (!info->attrs[NL80211_ATTR_MCAST_RATE])
12967 		return -EINVAL;
12968 
12969 	nla_rate = nla_get_u32(info->attrs[NL80211_ATTR_MCAST_RATE]);
12970 	if (!nl80211_parse_mcast_rate(rdev, mcast_rate, nla_rate))
12971 		return -EINVAL;
12972 
12973 	return rdev_set_mcast_rate(rdev, dev, mcast_rate);
12974 }
12975 
12976 static struct sk_buff *
12977 __cfg80211_alloc_vendor_skb(struct cfg80211_registered_device *rdev,
12978 			    struct wireless_dev *wdev, int approxlen,
12979 			    u32 portid, u32 seq, enum nl80211_commands cmd,
12980 			    enum nl80211_attrs attr,
12981 			    const struct nl80211_vendor_cmd_info *info,
12982 			    gfp_t gfp)
12983 {
12984 	struct sk_buff *skb;
12985 	void *hdr;
12986 	struct nlattr *data;
12987 
12988 	skb = nlmsg_new(approxlen + 100, gfp);
12989 	if (!skb)
12990 		return NULL;
12991 
12992 	hdr = nl80211hdr_put(skb, portid, seq, 0, cmd);
12993 	if (!hdr) {
12994 		kfree_skb(skb);
12995 		return NULL;
12996 	}
12997 
12998 	if (nla_put_u32(skb, NL80211_ATTR_WIPHY, rdev->wiphy_idx))
12999 		goto nla_put_failure;
13000 
13001 	if (info) {
13002 		if (nla_put_u32(skb, NL80211_ATTR_VENDOR_ID,
13003 				info->vendor_id))
13004 			goto nla_put_failure;
13005 		if (nla_put_u32(skb, NL80211_ATTR_VENDOR_SUBCMD,
13006 				info->subcmd))
13007 			goto nla_put_failure;
13008 	}
13009 
13010 	if (wdev) {
13011 		if (nla_put_u64_64bit(skb, NL80211_ATTR_WDEV,
13012 				      wdev_id(wdev), NL80211_ATTR_PAD))
13013 			goto nla_put_failure;
13014 		if (wdev->netdev &&
13015 		    nla_put_u32(skb, NL80211_ATTR_IFINDEX,
13016 				wdev->netdev->ifindex))
13017 			goto nla_put_failure;
13018 	}
13019 
13020 	data = nla_nest_start_noflag(skb, attr);
13021 	if (!data)
13022 		goto nla_put_failure;
13023 
13024 	((void **)skb->cb)[0] = rdev;
13025 	((void **)skb->cb)[1] = hdr;
13026 	((void **)skb->cb)[2] = data;
13027 
13028 	return skb;
13029 
13030  nla_put_failure:
13031 	kfree_skb(skb);
13032 	return NULL;
13033 }
13034 
13035 struct sk_buff *__cfg80211_alloc_event_skb(struct wiphy *wiphy,
13036 					   struct wireless_dev *wdev,
13037 					   enum nl80211_commands cmd,
13038 					   enum nl80211_attrs attr,
13039 					   unsigned int portid,
13040 					   int vendor_event_idx,
13041 					   int approxlen, gfp_t gfp)
13042 {
13043 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
13044 	const struct nl80211_vendor_cmd_info *info;
13045 
13046 	switch (cmd) {
13047 	case NL80211_CMD_TESTMODE:
13048 		if (WARN_ON(vendor_event_idx != -1))
13049 			return NULL;
13050 		info = NULL;
13051 		break;
13052 	case NL80211_CMD_VENDOR:
13053 		if (WARN_ON(vendor_event_idx < 0 ||
13054 			    vendor_event_idx >= wiphy->n_vendor_events))
13055 			return NULL;
13056 		info = &wiphy->vendor_events[vendor_event_idx];
13057 		break;
13058 	default:
13059 		WARN_ON(1);
13060 		return NULL;
13061 	}
13062 
13063 	return __cfg80211_alloc_vendor_skb(rdev, wdev, approxlen, portid, 0,
13064 					   cmd, attr, info, gfp);
13065 }
13066 EXPORT_SYMBOL(__cfg80211_alloc_event_skb);
13067 
13068 void __cfg80211_send_event_skb(struct sk_buff *skb, gfp_t gfp)
13069 {
13070 	struct cfg80211_registered_device *rdev = ((void **)skb->cb)[0];
13071 	void *hdr = ((void **)skb->cb)[1];
13072 	struct nlmsghdr *nlhdr = nlmsg_hdr(skb);
13073 	struct nlattr *data = ((void **)skb->cb)[2];
13074 	enum nl80211_multicast_groups mcgrp = NL80211_MCGRP_TESTMODE;
13075 
13076 	/* clear CB data for netlink core to own from now on */
13077 	memset(skb->cb, 0, sizeof(skb->cb));
13078 
13079 	nla_nest_end(skb, data);
13080 	genlmsg_end(skb, hdr);
13081 
13082 	if (nlhdr->nlmsg_pid) {
13083 		genlmsg_unicast(wiphy_net(&rdev->wiphy), skb,
13084 				nlhdr->nlmsg_pid);
13085 	} else {
13086 		if (data->nla_type == NL80211_ATTR_VENDOR_DATA)
13087 			mcgrp = NL80211_MCGRP_VENDOR;
13088 
13089 		genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy),
13090 					skb, 0, mcgrp, gfp);
13091 	}
13092 }
13093 EXPORT_SYMBOL(__cfg80211_send_event_skb);
13094 
13095 #ifdef CONFIG_NL80211_TESTMODE
13096 static int nl80211_testmode_do(struct sk_buff *skb, struct genl_info *info)
13097 {
13098 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13099 	struct wireless_dev *wdev;
13100 	int err;
13101 
13102 	lockdep_assert_held(&rdev->wiphy.mtx);
13103 
13104 	wdev = __cfg80211_wdev_from_attrs(rdev, genl_info_net(info),
13105 					  info->attrs);
13106 
13107 	if (!rdev->ops->testmode_cmd)
13108 		return -EOPNOTSUPP;
13109 
13110 	if (IS_ERR(wdev)) {
13111 		err = PTR_ERR(wdev);
13112 		if (err != -EINVAL)
13113 			return err;
13114 		wdev = NULL;
13115 	} else if (wdev->wiphy != &rdev->wiphy) {
13116 		return -EINVAL;
13117 	}
13118 
13119 	if (!info->attrs[NL80211_ATTR_TESTDATA])
13120 		return -EINVAL;
13121 
13122 	rdev->cur_cmd_info = info;
13123 	err = rdev_testmode_cmd(rdev, wdev,
13124 				nla_data(info->attrs[NL80211_ATTR_TESTDATA]),
13125 				nla_len(info->attrs[NL80211_ATTR_TESTDATA]));
13126 	rdev->cur_cmd_info = NULL;
13127 
13128 	return err;
13129 }
13130 
13131 static int nl80211_testmode_dump(struct sk_buff *skb,
13132 				 struct netlink_callback *cb)
13133 {
13134 	struct cfg80211_registered_device *rdev;
13135 	struct nlattr **attrbuf = NULL;
13136 	int err;
13137 	long phy_idx;
13138 	void *data = NULL;
13139 	int data_len = 0;
13140 
13141 	rtnl_lock();
13142 
13143 	if (cb->args[0]) {
13144 		/*
13145 		 * 0 is a valid index, but not valid for args[0],
13146 		 * so we need to offset by 1.
13147 		 */
13148 		phy_idx = cb->args[0] - 1;
13149 
13150 		rdev = cfg80211_rdev_by_wiphy_idx(phy_idx);
13151 		if (!rdev) {
13152 			err = -ENOENT;
13153 			goto out_err;
13154 		}
13155 	} else {
13156 		attrbuf = kzalloc_objs(*attrbuf, NUM_NL80211_ATTR);
13157 		if (!attrbuf) {
13158 			err = -ENOMEM;
13159 			goto out_err;
13160 		}
13161 
13162 		err = nlmsg_parse_deprecated(cb->nlh,
13163 					     GENL_HDRLEN + nl80211_fam.hdrsize,
13164 					     attrbuf, nl80211_fam.maxattr,
13165 					     nl80211_policy, NULL);
13166 		if (err)
13167 			goto out_err;
13168 
13169 		rdev = __cfg80211_rdev_from_attrs(sock_net(skb->sk), attrbuf);
13170 		if (IS_ERR(rdev)) {
13171 			err = PTR_ERR(rdev);
13172 			goto out_err;
13173 		}
13174 		phy_idx = rdev->wiphy_idx;
13175 
13176 		if (attrbuf[NL80211_ATTR_TESTDATA])
13177 			cb->args[1] = (long)attrbuf[NL80211_ATTR_TESTDATA];
13178 	}
13179 
13180 	if (cb->args[1]) {
13181 		data = nla_data((void *)cb->args[1]);
13182 		data_len = nla_len((void *)cb->args[1]);
13183 	}
13184 
13185 	if (!rdev->ops->testmode_dump) {
13186 		err = -EOPNOTSUPP;
13187 		goto out_err;
13188 	}
13189 
13190 	while (1) {
13191 		void *hdr = nl80211hdr_put(skb, NETLINK_CB(cb->skb).portid,
13192 					   cb->nlh->nlmsg_seq, NLM_F_MULTI,
13193 					   NL80211_CMD_TESTMODE);
13194 		struct nlattr *tmdata;
13195 
13196 		if (!hdr)
13197 			break;
13198 
13199 		if (nla_put_u32(skb, NL80211_ATTR_WIPHY, phy_idx)) {
13200 			genlmsg_cancel(skb, hdr);
13201 			break;
13202 		}
13203 
13204 		tmdata = nla_nest_start_noflag(skb, NL80211_ATTR_TESTDATA);
13205 		if (!tmdata) {
13206 			genlmsg_cancel(skb, hdr);
13207 			break;
13208 		}
13209 		err = rdev_testmode_dump(rdev, skb, cb, data, data_len);
13210 		nla_nest_end(skb, tmdata);
13211 
13212 		if (err == -ENOBUFS || err == -ENOENT) {
13213 			genlmsg_cancel(skb, hdr);
13214 			break;
13215 		} else if (err) {
13216 			genlmsg_cancel(skb, hdr);
13217 			goto out_err;
13218 		}
13219 
13220 		genlmsg_end(skb, hdr);
13221 	}
13222 
13223 	err = skb->len;
13224 	/* see above */
13225 	cb->args[0] = phy_idx + 1;
13226  out_err:
13227 	kfree(attrbuf);
13228 	rtnl_unlock();
13229 	return err;
13230 }
13231 #endif
13232 
13233 static int nl80211_connect(struct sk_buff *skb, struct genl_info *info)
13234 {
13235 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13236 	struct net_device *dev = info->user_ptr[1];
13237 	struct cfg80211_connect_params connect;
13238 	struct wiphy *wiphy;
13239 	struct cfg80211_cached_keys *connkeys = NULL;
13240 	u32 freq = 0;
13241 	int err;
13242 
13243 	memset(&connect, 0, sizeof(connect));
13244 
13245 	if (!info->attrs[NL80211_ATTR_SSID] ||
13246 	    !nla_len(info->attrs[NL80211_ATTR_SSID]))
13247 		return -EINVAL;
13248 
13249 	if (info->attrs[NL80211_ATTR_AUTH_TYPE]) {
13250 		connect.auth_type =
13251 			nla_get_u32(info->attrs[NL80211_ATTR_AUTH_TYPE]);
13252 		if (!nl80211_valid_auth_type(rdev, connect.auth_type,
13253 					     NL80211_CMD_CONNECT))
13254 			return -EINVAL;
13255 	} else
13256 		connect.auth_type = NL80211_AUTHTYPE_AUTOMATIC;
13257 
13258 	connect.privacy = info->attrs[NL80211_ATTR_PRIVACY];
13259 
13260 	if (info->attrs[NL80211_ATTR_WANT_1X_4WAY_HS] &&
13261 	    !wiphy_ext_feature_isset(&rdev->wiphy,
13262 				     NL80211_EXT_FEATURE_4WAY_HANDSHAKE_STA_1X))
13263 		return -EINVAL;
13264 	connect.want_1x = info->attrs[NL80211_ATTR_WANT_1X_4WAY_HS];
13265 
13266 	err = nl80211_crypto_settings(rdev, info, &connect.crypto,
13267 				      NL80211_MAX_NR_CIPHER_SUITES);
13268 	if (err)
13269 		return err;
13270 
13271 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
13272 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
13273 		return -EOPNOTSUPP;
13274 
13275 	wiphy = &rdev->wiphy;
13276 
13277 	connect.bg_scan_period = -1;
13278 	if (info->attrs[NL80211_ATTR_BG_SCAN_PERIOD] &&
13279 		(wiphy->flags & WIPHY_FLAG_SUPPORTS_FW_ROAM)) {
13280 		connect.bg_scan_period =
13281 			nla_get_u16(info->attrs[NL80211_ATTR_BG_SCAN_PERIOD]);
13282 	}
13283 
13284 	if (info->attrs[NL80211_ATTR_MAC])
13285 		connect.bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
13286 	else if (info->attrs[NL80211_ATTR_MAC_HINT])
13287 		connect.bssid_hint =
13288 			nla_data(info->attrs[NL80211_ATTR_MAC_HINT]);
13289 	connect.ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
13290 	connect.ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
13291 
13292 	if (info->attrs[NL80211_ATTR_IE]) {
13293 		connect.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
13294 		connect.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
13295 	}
13296 
13297 	if (info->attrs[NL80211_ATTR_USE_MFP]) {
13298 		connect.mfp = nla_get_u32(info->attrs[NL80211_ATTR_USE_MFP]);
13299 		if (connect.mfp == NL80211_MFP_OPTIONAL &&
13300 		    !wiphy_ext_feature_isset(&rdev->wiphy,
13301 					     NL80211_EXT_FEATURE_MFP_OPTIONAL))
13302 			return -EOPNOTSUPP;
13303 	} else {
13304 		connect.mfp = NL80211_MFP_NO;
13305 	}
13306 
13307 	if (info->attrs[NL80211_ATTR_PREV_BSSID])
13308 		connect.prev_bssid =
13309 			nla_data(info->attrs[NL80211_ATTR_PREV_BSSID]);
13310 
13311 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ])
13312 		freq = MHZ_TO_KHZ(nla_get_u32(
13313 					info->attrs[NL80211_ATTR_WIPHY_FREQ]));
13314 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET])
13315 		freq +=
13316 		    nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET]);
13317 
13318 	if (freq) {
13319 		connect.channel = nl80211_get_valid_chan(wiphy, freq);
13320 		if (!connect.channel)
13321 			return -EINVAL;
13322 	} else if (info->attrs[NL80211_ATTR_WIPHY_FREQ_HINT]) {
13323 		freq = nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ_HINT]);
13324 		freq = MHZ_TO_KHZ(freq);
13325 		connect.channel_hint = nl80211_get_valid_chan(wiphy, freq);
13326 		if (!connect.channel_hint)
13327 			return -EINVAL;
13328 	}
13329 
13330 	if (info->attrs[NL80211_ATTR_WIPHY_EDMG_CHANNELS]) {
13331 		connect.edmg.channels =
13332 		      nla_get_u8(info->attrs[NL80211_ATTR_WIPHY_EDMG_CHANNELS]);
13333 
13334 		if (info->attrs[NL80211_ATTR_WIPHY_EDMG_BW_CONFIG])
13335 			connect.edmg.bw_config =
13336 				nla_get_u8(info->attrs[NL80211_ATTR_WIPHY_EDMG_BW_CONFIG]);
13337 	}
13338 
13339 	if (connect.privacy && info->attrs[NL80211_ATTR_KEYS]) {
13340 		connkeys = nl80211_parse_connkeys(rdev, info, NULL);
13341 		if (IS_ERR(connkeys))
13342 			return PTR_ERR(connkeys);
13343 	}
13344 
13345 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_HT]))
13346 		connect.flags |= ASSOC_REQ_DISABLE_HT;
13347 
13348 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
13349 		memcpy(&connect.ht_capa_mask,
13350 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK]),
13351 		       sizeof(connect.ht_capa_mask));
13352 
13353 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY]) {
13354 		if (!info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK]) {
13355 			kfree_sensitive(connkeys);
13356 			return -EINVAL;
13357 		}
13358 		memcpy(&connect.ht_capa,
13359 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]),
13360 		       sizeof(connect.ht_capa));
13361 	}
13362 
13363 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_VHT]))
13364 		connect.flags |= ASSOC_REQ_DISABLE_VHT;
13365 
13366 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_HE]))
13367 		connect.flags |= ASSOC_REQ_DISABLE_HE;
13368 
13369 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_EHT]))
13370 		connect.flags |= ASSOC_REQ_DISABLE_EHT;
13371 
13372 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_UHR]))
13373 		connect.flags |= ASSOC_REQ_DISABLE_UHR;
13374 
13375 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK])
13376 		memcpy(&connect.vht_capa_mask,
13377 		       nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK]),
13378 		       sizeof(connect.vht_capa_mask));
13379 
13380 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY]) {
13381 		if (!info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK]) {
13382 			kfree_sensitive(connkeys);
13383 			return -EINVAL;
13384 		}
13385 		memcpy(&connect.vht_capa,
13386 		       nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]),
13387 		       sizeof(connect.vht_capa));
13388 	}
13389 
13390 	if (nla_get_flag(info->attrs[NL80211_ATTR_USE_RRM])) {
13391 		if (!((rdev->wiphy.features &
13392 			NL80211_FEATURE_DS_PARAM_SET_IE_IN_PROBES) &&
13393 		       (rdev->wiphy.features & NL80211_FEATURE_QUIET)) &&
13394 		    !wiphy_ext_feature_isset(&rdev->wiphy,
13395 					     NL80211_EXT_FEATURE_RRM)) {
13396 			kfree_sensitive(connkeys);
13397 			return -EINVAL;
13398 		}
13399 		connect.flags |= ASSOC_REQ_USE_RRM;
13400 	}
13401 
13402 	connect.pbss = nla_get_flag(info->attrs[NL80211_ATTR_PBSS]);
13403 	if (connect.pbss && !rdev->wiphy.bands[NL80211_BAND_60GHZ]) {
13404 		kfree_sensitive(connkeys);
13405 		return -EOPNOTSUPP;
13406 	}
13407 
13408 	if (info->attrs[NL80211_ATTR_BSS_SELECT]) {
13409 		/* bss selection makes no sense if bssid is set */
13410 		if (connect.bssid) {
13411 			kfree_sensitive(connkeys);
13412 			return -EINVAL;
13413 		}
13414 
13415 		err = parse_bss_select(info->attrs[NL80211_ATTR_BSS_SELECT],
13416 				       wiphy, &connect.bss_select);
13417 		if (err) {
13418 			kfree_sensitive(connkeys);
13419 			return err;
13420 		}
13421 	}
13422 
13423 	if (wiphy_ext_feature_isset(&rdev->wiphy,
13424 				    NL80211_EXT_FEATURE_FILS_SK_OFFLOAD) &&
13425 	    info->attrs[NL80211_ATTR_FILS_ERP_USERNAME] &&
13426 	    info->attrs[NL80211_ATTR_FILS_ERP_REALM] &&
13427 	    info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM] &&
13428 	    info->attrs[NL80211_ATTR_FILS_ERP_RRK]) {
13429 		connect.fils_erp_username =
13430 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_USERNAME]);
13431 		connect.fils_erp_username_len =
13432 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_USERNAME]);
13433 		connect.fils_erp_realm =
13434 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_REALM]);
13435 		connect.fils_erp_realm_len =
13436 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_REALM]);
13437 		connect.fils_erp_next_seq_num =
13438 			nla_get_u16(
13439 			   info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM]);
13440 		connect.fils_erp_rrk =
13441 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_RRK]);
13442 		connect.fils_erp_rrk_len =
13443 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_RRK]);
13444 	} else if (info->attrs[NL80211_ATTR_FILS_ERP_USERNAME] ||
13445 		   info->attrs[NL80211_ATTR_FILS_ERP_REALM] ||
13446 		   info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM] ||
13447 		   info->attrs[NL80211_ATTR_FILS_ERP_RRK]) {
13448 		kfree_sensitive(connkeys);
13449 		return -EINVAL;
13450 	}
13451 
13452 	if (nla_get_flag(info->attrs[NL80211_ATTR_EXTERNAL_AUTH_SUPPORT])) {
13453 		if (!info->attrs[NL80211_ATTR_SOCKET_OWNER]) {
13454 			kfree_sensitive(connkeys);
13455 			GENL_SET_ERR_MSG(info,
13456 					 "external auth requires connection ownership");
13457 			return -EINVAL;
13458 		}
13459 		connect.flags |= CONNECT_REQ_EXTERNAL_AUTH_SUPPORT;
13460 	}
13461 
13462 	if (nla_get_flag(info->attrs[NL80211_ATTR_MLO_SUPPORT]))
13463 		connect.flags |= CONNECT_REQ_MLO_SUPPORT;
13464 
13465 	err = cfg80211_connect(rdev, dev, &connect, connkeys,
13466 			       connect.prev_bssid);
13467 	if (err)
13468 		kfree_sensitive(connkeys);
13469 
13470 	if (!err && info->attrs[NL80211_ATTR_SOCKET_OWNER]) {
13471 		dev->ieee80211_ptr->conn_owner_nlportid = info->snd_portid;
13472 		if (connect.bssid)
13473 			memcpy(dev->ieee80211_ptr->disconnect_bssid,
13474 			       connect.bssid, ETH_ALEN);
13475 		else
13476 			eth_zero_addr(dev->ieee80211_ptr->disconnect_bssid);
13477 	}
13478 
13479 	return err;
13480 }
13481 
13482 static int nl80211_update_connect_params(struct sk_buff *skb,
13483 					 struct genl_info *info)
13484 {
13485 	struct cfg80211_connect_params connect = {};
13486 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13487 	struct net_device *dev = info->user_ptr[1];
13488 	struct wireless_dev *wdev = dev->ieee80211_ptr;
13489 	bool fils_sk_offload;
13490 	u32 auth_type;
13491 	u32 changed = 0;
13492 
13493 	if (!rdev->ops->update_connect_params)
13494 		return -EOPNOTSUPP;
13495 
13496 	if (info->attrs[NL80211_ATTR_IE]) {
13497 		connect.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
13498 		connect.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
13499 		changed |= UPDATE_ASSOC_IES;
13500 	}
13501 
13502 	fils_sk_offload = wiphy_ext_feature_isset(&rdev->wiphy,
13503 						  NL80211_EXT_FEATURE_FILS_SK_OFFLOAD);
13504 
13505 	/*
13506 	 * when driver supports fils-sk offload all attributes must be
13507 	 * provided. So the else covers "fils-sk-not-all" and
13508 	 * "no-fils-sk-any".
13509 	 */
13510 	if (fils_sk_offload &&
13511 	    info->attrs[NL80211_ATTR_FILS_ERP_USERNAME] &&
13512 	    info->attrs[NL80211_ATTR_FILS_ERP_REALM] &&
13513 	    info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM] &&
13514 	    info->attrs[NL80211_ATTR_FILS_ERP_RRK]) {
13515 		connect.fils_erp_username =
13516 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_USERNAME]);
13517 		connect.fils_erp_username_len =
13518 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_USERNAME]);
13519 		connect.fils_erp_realm =
13520 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_REALM]);
13521 		connect.fils_erp_realm_len =
13522 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_REALM]);
13523 		connect.fils_erp_next_seq_num =
13524 			nla_get_u16(
13525 			   info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM]);
13526 		connect.fils_erp_rrk =
13527 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_RRK]);
13528 		connect.fils_erp_rrk_len =
13529 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_RRK]);
13530 		changed |= UPDATE_FILS_ERP_INFO;
13531 	} else if (info->attrs[NL80211_ATTR_FILS_ERP_USERNAME] ||
13532 		   info->attrs[NL80211_ATTR_FILS_ERP_REALM] ||
13533 		   info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM] ||
13534 		   info->attrs[NL80211_ATTR_FILS_ERP_RRK]) {
13535 		return -EINVAL;
13536 	}
13537 
13538 	if (info->attrs[NL80211_ATTR_AUTH_TYPE]) {
13539 		auth_type = nla_get_u32(info->attrs[NL80211_ATTR_AUTH_TYPE]);
13540 		if (!nl80211_valid_auth_type(rdev, auth_type,
13541 					     NL80211_CMD_CONNECT))
13542 			return -EINVAL;
13543 
13544 		if (auth_type == NL80211_AUTHTYPE_FILS_SK &&
13545 		    fils_sk_offload && !(changed & UPDATE_FILS_ERP_INFO))
13546 			return -EINVAL;
13547 
13548 		connect.auth_type = auth_type;
13549 		changed |= UPDATE_AUTH_TYPE;
13550 	}
13551 
13552 	if (!wdev->connected)
13553 		return -ENOLINK;
13554 
13555 	return rdev_update_connect_params(rdev, dev, &connect, changed);
13556 }
13557 
13558 static int nl80211_disconnect(struct sk_buff *skb, struct genl_info *info)
13559 {
13560 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13561 	struct net_device *dev = info->user_ptr[1];
13562 	u16 reason;
13563 
13564 	if (dev->ieee80211_ptr->conn_owner_nlportid &&
13565 	    dev->ieee80211_ptr->conn_owner_nlportid != info->snd_portid)
13566 		return -EPERM;
13567 
13568 	reason = nla_get_u16_default(info->attrs[NL80211_ATTR_REASON_CODE],
13569 				     WLAN_REASON_DEAUTH_LEAVING);
13570 
13571 	if (reason == 0)
13572 		return -EINVAL;
13573 
13574 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
13575 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
13576 		return -EOPNOTSUPP;
13577 
13578 	return cfg80211_disconnect(rdev, dev, reason, true);
13579 }
13580 
13581 static int nl80211_wiphy_netns(struct sk_buff *skb, struct genl_info *info)
13582 {
13583 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13584 	struct net *net;
13585 	int err;
13586 
13587 	if (info->attrs[NL80211_ATTR_PID]) {
13588 		u32 pid = nla_get_u32(info->attrs[NL80211_ATTR_PID]);
13589 
13590 		net = get_net_ns_by_pid(pid);
13591 	} else if (info->attrs[NL80211_ATTR_NETNS_FD]) {
13592 		u32 fd = nla_get_u32(info->attrs[NL80211_ATTR_NETNS_FD]);
13593 
13594 		net = get_net_ns_by_fd(fd);
13595 	} else {
13596 		return -EINVAL;
13597 	}
13598 
13599 	if (IS_ERR(net))
13600 		return PTR_ERR(net);
13601 
13602 	err = 0;
13603 
13604 	/* check if anything to do */
13605 	if (!net_eq(wiphy_net(&rdev->wiphy), net))
13606 		err = cfg80211_switch_netns(rdev, net);
13607 
13608 	put_net(net);
13609 	return err;
13610 }
13611 
13612 static int nl80211_set_pmksa(struct sk_buff *skb, struct genl_info *info)
13613 {
13614 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13615 	struct net_device *dev = info->user_ptr[1];
13616 	struct cfg80211_pmksa pmksa;
13617 	bool ap_pmksa_caching_support = false;
13618 
13619 	memset(&pmksa, 0, sizeof(struct cfg80211_pmksa));
13620 
13621 	ap_pmksa_caching_support = wiphy_ext_feature_isset(&rdev->wiphy,
13622 		NL80211_EXT_FEATURE_AP_PMKSA_CACHING);
13623 
13624 	if (!info->attrs[NL80211_ATTR_PMKID])
13625 		return -EINVAL;
13626 
13627 	pmksa.pmkid = nla_data(info->attrs[NL80211_ATTR_PMKID]);
13628 
13629 	if (info->attrs[NL80211_ATTR_MAC]) {
13630 		pmksa.bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
13631 	} else if (info->attrs[NL80211_ATTR_SSID] &&
13632 	           info->attrs[NL80211_ATTR_FILS_CACHE_ID] &&
13633 	           info->attrs[NL80211_ATTR_PMK]) {
13634 		pmksa.ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
13635 		pmksa.ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
13636 		pmksa.cache_id = nla_data(info->attrs[NL80211_ATTR_FILS_CACHE_ID]);
13637 	} else {
13638 		return -EINVAL;
13639 	}
13640 
13641 	if (info->attrs[NL80211_ATTR_PMK]) {
13642 		pmksa.pmk = nla_data(info->attrs[NL80211_ATTR_PMK]);
13643 		pmksa.pmk_len = nla_len(info->attrs[NL80211_ATTR_PMK]);
13644 	}
13645 
13646 	if (info->attrs[NL80211_ATTR_PMK_LIFETIME])
13647 		pmksa.pmk_lifetime =
13648 			nla_get_u32(info->attrs[NL80211_ATTR_PMK_LIFETIME]);
13649 
13650 	if (info->attrs[NL80211_ATTR_PMK_REAUTH_THRESHOLD])
13651 		pmksa.pmk_reauth_threshold =
13652 			nla_get_u8(info->attrs[NL80211_ATTR_PMK_REAUTH_THRESHOLD]);
13653 
13654 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
13655 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT &&
13656 	    !((dev->ieee80211_ptr->iftype == NL80211_IFTYPE_AP ||
13657 	       dev->ieee80211_ptr->iftype == NL80211_IFTYPE_P2P_GO) &&
13658 	       ap_pmksa_caching_support))
13659 		return -EOPNOTSUPP;
13660 
13661 	if (!rdev->ops->set_pmksa)
13662 		return -EOPNOTSUPP;
13663 
13664 	return rdev_set_pmksa(rdev, dev, &pmksa);
13665 }
13666 
13667 static int nl80211_del_pmksa(struct sk_buff *skb, struct genl_info *info)
13668 {
13669 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13670 	struct net_device *dev = info->user_ptr[1];
13671 	struct cfg80211_pmksa pmksa;
13672 	bool sae_offload_support = false;
13673 	bool owe_offload_support = false;
13674 	bool ap_pmksa_caching_support = false;
13675 
13676 	memset(&pmksa, 0, sizeof(struct cfg80211_pmksa));
13677 
13678 	sae_offload_support = wiphy_ext_feature_isset(&rdev->wiphy,
13679 		NL80211_EXT_FEATURE_SAE_OFFLOAD);
13680 	owe_offload_support = wiphy_ext_feature_isset(&rdev->wiphy,
13681 		NL80211_EXT_FEATURE_OWE_OFFLOAD);
13682 	ap_pmksa_caching_support = wiphy_ext_feature_isset(&rdev->wiphy,
13683 		NL80211_EXT_FEATURE_AP_PMKSA_CACHING);
13684 
13685 	if (info->attrs[NL80211_ATTR_PMKID])
13686 		pmksa.pmkid = nla_data(info->attrs[NL80211_ATTR_PMKID]);
13687 
13688 	if (info->attrs[NL80211_ATTR_MAC]) {
13689 		pmksa.bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
13690 	} else if (info->attrs[NL80211_ATTR_SSID]) {
13691 		/* SSID based pmksa flush supported only for FILS,
13692 		 * OWE/SAE OFFLOAD cases
13693 		 */
13694 		if (info->attrs[NL80211_ATTR_FILS_CACHE_ID] &&
13695 		    info->attrs[NL80211_ATTR_PMK]) {
13696 			pmksa.cache_id = nla_data(info->attrs[NL80211_ATTR_FILS_CACHE_ID]);
13697 		} else if (!sae_offload_support && !owe_offload_support) {
13698 			return -EINVAL;
13699 		}
13700 		pmksa.ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
13701 		pmksa.ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
13702 	} else {
13703 		return -EINVAL;
13704 	}
13705 
13706 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
13707 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT &&
13708 	    !((dev->ieee80211_ptr->iftype == NL80211_IFTYPE_AP ||
13709 	       dev->ieee80211_ptr->iftype == NL80211_IFTYPE_P2P_GO) &&
13710 	       ap_pmksa_caching_support))
13711 		return -EOPNOTSUPP;
13712 
13713 	if (!rdev->ops->del_pmksa)
13714 		return -EOPNOTSUPP;
13715 
13716 	return rdev_del_pmksa(rdev, dev, &pmksa);
13717 }
13718 
13719 static int nl80211_flush_pmksa(struct sk_buff *skb, struct genl_info *info)
13720 {
13721 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13722 	struct net_device *dev = info->user_ptr[1];
13723 
13724 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
13725 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
13726 		return -EOPNOTSUPP;
13727 
13728 	if (!rdev->ops->flush_pmksa)
13729 		return -EOPNOTSUPP;
13730 
13731 	return rdev_flush_pmksa(rdev, dev);
13732 }
13733 
13734 static int nl80211_tdls_mgmt(struct sk_buff *skb, struct genl_info *info)
13735 {
13736 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13737 	struct net_device *dev = info->user_ptr[1];
13738 	u8 action_code, dialog_token;
13739 	u32 peer_capability = 0;
13740 	u16 status_code;
13741 	u8 *peer;
13742 	int link_id;
13743 	bool initiator;
13744 
13745 	if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) ||
13746 	    !rdev->ops->tdls_mgmt)
13747 		return -EOPNOTSUPP;
13748 
13749 	if (!info->attrs[NL80211_ATTR_TDLS_ACTION] ||
13750 	    !info->attrs[NL80211_ATTR_STATUS_CODE] ||
13751 	    !info->attrs[NL80211_ATTR_TDLS_DIALOG_TOKEN] ||
13752 	    !info->attrs[NL80211_ATTR_IE] ||
13753 	    !info->attrs[NL80211_ATTR_MAC])
13754 		return -EINVAL;
13755 
13756 	peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
13757 	action_code = nla_get_u8(info->attrs[NL80211_ATTR_TDLS_ACTION]);
13758 	status_code = nla_get_u16(info->attrs[NL80211_ATTR_STATUS_CODE]);
13759 	dialog_token = nla_get_u8(info->attrs[NL80211_ATTR_TDLS_DIALOG_TOKEN]);
13760 	initiator = nla_get_flag(info->attrs[NL80211_ATTR_TDLS_INITIATOR]);
13761 	if (info->attrs[NL80211_ATTR_TDLS_PEER_CAPABILITY])
13762 		peer_capability =
13763 			nla_get_u32(info->attrs[NL80211_ATTR_TDLS_PEER_CAPABILITY]);
13764 	link_id = nl80211_link_id_or_invalid(info->attrs);
13765 
13766 	return rdev_tdls_mgmt(rdev, dev, peer, link_id, action_code,
13767 			      dialog_token, status_code, peer_capability,
13768 			      initiator,
13769 			      nla_data(info->attrs[NL80211_ATTR_IE]),
13770 			      nla_len(info->attrs[NL80211_ATTR_IE]));
13771 }
13772 
13773 static int nl80211_tdls_oper(struct sk_buff *skb, struct genl_info *info)
13774 {
13775 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13776 	struct net_device *dev = info->user_ptr[1];
13777 	enum nl80211_tdls_operation operation;
13778 	u8 *peer;
13779 
13780 	if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) ||
13781 	    !rdev->ops->tdls_oper)
13782 		return -EOPNOTSUPP;
13783 
13784 	if (!info->attrs[NL80211_ATTR_TDLS_OPERATION] ||
13785 	    !info->attrs[NL80211_ATTR_MAC])
13786 		return -EINVAL;
13787 
13788 	operation = nla_get_u8(info->attrs[NL80211_ATTR_TDLS_OPERATION]);
13789 	peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
13790 
13791 	return rdev_tdls_oper(rdev, dev, peer, operation);
13792 }
13793 
13794 static int nl80211_remain_on_channel(struct sk_buff *skb,
13795 				     struct genl_info *info)
13796 {
13797 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13798 	unsigned int link_id = nl80211_link_id(info->attrs);
13799 	struct wireless_dev *wdev = info->user_ptr[1];
13800 	struct cfg80211_chan_def chandef;
13801 	struct sk_buff *msg;
13802 	void *hdr;
13803 	u64 cookie;
13804 	u32 duration;
13805 	int err;
13806 
13807 	if (!info->attrs[NL80211_ATTR_WIPHY_FREQ] ||
13808 	    !info->attrs[NL80211_ATTR_DURATION])
13809 		return -EINVAL;
13810 
13811 	duration = nla_get_u32(info->attrs[NL80211_ATTR_DURATION]);
13812 
13813 	if (!rdev->ops->remain_on_channel ||
13814 	    !(rdev->wiphy.flags & WIPHY_FLAG_HAS_REMAIN_ON_CHANNEL))
13815 		return -EOPNOTSUPP;
13816 
13817 	/*
13818 	 * We should be on that channel for at least a minimum amount of
13819 	 * time (10ms) but no longer than the driver supports.
13820 	 */
13821 	if (duration < NL80211_MIN_REMAIN_ON_CHANNEL_TIME ||
13822 	    duration > rdev->wiphy.max_remain_on_channel_duration)
13823 		return -EINVAL;
13824 
13825 	err = nl80211_parse_chandef(rdev, info->extack, info->attrs, &chandef);
13826 	if (err)
13827 		return err;
13828 
13829 	if (!cfg80211_off_channel_oper_allowed(wdev, chandef.chan)) {
13830 		const struct cfg80211_chan_def *oper_chandef, *compat_chandef;
13831 
13832 		oper_chandef = wdev_chandef(wdev, link_id);
13833 
13834 		if (WARN_ON(!oper_chandef)) {
13835 			/* cannot happen since we must beacon to get here */
13836 			WARN_ON(1);
13837 			return -EBUSY;
13838 		}
13839 
13840 		/* note: returns first one if identical chandefs */
13841 		compat_chandef = cfg80211_chandef_compatible(&chandef,
13842 							     oper_chandef);
13843 
13844 		if (compat_chandef != &chandef)
13845 			return -EBUSY;
13846 	}
13847 
13848 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
13849 	if (!msg)
13850 		return -ENOMEM;
13851 
13852 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
13853 			     NL80211_CMD_REMAIN_ON_CHANNEL);
13854 	if (!hdr) {
13855 		err = -ENOBUFS;
13856 		goto free_msg;
13857 	}
13858 
13859 	err = rdev_remain_on_channel(rdev, wdev, chandef.chan,
13860 				     duration, &cookie);
13861 
13862 	if (err)
13863 		goto free_msg;
13864 
13865 	if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
13866 			      NL80211_ATTR_PAD))
13867 		goto nla_put_failure;
13868 
13869 	genlmsg_end(msg, hdr);
13870 
13871 	return genlmsg_reply(msg, info);
13872 
13873  nla_put_failure:
13874 	err = -ENOBUFS;
13875  free_msg:
13876 	nlmsg_free(msg);
13877 	return err;
13878 }
13879 
13880 static int nl80211_cancel_remain_on_channel(struct sk_buff *skb,
13881 					    struct genl_info *info)
13882 {
13883 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13884 	struct wireless_dev *wdev = info->user_ptr[1];
13885 	u64 cookie;
13886 
13887 	if (!info->attrs[NL80211_ATTR_COOKIE])
13888 		return -EINVAL;
13889 
13890 	if (!rdev->ops->cancel_remain_on_channel)
13891 		return -EOPNOTSUPP;
13892 
13893 	cookie = nla_get_u64(info->attrs[NL80211_ATTR_COOKIE]);
13894 
13895 	return rdev_cancel_remain_on_channel(rdev, wdev, cookie);
13896 }
13897 
13898 static int nl80211_set_tx_bitrate_mask(struct sk_buff *skb,
13899 				       struct genl_info *info)
13900 {
13901 	struct cfg80211_bitrate_mask mask;
13902 	unsigned int link_id = nl80211_link_id(info->attrs);
13903 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13904 	struct net_device *dev = info->user_ptr[1];
13905 	int err;
13906 
13907 	if (!rdev->ops->set_bitrate_mask)
13908 		return -EOPNOTSUPP;
13909 
13910 	err = nl80211_parse_tx_bitrate_mask(info, info->attrs,
13911 					    NL80211_ATTR_TX_RATES, &mask,
13912 					    dev, true, link_id);
13913 	if (err)
13914 		return err;
13915 
13916 	return rdev_set_bitrate_mask(rdev, dev, link_id, NULL, &mask);
13917 }
13918 
13919 static int nl80211_register_mgmt(struct sk_buff *skb, struct genl_info *info)
13920 {
13921 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13922 	struct wireless_dev *wdev = info->user_ptr[1];
13923 	u16 frame_type = IEEE80211_FTYPE_MGMT | IEEE80211_STYPE_ACTION;
13924 
13925 	if (!info->attrs[NL80211_ATTR_FRAME_MATCH])
13926 		return -EINVAL;
13927 
13928 	if (info->attrs[NL80211_ATTR_FRAME_TYPE])
13929 		frame_type = nla_get_u16(info->attrs[NL80211_ATTR_FRAME_TYPE]);
13930 
13931 	switch (wdev->iftype) {
13932 	case NL80211_IFTYPE_STATION:
13933 	case NL80211_IFTYPE_ADHOC:
13934 	case NL80211_IFTYPE_P2P_CLIENT:
13935 	case NL80211_IFTYPE_AP:
13936 	case NL80211_IFTYPE_AP_VLAN:
13937 	case NL80211_IFTYPE_MESH_POINT:
13938 	case NL80211_IFTYPE_P2P_GO:
13939 	case NL80211_IFTYPE_P2P_DEVICE:
13940 		break;
13941 	case NL80211_IFTYPE_NAN:
13942 		if (!wiphy_ext_feature_isset(wdev->wiphy,
13943 					     NL80211_EXT_FEATURE_SECURE_NAN) &&
13944 		    !(wdev->wiphy->nan_capa.flags &
13945 		      WIPHY_NAN_FLAGS_USERSPACE_DE))
13946 			return -EOPNOTSUPP;
13947 		break;
13948 	default:
13949 		return -EOPNOTSUPP;
13950 	}
13951 
13952 	/* not much point in registering if we can't reply */
13953 	if (!rdev->ops->mgmt_tx)
13954 		return -EOPNOTSUPP;
13955 
13956 	if (info->attrs[NL80211_ATTR_RECEIVE_MULTICAST] &&
13957 	    !wiphy_ext_feature_isset(&rdev->wiphy,
13958 				     NL80211_EXT_FEATURE_MULTICAST_REGISTRATIONS)) {
13959 		GENL_SET_ERR_MSG(info,
13960 				 "multicast RX registrations are not supported");
13961 		return -EOPNOTSUPP;
13962 	}
13963 
13964 	return cfg80211_mlme_register_mgmt(wdev, info->snd_portid, frame_type,
13965 					   nla_data(info->attrs[NL80211_ATTR_FRAME_MATCH]),
13966 					   nla_len(info->attrs[NL80211_ATTR_FRAME_MATCH]),
13967 					   info->attrs[NL80211_ATTR_RECEIVE_MULTICAST],
13968 					   info->extack);
13969 }
13970 
13971 static int nl80211_tx_mgmt(struct sk_buff *skb, struct genl_info *info)
13972 {
13973 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13974 	struct wireless_dev *wdev = info->user_ptr[1];
13975 	struct cfg80211_chan_def chandef;
13976 	int err;
13977 	void *hdr = NULL;
13978 	u64 cookie;
13979 	struct sk_buff *msg = NULL;
13980 	struct cfg80211_mgmt_tx_params params = {
13981 		.dont_wait_for_ack =
13982 			info->attrs[NL80211_ATTR_DONT_WAIT_FOR_ACK],
13983 	};
13984 
13985 	if (!info->attrs[NL80211_ATTR_FRAME])
13986 		return -EINVAL;
13987 
13988 	if (!rdev->ops->mgmt_tx)
13989 		return -EOPNOTSUPP;
13990 
13991 	switch (wdev->iftype) {
13992 	case NL80211_IFTYPE_P2P_DEVICE:
13993 		if (!info->attrs[NL80211_ATTR_WIPHY_FREQ])
13994 			return -EINVAL;
13995 		break;
13996 	case NL80211_IFTYPE_STATION:
13997 	case NL80211_IFTYPE_ADHOC:
13998 	case NL80211_IFTYPE_P2P_CLIENT:
13999 	case NL80211_IFTYPE_AP:
14000 	case NL80211_IFTYPE_AP_VLAN:
14001 	case NL80211_IFTYPE_MESH_POINT:
14002 	case NL80211_IFTYPE_P2P_GO:
14003 		break;
14004 	case NL80211_IFTYPE_NAN:
14005 		if (!wiphy_ext_feature_isset(wdev->wiphy,
14006 					     NL80211_EXT_FEATURE_SECURE_NAN) &&
14007 		    !(wdev->wiphy->nan_capa.flags &
14008 		      WIPHY_NAN_FLAGS_USERSPACE_DE))
14009 			return -EOPNOTSUPP;
14010 		break;
14011 	default:
14012 		return -EOPNOTSUPP;
14013 	}
14014 
14015 	if (info->attrs[NL80211_ATTR_DURATION]) {
14016 		if (!(rdev->wiphy.flags & WIPHY_FLAG_OFFCHAN_TX))
14017 			return -EINVAL;
14018 		params.wait = nla_get_u32(info->attrs[NL80211_ATTR_DURATION]);
14019 
14020 		/*
14021 		 * We should wait on the channel for at least a minimum amount
14022 		 * of time (10ms) but no longer than the driver supports.
14023 		 */
14024 		if (params.wait < NL80211_MIN_REMAIN_ON_CHANNEL_TIME ||
14025 		    params.wait > rdev->wiphy.max_remain_on_channel_duration)
14026 			return -EINVAL;
14027 	}
14028 
14029 	params.offchan = info->attrs[NL80211_ATTR_OFFCHANNEL_TX_OK];
14030 
14031 	if (params.offchan && !(rdev->wiphy.flags & WIPHY_FLAG_OFFCHAN_TX))
14032 		return -EINVAL;
14033 
14034 	params.no_cck = nla_get_flag(info->attrs[NL80211_ATTR_TX_NO_CCK_RATE]);
14035 
14036 	/* get the channel if any has been specified, otherwise pass NULL to
14037 	 * the driver. The latter will use the current one
14038 	 */
14039 	chandef.chan = NULL;
14040 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
14041 		err = nl80211_parse_chandef(rdev, info->extack, info->attrs,
14042 					    &chandef);
14043 		if (err)
14044 			return err;
14045 	}
14046 
14047 	if (!chandef.chan && params.offchan)
14048 		return -EINVAL;
14049 
14050 	if (params.offchan &&
14051 	    !cfg80211_off_channel_oper_allowed(wdev, chandef.chan))
14052 		return -EBUSY;
14053 
14054 	params.link_id = nl80211_link_id_or_invalid(info->attrs);
14055 	/*
14056 	 * This now races due to the unlock, but we cannot check
14057 	 * the valid links for the _station_ anyway, so that's up
14058 	 * to the driver.
14059 	 */
14060 	if (params.link_id >= 0 &&
14061 	    !(wdev->valid_links & BIT(params.link_id)))
14062 		return -EINVAL;
14063 
14064 	params.buf = nla_data(info->attrs[NL80211_ATTR_FRAME]);
14065 	params.len = nla_len(info->attrs[NL80211_ATTR_FRAME]);
14066 
14067 	err = nl80211_parse_counter_offsets(rdev, NULL, params.len, -1,
14068 					    info->attrs[NL80211_ATTR_CSA_C_OFFSETS_TX],
14069 					    &params.csa_offsets,
14070 					    &params.n_csa_offsets);
14071 	if (err)
14072 		return err;
14073 
14074 	if (!params.dont_wait_for_ack) {
14075 		msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
14076 		if (!msg)
14077 			return -ENOMEM;
14078 
14079 		hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
14080 				     NL80211_CMD_FRAME);
14081 		if (!hdr) {
14082 			err = -ENOBUFS;
14083 			goto free_msg;
14084 		}
14085 	}
14086 
14087 	params.chan = chandef.chan;
14088 	err = cfg80211_mlme_mgmt_tx(rdev, wdev, &params, &cookie);
14089 	if (err)
14090 		goto free_msg;
14091 
14092 	if (msg) {
14093 		if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
14094 				      NL80211_ATTR_PAD))
14095 			goto nla_put_failure;
14096 
14097 		genlmsg_end(msg, hdr);
14098 		return genlmsg_reply(msg, info);
14099 	}
14100 
14101 	return 0;
14102 
14103  nla_put_failure:
14104 	err = -ENOBUFS;
14105  free_msg:
14106 	nlmsg_free(msg);
14107 	return err;
14108 }
14109 
14110 static int nl80211_tx_mgmt_cancel_wait(struct sk_buff *skb, struct genl_info *info)
14111 {
14112 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14113 	struct wireless_dev *wdev = info->user_ptr[1];
14114 	u64 cookie;
14115 
14116 	if (!info->attrs[NL80211_ATTR_COOKIE])
14117 		return -EINVAL;
14118 
14119 	if (!rdev->ops->mgmt_tx_cancel_wait)
14120 		return -EOPNOTSUPP;
14121 
14122 	switch (wdev->iftype) {
14123 	case NL80211_IFTYPE_STATION:
14124 	case NL80211_IFTYPE_ADHOC:
14125 	case NL80211_IFTYPE_P2P_CLIENT:
14126 	case NL80211_IFTYPE_AP:
14127 	case NL80211_IFTYPE_AP_VLAN:
14128 	case NL80211_IFTYPE_P2P_GO:
14129 	case NL80211_IFTYPE_P2P_DEVICE:
14130 		break;
14131 	case NL80211_IFTYPE_NAN:
14132 		if (!wiphy_ext_feature_isset(wdev->wiphy,
14133 					     NL80211_EXT_FEATURE_SECURE_NAN))
14134 			return -EOPNOTSUPP;
14135 		break;
14136 	default:
14137 		return -EOPNOTSUPP;
14138 	}
14139 
14140 	cookie = nla_get_u64(info->attrs[NL80211_ATTR_COOKIE]);
14141 
14142 	return rdev_mgmt_tx_cancel_wait(rdev, wdev, cookie);
14143 }
14144 
14145 static int nl80211_set_power_save(struct sk_buff *skb, struct genl_info *info)
14146 {
14147 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14148 	struct wireless_dev *wdev;
14149 	struct net_device *dev = info->user_ptr[1];
14150 	u8 ps_state;
14151 	bool state;
14152 	int err;
14153 
14154 	if (!info->attrs[NL80211_ATTR_PS_STATE])
14155 		return -EINVAL;
14156 
14157 	ps_state = nla_get_u32(info->attrs[NL80211_ATTR_PS_STATE]);
14158 
14159 	wdev = dev->ieee80211_ptr;
14160 
14161 	if (!rdev->ops->set_power_mgmt)
14162 		return -EOPNOTSUPP;
14163 
14164 	state = (ps_state == NL80211_PS_ENABLED) ? true : false;
14165 
14166 	if (state == wdev->ps)
14167 		return 0;
14168 
14169 	err = rdev_set_power_mgmt(rdev, dev, state, wdev->ps_timeout);
14170 	if (!err)
14171 		wdev->ps = state;
14172 	return err;
14173 }
14174 
14175 static int nl80211_get_power_save(struct sk_buff *skb, struct genl_info *info)
14176 {
14177 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14178 	enum nl80211_ps_state ps_state;
14179 	struct wireless_dev *wdev;
14180 	struct net_device *dev = info->user_ptr[1];
14181 	struct sk_buff *msg;
14182 	void *hdr;
14183 	int err;
14184 
14185 	wdev = dev->ieee80211_ptr;
14186 
14187 	if (!rdev->ops->set_power_mgmt)
14188 		return -EOPNOTSUPP;
14189 
14190 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
14191 	if (!msg)
14192 		return -ENOMEM;
14193 
14194 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
14195 			     NL80211_CMD_GET_POWER_SAVE);
14196 	if (!hdr) {
14197 		err = -ENOBUFS;
14198 		goto free_msg;
14199 	}
14200 
14201 	if (wdev->ps)
14202 		ps_state = NL80211_PS_ENABLED;
14203 	else
14204 		ps_state = NL80211_PS_DISABLED;
14205 
14206 	if (nla_put_u32(msg, NL80211_ATTR_PS_STATE, ps_state))
14207 		goto nla_put_failure;
14208 
14209 	genlmsg_end(msg, hdr);
14210 	return genlmsg_reply(msg, info);
14211 
14212  nla_put_failure:
14213 	err = -ENOBUFS;
14214  free_msg:
14215 	nlmsg_free(msg);
14216 	return err;
14217 }
14218 
14219 static const struct nla_policy
14220 nl80211_attr_cqm_policy[NL80211_ATTR_CQM_MAX + 1] = {
14221 	[NL80211_ATTR_CQM_RSSI_THOLD] = { .type = NLA_BINARY },
14222 	[NL80211_ATTR_CQM_RSSI_HYST] = { .type = NLA_U32 },
14223 	[NL80211_ATTR_CQM_RSSI_THRESHOLD_EVENT] = { .type = NLA_U32 },
14224 	[NL80211_ATTR_CQM_TXE_RATE] = { .type = NLA_U32 },
14225 	[NL80211_ATTR_CQM_TXE_PKTS] = { .type = NLA_U32 },
14226 	[NL80211_ATTR_CQM_TXE_INTVL] = { .type = NLA_U32 },
14227 	[NL80211_ATTR_CQM_RSSI_LEVEL] = { .type = NLA_S32 },
14228 };
14229 
14230 static int nl80211_set_cqm_txe(struct genl_info *info,
14231 			       u32 rate, u32 pkts, u32 intvl)
14232 {
14233 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14234 	struct net_device *dev = info->user_ptr[1];
14235 	struct wireless_dev *wdev = dev->ieee80211_ptr;
14236 
14237 	if (rate > 100 || intvl > NL80211_CQM_TXE_MAX_INTVL)
14238 		return -EINVAL;
14239 
14240 	if (!rdev->ops->set_cqm_txe_config)
14241 		return -EOPNOTSUPP;
14242 
14243 	if (wdev->iftype != NL80211_IFTYPE_STATION &&
14244 	    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT)
14245 		return -EOPNOTSUPP;
14246 
14247 	return rdev_set_cqm_txe_config(rdev, dev, rate, pkts, intvl);
14248 }
14249 
14250 static int cfg80211_cqm_rssi_update(struct cfg80211_registered_device *rdev,
14251 				    struct net_device *dev,
14252 				    struct cfg80211_cqm_config *cqm_config)
14253 {
14254 	struct wireless_dev *wdev = dev->ieee80211_ptr;
14255 	s32 last, low, high;
14256 	u32 hyst;
14257 	int i, n, low_index;
14258 	int err;
14259 
14260 	/*
14261 	 * Obtain current RSSI value if possible, if not and no RSSI threshold
14262 	 * event has been received yet, we should receive an event after a
14263 	 * connection is established and enough beacons received to calculate
14264 	 * the average.
14265 	 */
14266 	if (!cqm_config->last_rssi_event_value &&
14267 	    wdev->links[0].client.current_bss &&
14268 	    rdev->ops->get_station) {
14269 		struct station_info sinfo = {};
14270 		u8 *mac_addr;
14271 
14272 		mac_addr = wdev->links[0].client.current_bss->pub.bssid;
14273 
14274 		err = rdev_get_station(rdev, wdev, mac_addr, &sinfo);
14275 		if (err)
14276 			return err;
14277 
14278 		cfg80211_sinfo_release_content(&sinfo);
14279 		if (sinfo.filled & BIT_ULL(NL80211_STA_INFO_BEACON_SIGNAL_AVG))
14280 			cqm_config->last_rssi_event_value =
14281 				(s8) sinfo.rx_beacon_signal_avg;
14282 	}
14283 
14284 	last = cqm_config->last_rssi_event_value;
14285 	hyst = cqm_config->rssi_hyst;
14286 	n = cqm_config->n_rssi_thresholds;
14287 
14288 	for (i = 0; i < n; i++) {
14289 		i = array_index_nospec(i, n);
14290 		if (last < cqm_config->rssi_thresholds[i])
14291 			break;
14292 	}
14293 
14294 	low_index = i - 1;
14295 	if (low_index >= 0) {
14296 		low_index = array_index_nospec(low_index, n);
14297 		low = cqm_config->rssi_thresholds[low_index] - hyst;
14298 	} else {
14299 		low = S32_MIN;
14300 	}
14301 	if (i < n) {
14302 		i = array_index_nospec(i, n);
14303 		high = cqm_config->rssi_thresholds[i] + hyst - 1;
14304 	} else {
14305 		high = S32_MAX;
14306 	}
14307 
14308 	return rdev_set_cqm_rssi_range_config(rdev, dev, low, high);
14309 }
14310 
14311 static int nl80211_set_cqm_rssi(struct genl_info *info,
14312 				const s32 *thresholds, int n_thresholds,
14313 				u32 hysteresis)
14314 {
14315 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14316 	struct cfg80211_cqm_config *cqm_config = NULL, *old;
14317 	struct net_device *dev = info->user_ptr[1];
14318 	struct wireless_dev *wdev = dev->ieee80211_ptr;
14319 	s32 prev = S32_MIN;
14320 	int i, err;
14321 
14322 	/* Check all values negative and sorted */
14323 	for (i = 0; i < n_thresholds; i++) {
14324 		if (thresholds[i] > 0 || thresholds[i] <= prev)
14325 			return -EINVAL;
14326 
14327 		prev = thresholds[i];
14328 	}
14329 
14330 	if (wdev->iftype != NL80211_IFTYPE_STATION &&
14331 	    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT)
14332 		return -EOPNOTSUPP;
14333 
14334 	if (n_thresholds == 1 && thresholds[0] == 0) /* Disabling */
14335 		n_thresholds = 0;
14336 
14337 	old = wiphy_dereference(wdev->wiphy, wdev->cqm_config);
14338 
14339 	/* if already disabled just succeed */
14340 	if (!n_thresholds && !old)
14341 		return 0;
14342 
14343 	if (n_thresholds > 1) {
14344 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
14345 					     NL80211_EXT_FEATURE_CQM_RSSI_LIST) ||
14346 		    !rdev->ops->set_cqm_rssi_range_config)
14347 			return -EOPNOTSUPP;
14348 	} else {
14349 		if (!rdev->ops->set_cqm_rssi_config)
14350 			return -EOPNOTSUPP;
14351 	}
14352 
14353 	if (n_thresholds) {
14354 		cqm_config = kzalloc_flex(*cqm_config, rssi_thresholds,
14355 					  n_thresholds);
14356 		if (!cqm_config)
14357 			return -ENOMEM;
14358 
14359 		cqm_config->rssi_hyst = hysteresis;
14360 		cqm_config->n_rssi_thresholds = n_thresholds;
14361 		memcpy(cqm_config->rssi_thresholds, thresholds,
14362 		       flex_array_size(cqm_config, rssi_thresholds,
14363 				       n_thresholds));
14364 		cqm_config->use_range_api = n_thresholds > 1 ||
14365 					    !rdev->ops->set_cqm_rssi_config;
14366 
14367 		rcu_assign_pointer(wdev->cqm_config, cqm_config);
14368 
14369 		if (cqm_config->use_range_api)
14370 			err = cfg80211_cqm_rssi_update(rdev, dev, cqm_config);
14371 		else
14372 			err = rdev_set_cqm_rssi_config(rdev, dev,
14373 						       thresholds[0],
14374 						       hysteresis);
14375 	} else {
14376 		RCU_INIT_POINTER(wdev->cqm_config, NULL);
14377 		/* if enabled as range also disable via range */
14378 		if (old->use_range_api)
14379 			err = rdev_set_cqm_rssi_range_config(rdev, dev, 0, 0);
14380 		else
14381 			err = rdev_set_cqm_rssi_config(rdev, dev, 0, 0);
14382 	}
14383 
14384 	if (err) {
14385 		rcu_assign_pointer(wdev->cqm_config, old);
14386 		kfree_rcu(cqm_config, rcu_head);
14387 	} else {
14388 		kfree_rcu(old, rcu_head);
14389 	}
14390 
14391 	return err;
14392 }
14393 
14394 static int nl80211_set_cqm(struct sk_buff *skb, struct genl_info *info)
14395 {
14396 	struct nlattr *attrs[NL80211_ATTR_CQM_MAX + 1];
14397 	struct nlattr *cqm;
14398 	int err;
14399 
14400 	cqm = info->attrs[NL80211_ATTR_CQM];
14401 	if (!cqm)
14402 		return -EINVAL;
14403 
14404 	err = nla_parse_nested_deprecated(attrs, NL80211_ATTR_CQM_MAX, cqm,
14405 					  nl80211_attr_cqm_policy,
14406 					  info->extack);
14407 	if (err)
14408 		return err;
14409 
14410 	if (attrs[NL80211_ATTR_CQM_RSSI_THOLD] &&
14411 	    attrs[NL80211_ATTR_CQM_RSSI_HYST]) {
14412 		const s32 *thresholds =
14413 			nla_data(attrs[NL80211_ATTR_CQM_RSSI_THOLD]);
14414 		int len = nla_len(attrs[NL80211_ATTR_CQM_RSSI_THOLD]);
14415 		u32 hysteresis = nla_get_u32(attrs[NL80211_ATTR_CQM_RSSI_HYST]);
14416 
14417 		if (len % 4)
14418 			return -EINVAL;
14419 
14420 		return nl80211_set_cqm_rssi(info, thresholds, len / 4,
14421 					    hysteresis);
14422 	}
14423 
14424 	if (attrs[NL80211_ATTR_CQM_TXE_RATE] &&
14425 	    attrs[NL80211_ATTR_CQM_TXE_PKTS] &&
14426 	    attrs[NL80211_ATTR_CQM_TXE_INTVL]) {
14427 		u32 rate = nla_get_u32(attrs[NL80211_ATTR_CQM_TXE_RATE]);
14428 		u32 pkts = nla_get_u32(attrs[NL80211_ATTR_CQM_TXE_PKTS]);
14429 		u32 intvl = nla_get_u32(attrs[NL80211_ATTR_CQM_TXE_INTVL]);
14430 
14431 		return nl80211_set_cqm_txe(info, rate, pkts, intvl);
14432 	}
14433 
14434 	return -EINVAL;
14435 }
14436 
14437 static int nl80211_join_ocb(struct sk_buff *skb, struct genl_info *info)
14438 {
14439 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14440 	struct net_device *dev = info->user_ptr[1];
14441 	struct ocb_setup setup = {};
14442 	int err;
14443 
14444 	err = nl80211_parse_chandef(rdev, info->extack, info->attrs,
14445 				    &setup.chandef);
14446 	if (err)
14447 		return err;
14448 
14449 	return cfg80211_join_ocb(rdev, dev, &setup);
14450 }
14451 
14452 static int nl80211_leave_ocb(struct sk_buff *skb, struct genl_info *info)
14453 {
14454 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14455 	struct net_device *dev = info->user_ptr[1];
14456 
14457 	return cfg80211_leave_ocb(rdev, dev);
14458 }
14459 
14460 static int nl80211_join_mesh(struct sk_buff *skb, struct genl_info *info)
14461 {
14462 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14463 	struct net_device *dev = info->user_ptr[1];
14464 	struct mesh_config cfg;
14465 	struct mesh_setup setup;
14466 	int err;
14467 
14468 	/* start with default */
14469 	memcpy(&cfg, &default_mesh_config, sizeof(cfg));
14470 	memcpy(&setup, &default_mesh_setup, sizeof(setup));
14471 
14472 	if (info->attrs[NL80211_ATTR_MESH_CONFIG]) {
14473 		/* and parse parameters if given */
14474 		err = nl80211_parse_mesh_config(info, &cfg, NULL);
14475 		if (err)
14476 			return err;
14477 	}
14478 
14479 	if (!info->attrs[NL80211_ATTR_MESH_ID] ||
14480 	    !nla_len(info->attrs[NL80211_ATTR_MESH_ID]))
14481 		return -EINVAL;
14482 
14483 	setup.mesh_id = nla_data(info->attrs[NL80211_ATTR_MESH_ID]);
14484 	setup.mesh_id_len = nla_len(info->attrs[NL80211_ATTR_MESH_ID]);
14485 
14486 	if (info->attrs[NL80211_ATTR_MCAST_RATE] &&
14487 	    !nl80211_parse_mcast_rate(rdev, setup.mcast_rate,
14488 			    nla_get_u32(info->attrs[NL80211_ATTR_MCAST_RATE])))
14489 			return -EINVAL;
14490 
14491 	if (info->attrs[NL80211_ATTR_BEACON_INTERVAL]) {
14492 		setup.beacon_interval =
14493 			nla_get_u32(info->attrs[NL80211_ATTR_BEACON_INTERVAL]);
14494 
14495 		err = cfg80211_validate_beacon_int(rdev,
14496 						   NL80211_IFTYPE_MESH_POINT,
14497 						   setup.beacon_interval);
14498 		if (err)
14499 			return err;
14500 	}
14501 
14502 	if (info->attrs[NL80211_ATTR_DTIM_PERIOD]) {
14503 		setup.dtim_period =
14504 			nla_get_u32(info->attrs[NL80211_ATTR_DTIM_PERIOD]);
14505 		if (setup.dtim_period < 1 || setup.dtim_period > 100)
14506 			return -EINVAL;
14507 	}
14508 
14509 	if (info->attrs[NL80211_ATTR_MESH_SETUP]) {
14510 		/* parse additional setup parameters if given */
14511 		err = nl80211_parse_mesh_setup(info, &setup);
14512 		if (err)
14513 			return err;
14514 	}
14515 
14516 	if (setup.user_mpm)
14517 		cfg.auto_open_plinks = false;
14518 
14519 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
14520 		err = nl80211_parse_chandef(rdev, info->extack, info->attrs,
14521 					    &setup.chandef);
14522 		if (err)
14523 			return err;
14524 	} else {
14525 		/* __cfg80211_join_mesh() will sort it out */
14526 		setup.chandef.chan = NULL;
14527 	}
14528 
14529 	if (info->attrs[NL80211_ATTR_BSS_BASIC_RATES]) {
14530 		u8 *rates = nla_data(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
14531 		int n_rates =
14532 			nla_len(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
14533 		struct ieee80211_supported_band *sband;
14534 
14535 		if (!setup.chandef.chan)
14536 			return -EINVAL;
14537 
14538 		sband = rdev->wiphy.bands[setup.chandef.chan->band];
14539 
14540 		err = ieee80211_get_ratemask(sband, rates, n_rates,
14541 					     &setup.basic_rates);
14542 		if (err)
14543 			return err;
14544 	}
14545 
14546 	if (info->attrs[NL80211_ATTR_TX_RATES]) {
14547 		err = nl80211_parse_tx_bitrate_mask(info, info->attrs,
14548 						    NL80211_ATTR_TX_RATES,
14549 						    &setup.beacon_rate,
14550 						    dev, false, 0);
14551 		if (err)
14552 			return err;
14553 
14554 		if (!setup.chandef.chan)
14555 			return -EINVAL;
14556 
14557 		err = validate_beacon_tx_rate(rdev, setup.chandef.chan->band,
14558 					      &setup.beacon_rate);
14559 		if (err)
14560 			return err;
14561 	}
14562 
14563 	setup.userspace_handles_dfs =
14564 		nla_get_flag(info->attrs[NL80211_ATTR_HANDLE_DFS]);
14565 
14566 	if (info->attrs[NL80211_ATTR_CONTROL_PORT_OVER_NL80211]) {
14567 		int r = validate_pae_over_nl80211(rdev, info);
14568 
14569 		if (r < 0)
14570 			return r;
14571 
14572 		setup.control_port_over_nl80211 = true;
14573 	}
14574 
14575 	err = __cfg80211_join_mesh(rdev, dev, &setup, &cfg);
14576 	if (!err && info->attrs[NL80211_ATTR_SOCKET_OWNER])
14577 		dev->ieee80211_ptr->conn_owner_nlportid = info->snd_portid;
14578 
14579 	return err;
14580 }
14581 
14582 static int nl80211_leave_mesh(struct sk_buff *skb, struct genl_info *info)
14583 {
14584 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14585 	struct net_device *dev = info->user_ptr[1];
14586 
14587 	return cfg80211_leave_mesh(rdev, dev);
14588 }
14589 
14590 #ifdef CONFIG_PM
14591 static int nl80211_send_wowlan_patterns(struct sk_buff *msg,
14592 					struct cfg80211_registered_device *rdev)
14593 {
14594 	struct cfg80211_wowlan *wowlan = rdev->wiphy.wowlan_config;
14595 	struct nlattr *nl_pats, *nl_pat;
14596 	int i, pat_len;
14597 
14598 	if (!wowlan->n_patterns)
14599 		return 0;
14600 
14601 	nl_pats = nla_nest_start_noflag(msg, NL80211_WOWLAN_TRIG_PKT_PATTERN);
14602 	if (!nl_pats)
14603 		return -ENOBUFS;
14604 
14605 	for (i = 0; i < wowlan->n_patterns; i++) {
14606 		nl_pat = nla_nest_start_noflag(msg, i + 1);
14607 		if (!nl_pat)
14608 			return -ENOBUFS;
14609 		pat_len = wowlan->patterns[i].pattern_len;
14610 		if (nla_put(msg, NL80211_PKTPAT_MASK, DIV_ROUND_UP(pat_len, 8),
14611 			    wowlan->patterns[i].mask) ||
14612 		    nla_put(msg, NL80211_PKTPAT_PATTERN, pat_len,
14613 			    wowlan->patterns[i].pattern) ||
14614 		    nla_put_u32(msg, NL80211_PKTPAT_OFFSET,
14615 				wowlan->patterns[i].pkt_offset))
14616 			return -ENOBUFS;
14617 		nla_nest_end(msg, nl_pat);
14618 	}
14619 	nla_nest_end(msg, nl_pats);
14620 
14621 	return 0;
14622 }
14623 
14624 static int nl80211_send_wowlan_tcp(struct sk_buff *msg,
14625 				   struct cfg80211_wowlan_tcp *tcp)
14626 {
14627 	struct nlattr *nl_tcp;
14628 
14629 	if (!tcp)
14630 		return 0;
14631 
14632 	nl_tcp = nla_nest_start_noflag(msg,
14633 				       NL80211_WOWLAN_TRIG_TCP_CONNECTION);
14634 	if (!nl_tcp)
14635 		return -ENOBUFS;
14636 
14637 	if (nla_put_in_addr(msg, NL80211_WOWLAN_TCP_SRC_IPV4, tcp->src) ||
14638 	    nla_put_in_addr(msg, NL80211_WOWLAN_TCP_DST_IPV4, tcp->dst) ||
14639 	    nla_put(msg, NL80211_WOWLAN_TCP_DST_MAC, ETH_ALEN, tcp->dst_mac) ||
14640 	    nla_put_u16(msg, NL80211_WOWLAN_TCP_SRC_PORT, tcp->src_port) ||
14641 	    nla_put_u16(msg, NL80211_WOWLAN_TCP_DST_PORT, tcp->dst_port) ||
14642 	    nla_put(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD,
14643 		    tcp->payload_len, tcp->payload) ||
14644 	    nla_put_u32(msg, NL80211_WOWLAN_TCP_DATA_INTERVAL,
14645 			tcp->data_interval) ||
14646 	    nla_put(msg, NL80211_WOWLAN_TCP_WAKE_PAYLOAD,
14647 		    tcp->wake_len, tcp->wake_data) ||
14648 	    nla_put(msg, NL80211_WOWLAN_TCP_WAKE_MASK,
14649 		    DIV_ROUND_UP(tcp->wake_len, 8), tcp->wake_mask))
14650 		return -ENOBUFS;
14651 
14652 	if (tcp->payload_seq.len &&
14653 	    nla_put(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ,
14654 		    sizeof(tcp->payload_seq), &tcp->payload_seq))
14655 		return -ENOBUFS;
14656 
14657 	if (tcp->payload_tok.len &&
14658 	    nla_put(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN,
14659 		    sizeof(tcp->payload_tok) + tcp->tokens_size,
14660 		    &tcp->payload_tok))
14661 		return -ENOBUFS;
14662 
14663 	nla_nest_end(msg, nl_tcp);
14664 
14665 	return 0;
14666 }
14667 
14668 static int nl80211_send_wowlan_nd(struct sk_buff *msg,
14669 				  struct cfg80211_sched_scan_request *req)
14670 {
14671 	struct nlattr *nd, *freqs, *matches, *match, *scan_plans, *scan_plan;
14672 	int i;
14673 
14674 	if (!req)
14675 		return 0;
14676 
14677 	nd = nla_nest_start_noflag(msg, NL80211_WOWLAN_TRIG_NET_DETECT);
14678 	if (!nd)
14679 		return -ENOBUFS;
14680 
14681 	if (req->n_scan_plans == 1 &&
14682 	    nla_put_u32(msg, NL80211_ATTR_SCHED_SCAN_INTERVAL,
14683 			req->scan_plans[0].interval * 1000))
14684 		return -ENOBUFS;
14685 
14686 	if (nla_put_u32(msg, NL80211_ATTR_SCHED_SCAN_DELAY, req->delay))
14687 		return -ENOBUFS;
14688 
14689 	if (req->relative_rssi_set) {
14690 		struct nl80211_bss_select_rssi_adjust rssi_adjust;
14691 
14692 		if (nla_put_s8(msg, NL80211_ATTR_SCHED_SCAN_RELATIVE_RSSI,
14693 			       req->relative_rssi))
14694 			return -ENOBUFS;
14695 
14696 		rssi_adjust.band = req->rssi_adjust.band;
14697 		rssi_adjust.delta = req->rssi_adjust.delta;
14698 		if (nla_put(msg, NL80211_ATTR_SCHED_SCAN_RSSI_ADJUST,
14699 			    sizeof(rssi_adjust), &rssi_adjust))
14700 			return -ENOBUFS;
14701 	}
14702 
14703 	freqs = nla_nest_start_noflag(msg, NL80211_ATTR_SCAN_FREQUENCIES);
14704 	if (!freqs)
14705 		return -ENOBUFS;
14706 
14707 	for (i = 0; i < req->n_channels; i++) {
14708 		if (nla_put_u32(msg, i, req->channels[i]->center_freq))
14709 			return -ENOBUFS;
14710 	}
14711 
14712 	nla_nest_end(msg, freqs);
14713 
14714 	if (req->n_match_sets) {
14715 		matches = nla_nest_start_noflag(msg,
14716 						NL80211_ATTR_SCHED_SCAN_MATCH);
14717 		if (!matches)
14718 			return -ENOBUFS;
14719 
14720 		for (i = 0; i < req->n_match_sets; i++) {
14721 			match = nla_nest_start_noflag(msg, i);
14722 			if (!match)
14723 				return -ENOBUFS;
14724 
14725 			if (nla_put(msg, NL80211_SCHED_SCAN_MATCH_ATTR_SSID,
14726 				    req->match_sets[i].ssid.ssid_len,
14727 				    req->match_sets[i].ssid.ssid))
14728 				return -ENOBUFS;
14729 			nla_nest_end(msg, match);
14730 		}
14731 		nla_nest_end(msg, matches);
14732 	}
14733 
14734 	scan_plans = nla_nest_start_noflag(msg, NL80211_ATTR_SCHED_SCAN_PLANS);
14735 	if (!scan_plans)
14736 		return -ENOBUFS;
14737 
14738 	for (i = 0; i < req->n_scan_plans; i++) {
14739 		scan_plan = nla_nest_start_noflag(msg, i + 1);
14740 		if (!scan_plan)
14741 			return -ENOBUFS;
14742 
14743 		if (nla_put_u32(msg, NL80211_SCHED_SCAN_PLAN_INTERVAL,
14744 				req->scan_plans[i].interval) ||
14745 		    (req->scan_plans[i].iterations &&
14746 		     nla_put_u32(msg, NL80211_SCHED_SCAN_PLAN_ITERATIONS,
14747 				 req->scan_plans[i].iterations)))
14748 			return -ENOBUFS;
14749 		nla_nest_end(msg, scan_plan);
14750 	}
14751 	nla_nest_end(msg, scan_plans);
14752 
14753 	nla_nest_end(msg, nd);
14754 
14755 	return 0;
14756 }
14757 
14758 static int nl80211_get_wowlan(struct sk_buff *skb, struct genl_info *info)
14759 {
14760 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14761 	struct sk_buff *msg;
14762 	void *hdr;
14763 	u32 size = NLMSG_DEFAULT_SIZE;
14764 
14765 	if (!rdev->wiphy.wowlan)
14766 		return -EOPNOTSUPP;
14767 
14768 	if (rdev->wiphy.wowlan_config && rdev->wiphy.wowlan_config->tcp) {
14769 		/* adjust size to have room for all the data */
14770 		size += rdev->wiphy.wowlan_config->tcp->tokens_size +
14771 			rdev->wiphy.wowlan_config->tcp->payload_len +
14772 			rdev->wiphy.wowlan_config->tcp->wake_len +
14773 			rdev->wiphy.wowlan_config->tcp->wake_len / 8;
14774 	}
14775 
14776 	msg = nlmsg_new(size, GFP_KERNEL);
14777 	if (!msg)
14778 		return -ENOMEM;
14779 
14780 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
14781 			     NL80211_CMD_GET_WOWLAN);
14782 	if (!hdr)
14783 		goto nla_put_failure;
14784 
14785 	if (rdev->wiphy.wowlan_config) {
14786 		struct nlattr *nl_wowlan;
14787 
14788 		nl_wowlan = nla_nest_start_noflag(msg,
14789 						  NL80211_ATTR_WOWLAN_TRIGGERS);
14790 		if (!nl_wowlan)
14791 			goto nla_put_failure;
14792 
14793 		if ((rdev->wiphy.wowlan_config->any &&
14794 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_ANY)) ||
14795 		    (rdev->wiphy.wowlan_config->disconnect &&
14796 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_DISCONNECT)) ||
14797 		    (rdev->wiphy.wowlan_config->magic_pkt &&
14798 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_MAGIC_PKT)) ||
14799 		    (rdev->wiphy.wowlan_config->gtk_rekey_failure &&
14800 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE)) ||
14801 		    (rdev->wiphy.wowlan_config->eap_identity_req &&
14802 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST)) ||
14803 		    (rdev->wiphy.wowlan_config->four_way_handshake &&
14804 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE)) ||
14805 		    (rdev->wiphy.wowlan_config->rfkill_release &&
14806 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_RFKILL_RELEASE)))
14807 			goto nla_put_failure;
14808 
14809 		if (nl80211_send_wowlan_patterns(msg, rdev))
14810 			goto nla_put_failure;
14811 
14812 		if (nl80211_send_wowlan_tcp(msg,
14813 					    rdev->wiphy.wowlan_config->tcp))
14814 			goto nla_put_failure;
14815 
14816 		if (nl80211_send_wowlan_nd(
14817 			    msg,
14818 			    rdev->wiphy.wowlan_config->nd_config))
14819 			goto nla_put_failure;
14820 
14821 		nla_nest_end(msg, nl_wowlan);
14822 	}
14823 
14824 	genlmsg_end(msg, hdr);
14825 	return genlmsg_reply(msg, info);
14826 
14827 nla_put_failure:
14828 	nlmsg_free(msg);
14829 	return -ENOBUFS;
14830 }
14831 
14832 static int nl80211_parse_wowlan_tcp(struct cfg80211_registered_device *rdev,
14833 				    struct nlattr *attr,
14834 				    struct cfg80211_wowlan *trig)
14835 {
14836 	struct nlattr *tb[NUM_NL80211_WOWLAN_TCP];
14837 	struct cfg80211_wowlan_tcp *cfg;
14838 	struct nl80211_wowlan_tcp_data_token *tok = NULL;
14839 	struct nl80211_wowlan_tcp_data_seq *seq = NULL;
14840 	u32 size;
14841 	u32 data_size, wake_size, tokens_size = 0, wake_mask_size;
14842 	int err, port;
14843 
14844 	if (!rdev->wiphy.wowlan->tcp)
14845 		return -EINVAL;
14846 
14847 	err = nla_parse_nested_deprecated(tb, MAX_NL80211_WOWLAN_TCP, attr,
14848 					  nl80211_wowlan_tcp_policy, NULL);
14849 	if (err)
14850 		return err;
14851 
14852 	if (!tb[NL80211_WOWLAN_TCP_SRC_IPV4] ||
14853 	    !tb[NL80211_WOWLAN_TCP_DST_IPV4] ||
14854 	    !tb[NL80211_WOWLAN_TCP_DST_MAC] ||
14855 	    !tb[NL80211_WOWLAN_TCP_DST_PORT] ||
14856 	    !tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD] ||
14857 	    !tb[NL80211_WOWLAN_TCP_DATA_INTERVAL] ||
14858 	    !tb[NL80211_WOWLAN_TCP_WAKE_PAYLOAD] ||
14859 	    !tb[NL80211_WOWLAN_TCP_WAKE_MASK])
14860 		return -EINVAL;
14861 
14862 	data_size = nla_len(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD]);
14863 	if (data_size > rdev->wiphy.wowlan->tcp->data_payload_max)
14864 		return -EINVAL;
14865 
14866 	if (nla_get_u32(tb[NL80211_WOWLAN_TCP_DATA_INTERVAL]) >
14867 			rdev->wiphy.wowlan->tcp->data_interval_max ||
14868 	    nla_get_u32(tb[NL80211_WOWLAN_TCP_DATA_INTERVAL]) == 0)
14869 		return -EINVAL;
14870 
14871 	wake_size = nla_len(tb[NL80211_WOWLAN_TCP_WAKE_PAYLOAD]);
14872 	if (wake_size > rdev->wiphy.wowlan->tcp->wake_payload_max)
14873 		return -EINVAL;
14874 
14875 	wake_mask_size = nla_len(tb[NL80211_WOWLAN_TCP_WAKE_MASK]);
14876 	if (wake_mask_size != DIV_ROUND_UP(wake_size, 8))
14877 		return -EINVAL;
14878 
14879 	if (tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN]) {
14880 		u32 tokln = nla_len(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN]);
14881 
14882 		tok = nla_data(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN]);
14883 		tokens_size = tokln - sizeof(*tok);
14884 
14885 		if (!tok->len || tokens_size % tok->len)
14886 			return -EINVAL;
14887 		if (!rdev->wiphy.wowlan->tcp->tok)
14888 			return -EINVAL;
14889 		if (tok->len > rdev->wiphy.wowlan->tcp->tok->max_len)
14890 			return -EINVAL;
14891 		if (tok->len < rdev->wiphy.wowlan->tcp->tok->min_len)
14892 			return -EINVAL;
14893 		if (tokens_size > rdev->wiphy.wowlan->tcp->tok->bufsize)
14894 			return -EINVAL;
14895 		if (tok->offset + tok->len > data_size)
14896 			return -EINVAL;
14897 	}
14898 
14899 	if (tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ]) {
14900 		seq = nla_data(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ]);
14901 		if (!rdev->wiphy.wowlan->tcp->seq)
14902 			return -EINVAL;
14903 		if (seq->len == 0 || seq->len > 4)
14904 			return -EINVAL;
14905 		if (seq->len + seq->offset > data_size)
14906 			return -EINVAL;
14907 	}
14908 
14909 	size = sizeof(*cfg);
14910 	size += data_size;
14911 	size += wake_size + wake_mask_size;
14912 	size += tokens_size;
14913 
14914 	cfg = kzalloc(size, GFP_KERNEL);
14915 	if (!cfg)
14916 		return -ENOMEM;
14917 	cfg->src = nla_get_in_addr(tb[NL80211_WOWLAN_TCP_SRC_IPV4]);
14918 	cfg->dst = nla_get_in_addr(tb[NL80211_WOWLAN_TCP_DST_IPV4]);
14919 	memcpy(cfg->dst_mac, nla_data(tb[NL80211_WOWLAN_TCP_DST_MAC]),
14920 	       ETH_ALEN);
14921 	port = nla_get_u16_default(tb[NL80211_WOWLAN_TCP_SRC_PORT], 0);
14922 #ifdef CONFIG_INET
14923 	/* allocate a socket and port for it and use it */
14924 	err = __sock_create(wiphy_net(&rdev->wiphy), PF_INET, SOCK_STREAM,
14925 			    IPPROTO_TCP, &cfg->sock, 1);
14926 	if (err) {
14927 		kfree(cfg);
14928 		return err;
14929 	}
14930 	if (inet_csk_get_port(cfg->sock->sk, port)) {
14931 		sock_release(cfg->sock);
14932 		kfree(cfg);
14933 		return -EADDRINUSE;
14934 	}
14935 	cfg->src_port = inet_sk(cfg->sock->sk)->inet_num;
14936 #else
14937 	if (!port) {
14938 		kfree(cfg);
14939 		return -EINVAL;
14940 	}
14941 	cfg->src_port = port;
14942 #endif
14943 
14944 	cfg->dst_port = nla_get_u16(tb[NL80211_WOWLAN_TCP_DST_PORT]);
14945 	cfg->payload_len = data_size;
14946 	cfg->payload = (u8 *)cfg + sizeof(*cfg) + tokens_size;
14947 	memcpy((void *)cfg->payload,
14948 	       nla_data(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD]),
14949 	       data_size);
14950 	if (seq)
14951 		cfg->payload_seq = *seq;
14952 	cfg->data_interval = nla_get_u32(tb[NL80211_WOWLAN_TCP_DATA_INTERVAL]);
14953 	cfg->wake_len = wake_size;
14954 	cfg->wake_data = (u8 *)cfg + sizeof(*cfg) + tokens_size + data_size;
14955 	memcpy((void *)cfg->wake_data,
14956 	       nla_data(tb[NL80211_WOWLAN_TCP_WAKE_PAYLOAD]),
14957 	       wake_size);
14958 	cfg->wake_mask = (u8 *)cfg + sizeof(*cfg) + tokens_size +
14959 			 data_size + wake_size;
14960 	memcpy((void *)cfg->wake_mask,
14961 	       nla_data(tb[NL80211_WOWLAN_TCP_WAKE_MASK]),
14962 	       wake_mask_size);
14963 	if (tok) {
14964 		cfg->tokens_size = tokens_size;
14965 		cfg->payload_tok = *tok;
14966 		memcpy(cfg->payload_tok.token_stream, tok->token_stream,
14967 		       tokens_size);
14968 	}
14969 
14970 	trig->tcp = cfg;
14971 
14972 	return 0;
14973 }
14974 
14975 static int nl80211_parse_wowlan_nd(struct cfg80211_registered_device *rdev,
14976 				   const struct wiphy_wowlan_support *wowlan,
14977 				   struct nlattr *attr,
14978 				   struct cfg80211_wowlan *trig)
14979 {
14980 	struct nlattr **tb;
14981 	int err;
14982 
14983 	tb = kzalloc_objs(*tb, NUM_NL80211_ATTR);
14984 	if (!tb)
14985 		return -ENOMEM;
14986 
14987 	if (!(wowlan->flags & WIPHY_WOWLAN_NET_DETECT)) {
14988 		err = -EOPNOTSUPP;
14989 		goto out;
14990 	}
14991 
14992 	err = nla_parse_nested_deprecated(tb, NL80211_ATTR_MAX, attr,
14993 					  nl80211_policy, NULL);
14994 	if (err)
14995 		goto out;
14996 
14997 	trig->nd_config = nl80211_parse_sched_scan(&rdev->wiphy, NULL, tb,
14998 						   wowlan->max_nd_match_sets);
14999 	err = PTR_ERR_OR_ZERO(trig->nd_config);
15000 	if (err)
15001 		trig->nd_config = NULL;
15002 
15003 out:
15004 	kfree(tb);
15005 	return err;
15006 }
15007 
15008 static int nl80211_set_wowlan(struct sk_buff *skb, struct genl_info *info)
15009 {
15010 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15011 	struct nlattr *tb[NUM_NL80211_WOWLAN_TRIG];
15012 	struct cfg80211_wowlan new_triggers = {};
15013 	struct cfg80211_wowlan *ntrig;
15014 	const struct wiphy_wowlan_support *wowlan = rdev->wiphy.wowlan;
15015 	int err, i;
15016 	bool prev_enabled = rdev->wiphy.wowlan_config;
15017 	bool regular = false;
15018 
15019 	if (!wowlan)
15020 		return -EOPNOTSUPP;
15021 
15022 	if (!info->attrs[NL80211_ATTR_WOWLAN_TRIGGERS]) {
15023 		cfg80211_rdev_free_wowlan(rdev);
15024 		rdev->wiphy.wowlan_config = NULL;
15025 		goto set_wakeup;
15026 	}
15027 
15028 	err = nla_parse_nested_deprecated(tb, MAX_NL80211_WOWLAN_TRIG,
15029 					  info->attrs[NL80211_ATTR_WOWLAN_TRIGGERS],
15030 					  nl80211_wowlan_policy, info->extack);
15031 	if (err)
15032 		return err;
15033 
15034 	if (tb[NL80211_WOWLAN_TRIG_ANY]) {
15035 		if (!(wowlan->flags & WIPHY_WOWLAN_ANY))
15036 			return -EINVAL;
15037 		new_triggers.any = true;
15038 	}
15039 
15040 	if (tb[NL80211_WOWLAN_TRIG_DISCONNECT]) {
15041 		if (!(wowlan->flags & WIPHY_WOWLAN_DISCONNECT))
15042 			return -EINVAL;
15043 		new_triggers.disconnect = true;
15044 		regular = true;
15045 	}
15046 
15047 	if (tb[NL80211_WOWLAN_TRIG_MAGIC_PKT]) {
15048 		if (!(wowlan->flags & WIPHY_WOWLAN_MAGIC_PKT))
15049 			return -EINVAL;
15050 		new_triggers.magic_pkt = true;
15051 		regular = true;
15052 	}
15053 
15054 	if (tb[NL80211_WOWLAN_TRIG_GTK_REKEY_SUPPORTED])
15055 		return -EINVAL;
15056 
15057 	if (tb[NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE]) {
15058 		if (!(wowlan->flags & WIPHY_WOWLAN_GTK_REKEY_FAILURE))
15059 			return -EINVAL;
15060 		new_triggers.gtk_rekey_failure = true;
15061 		regular = true;
15062 	}
15063 
15064 	if (tb[NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST]) {
15065 		if (!(wowlan->flags & WIPHY_WOWLAN_EAP_IDENTITY_REQ))
15066 			return -EINVAL;
15067 		new_triggers.eap_identity_req = true;
15068 		regular = true;
15069 	}
15070 
15071 	if (tb[NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE]) {
15072 		if (!(wowlan->flags & WIPHY_WOWLAN_4WAY_HANDSHAKE))
15073 			return -EINVAL;
15074 		new_triggers.four_way_handshake = true;
15075 		regular = true;
15076 	}
15077 
15078 	if (tb[NL80211_WOWLAN_TRIG_RFKILL_RELEASE]) {
15079 		if (!(wowlan->flags & WIPHY_WOWLAN_RFKILL_RELEASE))
15080 			return -EINVAL;
15081 		new_triggers.rfkill_release = true;
15082 		regular = true;
15083 	}
15084 
15085 	if (tb[NL80211_WOWLAN_TRIG_PKT_PATTERN]) {
15086 		struct nlattr *pat;
15087 		int n_patterns = 0;
15088 		int rem, pat_len, mask_len, pkt_offset;
15089 		struct nlattr *pat_tb[NUM_NL80211_PKTPAT];
15090 
15091 		regular = true;
15092 
15093 		nla_for_each_nested(pat, tb[NL80211_WOWLAN_TRIG_PKT_PATTERN],
15094 				    rem)
15095 			n_patterns++;
15096 		if (n_patterns > wowlan->n_patterns)
15097 			return -EINVAL;
15098 
15099 		new_triggers.patterns = kzalloc_objs(new_triggers.patterns[0],
15100 						     n_patterns);
15101 		if (!new_triggers.patterns)
15102 			return -ENOMEM;
15103 
15104 		new_triggers.n_patterns = n_patterns;
15105 		i = 0;
15106 
15107 		nla_for_each_nested(pat, tb[NL80211_WOWLAN_TRIG_PKT_PATTERN],
15108 				    rem) {
15109 			u8 *mask_pat;
15110 
15111 			err = nla_parse_nested_deprecated(pat_tb,
15112 							  MAX_NL80211_PKTPAT,
15113 							  pat,
15114 							  nl80211_packet_pattern_policy,
15115 							  info->extack);
15116 			if (err)
15117 				goto error;
15118 
15119 			err = -EINVAL;
15120 			if (!pat_tb[NL80211_PKTPAT_MASK] ||
15121 			    !pat_tb[NL80211_PKTPAT_PATTERN])
15122 				goto error;
15123 			pat_len = nla_len(pat_tb[NL80211_PKTPAT_PATTERN]);
15124 			mask_len = DIV_ROUND_UP(pat_len, 8);
15125 			if (nla_len(pat_tb[NL80211_PKTPAT_MASK]) != mask_len)
15126 				goto error;
15127 			if (pat_len > wowlan->pattern_max_len ||
15128 			    pat_len < wowlan->pattern_min_len)
15129 				goto error;
15130 
15131 			pkt_offset =
15132 				nla_get_u32_default(pat_tb[NL80211_PKTPAT_OFFSET],
15133 						    0);
15134 			if (pkt_offset > wowlan->max_pkt_offset)
15135 				goto error;
15136 			new_triggers.patterns[i].pkt_offset = pkt_offset;
15137 
15138 			mask_pat = kmalloc(mask_len + pat_len, GFP_KERNEL);
15139 			if (!mask_pat) {
15140 				err = -ENOMEM;
15141 				goto error;
15142 			}
15143 			new_triggers.patterns[i].mask = mask_pat;
15144 			memcpy(mask_pat, nla_data(pat_tb[NL80211_PKTPAT_MASK]),
15145 			       mask_len);
15146 			mask_pat += mask_len;
15147 			new_triggers.patterns[i].pattern = mask_pat;
15148 			new_triggers.patterns[i].pattern_len = pat_len;
15149 			memcpy(mask_pat,
15150 			       nla_data(pat_tb[NL80211_PKTPAT_PATTERN]),
15151 			       pat_len);
15152 			i++;
15153 		}
15154 	}
15155 
15156 	if (tb[NL80211_WOWLAN_TRIG_TCP_CONNECTION]) {
15157 		regular = true;
15158 		err = nl80211_parse_wowlan_tcp(
15159 			rdev, tb[NL80211_WOWLAN_TRIG_TCP_CONNECTION],
15160 			&new_triggers);
15161 		if (err)
15162 			goto error;
15163 	}
15164 
15165 	if (tb[NL80211_WOWLAN_TRIG_NET_DETECT]) {
15166 		regular = true;
15167 		err = nl80211_parse_wowlan_nd(
15168 			rdev, wowlan, tb[NL80211_WOWLAN_TRIG_NET_DETECT],
15169 			&new_triggers);
15170 		if (err)
15171 			goto error;
15172 	}
15173 
15174 	/* The 'any' trigger means the device continues operating more or less
15175 	 * as in its normal operation mode and wakes up the host on most of the
15176 	 * normal interrupts (like packet RX, ...)
15177 	 * It therefore makes little sense to combine with the more constrained
15178 	 * wakeup trigger modes.
15179 	 */
15180 	if (new_triggers.any && regular) {
15181 		err = -EINVAL;
15182 		goto error;
15183 	}
15184 
15185 	ntrig = kmemdup(&new_triggers, sizeof(new_triggers), GFP_KERNEL);
15186 	if (!ntrig) {
15187 		err = -ENOMEM;
15188 		goto error;
15189 	}
15190 	cfg80211_rdev_free_wowlan(rdev);
15191 	rdev->wiphy.wowlan_config = ntrig;
15192 
15193  set_wakeup:
15194 	if (rdev->ops->set_wakeup &&
15195 	    prev_enabled != !!rdev->wiphy.wowlan_config)
15196 		rdev_set_wakeup(rdev, rdev->wiphy.wowlan_config);
15197 
15198 	return 0;
15199  error:
15200 	for (i = 0; i < new_triggers.n_patterns; i++)
15201 		kfree(new_triggers.patterns[i].mask);
15202 	kfree(new_triggers.patterns);
15203 	if (new_triggers.tcp && new_triggers.tcp->sock)
15204 		sock_release(new_triggers.tcp->sock);
15205 	kfree(new_triggers.tcp);
15206 	kfree(new_triggers.nd_config);
15207 	return err;
15208 }
15209 #endif
15210 
15211 static int nl80211_send_coalesce_rules(struct sk_buff *msg,
15212 				       struct cfg80211_registered_device *rdev)
15213 {
15214 	struct nlattr *nl_pats, *nl_pat, *nl_rule, *nl_rules;
15215 	int i, j, pat_len;
15216 	struct cfg80211_coalesce_rules *rule;
15217 
15218 	if (!rdev->coalesce->n_rules)
15219 		return 0;
15220 
15221 	nl_rules = nla_nest_start_noflag(msg, NL80211_ATTR_COALESCE_RULE);
15222 	if (!nl_rules)
15223 		return -ENOBUFS;
15224 
15225 	for (i = 0; i < rdev->coalesce->n_rules; i++) {
15226 		nl_rule = nla_nest_start_noflag(msg, i + 1);
15227 		if (!nl_rule)
15228 			return -ENOBUFS;
15229 
15230 		rule = &rdev->coalesce->rules[i];
15231 		if (nla_put_u32(msg, NL80211_ATTR_COALESCE_RULE_DELAY,
15232 				rule->delay))
15233 			return -ENOBUFS;
15234 
15235 		if (nla_put_u32(msg, NL80211_ATTR_COALESCE_RULE_CONDITION,
15236 				rule->condition))
15237 			return -ENOBUFS;
15238 
15239 		nl_pats = nla_nest_start_noflag(msg,
15240 						NL80211_ATTR_COALESCE_RULE_PKT_PATTERN);
15241 		if (!nl_pats)
15242 			return -ENOBUFS;
15243 
15244 		for (j = 0; j < rule->n_patterns; j++) {
15245 			nl_pat = nla_nest_start_noflag(msg, j + 1);
15246 			if (!nl_pat)
15247 				return -ENOBUFS;
15248 			pat_len = rule->patterns[j].pattern_len;
15249 			if (nla_put(msg, NL80211_PKTPAT_MASK,
15250 				    DIV_ROUND_UP(pat_len, 8),
15251 				    rule->patterns[j].mask) ||
15252 			    nla_put(msg, NL80211_PKTPAT_PATTERN, pat_len,
15253 				    rule->patterns[j].pattern) ||
15254 			    nla_put_u32(msg, NL80211_PKTPAT_OFFSET,
15255 					rule->patterns[j].pkt_offset))
15256 				return -ENOBUFS;
15257 			nla_nest_end(msg, nl_pat);
15258 		}
15259 		nla_nest_end(msg, nl_pats);
15260 		nla_nest_end(msg, nl_rule);
15261 	}
15262 	nla_nest_end(msg, nl_rules);
15263 
15264 	return 0;
15265 }
15266 
15267 static int nl80211_get_coalesce(struct sk_buff *skb, struct genl_info *info)
15268 {
15269 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15270 	struct sk_buff *msg;
15271 	void *hdr;
15272 
15273 	if (!rdev->wiphy.coalesce)
15274 		return -EOPNOTSUPP;
15275 
15276 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
15277 	if (!msg)
15278 		return -ENOMEM;
15279 
15280 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
15281 			     NL80211_CMD_GET_COALESCE);
15282 	if (!hdr)
15283 		goto nla_put_failure;
15284 
15285 	if (rdev->coalesce && nl80211_send_coalesce_rules(msg, rdev))
15286 		goto nla_put_failure;
15287 
15288 	genlmsg_end(msg, hdr);
15289 	return genlmsg_reply(msg, info);
15290 
15291 nla_put_failure:
15292 	nlmsg_free(msg);
15293 	return -ENOBUFS;
15294 }
15295 
15296 void cfg80211_free_coalesce(struct cfg80211_coalesce *coalesce)
15297 {
15298 	int i, j;
15299 	struct cfg80211_coalesce_rules *rule;
15300 
15301 	if (!coalesce)
15302 		return;
15303 
15304 	for (i = 0; i < coalesce->n_rules; i++) {
15305 		rule = &coalesce->rules[i];
15306 		for (j = 0; j < rule->n_patterns; j++)
15307 			kfree(rule->patterns[j].mask);
15308 		kfree(rule->patterns);
15309 	}
15310 	kfree(coalesce);
15311 }
15312 
15313 static int nl80211_parse_coalesce_rule(struct cfg80211_registered_device *rdev,
15314 				       struct nlattr *rule,
15315 				       struct cfg80211_coalesce_rules *new_rule)
15316 {
15317 	int err, i;
15318 	const struct wiphy_coalesce_support *coalesce = rdev->wiphy.coalesce;
15319 	struct nlattr *tb[NUM_NL80211_ATTR_COALESCE_RULE], *pat;
15320 	int rem, pat_len, mask_len, pkt_offset, n_patterns = 0;
15321 	struct nlattr *pat_tb[NUM_NL80211_PKTPAT];
15322 
15323 	err = nla_parse_nested_deprecated(tb, NL80211_ATTR_COALESCE_RULE_MAX,
15324 					  rule, nl80211_coalesce_policy, NULL);
15325 	if (err)
15326 		return err;
15327 
15328 	if (tb[NL80211_ATTR_COALESCE_RULE_DELAY])
15329 		new_rule->delay =
15330 			nla_get_u32(tb[NL80211_ATTR_COALESCE_RULE_DELAY]);
15331 	if (new_rule->delay > coalesce->max_delay)
15332 		return -EINVAL;
15333 
15334 	if (tb[NL80211_ATTR_COALESCE_RULE_CONDITION])
15335 		new_rule->condition =
15336 			nla_get_u32(tb[NL80211_ATTR_COALESCE_RULE_CONDITION]);
15337 
15338 	if (!tb[NL80211_ATTR_COALESCE_RULE_PKT_PATTERN])
15339 		return -EINVAL;
15340 
15341 	nla_for_each_nested(pat, tb[NL80211_ATTR_COALESCE_RULE_PKT_PATTERN],
15342 			    rem)
15343 		n_patterns++;
15344 	if (n_patterns > coalesce->n_patterns)
15345 		return -EINVAL;
15346 
15347 	new_rule->patterns = kzalloc_objs(new_rule->patterns[0], n_patterns);
15348 	if (!new_rule->patterns)
15349 		return -ENOMEM;
15350 
15351 	new_rule->n_patterns = n_patterns;
15352 	i = 0;
15353 
15354 	nla_for_each_nested(pat, tb[NL80211_ATTR_COALESCE_RULE_PKT_PATTERN],
15355 			    rem) {
15356 		u8 *mask_pat;
15357 
15358 		err = nla_parse_nested_deprecated(pat_tb, MAX_NL80211_PKTPAT,
15359 						  pat,
15360 						  nl80211_packet_pattern_policy,
15361 						  NULL);
15362 		if (err)
15363 			return err;
15364 
15365 		if (!pat_tb[NL80211_PKTPAT_MASK] ||
15366 		    !pat_tb[NL80211_PKTPAT_PATTERN])
15367 			return -EINVAL;
15368 		pat_len = nla_len(pat_tb[NL80211_PKTPAT_PATTERN]);
15369 		mask_len = DIV_ROUND_UP(pat_len, 8);
15370 		if (nla_len(pat_tb[NL80211_PKTPAT_MASK]) != mask_len)
15371 			return -EINVAL;
15372 		if (pat_len > coalesce->pattern_max_len ||
15373 		    pat_len < coalesce->pattern_min_len)
15374 			return -EINVAL;
15375 
15376 		pkt_offset = nla_get_u32_default(pat_tb[NL80211_PKTPAT_OFFSET],
15377 						 0);
15378 		if (pkt_offset > coalesce->max_pkt_offset)
15379 			return -EINVAL;
15380 		new_rule->patterns[i].pkt_offset = pkt_offset;
15381 
15382 		mask_pat = kmalloc(mask_len + pat_len, GFP_KERNEL);
15383 		if (!mask_pat)
15384 			return -ENOMEM;
15385 
15386 		new_rule->patterns[i].mask = mask_pat;
15387 		memcpy(mask_pat, nla_data(pat_tb[NL80211_PKTPAT_MASK]),
15388 		       mask_len);
15389 
15390 		mask_pat += mask_len;
15391 		new_rule->patterns[i].pattern = mask_pat;
15392 		new_rule->patterns[i].pattern_len = pat_len;
15393 		memcpy(mask_pat, nla_data(pat_tb[NL80211_PKTPAT_PATTERN]),
15394 		       pat_len);
15395 		i++;
15396 	}
15397 
15398 	return 0;
15399 }
15400 
15401 static int nl80211_set_coalesce(struct sk_buff *skb, struct genl_info *info)
15402 {
15403 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15404 	const struct wiphy_coalesce_support *coalesce = rdev->wiphy.coalesce;
15405 	struct cfg80211_coalesce *new_coalesce;
15406 	int err, rem_rule, n_rules = 0, i;
15407 	struct nlattr *rule;
15408 
15409 	if (!rdev->wiphy.coalesce || !rdev->ops->set_coalesce)
15410 		return -EOPNOTSUPP;
15411 
15412 	if (!info->attrs[NL80211_ATTR_COALESCE_RULE]) {
15413 		cfg80211_free_coalesce(rdev->coalesce);
15414 		rdev->coalesce = NULL;
15415 		rdev_set_coalesce(rdev, NULL);
15416 		return 0;
15417 	}
15418 
15419 	nla_for_each_nested(rule, info->attrs[NL80211_ATTR_COALESCE_RULE],
15420 			    rem_rule)
15421 		n_rules++;
15422 	if (n_rules > coalesce->n_rules)
15423 		return -EINVAL;
15424 
15425 	new_coalesce = kzalloc_flex(*new_coalesce, rules, n_rules);
15426 	if (!new_coalesce)
15427 		return -ENOMEM;
15428 
15429 	new_coalesce->n_rules = n_rules;
15430 	i = 0;
15431 
15432 	nla_for_each_nested(rule, info->attrs[NL80211_ATTR_COALESCE_RULE],
15433 			    rem_rule) {
15434 		err = nl80211_parse_coalesce_rule(rdev, rule,
15435 						  &new_coalesce->rules[i]);
15436 		if (err)
15437 			goto error;
15438 
15439 		i++;
15440 	}
15441 
15442 	err = rdev_set_coalesce(rdev, new_coalesce);
15443 	if (err)
15444 		goto error;
15445 
15446 	cfg80211_free_coalesce(rdev->coalesce);
15447 	rdev->coalesce = new_coalesce;
15448 
15449 	return 0;
15450 error:
15451 	cfg80211_free_coalesce(new_coalesce);
15452 
15453 	return err;
15454 }
15455 
15456 static int nl80211_set_rekey_data(struct sk_buff *skb, struct genl_info *info)
15457 {
15458 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15459 	struct net_device *dev = info->user_ptr[1];
15460 	struct wireless_dev *wdev = dev->ieee80211_ptr;
15461 	struct nlattr *tb[NUM_NL80211_REKEY_DATA];
15462 	struct cfg80211_gtk_rekey_data rekey_data = {};
15463 	int err;
15464 
15465 	if (!info->attrs[NL80211_ATTR_REKEY_DATA])
15466 		return -EINVAL;
15467 
15468 	err = nla_parse_nested_deprecated(tb, MAX_NL80211_REKEY_DATA,
15469 					  info->attrs[NL80211_ATTR_REKEY_DATA],
15470 					  nl80211_rekey_policy, info->extack);
15471 	if (err)
15472 		return err;
15473 
15474 	if (!tb[NL80211_REKEY_DATA_REPLAY_CTR] || !tb[NL80211_REKEY_DATA_KEK] ||
15475 	    !tb[NL80211_REKEY_DATA_KCK])
15476 		return -EINVAL;
15477 	if (nla_len(tb[NL80211_REKEY_DATA_KEK]) != NL80211_KEK_LEN &&
15478 	    !(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_EXT_KEK_KCK &&
15479 	      nla_len(tb[NL80211_REKEY_DATA_KEK]) == NL80211_KEK_EXT_LEN))
15480 		return -ERANGE;
15481 	if (nla_len(tb[NL80211_REKEY_DATA_KCK]) != NL80211_KCK_LEN &&
15482 	    !(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_EXT_KEK_KCK &&
15483 	      nla_len(tb[NL80211_REKEY_DATA_KCK]) == NL80211_KCK_EXT_LEN) &&
15484 	     !(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_EXT_KCK_32 &&
15485 	       nla_len(tb[NL80211_REKEY_DATA_KCK]) == NL80211_KCK_EXT_LEN_32))
15486 		return -ERANGE;
15487 
15488 	rekey_data.kek = nla_data(tb[NL80211_REKEY_DATA_KEK]);
15489 	rekey_data.kck = nla_data(tb[NL80211_REKEY_DATA_KCK]);
15490 	rekey_data.replay_ctr = nla_data(tb[NL80211_REKEY_DATA_REPLAY_CTR]);
15491 	rekey_data.kek_len = nla_len(tb[NL80211_REKEY_DATA_KEK]);
15492 	rekey_data.kck_len = nla_len(tb[NL80211_REKEY_DATA_KCK]);
15493 	if (tb[NL80211_REKEY_DATA_AKM])
15494 		rekey_data.akm = nla_get_u32(tb[NL80211_REKEY_DATA_AKM]);
15495 
15496 	if (!wdev->connected)
15497 		return -ENOTCONN;
15498 
15499 	if (!rdev->ops->set_rekey_data)
15500 		return -EOPNOTSUPP;
15501 
15502 	return rdev_set_rekey_data(rdev, dev, &rekey_data);
15503 }
15504 
15505 static int nl80211_register_unexpected_frame(struct sk_buff *skb,
15506 					     struct genl_info *info)
15507 {
15508 	struct net_device *dev = info->user_ptr[1];
15509 	struct wireless_dev *wdev = dev->ieee80211_ptr;
15510 
15511 	if (wdev->iftype != NL80211_IFTYPE_AP &&
15512 	    wdev->iftype != NL80211_IFTYPE_P2P_GO)
15513 		return -EINVAL;
15514 
15515 	if (wdev->ap_unexpected_nlportid)
15516 		return -EBUSY;
15517 
15518 	wdev->ap_unexpected_nlportid = info->snd_portid;
15519 	return 0;
15520 }
15521 
15522 static int nl80211_probe_client(struct sk_buff *skb,
15523 				struct genl_info *info)
15524 {
15525 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15526 	struct net_device *dev = info->user_ptr[1];
15527 	struct wireless_dev *wdev = dev->ieee80211_ptr;
15528 	struct sk_buff *msg;
15529 	void *hdr;
15530 	const u8 *addr;
15531 	u64 cookie;
15532 	int err;
15533 
15534 	if (wdev->iftype != NL80211_IFTYPE_AP &&
15535 	    wdev->iftype != NL80211_IFTYPE_P2P_GO)
15536 		return -EOPNOTSUPP;
15537 
15538 	if (!info->attrs[NL80211_ATTR_MAC])
15539 		return -EINVAL;
15540 
15541 	if (!rdev->ops->probe_client)
15542 		return -EOPNOTSUPP;
15543 
15544 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
15545 	if (!msg)
15546 		return -ENOMEM;
15547 
15548 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
15549 			     NL80211_CMD_PROBE_CLIENT);
15550 	if (!hdr) {
15551 		err = -ENOBUFS;
15552 		goto free_msg;
15553 	}
15554 
15555 	addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
15556 
15557 	err = rdev_probe_client(rdev, dev, addr, &cookie);
15558 	if (err)
15559 		goto free_msg;
15560 
15561 	if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
15562 			      NL80211_ATTR_PAD))
15563 		goto nla_put_failure;
15564 
15565 	genlmsg_end(msg, hdr);
15566 
15567 	return genlmsg_reply(msg, info);
15568 
15569  nla_put_failure:
15570 	err = -ENOBUFS;
15571  free_msg:
15572 	nlmsg_free(msg);
15573 	return err;
15574 }
15575 
15576 static int nl80211_register_beacons(struct sk_buff *skb, struct genl_info *info)
15577 {
15578 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15579 	struct cfg80211_beacon_registration *reg, *nreg;
15580 	int rv;
15581 
15582 	if (!(rdev->wiphy.flags & WIPHY_FLAG_REPORTS_OBSS))
15583 		return -EOPNOTSUPP;
15584 
15585 	nreg = kzalloc_obj(*nreg);
15586 	if (!nreg)
15587 		return -ENOMEM;
15588 
15589 	/* First, check if already registered. */
15590 	spin_lock_bh(&rdev->beacon_registrations_lock);
15591 	list_for_each_entry(reg, &rdev->beacon_registrations, list) {
15592 		if (reg->nlportid == info->snd_portid) {
15593 			rv = -EALREADY;
15594 			goto out_err;
15595 		}
15596 	}
15597 	/* Add it to the list */
15598 	nreg->nlportid = info->snd_portid;
15599 	list_add(&nreg->list, &rdev->beacon_registrations);
15600 
15601 	spin_unlock_bh(&rdev->beacon_registrations_lock);
15602 
15603 	return 0;
15604 out_err:
15605 	spin_unlock_bh(&rdev->beacon_registrations_lock);
15606 	kfree(nreg);
15607 	return rv;
15608 }
15609 
15610 static int nl80211_start_p2p_device(struct sk_buff *skb, struct genl_info *info)
15611 {
15612 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15613 	struct wireless_dev *wdev = info->user_ptr[1];
15614 	int err;
15615 
15616 	if (!rdev->ops->start_p2p_device)
15617 		return -EOPNOTSUPP;
15618 
15619 	if (wdev->iftype != NL80211_IFTYPE_P2P_DEVICE)
15620 		return -EOPNOTSUPP;
15621 
15622 	if (wdev_running(wdev))
15623 		return 0;
15624 
15625 	if (rfkill_blocked(rdev->wiphy.rfkill))
15626 		return -ERFKILL;
15627 
15628 	err = rdev_start_p2p_device(rdev, wdev);
15629 	if (err)
15630 		return err;
15631 
15632 	wdev->is_running = true;
15633 	rdev->opencount++;
15634 
15635 	return 0;
15636 }
15637 
15638 static int nl80211_stop_p2p_device(struct sk_buff *skb, struct genl_info *info)
15639 {
15640 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15641 	struct wireless_dev *wdev = info->user_ptr[1];
15642 
15643 	if (wdev->iftype != NL80211_IFTYPE_P2P_DEVICE)
15644 		return -EOPNOTSUPP;
15645 
15646 	if (!rdev->ops->stop_p2p_device)
15647 		return -EOPNOTSUPP;
15648 
15649 	cfg80211_stop_p2p_device(rdev, wdev);
15650 
15651 	return 0;
15652 }
15653 
15654 static struct ieee80211_channel *nl80211_get_nan_channel(struct wiphy *wiphy,
15655 							 int freq)
15656 {
15657 	struct ieee80211_channel *chan;
15658 	struct cfg80211_chan_def def;
15659 
15660 	/* Check if the frequency is valid for NAN */
15661 	if (freq != 5220 && freq != 5745 && freq != 2437)
15662 		return NULL;
15663 
15664 	chan = ieee80211_get_channel(wiphy, freq);
15665 	if (!chan)
15666 		return NULL;
15667 
15668 	cfg80211_chandef_create(&def, chan, NL80211_CHAN_NO_HT);
15669 
15670 	/* Check if the channel is allowed */
15671 	if (cfg80211_reg_can_beacon(wiphy, &def, NL80211_IFTYPE_NAN))
15672 		return chan;
15673 
15674 	return NULL;
15675 }
15676 
15677 static int nl80211_parse_nan_band_config(struct wiphy *wiphy,
15678 					 struct nlattr **tb,
15679 					 struct cfg80211_nan_band_config *cfg,
15680 					 enum nl80211_band band)
15681 {
15682 	if (BIT(band) & ~(u32)wiphy->nan_supported_bands)
15683 		return -EINVAL;
15684 
15685 	if (tb[NL80211_NAN_BAND_CONF_FREQ]) {
15686 		u16 freq = nla_get_u16(tb[NL80211_NAN_BAND_CONF_FREQ]);
15687 
15688 		if (band != NL80211_BAND_5GHZ)
15689 			return -EINVAL;
15690 
15691 		cfg->chan = nl80211_get_nan_channel(wiphy, freq);
15692 		if (!cfg->chan)
15693 			return -EINVAL;
15694 	}
15695 
15696 	if (tb[NL80211_NAN_BAND_CONF_RSSI_CLOSE]) {
15697 		cfg->rssi_close =
15698 			nla_get_s8(tb[NL80211_NAN_BAND_CONF_RSSI_CLOSE]);
15699 		if (!tb[NL80211_NAN_BAND_CONF_RSSI_MIDDLE])
15700 			return -EINVAL;
15701 	}
15702 
15703 	if (tb[NL80211_NAN_BAND_CONF_RSSI_MIDDLE]) {
15704 		cfg->rssi_middle =
15705 			nla_get_s8(tb[NL80211_NAN_BAND_CONF_RSSI_MIDDLE]);
15706 		if (!cfg->rssi_close || cfg->rssi_middle >= cfg->rssi_close)
15707 			return -EINVAL;
15708 	}
15709 
15710 	if (tb[NL80211_NAN_BAND_CONF_WAKE_DW]) {
15711 		cfg->awake_dw_interval =
15712 			nla_get_u8(tb[NL80211_NAN_BAND_CONF_WAKE_DW]);
15713 
15714 		if (band == NL80211_BAND_2GHZ && cfg->awake_dw_interval == 0)
15715 			return -EINVAL;
15716 	}
15717 
15718 	cfg->disable_scan =
15719 		nla_get_flag(tb[NL80211_NAN_BAND_CONF_DISABLE_SCAN]);
15720 	return 0;
15721 }
15722 
15723 static int nl80211_parse_nan_conf(struct wiphy *wiphy,
15724 				  struct genl_info *info,
15725 				  struct cfg80211_nan_conf *conf,
15726 				  u32 *changed_flags,
15727 				  bool start)
15728 {
15729 	struct nlattr *attrs[NL80211_NAN_CONF_ATTR_MAX + 1];
15730 	int err, rem;
15731 	u32 changed = 0;
15732 	struct nlattr *band_config;
15733 
15734 	if (info->attrs[NL80211_ATTR_NAN_MASTER_PREF]) {
15735 		conf->master_pref =
15736 			nla_get_u8(info->attrs[NL80211_ATTR_NAN_MASTER_PREF]);
15737 
15738 		changed |= CFG80211_NAN_CONF_CHANGED_PREF;
15739 	}
15740 
15741 	if (info->attrs[NL80211_ATTR_BANDS]) {
15742 		u32 bands = nla_get_u32(info->attrs[NL80211_ATTR_BANDS]);
15743 
15744 		if (bands & ~(u32)wiphy->nan_supported_bands)
15745 			return -EOPNOTSUPP;
15746 
15747 		if (bands && !(bands & BIT(NL80211_BAND_2GHZ)))
15748 			return -EINVAL;
15749 
15750 		conf->bands = bands;
15751 		changed |= CFG80211_NAN_CONF_CHANGED_BANDS;
15752 	}
15753 
15754 	conf->band_cfgs[NL80211_BAND_2GHZ].awake_dw_interval = 1;
15755 	if (conf->bands & BIT(NL80211_BAND_5GHZ) || !conf->bands)
15756 		conf->band_cfgs[NL80211_BAND_5GHZ].awake_dw_interval = 1;
15757 
15758 	/* On 2.4 GHz band use channel 6 */
15759 	conf->band_cfgs[NL80211_BAND_2GHZ].chan =
15760 		nl80211_get_nan_channel(wiphy, 2437);
15761 	if (!conf->band_cfgs[NL80211_BAND_2GHZ].chan)
15762 		return -EINVAL;
15763 
15764 	if (!info->attrs[NL80211_ATTR_NAN_CONFIG])
15765 		goto out;
15766 
15767 	err = nla_parse_nested(attrs, NL80211_NAN_CONF_ATTR_MAX,
15768 			       info->attrs[NL80211_ATTR_NAN_CONFIG], NULL,
15769 			       info->extack);
15770 	if (err)
15771 		return err;
15772 
15773 	changed |= CFG80211_NAN_CONF_CHANGED_CONFIG;
15774 	if (attrs[NL80211_NAN_CONF_CLUSTER_ID] && start) {
15775 		ether_addr_copy(conf->cluster_id,
15776 				nla_data(attrs[NL80211_NAN_CONF_CLUSTER_ID]));
15777 	} else if (start) {
15778 		conf->cluster_id[0] = 0x50;
15779 		conf->cluster_id[1] = 0x6f;
15780 		conf->cluster_id[2] = 0x9a;
15781 		conf->cluster_id[3] = 0x01;
15782 		get_random_bytes(&conf->cluster_id[4], 2);
15783 	}
15784 
15785 	if (attrs[NL80211_NAN_CONF_EXTRA_ATTRS]) {
15786 		conf->extra_nan_attrs =
15787 			nla_data(attrs[NL80211_NAN_CONF_EXTRA_ATTRS]);
15788 		conf->extra_nan_attrs_len =
15789 			nla_len(attrs[NL80211_NAN_CONF_EXTRA_ATTRS]);
15790 	}
15791 
15792 	if (attrs[NL80211_NAN_CONF_VENDOR_ELEMS]) {
15793 		conf->vendor_elems =
15794 			nla_data(attrs[NL80211_NAN_CONF_VENDOR_ELEMS]);
15795 		conf->vendor_elems_len =
15796 			nla_len(attrs[NL80211_NAN_CONF_VENDOR_ELEMS]);
15797 	}
15798 
15799 	if (attrs[NL80211_NAN_CONF_BAND_CONFIGS]) {
15800 		nla_for_each_nested(band_config,
15801 				    attrs[NL80211_NAN_CONF_BAND_CONFIGS],
15802 				    rem) {
15803 			enum nl80211_band band;
15804 			struct cfg80211_nan_band_config *cfg;
15805 			struct nlattr *tb[NL80211_NAN_BAND_CONF_ATTR_MAX + 1];
15806 
15807 			err = nla_parse_nested(tb,
15808 					       NL80211_NAN_BAND_CONF_ATTR_MAX,
15809 					       band_config, NULL,
15810 					       info->extack);
15811 			if (err)
15812 				return err;
15813 
15814 			if (!tb[NL80211_NAN_BAND_CONF_BAND])
15815 				return -EINVAL;
15816 
15817 			band = nla_get_u8(tb[NL80211_NAN_BAND_CONF_BAND]);
15818 			if (conf->bands && !(conf->bands & BIT(band)))
15819 				return -EINVAL;
15820 
15821 			cfg = &conf->band_cfgs[band];
15822 
15823 			err = nl80211_parse_nan_band_config(wiphy, tb, cfg,
15824 							    band);
15825 			if (err)
15826 				return err;
15827 		}
15828 	}
15829 
15830 	if (attrs[NL80211_NAN_CONF_SCAN_PERIOD])
15831 		conf->scan_period =
15832 			nla_get_u16(attrs[NL80211_NAN_CONF_SCAN_PERIOD]);
15833 
15834 	if (attrs[NL80211_NAN_CONF_SCAN_DWELL_TIME])
15835 		conf->scan_dwell_time =
15836 			nla_get_u16(attrs[NL80211_NAN_CONF_SCAN_DWELL_TIME]);
15837 
15838 	if (attrs[NL80211_NAN_CONF_DISCOVERY_BEACON_INTERVAL])
15839 		conf->discovery_beacon_interval =
15840 			nla_get_u8(attrs[NL80211_NAN_CONF_DISCOVERY_BEACON_INTERVAL]);
15841 
15842 	if (attrs[NL80211_NAN_CONF_NOTIFY_DW])
15843 		conf->enable_dw_notification =
15844 			nla_get_flag(attrs[NL80211_NAN_CONF_NOTIFY_DW]);
15845 
15846 out:
15847 	if (!conf->band_cfgs[NL80211_BAND_5GHZ].chan &&
15848 	    (!conf->bands || conf->bands & BIT(NL80211_BAND_5GHZ))) {
15849 		/* If no 5GHz channel is specified use default, if possible */
15850 		conf->band_cfgs[NL80211_BAND_5GHZ].chan =
15851 				nl80211_get_nan_channel(wiphy, 5745);
15852 		if (!conf->band_cfgs[NL80211_BAND_5GHZ].chan)
15853 			conf->band_cfgs[NL80211_BAND_5GHZ].chan =
15854 					nl80211_get_nan_channel(wiphy, 5220);
15855 
15856 		/* Return error if user space asked explicitly for 5 GHz */
15857 		if (!conf->band_cfgs[NL80211_BAND_5GHZ].chan &&
15858 		    conf->bands & BIT(NL80211_BAND_5GHZ)) {
15859 			NL_SET_ERR_MSG_ATTR(info->extack,
15860 					    info->attrs[NL80211_ATTR_BANDS],
15861 					    "5 GHz band operation is not allowed");
15862 			return -EINVAL;
15863 		}
15864 	}
15865 
15866 	if (changed_flags)
15867 		*changed_flags = changed;
15868 
15869 	return 0;
15870 }
15871 
15872 static int nl80211_start_nan(struct sk_buff *skb, struct genl_info *info)
15873 {
15874 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15875 	struct wireless_dev *wdev = info->user_ptr[1];
15876 	struct cfg80211_nan_conf conf = {};
15877 	int err;
15878 
15879 	if (wdev->iftype != NL80211_IFTYPE_NAN)
15880 		return -EOPNOTSUPP;
15881 
15882 	if (wdev_running(wdev))
15883 		return -EEXIST;
15884 
15885 	if (rfkill_blocked(rdev->wiphy.rfkill))
15886 		return -ERFKILL;
15887 
15888 	/* Master preference is mandatory for START_NAN */
15889 	if (!info->attrs[NL80211_ATTR_NAN_MASTER_PREF])
15890 		return -EINVAL;
15891 
15892 	err = nl80211_parse_nan_conf(&rdev->wiphy, info, &conf, NULL, true);
15893 	if (err)
15894 		return err;
15895 
15896 	err = rdev_start_nan(rdev, wdev, &conf);
15897 	if (err)
15898 		return err;
15899 
15900 	wdev->is_running = true;
15901 	rdev->opencount++;
15902 
15903 	return 0;
15904 }
15905 
15906 static int nl80211_stop_nan(struct sk_buff *skb, struct genl_info *info)
15907 {
15908 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15909 	struct wireless_dev *wdev = info->user_ptr[1];
15910 
15911 	if (wdev->iftype != NL80211_IFTYPE_NAN)
15912 		return -EOPNOTSUPP;
15913 
15914 	cfg80211_stop_nan(rdev, wdev);
15915 
15916 	return 0;
15917 }
15918 
15919 static int validate_nan_filter(struct nlattr *filter_attr)
15920 {
15921 	struct nlattr *attr;
15922 	int len = 0, n_entries = 0, rem;
15923 
15924 	nla_for_each_nested(attr, filter_attr, rem) {
15925 		len += nla_len(attr);
15926 		n_entries++;
15927 	}
15928 
15929 	if (len >= U8_MAX)
15930 		return -EINVAL;
15931 
15932 	return n_entries;
15933 }
15934 
15935 static int handle_nan_filter(struct nlattr *attr_filter,
15936 			     struct cfg80211_nan_func *func,
15937 			     bool tx)
15938 {
15939 	struct nlattr *attr;
15940 	int n_entries, rem, i;
15941 	struct cfg80211_nan_func_filter *filter;
15942 
15943 	n_entries = validate_nan_filter(attr_filter);
15944 	if (n_entries < 0)
15945 		return n_entries;
15946 
15947 	BUILD_BUG_ON(sizeof(*func->rx_filters) != sizeof(*func->tx_filters));
15948 
15949 	filter = kzalloc_objs(*func->rx_filters, n_entries);
15950 	if (!filter)
15951 		return -ENOMEM;
15952 
15953 	i = 0;
15954 	nla_for_each_nested(attr, attr_filter, rem) {
15955 		filter[i].filter = nla_memdup(attr, GFP_KERNEL);
15956 		if (!filter[i].filter)
15957 			goto err;
15958 
15959 		filter[i].len = nla_len(attr);
15960 		i++;
15961 	}
15962 	if (tx) {
15963 		func->num_tx_filters = n_entries;
15964 		func->tx_filters = filter;
15965 	} else {
15966 		func->num_rx_filters = n_entries;
15967 		func->rx_filters = filter;
15968 	}
15969 
15970 	return 0;
15971 
15972 err:
15973 	i = 0;
15974 	nla_for_each_nested(attr, attr_filter, rem) {
15975 		kfree(filter[i].filter);
15976 		i++;
15977 	}
15978 	kfree(filter);
15979 	return -ENOMEM;
15980 }
15981 
15982 static int nl80211_nan_add_func(struct sk_buff *skb,
15983 				struct genl_info *info)
15984 {
15985 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15986 	struct wireless_dev *wdev = info->user_ptr[1];
15987 	struct nlattr *tb[NUM_NL80211_NAN_FUNC_ATTR], *func_attr;
15988 	struct cfg80211_nan_func *func;
15989 	struct sk_buff *msg = NULL;
15990 	void *hdr = NULL;
15991 	int err = 0;
15992 
15993 	if (wdev->iftype != NL80211_IFTYPE_NAN)
15994 		return -EOPNOTSUPP;
15995 
15996 	if (!wdev_running(wdev))
15997 		return -ENOTCONN;
15998 
15999 	if (!info->attrs[NL80211_ATTR_NAN_FUNC])
16000 		return -EINVAL;
16001 
16002 	err = nla_parse_nested_deprecated(tb, NL80211_NAN_FUNC_ATTR_MAX,
16003 					  info->attrs[NL80211_ATTR_NAN_FUNC],
16004 					  nl80211_nan_func_policy,
16005 					  info->extack);
16006 	if (err)
16007 		return err;
16008 
16009 	func = kzalloc_obj(*func);
16010 	if (!func)
16011 		return -ENOMEM;
16012 
16013 	func->cookie = cfg80211_assign_cookie(rdev);
16014 
16015 	if (!tb[NL80211_NAN_FUNC_TYPE]) {
16016 		err = -EINVAL;
16017 		goto out;
16018 	}
16019 
16020 
16021 	func->type = nla_get_u8(tb[NL80211_NAN_FUNC_TYPE]);
16022 
16023 	if (!tb[NL80211_NAN_FUNC_SERVICE_ID]) {
16024 		err = -EINVAL;
16025 		goto out;
16026 	}
16027 
16028 	memcpy(func->service_id, nla_data(tb[NL80211_NAN_FUNC_SERVICE_ID]),
16029 	       sizeof(func->service_id));
16030 
16031 	func->close_range =
16032 		nla_get_flag(tb[NL80211_NAN_FUNC_CLOSE_RANGE]);
16033 
16034 	if (tb[NL80211_NAN_FUNC_SERVICE_INFO]) {
16035 		func->serv_spec_info_len =
16036 			nla_len(tb[NL80211_NAN_FUNC_SERVICE_INFO]);
16037 		func->serv_spec_info =
16038 			kmemdup(nla_data(tb[NL80211_NAN_FUNC_SERVICE_INFO]),
16039 				func->serv_spec_info_len,
16040 				GFP_KERNEL);
16041 		if (!func->serv_spec_info) {
16042 			err = -ENOMEM;
16043 			goto out;
16044 		}
16045 	}
16046 
16047 	if (tb[NL80211_NAN_FUNC_TTL])
16048 		func->ttl = nla_get_u32(tb[NL80211_NAN_FUNC_TTL]);
16049 
16050 	switch (func->type) {
16051 	case NL80211_NAN_FUNC_PUBLISH:
16052 		if (!tb[NL80211_NAN_FUNC_PUBLISH_TYPE]) {
16053 			err = -EINVAL;
16054 			goto out;
16055 		}
16056 
16057 		func->publish_type =
16058 			nla_get_u8(tb[NL80211_NAN_FUNC_PUBLISH_TYPE]);
16059 		func->publish_bcast =
16060 			nla_get_flag(tb[NL80211_NAN_FUNC_PUBLISH_BCAST]);
16061 
16062 		if ((!(func->publish_type & NL80211_NAN_SOLICITED_PUBLISH)) &&
16063 			func->publish_bcast) {
16064 			err = -EINVAL;
16065 			goto out;
16066 		}
16067 		break;
16068 	case NL80211_NAN_FUNC_SUBSCRIBE:
16069 		func->subscribe_active =
16070 			nla_get_flag(tb[NL80211_NAN_FUNC_SUBSCRIBE_ACTIVE]);
16071 		break;
16072 	case NL80211_NAN_FUNC_FOLLOW_UP:
16073 		if (!tb[NL80211_NAN_FUNC_FOLLOW_UP_ID] ||
16074 		    !tb[NL80211_NAN_FUNC_FOLLOW_UP_REQ_ID] ||
16075 		    !tb[NL80211_NAN_FUNC_FOLLOW_UP_DEST]) {
16076 			err = -EINVAL;
16077 			goto out;
16078 		}
16079 
16080 		func->followup_id =
16081 			nla_get_u8(tb[NL80211_NAN_FUNC_FOLLOW_UP_ID]);
16082 		func->followup_reqid =
16083 			nla_get_u8(tb[NL80211_NAN_FUNC_FOLLOW_UP_REQ_ID]);
16084 		memcpy(func->followup_dest.addr,
16085 		       nla_data(tb[NL80211_NAN_FUNC_FOLLOW_UP_DEST]),
16086 		       sizeof(func->followup_dest.addr));
16087 		if (func->ttl) {
16088 			err = -EINVAL;
16089 			goto out;
16090 		}
16091 		break;
16092 	default:
16093 		err = -EINVAL;
16094 		goto out;
16095 	}
16096 
16097 	if (tb[NL80211_NAN_FUNC_SRF]) {
16098 		struct nlattr *srf_tb[NUM_NL80211_NAN_SRF_ATTR];
16099 
16100 		err = nla_parse_nested_deprecated(srf_tb,
16101 						  NL80211_NAN_SRF_ATTR_MAX,
16102 						  tb[NL80211_NAN_FUNC_SRF],
16103 						  nl80211_nan_srf_policy,
16104 						  info->extack);
16105 		if (err)
16106 			goto out;
16107 
16108 		func->srf_include =
16109 			nla_get_flag(srf_tb[NL80211_NAN_SRF_INCLUDE]);
16110 
16111 		if (srf_tb[NL80211_NAN_SRF_BF]) {
16112 			if (srf_tb[NL80211_NAN_SRF_MAC_ADDRS] ||
16113 			    !srf_tb[NL80211_NAN_SRF_BF_IDX]) {
16114 				err = -EINVAL;
16115 				goto out;
16116 			}
16117 
16118 			func->srf_bf_len =
16119 				nla_len(srf_tb[NL80211_NAN_SRF_BF]);
16120 			func->srf_bf =
16121 				kmemdup(nla_data(srf_tb[NL80211_NAN_SRF_BF]),
16122 					func->srf_bf_len, GFP_KERNEL);
16123 			if (!func->srf_bf) {
16124 				err = -ENOMEM;
16125 				goto out;
16126 			}
16127 
16128 			func->srf_bf_idx =
16129 				nla_get_u8(srf_tb[NL80211_NAN_SRF_BF_IDX]);
16130 		} else {
16131 			struct nlattr *attr, *mac_attr =
16132 				srf_tb[NL80211_NAN_SRF_MAC_ADDRS];
16133 			int n_entries, rem, i = 0;
16134 
16135 			if (!mac_attr) {
16136 				err = -EINVAL;
16137 				goto out;
16138 			}
16139 
16140 			n_entries = validate_acl_mac_addrs(mac_attr);
16141 			if (n_entries <= 0) {
16142 				err = -EINVAL;
16143 				goto out;
16144 			}
16145 
16146 			func->srf_num_macs = n_entries;
16147 			func->srf_macs =
16148 				kzalloc_objs(*func->srf_macs, n_entries);
16149 			if (!func->srf_macs) {
16150 				err = -ENOMEM;
16151 				goto out;
16152 			}
16153 
16154 			nla_for_each_nested(attr, mac_attr, rem)
16155 				memcpy(func->srf_macs[i++].addr, nla_data(attr),
16156 				       sizeof(*func->srf_macs));
16157 		}
16158 	}
16159 
16160 	if (tb[NL80211_NAN_FUNC_TX_MATCH_FILTER]) {
16161 		err = handle_nan_filter(tb[NL80211_NAN_FUNC_TX_MATCH_FILTER],
16162 					func, true);
16163 		if (err)
16164 			goto out;
16165 	}
16166 
16167 	if (tb[NL80211_NAN_FUNC_RX_MATCH_FILTER]) {
16168 		err = handle_nan_filter(tb[NL80211_NAN_FUNC_RX_MATCH_FILTER],
16169 					func, false);
16170 		if (err)
16171 			goto out;
16172 	}
16173 
16174 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
16175 	if (!msg) {
16176 		err = -ENOMEM;
16177 		goto out;
16178 	}
16179 
16180 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
16181 			     NL80211_CMD_ADD_NAN_FUNCTION);
16182 	/* This can't really happen - we just allocated 4KB */
16183 	if (WARN_ON(!hdr)) {
16184 		err = -ENOMEM;
16185 		goto out;
16186 	}
16187 
16188 	err = rdev_add_nan_func(rdev, wdev, func);
16189 out:
16190 	if (err < 0) {
16191 		cfg80211_free_nan_func(func);
16192 		nlmsg_free(msg);
16193 		return err;
16194 	}
16195 
16196 	/* propagate the instance id and cookie to userspace  */
16197 	if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, func->cookie,
16198 			      NL80211_ATTR_PAD))
16199 		goto nla_put_failure;
16200 
16201 	func_attr = nla_nest_start_noflag(msg, NL80211_ATTR_NAN_FUNC);
16202 	if (!func_attr)
16203 		goto nla_put_failure;
16204 
16205 	if (nla_put_u8(msg, NL80211_NAN_FUNC_INSTANCE_ID,
16206 		       func->instance_id))
16207 		goto nla_put_failure;
16208 
16209 	nla_nest_end(msg, func_attr);
16210 
16211 	genlmsg_end(msg, hdr);
16212 	return genlmsg_reply(msg, info);
16213 
16214 nla_put_failure:
16215 	nlmsg_free(msg);
16216 	return -ENOBUFS;
16217 }
16218 
16219 static int nl80211_nan_del_func(struct sk_buff *skb,
16220 			       struct genl_info *info)
16221 {
16222 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
16223 	struct wireless_dev *wdev = info->user_ptr[1];
16224 	u64 cookie;
16225 
16226 	if (wdev->iftype != NL80211_IFTYPE_NAN)
16227 		return -EOPNOTSUPP;
16228 
16229 	if (!wdev_running(wdev))
16230 		return -ENOTCONN;
16231 
16232 	if (!info->attrs[NL80211_ATTR_COOKIE])
16233 		return -EINVAL;
16234 
16235 	cookie = nla_get_u64(info->attrs[NL80211_ATTR_COOKIE]);
16236 
16237 	rdev_del_nan_func(rdev, wdev, cookie);
16238 
16239 	return 0;
16240 }
16241 
16242 static int nl80211_nan_change_config(struct sk_buff *skb,
16243 				     struct genl_info *info)
16244 {
16245 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
16246 	struct wireless_dev *wdev = info->user_ptr[1];
16247 	struct cfg80211_nan_conf conf = {};
16248 	u32 changed = 0;
16249 	int err;
16250 
16251 	if (wdev->iftype != NL80211_IFTYPE_NAN)
16252 		return -EOPNOTSUPP;
16253 
16254 	if (!wdev_running(wdev))
16255 		return -ENOTCONN;
16256 
16257 	err = nl80211_parse_nan_conf(&rdev->wiphy, info, &conf, &changed, false);
16258 	if (err)
16259 		return err;
16260 
16261 	if (!changed)
16262 		return -EINVAL;
16263 
16264 	return rdev_nan_change_conf(rdev, wdev, &conf, changed);
16265 }
16266 
16267 void cfg80211_nan_match(struct wireless_dev *wdev,
16268 			struct cfg80211_nan_match_params *match, gfp_t gfp)
16269 {
16270 	struct wiphy *wiphy = wdev->wiphy;
16271 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
16272 	struct nlattr *match_attr, *local_func_attr, *peer_func_attr;
16273 	struct sk_buff *msg;
16274 	void *hdr;
16275 
16276 	if (WARN_ON(wiphy->nan_capa.flags & WIPHY_NAN_FLAGS_USERSPACE_DE))
16277 		return;
16278 
16279 	if (WARN_ON(!match->inst_id || !match->peer_inst_id || !match->addr))
16280 		return;
16281 
16282 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
16283 	if (!msg)
16284 		return;
16285 
16286 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_NAN_MATCH);
16287 	if (!hdr) {
16288 		nlmsg_free(msg);
16289 		return;
16290 	}
16291 
16292 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
16293 	    (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
16294 					 wdev->netdev->ifindex)) ||
16295 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
16296 			      NL80211_ATTR_PAD))
16297 		goto nla_put_failure;
16298 
16299 	if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, match->cookie,
16300 			      NL80211_ATTR_PAD) ||
16301 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, match->addr))
16302 		goto nla_put_failure;
16303 
16304 	match_attr = nla_nest_start_noflag(msg, NL80211_ATTR_NAN_MATCH);
16305 	if (!match_attr)
16306 		goto nla_put_failure;
16307 
16308 	local_func_attr = nla_nest_start_noflag(msg,
16309 						NL80211_NAN_MATCH_FUNC_LOCAL);
16310 	if (!local_func_attr)
16311 		goto nla_put_failure;
16312 
16313 	if (nla_put_u8(msg, NL80211_NAN_FUNC_INSTANCE_ID, match->inst_id))
16314 		goto nla_put_failure;
16315 
16316 	nla_nest_end(msg, local_func_attr);
16317 
16318 	peer_func_attr = nla_nest_start_noflag(msg,
16319 					       NL80211_NAN_MATCH_FUNC_PEER);
16320 	if (!peer_func_attr)
16321 		goto nla_put_failure;
16322 
16323 	if (nla_put_u8(msg, NL80211_NAN_FUNC_TYPE, match->type) ||
16324 	    nla_put_u8(msg, NL80211_NAN_FUNC_INSTANCE_ID, match->peer_inst_id))
16325 		goto nla_put_failure;
16326 
16327 	if (match->info && match->info_len &&
16328 	    nla_put(msg, NL80211_NAN_FUNC_SERVICE_INFO, match->info_len,
16329 		    match->info))
16330 		goto nla_put_failure;
16331 
16332 	nla_nest_end(msg, peer_func_attr);
16333 	nla_nest_end(msg, match_attr);
16334 	genlmsg_end(msg, hdr);
16335 
16336 	if (!wdev->owner_nlportid)
16337 		genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy),
16338 					msg, 0, NL80211_MCGRP_NAN, gfp);
16339 	else
16340 		genlmsg_unicast(wiphy_net(&rdev->wiphy), msg,
16341 				wdev->owner_nlportid);
16342 
16343 	return;
16344 
16345 nla_put_failure:
16346 	nlmsg_free(msg);
16347 }
16348 EXPORT_SYMBOL(cfg80211_nan_match);
16349 
16350 void cfg80211_nan_func_terminated(struct wireless_dev *wdev,
16351 				  u8 inst_id,
16352 				  enum nl80211_nan_func_term_reason reason,
16353 				  u64 cookie, gfp_t gfp)
16354 {
16355 	struct wiphy *wiphy = wdev->wiphy;
16356 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
16357 	struct sk_buff *msg;
16358 	struct nlattr *func_attr;
16359 	void *hdr;
16360 
16361 	if (WARN_ON(wiphy->nan_capa.flags & WIPHY_NAN_FLAGS_USERSPACE_DE))
16362 		return;
16363 
16364 	if (WARN_ON(!inst_id))
16365 		return;
16366 
16367 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
16368 	if (!msg)
16369 		return;
16370 
16371 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_DEL_NAN_FUNCTION);
16372 	if (!hdr) {
16373 		nlmsg_free(msg);
16374 		return;
16375 	}
16376 
16377 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
16378 	    (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
16379 					 wdev->netdev->ifindex)) ||
16380 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
16381 			      NL80211_ATTR_PAD))
16382 		goto nla_put_failure;
16383 
16384 	if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
16385 			      NL80211_ATTR_PAD))
16386 		goto nla_put_failure;
16387 
16388 	func_attr = nla_nest_start_noflag(msg, NL80211_ATTR_NAN_FUNC);
16389 	if (!func_attr)
16390 		goto nla_put_failure;
16391 
16392 	if (nla_put_u8(msg, NL80211_NAN_FUNC_INSTANCE_ID, inst_id) ||
16393 	    nla_put_u8(msg, NL80211_NAN_FUNC_TERM_REASON, reason))
16394 		goto nla_put_failure;
16395 
16396 	nla_nest_end(msg, func_attr);
16397 	genlmsg_end(msg, hdr);
16398 
16399 	if (!wdev->owner_nlportid)
16400 		genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy),
16401 					msg, 0, NL80211_MCGRP_NAN, gfp);
16402 	else
16403 		genlmsg_unicast(wiphy_net(&rdev->wiphy), msg,
16404 				wdev->owner_nlportid);
16405 
16406 	return;
16407 
16408 nla_put_failure:
16409 	nlmsg_free(msg);
16410 }
16411 EXPORT_SYMBOL(cfg80211_nan_func_terminated);
16412 
16413 static int nl80211_get_protocol_features(struct sk_buff *skb,
16414 					 struct genl_info *info)
16415 {
16416 	void *hdr;
16417 	struct sk_buff *msg;
16418 
16419 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
16420 	if (!msg)
16421 		return -ENOMEM;
16422 
16423 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
16424 			     NL80211_CMD_GET_PROTOCOL_FEATURES);
16425 	if (!hdr)
16426 		goto nla_put_failure;
16427 
16428 	if (nla_put_u32(msg, NL80211_ATTR_PROTOCOL_FEATURES,
16429 			NL80211_PROTOCOL_FEATURE_SPLIT_WIPHY_DUMP))
16430 		goto nla_put_failure;
16431 
16432 	genlmsg_end(msg, hdr);
16433 	return genlmsg_reply(msg, info);
16434 
16435  nla_put_failure:
16436 	kfree_skb(msg);
16437 	return -ENOBUFS;
16438 }
16439 
16440 static int nl80211_update_ft_ies(struct sk_buff *skb, struct genl_info *info)
16441 {
16442 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
16443 	struct cfg80211_update_ft_ies_params ft_params;
16444 	struct net_device *dev = info->user_ptr[1];
16445 
16446 	if (!rdev->ops->update_ft_ies)
16447 		return -EOPNOTSUPP;
16448 
16449 	if (!info->attrs[NL80211_ATTR_MDID] ||
16450 	    !info->attrs[NL80211_ATTR_IE])
16451 		return -EINVAL;
16452 
16453 	memset(&ft_params, 0, sizeof(ft_params));
16454 	ft_params.md = nla_get_u16(info->attrs[NL80211_ATTR_MDID]);
16455 	ft_params.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
16456 	ft_params.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
16457 
16458 	return rdev_update_ft_ies(rdev, dev, &ft_params);
16459 }
16460 
16461 static int nl80211_crit_protocol_start(struct sk_buff *skb,
16462 				       struct genl_info *info)
16463 {
16464 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
16465 	struct wireless_dev *wdev = info->user_ptr[1];
16466 	enum nl80211_crit_proto_id proto = NL80211_CRIT_PROTO_UNSPEC;
16467 	u16 duration;
16468 	int ret;
16469 
16470 	if (!rdev->ops->crit_proto_start)
16471 		return -EOPNOTSUPP;
16472 
16473 	if (WARN_ON(!rdev->ops->crit_proto_stop))
16474 		return -EINVAL;
16475 
16476 	if (rdev->crit_proto_nlportid)
16477 		return -EBUSY;
16478 
16479 	/* determine protocol if provided */
16480 	if (info->attrs[NL80211_ATTR_CRIT_PROT_ID])
16481 		proto = nla_get_u16(info->attrs[NL80211_ATTR_CRIT_PROT_ID]);
16482 
16483 	if (proto >= NUM_NL80211_CRIT_PROTO)
16484 		return -EINVAL;
16485 
16486 	/* timeout must be provided */
16487 	if (!info->attrs[NL80211_ATTR_MAX_CRIT_PROT_DURATION])
16488 		return -EINVAL;
16489 
16490 	duration =
16491 		nla_get_u16(info->attrs[NL80211_ATTR_MAX_CRIT_PROT_DURATION]);
16492 
16493 	ret = rdev_crit_proto_start(rdev, wdev, proto, duration);
16494 	if (!ret)
16495 		rdev->crit_proto_nlportid = info->snd_portid;
16496 
16497 	return ret;
16498 }
16499 
16500 static int nl80211_crit_protocol_stop(struct sk_buff *skb,
16501 				      struct genl_info *info)
16502 {
16503 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
16504 	struct wireless_dev *wdev = info->user_ptr[1];
16505 
16506 	if (!rdev->ops->crit_proto_stop)
16507 		return -EOPNOTSUPP;
16508 
16509 	if (rdev->crit_proto_nlportid) {
16510 		rdev->crit_proto_nlportid = 0;
16511 		rdev_crit_proto_stop(rdev, wdev);
16512 	}
16513 	return 0;
16514 }
16515 
16516 static int nl80211_vendor_check_policy(const struct wiphy_vendor_command *vcmd,
16517 				       struct nlattr *attr,
16518 				       struct netlink_ext_ack *extack)
16519 {
16520 	if (vcmd->policy == VENDOR_CMD_RAW_DATA) {
16521 		if (attr->nla_type & NLA_F_NESTED) {
16522 			NL_SET_ERR_MSG_ATTR(extack, attr,
16523 					    "unexpected nested data");
16524 			return -EINVAL;
16525 		}
16526 
16527 		return 0;
16528 	}
16529 
16530 	if (!(attr->nla_type & NLA_F_NESTED)) {
16531 		NL_SET_ERR_MSG_ATTR(extack, attr, "expected nested data");
16532 		return -EINVAL;
16533 	}
16534 
16535 	return nla_validate_nested(attr, vcmd->maxattr, vcmd->policy, extack);
16536 }
16537 
16538 static int nl80211_vendor_cmd(struct sk_buff *skb, struct genl_info *info)
16539 {
16540 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
16541 	struct wireless_dev *wdev =
16542 		__cfg80211_wdev_from_attrs(rdev, genl_info_net(info),
16543 					   info->attrs);
16544 	int i, err;
16545 	u32 vid, subcmd;
16546 
16547 	if (!rdev->wiphy.vendor_commands)
16548 		return -EOPNOTSUPP;
16549 
16550 	if (IS_ERR(wdev)) {
16551 		err = PTR_ERR(wdev);
16552 		if (err != -EINVAL)
16553 			return err;
16554 		wdev = NULL;
16555 	} else if (wdev->wiphy != &rdev->wiphy) {
16556 		return -EINVAL;
16557 	}
16558 
16559 	if (!info->attrs[NL80211_ATTR_VENDOR_ID] ||
16560 	    !info->attrs[NL80211_ATTR_VENDOR_SUBCMD])
16561 		return -EINVAL;
16562 
16563 	vid = nla_get_u32(info->attrs[NL80211_ATTR_VENDOR_ID]);
16564 	subcmd = nla_get_u32(info->attrs[NL80211_ATTR_VENDOR_SUBCMD]);
16565 	for (i = 0; i < rdev->wiphy.n_vendor_commands; i++) {
16566 		const struct wiphy_vendor_command *vcmd;
16567 		void *data = NULL;
16568 		int len = 0;
16569 
16570 		vcmd = &rdev->wiphy.vendor_commands[i];
16571 
16572 		if (vcmd->info.vendor_id != vid || vcmd->info.subcmd != subcmd)
16573 			continue;
16574 
16575 		if (vcmd->flags & (WIPHY_VENDOR_CMD_NEED_WDEV |
16576 				   WIPHY_VENDOR_CMD_NEED_NETDEV)) {
16577 			if (!wdev)
16578 				return -EINVAL;
16579 			if (vcmd->flags & WIPHY_VENDOR_CMD_NEED_NETDEV &&
16580 			    !wdev->netdev)
16581 				return -EINVAL;
16582 
16583 			if (vcmd->flags & WIPHY_VENDOR_CMD_NEED_RUNNING) {
16584 				if (!wdev_running(wdev))
16585 					return -ENETDOWN;
16586 			}
16587 		} else {
16588 			wdev = NULL;
16589 		}
16590 
16591 		if (!vcmd->doit)
16592 			return -EOPNOTSUPP;
16593 
16594 		if (info->attrs[NL80211_ATTR_VENDOR_DATA]) {
16595 			data = nla_data(info->attrs[NL80211_ATTR_VENDOR_DATA]);
16596 			len = nla_len(info->attrs[NL80211_ATTR_VENDOR_DATA]);
16597 
16598 			err = nl80211_vendor_check_policy(vcmd,
16599 					info->attrs[NL80211_ATTR_VENDOR_DATA],
16600 					info->extack);
16601 			if (err)
16602 				return err;
16603 		}
16604 
16605 		rdev->cur_cmd_info = info;
16606 		err = vcmd->doit(&rdev->wiphy, wdev, data, len);
16607 		rdev->cur_cmd_info = NULL;
16608 		return err;
16609 	}
16610 
16611 	return -EOPNOTSUPP;
16612 }
16613 
16614 static int nl80211_prepare_vendor_dump(struct sk_buff *skb,
16615 				       struct netlink_callback *cb,
16616 				       struct cfg80211_registered_device **rdev,
16617 				       struct wireless_dev **wdev)
16618 {
16619 	struct nlattr **attrbuf;
16620 	u32 vid, subcmd;
16621 	unsigned int i;
16622 	int vcmd_idx = -1;
16623 	int err;
16624 	void *data = NULL;
16625 	unsigned int data_len = 0;
16626 
16627 	if (cb->args[0]) {
16628 		/* subtract the 1 again here */
16629 		struct wiphy *wiphy = wiphy_idx_to_wiphy(cb->args[0] - 1);
16630 		struct wireless_dev *tmp;
16631 
16632 		if (!wiphy)
16633 			return -ENODEV;
16634 		*rdev = wiphy_to_rdev(wiphy);
16635 		*wdev = NULL;
16636 
16637 		if (cb->args[1]) {
16638 			list_for_each_entry(tmp, &wiphy->wdev_list, list) {
16639 				if (tmp->identifier == cb->args[1] - 1) {
16640 					*wdev = tmp;
16641 					break;
16642 				}
16643 			}
16644 		}
16645 
16646 		/* keep rtnl locked in successful case */
16647 		return 0;
16648 	}
16649 
16650 	attrbuf = kzalloc_objs(*attrbuf, NUM_NL80211_ATTR);
16651 	if (!attrbuf)
16652 		return -ENOMEM;
16653 
16654 	err = nlmsg_parse_deprecated(cb->nlh,
16655 				     GENL_HDRLEN + nl80211_fam.hdrsize,
16656 				     attrbuf, nl80211_fam.maxattr,
16657 				     nl80211_policy, NULL);
16658 	if (err)
16659 		goto out;
16660 
16661 	if (!attrbuf[NL80211_ATTR_VENDOR_ID] ||
16662 	    !attrbuf[NL80211_ATTR_VENDOR_SUBCMD]) {
16663 		err = -EINVAL;
16664 		goto out;
16665 	}
16666 
16667 	*wdev = __cfg80211_wdev_from_attrs(NULL, sock_net(skb->sk), attrbuf);
16668 	if (IS_ERR(*wdev))
16669 		*wdev = NULL;
16670 
16671 	*rdev = __cfg80211_rdev_from_attrs(sock_net(skb->sk), attrbuf);
16672 	if (IS_ERR(*rdev)) {
16673 		err = PTR_ERR(*rdev);
16674 		goto out;
16675 	}
16676 
16677 	vid = nla_get_u32(attrbuf[NL80211_ATTR_VENDOR_ID]);
16678 	subcmd = nla_get_u32(attrbuf[NL80211_ATTR_VENDOR_SUBCMD]);
16679 
16680 	for (i = 0; i < (*rdev)->wiphy.n_vendor_commands; i++) {
16681 		const struct wiphy_vendor_command *vcmd;
16682 
16683 		vcmd = &(*rdev)->wiphy.vendor_commands[i];
16684 
16685 		if (vcmd->info.vendor_id != vid || vcmd->info.subcmd != subcmd)
16686 			continue;
16687 
16688 		if (!vcmd->dumpit) {
16689 			err = -EOPNOTSUPP;
16690 			goto out;
16691 		}
16692 
16693 		vcmd_idx = i;
16694 		break;
16695 	}
16696 
16697 	if (vcmd_idx < 0) {
16698 		err = -EOPNOTSUPP;
16699 		goto out;
16700 	}
16701 
16702 	if (attrbuf[NL80211_ATTR_VENDOR_DATA]) {
16703 		data = nla_data(attrbuf[NL80211_ATTR_VENDOR_DATA]);
16704 		data_len = nla_len(attrbuf[NL80211_ATTR_VENDOR_DATA]);
16705 
16706 		err = nl80211_vendor_check_policy(
16707 				&(*rdev)->wiphy.vendor_commands[vcmd_idx],
16708 				attrbuf[NL80211_ATTR_VENDOR_DATA],
16709 				cb->extack);
16710 		if (err)
16711 			goto out;
16712 	}
16713 
16714 	/* 0 is the first index - add 1 to parse only once */
16715 	cb->args[0] = (*rdev)->wiphy_idx + 1;
16716 	/* add 1 to know if it was NULL */
16717 	cb->args[1] = *wdev ? (*wdev)->identifier + 1 : 0;
16718 	cb->args[2] = vcmd_idx;
16719 	cb->args[3] = (unsigned long)data;
16720 	cb->args[4] = data_len;
16721 
16722 	/* keep rtnl locked in successful case */
16723 	err = 0;
16724 out:
16725 	kfree(attrbuf);
16726 	return err;
16727 }
16728 
16729 static int nl80211_vendor_cmd_dump(struct sk_buff *skb,
16730 				   struct netlink_callback *cb)
16731 {
16732 	struct cfg80211_registered_device *rdev;
16733 	struct wireless_dev *wdev;
16734 	unsigned int vcmd_idx;
16735 	const struct wiphy_vendor_command *vcmd;
16736 	void *data;
16737 	int data_len;
16738 	int err;
16739 	struct nlattr *vendor_data;
16740 
16741 	rtnl_lock();
16742 	err = nl80211_prepare_vendor_dump(skb, cb, &rdev, &wdev);
16743 	if (err)
16744 		goto out;
16745 
16746 	vcmd_idx = cb->args[2];
16747 	data = (void *)cb->args[3];
16748 	data_len = cb->args[4];
16749 	vcmd = &rdev->wiphy.vendor_commands[vcmd_idx];
16750 
16751 	if (vcmd->flags & (WIPHY_VENDOR_CMD_NEED_WDEV |
16752 			   WIPHY_VENDOR_CMD_NEED_NETDEV)) {
16753 		if (!wdev) {
16754 			err = -EINVAL;
16755 			goto out;
16756 		}
16757 		if (vcmd->flags & WIPHY_VENDOR_CMD_NEED_NETDEV &&
16758 		    !wdev->netdev) {
16759 			err = -EINVAL;
16760 			goto out;
16761 		}
16762 
16763 		if (vcmd->flags & WIPHY_VENDOR_CMD_NEED_RUNNING) {
16764 			if (!wdev_running(wdev)) {
16765 				err = -ENETDOWN;
16766 				goto out;
16767 			}
16768 		}
16769 	}
16770 
16771 	while (1) {
16772 		void *hdr = nl80211hdr_put(skb, NETLINK_CB(cb->skb).portid,
16773 					   cb->nlh->nlmsg_seq, NLM_F_MULTI,
16774 					   NL80211_CMD_VENDOR);
16775 		if (!hdr)
16776 			break;
16777 
16778 		if (nla_put_u32(skb, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
16779 		    (wdev && nla_put_u64_64bit(skb, NL80211_ATTR_WDEV,
16780 					       wdev_id(wdev),
16781 					       NL80211_ATTR_PAD))) {
16782 			genlmsg_cancel(skb, hdr);
16783 			break;
16784 		}
16785 
16786 		vendor_data = nla_nest_start_noflag(skb,
16787 						    NL80211_ATTR_VENDOR_DATA);
16788 		if (!vendor_data) {
16789 			genlmsg_cancel(skb, hdr);
16790 			break;
16791 		}
16792 
16793 		err = vcmd->dumpit(&rdev->wiphy, wdev, skb, data, data_len,
16794 				   (unsigned long *)&cb->args[5]);
16795 		nla_nest_end(skb, vendor_data);
16796 
16797 		if (err == -ENOBUFS || err == -ENOENT) {
16798 			genlmsg_cancel(skb, hdr);
16799 			break;
16800 		} else if (err <= 0) {
16801 			genlmsg_cancel(skb, hdr);
16802 			goto out;
16803 		}
16804 
16805 		genlmsg_end(skb, hdr);
16806 	}
16807 
16808 	err = skb->len;
16809  out:
16810 	rtnl_unlock();
16811 	return err;
16812 }
16813 
16814 struct sk_buff *__cfg80211_alloc_reply_skb(struct wiphy *wiphy,
16815 					   enum nl80211_commands cmd,
16816 					   enum nl80211_attrs attr,
16817 					   int approxlen)
16818 {
16819 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
16820 
16821 	if (WARN_ON(!rdev->cur_cmd_info))
16822 		return NULL;
16823 
16824 	return __cfg80211_alloc_vendor_skb(rdev, NULL, approxlen,
16825 					   rdev->cur_cmd_info->snd_portid,
16826 					   rdev->cur_cmd_info->snd_seq,
16827 					   cmd, attr, NULL, GFP_KERNEL);
16828 }
16829 EXPORT_SYMBOL(__cfg80211_alloc_reply_skb);
16830 
16831 int cfg80211_vendor_cmd_reply(struct sk_buff *skb)
16832 {
16833 	struct cfg80211_registered_device *rdev = ((void **)skb->cb)[0];
16834 	void *hdr = ((void **)skb->cb)[1];
16835 	struct nlattr *data = ((void **)skb->cb)[2];
16836 
16837 	/* clear CB data for netlink core to own from now on */
16838 	memset(skb->cb, 0, sizeof(skb->cb));
16839 
16840 	if (WARN_ON(!rdev->cur_cmd_info)) {
16841 		kfree_skb(skb);
16842 		return -EINVAL;
16843 	}
16844 
16845 	nla_nest_end(skb, data);
16846 	genlmsg_end(skb, hdr);
16847 	return genlmsg_reply(skb, rdev->cur_cmd_info);
16848 }
16849 EXPORT_SYMBOL_GPL(cfg80211_vendor_cmd_reply);
16850 
16851 unsigned int cfg80211_vendor_cmd_get_sender(struct wiphy *wiphy)
16852 {
16853 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
16854 
16855 	if (WARN_ON(!rdev->cur_cmd_info))
16856 		return 0;
16857 
16858 	return rdev->cur_cmd_info->snd_portid;
16859 }
16860 EXPORT_SYMBOL_GPL(cfg80211_vendor_cmd_get_sender);
16861 
16862 static int nl80211_set_qos_map(struct sk_buff *skb,
16863 			       struct genl_info *info)
16864 {
16865 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
16866 	struct cfg80211_qos_map *qos_map = NULL;
16867 	struct net_device *dev = info->user_ptr[1];
16868 	u8 *pos, len, num_des, des_len, des;
16869 	int ret;
16870 
16871 	if (!rdev->ops->set_qos_map)
16872 		return -EOPNOTSUPP;
16873 
16874 	if (info->attrs[NL80211_ATTR_QOS_MAP]) {
16875 		pos = nla_data(info->attrs[NL80211_ATTR_QOS_MAP]);
16876 		len = nla_len(info->attrs[NL80211_ATTR_QOS_MAP]);
16877 
16878 		if (len % 2)
16879 			return -EINVAL;
16880 
16881 		qos_map = kzalloc_obj(struct cfg80211_qos_map);
16882 		if (!qos_map)
16883 			return -ENOMEM;
16884 
16885 		num_des = (len - IEEE80211_QOS_MAP_LEN_MIN) >> 1;
16886 		if (num_des) {
16887 			des_len = num_des *
16888 				sizeof(struct cfg80211_dscp_exception);
16889 			memcpy(qos_map->dscp_exception, pos, des_len);
16890 			qos_map->num_des = num_des;
16891 			for (des = 0; des < num_des; des++) {
16892 				if (qos_map->dscp_exception[des].up > 7) {
16893 					kfree(qos_map);
16894 					return -EINVAL;
16895 				}
16896 			}
16897 			pos += des_len;
16898 		}
16899 		memcpy(qos_map->up, pos, IEEE80211_QOS_MAP_LEN_MIN);
16900 	}
16901 
16902 	ret = nl80211_key_allowed(dev->ieee80211_ptr);
16903 	if (!ret)
16904 		ret = rdev_set_qos_map(rdev, dev, qos_map);
16905 
16906 	kfree(qos_map);
16907 	return ret;
16908 }
16909 
16910 static int nl80211_add_tx_ts(struct sk_buff *skb, struct genl_info *info)
16911 {
16912 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
16913 	struct net_device *dev = info->user_ptr[1];
16914 	struct wireless_dev *wdev = dev->ieee80211_ptr;
16915 	const u8 *peer;
16916 	u8 tsid, up;
16917 	u16 admitted_time = 0;
16918 
16919 	if (!(rdev->wiphy.features & NL80211_FEATURE_SUPPORTS_WMM_ADMISSION))
16920 		return -EOPNOTSUPP;
16921 
16922 	if (!info->attrs[NL80211_ATTR_TSID] || !info->attrs[NL80211_ATTR_MAC] ||
16923 	    !info->attrs[NL80211_ATTR_USER_PRIO])
16924 		return -EINVAL;
16925 
16926 	tsid = nla_get_u8(info->attrs[NL80211_ATTR_TSID]);
16927 	up = nla_get_u8(info->attrs[NL80211_ATTR_USER_PRIO]);
16928 
16929 	/* WMM uses TIDs 0-7 even for TSPEC */
16930 	if (tsid >= IEEE80211_FIRST_TSPEC_TSID) {
16931 		/* TODO: handle 802.11 TSPEC/admission control
16932 		 * need more attributes for that (e.g. BA session requirement);
16933 		 * change the WMM admission test above to allow both then
16934 		 */
16935 		return -EINVAL;
16936 	}
16937 
16938 	peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
16939 
16940 	if (info->attrs[NL80211_ATTR_ADMITTED_TIME]) {
16941 		admitted_time =
16942 			nla_get_u16(info->attrs[NL80211_ATTR_ADMITTED_TIME]);
16943 		if (!admitted_time)
16944 			return -EINVAL;
16945 	}
16946 
16947 	switch (wdev->iftype) {
16948 	case NL80211_IFTYPE_STATION:
16949 	case NL80211_IFTYPE_P2P_CLIENT:
16950 		if (wdev->connected)
16951 			break;
16952 		return -ENOTCONN;
16953 	default:
16954 		return -EOPNOTSUPP;
16955 	}
16956 
16957 	return rdev_add_tx_ts(rdev, dev, tsid, peer, up, admitted_time);
16958 }
16959 
16960 static int nl80211_del_tx_ts(struct sk_buff *skb, struct genl_info *info)
16961 {
16962 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
16963 	struct net_device *dev = info->user_ptr[1];
16964 	const u8 *peer;
16965 	u8 tsid;
16966 
16967 	if (!info->attrs[NL80211_ATTR_TSID] || !info->attrs[NL80211_ATTR_MAC])
16968 		return -EINVAL;
16969 
16970 	tsid = nla_get_u8(info->attrs[NL80211_ATTR_TSID]);
16971 	peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
16972 
16973 	return rdev_del_tx_ts(rdev, dev, tsid, peer);
16974 }
16975 
16976 static int nl80211_tdls_channel_switch(struct sk_buff *skb,
16977 				       struct genl_info *info)
16978 {
16979 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
16980 	struct net_device *dev = info->user_ptr[1];
16981 	struct wireless_dev *wdev = dev->ieee80211_ptr;
16982 	struct cfg80211_chan_def chandef = {};
16983 	const u8 *addr;
16984 	u8 oper_class;
16985 	int err;
16986 
16987 	if (!rdev->ops->tdls_channel_switch ||
16988 	    !(rdev->wiphy.features & NL80211_FEATURE_TDLS_CHANNEL_SWITCH))
16989 		return -EOPNOTSUPP;
16990 
16991 	switch (dev->ieee80211_ptr->iftype) {
16992 	case NL80211_IFTYPE_STATION:
16993 	case NL80211_IFTYPE_P2P_CLIENT:
16994 		break;
16995 	default:
16996 		return -EOPNOTSUPP;
16997 	}
16998 
16999 	if (!info->attrs[NL80211_ATTR_MAC] ||
17000 	    !info->attrs[NL80211_ATTR_OPER_CLASS])
17001 		return -EINVAL;
17002 
17003 	err = nl80211_parse_chandef(rdev, info->extack, info->attrs, &chandef);
17004 	if (err)
17005 		return err;
17006 
17007 	/*
17008 	 * Don't allow wide channels on the 2.4Ghz band, as per IEEE802.11-2012
17009 	 * section 10.22.6.2.1. Disallow 5/10Mhz channels as well for now, the
17010 	 * specification is not defined for them.
17011 	 */
17012 	if (chandef.chan->band == NL80211_BAND_2GHZ &&
17013 	    chandef.width != NL80211_CHAN_WIDTH_20_NOHT &&
17014 	    chandef.width != NL80211_CHAN_WIDTH_20)
17015 		return -EINVAL;
17016 
17017 	/* we will be active on the TDLS link */
17018 	if (!cfg80211_reg_can_beacon_relax(&rdev->wiphy, &chandef,
17019 					   wdev->iftype))
17020 		return -EINVAL;
17021 
17022 	/* don't allow switching to DFS channels */
17023 	if (cfg80211_chandef_dfs_required(wdev->wiphy, &chandef, wdev->iftype))
17024 		return -EINVAL;
17025 
17026 	addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
17027 	oper_class = nla_get_u8(info->attrs[NL80211_ATTR_OPER_CLASS]);
17028 
17029 	return rdev_tdls_channel_switch(rdev, dev, addr, oper_class, &chandef);
17030 }
17031 
17032 static int nl80211_tdls_cancel_channel_switch(struct sk_buff *skb,
17033 					      struct genl_info *info)
17034 {
17035 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
17036 	struct net_device *dev = info->user_ptr[1];
17037 	const u8 *addr;
17038 
17039 	if (!rdev->ops->tdls_channel_switch ||
17040 	    !rdev->ops->tdls_cancel_channel_switch ||
17041 	    !(rdev->wiphy.features & NL80211_FEATURE_TDLS_CHANNEL_SWITCH))
17042 		return -EOPNOTSUPP;
17043 
17044 	switch (dev->ieee80211_ptr->iftype) {
17045 	case NL80211_IFTYPE_STATION:
17046 	case NL80211_IFTYPE_P2P_CLIENT:
17047 		break;
17048 	default:
17049 		return -EOPNOTSUPP;
17050 	}
17051 
17052 	if (!info->attrs[NL80211_ATTR_MAC])
17053 		return -EINVAL;
17054 
17055 	addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
17056 
17057 	rdev_tdls_cancel_channel_switch(rdev, dev, addr);
17058 
17059 	return 0;
17060 }
17061 
17062 static int nl80211_set_multicast_to_unicast(struct sk_buff *skb,
17063 					    struct genl_info *info)
17064 {
17065 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
17066 	struct net_device *dev = info->user_ptr[1];
17067 	struct wireless_dev *wdev = dev->ieee80211_ptr;
17068 	const struct nlattr *nla;
17069 	bool enabled;
17070 
17071 	if (!rdev->ops->set_multicast_to_unicast)
17072 		return -EOPNOTSUPP;
17073 
17074 	if (wdev->iftype != NL80211_IFTYPE_AP &&
17075 	    wdev->iftype != NL80211_IFTYPE_P2P_GO)
17076 		return -EOPNOTSUPP;
17077 
17078 	nla = info->attrs[NL80211_ATTR_MULTICAST_TO_UNICAST_ENABLED];
17079 	enabled = nla_get_flag(nla);
17080 
17081 	return rdev_set_multicast_to_unicast(rdev, dev, enabled);
17082 }
17083 
17084 static int nl80211_set_pmk(struct sk_buff *skb, struct genl_info *info)
17085 {
17086 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
17087 	struct net_device *dev = info->user_ptr[1];
17088 	struct wireless_dev *wdev = dev->ieee80211_ptr;
17089 	struct cfg80211_pmk_conf pmk_conf = {};
17090 
17091 	if (wdev->iftype != NL80211_IFTYPE_STATION &&
17092 	    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT)
17093 		return -EOPNOTSUPP;
17094 
17095 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
17096 				     NL80211_EXT_FEATURE_4WAY_HANDSHAKE_STA_1X))
17097 		return -EOPNOTSUPP;
17098 
17099 	if (!info->attrs[NL80211_ATTR_MAC] || !info->attrs[NL80211_ATTR_PMK])
17100 		return -EINVAL;
17101 
17102 	if (!wdev->connected)
17103 		return -ENOTCONN;
17104 
17105 	pmk_conf.aa = nla_data(info->attrs[NL80211_ATTR_MAC]);
17106 	if (memcmp(pmk_conf.aa, wdev->u.client.connected_addr, ETH_ALEN))
17107 		return -EINVAL;
17108 
17109 	pmk_conf.pmk = nla_data(info->attrs[NL80211_ATTR_PMK]);
17110 	pmk_conf.pmk_len = nla_len(info->attrs[NL80211_ATTR_PMK]);
17111 	if (pmk_conf.pmk_len != WLAN_PMK_LEN &&
17112 	    pmk_conf.pmk_len != WLAN_PMK_LEN_SUITE_B_192)
17113 		return -EINVAL;
17114 
17115 	if (info->attrs[NL80211_ATTR_PMKR0_NAME])
17116 		pmk_conf.pmk_r0_name =
17117 			nla_data(info->attrs[NL80211_ATTR_PMKR0_NAME]);
17118 
17119 	return rdev_set_pmk(rdev, dev, &pmk_conf);
17120 }
17121 
17122 static int nl80211_del_pmk(struct sk_buff *skb, struct genl_info *info)
17123 {
17124 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
17125 	struct net_device *dev = info->user_ptr[1];
17126 	struct wireless_dev *wdev = dev->ieee80211_ptr;
17127 	const u8 *aa;
17128 
17129 	if (wdev->iftype != NL80211_IFTYPE_STATION &&
17130 	    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT)
17131 		return -EOPNOTSUPP;
17132 
17133 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
17134 				     NL80211_EXT_FEATURE_4WAY_HANDSHAKE_STA_1X))
17135 		return -EOPNOTSUPP;
17136 
17137 	if (!info->attrs[NL80211_ATTR_MAC])
17138 		return -EINVAL;
17139 
17140 	aa = nla_data(info->attrs[NL80211_ATTR_MAC]);
17141 	return rdev_del_pmk(rdev, dev, aa);
17142 }
17143 
17144 static int nl80211_external_auth(struct sk_buff *skb, struct genl_info *info)
17145 {
17146 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
17147 	struct net_device *dev = info->user_ptr[1];
17148 	struct cfg80211_external_auth_params params;
17149 
17150 	if (!rdev->ops->external_auth)
17151 		return -EOPNOTSUPP;
17152 
17153 	if (!info->attrs[NL80211_ATTR_SSID] &&
17154 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
17155 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
17156 		return -EINVAL;
17157 
17158 	if (!info->attrs[NL80211_ATTR_BSSID])
17159 		return -EINVAL;
17160 
17161 	if (!info->attrs[NL80211_ATTR_STATUS_CODE])
17162 		return -EINVAL;
17163 
17164 	memset(&params, 0, sizeof(params));
17165 
17166 	if (info->attrs[NL80211_ATTR_SSID]) {
17167 		params.ssid.ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
17168 		if (params.ssid.ssid_len == 0)
17169 			return -EINVAL;
17170 		memcpy(params.ssid.ssid,
17171 		       nla_data(info->attrs[NL80211_ATTR_SSID]),
17172 		       params.ssid.ssid_len);
17173 	}
17174 
17175 	memcpy(params.bssid, nla_data(info->attrs[NL80211_ATTR_BSSID]),
17176 	       ETH_ALEN);
17177 
17178 	params.status = nla_get_u16(info->attrs[NL80211_ATTR_STATUS_CODE]);
17179 
17180 	if (info->attrs[NL80211_ATTR_PMKID])
17181 		params.pmkid = nla_data(info->attrs[NL80211_ATTR_PMKID]);
17182 
17183 	return rdev_external_auth(rdev, dev, &params);
17184 }
17185 
17186 static int nl80211_tx_control_port(struct sk_buff *skb, struct genl_info *info)
17187 {
17188 	bool dont_wait_for_ack = info->attrs[NL80211_ATTR_DONT_WAIT_FOR_ACK];
17189 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
17190 	struct net_device *dev = info->user_ptr[1];
17191 	struct wireless_dev *wdev = dev->ieee80211_ptr;
17192 	const u8 *buf;
17193 	size_t len;
17194 	u8 *dest;
17195 	u16 proto;
17196 	bool noencrypt;
17197 	u64 cookie = 0;
17198 	int link_id;
17199 	int err;
17200 
17201 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
17202 				     NL80211_EXT_FEATURE_CONTROL_PORT_OVER_NL80211))
17203 		return -EOPNOTSUPP;
17204 
17205 	if (!rdev->ops->tx_control_port)
17206 		return -EOPNOTSUPP;
17207 
17208 	if (!info->attrs[NL80211_ATTR_FRAME] ||
17209 	    !info->attrs[NL80211_ATTR_MAC] ||
17210 	    !info->attrs[NL80211_ATTR_CONTROL_PORT_ETHERTYPE]) {
17211 		GENL_SET_ERR_MSG(info, "Frame, MAC or ethertype missing");
17212 		return -EINVAL;
17213 	}
17214 
17215 	switch (wdev->iftype) {
17216 	case NL80211_IFTYPE_AP:
17217 	case NL80211_IFTYPE_P2P_GO:
17218 	case NL80211_IFTYPE_MESH_POINT:
17219 		break;
17220 	case NL80211_IFTYPE_ADHOC:
17221 		if (wdev->u.ibss.current_bss)
17222 			break;
17223 		return -ENOTCONN;
17224 	case NL80211_IFTYPE_STATION:
17225 	case NL80211_IFTYPE_P2P_CLIENT:
17226 		if (wdev->connected)
17227 			break;
17228 		return -ENOTCONN;
17229 	default:
17230 		return -EOPNOTSUPP;
17231 	}
17232 
17233 	buf = nla_data(info->attrs[NL80211_ATTR_FRAME]);
17234 	len = nla_len(info->attrs[NL80211_ATTR_FRAME]);
17235 	dest = nla_data(info->attrs[NL80211_ATTR_MAC]);
17236 	proto = nla_get_u16(info->attrs[NL80211_ATTR_CONTROL_PORT_ETHERTYPE]);
17237 	noencrypt =
17238 		nla_get_flag(info->attrs[NL80211_ATTR_CONTROL_PORT_NO_ENCRYPT]);
17239 
17240 	link_id = nl80211_link_id_or_invalid(info->attrs);
17241 
17242 	err = rdev_tx_control_port(rdev, dev, buf, len,
17243 				   dest, cpu_to_be16(proto), noencrypt, link_id,
17244 				   dont_wait_for_ack ? NULL : &cookie);
17245 	if (!err && !dont_wait_for_ack)
17246 		nl_set_extack_cookie_u64(info->extack, cookie);
17247 	return err;
17248 }
17249 
17250 static int nl80211_get_ftm_responder_stats(struct sk_buff *skb,
17251 					   struct genl_info *info)
17252 {
17253 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
17254 	struct net_device *dev = info->user_ptr[1];
17255 	struct wireless_dev *wdev = dev->ieee80211_ptr;
17256 	struct cfg80211_ftm_responder_stats ftm_stats = {};
17257 	unsigned int link_id = nl80211_link_id(info->attrs);
17258 	struct sk_buff *msg;
17259 	void *hdr;
17260 	struct nlattr *ftm_stats_attr;
17261 	int err;
17262 
17263 	if (wdev->iftype != NL80211_IFTYPE_AP ||
17264 	    !wdev->links[link_id].ap.beacon_interval)
17265 		return -EOPNOTSUPP;
17266 
17267 	err = rdev_get_ftm_responder_stats(rdev, dev, &ftm_stats);
17268 	if (err)
17269 		return err;
17270 
17271 	if (!ftm_stats.filled)
17272 		return -ENODATA;
17273 
17274 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
17275 	if (!msg)
17276 		return -ENOMEM;
17277 
17278 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
17279 			     NL80211_CMD_GET_FTM_RESPONDER_STATS);
17280 	if (!hdr)
17281 		goto nla_put_failure;
17282 
17283 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
17284 		goto nla_put_failure;
17285 
17286 	ftm_stats_attr = nla_nest_start_noflag(msg,
17287 					       NL80211_ATTR_FTM_RESPONDER_STATS);
17288 	if (!ftm_stats_attr)
17289 		goto nla_put_failure;
17290 
17291 #define SET_FTM(field, name, type)					 \
17292 	do { if ((ftm_stats.filled & BIT(NL80211_FTM_STATS_ ## name)) && \
17293 	    nla_put_ ## type(msg, NL80211_FTM_STATS_ ## name,		 \
17294 			     ftm_stats.field))				 \
17295 		goto nla_put_failure; } while (0)
17296 #define SET_FTM_U64(field, name)					 \
17297 	do { if ((ftm_stats.filled & BIT(NL80211_FTM_STATS_ ## name)) && \
17298 	    nla_put_u64_64bit(msg, NL80211_FTM_STATS_ ## name,		 \
17299 			      ftm_stats.field, NL80211_FTM_STATS_PAD))	 \
17300 		goto nla_put_failure; } while (0)
17301 
17302 	SET_FTM(success_num, SUCCESS_NUM, u32);
17303 	SET_FTM(partial_num, PARTIAL_NUM, u32);
17304 	SET_FTM(failed_num, FAILED_NUM, u32);
17305 	SET_FTM(asap_num, ASAP_NUM, u32);
17306 	SET_FTM(non_asap_num, NON_ASAP_NUM, u32);
17307 	SET_FTM_U64(total_duration_ms, TOTAL_DURATION_MSEC);
17308 	SET_FTM(unknown_triggers_num, UNKNOWN_TRIGGERS_NUM, u32);
17309 	SET_FTM(reschedule_requests_num, RESCHEDULE_REQUESTS_NUM, u32);
17310 	SET_FTM(out_of_window_triggers_num, OUT_OF_WINDOW_TRIGGERS_NUM, u32);
17311 #undef SET_FTM
17312 
17313 	nla_nest_end(msg, ftm_stats_attr);
17314 
17315 	genlmsg_end(msg, hdr);
17316 	return genlmsg_reply(msg, info);
17317 
17318 nla_put_failure:
17319 	nlmsg_free(msg);
17320 	return -ENOBUFS;
17321 }
17322 
17323 static int nl80211_update_owe_info(struct sk_buff *skb, struct genl_info *info)
17324 {
17325 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
17326 	struct cfg80211_update_owe_info owe_info;
17327 	struct net_device *dev = info->user_ptr[1];
17328 
17329 	if (!rdev->ops->update_owe_info)
17330 		return -EOPNOTSUPP;
17331 
17332 	if (!info->attrs[NL80211_ATTR_STATUS_CODE] ||
17333 	    !info->attrs[NL80211_ATTR_MAC])
17334 		return -EINVAL;
17335 
17336 	memset(&owe_info, 0, sizeof(owe_info));
17337 	owe_info.status = nla_get_u16(info->attrs[NL80211_ATTR_STATUS_CODE]);
17338 	nla_memcpy(owe_info.peer, info->attrs[NL80211_ATTR_MAC], ETH_ALEN);
17339 
17340 	if (info->attrs[NL80211_ATTR_IE]) {
17341 		owe_info.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
17342 		owe_info.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
17343 	}
17344 
17345 	return rdev_update_owe_info(rdev, dev, &owe_info);
17346 }
17347 
17348 static int nl80211_probe_mesh_link(struct sk_buff *skb, struct genl_info *info)
17349 {
17350 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
17351 	struct net_device *dev = info->user_ptr[1];
17352 	struct wireless_dev *wdev = dev->ieee80211_ptr;
17353 	struct station_info sinfo = {};
17354 	const u8 *buf;
17355 	size_t len;
17356 	u8 *dest;
17357 	int err;
17358 
17359 	if (!rdev->ops->probe_mesh_link || !rdev->ops->get_station)
17360 		return -EOPNOTSUPP;
17361 
17362 	if (!info->attrs[NL80211_ATTR_MAC] ||
17363 	    !info->attrs[NL80211_ATTR_FRAME]) {
17364 		GENL_SET_ERR_MSG(info, "Frame or MAC missing");
17365 		return -EINVAL;
17366 	}
17367 
17368 	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT)
17369 		return -EOPNOTSUPP;
17370 
17371 	dest = nla_data(info->attrs[NL80211_ATTR_MAC]);
17372 	buf = nla_data(info->attrs[NL80211_ATTR_FRAME]);
17373 	len = nla_len(info->attrs[NL80211_ATTR_FRAME]);
17374 
17375 	if (len < sizeof(struct ethhdr))
17376 		return -EINVAL;
17377 
17378 	if (!ether_addr_equal(buf, dest) || is_multicast_ether_addr(buf) ||
17379 	    !ether_addr_equal(buf + ETH_ALEN, dev->dev_addr))
17380 		return -EINVAL;
17381 
17382 	err = rdev_get_station(rdev, wdev, dest, &sinfo);
17383 	if (err)
17384 		return err;
17385 
17386 	cfg80211_sinfo_release_content(&sinfo);
17387 
17388 	return rdev_probe_mesh_link(rdev, dev, dest, buf, len);
17389 }
17390 
17391 static int parse_tid_conf(struct cfg80211_registered_device *rdev,
17392 			  struct nlattr *attrs[], struct net_device *dev,
17393 			  struct cfg80211_tid_cfg *tid_conf,
17394 			  struct genl_info *info, const u8 *peer,
17395 			  unsigned int link_id)
17396 {
17397 	struct netlink_ext_ack *extack = info->extack;
17398 	u64 mask;
17399 	int err;
17400 
17401 	if (!attrs[NL80211_TID_CONFIG_ATTR_TIDS])
17402 		return -EINVAL;
17403 
17404 	tid_conf->config_override =
17405 			nla_get_flag(attrs[NL80211_TID_CONFIG_ATTR_OVERRIDE]);
17406 	tid_conf->tids = nla_get_u16(attrs[NL80211_TID_CONFIG_ATTR_TIDS]);
17407 
17408 	if (tid_conf->config_override) {
17409 		if (rdev->ops->reset_tid_config) {
17410 			err = rdev_reset_tid_config(rdev, dev, peer,
17411 						    tid_conf->tids);
17412 			if (err)
17413 				return err;
17414 		} else {
17415 			return -EINVAL;
17416 		}
17417 	}
17418 
17419 	if (attrs[NL80211_TID_CONFIG_ATTR_NOACK]) {
17420 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_NOACK);
17421 		tid_conf->noack =
17422 			nla_get_u8(attrs[NL80211_TID_CONFIG_ATTR_NOACK]);
17423 	}
17424 
17425 	if (attrs[NL80211_TID_CONFIG_ATTR_RETRY_SHORT]) {
17426 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_RETRY_SHORT);
17427 		tid_conf->retry_short =
17428 			nla_get_u8(attrs[NL80211_TID_CONFIG_ATTR_RETRY_SHORT]);
17429 
17430 		if (tid_conf->retry_short > rdev->wiphy.max_data_retry_count)
17431 			return -EINVAL;
17432 	}
17433 
17434 	if (attrs[NL80211_TID_CONFIG_ATTR_RETRY_LONG]) {
17435 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_RETRY_LONG);
17436 		tid_conf->retry_long =
17437 			nla_get_u8(attrs[NL80211_TID_CONFIG_ATTR_RETRY_LONG]);
17438 
17439 		if (tid_conf->retry_long > rdev->wiphy.max_data_retry_count)
17440 			return -EINVAL;
17441 	}
17442 
17443 	if (attrs[NL80211_TID_CONFIG_ATTR_AMPDU_CTRL]) {
17444 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_AMPDU_CTRL);
17445 		tid_conf->ampdu =
17446 			nla_get_u8(attrs[NL80211_TID_CONFIG_ATTR_AMPDU_CTRL]);
17447 	}
17448 
17449 	if (attrs[NL80211_TID_CONFIG_ATTR_RTSCTS_CTRL]) {
17450 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_RTSCTS_CTRL);
17451 		tid_conf->rtscts =
17452 			nla_get_u8(attrs[NL80211_TID_CONFIG_ATTR_RTSCTS_CTRL]);
17453 	}
17454 
17455 	if (attrs[NL80211_TID_CONFIG_ATTR_AMSDU_CTRL]) {
17456 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_AMSDU_CTRL);
17457 		tid_conf->amsdu =
17458 			nla_get_u8(attrs[NL80211_TID_CONFIG_ATTR_AMSDU_CTRL]);
17459 	}
17460 
17461 	if (attrs[NL80211_TID_CONFIG_ATTR_TX_RATE_TYPE]) {
17462 		u32 idx = NL80211_TID_CONFIG_ATTR_TX_RATE_TYPE, attr;
17463 
17464 		tid_conf->txrate_type = nla_get_u8(attrs[idx]);
17465 
17466 		if (tid_conf->txrate_type != NL80211_TX_RATE_AUTOMATIC) {
17467 			attr = NL80211_TID_CONFIG_ATTR_TX_RATE;
17468 			err = nl80211_parse_tx_bitrate_mask(info, attrs, attr,
17469 						    &tid_conf->txrate_mask, dev,
17470 						    true, link_id);
17471 			if (err)
17472 				return err;
17473 
17474 			tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_TX_RATE);
17475 		}
17476 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_TX_RATE_TYPE);
17477 	}
17478 
17479 	if (peer)
17480 		mask = rdev->wiphy.tid_config_support.peer;
17481 	else
17482 		mask = rdev->wiphy.tid_config_support.vif;
17483 
17484 	if (tid_conf->mask & ~mask) {
17485 		NL_SET_ERR_MSG(extack, "unsupported TID configuration");
17486 		return -EOPNOTSUPP;
17487 	}
17488 
17489 	return 0;
17490 }
17491 
17492 static int nl80211_set_tid_config(struct sk_buff *skb,
17493 				  struct genl_info *info)
17494 {
17495 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
17496 	struct nlattr *attrs[NL80211_TID_CONFIG_ATTR_MAX + 1];
17497 	unsigned int link_id = nl80211_link_id(info->attrs);
17498 	struct net_device *dev = info->user_ptr[1];
17499 	struct cfg80211_tid_config *tid_config;
17500 	struct nlattr *tid;
17501 	int conf_idx = 0, rem_conf;
17502 	int ret = -EINVAL;
17503 	u32 num_conf = 0;
17504 
17505 	if (!info->attrs[NL80211_ATTR_TID_CONFIG])
17506 		return -EINVAL;
17507 
17508 	if (!rdev->ops->set_tid_config)
17509 		return -EOPNOTSUPP;
17510 
17511 	nla_for_each_nested(tid, info->attrs[NL80211_ATTR_TID_CONFIG],
17512 			    rem_conf)
17513 		num_conf++;
17514 
17515 	tid_config = kzalloc_flex(*tid_config, tid_conf, num_conf);
17516 	if (!tid_config)
17517 		return -ENOMEM;
17518 
17519 	tid_config->n_tid_conf = num_conf;
17520 
17521 	if (info->attrs[NL80211_ATTR_MAC])
17522 		tid_config->peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
17523 
17524 	nla_for_each_nested(tid, info->attrs[NL80211_ATTR_TID_CONFIG],
17525 			    rem_conf) {
17526 		ret = nla_parse_nested(attrs, NL80211_TID_CONFIG_ATTR_MAX,
17527 				       tid, NULL, NULL);
17528 
17529 		if (ret)
17530 			goto bad_tid_conf;
17531 
17532 		ret = parse_tid_conf(rdev, attrs, dev,
17533 				     &tid_config->tid_conf[conf_idx],
17534 				     info, tid_config->peer, link_id);
17535 		if (ret)
17536 			goto bad_tid_conf;
17537 
17538 		conf_idx++;
17539 	}
17540 
17541 	ret = rdev_set_tid_config(rdev, dev, tid_config);
17542 
17543 bad_tid_conf:
17544 	kfree(tid_config);
17545 	return ret;
17546 }
17547 
17548 static int nl80211_color_change(struct sk_buff *skb, struct genl_info *info)
17549 {
17550 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
17551 	struct cfg80211_color_change_settings params = {};
17552 	struct net_device *dev = info->user_ptr[1];
17553 	struct wireless_dev *wdev = dev->ieee80211_ptr;
17554 	struct nlattr **tb;
17555 	u16 offset;
17556 	int err;
17557 
17558 	if (!rdev->ops->color_change)
17559 		return -EOPNOTSUPP;
17560 
17561 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
17562 				     NL80211_EXT_FEATURE_BSS_COLOR))
17563 		return -EOPNOTSUPP;
17564 
17565 	if (wdev->iftype != NL80211_IFTYPE_AP)
17566 		return -EOPNOTSUPP;
17567 
17568 	if (!info->attrs[NL80211_ATTR_COLOR_CHANGE_COUNT] ||
17569 	    !info->attrs[NL80211_ATTR_COLOR_CHANGE_COLOR] ||
17570 	    !info->attrs[NL80211_ATTR_COLOR_CHANGE_ELEMS])
17571 		return -EINVAL;
17572 
17573 	params.count = nla_get_u8(info->attrs[NL80211_ATTR_COLOR_CHANGE_COUNT]);
17574 	params.color = nla_get_u8(info->attrs[NL80211_ATTR_COLOR_CHANGE_COLOR]);
17575 
17576 	err = nl80211_parse_beacon(rdev, info->attrs, &params.beacon_next,
17577 				   info->extack);
17578 	if (err)
17579 		return err;
17580 
17581 	tb = kzalloc_objs(*tb, NL80211_ATTR_MAX + 1);
17582 	if (!tb)
17583 		return -ENOMEM;
17584 
17585 	err = nla_parse_nested(tb, NL80211_ATTR_MAX,
17586 			       info->attrs[NL80211_ATTR_COLOR_CHANGE_ELEMS],
17587 			       nl80211_policy, info->extack);
17588 	if (err)
17589 		goto out;
17590 
17591 	err = nl80211_parse_beacon(rdev, tb, &params.beacon_color_change,
17592 				   info->extack);
17593 	if (err)
17594 		goto out;
17595 
17596 	if (!tb[NL80211_ATTR_CNTDWN_OFFS_BEACON]) {
17597 		err = -EINVAL;
17598 		goto out;
17599 	}
17600 
17601 	if (nla_len(tb[NL80211_ATTR_CNTDWN_OFFS_BEACON]) != sizeof(u16)) {
17602 		err = -EINVAL;
17603 		goto out;
17604 	}
17605 
17606 	offset = nla_get_u16(tb[NL80211_ATTR_CNTDWN_OFFS_BEACON]);
17607 	if (offset >= params.beacon_color_change.tail_len) {
17608 		err = -EINVAL;
17609 		goto out;
17610 	}
17611 
17612 	if (params.beacon_color_change.tail[offset] != params.count) {
17613 		err = -EINVAL;
17614 		goto out;
17615 	}
17616 
17617 	params.counter_offset_beacon = offset;
17618 
17619 	if (tb[NL80211_ATTR_CNTDWN_OFFS_PRESP]) {
17620 		if (nla_len(tb[NL80211_ATTR_CNTDWN_OFFS_PRESP]) !=
17621 		    sizeof(u16)) {
17622 			err = -EINVAL;
17623 			goto out;
17624 		}
17625 
17626 		offset = nla_get_u16(tb[NL80211_ATTR_CNTDWN_OFFS_PRESP]);
17627 		if (offset >= params.beacon_color_change.probe_resp_len) {
17628 			err = -EINVAL;
17629 			goto out;
17630 		}
17631 
17632 		if (params.beacon_color_change.probe_resp[offset] !=
17633 		    params.count) {
17634 			err = -EINVAL;
17635 			goto out;
17636 		}
17637 
17638 		params.counter_offset_presp = offset;
17639 	}
17640 
17641 	if (info->attrs[NL80211_ATTR_UNSOL_BCAST_PROBE_RESP]) {
17642 		err = nl80211_parse_unsol_bcast_probe_resp(
17643 			rdev, info->attrs[NL80211_ATTR_UNSOL_BCAST_PROBE_RESP],
17644 			&params.unsol_bcast_probe_resp);
17645 		if (err)
17646 			goto out;
17647 	}
17648 
17649 	params.link_id = nl80211_link_id(info->attrs);
17650 	err = rdev_color_change(rdev, dev, &params);
17651 
17652 out:
17653 	kfree(params.beacon_next.mbssid_ies);
17654 	kfree(params.beacon_color_change.mbssid_ies);
17655 	kfree(params.beacon_next.rnr_ies);
17656 	kfree(params.beacon_color_change.rnr_ies);
17657 	kfree(tb);
17658 	return err;
17659 }
17660 
17661 static int nl80211_set_fils_aad(struct sk_buff *skb,
17662 				struct genl_info *info)
17663 {
17664 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
17665 	struct net_device *dev = info->user_ptr[1];
17666 	struct cfg80211_fils_aad fils_aad = {};
17667 	u8 *nonces;
17668 
17669 	if (!info->attrs[NL80211_ATTR_MAC] ||
17670 	    !info->attrs[NL80211_ATTR_FILS_KEK] ||
17671 	    !info->attrs[NL80211_ATTR_FILS_NONCES])
17672 		return -EINVAL;
17673 
17674 	fils_aad.macaddr = nla_data(info->attrs[NL80211_ATTR_MAC]);
17675 	fils_aad.kek_len = nla_len(info->attrs[NL80211_ATTR_FILS_KEK]);
17676 	fils_aad.kek = nla_data(info->attrs[NL80211_ATTR_FILS_KEK]);
17677 	nonces = nla_data(info->attrs[NL80211_ATTR_FILS_NONCES]);
17678 	fils_aad.snonce = nonces;
17679 	fils_aad.anonce = nonces + FILS_NONCE_LEN;
17680 
17681 	return rdev_set_fils_aad(rdev, dev, &fils_aad);
17682 }
17683 
17684 static int nl80211_add_link(struct sk_buff *skb, struct genl_info *info)
17685 {
17686 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
17687 	unsigned int link_id = nl80211_link_id(info->attrs);
17688 	struct net_device *dev = info->user_ptr[1];
17689 	struct wireless_dev *wdev = dev->ieee80211_ptr;
17690 	int ret;
17691 
17692 	if (!(wdev->wiphy->flags & WIPHY_FLAG_SUPPORTS_MLO))
17693 		return -EINVAL;
17694 
17695 	switch (wdev->iftype) {
17696 	case NL80211_IFTYPE_AP:
17697 		break;
17698 	default:
17699 		return -EINVAL;
17700 	}
17701 
17702 	if (!info->attrs[NL80211_ATTR_MAC] ||
17703 	    !is_valid_ether_addr(nla_data(info->attrs[NL80211_ATTR_MAC])))
17704 		return -EINVAL;
17705 
17706 	wdev->valid_links |= BIT(link_id);
17707 	ether_addr_copy(wdev->links[link_id].addr,
17708 			nla_data(info->attrs[NL80211_ATTR_MAC]));
17709 
17710 	ret = rdev_add_intf_link(rdev, wdev, link_id);
17711 	if (ret) {
17712 		wdev->valid_links &= ~BIT(link_id);
17713 		eth_zero_addr(wdev->links[link_id].addr);
17714 	}
17715 
17716 	return ret;
17717 }
17718 
17719 static int nl80211_remove_link(struct sk_buff *skb, struct genl_info *info)
17720 {
17721 	unsigned int link_id = nl80211_link_id(info->attrs);
17722 	struct net_device *dev = info->user_ptr[1];
17723 	struct wireless_dev *wdev = dev->ieee80211_ptr;
17724 
17725 	/* cannot remove if there's no link */
17726 	if (!info->attrs[NL80211_ATTR_MLO_LINK_ID])
17727 		return -EINVAL;
17728 
17729 	switch (wdev->iftype) {
17730 	case NL80211_IFTYPE_AP:
17731 		break;
17732 	default:
17733 		return -EINVAL;
17734 	}
17735 
17736 	cfg80211_remove_link(wdev, link_id);
17737 
17738 	return 0;
17739 }
17740 
17741 static int
17742 nl80211_add_mod_link_station(struct sk_buff *skb, struct genl_info *info,
17743 			     bool add)
17744 {
17745 	struct link_station_parameters params = {};
17746 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
17747 	struct net_device *dev = info->user_ptr[1];
17748 	int err;
17749 
17750 	if ((add && !rdev->ops->add_link_station) ||
17751 	    (!add && !rdev->ops->mod_link_station))
17752 		return -EOPNOTSUPP;
17753 
17754 	if (add && !info->attrs[NL80211_ATTR_MAC])
17755 		return -EINVAL;
17756 
17757 	if (!info->attrs[NL80211_ATTR_MLD_ADDR])
17758 		return -EINVAL;
17759 
17760 	if (add && !info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES])
17761 		return -EINVAL;
17762 
17763 	params.mld_mac = nla_data(info->attrs[NL80211_ATTR_MLD_ADDR]);
17764 
17765 	if (info->attrs[NL80211_ATTR_MAC]) {
17766 		params.link_mac = nla_data(info->attrs[NL80211_ATTR_MAC]);
17767 		if (!is_valid_ether_addr(params.link_mac))
17768 			return -EINVAL;
17769 	}
17770 
17771 	if (!info->attrs[NL80211_ATTR_MLO_LINK_ID])
17772 		return -EINVAL;
17773 
17774 	params.link_id = nla_get_u8(info->attrs[NL80211_ATTR_MLO_LINK_ID]);
17775 
17776 	if (info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]) {
17777 		params.supported_rates =
17778 			nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
17779 		params.supported_rates_len =
17780 			nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
17781 	}
17782 
17783 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY])
17784 		params.ht_capa =
17785 			nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]);
17786 
17787 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY])
17788 		params.vht_capa =
17789 			nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]);
17790 
17791 	if (info->attrs[NL80211_ATTR_HE_CAPABILITY]) {
17792 		params.he_capa =
17793 			nla_data(info->attrs[NL80211_ATTR_HE_CAPABILITY]);
17794 		params.he_capa_len =
17795 			nla_len(info->attrs[NL80211_ATTR_HE_CAPABILITY]);
17796 
17797 		if (info->attrs[NL80211_ATTR_EHT_CAPABILITY]) {
17798 			params.eht_capa =
17799 				nla_data(info->attrs[NL80211_ATTR_EHT_CAPABILITY]);
17800 			params.eht_capa_len =
17801 				nla_len(info->attrs[NL80211_ATTR_EHT_CAPABILITY]);
17802 
17803 			if (!ieee80211_eht_capa_size_ok((const u8 *)params.he_capa,
17804 							(const u8 *)params.eht_capa,
17805 							params.eht_capa_len,
17806 							false))
17807 				return -EINVAL;
17808 		}
17809 	}
17810 
17811 	if (info->attrs[NL80211_ATTR_UHR_CAPABILITY]) {
17812 		if (!params.eht_capa)
17813 			return -EINVAL;
17814 
17815 		params.uhr_capa =
17816 			nla_data(info->attrs[NL80211_ATTR_UHR_CAPABILITY]);
17817 		params.uhr_capa_len =
17818 			nla_len(info->attrs[NL80211_ATTR_UHR_CAPABILITY]);
17819 	}
17820 
17821 	if (info->attrs[NL80211_ATTR_HE_6GHZ_CAPABILITY])
17822 		params.he_6ghz_capa =
17823 			nla_data(info->attrs[NL80211_ATTR_HE_6GHZ_CAPABILITY]);
17824 
17825 	if (info->attrs[NL80211_ATTR_OPMODE_NOTIF]) {
17826 		params.opmode_notif_used = true;
17827 		params.opmode_notif =
17828 			nla_get_u8(info->attrs[NL80211_ATTR_OPMODE_NOTIF]);
17829 	}
17830 
17831 	err = nl80211_parse_sta_txpower_setting(info, &params.txpwr,
17832 						&params.txpwr_set);
17833 	if (err)
17834 		return err;
17835 
17836 	if (add)
17837 		return rdev_add_link_station(rdev, dev, &params);
17838 
17839 	return rdev_mod_link_station(rdev, dev, &params);
17840 }
17841 
17842 static int
17843 nl80211_add_link_station(struct sk_buff *skb, struct genl_info *info)
17844 {
17845 	return nl80211_add_mod_link_station(skb, info, true);
17846 }
17847 
17848 static int
17849 nl80211_modify_link_station(struct sk_buff *skb, struct genl_info *info)
17850 {
17851 	return nl80211_add_mod_link_station(skb, info, false);
17852 }
17853 
17854 static int
17855 nl80211_remove_link_station(struct sk_buff *skb, struct genl_info *info)
17856 {
17857 	struct link_station_del_parameters params = {};
17858 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
17859 	struct net_device *dev = info->user_ptr[1];
17860 
17861 	if (!rdev->ops->del_link_station)
17862 		return -EOPNOTSUPP;
17863 
17864 	if (!info->attrs[NL80211_ATTR_MLD_ADDR] ||
17865 	    !info->attrs[NL80211_ATTR_MLO_LINK_ID])
17866 		return -EINVAL;
17867 
17868 	params.mld_mac = nla_data(info->attrs[NL80211_ATTR_MLD_ADDR]);
17869 	params.link_id = nla_get_u8(info->attrs[NL80211_ATTR_MLO_LINK_ID]);
17870 
17871 	return rdev_del_link_station(rdev, dev, &params);
17872 }
17873 
17874 static int nl80211_set_hw_timestamp(struct sk_buff *skb,
17875 				    struct genl_info *info)
17876 {
17877 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
17878 	struct net_device *dev = info->user_ptr[1];
17879 	struct cfg80211_set_hw_timestamp hwts = {};
17880 
17881 	if (!rdev->wiphy.hw_timestamp_max_peers)
17882 		return -EOPNOTSUPP;
17883 
17884 	if (!info->attrs[NL80211_ATTR_MAC] &&
17885 	    rdev->wiphy.hw_timestamp_max_peers != CFG80211_HW_TIMESTAMP_ALL_PEERS)
17886 		return -EOPNOTSUPP;
17887 
17888 	if (info->attrs[NL80211_ATTR_MAC])
17889 		hwts.macaddr = nla_data(info->attrs[NL80211_ATTR_MAC]);
17890 
17891 	hwts.enable =
17892 		nla_get_flag(info->attrs[NL80211_ATTR_HW_TIMESTAMP_ENABLED]);
17893 
17894 	return rdev_set_hw_timestamp(rdev, dev, &hwts);
17895 }
17896 
17897 static int
17898 nl80211_set_ttlm(struct sk_buff *skb, struct genl_info *info)
17899 {
17900 	struct cfg80211_ttlm_params params = {};
17901 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
17902 	struct net_device *dev = info->user_ptr[1];
17903 	struct wireless_dev *wdev = dev->ieee80211_ptr;
17904 
17905 	if (wdev->iftype != NL80211_IFTYPE_STATION &&
17906 	    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT)
17907 		return -EOPNOTSUPP;
17908 
17909 	if (!wdev->connected)
17910 		return -ENOLINK;
17911 
17912 	if (!info->attrs[NL80211_ATTR_MLO_TTLM_DLINK] ||
17913 	    !info->attrs[NL80211_ATTR_MLO_TTLM_ULINK])
17914 		return -EINVAL;
17915 
17916 	nla_memcpy(params.dlink,
17917 		   info->attrs[NL80211_ATTR_MLO_TTLM_DLINK],
17918 		   sizeof(params.dlink));
17919 	nla_memcpy(params.ulink,
17920 		   info->attrs[NL80211_ATTR_MLO_TTLM_ULINK],
17921 		   sizeof(params.ulink));
17922 
17923 	return rdev_set_ttlm(rdev, dev, &params);
17924 }
17925 
17926 static int nl80211_assoc_ml_reconf(struct sk_buff *skb, struct genl_info *info)
17927 {
17928 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
17929 	struct net_device *dev = info->user_ptr[1];
17930 	struct wireless_dev *wdev = dev->ieee80211_ptr;
17931 	struct cfg80211_ml_reconf_req req = {};
17932 	unsigned int link_id;
17933 	u16 add_links;
17934 	int err;
17935 
17936 	if (!wdev->valid_links)
17937 		return -EINVAL;
17938 
17939 	if (dev->ieee80211_ptr->conn_owner_nlportid &&
17940 	    dev->ieee80211_ptr->conn_owner_nlportid != info->snd_portid)
17941 		return -EPERM;
17942 
17943 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
17944 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
17945 		return -EOPNOTSUPP;
17946 
17947 	add_links = 0;
17948 	if (info->attrs[NL80211_ATTR_MLO_LINKS]) {
17949 		err = nl80211_process_links(rdev, req.add_links,
17950 					    /* mark as MLO, but not assoc */
17951 					    IEEE80211_MLD_MAX_NUM_LINKS,
17952 					    NULL, 0, info);
17953 		if (err)
17954 			return err;
17955 
17956 		for (link_id = 0; link_id < IEEE80211_MLD_MAX_NUM_LINKS;
17957 		     link_id++) {
17958 			if (!req.add_links[link_id].bss)
17959 				continue;
17960 			add_links |= BIT(link_id);
17961 		}
17962 	}
17963 
17964 	if (info->attrs[NL80211_ATTR_MLO_RECONF_REM_LINKS])
17965 		req.rem_links =
17966 			nla_get_u16(info->attrs[NL80211_ATTR_MLO_RECONF_REM_LINKS]);
17967 
17968 	/* Validate that existing links are not added, removed links are valid
17969 	 * and don't allow adding and removing the same links
17970 	 */
17971 	if ((add_links & req.rem_links) || !(add_links | req.rem_links) ||
17972 	    (wdev->valid_links & add_links) ||
17973 	    ((wdev->valid_links & req.rem_links) != req.rem_links)) {
17974 		err = -EINVAL;
17975 		goto out;
17976 	}
17977 
17978 	if (info->attrs[NL80211_ATTR_ASSOC_MLD_EXT_CAPA_OPS])
17979 		req.ext_mld_capa_ops =
17980 			nla_get_u16(info->attrs[NL80211_ATTR_ASSOC_MLD_EXT_CAPA_OPS]);
17981 
17982 	err = cfg80211_assoc_ml_reconf(rdev, dev, &req);
17983 
17984 out:
17985 	for (link_id = 0; link_id < ARRAY_SIZE(req.add_links); link_id++)
17986 		cfg80211_put_bss(&rdev->wiphy, req.add_links[link_id].bss);
17987 
17988 	return err;
17989 }
17990 
17991 static int
17992 nl80211_epcs_cfg(struct sk_buff *skb, struct genl_info *info)
17993 {
17994 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
17995 	struct net_device *dev = info->user_ptr[1];
17996 	struct wireless_dev *wdev = dev->ieee80211_ptr;
17997 	bool val;
17998 
17999 	if (wdev->iftype != NL80211_IFTYPE_STATION &&
18000 	    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT)
18001 		return -EOPNOTSUPP;
18002 
18003 	if (!wdev->connected)
18004 		return -ENOLINK;
18005 
18006 	val = nla_get_flag(info->attrs[NL80211_ATTR_EPCS]);
18007 
18008 	return rdev_set_epcs(rdev, dev, val);
18009 }
18010 
18011 #define NL80211_FLAG_NEED_WIPHY		0x01
18012 #define NL80211_FLAG_NEED_NETDEV	0x02
18013 #define NL80211_FLAG_NEED_RTNL		0x04
18014 #define NL80211_FLAG_CHECK_NETDEV_UP	0x08
18015 #define NL80211_FLAG_NEED_NETDEV_UP	(NL80211_FLAG_NEED_NETDEV |\
18016 					 NL80211_FLAG_CHECK_NETDEV_UP)
18017 #define NL80211_FLAG_NEED_WDEV		0x10
18018 /* If a netdev is associated, it must be UP, P2P must be started */
18019 #define NL80211_FLAG_NEED_WDEV_UP	(NL80211_FLAG_NEED_WDEV |\
18020 					 NL80211_FLAG_CHECK_NETDEV_UP)
18021 #define NL80211_FLAG_CLEAR_SKB		0x20
18022 #define NL80211_FLAG_NO_WIPHY_MTX	0x40
18023 #define NL80211_FLAG_MLO_VALID_LINK_ID	0x80
18024 #define NL80211_FLAG_MLO_UNSUPPORTED	0x100
18025 
18026 #define INTERNAL_FLAG_SELECTORS(__sel)			\
18027 	SELECTOR(__sel, NONE, 0) /* must be first */	\
18028 	SELECTOR(__sel, WIPHY,				\
18029 		 NL80211_FLAG_NEED_WIPHY)		\
18030 	SELECTOR(__sel, WDEV,				\
18031 		 NL80211_FLAG_NEED_WDEV)		\
18032 	SELECTOR(__sel, NETDEV,				\
18033 		 NL80211_FLAG_NEED_NETDEV)		\
18034 	SELECTOR(__sel, NETDEV_LINK,			\
18035 		 NL80211_FLAG_NEED_NETDEV |		\
18036 		 NL80211_FLAG_MLO_VALID_LINK_ID)	\
18037 	SELECTOR(__sel, NETDEV_NO_MLO,			\
18038 		 NL80211_FLAG_NEED_NETDEV |		\
18039 		 NL80211_FLAG_MLO_UNSUPPORTED)	\
18040 	SELECTOR(__sel, WIPHY_RTNL,			\
18041 		 NL80211_FLAG_NEED_WIPHY |		\
18042 		 NL80211_FLAG_NEED_RTNL)		\
18043 	SELECTOR(__sel, WIPHY_RTNL_NOMTX,		\
18044 		 NL80211_FLAG_NEED_WIPHY |		\
18045 		 NL80211_FLAG_NEED_RTNL |		\
18046 		 NL80211_FLAG_NO_WIPHY_MTX)		\
18047 	SELECTOR(__sel, WDEV_RTNL,			\
18048 		 NL80211_FLAG_NEED_WDEV |		\
18049 		 NL80211_FLAG_NEED_RTNL)		\
18050 	SELECTOR(__sel, NETDEV_RTNL,			\
18051 		 NL80211_FLAG_NEED_NETDEV |		\
18052 		 NL80211_FLAG_NEED_RTNL)		\
18053 	SELECTOR(__sel, NETDEV_UP,			\
18054 		 NL80211_FLAG_NEED_NETDEV_UP)		\
18055 	SELECTOR(__sel, NETDEV_UP_LINK,			\
18056 		 NL80211_FLAG_NEED_NETDEV_UP |		\
18057 		 NL80211_FLAG_MLO_VALID_LINK_ID)	\
18058 	SELECTOR(__sel, NETDEV_UP_NO_MLO,		\
18059 		 NL80211_FLAG_NEED_NETDEV_UP |		\
18060 		 NL80211_FLAG_MLO_UNSUPPORTED)		\
18061 	SELECTOR(__sel, NETDEV_UP_NO_MLO_CLEAR,		\
18062 		 NL80211_FLAG_NEED_NETDEV_UP |		\
18063 		 NL80211_FLAG_CLEAR_SKB |		\
18064 		 NL80211_FLAG_MLO_UNSUPPORTED)		\
18065 	SELECTOR(__sel, NETDEV_UP_NOTMX,		\
18066 		 NL80211_FLAG_NEED_NETDEV_UP |		\
18067 		 NL80211_FLAG_NO_WIPHY_MTX)		\
18068 	SELECTOR(__sel, NETDEV_UP_NOTMX_MLO,		\
18069 		 NL80211_FLAG_NEED_NETDEV_UP |		\
18070 		 NL80211_FLAG_NO_WIPHY_MTX |		\
18071 		 NL80211_FLAG_MLO_VALID_LINK_ID)	\
18072 	SELECTOR(__sel, NETDEV_UP_CLEAR,		\
18073 		 NL80211_FLAG_NEED_NETDEV_UP |		\
18074 		 NL80211_FLAG_CLEAR_SKB)		\
18075 	SELECTOR(__sel, WDEV_UP,			\
18076 		 NL80211_FLAG_NEED_WDEV_UP)		\
18077 	SELECTOR(__sel, WDEV_UP_CLEAR,			\
18078 		 NL80211_FLAG_NEED_WDEV_UP |		\
18079 		 NL80211_FLAG_CLEAR_SKB)		\
18080 	SELECTOR(__sel, WDEV_UP_LINK,			\
18081 		 NL80211_FLAG_NEED_WDEV_UP |		\
18082 		 NL80211_FLAG_MLO_VALID_LINK_ID)	\
18083 	SELECTOR(__sel, WDEV_UP_RTNL,			\
18084 		 NL80211_FLAG_NEED_WDEV_UP |		\
18085 		 NL80211_FLAG_NEED_RTNL)		\
18086 	SELECTOR(__sel, WIPHY_CLEAR,			\
18087 		 NL80211_FLAG_NEED_WIPHY |		\
18088 		 NL80211_FLAG_CLEAR_SKB)
18089 
18090 enum nl80211_internal_flags_selector {
18091 #define SELECTOR(_, name, value)	NL80211_IFL_SEL_##name,
18092 	INTERNAL_FLAG_SELECTORS(_)
18093 #undef SELECTOR
18094 };
18095 
18096 static u32 nl80211_internal_flags[] = {
18097 #define SELECTOR(_, name, value)	[NL80211_IFL_SEL_##name] = value,
18098 	INTERNAL_FLAG_SELECTORS(_)
18099 #undef SELECTOR
18100 };
18101 
18102 static int nl80211_pre_doit(const struct genl_split_ops *ops,
18103 			    struct sk_buff *skb,
18104 			    struct genl_info *info)
18105 {
18106 	struct cfg80211_registered_device *rdev = NULL;
18107 	struct wireless_dev *wdev = NULL;
18108 	struct net_device *dev = NULL;
18109 	u32 internal_flags;
18110 	int err;
18111 
18112 	if (WARN_ON(ops->internal_flags >= ARRAY_SIZE(nl80211_internal_flags)))
18113 		return -EINVAL;
18114 
18115 	internal_flags = nl80211_internal_flags[ops->internal_flags];
18116 
18117 	rtnl_lock();
18118 	if (internal_flags & NL80211_FLAG_NEED_WIPHY) {
18119 		rdev = cfg80211_get_dev_from_info(genl_info_net(info), info);
18120 		if (IS_ERR(rdev)) {
18121 			err = PTR_ERR(rdev);
18122 			goto out_unlock;
18123 		}
18124 		info->user_ptr[0] = rdev;
18125 	} else if (internal_flags & NL80211_FLAG_NEED_NETDEV ||
18126 		   internal_flags & NL80211_FLAG_NEED_WDEV) {
18127 		wdev = __cfg80211_wdev_from_attrs(NULL, genl_info_net(info),
18128 						  info->attrs);
18129 		if (IS_ERR(wdev)) {
18130 			err = PTR_ERR(wdev);
18131 			goto out_unlock;
18132 		}
18133 
18134 		dev = wdev->netdev;
18135 		dev_hold(dev);
18136 		rdev = wiphy_to_rdev(wdev->wiphy);
18137 
18138 		if (internal_flags & NL80211_FLAG_NEED_NETDEV) {
18139 			if (!dev) {
18140 				err = -EINVAL;
18141 				goto out_unlock;
18142 			}
18143 
18144 			info->user_ptr[1] = dev;
18145 		} else {
18146 			info->user_ptr[1] = wdev;
18147 		}
18148 
18149 		if (internal_flags & NL80211_FLAG_CHECK_NETDEV_UP &&
18150 		    !wdev_running(wdev)) {
18151 			err = -ENETDOWN;
18152 			goto out_unlock;
18153 		}
18154 
18155 		info->user_ptr[0] = rdev;
18156 	}
18157 
18158 	if (internal_flags & NL80211_FLAG_MLO_VALID_LINK_ID) {
18159 		struct nlattr *link_id = info->attrs[NL80211_ATTR_MLO_LINK_ID];
18160 
18161 		if (!wdev) {
18162 			err = -EINVAL;
18163 			goto out_unlock;
18164 		}
18165 
18166 		/* MLO -> require valid link ID */
18167 		if (wdev->valid_links &&
18168 		    (!link_id ||
18169 		     !(wdev->valid_links & BIT(nla_get_u8(link_id))))) {
18170 			err = -EINVAL;
18171 			goto out_unlock;
18172 		}
18173 
18174 		/* non-MLO -> no link ID attribute accepted */
18175 		if (!wdev->valid_links && link_id) {
18176 			err = -EINVAL;
18177 			goto out_unlock;
18178 		}
18179 	}
18180 
18181 	if (internal_flags & NL80211_FLAG_MLO_UNSUPPORTED) {
18182 		if (info->attrs[NL80211_ATTR_MLO_LINK_ID] ||
18183 		    (wdev && wdev->valid_links)) {
18184 			err = -EINVAL;
18185 			goto out_unlock;
18186 		}
18187 	}
18188 
18189 	if (rdev && !(internal_flags & NL80211_FLAG_NO_WIPHY_MTX)) {
18190 		wiphy_lock(&rdev->wiphy);
18191 		/* we keep the mutex locked until post_doit */
18192 		__release(&rdev->wiphy.mtx);
18193 	}
18194 	if (!(internal_flags & NL80211_FLAG_NEED_RTNL))
18195 		rtnl_unlock();
18196 
18197 	return 0;
18198 out_unlock:
18199 	rtnl_unlock();
18200 	dev_put(dev);
18201 	return err;
18202 }
18203 
18204 static void nl80211_post_doit(const struct genl_split_ops *ops,
18205 			      struct sk_buff *skb,
18206 			      struct genl_info *info)
18207 {
18208 	u32 internal_flags = nl80211_internal_flags[ops->internal_flags];
18209 
18210 	if (info->user_ptr[1]) {
18211 		if (internal_flags & NL80211_FLAG_NEED_WDEV) {
18212 			struct wireless_dev *wdev = info->user_ptr[1];
18213 
18214 			dev_put(wdev->netdev);
18215 		} else {
18216 			dev_put(info->user_ptr[1]);
18217 		}
18218 	}
18219 
18220 	if (info->user_ptr[0] &&
18221 	    !(internal_flags & NL80211_FLAG_NO_WIPHY_MTX)) {
18222 		struct cfg80211_registered_device *rdev = info->user_ptr[0];
18223 
18224 		/* we kept the mutex locked since pre_doit */
18225 		__acquire(&rdev->wiphy.mtx);
18226 		wiphy_unlock(&rdev->wiphy);
18227 	}
18228 
18229 	if (internal_flags & NL80211_FLAG_NEED_RTNL)
18230 		rtnl_unlock();
18231 
18232 	/* If needed, clear the netlink message payload from the SKB
18233 	 * as it might contain key data that shouldn't stick around on
18234 	 * the heap after the SKB is freed. The netlink message header
18235 	 * is still needed for further processing, so leave it intact.
18236 	 */
18237 	if (internal_flags & NL80211_FLAG_CLEAR_SKB) {
18238 		struct nlmsghdr *nlh = nlmsg_hdr(skb);
18239 
18240 		memset(nlmsg_data(nlh), 0, nlmsg_len(nlh));
18241 	}
18242 }
18243 
18244 static int nl80211_set_sar_sub_specs(struct cfg80211_registered_device *rdev,
18245 				     struct cfg80211_sar_specs *sar_specs,
18246 				     struct nlattr *spec[], int index)
18247 {
18248 	u32 range_index, i;
18249 
18250 	if (!sar_specs || !spec)
18251 		return -EINVAL;
18252 
18253 	if (!spec[NL80211_SAR_ATTR_SPECS_POWER] ||
18254 	    !spec[NL80211_SAR_ATTR_SPECS_RANGE_INDEX])
18255 		return -EINVAL;
18256 
18257 	range_index = nla_get_u32(spec[NL80211_SAR_ATTR_SPECS_RANGE_INDEX]);
18258 
18259 	/* check if range_index exceeds num_freq_ranges */
18260 	if (range_index >= rdev->wiphy.sar_capa->num_freq_ranges)
18261 		return -EINVAL;
18262 
18263 	/* check if range_index duplicates */
18264 	for (i = 0; i < index; i++) {
18265 		if (sar_specs->sub_specs[i].freq_range_index == range_index)
18266 			return -EINVAL;
18267 	}
18268 
18269 	sar_specs->sub_specs[index].power =
18270 		nla_get_s32(spec[NL80211_SAR_ATTR_SPECS_POWER]);
18271 
18272 	sar_specs->sub_specs[index].freq_range_index = range_index;
18273 
18274 	return 0;
18275 }
18276 
18277 static int nl80211_set_sar_specs(struct sk_buff *skb, struct genl_info *info)
18278 {
18279 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
18280 	struct nlattr *spec[NL80211_SAR_ATTR_SPECS_MAX + 1];
18281 	struct nlattr *tb[NL80211_SAR_ATTR_MAX + 1];
18282 	struct cfg80211_sar_specs *sar_spec;
18283 	enum nl80211_sar_type type;
18284 	struct nlattr *spec_list;
18285 	u32 specs;
18286 	int rem, err;
18287 
18288 	if (!rdev->wiphy.sar_capa || !rdev->ops->set_sar_specs)
18289 		return -EOPNOTSUPP;
18290 
18291 	if (!info->attrs[NL80211_ATTR_SAR_SPEC])
18292 		return -EINVAL;
18293 
18294 	nla_parse_nested(tb, NL80211_SAR_ATTR_MAX,
18295 			 info->attrs[NL80211_ATTR_SAR_SPEC],
18296 			 NULL, NULL);
18297 
18298 	if (!tb[NL80211_SAR_ATTR_TYPE] || !tb[NL80211_SAR_ATTR_SPECS])
18299 		return -EINVAL;
18300 
18301 	type = nla_get_u32(tb[NL80211_SAR_ATTR_TYPE]);
18302 	if (type != rdev->wiphy.sar_capa->type)
18303 		return -EINVAL;
18304 
18305 	specs = 0;
18306 	nla_for_each_nested(spec_list, tb[NL80211_SAR_ATTR_SPECS], rem)
18307 		specs++;
18308 
18309 	if (specs > rdev->wiphy.sar_capa->num_freq_ranges)
18310 		return -EINVAL;
18311 
18312 	sar_spec = kzalloc_flex(*sar_spec, sub_specs, specs);
18313 	if (!sar_spec)
18314 		return -ENOMEM;
18315 
18316 	sar_spec->num_sub_specs = specs;
18317 	sar_spec->type = type;
18318 	specs = 0;
18319 	nla_for_each_nested(spec_list, tb[NL80211_SAR_ATTR_SPECS], rem) {
18320 		nla_parse_nested(spec, NL80211_SAR_ATTR_SPECS_MAX,
18321 				 spec_list, NULL, NULL);
18322 
18323 		switch (type) {
18324 		case NL80211_SAR_TYPE_POWER:
18325 			if (nl80211_set_sar_sub_specs(rdev, sar_spec,
18326 						      spec, specs)) {
18327 				err = -EINVAL;
18328 				goto error;
18329 			}
18330 			break;
18331 		default:
18332 			err = -EINVAL;
18333 			goto error;
18334 		}
18335 		specs++;
18336 	}
18337 
18338 	sar_spec->num_sub_specs = specs;
18339 
18340 	rdev->cur_cmd_info = info;
18341 	err = rdev_set_sar_specs(rdev, sar_spec);
18342 	rdev->cur_cmd_info = NULL;
18343 error:
18344 	kfree(sar_spec);
18345 	return err;
18346 }
18347 
18348 #define SELECTOR(__sel, name, value) \
18349 	((__sel) == (value)) ? NL80211_IFL_SEL_##name :
18350 int __missing_selector(void);
18351 #define IFLAGS(__val) INTERNAL_FLAG_SELECTORS(__val) __missing_selector()
18352 
18353 static const struct genl_ops nl80211_ops[] = {
18354 	{
18355 		.cmd = NL80211_CMD_GET_WIPHY,
18356 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18357 		.doit = nl80211_get_wiphy,
18358 		.dumpit = nl80211_dump_wiphy,
18359 		.done = nl80211_dump_wiphy_done,
18360 		/* can be retrieved by unprivileged users */
18361 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY),
18362 	},
18363 };
18364 
18365 static const struct genl_small_ops nl80211_small_ops[] = {
18366 	{
18367 		.cmd = NL80211_CMD_SET_WIPHY,
18368 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18369 		.doit = nl80211_set_wiphy,
18370 		.flags = GENL_UNS_ADMIN_PERM,
18371 	},
18372 	{
18373 		.cmd = NL80211_CMD_GET_INTERFACE,
18374 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18375 		.doit = nl80211_get_interface,
18376 		.dumpit = nl80211_dump_interface,
18377 		/* can be retrieved by unprivileged users */
18378 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV),
18379 	},
18380 	{
18381 		.cmd = NL80211_CMD_SET_INTERFACE,
18382 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18383 		.doit = nl80211_set_interface,
18384 		.flags = GENL_UNS_ADMIN_PERM,
18385 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV |
18386 					 NL80211_FLAG_NEED_RTNL),
18387 	},
18388 	{
18389 		.cmd = NL80211_CMD_NEW_INTERFACE,
18390 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18391 		.doit = nl80211_new_interface,
18392 		.flags = GENL_UNS_ADMIN_PERM,
18393 		.internal_flags =
18394 			IFLAGS(NL80211_FLAG_NEED_WIPHY |
18395 			       NL80211_FLAG_NEED_RTNL |
18396 			       /* we take the wiphy mutex later ourselves */
18397 			       NL80211_FLAG_NO_WIPHY_MTX),
18398 	},
18399 	{
18400 		.cmd = NL80211_CMD_DEL_INTERFACE,
18401 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18402 		.doit = nl80211_del_interface,
18403 		.flags = GENL_UNS_ADMIN_PERM,
18404 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV |
18405 					 NL80211_FLAG_NEED_RTNL),
18406 	},
18407 	{
18408 		.cmd = NL80211_CMD_GET_KEY,
18409 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18410 		.doit = nl80211_get_key,
18411 		.flags = GENL_UNS_ADMIN_PERM,
18412 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
18413 	},
18414 	{
18415 		.cmd = NL80211_CMD_SET_KEY,
18416 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18417 		.doit = nl80211_set_key,
18418 		.flags = GENL_UNS_ADMIN_PERM,
18419 		/* cannot use NL80211_FLAG_MLO_VALID_LINK_ID, depends on key */
18420 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP |
18421 					 NL80211_FLAG_CLEAR_SKB),
18422 	},
18423 	{
18424 		.cmd = NL80211_CMD_NEW_KEY,
18425 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18426 		.doit = nl80211_new_key,
18427 		.flags = GENL_UNS_ADMIN_PERM,
18428 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP |
18429 					 NL80211_FLAG_CLEAR_SKB),
18430 	},
18431 	{
18432 		.cmd = NL80211_CMD_DEL_KEY,
18433 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18434 		.doit = nl80211_del_key,
18435 		.flags = GENL_UNS_ADMIN_PERM,
18436 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
18437 	},
18438 	{
18439 		.cmd = NL80211_CMD_SET_BEACON,
18440 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18441 		.flags = GENL_UNS_ADMIN_PERM,
18442 		.doit = nl80211_set_beacon,
18443 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
18444 					 NL80211_FLAG_MLO_VALID_LINK_ID),
18445 	},
18446 	{
18447 		.cmd = NL80211_CMD_START_AP,
18448 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18449 		.flags = GENL_UNS_ADMIN_PERM,
18450 		.doit = nl80211_start_ap,
18451 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
18452 					 NL80211_FLAG_MLO_VALID_LINK_ID),
18453 	},
18454 	{
18455 		.cmd = NL80211_CMD_STOP_AP,
18456 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18457 		.flags = GENL_UNS_ADMIN_PERM,
18458 		.doit = nl80211_stop_ap,
18459 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
18460 					 NL80211_FLAG_MLO_VALID_LINK_ID),
18461 	},
18462 	{
18463 		.cmd = NL80211_CMD_GET_STATION,
18464 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18465 		.doit = nl80211_get_station,
18466 		.dumpit = nl80211_dump_station,
18467 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV),
18468 	},
18469 	{
18470 		.cmd = NL80211_CMD_SET_STATION,
18471 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18472 		.doit = nl80211_set_station,
18473 		.flags = GENL_UNS_ADMIN_PERM,
18474 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
18475 	},
18476 	{
18477 		.cmd = NL80211_CMD_NEW_STATION,
18478 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18479 		.doit = nl80211_new_station,
18480 		.flags = GENL_UNS_ADMIN_PERM,
18481 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
18482 	},
18483 	{
18484 		.cmd = NL80211_CMD_DEL_STATION,
18485 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18486 		.doit = nl80211_del_station,
18487 		.flags = GENL_UNS_ADMIN_PERM,
18488 		/* cannot use NL80211_FLAG_MLO_VALID_LINK_ID, depends on
18489 		 * whether MAC address is passed or not. If MAC address is
18490 		 * passed, then even during MLO, link ID is not required.
18491 		 */
18492 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
18493 	},
18494 	{
18495 		.cmd = NL80211_CMD_GET_MPATH,
18496 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18497 		.doit = nl80211_get_mpath,
18498 		.dumpit = nl80211_dump_mpath,
18499 		.flags = GENL_UNS_ADMIN_PERM,
18500 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
18501 	},
18502 	{
18503 		.cmd = NL80211_CMD_GET_MPP,
18504 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18505 		.doit = nl80211_get_mpp,
18506 		.dumpit = nl80211_dump_mpp,
18507 		.flags = GENL_UNS_ADMIN_PERM,
18508 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
18509 	},
18510 	{
18511 		.cmd = NL80211_CMD_SET_MPATH,
18512 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18513 		.doit = nl80211_set_mpath,
18514 		.flags = GENL_UNS_ADMIN_PERM,
18515 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
18516 	},
18517 	{
18518 		.cmd = NL80211_CMD_NEW_MPATH,
18519 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18520 		.doit = nl80211_new_mpath,
18521 		.flags = GENL_UNS_ADMIN_PERM,
18522 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
18523 	},
18524 	{
18525 		.cmd = NL80211_CMD_DEL_MPATH,
18526 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18527 		.doit = nl80211_del_mpath,
18528 		.flags = GENL_UNS_ADMIN_PERM,
18529 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
18530 	},
18531 	{
18532 		.cmd = NL80211_CMD_SET_BSS,
18533 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18534 		.doit = nl80211_set_bss,
18535 		.flags = GENL_UNS_ADMIN_PERM,
18536 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
18537 					 NL80211_FLAG_MLO_VALID_LINK_ID),
18538 	},
18539 	{
18540 		.cmd = NL80211_CMD_GET_REG,
18541 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18542 		.doit = nl80211_get_reg_do,
18543 		.dumpit = nl80211_get_reg_dump,
18544 		/* can be retrieved by unprivileged users */
18545 	},
18546 #ifdef CONFIG_CFG80211_CRDA_SUPPORT
18547 	{
18548 		.cmd = NL80211_CMD_SET_REG,
18549 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18550 		.doit = nl80211_set_reg,
18551 		.flags = GENL_ADMIN_PERM,
18552 	},
18553 #endif
18554 	{
18555 		.cmd = NL80211_CMD_REQ_SET_REG,
18556 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18557 		.doit = nl80211_req_set_reg,
18558 		.flags = GENL_ADMIN_PERM,
18559 	},
18560 	{
18561 		.cmd = NL80211_CMD_RELOAD_REGDB,
18562 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18563 		.doit = nl80211_reload_regdb,
18564 		.flags = GENL_ADMIN_PERM,
18565 	},
18566 	{
18567 		.cmd = NL80211_CMD_GET_MESH_CONFIG,
18568 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18569 		.doit = nl80211_get_mesh_config,
18570 		/* can be retrieved by unprivileged users */
18571 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
18572 	},
18573 	{
18574 		.cmd = NL80211_CMD_SET_MESH_CONFIG,
18575 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18576 		.doit = nl80211_update_mesh_config,
18577 		.flags = GENL_UNS_ADMIN_PERM,
18578 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
18579 	},
18580 	{
18581 		.cmd = NL80211_CMD_TRIGGER_SCAN,
18582 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18583 		.doit = nl80211_trigger_scan,
18584 		.flags = GENL_UNS_ADMIN_PERM,
18585 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
18586 	},
18587 	{
18588 		.cmd = NL80211_CMD_ABORT_SCAN,
18589 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18590 		.doit = nl80211_abort_scan,
18591 		.flags = GENL_UNS_ADMIN_PERM,
18592 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
18593 	},
18594 	{
18595 		.cmd = NL80211_CMD_GET_SCAN,
18596 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18597 		.dumpit = nl80211_dump_scan,
18598 	},
18599 	{
18600 		.cmd = NL80211_CMD_START_SCHED_SCAN,
18601 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18602 		.doit = nl80211_start_sched_scan,
18603 		.flags = GENL_UNS_ADMIN_PERM,
18604 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
18605 	},
18606 	{
18607 		.cmd = NL80211_CMD_STOP_SCHED_SCAN,
18608 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18609 		.doit = nl80211_stop_sched_scan,
18610 		.flags = GENL_UNS_ADMIN_PERM,
18611 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
18612 	},
18613 	{
18614 		.cmd = NL80211_CMD_AUTHENTICATE,
18615 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18616 		.doit = nl80211_authenticate,
18617 		.flags = GENL_UNS_ADMIN_PERM,
18618 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
18619 					 NL80211_FLAG_CLEAR_SKB),
18620 	},
18621 	{
18622 		.cmd = NL80211_CMD_ASSOCIATE,
18623 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18624 		.doit = nl80211_associate,
18625 		.flags = GENL_UNS_ADMIN_PERM,
18626 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
18627 					 NL80211_FLAG_CLEAR_SKB),
18628 	},
18629 	{
18630 		.cmd = NL80211_CMD_DEAUTHENTICATE,
18631 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18632 		.doit = nl80211_deauthenticate,
18633 		.flags = GENL_UNS_ADMIN_PERM,
18634 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
18635 	},
18636 	{
18637 		.cmd = NL80211_CMD_DISASSOCIATE,
18638 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18639 		.doit = nl80211_disassociate,
18640 		.flags = GENL_UNS_ADMIN_PERM,
18641 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
18642 	},
18643 	{
18644 		.cmd = NL80211_CMD_JOIN_IBSS,
18645 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18646 		.doit = nl80211_join_ibss,
18647 		.flags = GENL_UNS_ADMIN_PERM,
18648 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
18649 	},
18650 	{
18651 		.cmd = NL80211_CMD_LEAVE_IBSS,
18652 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18653 		.doit = nl80211_leave_ibss,
18654 		.flags = GENL_UNS_ADMIN_PERM,
18655 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
18656 	},
18657 #ifdef CONFIG_NL80211_TESTMODE
18658 	{
18659 		.cmd = NL80211_CMD_TESTMODE,
18660 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18661 		.doit = nl80211_testmode_do,
18662 		.dumpit = nl80211_testmode_dump,
18663 		.flags = GENL_UNS_ADMIN_PERM,
18664 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY),
18665 	},
18666 #endif
18667 	{
18668 		.cmd = NL80211_CMD_CONNECT,
18669 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18670 		.doit = nl80211_connect,
18671 		.flags = GENL_UNS_ADMIN_PERM,
18672 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
18673 					 NL80211_FLAG_CLEAR_SKB),
18674 	},
18675 	{
18676 		.cmd = NL80211_CMD_UPDATE_CONNECT_PARAMS,
18677 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18678 		.doit = nl80211_update_connect_params,
18679 		.flags = GENL_ADMIN_PERM,
18680 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
18681 					 NL80211_FLAG_CLEAR_SKB),
18682 	},
18683 	{
18684 		.cmd = NL80211_CMD_DISCONNECT,
18685 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18686 		.doit = nl80211_disconnect,
18687 		.flags = GENL_UNS_ADMIN_PERM,
18688 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
18689 	},
18690 	{
18691 		.cmd = NL80211_CMD_SET_WIPHY_NETNS,
18692 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18693 		.doit = nl80211_wiphy_netns,
18694 		.flags = GENL_UNS_ADMIN_PERM,
18695 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY |
18696 					 NL80211_FLAG_NEED_RTNL |
18697 					 NL80211_FLAG_NO_WIPHY_MTX),
18698 	},
18699 	{
18700 		.cmd = NL80211_CMD_GET_SURVEY,
18701 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18702 		.dumpit = nl80211_dump_survey,
18703 	},
18704 	{
18705 		.cmd = NL80211_CMD_SET_PMKSA,
18706 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18707 		.doit = nl80211_set_pmksa,
18708 		.flags = GENL_UNS_ADMIN_PERM,
18709 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
18710 					 NL80211_FLAG_CLEAR_SKB),
18711 	},
18712 	{
18713 		.cmd = NL80211_CMD_DEL_PMKSA,
18714 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18715 		.doit = nl80211_del_pmksa,
18716 		.flags = GENL_UNS_ADMIN_PERM,
18717 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
18718 	},
18719 	{
18720 		.cmd = NL80211_CMD_FLUSH_PMKSA,
18721 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18722 		.doit = nl80211_flush_pmksa,
18723 		.flags = GENL_UNS_ADMIN_PERM,
18724 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
18725 	},
18726 	{
18727 		.cmd = NL80211_CMD_REMAIN_ON_CHANNEL,
18728 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18729 		.doit = nl80211_remain_on_channel,
18730 		.flags = GENL_UNS_ADMIN_PERM,
18731 		/* FIXME: requiring a link ID here is probably not good */
18732 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP |
18733 					 NL80211_FLAG_MLO_VALID_LINK_ID),
18734 	},
18735 	{
18736 		.cmd = NL80211_CMD_CANCEL_REMAIN_ON_CHANNEL,
18737 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18738 		.doit = nl80211_cancel_remain_on_channel,
18739 		.flags = GENL_UNS_ADMIN_PERM,
18740 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
18741 	},
18742 	{
18743 		.cmd = NL80211_CMD_SET_TX_BITRATE_MASK,
18744 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18745 		.doit = nl80211_set_tx_bitrate_mask,
18746 		.flags = GENL_UNS_ADMIN_PERM,
18747 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV |
18748 					 NL80211_FLAG_MLO_VALID_LINK_ID),
18749 	},
18750 	{
18751 		.cmd = NL80211_CMD_REGISTER_FRAME,
18752 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18753 		.doit = nl80211_register_mgmt,
18754 		.flags = GENL_UNS_ADMIN_PERM,
18755 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV),
18756 	},
18757 	{
18758 		.cmd = NL80211_CMD_FRAME,
18759 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18760 		.doit = nl80211_tx_mgmt,
18761 		.flags = GENL_UNS_ADMIN_PERM,
18762 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
18763 	},
18764 	{
18765 		.cmd = NL80211_CMD_FRAME_WAIT_CANCEL,
18766 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18767 		.doit = nl80211_tx_mgmt_cancel_wait,
18768 		.flags = GENL_UNS_ADMIN_PERM,
18769 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
18770 	},
18771 	{
18772 		.cmd = NL80211_CMD_SET_POWER_SAVE,
18773 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18774 		.doit = nl80211_set_power_save,
18775 		.flags = GENL_UNS_ADMIN_PERM,
18776 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV),
18777 	},
18778 	{
18779 		.cmd = NL80211_CMD_GET_POWER_SAVE,
18780 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18781 		.doit = nl80211_get_power_save,
18782 		/* can be retrieved by unprivileged users */
18783 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV),
18784 	},
18785 	{
18786 		.cmd = NL80211_CMD_SET_CQM,
18787 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18788 		.doit = nl80211_set_cqm,
18789 		.flags = GENL_UNS_ADMIN_PERM,
18790 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV),
18791 	},
18792 	{
18793 		.cmd = NL80211_CMD_SET_CHANNEL,
18794 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18795 		.doit = nl80211_set_channel,
18796 		.flags = GENL_UNS_ADMIN_PERM,
18797 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV |
18798 					 NL80211_FLAG_MLO_VALID_LINK_ID),
18799 	},
18800 	{
18801 		.cmd = NL80211_CMD_JOIN_MESH,
18802 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18803 		.doit = nl80211_join_mesh,
18804 		.flags = GENL_UNS_ADMIN_PERM,
18805 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
18806 	},
18807 	{
18808 		.cmd = NL80211_CMD_LEAVE_MESH,
18809 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18810 		.doit = nl80211_leave_mesh,
18811 		.flags = GENL_UNS_ADMIN_PERM,
18812 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
18813 	},
18814 	{
18815 		.cmd = NL80211_CMD_JOIN_OCB,
18816 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18817 		.doit = nl80211_join_ocb,
18818 		.flags = GENL_UNS_ADMIN_PERM,
18819 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
18820 	},
18821 	{
18822 		.cmd = NL80211_CMD_LEAVE_OCB,
18823 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18824 		.doit = nl80211_leave_ocb,
18825 		.flags = GENL_UNS_ADMIN_PERM,
18826 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
18827 	},
18828 #ifdef CONFIG_PM
18829 	{
18830 		.cmd = NL80211_CMD_GET_WOWLAN,
18831 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18832 		.doit = nl80211_get_wowlan,
18833 		/* can be retrieved by unprivileged users */
18834 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY),
18835 	},
18836 	{
18837 		.cmd = NL80211_CMD_SET_WOWLAN,
18838 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18839 		.doit = nl80211_set_wowlan,
18840 		.flags = GENL_UNS_ADMIN_PERM,
18841 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY),
18842 	},
18843 #endif
18844 	{
18845 		.cmd = NL80211_CMD_SET_REKEY_OFFLOAD,
18846 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18847 		.doit = nl80211_set_rekey_data,
18848 		.flags = GENL_UNS_ADMIN_PERM,
18849 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
18850 					 NL80211_FLAG_CLEAR_SKB),
18851 	},
18852 	{
18853 		.cmd = NL80211_CMD_TDLS_MGMT,
18854 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18855 		.doit = nl80211_tdls_mgmt,
18856 		.flags = GENL_UNS_ADMIN_PERM,
18857 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
18858 					 NL80211_FLAG_MLO_VALID_LINK_ID),
18859 	},
18860 	{
18861 		.cmd = NL80211_CMD_TDLS_OPER,
18862 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18863 		.doit = nl80211_tdls_oper,
18864 		.flags = GENL_UNS_ADMIN_PERM,
18865 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
18866 	},
18867 	{
18868 		.cmd = NL80211_CMD_UNEXPECTED_FRAME,
18869 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18870 		.doit = nl80211_register_unexpected_frame,
18871 		.flags = GENL_UNS_ADMIN_PERM,
18872 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV),
18873 	},
18874 	{
18875 		.cmd = NL80211_CMD_PROBE_CLIENT,
18876 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18877 		.doit = nl80211_probe_client,
18878 		.flags = GENL_UNS_ADMIN_PERM,
18879 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
18880 	},
18881 	{
18882 		.cmd = NL80211_CMD_REGISTER_BEACONS,
18883 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18884 		.doit = nl80211_register_beacons,
18885 		.flags = GENL_UNS_ADMIN_PERM,
18886 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY),
18887 	},
18888 	{
18889 		.cmd = NL80211_CMD_SET_NOACK_MAP,
18890 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18891 		.doit = nl80211_set_noack_map,
18892 		.flags = GENL_UNS_ADMIN_PERM,
18893 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV),
18894 	},
18895 	{
18896 		.cmd = NL80211_CMD_START_P2P_DEVICE,
18897 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18898 		.doit = nl80211_start_p2p_device,
18899 		.flags = GENL_UNS_ADMIN_PERM,
18900 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV |
18901 					 NL80211_FLAG_NEED_RTNL),
18902 	},
18903 	{
18904 		.cmd = NL80211_CMD_STOP_P2P_DEVICE,
18905 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18906 		.doit = nl80211_stop_p2p_device,
18907 		.flags = GENL_UNS_ADMIN_PERM,
18908 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP |
18909 					 NL80211_FLAG_NEED_RTNL),
18910 	},
18911 	{
18912 		.cmd = NL80211_CMD_START_NAN,
18913 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18914 		.doit = nl80211_start_nan,
18915 		.flags = GENL_ADMIN_PERM,
18916 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV |
18917 					 NL80211_FLAG_NEED_RTNL),
18918 	},
18919 	{
18920 		.cmd = NL80211_CMD_STOP_NAN,
18921 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18922 		.doit = nl80211_stop_nan,
18923 		.flags = GENL_ADMIN_PERM,
18924 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP |
18925 					 NL80211_FLAG_NEED_RTNL),
18926 	},
18927 	{
18928 		.cmd = NL80211_CMD_ADD_NAN_FUNCTION,
18929 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18930 		.doit = nl80211_nan_add_func,
18931 		.flags = GENL_ADMIN_PERM,
18932 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
18933 	},
18934 	{
18935 		.cmd = NL80211_CMD_DEL_NAN_FUNCTION,
18936 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18937 		.doit = nl80211_nan_del_func,
18938 		.flags = GENL_ADMIN_PERM,
18939 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
18940 	},
18941 	{
18942 		.cmd = NL80211_CMD_CHANGE_NAN_CONFIG,
18943 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18944 		.doit = nl80211_nan_change_config,
18945 		.flags = GENL_ADMIN_PERM,
18946 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
18947 	},
18948 	{
18949 		.cmd = NL80211_CMD_SET_MCAST_RATE,
18950 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18951 		.doit = nl80211_set_mcast_rate,
18952 		.flags = GENL_UNS_ADMIN_PERM,
18953 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV),
18954 	},
18955 	{
18956 		.cmd = NL80211_CMD_SET_MAC_ACL,
18957 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18958 		.doit = nl80211_set_mac_acl,
18959 		.flags = GENL_UNS_ADMIN_PERM,
18960 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV |
18961 					 NL80211_FLAG_MLO_UNSUPPORTED),
18962 	},
18963 	{
18964 		.cmd = NL80211_CMD_RADAR_DETECT,
18965 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18966 		.doit = nl80211_start_radar_detection,
18967 		.flags = GENL_UNS_ADMIN_PERM,
18968 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
18969 					 NL80211_FLAG_NO_WIPHY_MTX |
18970 					 NL80211_FLAG_MLO_VALID_LINK_ID),
18971 	},
18972 	{
18973 		.cmd = NL80211_CMD_GET_PROTOCOL_FEATURES,
18974 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18975 		.doit = nl80211_get_protocol_features,
18976 	},
18977 	{
18978 		.cmd = NL80211_CMD_UPDATE_FT_IES,
18979 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18980 		.doit = nl80211_update_ft_ies,
18981 		.flags = GENL_UNS_ADMIN_PERM,
18982 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
18983 	},
18984 	{
18985 		.cmd = NL80211_CMD_CRIT_PROTOCOL_START,
18986 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18987 		.doit = nl80211_crit_protocol_start,
18988 		.flags = GENL_UNS_ADMIN_PERM,
18989 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
18990 	},
18991 	{
18992 		.cmd = NL80211_CMD_CRIT_PROTOCOL_STOP,
18993 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18994 		.doit = nl80211_crit_protocol_stop,
18995 		.flags = GENL_UNS_ADMIN_PERM,
18996 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
18997 	},
18998 	{
18999 		.cmd = NL80211_CMD_GET_COALESCE,
19000 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19001 		.doit = nl80211_get_coalesce,
19002 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY),
19003 	},
19004 	{
19005 		.cmd = NL80211_CMD_SET_COALESCE,
19006 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19007 		.doit = nl80211_set_coalesce,
19008 		.flags = GENL_UNS_ADMIN_PERM,
19009 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY),
19010 	},
19011 	{
19012 		.cmd = NL80211_CMD_CHANNEL_SWITCH,
19013 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19014 		.doit = nl80211_channel_switch,
19015 		.flags = GENL_UNS_ADMIN_PERM,
19016 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
19017 					 NL80211_FLAG_MLO_VALID_LINK_ID),
19018 	},
19019 	{
19020 		.cmd = NL80211_CMD_VENDOR,
19021 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19022 		.doit = nl80211_vendor_cmd,
19023 		.dumpit = nl80211_vendor_cmd_dump,
19024 		.flags = GENL_UNS_ADMIN_PERM,
19025 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY |
19026 					 NL80211_FLAG_CLEAR_SKB),
19027 	},
19028 	{
19029 		.cmd = NL80211_CMD_SET_QOS_MAP,
19030 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19031 		.doit = nl80211_set_qos_map,
19032 		.flags = GENL_UNS_ADMIN_PERM,
19033 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
19034 	},
19035 	{
19036 		.cmd = NL80211_CMD_ADD_TX_TS,
19037 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19038 		.doit = nl80211_add_tx_ts,
19039 		.flags = GENL_UNS_ADMIN_PERM,
19040 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
19041 					 NL80211_FLAG_MLO_UNSUPPORTED),
19042 	},
19043 	{
19044 		.cmd = NL80211_CMD_DEL_TX_TS,
19045 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19046 		.doit = nl80211_del_tx_ts,
19047 		.flags = GENL_UNS_ADMIN_PERM,
19048 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
19049 	},
19050 	{
19051 		.cmd = NL80211_CMD_TDLS_CHANNEL_SWITCH,
19052 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19053 		.doit = nl80211_tdls_channel_switch,
19054 		.flags = GENL_UNS_ADMIN_PERM,
19055 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
19056 	},
19057 	{
19058 		.cmd = NL80211_CMD_TDLS_CANCEL_CHANNEL_SWITCH,
19059 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19060 		.doit = nl80211_tdls_cancel_channel_switch,
19061 		.flags = GENL_UNS_ADMIN_PERM,
19062 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
19063 	},
19064 	{
19065 		.cmd = NL80211_CMD_SET_MULTICAST_TO_UNICAST,
19066 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19067 		.doit = nl80211_set_multicast_to_unicast,
19068 		.flags = GENL_UNS_ADMIN_PERM,
19069 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV),
19070 	},
19071 	{
19072 		.cmd = NL80211_CMD_SET_PMK,
19073 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19074 		.doit = nl80211_set_pmk,
19075 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
19076 					 NL80211_FLAG_CLEAR_SKB),
19077 	},
19078 	{
19079 		.cmd = NL80211_CMD_DEL_PMK,
19080 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19081 		.doit = nl80211_del_pmk,
19082 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
19083 	},
19084 	{
19085 		.cmd = NL80211_CMD_EXTERNAL_AUTH,
19086 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19087 		.doit = nl80211_external_auth,
19088 		.flags = GENL_ADMIN_PERM,
19089 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
19090 	},
19091 	{
19092 		.cmd = NL80211_CMD_CONTROL_PORT_FRAME,
19093 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19094 		.doit = nl80211_tx_control_port,
19095 		.flags = GENL_UNS_ADMIN_PERM,
19096 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
19097 	},
19098 	{
19099 		.cmd = NL80211_CMD_GET_FTM_RESPONDER_STATS,
19100 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19101 		.doit = nl80211_get_ftm_responder_stats,
19102 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV |
19103 					 NL80211_FLAG_MLO_VALID_LINK_ID),
19104 	},
19105 	{
19106 		.cmd = NL80211_CMD_PEER_MEASUREMENT_START,
19107 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19108 		.doit = nl80211_pmsr_start,
19109 		.flags = GENL_UNS_ADMIN_PERM,
19110 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
19111 	},
19112 	{
19113 		.cmd = NL80211_CMD_NOTIFY_RADAR,
19114 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19115 		.doit = nl80211_notify_radar_detection,
19116 		.flags = GENL_UNS_ADMIN_PERM,
19117 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
19118 	},
19119 	{
19120 		.cmd = NL80211_CMD_UPDATE_OWE_INFO,
19121 		.doit = nl80211_update_owe_info,
19122 		.flags = GENL_ADMIN_PERM,
19123 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
19124 	},
19125 	{
19126 		.cmd = NL80211_CMD_PROBE_MESH_LINK,
19127 		.doit = nl80211_probe_mesh_link,
19128 		.flags = GENL_UNS_ADMIN_PERM,
19129 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
19130 	},
19131 	{
19132 		.cmd = NL80211_CMD_SET_TID_CONFIG,
19133 		.doit = nl80211_set_tid_config,
19134 		.flags = GENL_UNS_ADMIN_PERM,
19135 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV |
19136 					 NL80211_FLAG_MLO_VALID_LINK_ID),
19137 	},
19138 	{
19139 		.cmd = NL80211_CMD_SET_SAR_SPECS,
19140 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19141 		.doit = nl80211_set_sar_specs,
19142 		.flags = GENL_UNS_ADMIN_PERM,
19143 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY |
19144 					 NL80211_FLAG_NEED_RTNL),
19145 	},
19146 	{
19147 		.cmd = NL80211_CMD_COLOR_CHANGE_REQUEST,
19148 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19149 		.doit = nl80211_color_change,
19150 		.flags = GENL_UNS_ADMIN_PERM,
19151 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
19152 					 NL80211_FLAG_MLO_VALID_LINK_ID),
19153 	},
19154 	{
19155 		.cmd = NL80211_CMD_SET_FILS_AAD,
19156 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19157 		.doit = nl80211_set_fils_aad,
19158 		.flags = GENL_UNS_ADMIN_PERM,
19159 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
19160 	},
19161 	{
19162 		.cmd = NL80211_CMD_ADD_LINK,
19163 		.doit = nl80211_add_link,
19164 		.flags = GENL_UNS_ADMIN_PERM,
19165 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
19166 	},
19167 	{
19168 		.cmd = NL80211_CMD_REMOVE_LINK,
19169 		.doit = nl80211_remove_link,
19170 		.flags = GENL_UNS_ADMIN_PERM,
19171 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
19172 					 NL80211_FLAG_MLO_VALID_LINK_ID),
19173 	},
19174 	{
19175 		.cmd = NL80211_CMD_ADD_LINK_STA,
19176 		.doit = nl80211_add_link_station,
19177 		.flags = GENL_UNS_ADMIN_PERM,
19178 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
19179 					 NL80211_FLAG_MLO_VALID_LINK_ID),
19180 	},
19181 	{
19182 		.cmd = NL80211_CMD_MODIFY_LINK_STA,
19183 		.doit = nl80211_modify_link_station,
19184 		.flags = GENL_UNS_ADMIN_PERM,
19185 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
19186 					 NL80211_FLAG_MLO_VALID_LINK_ID),
19187 	},
19188 	{
19189 		.cmd = NL80211_CMD_REMOVE_LINK_STA,
19190 		.doit = nl80211_remove_link_station,
19191 		.flags = GENL_UNS_ADMIN_PERM,
19192 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
19193 					 NL80211_FLAG_MLO_VALID_LINK_ID),
19194 	},
19195 	{
19196 		.cmd = NL80211_CMD_SET_HW_TIMESTAMP,
19197 		.doit = nl80211_set_hw_timestamp,
19198 		.flags = GENL_UNS_ADMIN_PERM,
19199 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
19200 	},
19201 	{
19202 		.cmd = NL80211_CMD_SET_TID_TO_LINK_MAPPING,
19203 		.doit = nl80211_set_ttlm,
19204 		.flags = GENL_UNS_ADMIN_PERM,
19205 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
19206 	},
19207 	{
19208 		.cmd = NL80211_CMD_ASSOC_MLO_RECONF,
19209 		.doit = nl80211_assoc_ml_reconf,
19210 		.flags = GENL_UNS_ADMIN_PERM,
19211 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
19212 	},
19213 	{
19214 		.cmd = NL80211_CMD_EPCS_CFG,
19215 		.doit = nl80211_epcs_cfg,
19216 		.flags = GENL_UNS_ADMIN_PERM,
19217 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
19218 	},
19219 };
19220 
19221 static struct genl_family nl80211_fam __ro_after_init = {
19222 	.name = NL80211_GENL_NAME,	/* have users key off the name instead */
19223 	.hdrsize = 0,			/* no private header */
19224 	.version = 1,			/* no particular meaning now */
19225 	.maxattr = NL80211_ATTR_MAX,
19226 	.policy = nl80211_policy,
19227 	.netnsok = true,
19228 	.pre_doit = nl80211_pre_doit,
19229 	.post_doit = nl80211_post_doit,
19230 	.module = THIS_MODULE,
19231 	.ops = nl80211_ops,
19232 	.n_ops = ARRAY_SIZE(nl80211_ops),
19233 	.small_ops = nl80211_small_ops,
19234 	.n_small_ops = ARRAY_SIZE(nl80211_small_ops),
19235 	.resv_start_op = NL80211_CMD_REMOVE_LINK_STA + 1,
19236 	.mcgrps = nl80211_mcgrps,
19237 	.n_mcgrps = ARRAY_SIZE(nl80211_mcgrps),
19238 	.parallel_ops = true,
19239 };
19240 
19241 /* notification functions */
19242 
19243 void nl80211_notify_wiphy(struct cfg80211_registered_device *rdev,
19244 			  enum nl80211_commands cmd)
19245 {
19246 	struct sk_buff *msg;
19247 	struct nl80211_dump_wiphy_state state = {};
19248 
19249 	WARN_ON(cmd != NL80211_CMD_NEW_WIPHY &&
19250 		cmd != NL80211_CMD_DEL_WIPHY);
19251 
19252 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
19253 	if (!msg)
19254 		return;
19255 
19256 	if (nl80211_send_wiphy(rdev, cmd, msg, 0, 0, 0, &state) < 0) {
19257 		nlmsg_free(msg);
19258 		return;
19259 	}
19260 
19261 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
19262 				NL80211_MCGRP_CONFIG, GFP_KERNEL);
19263 }
19264 
19265 void nl80211_notify_iface(struct cfg80211_registered_device *rdev,
19266 				struct wireless_dev *wdev,
19267 				enum nl80211_commands cmd)
19268 {
19269 	struct sk_buff *msg;
19270 
19271 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
19272 	if (!msg)
19273 		return;
19274 
19275 	if (nl80211_send_iface(msg, 0, 0, 0, rdev, wdev, cmd) < 0) {
19276 		nlmsg_free(msg);
19277 		return;
19278 	}
19279 
19280 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
19281 				NL80211_MCGRP_CONFIG, GFP_KERNEL);
19282 }
19283 
19284 static int nl80211_add_scan_req(struct sk_buff *msg,
19285 				struct cfg80211_registered_device *rdev)
19286 {
19287 	struct cfg80211_scan_request_int *req = rdev->scan_req;
19288 	struct nlattr *nest;
19289 	int i;
19290 	struct cfg80211_scan_info *info;
19291 
19292 	if (WARN_ON(!req))
19293 		return 0;
19294 
19295 	nest = nla_nest_start_noflag(msg, NL80211_ATTR_SCAN_SSIDS);
19296 	if (!nest)
19297 		goto nla_put_failure;
19298 	for (i = 0; i < req->req.n_ssids; i++) {
19299 		if (nla_put(msg, i, req->req.ssids[i].ssid_len,
19300 			    req->req.ssids[i].ssid))
19301 			goto nla_put_failure;
19302 	}
19303 	nla_nest_end(msg, nest);
19304 
19305 	if (req->req.flags & NL80211_SCAN_FLAG_FREQ_KHZ) {
19306 		nest = nla_nest_start(msg, NL80211_ATTR_SCAN_FREQ_KHZ);
19307 		if (!nest)
19308 			goto nla_put_failure;
19309 		for (i = 0; i < req->req.n_channels; i++) {
19310 			if (nla_put_u32(msg, i,
19311 					ieee80211_channel_to_khz(req->req.channels[i])))
19312 				goto nla_put_failure;
19313 		}
19314 		nla_nest_end(msg, nest);
19315 	} else {
19316 		nest = nla_nest_start_noflag(msg,
19317 					     NL80211_ATTR_SCAN_FREQUENCIES);
19318 		if (!nest)
19319 			goto nla_put_failure;
19320 		for (i = 0; i < req->req.n_channels; i++) {
19321 			if (nla_put_u32(msg, i,
19322 					req->req.channels[i]->center_freq))
19323 				goto nla_put_failure;
19324 		}
19325 		nla_nest_end(msg, nest);
19326 	}
19327 
19328 	if (req->req.ie &&
19329 	    nla_put(msg, NL80211_ATTR_IE, req->req.ie_len, req->req.ie))
19330 		goto nla_put_failure;
19331 
19332 	if (req->req.flags &&
19333 	    nla_put_u32(msg, NL80211_ATTR_SCAN_FLAGS, req->req.flags))
19334 		goto nla_put_failure;
19335 
19336 	info = rdev->int_scan_req ? &rdev->int_scan_req->info :
19337 		&rdev->scan_req->info;
19338 	if (info->scan_start_tsf &&
19339 	    (nla_put_u64_64bit(msg, NL80211_ATTR_SCAN_START_TIME_TSF,
19340 			       info->scan_start_tsf, NL80211_BSS_PAD) ||
19341 	     nla_put(msg, NL80211_ATTR_SCAN_START_TIME_TSF_BSSID, ETH_ALEN,
19342 		     info->tsf_bssid)))
19343 		goto nla_put_failure;
19344 
19345 	return 0;
19346  nla_put_failure:
19347 	return -ENOBUFS;
19348 }
19349 
19350 static int nl80211_prep_scan_msg(struct sk_buff *msg,
19351 				 struct cfg80211_registered_device *rdev,
19352 				 struct wireless_dev *wdev,
19353 				 u32 portid, u32 seq, int flags,
19354 				 u32 cmd)
19355 {
19356 	void *hdr;
19357 
19358 	hdr = nl80211hdr_put(msg, portid, seq, flags, cmd);
19359 	if (!hdr)
19360 		return -1;
19361 
19362 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
19363 	    (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
19364 					 wdev->netdev->ifindex)) ||
19365 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
19366 			      NL80211_ATTR_PAD))
19367 		goto nla_put_failure;
19368 
19369 	/* ignore errors and send incomplete event anyway */
19370 	nl80211_add_scan_req(msg, rdev);
19371 
19372 	genlmsg_end(msg, hdr);
19373 	return 0;
19374 
19375  nla_put_failure:
19376 	genlmsg_cancel(msg, hdr);
19377 	return -EMSGSIZE;
19378 }
19379 
19380 static int
19381 nl80211_prep_sched_scan_msg(struct sk_buff *msg,
19382 			    struct cfg80211_sched_scan_request *req, u32 cmd)
19383 {
19384 	void *hdr;
19385 
19386 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
19387 	if (!hdr)
19388 		return -1;
19389 
19390 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY,
19391 			wiphy_to_rdev(req->wiphy)->wiphy_idx) ||
19392 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, req->dev->ifindex) ||
19393 	    nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, req->reqid,
19394 			      NL80211_ATTR_PAD))
19395 		goto nla_put_failure;
19396 
19397 	genlmsg_end(msg, hdr);
19398 	return 0;
19399 
19400  nla_put_failure:
19401 	genlmsg_cancel(msg, hdr);
19402 	return -EMSGSIZE;
19403 }
19404 
19405 void nl80211_send_scan_start(struct cfg80211_registered_device *rdev,
19406 			     struct wireless_dev *wdev)
19407 {
19408 	struct sk_buff *msg;
19409 
19410 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
19411 	if (!msg)
19412 		return;
19413 
19414 	if (nl80211_prep_scan_msg(msg, rdev, wdev, 0, 0, 0,
19415 				  NL80211_CMD_TRIGGER_SCAN) < 0) {
19416 		nlmsg_free(msg);
19417 		return;
19418 	}
19419 
19420 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
19421 				NL80211_MCGRP_SCAN, GFP_KERNEL);
19422 }
19423 
19424 struct sk_buff *nl80211_build_scan_msg(struct cfg80211_registered_device *rdev,
19425 				       struct wireless_dev *wdev, bool aborted)
19426 {
19427 	struct sk_buff *msg;
19428 
19429 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
19430 	if (!msg)
19431 		return NULL;
19432 
19433 	if (nl80211_prep_scan_msg(msg, rdev, wdev, 0, 0, 0,
19434 				  aborted ? NL80211_CMD_SCAN_ABORTED :
19435 					    NL80211_CMD_NEW_SCAN_RESULTS) < 0) {
19436 		nlmsg_free(msg);
19437 		return NULL;
19438 	}
19439 
19440 	return msg;
19441 }
19442 
19443 /* send message created by nl80211_build_scan_msg() */
19444 void nl80211_send_scan_msg(struct cfg80211_registered_device *rdev,
19445 			   struct sk_buff *msg)
19446 {
19447 	if (!msg)
19448 		return;
19449 
19450 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
19451 				NL80211_MCGRP_SCAN, GFP_KERNEL);
19452 }
19453 
19454 void nl80211_send_sched_scan(struct cfg80211_sched_scan_request *req, u32 cmd)
19455 {
19456 	struct sk_buff *msg;
19457 
19458 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
19459 	if (!msg)
19460 		return;
19461 
19462 	if (nl80211_prep_sched_scan_msg(msg, req, cmd) < 0) {
19463 		nlmsg_free(msg);
19464 		return;
19465 	}
19466 
19467 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(req->wiphy), msg, 0,
19468 				NL80211_MCGRP_SCAN, GFP_KERNEL);
19469 }
19470 
19471 static bool nl80211_reg_change_event_fill(struct sk_buff *msg,
19472 					  struct regulatory_request *request)
19473 {
19474 	/* Userspace can always count this one always being set */
19475 	if (nla_put_u8(msg, NL80211_ATTR_REG_INITIATOR, request->initiator))
19476 		goto nla_put_failure;
19477 
19478 	if (request->alpha2[0] == '0' && request->alpha2[1] == '0') {
19479 		if (nla_put_u8(msg, NL80211_ATTR_REG_TYPE,
19480 			       NL80211_REGDOM_TYPE_WORLD))
19481 			goto nla_put_failure;
19482 	} else if (request->alpha2[0] == '9' && request->alpha2[1] == '9') {
19483 		if (nla_put_u8(msg, NL80211_ATTR_REG_TYPE,
19484 			       NL80211_REGDOM_TYPE_CUSTOM_WORLD))
19485 			goto nla_put_failure;
19486 	} else if ((request->alpha2[0] == '9' && request->alpha2[1] == '8') ||
19487 		   request->intersect) {
19488 		if (nla_put_u8(msg, NL80211_ATTR_REG_TYPE,
19489 			       NL80211_REGDOM_TYPE_INTERSECTION))
19490 			goto nla_put_failure;
19491 	} else {
19492 		if (nla_put_u8(msg, NL80211_ATTR_REG_TYPE,
19493 			       NL80211_REGDOM_TYPE_COUNTRY) ||
19494 		    nla_put_string(msg, NL80211_ATTR_REG_ALPHA2,
19495 				   request->alpha2))
19496 			goto nla_put_failure;
19497 	}
19498 
19499 	if (request->wiphy_idx != WIPHY_IDX_INVALID) {
19500 		struct wiphy *wiphy = wiphy_idx_to_wiphy(request->wiphy_idx);
19501 
19502 		if (wiphy &&
19503 		    nla_put_u32(msg, NL80211_ATTR_WIPHY, request->wiphy_idx))
19504 			goto nla_put_failure;
19505 
19506 		if (wiphy &&
19507 		    wiphy->regulatory_flags & REGULATORY_WIPHY_SELF_MANAGED &&
19508 		    nla_put_flag(msg, NL80211_ATTR_WIPHY_SELF_MANAGED_REG))
19509 			goto nla_put_failure;
19510 	}
19511 
19512 	return true;
19513 
19514 nla_put_failure:
19515 	return false;
19516 }
19517 
19518 /*
19519  * This can happen on global regulatory changes or device specific settings
19520  * based on custom regulatory domains.
19521  */
19522 void nl80211_common_reg_change_event(enum nl80211_commands cmd_id,
19523 				     struct regulatory_request *request)
19524 {
19525 	struct sk_buff *msg;
19526 	void *hdr;
19527 
19528 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
19529 	if (!msg)
19530 		return;
19531 
19532 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd_id);
19533 	if (!hdr)
19534 		goto nla_put_failure;
19535 
19536 	if (!nl80211_reg_change_event_fill(msg, request))
19537 		goto nla_put_failure;
19538 
19539 	genlmsg_end(msg, hdr);
19540 
19541 	genlmsg_multicast_allns(&nl80211_fam, msg, 0,
19542 				NL80211_MCGRP_REGULATORY);
19543 
19544 	return;
19545 
19546 nla_put_failure:
19547 	nlmsg_free(msg);
19548 }
19549 
19550 struct nl80211_mlme_event {
19551 	enum nl80211_commands cmd;
19552 	const u8 *buf;
19553 	size_t buf_len;
19554 	int uapsd_queues;
19555 	const u8 *req_ies;
19556 	size_t req_ies_len;
19557 	bool reconnect;
19558 };
19559 
19560 static void nl80211_send_mlme_event(struct cfg80211_registered_device *rdev,
19561 				    struct net_device *netdev,
19562 				    const struct nl80211_mlme_event *event,
19563 				    gfp_t gfp)
19564 {
19565 	struct sk_buff *msg;
19566 	void *hdr;
19567 
19568 	msg = nlmsg_new(100 + event->buf_len + event->req_ies_len, gfp);
19569 	if (!msg)
19570 		return;
19571 
19572 	hdr = nl80211hdr_put(msg, 0, 0, 0, event->cmd);
19573 	if (!hdr) {
19574 		nlmsg_free(msg);
19575 		return;
19576 	}
19577 
19578 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
19579 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
19580 	    nla_put(msg, NL80211_ATTR_FRAME, event->buf_len, event->buf) ||
19581 	    (event->req_ies &&
19582 	     nla_put(msg, NL80211_ATTR_REQ_IE, event->req_ies_len,
19583 		     event->req_ies)))
19584 		goto nla_put_failure;
19585 
19586 	if (event->reconnect &&
19587 	    nla_put_flag(msg, NL80211_ATTR_RECONNECT_REQUESTED))
19588 		goto nla_put_failure;
19589 
19590 	if (event->uapsd_queues >= 0) {
19591 		struct nlattr *nla_wmm =
19592 			nla_nest_start_noflag(msg, NL80211_ATTR_STA_WME);
19593 		if (!nla_wmm)
19594 			goto nla_put_failure;
19595 
19596 		if (nla_put_u8(msg, NL80211_STA_WME_UAPSD_QUEUES,
19597 			       event->uapsd_queues))
19598 			goto nla_put_failure;
19599 
19600 		nla_nest_end(msg, nla_wmm);
19601 	}
19602 
19603 	genlmsg_end(msg, hdr);
19604 
19605 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
19606 				NL80211_MCGRP_MLME, gfp);
19607 	return;
19608 
19609  nla_put_failure:
19610 	nlmsg_free(msg);
19611 }
19612 
19613 void nl80211_send_rx_auth(struct cfg80211_registered_device *rdev,
19614 			  struct net_device *netdev, const u8 *buf,
19615 			  size_t len, gfp_t gfp)
19616 {
19617 	struct nl80211_mlme_event event = {
19618 		.cmd = NL80211_CMD_AUTHENTICATE,
19619 		.buf = buf,
19620 		.buf_len = len,
19621 		.uapsd_queues = -1,
19622 	};
19623 
19624 	nl80211_send_mlme_event(rdev, netdev, &event, gfp);
19625 }
19626 
19627 void nl80211_send_rx_assoc(struct cfg80211_registered_device *rdev,
19628 			   struct net_device *netdev,
19629 			   const struct cfg80211_rx_assoc_resp_data *data)
19630 {
19631 	struct nl80211_mlme_event event = {
19632 		.cmd = NL80211_CMD_ASSOCIATE,
19633 		.buf = data->buf,
19634 		.buf_len = data->len,
19635 		.uapsd_queues = data->uapsd_queues,
19636 		.req_ies = data->req_ies,
19637 		.req_ies_len = data->req_ies_len,
19638 	};
19639 
19640 	nl80211_send_mlme_event(rdev, netdev, &event, GFP_KERNEL);
19641 }
19642 
19643 void nl80211_send_deauth(struct cfg80211_registered_device *rdev,
19644 			 struct net_device *netdev, const u8 *buf,
19645 			 size_t len, bool reconnect, gfp_t gfp)
19646 {
19647 	struct nl80211_mlme_event event = {
19648 		.cmd = NL80211_CMD_DEAUTHENTICATE,
19649 		.buf = buf,
19650 		.buf_len = len,
19651 		.reconnect = reconnect,
19652 		.uapsd_queues = -1,
19653 	};
19654 
19655 	nl80211_send_mlme_event(rdev, netdev, &event, gfp);
19656 }
19657 
19658 void nl80211_send_disassoc(struct cfg80211_registered_device *rdev,
19659 			   struct net_device *netdev, const u8 *buf,
19660 			   size_t len, bool reconnect, gfp_t gfp)
19661 {
19662 	struct nl80211_mlme_event event = {
19663 		.cmd = NL80211_CMD_DISASSOCIATE,
19664 		.buf = buf,
19665 		.buf_len = len,
19666 		.reconnect = reconnect,
19667 		.uapsd_queues = -1,
19668 	};
19669 
19670 	nl80211_send_mlme_event(rdev, netdev, &event, gfp);
19671 }
19672 
19673 void cfg80211_rx_unprot_mlme_mgmt(struct net_device *dev, const u8 *buf,
19674 				  size_t len)
19675 {
19676 	struct wireless_dev *wdev = dev->ieee80211_ptr;
19677 	struct wiphy *wiphy = wdev->wiphy;
19678 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
19679 	const struct ieee80211_mgmt *mgmt = (void *)buf;
19680 	struct nl80211_mlme_event event = {
19681 		.buf = buf,
19682 		.buf_len = len,
19683 		.uapsd_queues = -1,
19684 	};
19685 
19686 	if (WARN_ON(len < 2))
19687 		return;
19688 
19689 	if (ieee80211_is_deauth(mgmt->frame_control)) {
19690 		event.cmd = NL80211_CMD_UNPROT_DEAUTHENTICATE;
19691 	} else if (ieee80211_is_disassoc(mgmt->frame_control)) {
19692 		event.cmd = NL80211_CMD_UNPROT_DISASSOCIATE;
19693 	} else if (ieee80211_is_beacon(mgmt->frame_control)) {
19694 		if (wdev->unprot_beacon_reported &&
19695 		    elapsed_jiffies_msecs(wdev->unprot_beacon_reported) < 10000)
19696 			return;
19697 		event.cmd = NL80211_CMD_UNPROT_BEACON;
19698 		wdev->unprot_beacon_reported = jiffies;
19699 	} else {
19700 		return;
19701 	}
19702 
19703 	trace_cfg80211_rx_unprot_mlme_mgmt(dev, buf, len);
19704 	nl80211_send_mlme_event(rdev, dev, &event, GFP_ATOMIC);
19705 }
19706 EXPORT_SYMBOL(cfg80211_rx_unprot_mlme_mgmt);
19707 
19708 static void nl80211_send_mlme_timeout(struct cfg80211_registered_device *rdev,
19709 				      struct net_device *netdev, int cmd,
19710 				      const u8 *addr, gfp_t gfp)
19711 {
19712 	struct sk_buff *msg;
19713 	void *hdr;
19714 
19715 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
19716 	if (!msg)
19717 		return;
19718 
19719 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
19720 	if (!hdr) {
19721 		nlmsg_free(msg);
19722 		return;
19723 	}
19724 
19725 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
19726 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
19727 	    nla_put_flag(msg, NL80211_ATTR_TIMED_OUT) ||
19728 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr))
19729 		goto nla_put_failure;
19730 
19731 	genlmsg_end(msg, hdr);
19732 
19733 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
19734 				NL80211_MCGRP_MLME, gfp);
19735 	return;
19736 
19737  nla_put_failure:
19738 	nlmsg_free(msg);
19739 }
19740 
19741 void nl80211_send_auth_timeout(struct cfg80211_registered_device *rdev,
19742 			       struct net_device *netdev, const u8 *addr,
19743 			       gfp_t gfp)
19744 {
19745 	nl80211_send_mlme_timeout(rdev, netdev, NL80211_CMD_AUTHENTICATE,
19746 				  addr, gfp);
19747 }
19748 
19749 void nl80211_send_assoc_timeout(struct cfg80211_registered_device *rdev,
19750 				struct net_device *netdev, const u8 *addr,
19751 				gfp_t gfp)
19752 {
19753 	nl80211_send_mlme_timeout(rdev, netdev, NL80211_CMD_ASSOCIATE,
19754 				  addr, gfp);
19755 }
19756 
19757 void nl80211_send_connect_result(struct cfg80211_registered_device *rdev,
19758 				 struct net_device *netdev,
19759 				 struct cfg80211_connect_resp_params *cr,
19760 				 gfp_t gfp)
19761 {
19762 	struct sk_buff *msg;
19763 	void *hdr;
19764 	unsigned int link;
19765 	size_t link_info_size = 0;
19766 	const u8 *connected_addr = cr->valid_links ?
19767 				   cr->ap_mld_addr : cr->links[0].bssid;
19768 
19769 	if (cr->valid_links) {
19770 		for_each_valid_link(cr, link) {
19771 			/* Nested attribute header */
19772 			link_info_size += NLA_HDRLEN;
19773 			/* Link ID */
19774 			link_info_size += nla_total_size(sizeof(u8));
19775 			link_info_size += cr->links[link].addr ?
19776 					  nla_total_size(ETH_ALEN) : 0;
19777 			link_info_size += (cr->links[link].bssid ||
19778 					   cr->links[link].bss) ?
19779 					  nla_total_size(ETH_ALEN) : 0;
19780 			link_info_size += nla_total_size(sizeof(u16));
19781 		}
19782 	}
19783 
19784 	msg = nlmsg_new(100 + cr->req_ie_len + cr->resp_ie_len +
19785 			cr->fils.kek_len + cr->fils.pmk_len +
19786 			(cr->fils.pmkid ? WLAN_PMKID_LEN : 0) + link_info_size,
19787 			gfp);
19788 	if (!msg)
19789 		return;
19790 
19791 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_CONNECT);
19792 	if (!hdr) {
19793 		nlmsg_free(msg);
19794 		return;
19795 	}
19796 
19797 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
19798 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
19799 	    (connected_addr &&
19800 	     nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, connected_addr)) ||
19801 	    nla_put_u16(msg, NL80211_ATTR_STATUS_CODE,
19802 			cr->status < 0 ? WLAN_STATUS_UNSPECIFIED_FAILURE :
19803 			cr->status) ||
19804 	    (cr->status < 0 &&
19805 	     (nla_put_flag(msg, NL80211_ATTR_TIMED_OUT) ||
19806 	      nla_put_u32(msg, NL80211_ATTR_TIMEOUT_REASON,
19807 			  cr->timeout_reason))) ||
19808 	    (cr->req_ie &&
19809 	     nla_put(msg, NL80211_ATTR_REQ_IE, cr->req_ie_len, cr->req_ie)) ||
19810 	    (cr->resp_ie &&
19811 	     nla_put(msg, NL80211_ATTR_RESP_IE, cr->resp_ie_len,
19812 		     cr->resp_ie)) ||
19813 	    (cr->fils.update_erp_next_seq_num &&
19814 	     nla_put_u16(msg, NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM,
19815 			 cr->fils.erp_next_seq_num)) ||
19816 	    (cr->status == WLAN_STATUS_SUCCESS &&
19817 	     ((cr->fils.kek &&
19818 	       nla_put(msg, NL80211_ATTR_FILS_KEK, cr->fils.kek_len,
19819 		       cr->fils.kek)) ||
19820 	      (cr->fils.pmk &&
19821 	       nla_put(msg, NL80211_ATTR_PMK, cr->fils.pmk_len, cr->fils.pmk)) ||
19822 	      (cr->fils.pmkid &&
19823 	       nla_put(msg, NL80211_ATTR_PMKID, WLAN_PMKID_LEN, cr->fils.pmkid)))))
19824 		goto nla_put_failure;
19825 
19826 	if (cr->valid_links) {
19827 		int i = 1;
19828 		struct nlattr *nested;
19829 
19830 		nested = nla_nest_start(msg, NL80211_ATTR_MLO_LINKS);
19831 		if (!nested)
19832 			goto nla_put_failure;
19833 
19834 		for_each_valid_link(cr, link) {
19835 			struct nlattr *nested_mlo_links;
19836 			const u8 *bssid = cr->links[link].bss ?
19837 					  cr->links[link].bss->bssid :
19838 					  cr->links[link].bssid;
19839 
19840 			nested_mlo_links = nla_nest_start(msg, i);
19841 			if (!nested_mlo_links)
19842 				goto nla_put_failure;
19843 
19844 			if (nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID, link) ||
19845 			    (bssid &&
19846 			     nla_put(msg, NL80211_ATTR_BSSID, ETH_ALEN, bssid)) ||
19847 			    (cr->links[link].addr &&
19848 			     nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN,
19849 				     cr->links[link].addr)) ||
19850 			    nla_put_u16(msg, NL80211_ATTR_STATUS_CODE,
19851 					cr->links[link].status))
19852 				goto nla_put_failure;
19853 
19854 			nla_nest_end(msg, nested_mlo_links);
19855 			i++;
19856 		}
19857 		nla_nest_end(msg, nested);
19858 	}
19859 
19860 	genlmsg_end(msg, hdr);
19861 
19862 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
19863 				NL80211_MCGRP_MLME, gfp);
19864 	return;
19865 
19866  nla_put_failure:
19867 	nlmsg_free(msg);
19868 }
19869 
19870 void nl80211_send_roamed(struct cfg80211_registered_device *rdev,
19871 			 struct net_device *netdev,
19872 			 struct cfg80211_roam_info *info, gfp_t gfp)
19873 {
19874 	struct sk_buff *msg;
19875 	void *hdr;
19876 	size_t link_info_size = 0;
19877 	unsigned int link;
19878 	const u8 *connected_addr = info->ap_mld_addr ?
19879 				   info->ap_mld_addr :
19880 				   (info->links[0].bss ?
19881 				    info->links[0].bss->bssid :
19882 				    info->links[0].bssid);
19883 
19884 	if (info->valid_links) {
19885 		for_each_valid_link(info, link) {
19886 			/* Nested attribute header */
19887 			link_info_size += NLA_HDRLEN;
19888 			/* Link ID */
19889 			link_info_size += nla_total_size(sizeof(u8));
19890 			link_info_size += info->links[link].addr ?
19891 					  nla_total_size(ETH_ALEN) : 0;
19892 			link_info_size += (info->links[link].bssid ||
19893 					   info->links[link].bss) ?
19894 					  nla_total_size(ETH_ALEN) : 0;
19895 		}
19896 	}
19897 
19898 	msg = nlmsg_new(100 + info->req_ie_len + info->resp_ie_len +
19899 			info->fils.kek_len + info->fils.pmk_len +
19900 			(info->fils.pmkid ? WLAN_PMKID_LEN : 0) +
19901 			link_info_size, gfp);
19902 	if (!msg)
19903 		return;
19904 
19905 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_ROAM);
19906 	if (!hdr) {
19907 		nlmsg_free(msg);
19908 		return;
19909 	}
19910 
19911 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
19912 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
19913 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, connected_addr) ||
19914 	    (info->req_ie &&
19915 	     nla_put(msg, NL80211_ATTR_REQ_IE, info->req_ie_len,
19916 		     info->req_ie)) ||
19917 	    (info->resp_ie &&
19918 	     nla_put(msg, NL80211_ATTR_RESP_IE, info->resp_ie_len,
19919 		     info->resp_ie)) ||
19920 	    (info->fils.update_erp_next_seq_num &&
19921 	     nla_put_u16(msg, NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM,
19922 			 info->fils.erp_next_seq_num)) ||
19923 	    (info->fils.kek &&
19924 	     nla_put(msg, NL80211_ATTR_FILS_KEK, info->fils.kek_len,
19925 		     info->fils.kek)) ||
19926 	    (info->fils.pmk &&
19927 	     nla_put(msg, NL80211_ATTR_PMK, info->fils.pmk_len, info->fils.pmk)) ||
19928 	    (info->fils.pmkid &&
19929 	     nla_put(msg, NL80211_ATTR_PMKID, WLAN_PMKID_LEN, info->fils.pmkid)))
19930 		goto nla_put_failure;
19931 
19932 	if (info->valid_links) {
19933 		int i = 1;
19934 		struct nlattr *nested;
19935 
19936 		nested = nla_nest_start(msg, NL80211_ATTR_MLO_LINKS);
19937 		if (!nested)
19938 			goto nla_put_failure;
19939 
19940 		for_each_valid_link(info, link) {
19941 			struct nlattr *nested_mlo_links;
19942 			const u8 *bssid = info->links[link].bss ?
19943 					  info->links[link].bss->bssid :
19944 					  info->links[link].bssid;
19945 
19946 			nested_mlo_links = nla_nest_start(msg, i);
19947 			if (!nested_mlo_links)
19948 				goto nla_put_failure;
19949 
19950 			if (nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID, link) ||
19951 			    (bssid &&
19952 			     nla_put(msg, NL80211_ATTR_BSSID, ETH_ALEN, bssid)) ||
19953 			    (info->links[link].addr &&
19954 			     nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN,
19955 				     info->links[link].addr)))
19956 				goto nla_put_failure;
19957 
19958 			nla_nest_end(msg, nested_mlo_links);
19959 			i++;
19960 		}
19961 		nla_nest_end(msg, nested);
19962 	}
19963 
19964 	genlmsg_end(msg, hdr);
19965 
19966 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
19967 				NL80211_MCGRP_MLME, gfp);
19968 	return;
19969 
19970  nla_put_failure:
19971 	nlmsg_free(msg);
19972 }
19973 
19974 void nl80211_send_port_authorized(struct cfg80211_registered_device *rdev,
19975 				  struct net_device *netdev, const u8 *peer_addr,
19976 				  const u8 *td_bitmap, u8 td_bitmap_len)
19977 {
19978 	struct sk_buff *msg;
19979 	void *hdr;
19980 
19981 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
19982 	if (!msg)
19983 		return;
19984 
19985 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_PORT_AUTHORIZED);
19986 	if (!hdr) {
19987 		nlmsg_free(msg);
19988 		return;
19989 	}
19990 
19991 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
19992 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
19993 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, peer_addr))
19994 		goto nla_put_failure;
19995 
19996 	if (td_bitmap_len > 0 && td_bitmap &&
19997 	    nla_put(msg, NL80211_ATTR_TD_BITMAP, td_bitmap_len, td_bitmap))
19998 		goto nla_put_failure;
19999 
20000 	genlmsg_end(msg, hdr);
20001 
20002 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
20003 				NL80211_MCGRP_MLME, GFP_KERNEL);
20004 	return;
20005 
20006  nla_put_failure:
20007 	nlmsg_free(msg);
20008 }
20009 
20010 void nl80211_send_disconnected(struct cfg80211_registered_device *rdev,
20011 			       struct net_device *netdev, u16 reason,
20012 			       const u8 *ie, size_t ie_len, bool from_ap)
20013 {
20014 	struct sk_buff *msg;
20015 	void *hdr;
20016 
20017 	msg = nlmsg_new(100 + ie_len, GFP_KERNEL);
20018 	if (!msg)
20019 		return;
20020 
20021 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_DISCONNECT);
20022 	if (!hdr) {
20023 		nlmsg_free(msg);
20024 		return;
20025 	}
20026 
20027 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
20028 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
20029 	    (reason &&
20030 	     nla_put_u16(msg, NL80211_ATTR_REASON_CODE, reason)) ||
20031 	    (from_ap &&
20032 	     nla_put_flag(msg, NL80211_ATTR_DISCONNECTED_BY_AP)) ||
20033 	    (ie && nla_put(msg, NL80211_ATTR_IE, ie_len, ie)))
20034 		goto nla_put_failure;
20035 
20036 	genlmsg_end(msg, hdr);
20037 
20038 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
20039 				NL80211_MCGRP_MLME, GFP_KERNEL);
20040 	return;
20041 
20042  nla_put_failure:
20043 	nlmsg_free(msg);
20044 }
20045 
20046 void cfg80211_links_removed(struct net_device *dev, u16 link_mask)
20047 {
20048 	struct wireless_dev *wdev = dev->ieee80211_ptr;
20049 	struct wiphy *wiphy = wdev->wiphy;
20050 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
20051 	struct sk_buff *msg;
20052 	struct nlattr *links;
20053 	void *hdr;
20054 
20055 	lockdep_assert_wiphy(wdev->wiphy);
20056 	trace_cfg80211_links_removed(dev, link_mask);
20057 
20058 	if (WARN_ON(wdev->iftype != NL80211_IFTYPE_STATION &&
20059 		    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT))
20060 		return;
20061 
20062 	if (WARN_ON(!wdev->valid_links || !link_mask ||
20063 		    (wdev->valid_links & link_mask) != link_mask ||
20064 		    wdev->valid_links == link_mask))
20065 		return;
20066 
20067 	cfg80211_wdev_release_link_bsses(wdev, link_mask);
20068 	wdev->valid_links &= ~link_mask;
20069 
20070 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
20071 	if (!msg)
20072 		return;
20073 
20074 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_LINKS_REMOVED);
20075 	if (!hdr) {
20076 		nlmsg_free(msg);
20077 		return;
20078 	}
20079 
20080 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
20081 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
20082 		goto nla_put_failure;
20083 
20084 	links = nla_nest_start(msg, NL80211_ATTR_MLO_LINKS);
20085 	if (!links)
20086 		goto nla_put_failure;
20087 
20088 	while (link_mask) {
20089 		struct nlattr *link;
20090 		int link_id = __ffs(link_mask);
20091 
20092 		link = nla_nest_start(msg, link_id + 1);
20093 		if (!link)
20094 			goto nla_put_failure;
20095 
20096 		if (nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID, link_id))
20097 			goto nla_put_failure;
20098 
20099 		nla_nest_end(msg, link);
20100 		link_mask &= ~(1 << link_id);
20101 	}
20102 
20103 	nla_nest_end(msg, links);
20104 
20105 	genlmsg_end(msg, hdr);
20106 
20107 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
20108 				NL80211_MCGRP_MLME, GFP_KERNEL);
20109 	return;
20110 
20111  nla_put_failure:
20112 	nlmsg_free(msg);
20113 }
20114 EXPORT_SYMBOL(cfg80211_links_removed);
20115 
20116 void nl80211_mlo_reconf_add_done(struct net_device *dev,
20117 				 struct cfg80211_mlo_reconf_done_data *data)
20118 {
20119 	struct wireless_dev *wdev = dev->ieee80211_ptr;
20120 	struct wiphy *wiphy = wdev->wiphy;
20121 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
20122 	struct nl80211_mlme_event event = {
20123 		.cmd = NL80211_CMD_ASSOC_MLO_RECONF,
20124 		.buf = data->buf,
20125 		.buf_len = data->len,
20126 		.uapsd_queues = -1,
20127 	};
20128 
20129 	nl80211_send_mlme_event(rdev, dev, &event, GFP_KERNEL);
20130 }
20131 EXPORT_SYMBOL(nl80211_mlo_reconf_add_done);
20132 
20133 void nl80211_send_ibss_bssid(struct cfg80211_registered_device *rdev,
20134 			     struct net_device *netdev, const u8 *bssid,
20135 			     gfp_t gfp)
20136 {
20137 	struct sk_buff *msg;
20138 	void *hdr;
20139 
20140 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
20141 	if (!msg)
20142 		return;
20143 
20144 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_JOIN_IBSS);
20145 	if (!hdr) {
20146 		nlmsg_free(msg);
20147 		return;
20148 	}
20149 
20150 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
20151 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
20152 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, bssid))
20153 		goto nla_put_failure;
20154 
20155 	genlmsg_end(msg, hdr);
20156 
20157 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
20158 				NL80211_MCGRP_MLME, gfp);
20159 	return;
20160 
20161  nla_put_failure:
20162 	nlmsg_free(msg);
20163 }
20164 
20165 void cfg80211_notify_new_peer_candidate(struct net_device *dev, const u8 *addr,
20166 					const u8 *ie, u8 ie_len,
20167 					int sig_dbm, gfp_t gfp)
20168 {
20169 	struct wireless_dev *wdev = dev->ieee80211_ptr;
20170 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
20171 	struct sk_buff *msg;
20172 	void *hdr;
20173 
20174 	if (WARN_ON(wdev->iftype != NL80211_IFTYPE_MESH_POINT))
20175 		return;
20176 
20177 	trace_cfg80211_notify_new_peer_candidate(dev, addr);
20178 
20179 	msg = nlmsg_new(100 + ie_len, gfp);
20180 	if (!msg)
20181 		return;
20182 
20183 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_NEW_PEER_CANDIDATE);
20184 	if (!hdr) {
20185 		nlmsg_free(msg);
20186 		return;
20187 	}
20188 
20189 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
20190 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
20191 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr) ||
20192 	    (ie_len && ie &&
20193 	     nla_put(msg, NL80211_ATTR_IE, ie_len, ie)) ||
20194 	    (sig_dbm &&
20195 	     nla_put_u32(msg, NL80211_ATTR_RX_SIGNAL_DBM, sig_dbm)))
20196 		goto nla_put_failure;
20197 
20198 	genlmsg_end(msg, hdr);
20199 
20200 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
20201 				NL80211_MCGRP_MLME, gfp);
20202 	return;
20203 
20204  nla_put_failure:
20205 	nlmsg_free(msg);
20206 }
20207 EXPORT_SYMBOL(cfg80211_notify_new_peer_candidate);
20208 
20209 void nl80211_michael_mic_failure(struct cfg80211_registered_device *rdev,
20210 				 struct net_device *netdev, const u8 *addr,
20211 				 enum nl80211_key_type key_type, int key_id,
20212 				 const u8 *tsc, gfp_t gfp)
20213 {
20214 	struct sk_buff *msg;
20215 	void *hdr;
20216 
20217 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
20218 	if (!msg)
20219 		return;
20220 
20221 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_MICHAEL_MIC_FAILURE);
20222 	if (!hdr) {
20223 		nlmsg_free(msg);
20224 		return;
20225 	}
20226 
20227 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
20228 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
20229 	    (addr && nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr)) ||
20230 	    nla_put_u32(msg, NL80211_ATTR_KEY_TYPE, key_type) ||
20231 	    (key_id != -1 &&
20232 	     nla_put_u8(msg, NL80211_ATTR_KEY_IDX, key_id)) ||
20233 	    (tsc && nla_put(msg, NL80211_ATTR_KEY_SEQ, 6, tsc)))
20234 		goto nla_put_failure;
20235 
20236 	genlmsg_end(msg, hdr);
20237 
20238 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
20239 				NL80211_MCGRP_MLME, gfp);
20240 	return;
20241 
20242  nla_put_failure:
20243 	nlmsg_free(msg);
20244 }
20245 
20246 void nl80211_send_beacon_hint_event(struct wiphy *wiphy,
20247 				    struct ieee80211_channel *channel_before,
20248 				    struct ieee80211_channel *channel_after)
20249 {
20250 	struct sk_buff *msg;
20251 	void *hdr;
20252 	struct nlattr *nl_freq;
20253 
20254 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_ATOMIC);
20255 	if (!msg)
20256 		return;
20257 
20258 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_REG_BEACON_HINT);
20259 	if (!hdr) {
20260 		nlmsg_free(msg);
20261 		return;
20262 	}
20263 
20264 	/*
20265 	 * Since we are applying the beacon hint to a wiphy we know its
20266 	 * wiphy_idx is valid
20267 	 */
20268 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, get_wiphy_idx(wiphy)))
20269 		goto nla_put_failure;
20270 
20271 	/* Before */
20272 	nl_freq = nla_nest_start_noflag(msg, NL80211_ATTR_FREQ_BEFORE);
20273 	if (!nl_freq)
20274 		goto nla_put_failure;
20275 
20276 	if (nl80211_msg_put_channel(msg, wiphy, channel_before, false))
20277 		goto nla_put_failure;
20278 	nla_nest_end(msg, nl_freq);
20279 
20280 	/* After */
20281 	nl_freq = nla_nest_start_noflag(msg, NL80211_ATTR_FREQ_AFTER);
20282 	if (!nl_freq)
20283 		goto nla_put_failure;
20284 
20285 	if (nl80211_msg_put_channel(msg, wiphy, channel_after, false))
20286 		goto nla_put_failure;
20287 	nla_nest_end(msg, nl_freq);
20288 
20289 	genlmsg_end(msg, hdr);
20290 
20291 	genlmsg_multicast_allns(&nl80211_fam, msg, 0,
20292 				NL80211_MCGRP_REGULATORY);
20293 
20294 	return;
20295 
20296 nla_put_failure:
20297 	nlmsg_free(msg);
20298 }
20299 
20300 static void nl80211_send_remain_on_chan_event(
20301 	int cmd, struct cfg80211_registered_device *rdev,
20302 	struct wireless_dev *wdev, u64 cookie,
20303 	struct ieee80211_channel *chan,
20304 	unsigned int duration, gfp_t gfp)
20305 {
20306 	struct sk_buff *msg;
20307 	void *hdr;
20308 
20309 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
20310 	if (!msg)
20311 		return;
20312 
20313 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
20314 	if (!hdr) {
20315 		nlmsg_free(msg);
20316 		return;
20317 	}
20318 
20319 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
20320 	    (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
20321 					 wdev->netdev->ifindex)) ||
20322 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
20323 			      NL80211_ATTR_PAD) ||
20324 	    nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ, chan->center_freq) ||
20325 	    nla_put_u32(msg, NL80211_ATTR_WIPHY_CHANNEL_TYPE,
20326 			NL80211_CHAN_NO_HT) ||
20327 	    nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
20328 			      NL80211_ATTR_PAD))
20329 		goto nla_put_failure;
20330 
20331 	if (cmd == NL80211_CMD_REMAIN_ON_CHANNEL &&
20332 	    nla_put_u32(msg, NL80211_ATTR_DURATION, duration))
20333 		goto nla_put_failure;
20334 
20335 	genlmsg_end(msg, hdr);
20336 
20337 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
20338 				NL80211_MCGRP_MLME, gfp);
20339 	return;
20340 
20341  nla_put_failure:
20342 	nlmsg_free(msg);
20343 }
20344 
20345 void cfg80211_assoc_comeback(struct net_device *netdev,
20346 			     const u8 *ap_addr, u32 timeout)
20347 {
20348 	struct wireless_dev *wdev = netdev->ieee80211_ptr;
20349 	struct wiphy *wiphy = wdev->wiphy;
20350 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
20351 	struct sk_buff *msg;
20352 	void *hdr;
20353 
20354 	trace_cfg80211_assoc_comeback(wdev, ap_addr, timeout);
20355 
20356 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
20357 	if (!msg)
20358 		return;
20359 
20360 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_ASSOC_COMEBACK);
20361 	if (!hdr) {
20362 		nlmsg_free(msg);
20363 		return;
20364 	}
20365 
20366 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
20367 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
20368 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, ap_addr) ||
20369 	    nla_put_u32(msg, NL80211_ATTR_TIMEOUT, timeout))
20370 		goto nla_put_failure;
20371 
20372 	genlmsg_end(msg, hdr);
20373 
20374 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
20375 				NL80211_MCGRP_MLME, GFP_KERNEL);
20376 	return;
20377 
20378  nla_put_failure:
20379 	nlmsg_free(msg);
20380 }
20381 EXPORT_SYMBOL(cfg80211_assoc_comeback);
20382 
20383 void cfg80211_ready_on_channel(struct wireless_dev *wdev, u64 cookie,
20384 			       struct ieee80211_channel *chan,
20385 			       unsigned int duration, gfp_t gfp)
20386 {
20387 	struct wiphy *wiphy = wdev->wiphy;
20388 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
20389 
20390 	trace_cfg80211_ready_on_channel(wdev, cookie, chan, duration);
20391 	nl80211_send_remain_on_chan_event(NL80211_CMD_REMAIN_ON_CHANNEL,
20392 					  rdev, wdev, cookie, chan,
20393 					  duration, gfp);
20394 }
20395 EXPORT_SYMBOL(cfg80211_ready_on_channel);
20396 
20397 void cfg80211_remain_on_channel_expired(struct wireless_dev *wdev, u64 cookie,
20398 					struct ieee80211_channel *chan,
20399 					gfp_t gfp)
20400 {
20401 	struct wiphy *wiphy = wdev->wiphy;
20402 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
20403 
20404 	trace_cfg80211_ready_on_channel_expired(wdev, cookie, chan);
20405 	nl80211_send_remain_on_chan_event(NL80211_CMD_CANCEL_REMAIN_ON_CHANNEL,
20406 					  rdev, wdev, cookie, chan, 0, gfp);
20407 }
20408 EXPORT_SYMBOL(cfg80211_remain_on_channel_expired);
20409 
20410 void cfg80211_tx_mgmt_expired(struct wireless_dev *wdev, u64 cookie,
20411 					struct ieee80211_channel *chan,
20412 					gfp_t gfp)
20413 {
20414 	struct wiphy *wiphy = wdev->wiphy;
20415 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
20416 
20417 	trace_cfg80211_tx_mgmt_expired(wdev, cookie, chan);
20418 	nl80211_send_remain_on_chan_event(NL80211_CMD_FRAME_WAIT_CANCEL,
20419 					  rdev, wdev, cookie, chan, 0, gfp);
20420 }
20421 EXPORT_SYMBOL(cfg80211_tx_mgmt_expired);
20422 
20423 void cfg80211_new_sta(struct wireless_dev *wdev, const u8 *mac_addr,
20424 		      struct station_info *sinfo, gfp_t gfp)
20425 {
20426 	struct wiphy *wiphy = wdev->wiphy;
20427 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
20428 	struct sk_buff *msg;
20429 
20430 	trace_cfg80211_new_sta(wdev, mac_addr, sinfo);
20431 
20432 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
20433 	if (!msg)
20434 		return;
20435 
20436 	if (nl80211_send_station(msg, NL80211_CMD_NEW_STATION, 0, 0, 0,
20437 				 rdev, wdev, mac_addr, sinfo, false) < 0) {
20438 		nlmsg_free(msg);
20439 		return;
20440 	}
20441 
20442 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
20443 				NL80211_MCGRP_MLME, gfp);
20444 }
20445 EXPORT_SYMBOL(cfg80211_new_sta);
20446 
20447 void cfg80211_del_sta_sinfo(struct wireless_dev *wdev, const u8 *mac_addr,
20448 			    struct station_info *sinfo, gfp_t gfp)
20449 {
20450 	struct wiphy *wiphy = wdev->wiphy;
20451 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
20452 	struct sk_buff *msg;
20453 	struct station_info empty_sinfo = {};
20454 
20455 	if (!sinfo)
20456 		sinfo = &empty_sinfo;
20457 
20458 	trace_cfg80211_del_sta(wdev, mac_addr);
20459 
20460 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
20461 	if (!msg) {
20462 		cfg80211_sinfo_release_content(sinfo);
20463 		return;
20464 	}
20465 
20466 	if (nl80211_send_station(msg, NL80211_CMD_DEL_STATION, 0, 0, 0,
20467 				 rdev, wdev, mac_addr, sinfo, false) < 0) {
20468 		nlmsg_free(msg);
20469 		return;
20470 	}
20471 
20472 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
20473 				NL80211_MCGRP_MLME, gfp);
20474 }
20475 EXPORT_SYMBOL(cfg80211_del_sta_sinfo);
20476 
20477 void cfg80211_conn_failed(struct net_device *dev, const u8 *mac_addr,
20478 			  enum nl80211_connect_failed_reason reason,
20479 			  gfp_t gfp)
20480 {
20481 	struct wiphy *wiphy = dev->ieee80211_ptr->wiphy;
20482 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
20483 	struct sk_buff *msg;
20484 	void *hdr;
20485 
20486 	msg = nlmsg_new(NLMSG_GOODSIZE, gfp);
20487 	if (!msg)
20488 		return;
20489 
20490 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_CONN_FAILED);
20491 	if (!hdr) {
20492 		nlmsg_free(msg);
20493 		return;
20494 	}
20495 
20496 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
20497 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac_addr) ||
20498 	    nla_put_u32(msg, NL80211_ATTR_CONN_FAILED_REASON, reason))
20499 		goto nla_put_failure;
20500 
20501 	genlmsg_end(msg, hdr);
20502 
20503 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
20504 				NL80211_MCGRP_MLME, gfp);
20505 	return;
20506 
20507  nla_put_failure:
20508 	nlmsg_free(msg);
20509 }
20510 EXPORT_SYMBOL(cfg80211_conn_failed);
20511 
20512 static bool __nl80211_unexpected_frame(struct net_device *dev, u8 cmd,
20513 				       const u8 *addr, int link_id, gfp_t gfp)
20514 {
20515 	struct wireless_dev *wdev = dev->ieee80211_ptr;
20516 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
20517 	struct sk_buff *msg;
20518 	void *hdr;
20519 	u32 nlportid = READ_ONCE(wdev->ap_unexpected_nlportid);
20520 
20521 	if (!nlportid)
20522 		return false;
20523 
20524 	msg = nlmsg_new(100, gfp);
20525 	if (!msg)
20526 		return true;
20527 
20528 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
20529 	if (!hdr) {
20530 		nlmsg_free(msg);
20531 		return true;
20532 	}
20533 
20534 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
20535 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
20536 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr) ||
20537 	    (link_id >= 0 &&
20538 	     nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID, link_id)))
20539 		goto nla_put_failure;
20540 
20541 	genlmsg_end(msg, hdr);
20542 	genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, nlportid);
20543 	return true;
20544 
20545  nla_put_failure:
20546 	nlmsg_free(msg);
20547 	return true;
20548 }
20549 
20550 bool cfg80211_rx_spurious_frame(struct net_device *dev, const u8 *addr,
20551 				int link_id, gfp_t gfp)
20552 {
20553 	struct wireless_dev *wdev = dev->ieee80211_ptr;
20554 	bool ret;
20555 
20556 	trace_cfg80211_rx_spurious_frame(dev, addr, link_id);
20557 
20558 	if (WARN_ON(wdev->iftype != NL80211_IFTYPE_AP &&
20559 		    wdev->iftype != NL80211_IFTYPE_P2P_GO)) {
20560 		trace_cfg80211_return_bool(false);
20561 		return false;
20562 	}
20563 	ret = __nl80211_unexpected_frame(dev, NL80211_CMD_UNEXPECTED_FRAME,
20564 					 addr, link_id, gfp);
20565 	trace_cfg80211_return_bool(ret);
20566 	return ret;
20567 }
20568 EXPORT_SYMBOL(cfg80211_rx_spurious_frame);
20569 
20570 bool cfg80211_rx_unexpected_4addr_frame(struct net_device *dev, const u8 *addr,
20571 					int link_id, gfp_t gfp)
20572 {
20573 	struct wireless_dev *wdev = dev->ieee80211_ptr;
20574 	bool ret;
20575 
20576 	trace_cfg80211_rx_unexpected_4addr_frame(dev, addr, link_id);
20577 
20578 	if (WARN_ON(wdev->iftype != NL80211_IFTYPE_AP &&
20579 		    wdev->iftype != NL80211_IFTYPE_P2P_GO &&
20580 		    wdev->iftype != NL80211_IFTYPE_AP_VLAN)) {
20581 		trace_cfg80211_return_bool(false);
20582 		return false;
20583 	}
20584 	ret = __nl80211_unexpected_frame(dev,
20585 					 NL80211_CMD_UNEXPECTED_4ADDR_FRAME,
20586 					 addr, link_id, gfp);
20587 	trace_cfg80211_return_bool(ret);
20588 	return ret;
20589 }
20590 EXPORT_SYMBOL(cfg80211_rx_unexpected_4addr_frame);
20591 
20592 int nl80211_send_mgmt(struct cfg80211_registered_device *rdev,
20593 		      struct wireless_dev *wdev, u32 nlportid,
20594 		      struct cfg80211_rx_info *info, gfp_t gfp)
20595 {
20596 	struct net_device *netdev = wdev->netdev;
20597 	struct sk_buff *msg;
20598 	void *hdr;
20599 
20600 	msg = nlmsg_new(100 + info->len, gfp);
20601 	if (!msg)
20602 		return -ENOMEM;
20603 
20604 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_FRAME);
20605 	if (!hdr) {
20606 		nlmsg_free(msg);
20607 		return -ENOMEM;
20608 	}
20609 
20610 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
20611 	    (netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
20612 					netdev->ifindex)) ||
20613 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
20614 			      NL80211_ATTR_PAD) ||
20615 	    (info->have_link_id &&
20616 	     nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID, info->link_id)) ||
20617 	    nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ, KHZ_TO_MHZ(info->freq)) ||
20618 	    nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ_OFFSET, info->freq % 1000) ||
20619 	    (info->sig_dbm &&
20620 	     nla_put_u32(msg, NL80211_ATTR_RX_SIGNAL_DBM, info->sig_dbm)) ||
20621 	    nla_put(msg, NL80211_ATTR_FRAME, info->len, info->buf) ||
20622 	    (info->flags &&
20623 	     nla_put_u32(msg, NL80211_ATTR_RXMGMT_FLAGS, info->flags)) ||
20624 	    (info->rx_tstamp && nla_put_u64_64bit(msg,
20625 						  NL80211_ATTR_RX_HW_TIMESTAMP,
20626 						  info->rx_tstamp,
20627 						  NL80211_ATTR_PAD)) ||
20628 	    (info->ack_tstamp && nla_put_u64_64bit(msg,
20629 						   NL80211_ATTR_TX_HW_TIMESTAMP,
20630 						   info->ack_tstamp,
20631 						   NL80211_ATTR_PAD)))
20632 		goto nla_put_failure;
20633 
20634 	genlmsg_end(msg, hdr);
20635 
20636 	return genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, nlportid);
20637 
20638  nla_put_failure:
20639 	nlmsg_free(msg);
20640 	return -ENOBUFS;
20641 }
20642 
20643 static void nl80211_frame_tx_status(struct wireless_dev *wdev,
20644 				    struct cfg80211_tx_status *status,
20645 				    gfp_t gfp, enum nl80211_commands command)
20646 {
20647 	struct wiphy *wiphy = wdev->wiphy;
20648 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
20649 	struct net_device *netdev = wdev->netdev;
20650 	struct sk_buff *msg;
20651 	void *hdr;
20652 
20653 	if (command == NL80211_CMD_FRAME_TX_STATUS)
20654 		trace_cfg80211_mgmt_tx_status(wdev, status->cookie,
20655 					      status->ack);
20656 	else
20657 		trace_cfg80211_control_port_tx_status(wdev, status->cookie,
20658 						      status->ack);
20659 
20660 	msg = nlmsg_new(100 + status->len, gfp);
20661 	if (!msg)
20662 		return;
20663 
20664 	hdr = nl80211hdr_put(msg, 0, 0, 0, command);
20665 	if (!hdr) {
20666 		nlmsg_free(msg);
20667 		return;
20668 	}
20669 
20670 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
20671 	    (netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
20672 				   netdev->ifindex)) ||
20673 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
20674 			      NL80211_ATTR_PAD) ||
20675 	    nla_put(msg, NL80211_ATTR_FRAME, status->len, status->buf) ||
20676 	    nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, status->cookie,
20677 			      NL80211_ATTR_PAD) ||
20678 	    (status->ack && nla_put_flag(msg, NL80211_ATTR_ACK)) ||
20679 	    (status->tx_tstamp &&
20680 	     nla_put_u64_64bit(msg, NL80211_ATTR_TX_HW_TIMESTAMP,
20681 			       status->tx_tstamp, NL80211_ATTR_PAD)) ||
20682 	    (status->ack_tstamp &&
20683 	     nla_put_u64_64bit(msg, NL80211_ATTR_RX_HW_TIMESTAMP,
20684 			       status->ack_tstamp, NL80211_ATTR_PAD)))
20685 		goto nla_put_failure;
20686 
20687 	genlmsg_end(msg, hdr);
20688 
20689 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
20690 				NL80211_MCGRP_MLME, gfp);
20691 	return;
20692 
20693 nla_put_failure:
20694 	nlmsg_free(msg);
20695 }
20696 
20697 void cfg80211_control_port_tx_status(struct wireless_dev *wdev, u64 cookie,
20698 				     const u8 *buf, size_t len, bool ack,
20699 				     gfp_t gfp)
20700 {
20701 	struct cfg80211_tx_status status = {
20702 		.cookie = cookie,
20703 		.buf = buf,
20704 		.len = len,
20705 		.ack = ack
20706 	};
20707 
20708 	nl80211_frame_tx_status(wdev, &status, gfp,
20709 				NL80211_CMD_CONTROL_PORT_FRAME_TX_STATUS);
20710 }
20711 EXPORT_SYMBOL(cfg80211_control_port_tx_status);
20712 
20713 void cfg80211_mgmt_tx_status_ext(struct wireless_dev *wdev,
20714 				 struct cfg80211_tx_status *status, gfp_t gfp)
20715 {
20716 	nl80211_frame_tx_status(wdev, status, gfp, NL80211_CMD_FRAME_TX_STATUS);
20717 }
20718 EXPORT_SYMBOL(cfg80211_mgmt_tx_status_ext);
20719 
20720 static int __nl80211_rx_control_port(struct net_device *dev,
20721 				     struct sk_buff *skb,
20722 				     bool unencrypted,
20723 				     int link_id,
20724 				     gfp_t gfp)
20725 {
20726 	struct wireless_dev *wdev = dev->ieee80211_ptr;
20727 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
20728 	struct ethhdr *ehdr = eth_hdr(skb);
20729 	const u8 *addr = ehdr->h_source;
20730 	u16 proto = be16_to_cpu(skb->protocol);
20731 	struct sk_buff *msg;
20732 	void *hdr;
20733 	struct nlattr *frame;
20734 
20735 	u32 nlportid = READ_ONCE(wdev->conn_owner_nlportid);
20736 
20737 	if (!nlportid)
20738 		return -ENOENT;
20739 
20740 	msg = nlmsg_new(100 + skb->len, gfp);
20741 	if (!msg)
20742 		return -ENOMEM;
20743 
20744 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_CONTROL_PORT_FRAME);
20745 	if (!hdr) {
20746 		nlmsg_free(msg);
20747 		return -ENOBUFS;
20748 	}
20749 
20750 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
20751 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
20752 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
20753 			      NL80211_ATTR_PAD) ||
20754 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr) ||
20755 	    nla_put_u16(msg, NL80211_ATTR_CONTROL_PORT_ETHERTYPE, proto) ||
20756 	    (link_id >= 0 &&
20757 	     nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID, link_id)) ||
20758 	    (unencrypted && nla_put_flag(msg,
20759 					 NL80211_ATTR_CONTROL_PORT_NO_ENCRYPT)))
20760 		goto nla_put_failure;
20761 
20762 	frame = nla_reserve(msg, NL80211_ATTR_FRAME, skb->len);
20763 	if (!frame)
20764 		goto nla_put_failure;
20765 
20766 	skb_copy_bits(skb, 0, nla_data(frame), skb->len);
20767 	genlmsg_end(msg, hdr);
20768 
20769 	return genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, nlportid);
20770 
20771  nla_put_failure:
20772 	nlmsg_free(msg);
20773 	return -ENOBUFS;
20774 }
20775 
20776 bool cfg80211_rx_control_port(struct net_device *dev, struct sk_buff *skb,
20777 			      bool unencrypted, int link_id)
20778 {
20779 	int ret;
20780 
20781 	trace_cfg80211_rx_control_port(dev, skb, unencrypted, link_id);
20782 	ret = __nl80211_rx_control_port(dev, skb, unencrypted, link_id,
20783 					GFP_ATOMIC);
20784 	trace_cfg80211_return_bool(ret == 0);
20785 	return ret == 0;
20786 }
20787 EXPORT_SYMBOL(cfg80211_rx_control_port);
20788 
20789 static struct sk_buff *cfg80211_prepare_cqm(struct net_device *dev,
20790 					    const char *mac, gfp_t gfp)
20791 {
20792 	struct wireless_dev *wdev = dev->ieee80211_ptr;
20793 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
20794 	struct sk_buff *msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
20795 	void **cb;
20796 
20797 	if (!msg)
20798 		return NULL;
20799 
20800 	cb = (void **)msg->cb;
20801 
20802 	cb[0] = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_NOTIFY_CQM);
20803 	if (!cb[0]) {
20804 		nlmsg_free(msg);
20805 		return NULL;
20806 	}
20807 
20808 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
20809 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
20810 		goto nla_put_failure;
20811 
20812 	if (mac && nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac))
20813 		goto nla_put_failure;
20814 
20815 	cb[1] = nla_nest_start_noflag(msg, NL80211_ATTR_CQM);
20816 	if (!cb[1])
20817 		goto nla_put_failure;
20818 
20819 	cb[2] = rdev;
20820 
20821 	return msg;
20822  nla_put_failure:
20823 	nlmsg_free(msg);
20824 	return NULL;
20825 }
20826 
20827 static void cfg80211_send_cqm(struct sk_buff *msg, gfp_t gfp)
20828 {
20829 	void **cb = (void **)msg->cb;
20830 	struct cfg80211_registered_device *rdev = cb[2];
20831 
20832 	nla_nest_end(msg, cb[1]);
20833 	genlmsg_end(msg, cb[0]);
20834 
20835 	memset(msg->cb, 0, sizeof(msg->cb));
20836 
20837 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
20838 				NL80211_MCGRP_MLME, gfp);
20839 }
20840 
20841 void cfg80211_cqm_rssi_notify(struct net_device *dev,
20842 			      enum nl80211_cqm_rssi_threshold_event rssi_event,
20843 			      s32 rssi_level, gfp_t gfp)
20844 {
20845 	struct wireless_dev *wdev = dev->ieee80211_ptr;
20846 	struct cfg80211_cqm_config *cqm_config;
20847 
20848 	trace_cfg80211_cqm_rssi_notify(dev, rssi_event, rssi_level);
20849 
20850 	if (WARN_ON(rssi_event != NL80211_CQM_RSSI_THRESHOLD_EVENT_LOW &&
20851 		    rssi_event != NL80211_CQM_RSSI_THRESHOLD_EVENT_HIGH))
20852 		return;
20853 
20854 	rcu_read_lock();
20855 	cqm_config = rcu_dereference(wdev->cqm_config);
20856 	if (cqm_config) {
20857 		cqm_config->last_rssi_event_value = rssi_level;
20858 		cqm_config->last_rssi_event_type = rssi_event;
20859 		wiphy_work_queue(wdev->wiphy, &wdev->cqm_rssi_work);
20860 	}
20861 	rcu_read_unlock();
20862 }
20863 EXPORT_SYMBOL(cfg80211_cqm_rssi_notify);
20864 
20865 void cfg80211_cqm_rssi_notify_work(struct wiphy *wiphy, struct wiphy_work *work)
20866 {
20867 	struct wireless_dev *wdev = container_of(work, struct wireless_dev,
20868 						 cqm_rssi_work);
20869 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
20870 	enum nl80211_cqm_rssi_threshold_event rssi_event;
20871 	struct cfg80211_cqm_config *cqm_config;
20872 	struct sk_buff *msg;
20873 	s32 rssi_level;
20874 
20875 	cqm_config = wiphy_dereference(wdev->wiphy, wdev->cqm_config);
20876 	if (!cqm_config)
20877 		return;
20878 
20879 	if (cqm_config->use_range_api)
20880 		cfg80211_cqm_rssi_update(rdev, wdev->netdev, cqm_config);
20881 
20882 	rssi_level = cqm_config->last_rssi_event_value;
20883 	rssi_event = cqm_config->last_rssi_event_type;
20884 
20885 	msg = cfg80211_prepare_cqm(wdev->netdev, NULL, GFP_KERNEL);
20886 	if (!msg)
20887 		return;
20888 
20889 	if (nla_put_u32(msg, NL80211_ATTR_CQM_RSSI_THRESHOLD_EVENT,
20890 			rssi_event))
20891 		goto nla_put_failure;
20892 
20893 	if (rssi_level && nla_put_s32(msg, NL80211_ATTR_CQM_RSSI_LEVEL,
20894 				      rssi_level))
20895 		goto nla_put_failure;
20896 
20897 	cfg80211_send_cqm(msg, GFP_KERNEL);
20898 
20899 	return;
20900 
20901  nla_put_failure:
20902 	nlmsg_free(msg);
20903 }
20904 
20905 void cfg80211_cqm_txe_notify(struct net_device *dev,
20906 			     const u8 *peer, u32 num_packets,
20907 			     u32 rate, u32 intvl, gfp_t gfp)
20908 {
20909 	struct sk_buff *msg;
20910 
20911 	msg = cfg80211_prepare_cqm(dev, peer, gfp);
20912 	if (!msg)
20913 		return;
20914 
20915 	if (nla_put_u32(msg, NL80211_ATTR_CQM_TXE_PKTS, num_packets))
20916 		goto nla_put_failure;
20917 
20918 	if (nla_put_u32(msg, NL80211_ATTR_CQM_TXE_RATE, rate))
20919 		goto nla_put_failure;
20920 
20921 	if (nla_put_u32(msg, NL80211_ATTR_CQM_TXE_INTVL, intvl))
20922 		goto nla_put_failure;
20923 
20924 	cfg80211_send_cqm(msg, gfp);
20925 	return;
20926 
20927  nla_put_failure:
20928 	nlmsg_free(msg);
20929 }
20930 EXPORT_SYMBOL(cfg80211_cqm_txe_notify);
20931 
20932 void cfg80211_cqm_pktloss_notify(struct net_device *dev,
20933 				 const u8 *peer, u32 num_packets, gfp_t gfp)
20934 {
20935 	struct sk_buff *msg;
20936 
20937 	trace_cfg80211_cqm_pktloss_notify(dev, peer, num_packets);
20938 
20939 	msg = cfg80211_prepare_cqm(dev, peer, gfp);
20940 	if (!msg)
20941 		return;
20942 
20943 	if (nla_put_u32(msg, NL80211_ATTR_CQM_PKT_LOSS_EVENT, num_packets))
20944 		goto nla_put_failure;
20945 
20946 	cfg80211_send_cqm(msg, gfp);
20947 	return;
20948 
20949  nla_put_failure:
20950 	nlmsg_free(msg);
20951 }
20952 EXPORT_SYMBOL(cfg80211_cqm_pktloss_notify);
20953 
20954 void cfg80211_cqm_beacon_loss_notify(struct net_device *dev, gfp_t gfp)
20955 {
20956 	struct sk_buff *msg;
20957 
20958 	msg = cfg80211_prepare_cqm(dev, NULL, gfp);
20959 	if (!msg)
20960 		return;
20961 
20962 	if (nla_put_flag(msg, NL80211_ATTR_CQM_BEACON_LOSS_EVENT))
20963 		goto nla_put_failure;
20964 
20965 	cfg80211_send_cqm(msg, gfp);
20966 	return;
20967 
20968  nla_put_failure:
20969 	nlmsg_free(msg);
20970 }
20971 EXPORT_SYMBOL(cfg80211_cqm_beacon_loss_notify);
20972 
20973 static void nl80211_gtk_rekey_notify(struct cfg80211_registered_device *rdev,
20974 				     struct net_device *netdev, const u8 *bssid,
20975 				     const u8 *replay_ctr, gfp_t gfp)
20976 {
20977 	struct sk_buff *msg;
20978 	struct nlattr *rekey_attr;
20979 	void *hdr;
20980 
20981 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
20982 	if (!msg)
20983 		return;
20984 
20985 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_SET_REKEY_OFFLOAD);
20986 	if (!hdr) {
20987 		nlmsg_free(msg);
20988 		return;
20989 	}
20990 
20991 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
20992 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
20993 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, bssid))
20994 		goto nla_put_failure;
20995 
20996 	rekey_attr = nla_nest_start_noflag(msg, NL80211_ATTR_REKEY_DATA);
20997 	if (!rekey_attr)
20998 		goto nla_put_failure;
20999 
21000 	if (nla_put(msg, NL80211_REKEY_DATA_REPLAY_CTR,
21001 		    NL80211_REPLAY_CTR_LEN, replay_ctr))
21002 		goto nla_put_failure;
21003 
21004 	nla_nest_end(msg, rekey_attr);
21005 
21006 	genlmsg_end(msg, hdr);
21007 
21008 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
21009 				NL80211_MCGRP_MLME, gfp);
21010 	return;
21011 
21012  nla_put_failure:
21013 	nlmsg_free(msg);
21014 }
21015 
21016 void cfg80211_gtk_rekey_notify(struct net_device *dev, const u8 *bssid,
21017 			       const u8 *replay_ctr, gfp_t gfp)
21018 {
21019 	struct wireless_dev *wdev = dev->ieee80211_ptr;
21020 	struct wiphy *wiphy = wdev->wiphy;
21021 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
21022 
21023 	trace_cfg80211_gtk_rekey_notify(dev, bssid);
21024 	nl80211_gtk_rekey_notify(rdev, dev, bssid, replay_ctr, gfp);
21025 }
21026 EXPORT_SYMBOL(cfg80211_gtk_rekey_notify);
21027 
21028 static void
21029 nl80211_pmksa_candidate_notify(struct cfg80211_registered_device *rdev,
21030 			       struct net_device *netdev, int index,
21031 			       const u8 *bssid, bool preauth, gfp_t gfp)
21032 {
21033 	struct sk_buff *msg;
21034 	struct nlattr *attr;
21035 	void *hdr;
21036 
21037 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
21038 	if (!msg)
21039 		return;
21040 
21041 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_PMKSA_CANDIDATE);
21042 	if (!hdr) {
21043 		nlmsg_free(msg);
21044 		return;
21045 	}
21046 
21047 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
21048 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex))
21049 		goto nla_put_failure;
21050 
21051 	attr = nla_nest_start_noflag(msg, NL80211_ATTR_PMKSA_CANDIDATE);
21052 	if (!attr)
21053 		goto nla_put_failure;
21054 
21055 	if (nla_put_u32(msg, NL80211_PMKSA_CANDIDATE_INDEX, index) ||
21056 	    nla_put(msg, NL80211_PMKSA_CANDIDATE_BSSID, ETH_ALEN, bssid) ||
21057 	    (preauth &&
21058 	     nla_put_flag(msg, NL80211_PMKSA_CANDIDATE_PREAUTH)))
21059 		goto nla_put_failure;
21060 
21061 	nla_nest_end(msg, attr);
21062 
21063 	genlmsg_end(msg, hdr);
21064 
21065 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
21066 				NL80211_MCGRP_MLME, gfp);
21067 	return;
21068 
21069  nla_put_failure:
21070 	nlmsg_free(msg);
21071 }
21072 
21073 void cfg80211_pmksa_candidate_notify(struct net_device *dev, int index,
21074 				     const u8 *bssid, bool preauth, gfp_t gfp)
21075 {
21076 	struct wireless_dev *wdev = dev->ieee80211_ptr;
21077 	struct wiphy *wiphy = wdev->wiphy;
21078 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
21079 
21080 	trace_cfg80211_pmksa_candidate_notify(dev, index, bssid, preauth);
21081 	nl80211_pmksa_candidate_notify(rdev, dev, index, bssid, preauth, gfp);
21082 }
21083 EXPORT_SYMBOL(cfg80211_pmksa_candidate_notify);
21084 
21085 static void nl80211_ch_switch_notify(struct cfg80211_registered_device *rdev,
21086 				     struct net_device *netdev,
21087 				     unsigned int link_id,
21088 				     struct cfg80211_chan_def *chandef,
21089 				     gfp_t gfp,
21090 				     enum nl80211_commands notif,
21091 				     u8 count, bool quiet)
21092 {
21093 	struct wireless_dev *wdev = netdev->ieee80211_ptr;
21094 	struct sk_buff *msg;
21095 	void *hdr;
21096 
21097 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
21098 	if (!msg)
21099 		return;
21100 
21101 	hdr = nl80211hdr_put(msg, 0, 0, 0, notif);
21102 	if (!hdr) {
21103 		nlmsg_free(msg);
21104 		return;
21105 	}
21106 
21107 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex))
21108 		goto nla_put_failure;
21109 
21110 	if (wdev->valid_links &&
21111 	    nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID, link_id))
21112 		goto nla_put_failure;
21113 
21114 	if (nl80211_send_chandef(msg, chandef))
21115 		goto nla_put_failure;
21116 
21117 	if (notif == NL80211_CMD_CH_SWITCH_STARTED_NOTIFY) {
21118 		if (nla_put_u32(msg, NL80211_ATTR_CH_SWITCH_COUNT, count))
21119 			goto nla_put_failure;
21120 		if (quiet &&
21121 		    nla_put_flag(msg, NL80211_ATTR_CH_SWITCH_BLOCK_TX))
21122 			goto nla_put_failure;
21123 	}
21124 
21125 	genlmsg_end(msg, hdr);
21126 
21127 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
21128 				NL80211_MCGRP_MLME, gfp);
21129 	return;
21130 
21131  nla_put_failure:
21132 	nlmsg_free(msg);
21133 }
21134 
21135 void cfg80211_ch_switch_notify(struct net_device *dev,
21136 			       struct cfg80211_chan_def *chandef,
21137 			       unsigned int link_id)
21138 {
21139 	struct wireless_dev *wdev = dev->ieee80211_ptr;
21140 	struct wiphy *wiphy = wdev->wiphy;
21141 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
21142 
21143 	lockdep_assert_wiphy(wdev->wiphy);
21144 	WARN_INVALID_LINK_ID(wdev, link_id);
21145 
21146 	trace_cfg80211_ch_switch_notify(dev, chandef, link_id);
21147 
21148 	switch (wdev->iftype) {
21149 	case NL80211_IFTYPE_STATION:
21150 	case NL80211_IFTYPE_P2P_CLIENT:
21151 		if (!WARN_ON(!wdev->links[link_id].client.current_bss))
21152 			cfg80211_update_assoc_bss_entry(wdev, link_id,
21153 							chandef->chan);
21154 		break;
21155 	case NL80211_IFTYPE_MESH_POINT:
21156 		wdev->u.mesh.chandef = *chandef;
21157 		wdev->u.mesh.preset_chandef = *chandef;
21158 		break;
21159 	case NL80211_IFTYPE_AP:
21160 	case NL80211_IFTYPE_P2P_GO:
21161 		wdev->links[link_id].ap.chandef = *chandef;
21162 		break;
21163 	case NL80211_IFTYPE_ADHOC:
21164 		wdev->u.ibss.chandef = *chandef;
21165 		break;
21166 	default:
21167 		WARN_ON(1);
21168 		break;
21169 	}
21170 
21171 	cfg80211_schedule_channels_check(wdev);
21172 	cfg80211_sched_dfs_chan_update(rdev);
21173 
21174 	nl80211_ch_switch_notify(rdev, dev, link_id, chandef, GFP_KERNEL,
21175 				 NL80211_CMD_CH_SWITCH_NOTIFY, 0, false);
21176 }
21177 EXPORT_SYMBOL(cfg80211_ch_switch_notify);
21178 
21179 void cfg80211_incumbent_signal_notify(struct wiphy *wiphy,
21180 				      const struct cfg80211_chan_def *chandef,
21181 				      u32 signal_interference_bitmap,
21182 				      gfp_t gfp)
21183 {
21184 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
21185 	struct sk_buff *msg;
21186 	void *hdr;
21187 
21188 	trace_cfg80211_incumbent_signal_notify(wiphy, chandef, signal_interference_bitmap);
21189 
21190 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
21191 	if (!msg)
21192 		return;
21193 
21194 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_INCUMBENT_SIGNAL_DETECT);
21195 	if (!hdr)
21196 		goto nla_put_failure;
21197 
21198 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx))
21199 		goto nla_put_failure;
21200 
21201 	if (nl80211_send_chandef(msg, chandef))
21202 		goto nla_put_failure;
21203 
21204 	if (nla_put_u32(msg, NL80211_ATTR_INCUMBENT_SIGNAL_INTERFERENCE_BITMAP,
21205 			signal_interference_bitmap))
21206 		goto nla_put_failure;
21207 
21208 	genlmsg_end(msg, hdr);
21209 
21210 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
21211 				NL80211_MCGRP_MLME, gfp);
21212 	return;
21213 
21214 nla_put_failure:
21215 	nlmsg_free(msg);
21216 }
21217 EXPORT_SYMBOL(cfg80211_incumbent_signal_notify);
21218 
21219 void cfg80211_ch_switch_started_notify(struct net_device *dev,
21220 				       struct cfg80211_chan_def *chandef,
21221 				       unsigned int link_id, u8 count,
21222 				       bool quiet)
21223 {
21224 	struct wireless_dev *wdev = dev->ieee80211_ptr;
21225 	struct wiphy *wiphy = wdev->wiphy;
21226 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
21227 
21228 	lockdep_assert_wiphy(wdev->wiphy);
21229 	WARN_INVALID_LINK_ID(wdev, link_id);
21230 
21231 	trace_cfg80211_ch_switch_started_notify(dev, chandef, link_id);
21232 
21233 
21234 	nl80211_ch_switch_notify(rdev, dev, link_id, chandef, GFP_KERNEL,
21235 				 NL80211_CMD_CH_SWITCH_STARTED_NOTIFY,
21236 				 count, quiet);
21237 }
21238 EXPORT_SYMBOL(cfg80211_ch_switch_started_notify);
21239 
21240 int cfg80211_bss_color_notify(struct net_device *dev,
21241 			      enum nl80211_commands cmd, u8 count,
21242 			      u64 color_bitmap, u8 link_id)
21243 {
21244 	struct wireless_dev *wdev = dev->ieee80211_ptr;
21245 	struct wiphy *wiphy = wdev->wiphy;
21246 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
21247 	struct sk_buff *msg;
21248 	void *hdr;
21249 
21250 	lockdep_assert_wiphy(wdev->wiphy);
21251 
21252 	trace_cfg80211_bss_color_notify(dev, cmd, count, color_bitmap);
21253 
21254 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
21255 	if (!msg)
21256 		return -ENOMEM;
21257 
21258 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
21259 	if (!hdr)
21260 		goto nla_put_failure;
21261 
21262 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
21263 		goto nla_put_failure;
21264 
21265 	if (wdev->valid_links &&
21266 	    nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID, link_id))
21267 		goto nla_put_failure;
21268 
21269 	if (cmd == NL80211_CMD_COLOR_CHANGE_STARTED &&
21270 	    nla_put_u32(msg, NL80211_ATTR_COLOR_CHANGE_COUNT, count))
21271 		goto nla_put_failure;
21272 
21273 	if (cmd == NL80211_CMD_OBSS_COLOR_COLLISION &&
21274 	    nla_put_u64_64bit(msg, NL80211_ATTR_OBSS_COLOR_BITMAP,
21275 			      color_bitmap, NL80211_ATTR_PAD))
21276 		goto nla_put_failure;
21277 
21278 	genlmsg_end(msg, hdr);
21279 
21280 	return genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy),
21281 				       msg, 0, NL80211_MCGRP_MLME, GFP_KERNEL);
21282 
21283 nla_put_failure:
21284 	nlmsg_free(msg);
21285 	return -EINVAL;
21286 }
21287 EXPORT_SYMBOL(cfg80211_bss_color_notify);
21288 
21289 void
21290 nl80211_radar_notify(struct cfg80211_registered_device *rdev,
21291 		     const struct cfg80211_chan_def *chandef,
21292 		     enum nl80211_radar_event event,
21293 		     struct net_device *netdev, gfp_t gfp)
21294 {
21295 	struct sk_buff *msg;
21296 	void *hdr;
21297 
21298 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
21299 	if (!msg)
21300 		return;
21301 
21302 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_RADAR_DETECT);
21303 	if (!hdr) {
21304 		nlmsg_free(msg);
21305 		return;
21306 	}
21307 
21308 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx))
21309 		goto nla_put_failure;
21310 
21311 	/* NOP and radar events don't need a netdev parameter */
21312 	if (netdev) {
21313 		struct wireless_dev *wdev = netdev->ieee80211_ptr;
21314 
21315 		if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
21316 		    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
21317 				      NL80211_ATTR_PAD))
21318 			goto nla_put_failure;
21319 	}
21320 
21321 	if (rdev->background_radar_wdev &&
21322 	    cfg80211_chandef_identical(&rdev->background_radar_chandef,
21323 				       chandef)) {
21324 		if (nla_put_flag(msg, NL80211_ATTR_RADAR_BACKGROUND))
21325 			goto nla_put_failure;
21326 	}
21327 
21328 	if (nla_put_u32(msg, NL80211_ATTR_RADAR_EVENT, event))
21329 		goto nla_put_failure;
21330 
21331 	if (nl80211_send_chandef(msg, chandef))
21332 		goto nla_put_failure;
21333 
21334 	genlmsg_end(msg, hdr);
21335 
21336 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
21337 				NL80211_MCGRP_MLME, gfp);
21338 	return;
21339 
21340  nla_put_failure:
21341 	nlmsg_free(msg);
21342 }
21343 
21344 void cfg80211_sta_opmode_change_notify(struct net_device *dev, const u8 *mac,
21345 				       struct sta_opmode_info *sta_opmode,
21346 				       gfp_t gfp)
21347 {
21348 	struct sk_buff *msg;
21349 	struct wireless_dev *wdev = dev->ieee80211_ptr;
21350 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
21351 	void *hdr;
21352 
21353 	if (WARN_ON(!mac))
21354 		return;
21355 
21356 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
21357 	if (!msg)
21358 		return;
21359 
21360 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_STA_OPMODE_CHANGED);
21361 	if (!hdr) {
21362 		nlmsg_free(msg);
21363 		return;
21364 	}
21365 
21366 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx))
21367 		goto nla_put_failure;
21368 
21369 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
21370 		goto nla_put_failure;
21371 
21372 	if (nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac))
21373 		goto nla_put_failure;
21374 
21375 	if ((sta_opmode->changed & STA_OPMODE_SMPS_MODE_CHANGED) &&
21376 	    nla_put_u8(msg, NL80211_ATTR_SMPS_MODE, sta_opmode->smps_mode))
21377 		goto nla_put_failure;
21378 
21379 	if ((sta_opmode->changed & STA_OPMODE_MAX_BW_CHANGED) &&
21380 	    nla_put_u32(msg, NL80211_ATTR_CHANNEL_WIDTH, sta_opmode->bw))
21381 		goto nla_put_failure;
21382 
21383 	if ((sta_opmode->changed & STA_OPMODE_N_SS_CHANGED) &&
21384 	    nla_put_u8(msg, NL80211_ATTR_NSS, sta_opmode->rx_nss))
21385 		goto nla_put_failure;
21386 
21387 	genlmsg_end(msg, hdr);
21388 
21389 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
21390 				NL80211_MCGRP_MLME, gfp);
21391 
21392 	return;
21393 
21394 nla_put_failure:
21395 	nlmsg_free(msg);
21396 }
21397 EXPORT_SYMBOL(cfg80211_sta_opmode_change_notify);
21398 
21399 void cfg80211_probe_status(struct net_device *dev, const u8 *addr,
21400 			   u64 cookie, bool acked, s32 ack_signal,
21401 			   bool is_valid_ack_signal, gfp_t gfp)
21402 {
21403 	struct wireless_dev *wdev = dev->ieee80211_ptr;
21404 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
21405 	struct sk_buff *msg;
21406 	void *hdr;
21407 
21408 	trace_cfg80211_probe_status(dev, addr, cookie, acked);
21409 
21410 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
21411 
21412 	if (!msg)
21413 		return;
21414 
21415 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_PROBE_CLIENT);
21416 	if (!hdr) {
21417 		nlmsg_free(msg);
21418 		return;
21419 	}
21420 
21421 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
21422 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
21423 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr) ||
21424 	    nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
21425 			      NL80211_ATTR_PAD) ||
21426 	    (acked && nla_put_flag(msg, NL80211_ATTR_ACK)) ||
21427 	    (is_valid_ack_signal && nla_put_s32(msg, NL80211_ATTR_ACK_SIGNAL,
21428 						ack_signal)))
21429 		goto nla_put_failure;
21430 
21431 	genlmsg_end(msg, hdr);
21432 
21433 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
21434 				NL80211_MCGRP_MLME, gfp);
21435 	return;
21436 
21437  nla_put_failure:
21438 	nlmsg_free(msg);
21439 }
21440 EXPORT_SYMBOL(cfg80211_probe_status);
21441 
21442 void cfg80211_report_obss_beacon_khz(struct wiphy *wiphy, const u8 *frame,
21443 				     size_t len, int freq, int sig_dbm)
21444 {
21445 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
21446 	struct sk_buff *msg;
21447 	void *hdr;
21448 	struct cfg80211_beacon_registration *reg;
21449 
21450 	trace_cfg80211_report_obss_beacon(wiphy, frame, len, freq, sig_dbm);
21451 
21452 	spin_lock_bh(&rdev->beacon_registrations_lock);
21453 	list_for_each_entry(reg, &rdev->beacon_registrations, list) {
21454 		msg = nlmsg_new(len + 100, GFP_ATOMIC);
21455 		if (!msg) {
21456 			spin_unlock_bh(&rdev->beacon_registrations_lock);
21457 			return;
21458 		}
21459 
21460 		hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_FRAME);
21461 		if (!hdr)
21462 			goto nla_put_failure;
21463 
21464 		if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
21465 		    (freq &&
21466 		     (nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ,
21467 				  KHZ_TO_MHZ(freq)) ||
21468 		      nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ_OFFSET,
21469 				  freq % 1000))) ||
21470 		    (sig_dbm &&
21471 		     nla_put_u32(msg, NL80211_ATTR_RX_SIGNAL_DBM, sig_dbm)) ||
21472 		    nla_put(msg, NL80211_ATTR_FRAME, len, frame))
21473 			goto nla_put_failure;
21474 
21475 		genlmsg_end(msg, hdr);
21476 
21477 		genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, reg->nlportid);
21478 	}
21479 	spin_unlock_bh(&rdev->beacon_registrations_lock);
21480 	return;
21481 
21482  nla_put_failure:
21483 	spin_unlock_bh(&rdev->beacon_registrations_lock);
21484 	nlmsg_free(msg);
21485 }
21486 EXPORT_SYMBOL(cfg80211_report_obss_beacon_khz);
21487 
21488 #ifdef CONFIG_PM
21489 static int cfg80211_net_detect_results(struct sk_buff *msg,
21490 				       struct cfg80211_wowlan_wakeup *wakeup)
21491 {
21492 	struct cfg80211_wowlan_nd_info *nd = wakeup->net_detect;
21493 	struct nlattr *nl_results, *nl_match, *nl_freqs;
21494 	int i, j;
21495 
21496 	nl_results = nla_nest_start_noflag(msg,
21497 					   NL80211_WOWLAN_TRIG_NET_DETECT_RESULTS);
21498 	if (!nl_results)
21499 		return -EMSGSIZE;
21500 
21501 	for (i = 0; i < nd->n_matches; i++) {
21502 		struct cfg80211_wowlan_nd_match *match = nd->matches[i];
21503 
21504 		nl_match = nla_nest_start_noflag(msg, i);
21505 		if (!nl_match)
21506 			break;
21507 
21508 		/* The SSID attribute is optional in nl80211, but for
21509 		 * simplicity reasons it's always present in the
21510 		 * cfg80211 structure.  If a driver can't pass the
21511 		 * SSID, that needs to be changed.  A zero length SSID
21512 		 * is still a valid SSID (wildcard), so it cannot be
21513 		 * used for this purpose.
21514 		 */
21515 		if (nla_put(msg, NL80211_ATTR_SSID, match->ssid.ssid_len,
21516 			    match->ssid.ssid)) {
21517 			nla_nest_cancel(msg, nl_match);
21518 			goto out;
21519 		}
21520 
21521 		if (match->n_channels) {
21522 			nl_freqs = nla_nest_start_noflag(msg,
21523 							 NL80211_ATTR_SCAN_FREQUENCIES);
21524 			if (!nl_freqs) {
21525 				nla_nest_cancel(msg, nl_match);
21526 				goto out;
21527 			}
21528 
21529 			for (j = 0; j < match->n_channels; j++) {
21530 				if (nla_put_u32(msg, j, match->channels[j])) {
21531 					nla_nest_cancel(msg, nl_freqs);
21532 					nla_nest_cancel(msg, nl_match);
21533 					goto out;
21534 				}
21535 			}
21536 
21537 			nla_nest_end(msg, nl_freqs);
21538 		}
21539 
21540 		nla_nest_end(msg, nl_match);
21541 	}
21542 
21543 out:
21544 	nla_nest_end(msg, nl_results);
21545 	return 0;
21546 }
21547 
21548 void cfg80211_report_wowlan_wakeup(struct wireless_dev *wdev,
21549 				   struct cfg80211_wowlan_wakeup *wakeup,
21550 				   gfp_t gfp)
21551 {
21552 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
21553 	struct sk_buff *msg;
21554 	void *hdr;
21555 	int size = 200;
21556 
21557 	trace_cfg80211_report_wowlan_wakeup(wdev->wiphy, wdev, wakeup);
21558 
21559 	if (wakeup)
21560 		size += wakeup->packet_present_len;
21561 
21562 	msg = nlmsg_new(size, gfp);
21563 	if (!msg)
21564 		return;
21565 
21566 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_SET_WOWLAN);
21567 	if (!hdr)
21568 		goto free_msg;
21569 
21570 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
21571 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
21572 			      NL80211_ATTR_PAD))
21573 		goto free_msg;
21574 
21575 	if (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
21576 					wdev->netdev->ifindex))
21577 		goto free_msg;
21578 
21579 	if (wakeup) {
21580 		struct nlattr *reasons;
21581 
21582 		reasons = nla_nest_start_noflag(msg,
21583 						NL80211_ATTR_WOWLAN_TRIGGERS);
21584 		if (!reasons)
21585 			goto free_msg;
21586 
21587 		if (wakeup->disconnect &&
21588 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_DISCONNECT))
21589 			goto free_msg;
21590 		if (wakeup->magic_pkt &&
21591 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_MAGIC_PKT))
21592 			goto free_msg;
21593 		if (wakeup->gtk_rekey_failure &&
21594 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE))
21595 			goto free_msg;
21596 		if (wakeup->eap_identity_req &&
21597 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST))
21598 			goto free_msg;
21599 		if (wakeup->four_way_handshake &&
21600 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE))
21601 			goto free_msg;
21602 		if (wakeup->rfkill_release &&
21603 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_RFKILL_RELEASE))
21604 			goto free_msg;
21605 
21606 		if (wakeup->pattern_idx >= 0 &&
21607 		    nla_put_u32(msg, NL80211_WOWLAN_TRIG_PKT_PATTERN,
21608 				wakeup->pattern_idx))
21609 			goto free_msg;
21610 
21611 		if (wakeup->tcp_match &&
21612 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_WAKEUP_TCP_MATCH))
21613 			goto free_msg;
21614 
21615 		if (wakeup->tcp_connlost &&
21616 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_WAKEUP_TCP_CONNLOST))
21617 			goto free_msg;
21618 
21619 		if (wakeup->tcp_nomoretokens &&
21620 		    nla_put_flag(msg,
21621 				 NL80211_WOWLAN_TRIG_WAKEUP_TCP_NOMORETOKENS))
21622 			goto free_msg;
21623 
21624 		if (wakeup->unprot_deauth_disassoc &&
21625 		    nla_put_flag(msg,
21626 				 NL80211_WOWLAN_TRIG_UNPROTECTED_DEAUTH_DISASSOC))
21627 			goto free_msg;
21628 
21629 		if (wakeup->packet) {
21630 			u32 pkt_attr = NL80211_WOWLAN_TRIG_WAKEUP_PKT_80211;
21631 			u32 len_attr = NL80211_WOWLAN_TRIG_WAKEUP_PKT_80211_LEN;
21632 
21633 			if (!wakeup->packet_80211) {
21634 				pkt_attr =
21635 					NL80211_WOWLAN_TRIG_WAKEUP_PKT_8023;
21636 				len_attr =
21637 					NL80211_WOWLAN_TRIG_WAKEUP_PKT_8023_LEN;
21638 			}
21639 
21640 			if (wakeup->packet_len &&
21641 			    nla_put_u32(msg, len_attr, wakeup->packet_len))
21642 				goto free_msg;
21643 
21644 			if (nla_put(msg, pkt_attr, wakeup->packet_present_len,
21645 				    wakeup->packet))
21646 				goto free_msg;
21647 		}
21648 
21649 		if (wakeup->net_detect &&
21650 		    cfg80211_net_detect_results(msg, wakeup))
21651 				goto free_msg;
21652 
21653 		nla_nest_end(msg, reasons);
21654 	}
21655 
21656 	genlmsg_end(msg, hdr);
21657 
21658 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
21659 				NL80211_MCGRP_MLME, gfp);
21660 	return;
21661 
21662  free_msg:
21663 	nlmsg_free(msg);
21664 }
21665 EXPORT_SYMBOL(cfg80211_report_wowlan_wakeup);
21666 #endif
21667 
21668 void cfg80211_tdls_oper_request(struct net_device *dev, const u8 *peer,
21669 				enum nl80211_tdls_operation oper,
21670 				u16 reason_code, gfp_t gfp)
21671 {
21672 	struct wireless_dev *wdev = dev->ieee80211_ptr;
21673 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
21674 	struct sk_buff *msg;
21675 	void *hdr;
21676 
21677 	trace_cfg80211_tdls_oper_request(wdev->wiphy, dev, peer, oper,
21678 					 reason_code);
21679 
21680 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
21681 	if (!msg)
21682 		return;
21683 
21684 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_TDLS_OPER);
21685 	if (!hdr) {
21686 		nlmsg_free(msg);
21687 		return;
21688 	}
21689 
21690 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
21691 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
21692 	    nla_put_u8(msg, NL80211_ATTR_TDLS_OPERATION, oper) ||
21693 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, peer) ||
21694 	    (reason_code > 0 &&
21695 	     nla_put_u16(msg, NL80211_ATTR_REASON_CODE, reason_code)))
21696 		goto nla_put_failure;
21697 
21698 	genlmsg_end(msg, hdr);
21699 
21700 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
21701 				NL80211_MCGRP_MLME, gfp);
21702 	return;
21703 
21704  nla_put_failure:
21705 	nlmsg_free(msg);
21706 }
21707 EXPORT_SYMBOL(cfg80211_tdls_oper_request);
21708 
21709 static int nl80211_netlink_notify(struct notifier_block * nb,
21710 				  unsigned long state,
21711 				  void *_notify)
21712 {
21713 	struct netlink_notify *notify = _notify;
21714 	struct cfg80211_registered_device *rdev;
21715 	struct wireless_dev *wdev;
21716 	struct cfg80211_beacon_registration *reg, *tmp;
21717 
21718 	if (state != NETLINK_URELEASE || notify->protocol != NETLINK_GENERIC)
21719 		return NOTIFY_DONE;
21720 
21721 	rcu_read_lock();
21722 
21723 	list_for_each_entry_rcu(rdev, &cfg80211_rdev_list, list) {
21724 		struct cfg80211_sched_scan_request *sched_scan_req;
21725 
21726 		list_for_each_entry_rcu(sched_scan_req,
21727 					&rdev->sched_scan_req_list,
21728 					list) {
21729 			if (sched_scan_req->owner_nlportid == notify->portid) {
21730 				sched_scan_req->nl_owner_dead = true;
21731 				wiphy_work_queue(&rdev->wiphy,
21732 						 &rdev->sched_scan_stop_wk);
21733 			}
21734 		}
21735 
21736 		list_for_each_entry_rcu(wdev, &rdev->wiphy.wdev_list, list) {
21737 			cfg80211_mlme_unregister_socket(wdev, notify->portid);
21738 
21739 			if (wdev->owner_nlportid == notify->portid) {
21740 				wdev->nl_owner_dead = true;
21741 				schedule_work(&rdev->destroy_work);
21742 			} else if (wdev->conn_owner_nlportid == notify->portid) {
21743 				schedule_work(&wdev->disconnect_wk);
21744 			}
21745 
21746 			cfg80211_release_pmsr(wdev, notify->portid);
21747 		}
21748 
21749 		spin_lock_bh(&rdev->beacon_registrations_lock);
21750 		list_for_each_entry_safe(reg, tmp, &rdev->beacon_registrations,
21751 					 list) {
21752 			if (reg->nlportid == notify->portid) {
21753 				list_del(&reg->list);
21754 				kfree(reg);
21755 				break;
21756 			}
21757 		}
21758 		spin_unlock_bh(&rdev->beacon_registrations_lock);
21759 	}
21760 
21761 	rcu_read_unlock();
21762 
21763 	/*
21764 	 * It is possible that the user space process that is controlling the
21765 	 * indoor setting disappeared, so notify the regulatory core.
21766 	 */
21767 	regulatory_netlink_notify(notify->portid);
21768 	return NOTIFY_OK;
21769 }
21770 
21771 static struct notifier_block nl80211_netlink_notifier = {
21772 	.notifier_call = nl80211_netlink_notify,
21773 };
21774 
21775 void cfg80211_ft_event(struct net_device *netdev,
21776 		       struct cfg80211_ft_event_params *ft_event)
21777 {
21778 	struct wiphy *wiphy = netdev->ieee80211_ptr->wiphy;
21779 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
21780 	struct sk_buff *msg;
21781 	void *hdr;
21782 
21783 	trace_cfg80211_ft_event(wiphy, netdev, ft_event);
21784 
21785 	if (!ft_event->target_ap)
21786 		return;
21787 
21788 	msg = nlmsg_new(100 + ft_event->ies_len + ft_event->ric_ies_len,
21789 			GFP_KERNEL);
21790 	if (!msg)
21791 		return;
21792 
21793 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_FT_EVENT);
21794 	if (!hdr)
21795 		goto out;
21796 
21797 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
21798 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
21799 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, ft_event->target_ap))
21800 		goto out;
21801 
21802 	if (ft_event->ies &&
21803 	    nla_put(msg, NL80211_ATTR_IE, ft_event->ies_len, ft_event->ies))
21804 		goto out;
21805 	if (ft_event->ric_ies &&
21806 	    nla_put(msg, NL80211_ATTR_IE_RIC, ft_event->ric_ies_len,
21807 		    ft_event->ric_ies))
21808 		goto out;
21809 
21810 	genlmsg_end(msg, hdr);
21811 
21812 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
21813 				NL80211_MCGRP_MLME, GFP_KERNEL);
21814 	return;
21815  out:
21816 	nlmsg_free(msg);
21817 }
21818 EXPORT_SYMBOL(cfg80211_ft_event);
21819 
21820 void cfg80211_crit_proto_stopped(struct wireless_dev *wdev, gfp_t gfp)
21821 {
21822 	struct cfg80211_registered_device *rdev;
21823 	struct sk_buff *msg;
21824 	void *hdr;
21825 	u32 nlportid;
21826 
21827 	rdev = wiphy_to_rdev(wdev->wiphy);
21828 	if (!rdev->crit_proto_nlportid)
21829 		return;
21830 
21831 	nlportid = rdev->crit_proto_nlportid;
21832 	rdev->crit_proto_nlportid = 0;
21833 
21834 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
21835 	if (!msg)
21836 		return;
21837 
21838 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_CRIT_PROTOCOL_STOP);
21839 	if (!hdr)
21840 		goto nla_put_failure;
21841 
21842 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
21843 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
21844 			      NL80211_ATTR_PAD))
21845 		goto nla_put_failure;
21846 
21847 	genlmsg_end(msg, hdr);
21848 
21849 	genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, nlportid);
21850 	return;
21851 
21852  nla_put_failure:
21853 	nlmsg_free(msg);
21854 }
21855 EXPORT_SYMBOL(cfg80211_crit_proto_stopped);
21856 
21857 void nl80211_send_ap_stopped(struct wireless_dev *wdev, unsigned int link_id)
21858 {
21859 	struct wiphy *wiphy = wdev->wiphy;
21860 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
21861 	struct sk_buff *msg;
21862 	void *hdr;
21863 
21864 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
21865 	if (!msg)
21866 		return;
21867 
21868 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_STOP_AP);
21869 	if (!hdr)
21870 		goto out;
21871 
21872 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
21873 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, wdev->netdev->ifindex) ||
21874 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
21875 			      NL80211_ATTR_PAD) ||
21876 	    (wdev->valid_links &&
21877 	     nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID, link_id)))
21878 		goto out;
21879 
21880 	genlmsg_end(msg, hdr);
21881 
21882 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(wiphy), msg, 0,
21883 				NL80211_MCGRP_MLME, GFP_KERNEL);
21884 	return;
21885  out:
21886 	nlmsg_free(msg);
21887 }
21888 
21889 int cfg80211_external_auth_request(struct net_device *dev,
21890 				   struct cfg80211_external_auth_params *params,
21891 				   gfp_t gfp)
21892 {
21893 	struct wireless_dev *wdev = dev->ieee80211_ptr;
21894 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
21895 	struct sk_buff *msg;
21896 	void *hdr;
21897 
21898 	if (!wdev->conn_owner_nlportid)
21899 		return -EINVAL;
21900 
21901 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
21902 	if (!msg)
21903 		return -ENOMEM;
21904 
21905 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_EXTERNAL_AUTH);
21906 	if (!hdr)
21907 		goto nla_put_failure;
21908 
21909 	/* Some historical mistakes in drivers <-> userspace interface (notably
21910 	 * between drivers and wpa_supplicant) led to a big-endian conversion
21911 	 * being needed on NL80211_ATTR_AKM_SUITES _only_ when its value is
21912 	 * WLAN_AKM_SUITE_SAE. This is now fixed on userspace side, but for the
21913 	 * benefit of older wpa_supplicant versions, send this particular value
21914 	 * in big-endian. Note that newer wpa_supplicant will also detect this
21915 	 * particular value in big endian still, so it all continues to work.
21916 	 */
21917 	if (params->key_mgmt_suite == WLAN_AKM_SUITE_SAE) {
21918 		if (nla_put_be32(msg, NL80211_ATTR_AKM_SUITES,
21919 				 cpu_to_be32(WLAN_AKM_SUITE_SAE)))
21920 			goto nla_put_failure;
21921 	} else {
21922 		if (nla_put_u32(msg, NL80211_ATTR_AKM_SUITES,
21923 				params->key_mgmt_suite))
21924 			goto nla_put_failure;
21925 	}
21926 
21927 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
21928 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
21929 	    nla_put_u32(msg, NL80211_ATTR_EXTERNAL_AUTH_ACTION,
21930 			params->action) ||
21931 	    nla_put(msg, NL80211_ATTR_BSSID, ETH_ALEN, params->bssid) ||
21932 	    nla_put(msg, NL80211_ATTR_SSID, params->ssid.ssid_len,
21933 		    params->ssid.ssid) ||
21934 	    (!is_zero_ether_addr(params->mld_addr) &&
21935 	     nla_put(msg, NL80211_ATTR_MLD_ADDR, ETH_ALEN, params->mld_addr)))
21936 		goto nla_put_failure;
21937 
21938 	genlmsg_end(msg, hdr);
21939 	genlmsg_unicast(wiphy_net(&rdev->wiphy), msg,
21940 			wdev->conn_owner_nlportid);
21941 	return 0;
21942 
21943  nla_put_failure:
21944 	nlmsg_free(msg);
21945 	return -ENOBUFS;
21946 }
21947 EXPORT_SYMBOL(cfg80211_external_auth_request);
21948 
21949 void cfg80211_update_owe_info_event(struct net_device *netdev,
21950 				    struct cfg80211_update_owe_info *owe_info,
21951 				    gfp_t gfp)
21952 {
21953 	struct wiphy *wiphy = netdev->ieee80211_ptr->wiphy;
21954 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
21955 	struct sk_buff *msg;
21956 	void *hdr;
21957 
21958 	trace_cfg80211_update_owe_info_event(wiphy, netdev, owe_info);
21959 
21960 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
21961 	if (!msg)
21962 		return;
21963 
21964 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_UPDATE_OWE_INFO);
21965 	if (!hdr)
21966 		goto nla_put_failure;
21967 
21968 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
21969 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
21970 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, owe_info->peer))
21971 		goto nla_put_failure;
21972 
21973 	if (!owe_info->ie_len ||
21974 	    nla_put(msg, NL80211_ATTR_IE, owe_info->ie_len, owe_info->ie))
21975 		goto nla_put_failure;
21976 
21977 	if (owe_info->assoc_link_id != -1) {
21978 		if (nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID,
21979 			       owe_info->assoc_link_id))
21980 			goto nla_put_failure;
21981 
21982 		if (!is_zero_ether_addr(owe_info->peer_mld_addr) &&
21983 		    nla_put(msg, NL80211_ATTR_MLD_ADDR, ETH_ALEN,
21984 			    owe_info->peer_mld_addr))
21985 			goto nla_put_failure;
21986 	}
21987 
21988 	genlmsg_end(msg, hdr);
21989 
21990 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
21991 				NL80211_MCGRP_MLME, gfp);
21992 	return;
21993 
21994 nla_put_failure:
21995 	genlmsg_cancel(msg, hdr);
21996 	nlmsg_free(msg);
21997 }
21998 EXPORT_SYMBOL(cfg80211_update_owe_info_event);
21999 
22000 void cfg80211_schedule_channels_check(struct wireless_dev *wdev)
22001 {
22002 	struct wiphy *wiphy = wdev->wiphy;
22003 
22004 	/* Schedule channels check if NO_IR or DFS relaxations are supported */
22005 	if (wdev->iftype == NL80211_IFTYPE_STATION &&
22006 	    (wiphy_ext_feature_isset(wiphy,
22007 				     NL80211_EXT_FEATURE_DFS_CONCURRENT) ||
22008 	    (IS_ENABLED(CONFIG_CFG80211_REG_RELAX_NO_IR) &&
22009 	     wiphy->regulatory_flags & REGULATORY_ENABLE_RELAX_NO_IR)))
22010 		reg_check_channels();
22011 }
22012 EXPORT_SYMBOL(cfg80211_schedule_channels_check);
22013 
22014 void cfg80211_epcs_changed(struct net_device *netdev, bool enabled)
22015 {
22016 	struct wireless_dev *wdev = netdev->ieee80211_ptr;
22017 	struct wiphy *wiphy = wdev->wiphy;
22018 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
22019 	struct sk_buff *msg;
22020 	void *hdr;
22021 
22022 	trace_cfg80211_epcs_changed(wdev, enabled);
22023 
22024 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
22025 	if (!msg)
22026 		return;
22027 
22028 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_EPCS_CFG);
22029 	if (!hdr) {
22030 		nlmsg_free(msg);
22031 		return;
22032 	}
22033 
22034 	if (enabled && nla_put_flag(msg, NL80211_ATTR_EPCS))
22035 		goto nla_put_failure;
22036 
22037 	genlmsg_end(msg, hdr);
22038 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
22039 				NL80211_MCGRP_MLME, GFP_KERNEL);
22040 	return;
22041 
22042  nla_put_failure:
22043 	nlmsg_free(msg);
22044 }
22045 EXPORT_SYMBOL(cfg80211_epcs_changed);
22046 
22047 void cfg80211_next_nan_dw_notif(struct wireless_dev *wdev,
22048 				struct ieee80211_channel *chan, gfp_t gfp)
22049 {
22050 	struct wiphy *wiphy = wdev->wiphy;
22051 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
22052 	struct sk_buff *msg;
22053 	void *hdr;
22054 
22055 	trace_cfg80211_next_nan_dw_notif(wdev, chan);
22056 
22057 	if (!wdev->owner_nlportid)
22058 		return;
22059 
22060 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
22061 	if (!msg)
22062 		return;
22063 
22064 	hdr = nl80211hdr_put(msg, 0, 0, 0,
22065 			     NL80211_CMD_NAN_NEXT_DW_NOTIFICATION);
22066 	if (!hdr)
22067 		goto nla_put_failure;
22068 
22069 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
22070 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
22071 			      NL80211_ATTR_PAD) ||
22072 	    nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ, chan->center_freq))
22073 		goto nla_put_failure;
22074 
22075 	genlmsg_end(msg, hdr);
22076 
22077 	genlmsg_unicast(wiphy_net(wiphy), msg, wdev->owner_nlportid);
22078 
22079 	return;
22080 
22081  nla_put_failure:
22082 	nlmsg_free(msg);
22083 }
22084 EXPORT_SYMBOL(cfg80211_next_nan_dw_notif);
22085 
22086 void cfg80211_nan_cluster_joined(struct wireless_dev *wdev,
22087 				 const u8 *cluster_id, bool new_cluster,
22088 				 gfp_t gfp)
22089 {
22090 	struct wiphy *wiphy = wdev->wiphy;
22091 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
22092 	struct sk_buff *msg;
22093 	void *hdr;
22094 
22095 	trace_cfg80211_nan_cluster_joined(wdev, cluster_id, new_cluster);
22096 
22097 	memcpy(wdev->u.nan.cluster_id, cluster_id, ETH_ALEN);
22098 
22099 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
22100 	if (!msg)
22101 		return;
22102 
22103 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_NAN_CLUSTER_JOINED);
22104 	if (!hdr)
22105 		goto nla_put_failure;
22106 
22107 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
22108 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
22109 			      NL80211_ATTR_PAD) ||
22110 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, cluster_id) ||
22111 	    (new_cluster && nla_put_flag(msg, NL80211_ATTR_NAN_NEW_CLUSTER)))
22112 		goto nla_put_failure;
22113 
22114 	genlmsg_end(msg, hdr);
22115 
22116 	if (!wdev->owner_nlportid)
22117 		genlmsg_multicast_netns(&nl80211_fam, wiphy_net(wiphy),
22118 					msg, 0, NL80211_MCGRP_NAN, gfp);
22119 	else
22120 		genlmsg_unicast(wiphy_net(wiphy), msg,
22121 				wdev->owner_nlportid);
22122 	return;
22123 
22124  nla_put_failure:
22125 	nlmsg_free(msg);
22126 }
22127 EXPORT_SYMBOL(cfg80211_nan_cluster_joined);
22128 
22129 /* initialisation/exit functions */
22130 
22131 int __init nl80211_init(void)
22132 {
22133 	int err;
22134 
22135 	err = genl_register_family(&nl80211_fam);
22136 	if (err)
22137 		return err;
22138 
22139 	err = netlink_register_notifier(&nl80211_netlink_notifier);
22140 	if (err)
22141 		goto err_out;
22142 
22143 	return 0;
22144  err_out:
22145 	genl_unregister_family(&nl80211_fam);
22146 	return err;
22147 }
22148 
22149 void nl80211_exit(void)
22150 {
22151 	netlink_unregister_notifier(&nl80211_netlink_notifier);
22152 	genl_unregister_family(&nl80211_fam);
22153 }
22154